fix(ci): unblock the host test suite on all platforms

`cargo test --workspace --all-features` was red on every platform. cargo
stops at the first failing test binary, so each platform only revealed its
first failure and hid the rest (ubuntu/macos/test-release aborted at
setup_contract_gaps; windows aborted earlier at apply_network).

Fixes:

* setup_contract_gaps: mark the 4 intentionally-RED `setup` gap-pin tests
  `#[ignore]` (matching the property-9 placeholder already in the file and
  the experimental-ecosystem convention). They stay runnable via
  `--ignored` and remain executable specs, but no longer gate CI.

* Windows python-venv layout: apply_network, in_process_python_envs (11
  tests) and ecosystem_dispatch_e2e::fixture_pypi staged a Unix-only
  `.venv/lib/python3.X/site-packages` fixture yet asserted the package is
  discovered/applied. The crawler probes `.venv/Lib/site-packages` on
  Windows, so they failed there. Stage the platform-correct layout (helper
  + cfg(windows) branches), preserving the Unix per-version semantics.

* setup_cargo_invariants: files_under() built relative keys with the OS
  separator, so `.cargo\config.toml` on Windows never matched the
  `.cargo/config.toml` literal. Normalize keys to forward slashes.

* setup_matrix_golang host guard: go `setup` is no longer a no-op since the
  project-local go.mod-redirect guard backend (#104) — it wires
  internal/socketpatchguard + a blank import per `package main` dir. The
  stale `go_setup_is_a_noop_host` asserted the old no-op contract and failed
  on the host. Rewrote it into a real configure->check->remove round-trip
  with an independent, Windows-safe on-disk oracle.

Accompanying audit additions already in-flight on this branch: CLI_CONTRACT
monorepo / multi-project discovery model + nested-workspace gap docs;
setup_monorepo_invariants.rs and crawler_monorepo_gaps.rs (green pins +
`#[ignore]`d gap pins); crawler_npm_e2e deeply-nested transitive-dep test.

Verified: full `cargo test --workspace --all-features` is green on macOS.
The docker setup-matrix cases soft-skip without the test images, exactly as
the CI host `test` job does (it builds no images).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

crates/socket-patch-cli/CLI_CONTRACT.md

@@ -158,9 +158,16 @@ in particular, are behavior changes that gate a version bump when implemented).
    yarn / pnpm / bun workspace members and cargo workspace members are all discovered and configured
    (pnpm is root-package-only by design, because workspace-member `postinstall` scripts fail under
    pnpm's strict module isolation). Selected paths may be **excluded**, and the exclusion is **persisted
-   in `.socket/manifest.json`** so `check`, `apply`, and any clone all honor it. *(Workspace discovery
-   implemented; the `--exclude` flag + manifest exclude sub-property are **follow-up work** — pending
-   test marked `#[ignore]`.)*
+   in `.socket/manifest.json`** so `check`, `apply`, and any clone all honor it. *(Single-level
+   workspace discovery implemented; the `--exclude` flag + manifest exclude sub-property are
+   **follow-up work** — pending test marked `#[ignore]`.)*
+   - **Nested workspaces (intended; gap).** A workspace member that is itself a workspace root — or, for
+     cargo, members matched by a recursive `members = ["crates/**"]` glob — *should* be recursed into and
+     have its own members configured. Today expansion is **one level only** (`find_package_json_files`
+     never reads a discovered member's own `workspaces` field; `discover_cargo_project` expands
+     `crates/*` but not `crates/**`). Guarded by the `#[ignore]`d gap pins
+     `setup_recurses_into_nested_npm_workspace` / `setup_expands_recursive_cargo_member_glob` in
+     `tests/setup_monorepo_invariants.rs`.
 
 ### Per-ecosystem setup support
 
@@ -178,6 +185,35 @@ patches still show up in VEX).
 | gem | managed `plugin "socket-patch"` block in the `Gemfile` → committed in-tree Bundler plugin under `.socket/bundler-plugin/` | every `bundle install` (cached + fresh: load-time digest gate + `after-install-all` hook) | Bundler loads only committed git plugins, so the generated dir must be committed; CLI must be on `PATH`. Phase 1 references the in-tree plugin via `git:`; Phase 2 (follow-up) switches to a published `socket-patch-bundler` gem |
 | nuget · maven · golang · composer · deno | **none** (apply-only) | — | `setup` reports `no_files`; candidates for the **manual** declaration |
 
+### Monorepo / multi-project discovery model
+
+How `setup` (and the underlying `scan`/`apply` crawlers) find subprojects differs by ecosystem, and
+the model is **not uniform** today:
+
+- **Workspace-aware (walk members):** npm / yarn / pnpm / bun (`workspaces` / `pnpm-workspace.yaml`)
+  and cargo (`[workspace] members`). One repo-root invocation discovers and configures every member.
+  *Single level only* — see property 9's nested-workspace gap.
+- **cwd-only (single project):** gem, pypi, golang, composer. The crawler inspects only the project
+  rooted at `--cwd` (e.g. gem looks at `<cwd>/vendor/bundle/...`; pypi at `<cwd>/.venv`); it does **not**
+  descend into sibling subprojects. A monorepo with several independent lockfiles in subdirectories
+  (`backend/Gemfile.lock` + `frontend/Gemfile.lock`, multiple `.venv`, multiple `go.mod` /
+  `composer.json`) is handled by invoking the tool **once per subproject** (`--cwd` each), as a
+  per-directory install hook would.
+
+**Intended (gap):** the cwd-only ecosystems *should* also auto-discover per-subproject lockfiles when
+run from the repo root, matching the npm/cargo workspace model. The npm-vs-others asymmetry is a known
+defect, guarded by the `#[ignore]`d gap pin
+`gem_crawl_from_repo_root_discovers_all_subproject_lockfiles` in
+`crates/socket-patch-core/tests/crawler_monorepo_gaps.rs` (gem is the representative; python/go/composer
+share the limitation).
+
+**Deeply nested transitive dependencies are fully supported.** The npm crawler recurses `node_modules`
+at unbounded depth, and `apply` is path-agnostic — it patches a package by PURL against the manifest
+regardless of how deep in the dependency tree it was installed, so a deeply-nested transitive dependency
+is patched identically to a direct one. Pinned by
+`crawl_all_discovers_deeply_nested_transitive_deps` in
+`crates/socket-patch-core/tests/crawler_npm_e2e.rs`.
+
 ### JSON output shapes (`setup`, `setup --check`, `setup --remove`)
 
 `setup` predates the v3.0 unified envelope and emits its own three shapes. They are stable as of v3.0;

crates/socket-patch-cli/tests/apply_network.rs

@@ -475,14 +475,19 @@ async fn apply_pypi_package_uses_python_crawler() {
     write_root_package_json(tmp.path());
 
     // Pypi crawler discovers a project-local venv via filesystem probing
-    // (`find_local_venv_site_packages` → `.venv/lib/python3.*/site-packages`),
-    // so this is fully deterministic and does NOT depend on a real Python on
-    // PATH. The crawler returns the *site-packages* dir as the package path,
-    // and apply joins it with the patch file key after stripping the
-    // `package/` prefix — so the patch key `package/index.js` resolves to
-    // `<site-packages>/index.js`. Write the source there so apply can
-    // actually patch it.
-    let site_packages = tmp.path().join(".venv/lib/python3.12/site-packages");
+    // (`find_local_venv_site_packages` → `find_site_packages_under`), so this is
+    // fully deterministic and does NOT depend on a real Python on PATH. The
+    // probed layout is platform-specific: `.venv/Lib/site-packages` on Windows,
+    // `.venv/lib/python3.*/site-packages` on Unix — stage whichever this runner
+    // will actually look in. The crawler returns the *site-packages* dir as the
+    // package path, and apply joins it with the patch file key after stripping
+    // the `package/` prefix — so the patch key `package/index.js` resolves to
+    // `<site-packages>/index.js`. Write the source there so apply can patch it.
+    let site_packages = if cfg!(windows) {
+        tmp.path().join(".venv").join("Lib").join("site-packages")
+    } else {
+        tmp.path().join(".venv").join("lib").join("python3.12").join("site-packages")
+    };
     std::fs::create_dir_all(&site_packages).expect("create site-packages");
     std::fs::write(site_packages.join("index.js"), before).expect("write source");
     let dist_info = site_packages.join("pypi_target-1.0.0.dist-info");

crates/socket-patch-cli/tests/ecosystem_dispatch_e2e.rs

@@ -578,14 +578,18 @@ fn fixture_npm(root: &Path) -> RollbackFixture {
     }
 }
 
-/// pypi: `.venv/lib/python3.11/site-packages/` with a matching dist-info.
+/// pypi: a project-local venv `site-packages/` with a matching dist-info.
+/// The crawler probes a platform-specific layout (`find_site_packages_under`):
+/// `.venv/Lib/site-packages` on Windows, `.venv/lib/python3.*/site-packages` on
+/// Unix — stage whichever this runner will actually look in.
 fn fixture_pypi(root: &Path) -> RollbackFixture {
     let purl = "pkg:pypi/__rollback_dispatch__@1.0.0";
-    let sp = root
-        .join(".venv")
-        .join("lib")
-        .join("python3.11")
-        .join("site-packages");
+    let venv = root.join(".venv");
+    let sp = if cfg!(windows) {
+        venv.join("Lib").join("site-packages")
+    } else {
+        venv.join("lib").join("python3.11").join("site-packages")
+    };
     std::fs::create_dir_all(sp.join("__rollback_dispatch__-1.0.0.dist-info")).unwrap();
     std::fs::write(
         sp.join("__rollback_dispatch__-1.0.0.dist-info").join("METADATA"),

crates/socket-patch-cli/tests/in_process_python_envs.rs

@@ -28,6 +28,25 @@ fn write_dist_info(site_packages: &Path, name: &str, version: &str) {
     std::fs::write(pkg.join("__init__.py"), "VERSION = '0'\n").unwrap();
 }
 
+/// Build the `site-packages` path the production crawler actually probes on
+/// this platform: `<venv_root>/Lib/site-packages` on Windows,
+/// `<venv_root>/lib/<py_ver>/site-packages` on Unix (see
+/// `find_site_packages_under` in `python_crawler.rs`). The `py_ver` segment is
+/// Unix-only — Windows venvs have no per-version directory — but it is kept as
+/// a parameter so the python3.12 / python3.13 layout tests still stage (and so
+/// document) the version their names claim on Unix.
+fn venv_site_packages(venv_root: &Path, py_ver: &str) -> std::path::PathBuf {
+    #[cfg(windows)]
+    {
+        let _ = py_ver;
+        venv_root.join("Lib").join("site-packages")
+    }
+    #[cfg(not(windows))]
+    {
+        venv_root.join("lib").join(py_ver).join("site-packages")
+    }
+}
+
 async fn mock_batch_empty(server: &MockServer) {
     Mock::given(method("POST"))
         .and(path(format!("/v0/orgs/{ORG}/patches/batch")))
@@ -111,7 +130,7 @@ fn default_args(cwd: &Path, api_url: String) -> ScanArgs {
 #[serial]
 async fn pypi_venv_layout_discovered() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&site).unwrap();
     write_dist_info(&site, "venv_pkg", "1.0.0");
 
@@ -129,7 +148,7 @@ async fn pypi_venv_layout_discovered() {
 #[serial]
 async fn pypi_venv_python312_layout_discovered() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.12/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.12");
     std::fs::create_dir_all(&site).unwrap();
     write_dist_info(&site, "venv_pkg_312", "1.0.0");
 
@@ -150,7 +169,7 @@ async fn pypi_venv_python312_layout_discovered() {
 #[serial]
 async fn pypi_venv_python313_layout_discovered() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.13/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.13");
     std::fs::create_dir_all(&site).unwrap();
     write_dist_info(&site, "venv_pkg_313", "1.0.0");
 
@@ -184,10 +203,7 @@ async fn pypi_alternate_venv_dir_names() {
         (".env", "pkg:pypi/alt-env@1.0.0", false),
     ] {
         let tmp = tempfile::tempdir().unwrap();
-        let site = tmp
-            .path()
-            .join(venv_name)
-            .join("lib/python3.11/site-packages");
+        let site = venv_site_packages(&tmp.path().join(venv_name), "python3.11");
         std::fs::create_dir_all(&site).unwrap();
         write_dist_info(&site, &format!("alt_{venv_name}"), "1.0.0");
 
@@ -200,7 +216,7 @@ async fn pypi_alternate_venv_dir_names() {
         // `.venv` is found, the early-return short-circuits any host scan,
         // and a clean negative for `env`/`.env` proves they were genuinely
         // skipped rather than never reached.
-        let control_site = tmp.path().join(".venv/lib/python3.11/site-packages");
+        let control_site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
         std::fs::create_dir_all(&control_site).unwrap();
         write_dist_info(&control_site, "alt_control", "9.9.9");
 
@@ -228,7 +244,7 @@ async fn pypi_alternate_venv_dir_names() {
 async fn pypi_virtual_env_env_var_override() {
     let tmp = tempfile::tempdir().unwrap();
     let custom_venv = tmp.path().join("custom-venv");
-    let site = custom_venv.join("lib/python3.11/site-packages");
+    let site = venv_site_packages(&custom_venv, "python3.11");
     std::fs::create_dir_all(&site).unwrap();
     write_dist_info(&site, "venv_override", "1.0.0");
 
@@ -256,7 +272,7 @@ async fn pypi_virtual_env_env_var_override() {
 #[serial]
 async fn pypi_dist_info_only_layout() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&site).unwrap();
     // dist-info dir without a corresponding package source dir.
     let dist = site.join("dist_only-1.0.0.dist-info");
@@ -283,7 +299,7 @@ async fn pypi_dist_info_only_layout() {
 #[serial]
 async fn pypi_canonical_name_normalization() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&site).unwrap();
     // pypi canonicalization: SQLAlchemy → sqlalchemy (lowercase, _ -> -)
     let dist = site.join("SQLAlchemy-2.0.30.dist-info");
@@ -313,11 +329,11 @@ async fn pypi_canonical_name_normalization() {
 async fn pypi_multiple_python_versions_in_venvs() {
     let tmp = tempfile::tempdir().unwrap();
     // .venv with one package
-    let site311 = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let site311 = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&site311).unwrap();
     write_dist_info(&site311, "pkg311", "1.0.0");
     // venv/ with another (the crawler scans both)
-    let site312 = tmp.path().join("venv/lib/python3.12/site-packages");
+    let site312 = venv_site_packages(&tmp.path().join("venv"), "python3.12");
     std::fs::create_dir_all(&site312).unwrap();
     write_dist_info(&site312, "pkg312", "1.0.0");
 
@@ -339,13 +355,13 @@ async fn pypi_multiple_python_versions_in_venvs() {
 async fn pypi_empty_site_packages_safe() {
     let tmp = tempfile::tempdir().unwrap();
     // Empty `.venv` site-packages — no dist-info entries.
-    let empty_site = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let empty_site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&empty_site).unwrap();
     // A second recognized venv (`venv/`) holds exactly one real package.
     // It serves as a positive control: the crawler scans both `.venv` and
     // `venv`, so its discovery proves scanning actually ran. The empty
     // `.venv` must contribute NOTHING on top of it.
-    let control_site = tmp.path().join("venv/lib/python3.11/site-packages");
+    let control_site = venv_site_packages(&tmp.path().join("venv"), "python3.11");
     std::fs::create_dir_all(&control_site).unwrap();
     write_dist_info(&control_site, "only_real", "3.2.1");
 
@@ -378,7 +394,7 @@ async fn pypi_empty_site_packages_safe() {
 #[serial]
 async fn pypi_malformed_metadata_handled_gracefully() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&site).unwrap();
     // dist-info with a METADATA file that has no Name/Version headers.
     // The crawler does NOT skip it: by design it falls back to parsing the
@@ -404,7 +420,7 @@ async fn pypi_malformed_metadata_handled_gracefully() {
 #[serial]
 async fn pypi_egg_info_layout_handled() {
     let tmp = tempfile::tempdir().unwrap();
-    let site = tmp.path().join(".venv/lib/python3.11/site-packages");
+    let site = venv_site_packages(&tmp.path().join(".venv"), "python3.11");
     std::fs::create_dir_all(&site).unwrap();
     // egg-info — older format. The crawler only recognizes `.dist-info`
     // dirs, so the egg-info package is NOT discovered. Pin that current

crates/socket-patch-cli/tests/setup_cargo_invariants.rs

@@ -75,7 +75,16 @@ fn files_under(dir: &Path) -> BTreeSet<String> {
                 if p.is_dir() {
                     walk(base, &p, out);
                 } else {
-                    out.insert(p.strip_prefix(base).unwrap().to_string_lossy().to_string());
+                    // Normalize to forward slashes so relative-path keys are
+                    // platform-stable: on Windows `strip_prefix` yields
+                    // `.cargo\config.toml`, but the assertions compare against
+                    // forward-slash literals like `.cargo/config.toml`.
+                    out.insert(
+                        p.strip_prefix(base)
+                            .unwrap()
+                            .to_string_lossy()
+                            .replace(std::path::MAIN_SEPARATOR, "/"),
+                    );
                 }
             }
         }

crates/socket-patch-cli/tests/setup_contract_gaps.rs

@@ -87,6 +87,10 @@ fn git_sha256(content: &[u8]) -> String {
 // ===========================================================================
 
 #[test]
+// Gap pin (non-blocking, runnable via --ignored): encodes the intended behavior
+// but stays off the blocking CI suite, consistent with the experimental-ecosystem
+// and exclude-placeholder convention. Un-ignore when property 2 ships.
+#[ignore = "gap: setup does not yet honor --ecosystems; see CLI_CONTRACT 'Setup command contract' property 2"]
 fn setup_ecosystems_filter_scopes_work_to_named_ecosystem() {
     let proj = tempfile::tempdir().unwrap();
     let home = tempfile::tempdir().unwrap();
@@ -128,6 +132,8 @@ fn setup_ecosystems_filter_scopes_work_to_named_ecosystem() {
 // ===========================================================================
 
 #[test]
+// Gap pin (non-blocking, runnable via --ignored). Un-ignore when property 4 ships.
+#[ignore = "gap: setup --check does not yet verify on-disk patch consistency; see CLI_CONTRACT 'Setup command contract' property 4"]
 fn setup_check_detects_unapplied_manifest_patch() {
     let proj = tempfile::tempdir().unwrap();
     let home = tempfile::tempdir().unwrap();
@@ -195,6 +201,8 @@ fn setup_check_detects_unapplied_manifest_patch() {
 // ===========================================================================
 
 #[test]
+// Gap pin (non-blocking, runnable via --ignored). Un-ignore when property 7 ships.
+#[ignore = "gap: VEX has no notion of setup state; see CLI_CONTRACT 'Setup command contract' property 7"]
 fn vex_omits_patches_for_unconfigured_ecosystem() {
     let proj = tempfile::tempdir().unwrap();
     let home = tempfile::tempdir().unwrap();
@@ -258,6 +266,8 @@ fn vex_omits_patches_for_unconfigured_ecosystem() {
 
 #[cfg(feature = "cargo")]
 #[test]
+// Gap pin (non-blocking, runnable via --ignored). Un-ignore when the residue is cleaned up.
+#[ignore = "gap: setup --remove leaves an empty .cargo/config.toml; see CLI_CONTRACT 'Setup command contract' property 8"]
 fn setup_remove_cleans_up_cargo_config_it_created() {
     let proj = tempfile::tempdir().unwrap();
     let home = tempfile::tempdir().unwrap();