cfgd-core 0.4.0

Core library for cfgd — shared types, providers, reconciler, state
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301

use super::*;
use crate::PathDisplayExt;

// --- Sync Handler ---

/// Returns true if changes were detected during sync.
///
/// Async because state mutation goes through `tokio::sync::Mutex`. The
/// blocking git operations (pull/push) are dispatched via `spawn_blocking`
/// internally so callers may invoke `handle_sync` from any async context
/// without deadlock risk.
pub(crate) async fn handle_sync(
    repo_path: &Path,
    auto_pull: bool,
    auto_push: bool,
    source_name: &str,
    state: &Arc<Mutex<DaemonState>>,
    require_signed_commits: bool,
    allow_unsigned: bool,
) -> bool {
    let timestamp = crate::utc_now_iso8601();
    let mut changes = false;

    if auto_pull {
        let repo = repo_path.to_path_buf();
        let pull_result = tokio::task::spawn_blocking(move || git_pull(&repo)).await;
        match pull_result {
            Ok(Ok(true)) => {
                // Verify signature on new HEAD after pull if required
                if require_signed_commits && !allow_unsigned {
                    let src = source_name.to_string();
                    let repo = repo_path.to_path_buf();
                    let verify_result = tokio::task::spawn_blocking(move || {
                        crate::sources::verify_head_signature(&src, &repo)
                    })
                    .await;
                    match verify_result {
                        Ok(Ok(())) => {}
                        Ok(Err(e)) => {
                            tracing::error!(
                                source = %source_name,
                                error = %e,
                                "sync: signature verification failed after pull"
                            );
                            // Don't treat this as "changes" — the content is untrusted
                            return false;
                        }
                        Err(e) => {
                            tracing::error!(
                                source = %source_name,
                                error = %e,
                                "sync: signature verification task panicked"
                            );
                            return false;
                        }
                    }
                }
                tracing::info!("sync: pulled new changes from remote");
                changes = true;
            }
            Ok(Ok(false)) => tracing::debug!("sync: already up to date"),
            Ok(Err(e)) => tracing::warn!(error = %e, "sync: pull failed"),
            Err(e) => tracing::error!(error = %e, "sync: pull task panicked"),
        }
    }

    if auto_push {
        let repo = repo_path.to_path_buf();
        let push_result = tokio::task::spawn_blocking(move || git_auto_commit_push(&repo)).await;
        match push_result {
            Ok(Ok(true)) => tracing::info!("sync: pushed local changes to remote"),
            Ok(Ok(false)) => tracing::debug!("sync: nothing to push"),
            Ok(Err(e)) => tracing::warn!(error = %e, "sync: push failed"),
            Err(e) => tracing::error!(error = %e, "sync: push task panicked"),
        }
    }

    {
        let mut st = state.lock().await;
        st.last_sync = Some(timestamp.clone());
        for s in &mut st.sources {
            if s.name == source_name {
                s.last_sync = Some(timestamp.clone());
            }
        }
    }

    changes
}

// --- Version Check Handler ---

/// Async because state mutation goes through `tokio::sync::Mutex` and the
/// blocking HTTP probe is dispatched via `spawn_blocking` internally.
pub(crate) async fn handle_version_check(
    state: &Arc<Mutex<DaemonState>>,
    notifier: &Arc<Notifier>,
) {
    tracing::info!("checking for cfgd updates");

    // Propagate the test-home thread-local across the spawn_blocking boundary;
    // the cache lookup in `check_with_cache` reads it to redirect $HOME away
    // from real filesystem during tests. No-op in production.
    let test_home = crate::test_home_override();
    let check_result = tokio::task::spawn_blocking(move || {
        let _guard = test_home.as_deref().map(crate::with_test_home_guard);
        crate::upgrade::check_with_cache(None, None)
    })
    .await;

    let check = match check_result {
        Ok(Ok(c)) => c,
        Ok(Err(e)) => {
            tracing::warn!(error = %e, "version check failed");
            return;
        }
        Err(e) => {
            tracing::error!(error = %e, "version check task panicked");
            return;
        }
    };

    if !check.update_available {
        tracing::debug!(
            version = %check.current,
            "cfgd is up to date"
        );
        return;
    }

    let version_str = check.latest.to_string();
    tracing::info!(
        current = %check.current,
        latest = %check.latest,
        "update available"
    );

    // Check if we already notified about this version + record it.
    let already_notified = {
        let mut st = state.lock().await;
        let already = st.update_available.as_deref() == Some(version_str.as_str());
        st.update_available = Some(version_str.clone());
        already
    };

    if !already_notified {
        notifier.notify(
            "cfgd: update available",
            &format!(
                "Version {} is available (current: {}). Run 'cfgd upgrade' to update.",
                version_str, check.current
            ),
        );
    }
}

// --- Compliance Snapshot Handler ---

pub(crate) fn handle_compliance_snapshot(
    config_path: &Path,
    profile_override: Option<&str>,
    hooks: &dyn DaemonHooks,
    compliance_cfg: &config::ComplianceConfig,
    state_dir_override: Option<&Path>,
) {
    tracing::info!("running compliance snapshot");

    let cfg = match config::load_config(config_path) {
        Ok(c) => c,
        Err(e) => {
            tracing::error!(error = %e, "compliance: config load failed");
            return;
        }
    };

    let config_dir = config_path
        .parent()
        .unwrap_or_else(|| Path::new("."))
        .to_path_buf();
    let profiles_dir = config_dir.join("profiles");
    let profile_name = match profile_override.or(cfg.spec.profile.as_deref()) {
        Some(p) => p,
        None => {
            tracing::error!("compliance: no profile configured — skipping");
            return;
        }
    };

    let resolved = match config::resolve_profile(profile_name, &profiles_dir) {
        Ok(r) => r,
        Err(e) => {
            tracing::error!(error = %e, "compliance: profile resolution failed");
            return;
        }
    };

    let mut registry = hooks.build_registry(&cfg);
    hooks.extend_registry_custom_managers(&mut registry, &resolved.merged.packages);

    let source_names: Vec<String> = std::iter::once("local".to_string())
        .chain(cfg.spec.sources.iter().map(|s| s.name.clone()))
        .collect();

    let snapshot = match crate::compliance::collect_snapshot(
        profile_name,
        &resolved.merged,
        &registry,
        &compliance_cfg.scope,
        &source_names,
    ) {
        Ok(s) => s,
        Err(e) => {
            tracing::error!(error = %e, "compliance: snapshot collection failed");
            return;
        }
    };

    // Serialize for hashing and storage
    let json = match serde_json::to_string_pretty(&snapshot) {
        Ok(j) => j,
        Err(e) => {
            tracing::error!(error = %e, "compliance: snapshot serialization failed");
            return;
        }
    };

    let hash = crate::sha256_hex(json.as_bytes());

    let store = match state_dir_override {
        Some(d) => {
            std::fs::create_dir_all(d).ok();
            match StateStore::open(&d.join("cfgd.db")) {
                Ok(s) => s,
                Err(e) => {
                    tracing::error!(error = %e, "compliance: state store error");
                    return;
                }
            }
        }
        None => match StateStore::open_default() {
            Ok(s) => s,
            Err(e) => {
                tracing::error!(error = %e, "compliance: state store error");
                return;
            }
        },
    };

    // Only store if state actually changed
    let latest_hash = match store.latest_compliance_hash() {
        Ok(h) => h,
        Err(e) => {
            tracing::warn!(error = %e, "compliance: failed to query latest hash");
            None
        }
    };

    if latest_hash.as_deref() == Some(&hash) {
        tracing::debug!("compliance: no state change, skipping snapshot");
        return;
    }

    // Store the new snapshot
    if let Err(e) = store.store_compliance_snapshot(&snapshot, &hash) {
        tracing::error!(error = %e, "compliance: failed to store snapshot");
        return;
    }

    tracing::info!(
        compliant = snapshot.summary.compliant,
        warning = snapshot.summary.warning,
        violation = snapshot.summary.violation,
        "compliance snapshot stored"
    );

    // Export if configured
    match crate::compliance::export_snapshot_to_file(&snapshot, &compliance_cfg.export) {
        Ok(file_path) => {
            tracing::info!(path = %file_path.posix(), "compliance snapshot exported");
        }
        Err(e) => {
            tracing::error!(error = %e, "compliance: failed to export snapshot");
            return;
        }
    }

    // Prune old snapshots based on retention
    if let Ok(retention_dur) = crate::parse_duration_str(&compliance_cfg.retention) {
        let cutoff_secs = crate::unix_secs_now().saturating_sub(retention_dur.as_secs());
        let cutoff_str = crate::unix_secs_to_iso8601(cutoff_secs);
        match store.prune_compliance_snapshots(&cutoff_str) {
            Ok(deleted) if deleted > 0 => {
                tracing::info!(deleted = deleted, "compliance: pruned old snapshots");
            }
            Ok(_) => {}
            Err(e) => {
                tracing::warn!(error = %e, "compliance: failed to prune snapshots");
            }
        }
    }
}