use std::path::Path;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use tokio::fs;
use tracing::{debug, info, warn};
use crate::error::{RegistryError, RegistryResult};
use crate::reference::PackRef;
use crate::resolver::{PackResolver, ResolveSource};
pub const LOCKFILE_NAME: &str = "assay.packs.lock";
pub const LOCKFILE_VERSION: u8 = 2;
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Lockfile {
pub version: u8,
pub generated_at: DateTime<Utc>,
pub generated_by: String,
#[serde(default)]
pub packs: Vec<LockedPack>,
}
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct LockedPack {
pub name: String,
pub version: String,
pub digest: String,
pub source: LockSource,
#[serde(default, skip_serializing_if = "Option::is_none")]
pub registry_url: Option<String>,
#[serde(default, skip_serializing_if = "Option::is_none")]
pub byos_url: Option<String>,
#[serde(default, skip_serializing_if = "Option::is_none")]
pub signature: Option<LockSignature>,
}
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "lowercase")]
pub enum LockSource {
Bundled,
Registry,
Byos,
Local,
}
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub struct LockSignature {
pub algorithm: String,
pub key_id: String,
}
#[derive(Debug, Clone)]
pub struct VerifyLockResult {
pub all_match: bool,
pub matched: Vec<String>,
pub mismatched: Vec<LockMismatch>,
pub missing: Vec<String>,
pub extra: Vec<String>,
}
#[derive(Debug, Clone)]
pub struct LockMismatch {
pub name: String,
pub version: String,
pub expected: String,
pub actual: String,
}
impl Lockfile {
pub fn new() -> Self {
Self {
version: LOCKFILE_VERSION,
generated_at: Utc::now(),
generated_by: format!("assay-cli/{}", env!("CARGO_PKG_VERSION")),
packs: Vec::new(),
}
}
pub async fn load(path: impl AsRef<Path>) -> RegistryResult<Self> {
let path = path.as_ref();
if !path.exists() {
return Err(RegistryError::Lockfile {
message: format!("lockfile not found: {}", path.display()),
});
}
let content = fs::read_to_string(path)
.await
.map_err(|e| RegistryError::Lockfile {
message: format!("failed to read lockfile: {}", e),
})?;
Self::parse(&content)
}
pub fn parse(content: &str) -> RegistryResult<Self> {
let lockfile: Lockfile =
serde_yaml::from_str(content).map_err(|e| RegistryError::Lockfile {
message: format!("failed to parse lockfile: {}", e),
})?;
if lockfile.version > LOCKFILE_VERSION {
return Err(RegistryError::Lockfile {
message: format!(
"lockfile version {} is newer than supported version {}",
lockfile.version, LOCKFILE_VERSION
),
});
}
Ok(lockfile)
}
pub async fn save(&self, path: impl AsRef<Path>) -> RegistryResult<()> {
let path = path.as_ref();
let content = self.to_yaml()?;
fs::write(path, content)
.await
.map_err(|e| RegistryError::Lockfile {
message: format!("failed to write lockfile: {}", e),
})?;
info!(path = %path.display(), "saved lockfile");
Ok(())
}
pub fn to_yaml(&self) -> RegistryResult<String> {
serde_yaml::to_string(self).map_err(|e| RegistryError::Lockfile {
message: format!("failed to serialize lockfile: {}", e),
})
}
pub fn add_pack(&mut self, pack: LockedPack) {
self.packs.retain(|p| p.name != pack.name);
self.packs.push(pack);
self.packs.sort_by(|a, b| a.name.cmp(&b.name));
self.generated_at = Utc::now();
}
pub fn remove_pack(&mut self, name: &str) -> bool {
let len_before = self.packs.len();
self.packs.retain(|p| p.name != name);
self.packs.len() != len_before
}
pub fn get_pack(&self, name: &str) -> Option<&LockedPack> {
self.packs.iter().find(|p| p.name == name)
}
pub fn contains(&self, name: &str) -> bool {
self.packs.iter().any(|p| p.name == name)
}
pub fn pack_names(&self) -> Vec<&str> {
self.packs.iter().map(|p| p.name.as_str()).collect()
}
}
impl Default for Lockfile {
fn default() -> Self {
Self::new()
}
}
pub async fn generate_lockfile(
references: &[String],
resolver: &PackResolver,
) -> RegistryResult<Lockfile> {
let mut lockfile = Lockfile::new();
for reference in references {
debug!(reference, "locking pack");
let pack_ref = PackRef::parse(reference)?;
let resolved = resolver.resolve_ref(&pack_ref).await?;
let (name, version) = match &pack_ref {
PackRef::Bundled(name) => (name.clone(), "bundled".to_string()),
PackRef::Registry { name, version, .. } => (name.clone(), version.clone()),
PackRef::Byos(url) => {
let name = url
.rsplit('/')
.next()
.unwrap_or("unknown")
.trim_end_matches(".yaml")
.trim_end_matches(".yml")
.to_string();
(name, "byos".to_string())
}
PackRef::Local(path) => {
let name = path
.file_stem()
.and_then(|s| s.to_str())
.unwrap_or("unknown")
.to_string();
warn!(
path = %path.display(),
"locking local file - consider using registry or bundled packs instead"
);
(name, "local".to_string())
}
};
let (source, registry_url, byos_url) = match &resolved.source {
ResolveSource::Local(_) => (LockSource::Local, None, None),
ResolveSource::Bundled(_) => (LockSource::Bundled, None, None),
ResolveSource::Cache => (LockSource::Registry, None, None),
ResolveSource::Registry(url) => (LockSource::Registry, Some(url.clone()), None),
ResolveSource::Byos(url) => (LockSource::Byos, None, Some(url.clone())),
};
let signature = resolved.verification.as_ref().and_then(|v| {
v.key_id.as_ref().map(|key_id| LockSignature {
algorithm: "Ed25519".to_string(),
key_id: key_id.clone(),
})
});
let locked = LockedPack {
name,
version,
digest: resolved.digest,
source,
registry_url,
byos_url,
signature,
};
lockfile.add_pack(locked);
}
Ok(lockfile)
}
pub async fn verify_lockfile(
lockfile: &Lockfile,
resolver: &PackResolver,
) -> RegistryResult<VerifyLockResult> {
let mut matched = Vec::new();
let mut mismatched = Vec::new();
let mut missing = Vec::new();
for locked in &lockfile.packs {
debug!(name = %locked.name, version = %locked.version, "verifying locked pack");
let reference = match locked.source {
LockSource::Bundled => locked.name.clone(),
LockSource::Registry => {
format!("{}@{}#{}", locked.name, locked.version, locked.digest)
}
LockSource::Byos => locked
.byos_url
.clone()
.unwrap_or_else(|| locked.name.clone()),
LockSource::Local => {
warn!(
name = %locked.name,
"cannot verify local pack - skipping"
);
continue;
}
};
match resolver.resolve(&reference).await {
Ok(resolved) => {
if resolved.digest == locked.digest {
matched.push(locked.name.clone());
} else {
mismatched.push(LockMismatch {
name: locked.name.clone(),
version: locked.version.clone(),
expected: locked.digest.clone(),
actual: resolved.digest,
});
}
}
Err(e) => {
warn!(name = %locked.name, error = %e, "failed to resolve locked pack");
missing.push(locked.name.clone());
}
}
}
let all_match = mismatched.is_empty() && missing.is_empty();
Ok(VerifyLockResult {
all_match,
matched,
mismatched,
missing,
extra: Vec::new(), })
}
pub async fn check_lockfile(
lockfile: &Lockfile,
resolver: &PackResolver,
) -> RegistryResult<Vec<LockMismatch>> {
let result = verify_lockfile(lockfile, resolver).await?;
if !result.all_match {
return Err(RegistryError::Lockfile {
message: format!(
"lockfile verification failed: {} mismatched, {} missing",
result.mismatched.len(),
result.missing.len()
),
});
}
Ok(result.mismatched)
}
pub async fn update_lockfile(
lockfile: &mut Lockfile,
resolver: &PackResolver,
) -> RegistryResult<Vec<String>> {
let mut updated = Vec::new();
for locked in &mut lockfile.packs {
if locked.source != LockSource::Registry {
continue;
}
debug!(name = %locked.name, version = %locked.version, "checking for updates");
let reference = format!("{}@{}", locked.name, locked.version);
match resolver.resolve(&reference).await {
Ok(resolved) => {
if resolved.digest != locked.digest {
info!(
name = %locked.name,
old_digest = %locked.digest,
new_digest = %resolved.digest,
"updating locked digest"
);
locked.digest = resolved.digest;
updated.push(locked.name.clone());
}
}
Err(e) => {
warn!(name = %locked.name, error = %e, "failed to update pack");
}
}
}
if !updated.is_empty() {
lockfile.generated_at = Utc::now();
}
Ok(updated)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_lockfile_new() {
let lockfile = Lockfile::new();
assert_eq!(lockfile.version, LOCKFILE_VERSION);
assert!(lockfile.packs.is_empty());
}
#[test]
fn test_lockfile_parse() {
let yaml = r#"
version: 2
generated_at: "2026-01-29T10:00:00Z"
generated_by: "assay-cli/2.10.1"
packs:
- name: eu-ai-act-pro
version: "1.2.0"
digest: sha256:abc123def456
source: registry
registry_url: "https://registry.getassay.dev/v1"
signature:
algorithm: Ed25519
key_id: sha256:keyid123
"#;
let lockfile = Lockfile::parse(yaml).unwrap();
assert_eq!(lockfile.version, 2);
assert_eq!(lockfile.packs.len(), 1);
let pack = &lockfile.packs[0];
assert_eq!(pack.name, "eu-ai-act-pro");
assert_eq!(pack.version, "1.2.0");
assert_eq!(pack.digest, "sha256:abc123def456");
assert_eq!(pack.source, LockSource::Registry);
assert!(pack.signature.is_some());
}
#[test]
fn test_lockfile_parse_unsupported_version() {
let yaml = r#"
version: 99
generated_at: "2026-01-29T10:00:00Z"
generated_by: "future-cli/9.0.0"
packs: []
"#;
let result = Lockfile::parse(yaml);
assert!(matches!(result, Err(RegistryError::Lockfile { .. })));
}
#[test]
fn test_lockfile_add_pack() {
let mut lockfile = Lockfile::new();
let pack1 = LockedPack {
name: "pack-b".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:bbb".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
};
let pack2 = LockedPack {
name: "pack-a".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:aaa".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
};
lockfile.add_pack(pack1);
lockfile.add_pack(pack2);
assert_eq!(lockfile.packs[0].name, "pack-a");
assert_eq!(lockfile.packs[1].name, "pack-b");
}
#[test]
fn test_lockfile_add_pack_update() {
let mut lockfile = Lockfile::new();
let pack1 = LockedPack {
name: "my-pack".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:old".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
};
let pack2 = LockedPack {
name: "my-pack".to_string(),
version: "1.1.0".to_string(),
digest: "sha256:new".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
};
lockfile.add_pack(pack1);
lockfile.add_pack(pack2);
assert_eq!(lockfile.packs.len(), 1);
assert_eq!(lockfile.packs[0].version, "1.1.0");
assert_eq!(lockfile.packs[0].digest, "sha256:new");
}
#[test]
fn test_lockfile_remove_pack() {
let mut lockfile = Lockfile::new();
let pack = LockedPack {
name: "my-pack".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:abc".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
};
lockfile.add_pack(pack);
assert!(lockfile.contains("my-pack"));
let removed = lockfile.remove_pack("my-pack");
assert!(removed);
assert!(!lockfile.contains("my-pack"));
let removed_again = lockfile.remove_pack("my-pack");
assert!(!removed_again);
}
#[test]
fn test_lockfile_get_pack() {
let mut lockfile = Lockfile::new();
let pack = LockedPack {
name: "my-pack".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:abc".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
};
lockfile.add_pack(pack);
let found = lockfile.get_pack("my-pack");
assert!(found.is_some());
assert_eq!(found.unwrap().version, "1.0.0");
let not_found = lockfile.get_pack("other-pack");
assert!(not_found.is_none());
}
#[test]
fn test_lockfile_to_yaml() {
let mut lockfile = Lockfile::new();
let pack = LockedPack {
name: "my-pack".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:abc123".to_string(),
source: LockSource::Registry,
registry_url: Some("https://registry.example.com/v1".to_string()),
byos_url: None,
signature: Some(LockSignature {
algorithm: "Ed25519".to_string(),
key_id: "sha256:key123".to_string(),
}),
};
lockfile.add_pack(pack);
let yaml = lockfile.to_yaml().unwrap();
assert!(yaml.contains("version: 2"));
assert!(yaml.contains("my-pack"));
assert!(yaml.contains("sha256:abc123"));
assert!(yaml.contains("Ed25519"));
}
#[test]
fn test_lock_source_serialize() {
let sources = vec![
(LockSource::Bundled, "bundled"),
(LockSource::Registry, "registry"),
(LockSource::Byos, "byos"),
(LockSource::Local, "local"),
];
for (source, expected) in sources {
let yaml = serde_yaml::to_string(&source).unwrap();
assert!(yaml.contains(expected));
}
}
#[test]
fn test_pack_not_in_lockfile() {
let lockfile = Lockfile::new();
assert!(!lockfile.contains("unknown-pack"));
assert!(lockfile.get_pack("unknown-pack").is_none());
assert!(lockfile.pack_names().is_empty());
}
#[test]
fn test_lockfile_v2_roundtrip() {
let mut lockfile = Lockfile::new();
lockfile.add_pack(LockedPack {
name: "pack-z".to_string(),
version: "2.0.0".to_string(),
digest: "sha256:zzz".to_string(),
source: LockSource::Registry,
registry_url: Some("https://registry.example.com/v1".to_string()),
byos_url: None,
signature: Some(LockSignature {
algorithm: "Ed25519".to_string(),
key_id: "sha256:keyzzz".to_string(),
}),
});
lockfile.add_pack(LockedPack {
name: "pack-a".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:aaa".to_string(),
source: LockSource::Bundled,
registry_url: None,
byos_url: None,
signature: None,
});
lockfile.add_pack(LockedPack {
name: "pack-m".to_string(),
version: "1.5.0".to_string(),
digest: "sha256:mmm".to_string(),
source: LockSource::Byos,
registry_url: None,
byos_url: Some("s3://bucket/pack.yaml".to_string()),
signature: None,
});
let yaml = lockfile.to_yaml().unwrap();
let parsed = Lockfile::parse(&yaml).unwrap();
assert_eq!(parsed.version, LOCKFILE_VERSION);
assert_eq!(parsed.packs.len(), 3);
assert_eq!(parsed.packs[0].name, "pack-a");
assert_eq!(parsed.packs[1].name, "pack-m");
assert_eq!(parsed.packs[2].name, "pack-z");
let pack_z = parsed.get_pack("pack-z").unwrap();
assert_eq!(pack_z.version, "2.0.0");
assert_eq!(pack_z.digest, "sha256:zzz");
assert_eq!(pack_z.source, LockSource::Registry);
assert!(pack_z.signature.is_some());
let pack_m = parsed.get_pack("pack-m").unwrap();
assert_eq!(pack_m.byos_url, Some("s3://bucket/pack.yaml".to_string()));
}
#[test]
fn test_lockfile_stable_ordering() {
let mut lockfile = Lockfile::new();
for name in ["zebra", "alpha", "middle", "beta"] {
lockfile.add_pack(LockedPack {
name: name.to_string(),
version: "1.0.0".to_string(),
digest: format!("sha256:{}", name),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
});
}
let names: Vec<&str> = lockfile.pack_names().into_iter().collect();
assert_eq!(names, vec!["alpha", "beta", "middle", "zebra"]);
}
#[test]
fn test_lockfile_digest_mismatch_detection() {
let mut lockfile = Lockfile::new();
lockfile.add_pack(LockedPack {
name: "my-pack".to_string(),
version: "1.0.0".to_string(),
digest: "sha256:expected_digest_here".to_string(),
source: LockSource::Registry,
registry_url: None,
byos_url: None,
signature: None,
});
let locked = lockfile.get_pack("my-pack").unwrap();
let actual_digest = "sha256:different_digest";
let mismatch = LockMismatch {
name: locked.name.clone(),
version: locked.version.clone(),
expected: locked.digest.clone(),
actual: actual_digest.to_string(),
};
assert_ne!(mismatch.expected, mismatch.actual);
assert_eq!(mismatch.expected, "sha256:expected_digest_here");
assert_eq!(mismatch.actual, "sha256:different_digest");
}
#[test]
fn test_lockfile_version_1_rejected() {
let yaml_v1 = r#"
version: 1
generated_at: "2025-01-01T00:00:00Z"
generated_by: "assay-cli/1.0.0"
packs: []
"#;
let result = Lockfile::parse(yaml_v1);
assert!(result.is_ok());
}
#[test]
fn test_lockfile_future_version_rejected() {
let yaml_future = r#"
version: 99
generated_at: "2030-01-01T00:00:00Z"
generated_by: "future-cli/99.0.0"
packs: []
"#;
let result = Lockfile::parse(yaml_future);
assert!(
matches!(result, Err(RegistryError::Lockfile { .. })),
"Should reject future lockfile version"
);
}
#[test]
fn test_lockfile_signature_fields() {
let yaml = r#"
version: 2
generated_at: "2026-01-29T10:00:00Z"
generated_by: "assay-cli/2.10.0"
packs:
- name: signed-pack
version: "1.0.0"
digest: sha256:abc123
source: registry
signature:
algorithm: Ed25519
key_id: sha256:keyid123
"#;
let lockfile = Lockfile::parse(yaml).unwrap();
let pack = lockfile.get_pack("signed-pack").unwrap();
assert!(pack.signature.is_some());
let sig = pack.signature.as_ref().unwrap();
assert_eq!(sig.algorithm, "Ed25519");
assert_eq!(sig.key_id, "sha256:keyid123");
}
}