forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265

//! FJ-1360: Cache SSH execution.
//!
//! Bridges the substitution protocol → actual SSH rsync transport.
//! Handles pull/push to SSH caches, hash verification, and the
//! full substitution protocol execution with I/O.

use super::cache::CacheSource;
use super::substitution::{SubstitutionOutcome, SubstitutionPlan, SubstitutionStep};
use crate::core::types::Machine;
use crate::transport;
use std::path::Path;

/// Result of pulling from a cache source.
#[derive(Debug, Clone)]
pub struct CachePullResult {
    /// Store hash that was pulled
    pub store_hash: String,
    /// Local store path after pull
    pub store_path: String,
    /// Bytes transferred
    pub bytes_transferred: u64,
    /// Whether the hash was verified after pull
    pub verified: bool,
}

/// Pull a store entry from an SSH cache to the local store.
///
/// 1. rsync to a temp staging directory
/// 2. Verify hash (BLAKE3)
/// 3. Atomic rename to final store location
pub fn pull_from_cache(
    source: &CacheSource,
    store_hash: &str,
    store_dir: &Path,
    machine: &Machine,
    timeout_secs: Option<u64>,
) -> Result<CachePullResult, String> {
    let hash_bare = store_hash.strip_prefix("blake3:").unwrap_or(store_hash);
    let target = store_dir.join(hash_bare);
    let staging = store_dir.join(format!(".staging-{hash_bare}"));

    // Generate pull command
    let pull_cmd = pull_command(source, store_hash, &staging);

    // Execute rsync/cp
    let output = transport::exec_script_timeout(machine, &pull_cmd, timeout_secs)
        .map_err(|e| format!("cache pull failed: {e}"))?;

    if !output.success() {
        let _ = std::fs::remove_dir_all(&staging);
        return Err(format!(
            "cache pull exit code {}: {}",
            output.exit_code,
            output.stderr.trim()
        ));
    }

    // Verify via hash of pulled content
    let verified = verify_pulled_content(&staging, store_hash);

    // Atomic move to store
    if target.exists() {
        // Already exists (race condition safe — content-addressed = idempotent)
        let _ = std::fs::remove_dir_all(&staging);
    } else {
        std::fs::rename(&staging, &target).map_err(|e| {
            let _ = std::fs::remove_dir_all(&staging);
            format!("atomic move staging → store: {e}")
        })?;
    }

    let bytes = super::gc_exec::dir_size(&target);

    Ok(CachePullResult {
        store_hash: store_hash.to_string(),
        store_path: target.display().to_string(),
        bytes_transferred: bytes,
        verified,
    })
}

/// Push a local store entry to an SSH cache.
pub fn push_to_cache(
    source: &CacheSource,
    store_hash: &str,
    store_dir: &Path,
    machine: &Machine,
    timeout_secs: Option<u64>,
) -> Result<(), String> {
    let push_cmd = push_command(source, store_hash, store_dir);

    let output = transport::exec_script_timeout(machine, &push_cmd, timeout_secs)
        .map_err(|e| format!("cache push failed: {e}"))?;

    if !output.success() {
        return Err(format!(
            "cache push exit code {}: {}",
            output.exit_code,
            output.stderr.trim()
        ));
    }

    Ok(())
}

/// Verify a remote cache entry by checking if it exists.
pub fn verify_remote_entry(
    source: &CacheSource,
    store_hash: &str,
    machine: &Machine,
) -> Result<bool, String> {
    let check_cmd = remote_check_command(source, store_hash);
    let output = transport::exec_script_timeout(machine, &check_cmd, Some(30))
        .map_err(|e| format!("remote verify: {e}"))?;
    Ok(output.success())
}

/// Execute the full substitution protocol with I/O.
///
/// Runs the substitution plan: local check → cache pull → build → push.
/// Returns the store path of the resolved entry.
pub fn execute_substitution(
    plan: &SubstitutionPlan,
    machine: &Machine,
    store_dir: &Path,
    timeout_secs: Option<u64>,
) -> Result<String, String> {
    match &plan.outcome {
        SubstitutionOutcome::LocalHit { store_path } => Ok(store_path.clone()),

        SubstitutionOutcome::CacheHit { source, store_hash } => {
            // Find the SSH source from the plan steps
            let cache_source = extract_cache_source_from_plan(plan)
                .ok_or("cache hit but no SSH source in plan")?;

            let result =
                pull_from_cache(&cache_source, store_hash, store_dir, machine, timeout_secs)?;

            if !result.verified {
                return Err(format!("cache pull from {source} failed hash verification"));
            }

            Ok(result.store_path)
        }

        SubstitutionOutcome::CacheMiss { store_hash } => {
            // Build from scratch not handled here — caller must build.
            // We return an error indicating the caller should invoke the build pipeline.
            Err(format!(
                "cache miss for {store_hash}: build required (use sandbox_run)"
            ))
        }
    }
}

/// Generate the rsync pull command for a cache source.
pub fn pull_command(source: &CacheSource, hash: &str, staging: &Path) -> String {
    let hash_bare = hash.strip_prefix("blake3:").unwrap_or(hash);
    match source {
        CacheSource::Ssh {
            host,
            user,
            path,
            port,
        } => {
            let port_flag = port.map_or(String::new(), |p| format!(" -p {p}"));
            format!(
                "mkdir -p '{}' && rsync -az -e 'ssh{port_flag}' '{user}@{host}:{path}/{hash_bare}/' '{}'",
                staging.display(),
                staging.display()
            )
        }
        CacheSource::Local { path } => {
            format!(
                "mkdir -p '{}' && cp -a '{path}/{hash_bare}/.' '{}'",
                staging.display(),
                staging.display()
            )
        }
    }
}

/// Generate the rsync push command for a cache source.
pub fn push_command(source: &CacheSource, hash: &str, store_dir: &Path) -> String {
    let hash_bare = hash.strip_prefix("blake3:").unwrap_or(hash);
    match source {
        CacheSource::Ssh {
            host,
            user,
            path,
            port,
        } => {
            let port_flag = port.map_or(String::new(), |p| format!(" -p {p}"));
            format!(
                "rsync -az -e 'ssh{port_flag}' '{}/{hash_bare}/' '{user}@{host}:{path}/{hash_bare}/'",
                store_dir.display()
            )
        }
        CacheSource::Local { path } => {
            format!(
                "cp -a '{}/{hash_bare}' '{path}/{hash_bare}'",
                store_dir.display()
            )
        }
    }
}

/// Generate SSH command to check if an entry exists remotely.
fn remote_check_command(source: &CacheSource, hash: &str) -> String {
    let hash_bare = hash.strip_prefix("blake3:").unwrap_or(hash);
    match source {
        CacheSource::Ssh {
            host,
            user,
            path,
            port,
        } => {
            let port_flag = port.map_or(String::new(), |p| format!(" -p {p}"));
            format!("ssh{port_flag} '{user}@{host}' test -d '{path}/{hash_bare}'")
        }
        CacheSource::Local { path } => {
            format!("test -d '{path}/{hash_bare}'")
        }
    }
}

/// Verify pulled content matches expected hash via BLAKE3 re-hash.
fn verify_pulled_content(staging: &Path, expected_hash: &str) -> bool {
    let content_dir = staging.join("content");
    let dir_to_hash = if content_dir.is_dir() {
        &content_dir
    } else {
        staging
    };
    match crate::tripwire::hasher::hash_directory(dir_to_hash) {
        Ok(actual) => {
            let expected = if expected_hash.starts_with("blake3:") {
                expected_hash.to_string()
            } else {
                format!("blake3:{expected_hash}")
            };
            actual == expected
        }
        Err(_) => false,
    }
}

/// Extract the CacheSource from a substitution plan's pull step.
fn extract_cache_source_from_plan(plan: &SubstitutionPlan) -> Option<CacheSource> {
    for step in &plan.steps {
        if let SubstitutionStep::PullFromCache { source, .. } = step {
            // Parse "user@host" back into a CacheSource
            let parts: Vec<&str> = source.splitn(2, '@').collect();
            if parts.len() == 2 {
                return Some(CacheSource::Ssh {
                    host: parts[1].to_string(),
                    user: parts[0].to_string(),
                    path: "/var/lib/forjar/cache".to_string(),
                    port: None,
                });
            }
        }
    }
    None
}