vvzvlad/gitmost
1
0
Fork 0
Code Issues 14 Pull Requests 12 Packages Projects Releases Activity

fix(git-sync): red-team hardening — 12 confirmed sync-breaking bugs + regression tests

Browse Source 
A 10-agent red-team pass on the two-way Docmost<->git sync surfaced 16 ranked
findings (9 others triaged out as already-defended). Wrote a reproduction test
per finding (each asserts the CORRECT behavior, so it fails on the bug), then
fixed the production code so every repro goes green. All confirmed bugs:

Round-trip data loss (markdown-converter.ts + docmost-schema.ts mirror):
- #1 editor-ext node types silently dropped on export — ported the 8 missing
  canon nodes (footnoteReference/footnotesList/footnoteDefinition, htmlEmbed,
  status, pageEmbed, transclusionSource/Reference) into the git-sync schema
  mirror and added converter cases that emit their schema-matching HTML instead
  of flattening unknown nodes to '' (this was the critical data-loss flagged in
  review #1679: footnotes/htmlEmbed lost on sync). Snapshot surface updated.
- #2 top-level image lost width/height/align/attachmentId — now emits an HTML
  <img> (like video/diagrams) when it carries layout attrs; bare images stay
  ![](src). Image node parses width/height as strings so they re-import.
- #3 code block containing a ``` fence corrupted on round-trip — outer fence is
  now widened to (longest-inner-backtick-run + 1).
- #16 deep nesting threw RangeError (page never synced) — added a depth guard
  (MAX_NODE_DEPTH=400) so the converter never overflows the stack.

Push/layout/cycle (engine):
- #4 disambiguation ' ~slugId' suffix corrupted Docmost titles + order-dependent
  layout — deterministic, order-independent sibling disambiguation; suffix is
  stripped from a path-derived title ONLY when the new name is exactly the old
  title plus the suffix (never a genuine retitle ending in ' ~token').
- #6 retry-adopt by (parent,title) clobbered the wrong duplicate-title sibling —
  ambiguous (parent,title) is no longer adopted (falls back to fresh create).
- #12 a new child under a new parent was created at ROOT — creates are ordered
  parent-before-child with an in-memory created-id map for parent resolution.
- #13 git conflict markers could reach Docmost — bodies are scanned and the
  marker lines stripped (a '=======' line is only treated as a conflict
  separator inside a <<<<<<< ... >>>>>>> block, so setext headings are safe).
- #15 a divergent `docmost` mirror was escalated by runPush but dropped by
  runCycle — RunCycleResult now forwards divergentDocmost to the orchestrator.

Server (merge / lock / provenance):
- #9 3-way merge lost a human's block edit when git inserted an adjacent block —
  finer-grained diff3 region merge (via lcs) preserves non-overlapping human
  edits; genuine same-block conflicts still resolve git-wins.
- #10 single-writer race — module-static liveLocks closes the same-process TOCTOU
  window, and a heartbeat refresh that cannot confirm the lock now aborts the
  cycle at its next write checkpoint (cooperative AbortSignal threaded through
  runCycle). Cross-process fencing tokens remain a follow-up.
- #14 sticky-agent provenance overrode an explicit actor='git-sync' write,
  blinding the listener loop-guard — resolveSource now lets an explicit actor
  win over the sticky-agent fallback (explicit agent still wins).

Verified: git-sync vitest 617 pass (+1 expected-fail), server unit jest 1541
pass, server tsc clean. A review pass over the fixes caught and corrected a
title-suffix over-strip, an inert abort signal, a document-wide conflict-marker
strip, and two leaf-atom content-holes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
claude code agent 227
2026-06-26 01:29:02 +03:00
parent 6d17db1658
commit cc835a86c0
20 changed files with 1621 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
apps/server/src/collaboration/extensions/persistence.extension.spec.ts
View File

@@ -142,17 +142,22 @@ describe('PersistenceExtension.onStoreDocument — provenance precedence (#2)',
expect(sourceOf(pageRepo)).toBe('git-sync');
});
it("keeps 'agent' even when the storing writer is 'git-sync' (agent > git-sync)", async () => {
it("keeps 'git-sync' for an explicit git-sync store even with a sticky agent marker (#14 loop-guard)", async () => {
const { ext, pageRepo } = build();
// An agent edit landed earlier in the coalescing window (sticky marker),
// then a git-sync writer performs the store. Agent precedence must win.
// then a git-sync writer performs the store. Red-team finding #14: an
// EXPLICIT current-write actor is authoritative for THIS write, so the
// store must stay 'git-sync' — otherwise the PageChangeListener loop-guard
// (keyed on lastUpdatedSource === 'git-sync') fails to recognize git-sync's
// own write and re-exports it. Explicit 'agent' still wins (see below); the
// sticky marker only promotes a plain human writer to 'agent'.
await ext.onChange(makeChangePayload('agent'));
await ext.onStoreDocument(
makeStorePayload({ user: { id: 'svc-user' }, actor: 'git-sync' }),
);
expect(sourceOf(pageRepo)).toBe('agent');
expect(sourceOf(pageRepo)).toBe('git-sync');
});
it("tags 'agent' when the storing writer itself is the agent (no prior onChange)", async () => {

13
apps/server/src/collaboration/extensions/persistence.extension.ts
View File

@@ -52,11 +52,16 @@ export function resolveSource(
stickyTouched: boolean,
contextActor?: string,
): ProvenanceSource {
// Precedence: agent > git-sync > user. The sticky agent marker wins so a
// window that mixed an agent edit stays tagged 'agent'; otherwise a native
// git-sync write (plan §8.1) tags 'git-sync'; a plain human edit stays 'user'.
if (stickyTouched || contextActor === 'agent') return 'agent';
// An EXPLICIT current-write actor is authoritative for THIS write and wins
// over the sticky-agent fallback. Order: explicit 'agent' > explicit
// 'git-sync' > sticky agent marker > plain human 'user'. The git-sync case
// must NOT be masked by the sticky marker, or the PageChangeListener
// loop-guard (which keys on lastUpdatedSource === 'git-sync') would re-export
// git-sync's own writes (#14). Explicit agent still wins so a window that
// mixed an agent edit stays tagged 'agent'.
if (contextActor === 'agent') return 'agent';
if (contextActor === 'git-sync') return 'git-sync';
if (stickyTouched) return 'agent';
return 'user';
}

10
apps/server/src/collaboration/extensions/redteam-provenance.spec.ts Normal file
View File

@@ -0,0 +1,10 @@
import { resolveSource } from './persistence.extension';
// Red-team finding #14: an explicit git-sync write (no agent edit in the
// coalescing window) must keep the 'git-sync' source so the git-sync
// listener's loop-guard can recognize its own writes and not re-export them.
describe('resolveSource — #14 git-sync provenance loop-guard', () => {
it('keeps git-sync source for an explicit git-sync write (stickyTouched=true, actor=git-sync)', () => {
expect(resolveSource(true, 'git-sync')).toBe('git-sync');
});
});

39
apps/server/src/collaboration/git-sync-converter-gate.spec.ts
View File

@@ -402,7 +402,7 @@ describe('git-sync converter §13.1 idempotency gate (editor-ext schema)', () =>
// data-* attrs, as it already does for video/diagrams), these assertions flip
// and the image fixture should be promoted into the green CORPUS above.
// ---------------------------------------------------------------------------
describe('git-sync converter §13.1 KNOWN DIVERGENCE (markdown image lossiness)', () => {
describe('git-sync converter §13.1 image dimensions preserved (was KNOWN DIVERGENCE)', () => {
const imageDoc = doc({
type: 'image',
attrs: {
@@ -413,29 +413,26 @@ describe('git-sync converter §13.1 KNOWN DIVERGENCE (markdown image lossiness)'
},
});
it('drops width/height/align (markdown ![](src) cannot carry them); the block-image hoist no longer leaves an empty paragraph', async () => {
it('preserves width/height/align by exporting an HTML <img> (PR #119 round-trip fix)', async () => {
const { md, canonNormalized } = await runGate(imageDoc);
// Export is plain markdown image syntax — no dimensions/align survive.
expect(md.trim()).toBe('![](https://example.com/pic.png)');
// A top-level image carrying layout attrs is now exported as a schema-
// matching HTML <img> (the same path video/diagrams already use), so the
// dimensions and alignment survive the round trip instead of collapsing to
// bare `![](src)`.
expect(md.trim()).toBe(
'<img src="https://example.com/pic.png" width="640" height="480" align="center">',
);
// The round-tripped doc carries ONLY src (+ alt=""). The leading empty
// paragraph that the block-image hoist used to leave behind (a phantom
// blank-gap on every sync) is now stripped on import (git-sync fix), so the
// doc is just the image — no empty-paragraph artifact.
expect(canonNormalized).toEqual({
type: 'doc',
content: [
{
type: 'image',
attrs: { alt: '', src: 'https://example.com/pic.png' },
},
],
});
// Still NOT canonically equal to the original: width/height/align are an
// intrinsic markdown-transport loss (unrelated to the empty-paragraph fix).
expect(docsCanonicallyEqual(imageDoc, canonNormalized)).toBe(false);
// The round-tripped image keeps src + the layout attrs. width/height are
// re-imported as strings (matching the video/audio/pdf string convention),
// so assert the values rather than the JS type.
const imgAttrs = (canonNormalized as any).content[0].attrs;
expect((canonNormalized as any).content[0].type).toBe('image');
expect(imgAttrs.src).toBe('https://example.com/pic.png');
expect(imgAttrs.align).toBe('center');
expect(String(imgAttrs.width)).toBe('640');
expect(String(imgAttrs.height)).toBe('480');
});
});

13
apps/server/src/integrations/git-sync/services/git-sync.orchestrator.ts
View File

@@ -151,8 +151,8 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
// when it could not enter — surfaced here as the existing skipped:'in-progress'
// / 'lock-held' status so runOnce's observable behavior is unchanged.
try {
const result = await this.spaceLock.withSpaceLock(spaceId, () =>
this.driveCycle(spaceId, workspaceId, serviceUserId),
const result = await this.spaceLock.withSpaceLock(spaceId, (signal) =>
this.driveCycle(spaceId, workspaceId, serviceUserId, signal),
);
if ('skipped' in result && !('spaceId' in result)) {
return { spaceId, ran: false, skipped: result.skipped };
@@ -199,7 +199,7 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
}
const serviceUserId = this.environmentService.getGitSyncServiceUserId();
const result = await this.spaceLock.withSpaceLock(spaceId, async () => {
const result = await this.spaceLock.withSpaceLock(spaceId, async (signal) => {
// 1) Stream the receive-pack to the client (durable commits land on main).
await runReceivePack();
@@ -214,7 +214,7 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
return;
}
try {
await this.driveCycle(spaceId, workspaceId, serviceUserId);
await this.driveCycle(spaceId, workspaceId, serviceUserId, signal);
} catch (err) {
// Do NOT rethrow: the push succeeded and the commits are durable on main;
// the poll-interval backstop retries the cycle. Log for visibility.
@@ -246,6 +246,7 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
spaceId: string,
workspaceId: string,
serviceUserId: string,
signal?: AbortSignal,
): Promise<GitSyncRunStatus> {
const { runCycle } = await loadGitSync();
const settings = this.buildSettings(spaceId);
@@ -254,6 +255,10 @@ export class GitSyncOrchestrator implements OnModuleInit, OnModuleDestroy {
const maxDeletes = this.environmentService.getGitSyncMaxDeletesPerCycle();
const result = await runCycle({
// Cooperative-abort signal from the per-space lock: if a heartbeat refresh
// cannot confirm the lock, the cycle bails before its next destructive
// write phase instead of writing blind after a possible lock loss.
signal,
spaceId,
client,
vault,

101
apps/server/src/integrations/git-sync/services/redteam-space-lock.spec.ts Normal file
View File

@@ -0,0 +1,101 @@
// Red-team finding #10: single-writer guarantee across replicas must survive a
// TTL lapse with a swallowed heartbeat refresh. Two SpaceLockService instances
// (A, B) share ONE redis store. A holds 'X' and stays in-flight; the lock key
// then disappears (TTL expiry while refreshLock silently failed). B must NOT be
// able to acquire 'X' and run its fn concurrently with A — that would be two
// writers racing the same working tree. This test asserts the DESIRED
// single-writer behavior, so it FAILS today if the lapse lets B in.
import { Logger } from '@nestjs/common';
import { SpaceLockService } from './space-lock.service';
import { GIT_SYNC_LOCK_PREFIX } from '../git-sync.constants';
/**
* Minimal shared fake redis honoring exactly the two primitives the lock uses:
* - `SET key val PX ttl NX` → 'OK' only when the key is absent (NX semantics).
* - `eval(<get/del CAS>|<get/pexpire CAS>, 1, key, instanceId[, ttl])` →
* compares the stored value to ARGV[1] before del/pexpire (CAS).
* TTL expiry is not time-driven here; tests simulate it by mutating `store`.
*/
function makeSharedRedis() {
const store = new Map<string, string>();
return {
store,
async set(key: string, val: string, _px: 'PX', _ttl: number, nx: 'NX') {
if (nx === 'NX' && store.has(key)) return null;
store.set(key, val);
return 'OK';
},
async eval(lua: string, _numKeys: number, key: string, argInstanceId: string) {
// Only act when WE still own the key (CAS), mirroring the Lua scripts.
if (store.get(key) !== argInstanceId) return 0;
if (lua.includes('del')) {
store.delete(key);
return 1;
}
// pexpire CAS refresh: value matches, "extend" is a no-op in the fake.
return 1;
},
};
}
function buildInstance(redis: ReturnType<typeof makeSharedRedis>) {
const redisService = { getOrThrow: jest.fn(() => redis) };
return new SpaceLockService(redisService as any);
}
async function flushMicrotasks(): Promise<void> {
await Promise.resolve();
await Promise.resolve();
await Promise.resolve();
}
beforeAll(() => {
jest.spyOn(Logger.prototype, 'warn').mockImplementation(() => undefined);
});
describe('SpaceLockService — finding #10 single-writer across TTL lapse', () => {
it('B must not run its fn concurrently with an in-flight A after the lock key vanishes', async () => {
const redis = makeSharedRedis();
const A = buildInstance(redis);
const B = buildInstance(redis);
let aRunning = false;
let releaseA!: () => void;
const gateA = new Promise<void>((resolve) => {
releaseA = resolve;
});
// A acquires 'X' and stays in-flight awaiting the gate.
const aResult = A.withSpaceLock('X', async () => {
aRunning = true;
await gateA;
aRunning = false;
return 'A-done';
});
await flushMicrotasks();
// Sanity: A is in-flight and owns the redis key.
expect(aRunning).toBe(true);
expect(redis.store.has(GIT_SYNC_LOCK_PREFIX + 'X')).toBe(true);
// Simulate TTL lapse with a swallowed heartbeat refresh: the lock key
// disappears from the shared store while A is still running.
redis.store.delete(GIT_SYNC_LOCK_PREFIX + 'X');
// Now B tries to take 'X'. Desired: rejected as 'lock-held' (single writer);
// and under no circumstance may fn2 run while A is still in flight.
let bRanWhileARunning = false;
const bResult = await B.withSpaceLock('X', async () => {
bRanWhileARunning = aRunning; // captures whether A was still in-flight
return 'B-done';
});
// Single-writer assertions: B did NOT execute concurrently with A.
expect(bRanWhileARunning).toBe(false);
expect(bResult).toEqual({ skipped: 'lock-held' });
// Cleanup: let A finish.
releaseA();
await expect(aResult).resolves.toBe('A-done');
});
});

20
apps/server/src/integrations/git-sync/services/redteam-three-way.spec.ts Normal file
View File

@@ -0,0 +1,20 @@
import { diff3Plan, type Pick } from './three-way-merge';
// Materialize a plan into the merged key sequence for assertion.
function apply(plan: Pick[], live: string[], target: string[]): string[] {
return plan.map((p) => (p.src === 'live' ? live[p.index] : target[p.index]));
}
const merge = (o: string[], a: string[], b: string[]): string[] =>
apply(diff3Plan(o, a, b), a, b);
describe('diff3Plan red-team #9 (human edit + adjacent git insert)', () => {
it('keeps human block-2 edit AND applies git insert of 2.5', () => {
// base: 1 2 3
// live: 1 H 3 (human rewrote block 2)
// target: 1 2 2.5 3 (git inserted 2.5 after block 2)
expect(
merge(['1', '2', '3'], ['1', 'H', '3'], ['1', '2', '2.5', '3']),
).toEqual(['1', 'H', '2.5', '3']);
});
});

52
apps/server/src/integrations/git-sync/services/space-lock.service.ts
View File

@@ -22,6 +22,16 @@ export class SpaceLockService {
private readonly instanceId = randomUUID();
/** In-process per-space mutex: spaceIds with a cycle currently running. */
private readonly running = new Set<string>();
/**
* Process-wide single-writer guard: spaceId -> instanceId of the live holder.
* Unlike `running` (scoped to ONE service instance), this is shared by every
* SpaceLockService in the process, so even if the Redis lock key lapses
* (swallowed heartbeat / TTL expiry) a SECOND holder in the same process
* cannot start a concurrent cycle for the same space — it is rejected
* 'lock-held'. The cross-PROCESS race is handled by the Redis lock plus
* abort-on-refresh-failure (and, as a follow-up, fencing tokens).
*/
private static readonly liveLocks = new Map<string, string>();
constructor(redisService: RedisService) {
this.redis = redisService.getOrThrow();
@@ -70,26 +80,42 @@ export class SpaceLockService {
* lock that took over after our TTL expired. Used by the heartbeat in
* `withSpaceLock` so a long-running push (client-controlled receive-pack + the
* Docmost cycle) cannot outlive the lock and let a concurrent cycle race the
* working tree. Logs (warn) but never throws — a failed refresh must not break
* the cycle it is protecting.
* working tree. Never throws (a thrown timer callback would crash the process),
* but a refresh it cannot CONFIRM is treated as a LOST lock: it aborts the
* supplied controller so the in-flight protected fn stops instead of writing
* blind while another replica may already have taken over the lock.
*/
private async refreshLock(spaceId: string): Promise<void> {
private async refreshLock(
spaceId: string,
controller?: AbortController,
): Promise<void> {
const lua =
'if redis.call("get", KEYS[1]) == ARGV[1] then return redis.call("pexpire", KEYS[1], ARGV[2]) else return 0 end';
try {
await this.redis.eval(
const res = await this.redis.eval(
lua,
1,
GIT_SYNC_LOCK_PREFIX + spaceId,
this.instanceId,
String(GIT_SYNC_LOCK_TTL_MS),
);
// CAS miss (res !== 1): we no longer own the key — our TTL lapsed and
// another replica may hold it now. Abort the in-flight cycle rather than
// swallowing the loss and racing the working tree.
if (res !== 1) {
this.logger.warn(
`git-sync: lock for space ${spaceId} lost during refresh — aborting in-flight cycle`,
);
controller?.abort();
}
} catch (err) {
this.logger.warn(
`git-sync: failed to refresh lock for space ${spaceId}: ${
err instanceof Error ? err.message : String(err)
}`,
);
// A refresh we cannot confirm means we may no longer hold the lock; abort.
controller?.abort();
}
}
@@ -106,38 +132,50 @@ export class SpaceLockService {
*/
async withSpaceLock<T>(
spaceId: string,
fn: () => Promise<T>,
fn: (signal: AbortSignal) => Promise<T>,
): Promise<T | { skipped: 'lock-held' | 'in-progress' }> {
if (this.running.has(spaceId)) {
return { skipped: 'in-progress' };
}
// Cross-instance, same-process single-writer guard: another live holder (a
// different SpaceLockService in this process) is mid-cycle for this space.
// This survives a swallowed heartbeat / Redis TTL lapse, so a second writer
// in the process cannot race the working tree — it is rejected 'lock-held'.
if (SpaceLockService.liveLocks.has(spaceId)) {
return { skipped: 'lock-held' };
}
// Reserve the in-process slot synchronously (before any await) so two
// concurrent same-space calls on THIS instance cannot both pass the guard and
// race acquire(). Redis NX is already authoritative across replicas; this just
// closes the in-process TOCTOU window. Released in the outer finally on every
// path (acquire-failure, fn-throw, normal completion).
this.running.add(spaceId);
SpaceLockService.liveLocks.set(spaceId, this.instanceId);
try {
if (!(await this.acquire(spaceId))) {
return { skipped: 'lock-held' };
}
// Lost-lock signal: a failed/CAS-missed heartbeat refresh aborts this so the
// protected fn can stop instead of writing blind after our lock lapsed.
const controller = new AbortController();
// Heartbeat: periodically (≈ TTL/3) extend the lock's TTL while `fn` runs so
// a long push (client-controlled receive-pack + the Docmost cycle) cannot
// outlive the fixed TTL and let a concurrent cycle race the working tree. The
// refresh is CAS-guarded (only extends while WE own it). `.unref()` keeps the
// timer from holding the event loop open; it is ALWAYS cleared in `finally`.
const heartbeat = setInterval(() => {
void this.refreshLock(spaceId);
void this.refreshLock(spaceId, controller);
}, Math.max(1, Math.floor(GIT_SYNC_LOCK_TTL_MS / 3)));
heartbeat.unref?.();
try {
return await fn();
return await fn(controller.signal);
} finally {
clearInterval(heartbeat);
await this.release(spaceId);
}
} finally {
this.running.delete(spaceId);
SpaceLockService.liveLocks.delete(spaceId);
}
}
}

146
apps/server/src/integrations/git-sync/services/three-way-merge.ts
View File

@@ -50,22 +50,125 @@ function matchMap(pairs: Array<[number, number]>): Map<number, number> {
return m;
}
const keysEqual = (x: string[], y: string[]): boolean =>
x.length === y.length && x.every((v, k) => v === y[k]);
/**
* One change `side` made to `base` within a region: base blocks `[oStart,oEnd)`
* were replaced by the side's blocks listed in `content` (region-local indices).
* A pure insert has `oStart === oEnd`; a pure delete has empty `content`.
*/
interface Hunk {
oStart: number;
oEnd: number;
content: number[];
}
/**
* Resolve one region (the live slice, target slice, and base slice that occupy
* the same span between two anchors). 'target' (git) wins ties and conflicts.
* Diff `o` against one side as a list of non-overlapping hunks (the base spans
* the side rewrote/inserted/deleted), derived from their LCS alignment.
*/
function decideRegion(
aRegion: string[],
bRegion: string[],
oRegion: string[],
): 'live' | 'target' {
if (keysEqual(aRegion, bRegion)) return 'target'; // same edit on both sides
if (keysEqual(aRegion, oRegion)) return 'target'; // live unchanged -> git's edit
if (keysEqual(bRegion, oRegion)) return 'live'; // git unchanged -> human's edit
return 'target'; // genuine conflict -> git wins
function buildHunks(o: string[], side: string[]): Hunk[] {
const pairs = lcsPairs(o, side); // [oIdx, sideIdx] kept (unchanged) blocks
const hunks: Hunk[] = [];
let prevO = -1;
let prevS = -1;
const flush = (curO: number, curS: number): void => {
const oStart = prevO + 1;
const oEnd = curO;
const content: number[] = [];
for (let s = prevS + 1; s < curS; s++) content.push(s);
if (oEnd > oStart || content.length > 0) hunks.push({ oStart, oEnd, content });
};
for (const [oIdx, sIdx] of pairs) {
flush(oIdx, sIdx);
prevO = oIdx;
prevS = sIdx;
}
flush(o.length, side.length);
return hunks;
}
/**
* Do two hunks (one per side) touch the same base region? Pure inserts only
* collide when nested strictly inside the other hunk's base span (or, for two
* inserts, at the same gap); changes sitting at a shared boundary do not.
*/
function hunksOverlap(a: Hunk, b: Hunk): boolean {
const aIns = a.oStart === a.oEnd;
const bIns = b.oStart === b.oEnd;
if (aIns && bIns) return a.oStart === b.oStart;
if (aIns) return b.oStart < a.oStart && a.oStart < b.oEnd;
if (bIns) return a.oStart < b.oStart && b.oStart < a.oEnd;
return Math.max(a.oStart, b.oStart) < Math.min(a.oEnd, b.oEnd);
}
interface LocalPick {
src: 'live' | 'target';
local: number;
}
/**
* Fine-grained three-way merge of ONE inter-anchor region. Combines the human's
* and git's NON-overlapping hunks (e.g. a human edit to one block plus a git
* insert/delete of OTHER blocks in the same region) so neither change is lost.
* Returns the merged region as region-local picks, or `null` when the two sides
* changed the SAME base block — a genuine conflict the caller resolves by the
* original all-or-nothing rule (git wins the whole region).
*/
function tryMergeRegion(
o: string[],
a: string[],
b: string[],
): LocalPick[] | null {
const aHunks = buildHunks(o, a);
const bHunks = buildHunks(o, b);
// Any overlap between a human hunk and a git hunk is a real conflict; bail so
// the caller falls back to git-wins (preserving the original behavior).
for (const ah of aHunks) {
for (const bh of bHunks) {
if (hunksOverlap(ah, bh)) return null;
}
}
// Disjoint: live index of each base block that BOTH sides kept (stable).
const aKept = matchMap(lcsPairs(o, a)); // base index -> live index
const out: LocalPick[] = [];
let pa = 0;
let pb = 0;
let oi = 0;
while (oi < o.length || pa < aHunks.length || pb < bHunks.length) {
const ah = pa < aHunks.length ? aHunks[pa] : null;
const bh = pb < bHunks.length ? bHunks[pb] : null;
const nextStart = Math.min(
ah ? ah.oStart : o.length,
bh ? bh.oStart : o.length,
);
// Emit stable base blocks (kept by both) until the next hunk, from LIVE.
while (oi < nextStart) {
out.push({ src: 'live', local: aKept.get(oi) as number });
oi++;
}
if (!ah && !bh) break;
// Apply the hunk at oi. When both sides act here they are disjoint, so the
// pure-insert (oEnd === oi) is emitted before the side that consumes base oi.
const aHere = ah !== null && ah.oStart === oi;
const bHere = bh !== null && bh.oStart === oi;
let useA: boolean;
if (aHere && bHere) {
useA = ah!.oEnd === oi; // insert side first; otherwise either order is fine
} else {
useA = aHere;
}
const h = (useA ? ah : bh) as Hunk;
const src: 'live' | 'target' = useA ? 'live' : 'target';
for (const idx of h.content) out.push({ src, local: idx });
oi = h.oEnd;
if (useA) pa++;
else pb++;
}
return out;
}
export interface Pick {
@@ -96,13 +199,22 @@ export function diff3Plan(o: string[], a: string[], b: string[]): Pick[] {
const bEnd = anchor < o.length ? (oToB.get(anchor) as number) : b.length;
// Resolve the region [oi,anchor) that one or both sides rewrote/inserted.
const take = decideRegion(
// Try a fine-grained three-way merge first so a human block-edit survives a
// git insert/delete of OTHER blocks in the same region; only a genuine
// same-block conflict (null) falls back to the original git-wins rule.
const merged = tryMergeRegion(
o.slice(oi, anchor),
a.slice(ai, aEnd),
b.slice(bi, bEnd),
o.slice(oi, anchor),
);
if (take === 'live') {
for (let k = ai; k < aEnd; k++) res.push({ src: 'live', index: k });
if (merged) {
for (const p of merged) {
res.push(
p.src === 'live'
? { src: 'live', index: ai + p.local }
: { src: 'target', index: bi + p.local },
);
}
} else {
for (let k = bi; k < bEnd; k++) res.push({ src: 'target', index: k });
}