Pio lock file

[Jason2866]

• New Features

  • Optional pio-lock integration with automatic registration when enabled

• Documentation

  • Added comprehensive pio-lock integration guide

Checklist:

• The pull request is done against the latest develop branch
• Only relevant files were touched
• Only one feature/fix was added per PR, more changes are allowed when changing boards.json
• I accept the CLA

Summary by CodeRabbit

• New Features

  • Automatic pio-lock target registration when enabled in environment configuration
  • Improved download resilience with exponential backoff for transient failures
  • Enhanced ESP32 platform toolchain management with improved installation flows
  • Safer file operations with centralized error handling

• Documentation

  • Added comprehensive pio-lock integration guide with usage examples and troubleshooting
  • Updated README documentation

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d27fb47e-4b15-4eee-b519-2b38cd2f07ee

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds optional pio-lock integration: installs pio-lock into the platform Python environment, auto-registers pio-lock targets for enabled environments, adds platform resilience helpers and tooling-install flows, provides integration docs, and removes a FatFS instructions block from the README.

Changes

PIO-lock integration

Layer / File(s)	Summary
Data / Flags builder/main.py, platform.py	Reads environment name (env.subst("$PIOENV")) and custom_pio_lock (env-specific) to decide whether to enable pio-lock behavior.
Installation API builder/penv_setup.py	Adds install_pio_lock(platform, uv_executable, penv_executable, uv_cache_dir=None) and extends install_python_deps(..., additional_deps=None) to merge/handle extra deps and install pio-lock (git spec via uv, pip fallback).
Platform wiring platform.py	Exports/assigns install_pio_lock and GDB_TOOL_PACKAGES from penv setup and invokes install_pio_lock(...) during Python env/tool setup when custom_pio_lock is enabled; also schedules freertos-gdb installation.
Runtime registration builder/main.py	On environment setup, conditionally imports pio_lock and calls pio_lock.register_pio_targets(env); handles ImportError and AttributeError by emitting warnings.
Docs docs/PIO_LOCK_INTEGRATION.md	New integration guide covering enabling, targets, usage, workflow, lockfile format, troubleshooting, and CI snippets.

Platform resilience & tooling additions

Layer / File(s)	Summary
Helpers / Patching platform.py (lines ~100–170)	Introduces patch_file_downloader() (adds retry/backoff to downloads) and safe filesystem wrappers (safe_remove_file, safe_remove_directory, safe_copy_file, safe_copy_directory, etc.).
Tooling flows / Installers platform.py (Espressif32Platform methods)	Enhances tool installation flows: version-aware installs, handling legacy directories, dynamic package configuration, and integration points to install freertos-gdb and optionally pio-lock.
Exports / Symbols platform.py top-level	Adds top-level symbols (patch_file_downloader, safe_* wrappers) and binds install_pio_lock and GDB_TOOL_PACKAGES from penv_setup.
Docs cleanup README.md	Removes the detailed "FatFS Integration" documentation block while retaining the FatFS bullet.

Sequence Diagram

sequenceDiagram
    participant Builder as Builder (builder/main.py)
    participant Platform as Espressif32Platform (platform.py)
    participant UV as UV (uv executable)
    participant Penv as Python Env (penv)
    participant PIO as pio-lock module

    Builder->>Platform: setup_python_env()
    Platform->>Platform: read `custom_pio_lock` for active env
    alt enabled
        Platform->>Penv: attempt import `pio_lock`
        alt not importable
            Platform->>UV: uv install git+https://github.com/m-mcgowan/pio-lock.git@v0.2.0
            UV-->>Penv: package installed (or pip fallback)
        end
        Penv-->>Platform: pio_lock importable
    end
    Builder->>PIO: conditional import `pio_lock`
    alt enabled and import succeeds
        Builder->>PIO: `register_pio_targets(env)`
        PIO-->>Builder: targets registered
    else import fails
        PIO-->>Builder: warning emitted
    end

Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly Related PRs

• pioarduino/platform-espressif32#199: Modifies the same pio-lock integration points (installation and auto-registration); directly related.
• pioarduino/platform-espressif32#476: Adds conditional installation of optional platform tools during package configuration; shares pattern and locations.
• pioarduino/platform-espressif32#255: Prior penv_setup and environment-management changes that overlap with these penv/installation edits.

Poem

🐰 I hopped through envs with nimble paws,
I fetched a lock from far-off laws.
With retries, copies, safe removals too,
I wired the tools and made them new.
A rabbit's cheer for builds that queue.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Pio lock file' is vague and does not clearly convey the scope of changes, which include automatic pio-lock integration, new registration functionality, installation helpers, and documentation.	Consider a more descriptive title such as 'Add optional pio-lock integration with automatic registration' to better summarize the main feature being introduced.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pio_lock

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Jason2866]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

docs/PIO_LOCK_INTEGRATION.md (1)

248-251: 💤 Low value

Document the version/commit pio-lock is pinned to.

The integration installs from git+https://github.com/m-mcgowan/pio-lock.git HEAD (see builder/penv_setup.py line 848). Users tracking down build differences across machines should be told which revision of pio-lock is in use, and ideally that revision should be pinned in the installer (see comment on install_pio_lock). Consider adding a "Version" subsection here noting the pinned tag/commit once that pin is added.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/PIO_LOCK_INTEGRATION.md` around lines 248 - 251, The docs must state
which revision of pio-lock is used and the installer should pin it; update the
README section "See Also" by adding a "Version" subsection naming the pinned
tag/commit, and modify the installer call in builder/penv_setup.py (the
install_pio_lock function) to install from that specific git tag/commit instead
of HEAD (e.g., git+https://...@<commit-or-tag>), then document that exact
tag/commit in the PIO_LOCK_INTEGRATION.md Version subsection so users can
reproduce builds.

builder/penv_setup.py (1)

822-823: ⚡ Quick win

Surface a clearer diagnostic when pio-lock can't be installed.

When has_network is false the function returns silently, and on failure the only visible signal is print(f"Warning: Failed to install pio-lock: {exc}") with pip's actual stdout/stderr suppressed (stdout=DEVNULL, stderr=STDOUT redirects stderr into the discarded stdout). Combined with builder/main.py's try: import pio_lock ... except ImportError: pass, a user who sets custom_pio_lock = true but has flaky network or an upstream incompatibility gets no actionable information — pio-lock targets just don't appear. Consider:

• Logging an explicit "skipped: no network" message when has_network is false (since the user opted into the feature).
• Capturing pip output and printing it on failure instead of suppressing it.

Also applies to: 856-857

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@builder/penv_setup.py` around lines 822 - 823, When has_network is false the
installer returns silently; change the code around the has_network check to emit
an explicit message (e.g., a warning like "Skipped installing pio-lock: no
network available and custom_pio_lock enabled") so the user's intent is visible;
also modify the pio-lock installation error handling where you currently print
f"Warning: Failed to install pio-lock: {exc}" and where you call pip with
stdout=DEVNULL, stderr=STDOUT to capture pip's output (use
subprocess.check_output or capture stdout/stderr into variables) and include
that captured output in the error log so pip failure details are surfaced; apply
the same changes to the other installation site that mirrors this logic (the
second occurrence around the other pio-lock install).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@builder/main.py`:
- Around line 76-89: When custom_pio_lock is enabled the current except
ImportError/AttributeError blocks silently swallow errors; update them to log a
one-line warning including the env_name and the caught exception so users know
why pio_lock targets weren’t registered. Specifically, in the block that checks
projectconfig.get(...) and tries "import pio_lock" and
"pio_lock.register_pio_targets(env)", catch ImportError and AttributeError and
call the existing logger (or processLogger) to emit a warning like
"custom_pio_lock requested for <env_name>: failed to import pio_lock: <error>"
or "custom_pio_lock requested for <env_name>: pio_lock missing
register_pio_targets: <error>" so failures are diagnosable; keep the try/except
structure but surface the exception text rather than passing silently.

In `@builder/penv_setup.py`:
- Around line 843-857: The pio-lock install currently pulls the live default
branch and hides installer output; verify whether the GitHub repo
m-mcgowan/pio-lock exists or is private and document access requirements, then
change the install URL in the subprocess call from
"git+https://github.com/m-mcgowan/pio-lock.git" to a pinned ref like
"git+https://github.com/m-mcgowan/pio-lock.git@<tag-or-sha>" to ensure
reproducibility, and change the subprocess invocation (the call that uses
uv_executable, pip, f"--python={penv_executable}", env=uv_env) to surface
failures by capturing and logging command output on non-zero exit (e.g., use
subprocess.run with capture_output=True or remove stdout=DEVNULL/stderr=STDOUT
and log stderr/CALLED_PROCESS_ERROR.stderr) so the except block can print
detailed error output instead of only a generic warning.

In `@docs/PIO_LOCK_INTEGRATION.md`:
- Around line 229-237: Update the docs text around the lock-restore example to
warn that `pio pkg uninstall -e myenv` without package flags removes all
declared lib_deps, the selected platform/framework and associated
toolchains/platform_packages (causing a full re-download), then show the `pio
pkg uninstall -e myenv` followed by `pio run -t lock-restore -e myenv`;
reference the commands `pio pkg uninstall -e myenv` and the target
`lock-restore` so readers see exactly which operations are affected.

---

Nitpick comments:
In `@builder/penv_setup.py`:
- Around line 822-823: When has_network is false the installer returns silently;
change the code around the has_network check to emit an explicit message (e.g.,
a warning like "Skipped installing pio-lock: no network available and
custom_pio_lock enabled") so the user's intent is visible; also modify the
pio-lock installation error handling where you currently print f"Warning: Failed
to install pio-lock: {exc}" and where you call pip with stdout=DEVNULL,
stderr=STDOUT to capture pip's output (use subprocess.check_output or capture
stdout/stderr into variables) and include that captured output in the error log
so pip failure details are surfaced; apply the same changes to the other
installation site that mirrors this logic (the second occurrence around the
other pio-lock install).

In `@docs/PIO_LOCK_INTEGRATION.md`:
- Around line 248-251: The docs must state which revision of pio-lock is used
and the installer should pin it; update the README section "See Also" by adding
a "Version" subsection naming the pinned tag/commit, and modify the installer
call in builder/penv_setup.py (the install_pio_lock function) to install from
that specific git tag/commit instead of HEAD (e.g.,
git+https://...@<commit-or-tag>), then document that exact tag/commit in the
PIO_LOCK_INTEGRATION.md Version subsection so users can reproduce builds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f6301b3d-6a1b-4dfb-bd7b-fa8d6cd8a776

📥 Commits

Reviewing files that changed from the base of the PR and between 568534b and 22f26d9.

📒 Files selected for processing (4)

• builder/main.py
• builder/penv_setup.py
• docs/PIO_LOCK_INTEGRATION.md
• platform.py

[Jason2866]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

builder/penv_setup.py (1)

845-857: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Installer output is still suppressed on failure — only a generic warning is surfaced.

stdout=DEVNULL, stderr=STDOUT plus --quiet means the actual uv pip install error (e.g. tag not found, no pyproject.toml, network issue) never reaches the user — only the generic f"Warning: Failed to install pio-lock: {exc}" from the bare except is shown. With the v0.2.0 pin in place this is the main remaining blocker on diagnosability of failed installs. Consider subprocess.run(..., capture_output=True, text=True, check=True) and printing e.stdout/e.stderr from CalledProcessError in the except branch.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@builder/penv_setup.py` around lines 845 - 857, Replace the current
subprocess.check_call invocation that silences output (the block using
uv_executable, pip install with --quiet and
stdout=subprocess.DEVNULL/stderr=subprocess.STDOUT) with a subprocess.run call
using capture_output=True, text=True, and check=True; on exception catch
subprocess.CalledProcessError and print/format e.stdout and e.stderr (along with
a descriptive message about failing to install pio-lock and the f"v0.2.0"
reference) so failures from the uv pip install (which uses penv_executable and
uv_env) are visible for debugging.

🧹 Nitpick comments (1)

platform.py (1)

863-865: 💤 Low value

Optional: harden the truthy check against non-string config values.

variables.get("custom_pio_lock", "false").lower() assumes the value is always a str. PlatformIO normally returns config values as strings so this is fine today, but if upstream ever returns a bool/None (e.g. via a typed accessor), .lower() will raise AttributeError and abort configure_default_packages. Wrapping with str(...) keeps it safe regardless of source.

-            if variables.get("custom_pio_lock", "false").lower() in ("true", "yes", "1"):
+            if str(variables.get("custom_pio_lock", "false")).strip().lower() in ("true", "yes", "1"):
                 install_pio_lock(self, get_executable_path(str(Path(core_dir) / "penv"), "uv"), penv_python, str(Path(core_dir) / ".cache" / "uv"))

Same pattern would apply to the corresponding check in builder/main.py Line 78 if you adopt this.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@platform.py` around lines 863 - 865, The truthy check on
variables.get("custom_pio_lock", "false").lower() can raise AttributeError if a
non-string (e.g. bool/None) is returned; change the guard in
configure_default_packages to coerce the value to a string before calling
.lower() (e.g., use str(variables.get("custom_pio_lock", "false")).lower() in
the condition that calls install_pio_lock) so it safely handles non-string
config values; apply the same defensive change to the analogous check in
builder/main.py around the check on custom_pio_lock.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@builder/penv_setup.py`:
- Around line 830-841: The pre-check using subprocess.run([penv_executable,
"-c", "import pio_lock; print('pio-lock installed')"]) returns early on any
successful import and ignores version, allowing older pio_lock to bypass the
pinned git+...@v0.2.0 install; change this by either removing the early return
or expanding the check to query the installed version (e.g., run
importlib.metadata.version("pio-lock") via penv_executable) and only return when
the version equals v0.2.0, otherwise fall through so the subsequent pip install
of the pinned git+...@v0.2.0 is executed; adjust the subprocess.run usage around
penv_executable and the result.returncode logic to enforce reinstall on
mismatch.

---

Duplicate comments:
In `@builder/penv_setup.py`:
- Around line 845-857: Replace the current subprocess.check_call invocation that
silences output (the block using uv_executable, pip install with --quiet and
stdout=subprocess.DEVNULL/stderr=subprocess.STDOUT) with a subprocess.run call
using capture_output=True, text=True, and check=True; on exception catch
subprocess.CalledProcessError and print/format e.stdout and e.stderr (along with
a descriptive message about failing to install pio-lock and the f"v0.2.0"
reference) so failures from the uv pip install (which uses penv_executable and
uv_env) are visible for debugging.

---

Nitpick comments:
In `@platform.py`:
- Around line 863-865: The truthy check on variables.get("custom_pio_lock",
"false").lower() can raise AttributeError if a non-string (e.g. bool/None) is
returned; change the guard in configure_default_packages to coerce the value to
a string before calling .lower() (e.g., use str(variables.get("custom_pio_lock",
"false")).lower() in the condition that calls install_pio_lock) so it safely
handles non-string config values; apply the same defensive change to the
analogous check in builder/main.py around the check on custom_pio_lock.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5e9d3582-77ff-4849-9aeb-196614ff40e4

📥 Commits

Reviewing files that changed from the base of the PR and between 568534b and b76838b.

📒 Files selected for processing (9)

• README.md
• builder/main.py
• builder/penv_setup.py
• docs/ARDUINO_RELINKER_INTEGRATION.md
• docs/FATFS_INTEGRATION.md
• docs/PIO_LOCK_INTEGRATION.md
• docs/RELINKER_INTEGRATION.md
• docs/WEAR_LEVELING.md
• platform.py

💤 Files with no reviewable changes (1)

• README.md

[Jason2866]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

builder/penv_setup.py (1)

340-347: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

get_packages_to_install crashes on git+/URL specs when the package is already installed.

Once pio-lock (or any future URL/git-based additional_deps) is installed, on the next build:

• list(get_packages_to_install(all_deps, installed_packages)) iterates all dependencies
• For installed pio-lock, the code reaches semantic_version.SimpleSpec("git+https://github.com/m-mcgowan/pio-lock.git@v0.2.0") which raises ValueError — SimpleSpec only accepts PEP 440-style version constraints

The exception is caught only by the outer try/except Exception in platform.py:configure_default_packages, which logs and swallows it with "Don't re-raise to maintain compatibility". Net effect on every subsequent build with custom_pio_lock=true: the entire dependency-install step short-circuits, so python_deps (esp-idf-size, esp-coredump, etc.) silently stop being version-checked / updated.

The URL handling at lines 487-489 only applies after get_packages_to_install has already succeeded.

Proposed fix — short-circuit URL/git specs in version checking

 def get_packages_to_install(deps, installed_packages):
     """
     Generator for Python packages that need to be installed.
     Compares package names case-insensitively.
     """
     for package, spec in deps.items():
         name = package.lower()
         if name not in installed_packages:
             yield package
+        elif spec.startswith(('http://', 'https://', 'git+', 'file://')):
+            # URL/git/file specs cannot be parsed by semantic_version.SimpleSpec.
+            # Treat the pinned URL as already satisfied if present in the env;
+            # use `uv pip install --upgrade` separately to refresh on demand.
+            continue
         else:
             version_spec = semantic_version.SimpleSpec(spec)
             if not version_spec.match(installed_packages[name]):
                 yield package

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@builder/penv_setup.py` around lines 340 - 347, get_packages_to_install
crashes when a dependency spec is a git/URL (e.g., "git+https://...@vX.Y")
because semantic_version.SimpleSpec can't parse it; modify
get_packages_to_install to detect VCS/URL specs before calling
semantic_version.SimpleSpec and short-circuit version checking for those cases
(i.e., if the spec string starts with "git+", contains "://" or ".git" or other
VCS markers, treat the installed package as acceptable and do not call
SimpleSpec.match). Update the branch that currently creates version_spec =
semantic_version.SimpleSpec(spec) to first test the spec for URL/Git patterns
and skip parsing for such specs so the function yields only missing packages or
valid semver-mismatches.

🧹 Nitpick comments (1)

builder/penv_setup.py (1)

838-841: 💤 Low value

Misleading "Installed pio-lock" message when nothing was installed.

install_python_deps returns True both when installations succeed and when no packages needed installation. Line 839 unconditionally prints "Installed pio-lock for dependency lockfile support" on every truthy return, so a user sees this on every build even when pio-lock was already up-to-date. Demote to a debug log or only print when an install actually ran.

♻️ Sketch — gate the success message

-    # Use the centralized installer
-    if install_python_deps(penv_executable, uv_executable, uv_cache_dir, pio_lock_dep):
-        print("Installed pio-lock for dependency lockfile support")
-    else:
-        print("Warning: Failed to install pio-lock")
+    # Use the centralized installer
+    if not install_python_deps(penv_executable, uv_executable, uv_cache_dir, pio_lock_dep):
+        print("Warning: Failed to install pio-lock")

(Or add a return value to install_python_deps indicating whether anything was actually installed, and only print on first install.)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@builder/penv_setup.py` around lines 838 - 841, The success message is
misleading because install_python_deps can return True when nothing was
installed; change the contract or the call site so the message is only shown
when an actual install occurred: update install_python_deps to return a
two-state result (e.g. (success: bool, installed_any: bool) or raise/return an
enum) or add a separate function to check if installation was performed, then in
the caller that invokes install_python_deps(penv_executable, uv_executable,
uv_cache_dir, pio_lock_dep) only print "Installed pio-lock for dependency
lockfile support" when installed_any is True; otherwise log a debug message (use
the existing logger) or skip printing so up-to-date runs don’t show the success
banner.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@builder/penv_setup.py`:
- Around line 340-347: get_packages_to_install crashes when a dependency spec is
a git/URL (e.g., "git+https://...@vX.Y") because semantic_version.SimpleSpec
can't parse it; modify get_packages_to_install to detect VCS/URL specs before
calling semantic_version.SimpleSpec and short-circuit version checking for those
cases (i.e., if the spec string starts with "git+", contains "://" or ".git" or
other VCS markers, treat the installed package as acceptable and do not call
SimpleSpec.match). Update the branch that currently creates version_spec =
semantic_version.SimpleSpec(spec) to first test the spec for URL/Git patterns
and skip parsing for such specs so the function yields only missing packages or
valid semver-mismatches.

---

Nitpick comments:
In `@builder/penv_setup.py`:
- Around line 838-841: The success message is misleading because
install_python_deps can return True when nothing was installed; change the
contract or the call site so the message is only shown when an actual install
occurred: update install_python_deps to return a two-state result (e.g.
(success: bool, installed_any: bool) or raise/return an enum) or add a separate
function to check if installation was performed, then in the caller that invokes
install_python_deps(penv_executable, uv_executable, uv_cache_dir, pio_lock_dep)
only print "Installed pio-lock for dependency lockfile support" when
installed_any is True; otherwise log a debug message (use the existing logger)
or skip printing so up-to-date runs don’t show the success banner.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bb1c0857-bb53-4dcb-bf8a-98721edf0d9d

📥 Commits

Reviewing files that changed from the base of the PR and between 568534b and aa4a656.

📒 Files selected for processing (9)

• README.md
• builder/main.py
• builder/penv_setup.py
• docs/ARDUINO_RELINKER_INTEGRATION.md
• docs/FATFS_INTEGRATION.md
• docs/PIO_LOCK_INTEGRATION.md
• docs/RELINKER_INTEGRATION.md
• docs/WEAR_LEVELING.md
• platform.py

💤 Files with no reviewable changes (1)

• README.md