feat(state): track full state dir in git

skulidropek · skulidropek · commit e80467d8192d · 2026-02-10T22:28:57.000+04:00
diff --git a/effect-template/packages/lib/src/usecases/state-repo.ts b/effect-template/packages/lib/src/usecases/state-repo.ts
@@ -25,36 +25,43 @@ const resolveStateRoot = (
   cwd: string
 ): string => path.resolve(defaultProjectsRoot(cwd))
 
+const stateGitignoreMarker = "# docker-git state repository"
+
 const defaultStateGitignore = [
-  "# docker-git state repository",
-  "# Generated by docker-git to prevent committing secrets and machine-local files.",
-  "",
-  "# Secrets (tokens, auth, env)",
-  "**/.orch/env/",
-  "**/.orch/auth/",
-  "",
-  "# Logs",
-  "**/*.log",
-  "",
-  "# Machine-local SSH allow-list",
-  "authorized_keys",
+  stateGitignoreMarker,
+  "# NOTE: this repo intentionally tracks EVERYTHING under the state dir, including .orch/env and .orch/auth.",
+  "# Keep the remote private; treat it as sensitive infrastructure state.",
   ""
 ].join("\n")
 
-const requiredGitignorePatterns: ReadonlyArray<string> = [
-  "**/.orch/env/",
-  "**/.orch/auth/"
-]
+const normalizeGitignoreText = (text: string): string =>
+  text
+    .replaceAll("\r\n", "\n")
+    .trim()
 
-// CHANGE: ensure state repo has a safe .gitignore
-// WHY: prevent accidental commit of secrets (tokens, auth, env) when using git-synced state
-// QUOTE(ТЗ): "общая память через гит" / "иметь возможность комитить его на гит"
-// REF: user-request-2026-02-08-state-gitignore
+const shouldRewriteDockerGitStateGitignore = (existing: string): boolean => {
+  const normalized = normalizeGitignoreText(existing)
+  if (!normalized.startsWith(stateGitignoreMarker)) {
+    return false
+  }
+  // Old docker-git default tried to prevent committing secrets. If we still see those patterns,
+  // rewrite to the new "track everything" default.
+  const hadSecretIgnores = normalized.includes("**/.orch/env/") || normalized.includes("**/.orch/auth/")
+  if (!hadSecretIgnores) {
+    return false
+  }
+  return normalized !== normalizeGitignoreText(defaultStateGitignore)
+}
+
+// CHANGE: ensure state repo has a .gitignore that allows committing the full state directory
+// WHY: user wants the whole ~/.docker-git (including .orch/auth) to be synced via git
+// QUOTE(ТЗ): "чтобы вся папка .docker-git уходила на гит Даже .orch/auth и тд"
+// REF: user-request-2026-02-10-state-track-all
 // SOURCE: n/a
-// FORMAT THEOREM: forall root: ensureGitignore(root) -> patternsIncluded(root, required)
+// FORMAT THEOREM: forall root: ensureGitignore(root) -> exists(.gitignore(root))
 // PURITY: SHELL
 // EFFECT: Effect<void, PlatformError, FileSystem | Path>
-// INVARIANT: preserves existing file content; only appends missing patterns
+// INVARIANT: rewrites only docker-git-managed .gitignore that previously ignored secrets
 // COMPLEXITY: O(n) where n = |.gitignore|
 const ensureStateGitignore = (
   fs: FileSystem.FileSystem,
@@ -76,14 +83,10 @@ const ensureStateGitignore = (
     }
 
     const prev = yield* _(fs.readFileString(gitignorePath))
-    const prevLines = new Set(prev.replaceAll("\r", "").split("\n").map((l) => l.trimEnd()))
-    const missing = requiredGitignorePatterns.filter((p) => !prevLines.has(p))
-    if (missing.length === 0) {
+    if (!shouldRewriteDockerGitStateGitignore(prev)) {
       return
     }
-
-    const next = `${prev.trimEnd()}\n\n# Added by docker-git\n${missing.join("\n")}\n`
-    yield* _(fs.writeFileString(gitignorePath, next))
+    yield* _(fs.writeFileString(gitignorePath, defaultStateGitignore))
   })
 
 // CHANGE: manage docker-git state dir as a git repository
