refactor: remove #[allow(dead_code)] directives and fix warnings

[mpiton]

Summary

• Remove all #[allow(dead_code)] annotations per project rules (CLAUDE.md forbids bypassing errors with #[allow(...)])
• Refactor main.rs to use library imports instead of mod declarations, eliminating duplicate module compilation
• Mark test-only code with #[cfg(test)] instead of allow attributes
• Add tests for cache trait methods (contains, remove, clear)
• Remove unused from_env() method from EnvTokenProvider
• Clean up npmrc and cargo_credentials modules by removing untested file I/O wrappers

Test plan

• cargo clippy --all-targets -- -D warnings passes with no warnings
• cargo test --lib - all 275 tests pass
• cargo fmt --all -- --check passes

Summary by CodeRabbit

• Refactor

  • Consolidated authentication and credential parsing internals and moved parsing helpers into test scope; standardized module imports. No change to end-user authentication behavior or public features.

• Tests

  • Expanded unit test coverage for credential parsing and cache operations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR moves several authentication and credential-parsing APIs to test-only scope (#[cfg(test)]), removes disk I/O for .npmrc and Cargo credentials parsing in favor of in-memory parsing helpers used by tests, adds unit tests, and updates crate import paths to dependi_lsp::*.

Changes

Cohort / File(s)	Summary
Cargo credentials parsing dependi-lsp/src/auth/cargo_credentials.rs	Removed pub async fn parse_cargo_credentials() and disk I/O helpers; added test-only serde structs and parse_credentials_content(&str) plus unit tests (gated with #[cfg(test)]). Public API surface unchanged otherwise.
npmrc parsing dependi-lsp/src/auth/npmrc.rs	Removed pub async fn parse_npmrc_token(...) and parse_npmrc_registry(...) (file I/O); added #[cfg(test)] in-memory parsers (parse_token_from_content, parse_registry_from_content, extract_auth_token, resolve_env_var) and tests.
Auth provider gating dependi-lsp/src/auth/mod.rs	Made NoAuthProvider and its TokenProvider impl test-only (#[cfg(test)]); removed EnvTokenProvider::from_env() public constructor; gated TokenProviderManager::get_auth_headers() and has_provider() as test-only. TokenProvider trait signature unchanged.
Cache tests dependi-lsp/src/cache/mod.rs	Removed #[allow(dead_code)] comments; added unit tests exercising ReadCache::contains, WriteCache::remove, and WriteCache::clear via MemoryCache and trait objects.
Crate import paths dependi-lsp/src/main.rs	Replaced local crate::... imports with external dependi_lsp::... paths for backend, parsers, registries, and vulnerabilities. No functional changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(auth): add authentication token support for private npm registries #88 — Touches the same auth modules and public parsing/provider APIs that this PR gates or removes.
• feat: split Cache trait into ReadCache and WriteCache #58 — Related cache test changes and prior Cache interface evolution (ReadCache/WriteCache) connected to added tests.
• test: add coverage infrastructure with cargo-tarpaulin #85 — Other cache test adjustments/fixes that interact with the new cache unit tests.

Poem

🐰 I nibble at lines of code so neat,
Tests chew tokens, no disk to meet,
Parsers tucked into test-time burrows,
Imports hopped to crates and thorough,
A tiny rabbit clap—refactor complete!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main refactoring work: removing dead_code directives and fixing warnings, which aligns with the primary objectives across all modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

dependi-lsp/src/auth/mod.rs (1)

102-115: Outdated doc example references removed from_env method.

The example on lines 109-110 references EnvTokenProvider::from_env("GITHUB_TOKEN"), but according to the AI summary, the from_env() method was removed in this PR. While the ignore attribute prevents doc test failures, the example is now misleading.

📝 Suggested fix

 /// ```ignore
 /// use dependi_lsp::auth::{TokenProviderManager, EnvTokenProvider};
 /// use std::sync::Arc;
 ///
 /// let manager = TokenProviderManager::new();
 ///
 /// // Register provider for GitHub npm
-/// if let Some(provider) = EnvTokenProvider::from_env("GITHUB_TOKEN") {
-///     manager.register("https://npm.pkg.github.com", Arc::new(provider)).await;
+/// if let Ok(token) = std::env::var("GITHUB_TOKEN") {
+///     let provider = EnvTokenProvider::new(token);
+///     manager.register("https://npm.pkg.github.com".to_string(), Arc::new(provider)).await;
 /// }
 ///
 /// // Get headers for a request
 /// let headers = manager.get_auth_headers("https://npm.pkg.github.com/@org/package").await;
 /// ```

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3913b07 and 16850cc.

📒 Files selected for processing (5)

• dependi-lsp/src/auth/cargo_credentials.rs
• dependi-lsp/src/auth/mod.rs
• dependi-lsp/src/auth/npmrc.rs
• dependi-lsp/src/cache/mod.rs
• dependi-lsp/src/main.rs

🧰 Additional context used

🧬 Code graph analysis (1)

dependi-lsp/src/cache/mod.rs (1)

dependi-lsp/src/cache/sqlite.rs (2)

• create_test_version_info (349-364)
• get (206-227)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Code coverage
• GitHub Check: test
• GitHub Check: security-audit
• GitHub Check: Analyze (rust)

🔇 Additional comments (8)

dependi-lsp/src/main.rs (1)

8-8: LGTM! Import paths correctly updated for binary-to-library crate imports.

Changing from crate:: to dependi_lsp:: is the correct approach for a binary crate (main.rs) importing from its sibling library crate. This eliminates the duplicate module compilation issue mentioned in the PR summary.

Also applies to: 83-88

dependi-lsp/src/cache/mod.rs (1)

449-483: LGTM! Well-structured tests for cache trait methods.

The new tests properly validate contains, remove, and clear operations through trait objects (&dyn ReadCache, &dyn WriteCache), ensuring the trait implementations work correctly via dynamic dispatch. This addresses the PR goal of adding tests for previously #[allow(dead_code)]-annotated methods.

dependi-lsp/src/auth/cargo_credentials.rs (2)

10-42: LGTM! Parsing utilities correctly scoped to test-only.

The #[cfg(test)] annotations appropriately gate the parsing logic that was previously marked with #[allow(dead_code)]. The documentation note on lines 5-8 clearly explains that I/O integration will be added when this is wired into the main auth flow.

---

44-110: Good test coverage for credential parsing edge cases.

Tests comprehensively cover: valid credentials, empty content, missing registries section, registry without token, and mixed registries with/without tokens. This validates the parsing logic before I/O integration.

dependi-lsp/src/auth/npmrc.rs (2)

114-148: Appropriate use of serial_test and documented unsafe blocks for env var tests.

The #[serial] attribute and unsafe blocks with SAFETY comments correctly document why std::env::set_var/remove_var require unsafe in Rust 2024 edition (they're not thread-safe). The cleanup in each test prevents test pollution.

---

10-89: LGTM! Parsing utilities correctly scoped to test-only with proper env var handling.

The parsing functions are appropriately gated with #[cfg(test)]. The resolve_env_var function correctly handles both ${VAR} and $VAR syntaxes, and the extract_auth_token function properly handles both direct and registry-scoped token formats. The project's Rust edition is set to 2024, which fully supports the let-chain syntax used throughout these functions.

dependi-lsp/src/auth/mod.rs (2)

81-89: LGTM! NoAuthProvider correctly scoped to test-only.

Since NoAuthProvider is only used in test scenarios, gating it with #[cfg(test)] is the appropriate replacement for #[allow(dead_code)].

---

162-163: No changes needed — test-gating is correct.

Verification confirms that get_auth_headers and has_provider on TokenProviderManager are only called from test code (lines 274, 288). Production code only calls provider_count(), which remains available. The #[cfg(test)] gates are appropriate.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

dependi-lsp/src/auth/mod.rs (2)

102-116: Documentation example references test-only API.

The example at line 115 calls manager.get_auth_headers(), but this method is now restricted to tests (marked #[cfg(test)] at line 163). This creates a misleading example for users, as the shown API is not available in production builds.

Consider either:

1. Updating the example to reflect actual production usage patterns
2. Moving this example to test documentation
3. Removing the example if TokenProviderManager is now internal/test-only

---

163-194: Remove #[cfg(test)] or reconsider the public API design.

get_auth_headers() is marked test-only while register() remains public, creating an inconsistent API. Currently, neither method is used in production code—TokenProviderManager is only instantiated and used to call provider_count() for logging.

If this infrastructure is incomplete, either:

• Remove public visibility from register() and mark the entire struct #[cfg(test)], or
• Remove #[cfg(test)] from get_auth_headers() to allow future production integration without requiring code restructuring.

🧹 Nitpick comments (1)

dependi-lsp/src/auth/mod.rs (1)

197-201: Consider the API design implications of test-only accessors.

While register() remains public, has_provider() is now test-only. This creates an asymmetric API where callers can add providers but cannot query them. If TokenProviderManager is meant for production use, consider whether diagnostic methods like this should remain public for observability.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 16850cc and 91a4a89.

📒 Files selected for processing (1)

• dependi-lsp/src/auth/mod.rs

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Code coverage
• GitHub Check: test
• GitHub Check: security-audit
• GitHub Check: Analyze (rust)

🔇 Additional comments (2)

dependi-lsp/src/auth/mod.rs (2)

226-347: Comprehensive test coverage.

The test suite covers the authentication functionality well, including edge cases like UTF-8 safety in token redaction, HTTPS enforcement, and longest-prefix matching for provider selection.

---

81-89: The #[cfg(test)] annotation on NoAuthProvider is appropriate. Verification confirms that NoAuthProvider is not referenced in any production code outside of test modules, so restricting it to test-only is correct.