Fix SigV4 signing for S3 keys containing colons

url.PathEscape does not encode colons (valid per RFC 3986), but AWS
SigV4 requires only unreserved characters (A-Za-z0-9-._~) in the
canonical URI. Keys like "app:assembleDebug" caused signature mismatches
resulting in 403s silently treated as cache misses.

Replace url.PathEscape with s3PathEscape using the AWS unreserved set.
Add wrapper preservation checks to the integration test.

Author: joshfriend

cmd/gradle-cache/integration_test.go

@@ -213,6 +213,10 @@ func TestIntegrationGradleBuildCycle(t *testing.T) {
 		t.Fatalf("expected caches dir after restore: %v", err)
 	}
 
+	if _, err := os.Stat(filepath.Join(gradleUserHome, "wrapper")); err != nil {
+		t.Fatalf("expected wrapper dir after restore: %v", err)
+	}
+
 	ccRestored := filepath.Join(projectDir, ".gradle", "configuration-cache")
 	if _, err := os.Stat(ccRestored); err != nil {
 		t.Log("  configuration-cache dir was NOT restored")
@@ -224,6 +228,12 @@ func TestIntegrationGradleBuildCycle(t *testing.T) {
 	t.Log("Step 5: Rebuilding to verify cache hits...")
 	output := gradleRun(t, projectDir, gradlew, gradleUserHome, "build")
 
+	// Verify the wrapper was NOT re-downloaded — if it was, the bundle didn't
+	// include the wrapper directory (or the .ok marker file was missing).
+	if strings.Contains(output, "Downloading") {
+		t.Error("Gradle re-downloaded the wrapper distribution after restore; wrapper/ should be cached in the bundle")
+	}
+
 	if strings.Contains(output, "Reusing configuration cache") {
 		t.Log("  Configuration cache: reused")
 	} else {

cmd/gradle-cache/main_test.go

@@ -63,6 +63,27 @@ func TestBundleFilename(t *testing.T) {
 	}
 }
 
+func TestS3PathEscape(t *testing.T) {
+	tests := []struct {
+		input, want string
+	}{
+		{"simple", "simple"},
+		{"apos-beta", "apos-beta"},
+		{"address-typeahead-sample:assembleDebug", "address-typeahead-sample%3AassembleDebug"},
+		{"a:b:c", "a%3Ab%3Ac"},
+		{":leadingColon", "%3AleadingColon"},
+		{"file.tar.zst", "file.tar.zst"},
+		{"with spaces", "with%20spaces"},
+		{"tilde~ok", "tilde~ok"},
+		{"hash#bad", "hash%23bad"},
+	}
+	for _, tt := range tests {
+		if got := s3PathEscape(tt.input); got != tt.want {
+			t.Errorf("s3PathEscape(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
+
 func TestS3Key(t *testing.T) {
 	tests := []struct {
 		commit, cacheKey, bundleFile, want string
@@ -463,8 +484,10 @@ func TestTarZstdRoundTrip(t *testing.T) {
 	must(t, os.WriteFile(filepath.Join(gradleHome, "caches", "8.14.3", "cc-keystore", "keystore.bin"), []byte("secret"), 0o644))
 
 	// wrapper/ source (under gradle-home) — includes a .zip that should be excluded
+	// and a .ok marker file that must be preserved (Gradle checks for it to skip re-downloading)
 	must(t, os.MkdirAll(filepath.Join(gradleHome, "wrapper", "dists", "gradle-8.14.3-bin", "abc123"), 0o755))
 	must(t, os.WriteFile(filepath.Join(gradleHome, "wrapper", "dists", "gradle-8.14.3-bin", "abc123", "gradle-8.14.3-bin.zip"), []byte("should be excluded"), 0o644))
+	must(t, os.WriteFile(filepath.Join(gradleHome, "wrapper", "dists", "gradle-8.14.3-bin", "abc123", "gradle-8.14.3-bin.zip.ok"), []byte(""), 0o644))
 	must(t, os.MkdirAll(filepath.Join(gradleHome, "wrapper", "dists", "gradle-8.14.3-bin", "abc123", "gradle-8.14.3", "lib"), 0o755))
 	must(t, os.WriteFile(filepath.Join(gradleHome, "wrapper", "dists", "gradle-8.14.3-bin", "abc123", "gradle-8.14.3", "lib", "gradle-core.jar"), []byte("wrapper data"), 0o644))
 
@@ -495,6 +518,7 @@ func TestTarZstdRoundTrip(t *testing.T) {
 	for _, rel := range []string{
 		"caches/modules/entry.bin",
 		"wrapper/dists/gradle-8.14.3-bin/abc123/gradle-8.14.3/lib/gradle-core.jar",
+		"wrapper/dists/gradle-8.14.3-bin/abc123/gradle-8.14.3-bin.zip.ok",
 		"configuration-cache/hash.bin",
 	} {
 		path := filepath.Join(dstDir, rel)

cmd/gradle-cache/s3.go

@@ -516,7 +516,8 @@ func (c *s3Client) putStreamingMultipart(ctx context.Context, bucket, key string
 }
 
 // objectURL returns the virtual-hosted S3 URL for the given bucket and key.
-// Each path segment of the key is percent-encoded per RFC 3986.
+// Each path segment is percent-encoded using the AWS SigV4 URI encoding rules
+// (only A-Za-z0-9 - . _ ~ are left unencoded).
 func (c *s3Client) objectURL(bucket, key string) string {
 	var sb strings.Builder
 	sb.WriteString("https://")
@@ -526,7 +527,26 @@ func (c *s3Client) objectURL(bucket, key string) string {
 	sb.WriteString(".amazonaws.com")
 	for _, seg := range strings.Split(key, "/") {
 		sb.WriteByte('/')
-		sb.WriteString(url.PathEscape(seg))
+		sb.WriteString(s3PathEscape(seg))
+	}
+	return sb.String()
+}
+
+// s3PathEscape percent-encodes a single path segment using the AWS SigV4
+// URI encoding rules: unreserved characters (A-Za-z0-9 - . _ ~) are left
+// as-is; everything else (including colons) is percent-encoded.
+// This is stricter than url.PathEscape which also leaves sub-delimiters
+// like : ; @ ! unencoded.
+func s3PathEscape(s string) string {
+	var sb strings.Builder
+	for i := 0; i < len(s); i++ {
+		c := s[i]
+		if (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
+			c == '-' || c == '.' || c == '_' || c == '~' {
+			sb.WriteByte(c)
+		} else {
+			fmt.Fprintf(&sb, "%%%02X", c)
+		}
 	}
 	return sb.String()
 }