fix(git-tools): harden gitea pr metadata wrappers

2026-05-22 11:17:09 -05:00
4 changed files with 50 additions and 10 deletions
--- a/docs/scratchpads/t-a292e96f-gitea-pr-metadata.md
+++ b/docs/scratchpads/t-a292e96f-gitea-pr-metadata.md
@@ -30,7 +30,7 @@ Repair Mosaic git wrappers so Gitea PR metadata and merge preflight work for U-C
  - Falls back to authenticated Gitea merge API when no matching `tea` login exists, avoiding the wrong `mosaicstack` login for USC repos.
  - Keeps squash-only and main-only merge policy.
 - `packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh`
-  - Added fixture-based regression harness for standard Gitea fields, fallback branch fields, and API error payloads.
+  - Added fixture-based regression harness for standard Gitea fields, fallback branch fields, `refs/pull/<n>/head` plus `head.label` normalization, and API error payloads.

 ## Documentation / changelog note

@@ -38,12 +38,14 @@ This repository currently has no root `CHANGELOG.md`; the scratchpad and `docs/T

 ## Verification log

+- Red regression check: copied the new `test-pr-metadata-gitea.sh` harness next to `origin/main` wrapper scripts and ran it with `MOSAIC_TEST_WORK_DIR=$PWD/.mosaic-test-work/pr-metadata-gitea-red`; it failed as expected with `headRefName=''` and `baseRefName=''` on the fixture API-error path.
 - `bash -n packages/mosaic/framework/tools/git/{detect-platform.sh,pr-metadata.sh,pr-merge.sh,test-pr-metadata-gitea.sh}`: passed.
 - `shellcheck -x -P . -e SC1090 packages/mosaic/framework/tools/git/{detect-platform.sh,pr-metadata.sh,pr-merge.sh,test-pr-metadata-gitea.sh}`: passed.
- `packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh`: passed; verifies standard Gitea fields, fallback branch fields, and nonzero API-error handling.
- Live sanitized U-Connect metadata from `/src/uconnect-worktrees/t_39ce717c-authentik-smoke-gate` with `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
+- `MOSAIC_TEST_WORK_DIR=$PWD/.mosaic-test-work/pr-metadata-gitea packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh`: passed; verifies standard Gitea fields, fallback branch fields, `refs/pull/<n>/head` label normalization, and nonzero API-error handling.
+- Installed wrapper parity: `/home/hermes/.config/mosaic/tools/git/{detect-platform.sh,pr-metadata.sh,pr-merge.sh}` byte-match the PR source copies after validation, so active U-Connect wrapper invocations use the same fix while source PR review runs.
+- Live sanitized U-Connect metadata from `/src/uconnect` with `MOSAIC_CREDENTIALS_FILE=/src/jarvis-brain/credentials.json`:
  - PR #1905: `number=1905`, `baseRefName=main`, `headRefName=edith/t_39ce717c-authentik-smoke-gate`, `state=open`, `host=git.uscllc.com`.
-  - PR #1908: `number=1908`, `baseRefName=main`, `headRefName=fix/t_23fa9e1d-portal-health-backend`, `state=open`, `host=git.uscllc.com`.
- Merge preflight dry runs:
+  - PR #1908: `number=1908`, `baseRefName=main`, `headRefName=fix/t_23fa9e1d-portal-health-backend`, `state=closed`, `host=git.uscllc.com`.
+- Merge preflight dry runs from installed wrappers:
  - PR #1905: `Dry run: would merge PR #1905 on git.uscllc.com with authenticated Gitea API fallback (base=main, method=squash).`
  - PR #1908: `Dry run: would merge PR #1908 on git.uscllc.com with authenticated Gitea API fallback (base=main, method=squash).`
--- a/packages/mosaic/framework/tools/git/detect-platform.sh
+++ b/packages/mosaic/framework/tools/git/detect-platform.sh
@@ -103,16 +103,28 @@ get_gitea_token() {
    if [[ -f "$cred_loader" ]]; then
        local token
        token=$(
+            # shellcheck source=/dev/null
            source "$cred_loader"
+            # Host-specific wrapper resolution must not inherit caller/global GITEA_*.
+            # load_credentials intentionally preserves existing env vars for interactive use,
+            # but metadata/merge wrappers need credentials matching the remote host.
+            unset GITEA_TOKEN GITEA_URL
            case "$host" in
                git.mosaicstack.dev) load_credentials gitea-mosaicstack 2>/dev/null ;;
                git.uscllc.com)      load_credentials gitea-usc 2>/dev/null ;;
                *)
+                    local matched=false
                    for svc in gitea-mosaicstack gitea-usc; do
-                        load_credentials "$svc" 2>/dev/null || continue
-                        [[ "${GITEA_URL:-}" == *"$host"* ]] && break
                        unset GITEA_TOKEN GITEA_URL
+                        load_credentials "$svc" 2>/dev/null || continue
+                        if [[ "${GITEA_URL:-}" == "https://$host" || "${GITEA_URL:-}" == "http://$host" || "${GITEA_URL:-}" == *"//$host" ]]; then
+                            matched=true
+                            break
+                        fi
                    done
+                    if [[ "$matched" != true ]]; then
+                        unset GITEA_TOKEN GITEA_URL
+                    fi
                    ;;
            esac
            echo "${GITEA_TOKEN:-}"
@@ -123,10 +135,12 @@ get_gitea_token() {
        fi
    fi

-    # 2. GITEA_TOKEN env var (may be set by caller)
+    # 2. GITEA_TOKEN env var (only when GITEA_URL, if present, matches the remote host)
    if [[ -n "${GITEA_TOKEN:-}" ]]; then
-        echo "$GITEA_TOKEN"
-        return 0
+        if [[ -z "${GITEA_URL:-}" || "${GITEA_URL:-}" == "https://$host" || "${GITEA_URL:-}" == "http://$host" || "${GITEA_URL:-}" == *"//$host" ]]; then
+            echo "$GITEA_TOKEN"
+            return 0
+        fi
    fi

    # 3. ~/.git-credentials file
--- a/packages/mosaic/framework/tools/git/pr-metadata.sh
+++ b/packages/mosaic/framework/tools/git/pr-metadata.sh
@@ -163,8 +163,19 @@ head_ref = first_non_empty(
    nested(data, 'head', 'branch'),
    data.get('head_branch'),
    data.get('head_ref'),
+    nested(data, 'head', 'label'),
    data.get('head_label'),
 )
+if isinstance(head_ref, str) and head_ref.startswith('refs/pull/'):
+    head_ref = first_non_empty(
+        nested(data, 'head', 'label'),
+        data.get('head_label'),
+        nested(data, 'head', 'name'),
+        nested(data, 'head', 'branch'),
+        data.get('head_branch'),
+        data.get('head_ref'),
+        head_ref,
+    )
 base_ref = first_non_empty(
    nested(data, 'base', 'ref'),
    nested(data, 'base', 'name'),
--- a/packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh
+++ b/packages/mosaic/framework/tools/git/test-pr-metadata-gitea.sh
@@ -40,6 +40,18 @@ cat > "$FIXTURE_DIR/gitea-fallback.json" <<'JSON'
 }
 JSON

+cat > "$FIXTURE_DIR/gitea-refs-pull-label.json" <<'JSON'
+{
+  "number": 1908,
+  "title": "Closed merged PR with synthetic pull ref",
+  "state": "closed",
+  "user": {"login": "edith"},
+  "head": {"ref": "refs/pull/1908/head", "label": "fix/t_23fa9e1d-portal-health-backend"},
+  "base": {"ref": "main"},
+  "html_url": "https://git.uscllc.com/USC/uconnect/pulls/1908"
+}
+JSON
+
 cat > "$FIXTURE_DIR/gitea-error.json" <<'JSON'
 {"message": "user does not exist [uid: 0, name: ]", "url": "https://git.uscllc.com/api/swagger"}
 JSON
@@ -64,6 +76,7 @@ PY

 run_case "$FIXTURE_DIR/gitea-standard.json" 1905 edith/t_39ce717c-authentik-smoke-gate
 run_case "$FIXTURE_DIR/gitea-fallback.json" 1908 fix/fallback-head
+run_case "$FIXTURE_DIR/gitea-refs-pull-label.json" 1908 fix/t_23fa9e1d-portal-health-backend

 if cd "$REPO_DIR" && MOSAIC_GITEA_PR_METADATA_RAW_FILE="$FIXTURE_DIR/gitea-error.json" "$SCRIPT_DIR/pr-metadata.sh" -n 1909 >/dev/null 2>"$WORK_DIR/error.log"; then
    echo "Expected API error fixture to fail" >&2