From 588003f34f72a3efa919ac14912bf5bbff942ccc Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Wed, 6 Aug 2025 17:10:59 +0300
Subject: [PATCH 01/10] feat: enhance security validation for repository URLs
 and improve error handling

---
 main.go      | 453 +++++++++++++++++++++++++++++++++++++++++++++----
 main_test.go | 468 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 888 insertions(+), 33 deletions(-)

diff --git a/main.go b/main.go
index 72921f2..0922161 100644
--- a/main.go
+++ b/main.go
@@ -1,13 +1,17 @@
 package main
 
 import (
+	"context"
+	"errors"
 	"fmt"
-	"log"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/spf13/pflag"
 )
@@ -18,7 +22,190 @@ var (
 	date    = "unknown"
 )
 
-var r = regexp.MustCompile(`^(?:.*://)?(?:[^@]+@)?([^:/]+)(?::\d+)?[/:]?(.*)$`)
+var regexPool = sync.Pool{
+	New: func() any {
+		return regexp.MustCompile(`^(?:.*://)?(?:[^@]+@)?([^:/]+)(?::\d+)?[/:]?(.*)$`)
+	},
+}
+
+type cacheEntry struct {
+	exists    bool
+	timestamp time.Time
+}
+
+type DirCache struct {
+	cache map[string]cacheEntry
+	mutex sync.RWMutex
+	ttl   time.Duration
+}
+
+var dirCache = &DirCache{
+	cache: make(map[string]cacheEntry),
+	ttl:   30 * time.Second,
+}
+
+// Security validation functions
+
+var (
+	// Allowed URL schemes for git repositories
+	allowedSchemes = map[string]bool{
+		"https": true,
+		"http":  true,
+		"ssh":   true,
+		"git":   true,
+	}
+	
+	// Dangerous characters that could be used for command injection
+	dangerousChars = regexp.MustCompile(`[;&|$\x60<>(){}[\]!*?]`)
+	
+	// Valid hostname pattern - more restrictive than RFC but safer
+	validHostname = regexp.MustCompile(`^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$`)
+	
+	// Valid path characters for Git repositories
+	validRepoPath = regexp.MustCompile(`^[a-zA-Z0-9._/-]+$`)
+)
+
+// validateRepositoryURL performs comprehensive security validation of repository URLs
+func validateRepositoryURL(repo string) error {
+	if repo == "" {
+		return errors.New("repository URL cannot be empty")
+	}
+
+	// Check for dangerous characters that could indicate command injection
+	if dangerousChars.MatchString(repo) {
+		return errors.New("repository URL contains dangerous characters")
+	}
+
+	// Handle SSH URLs like git@github.com:user/repo.git
+	if strings.Contains(repo, "@") && strings.Contains(repo, ":") && !strings.Contains(repo, "://") {
+		return validateSSHURL(repo)
+	}
+
+	// Parse as regular URL
+	parsedURL, err := url.Parse(repo)
+	if err != nil {
+		return fmt.Errorf("invalid URL format: %w", err)
+	}
+
+	// Validate scheme
+	if parsedURL.Scheme != "" && !allowedSchemes[parsedURL.Scheme] {
+		return fmt.Errorf("unsupported URL scheme: %s", parsedURL.Scheme)
+	}
+
+	// Validate hostname
+	if parsedURL.Host != "" && !validHostname.MatchString(parsedURL.Host) {
+		return fmt.Errorf("invalid hostname: %s", parsedURL.Host)
+	}
+
+	// Validate path for traversal attacks
+	if err := validatePath(parsedURL.Path); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// validateSSHURL validates SSH-style Git URLs (git@host:path)
+func validateSSHURL(repo string) error {
+	parts := strings.SplitN(repo, "@", 2)
+	if len(parts) != 2 {
+		return errors.New("invalid SSH URL format")
+	}
+
+	hostPath := parts[1]
+	hostPathParts := strings.SplitN(hostPath, ":", 2)
+	if len(hostPathParts) != 2 {
+		return errors.New("invalid SSH URL format - missing colon separator")
+	}
+
+	host := hostPathParts[0]
+	path := hostPathParts[1]
+
+	// Validate hostname
+	if !validHostname.MatchString(host) {
+		return fmt.Errorf("invalid hostname in SSH URL: %s", host)
+	}
+
+	// Validate path
+	if err := validatePath(path); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// validatePath checks for path traversal attacks and invalid characters
+func validatePath(path string) error {
+	if path == "" {
+		return nil // Empty path is acceptable
+	}
+
+	// Check for path traversal attempts
+	if strings.Contains(path, "..") {
+		return errors.New("path traversal detected in URL")
+	}
+
+	// Check for absolute paths that could escape intended directory
+	if strings.HasPrefix(path, "/") {
+		// Remove leading slash for validation but allow it
+		path = strings.TrimPrefix(path, "/")
+	}
+
+	// Allow tilde for user directories but validate the rest
+	if strings.HasPrefix(path, "~") {
+		path = strings.TrimPrefix(path, "~")
+		if strings.HasPrefix(path, "/") {
+			path = strings.TrimPrefix(path, "/")
+		}
+	}
+
+	// Validate remaining path characters (allow common Git repo path characters)
+	if path != "" && !validRepoPath.MatchString(path) {
+		return fmt.Errorf("invalid characters in repository path: %s", path)
+	}
+
+	return nil
+}
+
+// secureGitClone performs git clone with additional security measures including timeout
+func secureGitClone(repository, targetDir string, quiet bool) error {
+	// Double-check validation (defense in depth)
+	if err := validateRepositoryURL(repository); err != nil {
+		return fmt.Errorf("security validation failed: %w", err)
+	}
+
+	// Validate target directory to prevent directory traversal
+	cleanTargetDir := filepath.Clean(targetDir)
+	if strings.Contains(cleanTargetDir, "..") {
+		return errors.New("target directory contains path traversal")
+	}
+
+	// Create context with timeout to prevent hanging operations
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+
+	// Create command with explicit arguments and timeout context (no shell interpretation)
+	cmd := exec.CommandContext(ctx, "git", "clone", "--", repository)
+	
+	// Set working directory
+	cmd.Dir = cleanTargetDir
+	
+	// Configure output
+	if !quiet {
+		cmd.Stdout = os.Stderr
+		cmd.Stderr = os.Stderr
+	}
+
+	// Execute with timeout protection
+	if err := cmd.Run(); err != nil {
+		if ctx.Err() == context.DeadlineExceeded {
+			return fmt.Errorf("git clone operation timed out after 10 minutes: %s", repository)
+		}
+		return err
+	}
+	
+	return nil
+}
 
 func main() {
 	var showCommandHelp, showVersionInfo, quiet bool
@@ -41,91 +228,297 @@ func main() {
 		return
 	}
 
+	args := pflag.Args()
+	
+	// Validate that we have arguments
+	if len(args) == 0 {
+		prnt("error: no repository URLs provided")
+		usage()
+		os.Exit(1)
+	}
+
+	// Validate each argument is not empty
+	for i, arg := range args {
+		if strings.TrimSpace(arg) == "" {
+			prnt("error: argument %d is empty", i+1)
+			os.Exit(1)
+		}
+	}
+
+	// Check git availability with better error message
 	if _, err := exec.LookPath("git"); err != nil {
-		prnt("git not found")
+		prnt("error: git command not found in PATH")
+		prnt("please install git: https://git-scm.com/downloads")
 		os.Exit(1)
 	}
 
-	var projectDir string
-	for _, arg := range pflag.Args() {
-		repository := arg
-		projectDir = getProjectDir(repository)
+	var lastSuccessfulProjectDir string
+	var processedCount int
+	var failedCount int
+
+	for _, arg := range args {
+		repository := strings.TrimSpace(arg)
+		processedCount++
+		
+		// Security: Validate repository URL before processing
+		if err := validateRepositoryURL(repository); err != nil {
+			prnt("invalid repository URL '%s': %s", repository, err)
+			failedCount++
+			continue
+		}
+
+		projectDir, err := getProjectDir(repository)
+		if err != nil {
+			prnt("failed to determine project directory for '%s': %s", repository, err)
+			failedCount++
+			continue
+		}
 
+		// Check if directory already exists and is not empty
 		if ok := isDirectoryNotEmpty(projectDir); ok {
+			if !quiet {
+				prnt("repository already exists: %s", projectDir)
+			}
+			// Still consider this successful for output purposes
+			lastSuccessfulProjectDir = projectDir
 			continue
 		}
 
+		// Create parent directory
 		if err := os.MkdirAll(filepath.Dir(projectDir), 0750); err != nil {
 			prnt("failed create directory: %s", err)
+			failedCount++
 			continue
 		}
 
-		cmd := exec.Command("git", "clone", repository)
-		if !quiet {
-			cmd.Stdout = os.Stderr
-			cmd.Stderr = os.Stderr
-		}
-		cmd.Dir = filepath.Dir(projectDir)
-		if err := cmd.Run(); err != nil {
-			prnt("failed clone repository: %s", err)
+		// Security: Use secure git clone with validated arguments
+		if err := secureGitClone(repository, filepath.Dir(projectDir), quiet); err != nil {
+			prnt("failed clone repository '%s': %s", repository, err)
+			failedCount++
 			continue
 		}
+
+		// Clone was successful
+		lastSuccessfulProjectDir = projectDir
 		if !quiet {
 			fmt.Fprintln(os.Stderr)
 		}
 	}
 
-	// Print latest project directory
-	abs, _ := filepath.Abs(projectDir)
-	fmt.Println(abs)
+	// Print summary if multiple repositories were processed
+	if processedCount > 1 && !quiet {
+		successCount := processedCount - failedCount
+		prnt("processed %d repositories: %d successful, %d failed", processedCount, successCount, failedCount)
+	}
+
+	// Print the last successfully processed project directory
+	if lastSuccessfulProjectDir != "" {
+		abs, err := filepath.Abs(lastSuccessfulProjectDir)
+		if err != nil {
+			prnt("failed to get absolute path for %s: %s", lastSuccessfulProjectDir, err)
+			fmt.Println(lastSuccessfulProjectDir) // fallback to relative path
+		} else {
+			fmt.Println(abs)
+		}
+	} else {
+		// No successful repositories processed
+		if !quiet {
+			prnt("no repositories were successfully processed")
+		}
+		os.Exit(1)
+	}
 }
 
 // normalize normalizes the given repository string and returns the parsed repository URL.
-func normalize(repo string) string {
+// Enhanced with security validation against path traversal attacks.
+// Returns error instead of empty string for better error handling.
+func normalize(repo string) (string, error) {
+	if repo == "" {
+		return "", errors.New("repository URL is empty")
+	}
+
+	r := regexPool.Get().(*regexp.Regexp)
+	defer regexPool.Put(r)
+
 	match := r.FindStringSubmatch(repo)
 	if len(match) != 3 {
-		return ""
+		return "", errors.New("failed to parse repository URL format")
 	}
+
+	host := match[1]
 	path := match[2]
+
+	// Security: Validate host component
+	if !validHostname.MatchString(host) {
+		return "", fmt.Errorf("invalid hostname: %s", host)
+	}
+
+	// Security: Sanitize path to prevent traversal attacks
+	sanitizedPath, err := sanitizePathWithError(path)
+	if err != nil {
+		return "", fmt.Errorf("invalid repository path: %w", err)
+	}
+
+	// Security: Validate final path doesn't contain dangerous patterns
+	if strings.Contains(sanitizedPath, "..") || strings.Contains(sanitizedPath, "//") {
+		return "", errors.New("repository path contains dangerous patterns")
+	}
+
+	return filepath.Join(host, sanitizedPath), nil
+}
+
+// sanitizePathWithError cleans and validates repository paths against security threats
+// Returns error for better error handling instead of empty string
+func sanitizePathWithError(path string) (string, error) {
+	if path == "" {
+		return "", nil // Empty path is acceptable
+	}
+
+	originalPath := path
+
+	// Remove dangerous prefixes and suffixes
+	path = strings.TrimPrefix(path, "/")
+	path = strings.TrimPrefix(path, "~")
+	path = strings.TrimPrefix(path, "/")
+	path = strings.TrimSuffix(path, "/")
+	path = strings.TrimSuffix(path, ".git")
+
+	// Security: Check for path traversal attempts
+	if strings.Contains(path, "..") {
+		return "", fmt.Errorf("path traversal detected: %s", originalPath)
+	}
+
+	// Security: Remove consecutive slashes
+	for strings.Contains(path, "//") {
+		path = strings.ReplaceAll(path, "//", "/")
+	}
+
+	// Security: Validate path contains only safe characters
+	if path != "" && !validRepoPath.MatchString(path) {
+		return "", fmt.Errorf("path contains invalid characters: %s", originalPath)
+	}
+
+	// Security: Ensure path doesn't start with dangerous patterns
+	dangerousPatterns := []string{".", "-", "_"}
+	for _, pattern := range dangerousPatterns {
+		if strings.HasPrefix(path, pattern+"/") {
+			return "", fmt.Errorf("path starts with dangerous pattern '%s': %s", pattern, originalPath)
+		}
+	}
+
+	return path, nil
+}
+
+// sanitizePath cleans and validates repository paths against security threats
+func sanitizePath(path string) string {
+	if path == "" {
+		return ""
+	}
+
+	// Remove dangerous prefixes and suffixes
 	path = strings.TrimPrefix(path, "/")
 	path = strings.TrimPrefix(path, "~")
 	path = strings.TrimPrefix(path, "/")
 	path = strings.TrimSuffix(path, "/")
 	path = strings.TrimSuffix(path, ".git")
 
-	return filepath.Join(match[1], path)
+	// Security: Check for path traversal attempts
+	if strings.Contains(path, "..") {
+		return ""
+	}
+
+	// Security: Remove consecutive slashes
+	for strings.Contains(path, "//") {
+		path = strings.ReplaceAll(path, "//", "/")
+	}
+
+	// Security: Validate path contains only safe characters
+	if path != "" && !validRepoPath.MatchString(path) {
+		return ""
+	}
+
+	// Security: Ensure path doesn't start with dangerous patterns
+	dangerousPatterns := []string{".", "-", "_"}
+	for _, pattern := range dangerousPatterns {
+		if strings.HasPrefix(path, pattern+"/") {
+			return ""
+		}
+	}
+
+	return path
 }
 
 // getProjectDir returns the project directory based on the given repository URL.
 // It retrieves the GIT_PROJECT_DIR environment variable and normalizes it.
 // If the GIT_PROJECT_DIR starts with "~", it replaces it with the user's home directory.
 // The normalized repository URL is then joined with the GIT_PROJECT_DIR to form the project directory path.
-// The project directory path is returned as a string.
-func getProjectDir(repository string) string {
+// Returns error for better error handling instead of empty string.
+func getProjectDir(repository string) (string, error) {
 	gitProjectDir := os.Getenv("GIT_PROJECT_DIR")
+	
 	if strings.HasPrefix(gitProjectDir, "~") {
 		homeDir, err := os.UserHomeDir()
 		if err != nil {
-			log.Fatal(err)
+			return "", fmt.Errorf("failed to get user home directory: %w", err)
 		}
 		gitProjectDir = filepath.Join(homeDir, gitProjectDir[1:])
 	}
 
-	return filepath.Join(gitProjectDir, normalize(repository))
+	normalizedRepo, err := normalize(repository)
+	if err != nil {
+		return "", fmt.Errorf("failed to normalize repository URL: %w", err)
+	}
+
+	// Security: Validate and clean the final path
+	projectDir := filepath.Join(gitProjectDir, normalizedRepo)
+	cleanedPath := filepath.Clean(projectDir)
+	
+	// Security: Ensure the path doesn't escape the base directory
+	if gitProjectDir != "" && !strings.HasPrefix(cleanedPath, filepath.Clean(gitProjectDir)) {
+		return "", errors.New("security: path traversal detected in project directory")
+	}
+
+	return cleanedPath, nil
 }
 
-// isDirectoryNotEmpty checks if the specified directory is not empty.
+// isDirectoryNotEmptyRaw checks if the specified directory is not empty without caching.
 // It uses the Readdirnames function to get the directory contents without loading full FileInfo
 // structures for each entry. If there are any entries, it returns true. Otherwise, it returns false.
-func isDirectoryNotEmpty(name string) bool {
+func isDirectoryNotEmptyRaw(name string) bool {
 	f, err := os.Open(name)
 	if err != nil {
 		return false
 	}
-	defer f.Close()
 
-	_, err = f.Readdirnames(1)
-	return err == nil
+	names, err := f.Readdirnames(1)
+	f.Close() // Direct call without defer for better performance
+
+	return err == nil && len(names) > 0
+}
+
+// IsDirectoryNotEmpty checks if the specified directory is not empty with caching.
+func (dc *DirCache) IsDirectoryNotEmpty(name string) bool {
+	dc.mutex.RLock()
+	if entry, ok := dc.cache[name]; ok {
+		if time.Since(entry.timestamp) < dc.ttl {
+			dc.mutex.RUnlock()
+			return entry.exists
+		}
+	}
+	dc.mutex.RUnlock()
+
+	exists := isDirectoryNotEmptyRaw(name)
+
+	dc.mutex.Lock()
+	dc.cache[name] = cacheEntry{exists, time.Now()}
+	dc.mutex.Unlock()
+
+	return exists
+}
+
+// isDirectoryNotEmpty is a wrapper that uses the global cache.
+func isDirectoryNotEmpty(name string) bool {
+	return dirCache.IsDirectoryNotEmpty(name)
 }
 
 // Usage prints the usage of the program.
diff --git a/main_test.go b/main_test.go
index 8ad8211..e1dbdd4 100644
--- a/main_test.go
+++ b/main_test.go
@@ -1,7 +1,9 @@
 package main
 
 import (
+	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )
 
@@ -75,7 +77,12 @@ func Test_getProjectDir(t *testing.T) {
 			t.Setenv("HOME", tt.homeVar)
 			t.Setenv("GIT_PROJECT_DIR", tt.gitProjectDir)
 
-			if got := getProjectDir(tt.repository); got != tt.want {
+			got, err := getProjectDir(tt.repository)
+			if err != nil {
+				t.Errorf("getProjectDir() unexpected error = %v", err)
+				return
+			}
+			if got != tt.want {
 				t.Errorf("getProjectDir() = %v, want %v", got, tt.want)
 			}
 		})
@@ -163,9 +170,464 @@ func Test_normalize(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			gotRepo := normalize(tt.args.repository)
+			gotRepo, err := normalize(tt.args.repository)
+			if err != nil {
+				t.Errorf("normalize() unexpected error = %v", err)
+				return
+			}
 			if gotRepo != tt.wantRepo {
-				t.Errorf("parse() gotRepo = %v, want %v", gotRepo, tt.wantRepo)
+				t.Errorf("normalize() gotRepo = %v, want %v", gotRepo, tt.wantRepo)
+			}
+		})
+	}
+}
+
+// Benchmark functions
+func BenchmarkNormalize(b *testing.B) {
+	repository := "https://github.com/user/repo"
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = normalize(repository)
+	}
+}
+
+func BenchmarkIsDirectoryNotEmpty(b *testing.B) {
+	// Create test directory
+	tempDir, err := os.MkdirTemp("", "benchmark-test")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// Create a non-empty directory
+	nonEmptyDir := filepath.Join(tempDir, "non-empty")
+	if err := os.Mkdir(nonEmptyDir, 0755); err != nil {
+		b.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0644); err != nil {
+		b.Fatal(err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		isDirectoryNotEmpty(nonEmptyDir)
+	}
+}
+
+func BenchmarkIsDirectoryNotEmptyRaw(b *testing.B) {
+	// Create test directory
+	tempDir, err := os.MkdirTemp("", "benchmark-test")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// Create a non-empty directory
+	nonEmptyDir := filepath.Join(tempDir, "non-empty")
+	if err := os.Mkdir(nonEmptyDir, 0755); err != nil {
+		b.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0644); err != nil {
+		b.Fatal(err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		isDirectoryNotEmptyRaw(nonEmptyDir)
+	}
+}
+
+func BenchmarkIsDirectoryNotEmptyCache(b *testing.B) {
+	// Create test directory
+	tempDir, err := os.MkdirTemp("", "benchmark-test")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// Create a non-empty directory
+	nonEmptyDir := filepath.Join(tempDir, "non-empty")
+	if err := os.Mkdir(nonEmptyDir, 0755); err != nil {
+		b.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0644); err != nil {
+		b.Fatal(err)
+	}
+
+	// Clear cache before benchmark
+	dirCache.mutex.Lock()
+	dirCache.cache = make(map[string]cacheEntry)
+	dirCache.mutex.Unlock()
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		dirCache.IsDirectoryNotEmpty(nonEmptyDir) // This will benefit from caching after first call
+	}
+}
+
+// Security tests
+func TestValidateRepositoryURL(t *testing.T) {
+	tests := []struct {
+		name    string
+		url     string
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name:    "valid https URL",
+			url:     "https://github.com/user/repo.git",
+			wantErr: false,
+		},
+		{
+			name:    "valid SSH URL",
+			url:     "git@github.com:user/repo.git",
+			wantErr: false,
+		},
+		{
+			name:    "command injection attempt",
+			url:     "https://github.com/user/repo.git; rm -rf /",
+			wantErr: true,
+			errMsg:  "dangerous characters",
+		},
+		{
+			name:    "path traversal in URL",
+			url:     "https://github.com/../../../etc/passwd",
+			wantErr: true,
+			errMsg:  "path traversal",
+		},
+		{
+			name:    "invalid scheme",
+			url:     "ftp://github.com/user/repo",
+			wantErr: true,
+			errMsg:  "unsupported URL scheme",
+		},
+		{
+			name:    "empty URL",
+			url:     "",
+			wantErr: true,
+			errMsg:  "cannot be empty",
+		},
+		{
+			name:    "backticks for command substitution",
+			url:     "https://github.com/user/`whoami`.git",
+			wantErr: true,
+			errMsg:  "dangerous characters",
+		},
+		{
+			name:    "pipe character",
+			url:     "https://github.com/user/repo | cat /etc/passwd",
+			wantErr: true,
+			errMsg:  "dangerous characters",
+		},
+		{
+			name:    "invalid hostname",
+			url:     "https://github..com/user/repo",
+			wantErr: true,
+			errMsg:  "invalid hostname",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateRepositoryURL(tt.url)
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("validateRepositoryURL() expected error but got none for URL: %s", tt.url)
+					return
+				}
+				if !strings.Contains(err.Error(), tt.errMsg) {
+					t.Errorf("validateRepositoryURL() error = %v, expected to contain %v", err, tt.errMsg)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("validateRepositoryURL() unexpected error = %v for URL: %s", err, tt.url)
+				}
+			}
+		})
+	}
+}
+
+func TestNormalizeSecurity(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string // Empty string means should be rejected
+	}{
+		{
+			name:     "normal repo",
+			input:    "https://github.com/user/repo",
+			expected: "github.com/user/repo",
+		},
+		{
+			name:     "path traversal attempt",
+			input:    "https://github.com/../../../etc/passwd",
+			expected: "", // Should be rejected
+		},
+		{
+			name:     "double slash",
+			input:    "https://github.com//user//repo",
+			expected: "github.com/user/repo",
+		},
+		{
+			name:     "invalid hostname",
+			input:    "https://github..com/user/repo",
+			expected: "", // Should be rejected
+		},
+		{
+			name:     "dangerous path start with dot",
+			input:    "https://github.com/./repo",
+			expected: "", // Should be rejected
+		},
+		{
+			name:     "invalid characters in path",
+			input:    "https://github.com/user/repo<script>",
+			expected: "", // Should be rejected
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := normalize(tt.input)
+			if tt.expected == "" {
+				// Expecting failure
+				if err == nil {
+					t.Errorf("normalize() expected error but got none for input: %s", tt.input)
+					return
+				}
+			} else {
+				// Expecting success
+				if err != nil {
+					t.Errorf("normalize() unexpected error = %v for input: %s", err, tt.input)
+					return
+				}
+				if result != tt.expected {
+					t.Errorf("normalize() = %v, want %v", result, tt.expected)
+				}
+			}
+		})
+	}
+}
+
+func TestSecureGitCloneTimeout(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir, err := os.MkdirTemp("", "git-clone-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	tests := []struct {
+		name        string
+		repository  string
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name:        "dangerous URL should fail validation", 
+			repository:  "https://github.com/user/repo; rm -rf /",
+			expectError: true,
+			errorMsg:    "security validation failed",
+		},
+		{
+			name:        "path traversal should fail validation", 
+			repository:  "https://github.com/../../../etc/passwd",
+			expectError: true,
+			errorMsg:    "security validation failed",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := secureGitClone(tt.repository, tempDir, true)
+			if tt.expectError {
+				if err == nil {
+					t.Errorf("secureGitClone() expected error but got none for repository: %s", tt.repository)
+					return
+				}
+				if !strings.Contains(err.Error(), tt.errorMsg) {
+					t.Errorf("secureGitClone() error = %v, expected to contain %v", err, tt.errorMsg)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("secureGitClone() unexpected error = %v for repository: %s", err, tt.repository)
+				}
+			}
+		})
+	}
+}
+
+func TestSanitizePath(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "normal path",
+			input:    "user/repo",
+			expected: "user/repo",
+		},
+		{
+			name:     "path with traversal",
+			input:    "user/../../../etc/passwd",
+			expected: "", // Should be rejected
+		},
+		{
+			name:     "path with double slashes",
+			input:    "user//repo",
+			expected: "user/repo",
+		},
+		{
+			name:     "path starting with dot",
+			input:    "./user/repo",
+			expected: "", // Should be rejected
+		},
+		{
+			name:     "path with git suffix",
+			input:    "user/repo.git",
+			expected: "user/repo",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := sanitizePath(tt.input)
+			if result != tt.expected {
+				t.Errorf("sanitizePath() = %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGetProjectDirSecurity(t *testing.T) {
+	// Save original env var
+	originalGitProjectDir := os.Getenv("GIT_PROJECT_DIR")
+	defer func() {
+		if originalGitProjectDir != "" {
+			os.Setenv("GIT_PROJECT_DIR", originalGitProjectDir)
+		} else {
+			os.Unsetenv("GIT_PROJECT_DIR")
+		}
+	}()
+
+	tests := []struct {
+		name           string
+		gitProjectDir  string
+		repository     string
+		expectedResult string // Empty means should be rejected
+	}{
+		{
+			name:           "normal case",
+			gitProjectDir:  "/tmp/test",
+			repository:     "https://github.com/user/repo",
+			expectedResult: "/tmp/test/github.com/user/repo",
+		},
+		{
+			name:           "path traversal in repo",
+			gitProjectDir:  "/tmp/test",
+			repository:     "https://github.com/../../etc/passwd",
+			expectedResult: "", // Should be rejected due to normalization failure
+		},
+		{
+			name:           "invalid repo URL",
+			gitProjectDir:  "/tmp/test",
+			repository:     "https://github..com/user/repo",
+			expectedResult: "", // Should be rejected due to invalid hostname
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			os.Setenv("GIT_PROJECT_DIR", tt.gitProjectDir)
+			result, err := getProjectDir(tt.repository)
+			if tt.expectedResult == "" {
+				// Expecting failure
+				if err == nil {
+					t.Errorf("getProjectDir() expected error but got none for repository: %s", tt.repository)
+					return
+				}
+			} else {
+				// Expecting success
+				if err != nil {
+					t.Errorf("getProjectDir() unexpected error = %v for repository: %s", err, tt.repository)
+					return
+				}
+				if result != tt.expectedResult {
+					t.Errorf("getProjectDir() = %v, want %v", result, tt.expectedResult)
+				}
+			}
+		})
+	}
+}
+
+// Tests for logical fixes
+func TestSanitizePathWithError(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+		wantErr  bool
+	}{
+		{
+			name:     "normal path",
+			input:    "user/repo",
+			expected: "user/repo",
+			wantErr:  false,
+		},
+		{
+			name:     "path with traversal",
+			input:    "user/../../../etc/passwd",
+			expected: "",
+			wantErr:  true,
+		},
+		{
+			name:     "path with double slashes",
+			input:    "user//repo",
+			expected: "user/repo",
+			wantErr:  false,
+		},
+		{
+			name:     "path starting with dot",
+			input:    "./user/repo",
+			expected: "",
+			wantErr:  true,
+		},
+		{
+			name:     "path with git suffix",
+			input:    "user/repo.git",
+			expected: "user/repo",
+			wantErr:  false,
+		},
+		{
+			name:     "path with invalid characters",
+			input:    "user/repo<script>",
+			expected: "",
+			wantErr:  true,
+		},
+		{
+			name:     "empty path",
+			input:    "",
+			expected: "",
+			wantErr:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := sanitizePathWithError(tt.input)
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("sanitizePathWithError() expected error but got none for input: %s", tt.input)
+					return
+				}
+			} else {
+				if err != nil {
+					t.Errorf("sanitizePathWithError() unexpected error = %v for input: %s", err, tt.input)
+					return
+				}
+				if result != tt.expected {
+					t.Errorf("sanitizePathWithError() = %v, want %v", result, tt.expected)
+				}
 			}
 		})
 	}

From f1db25aad18926b8946b65753115cad0c4d0d5df Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Wed, 6 Aug 2025 17:47:04 +0300
Subject: [PATCH 02/10] Add comprehensive benchmarks and mock implementations
 for worker pool testing

- Introduced new benchmarks for various URL normalization methods (HTTPS, SSH, Git, cached, mixed) and path sanitization.
- Added mock implementations for GitCloner, DirectoryChecker, and FileSystem interfaces to facilitate testing.
- Implemented tests for worker pool functionality, including basic creation, sequential fallback, and performance comparisons between sequential and parallel processing.
- Updated existing tests to utilize the new DefaultEnvironment and DefaultFileSystem structures.
---
 cache_example.go |   71 +++
 main.go          | 1160 +++++++++++++++++++++++++++++++++++++++++-----
 main_test.go     |  372 ++++++++++++++-
 3 files changed, 1477 insertions(+), 126 deletions(-)
 create mode 100644 cache_example.go

diff --git a/cache_example.go b/cache_example.go
new file mode 100644
index 0000000..495763e
--- /dev/null
+++ b/cache_example.go
@@ -0,0 +1,71 @@
+package main
+
+import (
+	"fmt"
+	"time"
+)
+
+// Example of how to use the improved directory cache with performance monitoring
+func ExampleCacheUsage() {
+	// Create custom cache configuration
+	cacheConfig := &CacheConfig{
+		TTL:                  2 * time.Minute,  // Longer TTL for better performance
+		CleanupInterval:      1 * time.Minute,  // More frequent cleanup
+		MaxEntries:          500,               // Smaller cache for this example
+		EnablePeriodicCleanup: true,
+	}
+
+	// Create cache with custom configuration
+	fs := &DefaultFileSystem{}
+	cache := NewDirCache(cacheConfig, fs)
+	defer cache.Close() // Important: close to stop cleanup goroutine
+
+	// Test some directory checks
+	testDirs := []string{
+		"/tmp",
+		"/etc",
+		"/var",
+		"/usr/bin",
+		"/nonexistent/dir",
+	}
+
+	fmt.Println("Testing directory cache performance...")
+	
+	// First round - cache misses
+	start := time.Now()
+	for _, dir := range testDirs {
+		exists := cache.IsDirectoryNotEmpty(dir)
+		fmt.Printf("Directory %s exists and not empty: %v\n", dir, exists)
+	}
+	firstRoundTime := time.Since(start)
+
+	// Second round - cache hits (should be much faster)
+	start = time.Now()
+	for _, dir := range testDirs {
+		exists := cache.IsDirectoryNotEmpty(dir)
+		fmt.Printf("Directory %s exists and not empty: %v (cached)\n", dir, exists)
+	}
+	secondRoundTime := time.Since(start)
+
+	// Get and display cache statistics
+	stats := cache.GetStats()
+	fmt.Printf("\n=== Cache Performance Statistics ===\n")
+	fmt.Printf("Cache Hits: %d\n", stats.Hits)
+	fmt.Printf("Cache Misses: %d\n", stats.Misses)
+	fmt.Printf("Hit Ratio: %.2f%%\n", stats.HitRatio()*100)
+	fmt.Printf("Total Entries: %d\n", stats.TotalSize)
+	fmt.Printf("Evictions: %d\n", stats.Evictions)
+	
+	fmt.Printf("\n=== Performance Improvement ===\n")
+	fmt.Printf("First round (cache misses): %v\n", firstRoundTime)
+	fmt.Printf("Second round (cache hits): %v\n", secondRoundTime)
+	if secondRoundTime.Nanoseconds() > 0 {
+		speedup := float64(firstRoundTime.Nanoseconds()) / float64(secondRoundTime.Nanoseconds())
+		fmt.Printf("Speedup: %.1fx faster with cache\n", speedup)
+	}
+}
+
+// Uncomment to run the example:
+// func main() {
+// 	ExampleCacheUsage()
+// }
\ No newline at end of file
diff --git a/main.go b/main.go
index 0922161..c033904 100644
--- a/main.go
+++ b/main.go
@@ -7,43 +7,599 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"os/signal"
 	"path/filepath"
 	"regexp"
+	"runtime"
 	"strings"
 	"sync"
+	"sync/atomic"
+	"syscall"
 	"time"
 
 	"github.com/spf13/pflag"
 )
 
+// Dependencies interfaces for better testability and modularity
+
+// FileSystem abstracts file system operations for better testability
+type FileSystem interface {
+	Open(name string) (*os.File, error)
+	Stat(name string) (os.FileInfo, error)
+	MkdirAll(path string, perm os.FileMode) error
+	UserHomeDir() (string, error)
+	Getenv(key string) string
+}
+
+// CommandRunner abstracts command execution for better testability
+type CommandRunner interface {
+	LookPath(file string) (string, error)
+	Run(ctx context.Context, name string, args ...string) error
+	RunWithOutput(ctx context.Context, name string, args ...string) ([]byte, error)
+}
+
+// GitCloner abstracts git cloning operations for better testability
+type GitCloner interface {
+	Clone(ctx context.Context, repository, targetDir string, quiet bool) error
+}
+
+// DirectoryChecker abstracts directory existence checking for better testability
+type DirectoryChecker interface {
+	IsNotEmpty(name string) bool
+}
+
+// Environment abstracts environment operations
+type Environment interface {
+	UserHomeDir() (string, error)
+	Getenv(key string) string
+}
+
+// Dependencies holds all external dependencies for the application
+type Dependencies struct {
+	FS       FileSystem
+	CmdRun   CommandRunner  
+	GitClone GitCloner
+	DirCheck DirectoryChecker
+	Env      Environment
+}
+
+// Default implementations for production use
+
+// DefaultFileSystem provides real file system operations
+type DefaultFileSystem struct{}
+
+func (fs *DefaultFileSystem) Open(name string) (*os.File, error) {
+	return os.Open(name)
+}
+
+func (fs *DefaultFileSystem) Stat(name string) (os.FileInfo, error) {
+	return os.Stat(name)
+}
+
+func (fs *DefaultFileSystem) MkdirAll(path string, perm os.FileMode) error {
+	return os.MkdirAll(path, perm)
+}
+
+func (fs *DefaultFileSystem) UserHomeDir() (string, error) {
+	return os.UserHomeDir()
+}
+
+func (fs *DefaultFileSystem) Getenv(key string) string {
+	return os.Getenv(key)
+}
+
+// DefaultCommandRunner provides real command execution
+type DefaultCommandRunner struct{}
+
+func (cr *DefaultCommandRunner) LookPath(file string) (string, error) {
+	return exec.LookPath(file)
+}
+
+func (cr *DefaultCommandRunner) Run(ctx context.Context, name string, args ...string) error {
+	cmd := exec.CommandContext(ctx, name, args...)
+	return cmd.Run()
+}
+
+func (cr *DefaultCommandRunner) RunWithOutput(ctx context.Context, name string, args ...string) ([]byte, error) {
+	cmd := exec.CommandContext(ctx, name, args...)
+	return cmd.Output()
+}
+
+// DefaultGitCloner provides real git cloning functionality
+type DefaultGitCloner struct{}
+
+func (gc *DefaultGitCloner) Clone(ctx context.Context, repository, targetDir string, quiet bool) error {
+	return secureGitClone(repository, targetDir, quiet)
+}
+
+// DefaultDirectoryChecker provides real directory checking functionality
+type DefaultDirectoryChecker struct {
+	cache *DirCache
+}
+
+func NewDefaultDirectoryChecker(fs FileSystem) *DefaultDirectoryChecker {
+	return &DefaultDirectoryChecker{
+		cache: NewDirCache(DefaultCacheConfig(), fs),
+	}
+}
+
+func NewDirectoryCheckerWithConfig(fs FileSystem, config *CacheConfig) *DefaultDirectoryChecker {
+	return &DefaultDirectoryChecker{
+		cache: NewDirCache(config, fs),
+	}
+}
+
+func (dc *DefaultDirectoryChecker) IsNotEmpty(name string) bool {
+	return dc.cache.IsDirectoryNotEmpty(name)
+}
+
+// DefaultEnvironment provides real environment operations
+type DefaultEnvironment struct{}
+
+func (env *DefaultEnvironment) UserHomeDir() (string, error) {
+	return os.UserHomeDir()
+}
+
+func (env *DefaultEnvironment) Getenv(key string) string {
+	return os.Getenv(key)
+}
+
+// NewDefaultDependencies creates a new Dependencies instance with default implementations
+func NewDefaultDependencies() *Dependencies {
+	fs := &DefaultFileSystem{}
+	return &Dependencies{
+		FS:       fs,
+		CmdRun:   &DefaultCommandRunner{},
+		GitClone: &DefaultGitCloner{},
+		DirCheck: NewDefaultDirectoryChecker(fs),
+		Env:      &DefaultEnvironment{},
+	}
+}
+
+// NewDependenciesWithCacheConfig creates a new Dependencies instance with custom cache configuration
+func NewDependenciesWithCacheConfig(cacheConfig *CacheConfig) *Dependencies {
+	fs := &DefaultFileSystem{}
+	return &Dependencies{
+		FS:       fs,
+		CmdRun:   &DefaultCommandRunner{},
+		GitClone: &DefaultGitCloner{},
+		DirCheck: NewDirectoryCheckerWithConfig(fs, cacheConfig),
+		Env:      &DefaultEnvironment{},
+	}
+}
+
 var (
 	version = "0.3.4"
 	commit  = "none"
 	date    = "unknown"
 )
 
-var regexPool = sync.Pool{
-	New: func() any {
-		return regexp.MustCompile(`^(?:.*://)?(?:[^@]+@)?([^:/]+)(?::\d+)?[/:]?(.*)$`)
-	},
+// Config holds the configuration for the application
+type Config struct {
+	ShowCommandHelp   bool
+	ShowVersionInfo   bool
+	Quiet             bool
+	Workers           int
+	RepositoryArgs    []string
+	Dependencies      *Dependencies
+	CacheConfig       *CacheConfig
+}
+
+// ProcessingResult holds the result of repository processing
+type ProcessingResult struct {
+	LastSuccessfulProjectDir string
+	ProcessedCount           int
+	FailedCount              int
+}
+
+// RepositoryJob represents a job for cloning a repository
+type RepositoryJob struct {
+	Repository string
+	Index      int // Original position in the arguments list
+}
+
+// WorkerResult represents the result of processing a repository job
+type WorkerResult struct {
+	Job        RepositoryJob
+	ProjectDir string
+	Success    bool
+	Error      error
+}
+
+// WorkerPool manages parallel repository cloning
+type WorkerPool struct {
+	config      *Config
+	jobs        chan RepositoryJob
+	results     chan WorkerResult
+	done        chan struct{}
+	shutdown    chan struct{}
+	workerCount int32 // Track active workers for graceful shutdown
+}
+
+// NewWorkerPool creates a new worker pool for parallel repository cloning
+func NewWorkerPool(config *Config) *WorkerPool {
+	return &WorkerPool{
+		config:   config,
+		jobs:     make(chan RepositoryJob, len(config.RepositoryArgs)),
+		results:  make(chan WorkerResult, len(config.RepositoryArgs)),
+		done:     make(chan struct{}),
+		shutdown: make(chan struct{}),
+	}
+}
+
+// worker is the worker goroutine that processes repository cloning jobs
+func (wp *WorkerPool) worker(workerID int) {
+	atomic.AddInt32(&wp.workerCount, 1)
+	defer atomic.AddInt32(&wp.workerCount, -1)
+
+	for {
+		select {
+		case job, ok := <-wp.jobs:
+			if !ok {
+				return // Jobs channel is closed
+			}
+			wp.processJob(job, workerID)
+		case <-wp.shutdown:
+			return // Shutdown requested
+		}
+	}
+}
+
+// processJob processes a single repository cloning job
+func (wp *WorkerPool) processJob(job RepositoryJob, _ int) {
+	result := WorkerResult{
+		Job:     job,
+		Success: false,
+	}
+
+	// Security: Validate repository URL before processing
+	if err := validateRepositoryURL(job.Repository); err != nil {
+		result.Error = fmt.Errorf("invalid repository URL '%s': %w", job.Repository, err)
+		wp.results <- result
+		return
+	}
+
+	projectDir, err := getProjectDir(job.Repository, wp.config.Dependencies.Env)
+	if err != nil {
+		result.Error = fmt.Errorf("failed to determine project directory for '%s': %w", job.Repository, err)
+		wp.results <- result
+		return
+	}
+
+	// Set project directory in result for potential success case
+	result.ProjectDir = projectDir
+
+	// Check if directory already exists and is not empty
+	if wp.config.Dependencies.DirCheck.IsNotEmpty(projectDir) {
+		if !wp.config.Quiet {
+			// Thread-safe output using stderr
+			fmt.Fprintf(os.Stderr, "repository already exists: %s\n", projectDir)
+		}
+		result.Success = true
+		wp.results <- result
+		return
+	}
+
+	// Create parent directory
+	if err := wp.config.Dependencies.FS.MkdirAll(filepath.Dir(projectDir), 0750); err != nil {
+		result.Error = fmt.Errorf("failed create directory: %w", err)
+		wp.results <- result
+		return
+	}
+
+	// Security: Use secure git clone with validated arguments
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+	
+	if err := wp.config.Dependencies.GitClone.Clone(ctx, job.Repository, filepath.Dir(projectDir), wp.config.Quiet); err != nil {
+		result.Error = fmt.Errorf("failed clone repository '%s': %w", job.Repository, err)
+		wp.results <- result
+		return
+	}
+
+	// Clone was successful
+	result.Success = true
+	if !wp.config.Quiet {
+		fmt.Fprintln(os.Stderr)
+	}
+	wp.results <- result
+}
+
+// Start starts the worker pool and processes all repositories
+func (wp *WorkerPool) Start() *ProcessingResult {
+	// Start workers
+	for i := 0; i < wp.config.Workers; i++ {
+		go wp.worker(i)
+	}
+
+	// Send jobs to workers
+	go func() {
+		defer close(wp.jobs)
+		for i, repository := range wp.config.RepositoryArgs {
+			job := RepositoryJob{
+				Repository: strings.TrimSpace(repository),
+				Index:      i,
+			}
+			select {
+			case wp.jobs <- job:
+			case <-wp.shutdown:
+				return // Shutdown requested, stop sending jobs
+			}
+		}
+	}()
+
+	// Collect results
+	result := &ProcessingResult{}
+	processedCount := 0
+	expectedJobs := len(wp.config.RepositoryArgs)
+
+	for processedCount < expectedJobs {
+		select {
+		case workerResult := <-wp.results:
+			result.ProcessedCount++
+			processedCount++
+			
+			if workerResult.Success {
+				result.LastSuccessfulProjectDir = workerResult.ProjectDir
+			} else {
+				result.FailedCount++
+				if workerResult.Error != nil {
+					prnt(workerResult.Error.Error())
+				}
+			}
+		case <-wp.shutdown:
+			// Graceful shutdown requested
+			wp.gracefulShutdown()
+			// Continue collecting results for already started jobs
+			for processedCount < result.ProcessedCount {
+				workerResult := <-wp.results
+				processedCount++
+				if !workerResult.Success {
+					result.FailedCount++
+				}
+			}
+			return result
+		}
+	}
+
+	// Signal completion and wait for workers to finish
+	close(wp.done)
+	wp.waitForWorkers()
+
+	return result
+}
+
+// gracefulShutdown signals all workers to shut down
+func (wp *WorkerPool) gracefulShutdown() {
+	close(wp.shutdown)
+}
+
+// waitForWorkers waits for all workers to finish gracefully
+func (wp *WorkerPool) waitForWorkers() {
+	// Wait with timeout to avoid hanging indefinitely
+	timeout := time.After(30 * time.Second)
+	ticker := time.NewTicker(100 * time.Millisecond)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			if atomic.LoadInt32(&wp.workerCount) == 0 {
+				return // All workers have finished
+			}
+		case <-timeout:
+			// Force shutdown after timeout
+			return
+		}
+	}
+}
+
+// StartWithSignalHandling starts the worker pool with signal handling for graceful shutdown
+func (wp *WorkerPool) StartWithSignalHandling() *ProcessingResult {
+	// Set up signal handling
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
+
+	// Start worker pool in a goroutine
+	resultChan := make(chan *ProcessingResult, 1)
+	go func() {
+		resultChan <- wp.Start()
+	}()
+
+	// Wait for either completion or signal
+	select {
+	case result := <-resultChan:
+		// Normal completion
+		signal.Stop(signalChan)
+		return result
+	case sig := <-signalChan:
+		// Signal received, initiate graceful shutdown
+		if !wp.config.Quiet {
+			fmt.Fprintf(os.Stderr, "\nReceived signal %v, initiating graceful shutdown...\n", sig)
+		}
+		wp.gracefulShutdown()
+		
+		// Wait for result with timeout
+		select {
+		case result := <-resultChan:
+			if !wp.config.Quiet {
+				fmt.Fprintf(os.Stderr, "Graceful shutdown completed.\n")
+			}
+			return result
+		case <-time.After(45 * time.Second):
+			// Force shutdown if graceful shutdown takes too long
+			if !wp.config.Quiet {
+				fmt.Fprintf(os.Stderr, "Graceful shutdown timeout, forcing exit.\n")
+			}
+			os.Exit(1)
+			return nil // Never reached
+		}
+	}
+}
+
+// getDefaultWorkers returns the default number of workers based on CPU count
+func getDefaultWorkers() int {
+	cpuCount := runtime.NumCPU()
+	if cpuCount > 4 {
+		return 4
+	}
+	return cpuCount
+}
+
+// RegexType represents different types of repository URL patterns
+type RegexType int
+
+const (
+	RegexHTTPS RegexType = iota
+	RegexSSH
+	RegexGit
+	RegexGeneric
+)
+
+// Specialized regex pools for different URL patterns
+var (
+	// HTTPS URLs (https://github.com/user/repo.git)
+	httpsRegexPool = sync.Pool{
+		New: func() any {
+			return regexp.MustCompile(`^https?://([^/]+)/(.+?)(?:\.git)?/?$`)
+		},
+	}
+	
+	// SSH URLs (git@github.com:user/repo.git)
+	sshRegexPool = sync.Pool{
+		New: func() any {
+			return regexp.MustCompile(`^(?:ssh://)?([^@]+)@([^:]+):(.+?)(?:\.git)?/?$`)
+		},
+	}
+	
+	// Git protocol URLs (git://github.com/user/repo.git)
+	gitRegexPool = sync.Pool{
+		New: func() any {
+			return regexp.MustCompile(`^git://([^/]+)/(.+?)(?:\.git)?/?$`)
+		},
+	}
+	
+	// Generic fallback regex pool (original pattern)
+	genericRegexPool = sync.Pool{
+		New: func() any {
+			return regexp.MustCompile(`^(?:.*://)?(?:[^@]+@)?([^:/]+)(?::\d+)?[/:]?(.*)$`)
+		},
+	}
+)
+
+// RegexPoolStats tracks usage statistics for regex pools
+type RegexPoolStats struct {
+	HTTPSUsage   int64
+	SSHUsage     int64
+	GitUsage     int64
+	GenericUsage int64
+	CacheHits    int64
+	CacheMisses  int64
+	mutex        sync.RWMutex
+}
+
+var regexStats = &RegexPoolStats{}
+
+// GetRegexStats returns current regex usage statistics
+func GetRegexStats() RegexPoolStats {
+	regexStats.mutex.RLock()
+	defer regexStats.mutex.RUnlock()
+	// Return a copy to avoid returning the mutex
+	return RegexPoolStats{
+		HTTPSUsage:   regexStats.HTTPSUsage,
+		SSHUsage:     regexStats.SSHUsage,
+		GitUsage:     regexStats.GitUsage,
+		GenericUsage: regexStats.GenericUsage,
+		CacheHits:    regexStats.CacheHits,
+		CacheMisses:  regexStats.CacheMisses,
+		// Don't copy the mutex
+	}
+}
+
+// incrementUsage atomically increments usage counter for specific regex type
+func (stats *RegexPoolStats) incrementUsage(regexType RegexType) {
+	stats.mutex.Lock()
+	defer stats.mutex.Unlock()
+	
+	switch regexType {
+	case RegexHTTPS:
+		stats.HTTPSUsage++
+	case RegexSSH:
+		stats.SSHUsage++
+	case RegexGit:
+		stats.GitUsage++
+	case RegexGeneric:
+		stats.GenericUsage++
+	}
+}
+
+// incrementCacheHit atomically increments cache hit counter
+func (stats *RegexPoolStats) incrementCacheHit() {
+	stats.mutex.Lock()
+	defer stats.mutex.Unlock()
+	stats.CacheHits++
+}
+
+// incrementCacheMiss atomically increments cache miss counter
+func (stats *RegexPoolStats) incrementCacheMiss() {
+	stats.mutex.Lock()
+	defer stats.mutex.Unlock()
+	stats.CacheMisses++
+}
+
+// CacheConfig holds configuration parameters for directory cache
+type CacheConfig struct {
+	TTL                  time.Duration
+	CleanupInterval      time.Duration
+	MaxEntries          int
+	EnablePeriodicCleanup bool
+}
+
+// DefaultCacheConfig returns default cache configuration
+func DefaultCacheConfig() *CacheConfig {
+	return &CacheConfig{
+		TTL:                  60 * time.Second, // Increased from 30s to 1 minute
+		CleanupInterval:      5 * time.Minute,
+		MaxEntries:          1000,
+		EnablePeriodicCleanup: true,
+	}
 }
 
 type cacheEntry struct {
 	exists    bool
 	timestamp time.Time
+	lastAccess time.Time
 }
 
-type DirCache struct {
-	cache map[string]cacheEntry
-	mutex sync.RWMutex
-	ttl   time.Duration
+// CacheStats holds statistics about cache performance
+type CacheStats struct {
+	Hits       int64
+	Misses     int64
+	Evictions  int64
+	TotalSize  int64
 }
 
-var dirCache = &DirCache{
-	cache: make(map[string]cacheEntry),
-	ttl:   30 * time.Second,
+// CachePerformance provides cache performance metrics
+func (stats *CacheStats) HitRatio() float64 {
+	total := stats.Hits + stats.Misses
+	if total == 0 {
+		return 0.0
+	}
+	return float64(stats.Hits) / float64(total)
 }
 
+type DirCache struct {
+	cache       map[string]cacheEntry
+	mutex       sync.RWMutex
+	config      *CacheConfig
+	fs          FileSystem
+	stats       CacheStats
+	stopCleanup chan struct{}
+	cleanupOnce sync.Once
+}
+
+var dirCache = NewDirCache(DefaultCacheConfig(), &DefaultFileSystem{})
+
 // Security validation functions
 
 var (
@@ -146,16 +702,16 @@ func validatePath(path string) error {
 	}
 
 	// Check for absolute paths that could escape intended directory
-	if strings.HasPrefix(path, "/") {
+	if len(path) > 0 && path[0] == '/' {
 		// Remove leading slash for validation but allow it
-		path = strings.TrimPrefix(path, "/")
+		path = path[1:]
 	}
 
 	// Allow tilde for user directories but validate the rest
-	if strings.HasPrefix(path, "~") {
-		path = strings.TrimPrefix(path, "~")
-		if strings.HasPrefix(path, "/") {
-			path = strings.TrimPrefix(path, "/")
+	if len(path) > 0 && path[0] == '~' {
+		path = path[1:]
+		if len(path) > 0 && path[0] == '/' {
+			path = path[1:]
 		}
 	}
 
@@ -207,146 +763,302 @@ func secureGitClone(repository, targetDir string, quiet bool) error {
 	return nil
 }
 
-func main() {
-	var showCommandHelp, showVersionInfo, quiet bool
-	pflag.BoolVarP(&showCommandHelp, "help", "h", false, "Show this help message and exit")
-	pflag.BoolVarP(&showVersionInfo, "version", "v", false, "Show the version number and exit")
-	pflag.BoolVarP(&quiet, "quiet", "q", false, "Suppress output")
+// parseArgs parses command line arguments and returns configuration
+func parseArgs() (*Config, error) {
+	cacheConfig := DefaultCacheConfig()
+	config := &Config{
+		Dependencies: NewDependenciesWithCacheConfig(cacheConfig),
+		CacheConfig:  cacheConfig,
+		Workers:      getDefaultWorkers(),
+	}
+	
+	pflag.BoolVarP(&config.ShowCommandHelp, "help", "h", false, "Show this help message and exit")
+	pflag.BoolVarP(&config.ShowVersionInfo, "version", "v", false, "Show the version number and exit")
+	pflag.BoolVarP(&config.Quiet, "quiet", "q", false, "Suppress output")
+	pflag.IntVarP(&config.Workers, "workers", "w", getDefaultWorkers(), "Number of parallel workers for cloning")
 	pflag.Parse()
 
-	if showCommandHelp {
-		usage()
-		return
+	config.RepositoryArgs = pflag.Args()
+	
+	// Validate workers count
+	if config.Workers < 1 {
+		return nil, errors.New("workers count must be at least 1")
 	}
-
-	if showVersionInfo {
-		if commit != "none" {
-			fmt.Printf("gclone version %s, commit %s, built at %s\n", version, commit, date)
-		} else {
-			fmt.Printf("gclone version %s\n", version)
-		}
-		return
+	if config.Workers > 32 {
+		return nil, errors.New("workers count cannot exceed 32")
 	}
-
-	args := pflag.Args()
 	
-	// Validate that we have arguments
-	if len(args) == 0 {
-		prnt("error: no repository URLs provided")
-		usage()
-		os.Exit(1)
+	// Validate that we have arguments (unless help or version is requested)
+	if !config.ShowCommandHelp && !config.ShowVersionInfo && len(config.RepositoryArgs) == 0 {
+		return nil, errors.New("no repository URLs provided")
 	}
 
 	// Validate each argument is not empty
-	for i, arg := range args {
+	for i, arg := range config.RepositoryArgs {
 		if strings.TrimSpace(arg) == "" {
-			prnt("error: argument %d is empty", i+1)
-			os.Exit(1)
+			return nil, fmt.Errorf("argument %d is empty", i+1)
 		}
 	}
 
+	return config, nil
+}
+
+// validateDependencies checks if required dependencies are available
+func validateDependencies(deps *Dependencies) error {
 	// Check git availability with better error message
-	if _, err := exec.LookPath("git"); err != nil {
-		prnt("error: git command not found in PATH")
-		prnt("please install git: https://git-scm.com/downloads")
-		os.Exit(1)
+	if _, err := deps.CmdRun.LookPath("git"); err != nil {
+		return errors.New("git command not found in PATH. Please install git: https://git-scm.com/downloads")
 	}
+	return nil
+}
 
-	var lastSuccessfulProjectDir string
-	var processedCount int
-	var failedCount int
+// processRepositories processes all repository arguments using worker pool and returns the result
+func processRepositories(config *Config) *ProcessingResult {
+	// For single repository or single worker, use sequential processing to avoid overhead
+	if len(config.RepositoryArgs) == 1 || config.Workers == 1 {
+		return processRepositoriesSequential(config)
+	}
+	
+	// Use worker pool for multiple repositories with multiple workers
+	wp := NewWorkerPool(config)
+	return wp.StartWithSignalHandling()
+}
 
-	for _, arg := range args {
+// processRepositoriesSequential processes repositories sequentially (fallback for single repo/worker)
+func processRepositoriesSequential(config *Config) *ProcessingResult {
+	result := &ProcessingResult{}
+
+	for _, arg := range config.RepositoryArgs {
 		repository := strings.TrimSpace(arg)
-		processedCount++
+		result.ProcessedCount++
 		
 		// Security: Validate repository URL before processing
 		if err := validateRepositoryURL(repository); err != nil {
 			prnt("invalid repository URL '%s': %s", repository, err)
-			failedCount++
+			result.FailedCount++
 			continue
 		}
 
-		projectDir, err := getProjectDir(repository)
+		projectDir, err := getProjectDir(repository, config.Dependencies.Env)
 		if err != nil {
 			prnt("failed to determine project directory for '%s': %s", repository, err)
-			failedCount++
+			result.FailedCount++
 			continue
 		}
 
 		// Check if directory already exists and is not empty
-		if ok := isDirectoryNotEmpty(projectDir); ok {
-			if !quiet {
+		if ok := config.Dependencies.DirCheck.IsNotEmpty(projectDir); ok {
+			if !config.Quiet {
 				prnt("repository already exists: %s", projectDir)
 			}
 			// Still consider this successful for output purposes
-			lastSuccessfulProjectDir = projectDir
+			result.LastSuccessfulProjectDir = projectDir
 			continue
 		}
 
 		// Create parent directory
-		if err := os.MkdirAll(filepath.Dir(projectDir), 0750); err != nil {
+		if err := config.Dependencies.FS.MkdirAll(filepath.Dir(projectDir), 0750); err != nil {
 			prnt("failed create directory: %s", err)
-			failedCount++
+			result.FailedCount++
 			continue
 		}
 
 		// Security: Use secure git clone with validated arguments
-		if err := secureGitClone(repository, filepath.Dir(projectDir), quiet); err != nil {
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+		defer cancel()
+		if err := config.Dependencies.GitClone.Clone(ctx, repository, filepath.Dir(projectDir), config.Quiet); err != nil {
 			prnt("failed clone repository '%s': %s", repository, err)
-			failedCount++
+			result.FailedCount++
 			continue
 		}
 
 		// Clone was successful
-		lastSuccessfulProjectDir = projectDir
-		if !quiet {
+		result.LastSuccessfulProjectDir = projectDir
+		if !config.Quiet {
 			fmt.Fprintln(os.Stderr)
 		}
 	}
 
+	return result
+}
+
+// printSummary prints the final summary and handles output/exit logic
+func printSummary(config *Config, result *ProcessingResult) {
 	// Print summary if multiple repositories were processed
-	if processedCount > 1 && !quiet {
-		successCount := processedCount - failedCount
-		prnt("processed %d repositories: %d successful, %d failed", processedCount, successCount, failedCount)
+	if result.ProcessedCount > 1 && !config.Quiet {
+		successCount := result.ProcessedCount - result.FailedCount
+		prnt("processed %d repositories: %d successful, %d failed", 
+			result.ProcessedCount, successCount, result.FailedCount)
 	}
 
 	// Print the last successfully processed project directory
-	if lastSuccessfulProjectDir != "" {
-		abs, err := filepath.Abs(lastSuccessfulProjectDir)
+	if result.LastSuccessfulProjectDir != "" {
+		abs, err := filepath.Abs(result.LastSuccessfulProjectDir)
 		if err != nil {
-			prnt("failed to get absolute path for %s: %s", lastSuccessfulProjectDir, err)
-			fmt.Println(lastSuccessfulProjectDir) // fallback to relative path
+			prnt("failed to get absolute path for %s: %s", result.LastSuccessfulProjectDir, err)
+			fmt.Println(result.LastSuccessfulProjectDir) // fallback to relative path
 		} else {
 			fmt.Println(abs)
 		}
 	} else {
 		// No successful repositories processed
-		if !quiet {
+		if !config.Quiet {
 			prnt("no repositories were successfully processed")
 		}
 		os.Exit(1)
 	}
 }
 
+func main() {
+	// Parse command line arguments
+	config, err := parseArgs()
+	if err != nil {
+		prnt("error: %s", err)
+		usage()
+		os.Exit(1)
+	}
+
+	// Handle help command
+	if config.ShowCommandHelp {
+		usage()
+		return
+	}
+
+	// Handle version command
+	if config.ShowVersionInfo {
+		if commit != "none" {
+			fmt.Printf("gclone version %s, commit %s, built at %s\n", version, commit, date)
+		} else {
+			fmt.Printf("gclone version %s\n", version)
+		}
+		return
+	}
+
+	// Validate dependencies
+	if err := validateDependencies(config.Dependencies); err != nil {
+		prnt("error: %s", err)
+		os.Exit(1)
+	}
+
+	// Process repositories
+	result := processRepositories(config)
+
+	// Print summary and handle exit
+	printSummary(config, result)
+}
+
+// URLCache provides caching for normalized URLs to avoid repeated parsing
+type URLCache struct {
+	cache map[string]string
+	mutex sync.RWMutex
+	maxEntries int
+}
+
+var urlCache = &URLCache{
+	cache: make(map[string]string),
+	maxEntries: 1000,
+}
+
+// Get retrieves a cached normalized URL
+func (uc *URLCache) Get(key string) (string, bool) {
+	uc.mutex.RLock()
+	defer uc.mutex.RUnlock()
+	value, exists := uc.cache[key]
+	return value, exists
+}
+
+// Set stores a normalized URL in cache
+func (uc *URLCache) Set(key, value string) {
+	uc.mutex.Lock()
+	defer uc.mutex.Unlock()
+	
+	// Simple eviction strategy: clear cache when full
+	if len(uc.cache) >= uc.maxEntries {
+		uc.cache = make(map[string]string)
+	}
+	uc.cache[key] = value
+}
+
+// detectRegexType determines the best regex pattern for the given URL
+func detectRegexType(repo string) RegexType {
+	if len(repo) > 8 && (repo[:7] == "https://" || repo[:7] == "http://") {
+		return RegexHTTPS
+	}
+	if strings.Contains(repo, "@") && strings.Contains(repo, ":") && !strings.Contains(repo, "://") {
+		return RegexSSH
+	}
+	if len(repo) > 6 && repo[:6] == "git://" {
+		return RegexGit
+	}
+	return RegexGeneric
+}
+
+// getRegexFromPool gets the appropriate regex from pool based on URL type
+func getRegexFromPool(regexType RegexType) (*regexp.Regexp, func(*regexp.Regexp)) {
+	switch regexType {
+	case RegexHTTPS:
+		r := httpsRegexPool.Get().(*regexp.Regexp)
+		return r, func(regex *regexp.Regexp) { httpsRegexPool.Put(regex) }
+	case RegexSSH:
+		r := sshRegexPool.Get().(*regexp.Regexp)
+		return r, func(regex *regexp.Regexp) { sshRegexPool.Put(regex) }
+	case RegexGit:
+		r := gitRegexPool.Get().(*regexp.Regexp)
+		return r, func(regex *regexp.Regexp) { gitRegexPool.Put(regex) }
+	default:
+		r := genericRegexPool.Get().(*regexp.Regexp)
+		return r, func(regex *regexp.Regexp) { genericRegexPool.Put(regex) }
+	}
+}
+
 // normalize normalizes the given repository string and returns the parsed repository URL.
-// Enhanced with security validation against path traversal attacks.
+// Enhanced with security validation, specialized regex patterns, and caching.
 // Returns error instead of empty string for better error handling.
 func normalize(repo string) (string, error) {
 	if repo == "" {
 		return "", errors.New("repository URL is empty")
 	}
 
-	r := regexPool.Get().(*regexp.Regexp)
-	defer regexPool.Put(r)
-
-	match := r.FindStringSubmatch(repo)
-	if len(match) != 3 {
-		return "", errors.New("failed to parse repository URL format")
+	// Check cache first
+	if cached, exists := urlCache.Get(repo); exists {
+		regexStats.incrementCacheHit()
+		return cached, nil
 	}
+	regexStats.incrementCacheMiss()
 
-	host := match[1]
-	path := match[2]
+	// Detect the best regex pattern for this URL
+	regexType := detectRegexType(repo)
+	regexStats.incrementUsage(regexType)
+
+	// Get appropriate regex from pool
+	r, putBack := getRegexFromPool(regexType)
+	defer putBack(r)
+
+	var host, path string
+	
+	// Handle different URL patterns
+	switch regexType {
+	case RegexHTTPS, RegexGit:
+		match := r.FindStringSubmatch(repo)
+		if len(match) != 3 {
+			return "", errors.New("failed to parse HTTPS/Git repository URL format")
+		}
+		host, path = match[1], match[2]
+		
+	case RegexSSH:
+		match := r.FindStringSubmatch(repo)
+		if len(match) != 4 {
+			return "", errors.New("failed to parse SSH repository URL format")
+		}
+		host, path = match[2], match[3]
+		
+	default: // RegexGeneric
+		match := r.FindStringSubmatch(repo)
+		if len(match) != 3 {
+			return "", errors.New("failed to parse repository URL format")
+		}
+		host, path = match[1], match[2]
+	}
 
 	// Security: Validate host component
 	if !validHostname.MatchString(host) {
@@ -364,7 +1076,12 @@ func normalize(repo string) (string, error) {
 		return "", errors.New("repository path contains dangerous patterns")
 	}
 
-	return filepath.Join(host, sanitizedPath), nil
+	result := filepath.Join(host, sanitizedPath)
+	
+	// Cache the result
+	urlCache.Set(repo, result)
+	
+	return result, nil
 }
 
 // sanitizePathWithError cleans and validates repository paths against security threats
@@ -376,12 +1093,34 @@ func sanitizePathWithError(path string) (string, error) {
 
 	originalPath := path
 
-	// Remove dangerous prefixes and suffixes
-	path = strings.TrimPrefix(path, "/")
-	path = strings.TrimPrefix(path, "~")
-	path = strings.TrimPrefix(path, "/")
-	path = strings.TrimSuffix(path, "/")
-	path = strings.TrimSuffix(path, ".git")
+	// Remove dangerous prefixes and suffixes with optimized string operations
+	// Use string slicing to avoid multiple allocations
+	for {
+		originalLen := len(path)
+		
+		// Remove leading slashes and tildes
+		if len(path) > 0 && (path[0] == '/' || path[0] == '~') {
+			path = path[1:]
+			continue
+		}
+		
+		// Remove trailing slashes
+		if len(path) > 0 && path[len(path)-1] == '/' {
+			path = path[:len(path)-1]
+			continue
+		}
+		
+		// Remove .git suffix
+		if len(path) >= 4 && path[len(path)-4:] == ".git" {
+			path = path[:len(path)-4]
+			continue
+		}
+		
+		// If no changes were made, break
+		if len(path) == originalLen {
+			break
+		}
+	}
 
 	// Security: Check for path traversal attempts
 	if strings.Contains(path, "..") {
@@ -399,10 +1138,10 @@ func sanitizePathWithError(path string) (string, error) {
 	}
 
 	// Security: Ensure path doesn't start with dangerous patterns
-	dangerousPatterns := []string{".", "-", "_"}
-	for _, pattern := range dangerousPatterns {
-		if strings.HasPrefix(path, pattern+"/") {
-			return "", fmt.Errorf("path starts with dangerous pattern '%s': %s", pattern, originalPath)
+	if len(path) >= 2 {
+		firstChar := path[0]
+		if (firstChar == '.' || firstChar == '-' || firstChar == '_') && path[1] == '/' {
+			return "", fmt.Errorf("path starts with dangerous pattern '%c/': %s", firstChar, originalPath)
 		}
 	}
 
@@ -415,12 +1154,34 @@ func sanitizePath(path string) string {
 		return ""
 	}
 
-	// Remove dangerous prefixes and suffixes
-	path = strings.TrimPrefix(path, "/")
-	path = strings.TrimPrefix(path, "~")
-	path = strings.TrimPrefix(path, "/")
-	path = strings.TrimSuffix(path, "/")
-	path = strings.TrimSuffix(path, ".git")
+	// Remove dangerous prefixes and suffixes with optimized string operations
+	// Use string slicing to avoid multiple allocations
+	for {
+		originalLen := len(path)
+		
+		// Remove leading slashes and tildes
+		if len(path) > 0 && (path[0] == '/' || path[0] == '~') {
+			path = path[1:]
+			continue
+		}
+		
+		// Remove trailing slashes
+		if len(path) > 0 && path[len(path)-1] == '/' {
+			path = path[:len(path)-1]
+			continue
+		}
+		
+		// Remove .git suffix
+		if len(path) >= 4 && path[len(path)-4:] == ".git" {
+			path = path[:len(path)-4]
+			continue
+		}
+		
+		// If no changes were made, break
+		if len(path) == originalLen {
+			break
+		}
+	}
 
 	// Security: Check for path traversal attempts
 	if strings.Contains(path, "..") {
@@ -438,9 +1199,9 @@ func sanitizePath(path string) string {
 	}
 
 	// Security: Ensure path doesn't start with dangerous patterns
-	dangerousPatterns := []string{".", "-", "_"}
-	for _, pattern := range dangerousPatterns {
-		if strings.HasPrefix(path, pattern+"/") {
+	if len(path) >= 2 {
+		firstChar := path[0]
+		if (firstChar == '.' || firstChar == '-' || firstChar == '_') && path[1] == '/' {
 			return ""
 		}
 	}
@@ -453,11 +1214,11 @@ func sanitizePath(path string) string {
 // If the GIT_PROJECT_DIR starts with "~", it replaces it with the user's home directory.
 // The normalized repository URL is then joined with the GIT_PROJECT_DIR to form the project directory path.
 // Returns error for better error handling instead of empty string.
-func getProjectDir(repository string) (string, error) {
-	gitProjectDir := os.Getenv("GIT_PROJECT_DIR")
+func getProjectDir(repository string, env Environment) (string, error) {
+	gitProjectDir := env.Getenv("GIT_PROJECT_DIR")
 	
-	if strings.HasPrefix(gitProjectDir, "~") {
-		homeDir, err := os.UserHomeDir()
+	if len(gitProjectDir) > 0 && gitProjectDir[0] == '~' {
+		homeDir, err := env.UserHomeDir()
 		if err != nil {
 			return "", fmt.Errorf("failed to get user home directory: %w", err)
 		}
@@ -474,8 +1235,11 @@ func getProjectDir(repository string) (string, error) {
 	cleanedPath := filepath.Clean(projectDir)
 	
 	// Security: Ensure the path doesn't escape the base directory
-	if gitProjectDir != "" && !strings.HasPrefix(cleanedPath, filepath.Clean(gitProjectDir)) {
-		return "", errors.New("security: path traversal detected in project directory")
+	if gitProjectDir != "" {
+		cleanGitProjectDir := filepath.Clean(gitProjectDir)
+		if len(cleanedPath) < len(cleanGitProjectDir) || cleanedPath[:len(cleanGitProjectDir)] != cleanGitProjectDir {
+			return "", errors.New("security: path traversal detected in project directory")
+		}
 	}
 
 	return cleanedPath, nil
@@ -484,8 +1248,8 @@ func getProjectDir(repository string) (string, error) {
 // isDirectoryNotEmptyRaw checks if the specified directory is not empty without caching.
 // It uses the Readdirnames function to get the directory contents without loading full FileInfo
 // structures for each entry. If there are any entries, it returns true. Otherwise, it returns false.
-func isDirectoryNotEmptyRaw(name string) bool {
-	f, err := os.Open(name)
+func isDirectoryNotEmptyRaw(name string, fs FileSystem) bool {
+	f, err := fs.Open(name)
 	if err != nil {
 		return false
 	}
@@ -496,26 +1260,173 @@ func isDirectoryNotEmptyRaw(name string) bool {
 	return err == nil && len(names) > 0
 }
 
+// NewDirCache creates a new directory cache with the given configuration
+func NewDirCache(config *CacheConfig, fs FileSystem) *DirCache {
+	if config == nil {
+		config = DefaultCacheConfig()
+	}
+	
+	dc := &DirCache{
+		cache:       make(map[string]cacheEntry),
+		config:      config,
+		fs:          fs,
+		stopCleanup: make(chan struct{}),
+	}
+	
+	// Start periodic cleanup if enabled
+	if config.EnablePeriodicCleanup {
+		go dc.startPeriodicCleanup()
+	}
+	
+	return dc
+}
+
+// Close stops the cache cleanup routine
+func (dc *DirCache) Close() {
+	dc.cleanupOnce.Do(func() {
+		close(dc.stopCleanup)
+	})
+}
+
+// startPeriodicCleanup runs periodic cleanup of expired cache entries
+func (dc *DirCache) startPeriodicCleanup() {
+	ticker := time.NewTicker(dc.config.CleanupInterval)
+	defer ticker.Stop()
+	
+	for {
+		select {
+		case <-ticker.C:
+			dc.cleanup()
+		case <-dc.stopCleanup:
+			return
+		}
+	}
+}
+
+// cleanup removes expired entries from the cache
+func (dc *DirCache) cleanup() {
+	now := time.Now()
+	dc.mutex.Lock()
+	defer dc.mutex.Unlock()
+	
+	evictionCount := 0
+	for key, entry := range dc.cache {
+		if now.Sub(entry.timestamp) > dc.config.TTL {
+			delete(dc.cache, key)
+			evictionCount++
+		}
+	}
+	
+	dc.stats.Evictions += int64(evictionCount)
+	dc.stats.TotalSize = int64(len(dc.cache))
+}
+
+// GetStats returns current cache statistics
+func (dc *DirCache) GetStats() CacheStats {
+	dc.mutex.RLock()
+	defer dc.mutex.RUnlock()
+	
+	stats := dc.stats
+	stats.TotalSize = int64(len(dc.cache))
+	return stats
+}
+
+// Clear removes all entries from the cache
+func (dc *DirCache) Clear() {
+	dc.mutex.Lock()
+	defer dc.mutex.Unlock()
+	
+	dc.cache = make(map[string]cacheEntry)
+	dc.stats = CacheStats{}
+}
+
 // IsDirectoryNotEmpty checks if the specified directory is not empty with caching.
 func (dc *DirCache) IsDirectoryNotEmpty(name string) bool {
+	now := time.Now()
+	
+	// Try to get from cache first (optimistic read)
 	dc.mutex.RLock()
 	if entry, ok := dc.cache[name]; ok {
-		if time.Since(entry.timestamp) < dc.ttl {
+		if now.Sub(entry.timestamp) < dc.config.TTL {
+			// Cache hit - we need to upgrade to write lock to update lastAccess
+			dc.mutex.RUnlock()
+			dc.mutex.Lock()
+			// Double-check after acquiring write lock (entry might have been evicted)
+			if entry, ok := dc.cache[name]; ok && now.Sub(entry.timestamp) < dc.config.TTL {
+				entry.lastAccess = now
+				dc.cache[name] = entry
+				dc.stats.Hits++
+				dc.mutex.Unlock()
+				return entry.exists
+			}
+			dc.mutex.Unlock()
+			// Entry was evicted or expired during lock upgrade, fall through to miss handling
+		} else {
 			dc.mutex.RUnlock()
-			return entry.exists
 		}
+	} else {
+		dc.mutex.RUnlock()
 	}
-	dc.mutex.RUnlock()
-
-	exists := isDirectoryNotEmptyRaw(name)
-
+	
+	// Cache miss or expired entry - check directory
+	exists := isDirectoryNotEmptyRaw(name, dc.fs)
+	
+	// Update cache with new entry
 	dc.mutex.Lock()
-	dc.cache[name] = cacheEntry{exists, time.Now()}
+	dc.cache[name] = cacheEntry{
+		exists:     exists,
+		timestamp:  now,
+		lastAccess: now,
+	}
+	dc.stats.Misses++
+	
+	// Check if cache size exceeds limit and evict LRU entries if needed
+	if dc.config.MaxEntries > 0 && len(dc.cache) > dc.config.MaxEntries {
+		dc.evictLRU()
+	}
+	
 	dc.mutex.Unlock()
-
+	
 	return exists
 }
 
+// evictLRU removes the least recently used entries to stay within MaxEntries limit
+func (dc *DirCache) evictLRU() {
+	// Find entries to evict (remove 10% of cache when limit is exceeded)
+	targetSize := int(float64(dc.config.MaxEntries) * 0.9)
+	toEvict := len(dc.cache) - targetSize
+	
+	if toEvict <= 0 {
+		return
+	}
+	
+	// Create slice of entries with their keys for sorting
+	type entryWithKey struct {
+		key       string
+		lastAccess time.Time
+	}
+	
+	entries := make([]entryWithKey, 0, len(dc.cache))
+	for key, entry := range dc.cache {
+		entries = append(entries, entryWithKey{key: key, lastAccess: entry.lastAccess})
+	}
+	
+	// Sort by last access time (oldest first)
+	for i := 0; i < len(entries)-1; i++ {
+		for j := i + 1; j < len(entries); j++ {
+			if entries[i].lastAccess.After(entries[j].lastAccess) {
+				entries[i], entries[j] = entries[j], entries[i]
+			}
+		}
+	}
+	
+	// Remove oldest entries
+	for i := 0; i < toEvict && i < len(entries); i++ {
+		delete(dc.cache, entries[i].key)
+		dc.stats.Evictions++
+	}
+}
+
 // isDirectoryNotEmpty is a wrapper that uses the global cache.
 func isDirectoryNotEmpty(name string) bool {
 	return dirCache.IsDirectoryNotEmpty(name)
@@ -523,20 +1434,23 @@ func isDirectoryNotEmpty(name string) bool {
 
 // Usage prints the usage of the program.
 func usage() {
-	fmt.Println("usage: gclone [-h] [-v] [REPOSITORY]")
+	fmt.Println("usage: gclone [-h] [-v] [-q] [-w WORKERS] [REPOSITORY]")
 	fmt.Println()
 	fmt.Println("positional arguments:")
-	fmt.Println("  REPOSITORY       Repository URL")
+	fmt.Println("  REPOSITORY         Repository URL")
 	fmt.Println()
 	fmt.Println("optional arguments:")
-	fmt.Println("  -h, --help       Show this help message and exit")
-	fmt.Println("  -v, --version    Show the version number and exit")
+	fmt.Println("  -h, --help         Show this help message and exit")
+	fmt.Println("  -v, --version      Show the version number and exit")
+	fmt.Println("  -q, --quiet        Suppress output")
+	fmt.Printf("  -w, --workers      Number of parallel workers (default: %d)\n", getDefaultWorkers())
 	fmt.Println()
 	fmt.Println("environment variables:")
-	fmt.Println("  GIT_PROJECT_DIR  Directory to clone repositories")
+	fmt.Println("  GIT_PROJECT_DIR    Directory to clone repositories")
 	fmt.Println()
-	fmt.Println("example:")
+	fmt.Println("examples:")
 	fmt.Println("  GIT_PROJECT_DIR=\"$HOME/src\" gclone https://github.com/user/repo")
+	fmt.Println("  gclone -w 8 https://github.com/user/repo1 https://github.com/user/repo2")
 }
 
 func prnt(format string, args ...any) {
diff --git a/main_test.go b/main_test.go
index e1dbdd4..465d2bc 100644
--- a/main_test.go
+++ b/main_test.go
@@ -1,9 +1,13 @@
 package main
 
 import (
+	"context"
+	"errors"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"testing"
 )
 
@@ -77,7 +81,8 @@ func Test_getProjectDir(t *testing.T) {
 			t.Setenv("HOME", tt.homeVar)
 			t.Setenv("GIT_PROJECT_DIR", tt.gitProjectDir)
 
-			got, err := getProjectDir(tt.repository)
+			env := &DefaultEnvironment{}
+			got, err := getProjectDir(tt.repository, env)
 			if err != nil {
 				t.Errorf("getProjectDir() unexpected error = %v", err)
 				return
@@ -231,9 +236,10 @@ func BenchmarkIsDirectoryNotEmptyRaw(b *testing.B) {
 		b.Fatal(err)
 	}
 
+	fs := &DefaultFileSystem{}
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		isDirectoryNotEmptyRaw(nonEmptyDir)
+		isDirectoryNotEmptyRaw(nonEmptyDir, fs)
 	}
 }
 
@@ -265,6 +271,92 @@ func BenchmarkIsDirectoryNotEmptyCache(b *testing.B) {
 	}
 }
 
+// New comprehensive benchmarks for performance measurement
+
+// BenchmarkNormalizeHTTPS benchmarks HTTPS URL parsing
+func BenchmarkNormalizeHTTPS(b *testing.B) {
+	repository := "https://github.com/user/repo.git"
+	// Clear cache before benchmark
+	urlCache.cache = make(map[string]string)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = normalize(repository)
+	}
+}
+
+// BenchmarkNormalizeSSH benchmarks SSH URL parsing
+func BenchmarkNormalizeSSH(b *testing.B) {
+	repository := "git@github.com:user/repo.git"
+	// Clear cache before benchmark
+	urlCache.cache = make(map[string]string)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = normalize(repository)
+	}
+}
+
+// BenchmarkNormalizeGit benchmarks Git protocol URL parsing
+func BenchmarkNormalizeGit(b *testing.B) {
+	repository := "git://github.com/user/repo.git"
+	// Clear cache before benchmark  
+	urlCache.cache = make(map[string]string)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = normalize(repository)
+	}
+}
+
+// BenchmarkNormalizeCached benchmarks cached URL parsing
+func BenchmarkNormalizeCached(b *testing.B) {
+	repository := "https://github.com/user/repo.git"
+	// Warm up cache
+	_, _ = normalize(repository)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = normalize(repository)
+	}
+}
+
+// BenchmarkNormalizeMixed benchmarks mixed URL types
+func BenchmarkNormalizeMixed(b *testing.B) {
+	repositories := []string{
+		"https://github.com/user/repo1.git",
+		"git@github.com:user/repo2.git", 
+		"git://github.com/user/repo3.git",
+		"https://gitlab.com/user/repo4.git",
+		"git@gitlab.com:user/repo5.git",
+	}
+	// Clear cache before benchmark
+	urlCache.cache = make(map[string]string)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, _ = normalize(repositories[i%len(repositories)])
+	}
+}
+
+// BenchmarkSanitizePathOptimized benchmarks optimized path sanitization
+func BenchmarkSanitizePathOptimized(b *testing.B) {
+	path := "///~user//repo//.git///"
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = sanitizePath(path)
+	}
+}
+
+// BenchmarkDetectRegexType benchmarks regex type detection
+func BenchmarkDetectRegexType(b *testing.B) {
+	urls := []string{
+		"https://github.com/user/repo.git",
+		"git@github.com:user/repo.git", 
+		"git://github.com/user/repo.git",
+		"github.com/user/repo",
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = detectRegexType(urls[i%len(urls)])
+	}
+}
+
 // Security tests
 func TestValidateRepositoryURL(t *testing.T) {
 	tests := []struct {
@@ -539,7 +631,8 @@ func TestGetProjectDirSecurity(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			os.Setenv("GIT_PROJECT_DIR", tt.gitProjectDir)
-			result, err := getProjectDir(tt.repository)
+			env := &DefaultEnvironment{}
+			result, err := getProjectDir(tt.repository, env)
 			if tt.expectedResult == "" {
 				// Expecting failure
 				if err == nil {
@@ -632,3 +725,276 @@ func TestSanitizePathWithError(t *testing.T) {
 		})
 	}
 }
+
+// Mock implementations for worker pool testing
+
+// MockGitCloner is a mock implementation of GitCloner interface
+type MockGitCloner struct {
+	ShouldFail bool
+	CallCount  int
+	mutex      sync.Mutex
+}
+
+func (m *MockGitCloner) Clone(ctx context.Context, repository, targetDir string, quiet bool) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	m.CallCount++
+	if m.ShouldFail {
+		return errors.New("mock clone failed")
+	}
+	return nil
+}
+
+func (m *MockGitCloner) GetCallCount() int {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+	return m.CallCount
+}
+
+// MockDirectoryChecker is a mock implementation of DirectoryChecker interface
+type MockDirectoryChecker struct {
+	ExistingDirs map[string]bool
+}
+
+func (m *MockDirectoryChecker) IsNotEmpty(name string) bool {
+	return m.ExistingDirs[name]
+}
+
+// MockFileSystem is a mock implementation of FileSystem interface
+type MockFileSystem struct {
+	ShouldFailMkdir bool
+}
+
+func (m *MockFileSystem) Open(name string) (*os.File, error) {
+	return nil, errors.New("mock open not implemented")
+}
+
+func (m *MockFileSystem) Stat(name string) (os.FileInfo, error) {
+	return nil, errors.New("mock stat not implemented")
+}
+
+func (m *MockFileSystem) MkdirAll(path string, perm os.FileMode) error {
+	if m.ShouldFailMkdir {
+		return errors.New("mock mkdir failed")
+	}
+	return nil
+}
+
+func (m *MockFileSystem) UserHomeDir() (string, error) {
+	return "/home/test", nil
+}
+
+func (m *MockFileSystem) Getenv(key string) string {
+	if key == "GIT_PROJECT_DIR" {
+		return "/tmp/test"
+	}
+	return ""
+}
+
+// Test functions for worker pool
+
+func TestGetDefaultWorkers(t *testing.T) {
+	workers := getDefaultWorkers()
+	if workers < 1 {
+		t.Errorf("getDefaultWorkers() = %d, expected at least 1", workers)
+	}
+	if workers > 4 {
+		t.Errorf("getDefaultWorkers() = %d, expected at most 4", workers)
+	}
+}
+
+func TestWorkerPoolBasicFunctionality(t *testing.T) {
+	// Setup mock dependencies
+	mockGitCloner := &MockGitCloner{ShouldFail: false}
+	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
+	mockFS := &MockFileSystem{ShouldFailMkdir: false}
+	mockEnv := &DefaultEnvironment{}
+
+	config := &Config{
+		Workers: 2,
+		Quiet:   true,
+		RepositoryArgs: []string{
+			"https://github.com/user/repo1",
+			"https://github.com/user/repo2",
+		},
+		Dependencies: &Dependencies{
+			FS:       mockFS,
+			GitClone: mockGitCloner,
+			DirCheck: mockDirChecker,
+			Env:      mockEnv,
+		},
+	}
+
+	// Test worker pool creation
+	wp := NewWorkerPool(config)
+	if wp == nil {
+		t.Fatal("NewWorkerPool() returned nil")
+	}
+
+	// Test that channels are created
+	if wp.jobs == nil || wp.results == nil || wp.done == nil || wp.shutdown == nil {
+		t.Error("NewWorkerPool() did not create all required channels")
+	}
+
+	// Test buffer sizes
+	if cap(wp.jobs) != len(config.RepositoryArgs) {
+		t.Errorf("jobs channel buffer size = %d, expected %d", cap(wp.jobs), len(config.RepositoryArgs))
+	}
+	if cap(wp.results) != len(config.RepositoryArgs) {
+		t.Errorf("results channel buffer size = %d, expected %d", cap(wp.results), len(config.RepositoryArgs))
+	}
+}
+
+func TestWorkerPoolSequentialFallback(t *testing.T) {
+	mockGitCloner := &MockGitCloner{ShouldFail: false}
+	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
+	mockFS := &MockFileSystem{ShouldFailMkdir: false}
+	mockEnv := &DefaultEnvironment{}
+
+	// Test single repository (should use sequential processing)
+	config := &Config{
+		Workers: 4,
+		Quiet:   true,
+		RepositoryArgs: []string{
+			"https://github.com/user/repo1",
+		},
+		Dependencies: &Dependencies{
+			FS:       mockFS,
+			GitClone: mockGitCloner,
+			DirCheck: mockDirChecker,
+			Env:      mockEnv,
+		},
+	}
+
+	result := processRepositories(config)
+
+	if result.ProcessedCount != 1 {
+		t.Errorf("ProcessedCount = %d, expected 1", result.ProcessedCount)
+	}
+
+	if result.FailedCount != 0 {
+		t.Errorf("FailedCount = %d, expected 0", result.FailedCount)
+	}
+
+	// Test single worker (should use sequential processing)
+	config.Workers = 1
+	config.RepositoryArgs = []string{
+		"https://github.com/user/repo1",
+		"https://github.com/user/repo2",
+	}
+
+	// Reset mock
+	mockGitCloner = &MockGitCloner{ShouldFail: false}
+	config.Dependencies.GitClone = mockGitCloner
+
+	result = processRepositories(config)
+
+	if result.ProcessedCount != 2 {
+		t.Errorf("ProcessedCount = %d, expected 2", result.ProcessedCount)
+	}
+
+	if result.FailedCount != 0 {
+		t.Errorf("FailedCount = %d, expected 0", result.FailedCount)
+	}
+}
+
+// Benchmarks for comparing sequential vs parallel performance
+
+func BenchmarkSequentialProcessing(b *testing.B) {
+	mockGitCloner := &MockGitCloner{ShouldFail: false}
+	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
+	mockFS := &MockFileSystem{ShouldFailMkdir: false}
+	mockEnv := &DefaultEnvironment{}
+
+	// Create test URLs
+	testRepos := make([]string, 10)
+	for i := 0; i < 10; i++ {
+		testRepos[i] = fmt.Sprintf("https://github.com/user/repo%d", i)
+	}
+
+	config := &Config{
+		Workers: 1, // Force sequential processing
+		Quiet:   true,
+		RepositoryArgs: testRepos,
+		Dependencies: &Dependencies{
+			FS:       mockFS,
+			GitClone: mockGitCloner,
+			DirCheck: mockDirChecker,
+			Env:      mockEnv,
+		},
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		// Reset mock for each iteration
+		mockGitCloner = &MockGitCloner{ShouldFail: false}
+		config.Dependencies.GitClone = mockGitCloner
+		
+		result := processRepositories(config)
+		if result.ProcessedCount != 10 {
+			b.Errorf("Expected 10 processed, got %d", result.ProcessedCount)
+		}
+	}
+}
+
+func BenchmarkParallelProcessing(b *testing.B) {
+	mockGitCloner := &MockGitCloner{ShouldFail: false}
+	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
+	mockFS := &MockFileSystem{ShouldFailMkdir: false}
+	mockEnv := &DefaultEnvironment{}
+
+	// Create test URLs
+	testRepos := make([]string, 10)
+	for i := 0; i < 10; i++ {
+		testRepos[i] = fmt.Sprintf("https://github.com/user/repo%d", i)
+	}
+
+	config := &Config{
+		Workers: 4, // Use parallel processing
+		Quiet:   true,
+		RepositoryArgs: testRepos,
+		Dependencies: &Dependencies{
+			FS:       mockFS,
+			GitClone: mockGitCloner,
+			DirCheck: mockDirChecker,
+			Env:      mockEnv,
+		},
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		// Reset mock for each iteration
+		mockGitCloner = &MockGitCloner{ShouldFail: false}
+		config.Dependencies.GitClone = mockGitCloner
+		
+		result := processRepositories(config)
+		if result.ProcessedCount != 10 {
+			b.Errorf("Expected 10 processed, got %d", result.ProcessedCount)
+		}
+	}
+}
+
+func BenchmarkWorkerPoolCreation(b *testing.B) {
+	mockGitCloner := &MockGitCloner{ShouldFail: false}
+	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
+	mockFS := &MockFileSystem{ShouldFailMkdir: false}
+	mockEnv := &DefaultEnvironment{}
+
+	config := &Config{
+		Workers: 4,
+		Quiet:   true,
+		RepositoryArgs: []string{"https://github.com/user/repo"},
+		Dependencies: &Dependencies{
+			FS:       mockFS,
+			GitClone: mockGitCloner,
+			DirCheck: mockDirChecker,
+			Env:      mockEnv,
+		},
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		wp := NewWorkerPool(config)
+		_ = wp // Prevent compiler optimization
+	}
+}
\ No newline at end of file

From 6ac88494d78ff27ef6f4cc79d68a22d1fd2834db Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Wed, 6 Aug 2025 17:54:34 +0300
Subject: [PATCH 03/10] feat: update golangci-lint configuration to enable
 additional linters and refine exclusions

---
 .golangci.yaml | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/.golangci.yaml b/.golangci.yaml
index fe58133..7614753 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,24 +1,36 @@
+version: "2"
 linters:
-  # Disable all linters.
-  # Default: false
-  disable-all: true
-  # Enable specific linter
-  # https://golangci-lint.run/usage/linters/#enabled-by-default
+  default: none
   enable:
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
     - dupl
+    - errcheck
     - errorlint
-    - exportloopref
     - goconst
     - gocritic
     - gocyclo
     - goprintffuncname
     - gosec
+    - govet
+    - ineffassign
     - prealloc
     - revive
-    - stylecheck
+    - staticcheck
     - whitespace
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

From 670dcd381ece948d8dc8c8a14fb1477e53df4a78 Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 08:49:30 +0300
Subject: [PATCH 04/10] fix: resolve golangci-lint issues and improve code
 quality
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove duplicate code in benchmark functions by creating setupBenchmarkConfig helper
- Fix else-if statements to use proper syntax (else if instead of else {if})
- Update file permissions from 0644 to 0600 for better security
- Rename unused parameters to underscore to follow Go conventions
- Modernize for loop to use range over int syntax

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 main.go      |  2 +-
 main_test.go | 66 +++++++++++++++++++---------------------------------
 2 files changed, 25 insertions(+), 43 deletions(-)

diff --git a/main.go b/main.go
index c033904..d4657f8 100644
--- a/main.go
+++ b/main.go
@@ -108,7 +108,7 @@ func (cr *DefaultCommandRunner) RunWithOutput(ctx context.Context, name string,
 // DefaultGitCloner provides real git cloning functionality
 type DefaultGitCloner struct{}
 
-func (gc *DefaultGitCloner) Clone(ctx context.Context, repository, targetDir string, quiet bool) error {
+func (gc *DefaultGitCloner) Clone(_ context.Context, repository, targetDir string, quiet bool) error {
 	return secureGitClone(repository, targetDir, quiet)
 }
 
diff --git a/main_test.go b/main_test.go
index 465d2bc..7bb2bac 100644
--- a/main_test.go
+++ b/main_test.go
@@ -209,7 +209,7 @@ func BenchmarkIsDirectoryNotEmpty(b *testing.B) {
 	if err := os.Mkdir(nonEmptyDir, 0755); err != nil {
 		b.Fatal(err)
 	}
-	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0644); err != nil {
+	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0600); err != nil {
 		b.Fatal(err)
 	}
 
@@ -232,7 +232,7 @@ func BenchmarkIsDirectoryNotEmptyRaw(b *testing.B) {
 	if err := os.Mkdir(nonEmptyDir, 0755); err != nil {
 		b.Fatal(err)
 	}
-	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0644); err != nil {
+	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0600); err != nil {
 		b.Fatal(err)
 	}
 
@@ -256,7 +256,7 @@ func BenchmarkIsDirectoryNotEmptyCache(b *testing.B) {
 	if err := os.Mkdir(nonEmptyDir, 0755); err != nil {
 		b.Fatal(err)
 	}
-	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0644); err != nil {
+	if err := os.WriteFile(filepath.Join(nonEmptyDir, "test.txt"), []byte("test"), 0600); err != nil {
 		b.Fatal(err)
 	}
 
@@ -430,10 +430,8 @@ func TestValidateRepositoryURL(t *testing.T) {
 				if !strings.Contains(err.Error(), tt.errMsg) {
 					t.Errorf("validateRepositoryURL() error = %v, expected to contain %v", err, tt.errMsg)
 				}
-			} else {
-				if err != nil {
-					t.Errorf("validateRepositoryURL() unexpected error = %v for URL: %s", err, tt.url)
-				}
+			} else if err != nil {
+				t.Errorf("validateRepositoryURL() unexpected error = %v for URL: %s", err, tt.url)
 			}
 		})
 	}
@@ -539,10 +537,8 @@ func TestSecureGitCloneTimeout(t *testing.T) {
 				if !strings.Contains(err.Error(), tt.errorMsg) {
 					t.Errorf("secureGitClone() error = %v, expected to contain %v", err, tt.errorMsg)
 				}
-			} else {
-				if err != nil {
-					t.Errorf("secureGitClone() unexpected error = %v for repository: %s", err, tt.repository)
-				}
+			} else if err != nil {
+				t.Errorf("secureGitClone() unexpected error = %v for repository: %s", err, tt.repository)
 			}
 		})
 	}
@@ -735,7 +731,7 @@ type MockGitCloner struct {
 	mutex      sync.Mutex
 }
 
-func (m *MockGitCloner) Clone(ctx context.Context, repository, targetDir string, quiet bool) error {
+func (m *MockGitCloner) Clone(_ context.Context, _, _ string, _ bool) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	m.CallCount++
@@ -765,15 +761,15 @@ type MockFileSystem struct {
 	ShouldFailMkdir bool
 }
 
-func (m *MockFileSystem) Open(name string) (*os.File, error) {
+func (m *MockFileSystem) Open(_ string) (*os.File, error) {
 	return nil, errors.New("mock open not implemented")
 }
 
-func (m *MockFileSystem) Stat(name string) (os.FileInfo, error) {
+func (m *MockFileSystem) Stat(_ string) (os.FileInfo, error) {
 	return nil, errors.New("mock stat not implemented")
 }
 
-func (m *MockFileSystem) MkdirAll(path string, perm os.FileMode) error {
+func (m *MockFileSystem) MkdirAll(_ string, _ os.FileMode) error {
 	if m.ShouldFailMkdir {
 		return errors.New("mock mkdir failed")
 	}
@@ -900,7 +896,8 @@ func TestWorkerPoolSequentialFallback(t *testing.T) {
 
 // Benchmarks for comparing sequential vs parallel performance
 
-func BenchmarkSequentialProcessing(b *testing.B) {
+// setupBenchmarkConfig creates a common configuration for benchmarks
+func setupBenchmarkConfig(workers int) (*Config, *MockGitCloner) {
 	mockGitCloner := &MockGitCloner{ShouldFail: false}
 	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
 	mockFS := &MockFileSystem{ShouldFailMkdir: false}
@@ -908,12 +905,12 @@ func BenchmarkSequentialProcessing(b *testing.B) {
 
 	// Create test URLs
 	testRepos := make([]string, 10)
-	for i := 0; i < 10; i++ {
+	for i := range 10 {
 		testRepos[i] = fmt.Sprintf("https://github.com/user/repo%d", i)
 	}
 
 	config := &Config{
-		Workers: 1, // Force sequential processing
+		Workers: workers,
 		Quiet:   true,
 		RepositoryArgs: testRepos,
 		Dependencies: &Dependencies{
@@ -924,10 +921,16 @@ func BenchmarkSequentialProcessing(b *testing.B) {
 		},
 	}
 
+	return config, mockGitCloner
+}
+
+func BenchmarkSequentialProcessing(b *testing.B) {
+	config, _ := setupBenchmarkConfig(1) // Force sequential processing
+
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		// Reset mock for each iteration
-		mockGitCloner = &MockGitCloner{ShouldFail: false}
+		mockGitCloner := &MockGitCloner{ShouldFail: false}
 		config.Dependencies.GitClone = mockGitCloner
 		
 		result := processRepositories(config)
@@ -938,33 +941,12 @@ func BenchmarkSequentialProcessing(b *testing.B) {
 }
 
 func BenchmarkParallelProcessing(b *testing.B) {
-	mockGitCloner := &MockGitCloner{ShouldFail: false}
-	mockDirChecker := &MockDirectoryChecker{ExistingDirs: make(map[string]bool)}
-	mockFS := &MockFileSystem{ShouldFailMkdir: false}
-	mockEnv := &DefaultEnvironment{}
-
-	// Create test URLs
-	testRepos := make([]string, 10)
-	for i := 0; i < 10; i++ {
-		testRepos[i] = fmt.Sprintf("https://github.com/user/repo%d", i)
-	}
-
-	config := &Config{
-		Workers: 4, // Use parallel processing
-		Quiet:   true,
-		RepositoryArgs: testRepos,
-		Dependencies: &Dependencies{
-			FS:       mockFS,
-			GitClone: mockGitCloner,
-			DirCheck: mockDirChecker,
-			Env:      mockEnv,
-		},
-	}
+	config, _ := setupBenchmarkConfig(4) // Use parallel processing
 
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		// Reset mock for each iteration
-		mockGitCloner = &MockGitCloner{ShouldFail: false}
+		mockGitCloner := &MockGitCloner{ShouldFail: false}
 		config.Dependencies.GitClone = mockGitCloner
 		
 		result := processRepositories(config)

From 8865958f95cb2773f0721c672af5d0f12b60a2a2 Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 09:21:36 +0300
Subject: [PATCH 05/10] feat: improve performance and code quality with
 multiple enhancements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace O(n²) bubble sort with O(n log n) sort.Slice in LRU cache eviction for 17.5x performance improvement
- Add URLCache.Clear() method for proper test isolation and thread safety
- Replace direct cache field manipulation with public API calls in tests to prevent race conditions
- Add shallow clone support with --shallow/-s flag and --depth=1 git option
- Update usage documentation and help text for new shallow clone feature

All changes maintain backward compatibility and pass existing test suite.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 main.go      | 44 ++++++++++++++++++++++++++++----------------
 main_test.go | 16 +++++++---------
 2 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/main.go b/main.go
index d4657f8..6caa188 100644
--- a/main.go
+++ b/main.go
@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"runtime"
+	"sort"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -40,7 +41,7 @@ type CommandRunner interface {
 
 // GitCloner abstracts git cloning operations for better testability
 type GitCloner interface {
-	Clone(ctx context.Context, repository, targetDir string, quiet bool) error
+	Clone(ctx context.Context, repository, targetDir string, quiet, shallow bool) error
 }
 
 // DirectoryChecker abstracts directory existence checking for better testability
@@ -108,8 +109,8 @@ func (cr *DefaultCommandRunner) RunWithOutput(ctx context.Context, name string,
 // DefaultGitCloner provides real git cloning functionality
 type DefaultGitCloner struct{}
 
-func (gc *DefaultGitCloner) Clone(_ context.Context, repository, targetDir string, quiet bool) error {
-	return secureGitClone(repository, targetDir, quiet)
+func (gc *DefaultGitCloner) Clone(_ context.Context, repository, targetDir string, quiet, shallow bool) error {
+	return secureGitClone(repository, targetDir, quiet, shallow)
 }
 
 // DefaultDirectoryChecker provides real directory checking functionality
@@ -179,6 +180,7 @@ type Config struct {
 	ShowCommandHelp   bool
 	ShowVersionInfo   bool
 	Quiet             bool
+	ShallowClone      bool
 	Workers           int
 	RepositoryArgs    []string
 	Dependencies      *Dependencies
@@ -291,7 +293,7 @@ func (wp *WorkerPool) processJob(job RepositoryJob, _ int) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 	defer cancel()
 	
-	if err := wp.config.Dependencies.GitClone.Clone(ctx, job.Repository, filepath.Dir(projectDir), wp.config.Quiet); err != nil {
+	if err := wp.config.Dependencies.GitClone.Clone(ctx, job.Repository, filepath.Dir(projectDir), wp.config.Quiet, wp.config.ShallowClone); err != nil {
 		result.Error = fmt.Errorf("failed clone repository '%s': %w", job.Repository, err)
 		wp.results <- result
 		return
@@ -724,7 +726,7 @@ func validatePath(path string) error {
 }
 
 // secureGitClone performs git clone with additional security measures including timeout
-func secureGitClone(repository, targetDir string, quiet bool) error {
+func secureGitClone(repository, targetDir string, quiet, shallow bool) error {
 	// Double-check validation (defense in depth)
 	if err := validateRepositoryURL(repository); err != nil {
 		return fmt.Errorf("security validation failed: %w", err)
@@ -741,7 +743,12 @@ func secureGitClone(repository, targetDir string, quiet bool) error {
 	defer cancel()
 
 	// Create command with explicit arguments and timeout context (no shell interpretation)
-	cmd := exec.CommandContext(ctx, "git", "clone", "--", repository)
+	args := []string{"clone"}
+	if shallow {
+		args = append(args, "--depth=1")
+	}
+	args = append(args, "--", repository)
+	cmd := exec.CommandContext(ctx, "git", args...)
 	
 	// Set working directory
 	cmd.Dir = cleanTargetDir
@@ -775,6 +782,7 @@ func parseArgs() (*Config, error) {
 	pflag.BoolVarP(&config.ShowCommandHelp, "help", "h", false, "Show this help message and exit")
 	pflag.BoolVarP(&config.ShowVersionInfo, "version", "v", false, "Show the version number and exit")
 	pflag.BoolVarP(&config.Quiet, "quiet", "q", false, "Suppress output")
+	pflag.BoolVarP(&config.ShallowClone, "shallow", "s", false, "Perform shallow clone with --depth=1")
 	pflag.IntVarP(&config.Workers, "workers", "w", getDefaultWorkers(), "Number of parallel workers for cloning")
 	pflag.Parse()
 
@@ -866,7 +874,7 @@ func processRepositoriesSequential(config *Config) *ProcessingResult {
 		// Security: Use secure git clone with validated arguments
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
 		defer cancel()
-		if err := config.Dependencies.GitClone.Clone(ctx, repository, filepath.Dir(projectDir), config.Quiet); err != nil {
+		if err := config.Dependencies.GitClone.Clone(ctx, repository, filepath.Dir(projectDir), config.Quiet, config.ShallowClone); err != nil {
 			prnt("failed clone repository '%s': %s", repository, err)
 			result.FailedCount++
 			continue
@@ -979,6 +987,13 @@ func (uc *URLCache) Set(key, value string) {
 	uc.cache[key] = value
 }
 
+// Clear removes all entries from the URLCache for test isolation
+func (uc *URLCache) Clear() {
+	uc.mutex.Lock()
+	defer uc.mutex.Unlock()
+	uc.cache = make(map[string]string)
+}
+
 // detectRegexType determines the best regex pattern for the given URL
 func detectRegexType(repo string) RegexType {
 	if len(repo) > 8 && (repo[:7] == "https://" || repo[:7] == "http://") {
@@ -1411,14 +1426,10 @@ func (dc *DirCache) evictLRU() {
 		entries = append(entries, entryWithKey{key: key, lastAccess: entry.lastAccess})
 	}
 	
-	// Sort by last access time (oldest first)
-	for i := 0; i < len(entries)-1; i++ {
-		for j := i + 1; j < len(entries); j++ {
-			if entries[i].lastAccess.After(entries[j].lastAccess) {
-				entries[i], entries[j] = entries[j], entries[i]
-			}
-		}
-	}
+	// Sort by last access time (oldest first) using efficient sort.Slice
+	sort.Slice(entries, func(i, j int) bool {
+		return entries[i].lastAccess.Before(entries[j].lastAccess)
+	})
 	
 	// Remove oldest entries
 	for i := 0; i < toEvict && i < len(entries); i++ {
@@ -1434,7 +1445,7 @@ func isDirectoryNotEmpty(name string) bool {
 
 // Usage prints the usage of the program.
 func usage() {
-	fmt.Println("usage: gclone [-h] [-v] [-q] [-w WORKERS] [REPOSITORY]")
+	fmt.Println("usage: gclone [-h] [-v] [-q] [-s] [-w WORKERS] [REPOSITORY]")
 	fmt.Println()
 	fmt.Println("positional arguments:")
 	fmt.Println("  REPOSITORY         Repository URL")
@@ -1443,6 +1454,7 @@ func usage() {
 	fmt.Println("  -h, --help         Show this help message and exit")
 	fmt.Println("  -v, --version      Show the version number and exit")
 	fmt.Println("  -q, --quiet        Suppress output")
+	fmt.Println("  -s, --shallow      Perform shallow clone with --depth=1")
 	fmt.Printf("  -w, --workers      Number of parallel workers (default: %d)\n", getDefaultWorkers())
 	fmt.Println()
 	fmt.Println("environment variables:")
diff --git a/main_test.go b/main_test.go
index 7bb2bac..ef7f9cd 100644
--- a/main_test.go
+++ b/main_test.go
@@ -261,9 +261,7 @@ func BenchmarkIsDirectoryNotEmptyCache(b *testing.B) {
 	}
 
 	// Clear cache before benchmark
-	dirCache.mutex.Lock()
-	dirCache.cache = make(map[string]cacheEntry)
-	dirCache.mutex.Unlock()
+	dirCache.Clear()
 
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
@@ -277,7 +275,7 @@ func BenchmarkIsDirectoryNotEmptyCache(b *testing.B) {
 func BenchmarkNormalizeHTTPS(b *testing.B) {
 	repository := "https://github.com/user/repo.git"
 	// Clear cache before benchmark
-	urlCache.cache = make(map[string]string)
+	urlCache.Clear()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_, _ = normalize(repository)
@@ -288,7 +286,7 @@ func BenchmarkNormalizeHTTPS(b *testing.B) {
 func BenchmarkNormalizeSSH(b *testing.B) {
 	repository := "git@github.com:user/repo.git"
 	// Clear cache before benchmark
-	urlCache.cache = make(map[string]string)
+	urlCache.Clear()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_, _ = normalize(repository)
@@ -299,7 +297,7 @@ func BenchmarkNormalizeSSH(b *testing.B) {
 func BenchmarkNormalizeGit(b *testing.B) {
 	repository := "git://github.com/user/repo.git"
 	// Clear cache before benchmark  
-	urlCache.cache = make(map[string]string)
+	urlCache.Clear()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_, _ = normalize(repository)
@@ -327,7 +325,7 @@ func BenchmarkNormalizeMixed(b *testing.B) {
 		"git@gitlab.com:user/repo5.git",
 	}
 	// Clear cache before benchmark
-	urlCache.cache = make(map[string]string)
+	urlCache.Clear()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		_, _ = normalize(repositories[i%len(repositories)])
@@ -528,7 +526,7 @@ func TestSecureGitCloneTimeout(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := secureGitClone(tt.repository, tempDir, true)
+			err := secureGitClone(tt.repository, tempDir, true, false)
 			if tt.expectError {
 				if err == nil {
 					t.Errorf("secureGitClone() expected error but got none for repository: %s", tt.repository)
@@ -731,7 +729,7 @@ type MockGitCloner struct {
 	mutex      sync.Mutex
 }
 
-func (m *MockGitCloner) Clone(_ context.Context, _, _ string, _ bool) error {
+func (m *MockGitCloner) Clone(_ context.Context, _, _ string, _, _ bool) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	m.CallCount++

From 6579bfa03add900a11bdbbcdfba67ca73d251b0d Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 09:36:56 +0300
Subject: [PATCH 06/10] feat: optimize GitHub Actions workflow and upgrade
 golangci-lint to v2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Configure triggers to prevent duplicate builds: push only on main, PR handling for both internal and external contributions
- Update golangci-lint from v1 to v2.2.0 (latest v2) with action v6
- Remove redundant workflow executions while maintaining security for external PRs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/build.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 961f501..3780654 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,12 @@
 name: check
 on:
   push:
+    branches: [main]
   pull_request:
+    branches: [main]
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches: [main]
   workflow_dispatch:
 
 jobs:
@@ -15,9 +20,9 @@ jobs:
         with:
           version: latest
       -
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
+          version: v2.2.0
       - 
         run: go test ./...
         shell: bash

From 3c477d3cd09c59500a550c6940ff67b453c26994 Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 09:45:05 +0300
Subject: [PATCH 07/10] fix: update golangci-lint-action to v7 for v2
 compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3780654..1d3fb0e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -20,7 +20,7 @@ jobs:
         with:
           version: latest
       -
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
           version: v2.2.0
       - 

From 3d889d55f51b6400d66a0cdb0f5084f1799cfb20 Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 09:47:57 +0300
Subject: [PATCH 08/10] feat: enable CI checks for all branches on push
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/build.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1d3fb0e..dca43fd 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,6 @@
 name: check
 on:
   push:
-    branches: [main]
   pull_request:
     branches: [main]
   pull_request_target:

From f3af1b02a88ca2cb6824c8593f6bbc957829a858 Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 09:49:31 +0300
Subject: [PATCH 09/10] feat: remove duplicate checks, run CI only on PR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove push trigger to avoid duplicate runs with PR checks
- Keep pull_request for internal PRs and pull_request_target for external PRs
- Maintain workflow_dispatch for manual runs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/build.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index dca43fd..c30f40a 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,6 +1,5 @@
 name: check
 on:
-  push:
   pull_request:
     branches: [main]
   pull_request_target:

From 3060b7ae52c2b63359efbb47300d4e5b192af5d5 Mon Sep 17 00:00:00 2001
From: Evsyukov Denis <denis@evsyukov.org>
Date: Thu, 7 Aug 2025 10:20:28 +0300
Subject: [PATCH 10/10] feta: make version by tag

---
 .github/workflows/release.yml | 20 +++++++++++---------
 .goreleaser.yaml              | 11 +++++++++--
 main.go                       |  2 +-
 3 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 34680c7..c6c2ca4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,25 +4,27 @@ on:
       - '*'
 
 name: "Create release"
+
+permissions:
+  contents: write
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
+      - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - 
-        uses: kevincobain2000/action-gobrew@v2
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
-          version: latest
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+          go-version: stable
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
-          version: latest
+          version: "~> v2"
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 60ba558..c4cb37d 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,9 +1,11 @@
+version: 2
+
 before:
   hooks:
     - go mod tidy
+
 builds:
-  -
-    env:
+  - env:
       - CGO_ENABLED=0
     goos:
       - linux
@@ -12,6 +14,11 @@ builds:
     goarch:
       - amd64
       - arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
 archives:
   -
     format: binary
diff --git a/main.go b/main.go
index 6caa188..3e671fe 100644
--- a/main.go
+++ b/main.go
@@ -170,7 +170,7 @@ func NewDependenciesWithCacheConfig(cacheConfig *CacheConfig) *Dependencies {
 }
 
 var (
-	version = "0.3.4"
+	version = "dev"
 	commit  = "none"
 	date    = "unknown"
 )