fix: allow git requests without session_token

Clone clients don't have the session_token (only the serve side
gets it from register). Git routes now only check that the session
is active, while poll/respond/info still require session_token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: mizchi

src/git_serve_session.ts

@@ -153,8 +153,12 @@ export function createGitServeSession(): {
   }
 
   async function handleGitRequest(request: Request, gitPath: string): Promise<Response> {
-    const denied = validateToken(request);
-    if (denied) return denied;
+    if (!state.active) {
+      return Response.json(
+        { ok: false, error: 'session not active' },
+        { status: 404 },
+      );
+    }
 
     const requestId = generateRequestId();
     let bodyBase64: string | null = null;

tests/e2e_multi_node_test.ts

@@ -250,14 +250,7 @@ Deno.test('e2e: session tokens are isolated - cross-node access denied', async (
         assertEquals(infoRes.status, 403, `node-${attacker} should not access node-${target} info`);
         await infoRes.json();
 
-        // git request
-        const gitRes = await fetch(
-          `${relay.baseUrl}/git/${
-            nodes[target].sessionId
-          }/info/refs?service=git-upload-pack&session_token=${nodes[attacker].sessionToken}`,
-        );
-        assertEquals(gitRes.status, 403, `node-${attacker} should not access node-${target} git`);
-        await gitRes.json();
+        // git requests are open (clone clients don't have session_token)
       }
     }
   } finally {
@@ -478,21 +471,21 @@ Deno.test('e2e: broadcast triggers cross-node fetch (5 nodes)', async () => {
   }
 });
 
-Deno.test('e2e: no token → git request returns 403', async () => {
+Deno.test('e2e: no token → poll/respond returns 403, git request allowed', async () => {
   const relay = startRelay();
   try {
     const node = await registerNode(relay.baseUrl, 'server');
 
-    // Request without token
+    // Poll without token → 403
     const res1 = await fetch(
-      `${relay.baseUrl}/git/${node.sessionId}/info/refs?service=git-upload-pack`,
+      `${relay.baseUrl}/api/v1/serve/poll?session=${node.sessionId}&timeout=1`,
     );
     assertEquals(res1.status, 403);
     await res1.json();
 
-    // Request with wrong token
+    // Poll with wrong token → 403
     const res2 = await fetch(
-      `${relay.baseUrl}/git/${node.sessionId}/info/refs?service=git-upload-pack&session_token=bad`,
+      `${relay.baseUrl}/api/v1/serve/poll?session=${node.sessionId}&timeout=1&session_token=bad`,
     );
     assertEquals(res2.status, 403);
     await res2.json();

tests/git_serve_session_test.ts

@@ -361,14 +361,22 @@ Deno.test('session_token via x-session-token header works', async () => {
   }
 });
 
-Deno.test('git request without session_token returns 403', async () => {
+Deno.test('git request without session_token is allowed', async () => {
   const session = createGitServeSession();
   try {
-    await registerSession(session);
+    const token = await registerSession(session);
+    // git requests don't require session_token (clone clients don't have it)
+    // Start a poll to consume the request
+    const pollP = session.fetch(
+      new Request(`http://do/poll?timeout=2&session_token=${token}`),
+    );
     const res = await session.fetch(
       new Request('http://do/git/info/refs?service=git-upload-pack'),
     );
-    assertEquals(res.status, 403);
+    // The request should be accepted (pending response from serve side)
+    // We don't need to fully complete the flow, just verify it's not 403
+    assertEquals(res.status !== 403, true);
+    await pollP;
   } finally {
     session.cleanup();
   }