Add broker team management and discovery coverage

.github/workflows/test-and-build-artifacts.yml

@@ -1,6 +1,20 @@
 name: Test And Build Artifacts
 
 on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "*.go"
+      - "**/*.go"
+      - "go.mod"
+      - "go.sum"
+      - "CHANGELOG.md"
+      - "broker/**"
+      - "www/**"
+      - "testsuite/**"
+      - ".github/workflows/test-and-build-artifacts.yml"
+      - ".github/workflows/test.yml"
   push:
     branches:
       - main
@@ -15,7 +29,14 @@ on:
       - "www/**"
       - "testsuite/**"
       - ".github/workflows/test-and-build-artifacts.yml"
+      - ".github/workflows/test.yml"
   workflow_dispatch:
+    inputs:
+      speed_lane:
+        description: "Skip tests and integration; build and publish only"
+        required: false
+        default: false
+        type: boolean
 
 permissions:
   contents: read
@@ -27,6 +48,7 @@ concurrency:
 jobs:
   unit:
     name: Unit Tests (${{ matrix.os }})
+    if: (github.ref == 'refs/heads/develop' || github.event_name == 'workflow_dispatch') && !(github.event_name == 'push' && contains(github.event.head_commit.message || '', '[speed-lane]')) && !(github.event_name == 'workflow_dispatch' && github.event.inputs.speed_lane == 'true')
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
     permissions:
@@ -57,6 +79,7 @@ jobs:
     name: Build Multiarchitecture Artifacts
     needs:
       - unit
+    if: always() && (github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && github.base_ref == 'main' && github.head_ref == 'develop' && github.event.pull_request.head.repo.full_name == github.repository) || needs.unit.result == 'success' || (github.event_name == 'push' && contains(github.event.head_commit.message || '', '[speed-lane]')) || (github.event_name == 'workflow_dispatch' && github.event.inputs.speed_lane == 'true'))
     runs-on: ubuntu-24.04
     timeout-minutes: 20
     permissions:
@@ -74,7 +97,7 @@ jobs:
           cache-dependency-path: go.sum
 
       - name: Resolve Version From Changelog
-        if: github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && github.base_ref == 'main' && github.head_ref == 'develop' && github.event.pull_request.head.repo.full_name == github.repository)
         shell: pwsh
         run: |
           if (!(Test-Path "CHANGELOG.md")) {
@@ -194,6 +217,7 @@ jobs:
     name: Integration Tests (${{ matrix.os }})
     needs:
       - build
+    if: (github.ref == 'refs/heads/develop' || github.event_name == 'workflow_dispatch') && !(github.event_name == 'push' && contains(github.event.head_commit.message || '', '[speed-lane]')) && !(github.event_name == 'workflow_dispatch' && github.event.inputs.speed_lane == 'true')
     runs-on: ${{ matrix.os }}
     timeout-minutes: 45
     permissions:
@@ -277,9 +301,10 @@ jobs:
   publish:
     name: Publish Release
     needs:
+      - build
       - integration
     runs-on: ubuntu-24.04
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
+    if: always() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && ((github.ref == 'refs/heads/main' && needs.build.result == 'success') || (github.ref == 'refs/heads/develop' && (needs.integration.result == 'success' || ((((github.event_name == 'push' && contains(github.event.head_commit.message || '', '[speed-lane]')) || (github.event_name == 'workflow_dispatch' && github.event.inputs.speed_lane == 'true')) && needs.build.result == 'success')))))
     timeout-minutes: 15
     permissions:
       contents: write

.github/workflows/test.yml

@@ -2,6 +2,8 @@ name: Test
 
 on:
   pull_request:
+    branches:
+      - develop
   workflow_dispatch:
 
 permissions:

CHANGELOG.md

@@ -4,6 +4,19 @@ All notable changes to `bgit` are documented in this file.
 
 This project follows semantic versioning.
 
+## 1.1.0
+
+Changed
+
+- Added broker users, broker admins, teams, team-to-repository grants, and
+  exact-FQDN TXT discovery for team clone URLs.
+- `bgit setup` now seeds the default `core` team, and flat repository flows map
+  through `core` while still accepting explicit team clone URLs.
+- `bgit setup` now starts from configured brokers, with explicit new, update,
+  manage, and delete paths instead of mixing broker creation and redeploys.
+- Broker user creation now uses an invite/accept flow, setup management fields
+  use selectable roles/users/teams/repos, and invalid roles are rejected.
+
 ## 1.0.1
 
 Changed

README.md

@@ -62,13 +62,15 @@ Set up BucketGit for one or more cloud profiles:
 bgit setup
 ```
 
-`bgit setup` discovers GCP and AWS profiles, lets you choose regions, imports
-owner SSH keys, deploys or updates the broker, and writes global configuration to
-`~/.bgit/config.yaml`.
+`bgit setup` is the interactive broker setup and management tool. It discovers
+GCP and AWS profiles, lets you choose regions, creates or updates brokers,
+imports owner SSH keys, manages users and teams, and writes global configuration
+to `~/.bgit/config.yaml`.
 
-Create a new repository:
+Create a broker repository, then attach a local checkout:
 
 ```bash
+bgit admin repo create --team core demo
 mkdir demo
 cd demo
 bgit init
@@ -82,7 +84,15 @@ bgit push
 Clone an existing broker-backed repository:
 
 ```bash
-bgit clone https://broker.example.com/team/demo.git ./demo
+bgit clone https://broker.example.com/demo.git ./demo
+```
+
+Flat clone URLs use the broker's default `core` team. The explicit form is also
+accepted:
+
+```bash
+bgit clone https://broker.example.com/core/demo.git ./demo
+bgit clone https://broker.example.com/core/demo/demo.git ./demo
 ```
 
 Inside an initialized checkout, normal Git commands also work for fetch and push
@@ -93,16 +103,41 @@ git fetch
 git push
 ```
 
+## Custom Domains
+
+BucketGit can discover brokers from DNS TXT records, so users can clone from a
+clean domain instead of a generated Cloud Run or Lambda Function URL.
+
+For `https://git.example.com/...`, publish records at `_bgit.git.example.com`.
+Discovery is exact-FQDN based; BucketGit does not fall back from
+`git.example.com` to `example.com`.
+
+```text
+v=bgit1 broker=https://broker.example.com team=t_abcd1234 name=platform
+```
+
+The `name` is the public path segment users type. The `team` value is the
+opaque broker team identifier. With the record above, both forms work:
+
+```bash
+bgit clone https://git.example.com/platform/demo.git ./demo
+bgit clone https://git.example.com/platform/demo/demo.git ./demo
+```
+
+BucketGit skips TXT discovery for direct broker URLs such as Cloud Run and AWS
+Lambda Function URLs.
+
 ## Common Commands
 
 ```bash
 bgit setup
 bgit setup profile create --provider gcp work
 bgit setup profile create --provider aws work
 
+bgit admin repo create --team core demo
 bgit init
-bgit init --noninteractive --repo team/demo --profile work.europe-west1
-bgit clone https://broker.example.com/team/demo.git ./demo
+bgit init --noninteractive --repo demo --profile work.europe-west1 --team core
+bgit clone https://broker.example.com/demo.git ./demo
 bgit web
 
 bgit status
@@ -131,9 +166,12 @@ bgit issue view 1
 
 bgit whoami
 bgit repos mine
+
+bgit admin repo list
+bgit admin repo info
 ```
 
-## Setup And Profiles
+## Setup And Broker Management
 
 Global configuration is stored in `~/.bgit/config.yaml`. Profiles are
 provider- and region-aware, so the same cloud account can have brokers in
@@ -142,7 +180,8 @@ multiple regions.
 Examples:
 
 ```bash
-bgit init --noninteractive --repo app --profile work.europe-west1
+bgit admin repo create --team core app
+bgit init --noninteractive --repo app --profile work.europe-west1 --team core
 bgit push --profile work --region europe-west1
 ```
 
@@ -168,6 +207,12 @@ bgit setup profile create --provider aws work
 GCP setup uses `gcloud` configurations. AWS setup reads AWS config/credentials
 files and can use the AWS CLI when profile creation is requested.
 
+`bgit setup` also manages configured brokers. From the setup UI you can create,
+update, manage, or delete brokers, manage users and teams, and seed the default
+`core` team. Repositories are created explicitly with `bgit admin repo create`
+or through the setup broker-management UI; `bgit init` attaches a local checkout
+to an existing broker repository.
+
 ## Identity
 
 BucketGit supports a global name and email in `~/.bgit/config.yaml` and per-repo
@@ -195,27 +240,51 @@ an SSH signature.
 Useful admin commands:
 
 ```bash
+bgit admin repo list
+bgit admin repo info
+bgit admin repo create --team platform app
+
 bgit admin keys list
 bgit admin keys add --user ada --role developer --key ~/.ssh/ada.pub
 bgit admin keys import-github octocat --role triage
 bgit admin keys suspend KEY_OR_FINGERPRINT
 bgit admin keys remove KEY_OR_FINGERPRINT
 
-bgit admin invite-user --broker https://broker.example.com --user ada --role developer team/demo.git
+bgit admin invite-user --broker https://broker.example.com --user ada --role developer demo.git
 bgit admin accept-invite CODE
-bgit admin cancel-invite --broker https://broker.example.com --user ada team/demo.git
+bgit admin cancel-invite --broker https://broker.example.com --user ada demo.git
 
-bgit admin confirm-ownership-transfer --broker https://broker.example.com team/demo.git
+bgit admin invite-broker-user --broker https://broker.example.com --user ada --role user
+bgit admin accept-broker-invite CODE
+bgit admin cancel-broker-invite --broker https://broker.example.com --user ada
+
+bgit admin confirm-ownership-transfer --broker https://broker.example.com demo.git
 bgit admin accept-ownership-transfer CODE
-bgit admin cancel-ownership-transfer --broker https://broker.example.com team/demo.git
+bgit admin cancel-ownership-transfer --broker https://broker.example.com demo.git
 
 bgit admin protect add main
 bgit admin protect list
 bgit admin protect remove main
+
+bgit admin broker-users list
+bgit admin broker-users upsert ada --role user --key ~/.ssh/ada.pub
+bgit admin broker-users upsert ada --role user --suspended true
+bgit admin broker-users delete ada
+
+bgit admin teams create platform
+bgit admin teams delete TEAM_ID
+bgit admin teams member add TEAM_ID ada --role developer
+bgit admin teams member remove TEAM_ID ada
+bgit admin teams repo list
+bgit admin teams repo add TEAM_ID developer
+bgit admin teams repo remove TEAM_ID
 ```
 
 A repo can have at most one active pending invite per username. Invite
-cancellation is repo-scoped.
+cancellation is repo-scoped. Broker logical repository names are flat, such as
+`demo.git`; path-shaped clone URLs route through teams. Flat broker clone URLs
+use the default `core` team, while `bgit init` prompts for a team or requires
+`--team` in noninteractive mode.
 
 ## Repository Settings
 
@@ -289,7 +358,7 @@ The web assets are embedded into the `bgit` binary at build time.
 `bgit init` writes a Git remote like:
 
 ```text
-git@git.bucketgit.com:team/demo.git
+git@git.bucketgit.com:demo.git
 ```
 
 and configures: