Skip to main content

Module fix_forward

shipper_core::engine

Module fix_forward 

Source
Expand description

Fix-forward: supersession plan from a compromised receipt (#98 PR 3). Fix-forward: supersession plan from a compromised receipt (#98 PR 3).

When a published release turns out to be compromised (CVE, leaked secret, broken artifact), the remediation options are:

  1. Yank — containment. Prevents NEW resolves but leaves existing lockfiles unchanged. Covered by shipper yank (PR 1) and shipper plan-yank (PR 2).
  2. Fix-forward — ship a successor release that replaces the compromised one. Downstream consumers pick it up on cargo update. This module plans that.

The two strategies are complementary: an operator typically runs the yank plan alongside a fix-forward so new resolves steer away from the bad chain AND existing consumers have something cleaner to upgrade to.

§What this module does

  • Read a receipt, find the compromised packages (those with compromised_at.is_some())
  • Compute a minimal supersession plan: each compromised package needs its successor version to be published, in the same topological order as the original plan (dependencies first)
  • Present the plan as either a human-readable step list or JSON

§What this module does NOT do (yet)

  • Edit Cargo.toml files to bump versions. That’s workspace-edit territory — invasive enough to deserve its own PR with dry-run / –apply / git-guard semantics.
  • Run the bumped publish. Once the operator has bumped versions and committed them, shipper publish handles the actual train exactly as for any release. Fix-forward’s job is the planning layer, not the execution.
  • Chain successor → receipt via the superseded_by field. Wiring that requires post-publish receipt amendment from the successor run; another follow-on.

Keeping the first PR to planning only matches the scope pattern of plan-yank (PR 2) — give operators a text blueprint, let them apply it, leave execution orchestration for a later pass once the shape is validated in the field.

Structs§

FixForwardPlan
A fix-forward plan produced from a receipt.
FixForwardStep
One step in a fix-forward plan.

Enums§

SuccessorStrategy
Default successor-version bump strategy. None means “operator-supplied suggestion”; the plan just echoes a placeholder.

Functions§

build_plan
Build a fix-forward plan from a receipt.
plan_from_path
Load a receipt and build a fix-forward plan. Convenience wrapper used by the shipper fix-forward --from-receipt CLI path.
render_text
Render a fix-forward plan as a human-readable step list. The output is a numbered sequence: bump the Cargo.toml version for each crate, then a single shipper publish at the end to ship the lot.