feat(git): Role-based push permissions with service-bound auth

.gitignore

@@ -36,3 +36,4 @@ typesense-data/
 # Hermit (toolchain manager cache)
 .hermit/
 doc/
+repos/

crates/git-credential-nostr/src/main.rs

@@ -180,10 +180,14 @@ fn main() {
     let method = parse_method(wwwauth)
         .unwrap_or_else(|| fail("server did not include method hint in WWW-Authenticate"));
 
-    // Sign the repo root URL, not the full endpoint URL.
-    // Git's credential helper is invoked once (for info/refs) and the token is reused
-    // for subsequent requests (upload-pack, receive-pack). The server verifies against
-    // the canonical repo root, so we strip endpoint suffixes here.
+    // Sign the repo root URL — strip endpoint suffixes to get the canonical form.
+    //
+    // Git's credential helper is invoked once (for the initial info/refs GET) and the
+    // token is reused for subsequent requests (upload-pack, receive-pack POST). The
+    // server verifies against the bare repo root URL.
+    //
+    // Git's credential protocol does NOT pass query strings in the `path` field, so
+    // we never see `?service=...` here — just the path component.
     let repo_path = path
         .split_once("/info/refs")
         .map(|(prefix, _)| prefix)

crates/sprout-core/src/channel.rs

@@ -96,6 +96,10 @@ impl FromStr for ChannelType {
 // ── Member role ──────────────────────────────────────────────────────────────
 
 /// A member's role within a channel.
+///
+/// The hierarchy for permission checks is: Owner > Admin > Member > Guest.
+/// Bot is a **separate designation** — it is not part of the linear hierarchy.
+/// Use [`MemberRole::permission_level`] for numeric comparisons in authorization.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum MemberRole {
     /// Full control — can manage members and delete the channel.
@@ -106,7 +110,7 @@ pub enum MemberRole {
     Member,
     /// Read-only external participant.
     Guest,
-    /// Automated agent or integration.
+    /// Automated agent or integration (not in the role hierarchy).
     Bot,
 }
 
@@ -126,6 +130,27 @@ impl MemberRole {
     pub fn is_elevated(&self) -> bool {
         matches!(self, Self::Owner | Self::Admin)
     }
+
+    /// Numeric permission level for authorization comparisons.
+    ///
+    /// Higher = more privileged. Bot returns 0 (must use explicit grants).
+    /// Use `role.permission_level() >= required.permission_level()` for checks.
+    pub fn permission_level(self) -> u8 {
+        match self {
+            Self::Owner => 4,
+            Self::Admin => 3,
+            Self::Member => 2,
+            Self::Guest => 1,
+            Self::Bot => 0,
+        }
+    }
+
+    /// Returns true if this role meets or exceeds the required role's permission level.
+    ///
+    /// Bot never meets any requirement (returns false for all non-Bot requirements).
+    pub fn has_at_least(self, required: MemberRole) -> bool {
+        self.permission_level() >= required.permission_level()
+    }
 }
 
 impl fmt::Display for MemberRole {