fix: address remaining CodeRabbit findings on PR #6

- network: add shared http_client() helper with bounded
  connect_timeout + total timeout; replace bare Client::new()
- network: stream tarball into a tempfile and extract from there
  so peak memory no longer scales with archive size
- update: use saturating_sub for the 24h throttle so a future
  guard timestamp (clock skew, restored snapshot, manual edit)
  cannot underflow and disable the check
- ls_remote: make the version-prefix filter segment-aware so
  "8.2" no longer matches "8.20.x"
- install: do not wipe a pre-existing version dir if a follow-up
  package install fails; only the cli package is offered for
  immediate "use now"
- shell: shell-escape values in set_env_var/path via single-quote
  quoting so embedded "$, backticks, quotes in PVM_DIR cannot
  break eval; add coverage for hostile inputs
- docs: GEMINI.md uses canonical macOS casing

Author: Fahl-Design

Cargo.toml

@@ -26,6 +26,7 @@ semver = "1.0.28"
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.149"
 tar = "0.4.45"
+tempfile = "3.27.0"
 tokio = { version = "1.52.1", features = ["full"] }
 
 [dev-dependencies]

GEMINI.md

@@ -28,7 +28,7 @@ When running `git commit -m "..."` in the shell (like Zsh/Bash), backticks are i
 
 ### static-php-cli Integration
 - **Endpoint:** `https://dl.static-php.dev/static-php-cli/bulk/`
-- **Supported OS:** `linux`, `macos`.
+- **Supported OS:** `linux`, `macOS`.
 - **Supported Arch:** `x86_64`, `aarch64`.
 - **Packages:** `cli`, `fpm`, `micro`.
 - **Format:** `tar.gz` only.

src/commands/install.rs

@@ -59,6 +59,7 @@ pub async fn execute_install(version: &str) -> Result<()> {
         .collect();
 
     let dest = versions_dir.join(&resolved_version);
+    let dest_existed = dest.exists();
     std::fs::create_dir_all(&dest)?;
 
     for package in &selected_packages {
@@ -69,8 +70,11 @@ pub async fn execute_install(version: &str) -> Result<()> {
             package
         );
         if let Err(e) = network::download_and_extract(&resolved_version, package, &dest).await {
-            // Atomic install: any package failure removes the entire version dir
-            std::fs::remove_dir_all(&dest).ok();
+            // Only wipe the dest if it didn't exist before this install attempt;
+            // a pre-existing install must not be destroyed by a follow-up failure.
+            if !dest_existed {
+                std::fs::remove_dir_all(&dest).ok();
+            }
             anyhow::bail!(
                 "Failed to install PHP {} (package {}): {}",
                 resolved_version,
@@ -88,17 +92,19 @@ pub async fn execute_install(version: &str) -> Result<()> {
         resolved_version
     );
 
-    // Ask user if they want to use it right away
-    let use_now = dialoguer::Confirm::with_theme(&theme)
-        .with_prompt(
-            format!("Do you want to use PHP {} now?", resolved_version)
-                .bold()
-                .to_string(),
-        )
-        .default(true)
-        .interact_opt()
-        .unwrap_or(Some(false))
-        .unwrap_or(false);
+    // Only the cli package places a `php` binary on PATH; without it, switching is meaningless.
+    let cli_selected = selected_packages.iter().any(|p| p == "cli");
+    let use_now = cli_selected
+        && dialoguer::Confirm::with_theme(&theme)
+            .with_prompt(
+                format!("Do you want to use PHP {} now?", resolved_version)
+                    .bold()
+                    .to_string(),
+            )
+            .default(true)
+            .interact_opt()
+            .unwrap_or(Some(false))
+            .unwrap_or(false);
 
     if use_now {
         let v = crate::fs::resolve_local_version(&resolved_version)?;
@@ -124,6 +130,11 @@ pub async fn execute_install(version: &str) -> Result<()> {
             }
         }
         println!("{} Switched to PHP {}", "✓".green(), v.bold());
+    } else if !cli_selected {
+        println!(
+            "{} The 'cli' package was not selected; this version cannot be activated via PATH.",
+            "💡".yellow()
+        );
     } else {
         println!(
             "{} To use this version later, run `{}`",

src/commands/ls_remote.rs

@@ -16,7 +16,7 @@ impl LsRemote {
         let mut versions_info = network::get_available_versions().await?;
 
         if let Some(prefix) = &self.version_prefix {
-            versions_info.retain(|(v, _)| v.starts_with(prefix) || v == prefix);
+            versions_info.retain(|(v, _)| v == prefix || v.starts_with(&format!("{}.", prefix)));
         }
 
         if versions_info.is_empty() {

src/network.rs

@@ -11,10 +11,20 @@ use tar::Archive;
 use colored::Colorize;
 use indicatif::{ProgressBar, ProgressStyle};
 use std::fs::File;
-use std::io::{Read, Write};
+use std::io::{Read, Seek, SeekFrom, Write};
 use std::time::Duration;
 
 const CACHE_DURATION: Duration = Duration::from_secs(24 * 60 * 60); // 24 hours
+const HTTP_CONNECT_TIMEOUT: Duration = Duration::from_secs(10);
+const HTTP_REQUEST_TIMEOUT: Duration = Duration::from_secs(300);
+
+fn http_client() -> Result<Client> {
+    Client::builder()
+        .connect_timeout(HTTP_CONNECT_TIMEOUT)
+        .timeout(HTTP_REQUEST_TIMEOUT)
+        .build()
+        .context("Failed to initialize HTTP client")
+}
 
 #[derive(Deserialize)]
 struct RemoteFile {
@@ -72,7 +82,7 @@ pub async fn get_available_versions() -> Result<Vec<(String, Vec<String>)>> {
     spinner.set_message("Fetching...");
     spinner.enable_steady_tick(Duration::from_millis(100));
 
-    let client = Client::new();
+    let client = http_client()?;
     let json_url = format!("{}?format=json", BASE_URL);
     let res = client
         .get(json_url)
@@ -194,7 +204,7 @@ pub async fn download_and_extract(
         "{}php-{}-{}-{}.tar.gz",
         BASE_URL, resolved_version, package, target
     );
-    let client = Client::new();
+    let client = http_client()?;
     let response = client
         .get(&url)
         .send()
@@ -222,19 +232,24 @@ pub async fn download_and_extract(
         pb
     };
 
+    // Stream the archive into a temp file to avoid materializing the whole tarball in memory.
+    let mut tmp = tempfile::tempfile().context("Failed to create temporary archive file")?;
+    let mut downloaded: u64 = 0;
     let mut stream = response.bytes_stream();
-    let mut buffer = Vec::new();
-
     while let Some(item) = stream.next().await {
         let chunk = item.context("Error while downloading chunk")?;
-        buffer.extend_from_slice(&chunk);
-        pb.set_position(buffer.len() as u64);
+        tmp.write_all(&chunk)
+            .context("Failed to write archive chunk to temp file")?;
+        downloaded += chunk.len() as u64;
+        pb.set_position(downloaded);
     }
+    tmp.flush().context("Failed to flush temp archive file")?;
+    tmp.seek(SeekFrom::Start(0))
+        .context("Failed to rewind temp archive file")?;
 
     pb.finish_with_message(format!("Downloaded package {}", package));
 
-    let cursor = std::io::Cursor::new(buffer);
-    let tar = GzDecoder::new(cursor);
+    let tar = GzDecoder::new(tmp);
     let mut archive = Archive::new(tar);
 
     let bin_dir = dest.join("bin");

src/shell.rs

@@ -8,15 +8,49 @@ pub trait Shell {
     fn wrapper_fn(&self) -> String;
 }
 
+/// Quote a string for POSIX shells (bash/zsh) by wrapping it in single quotes
+/// and escaping any embedded single quotes via the `'\''` idiom.
+fn posix_single_quote(value: &str) -> String {
+    let mut out = String::with_capacity(value.len() + 2);
+    out.push('\'');
+    for c in value.chars() {
+        if c == '\'' {
+            out.push_str("'\\''");
+        } else {
+            out.push(c);
+        }
+    }
+    out.push('\'');
+    out
+}
+
+/// Quote a string for fish by wrapping it in single quotes and escaping `\` and `'`.
+fn fish_single_quote(value: &str) -> String {
+    let mut out = String::with_capacity(value.len() + 2);
+    out.push('\'');
+    for c in value.chars() {
+        match c {
+            '\\' => out.push_str("\\\\"),
+            '\'' => out.push_str("\\'"),
+            other => out.push(other),
+        }
+    }
+    out.push('\'');
+    out
+}
+
 pub struct Bash;
 
 impl Shell for Bash {
     fn path(&self, path: &Path) -> String {
-        format!("export PATH=\"{}:$PATH\"", path.display())
+        format!(
+            "export PATH={}:\"$PATH\"",
+            posix_single_quote(&path.display().to_string())
+        )
     }
 
     fn set_env_var(&self, name: &str, value: &str) -> String {
-        format!("export {}=\"{}\"", name, value)
+        format!("export {}={}", name, posix_single_quote(value))
     }
 
     fn use_on_cd(&self) -> String {
@@ -70,11 +104,14 @@ pub struct Zsh;
 
 impl Shell for Zsh {
     fn path(&self, path: &Path) -> String {
-        format!("export PATH=\"{}:$PATH\"", path.display())
+        format!(
+            "export PATH={}:\"$PATH\"",
+            posix_single_quote(&path.display().to_string())
+        )
     }
 
     fn set_env_var(&self, name: &str, value: &str) -> String {
-        format!("export {}=\"{}\"", name, value)
+        format!("export {}={}", name, posix_single_quote(value))
     }
 
     fn use_on_cd(&self) -> String {
@@ -125,11 +162,14 @@ pub struct Fish;
 
 impl Shell for Fish {
     fn path(&self, path: &Path) -> String {
-        format!("set -gx PATH \"{}\" $PATH", path.display())
+        format!(
+            "set -gx PATH {} $PATH",
+            fish_single_quote(&path.display().to_string())
+        )
     }
 
     fn set_env_var(&self, name: &str, value: &str) -> String {
-        format!("set -gx {} \"{}\"", name, value)
+        format!("set -gx {} {}", name, fish_single_quote(value))
     }
 
     fn use_on_cd(&self) -> String {
@@ -197,7 +237,7 @@ mod tests {
         let path = std::path::Path::new("/home/user/.local/share/pvm/versions/8.3.1/bin");
         assert_eq!(
             bash.path(path),
-            "export PATH=\"/home/user/.local/share/pvm/versions/8.3.1/bin:$PATH\""
+            "export PATH='/home/user/.local/share/pvm/versions/8.3.1/bin':\"$PATH\""
         );
     }
 
@@ -206,7 +246,16 @@ mod tests {
         let bash = Bash;
         assert_eq!(
             bash.set_env_var("PVM_MULTISHELL_PATH", "/some/path"),
-            "export PVM_MULTISHELL_PATH=\"/some/path\""
+            "export PVM_MULTISHELL_PATH='/some/path'"
+        );
+    }
+
+    #[test]
+    fn test_bash_set_env_escapes_special_chars() {
+        let bash = Bash;
+        assert_eq!(
+            bash.set_env_var("X", "evil$(whoami)`id`\"$PATH\"'quote"),
+            "export X='evil$(whoami)`id`\"$PATH\"'\\''quote'"
         );
     }
 
@@ -216,7 +265,7 @@ mod tests {
         let path = std::path::Path::new("/home/user/.local/share/pvm/versions/8.3.1/bin");
         assert_eq!(
             zsh.path(path),
-            "export PATH=\"/home/user/.local/share/pvm/versions/8.3.1/bin:$PATH\""
+            "export PATH='/home/user/.local/share/pvm/versions/8.3.1/bin':\"$PATH\""
         );
     }
 
@@ -226,7 +275,13 @@ mod tests {
         let path = std::path::Path::new("/home/user/.local/share/pvm/versions/8.3.1/bin");
         assert_eq!(
             fish.path(path),
-            "set -gx PATH \"/home/user/.local/share/pvm/versions/8.3.1/bin\" $PATH"
+            "set -gx PATH '/home/user/.local/share/pvm/versions/8.3.1/bin' $PATH"
         );
     }
+
+    #[test]
+    fn test_fish_set_env_escapes_special_chars() {
+        let fish = Fish;
+        assert_eq!(fish.set_env_var("X", "a'b\\c"), "set -gx X 'a\\'b\\\\c'");
+    }
 }

src/update.rs

@@ -30,7 +30,7 @@ pub async fn check_for_updates(target_version: &str) -> Result<Option<String>> {
     let now = SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs();
     if !contents.is_empty()
         && let Ok(last_check) = contents.trim().parse::<u64>()
-        && now - last_check < 86400
+        && now.saturating_sub(last_check) < 86400
     {
         file.unlock().ok();
         return Ok(None);