Closed #17 Bug enhancement

filed by gabriel human · 1 day ago

Unify signing identity resolution across all transport callers

0 Anchors

— Blast radius

— Churn 30d

0 Proposals

Background

Every command that calls HttpTransport must pass a SigningIdentity resolved against the actual target remote URL, not the repo's default hub URL. The two can differ — e.g. when a named remote points to staging while the repo's [hub] url is localhost:1337.

The current codebase has inconsistent patterns across callers. ls-remote had a concrete bug (HTTP 401 on staging) because it called get_signing_identity(root) before resolving the remote URL. Fix shipped in feat/test-merge-6. The remaining callers need auditing.

Callers of `fetch_remote_info` and their current pattern

File	Pattern	Status
`ls_remote.py`	`get_signing_identity(root, remote_url=url)` (post URL resolution)	✅ Fixed
`fetch.py`	`get_signing_identity(root, remote_url=url)`	✅ Correct
`clone.py`	`get_signing_identity(root, remote_url=url)`	✅ Correct
`pull.py`	`get_signing_identity(root)` (no remote_url)	⚠️ Needs audit
`push.py`	`get_signing_identity(root)` (no remote_url)	⚠️ Needs audit
`release.py`	needs audit	⚠️ Needs audit
`domains.py`	needs audit	⚠️ Needs audit

Also spotted

proposalType returned by the hub still uses state_merge — legacy value not covered by the alias cleanup (migration 0070 only handled mergeStrategy). Needs its own migration and enum cleanup.

Proposed phases

Phase 1 — Audit all callers Read each caller, verify whether remote_url is forwarded correctly to get_signing_identity. Document any that resolve against the wrong hostname.

Phase 2 — Fix callers For each broken caller: resolve URL first, then call get_signing_identity(root, remote_url=url). Add regression tests matching the pattern in test_cmd_ls_remote.py::TestSigningIdentityForwarding.

Phase 3 — proposalType canonical cleanup Add migration 0071 to rename state_merge → merge (and any other state_* / domain_* proposal type values). Update enum, service, MCP tools, and templates.

Phase 4 — Integration test Wire test that runs muse ls-remote, muse fetch, muse pull, muse push against a local hub instance with a non-default hub URL and asserts no 401s.

◎ Activity1

●

gabriel opened this issue 1 day ago

○

gabriel 1 day ago

Closing as duplicate. Consolidated into #20 with full audit results and accurate phase breakdown.

Assignee

○ unassigned

Release

no commits linked to this issue

create

muse hub issue create \
  --title "..." \
  --body "..." \
  --label bug \
  --anchor path/to/file.py::Symbol \
  --commit-anchor <sha> \
  --repo gabriel/muse

read

muse hub issue get 17 --json
muse hub issue list --state open --json

update

muse hub issue edit 17 \
  --anchor path/to/file.py::Symbol \
  --repo gabriel/muse

comment

muse hub issue comment 17 \
  --body "Fixed in <sha>" \
  --repo gabriel/muse

reopen

muse hub issue reopen 17 \
  --repo gabriel/muse

create

create_issue({
  repo_id: "sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec",
  title: "...",
  body: "...",
  labels: ["bug"],
  symbol_anchors: [
    "path/to/file.py::Symbol"
  ],
  commit_anchors: ["<sha>"]
})

read

get_issue({
  repo_id: "sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec",
  issue_number: 17
})

list_issues({
  repo_id: "sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec",
  state: "open"
})

update

edit_issue({
  repo_id: "sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec",
  issue_number: 17,
  symbol_anchors: ["path/to/file.py::Symbol"]
})

comment

create_issue_comment({
  repo_id: "sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec",
  issue_number: 17,
  body: "..."
})

reopen

reopen_issue({
  repo_id: "sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec",
  issue_number: 17
})

create

curl -X POST \
  http://localhost:10003/api/repos/sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec/issues \
  -H "Content-Type: application/json" \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\"" \
  -d '{
    "title": "...",
    "body": "...",
    "labels": ["bug"],
    "symbol_anchors": ["path/to/file.py::Symbol"]
  }'

read

# get one issue
curl http://localhost:10003/api/repos/sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec/issues/17

# list open issues
curl "http://localhost:10003/api/repos/sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec/issues?state=open"

update

curl -X PATCH \
  http://localhost:10003/api/repos/sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec/issues/17 \
  -H "Content-Type: application/json" \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\"" \
  -d '{"title": "...", "body": "..."}'

comment

curl -X POST \
  http://localhost:10003/api/repos/sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec/issues/17/comments \
  -H "Content-Type: application/json" \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\"" \
  -d '{"body": "Fixed in <sha>"}'

reopen

curl -X POST \
  http://localhost:10003/api/repos/sha256:200e8689fe34a831289bc1eca17633b2069d595379b7c2f57a158e35d8291bec/issues/17/reopen \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\""

Unify signing identity resolution across all transport callers

Background

Callers of fetch_remote_info and their current pattern

Also spotted

Proposed phases

Callers of `fetch_remote_info` and their current pattern