fixes

pkg/vcs/credentials.go

@@ -0,0 +1,247 @@
+package vcs
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/rs/zerolog/log"
+)
+
+// CredentialStore manages git credentials for different repository patterns
+type CredentialStore struct {
+	credentials []CredentialEntry
+}
+
+// CredentialEntry represents credentials for a specific pattern
+type CredentialEntry struct {
+	Pattern  string `json:"pattern"`  // Glob pattern: "github.com/myorg/*"
+	Host     string `json:"host"`     // Git host: "github.com"
+	Username string `json:"username"` // Usually "oauth2" for tokens
+	Token    string `json:"token"`    // Access token
+	Fallback bool   `json:"fallback"` // Use as fallback if no match
+}
+
+// CredentialConfig represents the JSON configuration format
+type CredentialConfig struct {
+	Credentials []CredentialEntry `json:"credentials"`
+}
+
+// NewCredentialStore creates a new credential store
+func NewCredentialStore() *CredentialStore {
+	return &CredentialStore{
+		credentials: make([]CredentialEntry, 0),
+	}
+}
+
+// LoadFromFile loads credentials from a JSON file
+func (cs *CredentialStore) LoadFromFile(path string) error {
+	if path == "" {
+		log.Debug().Msg("No credential file specified, using system git config")
+		return nil
+	}
+
+	// Check if file exists
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		log.Warn().Str("path", path).Msg("Credential file not found, using system git config")
+		return nil
+	}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return fmt.Errorf("failed to read credential file: %w", err)
+	}
+
+	var config CredentialConfig
+	if err := json.Unmarshal(data, &config); err != nil {
+		return fmt.Errorf("failed to parse credential file: %w", err)
+	}
+
+	cs.credentials = config.Credentials
+
+	log.Info().
+		Str("file", path).
+		Int("credentials", len(cs.credentials)).
+		Msg("Loaded git credentials from file")
+
+	// Log patterns (not tokens!) for debugging
+	for i, cred := range cs.credentials {
+		log.Debug().
+			Int("index", i).
+			Str("pattern", cred.Pattern).
+			Str("host", cred.Host).
+			Bool("fallback", cred.Fallback).
+			Msg("Registered credential pattern")
+	}
+
+	return nil
+}
+
+// GetCredentialsForModule finds the best matching credentials for a module path
+// Returns (username, token, found)
+func (cs *CredentialStore) GetCredentialsForModule(modulePath string) (string, string, bool) {
+	if len(cs.credentials) == 0 {
+		// No credentials configured, rely on system git config
+		return "", "", false
+	}
+
+	// Find best match
+	var bestMatch *CredentialEntry
+	var fallbackMatch *CredentialEntry
+	bestMatchLen := 0
+
+	for i := range cs.credentials {
+		cred := &cs.credentials[i]
+
+		// Check for fallback
+		if cred.Fallback {
+			fallbackMatch = cred
+			continue
+		}
+
+		// Check if pattern matches
+		if cs.matchPattern(cred.Pattern, modulePath) {
+			// Use longest matching pattern (most specific)
+			if len(cred.Pattern) > bestMatchLen {
+				bestMatch = cred
+				bestMatchLen = len(cred.Pattern)
+			}
+		}
+	}
+
+	// Use best match if found
+	if bestMatch != nil {
+		log.Debug().
+			Str("module", modulePath).
+			Str("pattern", bestMatch.Pattern).
+			Str("host", bestMatch.Host).
+			Msg("Matched credential pattern")
+		return bestMatch.Username, bestMatch.Token, true
+	}
+
+	// Use fallback if available
+	if fallbackMatch != nil {
+		log.Debug().
+			Str("module", modulePath).
+			Str("pattern", fallbackMatch.Pattern).
+			Msg("Using fallback credentials")
+		return fallbackMatch.Username, fallbackMatch.Token, true
+	}
+
+	// No match found
+	log.Debug().
+		Str("module", modulePath).
+		Msg("No credential pattern matched, using system git config")
+	return "", "", false
+}
+
+// matchPattern checks if a module path matches a credential pattern
+// Supports glob-style patterns:
+//   - github.com/myorg/* matches github.com/myorg/repo1, github.com/myorg/repo2
+//   - github.com/myorg/repo matches exactly github.com/myorg/repo
+//   - * matches everything
+func (cs *CredentialStore) matchPattern(pattern, modulePath string) bool {
+	// Exact match
+	if pattern == modulePath {
+		return true
+	}
+
+	// Wildcard match all
+	if pattern == "*" {
+		return true
+	}
+
+	// Glob-style matching
+	matched, err := filepath.Match(pattern, modulePath)
+	if err != nil {
+		log.Warn().Err(err).Str("pattern", pattern).Msg("Invalid pattern")
+		return false
+	}
+
+	if matched {
+		return true
+	}
+
+	// Prefix matching with /*
+	if strings.HasSuffix(pattern, "/*") {
+		prefix := strings.TrimSuffix(pattern, "/*")
+		return strings.HasPrefix(modulePath, prefix+"/")
+	}
+
+	return false
+}
+
+// CreateNetrcContent creates .netrc file content for a specific host
+func (cs *CredentialStore) CreateNetrcContent(host, username, token string) string {
+	return fmt.Sprintf("machine %s\nlogin %s\npassword %s\n", host, username, token)
+}
+
+// GetCredentialsForHost finds credentials for a specific git host (e.g., "github.com")
+// This is useful when you need credentials for a host but don't have a full module path
+func (cs *CredentialStore) GetCredentialsForHost(host string) (string, string, bool) {
+	if len(cs.credentials) == 0 {
+		return "", "", false
+	}
+
+	// Look for exact host match first
+	for i := range cs.credentials {
+		cred := &cs.credentials[i]
+		if cred.Host == host && !cred.Fallback {
+			log.Debug().
+				Str("host", host).
+				Str("pattern", cred.Pattern).
+				Msg("Found credentials for host")
+			return cred.Username, cred.Token, true
+		}
+	}
+
+	// Try fallback
+	for i := range cs.credentials {
+		cred := &cs.credentials[i]
+		if cred.Fallback {
+			log.Debug().
+				Str("host", host).
+				Msg("Using fallback credentials for host")
+			return cred.Username, cred.Token, true
+		}
+	}
+
+	return "", "", false
+}
+
+// ValidateConfig validates the credential configuration
+func (cs *CredentialStore) ValidateConfig() error {
+	hostPatterns := make(map[string]bool)
+
+	for i, cred := range cs.credentials {
+		// Check required fields
+		if cred.Pattern == "" {
+			return fmt.Errorf("credential entry %d: pattern is required", i)
+		}
+		if cred.Host == "" && cred.Pattern != "*" {
+			return fmt.Errorf("credential entry %d: host is required (pattern: %s)", i, cred.Pattern)
+		}
+		if cred.Token == "" {
+			return fmt.Errorf("credential entry %d: token is required (pattern: %s)", i, cred.Pattern)
+		}
+
+		// Set default username if not provided
+		if cred.Username == "" {
+			cs.credentials[i].Username = "oauth2"
+		}
+
+		// Check for duplicate patterns
+		key := cred.Pattern + ":" + cred.Host
+		if hostPatterns[key] && !cred.Fallback {
+			log.Warn().
+				Str("pattern", cred.Pattern).
+				Str("host", cred.Host).
+				Msg("Duplicate credential pattern, last one wins")
+		}
+		hostPatterns[key] = true
+	}
+
+	return nil
+}

pkg/vcs/git.go

@@ -0,0 +1,283 @@
+package vcs
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog/log"
+)
+
+// GitFetcher handles git repository operations
+type GitFetcher struct {
+	workDir     string
+	timeout     time.Duration
+	credStore   *CredentialStore
+}
+
+// NewGitFetcher creates a new git fetcher
+func NewGitFetcher(workDir string, credStore *CredentialStore) *GitFetcher {
+	if workDir == "" {
+		workDir = os.TempDir()
+	}
+
+	if credStore == nil {
+		credStore = NewCredentialStore()
+	}
+
+	return &GitFetcher{
+		workDir:   workDir,
+		timeout:   30 * time.Second,
+		credStore: credStore,
+	}
+}
+
+// FetchModule clones a git repository and checks out a specific version
+// Returns the path to the checked-out source directory
+func (g *GitFetcher) FetchModule(ctx context.Context, modulePath, version, credentials string) (string, error) {
+	// Create context with timeout
+	ctx, cancel := context.WithTimeout(ctx, g.timeout)
+	defer cancel()
+
+	// Parse module path to extract repository URL
+	repoURL, err := g.modulePathToRepoURL(modulePath)
+	if err != nil {
+		return "", err
+	}
+
+	// Create temporary directory for this clone
+	cloneDir, err := os.MkdirTemp(g.workDir, "gohoarder-git-*")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
+
+	log.Debug().
+		Str("module", modulePath).
+		Str("version", version).
+		Str("repo_url", repoURL).
+		Str("clone_dir", cloneDir).
+		Msg("Fetching module from git")
+
+	// Set up credentials
+	credentialHelper, cleanup, err := g.setupCredentials(repoURL, modulePath, credentials)
+	if err != nil {
+		os.RemoveAll(cloneDir)
+		return "", fmt.Errorf("failed to setup credentials: %w", err)
+	}
+	defer cleanup()
+
+	// Try shallow clone with specific version first (fastest)
+	if err := g.shallowClone(ctx, repoURL, version, cloneDir, credentialHelper); err != nil {
+		log.Debug().Err(err).Msg("Shallow clone failed, trying full clone")
+
+		// Fallback to full clone
+		if err := g.fullClone(ctx, repoURL, cloneDir, credentialHelper); err != nil {
+			os.RemoveAll(cloneDir)
+			return "", fmt.Errorf("git clone failed: %w", err)
+		}
+
+		// Checkout specific version
+		if err := g.checkout(ctx, cloneDir, version); err != nil {
+			os.RemoveAll(cloneDir)
+			return "", fmt.Errorf("git checkout failed: %w", err)
+		}
+	}
+
+	log.Debug().
+		Str("module", modulePath).
+		Str("version", version).
+		Str("path", cloneDir).
+		Msg("Successfully fetched module from git")
+
+	return cloneDir, nil
+}
+
+// modulePathToRepoURL converts a Go module path to a git repository URL
+// Examples:
+//   github.com/user/repo → https://github.com/user/repo.git
+//   gitlab.com/group/project → https://gitlab.com/group/project.git
+func (g *GitFetcher) modulePathToRepoURL(modulePath string) (string, error) {
+	// Remove any path components after the repository
+	// e.g., github.com/user/repo/v2 → github.com/user/repo
+	parts := strings.Split(modulePath, "/")
+	if len(parts) < 3 {
+		return "", fmt.Errorf("invalid module path: %s", modulePath)
+	}
+
+	// For github.com, gitlab.com, bitbucket.org, etc.
+	// Format: host/owner/repo
+	host := parts[0]
+	owner := parts[1]
+	repo := parts[2]
+
+	// Remove version suffix if present (e.g., /v2, /v3)
+	repo = strings.TrimPrefix(repo, "v")
+	if strings.HasPrefix(repo, "2") || strings.HasPrefix(repo, "3") {
+		// This might be a version suffix, but we need to be careful
+		// For now, keep it as-is
+	}
+
+	repoURL := fmt.Sprintf("https://%s/%s/%s.git", host, owner, repo)
+	return repoURL, nil
+}
+
+// setupCredentials configures git credentials for authentication
+// Returns credential helper configuration and cleanup function
+func (g *GitFetcher) setupCredentials(repoURL, modulePath, credentials string) (map[string]string, func(), error) {
+	env := make(map[string]string)
+	cleanup := func() {}
+
+	// Priority 1: Check credential store for pattern-based credentials
+	if g.credStore != nil {
+		username, token, found := g.credStore.GetCredentialsForModule(modulePath)
+		if found {
+			log.Debug().
+				Str("module", modulePath).
+				Msg("Using credentials from credential store")
+			return g.createTempNetrc(repoURL, username, token)
+		}
+	}
+
+	// Priority 2: Use credentials from HTTP Authorization header (if provided)
+	if credentials != "" {
+		log.Debug().Msg("Using credentials from Authorization header")
+		return g.createTempNetrcFromHeader(repoURL, credentials)
+	}
+
+	// Priority 3: Rely on system git config (.netrc, etc.)
+	log.Debug().Msg("No credentials provided, using system git config")
+	return env, cleanup, nil
+}
+
+// createTempNetrc creates a temporary .netrc file with the provided credentials
+func (g *GitFetcher) createTempNetrc(repoURL, username, token string) (map[string]string, func(), error) {
+	// Create temporary .netrc file
+	tempDir, err := os.MkdirTemp("", "gohoarder-netrc-*")
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create temp netrc directory: %w", err)
+	}
+
+	// Extract host from repo URL
+	host := g.extractHost(repoURL)
+
+	// Create .netrc file
+	netrcPath := filepath.Join(tempDir, ".netrc")
+	netrcContent := fmt.Sprintf("machine %s\nlogin %s\npassword %s\n", host, username, token)
+	if err := os.WriteFile(netrcPath, []byte(netrcContent), 0600); err != nil {
+		os.RemoveAll(tempDir)
+		return nil, nil, fmt.Errorf("failed to write .netrc: %w", err)
+	}
+
+	env := map[string]string{
+		"HOME":                tempDir,
+		"GIT_TERMINAL_PROMPT": "0",
+	}
+
+	cleanup := func() {
+		os.RemoveAll(tempDir)
+	}
+
+	log.Debug().Str("host", host).Msg("Created temporary .netrc for git authentication")
+
+	return env, cleanup, nil
+}
+
+// createTempNetrcFromHeader creates a temporary .netrc from Authorization header credentials
+func (g *GitFetcher) createTempNetrcFromHeader(repoURL, credentials string) (map[string]string, func(), error) {
+	// Extract token from credentials
+	token := strings.TrimPrefix(credentials, "Bearer ")
+	token = strings.TrimPrefix(token, "Token ")
+	token = strings.TrimPrefix(token, "Private-Token ")
+
+	if token == "" || token == credentials {
+		// Not in expected format, rely on system config
+		log.Debug().Msg("Credentials not in Bearer/Token format, using system git config")
+		return make(map[string]string), func() {}, nil
+	}
+
+	// Use oauth2 as default username for token-based auth
+	return g.createTempNetrc(repoURL, "oauth2", token)
+}
+
+// extractHost extracts the git host from a repository URL
+func (g *GitFetcher) extractHost(repoURL string) string {
+	if strings.Contains(repoURL, "github.com") {
+		return "github.com"
+	}
+	if strings.Contains(repoURL, "gitlab.com") {
+		return "gitlab.com"
+	}
+	if strings.Contains(repoURL, "bitbucket.org") {
+		return "bitbucket.org"
+	}
+
+	// Generic extraction
+	parts := strings.Split(repoURL, "/")
+	if len(parts) >= 3 {
+		return strings.TrimPrefix(parts[2], "//")
+	}
+
+	return ""
+}
+
+// shallowClone performs a shallow clone of a specific version
+func (g *GitFetcher) shallowClone(ctx context.Context, repoURL, version, cloneDir string, credentialHelper map[string]string) error {
+	cmd := exec.CommandContext(ctx, "git", "clone", "--depth", "1", "--branch", version, repoURL, cloneDir)
+	cmd.Env = append(os.Environ(), g.envMapToSlice(credentialHelper)...)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("shallow clone failed: %w (output: %s)", err, string(output))
+	}
+
+	return nil
+}
+
+// fullClone performs a full clone of the repository
+func (g *GitFetcher) fullClone(ctx context.Context, repoURL, cloneDir string, credentialHelper map[string]string) error {
+	cmd := exec.CommandContext(ctx, "git", "clone", repoURL, cloneDir)
+	cmd.Env = append(os.Environ(), g.envMapToSlice(credentialHelper)...)
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("full clone failed: %w (output: %s)", err, string(output))
+	}
+
+	return nil
+}
+
+// checkout checks out a specific version (tag, branch, or commit)
+func (g *GitFetcher) checkout(ctx context.Context, repoDir, version string) error {
+	cmd := exec.CommandContext(ctx, "git", "checkout", version)
+	cmd.Dir = repoDir
+	cmd.Env = append(os.Environ(), "GIT_TERMINAL_PROMPT=0")
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("checkout failed: %w (output: %s)", err, string(output))
+	}
+
+	return nil
+}
+
+// envMapToSlice converts environment map to slice
+func (g *GitFetcher) envMapToSlice(envMap map[string]string) []string {
+	var env []string
+	for k, v := range envMap {
+		env = append(env, fmt.Sprintf("%s=%s", k, v))
+	}
+	return env
+}
+
+// Cleanup removes temporary directories
+func (g *GitFetcher) Cleanup(paths ...string) {
+	for _, path := range paths {
+		if err := os.RemoveAll(path); err != nil {
+			log.Warn().Err(err).Str("path", path).Msg("Failed to cleanup temporary directory")
+		}
+	}
+}

pkg/vcs/module.go

@@ -0,0 +1,252 @@
+package vcs
+
+import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog/log"
+)
+
+// ModuleBuilder builds Go module artifacts from source
+type ModuleBuilder struct{}
+
+// NewModuleBuilder creates a new module builder
+func NewModuleBuilder() *ModuleBuilder {
+	return &ModuleBuilder{}
+}
+
+// ModuleInfo represents Go module version metadata (.info file)
+type ModuleInfo struct {
+	Version string    `json:"Version"`
+	Time    time.Time `json:"Time"`
+}
+
+// BuildModuleZip creates a Go module zip from source directory
+// Follows the Go module zip format specification: https://go.dev/ref/mod#zip-files
+func (b *ModuleBuilder) BuildModuleZip(ctx context.Context, srcPath, modulePath, version string) (io.ReadCloser, error) {
+	log.Debug().
+		Str("src_path", srcPath).
+		Str("module", modulePath).
+		Str("version", version).
+		Msg("Building module zip")
+
+	// Create in-memory zip
+	var buf bytes.Buffer
+	zipWriter := zip.NewWriter(&buf)
+
+	// Collect all files to include in zip
+	files, err := b.collectFiles(srcPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to collect files: %w", err)
+	}
+
+	// Sort files for deterministic zip
+	sort.Strings(files)
+
+	// Add files to zip with proper prefix
+	prefix := fmt.Sprintf("%s@%s/", modulePath, version)
+	for _, relPath := range files {
+		if err := b.addFileToZip(zipWriter, srcPath, relPath, prefix); err != nil {
+			zipWriter.Close()
+			return nil, fmt.Errorf("failed to add file %s: %w", relPath, err)
+		}
+	}
+
+	if err := zipWriter.Close(); err != nil {
+		return nil, fmt.Errorf("failed to close zip writer: %w", err)
+	}
+
+	log.Debug().
+		Str("module", modulePath).
+		Str("version", version).
+		Int("files", len(files)).
+		Int("size", buf.Len()).
+		Msg("Successfully built module zip")
+
+	return io.NopCloser(bytes.NewReader(buf.Bytes())), nil
+}
+
+// collectFiles walks the source directory and collects files to include
+func (b *ModuleBuilder) collectFiles(srcPath string) ([]string, error) {
+	var files []string
+
+	err := filepath.Walk(srcPath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Skip directories
+		if info.IsDir() {
+			// Skip .git directory
+			if info.Name() == ".git" {
+				return filepath.SkipDir
+			}
+			// Skip vendor directory (per Go module zip spec)
+			if info.Name() == "vendor" {
+				return filepath.SkipDir
+			}
+			return nil
+		}
+
+		// Get relative path
+		relPath, err := filepath.Rel(srcPath, path)
+		if err != nil {
+			return err
+		}
+
+		// Skip hidden files (except .gitignore, etc. if needed)
+		if strings.HasPrefix(filepath.Base(relPath), ".") && relPath != ".gitignore" {
+			return nil
+		}
+
+		// Include file
+		files = append(files, relPath)
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return files, nil
+}
+
+// addFileToZip adds a single file to the zip archive
+func (b *ModuleBuilder) addFileToZip(zipWriter *zip.Writer, srcPath, relPath, prefix string) error {
+	// Create zip header
+	header := &zip.FileHeader{
+		Name:   prefix + filepath.ToSlash(relPath),
+		Method: zip.Deflate,
+	}
+
+	// Get file info for permissions
+	fullPath := filepath.Join(srcPath, relPath)
+	info, err := os.Stat(fullPath)
+	if err != nil {
+		return err
+	}
+
+	// Set modification time to a fixed value for deterministic zips
+	// Go uses the timestamp from the version info
+	header.Modified = time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
+	header.SetMode(info.Mode())
+
+	// Create file in zip
+	writer, err := zipWriter.CreateHeader(header)
+	if err != nil {
+		return err
+	}
+
+	// Copy file contents
+	file, err := os.Open(fullPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	if _, err := io.Copy(writer, file); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// GenerateModInfo creates .info file (JSON metadata)
+func (b *ModuleBuilder) GenerateModInfo(ctx context.Context, srcPath, version string) ([]byte, error) {
+	// Get commit timestamp from git
+	timestamp, err := b.getGitCommitTime(srcPath)
+	if err != nil {
+		// Fallback to current time if git info not available
+		log.Warn().Err(err).Msg("Failed to get git commit time, using current time")
+		timestamp = time.Now()
+	}
+
+	info := ModuleInfo{
+		Version: version,
+		Time:    timestamp,
+	}
+
+	data, err := json.Marshal(info)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal module info: %w", err)
+	}
+
+	return data, nil
+}
+
+// getGitCommitTime retrieves the commit timestamp from git
+func (b *ModuleBuilder) getGitCommitTime(repoPath string) (time.Time, error) {
+	cmd := exec.Command("git", "log", "-1", "--format=%cI")
+	cmd.Dir = repoPath
+
+	output, err := cmd.Output()
+	if err != nil {
+		return time.Time{}, err
+	}
+
+	// Parse ISO 8601 timestamp
+	timestamp, err := time.Parse(time.RFC3339, strings.TrimSpace(string(output)))
+	if err != nil {
+		return time.Time{}, err
+	}
+
+	return timestamp, nil
+}
+
+// ExtractGoMod extracts go.mod content
+func (b *ModuleBuilder) ExtractGoMod(ctx context.Context, srcPath string) ([]byte, error) {
+	goModPath := filepath.Join(srcPath, "go.mod")
+
+	data, err := os.ReadFile(goModPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read go.mod: %w", err)
+	}
+
+	// Validate go.mod (basic check)
+	if !strings.Contains(string(data), "module ") {
+		return nil, fmt.Errorf("invalid go.mod: missing module directive")
+	}
+
+	return data, nil
+}
+
+// ValidateModule performs basic validation on the module
+func (b *ModuleBuilder) ValidateModule(ctx context.Context, srcPath, expectedModulePath string) error {
+	// Read go.mod
+	goModData, err := b.ExtractGoMod(ctx, srcPath)
+	if err != nil {
+		return err
+	}
+
+	// Extract module path from go.mod
+	lines := strings.Split(string(goModData), "\n")
+	var declaredModulePath string
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "module ") {
+			declaredModulePath = strings.TrimSpace(strings.TrimPrefix(line, "module "))
+			break
+		}
+	}
+
+	if declaredModulePath == "" {
+		return fmt.Errorf("go.mod missing module declaration")
+	}
+
+	// Check if module path matches (allow version suffixes)
+	if !strings.HasPrefix(expectedModulePath, declaredModulePath) {
+		return fmt.Errorf("module path mismatch: expected %s, got %s", expectedModulePath, declaredModulePath)
+	}
+
+	return nil
+}