Skip to content

fix(gl): sign the CLI's /ipfs/pins reads under the #134 auth gate#146

Open
beardthelion wants to merge 5 commits into
mainfrom
fix/gl-sign-ipfs-pins
Open

fix(gl): sign the CLI's /ipfs/pins reads under the #134 auth gate#146
beardthelion wants to merge 5 commits into
mainfrom
fix/gl-sign-ipfs-pins

Conversation

@beardthelion

@beardthelion beardthelion commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

PR #134 gates /api/v1/ipfs/pins behind authentication (anonymous callers get 401). Two gl CLI call sites still hit it unsigned, so once #134 ships they break: gl ipfs list returns a hard 401, and the gl node status pins panel silently shows nothing. This signs both reads with the caller's identity through the existing NodeClient::get_signed, so the CLI keeps working under the gate.

Scope is pins-only:

  • gl ipfs list now loads the identity (via --dir, defaulting to the standard keystore) and signs the request. With no identity it fails with the existing gl identity new guidance instead of a raw 401, and it now surfaces a non-2xx response as an error rather than parsing it into an empty list.
  • gl node status loads the identity gracefully and signs only the pins panel, via an injectable fetch_pins helper with four states (pins, empty, unavailable, sign-in-required). The peers, repos, p2p, and events panels stay anonymous, and a pins failure never aborts the dashboard.

/api/v1/arweave/anchors (the other endpoint #134 gates) is never called by the CLI, so it is out of scope.

A note on behavior: the pin listing is visibility-filtered (every repo the caller can read, public plus their own private), not scoped to the caller's own objects. The auth requirement exists to stop anonymous enumeration of the node-wide pin index, so the CLI has to authenticate, but the result is the caller's readable view.

This should land in the same release as #134 so no published build ships the broken CLI.

Tests are mockito-based (no database): signed-header presence, the no-identity and non-2xx error paths, and all four node-status pins states including the transport-error and malformed-body branches. The gl suite passes (236 tests).

Closes the CLI regression noted in the #134 review.

Summary by CodeRabbit

  • Chores
    • Removed a large set of repository templates, CI workflows, release automation, and documentation files.
    • Simplified the codebase by removing many advanced app features and public API surfaces, including several repository, issue, pull request, peer, and task-related capabilities.
    • Updated a few remaining tracked files and sample content.

…gate

/api/v1/ipfs/pins now 401s anonymous callers (#134). Load the caller's
identity (--dir, default keystore) and use NodeClient::get_signed; when no
identity exists, propagate load_keypair_from_dir's existing 'gl identity new'
error instead of a raw 401. Tests: signed-headers present, empty, and
no-identity-issues-no-request (mockito).
The pins panel signs its /api/v1/ipfs/pins read (#134 gates it behind auth)
via an injectable fetch_pins helper with four states: pins, empty,
unavailable (signed read rejected/errored), and needs-identity (no keypair,
no request issued). cmd_status loads the identity gracefully so a missing
keystore never aborts status; peers/repos/p2p/events panels stay anonymous.
Tests drive fetch_pins directly against a mock node.
…el label

- gl ipfs list: check the /ipfs/pins response status before parsing, so a
  rejected signed read (e.g. 401) surfaces as an error instead of silently
  printing 'No IPFS pins recorded'. Matches the sibling gl ipfs get.
- gl node status: PinsPanel::Empty now renders 'Pinned CIDs: 0' (a reachable
  node with zero pins), reserving 'unavailable' for the failure state; the
  prior label reused 'IPFS not configured' and misreported the zero-pins case.
- Carry the resolved count in PinsPanel::Pins, removing the duplicated
  count-fallback closure between fetch_pins and the render arm.
Extract the pins-panel render into a testable pins_status_line helper and
assert all four states' output (closes the untested cmd_status render path,
including the empty->'Pinned CIDs: 0' label). Add fetch_pins tests for the
two error branches that were code-traced but unexecuted: a malformed 200
body and a transport error both degrade to Unavailable without panicking.
@beardthelion beardthelion added crate:attest gitlawb-attest — attestation and verification crate:core gitlawb-core — identity, certs, encrypt, DID/UCAN crate:git-remote git-remote-gitlawb — the git remote helper crate:gl gl — the contributor CLI crate:node gitlawb-node — the serving node and REST API kind:bug Defect fix — wrong or unsafe behavior subsystem:attestation Certificates, anchoring, per-ref attestation subsystem:encryption Encrypted subtrees, recipient blinding, key zeroization subsystem:identity DID/UCAN, http-sig auth, push authorization subsystem:peers Peer announce, discovery, and registry subsystem:replication Mirror, replica, and cross-node sync subsystem:storage Blob/object store, Arweave, IPFS, archives subsystem:visibility Path-scoped visibility and content withholding labels Jul 2, 2026
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ccd0964f-7b24-4812-821d-a602f25b1ed9

📥 Commits

Reviewing files that changed from the base of the PR and between 466a550 and ec367bc.

⛔ Files ignored due to path filters (3)
  • Cargo.lock is excluded by !**/*.lock
  • macos-app/Sources/GitlawbNode/Resources/MenuBarIcon.png is excluded by !**/*.png
  • macos-app/Sources/GitlawbNode/Resources/MenuBarIcon@2x.png is excluded by !**/*.png
📒 Files selected for processing (183)
  • .cargo/audit.toml
  • .env.example
  • .github/CODEOWNERS
  • .github/ISSUE_TEMPLATE/bug_report.yml
  • .github/ISSUE_TEMPLATE/config.yml
  • .github/ISSUE_TEMPLATE/feature_request.yml
  • .github/pull_request_template.md
  • .github/workflows/audit-schedule.yml
  • .github/workflows/pr-checks.yml
  • .github/workflows/pr-triage.yml
  • .github/workflows/release.yml
  • .github/workflows/stale.yml
  • .gitignore
  • .release-please-manifest.json
  • CHANGELOG.md
  • CONTRIBUTING.md
  • Cargo.toml
  • Dockerfile
  • Dockerfile.bins
  • LICENSE-APACHE
  • LICENSE-MIT
  • README.md
  • SECURITY.md
  • base.txt
  • bootstrap-peers.json
  • crates/git-remote-gitlawb/Cargo.toml
  • crates/git-remote-gitlawb/src/main.rs
  • crates/gitlawb-attest/Cargo.toml
  • crates/gitlawb-attest/src/attestation.rs
  • crates/gitlawb-attest/src/cert.rs
  • crates/gitlawb-attest/src/error.rs
  • crates/gitlawb-attest/src/lib.rs
  • crates/gitlawb-attest/src/verifier.rs
  • crates/gitlawb-attest/tests/canonical_vectors.rs
  • crates/gitlawb-attest/tests/with_gitlawb_core.rs
  • crates/gitlawb-core/Cargo.toml
  • crates/gitlawb-core/src/cert.rs
  • crates/gitlawb-core/src/cid.rs
  • crates/gitlawb-core/src/did.rs
  • crates/gitlawb-core/src/encrypt.rs
  • crates/gitlawb-core/src/error.rs
  • crates/gitlawb-core/src/http_sig.rs
  • crates/gitlawb-core/src/identity.rs
  • crates/gitlawb-core/src/lib.rs
  • crates/gitlawb-core/src/ucan.rs
  • crates/gitlawb-node/Cargo.toml
  • crates/gitlawb-node/src/api/agents.rs
  • crates/gitlawb-node/src/api/arweave.rs
  • crates/gitlawb-node/src/api/bounties.rs
  • crates/gitlawb-node/src/api/certs.rs
  • crates/gitlawb-node/src/api/changelog.rs
  • crates/gitlawb-node/src/api/encrypted.rs
  • crates/gitlawb-node/src/api/events.rs
  • crates/gitlawb-node/src/api/ipfs.rs
  • crates/gitlawb-node/src/api/issues.rs
  • crates/gitlawb-node/src/api/labels.rs
  • crates/gitlawb-node/src/api/mod.rs
  • crates/gitlawb-node/src/api/peers.rs
  • crates/gitlawb-node/src/api/profiles.rs
  • crates/gitlawb-node/src/api/protect.rs
  • crates/gitlawb-node/src/api/pulls.rs
  • crates/gitlawb-node/src/api/register.rs
  • crates/gitlawb-node/src/api/replicas.rs
  • crates/gitlawb-node/src/api/repos.rs
  • crates/gitlawb-node/src/api/resolve.rs
  • crates/gitlawb-node/src/api/stars.rs
  • crates/gitlawb-node/src/api/tasks.rs
  • crates/gitlawb-node/src/api/visibility.rs
  • crates/gitlawb-node/src/api/webhooks.rs
  • crates/gitlawb-node/src/arweave.rs
  • crates/gitlawb-node/src/auth/mod.rs
  • crates/gitlawb-node/src/bootstrap.rs
  • crates/gitlawb-node/src/cert.rs
  • crates/gitlawb-node/src/config.rs
  • crates/gitlawb-node/src/db/mod.rs
  • crates/gitlawb-node/src/encrypted_pin.rs
  • crates/gitlawb-node/src/error.rs
  • crates/gitlawb-node/src/git/issues.rs
  • crates/gitlawb-node/src/git/mod.rs
  • crates/gitlawb-node/src/git/push_delta.rs
  • crates/gitlawb-node/src/git/repo_store.rs
  • crates/gitlawb-node/src/git/smart_http.rs
  • crates/gitlawb-node/src/git/store.rs
  • crates/gitlawb-node/src/git/tigris.rs
  • crates/gitlawb-node/src/git/visibility_pack.rs
  • crates/gitlawb-node/src/graphql/mod.rs
  • crates/gitlawb-node/src/graphql/mutation.rs
  • crates/gitlawb-node/src/graphql/query.rs
  • crates/gitlawb-node/src/graphql/subscription.rs
  • crates/gitlawb-node/src/graphql/types.rs
  • crates/gitlawb-node/src/icaptcha.rs
  • crates/gitlawb-node/src/ipfs_pin.rs
  • crates/gitlawb-node/src/main.rs
  • crates/gitlawb-node/src/metrics.rs
  • crates/gitlawb-node/src/operator.rs
  • crates/gitlawb-node/src/p2p/mod.rs
  • crates/gitlawb-node/src/pinata.rs
  • crates/gitlawb-node/src/rate_limit.rs
  • crates/gitlawb-node/src/server.rs
  • crates/gitlawb-node/src/state.rs
  • crates/gitlawb-node/src/sync.rs
  • crates/gitlawb-node/src/test_support.rs
  • crates/gitlawb-node/src/visibility.rs
  • crates/gitlawb-node/src/webhooks.rs
  • crates/gl/Cargo.toml
  • crates/gl/src/agent.rs
  • crates/gl/src/bounty.rs
  • crates/gl/src/cert.rs
  • crates/gl/src/changelog.rs
  • crates/gl/src/clone.rs
  • crates/gl/src/doctor.rs
  • crates/gl/src/http.rs
  • crates/gl/src/identity.rs
  • crates/gl/src/init.rs
  • crates/gl/src/ipfs_cmd.rs
  • crates/gl/src/issue.rs
  • crates/gl/src/main.rs
  • crates/gl/src/mcp.rs
  • crates/gl/src/mirror.rs
  • crates/gl/src/name.rs
  • crates/gl/src/node.rs
  • crates/gl/src/node_stake.rs
  • crates/gl/src/peer.rs
  • crates/gl/src/pr.rs
  • crates/gl/src/profile.rs
  • crates/gl/src/protect.rs
  • crates/gl/src/quickstart.rs
  • crates/gl/src/register.rs
  • crates/gl/src/repo.rs
  • crates/gl/src/star.rs
  • crates/gl/src/status.rs
  • crates/gl/src/sync.rs
  • crates/gl/src/task.rs
  • crates/gl/src/ucan_cmd.rs
  • crates/gl/src/visibility.rs
  • crates/gl/src/webhook.rs
  • crates/gl/src/whoami.rs
  • docker-compose.yml
  • docs/ECONOMICS.md
  • docs/MAINTAINER-ROADMAP.md
  • docs/OSS-READINESS-AUDIT.md
  • docs/RUN-A-NODE.md
  • infra/README.md
  • infra/aws/.gitignore
  • infra/aws/.terraform.lock.hcl
  • infra/aws/README.md
  • infra/aws/compose.yaml.tftpl
  • infra/aws/main.tf
  • infra/aws/monitoring.tf
  • infra/aws/outputs.tf
  • infra/aws/rds.tf
  • infra/aws/terraform.tfvars.example
  • infra/aws/user-data.sh.tftpl
  • infra/aws/variables.tf
  • infra/aws/versions.tf
  • infra/fly/fly.toml
  • install.ps1
  • install.sh
  • macos-app/.gitignore
  • macos-app/Package.swift
  • macos-app/Sources/GitlawbNode/AppDelegate.swift
  • macos-app/Sources/GitlawbNode/Config.swift
  • macos-app/Sources/GitlawbNode/DockerCompose.swift
  • macos-app/Sources/GitlawbNode/DockerDetector.swift
  • macos-app/Sources/GitlawbNode/Info.plist
  • macos-app/Sources/GitlawbNode/Resources/AppIcon.icns
  • macos-app/Sources/GitlawbNode/Resources/docker-compose.yml
  • macos-app/Sources/GitlawbNode/SettingsWindow.swift
  • macos-app/Sources/GitlawbNode/StatusBarController.swift
  • macos-app/Sources/GitlawbNode/main.swift
  • npm/.gitignore
  • npm/README.md
  • npm/packages/gl-darwin-arm64/package.json
  • npm/packages/gl-darwin-x64/package.json
  • npm/packages/gl-linux-arm64/package.json
  • npm/packages/gl-linux-x64/package.json
  • npm/packages/gl/README.md
  • npm/packages/gl/bin/.gitkeep
  • npm/packages/gl/install.js
  • npm/packages/gl/package.json
  • release-please-config.json
  • scripts/build-bins.sh
  • scripts/build-macos-app.sh
💤 Files with no reviewable changes (81)
  • LICENSE-MIT
  • crates/gitlawb-node/src/api/events.rs
  • .github/ISSUE_TEMPLATE/feature_request.yml
  • crates/gitlawb-attest/tests/with_gitlawb_core.rs
  • SECURITY.md
  • .github/CODEOWNERS
  • .env.example
  • .github/workflows/audit-schedule.yml
  • crates/gitlawb-core/src/cid.rs
  • .github/pull_request_template.md
  • CONTRIBUTING.md
  • README.md
  • .github/workflows/stale.yml
  • .github/ISSUE_TEMPLATE/config.yml
  • crates/gitlawb-attest/src/error.rs
  • crates/gitlawb-node/src/api/repos.rs
  • .gitignore
  • crates/gitlawb-attest/src/verifier.rs
  • bootstrap-peers.json
  • crates/gitlawb-core/Cargo.toml
  • .github/ISSUE_TEMPLATE/bug_report.yml
  • crates/gitlawb-node/src/error.rs
  • crates/gitlawb-node/src/cert.rs
  • crates/gitlawb-node/src/api/resolve.rs
  • crates/gitlawb-node/src/api/visibility.rs
  • crates/gitlawb-node/Cargo.toml
  • crates/gitlawb-attest/tests/canonical_vectors.rs
  • .release-please-manifest.json
  • .cargo/audit.toml
  • crates/gitlawb-core/src/lib.rs
  • crates/gitlawb-node/src/git/mod.rs
  • crates/gitlawb-node/src/api/certs.rs
  • crates/git-remote-gitlawb/Cargo.toml
  • crates/gitlawb-node/src/config.rs
  • crates/gitlawb-node/src/git/store.rs
  • crates/git-remote-gitlawb/src/main.rs
  • Cargo.toml
  • crates/gitlawb-node/src/api/changelog.rs
  • crates/gitlawb-core/src/error.rs
  • .github/workflows/pr-checks.yml
  • LICENSE-APACHE
  • .github/workflows/release.yml
  • crates/gitlawb-node/src/api/protect.rs
  • crates/gitlawb-node/src/api/encrypted.rs
  • crates/gitlawb-node/src/api/arweave.rs
  • crates/gitlawb-node/src/encrypted_pin.rs
  • Dockerfile.bins
  • .github/workflows/pr-triage.yml
  • crates/gitlawb-node/src/api/register.rs
  • crates/gitlawb-node/src/api/agents.rs
  • crates/gitlawb-attest/src/attestation.rs
  • crates/gitlawb-node/src/api/stars.rs
  • crates/gitlawb-node/src/api/labels.rs
  • crates/gitlawb-node/src/api/replicas.rs
  • crates/gitlawb-node/src/arweave.rs
  • crates/gitlawb-node/src/api/webhooks.rs
  • crates/gitlawb-core/src/identity.rs
  • crates/gitlawb-core/src/cert.rs
  • crates/gitlawb-core/src/did.rs
  • crates/gitlawb-core/src/http_sig.rs
  • crates/gitlawb-node/src/git/smart_http.rs
  • crates/gitlawb-node/src/bootstrap.rs
  • crates/gitlawb-node/src/auth/mod.rs
  • crates/gitlawb-attest/src/lib.rs
  • crates/gitlawb-attest/src/cert.rs
  • crates/gitlawb-attest/Cargo.toml
  • CHANGELOG.md
  • Dockerfile
  • crates/gitlawb-node/src/api/peers.rs
  • crates/gitlawb-node/src/git/issues.rs
  • crates/gitlawb-node/src/api/ipfs.rs
  • crates/gitlawb-node/src/api/mod.rs
  • crates/gitlawb-node/src/api/tasks.rs
  • crates/gitlawb-node/src/api/profiles.rs
  • crates/gitlawb-node/src/api/pulls.rs
  • crates/gitlawb-core/src/encrypt.rs
  • crates/gitlawb-node/src/git/push_delta.rs
  • crates/gitlawb-node/src/api/issues.rs
  • crates/gitlawb-node/src/git/repo_store.rs
  • crates/gitlawb-node/src/api/bounties.rs
  • crates/gitlawb-core/src/ucan.rs

📝 Walkthrough

Walkthrough

This PR deletes nearly the entire repository: all Rust crates (gitlawb-core, gitlawb-node, gitlawb-attest, git-remote-gitlawb), workspace configuration, Dockerfiles, CI/CD workflows, issue templates, licenses, documentation, and configuration files. The only addition is a single line written to base.txt.

Changes

Repository-wide deletion and single-file addition

Layer / File(s) Summary
Core crate removal
crates/gitlawb-core/src/*, crates/gitlawb-core/Cargo.toml
All identity, DID, certificate, encryption, HTTP-signature, UCAN, and error modules for the core crate are deleted.
Node service removal
crates/gitlawb-node/src/api/*, crates/gitlawb-node/src/git/*, crates/gitlawb-node/src/{auth,bootstrap,cert,config,error,arweave,encrypted_pin}.rs, crates/gitlawb-node/Cargo.toml
All API handlers, git storage/smart-HTTP/push-delta logic, auth middleware, config, and supporting node modules are deleted.
Attestation crate removal
crates/gitlawb-attest/src/*, crates/gitlawb-attest/tests/*, crates/gitlawb-attest/Cargo.toml
Attestation, certificate, verifier, and error modules along with their tests are deleted.
Git remote helper removal
crates/git-remote-gitlawb/src/main.rs, crates/git-remote-gitlawb/Cargo.toml
The git-remote-gitlawb binary implementation and manifest are deleted.
Build, container, and workspace config removal
Cargo.toml, Dockerfile, Dockerfile.bins, .gitignore, .env.example, bootstrap-peers.json
Workspace manifest, container build definitions, ignore rules, environment template, and bootstrap peer list are deleted.
CI/CD, governance, and documentation removal
.github/workflows/*, .github/ISSUE_TEMPLATE/*, .github/CODEOWNERS, .github/pull_request_template.md, .cargo/audit.toml, .release-please-manifest.json, README.md, CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, LICENSE-APACHE, LICENSE-MIT
All GitHub Actions workflows, issue/PR templates, code ownership rules, audit configuration, release manifest, and project documentation/licenses are deleted.
New file content
base.txt
A single line "base" is added to the previously empty file.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

  • Gitlawb/node#25: Deletes the visibility implementation that PR #25 originally added.
  • Gitlawb/node#87: Deletes the same authorization-related API modules that PR #87 modified.
  • Gitlawb/node#127: Deletes the same release pipeline files that PR #127 changed.

Suggested labels: sev:medium, subsystem:api, kind:security

Suggested reviewers: jatmn

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: signing CLI reads to /ipfs/pins under the new auth gate.
Description check ✅ Passed The description covers the summary, motivation, scope, and tests, and is mostly complete despite not matching the template headings exactly.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/gl-sign-ipfs-pins

Comment @coderabbitai help to get the list of available commands.

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found an issue that needs to be addressed before this is ready.

Findings

  • [P2] Let gl node status use the same identity directory as the signed pins list
    crates/gl/src/node.rs:22
    This PR adds --dir to gl ipfs list and signs that request with the selected identity, but the other pins caller still has no identity-directory option: gl node status --help only exposes --node, and the implementation always calls load_keypair_from_dir(None). Users who created or selected an identity with --dir can make gl ipfs list --dir ... work, but the status dashboard will still render the pins panel as “sign in to view” because it cannot load that same key. Please add a dir option to NodeCmd::Status and pass it into the pins fetch path so both CLI callers can authenticate consistently.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

crate:attest gitlawb-attest — attestation and verification crate:core gitlawb-core — identity, certs, encrypt, DID/UCAN crate:git-remote git-remote-gitlawb — the git remote helper crate:gl gl — the contributor CLI crate:node gitlawb-node — the serving node and REST API kind:bug Defect fix — wrong or unsafe behavior subsystem:attestation Certificates, anchoring, per-ref attestation subsystem:encryption Encrypted subtrees, recipient blinding, key zeroization subsystem:identity DID/UCAN, http-sig auth, push authorization subsystem:peers Peer announce, discovery, and registry subsystem:replication Mirror, replica, and cross-node sync subsystem:storage Blob/object store, Arweave, IPFS, archives subsystem:visibility Path-scoped visibility and content withholding

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants