forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

//! FJ-005: Script generation — dispatch to resource handlers.
//! FJ-036: bashrs purification pipeline integrated (Invariant I8).
//!
//! Each resource type produces three scripts:
//! - check: read current state
//! - apply: converge to desired state
//! - state_query: query observable state for BLAKE3 hashing
//!
//! All scripts can be validated/purified via `core::purifier`.

use crate::core::types::{Resource, ResourceType};
use crate::resources;
use provable_contracts_macros::contract;

/// Generate a check script for a resource.
#[contract("codegen-dispatch-v1", equation = "check_script")]
pub fn check_script(resource: &Resource) -> Result<String, String> {
    // Contract: codegen-dispatch-v1.yaml precondition (pv codegen)
    contract_pre_check_script!(resource);
    match &resource.resource_type {
        ResourceType::Package => Ok(resources::package::check_script(resource)),
        ResourceType::File => Ok(resources::file::check_script(resource)),
        ResourceType::Service => Ok(resources::service::check_script(resource)),
        ResourceType::Mount => Ok(resources::mount::check_script(resource)),
        ResourceType::User => Ok(resources::user::check_script(resource)),
        ResourceType::Docker => Ok(resources::docker::check_script(resource)),
        ResourceType::Cron => Ok(resources::cron::check_script(resource)),
        ResourceType::Network => Ok(resources::network::check_script(resource)),
        ResourceType::Pepita => Ok(resources::pepita::check_script(resource)),
        ResourceType::Model => Ok(resources::model::check_script(resource)),
        ResourceType::Gpu => Ok(resources::gpu::check_script(resource)),
        ResourceType::Task => Ok(resources::task::check_script(resource)),
        ResourceType::WasmBundle => Ok(resources::wasm_bundle::check_script(resource)),
        ResourceType::Image => Ok(resources::file::check_script(resource)),
        ResourceType::Build => Ok(resources::build::check_script(resource)),
        ResourceType::GithubRelease => Ok(resources::github_release::check_script(resource)),
        ResourceType::Recipe => {
            Err("codegen not implemented for recipe (expand first)".to_string())
        }
    }
}

/// Generate an apply script for a resource.
///
/// FJ-1394: If `resource.sudo` is true, wraps the entire script in a sudo
/// heredoc so all commands run with elevated privileges.
#[contract("codegen-dispatch-v1", equation = "apply_script")]
pub fn apply_script(resource: &Resource) -> Result<String, String> {
    // Contract: codegen-dispatch-v1.yaml precondition (pv codegen)
    contract_pre_apply_script!(resource);
    let script = match &resource.resource_type {
        ResourceType::Package => Ok(resources::package::apply_script(resource)),
        ResourceType::File => Ok(resources::file::apply_script(resource)),
        ResourceType::Service => Ok(resources::service::apply_script(resource)),
        ResourceType::Mount => Ok(resources::mount::apply_script(resource)),
        ResourceType::User => Ok(resources::user::apply_script(resource)),
        ResourceType::Docker => Ok(resources::docker::apply_script(resource)),
        ResourceType::Cron => Ok(resources::cron::apply_script(resource)),
        ResourceType::Network => Ok(resources::network::apply_script(resource)),
        ResourceType::Pepita => Ok(resources::pepita::apply_script(resource)),
        ResourceType::Model => Ok(resources::model::apply_script(resource)),
        ResourceType::Gpu => Ok(resources::gpu::apply_script(resource)),
        ResourceType::Task => Ok(resources::task::apply_script(resource)),
        ResourceType::WasmBundle => Ok(resources::wasm_bundle::apply_script(resource)),
        ResourceType::Image => Ok(resources::file::apply_script(resource)),
        ResourceType::Build => Ok(resources::build::apply_script(resource)),
        ResourceType::GithubRelease => Ok(resources::github_release::apply_script(resource)),
        ResourceType::Recipe => {
            Err("codegen not implemented for recipe (expand first)".to_string())
        }
    }?;
    Ok(sudo_wrap(resource, script))
}

/// FJ-1394 / FJ-29: Wrap script with sudo if the resource has `sudo: true`.
///
/// Uses heredoc to pass the script to sudo bash — avoids single-quote escaping
/// that triggers bashrs SC2075 false positives.
fn sudo_wrap(resource: &Resource, script: String) -> String {
    if !resource.sudo {
        return script;
    }
    // Wrap: if already root, run as-is; otherwise elevate via sudo bash with heredoc
    format!(
        "if [ \"$(id -u)\" -eq 0 ]; then\n{script}\nelse\nsudo bash <<'FORJAR_SUDO'\n{script}\nFORJAR_SUDO\nfi"
    )
}

/// Generate a state query script for a resource.
#[contract("codegen-dispatch-v1", equation = "state_query_script")]
pub fn state_query_script(resource: &Resource) -> Result<String, String> {
    // Contract: codegen-dispatch-v1.yaml precondition (pv codegen)
    contract_pre_state_query_script!(resource);
    match &resource.resource_type {
        ResourceType::Package => Ok(resources::package::state_query_script(resource)),
        ResourceType::File => Ok(resources::file::state_query_script(resource)),
        ResourceType::Service => Ok(resources::service::state_query_script(resource)),
        ResourceType::Mount => Ok(resources::mount::state_query_script(resource)),
        ResourceType::User => Ok(resources::user::state_query_script(resource)),
        ResourceType::Docker => Ok(resources::docker::state_query_script(resource)),
        ResourceType::Cron => Ok(resources::cron::state_query_script(resource)),
        ResourceType::Network => Ok(resources::network::state_query_script(resource)),
        ResourceType::Pepita => Ok(resources::pepita::state_query_script(resource)),
        ResourceType::Model => Ok(resources::model::state_query_script(resource)),
        ResourceType::Gpu => Ok(resources::gpu::state_query_script(resource)),
        ResourceType::Task => Ok(resources::task::state_query_script(resource)),
        ResourceType::WasmBundle => Ok(resources::wasm_bundle::state_query_script(resource)),
        ResourceType::Image => Ok(resources::file::state_query_script(resource)),
        ResourceType::Build => Ok(resources::build::state_query_script(resource)),
        ResourceType::GithubRelease => Ok(resources::github_release::state_query_script(resource)),
        ResourceType::Recipe => {
            Err("codegen not implemented for recipe (expand first)".to_string())
        }
    }
}