feat: unified filter/hook order ranges; add GitProxyHook interface and OrderableGitProxyFilter

Introduces a unified order numbering scheme across both proxy modes so
operators can reason about execution order from a single table:

  System       MIN_VALUE … MIN_VALUE+99  (ForceGitClient, ParseGitRequest, EnrichPushCommits)
  Authorization        0 … 199           (AllowApproved 50, Whitelist 100, UserPermission 150)
  Content            200 … 399           (EmptyBranch 210, HiddenCommits 220, AuthorEmail 250,
                                          CommitMessage 260, ScanDiff 300, Gpg 320, SecretScan 340)
  Extended           400 … 499           (reserved for user-defined filters)
  Terminal    MAX_VALUE-3 … MAX_VALUE-1   (ValidationSummary, FetchFinalizer, PushFinalizer)
  Audit          MAX_VALUE               (AuditLog)

Store-and-forward hooks now implement GitProxyHook (getOrder()) and are
sorted by order in StoreAndForwardReceivePackFactory rather than relying
on list insertion order.

Transparent-proxy filters are collected into a List, sorted by
getOrder(), then added to Jetty — so the constant alone controls
execution order regardless of registration sequence.

OrderableGitProxyFilter extends GitProxyFilter with setOrder(int) for
user-supplied filters that need to be positioned at runtime.

Closes #13

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: coopernetes

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/AuthorEmailValidationHook.java

@@ -7,7 +7,6 @@
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.Repository;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.config.CommitConfig;
@@ -22,9 +21,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class AuthorEmailValidationHook implements PreReceiveHook {
+public class AuthorEmailValidationHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2100;
+    private static final int ORDER = 250;
 
     private final CommitConfig commitConfig;
     private final ValidationContext validationContext;
@@ -52,12 +51,22 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         if (allViolations.isEmpty()) {
             pushContext.addStep(PushStep.builder()
                     .stepName("checkAuthorEmails")
-                    .stepOrder(STEP_ORDER)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .build());
         }
     }
 
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "AuthorEmailValidationHook";
+    }
+
     private List<Commit> getCommits(Repository repo, ReceiveCommand cmd) throws Exception {
         if (ObjectId.zeroId().equals(cmd.getOldId())) {
             return List.of(CommitInspectionService.getCommitDetails(

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CheckEmptyBranchHook.java

@@ -11,7 +11,6 @@
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.Repository;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.db.model.PushStep;
@@ -31,9 +30,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class CheckEmptyBranchHook implements PreReceiveHook {
+public class CheckEmptyBranchHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2050;
+    private static final int ORDER = 210;
     private static final String STEP_NAME = "checkEmptyBranch";
 
     private final PushContext pushContext;
@@ -69,12 +68,22 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         if (pushContext != null) {
             pushContext.addStep(PushStep.builder()
                     .stepName(STEP_NAME)
-                    .stepOrder(STEP_ORDER)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .build());
         }
     }
 
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "CheckEmptyBranchHook";
+    }
+
     private List<Commit> getCommits(Repository repo, ReceiveCommand cmd) throws Exception {
         return CommitInspectionService.getCommitRange(
                 repo, cmd.getOldId().name(), cmd.getNewId().name());

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CheckHiddenCommitsHook.java

@@ -16,7 +16,6 @@
 import org.eclipse.jgit.lib.Repository;
 import org.eclipse.jgit.revwalk.RevCommit;
 import org.eclipse.jgit.revwalk.RevWalk;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.db.model.PushStep;
@@ -41,9 +40,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class CheckHiddenCommitsHook implements PreReceiveHook {
+public class CheckHiddenCommitsHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2060;
+    private static final int ORDER = 220;
     private static final String STEP_NAME = "checkHiddenCommits";
 
     private final PushContext pushContext;
@@ -63,7 +62,7 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
                 if (pushContext != null) {
                     pushContext.addStep(PushStep.builder()
                             .stepName(STEP_NAME)
-                            .stepOrder(STEP_ORDER)
+                            .stepOrder(ORDER)
                             .status(StepStatus.PASS)
                             .build());
                 }
@@ -90,6 +89,16 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         }
     }
 
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "CheckHiddenCommitsHook";
+    }
+
     private Set<String> collectIntroducedCommits(Repository repo, Collection<ReceiveCommand> commands)
             throws Exception {
         Set<String> introduced = new HashSet<>();

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CheckUserPushPermissionHook.java

@@ -8,7 +8,6 @@
 import java.util.Collection;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.db.model.PushStep;
@@ -24,9 +23,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class CheckUserPushPermissionHook implements PreReceiveHook {
+public class CheckUserPushPermissionHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2000;
+    private static final int ORDER = 150;
 
     private final UserAuthorizationService userAuthorizationService;
     private final ValidationContext validationContext;
@@ -40,7 +39,7 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
             log.debug("No push user found in repo config, skipping permission check");
             pushContext.addStep(PushStep.builder()
                     .stepName("checkUserPermission")
-                    .stepOrder(STEP_ORDER)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .build());
             return;
@@ -73,8 +72,18 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         log.debug("Push user {} is authorized", pushUser);
         pushContext.addStep(PushStep.builder()
                 .stepName("checkUserPermission")
-                .stepOrder(STEP_ORDER)
+                .stepOrder(ORDER)
                 .status(StepStatus.PASS)
                 .build());
     }
+
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "CheckUserPushPermissionHook";
+    }
 }

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CommitMessageValidationHook.java

@@ -7,7 +7,6 @@
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.Repository;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.config.CommitConfig;
@@ -22,9 +21,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class CommitMessageValidationHook implements PreReceiveHook {
+public class CommitMessageValidationHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2200;
+    private static final int ORDER = 260;
 
     private final CommitConfig commitConfig;
     private final ValidationContext validationContext;
@@ -52,12 +51,22 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         if (allViolations.isEmpty()) {
             pushContext.addStep(PushStep.builder()
                     .stepName("checkCommitMessages")
-                    .stepOrder(STEP_ORDER)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .build());
         }
     }
 
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "CommitMessageValidationHook";
+    }
+
     private List<Commit> getCommits(Repository repo, ReceiveCommand cmd) throws Exception {
         if (ObjectId.zeroId().equals(cmd.getOldId())) {
             return List.of(CommitInspectionService.getCommitDetails(

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/DiffGenerationHook.java

@@ -7,7 +7,6 @@
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.Repository;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.db.model.PushStep;
@@ -32,7 +31,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class DiffGenerationHook implements PreReceiveHook {
+public class DiffGenerationHook implements GitProxyHook {
+
+    private static final int ORDER = 280;
 
     public static final String STEP_NAME_PUSH_DIFF = "diff";
     public static final String STEP_NAME_BRANCH_DIFF = "diff:default-branch";
@@ -72,7 +73,7 @@ private void generatePushDiff(
 
             PushStep step = PushStep.builder()
                     .stepName(STEP_NAME_PUSH_DIFF)
-                    .stepOrder(3000)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .content(diff)
                     .build();
@@ -118,7 +119,7 @@ private void generateDefaultBranchDiff(ReceivePack rp, Repository repo, String p
 
             PushStep step = PushStep.builder()
                     .stepName(STEP_NAME_BRANCH_DIFF)
-                    .stepOrder(3001)
+                    .stepOrder(ORDER + 1)
                     .status(StepStatus.PASS)
                     .content(diff)
                     .build();
@@ -133,6 +134,16 @@ private void generateDefaultBranchDiff(ReceivePack rp, Repository repo, String p
         }
     }
 
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "DiffGenerationHook";
+    }
+
     /**
      * Resolve the default branch. In a bare clone, HEAD is a symbolic ref pointing to the remote's default branch.
      * Falls back to common names if HEAD is detached.

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/DiffScanningHook.java

@@ -5,7 +5,6 @@
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.config.CommitConfig;
@@ -23,9 +22,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class DiffScanningHook implements PreReceiveHook {
+public class DiffScanningHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2300;
+    private static final int ORDER = 300;
 
     private final CommitConfig commitConfig;
     private final ValidationContext validationContext;
@@ -80,10 +79,20 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         if (!anyFailed) {
             pushContext.addStep(PushStep.builder()
                     .stepName("scanDiff")
-                    .stepOrder(STEP_ORDER)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .logs(logs)
                     .build());
         }
     }
+
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "DiffScanningHook";
+    }
 }

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/GitProxyHook.java

@@ -0,0 +1,31 @@
+package org.finos.gitproxy.git;
+
+import org.eclipse.jgit.transport.PreReceiveHook;
+
+/**
+ * A {@link PreReceiveHook} with an associated order value, used to sort hooks in the store-and-forward receive chain.
+ *
+ * <p>Hooks are executed in ascending order of their {@link #getOrder()} value. The following ranges mirror the filter
+ * order scheme and are reserved:
+ *
+ * <ul>
+ *   <li><b>Negative (&lt;= -1):</b> System lifecycle hooks that must run first or last (e.g., persistence hooks).
+ *       Custom hooks must not use negative values.
+ *   <li><b>0-199 authorization range:</b> Whitelist and user/repo/provider permission checks.
+ *   <li><b>200-399 content filtering range:</b> Commit content validation (emails, messages, diffs, signatures,
+ *       secrets). Built-in hooks use multiples of 10 within this range to leave room for custom hooks between them.
+ *   <li><b>400-499 post-validation range:</b> Reserved for future use (e.g., outbound commit decoration).
+ *   <li><b>500+ extended range:</b> Custom bespoke hooks.
+ * </ul>
+ *
+ * <p>Lifecycle hooks ({@code PushStorePersistenceHook}, {@code ApprovalPreReceiveHook}) do not implement this interface
+ * and are always pinned at fixed positions in the chain by {@link StoreAndForwardReceivePackFactory}.
+ */
+public interface GitProxyHook extends PreReceiveHook {
+
+    /** Returns the order value that determines this hook's position in the chain. */
+    int getOrder();
+
+    /** Returns a human-readable name for this hook, used in logging and diagnostics. */
+    String getName();
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/GpgSignatureHook.java

@@ -12,7 +12,6 @@
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.Repository;
-import org.eclipse.jgit.transport.PreReceiveHook;
 import org.eclipse.jgit.transport.ReceiveCommand;
 import org.eclipse.jgit.transport.ReceivePack;
 import org.finos.gitproxy.config.GpgConfig;
@@ -27,9 +26,9 @@
  */
 @Slf4j
 @RequiredArgsConstructor
-public class GpgSignatureHook implements PreReceiveHook {
+public class GpgSignatureHook implements GitProxyHook {
 
-    private static final int STEP_ORDER = 2400;
+    private static final int ORDER = 320;
 
     private final GpgConfig config;
     private final ValidationContext validationContext;
@@ -59,12 +58,22 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
         if (allViolations.isEmpty()) {
             pushContext.addStep(PushStep.builder()
                     .stepName("checkSignatures")
-                    .stepOrder(STEP_ORDER)
+                    .stepOrder(ORDER)
                     .status(StepStatus.PASS)
                     .build());
         }
     }
 
+    @Override
+    public int getOrder() {
+        return ORDER;
+    }
+
+    @Override
+    public String getName() {
+        return "GpgSignatureHook";
+    }
+
     private List<Commit> getCommits(Repository repo, ReceiveCommand cmd) throws Exception {
         if (ObjectId.zeroId().equals(cmd.getOldId())) {
             return List.of(CommitInspectionService.getCommitDetails(