feat(pm): integrate git dependency support into install flow (3/3)

[killagu]

Summary

Split from #2603 — Part 3 of 3 for git dependency resolution. Depends on #2623.

• Enable native-git feature for utoo-ruborist dependency
• Add git_resolver module with resolve_git_spec/resolve_github_spec wrappers
• Add is_git_url, git_cache_lookup, resolve_cache_path to downloader
• Route git packages through resolve_cache_path in cloner
• Skip download pipeline for git packages (pre-cached during BFS)
• Update resolve_package_spec with PackageSpec::parse() and exhaustive match
• Add format_save_spec for git-aware package.json writing

Pipeline flow for git packages

1. BFS resolution clones git repo → caches at <cache_dir>/<name>/<sha>/
2. Download worker sees git+ URL → skips (already cached)
3. Clone worker calls resolve_cache_path → routes to git_cache_lookup → returns cached path
4. Package cloned to node_modules/ from cache

Architectural fixes applied

• Single is_git_url in downloader.rs — no duplicate function
• Exhaustive match on PackageSpec variants — no _ => catch-all
• format_save_spec handles git URLs (written as-is to package.json)

Test plan

• cargo check -p utoo-pm passes
• cargo test -p utoo-pm — 202 pass (1 pre-existing network failure unrelated)
• End-to-end: utoo install git+https://github.com/user/repo.git
• Verify utoo clean handles git-cached packages

Part of git dependency resolution: #2622 → #2623 → PR3

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello @killagu, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the package manager's capability by integrating comprehensive support for Git dependencies. It establishes a robust pipeline for resolving, caching, and installing packages directly from Git repositories, including GitHub shorthand. The changes streamline the dependency resolution process, ensure proper handling of Git URLs in package.json, and optimize the download workflow by leveraging pre-caching for Git-based packages.

Highlights

• Git Dependency Support: Enabled the native-git feature for the utoo-ruborist dependency to allow native Git operations.
• New Git Resolver Module: Introduced a new git_resolver module to handle Git and GitHub package specifications, including cloning and caching.
• Intelligent Caching for Git Packages: Implemented is_git_url, git_cache_lookup, and resolve_cache_path in the downloader utility for intelligent caching and retrieval of Git packages.
• Optimized Download Pipeline: Optimized the download pipeline to skip Git packages, as they are pre-cached during the BFS resolution phase, improving efficiency.
• Refactored Package Specification Resolution: Refactored resolve_package_spec to use PackageSpec::parse() and an exhaustive match, improving handling of various package specification types.
• Git-Aware package.json Writing: Added format_save_spec to correctly write Git-aware package specifications (e.g., resolved URLs with pinned commits) into package.json files.

Changelog

• crates/pm/Cargo.toml
  • Enabled the native-git feature for utoo-ruborist.
• crates/pm/src/helper/lock.rs
  • Imported resolve_git_spec and resolve_github_spec from git_resolver.
  • Replaced downloader::download_to_cache with downloader::resolve_cache_path.
  • Replaced utoo_ruborist::util::parse_package_spec with utoo_ruborist::spec::PackageSpec.
  • Introduced format_save_spec function to handle writing git-aware versions to package.json.
  • Updated resolve_package_spec to use PackageSpec::parse() and an exhaustive match for different package types (Registry, Git, GitHub).
  • Changed download_to_cache call to resolve_cache_path in prepare_global_package_json.
• crates/pm/src/service/pipeline/worker.rs
  • Imported is_git_url from downloader.
  • Added logic to skip the download pipeline for Git packages, relying on pre-caching.
• crates/pm/src/util/cloner.rs
  • Replaced downloader::download_to_cache with downloader::resolve_cache_path.
• crates/pm/src/util/downloader.rs
  • Added is_git_url function to identify Git URLs.
  • Implemented git_cache_lookup for retrieving pre-cached Git packages.
  • Introduced resolve_cache_path to route requests to either git_cache_lookup or download_to_cache.
  • Updated documentation for download_to_cache to clarify its use for registry tarballs.
• crates/pm/src/util/git_resolver.rs
  • Added a new module.
  • Implemented resolve_git_spec to clone Git repositories and cache results.
  • Implemented resolve_github_spec to convert GitHub shorthand to Git URLs and resolve them.
• crates/pm/src/util/mod.rs
  • Exported the new git_resolver module.

Activity

• This pull request is the third part of a three-part series for Git dependency resolution, split from feat(pm): internalize git dependency resolution into ruborist #2603, and depends on feat(pm): add native-git BFS resolution (2/3) #2623.
• All cargo check -p utoo-pm tests passed.
• cargo test -p utoo-pm resulted in 202 passing tests, with one pre-existing network failure unrelated to these changes.
• The PR description includes a test plan for end-to-end verification of utoo install git+https://github.com/user/repo.git and utoo clean handling of git-cached packages.
• The summary was generated using Claude Code.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request successfully integrates git dependency support into the package manager's installation flow. The changes are well-structured, enabling the native-git feature, adding a git_resolver module, and correctly updating the download and cloning pipeline to handle git packages by pre-caching them during dependency resolution. I've provided a couple of suggestions to improve code consistency and promote idiomatic Rust, which will enhance overall maintainability.

[gemini-code-assist]

To adhere to the PR's goal of having a single source of truth for identifying git URLs, please use the newly introduced is_git_url function from the downloader module here. This will improve maintainability by avoiding logic duplication.

You will need to add use crate::util::downloader::is_git_url; to the imports at the top of the file.

Suggested change

	if version_spec.starts_with("git+") || version_spec.starts_with("git://") {
	if is_git_url(version_spec) {

[gemini-code-assist]

This function's body can be simplified into a single if-else expression. This is more idiomatic in Rust and improves readability by making the two execution paths clearer.

    if is_git_url(tarball_url) {
        git_cache_lookup(name, version, tarball_url).await
    } else {
        download_to_cache(name, version, tarball_url).await
    }

[Copilot]

Pull request overview

Integrates git-based dependency resolution into the utoo-pm install pipeline by leveraging utoo-ruborist’s native git clone/cache support, ensuring git packages are pre-cached during BFS and then cloned from cache during install.

Changes:

• Enable utoo-ruborist’s native-git feature and add a PM-side git_resolver wrapper that injects the PM cache dir.
• Add git-aware cache routing in the downloader (is_git_url, git_cache_lookup, resolve_cache_path) and route cloner + pipeline behavior accordingly (skip downloads for git URLs).
• Update spec resolution and package.json writing to be git-aware via PackageSpec::parse() and format_save_spec.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
crates/pm/src/util/mod.rs	Exposes the new git_resolver utility module.
crates/pm/src/util/git_resolver.rs	Adds thin wrappers around ruborist git clone, injecting PM cache dir.
crates/pm/src/util/downloader.rs	Introduces git URL detection + git cache lookup and a unified resolve_cache_path.
crates/pm/src/util/cloner.rs	Switches from download_to_cache to resolve_cache_path to support git-cached packages.
crates/pm/src/service/pipeline/worker.rs	Skips the download worker for git URLs since BFS pre-caches them.
crates/pm/src/helper/lock.rs	Moves to typed PackageSpec::parse(), adds git-aware save formatting, and resolves git specs via the new wrappers.
crates/pm/Cargo.toml	Enables native-git feature for utoo-ruborist.

[Copilot]

git_cache_lookup trusts the URL fragment as a path segment (cache_dir.join(name).join(commit_sha)). If tarball_url comes from a user-edited/compromised lockfile, a fragment like #../.. could cause path traversal and let the cloner read/copy from unexpected directories. Consider validating commit_sha (e.g., only [0-9a-f]{7,40}) and rejecting anything containing path separators or .. before constructing cache_path.

[Copilot]

New git-aware helpers (is_git_url / git_cache_lookup / resolve_cache_path) add a distinct control-flow path (skip download + cache lookup), but there are no unit tests covering git URL detection and cache-hit/miss behavior. Since this file already has async tests, please add tests that cover at least: (1) is_git_url for git+https, git+ssh, git:// and non-git URLs; (2) resolve_cache_path returning the expected cache path when _resolved exists for a git URL.

Suggested change

	#[cfg(test)]
	mod tests {
	use super::*;
	use std::fs;
	#[test]
	fn is_git_url_recognizes_git_and_non_git_urls() {
	assert!(is_git_url("git+https://github.com/example/repo.git#abcdef"));
	assert!(is_git_url("git+ssh://git@github.com/example/repo.git#123456"));
	assert!(is_git_url("git://github.com/example/repo.git#deadbeef"));
	assert!(!is_git_url("https://registry.npmjs.org/example/-/example-1.0.0.tgz"));
	assert!(!is_git_url("http://example.com/not-a-git-url"));
	assert!(!is_git_url("file:///tmp/local-package.tgz"));
	}
	#[tokio::test]
	async fn resolve_cache_path_returns_git_cache_hit_when_resolved_exists() {
	let name = "gitpkg-cache-hit";
	let version = "1.0.0";
	let commit_sha = "cafebabecafebabe";
	let tarball_url = format!("git+https://example.com/{}.git#{}", name, commit_sha);
	let cache_dir = get_cache_dir();
	let cache_path = cache_dir.join(name).join(commit_sha);
	// Prepare the cache directory and _resolved marker file to simulate a pre-resolved git package.
	fs::create_dir_all(&cache_path).expect("failed to create git cache directory");
	let resolved_marker = cache_path.join("_resolved");
	fs::File::create(&resolved_marker).expect("failed to create _resolved marker file");
	let resolved = resolve_cache_path(name, version, &tarball_url).await;
	assert_eq!(resolved, Some(cache_path));
	}
	#[tokio::test]
	async fn resolve_cache_path_returns_none_when_git_cache_miss() {
	let name = "gitpkg-cache-miss";
	let version = "1.0.0";
	let commit_sha = "0123456789abcdef";
	let tarball_url = format!("git+ssh://git@example.com/{}.git#{}", name, commit_sha);
	let cache_dir = get_cache_dir();
	let cache_path = cache_dir.join(name).join(commit_sha);
	// Ensure the cache directory exists but without the _resolved marker,
	// or clean up any leftover state from previous runs.
	if cache_path.exists() {
	// Best-effort cleanup; ignore errors if the directory is in use.
	let _ = fs::remove_dir_all(&cache_path);
	}
	let resolved = resolve_cache_path(name, version, &tarball_url).await;
	assert!(resolved.is_none());
	}
	}

[Copilot]

resolve_package_spec now returns resolved.resolved_url as the third tuple element for git/GitHub specs, but returns a semver/range string for registry specs. This makes the meaning of the third element ambiguous and can break callers that assume it’s always a registry version spec (e.g. prepare_global_package_json later passes it into resolve_package). Consider returning a typed struct/enum (or include the parsed PackageSpec) so callers can handle git vs registry explicitly, or split into separate resolve_registry_spec vs resolve_non_registry_spec helpers.

[Copilot]

format_save_spec re-implements git URL detection inline (starts_with("git+") || starts_with("git://")), which duplicates the predicate introduced in util::downloader::is_git_url. Using the shared helper would keep git routing rules consistent if supported prefixes expand (and reduces drift between save-formatting vs download/clone routing).