pub struct DataDir { /* private fields */ }
A capability handle to a base directory.
Every relative path passed to a method is resolved against the base and cannot escape it.
Implementations
impl DataDir
pub fn open(base: impl AsRef<Path>) -> Result<Self>
Open an existing base directory.
This is the single place where ambient filesystem authority enters the capability boundary.
pub fn open_or_create(base: impl AsRef<Path>) -> Result<Self>
Open a base directory, first creating it (and any missing parents) with ambient authority.
The base path is the trust boundary, not attacker input, so creating it ambiently is intentional; everything joined onto the returned handle afterwards stays confined.
pub fn resolve(&self, rel: &str) -> PathBuf
Absolute path of a confined relative path, for logging and return values only.
The result is never re-opened through ambient authority — all filesystem access goes through the capability-scoped Dir. This is purely a display/identity helper.
pub fn read_to_string(&self, rel: &str) -> Result<String>
Read a confined relative path to a String.
pub fn create_dir_all(&self, rel: &str) -> Result<()>
Create all directories along a confined relative path.
pub fn subdir(&self, rel: &str) -> Result<Self>
Open a confined relative subdirectory as its own capability handle.
pub fn write(&self, rel: &str, bytes: &[u8]) -> Result<()>
Write bytes to a confined relative path, creating or truncating it.
pub fn write_atomic(&self, rel: &str, bytes: &[u8]) -> Result<()>
Atomically replace a confined relative path.
Writes to a sibling temp file inside the same Dir, fsyncs, then renames over the target. Both the temp file and the rename are *at-relative to the open base fd, so neither can escape it.
pub fn remove_file(&self, rel: &str) -> Result<()>
Remove a confined relative file.
pub fn walk_files(&self) -> Result<Vec<String>>
Recursively collect the relative paths of every regular file under the base directory.
Each directory level is descended through its own re-opened Dir handle, so the walk never round-trips a path back through ambient authority. Symlinks, sockets, and devices are reported via file_type() and never followed — the walk cannot escape the base.
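The two rules this page relies on, that a relative path can never name anything outside the base and that the walk never follows a symlink, as an added std-only example that is not the crate's own code. std has no openat-style Dir, so `confined_rel` (a hypothetical helper) shows only the lexical half of the check that the fd-relative handle enforces, while `walk_regular_files` (also hypothetical) mirrors the file_type() rule of walk_files.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Lexical half of the confinement rule (hypothetical helper): refuse any
/// relative path that could name something outside the base. `..`, a root,
/// or a Windows prefix is rejected rather than normalised away, so
/// `a/../../x` never collapses into an escape.
pub fn confined_rel(rel: &str) -> io::Result<PathBuf> {
    let mut out = PathBuf::new();
    for c in Path::new(rel).components() {
        match c {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                let msg = format!("path escapes base: {rel}");
                return Err(io::Error::new(io::ErrorKind::InvalidInput, msg));
            }
        }
    }
    Ok(out)
}

/// Walk rule of walk_files (hypothetical helper): collect every regular
/// file below `base` as a `/`-joined relative path. Each entry is classified
/// with DirEntry::file_type(), which does not follow symlinks, so a link
/// pointing outside the base is skipped instead of descended into.
pub fn walk_regular_files(base: &Path) -> io::Result<Vec<String>> {
    let mut out = Vec::new();
    let mut stack: Vec<String> = vec![String::new()];
    while let Some(rel) = stack.pop() {
        let dir = if rel.is_empty() { base.to_path_buf() } else { base.join(&rel) };
        for entry in fs::read_dir(&dir)? {
            let entry = entry?;
            let name = entry.file_name().to_string_lossy().into_owned();
            let child = if rel.is_empty() { name } else { format!("{rel}/{name}") };
            let ft = entry.file_type()?;
            if ft.is_dir() {
                stack.push(child);
            } else if ft.is_file() {
                out.push(child);
            }
            // symlinks, sockets and devices fall through: seen, never followed
        }
    }
    out.sort();
    Ok(out)
}
```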