docs: justify postgres behaviors by backend parity, not the issue

Review feedback on #1532: the codebase is the source of truth, so
comments should argue from the existing mongo/NeDB behavior rather
than cite the originating issue. Drops the stale repo_users TODO
(implemented on a follow-up branch) and the issue references in code
comments, CI config and test names.

Author: dcoric

.github/workflows/ci.yml

@@ -22,10 +22,9 @@ jobs:
         node-version: [22.x, 24.x]
         mongodb-version: ['6.0', '7.0', '8.0']
 
-    # PostgreSQL service container for the postgres integration tests added in
-    # issue #1497. A single version (postgres:16) is sufficient for the initial
-    # CI lane per the issue's "Open Questions"; a broader version matrix can
-    # follow later.
+    # PostgreSQL service container for the postgres integration tests. A
+    # single version (postgres:16) keeps the lane fast; a broader version
+    # matrix can follow later if needed.
     services:
       postgres:
         image: postgres:16

src/db/postgres/helper.ts

@@ -130,8 +130,7 @@ export const resetConnection = async (): Promise<void> => {
  * IMPORTANT: this function MUST NOT silently return undefined when Postgres is
  * the active sink — that would cause express-session to fall back to its
  * default in-memory store, which loses sessions on every restart and is unsafe
- * in any multi-process deployment. Issue #1497 calls this out as a must-fix
- * requirement, so we throw loudly instead.
+ * in any multi-process deployment. Throw loudly instead.
  */
 export const getSessionStore = (): Store => {
   const connectionString = getDatabase().connectionString;

src/db/postgres/repo.ts

@@ -14,11 +14,6 @@
  * limitations under the License.
  */
 
-// TODO(#1497-followup): consider normalizing repo permissions into a
-// repo_users(repo_id, user, role) join table. JSONB is used for v1 to
-// match the mongo/fs shape and minimize migration churn — the issue
-// flags this as an open question for a follow-up PR.
-
 import { Repo, RepoQuery } from '../types';
 import { query } from './helper';
 
@@ -100,9 +95,6 @@ export const createRepo = async (repo: Repo): Promise<Repo> => {
  * Append a user to one of the JSONB permission arrays. The query is a
  * read-modify-write that deduplicates the value, then re-serialises the array
  * so the stored shape matches the existing mongo/fs backends exactly.
- *
- * Crucially: when the last user is later removed, the array stays `[]` rather
- * than collapsing to `null` — issue #1497 explicitly requires this.
  */
 const addUserToRole = async (
   _id: string,
@@ -137,8 +129,7 @@ const removeUserFromRole = async (
   role: 'canPush' | 'canAuthorise',
 ): Promise<void> => {
   const lowered = user.toLowerCase();
-  // The filter expression evaluates to `[]` if the last matching user is
-  // removed — preserving the empty-array invariant from issue #1497.
+  // The filter evaluates to `[]` if the last matching user is removed
   await query(
     `UPDATE repos
         SET users = jsonb_set(

src/service/index.ts

@@ -137,8 +137,7 @@ const corsOptions: cors.CorsOptions = {
 // Backend sink types that promise a persistent session store. If one of these
 // is active and getSessionStore() returns undefined, express-session would
 // silently fall back to MemoryStore — which loses sessions on restart and is
-// unsafe in any multi-process deployment. Issue #1497 calls this out as a
-// must-fix requirement, so we throw loudly instead.
+// unsafe in any multi-process deployment. Throw loudly instead.
 const PERSISTENT_SESSION_BACKENDS = new Set(['mongo', 'postgres']);
 
 async function createApp(proxy: Proxy): Promise<Express> {

test/db/postgres/pushes.integration.test.ts

@@ -145,7 +145,7 @@ describe.runIf(shouldRunPostgresTests)('PostgreSQL Pushes Integration Tests', ()
       );
     });
 
-    it('orders pushes by timestamp DESC (issue #1497 must-fix)', async () => {
+    it('orders pushes by timestamp DESC', async () => {
       const result = await getPushes({});
       const ids = result.map((p) => p.id);
       expect(ids).toEqual(['push-authorised', 'push-b', 'push-a']);

test/db/postgres/repo.integration.test.ts

@@ -94,7 +94,7 @@ describe.runIf(shouldRunPostgresTests)('PostgreSQL Repo Integration Tests', () =
     });
   });
 
-  describe('permission JSONB — issue #1497 must-fix', () => {
+  describe('permission JSONB', () => {
     it('starts with empty arrays', async () => {
       const created = await createRepo(
         createTestRepo({ name: 'perm-start', url: 'https://example.com/ps.git' }),
@@ -127,7 +127,7 @@ describe.runIf(shouldRunPostgresTests)('PostgreSQL Repo Integration Tests', () =
       await removeUserCanPush(id, 'bob');
 
       const fromDb = await getRepoById(id);
-      // This is the core invariant from issue #1497.
+      // Same behavior as Mongo and NeDB
       expect(fromDb?.users.canPush).toEqual([]);
       expect(fromDb?.users.canPush).not.toBeNull();
     });

test/db/postgres/repo.test.ts

@@ -157,7 +157,7 @@ describe('PostgreSQL - Repo', async () => {
     });
   });
 
-  describe('add/remove user — empty array invariant (issue #1497)', () => {
+  describe('add/remove user — empty array invariant', () => {
     it('lower-cases user on add', async () => {
       mockQuery.mockResolvedValue({ rowCount: 1, rows: [] });
       await addUserCanPush('r-1', 'Bob');