Summary
This PR adds namespace-backed organizations and repository RBAC across the web app, Git gateway, Campfire gateway, CI, and repository settings flows.
It replaces owner-profile-only assumptions with namespace-aware repository ownership, syncs org membership from Stack Auth without requiring admin keys, and centralizes sensitive authorization decisions so Git, Campfire, CI, PRs, issues, settings, forks, and repository pages all use the same capability model.
What Changed
- Added namespace, organization membership, repository permission, and owner audit schema/migrations.
- Added Stack-backed org membership sync and fresh repository authorization helpers.
- Added an internal repository authorization endpoint used by Git and Campfire gateways.
- Updated repository pages, APIs, CI routes, Campfire routes, PR flows, issue flows, and settings actions to enforce repository capabilities.
- Added organization settings pages and expanded repository settings sections for general, access, runners, and danger settings.
- Hardened fork visibility so private forks cannot be made public.
- Rejected invalid or missing repository visibility instead of silently defaulting to public.
- Fixed PR source visibility filtering, CI step/job binding, exact grant-target lookup, and Campfire cross-repo mention side effects.
- Implemented repository insights data loading so web typecheck passes again.
- Added focused tests for RBAC helpers, fork visibility, visibility validation, grant target normalization, migration preflight diagnostics, and stale helper guards.
Deployment Notes
This adds required internal authorization configuration for gateway-to-web authorization checks:
- OPEN_GIT_INTERNAL_AUTH_SECRET
- OPEN_GIT_INTERNAL_AUTH_URL
The deploy examples, README, Docker Compose files, and Turbo env configuration were updated accordingly.
Test Plan
- pnpm --filter web typecheck
- pnpm --filter web lint -- ...
- pnpm --filter web test -- db/repository-permissions.test.ts lib/pre-org-helper-guards.test.ts lib/repository-permissions.test.ts lib/migration-preflight.test.ts
- pnpm --filter web db:check
- Focused gateway typechecks for Git and Campfire gateway changes
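
The two visibility changes listed under What Changed (rejecting invalid or missing visibility, and blocking private forks from becoming public) amount to a fail-closed check. The sketch below is an added illustration, not code from this PR; `Repo`, `parseVisibility`, `changeVisibility`, `changeVisibilityLenient` and the reason strings are hypothetical names.

```typescript
// Added illustration: all names here are hypothetical, not the project's own.
type Visibility = "public" | "private";

interface Repo {
  isFork: boolean;
  visibility: Visibility;
}

interface VisibilityDecision {
  ok: boolean;
  visibility: Visibility | null; // set only when ok is true
  reason: string | null;         // set only when ok is false
}

// Exact match only: undefined, null, "", "Public" and non-strings are all invalid.
function parseVisibility(input: unknown): Visibility | null {
  return input === "public" || input === "private" ? input : null;
}

// Fail closed: an unparseable request is rejected, and a private fork
// can never be switched to public.
function changeVisibility(repo: Repo, requested: unknown): VisibilityDecision {
  const wanted = parseVisibility(requested);
  if (wanted === null) {
    return { ok: false, visibility: null, reason: "invalid_visibility" };
  }
  if (repo.isFork && repo.visibility === "private" && wanted === "public") {
    return { ok: false, visibility: null, reason: "private_fork_cannot_be_public" };
  }
  return { ok: true, visibility: wanted, reason: null };
}

// The kind of silent default the PR says it removed, kept here for contrast:
// anything that is not exactly "private" (including a missing field) exposes the repo.
function changeVisibilityLenient(_repo: Repo, requested: unknown): Visibility {
  return requested === "private" ? "private" : "public";
}
```
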