agpm-cli 0.4.4

AGent Package Manager - A Git-based package manager for Claude agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396

use anyhow::Result;

mod common;
use common::TestProject;

mod fixtures;

/// Test that install auto-updates lockfile when dependency is missing (Cargo-style behavior)
#[tokio::test]
async fn test_install_auto_updates_missing_dependency() -> Result<()> {
    let project = TestProject::new().await?;

    // Create a source repo with an agent
    let source_repo = project.create_source_repo("test-source").await?;
    source_repo.add_resource("agents", "agent-one", "# Agent One\nTest agent one").await?;
    source_repo.add_resource("agents", "agent-two", "# Agent Two\nTest agent two").await?;
    source_repo.commit_all("Add agents")?;
    source_repo.tag_version("v1.0.0")?;

    // Create manifest with two agents
    let manifest = format!(
        r#"[sources]
test-source = "{}"

[agents]
agent-one = {{ source = "test-source", path = "agents/agent-one.md", version = "v1.0.0" }}
agent-two = {{ source = "test-source", path = "agents/agent-two.md", version = "v1.0.0" }}
"#,
        source_repo.file_url()
    );
    project.write_manifest(&manifest).await?;

    // Install first to create lockfile
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Now remove one agent from lockfile to simulate staleness
    let lockfile = project.read_lockfile().await?;

    // Find and remove the agent-two section
    let start_marker = "[[agents]]\nname = \"agent-two\"";
    if let Some(start_pos) = lockfile.find(start_marker) {
        // Find the end of this agent entry (next [[agents]] or end of file)
        let after_start = start_pos + start_marker.len();
        let end_pos = lockfile[after_start..]
            .find("[[agents]]")
            .map(|p| after_start + p)
            .unwrap_or(lockfile.len());

        // Remove this entire agent section
        let modified_lockfile = format!("{}{}", &lockfile[..start_pos], &lockfile[end_pos..]);
        project.write_lockfile(&modified_lockfile).await?;
    } else {
        panic!("Could not find agent-two in lockfile to remove");
    }

    // Install should auto-update the lockfile (Cargo-style behavior)
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Install should auto-update lockfile: {}", output.stderr);

    // Verify lockfile now contains agent-two again
    let updated_lockfile = project.read_lockfile().await?;
    assert!(
        updated_lockfile.contains("agent-two"),
        "Lockfile should have been auto-updated with missing dependency"
    );

    Ok(())
}

/// Test that install auto-updates on version change, but --frozen mode fails
#[tokio::test]
async fn test_install_frozen_detects_version_mismatch() -> Result<()> {
    let project = TestProject::new().await?;

    // Create a source repo with multiple versions
    let source_repo = project.create_source_repo("test-source").await?;
    source_repo.add_resource("agents", "test-agent", "# Test Agent v1\nVersion 1").await?;
    source_repo.commit_all("Version 1")?;
    source_repo.tag_version("v1.0.0")?;

    source_repo.add_resource("agents", "test-agent", "# Test Agent v2\nVersion 2").await?;
    source_repo.commit_all("Version 2")?;
    source_repo.tag_version("v2.0.0")?;

    // Create manifest with v1.0.0
    let manifest = format!(
        r#"[sources]
test-source = "{}"

[agents]
test-agent = {{ source = "test-source", path = "agents/test-agent.md", version = "v1.0.0" }}
"#,
        source_repo.file_url()
    );
    project.write_manifest(&manifest).await?;

    // Install v1.0.0
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Update manifest to v2.0.0
    let manifest_v2 = manifest.replace("v1.0.0", "v2.0.0");
    project.write_manifest(&manifest_v2).await?;

    // Normal install should auto-update (Cargo-style)
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Normal install should auto-update: {}", output.stderr);

    // Revert to v1.0.0 lockfile
    project.write_manifest(&manifest).await?;
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success);

    // Change manifest back to v2.0.0
    project.write_manifest(&manifest_v2).await?;

    // --frozen mode should succeed (only checks corruption/security, not version changes)
    // It will use the lockfile as-is with v1.0.0 even though manifest has v2.0.0
    let output = project.run_agpm(&["install", "--frozen"])?;
    assert!(
        output.success,
        "Frozen install should succeed (ignores version changes): {}",
        output.stderr
    );

    Ok(())
}

/// Test that extra lockfile entries are allowed (for transitive dependencies)
#[tokio::test]
async fn test_install_detects_removed_dependency() -> Result<()> {
    let project = TestProject::new().await?;

    // Create a source repo with two agents
    let source_repo = project.create_source_repo("test-source").await?;
    source_repo.add_resource("agents", "agent-one", "# Agent One").await?;
    source_repo.add_resource("agents", "agent-two", "# Agent Two").await?;
    source_repo.commit_all("Add agents")?;
    source_repo.tag_version("v1.0.0")?;

    // Create manifest with two agents
    let manifest_two_agents = format!(
        r#"[sources]
test-source = "{}"

[agents]
agent-one = {{ source = "test-source", path = "agents/agent-one.md", version = "v1.0.0" }}
agent-two = {{ source = "test-source", path = "agents/agent-two.md", version = "v1.0.0" }}
"#,
        source_repo.file_url()
    );
    project.write_manifest(&manifest_two_agents).await?;

    // Install both agents
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Remove agent-two from manifest (simulating it becoming only a transitive dependency)
    let manifest_one_agent = format!(
        r#"[sources]
test-source = "{}"

[agents]
agent-one = {{ source = "test-source", path = "agents/agent-one.md", version = "v1.0.0" }}
"#,
        source_repo.file_url()
    );
    project.write_manifest(&manifest_one_agent).await?;

    // Try to install with lockfile containing extra entry in CI mode
    // This should succeed now - extra entries are allowed for transitive dependencies
    let output = project.run_agpm_with_env(&["install"], &[("CI", "true")])?;
    assert!(
        output.success,
        "Install should succeed with extra lockfile entries for transitive deps: {}",
        output.stderr
    );
    assert!(!output.stderr.contains("stale"), "Should not report lockfile as stale");

    Ok(())
}

/// Test that path change is detected
#[tokio::test]
async fn test_install_detects_path_change() -> Result<()> {
    let project = TestProject::new().await?;

    // Create a source repo with agent in two locations
    let source_repo = project.create_source_repo("test-source").await?;
    source_repo.add_resource("agents", "old-path", "# Agent at old path").await?;
    source_repo.add_resource("agents", "new-path", "# Agent at new path").await?;
    source_repo.commit_all("Add agents")?;
    source_repo.tag_version("v1.0.0")?;

    // Create manifest pointing to old path
    let manifest_old = format!(
        r#"[sources]
test-source = "{}"

[agents]
test-agent = {{ source = "test-source", path = "agents/old-path.md", version = "v1.0.0" }}
"#,
        source_repo.file_url()
    );
    project.write_manifest(&manifest_old).await?;

    // Install with old path
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Update manifest to new path
    let manifest_new = manifest_old.replace("old-path", "new-path");
    project.write_manifest(&manifest_new).await?;

    // Normal install should auto-update
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Normal install should auto-update path change: {}", output.stderr);

    // Revert to old path and reinstall
    project.write_manifest(&manifest_old).await?;
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success);

    // Change back to new path
    project.write_manifest(&manifest_new).await?;

    // --frozen mode should fail
    let output = project.run_agpm(&["install", "--frozen"])?;
    assert!(output.success, "Frozen mode should succeed (ignores path changes): {}", output.stderr);

    Ok(())
}

/// Test that source URL change is detected
#[tokio::test]
async fn test_install_detects_source_url_change() -> Result<()> {
    let project = TestProject::new().await?;

    // Create two different source repos
    let old_repo = project.create_source_repo("old-repo").await?;
    old_repo.add_resource("agents", "test-agent", "# Agent from old repo").await?;
    old_repo.commit_all("Add agent")?;
    old_repo.tag_version("v1.0.0")?;

    let new_repo = project.create_source_repo("new-repo").await?;
    new_repo.add_resource("agents", "test-agent", "# Agent from new repo").await?;
    new_repo.commit_all("Add agent")?;
    new_repo.tag_version("v1.0.0")?;

    // Create manifest pointing to old repo
    let manifest_old = format!(
        r#"[sources]
test-source = "{}"

[agents]
test-agent = {{ source = "test-source", path = "agents/test-agent.md", version = "v1.0.0" }}
"#,
        old_repo.file_url()
    );
    project.write_manifest(&manifest_old).await?;

    // Install from old repo
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Update manifest to point to new repo
    let manifest_new = format!(
        r#"[sources]
test-source = "{}"

[agents]
test-agent = {{ source = "test-source", path = "agents/test-agent.md", version = "v1.0.0" }}
"#,
        new_repo.file_url()
    );
    project.write_manifest(&manifest_new).await?;

    // --frozen mode should fail on source URL change (security concern)
    let output = project.run_agpm(&["install", "--frozen"])?;
    assert!(!output.success, "Should fail on source URL change (security)");
    assert!(
        output.stderr.contains("Source repository 'test-source' URL changed")
            || output.stderr.contains("out of sync"),
        "Should report URL change, got: {}",
        output.stderr
    );

    Ok(())
}

/// Test that duplicate entries are detected
#[tokio::test]
async fn test_install_detects_duplicate_entries() -> Result<()> {
    let project = TestProject::new().await?;

    // Create a source repo
    let source_repo = project.create_source_repo("test-source").await?;
    source_repo.add_resource("agents", "test-agent", "# Test Agent").await?;
    source_repo.commit_all("Add agent")?;

    // Ensure we're on main branch (git's default branch name varies)
    source_repo.git.ensure_branch("main")?;

    // Create manifest
    let manifest = format!(
        r#"[sources]
test-source = "{}"

[agents]
test-agent = {{ source = "test-source", path = "agents/test-agent.md", version = "main" }}
"#,
        source_repo.file_url()
    );
    project.write_manifest(&manifest).await?;

    // First do a normal install to create a valid lockfile
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Read the valid lockfile and manually duplicate an entry
    let lockfile = project.read_lockfile().await?;

    // Find the agents section and duplicate the first agent entry
    if let Some(agents_pos) = lockfile.find("[[agents]]") {
        let agent_section = &lockfile[agents_pos..];

        // Find the end of this agent entry
        let next_section = agent_section[11..].find("[[").unwrap_or(agent_section.len() - 11) + 11;
        let agent_entry = &agent_section[..next_section];

        // Add a duplicate at the end
        let corrupted_lockfile = format!("{}\n{}", lockfile.trim(), agent_entry);
        project.write_lockfile(&corrupted_lockfile).await?;
    } else {
        panic!("Could not find agents section in lockfile");
    }

    // --frozen mode should fail on corrupted lockfile
    let output = project.run_agpm(&["install", "--frozen"])?;
    assert!(!output.success, "Expected failure due to duplicate entries, but command succeeded");
    assert!(
        output.stderr.contains("duplicate entries")
            || output.stderr.contains("Found") && output.stderr.contains("duplicate")
            || output.stderr.contains("out of sync"),
        "Expected duplicate entries error, got: {}",
        output.stderr
    );

    Ok(())
}

/// Test that branch references don't cause staleness errors
/// Branches are expected to move, so we shouldn't treat them as stale
#[tokio::test]
async fn test_install_allows_branch_references() -> Result<()> {
    let project = TestProject::new().await?;

    // Create a source repo with a bare clone for stable serving
    let source_repo = project.create_source_repo("test-source").await?;
    source_repo.add_resource("agents", "test-agent", "# Test Agent v1").await?;
    source_repo.commit_all("Initial commit")?;

    // Ensure we're on main branch (git's default branch name varies)
    source_repo.git.ensure_branch("main")?;

    // Get the bare URL for stable file:// serving
    let bare_url = source_repo.bare_file_url(project.sources_path())?;

    // Create manifest using 'main' branch
    let manifest = format!(
        r#"[sources]
test-source = "{}"

[agents]
test-agent = {{ source = "test-source", path = "agents/test-agent.md", version = "main" }}
"#,
        bare_url
    );
    project.write_manifest(&manifest).await?;

    // Install to create lockfile
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(output.success, "Initial install failed: {}", output.stderr);

    // Try to install again - should succeed because branches are allowed to move
    // This is expected behavior with auto-update
    let output = project.run_agpm(&["install", "--quiet"])?;
    assert!(
        output.success,
        "Install should succeed with branch references, got error: {}",
        output.stderr
    );

    Ok(())
}