1#![forbid(unsafe_code)]
2
3use std::collections::{BTreeMap, HashMap};
4use std::fs;
5use std::path::{Path, PathBuf};
6
7use anyhow::{Context, Result, anyhow, bail};
8use greentic_distributor_client::{DistClient, DistOptions};
9use greentic_flow::wizard_ops::{WizardMode, decode_component_qa_spec, fetch_wizard_spec};
10use greentic_pack::PackLoad;
11use greentic_pack::pack_lock::{LockedComponent, PackLockV1, read_pack_lock, validate_pack_lock};
12use greentic_types::cbor::canonical;
13use greentic_types::pack::extensions::component_sources::{
14 ArtifactLocationV1, ComponentSourceEntryV1, ComponentSourcesV1,
15};
16use greentic_types::schemas::common::schema_ir::{AdditionalProperties, SchemaIr};
17use greentic_types::schemas::component::v0_6_0::{ComponentDescribe, schema_hash};
18use greentic_types::validate::{Diagnostic, Severity};
19use serde_json::{Value, json};
20use sha2::{Digest, Sha256};
21use tokio::runtime::Handle;
22use wasmtime::Engine;
23use wasmtime::component::{Component as WasmtimeComponent, Linker};
24
25use crate::component_host_stubs::{
26 DescribeHostState, add_describe_host_imports, stub_remaining_imports,
27};
28use crate::runtime::{NetworkPolicy, RuntimeContext};
29
30pub struct PackLockDoctorInput<'a> {
31 pub load: &'a PackLoad,
32 pub pack_dir: Option<&'a Path>,
33 pub runtime: &'a RuntimeContext,
34 pub allow_oci_tags: bool,
35 pub use_describe_cache: bool,
36 pub online: bool,
37}
38
39pub struct PackLockDoctorOutput {
40 pub diagnostics: Vec<Diagnostic>,
41 pub has_errors: bool,
42}
43
44#[derive(Clone)]
45struct ComponentDiagnostic {
46 component_id: String,
47 diagnostic: Diagnostic,
48}
49
50struct WasmSource {
51 bytes: Vec<u8>,
52 source_path: Option<PathBuf>,
53 describe_bytes: Option<Vec<u8>>,
54}
55
56struct DescribeResolution {
57 describe: ComponentDescribe,
58 requires_typed_instance: bool,
59}
60
61pub fn run_pack_lock_doctor(input: PackLockDoctorInput<'_>) -> Result<PackLockDoctorOutput> {
62 let mut diagnostics: Vec<ComponentDiagnostic> = Vec::new();
63 let mut has_errors = false;
64
65 let pack_lock = match load_pack_lock(input.load, input.pack_dir) {
66 Ok(Some(lock)) => lock,
67 Ok(None) => {
68 diagnostics.push(ComponentDiagnostic {
69 component_id: String::new(),
70 diagnostic: Diagnostic {
71 severity: Severity::Warn,
72 code: "PACK_LOCK_MISSING".to_string(),
73 message: "pack.lock.cbor missing; skipping pack lock doctor checks".to_string(),
74 path: Some("pack.lock.cbor".to_string()),
75 hint: Some(
76 "run `greentic-pack resolve` to generate pack.lock.cbor".to_string(),
77 ),
78 data: Value::Null,
79 },
80 });
81 return Ok(finish_diagnostics(diagnostics));
82 }
83 Err(err) => {
84 diagnostics.push(ComponentDiagnostic {
85 component_id: String::new(),
86 diagnostic: Diagnostic {
87 severity: Severity::Error,
88 code: "PACK_LOCK_INVALID".to_string(),
89 message: format!("failed to load pack.lock.cbor: {err}"),
90 path: Some("pack.lock.cbor".to_string()),
91 hint: Some("regenerate the lock with `greentic-pack resolve`".to_string()),
92 data: Value::Null,
93 },
94 });
95 return Ok(finish_diagnostics(diagnostics));
96 }
97 };
98
99 let component_sources = match load_component_sources(input.load) {
100 Ok(sources) => sources,
101 Err(err) => {
102 diagnostics.push(ComponentDiagnostic {
103 component_id: String::new(),
104 diagnostic: Diagnostic {
105 severity: Severity::Warn,
106 code: "PACK_LOCK_COMPONENT_SOURCES_INVALID".to_string(),
107 message: format!("component sources extension invalid: {err}"),
108 path: Some("manifest.cbor".to_string()),
109 hint: Some("rebuild the pack to refresh component sources".to_string()),
110 data: Value::Null,
111 },
112 });
113 None
114 }
115 };
116
117 let component_sources_map = build_component_sources_map(component_sources.as_ref());
118 let manifest_map: HashMap<_, _> = input
119 .load
120 .manifest
121 .components
122 .iter()
123 .map(|entry| (entry.name.clone(), entry))
124 .collect();
125
126 let engine = Engine::default();
127
128 for (component_id, locked) in &pack_lock.components {
129 if locked.abi_version != "0.6.0" {
130 continue;
131 }
132
133 let wasm = match resolve_component_wasm(
134 &input,
135 &manifest_map,
136 &component_sources_map,
137 component_id,
138 locked,
139 ) {
140 Ok(wasm) => wasm,
141 Err(err) => {
142 has_errors = true;
143 diagnostics.push(component_diag(
144 component_id,
145 Severity::Error,
146 "PACK_LOCK_COMPONENT_WASM_MISSING",
147 format!("component wasm unavailable: {err}"),
148 Some(format!("components/{component_id}")),
149 Some(
150 "bundle artifacts into the pack or allow online resolution with --online"
151 .to_string(),
152 ),
153 Value::Null,
154 ));
155 continue;
156 }
157 };
158
159 let digest = format!("sha256:{:x}", Sha256::digest(&wasm.bytes));
160 if digest != locked.resolved_digest {
161 has_errors = true;
162 diagnostics.push(component_diag(
163 component_id,
164 Severity::Error,
165 "PACK_LOCK_COMPONENT_DIGEST_MISMATCH",
166 "resolved_digest does not match component bytes".to_string(),
167 Some(format!("components/{component_id}")),
168 Some("re-run `greentic-pack resolve` after updating components".to_string()),
169 json!({ "expected": locked.resolved_digest, "actual": digest }),
170 ));
171 }
172
173 let describe_resolution = match describe_component_with_cache(
174 &engine,
175 &wasm,
176 input.use_describe_cache,
177 component_id,
178 ) {
179 Ok(describe) => describe,
180 Err(err) => {
181 has_errors = true;
182 diagnostics.push(component_diag(
183 component_id,
184 Severity::Error,
185 "PACK_LOCK_COMPONENT_DESCRIBE_FAILED",
186 format!("describe() failed: {err}"),
187 Some(format!("components/{component_id}")),
188 Some("ensure the component exports greentic:component@0.6.0".to_string()),
189 Value::Null,
190 ));
191 continue;
192 }
193 };
194 let describe = describe_resolution.describe;
195
196 if describe.info.id != locked.component_id {
197 has_errors = true;
198 diagnostics.push(component_diag(
199 component_id,
200 Severity::Error,
201 "PACK_LOCK_COMPONENT_ID_MISMATCH",
202 "describe id does not match pack.lock component_id".to_string(),
203 Some(format!("components/{component_id}")),
204 None,
205 json!({ "describe_id": describe.info.id, "component_id": locked.component_id }),
206 ));
207 }
208
209 let describe_hash = compute_describe_hash(&describe)?;
210 if describe_hash != locked.describe_hash {
211 has_errors = true;
212 diagnostics.push(component_diag(
213 component_id,
214 Severity::Error,
215 "PACK_LOCK_DESCRIBE_HASH_MISMATCH",
216 "describe_hash does not match describe() output".to_string(),
217 Some(format!("components/{component_id}")),
218 Some("re-run `greentic-pack resolve` after updating components".to_string()),
219 json!({ "expected": locked.describe_hash, "actual": describe_hash }),
220 ));
221 }
222
223 let mut describe_ops = BTreeMap::new();
224 for op in &describe.operations {
225 describe_ops.insert(op.id.clone(), op);
226 }
227
228 for op in &describe.operations {
229 let recomputed =
230 match schema_hash(&op.input.schema, &op.output.schema, &describe.config_schema) {
231 Ok(hash) => hash,
232 Err(err) => {
233 has_errors = true;
234 diagnostics.push(component_diag(
235 component_id,
236 Severity::Error,
237 "PACK_LOCK_SCHEMA_HASH_COMPUTE_FAILED",
238 format!("schema_hash failed for {}: {err}", op.id),
239 Some(format!(
240 "components/{component_id}/operations/{}/schema_hash",
241 op.id
242 )),
243 None,
244 Value::Null,
245 ));
246 continue;
247 }
248 };
249
250 if recomputed != op.schema_hash {
251 has_errors = true;
252 diagnostics.push(component_diag(
253 component_id,
254 Severity::Error,
255 "PACK_LOCK_SCHEMA_HASH_DESCRIBE_MISMATCH",
256 "schema_hash does not match describe() payload".to_string(),
257 Some(format!(
258 "components/{component_id}/operations/{}/schema_hash",
259 op.id
260 )),
261 None,
262 json!({ "expected": op.schema_hash, "actual": recomputed }),
263 ));
264 }
265
266 match locked
267 .operations
268 .iter()
269 .find(|entry| entry.operation_id == op.id)
270 {
271 Some(lock_op) => {
272 if recomputed != lock_op.schema_hash {
273 has_errors = true;
274 diagnostics.push(component_diag(
275 component_id,
276 Severity::Error,
277 "PACK_LOCK_SCHEMA_HASH_LOCK_MISMATCH",
278 "schema_hash does not match pack.lock entry".to_string(),
279 Some(format!(
280 "components/{component_id}/operations/{}/schema_hash",
281 op.id
282 )),
283 None,
284 json!({ "expected": lock_op.schema_hash, "actual": recomputed }),
285 ));
286 }
287 }
288 None => {
289 has_errors = true;
290 diagnostics.push(component_diag(
291 component_id,
292 Severity::Error,
293 "PACK_LOCK_OPERATION_MISSING",
294 "operation missing from pack.lock".to_string(),
295 Some(format!("components/{component_id}/operations/{}", op.id)),
296 Some(
297 "re-run `greentic-pack resolve` to refresh lock operations".to_string(),
298 ),
299 Value::Null,
300 ));
301 }
302 }
303
304 validate_schema_ir(
305 component_id,
306 &op.input.schema,
307 &format!(
308 "components/{component_id}/operations/{}/input.schema",
309 op.id
310 ),
311 &mut diagnostics,
312 &mut has_errors,
313 );
314 validate_schema_ir(
315 component_id,
316 &op.output.schema,
317 &format!(
318 "components/{component_id}/operations/{}/output.schema",
319 op.id
320 ),
321 &mut diagnostics,
322 &mut has_errors,
323 );
324 }
325
326 for lock_op in &locked.operations {
327 if !describe_ops.contains_key(&lock_op.operation_id) {
328 has_errors = true;
329 diagnostics.push(component_diag(
330 component_id,
331 Severity::Error,
332 "PACK_LOCK_OPERATION_STALE",
333 "pack.lock operation not present in describe()".to_string(),
334 Some(format!(
335 "components/{component_id}/operations/{}",
336 lock_op.operation_id
337 )),
338 Some("re-run `greentic-pack resolve` to refresh lock operations".to_string()),
339 Value::Null,
340 ));
341 }
342 }
343
344 validate_schema_ir(
345 component_id,
346 &describe.config_schema,
347 &format!("components/{component_id}/config_schema"),
348 &mut diagnostics,
349 &mut has_errors,
350 );
351
352 if let Err(err) = WasmtimeComponent::from_binary(&engine, &wasm.bytes) {
353 has_errors = true;
354 diagnostics.push(component_diag(
355 component_id,
356 Severity::Error,
357 "PACK_LOCK_COMPONENT_DECODE_FAILED",
358 format!("component bytes are not a valid component: {err}"),
359 Some(format!("components/{component_id}")),
360 Some("rebuild the pack with a valid component artifact".to_string()),
361 Value::Null,
362 ));
363 continue;
364 }
365
366 if !describe_resolution.requires_typed_instance {
367 diagnostics.push(component_diag(
368 component_id,
369 Severity::Warn,
370 "PACK_LOCK_COMPONENT_WORLD_FALLBACK",
371 "describe was resolved via fallback; qa/i18n contract checks were skipped"
372 .to_string(),
373 Some(format!("components/{component_id}")),
374 None,
375 Value::Null,
376 ));
377 }
378
379 for (mode, label) in [
380 (WizardMode::Default, "default"),
381 (WizardMode::Setup, "setup"),
382 (WizardMode::Update, "update"),
383 (WizardMode::Remove, "remove"),
384 ] {
385 let spec = match fetch_wizard_spec(&wasm.bytes, mode) {
386 Ok(spec) => spec,
387 Err(err) => {
388 has_errors = true;
389 diagnostics.push(component_diag(
390 component_id,
391 Severity::Error,
392 "PACK_LOCK_QA_SPEC_MISSING",
393 format!("wizard qa_spec fetch failed for {label}: {err}"),
394 Some(format!("components/{component_id}/qa/{label}")),
395 Some(
396 "ensure setup contract and setup.apply_answers are exported"
397 .to_string(),
398 ),
399 Value::Null,
400 ));
401 continue;
402 }
403 };
404 if let Err(err) = decode_component_qa_spec(&spec.qa_spec_cbor, mode) {
405 has_errors = true;
406 diagnostics.push(component_diag(
407 component_id,
408 Severity::Error,
409 "PACK_LOCK_QA_SPEC_DECODE_FAILED",
410 format!("qa_spec decode failed for {label}: {err}"),
411 Some(format!("components/{component_id}/qa/{label}")),
412 Some("ensure qa_spec is valid canonical CBOR/legacy JSON".to_string()),
413 Value::Null,
414 ));
415 }
416 }
417 }
418
419 Ok(finish_diagnostics(diagnostics))
420}
421
422fn finish_diagnostics(mut diagnostics: Vec<ComponentDiagnostic>) -> PackLockDoctorOutput {
423 diagnostics.sort_by(|a, b| {
424 let path_a = a.diagnostic.path.as_deref().unwrap_or_default();
425 let path_b = b.diagnostic.path.as_deref().unwrap_or_default();
426 a.component_id
427 .cmp(&b.component_id)
428 .then_with(|| a.diagnostic.code.cmp(&b.diagnostic.code))
429 .then_with(|| path_a.cmp(path_b))
430 });
431 let mut has_errors = false;
432 let diagnostics: Vec<Diagnostic> = diagnostics
433 .into_iter()
434 .map(|entry| {
435 if matches!(entry.diagnostic.severity, Severity::Error) {
436 has_errors = true;
437 }
438 entry.diagnostic
439 })
440 .collect();
441 PackLockDoctorOutput {
442 diagnostics,
443 has_errors,
444 }
445}
446
447fn load_pack_lock(load: &PackLoad, pack_dir: Option<&Path>) -> Result<Option<PackLockV1>> {
448 if let Some(bytes) = load.files.get("pack.lock.cbor") {
449 return read_pack_lock_from_bytes(bytes).map(Some);
450 }
451 let Some(pack_dir) = pack_dir else {
452 return Ok(None);
453 };
454 let path = pack_dir.join("pack.lock.cbor");
455 if !path.exists() {
456 return Ok(None);
457 }
458 read_pack_lock(&path).map(Some)
459}
460
461fn read_pack_lock_from_bytes(bytes: &[u8]) -> Result<PackLockV1> {
462 canonical::ensure_canonical(bytes).context("pack.lock.cbor must be canonical")?;
463 let lock: PackLockV1 = canonical::from_cbor(bytes).context("decode pack.lock.cbor")?;
464 validate_pack_lock(&lock)?;
465 Ok(lock)
466}
467
468fn load_component_sources(load: &PackLoad) -> Result<Option<ComponentSourcesV1>> {
469 let Some(manifest) = load.gpack_manifest.as_ref() else {
470 return Ok(None);
471 };
472 manifest
473 .get_component_sources_v1()
474 .map_err(|err| anyhow!(err.to_string()))
475}
476
477fn build_component_sources_map(
478 sources: Option<&ComponentSourcesV1>,
479) -> HashMap<String, ComponentSourceEntryV1> {
480 let mut map = HashMap::new();
481 let Some(sources) = sources else {
482 return map;
483 };
484 for entry in &sources.components {
485 let key = entry
486 .component_id
487 .as_ref()
488 .map(|id| id.to_string())
489 .unwrap_or_else(|| entry.name.clone());
490 map.insert(key, entry.clone());
491 }
492 map
493}
494
495fn resolve_component_wasm(
496 input: &PackLockDoctorInput<'_>,
497 manifest_map: &HashMap<String, &greentic_pack::builder::ComponentEntry>,
498 component_sources_map: &HashMap<String, ComponentSourceEntryV1>,
499 component_id: &str,
500 locked: &LockedComponent,
501) -> Result<WasmSource> {
502 if let Some(entry) = manifest_map.get(component_id) {
503 let logical = entry.file_wasm.clone();
504 if let Some(bytes) = input.load.files.get(&logical) {
505 return Ok(WasmSource {
506 bytes: bytes.clone(),
507 source_path: input
508 .pack_dir
509 .map(|dir| dir.join(&entry.file_wasm))
510 .filter(|path| path.exists()),
511 describe_bytes: load_describe_sidecar_from_pack(input.load, &logical),
512 });
513 }
514 if let Some(pack_dir) = input.pack_dir {
515 let disk_path = pack_dir.join(&entry.file_wasm);
516 if disk_path.exists() {
517 let bytes = fs::read(&disk_path)
518 .with_context(|| format!("read {}", disk_path.display()))?;
519 return Ok(WasmSource {
520 bytes,
521 source_path: Some(disk_path),
522 describe_bytes: None,
523 });
524 }
525 }
526 }
527
528 if let Some(entry) = component_sources_map.get(component_id)
529 && let ArtifactLocationV1::Inline { wasm_path, .. } = &entry.artifact
530 {
531 if let Some(bytes) = input.load.files.get(wasm_path) {
532 return Ok(WasmSource {
533 bytes: bytes.clone(),
534 source_path: input
535 .pack_dir
536 .map(|dir| dir.join(wasm_path))
537 .filter(|path| path.exists()),
538 describe_bytes: load_describe_sidecar_from_pack(input.load, wasm_path),
539 });
540 }
541 if let Some(pack_dir) = input.pack_dir {
542 let disk_path = pack_dir.join(wasm_path);
543 if disk_path.exists() {
544 let bytes = fs::read(&disk_path)
545 .with_context(|| format!("read {}", disk_path.display()))?;
546 return Ok(WasmSource {
547 bytes,
548 source_path: Some(disk_path),
549 describe_bytes: None,
550 });
551 }
552 }
553 }
554
555 if let Some(reference) = locked.r#ref.as_ref()
556 && reference.starts_with("file://")
557 {
558 let path = strip_file_uri_prefix(reference);
559 let bytes = fs::read(path).with_context(|| format!("read {}", path))?;
560 return Ok(WasmSource {
561 bytes,
562 source_path: Some(PathBuf::from(path)),
563 describe_bytes: None,
564 });
565 }
566
567 let reference = locked
568 .r#ref
569 .as_ref()
570 .ok_or_else(|| anyhow!("component {} missing ref", component_id))?;
571 if input.online {
572 input
573 .runtime
574 .require_online("pack lock doctor component download")?;
575 }
576 let offline = !input.online || input.runtime.network_policy() == NetworkPolicy::Offline;
577 let dist = DistClient::new(DistOptions {
578 cache_dir: input.runtime.cache_dir(),
579 allow_tags: input.allow_oci_tags,
580 offline,
581 allow_insecure_local_http: false,
582 ..DistOptions::default()
583 });
584
585 let handle = Handle::try_current().context("component resolution requires a Tokio runtime")?;
586 let resolved = if offline {
587 dist.open_cached(&locked.resolved_digest)
588 .map_err(|err| anyhow!("offline cache miss for {}: {}", reference, err))?
589 } else {
590 let source = dist
591 .parse_source(reference)
592 .map_err(|err| anyhow!("resolve {}: {}", reference, err))?;
593 let descriptor = block_on(
594 &handle,
595 dist.resolve(source, greentic_distributor_client::ResolvePolicy),
596 )
597 .map_err(|err| anyhow!("resolve {}: {}", reference, err))?;
598 block_on(
599 &handle,
600 dist.fetch(&descriptor, greentic_distributor_client::CachePolicy),
601 )
602 .map_err(|err| anyhow!("resolve {}: {}", reference, err))?
603 };
604 let path = resolved
605 .cache_path
606 .ok_or_else(|| anyhow!("resolved component missing path for {}", reference))?;
607 let bytes = fs::read(&path).with_context(|| format!("read {}", path.display()))?;
608 Ok(WasmSource {
609 bytes,
610 source_path: Some(path),
611 describe_bytes: None,
612 })
613}
614
615fn block_on<F, T, E>(handle: &Handle, fut: F) -> std::result::Result<T, E>
616where
617 F: std::future::Future<Output = std::result::Result<T, E>>,
618{
619 tokio::task::block_in_place(|| handle.block_on(fut))
620}
621
622fn describe_component_with_cache(
623 engine: &Engine,
624 wasm: &WasmSource,
625 use_cache: bool,
626 component_id: &str,
627) -> Result<DescribeResolution> {
628 match describe_component(engine, &wasm.bytes) {
629 Ok(describe) => Ok(DescribeResolution {
630 describe,
631 requires_typed_instance: true,
632 }),
633 Err(err) => {
634 if should_fallback_to_untyped_describe(&err)
635 && let Ok(describe) = describe_component_untyped(engine, &wasm.bytes)
636 {
637 return Ok(DescribeResolution {
638 describe,
639 requires_typed_instance: false,
640 });
641 }
642 if use_cache || should_fallback_to_describe_cache(&err) {
643 if let Some(describe) = load_describe_from_cache(
644 wasm.describe_bytes.as_deref(),
645 wasm.source_path.as_deref(),
646 )? {
647 return Ok(DescribeResolution {
648 describe,
649 requires_typed_instance: false,
650 });
651 }
652 bail!("describe failed and no describe cache found for {component_id}: {err}");
653 }
654 Err(err)
655 }
656 }
657}
658
659fn describe_component_untyped(engine: &Engine, bytes: &[u8]) -> Result<ComponentDescribe> {
660 let component = WasmtimeComponent::from_binary(engine, bytes)
661 .map_err(|err| anyhow!("decode component bytes: {err}"))?;
662 let mut store = wasmtime::Store::new(engine, DescribeHostState::default());
663 let mut linker = Linker::new(engine);
664 add_describe_host_imports(&mut linker)?;
665 stub_remaining_imports(&mut linker, &component)?;
668 let instance = linker
669 .instantiate(&mut store, &component)
670 .map_err(|err| anyhow!("instantiate component root world: {err}"))?;
671
672 let descriptor = [
673 "component-descriptor",
674 "greentic:component/component-descriptor",
675 "greentic:component/component-descriptor@0.6.0",
676 ]
677 .iter()
678 .find_map(|name| instance.get_export_index(&mut store, None, name))
679 .ok_or_else(|| anyhow!("missing exported descriptor instance"))?;
680 let describe_export = [
681 "describe",
682 "greentic:component/component-descriptor@0.6.0#describe",
683 ]
684 .iter()
685 .find_map(|name| instance.get_export_index(&mut store, Some(&descriptor), name))
686 .ok_or_else(|| anyhow!("missing exported describe function"))?;
687 let describe_func = instance
688 .get_typed_func::<(), (Vec<u8>,)>(&mut store, &describe_export)
689 .map_err(|err| anyhow!("lookup component-descriptor.describe: {err}"))?;
690 let (describe_bytes,) = describe_func
691 .call(&mut store, ())
692 .map_err(|err| anyhow!("call component-descriptor.describe: {err}"))?;
693 canonical::from_cbor(&describe_bytes).context("decode ComponentDescribe")
694}
695
696fn should_fallback_to_describe_cache(err: &anyhow::Error) -> bool {
697 err.to_string().contains("instantiate component-v0-v6-v0")
698}
699
700fn should_fallback_to_untyped_describe(err: &anyhow::Error) -> bool {
701 err.to_string().contains("instantiate component-v0-v6-v0")
702}
703
704fn describe_component(engine: &Engine, bytes: &[u8]) -> Result<ComponentDescribe> {
705 describe_component_untyped(engine, bytes)
706}
707
708fn load_describe_from_cache(
709 inline_bytes: Option<&[u8]>,
710 source_path: Option<&Path>,
711) -> Result<Option<ComponentDescribe>> {
712 if let Some(bytes) = inline_bytes {
713 canonical::ensure_canonical(bytes).context("describe cache must be canonical")?;
714 let describe =
715 canonical::from_cbor(bytes).context("decode ComponentDescribe from cache")?;
716 return Ok(Some(describe));
717 }
718 if let Some(path) = source_path {
719 let describe_path = PathBuf::from(format!("{}.describe.cbor", path.display()));
720 if !describe_path.exists() {
721 return Ok(None);
722 }
723 let bytes = fs::read(&describe_path)
724 .with_context(|| format!("read {}", describe_path.display()))?;
725 canonical::ensure_canonical(&bytes).context("describe cache must be canonical")?;
726 let describe =
727 canonical::from_cbor(&bytes).context("decode ComponentDescribe from cache")?;
728 return Ok(Some(describe));
729 }
730 Ok(None)
731}
732
733fn load_describe_sidecar_from_pack(load: &PackLoad, logical_path: &str) -> Option<Vec<u8>> {
734 let describe_path = format!("{logical_path}.describe.cbor");
735 load.files.get(&describe_path).cloned()
736}
737
738fn compute_describe_hash(describe: &ComponentDescribe) -> Result<String> {
739 let bytes =
740 canonical::to_canonical_cbor_allow_floats(describe).context("canonicalize describe")?;
741 let digest = Sha256::digest(bytes.as_slice());
742 Ok(hex::encode(digest))
743}
744
745fn validate_schema_ir(
746 component_id: &str,
747 schema: &SchemaIr,
748 path: &str,
749 diagnostics: &mut Vec<ComponentDiagnostic>,
750 has_errors: &mut bool,
751) {
752 match schema {
753 SchemaIr::Object {
754 properties,
755 required,
756 additional,
757 } => {
758 if properties.is_empty()
759 && required.is_empty()
760 && matches!(additional, AdditionalProperties::Allow)
761 {
762 *has_errors = true;
763 diagnostics.push(component_diag(
764 component_id,
765 Severity::Error,
766 "PACK_LOCK_SCHEMA_UNCONSTRAINED_OBJECT",
767 "object schema is unconstrained".to_string(),
768 Some(path.to_string()),
769 Some("add properties or set additional=forbid".to_string()),
770 Value::Null,
771 ));
772 }
773 for req in required {
774 if !properties.contains_key(req) {
775 *has_errors = true;
776 diagnostics.push(component_diag(
777 component_id,
778 Severity::Error,
779 "PACK_LOCK_SCHEMA_REQUIRED_MISSING",
780 format!("required property `{req}` missing from properties"),
781 Some(path.to_string()),
782 None,
783 Value::Null,
784 ));
785 }
786 }
787 for (name, prop) in properties {
788 let child_path = format!("{path}/properties/{name}");
789 validate_schema_ir(component_id, prop, &child_path, diagnostics, has_errors);
790 }
791 if let AdditionalProperties::Schema(schema) = additional {
792 let child_path = format!("{path}/additional");
793 validate_schema_ir(component_id, schema, &child_path, diagnostics, has_errors);
794 }
795 }
796 SchemaIr::Array {
797 items,
798 min_items,
799 max_items,
800 } => {
801 if let (Some(min), Some(max)) = (min_items, max_items)
802 && min > max
803 {
804 *has_errors = true;
805 diagnostics.push(component_diag(
806 component_id,
807 Severity::Error,
808 "PACK_LOCK_SCHEMA_ARRAY_BOUNDS",
809 format!("min_items {min} exceeds max_items {max}"),
810 Some(path.to_string()),
811 None,
812 Value::Null,
813 ));
814 }
815 let child_path = format!("{path}/items");
816 validate_schema_ir(component_id, items, &child_path, diagnostics, has_errors);
817 }
818 SchemaIr::String {
819 min_len,
820 max_len,
821 regex,
822 format,
823 } => {
824 if let (Some(min), Some(max)) = (min_len, max_len)
825 && min > max
826 {
827 *has_errors = true;
828 diagnostics.push(component_diag(
829 component_id,
830 Severity::Error,
831 "PACK_LOCK_SCHEMA_STRING_BOUNDS",
832 format!("min_len {min} exceeds max_len {max}"),
833 Some(path.to_string()),
834 None,
835 Value::Null,
836 ));
837 }
838 if regex.is_some() || format.is_some() {
839 diagnostics.push(component_diag(
840 component_id,
841 Severity::Warn,
842 "PACK_LOCK_SCHEMA_STRING_CONSTRAINT",
843 "string regex/format constraints are not validated by pack doctor".to_string(),
844 Some(path.to_string()),
845 None,
846 Value::Null,
847 ));
848 }
849 }
850 SchemaIr::Int { min, max } => {
851 if let (Some(min), Some(max)) = (min, max)
852 && min > max
853 {
854 *has_errors = true;
855 diagnostics.push(component_diag(
856 component_id,
857 Severity::Error,
858 "PACK_LOCK_SCHEMA_INT_BOUNDS",
859 format!("min {min} exceeds max {max}"),
860 Some(path.to_string()),
861 None,
862 Value::Null,
863 ));
864 }
865 }
866 SchemaIr::Float { min, max } => {
867 if let (Some(min), Some(max)) = (min, max)
868 && min > max
869 {
870 *has_errors = true;
871 diagnostics.push(component_diag(
872 component_id,
873 Severity::Error,
874 "PACK_LOCK_SCHEMA_FLOAT_BOUNDS",
875 format!("min {min} exceeds max {max}"),
876 Some(path.to_string()),
877 None,
878 Value::Null,
879 ));
880 }
881 }
882 SchemaIr::Enum { values } => {
883 if values.is_empty() {
884 *has_errors = true;
885 diagnostics.push(component_diag(
886 component_id,
887 Severity::Error,
888 "PACK_LOCK_SCHEMA_ENUM_EMPTY",
889 "enum has no values".to_string(),
890 Some(path.to_string()),
891 None,
892 Value::Null,
893 ));
894 }
895 }
896 SchemaIr::OneOf { variants } => {
897 if variants.is_empty() {
898 *has_errors = true;
899 diagnostics.push(component_diag(
900 component_id,
901 Severity::Error,
902 "PACK_LOCK_SCHEMA_ONEOF_EMPTY",
903 "oneOf has no variants".to_string(),
904 Some(path.to_string()),
905 None,
906 Value::Null,
907 ));
908 }
909 for (idx, variant) in variants.iter().enumerate() {
910 let child_path = format!("{path}/variants/{idx}");
911 validate_schema_ir(component_id, variant, &child_path, diagnostics, has_errors);
912 }
913 }
914 SchemaIr::Bool | SchemaIr::Null | SchemaIr::Bytes | SchemaIr::Ref { .. } => {}
915 }
916}
917
918fn component_diag(
919 component_id: &str,
920 severity: Severity,
921 code: &str,
922 message: String,
923 path: Option<String>,
924 hint: Option<String>,
925 data: Value,
926) -> ComponentDiagnostic {
927 ComponentDiagnostic {
928 component_id: component_id.to_string(),
929 diagnostic: Diagnostic {
930 severity,
931 code: code.to_string(),
932 message,
933 path,
934 hint,
935 data,
936 },
937 }
938}
939
940fn strip_file_uri_prefix(reference: &str) -> &str {
941 reference.strip_prefix("file://").unwrap_or(reference)
942}