refactor: consolidate extraction safety, share yapdb tail, split megafiles

Safe extraction (security-sensitive consolidation):
- new pkg/safepath: Join / JoinStrict / SymlinkTarget /
  EntrySymlinkTarget — ONE filepath.Rel-based containment implementation
  with an adversarial test suite (traversal, prefix-aliasing, "/" root
  clamping, symlink escapes)
- the five hand-rolled copies (archive/tar.go, aptinstall/extract.go,
  dnfinstall/safepath.go, apkindex/install.go, container/rootless) are
  now thin delegators keeping their local names and tests
- HARDENING: a member literally named "../etc/passwd" is now rejected
  even when root is "/" — filepath.Clean clamps ".." at the root, and
  the apt/dnf copies silently accepted the clamped form (apk already
  rejected it; rpm >= 4.18 and dpkg reject such names too)
- HARDENING: container rootfs layer extraction (rootless pull) now
  validates symlink targets; previously a malicious layer could plant a
  symlink escaping the rootfs and write through it with a later entry
- archive keeps its stricter any-".."-segment rejection for source
  archives on top of the shared containment

Dedup:
- yapdb.RecordInstalled: shared open/insert/close tail; the
  format-specific writeYapdb functions in aptinstall and dnfinstall now
  only assemble metadata
- cmd/yap/command.ResolveFlexibleDistro: parse-args + auto-detect +
  userProvided tracking shared by build and zap

File splits (mechanical, no behavior change):
- pkg/aptcache: aptcache.go (1957 lines) → aptcache.go (cache+resolver,
  576) + sources.go (449) + parse.go (605) + download.go (356)
- pkg/pkgbuild: filterInstalled* family (253 lines) → filter_installed.go

Author: M0Rf30

.github/workflows/_reusable-docker-build.yml

@@ -17,7 +17,7 @@ on:
         description: "Go version to use"
         required: false
         type: string
-        default: "1.26.1"
+        default: "1.26.4"
       push:
         description: "Push image to registry"
         required: false

.github/workflows/_reusable-go-setup.yml

@@ -8,7 +8,7 @@ on:
         description: "Go version to use"
         required: false
         type: string
-        default: "1.26.1"
+        default: "1.26.4"
       download-deps:
         description: "Download dependencies"
         required: false

.github/workflows/_reusable-security-scan.yml

@@ -8,7 +8,7 @@ on:
         description: "Go version to use"
         required: false
         type: string
-        default: "1.26.1"
+        default: "1.26.4"
       upload-sarif:
         description: "Upload SARIF to GitHub Security"
         required: false

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: "1.26.1"
+  GO_VERSION: "1.26.4"
 
 jobs:
   # ===================================
@@ -75,7 +75,7 @@ jobs:
     name: 🔒 Security Scan
     uses: ./.github/workflows/_reusable-security-scan.yml
     with:
-      go-version: "1.26.1"
+      go-version: "1.26.4"
       upload-sarif: true
       run-vulncheck: false
 
@@ -92,7 +92,7 @@ jobs:
       matrix:
         os: [ubuntu-latest]
         # os: [ubuntu-latest, macos-latest, windows-latest]
-        go-version: ["1.26.1"]
+        go-version: ["1.26.4"]
 
     steps:
       - name: 📂 Checkout code

.github/workflows/coverage.yml

@@ -19,7 +19,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: "1.26.1"
+  GO_VERSION: "1.26.4"
 
 jobs:
   # ===================================

.github/workflows/dependencies.yml

@@ -26,7 +26,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: "1.26.1"
+  GO_VERSION: "1.26.4"
 
 jobs:
   # ===================================

.github/workflows/docker.yml

@@ -20,7 +20,7 @@ concurrency:
 
 env:
   REGISTRY: ghcr.io
-  GO_VERSION: "1.26.1"
+  GO_VERSION: "1.26.4"
 
 jobs:
   # Generate matrix for base OS builds

.github/workflows/release.yml

@@ -21,7 +21,7 @@ concurrency:
   cancel-in-progress: false
 
 env:
-  GO_VERSION: "1.26.1"
+  GO_VERSION: "1.26.4"
   REGISTRY: ghcr.io
 
 jobs:

.github/workflows/security.yml

@@ -21,7 +21,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: "1.26.1"
+  GO_VERSION: "1.26.4"
 
 jobs:
   # ===================================
@@ -31,7 +31,7 @@ jobs:
     name: 🔍 Static Analysis
     uses: ./.github/workflows/_reusable-security-scan.yml
     with:
-      go-version: "1.26.1"
+      go-version: "1.26.4"
       upload-sarif: true
       run-vulncheck: false
 
@@ -42,7 +42,7 @@ jobs:
     name: 🛡️ Vulnerability Scan
     uses: ./.github/workflows/_reusable-security-scan.yml
     with:
-      go-version: "1.26.1"
+      go-version: "1.26.4"
       upload-sarif: false
       run-vulncheck: true
 

AGENTS.md

@@ -29,6 +29,7 @@
 | `pkg/dnfinstall/` | RPM install (GPG verify → CPIO extract → scriptlets → yapdb) |
 | `pkg/yapdb/` | YAP-internal SQLite state DB for installed packages (cross-format) |
 | `pkg/httpclient/` | Shared HTTP client: timeouts, size caps, transient-failure retry with backoff |
+| `pkg/safepath/` | Canonical zip-slip / symlink-escape containment checks for all extractors |
 | `pkg/signing/` | APK RSA + DEB/RPM/Pacman GPG signing |
 | `pkg/sbom/` | CycloneDX 1.5 + SPDX 2.3 generation |
 | `pkg/color/` | Zero-dependency ANSI color helpers |
@@ -259,6 +260,7 @@ Test script: `scripts/e2e-rpm.sh` (runs inside Rocky 8 container)
 - Mirror failover (dnf) — `pkg/dnfcache` keeps every `baseurl=` entry (incl. dnf-style continuation lines) and up to 5 mirrorlist/metalink mirrors; repomd + primary always come from the SAME mirror (no mixed metadata generations); dead (4xx/network) or stale (checksum-mismatch) mirrors are skipped with a warn; the winning mirror is persisted in `.baseurl` and preferred for package downloads
 - Transient-failure retry — `pkg/httpclient` `WithRetry`/`IsRetryable` (3 attempts, exponential backoff + jitter; retries transport errors, mid-body EOF, HTTP 408/429/5xx; never other 4xx/size-cap/ctx-cancel); wired into all dnf/apt/apk/pacman metadata and package fetch paths; tests shrink backoff via `httpclient.SetRetryPolicy` in `TestMain`
 - Source download retry (gensum / pkg/source / pkg/platform) — `pkg/download` (grab-based, resume-capable) classifies retryability with typed checks: `grab.StatusCodeError` 408/429/5xx retried, other 4xx definitive, `grab.ErrBadLength` retried after clearing the unresumable partial, ctx-cancel never retried, transport errors defer to `httpclient.IsRetryable`; backoff is `backoffBase` (1s, doubles; tests shrink it in `TestMain`)
+- Extraction safety — `pkg/safepath` (`Join`, `JoinStrict`, `SymlinkTarget`, `EntrySymlinkTarget`): one Rel-based containment implementation shared by archive, aptinstall, dnfinstall, apkindex, and container/rootless (per-package wrappers keep local names); hostile `..`-bearing member names are rejected even under root "/" (Clean clamping is NOT trusted), and rootfs layer extraction validates symlink targets
 - Transitive cross-build dep extraction — `pkg/builders/common/cross.go` `DownloadClosure`
 - Package signing — APK RSA + DEB/RPM/Pacman GPG
 - SBOM — CycloneDX 1.5 + SPDX 2.3