Policy

switchyard::policy::config

Struct Policy 

Source 
pub struct Policy {
    pub scope: Scope,
    pub rescue: Rescue,
    pub risks: Risks,
    pub durability: Durability,
    pub apply: ApplyFlow,
    pub governance: Governance,
    pub backup: Backup,
    pub retention_count_limit: Option<usize>,
    pub retention_age_limit: Option<Duration>,
    pub allow_unreliable_immutable_check: bool,
    pub preservation_tier: PreservationTier,
}
Expand description

Policy governs preflight gates, apply behavior, and production hardening for Switchyard.

Grouped fields provide clearer ownership and ergonomics.

Fields§

§scope: Scope§rescue: Rescue§risks: Risks§durability: Durability§apply: ApplyFlow§governance: Governance§backup: Backup§retention_count_limit: Option<usize>§retention_age_limit: Option<Duration>§allow_unreliable_immutable_check: bool§preservation_tier: PreservationTier

Implementations§

Source§

impl Policy

Source

pub fn production_preset() -> Self

Construct a Policy configured with recommended production defaults.

Enables (hardened-by-default):

  • require_rescue = true (+ rescue_exec_check = true)
  • require_lock_manager = true
  • require_smoke_in_commit = true

Notes:

  • Other flags (e.g., allow_degraded_fs) remain at their defaults and should be set explicitly per environment.
  • In Commit mode, absence of a LockManager yields an early apply.attempt failure with error_id=E_LOCKING (exit_code=30).
  • Missing smoke runner when require_smoke_in_commit=true yields E_SMOKE and triggers auto-rollback unless disabled by policy.
§Example
use switchyard::policy::Policy;
use switchyard::{Switchyard, logging::JsonlSink};
// Optional adapters used in production
use switchyard::adapters::FileLockManager;
use switchyard::adapters::DefaultSmokeRunner;

let policy = Policy::production_preset();
let api = Switchyard::new(JsonlSink::default(), JsonlSink::default(), policy)
    .with_lock_manager(Box::new(FileLockManager::new(std::path::PathBuf::from("/tmp/lock"))))
    .with_smoke_runner(Box::new(DefaultSmokeRunner::default()));
Source

pub const fn apply_production_preset(&mut self) -> &mut Self

Mutate this Policy to apply the recommended production defaults.

Source

pub fn coreutils_switch_preset() -> Self

Construct a Policy tailored for switching system coreutils to uutils-coreutils.

Builds on production_preset and tightens gates:

  • allow_degraded_fs = false (fail on EXDEV; no degraded fallback)
  • strict_ownership = true (requires OwnershipOracle)
  • require_preservation = true (STOP if basic preservation not supported)
  • override_preflight = false (fail-closed)
  • force_untrusted_source = false
  • force_restore_best_effort = false (missing backup → error)
  • backup_tag = "coreutils"

Additionally, for safer toolchain swaps:

  • extra_mount_checks defaults to common tool mount points (/usr, /bin, etc.)
  • forbid_paths blocks virtual/volatile filesystems (/proc, /sys, /dev, /run, /tmp)

Caller must still scope the operation by setting allow_roots to the exact tree being switched (e.g., <root>/usr/bin). Everything else remains blocked.

§Example
use switchyard::policy::Policy;
let mut policy = Policy::coreutils_switch_preset();
policy.scope.allow_roots.push(root.join("usr/bin")); // narrow the blast radius
// Optionally tighten expectations on rescue tool count:
// policy.rescue.min_count = policy.rescue.min_count.max(6);
Source

pub fn apply_coreutils_switch_preset(&mut self) -> &mut Self

Mutate this Policy to apply the coreutils switch preset; see coreutils_switch_preset().

Trait Implementations§

Source§

impl Clone for Policy

Source§

fn clone(&self) -> Policy

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Policy

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for Policy

Source§

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

§

impl Freeze for Policy

§

impl RefUnwindSafe for Policy

§

impl Send for Policy

§

impl Sync for Policy

§

impl Unpin for Policy

§

impl UnwindSafe for Policy

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.