feat: version-aware JIT source provisioning with TTL-based cleanup (#2010)

* fix: JIT source provisioning now takes precedence over local components

When both source.uri and provision.workdir.enabled are configured on a
component, the JIT source provisioner now always runs, even if a local
component already exists. This ensures that source + workdir provisioning
always vendors from the remote source to the workdir path, respecting the
version specified in stack config rather than using a potentially stale
local component.

Added regression test to verify source provisioning takes precedence when
both local component and source config are present.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* feat: version-aware JIT source provisioning with TTL-based cleanup

- Implement intelligent re-provisioning for remote sources based on version/URI changes
- Add incremental local sync with per-file checksum comparison using SyncDir
- Support TTL-based cleanup for stale workdirs via duration parsing
- Move workdir metadata from flat file to .atmos/metadata.json for better organization
- Track source_uri, source_version, and last_accessed timestamps
- Add new CLI flags: --expired, --ttl, --dry-run for workdir clean command
- Update workdir list and show commands with version and access information
- Extract duration parsing to new pkg/duration package for reusability

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: Reduce cyclomatic and cognitive complexity in workdir/source packages

- Extract helper functions to reduce function complexity:
  - duration.go: Use maps for unit multipliers and keywords, extract parseInteger/parseWithSuffix/parseKeyword
  - provision_hook.go: Extract isNonEmptyDir and checkMetadataChanges
  - clean.go: Extract checkWorkdirExpiry, getLastAccessedTime, getModTimeFromEntry
  - fs.go: Extract syncSourceToDest, fileNeedsCopy, deleteRemovedFiles
  - workdir.go: Extract validateComponentPath, computeContentHash, create localMetadataParams struct

- Pass localMetadataParams by pointer to avoid hugeParam warning

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: Update source-provisioning example to use demo-library

Replace terraform-null-label (which is a module, not a component) with
demo-library components that can actually be run with terraform apply.

The example now demonstrates both source types:
- weather: LOCAL source (../demo-library/weather)
- ipinfo: REMOTE source (github.com/cloudposse/atmos//examples/demo-library/ipinfo)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Address PR review comments for JIT source provisioning

- Add duration overflow guard in ParseDuration (Comment #6)
- Fix non-workdir re-provisioning: skip metadata check for non-workdir targets (Comments #7, #11)
- Detect version removal: trigger re-provisioning when version is removed (Comments #8, #14)
- Fix blog date 2025 → 2026 (Comments #9, #16)
- Surface metadata read failures as warnings in ListWorkdirs (Comment #10)
- Add periods to comment block in needsProvisioning (Comment #12)
- Treat .atmos-only directories as empty in isNonEmptyDir (Comment #13)
- Skip .atmos during source walk in syncSourceToDest (Comment #15)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Update golden snapshot for atmos describe config

Add the new provision.workdir section to the expected output,
matching the new JIT source provisioning configuration schema.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Address additional PR review comments

- Guard against int64 overflow in parseWithSuffix (Comment #2)
- Branch metadata writing by source type - local vs remote (Comment #3)
- Add permission checks to fileNeedsCopy for mode changes (Comment #4)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Add tests to improve coverage for workdir and source provisioning

Adds comprehensive tests for:
- CleanExpiredWorkdirs with mock filesystem
- formatDuration for human-readable output
- getLastAccessedTime with atime fallback to mtime
- checkWorkdirExpiry with valid/corrupt/missing metadata
- isLocalSource for local vs remote URI detection

Also fixes linter issues:
- godot: Fix comment in duration.go
- revive: Refactor formatWithOptions to map-based dispatch

Addresses CodeRabbit comment #1 requesting improved patch coverage.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Return wrapped error from ReadMetadata instead of warning

Changes error handling in ListWorkdirs to return a wrapped error when
ReadMetadata fails, surfacing permission/corruption issues to callers.
Directories without metadata (metadata == nil) still skip silently.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Improve test coverage and address CodeRabbit review comments

- Add metadata_test.go with tests for UpdateLastAccessed and readMetadataUnlocked
- Add buildLocalMetadata tests covering all timestamp preservation branches
- Add cleanExpiredWorkdirs and CleanExpiredWorkdirs tests
- Fix ListWorkdirs to skip invalid metadata instead of failing entire operation
- Fix zero timestamp display to show "-" instead of "0001-01-01"
- Fix isLocalSource to use filepath.IsAbs for Windows path support
- Fix godot lint issues in log_utils.go

Coverage improvements:
- pkg/provisioner/workdir: 82.1% -> 88.1%
- cmd/terraform/workdir: 58.7% -> 92.2% (function coverage)
- UpdateLastAccessed: 0% -> 84.2%
- readMetadataUnlocked: 0% -> 100%
- buildLocalMetadata: 57% -> 100%
- cleanExpiredWorkdirs: 0% -> 100%

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Add JIT source provisioning tests for destroy and init commands

Add test coverage to confirm that JIT source provisioning correctly
takes precedence over local components for all terraform subcommands,
not just plan. These tests verify that when:
- source.uri is configured
- provision.workdir.enabled: true
- A local component exists at components/terraform/<component>/

The workdir is populated from the remote source, NOT copied from
the local component. This confirms the fix in ExecuteTerraform()
works universally for destroy and init commands.

Uses table-driven test pattern to avoid code duplication.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Expand JIT source tests to cover all terraform subcommands

Expand table-driven test to verify JIT source provisioning works for
all 22 terraform subcommands that operate on a component with a stack:

Core execution: apply, deploy, destroy, init, workspace
State/resource: console, force-unlock, get, graph, import, output,
                refresh, show, state, taint, untaint
Validation/info: metadata, modules, providers, test, validate

All commands correctly trigger JIT source provisioning when:
- source.uri is configured
- provision.workdir.enabled: true
- A local component exists

The workdir is populated from remote source, not local component.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Improve test coverage and address CodeRabbit review comments

- Make tests fail-fast instead of silently skipping when files don't exist
- Verify context.tf exists (proving remote source was used)
- Assert main.tf does NOT exist (proving local component wasn't copied)
- Remove unused strings import
- Update roadmap with JIT source provisioning precedence milestone
- Update vendoring initiative progress from 86% to 89%

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Add JIT source provisioning to generate commands (#2019)

- Add JIT source provisioning to terraform generate varfile
- Add JIT source provisioning to terraform generate backend
- Add JIT source provisioning to helmfile generate varfile
- Add JIT source provisioning to packer output
- Update golden snapshot for secrets-masking_describe_config test

The generate commands were missing JIT source provisioning that exists
in ExecuteTerraform(), causing them to fail with JIT-vendored components.
This fix adds the same pattern to all affected commands.

Closes #2019

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: Add automatic component refresh milestone to roadmap

Add new milestone to Vendoring & Resilience initiative:
- "Automatic component refresh on version changes"
- Links to PR #2010 and version-aware-jit-provisioning blog post
- Update progress from 89% to 95%

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Improve test coverage and address CodeRabbit review comments

- Add tests for workdir clean command edge cases
- Add tests for workdir show command scenarios
- Add duration parsing tests for TTL validation
- Add filesystem tests for workdir operations
- Add metadata lock tests for Unix file locking

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Windows test compatibility and improve error hint accuracy

- Skip permission-based tests on Windows (Unix permissions not supported)
  - TestFileNeedsCopy_DifferentPermissions
  - TestCopyFile_PreservesPermissions
  - TestServiceProvision_WriteMetadataFails (read-only dirs work differently)
- Use actual componentPath in error hint instead of hardcoded path

Addresses CodeRabbit review feedback.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Address CodeRabbit review comments

- Wrap auto-provision error with ErrSourceProvision sentinel (packer_output.go)
- Add error wrapping with ErrWorkdirMetadata in Windows metadata loader
- Document circular import limitation preventing cmd.NewTestKit usage

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Use runtime.GOOS instead of os.Getenv for Windows detection

GOOS is a compile-time constant, not a runtime environment variable.
os.Getenv("GOOS") returns empty unless explicitly set.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: Ignore flaky kubernetes.io URLs in link checker

The kubernetes.io domain frequently has connection failures/timeouts
in CI, causing spurious link check failures.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: Improve JIT source test assertions with explicit failure

Instead of silently passing when main.tf doesn't exist, the tests now:
- Explicitly fail if main.tf exists (unexpected)
- Read and check for LOCAL_VERSION_MARKER to provide better diagnostics
- Use t.Fatalf to fail fast with clear error messages

Addresses CodeRabbit feedback about test assertion clarity.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: improve coverage for JIT source provisioning

Add comprehensive tests for:

- pkg/provisioner/workdir/metadata.go:
  - MetadataPath function
  - WriteMetadata with all fields populated
  - ReadMetadata new location priority over legacy
  - UpdateLastAccessed preserves all fields

- pkg/provisioner/workdir/clean.go:
  - checkWorkdirExpiry for expired/non-expired workdirs
  - getModTimeFromEntry
  - findExpiredWorkdirs with mixed workdirs
  - CleanExpiredWorkdirs with empty base path
  - Clean with Expired option precedence
  - formatDuration edge cases

- pkg/provisioner/workdir/fs.go:
  - DefaultPathFilter.Match with patterns
  - SyncDir with nested directories
  - SyncDir updating changed files

- pkg/provisioner/source/provision_hook.go:
  - checkMetadataChanges with version scenarios
  - isNonEmptyDir edge cases
  - needsProvisioning for non-workdir targets
  - writeWorkdirMetadata source type detection
  - writeWorkdirMetadata preserving ContentHash

Coverage improvements:
- workdir package: ~79% → 92.5%
- source package: ~76% → 83.6%

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: aknysh <andriy.knysh@gmail.com>

Author: 3 people

cmd/terraform/workdir/mock_workdir_manager_test.go

@@ -21,12 +21,19 @@ var cleanCmd = &cobra.Command{
 	Long: `Remove component working directories.
 
 Use --all to clean all workdirs, or specify a component and stack to clean a specific workdir.
+Use --expired with --ttl to clean only workdirs that haven't been accessed within the TTL.
 Workdirs are ephemeral and can be regenerated by running 'atmos terraform init'.`,
 	Example: `  # Clean a specific workdir
   atmos terraform workdir clean vpc --stack dev
 
   # Clean all workdirs
-  atmos terraform workdir clean --all`,
+  atmos terraform workdir clean --all
+
+  # Clean expired workdirs (not accessed in 7 days)
+  atmos terraform workdir clean --expired --ttl=7d
+
+  # Dry run - show what would be cleaned
+  atmos terraform workdir clean --expired --ttl=24h --dry-run`,
 	Args: cobra.MaximumNArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		defer perf.Track(atmosConfigPtr, "workdir.clean.RunE")()
@@ -37,28 +44,48 @@ Workdirs are ephemeral and can be regenerated by running 'atmos terraform init'.
 			return err
 		}
 		all := v.GetBool("all")
+		expired := v.GetBool("expired")
+		ttl := v.GetString("ttl")
+		dryRun := v.GetBool("dry-run")
 		stack := v.GetString("stack")
 
 		// Validate arguments.
-		if all && len(args) > 0 {
-			return errUtils.Build(errUtils.ErrWorkdirClean).
-				WithExplanation("Cannot specify both --all and a component").
-				WithHint("Use --all alone to clean all workdirs, or specify a component and stack").
-				Err()
-		}
-
-		if !all && len(args) == 0 {
-			return errUtils.Build(errUtils.ErrWorkdirClean).
-				WithExplanation("Either --all or a component is required").
-				WithHint("Use --all to clean all workdirs, or specify a component with --stack").
-				Err()
-		}
-
-		if !all && stack == "" {
-			return errUtils.Build(errUtils.ErrWorkdirClean).
-				WithExplanation("Stack is required when cleaning a specific workdir").
-				WithHint("Use --stack to specify the stack").
-				Err()
+		if expired {
+			// --expired mode: requires --ttl, ignores --all and component.
+			if ttl == "" {
+				return errUtils.Build(errUtils.ErrWorkdirClean).
+					WithExplanation("TTL is required when using --expired").
+					WithHint("Specify a TTL like --ttl=7d or --ttl=24h").
+					Err()
+			}
+			if all || len(args) > 0 {
+				return errUtils.Build(errUtils.ErrWorkdirClean).
+					WithExplanation("Cannot use --all or component with --expired").
+					WithHint("Use --expired --ttl=<duration> alone to clean expired workdirs").
+					Err()
+			}
+		} else {
+			// Non-expired mode: standard validation.
+			if all && len(args) > 0 {
+				return errUtils.Build(errUtils.ErrWorkdirClean).
+					WithExplanation("Cannot specify both --all and a component").
+					WithHint("Use --all alone to clean all workdirs, or specify a component and stack").
+					Err()
+			}
+
+			if !all && len(args) == 0 {
+				return errUtils.Build(errUtils.ErrWorkdirClean).
+					WithExplanation("Either --all, --expired, or a component is required").
+					WithHint("Use --all to clean all workdirs, --expired --ttl to clean stale workdirs, or specify a component with --stack").
+					Err()
+			}
+
+			if !all && len(args) > 0 && stack == "" {
+				return errUtils.Build(errUtils.ErrWorkdirClean).
+					WithExplanation("Stack is required when cleaning a specific workdir").
+					WithHint("Use --stack to specify the stack").
+					Err()
+			}
 		}
 
 		// Initialize config with global flags (--base-path, --config, etc.).
@@ -71,7 +98,10 @@ Workdirs are ephemeral and can be regenerated by running 'atmos terraform init'.
 				Err()
 		}
 
-		// Clean workdirs.
+		// Clean workdirs based on mode.
+		if expired {
+			return cleanExpiredWorkdirs(&atmosConfig, ttl, dryRun)
+		}
 		if all {
 			return cleanAllWorkdirs(&atmosConfig)
 		}
@@ -103,14 +133,27 @@ func cleanSpecificWorkdir(atmosConfig *schema.AtmosConfiguration, component, sta
 	return nil
 }
 
+func cleanExpiredWorkdirs(atmosConfig *schema.AtmosConfiguration, ttl string, dryRun bool) error {
+	defer perf.Track(atmosConfig, "workdir.cleanExpiredWorkdirs")()
+
+	// Use the workdir manager's CleanExpiredWorkdirs.
+	return workdirManager.CleanExpiredWorkdirs(atmosConfig, ttl, dryRun)
+}
+
 func init() {
 	cleanCmd.DisableFlagParsing = false
 
 	// Create parser with functional options.
 	cleanParser = flags.NewStandardParser(
 		flags.WithStackFlag(),
 		flags.WithBoolFlag("all", "a", false, "Clean all workdirs"),
+		flags.WithBoolFlag("expired", "e", false, "Clean only expired workdirs (requires --ttl)"),
+		flags.WithStringFlag("ttl", "t", "", "TTL for expired cleanup (e.g., 7d, 24h, weekly)"),
+		flags.WithBoolFlag("dry-run", "n", false, "Show what would be cleaned without deleting"),
 		flags.WithEnvVars("all", "ATMOS_WORKDIR_CLEAN_ALL"),
+		flags.WithEnvVars("expired", "ATMOS_WORKDIR_CLEAN_EXPIRED"),
+		flags.WithEnvVars("ttl", "ATMOS_WORKDIR_TTL"),
+		flags.WithEnvVars("dry-run", "ATMOS_WORKDIR_DRY_RUN"),
 	)
 
 	// Register flags with the command.

cmd/terraform/workdir/workdir_clean.go

@@ -404,3 +404,135 @@ func TestCleanSpecificWorkdir_VariousInputs(t *testing.T) {
 		})
 	}
 }
+
+func TestCleanExpiredWorkdirs_Success(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	mock := NewMockWorkdirManager(ctrl)
+	mock.EXPECT().CleanExpiredWorkdirs(gomock.Any(), "7d", false).Return(nil)
+
+	// Save and restore.
+	original := workdirManager
+	defer func() { workdirManager = original }()
+	SetWorkdirManager(mock)
+
+	atmosConfig := &schema.AtmosConfiguration{}
+	err := cleanExpiredWorkdirs(atmosConfig, "7d", false)
+	assert.NoError(t, err)
+}
+
+func TestCleanExpiredWorkdirs_DryRun(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	mock := NewMockWorkdirManager(ctrl)
+	mock.EXPECT().CleanExpiredWorkdirs(gomock.Any(), "30d", true).Return(nil)
+
+	// Save and restore.
+	original := workdirManager
+	defer func() { workdirManager = original }()
+	SetWorkdirManager(mock)
+
+	atmosConfig := &schema.AtmosConfiguration{}
+	err := cleanExpiredWorkdirs(atmosConfig, "30d", true)
+	assert.NoError(t, err)
+}
+
+func TestCleanExpiredWorkdirs_Error(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	mock := NewMockWorkdirManager(ctrl)
+	expectedErr := errUtils.Build(errUtils.ErrWorkdirClean).
+		WithExplanation("invalid TTL").
+		Err()
+	mock.EXPECT().CleanExpiredWorkdirs(gomock.Any(), "invalid", false).Return(expectedErr)
+
+	// Save and restore.
+	original := workdirManager
+	defer func() { workdirManager = original }()
+	SetWorkdirManager(mock)
+
+	atmosConfig := &schema.AtmosConfiguration{}
+	err := cleanExpiredWorkdirs(atmosConfig, "invalid", false)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}
+
+// RunE validation tests - test the command entry point validation logic.
+
+// resetViperForTest resets viper flags for test isolation.
+// Note: cmd.NewTestKit cannot be used here due to circular import between
+// cmd/terraform/workdir and cmd packages.
+func resetViperForTest(t *testing.T) {
+	t.Helper()
+	v := viper.GetViper()
+	v.Set("all", false)
+	v.Set("expired", false)
+	v.Set("ttl", "")
+	v.Set("dry-run", false)
+	v.Set("stack", "")
+}
+
+func TestCleanCmd_RunE_ExpiredWithoutTTL(t *testing.T) {
+	resetViperForTest(t)
+	v := viper.GetViper()
+	v.Set("expired", true)
+	v.Set("ttl", "") // No TTL provided.
+
+	err := cleanCmd.RunE(cleanCmd, []string{})
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}
+
+func TestCleanCmd_RunE_ExpiredWithAll(t *testing.T) {
+	resetViperForTest(t)
+	v := viper.GetViper()
+	v.Set("expired", true)
+	v.Set("ttl", "7d")
+	v.Set("all", true) // Cannot use --all with --expired.
+
+	err := cleanCmd.RunE(cleanCmd, []string{})
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}
+
+func TestCleanCmd_RunE_ExpiredWithComponent(t *testing.T) {
+	resetViperForTest(t)
+	v := viper.GetViper()
+	v.Set("expired", true)
+	v.Set("ttl", "7d")
+
+	err := cleanCmd.RunE(cleanCmd, []string{"vpc"}) // Component arg with --expired.
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}
+
+func TestCleanCmd_RunE_ActualCall_AllWithComponent(t *testing.T) {
+	resetViperForTest(t)
+	v := viper.GetViper()
+	v.Set("all", true)
+
+	err := cleanCmd.RunE(cleanCmd, []string{"vpc"}) // --all with component arg.
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}
+
+func TestCleanCmd_RunE_ActualCall_NoFlagsNoArgs(t *testing.T) {
+	resetViperForTest(t)
+
+	err := cleanCmd.RunE(cleanCmd, []string{}) // No flags, no args.
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}
+
+func TestCleanCmd_RunE_ActualCall_ComponentWithoutStack(t *testing.T) {
+	resetViperForTest(t)
+	v := viper.GetViper()
+	v.Set("stack", "") // No stack provided.
+
+	err := cleanCmd.RunE(cleanCmd, []string{"vpc"}) // Component without --stack.
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, errUtils.ErrWorkdirClean)
+}