@Bill-hbrhbr Bill-hbrhbr commented Sep 23, 2025

Description

This PR improves how pipx-based dev dependencies are installed and verified:

  1. User-scoped installs

    • Ensures pipx packages are always installed as the invoking user (never as root).
    • Prevents binaries from being placed in root-owned directories, keeping them under user paths (e.g., ~/.local).
  2. Reliable version checks

    • Avoids reliance on pipx ensurepath, which often requires a shell re-login or manual .bashrc sourcing.
    • Instead, we query pipx list to obtain the full binary paths directly and use them for version checks.
    • This ensures CI and local builds consistently find the right executables.

Additionally, changes to pipx package scripts now trigger CI artifact builds to ensure updates are validated.

Left to fix in another PR (potentially #1122):

Checklist

  • The PR satisfies the contribution guidelines.
  • This is a breaking change and that has been indicated in the PR title, OR this isn't a
    breaking change.
  • Necessary docs have been updated, OR no docs need to be updated.

Validation performed

  • Pipx packages are installed into user directories as desired. GitHub CI unaffected.

Summary by CodeRabbit

  • Bug Fixes

    • Installer detects sudo-invoked runs from non-root users, notifies and restarts under the original user so pipx packages install into the user environment with PATH and HOME preserved.
  • Enhancements

    • Improved detection and clearer messaging for CMake, Go Task and uv: scripts report discovered binary locations, use the actual binary for version checks, and confirm installed versions.
  • New Features

    • Added a helper to locate pipx-installed binaries.
  • Chores

    • CI/workflow triggers updated so changes under pipx packages trigger relevant Linux and macOS builds.

@Bill-hbrhbr Bill-hbrhbr requested a review from a team as a code owner September 23, 2025 09:40

coderabbitai bot commented Sep 23, 2025

Walkthrough

Adds a sudo-from-non-root startup guard to install-all.sh that re-executes the script under the original non-root user (preserving PATH and HOME); adds a helper to locate pipx-installed binaries; refactors cmake/go-task/uv installers to detect and use resolved binary paths; and expands CI path filters to include components/core/tools/scripts/lib_install/pipx-packages/**.

Changes

Cohort / File(s) Summary
pipx install guard
components/core/tools/scripts/lib_install/pipx-packages/install-all.sh
Add startup check for sudo-from-non-root (EUID==0 && SUDO_UID!=0); print notice and re-exec self under the original non-root user preserving PATH and HOME via sudo --preserve-env=PATH,HOME --set-home --user="$SUDO_USER" -- <script> <args>; subsequent steps run after relaunch.
Find pipx binary helper
components/core/tools/scripts/lib_install/pipx-packages/find-pipx-bin.sh
New script to locate a binary inside a package's pipx virtualenv using pipx list --json and jq; enforces presence of pipx and jq, validates arguments, and prints the resolved binary path.
CMake detection & usage
components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh
Detect cmake via command -v cmake and assign cmake_bin; install via pipx only if missing; use ${cmake_bin} for version checks and commands; echo final version and path.
go-task detection & usage
components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh
Detect task via command -v task into go_task_bin; install via pipx if missing and locate binary via helper; compute installed_version by invoking the resolved binary; update comparisons and echo installed version and path.
uv detection & usage
components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh
Detect uv via command -v uv into uv_bin; install via pipx if missing and resolve binary via helper; use uv_bin for version parsing and checks; echo confirmed version and binary path.
CI path filters — Linux images
.github/workflows/clp-artifact-build.yaml
Add components/core/tools/scripts/lib_install/pipx-packages/** to change-detection/path filters for multiple image groups (centos_stream_9_image, manylinux_2_28_x86_64_image, musllinux_1_2_x86_64_image, ubuntu_jammy_image) in both base and per-image filters.
CI path filters — macOS build
.github/workflows/clp-core-build-macos.yaml
Add components/core/tools/scripts/lib_install/pipx-packages/** to PR and push trigger paths so macOS workflow triggers on changes under that directory.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant InstallAll as install-all.sh
  participant Sudo as sudo
  note over InstallAll: Script start
  User->>InstallAll: Execute script (maybe via sudo)
  alt EUID == 0 and SUDO_UID != 0
    InstallAll-->>User: "Installing pipx packages to the user environment (sudo lifted)."
    InstallAll->>Sudo: sudo --preserve-env=PATH,HOME --set-home --user="$SUDO_USER" -- <script> <args>
    Sudo->>InstallAll: Re-exec under original non-root user
    note over InstallAll: Then call install-cmake.sh, install-go-task.sh, install-uv.sh
    InstallAll->>InstallAll: invoke find-pipx-bin.sh as needed to resolve binaries
  else Not invoked via sudo-from-non-root
    note over InstallAll: Call installers directly
    InstallAll->>InstallAll: resolve existing binaries or install via pipx as needed
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title concisely communicates that the PR fixes development dependencies by ensuring pipx installs run under the user scope and implements reliable version checks for pipx packages, accurately reflecting the main objectives without extraneous detail.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6bea8cf and 4640164.

📒 Files selected for processing (1)
  • .github/workflows/clp-artifact-build.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: ubuntu-jammy-deps-image
  • GitHub Check: manylinux_2_28-x86_64-deps-image
  • GitHub Check: rust-checks (ubuntu-22.04)
  • GitHub Check: rust-checks (ubuntu-24.04)
  • GitHub Check: lint-check (ubuntu-24.04)
  • GitHub Check: build (macos-15)
🔇 Additional comments (1)
.github/workflows/clp-artifact-build.yaml (1)

61-88: Good call adding pipx-packages to the image filters

This keeps the deps images in sync whenever the pipx installer scripts update, so the rebuild logic stays trustworthy. Nicely done.



@Bill-hbrhbr Bill-hbrhbr changed the title from "fix(deps): Drop sudo before pipx installs to ensure user-scoped pipx packages." to "fix(deps-dev): Drop sudo before pipx installs to ensure user-scoped pipx packages." Sep 23, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 54418b0 and e6817d8.

📒 Files selected for processing (1)
  • components/core/tools/scripts/lib_install/pipx-packages/install-all.sh (1 hunks)
🧰 Additional context used
🪛 Shellcheck (0.11.0)
components/core/tools/scripts/lib_install/pipx-packages/install-all.sh

[style] 7-7: $/${} is unnecessary on arithmetic variables.

(SC2004)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: package-image
  • GitHub Check: lint-check (ubuntu-24.04)
  • GitHub Check: lint-check (macos-15)
🔇 Additional comments (1)
components/core/tools/scripts/lib_install/pipx-packages/install-all.sh (1)

7-11: Confirm intended behaviour when run as root directly (not via sudo).

If invoked as root without sudo, the guard doesn’t trigger and installs proceed as root. Is that desired for CI/containers, or should we warn/exit?
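
The guard condition discussed in this review (EUID==0 && SUDO_UID!=0), written out as a small classifier that also names the direct-root case the comment asks about. This is an added example, not the project's install-all.sh; `launch_mode` and `reexec_argv` are hypothetical names, and the sudo flags are the ones quoted in the walkthrough earlier in this thread.

```bash
#!/usr/bin/env bash
# Added example: not the project's install-all.sh. Function names are
# hypothetical; the sudo flags are the ones quoted in the PR walkthrough.

# Classify how the installer was launched.
#   $1 = effective UID, $2 = SUDO_UID (may be empty), $3 = SUDO_USER (may be empty)
# Prints: user | sudo-from-user | sudo-from-root | root-direct | invalid-sudo-env
launch_mode() {
    local euid="$1"
    local sudo_uid="$2"
    local sudo_user="$3"

    if [ "$euid" -ne 0 ]; then
        echo "user"              # already unprivileged: pipx installs under $HOME
        return 0
    fi
    if [ -z "$sudo_uid" ]; then
        echo "root-direct"       # root shell or container: the guard does not fire
        return 0
    fi
    case "$sudo_uid" in
        *[!0-9]*)
            echo "invalid-sudo-env"   # never feed a non-numeric value to a UID test
            return 0
            ;;
    esac
    if [ "$sudo_uid" -eq 0 ]; then
        echo "sudo-from-root"    # root ran sudo: there is no user to drop back to
    elif [ -z "$sudo_user" ]; then
        echo "invalid-sudo-env"  # UID without a name: cannot build --user=
    else
        echo "sudo-from-user"    # EUID==0 && SUDO_UID!=0: re-exec as SUDO_USER
    fi
}

# Print, one argument per line, the re-exec command for the sudo-from-user case.
#   $1 = SUDO_USER, $2 = script path, remaining = original arguments
reexec_argv() {
    local user="$1"
    local script="$2"
    shift 2
    printf '%s\n' sudo --preserve-env=PATH,HOME --set-home "--user=${user}" -- "$script" "$@"
}

# Report the mode for the current process without re-executing anything.
mode="$(launch_mode "$(id -u)" "${SUDO_UID:-}" "${SUDO_USER:-}")"
echo "launch mode: ${mode}"
if [ "$mode" = "sudo-from-user" ]; then
    echo "would re-exec as:"
    reexec_argv "$SUDO_USER" "$0" "$@"
fi
```

Whether `root-direct` should proceed, warn or exit is the policy question the review leaves open; the classifier only makes the case explicit so that decision is written down in one place.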

Bill-hbrhbr and others added 2 commits September 23, 2025 17:48
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e6817d8 and 896a9c4.

📒 Files selected for processing (1)
  • components/core/tools/scripts/lib_install/pipx-packages/install-all.sh (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: package-image
🔇 Additional comments (3)
components/core/tools/scripts/lib_install/pipx-packages/install-all.sh (3)

7-7: LGTM: arithmetic EUID check with nounset-safe default.
Matches ShellCheck guidance; good fix.


10-11: LGTM: robust re-exec using env bash and BASH_SOURCE; PATH preserved.
Prevents $0 pitfalls and keeps PATH intact for user tools.


7-12: No remaining sudo-prefixed pipx invocations found — resolved.
Searched repository with rg -nP --hidden --no-ignore-vcs -S '\bsudo\b[^\n]*\bpipx\b' — no matches.

@Bill-hbrhbr Bill-hbrhbr changed the title from "fix(deps-dev): Drop sudo before pipx installs to ensure user-scoped pipx packages." to "fix(deps-dev): Drop sudo before pipx installs to ensure user-scoped pipx packages; Allow pipx package changes to trigger artifact building CI." Sep 23, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 84c01bf and 22ec79e.

📒 Files selected for processing (3)
  • components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh (2 hunks)
  • components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh (2 hunks)
  • components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-29T07:31:24.032Z
Learnt from: Bill-hbrhbr
PR: y-scope/clp#1271
File: components/core/tools/scripts/lib_install/centos-stream-9/install-prebuilt-packages.sh:41-43
Timestamp: 2025-08-29T07:31:24.032Z
Learning: In CLP's build tool installation scripts, uv version constraints should use lower bound constraints (uv>=0.8) rather than exact version pinning, following the same philosophy used for other build tools to accommodate platform differences while ensuring minimum required functionality.

Applied to files:

  • components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh
📚 Learning: 2025-08-29T07:26:53.532Z
Learnt from: Bill-hbrhbr
PR: y-scope/clp#1271
File: components/core/tools/scripts/lib_install/centos-stream-9/install-prebuilt-packages.sh:27-33
Timestamp: 2025-08-29T07:26:53.532Z
Learning: In CLP's build tool installation scripts, CMake version constraints should accommodate platform differences rather than using exact version pinning. Range constraints like "cmake>=3.23,<3.24" are preferred over exact pinning (cmake==3.23.5) to allow for platform-specific package availability while maintaining required version bounds.

Applied to files:

  • components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: ubuntu-jammy-deps-image
  • GitHub Check: manylinux_2_28-x86_64-deps-image
  • GitHub Check: centos-stream-9-deps-image
  • GitHub Check: lint-check (ubuntu-24.04)
🔇 Additional comments (2)
components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh (1)

15-25: Consistent Task binary handling reads well.

Using go_task_bin to drive both discovery and logging keeps preinstalled-versus-pipx-installed cases aligned. Nice touch.

components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh (1)

32-34: Thanks for reusing the discovered cmake binary here.

Parsing the capabilities JSON off the resolved path eliminates $PATH dependence and keeps the version gate reliable.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
components/core/tools/scripts/lib_install/pipx-packages/find-pipx-bin.sh (1)

25-29: Fix jq query against pipx JSON and fail fast if not found.

pipx’s JSON exposes main_package.app_paths as a map of app->path, not an array with Path. The current jq returns nothing. Resolve by querying the map (with a safe fallback) and exit non‑zero if no path is found.

Apply:

-pipx list --json | jq --raw-output --arg pkg "$pkg" --arg app "$app" '
-	.venvs[$pkg].metadata.main_package.app_paths[]?.__Path__
-	| select((split("/") | last) == $app)
-' | head -n1
+bin_path="$(
+  pipx list --json \
+  | jq -re --arg pkg "$pkg" --arg app "$app" '
+      .venvs[$pkg].metadata.main_package.app_paths[$app]
+      // (.venvs[$pkg].metadata.main_package.app_paths[]? | select(endswith("/"+$app)))
+    '
+)" || {
+  echo "Error: failed to locate binary '$app' for package '$pkg' via pipx." >&2
+  exit 3
+}
+echo "${bin_path}"
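Review bot: The replacement query drops the `| head -n1` that the removed lines had, so if the fallback branch `app_paths[]? | select(endswith("/"+$app))` yields more than one match, `bin_path` holds several newline-separated paths and every caller that executes it breaks. The two versions also assume different shapes for `app_paths`: the removed lines read `.__Path__` from each array element, while the added lines index it as a map with `[$app]` and call `endswith` on the elements as if they were plain strings. Capture one real `pipx list --json` output, run both filters against it, and keep a single-result limit (`| head -n1` or jq's `first(...)`) on whichever one matches before applying this.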
components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh (1)

7-10: Add a jq dependency check.

This script uses jq to parse CMake capabilities. Without jq, set -e will fail without a clear message.

 if ! command -v pipx >/dev/null 2>&1; then
     echo "Error: pipx not found."
     exit 1
 fi
+
+if ! command -v jq >/dev/null 2>&1; then
+    echo "Error: jq not found."
+    exit 1
+fi
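Review bot: The added `echo "Error: jq not found."` writes to stdout, so a caller that captures this script's output receives the error text as data. Send it to stderr with `>&2`, and do the same for the existing pipx message just above it so the two checks stay consistent.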
components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh (2)

7-10: Add a jq dependency check.

jq is required to parse uv’s JSON version output.

 if ! command -v pipx >/dev/null 2>&1; then
     echo "Error: pipx not found."
     exit 1
 fi
+
+if ! command -v jq >/dev/null 2>&1; then
+    echo "Error: jq not found."
+    exit 1
+fi
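Review bot: This jq check is a line-for-line copy of the one proposed for install-cmake.sh, and it again prints the error to stdout. Route the message to stderr with `>&2`, and consider moving the pipx and jq presence checks into one sourced helper so a future dependency is added in a single place.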

29-33: Quote uv_bin and fix version variable typo.

Quote the command path; align variable names for clarity.

-installed_version=$(${uv_bin} self version --output-format json | jq --raw-output ".version")
-IFS=. read -r installd_version_major installed_version_minor _ <<<"${installed_version}"
-
-if (("${installd_version_major}" == "${required_version_major_min}" && \
+installed_version=$("${uv_bin}" self version --output-format json | jq --raw-output ".version")
+IFS=. read -r installed_version_major installed_version_minor _ <<<"${installed_version}"
+
+if (("${installed_version_major}" == "${required_version_major_min}" && \
     "${installed_version_minor}" < "${required_version_minor_min}")); then
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 22ec79e and ac5ec93.

📒 Files selected for processing (6)
  • .github/workflows/clp-artifact-build.yaml (1 hunks)
  • .github/workflows/clp-core-build-macos.yaml (2 hunks)
  • components/core/tools/scripts/lib_install/pipx-packages/find-pipx-bin.sh (1 hunks)
  • components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh (2 hunks)
  • components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh (2 hunks)
  • components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh (2 hunks)
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-07-07T17:41:15.655Z
Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-prebuilt-packages.sh:27-32
Timestamp: 2025-07-07T17:41:15.655Z
Learning: In CLP installation scripts, consistency across platform scripts is prioritized over defensive programming improvements. For example, when extracting Task binaries with tar in `install-prebuilt-packages.sh`, the extraction pattern should remain consistent with other platform scripts rather than adding defensive flags like `--strip-components=1` to handle potential tarball layout changes.

Applied to files:

  • components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh
📚 Learning: 2025-08-29T07:26:53.532Z
Learnt from: Bill-hbrhbr
PR: y-scope/clp#1271
File: components/core/tools/scripts/lib_install/centos-stream-9/install-prebuilt-packages.sh:27-33
Timestamp: 2025-08-29T07:26:53.532Z
Learning: In CLP's build tool installation scripts, CMake version constraints should accommodate platform differences rather than using exact version pinning. Range constraints like "cmake>=3.23,<3.24" are preferred over exact pinning (cmake==3.23.5) to allow for platform-specific package availability while maintaining required version bounds.

Applied to files:

  • components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh
📚 Learning: 2025-08-20T05:38:30.720Z
Learnt from: junhaoliao
PR: y-scope/clp#1242
File: taskfile.yaml:545-547
Timestamp: 2025-08-20T05:38:30.720Z
Learning: The python component directories in the y-scope/clp repository are kept very clean and only contain essential files: source code directories, pyproject.toml, poetry.lock, README.md, and the dist/ directory. No cache directories, virtual environments, or other transient files exist in the component directories, so additional exclude patterns beyond "dist/**/*" are unnecessary.

Applied to files:

  • .github/workflows/clp-core-build-macos.yaml
📚 Learning: 2025-05-26T16:03:05.519Z
Learnt from: quinntaylormitchell
PR: y-scope/clp#918
File: .github/workflows/clp-execution-image-build.yaml:77-97
Timestamp: 2025-05-26T16:03:05.519Z
Learning: In .github/workflows/clp-execution-image-build.yaml, the ubuntu-jammy-execution-image and ubuntu-noble-execution-image jobs are intentionally kept separate (rather than using a matrix strategy) to make it easier to remove individual platform versions when they reach end of life, such as when jammy eventually becomes obsolete.

Applied to files:

  • .github/workflows/clp-artifact-build.yaml
📚 Learning: 2025-08-29T07:31:24.032Z
Learnt from: Bill-hbrhbr
PR: y-scope/clp#1271
File: components/core/tools/scripts/lib_install/centos-stream-9/install-prebuilt-packages.sh:41-43
Timestamp: 2025-08-29T07:31:24.032Z
Learning: In CLP's build tool installation scripts, uv version constraints should use lower bound constraints (uv>=0.8) rather than exact version pinning, following the same philosophy used for other build tools to accommodate platform differences while ensuring minimum required functionality.

Applied to files:

  • components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: musllinux_1_2-x86_64-deps-image
  • GitHub Check: ubuntu-jammy-deps-image
  • GitHub Check: manylinux_2_28-x86_64-deps-image
  • GitHub Check: centos-stream-9-deps-image
  • GitHub Check: lint-check (macos-15)
🔇 Additional comments (2)
.github/workflows/clp-core-build-macos.yaml (1)

12-12: LGTM: ensure pipx-packages changes trigger macOS builds.

The added path filter looks correct and consistent with existing patterns.

Please confirm no other workflows rely on these scripts without similar path filters.

Also applies to: 27-27

.github/workflows/clp-artifact-build.yaml (1)

65-66: LGTM: include pipx-packages in image delta filters.

Consistent additions across all image filters; matches intent to rebuild when pipx installers change.

Also applies to: 72-73, 79-80, 86-87

Comment on lines +28 to 31
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
cmake_bin=$("${script_dir}/find-pipx-bin.sh" cmake cmake)
echo "Pipx CMake installed at: ${cmake_bin}"
fi

⚠️ Potential issue | 🟠 Major

Validate resolved cmake_bin after pipx install.

If the helper fails to locate the binary, subsequent invocations will crash obscurely.

-    script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-    cmake_bin=$("${script_dir}/find-pipx-bin.sh" cmake cmake)
-    echo "Pipx CMake installed at: ${cmake_bin}"
+    script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+    cmake_bin=$("${script_dir}/find-pipx-bin.sh" cmake cmake)
+    if [ -z "${cmake_bin}" ] || [ ! -x "${cmake_bin}" ]; then
+        echo "Error: could not resolve CMake binary after pipx install." >&2
+        echo "       Try: pipx uninstall cmake && pipx install 'cmake>=${required_version_min},<${required_version_major_max_plus_1}'" >&2
+        exit 1
+    fi
+    echo "Pipx CMake installed at: ${cmake_bin}"
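Review bot: In the added `[ ! -x "${cmake_bin}" ]` test, `-x` is also true for a searchable directory, so a resolver that returns the venv's bin directory instead of the binary would pass this check and fail later at the first invocation. Add a regular-file test alongside it, for example `[ ! -f "${cmake_bin}" ] || [ ! -x "${cmake_bin}" ]`.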
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
cmake_bin=$("${script_dir}/find-pipx-bin.sh" cmake cmake)
echo "Pipx CMake installed at: ${cmake_bin}"
fi
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
cmake_bin=$("${script_dir}/find-pipx-bin.sh" cmake cmake)
if [ -z "${cmake_bin}" ] || [ ! -x "${cmake_bin}" ]; then
echo "Error: could not resolve CMake binary after pipx install." >&2
echo " Try: pipx uninstall cmake && pipx install 'cmake>=${required_version_min},<${required_version_major_max_plus_1}'" >&2
exit 1
fi
echo "Pipx CMake installed at: ${cmake_bin}"
fi
🤖 Prompt for AI Agents
In components/core/tools/scripts/lib_install/pipx-packages/install-cmake.sh
around lines 28 to 31, the script does not validate the resolved cmake_bin
returned by find-pipx-bin.sh; if it is empty or not executable subsequent calls
will fail obscurely — after calling find-pipx-bin.sh check that cmake_bin is
non-empty and points to an executable file, and if not print a clear error
message to stderr and exit with a non-zero status so the failure is explicit
(optionally include guidance to re-run pipx install or check PATH).

Comment on lines +25 to 27
go_task_bin=$("${script_dir}/find-pipx-bin.sh" go-task-bin task)
echo "Pipx Task installed at: ${go_task_bin}"
fi

⚠️ Potential issue | 🟠 Major

Validate resolved Task binary after pipx install.

Harden against a missing/incorrectly resolved path before using it.

-    go_task_bin=$("${script_dir}/find-pipx-bin.sh" go-task-bin task)
-    echo "Pipx Task installed at: ${go_task_bin}"
+    go_task_bin=$("${script_dir}/find-pipx-bin.sh" go-task-bin task)
+    if [ -z "${go_task_bin}" ] || [ ! -x "${go_task_bin}" ]; then
+        echo "Error: could not resolve Task binary after pipx install." >&2
+        echo "       Try: pipx uninstall go-task-bin && pipx install 'go-task-bin==${required_version}'" >&2
+        exit 1
+    fi
+    echo "Pipx Task installed at: ${go_task_bin}"
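Review bot: The empty-or-not-executable test added here is the same one proposed for install-cmake.sh and install-uv.sh, differing only in variable name and hint text. Put the test in find-pipx-bin.sh itself so it exits non-zero whenever it cannot print a usable path, and have each installer check that exit status; the per-tool `pipx uninstall ... && pipx install ...` hint can stay in the caller.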
🤖 Prompt for AI Agents
In components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh
around lines 25 to 27, the script echoes the resolved go_task_bin without
verifying it; validate that the variable is non-empty and points to an
executable file before using it, and if validation fails print a clear error
message to stderr and exit with a non-zero status so the failure is caught by
callers; if it passes, continue to echo the install location as currently done.

Comment on lines +29 to +31
installed_version=$(${go_task_bin} --silent --taskfile "${script_dir}/print-go-task-version.yaml")
if [[ "${installed_version}" != "${required_version}" ]]; then
echo "Error: Task version ${installed_version} is currently unsupported (must be" \

⚠️ Potential issue | 🟡 Minor

Quote the resolved binary when invoking.

Prevents breakage if the path contains spaces.

-installed_version=$(${go_task_bin} --silent --taskfile "${script_dir}/print-go-task-version.yaml")
+installed_version=$("${go_task_bin}" --silent --taskfile "${script_dir}/print-go-task-version.yaml")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
installed_version=$(${go_task_bin} --silent --taskfile "${script_dir}/print-go-task-version.yaml")
if [[ "${installed_version}" != "${required_version}" ]]; then
echo "Error: Task version ${installed_version} is currently unsupported (must be" \
installed_version=$("${go_task_bin}" --silent --taskfile "${script_dir}/print-go-task-version.yaml")
if [[ "${installed_version}" != "${required_version}" ]]; then
echo "Error: Task version ${installed_version} is currently unsupported (must be"
🤖 Prompt for AI Agents
In components/core/tools/scripts/lib_install/pipx-packages/install-go-task.sh
around lines 29 to 31, the command substitution invokes the resolved binary
unquoted which breaks if the path contains spaces; update the invocation to
quote the binary (replace ${go_task_bin} with "${go_task_bin}") in the command
substitution (and any other places you call the binary) so the resolved path
with spaces is treated as a single argument.

Comment on lines +24 to 27
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
uv_bin=$("${script_dir}/find-pipx-bin.sh" uv uv)
echo "Pipx uv installed at: ${uv_bin}"
fi

⚠️ Potential issue | 🟠 Major

Validate resolved uv binary after pipx install.

Avoids opaque failures when uv_bin isn’t found.

-    script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-    uv_bin=$("${script_dir}/find-pipx-bin.sh" uv uv)
-    echo "Pipx uv installed at: ${uv_bin}"
+    script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+    uv_bin=$("${script_dir}/find-pipx-bin.sh" uv uv)
+    if [ -z "${uv_bin}" ] || [ ! -x "${uv_bin}" ]; then
+        echo "Error: could not resolve uv binary after pipx install." >&2
+        echo "       Try: pipx uninstall uv && pipx install 'uv>=${required_version_min}'" >&2
+        exit 1
+    fi
+    echo "Pipx uv installed at: ${uv_bin}"
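Review bot: The error branch never prints the value of `uv_bin`, so when the helper returns a wrong but non-empty path the log only says that resolution failed, not what was resolved. Include the value in the message, for example `echo "Error: could not resolve uv binary after pipx install (got '${uv_bin}')." >&2`.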
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
uv_bin=$("${script_dir}/find-pipx-bin.sh" uv uv)
echo "Pipx uv installed at: ${uv_bin}"
fi
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
uv_bin=$("${script_dir}/find-pipx-bin.sh" uv uv)
if [ -z "${uv_bin}" ] || [ ! -x "${uv_bin}" ]; then
echo "Error: could not resolve uv binary after pipx install." >&2
echo " Try: pipx uninstall uv && pipx install 'uv>=${required_version_min}'" >&2
exit 1
fi
echo "Pipx uv installed at: ${uv_bin}"
fi
🤖 Prompt for AI Agents
In components/core/tools/scripts/lib_install/pipx-packages/install-uv.sh around
lines 24 to 27, the script echoes the resolved uv binary but does not validate
it; update the script to check that uv_bin is non-empty and points to an
executable (e.g., test -n "$uv_bin" && [ -x "$uv_bin" ]) and if the check fails,
print a clear error message including the attempted path and exit with a
non-zero status so downstream steps fail fast and provide actionable
diagnostics.
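
The review comments above on validating the resolved binary, quoting it when invoking, and gating on its version, combined into one runnable sketch. This is an added example, not the project's installer code: all function names are hypothetical, the "tool" is a constructed stand-in script rather than real uv, and the version gate is a generic major.minor lower bound.

```bash
#!/usr/bin/env bash
# Added example: not the project's installer code. All function names are
# hypothetical, and the "tool" is a constructed stand-in, not real uv.

# Succeed only if $1 is a non-empty string of decimal digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Succeed only if $1 is a non-empty path to a regular, executable file.
require_executable() {
    local bin="$1"
    [ -n "$bin" ] || { echo "Error: resolver returned an empty path." >&2; return 1; }
    [ -f "$bin" ] || { echo "Error: '$bin' is not a regular file." >&2; return 1; }
    [ -x "$bin" ] || { echo "Error: '$bin' is not executable." >&2; return 1; }
}

# Succeed if dotted version $1 is >= $2.$3 (major.minor lower bound).
# Returns 2 when the version cannot be parsed into two integers.
version_at_least() {
    local version="$1"
    local want_major="$2"
    local want_minor="$3"
    local major rest minor
    major="${version%%.*}"
    rest="${version#*.}"
    minor="${rest%%.*}"
    if [ "$rest" = "$version" ] || ! is_uint "$major" || ! is_uint "$minor"; then
        echo "Error: unparseable version '$version'." >&2
        return 2
    fi
    # Integer comparison: 0.10 is newer than 0.8, which string comparison gets wrong.
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# Resolve-then-use, as the installers do: validate the path, invoke it quoted,
# and gate on the version it reports. Prints the version on success.
#   $1 = resolved path, $2 = required major, $3 = minimum minor
check_tool() {
    local bin="$1"
    local installed
    require_executable "$bin" || return 1
    installed="$("$bin")" || { echo "Error: '$bin' failed to run." >&2; return 1; }
    version_at_least "$installed" "$2" "$3" || {
        echo "Error: version '$installed' is below $2.$3." >&2
        return 1
    }
    printf '%s\n' "$installed"
}

# Constructed stand-in for a pipx-resolved binary. It lives under a directory
# whose name contains a space and prints a fixed version string.
make_fake_tool() {
    local dir
    dir="$(mktemp -d)" || return 1
    mkdir -p "$dir/pipx home/bin"
    printf '#!/bin/sh\necho 0.8.3\n' > "$dir/pipx home/bin/uv"
    chmod +x "$dir/pipx home/bin/uv"
    printf '%s\n' "$dir/pipx home/bin/uv"
}

demo_tool="$(make_fake_tool)"
echo "resolved: ${demo_tool}"
echo "version:  $(check_tool "$demo_tool" 0 8)"
rm -rf "${demo_tool%/pipx home/bin/uv}"
```

Because the stand-in lives under a directory with a space in its name, an unquoted `$(${bin})` invocation would split the path and fail, which is the breakage the quoting comment describes.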

@Bill-hbrhbr Bill-hbrhbr changed the title from "fix(deps-dev): Drop sudo before pipx installs to ensure user-scoped pipx packages; Allow pipx package changes to trigger artifact building CI." to "fix(deps-dev): Improves pipx-packages scripts:" Sep 29, 2025
@Bill-hbrhbr Bill-hbrhbr changed the title from "fix(deps-dev): Improves pipx-packages scripts:" to "fix(deps-dev): Ensure user-scoped pipx installs and reliable version checks for pipx packages." Sep 29, 2025