test: increase test coverage in pkg/flags, pkg/filesystem, pkg/http, and pkg/function

[Copilot]

• Fix missing trailing newlines in CHANGELOG.md, errors/errors.go, pkg/http/client.go
• Fix Windows test: replace TestWriteFileAtomicWindows_OverwriteWhileOpenForRead with TestWriteFileAtomicWindows_ModePreserved
• Add logging when ATMOS_FS_GLOB_CACHE_TTL / ATMOS_FS_GLOB_CACHE_MAX_ENTRIES are clamped to minimums (log.Warn)
• Exclude taskfile.dev from lychee link check to prevent flaky CI failures

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Summary by CodeRabbit

• New Features

  • Bounded, configurable LRU glob-pattern cache with TTL and optional empty-result caching
  • Glob-cache metrics exposed for observability
  • HTTP client: configurable GitHub host matching and safer cross-host redirect auth handling
  • Makefile: new race-test target

• Bug Fixes

  • GetGlobMatches now guarantees a non-nil slice and fixes empty-result/missing-base-dir behaviors

• Tests

  • Large expansion of tests covering glob/cache, atomic writes, flags, HTTP client, and race scenarios

• Documentation

  • Minimum Go version and CI/tooling notes; package docs and changelog updates

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA fa508cc.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[codecov]

Codecov Report

❌ Patch coverage is 93.12977% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.56%. Comparing base (eb963b9) to head (fa508cc).

Files with missing lines	Patch %	Lines
pkg/filesystem/glob_metrics.go	81.25%	2 Missing and 1 partial ⚠️
pkg/filesystem/glob.go	96.72%	2 Missing ⚠️
pkg/http/client.go	95.34%	1 Missing and 1 partial ⚠️
internal/exec/stack_processor_utils.go	0.00%	0 Missing and 1 partial ⚠️
pkg/utils/glob_utils.go	90.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2173      +/-   ##
==========================================
+ Coverage   77.23%   77.56%   +0.33%     
==========================================
  Files        1020     1021       +1     
  Lines       96481    96589     +108     
==========================================
+ Hits        74515    74918     +403     
+ Misses      17766    17481     -285     
+ Partials     4200     4190      -10     

Flag	Coverage Δ
unittests	77.56% <93.12%> (+0.33%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
errors/errors.go	100.00% <ø> (ø)
pkg/flags/compat/separated.go	100.00% <ø> (+29.41%)	⬆️
internal/exec/stack_processor_utils.go	81.80% <0.00%> (ø)
pkg/utils/glob_utils.go	97.77% <90.00%> (-2.23%)	⬇️
pkg/filesystem/glob.go	96.87% <96.72%> (+19.79%)	⬆️
pkg/http/client.go	95.61% <95.34%> (+11.19%)	⬆️
pkg/filesystem/glob_metrics.go	81.25% <81.25%> (ø)

... and 15 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[nitrocode]

@copilot fix all the failures

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

pkg/http/client.go (2)

257-261: ⚠️ Potential issue | 🟡 Minor

Keep User-Agent inside the auth-injection branch.

The transport still rewrites User-Agent even when it intentionally preserves a caller-supplied Authorization. Move that write under the inner Authorization == "" check so caller-managed requests stay untouched.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/http/client.go` around lines 257 - 261, The transport currently sets the
"User-Agent" header whenever scheme=="https" && matcher(host) && t.GitHubToken
!= "", even for requests where the caller already provided an Authorization
header; move the reqClone.Header.Set("User-Agent", userAgent) into the inner if
that checks reqClone.Header.Get("Authorization") == "" so that User-Agent is
only injected when the transport also injects Authorization (i.e., inside the
same branch that sets Authorization), leaving caller-supplied Authorization and
User-Agent untouched; update the block around variables scheme, matcher(host),
t.GitHubToken and reqClone.Header accordingly.

---

97-103: ⚠️ Potential issue | 🟡 Minor

Canonicalize redirect origins before stripping auth.

This guard still compares raw Host strings. Case-only, trailing-dot, and default-port variants of the same origin can be treated as cross-host here, which can drop a caller-supplied Authorization on a same-origin redirect and let the wrapper replace it on the next hop.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/http/client.go` around lines 97 - 103, stripAuthOnCrossHostRedirect
currently compares raw req.URL.Host vs via[0].URL.Host which can differ by case,
trailing dots, or implicit default ports and incorrectly drop Authorization;
update the function to canonicalize both endpoints before comparing by using
URL.Hostname() lowercased (trim any trailing dot) and resolve port via
URL.Port() with the scheme's default (80 for http, 443 for https) so you compare
normalized host + port pairs, and only call req.Header.Del("Authorization") when
those normalized origins differ; ensure the function still enforces the
redirect-limit error and returns nil on success.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Around line 14-18: Update the CHANGELOG text to accurately reflect the runtime
behavior implemented in applyGlobCacheConfig: state that only positive values
below the minimums are clamped up to the floor, whereas zero or negative values
for ATMOS_FS_GLOB_CACHE_MAX_ENTRIES, ATMOS_FS_GLOB_CACHE_TTL, and
ATMOS_FS_GLOB_CACHE_EMPTY cause the code to fall back to the default values
rather than being clamped; mention applyGlobCacheConfig by name so readers and
reviewers can find the exact logic.

In `@pkg/http/client.go`:
- Around line 98-99: Replace the ad-hoc errors.New("stopped after 10 redirects")
in the redirect handling branch (the code that checks len(via) >= 10) with a
static sentinel error from the repo error taxonomy: either reference the
existing sentinel in errors/errors.go (e.g., errutils.ErrTooManyRedirects) or
add a new exported sentinel like ErrRedirectLimitExceeded to errors/errors.go
and use that here; ensure you return the sentinel (not a new error string) so
the checkable static error from errors/errors.go is used throughout the
codebase.

---

Duplicate comments:
In `@pkg/http/client.go`:
- Around line 257-261: The transport currently sets the "User-Agent" header
whenever scheme=="https" && matcher(host) && t.GitHubToken != "", even for
requests where the caller already provided an Authorization header; move the
reqClone.Header.Set("User-Agent", userAgent) into the inner if that checks
reqClone.Header.Get("Authorization") == "" so that User-Agent is only injected
when the transport also injects Authorization (i.e., inside the same branch that
sets Authorization), leaving caller-supplied Authorization and User-Agent
untouched; update the block around variables scheme, matcher(host),
t.GitHubToken and reqClone.Header accordingly.
- Around line 97-103: stripAuthOnCrossHostRedirect currently compares raw
req.URL.Host vs via[0].URL.Host which can differ by case, trailing dots, or
implicit default ports and incorrectly drop Authorization; update the function
to canonicalize both endpoints before comparing by using URL.Hostname()
lowercased (trim any trailing dot) and resolve port via URL.Port() with the
scheme's default (80 for http, 443 for https) so you compare normalized host +
port pairs, and only call req.Header.Del("Authorization") when those normalized
origins differ; ensure the function still enforces the redirect-limit error and
returns nil on success.

🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 602ff525-3eaa-44e0-bd23-d013c3bef84b

📥 Commits

Reviewing files that changed from the base of the PR and between 69b1d82 and bc5657f.

📒 Files selected for processing (6)

• CHANGELOG.md
• pkg/filesystem/doc.go
• pkg/filesystem/glob.go
• pkg/filesystem/glob_atomic_test.go
• pkg/http/client.go
• pkg/http/client_test.go

✅ Files skipped from review due to trivial changes (3)

• pkg/filesystem/doc.go
• pkg/http/client_test.go
• pkg/filesystem/glob_atomic_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Clarify how non-positive cache settings behave.

applyGlobCacheConfig only clamps positive values below the floor. 0 and negative values currently fall back to defaults, so "values below the respective minimums are clamped up" reads broader than the shipped behavior.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CHANGELOG.md` around lines 14 - 18, Update the CHANGELOG text to accurately
reflect the runtime behavior implemented in applyGlobCacheConfig: state that
only positive values below the minimums are clamped up to the floor, whereas
zero or negative values for ATMOS_FS_GLOB_CACHE_MAX_ENTRIES,
ATMOS_FS_GLOB_CACHE_TTL, and ATMOS_FS_GLOB_CACHE_EMPTY cause the code to fall
back to the default values rather than being clamped; mention
applyGlobCacheConfig by name so readers and reviewers can find the exact logic.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use a static sentinel for the redirect cap.

This new errors.New(...) path bypasses the repo’s error taxonomy. Please wrap an existing errUtils sentinel here, or add a dedicated redirect-limit sentinel in errors/errors.go. As per coding guidelines, "All errors MUST be wrapped using static errors defined in errors/errors.go."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/http/client.go` around lines 98 - 99, Replace the ad-hoc
errors.New("stopped after 10 redirects") in the redirect handling branch (the
code that checks len(via) >= 10) with a static sentinel error from the repo
error taxonomy: either reference the existing sentinel in errors/errors.go
(e.g., errutils.ErrTooManyRedirects) or add a new exported sentinel like
ErrRedirectLimitExceeded to errors/errors.go and use that here; ensure you
return the sentinel (not a new error string) so the checkable static error from
errors/errors.go is used throughout the codebase.

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 3 file(s) based on 2 unresolved review comments.

Files modified:

• CHANGELOG.md
• errors/errors.go
• pkg/http/client.go

Commit: 7704902e63ffeb3f8257368e4603d75055df92c4

The changes have been pushed to the copilot/increase-test-coverage-high-impact branch.

Time taken: 19m 42s

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

An unexpected error occurred while generating fixes: Request timed out after 1200000ms (requestId=e0c6c363-29bc-4b92-a8a2-dbeb271d7e1e)