Skip to content

feat(parsers): wire up cargo, gem, and go shims#28

Open
gok03 wants to merge 1 commit into
mainfrom
feat/cargo-gem-go-parsers
Open

feat(parsers): wire up cargo, gem, and go shims#28
gok03 wants to merge 1 commit into
mainfrom
feat/cargo-gem-go-parsers

Conversation

@gok03
Copy link
Copy Markdown
Contributor

@gok03 gok03 commented May 21, 2026

Why

While testing all platforms, found that `cargo`, `gem`, and `go` were advertised in the README and listed in `KnownManagers`, but:

  • had no argv parser (`ForName` returned nil → the shim passed them through ungated), and
  • weren't in `DefaultShims`, so `refuse install` never laid down shims for them.

The gate worked for those ecosystems only via the explicit `refuse check ` path — a real `cargo add ` at the terminal sailed through.

What

Three new parsers, registered + added to the default install set:

File Manager Forms handled
`cargo.go` `cargo add` / `cargo install` `serde@1.0`, `--vers 1.0`, `--version=1.0`; skips `--path`/`--git` local installs
`gem.go` `gem install` / `gem i` `-v 6.1`, `--version=6.1`, `rails:6.1.0` colon form; skips local `.gem` files
`gomod.go` `go get` / `go install` `module@v1.2.3`; `@latest/@upgrade/@patch/@none` → unpinned; skips `./...`, `all`, local paths

`DefaultShims` now installs all 9: npm, pnpm, yarn, bun, pip, pip3, cargo, gem, go. 27 new table-driven test cases.

Verified end-to-end (live server)

Command Result
`gem install rack:2.0.0` blocked (high) ✅
`go get …/jwt-go@v3.2.0` blocked (high) ✅
`cargo add smallvec@0.6.13` blocked (critical), `@` and `--vers` forms ✅
`cargo add time@0.1.43` allowed (only medium, below default high threshold) ✅ correct

Note for existing installs

Anyone who ran `refuse install` before this ships only has the 6 npm/pip shims. After upgrading they'll need to re-run `refuse install` to pick up the cargo/gem/go shims.

Test plan

  • CI green
  • After release + `brew upgrade`, `refuse install` lays down cargo/gem/go in `~/.refuse/bin`
  • `refuse status` lists all 9 shims

@gok03
feat(parsers): wire up cargo, gem, and go shims
a0c8a86 
The README advertised cargo / gem / go support and KnownManagers listed
them, but they had no argv parser (ForName returned nil → passthrough)
and weren't in DefaultShims. So `refuse install` never dropped shims for
them, and even if invoked directly they'd pass through ungated. The gate
worked for those ecosystems only via the explicit `refuse check <eco>`
path.

This closes the gap:

  internal/parsers/cargo.go  — `cargo add` / `cargo install`. Handles the
      `serde@1.0` form and the `--vers` / `--version` flag form. Skips
      --path / --git local installs.
  internal/parsers/gem.go    — `gem install` / `gem i`. Handles `-v` /
      `--version` and the `rails:6.1.0` colon form. Skips local .gem files.
  internal/parsers/gomod.go  — `go get` / `go install`. module@version,
      with @latest/@upgrade/@patch/@none treated as unpinned. Skips
      ./... , all, and local paths.

Each registered in registry.go and added to DefaultShims so
`refuse install` lays down all 9 shims (npm, pnpm, yarn, bun, pip, pip3,
cargo, gem, go). 27 new table-driven test cases.

Verified end-to-end against the live server:
  - gem install rack:2.0.0          → blocked (high)
  - go get …/jwt-go@v3.2.0          → blocked (high)
  - cargo add smallvec@0.6.13       → blocked (critical), both @ and
                                       --vers forms
  - cargo add time@0.1.43           → allowed (only medium, below the
                                       default high threshold) — correct
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gok03