1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
//! Persistent configuration for Runtimo.
//!
//! Reads/writes a TOML config file at `~/.config/runtimo/config.toml`.
//! Allowed path prefixes are merged from three sources (lowest to highest priority):
//! 1. Built-in defaults (`/tmp`, `/var/tmp`, `/home`)
//! 2. `RUNTIMO_ALLOWED_PATHS` env var (colon-separated)
//! 3. Config file `allowed_paths` array
//! 4. Context-specific prefixes (programmatic override)
use serde::{Deserialize, Serialize};
use std::path::PathBuf;
/// Built-in default allowed prefixes.
const DEFAULT_PREFIXES: &[&str] = &["/tmp", "/var/tmp", "/home"];
/// Runtimo persistent configuration.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[allow(clippy::exhaustive_structs)]
pub struct RuntimoConfig {
/// Additional allowed path prefixes (merged with defaults + env var).
#[serde(default)]
pub allowed_paths: Vec<String>,
}
impl RuntimoConfig {
/// Returns the config file path following XDG spec.
///
/// Uses `XDG_CONFIG_HOME` if set, otherwise `~/.config/runtimo/config.toml`.
///
/// Falls back to `/tmp/runtimo/config.toml` with a stderr warning when
/// neither `XDG_CONFIG_HOME` nor `HOME` is set. Configuration in `/tmp`
/// is not persistent across reboots.
pub fn config_path() -> PathBuf {
let base = std::env::var("XDG_CONFIG_HOME")
.ok()
.map(PathBuf::from)
.or_else(|| {
std::env::var("HOME")
.ok()
.map(|h| PathBuf::from(h).join(".config"))
});
if let Some(dir) = base {
dir.join("runtimo/config.toml")
} else {
eprintln!(
"[runtimo] Warning: XDG_CONFIG_HOME and HOME unset — using /tmp/runtimo \
(config will not survive reboot)"
);
PathBuf::from("/tmp/runtimo/config.toml")
}
}
/// Loads config from disk, returning defaults if the file doesn't exist or is invalid.
///
/// Logs a warning to stderr when the file exists but cannot be read or parsed.
/// Prefer [`Self::load_result`] for new code — it propagates errors so callers can
/// distinguish "file doesn't exist" from "file is corrupt."
#[must_use]
pub fn load() -> Self {
match Self::load_result() {
Ok(config) => config,
Err(e) => {
eprintln!("[runtimo] Config load failed (using defaults): {}", e);
Self::default()
}
}
}
/// Loads config from disk, propagating read and parse errors.
///
/// # Input
///
/// Reads from the path returned by [`Self::config_path`] if it exists.
///
/// # Output
///
/// `Ok(RuntimoConfig)` — Successfully deserialized config, or default if file doesn't exist.
///
/// # Errors
///
/// Returns `Err(String)` when the config file:
/// - Exists but cannot be opened (permission denied, filesystem error)
/// - Can be opened but contains invalid TOML syntax
/// - Contains TOML that deserializes to a different type (schema mismatch)
///
/// Returns `Ok(Self::default())` when:
/// - The config file does not exist (first run / clean install)
/// - The config file is empty (no config needed)
pub fn load_result() -> Result<Self, String> {
let path = Self::config_path();
if path.exists() {
let content = std::fs::read_to_string(&path)
.map_err(|e| format!("Cannot read config file '{}': {}", path.display(), e))?;
toml::from_str(&content)
.map_err(|e| format!("Cannot parse config file '{}': {}", path.display(), e))
} else {
Ok(Self::default())
}
}
/// Saves config to disk, creating parent directories as needed.
///
/// # Errors
///
/// Returns an error if parent directories cannot be created or if the config
/// file cannot be serialized/written to disk.
pub fn save(&self) -> Result<(), String> {
let path = Self::config_path();
if let Some(parent) = path.parent() {
std::fs::create_dir_all(parent).map_err(|e| e.to_string())?;
}
let content = toml::to_string_pretty(self).map_err(|e| e.to_string())?;
std::fs::write(&path, content).map_err(|e| e.to_string())?;
Ok(())
}
/// Returns merged prefixes: defaults + env var + config file.
///
/// Priority (lowest to highest):
/// 1. Built-in defaults
/// 2. `RUNTIMO_ALLOWED_PATHS` env var
/// 3. Config file `allowed_paths`
///
/// Empty strings are filtered out to prevent matching everything
/// via `format!("{}/", "")` which produces `"/"` (N-014).
#[must_use]
pub fn get_allowed_prefixes() -> Vec<String> {
let mut prefixes: Vec<String> = DEFAULT_PREFIXES.iter().map(|s| s.to_string()).collect();
// Env var (colon-separated)
if let Ok(env_paths) = std::env::var("RUNTIMO_ALLOWED_PATHS") {
for p in env_paths.split(':').filter(|s| !s.is_empty()) {
let trimmed = p.trim().to_string();
if trimmed.is_empty() {
continue;
}
if !prefixes.contains(&trimmed) {
prefixes.push(trimmed);
}
}
}
// Config file
let config = Self::load();
for p in &config.allowed_paths {
let trimmed = p.trim().to_string();
if trimmed.is_empty() {
continue;
}
if !prefixes.contains(&trimmed) {
prefixes.push(trimmed);
}
}
prefixes
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::sync::Mutex;
/// Mutex to serialize config tests that set XDG_CONFIG_HOME.
/// Without this, concurrent tests fight over the process-global env var.
static CONFIG_TEST_MUTEX: Mutex<()> = Mutex::new(());
#[test]
fn config_path_is_absolute() {
let path = RuntimoConfig::config_path();
assert!(path.is_absolute());
}
#[test]
fn load_returns_defaults_when_no_file() {
let _guard = CONFIG_TEST_MUTEX.lock().unwrap();
let tmp = std::env::temp_dir().join("runtimo_test_config_defaults");
let _ = std::fs::remove_dir_all(&tmp);
std::env::set_var("XDG_CONFIG_HOME", &tmp);
let config = RuntimoConfig::load();
assert!(config.allowed_paths.is_empty());
let _ = std::fs::remove_dir_all(&tmp);
std::env::remove_var("XDG_CONFIG_HOME");
}
#[test]
fn get_allowed_prefixes_includes_defaults() {
let prefixes = RuntimoConfig::get_allowed_prefixes();
assert!(prefixes.iter().any(|p| p == "/tmp"));
assert!(prefixes.iter().any(|p| p == "/var/tmp"));
assert!(prefixes.iter().any(|p| p == "/home"));
}
#[test]
fn save_and_load_roundtrip() {
let _guard = CONFIG_TEST_MUTEX.lock().unwrap();
// Use a temp config path for this test
let tmp = std::env::temp_dir().join("runtimo_test_config");
std::env::set_var("XDG_CONFIG_HOME", &tmp);
let mut config = RuntimoConfig::default();
config.allowed_paths.push("/srv".to_string());
config.allowed_paths.push("/opt".to_string());
config.save().expect("save failed");
let loaded = RuntimoConfig::load();
assert_eq!(loaded.allowed_paths, vec!["/srv", "/opt"]);
let prefixes = RuntimoConfig::get_allowed_prefixes();
assert!(prefixes.contains(&"/srv".to_string()));
assert!(prefixes.contains(&"/opt".to_string()));
// Cleanup
let _ = std::fs::remove_dir_all(&tmp);
std::env::remove_var("XDG_CONFIG_HOME");
}
#[test]
fn test_toml_parse_failure_returns_defaults() {
let _guard = CONFIG_TEST_MUTEX.lock().unwrap();
// GAP 12: Corrupt TOML file returns defaults, not panic
let tmp = std::env::temp_dir().join("runtimo_test_config_corrupt");
let config_dir = tmp.join("runtimo");
let _ = std::fs::remove_dir_all(&tmp);
std::fs::create_dir_all(&config_dir).unwrap();
let config_path = config_dir.join("config.toml");
// Write corrupt TOML
std::fs::write(&config_path, "this is {{{ not valid toml at all!!!").unwrap();
std::env::set_var("XDG_CONFIG_HOME", &tmp);
let config = RuntimoConfig::load();
// Must return defaults, not panic
assert!(
config.allowed_paths.is_empty(),
"Corrupt TOML should return defaults"
);
let _ = std::fs::remove_dir_all(&tmp);
std::env::remove_var("XDG_CONFIG_HOME");
}
#[test]
fn test_empty_config_file_returns_defaults() {
let _guard = CONFIG_TEST_MUTEX.lock().unwrap();
// GAP 12: Empty config file returns defaults
let tmp = std::env::temp_dir().join("runtimo_test_config_empty");
let config_dir = tmp.join("runtimo");
let _ = std::fs::remove_dir_all(&tmp);
std::fs::create_dir_all(&config_dir).unwrap();
let config_path = config_dir.join("config.toml");
// Write empty file
std::fs::write(&config_path, "").unwrap();
std::env::set_var("XDG_CONFIG_HOME", &tmp);
let config = RuntimoConfig::load();
assert!(
config.allowed_paths.is_empty(),
"Empty config should return defaults"
);
let _ = std::fs::remove_dir_all(&tmp);
std::env::remove_var("XDG_CONFIG_HOME");
}
#[test]
fn test_toml_missing_section_returns_defaults() {
let _guard = CONFIG_TEST_MUTEX.lock().unwrap();
// GAP 12: Valid TOML but missing expected section
let tmp = std::env::temp_dir().join("runtimo_test_config_missing");
let config_dir = tmp.join("runtimo");
let _ = std::fs::remove_dir_all(&tmp);
std::fs::create_dir_all(&config_dir).unwrap();
let config_path = config_dir.join("config.toml");
// Valid TOML but no allowed_paths array
std::fs::write(&config_path, "[other_section]\nfoo = \"bar\"\n").unwrap();
std::env::set_var("XDG_CONFIG_HOME", &tmp);
let config = RuntimoConfig::load();
assert!(
config.allowed_paths.is_empty(),
"Missing section should return defaults"
);
let _ = std::fs::remove_dir_all(&tmp);
std::env::remove_var("XDG_CONFIG_HOME");
}
}