fix: propagate component-type level dependencies through stack processor

[osterman]

what

• Stack processor now extracts and merges dependencies from global (Scope 1) and component-type (Scope 2) sections
• Component-type level dependencies defined via terraform.dependencies.tools (and helmfile/packer/ansible equivalents) now flow through to component configs
• Toolchain auto-install is now triggered for mixin-pattern dependencies defined at the component-type level
• Dependencies merge chain now includes all 3 scopes: global/component-type → base component → component instance

why

The bug prevented users from configuring dependencies at the component-type level (Scope 2) via mixin patterns like:

terraform:
  dependencies:
    tools:
      terraform: "1.6.0"

The stack processor dropped this data before it reached the toolchain resolver, so auto-install never triggered. Users reported exec: "terraform": executable file not found in $PATH errors when they configured Scope 2 dependencies.

This fix ensures all 3 scopes of dependencies are properly extracted, merged with correct precedence, and propagated through to component sections where the resolver can access them.

references

Fixes the bug discussed in the Slack conversation where Jonathan Rose configured Scope 2 dependencies but toolchain auto-install wasn't triggered.

Changes:

• errors/errors.go: Added 5 sentinel errors for dependencies validation
• internal/exec/stack_processor_process_stacks_helpers.go: Added GlobalDependencies field to ComponentProcessorOptions
• internal/exec/stack_processor_process_stacks.go: Extract and merge dependencies from all 3 scopes, pass through opts builders
• internal/exec/stack_processor_merge.go: Updated merge chain to include global dependencies with lowest priority
• tests/: Added 2 integration tests proving Scope 2 dependencies trigger toolchain auto-install

Summary by CodeRabbit

• New Features

  • Declare dependencies at global, component-type, and component scopes; these are merged with defined precedence and propagated into component processing.

• Chores

  • Added validation error sentinels to surface invalid dependencies sections across component types.

• Tests

  • Added integration fixtures and unit tests covering dependency propagation, precedence, inheritance, binary/toolchain handling, and invalid-section error paths.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds sentinel errors for invalid dependencies sections and wires per-component dependency handling: stack processing now reads global (Scope 1), component-type (Scope 2), and component-instance (Scope 3) dependencies, merges them with defined precedence, exposes merged results via a new GlobalDependencies field, and extends tests/fixtures for Terraform toolchain scenarios.

Changes

Cohort / File(s)	Summary
Error Definitions errors/errors.go	Added sentinel errors: ErrInvalidDependenciesSection, ErrInvalidTerraformDependencies, ErrInvalidHelmfileDependencies, ErrInvalidPackerDependencies, ErrInvalidAnsibleDependencies.
Stack Processor — Read & Wire internal/exec/stack_processor_process_stacks.go	Read and validate global (Scope 1) and component-type (Scope 2) dependency sections for Terraform/Helmfile/Packer/Ansible; merge with component-instance (Scope 3) dependencies and pass merged map via GlobalDependencies in ComponentProcessorOptions.
Dependency Merging Logic internal/exec/stack_processor_merge.go	Include global dependencies as a low-priority source in merge sequence; enforce precedence global → component-type → component-instance.
Options Struct internal/exec/stack_processor_process_stacks_helpers.go	Added GlobalDependencies map[string]any field to ComponentProcessorOptions.
Terraform Test Fixtures tests/fixtures/scenarios/toolchain-terraform-integration/components/terraform/*/main.tf	Added variables environment, test_var and outputs environment, test_var, terraform_version to test Terraform components.
Stack Fixture Configs tests/fixtures/scenarios/toolchain-terraform-integration/stacks/.../mixin-test.yaml, .../override-test.yaml	Added Scope 2 (component-type) and Scope 3 (component-instance) dependency configurations demonstrating inheritance and overrides for Terraform toolchain.
Integration Tests tests/terraform_toolchain_integration_test.go	Added/adjusted integration tests validating Scope 2 propagation, toolchain installation on plan, precedence merging across scopes, and path/binary-location assertions.
Unit Tests — Error Paths internal/exec/stack_processor_process_stacks_test.go	Added error-path unit tests for invalid dependency-section types across terraform/helmfile/packer/ansible and generic dependencies section type errors.
Test Expectations tests/test-cases/toolchain.yaml	Updated expect.diff rules to ignore dynamic date/table lines in test outputs.

Sequence Diagram(s)

sequenceDiagram
    actor Stack as Stack Config
    participant Proc as Stack Processor
    participant Merge as Dependency Merger
    participant Comp as Component Processor

    Stack->>Proc: Load stack YAML
    activate Proc
    Proc->>Proc: Extract global dependencies (Scope 1)
    Proc->>Proc: Extract component-type dependencies (Scope 2)
    Proc->>Proc: Extract component-instance dependencies (Scope 3)
    Proc->>Merge: Merge sources [Global, Component-Type, Component-Instance]
    activate Merge
    Merge->>Merge: Apply precedence: rgba(0,128,255,0.5) Global → rgba(0,200,100,0.5) Component-Type → rgba(255,128,0,0.5) Component-Instance
    Merge-->>Proc: Return merged GlobalDependencies
    deactivate Merge
    Proc->>Comp: Invoke with ComponentProcessorOptions (includes GlobalDependencies)
    activate Comp
    Comp->>Comp: Process component using merged dependencies
    Comp-->>Proc: Return processed component
    deactivate Comp
    Proc-->>Stack: Finish processing
    deactivate Proc

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: add error handling infrastructure with context-aware capabilities #1763 — Modifies sentinel errors in errors/errors.go; overlaps with added ErrInvalid*Dependencies declarations.
• Improve Atmos Auth #1602 — Related stack-processing refactor that introduced component processing patterns this change extends with dependency merging.
• fix: redirect telemetry notice to stderr instead of stdout #1426 — Previously adjusted centralized error sentinels and stack processing validation; shares the same error-surface touched here.

Suggested reviewers

• aknysh

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: propagating component-type level dependencies through the stack processor to fix toolchain auto-install.
Docstring Coverage	✅ Passed	Docstring coverage is 90.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch osterman/fix-auto-tool-install

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

internal/exec/stack_processor_process_stacks.go (1)

343-355: Consider extracting a shared helper for dependency parse+merge.

The same read/validate/merge sequence is repeated four times. A helper would reduce drift risk and keep precedence/error behavior consistent.

♻️ Refactor sketch

+func readAndMergeDependencies(
+	atmosConfig *schema.AtmosConfiguration,
+	stackName string,
+	globalDeps map[string]any,
+	componentSection map[string]any,
+	invalidSectionErr error,
+) (map[string]any, error) {
+	componentDeps := map[string]any{}
+	if i, ok := componentSection[cfg.DependenciesSectionName]; ok {
+		deps, ok := i.(map[string]any)
+		if !ok {
+			return nil, fmt.Errorf(errFormatWithFile, invalidSectionErr, stackName)
+		}
+		componentDeps = deps
+	}
+
+	return m.Merge(atmosConfig, []map[string]any{globalDeps, componentDeps})
+}

Also applies to: 413-425, 483-495, 553-564

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/exec/stack_processor_process_stacks.go` around lines 343 - 355,
Extract a small helper (e.g., parseAndMergeDependencies) that encapsulates the
repeated read/validate/merge sequence: look up the section map (like
globalTerraformSection[cfg.DependenciesSectionName]), assert it to
map[string]any (terraformDependencies), then call m.Merge(atmosConfig,
[]map[string]any{globalDependenciesSection, terraformDependencies}) and return
the merged map or error; replace each duplicated block (the instances using
globalTerraformSection, globalDependenciesSection, terraformDependencies and
calls to m.Merge) with a call to that helper so precedence and error handling
remain consistent across the four locations.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/terraform_toolchain_integration_test.go`:
- Around line 422-423: Replace hardcoded path strings assigned to the workDir
variable and passed to t.Chdir in the three new tests with platform-safe
filepath.Join(...) calls; specifically, update the workDir assignments (the ones
currently using "fixtures/scenarios/toolchain-terraform-integration" and the two
other occurrences referenced) to call filepath.Join("fixtures", "scenarios",
"toolchain-terraform-integration") (and the corresponding folder segments for
the other two tests), keep the subsequent t.Chdir(workDir) calls unchanged, and
add an import for "path/filepath" if not already present so these tests use
cross-platform path separators.

---

Nitpick comments:
In `@internal/exec/stack_processor_process_stacks.go`:
- Around line 343-355: Extract a small helper (e.g., parseAndMergeDependencies)
that encapsulates the repeated read/validate/merge sequence: look up the section
map (like globalTerraformSection[cfg.DependenciesSectionName]), assert it to
map[string]any (terraformDependencies), then call m.Merge(atmosConfig,
[]map[string]any{globalDependenciesSection, terraformDependencies}) and return
the merged map or error; replace each duplicated block (the instances using
globalTerraformSection, globalDependenciesSection, terraformDependencies and
calls to m.Merge) with a call to that helper so precedence and error handling
remain consistent across the four locations.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 314b3d5 and 8fd8589.

📒 Files selected for processing (10)

• errors/errors.go
• internal/exec/stack_processor_merge.go
• internal/exec/stack_processor_process_stacks.go
• internal/exec/stack_processor_process_stacks_helpers.go
• tests/fixtures/scenarios/toolchain-terraform-integration/components/terraform/test-component-inherit/main.tf
• tests/fixtures/scenarios/toolchain-terraform-integration/components/terraform/test-component-mixin/main.tf
• tests/fixtures/scenarios/toolchain-terraform-integration/components/terraform/test-component-override/main.tf
• tests/fixtures/scenarios/toolchain-terraform-integration/stacks/deploy/mixin-test.yaml
• tests/fixtures/scenarios/toolchain-terraform-integration/stacks/deploy/override-test.yaml
• tests/terraform_toolchain_integration_test.go

[codecov]

Codecov Report

❌ Patch coverage is 81.39535% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.58%. Comparing base (4f0f243) to head (92b1642).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/exec/stack_processor_process_stacks.go	80.48%	4 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2127      +/-   ##
==========================================
+ Coverage   76.54%   76.58%   +0.04%     
==========================================
  Files         832      832              
  Lines       79458    79500      +42     
==========================================
+ Hits        60820    60887      +67     
+ Misses      14842    14817      -25     
  Partials     3796     3796              

Flag	Coverage Δ
unittests	76.58% <81.39%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
errors/errors.go	100.00% <ø> (ø)
internal/exec/stack_processor_merge.go	78.94% <100.00%> (+3.74%)	⬆️
...nal/exec/stack_processor_process_stacks_helpers.go	73.33% <ø> (ø)
internal/exec/stack_processor_process_stacks.go	81.55% <80.48%> (+1.24%)	⬆️

... and 5 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/terraform_toolchain_integration_test.go`:
- Around line 501-523: The test currently ignores errors from os.Pipe() and
never closes the read ends (rOut, rErr), risking descriptor leaks and losing
visibility if the test aborts; update the setup around os.Pipe() and
stdout/stderr redirection to check and handle errors returned by os.Pipe(), and
use defer to restore os.Stdout/os.Stderr and to Close() both writer ends (wOut,
wErr) and reader ends (rOut, rErr) so they are closed even on early returns;
keep the exec.ExecuteTerraform(info) call but ensure the defer runs after
assigning os.Stdout/os.Stderr so cleanup always happens, and then read from
rOut/rErr (e.g., via buf.ReadFrom) before returning.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e762b8a and 7dea027.

📒 Files selected for processing (2)

• internal/exec/stack_processor_process_stacks_test.go
• tests/terraform_toolchain_integration_test.go

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tests/terraform_toolchain_integration_test.go (1)

560-634: Prefer a table-driven structure for the precedence scenarios.

This block tests multiple scenarios (override, inherit); converting to table-driven subtests (t.Run) will cut duplication and scale better as precedence cases grow.

♻️ Refactor sketch

-// --- Test component that OVERRIDES Scope 2 at Scope 3 ---
-overrideInfo := ...
-...
-// --- Test component that INHERITS from Scope 1+2 only ---
-inheritInfo := ...
+cases := []struct {
+	name          string
+	component     string
+	expectTF      string
+	expectTFLint  string
+	expectJQ      string
+	expectCheckov bool
+}{
+	{name: "override", component: "test-component-override", expectTF: "1.10.3", expectTFLint: "^0.54.0", expectJQ: "latest", expectCheckov: true},
+	{name: "inherit", component: "test-component-inherit", expectTF: "1.6.0", expectTFLint: "^0.54.0", expectJQ: "latest", expectCheckov: false},
+}
+for _, tc := range cases {
+	tc := tc
+	t.Run(tc.name, func(t *testing.T) {
+		// init config, process stacks, assert merged dependencies
+	})
+}

As per coding guidelines: "Use table-driven tests for testing multiple scenarios in Go."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/terraform_toolchain_integration_test.go` around lines 560 - 634, The
test TestTerraformToolchain_DependencyPrecedence contains two almost-identical
scenarios (override and inherit); refactor it into a table-driven test with
subtests using t.Run to reduce duplication. Create a slice of test cases
describing inputs (ComponentFromArg and expected tool values) and loop over
them, calling cfg.InitCliConfig and exec.ProcessStacks inside each case and
asserting against the case's expected values (use the existing symbols
overrideInfo/inheritInfo only as templates for fields like ComponentFromArg, and
reuse compSection/compSection2 logic inside the loop). Ensure each case has a
descriptive name and keeps the same assertions for tools["terraform"],
tools["tflint"], tools["jq"], and presence/absence of tools["checkov"] so
behavior remains identical.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/terraform_toolchain_integration_test.go`:
- Around line 475-547: The test
TestTerraformToolchain_MixinLevelDependencies_PlanCommand must restore PATH to
avoid leaking state because exec.ExecuteTerraform can mutate process-wide PATH;
capture the current PATH (oldPath := os.Getenv("PATH")) and call
t.Setenv("PATH", oldPath) (using testing.T.Setenv) inside the test before
invoking exec.ExecuteTerraform so the original PATH is automatically restored
after the test finishes; update the test around the exec.ExecuteTerraform call
to use t.Setenv rather than manual os.Setenv/os.Unsetenv.

---

Nitpick comments:
In `@tests/terraform_toolchain_integration_test.go`:
- Around line 560-634: The test TestTerraformToolchain_DependencyPrecedence
contains two almost-identical scenarios (override and inherit); refactor it into
a table-driven test with subtests using t.Run to reduce duplication. Create a
slice of test cases describing inputs (ComponentFromArg and expected tool
values) and loop over them, calling cfg.InitCliConfig and exec.ProcessStacks
inside each case and asserting against the case's expected values (use the
existing symbols overrideInfo/inheritInfo only as templates for fields like
ComponentFromArg, and reuse compSection/compSection2 logic inside the loop).
Ensure each case has a descriptive name and keeps the same assertions for
tools["terraform"], tools["tflint"], tools["jq"], and presence/absence of
tools["checkov"] so behavior remains identical.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7dea027 and f44ddca.

📒 Files selected for processing (1)

• tests/terraform_toolchain_integration_test.go

[coderabbitai]

🧹 Nitpick comments (1)

tests/terraform_toolchain_integration_test.go (1)

569-637: Convert precedence scenarios to a table-driven test.

The two scenario blocks are nearly identical; a table-driven subtest matrix will reduce duplication and make future precedence cases easier to add.

♻️ Refactor sketch

- // --- Test component that OVERRIDES Scope 2 at Scope 3 ---
- overrideInfo := schema.ConfigAndStacksInfo{...}
- ...
- // --- Test component that INHERITS from Scope 1+2 only ---
- inheritInfo := schema.ConfigAndStacksInfo{...}
- ...
+ cases := []struct {
+   name          string
+   component     string
+   wantTerraform string
+   wantTflint    string
+   wantJQ        string
+   wantCheckov   bool
+ }{
+   {"override", "test-component-override", "1.10.3", "^0.54.0", "latest", true},
+   {"inherit", "test-component-inherit", "1.6.0", "^0.54.0", "latest", false},
+ }
+
+ for _, tc := range cases {
+   t.Run(tc.name, func(t *testing.T) {
+     info := schema.ConfigAndStacksInfo{
+       Stack:            "override-test",
+       ComponentType:    "terraform",
+       ComponentFromArg: tc.component,
+       SubCommand:       "plan",
+     }
+     atmosConfig, err := cfg.InitCliConfig(info, true)
+     require.NoError(t, err)
+     info, err = exec.ProcessStacks(&atmosConfig, info, true, false, false, nil, nil)
+     require.NoError(t, err)
+
+     deps := info.ComponentSection["dependencies"].(map[string]any)
+     tools := deps["tools"].(map[string]any)
+     assert.Equal(t, tc.wantTerraform, tools["terraform"])
+     assert.Equal(t, tc.wantTflint, tools["tflint"])
+     assert.Equal(t, tc.wantJQ, tools["jq"])
+     _, hasCheckov := tools["checkov"]
+     assert.Equal(t, tc.wantCheckov, hasCheckov)
+   })
+ }

As per coding guidelines: "Use table-driven tests for testing multiple scenarios in Go."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/terraform_toolchain_integration_test.go` around lines 569 - 637, The
test duplicates two very similar scenarios (overrideInfo and inheritInfo) —
refactor into a table-driven test; create a slice of test cases each containing
fields for ComponentFromArg and expected tools map, then iterate with t.Run per
case and reuse the existing setup: call cfg.InitCliConfig with a
ConfigAndStacksInfo, call exec.ProcessStacks, extract ComponentSection and
dependencies/tools and assert expectations; reference the existing symbols
overrideInfo/inheritInfo only to map their values into table entries, and keep
calls to cfg.InitCliConfig, exec.ProcessStacks, compSection, deps/tools and the
same assertions but driven by the per-case expected values.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/terraform_toolchain_integration_test.go`:
- Around line 569-637: The test duplicates two very similar scenarios
(overrideInfo and inheritInfo) — refactor into a table-driven test; create a
slice of test cases each containing fields for ComponentFromArg and expected
tools map, then iterate with t.Run per case and reuse the existing setup: call
cfg.InitCliConfig with a ConfigAndStacksInfo, call exec.ProcessStacks, extract
ComponentSection and dependencies/tools and assert expectations; reference the
existing symbols overrideInfo/inheritInfo only to map their values into table
entries, and keep calls to cfg.InitCliConfig, exec.ProcessStacks, compSection,
deps/tools and the same assertions but driven by the per-case expected values.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f44ddca and 9eda426.

📒 Files selected for processing (1)

• tests/terraform_toolchain_integration_test.go

[github-actions]

These changes were released in v1.208.1-rc.0.