batpak 0.8.2

Event sourcing with causal graphs and caller-defined gates. Sync API, no async runtime.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

use crate::store::stats::ParentDirSyncEvidence;
use crate::store::{StoreError, SyncMode};
use std::fs::File;
use std::path::Path;

/// Persist `named_temp` as `final_path` with parent-directory fsync.
///
/// The tempfile's contents must already be fsynced by the caller (this
/// function only handles the rename + directory-entry durability). On
/// unix the parent directory is opened and `sync_all`-ed after the
/// rename, so a crash immediately after this returns cannot lose the
/// directory entry that points at the new inode. On non-unix targets
/// `File::sync_all` on a directory is not meaningful, so the parent
/// fsync is skipped — the asymmetry is platform-level, not a shortcut:
/// windows POSIX semantics for directory fsync simply do not exist.
pub(crate) fn persist_temp_with_parent_sync(
    named_temp: tempfile::NamedTempFile,
    final_path: &Path,
    _admission: ParentDirSyncAdmission,
) -> std::io::Result<()> {
    // Fsync the temp file one more time defensively — callers that construct
    // their own NamedTempFile can rely on this helper being the durability
    // boundary.
    {
        let handle = named_temp.as_file();
        handle.sync_all()?;
    }

    named_temp
        .persist(final_path)
        .map_err(|error| error.error)?;

    sync_parent_dir_io(final_path)?;
    Ok(())
}

pub(crate) fn sync_parent_dir(path: &Path) -> Result<(), StoreError> {
    let evidence = crate::store::platform::evidence::parent_dir_sync_evidence();
    let _admission = admit_parent_dir_sync(evidence)?;
    sync_parent_dir_io(path).map_err(StoreError::Io)
}

fn sync_parent_dir_io(path: &Path) -> std::io::Result<()> {
    #[cfg(unix)]
    {
        if let Some(parent) = path.parent() {
            // Opening the parent dir read-only and calling sync_all is the
            // POSIX-idiomatic way to flush the directory entry for the
            // renamed-in file. Without this, a crash after the rename
            // returns can leave the rename itself undone on disk.
            let dir = File::open(parent)?;
            dir.sync_all()?;
        }
    }
    #[cfg(not(unix))]
    {
        // Non-unix: File::sync_all on a directory handle is not meaningful
        // and returns an error on some platforms. The rename itself is
        // the durability point the OS provides here.
        let _path_is_intentionally_unused_on_non_unix = path;
    }
    Ok(())
}

pub(crate) fn sync_file_with_mode(file: &File, mode: &SyncMode) -> Result<(), StoreError> {
    match mode {
        SyncMode::SyncAll => file.sync_all().map_err(StoreError::Io),
        SyncMode::SyncData => file.sync_data().map_err(StoreError::Io),
    }
}

pub(crate) fn sync_file_all_io(file: &File) -> std::io::Result<()> {
    file.sync_all()
}

#[derive(Clone, Copy, Debug)]
pub(crate) struct ParentDirSyncAdmission {
    _private: (),
}

pub(crate) fn admit_parent_dir_sync(
    evidence: ParentDirSyncEvidence,
) -> Result<ParentDirSyncAdmission, StoreError> {
    match evidence {
        ParentDirSyncEvidence::UnixFsync | ParentDirSyncEvidence::RenameOnly => {}
        ParentDirSyncEvidence::Unknown | ParentDirSyncEvidence::ProbeFailed => {
            return Err(StoreError::PlatformAdmissionFailed {
                capability: "parent directory sync",
                reason: format!("parent directory sync evidence {evidence:?} is not admissible"),
            });
        }
    };
    Ok(ParentDirSyncAdmission { _private: () })
}

pub(crate) fn admit_current_parent_dir_sync() -> Result<ParentDirSyncAdmission, StoreError> {
    admit_parent_dir_sync(crate::store::platform::evidence::parent_dir_sync_evidence())
}

#[cfg(all(test, unix))]
mod tests {
    use super::*;
    use std::error::Error;

    #[test]
    fn sync_file_with_mode_surfaces_platform_sync_errors() -> Result<(), Box<dyn Error>> {
        let file = File::open("/dev/null")?;

        assert!(
            matches!(
                sync_file_with_mode(&file, &SyncMode::SyncAll),
                Err(StoreError::Io(_))
            ),
            "PROPERTY: sync_file_with_mode must map platform sync errors to StoreError::Io, not report success"
        );
        Ok(())
    }
}

#[cfg(test)]
mod admission_tests {
    use super::*;

    #[test]
    fn parent_dir_sync_admission_accepts_only_reported_sync_modes() {
        for evidence in [
            ParentDirSyncEvidence::UnixFsync,
            ParentDirSyncEvidence::RenameOnly,
        ] {
            assert!(
                admit_parent_dir_sync(evidence).is_ok(),
                "PROPERTY: parent-dir sync evidence {evidence:?} must be admissible"
            );
        }

        for evidence in [
            ParentDirSyncEvidence::Unknown,
            ParentDirSyncEvidence::ProbeFailed,
        ] {
            assert!(
                matches!(
                    admit_parent_dir_sync(evidence),
                    Err(StoreError::PlatformAdmissionFailed {
                        capability: "parent directory sync",
                        ..
                    })
                ),
                "PROPERTY: parent-dir sync evidence {evidence:?} must reject with a parent-dir admission failure"
            );
        }
    }
}