Reconcile working tree for the 6.7.0 release

Consolidate the unreleased changelog into a release summary: 8 entries to 7, ordered breaking-first, each tightened to a single sentence.

In cli.py, lift the cooldown-supported manager list to a pool-derived `COOLDOWN_SUPPORTED_MANAGERS` constant and fix the `--cooldown` help to list pnpm; drop an unused `Context` import. Repair two docstring cross-references in execution.py.

Add targeted type-ignore comments clearing 24 mypy errors in the new concurrency, pool, and metadata tests.

Fix two lint violations in the Guix deps-check workflow: a shellcheck SC2024 redirect warning and an over-length line.

List pnpm among the cooldown-enforcing managers in docs/configuration.md.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: kdeldycke

.github/workflows/check-guix-deps.yaml

@@ -66,6 +66,10 @@ jobs:
           echo "${guix_root}/bin" >> "${GITHUB_PATH}"
           # Authorize the build farm so substitutes are usable.
           for pub in "${guix_root}"/share/guix/*.pub; do
+            # The *.pub keys are world-readable, so reading them via the input
+            # redirect works as the unprivileged user; only the ACL write that
+            # `guix archive --authorize` performs needs root, hence sudo.
+            # shellcheck disable=SC2024
             sudo "${guix_root}/bin/guix" archive --authorize < "${pub}"
           done
 
@@ -110,7 +114,11 @@ jobs:
           echo "log files: ${paths:-<none>}"
           for logf in ${paths}; do
             echo "=================== ${logf} ==================="
-            { sudo zcat "${logf}" 2>/dev/null || sudo bzcat "${logf}" 2>/dev/null || zcat "${logf}" 2>/dev/null; } | tail -250
+            {
+              sudo zcat "${logf}" 2>/dev/null \
+                || sudo bzcat "${logf}" 2>/dev/null \
+                || zcat "${logf}" 2>/dev/null
+            } | tail -250
           done
           exit 1
 

changelog.md

@@ -5,14 +5,13 @@
 > [!WARNING]
 > This version is **not released yet** and is under active development.
 
-- **Breaking:** [mpm] Rename the `--allow-no-cooldown` flag (shipped in `6.6.0`) to the `--require-cooldown-support`/`--allow-unsupported-managers` boolean pair, and rename its `allow_no_cooldown` config to `require_cooldown_support` (default `true`). Pass `--allow-unsupported-managers` (or set `require_cooldown_support = false`) for the previous `--allow-no-cooldown` behavior.
-- [pnpm] Add the pnpm package manager, with `installed`, `outdated`, `search`, `install`, `upgrade`, `remove` and `cleanup` support. Enforce the supply-chain `--cooldown` through pnpm's native `minimumReleaseAge` gate.
-- [mpm] Bundle the click-extra config-format extras (`toml`, `yaml`, `json5`, `jsonc`, `hjson`, `xml`) into the standalone binary via `[tool.repomatic] nuitka.extras` plus matching `[tool.nuitka] include-package` entries, so the binary can read configs in all six formats (the source distribution already supported them as optional extras).
-- [mpm] `install` and `remove` now exit with a non-zero status when a requested package could not be installed or removed by any selected manager. Both commands previously always exited `0`, masking failures. As part of this, `install` installs every requested package instead of stopping after the first one that succeeds.
-- [mpm] `--timeout` now defaults to a per-operation value instead of a flat 500s: read-only queries (`installed`, `outdated`, `search`) and the version-detection probe get a shorter 120s cap so a wedged or pathologically slow CLI (like `guix search` scanning every package) fails fast, while state-changing operations (`install`, `upgrade`, `remove`, `sync`, `cleanup`) keep the 500s cap for source builds and channel syncs. Passing `--timeout` or setting a per-manager `timeout` still overrides every operation.
-- [mpm] Read-only operations (`installed`, `outdated`, `search`) now query managers in parallel: a slow manager (like `guix search` scanning every package) no longer blocks the others, dropping the wall-clock from the sum of every manager to the slowest single one. Manager availability detection (the per-manager `--version` probe run while selecting managers) is warmed in parallel the same way, shaving startup latency off every command that touches many managers. Add a `--jobs`/`-j` option (default: CPU count minus one) to size the thread pool; `--jobs 1` or `--verbosity DEBUG` runs sequentially. State-changing operations (`install`, `upgrade`, `remove`, `sync`, `cleanup`) stay sequential, and a single aggregate spinner replaces the per-manager ones while a batch runs concurrently: it shows a live `8/12 managers` count, leaves a `✓`/`✗` trail naming each manager (and whether it erred) as it finishes, and ends with a persistent `✓ Searched 12 managers (15s)` line when it was on screen. Refs {issue}`529`.
-- [mpm] Show a progress spinner on stderr while a manager CLI call runs longer than a second, so a slow operation (like `guix search` scanning every package) no longer looks like a hang. It carries the elapsed time (`⠙ guix search (12.3s)`) so a long call reads as progressing rather than stuck. Built on the `Spinner` widget and the `--progress`/`--no-progress` default option from click-extra; mpm additionally suppresses it for serialized output and at DEBUG verbosity (where logs already narrate). The spinner self-disables off a terminal (pipes, `TERM=dumb`, CI) and under `--no-progress`/`--accessible`.
-- [mpm] Widen the binary smoke tests in `tests/cli-test-plan.yaml`: per-format `--validate-config` against a tiny fixture for each of the seven readers; `--table-format` rendering in JSON, YAML, TOML, and XML; the cycle's new `--man`, `--show-params`, `--accessible`, `--summary`, and `--cooldown` globals; the `config-template`, `help`, and `search` subcommands; and negative cases that assert click-extra's usage errors stay surfaced as exit code 2 instead of leaking a Python traceback from the onefile binary.
+- **Breaking:** [mpm] Rename the `--allow-no-cooldown` flag to the `--require-cooldown-support`/`--allow-unsupported-managers` pair, and its `allow_no_cooldown` config to `require_cooldown_support` (default `true`).
+- [pnpm] Add the pnpm package manager (`installed`, `outdated`, `search`, `install`, `upgrade`, `remove`, `cleanup`), enforcing `--cooldown` via pnpm's native `minimumReleaseAge` gate.
+- [mpm] Read-only operations (`installed`, `outdated`, `search`) now query managers in parallel, as does the manager-availability probe, via a new `--jobs`/`-j` option (default: CPU count minus one); state-changing operations stay sequential. Refs {issue}`529`.
+- [mpm] Show a progress spinner with elapsed time on stderr for manager CLI calls running longer than a second, with a single aggregate spinner during parallel batches; toggle it with click-extra's `--progress`/`--no-progress`.
+- [mpm] The standalone binary now reads configuration in all six formats (`toml`, `yaml`, `json5`, `jsonc`, `hjson`, `xml`), matching the source distribution.
+- [mpm] `--timeout` now defaults per-operation — 120s for read-only queries (`installed`, `outdated`, `search`) and 500s for state-changing operations — instead of a flat 500s; an explicit `--timeout` still overrides.
+- [mpm] `install` and `remove` now exit non-zero when no manager could fulfill a request (previously always `0`); `install` also installs every requested package, not just the first to succeed.
 
 ## [`6.6.0` (2026-06-17)](https://github.com/kdeldycke/meta-package-manager/compare/v6.5.1...v6.6.0)
 

docs/configuration.md

@@ -78,7 +78,7 @@ These go under `[mpm]` (or `[tool.mpm]` in `pyproject.toml`):
 
 `cooldown` is a supply-chain safeguard: it refuses to install or upgrade any package version published more recently than the given age, giving a freshly-published (and possibly compromised) release time to be caught and pulled before it reaches the system.
 
-`mpm` enforces the cooldown through each manager's own release-age mechanism, so only managers that ship one are covered: `uv` and `uvx` (via `exclude-newer`), `npm` (via `min-release-age`), `pip` (via `--uploaded-prior-to`), and `pipx` (which inherits the pip setting). Managers without native support cannot honor the gate. By default they are skipped during install and upgrade (fail-closed), so nothing slips in unguarded. Pass `--allow-unsupported-managers` (or set `require_cooldown_support = false`) to run them anyway, without the safeguard. Read-only operations (`outdated`, `installed`, `search`) are never blocked.
+`mpm` enforces the cooldown through each manager's own release-age mechanism, so only managers that ship one are covered: `uv` and `uvx` (via `exclude-newer`), `npm` (via `min-release-age`), `pnpm` (via `minimumReleaseAge`), `pip` (via `--uploaded-prior-to`), and `pipx` (which inherits the pip setting). Managers without native support cannot honor the gate. By default they are skipped during install and upgrade (fail-closed), so nothing slips in unguarded. Pass `--allow-unsupported-managers` (or set `require_cooldown_support = false`) to run them anyway, without the safeguard. Read-only operations (`outdated`, `installed`, `search`) are never blocked.
 
 See {doc}`cooldown` for the full support matrix and the rationale.
 

meta_package_manager/cli.py

@@ -44,7 +44,6 @@
 from click_extra import (
     STRING,
     Choice,
-    Context,
     EnumChoice,
     File,
     IntRange,
@@ -157,6 +156,17 @@ class SortableField(StrEnum):
 See the corresponding :issue:`implementation rationale in issue #10 <10>`.
 """
 
+COOLDOWN_SUPPORTED_MANAGERS = tuple(
+    sorted(mid for mid, manager in pool.items() if manager.supports_cooldown)
+)
+"""IDs of the managers that natively enforce a release-age :option:`mpm --cooldown`.
+
+Derived from the pool so the ``--cooldown`` help text never drifts from the set of
+managers that actually carry a :py:attr:`cooldown_env_var
+<meta_package_manager.execution.CLIExecutor.cooldown_env_var>`: adding cooldown
+support to a manager surfaces it here automatically.
+"""
+
 
 class Duration(ParamType):
     """Parse a cooldown spec into a :py:class:`datetime.timedelta`.
@@ -655,8 +665,8 @@ def bar_plugin_path(ctx: Context, param: Parameter, value: str | None):
         "attacks. Accepts a friendly duration ('7 days', '1 week', '12h'), an "
         "ISO 8601 duration ('P7D', 'PT12H'), or an RFC 3339 absolute timestamp "
         "('2024-05-01T00:00:00Z'). Only honored by managers with native "
-        "release-age support (uv, npm, pip, pipx); the others are skipped "
-        "unless --allow-unsupported-managers is set.",
+        "release-age support (" + ", ".join(COOLDOWN_SUPPORTED_MANAGERS) + "); the "
+        "others are skipped unless --allow-unsupported-managers is set.",
     ),
     option(
         "--require-cooldown-support/--allow-unsupported-managers",

meta_package_manager/execution.py

@@ -278,7 +278,7 @@ class CLIExecutor:
     """Maximum number of seconds to wait for a CLI call to complete.
 
     ``None`` means the user expressed no explicit preference: the effective cap is
-    then resolved per-operation by :py:meth:`_resolve_timeout` from
+    then resolved per-operation by ``_resolve_timeout()`` from
     :py:data:`OPERATION_TIMEOUTS`. A non-``None`` value (the ``--timeout`` flag or a
     per-manager override) wins for every operation.
     """
@@ -297,8 +297,8 @@ class CLIExecutor:
 
     Set by the CLI to an interactive, human-facing run only (a TTY, no serialized
     output, not at DEBUG verbosity). Even when ``True`` the spinner still
-    self-suppresses off a TTY: see :py:meth:`_make_spinner`. Defaults to ``False``
-    so programmatic use stays silent.
+    self-suppresses off a TTY: see ``_make_spinner()``. Defaults to ``False`` so
+    programmatic use stays silent.
     """
 
     cooldown: timedelta | None = None

tests/test_cli_concurrency.py

@@ -84,7 +84,11 @@ def test_runs_sequentially_in_main_thread(jobs, verbosity, manager_count):
     managers = [FakeManager(f"m{i}") for i in range(manager_count)]
     threads: list = []
     collect_from_managers(
-        ctx, "Testing", "Tested", managers, _record_thread(threads, threading.Lock())
+        ctx,  # type: ignore[arg-type]
+        "Testing",
+        "Tested",
+        managers,  # type: ignore[arg-type]
+        _record_thread(threads, threading.Lock()),
     )
     assert threads, "work was never called"
     assert all(thread is threading.main_thread() for thread in threads)
@@ -95,7 +99,11 @@ def test_runs_concurrently_off_the_main_thread():
     managers = [FakeManager(f"m{i}") for i in range(4)]
     threads: list = []
     collect_from_managers(
-        ctx, "Testing", "Tested", managers, _record_thread(threads, threading.Lock())
+        ctx,  # type: ignore[arg-type]
+        "Testing",
+        "Tested",
+        managers,  # type: ignore[arg-type]
+        _record_thread(threads, threading.Lock()),
     )
     assert len(threads) == 4
     assert all(thread is not threading.main_thread() for thread in threads)
@@ -112,7 +120,13 @@ def work(manager):
         time.sleep(0.01 * (len(managers) - index))
         return manager.id, {"index": index}
 
-    results = collect_from_managers(ctx, "Testing", "Tested", managers, work)
+    results = collect_from_managers(
+        ctx,  # type: ignore[arg-type]
+        "Testing",
+        "Tested",
+        managers,  # type: ignore[arg-type]
+        work,
+    )
     assert [manager_id for manager_id, _ in results] == [f"m{i}" for i in range(8)]
 
 
@@ -121,7 +135,11 @@ def test_suppresses_per_manager_spinners_when_concurrent():
     ctx = FakeContext(jobs=4)
     managers = [FakeManager(f"m{i}", progress=True) for i in range(4)]
     collect_from_managers(
-        ctx, "Testing", "Tested", managers, lambda manager: (manager.id, {})
+        ctx,  # type: ignore[arg-type]
+        "Testing",
+        "Tested",
+        managers,  # type: ignore[arg-type]
+        lambda manager: (manager.id, {}),
     )
     assert all(manager.progress is False for manager in managers)
 
@@ -131,7 +149,11 @@ def test_keeps_per_manager_spinners_when_sequential():
     ctx = FakeContext(jobs=1)
     managers = [FakeManager(f"m{i}", progress=True) for i in range(3)]
     collect_from_managers(
-        ctx, "Testing", "Tested", managers, lambda manager: (manager.id, {})
+        ctx,  # type: ignore[arg-type]
+        "Testing",
+        "Tested",
+        managers,  # type: ignore[arg-type]
+        lambda manager: (manager.id, {}),
     )
     assert all(manager.progress is True for manager in managers)
 
@@ -140,7 +162,11 @@ def test_empty_manager_list_returns_empty():
     ctx = FakeContext(jobs=4)
     assert (
         collect_from_managers(
-            ctx, "Testing", "Tested", [], lambda manager: (manager.id, {})
+            ctx,  # type: ignore[arg-type]
+            "Testing",
+            "Tested",
+            [],
+            lambda manager: (manager.id, {}),
         )
         == []
     )
@@ -155,7 +181,11 @@ def test_no_finisher_line_off_terminal(capsys):
     ctx = FakeContext(jobs=4)
     managers = [FakeManager(f"m{i}", progress=True) for i in range(4)]
     collect_from_managers(
-        ctx, "Searching", "Searched", managers, lambda manager: (manager.id, {})
+        ctx,  # type: ignore[arg-type]
+        "Searching",
+        "Searched",
+        managers,  # type: ignore[arg-type]
+        lambda manager: (manager.id, {}),
     )
     assert "Searched" not in capsys.readouterr().err
 
@@ -174,7 +204,13 @@ def slow_work(manager):
         time.sleep(0.1)  # Outlast the zeroed delay so the spinner draws a frame.
         return manager.id, {}
 
-    collect_from_managers(ctx, "Searching", "Searched", managers, slow_work)
+    collect_from_managers(
+        ctx,  # type: ignore[arg-type]
+        "Searching",
+        "Searched",
+        managers,  # type: ignore[arg-type]
+        slow_work,
+    )
     output = tty.getvalue()
     # The spinner draws its seeded running count before any manager lands...
     assert "Searching 0/4 managers" in output
@@ -200,7 +236,13 @@ def work(manager):
         errors = ["boom"] if manager.id == "m2" else []
         return manager.id, {"errors": errors}
 
-    collect_from_managers(ctx, "Searching", "Searched", managers, work)
+    collect_from_managers(
+        ctx,  # type: ignore[arg-type]
+        "Searching",
+        "Searched",
+        managers,  # type: ignore[arg-type]
+        work,
+    )
     output = tty.getvalue()
     assert KO_GLYPH in output  # The failure glyph, for m2.
     assert OK_GLYPH in output  # The success glyph, for the other managers.
@@ -229,7 +271,13 @@ def work(manager):
         time.sleep(0.03 if int(manager.id[1:]) < 3 else 0.4)
         return manager.id, {}
 
-    collect_from_managers(ctx, "Checking", "Checked", managers, work)
+    collect_from_managers(
+        ctx,  # type: ignore[arg-type]
+        "Checking",
+        "Checked",
+        managers,  # type: ignore[arg-type]
+        work,
+    )
     output = tty.getvalue()
     # Every manager — fast and slow alike — appears, not just the slow three.
     assert all(f"m{i}" in output for i in range(6))

tests/test_metadata.py

@@ -52,7 +52,8 @@
 def _load_pyproject() -> dict:
     """Parse the project's ``pyproject.toml`` into a dictionary."""
     path = PROJECT_ROOT.joinpath("pyproject.toml")
-    return tomllib.loads(path.read_text(encoding="UTF-8"))
+    content = path.read_text(encoding="UTF-8")
+    return tomllib.loads(content)  # type: ignore[no-any-return]
 
 
 def _major_minor(version: str) -> tuple[int, int]:

tests/test_pool.py

@@ -277,7 +277,8 @@ def _jobs_context(jobs: int, verbosity: str = "INFO") -> click.Context:
 def test_warm_availability_skips_without_context():
     """No active CLI context: leave probing to the lazy, sequential filter loop."""
     accessed: list = []
-    warm_availability([_RecordingManager(accessed), _RecordingManager(accessed)])
+    managers = [_RecordingManager(accessed), _RecordingManager(accessed)]
+    warm_availability(managers)  # type: ignore[arg-type]
     assert accessed == []
 
 
@@ -293,7 +294,7 @@ def test_warm_availability_skips_when_not_concurrent(jobs, verbosity, count):
     accessed: list = []
     managers = [_RecordingManager(accessed) for _ in range(count)]
     with _jobs_context(jobs, verbosity):
-        warm_availability(managers)
+        warm_availability(managers)  # type: ignore[arg-type]
     assert accessed == []
 
 
@@ -302,6 +303,6 @@ def test_warm_availability_probes_concurrently():
     threads: list = []
     managers = [_RecordingManager(threads) for _ in range(4)]
     with _jobs_context(jobs=4):
-        warm_availability(managers)
+        warm_availability(managers)  # type: ignore[arg-type]
     assert len(threads) == 4
     assert all(thread is not threading.main_thread() for thread in threads)