feat(git-sync): native GitmostDataSource + 'git-sync' provenance (Phase A.4a)

Native data plane for git-sync (plan §3, §8.1):
- provenance: widen actor to 'user'|'agent'|'git-sync' (jwt-payload,
  auth-provenance decorator); PersistenceExtension resolves lastUpdatedSource
  with precedence agent > git-sync > user, debounced history (like a human edit,
  not the agent's immediate snapshot).
- GitmostDataSourceService implements @docmost/git-sync's GitSyncClient natively:
  reads via PageRepo/SpaceRepo (listSpaceTree complete:true, getPageJson), writes
  via PageService (create/removePage soft-delete/movePage with computed fractional
  position/update-rename/restore) + the writeBody linchpin through collab
  openDirectConnection('page.'+id, {actor:'git-sync'}) mirroring
  collaboration.handler withYdocConnection 'replace'. bind({workspaceId,userId})
  returns the context-bound client for the orchestrator.
- 10 unit/contract tests (mapping + soft-delete + move-position), tsc clean.

Known gap (closed in A.4b): PageService.create/update/movePage only branch on
actor==='agent'; git-sync provenance is already passed through so the row source
marker propagates once PageService honors 'git-sync'. Module/orchestrator/config
come next.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
claude code agent 227
2026-06-21 14:52:06 +03:00
parent 7c3199f597
commit cdf2d2f2e9
6 changed files with 754 additions and 4 deletions
+9 -3
View File
@@ -3,8 +3,12 @@
* from the SIGNED token claim (never a request body), so 'agent' is unspoofable.
* Single source of truth so a typo like 'agnet' can't slip through as a bare
* string (#143 review). Distinct from `ActorType` (auth principal kind).
*
* 'git-sync' marks writes made by the git-sync data plane (plan §8.1). It NEVER
* travels in a user-facing token; it is set in-process on the collab connection
* context by the native datasource, so it cannot be spoofed from a request.
*/
export type ProvenanceSource = 'user' | 'agent';
export type ProvenanceSource = 'user' | 'agent' | 'git-sync';
export enum JwtType {
ACCESS = 'access',
@@ -26,7 +30,8 @@ export type JwtPayload = {
// normal user token (treated as 'user'); set only when the internal agent
// mints a provenance access token so REST writes (create/rename/move page,
// comment create/resolve) record a non-spoofable 'agent' marker (§6.5 / §15
// C3 / §14 N2).
// C3 / §14 N2). (git-sync writes use the in-process actor, not a token — see
// the ProvenanceSource note.)
actor?: ProvenanceSource;
// Nullable: an external MCP agent has no internal ai_chats row, so it carries
// an 'agent' actor with a null aiChatId.
@@ -39,7 +44,8 @@ export type JwtCollabPayload = {
type: 'collab';
// Optional agent-edit provenance, signed into the collab token. Absent for
// the human collab path (treated as 'user'); set only when the internal agent
// mints a provenance collab token (§6.6 / §15 C2).
// mints a provenance collab token (§6.6 / §15 C2). 'git-sync' (in ProvenanceSource)
// is accepted for type-compatibility with the in-process git-sync write path.
actor?: ProvenanceSource;
// Nullable: an external MCP agent has no internal ai_chats row, so it carries
// an 'agent' actor with a null aiChatId.