Fix purl namespace corruption when path contains ".git" mid-path

[spoorcc]

The generic VCS branch in _vcs_namespace_and_name used str.replace to
strip a ".git" suffix from the path, which silently removed every
occurrence anywhere in the path. A URL like
https://gitlab.com/group/foo.github/project.git produced the namespace
"group/foohub" instead of "group/foo.github". Use removesuffix so only
the trailing .git is stripped.

https://claude.ai/code/session_01KKvrvnVvsBChohuxbRRmzA

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Fixed remote URL matching to use path-boundary aware comparisons (avoids false prefix matches).
  • Corrected Version equality when comparing to non-Version values, and made Version hashable consistently with equality.
  • Improved Git remote URL handling by trimming trailing whitespace/newlines.
  • Refined repository URL parsing to strip only a trailing .git suffix.
  • Prevented unintended SHA prefix matching when the revision is empty.

• Tests

  • Added coverage for the updated remote URL matching, Version comparisons/hash behavior, and Git URL/SHA edge cases.

[coderabbitai]

Warning

Review limit reached

@spoorcc, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 12 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 93d214b9-e5a8-4342-93f5-54c7c375a3b7

📥 Commits

Reviewing files that changed from the base of the PR and between ba1ff56 and 45dc18f.

📒 Files selected for processing (2)

• CHANGELOG.rst
• tests/test_manifest.py

Walkthrough

Four independent bug fixes for dfetch 0.14.1: Version.__eq__ gains an isinstance type guard and a new __hash__ method; find_remote_for_url requires a /-delimited path boundary instead of a plain prefix match; purl.py uses removesuffix to strip only a trailing .git; and git.py adds an early return for empty SHA revisions and strips whitespace from remote URL output.

Changes

dfetch 0.14.1 Bug Fixes

Layer / File(s)	Summary
Version equality type guard and hash restoration dfetch/manifest/version.py, tests/test_project_version.py	Version.__eq__ now uses isinstance(other, Version) instead of a generic falsy check; a new __hash__ method hashes self.tag when non-empty, otherwise (self.branch, self.revision). Tests verify False is returned for non-Version operands and that instances remain usable in sets.
Remote URL path-boundary matching fix dfetch/manifest/manifest.py, tests/test_add.py	find_remote_for_url now requires the remote base URL to be either exactly equal to or a /-delimited prefix of the candidate URL. Tests assert no match for a shared-org-prefix URL and correct matches for the exact remote and its subpaths.
PURL trailing .git suffix normalization dfetch/util/purl.py, tests/test_purl.py	Generic VCS path normalization switches from replace to removesuffix(".git"). A new parametrized test with a .git-embedded path component verifies the namespace/name are derived correctly.
Git SHA scan and remote URL whitespace strip dfetch/vcs/git.py, tests/test_git_vcs.py	_find_branch_tip_or_tag_from_sha adds an early-return for empty rev to prevent SHA prefix matching against an empty string. get_remote_url adds .strip() to remove trailing whitespace from git remote output. Tests cover both behaviors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main issue fixed in this PR: preventing '.git' substring corruption in the PURL namespace when the path contains '.git' as a mid-path component.
Docstring Coverage	✅ Passed	Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/dfetch-bug-fixes-A5KXW

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@dfetch/manifest/version.py`:
- Around line 22-25: The `__hash__` method does not match the semantics of the
`__eq__` method in the Version class. The `__eq__` method prioritizes tag
comparison—if either version has a tag, only tags are compared, ignoring branch
and revision. However, `__hash__` currently hashes all three fields
unconditionally. This violates Python's hash/equality contract where equal
objects must have equal hashes. Update the `__hash__` method to hash only the
fields that determine equality: if the tag exists, hash only the tag; otherwise,
hash the tuple of branch and revision. This ensures two versions that are equal
under `__eq__` will always produce the same hash value.

In `@tests/test_project_version.py`:
- Around line 220-223: The test_version_remains_hashable function only verifies
that a single Version instance can be in a set, but doesn't validate the
critical __eq__/__hash__ contract for equal-but-distinct instances. Strengthen
the test by creating two separate Version objects with identical tag values
(both "1.0"), asserting they compare as equal, verifying they have the same hash
value, and confirming that a set containing one Version instance will correctly
identify the other equal Version instance as a member (using the 'in' operator).
This will catch violations of Python's rule that equal objects must have equal
hashes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 541af782-9a2f-47f8-ad81-cb804f1f2704

📥 Commits

Reviewing files that changed from the base of the PR and between e35c251 and 91b2a19.

📒 Files selected for processing (9)

• CHANGELOG.rst
• dfetch/manifest/manifest.py
• dfetch/manifest/version.py
• dfetch/util/purl.py
• dfetch/vcs/git.py
• tests/test_add.py
• tests/test_git_vcs.py
• tests/test_project_version.py
• tests/test_purl.py

[spoorcc]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[spoorcc]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[spoorcc]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.rst`:
- Line 6: The CHANGELOG.rst file contains duplicate entries describing the same
fix for the dfetch import namespace mangling issue (issue `#1268`) related to
generic VCS URLs containing .git in the path. Remove the duplicate entry on line
6 and keep only the clearer version from line 8 which explicitly specifies that
.git should be removed only as a suffix, consolidating them into a single
changelog entry.

In `@tests/test_add.py`:
- Around line 154-171: The test functions
test_determine_remote_requires_path_boundary and
test_determine_remote_matches_exact_and_subpath are testing
Manifest.find_remote_for_url but are currently in tests/test_add.py. Move these
two test functions to tests/test_manifest.py to follow the repository's test
layout convention where test files should mirror the module names they test.
Ensure any necessary imports (Mock, _make_remote, Manifest) are available in the
target test file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c14579c8-ceac-482f-bccc-231887e70733

📥 Commits

Reviewing files that changed from the base of the PR and between 91b2a19 and ba1ff56.

📒 Files selected for processing (9)

• CHANGELOG.rst
• dfetch/manifest/manifest.py
• dfetch/manifest/version.py
• dfetch/util/purl.py
• dfetch/vcs/git.py
• tests/test_add.py
• tests/test_git_vcs.py
• tests/test_project_version.py
• tests/test_purl.py