forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

//! Validation of resource references, machine config, and expansion fields.

use super::*;

/// Check a reference (depends_on or triggers) against config, allowing expandable resources.
fn validate_ref(
    config: &ForjarConfig,
    id: &str,
    ref_id: &str,
    ref_type: &str,
    errors: &mut Vec<ValidationError>,
) {
    // Skip deps containing {{item}} or {{index}} — they resolve after for_each/count expansion.
    if ref_id.contains("{{item}}") || ref_id.contains("{{index}}") {
        return;
    }
    if !config.resources.contains_key(ref_id) {
        let will_expand = config
            .resources
            .get(ref_id)
            .map(|r| r.count.is_some() || r.for_each.is_some())
            .unwrap_or(false);
        if !will_expand {
            errors.push(ValidationError {
                message: format!("resource '{id}' {ref_type} unknown resource '{ref_id}'"),
            });
        }
    }
    if ref_id == id {
        errors.push(ValidationError {
            message: format!("resource '{id}' {ref_type} itself"),
        });
    }
}

/// Validate machine and dependency references for a single resource.
pub(super) fn validate_resource_refs(
    config: &ForjarConfig,
    id: &str,
    resource: &Resource,
    errors: &mut Vec<ValidationError>,
) {
    for machine_name in resource.machine.iter() {
        if !config.machines.contains_key(machine_name) && machine_name != "localhost" {
            errors.push(ValidationError {
                message: format!("resource '{id}' references unknown machine '{machine_name}'"),
            });
        }
    }

    for arch in &resource.arch {
        if !KNOWN_ARCHITECTURES.contains(&arch.as_str()) {
            errors.push(ValidationError {
                message: format!(
                    "resource '{}' has unknown arch '{}' (expected one of: {})",
                    id,
                    arch,
                    KNOWN_ARCHITECTURES.join(", ")
                ),
            });
        }
    }

    for dep in &resource.depends_on {
        validate_ref(config, id, dep, "depends on", errors);
    }

    for trigger in &resource.triggers {
        validate_ref(config, id, trigger, "triggers on", errors);
    }

    if resource.count.is_some() && resource.for_each.is_some() {
        errors.push(ValidationError {
            message: format!("resource '{id}' cannot have both 'count' and 'for_each'"),
        });
    }
    if let Some(count) = resource.count {
        if count == 0 {
            errors.push(ValidationError {
                message: format!("resource '{id}' has count: 0 (must be >= 1)"),
            });
        }
    }
    if let Some(ref items) = resource.for_each {
        if items.is_empty() {
            errors.push(ValidationError {
                message: format!("resource '{id}' has empty for_each list"),
            });
        }
    }
}

/// Validate machine configuration (container transport rules, arch).
pub(super) fn validate_machine(key: &str, machine: &Machine, errors: &mut Vec<ValidationError>) {
    // FJ-064: Validate machine arch
    if !KNOWN_ARCHITECTURES.contains(&machine.arch.as_str()) {
        errors.push(ValidationError {
            message: format!(
                "machine '{}' has unknown arch '{}' (expected one of: {})",
                key,
                machine.arch,
                KNOWN_ARCHITECTURES.join(", ")
            ),
        });
    }

    if machine.is_container_transport() && machine.container.is_none() {
        errors.push(ValidationError {
            message: format!(
                "machine '{key}' uses container transport but has no 'container' block"
            ),
        });
    }

    if let Some(ref container) = machine.container {
        if container.runtime != "docker" && container.runtime != "podman" {
            errors.push(ValidationError {
                message: format!(
                    "machine '{}' container runtime must be 'docker' or 'podman', got '{}'",
                    key, container.runtime
                ),
            });
        }
        if container.ephemeral && container.image.is_none() {
            errors.push(ValidationError {
                message: format!("machine '{key}' is ephemeral but has no container image"),
            });
        }
    }
}