perf,refactor: indexed apt lookups, parallel repo syncs, shared install helpers

Speedups:
- aptcache: Lookup's last-resort path did a full O(n) scan of all
  entries (60k+ on Debian) on every miss — and misses are the common
  case during dep resolution (virtual packages). Use the existing
  byBareName secondary index (scanEntryByName) instead: O(1) per miss.
- pacmandb.Sync / apkindex.Update: repo syncs were sequential; both now
  fetch in parallel (errgroup, limit 4) like the dnf/apt fetchers.
  apkindex parses sequentially after the parallel download phase since
  Index mutation is not concurrency-safe.

Dedup:
- pkg/signing.SignerName: shared OpenPGP identity extraction; the
  byte-identical copies in aptrepo/verify.go and dnfinstall/verify.go
  are now thin delegators.
- pkg/shell.FilterEnv / HasEnvKey: shared scriptlet-environment
  mechanics (allow-list filter + defaults); aptinstall and dnfinstall
  keep their format-specific allow-lists and delegate the machinery.
- project: localArtifactExists reuses signingFormatForArtifact instead
  of duplicating the artifact-extension switch.

Deliberately NOT merged: the local fileExists helpers (files.Exists
treats permission errors as "exists" — different semantics) and
stripVersionConstraint (apkindex/pkgbuild can't share a home without an
awkward new leaf package).

Author: M0Rf30

pkg/apkindex/fetch.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/cavaliergopher/grab/v3"
 	"github.com/klauspost/compress/gzip"
+	"golang.org/x/sync/errgroup"
 
 	apperrors "github.com/M0Rf30/yap/v2/pkg/errors"
 	"github.com/M0Rf30/yap/v2/pkg/httpclient"
@@ -61,26 +62,55 @@ func Update(ctx context.Context) (*Index, error) {
 	idx := NewIndex()
 	succeeded := 0
 
-	for _, repo := range repos {
-		indexURL := repo.URL + "/" + arch + "/APKINDEX.tar.gz"
-		cachePath := filepath.Join(apkCacheDir, "APKINDEX."+sha1Hex(indexURL)+".tar.gz")
+	// Phase 1: download all APKINDEX tarballs in parallel (network-bound;
+	// destinations are distinct cache files keyed by URL hash).
+	type fetchResult struct {
+		indexURL  string
+		cachePath string
+		err       error
+	}
 
-		logger.Debug(i18n.T("logger.apkindex.debug.fetching_repo"), "url", repo.URL, "arch", arch)
+	results := make([]fetchResult, len(repos))
 
-		if err := downloadFile(ctx, indexURL, cachePath, maxAPKIndexBytes); err != nil {
-			// Log warning and continue with other repos.
-			logger.Warn(i18n.T("logger.apkindex.warn.fetch_failed"), "url", indexURL, "error", err)
+	g := new(errgroup.Group)
+	g.SetLimit(4)
+
+	for i, repo := range repos {
+		g.Go(func() error {
+			indexURL := repo.URL + "/" + arch + "/APKINDEX.tar.gz"
+			cachePath := filepath.Join(apkCacheDir, "APKINDEX."+sha1Hex(indexURL)+".tar.gz")
+
+			logger.Debug(i18n.T("logger.apkindex.debug.fetching_repo"), "url", repo.URL, "arch", arch)
+
+			results[i] = fetchResult{
+				indexURL:  indexURL,
+				cachePath: cachePath,
+				err:       downloadFile(ctx, indexURL, cachePath, maxAPKIndexBytes),
+			}
 
+			return nil
+		})
+	}
+
+	_ = g.Wait()
+
+	// Phase 2: parse sequentially — Index mutation is not concurrency-safe
+	// and parsing is cheap compared to the network fetch.
+	for i, repo := range repos {
+		res := results[i]
+		if res.err != nil {
+			// Log warning and continue with other repos.
+			logger.Warn(i18n.T("logger.apkindex.warn.fetch_failed"), "url", res.indexURL, "error", res.err)
 			continue
 		}
 
 		var sizeBytes int64
-		if fi, statErr := os.Stat(cachePath); statErr == nil {
+		if fi, statErr := os.Stat(res.cachePath); statErr == nil {
 			sizeBytes = fi.Size()
 		}
 
-		if err := loadIndexTarball(idx, cachePath, repo.URL); err != nil {
-			logger.Warn(i18n.T("logger.apkindex.warn.parse_failed"), "path", cachePath, "error", err)
+		if err := loadIndexTarball(idx, res.cachePath, repo.URL); err != nil {
+			logger.Warn(i18n.T("logger.apkindex.warn.parse_failed"), "path", res.cachePath, "error", err)
 
 			continue
 		}

pkg/aptcache/aptcache.go

@@ -279,14 +279,14 @@ func (c *Cache) Lookup(name string) (PackageInfo, bool) {
 		return *p, true
 	}
 
-	// Last resort: scan for any entry matching name:*.
-	// This handles edge cases where a package only exists for a foreign
-	// architecture (e.g. a test or cross-build situation with arm64-only
-	// packages on an amd64 host).
-	for key, candidate := range c.entries {
-		if bare, _, has := strings.Cut(key, ":"); has && bare == name {
-			return *candidate, true
-		}
+	// Last resort: any entry matching name:* via the byBareName secondary
+	// index — O(1) instead of a full-map scan. This handles edge cases
+	// where a package only exists for a foreign architecture (e.g. a test
+	// or cross-build situation with arm64-only packages on an amd64 host).
+	// Misses are the common case during dependency resolution (virtual
+	// packages), so this path must stay cheap.
+	if candidate, ok := c.scanEntryByName(name); ok {
+		return *candidate, true
 	}
 
 	return PackageInfo{}, false

pkg/aptinstall/scriptlet.go

@@ -11,6 +11,7 @@ import (
 	"github.com/M0Rf30/yap/v2/pkg/errors"
 	"github.com/M0Rf30/yap/v2/pkg/i18n"
 	"github.com/M0Rf30/yap/v2/pkg/logger"
+	"github.com/M0Rf30/yap/v2/pkg/shell"
 )
 
 // scriptletEnvAllowList enumerates the environment variables we forward to
@@ -37,40 +38,18 @@ var scriptletEnvAllowList = map[string]bool{
 }
 
 // filterScriptletEnv returns the subset of os.Environ() that's safe to
-// forward to a maintainer script.
+// forward to a maintainer script. A sane PATH is always provided so
+// /usr/bin lookups (debconf, dpkg-trigger, update-alternatives, ldconfig)
+// work even if the parent env stripped it.
 func filterScriptletEnv() []string {
-	parent := os.Environ()
-	filtered := make([]string, 0, len(parent))
-
-	for _, kv := range parent {
-		k, _, ok := strings.Cut(kv, "=")
-		if !ok {
-			continue
-		}
-
-		if scriptletEnvAllowList[k] {
-			filtered = append(filtered, kv)
-		}
-	}
-
-	// Always provide a sane PATH so /usr/bin lookups (debconf, dpkg-trigger,
-	// update-alternatives, ldconfig) work even if the parent env stripped it.
-	if !hasEnvKey(filtered, "PATH") {
-		filtered = append(filtered, "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
-	}
-
-	return filtered
+	return shell.FilterEnv(scriptletEnvAllowList, map[string]string{
+		"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+	})
 }
 
+// hasEnvKey reports whether key is present in env ("key=value" entries).
 func hasEnvKey(env []string, key string) bool {
-	prefix := key + "="
-	for _, kv := range env {
-		if strings.HasPrefix(kv, prefix) {
-			return true
-		}
-	}
-
-	return false
+	return shell.HasEnvKey(env, key)
 }
 
 // runScriptlet executes a maintainer scriptlet via /bin/sh as a child

pkg/aptrepo/verify.go

@@ -28,7 +28,6 @@ package aptrepo
 import (
 	"bytes"
 	"errors"
-	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -39,6 +38,7 @@ import (
 	pgperrors "github.com/ProtonMail/go-crypto/openpgp/errors"
 
 	yaperrors "github.com/M0Rf30/yap/v2/pkg/errors"
+	"github.com/M0Rf30/yap/v2/pkg/signing"
 )
 
 // defaultAptKeyringPaths is the set of files/directories apt itself trusts
@@ -259,15 +259,7 @@ func loadKeyringFile(path string) (openpgp.EntityList, error) {
 // Automatic Signing Key (2018) <[email protected]>") from a
 // verified entity, or returns the hex key ID when no UID is present.
 func signerName(e *openpgp.Entity) string {
-	if e == nil {
-		return ""
-	}
-
-	for name := range e.Identities {
-		return name
-	}
-
-	return fmt.Sprintf("%X", e.PrimaryKey.KeyId)
+	return signing.SignerName(e)
 }
 
 // wrapPGPError translates ProtonMail's sentinel + typed errors into a

pkg/dnfinstall/scriptlet.go

@@ -14,6 +14,7 @@ import (
 	"github.com/M0Rf30/yap/v2/pkg/errors"
 	"github.com/M0Rf30/yap/v2/pkg/i18n"
 	"github.com/M0Rf30/yap/v2/pkg/logger"
+	"github.com/M0Rf30/yap/v2/pkg/shell"
 )
 
 // scriptletKind identifies which scriptlet to run.
@@ -94,33 +95,14 @@ var scriptletEnvAllowList = map[string]bool{
 }
 
 // filterScriptletEnv returns a filtered environment suitable for scriptlet
-// execution. Mirrors the deb/apt approach but for RPM.
+// execution. Mirrors the deb/apt approach but for RPM: a sane PATH is
+// always provided so lookups (ldconfig, systemctl, etc.) work, and HOME
+// defaults to / as rpm does.
 func filterScriptletEnv() []string {
-	parent := os.Environ()
-	filtered := make([]string, 0, len(parent))
-
-	for _, kv := range parent {
-		k, _, ok := strings.Cut(kv, "=")
-		if !ok {
-			continue
-		}
-
-		if scriptletEnvAllowList[k] {
-			filtered = append(filtered, kv)
-		}
-	}
-
-	// Always provide a sane PATH so lookups (ldconfig, systemctl, etc.) work.
-	if !hasEnvKey(filtered, "PATH") {
-		filtered = append(filtered, "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
-	}
-
-	// Always provide HOME.
-	if !hasEnvKey(filtered, "HOME") {
-		filtered = append(filtered, "HOME=/")
-	}
-
-	return filtered
+	return shell.FilterEnv(scriptletEnvAllowList, map[string]string{
+		"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"HOME": "/",
+	})
 }
 
 // looksLikeLua returns true when the body appears to be an RPM Lua scriptlet
@@ -155,16 +137,9 @@ func looksLikeLua(body string) bool {
 	return false
 }
 
-// hasEnvKey checks if an environment variable key exists in the list.
+// hasEnvKey reports whether key is present in env ("key=value" entries).
 func hasEnvKey(env []string, key string) bool {
-	prefix := key + "="
-	for _, kv := range env {
-		if strings.HasPrefix(kv, prefix) {
-			return true
-		}
-	}
-
-	return false
+	return shell.HasEnvKey(env, key)
 }
 
 // runScriptlet executes a single scriptlet from the RPM header.

pkg/dnfinstall/verify.go

@@ -17,6 +17,7 @@ import (
 	yaperrors "github.com/M0Rf30/yap/v2/pkg/errors"
 	"github.com/M0Rf30/yap/v2/pkg/i18n"
 	"github.com/M0Rf30/yap/v2/pkg/logger"
+	"github.com/M0Rf30/yap/v2/pkg/signing"
 )
 
 // ErrUnsignedRPM is returned when an RPM has no signature header.
@@ -285,13 +286,5 @@ func wrapRPMSignatureError(err error) error {
 // <[email protected]>") from a verified entity, or returns the hex key ID
 // when no UID is present.
 func signerName(e *openpgp.Entity) string {
-	if e == nil {
-		return ""
-	}
-
-	for name := range e.Identities {
-		return name
-	}
-
-	return fmt.Sprintf("%X", e.PrimaryKey.KeyId)
+	return signing.SignerName(e)
 }

pkg/pacmandb/pacmandb.go

@@ -12,6 +12,9 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
+
+	"golang.org/x/sync/errgroup"
 
 	"github.com/M0Rf30/yap/v2/pkg/errors"
 	"github.com/M0Rf30/yap/v2/pkg/i18n"
@@ -40,22 +43,41 @@ func Sync(ctx context.Context) (succeeded int, err error) {
 	logger.Info(i18n.T("logger.pacmandb.info.syncing_repos"), "repos", len(cfg.Repos),
 		"arch", arch)
 
-	var firstErr error
+	// Repos are independent (separate .db destinations) — sync them in
+	// parallel, bounded like the other repo fetchers. Failures are
+	// per-repo warnings; the first error is reported to the caller.
+	var (
+		mu       sync.Mutex
+		firstErr error
+	)
+
+	g := new(errgroup.Group)
+	g.SetLimit(4)
 
 	for _, repo := range cfg.Repos {
-		if err := syncRepo(ctx, repo, arch); err != nil {
-			if firstErr == nil {
-				firstErr = err
-			}
+		g.Go(func() error {
+			if err := syncRepo(ctx, repo, arch); err != nil {
+				mu.Lock()
+				if firstErr == nil {
+					firstErr = err
+				}
+				mu.Unlock()
 
-			logger.Warn(i18n.T("logger.pacmandb.warn.repo_sync_failed"), "repo", repo.Name, "error", err)
+				logger.Warn(i18n.T("logger.pacmandb.warn.repo_sync_failed"), "repo", repo.Name, "error", err)
 
-			continue
-		}
+				return nil // best-effort: don't abort sibling repos
+			}
 
-		succeeded++
+			mu.Lock()
+			succeeded++
+			mu.Unlock()
+
+			return nil
+		})
 	}
 
+	_ = g.Wait()
+
 	logger.Info(i18n.T("logger.pacmandb.info.sync_complete"), "succeeded", succeeded,
 		"total", len(cfg.Repos))
 

pkg/project/project.go

@@ -706,14 +706,7 @@ func (mpc *MultipleProject) localArtifactExists(pkgName string) bool {
 		}
 
 		for _, m := range matches {
-			low := strings.ToLower(m)
-			switch {
-			case strings.HasSuffix(low, ".deb"),
-				strings.HasSuffix(low, ".rpm"),
-				strings.HasSuffix(low, ".apk"),
-				strings.HasSuffix(low, ".pkg.tar.zst"),
-				strings.HasSuffix(low, ".pkg.tar.xz"),
-				strings.HasSuffix(low, ".pkg.tar.gz"):
+			if _, ok := signingFormatForArtifact(m); ok {
 				return true
 			}
 		}