test: increase test coverage in pkg/flags, pkg/filesystem, pkg/http, and pkg/function

CHANGELOG.md

@@ -0,0 +1,40 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://www.conventionalcommits.org/) for commit message format.
+
+---
+
+## [Unreleased]
+
+### Changed
+
+- **`pkg/filesystem.GetGlobMatches`**: always returns a non-nil `[]string{}` (never `nil`).
+  Callers must use `len(result) == 0` to detect no matches instead of `result == nil`.
+  The cache is now bounded and configurable via three environment variables:
+  - `ATMOS_FS_GLOB_CACHE_MAX_ENTRIES` (default `1024`, minimum `16`) — maximum number of cached glob patterns.
+  - `ATMOS_FS_GLOB_CACHE_TTL` (default `5m`, minimum `1s`) — time-to-live for each cache entry.
+    Values below the respective minimums are clamped up rather than rejected.
+  - `ATMOS_FS_GLOB_CACHE_EMPTY` (default `1`) — set to `0` to skip caching patterns that match no files.
+- **`pkg/http.normalizeHost`**: now strips default ports (`:443`, `:80`) in addition to
+  lower-casing and removing trailing dots, so that `api.github.com:443` is treated
+  identically to `api.github.com` for allowlist matching.
+
+### Added
+
+- **`pkg/filesystem`**: expvar observability counters (`atmos_glob_cache_hits`,
+  `atmos_glob_cache_misses`, `atmos_glob_cache_evictions`, `atmos_glob_cache_len`) published
+  via `RegisterGlobCacheExpvars()` and accessible at `/debug/vars` when the HTTP debug
+  server is enabled.
+- **`pkg/http`**: host-matcher three-level precedence documented and tested:
+  1. `WithGitHubHostMatcher` — custom predicate always wins.
+  2. `GITHUB_API_URL` — GHES hostname added to allowlist when set.
+  3. Built-in allowlist — `api.github.com`, `raw.githubusercontent.com`, `uploads.github.com`.
+  Authorization is only injected over HTTPS and stripped on cross-host redirects
+  (301 / 302 / 303 / 307 / 308) to prevent token leakage.
+
+### Security
+
+- Cross-host HTTP redirects (all five status codes: 301, 302, 303, 307, 308) no longer
+  forward the `Authorization` header to the redirect target, preventing accidental token
+  leakage via open redirects.

CLAUDE.md

@@ -444,6 +444,8 @@ Auto-enabled via `RootCmd.ExecuteC()`. Non-standard paths use `telemetry.Capture
 
 **Prerequisites**: Go 1.26+, golangci-lint, Make. See `.cursor/rules/atmos-rules.mdc`.
 
+> **Minimum Go version**: `go.mod` requires Go 1.26. Test helpers use `sync.Map.Clear` (added in Go 1.23) and range-over-int (Go 1.22). CI pins the Go version via `go-version-file: go.mod`. Local development with an older toolchain will fail to compile test-only files.
+
 **Build**: CGO disabled, cross-platform, version via ldflags, output to `./build/`
 
 ### Compilation (MANDATORY)

Makefile

@@ -124,4 +124,11 @@ link-check:
 	@command -v lychee >/dev/null 2>&1 || { echo "Install lychee: brew install lychee"; exit 1; }
 	lychee --config lychee.toml --root-dir "$(CURDIR)" '**/*.md'
 
-.PHONY: readme lint lintroller gomodcheck build version build-linux build-windows build-macos deps version-linux version-windows version-macos testacc testacc-cover testacc-coverage test-short test-short-cover generate-mocks link-check
+# Run quick tests with race detector and shuffled order.
+# This target is recommended for CI to catch data races and order-dependent failures.
+# Usage: make test-race
+test-race: deps
+	@echo "Running tests with -race -shuffle=on"
+	go test -race -shuffle=on $(TEST) $(TESTARGS) -timeout 10m
+
+.PHONY: readme lint lintroller gomodcheck build version build-linux build-windows build-macos deps version-linux version-windows version-macos testacc testacc-cover testacc-coverage test-short test-short-cover test-race generate-mocks link-check

internal/exec/stack_processor_utils.go

@@ -1102,7 +1102,10 @@ func processYAMLConfigFileWithContextInternal(
 							err,
 						)
 						return nil, nil, nil, nil, nil, nil, nil, nil, errors.New(errorMessage)
-					} else if importMatches == nil {
+					} else {
+						// err == nil but importMatches is an empty slice (not nil): pkg/filesystem.GetGlobMatches
+						// guarantees a non-nil result, so the old "else if importMatches == nil" check was dead
+						// code. We reach this branch when no files matched and the call returned ([]string{}, nil).
 						errorMessage := fmt.Sprintf("no matches found for the import '%s' in the file '%s'",
 							imp,
 							relativeFilePath,

pkg/filesystem/doc.go

@@ -0,0 +1,32 @@
+// Package filesystem provides file-system utilities for the Atmos CLI, including
+// atomic file writes (POSIX rename and a Windows-compatible remove-before-rename
+// variant) and glob-pattern matching with a bounded, time-limited LRU cache.
+//
+// # GetGlobMatches contract
+//
+// [GetGlobMatches] always returns a non-nil []string.  An empty result set is
+// returned as []string{}, never nil.  Callers must check len(result) == 0, not
+// result == nil.
+//
+// # Cache configuration
+//
+// The glob LRU cache is configurable at startup via environment variables:
+//
+//   - ATMOS_FS_GLOB_CACHE_MAX_ENTRIES – maximum number of cached patterns
+//     (default: 1024, minimum: 16; values below 16 are clamped up).
+//   - ATMOS_FS_GLOB_CACHE_TTL – TTL per entry as a Go duration string, e.g.
+//     "10m" (default: 5m, minimum: 1s; values below 1s are clamped up).
+//   - ATMOS_FS_GLOB_CACHE_EMPTY – set to "0" or "false" to disable caching
+//     of empty (no-match) results (default: "1" = enabled).
+//
+// # Observability
+//
+// Three atomic int64 counters track cache activity:
+//   - hits, misses, evictions (accessible via [GlobCacheHits], [GlobCacheMisses],
+//     [GlobCacheEvictions] in tests).
+//
+// Call [RegisterGlobCacheExpvars] once at startup to expose these counters via
+// the expvar /debug/vars HTTP endpoint:
+//
+//	filesystem.RegisterGlobCacheExpvars()
+package filesystem

pkg/filesystem/export_test.go

@@ -0,0 +1,100 @@
+package filesystem
+
+import (
+	"path/filepath"
+	"sync"
+	"sync/atomic"
+	"time"
+)
+
+// ResetGlobMatchesCache clears the glob matches LRU cache and resets all counters.
+// This is exported only for testing to avoid data races from direct struct assignment.
+func ResetGlobMatchesCache() {
+	globMatchesLRUMu.Lock()
+	globMatchesLRU.Purge()
+	globMatchesLRUMu.Unlock()
+	atomic.StoreInt64(&globMatchesEvictions, 0)
+	atomic.StoreInt64(&globMatchesHits, 0)
+	atomic.StoreInt64(&globMatchesMisses, 0)
+}
+
+// ResetPathMatchCache clears the path match cache.
+// This is exported only for testing to ensure consistent state between tests.
+func ResetPathMatchCache() {
+	pathMatchCacheMu.Lock()
+	pathMatchCache = make(map[pathMatchKey]bool)
+	pathMatchCacheMu.Unlock()
+}
+
+// SetGlobCacheEntryExpired forcibly marks a cache entry as expired for testing TTL eviction.
+// It re-adds the entry with an expiry in the past, simulating TTL expiry.
+func SetGlobCacheEntryExpired(pattern string) {
+	normalizedPattern := filepath.ToSlash(pattern)
+	globMatchesLRUMu.Lock()
+	if entry, ok := globMatchesLRU.Get(normalizedPattern); ok {
+		entry.expiry = time.Time{} // zero time is in the past
+		globMatchesLRU.Add(normalizedPattern, entry)
+	}
+	globMatchesLRUMu.Unlock()
+}
+
+// GlobCacheLen returns the number of entries currently in the glob LRU cache.
+func GlobCacheLen() int {
+	globMatchesLRUMu.RLock()
+	defer globMatchesLRUMu.RUnlock()
+	return globMatchesLRU.Len()
+}
+
+// GlobCacheEvictions returns the total number of LRU evictions since the last cache reset.
+// This counter is incremented atomically by the LRU eviction callback.
+func GlobCacheEvictions() int64 {
+	return atomic.LoadInt64(&globMatchesEvictions)
+}
+
+// GlobCacheHits returns the total number of cache hits since the last cache reset.
+func GlobCacheHits() int64 {
+	return atomic.LoadInt64(&globMatchesHits)
+}
+
+// GlobCacheMisses returns the total number of cache misses since the last cache reset.
+func GlobCacheMisses() int64 {
+	return atomic.LoadInt64(&globMatchesMisses)
+}
+
+// ApplyGlobCacheConfigForTest re-reads ATMOS_FS_GLOB_CACHE_* env vars and reinitializes
+// the glob LRU cache.  Tests should call this after setting env vars via t.Setenv.
+// It also resets all counters so tests start from a clean baseline.
+func ApplyGlobCacheConfigForTest() {
+	applyGlobCacheConfig()
+	atomic.StoreInt64(&globMatchesEvictions, 0)
+	atomic.StoreInt64(&globMatchesHits, 0)
+	atomic.StoreInt64(&globMatchesMisses, 0)
+}
+
+// GlobCacheEmptyEnabled returns the current empty-result caching setting.
+func GlobCacheEmptyEnabled() bool {
+	globMatchesLRUMu.RLock()
+	defer globMatchesLRUMu.RUnlock()
+	return globCacheEmptyEnabled
+}
+
+// ResetGlobExpvarOnce resets the sync.Once guard so RegisterGlobCacheExpvars
+// can be called again in the same test binary.  Only for use in tests that
+// need to verify expvar registration after a cache reset.
+func ResetGlobExpvarOnce() {
+	globExpvarOnce = sync.Once{}
+}
+
+// GlobCacheTTL returns the currently active cache TTL for test introspection.
+func GlobCacheTTL() time.Duration {
+	globMatchesLRUMu.RLock()
+	defer globMatchesLRUMu.RUnlock()
+	return globCacheTTL
+}
+
+// GlobCacheMaxEntries returns the currently configured LRU capacity for test introspection.
+func GlobCacheMaxEntries() int {
+	globMatchesLRUMu.RLock()
+	defer globMatchesLRUMu.RUnlock()
+	return globCacheMaxEntries
+}