void_core/collab/manifest/

contributors.rs

//! Contributor management operations.
//!
//! This module provides functions for managing repository contributors:
//! - Listing contributors
//! - Adding contributors (with ECIES key wrapping)
//! - Removing contributors (with key rotation warnings)
//!
//! In Phase 3, only the repository owner can add/remove contributors.
//! Delegation is planned for Phase 5.

use std::path::Path;
use std::time::{SystemTime, UNIX_EPOCH};

use crate::collab::Identity;
use crate::VoidError;

use super::io::{detect_repo_mode, load_manifest, load_repo_key, save_manifest, RepoMode};
use super::keys::{ecies_wrap_key, ContributorId, RecipientPubKey, SigningPubKey};
use super::types::Contributor;

// ============================================================================
// ContributorInfo — Information about a contributor for display/API
// ============================================================================

/// Information about a contributor for display and API purposes.
#[derive(Debug, Clone)]
pub struct ContributorInfo {
    /// Ed25519 public key for signature verification.
    pub signing_pubkey: SigningPubKey,
    /// X25519 public key for ECIES encryption.
    pub recipient_pubkey: RecipientPubKey,
    /// Human-readable name (if set).
    pub name: Option<String>,
    /// Unix timestamp when the contributor was added.
    pub added_at: u64,
    /// Signing key of the user who added this contributor.
    pub added_by: SigningPubKey,
    /// Whether this contributor is the repository owner.
    pub is_owner: bool,
}

impl ContributorInfo {
    /// Create from a Contributor and ownership status.
    pub fn from_contributor(contributor: &Contributor, is_owner: bool) -> Self {
        Self {
            signing_pubkey: contributor.identity.signing.clone(),
            recipient_pubkey: contributor.identity.recipient.clone(),
            name: contributor.name.clone(),
            added_at: contributor.added_at,
            added_by: contributor.added_by.clone(),
            is_owner,
        }
    }
}

// ============================================================================
// list_contributors — List all contributors
// ============================================================================

/// List all contributors in a collaboration-mode repository.
///
/// # Arguments
/// * `void_dir` - Path to the .void directory
/// * `_identity` - The caller's identity (reserved for future authorization checks)
///
/// # Returns
/// A list of `ContributorInfo` for each contributor.
///
/// # Errors
/// - `NotInitialized` if not in a void repository
pub fn list_contributors(void_dir: &Path, _identity: &Identity) -> Result<Vec<ContributorInfo>, VoidError> {
    // Check repo mode
    let mode = detect_repo_mode(void_dir);
    if mode == RepoMode::Uninitialized {
        return Err(VoidError::NotInitialized);
    }

    // Load the manifest
    let manifest = load_manifest(void_dir)?
        .ok_or_else(|| VoidError::NotFound("Manifest not found".into()))?;

    // Convert contributors to ContributorInfo
    let contributors: Vec<ContributorInfo> = manifest
        .contributors
        .iter()
        .map(|c| {
            let is_owner = manifest.is_owner_or_identity(&c.identity.signing);
            ContributorInfo::from_contributor(c, is_owner)
        })
        .collect();

    Ok(contributors)
}

// ============================================================================
// add_contributor — Add a new contributor
// ============================================================================

/// Add a new contributor to the repository.
///
/// This is owner-only in Phase 3. The function:
/// 1. Verifies the caller is the repository owner
/// 2. Checks the new identity is not already a contributor
/// 3. Wraps the repo key using ECIES for the new contributor
/// 4. Creates a signed Contributor entry
/// 5. Updates and saves the manifest
///
/// # Arguments
/// * `void_dir` - Path to the .void directory
/// * `identity` - The caller's identity (must be owner)
/// * `new_identity` - The new contributor's identity (signing + recipient pubkeys)
/// * `name` - Optional human-readable name for the contributor
///
/// # Errors
/// - `NotInitialized` if not in a void repository
/// - `Unauthorized` if caller is not the owner
/// - `Conflict` if identity is already a contributor
pub fn add_contributor(
    void_dir: &Path,
    identity: &Identity,
    new_identity: &ContributorId,
    name: Option<String>,
) -> Result<(), VoidError> {
    // Check repo mode
    let mode = detect_repo_mode(void_dir);
    if mode == RepoMode::Uninitialized {
        return Err(VoidError::NotInitialized);
    }

    // Load the repo key (needed for ECIES key wrapping)
    let repo_key = load_repo_key(void_dir, Some(identity))?;

    // Load the manifest
    let mut manifest = load_manifest(void_dir)?
        .ok_or_else(|| VoidError::NotFound("Manifest not found".into()))?;

    // Verify caller is the owner (checks both repo owner key and identity key via delegation cert)
    let caller_signing = identity.signing_pubkey();
    if !manifest.is_owner_or_identity(&caller_signing) {
        return Err(VoidError::Unauthorized(
            "Only the repository owner can add contributors".into(),
        ));
    }

    // Check if already a contributor
    if manifest.find_contributor(&new_identity.signing).is_some() {
        return Err(VoidError::Conflict(
            "Identity is already a contributor".into(),
        ));
    }

    // Wrap the repo key for the new contributor using ECIES
    let wrapped_key = ecies_wrap_key(&repo_key, &new_identity.recipient)?;

    // Create the contributor entry
    let added_at = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .unwrap_or_default()
        .as_millis() as u64;

    // Build signable bytes for the contributor addition
    let mut signable = Vec::new();
    signable.extend(added_at.to_le_bytes());
    signable.extend(new_identity.signing.as_bytes());
    signable.extend(new_identity.recipient.as_bytes());
    signable.extend(caller_signing.as_bytes());

    // Sign the contributor addition
    let signature = identity.sign(&signable);

    let contributor = Contributor {
        identity: new_identity.clone(),
        name,
        nostr_pubkey: None,
        added_at,
        added_by: caller_signing,
        signature: signature.to_vec(),
    };

    // Add to manifest
    manifest.contributors.push(contributor);

    // Add wrapped key to read_keys
    manifest
        .read_keys
        .wrapped
        .insert(new_identity.signing.clone(), wrapped_key);

    // Save the updated manifest
    save_manifest(void_dir, &manifest)?;

    Ok(())
}

// ============================================================================
// RemoveResult — Result of removing a contributor
// ============================================================================

/// Result of removing a contributor.
#[derive(Debug, Clone)]
pub struct RemoveResult {
    /// The removed contributor's name (if set).
    pub removed_name: Option<String>,
    /// The removed contributor's signing public key.
    pub removed_signing_pubkey: SigningPubKey,
    /// Whether key rotation is recommended after this removal.
    ///
    /// Key rotation is always recommended when removing contributors because
    /// they may have cached the unwrapped repo key.
    pub key_rotation_recommended: bool,
}

// ============================================================================
// remove_contributor — Remove a contributor
// ============================================================================

/// Remove a contributor from the repository.
///
/// This is owner-only in Phase 3. The contributor can be matched by:
/// - Exact name (case-insensitive)
/// - Signing public key hex prefix (at least 8 characters)
///
/// The owner cannot be removed.
///
/// # Arguments
/// * `void_dir` - Path to the .void directory
/// * `identity` - The caller's identity (must be owner)
/// * `target` - Name or hex pubkey prefix to match
///
/// # Returns
/// A `RemoveResult` with details about the removed contributor.
///
/// # Errors
/// - `NotInitialized` if not in a void repository
/// - `Unauthorized` if caller is not the owner or trying to remove owner
/// - `NotFound` if no matching contributor found
pub fn remove_contributor(
    void_dir: &Path,
    identity: &Identity,
    target: &str,
) -> Result<RemoveResult, VoidError> {
    // Check repo mode
    let mode = detect_repo_mode(void_dir);
    if mode == RepoMode::Uninitialized {
        return Err(VoidError::NotInitialized);
    }

    // Load the manifest
    let mut manifest = load_manifest(void_dir)?
        .ok_or_else(|| VoidError::NotFound("Manifest not found".into()))?;

    // Verify caller is the owner (checks both repo owner key and identity key via delegation cert)
    let caller_signing = identity.signing_pubkey();
    if !manifest.is_owner_or_identity(&caller_signing) {
        return Err(VoidError::Unauthorized(
            "Only the repository owner can remove contributors".into(),
        ));
    }

    // Find the contributor to remove
    let target_lower = target.to_lowercase();
    let index = manifest
        .contributors
        .iter()
        .position(|c| {
            // Match by name (case-insensitive)
            if let Some(ref name) = c.name {
                if name.to_lowercase() == target_lower {
                    return true;
                }
            }
            // Match by pubkey hex prefix (at least 8 chars for uniqueness)
            let pubkey_hex = c.identity.signing.to_hex();
            if target.len() >= 8 && pubkey_hex.starts_with(&target_lower) {
                return true;
            }
            false
        })
        .ok_or_else(|| {
            VoidError::NotFound(format!(
                "No contributor found matching '{}'. Use name or pubkey prefix (8+ chars).",
                target
            ))
        })?;

    // Get the contributor before removal
    let contributor = &manifest.contributors[index];

    // Cannot remove the owner
    if manifest.is_owner(&contributor.identity.signing) {
        return Err(VoidError::Unauthorized(
            "Cannot remove the repository owner".into(),
        ));
    }

    // Save info for result before removal
    let removed_name = contributor.name.clone();
    let removed_signing_pubkey = contributor.identity.signing.clone();

    // Remove from contributors list
    manifest.contributors.remove(index);

    // Remove from read_keys.wrapped
    manifest.read_keys.wrapped.remove(&removed_signing_pubkey);

    // Save the updated manifest
    save_manifest(void_dir, &manifest)?;

    Ok(RemoveResult {
        removed_name,
        removed_signing_pubkey,
        key_rotation_recommended: true,
    })
}

// ============================================================================
// RenameResult — Result of renaming a contributor
// ============================================================================

/// Result of renaming a contributor.
#[derive(Debug, Clone)]
pub struct RenameResult {
    /// The contributor's previous name (if set).
    pub old_name: Option<String>,
    /// The new name assigned.
    pub new_name: String,
    /// The contributor's signing public key.
    pub signing_pubkey: SigningPubKey,
}

// ============================================================================
// rename_contributor — Rename a contributor
// ============================================================================

/// Rename a contributor in the repository.
///
/// This is owner-only in Phase 3. The contributor can be matched by:
/// - Exact name (case-insensitive)
/// - Signing public key hex prefix (at least 8 characters)
///
/// # Arguments
/// * `void_dir` - Path to the .void directory
/// * `identity` - The caller's identity (must be owner)
/// * `target` - Name or hex pubkey prefix to match
/// * `new_name` - The new display name to assign
///
/// # Returns
/// A `RenameResult` with old and new name details.
///
/// # Errors
/// - `NotInitialized` if not in a void repository
/// - `Unauthorized` if caller is not the owner
/// - `NotFound` if no matching contributor found
pub fn rename_contributor(
    void_dir: &Path,
    identity: &Identity,
    target: &str,
    new_name: String,
) -> Result<RenameResult, VoidError> {
    // Check repo mode
    let mode = detect_repo_mode(void_dir);
    if mode == RepoMode::Uninitialized {
        return Err(VoidError::NotInitialized);
    }

    // Load the manifest
    let mut manifest = load_manifest(void_dir)?
        .ok_or_else(|| VoidError::NotFound("Manifest not found".into()))?;

    // Verify caller is the owner (checks both repo owner key and identity key via delegation cert)
    let caller_signing = identity.signing_pubkey();
    if !manifest.is_owner_or_identity(&caller_signing) {
        return Err(VoidError::Unauthorized(
            "Only the repository owner can rename contributors".into(),
        ));
    }

    // Find the contributor to rename
    let target_lower = target.to_lowercase();
    let index = manifest
        .contributors
        .iter()
        .position(|c| {
            // Match by name (case-insensitive)
            if let Some(ref name) = c.name {
                if name.to_lowercase() == target_lower {
                    return true;
                }
            }
            // Match by pubkey hex prefix (at least 8 chars for uniqueness)
            let pubkey_hex = c.identity.signing.to_hex();
            if target.len() >= 8 && pubkey_hex.starts_with(&target_lower) {
                return true;
            }
            false
        })
        .ok_or_else(|| {
            VoidError::NotFound(format!(
                "No contributor found matching '{}'. Use name or pubkey prefix (8+ chars).",
                target
            ))
        })?;

    // Save old name for result
    let old_name = manifest.contributors[index].name.clone();
    let signing_pubkey = manifest.contributors[index].identity.signing.clone();

    // Update the name
    manifest.contributors[index].name = Some(new_name.clone());

    // Save the updated manifest
    save_manifest(void_dir, &manifest)?;

    Ok(RenameResult {
        old_name,
        new_name,
        signing_pubkey,
    })
}

// ============================================================================
// Tests
// ============================================================================

#[cfg(test)]
mod tests {
    use super::*;
    use crate::collab::manifest::keys::{ecies_wrap_key as wrap_key, RepoKey};
    use crate::collab::manifest::types::Manifest;
    use std::fs;
    use tempfile::tempdir;

    fn setup_collab_repo() -> (tempfile::TempDir, std::path::PathBuf, Identity) {
        let dir = tempdir().unwrap();
        let void_dir = dir.path().join(".void");
        fs::create_dir(&void_dir).unwrap();

        // Generate identity for owner
        let identity = Identity::generate();
        let signing = identity.signing_pubkey();
        let recipient = identity.recipient_pubkey();

        // Create manifest directly with owner as first contributor
        let mut manifest = Manifest::new(signing.clone(), None);

        // Wrap a repo key for the owner
        let repo_key = RepoKey::from_bytes([0x42u8; 32]);
        let wrapped = wrap_key(&repo_key, &recipient).unwrap();
        manifest.read_keys.wrapped.insert(signing.clone(), wrapped);

        // Add owner as contributor
        let timestamp = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .map(|d| d.as_secs())
            .unwrap_or(0);
        let contributor = Contributor {
            identity: ContributorId::new(signing.clone(), recipient),
            name: None,
            nostr_pubkey: None,
            added_at: timestamp,
            added_by: signing,
            signature: vec![],
        };
        manifest.contributors.push(contributor);

        save_manifest(&void_dir, &manifest).unwrap();

        (dir, void_dir, identity)
    }

    #[test]
    fn test_list_contributors_shows_owner() {
        let (_dir, void_dir, identity) = setup_collab_repo();

        let contributors = list_contributors(&void_dir, &identity).unwrap();

        assert_eq!(contributors.len(), 1);
        assert!(contributors[0].is_owner);
        assert_eq!(
            contributors[0].signing_pubkey,
            identity.signing_pubkey()
        );
    }

    #[test]
    fn test_add_contributor_success() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        // Generate a new identity for the contributor
        let new_identity = Identity::generate();
        let new_id = ContributorId::new(
            new_identity.signing_pubkey(),
            new_identity.recipient_pubkey(),
        );

        // Add the contributor
        add_contributor(&void_dir, &owner_identity, &new_id, Some("Alice".to_string())).unwrap();

        // Verify they're in the list
        let contributors = list_contributors(&void_dir, &owner_identity).unwrap();
        assert_eq!(contributors.len(), 2);

        let alice = contributors.iter().find(|c| c.name == Some("Alice".to_string()));
        assert!(alice.is_some());
        assert!(!alice.unwrap().is_owner);
    }

    #[test]
    fn test_add_contributor_wraps_key() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        // Generate a new identity
        let new_identity = Identity::generate();
        let new_id = ContributorId::new(
            new_identity.signing_pubkey(),
            new_identity.recipient_pubkey(),
        );

        add_contributor(&void_dir, &owner_identity, &new_id, None).unwrap();

        // Load manifest and verify wrapped key exists
        let manifest = load_manifest(&void_dir).unwrap().unwrap();

        let wrapped = manifest.read_keys.wrapped.get(&new_id.signing);
        assert!(wrapped.is_some());
    }

    #[test]
    fn test_add_duplicate_fails() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        let new_identity = Identity::generate();
        let new_id = ContributorId::new(
            new_identity.signing_pubkey(),
            new_identity.recipient_pubkey(),
        );

        // First add succeeds
        add_contributor(&void_dir, &owner_identity, &new_id, None).unwrap();

        // Second add fails with conflict
        let result = add_contributor(&void_dir, &owner_identity, &new_id, None);
        assert!(matches!(result, Err(VoidError::Conflict(_))));
    }

    #[test]
    fn test_non_owner_cannot_add() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        // Add a non-owner contributor first
        let non_owner = Identity::generate();
        let non_owner_id = ContributorId::new(
            non_owner.signing_pubkey(),
            non_owner.recipient_pubkey(),
        );
        add_contributor(&void_dir, &owner_identity, &non_owner_id, None).unwrap();

        // Non-owner tries to add another contributor
        let another = Identity::generate();
        let another_id = ContributorId::new(
            another.signing_pubkey(),
            another.recipient_pubkey(),
        );

        let result = add_contributor(&void_dir, &non_owner, &another_id, None);
        assert!(matches!(result, Err(VoidError::Unauthorized(_))));
    }

    #[test]
    fn test_remove_contributor_success() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        // Add a contributor
        let contributor = Identity::generate();
        let contributor_id = ContributorId::new(
            contributor.signing_pubkey(),
            contributor.recipient_pubkey(),
        );
        add_contributor(&void_dir, &owner_identity, &contributor_id, Some("Bob".to_string())).unwrap();

        // Remove by name
        let result = remove_contributor(&void_dir, &owner_identity, "bob").unwrap();
        assert_eq!(result.removed_name, Some("Bob".to_string()));
        assert!(result.key_rotation_recommended);

        // Verify they're gone
        let contributors = list_contributors(&void_dir, &owner_identity).unwrap();
        assert_eq!(contributors.len(), 1);
        assert!(contributors[0].is_owner);
    }

    #[test]
    fn test_cannot_remove_owner() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        // Get the owner's pubkey prefix
        let owner_pubkey = owner_identity.signing_pubkey();
        let prefix = &owner_pubkey.to_hex()[..8];

        let result = remove_contributor(&void_dir, &owner_identity, prefix);
        assert!(matches!(result, Err(VoidError::Unauthorized(_))));
    }

    #[test]
    fn test_remove_by_name() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        let contributor = Identity::generate();
        let contributor_id = ContributorId::new(
            contributor.signing_pubkey(),
            contributor.recipient_pubkey(),
        );
        add_contributor(&void_dir, &owner_identity, &contributor_id, Some("Carol".to_string())).unwrap();

        // Case-insensitive name match
        let result = remove_contributor(&void_dir, &owner_identity, "CAROL").unwrap();
        assert_eq!(result.removed_name, Some("Carol".to_string()));
    }

    #[test]
    fn test_remove_by_pubkey_prefix() {
        let (_dir, void_dir, owner_identity) = setup_collab_repo();

        let contributor = Identity::generate();
        let contributor_id = ContributorId::new(
            contributor.signing_pubkey(),
            contributor.recipient_pubkey(),
        );
        add_contributor(&void_dir, &owner_identity, &contributor_id, None).unwrap();

        // Match by pubkey prefix
        let pubkey_hex = contributor_id.signing.to_hex();
        let prefix = &pubkey_hex[..12];

        let result = remove_contributor(&void_dir, &owner_identity, prefix).unwrap();
        assert_eq!(result.removed_signing_pubkey.to_hex(), pubkey_hex);
    }

}