Commit graph

8 commits

Author SHA1 Message Date
Snider
175701fc93 fix(security): lock refreshMarketplace to canonical index path, isolate HOME in iter test
- pkg/api/provider.go: remove refreshRequest struct and filepath-based
  sanitisation; always load marketplace/index.json via a package-level
  const so callers cannot influence which file is read (path traversal fix)
- forge/orgs_test.go: add t.Setenv("HOME", t.TempDir()) to
  TestClient_ListMyOrgsIter_Bad_ServerError to prevent config bleed
  between test runs

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 11:30:04 +01:00
Snider
913b8fc960 fix(review): address CodeRabbit PR #2 round-2 findings
- manifest/compile.go: apply opts.Version override before empty-version check
  so version can be supplied via CompileOptions even when manifest has none
- manifest/compile.go: fix import grouping (stdlib before internal)
- pkg/api/provider.go: propagate c.Request.Context() into Install/Update calls
  so client disconnects cancel long-running operations
- pkg/api/provider.go: guard refreshMarketplace against path traversal; suppress
  raw filesystem errors from HTTP response
- pkg/api/provider.go: normalise typed-nil installer in NewProvider to prevent
  nil-pointer panics from non-nil interface holding nil pointer
- jobrunner/journal.go: upgrade sync.Mutex to sync.RWMutex; Query uses RLock
  for concurrent read throughput
- jobrunner/journal.go: use bytes.NewReader(data) instead of
  strings.NewReader(string(data)) to avoid double allocation
- jobrunner/journal.go: fix import grouping (stdlib before internal)
- internal/ax/stringsx/stringsx.go: fix Builder alias to strings.Builder
  (was bytes.Buffer — different copy-after-write semantics)
- internal/ax/stringsx/stringsx.go: fix NewReader to return *strings.Reader
- internal/ax/stringsx/stringsx.go: make SplitSeq lazy (no upfront []string)
- internal/ax/stringsx/stringsx.go: remove bytes import; use stdlib strings
  for ContainsAny, EqualFold, LastIndex
- gitea/client.go: fix import grouping (internal before third-party)
- gitea/prs.go: fix import grouping (internal before third-party)
- forge/labels.go: fix import grouping (internal before third-party)
- cmd/gitea/cmd_sync.go: move exec (golang.org/x/sys/execabs) to third-party
  import group
- forge/orgs_test.go: add t.Setenv("HOME", t.TempDir()) for config isolation
- forge/orgs_test.go: rename *_Bad_ServerError_Good → *_Bad_ServerError
- gitea/repos_test.go: add HOME isolation to CreateMirrorFromService test

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 10:29:22 +01:00
Snider
f3dd8ca0f0 fix(review): address CodeRabbit PR #2 findings
Critical/Major:
- Remove dead functions syncRepoNameFromArg and repoNameFromArg (used url pkg without import, would cause compile error)
- Migrate forge.lthn.ai/core/config → dappco.re/go/core/config in forge/config.go and gitea/config.go
- Propagate ListIssueCommentsIter errors in forge/meta.go and gitea/meta.go (was silently returning truncated count)
- Add RedactedToken() to gitea/client.go to avoid exposing raw API tokens
- Add 30s timeout to http.DefaultClient usage in gitea/prs.go via package-level httpClient
- Fix stringsx.Fields (bufio 64KiB limit), Repeat (wrong for negative/zero), Replace (ignored n param) to match stdlib
- Fix fmtx.Println to use fmt.Sprintln so spaces appear between operands
- Fix filepathx.Abs to use path/filepath for OS-aware path handling; wrap Getwd error
- Fix stdio.Write to return io.ErrShortWrite on partial writes
- Add mutex lock to jobrunner.Journal.Query to prevent data race with Append
- Add sync.RWMutex to ScmProvider; protect p.index reads/writes in pkg/api/provider.go
- Fix cmd/scm/cmd_index.go: append dir to repoPaths only after ReadDir confirms existence
- Fix manifest/compile.go: copy manifest before applying version override to avoid mutating caller
- Fix forge/labels.go: use ListOrgLabelsIter/ListRepoLabelsIter names in iterator error logs
- Wrap single-segment validation error in syncutil.ParseRepoName with function context

Minor:
- Fix import ordering (stdlib → forge.lthn.ai → third-party) in cmd/forge, cmd/collect, repos, cmd/gitea files
- Add t.Setenv("HOME", t.TempDir()) to gitea testhelpers and forge/labels_test.go
- Add iterator yield guard in forge/orgs_test.go
- Convert syncutil/repo_name_test.go to table-driven tests
- Use json.Marshal in pkg/api/provider_test.go instead of string concatenation
- Fix test naming (redundant/conflicting _Good/_Bad suffixes) across 10 test files

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 09:25:42 +01:00
Virgil
d852087c45 feat(forge): add org iterator
Some checks failed
Security Scan / security (push) Failing after 11s
Test / test (push) Successful in 2m16s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-01 08:47:55 +00:00
Virgil
dd59b177c6 chore(ax): normalise test naming and usage annotations
Some checks failed
Security Scan / security (push) Failing after 10s
Test / test (push) Successful in 2m2s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-30 06:37:20 +00:00
Virgil
305aa0da6f chore(ax): normalize SPDX header identifier
Some checks failed
Security Scan / security (push) Failing after 8s
Test / test (push) Successful in 4m12s
2026-03-30 00:54:20 +00:00
Virgil
5f73d41184 chore(ax): add SPDX headers to remaining Go files
Some checks failed
Security Scan / security (push) Failing after 15s
Test / test (push) Failing after 29s
2026-03-30 00:19:43 +00:00
Claude
9db37c6fb3 test: add comprehensive unit tests for forge/, gitea/, git/, agentci/
Phase 1 test coverage for the three 0% packages plus agentci/ improvement:

- git/ (0% -> 79.5%): RepoStatus methods, status parsing with real temp
  repos, multi-repo parallel status, Push/Pull error paths, ahead/behind
  with bare remote, context cancellation, GitError, IsNonFastForward,
  service DirtyRepos/AheadRepos filtering

- forge/ (0% -> 91.2%): All SDK wrapper functions tested via httptest mock
  server — client creation, repos, issues, PRs, labels, webhooks, orgs,
  meta, config resolution, SetPRDraft raw HTTP endpoint

- gitea/ (0% -> 89.2%): All SDK wrapper functions tested via httptest mock
  server — client creation, repos, issues, PRs, meta, config resolution

- agentci/ (56% -> 94.5%): Clotho DeterminePlan all code paths, security
  helpers (SanitizePath, EscapeShellArg, SecureSSHCommand, MaskToken)

Key findings documented in FINDINGS.md:
- Forgejo SDK validates token via HTTP on NewClient()
- SDK route patterns differ from public API docs (/org/ vs /orgs/)
- Gitea SDK requires auth token for GitHub mirror creation
- Config resolution priority verified: config file < env vars < flags

Co-Authored-By: Charon <developers@lethean.io>
2026-02-20 00:59:46 +00:00