Files
2026-07-02 15:03:53 +08:00

1005 lines
38 KiB
Go

// Package repocache manages bare git clone caches for workspace repositories.
// The daemon uses these caches as the source for creating per-task worktrees.
package repocache
import (
"context"
"fmt"
"log/slog"
"net/url"
"os"
"os/exec"
"path/filepath"
"regexp"
"strconv"
"strings"
"sync"
"time"
)
// gitEnv returns an environment for git subprocesses that contact remotes.
// It passes the full daemon environment so credential helpers (e.g. gh) can
// locate their config, and disables TTY prompting so auth failures produce
// clear errors instead of blocking on a non-existent terminal.
//
// safe.directory=* is set via GIT_CONFIG_* env vars so git trusts all
// directories regardless of ownership. The daemon manages its own bare
// caches and worktrees, so the ownership check adds no security value
// and breaks CI environments where the runner UID differs from the
// directory owner.
func gitEnv() []string {
base := os.Environ()
// Find the existing GIT_CONFIG_COUNT so we append at the next index
// rather than overwriting any env-scoped git config (auth, URL
// rewrites, extra headers, etc.).
existing := 0
for _, e := range base {
if strings.HasPrefix(e, "GIT_CONFIG_COUNT=") {
if n, err := strconv.Atoi(strings.TrimPrefix(e, "GIT_CONFIG_COUNT=")); err == nil {
existing = n
}
}
}
idx := strconv.Itoa(existing)
return append(base,
"GIT_TERMINAL_PROMPT=0",
"GIT_CONFIG_COUNT="+strconv.Itoa(existing+1),
"GIT_CONFIG_KEY_"+idx+"=safe.directory",
"GIT_CONFIG_VALUE_"+idx+"=*",
)
}
var agentGitExcludePatterns = []string{".agent_context", "CLAUDE.md", "AGENTS.md", ".claude", ".opencode"}
const repoCacheGitTimeout = 10 * time.Minute
func newGitCommand(ctx context.Context, args ...string) *exec.Cmd {
cmd := exec.CommandContext(ctx, "git", args...)
cmd.Env = gitEnv()
cmd.WaitDelay = 5 * time.Second
return cmd
}
func runGitCombinedOutput(args ...string) ([]byte, error) {
return runGitCombinedOutputWithTimeout(repoCacheGitTimeout, args...)
}
func runGitCombinedOutputWithTimeout(timeout time.Duration, args ...string) ([]byte, error) {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := newGitCommand(ctx, args...)
out, err := cmd.CombinedOutput()
if ctx.Err() == context.DeadlineExceeded {
return out, fmt.Errorf("git command timed out after %s: %w", timeout, ctx.Err())
}
return out, err
}
func runGitOutput(args ...string) ([]byte, error) {
return runGitOutputWithTimeout(repoCacheGitTimeout, args...)
}
func runGitOutputWithTimeout(timeout time.Duration, args ...string) ([]byte, error) {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := newGitCommand(ctx, args...)
out, err := cmd.Output()
if ctx.Err() == context.DeadlineExceeded {
return out, fmt.Errorf("git command timed out after %s: %w", timeout, ctx.Err())
}
return out, err
}
func runGit(args ...string) error {
return runGitWithTimeout(repoCacheGitTimeout, args...)
}
func runGitWithTimeout(timeout time.Duration, args ...string) error {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := newGitCommand(ctx, args...)
err := cmd.Run()
if ctx.Err() == context.DeadlineExceeded {
return fmt.Errorf("git command timed out after %s: %w", timeout, ctx.Err())
}
return err
}
// RepoInfo describes a repository to cache.
type RepoInfo struct {
URL string
}
// CachedRepo describes a cached bare clone ready for worktree creation.
type CachedRepo struct {
URL string // remote URL
LocalPath string // absolute path to the bare clone
}
// Cache manages bare git clones for workspace repositories.
type Cache struct {
root string // base directory for all caches (e.g. ~/multica_workspaces/.repos)
logger *slog.Logger
// repoLocks maps bare repo path → dedicated mutex. Any mutating operation
// on a given bare repo (clone, fetch, worktree add, ref update) must
// hold its lock — git's own lockfiles (packed-refs.lock, config.lock,
// worktree admin dirs) don't tolerate parallel mutations on the same
// repo. Separate repos are independent and run concurrently.
repoLocks sync.Map // barePath -> *sync.Mutex
}
// New creates a new repo cache rooted at the given directory.
func New(root string, logger *slog.Logger) *Cache {
return &Cache{root: root, logger: logger}
}
// lockForRepo returns the mutex dedicated to the given bare repo path. See
// the Cache.repoLocks field comment for semantics.
func (c *Cache) lockForRepo(barePath string) *sync.Mutex {
if l, ok := c.repoLocks.Load(barePath); ok {
return l.(*sync.Mutex)
}
newLock := &sync.Mutex{}
actual, _ := c.repoLocks.LoadOrStore(barePath, newLock)
return actual.(*sync.Mutex)
}
// Sync ensures all repos for a workspace are cloned (or fetched if already cached).
// Repos no longer in the list are left in place (cheap to keep, avoids re-cloning
// if a repo is temporarily removed and re-added).
//
// Per-repo mutation serializes against CreateWorktree on the same bare path
// via lockForRepo. Different repos run sequentially within a single Sync call
// but concurrent Sync calls (different workspaces, or the same workspace
// re-synced while checkouts are running) do not block each other.
func (c *Cache) Sync(workspaceID string, repos []RepoInfo) error {
wsDir := filepath.Join(c.root, workspaceID)
if err := os.MkdirAll(wsDir, 0o755); err != nil {
return fmt.Errorf("create workspace cache dir: %w", err)
}
var firstErr error
for _, repo := range repos {
if repo.URL == "" {
continue
}
barePath := filepath.Join(wsDir, bareDirName(repo.URL))
repoLock := c.lockForRepo(barePath)
repoLock.Lock()
if isBareRepo(barePath) {
// Already cached — fetch latest.
c.logger.Info("repo cache: fetching", "url", repo.URL, "path", barePath)
if err := gitFetch(barePath); err != nil {
c.logger.Warn("repo cache: fetch failed", "url", repo.URL, "error", err)
if firstErr == nil {
firstErr = err
}
}
} else {
// Not cached — bare clone.
c.logger.Info("repo cache: cloning", "url", repo.URL, "path", barePath)
if err := gitCloneBare(repo.URL, barePath); err != nil {
c.logger.Error("repo cache: clone failed", "url", repo.URL, "error", err)
if firstErr == nil {
firstErr = err
}
}
}
repoLock.Unlock()
}
return firstErr
}
// Lookup returns the local bare clone path for a repo URL within a workspace.
// Returns "" if not cached.
func (c *Cache) Lookup(workspaceID, url string) string {
barePath := filepath.Join(c.root, workspaceID, bareDirName(url))
if isBareRepo(barePath) {
return barePath
}
return ""
}
// WithRepoLock serializes caller-supplied mutations on a bare repo against all
// other same-repo operations that use the cache's lock (Sync, Fetch,
// CreateWorktree, and daemon GC maintenance).
func (c *Cache) WithRepoLock(barePath string, fn func() error) error {
repoLock := c.lockForRepo(barePath)
repoLock.Lock()
defer repoLock.Unlock()
return fn()
}
// Fetch runs `git fetch origin` on a cached bare clone to get latest refs.
func (c *Cache) Fetch(barePath string) error {
return c.WithRepoLock(barePath, func() error {
return gitFetch(barePath)
})
}
// bareDirName returns a filesystem-safe, collision-free directory name for
// the bare clone of rawURL. The name is built from the host plus each
// path segment, joined by '+'. '+' is disallowed in GitHub and GitLab
// path segments, so two URLs produce the same name only if they point at
// the same repository on the same host.
//
// Examples:
//
// https://github.com/org/my-repo.git -> github.com+org+my-repo.git
// git@github.com:org/my-repo -> github.com+org+my-repo.git
// git@github.com:foo/bar-baz.git -> github.com+foo+bar-baz.git
// git@github.com:foo-bar/baz.git -> github.com+foo-bar+baz.git
// git@github.com:org/repo.git -> github.com+org+repo.git
// git@gitlab.example.com:org/repo.git -> gitlab.example.com+org+repo.git
// ssh://git@gitlab.example.com:22/g/s/r.git -> gitlab.example.com%3A22+g+s+r.git
// git@gitlab.example.com-22:org/repo.git -> gitlab.example.com-22+org+repo.git
// my-repo -> my-repo.git (bare name fallback)
func bareDirName(rawURL string) string {
rawURL = strings.TrimRight(rawURL, "/")
host, path := splitHostAndPath(rawURL)
host = strings.ToLower(strings.TrimSpace(host))
// Encode ':' as '%3A' so host:port is lossless. A naive ':'->'-' rewrite
// would collapse `gitlab.example.com:22` onto a literal hostname
// `gitlab.example.com-22`, reintroducing the silent wrong-remote class
// this function exists to prevent. '%' is forbidden in valid hostnames
// (RFC 952 / RFC 1123), and in GitHub/GitLab path segments, so the
// encoded marker can never come from a legal input.
host = strings.ReplaceAll(host, ":", "%3A")
var parts []string
if host != "" {
parts = append(parts, host)
}
for _, seg := range strings.Split(path, "/") {
if seg != "" {
parts = append(parts, seg)
}
}
name := strings.Join(parts, "+")
if !strings.HasSuffix(name, ".git") {
name += ".git"
}
if name == "" || name == ".git" {
name = "repo.git"
}
return name
}
// splitHostAndPath extracts the host and path-with-namespace from the
// supported git URL forms:
//
// - URL form (ssh://user@host[:port]/path, https://host/path) — returns
// u.Host verbatim (may include :port) and u.Path without the leading slash.
// - scp-style ([user@]host:path) — splits on the first ':' after the
// optional 'user@'.
// - Anything else (bare repo names, absolute filesystem paths) — returns
// an empty host and the raw input as the path.
func splitHostAndPath(rawURL string) (host, path string) {
if u, err := url.Parse(rawURL); err == nil && u.Scheme != "" && u.Host != "" {
return u.Host, strings.TrimPrefix(u.Path, "/")
}
s := rawURL
if i := strings.Index(s, "@"); i >= 0 {
s = s[i+1:]
}
if i := strings.Index(s, ":"); i >= 0 {
return s[:i], s[i+1:]
}
return "", s
}
// isBareRepo checks if a path looks like a bare git repository.
func isBareRepo(path string) bool {
// A bare repo has a HEAD file at the root.
_, err := os.Stat(filepath.Join(path, "HEAD"))
return err == nil
}
// modernFetchRefspec is the remote-tracking refspec that keeps fetched heads
// out of the bare repo's refs/heads/* namespace. That namespace is reserved
// for per-task worktree branches created by `git worktree add -b ...`, and any
// mirror-style fetch that targets refs/heads/* can collide with those locked
// refs and abort the entire fetch.
const modernFetchRefspec = "+refs/heads/*:refs/remotes/origin/*"
func gitCloneBare(url, dest string) error {
if out, err := runGitCombinedOutput("clone", "--bare", url, dest); err != nil {
// Clean up partial clone.
os.RemoveAll(dest)
return fmt.Errorf("git clone --bare: %s: %w", strings.TrimSpace(string(out)), err)
}
// `git clone --bare` populates refs/heads/* as a snapshot and defaults to
// a mirror-style fetch refspec. Convert the bare repo to the standard
// remote-tracking layout immediately so subsequent fetches write to
// refs/remotes/origin/* and can't conflict with worktree-locked heads.
if err := ensureRemoteTrackingLayout(dest); err != nil {
os.RemoveAll(dest)
return fmt.Errorf("configure fetch refspec: %w", err)
}
return nil
}
// gitFetch runs `git fetch origin` on a bare cache, migrating its fetch
// refspec to the remote-tracking layout first if it's still using the legacy
// mirror-style layout from an older version of this package. After a
// successful fetch it also refreshes refs/remotes/origin/HEAD so a remote
// default-branch change (e.g. master→main on an existing repo) actually
// takes effect in getRemoteDefaultBranch. Plain `git fetch origin` never
// touches that symref on its own, so without this call an existing cache
// would keep basing new worktrees on the original default branch forever
// after the remote flipped.
func gitFetch(barePath string) error {
if err := ensureRemoteTrackingLayout(barePath); err != nil {
return fmt.Errorf("ensure refspec: %w", err)
}
if err := runGitFetch(barePath); err != nil {
return err
}
// Refresh refs/remotes/origin/HEAD after every successful fetch.
// set-head --auto is lightweight (a single ls-remote HEAD round-trip)
// and non-fatal: if it fails we still have the step 2-5 fallbacks in
// getRemoteDefaultBranch, but the modern-cache default-branch-change
// path (the only path that can't be recovered any other way) relies
// on this call.
_ = runGit("-C", barePath, "remote", "set-head", "origin", "--auto")
return nil
}
// runGitFetch is the raw `git fetch origin` wrapper. Callers should go through
// gitFetch, which migrates legacy caches first.
func runGitFetch(barePath string) error {
if out, err := runGitCombinedOutput("-C", barePath, "fetch", "origin"); err != nil {
return fmt.Errorf("git fetch: %s: %w", strings.TrimSpace(string(out)), err)
}
return nil
}
// ensureRemoteTrackingLayout upgrades a bare repo from the legacy mirror
// refspec (+refs/heads/*:refs/heads/*) to the standard remote-tracking refspec
// (+refs/heads/*:refs/remotes/origin/*). It's idempotent: on an already-modern
// cache it's a single `git config --get` call. On legacy caches it rewrites
// the refspec, performs a backfill fetch to populate refs/remotes/origin/*,
// and runs `git remote set-head origin --auto` so getRemoteDefaultBranch can
// resolve the remote's default branch.
func ensureRemoteTrackingLayout(barePath string) error {
cur, err := readFetchRefspec(barePath)
if err != nil {
return err
}
if cur == modernFetchRefspec || cur == strings.TrimPrefix(modernFetchRefspec, "+") {
return nil // already modern
}
if err := setFetchRefspec(barePath, modernFetchRefspec); err != nil {
return err
}
// Backfill refs/remotes/origin/* by fetching with the new refspec. This
// writes to the origin/* namespace, so even worktree-locked refs/heads/*
// branches can't collide.
if err := runGitFetch(barePath); err != nil {
return fmt.Errorf("backfill fetch after refspec migration: %w", err)
}
// Set refs/remotes/origin/HEAD so getRemoteDefaultBranch can read it.
// Non-fatal: if this fails we fall back to origin/main, origin/master.
_ = runGit("-C", barePath, "remote", "set-head", "origin", "--auto")
return nil
}
// readFetchRefspec returns the current remote.origin.fetch config value, or
// the empty string if it's not set. Distinguishes "missing" (exit 1) from
// real git errors.
func readFetchRefspec(barePath string) (string, error) {
out, err := runGitOutput("-C", barePath, "config", "--get", "remote.origin.fetch")
if err != nil {
if ee, ok := err.(*exec.ExitError); ok && ee.ExitCode() == 1 {
return "", nil // key missing, not an error
}
return "", fmt.Errorf("read remote.origin.fetch: %w", err)
}
return strings.TrimSpace(string(out)), nil
}
func setFetchRefspec(barePath, refspec string) error {
out, err := runGitCombinedOutput("-C", barePath, "config", "remote.origin.fetch", refspec)
if err != nil {
return fmt.Errorf("set remote.origin.fetch: %s: %w", strings.TrimSpace(string(out)), err)
}
return nil
}
// WorktreeParams holds inputs for creating a worktree from a cached bare clone.
type WorktreeParams struct {
WorkspaceID string // workspace that owns the repo
RepoURL string // remote URL to look up in the cache
WorkDir string // parent directory for the worktree (e.g. task workdir)
Ref string // optional branch, tag, or commit to base the worktree on
AgentName string // for branch naming
TaskID string // for branch naming uniqueness
CoAuthoredByEnabled bool // install prepare-commit-msg hook for Co-authored-by trailer
}
// WorktreeResult describes a successfully created worktree.
type WorktreeResult struct {
Path string `json:"path"` // absolute path to the worktree
BranchName string `json:"branch_name"` // git branch created for this worktree
}
// CreateWorktree looks up the bare cache for a repo, fetches latest, and creates
// a git worktree in the agent's working directory. If a worktree already exists
// at the target path (reused environment), it updates the existing worktree to
// the latest remote default branch instead of failing.
func (c *Cache) CreateWorktree(params WorktreeParams) (*WorktreeResult, error) {
barePath := c.Lookup(params.WorkspaceID, params.RepoURL)
if barePath == "" {
return nil, fmt.Errorf("repo not found in cache: %s (workspace: %s)", params.RepoURL, params.WorkspaceID)
}
// Serialize concurrent CreateWorktree calls on the same bare repo. Git's
// own lockfiles (packed-refs.lock, config.lock, worktree admin dirs)
// can't tolerate parallel fetch + worktree mutations on the same repo.
repoLock := c.lockForRepo(barePath)
repoLock.Lock()
defer repoLock.Unlock()
// Fetch latest from origin. This also migrates the bare cache's refspec
// to the modern remote-tracking layout on first run, so subsequent fetches
// never collide with the refs/heads/agent/* branches that worktree creation
// locks in this same bare repo.
if err := gitFetch(barePath); err != nil {
// Non-fatal: preserve cached state and continue, but make the warning
// loud enough that it's findable in the daemon log. The agent will
// receive an older snapshot than the remote head.
c.logger.Warn("repo checkout: fetch failed, agent will see possibly stale code",
"url", params.RepoURL,
"error", err,
)
}
// Determine the ref to base the worktree on. By default this is the remote's
// default branch (resolved internally via getRemoteDefaultBranch, which walks
// origin/HEAD → origin/main, origin/master → bare-HEAD hint into origin/<same>
// → single-entry scan of origin/* → bare HEAD when origin/* is empty).
// Callers may request a specific branch, tag, or commit so review/QA agents
// can inspect the exact revision without trying to mutate the daemon-owned
// worktree metadata themselves.
baseRef, err := resolveBaseRef(barePath, params.Ref)
if err != nil {
return nil, err
}
// Empty here means params.Ref was unset and getRemoteDefaultBranch couldn't
// resolve a default — the cache is in a state we refuse to guess from (no
// origin/HEAD, no main/master, bare HEAD doesn't match any origin/* entry,
// and origin/* has multiple candidates). The requested-ref path returns an
// explicit error before reaching here, so this branch only fires for the
// default-branch case.
if baseRef == "" {
return nil, fmt.Errorf("cannot resolve default branch for %s: bare cache at %s has no usable refs (origin/* is empty or ambiguous and bare HEAD has no match). The cache may be corrupted; delete it and retry", params.RepoURL, barePath)
}
// Build branch name: agent/{sanitized-name}/{short-task-id}
branchName := fmt.Sprintf("agent/%s/%s", sanitizeName(params.AgentName), shortID(params.TaskID))
// Derive directory name from repo URL.
dirName := repoNameFromURL(params.RepoURL)
worktreePath := filepath.Join(params.WorkDir, dirName)
// If worktree already exists (reused environment from a prior task),
// update it to the latest remote code instead of creating a new one.
if isGitWorktree(worktreePath) {
actualBranch, err := updateExistingWorktree(worktreePath, branchName, baseRef)
if err != nil {
return nil, fmt.Errorf("update existing worktree: %w", err)
}
for _, pattern := range agentGitExcludePatterns {
_ = excludeFromGit(worktreePath, pattern)
}
// Install or remove the Co-authored-by hook based on the workspace
// setting. The hook lives in the bare repo's shared hooks dir, so we
// must actively remove it when disabled — otherwise a previously
// installed hook keeps appending the trailer to every commit even
// after the user toggles the setting off.
if params.CoAuthoredByEnabled {
if err := installCoAuthoredByHook(worktreePath); err != nil {
c.logger.Warn("repo checkout: install co-authored-by hook failed (non-fatal)", "error", err)
}
} else {
if err := removeCoAuthoredByHook(worktreePath); err != nil {
c.logger.Warn("repo checkout: remove co-authored-by hook failed (non-fatal)", "error", err)
}
}
c.logger.Info("repo checkout: existing worktree updated",
"url", params.RepoURL,
"path", worktreePath,
"branch", actualBranch,
"base", baseRef,
)
return &WorktreeResult{
Path: worktreePath,
BranchName: actualBranch,
}, nil
}
// Create a new worktree. createWorktree may rename the branch to avoid
// collisions with stale per-task refs left over from previous runs.
actualBranch, err := createWorktree(barePath, worktreePath, branchName, baseRef)
if err != nil {
return nil, fmt.Errorf("create worktree: %w", err)
}
// Exclude agent context files from git tracking.
for _, pattern := range agentGitExcludePatterns {
_ = excludeFromGit(worktreePath, pattern)
}
// Install or remove the Co-authored-by hook based on the workspace
// setting. See the existing-worktree branch above for why removal is
// required when the setting is disabled.
if params.CoAuthoredByEnabled {
if err := installCoAuthoredByHook(worktreePath); err != nil {
c.logger.Warn("repo checkout: install co-authored-by hook failed (non-fatal)", "error", err)
}
} else {
if err := removeCoAuthoredByHook(worktreePath); err != nil {
c.logger.Warn("repo checkout: remove co-authored-by hook failed (non-fatal)", "error", err)
}
}
c.logger.Info("repo checkout: worktree created",
"url", params.RepoURL,
"path", worktreePath,
"branch", actualBranch,
"base", baseRef,
)
return &WorktreeResult{
Path: worktreePath,
BranchName: actualBranch,
}, nil
}
func resolveBaseRef(barePath, requestedRef string) (string, error) {
ref := strings.TrimSpace(requestedRef)
if ref == "" {
return getRemoteDefaultBranch(barePath), nil
}
// Prefer remote-tracking branches for human branch names. Then allow full
// local refs, tags, and raw commits that exist in the fetched bare cache.
candidates := []string{
"refs/remotes/origin/" + ref,
"refs/tags/" + ref,
ref,
}
for _, candidate := range candidates {
if gitRefExists(barePath, candidate+"^{commit}") {
return candidate, nil
}
}
return "", fmt.Errorf("cannot resolve requested ref %q in repo cache at %s", ref, barePath)
}
func gitRefExists(repoPath, ref string) bool {
return runGit("-C", repoPath, "rev-parse", "--verify", "--quiet", ref) == nil
}
// createWorktree creates a git worktree at the given path with a new branch.
// Returns the actual branch name used — which may differ from the requested
// branchName if a collision was resolved by appending a timestamp suffix.
func createWorktree(gitRoot, worktreePath, branchName, baseRef string) (string, error) {
// Pre-check: if the worktree path already exists we would get a confusing
// "already exists" error from `git worktree add` — which used to be
// misclassified as a branch collision, causing the retry to leak branches
// into the bare repo. Fail cleanly here instead. The caller is expected
// to route reused workdirs through updateExistingWorktree via isGitWorktree.
if _, err := os.Stat(worktreePath); err == nil {
return "", fmt.Errorf("worktree path already exists and is not a valid git worktree: %s", worktreePath)
}
err := runWorktreeAdd(gitRoot, worktreePath, branchName, baseRef)
if err != nil && isBranchCollisionError(err) {
// Branch name collision: append timestamp and retry once.
branchName = fmt.Sprintf("%s-%d", branchName, time.Now().Unix())
err = runWorktreeAdd(gitRoot, worktreePath, branchName, baseRef)
}
if err != nil {
return "", err
}
return branchName, nil
}
func runWorktreeAdd(gitRoot, worktreePath, branchName, baseRef string) error {
if out, err := runGitCombinedOutput("-C", gitRoot, "worktree", "add", "-b", branchName, worktreePath, baseRef); err != nil {
return fmt.Errorf("git worktree add: %s: %w", strings.TrimSpace(string(out)), err)
}
return nil
}
// isBranchCollisionError returns true if err is specifically about a branch
// name already existing. Git's other "already exists" messages (notably path
// collisions from `git worktree add`) must NOT be treated as branch
// collisions, or the retry-with-timestamp logic will leak branches while
// still failing on the original path collision.
func isBranchCollisionError(err error) bool {
if err == nil {
return false
}
msg := strings.ToLower(err.Error())
// Git's message is "fatal: a branch named 'X' already exists".
return strings.Contains(msg, "a branch named")
}
// isGitWorktree checks if a path is an existing git worktree.
// Worktrees have a .git *file* (not directory) that points to the main repo.
func isGitWorktree(path string) bool {
info, err := os.Stat(filepath.Join(path, ".git"))
return err == nil && !info.IsDir()
}
// updateExistingWorktree resets the worktree to a clean state and checks out a
// new branch from the default branch. The caller is responsible for fetching
// the bare cache beforehand (worktrees share the same object store).
// Returns the actual branch name used (may differ from input on collision).
func updateExistingWorktree(worktreePath, branchName, baseRef string) (string, error) {
// Discard any leftover uncommitted changes from the previous task.
if out, err := runGitCombinedOutput("-C", worktreePath, "reset", "--hard"); err != nil {
return "", fmt.Errorf("git reset --hard: %s: %w", strings.TrimSpace(string(out)), err)
}
// Clean untracked files (e.g. build artifacts from previous task).
if out, err := runGitCombinedOutput("-C", worktreePath, "clean", "-fd"); err != nil {
return "", fmt.Errorf("git clean -fd: %s: %w", strings.TrimSpace(string(out)), err)
}
// Create a new branch from the resolved default-branch ref and switch to
// it. baseRef is a ref path returned by getRemoteDefaultBranch — usually
// "refs/remotes/origin/<branch>" but may be "refs/heads/<branch>" on a
// legacy/migration-pending cache. Either form is valid as a checkout
// startpoint.
out, err := runGitCombinedOutput("-C", worktreePath, "checkout", "-b", branchName, baseRef)
if err == nil {
return branchName, nil
}
wrapped := fmt.Errorf("git checkout -b: %s: %w", strings.TrimSpace(string(out)), err)
if !isBranchCollisionError(wrapped) {
return "", wrapped
}
// Branch name collision: append timestamp and retry once.
branchName = fmt.Sprintf("%s-%d", branchName, time.Now().Unix())
if out2, err2 := runGitCombinedOutput("-C", worktreePath, "checkout", "-b", branchName, baseRef); err2 != nil {
return "", fmt.Errorf("git checkout -b (retry): %s: %w", strings.TrimSpace(string(out2)), err2)
}
return branchName, nil
}
// getRemoteDefaultBranch returns a ref path (e.g. "refs/remotes/origin/main")
// that points at the remote's default branch in a bare cache. The return value
// is usable directly as a `git worktree add` / `git checkout -b` startpoint.
//
// Resolution order:
// 1. refs/remotes/origin/HEAD (verified; set by `git remote set-head origin --auto`)
// 2. refs/remotes/origin/main, refs/remotes/origin/master (common defaults)
// 3. The bare repo's own HEAD mapped into refs/remotes/origin/<same name> —
// `git clone --bare` sets HEAD to the remote's default, so this is a
// reliable hint for custom default branches (trunk, develop, …) when
// `git remote set-head --auto` failed to populate refs/remotes/origin/HEAD.
// 4. Scan refs/remotes/origin/* — returns a result ONLY when exactly one
// non-HEAD ref exists. Multiple refs cannot be disambiguated from refname
// order alone (git for-each-ref sorts alphabetically), so we refuse to
// guess; returning a wrong default would silently base new agent work on
// an arbitrary feature branch.
// 5. Legacy last-resort: the bare repo's own HEAD as a plain refs/heads/*
// ref, for caches that haven't populated refs/remotes/origin/* at all
// yet (e.g. a migration-pending cache whose backfill fetch failed).
// Gated on refs/remotes/origin/* being completely empty so we don't fall
// back to a stale snapshot when the cache has real remote-tracking refs
// but we just can't pick between them.
//
// Returns "" only when none of the above resolve — which the caller treats
// as a hard error with a clear "cache has no usable refs" message.
func getRemoteDefaultBranch(barePath string) string {
// 1) Primary: refs/remotes/origin/HEAD set by `git remote set-head
// origin --auto` during ensureRemoteTrackingLayout. Verify the
// target actually exists — a partial set-head or a manually-broken
// repo can leave a symref pointing at a deleted ref, and returning
// it here would later fail in `git worktree add` with a confusing
// "invalid reference" error.
if out, err := runGitOutput("-C", barePath, "symbolic-ref", "refs/remotes/origin/HEAD"); err == nil {
ref := strings.TrimSpace(string(out))
if ref != "" {
if err := runGit("-C", barePath, "rev-parse", "--verify", ref); err == nil {
return ref
}
}
}
// 2) Common default branch names under the origin namespace.
for _, candidate := range []string{"refs/remotes/origin/main", "refs/remotes/origin/master"} {
if err := runGit("-C", barePath, "rev-parse", "--verify", candidate); err == nil {
return candidate
}
}
// 3) Use the bare repo's own HEAD as a hint. `git clone --bare` sets HEAD
// to the remote's default branch, so this reliably identifies custom
// default branch names (trunk, develop, ...) when set-head --auto
// didn't populate refs/remotes/origin/HEAD. We only return when the
// matching origin/<name> exists, so we still pick up up-to-date code
// rather than a stale local head.
bareRef := bareHeadBranch(barePath)
if bareRef != "" {
originRef := "refs/remotes/origin/" + strings.TrimPrefix(bareRef, "refs/heads/")
if err := runGit("-C", barePath, "rev-parse", "--verify", originRef); err == nil {
return originRef
}
}
// 4) Scan refs/remotes/origin/* — return a result ONLY when there's
// exactly one non-HEAD candidate. Multiple candidates cannot be
// disambiguated from refname order alone; returning the alphabetically-
// first entry would silently base new agent work on a feature branch
// instead of the real default. Count entries here so step 5 can tell
// "legacy empty" apart from "ambiguous".
originCount := 0
var singleton string
if out, err := runGitOutput("-C", barePath, "for-each-ref", "--format=%(refname)", "refs/remotes/origin/"); err == nil {
for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
line = strings.TrimSpace(line)
if line == "" || line == "refs/remotes/origin/HEAD" {
continue
}
originCount++
if singleton == "" {
singleton = line
}
}
if originCount == 1 {
return singleton
}
}
// 5) Last-resort fallback: legacy / migration-pending caches still have
// refs/heads/* and a bare HEAD from the mirror-style layout. Gate this
// on refs/remotes/origin/* being completely empty — if origin/* has
// multiple refs but none match bare HEAD, the cache is in an
// ambiguous state and returning the local head would mask the
// problem with a stale snapshot. Let the caller fail loudly instead.
if originCount == 0 && bareRef != "" {
return bareRef
}
return ""
}
// bareHeadBranch returns the bare repo's local HEAD ref (e.g.
// "refs/heads/main") if HEAD is a symbolic ref to an existing branch.
// Returns "" if HEAD is detached, missing, or points at a non-existent ref.
//
// Only used by getRemoteDefaultBranch as a last-resort fallback for caches
// that haven't successfully populated refs/remotes/origin/* yet. Healthy
// modern caches should never reach this path because origin/* resolution
// succeeds first.
func bareHeadBranch(barePath string) string {
out, err := runGitOutput("-C", barePath, "symbolic-ref", "HEAD")
if err != nil {
return ""
}
ref := strings.TrimSpace(string(out))
if ref == "" {
return ""
}
if err := runGit("-C", barePath, "rev-parse", "--verify", ref); err != nil {
return ""
}
return ref
}
// multicaHookMarker is a sentinel comment embedded in every prepare-commit-msg
// hook installed by the daemon. removeCoAuthoredByHook uses it to recognize
// hooks it owns so it never deletes a hook installed by the user or another
// tool. Do not change without bumping the recognition logic.
const multicaHookMarker = "# multica:prepare-commit-msg:co-authored-by"
// daemonInstalledHookSignatures lists substrings that identify a
// prepare-commit-msg hook as one the daemon installed. removeCoAuthoredByHook
// treats a hook as Multica-owned if its content contains ANY of these
// substrings. The list deliberately includes the legacy comment that the
// daemon used before multicaHookMarker existed, so disabling the toggle on
// existing installations still cleans up old hooks seeded by previous daemon
// versions. Add to this list — never remove from it — so future tweaks to
// prepareCommitMsgHook keep recognizing every previously-shipped variant.
var daemonInstalledHookSignatures = []string{
multicaHookMarker,
"# Installed by the Multica daemon.",
}
// prepareCommitMsgHook is the prepare-commit-msg hook script that appends a
// Co-authored-by trailer for the Multica Agent to every commit message.
const prepareCommitMsgHook = `#!/bin/sh
# multica:prepare-commit-msg:co-authored-by
# Multica: add Co-authored-by trailer for the Multica Agent.
# Installed by the Multica daemon. Do not edit — it will be overwritten.
COMMIT_MSG_FILE="$1"
COMMIT_SOURCE="$2"
# Skip merge and squash commits.
case "$COMMIT_SOURCE" in
merge|squash) exit 0 ;;
esac
TRAILER="Co-authored-by: multica-agent <github@multica.ai>"
# Don't add if already present.
if grep -qF "$TRAILER" "$COMMIT_MSG_FILE"; then
exit 0
fi
# Use git interpret-trailers for proper formatting.
git interpret-trailers --in-place --trailer "$TRAILER" "$COMMIT_MSG_FILE"
`
// installCoAuthoredByHook installs a prepare-commit-msg git hook that appends
// a Co-authored-by trailer for the Multica Agent. The hook is installed in the
// git common directory (the bare repo for worktrees) so it applies to all
// worktrees created from this cache.
func installCoAuthoredByHook(worktreePath string) error {
out, err := runGitOutput("-C", worktreePath, "rev-parse", "--git-common-dir")
if err != nil {
return fmt.Errorf("resolve git common dir: %w", err)
}
commonDir := strings.TrimSpace(string(out))
if !filepath.IsAbs(commonDir) {
commonDir = filepath.Join(worktreePath, commonDir)
}
hooksDir := filepath.Join(commonDir, "hooks")
if err := os.MkdirAll(hooksDir, 0o755); err != nil {
return fmt.Errorf("create hooks dir: %w", err)
}
hookPath := filepath.Join(hooksDir, "prepare-commit-msg")
if err := os.WriteFile(hookPath, []byte(prepareCommitMsgHook), 0o755); err != nil {
return fmt.Errorf("write prepare-commit-msg hook: %w", err)
}
return nil
}
// isDaemonInstalledHook reports whether a prepare-commit-msg hook on disk was
// installed by the Multica daemon (current or any previously released
// version). It returns false for hooks that don't carry any known daemon
// signature, so a user-installed hook at the same path is left alone.
func isDaemonInstalledHook(contents []byte) bool {
body := string(contents)
for _, sig := range daemonInstalledHookSignatures {
if strings.Contains(body, sig) {
return true
}
}
return false
}
// removeCoAuthoredByHook removes the prepare-commit-msg hook installed by
// installCoAuthoredByHook. It only deletes the file when the content matches
// a known daemon signature (current marker or any previously released hook
// content), so a user-installed prepare-commit-msg hook is never touched.
// Returns nil when no hook is present or when an unrelated hook occupies
// the path.
func removeCoAuthoredByHook(worktreePath string) error {
out, err := runGitOutput("-C", worktreePath, "rev-parse", "--git-common-dir")
if err != nil {
return fmt.Errorf("resolve git common dir: %w", err)
}
commonDir := strings.TrimSpace(string(out))
if !filepath.IsAbs(commonDir) {
commonDir = filepath.Join(worktreePath, commonDir)
}
hookPath := filepath.Join(commonDir, "hooks", "prepare-commit-msg")
contents, err := os.ReadFile(hookPath)
if err != nil {
if os.IsNotExist(err) {
return nil
}
return fmt.Errorf("read prepare-commit-msg hook: %w", err)
}
if !isDaemonInstalledHook(contents) {
// Unrelated hook (user or third-party): leave it alone.
return nil
}
if err := os.Remove(hookPath); err != nil && !os.IsNotExist(err) {
return fmt.Errorf("remove prepare-commit-msg hook: %w", err)
}
return nil
}
// excludeFromGit adds a pattern to the worktree's .git/info/exclude file.
func excludeFromGit(worktreePath, pattern string) error {
out, err := runGitOutput("-C", worktreePath, "rev-parse", "--git-dir")
if err != nil {
return fmt.Errorf("resolve git dir: %w", err)
}
gitDir := strings.TrimSpace(string(out))
if !filepath.IsAbs(gitDir) {
gitDir = filepath.Join(worktreePath, gitDir)
}
excludePath := filepath.Join(gitDir, "info", "exclude")
if err := os.MkdirAll(filepath.Dir(excludePath), 0o755); err != nil {
return fmt.Errorf("create info dir: %w", err)
}
existing, _ := os.ReadFile(excludePath)
if strings.Contains(string(existing), pattern) {
return nil
}
f, err := os.OpenFile(excludePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
if err != nil {
return fmt.Errorf("open exclude file: %w", err)
}
defer f.Close()
if _, err := fmt.Fprintf(f, "\n%s\n", pattern); err != nil {
return fmt.Errorf("write exclude pattern: %w", err)
}
return nil
}
// repoNameFromURL extracts a short directory name from a git remote URL.
// e.g. "https://github.com/org/my-repo.git" → "my-repo"
func repoNameFromURL(url string) string {
url = strings.TrimRight(url, "/")
url = strings.TrimSuffix(url, ".git")
if i := strings.LastIndex(url, "/"); i >= 0 {
url = url[i+1:]
}
if i := strings.LastIndex(url, ":"); i >= 0 {
url = url[i+1:]
if j := strings.LastIndex(url, "/"); j >= 0 {
url = url[j+1:]
}
}
name := strings.TrimSpace(url)
if name == "" {
return "repo"
}
return name
}
var nonAlphanumeric = regexp.MustCompile(`[^a-z0-9]+`)
// sanitizeName produces a git-branch-safe name from a human-readable string.
func sanitizeName(name string) string {
s := strings.ToLower(strings.TrimSpace(name))
s = nonAlphanumeric.ReplaceAllString(s, "-")
s = strings.Trim(s, "-")
if len(s) > 30 {
s = s[:30]
s = strings.TrimRight(s, "-")
}
if s == "" {
s = "agent"
}
return s
}
// shortID returns the first 8 characters of a UUID string (dashes stripped).
func shortID(uuid string) string {
s := strings.ReplaceAll(uuid, "-", "")
if len(s) > 8 {
return s[:8]
}
return s
}