feat(pm): add native-git BFS resolution (2/3)

[killagu]

Summary

Split from #2603 — Part 2 of 3 for git dependency resolution. Depends on #2622.

• Add resolver/git.rs with full gix clone implementation + BFS resolver
• Add GIT_CLONE_CACHE with tokio::sync::OnceCell for concurrent clone dedup
• Add native-git feature flag (gix + tempfile optional deps)
• Route non-registry specs through git resolver in BFS process_dependency
• Add BuildDepsConfig.cache_dir with builder pattern

Key implementation details

• clone_repo (async) wraps clone_repo_blocking via spawn_blocking
• resolve_non_registry_dep, build_manifest_from_git_cache live in resolver/ (not traits/) per module boundary convention
• build_manifest_from_git_cache uses tokio::fs::read_to_string (non-blocking I/O)
• BuildDepsOptions::new() preserved — no public API removal
• Step comments in service/api.rs unchanged

Cache layout

Git packages: <cache_dir>/<name>/<commit_sha>/ — same <name>/<key>/ layout as registry tarballs, so utoo clean works uniformly.

Test plan

• cargo check -p utoo-ruborist passes (no feature)
• cargo check -p utoo-ruborist --features native-git passes
• cargo test -p utoo-ruborist — all tests pass
• Verify OnceMap dedup under concurrent BFS load

Part of git dependency resolution: #2622 → PR2 → #2603-pr3

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello @killagu, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances ruborist's dependency resolution capabilities by introducing native Git support. It enables the resolver to fetch and process packages directly from Git repositories, including GitHub, by leveraging the gix library. The changes include a new feature flag to make this functionality optional, a dedicated module for Git operations with built-in caching for efficiency, and updates to the core dependency processing logic to seamlessly integrate Git-based packages alongside registry packages. This is a crucial step in expanding ruborist's ability to handle diverse package sources.

Highlights

• Native Git Resolution: Introduced a native-git feature flag to enable Git dependency resolution using the gix library.
• Git Resolver Module: Added a new resolver/git.rs module containing the core logic for cloning Git repositories and resolving Git-based package specifications.
• Concurrent Clone Deduplication: Implemented GIT_CLONE_CACHE using tokio::sync::OnceCell to prevent redundant concurrent Git clone operations for the same repository.
• Configurable Git Cache Directory: Extended BuildDepsConfig with a cache_dir option, allowing users to specify the location for caching Git repositories.
• BFS Integration: Modified the Breadth-First Search (BFS) process_dependency logic to route non-registry package specifications (e.g., git+https://, github:) through the new Git resolver.

Changelog

• crates/ruborist/Cargo.toml
  • Added gix and tempfile as optional dependencies.
  • Defined a native-git feature that enables gix and tempfile.
• crates/ruborist/src/lib.rs
  • Exported clone_repo from the new resolver::git module, conditional on the native-git feature.
• crates/ruborist/src/resolver/builder.rs
  • Introduced conditional compilation for resolve_non_registry_dep, providing a real implementation when native-git is enabled and a stub otherwise.
  • Added cache_dir: Option<PathBuf> to BuildDepsConfig and its Default implementation.
  • Implemented with_cache_dir builder method for BuildDepsConfig.
  • Updated gather_preload_deps to use is_non_registry_spec for identifying non-registry dependencies.
  • Refactored process_dependency to accept &BuildDepsConfig instead of a boolean legacy_peer_deps.
  • Modified process_dependency to check if a spec is non-registry and, if so, route it through resolve_non_registry_dep.
  • Adjusted calls to add_edges_from and run_bfs_phase to pass the BuildDepsConfig or its relevant fields.
• crates/ruborist/src/resolver/git.rs
  • Added a new module containing the core logic for Git cloning and resolution.
  • Implemented GIT_CLONE_CACHE for deduplicating concurrent clone operations.
  • Provided helper functions for GitHub authentication token injection, package.json parsing from Git trees, and recursive tree extraction.
  • Defined clone_repo_blocking for the actual gix-based cloning and caching.
  • Exposed clone_repo as an async public API for Git cloning.
  • Implemented resolve_non_registry_dep to parse Git specs, clone repositories, and build VersionManifest from cached package.json.
  • Included build_manifest_from_git_cache for creating manifests from cached Git packages.
• crates/ruborist/src/resolver/mod.rs
  • Added pub mod git; conditionally compiled with the native-git feature.
• crates/ruborist/src/resolver/registry.rs
  • Updated the ResolveError::Git enum variant to store both url and message for more detailed error reporting.
• crates/ruborist/src/service/api.rs
  • Modified the build_deps_with_config function to pass the cache_dir to the BuildDepsConfig.

Activity

• This pull request is the second part of a three-part series for Git dependency resolution, following feat(pm): add git protocol spec parsing (1/3) #2622 and preceding feat(pm): internalize git dependency resolution into ruborist #2603-pr3.
• All cargo check and cargo test commands for the utoo-ruborist crate (with and without the native-git feature) have passed.
• Verification of OnceMap deduplication under concurrent BFS load is a pending test plan item.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces native git dependency resolution using the gix crate, gated behind a native-git feature flag. The implementation includes a new resolver/git.rs module with logic for cloning, caching, and resolving git dependencies. The changes are well-structured, with a clear separation of concerns between blocking git operations and the async resolver logic. The use of tokio::sync::OnceCell for deduplicating concurrent clones is a good approach. My feedback focuses on improving the robustness of error handling in the new git resolver by propagating errors instead of silently ignoring them, and refining error messages for clarity.

[gemini-code-assist]

Silently ignoring the error from set_permissions with .ok() could lead to unexpected behavior if the executable bit is not set correctly on systems where it matters. It's better to propagate the error to make the cloning process more robust and debuggable.

Suggested change

	std::fs::set_permissions(&entry_path, perms).ok();
	std::fs::set_permissions(&entry_path, perms)?;

[gemini-code-assist]

Silently ignoring the error from symlink with .ok() could hide issues like lack of filesystem support or permission errors. It's better to propagate the error to ensure the cached package is a faithful representation of the git tree.

Suggested change

	std::os::unix::fs::symlink(target, &entry_path).ok();
	std::os::unix::fs::symlink(target, &entry_path)?;

[gemini-code-assist]

Silently ignoring the error from remove_dir_all with .ok() could hide underlying problems, such as file permission issues in the cache directory. This might lead to subsequent, harder-to-debug failures during extraction. It would be better to propagate the error.

Suggested change

	std::fs::remove_dir_all(&package_dir).ok();
	std::fs::remove_dir_all(&package_dir)?;

[gemini-code-assist]

The error message "git resolver task panicked" is not entirely accurate. A JoinError from tokio::task::spawn_blocking can occur if the task is cancelled, not just when it panics. A more general message would be more appropriate.

Suggested change

	.context("git resolver task panicked")?
	.context("git resolver task failed")?

[Copilot]

Pull request overview

This PR adds a native-git-gated, gix-powered git clone backend and wires non-registry dependency specs into the BFS resolver, using a shared clone-dedup cache and a configurable cache directory to persist git checkouts alongside registry tarball cache layout.

Changes:

• Introduce resolver/git.rs (clone + cache + git/GitHub spec resolution) behind the native-git feature flag.
• Route non-registry specs through the git resolver during BFS dependency processing, and add BuildDepsConfig.cache_dir.
• Add optional gix/tempfile dependencies and re-export clone_repo (feature-gated) from the crate.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
crates/ruborist/src/service/api.rs	Passes cache_dir into BuildDepsConfig for git clone caching.
crates/ruborist/src/resolver/registry.rs	Refines ResolveError::Git to include { url, message } for better error reporting.
crates/ruborist/src/resolver/mod.rs	Adds the new git resolver module under cfg(feature = "native-git").
crates/ruborist/src/resolver/git.rs	Implements gix-based cloning, cache extraction, dedup via OnceCell, and manifest building from cached package.json.
crates/ruborist/src/resolver/builder.rs	Adds cache_dir to config and routes non-registry specs through git resolution in BFS.
crates/ruborist/src/lib.rs	Re-exports clone_repo under native-git.
crates/ruborist/Cargo.toml	Adds native-git feature and optional deps (gix, tempfile).

[Copilot]

If an existing package_dir is present, remove_dir_all errors are ignored (.ok()). If removal fails (permissions, locks, partial state), the subsequent extraction can leave a corrupted cache directory. Consider propagating the error (or at least logging and bailing) so callers don't proceed with a potentially inconsistent cache entry.

Suggested change

	std::fs::remove_dir_all(&package_dir).ok();
	std::fs::remove_dir_all(&package_dir).with_context(|| {
	format!(
	"failed to remove existing git package cache directory: {}",
	package_dir.display()
	)
	})?;

[Copilot]

ResolvedPackage.name is set to dep_name, whereas registry resolution returns the package's canonical name from the manifest. For consistency (and to avoid surprising downstream consumers of ResolvedPackage), consider setting ResolvedPackage.name to result.name (the package.json name) and treating dep_name purely as the edge/install name handled by the graph.

Suggested change

	name: dep_name.to_string(),
	name: result.name,

[Copilot]

is_non_registry_spec() includes local specs (file:/link:/workspace:/portal:). Routing all of these through resolve_non_registry_dep will currently bail as "Unsupported non-registry spec" and then be surfaced as ResolveError::Git, breaking valid workspace/local dependency specs. Consider narrowing the routing condition to only git-like specs (git+, git://, github:) or parsing with PackageSpec::parse() and only invoking the git resolver for PackageSpec::Git|GitHub; local specs should be handled separately (e.g., resolved to workspace/link nodes or skipped).

[Copilot]

There are existing async tests in this file, but none cover the new non-registry routing logic in process_dependency (git spec -> git resolver, optional non-registry failures -> skipped, non-optional failures -> ResolveError::Git). Adding targeted tests here would help prevent regressions (including the stubbed behavior when native-git is disabled).

[Copilot]

The clone dedup key is computed from the raw url (format!("{}#{}", url, ...)) but the actual clone uses clone_url with the git+ prefix stripped. This means callers using logically equivalent URLs (with vs without git+) won't dedup, and (more importantly) the key does not include cache_dir, so two callers using different cache roots in the same process can incorrectly share a cached result and receive a cache_path in the wrong directory. Consider canonicalizing the URL used for the key (strip git+, normalize) and including cache_dir (or otherwise scoping the cache per cache root).

[Copilot]

clone_repo_blocking always configures a shallow fetch with depth 1, but the code path for a full 40-hex commit_ish just constructs an ObjectId and then immediately tries to look it up in the repo. For non-HEAD commits this object typically won't be present in a depth-1 fetch, so resolving by full SHA will fail deterministically. Consider fetching the specific commit (or disabling shallow / increasing depth) when commit_ish is a full SHA, or otherwise documenting that only refs (branch/tag) are supported with shallow cloning.

[Copilot]

package_dir is derived from the repo's package.json name and joined directly onto cache_dir. Since this value comes from untrusted content, a malicious package name containing path traversal (e.g. .. segments or platform separators) could escape the intended cache root and write files outside cache_dir. Consider validating/sanitizing the package name (e.g. enforce npm package name rules and reject .., absolute paths, Windows prefixes) before using it as a filesystem path component.

[killagu]

Code Guard Review

审查维度：类型建模、命名语义、match 穷举性、废弃策略、错误消息质量、项目约定。

---

🔴 Must Fix (3 项)

1. process_dependency 中 enum 分类重复实现 — builder.rs

process_dependency 用 matches! 探针对 PackageSpec 变体做路由，而不是直接 exhaustive match。每新增一个 PackageSpec 变体（如 HttpTarball），编译器不会在路由处报错，只会悄悄走 registry 路径。

// 现在（有问题）:
let resolved = if matches!(
    crate::model::spec::PackageSpec::parse(&edge_info.spec),
    crate::model::spec::PackageSpec::Git { .. }
        | crate::model::spec::PackageSpec::GitHub { .. }
) { ... } else { ... };

// 修改后 — parse 一次，exhaustive match:
let resolved: ResolvedPackage = match PackageSpec::parse(&edge_info.spec) {
    PackageSpec::Git { .. } | PackageSpec::GitHub { .. } => {
        resolve_non_registry_dep(cache_dir, &edge_info.name, &edge_info.spec).await
            .map_err(|e| ResolveError::Git {
                url: edge_info.spec.clone(),
                message: e.to_string(),
            })?
    }
    PackageSpec::Registry { .. } => {
        match resolve_dependency(registry, &edge_info.name, &edge_info.spec, &edge_info.edge_type).await? {
            Some(r) => r,
            None => return Ok(ProcessResult::Skipped),
        }
    }
    // 编译器强制穷举：新增变体 = 编译错误，而不是 runtime 静默误判
};

2. is_non_registry_spec 遗漏 HTTP tarball — preload.rs

is_non_registry_spec 遗漏了 https://*.tgz 格式，导致 HTTP tarball 依赖会被错误地发往 registry 预加载，产生 404。这是与 PackageSpec enum 独立维护两套分类逻辑的反模式（A1）。

建议：删除 is_non_registry_spec，所有调用处改为：

!matches!(PackageSpec::parse(spec), PackageSpec::Registry { .. })

编译器保证分类逻辑永远与 enum 同步，新增变体时不会遗漏。

3. 缓存写入存在 TOCTOU 竞态 — git.rs clone_repo_blocking

resolved_marker.exists() 检查和后续写入之间没有原子保证。两个并发进程 resolve 相同 commit 时，第二个进程会在第一个正在 extract 时删除并重建 package_dir，产生损坏的部分提取目录，且该目录通过 resolved_marker.exists() 检查被当作合法缓存复用。

// 修改后 — 写入临时目录，再原子 rename：
let tmp_dir = package_dir.with_extension("tmp");
if tmp_dir.exists() {
    std::fs::remove_dir_all(&tmp_dir)?;
}
std::fs::create_dir_all(&tmp_dir)?;
extract_tree_to_dir(&checkout, tree_id.into(), &tmp_dir)?;
std::fs::write(tmp_dir.join("_resolved"), "")?;
std::fs::rename(&tmp_dir, &package_dir)?; // POSIX 保证原子性

---

🟡 Should Fix (5 项)

4. github_auth_token() 调用两次 — git.rs

clone_repo_blocking 函数顶部调用一次用于注入 token，map_err closure 内又调用一次检查是否为 None，逻辑不一致且冗余。

// 修改后：
let token = github_auth_token(); // 捕获一次
let effective_url = match token {
    Some(ref t) => inject_token_into_url(clone_url, t),
    None => clone_url.to_string(),
};
// map_err 中复用：
if token.is_none() && (clone_url.contains("github.com") || ...) { ... }

5. NonZeroU32::new(1).unwrap() — git.rs

项目使用 nightly toolchain，.unwrap() 此处无必要，建议改用：

// Option A：语义最清晰
NonZeroU32::MIN  // 值保证为 1，stable 1.70+

// Option B：const 上下文，编译期验证
const DEPTH_ONE: NonZeroU32 = NonZeroU32::new(1).unwrap();

6. with_cache_dir(Option<PathBuf>) 参数类型 — builder.rs

项目 builder 惯例是接受值类型，调用方不应手写 Some(...)：

// 修改后：
pub fn with_cache_dir(mut self, cache_dir: PathBuf) -> Self {
    self.cache_dir = Some(cache_dir);
    self
}
// 调用方：builder.with_cache_dir(path)  而非  builder.with_cache_dir(Some(path))

7. ResolveError::Git 丢失错误链 — registry.rs

message: String 导致 source() 返回 None，anyhow 和诊断工具无法回溯原始 gix 错误：

// 修改后：
ResolveError::Git { url: String, source: anyhow::Error }

// Display:
ResolveError::Git { url, source } => write!(f, "Git resolution failed for {}: {}", url, source)

// source():
ResolveError::Git { source, .. } => source.source()

8. is_local_spec 未删除，仍在 builder.rs 中使用 — preload.rs

preload.rs 给 is_local_spec 加了 #[deprecated]，但 builder.rs 仍在 import 并调用它。内部函数应直接删除并更新所有调用处，不应走废弃路径。

---

⚪ Style Suggestion (2 项)

9. 错误消息引号不一致 — registry.rs

现有变体无引号，新增 Git 变体的 URL 有单引号，建议保持一致：

// 现在: "Git resolution failed for '{}': {}"
// 建议: "Git resolution failed for {}: {}"

10. submodule 条目静默跳过缺少 trace — git.rs

gix::object::tree::EntryKind::Commit => {
    // 建议添加：
    tracing::debug!("Skipping submodule entry at {:?} (submodules are not resolved)", entry.filename());
}

---

核心总结

三个 Must Fix 共享同一根因：PackageSpec enum 被引入作为 spec 分类的唯一真相来源，但 process_dependency 路由和 is_non_registry_spec 各自独立重新实现了子集分类逻辑。统一修复方案是删除所有独立分类器，所有调用处改为 exhaustive match PackageSpec::parse(spec) { ... }，让编译器强制穷举性保证，避免新增变体时出现静默误判。

🤖 Generated with Claude Code

[elrrrrrrr]

禁止出现 serde_json::value，直接使用 versionManifest
同时需要注意 package.json 和 versionManifest 的区别

[elrrrrrrr]

resolve_non_registry_dep 内未来还需要实现 sepc => version 过期判断

目前 resolve_dependency 的命名不够语义化，没有体现缓存功能

[elrrrrrrr]

workspace: 目前已经支持了，需要考虑

[elrrrrrrr]

禁止 serde_jons::Value 😈

[elrrrrrrr]

git.rs 目前都是同步方法，目前 pipeline 模式都是异步运行时，看看有 async 的解决方案吗？

[xusd320]

Suggested change

	pub(crate) async fn resolve_non_registry_dep(
	// TODO: refactor this to be more extendable
	pub(crate) async fn resolve_non_registry_dep(

[elrrrrrrr]

clone_repo_blocking 每次都走网络，不读磁盘缓存

                                                                                                                                                                                                                                          
  fn clone_repo_blocking(...) -> Result<GitCloneResult> {                                                                                                                                                                                  
      let temp_dir = tempfile::tempdir()?;        // ← tempdir 创建                                                                                                                                                                        
      let (checkout, _outcome) = prepare.fetch_only(...)?;  // ← 网络 fetch 总是执行                                                                                                                                                       
                                                                                                                                                                                                                                           
      // ... 计算 commit_hex, package_dir, resolved_marker ...                                                                                                                                                                             
                                                                                                                                                                                                                                           
      if resolved_marker.exists() {              // ← 检查缓存在 fetch 之后！                                                                                                                                                              
          return Ok(GitCloneResult { ... });                                                                                                                                                                                               
      }
      // ... extract ...                                                                                                                                                                                                                   
  }                                                                                                                                                                                                                                        
     

_resolved 标记用来做进程间原子性保证，但它是在完成网络 fetch 之后才检查的。这意味着每次 utoo install 运行，即使包已经在磁盘缓存里，都会重新 clone。

缓存路径在 fetch 前就完全确定（cache_dir///），可以提前检查。修复思路：

  // 仅对全 SHA 可提前检查（branch/tag refs 必须 fetch 才能知道当前 HEAD）
  if let Some(sha) = commit_ish.filter(|s| s.len() == 40 && s.chars().all(|c| c.is_ascii_hexdigit())) {
      // 但 name 未知……需要从磁盘 package.json 读取
      // 或者维护一个 url->name 的索引文件
  }

[elrrrrrrr]

ResolveError 其他 variant 用的是具体类型（deno_semver::VersionError、E），唯独 Git 用了 trait object。这破坏了 enum 的类型安全优势——Comprehensive Rust 的 Error trait 章节说过
"boxing errors gives up the ability to cleanly handle different error cases"。

建议： 用 #[from] 配合具体的 GitResolveError 类型，或至少用 anyhow::Error 替代裸 Box 以保持一致。

[elrrrrrrr]

type CloneCache = Mutex<HashMap<String, Arc<tokio::sync::OnceCell<Arc>>>>;
static GIT_CLONE_CACHE: LazyLock = LazyLock::new(|| Mutex::new(HashMap::new()));

Comprehensive Rust 并发章节强调在 async 上下文中要注意 mutex 的选择。这里用 parking_lot::Mutex（同步锁）来保护一个在 async 函数中使用的 HashMap。虽然锁持有时间很短（只是
entry().or_insert_with()），理论上不会 block executor，但有两个问题：

• 全局 static 无法被 test/clean/drop：进程生命周期内缓存永远增长，utoo clean 只清磁盘但内存 map 不清。
• 跨 test 泄漏：#[tokio::test] 之间共享全局状态。

建议： 将 CloneCache 作为 BuildDepsConfig 或 resolver context 的一个字段（Arc），而不是 static。

可以参照一下目前 VersionManifestCache 相关实现

[elrrrrrrr]

为了找某个 SHA 的缓存目录，遍历了 cache_dir 下所有顶层目录，包括 scoped package 的二级目录。如果缓存目录有大量包，这会很慢。

其实可以直接读取 name 后判断，因为我们虽然不知道版本号，但是 name 是确定的

[elrrrrrrr]

还需要审视一下目前异常处理、全局缓存方案，结构要保持一致。

1. 不能存在 cache_dir 目录下全文件扫描，由于在同步方法的上下文内，获取 hash 成本会很高
2. 注意不用 mutex、box dyn error 等方式，架构需要 ruborist 和其他 resolver.rs 保持一致