forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264

//! Phase 96 — Transport Diagnostics & Recipe Governance: validate commands.

use crate::core::types;
use std::collections::HashMap;
use std::path::Path;

// ============================================================================
// FJ-1030: Recipe input completeness
// ============================================================================

/// Check for template variables like `{{inputs.X}}` in resource content fields
/// that don't have a corresponding key in the resource's `inputs` map.
/// Since forjar configs don't have a formal global inputs section, this checks
/// each resource's inline content for `{{inputs.*}}` references and validates
/// them against the resource's own `inputs` field.
pub(crate) fn cmd_validate_check_recipe_input_completeness(
    file: &Path,
    json: bool,
) -> Result<(), String> {
    let content = std::fs::read_to_string(file).map_err(|e| e.to_string())?;
    let config: types::ForjarConfig =
        serde_yaml_ng::from_str(&content).map_err(|e| e.to_string())?;

    let warnings = find_recipe_input_completeness_gaps(&config);

    if json {
        let items: Vec<String> = warnings
            .iter()
            .map(|(name, var)| format!("{{\"resource\":\"{name}\",\"missing_input\":\"{var}\"}}"))
            .collect();
        println!("{{\"recipe_input_warnings\":[{}]}}", items.join(","));
    } else if warnings.is_empty() {
        println!("All template input references are satisfied.");
    } else {
        for (name, var) in &warnings {
            println!(
                "warning: {name} references {{{{inputs.{var}}}}} but no such input is defined"
            );
        }
    }
    Ok(())
}

/// Extract `{{inputs.X}}` references from a string and return the variable names.
pub(crate) fn extract_input_references(text: &str) -> Vec<String> {
    let mut refs = Vec::new();
    let pattern = "{{inputs.";
    let mut search_from = 0;
    while let Some(start) = text[search_from..].find(pattern) {
        let abs_start = search_from + start + pattern.len();
        if let Some(end) = text[abs_start..].find("}}") {
            let var_name = &text[abs_start..abs_start + end];
            if !var_name.is_empty() && var_name.chars().all(|c| c.is_alphanumeric() || c == '_') {
                refs.push(var_name.to_string());
            }
            search_from = abs_start + end + 2;
        } else {
            break;
        }
    }
    refs
}

/// Collect all fields that may contain template references for a resource.
fn collect_templatable_fields(resource: &types::Resource) -> Vec<String> {
    let mut fields = Vec::new();
    if let Some(ref c) = resource.content {
        fields.push(c.clone());
    }
    if let Some(ref p) = resource.path {
        fields.push(p.clone());
    }
    if let Some(ref s) = resource.source {
        fields.push(s.clone());
    }
    if let Some(ref t) = resource.target {
        fields.push(t.clone());
    }
    if let Some(ref cmd) = resource.command {
        fields.push(cmd.clone());
    }
    if let Some(ref w) = resource.when {
        fields.push(w.clone());
    }
    fields
}

/// Returns `(resource_name, missing_variable)` for each unresolved `{{inputs.X}}`
/// reference found in resource template fields.
pub(crate) fn find_recipe_input_completeness_gaps(
    config: &types::ForjarConfig,
) -> Vec<(String, String)> {
    let mut warnings = Vec::new();
    for (name, resource) in &config.resources {
        let defined_keys: std::collections::HashSet<&String> = resource.inputs.keys().collect();
        let fields = collect_templatable_fields(resource);
        for field in &fields {
            for var in extract_input_references(field) {
                if !defined_keys.contains(&var) {
                    warnings.push((name.clone(), var));
                }
            }
        }
    }
    warnings.sort_by(|a, b| a.0.cmp(&b.0).then_with(|| a.1.cmp(&b.1)));
    warnings.dedup();
    warnings
}

// ============================================================================
// FJ-1033: Resource content hash consistency
// ============================================================================

/// Check for resources on different machines that have identical content.
/// This may indicate copy-paste issues or missed parameterization — the same
/// content deployed to multiple machines might need machine-specific tweaks.
pub(crate) fn cmd_validate_check_resource_cross_machine_content_duplicates(
    file: &Path,
    json: bool,
) -> Result<(), String> {
    let content = std::fs::read_to_string(file).map_err(|e| e.to_string())?;
    let config: types::ForjarConfig =
        serde_yaml_ng::from_str(&content).map_err(|e| e.to_string())?;

    let warnings = find_content_hash_duplicates(&config);

    if json {
        let items: Vec<String> = warnings
            .iter()
            .map(|(names, machines, hash)| {
                let name_arr: Vec<String> = names.iter().map(|n| format!("\"{n}\"")).collect();
                let mach_arr: Vec<String> = machines.iter().map(|m| format!("\"{m}\"")).collect();
                format!(
                    "{{\"resources\":[{}],\"machines\":[{}],\"content_hash\":\"{}\"}}",
                    name_arr.join(","),
                    mach_arr.join(","),
                    hash
                )
            })
            .collect();
        println!("{{\"content_hash_warnings\":[{}]}}", items.join(","));
    } else if warnings.is_empty() {
        println!("No cross-machine content duplication detected.");
    } else {
        for (names, machines, _) in &warnings {
            println!(
                "warning: resources [{}] on machines [{}] have identical content",
                names.join(", "),
                machines.join(", ")
            );
        }
    }
    Ok(())
}

/// Simple FNV-1a-style hash for content deduplication (not cryptographic).
pub(crate) fn hash_content(s: &str) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in s.bytes() {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0100_0000_01b3);
    }
    format!("{h:016x}")
}

/// Returns groups of `(resource_names, machine_names, content_hash)` where
/// different resources targeting different machines share identical content.
pub(crate) fn find_content_hash_duplicates(
    config: &types::ForjarConfig,
) -> Vec<(Vec<String>, Vec<String>, String)> {
    // Group by content hash: hash -> Vec<(resource_name, machine_target)>
    let mut by_hash: HashMap<String, Vec<(String, Vec<String>)>> = HashMap::new();

    for (name, resource) in &config.resources {
        if let Some(ref c) = resource.content {
            if c.is_empty() {
                continue;
            }
            let h = hash_content(c);
            let machines: Vec<String> = resource.machine.iter().map(|s| s.to_owned()).collect();
            by_hash.entry(h).or_default().push((name.clone(), machines));
        }
    }

    let mut warnings = Vec::new();
    for (hash, entries) in &by_hash {
        if entries.len() < 2 {
            continue;
        }
        // Collect all unique machine names across entries.
        let all_machines: std::collections::HashSet<&String> =
            entries.iter().flat_map(|(_, ms)| ms.iter()).collect();
        // Only warn if the duplicate content spans more than one distinct machine.
        if all_machines.len() < 2 {
            continue;
        }
        let mut names: Vec<String> = entries.iter().map(|(n, _)| n.clone()).collect();
        names.sort();
        let mut machines: Vec<String> = all_machines.into_iter().cloned().collect();
        machines.sort();
        warnings.push((names, machines, hash.clone()));
    }
    warnings.sort_by(|a, b| a.0.cmp(&b.0));
    warnings
}

// ============================================================================
// FJ-1036: Resource machine affinity
// ============================================================================

/// Check that every resource's `machine` field references a machine that is
/// actually defined in the config's `machines` section. Resources targeting
/// undefined machines will fail at apply time.
pub(crate) fn cmd_validate_check_resource_machine_reference_validity(
    file: &Path,
    json: bool,
) -> Result<(), String> {
    let content = std::fs::read_to_string(file).map_err(|e| e.to_string())?;
    let config: types::ForjarConfig =
        serde_yaml_ng::from_str(&content).map_err(|e| e.to_string())?;

    let warnings = find_machine_affinity_violations(&config);

    if json {
        let items: Vec<String> = warnings
            .iter()
            .map(|(name, machine)| {
                format!("{{\"resource\":\"{name}\",\"undefined_machine\":\"{machine}\"}}")
            })
            .collect();
        println!("{{\"machine_affinity_warnings\":[{}]}}", items.join(","));
    } else if warnings.is_empty() {
        println!("All resource machine references are valid.");
    } else {
        for (name, machine) in &warnings {
            println!(
                "warning: {name} targets machine '{machine}' which is not defined in machines section"
            );
        }
    }
    Ok(())
}

/// Returns `(resource_name, undefined_machine)` for each resource referencing
/// a machine that does not exist in the config's `machines` map.
/// The sentinel value `localhost` is always considered valid.
fn find_machine_affinity_violations(config: &types::ForjarConfig) -> Vec<(String, String)> {
    let defined: std::collections::HashSet<&str> =
        config.machines.keys().map(|k| k.as_str()).collect();
    let mut warnings = Vec::new();

    for (name, resource) in &config.resources {
        for target in resource.machine.iter() {
            if target == "localhost" {
                continue;
            }
            if !defined.contains(target) {
                warnings.push((name.clone(), target.to_owned()));
            }
        }
    }
    warnings.sort_by(|a, b| a.0.cmp(&b.0).then_with(|| a.1.cmp(&b.1)));
    warnings
}