forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

//! FJ-118: `reseal` subcommand — regenerate BLAKE3 integrity sidecars from
//! current lock contents without running a full apply.
//!
//! Use when `forjar apply` reports `integrity check failed for <X>: expected
//! <old>, got <new>` after a partial write (old forjar versions silently
//! discarded sidecar-write errors) or after a `git checkout` / merge that
//! restored one file without the other.

use super::helpers_state::list_state_machines;
use std::path::{Path, PathBuf};

/// Collect the target list for `reseal`.
fn collect_targets(
    state_dir: &Path,
    file: Option<PathBuf>,
    all: bool,
    machine: Option<String>,
) -> Result<Vec<PathBuf>, String> {
    if let Some(f) = file {
        if !f.exists() {
            return Err(format!("file not found: {}", f.display()));
        }
        return Ok(vec![f]);
    }
    if let Some(m) = machine {
        let p = state_dir.join(&m).join("state.lock.yaml");
        if !p.exists() {
            return Err(format!("no lock file for machine {m} at {}", p.display()));
        }
        return Ok(vec![p]);
    }
    if all {
        return collect_all_targets(state_dir);
    }
    Err("reseal requires one of --file, --machine, or --all".into())
}

/// Walk state_dir for every machine's lock file + global lock.
fn collect_all_targets(state_dir: &Path) -> Result<Vec<PathBuf>, String> {
    if !state_dir.exists() {
        return Err(format!("state dir not found: {}", state_dir.display()));
    }
    let mut targets: Vec<PathBuf> = list_state_machines(state_dir)?
        .iter()
        .map(|m| state_dir.join(m).join("state.lock.yaml"))
        .filter(|p| p.exists())
        .collect();
    let global = state_dir.join("forjar.lock.yaml");
    if global.exists() {
        targets.push(global);
    }
    Ok(targets)
}

/// Reseal a single target. YAML-parses the lock first so a corrupt file
/// cannot be silently blessed with a fresh sidecar. Returns `true` if
/// the sidecar was resealed (or would be under --dry-run), `false` if
/// the sidecar write failed but the lock was valid.
fn reseal_one(target: &Path, dry_run: bool) -> Result<bool, String> {
    use crate::core::state::integrity;

    let bytes =
        std::fs::read(target).map_err(|e| format!("cannot read {}: {}", target.display(), e))?;
    serde_yaml_ng::from_slice::<serde_yaml_ng::Value>(&bytes)
        .map_err(|e| format!("{} is not valid YAML: {}", target.display(), e))?;

    if dry_run {
        println!("[dry-run] would reseal {}", target.display());
        return Ok(true);
    }

    match integrity::write_b3_sidecar(target) {
        Ok(()) => {
            println!("resealed {}", target.display());
            Ok(true)
        }
        Err(e) => {
            eprintln!("skip {}: {}", target.display(), e);
            Ok(false)
        }
    }
}

/// Regenerate BLAKE3 integrity sidecars from current lock contents.
pub(crate) fn cmd_reseal(
    state_dir: &Path,
    file: Option<PathBuf>,
    all: bool,
    machine: Option<String>,
    dry_run: bool,
) -> Result<(), String> {
    let targets = collect_targets(state_dir, file, all, machine)?;
    if targets.is_empty() {
        println!("nothing to reseal");
        return Ok(());
    }

    let mut resealed = 0usize;
    let mut skipped = 0usize;
    for target in &targets {
        if reseal_one(target, dry_run)? {
            resealed += 1;
        } else {
            skipped += 1;
        }
    }

    println!(
        "{}{resealed} resealed, {skipped} skipped",
        if dry_run { "[dry-run] " } else { "" },
    );
    if skipped > 0 {
        return Err(format!("{skipped} sidecar(s) failed to write"));
    }
    Ok(())
}