agpm-cli 0.4.14

AGent Package Manager - A Git-based package manager for coding agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345

use crate::common::{ManifestBuilder, TestProject};
use anyhow::Result;

/// Regression test for version conflict false positives with pattern + transitive deps.
///
/// Bug scenario (GitHub issue): When combining:
/// 1. Pattern dependency `commands/*.md` with version `commands-^v1.0.0`
/// 2. Commands that declare transitive deps on a snippet with `directives-^v1.0.0`
/// 3. Direct manifest dependency on that snippet with `directives-^v1.0.0`
///
/// BEFORE FIX: Error "Version conflict detected for 'snippets/directives/ai-attribution'"
/// because pattern expansion stored resolved SHA instead of version constraint.
/// The transitive deps showed raw SHA while manifest dep showed the constraint.
///
/// AFTER FIX: Install succeeds - pattern expansion preserves original constraint.
#[tokio::test]
async fn test_pattern_transitive_prefixed_version_no_false_conflict() -> Result<()> {
    let project = TestProject::new().await?;
    let repo = project.create_source_repo("tooling").await?;

    // Add snippet at directives-v1.0.0
    repo.add_resource(
        "snippets/directives",
        "ai-attribution",
        "---\nname: AI Attribution\n---\n# AI Attribution\n",
    )
    .await?;
    repo.commit_all("Add snippet")?;
    repo.tag_version("directives-v1.0.0")?;

    // Add commands that have transitive deps on the snippet WITH explicit version.
    // The bug: When pattern expansion stored SHA instead of constraint, the conflict
    // detector saw the transitive dep's version as the parent's SHA, not this constraint.
    repo.add_resource(
        "commands",
        "commit",
        r#"---
name: Commit
dependencies:
  snippets:
    - path: snippets/directives/ai-attribution.md
      version: directives-^v1.0.0
---
# Commit
"#,
    )
    .await?;

    repo.add_resource(
        "commands",
        "squash",
        r#"---
name: Squash
dependencies:
  snippets:
    - path: snippets/directives/ai-attribution.md
      version: directives-^v1.0.0
---
# Squash
"#,
    )
    .await?;

    repo.commit_all("Add commands")?;
    repo.tag_version("commands-v1.0.0")?;

    let repo_url = repo.bare_file_url(project.sources_path()).await?;

    // Manifest: pattern dep on commands + direct dep on snippet
    let manifest = ManifestBuilder::new()
        .add_source("tooling", &repo_url)
        .add_command("utils", |d| {
            d.source("tooling").path("commands/*.md").version("commands-^v1.0.0")
        })
        .add_snippet("ai-attribution", |d| {
            d.source("tooling")
                .path("snippets/directives/ai-attribution.md")
                .version("directives-^v1.0.0")
        })
        .build();

    project.write_manifest(&manifest).await?;

    // KEY ASSERTION: Before fix, this failed with "Version conflict detected"
    let output = project.run_agpm(&["install"])?;

    assert!(
        output.success,
        "Install should succeed. BEFORE FIX: 'Version conflict detected for ai-attribution'\nstderr: {}\nstdout: {}",
        output.stderr, output.stdout
    );

    assert!(
        !output.stderr.contains("Version conflict"),
        "Should NOT report version conflict. stderr: {}",
        output.stderr
    );

    // Verify Fix 1: Commands should have the version constraint, not SHA
    let lockfile = project.load_lockfile()?;
    for cmd in &lockfile.commands {
        let version = cmd.version.as_ref().expect("command should have version");
        assert!(
            !version.chars().all(|c| c.is_ascii_hexdigit()),
            "Command '{}' version should be constraint 'commands-v1.0.0', not SHA '{}'. Fix 1 not working.",
            cmd.name,
            version
        );
    }

    // Verify Fix 2: The manifest dep should be present in the lockfile.
    // Note: There may be multiple entries if transitive deps use different tools,
    // but the manifest dep (with manifest_alias) should always be present.
    let manifest_snippet =
        lockfile.snippets.iter().find(|s| s.manifest_alias == Some("ai-attribution".to_string()));
    assert!(
        manifest_snippet.is_some(),
        "Should have manifest dep snippet with alias 'ai-attribution'. Got: {:?}",
        lockfile
            .snippets
            .iter()
            .map(|s| (&s.name, &s.manifest_alias, &s.version))
            .collect::<Vec<_>>()
    );

    // The manifest dep should have the correct version constraint
    let snippet = manifest_snippet.unwrap();
    assert_eq!(
        snippet.version,
        Some("directives-v1.0.0".to_string()),
        "Manifest snippet should have version constraint, not SHA"
    );

    Ok(())
}

/// Tests that explicit version specifications in transitive dependencies prevent conflicts
/// when multiple dependency chains (including direct dependencies) all specify the same version.
///
/// Dependency Graph (all from same repository):
/// ```
/// Manifest
/// ├── A (v1.0.0) → B (v1.0.0) → C (v1.0.0)
/// ├── D (v1.0.0) → C (v1.0.0)
/// └── C (v1.0.0)  # Direct dependency
/// ```
///
/// Three paths to C, all requiring v1.0.0:
/// 1. Manifest → A → B → C (transitive)
/// 2. Manifest → D → C (transitive)
/// 3. Manifest → C (direct)
#[tokio::test]
async fn test_explicit_version_specs_prevent_conflicts() -> Result<()> {
    let project = TestProject::new().await?;

    // Create repository with all resources at v1.0.0
    let repo = project.create_source_repo("community").await?;

    // Add resource C (the shared transitive dependency)
    repo.add_resource(
        "agents",
        "resource-c",
        r#"---
name: Resource C
---
# Resource C
This is resource C at v1.0.0.
"#,
    )
    .await?;

    // Add resource B that depends on C
    repo.add_resource(
        "agents",
        "resource-b",
        r#"---
name: Resource B
dependencies:
  agents:
    - path: ./resource-c.md
      version: v1.0.0
---
# Resource B
This is resource B at v1.0.0, depending on C at v1.0.0.
"#,
    )
    .await?;

    // Add resource D that also depends on C
    repo.add_resource(
        "agents",
        "resource-d",
        r#"---
name: Resource D
dependencies:
  agents:
    - path: ./resource-c.md
      version: v1.0.0
---
# Resource D
This is resource D at v1.0.0, depending on C at v1.0.0.
"#,
    )
    .await?;

    // Add resource A that depends on B (which transitively depends on C)
    repo.add_resource(
        "agents",
        "resource-a",
        r#"---
name: Resource A
dependencies:
  agents:
    - path: ./resource-b.md
      version: v1.0.0
---
# Resource A
This is resource A at v1.0.0, depending on B at v1.0.0.
"#,
    )
    .await?;

    repo.commit_all("Add all resources")?;
    repo.tag_version("v1.0.0")?;

    // Create manifest with direct dependencies on A, D, and C
    let repo_url = repo.bare_file_url(project.sources_path()).await?;

    let manifest = ManifestBuilder::new()
        .add_source("community", &repo_url)
        .add_standard_agent("resource-a", "community", "agents/resource-a.md")
        .add_standard_agent("resource-d", "community", "agents/resource-d.md")
        .add_standard_agent("resource-c", "community", "agents/resource-c.md")
        .build();

    project.write_manifest(&manifest).await?;

    // Run install - should succeed with no conflicts
    let output = project.run_agpm(&["install"])?;

    assert!(
        output.success,
        "Install should succeed with no conflicts. stderr: {}\nstdout: {}",
        output.stderr, output.stdout
    );

    // Verify the lockfile
    let lockfile = project.load_lockfile()?;

    // Should have exactly 4 agent entries: A, B, C, D
    assert_eq!(lockfile.agents.len(), 4, "Should have exactly 4 agents in lockfile");

    // Find each resource in the lockfile
    let resource_a = lockfile
        .agents
        .iter()
        .find(|a| a.name == "agents/resource-a")
        .expect("Resource A should be in lockfile");

    let resource_b = lockfile
        .agents
        .iter()
        .find(|a| a.name == "agents/resource-b")
        .expect("Resource B should be in lockfile");

    let resource_c = lockfile
        .agents
        .iter()
        .find(|a| a.name == "agents/resource-c")
        .expect("Resource C should be in lockfile");

    let resource_d = lockfile
        .agents
        .iter()
        .find(|a| a.name == "agents/resource-d")
        .expect("Resource D should be in lockfile");

    // Verify versions
    assert_eq!(resource_a.version, Some("v1.0.0".to_string()));
    assert_eq!(resource_b.version, Some("v1.0.0".to_string()));
    assert_eq!(resource_c.version, Some("v1.0.0".to_string()));
    assert_eq!(resource_d.version, Some("v1.0.0".to_string()));

    // Verify resource C has manifest_alias (direct dependency wins)
    assert_eq!(
        resource_c.manifest_alias,
        Some("resource-c".to_string()),
        "Resource C should have manifest_alias since it's a direct dependency"
    );

    // Verify resource B is transitive (no manifest_alias)
    assert_eq!(
        resource_b.manifest_alias, None,
        "Resource B should not have manifest_alias since it's transitive"
    );

    // Verify all resources resolved to commits from the same repository
    assert_eq!(
        resource_a.source,
        Some("community".to_string()),
        "Resource A should be from community"
    );
    assert_eq!(
        resource_b.source,
        Some("community".to_string()),
        "Resource B should be from community"
    );
    assert_eq!(
        resource_c.source,
        Some("community".to_string()),
        "Resource C should be from community"
    );
    assert_eq!(
        resource_d.source,
        Some("community".to_string()),
        "Resource D should be from community"
    );

    // Verify that all dependencies point to the same commit (v1.0.0)
    // All resources should have the same resolved_commit since they're all from v1.0.0
    assert!(
        resource_c.resolved_commit.as_ref().map(|c| !c.is_empty()).unwrap_or(false),
        "Resource C should have a resolved commit"
    );

    // All resources should have the same SHA since they're from the same tag
    assert_eq!(
        resource_a.resolved_commit, resource_b.resolved_commit,
        "Resources A and B should have same commit"
    );
    assert_eq!(
        resource_b.resolved_commit, resource_c.resolved_commit,
        "Resources B and C should have same commit"
    );
    assert_eq!(
        resource_c.resolved_commit, resource_d.resolved_commit,
        "Resources C and D should have same commit"
    );

    // Verify there's exactly one entry for C (no duplicates)
    let c_count = lockfile.agents.iter().filter(|a| a.name == "agents/resource-c").count();
    assert_eq!(c_count, 1, "Should have exactly one entry for resource C");

    Ok(())
}