fix: archive_read_only creates bare repos for archived announcements

Combined Accept and AcceptArchive match arms in builder.rs to ensure
bare repositories are created for both cases. Previously AcceptArchive
had duplicate code that didn't call ensure_bare_repository().

Also includes:
- Config fix: effective_git_data_path() respects explicit paths with memory backend
- TestRelay: Added git_data_path() and archive config support for testing
- Integration tests for archive_read_only behavior

2 files changed, 459 insertions, 1 deletions

diff --git a/tests/archive_read_only.rs b/tests/archive_read_only.rs
new file mode 100644
index 0000000..be6959b
--- /dev/null
+++ b/tests/archive_read_only.rs
@@ -0,0 +1,368 @@
+//! Archive Read-Only Mode Integration Tests
+//!
+//! Tests that verify archive_read_only mode behavior:
+//! - Bare git repositories are created for announcements
+//! - Git data is synced via relay-to-relay sync (purgatory sync)
+//! - Git pushes are rejected (read-only mode)
+//!
+//! # Test Strategy
+//!
+//! These tests verify the GRASP-05 archive mode with read_only flag:
+//! 1. Source relay has full repository (announcement + state events + git data)
+//! 2. Archive relay syncs from source relay (relay-to-relay sync)
+//! 3. State events trigger purgatory sync which fetches git data
+//! 4. Git data is validated against Nostr state events
+//! 5. Git pushes are rejected (read-only enforcement)
+//!
+//! # Security Model
+//!
+//! Archive mode uses the existing purgatory sync infrastructure to ensure:
+//! - Git data is validated against Nostr state events
+//! - "Naughty git servers" can't provide incorrect state
+//! - Same security guarantees as normal relay operation
+//!
+//! # Running Tests
+//!
+//! ```bash
+//! # Run all archive read-only tests
+//! cargo test --test archive_read_only
+//!
+//! # Run specific test
+//! cargo test --test archive_read_only test_archive_read_only_creates_bare_repo
+//!
+//! # With output for debugging
+//! cargo test --test archive_read_only -- --nocapture
+//! ```
+
+mod common;
+
+use common::{
+    check_ref_at_commit, create_repo_announcement, create_state_event,
+    create_test_repo_with_commit, push_to_relay, wait_for_event_served, wait_for_sync_connection,
+    CommitVariant, TestRelay,
+};
+use nostr_sdk::prelude::*;
+use std::time::Duration;
+
+/// Test that archive_read_only mode creates bare git repositories and syncs data
+/// via relay-to-relay sync (purgatory sync infrastructure).
+///
+/// Scenario:
+/// 1. Start source relay with full repository (announcement + state + git data)
+/// 2. Start archive relay with archive_all=true, archive_read_only=true, syncing from source
+/// 3. Archive relay syncs announcement and state events from source
+/// 4. State events trigger purgatory sync which fetches git data from source's clone URL
+/// 5. Verify bare repository is created and git data is synced
+/// 6. Verify git pushes are rejected (read-only mode)
+#[tokio::test]
+async fn test_archive_read_only_creates_bare_repo() {
+    // 1. Start source relay
+    let source_relay = TestRelay::start().await;
+    let keys = Keys::generate();
+    let identifier = "archive-test-repo";
+
+    // Pre-allocate archive relay port so we can include it in announcement
+    let archive_port = TestRelay::find_free_port();
+    let archive_domain = format!("127.0.0.1:{}", archive_port);
+
+    // 2. Create test repository locally with deterministic commit
+    let temp_dir = tempfile::tempdir().expect("Failed to create temp dir");
+    let commit_hash = create_test_repo_with_commit(temp_dir.path(), CommitVariant::StateTest)
+        .expect("Failed to create test repo");
+
+    let npub = keys.public_key().to_bech32().expect("Failed to get npub");
+
+    // 3. Create and send announcement listing BOTH relays
+    // This ensures the archive relay will accept the state event when it syncs
+    let announcement = create_repo_announcement(
+        &keys,
+        &[&source_relay.domain(), &archive_domain],
+        identifier,
+    );
+
+    let source_client = Client::new(keys.clone());
+    source_client
+        .add_relay(source_relay.url())
+        .await
+        .expect("Failed to add source relay");
+    source_client.connect().await;
+
+    // Wait for connection
+    tokio::time::sleep(Duration::from_millis(500)).await;
+
+    // Send announcement to source relay
+    source_client
+        .send_event(&announcement)
+        .await
+        .expect("Failed to send announcement to source");
+
+    tokio::time::sleep(Duration::from_millis(200)).await;
+
+    // 4. Create and send state event
+    let clone_urls = [
+        format!(
+            "http://{}/{}/{}.git",
+            source_relay.domain(),
+            npub,
+            identifier
+        ),
+        format!("http://{}/{}/{}.git", archive_domain, npub, identifier),
+    ];
+    let relay_urls = [
+        source_relay.url().to_string(),
+        format!("ws://{}", archive_domain),
+    ];
+
+    let state_event = create_state_event(
+        &keys,
+        identifier,
+        &[("main", &commit_hash)],
+        &[],
+        &[&clone_urls[0], &clone_urls[1]],
+        &[&relay_urls[0], &relay_urls[1]],
+    )
+    .expect("Failed to create state event");
+
+    let state_event_id = state_event.id;
+
+    // Send state event to source relay (goes to purgatory - no git data yet)
+    source_client
+        .send_event(&state_event)
+        .await
+        .expect("Failed to send state event to source");
+
+    tokio::time::sleep(Duration::from_millis(200)).await;
+
+    // 5. Push git data to source relay
+    // The state event in purgatory authorizes this push
+    push_to_relay(temp_dir.path(), &source_relay.domain(), &npub, identifier)
+        .expect("Push to source should succeed");
+
+    // After push, state event should be released from purgatory on source relay
+    wait_for_event_served(source_relay.url(), &state_event_id, Duration::from_secs(5))
+        .await
+        .expect("State event should be served on source relay after push");
+
+    // 6. Start archive relay with archive_all=true, archive_read_only=true, syncing from source
+    let archive_relay = TestRelay::start_with_archive_and_sync(
+        archive_port,
+        Some(source_relay.url().to_string()),
+        false, // negentropy enabled
+        true,  // archive_all
+        true,  // archive_read_only
+    )
+    .await;
+
+    // Wait for sync connection to establish
+    wait_for_sync_connection(archive_relay.url(), 1, Duration::from_secs(5))
+        .await
+        .expect("Sync connection should establish");
+
+    // 7. Wait for state event to be released on archive relay
+    // The sync should:
+    // a) Fetch the announcement and state event from source relay
+    // b) Accept announcement (creates bare repo structure) - via archive mode
+    // c) Put state event in purgatory (git data missing on archive relay)
+    // d) Fetch git data from source relay's clone URL
+    // e) Release the state event from purgatory
+    let found = wait_for_event_served(
+        archive_relay.url(),
+        &state_event_id,
+        Duration::from_secs(30), // Allow time for sync + git fetch
+    )
+    .await;
+
+    assert!(
+        found.is_ok(),
+        "State event should be served after sync fetches git data: {:?}",
+        found.err()
+    );
+
+    // 8. Verify bare repository was created
+    let repo_path = archive_relay
+        .git_data_path()
+        .join(format!("{}/{}.git", npub, identifier));
+
+    assert!(
+        repo_path.exists(),
+        "Bare repository should be created at {:?} for archive announcement",
+        repo_path
+    );
+
+    // 9. Verify it's a bare repository (check for config file with bare = true)
+    let config_path = repo_path.join("config");
+    assert!(
+        config_path.exists(),
+        "Git config should exist at {:?}",
+        config_path
+    );
+
+    let config_content = tokio::fs::read_to_string(&config_path)
+        .await
+        .expect("Should read git config");
+    assert!(
+        config_content.contains("bare = true"),
+        "Repository at {:?} should be bare (config should contain 'bare = true')",
+        repo_path
+    );
+
+    // 10. Verify refs are correct on archive relay
+    let ref_correct = check_ref_at_commit(
+        &archive_domain,
+        &npub,
+        identifier,
+        "refs/heads/main",
+        &commit_hash,
+    )
+    .await
+    .expect("Failed to check ref");
+
+    assert!(ref_correct, "main branch should point to correct commit");
+
+    // 11. Verify git pushes are rejected (read-only mode)
+    // Create a new commit in the source repo
+    tokio::fs::write(temp_dir.path().join("new_file.txt"), "new content")
+        .await
+        .expect("Failed to write new file");
+
+    let output = tokio::process::Command::new("git")
+        .args(["add", "."])
+        .current_dir(temp_dir.path())
+        .output()
+        .await
+        .expect("Failed to git add");
+    assert!(output.status.success());
+
+    let output = tokio::process::Command::new("git")
+        .args(["commit", "-m", "New commit for push test"])
+        .current_dir(temp_dir.path())
+        .output()
+        .await
+        .expect("Failed to git commit");
+    assert!(output.status.success());
+
+    // Try to push to archive relay (should fail in read-only mode)
+    let push_url = format!("http://{}/{}/{}.git", archive_domain, npub, identifier);
+    let output = tokio::process::Command::new("git")
+        .args(["push", &push_url, "main"])
+        .current_dir(temp_dir.path())
+        .output()
+        .await
+        .expect("Failed to run git push");
+
+    assert!(
+        !output.status.success(),
+        "Git push should be rejected in archive_read_only mode. stderr: {}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+
+    // Cleanup
+    source_client.disconnect().await;
+    archive_relay.stop().await;
+    source_relay.stop().await;
+}
+
+/// Test that archive mode without state events does NOT sync git data.
+///
+/// This verifies the security model: archive mode only syncs git data
+/// when there are state events to validate against.
+///
+/// Scenario:
+/// 1. Start source relay with announcement only (no state events)
+/// 2. Start archive relay syncing from source
+/// 3. Archive relay syncs announcement (creates bare repo)
+/// 4. Verify git data is NOT synced (no state events to trigger purgatory sync)
+#[tokio::test]
+async fn test_archive_without_state_events_does_not_sync_git() {
+    // 1. Start source relay
+    let source_relay = TestRelay::start().await;
+    let keys = Keys::generate();
+    let identifier = "archive-no-state-repo";
+
+    // Pre-allocate archive relay port
+    let archive_port = TestRelay::find_free_port();
+    let archive_domain = format!("127.0.0.1:{}", archive_port);
+
+    // 2. Create test repository locally
+    let temp_dir = tempfile::tempdir().expect("Failed to create temp dir");
+    let commit_hash = create_test_repo_with_commit(temp_dir.path(), CommitVariant::StateTest)
+        .expect("Failed to create test repo");
+
+    let npub = keys.public_key().to_bech32().expect("Failed to get npub");
+
+    // 3. Create and send announcement listing BOTH relays (but NO state event)
+    let announcement = create_repo_announcement(
+        &keys,
+        &[&source_relay.domain(), &archive_domain],
+        identifier,
+    );
+
+    let source_client = Client::new(keys.clone());
+    source_client
+        .add_relay(source_relay.url())
+        .await
+        .expect("Failed to add source relay");
+    source_client.connect().await;
+
+    tokio::time::sleep(Duration::from_millis(500)).await;
+
+    // Send announcement to source relay
+    source_client
+        .send_event(&announcement)
+        .await
+        .expect("Failed to send announcement to source");
+
+    tokio::time::sleep(Duration::from_millis(200)).await;
+
+    // 4. Push git data to source relay (but no state event to authorize it)
+    // This push will fail because there's no state event in purgatory
+    // That's expected - we're testing that archive mode doesn't blindly fetch git data
+
+    // 5. Start archive relay
+    let archive_relay = TestRelay::start_with_archive_and_sync(
+        archive_port,
+        Some(source_relay.url().to_string()),
+        false,
+        true,
+        true,
+    )
+    .await;
+
+    // Wait for sync
+    wait_for_sync_connection(archive_relay.url(), 1, Duration::from_secs(5))
+        .await
+        .expect("Sync connection should establish");
+
+    // Give time for any potential git sync to happen
+    tokio::time::sleep(Duration::from_secs(3)).await;
+
+    // 6. Verify bare repository was created (announcement was accepted)
+    let repo_path = archive_relay
+        .git_data_path()
+        .join(format!("{}/{}.git", npub, identifier));
+
+    assert!(
+        repo_path.exists(),
+        "Bare repository should be created for archive announcement"
+    );
+
+    // 7. Verify git data was NOT synced (no state events to trigger purgatory sync)
+    // Check that the commit does NOT exist in the archive relay's repo
+    let output = tokio::process::Command::new("git")
+        .args(["cat-file", "-t", &commit_hash])
+        .current_dir(&repo_path)
+        .output()
+        .await;
+
+    let commit_exists = output.map(|o| o.status.success()).unwrap_or(false);
+
+    assert!(
+        !commit_exists,
+        "Git data should NOT be synced without state events (security: validates against Nostr state)"
+    );
+
+    // Cleanup
+    source_client.disconnect().await;
+    archive_relay.stop().await;
+    source_relay.stop().await;
+}
diff --git a/tests/common/relay.rs b/tests/common/relay.rs
index fb5d421..227849a 100644
--- a/tests/common/relay.rs
+++ b/tests/common/relay.rs
@@ -3,6 +3,7 @@
 //! Provides automatic relay lifecycle management for integration tests.
 
 use nostr_sdk::ToBech32;
+use std::path::PathBuf;
 use std::process::{Child, Command, Stdio};
 use std::time::Duration;
 use tokio::time::sleep;
@@ -15,6 +16,11 @@ pub struct TestRelay {
     process: Child,
     url: String,
     port: u16,
+    /// Temporary directory for git repositories
+    /// Kept alive for the lifetime of the relay
+    _git_data_dir: tempfile::TempDir,
+    /// Path to git data directory (for test assertions)
+    git_data_path: PathBuf,
 }
 
 impl TestRelay {
@@ -98,6 +104,37 @@ impl TestRelay {
         Self::start_with_full_options(Self::find_free_port(), bootstrap_relay_url, true).await
     }
 
+    /// Start relay with archive configuration
+    ///
+    /// This is useful for testing GRASP-05 archive mode behavior.
+    ///
+    /// # Arguments
+    /// * `archive_all` - Accept all repository announcements (GRASP-05)
+    /// * `archive_read_only` - Reject git pushes (read-only archive mode)
+    ///
+    /// # Example
+    ///
+    /// ```no_run
+    /// use common::TestRelay;
+    ///
+    /// #[tokio::test]
+    /// async fn test_archive_mode() {
+    ///     let relay = TestRelay::start_with_archive_config(true, true).await;
+    ///     // ... test archive behavior ...
+    ///     relay.stop().await;
+    /// }
+    /// ```
+    pub async fn start_with_archive_config(archive_all: bool, archive_read_only: bool) -> Self {
+        Self::start_with_archive_and_sync(
+            Self::find_free_port(),
+            None,
+            false,
+            archive_all,
+            archive_read_only,
+        )
+        .await
+    }
+
     /// Start relay with options (internal, maintains backward compatibility)
     async fn start_with_options(port: u16, bootstrap_relay_url: Option<String>) -> Self {
         Self::start_with_full_options(port, bootstrap_relay_url, false).await
@@ -109,6 +146,34 @@ impl TestRelay {
         bootstrap_relay_url: Option<String>,
         disable_negentropy: bool,
     ) -> Self {
+        Self::start_with_archive_and_sync(
+            port,
+            bootstrap_relay_url,
+            disable_negentropy,
+            false,
+            false,
+        )
+        .await
+    }
+
+    /// Start relay with all options including archive configuration and sync
+    ///
+    /// This is the most flexible method for starting a test relay with all options.
+    /// Use this when you need both archive mode AND sync from a bootstrap relay.
+    ///
+    /// # Arguments
+    /// * `port` - Port to bind to
+    /// * `bootstrap_relay_url` - URL of relay to sync from (optional)
+    /// * `disable_negentropy` - Whether to disable NIP-77 negentropy sync
+    /// * `archive_all` - Accept all repository announcements (GRASP-05)
+    /// * `archive_read_only` - Reject git pushes (read-only archive mode)
+    pub async fn start_with_archive_and_sync(
+        port: u16,
+        bootstrap_relay_url: Option<String>,
+        disable_negentropy: bool,
+        archive_all: bool,
+        archive_read_only: bool,
+    ) -> Self {
         let bind_address = format!("127.0.0.1:{}", port);
         let url = format!("ws://127.0.0.1:{}", port);
 
@@ -161,9 +226,26 @@ impl TestRelay {
             cmd.env("NGIT_SYNC_DISABLE_NEGENTROPY", "true");
         }
 
+        // Add archive configuration if requested
+        if archive_all {
+            cmd.env("NGIT_ARCHIVE_ALL", "true");
+        }
+        if archive_read_only {
+            cmd.env("NGIT_ARCHIVE_READ_ONLY", "true");
+        }
+
         let process = cmd.spawn().expect("Failed to start relay process");
 
-        let relay = Self { process, url, port };
+        // Store git data path for test assertions
+        let git_data_path = git_data_dir.path().to_path_buf();
+
+        let relay = Self {
+            process,
+            url,
+            port,
+            _git_data_dir: git_data_dir,
+            git_data_path,
+        };
 
         // Wait for relay to be ready
         relay.wait_for_ready().await;
@@ -181,6 +263,14 @@ impl TestRelay {
         format!("127.0.0.1:{}", self.port)
     }
 
+    /// Get the git data directory path
+    ///
+    /// This is useful for test assertions that need to verify
+    /// git repositories were created correctly.
+    pub fn git_data_path(&self) -> &PathBuf {
+        &self.git_data_path
+    }
+
     /// Wait for the relay to be ready to accept connections
     async fn wait_for_ready(&self) {
         let max_attempts = 50; // 5 seconds total