forjar 1.4.2

Rust-native Infrastructure as Code — bare-metal first, BLAKE3 state, provenance tracing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232

//! FJ-1328: Recipe conversion strategy.
//!
//! Automates the 5-step conversion ladder for making recipes reproducible:
//! 1. Add version pins to all packages
//! 2. Add `store: true` to cacheable resources
//! 3. Generate `forjar.inputs.lock.yaml`
//! 4. Add `sandbox:` blocks (manual step — reported only)
//! 5. Replace imperative hooks (manual step — reported only)

use super::purity::PurityLevel;
use serde::{Deserialize, Serialize};

/// A single resource's conversion analysis.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct ResourceConversion {
    /// Resource name
    pub name: String,

    /// Provider (apt, cargo, nix, etc.)
    pub provider: String,

    /// Current purity level
    pub current_purity: PurityLevel,

    /// Target purity level after automated steps
    pub target_purity: PurityLevel,

    /// Automated changes to apply
    pub auto_changes: Vec<ConversionChange>,

    /// Manual changes required (reported but not applied)
    pub manual_changes: Vec<String>,
}

/// A single automated change.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct ConversionChange {
    /// Type of change
    pub change_type: ChangeType,
    /// Human-readable description
    pub description: String,
}

/// Types of automated conversion changes.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub enum ChangeType {
    /// Add version pin (step 1)
    AddVersionPin,
    /// Enable store (step 2)
    EnableStore,
    /// Generate lock file entry (step 3)
    GenerateLockPin,
}

/// Signals from a recipe resource for conversion analysis.
#[derive(Debug, Clone)]
pub struct ConversionSignals {
    /// Resource name.
    pub name: String,
    /// Whether the resource has a version pin.
    pub has_version: bool,
    /// Whether the resource uses the content store.
    pub has_store: bool,
    /// Whether the resource has sandbox isolation.
    pub has_sandbox: bool,
    /// Whether a curl|bash pattern was detected.
    pub has_curl_pipe: bool,
    /// Package provider (e.g., "apt", "cargo").
    pub provider: String,
    /// Currently pinned version, if any.
    pub current_version: Option<String>,
}

/// Overall conversion report for a recipe.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct ConversionReport {
    /// Resource conversions
    pub resources: Vec<ResourceConversion>,

    /// Count of automated changes
    pub auto_change_count: usize,

    /// Count of manual changes needed
    pub manual_change_count: usize,

    /// Current overall purity
    pub current_purity: PurityLevel,

    /// Projected purity after automated steps
    pub projected_purity: PurityLevel,
}

/// Analyze a set of resources and produce conversion recommendations.
pub fn analyze_conversion(signals: &[ConversionSignals]) -> ConversionReport {
    let mut resources = Vec::new();
    let mut auto_count = 0;
    let mut manual_count = 0;

    for sig in signals {
        let conv = analyze_resource(sig);
        auto_count += conv.auto_changes.len();
        manual_count += conv.manual_changes.len();
        resources.push(conv);
    }

    let current_levels: Vec<PurityLevel> = resources.iter().map(|r| r.current_purity).collect();
    let projected_levels: Vec<PurityLevel> = resources.iter().map(|r| r.target_purity).collect();

    let current_purity = worst_purity(&current_levels);
    let projected_purity = worst_purity(&projected_levels);

    ConversionReport {
        resources,
        auto_change_count: auto_count,
        manual_change_count: manual_count,
        current_purity,
        projected_purity,
    }
}

fn analyze_resource(sig: &ConversionSignals) -> ResourceConversion {
    let mut auto_changes = Vec::new();
    let mut manual_changes = Vec::new();

    // Step 1: Version pin
    if !sig.has_version {
        auto_changes.push(ConversionChange {
            change_type: ChangeType::AddVersionPin,
            description: format!("Add version pin to {} ({})", sig.name, sig.provider),
        });
    }

    // Step 2: Enable store
    if !sig.has_store && is_cacheable_provider(&sig.provider) {
        auto_changes.push(ConversionChange {
            change_type: ChangeType::EnableStore,
            description: format!("Add store: true to {}", sig.name),
        });
    }

    // Step 3: Lock file pin
    if !sig.has_store {
        auto_changes.push(ConversionChange {
            change_type: ChangeType::GenerateLockPin,
            description: format!("Generate lock file entry for {}", sig.name),
        });
    }

    // Step 4: Sandbox (manual)
    if !sig.has_sandbox && !sig.has_curl_pipe {
        manual_changes.push(format!(
            "Add sandbox: block to {} for full purity",
            sig.name
        ));
    }

    // Step 5: Replace curl|bash (manual)
    if sig.has_curl_pipe {
        manual_changes.push(format!(
            "Replace curl|bash pattern in {} with declarative resource",
            sig.name
        ));
    }

    let current = classify_purity(sig);
    let target = projected_purity_after_auto(sig, &auto_changes);

    ResourceConversion {
        name: sig.name.clone(),
        provider: sig.provider.clone(),
        current_purity: current,
        target_purity: target,
        auto_changes,
        manual_changes,
    }
}

fn classify_purity(sig: &ConversionSignals) -> PurityLevel {
    if sig.has_curl_pipe {
        return PurityLevel::Impure;
    }
    if sig.has_version && sig.has_store && sig.has_sandbox {
        return PurityLevel::Pure;
    }
    if sig.has_version && sig.has_store {
        return PurityLevel::Pinned;
    }
    PurityLevel::Constrained
}

fn projected_purity_after_auto(
    sig: &ConversionSignals,
    changes: &[ConversionChange],
) -> PurityLevel {
    if sig.has_curl_pipe {
        return PurityLevel::Impure;
    }

    let will_have_version = sig.has_version
        || changes
            .iter()
            .any(|c| c.change_type == ChangeType::AddVersionPin);
    let will_have_store = sig.has_store
        || changes
            .iter()
            .any(|c| c.change_type == ChangeType::EnableStore);

    if will_have_version && will_have_store && sig.has_sandbox {
        PurityLevel::Pure
    } else if will_have_version && will_have_store {
        PurityLevel::Pinned
    } else {
        PurityLevel::Constrained
    }
}

fn is_cacheable_provider(provider: &str) -> bool {
    matches!(provider, "apt" | "cargo" | "uv" | "nix" | "docker" | "pip")
}

fn worst_purity(levels: &[PurityLevel]) -> PurityLevel {
    levels
        .iter()
        .max_by_key(|l| match l {
            PurityLevel::Pure => 0,
            PurityLevel::Pinned => 1,
            PurityLevel::Constrained => 2,
            PurityLevel::Impure => 3,
        })
        .copied()
        .unwrap_or(PurityLevel::Pure)
}