switchyard-fs 1.0.0

Switchyard: safe, atomic, reversible filesystem swaps with policy and audit
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

use std::path::PathBuf;

/// Risk handling level for potentially dangerous conditions (e.g., SUID/SGID bits, hardlinks).
#[derive(Clone, Copy, Debug)]
pub enum RiskLevel {
    Stop,
    Warn,
    Allow,
}

/// Cross‑filesystem behavior policy for atomic rename failures (EXDEV).
#[derive(Clone, Copy, Debug, Default)]
pub enum ExdevPolicy {
    #[default]
    Fail,
    DegradedFallback,
}

/// Locking policy for serialize‑mutations requirement in Commit mode.
#[derive(Clone, Copy, Debug)]
pub enum LockingPolicy {
    Required,
    Optional,
}

/// Preservation requirement policy for metadata dimensions.
#[derive(Clone, Copy, Debug)]
pub enum PreservationPolicy {
    Off,
    RequireBasic,
}

/// Source trust policy for evaluating whether a source path is acceptable.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SourceTrustPolicy {
    RequireTrusted,
    WarnOnUntrusted,
    AllowUntrusted,
}

/// Smoke testing policy for Commit mode.
#[derive(Clone, Copy, Debug)]
pub enum SmokePolicy {
    Off,
    Require { auto_rollback: bool },
}

/// Scope policy restricting allowed roots and forbidding specific absolute paths.
#[derive(Clone, Debug, Default)]
pub struct Scope {
    pub allow_roots: Vec<PathBuf>,
    pub forbid_paths: Vec<PathBuf>,
}

/// Rescue expectations for production safety.
#[derive(Debug, Copy, Clone, Default)]
pub struct Rescue {
    pub require: bool,
    pub exec_check: bool,
    pub min_count: usize,
}

/// Risk controls toggles.
#[derive(Debug, Copy, Clone)]
pub struct Risks {
    pub suid_sgid: RiskLevel,
    pub hardlinks: RiskLevel,
    pub source_trust: SourceTrustPolicy,
    pub ownership_strict: bool,
}

impl Default for Risks {
    fn default() -> Self {
        Self {
            suid_sgid: RiskLevel::Stop,
            hardlinks: RiskLevel::Stop,
            source_trust: SourceTrustPolicy::RequireTrusted,
            ownership_strict: false,
        }
    }
}

/// Durability requirements for backups and preservation.
#[derive(Debug, Copy, Clone)]
pub struct Durability {
    pub backup_durability: bool,
    pub sidecar_integrity: bool,
    pub preservation: PreservationPolicy,
}

impl Default for Durability {
    fn default() -> Self {
        Self {
            backup_durability: true,
            sidecar_integrity: true,
            preservation: PreservationPolicy::Off,
        }
    }
}

/// Apply stage policy affecting degraded paths and preflight parity.
#[derive(Clone, Debug, Default)]
pub struct ApplyFlow {
    pub exdev: ExdevPolicy,
    pub override_preflight: bool,
    pub best_effort_restore: bool,
    pub extra_mount_checks: Vec<PathBuf>,
    pub capture_restore_snapshot: bool,
}

/// Governance policy defining required adapters and allowances.
#[derive(Debug, Copy, Clone)]
pub struct Governance {
    pub locking: LockingPolicy,
    pub smoke: SmokePolicy,
    pub allow_unlocked_commit: bool,
}

impl Default for Governance {
    fn default() -> Self {
        Self {
            locking: LockingPolicy::Optional,
            smoke: SmokePolicy::Off,
            allow_unlocked_commit: true,
        }
    }
}

/// Backup configuration.
#[derive(Clone, Debug, Default)]
pub struct Backup {
    pub tag: String,
}