Install gate, Phase 3 (lane 1): uv gate + yarn/pnpm named-only wrappers#113
Open
juangaitanv wants to merge 3 commits into
Open
Install gate, Phase 3 (lane 1): uv gate + yarn/pnpm named-only wrappers#113juangaitanv wants to merge 3 commits into
juangaitanv wants to merge 3 commits into
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
juangaitanv
force-pushed
the
install-gate-phase-2
branch
from
936d69a to
dd4b575
Compare
juangaitanv
added a commit
that referenced
this pull request
Jun 12, 2026
… guard Addresses Cursor review on #113. - uv commands are now classified after skipping leading global flags, so `uv --project ./app sync` / `uv --quiet add x` are gated instead of falling through to ungated passthrough. - the custom-index warning (from Phase 1) now fires for uv install/add/sync too, listing uv's index flags (--index, --default-index, --find-links, …). - the pip↔uv wrong-manager guard is applied consistently: it stays on `uv add` (project management, writes pyproject) but NOT `uv pip install` / `uv pip sync` — those are uv's pip-compatible interface, correct to use in a requirements project, and already fully gated by the tree pass. (Partial decline of the review's ask, with the reasoning above.) - parse_uv_lock now verdicts ONLY registry-sourced packages: git/url direct artifacts are skipped (their name@version is not a PyPI identity), and a registry package missing a version fails closed instead of being silently dropped. - the Node wrong-manager guard walks past a workspace MEMBER's leaf package.json to the workspace root (root `workspaces` field or pnpm-workspace.yaml), so a member install is checked against the root's manager. Standalone fresh projects still stop at their own leaf.
juangaitanv
force-pushed
the
install-gate-phase-3-uv
branch
from
c39ab0f to
d9af832
Compare
juangaitanv
force-pushed
the
install-gate-phase-2
branch
from
dd4b575 to
c86aa2d
Compare
juangaitanv
added a commit
that referenced
this pull request
Jun 12, 2026
… guard Addresses Cursor review on #113. - uv commands are now classified after skipping leading global flags, so `uv --project ./app sync` / `uv --quiet add x` are gated instead of falling through to ungated passthrough. - the custom-index warning (from Phase 1) now fires for uv install/add/sync too, listing uv's index flags (--index, --default-index, --find-links, …). - the pip↔uv wrong-manager guard is applied consistently: it stays on `uv add` (project management, writes pyproject) but NOT `uv pip install` / `uv pip sync` — those are uv's pip-compatible interface, correct to use in a requirements project, and already fully gated by the tree pass. (Partial decline of the review's ask, with the reasoning above.) - parse_uv_lock now verdicts ONLY registry-sourced packages: git/url direct artifacts are skipped (their name@version is not a PyPI identity), and a registry package missing a version fails closed instead of being silently dropped. - the Node wrong-manager guard walks past a workspace MEMBER's leaf package.json to the workspace root (root `workspaces` field or pnpm-workspace.yaml), so a member install is checked against the root's manager. Standalone fresh projects still stop at their own leaf.
juangaitanv
force-pushed
the
install-gate-phase-3-uv
branch
from
d9af832 to
36350f3
Compare
Harvested from the install-vuln-gate spike (dfac68e); still public-mode only, no --json. - corgea uv: `uv pip install` / `uv add` / `uv pip sync` gate through `uv pip compile` (--only-binary :all:, temp .in file) so the full resolved set is verdicted; `uv sync` is gated from the nearest-ancestor uv.lock (local/editable stanzas skipped, unparsable lock refuses, --force escape); `uv lock` and everything else passes through; top-level `uv install` gets a did-you-mean - corgea yarn|pnpm: named targets verified (with the loud named-only warning — no safe dry-run); bare installs exec unchecked behind an honest stderr note; bare `yarn` routes through `yarn install` - wrong-package-manager guard: npm/yarn/pnpm cross-checked against lockfiles + the packageManager field (ambiguous indicators stand down, fresh projects don't inherit ancestor lockfiles); pip↔uv cross-checked against uv.lock / requirements files; all suggestions name the corgea-wrapped command; --force bypasses - SKILL.md updated for the new managers and limitations
… guard Addresses Cursor review on #113. - uv commands are now classified after skipping leading global flags, so `uv --project ./app sync` / `uv --quiet add x` are gated instead of falling through to ungated passthrough. - the custom-index warning (from Phase 1) now fires for uv install/add/sync too, listing uv's index flags (--index, --default-index, --find-links, …). - the pip↔uv wrong-manager guard is applied consistently: it stays on `uv add` (project management, writes pyproject) but NOT `uv pip install` / `uv pip sync` — those are uv's pip-compatible interface, correct to use in a requirements project, and already fully gated by the tree pass. (Partial decline of the review's ask, with the reasoning above.) - parse_uv_lock now verdicts ONLY registry-sourced packages: git/url direct artifacts are skipped (their name@version is not a PyPI identity), and a registry package missing a version fails closed instead of being silently dropped. - the Node wrong-manager guard walks past a workspace MEMBER's leaf package.json to the workspace root (root `workspaces` field or pnpm-workspace.yaml), so a member install is checked against the root's manager. Standalone fresh projects still stop at their own leaf.
…flag-skip, ungated disclosures
- SECURITY: valued global flags missing from takes_value made their VALUE
classify as the subcommand → silent ungated passthrough. Added uv's
--color/--config-file/--cache-dir/--allow-insecure-host and yarn's
--cwd ('corgea uv --color always add x' and 'corgea yarn --cwd dir add
x' installed unchecked). Unit + e2e regression tests with valued flags.
- classify_uv_command skips flags between 'pip' and its verb, so
'uv pip --quiet install x' gates instead of passing through.
- uv add's --optional/--bounds/--script values no longer parse as specs.
- 'uv run' / 'uv tool install|run|upgrade' print an ungated-install note
(and SKILL.md lists them as limitations) instead of passing silently;
same for 'yarn global add'.
- Workspace-member walk now checks dir membership against the declared
globs (package.json workspaces / pnpm-workspace.yaml packages), so a
standalone project nested under an unrelated monorepo keeps its leaf
boundary instead of being wrong-manager-refused.
- uv.lock parsing discloses skipped non-registry pin counts and warns on
non-default registry sources; run_uv_sync echoes the command correctly
behind global flags.
juangaitanv
force-pushed
the
install-gate-phase-2
branch
from
c86aa2d to
33da96b
Compare
juangaitanv
force-pushed
the
install-gate-phase-3-uv
branch
from
36350f3 to
f8426b6
Compare
leenk7991
reviewed
Jun 15, 2026
| { | ||
| set.non_default_registries.insert(registry.to_string()); | ||
| } | ||
| } |
There was a problem hiding this comment.
should we add a continue here? non default registries might still have versions (e.g internal package) and stil be added to set.packages. then it fails when vulnerability api tries to validate it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This PR is Phase 3, lane 1 of the install-gate feature for the Corgea CLI.
Lane 1 expands package-manager breadth. It adds uv coverage, adds named-only wrappers for yarn and pnpm, and adds wrong-package-manager guards so installs are steered toward the manager that owns the project.
This lane remains public mode only and does not add
--jsonoutput.Stacked on #112. Base branch:
install-gate-phase-2. Review this PR's diff in isolation; it contains the Phase 3 lane 1 slice.What Phase 3 Lane 1 Includes
uv pip install,uv add, anduv pip syncthroughuv pip compile, with--only-binary :all:and a temporary input file so the full resolved set is checked.uv synclockfile gating from the nearest ancestoruv.lock. Local/editable stanzas are skipped, registry packages are checked, unparsable locks refuse unless--forceis used, and skipped non-registry pins are disclosed.uv --project ./app syncanduv pip --quiet install xdo not pass through ungated.--index,--default-index, and--find-links.yarnrouting throughyarn installsemantics.packageManager, package workspaces, andpnpm-workspace.yaml; and for pip/uv usinguv.lockand requirements files.uv run,uv tool install, andyarn global add.skills/corgea/SKILL.mdfor the new managers and limitations.Deliberately Out Of Scope
Later lanes add:
--jsonmachine-readable outputExit Criteria - Met
Covered by
tests/cli_uv_sync.rsand extensions to the install, tree, and bare-install suites. Confirmed live withcorgea uv pip install mezzanine==6.0.0, which resolves a 24-package tree through realuv pip compileand blocks; also confirmedcorgea pnpm addin an npm project refuses with a corrected command suggestion../harness checkpasses.