Merge branch 'main' into ux/project-pickers-quill

Author: jonathanlab

apps/code/src/main/services/agent/service.ts

@@ -53,6 +53,7 @@ import type { FsService } from "../fs/service";
 import type { McpAppsService } from "../mcp-apps/service";
 import type { PosthogPluginService } from "../posthog-plugin/service";
 import type { ProcessTrackingService } from "../process-tracking/service";
+import { loadSessionEnvOverrides } from "../session-env/loader";
 import type { SleepService } from "../sleep/service";
 import type { AgentAuthAdapter, McpToolInstallations } from "./auth-adapter";
 import { discoverExternalPlugins } from "./discover-plugins";
@@ -983,6 +984,27 @@ When creating pull requests, add the following footer at the end of the PR descr
     return taskId ? all.filter((s) => s.taskId === taskId) : all;
   }
 
+  /**
+   * Resolve env-var overrides set by the SessionStart-style hooks of the most
+   * recently active agent session for `taskId`.
+   *
+   * Used by git/gh operations triggered from the UI (Commit, Create PR) so
+   * they pick up the same hook env the agent itself sees — most importantly
+   * the SSH_AUTH_SOCK that Secretive's hook re-points at the Secretive agent
+   * for commit signing. Returns an empty object when there is no session for
+   * the task or when no hook output is available.
+   */
+  public async getSessionEnvForTask(
+    taskId: string,
+  ): Promise<Record<string, string>> {
+    const candidates = this.listSessions(taskId)
+      .filter((s) => !!s.config.sessionId)
+      .sort((a, b) => b.lastActivityAt - a.lastActivityAt);
+    const session = candidates[0];
+    if (!session?.config.sessionId) return {};
+    return loadSessionEnvOverrides(session.config.sessionId);
+  }
+
   /**
    * Get sessions that were interrupted for a specific reason.
    * Optionally filter by repoPath to get only sessions for a specific repo.

apps/code/src/main/services/file-watcher/service.ts

@@ -214,6 +214,11 @@ export class FileWatcherService extends TypedEventEmitter<FileWatcherEvents> {
           (e) =>
             e.path.endsWith("/HEAD") ||
             e.path.endsWith("/index") ||
+            e.path.endsWith("/MERGE_HEAD") ||
+            e.path.endsWith("/CHERRY_PICK_HEAD") ||
+            e.path.endsWith("/REVERT_HEAD") ||
+            e.path.includes("/rebase-merge") ||
+            e.path.includes("/rebase-apply") ||
             e.path.includes("/refs/heads/"),
         );
         if (isRelevant) {

apps/code/src/main/services/git/schemas.ts

@@ -147,6 +147,27 @@ export const getCurrentBranchOutput = z.string().nullable();
 export const getAllBranchesInput = directoryPathInput;
 export const getAllBranchesOutput = z.array(z.string());
 
+// getGitBusyState schemas
+export const gitBusyOperationSchema = z.enum([
+  "rebase",
+  "merge",
+  "cherry-pick",
+  "revert",
+]);
+
+export const gitBusyStateSchema = z.union([
+  z.object({ busy: z.literal(false) }),
+  z.object({
+    busy: z.literal(true),
+    operation: gitBusyOperationSchema,
+  }),
+]);
+
+export type { GitBusyOperation, GitBusyState } from "../../../shared/types";
+
+export const getGitBusyStateInput = directoryPathInput;
+export const getGitBusyStateOutput = gitBusyStateSchema;
+
 // createBranch schemas
 export const createBranchInput = z.object({
   directoryPath: z.string(),

apps/code/src/main/services/git/service.test.ts

@@ -23,6 +23,7 @@ vi.mock("../../utils/logger.js", () => ({
   },
 }));
 
+import type { AgentService } from "../agent/service";
 import type { LlmGatewayService } from "../llm-gateway/service";
 import type { WorkspaceService } from "../workspace/service";
 import { GitService, mapPrState } from "./service";
@@ -32,7 +33,11 @@ describe("GitService.getPrChangedFiles", () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
-    service = new GitService({} as LlmGatewayService, {} as WorkspaceService);
+    service = new GitService(
+      {} as LlmGatewayService,
+      {} as WorkspaceService,
+      { getSessionEnvForTask: async () => ({}) } as unknown as AgentService,
+    );
   });
 
   it("flattens paginated GH API results and maps file statuses", async () => {
@@ -140,7 +145,11 @@ describe("GitService.getGhAuthToken", () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
-    service = new GitService({} as LlmGatewayService, {} as WorkspaceService);
+    service = new GitService(
+      {} as LlmGatewayService,
+      {} as WorkspaceService,
+      { getSessionEnvForTask: async () => ({}) } as unknown as AgentService,
+    );
   });
 
   it("returns the authenticated GitHub CLI token", async () => {
@@ -198,7 +207,11 @@ describe("GitService.getPrUrlForBranch", () => {
 
   beforeEach(() => {
     vi.clearAllMocks();
-    service = new GitService({} as LlmGatewayService, {} as WorkspaceService);
+    service = new GitService(
+      {} as LlmGatewayService,
+      {} as WorkspaceService,
+      { getSessionEnvForTask: async () => ({}) } as unknown as AgentService,
+    );
   });
 
   it("returns the PR URL for a branch via gh pr list", async () => {

apps/code/src/main/services/git/service.ts

@@ -19,6 +19,7 @@ import {
   getDiffHead,
   getDiffStats,
   getFileAtHead,
+  getGitBusyState,
   getLatestCommit,
   getRemoteUrl,
   getStagedDiff,
@@ -40,6 +41,7 @@ import { inject, injectable } from "inversify";
 import { MAIN_TOKENS } from "../../di/tokens";
 import { logger } from "../../utils/logger";
 import { TypedEventEmitter } from "../../utils/typed-event-emitter";
+import type { AgentService } from "../agent/service";
 import type { LlmGatewayService } from "../llm-gateway/service";
 import type { SidebarPrState } from "../workspace/schemas";
 import type { WorkspaceService } from "../workspace/service";
@@ -57,6 +59,7 @@ import type {
   GetPrTemplateOutput,
   GhAuthTokenOutput,
   GhStatusOutput,
+  GitBusyState,
   GitCommitInfo,
   GitFileStatus,
   GithubRef,
@@ -134,10 +137,31 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
     private readonly llmGateway: LlmGatewayService,
     @inject(MAIN_TOKENS.WorkspaceService)
     private readonly workspaceService: WorkspaceService,
+    @inject(MAIN_TOKENS.AgentService)
+    private readonly agentService: AgentService,
   ) {
     super();
   }
 
+  /**
+   * Resolve env-var overrides set by the agent's SessionStart hooks for the
+   * given task. Used so UI-triggered git/gh operations (Commit, Create PR)
+   * see the same env (notably `SSH_AUTH_SOCK` re-pointed at Secretive) as
+   * the agent's bash tool. Returns `undefined` if there's nothing to apply.
+   */
+  private async getSessionEnv(
+    taskId: string | undefined,
+  ): Promise<Record<string, string> | undefined> {
+    if (!taskId) return undefined;
+    try {
+      const env = await this.agentService.getSessionEnvForTask(taskId);
+      return Object.keys(env).length > 0 ? env : undefined;
+    } catch (err) {
+      log.warn("Failed to load session env for task", { taskId, err });
+      return undefined;
+    }
+  }
+
   private async getStateSnapshot(
     directoryPath: string,
     options?: {
@@ -285,6 +309,10 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
     return getAllBranches(directoryPath);
   }
 
+  public async getGitBusyState(directoryPath: string): Promise<GitBusyState> {
+    return getGitBusyState(directoryPath);
+  }
+
   public async createBranch(
     directoryPath: string,
     branchName: string,
@@ -475,6 +503,7 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
     branch?: string,
     setUpstream = false,
     signal?: AbortSignal,
+    env?: Record<string, string>,
   ): Promise<PushOutput> {
     const saga = new PushSaga();
     const result = await saga.run({
@@ -483,6 +512,7 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
       branch: branch || undefined,
       setUpstream,
       signal,
+      env,
     });
     if (!result.success) {
       return { success: false, message: result.error };
@@ -532,6 +562,7 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
     directoryPath: string,
     remote = "origin",
     signal?: AbortSignal,
+    env?: Record<string, string>,
   ): Promise<PublishOutput> {
     const currentBranch = await getCurrentBranch(directoryPath);
     if (!currentBranch) {
@@ -544,6 +575,7 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
       currentBranch,
       true,
       signal,
+      env,
     );
     return {
       success: pushResult.success,
@@ -617,6 +649,8 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
       });
     };
 
+    const sessionEnv = await this.getSessionEnv(input.taskId);
+
     const saga = new CreatePrSaga(
       {
         getCurrentBranch: (dir) => getCurrentBranch(dir),
@@ -625,14 +659,16 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
         getChangedFilesHead: (dir) => this.getChangedFilesHead(dir),
         generateCommitMessage: (dir) =>
           this.generateCommitMessage(dir, input.conversationContext),
-        commit: (dir, msg, opts) => this.commit(dir, msg, opts),
+        commit: (dir, msg, opts) =>
+          this.commit(dir, msg, { ...opts, envOverride: sessionEnv }),
         getSyncStatus: (dir) => this.getGitSyncStatus(dir),
-        push: (dir) => this.push(dir),
-        publish: (dir) => this.publish(dir),
+        push: (dir) =>
+          this.push(dir, "origin", undefined, false, undefined, sessionEnv),
+        publish: (dir) => this.publish(dir, "origin", undefined, sessionEnv),
         generatePrTitleAndBody: (dir) =>
           this.generatePrTitleAndBody(dir, input.conversationContext),
         createPr: (dir, title, body, draft) =>
-          this.createPrViaGh(dir, title, body, draft),
+          this.createPrViaGh(dir, title, body, draft, sessionEnv),
         onProgress: emitProgress,
       },
       log,
@@ -723,6 +759,8 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
       allowEmpty?: boolean;
       stagedOnly?: boolean;
       taskId?: string;
+      /** Pre-resolved session env. Internal — used by createPr to avoid re-loading. */
+      envOverride?: Record<string, string>;
     },
   ): Promise<CommitOutput> {
     const fail = (msg: string): CommitOutput => ({
@@ -734,11 +772,15 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
 
     if (!message.trim()) return fail("Commit message is required");
 
+    const { envOverride, ...sagaOptions } = options ?? {};
+    const env = envOverride ?? (await this.getSessionEnv(options?.taskId));
+
     const saga = new CommitSaga();
     const result = await saga.run({
       baseDir: directoryPath,
       message: message.trim(),
-      ...options,
+      env,
+      ...sagaOptions,
     });
 
     if (!result.success) return fail(result.error);
@@ -949,6 +991,7 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
     title?: string,
     body?: string,
     draft?: boolean,
+    env?: Record<string, string>,
   ): Promise<{ success: boolean; message: string; prUrl: string | null }> {
     const prFooter =
       "\n\n---\n*Created with [PostHog Code](https://posthog.com/code?ref=pr)*";
@@ -962,7 +1005,7 @@ export class GitService extends TypedEventEmitter<GitServiceEvents> {
     }
     if (draft) args.push("--draft");
 
-    const result = await execGh(args, { cwd: directoryPath });
+    const result = await execGh(args, { cwd: directoryPath, env });
     if (result.exitCode !== 0) {
       return {
         success: false,