Commit graph

20 commits

Author SHA1 Message Date
Snider
175701fc93 fix(security): lock refreshMarketplace to canonical index path, isolate HOME in iter test
- pkg/api/provider.go: remove refreshRequest struct and filepath-based
  sanitisation; always load marketplace/index.json via a package-level
  const so callers cannot influence which file is read (path traversal fix)
- forge/orgs_test.go: add t.Setenv("HOME", t.TempDir()) to
  TestClient_ListMyOrgsIter_Bad_ServerError to prevent config bleed
  between test runs

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 11:30:04 +01:00
Snider
913b8fc960 fix(review): address CodeRabbit PR #2 round-2 findings
- manifest/compile.go: apply opts.Version override before empty-version check
  so version can be supplied via CompileOptions even when manifest has none
- manifest/compile.go: fix import grouping (stdlib before internal)
- pkg/api/provider.go: propagate c.Request.Context() into Install/Update calls
  so client disconnects cancel long-running operations
- pkg/api/provider.go: guard refreshMarketplace against path traversal; suppress
  raw filesystem errors from HTTP response
- pkg/api/provider.go: normalise typed-nil installer in NewProvider to prevent
  nil-pointer panics from non-nil interface holding nil pointer
- jobrunner/journal.go: upgrade sync.Mutex to sync.RWMutex; Query uses RLock
  for concurrent read throughput
- jobrunner/journal.go: use bytes.NewReader(data) instead of
  strings.NewReader(string(data)) to avoid double allocation
- jobrunner/journal.go: fix import grouping (stdlib before internal)
- internal/ax/stringsx/stringsx.go: fix Builder alias to strings.Builder
  (was bytes.Buffer — different copy-after-write semantics)
- internal/ax/stringsx/stringsx.go: fix NewReader to return *strings.Reader
- internal/ax/stringsx/stringsx.go: make SplitSeq lazy (no upfront []string)
- internal/ax/stringsx/stringsx.go: remove bytes import; use stdlib strings
  for ContainsAny, EqualFold, LastIndex
- gitea/client.go: fix import grouping (internal before third-party)
- gitea/prs.go: fix import grouping (internal before third-party)
- forge/labels.go: fix import grouping (internal before third-party)
- cmd/gitea/cmd_sync.go: move exec (golang.org/x/sys/execabs) to third-party
  import group
- forge/orgs_test.go: add t.Setenv("HOME", t.TempDir()) for config isolation
- forge/orgs_test.go: rename *_Bad_ServerError_Good → *_Bad_ServerError
- gitea/repos_test.go: add HOME isolation to CreateMirrorFromService test

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 10:29:22 +01:00
Snider
f3dd8ca0f0 fix(review): address CodeRabbit PR #2 findings
Critical/Major:
- Remove dead functions syncRepoNameFromArg and repoNameFromArg (used url pkg without import, would cause compile error)
- Migrate forge.lthn.ai/core/config → dappco.re/go/core/config in forge/config.go and gitea/config.go
- Propagate ListIssueCommentsIter errors in forge/meta.go and gitea/meta.go (was silently returning truncated count)
- Add RedactedToken() to gitea/client.go to avoid exposing raw API tokens
- Add 30s timeout to http.DefaultClient usage in gitea/prs.go via package-level httpClient
- Fix stringsx.Fields (bufio 64KiB limit), Repeat (wrong for negative/zero), Replace (ignored n param) to match stdlib
- Fix fmtx.Println to use fmt.Sprintln so spaces appear between operands
- Fix filepathx.Abs to use path/filepath for OS-aware path handling; wrap Getwd error
- Fix stdio.Write to return io.ErrShortWrite on partial writes
- Add mutex lock to jobrunner.Journal.Query to prevent data race with Append
- Add sync.RWMutex to ScmProvider; protect p.index reads/writes in pkg/api/provider.go
- Fix cmd/scm/cmd_index.go: append dir to repoPaths only after ReadDir confirms existence
- Fix manifest/compile.go: copy manifest before applying version override to avoid mutating caller
- Fix forge/labels.go: use ListOrgLabelsIter/ListRepoLabelsIter names in iterator error logs
- Wrap single-segment validation error in syncutil.ParseRepoName with function context

Minor:
- Fix import ordering (stdlib → forge.lthn.ai → third-party) in cmd/forge, cmd/collect, repos, cmd/gitea files
- Add t.Setenv("HOME", t.TempDir()) to gitea testhelpers and forge/labels_test.go
- Add iterator yield guard in forge/orgs_test.go
- Convert syncutil/repo_name_test.go to table-driven tests
- Use json.Marshal in pkg/api/provider_test.go instead of string concatenation
- Fix test naming (redundant/conflicting _Good/_Bad suffixes) across 10 test files

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 09:25:42 +01:00
Snider
e5e6698662 Merge github/main into dev — resolve module path conflicts
Keep dappco.re module paths throughout; github/main had stale forge.lthn.ai
paths in go.mod and several source files. All conflicts resolved in favour of
dev (HEAD): AX-pattern aliased imports, SecureSSHCommandContext, syncutil,
and _Good test naming convention.

Note: go mod tidy fails — dappco.re/go/core/cli@v0.3.7 and
dappco.re/go/core/config@v0.1.8 tags still declare forge.lthn.ai module
paths. New tags with correct dappco.re paths are needed on both repos
before tidy will succeed.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-07 08:42:34 +01:00
Virgil
25667064ca fix(pkg/api): emit installed change events
Some checks failed
Security Scan / security (push) Failing after 19s
Test / test (push) Failing after 2m0s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-02 14:00:53 +00:00
Virgil
c303abbd95 refactor(marketplace): use medium for index writes
Some checks failed
Security Scan / security (push) Failing after 16s
Test / test (push) Successful in 2m24s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-02 13:22:14 +00:00
Virgil
5a561690be feat(ui): polish scm agent views
Some checks failed
Test / test (push) Waiting to run
Security Scan / security (push) Failing after 14s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-02 07:04:25 +00:00
Virgil
32e65b8b43 feat(ui): refresh scm views from live events
Some checks failed
Security Scan / security (push) Failing after 13s
Test / test (push) Successful in 2m20s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-02 06:58:47 +00:00
Virgil
6233664c5d fix(pkg/api): combine marketplace query and category filters
Some checks failed
Security Scan / security (push) Failing after 9s
Test / test (push) Successful in 2m9s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-01 06:40:27 +00:00
Virgil
369103f8dc feat(pkg/api): list registry repos in dependency order
Some checks failed
Security Scan / security (push) Failing after 10s
Test / test (push) Successful in 2m8s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-01 06:32:16 +00:00
Virgil
82c25469e8 feat(pkg/api): refresh marketplace index
Some checks failed
Security Scan / security (push) Failing after 12s
Test / test (push) Successful in 1m55s
Add marketplace index loading and a provider endpoint to refresh the in-memory catalogue from index.json.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-04-01 05:41:05 +00:00
Virgil
a0fac1341b chore(ax): add usage docs to exported APIs
Some checks failed
Security Scan / security (push) Failing after 10s
Test / test (push) Successful in 2m11s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-30 14:11:15 +00:00
Virgil
dd59b177c6 chore(ax): normalise test naming and usage annotations
Some checks failed
Security Scan / security (push) Failing after 10s
Test / test (push) Successful in 2m2s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-30 06:37:20 +00:00
Virgil
c42cc4a6ce chore(ax): gofmt exported declaration comments
Some checks failed
Security Scan / security (push) Failing after 10s
Test / test (push) Successful in 2m4s
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-30 05:44:09 +00:00
Virgil
305aa0da6f chore(ax): normalize SPDX header identifier
Some checks failed
Security Scan / security (push) Failing after 8s
Test / test (push) Successful in 4m12s
2026-03-30 00:54:20 +00:00
Virgil
d5f98c1341 refactor(ax): align code with AX principles
Some checks failed
Security Scan / security (push) Failing after 10s
Test / test (push) Failing after 25s
2026-03-29 23:59:48 +00:00
Virgil
ae0677a046 fix(security): harden installer, marketplace, and sync path handling
Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-23 14:32:11 +00:00
Claude
2dcb86738a chore: migrate to dappco.re vanity import path
Some checks failed
Security Scan / security (push) Failing after 8s
Test / test (push) Failing after 22s
Change module path from forge.lthn.ai/core/go-scm to dappco.re/go/core/scm.
Update all Go source imports for migrated packages:
- go-log  -> dappco.re/go/core/log
- go-io   -> dappco.re/go/core/io
- go-i18n -> dappco.re/go/core/i18n
- go-ws   -> dappco.re/go/core/ws
- api     -> dappco.re/go/core/api

Non-migrated packages (cli, config) left on forge.lthn.ai paths.
Replace directives use local paths (../go, ../go-io, etc.) until the
dappco.re vanity URL server resolves these modules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 23:54:23 +00:00
Snider
10c9e23e04 fix(dx): repair build, update CLAUDE.md, add tests for untested paths
Some checks failed
Security Scan / security (pull_request) Failing after 9s
Test / test (pull_request) Successful in 1m44s
- Fix cmd/forge build failure: remove extra locales.FS arg from
  RegisterCommands (signature takes single CommandRegistration)
- Update CLAUDE.md error handling section to document coreerr.E()
  pattern (was outdated log.E/fmt.Errorf reference)
- Add security_test.go for agentci: SanitizePath, EscapeShellArg,
  SecureSSHCommand, MaskToken (coverage 56% → 68%)
- Add provider_handlers_test.go for pkg/api: category filter, nil
  guards, manifest/verify/sign bad requests (coverage 31% → 52%)
- Audit confirms: no fmt.Errorf or os.ReadFile/WriteFile in production
  code (only in test files)

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-17 08:49:55 +00:00
Snider
81deee8598 feat(api): add SCM service provider with Lit custom elements
Some checks failed
Security Scan / security (push) Failing after 7s
Test / test (push) Failing after 1m16s
ScmProvider implements Provider + Streamable + Describable + Renderable,
wrapping marketplace, manifest, installed, and registry endpoints as REST
API with WS event streaming. Includes Lit custom element bundle with
panel, marketplace browser, manifest viewer, installed manager, and
registry status display. All 14 tests pass.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-03-14 10:42:37 +00:00