Skip to content

feat(metadata): support local metadata source#181

Merged
QaidVoid merged 2 commits into
mainfrom
feat/metadata-local-source
Jul 7, 2026
Merged

feat(metadata): support local metadata source#181
QaidVoid merged 2 commits into
mainfrom
feat/metadata-local-source

Conversation

@QaidVoid

@QaidVoid QaidVoid commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • New Features
    • Added support for loading repository metadata from local filesystem paths and file:// sources, alongside existing remote endpoints.
    • Improved handling of remote URLs: https is always allowed; http is supported only when signature verification is enabled (with a warning when used).
  • Bug Fixes
    • Strengthened metadata integrity checks with consistent signature verification for both local and remote sources.
    • Enforced metadata size limits and added local change detection to avoid unnecessary reprocessing.
  • Tests
    • Added unit tests covering local/remote URL handling and remote scheme validation rules.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d4ecd4d0-bdca-43fe-bc8e-e6a7a1900a12

📥 Commits

Reviewing files that changed from the base of the PR and between 78f77f0 and 79a57a6.

📒 Files selected for processing (1)
  • crates/soar-registry/src/metadata.rs
🚧 Files skipped from review as they are similar to previous changes (1)
  • crates/soar-registry/src/metadata.rs

📝 Walkthrough

Walkthrough

This PR extends metadata fetching in crates/soar-registry/src/metadata.rs to support local file:// URLs and filesystem paths alongside remote HTTP(S) sources. Signature verification is refactored to use a shared closure-based flow, and remote scheme handling now allows http with a warning.

Changes

Local Metadata Fetch and Signature Verification

Layer / File(s) Summary
Imports and fetch routing
crates/soar-registry/src/metadata.rs
Adds resolve_path, UNIX_EPOCH, and warn imports, and routes fetch_metadata to local or remote handling based on repository URL form.
Remote signature verification
crates/soar-registry/src/metadata.rs
Updates the remote flow to use the closure-based signature verification API, including detached signature loading and updated missing-signature error mapping.
Local metadata helpers
crates/soar-registry/src/metadata.rs
Adds local path resolution, remote scheme authorization, local metadata fetching with mtime-based cache tokens and size limits, and detached local signature loading.
Scheme and path tests
crates/soar-registry/src/metadata.rs
Adds unit tests for local path resolution and remote scheme rules, including conditional http allowance.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding support for local metadata sources.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/metadata-local-source

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploying soar-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 79a57a6
Status: ✅  Deploy successful!
Preview URL: https://ba35595b.soar-docs.pages.dev
Branch Preview URL: https://feat-metadata-local-source.soar-docs.pages.dev

View logs

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
crates/soar-registry/src/metadata.rs (1)

214-227: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

file:// parsing ignores a possible authority/host component.

strip_prefix("file://") leaves the authority in the remainder, so an input like file://localhost/srv/repo/metadata.sdb.zstd yields localhost/srv/..., which resolve_path treats as relative and joins against the CWD — resolving to the wrong location instead of /srv/.... Using Url::parse(...).and_then(|u| u.to_file_path().ok()) for the file:// branch would handle the authority and percent-encoding correctly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/soar-registry/src/metadata.rs` around lines 214 - 227, The file URL
handling in local_metadata_path currently strips the file:// prefix manually,
which leaves any authority/host portion in the path and can resolve
file://localhost/... incorrectly as a relative path. Update the file:// branch
in local_metadata_path to parse the URL with Url::parse and convert it with
to_file_path so authority components and percent-encoding are handled correctly,
while keeping the existing resolve_path behavior for non-file local paths.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/soar-registry/src/metadata.rs`:
- Around line 150-164: The URL validation in `metadata.rs` currently only warns
for `http` in the `parsed_url.scheme()` match, which still allows
unauthenticated metadata fetches. Update this branch to reject `http` unless
`Repository::signature_verification()` is enabled and a pubkey is configured,
using the existing `repo`/`parsed_url` checks in the same match flow. Also
revise the `RegistryError::InsecureUrl` message for unsupported or insecure
schemes so it clearly states that `http` metadata is only allowed when signature
verification is active and a pubkey is present.

---

Nitpick comments:
In `@crates/soar-registry/src/metadata.rs`:
- Around line 214-227: The file URL handling in local_metadata_path currently
strips the file:// prefix manually, which leaves any authority/host portion in
the path and can resolve file://localhost/... incorrectly as a relative path.
Update the file:// branch in local_metadata_path to parse the URL with
Url::parse and convert it with to_file_path so authority components and
percent-encoding are handled correctly, while keeping the existing resolve_path
behavior for non-file local paths.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d1b529e3-67e6-47ac-9c5d-b579e5596437

📥 Commits

Reviewing files that changed from the base of the PR and between 6ff1b3e and 78f77f0.

📒 Files selected for processing (1)
  • crates/soar-registry/src/metadata.rs

Comment thread crates/soar-registry/src/metadata.rs
@QaidVoid QaidVoid merged commit 487850d into main Jul 7, 2026
9 checks passed
@QaidVoid QaidVoid mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant