fix: request_apply_commit resolves sha locally + rejects non-sha refs

hive-c0re/src/lifecycle.rs

@@ -559,17 +559,49 @@ async fn git(dir: &Path, args: &[&str]) -> Result<()> {
     Ok(())
 }
 
-/// Fetch `sha` from the `src` git repo into `dst` and pin it as
-/// `refs/tags/<tag>`. Used at `request_apply_commit` time so hive-c0re
-/// captures an immutable handle on the manager's commit; subsequent
-/// amendments / force-pushes in `src` no longer affect what gets
-/// built. Returns the resolved sha (which equals `sha` on success
-/// but normalised — short shas get expanded).
+/// Fetch the commit `sha` from the `src` git repo into `dst` and pin
+/// it as `refs/tags/<tag>`. Used at `request_apply_commit` time so
+/// hive-c0re captures an immutable handle on the manager's commit;
+/// subsequent amendments / force-pushes in `src` no longer affect
+/// what gets built. Returns the resolved full sha.
+///
+/// `sha` must be a commit sha (short or full) — the caller
+/// (`submit_apply_commit`) shape-checks it first. We resolve it
+/// LOCALLY against `src` rather than asking the remote to resolve
+/// it: `git fetch <remote> <sha>:<dst>` treats the left side as a
+/// remote *ref name*, and a bare sha is not one ("couldn't find
+/// remote ref ..."). Fetching by sha would need a full 40-hex sha
+/// plus `uploadpack.allow*SHA1InWant` on the remote, which the
+/// proposed repos don't set. hive-c0re has direct read access to
+/// `src`, so a local `rev-parse` + a branch-glob fetch sidesteps
+/// the whole sha-want negotiation.
 pub async fn git_fetch_to_tag(dst: &Path, src: &Path, sha: &str, tag: &str) -> Result<String> {
     let src_str = src.display().to_string();
-    let refspec = format!("{sha}:refs/tags/{tag}");
-    git(dst, &["fetch", "--no-tags", &src_str, &refspec]).await?;
-    git_rev_parse(dst, &format!("refs/tags/{tag}")).await
+    // Resolve the (short-or-full) sha to a full sha against the
+    // source repo. The `^{commit}` peel + non-zero exit on a missing
+    // object means a typo'd / stale sha fails loudly right here.
+    let full = git_rev_parse(src, &format!("{sha}^{{commit}}"))
+        .await
+        .with_context(|| format!("commit '{sha}' not found in proposed repo {src_str}"))?;
+    // Bring src's objects into dst. Fetching every head pulls the
+    // wanted commit's history (always reachable from a branch in the
+    // manager's flow) into dst's object db without sha-want.
+    git(
+        dst,
+        &[
+            "fetch",
+            "--no-tags",
+            &src_str,
+            "+refs/heads/*:refs/remotes/proposal-src/*",
+        ],
+    )
+    .await?;
+    // Pin the exact commit as the proposal tag. The objects are now
+    // local so this resolves without touching the remote.
+    git(dst, &["tag", tag, &full]).await.with_context(|| {
+        format!("tag {tag} at {full}: commit not reachable from any branch in proposed repo")
+    })?;
+    Ok(full)
 }
 
 /// Resolve `refname` (a tag, branch, or sha) in `dir` to its full sha.

hive-c0re/src/manager_server.rs

@@ -392,6 +392,25 @@ async fn dispatch(req: &ManagerRequest, coord: &Arc<Coordinator>) -> ManagerResp
     }
 }
 
+/// `request_apply_commit` takes a commit SHA only — not a branch or
+/// tag name. A branch is mutable; pinning the proposal to a concrete
+/// sha keeps "what the manager asked to deploy" unambiguous and means
+/// the `proposal/<id>` tag is a faithful record of the request.
+/// Accepts a 7..=40 char hex string (short or full sha); the exact
+/// commit is resolved + existence-checked against the proposed repo
+/// later in `lifecycle::git_fetch_to_tag`.
+fn validate_commit_ref(commit_ref: &str) -> Result<()> {
+    let n = commit_ref.len();
+    let hex = commit_ref.chars().all(|c| c.is_ascii_hexdigit());
+    if !(7..=40).contains(&n) || !hex {
+        anyhow::bail!(
+            "commit_ref '{commit_ref}' is not a commit sha — request_apply_commit \
+             takes a 7-40 char hex sha, not a branch or tag name"
+        );
+    }
+    Ok(())
+}
+
 /// Submit-time half of the apply flow: queue the approval row, then
 /// fetch the manager's commit from the proposed repo into applied and
 /// pin it as `refs/tags/proposal/<id>`. From this point on the manager
@@ -409,6 +428,7 @@ async fn submit_apply_commit(
     commit_ref: &str,
     description: Option<&str>,
 ) -> anyhow::Result<(i64, String)> {
+    validate_commit_ref(commit_ref)?;
     let proposed_dir = crate::coordinator::Coordinator::agent_proposed_dir(agent);
     let applied_dir = crate::coordinator::Coordinator::agent_applied_dir(agent);
     if !proposed_dir.exists() {
@@ -518,3 +538,33 @@ pub fn spawn_question_watchdog(coord: &Arc<Coordinator>, id: i64, ttl_secs: u64)
         }
     });
 }
+
+#[cfg(test)]
+mod tests {
+    use super::validate_commit_ref;
+
+    #[test]
+    fn accepts_short_and_full_sha() {
+        assert!(validate_commit_ref("e194f78").is_ok());
+        assert!(validate_commit_ref("e194f7812ab").is_ok());
+        assert!(validate_commit_ref(&"a".repeat(40)).is_ok());
+        // Uppercase hex resolves fine through `git rev-parse`.
+        assert!(validate_commit_ref("E194F78").is_ok());
+    }
+
+    #[test]
+    fn rejects_branch_and_tag_names() {
+        // The exact bug class this guard exists for.
+        assert!(validate_commit_ref("main").is_err());
+        assert!(validate_commit_ref("HEAD").is_err());
+        assert!(validate_commit_ref("deployed/0").is_err());
+        assert!(validate_commit_ref("feature-branch").is_err());
+    }
+
+    #[test]
+    fn rejects_too_short_too_long_and_empty() {
+        assert!(validate_commit_ref("").is_err());
+        assert!(validate_commit_ref("abc123").is_err()); // 6 chars
+        assert!(validate_commit_ref(&"a".repeat(41)).is_err());
+    }
+}