feat(make): support local formula path and improve test coverage

[MeteorsLiu]

Add support for local filesystem patterns (., ./path, ./path@ver) in
llar make, enabling CI workflows within the llarhub repository to build
local formulas while resolving dependencies from the remote store.

Key changes:

• Extract Store interface from concrete struct in repo package
• Add overlayStore to serve local modules with remote fallback
• Add modlocal package for local module discovery via versions.json
• Update parseModuleArg to detect and validate local patterns
• Split runMake into local/remote branches with overlay composition

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the llar make command by introducing the ability to use local formula repositories. This feature is particularly beneficial for continuous integration environments and local development workflows, removing the dependency on remote VCS for formula resolution. The change is implemented through a clean architectural refactoring, introducing a Store interface for formula management, which now supports both remote and local filesystem-backed operations. Concurrently, the PR substantially improves the test coverage for the make command's internal logic, ensuring the reliability of these new capabilities.

Highlights

• Local Formula Path Support: Introduced support for specifying local formula paths (e.g., "./path", "/path") in the llar make command, enabling local formula development and CI/CD use cases without relying on remote VCS.
• Formula Store Interface Refactoring: Refactored the formula repository management by extracting a repo.Store interface, with concrete remoteStore and localStore implementations, allowing flexible formula sourcing from either remote VCS or local filesystems.
• Improved Test Coverage: Significantly increased unit test coverage for the cmd/llar/internal package from 33% to 75%, improving robustness for local/remote path handling, silent mode, and output flag resolution.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• cmd/llar/internal/make.go
  • Modified runMake to dynamically select between remoteStore and localStore based on the module argument.
  • Updated parseModuleArg to detect local path prefixes (./ or /) and return an isLocal flag.
• cmd/llar/internal/make_test.go
  • Added helper functions testdataFormulasDir and runMakeCmdInDir for test setup.
  • Expanded TestParseModuleArg to include test cases for local paths.
  • Introduced new tests (TestRunMake_RemotePath_FailsAtLoad, TestRunMake_LocalPath_ModulesLoad, TestRunMake_LocalPath_NoFormula, TestRunMake_LocalPath_Silent, TestRunMake_LocalPath_WithOutput) to cover local/remote path branching, silent mode, and output flag resolution.
• cmd/llar/internal/testdata/formulas/test/fakepkg/1.0.0/fakepkg_llar.gox
  • Added a new test formula definition file.
• cmd/llar/internal/testdata/formulas/test/fakepkg/versions.json
  • Added a new test formula versions file.
• internal/build/build.go
  • Updated Builder and Options structs to use the repo.Store interface instead of a pointer to the concrete repo.Store type.
• internal/build/build_test.go
  • Modified setupTestStore, setupBuilder, and loadAndBuild functions to align with the repo.Store interface.
• internal/formula/repo/store.go
  • Defined a new Store interface for formula repository access.
  • Renamed the existing Store struct to remoteStore and made it implement the Store interface.
  • Introduced a new localStore struct and NewLocalStore constructor, implementing the Store interface for local filesystem-based formula access.
• internal/formula/repo/store_test.go
  • Adjusted TestNew, TestStore_moduleDirOf, and TestStore_moduleDirOf_MkdirAllError to correctly handle the remoteStore type assertion after the interface extraction.
• internal/modules/load.go
  • Updated the FormulaStore field in Options to use the repo.Store interface.
• internal/modules/load_test.go
  • Modified setupTestStore to return the repo.Store interface.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for local formula paths in llar make, which is a great feature for local development and CI. The refactoring to a Store interface with remoteStore and localStore implementations is well-executed. My review includes a few suggestions to improve code consistency, idiomatic Go usage, and reduce code duplication. Overall, this is a solid contribution that also significantly improves test coverage.

[fennoai]

Path traversal / missing validation (CWE-22): remoteStore.ModuleFS validates modPath via module.EscapePath (in moduleDirOf), and localStore.LockModule also calls module.EscapePath — but localStore.ModuleFS does not. A crafted path like ../../etc would survive parseModuleArg's prefix stripping and cause filepath.Join(s.root, "../../etc") to escape the root directory.

Suggested change

	func (s *localStore) ModuleFS(_ context.Context, modPath string) (fs.FS, error) {
	func (s *localStore) ModuleFS(_ context.Context, modPath string) (fs.FS, error) {
	escapedModPath, err := module.EscapePath(modPath)
	if err != nil {
	return nil, err
	}
	return os.DirFS(filepath.Join(s.root, escapedModPath)), nil
	}

[MeteorsLiu]

@xgopilot help me fix it

[fennoai]

Fix applied

Added module.EscapePath validation to localStore.ModuleFS to match the validation already present in remoteStore.ModuleFS and localStore.LockModule. This prevents path traversal (CWE-22) where crafted paths like ../../etc could escape the root directory.

Changes:

• internal/formula/repo/store.go: Added module.EscapePath(modPath) call before filepath.Join in localStore.ModuleFS
• internal/formula/repo/store_test.go: Added TestLocalStore_ModuleFS_InvalidPath test verifying rejection of "", "../../../etc", and "owner//repo"

All internal/formula/repo tests pass.

PR: MeteorsLiu#5

View job run

[codecov]

Codecov Report

❌ Patch coverage is 89.26174% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.11%. Comparing base (0b1b75a) to head (bc56b2e).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/llar/internal/make.go	85.96%	4 Missing and 4 partials ⚠️
internal/modules/load.go	80.95%	2 Missing and 2 partials ⚠️
internal/modules/modlocal/modlocal.go	93.10%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #104      +/-   ##
==========================================
+ Coverage   76.15%   78.11%   +1.95%     
==========================================
  Files          32       34       +2     
  Lines        1732     1855     +123     
==========================================
+ Hits         1319     1449     +130     
+ Misses        314      303      -11     
- Partials       99      103       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[MeteorsLiu]

NOTE: allow mock for test

[MeteorsLiu]

/review

[MeteorsLiu]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a significant and well-implemented feature to support local formula builds, which is crucial for CI workflows. The refactoring of repo.Store into an interface to accommodate the overlayStore is a clean and effective design choice. The new modlocal package provides a solid foundation for local module discovery. The test coverage has been substantially improved with comprehensive unit and integration tests for the new functionality. I have one suggestion for a minor refactoring to improve the readability of the runMake function.

[MeteorsLiu]

/review

[MeteorsLiu]

/review

[fennoai]

findLocalRoot (lines 66-78) and resolveCurrentDir (lines 82-101) contain near-identical upward-walk logic (filepath.Dir, parent == dir termination). resolveCurrentDir could reuse findLocalRoot to locate the root directory, then parse the versions.json at the returned path, eliminating one copy of the walk.

[fennoai]

Review Summary

Well-structured PR. The Store interface extraction, overlayStore pattern, and modlocal package separation are clean. Path traversal protections via validatePattern and validateModulePath are solid. No critical issues found. No performance concerns for current usage patterns.

Key feedback (inline):

• makeOutput global mutation is fragile across test calls -- prefer passing as a parameter
• versions.json path field should be validated in modlocal.Resolve rather than relying solely on downstream validateModulePath
• Duplicated upward-walk logic between findLocalRoot and resolveCurrentDir could be consolidated
• Use t.Setenv over os.Setenv in tests for t.Parallel() safety
• Minor doc/README inconsistencies noted inline

[luoliwoshang]

seems current only return a Module ?

[MeteorsLiu]

Currently, yes. However, the reason we still return multiple modules is to reserve for the future ... support.

[luoliwoshang]

LGTM