Merge pull request #42 from tstromberg/main

add env var for tier enforcement

Author: tstromberg

cmd/server/main.go

@@ -53,7 +53,12 @@ var (
 		return "*"
 	}(), "Comma-separated list of allowed webhook event types (use '*' for all, default: '*')")
 	debugHeaders = flag.Bool("debug-headers", false, "Log request headers for debugging (security warning: may log sensitive data)")
-	enforceTiers = flag.Bool("enforce-tiers", false, "Enforce GitHub Marketplace tier restrictions (default: false, logs warnings only)")
+	enforceTiers = flag.Bool("enforce-tiers", func() bool {
+		if val := os.Getenv("ENFORCE_TIERS"); val != "" {
+			return val == "true" || val == "1"
+		}
+		return false
+	}(), "Enforce GitHub Marketplace tier restrictions (default: false, logs warnings only; can set via ENFORCE_TIERS env)")
 )
 
 //nolint:funlen,gocognit,lll,revive,maintidx // Main function orchestrates entire server setup and cannot be split without losing clarity

pkg/github/mock.go

@@ -8,16 +8,18 @@ import (
 
 // MockClient is a mock GitHub API client for testing.
 // Thread-safe for concurrent access.
+//
+//nolint:govet // fieldalignment: minimal impact, current order is logical
 type MockClient struct {
+	Orgs                       []string
 	Err                        error
 	Username                   string
 	LastValidatedOrg           string
-	Orgs                       []string
 	Tier                       Tier // Mock tier to return
+	mu                         sync.Mutex
 	UserAndOrgsCalls           int
 	ValidateOrgMembershipCalls int
 	UserTierCalls              int
-	mu                         sync.Mutex
 }
 
 // UserAndOrgs returns the mock user info.

pkg/github/tier.go

@@ -95,25 +95,21 @@ func (c *Client) UserTier(ctx context.Context, username string) (Tier, error) {
 		return TierFree, fmt.Errorf("failed to parse marketplace response: %w", err)
 	}
 
-	tier := mapPlanToTier(account.Plan.Name)
+	// Map plan name to tier (update when marketplace listing is approved)
+	var tier Tier
+	switch strings.ToLower(account.Plan.Name) {
+	case "pro":
+		tier = TierPro
+	case "flock", "team", "enterprise":
+		tier = TierFlock
+	default:
+		tier = TierFree
+	}
+
 	c.logger.Info("marketplace tier detected",
 		"username", username,
 		"plan", account.Plan.Name,
 		"tier", tier)
 
 	return tier, nil
 }
-
-// mapPlanToTier maps GitHub Marketplace plan names to internal tier constants.
-// Update this function when your marketplace listing is approved with the actual plan names.
-func mapPlanToTier(planName string) Tier {
-	switch strings.ToLower(planName) {
-	case "pro":
-		return TierPro
-	case "flock", "team", "enterprise":
-		return TierFlock
-	default:
-		// Unknown plan names default to free tier
-		return TierFree
-	}
-}

pkg/github/tier_cache.go

@@ -7,18 +7,20 @@ import (
 
 // TierCache caches tier lookups to reduce API calls to GitHub Marketplace.
 // Implements thread-safe in-memory caching with TTL expiration.
+//
+//nolint:govet // fieldalignment: minimal impact, current order is logical
 type TierCache struct {
 	mu      sync.RWMutex
 	cache   map[string]*tierEntry
-	ttl     time.Duration
 	stopCh  chan struct{}
 	stopped chan struct{}
+	ttl     time.Duration
 }
 
 // tierEntry represents a cached tier with expiration.
 type tierEntry struct {
-	tier      Tier
 	expiresAt time.Time
+	tier      Tier
 }
 
 // NewTierCache creates a new tier cache with the specified TTL.

pkg/srv/client.go

@@ -44,16 +44,18 @@ import (
 //	  4. defer closeWebSocket() closes the WebSocket connection only
 //	  5. Client.Run() sees context cancellation, exits, calls defer client.Close()
 //	  6. Hub.Run() processes unregister, calls client.Close() (idempotent via sync.Once)
+//
+//nolint:govet // fieldalignment: minimal impact, current order is logical
 type Client struct {
+	subscription Subscription
+	ID           string
+	tier         github.Tier // GitHub Marketplace tier
 	conn         *websocket.Conn
 	send         chan Event
 	control      chan map[string]any // Control messages (pongs, shutdown notices)
 	hub          *Hub
 	done         chan struct{}
 	userOrgs     map[string]bool
-	ID           string
-	subscription Subscription
-	tier         github.Tier // GitHub Marketplace tier
 	closeOnce    sync.Once
 	closed       uint32 // Atomic flag: 1 if closed, 0 if open
 }

pkg/srv/subscription.go

@@ -244,34 +244,19 @@ func matchesPRSubscription(sub Subscription, payload map[string]any, eventOrg st
 	return false
 }
 
-// repoInfo holds repository metadata extracted from event payloads.
-type repoInfo struct {
-	Private  bool
-	FullName string
-}
-
-// extractRepoFromPayload extracts repository information from a GitHub webhook payload.
-// Returns nil if no repository information is found in the payload.
-func extractRepoFromPayload(payload map[string]any) *repoInfo {
+// extractRepoInfo extracts repository private status and full name from webhook payload.
+// Returns (private, fullName, ok) where ok is false if repository data is missing.
+//
+//nolint:errcheck,revive // Type assertions intentionally unchecked; defaults are correct
+func extractRepoInfo(payload map[string]any) (private bool, fullName string, ok bool) {
 	repoData, ok := payload["repository"].(map[string]any)
 	if !ok {
-		return nil
-	}
-
-	private, ok := repoData["private"].(bool)
-	if !ok {
-		private = false // Default to false if not present
+		return false, "", false
 	}
 
-	fullName, ok := repoData["full_name"].(string)
-	if !ok {
-		fullName = "" // Default to empty string if not present
-	}
-
-	return &repoInfo{
-		Private:  private,
-		FullName: fullName,
-	}
+	private, _ = repoData["private"].(bool)
+	fullName, _ = repoData["full_name"].(string)
+	return private, fullName, true
 }
 
 // matchesForTest is a test helper that creates a minimal client for testing.
@@ -294,21 +279,15 @@ func matches(ctx context.Context, client *Client, event Event, payload map[strin
 	sub := client.subscription
 	userOrgs := client.userOrgs
 
-	// Extract repository info early to check private repo access
-	repo := extractRepoFromPayload(payload)
-
 	// Filter private repo events based on tier
-	if repo != nil && repo.Private {
-		canAccess := client.CanAccessPrivateRepos()
-		enforceTiers := client.hub.enforceTiers
-
-		if !canAccess {
-			if enforceTiers {
+	if private, repoName, ok := extractRepoInfo(payload); ok && private {
+		if !client.CanAccessPrivateRepos() {
+			if client.hub.enforceTiers {
 				// Enforcement is active - actually filter the event
 				logger.Info(ctx, "filtering private repo event (tier enforcement active)", logger.Fields{
 					"user":       sub.Username,
 					"tier":       string(client.tier),
-					"repo":       repo.FullName,
+					"repo":       repoName,
 					"event_type": event.Type,
 				})
 				return false
@@ -317,7 +296,7 @@ func matches(ctx context.Context, client *Client, event Event, payload map[strin
 			logger.Warn(ctx, "would filter private repo event if enforcement was active", logger.Fields{
 				"user":       sub.Username,
 				"tier":       string(client.tier),
-				"repo":       repo.FullName,
+				"repo":       repoName,
 				"event_type": event.Type,
 				"suggestion": "upgrade to Pro or Flock tier for private repo access",
 			})