
Function write_atomic 

pub fn write_atomic(
    target: &Path,
    bytes: &[u8],
    overwrite: bool,
    durable: bool,
) -> Result<()>

Atomically write bytes to target.

We always write the content to a temp file in the same directory (so the final step stays within one filesystem) and then publish it atomically:

  • overwrite = false (the default): publish with hard_link(temp → target), which the kernel performs as an atomic exclusive create — it fails with EEXIST if target already exists. This closes the check-then-act (TOCTOU) race that a separate exists() test would leave open: there is no window between testing and creating.
  • overwrite = true (--force): publish with rename, which atomically replaces any existing file.

Either way, a reader never observes a partially written file. When durable is set, the parent directory is fsync’d after the publish (T17.4 layer 3) so that the new directory entry is crash-durable. The install path sets it; ephemeral scratch writes (e.g. the release-diff zdump tree, the compare oracle tree) pass false to skip the directory fsync, which is pointless for files that are deleted soon afterwards.
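
The publish scheme described above, as an added std-only sketch that is not this crate's own implementation. The name `write_atomic_sketch`, the temp-file naming, the `SEQ` counter and the `io::Result` return type are assumptions made for illustration.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::path::Path;
use std::sync::atomic::{AtomicU64, Ordering};

// Hypothetical per-process counter so concurrent calls get distinct temp names.
static SEQ: AtomicU64 = AtomicU64::new(0);

/// Sketch of the scheme described above; name and temp-file naming are assumptions.
pub fn write_atomic_sketch(target: &Path, bytes: &[u8], overwrite: bool, durable: bool) -> io::Result<()> {
    let dir = match target.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    let name = target.file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "target has no file name"))?;
    let n = SEQ.fetch_add(1, Ordering::Relaxed);
    let tmp = dir.join(format!(".{}.{}.{}.tmp", name.to_string_lossy(), std::process::id(), n));
    // create_new is O_CREAT|O_EXCL: never write through a pre-planted file or symlink.
    let mut f = OpenOptions::new().write(true).create_new(true).open(&tmp)?;
    let published = (|| -> io::Result<()> {
        f.write_all(bytes)?;
        f.sync_all()?; // contents reach disk before the name becomes visible
        if overwrite {
            fs::rename(&tmp, target) // atomically replaces an existing target
        } else {
            fs::hard_link(&tmp, target) // exclusive create: AlreadyExists if target exists
        }
    })();
    // rename already consumed the temp name; otherwise (hard_link or error) drop it here.
    let _ = fs::remove_file(&tmp);
    published?;
    if durable {
        File::open(dir)?.sync_all()?; // fsync the parent directory (works on Unix)
    }
    Ok(())
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("write_atomic_demo_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let target = dir.join("out.bin"); // constructed sample path
    write_atomic_sketch(&target, b"first", false, true)?;
    let second = write_atomic_sketch(&target, b"second", false, false);
    println!("second exclusive publish: {:?}", second.map_err(|e| e.kind()));
    write_atomic_sketch(&target, b"forced", true, false)?;
    println!("content: {:?}", String::from_utf8_lossy(&fs::read(&target)?));
    fs::remove_dir_all(&dir)
}
```

A failed exclusive publish leaves the existing target untouched and removes its own temp file, so callers can treat `AlreadyExists` as a clean refusal rather than a partial write.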