feat: add diff scanning, aggregate validation, and approval flow for transparent proxy

Proxy-mode pushes now generate and persist diffs (via ScanDiffFilter) so the
dashboard can display them, run all validation filters before reporting failures
in aggregate (ValidationSummaryFilter), and block valid pushes pending review
(PushFinalizerFilter). Approved pushes are detected on re-push via
AllowApprovedPushFilter and forwarded to upstream.

Key changes:
- ScanDiffFilter always records a "diff" PushStep for dashboard display
- Content filters use recordIssue() instead of blockAndSendError() so all
  failures are collected; ValidationSummaryFilter sends a combined rejection
- PushFinalizerFilter (order 5000) sets BLOCKED for unapproved valid pushes
  and ALLOWED for pre-approved re-pushes; overrides doFilter() to bypass
  the preApproved short-circuit
- AllowApprovedPushFilter moved after EnrichPushCommitsFilter so
  GitRequestDetails is populated when the approval lookup runs
- FetchFinalizerFilter marks passing fetches as ALLOWED
- GitRequestDetails defaults to PENDING; isRefDeletion() + skipForRefDeletion()
  centralize branch-deletion handling across the filter chain
- Fix PID file deleteOnExit() removing the file before stop task can read it
- E2e tests exercise the full push→block→approve→re-push flow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: coopernetes

jgit-proxy-core/src/main/java/org/finos/gitproxy/config/CommitConfig.java

@@ -19,6 +19,10 @@ public class CommitConfig {
     @Builder.Default
     private MessageConfig message = MessageConfig.builder().build();
 
+    /** Configuration for diff content scanning. */
+    @Builder.Default
+    private DiffConfig diff = DiffConfig.builder().build();
+
     /** Configuration for author validation. */
     @Data
     @Builder
@@ -94,6 +98,16 @@ public static class BlockConfig {
         private List<Pattern> patterns = new ArrayList<>();
     }
 
+    /** Configuration for diff content scanning. */
+    @Data
+    @Builder
+    public static class DiffConfig {
+
+        /** Configuration for blocking specific patterns in diff content. */
+        @Builder.Default
+        private BlockConfig block = BlockConfig.builder().build();
+    }
+
     /**
      * Create a default configuration with no restrictions.
      *

jgit-proxy-core/src/main/java/org/finos/gitproxy/db/PushRecordMapper.java

@@ -27,7 +27,7 @@ public static PushRecord fromRequestDetails(GitRequestDetails details) {
             PushStatus status = mapResult(details.getResult());
             if (status == PushStatus.ERROR) {
                 builder.errorMessage(details.getReason());
-            } else if (status == PushStatus.BLOCKED) {
+            } else if (status == PushStatus.BLOCKED || status == PushStatus.REJECTED) {
                 builder.blockedMessage(details.getReason());
             }
         }
@@ -117,6 +117,7 @@ public static PushStatus mapResult(GitRequestDetails.GitResult result) {
             case PENDING -> PushStatus.PROCESSING;
             case ALLOWED -> PushStatus.APPROVED;
             case BLOCKED -> PushStatus.BLOCKED;
+            case REJECTED -> PushStatus.REJECTED;
             case ACCEPTED -> PushStatus.RECEIVED;
             case ERROR -> PushStatus.ERROR;
         };

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CommitInspectionService.java

@@ -4,6 +4,7 @@
 import java.nio.charset.StandardCharsets;
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jgit.api.Git;
@@ -13,6 +14,7 @@
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.ObjectReader;
 import org.eclipse.jgit.lib.PersonIdent;
+import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.revwalk.RevCommit;
 import org.eclipse.jgit.revwalk.RevWalk;
@@ -72,8 +74,17 @@ public static List<Commit> getCommitRange(Repository repository, String fromComm
             if (fromId != null && !isNullCommit(fromCommit)) {
                 revCommits = git.log().addRange(fromId, toId).call();
             } else {
-                // New branch - get all commits up to toCommit
-                revCommits = git.log().add(toId).call();
+                // New branch — exclude commits reachable from any existing ref so we only
+                // validate commits that are genuinely new in this push.  The local cache is a
+                // bare clone, so existing branch tips live under refs/heads/ (not refs/remotes/).
+                var logCmd = git.log().add(toId);
+                Collection<Ref> existingRefs = repository.getRefDatabase().getRefsByPrefix("refs/heads/");
+                for (Ref ref : existingRefs) {
+                    if (ref.getObjectId() != null) {
+                        logCmd.not(ref.getObjectId());
+                    }
+                }
+                revCommits = logCmd.call();
             }
 
             for (RevCommit revCommit : revCommits) {
@@ -99,7 +110,10 @@ public static List<DiffEntry> getDiff(Repository repository, String fromCommit,
             CanonicalTreeParser oldTreeParser = new CanonicalTreeParser();
             CanonicalTreeParser newTreeParser = new CanonicalTreeParser();
 
-            ObjectId oldId = repository.resolve(fromCommit + "^{tree}");
+            // For new-branch pushes fromCommit is the all-zeros null object, which does not
+            // exist in the repository.  Guard before calling resolve() — JGit throws
+            // MissingObjectException rather than returning null for the zero SHA.
+            ObjectId oldId = isNullCommit(fromCommit) ? null : repository.resolve(fromCommit + "^{tree}");
             ObjectId newId = repository.resolve(toCommit + "^{tree}");
 
             if (oldId != null) {

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/DiffScanningHook.java

@@ -0,0 +1,146 @@
+package org.finos.gitproxy.git;
+
+import static org.finos.gitproxy.git.GitClient.AnsiColor.*;
+import static org.finos.gitproxy.git.GitClient.SymbolCodes.*;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Pattern;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.transport.PreReceiveHook;
+import org.eclipse.jgit.transport.ReceiveCommand;
+import org.eclipse.jgit.transport.ReceivePack;
+import org.finos.gitproxy.config.CommitConfig;
+import org.finos.gitproxy.db.model.PushStep;
+import org.finos.gitproxy.db.model.StepStatus;
+
+/**
+ * Pre-receive hook that scans the diff content of incoming pushes for blocked literals and patterns. Runs after
+ * {@link DiffGenerationHook} so the diff is already available for review, but independently generates its own diff for
+ * scanning.
+ *
+ * <p>Only added lines (those prefixed with {@code +} in the unified diff) are scanned — deletions and context lines are
+ * ignored. Violations are reported via sideband and recorded in the shared {@link ValidationContext}.
+ */
+@Slf4j
+@RequiredArgsConstructor
+public class DiffScanningHook implements PreReceiveHook {
+
+    private final CommitConfig commitConfig;
+    private final ValidationContext validationContext;
+    private final PushContext pushContext;
+
+    @Override
+    public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
+        rp.sendMessage(CYAN + "[git-proxy] " + KEY.emoji() + "  Scanning diff content..." + RESET);
+
+        Repository repo = rp.getRepository();
+        List<String> logs = new ArrayList<>();
+        boolean anyFailed = false;
+
+        for (ReceiveCommand cmd : commands) {
+            if (cmd.getType() == ReceiveCommand.Type.DELETE) {
+                continue;
+            }
+
+            try {
+                String diff = CommitInspectionService.getFormattedDiff(
+                        repo, cmd.getOldId().name(), cmd.getNewId().name());
+
+                if (diff.isEmpty()) {
+                    rp.sendMessage(GREEN + "[git-proxy]   " + HEAVY_CHECK_MARK.emoji() + "  " + cmd.getRefName()
+                            + " — empty diff, nothing to scan" + RESET);
+                    logs.add("SKIP: " + cmd.getRefName() + " — empty diff");
+                    continue;
+                }
+
+                List<String> violations = scanDiff(diff);
+
+                if (!violations.isEmpty()) {
+                    for (String violation : violations) {
+                        validationContext.addIssue("DiffContent", violation, "ref: " + cmd.getRefName());
+                        rp.sendMessage(RED + "[git-proxy]   " + CROSS_MARK.emoji() + "  " + violation + RESET);
+                        logs.add("FAIL: " + violation);
+                    }
+                    anyFailed = true;
+                } else {
+                    rp.sendMessage(GREEN + "[git-proxy]   " + HEAVY_CHECK_MARK.emoji() + "  " + cmd.getRefName()
+                            + " — clean" + RESET);
+                    logs.add("PASS: " + cmd.getRefName());
+                }
+
+            } catch (Exception e) {
+                log.error("Failed to scan diff for {}", cmd.getRefName(), e);
+                rp.sendMessage(YELLOW + "[git-proxy]   " + WARNING.emoji() + "  Could not scan diff: " + e.getMessage()
+                        + RESET);
+                logs.add("ERROR: " + cmd.getRefName() + " — " + e.getMessage());
+            }
+        }
+
+        if (!anyFailed) {
+            pushContext.addStep(PushStep.builder()
+                    .stepName("scanDiff")
+                    .status(StepStatus.PASS)
+                    .logs(logs)
+                    .build());
+        }
+    }
+
+    /**
+     * Scans the unified diff for blocked content, returning a deduplicated list of violation descriptions. Only added
+     * lines (prefixed with {@code +}, excluding the {@code +++} header) are checked.
+     */
+    List<String> scanDiff(String diff) {
+        Set<String> violations = new LinkedHashSet<>();
+        CommitConfig.BlockConfig block = commitConfig.getDiff().getBlock();
+
+        if (block.getLiterals().isEmpty() && block.getPatterns().isEmpty()) {
+            return List.of();
+        }
+
+        String currentFile = null;
+        for (String line : diff.lines().toList()) {
+            if (line.startsWith("diff --git ")) {
+                currentFile = extractFileName(line);
+            }
+
+            // Only scan added lines; skip the +++ header line
+            if (!line.startsWith("+") || line.startsWith("+++")) {
+                continue;
+            }
+            String content = line.substring(1);
+
+            for (String literal : block.getLiterals()) {
+                if (content.toLowerCase().contains(literal.toLowerCase())) {
+                    String location = currentFile != null ? " in " + currentFile : "";
+                    violations.add("diff contains blocked term: \"" + literal + "\"" + location);
+                }
+            }
+
+            for (Pattern pattern : block.getPatterns()) {
+                if (pattern.matcher(content).find()) {
+                    String location = currentFile != null ? " in " + currentFile : "";
+                    violations.add("diff matches blocked pattern: " + pattern.pattern() + location);
+                }
+            }
+        }
+
+        return new ArrayList<>(violations);
+    }
+
+    /** Extracts the {@code b/} path from a {@code diff --git a/... b/...} header line. */
+    private static String extractFileName(String diffHeader) {
+        // "diff --git a/path/to/file b/path/to/file"
+        String[] parts = diffHeader.split(" ");
+        if (parts.length >= 4) {
+            String bPath = parts[3];
+            return bPath.startsWith("b/") ? bPath.substring(2) : bPath;
+        }
+        return diffHeader;
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/GitRequestDetails.java

@@ -25,9 +25,14 @@ public class GitRequestDetails {
     private GitProxyProvider provider;
     private List<GitProxyFilter> filters = new ArrayList<>();
     private List<PushStep> steps = new ArrayList<>(); // Filter/hook results for audit trail
-    private GitResult result = GitResult.ALLOWED;
+    private GitResult result = GitResult.PENDING;
     private String reason;
 
+    /** Returns true when this push is a ref deletion (commitTo is the all-zeros null SHA). */
+    public boolean isRefDeletion() {
+        return commitTo != null && commitTo.matches("^0+$");
+    }
+
     @Builder
     @Getter
     public static class Repository {
@@ -45,6 +50,7 @@ public enum GitResult {
         PENDING,
         ALLOWED,
         BLOCKED,
+        REJECTED, // hard reject with no review queue (transparent proxy mode)
         ACCEPTED, // for async where a push or fetch is accepted but not yet complete
         ERROR;
     }

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/StoreAndForwardReceivePackFactory.java

@@ -92,12 +92,14 @@ public ReceivePack create(HttpServletRequest req, Repository db)
         // 2. CommitMessageValidationHook           — validates messages; records "checkCommitMessages" step
         // 3. ProxyPreReceiveHook                   — commit inspection; records "inspection" step
         // 4. DiffGenerationHook                    — generates diffs; records "diff" / "diff:default-branch" steps
-        // 5. PushStorePersistenceHook.validationResult — saves APPROVED or BLOCKED record with all steps so far
-        // 6. ApprovalPreReceiveHook                — blocks until reviewer approves/rejects or timeout
+        // 5. DiffScanningHook                      — scans diff added-lines for blocked content; records "scanDiff"
+        // step
+        // 6. PushStorePersistenceHook.validationResult — saves APPROVED or BLOCKED record with all steps so far
+        // 7. ApprovalPreReceiveHook                — blocks until reviewer approves/rejects or timeout
         //
         // Post-receive (only runs when pre-receive doesn't stop the chain):
-        // 7. ForwardingPostReceiveHook             — forwards to upstream; records "forward" step
-        // 8. PushStorePersistenceHook.postReceive  — saves FORWARDED or ERROR record with forwarding step
+        // 8. ForwardingPostReceiveHook             — forwards to upstream; records "forward" step
+        // 9. PushStorePersistenceHook.postReceive  — saves FORWARDED or ERROR record with forwarding step
 
         PreReceiveHook[] preHooks;
         if (persistenceHook != null) {
@@ -107,6 +109,7 @@ public ReceivePack create(HttpServletRequest req, Repository db)
                 new CommitMessageValidationHook(commitConfig, validationContext, pushContext),
                 new ProxyPreReceiveHook(pushContext),
                 new DiffGenerationHook(pushContext),
+                new DiffScanningHook(commitConfig, validationContext, pushContext),
                 persistenceHook.validationResultHook(validationContext),
                 new ApprovalPreReceiveHook(pushStore, approvalGateway, serviceUrl)
             };
@@ -115,7 +118,8 @@ public ReceivePack create(HttpServletRequest req, Repository db)
                 new AuthorEmailValidationHook(commitConfig, validationContext, pushContext),
                 new CommitMessageValidationHook(commitConfig, validationContext, pushContext),
                 new ProxyPreReceiveHook(pushContext),
-                new DiffGenerationHook(pushContext)
+                new DiffGenerationHook(pushContext),
+                new DiffScanningHook(commitConfig, validationContext, pushContext)
             };
         }
         rp.setPreReceiveHook(chainPreReceiveHooks(preHooks));

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/GitProxyServlet.java

@@ -12,12 +12,15 @@
 
 @Slf4j
 public class GitProxyServlet extends AsyncProxyServlet.Transparent {
-    public static final String GIT_REQUEST_ATTRIBUTE = "org.finos.gitproxy.gitproxy.gitRequest";
+    public static final String GIT_REQUEST_ATTR = "gitproxy.gitRequest";
+    public static final String ERROR_ATTR = "gitproxy.error";
+    public static final String PRE_APPROVED_ATTR = "gitproxy.preApproved";
+    public static final String SERVICE_URL_ATTR = "gitproxy.serviceUrl";
 
     @Override
     protected void service(HttpServletRequest clientRequest, HttpServletResponse proxyResponse)
             throws ServletException, IOException {
-        var details = (GitRequestDetails) clientRequest.getAttribute(GIT_REQUEST_ATTRIBUTE);
+        var details = (GitRequestDetails) clientRequest.getAttribute(GIT_REQUEST_ATTR);
         var canProxy = details != null && details.getResult() == GitRequestDetails.GitResult.ALLOWED;
         if (canProxy) {
             super.service(clientRequest, proxyResponse);

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/filter/AllowApprovedPushFilter.java

@@ -1,6 +1,7 @@
 package org.finos.gitproxy.servlet.filter;
 
-import static org.finos.gitproxy.servlet.GitProxyProviderServlet.GIT_REQUEST_ATTRIBUTE;
+import static org.finos.gitproxy.servlet.GitProxyProviderServlet.*;
+import static org.finos.gitproxy.servlet.GitProxyServlet.*;
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -31,9 +32,6 @@
 @Slf4j
 public class AllowApprovedPushFilter extends AbstractGitProxyFilter {
 
-    private static final String PRE_APPROVED_ATTR = "gitproxy.preApproved";
-    private static final String SERVICE_URL_ATTR = "gitproxy.serviceUrl";
-
     private final PushStore pushStore;
     private final String serviceUrl;
 
@@ -53,7 +51,7 @@ public void doHttpFilter(HttpServletRequest request, HttpServletResponse respons
             return;
         }
 
-        var details = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTRIBUTE);
+        var details = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTR);
         if (details == null || details.getCommit() == null) {
             return;
         }

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/filter/AuditFilter.java

@@ -1,6 +1,6 @@
 package org.finos.gitproxy.servlet.filter;
 
-import static org.finos.gitproxy.servlet.GitProxyProviderServlet.GIT_REQUEST_ATTRIBUTE;
+import static org.finos.gitproxy.servlet.GitProxyServlet.GIT_REQUEST_ATTR;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -15,7 +15,7 @@ public interface AuditFilter extends GitProxyFilter {
     @Override
     default void doHttpFilter(HttpServletRequest request, HttpServletResponse response)
             throws IOException, ServletException {
-        var requestDetails = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTRIBUTE);
+        var requestDetails = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTR);
         audit(requestDetails);
     }
 }

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/filter/CheckAuthorEmailsFilter.java

@@ -2,7 +2,7 @@
 
 import static org.finos.gitproxy.git.GitClient.AnsiColor.*;
 import static org.finos.gitproxy.git.GitClient.SymbolCodes.*;
-import static org.finos.gitproxy.servlet.GitProxyProviderServlet.GIT_REQUEST_ATTRIBUTE;
+import static org.finos.gitproxy.servlet.GitProxyServlet.GIT_REQUEST_ATTR;
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -38,7 +38,7 @@ public CheckAuthorEmailsFilter(CommitConfig commitConfig) {
 
     @Override
     public void doHttpFilter(HttpServletRequest request, HttpServletResponse response) throws IOException {
-        var requestDetails = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTRIBUTE);
+        var requestDetails = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTR);
         if (requestDetails == null) {
             log.warn("GitRequestDetails not found in request attributes");
             return;
@@ -71,7 +71,7 @@ public void doHttpFilter(HttpServletRequest request, HttpServletResponse respons
                     + "\n"
                     + "Verify your Git email address is valid:\n"
                     + "  git config user.email \"you@example.com\"";
-            blockAndSendError(request, response, "Illegal author emails", GitClient.format(title, message, RED, null));
+            recordIssue(request, "Illegal author emails", GitClient.format(title, message, RED, null));
             return;
         }