feat: add checkEmptyBranch and checkHiddenCommits built-in filters

Ports checkEmptyBranch and checkHiddenCommits from the Node.js git-proxy
reference implementation as non-configurable, short-circuiting checks in
both the store-and-forward (pre-receive hooks) and transparent proxy
(servlet filters) pipelines.

checkEmptyBranch rejects pushes where no new commits are introduced —
either a new branch pointing to an existing commit, or a branch update
with no resolvable commit range.

checkHiddenCommits rejects pushes where the received pack contains commits
that are new to the repository but fall outside the explicitly introduced
commit range (oldId..newId), catching branches built on unapproved history.

E2e tests cover the empty-branch rejection in both modes. The hidden-commits
failure case cannot be reproduced via a standard git client (git only sends
objects reachable from the pushed tip) and is documented with a comment.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: coopernetes

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CheckEmptyBranchHook.java

@@ -0,0 +1,63 @@
+package org.finos.gitproxy.git;
+
+import static org.finos.gitproxy.git.GitClient.AnsiColor.*;
+import static org.finos.gitproxy.git.GitClient.SymbolCodes.*;
+
+import java.util.Collection;
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.jgit.lib.ObjectId;
+import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.transport.PreReceiveHook;
+import org.eclipse.jgit.transport.ReceiveCommand;
+import org.eclipse.jgit.transport.ReceivePack;
+
+/**
+ * Pre-receive hook that rejects pushes where no commits can be found in the pushed range. Two cases are distinguished:
+ *
+ * <ul>
+ *   <li><b>New branch with no new commits</b> — the branch tip resolves to an existing commit already reachable from
+ *       another ref; the developer pushed an empty branch pointer with no new work.
+ *   <li><b>Existing branch with no new commits</b> — commit data could not be resolved; this usually indicates a proxy
+ *       configuration or repository state problem.
+ * </ul>
+ *
+ * <p>This hook short-circuits the chain immediately on failure (direct rejection, not via {@link ValidationContext}).
+ */
+@Slf4j
+public class CheckEmptyBranchHook implements PreReceiveHook {
+
+    @Override
+    public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
+        Repository repo = rp.getRepository();
+
+        for (ReceiveCommand cmd : commands) {
+            if (cmd.getResult() != ReceiveCommand.Result.NOT_ATTEMPTED) continue;
+            if (cmd.getType() == ReceiveCommand.Type.DELETE) continue;
+
+            try {
+                List<Commit> commits = getCommits(repo, cmd);
+                if (!commits.isEmpty()) continue;
+
+                String msg;
+                if (ObjectId.zeroId().equals(cmd.getOldId())) {
+                    msg = "Push blocked: Empty branch. Please make a commit before pushing a new branch.";
+                } else {
+                    msg = "Push blocked: Commit data not found. Please contact an administrator for support.";
+                }
+
+                rp.sendMessage(RED + "[git-proxy] " + NO_ENTRY.emoji() + "  " + msg + RESET);
+                cmd.setResult(ReceiveCommand.Result.REJECTED_OTHER_REASON, msg);
+                // Chain stops once a command is rejected; remaining commands will be skipped
+                return;
+
+            } catch (Exception e) {
+                log.error("Failed to check empty branch for {}", cmd.getRefName(), e);
+            }
+        }
+    }
+
+    private List<Commit> getCommits(Repository repo, ReceiveCommand cmd) throws Exception {
+        return CommitInspectionService.getCommitRange(repo, cmd.getOldId().name(), cmd.getNewId().name());
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CheckHiddenCommitsHook.java

@@ -0,0 +1,121 @@
+package org.finos.gitproxy.git;
+
+import static org.finos.gitproxy.git.GitClient.AnsiColor.*;
+import static org.finos.gitproxy.git.GitClient.SymbolCodes.*;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.jgit.lib.ObjectId;
+import org.eclipse.jgit.lib.Ref;
+import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.revwalk.RevCommit;
+import org.eclipse.jgit.revwalk.RevWalk;
+import org.eclipse.jgit.transport.PreReceiveHook;
+import org.eclipse.jgit.transport.ReceiveCommand;
+import org.eclipse.jgit.transport.ReceivePack;
+
+/**
+ * Pre-receive hook that detects "hidden" commits — objects received in the push pack that are not part of the
+ * explicitly introduced commit range. This catches the case where a branch was created from commits that have not yet
+ * been approved and pushed to the remote, smuggling unapproved history through as pack filler.
+ *
+ * <p>Algorithm:
+ *
+ * <ol>
+ *   <li><b>introduced</b> — commits reachable from each {@code newId} up to (not including) its {@code oldId}, across
+ *       all pushed commands; computed via {@link CommitInspectionService#getCommitRange}.
+ *   <li><b>allNew</b> — commits reachable from any pushed {@code newId} that are not reachable from any existing ref
+ *       (i.e., genuinely new to this repository); computed via {@link RevWalk}.
+ *   <li><b>hidden</b> = {@code allNew} ∖ {@code introduced} — commits in the pack but outside the pushed range.
+ * </ol>
+ *
+ * <p>This hook short-circuits the chain immediately on failure (direct rejection, not via {@link ValidationContext}).
+ */
+@Slf4j
+public class CheckHiddenCommitsHook implements PreReceiveHook {
+
+    @Override
+    public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
+        Repository repo = rp.getRepository();
+
+        try {
+            Set<String> allIntroduced = collectIntroducedCommits(repo, commands);
+            Set<String> allNew = collectAllNewCommits(repo, commands);
+
+            Set<String> hidden = new HashSet<>(allNew);
+            hidden.removeAll(allIntroduced);
+
+            if (hidden.isEmpty()) {
+                log.debug("checkHiddenCommits: all {} new commit(s) are within the introduced range", allNew.size());
+                return;
+            }
+
+            String msg = "Unreferenced commits in pack (" + hidden.size() + "): "
+                    + String.join(", ", hidden) + ".\n"
+                    + "This usually happens when a branch was made from a commit that hasn't been approved"
+                    + " and pushed to the remote.\n"
+                    + "Please get approval on the commits, push them and try again.";
+
+            rp.sendMessage(RED + "[git-proxy] " + NO_ENTRY.emoji() + "  Push blocked — hidden commits detected" + RESET);
+            rp.sendMessage(YELLOW + "[git-proxy]   " + WARNING.emoji() + "  " + msg + RESET);
+
+            for (ReceiveCommand cmd : commands) {
+                if (cmd.getResult() == ReceiveCommand.Result.NOT_ATTEMPTED) {
+                    cmd.setResult(ReceiveCommand.Result.REJECTED_OTHER_REASON, "Hidden commits detected");
+                }
+            }
+
+        } catch (Exception e) {
+            log.error("Failed to check hidden commits", e);
+        }
+    }
+
+    private Set<String> collectIntroducedCommits(Repository repo, Collection<ReceiveCommand> commands) throws Exception {
+        Set<String> introduced = new HashSet<>();
+        for (ReceiveCommand cmd : commands) {
+            if (cmd.getResult() != ReceiveCommand.Result.NOT_ATTEMPTED) continue;
+            if (cmd.getType() == ReceiveCommand.Type.DELETE) continue;
+            CommitInspectionService.getCommitRange(repo, cmd.getOldId().name(), cmd.getNewId().name())
+                    .stream()
+                    .map(Commit::getSha)
+                    .forEach(introduced::add);
+        }
+        return introduced;
+    }
+
+    /**
+     * Collect all commits reachable from any pushed tip that are not reachable from any existing ref. These are the
+     * commits that were genuinely new to this repository as part of the pack.
+     */
+    private Set<String> collectAllNewCommits(Repository repo, Collection<ReceiveCommand> commands) throws IOException {
+        Set<String> result = new HashSet<>();
+
+        try (RevWalk walk = new RevWalk(repo)) {
+            for (ReceiveCommand cmd : commands) {
+                if (cmd.getResult() != ReceiveCommand.Result.NOT_ATTEMPTED) continue;
+                if (cmd.getType() == ReceiveCommand.Type.DELETE) continue;
+                walk.markStart(walk.parseCommit(cmd.getNewId()));
+            }
+
+            for (Ref ref : repo.getRefDatabase().getRefsByPrefix("refs/")) {
+                ObjectId id = ref.getObjectId();
+                if (id == null) continue;
+                try {
+                    walk.markUninteresting(walk.parseCommit(id));
+                } catch (Exception e) {
+                    // Not a commit (tag pointing to a blob/tree, etc.) — skip
+                }
+            }
+
+            for (RevCommit commit : walk) {
+                result.add(commit.getName());
+            }
+        }
+
+        return result;
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/StoreAndForwardReceivePackFactory.java

@@ -88,23 +88,27 @@ public ReceivePack create(HttpServletRequest req, Repository db)
         // Hook chain — order matters:
         //
         // 0. PushStorePersistenceHook.preReceive  — record RECEIVED (no steps yet)
-        // 1. AuthorEmailValidationHook             — validates emails; records "checkAuthorEmails" step
-        // 2. CommitMessageValidationHook           — validates messages; records "checkCommitMessages" step
-        // 3. ProxyPreReceiveHook                   — commit inspection; records "inspection" step
-        // 4. DiffGenerationHook                    — generates diffs; records "diff" / "diff:default-branch" steps
-        // 5. DiffScanningHook                      — scans diff added-lines for blocked content; records "scanDiff"
+        // 1. CheckEmptyBranchHook                  — reject if no commits introduced (short-circuit)
+        // 2. CheckHiddenCommitsHook                — reject if pack contains commits outside push range (short-circuit)
+        // 3. AuthorEmailValidationHook             — validates emails; records "checkAuthorEmails" step
+        // 4. CommitMessageValidationHook           — validates messages; records "checkCommitMessages" step
+        // 5. ProxyPreReceiveHook                   — commit inspection; records "inspection" step
+        // 6. DiffGenerationHook                    — generates diffs; records "diff" / "diff:default-branch" steps
+        // 7. DiffScanningHook                      — scans diff added-lines for blocked content; records "scanDiff"
         // step
-        // 6. PushStorePersistenceHook.validationResult — saves APPROVED or BLOCKED record with all steps so far
-        // 7. ApprovalPreReceiveHook                — blocks until reviewer approves/rejects or timeout
+        // 8. PushStorePersistenceHook.validationResult — saves APPROVED or BLOCKED record with all steps so far
+        // 9. ApprovalPreReceiveHook                — blocks until reviewer approves/rejects or timeout
         //
         // Post-receive (only runs when pre-receive doesn't stop the chain):
-        // 8. ForwardingPostReceiveHook             — forwards to upstream; records "forward" step
-        // 9. PushStorePersistenceHook.postReceive  — saves FORWARDED or ERROR record with forwarding step
+        // 10. ForwardingPostReceiveHook            — forwards to upstream; records "forward" step
+        // 11. PushStorePersistenceHook.postReceive — saves FORWARDED or ERROR record with forwarding step
 
         PreReceiveHook[] preHooks;
         if (persistenceHook != null) {
             preHooks = new PreReceiveHook[] {
                 persistenceHook.preReceiveHook(),
+                new CheckEmptyBranchHook(),
+                new CheckHiddenCommitsHook(),
                 new AuthorEmailValidationHook(commitConfig, validationContext, pushContext),
                 new CommitMessageValidationHook(commitConfig, validationContext, pushContext),
                 new ProxyPreReceiveHook(pushContext),
@@ -115,6 +119,8 @@ public ReceivePack create(HttpServletRequest req, Repository db)
             };
         } else {
             preHooks = new PreReceiveHook[] {
+                new CheckEmptyBranchHook(),
+                new CheckHiddenCommitsHook(),
                 new AuthorEmailValidationHook(commitConfig, validationContext, pushContext),
                 new CommitMessageValidationHook(commitConfig, validationContext, pushContext),
                 new ProxyPreReceiveHook(pushContext),

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/filter/CheckEmptyBranchFilter.java

@@ -0,0 +1,69 @@
+package org.finos.gitproxy.servlet.filter;
+
+import static org.finos.gitproxy.git.GitClient.AnsiColor.*;
+import static org.finos.gitproxy.git.GitClient.SymbolCodes.*;
+import static org.finos.gitproxy.servlet.GitProxyServlet.GIT_REQUEST_ATTR;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Set;
+import lombok.extern.slf4j.Slf4j;
+import org.finos.gitproxy.git.GitClient;
+import org.finos.gitproxy.git.GitRequestDetails;
+import org.finos.gitproxy.git.HttpOperation;
+
+/**
+ * Filter that rejects pushes where no commits could be found in the pushed range. Two cases are distinguished:
+ *
+ * <ul>
+ *   <li><b>Empty branch</b> — a new branch is being created but its tip is already reachable from an existing ref; no
+ *       new commits were introduced.
+ *   <li><b>Commit data not found</b> — a non-new-branch push produced no commit data; indicates a proxy or repository
+ *       state problem.
+ * </ul>
+ *
+ * <p>This filter short-circuits immediately via {@link #rejectAndSendError} without recording to {@link
+ * org.finos.gitproxy.servlet.filter.ValidationSummaryFilter}.
+ *
+ * <p>Runs at order 2050, before all other content validation filters.
+ */
+@Slf4j
+public class CheckEmptyBranchFilter extends AbstractGitProxyFilter {
+
+    private static final int ORDER = 2050;
+
+    public CheckEmptyBranchFilter() {
+        super(ORDER, Set.of(HttpOperation.PUSH));
+    }
+
+    @Override
+    public void doHttpFilter(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        var requestDetails = (GitRequestDetails) request.getAttribute(GIT_REQUEST_ATTR);
+        if (requestDetails == null) {
+            log.warn("GitRequestDetails not found in request attributes");
+            return;
+        }
+
+        var commits = requestDetails.getPushedCommits();
+        if (commits != null && !commits.isEmpty()) {
+            return;
+        }
+
+        String commitFrom = requestDetails.getCommitFrom();
+        boolean isNewBranch = commitFrom == null || commitFrom.matches("^0+$");
+
+        String title;
+        String message;
+        if (isNewBranch) {
+            title = NO_ENTRY.emoji() + "  Push Blocked — Empty Branch";
+            message = "Please make a commit before pushing a new branch.";
+        } else {
+            title = NO_ENTRY.emoji() + "  Push Blocked — Commit Data Not Found";
+            message = "Commit data not found. Please contact an administrator for support.";
+        }
+
+        log.warn("checkEmptyBranch: rejecting push — {}", message);
+        rejectAndSendError(request, response, title, GitClient.format(title, message, RED, null));
+    }
+}