From a7fd52ccfc4b984bc3417c8259334bff32a1e20f Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 01:23:06 +0100
Subject: [PATCH 01/29] Fixes #26089: Implement augeas module

---
 Cargo.lock                                    |   8 +-
 policies/module-types/augeas/Cargo.toml       |   4 +-
 policies/module-types/augeas/README.md        |   5 +
 policies/module-types/augeas/src/augeas.rs    |  61 +-
 policies/module-types/augeas/src/check.rs     |  33 --
 policies/module-types/augeas/src/dsl.rs       |  84 +--
 .../module-types/augeas/src/dsl/changes.rs    | 529 ++++++++++++++++++
 .../module-types/augeas/src/dsl/checks.rs     |  57 ++
 policies/module-types/augeas/src/main.rs      |   1 -
 .../module-types/augeas/src/parameters.rs     |  34 +-
 10 files changed, 677 insertions(+), 139 deletions(-)
 delete mode 100644 policies/module-types/augeas/src/check.rs
 create mode 100644 policies/module-types/augeas/src/dsl/changes.rs
 create mode 100644 policies/module-types/augeas/src/dsl/checks.rs

diff --git a/Cargo.lock b/Cargo.lock
index 044f449165..778731d806 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3071,8 +3071,7 @@ dependencies = [
 [[package]]
 name = "raugeas"
 version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b0aeef2b5e9cb2aca61802a4622597b2e0be5467b2344d91eb6340d0ea050cb"
+source = "git+https://github.com/Normation/raugeas.git#ca2790e6ecc127a9062324f60227a907cc56e7db"
 dependencies = [
  "bitflags 2.6.0",
  "libc",
@@ -3082,8 +3081,7 @@ dependencies = [
 [[package]]
 name = "raugeas_sys"
 version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae9dc7ba072353d6dff50ade0ffc23a679c7f645ac0c21ae7edb7efa22f8a1f9"
+source = "git+https://github.com/Normation/raugeas.git#ca2790e6ecc127a9062324f60227a907cc56e7db"
 dependencies = [
  "bindgen 0.70.1",
  "pkg-config",
@@ -3302,7 +3300,9 @@ name = "rudder-module-augeas"
 version = "0.0.0-dev"
 dependencies = [
  "anyhow",
+ "nom",
  "raugeas",
+ "regex",
  "rudder_commons_test",
  "rudder_module_type",
  "serde",
diff --git a/policies/module-types/augeas/Cargo.toml b/policies/module-types/augeas/Cargo.toml
index 1568c859a4..aa7494b10f 100644
--- a/policies/module-types/augeas/Cargo.toml
+++ b/policies/module-types/augeas/Cargo.toml
@@ -10,11 +10,13 @@ license.workspace = true
 
 [dependencies]
 anyhow = "1"
+nom = "7"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde-inline-default = "0.2"
+regex = "1.11.1"
 rudder_module_type = { path = "../../rudder-module-type" }
-raugeas = "0.2.2"
+raugeas = { git = "https://github.com/Normation/raugeas.git" }
 
 [dev-dependencies]
 rudder_commons_test = { path = "../../rudder-commons-test" }
diff --git a/policies/module-types/augeas/README.md b/policies/module-types/augeas/README.md
index 6370adf0ef..d7c09eafa5 100644
--- a/policies/module-types/augeas/README.md
+++ b/policies/module-types/augeas/README.md
@@ -18,3 +18,8 @@ There are different ways to use this module:
 * By passing `commands`. This is the most flexible way to use the module, but it also bypasses all safeguards
   and makes reporting less precise. It exposes the full power of Augeas (but also the full danger).
   Use with caution.
+
+## License
+
+from https://github.com/puppetlabs/puppetlabs-augeas_core.git
+under Apache-2.0
\ No newline at end of file
diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index de25035a48..d0541d7d6b 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -6,8 +6,40 @@ use raugeas::{CommandsNumber, Flags, SaveMode};
 use rudder_module_type::{rudder_debug, CheckApplyResult, Outcome, PolicyMode};
 use std::env;
 
+/// Augeas module implementation.
+///
+/// NOTE: We only support UTF-8 paths and values. This is constrained by
+/// the usage of JSON in the API.
+///
+/// We don't store the Augeas instance across runs.
+///
+/// We never load the tree. Reading the lenses takes time, but is quite convenient, so we offer
+/// the options.
+///
+/// Below are some metrics for the different ways to run Augeas, based on `augtool` options:
+///
+/// * `-L` is for skipping loading the tree.
+/// * `-A` is for skipping autoloading lenses (and hence the tree)
+///
+/// | Command | Mean \[ms\] | Min \[ms\] | Max \[ms\] | Relative |
+/// |:---|---:|---:|---:|---:|
+/// | `augtool -LA get /augeas/version` | 2.6 ± 0.5 | 1.6 | 4.6 | 1.00 |
+/// | `augtool -L get /augeas/version` | 209.5 ± 5.2 | 200.2 | 221.5 | 80.72 ± 15.16 |
+/// | `augtool get /augeas/version` | 663.0 ± 37.2 | 632.0 | 755.7 | 255.46 ± 49.69 |
+///
+/// Using:
+///
+/// ```shell
+/// hyperfine -N  --export-markdown augtool.md
+///     "augtool -LA get /augeas/version"
+///     "augtool -L get /augeas/version"
+///     "augtool get /augeas/version"
+/// ```
 pub struct Augeas {}
 
+// TODO: study allowing to store the instance and keeping it until we see
+//       potential problems (e.g. commands).
+
 impl Augeas {
     pub(crate) fn new() -> anyhow::Result<Self> {
         // Cleanup the environment first to avoid any interference.
@@ -43,7 +75,9 @@ impl Augeas {
             flags.insert(Flags::TYPE_CHECK);
         }
 
-        let mut aug = raugeas::Augeas::init(p.root.as_deref(), &p.load_paths(), flags)?;
+        let root: Option<&str> = p.root.as_deref();
+        // FIXME root
+        let mut aug = raugeas::Augeas::init("/", &p.load_paths(), flags)?;
 
         // Show version for debugging purposes.
         let version = aug.version()?;
@@ -77,12 +111,14 @@ impl Augeas {
         // * We guarantee that the policy mode is respected.
         //////////////////////////////////
 
-        let path = p.path.clone().unwrap();
+        let lens_opt = p.lens_name();
+        let _context = p.context();
+        let path = p.path.as_deref().unwrap().to_string();
 
-        if let Some(l) = p.lens() {
+        if let Some(l) = lens_opt {
             // If we have a lens, we need to load it and load the file.
-            aug.set(&format!("/augeas/load/${l}/lens"), &l.to_string())?;
-            aug.set(&format!("/augeas/load/${l}/incl"), &path.to_string())?;
+            aug.set(&format!("/augeas/load/${l}/lens"), l.as_ref())?;
+            aug.set(&format!("/augeas/load/${l}/incl"), &path)?;
             aug.load()?;
         } else {
             // Else load it with the detected lens.
@@ -90,10 +126,22 @@ impl Augeas {
             aug.load_file(&path.to_string())?;
         }
 
-        if !p.changes.is_empty() {
+        // Do the changes before the checks.
+
+        let do_changes = if !p.change_if.is_empty() {
+            rudder_debug!("Running change conditions: {:?}", p.change_if);
+            // FIXME handle policy mode
+            todo!()
+        } else {
+            true
+        };
+
+        if do_changes && !p.changes.is_empty() {
             rudder_debug!("Running changes: {:?}", p.changes);
+            // FIXME handle policy mode
             todo!()
         }
+
         if !p.checks.is_empty() {
             rudder_debug!("Running checks: {:?}", p.checks);
             todo!()
@@ -112,7 +160,6 @@ impl Augeas {
         // Get information about changes
 
         // make backups
-
         todo!()
     }
 }
diff --git a/policies/module-types/augeas/src/check.rs b/policies/module-types/augeas/src/check.rs
deleted file mode 100644
index f3beccafac..0000000000
--- a/policies/module-types/augeas/src/check.rs
+++ /dev/null
@@ -1,33 +0,0 @@
-// SPDX-License-Identifier: GPL-3.0-or-later
-// SPDX-FileCopyrightText: 2024 Normation SAS
-
-//! Implements augeas-based checks, used either for audits or conditions.
-
-/*
-pub enum Constraint {
-    /// Is present
-    Present,
-    /// Is absent
-    Absent,
-    /// Equals a value
-    Equal,
-    /// Does not equal a value
-    NotEqual,
-    /// Match a regular expression
-    Match,
-    /// Does not match a regular expression
-    NotMatch,
-    /// Is greater than a value
-    GreaterThan,
-    /// Is greater than or equal to a value
-    GreaterThanOrEqual,
-    /// Is less than a value
-    LessThan,
-    /// Is less than or equal to a value
-    LessThanOrEqual,
-    // Is in a list of values
-    InList(Vec<String>),
-    // Is not in a list of forbidden values
-    NotInList(Vec<String>),
-}
-*/
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 4e6ac8bbd2..7d64a08ec7 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -1,82 +1,2 @@
-// SPDX-License-Identifier: GPL-3.0-or-later
-// SPDX-FileCopyrightText: 2024 Normation SAS
-
-//! Implements two DSLs to define a safe subset of augeas commands
-//! and handle checks.
-
-/*
-
-use anyhow::Error;
-use std::str::FromStr;
-
-pub type Path = String;
-pub type Value = String;
-pub type Sub = String;
-
-pub enum Changes {
-    Set(Path, Value),
-    SetM(Path, Sub, Value),
-    Rm(Path),
-    Remove(Path),
-    Clear(Path),
-    ClearM(Path, Sub),
-    Touch(Path),
-    Ins(String, String, Path),
-    Insert(String, String, Path),
-    Mv(Path, Path),
-    Move(Path, Path),
-    Rename(Path, String),
-    DefVar(String, Path),
-    DefNode(String, Path, Value),
-}
-
-impl FromStr for Changes {
-    type Err = Error;
-
-    fn from_str(_s: &str) -> Result<Self, Self::Err> {
-        todo!()
-    }
-}
-
-
-
-from https://github.com/puppetlabs/puppetlabs-augeas_core.git
-under Apache-2.0
-
-changes:
-    set <PATH> <VALUE> --- Sets the value VALUE at location PATH
-    setm <PATH> <SUB> <VALUE> --- Sets multiple nodes (matching SUB relative to PATH) to VALUE
-    rm <PATH> --- Removes the node at location PATH
-    remove <PATH> --- Synonym for rm
-    clear <PATH> --- Sets the node at PATH to NULL, creating it if needed
-    clearm <PATH> <SUB> --- Sets multiple nodes (matching SUB relative to PATH) to NULL
-    touch <PATH> --- Creates PATH with the value NULL if it does not exist
-    ins <LABEL> (before|after) <PATH> --- Inserts an empty node LABEL either before or after PATH.
-    insert <LABEL> <WHERE> <PATH> --- Synonym for ins
-    mv <PATH> <OTHER PATH> --- Moves a node at PATH to the new location OTHER PATH
-    move <PATH> <OTHER PATH> --- Synonym for mv
-    rename <PATH> <LABEL> --- Rename a node at PATH to a new LABEL
-    defvar <NAME> <PATH> --- Sets Augeas variable $NAME to PATH
-    defnode <NAME> <PATH> <VALUE> --- Sets Augeas variable $NAME to PATH, creating it with VALUE if needed
-
-ifonly:
-    get <AUGEAS_PATH> <COMPARATOR> <STRING>
-    values <MATCH_PATH> include <STRING>
-    values <MATCH_PATH> not_include <STRING>
-    values <MATCH_PATH> == <AN_ARRAY>
-    values <MATCH_PATH> != <AN_ARRAY>
-    match <MATCH_PATH> size <COMPARATOR> <INT>
-    match <MATCH_PATH> include <STRING>
-    match <MATCH_PATH> not_include <STRING>
-    match <MATCH_PATH> == <AN_ARRAY>
-    match <MATCH_PATH> != <AN_ARRAY>
-
-where:
-    AUGEAS_PATH is a valid path scoped by the context
-    MATCH_PATH is a valid match syntax scoped by the context
-    COMPARATOR is one of >, >=, !=, ==, <=, or <
-      ~ for regex match
-    STRING is a string
-    INT is a number
-    AN_ARRAY is in the form ['a string', 'another']
-*/
+mod changes;
+mod checks;
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
new file mode 100644
index 0000000000..74d19a63d2
--- /dev/null
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -0,0 +1,529 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+//#![deny(elided_lifetimes_in_paths)]
+
+//! Implements two DSLs to define a safe subset of augeas commands.
+
+use nom::branch::alt;
+use nom::bytes::complete::{is_not, tag};
+use nom::character::complete::{
+    alpha1, char, line_ending, multispace0, not_line_ending, space0, space1,
+};
+use nom::combinator::{eof, not, opt};
+use nom::multi::many0;
+use nom::sequence::delimited;
+use nom::{Finish, IResult};
+use std::borrow::Cow;
+use std::str::FromStr;
+
+use anyhow::{anyhow, Result};
+use nom::error::VerboseError;
+use raugeas::Augeas;
+
+/// A path in the Augeas tree.
+#[derive(Debug, PartialEq)]
+pub struct AugPath<'a> {
+    inner: &'a str,
+}
+pub type Value<'a> = &'a str;
+pub type Sub<'a> = &'a str;
+
+impl<'a> From<&'a str> for AugPath<'a> {
+    fn from(s: &'a str) -> Self {
+        AugPath { inner: s }
+    }
+}
+
+impl<'a> AugPath<'a> {
+    pub fn new<T: AsRef<&'a str>>(path: T) -> AugPath<'a> {
+        AugPath {
+            inner: path.as_ref(),
+        }
+    }
+
+    pub fn with_context(&self, context: Option<&str>) -> Cow<str> {
+        match context {
+            Some(c) => format!("{}/{}", c, self.inner).into(),
+            None => self.inner.into(),
+        }
+    }
+}
+
+/// The ordered list of changes to apply.
+///
+/// FIXME: *excellent* reporting for each change.
+/// FIXME: make it as close as possible to the augeas command line & srun syntax.
+#[derive(Debug, PartialEq)]
+pub struct Changes<'a> {
+    changes: Vec<Change<'a>>,
+}
+
+impl<'a> Changes<'a> {
+    pub fn from(input: &'a str) -> Result<Changes<'a>> {
+        let (_, changes) = changes(&input)
+            .finish()
+            .map_err(|e| anyhow!(format!("{:?}", e)))?;
+        Ok(Changes { changes })
+    }
+
+    pub fn evaluate(&self, context: Option<&str>, augeas: &mut Augeas) -> Result<()> {
+        for change in &self.changes {
+            change.evaluate(context, augeas)?;
+        }
+        Ok(())
+    }
+}
+
+#[derive(Debug, PartialEq)]
+pub enum Change<'a> {
+    /// Sets the value VALUE at location PATH
+    Set(AugPath<'a>, Value<'a>),
+    /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
+    SetM(AugPath<'a>, Sub<'a>, Value<'a>),
+    /// Removes the node at location PATH
+    Rm(AugPath<'a>),
+    /// Synonym for Rm
+    Remove(AugPath<'a>),
+    /// Sets the node at PATH to NULL, creating it if needed
+    Clear(AugPath<'a>),
+    /// Sets multiple nodes (matching SUB relative to PATH) to NULL
+    ClearM(AugPath<'a>, Sub<'a>),
+    /// Creates PATH with the value NULL if it does not exist
+    Touch(AugPath<'a>),
+    /// Inserts an empty node LABEL either before or after PATH.
+    Ins(Value<'a>, Value<'a>, AugPath<'a>),
+    /// Synonym for Ins
+    Insert(Value<'a>, Value<'a>, AugPath<'a>),
+    /// Moves a node at PATH to the new location OTHER PATH
+    Mv(AugPath<'a>, AugPath<'a>),
+    /// Synonym for Mv
+    Move(AugPath<'a>, AugPath<'a>),
+    /// Rename a node at PATH to a new LABEL
+    Rename(AugPath<'a>, Value<'a>),
+    /// Sets Augeas variable $NAME to PATH
+    DefVar(Value<'a>, AugPath<'a>),
+    /// Sets Augeas variable $NAME to PATH, creating it with VALUE if needed
+    DefNode(Value<'a>, AugPath<'a>, Value<'a>),
+}
+
+impl<'a> Change<'a> {
+    fn evaluate(&self, context: Option<&str>, augeas: &'a mut Augeas) -> Result<()> {
+        match self {
+            Change::Set(path, value) => augeas.set(path.with_context(context).as_ref(), value)?,
+            //Change::SetM(path, sub, value) => augeas.setm(path, sub, value).map(|_| ())?,
+            //Change::Rm(path) => augeas.rm(path).map(|_| ())?,
+            //Change::Remove(path) => augeas.rm(path).map(|_| ())?,
+            //Change::Clear(path) => augeas.clear(path)?,
+            //Change::ClearM(path, sub) => augeas.clearm(path, sub)?,
+            //Change::Touch(path) => augeas.touch(path)?,
+            //Change::Ins(label, position, path) => augeas.insert(label, position, path)?,
+            //Change::Insert(label, position, path) => augeas.insert(label, position, path)?,
+            //Change::Mv(path, other) => augeas.mv(path, other)?,
+            //Change::Move(path, other) => augeas.mv(path, other)?,
+            //Change::Rename(path, label) => augeas.rename(path, label).map(|_| ())?,
+            //Change::DefVar(name, path) => augeas.defvar(name, path)?,
+            //Change::DefNode(name, path, value) => augeas.defnode(name, path, value).map(|_| ())?,
+            _ => todo!(),
+        }
+        Ok(())
+    }
+}
+
+/// Read a comment.
+///
+/// A comment starts with a `#` and ends with a newline.
+fn comment(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, _) = tag("#")(input)?;
+    let (input, comment) = not_line_ending(input)?;
+    Ok((input, comment))
+}
+
+/// Read a command name.
+fn command(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, command) = alpha1(input)?;
+    Ok((input, command))
+}
+
+/// Read a path or a value.
+///
+/// It can contain spaces, in which case it must be quoted.
+fn arg(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, _) = space0(input)?;
+    // either a quoted string or an unquoted string
+    let (input, arg) = alt((
+        // FIXME cleanup eol & delimiters
+        delimited(char('"'), is_not("\"\r\n"), char('"')),
+        delimited(char('\''), is_not("'\r\n"), char('\'')),
+        is_not("\"' \t\r\n"),
+    ))(input)?;
+    Ok((input, arg))
+}
+
+fn cmd_set(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("set")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    let (input, value) = arg(input)?;
+    Ok((input, Change::Set(path.into(), value)))
+}
+
+fn cmd_setm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("setm")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    let (input, sub) = arg(input)?;
+    let (input, value) = arg(input)?;
+    Ok((input, Change::SetM(path.into(), sub, value)))
+}
+
+fn cmd_rm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = alt((tag("rm"), tag("remove")))(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    Ok((input, Change::Rm(path.into())))
+}
+
+fn cmd_clear(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("clear")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    Ok((input, Change::Clear(path.into())))
+}
+
+fn cmd_clearm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("clearm")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    let (input, sub) = arg(input)?;
+    Ok((input, Change::ClearM(path.into(), sub)))
+}
+
+fn cmd_touch(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("touch")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    Ok((input, Change::Touch(path.into())))
+}
+
+fn cmd_ins(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = alt((tag("ins"), tag("insert")))(input)?;
+    let (input, _) = space1(input)?;
+    let (input, label) = arg(input)?;
+    let (input, position) = arg(input)?;
+    let (input, path) = arg(input)?;
+    Ok((input, Change::Ins(label, position, path.into())))
+}
+
+fn cmd_mv(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = alt((tag("mv"), tag("move")))(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    let (input, other) = arg(input)?;
+    Ok((input, Change::Mv(path.into(), other.into())))
+}
+
+fn cmd_rename(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("rename")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = arg(input)?;
+    let (input, label) = arg(input)?;
+    Ok((input, Change::Rename(path.into(), label)))
+}
+
+fn cmd_defvar(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("defvar")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, name) = arg(input)?;
+    let (input, path) = arg(input)?;
+    Ok((input, Change::DefVar(name, path.into())))
+}
+
+fn cmd_defnode(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    let (input, _) = tag("defnode")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, name) = arg(input)?;
+    let (input, path) = arg(input)?;
+    let (input, value) = arg(input)?;
+    Ok((input, Change::DefNode(name, path.into(), value)))
+}
+
+/// Read a valid change.
+fn change(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
+    alt((
+        cmd_set,
+        cmd_setm,
+        cmd_rm,
+        cmd_clear,
+        cmd_clearm,
+        cmd_touch,
+        cmd_ins,
+        cmd_mv,
+        cmd_rename,
+        cmd_defvar,
+        cmd_defnode,
+    ))(input)
+}
+
+fn line(input: &str) -> IResult<&str, Option<Change>, VerboseError<&str>> {
+    let (input, _) = not(eof)(input)?;
+    let (input, _) = space0(input)?;
+    let (input, _) = opt(comment)(input)?;
+    let (input, change) = opt(change)(input)?;
+    let (input, _) = space0(input)?;
+    let (input, _) = opt(comment)(input)?;
+    let (input, _) = opt(line_ending)(input)?;
+    Ok((input, change))
+}
+
+fn changes(input: &str) -> IResult<&str, Vec<Change>, VerboseError<&str>> {
+    // many0 -> allow empty changes (only comments, etc.)
+    let (input, changes) = many0(line)(input)?;
+    let changes = changes.into_iter().filter_map(|c| c).collect();
+    let (input, _) = multispace0(input)?;
+    let (input, _) = eof(input)?;
+    Ok((input, changes))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_comment() {
+        let input = "# This is a comment";
+        let expected = " This is a comment";
+        let result = comment(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_command() {
+        let input = "set /path/to/node value";
+        let expected = "set";
+        let result = command(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_command_with_multiple_words() {
+        let input = "set /path/to/node value";
+        let expected = "set";
+        let result = command(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_command_with_no_space() {
+        let input = "set";
+        let expected = "set";
+        let result = command(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_command_with_empty_input() {
+        let input = "";
+        let result = command(input);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_arg_with_quoted_value() {
+        let input = r#""quoted value""#;
+        let expected = "quoted value";
+        let result = arg(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_single_quoted_value() {
+        let input = r#"'quoted value'"#;
+        let expected = "quoted value";
+        let result = arg(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_unquoted_value() {
+        let input = "unquoted value";
+        let expected = "unquoted";
+        let result = arg(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_empty_input() {
+        let input = "";
+        let result = arg(input);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_change_set() {
+        let input = "set /path/to/node value";
+        let expected = Change::Set("/path/to/node".into(), "value");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_setm() {
+        let input = "setm /path/to/nodes subnode value";
+        let expected = Change::SetM("/path/to/nodes".into(), "subnode", "value");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_rm() {
+        let input = "rm /path/to/node";
+        let expected = Change::Rm("/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_clear() {
+        let input = "clear /path/to/node";
+        let expected = Change::Clear("/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_clearm() {
+        let input = "clearm /path/to/nodes subnode";
+        let expected = Change::ClearM("/path/to/nodes".into(), "subnode");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_touch() {
+        let input = "touch /path/to/node";
+        let expected = Change::Touch("/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_ins() {
+        let input = "ins label before /path/to/node";
+        let expected = Change::Ins("label", "before", "/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_mv() {
+        let input = "mv /path/to/node /new/path";
+        let expected = Change::Mv("/path/to/node".into(), "/new/path".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_rename() {
+        let input = "rename /path/to/node new_label";
+        let expected = Change::Rename("/path/to/node".into(), "new_label");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_defvar() {
+        let input = "defvar name /path/to/node";
+        let expected = Change::DefVar("name", "/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_defnode() {
+        let input = "defnode name /path/to/node value";
+        let expected = Change::DefNode("name", "/path/to/node".into(), "value");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_empty_line() {
+        let input = "";
+        let result = line(input);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_empty_line_break() {
+        let input = "\n";
+        let result = line(input).unwrap();
+        assert_eq!(result.1, None);
+    }
+
+    #[test]
+    fn test_empty_line_carriage_return() {
+        let input = "\r\n";
+        let result = line(input).unwrap();
+        assert_eq!(result.1, None);
+    }
+
+    #[test]
+    fn test_line() {
+        let input = "set /path/to/node value\n";
+        let expected = Change::Set("/path/to/node".into(), "value");
+        let result = line(input).unwrap();
+        assert_eq!(result.1, Some(expected));
+    }
+
+    #[test]
+    fn test_line_command_and_comment() {
+        let input = "set /path/to/node value # comment\n";
+        let expected = Change::Set("/path/to/node".into(), "value");
+        let result = line(input).unwrap();
+        assert_eq!(result.1, Some(expected));
+    }
+
+    #[test]
+    fn test_line_comment() {
+        let input = "# comment\n";
+        let result = line(input).unwrap();
+        assert_eq!(result.1, None);
+    }
+
+    #[test]
+    fn test_changes() {
+        let input = r#"
+            # This is a comment
+            set /path/to/node value
+            setm /path/to/nodes 'sub node' value
+            rm /path/to/node
+            # other comment
+
+            clear /path/to/node # another command
+            clearm /path/to/nodes "sub node"
+            touch /path/to/node
+
+            ins  label  before        /path/to/node
+            mv /path/to/node /new/path
+            rename /path/to/node new_label
+            defvar name /path/to/node
+            defnode name /path/to/node value
+        "#;
+        let expected = vec![
+            Change::Set("/path/to/node".into(), "value"),
+            Change::SetM("/path/to/nodes".into(), "sub node", "value"),
+            Change::Rm("/path/to/node".into()),
+            Change::Clear("/path/to/node".into()),
+            Change::ClearM("/path/to/nodes".into(), "sub node"),
+            Change::Touch("/path/to/node".into()),
+            Change::Ins("label", "before", "/path/to/node".into()),
+            Change::Mv("/path/to/node".into(), "/new/path".into()),
+            Change::Rename("/path/to/node".into(), "new_label"),
+            Change::DefVar("name", "/path/to/node".into()),
+            Change::DefNode("name", "/path/to/node".into(), "value"),
+        ];
+        let result = changes(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+}
diff --git a/policies/module-types/augeas/src/dsl/checks.rs b/policies/module-types/augeas/src/dsl/checks.rs
new file mode 100644
index 0000000000..9ef901c8f2
--- /dev/null
+++ b/policies/module-types/augeas/src/dsl/checks.rs
@@ -0,0 +1,57 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+use regex::Regex;
+
+pub type MatchPath = String;
+
+/*
+
+
+changes:
+
+ifonly:
+    get <AUGEAS_PATH> <COMPARATOR> <STRING>
+    values <MATCH_PATH> include <STRING>
+    values <MATCH_PATH> not_include <STRING>
+    values <MATCH_PATH> == <AN_ARRAY>
+    values <MATCH_PATH> != <AN_ARRAY>
+    match <MATCH_PATH> size <COMPARATOR> <INT>
+    match <MATCH_PATH> include <STRING>
+    match <MATCH_PATH> not_include <STRING>
+    match <MATCH_PATH> == <AN_ARRAY>
+    match <MATCH_PATH> != <AN_ARRAY>
+
+where:
+    AUGEAS_PATH is a valid path scoped by the context
+    MATCH_PATH is a valid match syntax scoped by the context
+    COMPARATOR is one of >, >=, !=, ==, <=, or <
+      ~ for regex match
+    STRING is a string
+    INT is a number
+    AN_ARRAY is in the form ['a string', 'another']
+*/
+
+pub enum Comparator {
+    GreaterThan,
+    GreaterThanOrEqual,
+    NotEqual,
+    Equal,
+    LessThanOrEqual,
+    LessThan,
+    MatchRegex(Regex),
+    NotMatchRegex(Regex),
+}
+
+pub enum Check {
+    Get(String, Comparator, String),
+    ValuesInclude(String, String),
+    ValuesNotInclude(String, String),
+    ValuesEqual(String, Vec<String>),
+    ValuesNotEqual(String, Vec<String>),
+    MatchSize(String, String, usize),
+    MatchInclude(String, String),
+    MatchNotInclude(String, String),
+    MatchEqual(String, Vec<String>),
+    MatchNotEqual(String, Vec<String>),
+}
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index e17b56d3ff..9fd8dfe64a 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -2,7 +2,6 @@
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
 mod augeas;
-mod check;
 mod dsl;
 mod parameters;
 
diff --git a/policies/module-types/augeas/src/parameters.rs b/policies/module-types/augeas/src/parameters.rs
index e5e54c95dd..5aee4d941f 100644
--- a/policies/module-types/augeas/src/parameters.rs
+++ b/policies/module-types/augeas/src/parameters.rs
@@ -6,6 +6,7 @@ use anyhow::{anyhow, Result};
 use rudder_module_type::PolicyMode;
 use serde::{Deserialize, Serialize};
 use serde_inline_default::serde_inline_default;
+use std::borrow::Cow;
 use std::iter;
 
 /// Parameters for the augeas module.
@@ -26,7 +27,7 @@ pub struct AugeasParameters {
     // same syntax as only if?
     pub checks: Vec<String>,
     // only_if
-    pub condition: Vec<String>,
+    pub change_if: Vec<String>,
     /// Prefix to add.
     ///
     /// By default,
@@ -82,19 +83,31 @@ impl AugeasParameters {
     }
 
     /// Returns the lens name with the `.lns` extension if missing.
-    pub fn lens(&self) -> Option<String> {
-        match self.lens.as_ref() {
+    pub fn lens_name(&self) -> Option<Cow<str>> {
+        match self.lens.as_deref() {
             Some(lens) => {
                 if lens.ends_with(".lns") {
-                    Some(lens.clone())
+                    Some(Cow::from(lens))
                 } else {
-                    Some(format!("{lens}.lns"))
+                    Some(Cow::from(format!("{lens}.lns")))
                 }
             }
             None => None,
         }
     }
 
+    pub fn context(&self) -> Option<Cow<str>> {
+        match (self.context.as_deref(), self.path.as_deref()) {
+            (Some(context), _) => Some(Cow::from(context)),
+            (None, Some(p)) => Some(Cow::from(format!("files/{p}"))),
+            (_, None) => None,
+        }
+    }
+
+    /// Validate the parameters.
+    ///
+    /// Enforce consistency between the different fields, as this module
+    /// provides a lot of flexibility, with different operating modes.
     pub fn validate(&self, policy_mode: Option<PolicyMode>) -> Result<()> {
         if !self.commands.is_empty() {
             if let Some(p) = policy_mode {
@@ -117,11 +130,10 @@ impl AugeasParameters {
             }
         }
 
-        if !self.changes.is_empty() && !self.checks.is_empty() {
-            return Err(anyhow!("Cannot use both `changes` and `checks`"));
-        }
         if self.changes.is_empty() && self.checks.is_empty() {
-            return Err(anyhow!("One of `changes` or `checks` must be used"));
+            return Err(anyhow!(
+                "At least one of `changes` or `checks` must be used"
+            ));
         }
 
         if self.path.is_none() {
@@ -143,7 +155,7 @@ mod tests {
             lens: Some(lens),
             ..Default::default()
         };
-        let result = p.lens().unwrap();
+        let result = p.lens_name().unwrap();
         assert_eq!(result, "test_lens.lns");
     }
 
@@ -154,7 +166,7 @@ mod tests {
             lens: Some(lens),
             ..Default::default()
         };
-        let result = p.lens().unwrap();
+        let result = p.lens_name().unwrap();
         assert_eq!(result, "test_lens.lns");
     }
 }

From c8561a3ae0193ae6ebf1a15d2bc6bc1a9ada9ca7 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 01:46:36 +0100
Subject: [PATCH 02/29] fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    | 27 ++++---
 policies/module-types/augeas/src/dsl.rs       | 43 ++++++++++
 .../module-types/augeas/src/dsl/changes.rs    | 79 +------------------
 policies/module-types/augeas/src/main.rs      |  1 +
 .../module-types/augeas/src/parameters.rs     |  8 +-
 5 files changed, 66 insertions(+), 92 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index d0541d7d6b..4938bf2c41 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -77,7 +77,7 @@ impl Augeas {
 
         let root: Option<&str> = p.root.as_deref();
         // FIXME root
-        let mut aug = raugeas::Augeas::init("/", &p.load_paths(), flags)?;
+        let mut aug = raugeas::Augeas::init("/", p.load_paths(), flags)?;
 
         // Show version for debugging purposes.
         let version = aug.version()?;
@@ -94,7 +94,7 @@ impl Augeas {
             assert_eq!(policy_mode, PolicyMode::Enforce);
 
             rudder_debug!("Running commands: {:?}", p.commands);
-            let (num, out) = aug.srun(&p.commands.join("\n"))?;
+            let (num, out) = aug.srun(&p.commands)?;
             let summary = match num {
                 CommandsNumber::Success(n) => format!("{n} success"),
                 CommandsNumber::Quit => "has quit".to_string(),
@@ -117,13 +117,13 @@ impl Augeas {
 
         if let Some(l) = lens_opt {
             // If we have a lens, we need to load it and load the file.
-            aug.set(&format!("/augeas/load/${l}/lens"), l.as_ref())?;
-            aug.set(&format!("/augeas/load/${l}/incl"), &path)?;
+            aug.set(format!("/augeas/load/${l}/lens"), l.as_ref())?;
+            aug.set(format!("/augeas/load/${l}/incl"), &path)?;
             aug.load()?;
         } else {
             // Else load it with the detected lens.
             // FIXME handle errors.
-            aug.load_file(&path.to_string())?;
+            aug.load_file(&path)?;
         }
 
         // Do the changes before the checks.
@@ -170,7 +170,7 @@ mod tests {
     use std::fs::read_to_string;
     use tempfile::tempdir;
 
-    fn arguments(commands: Vec<String>) -> AugeasParameters {
+    fn arguments(commands: String) -> AugeasParameters {
         AugeasParameters {
             commands,
             ..Default::default()
@@ -186,13 +186,14 @@ mod tests {
 
         let r = augeas
             .handle_check_apply(
-                arguments(vec![
-                    format!("set /augeas/load/${lens}/lens \"{lens}.lns\""),
-                    format!("set /augeas/load/${lens}/incl \"{}\"", f.display()),
-                    "load".to_string(),
-                    format!("set /files{}/0 \"hello world\"", f.display()),
-                    "save".to_string(),
-                ]),
+                arguments(
+                    [format!("set /augeas/load/${lens}/lens \"{lens}.lns\""),
+                        format!("set /augeas/load/${lens}/incl \"{}\"", f.display()),
+                        "load".to_string(),
+                        format!("set /files{}/0 \"hello world\"", f.display()),
+                        "save".to_string()]
+                    .join("\n"),
+                ),
                 PolicyMode::Enforce,
             )
             .unwrap();
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 7d64a08ec7..a6f1bcaee3 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -1,2 +1,45 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+use std::borrow::Cow;
+
 mod changes;
 mod checks;
+
+/// A path in the Augeas tree.
+#[derive(Debug, PartialEq)]
+pub struct AugPath<'a> {
+    inner: &'a str,
+}
+
+pub type Value<'a> = &'a str;
+pub type Sub<'a> = &'a str;
+
+impl<'a> From<&'a str> for AugPath<'a> {
+    fn from(s: &'a str) -> Self {
+        AugPath { inner: s }
+    }
+}
+
+impl<'a> AugPath<'a> {
+    pub fn new<T: AsRef<&'a str>>(path: T) -> AugPath<'a> {
+        AugPath {
+            inner: path.as_ref(),
+        }
+    }
+
+    pub fn is_absolute(&self) -> bool {
+        self.inner.starts_with('/')
+    }
+
+    pub fn is_relative(&self) -> bool {
+        !self.is_absolute()
+    }
+
+    pub fn with_context(&self, context: Option<&str>) -> Cow<str> {
+        match context {
+            Some(c) if self.is_relative() => format!("{}/{}", c, self.inner).into(),
+            _ => self.inner.into(),
+        }
+    }
+}
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index 74d19a63d2..7d254cf3be 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -1,55 +1,21 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-//#![deny(elided_lifetimes_in_paths)]
-
-//! Implements two DSLs to define a safe subset of augeas commands.
-
 use nom::branch::alt;
 use nom::bytes::complete::{is_not, tag};
 use nom::character::complete::{
-    alpha1, char, line_ending, multispace0, not_line_ending, space0, space1,
+    char, line_ending, multispace0, not_line_ending, space0, space1,
 };
 use nom::combinator::{eof, not, opt};
 use nom::multi::many0;
 use nom::sequence::delimited;
 use nom::{Finish, IResult};
-use std::borrow::Cow;
-use std::str::FromStr;
 
+use crate::dsl::{AugPath, Sub, Value};
 use anyhow::{anyhow, Result};
 use nom::error::VerboseError;
 use raugeas::Augeas;
 
-/// A path in the Augeas tree.
-#[derive(Debug, PartialEq)]
-pub struct AugPath<'a> {
-    inner: &'a str,
-}
-pub type Value<'a> = &'a str;
-pub type Sub<'a> = &'a str;
-
-impl<'a> From<&'a str> for AugPath<'a> {
-    fn from(s: &'a str) -> Self {
-        AugPath { inner: s }
-    }
-}
-
-impl<'a> AugPath<'a> {
-    pub fn new<T: AsRef<&'a str>>(path: T) -> AugPath<'a> {
-        AugPath {
-            inner: path.as_ref(),
-        }
-    }
-
-    pub fn with_context(&self, context: Option<&str>) -> Cow<str> {
-        match context {
-            Some(c) => format!("{}/{}", c, self.inner).into(),
-            None => self.inner.into(),
-        }
-    }
-}
-
 /// The ordered list of changes to apply.
 ///
 /// FIXME: *excellent* reporting for each change.
@@ -61,7 +27,7 @@ pub struct Changes<'a> {
 
 impl<'a> Changes<'a> {
     pub fn from(input: &'a str) -> Result<Changes<'a>> {
-        let (_, changes) = changes(&input)
+        let (_, changes) = changes(input)
             .finish()
             .map_err(|e| anyhow!(format!("{:?}", e)))?;
         Ok(Changes { changes })
@@ -139,12 +105,6 @@ fn comment(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
     Ok((input, comment))
 }
 
-/// Read a command name.
-fn command(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
-    let (input, command) = alpha1(input)?;
-    Ok((input, command))
-}
-
 /// Read a path or a value.
 ///
 /// It can contain spaces, in which case it must be quoted.
@@ -279,7 +239,7 @@ fn line(input: &str) -> IResult<&str, Option<Change>, VerboseError<&str>> {
 fn changes(input: &str) -> IResult<&str, Vec<Change>, VerboseError<&str>> {
     // many0 -> allow empty changes (only comments, etc.)
     let (input, changes) = many0(line)(input)?;
-    let changes = changes.into_iter().filter_map(|c| c).collect();
+    let changes = changes.into_iter().flatten().collect();
     let (input, _) = multispace0(input)?;
     let (input, _) = eof(input)?;
     Ok((input, changes))
@@ -297,37 +257,6 @@ mod tests {
         assert_eq!(result.1, expected);
     }
 
-    #[test]
-    fn test_command() {
-        let input = "set /path/to/node value";
-        let expected = "set";
-        let result = command(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_command_with_multiple_words() {
-        let input = "set /path/to/node value";
-        let expected = "set";
-        let result = command(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_command_with_no_space() {
-        let input = "set";
-        let expected = "set";
-        let result = command(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_command_with_empty_input() {
-        let input = "";
-        let result = command(input);
-        assert!(result.is_err());
-    }
-
     #[test]
     fn test_arg_with_quoted_value() {
         let input = r#""quoted value""#;
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index 9fd8dfe64a..560bf467df 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -27,6 +27,7 @@ impl ModuleType0 for Augeas {
     }
 
     fn validate(&self, parameters: &Parameters) -> ValidateResult {
+        // from_value does not allow zero-copy deserialization
         let parameters: AugeasParameters =
             serde_json::from_value(Value::Object(parameters.data.clone()))?;
         parameters.validate(None)
diff --git a/policies/module-types/augeas/src/parameters.rs b/policies/module-types/augeas/src/parameters.rs
index 5aee4d941f..8677304267 100644
--- a/policies/module-types/augeas/src/parameters.rs
+++ b/policies/module-types/augeas/src/parameters.rs
@@ -21,13 +21,13 @@ pub struct AugeasParameters {
     ///
     /// Should be used with care, as it can lead to override any configuration, including
     /// making changes in audit mode.
-    pub commands: Vec<String>,
-    pub changes: Vec<String>,
+    pub commands: String,
+    pub changes: String,
     // changes
     // same syntax as only if?
-    pub checks: Vec<String>,
+    pub checks: String,
     // only_if
-    pub change_if: Vec<String>,
+    pub change_if: String,
     /// Prefix to add.
     ///
     /// By default,

From 15581f553016d6092e7cbc9d7589cd6c3deca48d Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 01:52:05 +0100
Subject: [PATCH 03/29] fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs      | 10 +++++++---
 policies/module-types/augeas/src/dsl.rs         |  4 ++--
 policies/module-types/augeas/src/dsl/changes.rs |  8 +++-----
 policies/module-types/template/Cargo.toml       |  2 +-
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 4938bf2c41..86a97c70e9 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
+use crate::dsl::changes::Changes;
 use crate::AugeasParameters;
 use raugeas::{CommandsNumber, Flags, SaveMode};
 use rudder_module_type::{rudder_debug, CheckApplyResult, Outcome, PolicyMode};
@@ -138,8 +139,9 @@ impl Augeas {
 
         if do_changes && !p.changes.is_empty() {
             rudder_debug!("Running changes: {:?}", p.changes);
+            let changes = Changes::from_str(&p.changes)?;
+            changes.run(p.context.as_deref(), &mut aug)?;
             // FIXME handle policy mode
-            todo!()
         }
 
         if !p.checks.is_empty() {
@@ -187,11 +189,13 @@ mod tests {
         let r = augeas
             .handle_check_apply(
                 arguments(
-                    [format!("set /augeas/load/${lens}/lens \"{lens}.lns\""),
+                    [
+                        format!("set /augeas/load/${lens}/lens \"{lens}.lns\""),
                         format!("set /augeas/load/${lens}/incl \"{}\"", f.display()),
                         "load".to_string(),
                         format!("set /files{}/0 \"hello world\"", f.display()),
-                        "save".to_string()]
+                        "save".to_string(),
+                    ]
                     .join("\n"),
                 ),
                 PolicyMode::Enforce,
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index a6f1bcaee3..5e9f2fef5a 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -3,8 +3,8 @@
 
 use std::borrow::Cow;
 
-mod changes;
-mod checks;
+pub mod changes;
+pub mod checks;
 
 /// A path in the Augeas tree.
 #[derive(Debug, PartialEq)]
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index 7d254cf3be..92fd7ed3dc 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -3,9 +3,7 @@
 
 use nom::branch::alt;
 use nom::bytes::complete::{is_not, tag};
-use nom::character::complete::{
-    char, line_ending, multispace0, not_line_ending, space0, space1,
-};
+use nom::character::complete::{char, line_ending, multispace0, not_line_ending, space0, space1};
 use nom::combinator::{eof, not, opt};
 use nom::multi::many0;
 use nom::sequence::delimited;
@@ -26,14 +24,14 @@ pub struct Changes<'a> {
 }
 
 impl<'a> Changes<'a> {
-    pub fn from(input: &'a str) -> Result<Changes<'a>> {
+    pub fn from_str(input: &'a str) -> Result<Changes<'a>> {
         let (_, changes) = changes(input)
             .finish()
             .map_err(|e| anyhow!(format!("{:?}", e)))?;
         Ok(Changes { changes })
     }
 
-    pub fn evaluate(&self, context: Option<&str>, augeas: &mut Augeas) -> Result<()> {
+    pub fn run(&self, context: Option<&str>, augeas: &mut Augeas) -> Result<()> {
         for change in &self.changes {
             change.evaluate(context, augeas)?;
         }
diff --git a/policies/module-types/template/Cargo.toml b/policies/module-types/template/Cargo.toml
index f0edd78506..35961f8b99 100644
--- a/policies/module-types/template/Cargo.toml
+++ b/policies/module-types/template/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "rudder-module-template"
 version = "0.0.0-dev"
-description = "Directory management"
+description = "Template management"
 authors.workspace = true
 edition.workspace = true
 homepage.workspace = true

From b5c184867946b20199c1c3636bbca25c5006b886 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 02:57:37 +0100
Subject: [PATCH 04/29] fixup! fixup! fixup! Fixes #26089: Implement augeas
 module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    |  73 ++++----
 policies/module-types/augeas/src/dsl.rs       |  93 +++++++++-
 .../module-types/augeas/src/dsl/changes.rs    | 174 ++++++------------
 .../module-types/augeas/src/dsl/checks.rs     |   1 +
 policies/module-types/augeas/tests/module.rs  |   2 +
 5 files changed, 179 insertions(+), 164 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 778731d806..867f9d4625 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -457,9 +457,9 @@ checksum = "37b2a672a2cb129a2e41c10b1224bb368f9f37a2b16b612598138befd7b37eb5"
 
 [[package]]
 name = "cc"
-version = "1.2.4"
+version = "1.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9157bbaa6b165880c27a4293a474c91cdcf265cc68cc829bf10be0964a391caf"
+checksum = "c31a0499c1dc64f458ad13872de75c0eb7e3fdb0e67964610c914b034fc5956e"
 dependencies = [
  "shlex",
 ]
@@ -1082,19 +1082,25 @@ dependencies = [
 
 [[package]]
 name = "env_filter"
-version = "0.1.2"
+version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f2c92ceda6ceec50f43169f9ee8424fe2db276791afde7b2cd8bc084cb376ab"
+checksum = "186e05a59d4c50738528153b83b0b0194d3a29507dfec16eccd4b342903397d0"
 dependencies = [
  "log 0.4.22",
  "regex",
 ]
 
+[[package]]
+name = "env_home"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c7f84e12ccf0a7ddc17a6c41c93326024c42920d7ee630d04950e6926645c0fe"
+
 [[package]]
 name = "env_logger"
-version = "0.11.5"
+version = "0.11.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d"
+checksum = "dcaee3d8e3cfc3fd92428d477bc97fc29ec8716d180c0d74c643bb26166660e0"
 dependencies = [
  "anstream",
  "anstyle",
@@ -1187,9 +1193,9 @@ dependencies = [
 
 [[package]]
 name = "float-cmp"
-version = "0.9.0"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98de4bbd547a563b716d8dfa9aad1cb19bfab00f4fa09a6a4ed21dbcf44ce9c4"
+checksum = "b09cf3155332e944990140d967ff5eceb70df778b34f77d8075db46e4704e6d8"
 dependencies = [
  "num-traits",
 ]
@@ -1211,9 +1217,9 @@ checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
 [[package]]
 name = "foldhash"
-version = "0.1.3"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f81ec6369c545a7d40e4589b5597581fa1c441fe1cce96dd1de43159910a36a2"
+checksum = "a0d2fde1f7b3d48b8395d5f2de76c18a528bd6a9cdde438df747bfcba3e05d6f"
 
 [[package]]
 name = "foreign-types"
@@ -1537,15 +1543,6 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
-[[package]]
-name = "home"
-version = "0.5.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
-dependencies = [
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "hostname"
 version = "0.4.0"
@@ -2084,9 +2081,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.168"
+version = "0.2.169"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d"
+checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
 
 [[package]]
 name = "libdbus-sys"
@@ -2832,9 +2829,9 @@ checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
 
 [[package]]
 name = "predicates"
-version = "3.1.2"
+version = "3.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e9086cc7640c29a356d1a29fd134380bee9d8f79a17410aa76e7ad295f42c97"
+checksum = "a5d19ee57562043d37e82899fade9a22ebab7be9cef5026b07fda9cdd4293573"
 dependencies = [
  "anstyle",
  "difflib",
@@ -2846,15 +2843,15 @@ dependencies = [
 
 [[package]]
 name = "predicates-core"
-version = "1.0.8"
+version = "1.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae8177bee8e75d6846599c6b9ff679ed51e882816914eec639944d7c9aa11931"
+checksum = "727e462b119fe9c93fd0eb1429a5f7647394014cf3c04ab2c0350eeb09095ffa"
 
 [[package]]
 name = "predicates-tree"
-version = "1.0.11"
+version = "1.0.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "41b740d195ed3166cd147c8047ec98db0e22ec019eb8eeb76d343b795304fb13"
+checksum = "72dd2d6d381dfb73a193c7fca536518d7caee39fc8503f74e7dc0be0531b425c"
 dependencies = [
  "predicates-core",
  "termtree",
@@ -3071,7 +3068,7 @@ dependencies = [
 [[package]]
 name = "raugeas"
 version = "0.2.2"
-source = "git+https://github.com/Normation/raugeas.git#ca2790e6ecc127a9062324f60227a907cc56e7db"
+source = "git+https://github.com/Normation/raugeas.git#95b3c2b29d56c95049ff04868ae631677d4f00e2"
 dependencies = [
  "bitflags 2.6.0",
  "libc",
@@ -3081,7 +3078,7 @@ dependencies = [
 [[package]]
 name = "raugeas_sys"
 version = "0.2.0"
-source = "git+https://github.com/Normation/raugeas.git#ca2790e6ecc127a9062324f60227a907cc56e7db"
+source = "git+https://github.com/Normation/raugeas.git#95b3c2b29d56c95049ff04868ae631677d4f00e2"
 dependencies = [
  "bindgen 0.70.1",
  "pkg-config",
@@ -4199,9 +4196,9 @@ dependencies = [
 
 [[package]]
 name = "termtree"
-version = "0.4.1"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76"
+checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
 
 [[package]]
 name = "test-generator"
@@ -4326,9 +4323,9 @@ dependencies = [
 
 [[package]]
 name = "tinyvec"
-version = "1.8.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "445e881f4f6d382d5f27c034e25eb92edd7c784ceab92a0937db7f2e9471b938"
+checksum = "022db8904dfa342efe721985167e9fcd16c29b226db4397ed752a761cfce81e8"
 dependencies = [
  "tinyvec_macros",
 ]
@@ -4851,12 +4848,12 @@ dependencies = [
 
 [[package]]
 name = "which"
-version = "7.0.0"
+version = "7.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c9cad3279ade7346b96e38731a641d7343dd6a53d55083dd54eadfa5a1b38c6b"
+checksum = "fb4a9e33648339dc1642b0e36e21b3385e6148e289226f657c809dee59df5028"
 dependencies = [
  "either",
- "home",
+ "env_home",
  "rustix",
  "winsafe",
 ]
@@ -5192,9 +5189,9 @@ dependencies = [
 
 [[package]]
 name = "xxhash-rust"
-version = "0.8.12"
+version = "0.8.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a5cbf750400958819fb6178eaa83bee5cd9c29a26a40cc241df8c70fdd46984"
+checksum = "a08fd76779ae1883bbf1e46c2c46a75a0c4e37c445e68a24b01479d438f26ae6"
 
 [[package]]
 name = "yansi"
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 5e9f2fef5a..3c6b253587 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -1,19 +1,34 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
+use nom::branch::alt;
+use nom::bytes::complete::{is_not, tag};
+use nom::character::complete::{char, not_line_ending, space0};
+use nom::error::VerboseError;
+use nom::sequence::delimited;
+use nom::IResult;
 use std::borrow::Cow;
+use std::ops::Deref;
 
 pub mod changes;
 pub mod checks;
 
+pub type Value<'a> = &'a str;
+pub type Sub<'a> = &'a str;
+
 /// A path in the Augeas tree.
 #[derive(Debug, PartialEq)]
 pub struct AugPath<'a> {
     inner: &'a str,
 }
 
-pub type Value<'a> = &'a str;
-pub type Sub<'a> = &'a str;
+impl Deref for AugPath<'_> {
+    type Target = str;
+
+    fn deref(&self) -> &Self::Target {
+        self.inner
+    }
+}
 
 impl<'a> From<&'a str> for AugPath<'a> {
     fn from(s: &'a str) -> Self {
@@ -22,12 +37,6 @@ impl<'a> From<&'a str> for AugPath<'a> {
 }
 
 impl<'a> AugPath<'a> {
-    pub fn new<T: AsRef<&'a str>>(path: T) -> AugPath<'a> {
-        AugPath {
-            inner: path.as_ref(),
-        }
-    }
-
     pub fn is_absolute(&self) -> bool {
         self.inner.starts_with('/')
     }
@@ -43,3 +52,71 @@ impl<'a> AugPath<'a> {
         }
     }
 }
+
+/// Read a comment.
+///
+/// A comment starts with a `#` and ends with a newline.
+fn comment(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, _) = tag("#")(input)?;
+    let (input, comment) = not_line_ending(input)?;
+    Ok((input, comment))
+}
+
+/// Read a path or a value.
+///
+/// It can contain spaces, in which case it must be quoted.
+fn arg(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, _) = space0(input)?;
+    // either a quoted string or an unquoted string
+    let (input, arg) = alt((
+        // FIXME cleanup eol & delimiters
+        delimited(char('"'), is_not("\"\r\n"), char('"')),
+        delimited(char('\''), is_not("'\r\n"), char('\'')),
+        is_not("\"' \t\r\n"),
+    ))(input)?;
+    Ok((input, arg))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_comment() {
+        let input = "# This is a comment";
+        let expected = " This is a comment";
+        let result = comment(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_quoted_value() {
+        let input = r#""quoted value""#;
+        let expected = "quoted value";
+        let result = arg(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_single_quoted_value() {
+        let input = r#"'quoted value'"#;
+        let expected = "quoted value";
+        let result = arg(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_unquoted_value() {
+        let input = "unquoted value";
+        let expected = "unquoted";
+        let result = arg(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_arg_with_empty_input() {
+        let input = "";
+        let result = arg(input);
+        assert!(result.is_err());
+    }
+}
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index 92fd7ed3dc..cf9574a5c5 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -2,17 +2,18 @@
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
 use nom::branch::alt;
-use nom::bytes::complete::{is_not, tag};
-use nom::character::complete::{char, line_ending, multispace0, not_line_ending, space0, space1};
-use nom::combinator::{eof, not, opt};
+use nom::bytes::complete::tag;
+use nom::character::complete::{line_ending, multispace0, space0, space1};
+use nom::combinator::{eof, map_res, not, opt};
 use nom::multi::many0;
-use nom::sequence::delimited;
 use nom::{Finish, IResult};
 
+use crate::dsl;
 use crate::dsl::{AugPath, Sub, Value};
 use anyhow::{anyhow, Result};
 use nom::error::VerboseError;
-use raugeas::Augeas;
+use raugeas::{Augeas, Position};
+use rudder_module_type::rudder_debug;
 
 /// The ordered list of changes to apply.
 ///
@@ -27,11 +28,13 @@ impl<'a> Changes<'a> {
     pub fn from_str(input: &'a str) -> Result<Changes<'a>> {
         let (_, changes) = changes(input)
             .finish()
+            // We can't keep the verbose error as it contains references to the input.
             .map_err(|e| anyhow!(format!("{:?}", e)))?;
         Ok(Changes { changes })
     }
 
     pub fn run(&self, context: Option<&str>, augeas: &mut Augeas) -> Result<()> {
+        rudder_debug!("Running {} changes", self.changes.len());
         for change in &self.changes {
             change.evaluate(context, augeas)?;
         }
@@ -46,8 +49,6 @@ pub enum Change<'a> {
     /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
     SetM(AugPath<'a>, Sub<'a>, Value<'a>),
     /// Removes the node at location PATH
-    Rm(AugPath<'a>),
-    /// Synonym for Rm
     Remove(AugPath<'a>),
     /// Sets the node at PATH to NULL, creating it if needed
     Clear(AugPath<'a>),
@@ -56,12 +57,8 @@ pub enum Change<'a> {
     /// Creates PATH with the value NULL if it does not exist
     Touch(AugPath<'a>),
     /// Inserts an empty node LABEL either before or after PATH.
-    Ins(Value<'a>, Value<'a>, AugPath<'a>),
-    /// Synonym for Ins
-    Insert(Value<'a>, Value<'a>, AugPath<'a>),
+    Insert(Value<'a>, Position, AugPath<'a>),
     /// Moves a node at PATH to the new location OTHER PATH
-    Mv(AugPath<'a>, AugPath<'a>),
-    /// Synonym for Mv
     Move(AugPath<'a>, AugPath<'a>),
     /// Rename a node at PATH to a new LABEL
     Rename(AugPath<'a>, Value<'a>),
@@ -75,16 +72,20 @@ impl<'a> Change<'a> {
     fn evaluate(&self, context: Option<&str>, augeas: &'a mut Augeas) -> Result<()> {
         match self {
             Change::Set(path, value) => augeas.set(path.with_context(context).as_ref(), value)?,
-            //Change::SetM(path, sub, value) => augeas.setm(path, sub, value).map(|_| ())?,
-            //Change::Rm(path) => augeas.rm(path).map(|_| ())?,
-            //Change::Remove(path) => augeas.rm(path).map(|_| ())?,
-            //Change::Clear(path) => augeas.clear(path)?,
-            //Change::ClearM(path, sub) => augeas.clearm(path, sub)?,
-            //Change::Touch(path) => augeas.touch(path)?,
-            //Change::Ins(label, position, path) => augeas.insert(label, position, path)?,
-            //Change::Insert(label, position, path) => augeas.insert(label, position, path)?,
-            //Change::Mv(path, other) => augeas.mv(path, other)?,
-            //Change::Move(path, other) => augeas.mv(path, other)?,
+            Change::SetM(path, sub, value) => augeas
+                .setm(path.with_context(context).as_ref(), sub, value)
+                .map(|_| ())?,
+            Change::Remove(path) => augeas.rm(path.with_context(context).as_ref()).map(|_| ())?,
+            //Change::Clear(path) => augeas.clear(path.with_context(context).as_ref())?,
+            //Change::ClearM(path, sub) => augeas.clearm(path.with_context(context).as_ref(), sub)?,
+            //Change::Touch(path) => augeas.touch(path.with_context(context).as_ref())?,
+            Change::Insert(label, position, path) => {
+                augeas.insert(path.with_context(context).as_ref(), label, *position)?
+            }
+            Change::Move(path, other) => augeas.mv(
+                path.with_context(context).as_ref(),
+                other.with_context(context).as_ref(),
+            )?,
             //Change::Rename(path, label) => augeas.rename(path, label).map(|_| ())?,
             //Change::DefVar(name, path) => augeas.defvar(name, path)?,
             //Change::DefNode(name, path, value) => augeas.defnode(name, path, value).map(|_| ())?,
@@ -94,115 +95,91 @@ impl<'a> Change<'a> {
     }
 }
 
-/// Read a comment.
-///
-/// A comment starts with a `#` and ends with a newline.
-fn comment(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
-    let (input, _) = tag("#")(input)?;
-    let (input, comment) = not_line_ending(input)?;
-    Ok((input, comment))
-}
-
-/// Read a path or a value.
-///
-/// It can contain spaces, in which case it must be quoted.
-fn arg(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
-    let (input, _) = space0(input)?;
-    // either a quoted string or an unquoted string
-    let (input, arg) = alt((
-        // FIXME cleanup eol & delimiters
-        delimited(char('"'), is_not("\"\r\n"), char('"')),
-        delimited(char('\''), is_not("'\r\n"), char('\'')),
-        is_not("\"' \t\r\n"),
-    ))(input)?;
-    Ok((input, arg))
-}
-
 fn cmd_set(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("set")(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
-    let (input, value) = arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, value) = dsl::arg(input)?;
     Ok((input, Change::Set(path.into(), value)))
 }
 
 fn cmd_setm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("setm")(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
-    let (input, sub) = arg(input)?;
-    let (input, value) = arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, sub) = dsl::arg(input)?;
+    let (input, value) = dsl::arg(input)?;
     Ok((input, Change::SetM(path.into(), sub, value)))
 }
 
 fn cmd_rm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = alt((tag("rm"), tag("remove")))(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
-    Ok((input, Change::Rm(path.into())))
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Change::Remove(path.into())))
 }
 
 fn cmd_clear(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("clear")(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
+    let (input, path) = dsl::arg(input)?;
     Ok((input, Change::Clear(path.into())))
 }
 
 fn cmd_clearm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("clearm")(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
-    let (input, sub) = arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, sub) = dsl::arg(input)?;
     Ok((input, Change::ClearM(path.into(), sub)))
 }
 
 fn cmd_touch(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("touch")(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
+    let (input, path) = dsl::arg(input)?;
     Ok((input, Change::Touch(path.into())))
 }
 
 fn cmd_ins(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = alt((tag("ins"), tag("insert")))(input)?;
     let (input, _) = space1(input)?;
-    let (input, label) = arg(input)?;
-    let (input, position) = arg(input)?;
-    let (input, path) = arg(input)?;
-    Ok((input, Change::Ins(label, position, path.into())))
+    let (input, label) = dsl::arg(input)?;
+    let (input, position) = map_res(dsl::arg, |p| p.parse())(input)?;
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Change::Insert(label, position, path.into())))
 }
 
 fn cmd_mv(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = alt((tag("mv"), tag("move")))(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
-    let (input, other) = arg(input)?;
-    Ok((input, Change::Mv(path.into(), other.into())))
+    let (input, path) = dsl::arg(input)?;
+    let (input, other) = dsl::arg(input)?;
+    Ok((input, Change::Move(path.into(), other.into())))
 }
 
 fn cmd_rename(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("rename")(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = arg(input)?;
-    let (input, label) = arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, label) = dsl::arg(input)?;
     Ok((input, Change::Rename(path.into(), label)))
 }
 
 fn cmd_defvar(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("defvar")(input)?;
     let (input, _) = space1(input)?;
-    let (input, name) = arg(input)?;
-    let (input, path) = arg(input)?;
+    let (input, name) = dsl::arg(input)?;
+    let (input, path) = dsl::arg(input)?;
     Ok((input, Change::DefVar(name, path.into())))
 }
 
 fn cmd_defnode(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = tag("defnode")(input)?;
     let (input, _) = space1(input)?;
-    let (input, name) = arg(input)?;
-    let (input, path) = arg(input)?;
-    let (input, value) = arg(input)?;
+    let (input, name) = dsl::arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, value) = dsl::arg(input)?;
     Ok((input, Change::DefNode(name, path.into(), value)))
 }
 
@@ -226,10 +203,10 @@ fn change(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
 fn line(input: &str) -> IResult<&str, Option<Change>, VerboseError<&str>> {
     let (input, _) = not(eof)(input)?;
     let (input, _) = space0(input)?;
-    let (input, _) = opt(comment)(input)?;
+    let (input, _) = opt(dsl::comment)(input)?;
     let (input, change) = opt(change)(input)?;
     let (input, _) = space0(input)?;
-    let (input, _) = opt(comment)(input)?;
+    let (input, _) = opt(dsl::comment)(input)?;
     let (input, _) = opt(line_ending)(input)?;
     Ok((input, change))
 }
@@ -247,45 +224,6 @@ fn changes(input: &str) -> IResult<&str, Vec<Change>, VerboseError<&str>> {
 mod tests {
     use super::*;
 
-    #[test]
-    fn test_comment() {
-        let input = "# This is a comment";
-        let expected = " This is a comment";
-        let result = comment(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_arg_with_quoted_value() {
-        let input = r#""quoted value""#;
-        let expected = "quoted value";
-        let result = arg(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_arg_with_single_quoted_value() {
-        let input = r#"'quoted value'"#;
-        let expected = "quoted value";
-        let result = arg(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_arg_with_unquoted_value() {
-        let input = "unquoted value";
-        let expected = "unquoted";
-        let result = arg(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_arg_with_empty_input() {
-        let input = "";
-        let result = arg(input);
-        assert!(result.is_err());
-    }
-
     #[test]
     fn test_change_set() {
         let input = "set /path/to/node value";
@@ -305,7 +243,7 @@ mod tests {
     #[test]
     fn test_change_rm() {
         let input = "rm /path/to/node";
-        let expected = Change::Rm("/path/to/node".into());
+        let expected = Change::Remove("/path/to/node".into());
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -337,7 +275,7 @@ mod tests {
     #[test]
     fn test_change_ins() {
         let input = "ins label before /path/to/node";
-        let expected = Change::Ins("label", "before", "/path/to/node".into());
+        let expected = Change::Insert("label", Position::Before, "/path/to/node".into());
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -345,7 +283,7 @@ mod tests {
     #[test]
     fn test_change_mv() {
         let input = "mv /path/to/node /new/path";
-        let expected = Change::Mv("/path/to/node".into(), "/new/path".into());
+        let expected = Change::Move("/path/to/node".into(), "/new/path".into());
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -440,12 +378,12 @@ mod tests {
         let expected = vec![
             Change::Set("/path/to/node".into(), "value"),
             Change::SetM("/path/to/nodes".into(), "sub node", "value"),
-            Change::Rm("/path/to/node".into()),
+            Change::Remove("/path/to/node".into()),
             Change::Clear("/path/to/node".into()),
             Change::ClearM("/path/to/nodes".into(), "sub node"),
             Change::Touch("/path/to/node".into()),
-            Change::Ins("label", "before", "/path/to/node".into()),
-            Change::Mv("/path/to/node".into(), "/new/path".into()),
+            Change::Insert("label", Position::Before, "/path/to/node".into()),
+            Change::Move("/path/to/node".into(), "/new/path".into()),
             Change::Rename("/path/to/node".into(), "new_label"),
             Change::DefVar("name", "/path/to/node".into()),
             Change::DefNode("name", "/path/to/node".into(), "value"),
diff --git a/policies/module-types/augeas/src/dsl/checks.rs b/policies/module-types/augeas/src/dsl/checks.rs
index 9ef901c8f2..3f164a909c 100644
--- a/policies/module-types/augeas/src/dsl/checks.rs
+++ b/policies/module-types/augeas/src/dsl/checks.rs
@@ -32,6 +32,7 @@ where:
     AN_ARRAY is in the form ['a string', 'another']
 */
 
+// FIXME: = stirng vs equal number
 pub enum Comparator {
     GreaterThan,
     GreaterThanOrEqual,
diff --git a/policies/module-types/augeas/tests/module.rs b/policies/module-types/augeas/tests/module.rs
index 39da430720..985601023f 100644
--- a/policies/module-types/augeas/tests/module.rs
+++ b/policies/module-types/augeas/tests/module.rs
@@ -11,6 +11,8 @@ use tempfile::tempdir;
 
 const BIN: &str = concat!("../../../target/debug/", env!("CARGO_PKG_NAME"));
 
+// FIXME fichiers YAML de cas de test avec les parameters
+
 #[test]
 #[ignore]
 fn it_renders_mustache_inlined() {

From 8e5f3b59a8b4df9df1e43a53370c88fe299c8dee Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 15:36:45 +0100
Subject: [PATCH 05/29] fixup! fixup! fixup! fixup! Fixes #26089: Implement
 augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                 | 8 ++++----
 policies/module-types/augeas/src/augeas.rs | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 867f9d4625..5b7784b7ed 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2497,9 +2497,9 @@ dependencies = [
 
 [[package]]
 name = "object"
-version = "0.36.5"
+version = "0.36.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aedf0a2d09c573ed1d8d85b30c119153926a2b36dce0ab28322c09a117a4683e"
+checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
 dependencies = [
  "memchr",
 ]
@@ -3068,7 +3068,7 @@ dependencies = [
 [[package]]
 name = "raugeas"
 version = "0.2.2"
-source = "git+https://github.com/Normation/raugeas.git#95b3c2b29d56c95049ff04868ae631677d4f00e2"
+source = "git+https://github.com/Normation/raugeas.git#36058dfc73fc14070030f2d7bf18dcca788fcae9"
 dependencies = [
  "bitflags 2.6.0",
  "libc",
@@ -3078,7 +3078,7 @@ dependencies = [
 [[package]]
 name = "raugeas_sys"
 version = "0.2.0"
-source = "git+https://github.com/Normation/raugeas.git#95b3c2b29d56c95049ff04868ae631677d4f00e2"
+source = "git+https://github.com/Normation/raugeas.git#36058dfc73fc14070030f2d7bf18dcca788fcae9"
 dependencies = [
  "bindgen 0.70.1",
  "pkg-config",
diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 86a97c70e9..e4fbcdf600 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -77,8 +77,7 @@ impl Augeas {
         }
 
         let root: Option<&str> = p.root.as_deref();
-        // FIXME root
-        let mut aug = raugeas::Augeas::init("/", p.load_paths(), flags)?;
+        let mut aug = raugeas::Augeas::init(root, p.load_paths(), flags)?;
 
         // Show version for debugging purposes.
         let version = aug.version()?;

From 3c69244cb16579bef659f420e3f9324e8001b87f Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 17:58:22 +0100
Subject: [PATCH 06/29] fixup! fixup! fixup! fixup! fixup! Fixes #26089:
 Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    |   4 +-
 policies/module-types/augeas/src/dsl.rs       |  13 +-
 .../module-types/augeas/src/dsl/changes.rs    |  72 +++--
 .../module-types/augeas/src/dsl/checks.rs     | 263 +++++++++++++++++-
 .../module-types/augeas/src/parameters.rs     |   1 -
 5 files changed, 311 insertions(+), 42 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 5b7784b7ed..272842aa09 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3068,7 +3068,7 @@ dependencies = [
 [[package]]
 name = "raugeas"
 version = "0.2.2"
-source = "git+https://github.com/Normation/raugeas.git#36058dfc73fc14070030f2d7bf18dcca788fcae9"
+source = "git+https://github.com/Normation/raugeas.git#a9e3bc7e13eecabf5494367d440aaa9ee2df5af0"
 dependencies = [
  "bitflags 2.6.0",
  "libc",
@@ -3078,7 +3078,7 @@ dependencies = [
 [[package]]
 name = "raugeas_sys"
 version = "0.2.0"
-source = "git+https://github.com/Normation/raugeas.git#36058dfc73fc14070030f2d7bf18dcca788fcae9"
+source = "git+https://github.com/Normation/raugeas.git#a9e3bc7e13eecabf5494367d440aaa9ee2df5af0"
 dependencies = [
  "bindgen 0.70.1",
  "pkg-config",
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 3c6b253587..94325adc1e 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -45,9 +45,20 @@ impl<'a> AugPath<'a> {
         !self.is_absolute()
     }
 
+    /// Return the path with the given context.
+    ///
+    /// If the path is relative, it is appended to the context.
+    /// If the path is absolute, it is returned as is.
+    ///
+    /// Handles the case where the context does not end with a `/`.
     pub fn with_context(&self, context: Option<&str>) -> Cow<str> {
         match context {
-            Some(c) if self.is_relative() => format!("{}/{}", c, self.inner).into(),
+            Some(c) if self.is_relative() && c.ends_with('/') => {
+                format!("{}{}", c, self.inner).into()
+            }
+            Some(c) if self.is_relative() && !c.ends_with('/') => {
+                format!("{}/{}", c, self.inner).into()
+            }
             _ => self.inner.into(),
         }
     }
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index cf9574a5c5..7914fb9045 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -47,13 +47,13 @@ pub enum Change<'a> {
     /// Sets the value VALUE at location PATH
     Set(AugPath<'a>, Value<'a>),
     /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
-    SetM(AugPath<'a>, Sub<'a>, Value<'a>),
+    SetMultiple(AugPath<'a>, Sub<'a>, Value<'a>),
     /// Removes the node at location PATH
     Remove(AugPath<'a>),
     /// Sets the node at PATH to NULL, creating it if needed
     Clear(AugPath<'a>),
     /// Sets multiple nodes (matching SUB relative to PATH) to NULL
-    ClearM(AugPath<'a>, Sub<'a>),
+    ClearMultiple(AugPath<'a>, Sub<'a>),
     /// Creates PATH with the value NULL if it does not exist
     Touch(AugPath<'a>),
     /// Inserts an empty node LABEL either before or after PATH.
@@ -63,22 +63,29 @@ pub enum Change<'a> {
     /// Rename a node at PATH to a new LABEL
     Rename(AugPath<'a>, Value<'a>),
     /// Sets Augeas variable $NAME to PATH
-    DefVar(Value<'a>, AugPath<'a>),
+    DefineVar(Value<'a>, AugPath<'a>),
     /// Sets Augeas variable $NAME to PATH, creating it with VALUE if needed
-    DefNode(Value<'a>, AugPath<'a>, Value<'a>),
+    DefineNode(Value<'a>, AugPath<'a>, Value<'a>),
 }
 
 impl<'a> Change<'a> {
     fn evaluate(&self, context: Option<&str>, augeas: &'a mut Augeas) -> Result<()> {
         match self {
             Change::Set(path, value) => augeas.set(path.with_context(context).as_ref(), value)?,
-            Change::SetM(path, sub, value) => augeas
-                .setm(path.with_context(context).as_ref(), sub, value)
-                .map(|_| ())?,
-            Change::Remove(path) => augeas.rm(path.with_context(context).as_ref()).map(|_| ())?,
-            //Change::Clear(path) => augeas.clear(path.with_context(context).as_ref())?,
-            //Change::ClearM(path, sub) => augeas.clearm(path.with_context(context).as_ref(), sub)?,
-            //Change::Touch(path) => augeas.touch(path.with_context(context).as_ref())?,
+            Change::SetMultiple(path, sub, value) => {
+                let n = augeas.setm(path.with_context(context).as_ref(), sub, value)?;
+                rudder_debug!("setm: modified {n} nodes");
+            }
+            Change::Remove(path) => {
+                let n = augeas.rm(path.with_context(context).as_ref())?;
+                rudder_debug!("rm: removed {n} nodes");
+            }
+            Change::Clear(path) => augeas.clear(path.with_context(context).as_ref())?,
+            Change::ClearMultiple(path, sub) => {
+                let n = augeas.clearm(path.with_context(context).as_ref(), sub)?;
+                rudder_debug!("clearm: cleared {n} nodes");
+            }
+            Change::Touch(path) => augeas.touch(path.with_context(context).as_ref())?,
             Change::Insert(label, position, path) => {
                 augeas.insert(path.with_context(context).as_ref(), label, *position)?
             }
@@ -86,10 +93,21 @@ impl<'a> Change<'a> {
                 path.with_context(context).as_ref(),
                 other.with_context(context).as_ref(),
             )?,
-            //Change::Rename(path, label) => augeas.rename(path, label).map(|_| ())?,
-            //Change::DefVar(name, path) => augeas.defvar(name, path)?,
-            //Change::DefNode(name, path, value) => augeas.defnode(name, path, value).map(|_| ())?,
-            _ => todo!(),
+            Change::Rename(path, label) => {
+                let n = augeas.rename(path.with_context(context).as_ref(), label)?;
+                rudder_debug!("rename: renamed {n} nodes");
+            }
+            Change::DefineVar(name, path) => {
+                augeas.defvar(name, path.with_context(context).as_ref())?
+            }
+            Change::DefineNode(name, path, value) => {
+                let created = augeas.defnode(name, path.with_context(context).as_ref(), value)?;
+                if created {
+                    rudder_debug!("defnode: 1 node was created");
+                } else {
+                    rudder_debug!("defnode: no nodes were created");
+                }
+            }
         }
         Ok(())
     }
@@ -109,7 +127,7 @@ fn cmd_setm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, path) = dsl::arg(input)?;
     let (input, sub) = dsl::arg(input)?;
     let (input, value) = dsl::arg(input)?;
-    Ok((input, Change::SetM(path.into(), sub, value)))
+    Ok((input, Change::SetMultiple(path.into(), sub, value)))
 }
 
 fn cmd_rm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
@@ -131,7 +149,7 @@ fn cmd_clearm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = space1(input)?;
     let (input, path) = dsl::arg(input)?;
     let (input, sub) = dsl::arg(input)?;
-    Ok((input, Change::ClearM(path.into(), sub)))
+    Ok((input, Change::ClearMultiple(path.into(), sub)))
 }
 
 fn cmd_touch(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
@@ -171,7 +189,7 @@ fn cmd_defvar(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, _) = space1(input)?;
     let (input, name) = dsl::arg(input)?;
     let (input, path) = dsl::arg(input)?;
-    Ok((input, Change::DefVar(name, path.into())))
+    Ok((input, Change::DefineVar(name, path.into())))
 }
 
 fn cmd_defnode(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
@@ -180,7 +198,7 @@ fn cmd_defnode(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
     let (input, name) = dsl::arg(input)?;
     let (input, path) = dsl::arg(input)?;
     let (input, value) = dsl::arg(input)?;
-    Ok((input, Change::DefNode(name, path.into(), value)))
+    Ok((input, Change::DefineNode(name, path.into(), value)))
 }
 
 /// Read a valid change.
@@ -235,7 +253,7 @@ mod tests {
     #[test]
     fn test_change_setm() {
         let input = "setm /path/to/nodes subnode value";
-        let expected = Change::SetM("/path/to/nodes".into(), "subnode", "value");
+        let expected = Change::SetMultiple("/path/to/nodes".into(), "subnode", "value");
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -259,7 +277,7 @@ mod tests {
     #[test]
     fn test_change_clearm() {
         let input = "clearm /path/to/nodes subnode";
-        let expected = Change::ClearM("/path/to/nodes".into(), "subnode");
+        let expected = Change::ClearMultiple("/path/to/nodes".into(), "subnode");
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -299,7 +317,7 @@ mod tests {
     #[test]
     fn test_change_defvar() {
         let input = "defvar name /path/to/node";
-        let expected = Change::DefVar("name", "/path/to/node".into());
+        let expected = Change::DefineVar("name", "/path/to/node".into());
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -307,7 +325,7 @@ mod tests {
     #[test]
     fn test_change_defnode() {
         let input = "defnode name /path/to/node value";
-        let expected = Change::DefNode("name", "/path/to/node".into(), "value");
+        let expected = Change::DefineNode("name", "/path/to/node".into(), "value");
         let result = change(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -377,16 +395,16 @@ mod tests {
         "#;
         let expected = vec![
             Change::Set("/path/to/node".into(), "value"),
-            Change::SetM("/path/to/nodes".into(), "sub node", "value"),
+            Change::SetMultiple("/path/to/nodes".into(), "sub node", "value"),
             Change::Remove("/path/to/node".into()),
             Change::Clear("/path/to/node".into()),
-            Change::ClearM("/path/to/nodes".into(), "sub node"),
+            Change::ClearMultiple("/path/to/nodes".into(), "sub node"),
             Change::Touch("/path/to/node".into()),
             Change::Insert("label", Position::Before, "/path/to/node".into()),
             Change::Move("/path/to/node".into(), "/new/path".into()),
             Change::Rename("/path/to/node".into(), "new_label"),
-            Change::DefVar("name", "/path/to/node".into()),
-            Change::DefNode("name", "/path/to/node".into(), "value"),
+            Change::DefineVar("name", "/path/to/node".into()),
+            Change::DefineNode("name", "/path/to/node".into(), "value"),
         ];
         let result = changes(input).unwrap();
         assert_eq!(result.1, expected);
diff --git a/policies/module-types/augeas/src/dsl/checks.rs b/policies/module-types/augeas/src/dsl/checks.rs
index 3f164a909c..cde47bcec0 100644
--- a/policies/module-types/augeas/src/dsl/checks.rs
+++ b/policies/module-types/augeas/src/dsl/checks.rs
@@ -1,15 +1,16 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
+use anyhow::{anyhow, bail};
+use anyhow::{Error, Result};
 use regex::Regex;
+use std::num::{ParseFloatError, ParseIntError};
+use std::str::FromStr;
 
 pub type MatchPath = String;
 
 /*
 
-
-changes:
-
 ifonly:
     get <AUGEAS_PATH> <COMPARATOR> <STRING>
     values <MATCH_PATH> include <STRING>
@@ -26,22 +27,126 @@ where:
     AUGEAS_PATH is a valid path scoped by the context
     MATCH_PATH is a valid match syntax scoped by the context
     COMPARATOR is one of >, >=, !=, ==, <=, or <
-      ~ for regex match
+      ~ for regex match, !~ for regex not match
     STRING is a string
     INT is a number
     AN_ARRAY is in the form ['a string', 'another']
 */
 
-// FIXME: = stirng vs equal number
+#[derive(Debug, Clone)]
 pub enum Comparator {
-    GreaterThan,
-    GreaterThanOrEqual,
-    NotEqual,
-    Equal,
-    LessThanOrEqual,
-    LessThan,
+    GreaterThan(Number),
+    GreaterThanOrEqual(Number),
+    NotEqual(Number),
+    Equal(Number),
+    LessThanOrEqual(Number),
+    LessThan(Number),
     MatchRegex(Regex),
     NotMatchRegex(Regex),
+    StrNotEqual(String),
+    StrEqual(String),
+}
+
+#[derive(Debug, PartialEq, Copy, Clone)]
+pub enum Number {
+    Int(isize),
+    Float(f32),
+}
+
+impl FromStr for Number {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        let num_int: Result<isize, ParseIntError> = s.parse();
+        match num_int {
+            Ok(n) => Ok(Number::Int(n)),
+            Err(_) => {
+                let num_float: Result<f32, ParseFloatError> = s.parse();
+                match num_float {
+                    Ok(n) => Ok(Number::Float(n)),
+                    Err(_) => Err(anyhow!("Could not parse number '{}'", s)),
+                }
+            }
+        }
+    }
+}
+
+impl Comparator {
+    fn matches_int(&self, value: isize) -> Result<bool> {
+        Ok(match self {
+            Comparator::GreaterThan(n) => match n {
+                Number::Int(n) => value > *n,
+                Number::Float(n) => value as f32 > *n,
+            },
+            Comparator::GreaterThanOrEqual(n) => match n {
+                Number::Int(n) => value >= *n,
+                Number::Float(n) => value as f32 >= *n,
+            },
+            Comparator::NotEqual(n) => match n {
+                Number::Int(n) => value != *n,
+                Number::Float(n) => value as f32 != *n,
+            },
+            Comparator::Equal(n) => match n {
+                Number::Int(n) => value == *n,
+                Number::Float(n) => value as f32 == *n,
+            },
+            Comparator::LessThanOrEqual(n) => match n {
+                Number::Int(n) => value <= *n,
+                Number::Float(n) => value as f32 <= *n,
+            },
+            Comparator::LessThan(n) => match n {
+                Number::Int(n) => value < *n,
+                Number::Float(n) => (value as f32) < *n,
+            },
+            _ => bail!("Invalid comparator for integer number"),
+        })
+    }
+
+    fn matches_float(&self, value: f32) -> Result<bool> {
+        Ok(match self {
+            Comparator::GreaterThan(n) => match n {
+                Number::Int(n) => value > *n as f32,
+                Number::Float(n) => value > *n,
+            },
+            Comparator::GreaterThanOrEqual(n) => match n {
+                Number::Int(n) => value >= *n as f32,
+                Number::Float(n) => value >= *n,
+            },
+            Comparator::NotEqual(n) => match n {
+                Number::Int(n) => value != *n as f32,
+                Number::Float(n) => value != *n,
+            },
+            Comparator::Equal(n) => match n {
+                Number::Int(n) => value == *n as f32,
+                Number::Float(n) => value == *n,
+            },
+            Comparator::LessThanOrEqual(n) => match n {
+                Number::Int(n) => value <= *n as f32,
+                Number::Float(n) => value <= *n,
+            },
+            Comparator::LessThan(n) => match n {
+                Number::Int(n) => value < *n as f32,
+                Number::Float(n) => value < *n,
+            },
+            _ => bail!("Invalid comparator for float number"),
+        })
+    }
+
+    pub fn matches(&self, value: &str) -> Result<bool> {
+        match self {
+            Comparator::MatchRegex(re) => Ok(re.is_match(value)),
+            Comparator::NotMatchRegex(re) => Ok(!re.is_match(value)),
+            Comparator::StrNotEqual(s) => Ok(value != s),
+            Comparator::StrEqual(s) => Ok(value == s),
+            _ => {
+                let value: Number = value.parse()?;
+                match value {
+                    Number::Int(value) => self.matches_int(value),
+                    Number::Float(value) => self.matches_float(value),
+                }
+            }
+        }
+    }
 }
 
 pub enum Check {
@@ -56,3 +161,139 @@ pub enum Check {
     MatchEqual(String, Vec<String>),
     MatchNotEqual(String, Vec<String>),
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_number_from_str() {
+        let n: Number = "42".parse().unwrap();
+        assert_eq!(n, Number::Int(42));
+
+        let n: Number = "42.0".parse().unwrap();
+        assert_eq!(n, Number::Float(42.0));
+
+        let n: Number = "42.5".parse().unwrap();
+        assert_eq!(n, Number::Float(42.5));
+
+        let r: Result<Number, Error> = "42.5.0".parse();
+        assert!(r.is_err());
+    }
+
+    #[test]
+    fn test_comparator_matches_int() {
+        let c = Comparator::GreaterThan(Number::Int(42));
+        assert!(c.matches_int(43).unwrap());
+        assert!(!c.matches_int(42).unwrap());
+        assert!(!c.matches_int(41).unwrap());
+
+        let c = Comparator::GreaterThanOrEqual(Number::Int(42));
+        assert!(c.matches_int(43).unwrap());
+        assert!(c.matches_int(42).unwrap());
+        assert!(!c.matches_int(41).unwrap());
+
+        let c = Comparator::NotEqual(Number::Int(42));
+        assert!(c.matches_int(43).unwrap());
+        assert!(!c.matches_int(42).unwrap());
+        assert!(c.matches_int(41).unwrap());
+
+        let c = Comparator::Equal(Number::Int(42));
+        assert!(!c.matches_int(43).unwrap());
+        assert!(c.matches_int(42).unwrap());
+        assert!(!c.matches_int(41).unwrap());
+
+        let c = Comparator::LessThanOrEqual(Number::Int(42));
+        assert!(!c.matches_int(43).unwrap());
+        assert!(c.matches_int(42).unwrap());
+        assert!(c.matches_int(41).unwrap());
+
+        let c = Comparator::LessThan(Number::Int(42));
+        assert!(!c.matches_int(43).unwrap());
+        assert!(!c.matches_int(42).unwrap());
+        assert!(c.matches_int(41).unwrap());
+    }
+
+    #[test]
+    fn test_comparator_matches_float() {
+        let c = Comparator::GreaterThan(Number::Float(42.0));
+        assert!(c.matches_float(43.0).unwrap());
+        assert!(!c.matches_float(42.0).unwrap());
+        assert!(!c.matches_float(41.0).unwrap());
+
+        let c = Comparator::GreaterThanOrEqual(Number::Float(42.0));
+        assert!(c.matches_float(43.0).unwrap());
+        assert!(c.matches_float(42.0).unwrap());
+        assert!(!c.matches_float(41.0).unwrap());
+
+        let c = Comparator::NotEqual(Number::Float(42.0));
+        assert!(c.matches_float(43.0).unwrap());
+        assert!(!c.matches_float(42.0).unwrap());
+        assert!(c.matches_float(41.0).unwrap());
+
+        let c = Comparator::Equal(Number::Float(42.0));
+        assert!(!c.matches_float(43.0).unwrap());
+        assert!(c.matches_float(42.0).unwrap());
+        assert!(!c.matches_float(41.0).unwrap());
+
+        let c = Comparator::LessThanOrEqual(Number::Float(42.0));
+        assert!(!c.matches_float(43.0).unwrap());
+        assert!(c.matches_float(42.0).unwrap());
+        assert!(c.matches_float(41.0).unwrap());
+
+        let c = Comparator::LessThan(Number::Float(42.0));
+        assert!(!c.matches_float(43.0).unwrap());
+        assert!(!c.matches_float(42.0).unwrap());
+        assert!(c.matches_float(41.0).unwrap());
+    }
+
+    #[test]
+    fn test_comparator_match() {
+        let c = Comparator::MatchRegex(Regex::new(r"^\d+$").unwrap());
+        assert!(c.matches("42").unwrap());
+        assert!(!c.matches("42.0").unwrap());
+
+        let c = Comparator::NotMatchRegex(Regex::new(r"^\d+$").unwrap());
+        assert!(!c.matches("42").unwrap());
+        assert!(c.matches("42.0").unwrap());
+
+        let c = Comparator::StrNotEqual("42.0".to_string());
+        assert!(!c.matches("42.0").unwrap());
+        assert!(c.matches("42.00").unwrap());
+
+        let c = Comparator::StrEqual("42.0".to_string());
+        assert!(c.matches("42.0").unwrap());
+        assert!(!c.matches("42").unwrap());
+        assert!(!c.matches("42.00").unwrap());
+
+        let c = Comparator::GreaterThan(Number::Int(42));
+        assert!(c.matches("43").unwrap());
+        assert!(!c.matches("42").unwrap());
+        assert!(!c.matches("41").unwrap());
+
+        let c = Comparator::GreaterThanOrEqual(Number::Int(42));
+        assert!(c.matches("43").unwrap());
+        assert!(c.matches("42").unwrap());
+        assert!(!c.matches("41").unwrap());
+
+        let c = Comparator::NotEqual(Number::Int(42));
+        assert!(c.matches("43").unwrap());
+        assert!(!c.matches("42").unwrap());
+        assert!(c.matches("41").unwrap());
+
+        let c = Comparator::Equal(Number::Int(42));
+        assert!(!c.matches("43").unwrap());
+        assert!(c.matches("42").unwrap());
+        assert!(!c.matches("41").unwrap());
+
+        let c = Comparator::LessThanOrEqual(Number::Int(42));
+        assert!(!c.matches("43").unwrap());
+        assert!(c.matches("42").unwrap());
+        assert!(c.matches("41").unwrap());
+
+        let c = Comparator::LessThan(Number::Int(42));
+        assert!(!c.matches("43").unwrap());
+        assert!(!c.matches("42").unwrap());
+        assert!(c.matches("41").unwrap());
+    }
+}
diff --git a/policies/module-types/augeas/src/parameters.rs b/policies/module-types/augeas/src/parameters.rs
index 8677304267..49fb2aa881 100644
--- a/policies/module-types/augeas/src/parameters.rs
+++ b/policies/module-types/augeas/src/parameters.rs
@@ -16,7 +16,6 @@ use std::iter;
 #[serde(rename_all = "snake_case")]
 #[serde_inline_default]
 pub struct AugeasParameters {
-    // force ?? FIXME: check why puppet needed it.
     /// Raw commands to run.
     ///
     /// Should be used with care, as it can lead to override any configuration, including

From d7abc8cf0fca72268210d62bd0aef9a3cdd393f3 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 18:48:07 +0100
Subject: [PATCH 07/29] fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089:
 Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    |   7 +
 policies/module-types/augeas/Cargo.toml       |   1 +
 policies/module-types/augeas/src/dsl.rs       |   5 +-
 .../module-types/augeas/src/dsl/checks.rs     | 289 ++----------------
 .../module-types/augeas/src/dsl/comparator.rs | 266 ++++++++++++++++
 5 files changed, 294 insertions(+), 274 deletions(-)
 create mode 100644 policies/module-types/augeas/src/dsl/comparator.rs

diff --git a/Cargo.lock b/Cargo.lock
index 272842aa09..6d94202077 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -428,6 +428,12 @@ version = "1.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b"
 
+[[package]]
+name = "bytesize"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a3e368af43e418a04d52505cf3dbc23dda4e3407ae2fa99fd0e4f308ce546acc"
+
 [[package]]
 name = "bzip2"
 version = "0.5.0"
@@ -3297,6 +3303,7 @@ name = "rudder-module-augeas"
 version = "0.0.0-dev"
 dependencies = [
  "anyhow",
+ "bytesize",
  "nom",
  "raugeas",
  "regex",
diff --git a/policies/module-types/augeas/Cargo.toml b/policies/module-types/augeas/Cargo.toml
index aa7494b10f..833175cfc7 100644
--- a/policies/module-types/augeas/Cargo.toml
+++ b/policies/module-types/augeas/Cargo.toml
@@ -10,6 +10,7 @@ license.workspace = true
 
 [dependencies]
 anyhow = "1"
+bytesize = { version = "1.3.0" }
 nom = "7"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 94325adc1e..9d220b7224 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -11,7 +11,8 @@ use std::borrow::Cow;
 use std::ops::Deref;
 
 pub mod changes;
-pub mod checks;
+mod checks;
+pub mod comparator;
 
 pub type Value<'a> = &'a str;
 pub type Sub<'a> = &'a str;
@@ -36,7 +37,7 @@ impl<'a> From<&'a str> for AugPath<'a> {
     }
 }
 
-impl<'a> AugPath<'a> {
+impl AugPath<'_> {
     pub fn is_absolute(&self) -> bool {
         self.inner.starts_with('/')
     }
diff --git a/policies/module-types/augeas/src/dsl/checks.rs b/policies/module-types/augeas/src/dsl/checks.rs
index cde47bcec0..ce506794c1 100644
--- a/policies/module-types/augeas/src/dsl/checks.rs
+++ b/policies/module-types/augeas/src/dsl/checks.rs
@@ -1,16 +1,10 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use anyhow::{anyhow, bail};
-use anyhow::{Error, Result};
-use regex::Regex;
-use std::num::{ParseFloatError, ParseIntError};
-use std::str::FromStr;
-
-pub type MatchPath = String;
+use crate::dsl::comparator::Comparison;
+use crate::dsl::AugPath;
 
 /*
-
 ifonly:
     get <AUGEAS_PATH> <COMPARATOR> <STRING>
     values <MATCH_PATH> include <STRING>
@@ -27,273 +21,24 @@ where:
     AUGEAS_PATH is a valid path scoped by the context
     MATCH_PATH is a valid match syntax scoped by the context
     COMPARATOR is one of >, >=, !=, ==, <=, or <
-      ~ for regex match, !~ for regex not match
+                         ~ for regex match, !~ for regex not match
     STRING is a string
     INT is a number
     AN_ARRAY is in the form ['a string', 'another']
 */
 
-#[derive(Debug, Clone)]
-pub enum Comparator {
-    GreaterThan(Number),
-    GreaterThanOrEqual(Number),
-    NotEqual(Number),
-    Equal(Number),
-    LessThanOrEqual(Number),
-    LessThan(Number),
-    MatchRegex(Regex),
-    NotMatchRegex(Regex),
-    StrNotEqual(String),
-    StrEqual(String),
-}
-
-#[derive(Debug, PartialEq, Copy, Clone)]
-pub enum Number {
-    Int(isize),
-    Float(f32),
-}
-
-impl FromStr for Number {
-    type Err = Error;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        let num_int: Result<isize, ParseIntError> = s.parse();
-        match num_int {
-            Ok(n) => Ok(Number::Int(n)),
-            Err(_) => {
-                let num_float: Result<f32, ParseFloatError> = s.parse();
-                match num_float {
-                    Ok(n) => Ok(Number::Float(n)),
-                    Err(_) => Err(anyhow!("Could not parse number '{}'", s)),
-                }
-            }
-        }
-    }
-}
-
-impl Comparator {
-    fn matches_int(&self, value: isize) -> Result<bool> {
-        Ok(match self {
-            Comparator::GreaterThan(n) => match n {
-                Number::Int(n) => value > *n,
-                Number::Float(n) => value as f32 > *n,
-            },
-            Comparator::GreaterThanOrEqual(n) => match n {
-                Number::Int(n) => value >= *n,
-                Number::Float(n) => value as f32 >= *n,
-            },
-            Comparator::NotEqual(n) => match n {
-                Number::Int(n) => value != *n,
-                Number::Float(n) => value as f32 != *n,
-            },
-            Comparator::Equal(n) => match n {
-                Number::Int(n) => value == *n,
-                Number::Float(n) => value as f32 == *n,
-            },
-            Comparator::LessThanOrEqual(n) => match n {
-                Number::Int(n) => value <= *n,
-                Number::Float(n) => value as f32 <= *n,
-            },
-            Comparator::LessThan(n) => match n {
-                Number::Int(n) => value < *n,
-                Number::Float(n) => (value as f32) < *n,
-            },
-            _ => bail!("Invalid comparator for integer number"),
-        })
-    }
-
-    fn matches_float(&self, value: f32) -> Result<bool> {
-        Ok(match self {
-            Comparator::GreaterThan(n) => match n {
-                Number::Int(n) => value > *n as f32,
-                Number::Float(n) => value > *n,
-            },
-            Comparator::GreaterThanOrEqual(n) => match n {
-                Number::Int(n) => value >= *n as f32,
-                Number::Float(n) => value >= *n,
-            },
-            Comparator::NotEqual(n) => match n {
-                Number::Int(n) => value != *n as f32,
-                Number::Float(n) => value != *n,
-            },
-            Comparator::Equal(n) => match n {
-                Number::Int(n) => value == *n as f32,
-                Number::Float(n) => value == *n,
-            },
-            Comparator::LessThanOrEqual(n) => match n {
-                Number::Int(n) => value <= *n as f32,
-                Number::Float(n) => value <= *n,
-            },
-            Comparator::LessThan(n) => match n {
-                Number::Int(n) => value < *n as f32,
-                Number::Float(n) => value < *n,
-            },
-            _ => bail!("Invalid comparator for float number"),
-        })
-    }
-
-    pub fn matches(&self, value: &str) -> Result<bool> {
-        match self {
-            Comparator::MatchRegex(re) => Ok(re.is_match(value)),
-            Comparator::NotMatchRegex(re) => Ok(!re.is_match(value)),
-            Comparator::StrNotEqual(s) => Ok(value != s),
-            Comparator::StrEqual(s) => Ok(value == s),
-            _ => {
-                let value: Number = value.parse()?;
-                match value {
-                    Number::Int(value) => self.matches_int(value),
-                    Number::Float(value) => self.matches_float(value),
-                }
-            }
-        }
-    }
-}
-
-pub enum Check {
-    Get(String, Comparator, String),
-    ValuesInclude(String, String),
-    ValuesNotInclude(String, String),
-    ValuesEqual(String, Vec<String>),
-    ValuesNotEqual(String, Vec<String>),
-    MatchSize(String, String, usize),
-    MatchInclude(String, String),
-    MatchNotInclude(String, String),
-    MatchEqual(String, Vec<String>),
-    MatchNotEqual(String, Vec<String>),
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_number_from_str() {
-        let n: Number = "42".parse().unwrap();
-        assert_eq!(n, Number::Int(42));
-
-        let n: Number = "42.0".parse().unwrap();
-        assert_eq!(n, Number::Float(42.0));
-
-        let n: Number = "42.5".parse().unwrap();
-        assert_eq!(n, Number::Float(42.5));
-
-        let r: Result<Number, Error> = "42.5.0".parse();
-        assert!(r.is_err());
-    }
-
-    #[test]
-    fn test_comparator_matches_int() {
-        let c = Comparator::GreaterThan(Number::Int(42));
-        assert!(c.matches_int(43).unwrap());
-        assert!(!c.matches_int(42).unwrap());
-        assert!(!c.matches_int(41).unwrap());
-
-        let c = Comparator::GreaterThanOrEqual(Number::Int(42));
-        assert!(c.matches_int(43).unwrap());
-        assert!(c.matches_int(42).unwrap());
-        assert!(!c.matches_int(41).unwrap());
-
-        let c = Comparator::NotEqual(Number::Int(42));
-        assert!(c.matches_int(43).unwrap());
-        assert!(!c.matches_int(42).unwrap());
-        assert!(c.matches_int(41).unwrap());
-
-        let c = Comparator::Equal(Number::Int(42));
-        assert!(!c.matches_int(43).unwrap());
-        assert!(c.matches_int(42).unwrap());
-        assert!(!c.matches_int(41).unwrap());
-
-        let c = Comparator::LessThanOrEqual(Number::Int(42));
-        assert!(!c.matches_int(43).unwrap());
-        assert!(c.matches_int(42).unwrap());
-        assert!(c.matches_int(41).unwrap());
-
-        let c = Comparator::LessThan(Number::Int(42));
-        assert!(!c.matches_int(43).unwrap());
-        assert!(!c.matches_int(42).unwrap());
-        assert!(c.matches_int(41).unwrap());
-    }
-
-    #[test]
-    fn test_comparator_matches_float() {
-        let c = Comparator::GreaterThan(Number::Float(42.0));
-        assert!(c.matches_float(43.0).unwrap());
-        assert!(!c.matches_float(42.0).unwrap());
-        assert!(!c.matches_float(41.0).unwrap());
-
-        let c = Comparator::GreaterThanOrEqual(Number::Float(42.0));
-        assert!(c.matches_float(43.0).unwrap());
-        assert!(c.matches_float(42.0).unwrap());
-        assert!(!c.matches_float(41.0).unwrap());
-
-        let c = Comparator::NotEqual(Number::Float(42.0));
-        assert!(c.matches_float(43.0).unwrap());
-        assert!(!c.matches_float(42.0).unwrap());
-        assert!(c.matches_float(41.0).unwrap());
-
-        let c = Comparator::Equal(Number::Float(42.0));
-        assert!(!c.matches_float(43.0).unwrap());
-        assert!(c.matches_float(42.0).unwrap());
-        assert!(!c.matches_float(41.0).unwrap());
-
-        let c = Comparator::LessThanOrEqual(Number::Float(42.0));
-        assert!(!c.matches_float(43.0).unwrap());
-        assert!(c.matches_float(42.0).unwrap());
-        assert!(c.matches_float(41.0).unwrap());
-
-        let c = Comparator::LessThan(Number::Float(42.0));
-        assert!(!c.matches_float(43.0).unwrap());
-        assert!(!c.matches_float(42.0).unwrap());
-        assert!(c.matches_float(41.0).unwrap());
-    }
-
-    #[test]
-    fn test_comparator_match() {
-        let c = Comparator::MatchRegex(Regex::new(r"^\d+$").unwrap());
-        assert!(c.matches("42").unwrap());
-        assert!(!c.matches("42.0").unwrap());
-
-        let c = Comparator::NotMatchRegex(Regex::new(r"^\d+$").unwrap());
-        assert!(!c.matches("42").unwrap());
-        assert!(c.matches("42.0").unwrap());
-
-        let c = Comparator::StrNotEqual("42.0".to_string());
-        assert!(!c.matches("42.0").unwrap());
-        assert!(c.matches("42.00").unwrap());
-
-        let c = Comparator::StrEqual("42.0".to_string());
-        assert!(c.matches("42.0").unwrap());
-        assert!(!c.matches("42").unwrap());
-        assert!(!c.matches("42.00").unwrap());
-
-        let c = Comparator::GreaterThan(Number::Int(42));
-        assert!(c.matches("43").unwrap());
-        assert!(!c.matches("42").unwrap());
-        assert!(!c.matches("41").unwrap());
-
-        let c = Comparator::GreaterThanOrEqual(Number::Int(42));
-        assert!(c.matches("43").unwrap());
-        assert!(c.matches("42").unwrap());
-        assert!(!c.matches("41").unwrap());
-
-        let c = Comparator::NotEqual(Number::Int(42));
-        assert!(c.matches("43").unwrap());
-        assert!(!c.matches("42").unwrap());
-        assert!(c.matches("41").unwrap());
-
-        let c = Comparator::Equal(Number::Int(42));
-        assert!(!c.matches("43").unwrap());
-        assert!(c.matches("42").unwrap());
-        assert!(!c.matches("41").unwrap());
-
-        let c = Comparator::LessThanOrEqual(Number::Int(42));
-        assert!(!c.matches("43").unwrap());
-        assert!(c.matches("42").unwrap());
-        assert!(c.matches("41").unwrap());
-
-        let c = Comparator::LessThan(Number::Int(42));
-        assert!(!c.matches("43").unwrap());
-        assert!(!c.matches("42").unwrap());
-        assert!(c.matches("41").unwrap());
-    }
+// FIXME NumComparators ?
+
+pub enum Check<'a> {
+    // Comparison contains both the typed value and the comparator
+    Get(AugPath<'a>, Comparison),
+    ValuesInclude(AugPath<'a>, &'a str),
+    ValuesNotInclude(AugPath<'a>, &'a str),
+    ValuesEqual(AugPath<'a>, Vec<&'a str>),
+    ValuesNotEqual(AugPath<'a>, Vec<&'a str>),
+    MatchSize(AugPath<'a>, String, usize),
+    MatchInclude(AugPath<'a>, String),
+    MatchNotInclude(AugPath<'a>, &'a str),
+    MatchEqual(AugPath<'a>, Vec<&'a str>),
+    MatchNotEqual(AugPath<'a>, Vec<&'a str>),
 }
diff --git a/policies/module-types/augeas/src/dsl/comparator.rs b/policies/module-types/augeas/src/dsl/comparator.rs
new file mode 100644
index 0000000000..b74f697490
--- /dev/null
+++ b/policies/module-types/augeas/src/dsl/comparator.rs
@@ -0,0 +1,266 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+use anyhow::bail;
+use anyhow::{Error, Result};
+use bytesize::ByteSize;
+use regex::Regex;
+use std::fmt::Debug;
+use std::num::{ParseFloatError, ParseIntError};
+use std::str::FromStr;
+
+#[derive(Debug, Clone)]
+pub enum NumComparator {
+    /// Greater than.
+    GreaterThan,
+    /// Greater than or equal.
+    GreaterThanOrEqual,
+    /// Not equal, for values parsed as numbers.
+    NotEqual,
+    /// Equal, for values parsed as numbers.
+    Equal,
+    /// Less than or equal.
+    LessThanOrEqual,
+    /// Less than.
+    LessThan,
+}
+
+#[derive(Debug, Clone)]
+pub struct NumericComparison {
+    pub comparator: NumComparator,
+    pub value: Number,
+}
+
+#[derive(Debug, Clone)]
+pub enum StrComparison {
+    /// Match a regex.
+    MatchRegex(Regex),
+    /// Not match a regex.
+    NotMatchRegex(Regex),
+    /// Not equal.
+    StrNotEqual(String),
+    /// Equal.
+    StrEqual(String),
+}
+
+#[derive(Debug, Clone)]
+pub enum Comparison {
+    Num(NumericComparison),
+    Str(StrComparison),
+}
+
+#[derive(PartialEq, Copy, Clone)]
+pub enum Number {
+    Int(isize),
+    Float(f32),
+    Bytes(ByteSize),
+}
+
+impl Debug for Number {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Number::Int(n) => write!(f, "int:{}", n),
+            Number::Float(n) => write!(f, "float:{}", n),
+            Number::Bytes(n) => write!(f, "bytes:{}", n),
+        }
+    }
+}
+
+impl FromStr for Number {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        let num_int: Result<isize, ParseIntError> = s.parse();
+        match num_int {
+            Ok(n) => Ok(Number::Int(n)),
+            Err(_) => {
+                let num_float: Result<f32, ParseFloatError> = s.parse();
+                match num_float {
+                    Ok(n) => Ok(Number::Float(n)),
+                    Err(_) => {
+                        let num_bytes: Result<ByteSize, String> = s.parse();
+                        match num_bytes {
+                            Ok(n) => Ok(Number::Bytes(n)),
+                            Err(_) => bail!("Invalid number '{}'", s),
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+// Generic number comparison.
+//
+// "a operator b"
+#[macro_use]
+macro_rules! match_comparator {
+    ($a:expr, $b:expr, $comparator:expr) => {
+        match $comparator {
+            NumComparator::GreaterThan => Ok($a > $b),
+            NumComparator::GreaterThanOrEqual => Ok($a >= $b),
+            NumComparator::NotEqual => Ok($a != $b),
+            NumComparator::Equal => Ok($a == $b),
+            NumComparator::LessThanOrEqual => Ok($a <= $b),
+            NumComparator::LessThan => Ok($a < $b),
+        }
+    };
+}
+
+impl NumericComparison {
+    /// Compare the given value with the stored one.
+    ///
+    /// evaluates `value self.comparator self.value`
+    fn matches(&self, value: Number) -> Result<bool> {
+        match (value, self.value) {
+            (Number::Int(a), Number::Int(b)) => match_comparator!(a, b, self.comparator),
+            (Number::Float(a), Number::Float(b)) => match_comparator!(a, b, self.comparator),
+            (Number::Int(a), Number::Float(b)) => {
+                let a = a as f32;
+                match_comparator!(a, b, self.comparator)
+            }
+            (Number::Float(a), Number::Int(b)) => {
+                let b = b as f32;
+                match_comparator!(a, b, self.comparator)
+            }
+            (Number::Bytes(a), Number::Bytes(b)) => match_comparator!(a, b, self.comparator),
+            // When comparing int and bytes, convert the int to bytes
+            (Number::Int(a), Number::Bytes(b)) if a >= 0 => {
+                let a = ByteSize(a as u64);
+                match_comparator!(a, b, self.comparator)
+            }
+            (Number::Bytes(a), Number::Int(b)) if b >= 0 => {
+                let b = ByteSize(b as u64);
+                match_comparator!(a, b, self.comparator)
+            }
+            _ => bail!(
+                "Invalid comparison between numbers '{:?}' and '{:?}'",
+                self.value,
+                value
+            ),
+        }
+    }
+}
+
+impl StrComparison {
+    pub fn matches(&self, value: &str) -> Result<bool> {
+        match self {
+            StrComparison::MatchRegex(re) => Ok(re.is_match(value)),
+            StrComparison::NotMatchRegex(re) => Ok(!re.is_match(value)),
+            StrComparison::StrNotEqual(s) => Ok(value != s),
+            StrComparison::StrEqual(s) => Ok(value == s),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_number_from_str() {
+        let n: Number = "42".parse().unwrap();
+        assert_eq!(n, Number::Int(42));
+
+        let n: Number = "42.0".parse().unwrap();
+        assert_eq!(n, Number::Float(42.0));
+
+        let n: Number = "42.5".parse().unwrap();
+        assert_eq!(n, Number::Float(42.5));
+
+        let r: Result<Number, Error> = "42.5.0".parse();
+        assert!(r.is_err());
+
+        let n: Number = "42B".parse().unwrap();
+        assert_eq!(n, Number::Bytes(ByteSize::b(42)));
+
+        let n: Number = "42KB".parse().unwrap();
+        assert_eq!(n, Number::Bytes(ByteSize::kb(42)));
+    }
+
+    #[test]
+    fn test_numeric_comparison_int() {
+        let c = NumericComparison {
+            comparator: NumComparator::GreaterThan,
+            value: Number::Int(42),
+        };
+
+        let r = c.matches(Number::Int(41)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Int(42)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Int(43)).unwrap();
+        assert!(r);
+
+        let r = c.matches(Number::Float(42.0)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Float(42.1)).unwrap();
+        assert!(r);
+
+        let r = c.matches(Number::Bytes(ByteSize::b(42))).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Bytes(ByteSize::b(43))).unwrap();
+        assert!(r);
+    }
+
+    #[test]
+    fn test_numeric_comparison_float() {
+        let c = NumericComparison {
+            comparator: NumComparator::GreaterThan,
+            value: Number::Float(42.0),
+        };
+
+        let r = c.matches(Number::Int(41)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Int(42)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Int(43)).unwrap();
+        assert!(r);
+
+        let r = c.matches(Number::Float(42.0)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Float(42.1)).unwrap();
+        assert!(r);
+
+        let r = c.matches(Number::Bytes(ByteSize::b(42)));
+        assert!(r.is_err());
+    }
+
+    #[test]
+    fn test_str_comparison_matches() {
+        let c = StrComparison::StrEqual("foo".to_string());
+        let r = c.matches("foo").unwrap();
+        assert!(r);
+
+        let r = c.matches("bar").unwrap();
+        assert!(!r);
+
+        let c = StrComparison::StrNotEqual("foo".to_string());
+        let r = c.matches("foo").unwrap();
+        assert!(!r);
+
+        let r = c.matches("bar").unwrap();
+        assert!(r);
+
+        let c = StrComparison::MatchRegex(Regex::new(r"^\d+$").unwrap());
+        let r = c.matches("42").unwrap();
+        assert!(r);
+
+        let r = c.matches("foo").unwrap();
+        assert!(!r);
+
+        let c = StrComparison::NotMatchRegex(Regex::new(r"^\d+$").unwrap());
+        let r = c.matches("42").unwrap();
+        assert!(!r);
+
+        let r = c.matches("foo").unwrap();
+        assert!(r);
+    }
+}

From bcdc91aa9ad4ce6391abba8cf1677727fe94add8 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 19:11:14 +0100
Subject: [PATCH 08/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes
 #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 .../module-types/augeas/src/dsl/comparator.rs | 168 ++++++++++++++----
 1 file changed, 137 insertions(+), 31 deletions(-)

diff --git a/policies/module-types/augeas/src/dsl/comparator.rs b/policies/module-types/augeas/src/dsl/comparator.rs
index b74f697490..147d5c7a2f 100644
--- a/policies/module-types/augeas/src/dsl/comparator.rs
+++ b/policies/module-types/augeas/src/dsl/comparator.rs
@@ -25,24 +25,28 @@ pub enum NumComparator {
     LessThan,
 }
 
+impl FromStr for NumComparator {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            ">" => Ok(NumComparator::GreaterThan),
+            ">=" => Ok(NumComparator::GreaterThanOrEqual),
+            "!=" => Ok(NumComparator::NotEqual),
+            "==" => Ok(NumComparator::Equal),
+            "<=" => Ok(NumComparator::LessThanOrEqual),
+            "<" => Ok(NumComparator::LessThan),
+            _ => bail!("Invalid comparator '{}'", s),
+        }
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct NumericComparison {
     pub comparator: NumComparator,
     pub value: Number,
 }
 
-#[derive(Debug, Clone)]
-pub enum StrComparison {
-    /// Match a regex.
-    MatchRegex(Regex),
-    /// Not match a regex.
-    NotMatchRegex(Regex),
-    /// Not equal.
-    StrNotEqual(String),
-    /// Equal.
-    StrEqual(String),
-}
-
 #[derive(Debug, Clone)]
 pub enum Comparison {
     Num(NumericComparison),
@@ -142,13 +146,70 @@ impl NumericComparison {
     }
 }
 
+#[derive(Debug, Clone)]
+pub enum StrComparator {
+    Equal,
+    NotEqual,
+}
+
+#[derive(Debug, Clone)]
+pub struct StrComparison {
+    comparator: StrComparator,
+    value: String,
+}
+
+impl FromStr for StrComparator {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "==" => Ok(StrComparator::Equal),
+            "!=" => Ok(StrComparator::NotEqual),
+            _ => bail!("Invalid string comparator '{}'", s),
+        }
+    }
+}
+
 impl StrComparison {
-    pub fn matches(&self, value: &str) -> Result<bool> {
-        match self {
-            StrComparison::MatchRegex(re) => Ok(re.is_match(value)),
-            StrComparison::NotMatchRegex(re) => Ok(!re.is_match(value)),
-            StrComparison::StrNotEqual(s) => Ok(value != s),
-            StrComparison::StrEqual(s) => Ok(value == s),
+    pub fn matches(&self, value: &str) -> bool {
+        let is_equal = value == self.value;
+        match self.comparator {
+            StrComparator::NotEqual => !is_equal,
+            StrComparator::Equal => is_equal,
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub enum RegexComparator {
+    Match,
+    NotMatch,
+}
+
+#[derive(Debug, Clone)]
+pub struct RegexComparison {
+    comparator: RegexComparator,
+    re: Regex,
+}
+
+impl FromStr for RegexComparator {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        match s {
+            "~" | "=~" => Ok(RegexComparator::Match),
+            "!~" => Ok(RegexComparator::NotMatch),
+            _ => bail!("Invalid regex comparator '{}'", s),
+        }
+    }
+}
+
+impl RegexComparison {
+    pub fn matches(&self, value: &str) -> bool {
+        let is_match = self.re.is_match(value);
+        match self.comparator {
+            RegexComparator::Match => is_match,
+            RegexComparator::NotMatch => !is_match,
         }
     }
 }
@@ -234,33 +295,78 @@ mod tests {
     }
 
     #[test]
-    fn test_str_comparison_matches() {
-        let c = StrComparison::StrEqual("foo".to_string());
-        let r = c.matches("foo").unwrap();
+    fn test_numeric_comparison_bytes() {
+        let c = NumericComparison {
+            comparator: NumComparator::GreaterThan,
+            value: Number::Bytes(ByteSize::b(42)),
+        };
+
+        let r = c.matches(Number::Int(41)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Int(42)).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Int(43)).unwrap();
+        assert!(r);
+
+        let r = c.matches(Number::Float(42.0));
+        assert!(r.is_err());
+
+        let r = c.matches(Number::Bytes(ByteSize::b(42))).unwrap();
+        assert!(!r);
+
+        let r = c.matches(Number::Bytes(ByteSize::b(43))).unwrap();
+        assert!(r);
+    }
+
+    #[test]
+    fn test_str_comparison() {
+        let c = StrComparison {
+            comparator: StrComparator::Equal,
+            value: "foo".to_string(),
+        };
+
+        let r = c.matches("foo");
         assert!(r);
 
-        let r = c.matches("bar").unwrap();
+        let r = c.matches("bar");
         assert!(!r);
 
-        let c = StrComparison::StrNotEqual("foo".to_string());
-        let r = c.matches("foo").unwrap();
+        let c = StrComparison {
+            comparator: StrComparator::NotEqual,
+            value: "foo".to_string(),
+        };
+
+        let r = c.matches("foo");
         assert!(!r);
 
-        let r = c.matches("bar").unwrap();
+        let r = c.matches("bar");
         assert!(r);
+    }
 
-        let c = StrComparison::MatchRegex(Regex::new(r"^\d+$").unwrap());
-        let r = c.matches("42").unwrap();
+    #[test]
+    fn test_regex_comparison() {
+        let c = RegexComparison {
+            comparator: RegexComparator::Match,
+            re: r"\d+".parse().unwrap(),
+        };
+
+        let r = c.matches("34");
         assert!(r);
 
-        let r = c.matches("foo").unwrap();
+        let r = c.matches("bar");
         assert!(!r);
 
-        let c = StrComparison::NotMatchRegex(Regex::new(r"^\d+$").unwrap());
-        let r = c.matches("42").unwrap();
+        let c = RegexComparison {
+            comparator: RegexComparator::NotMatch,
+            re: r"\d+".parse().unwrap(),
+        };
+
+        let r = c.matches("34");
         assert!(!r);
 
-        let r = c.matches("foo").unwrap();
+        let r = c.matches("bar");
         assert!(r);
     }
 }

From 873e6c40bb24c3f63eb58d70c57091af1d3bd6dc Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 19:24:03 +0100
Subject: [PATCH 09/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 .../module-types/augeas/src/dsl/comparator.rs | 52 +++++++++----------
 1 file changed, 25 insertions(+), 27 deletions(-)

diff --git a/policies/module-types/augeas/src/dsl/comparator.rs b/policies/module-types/augeas/src/dsl/comparator.rs
index 147d5c7a2f..7fa96669ed 100644
--- a/policies/module-types/augeas/src/dsl/comparator.rs
+++ b/policies/module-types/augeas/src/dsl/comparator.rs
@@ -7,6 +7,7 @@ use bytesize::ByteSize;
 use regex::Regex;
 use std::fmt::Debug;
 use std::num::{ParseFloatError, ParseIntError};
+use std::ops::Deref;
 use std::str::FromStr;
 
 #[derive(Debug, Clone)]
@@ -25,6 +26,20 @@ pub enum NumComparator {
     LessThan,
 }
 
+impl NumComparator {
+    /// Computes `a comparator b`.
+    fn numeric_compare<T: PartialEq + PartialOrd>(&self, a: &T, b: &T) -> bool {
+        match self {
+            NumComparator::GreaterThan => a.gt(b),
+            NumComparator::GreaterThanOrEqual => a.ge(b),
+            NumComparator::NotEqual => a.ne(b),
+            NumComparator::Equal => a.eq(b),
+            NumComparator::LessThanOrEqual => a.lt(b),
+            NumComparator::LessThan => a.le(b),
+        }
+    }
+}
+
 impl FromStr for NumComparator {
     type Err = Error;
 
@@ -94,55 +109,38 @@ impl FromStr for Number {
     }
 }
 
-// Generic number comparison.
-//
-// "a operator b"
-#[macro_use]
-macro_rules! match_comparator {
-    ($a:expr, $b:expr, $comparator:expr) => {
-        match $comparator {
-            NumComparator::GreaterThan => Ok($a > $b),
-            NumComparator::GreaterThanOrEqual => Ok($a >= $b),
-            NumComparator::NotEqual => Ok($a != $b),
-            NumComparator::Equal => Ok($a == $b),
-            NumComparator::LessThanOrEqual => Ok($a <= $b),
-            NumComparator::LessThan => Ok($a < $b),
-        }
-    };
-}
-
 impl NumericComparison {
     /// Compare the given value with the stored one.
     ///
-    /// evaluates `value self.comparator self.value`
+    /// Evaluates `value self.comparator self.value`.
     fn matches(&self, value: Number) -> Result<bool> {
-        match (value, self.value) {
-            (Number::Int(a), Number::Int(b)) => match_comparator!(a, b, self.comparator),
-            (Number::Float(a), Number::Float(b)) => match_comparator!(a, b, self.comparator),
+        Ok(match (value, self.value) {
+            (Number::Int(a), Number::Int(b)) => self.comparator.numeric_compare(&a, &b),
+            (Number::Float(a), Number::Float(b)) => self.comparator.numeric_compare(&a, &b),
             (Number::Int(a), Number::Float(b)) => {
                 let a = a as f32;
-                match_comparator!(a, b, self.comparator)
+                self.comparator.numeric_compare(&a, &b)
             }
             (Number::Float(a), Number::Int(b)) => {
                 let b = b as f32;
-                match_comparator!(a, b, self.comparator)
+                self.comparator.numeric_compare(&a, &b)
             }
-            (Number::Bytes(a), Number::Bytes(b)) => match_comparator!(a, b, self.comparator),
+            (Number::Bytes(a), Number::Bytes(b)) => self.comparator.numeric_compare(&a, &b),
             // When comparing int and bytes, convert the int to bytes
             (Number::Int(a), Number::Bytes(b)) if a >= 0 => {
                 let a = ByteSize(a as u64);
-                match_comparator!(a, b, self.comparator)
+                self.comparator.numeric_compare(&a, &b)
             }
             (Number::Bytes(a), Number::Int(b)) if b >= 0 => {
                 let b = ByteSize(b as u64);
-                match_comparator!(a, b, self.comparator)
+                self.comparator.numeric_compare(&a, &b)
             }
             _ => bail!(
                 "Invalid comparison between numbers '{:?}' and '{:?}'",
                 self.value,
                 value
             ),
-        }
+        })
     }
 }
 

From 6810cfb52c0d39375492992cf074b0bf5acab0d9 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 19:37:00 +0100
Subject: [PATCH 10/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/dsl/changes.rs    | 4 ++--
 policies/module-types/augeas/src/dsl/checks.rs     | 6 ++----
 policies/module-types/augeas/src/dsl/comparator.rs | 1 -
 policies/module-types/augeas/src/main.rs           | 1 +
 policies/module-types/augeas/tests/module.rs       | 2 +-
 5 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index 7914fb9045..aef341136a 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -17,8 +17,8 @@ use rudder_module_type::rudder_debug;
 
 /// The ordered list of changes to apply.
 ///
-/// FIXME: *excellent* reporting for each change.
-/// FIXME: make it as close as possible to the augeas command line & srun syntax.
+/// TODO: make it as close as possible to the augeas command line & srun syntax to ease
+///       development and debugging.
 #[derive(Debug, PartialEq)]
 pub struct Changes<'a> {
     changes: Vec<Change<'a>>,
diff --git a/policies/module-types/augeas/src/dsl/checks.rs b/policies/module-types/augeas/src/dsl/checks.rs
index ce506794c1..e4a2501569 100644
--- a/policies/module-types/augeas/src/dsl/checks.rs
+++ b/policies/module-types/augeas/src/dsl/checks.rs
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::comparator::Comparison;
+use crate::dsl::comparator::{Comparison, NumComparator};
 use crate::dsl::AugPath;
 
 /*
@@ -27,8 +27,6 @@ where:
     AN_ARRAY is in the form ['a string', 'another']
 */
 
-// FIXME NumComparators ?
-
 pub enum Check<'a> {
     // Comparison contains both the typed value and the comparator
     Get(AugPath<'a>, Comparison),
@@ -36,7 +34,7 @@ pub enum Check<'a> {
     ValuesNotInclude(AugPath<'a>, &'a str),
     ValuesEqual(AugPath<'a>, Vec<&'a str>),
     ValuesNotEqual(AugPath<'a>, Vec<&'a str>),
-    MatchSize(AugPath<'a>, String, usize),
+    MatchSize(AugPath<'a>, NumComparator, usize),
     MatchInclude(AugPath<'a>, String),
     MatchNotInclude(AugPath<'a>, &'a str),
     MatchEqual(AugPath<'a>, Vec<&'a str>),
diff --git a/policies/module-types/augeas/src/dsl/comparator.rs b/policies/module-types/augeas/src/dsl/comparator.rs
index 7fa96669ed..3d7b2d10a5 100644
--- a/policies/module-types/augeas/src/dsl/comparator.rs
+++ b/policies/module-types/augeas/src/dsl/comparator.rs
@@ -7,7 +7,6 @@ use bytesize::ByteSize;
 use regex::Regex;
 use std::fmt::Debug;
 use std::num::{ParseFloatError, ParseIntError};
-use std::ops::Deref;
 use std::str::FromStr;
 
 #[derive(Debug, Clone)]
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index 560bf467df..d0d976f8c2 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
+#![allow(dead_code)]
 mod augeas;
 mod dsl;
 mod parameters;
diff --git a/policies/module-types/augeas/tests/module.rs b/policies/module-types/augeas/tests/module.rs
index 985601023f..6bd74ccafa 100644
--- a/policies/module-types/augeas/tests/module.rs
+++ b/policies/module-types/augeas/tests/module.rs
@@ -11,7 +11,7 @@ use tempfile::tempdir;
 
 const BIN: &str = concat!("../../../target/debug/", env!("CARGO_PKG_NAME"));
 
-// FIXME fichiers YAML de cas de test avec les parameters
+// FIXME: fichiers YAML de cas de test avec les parameters
 
 #[test]
 #[ignore]

From e9b92dfb6adcce187d2003c2021105775d4bc986 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 21 Dec 2024 23:12:00 +0100
Subject: [PATCH 11/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    |  7 +++
 policies/module-types/augeas/Cargo.toml       |  1 +
 policies/module-types/augeas/src/augeas.rs    | 25 +++++++++-
 policies/module-types/augeas/src/dsl.rs       | 26 +++--------
 .../module-types/augeas/src/dsl/changes.rs    | 35 ++++++--------
 policies/module-types/augeas/src/main.rs      |  8 +++-
 policies/module-types/augeas/src/report.rs    | 46 +++++++++++++++++++
 7 files changed, 105 insertions(+), 43 deletions(-)
 create mode 100644 policies/module-types/augeas/src/report.rs

diff --git a/Cargo.lock b/Cargo.lock
index 6d94202077..7dd292e40f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3312,6 +3312,7 @@ dependencies = [
  "serde",
  "serde-inline-default",
  "serde_json",
+ "similar",
  "tempfile",
 ]
 
@@ -3921,6 +3922,12 @@ version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d66dc143e6b11c1eddc06d5c423cfc97062865baf299914ab64caa38182078fe"
 
+[[package]]
+name = "similar"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1de1d4f81173b03af4c0cbed3c898f6bff5b870e4a7f5d6f4057d62a7a4b686e"
+
 [[package]]
 name = "siphasher"
 version = "0.3.11"
diff --git a/policies/module-types/augeas/Cargo.toml b/policies/module-types/augeas/Cargo.toml
index 833175cfc7..98360e5c67 100644
--- a/policies/module-types/augeas/Cargo.toml
+++ b/policies/module-types/augeas/Cargo.toml
@@ -15,6 +15,7 @@ nom = "7"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 serde-inline-default = "0.2"
+similar = "2.6.0"
 regex = "1.11.1"
 rudder_module_type = { path = "../../rudder-module-type" }
 raugeas = { git = "https://github.com/Normation/raugeas.git" }
diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index e4fbcdf600..2a9dedbd2d 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -5,6 +5,8 @@ use crate::dsl::changes::Changes;
 use crate::AugeasParameters;
 use raugeas::{CommandsNumber, Flags, SaveMode};
 use rudder_module_type::{rudder_debug, CheckApplyResult, Outcome, PolicyMode};
+use similar::TextDiffConfig;
+use std::borrow::Cow;
 use std::env;
 
 /// Augeas module implementation.
@@ -58,6 +60,7 @@ impl Augeas {
     pub(crate) fn handle_check_apply(
         &self,
         p: AugeasParameters,
+        differ: TextDiffConfig,
         policy_mode: PolicyMode,
     ) -> CheckApplyResult {
         let mut flags = Flags::NONE;
@@ -83,6 +86,17 @@ impl Augeas {
         let version = aug.version()?;
         rudder_debug!("Augeas version: {}", version);
 
+        // Set context if needed.
+        let context: Option<Cow<str>> = if let Some(c) = p.context.as_deref() {
+            Some(c.into())
+        } else {
+            p.path.as_deref().map(|p| format!("files/{p}").into())
+        };
+        if let Some(c) = &context {
+            rudder_debug!("Setting context to: {c}");
+            aug.set("/augeas/context", c.as_ref())?;
+        }
+
         //////////////////////////////////
         // Start with the special unsafe mode
         //////////////////////////////////
@@ -112,7 +126,7 @@ impl Augeas {
         //////////////////////////////////
 
         let lens_opt = p.lens_name();
-        let _context = p.context();
+
         let path = p.path.as_deref().unwrap().to_string();
 
         if let Some(l) = lens_opt {
@@ -139,7 +153,7 @@ impl Augeas {
         if do_changes && !p.changes.is_empty() {
             rudder_debug!("Running changes: {:?}", p.changes);
             let changes = Changes::from_str(&p.changes)?;
-            changes.run(p.context.as_deref(), &mut aug)?;
+            changes.run(&mut aug)?;
             // FIXME handle policy mode
         }
 
@@ -158,6 +172,11 @@ impl Augeas {
         }
         aug.save()?;
 
+        let diff = differ.diff_lines("", "");
+        let mut udiff = diff.unified_diff();
+        udiff.context_radius(3).header("a", "b");
+        rudder_debug!("Diff: {udiff}");
+
         // Get information about changes
 
         // make backups
@@ -181,6 +200,7 @@ mod tests {
     #[test]
     fn it_writes_file_from_commands() {
         let augeas = Augeas::new().unwrap();
+        let differ = TextDiffConfig::default();
         let d = tempdir().unwrap().into_path();
         let f = d.join("test");
         let lens = "Simplelines";
@@ -197,6 +217,7 @@ mod tests {
                     ]
                     .join("\n"),
                 ),
+                differ,
                 PolicyMode::Enforce,
             )
             .unwrap();
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 9d220b7224..da684aef4f 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -7,7 +7,7 @@ use nom::character::complete::{char, not_line_ending, space0};
 use nom::error::VerboseError;
 use nom::sequence::delimited;
 use nom::IResult;
-use std::borrow::Cow;
+use std::ffi::OsStr;
 use std::ops::Deref;
 
 pub mod changes;
@@ -31,6 +31,12 @@ impl Deref for AugPath<'_> {
     }
 }
 
+impl AsRef<OsStr> for AugPath<'_> {
+    fn as_ref(&self) -> &OsStr {
+        self.inner.as_ref()
+    }
+}
+
 impl<'a> From<&'a str> for AugPath<'a> {
     fn from(s: &'a str) -> Self {
         AugPath { inner: s }
@@ -45,24 +51,6 @@ impl AugPath<'_> {
     pub fn is_relative(&self) -> bool {
         !self.is_absolute()
     }
-
-    /// Return the path with the given context.
-    ///
-    /// If the path is relative, it is appended to the context.
-    /// If the path is absolute, it is returned as is.
-    ///
-    /// Handles the case where the context does not end with a `/`.
-    pub fn with_context(&self, context: Option<&str>) -> Cow<str> {
-        match context {
-            Some(c) if self.is_relative() && c.ends_with('/') => {
-                format!("{}{}", c, self.inner).into()
-            }
-            Some(c) if self.is_relative() && !c.ends_with('/') => {
-                format!("{}/{}", c, self.inner).into()
-            }
-            _ => self.inner.into(),
-        }
-    }
 }
 
 /// Read a comment.
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index aef341136a..16c1efb2dd 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -33,10 +33,10 @@ impl<'a> Changes<'a> {
         Ok(Changes { changes })
     }
 
-    pub fn run(&self, context: Option<&str>, augeas: &mut Augeas) -> Result<()> {
+    pub fn run(&self, augeas: &mut Augeas) -> Result<()> {
         rudder_debug!("Running {} changes", self.changes.len());
         for change in &self.changes {
-            change.evaluate(context, augeas)?;
+            change.evaluate(augeas)?;
         }
         Ok(())
     }
@@ -69,39 +69,32 @@ pub enum Change<'a> {
 }
 
 impl<'a> Change<'a> {
-    fn evaluate(&self, context: Option<&str>, augeas: &'a mut Augeas) -> Result<()> {
+    fn evaluate(&self, augeas: &'a mut Augeas) -> Result<()> {
         match self {
-            Change::Set(path, value) => augeas.set(path.with_context(context).as_ref(), value)?,
+            Change::Set(path, value) => augeas.set(path, value)?,
             Change::SetMultiple(path, sub, value) => {
-                let n = augeas.setm(path.with_context(context).as_ref(), sub, value)?;
+                let n = augeas.setm(path, sub, value)?;
                 rudder_debug!("setm: modified {n} nodes");
             }
             Change::Remove(path) => {
-                let n = augeas.rm(path.with_context(context).as_ref())?;
+                let n = augeas.rm(path)?;
                 rudder_debug!("rm: removed {n} nodes");
             }
-            Change::Clear(path) => augeas.clear(path.with_context(context).as_ref())?,
+            Change::Clear(path) => augeas.clear(path)?,
             Change::ClearMultiple(path, sub) => {
-                let n = augeas.clearm(path.with_context(context).as_ref(), sub)?;
+                let n = augeas.clearm(path, sub)?;
                 rudder_debug!("clearm: cleared {n} nodes");
             }
-            Change::Touch(path) => augeas.touch(path.with_context(context).as_ref())?,
-            Change::Insert(label, position, path) => {
-                augeas.insert(path.with_context(context).as_ref(), label, *position)?
-            }
-            Change::Move(path, other) => augeas.mv(
-                path.with_context(context).as_ref(),
-                other.with_context(context).as_ref(),
-            )?,
+            Change::Touch(path) => augeas.touch(path)?,
+            Change::Insert(label, position, path) => augeas.insert(path, label, *position)?,
+            Change::Move(path, other) => augeas.mv(path, other)?,
             Change::Rename(path, label) => {
-                let n = augeas.rename(path.with_context(context).as_ref(), label)?;
+                let n = augeas.rename(path, label)?;
                 rudder_debug!("rename: renamed {n} nodes");
             }
-            Change::DefineVar(name, path) => {
-                augeas.defvar(name, path.with_context(context).as_ref())?
-            }
+            Change::DefineVar(name, path) => augeas.defvar(name, path)?,
             Change::DefineNode(name, path, value) => {
-                let created = augeas.defnode(name, path.with_context(context).as_ref(), value)?;
+                let created = augeas.defnode(name, path, value)?;
                 if created {
                     rudder_debug!("defnode: 1 node was created");
                 } else {
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index d0d976f8c2..e608d96c61 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -5,8 +5,10 @@
 mod augeas;
 mod dsl;
 mod parameters;
+mod report;
 
 use crate::parameters::AugeasParameters;
+use crate::report::diff_config;
 use anyhow::{bail, Result};
 use augeas::Augeas;
 use rudder_module_type::cfengine::called_from_agent;
@@ -38,7 +40,11 @@ impl ModuleType0 for Augeas {
         let p: AugeasParameters = serde_json::from_value(Value::Object(parameters.data.clone()))?;
         p.validate(Some(mode))?;
 
-        self.handle_check_apply(p, mode)
+        let differ = diff_config();
+        self.handle_check_apply(p, differ, mode)
+
+        // FIXME : reporting structuré, sérialisé ici
+        //         also to be used tests!
     }
 }
 
diff --git a/policies/module-types/augeas/src/report.rs b/policies/module-types/augeas/src/report.rs
new file mode 100644
index 0000000000..cd8efc1a07
--- /dev/null
+++ b/policies/module-types/augeas/src/report.rs
@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+//! Report module for the Augeas module type.
+//!
+//! Structured reporting.
+
+use anyhow::Error;
+use rudder_module_type::Outcome;
+use similar::{Algorithm, TextDiff, TextDiffConfig};
+use std::time::Duration;
+
+pub fn diff_config() -> TextDiffConfig {
+    let mut c = TextDiff::configure();
+    // We use the Myers algorithm, which is also the default in Git.
+    // Patience is also a good choice, but it's slower.
+    c.algorithm(Algorithm::Myers);
+    // By safety, we limit the diff time.
+    // This is a bit arbitrary, but we don't want to hang forever, and 1 second should
+    // be more than enough.
+    c.timeout(Duration::from_secs(1));
+    c
+}
+
+/// Report a change in a file.
+///
+/// We don't repeat the parameters.
+pub struct ChangeReport<'a> {
+    pub outcome: Outcome,
+    /// The unified diff of the change.
+    ///
+    /// <https://www.gnu.org/software/diffutils/manual/html_node/Detailed-Unified.html>
+    pub diff: Option<TextDiff<'a, 'a, 'a, str>>,
+    /// The error that occurred.
+    pub error: Option<Error>,
+}
+
+impl ChangeReport<'_> {
+    pub fn new(outcome: Outcome) -> Self {
+        Self {
+            outcome,
+            diff: None,
+            error: None,
+        }
+    }
+}

From 67aa0ca2c813793a66aa7b90512f493141590e23 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sun, 22 Dec 2024 12:40:06 +0100
Subject: [PATCH 12/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs | 11 +++--------
 policies/module-types/augeas/src/main.rs   |  4 +---
 policies/module-types/augeas/src/report.rs | 16 ++++------------
 3 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 2a9dedbd2d..7f00fa6d92 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -2,10 +2,10 @@
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
 use crate::dsl::changes::Changes;
+use crate::report::diff;
 use crate::AugeasParameters;
 use raugeas::{CommandsNumber, Flags, SaveMode};
 use rudder_module_type::{rudder_debug, CheckApplyResult, Outcome, PolicyMode};
-use similar::TextDiffConfig;
 use std::borrow::Cow;
 use std::env;
 
@@ -60,7 +60,6 @@ impl Augeas {
     pub(crate) fn handle_check_apply(
         &self,
         p: AugeasParameters,
-        differ: TextDiffConfig,
         policy_mode: PolicyMode,
     ) -> CheckApplyResult {
         let mut flags = Flags::NONE;
@@ -172,10 +171,8 @@ impl Augeas {
         }
         aug.save()?;
 
-        let diff = differ.diff_lines("", "");
-        let mut udiff = diff.unified_diff();
-        udiff.context_radius(3).header("a", "b");
-        rudder_debug!("Diff: {udiff}");
+        let diff = diff("", "");
+        rudder_debug!("Diff: {diff:?}");
 
         // Get information about changes
 
@@ -200,7 +197,6 @@ mod tests {
     #[test]
     fn it_writes_file_from_commands() {
         let augeas = Augeas::new().unwrap();
-        let differ = TextDiffConfig::default();
         let d = tempdir().unwrap().into_path();
         let f = d.join("test");
         let lens = "Simplelines";
@@ -217,7 +213,6 @@ mod tests {
                     ]
                     .join("\n"),
                 ),
-                differ,
                 PolicyMode::Enforce,
             )
             .unwrap();
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index e608d96c61..4ef7cec36b 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -8,7 +8,6 @@ mod parameters;
 mod report;
 
 use crate::parameters::AugeasParameters;
-use crate::report::diff_config;
 use anyhow::{bail, Result};
 use augeas::Augeas;
 use rudder_module_type::cfengine::called_from_agent;
@@ -40,8 +39,7 @@ impl ModuleType0 for Augeas {
         let p: AugeasParameters = serde_json::from_value(Value::Object(parameters.data.clone()))?;
         p.validate(Some(mode))?;
 
-        let differ = diff_config();
-        self.handle_check_apply(p, differ, mode)
+        self.handle_check_apply(p, mode)
 
         // FIXME : reporting structuré, sérialisé ici
         //         also to be used tests!
diff --git a/policies/module-types/augeas/src/report.rs b/policies/module-types/augeas/src/report.rs
index cd8efc1a07..4cec593e53 100644
--- a/policies/module-types/augeas/src/report.rs
+++ b/policies/module-types/augeas/src/report.rs
@@ -7,19 +7,11 @@
 
 use anyhow::Error;
 use rudder_module_type::Outcome;
-use similar::{Algorithm, TextDiff, TextDiffConfig};
-use std::time::Duration;
+use similar::udiff::unified_diff;
+use similar::{Algorithm, TextDiff};
 
-pub fn diff_config() -> TextDiffConfig {
-    let mut c = TextDiff::configure();
-    // We use the Myers algorithm, which is also the default in Git.
-    // Patience is also a good choice, but it's slower.
-    c.algorithm(Algorithm::Myers);
-    // By safety, we limit the diff time.
-    // This is a bit arbitrary, but we don't want to hang forever, and 1 second should
-    // be more than enough.
-    c.timeout(Duration::from_secs(1));
-    c
+pub fn diff(a: &str, b: &str) -> String {
+    unified_diff(Algorithm::Myers, a, b, 3, None)
 }
 
 /// Report a change in a file.

From 935c8dcecac93954865b238da469aaf895cb8b1e Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sun, 22 Dec 2024 15:46:37 +0100
Subject: [PATCH 13/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    | 94 ++++++++++++++++++-
 policies/module-types/augeas/Cargo.toml       |  2 +
 policies/module-types/augeas/README.md        |  2 +
 policies/module-types/augeas/src/augeas.rs    | 54 ++++++++---
 .../module-types/augeas/src/bin/raugtool.rs   | 79 ++++++++++++++++
 policies/module-types/augeas/src/dsl.rs       |  1 +
 .../module-types/augeas/src/dsl/changes.rs    |  6 +-
 policies/module-types/augeas/src/dsl/repl.rs  | 72 ++++++++++++++
 policies/module-types/augeas/src/lib.rs       | 61 ++++++++++++
 policies/module-types/augeas/src/main.rs      | 61 +++---------
 policies/module-types/augeas/src/report.rs    | 11 ++-
 .../rudder-module-type/src/cfengine/log.rs    |  2 +-
 12 files changed, 374 insertions(+), 71 deletions(-)
 create mode 100644 policies/module-types/augeas/src/bin/raugtool.rs
 create mode 100644 policies/module-types/augeas/src/dsl/repl.rs
 create mode 100644 policies/module-types/augeas/src/lib.rs

diff --git a/Cargo.lock b/Cargo.lock
index 7dd292e40f..800cf9490d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -603,7 +603,7 @@ dependencies = [
  "cli-table-derive",
  "csv",
  "termcolor",
- "unicode-width",
+ "unicode-width 0.1.14",
 ]
 
 [[package]]
@@ -617,6 +617,15 @@ dependencies = [
  "syn 1.0.109",
 ]
 
+[[package]]
+name = "clipboard-win"
+version = "5.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15efe7a882b08f34e38556b14f2fb3daa98769d06c7f0c1b076dfd0d983bc892"
+dependencies = [
+ "error-code",
+]
+
 [[package]]
 name = "codespan-reporting"
 version = "0.11.1"
@@ -624,7 +633,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e"
 dependencies = [
  "termcolor",
- "unicode-width",
+ "unicode-width 0.1.14",
 ]
 
 [[package]]
@@ -1086,6 +1095,12 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "endian-type"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c34f04666d835ff5d62e058c3995147c06f42fe86ff053337632bca83e42702d"
+
 [[package]]
 name = "env_filter"
 version = "0.1.3"
@@ -1131,6 +1146,12 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "error-code"
+version = "3.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5d9305ccc6942a704f4335694ecd3de2ea531b114ac2d51f5f843750787a92f"
+
 [[package]]
 name = "fallible-iterator"
 version = "0.3.0"
@@ -1160,6 +1181,17 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
 
+[[package]]
+name = "fd-lock"
+version = "4.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e5768da2206272c81ef0b5e951a41862938a6070da63bcea197899942d3b947"
+dependencies = [
+ "cfg-if",
+ "rustix",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "file-owner"
 version = "0.1.2"
@@ -1549,6 +1581,15 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
+[[package]]
+name = "home"
+version = "0.5.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589533453244b0995c858700322199b2becb13b627df2851f64a2775d024abcf"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "hostname"
 version = "0.4.0"
@@ -2415,6 +2456,15 @@ version = "1.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "650eef8c711430f1a879fdd01d4745a7deea475becfb90269c06775983bbf086"
 
+[[package]]
+name = "nibble_vec"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77a5d83df9f36fe23f0c3648c6bbb8b0298bb5f1939c8f2704431371f4b84d43"
+dependencies = [
+ "smallvec",
+]
+
 [[package]]
 name = "nix"
 version = "0.29.0"
@@ -3032,6 +3082,16 @@ dependencies = [
  "scheduled-thread-pool",
 ]
 
+[[package]]
+name = "radix_trie"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c069c179fcdc6a2fe24d8d18305cf085fdbd4f922c041943e203685d6a1c58fd"
+dependencies = [
+ "endian-type",
+ "nibble_vec",
+]
+
 [[package]]
 name = "rand"
 version = "0.8.5"
@@ -3304,11 +3364,13 @@ version = "0.0.0-dev"
 dependencies = [
  "anyhow",
  "bytesize",
+ "gumdrop",
  "nom",
  "raugeas",
  "regex",
  "rudder_commons_test",
  "rudder_module_type",
+ "rustyline",
  "serde",
  "serde-inline-default",
  "serde_json",
@@ -3642,6 +3704,28 @@ dependencies = [
  "wait-timeout",
 ]
 
+[[package]]
+name = "rustyline"
+version = "15.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ee1e066dc922e513bda599c6ccb5f3bb2b0ea5870a579448f2622993f0a9a2f"
+dependencies = [
+ "bitflags 2.6.0",
+ "cfg-if",
+ "clipboard-win",
+ "fd-lock",
+ "home",
+ "libc",
+ "log 0.4.22",
+ "memchr",
+ "nix",
+ "radix_trie",
+ "unicode-segmentation",
+ "unicode-width 0.2.0",
+ "utf8parse",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "ryu"
 version = "1.0.18"
@@ -4623,6 +4707,12 @@ version = "0.1.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af"
 
+[[package]]
+name = "unicode-width"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fc81956842c57dac11422a97c3b8195a1ff727f06e85c84ed2e8aa277c9a0fd"
+
 [[package]]
 name = "unicode-xid"
 version = "0.1.0"
diff --git a/policies/module-types/augeas/Cargo.toml b/policies/module-types/augeas/Cargo.toml
index 98360e5c67..c524c896f0 100644
--- a/policies/module-types/augeas/Cargo.toml
+++ b/policies/module-types/augeas/Cargo.toml
@@ -11,6 +11,7 @@ license.workspace = true
 [dependencies]
 anyhow = "1"
 bytesize = { version = "1.3.0" }
+gumdrop = "0.8.1"
 nom = "7"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
@@ -19,6 +20,7 @@ similar = "2.6.0"
 regex = "1.11.1"
 rudder_module_type = { path = "../../rudder-module-type" }
 raugeas = { git = "https://github.com/Normation/raugeas.git" }
+rustyline = "15"
 
 [dev-dependencies]
 rudder_commons_test = { path = "../../rudder-commons-test" }
diff --git a/policies/module-types/augeas/README.md b/policies/module-types/augeas/README.md
index d7c09eafa5..33ff4c3277 100644
--- a/policies/module-types/augeas/README.md
+++ b/policies/module-types/augeas/README.md
@@ -7,6 +7,8 @@ Augeas module type.
 This module provides a type to manage configuration files using Augeas.
 It uses the C API through Rust bindings.
 
+Provide an improved experience of Augeas.
+
 ## Usage
 
 There are different ways to use this module:
diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 7f00fa6d92..d7778278f2 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -8,6 +8,7 @@ use raugeas::{CommandsNumber, Flags, SaveMode};
 use rudder_module_type::{rudder_debug, CheckApplyResult, Outcome, PolicyMode};
 use std::borrow::Cow;
 use std::env;
+use std::fs::read_to_string;
 
 /// Augeas module implementation.
 ///
@@ -44,7 +45,7 @@ pub struct Augeas {}
 //       potential problems (e.g. commands).
 
 impl Augeas {
-    pub(crate) fn new() -> anyhow::Result<Self> {
+    pub fn new() -> anyhow::Result<Self> {
         // Cleanup the environment first to avoid any interference.
         //
         // SAFETY: Safe as the module is single threaded.
@@ -57,14 +58,17 @@ impl Augeas {
         Ok(Augeas {})
     }
 
-    pub(crate) fn handle_check_apply(
-        &self,
-        p: AugeasParameters,
-        policy_mode: PolicyMode,
-    ) -> CheckApplyResult {
+    pub fn new_aug(
+        root: Option<&str>,
+        context: Option<&str>,
+        path: Option<&str>,
+        load_paths: &str,
+        lens: Option<&str>,
+        type_check_lenses: bool,
+    ) -> anyhow::Result<raugeas::Augeas> {
         let mut flags = Flags::NONE;
 
-        if let Some(l) = p.lens.as_ref() {
+        if let Some(l) = lens {
             rudder_debug!("Using lens: {l}, skipping autoloading");
             flags.insert(Flags::NO_MODULE_AUTOLOAD);
         } else {
@@ -73,28 +77,45 @@ impl Augeas {
             flags.insert(Flags::NO_LOAD);
         }
 
-        if p.type_check_lenses {
+        if type_check_lenses {
             rudder_debug!("Type checking lenses");
             flags.insert(Flags::TYPE_CHECK);
         }
 
-        let root: Option<&str> = p.root.as_deref();
-        let mut aug = raugeas::Augeas::init(root, p.load_paths(), flags)?;
+        let root: Option<&str> = root;
+        // FIXME gneric load path
+        let mut aug = raugeas::Augeas::init(root, load_paths, flags)?;
 
         // Show version for debugging purposes.
         let version = aug.version()?;
         rudder_debug!("Augeas version: {}", version);
 
         // Set context if needed.
-        let context: Option<Cow<str>> = if let Some(c) = p.context.as_deref() {
+        let context: Option<Cow<str>> = if let Some(c) = context {
             Some(c.into())
         } else {
-            p.path.as_deref().map(|p| format!("files/{p}").into())
+            path.map(|p| format!("files/{p}").into())
         };
         if let Some(c) = &context {
             rudder_debug!("Setting context to: {c}");
             aug.set("/augeas/context", c.as_ref())?;
         }
+        Ok(aug)
+    }
+
+    pub(crate) fn handle_check_apply(
+        &self,
+        p: AugeasParameters,
+        policy_mode: PolicyMode,
+    ) -> CheckApplyResult {
+        let mut aug = Self::new_aug(
+            p.root.as_deref(),
+            p.context.as_deref(),
+            p.path.as_deref(),
+            &p.load_paths(),
+            p.lens.as_deref(),
+            p.type_check_lenses,
+        )?;
 
         //////////////////////////////////
         // Start with the special unsafe mode
@@ -161,6 +182,7 @@ impl Augeas {
             todo!()
         }
 
+        // Avoid writing if we are in audit mode.
         match policy_mode {
             PolicyMode::Enforce => {
                 aug.set_save_mode(SaveMode::Backup)?;
@@ -169,11 +191,15 @@ impl Augeas {
                 aug.set_save_mode(SaveMode::Noop)?;
             }
         }
-        aug.save()?;
 
-        let diff = diff("", "");
+        let src = read_to_string(&path)?;
+        let preview = aug.preview(path)?;
+
+        let diff = diff(&src, &preview.unwrap());
         rudder_debug!("Diff: {diff:?}");
 
+        aug.save()?;
+
         // Get information about changes
 
         // make backups
diff --git a/policies/module-types/augeas/src/bin/raugtool.rs b/policies/module-types/augeas/src/bin/raugtool.rs
new file mode 100644
index 0000000000..c9b4197941
--- /dev/null
+++ b/policies/module-types/augeas/src/bin/raugtool.rs
@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+//! Provides a REPL for the languages used by the module.
+//!
+//! It is designed to help users interactively develop and test their configurations.
+//! It is a companion to the `rudder-module-augeas` module type.
+
+use anyhow::Result;
+use gumdrop::Options;
+use rudder_module_augeas::augeas::Augeas;
+use rudder_module_augeas::dsl::repl;
+use rudder_module_type::cfengine::log::{set_max_level, LevelFilter};
+use std::env;
+
+#[derive(Debug, Options)]
+pub struct Cli {
+    #[options(help = "print help message")]
+    help: bool,
+    #[options(help = "be verbose")]
+    verbose: bool,
+    /// Prefix to add.
+    ///
+    /// By default,
+    ///
+    /// * If a `path` is passed, it is used as context
+    /// * If no `path` is passed, the context is empty.
+    context: Option<String>,
+    /// Output file path
+    // used as incl
+    path: Option<String>,
+    /// Augeas root
+    ///
+    /// The root of the filesystem to use for augeas.
+    ///
+    /// WARNING: Should not be used in most cases.
+    root: Option<String>,
+    /// Additional load paths for lenses.
+    ///
+    /// `/var/rudder/lib/lenses` is always added.
+    lens_paths: Vec<String>,
+    /// A lens to use.
+    ///
+    /// If not passed, all lenses are loaded, and the `path` is used
+    /// to detect the lens to use.
+    /// Passing a lens makes the call faster as it avoids having to
+    /// load all lenses.
+    lens: Option<String>,
+    /// Force augeas to type-check the lenses.
+    ///
+    /// This is slow and should only be used for debugging.
+    type_check_lenses: bool,
+}
+
+impl Cli {
+    pub fn run() -> Result<()> {
+        let opts = Self::parse_args_default_or_exit();
+        if opts.verbose {
+            println!("Parsed options: {:#?}", &opts);
+        }
+
+        let mut aug = Augeas::new_aug(
+            opts.root.as_deref(),
+            opts.context.as_deref(),
+            opts.path.as_deref(),
+            "",
+            None,
+            false,
+        )?;
+        repl::start(&mut aug)
+    }
+}
+
+fn main() -> Result<(), anyhow::Error> {
+    env::set_var("LC_ALL", "C");
+    // FIXME: allow changing the level display
+    set_max_level(LevelFilter::Trace);
+    Cli::run()
+}
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index da684aef4f..ec8d056ab0 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -13,6 +13,7 @@ use std::ops::Deref;
 pub mod changes;
 mod checks;
 pub mod comparator;
+pub mod repl;
 
 pub type Value<'a> = &'a str;
 pub type Sub<'a> = &'a str;
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
index 16c1efb2dd..7cafca6383 100644
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ b/policies/module-types/augeas/src/dsl/changes.rs
@@ -17,6 +17,10 @@ use rudder_module_type::rudder_debug;
 
 /// The ordered list of changes to apply.
 ///
+/// It is compatible with the augeas command line and srun syntax.
+/// The goal is to restrict the DSL to a subset of the augeas command line syntax
+/// to prevent the user from shooting themselves in the foot.
+///
 /// TODO: make it as close as possible to the augeas command line & srun syntax to ease
 ///       development and debugging.
 #[derive(Debug, PartialEq)]
@@ -29,7 +33,7 @@ impl<'a> Changes<'a> {
         let (_, changes) = changes(input)
             .finish()
             // We can't keep the verbose error as it contains references to the input.
-            .map_err(|e| anyhow!(format!("{:?}", e)))?;
+            .map_err(|e| anyhow!(format!("{}", e)))?;
         Ok(Changes { changes })
     }
 
diff --git a/policies/module-types/augeas/src/dsl/repl.rs b/policies/module-types/augeas/src/dsl/repl.rs
new file mode 100644
index 0000000000..812c50b228
--- /dev/null
+++ b/policies/module-types/augeas/src/dsl/repl.rs
@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+use crate::dsl::changes::Changes;
+use crate::{CRATE_NAME, CRATE_VERSION};
+use anyhow::{Context, Result};
+use raugeas::CommandsNumber;
+use rustyline::error::ReadlineError;
+
+/// Run a line of the DSL.
+///
+/// Returns `true` if the REPL should exit.
+fn run(aug: &mut raugeas::Augeas, line: &str) -> Result<bool> {
+    let try_changes = Changes::from_str(line);
+    match try_changes {
+        Ok(c) => {
+            c.run(aug)?;
+            Ok(false)
+        }
+        Err(_) => {
+            let (r, out) = aug.srun(line).context("Failed to run augeas command")?;
+            println!("{}", out.trim());
+            match r {
+                CommandsNumber::Quit => Ok(true),
+                CommandsNumber::Success(_) => Ok(false),
+            }
+        }
+    }
+}
+
+/// Start the `augtool`-like REPL.
+pub fn start(aug: &mut raugeas::Augeas) -> Result<()> {
+    let config = rustyline::Config::builder()
+        .auto_add_history(true)
+        .history_ignore_space(true)
+        .build();
+
+    let mut rl = rustyline::DefaultEditor::with_config(config)?;
+
+    println!("Rudder Augeas. Type 'quit' to leave.");
+    println!(
+        "{} {} (augeas: {})",
+        CRATE_NAME,
+        CRATE_VERSION,
+        aug.version()?
+    );
+
+    loop {
+        let readline = rl.readline("raugtool> ");
+        match readline {
+            Ok(l) => match l.trim() {
+                "" => continue,
+                line => {
+                    let res = run(aug, line);
+                    match res {
+                        Ok(true) => break,
+                        Ok(false) => (),
+                        Err(e) => {
+                            eprintln!("error: {:?}", e);
+                        }
+                    }
+                }
+            },
+            // Ctrl-D
+            Err(ReadlineError::Eof) => break,
+            // Ctrl-C
+            Err(ReadlineError::Interrupted) => break,
+            Err(e) => return Err(e.into()),
+        }
+    }
+    Ok(())
+}
diff --git a/policies/module-types/augeas/src/lib.rs b/policies/module-types/augeas/src/lib.rs
new file mode 100644
index 0000000000..d719aebe6e
--- /dev/null
+++ b/policies/module-types/augeas/src/lib.rs
@@ -0,0 +1,61 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+#![allow(dead_code)]
+pub mod augeas;
+pub mod dsl;
+mod parameters;
+mod report;
+
+use crate::parameters::AugeasParameters;
+use anyhow::bail;
+use augeas::Augeas;
+use rudder_module_type::{
+    parameters::Parameters, CheckApplyResult, ModuleType0, ModuleTypeMetadata, PolicyMode,
+    ValidateResult,
+};
+use serde_json::Value;
+use std::env;
+
+pub const RUDDER_LENS_LIB: &str = "/var/rudder/lib/lenses";
+
+pub const CRATE_NAME: &str = env!("CARGO_PKG_NAME");
+pub const CRATE_VERSION: &str = env!("CARGO_PKG_VERSION");
+
+impl ModuleType0 for Augeas {
+    fn metadata(&self) -> ModuleTypeMetadata {
+        let meta = include_str!("../rudder_module_type.yml");
+        let docs = include_str!("../README.md");
+        ModuleTypeMetadata::from_metadata(meta)
+            .expect("invalid metadata")
+            .documentation(docs)
+    }
+
+    fn validate(&self, parameters: &Parameters) -> ValidateResult {
+        // from_value does not allow zero-copy deserialization
+        let parameters: AugeasParameters =
+            serde_json::from_value(Value::Object(parameters.data.clone()))?;
+        parameters.validate(None)
+    }
+
+    fn check_apply(&mut self, mode: PolicyMode, parameters: &Parameters) -> CheckApplyResult {
+        let p: AugeasParameters = serde_json::from_value(Value::Object(parameters.data.clone()))?;
+        p.validate(Some(mode))?;
+
+        self.handle_check_apply(p, mode)
+
+        // FIXME : reporting structuré, sérialisé ici
+        //         also to be used tests!
+    }
+}
+
+pub fn entry() -> Result<(), anyhow::Error> {
+    env::set_var("LC_ALL", "C");
+
+    let promise_type = Augeas::new()?;
+    if rudder_module_type::cfengine::called_from_agent() {
+        rudder_module_type::run_module(promise_type)
+    } else {
+        bail!("This module is meant to be run from the agent, use `raugtool` instead");
+    }
+}
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index 4ef7cec36b..f3f61bdf9a 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -1,57 +1,20 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
-// SPDX-FileCopyrightText: 2024 Normation SAS
+// SPDX-FileCopyrightText: 2024 Normation SAS ;
 
-#![allow(dead_code)]
-mod augeas;
-mod dsl;
-mod parameters;
-mod report;
+use anyhow::Result;
 
-use crate::parameters::AugeasParameters;
-use anyhow::{bail, Result};
-use augeas::Augeas;
-use rudder_module_type::cfengine::called_from_agent;
-use rudder_module_type::{
-    parameters::Parameters, run_module, CheckApplyResult, ModuleType0, ModuleTypeMetadata,
-    PolicyMode, ValidateResult,
-};
-use serde_json::Value;
+// binaire raugtool ("rudder agent augeas" séparé ??
+// mode hybride augtool / rudder)
+// implémenter une commande pour le diff!
+// intercepter le help et le modifier!
 
-pub const RUDDER_LENS_LIB: &str = "/var/rudder/lib/lenses";
+// faire juste un reload du tree devrait virer les trucs en cours
+// on devrit pas avoir de pb avec les lens.
 
-impl ModuleType0 for Augeas {
-    fn metadata(&self) -> ModuleTypeMetadata {
-        let meta = include_str!("../rudder_module_type.yml");
-        let docs = include_str!("../README.md");
-        ModuleTypeMetadata::from_metadata(meta)
-            .expect("invalid metadata")
-            .documentation(docs)
-    }
-
-    fn validate(&self, parameters: &Parameters) -> ValidateResult {
-        // from_value does not allow zero-copy deserialization
-        let parameters: AugeasParameters =
-            serde_json::from_value(Value::Object(parameters.data.clone()))?;
-        parameters.validate(None)
-    }
-
-    fn check_apply(&mut self, mode: PolicyMode, parameters: &Parameters) -> CheckApplyResult {
-        let p: AugeasParameters = serde_json::from_value(Value::Object(parameters.data.clone()))?;
-        p.validate(Some(mode))?;
-
-        self.handle_check_apply(p, mode)
-
-        // FIXME : reporting structuré, sérialisé ici
-        //         also to be used tests!
-    }
-}
+// très important!
+// https://github.com/hercules-team/augeas/issues/68
+// https://github.com/dominikh/go-augeas/blob/master/augeas.go
 
 fn main() -> Result<(), anyhow::Error> {
-    let promise_type = Augeas::new()?;
-
-    if called_from_agent() {
-        run_module(promise_type)
-    } else {
-        bail!("Only agent mode is supported, use 'augtool' for manual testing")
-    }
+    rudder_module_augeas::entry()
 }
diff --git a/policies/module-types/augeas/src/report.rs b/policies/module-types/augeas/src/report.rs
index 4cec593e53..91344717d3 100644
--- a/policies/module-types/augeas/src/report.rs
+++ b/policies/module-types/augeas/src/report.rs
@@ -8,8 +8,11 @@
 use anyhow::Error;
 use rudder_module_type::Outcome;
 use similar::udiff::unified_diff;
-use similar::{Algorithm, TextDiff};
+use similar::Algorithm;
 
+/// Compute the unified diff between two strings.
+///
+/// TODO: Use structured diff?
 pub fn diff(a: &str, b: &str) -> String {
     unified_diff(Algorithm::Myers, a, b, 3, None)
 }
@@ -17,17 +20,17 @@ pub fn diff(a: &str, b: &str) -> String {
 /// Report a change in a file.
 ///
 /// We don't repeat the parameters.
-pub struct ChangeReport<'a> {
+pub struct ChangeReport {
     pub outcome: Outcome,
     /// The unified diff of the change.
     ///
     /// <https://www.gnu.org/software/diffutils/manual/html_node/Detailed-Unified.html>
-    pub diff: Option<TextDiff<'a, 'a, 'a, str>>,
+    pub diff: Option<String>,
     /// The error that occurred.
     pub error: Option<Error>,
 }
 
-impl ChangeReport<'_> {
+impl ChangeReport {
     pub fn new(outcome: Outcome) -> Self {
         Self {
             outcome,
diff --git a/policies/rudder-module-type/src/cfengine/log.rs b/policies/rudder-module-type/src/cfengine/log.rs
index b945d5e1f5..c85aa9e431 100644
--- a/policies/rudder-module-type/src/cfengine/log.rs
+++ b/policies/rudder-module-type/src/cfengine/log.rs
@@ -173,7 +173,7 @@ impl PartialOrd<LevelFilter> for Level {
 static MAX_LOG_LEVEL_FILTER: AtomicUsize = AtomicUsize::new(0);
 
 #[inline]
-pub(crate) fn set_max_level(level: LevelFilter) {
+pub fn set_max_level(level: LevelFilter) {
     MAX_LOG_LEVEL_FILTER.store(level as usize, Ordering::SeqCst)
 }
 

From c472530c9194cebd1af2101754f835176e2f4df9 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sun, 22 Dec 2024 17:39:39 +0100
Subject: [PATCH 14/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 .../module-types/augeas/src/bin/raugtool.rs     | 10 ++++++++++
 policies/module-types/augeas/src/main.rs        | 17 +++++++++++++++++
 policies/module-types/augeas/src/report.rs      |  6 ++++++
 3 files changed, 33 insertions(+)

diff --git a/policies/module-types/augeas/src/bin/raugtool.rs b/policies/module-types/augeas/src/bin/raugtool.rs
index c9b4197941..03ffde3597 100644
--- a/policies/module-types/augeas/src/bin/raugtool.rs
+++ b/policies/module-types/augeas/src/bin/raugtool.rs
@@ -38,6 +38,11 @@ pub struct Cli {
     /// Additional load paths for lenses.
     ///
     /// `/var/rudder/lib/lenses` is always added.
+    #[options(
+        short = "i",
+        long = "include",
+        help = "additional load paths for lenses"
+    )]
     lens_paths: Vec<String>,
     /// A lens to use.
     ///
@@ -49,6 +54,11 @@ pub struct Cli {
     /// Force augeas to type-check the lenses.
     ///
     /// This is slow and should only be used for debugging.
+    #[options(
+        short = "c",
+        long = "typecheck",
+        help = "force type checking of lenses"
+    )]
     type_check_lenses: bool,
 }
 
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index f3f61bdf9a..b7c15ea23d 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -3,11 +3,28 @@
 
 use anyhow::Result;
 
+// raugeas = augeas + audit
+
+// transofrmer un diff en conf augeas??
+
+// https://github.com/georgehansper/augprint.py
+// outil pour savoir comment écrire le set ??
+// ou pour prendre l'état d'un fichier ?
+
+// voir si les span peuvent ider à faire du debug/reporting
+
+// diff de valeur pour les audits TODO
+// rendre augeas bavard !
+
 // binaire raugtool ("rudder agent augeas" séparé ??
 // mode hybride augtool / rudder)
 // implémenter une commande pour le diff!
 // intercepter le help et le modifier!
 
+// change language?? is it really useful?
+// => oui, pur la gestion d'erreur plus fine et pouvoir dire
+// où ça a cassé, et autant que possible pourquoi.
+
 // faire juste un reload du tree devrait virer les trucs en cours
 // on devrit pas avoir de pb avec les lens.
 
diff --git a/policies/module-types/augeas/src/report.rs b/policies/module-types/augeas/src/report.rs
index 91344717d3..7b55a02c5b 100644
--- a/policies/module-types/augeas/src/report.rs
+++ b/policies/module-types/augeas/src/report.rs
@@ -17,6 +17,12 @@ pub fn diff(a: &str, b: &str) -> String {
     unified_diff(Algorithm::Myers, a, b, 3, None)
 }
 
+// diff de valeur d'audit expected vs constraint
+
+// diff de valeur sur les set ??
+
+// observabilité d'augeas !
+
 /// Report a change in a file.
 ///
 /// We don't repeat the parameters.

From d3870f5e9b2b24641d22da87cf5d375815d0b4bc Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sun, 22 Dec 2024 19:47:49 +0100
Subject: [PATCH 15/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089: Implement augeas
 module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    | 143 ++----
 .../module-types/augeas/src/bin/raugtool.rs   |  24 +-
 policies/module-types/augeas/src/dsl.rs       |   4 +-
 .../module-types/augeas/src/dsl/changes.rs    | 409 ------------------
 .../module-types/augeas/src/dsl/checks.rs     |  42 --
 .../module-types/augeas/src/dsl/comparator.rs |  17 +-
 .../module-types/augeas/src/dsl/parser.rs     | 315 ++++++++++++++
 policies/module-types/augeas/src/dsl/repl.rs  |  39 +-
 .../module-types/augeas/src/dsl/script.rs     | 240 ++++++++++
 .../module-types/augeas/src/parameters.rs     |  56 +--
 10 files changed, 640 insertions(+), 649 deletions(-)
 delete mode 100644 policies/module-types/augeas/src/dsl/changes.rs
 delete mode 100644 policies/module-types/augeas/src/dsl/checks.rs
 create mode 100644 policies/module-types/augeas/src/dsl/parser.rs
 create mode 100644 policies/module-types/augeas/src/dsl/script.rs

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index d7778278f2..f58a2d9347 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::changes::Changes;
+use crate::dsl::script::{Interpreter, InterpreterMode, Script};
 use crate::report::diff;
-use crate::AugeasParameters;
+use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use raugeas::{CommandsNumber, Flags, SaveMode};
-use rudder_module_type::{rudder_debug, CheckApplyResult, Outcome, PolicyMode};
+use rudder_module_type::{rudder_debug, rudder_error, CheckApplyResult, Outcome, PolicyMode};
 use std::borrow::Cow;
 use std::env;
 use std::fs::read_to_string;
@@ -15,10 +15,10 @@ use std::fs::read_to_string;
 /// NOTE: We only support UTF-8 paths and values. This is constrained by
 /// the usage of JSON in the API.
 ///
-/// We don't store the Augeas instance across runs.
+/// We store the Augeas instance across runs.
 ///
-/// We never load the tree. Reading the lenses takes time, but is quite convenient, so we offer
-/// the options.
+/// We never load the tree. Reading the lenses takes time, but is quite convenient, so we do it
+/// once.
 ///
 /// Below are some metrics for the different ways to run Augeas, based on `augtool` options:
 ///
@@ -39,10 +39,9 @@ use std::fs::read_to_string;
 ///     "augtool -L get /augeas/version"
 ///     "augtool get /augeas/version"
 /// ```
-pub struct Augeas {}
-
-// TODO: study allowing to store the instance and keeping it until we see
-//       potential problems (e.g. commands).
+pub struct Augeas {
+    aug: raugeas::Augeas,
+}
 
 impl Augeas {
     pub fn new() -> anyhow::Result<Self> {
@@ -55,100 +54,57 @@ impl Augeas {
             env::remove_var("AUGEAS_DEBUG");
         }
 
-        Ok(Augeas {})
+        let aug = Self::new_aug(
+            None, // Root is global in an agent context.
+            false,
+        )?;
+
+        Ok(Augeas { aug })
     }
 
-    pub fn new_aug(
-        root: Option<&str>,
-        context: Option<&str>,
-        path: Option<&str>,
-        load_paths: &str,
-        lens: Option<&str>,
-        type_check_lenses: bool,
-    ) -> anyhow::Result<raugeas::Augeas> {
+    pub fn new_aug(root: Option<&str>, type_check_lenses: bool) -> anyhow::Result<raugeas::Augeas> {
         let mut flags = Flags::NONE;
 
-        if let Some(l) = lens {
-            rudder_debug!("Using lens: {l}, skipping autoloading");
-            flags.insert(Flags::NO_MODULE_AUTOLOAD);
-        } else {
-            // We never want to load the whole tree.
-            rudder_debug!("Autoloading lenses");
-            flags.insert(Flags::NO_LOAD);
-        }
+        // We never want to load the whole tree, but we load the lenses once.
+        rudder_debug!("Autoloading lenses");
+        flags.insert(Flags::NO_LOAD);
 
         if type_check_lenses {
             rudder_debug!("Type checking lenses");
             flags.insert(Flags::TYPE_CHECK);
         }
 
-        let root: Option<&str> = root;
-        // FIXME gneric load path
-        let mut aug = raugeas::Augeas::init(root, load_paths, flags)?;
+        let aug = raugeas::Augeas::init(root, RUDDER_LENS_LIB, flags)?;
 
         // Show version for debugging purposes.
         let version = aug.version()?;
-        rudder_debug!("Augeas version: {}", version);
+        rudder_debug!("augeas version: {}", version);
 
-        // Set context if needed.
-        let context: Option<Cow<str>> = if let Some(c) = context {
-            Some(c.into())
-        } else {
-            path.map(|p| format!("files/{p}").into())
-        };
-        if let Some(c) = &context {
-            rudder_debug!("Setting context to: {c}");
-            aug.set("/augeas/context", c.as_ref())?;
-        }
         Ok(aug)
     }
 
     pub(crate) fn handle_check_apply(
-        &self,
+        &mut self,
         p: AugeasParameters,
         policy_mode: PolicyMode,
     ) -> CheckApplyResult {
-        let mut aug = Self::new_aug(
-            p.root.as_deref(),
-            p.context.as_deref(),
-            p.path.as_deref(),
-            &p.load_paths(),
-            p.lens.as_deref(),
-            p.type_check_lenses,
-        )?;
+        let aug = &mut self.aug;
 
-        //////////////////////////////////
-        // Start with the special unsafe mode
-        //////////////////////////////////
-
-        if !p.commands.is_empty() {
-            // Only allowed in "enforce" mode.
-            // Makes little sense for audit mode, and risks making changes.
-            // Already validated but make sure.
-            assert_eq!(policy_mode, PolicyMode::Enforce);
-
-            rudder_debug!("Running commands: {:?}", p.commands);
-            let (num, out) = aug.srun(&p.commands)?;
-            let summary = match num {
-                CommandsNumber::Success(n) => format!("{n} success"),
-                CommandsNumber::Quit => "has quit".to_string(),
-            };
-            rudder_debug!("{summary}, output: {out}");
-            return Ok(Outcome::repaired(summary));
+        // Set context if needed.
+        let context: Option<Cow<str>> = if let Some(c) = p.context.as_deref() {
+            Some(c.into())
+        } else {
+            p.path.as_deref().map(|p| format!("files/{p}").into())
+        };
+        if let Some(c) = &context {
+            rudder_debug!("Setting context to: {c}");
+            aug.set("/augeas/context", c.as_ref())?;
         }
 
-        //////////////////////////////////
-        // Now in "normal" mode:
-        //
-        // * We only work on one file.
-        // * We handle backups, diffs, precise reporting.
-        // * We guarantee that the policy mode is respected.
-        //////////////////////////////////
-
         let lens_opt = p.lens_name();
-
         let path = p.path.as_deref().unwrap().to_string();
 
+        // FIXME XFM
         if let Some(l) = lens_opt {
             // If we have a lens, we need to load it and load the file.
             aug.set(format!("/augeas/load/${l}/lens"), l.as_ref())?;
@@ -162,26 +118,23 @@ impl Augeas {
 
         // Do the changes before the checks.
 
-        let do_changes = if !p.change_if.is_empty() {
-            rudder_debug!("Running change conditions: {:?}", p.change_if);
-            // FIXME handle policy mode
-            todo!()
-        } else {
-            true
+        let mut interpreter = Interpreter::new(aug);
+
+        // FIXME: handle check only and check script_if
+        let do_changes = match interpreter.run(InterpreterMode::Check, &p.if_script) {
+            Ok(_) => true,
+            Err(e) => {
+                rudder_error!("Error in if_script: {e}");
+                false
+            }
         };
 
-        if do_changes && !p.changes.is_empty() {
-            rudder_debug!("Running changes: {:?}", p.changes);
-            let changes = Changes::from_str(&p.changes)?;
-            changes.run(&mut aug)?;
+        if do_changes {
+            rudder_debug!("Running script: {:?}", p.script);
+            interpreter.run(InterpreterMode::CheckApply, &p.script)?;
             // FIXME handle policy mode
         }
 
-        if !p.checks.is_empty() {
-            rudder_debug!("Running checks: {:?}", p.checks);
-            todo!()
-        }
-
         // Avoid writing if we are in audit mode.
         match policy_mode {
             PolicyMode::Enforce => {
@@ -213,16 +166,16 @@ mod tests {
     use std::fs::read_to_string;
     use tempfile::tempdir;
 
-    fn arguments(commands: String) -> AugeasParameters {
+    fn arguments(script: String) -> AugeasParameters {
         AugeasParameters {
-            commands,
+            script,
             ..Default::default()
         }
     }
 
     #[test]
     fn it_writes_file_from_commands() {
-        let augeas = Augeas::new().unwrap();
+        let mut augeas = Augeas::new().unwrap();
         let d = tempdir().unwrap().into_path();
         let f = d.join("test");
         let lens = "Simplelines";
diff --git a/policies/module-types/augeas/src/bin/raugtool.rs b/policies/module-types/augeas/src/bin/raugtool.rs
index 03ffde3597..146192f752 100644
--- a/policies/module-types/augeas/src/bin/raugtool.rs
+++ b/policies/module-types/augeas/src/bin/raugtool.rs
@@ -10,6 +10,8 @@ use anyhow::Result;
 use gumdrop::Options;
 use rudder_module_augeas::augeas::Augeas;
 use rudder_module_augeas::dsl::repl;
+use rudder_module_augeas::dsl::script::Interpreter;
+use rudder_module_augeas::{CRATE_NAME, CRATE_VERSION};
 use rudder_module_type::cfengine::log::{set_max_level, LevelFilter};
 use std::env;
 
@@ -69,15 +71,19 @@ impl Cli {
             println!("Parsed options: {:#?}", &opts);
         }
 
-        let mut aug = Augeas::new_aug(
-            opts.root.as_deref(),
-            opts.context.as_deref(),
-            opts.path.as_deref(),
-            "",
-            None,
-            false,
-        )?;
-        repl::start(&mut aug)
+        let mut aug = Augeas::new_aug(opts.root.as_deref(), opts.type_check_lenses)?;
+
+        // FIXME handle other parameters
+
+        println!("Rudder Augeas. Type 'quit' to leave.");
+        println!(
+            "{} {} (augeas: {})",
+            CRATE_NAME,
+            CRATE_VERSION,
+            aug.version()?
+        );
+        let mut interpreter = Interpreter::new(&mut aug);
+        repl::start(&mut interpreter)
     }
 }
 
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index ec8d056ab0..0c98cef545 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -10,10 +10,10 @@ use nom::IResult;
 use std::ffi::OsStr;
 use std::ops::Deref;
 
-pub mod changes;
-mod checks;
 pub mod comparator;
+mod parser;
 pub mod repl;
+pub mod script;
 
 pub type Value<'a> = &'a str;
 pub type Sub<'a> = &'a str;
diff --git a/policies/module-types/augeas/src/dsl/changes.rs b/policies/module-types/augeas/src/dsl/changes.rs
deleted file mode 100644
index 7cafca6383..0000000000
--- a/policies/module-types/augeas/src/dsl/changes.rs
+++ /dev/null
@@ -1,409 +0,0 @@
-// SPDX-License-Identifier: GPL-3.0-or-later
-// SPDX-FileCopyrightText: 2024 Normation SAS
-
-use nom::branch::alt;
-use nom::bytes::complete::tag;
-use nom::character::complete::{line_ending, multispace0, space0, space1};
-use nom::combinator::{eof, map_res, not, opt};
-use nom::multi::many0;
-use nom::{Finish, IResult};
-
-use crate::dsl;
-use crate::dsl::{AugPath, Sub, Value};
-use anyhow::{anyhow, Result};
-use nom::error::VerboseError;
-use raugeas::{Augeas, Position};
-use rudder_module_type::rudder_debug;
-
-/// The ordered list of changes to apply.
-///
-/// It is compatible with the augeas command line and srun syntax.
-/// The goal is to restrict the DSL to a subset of the augeas command line syntax
-/// to prevent the user from shooting themselves in the foot.
-///
-/// TODO: make it as close as possible to the augeas command line & srun syntax to ease
-///       development and debugging.
-#[derive(Debug, PartialEq)]
-pub struct Changes<'a> {
-    changes: Vec<Change<'a>>,
-}
-
-impl<'a> Changes<'a> {
-    pub fn from_str(input: &'a str) -> Result<Changes<'a>> {
-        let (_, changes) = changes(input)
-            .finish()
-            // We can't keep the verbose error as it contains references to the input.
-            .map_err(|e| anyhow!(format!("{}", e)))?;
-        Ok(Changes { changes })
-    }
-
-    pub fn run(&self, augeas: &mut Augeas) -> Result<()> {
-        rudder_debug!("Running {} changes", self.changes.len());
-        for change in &self.changes {
-            change.evaluate(augeas)?;
-        }
-        Ok(())
-    }
-}
-
-#[derive(Debug, PartialEq)]
-pub enum Change<'a> {
-    /// Sets the value VALUE at location PATH
-    Set(AugPath<'a>, Value<'a>),
-    /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
-    SetMultiple(AugPath<'a>, Sub<'a>, Value<'a>),
-    /// Removes the node at location PATH
-    Remove(AugPath<'a>),
-    /// Sets the node at PATH to NULL, creating it if needed
-    Clear(AugPath<'a>),
-    /// Sets multiple nodes (matching SUB relative to PATH) to NULL
-    ClearMultiple(AugPath<'a>, Sub<'a>),
-    /// Creates PATH with the value NULL if it does not exist
-    Touch(AugPath<'a>),
-    /// Inserts an empty node LABEL either before or after PATH.
-    Insert(Value<'a>, Position, AugPath<'a>),
-    /// Moves a node at PATH to the new location OTHER PATH
-    Move(AugPath<'a>, AugPath<'a>),
-    /// Rename a node at PATH to a new LABEL
-    Rename(AugPath<'a>, Value<'a>),
-    /// Sets Augeas variable $NAME to PATH
-    DefineVar(Value<'a>, AugPath<'a>),
-    /// Sets Augeas variable $NAME to PATH, creating it with VALUE if needed
-    DefineNode(Value<'a>, AugPath<'a>, Value<'a>),
-}
-
-impl<'a> Change<'a> {
-    fn evaluate(&self, augeas: &'a mut Augeas) -> Result<()> {
-        match self {
-            Change::Set(path, value) => augeas.set(path, value)?,
-            Change::SetMultiple(path, sub, value) => {
-                let n = augeas.setm(path, sub, value)?;
-                rudder_debug!("setm: modified {n} nodes");
-            }
-            Change::Remove(path) => {
-                let n = augeas.rm(path)?;
-                rudder_debug!("rm: removed {n} nodes");
-            }
-            Change::Clear(path) => augeas.clear(path)?,
-            Change::ClearMultiple(path, sub) => {
-                let n = augeas.clearm(path, sub)?;
-                rudder_debug!("clearm: cleared {n} nodes");
-            }
-            Change::Touch(path) => augeas.touch(path)?,
-            Change::Insert(label, position, path) => augeas.insert(path, label, *position)?,
-            Change::Move(path, other) => augeas.mv(path, other)?,
-            Change::Rename(path, label) => {
-                let n = augeas.rename(path, label)?;
-                rudder_debug!("rename: renamed {n} nodes");
-            }
-            Change::DefineVar(name, path) => augeas.defvar(name, path)?,
-            Change::DefineNode(name, path, value) => {
-                let created = augeas.defnode(name, path, value)?;
-                if created {
-                    rudder_debug!("defnode: 1 node was created");
-                } else {
-                    rudder_debug!("defnode: no nodes were created");
-                }
-            }
-        }
-        Ok(())
-    }
-}
-
-fn cmd_set(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("set")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, value) = dsl::arg(input)?;
-    Ok((input, Change::Set(path.into(), value)))
-}
-
-fn cmd_setm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("setm")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, sub) = dsl::arg(input)?;
-    let (input, value) = dsl::arg(input)?;
-    Ok((input, Change::SetMultiple(path.into(), sub, value)))
-}
-
-fn cmd_rm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = alt((tag("rm"), tag("remove")))(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    Ok((input, Change::Remove(path.into())))
-}
-
-fn cmd_clear(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("clear")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    Ok((input, Change::Clear(path.into())))
-}
-
-fn cmd_clearm(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("clearm")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, sub) = dsl::arg(input)?;
-    Ok((input, Change::ClearMultiple(path.into(), sub)))
-}
-
-fn cmd_touch(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("touch")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    Ok((input, Change::Touch(path.into())))
-}
-
-fn cmd_ins(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = alt((tag("ins"), tag("insert")))(input)?;
-    let (input, _) = space1(input)?;
-    let (input, label) = dsl::arg(input)?;
-    let (input, position) = map_res(dsl::arg, |p| p.parse())(input)?;
-    let (input, path) = dsl::arg(input)?;
-    Ok((input, Change::Insert(label, position, path.into())))
-}
-
-fn cmd_mv(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = alt((tag("mv"), tag("move")))(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, other) = dsl::arg(input)?;
-    Ok((input, Change::Move(path.into(), other.into())))
-}
-
-fn cmd_rename(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("rename")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, label) = dsl::arg(input)?;
-    Ok((input, Change::Rename(path.into(), label)))
-}
-
-fn cmd_defvar(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("defvar")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, name) = dsl::arg(input)?;
-    let (input, path) = dsl::arg(input)?;
-    Ok((input, Change::DefineVar(name, path.into())))
-}
-
-fn cmd_defnode(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    let (input, _) = tag("defnode")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, name) = dsl::arg(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, value) = dsl::arg(input)?;
-    Ok((input, Change::DefineNode(name, path.into(), value)))
-}
-
-/// Read a valid change.
-fn change(input: &str) -> IResult<&str, Change, VerboseError<&str>> {
-    alt((
-        cmd_set,
-        cmd_setm,
-        cmd_rm,
-        cmd_clear,
-        cmd_clearm,
-        cmd_touch,
-        cmd_ins,
-        cmd_mv,
-        cmd_rename,
-        cmd_defvar,
-        cmd_defnode,
-    ))(input)
-}
-
-fn line(input: &str) -> IResult<&str, Option<Change>, VerboseError<&str>> {
-    let (input, _) = not(eof)(input)?;
-    let (input, _) = space0(input)?;
-    let (input, _) = opt(dsl::comment)(input)?;
-    let (input, change) = opt(change)(input)?;
-    let (input, _) = space0(input)?;
-    let (input, _) = opt(dsl::comment)(input)?;
-    let (input, _) = opt(line_ending)(input)?;
-    Ok((input, change))
-}
-
-fn changes(input: &str) -> IResult<&str, Vec<Change>, VerboseError<&str>> {
-    // many0 -> allow empty changes (only comments, etc.)
-    let (input, changes) = many0(line)(input)?;
-    let changes = changes.into_iter().flatten().collect();
-    let (input, _) = multispace0(input)?;
-    let (input, _) = eof(input)?;
-    Ok((input, changes))
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_change_set() {
-        let input = "set /path/to/node value";
-        let expected = Change::Set("/path/to/node".into(), "value");
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_setm() {
-        let input = "setm /path/to/nodes subnode value";
-        let expected = Change::SetMultiple("/path/to/nodes".into(), "subnode", "value");
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_rm() {
-        let input = "rm /path/to/node";
-        let expected = Change::Remove("/path/to/node".into());
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_clear() {
-        let input = "clear /path/to/node";
-        let expected = Change::Clear("/path/to/node".into());
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_clearm() {
-        let input = "clearm /path/to/nodes subnode";
-        let expected = Change::ClearMultiple("/path/to/nodes".into(), "subnode");
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_touch() {
-        let input = "touch /path/to/node";
-        let expected = Change::Touch("/path/to/node".into());
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_ins() {
-        let input = "ins label before /path/to/node";
-        let expected = Change::Insert("label", Position::Before, "/path/to/node".into());
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_mv() {
-        let input = "mv /path/to/node /new/path";
-        let expected = Change::Move("/path/to/node".into(), "/new/path".into());
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_rename() {
-        let input = "rename /path/to/node new_label";
-        let expected = Change::Rename("/path/to/node".into(), "new_label");
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_defvar() {
-        let input = "defvar name /path/to/node";
-        let expected = Change::DefineVar("name", "/path/to/node".into());
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_change_defnode() {
-        let input = "defnode name /path/to/node value";
-        let expected = Change::DefineNode("name", "/path/to/node".into(), "value");
-        let result = change(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-
-    #[test]
-    fn test_empty_line() {
-        let input = "";
-        let result = line(input);
-        assert!(result.is_err());
-    }
-
-    #[test]
-    fn test_empty_line_break() {
-        let input = "\n";
-        let result = line(input).unwrap();
-        assert_eq!(result.1, None);
-    }
-
-    #[test]
-    fn test_empty_line_carriage_return() {
-        let input = "\r\n";
-        let result = line(input).unwrap();
-        assert_eq!(result.1, None);
-    }
-
-    #[test]
-    fn test_line() {
-        let input = "set /path/to/node value\n";
-        let expected = Change::Set("/path/to/node".into(), "value");
-        let result = line(input).unwrap();
-        assert_eq!(result.1, Some(expected));
-    }
-
-    #[test]
-    fn test_line_command_and_comment() {
-        let input = "set /path/to/node value # comment\n";
-        let expected = Change::Set("/path/to/node".into(), "value");
-        let result = line(input).unwrap();
-        assert_eq!(result.1, Some(expected));
-    }
-
-    #[test]
-    fn test_line_comment() {
-        let input = "# comment\n";
-        let result = line(input).unwrap();
-        assert_eq!(result.1, None);
-    }
-
-    #[test]
-    fn test_changes() {
-        let input = r#"
-            # This is a comment
-            set /path/to/node value
-            setm /path/to/nodes 'sub node' value
-            rm /path/to/node
-            # other comment
-
-            clear /path/to/node # another command
-            clearm /path/to/nodes "sub node"
-            touch /path/to/node
-
-            ins  label  before        /path/to/node
-            mv /path/to/node /new/path
-            rename /path/to/node new_label
-            defvar name /path/to/node
-            defnode name /path/to/node value
-        "#;
-        let expected = vec![
-            Change::Set("/path/to/node".into(), "value"),
-            Change::SetMultiple("/path/to/nodes".into(), "sub node", "value"),
-            Change::Remove("/path/to/node".into()),
-            Change::Clear("/path/to/node".into()),
-            Change::ClearMultiple("/path/to/nodes".into(), "sub node"),
-            Change::Touch("/path/to/node".into()),
-            Change::Insert("label", Position::Before, "/path/to/node".into()),
-            Change::Move("/path/to/node".into(), "/new/path".into()),
-            Change::Rename("/path/to/node".into(), "new_label"),
-            Change::DefineVar("name", "/path/to/node".into()),
-            Change::DefineNode("name", "/path/to/node".into(), "value"),
-        ];
-        let result = changes(input).unwrap();
-        assert_eq!(result.1, expected);
-    }
-}
diff --git a/policies/module-types/augeas/src/dsl/checks.rs b/policies/module-types/augeas/src/dsl/checks.rs
deleted file mode 100644
index e4a2501569..0000000000
--- a/policies/module-types/augeas/src/dsl/checks.rs
+++ /dev/null
@@ -1,42 +0,0 @@
-// SPDX-License-Identifier: GPL-3.0-or-later
-// SPDX-FileCopyrightText: 2024 Normation SAS
-
-use crate::dsl::comparator::{Comparison, NumComparator};
-use crate::dsl::AugPath;
-
-/*
-ifonly:
-    get <AUGEAS_PATH> <COMPARATOR> <STRING>
-    values <MATCH_PATH> include <STRING>
-    values <MATCH_PATH> not_include <STRING>
-    values <MATCH_PATH> == <AN_ARRAY>
-    values <MATCH_PATH> != <AN_ARRAY>
-    match <MATCH_PATH> size <COMPARATOR> <INT>
-    match <MATCH_PATH> include <STRING>
-    match <MATCH_PATH> not_include <STRING>
-    match <MATCH_PATH> == <AN_ARRAY>
-    match <MATCH_PATH> != <AN_ARRAY>
-
-where:
-    AUGEAS_PATH is a valid path scoped by the context
-    MATCH_PATH is a valid match syntax scoped by the context
-    COMPARATOR is one of >, >=, !=, ==, <=, or <
-                         ~ for regex match, !~ for regex not match
-    STRING is a string
-    INT is a number
-    AN_ARRAY is in the form ['a string', 'another']
-*/
-
-pub enum Check<'a> {
-    // Comparison contains both the typed value and the comparator
-    Get(AugPath<'a>, Comparison),
-    ValuesInclude(AugPath<'a>, &'a str),
-    ValuesNotInclude(AugPath<'a>, &'a str),
-    ValuesEqual(AugPath<'a>, Vec<&'a str>),
-    ValuesNotEqual(AugPath<'a>, Vec<&'a str>),
-    MatchSize(AugPath<'a>, NumComparator, usize),
-    MatchInclude(AugPath<'a>, String),
-    MatchNotInclude(AugPath<'a>, &'a str),
-    MatchEqual(AugPath<'a>, Vec<&'a str>),
-    MatchNotEqual(AugPath<'a>, Vec<&'a str>),
-}
diff --git a/policies/module-types/augeas/src/dsl/comparator.rs b/policies/module-types/augeas/src/dsl/comparator.rs
index 3d7b2d10a5..9985230e1e 100644
--- a/policies/module-types/augeas/src/dsl/comparator.rs
+++ b/policies/module-types/augeas/src/dsl/comparator.rs
@@ -9,7 +9,14 @@ use std::fmt::Debug;
 use std::num::{ParseFloatError, ParseIntError};
 use std::str::FromStr;
 
-#[derive(Debug, Clone)]
+// FIXME: add
+// - support for arrays
+// - support for IP ranges
+// - support for type validation (IP, int)
+// - password complexity checks
+// - compare str len
+
+#[derive(Debug, Clone, PartialEq)]
 pub enum NumComparator {
     /// Greater than.
     GreaterThan,
@@ -55,13 +62,13 @@ impl FromStr for NumComparator {
     }
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub struct NumericComparison {
     pub comparator: NumComparator,
     pub value: Number,
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub enum Comparison {
     Num(NumericComparison),
     Str(StrComparison),
@@ -143,13 +150,13 @@ impl NumericComparison {
     }
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub enum StrComparator {
     Equal,
     NotEqual,
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, Clone, PartialEq)]
 pub struct StrComparison {
     comparator: StrComparator,
     value: String,
diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
new file mode 100644
index 0000000000..8411220434
--- /dev/null
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -0,0 +1,315 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+use crate::dsl;
+use crate::dsl::script::Expression;
+use nom::branch::alt;
+use nom::bytes::complete::tag;
+use nom::character::complete::{line_ending, multispace0, space0, space1};
+use nom::combinator::{eof, map_res, not, opt};
+use nom::error::VerboseError;
+use nom::multi::many0;
+use nom::IResult;
+
+fn cmd_set(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("set")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, value) = dsl::arg(input)?;
+    Ok((input, Expression::Set(path.into(), value)))
+}
+
+fn cmd_setm(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("setm")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, sub) = dsl::arg(input)?;
+    let (input, value) = dsl::arg(input)?;
+    Ok((input, Expression::SetMultiple(path.into(), sub, value)))
+}
+
+fn cmd_rm(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = alt((tag("rm"), tag("remove")))(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Expression::Remove(path.into())))
+}
+
+fn cmd_clear(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("clear")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Expression::Clear(path.into())))
+}
+
+fn cmd_clearm(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("clearm")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, sub) = dsl::arg(input)?;
+    Ok((input, Expression::ClearMultiple(path.into(), sub)))
+}
+
+fn cmd_touch(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("touch")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Expression::Touch(path.into())))
+}
+
+fn cmd_ins(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = alt((tag("ins"), tag("insert")))(input)?;
+    let (input, _) = space1(input)?;
+    let (input, label) = dsl::arg(input)?;
+    let (input, position) = map_res(dsl::arg, |p| p.parse())(input)?;
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Expression::Insert(label, position, path.into())))
+}
+
+fn cmd_mv(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = alt((tag("mv"), tag("move")))(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, other) = dsl::arg(input)?;
+    Ok((input, Expression::Move(path.into(), other.into())))
+}
+
+fn cmd_rename(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("rename")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, label) = dsl::arg(input)?;
+    Ok((input, Expression::Rename(path.into(), label)))
+}
+
+fn cmd_defvar(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("defvar")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, name) = dsl::arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    Ok((input, Expression::DefineVar(name, path.into())))
+}
+
+fn cmd_defnode(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, _) = tag("defnode")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, name) = dsl::arg(input)?;
+    let (input, path) = dsl::arg(input)?;
+    let (input, value) = dsl::arg(input)?;
+    Ok((input, Expression::DefineNode(name, path.into(), value)))
+}
+
+/// Read a valid change.
+fn change(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    alt((
+        cmd_set,
+        cmd_setm,
+        cmd_rm,
+        cmd_clear,
+        cmd_clearm,
+        cmd_touch,
+        cmd_ins,
+        cmd_mv,
+        cmd_rename,
+        cmd_defvar,
+        cmd_defnode,
+    ))(input)
+}
+
+fn line(input: &str) -> IResult<&str, Option<Expression>, VerboseError<&str>> {
+    let (input, _) = not(eof)(input)?;
+    let (input, _) = space0(input)?;
+    let (input, _) = opt(dsl::comment)(input)?;
+    let (input, change) = opt(change)(input)?;
+    let (input, _) = space0(input)?;
+    let (input, _) = opt(dsl::comment)(input)?;
+    let (input, _) = opt(line_ending)(input)?;
+    Ok((input, change))
+}
+
+pub fn changes(input: &str) -> IResult<&str, Vec<Expression>, VerboseError<&str>> {
+    // many0 -> allow empty changes (only comments, etc.)
+    let (input, changes) = many0(line)(input)?;
+    let changes = changes.into_iter().flatten().collect();
+    let (input, _) = multispace0(input)?;
+    let (input, _) = eof(input)?;
+    Ok((input, changes))
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::dsl::parser::{change, changes, line};
+    use crate::dsl::script::*;
+    use raugeas::Position;
+
+    #[test]
+    fn test_change_set() {
+        let input = "set /path/to/node value";
+        let expected = Expression::Set("/path/to/node".into(), "value");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_setm() {
+        let input = "setm /path/to/nodes subnode value";
+        let expected = Expression::SetMultiple("/path/to/nodes".into(), "subnode", "value");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_rm() {
+        let input = "rm /path/to/node";
+        let expected = Expression::Remove("/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_clear() {
+        let input = "clear /path/to/node";
+        let expected = Expression::Clear("/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_clearm() {
+        let input = "clearm /path/to/nodes subnode";
+        let expected = Expression::ClearMultiple("/path/to/nodes".into(), "subnode");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_touch() {
+        let input = "touch /path/to/node";
+        let expected = Expression::Touch("/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_ins() {
+        let input = "ins label before /path/to/node";
+        let expected = Expression::Insert("label", Position::Before, "/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_mv() {
+        let input = "mv /path/to/node /new/path";
+        let expected = Expression::Move("/path/to/node".into(), "/new/path".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_rename() {
+        let input = "rename /path/to/node new_label";
+        let expected = Expression::Rename("/path/to/node".into(), "new_label");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_defvar() {
+        let input = "defvar name /path/to/node";
+        let expected = Expression::DefineVar("name", "/path/to/node".into());
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_change_defnode() {
+        let input = "defnode name /path/to/node value";
+        let expected = Expression::DefineNode("name", "/path/to/node".into(), "value");
+        let result = change(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    #[test]
+    fn test_empty_line() {
+        let input = "";
+        let result = line(input);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_empty_line_break() {
+        let input = "\n";
+        let result = line(input).unwrap();
+        assert_eq!(result.1, None);
+    }
+
+    #[test]
+    fn test_empty_line_carriage_return() {
+        let input = "\r\n";
+        let result = line(input).unwrap();
+        assert_eq!(result.1, None);
+    }
+
+    #[test]
+    fn test_line() {
+        let input = "set /path/to/node value\n";
+        let expected = Expression::Set("/path/to/node".into(), "value");
+        let result = line(input).unwrap();
+        assert_eq!(result.1, Some(expected));
+    }
+
+    #[test]
+    fn test_line_command_and_comment() {
+        let input = "set /path/to/node value # comment\n";
+        let expected = Expression::Set("/path/to/node".into(), "value");
+        let result = line(input).unwrap();
+        assert_eq!(result.1, Some(expected));
+    }
+
+    #[test]
+    fn test_line_comment() {
+        let input = "# comment\n";
+        let result = line(input).unwrap();
+        assert_eq!(result.1, None);
+    }
+
+    #[test]
+    fn test_script_parser() {
+        let input = r#"
+            # This is a comment
+            set /path/to/node value
+            setm /path/to/nodes 'sub node' value
+            rm /path/to/node
+            # other comment
+
+            clear /path/to/node # another command
+            clearm /path/to/nodes "sub node"
+            touch /path/to/node
+
+            ins  label  before        /path/to/node
+            mv /path/to/node /new/path
+            rename /path/to/node new_label
+            defvar name /path/to/node
+            defnode name /path/to/node value
+
+            quit
+        "#;
+        let expected = vec![
+            Expression::Set("/path/to/node".into(), "value"),
+            Expression::SetMultiple("/path/to/nodes".into(), "sub node", "value"),
+            Expression::Remove("/path/to/node".into()),
+            Expression::Clear("/path/to/node".into()),
+            Expression::ClearMultiple("/path/to/nodes".into(), "sub node"),
+            Expression::Touch("/path/to/node".into()),
+            Expression::Insert("label", Position::Before, "/path/to/node".into()),
+            Expression::Move("/path/to/node".into(), "/new/path".into()),
+            Expression::Rename("/path/to/node".into(), "new_label"),
+            Expression::DefineVar("name", "/path/to/node".into()),
+            Expression::DefineNode("name", "/path/to/node".into(), "value"),
+            Expression::Quit,
+        ];
+        let result = changes(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+}
diff --git a/policies/module-types/augeas/src/dsl/repl.rs b/policies/module-types/augeas/src/dsl/repl.rs
index 812c50b228..a4a7e8a47b 100644
--- a/policies/module-types/augeas/src/dsl/repl.rs
+++ b/policies/module-types/augeas/src/dsl/repl.rs
@@ -1,35 +1,12 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::changes::Changes;
-use crate::{CRATE_NAME, CRATE_VERSION};
-use anyhow::{Context, Result};
-use raugeas::CommandsNumber;
+use crate::dsl::script::{Interpreter, InterpreterMode};
+use anyhow::Result;
 use rustyline::error::ReadlineError;
 
-/// Run a line of the DSL.
-///
-/// Returns `true` if the REPL should exit.
-fn run(aug: &mut raugeas::Augeas, line: &str) -> Result<bool> {
-    let try_changes = Changes::from_str(line);
-    match try_changes {
-        Ok(c) => {
-            c.run(aug)?;
-            Ok(false)
-        }
-        Err(_) => {
-            let (r, out) = aug.srun(line).context("Failed to run augeas command")?;
-            println!("{}", out.trim());
-            match r {
-                CommandsNumber::Quit => Ok(true),
-                CommandsNumber::Success(_) => Ok(false),
-            }
-        }
-    }
-}
-
 /// Start the `augtool`-like REPL.
-pub fn start(aug: &mut raugeas::Augeas) -> Result<()> {
+pub fn start(interpreter: &mut Interpreter) -> Result<()> {
     let config = rustyline::Config::builder()
         .auto_add_history(true)
         .history_ignore_space(true)
@@ -37,21 +14,13 @@ pub fn start(aug: &mut raugeas::Augeas) -> Result<()> {
 
     let mut rl = rustyline::DefaultEditor::with_config(config)?;
 
-    println!("Rudder Augeas. Type 'quit' to leave.");
-    println!(
-        "{} {} (augeas: {})",
-        CRATE_NAME,
-        CRATE_VERSION,
-        aug.version()?
-    );
-
     loop {
         let readline = rl.readline("raugtool> ");
         match readline {
             Ok(l) => match l.trim() {
                 "" => continue,
                 line => {
-                    let res = run(aug, line);
+                    let res = interpreter.run(InterpreterMode::Unrestricted, line);
                     match res {
                         Ok(true) => break,
                         Ok(false) => (),
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
new file mode 100644
index 0000000000..089f181fc8
--- /dev/null
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -0,0 +1,240 @@
+// SPDX-License-Identifier: GPL-3.0-or-later
+// SPDX-FileCopyrightText: 2024 Normation SAS
+
+use nom::Finish;
+
+use crate::dsl::comparator::{Comparison, NumComparator};
+use crate::dsl::{parser, AugPath, Sub, Value};
+use anyhow::{anyhow, bail, Result};
+use raugeas::{Augeas, Position};
+use rudder_module_type::rudder_debug;
+
+/// The mode of the interpreter.
+///
+/// Different from policy mode, which only affects the save operation.
+/// Here we limit what the script can do based on the mode, to allow pure conditions.
+///
+/// The unrestricted mode is only available in the REPL.
+#[derive(Debug, PartialEq, Copy, Clone)]
+pub enum InterpreterMode {
+    /// Fail if running changes. Only check some assertions.
+    Check,
+    /// Check and apply the changes to the tree, but writing to the disk is impossible in the script.
+    CheckApply,
+    /// Anything goes. Full access to the tree and the system.
+    Unrestricted,
+}
+
+/// Interpreter for the extended Augeas DSL.
+pub struct Interpreter<'a> {
+    aug: &'a mut Augeas,
+}
+
+impl<'a> Interpreter<'a> {
+    pub fn new(aug: &'a mut Augeas) -> Self {
+        Self { aug }
+    }
+
+    pub fn run(&mut self, mode: InterpreterMode, script: &str) -> Result<bool> {
+        let script = Script::from_str(script)?;
+
+        rudder_debug!("Running {} changes", script.expressions.len());
+        for expr in &script.expressions {
+            if expr.expr_type() == ExprType::Write && mode == InterpreterMode::Check {
+                bail!("Cannot run an action ({:?}) in check mode", expr);
+            }
+            let quit = self.eval(expr)?;
+            if quit {
+                return Ok(true);
+            }
+        }
+        // FIXME handle write/save??
+        // Handle convergence/idempotency test
+        Ok(false)
+    }
+
+    fn eval(&mut self, expr: &Expression) -> Result<bool> {
+        match expr {
+            Expression::Set(path, value) => self.aug.set(path, value)?,
+            Expression::SetMultiple(path, sub, value) => {
+                let n = self.aug.setm(path, sub, value)?;
+                rudder_debug!("setm: modified {n} nodes");
+            }
+            Expression::Remove(path) => {
+                let n = self.aug.rm(path)?;
+                rudder_debug!("rm: removed {n} nodes");
+            }
+            Expression::Clear(path) => self.aug.clear(path)?,
+            Expression::ClearMultiple(path, sub) => {
+                let n = self.aug.clearm(path, sub)?;
+                rudder_debug!("clearm: cleared {n} nodes");
+            }
+            Expression::Touch(path) => self.aug.touch(path)?,
+            Expression::Insert(label, position, path) => self.aug.insert(path, label, *position)?,
+            Expression::Move(path, other) => self.aug.mv(path, other)?,
+            Expression::Copy(path, other) => self.aug.cp(path, other)?,
+            Expression::Rename(path, label) => {
+                let n = self.aug.rename(path, label)?;
+                rudder_debug!("rename: renamed {n} nodes");
+            }
+            Expression::DefineVar(name, path) => self.aug.defvar(name, path)?,
+            Expression::DefineNode(name, path, value) => {
+                let created = self.aug.defnode(name, path, value)?;
+                if created {
+                    rudder_debug!("defnode: 1 node was created");
+                } else {
+                    rudder_debug!("defnode: no nodes were created");
+                }
+            }
+            Expression::GenericAugeas(cmd) => {
+                let (num, out) = self.aug.srun(cmd)?;
+                let summary = match num {
+                    raugeas::CommandsNumber::Success(n) => format!("{n} success"),
+                    // FIXME: should be an error, no sense in this context.
+                    raugeas::CommandsNumber::Quit => "has quit".to_string(),
+                };
+                rudder_debug!("{summary}, output: {out}");
+            }
+            Expression::Save => self.aug.save()?,
+            Expression::Quit => return Ok(true),
+            _ => todo!(),
+        }
+        Ok(false)
+    }
+}
+
+/// The ordered list of changes to apply.
+///
+/// It is compatible with the augeas command line and srun syntax.
+/// The goal is to restrict the DSL to a subset of the augeas command line syntax
+/// to prevent the user from shooting themselves in the foot.
+///
+/// TODO: make it as close as possible to the augeas command line & srun syntax to ease
+///       development and debugging.
+#[derive(Debug, PartialEq)]
+pub struct Script<'a> {
+    expressions: Vec<Expression<'a>>,
+}
+
+impl<'a> Script<'a> {
+    pub fn from_str(input: &'a str) -> Result<Script<'a>> {
+        let (_, changes) = parser::changes(input)
+            .finish()
+            // We can't keep the verbose error as it contains references to the input.
+            .map_err(|e| anyhow!(format!("{}", e)))?;
+        Ok(Script {
+            expressions: changes,
+        })
+    }
+}
+
+#[derive(Debug, PartialEq)]
+pub enum Expression<'a> {
+    /// A generic augeas command, not parsed.
+    GenericAugeas(&'a str),
+    /// Sets the value VALUE at location PATH
+    Set(AugPath<'a>, Value<'a>),
+    /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
+    SetMultiple(AugPath<'a>, Sub<'a>, Value<'a>),
+    /// Removes the node at location PATH
+    Remove(AugPath<'a>),
+    /// Sets the node at PATH to NULL, creating it if needed
+    Clear(AugPath<'a>),
+    /// Sets multiple nodes (matching SUB relative to PATH) to NULL
+    ClearMultiple(AugPath<'a>, Sub<'a>),
+    /// Creates PATH with the value NULL if it does not exist
+    Touch(AugPath<'a>),
+    /// Inserts an empty node LABEL either before or after PATH.
+    Insert(Value<'a>, Position, AugPath<'a>),
+    /// Moves a node at PATH to the new location OTHER PATH
+    Move(AugPath<'a>, AugPath<'a>),
+    /// Copies a node at PATH to the new location OTHER PATH
+    Copy(AugPath<'a>, AugPath<'a>),
+    /// Rename a node at PATH to a new LABEL
+    Rename(AugPath<'a>, Value<'a>),
+    /// Sets Augeas variable $NAME to PATH
+    DefineVar(Value<'a>, AugPath<'a>),
+    /// Sets Augeas variable $NAME to PATH, creating it with VALUE if needed
+    DefineNode(Value<'a>, AugPath<'a>, Value<'a>),
+    // Comparison contains both the typed value and the comparator
+    Compare(AugPath<'a>, Comparison),
+    ValuesInclude(AugPath<'a>, &'a str),
+    ValuesNotInclude(AugPath<'a>, &'a str),
+    ValuesEqual(AugPath<'a>, Vec<&'a str>),
+    ValuesNotEqual(AugPath<'a>, Vec<&'a str>),
+    MatchSize(AugPath<'a>, NumComparator, usize),
+    MatchInclude(AugPath<'a>, String),
+    MatchNotInclude(AugPath<'a>, &'a str),
+    MatchEqual(AugPath<'a>, Vec<&'a str>),
+    MatchNotEqual(AugPath<'a>, Vec<&'a str>),
+    Save,
+    Quit,
+    Load,
+}
+
+/*
+ifonly:
+    get <AUGEAS_PATH> <COMPARATOR> <STRING>
+    values <MATCH_PATH> include <STRING>
+    values <MATCH_PATH> not_include <STRING>
+    values <MATCH_PATH> == <AN_ARRAY>
+    values <MATCH_PATH> != <AN_ARRAY>
+    match <MATCH_PATH> size <COMPARATOR> <INT>
+    match <MATCH_PATH> include <STRING>
+    match <MATCH_PATH> not_include <STRING>
+    match <MATCH_PATH> == <AN_ARRAY>
+    match <MATCH_PATH> != <AN_ARRAY>
+
+where:
+    AUGEAS_PATH is a valid path scoped by the context
+    MATCH_PATH is a valid match syntax scoped by the context
+    COMPARATOR is one of >, >=, !=, ==, <=, or <
+                         ~ for regex match, !~ for regex not match
+    STRING is a string
+    INT is a number
+    AN_ARRAY is in the form ['a string', 'another']
+*/
+
+#[derive(Debug, PartialEq)]
+enum ExprType {
+    /// Only reads the tree and return data.
+    Read,
+    /// Only reads the tree, but can fail.
+    Assert,
+    /// Changes the tree.
+    Write,
+    /// Changes the system from the tree (a.k.a. save)
+    Effect,
+}
+
+impl Expression<'_> {
+    fn expr_type(&self) -> ExprType {
+        match self {
+            Expression::GenericAugeas(..)
+            | Expression::DefineVar(..)
+            | Expression::DefineNode(..)
+            | Expression::Set(..)
+            | Expression::SetMultiple(..)
+            | Expression::Remove(..)
+            | Expression::Clear(..)
+            | Expression::ClearMultiple(..)
+            | Expression::Touch(..)
+            | Expression::Insert(..)
+            | Expression::Move(..)
+            | Expression::Copy(..)
+            | Expression::Load
+            | Expression::Rename(..) => ExprType::Write,
+            Expression::MatchEqual(..)
+            | Expression::MatchNotEqual(..)
+            | Expression::MatchInclude(..)
+            | Expression::MatchNotInclude(..)
+            | Expression::MatchSize(..)
+            | Expression::ValuesEqual(..)
+            | Expression::ValuesNotEqual(..)
+            | Expression::ValuesInclude(..)
+            | Expression::Compare(..)
+            | Expression::ValuesNotInclude(..) => ExprType::Assert,
+            Expression::Save | Expression::Quit => ExprType::Effect,
+        }
+    }
+}
diff --git a/policies/module-types/augeas/src/parameters.rs b/policies/module-types/augeas/src/parameters.rs
index 49fb2aa881..4e38377b27 100644
--- a/policies/module-types/augeas/src/parameters.rs
+++ b/policies/module-types/augeas/src/parameters.rs
@@ -10,23 +10,14 @@ use std::borrow::Cow;
 use std::iter;
 
 /// Parameters for the augeas module.
-///
-/// Only one of `commands`, `changes+path+(lens)` or `checks+path+(lens)` can be used.
 #[derive(Clone, Debug, PartialEq, Eq, Default, Serialize, Deserialize)]
 #[serde(rename_all = "snake_case")]
 #[serde_inline_default]
 pub struct AugeasParameters {
-    /// Raw commands to run.
-    ///
-    /// Should be used with care, as it can lead to override any configuration, including
-    /// making changes in audit mode.
-    pub commands: String,
-    pub changes: String,
-    // changes
-    // same syntax as only if?
-    pub checks: String,
+    /// Expressions to run
+    pub script: String,
     // only_if
-    pub change_if: String,
+    pub if_script: String,
     /// Prefix to add.
     ///
     /// By default,
@@ -63,11 +54,6 @@ pub struct AugeasParameters {
     /// load all lenses.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub lens: Option<String>,
-    /// Force augeas to type-check the lenses.
-    ///
-    /// This is slow and should only be used for debugging.
-    #[serde_inline_default(false)]
-    pub type_check_lenses: bool,
 }
 
 impl AugeasParameters {
@@ -104,41 +90,7 @@ impl AugeasParameters {
     }
 
     /// Validate the parameters.
-    ///
-    /// Enforce consistency between the different fields, as this module
-    /// provides a lot of flexibility, with different operating modes.
-    pub fn validate(&self, policy_mode: Option<PolicyMode>) -> Result<()> {
-        if !self.commands.is_empty() {
-            if let Some(p) = policy_mode {
-                if p != PolicyMode::Enforce {
-                    return Err(anyhow!("`commands` can only be used in enforce mode"));
-                }
-            }
-
-            if !self.changes.is_empty() {
-                return Err(anyhow!("Cannot use both `commands` and `changes`"));
-            }
-            if !self.checks.is_empty() {
-                return Err(anyhow!("Cannot use both `commands` and `checks`"));
-            }
-            if self.path.is_some() {
-                return Err(anyhow!("Cannot use both `commands` and `path`"));
-            }
-            if self.lens.is_some() {
-                return Err(anyhow!("Cannot use both `commands` and `lens`"));
-            }
-        }
-
-        if self.changes.is_empty() && self.checks.is_empty() {
-            return Err(anyhow!(
-                "At least one of `changes` or `checks` must be used"
-            ));
-        }
-
-        if self.path.is_none() {
-            return Err(anyhow!("`path` is required when not in `commands` mode"));
-        }
-
+    pub fn validate(&self, _policy_mode: Option<PolicyMode>) -> Result<()> {
         Ok(())
     }
 }

From a87d8017d6f69e9d488cc9ecd1b129cde9009012 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sun, 22 Dec 2024 23:56:06 +0100
Subject: [PATCH 16/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089: Implement
 augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    |  77 ++++---
 policies/module-types/augeas/src/dsl.rs       |  33 +--
 .../module-types/augeas/src/dsl/parser.rs     | 206 +++++++++++-------
 policies/module-types/augeas/src/dsl/repl.rs  |   2 +-
 .../module-types/augeas/src/dsl/script.rs     |  15 +-
 .../module-types/augeas/src/parameters.rs     |   2 +-
 6 files changed, 177 insertions(+), 158 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index f58a2d9347..493d535e80 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -1,11 +1,13 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{Interpreter, InterpreterMode, Script};
+use crate::dsl::script::{Interpreter, InterpreterMode};
 use crate::report::diff;
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
-use raugeas::{CommandsNumber, Flags, SaveMode};
-use rudder_module_type::{rudder_debug, rudder_error, CheckApplyResult, Outcome, PolicyMode};
+use raugeas::{Flags, SaveMode};
+use rudder_module_type::{
+    rudder_debug, rudder_error, rudder_info, CheckApplyResult, Outcome, PolicyMode,
+};
 use std::borrow::Cow;
 use std::env;
 use std::fs::read_to_string;
@@ -101,19 +103,17 @@ impl Augeas {
             aug.set("/augeas/context", c.as_ref())?;
         }
 
-        let lens_opt = p.lens_name();
-        let path = p.path.as_deref().unwrap().to_string();
-
-        // FIXME XFM
-        if let Some(l) = lens_opt {
-            // If we have a lens, we need to load it and load the file.
-            aug.set(format!("/augeas/load/${l}/lens"), l.as_ref())?;
-            aug.set(format!("/augeas/load/${l}/incl"), &path)?;
-            aug.load()?;
-        } else {
-            // Else load it with the detected lens.
-            // FIXME handle errors.
-            aug.load_file(&path)?;
+        match (p.lens.as_deref(), p.path.as_deref()) {
+            (Some(l), Some(p)) => {
+                rudder_debug!("Using lens: {l}");
+                aug.transform(l, p, false)?;
+                aug.load()?;
+            }
+            (None, Some(p)) => {
+                rudder_debug!("Detecting lens for path: {p}");
+                aug.load_file(p)?;
+            }
+            _ => (),
         }
 
         // Do the changes before the checks.
@@ -121,18 +121,16 @@ impl Augeas {
         let mut interpreter = Interpreter::new(aug);
 
         // FIXME: handle check only and check script_if
-        let do_changes = match interpreter.run(InterpreterMode::Check, &p.if_script) {
+        let do_script = match interpreter.run(InterpreterMode::ReadTree, &p.if_script) {
             Ok(_) => true,
             Err(e) => {
                 rudder_error!("Error in if_script: {e}");
                 false
             }
         };
-
-        if do_changes {
+        if do_script {
             rudder_debug!("Running script: {:?}", p.script);
-            interpreter.run(InterpreterMode::CheckApply, &p.script)?;
-            // FIXME handle policy mode
+            interpreter.run(InterpreterMode::WriteTree, &p.script)?;
         }
 
         // Avoid writing if we are in audit mode.
@@ -145,30 +143,42 @@ impl Augeas {
             }
         }
 
-        let src = read_to_string(&path)?;
-        let preview = aug.preview(path)?;
+        if let Some(path) = p.path.as_deref() {
+            let src = read_to_string(path)?;
+            let preview = aug.preview(path)?;
 
-        let diff = diff(&src, &preview.unwrap());
-        rudder_debug!("Diff: {diff:?}");
+            let diff = diff(&src, &preview.unwrap());
+
+            if p.show_diff {
+                rudder_info!("Diff: {diff:?}");
+            }
+        }
 
         aug.save()?;
 
-        // Get information about changes
+        // FIXME reload in case the tree is not clean
 
+        // Ensure `files` are clean before next call.
+        aug.load()?;
+
+        // Get information about changes
         // make backups
-        todo!()
+        Ok(Outcome::Repaired("5 success".to_string()))
     }
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
+    use rudder_module_type::Outcome;
     use std::fs::read_to_string;
     use tempfile::tempdir;
 
-    fn arguments(script: String) -> AugeasParameters {
+    fn arguments(script: String, path: Option<String>, lens: Option<String>) -> AugeasParameters {
         AugeasParameters {
             script,
+            path,
+            lens,
             ..Default::default()
         }
     }
@@ -183,14 +193,9 @@ mod tests {
         let r = augeas
             .handle_check_apply(
                 arguments(
-                    [
-                        format!("set /augeas/load/${lens}/lens \"{lens}.lns\""),
-                        format!("set /augeas/load/${lens}/incl \"{}\"", f.display()),
-                        "load".to_string(),
-                        format!("set /files{}/0 \"hello world\"", f.display()),
-                        "save".to_string(),
-                    ]
-                    .join("\n"),
+                    format!("set /files{}/0 \"hello world\"", f.display()),
+                    Some(f.display().to_string()),
+                    Some(lens.to_string()),
                 ),
                 PolicyMode::Enforce,
             )
diff --git a/policies/module-types/augeas/src/dsl.rs b/policies/module-types/augeas/src/dsl.rs
index 0c98cef545..f573370283 100644
--- a/policies/module-types/augeas/src/dsl.rs
+++ b/policies/module-types/augeas/src/dsl.rs
@@ -1,12 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use nom::branch::alt;
-use nom::bytes::complete::{is_not, tag};
-use nom::character::complete::{char, not_line_ending, space0};
-use nom::error::VerboseError;
-use nom::sequence::delimited;
-use nom::IResult;
 use std::ffi::OsStr;
 use std::ops::Deref;
 
@@ -54,34 +48,9 @@ impl AugPath<'_> {
     }
 }
 
-/// Read a comment.
-///
-/// A comment starts with a `#` and ends with a newline.
-fn comment(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
-    let (input, _) = tag("#")(input)?;
-    let (input, comment) = not_line_ending(input)?;
-    Ok((input, comment))
-}
-
-/// Read a path or a value.
-///
-/// It can contain spaces, in which case it must be quoted.
-fn arg(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
-    let (input, _) = space0(input)?;
-    // either a quoted string or an unquoted string
-    let (input, arg) = alt((
-        // FIXME cleanup eol & delimiters
-        delimited(char('"'), is_not("\"\r\n"), char('"')),
-        delimited(char('\''), is_not("'\r\n"), char('\'')),
-        is_not("\"' \t\r\n"),
-    ))(input)?;
-    Ok((input, arg))
-}
-
 #[cfg(test)]
 mod tests {
-    use super::*;
-
+    use crate::dsl::parser::{arg, comment};
     #[test]
     fn test_comment() {
         let input = "# This is a comment";
diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
index 8411220434..f2d09d20af 100644
--- a/policies/module-types/augeas/src/dsl/parser.rs
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -1,133 +1,163 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl;
 use crate::dsl::script::Expression;
 use nom::branch::alt;
-use nom::bytes::complete::tag;
-use nom::character::complete::{line_ending, multispace0, space0, space1};
+use nom::bytes::complete::{is_not, tag};
+use nom::character::complete::{
+    alpha1, char, line_ending, multispace0, not_line_ending, space0, space1,
+};
 use nom::combinator::{eof, map_res, not, opt};
 use nom::error::VerboseError;
-use nom::multi::many0;
+use nom::multi::{many0, separated_list0};
+use nom::sequence::delimited;
 use nom::IResult;
 
-fn cmd_set(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("set")(input)?;
+/// Read a comment.
+///
+/// A comment starts with a `#` and ends with a newline.
+pub fn comment(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, _) = tag("#")(input)?;
+    let (input, comment) = not_line_ending(input)?;
+    Ok((input, comment))
+}
+
+/// Read an array of arguments.
+pub fn arg_array(input: &str) -> IResult<&str, Vec<&str>, VerboseError<&str>> {
+    let (input, _) = space0(input)?;
+    let (input, _) = char('[')(input)?;
+    let (input, args) = separated_list0(delimited(space0, char(','), space0), arg)(input)?;
+    let (input, _) = space0(input)?;
+    let (input, _) = char(']')(input)?;
+    Ok((input, args))
+}
+
+/// Read a path or a value.
+///
+/// It can contain spaces, in which case it must be quoted.
+pub fn arg(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, _) = space0(input)?;
+    // either a quoted string or an unquoted string
+    let (input, arg) = alt((
+        // FIXME cleanup eol & delimiters
+        delimited(char('"'), is_not("\"\r\n"), char('"')),
+        delimited(char('\''), is_not("'\r\n"), char('\'')),
+        is_not("\"' \t\r\n"),
+    ))(input)?;
+    Ok((input, arg))
+}
+
+fn cmd(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
+    let (input, cmd) = alpha1(input)?;
     let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, value) = dsl::arg(input)?;
+    Ok((input, cmd))
+}
+
+fn cmd_set(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, path) = arg(input)?;
+    let (input, value) = arg(input)?;
     Ok((input, Expression::Set(path.into(), value)))
 }
 
 fn cmd_setm(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("setm")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, sub) = dsl::arg(input)?;
-    let (input, value) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
+    let (input, sub) = arg(input)?;
+    let (input, value) = arg(input)?;
     Ok((input, Expression::SetMultiple(path.into(), sub, value)))
 }
 
 fn cmd_rm(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = alt((tag("rm"), tag("remove")))(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
     Ok((input, Expression::Remove(path.into())))
 }
 
 fn cmd_clear(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("clear")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
     Ok((input, Expression::Clear(path.into())))
 }
 
 fn cmd_clearm(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("clearm")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, sub) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
+    let (input, sub) = arg(input)?;
     Ok((input, Expression::ClearMultiple(path.into(), sub)))
 }
 
 fn cmd_touch(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("touch")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
     Ok((input, Expression::Touch(path.into())))
 }
 
 fn cmd_ins(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = alt((tag("ins"), tag("insert")))(input)?;
-    let (input, _) = space1(input)?;
-    let (input, label) = dsl::arg(input)?;
-    let (input, position) = map_res(dsl::arg, |p| p.parse())(input)?;
-    let (input, path) = dsl::arg(input)?;
+    let (input, label) = arg(input)?;
+    let (input, position) = map_res(arg, |p| p.parse())(input)?;
+    let (input, path) = arg(input)?;
     Ok((input, Expression::Insert(label, position, path.into())))
 }
 
 fn cmd_mv(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = alt((tag("mv"), tag("move")))(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, other) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
+    let (input, other) = arg(input)?;
     Ok((input, Expression::Move(path.into(), other.into())))
 }
 
 fn cmd_rename(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("rename")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, label) = dsl::arg(input)?;
+    let (input, path) = arg(input)?;
+    let (input, label) = arg(input)?;
     Ok((input, Expression::Rename(path.into(), label)))
 }
 
 fn cmd_defvar(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("defvar")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, name) = dsl::arg(input)?;
-    let (input, path) = dsl::arg(input)?;
+    let (input, name) = arg(input)?;
+    let (input, path) = arg(input)?;
     Ok((input, Expression::DefineVar(name, path.into())))
 }
 
 fn cmd_defnode(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    let (input, _) = tag("defnode")(input)?;
-    let (input, _) = space1(input)?;
-    let (input, name) = dsl::arg(input)?;
-    let (input, path) = dsl::arg(input)?;
-    let (input, value) = dsl::arg(input)?;
+    let (input, name) = arg(input)?;
+    let (input, path) = arg(input)?;
+    let (input, value) = arg(input)?;
     Ok((input, Expression::DefineNode(name, path.into(), value)))
 }
 
+fn cmd_generic(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, cmd) = not_line_ending(input)?;
+    Ok((input, Expression::GenericAugeas(cmd)))
+}
+
 /// Read a valid change.
-fn change(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
-    alt((
-        cmd_set,
-        cmd_setm,
-        cmd_rm,
-        cmd_clear,
-        cmd_clearm,
-        cmd_touch,
-        cmd_ins,
-        cmd_mv,
-        cmd_rename,
-        cmd_defvar,
-        cmd_defnode,
-    ))(input)
+fn expression(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (i, c) = cmd(input)?;
+    match c {
+        "set" => cmd_set(i),
+        "setm" => cmd_setm(i),
+        "rm" | "remove" => cmd_rm(i),
+        "clear" => cmd_clear(i),
+        "clearm" => cmd_clearm(i),
+        "touch" => cmd_touch(i),
+        "ins" | "insert" => cmd_ins(i),
+        "mv" | "move" => cmd_mv(i),
+        "rename" => cmd_rename(i),
+        "defvar" => cmd_defvar(i),
+        "defnode" => cmd_defnode(i),
+        "save" => Ok((i, Expression::Save)),
+        "quit" => Ok((i, Expression::Quit)),
+        "load" => Ok((i, Expression::Load)),
+        _ => cmd_generic(input),
+    }
 }
 
 fn line(input: &str) -> IResult<&str, Option<Expression>, VerboseError<&str>> {
     let (input, _) = not(eof)(input)?;
     let (input, _) = space0(input)?;
-    let (input, _) = opt(dsl::comment)(input)?;
-    let (input, change) = opt(change)(input)?;
+    let (input, _) = opt(comment)(input)?;
+    let (input, e) = opt(expression)(input)?;
     let (input, _) = space0(input)?;
-    let (input, _) = opt(dsl::comment)(input)?;
+    let (input, _) = opt(comment)(input)?;
     let (input, _) = opt(line_ending)(input)?;
-    Ok((input, change))
+    Ok((input, e))
 }
 
-pub fn changes(input: &str) -> IResult<&str, Vec<Expression>, VerboseError<&str>> {
+pub fn script(input: &str) -> IResult<&str, Vec<Expression>, VerboseError<&str>> {
     // many0 -> allow empty changes (only comments, etc.)
     let (input, changes) = many0(line)(input)?;
     let changes = changes.into_iter().flatten().collect();
@@ -138,15 +168,29 @@ pub fn changes(input: &str) -> IResult<&str, Vec<Expression>, VerboseError<&str>
 
 #[cfg(test)]
 mod tests {
-    use crate::dsl::parser::{change, changes, line};
+    use crate::dsl::parser::{arg_array, expression, line, script};
     use crate::dsl::script::*;
     use raugeas::Position;
 
+    fn test_arg_array() {
+        let input = "[arg1, 'arg2', \"arg3\"]";
+        let expected = vec!["arg1", "arg2", "arg3"];
+        let result = arg_array(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
+    fn test_cmd_generic() {
+        let input = "generic command";
+        let expected = Expression::GenericAugeas("generic command".into());
+        let result = expression(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
     #[test]
     fn test_change_set() {
         let input = "set /path/to/node value";
         let expected = Expression::Set("/path/to/node".into(), "value");
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -154,7 +198,7 @@ mod tests {
     fn test_change_setm() {
         let input = "setm /path/to/nodes subnode value";
         let expected = Expression::SetMultiple("/path/to/nodes".into(), "subnode", "value");
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -162,7 +206,7 @@ mod tests {
     fn test_change_rm() {
         let input = "rm /path/to/node";
         let expected = Expression::Remove("/path/to/node".into());
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -170,7 +214,7 @@ mod tests {
     fn test_change_clear() {
         let input = "clear /path/to/node";
         let expected = Expression::Clear("/path/to/node".into());
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -178,7 +222,7 @@ mod tests {
     fn test_change_clearm() {
         let input = "clearm /path/to/nodes subnode";
         let expected = Expression::ClearMultiple("/path/to/nodes".into(), "subnode");
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -186,7 +230,7 @@ mod tests {
     fn test_change_touch() {
         let input = "touch /path/to/node";
         let expected = Expression::Touch("/path/to/node".into());
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -194,7 +238,7 @@ mod tests {
     fn test_change_ins() {
         let input = "ins label before /path/to/node";
         let expected = Expression::Insert("label", Position::Before, "/path/to/node".into());
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -202,7 +246,7 @@ mod tests {
     fn test_change_mv() {
         let input = "mv /path/to/node /new/path";
         let expected = Expression::Move("/path/to/node".into(), "/new/path".into());
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -210,7 +254,7 @@ mod tests {
     fn test_change_rename() {
         let input = "rename /path/to/node new_label";
         let expected = Expression::Rename("/path/to/node".into(), "new_label");
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -218,7 +262,7 @@ mod tests {
     fn test_change_defvar() {
         let input = "defvar name /path/to/node";
         let expected = Expression::DefineVar("name", "/path/to/node".into());
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -226,7 +270,7 @@ mod tests {
     fn test_change_defnode() {
         let input = "defnode name /path/to/node value";
         let expected = Expression::DefineNode("name", "/path/to/node".into(), "value");
-        let result = change(input).unwrap();
+        let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
 
@@ -293,7 +337,6 @@ mod tests {
             defvar name /path/to/node
             defnode name /path/to/node value
 
-            quit
         "#;
         let expected = vec![
             Expression::Set("/path/to/node".into(), "value"),
@@ -307,9 +350,8 @@ mod tests {
             Expression::Rename("/path/to/node".into(), "new_label"),
             Expression::DefineVar("name", "/path/to/node".into()),
             Expression::DefineNode("name", "/path/to/node".into(), "value"),
-            Expression::Quit,
         ];
-        let result = changes(input).unwrap();
+        let result = script(input).unwrap();
         assert_eq!(result.1, expected);
     }
 }
diff --git a/policies/module-types/augeas/src/dsl/repl.rs b/policies/module-types/augeas/src/dsl/repl.rs
index a4a7e8a47b..9443c72c13 100644
--- a/policies/module-types/augeas/src/dsl/repl.rs
+++ b/policies/module-types/augeas/src/dsl/repl.rs
@@ -20,7 +20,7 @@ pub fn start(interpreter: &mut Interpreter) -> Result<()> {
             Ok(l) => match l.trim() {
                 "" => continue,
                 line => {
-                    let res = interpreter.run(InterpreterMode::Unrestricted, line);
+                    let res = interpreter.run(InterpreterMode::WriteSystem, line);
                     match res {
                         Ok(true) => break,
                         Ok(false) => (),
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index 089f181fc8..bffaf87b9c 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -17,12 +17,12 @@ use rudder_module_type::rudder_debug;
 /// The unrestricted mode is only available in the REPL.
 #[derive(Debug, PartialEq, Copy, Clone)]
 pub enum InterpreterMode {
-    /// Fail if running changes. Only check some assertions.
-    Check,
+    /// Fail if running changes on the tree. Only check some assertions.
+    ReadTree,
     /// Check and apply the changes to the tree, but writing to the disk is impossible in the script.
-    CheckApply,
+    WriteTree,
     /// Anything goes. Full access to the tree and the system.
-    Unrestricted,
+    WriteSystem,
 }
 
 /// Interpreter for the extended Augeas DSL.
@@ -40,7 +40,7 @@ impl<'a> Interpreter<'a> {
 
         rudder_debug!("Running {} changes", script.expressions.len());
         for expr in &script.expressions {
-            if expr.expr_type() == ExprType::Write && mode == InterpreterMode::Check {
+            if expr.expr_type() == ExprType::Write && mode == InterpreterMode::ReadTree {
                 bail!("Cannot run an action ({:?}) in check mode", expr);
             }
             let quit = self.eval(expr)?;
@@ -118,7 +118,7 @@ pub struct Script<'a> {
 
 impl<'a> Script<'a> {
     pub fn from_str(input: &'a str) -> Result<Script<'a>> {
-        let (_, changes) = parser::changes(input)
+        let (_, changes) = parser::script(input)
             .finish()
             // We can't keep the verbose error as it contains references to the input.
             .map_err(|e| anyhow!(format!("{}", e)))?;
@@ -167,8 +167,11 @@ pub enum Expression<'a> {
     MatchNotInclude(AugPath<'a>, &'a str),
     MatchEqual(AugPath<'a>, Vec<&'a str>),
     MatchNotEqual(AugPath<'a>, Vec<&'a str>),
+    /// Save the changes to the tree.
     Save,
+    /// Quit the script.
     Quit,
+    /// (Re)load the tree.
     Load,
 }
 
diff --git a/policies/module-types/augeas/src/parameters.rs b/policies/module-types/augeas/src/parameters.rs
index 4e38377b27..6f02646678 100644
--- a/policies/module-types/augeas/src/parameters.rs
+++ b/policies/module-types/augeas/src/parameters.rs
@@ -2,7 +2,7 @@
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
 use crate::RUDDER_LENS_LIB;
-use anyhow::{anyhow, Result};
+use anyhow::Result;
 use rudder_module_type::PolicyMode;
 use serde::{Deserialize, Serialize};
 use serde_inline_default::serde_inline_default;

From 3957e13cafcfcc2cd8f6ec56ef94a38a11d6678c Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Mon, 23 Dec 2024 00:15:40 +0100
Subject: [PATCH 17/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089:
 Implement augeas module

Fixes #26089: Implement augeas module
---
 .../module-types/augeas/src/dsl/parser.rs     | 24 ++++++++++++++++++-
 .../module-types/augeas/src/dsl/script.rs     |  2 +-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
index f2d09d20af..ebd4d7fbd3 100644
--- a/policies/module-types/augeas/src/dsl/parser.rs
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -119,6 +119,20 @@ fn cmd_defnode(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
     Ok((input, Expression::DefineNode(name, path.into(), value)))
 }
 
+fn cmd_match_include(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, path) = arg(input)?;
+    let (input, _) = tag("include")(input)?;
+    let (input, value) = arg(input)?;
+    Ok((input, Expression::MatchInclude(path.into(), value)))
+}
+
+fn cmd_match_not_include(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, path) = arg(input)?;
+    let (input, _) = tag("not_include")(input)?;
+    let (input, value) = arg(input)?;
+    Ok((input, Expression::MatchInclude(path.into(), value)))
+}
+
 fn cmd_generic(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
     let (input, cmd) = not_line_ending(input)?;
     Ok((input, Expression::GenericAugeas(cmd)))
@@ -139,6 +153,7 @@ fn expression(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
         "rename" => cmd_rename(i),
         "defvar" => cmd_defvar(i),
         "defnode" => cmd_defnode(i),
+        "match" => alt((cmd_match_include, cmd_match_not_include))(i),
         "save" => Ok((i, Expression::Save)),
         "quit" => Ok((i, Expression::Quit)),
         "load" => Ok((i, Expression::Load)),
@@ -172,6 +187,13 @@ mod tests {
     use crate::dsl::script::*;
     use raugeas::Position;
 
+    fn test_match_include() {
+        let input = "match /files/etc include token";
+        let expected = Expression::MatchInclude("/files/etc".into(), "token");
+        let result = expression(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
     fn test_arg_array() {
         let input = "[arg1, 'arg2', \"arg3\"]";
         let expected = vec!["arg1", "arg2", "arg3"];
@@ -313,7 +335,7 @@ mod tests {
 
     #[test]
     fn test_line_comment() {
-        let input = "# comment\n";
+        let input = " comment\n";
         let result = line(input).unwrap();
         assert_eq!(result.1, None);
     }
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index bffaf87b9c..f5c62cd54e 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -163,7 +163,7 @@ pub enum Expression<'a> {
     ValuesEqual(AugPath<'a>, Vec<&'a str>),
     ValuesNotEqual(AugPath<'a>, Vec<&'a str>),
     MatchSize(AugPath<'a>, NumComparator, usize),
-    MatchInclude(AugPath<'a>, String),
+    MatchInclude(AugPath<'a>, &'a str),
     MatchNotInclude(AugPath<'a>, &'a str),
     MatchEqual(AugPath<'a>, Vec<&'a str>),
     MatchNotEqual(AugPath<'a>, Vec<&'a str>),

From 04491bb4584b352efccc0da596223674338fdbac Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Mon, 23 Dec 2024 01:44:48 +0100
Subject: [PATCH 18/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089:
 Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    |  6 ++--
 .../module-types/augeas/src/dsl/parser.rs     |  9 +++++-
 policies/module-types/augeas/src/dsl/repl.rs  |  4 +--
 .../module-types/augeas/src/dsl/script.rs     | 31 ++++++++++++++-----
 4 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 493d535e80..5056f5770d 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{Interpreter, InterpreterMode};
+use crate::dsl::script::{Interpreter, InterpreterPerms};
 use crate::report::diff;
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use raugeas::{Flags, SaveMode};
@@ -121,7 +121,7 @@ impl Augeas {
         let mut interpreter = Interpreter::new(aug);
 
         // FIXME: handle check only and check script_if
-        let do_script = match interpreter.run(InterpreterMode::ReadTree, &p.if_script) {
+        let do_script = match interpreter.run(InterpreterPerms::ReadTree, &p.if_script) {
             Ok(_) => true,
             Err(e) => {
                 rudder_error!("Error in if_script: {e}");
@@ -130,7 +130,7 @@ impl Augeas {
         };
         if do_script {
             rudder_debug!("Running script: {:?}", p.script);
-            interpreter.run(InterpreterMode::WriteTree, &p.script)?;
+            interpreter.run(InterpreterPerms::ReadWriteTree, &p.script)?;
         }
 
         // Avoid writing if we are in audit mode.
diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
index ebd4d7fbd3..db6beed6c8 100644
--- a/policies/module-types/augeas/src/dsl/parser.rs
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -194,6 +194,13 @@ mod tests {
         assert_eq!(result.1, expected);
     }
 
+    fn test_match_not_include() {
+        let input = "match /files/etc not_include token";
+        let expected = Expression::MatchNotInclude("/files/etc".into(), "token");
+        let result = expression(input).unwrap();
+        assert_eq!(result.1, expected);
+    }
+
     fn test_arg_array() {
         let input = "[arg1, 'arg2', \"arg3\"]";
         let expected = vec!["arg1", "arg2", "arg3"];
@@ -203,7 +210,7 @@ mod tests {
 
     fn test_cmd_generic() {
         let input = "generic command";
-        let expected = Expression::GenericAugeas("generic command".into());
+        let expected = Expression::GenericAugeas("generic command");
         let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
diff --git a/policies/module-types/augeas/src/dsl/repl.rs b/policies/module-types/augeas/src/dsl/repl.rs
index 9443c72c13..8e9aa8591e 100644
--- a/policies/module-types/augeas/src/dsl/repl.rs
+++ b/policies/module-types/augeas/src/dsl/repl.rs
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{Interpreter, InterpreterMode};
+use crate::dsl::script::{Interpreter, InterpreterPerms};
 use anyhow::Result;
 use rustyline::error::ReadlineError;
 
@@ -20,7 +20,7 @@ pub fn start(interpreter: &mut Interpreter) -> Result<()> {
             Ok(l) => match l.trim() {
                 "" => continue,
                 line => {
-                    let res = interpreter.run(InterpreterMode::WriteSystem, line);
+                    let res = interpreter.run(InterpreterPerms::ReadWriteSystem, line);
                     match res {
                         Ok(true) => break,
                         Ok(false) => (),
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index f5c62cd54e..62040d5941 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -16,13 +16,21 @@ use rudder_module_type::rudder_debug;
 ///
 /// The unrestricted mode is only available in the REPL.
 #[derive(Debug, PartialEq, Copy, Clone)]
-pub enum InterpreterMode {
+pub enum InterpreterPerms {
     /// Fail if running changes on the tree. Only check some assertions.
     ReadTree,
     /// Check and apply the changes to the tree, but writing to the disk is impossible in the script.
-    WriteTree,
+    ReadWriteTree,
     /// Anything goes. Full access to the tree and the system.
-    WriteSystem,
+    ReadWriteSystem,
+}
+
+/// When running a script containing several expressions,
+/// should the interpreter accumulate the results or fail early.
+#[derive(Debug, PartialEq, Copy, Clone)]
+pub enum ErrorMode {
+    FailEarly,
+    StackErrors,
 }
 
 /// Interpreter for the extended Augeas DSL.
@@ -35,12 +43,12 @@ impl<'a> Interpreter<'a> {
         Self { aug }
     }
 
-    pub fn run(&mut self, mode: InterpreterMode, script: &str) -> Result<bool> {
-        let script = Script::from_str(script)?;
+    pub fn run(&mut self, mode: InterpreterPerms, script: &str) -> Result<bool> {
+        let script = Script::from(script)?;
 
         rudder_debug!("Running {} changes", script.expressions.len());
         for expr in &script.expressions {
-            if expr.expr_type() == ExprType::Write && mode == InterpreterMode::ReadTree {
+            if expr.expr_type() == ExprType::Write && mode == InterpreterPerms::ReadTree {
                 bail!("Cannot run an action ({:?}) in check mode", expr);
             }
             let quit = self.eval(expr)?;
@@ -53,6 +61,9 @@ impl<'a> Interpreter<'a> {
         Ok(false)
     }
 
+    // FIXME : accumulate check errors in audit mode
+    //         BUT abort early in enforce....
+
     fn eval(&mut self, expr: &Expression) -> Result<bool> {
         match expr {
             Expression::Set(path, value) => self.aug.set(path, value)?,
@@ -86,6 +97,12 @@ impl<'a> Interpreter<'a> {
                     rudder_debug!("defnode: no nodes were created");
                 }
             }
+            Expression::MatchInclude(path, value) => {
+                let matches = self.aug.matches(path)?;
+                if !matches.iter().any(|v| v == value) {
+                    todo!()
+                }
+            }
             Expression::GenericAugeas(cmd) => {
                 let (num, out) = self.aug.srun(cmd)?;
                 let summary = match num {
@@ -117,7 +134,7 @@ pub struct Script<'a> {
 }
 
 impl<'a> Script<'a> {
-    pub fn from_str(input: &'a str) -> Result<Script<'a>> {
+    pub fn from(input: &'a str) -> Result<Script<'a>> {
         let (_, changes) = parser::script(input)
             .finish()
             // We can't keep the verbose error as it contains references to the input.

From 785e6414f1704851c1a24cb5d177f7bbdb8ce367 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Mon, 23 Dec 2024 17:00:47 +0100
Subject: [PATCH 19/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes
 #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 .../module-types/augeas/src/dsl/parser.rs     | 16 +++++++++++++-
 .../module-types/augeas/src/dsl/script.rs     | 22 ++++++++++++++++---
 policies/module-types/augeas/src/main.rs      |  4 ++++
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
index db6beed6c8..31d38ef7ff 100644
--- a/policies/module-types/augeas/src/dsl/parser.rs
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -130,7 +130,21 @@ fn cmd_match_not_include(input: &str) -> IResult<&str, Expression, VerboseError<
     let (input, path) = arg(input)?;
     let (input, _) = tag("not_include")(input)?;
     let (input, value) = arg(input)?;
-    Ok((input, Expression::MatchInclude(path.into(), value)))
+    Ok((input, Expression::MatchNotInclude(path.into(), value)))
+}
+
+fn cmd_match_equal(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, path) = arg(input)?;
+    let (input, _) = tag("==")(input)?;
+    let (input, value) = arg_array(input)?;
+    Ok((input, Expression::MatchEqual(path.into(), value)))
+}
+
+fn cmd_match_not_equal(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
+    let (input, path) = arg(input)?;
+    let (input, _) = tag("!=")(input)?;
+    let (input, value) = arg_array(input)?;
+    Ok((input, Expression::MatchNotEqual(path.into(), value)))
 }
 
 fn cmd_generic(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index 62040d5941..7091818fa5 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -103,6 +103,24 @@ impl<'a> Interpreter<'a> {
                     todo!()
                 }
             }
+            Expression::MatchNotInclude(path, value) => {
+                let matches = self.aug.matches(path)?;
+                if !matches.iter().any(|v| v == value) {
+                    todo!()
+                }
+            }
+            Expression::MatchEqual(path, value) => {
+                let matches = self.aug.matches(path)?;
+                if matches == *value {
+                    todo!()
+                }
+            }
+            Expression::MatchNotEqual(path, value) => {
+                let matches = self.aug.matches(path)?;
+                if matches != *value {
+                    todo!()
+                }
+            }
             Expression::GenericAugeas(cmd) => {
                 let (num, out) = self.aug.srun(cmd)?;
                 let summary = match num {
@@ -210,9 +228,7 @@ where:
     MATCH_PATH is a valid match syntax scoped by the context
     COMPARATOR is one of >, >=, !=, ==, <=, or <
                          ~ for regex match, !~ for regex not match
-    STRING is a string
-    INT is a number
-    AN_ARRAY is in the form ['a string', 'another']
+
 */
 
 #[derive(Debug, PartialEq)]
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index b7c15ea23d..30122e510e 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -7,6 +7,10 @@ use anyhow::Result;
 
 // transofrmer un diff en conf augeas??
 
+// vraie attention sur les perfs
+
+// Pas de modif des lens au runtime, il faut les placer dan sle rpeo magisue de l'agent.
+
 // https://github.com/georgehansper/augprint.py
 // outil pour savoir comment écrire le set ??
 // ou pour prendre l'état d'un fichier ?

From a4e02b94306a124ff14ab8012f4429996f32c30c Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 24 Dec 2024 14:07:23 +0100
Subject: [PATCH 20/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    |   8 +-
 policies/module-types/augeas/Cargo.toml       |   3 +-
 policies/module-types/augeas/src/augeas.rs    | 126 ++++++++++--------
 .../module-types/augeas/src/bin/raugtool.rs   |  13 +-
 policies/module-types/augeas/src/lib.rs       |   6 +-
 .../module-types/augeas/src/parameters.rs     |  89 +++----------
 6 files changed, 107 insertions(+), 138 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 800cf9490d..8879b3dcb7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3133,8 +3133,9 @@ dependencies = [
 
 [[package]]
 name = "raugeas"
-version = "0.2.2"
-source = "git+https://github.com/Normation/raugeas.git#a9e3bc7e13eecabf5494367d440aaa9ee2df5af0"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42af285eec9192e9882b0683c03de6128a99509c830e589de8e075e9f5990937"
 dependencies = [
  "bitflags 2.6.0",
  "libc",
@@ -3144,7 +3145,8 @@ dependencies = [
 [[package]]
 name = "raugeas_sys"
 version = "0.2.0"
-source = "git+https://github.com/Normation/raugeas.git#a9e3bc7e13eecabf5494367d440aaa9ee2df5af0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae9dc7ba072353d6dff50ade0ffc23a679c7f645ac0c21ae7edb7efa22f8a1f9"
 dependencies = [
  "bindgen 0.70.1",
  "pkg-config",
diff --git a/policies/module-types/augeas/Cargo.toml b/policies/module-types/augeas/Cargo.toml
index c524c896f0..a9959d4926 100644
--- a/policies/module-types/augeas/Cargo.toml
+++ b/policies/module-types/augeas/Cargo.toml
@@ -19,7 +19,8 @@ serde-inline-default = "0.2"
 similar = "2.6.0"
 regex = "1.11.1"
 rudder_module_type = { path = "../../rudder-module-type" }
-raugeas = { git = "https://github.com/Normation/raugeas.git" }
+#raugeas = { git = "https://github.com/Normation/raugeas.git" }
+raugeas = "0.3.0"
 rustyline = "15"
 
 [dev-dependencies]
diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 5056f5770d..f458c5bae0 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -4,6 +4,7 @@
 use crate::dsl::script::{Interpreter, InterpreterPerms};
 use crate::report::diff;
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
+use anyhow::bail;
 use raugeas::{Flags, SaveMode};
 use rudder_module_type::{
     rudder_debug, rudder_error, rudder_info, CheckApplyResult, Outcome, PolicyMode,
@@ -11,6 +12,7 @@ use rudder_module_type::{
 use std::borrow::Cow;
 use std::env;
 use std::fs::read_to_string;
+use std::path::Path;
 
 /// Augeas module implementation.
 ///
@@ -21,32 +23,16 @@ use std::fs::read_to_string;
 ///
 /// We never load the tree. Reading the lenses takes time, but is quite convenient, so we do it
 /// once.
-///
-/// Below are some metrics for the different ways to run Augeas, based on `augtool` options:
-///
-/// * `-L` is for skipping loading the tree.
-/// * `-A` is for skipping autoloading lenses (and hence the tree)
-///
-/// | Command | Mean \[ms\] | Min \[ms\] | Max \[ms\] | Relative |
-/// |:---|---:|---:|---:|---:|
-/// | `augtool -LA get /augeas/version` | 2.6 ± 0.5 | 1.6 | 4.6 | 1.00 |
-/// | `augtool -L get /augeas/version` | 209.5 ± 5.2 | 200.2 | 221.5 | 80.72 ± 15.16 |
-/// | `augtool get /augeas/version` | 663.0 ± 37.2 | 632.0 | 755.7 | 255.46 ± 49.69 |
-///
-/// Using:
-///
-/// ```shell
-/// hyperfine -N  --export-markdown augtool.md
-///     "augtool -LA get /augeas/version"
-///     "augtool -L get /augeas/version"
-///     "augtool get /augeas/version"
-/// ```
+//
 pub struct Augeas {
     aug: raugeas::Augeas,
 }
 
 impl Augeas {
-    pub fn new() -> anyhow::Result<Self> {
+    /// Additional load paths for lenses.
+    ///
+    /// `/var/rudder/lib/lenses` is always added.
+    pub fn new(root: Option<&Path>, load_paths: Vec<&Path>) -> anyhow::Result<Self> {
         // Cleanup the environment first to avoid any interference.
         //
         // SAFETY: Safe as the module is single threaded.
@@ -57,14 +43,18 @@ impl Augeas {
         }
 
         let aug = Self::new_aug(
-            None, // Root is global in an agent context.
-            false,
+            root, // Root is global in an agent context.
+            load_paths, false,
         )?;
 
         Ok(Augeas { aug })
     }
 
-    pub fn new_aug(root: Option<&str>, type_check_lenses: bool) -> anyhow::Result<raugeas::Augeas> {
+    pub fn new_aug<T: AsRef<Path>>(
+        root: Option<&Path>,
+        load_paths: Vec<T>,
+        type_check_lenses: bool,
+    ) -> anyhow::Result<raugeas::Augeas> {
         let mut flags = Flags::NONE;
 
         // We never want to load the whole tree, but we load the lenses once.
@@ -76,7 +66,13 @@ impl Augeas {
             flags.insert(Flags::TYPE_CHECK);
         }
 
-        let aug = raugeas::Augeas::init(root, RUDDER_LENS_LIB, flags)?;
+        // Load from the given paths plus the default one.
+        let load_paths = std::iter::once(RUDDER_LENS_LIB.into())
+            .chain(load_paths.iter().map(|p| p.as_ref().to_string_lossy()))
+            .collect::<Vec<Cow<str>>>()
+            .join(":");
+        rudder_debug!("Loading lenses from: {}", load_paths);
+        let aug = raugeas::Augeas::init(root, load_paths, flags)?;
 
         // Show version for debugging purposes.
         let version = aug.version()?;
@@ -92,40 +88,59 @@ impl Augeas {
     ) -> CheckApplyResult {
         let aug = &mut self.aug;
 
-        // Set context if needed.
-        let context: Option<Cow<str>> = if let Some(c) = p.context.as_deref() {
-            Some(c.into())
+        if p.path.exists() {
+            rudder_debug!("Target {} already exists", p.path.display());
         } else {
-            p.path.as_deref().map(|p| format!("files/{p}").into())
-        };
-        if let Some(c) = &context {
-            rudder_debug!("Setting context to: {c}");
-            aug.set("/augeas/context", c.as_ref())?;
+            rudder_debug!("Target {} does not exist", p.path.display());
+            if policy_mode == PolicyMode::Audit {
+                rudder_error!("Target {} does not exist", p.path.display());
+                // Short-circuit the check.
+                bail!("Audit target file '{}' does not exist", p.path.display());
+            } else {
+                rudder_debug!("Target {} does not exist", p.path.display());
+            }
         }
 
-        match (p.lens.as_deref(), p.path.as_deref()) {
-            (Some(l), Some(p)) => {
+        match p.lens.as_deref() {
+            Some(l) => {
                 rudder_debug!("Using lens: {l}");
-                aug.transform(l, p, false)?;
+                aug.transform(l, p.path.as_os_str(), false)?;
                 aug.load()?;
             }
-            (None, Some(p)) => {
-                rudder_debug!("Detecting lens for path: {p}");
-                aug.load_file(p)?;
+            None => {
+                rudder_debug!("Detecting lens for path: {}", p.path.display());
+                aug.load_file(p.path.as_os_str())?;
             }
-            _ => (),
         }
 
-        // Do the changes before the checks.
+        // We have loaded the target, let's check for parsing errors.
+        if let Some(e) = aug.tree_error(format!("/augeas/{}", p.path.display()))? {
+            bail!("Error loading target file '{}': {}", p.path.display(), e);
+            // TODO: some errors might not be fatal?
+        }
+
+        let context: Cow<str> = if let Some(c) = p.context.as_deref() {
+            c.into()
+        } else {
+            format!("files/{}", p.path.display()).into()
+        };
+        rudder_debug!("Setting context to: {context}");
+        aug.set("/augeas/context", context.as_ref())?;
 
         let mut interpreter = Interpreter::new(aug);
 
         // FIXME: handle check only and check script_if
-        let do_script = match interpreter.run(InterpreterPerms::ReadTree, &p.if_script) {
-            Ok(_) => true,
-            Err(e) => {
-                rudder_error!("Error in if_script: {e}");
-                false
+        let do_script = if p.if_script.trim().is_empty() {
+            // No condition, always run the script.
+            true
+        } else {
+            match interpreter.run(InterpreterPerms::ReadTree, &p.if_script) {
+                Ok(_) => true,
+                Err(e) => {
+                    // FIXME: make a difference between audit errors and other errors!
+                    rudder_error!("Error in if_script: {}", e);
+                    false
+                }
             }
         };
         if do_script {
@@ -143,15 +158,13 @@ impl Augeas {
             }
         }
 
-        if let Some(path) = p.path.as_deref() {
-            let src = read_to_string(path)?;
-            let preview = aug.preview(path)?;
+        let src = read_to_string(&p.path)?;
+        let preview = aug.preview(p.path)?;
 
-            let diff = diff(&src, &preview.unwrap());
+        let diff = diff(&src, &preview.unwrap());
 
-            if p.show_diff {
-                rudder_info!("Diff: {diff:?}");
-            }
+        if p.show_diff {
+            rudder_info!("Diff: {diff:?}");
         }
 
         aug.save()?;
@@ -172,9 +185,10 @@ mod tests {
     use super::*;
     use rudder_module_type::Outcome;
     use std::fs::read_to_string;
+    use std::path::PathBuf;
     use tempfile::tempdir;
 
-    fn arguments(script: String, path: Option<String>, lens: Option<String>) -> AugeasParameters {
+    fn arguments(script: String, path: PathBuf, lens: Option<String>) -> AugeasParameters {
         AugeasParameters {
             script,
             path,
@@ -185,7 +199,7 @@ mod tests {
 
     #[test]
     fn it_writes_file_from_commands() {
-        let mut augeas = Augeas::new().unwrap();
+        let mut augeas = Augeas::new(None, vec![]).unwrap();
         let d = tempdir().unwrap().into_path();
         let f = d.join("test");
         let lens = "Simplelines";
@@ -194,7 +208,7 @@ mod tests {
             .handle_check_apply(
                 arguments(
                     format!("set /files{}/0 \"hello world\"", f.display()),
-                    Some(f.display().to_string()),
+                    f.clone(),
                     Some(lens.to_string()),
                 ),
                 PolicyMode::Enforce,
diff --git a/policies/module-types/augeas/src/bin/raugtool.rs b/policies/module-types/augeas/src/bin/raugtool.rs
index 146192f752..b1e8f35d46 100644
--- a/policies/module-types/augeas/src/bin/raugtool.rs
+++ b/policies/module-types/augeas/src/bin/raugtool.rs
@@ -14,6 +14,7 @@ use rudder_module_augeas::dsl::script::Interpreter;
 use rudder_module_augeas::{CRATE_NAME, CRATE_VERSION};
 use rudder_module_type::cfengine::log::{set_max_level, LevelFilter};
 use std::env;
+use std::path::PathBuf;
 
 #[derive(Debug, Options)]
 pub struct Cli {
@@ -30,13 +31,13 @@ pub struct Cli {
     context: Option<String>,
     /// Output file path
     // used as incl
-    path: Option<String>,
+    path: Option<PathBuf>,
     /// Augeas root
     ///
     /// The root of the filesystem to use for augeas.
     ///
     /// WARNING: Should not be used in most cases.
-    root: Option<String>,
+    root: Option<PathBuf>,
     /// Additional load paths for lenses.
     ///
     /// `/var/rudder/lib/lenses` is always added.
@@ -45,7 +46,7 @@ pub struct Cli {
         long = "include",
         help = "additional load paths for lenses"
     )]
-    lens_paths: Vec<String>,
+    lens_paths: Vec<PathBuf>,
     /// A lens to use.
     ///
     /// If not passed, all lenses are loaded, and the `path` is used
@@ -71,7 +72,11 @@ impl Cli {
             println!("Parsed options: {:#?}", &opts);
         }
 
-        let mut aug = Augeas::new_aug(opts.root.as_deref(), opts.type_check_lenses)?;
+        let mut aug = Augeas::new_aug(
+            opts.root.as_deref(),
+            opts.lens_paths,
+            opts.type_check_lenses,
+        )?;
 
         // FIXME handle other parameters
 
diff --git a/policies/module-types/augeas/src/lib.rs b/policies/module-types/augeas/src/lib.rs
index d719aebe6e..59928691b1 100644
--- a/policies/module-types/augeas/src/lib.rs
+++ b/policies/module-types/augeas/src/lib.rs
@@ -35,12 +35,12 @@ impl ModuleType0 for Augeas {
         // from_value does not allow zero-copy deserialization
         let parameters: AugeasParameters =
             serde_json::from_value(Value::Object(parameters.data.clone()))?;
-        parameters.validate(None)
+        parameters.validate()
     }
 
     fn check_apply(&mut self, mode: PolicyMode, parameters: &Parameters) -> CheckApplyResult {
         let p: AugeasParameters = serde_json::from_value(Value::Object(parameters.data.clone()))?;
-        p.validate(Some(mode))?;
+        p.validate()?;
 
         self.handle_check_apply(p, mode)
 
@@ -52,7 +52,7 @@ impl ModuleType0 for Augeas {
 pub fn entry() -> Result<(), anyhow::Error> {
     env::set_var("LC_ALL", "C");
 
-    let promise_type = Augeas::new()?;
+    let promise_type = Augeas::new(None, vec![])?;
     if rudder_module_type::cfengine::called_from_agent() {
         rudder_module_type::run_module(promise_type)
     } else {
diff --git a/policies/module-types/augeas/src/parameters.rs b/policies/module-types/augeas/src/parameters.rs
index 6f02646678..37227d988a 100644
--- a/policies/module-types/augeas/src/parameters.rs
+++ b/policies/module-types/augeas/src/parameters.rs
@@ -1,13 +1,10 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::RUDDER_LENS_LIB;
-use anyhow::Result;
-use rudder_module_type::PolicyMode;
+use anyhow::{bail, Result};
 use serde::{Deserialize, Serialize};
 use serde_inline_default::serde_inline_default;
-use std::borrow::Cow;
-use std::iter;
+use std::path::PathBuf;
 
 /// Parameters for the augeas module.
 #[derive(Clone, Debug, PartialEq, Eq, Default, Serialize, Deserialize)]
@@ -18,34 +15,20 @@ pub struct AugeasParameters {
     pub script: String,
     // only_if
     pub if_script: String,
-    /// Prefix to add.
+    /// Prefix to add to all expressions.
     ///
-    /// By default,
-    ///
-    /// * If a `path` is passed, it is used as context
-    /// * If no `path` is passed, the context is empty.
+    /// By default, the `path` is used as context.
     #[serde(default)]
     pub context: Option<String>,
-    /// Output file path
+    /// Output file `path`
     #[serde(default)]
     // used as incl
-    pub path: Option<String>,
-    /// Augeas root
-    ///
-    /// The root of the filesystem to use for augeas.
-    ///
-    /// WARNING: Should not be used in most cases.
-    #[serde(default)]
-    pub root: Option<String>,
+    pub path: PathBuf,
     /// Show the diff.
     ///
     /// Enabled by default. Disable for files containing secrets.
     #[serde_inline_default(true)]
     pub show_diff: bool,
-    /// Additional load paths for lenses.
-    ///
-    /// `/var/rudder/lib/lenses` is always added.
-    pub lens_paths: Vec<String>,
     /// A lens to use.
     ///
     /// If not passed, all lenses are loaded, and the `path` is used
@@ -57,40 +40,11 @@ pub struct AugeasParameters {
 }
 
 impl AugeasParameters {
-    pub fn load_paths(&self) -> String {
-        // Load from the given paths plus the default one.
-        self.lens_paths
-            .iter()
-            .map(|p| p.as_str())
-            .chain(iter::once(RUDDER_LENS_LIB))
-            .collect::<Vec<&str>>()
-            .join(":")
-    }
-
-    /// Returns the lens name with the `.lns` extension if missing.
-    pub fn lens_name(&self) -> Option<Cow<str>> {
-        match self.lens.as_deref() {
-            Some(lens) => {
-                if lens.ends_with(".lns") {
-                    Some(Cow::from(lens))
-                } else {
-                    Some(Cow::from(format!("{lens}.lns")))
-                }
-            }
-            None => None,
-        }
-    }
-
-    pub fn context(&self) -> Option<Cow<str>> {
-        match (self.context.as_deref(), self.path.as_deref()) {
-            (Some(context), _) => Some(Cow::from(context)),
-            (None, Some(p)) => Some(Cow::from(format!("files/{p}"))),
-            (_, None) => None,
-        }
-    }
-
     /// Validate the parameters.
-    pub fn validate(&self, _policy_mode: Option<PolicyMode>) -> Result<()> {
+    pub fn validate(&self) -> Result<()> {
+        if self.path.is_relative() {
+            bail!("path must be absolute: {}", self.path.display());
+        }
         Ok(())
     }
 }
@@ -100,24 +54,17 @@ mod tests {
     use super::*;
 
     #[test]
-    fn it_appends_lns_extension_if_missing() {
-        let lens = "test_lens".to_string();
-        let p = AugeasParameters {
-            lens: Some(lens),
+    fn test_validate() {
+        let relative = AugeasParameters {
+            path: PathBuf::from("relative"),
             ..Default::default()
         };
-        let result = p.lens_name().unwrap();
-        assert_eq!(result, "test_lens.lns");
-    }
-
-    #[test]
-    fn it_does_not_append_lns_extension_if_present() {
-        let lens = "test_lens.lns".to_string();
-        let p = AugeasParameters {
-            lens: Some(lens),
+        let absolute = AugeasParameters {
+            path: PathBuf::from("/etc/absolute"),
             ..Default::default()
         };
-        let result = p.lens_name().unwrap();
-        assert_eq!(result, "test_lens.lns");
+
+        assert!(relative.validate().is_err());
+        assert!(absolute.validate().is_ok());
     }
 }

From 99a21935e3e064ddf6ca7eddc324f31ce988ab0e Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 24 Dec 2024 15:00:01 +0100
Subject: [PATCH 21/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    | 112 ++++++++++++------
 .../module-types/augeas/src/bin/raugtool.rs   |  24 +++-
 .../module-types/augeas/src/dsl/script.rs     |   3 +-
 policies/module-types/augeas/src/lib.rs       |   2 +-
 4 files changed, 102 insertions(+), 39 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index f458c5bae0..338a8c8496 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -2,16 +2,14 @@
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
 use crate::dsl::script::{Interpreter, InterpreterPerms};
-use crate::report::diff;
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use anyhow::bail;
 use raugeas::{Flags, SaveMode};
 use rudder_module_type::{
-    rudder_debug, rudder_error, rudder_info, CheckApplyResult, Outcome, PolicyMode,
+    rudder_debug, rudder_error, CheckApplyResult, Outcome, PolicyMode,
 };
 use std::borrow::Cow;
 use std::env;
-use std::fs::read_to_string;
 use std::path::Path;
 
 /// Augeas module implementation.
@@ -28,11 +26,16 @@ pub struct Augeas {
     aug: raugeas::Augeas,
 }
 
+#[derive(Debug, PartialEq, Copy, Clone)]
+pub enum LoadMode {
+    All,
+    LensesOnly,
+    Nothing,
+}
+
 impl Augeas {
-    /// Additional load paths for lenses.
-    ///
-    /// `/var/rudder/lib/lenses` is always added.
-    pub fn new(root: Option<&Path>, load_paths: Vec<&Path>) -> anyhow::Result<Self> {
+    /// Create a new Augeas module.
+    pub fn new_module(root: Option<&Path>, load_paths: Vec<&Path>) -> anyhow::Result<Self> {
         // Cleanup the environment first to avoid any interference.
         //
         // SAFETY: Safe as the module is single threaded.
@@ -44,7 +47,9 @@ impl Augeas {
 
         let aug = Self::new_aug(
             root, // Root is global in an agent context.
-            load_paths, false,
+            load_paths,
+            false,
+            LoadMode::LensesOnly, // We only need lenses. We only load them once.
         )?;
 
         Ok(Augeas { aug })
@@ -54,12 +59,23 @@ impl Augeas {
         root: Option<&Path>,
         load_paths: Vec<T>,
         type_check_lenses: bool,
+        load_mode: LoadMode,
     ) -> anyhow::Result<raugeas::Augeas> {
         let mut flags = Flags::NONE;
 
-        // We never want to load the whole tree, but we load the lenses once.
-        rudder_debug!("Autoloading lenses");
-        flags.insert(Flags::NO_LOAD);
+        match load_mode {
+            LoadMode::All => {
+                rudder_debug!("Loading all files into the tree on startup");
+            }
+            LoadMode::LensesOnly => {
+                rudder_debug!("Loading lenses on startup");
+                flags.insert(Flags::NO_LOAD);
+            }
+            LoadMode::Nothing => {
+                rudder_debug!("Not loading lenses on startup");
+                flags.insert(Flags::NO_MODULE_AUTOLOAD);
+            }
+        }
 
         if type_check_lenses {
             rudder_debug!("Type checking lenses");
@@ -90,27 +106,20 @@ impl Augeas {
 
         if p.path.exists() {
             rudder_debug!("Target {} already exists", p.path.display());
+        } else if policy_mode == PolicyMode::Audit {
+            rudder_error!("Target {} does not exist", p.path.display());
+            // Short-circuit the check.
+            bail!("Audit target file '{}' does not exist", p.path.display());
         } else {
             rudder_debug!("Target {} does not exist", p.path.display());
-            if policy_mode == PolicyMode::Audit {
-                rudder_error!("Target {} does not exist", p.path.display());
-                // Short-circuit the check.
-                bail!("Audit target file '{}' does not exist", p.path.display());
-            } else {
-                rudder_debug!("Target {} does not exist", p.path.display());
-            }
         }
 
-        match p.lens.as_deref() {
-            Some(l) => {
-                rudder_debug!("Using lens: {l}");
-                aug.transform(l, p.path.as_os_str(), false)?;
-                aug.load()?;
-            }
-            None => {
-                rudder_debug!("Detecting lens for path: {}", p.path.display());
-                aug.load_file(p.path.as_os_str())?;
-            }
+        if let Some(l) = p.lens.as_deref() {
+            rudder_debug!("Using lens: {l}");
+            aug.transform(l, p.path.as_os_str(), false)?;
+        }
+        if p.path.exists() {
+            aug.load_file(p.path.as_os_str())?;
         }
 
         // We have loaded the target, let's check for parsing errors.
@@ -158,32 +167,38 @@ impl Augeas {
             }
         }
 
-        let src = read_to_string(&p.path)?;
-        let preview = aug.preview(p.path)?;
+        // TODO: Pas de preview dispo en création de fichier
 
-        let diff = diff(&src, &preview.unwrap());
+        /*
+        let src = read_to_string(&p.path).unwrap_or("".to_string());
+        let preview = aug.preview(p.path).unwrap().unwrap_or("".to_string());
+
+        let diff = diff(&src, &preview);
 
         if p.show_diff {
             rudder_info!("Diff: {diff:?}");
-        }
+        }*/
 
         aug.save()?;
 
         // FIXME reload in case the tree is not clean
 
         // Ensure `files` are clean before next call.
-        aug.load()?;
+        //aug.load()?;
 
         // Get information about changes
         // make backups
         Ok(Outcome::Repaired("5 success".to_string()))
+        // TODO text reporting with structured data
     }
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
+    
     use rudder_module_type::Outcome;
+    use std::fs;
     use std::fs::read_to_string;
     use std::path::PathBuf;
     use tempfile::tempdir;
@@ -193,13 +208,15 @@ mod tests {
             script,
             path,
             lens,
+            show_diff: true,
+            context: Some("".to_string()),
             ..Default::default()
         }
     }
 
     #[test]
-    fn it_writes_file_from_commands() {
-        let mut augeas = Augeas::new(None, vec![]).unwrap();
+    fn it_writes_file_from_commands_in_new_file() {
+        let mut augeas = Augeas::new_module(None, vec![]).unwrap();
         let d = tempdir().unwrap().into_path();
         let f = d.join("test");
         let lens = "Simplelines";
@@ -215,8 +232,31 @@ mod tests {
             )
             .unwrap();
         assert_eq!(r, Outcome::repaired("5 success".to_string()));
-
         let content = read_to_string(&f).unwrap();
         assert_eq!(content.trim(), "hello world");
     }
+
+    #[test]
+    fn it_writes_file_from_commands_in_existing_file() {
+        let mut augeas = Augeas::new_module(None, vec![]).unwrap();
+        let d = tempdir().unwrap().into_path();
+        let f = d.join("test");
+        let lens = "Simplelines";
+
+        fs::write(&f, "hello").unwrap();
+
+        let r = augeas
+            .handle_check_apply(
+                arguments(
+                    format!("set /files{}/1 \"world\"", f.display()),
+                    f.clone(),
+                    Some(lens.to_string()),
+                ),
+                PolicyMode::Enforce,
+            )
+            .unwrap();
+        assert_eq!(r, Outcome::repaired("5 success".to_string()));
+        let content = read_to_string(&f).unwrap();
+        assert_eq!(content.trim(), "world");
+    }
 }
diff --git a/policies/module-types/augeas/src/bin/raugtool.rs b/policies/module-types/augeas/src/bin/raugtool.rs
index b1e8f35d46..e0ff3bc758 100644
--- a/policies/module-types/augeas/src/bin/raugtool.rs
+++ b/policies/module-types/augeas/src/bin/raugtool.rs
@@ -8,7 +8,7 @@
 
 use anyhow::Result;
 use gumdrop::Options;
-use rudder_module_augeas::augeas::Augeas;
+use rudder_module_augeas::augeas::{Augeas, LoadMode};
 use rudder_module_augeas::dsl::repl;
 use rudder_module_augeas::dsl::script::Interpreter;
 use rudder_module_augeas::{CRATE_NAME, CRATE_VERSION};
@@ -63,6 +63,21 @@ pub struct Cli {
         help = "force type checking of lenses"
     )]
     type_check_lenses: bool,
+
+    /// Do not load any files into the tree on startup.
+    #[options(
+        short = "L",
+        long = "noload",
+        help = "do not load any files into the tree on startup"
+    )]
+    dont_load_tree: bool,
+    /// Do not autoload modules from the search path.
+    #[options(
+        short = "A",
+        long = "noautoload",
+        help = "do not autoload modules from the search path"
+    )]
+    dont_load_lenses: bool,
 }
 
 impl Cli {
@@ -72,10 +87,17 @@ impl Cli {
             println!("Parsed options: {:#?}", &opts);
         }
 
+        let load_mode = match (!opts.dont_load_lenses, !opts.dont_load_tree) {
+            (false, _) => LoadMode::Nothing,
+            (true, false) => LoadMode::LensesOnly,
+            (true, true) => LoadMode::All,
+        };
+
         let mut aug = Augeas::new_aug(
             opts.root.as_deref(),
             opts.lens_paths,
             opts.type_check_lenses,
+            load_mode,
         )?;
 
         // FIXME handle other parameters
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index 7091818fa5..c9139e93a9 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -7,7 +7,7 @@ use crate::dsl::comparator::{Comparison, NumComparator};
 use crate::dsl::{parser, AugPath, Sub, Value};
 use anyhow::{anyhow, bail, Result};
 use raugeas::{Augeas, Position};
-use rudder_module_type::rudder_debug;
+use rudder_module_type::{rudder_debug, rudder_trace};
 
 /// The mode of the interpreter.
 ///
@@ -65,6 +65,7 @@ impl<'a> Interpreter<'a> {
     //         BUT abort early in enforce....
 
     fn eval(&mut self, expr: &Expression) -> Result<bool> {
+        rudder_trace!("Running expression: {:?}", expr);
         match expr {
             Expression::Set(path, value) => self.aug.set(path, value)?,
             Expression::SetMultiple(path, sub, value) => {
diff --git a/policies/module-types/augeas/src/lib.rs b/policies/module-types/augeas/src/lib.rs
index 59928691b1..092ff5391a 100644
--- a/policies/module-types/augeas/src/lib.rs
+++ b/policies/module-types/augeas/src/lib.rs
@@ -52,7 +52,7 @@ impl ModuleType0 for Augeas {
 pub fn entry() -> Result<(), anyhow::Error> {
     env::set_var("LC_ALL", "C");
 
-    let promise_type = Augeas::new(None, vec![])?;
+    let promise_type = Augeas::new_module(None, vec![])?;
     if rudder_module_type::cfengine::called_from_agent() {
         rudder_module_type::run_module(promise_type)
     } else {

From 8bf94d8472113e195939adb15ca3dd5ada9d7a1e Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 24 Dec 2024 15:09:40 +0100
Subject: [PATCH 22/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    | 41 +++++++++++++------
 .../module-types/augeas/src/bin/raugtool.rs   |  2 +-
 2 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 338a8c8496..de83c19937 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -5,12 +5,10 @@ use crate::dsl::script::{Interpreter, InterpreterPerms};
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use anyhow::bail;
 use raugeas::{Flags, SaveMode};
-use rudder_module_type::{
-    rudder_debug, rudder_error, CheckApplyResult, Outcome, PolicyMode,
-};
+use rudder_module_type::{rudder_debug, rudder_error, CheckApplyResult, Outcome, PolicyMode};
 use std::borrow::Cow;
 use std::env;
-use std::path::Path;
+use std::path::{Path, PathBuf};
 
 /// Augeas module implementation.
 ///
@@ -24,6 +22,8 @@ use std::path::Path;
 //
 pub struct Augeas {
     aug: raugeas::Augeas,
+    root: Option<PathBuf>,
+    load_paths: Vec<PathBuf>,
 }
 
 #[derive(Debug, PartialEq, Copy, Clone)]
@@ -35,7 +35,7 @@ pub enum LoadMode {
 
 impl Augeas {
     /// Create a new Augeas module.
-    pub fn new_module(root: Option<&Path>, load_paths: Vec<&Path>) -> anyhow::Result<Self> {
+    pub fn new_module(root: Option<PathBuf>, load_paths: Vec<PathBuf>) -> anyhow::Result<Self> {
         // Cleanup the environment first to avoid any interference.
         //
         // SAFETY: Safe as the module is single threaded.
@@ -46,18 +46,33 @@ impl Augeas {
         }
 
         let aug = Self::new_aug(
-            root, // Root is global in an agent context.
-            load_paths,
+            root.as_deref(), // Root is global in an agent context.
+            &load_paths,
             false,
             LoadMode::LensesOnly, // We only need lenses. We only load them once.
         )?;
 
-        Ok(Augeas { aug })
+        Ok(Augeas {
+            aug,
+            root,
+            load_paths,
+        })
+    }
+
+    fn reset_augeas(&mut self) -> anyhow::Result<()> {
+        let new = Self::new_aug(
+            self.root.as_deref(), // Root is global in an agent context.
+            &self.load_paths,
+            false,
+            LoadMode::LensesOnly, // We only need lenses. We only load them once.
+        )?;
+        self.aug = new;
+        Ok(())
     }
 
     pub fn new_aug<T: AsRef<Path>>(
         root: Option<&Path>,
-        load_paths: Vec<T>,
+        load_paths: &[T],
         type_check_lenses: bool,
         load_mode: LoadMode,
     ) -> anyhow::Result<raugeas::Augeas> {
@@ -104,7 +119,9 @@ impl Augeas {
     ) -> CheckApplyResult {
         let aug = &mut self.aug;
 
-        if p.path.exists() {
+        let already_exists = p.path.exists();
+
+        if already_exists {
             rudder_debug!("Target {} already exists", p.path.display());
         } else if policy_mode == PolicyMode::Audit {
             rudder_error!("Target {} does not exist", p.path.display());
@@ -118,7 +135,7 @@ impl Augeas {
             rudder_debug!("Using lens: {l}");
             aug.transform(l, p.path.as_os_str(), false)?;
         }
-        if p.path.exists() {
+        if already_exists {
             aug.load_file(p.path.as_os_str())?;
         }
 
@@ -196,7 +213,7 @@ impl Augeas {
 #[cfg(test)]
 mod tests {
     use super::*;
-    
+
     use rudder_module_type::Outcome;
     use std::fs;
     use std::fs::read_to_string;
diff --git a/policies/module-types/augeas/src/bin/raugtool.rs b/policies/module-types/augeas/src/bin/raugtool.rs
index e0ff3bc758..403c6f0681 100644
--- a/policies/module-types/augeas/src/bin/raugtool.rs
+++ b/policies/module-types/augeas/src/bin/raugtool.rs
@@ -95,7 +95,7 @@ impl Cli {
 
         let mut aug = Augeas::new_aug(
             opts.root.as_deref(),
-            opts.lens_paths,
+            &opts.lens_paths,
             opts.type_check_lenses,
             load_mode,
         )?;

From c532c37ca423fa1f3e53c0b885d07a07696d9761 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 24 Dec 2024 15:56:01 +0100
Subject: [PATCH 23/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    |  41 +++--
 .../module-types/augeas/src/dsl/parser.rs     |   4 +-
 policies/module-types/augeas/src/dsl/repl.rs  |  12 +-
 .../module-types/augeas/src/dsl/script.rs     | 157 ++++++++++++++----
 4 files changed, 161 insertions(+), 53 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index de83c19937..2be0ca18cd 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{Interpreter, InterpreterPerms};
+use crate::dsl::script::{CheckMode, Interpreter, InterpreterPerms};
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use anyhow::bail;
 use raugeas::{Flags, SaveMode};
@@ -45,12 +45,7 @@ impl Augeas {
             env::remove_var("AUGEAS_DEBUG");
         }
 
-        let aug = Self::new_aug(
-            root.as_deref(), // Root is global in an agent context.
-            &load_paths,
-            false,
-            LoadMode::LensesOnly, // We only need lenses. We only load them once.
-        )?;
+        let aug = Self::new_aug_for_module(root.as_deref(), &load_paths)?;
 
         Ok(Augeas {
             aug,
@@ -59,17 +54,21 @@ impl Augeas {
         })
     }
 
+    /// Close and recreate the Augeas instance.
+    ///
+    /// Allows recovering from errors and starting fresh.
     fn reset_augeas(&mut self) -> anyhow::Result<()> {
-        let new = Self::new_aug(
-            self.root.as_deref(), // Root is global in an agent context.
-            &self.load_paths,
-            false,
-            LoadMode::LensesOnly, // We only need lenses. We only load them once.
-        )?;
-        self.aug = new;
+        self.aug = Self::new_aug_for_module(self.root.as_deref(), &self.load_paths)?;
         Ok(())
     }
 
+    fn new_aug_for_module<T: AsRef<Path>>(
+        root: Option<&Path>,
+        load_paths: &[T],
+    ) -> anyhow::Result<raugeas::Augeas> {
+        Self::new_aug(root.as_deref(), &load_paths, false, LoadMode::LensesOnly)
+    }
+
     pub fn new_aug<T: AsRef<Path>>(
         root: Option<&Path>,
         load_paths: &[T],
@@ -160,7 +159,11 @@ impl Augeas {
             // No condition, always run the script.
             true
         } else {
-            match interpreter.run(InterpreterPerms::ReadTree, &p.if_script) {
+            match interpreter.run(
+                InterpreterPerms::ReadTree,
+                CheckMode::FailEarly,
+                &p.if_script,
+            ) {
                 Ok(_) => true,
                 Err(e) => {
                     // FIXME: make a difference between audit errors and other errors!
@@ -171,7 +174,11 @@ impl Augeas {
         };
         if do_script {
             rudder_debug!("Running script: {:?}", p.script);
-            interpreter.run(InterpreterPerms::ReadWriteTree, &p.script)?;
+            interpreter.run(
+                InterpreterPerms::ReadWriteTree,
+                CheckMode::StackErrors,
+                &p.script,
+            )?;
         }
 
         // Avoid writing if we are in audit mode.
@@ -184,7 +191,7 @@ impl Augeas {
             }
         }
 
-        // TODO: Pas de preview dispo en création de fichier
+        // TODO: Pas de preview() dispo en création de fichier
 
         /*
         let src = read_to_string(&p.path).unwrap_or("".to_string());
diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
index 31d38ef7ff..fd67948589 100644
--- a/policies/module-types/augeas/src/dsl/parser.rs
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -149,7 +149,7 @@ fn cmd_match_not_equal(input: &str) -> IResult<&str, Expression, VerboseError<&s
 
 fn cmd_generic(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
     let (input, cmd) = not_line_ending(input)?;
-    Ok((input, Expression::GenericAugeas(cmd)))
+    Ok((input, Expression::GenericAugeasRead(cmd)))
 }
 
 /// Read a valid change.
@@ -224,7 +224,7 @@ mod tests {
 
     fn test_cmd_generic() {
         let input = "generic command";
-        let expected = Expression::GenericAugeas("generic command");
+        let expected = Expression::GenericAugeasRead("generic command");
         let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
diff --git a/policies/module-types/augeas/src/dsl/repl.rs b/policies/module-types/augeas/src/dsl/repl.rs
index 8e9aa8591e..23cb246e3d 100644
--- a/policies/module-types/augeas/src/dsl/repl.rs
+++ b/policies/module-types/augeas/src/dsl/repl.rs
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{Interpreter, InterpreterPerms};
+use crate::dsl::script::{CheckMode, Interpreter, InterpreterOut, InterpreterPerms};
 use anyhow::Result;
 use rustyline::error::ReadlineError;
 
@@ -20,13 +20,17 @@ pub fn start(interpreter: &mut Interpreter) -> Result<()> {
             Ok(l) => match l.trim() {
                 "" => continue,
                 line => {
-                    let res = interpreter.run(InterpreterPerms::ReadWriteSystem, line);
+                    let res = interpreter.run(
+                        InterpreterPerms::ReadWriteSystem,
+                        CheckMode::StackErrors,
+                        line,
+                    );
                     match res {
-                        Ok(true) => break,
-                        Ok(false) => (),
+                        Ok(InterpreterOut { quit: true, .. }) => break,
                         Err(e) => {
                             eprintln!("error: {:?}", e);
                         }
+                        _ => {}
                     }
                 }
             },
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index c9139e93a9..85112d21cf 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -25,11 +25,65 @@ pub enum InterpreterPerms {
     ReadWriteSystem,
 }
 
+impl InterpreterPerms {
+    pub fn is_authorised(&self, expr_type: ExprType) -> bool {
+        match self {
+            InterpreterPerms::ReadTree => expr_type == ExprType::Read,
+            InterpreterPerms::ReadWriteTree => {
+                expr_type == ExprType::Read || expr_type == ExprType::Write
+            }
+            InterpreterPerms::ReadWriteSystem => true,
+        }
+    }
+}
+
+pub struct InterpreterOut {
+    pub outcome: InterpreterOutcome,
+    pub quit: bool,
+}
+
+impl InterpreterOut {
+    pub fn new(outcome: InterpreterOutcome, quit: bool) -> Self {
+        Self { outcome, quit }
+    }
+
+    pub fn from_res_no_quit(res: Result<()>) -> Result<Self> {
+        Ok(match res {
+            Ok(_) => Self::new(InterpreterOutcome::Ok, false),
+            Err(e) => Self::new(InterpreterOutcome::CheckErrors(vec![e]), false),
+        })
+    }
+}
+
+#[derive(Debug)]
+pub enum InterpreterOutcome {
+    /// Everything went well.
+    Ok,
+    /// The augeas expressions were evaluated correctly,
+    /// and lead to invalidated checks.
+    /// Note: change errors are treated as hard errors and stop the script.
+    ///
+    /// They can be accumulated or not.
+    CheckErrors(Vec<anyhow::Error>),
+}
+
+impl InterpreterOutcome {
+    fn from_errors(errors: Vec<anyhow::Error>) -> Self {
+        if errors.is_empty() {
+            Self::Ok
+        } else {
+            Self::CheckErrors(errors)
+        }
+    }
+}
+
 /// When running a script containing several expressions,
 /// should the interpreter accumulate the results or fail early.
 #[derive(Debug, PartialEq, Copy, Clone)]
-pub enum ErrorMode {
+pub enum CheckMode {
+    /// Fail on first check error.
     FailEarly,
+    /// Stack all check errors.
     StackErrors,
 }
 
@@ -43,53 +97,90 @@ impl<'a> Interpreter<'a> {
         Self { aug }
     }
 
-    pub fn run(&mut self, mode: InterpreterPerms, script: &str) -> Result<bool> {
+    pub fn run(
+        &mut self,
+        mode: InterpreterPerms,
+        check_mode: CheckMode,
+        script: &str,
+    ) -> Result<InterpreterOut> {
         let script = Script::from(script)?;
+        let mut check_errors = vec![];
 
         rudder_debug!("Running {} changes", script.expressions.len());
         for expr in &script.expressions {
-            if expr.expr_type() == ExprType::Write && mode == InterpreterPerms::ReadTree {
-                bail!("Cannot run an action ({:?}) in check mode", expr);
+            let expr_type = expr.expr_type();
+            if !mode.is_authorised(expr_type) {
+                bail!(
+                    "Expression type {:?} not allowed in {:?} mode",
+                    expr_type,
+                    mode
+                );
+            }
+
+            let eval_r = self.eval(expr)?;
+            match eval_r.outcome {
+                InterpreterOutcome::CheckErrors(mut e) => match check_mode {
+                    CheckMode::FailEarly => {
+                        if !e.is_empty() {
+                            return Ok(InterpreterOut::new(
+                                InterpreterOutcome::CheckErrors(e),
+                                eval_r.quit,
+                            ));
+                        }
+                    }
+                    CheckMode::StackErrors => check_errors.append(&mut e),
+                },
+                InterpreterOutcome::Ok => {}
             }
-            let quit = self.eval(expr)?;
-            if quit {
-                return Ok(true);
+
+            if eval_r.quit {
+                return Ok(InterpreterOut::new(
+                    InterpreterOutcome::from_errors(check_errors),
+                    true,
+                ));
             }
         }
         // FIXME handle write/save??
         // Handle convergence/idempotency test
-        Ok(false)
+        Ok(InterpreterOut::new(
+            InterpreterOutcome::from_errors(check_errors),
+            false,
+        ))
     }
 
-    // FIXME : accumulate check errors in audit mode
-    //         BUT abort early in enforce....
-
-    fn eval(&mut self, expr: &Expression) -> Result<bool> {
+    fn eval(&mut self, expr: &Expression) -> Result<InterpreterOut> {
         rudder_trace!("Running expression: {:?}", expr);
-        match expr {
-            Expression::Set(path, value) => self.aug.set(path, value)?,
+        InterpreterOut::from_res_no_quit(match expr {
+            Expression::Set(path, value) => self.aug.set(path, value).map_err(|e| e.into()),
             Expression::SetMultiple(path, sub, value) => {
                 let n = self.aug.setm(path, sub, value)?;
                 rudder_debug!("setm: modified {n} nodes");
+                Ok(())
             }
             Expression::Remove(path) => {
                 let n = self.aug.rm(path)?;
                 rudder_debug!("rm: removed {n} nodes");
+                Ok(())
             }
-            Expression::Clear(path) => self.aug.clear(path)?,
+            Expression::Clear(path) => self.aug.clear(path).map_err(|e| e.into()),
             Expression::ClearMultiple(path, sub) => {
                 let n = self.aug.clearm(path, sub)?;
                 rudder_debug!("clearm: cleared {n} nodes");
+                Ok(())
             }
-            Expression::Touch(path) => self.aug.touch(path)?,
-            Expression::Insert(label, position, path) => self.aug.insert(path, label, *position)?,
-            Expression::Move(path, other) => self.aug.mv(path, other)?,
-            Expression::Copy(path, other) => self.aug.cp(path, other)?,
+            Expression::Touch(path) => self.aug.touch(path).map_err(|e| e.into()),
+            Expression::Insert(label, position, path) => self
+                .aug
+                .insert(path, label, *position)
+                .map_err(|e| e.into()),
+            Expression::Move(path, other) => self.aug.mv(path, other).map_err(|e| e.into()),
+            Expression::Copy(path, other) => self.aug.cp(path, other).map_err(|e| e.into()),
             Expression::Rename(path, label) => {
                 let n = self.aug.rename(path, label)?;
                 rudder_debug!("rename: renamed {n} nodes");
+                Ok(())
             }
-            Expression::DefineVar(name, path) => self.aug.defvar(name, path)?,
+            Expression::DefineVar(name, path) => self.aug.defvar(name, path).map_err(|e| e.into()),
             Expression::DefineNode(name, path, value) => {
                 let created = self.aug.defnode(name, path, value)?;
                 if created {
@@ -97,45 +188,50 @@ impl<'a> Interpreter<'a> {
                 } else {
                     rudder_debug!("defnode: no nodes were created");
                 }
+                Ok(())
             }
             Expression::MatchInclude(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if !matches.iter().any(|v| v == value) {
                     todo!()
                 }
+                Ok(())
             }
             Expression::MatchNotInclude(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if !matches.iter().any(|v| v == value) {
                     todo!()
                 }
+                Ok(())
             }
             Expression::MatchEqual(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if matches == *value {
                     todo!()
                 }
+                Ok(())
             }
             Expression::MatchNotEqual(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if matches != *value {
                     todo!()
                 }
+                Ok(())
             }
-            Expression::GenericAugeas(cmd) => {
+            Expression::GenericAugeasRead(cmd) => {
                 let (num, out) = self.aug.srun(cmd)?;
                 let summary = match num {
                     raugeas::CommandsNumber::Success(n) => format!("{n} success"),
                     // FIXME: should be an error, no sense in this context.
                     raugeas::CommandsNumber::Quit => "has quit".to_string(),
                 };
-                rudder_debug!("{summary}, output: {out}");
+                rudder_debug!("{}, output: {}", summary, out);
+                Ok(())
             }
-            Expression::Save => self.aug.save()?,
-            Expression::Quit => return Ok(true),
+            Expression::Save => self.aug.save().map_err(|e| e.into()),
+            Expression::Quit => return Ok(InterpreterOut::new(InterpreterOutcome::Ok, true)),
             _ => todo!(),
-        }
-        Ok(false)
+        })
     }
 }
 
@@ -167,7 +263,7 @@ impl<'a> Script<'a> {
 #[derive(Debug, PartialEq)]
 pub enum Expression<'a> {
     /// A generic augeas command, not parsed.
-    GenericAugeas(&'a str),
+    GenericAugeasRead(&'a str),
     /// Sets the value VALUE at location PATH
     Set(AugPath<'a>, Value<'a>),
     /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
@@ -232,7 +328,7 @@ where:
 
 */
 
-#[derive(Debug, PartialEq)]
+#[derive(Debug, PartialEq, Copy, Clone)]
 enum ExprType {
     /// Only reads the tree and return data.
     Read,
@@ -247,8 +343,9 @@ enum ExprType {
 impl Expression<'_> {
     fn expr_type(&self) -> ExprType {
         match self {
-            Expression::GenericAugeas(..)
-            | Expression::DefineVar(..)
+            // FIXME: ensure we cover all changes!
+            Expression::GenericAugeasRead(..) => ExprType::Read,
+            Expression::DefineVar(..)
             | Expression::DefineNode(..)
             | Expression::Set(..)
             | Expression::SetMultiple(..)

From 05fc2cf8b9cd07fe1506eebd76f445a9e8766ad5 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 24 Dec 2024 16:47:43 +0100
Subject: [PATCH 24/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    |   2 +-
 .../module-types/augeas/src/dsl/parser.rs     |  15 +-
 policies/module-types/augeas/src/dsl/repl.rs  |  24 +++-
 .../module-types/augeas/src/dsl/script.rs     | 136 ++++++++++++------
 4 files changed, 124 insertions(+), 53 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 2be0ca18cd..65002419bd 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -66,7 +66,7 @@ impl Augeas {
         root: Option<&Path>,
         load_paths: &[T],
     ) -> anyhow::Result<raugeas::Augeas> {
-        Self::new_aug(root.as_deref(), &load_paths, false, LoadMode::LensesOnly)
+        Self::new_aug(root, load_paths, false, LoadMode::LensesOnly)
     }
 
     pub fn new_aug<T: AsRef<Path>>(
diff --git a/policies/module-types/augeas/src/dsl/parser.rs b/policies/module-types/augeas/src/dsl/parser.rs
index fd67948589..2a08576cd3 100644
--- a/policies/module-types/augeas/src/dsl/parser.rs
+++ b/policies/module-types/augeas/src/dsl/parser.rs
@@ -5,7 +5,7 @@ use crate::dsl::script::Expression;
 use nom::branch::alt;
 use nom::bytes::complete::{is_not, tag};
 use nom::character::complete::{
-    alpha1, char, line_ending, multispace0, not_line_ending, space0, space1,
+    alpha1, char, line_ending, multispace0, not_line_ending, space0,
 };
 use nom::combinator::{eof, map_res, not, opt};
 use nom::error::VerboseError;
@@ -49,7 +49,7 @@ pub fn arg(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
 
 fn cmd(input: &str) -> IResult<&str, &str, VerboseError<&str>> {
     let (input, cmd) = alpha1(input)?;
-    let (input, _) = space1(input)?;
+    let (input, _) = space0(input)?;
     Ok((input, cmd))
 }
 
@@ -149,7 +149,7 @@ fn cmd_match_not_equal(input: &str) -> IResult<&str, Expression, VerboseError<&s
 
 fn cmd_generic(input: &str) -> IResult<&str, Expression, VerboseError<&str>> {
     let (input, cmd) = not_line_ending(input)?;
-    Ok((input, Expression::GenericAugeasRead(cmd)))
+    Ok((input, Expression::GenericAugeas(cmd)))
 }
 
 /// Read a valid change.
@@ -224,7 +224,7 @@ mod tests {
 
     fn test_cmd_generic() {
         let input = "generic command";
-        let expected = Expression::GenericAugeasRead("generic command");
+        let expected = Expression::GenericAugeas("generic command");
         let result = expression(input).unwrap();
         assert_eq!(result.1, expected);
     }
@@ -356,7 +356,7 @@ mod tests {
 
     #[test]
     fn test_line_comment() {
-        let input = " comment\n";
+        let input = "# comment\n";
         let result = line(input).unwrap();
         assert_eq!(result.1, None);
     }
@@ -374,6 +374,9 @@ mod tests {
             clearm /path/to/nodes "sub node"
             touch /path/to/node
 
+            print /path/to/node
+            quit
+
             ins  label  before        /path/to/node
             mv /path/to/node /new/path
             rename /path/to/node new_label
@@ -388,6 +391,8 @@ mod tests {
             Expression::Clear("/path/to/node".into()),
             Expression::ClearMultiple("/path/to/nodes".into(), "sub node"),
             Expression::Touch("/path/to/node".into()),
+            Expression::GenericAugeas("print /path/to/node"),
+            Expression::Quit,
             Expression::Insert("label", Position::Before, "/path/to/node".into()),
             Expression::Move("/path/to/node".into(), "/new/path".into()),
             Expression::Rename("/path/to/node".into(), "new_label"),
diff --git a/policies/module-types/augeas/src/dsl/repl.rs b/policies/module-types/augeas/src/dsl/repl.rs
index 23cb246e3d..d752b0d0e6 100644
--- a/policies/module-types/augeas/src/dsl/repl.rs
+++ b/policies/module-types/augeas/src/dsl/repl.rs
@@ -1,7 +1,9 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{CheckMode, Interpreter, InterpreterOut, InterpreterPerms};
+use crate::dsl::script::{
+    CheckMode, Interpreter, InterpreterOut, InterpreterOutcome, InterpreterPerms,
+};
 use anyhow::Result;
 use rustyline::error::ReadlineError;
 
@@ -26,11 +28,27 @@ pub fn start(interpreter: &mut Interpreter) -> Result<()> {
                         line,
                     );
                     match res {
-                        Ok(InterpreterOut { quit: true, .. }) => break,
+                        Ok(InterpreterOut {
+                            quit,
+                            output,
+                            outcome,
+                        }) => {
+                            match outcome {
+                                InterpreterOutcome::Ok => {}
+                                InterpreterOutcome::CheckErrors(errors) => {
+                                    for e in errors {
+                                        eprintln!("check error: {:?}", e);
+                                    }
+                                }
+                            }
+                            println!("{}", output.trim());
+                            if quit {
+                                break;
+                            }
+                        }
                         Err(e) => {
                             eprintln!("error: {:?}", e);
                         }
-                        _ => {}
                     }
                 }
             },
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index 85112d21cf..9d27b7119b 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -26,7 +26,7 @@ pub enum InterpreterPerms {
 }
 
 impl InterpreterPerms {
-    pub fn is_authorised(&self, expr_type: ExprType) -> bool {
+    fn is_authorised(&self, expr_type: ExprType) -> bool {
         match self {
             InterpreterPerms::ReadTree => expr_type == ExprType::Read,
             InterpreterPerms::ReadWriteTree => {
@@ -39,19 +39,63 @@ impl InterpreterPerms {
 
 pub struct InterpreterOut {
     pub outcome: InterpreterOutcome,
+    pub output: String,
     pub quit: bool,
 }
 
 impl InterpreterOut {
-    pub fn new(outcome: InterpreterOutcome, quit: bool) -> Self {
-        Self { outcome, quit }
+    pub fn new(outcome: InterpreterOutcome, output: String, quit: bool) -> Self {
+        Self {
+            outcome,
+            output,
+            quit,
+        }
     }
 
-    pub fn from_res_no_quit(res: Result<()>) -> Result<Self> {
-        Ok(match res {
-            Ok(_) => Self::new(InterpreterOutcome::Ok, false),
-            Err(e) => Self::new(InterpreterOutcome::CheckErrors(vec![e]), false),
-        })
+    pub fn ok() -> Result<Self> {
+        Ok(Self::new(InterpreterOutcome::Ok, String::new(), false))
+    }
+
+    pub fn ok_quit() -> Result<Self> {
+        Ok(Self::new(InterpreterOutcome::Ok, String::new(), true))
+    }
+
+    pub fn from_res_out(res: Result<String>) -> Result<Self> {
+        match res {
+            Ok(o) => Ok(Self::new(InterpreterOutcome::Ok, o, false)),
+            Err(e) => Err(e),
+        }
+    }
+
+    pub fn from_out(out: String) -> Result<Self> {
+        Ok(Self::new(InterpreterOutcome::Ok, out, false))
+    }
+
+    pub fn from_res(res: Result<()>) -> Result<Self> {
+        match res {
+            Ok(()) => Ok(Self::new(InterpreterOutcome::Ok, String::new(), false)),
+            Err(e) => Err(e),
+        }
+    }
+
+    pub fn from_aug_res(res: raugeas::Result<()>) -> Result<Self> {
+        match res {
+            Ok(()) => Ok(Self::new(InterpreterOutcome::Ok, String::new(), false)),
+            Err(e) => Err(e.into()),
+        }
+    }
+
+    // FIXME: check res structured type
+    pub fn from_check_res(res: Result<Result<String>>) -> Result<Self> {
+        match res {
+            Ok(Ok(o)) => Ok(Self::new(InterpreterOutcome::Ok, o, false)),
+            Ok(Err(e)) => Ok(Self::new(
+                InterpreterOutcome::CheckErrors(vec![e]),
+                String::new(),
+                false,
+            )),
+            Err(e) => Err(e),
+        }
     }
 }
 
@@ -105,6 +149,7 @@ impl<'a> Interpreter<'a> {
     ) -> Result<InterpreterOut> {
         let script = Script::from(script)?;
         let mut check_errors = vec![];
+        let mut output = String::new();
 
         rudder_debug!("Running {} changes", script.expressions.len());
         for expr in &script.expressions {
@@ -118,17 +163,21 @@ impl<'a> Interpreter<'a> {
             }
 
             let eval_r = self.eval(expr)?;
+            output.push_str(&eval_r.output);
             match eval_r.outcome {
                 InterpreterOutcome::CheckErrors(mut e) => match check_mode {
                     CheckMode::FailEarly => {
                         if !e.is_empty() {
                             return Ok(InterpreterOut::new(
                                 InterpreterOutcome::CheckErrors(e),
+                                output,
                                 eval_r.quit,
                             ));
                         }
                     }
-                    CheckMode::StackErrors => check_errors.append(&mut e),
+                    CheckMode::StackErrors => {
+                        check_errors.append(&mut e);
+                    }
                 },
                 InterpreterOutcome::Ok => {}
             }
@@ -136,6 +185,7 @@ impl<'a> Interpreter<'a> {
             if eval_r.quit {
                 return Ok(InterpreterOut::new(
                     InterpreterOutcome::from_errors(check_errors),
+                    output,
                     true,
                 ));
             }
@@ -144,43 +194,46 @@ impl<'a> Interpreter<'a> {
         // Handle convergence/idempotency test
         Ok(InterpreterOut::new(
             InterpreterOutcome::from_errors(check_errors),
+            output,
             false,
         ))
     }
 
     fn eval(&mut self, expr: &Expression) -> Result<InterpreterOut> {
         rudder_trace!("Running expression: {:?}", expr);
-        InterpreterOut::from_res_no_quit(match expr {
-            Expression::Set(path, value) => self.aug.set(path, value).map_err(|e| e.into()),
+        // FIXME : errors are not handled correctly (check vs no check)
+        match expr {
+            Expression::Set(path, value) => InterpreterOut::from_aug_res(self.aug.set(path, value)),
             Expression::SetMultiple(path, sub, value) => {
                 let n = self.aug.setm(path, sub, value)?;
                 rudder_debug!("setm: modified {n} nodes");
-                Ok(())
+                InterpreterOut::ok()
             }
             Expression::Remove(path) => {
                 let n = self.aug.rm(path)?;
                 rudder_debug!("rm: removed {n} nodes");
-                Ok(())
+                InterpreterOut::ok()
             }
-            Expression::Clear(path) => self.aug.clear(path).map_err(|e| e.into()),
+            Expression::Clear(path) => InterpreterOut::from_aug_res(self.aug.clear(path)),
             Expression::ClearMultiple(path, sub) => {
                 let n = self.aug.clearm(path, sub)?;
                 rudder_debug!("clearm: cleared {n} nodes");
-                Ok(())
+                InterpreterOut::ok()
+            }
+            Expression::Touch(path) => InterpreterOut::from_aug_res(self.aug.touch(path)),
+            Expression::Insert(label, position, path) => {
+                InterpreterOut::from_aug_res(self.aug.insert(path, label, *position))
             }
-            Expression::Touch(path) => self.aug.touch(path).map_err(|e| e.into()),
-            Expression::Insert(label, position, path) => self
-                .aug
-                .insert(path, label, *position)
-                .map_err(|e| e.into()),
-            Expression::Move(path, other) => self.aug.mv(path, other).map_err(|e| e.into()),
-            Expression::Copy(path, other) => self.aug.cp(path, other).map_err(|e| e.into()),
+            Expression::Move(path, other) => InterpreterOut::from_aug_res(self.aug.mv(path, other)),
+            Expression::Copy(path, other) => InterpreterOut::from_aug_res(self.aug.cp(path, other)),
             Expression::Rename(path, label) => {
                 let n = self.aug.rename(path, label)?;
                 rudder_debug!("rename: renamed {n} nodes");
-                Ok(())
+                InterpreterOut::ok()
+            }
+            Expression::DefineVar(name, path) => {
+                InterpreterOut::from_aug_res(self.aug.defvar(name, path))
             }
-            Expression::DefineVar(name, path) => self.aug.defvar(name, path).map_err(|e| e.into()),
             Expression::DefineNode(name, path, value) => {
                 let created = self.aug.defnode(name, path, value)?;
                 if created {
@@ -188,50 +241,44 @@ impl<'a> Interpreter<'a> {
                 } else {
                     rudder_debug!("defnode: no nodes were created");
                 }
-                Ok(())
+                InterpreterOut::ok()
             }
             Expression::MatchInclude(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if !matches.iter().any(|v| v == value) {
                     todo!()
                 }
-                Ok(())
+                todo!()
             }
             Expression::MatchNotInclude(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if !matches.iter().any(|v| v == value) {
                     todo!()
                 }
-                Ok(())
+                todo!()
             }
             Expression::MatchEqual(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if matches == *value {
                     todo!()
                 }
-                Ok(())
+                todo!()
             }
             Expression::MatchNotEqual(path, value) => {
                 let matches = self.aug.matches(path)?;
                 if matches != *value {
                     todo!()
                 }
-                Ok(())
+                todo!()
             }
-            Expression::GenericAugeasRead(cmd) => {
-                let (num, out) = self.aug.srun(cmd)?;
-                let summary = match num {
-                    raugeas::CommandsNumber::Success(n) => format!("{n} success"),
-                    // FIXME: should be an error, no sense in this context.
-                    raugeas::CommandsNumber::Quit => "has quit".to_string(),
-                };
-                rudder_debug!("{}, output: {}", summary, out);
-                Ok(())
+            Expression::GenericAugeas(cmd) => {
+                let (_num, out) = self.aug.srun(cmd)?;
+                InterpreterOut::from_out(out)
             }
-            Expression::Save => self.aug.save().map_err(|e| e.into()),
-            Expression::Quit => return Ok(InterpreterOut::new(InterpreterOutcome::Ok, true)),
+            Expression::Save => InterpreterOut::from_aug_res(self.aug.save()),
+            Expression::Quit => InterpreterOut::ok_quit(),
             _ => todo!(),
-        })
+        }
     }
 }
 
@@ -263,7 +310,7 @@ impl<'a> Script<'a> {
 #[derive(Debug, PartialEq)]
 pub enum Expression<'a> {
     /// A generic augeas command, not parsed.
-    GenericAugeasRead(&'a str),
+    GenericAugeas(&'a str),
     /// Sets the value VALUE at location PATH
     Set(AugPath<'a>, Value<'a>),
     /// Sets multiple nodes (matching SUB relative to PATH) to VALUE
@@ -343,8 +390,9 @@ enum ExprType {
 impl Expression<'_> {
     fn expr_type(&self) -> ExprType {
         match self {
-            // FIXME: ensure we cover all changes!
-            Expression::GenericAugeasRead(..) => ExprType::Read,
+            // We only guarantee that the generic augeas command does not modify the system.
+            // There are both read and write commands there.
+            Expression::GenericAugeas(..) => ExprType::Write,
             Expression::DefineVar(..)
             | Expression::DefineNode(..)
             | Expression::Set(..)

From 7eea4c2c59511a2d7dedbf0422742281ad01a7e7 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Tue, 24 Dec 2024 17:01:52 +0100
Subject: [PATCH 25/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! Fixes #26089: Implement augeas module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    | 36 ++++++++++++++++---
 .../module-types/augeas/src/dsl/script.rs     | 11 +++---
 policies/module-types/augeas/src/main.rs      | 17 +--------
 3 files changed, 37 insertions(+), 27 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index 65002419bd..efa6484500 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -1,7 +1,9 @@
 // SPDX-License-Identifier: GPL-3.0-or-later
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
-use crate::dsl::script::{CheckMode, Interpreter, InterpreterPerms};
+use crate::dsl::script::{
+    CheckMode, Interpreter, InterpreterOut, InterpreterOutcome, InterpreterPerms,
+};
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use anyhow::bail;
 use raugeas::{Flags, SaveMode};
@@ -155,7 +157,10 @@ impl Augeas {
         let mut interpreter = Interpreter::new(aug);
 
         // FIXME: handle check only and check script_if
-        let do_script = if p.if_script.trim().is_empty() {
+
+        let no_if_script = p.if_script.trim().is_empty();
+
+        let do_script = if no_if_script {
             // No condition, always run the script.
             true
         } else {
@@ -164,14 +169,32 @@ impl Augeas {
                 CheckMode::FailEarly,
                 &p.if_script,
             ) {
-                Ok(_) => true,
+                Ok(InterpreterOut {
+                    outcome,
+                    output,
+                    quit,
+                }) => {
+                    if quit {
+                        bail!("if_script quit unexpectedly: {}", output);
+                    }
+                    match outcome {
+                        InterpreterOutcome::Ok => true,
+                        // Some checks failed, do not run the script.
+                        InterpreterOutcome::CheckErrors(errors) => {
+                            for e in errors {
+                                rudder_error!("if_script check error: {:?}", e);
+                            }
+                            false
+                        }
+                    }
+                }
                 Err(e) => {
-                    // FIXME: make a difference between audit errors and other errors!
                     rudder_error!("Error in if_script: {}", e);
                     false
                 }
             }
         };
+
         if do_script {
             rudder_debug!("Running script: {:?}", p.script);
             interpreter.run(
@@ -179,6 +202,11 @@ impl Augeas {
                 CheckMode::StackErrors,
                 &p.script,
             )?;
+            // TODO check:
+            // - if running twice changes the result (or triggers checks)
+            // - is if_script now returns false
+            //
+            // This allows detecting non-idempotent configurations and avoid writing them.
         }
 
         // Avoid writing if we are in audit mode.
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index 9d27b7119b..cb6d67246e 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -86,15 +86,14 @@ impl InterpreterOut {
     }
 
     // FIXME: check res structured type
-    pub fn from_check_res(res: Result<Result<String>>) -> Result<Self> {
+    pub fn from_check_res(res: Result<String>) -> Result<Self> {
         match res {
-            Ok(Ok(o)) => Ok(Self::new(InterpreterOutcome::Ok, o, false)),
-            Ok(Err(e)) => Ok(Self::new(
+            Ok(o) => Ok(Self::new(InterpreterOutcome::Ok, o, false)),
+            Err(e) => Ok(Self::new(
                 InterpreterOutcome::CheckErrors(vec![e]),
                 String::new(),
                 false,
             )),
-            Err(e) => Err(e),
         }
     }
 }
@@ -190,8 +189,6 @@ impl<'a> Interpreter<'a> {
                 ));
             }
         }
-        // FIXME handle write/save??
-        // Handle convergence/idempotency test
         Ok(InterpreterOut::new(
             InterpreterOutcome::from_errors(check_errors),
             output,
@@ -201,7 +198,6 @@ impl<'a> Interpreter<'a> {
 
     fn eval(&mut self, expr: &Expression) -> Result<InterpreterOut> {
         rudder_trace!("Running expression: {:?}", expr);
-        // FIXME : errors are not handled correctly (check vs no check)
         match expr {
             Expression::Set(path, value) => InterpreterOut::from_aug_res(self.aug.set(path, value)),
             Expression::SetMultiple(path, sub, value) => {
@@ -276,6 +272,7 @@ impl<'a> Interpreter<'a> {
                 InterpreterOut::from_out(out)
             }
             Expression::Save => InterpreterOut::from_aug_res(self.aug.save()),
+            Expression::Load => InterpreterOut::from_aug_res(self.aug.load()),
             Expression::Quit => InterpreterOut::ok_quit(),
             _ => todo!(),
         }
diff --git a/policies/module-types/augeas/src/main.rs b/policies/module-types/augeas/src/main.rs
index 30122e510e..64e2fe5ead 100644
--- a/policies/module-types/augeas/src/main.rs
+++ b/policies/module-types/augeas/src/main.rs
@@ -3,14 +3,7 @@
 
 use anyhow::Result;
 
-// raugeas = augeas + audit
-
 // transofrmer un diff en conf augeas??
-
-// vraie attention sur les perfs
-
-// Pas de modif des lens au runtime, il faut les placer dan sle rpeo magisue de l'agent.
-
 // https://github.com/georgehansper/augprint.py
 // outil pour savoir comment écrire le set ??
 // ou pour prendre l'état d'un fichier ?
@@ -18,19 +11,11 @@ use anyhow::Result;
 // voir si les span peuvent ider à faire du debug/reporting
 
 // diff de valeur pour les audits TODO
-// rendre augeas bavard !
 
-// binaire raugtool ("rudder agent augeas" séparé ??
-// mode hybride augtool / rudder)
 // implémenter une commande pour le diff!
 // intercepter le help et le modifier!
 
-// change language?? is it really useful?
-// => oui, pur la gestion d'erreur plus fine et pouvoir dire
-// où ça a cassé, et autant que possible pourquoi.
-
-// faire juste un reload du tree devrait virer les trucs en cours
-// on devrit pas avoir de pb avec les lens.
+// Pourquoi pas du srun : pour pouvoir interrompre au premier problème
 
 // très important!
 // https://github.com/hercules-team/augeas/issues/68

From b8d6aaf4f595455804119d09b7e1a706c2e8ce9d Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Wed, 25 Dec 2024 15:37:38 +0100
Subject: [PATCH 26/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089: Implement augeas
 module

Fixes #26089: Implement augeas module
---
 policies/module-types/augeas/src/augeas.rs    | 41 +++++++++++++++++++
 .../module-types/augeas/src/dsl/script.rs     | 19 +++++++--
 2 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/policies/module-types/augeas/src/augeas.rs b/policies/module-types/augeas/src/augeas.rs
index efa6484500..8e9bab202a 100644
--- a/policies/module-types/augeas/src/augeas.rs
+++ b/policies/module-types/augeas/src/augeas.rs
@@ -4,12 +4,14 @@
 use crate::dsl::script::{
     CheckMode, Interpreter, InterpreterOut, InterpreterOutcome, InterpreterPerms,
 };
+use crate::report::diff;
 use crate::{AugeasParameters, RUDDER_LENS_LIB};
 use anyhow::bail;
 use raugeas::{Flags, SaveMode};
 use rudder_module_type::{rudder_debug, rudder_error, CheckApplyResult, Outcome, PolicyMode};
 use std::borrow::Cow;
 use std::env;
+use std::os::unix::fs::MetadataExt;
 use std::path::{Path, PathBuf};
 
 /// Augeas module implementation.
@@ -123,6 +125,17 @@ impl Augeas {
         let already_exists = p.path.exists();
 
         if already_exists {
+            // Avoid memory exhaustion by not loading the file if it is too big.
+            // NOTE: this is not a security feature, as we don't defend against TOCTOU attacks.
+            let size = p.path.metadata()?.size();
+            // 10MB is a reasonable limit for config file.
+            if size > 10_000_000 {
+                bail!(
+                    "File too big to load: {} ({}B > 10MB)",
+                    p.path.display(),
+                    size
+                );
+            }
             rudder_debug!("Target {} already exists", p.path.display());
         } else if policy_mode == PolicyMode::Audit {
             rudder_error!("Target {} does not exist", p.path.display());
@@ -202,6 +215,34 @@ impl Augeas {
                 CheckMode::StackErrors,
                 &p.script,
             )?;
+
+            if already_exists {
+                // FIXME : bug in preview??
+                dbg!("ONE");
+
+                let content_after1 = interpreter.preview(&p.path)?.unwrap();
+
+                dbg!("ONE");
+
+                interpreter.run(
+                    InterpreterPerms::ReadWriteTree,
+                    CheckMode::StackErrors,
+                    &p.script,
+                )?;
+                dbg!("ONE");
+
+                let content_after2 = interpreter.preview(&p.path)?.unwrap();
+                dbg!("ONE");
+
+                if content_after1 != content_after2 {
+                    let diff = diff(&content_after1, &content_after2);
+                    bail!("Non-idempotent script: {}, stopping:\n{}", p.script, diff);
+                }
+            }
+
+            // FIXME: comment détecter les non-convergences sur les nouveaux fichiers ??
+            // peut-être pas possible
+
             // TODO check:
             // - if running twice changes the result (or triggers checks)
             // - is if_script now returns false
diff --git a/policies/module-types/augeas/src/dsl/script.rs b/policies/module-types/augeas/src/dsl/script.rs
index cb6d67246e..5b30d7b548 100644
--- a/policies/module-types/augeas/src/dsl/script.rs
+++ b/policies/module-types/augeas/src/dsl/script.rs
@@ -2,6 +2,7 @@
 // SPDX-FileCopyrightText: 2024 Normation SAS
 
 use nom::Finish;
+use std::path::Path;
 
 use crate::dsl::comparator::{Comparison, NumComparator};
 use crate::dsl::{parser, AugPath, Sub, Value};
@@ -140,6 +141,18 @@ impl<'a> Interpreter<'a> {
         Self { aug }
     }
 
+    pub fn preview(&mut self, file: &Path) -> Result<Option<String>> {
+        println!("{}", self.aug.print("").unwrap());
+
+        let path = format!("{}", file.display());
+
+        let path = path.strip_prefix("/").unwrap();
+        dbg!(path);
+
+        self.aug.set("/augeas/context", "")?;
+        self.aug.preview(path).map_err(Into::into)
+    }
+
     pub fn run(
         &mut self,
         mode: InterpreterPerms,
@@ -376,11 +389,9 @@ where:
 enum ExprType {
     /// Only reads the tree and return data.
     Read,
-    /// Only reads the tree, but can fail.
-    Assert,
     /// Changes the tree.
     Write,
-    /// Changes the system from the tree (a.k.a. save)
+    /// Changes the system (from the tree, a.k.a. save)
     Effect,
 }
 
@@ -412,7 +423,7 @@ impl Expression<'_> {
             | Expression::ValuesNotEqual(..)
             | Expression::ValuesInclude(..)
             | Expression::Compare(..)
-            | Expression::ValuesNotInclude(..) => ExprType::Assert,
+            | Expression::ValuesNotInclude(..) => ExprType::Read,
             Expression::Save | Expression::Quit => ExprType::Effect,
         }
     }

From 092210e7d7bd1ed4b9c51298e82115d7945b222b Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Wed, 25 Dec 2024 17:13:10 +0100
Subject: [PATCH 27/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089: Implement
 augeas module

Fixes #26089: Implement augeas module
---
 policies/arch-doc/Makefile                    |  11 +
 policies/arch-doc/README.md                   |  53 +++
 policies/arch-doc/agent-schedulers/Makefile   |   4 +
 .../agent-schedulers/src/images/campaign.png  | Bin 0 -> 25043 bytes
 .../agent-schedulers/src/images/histogram.png | Bin 0 -> 9604 bytes
 .../agent-schedulers/src/images/schedule.png  | Bin 0 -> 26448 bytes
 .../arch-doc/agent-schedulers/src/main.md     | 428 ++++++++++++++++++
 policies/arch-doc/arch-doc.bib                |  23 +
 policies/arch-doc/method-logger-v4.1/Makefile |   4 +
 .../arch-doc/method-logger-v4.1/src/main.md   | 228 ++++++++++
 policies/arch-doc/module-augeas/Makefile      |   4 +
 .../arch-doc/module-augeas/src/arch-doc.bib   |   1 +
 policies/arch-doc/module-augeas/src/main.md   | 252 +++++++++++
 policies/arch-doc/pandoc.mk                   |  78 ++++
 14 files changed, 1086 insertions(+)
 create mode 100644 policies/arch-doc/Makefile
 create mode 100644 policies/arch-doc/README.md
 create mode 100644 policies/arch-doc/agent-schedulers/Makefile
 create mode 100644 policies/arch-doc/agent-schedulers/src/images/campaign.png
 create mode 100644 policies/arch-doc/agent-schedulers/src/images/histogram.png
 create mode 100644 policies/arch-doc/agent-schedulers/src/images/schedule.png
 create mode 100644 policies/arch-doc/agent-schedulers/src/main.md
 create mode 100644 policies/arch-doc/arch-doc.bib
 create mode 100644 policies/arch-doc/method-logger-v4.1/Makefile
 create mode 100644 policies/arch-doc/method-logger-v4.1/src/main.md
 create mode 100644 policies/arch-doc/module-augeas/Makefile
 create mode 120000 policies/arch-doc/module-augeas/src/arch-doc.bib
 create mode 100644 policies/arch-doc/module-augeas/src/main.md
 create mode 100644 policies/arch-doc/pandoc.mk

diff --git a/policies/arch-doc/Makefile b/policies/arch-doc/Makefile
new file mode 100644
index 0000000000..e9d9cd77a9
--- /dev/null
+++ b/policies/arch-doc/Makefile
@@ -0,0 +1,11 @@
+# Run commands on all documents.
+
+TOP_TARGETS := all release clean
+
+SUB_DIRS := $(wildcard */.)
+
+$(TOP_TARGETS): $(SUB_DIRS)
+$(SUB_DIRS):
+	$(MAKE) -C $@ $(MAKECMDGOALS)
+
+.PHONY: $(TOP_TARGETS) $(SUB_DIRS)
diff --git a/policies/arch-doc/README.md b/policies/arch-doc/README.md
new file mode 100644
index 0000000000..03492891dd
--- /dev/null
+++ b/policies/arch-doc/README.md
@@ -0,0 +1,53 @@
+# Rudder agent & policies architecture documents
+
+This folder contains the documentation for Rudder
+agent and policies related components.
+
+## Tooling
+
+The sources are in Markdown, with [small extensions available in *pandoc*](https://pandoc.org/MANUAL.html#pandocs-markdown).
+The provided `Makefile` allows compiling to HTML and PDF (with *typst*). See the included comments for
+usage. There are targets to optimize images, check for typos, etc.
+
+### Rationale
+
+The user documentation is written in *AsciiDoc*, which is fine but not currently parseable by pandoc.
+Using a format readable by pandoc gives more options
+and flexibility.
+In particular, *Asciidoctor*'s PDF output is not the best, and using *pandoc*
+gives access to *LaTeX* or *Typst*, which are way better.
+
+On the opposite, *pandoc* can easily translate Markdown into AsciiDoc
+for inclusion in the user documentation if needed.
+
+For the choice of Mermaid, is is based both on the
+fact it is rendered by GitHub, allowing to consult the sources
+directly in place, and the general quality of output,
+which seems to make it the best currently available option.
+
+The bibliography is stored as a *BibLaTeX* file
+making it convenient to use with tools like Zotero,
+or write manually.
+
+### Dependencies
+
+Except for C4 diagrams, everything is rendered automatically by GitHub,
+so it is possible to work without any specific dependency.
+
+* `pandoc` ([install docs](https://pandoc.org/)): optional, for HTML and PDF output
+  * Should be in your distribution's repos, if not follow the docs.
+* `typst` ([install docs](https://github.com/typst/typst?tab=readme-ov-file#installation)): optional, for PDF output
+  * May be in your distribution's repos, if not follow the docs.
+* `typos` cli ([install docs](https://github.com/crate-ci/typos?tab=readme-ov-file#install): optional, for typo check
+  * Additionally, it is strongly advised to use an editor supporting grammatical spell check.
+* `structurizr` ([install docs](https://github.com/structurizr/cli))): optional, for C4 diagrams
+  * Translates the C4 DSL into Mermaid.
+  * A standalone `.jar` file in GitHub releases.
+* Mermaid's `mmdc` ([install docs](https://github.com/mermaid-js/mermaid-cli?tab=readme-ov-file#installation)): optional, for Mermaid-based diagrams
+  * Installed with `npm`.
+* `svgo` ([install docs](https://svgo.dev/docs/introduction/)): optional, for SVG optimization
+  * Installed with `npm`.
+* `zopflipng`: optional, for image optimization
+  * Should be in your distribution's repos.
+* `qpdf`: optional, for PDF compression
+  * Should be in your distribution's repos.
\ No newline at end of file
diff --git a/policies/arch-doc/agent-schedulers/Makefile b/policies/arch-doc/agent-schedulers/Makefile
new file mode 100644
index 0000000000..4b201143f1
--- /dev/null
+++ b/policies/arch-doc/agent-schedulers/Makefile
@@ -0,0 +1,4 @@
+name := rudder-agent-schedulers
+version := 1.0
+
+include ../pandoc.mk
diff --git a/policies/arch-doc/agent-schedulers/src/images/campaign.png b/policies/arch-doc/agent-schedulers/src/images/campaign.png
new file mode 100644
index 0000000000000000000000000000000000000000..2e5ad1406d159d8a2f44b843d4edb15b131a466a
GIT binary patch
literal 25043
zcmZU51z1#F*ES$1gY?jy1A=sSNQew2DLo+F-JnPa3aHf3(p}QsBGTP0-O~M^(dT`?
z=l?!0Je=9R*Is+Ad)<2vVXDgVSQum&NJvOn3eRO;A|au40{=14QGk@f@c~>UBv_(?
zjFg5a^6osEtH$Kr*^zch!=m2#OAil^T*Ga)E-NPvhS~<y_mB69P(VbqwOwMg`@(qp
zUTNdUXEzqXpK#F=FfaWl9Lmpjg@jz_`u)G1i;v#NCL|=Jr5Wk#>l+#xYHDh#tE=nj
z`D~Bn-`{mw5&)gUfDzzA{`DdmjSdDr27!=}B;o&lp@AYHy>TakV1$RW6c&8cI<oDK
z@^|W~a&vQ&J9Z-%gi@0yeVWSH@bE`MYVUNz5lufDY!>#vOc~Y<fAQkZb+5Qa;t~bu
zZ>bX<+|uyvo!pB;BF{@wV(727j)2;$by`zM0h=a&(wEK#BR5*0w`3C73N__Ew{Gvk
zgHYZ%Y)4Xyv1jmFU{vT}t|L%D<9Zx6jzsZ1<~Sc;qUgnJga-p8cRN4ZMquuEw=kf2
zzxt7(Fa2wkTJNl^%A)h3&yx}tza$*$uh(!S2KzZKwy*Cdh8nn-b@s|fEz;hHsdp5l
z!0^1aA|4ret7C;JLcMn?9Pa&k#k3br4{Q7$t`QUEkBZ7|++Q@LdT)OZP1CLLDul_;
z-NtXzx%JmSjJPtlkaqqlV&vNVtNOa6?p!UUpKO=Vtfc9nym#Nz_+;!=$QEXr_DoM-
zjl@AwX;f<c_I_yb;B%wO-UDA%tl{Y~YO=aTaVW3vfIA9OYbq$>c0280tMF`T7#tFn
zmht_!8~J!0JLmJgZleH?zRGE`sC(~@y;nkY+X2f>%G;B*g|tRik{n~ka8<#JEJcp0
z0GBQ-9%Ap;ugzvd!x{tI@8`Tr2c}IA-)}73>fByUVt@<c#V?>7=~1`6r!`g;!B<M5
zktstJ=VJFWzl7{{B@;H5P4{;+KB_jVe%ze%D7z|dyPN1vI~c2~S@}$8Np{m11KRh!
z$~H3ePQkuwl&7W~D&ibIoWwwSb5>@tqNDNgYVB0nD1kmt&ZDB6Vl~rbmGE&+zfsoN
zw<_{VENLvI=OpfAm|!e+7af?%O<$cg>udOJjp$jj+e1FyHRH2@Lpu+#xeAZ8nVkMv
zkGzd4m1Yg@AqZxL%SbZX_Lz{0QAl21k%k^eRyDTB=tg!ODqqnpMdB|@Ww_-<@<Sw~
zJ?lZ4moE}YA>oQIu#T6msVARZ|JMIDXVZh>q9H!Wd8B#ZZ@q(5VFZ%HsX4%|l8}>w
z!ZSkO(u$1pk55ck$;lLgwkL&qYe`*-DxPd6TdBMo_*&iji`3$(Q4}REpUdgY*Je=0
zrCp|DgBJ<OQX96ibMOeBX?(9{y7y@HBI|Y4juNKt%$`q&@+9)J@%-GeGrhX+7~pl@
zkneY+9i3%P(R+^$LXEuia7KA55;4ILy94wEO7}?~j-6L~aU{Ql4I^Zmk(ENi9!hZR
zASrp~vCWjjf<gU>mQ~r6Mf!Hd>0^(<7y_q*Af#5=mcC(|AI}T>kf#F1bt8ho=KZ54
zp=Vf@1B)|{zTzZsPufk;4W>Tx9}}vw{z`RfBN0^1>pxskYG_}+h<|F?k|p%aI2g3o
zKgL<qAEmy*Hr8rOO;CCL(j#Kqj)|A)XkpS|{QlKBHKr8{RHnPjMkLr>cC(;T>1A3Z
zKa?UOeB$wzt)E=2^=zp0GkRD?+n^#VWPLZ#q|@UzWa=PcC^*4~<D{nm7=LkCo|yAU
zW&6s?!$GS`!00Sgz7Vjt?D)DbHB_6F==74D%I#TD-G<X%+*f%+KlwpxaL4tctGb|S
z?%mzQ#B-PHtcSL4+odkIJ$L8W9@~(|d&)zkeVnwq;<Z<)@~&C#FD4#iG|<yknW{Zn
zJRFL~c$8=>n8b-!e!ryd;P({`+pebZyl!&BVcz`AVZK~3zMx{Oy%MY9GpAF|prQzs
ztGV5{?|Mp9OnDJ!dU57p%X!#9QQ^2oI3c7`E|YZ<8kO^Uz*QLu$y3DcA8Uy)l1S~S
zNJxKQWTI`yt6tRwqsf|WI0Kee5-ylvuvEeFdVKwGE)YM{2{5Ug=^d`F2J=q}M|h6s
zZ>m2g5|uft>qx2P52GV0Fte445=A>NSq5reM|PHiK9cbFcytonyGi*d_Of98X)`*n
zwo+=f=_<mVT6AHyKx%btb-3H?=oea{DLywQqKM_ENFlP6k;!qtn`FXXfsn*1*V}zB
z@g%}0A<#pRP6KP{Q3|jEZ#cP(i*lvkjpttrR$e=I5=f-Q($0Le;(d&mQC4bS(oR#4
z-&XZ%c|Kt*f95NM-;hS8qh;J#D(`Gf3B{&T;Y~zCcoZ3d_bgD%l+6ln#oA#(#1KdX
zC)AVJu|%q>+&+h{0^J%mF}5QdOqg6J#2o6Rmr01#lqREOXK?&ifCNPGdtwCS)e^#v
z8*O7B=hlP&_@pw;Ns12&DQk7Gl^f0LsP6*we`Fqn9Tl#Uv{&V{Bv=}J_m;_I^vkHT
zMtzd0`r#eqZ-c*n5&9IPPt2O*Q0(xTPjD+K-`pqGytvQgnC~x#lzrwzMtGLXF7G5o
zCB@Bs)!?w{RPw!EKdVnfB7dYP2&RN5$2GM&^hT-Q#IjV@e>T#w)>N<x=2sy(L&$=z
zr7sSy?#^3$A?e(9mlgOUs8I>e2~1q#l2B!0c8GT>Sj`-s!5lt9Qv6wWwMuTUnh@eD
zRsU_YRL9H2MJBmBaj4Y~<a>`ORG<|5-Ja*Apg1&ZJ^uLiD<X}FEn*cL8_WPgG(xA6
z>;oT~d)`zCiW=0T`n*n*TxRSeDyv2yt7ccsD`%56;c4K2Itky0bHZ9wRvdLdv)f-E
z6&0<ph|NC)<{B|fmd|HsGd3}0*Amc<49i%k3@X`rZk-O~CBK!ki<m!UV$v0YZkFI*
zk7JopJU~Jc#EF<c+o2?z))RqFl{zucSPlR{25I1#Y0d4gAi1*%Z1B2>dP4R*#Wo7k
z21;3gG=1&u^{Xm(c$tye@V+Xd3G#>~_XooN13cP+?*73c6c$@ESW(Rr<y*k6N~VOZ
z6c4uC7I;W>3~+EX?MJgWVTuekT^~uOA+^f@P0>JWy{?Vi&O0VLo^>nVtbDP#_no%`
zAjGt~+N;a!Li-mY2?}t_KT3Ae_cS|nDoCcP%k5`hTPBnKeJhx}+Frn?8ug&@cq?9K
zT@cs+BRtB@R}(%BXF;U7YPqQ+$iy!2PYr2)W~rf3)BcCq0v+eny8_P84e@t<R8^1a
zA_ZmvB*M|SxCH=}`kjRMn*Av=ccS<h|69L%z~?W`TvH`+PZk^6=M@(EoENgEx!p@?
zTe_vb54%2H6Zi!n3O2w(Id~o_0Q1?%!mD$sS-=s$vuzSh58b{gxjq+OqQe0Lvm5a&
zl{0sb<bJD6Qhm^xU9(skA{<NZ9wM8kW~k<LDi&2V-Kcp<W4W>4q92eHseM12<}vX)
zq_|%A38T`ZqQ&}taVT?4<K?sfumR6foChmPub%3eRbSr;>P{LXAuUzf^3Q6gG_VTG
z?9N-9<pJG~sT1GNQ-ovRH*VRdSd=e*ak$3Rh#GM3GQbIz+aLVdbL$f-aw@!iVo-iH
z9Z6jX^Iqx_h%27|s)@gsmv<-RcuLJzef@P=%bsLYct5{JJg=xg*e}5paNGxe^W(Ng
z9`~#AnHhi$V~-P6lTgq<fk|6joU@(pOZaNIVA|B6CZvcxj3Qa$Rz_aAb*N7e%gh}Z
z*$>yF4p=A{PeQ4ZRx5S+0S_~`uf6<i;cEI`yr4}CoKMQcSCej+`Y4L3WiN~v*tp4Q
zavP-$Cjf}aPY>PO^n+C9!p44Wg%jxZa{2^%gwCJ*7&SWE-q~*%+db0#CjF|-msatG
zZhd>ugb3N3O@7`{w~hTY34yOS99K!#GHK)RNWHHW8L74FGgI@{jC!`*wfAVjoAI3(
zP-R`)_AvV+v&U}cug#Lgg1frn7caj;sCZMpYK!~c1Wn)nlsC%z=5jn1sR(6x!d5Ye
zl{kB`gH@AMNHSBA9}zd>oL>F(@b_pWhLU0@6C*hiQfq!kP+*|*vnG$6t6D{sVs#St
zjMWvRgOhQ_n)%!(;mQU+J8aB-QG3G1n|$Zu1r0(A7biAr53f0C>6w&9D`x!Dcl<6p
z2FJw{Qi}cO`_qZX7ajx3cIZB{vEC!FC~yD)EOt<s`DkaznQ=~*1qs3rIAPyt7yE6l
z)%-Pl0;PVx*8o5W;Hm$*I6;-aL4x3?8;R0AqU5jafELN{y4#@E$hk!97E?kZa|rb~
zT14sC3TuD<V<qGqZFnbtEX=^@xN`fvFApyo_qr>9K9)rPUGaCXtvBqtCyYKn80gXQ
zAz9U4E~CaDt23szC77(0W%Kg;aB^6xeG(Fqaaxd^b;KlD6`%X0-m0S{yeuubY(m7<
zX{JAYJ{>TI1hQ3C2#Y)8@79qR=Lm&=8oO~eczaCr$5fK_V>wB}X;f4ZB^5Gc+k@&B
zVEbu~ae#@<V18j*Q&qow!3mSanAgl;<yjm=nBI)MYAv!%zLz$Q)h0o!9e}_8zkw9s
zN)UovjzNfQY&>PghxzQe#y7y&4Islzl#FGl<GTumZinSufTZ@I>k&J1xGFuv&D53M
z=PLn5`i+?RBkL|k3;TJuyl(|FWseZfiS*Uw3;f*4GKJ;^*1%XcU+q1|l=89NvB38*
z9E97ow%LinPb{i1!VpSGnYUXiBd7BIeXc$43K$6Ak!)>y|F=&3h|y*=W~=}>{(jtS
zQsPXvd$9igaH!Y8&GTZbzFt`Dbi!isZh1S&?aeU7=SMg@nIRt&EGvN#;6nKA9$$7b
zPWmroMmZ&FOWaAT@CiV7#T=hg^R=2K4^tsry-ow;bJKfDl_t+$GBL1?cMc7Oi$xY9
z{#jH9W`$H<rztHSwa1G!bI1GI1|vKbV|6@Fr5|~+y*g_5NjZs0s%fFp&9(r{f}>Mt
zSoqJMKsYu^aqZxHk$=Rq5f>AeA7H9lHZA0SwHr&$U)XK-8<R2QF7tcy#a-@pz}CA#
z0IiLff5=_DJM^?Is@C6Jb||TZtxHFJEV2dkUVjcIed63ZX@`Jzl`hgkOA<8;NncWj
zFSxtyR2mN(SVb&tf=MBjF2^hS>xd=9^QZYPXfs{sRqC6C<W#)Qq>KXwVlKcmseZhe
z>_5*l($s%x9RgC)#)Tx~Bi3Blw8wTZ;_>YR`9Xbe?=SFXPXhoY3^S(`m(@;r=gDHp
zz6DjR=ikmS85J0)YGhSgc61t*w6O6y2fXs?0*t#uaG3Y7l!r@RE)cfL=>eMnX0j=h
z*0+n&p{#6pH1K}ayPHMezIBcKS?22K>5<Y*nOnn|fau*-LrVSGgq$LqAv0GeBV;R|
zI;4S_$Py=L@h6|R=P3Q)<}xCfj7-V;p3ok&kSWd7xEuK>XF!i6=@Z~6-&B)A<dhzB
z>IT}c0O8(Yf0Xz&VEoijJXc3c&#A?)T!ecj3%b)vnluNu>)nIo=I(wy7KW-57@h8W
z<Z#kbA@^2NAD0Tui4S&k1A0cR`IkdDRW_)daJh5`<j?ySfwP7T5xeHUw&c&t|Hni8
z*-&r(LNdf60Cmv8Y6`L}nb~WE)A%Eb8PRUe-IGS5b2FY*V-_#eG<4lx#TE}ZS|h>Q
zwftUi0am9dt8zxmV3O!X=IP?bu60FrFVD=!^*c_-;QCbl(`{dM3`N^|s*M3KfMONs
z8osux)xG7Eg3~|`mDEy)Zi1GxfQ_joz{`|=l=LSZ7gEar*v80Fd^;1jcmE_M6G*~`
zB76DqXwbnypmtPPyAW~^C?(=wH4ts$LJ-++{z*l=10+kk4C~(<U~+%z20CECP!LHM
zgmV@_Hu3(?bT=>zAcGfWE;zRWBjzn8fcwriGeZ;}LT&HdBvrhwf2ws#y~pJ~;e5_G
z`(?zLf*i8{d!bN;HnY#Y=SJ-8R=`JQYFn9b)|!$80{A<t8<8e+jx*;UrN*V%tS8$x
z{AjvjfUmf}x<;P$2-X$Lgs9xtDwc--d=VNHX8$0R?}D&*px;FU4&PW-KQQserh@Ul
zzPNaj=DG)H?^s}|p^ir54-bV>S_${<v!-T29wP6Un7FFDA1UxJ!d3%;?6;x56Stv&
zE?%%3DZvFf0Cir{8H`P8k1tu|={0>O5#M#IKYzaa!QB)7>1_l4?)3)cfNHL3hYVCY
zLk?y9BEf|Z9g9k=&6fn9Z2yx{8-N?!NLS7K)bx0tZl%A7w>aC}P<=P?BW#p{k7v2X
zy7-cDd(Pt%yKTD4n@iRB?I}(!w*_f~kXMQmMFM2plO2eSMMxOScDl{4SJm83?Ki2;
zWd?-C>84C)RKf+HOC<p+CwIPOa<a^<1>K5?M`CAq<Cx0tyK<VCUE4~tMC3#lE@a>_
z5ZH+KOnQ6L@%yz}MzyUrIUg%hQbE447I5g5b?-Lz&^H#G#dLH8tsNdQV?9^oLl-*H
zF7yAv%iud)SSm!bH{GD3oh^}bx?%376yY7&-C1C9nj;y?;etsnP-p1sXbXS-Lc!+t
zV6x4$JBcrfFfFENmCtVITl{i^NtJS;6@Q%2o5z8i>AKbaQCec{IGqJe_BOvRgjgR&
z96Kivm07!ZdYQSYDXhKWqN2~eN_w<G9B0MdVdLfaAr!<2x)rfi$(R<}aFqL8%wL!F
z69YW?6jRUlDNpfOPU>EMa1<H^=k@t(g3y$wss1!<Rh2BI-^^E<$0k5vkq){saHUJs
z<)gfr%-sH$dS6CI408G|zG+L`CNwa5TJ+vwqzd{p8?rv(>%URd1tS&m+iFF9XFGkW
z*C1tQ@MZ?!4!!eihGL;`J`RBv$rOCbcuv<{2Dik=bj1`9-k0vwyf+R0@3ifwY|m_l
z+v*>R6`JzWj$yz|x~`P2PH-rM_=n8q1SBw@vX*j|sxJ1&d7t`)Mr{V&%0((D4Cd9G
zr5A2<Sq81sR&JL0dE^O?s+eyZ7iO5O>bbi?UGQbQ7(;kZd5Yq-d`7E{*)pEgS?e;=
z^L*e$<_+P*bK=y3ne0t8SvOpwu^Zx7TDx=x)v=D(nRU~;v7am!xLeDm&ZJ+Pj)}X9
z)^&BrNJ8CTYlV%p656Lz&ULWbs6<3Th2pgBL&5@X2*^&%3<%>Jp7P5Zt=$wPk`sj{
z!KA5EHT3I5`E#@Cwe~zFsN9U<L*Whn_twcnB&EpX6zh72+J_UA4Shx@);1vD$cA`G
z`S|L73sg*ZX-LrS4%M4OFW+CuatB9U$-pwwASIlDtkpI6!);t-s<8T_N@w_x{*S(3
zs&MXg&uMFz$yHz%V4(ZL!#@ag1YK!jfTK6+^K-j8f{N?C0UW(v$UJUUp=hQVdsX!%
zBPji89v`t^%ZaV6w8<;4I(Ln{;`bF+de0x*&#Mxs>T+{DTO?Mp+`1ll4OiXr?mJk0
z4^jt#B~8)6pF>w-aZo&{z8&<jG4CC0i%;4_&j3NcTWj^a{Fu8@z1=1%b-zxfC;TvK
zz~5t@i%-8j+JgE8M`3=0y&9YlVyNq-qhbgBsjau>C8~~dz5BkVJ!qY6jH--BYOmZ!
zoq`zBNBiQofsY?vF#$}sa;bEw@dhQu<)?nl*vDvVOJmM%Q_U)VD8M??{!ETj)pJ3r
z$BcEy++6xH^3rA7<oFEt*cR|vlRsh7tA#UUPsa^w81u&4gZ$7!b}O6J)d}dK#5B<N
z{^UUi5_t+Vd&xsREqgqwi&7oRQ_T;yCq?^%_0~VJB-wRL?9H&HAKw#T=WH@%9dU9E
zj!riE_xo>IC`43~KmaOSNV_*Aj8Bg)h7emmJ1^zamtsatN}kt&HNs4TM#Tf)oM)Gu
z438THG&RQa79CEN-3;GzrdLCl#^S6VjhqZ&fW@l23tTjGzRVPqR?BQH|MJV%f)DwI
z%s7;a6;#KGQjkE_Q~6!{ozCs2joQfYc_GD*F-Lm(^&SB9<UIkN`{v@%kK1+3pqWz^
zCJrMWQftd0=iOA$@lO8oTzN0WwuI-&1sWDOZsp5J`RIm@z$!D^Hf-|l*?8v2i%uYe
zh^^Lg23m?A4<GY{m$9#QhpC^cwk)B8B|Ff;3RZO(7^~)`%%yqk?8Ov<-(3o36F(NA
zhymV$Hz3vvJ{fK-mfe~@kU5-B%npS|gPk*dYW?7wwflL(HQ7W3#fe^=1~?6<U4ooY
z%Ra3r0H|2o?AI^!1?`VFI?hh`#+8mJZi+uE)}LBjOTQL8*(hD7?MndJ^^FM@%QZEy
z6+J;7rf2{xEI*c|$zt-o(bAp=S8!OpdhSnFmZH!?e*59eN!tbQiwh9nNsl$#GaGh5
ze)AO8tYp=@Q4#y#2|Y_4oYQw#>hR|!=R8n2QsP^)NGVe>KJxU2XI0OnYn(BYHo@^R
z*}1OILix2>tSx)!jrZ7X%%#n~qXSH7MXY8OFtxm^y^jZ#TR~)Ju$3=f4XYTeu2YFY
zqUWXw-uEE8FGI!D*qGpiX(6&YzT3hs&s#r-Te<;`r(-j3_v?nrid!yuIXBsebkDR8
zk2ZChl3&;mO*F7skq6b$*`Mk7Kq^DoIbX-$kxe|U@rqySHt^n-1NOoYInE|hXeelJ
zoAdl7yaGb34j<ZAUSlYJVwv<_xg;%)!~1MpCDMz0fM)V&=Ru9zKF<#faH7S?(F@Nj
z^OU{;`}|(jtFfqVxK+hz_QZ$nwW}zy!nA}diH;!9*E-KpmZsUDZ|&c(($QqsCMrbQ
zqjtVW(5^NSKSJ$4n*x|(Hb+1>g;Bco_BB+7L!2-pEx79ZR+Wc=bn2PGx|W6w`MO;y
z-nOeT9G9)hhG7Ept^X^V?glr3P<I|^GM^D^zwXDOlv{vBVY_CX3dcTsS8}$k*HHl|
ziY~^MNW12+)Vt8rb9>;BX!~Y86nVyQqs2J_SnWGuj}&h8%%X?$RY^65P?)q0Mxy`F
z*a!Yr7P`$;vL>$>A=C2KUX^rp35IaI^_K1UPhzmEu#t0Zys~U|)BDe+(Hl>P9+LGN
zSVeU7&l=T4^WGp9A013wSs5=4qhk?&S2MbP-`{qM2$h``fSi)ic*}^)5iLak&+(GO
z0y&X^=zuaU-3nxvrHX)vmiz$zLje$IK!1t(eD{BFA5fJ|^)J3dQ~}BXl;q#)QgBCr
zFb3Y29RdDOIN?92G3yuzwg8y>;zc3oA84qEf)3tbF8vV~rz!Ujpw!0)DCN?gu-!n6
zKaBvb#kAw=>AEK@Hv-tT_$uai&^lA)!hZ%*oW|fPrdciA;RQfco2F-<>4aY~dH7mY
z+OLkkOnV}$mKaT=fE0-Xj{FmD{sX*c(Ef+g{vXtiVDJueH2(zHR+vgZnfp1aNgGq#
zli1cxk&x{4%{1-gl<VkZ-TI&0$r~ZKf&n#ur`X@9_m7<s?QJL@gLMxqIbhPG_-xJf
zQb43owvgTvc7_kB)XVCU_d^sSgUu?yho%Af;UK+%gs}Y)FG65I=fJaF4G}~j0*C*3
zBI0f!D<k7uPFXFmM2Kj&96&-tlV(R-u?gzDrbqS2nPLD=0|6xg45zbGEyr%qBF|^?
zEseYLi(5l~D4^{Ah3+2{>WXSBzx-`tE3w%!rClbwc;eL=v}hjRb!T-@C0WeKPS35X
zH-^+h?D%(DX~SNsh0#0-fo*b%CV7qM#YocqrsL#JN;AMjTAl7(^LcL<B~g2={}!R%
z6*kTraNw2I{{2C*MDzCQH~Gn1;IyW&xLExjIPV<G57-HKXR;dLHhr4@`5K6ZVJjwB
z;0iH;g51ivoNBUOfgtavv*NyA4yIo90-j}ehMW(!|1%xzccXpqw6us{g5e39N94wL
zT5uy@b~*jc1sVpJ3{LG=yy`dD;t!B`2{4oC87u%Q3E_d`qvIv~*XJbk{agU%YdD6j
zO$0dkY?}25-OlvJq;i_SjnYepP1W|Cw;Xx{fWX9gd$qLXS|Q%h0t{KWYjiO%Fz}L<
z9U7R|UOfH*AORo<FUzPFOHsewV}=5Q2M}uFL4{Ykk#T^wM-?GGKwXfWj>dgh8p;%w
zYhVrec<!Fk{MzM*)UmC6#!Ge?_!J&lIc&$BPyArG8xwqL`Muqv%R2LkO4Dguk!<RO
zM&~Jx=yH>5_6%dTSwPeBS*F^swW70iB82?Q%Msudjk4utz<aa8Hdfg(1SCtemg*N8
zsWT|o-L-fzqz;_uI*MR`0j`1u`Y{z?P_$ErI>6;y*78ir8nZy4S|xx+t?Dzm0Iq+;
zATFf0XSQ>$UuzaA*DezpnpRLVQvO3g@|lm5LjHKB!h6KwXJFv?aff64fZxOXbgy8W
z1E0RK%xrLWw0UqCaBeyGd$YnEKJ>H;Kw}R6XA!5ixg|~giq^}3ZqY!KU8<zv@a^jF
zyG9j^(l~_lV}M^!*E^E7vzyYGZRT|wzJf`290%Ap)l?QWE`)#gG4iNdy!v|jxR_gG
za!f~Tbe+Q+AU?(%&yB98Y$&lr9Q^L~fCI|`Zs?{66*%oH4>Yl&6$1=V;}9ln3ZWb-
zu|ksc_`9?}-Qz-v62j&`tDWWAt#PK`V$6gHb<g)&hMzrShH7YOz7o^@?YS4tG46PL
z7H|<;gC%m{KQ7y|^i;t3?(8SIgU?EE9o52Bjvfp+%~iHk4<<`<zxIC{pGMY?iP(xV
ztd5rOA3dz3!fh6Zf*kYq1$zms{2^QYEV?|<O~u;*;>DDHbA|l8qOn%$c=+p6OlQi)
z?0Z~3fNC0k8VHl0rZYaRhjau%I4hAW7S3k?|CKxh0i|@$ZM~8JbPEwWYa+0?cQ3~L
zN&0+Zd00X*5#)sMu6j^%FJI#Y=RoBCBwVz+-`jIzl!NV6g<-_p4az)@$zFWlK>ujR
zNnerqUP2x*q^Jjnkwi&1Z!Zh5FOqOaNnl+#qdUP4joMm<FkTrS7K#0lQUB1OqPeom
z1Iqm|^%=O3?+w9TJntf@v^N%M{u(}8aB|;(|LH1+tMjt~5vZlJv<T0M!z`d|2&;q$
zT-N>33Qx2&LQ;aok?W;0^Rha(%k7smED>B1^P|^mzjSYPivh}9ncBI(DQcS?$B#*m
z0jfiRFmr$t2?9tIgx>yr0%vQ8M8H)3-z<QP3kutOjmRW639=J_(a|;mS0NHPhXaw2
z05Tr1*>)T-x_>;1r4$m<>t8V&#IrMsa84$sZ;x33vx|cC=4OS(MK^;o7^HXlWDV4>
zlDy&l2#`<fcE~zI3`2p9a#blOtk{G3rDe@?4g5c(YCn5KdN|(1cF6ybqm|>F<>CU`
zW`e+|{>A(JU(yFbl>C?R`R~jBy^x~(5n-7BRhFO9mKQiP{nKLdKc|A?=JK$+<jP-N
zr1`^ZX5Xg)*#(8g6#UGkdv;INI9;$X++CoO!u^L5RS1hEtO*W*ldgQBe0zT(q;e7_
zWDn%D%S0=zObi*zh6aS#4wK361>7eYsm~uBik~uTGH7c3CCnjaZdK<&dz{fh0p=m&
zX|TeVxj%Ppfjk;$-wP$~XYW+Zy*-_l@4nDgw3Ow1-#r&kFh?}rx%G2r`{W>0{*0AN
zv_%41<Dg$puSyP~`|x2*LXiE%Z9zviqnsE*5T9SZa`LhK5i)1%;?OA)O1H}Lvvh$l
z>#X9sojbsAb*SQRF*Q|n)BR|YBmx0$TDgdTP+JfOOLAIjMm0;Xd4u!Dg#6k5gfcYq
z4^>O@`xyWGc5>fIK>@3~z2<e*J3LynOY;C**@W|+lg90kFM#sUK<92pD?2T^u?yH{
zAOGIRS@imvbrA|*-M&}(LF6JL+kueZN<oSg1{V0s3YN&II{tY6w)4t+V1dY_;GVy8
zYx*ZzylZy76;_tt&&yWv0gR?4;J)`ZBI2SB=6P6XCmPeAovL=0BwHsTD#^o#T+*mT
z@=lD6qW0$JUB3W51c6vpJX4`QRsk1mK7ncP=Q3}>7EN3D|19~xGyx$j*k~KjiJ*2+
z*lArIOUDsnhyZB#t8af`!T+j&03bjgh;8-XmwzcLkcQYujwb)B2#~IXxUKY0%m3{n
zqhx<<;aPdNsXBtm#zqI*pwM5{KGl+?isS+MaKVGj#oP0A1a*J2qh0QvaQHCR@`O|<
zcQ<mf`#Z$k_Al%IXCOX*Sby_V7q^<34#=f<DY{nmp+QxL+jsm5^~ZGIgJV*X&H)f{
z3*7ht^jlC7o(F)47bKz!*R8`rEP4^#K~xX-MJw5vo!jSP&D#(4n{QjoQLCPv%abeB
z?Z0IrK;JD~jbFqA>`U#Bj?O$QWa|&4kPPt1_(Y3!VYle+Zb#=q$?lNd5+~xy)<5Nf
z@H^H&Jy4&Y_(ceiecIM;&+2GbjBSmy&jAclNs!@}Xh99R8(uCstLg)m6xLp_^2OPW
z{ctv;`ffZTQ_ab0U44TTq7RUpz&YZE*TtV(TMb8%QO!HAUh3xf507=RMTwms=<RzQ
z-2$8RkHsV5oN!S;^q>F6<u_da#NMX*K<Jz6t^IwKh?}JCh=P)G(G-dIfDeTKAzBiw
z-S<Lvuz8)UqgzGoex!<gZ2$0Zv?(<52C%gHq6l?3gLX2!z7ZS`7zrG|7i$p%cW0Os
zaV}T*#?COAtc>{s*Q%@~ZqGuksUyO*L}-P&o*;PZpfEi3n={HVqq-+W_ar!C`UGXC
zOXV{2i!i%ZQM~vZ_lvji<5%lt=1;b_x5xZXsv@n8Tn;h=>d&+cQb!LG0R0pLhZBqv
zm89&|sbLjX+*?MKSHu@``5o1N83`xC0bgnF{dgBTuB@Qw@$(P<Y;QE{*d9wKeT7B~
zllRjKuDyK3zDPnwnO34K)N2-L_)Jc>>W9GB&zxL~quO?U8ZDnqfqQ3M8`yv?Ewji_
z*f`74j0gf5r0&EdXwTo4ed&w>=Wd5Yx`TmL|EuOf-ns1hg#vxR0g)sau{n_T_z;SX
zQ2YOGgnw<K|ET)^+DCY?8d==Bx`v<GXqy=RgcrA69mNsaihel+ve{<wn$z2uNXnED
z+woii`jKxxfe6QL+|4eXSNGm;poCwqUNp1cav$e`cHWMadg*{bc3Ef6j?=y<GA<;B
z0dPtbvE+Zr@<jrKHzGkw=7n0iJ#)b)Yx(~oB|)}fh?c-VygJI8=n&9ett}Wi@Sg|^
zNzmd?VDUFBL&R2p-+=5thyrldh@yX7Z6(T|Pk%zUKjeH4U`7y0Ms2`dC-*IZEVq&&
zv)><aM9zl-=<Uu}we<9~b+r&t8lWrp-2+0cn*(-Og4Or;GyEp=Is$jLvm43fcC*!p
zpPg}<I+X$C#GdOE3iljhgXx5#rWvdA*?m_r1DieZj5;)nr25X$zIl8xX&3OfZ6dAe
z*x<01T-Rgpgz~Axd+P@K`)4NccfYrv2c!dmX{Gzpee-<#N;IJtDwD;A(^*Eib<fH#
z@{?tQ4_9&SJuAD!C*Lg=Eh}|pjaMEkHas#cFHSMYHm2j|8n@&$(i0JNRPo`s7m#SF
z2=HWHoyNhAS{eD)T<+w%^PxdMd1<P1HF|XReC}AWw|RLuEn&9tc&*9jjNPg(m<5`b
z@slSE0~|-Ca7maloo$yMW@gTQWL^TYYl;r<KsA}>_L!#<sti$k1&1dlb%Tc*rRf}{
zC+rt8W~UbNf6#lrHu(bcd>HzH-9C&xVj1-K7&mwA7dTJjHC^Uc9sLXyXfcV7t#!^O
zw}u&vj)q(7V^Ex?##O5rJ-+(El&}@AZrwo1BzbLnX}}d99G@)y_0F<O_rxWwwz0j_
z)*i=!GuB!YI_nPkfv?%`eQgMp6zuKrQBI^ird%*cQ^O0Q25VmsP}+`EDb=lI)b(LJ
z*iB)^2J4Y^L}knd9i4}z)PG>@f=Pc#F9%V)<X3(^EYBH@8GpDSkkd|E<#x`^VwmGK
z&zqcPN}81T{iTjtv1ek(z~~@4WlV5baCYo$i_wEjQx$^lL<61I0qqZeW7D&he(JzC
zS0AM)$aAL8Xh&tst&Av=x47r^R#1x4_Dqen_@-!VE@ifnFyZJ~ROP7Ritz(i<bX06
zzwh~g-6u*24d`yBs{gU+#n4Rpoyn07Q(Gs8iO7n)fR^%!&UQS`-REhJT{|0j${l&B
zTh?BtdV{?>m4n}Vtuik1#Bnq0{6{F^`$Qxx{A?vf^%sv??juM`>ol?Ye~SnDwPy%U
zw*L<IjD{eos%nLywFEQf)?%h0e>E~R95KWE*eSy6Y~esn&n?7bv9tU^jX}nq6ml42
zq&pp8ZJuJJ^<<ZUGK;G$)(;(h9tHX<R_pNiI#iy`KvbgM!pl1ckN%haPq(v$bQref
z`mg57dh?iTV-2HMLb#zcTdIpQkxp)Y?^3e)xx`o<+&{uQmxs&CM18SctWU!0AAYg?
z#0rb8iclhiXsE5hGTLP(TX{Lv^hYD8q75n2H1$-c*C;<nl^0myn%c@?UHzV6_x4#N
zxLTUZ*ya2zR5f1Vg^6{;kaOz+N}2h<TAG?YJkNs+z7L=#t1Uv~5fK`l)n5~vzjRm;
zL4zJ1JeHrC+uAejK)ZU}MGx>Tq#mg)7a-q8$GloEQtCE7CAJl*C}j*$QQ8C={<xrz
z6i*oh4@XTN=KT6)%JjAW!;|#KCc7k37!)M*A5{k3AEU!U^+G@<w6x`6Uq2qk*E|GE
z4IhOi2xTbs^<ltUl^;NE=uFCfV1vEiwSAwLPev=qoRTdZg)v2=z*+-;>DL<BrlclG
zh>2uopip+^=h?)RyFMUz6W7UE%Yj<i>E|T~9U_UUjly0)W`T-AHPmE-!&2K`U3{(g
zI;?lHxbK|fqou1uX|i}vxw4}hIt>1{W80)2rUUdy8m-3>`!S=|l|2NjBsJCOj-}*T
zU|7I9PI<mB3@0Uyw_0j4%StN{v_iB=)bFxMHLv)yEyz)AO794Z&YChUm2s8c)59Un
z^h&<-X=!oh5=oFm4k<JI;s%@jMG)gq7&0d&8R3InUtecBY2w(^h!sofIj#mXcxy|>
z>eFGx0&52>NJ-81ck?Y}C&p|svrte_u9U?hk`xUKli)=+ByLV>_lxVvnJJU9i;ESu
zOzvd-_?S8yZONN=H4;3(mO1efVj$mDPCnEHWwZye6x@ikcd83`!7}m+9&3>#>PV;Q
z&Cmt6iSsW!A-T=K;7U#1Di({TS7+g^ciG(v?k90Tfee9^ztX?GWp!nQUljP0Wx8~u
z2=Bcs0M+|9_2NTu2PFfVJyBC)LIXMRj@Tv%Q$Nui(38Z!QDMn1Sz9u(k~A^j_mi<)
zaqv+|doTHwylQV=jE<C9kj=~n(s|mM!kV<+D$dF6p2<nu1FXBeYHcOSBaE!;x;i!@
zvV`~K!61d_wYdDNPkD|X<Aj2&NFv3NUA<cKIggChWC;l&L|X1hXoF>qJQ2&AGB#VO
z1i0#z)paVw@WTie+y=%CzB15Ks~~rsuL~z_Aozy^Sh%#K^8+J2$xa;3kQMENLRX2x
zl$W@W!)cw7;}1h&2IR7ktg1wTWx|&(j|I_oFlE=Jb=TU2u?+*lp1uEp8k}%pMUXj8
z^zu0p?e`Kvs4B0du~FxJruxWzlJUy#?QLl0=X$g?O^TMhZ|0V^6v5Pr?C+94pn{9m
zB_Cm}rSKPl*TG~j<HNkEAw&`DWx(C@yx*u9IYLFEU*5}=3CCc7;+&^0vj(2pehWjR
zB+w2d%M#`OpqKRnRmm8&D#3Pqo82B8VrkxA;h_2Pu|Z%MwM_K@h2>PSrM&>m_1%Gr
zDnr`{4jRnF)P{Ue=_3BM=)w8OJI{lqH*?4~?2dq&S|+*Z3~Y>AD(|sUmZ!I%^|K4(
zM*oZl+`=;tB&*;4PP7mb=KMi3(82eN?=f0_`BKM&-LJq*$7!vf$c+7J0YUQigQ9;t
zQH8X(C9oa%+5POp>vb&BZ+cO<BhFR+#W+w9eErOGuIRLwtu6%Fk6Uc+K}YRaa?EIg
zh!3a5$Bn;}&dTtw3@=q`#Sk*vyAHJ&naCO7BC?<I%<i<92w{v<;FJpN7+{LH|H*EZ
z?E|PsA|7<;E^f|%yGC(-E%Li0>3UjpJtq*Iqvv~wa^ay+O=vVK77FE=AA%z2Mxoq+
zvA60KE`aq$6DAQdus&rx|M-3hH6K^~k@gVs25r;9873y|W-}FS&5iU@7Vydr8zpzN
zp0ASaoy__Jz|c?XG&ho)!6-VoZ~6FqMPJA~&4?a-s|*2=(B7HIlg$dl)#i+FRZCze
zSW#EO^6HY$cEc&;p)VfxDo}BU-ghnd=?f5|8k4XkVndOKP+=gpT6Cc&8_6z$Cd_Y^
zhM5<A?%1Xbw?;phpmcVY6P0A6bA9$I^iHn!aOpg>$Br6(*xA`VxEPSOs$<_71osr+
zqJ<!F9i3=lg)%nZ`krKPaN#|Jz6VJ{eQ%F0O0ETgLbzZP6kPBT7;GZ_C+B_G$)D6W
zh#b09;OV&4*{LoCWCE>W(?BGluURvPJsBaLG7LaUC+hpK0pnNp(7$c9m!g`ie0>M*
zUx5CtF_0~x8<!M)dy2wUuD>U(5<?#Sr!u1FT#m5A>!)$Ex7o;Ccuvjq3|;E9Hyay9
z7nRM2*;k7FMRUpe&I)gUuo7q-c%UND0HB)-83`B*;(;Uyz-*A0CF0vUVuTMbw`)c8
zy_3(*Og20*k%;Y^r!@3NKM@q34t!_^>dI_m6Q?sZ2I@nRBpa=5W+>SY7$M(c)qYoy
zn*f(?MShPTH32h)eY#OMf+Dr5!yGxdKKFb8AwB1aCI+PRXAo}?(gDT*2$lvJ@svbN
z6B!|`ipzS5<S-BtE;wMeBiDhN%D>zLTk;!&6p8rkS;ZgB%0KxBxX$w5H8gK-Ztxv{
zkkaCtP+xp)cKWl)TXB#D_X|(+jVi534g7T=4SFEWbI5`xPxaXZw^P?1e<>M-^ypNu
z)jDBJ!Ip?P{sj9|cBTYGG4wBC9*d}E5wzg7Sibpeb2>U<^PY7B2`o|(zb<bdVvl_Y
zZ~4|n`sy8p*yU1PuhQi@F=70!h~ILQTC`lBF2mEz*7+<4b0M=WGT*P7BIiuG*#f+8
zORuo6H_z{CmtAz~OpP2pQAb-$t_^wd8avN2a}PoEe@EyY1AWhun4Vi(iO+>XsV;zK
z*Ptg_5G7mrpaY!J)Sec$Gw)fF0T6Y%hFui+X~}FkmhQI++%L%@snYkD5GQ*r*l9G7
z(im-3n$nU}x0dDIHxcFcY2~9QP_{A^>6hOk%U`K03)+m!S<1_4RTst&9?&zrU@hdi
zjXP7mkaTCa2X2)ymCjRfT4|X9-_?5E&cU3OlSB0TZKgjt7jhaVJ(v^I;l4G#2t9=X
zEJlqG>vM=>v_|<SwTk)^Nh&U0Y0br>g#bq4GyArwN8^N(X)F@BW0j7F76U{CsZ+|_
zP8&k^-*4ro*Y9|Uagv*YzE)SePn}$1mr%V=!saIZp<ujgk@zC9{$1`s7Y_E(T$P^8
zYr+Ko8{9|Asl`RvlLQIq7>_NY$hhs;T?k&A^fhJ|dQeLCeLJ2?m@X9f3_bA$RxyDl
z!IL?w>!gEe2=l`WDGI!#5FNE{?DD!MY7>i6&LZS6g&#6Sb}KW=+;3$9GjgzJc`M7l
zzlmt=<v{9rS3{wrX&~miE=|St#D1fnsS&<voD?kE^_(y(%Yp`UbVU8&(}J-;N`u?|
z;boyxJSfDfchZW4gopdB?axKi+^dHVd6MW%O&%#F&=(d+aZBN%4x4|1R_;z9bGLEW
z{Wu}l_09lANG2y41(JBbB|%GiUnh{oKBEA+icGWL+w9}NefO+olLvM2H5>hCFnLYk
zHW_AG`O>viCa1J~cb5xJr}z)lM&9%CjbE4KQC_uTf)n%I9PG3pE#!OSYcvM4c>C#j
z*92zvC$Vb7n*y+hIi@5Dty!4X+!OmkL69l8o2NM%pK1Ux{gu^)1kdsc<pMGqJRl;$
z1h(;mUybwaHxR1l;=R&6UU%tS&?93S3AbD99Kr>!YD#$(BfrC#*>~*<8vHU{-=!eH
zDfg5=)Qgia#^I4Xmq3h>t+3-$h&Xae5mZA%E2H26O3*QV6v`_Am7)h)3NwHy<-2=j
zw3LS<ELbK}nPGKLe)72W&pDNcyMGDG@10nol$Z_Dp&@*W<Q7lTKE3_u<LD0^hU}cC
zTU%`^QK|YsyLKwaF92u$?YA@P+}y+D)y?c3^o4<VzmN<hFdBs|jy8nk$*Y$0AN$}9
z1_F&ChJ*`Z#NGyd0nL4R>4LlZg;3|@t#yB1?FrE12M=mkI%HPn;mXt+Ir^thZ^T+3
z!2NGfIZHN(iJEV1ArsZlWy^YbU6uOEC1Wl>E9o|dYeN&~!Cu%(&!TfwTpAT1pOTGV
z5?_2xp#h@;%iV)|>k!!)Gj{MWlHf~R_bKhCh*nt|PP10q8RyN;3?&g0F#a-bZt0>~
zA$TegG^R@i*J~ORvTt+#1uDDa;pD|s$6=Yd>VqWTbkmyJChM!ldhI-+{!RVdr_vCD
z6qmdd@)i8ot^ul!q=U<4(Z5dpFzS2#3ml_>eFijhI@OprtXh<Hj#w{_My#=mDE-)3
z!r+R^hIi}lx}6k2zo^Qp0~<glT<&+@j6xz7%MQ@lWrjOHXz_isz!7zM2qTfZcd^ss
zvIf|JhTGk$V#~l8&%qu_HWU4XjSpOSH$MSh0{TA82<NXy0Sx$^GvHJJ@9@W^v>^Q5
z-_JK_ot?e*fSZw6?A`y-+1YRhh3Mgdkq*Ixid7|VZ8c2j;#khHHaa_1P>~*FUV7G3
zgu&6H!1Q5(@QWu%G^y;t7GZgvGIb-HCo+qU`;QJN0T(hE@pjmEQnLD`oeV3ay(u%A
zfTKa3qrR`NZ#U`uo5(odC#=bc7KE4kx3l}l=lyYaCMy9C|Ks|A27%!s{r&aFO`;;b
zfdf?jf4rlp_k!E6-ITj@&m9q<+{#p4LxuL9PQ|V3z3T4cfJaE3G8@|2FBy%PgR!C*
zYba}Z{iY|d8V0c<7<7S_E@B31u2tsXP1fBX*Jj&=Nx7_+bB>NDRP@W74vuz?URR?b
zy$_2j5FjHzubdWnOi~xihQ-lg>L33En9)D~k})5Kw0rUh03VYvkAGe(FvdO=G1%@?
z=1-VE&L^xZ+;g7Z-?}e#iA?c(z*Iyf&>ir*UFj;giG<fm>Hes&dQXB7kI?2e4Z`WF
z7nX=sbRsA7daT9w5`3?V@R5gB{it=A(s&!Cb00paXmGq>jJw{W67{k(o=PV!rPshQ
z&*9JyFPk>9^FF%|u!kro3w3)f8OdLdlh@qs?R=D1PE|HCU%6Rh9Z#w%9&Rl5_Sv2b
zPGp<$OQ=}VuETKK6=2|InQ@jfZCH4qLo1*E;#j+=+!obtQ8UXrrR8;xUZL4_s7k8t
zy=iKT@3`q^o`m_&Y`qfwmRH4ANfKrQw{{B|O(9WXD$g(8(-Qz2jYrCQb-P%;p38MG
zY<ZOb;vu!~*-A0YB{U&#GRGwx>rA-;4$As5ypUnzFe9PDb9A-Wuz2%{4Z=UMaB(qx
z95;XEn^vmR_JXe}!E&fXakHd}!>~!*W%*?ZcWeU=sZ|}bW+5!J`CVF*r`JX26Wi|J
zr~U<glWz}OECyTdhw%6hglt_yq_gqy!IZN^1^PA{ckkke86b=iiNYW5Y-+Y!L241c
z4+2<poZE{o9Tu8Q52gZX!8uuL=>350eV<V4cCa-(Iyqp_>~l0D#^FK%2aR<NGn=DG
zndtU07z!9Rc(JMvb1$y3olPf#u3X_^xr0Ve4V$R=4EBig`h!+c&DpgkhCP>t)XZ;s
zdY)|W)xYVdsQm^v+u?sz=3HDd)1z8@Qs2rJ*?$~USnqd$-1~kXHnFlM1KFSRc>{hK
z;c+0raFdydXLBQfpZ&ZSFA)zR*fw_t5q{KLQ9p&Dz3ai3c94?A`rCuW*CzJ43sj=c
zqBcjrpK_Mv9}^#U+{#9xq+H=>js(+GZ7+B%O)1<oN2T)bB#FwlyB}mzehQL!-RE_`
zOn<vN@O0Wk@x8Z**S_@0fx&Br-WLyV0;OL~Ra*o!{~iaaYg^3$w|B2~-^`v<p1AF|
zL-o{XLKBRIXUqI1C&aFVlxG$WpUD=En_;4{Ol0XbX=cl@C3<XieLM@j>54BobxH!w
zfKn%|=G6qayNtG0qXc0P%oLvCjlP)D#gEK>3%|$xh1{j9T(%+oui)j+NkuUXta!Lg
zhrcCfv)-R|?<Q*osiR#AUBVy4Ee{<<+nP-~I-m$E#um$<^#(KXELRA@^Ccb=m*{sf
z<qt<Db4Ozac3g>iUty~ME;TZ%Jzq+{%UjGlq9`(Z$CDG%X4OVC6sSgXcsN;fNwQao
zrno?U{w)dg6vc=kQq3=5ibx{HoSv5+&;)a7Jo5Omc8BxM%eMjt;>&g{)(~{OLe6hm
zuTY(THp)KjGpNQOmD~8CL$6GNp51TD=X4gB<gt&RxW18e!L#?KkU4B>c1fMVhz;!1
z?PWVf(D{4z{rkn+m<O6PXLqJ=@zGf<Oy>IPI{U_d{xS(sN)FMbQDeTH5WC(rM`@G%
zK13^DjO32YL_khl<8L}t+A<hUvxUsl5D^|JrSzHFeS;s&Oxix^8Pm`%ha0DD-ah12
z(?-9UjBV8H-_hp$W?R_g4Tg5U-_E|+z``3Ya8<&RWMqnX?@#F0BitfM(>n~l&1f{^
zHN0pG9WtCGL3;2)LRf*4?ke`H+WSo|rcW8TaZeJRc0UJ(0N=5qx!etm{yMwy)Ib3z
z<OeF#qvLMku(wVNWnVsMmGUHk1bvRU?ZZmjN}GGXdF^29j<^N^7L1Gw`~)7>H22f#
zcEHrf2h+UWA!-^5w}FiLf2Piv^v=n{m_`o^r4}0q45vQ)P+CdaHbj{!>XTZFc3U>r
zJSa)&qV<*8_a|}&7Q=4BPKC$J1L^9Qgn71Y7YWBYs@SU%&5V-26BU@Oi)BrQYI|aK
zt$3uAQ}X2WeH&MY>M<$A&97{4iNNo!hxMkraMs+DKt$-udCPd-uc`;)(aZo{G;It~
zNh~2VYV!J^?sa$p>h0?-=UC@`gcqp<o7LP+R|~Z-_*`_~RXF(+Cr|061*FVLU+^3f
z6M~t-IldsR|F+kA^^DRTCNZe5Uy|4c#kF1;*^JV<e8}u!$qyz8o-->{rO<7Z^Fv{}
zsN*G12h2Jg^e9xtK+J#tdmXC>wYXO-JSG`~2bPy$JTYJ!m36(J)-gU8d6YMVc6z)m
z8`ECg|I-CGxjT4?ocZ(Up75v?8;WoQ3Ao3YWA{TH<a;3D=4kU{Lk+x<q)favtp><_
zpfQ-ZTz_bM=8e+XE>b?$`5T3tuT}Ou>Fv8g6Swa=G$_;f!65^C<|v%cm>K1j(BHa7
z%|dZImZm;vmTKoHo04f_qu)y<zG*5HsyFKxg-}~V1Tj!A=CWDi9`})kk=zp5<ybU>
zf=G2}?y@ALha0fT>^Z^u#6IFEO-yQL{NOeb_v2eN3q7=s_ejh1qvi-@Fo94o<lao?
zKdv!ne{5I}WAdl7>kkTNeX3s-`2uY{-a8J8-lmTRsznWabnP!xG#B!&nZ8@C&?sGs
zCzhDzNhC!EmkiCAau0zZzf?%9ZllMf4i*OboNR!d50){>6&tro$-ECwdT#ZuZuVYP
z!r@fiBc3)CN^a@UgeB?B7?HEvq8%#1<@&&&DI5V2LEkUAN-+uVBaePUmuTPf)6Uj+
zeU@vpuoPk%e&eIQD7S*aL(Eol{qX$!t(;s*FO$OlR4MTmPelTWh-su)Tq~ZFe#}5t
zKRTKeZYNZ*)^qP}mykBo;u0_8>ppjXKWdjfYJ!5nPAwOjE5U=8?5*6ikDRG>lPFJ<
zpzJ*|xD(a-jvUm>LA#8s+hmgF_iNjHnhrg_nXG!%d%qZP%fGUY4@Bd8s$C9ptE+_b
z?>6Ls=_n#yk-Df`20wv87KVlUB%Lw7c?mS4k_#yTd*<!x8xMKjveA5(RDC<mgU0+5
zN)sA`<{0;$S#>}mvw#Nq8_R3oDVbOqOHsRaPRor{m4T#bC^J*~7kV;wM#7?P+vBcG
zq_|G3vq+nWcVkvGCB11CzhEtxsq`6BqiVS*Q!?D*m=B(xe7%Y>a~yLWkX<CH@3)1N
zg;4weCSm!D&+~?$nawrUoPO+&EB&frvR}ZN`bNm#zIEkPMC<C{6=_-MB=@2LAf?3q
zpmUt!6}xC<u@gNOT4n|r{5;mz+aEb=t6pvVo{oDOl4+2uhzm+lS>9`0D?G(u=JinE
zyw8!2_9`ezqcM3~LEEpw`CxHriqGbEK7C<ek7U#lDe#9rGAxHt4*G*0+d)L#0HuT@
zy?7$zF!fXhTS(gqJDhnMu%@a8?=cILgClu2t(v}<f!rcJ$*$zvvCIRVQM(B@g6Mlb
zMtHw8*c+}j_3$<|FC9@Kd!5vvaTmuXK{e)7?S{grSnhlh(*1Jq$I6Xk9P{Vl^Hjj5
zp(h-owHD%)(s^a+>n291{_!Fv_sfq>Ev}EJc9FqaILWn%@|K0fy}ZhLjcWt%EGBZ_
z`N(|sC3+blsen4sj}JKdps3f74AYed?bui;_4eOKXs9&0Rtr4Kg8Yx3+IfEyr|g4k
z{t|LS|Am&<_A8ZG5f`W<{v~0l!s9bnbK7!9Zn06zW$P%h!}N>H>RXLG5ux$XyqBSp
z!>sB4e+#E3s5VBtKf}SoS#aAOPa1q)SEuswwwowlZYlDin>GS?()jB0v<d&eI=(V2
zu4Y*m4G?UAU<nQxT!KT;0fJ2+fk1GVU_k=GgS$He!QI_mf;)WJ-~@MfI4jxvoV)LR
z&iymfzPf8w*Q%<1yM%xnnNjbDm@)qrnLz$L3PpU#_fG?0H~-CnxTyc+0Galu4utZC
z;BVtV*#Fk}y6^uf|L<<y(7%HKAKm{P<p1-GZYaajJ4sQu)7@Wtfxly449fp|CU|L)
z^$+bkw%_jWB6M?fB=U+i0aBbL9I^bJTQ@Y(`SgC+*BOxn{mNpjo2Pd~tM1=jSA%A(
zv)+vyckq$u(2p)xH;aJ|MP2TbDJx&ofi((p+?T}xAZDG2wF!$x?L7OKoJG=i0D`c~
z1CW$@5f+4MQ9I|})mZ~yY7SX)I1X*GJ^o#T7xjjSq`_vx9N_WF7tB|1$|_TK^>H=~
zq|bDK3i*l`RozT7IrX6li|ng2HWC1~Yz8>}K}2HYp3vNK*;UNL{$R6&DNOU>wfxc=
z&n_ju{Zw-+m`x<rLfB=V#g!IKtwR4>4H+rnV(FD<nH}N4$HIwwLW^@j#k96B<26^y
zRa>KK*+b<)lS=s`6&>og8?zW)OA?L;IbA!L3A;pH(*7Ap9#kQp%h*3wbpV_FM$mCJ
z{J|e!kFfwz$GO5blVQiTA%R}iBN|%ur}LW-md{_tEN@&y2cLEI;OZAXZVaX^l&!|(
zzIs&a8A(*mbCCW+5O-LR=2fboHwb>2lKHTdMI3&)qTS0%yN6Wg7L(Uk>Cnn|wBUZZ
zwvp=7X1Q23db>>H)O)B@^HL*?^g&v2Yz<L)leN+9z(4MtCDtNQ<+o9^5>cD|Y~~s3
zR;LS>-TPnNxWI*Q$-A?Jvat)PqL~)wtMEDA`JUgi<*g>|i9v05i~$lEZ*fU--_w20
zmRRm^BgIMMzc3#04lLzV0rXXJF89m5x}y=D=AUJ54kOV^_a{|bOyws_Em?c$9)S7L
zHmo_dN+RTD^s;dJaXoKz4Ht((AROC#t|X#TQk0NoE?t}W_p%lEm=X{<1|51}wRSp2
z&KFEIhRdVour9v)it?c-14)4MeC>_Eknfa^#InUW3w+;e+p^pzyu;#6DTLj7$PNkK
zeW|mAt7n^&?{Q^a9as4DDprWdCwAOf;+P<6ThF!@eYIXTrPBDKrfa)@J|`EZaZVyQ
zkTEtV_lc^s9SIM|03R?i3f;BaO&~aKtnAt?;Y)iLCj@;$8l_9OXaO19sh8nP*6=D_
zDPywmj^il9{Ab75q3?rQZaJSK+v?%aPgWBe8~j5ikeCdcokh_A*PC9YviGK;DX-DJ
zBg2QfpFauXOoB+slOq$Wug09?$=PqKg*dD_@C|BN>R~NLsBf$u;)7;VTyfR5MU3b~
zZ!h5A!3IM^EPzd0bm$HX%@pf<#jMrl&}5et-@O#%P=&;5UZn645MQ>uuL%1#S!$12
z^Wn{Jz$WR>iw{%YVv8+-`^Le@!xM#kh$Kc`go^Hwo*t5+LqRnkj9GPbh6`b@X@hlt
zGqi^r7#Nz_M`-2!bCD0C&k2<KG>g)2Ih{lNz=6D}99t>&E2&t$MP0KJ!Qa-KqWrll
z2NO}G@Vk-ypCw=D+VpS|P1#iA7rcTgi?L_3;X&Vzqx9Va6=fK-axNF|a9wd;S$+Nj
zo^I4L_#F!i758|7NBXNkOgiGH(1Z4pL8GuBIR3i<@@+c0W#ZMNPVdTNAIDUj$RoOt
zL}gh|`%8yy|Bqu~sY57pq^b%jFpj5+_Aw0QyKpj73~#DzTCNJCE`<O?rxPacO9}e2
z`e8`}rOFM&so3Q)Tpoh_z@vE3kL?>qX<g^HwwFjqZQby3vmd>9yfj^|UAP&Qat2M<
z6dmT0ZGgHzX+7m+@QW;qnzQ5R8W15nl%_U!OYRy%7yBf*_)YdD5vu&0FIXZaO~d8g
zQq4VI4#N$ozSxH@fMDgx7`z=>W24bLuhhOSRJ_G|)O0-3cb~s}sYj9rhptEkqJds*
z4R9^1XoRQJY{jFELENC9>_aEyo0O?P9Ty!{+NcVbl%XgNr;?i(D9?U}MiV(4EWPj;
zirw2T;36abj4l2iDz_F|b2uK+wRKwHU>8>qD$X4`?aHN3vRjJ0di_lM^)B&?Tfkh?
zBYADXyRw@+j8Z`qx*4-Is%#1#@?a6OR^p{bhX`^Jh;*Qlha<Y4=y1KU+;th`>h2GK
zCZ1-Pbc%eF(uHO1)eTMEz^1KXTG5hq%nZ#gXGGXe$JarCR$i0ajZ3e8I44Z8Hrp*4
z>jbiMy8c~|MES?|KmvUlRd1|x{jHOP0YPtk771%i{l0FpJ<Xv|2UDx)NNYIFSf_W`
z?!&TE$d~Ayh`LO<!`)S^ppAV`GA-(SDHJa5UPIR4qtn%^S2)E<Oio>A34)ty60)rw
zpAb0@s9?ie5@;lisW<}nUxxAR14^nsMPZXrd=l0^qaklHh8(n<e0F#WhH*xTX}Q!W
z;T{9%loMgF6;gbh$#Pq`{ye)@3!l-chU?w)w#9f;^ds69Kqaqcwb^D)m%TU2YQ2>T
z%5g1vy5=QlAsy;&kpJ8Vrur!PqHoQ0nd?k%DqIhNQ*2waK;+eYU5=vg>8E52s*VmT
zbaUsY4BEgV{hwdCycS^%Uj#ZZg2~Lp-G}+&A_ppT@dl_XXm442yi0{j6#2a_{t<9w
z<}QrL`#8A$8Zhzi82QPhZBVak?HpohvF2Mtl+7thu1q?GK1ncQ*i!kx^kgKz+9UW>
zzc^tU?8z^vnoa0{l02$;!gUz#tAQ`?L=-GAM3L-`yU!x`c5s7nYt#Ngg0)b&kc0|(
z<Kq&XkEmEH1OlkI={gZ<4qMk@Cf*HA8(y>Z{7lCl5ALeI(}SrhjBA}Ldx^&Q&pxxh
z&_VIFbg%^ME}x$Fz?M7aP?+>==&Jg#p%Dn%Ky+C@l;&jo30jn?%vBw{yxc}=pi|r{
zTPBh0lxnm8h|c&*Nhnrnw;oCN83eESAA+yFtJ^YI{iroiJp@c+l7B62kjpKE|7<e}
zgAJ6j{bpU2^%WhXj5g_z?`njUHqN1N#lO~NgGTR^je<L|X>6UXFv*GZi7<USW{XX7
zqFz1C9sy=H4=X&K?2llK_RKu?IShlPqjeq?iwVJy1wC$p=b+_pDP+XJaJ*f5Qt{6}
z(ZCB(22!5{VdM(OOma~ohK^#5gpsHZACf;<${coCf&-nDT{|{IcO`~>U4Nzybp!st
z>)46sOdJfeMvo;(5TWY!1G@UWs3hrL!`w(UCiz)1#dj@RVQ@#Ry|+E-d3SUy`=wFC
z4F@sN=yp&nTuT4OJ&WNv+5#{6^&K3+Z{1-jZkkwG7faB@0J;4P=L8*JHV!co5pzx%
z*hdx!H!8B^2{3C=L8h-VtMaC|pFso}9w`VSNyezp>I37rugGr_C@+tvLWkUP60}#n
z#)@eB*~G~rLfwCgw0m91W95TFqagG}Ccp#s72j*i5k|v5fC;z@-i(^`4EcZIK>X(B
z*#Wg_{(=iptCD)_ik_lQYfM1L!XQcYe#L$Cd2vL`F-1pejgvqG$r=gljdHghFG0RM
zOfbwj7}=4*EfU5NI%x%Fn2_{ui1Q(j!uufijxbMn31OgrPFL_v_gMl7{Z%v7(!xta
zwdM4&ZoPe5RIv<37UNG-@4j5T=9e6AU#{H9%Z(=MfMF(_A5hGS(~xeq<ORW~O1iEh
z?>^$$6-s_fDCsN}7<JHeTvJy9IHcWa74N_iYc-SqX{yx*7W<1k5u=L|b0jD#zpNS{
z1t8FDb~{VnR6Q(={zRX5hQ1a->A?Cf`HN5q%`T)~V+V1Kl!TouF>d+;M+Qqe(4&!?
zpgkpRO56WHV3ioZ)wp+@Hm^)d@)zJOuBQsgHefZw)aQs+wR3q&UKAt(aGD4tzpaJC
z$fd@K`vCtraHPzMhybLh0N48er2ZCD6Z~J*e=EiIr@j7+fe`s*LHjA+B(pFnsL&i-
zSonWZu=Y|O1lcl_RnxP&e?u4H{C^>g2W94kN&?15JLP3<&(RiR=9Ui2=nKN{y)z@8
z_soM8v}EnI2GE>orLV-sQ!r4Fyu_$Lu)e+_f$s<FK6SfVL3z6Ta<LAUevNqOe``5c
z*9cGVt46vUU-p)|3w_f(?U!b)U3AF^jh4qXwq-3bPfgJMAYuA<By>se$U?l(_k*my
z;fam_aO1o4H2%r4h00qVvB1Fan;iLN@6OIPR(*I>%nYT-o#@a%74kC`51JF)*r5TV
zYGSz%D$s5al&tNsfX%40yC;hmBfRu*x%%Mp-Up@aIOgZt+WWWN4m~aR_i)^ogfCuB
z+xMe1U)G>020)YVT(1zjaz|%)c-IR#t19a#1ed<9$Ow&8U8VWK&nj$}fwT9|C-T{G
z|Cki3(No3Cig@h(xQZfxpHsG)%y|8t;%@a#H3VzUy`9coY#*{)^|vB_7V&l3Vr+pY
z+5O()y1Tcl*Kui{^=!sUzwUHbW1X1gscK8?OY_wlwp?MCD1*~wVHm3mE-9Y}3|2$l
zCii|u@BHVleD9_FS^hU*0wbpO6w|WCh@^APx<|t;)(uUFHWaD#swZp9z308pL`&WX
zSE?jP6L=#d{k>=eG<9py`1+iPM`T2J7r6Z>KX)3EuXe50lqM#kur_{gKK>J4u(Lz_
zRn&8^=q(I1t@#v_m0j>{ZQ%W~XL|SV7f#SndK#uAmG@fp26s`)Cqc5j;UiXPp-%L#
z=@(MP;e99~b#lIcjzOcP5GxS6J29nux*=2sSfVIB-Sp*_HM|Fu#)Kf&XeFhV2PB-I
zEmIEH*Z3q%Wq1B90dH~1-x_Qp5mB$~C0NZFAFcVPAt1kN{x~&Nz{!On+h1~r?Rq1N
z-^Mv~JyZJ7PTt_@%cN|fiG{oi`iFzJg6<DB&`6y>Ao8(OCU$pyKGI`V*$yd}ZI=rD
zS;N6W$IUH-uUP$Kl-f2Nf<p5LY>PjTOT*We&Va~?c>3dXw*<yKBe5t-O%O1mE#PqQ
z-8~v(j0)w#<;QTxj+Ic1Pt;(3{yNeQF((k$5MPz8Al=&+xAv2!tN;1XP{!nD%PpPC
zYsfjdD0zQox!Sb>zm_TxJi}MhP~PGzp_g${=X`@Ch&q^+7>M3NXCPy9SpJR;a$IqA
z?w8U#@`<t8?PxsM%C#PD6`-j1@Kak+y)sGD%SSM=B|EdQJ{p5FjukD!2V`T_E-EI`
zps61tmg{vNoRzT}^>Nv8yMKc91jVb*_ZW`-m8;T@7);=Nb7O;cl(SJ36BIhcQg7Hy
zyv=KXgf1c{c3g2Dfa1raR%x~c+jBf@a|;2597Iqc^HXXk`+BZ`?ggT-%byX|;`CA5
zc;%Jq9Z~2p%r)?PqNTMR&;1J>^6%f7S8cj>(J`9}xeZO@21!>--#5R{E4aEmKKab`
zl4ZE_Lslgbc=rg#=Ztz6)diG?tNNrqYZEJyGC#gKQyS;^P}=rTS}(L(e8!!QsO-34
z)4Rw*$XAg1qYp)!_b!^*sX!n>XJ^{=&^p|8nKpvGcD}K>Ovh$aBI3DEKPYxag>SKN
zc*4T^llo6DpJzudW2>7`RO`AcFM)sN;?=z9ku#lqbpd<*M{!^W7AE_zubAJ00~)lP
zeOziw+-cZC#^7=29hF#y6%!>7w@<NL?zg`ZZU_k7P8*29vjH_4l-l&o(=zS#Tq6QT
z+hZnoyqw|?@3fYOM>ORjfTb|2W-CpTn<(76ZB`ARw&*4ye)ncaT@j28GRDkS!(P3q
zGAzAmW``-4qI6NGJ`tj*UbzR1A~#?d)fRJc8!541+XJnlu(Dmc@$}rR*kNyVoap22
zAPs??COgz{FPVzToMX^n(Ag#jyACwGBbh_Pw59#yA{3L|YI}?$W24hB<EsH-RJ$ER
zQKjkKtLj{4ZPKPb-=nvwE+^WggaH4>ZRt9PO@F&|>Fb`?JhVBsrGM)bD8K^XKiUly
z6+~trQ<T42#s(~4cE7H_UV`K(S!Go0*5<Z~emb0NI3Z7_8H+L6I6Z@<N2m$e%s794
zbQWi(KzgYkqJ0%ESVzA^oBnDbNn9f6ToKIhQsZ<kLC1?3eAKa7U)Fp=WXg!f;)m*6
z3MBaq(Y;n@mVYG70j~<X7LGc}$!C~B&bI#OL7#>=;r2ACc+TEE@6@{p|322UszW60
zKDc;^7q7~wa*0{ix->0P%lYg;96dpwWxDA#{hoDGRiZbc7|MHi^1D}bERmI*f@l|Q
z;FJ*!ygX01NWZVUZ_^vJIgeb#`F}9f=5X1so^lh%1=fmrpZoB82%cpQirMK**PV7U
zm;E|}rt<qOxcKGA_|7c3NGCg;upB01@k%&(5@h4bf;?vuv0eoh@6v_eyiB&nEG(hx
zZRMdZ5-wx;Uez9K;dZ(4Ior6bE4)V)(VU*iDih*IVSBnWuUNMd-3Jrrs@8uQ?jc2Y
z?nBix%ngG`JLE7M;=$VK)-=Z~j+`nzIPpp~#D}AyD@6N2Le`noL)%6O?GcUkV7Smt
z90gVfzq0;T#l3G=7s&b6FJS^|WQPh<tLC2-LYY~xllFu9;#7Ka_(vNA>Tw+|+t0KV
zSvA(kJsEj_jvqMFOA?Q>HAIxs`4$M=w4drCLqJgPA6fOyOX?@9TfU<5%b#G$MU-iW
zY6b6~;>Tf=Omb9~2+Nq*`Go}jQm5%Y3?O4fELpN@X7to&to;2&(_cF=(Z0?NHAD+$
zMbugvQr4Q<dU*)&nGV@H@2jp&G)j*`Xf03JtenNGTC*3A2a#wwt#OR36%qJIG#imw
zMcL&PJ11tWO@}?sL1=2L{QP7XH*0+r+(@Uo;I(wB_oFCB+9r533`qA*&VPvMU0U%v
z5_yE~rT<_y*4mU5BsJjYaAn0T>C;*wuC(?}U$-`H+xg9mD23YuPd}ZG+XL;DbRblW
zCtO^EvmYgE!8xnsG;PX<<(cT}HDPn{`HC$VQ!|VL%c6bIT%C6_=SwukJO3ROF<~0=
zvep~kG>!-c`93j!LoRBfhnOJfr9WwG3W#NXiY%eyxs)4!I_!>f+{HhiT_J)mPI!PX
zHAdFOx0>fFJW@u6MY+pq-8ggOwUpUQqJ|P-zi_4kZai-$zLp=2te9m#J_zrb-0fCb
zZHkRuKSTy`u{D3XM{nkNbrxe>tsu@)jWx%+#W{v^)()MzTbA?U^3Fy=7r<u{AULj(
zK0R_<S*762xHmoB=_hO=6UhG!jWlPKPZOF&F0#s;2nt@nF-wNUhXkj%_Y=-lvf-~f
zv%Xp<!hb7R|ME;;8r=G@`Z+<@<4K+)XiN9b#@7yf8m$yV;&2b!LWQl^T1}$PBS2zB
zJ^T{LaE+5)aP2GV!SroH{`C@Rxt#+_^aME<X?_HWrKZHexdF)PM5w(yP3DsQl1#K`
zS_WYk$?KWQ-u(LK`}NDzWc0!kpNOQlQ6R?}TMSCF{@9dDxR6NfX@Obh7BE!BUoYGh
z-h#U=J!o=Al5!;c)L)Fl5a^Y`Gp^VIuPiT@8Yos&+r2Fqs#PymZ2y)54J_`DWXL*F
zKaKI4_(G%_*!cT?a-=QW-ZrQFqAgAqJTyS>N61NiRo)<HWz;F^rbm|%?a5f$q5T<5
zADn8RIq@Ry*fBWhI50NC=v=uV1jQ6X8qbFgH+K*n(a{)-ogBu$KehMc`X-|OW}%3(
zp3BY%66LZ<W-{WdSoc7%gQO;OWU$RLEvhZXddsu9gKP@}Sw`8@tGb}CLCBS(cFbZU
zf64B-p7iam-IYXQWDu;{nDYe;t|fE(2Y#xt=l7u$C%vF>0+EJ|IjN6AKH9NJI2w}w
znAj<<*sS;FfvTyVCLgtyX<n)lcrk@Yn00at3>p+lV&#W}3T&d1e{(yhiN7<;d>@Y|
zV0f=Ge-&BF&3EK{{jtZO1s*Ea<=|@0=a+MO^kYTeq-5H3FxXGnV6|LM2?;IQvPlq-
zHHo3C&HWGsr;PR7S)xcopCtS=(e43ubgk10WW8i#K4%urIHdw>;~401-CkICrx0^G
z_6HW%F05`XGSKNdRI~0m>_f#h3UJN*8T`PFNAwdlAty*S%9c9qrY=a1p6P{O*K6ST
z`kMV0euFZK7;l}j7BR+tTCd-6pw#YUanE!9T{&s+8vE$u&Wvb`Y$!Kur9GiO9Gb0Q
z1ov|Lfevn^s(!m0D?`P+*wFzpPY7O}?d#sJr8uQ$a_Ty8ROy!~9~F*7&`6|Nc@Gd+
z>Na`RNF!D^(zIJrEhDrKArTCVd~0HGE~6-1b;2koF~(mX$YA+RtKU)8)7GD)B7VM;
z%qql(t3NSWZ_}A290NI35GLcJ__QHv_BuJbuiDEqtXv_-9hExK){I59F>K$x9Ifr+
z>ulEbJ(0bu+l%oaY^1G4eIM3v1~F9X6@n!AB%v*;2Fkl>qv|?Zoo;$uj)E-<vG!-w
zq4kH;Z#8aGz05V|s0aq+%UY-lA-rQaFEVa;0&v;tW$A+F-;a1yXF<T8M9U(VU0Ncy
z)m2HU7^cHMl2dH6n0@m>a(+;~Ed!!=FS58}uznQqTR=1%qS8Y+NLX3<lSl+MwMh+u
zEqy6^I1tTEW^=Ei&i>@QcH?-P_Th6Q5>uxdSpyQ>Eo+u_efy)}#~r!Pf}AHSF=do4
z12vDh<Z&Jf4cp;u@H))BKz%AtZ@5QBuZg_Ai2~LtjOkI6q3{yxe}ilxAhhxUm@k6{
zt>AxwngK}Hb<3M^?l1srycra<zP^szgMuJdtXh=Gkd!OS7!;I&;Hg$NL;PmE)=JLI
z!$TK}1pt&ysu%}PX~1?P1_lfWRJCv`6&39n?cVP3@hD&*5jKiPKMFFkz#wr1&-x|X
z?AUhz%1ms^VbNjn%qJ+~PX<aVkANV#e1+SK?*mMN%5G$|7oRc|1L(jOWNY{z|4wT7
z61~73Vp}(TOIZM~))h+f60n%x<j?^Nk$VS(k42t{-cMmXDg=VDA|S|0DM*$=^t}HI
DJ8cf)

literal 0
HcmV?d00001

diff --git a/policies/arch-doc/agent-schedulers/src/images/histogram.png b/policies/arch-doc/agent-schedulers/src/images/histogram.png
new file mode 100644
index 0000000000000000000000000000000000000000..f169e5164ad83b56948829ac90cb29f099d290cd
GIT binary patch
literal 9604
zcmb_i2{@E%*!~bYR63_5Au2_-3JEc!vSf{rEJKYY8WkD)b_zvW$j)d(vJ7J@gOL(r
z-x-V{Tf^9wX&5vA$8<WUv!DO}uj}=>%=5j^`@GNd-uH8V-?(RFptY524;KIcTXnS0
z7y|$&0suCh*~|uhQh^0{0f5!nNbkbg73voTgR!=@Hat8$J3Bi!HwWH8CX>_C(^pnj
z^78URLqp}|<+p6v!pqBRXlU5e(*uP<Pn<aM<;$0A*RJi@v4e|?OJ84qdV1Q*%4*xT
zZ8I}7LqkJ)dU|j;oJyr?X=$aVrgn66w6wJ7>gw*@yLWMMQCnMke0+RrYRbvUNkBjV
zgTXX4HJv(j>d28JG#X7xO6udsk9+p)nV6V(_wF4#JNv6wuSQ2lSy@@%ym`~r)m2+t
zTT@e0TwI)yk-^Ey+1J<C-rml`!*lT9K^P21B9Y3=%VlI_0s;b3Qc{peq`$v^MMVXj
zPFGP;DJ(2RqtTL*l4)sa92^{H&z^N~a0m$rvA4HhT3T{;b`};E9vd6W$;ml$=8U7G
z<Do-`L`6lz!ooB)H3bC)2L=Z2-o5MM;?mpO`|R1X%*;$24tMqH)ym4s<>lptg#~wa
zcOsF9#bT9|l;-E>%gV|$G&H28rB9ze{pr&u3Wf61Pe1+e!w;60mRq-OotXd9Kd~U}
zS&08U-#s=rNM0n(E%%e=M`o5<2FCH@bAf?@{QUfzH*Z!`Q!_U=-@SWxe0)5CKrk>c
zu(7eJuCDGJow;}KUT$u#g@pwK0zsirzP`TA&CL%UJmBNw6A=-~&dzRYYwPI$)HO04
z85tQI96UHUXl!iU+1VKr6C*1tTUAw+l$3P+`gLw@ZUqGeadB}kFE2JWHdj~I53RjI
zH(uA{hueu`&HW?YgX8_fpBsCJoBD=(hsN*Rxg#bfcKGn&8#ivm#>OftDi#$L;qiDM
zAD<t8{4qH>xxT)B=gytp-rl99rI#;X)_${=4FLN)b<Ui+;Kf2FaNjkh1lP<FmE`zu
zmB~fN>(z)J+Gp37cT3}v_F*U1yN8oFZoO3Ds$D%_+%|3|&fO?fsU?iD53bS>zGJTI
zeakM}{)Exb7TGezL6-^z-f3Mcf^9jc6?swEodVhQO1`k9q1?QAWPt?+yqz5nY^EaJ
z>Ep?khYkZlr^Mw%0Cj#q9l-*Qr-?8=03463fk%Yrf_pdsdcTpyq6((5ndT0tD|M`r
z#}F@S!qH9_kamd%!}5B=@=blD(};RYRkPU9oH{wZ_N&RESCc<lEQ?}*ppyyfUV~(T
zATldB05mti+c^FCb#Kp?Gf}HEE<Pf-2~OcentB4vx$!*@%3Boo!bMEjhdd{>6{wwt
z^>Ie4P&-Tv^$#XECj=-YTx`E^sM!E=^!RbAYb*x<qmV5f4Tyn={kT3cgJdr`{@0xk
zgaw3z8cXG}wh8Ap8p8alKj#k@k%pxBfs1`Y^%tYYKPpswxd$75T!4Fa@19=S4H0TJ
z_oN);rnu70*)%C$aM^UCpBr@kS^oG(nGUmzV($vmPY&S`^1Rnyc7@N=#!@qKtXi*F
zqV3O)@~4yJ4c^Ne3`=3^U8ky34^l^w{_f4mzDh!p=7(I`7ke_I=j7Lxhp$Tdzzvso
zb~?tVw<~UKSBxykB106FOXD91`+M2v(r-!NLb%_~V-WCh_a(om%mc$$T^4)w9QOQX
zMg-Y)rD4Z=wOWRNlH8MSwfRigWR=FQ<?Fg#Gis0Oxh<o`y2@jVt0z?z;@(cid|S#r
zKY|Pia3cs9s;yD|h9ZR5+TzqGO|Sbae6Fl69_Y>;9gNOE1_rEkXvjdJC(G9ou9Tof
zfx+0<GgFLdQhNp^{pRRMa5>7AjzHVH!p3Tj2<z89g!ddp#|!$8i^&~ukK8C%V{yrR
ziaCllF(O>?cw~~#b4Iy)Ww<frB!W!yk6Oq;OjUS+N6u50?bqV~o`_nR^<l)Zaq6tU
zo<so8{&oC%BEduXPiCJNkUnD`pw^YhE5rgiuoW?11SeUwMq3A!nux>rY>mQ;gUEEa
zU~U{}_jt3dl5k;TWvQ1qnKwGSq+agBY<`i#E`l+dJNk3C<~|JI1%E<T?v;uLx;~vk
z2*G7lUP<1}y?n_Hz=wRa^&ER3X)VQy4;k{MJ~8hIi?a)s23;tQZ@mrm_t2?g=cxlO
z`m-~411nh-6Ir1j-8ATNP6Tr{%$IFYhEVC;cUu<F_yIk6++(oB^q3ABqcRX<<YQFz
zNvL9#_i_}h8}ri*{hyc!4QiX%57g#%o~<0-(WDCF3xY`YCi~XP<Xww{#WJpEeZt$~
zm)yq@(*s6s6kZ{N*a2)s7hX|SKnhb%?DM@-A~89oF#qmdX66+s{8Z-isfv@>FqulP
zg|WPo26;!x0aEy!&smv1p0AvES~KnN4AnF5vxgG2GqCj#Ov~z?-qW^`>8mfyVBH7L
z`;-*CYAz-#=qNhdC&1#K=hUz-50lD!Eq207V(0B#Cucrk{Tn5oIUd=qj>v!NLam+R
znPPOk!nQ#!@0pcv|GZ=uxaw|`$-|B>_k?CRtZmv8SavwAek2bo9-b6fc60n~VYCZg
z=*wh>PkzA9`n!%)yq<Vl$R}_?4bu~PbGyQb7cWPwb>*q}h<)|6V{9<bp6=>uO{*<K
z{uI3^axdC`Ic7z26mWH2n%27ECJ9ao3r}jagwFIHD~)zp|Ag0@c%E>|mQiBIvzZO;
zq6WRyZ^AOS-;0|XMAl%$IYw;brUnSb(jkzC<WjjV-U%+U#;rVz?oZ``&5@+f&Icw&
zCDD%wK70>{FjLJrq($uQvo(N%aQpdD0U>e!gM{UAzTNqtvroK-0_PH5#<pOSIskmN
z$7M%t8HHl+XVpT1%N~)t@$5IQ(our9OFi^KzHD2Qzj%)05n->5^gCnOt}kHewQ@u-
z0Z+O5MJM5R(qri2s?IZ20*kIMoC81j7krvLo(1MartGaG7b?{)b^^(XXZJiyO%N9>
z7r_L{f^f?nyuE&51MyaW95cP^*3i}<7Ff6HKAAEW5exv1T@K(fo@c<@0DB-P+&(Ui
z!MaDCfLg@K+`cr!Dz5x9lfb_r76dJGCKJu;{63TMjpzUFHqiE;%|})GF7Tka`{hoK
z%GU3Se11@BhTP@IS$L2QQ3qm4Yn?ZKC5>s#^}j-fPN^Djh+vi{<-?0X)T}9gC7VA9
z{ZC`6RDHa`IJ=SX!(d`sJR_e=GwF)Cb9D*`?EgSeObmxQT22IyrV?6Bi}L60i6&K0
za{{T|V$s<Fv(IomPju3|RA{q_T2U&ci1}wVdwJ9Y!SE~Rn>YI5ar3~n)M`g;lwOgZ
zT9RJ&Rf%XvG2!^cM86Y2WgFUeIY%yIM(yNd{XoVt4`s>+4i9xM8m`gQ(khs4c>O-i
zWnl+D^q3FX3+|%`R7Q0pYGh+0p=+rlZ4E{WdzF#|6XR<?aC1gM%km(@JHn!Na6->n
zzI|R(466^P9E}R+Ck4dUziYDAm&{UABV-NUG7CH~VZ)x$z9@yFlEpFg%=Q_ImcYF`
zkO@a#k9m{uX}^B8KxX8@1R`yrkhi>8%r~53ly2{_nu?uw<YT~rR1<_+!>H|N2a_C)
z=nKm<OWzsEnXZp{%C}QrPUt)0`2#!-U7c+=sctO5kh^SX7KwBjTy=MQzMDN-LI0t@
zGQVN_bv0zMCaMvZKDT#QyIba3Gn85o!B7Zlwji%ZeA#!9H}PflDL<Dih|cX)RGOi&
zN5(>vzZLs0p1*eF{-##2BvDyvDd*gVG;(RV)_qhf)l}F-tyk|Z6s5;%EEgLlkQpyP
z;3-&ny`F=STZu2Z^fE{mHVgRtp0kJ({$uxsghjpAl2Y~e65UUt0!K`6T_GV-WMXVK
zF;FCqulSH*wy!jpe%DMN+DPdMWWdS-eih4@n-QQ>)7;<sFMV7lY2{kizY{Z5WzbeK
zL#!$)5I(DNHLmQyMPmfEgn`L0OdUunTjS~Gi(st$Wn%^a-TG;;F-Mg{*D@IN8h@RN
zfSZ(DccS+ESd-961Ra8-nqUynvL`YuAnyM+J@-F#Y$jM>e6cA*_;eo-J1eO3g)ep2
z`QT3}VF@3*PGA1!w>GVd(tqmze;W%EeZTU=FR^?lJpQAZ8Psp$5=tJz$NGSAtmd9C
z{DmCW`*dcrLd+=y%V+F!Y09qu%o+bNEYSZW!pb!he()DvvUgtWdwTp=%dgYadcYXX
z*01rdd;Px_;Ww%J6NMLBv~o?CAArSGNGgLt{~^1~DgLfgCDW^}fByslp8SUCx)oIW
z@`#C{>hT!ZYx@;E?6ST|g33v1Wk<&dh6RX?C#<DX?Rp0wH$Qzy!WrctXg!}lJ9VX4
zczn4557<8}srgU{rO%V01yuG<yI&E2($1jgYVjj2AI==IQG7)E6tcvhs`w;X@r$t!
z8~8kO`bu-8^{X5M_<~<le*S&ls}cj+a4FpSL&FQ^Lqm0nrm^(_>n#PJUaP5=GrAIA
zV${@P5)A~-SC19=+Lty@AEA(we8>9hNf+PBS|p{{KvM2!kV=FNwOU<#(HU<{64E=b
zS`eyJt!X9i{0;EcM<sK~_uoc=yh*pTOwoB==_l<UAR(JVm>JeH?o?==F6di+!Gmh(
zOf@+8_QpQ*fbQHWzg(oDtOra*DAFbgr#Ea6akcbGtgbZ;UmYmWKQ4th)(~#F;k2-4
z^*Y?+P$ug_(IPdo_7(#BP)^6RPlfT3{2-aXZc><f0qtS8k9)P`;3P%3b~Gdhw`0;q
zx8~E*-lY2erIQ4055nim@x111B+^<*mndP4n%Qxy_pXFOD#4Px9|QeDr^qd?X<=up
z9|n->Q+*vxU7_Xq{wt4Ny4_}RCe3Qt0Ox&iC{)S-y&>NcEEz(#v!xhLB^P@Nm>cZv
zS)CZWE@nBV=@3AhZ+%JY3Eg@i0@vypAS)-^y;&W)wOOH)tzH?!KopGf5WSb`PzLlN
zfv+T(qc+h0_DW3?QA{b&xqCVyj<v-cR2G9N4PPHv*EP*=nTgr;!7Eepe6@Wet_^b~
z(BYU=2bvb4t+5!Ezc|9bFvGtxt0U~ZiqrOjf~LY{C;Y2RCY${#dHxlq9}%#dzY{D>
zFMnhg`a^3B@Zf-c!%>=tu2?k8v_a6pA<x>h#?LLD|6#(6Lu>+9mC<&G(~1`0OCtx<
z`!@^c^wQIA=oOr_K5vMuX`rtyK~d~q^%gU4g}pJdpn58j9NYAJ*+lRL(essEH2Y%A
zK;%1jOFL}9Jyd=}pMIBerU?7DGLAX*_r=_por6fzn*zx(LJ8E1LT-Ohw7;$Xx8;uZ
zPG3z608NDFQE`UfbSJX{zii`cEBbwE|5d@koBp)Cm!^=iOKgv<#U0Y@{#6;j<7;Lp
zyW!@SGKFeo)Jx)dzpcYG1=%%EpMWb)nqm`2rW}zT%Sx%KF#J5Pq<M^v8Oj2KXe<?-
zJdtgcf78TfAJ|#W=JXj`6wDN3B?hQNFptr!3WWr#c9TO;%)Gl9%I2*aYCHHkWmJuF
zlH|P_r?zmCFLmXFfUGPeU|cAI??{uUO4-O*QcY?~Lt9A1%o}%FmL}UG&m+Qnuc;c8
zL3)Pfe6QtR{oIt~hLJAGXvt#NrZ${Qv@goXgo71;d5Y>rS$XJwB+gxn0^j89BpsH)
zfv=SuiF1?$6B)rgIKFt67-_F~Ux*$bc|zgZ!s0U)_dS^`?ui-qe3zf843Nz##BmXP
z4o%O`;zAd%(de+NK6_WY8V+;7wGcZQxq9|^vZKFW5d(UDVa8-H=*2wU(PCIjf^)S)
zA@Jo2<#pi8^ahJ`bT;Wgr<&mv)cBku#mH5EewoLS*wm?m^p)`yPR*Grz*AsRoh4F@
z$<t5u?O(6XC}-+52Xxh#uQGU#GaxDNg$w4CNeQkr?UZ+rqDJ9NdijKK=3#e)af0iL
z_EK|u&!jgEUq0L5c_;}XSQi4NSmStR22u!dSV_DeH3na>8W!EW_5h1ZZhFVkhn(VM
z5cERdHw-<*d&#|5FcjW%G~+S&<DK}%QCPX=F@dtSf^r<`?w%=KH4G$mruwz-P%6AW
zb^uy5T^Ve(MCEbCqrI1=$x3gAvLN%Fo;2MDI{>4xJk5cn+_DAh)rAHD9z-}6asprM
ze{F(7baOEdSjd8^cImkK(+$%<7JIS*WmRM(!+2D<U~*WvbdgWSz-=WWBW2|Szs|JM
z=t#7ow*)Sl2kFxr(ar*_G=2Xl`6oiu3AO>VOH=3g)e*tHyzZ=99KQkY_iXY9^lVTH
zjBkTd{uEeWaWWWa|GmUv;$od-{~f(<sH1PFVv_UI&fF)Uj(TN%Obld@qgJ4^zx8Kd
zNNDE*(7J1-XAiFPCzCwC(%=81L@x=*K^U$J#1-CxjW$P1b^K-bzuUsE0k3BgG;U;)
zxskuwOOV4ihs>=1KAnHTl_6#rV-5hHhNw>dy8GX^+=WN~%NGqVrjTY}6cgRj5-i^$
z|7{qy5DB*Ly4GJbkLd)|1hw(6Xc7Q!*SQWXvqNXuu}`w`o_$c>8QKkW>AWd4NiUal
zm<`w>h2a_Sohd&tHU*_O%vkwN5U<tNe)*E(DP>cpNSvFEO1i!`5FraxK1HuCT3|h<
z*}eaY6_eeDg5dSVA*xsS6|RISIa~o*k3xD+OLcG1T<|vVe04;>9BHqHUyCR(OX*A5
zEr5#>H77*Pd8#DAF7MxQ)+bz7He+|85dQq)6Ou)29U6l5i5E`d!5VtUUr{his6*TB
z$rP+KISHjXW6=2zhfmm|ASYhiHT6!n9KC;m0*Nd~uE8ktskD111CL`9{LV-59cf5D
z8xggYg#WUZ&@NP%spsJfa-0Dua8Y~5YR2Brv@10n6Ud6LTRa-s!N2ZXWv)3!Yeg}D
zZF$1|#h$V3scl=|YkSOq?1wi*NK&9~z0dl=z9igKk&+dyLa|zgAdxl5#$Pzk*FpB0
z!#4MZkBPXJ1kj-il3LJOmf9{fp=*M2%pj6wFmvsENNN+T{lV$Cvy&B))FA?<V0GT}
zVA2t+Y-JEIkT$V4LrrLmz+!qlD5><eEH!Gnn41%^L94=<5X|-#{C=t*ZND%<;NK3y
zMnB1QEu)~~Q`le9;Sa#kSLA>%SGtLdr`6)gD__E7)<Pnplj)zXW<YLgM)?{jQAbRW
z=Y+v-zsmaEsr&tb|6XIRqv9(eFa-*l`+l+SrA%QFjC#qdO-!&c+2>d2g0Kb07slC*
zuX_FgicUqobsao-_NVc@zeUG)o|%*={;%NjmBs|?oiJ_Zrocc-tF!-P7vJUJFOc^=
zBZ4<=$ncZ4*m*p{Frk+vhzwaWKL5k7)Ty2TzUyc1o*Dl??ERZLs1;!-xfE>;eBKqq
zWZ^&N{kw>NZwA?$IW}f*$v4Af=&gaRB-~>CdokwtS|(;PnNfn*?`+?Q>XEgr`2AwZ
zoQ`cUzNeNA^E|=d9#H<~fE4zs+D~xS${00pF?aFZ(fK9DO2#aT+<(mA!_n>Pt@q2G
zBnSDnxJmEfu~yDi-`c<Z;7{VZLs6IC^~~DD1fc2Ya;`YA5x2kJ$2VAmlbN0F3;)II
zYE9atR;8O5X3>XTS1|WMjcIU=<-RV3gif!}Xt+uM<h@z3YOG>3fvAyO#GsRh%cDLP
zl;Fs0kzvL6OXlL6<CDTkw<R&aGqed@;uDlG1y*=6h@2G0k*sVr`!iWtgl$Zv<qRS?
z+X5q~IoMOjX=cxNcM2Y{Ije>5t|25(0`o?vN@7!OZjvaV)relD-J;BwHdJ!#sl^?+
zAT(b)JvF>!R@dmp@+{k;ouicV+DlPe1lpJJu7bZxeha(Z8#}vg!EEpSerDAc7_06n
zt&)`ww+*fG^^=Xz_)$=_Pmn9hd&^~3Hm+(xxOaEBnn0XN+mkdB{m4-BQWQpO06S@!
zI6XO%iD~oHUcN2s%~`Y0FF;*3pxG)-r(RA+1yLfwrzt7CZAc59{DA~dp|^-uiQNoQ
zM4Z4pYfW;zcO}ETF`;)EnU|zpy#1aA1&=@B#bzfi`<m;(@x^N{Z`kaf#6H{RAL_j8
zho@!$k7QhrXuj6$V)<!>*3u=$%}$8KuI?K-4t6|+cLGR<?u9q-oF;VDq)1m_{aaL9
z`}6w3&%YOmBZ~UF7xfWZoTIY%4s1$<7QIUE%LjZ6lA9$>yT@i|@~Vi{n@xJkHC5*&
z5;R1^iDFLN721-!E;;wmEmO@dg(@%36-oW1jsoD>Wt$GMuMF%<a+0$Y7K(6rV}{P-
zycB@_S?MH=YUk9uvZ<gtEG2aM-dJd-+5J5nZ)t}}Nm&Eaepx!fHutwX1?WG&=UT)1
zdEA{`K}_LKsW>MX_87f=-<|Cm&yU7kp-B53D=praPonB?-goB_@y>Y&PXg*=<n5Z~
z%+s5xo}2g4SX#fht%aqy14SNNgFavD>cSMm`@W6k@|t3}A4%;#ie!n;F*|<K?QQO7
zHrCCLv_*gVfl7WpKIg7Fu%A%NnQdBnahYYxEXSsxczaNT1=^uLmt%+NLT=ZThVcU>
zx3Rhyxf2NvAK$!8a5^4&s9+Skg{%}J=HIN<KHlhS^{_mBR?kJBiqoS9br#<ks_F|)
zW=Tb5Y3j4MeK=ptdiQ7pV~fb)nk`CK&PQK;Zgj0p(6+N-m*KJH<f`cM@lb^HB_|E8
z{O+B|t0<fbW}an|h=O7Vo>?D`d%+V+XyA^-)26aooi_bw7%I#Tq+Nl#w1@FHbZ@zk
z7^HixE!DQOuqeN{&M7HaHDeYw<DG9qDD_Yfazq_gX}5{?MvSt>E=;UVDm=&C=L<6D
z+?wcD$Zlg_3qYPc;Ga-sLw04c$-KUlC=cgw(C3y~1a}tL%(c{w&jTaM?0iy?<yX0X
zWMYCm`CQs(s~&(1yz{nP5{O{;6Bm+}0E|>O@m5QlO1q9Vd`O(CDDkO8ns~KQRJ>gC
z5tolFCsxT7CAuMEcrM;i;g_H7lOeN(v(A=<ZQ8=I{rRm1Zh-0&6y6=T*Gg)<CGlc=
z|DuGi!4Qt<PLCBFUK0E4!qt4ixejj%v3)#0J~XfG$J*k`#VRun432St@za+9+i@=C
z2QkNHogI$tdC}v}Wk^RNcw7)Ffyni;<fJECkFxDLoIq@RTjIR)5yMz?+LXLyac+rS
z_?#9|>_xD$Au@Pdc~Pio0b!Q4w|u>@-iD_-gw`Y9dVG{TuV$;i`()vR{D_IVhwgm>
zjn1T?+Mv8ldv{Lu;Jb6a%jyMU58LLvp9OkMcHxF})06@<((XlnEKRz2e1Va(mUrgf
z&FxBfRh(}HM0IYkK+LlT+?0IBlY)9iP>dQQW3V%AwKDCj_LGT^%1?*S`iJevQ48MO
z__=lWab+XYW{)Dx$i?$kiLLa&RBJpDY35Fewl*^}GZ%3~`$kbNKnsOEy>*YThYJV8
z4d;|HPS*=usPH^8Sa%=yP!j^=Rk>4T!(wbNpY{@joYSINmBMhwVls`=t7}Bsl7&td
z|K5jN&ln&K=aHrlQx~A7krnB)G)Cuz1L@_;k66HehuS@I-T%S$gFgaKt$`MqU#~rd
f+<+4w0A4pqnJ;Rv5gD7ny8)fE24`|LY=8bAlBG17

literal 0
HcmV?d00001

diff --git a/policies/arch-doc/agent-schedulers/src/images/schedule.png b/policies/arch-doc/agent-schedulers/src/images/schedule.png
new file mode 100644
index 0000000000000000000000000000000000000000..a5e566cc0c05d5770f279c7bc1ebbb03aabc7fa1
GIT binary patch
literal 26448
zcmbrl1yEeg*FK25yA#~qVQ}{Vf#7Zl?t{BKB)9|*7J@_2!QI^lcLoUrU*5dG@7w*h
z_W!Tl+FMgoU43tNpYC(cbDr*VZ}fXLd2|#K6euVtbVUUjO(-b1_fSyKg-9@OHR_Qi
z8&FU-go-kfAAr!Oi?C4{&`?3snPyGn?Q3zIt4+CFk;_dE9B3}a3w}*!ewT4~0i>6e
zDSDF7P*6w|P*4((w_g4!K!ISPpxy!B3UHWEP(fR7_y4<q1$e6tLHxfw{l91?A%yw2
ztKKkg<<AYLcm&vbWCEM*9v|b=a>e`~HLhylprH2N0nf#}jf<?xPA~u5kG{0LjTMA~
z4@f0ot(^a*{Pt*sN`~<<Wll~C4jv8(AteX!A4x*Weo_||oitx?ISf}oThQCssGB+~
z90fqKy(r(tYVeqZ2GP99j|B+#*dO^#!X~or`(XYW&9lrRKWT&q_(y(b1qd32c(vJL
zXSAYX*UMA&be-01=@$0e{N7`S98A6jWmOAL>a~hF)o(&H8uh)9kx(WA_rHqV$*bhe
zv&MF~1tqf$^*FaQUD~fUIsBi$<L4A5W&ys;iJKc%pX)&HimcgYr%jAw-?EAFzE3Y{
zybi6x@d>%Y*9S7?@+vvU@!nUb-a8mZT6;`!l2%Om5th@5l;WrA>iJ#WD82`sp*#ev
z?0Q8To2ezSU+GZ|j<DEl@Xw$5tR`Ugd#}pE%Jn_Z{2w=-QGRDZE^L{2C<J|S?q&2`
zubmhK9XieXmcSY1Jgw6F7r!a^Q9zH<A$W>)d(xy&gc!N4&b2z%O@^-@YjIxr6!pcn
zs$`Wrpee-yPQ`42x7&LGgdBQtA2O9c)U;VGQd}Htqp<zD*`~rxVh_ChbWN~wU?Jpv
z>(~FFx>GtiVSxAjy~E%JtXg+Ehsh%bWoosq9y^YR!@|Ci&w|7J1`FVhLd;yZQ3EwU
z@?*^==di;c!n_)jE_5Qkgv9P^#pFuUHsj~bPSj;{W~wkODI_W|F}EX5<%WkrQ#Mts
zQN)hTm}d`3!%-ig(pl%p>NB5=Z(RI4fH7rM9y6}7q)Il0zY7}7dnS3{pMIs>62Rv#
zjk<afRi~8V{?_JcKlIdh;OGMhM4<(GYjABQ!WjUct_b4uxyrC%pMv@P`@#p;kduc<
z^V!Yz4bj}vf9w)P?QPZKb|vJ7#m;?N{^8aIYVcM_;dAQ3ws7dKZo5l4U=0#Af3GU+
zS-H?+mE*n)Y&UL`pl=n;Q~yn0-Gav>8X4zYmEyzfSo*2#JbuM1I#Za3&~mb1(SRF|
z6@+@<j=t)--|>?pLW3IMw9(nS-J;mJecOSESFITfCAR;FN$K~t3U5mhRtQOoH``OS
z;N@ut?lIe~8I~~nSWHpTD;6h#IC-jq$iX1opXq_L>Q1wKn_Yo}o>9xcd~0X`yk_-;
z40Jtc%U>m$8;H%`wVGX^z~E4{_XIe<BzO5~(=R%$gUgcFe`h!QgM(<FsI8^0&DiqA
z0&iDjYYJ%25*3P)SsuOP;CSOXd2}gT>HQ{A5X6<zil9<$qrL7{eqL&wdbE^$$Dxo(
z$b6g4N@lqmA$PCWF798!sdvL7bI?YY9~^{z7*ee#Cr4ghisU`%<)g2<;<Mw<K5zWA
zvJ(J?N9KM+LyXVdif?r}N%%_40ysTFX~UA|r)B`0UexgfqfB0TkaloY3OHEJ&^wR;
zkpO9x0*+Y)u%u68@~GcUBLGCHzL?}((siO}igex<*6fDnd~xJng4+AkCAqNzCu=l7
zFsM#}9skFNS+wfGl(G@s@5SnW*ET8%H&4wUv36HAhYpj)<1v;vAU<1cH6q#Un?>Wb
ze%h8Xn2UTv*SiS)mN0iSfP^jJC=2}wDX~>d3I`dinAw&@j=%xHo8*iR%P4@w49kDv
zGE?%*s$OoNS7gz!?Nk5gu!fTa$%q^X<(8(v>+P>x^v<Wk7^Y3W#qdR=plJFe3F)z5
zPgn(R=9-jW6M#{#kpG%Lwti1<;KnRZ_o3>N$%3<SyH9@-y3tE`nRfFA*r-A?)cPeH
z5&zx<i^6d-5t30%&@Y8Ik0pn%HP{Jzw$a`s`pD&dxD*`}7P$&R!TgN9!ILBC#tzN0
z;8e#>vey%u8*z8ukPi9p!RqZ^sTS(KEQ(xrv(u;juF8%l)TmOo;Ck)h@$12ha3kQj
z3-1lo1TxaaXo6iHS5&k361f>d%7Y3&L@UO)jp@mOkT8wbiDsU<5y8A_?}8>iVPjLQ
zY{Jt5tUprlX^8#n)KW%3`yIZ9!OZ4HI*YRLx+aN9-ZH;%2P0$fa=V*=^n;J=SIGM*
z93k-VhZekkes|O;SFp>sweUaJ=|3{gKR;z-OoNcr(_f^CvIZP6_*WyM%-z-YaPH}9
zAn%W*iK<IraVU)YU!)C_jUE1LOno2(+RZaw@x9=Cxk=3oZhxNL2IBhRarT5R|HpyR
zj-Fn$Jxc3d?W7*J^KGjhK^uD49_e^=4u%~|8)qEr5IhPTjvS4hTqf;$u}fY99%d;o
zdtsDQ5x+UoUW@1!$eKSSY1WA`!-ajj#51<3Jq$ML^y`}&f!#mB`Y2lXM<(Vs@YEBs
zxrIgIVet^Mn|Sm^r!ALCDgJAM@9`-X9<0~xBQSKaUT4+Qg6LX^2`cqh=Um?t_ek=d
zdZYScOfI9Q3p&iUpqybvB;=1NihMzK>9mpP>D8o2rK*#gU4WHOEK}8!=#e(D_Zhi#
zO;FtHIJ~k~tB|A(!KOG*`bCa$215CTPL@_<h#ykP``Hn8pUp@zBJ2ZEDj8+p0M9M7
ztCZ~<3R=dr7#M~FjaLJA1u0sZ*+^IC1%0AEx@a;B3HJaobbvV&KJG?4)_({D8wUHZ
zF33QA8-Vi#OAm#sDT6iMQ+k7NURM&#NOCs4jtPdpKrVxXjEU;C(D;~0=C+>;7(Qg;
zse-9}vf_(V-r}r^(92qNa7tTr+9(tbn;u6KHO*CZL1l^x3L7leYLWiYJ)GVCQKARd
zl1*vh`yi9R8uK8c!&+yo^{k{d@UVLzxZviLUy;ZWxLf?`4eMRAv{G-uK%I)bG3X+B
zwHy=$;MU5xL9vUiX}7H4(AOeahOr!Jy02btB$KqVKSJP~l`tn1<tDHx+<b6M;Jij%
zzPnR&`JD-ObanJdQ+~FOffB>>a_q7tp`FSOKBe5`(+}s!bnyKTG{-^UCgb2^&#1n>
ze*CLVBq~|}S*wLX%)g#RC4+>TSWkE|*Lr<g#*NSV)=Y}@A6IxYFtPAcyps3*6I8_w
zG(~d#4ZQzEy|-IYQv?)Bw@ia&h}}-xv?b5HxyXlyB^UIc?+G70-orwn!EnBRg&QML
zXElW;hI38NVuXSs`iE`xz7aRme~25}Kg13EM%*~x_{@J7pduLR22yDiQ)qi>-u{Lm
z_W$+#|8qmAh&Q72PY-_!-T&~z|2fS6r)FDdz1IQtZUkc<yM`n$lf3|3YqhblF+c=o
zXy)7HldnHt;qy2#@3kX%KXCat7xbe_hf;A}`{2y2xa#}``+~RjSLfwfCZg}-WAK$t
z$8>txw{0`4XVi<GPZt#J*xA13dD8!a49E?vMv~{XmERT(4<;KQKDzJv!7w?&;cXJu
z+uIxKHM`m5?wg-FR@iktnypr_Rcj#*9ddw#8TwZNNn1jK0Nz(i!o`nI&ucGe3_yPV
z=1LM{M~4gG;9zx2`;X3KXYrH#_S`Hzh#12-xxa%^Xuc$b)5t*FIBI!${dp0ELgbbP
zH7_Nr?B*68ZgQFu;jdr?Uz&1e5Y`r6m6)d+4^JmHz+00XlLy!U_mHjo7_F6<3X1ea
zQ7xtHzj6qAheRrEvvnE9#Evo=80(<|kBe}5?owj|I>-WFJoT-lr-B0(SKRoRv+b}s
z$H|{d>xyg+eN-l#KH`|qC?61{l`D?@;PrNI$T2ZQe!6*VYdLDQiq~N3U%T{ipXi2!
zp=-{I`bax&WM(rp++X{oh(rCpG8!!LB`$4mZdRZ4%<vE0c^XCuQh>w!dSmi(=jK{T
z1V3zwh=@2RJ=uMD_Q!8b4u?}k>r*`($L1s&J|O&SV#Y7GW=*>+<7xF4rn+}IEjz8N
z<>E$BRz?wnrBy*pmHs5DIwNE6#Ra*Kel+hiS`AhUG&e=RJbSYp9fz_W!-kYyF8j6_
zJ7u+%Qwje0V}-i2S6X{yHR~4JRNKou7=8<l^u-%$sH2$c^^BZIdAx?H+W+$fPOi>X
zX~}9n=`iQyh7#YI%|3yuRd1>n>mKDIj(0<baXoL<&<UoI?$x^z!H%ClS{`c8A_p)0
z4LIO^Op(U$6V26Mzw=#4`(EUR!5p7SGyVmxmy(c!N4IIh3+r!g5dR`A<r$REu-s7b
zmxoq7%;paMJX={Dtkp>);T*9flFiQeUoBGWTT-;@Q6CWz8!=6GPUUdGm#7qu<9l|b
z*>rsBFTaxGV$oD5H)in>u+%_%CGne!hMP;~?*`g$&#8X&fJ)F>*71K&it9k$-=C_I
za+}(^r))54iF5Hq(jHQhY_6~OPFkPh&bqyF^@Qqw%TK-}wypyoi45ZDDMEg=#&)r@
z)!=^=FQEJCY5mj8*X9m<jrr#$ZpDZa3y@&IV5x1HK9@Su^0VP#effJn$G|TdfVxR@
z)}E>DfWm$sk6;zLml+W#bi=e~TByy}cSp;O#g3GA->4<k5!O!JB<@-qA&LubZ2OA2
z$bvFUZ$X|TYg(4K)XL9VXfo6&tKo@+KFo2twu*ZuO8k<n$g+h7HO6y00kFX<aXLMd
zakrj{IOk0BFZ0Uz_N6Ip0=j)T2u;w9h8PsIaw)a-A(V1L{<?AX;`9oeTzzE#eTvHP
zQ6mHqwK@(|-*-_KXV&+b5h~B_ZP)37ob!oi0Q1bhrJ`l%sSj4po=g(*{*%A|L$SnG
zIAi=P9$fpukk(2DW1NeM29$_qgNdm%)N&Ae%=eA7-Zh_3R^wfW$b_4@GYD|wr>@@+
zk<6BXgkkl}YvEuxOb}O7j<;Bb%G}WI7{E$cWup4luN}AuatnbGnCTD7yP(YbIn5@e
z>-h=Gf}dAL0i8)X6ABO2p)g&eobH9{C;mu=yzP*P%U?iOfMAVFFu(ykEMd(kXDa`w
zI2vgy+Z{k5J3aALwgd#YEL#%0u&u8IrhQyYqz6JJ<~U-CqG-TTl7%4Jq;tZH@k+w_
zc@-;o>?r>b_2mg46_<s~i3h|saY<kM{t9!PL5`AT1(w<nM&}5Y4oM}&RCTpQhu@{d
z*bbXW+t3&NOi-zgI(85mt5zhH2Fi3sM&4T*MO`d+;Rt!ZG_BW%)&4u_Bg<gNcx#&0
z>0QMYRwY>CP#GAFuYKVyA}l@R#5I9KW8LCEL^KKfWrGb{3Z|J**627tIvByOINmh=
z#W!RMSgxG1npJzUcTi_X#1}c-nHqv^uRz;ibeN@lY!nI<q6i6BB#ItMT5^{w16Rkd
z%RXT{kGtBadB40=LJ&1R?#H@LQQ0i(fuviy*?>RutKTIsUF9P?Y6qJ@zOgy*>|#M9
zdilSHgthYVs1zpzB^p5f3?@{du~IS_=h4M!gW2EU`u&QImEQYxID-s_+ufxpbEqbS
zX@q`dVm5jE@eW=IHTqe#AGzyja&XAX7#^KHi}C-!EiKSl-6h=RaSBH~C-Jf^!~VYe
zajj_m1$v^y#ra-1ft^|;ftRXXv)+Yl2!r}qiViM7jv81&YLXn+w~vdqwY2>nWB~)y
zK!rQJ&+XD9xj6;wJ{n|x@+C726v6?`iU<yrV!Na6Sn&sRW!Z+PJy}{$A;-}*P)Z@H
zyvw_Z&oJD^PhjFs(v^J|)j?<Y`&haRA5cYZbv}BF1EX4nrv?6g5QdDG6?mFpQ18j)
zJzw0MEGCZ`)(_*ROug1oEahl6F!W8A8zZqaB3^Omqb~()SpA3#RZJ8JAy1JP2iYEw
z_9e4>z7ah&V4$v!V~90|(%klxgnDGK9@N{-BTeT;H5u<SawG9#ELbo~!T)3XsE#Sn
z{?u#(*t3jh>4St1(Czuwo*MNxIKg2CP?#()4@g6HD-@3|gWFU>umZ#lW`vGW_{^n=
z$*kn`r^lBJ{Uld~HYYCMxrD%q(_jOLdiCHN<OiHHBqbnARs4aXByssIUC?Eej9a`k
z8ZcJPThMcO*WLD56Lkk=&}Af?m`ifshBq<4e#ekPd_tZi(jwEc{D$6k?{Xu=l+c1A
z-GohHy-G$R2eQSN7u86x(^y7Q7V#XcUM|o7q9uz7CpX1kfK4$F!e}l?>q8tb9~ox%
zU2(jUi-3eoM~IzPC|)Uz6{6z03#BE`5Z7=0Axn$pDVe(MF-r21cSZ=YCNqN+Q)2cS
zGwd-#F(N1mg#oB*$Q(~y=cbTH>lUtPxfh;S169T0(7y98bqkSq7A8n0xZpLDjV*eC
z)Ad!s`Ya7oFd+ILVsiZ(ROSzZjRPptfnbGF>m2>d5|Q(25OC)8g&&vyNM7L+>p2<x
zq64Z`Z&4A?<eC24lor^Du%rh<Kx?uwY|ozP#JKoE1+pL}&IfauawPprv}u8V!`9nh
zi2Q$%(f>^q4&Yy*k*Gj4|7rODsw!y<`#%klDgG5M?EhUAT;gBb!IDyd{71a7|6P@z
zL&$-gy`%5lw<6FBNK)-n?;Epm96ZpvrMC9)-&y6syuH2apt&sQxNtNN_Ns~siHZFB
zn?vP(B=j#~{Ieyw?Q)d>|DUzT&DTpP+{&lq=rfET3Aimib3@8Ia9T|k&Nf&bWwE2k
z(FM`a0$EdMuK_tPflW<b2~)!+i>WpT>41NFh?)$8o7_of!}EMQ`Dlv_=p<U57jQid
zVd!cvuK<_W2vuyg;-??**HqhW8Eb;OK0<U+)md=>Y2ey&w`Q#lbqfo(?2kK0O2f~>
ze`gPuyv4Pq&Q3k#b{Z1t*R&E@BW?sSjGZ_?CHHJ_IwE`b<>mq(u+W1W3zt~pWqSHX
zk1o0*A3grAArdu+hl|f^-+E-`Y6S!an+T*J|H*jh=y*0^?`LDJetA{s-}-$>*0e`!
zsr}^5HjI*&kXLZRB{Vl!oIb(EO8UA)`!uDfIG&o>+TV9NB3{Gr>?4%dGqMuVn$)$@
zmp4#$!4vy}fkZ*F8n93J@#QkM%^}HP!4_`vjUT%ApG|BiHR_*3AV0ywZEuYFwIxkq
zG<V%-QeF^Mad?#Z#{tgT+V=6_0>{BMASR)Yw)0Lv^wqRc$6a61N0Keo!ioGd)zU3-
zxQA7vdaIM_Y-R1RURrmTO3j8>#0kLyKmY8N-OqR*5*~@k!P^N(v%R8v0j)zob3<})
zh7UrByV<)X+;j~B1wl)Fq;anA`Rsi-D&4?00FiIT;9-0t?-oLYS4%Anp6=!ddJ{7_
zUAa2TLBwf+onh`u6dzWhz~kS@Dy=^j{JJc8WZS}bw);pQV<x7+wBM6m+bUg@3g^bY
zF}`)SrQU88%m8rTAghssctrXA`s*laU$>%_*e;!<y4iTx$w%N0qG7hK*Hu}0txja0
z1Nds4oXPStlHdtRK%v<I=Q_u8r!Wk-TYB4ck#fMd7@sZjkfyV+)Pa?&9}?z_oTr`u
zarRb!W$fH)TgbbZ0Ce*oQ+C+O@!Q)wY9s=>LBG+|P?J5E>3;9N<C5LXji-K|oMYJg
zpfe{vsPLpFgOoD4k;T+A+T4uM$Z7g{y+}X>rWuI^*yBEmwo~p#^*e+75WrUxfsk#W
z+ZpmYuCDdkdvDv<J#s8O^Ch_yf6hk?GH4>;H7!ok((-`JLK?i~;z9a(0Gs}{C$~YK
zBRiSW?j&1IgS5w}2Zv^<^njomBweI+u3cZb6@Z!%NK#}BB%J!BgQXugCogWn{E&7v
z>P3zg=xmAe>ET$~W(yfJS75Lb+mD<&pZ%{ZX_10KvpqJ{V$y!5mVOBNV}4-+#Qs+m
z{nsEbyF#qngST)<1B4t`{RGuMz8La4rqPtdR|+zLf$)iMrP0j>cdacJ-`BS-jG_=u
zYE}3l<%EaC)^g1wJyz{g*YC$i#4iO^=fsj|gVp3AgI!d#Ra?ljY@Z|ftzlq)R_P8=
zu#E&Q+BGdA?xIAzvD@?T;9EmkGA0}l?n-rUTw?ALk3fpc$++9zpbPS3iuV(J=|R*V
zA$<fL&@;iijO38FEl{N$X;|nR3JiYh*?Xzwja$Uvsi}$<LCAwldB^HPWH^off+P-r
zz9slEeAD^^bbjIG0p#BK2ter<u)i93NI}s<Z<w%Y{aVl)v?Zx3>Nh=x7{KiS*>#ra
z%Gd()0P3JGzKT72nm2vg`sr*63@QFLRZXv=VLJ4u1?+f60BG<+rI2q{!2=_uI?Cgu
zAHbr*`ko*cV0j_|muL;K36Q3JrHj?Dms`?5^l|EqC*lB_3?hjsMQY!OeV7>1%FoX-
zzfQvwlx^iQVgA|B#{12$IY~mLeH}6r1cf%#3*)}=n*wjLkiiLqun>l;Bb<MxBsd>}
zI2g;yR8JQ~gs~aDoJl?f8#JnIe8>6$0>LL^nDn;=rGBh-SJ?l0DRVi)2vsgA=<uom
z!Af#LrO1{)NJ0cIQLgxQV383_aImMk$Sg5$rKg6=!nREg`kw@aC)^g76d(@C#Jq<P
zMakY^B-EOPYS(|QqA%dL6ViHkZe{fGM5XXG=RUIe0@i{{eA8E!E^2b&8}WQ9pc<r8
zFyw9{!Z;2O(%h}w_d^YNhnk!<$O3$G;4Kfq9{0ZyH%Ay0Dj;W#asCJVdbU0&Nz1jr
z_n6SFEec!Y=dpjnosg9bCkOc{0#k;PpZ5+qB$z@99uwXZ1uV?LUXy}q1CNP8mn{rg
z`d*eo##TR0?nGp=d@g9-g`Nw`&OLsbk49UOtS57ehfa3&?QMT{6)spD%$<K0kBjDr
ziu|W|S38wl#+q<~G5bQ*-%w8Ib*nXNjIMOr#jYzH<0C2NSK=RmPie%agLwQc@R%+*
zRVCel(X#J+?Mdx~tlyR@n9qX|SNU~HurO8^S8F^1mj$@==y=Bm-n%YCf=e9zXGIMC
zPR-5*lkX$1`Q<TsjA86YqZL`=RXK{t?kie1VMwkaZ<(b7G&BsOts_xm&<>Cfrbc>q
zwtqG+$G~Aj^<O`w0xr={lzF+s%Qt|Bw&xzC1q5|ZH*Tf6C+Qba84@qX|0K&npqQi9
zD2}Jm{Kzr!0XGAxm&HP~@lFTs<^n=nqC0z=ii}%iY>&jG>Dax8o50`(hDFp1^l}RU
zSzXA}l1U$-iz7G*QASE|;P~oU<yX(@eiY2)R^8O8OGTj@FV#MmM4JKfVw&i4v3>1p
zo<hjZ0yHXlExe(&TOpyMm0+DCC{$YA!dztRYwl;%!i0AE+XV}%0-<f@WF(4q%L(Rg
zs03D)3ZF5<Oq)<xs2{RcI}Tco=Z7|1hnCG-E*aPvx^Z3D0p>zzp%hE$J#JE0#s-T)
zHppEBro}LWXzvsLaSG6Cnq!_et69L$%^ZqL@zeF-QW#0RLGWE*d5{FHL===yw8|@)
zf`aF4=H8=W5bEepagl?Y)vbGH-i?IbyF`}U{J>U2BPUp>CQ87`UL&iMnuXH+hZJ9>
zqG7PRV*s}x{99hr=6U8=ABMlcudv*^fZ+ZrwQCxs%v9(tBdZnbXqV+D)k^-s7ygCb
zE9}aE<?dkO+`y4*{ts4s&RYT)RKMmJ=$?9@t>a<kNw<SVeEbvKoUiqN&*c7h0{6cQ
z|BD3f|4ab?&!_)K0{Cyb*gj*+`==9z$`5!+yqC$zrnAO>Qlg}_To=WT+5j&tT!!cV
zLq&%RclCVGU{`--wr{dPjs2;^F_~E%THJWoQ`YtQN6_>Uyt2}q{`y&ZAe#=$oxcXZ
z7l!yVTfhsQub*{zKYAGO8!~5o%Oy)?3LTuu><GcfW<4w{P}#|rZ<Z;2Tp*ep?u+Ic
zk6snO!6&1|)Wl42Ze~bMI0+oK6w^o%6=ujg1xWjIW}*t%qaUhQi*>LpouhL%$Amcp
zu)Qy^XjVqJh`Cu}WXQxP>~HHvhD;%1!O^*|GG3E8W}Ukc<rP(UoDdU1fdilgB8h<&
z7bo%tqDPikL+*QX?#jRffVUGOqNtLC-qhG6VV_Wq@|i6wDHMtyzQ`f(Ko<3@C3cFc
zHWq_Fuj$llzacrElX&dwP{8a5FPhDwo^;h$_JGlG0L<~dhNdqyO&;$bYUrR)Sq#p}
z?L9wPn8~)kOVGQxgpG$w^sCtlezI<P<;PEjS4>a*^8zljyUg2<8_~rBZ1j@7&O%W0
z-ekxF6CVlPPz5aBPv6~KeU0zv!v(0_(fe6q!y!{h{#=SbW?*k>P#yd6GFpiqiK_rH
zWSQqA<g9W$ce15aLff2Rb24N8uqJlf!9ZwB3+(fShr{e)V1iGa6@PLkf60?GSlNyI
z)3o7oFgnRZH+s_6P!c~t6XGlpg6L#UaX9^WbJOEf73yo1_FPmiE;OGgZrOgHyg9em
zfIdfdqHyMqyQFn@Wx)QKgN!6ulRwV}kFR)lv2c%rsl=d7{(RiL8DGB}f4tD;DAJl>
zG0<Aa+>2ZP=jxdetkx38%c+}=o_}-wA3@PBwPCl0dzMP(=Jq}D_5E&INjzAvxc`48
z<sWY=eGJOMK9nivY6HX*<+DIPPg(eMqQQ&ZwXBDZU#*m>8o}dn+j7TTA7})czu{DR
zurX2GVNQDEJ9KKaq7mij3U>YSKv%Q4kpF#7o)=C}V5g@WVmXU(vYn;&df5K$PtWv`
zl_ZRHl3Ph<r$5rV%<#&BWFKY%$LV4I)AKVQqx~QZdeO{CK{vmXnMWjn8P&>_Pk{Fc
zX>Mq;ye<8EhJ)OZ_gR`B)}dXU3yBPg=y8|3utWC`b)|Y>Dx`=LPS*^LH_Lf#kI9A^
zKNlxU6cymDqpPyY6@Qt@(_51P#hrE*S?Wu6@H?E=;SuU0z|shKB{T$KCQOE-A~Yf*
z*ea*-d&J|Yny*iB`2k(aQ&8j{<!$O-CHHZww!);;YF47@DaMce{Q|I;zqP=uY4hJ|
zgcr&xG&$E1?DWA~L8%mVm^YpE*jauSQmZfP(L@fY9;~^zc(^s2iIZ(?FOc8+40J`d
zl6~j?(~Yn_;Z&HcTl~fXY-Rml*M6Hglh49Xc~Q=^o>@`&r!3^9*NkoVxOtQ%?DjsG
zIKiDlQZ>NAXZ~4~HH_P+Bcs4a>8VN<89QGY7eTC@ENxeykHqcwr4~MF79z2e@VNVo
zbiH633TyvJL73(PBbUlF<49qL7mkG=USkH-txL9<VvQ~5wMNJ&B~tpXi^Ho;=<q!p
zEm!<?qO=7K@HL2cEN;twg0P6>UeLdy#hzXsDXS^=jjZ}qx2li|Gw?Zy;D2}CpGVfF
z#W{UcsHc;0>bh_V8QNo1UNEzrY@-0ia9>dm6Py=5n8JZP_WK0}201z(_<zBBm{2t?
zic0k8UYg~vVad!w_4I;?qcHa71vV`}CrZAgGUK%Lh&d=J18$9qb}nD;1sCu{8xgHT
zGm~nwumvSMGCLs0*%xKG+N(yZb!>K{3*h_37Y1Aw{xbhnT8$KXKl}mF=w9xG4$;?#
zbxbi?_=hwL=d)@|R@tV5M6u_PEBY)U+CX&ah~i%HJJDn`4`J|52d21m&XJbW2QjT0
zMS^E6n>e&9saMOrZm@>B+-y-wThwA{#n(VeXKv8lnU^>#p_P!1&uh^n$zE(t=VjUm
zje6_NrH#oaC%tt|PVH3MDAm*7&0<rSdQKYEEIN&AuyYVM7<V=h`4?I_MMZST_5@;{
zp=OJIf4WH^%SpuiC}Z()17!{bYg2_-x=4s{qJs3pcil|beI~PCVnsu1<)y`L%qFm3
zg?aCTK#`Pzj$eE!e6svr!SWciCr_;iq^M36H_e*?iMKv#KaVs}U~kA$3E@@Zs0&mp
zqx4;YXjJ$ViyOcLX|1cWcm=0SMZ3TSI)M%6L1~@fb_A*35ZgWE$=3As!VY+I0_D*`
z_sQd08)JTU#6}GXE5+JhVhdI;o^}>VQd|u46Kgl}JiK9%-4)gfTm#2MOHXpY1w-~%
zoB=vpp6&9dK3{ed_>rerBhYu`n4pNie{Yf#2A30XZ&@^sq2+mJ;FI$we8ayjh_)fJ
z0PDdU92Ztze2-)lSosrX6L-eSSolE!^@gBMv_*Y}{`}(s>~2|_A%<f?&iC&J65BM`
z8rWeYrs=-ZDoI}q_!d$w&rm)Qgtzfc<sn%`AfQLuT!kSb?4krbpWSs!gCu(-E}6!>
z9LEyH!TVmXYZtWXjUN(Z5heR(B^X&ssDo$K^~Ox=_CJ6jc-aj&@}iW3S%qbujhmT>
zTjK=WxCsQ!egPc2x$`ui4VtXHM)^y|({NRkW@PN6Z<<eBP26fKsoZA@{7}|w$4>na
zKuch~mpmeH4-tBijB|f4?qsKwtsE({rC$%t7o1<g0CNm|>qbV&S&PY`tUQ)&vU1Vb
zzOYR03`@qc_X;<Xfy<!|>-oD#NL<rtzvr3P_KQ0j%A7pE%*YWpKsaMj3T}ARMvhyx
zRFA+6CNhfrnLn+*I?H<h#1M^IM6f@kYLM-Qw)gomqYkM*%}mJm0*34#Vkwtq_*>!W
z$D_RNB#Ik!?7Vxbh-ymqsX`Hj^ZMSvY(mG6A*!!oU$?RL^hKvWF_UIgw?)<rm*(AP
z&zSiNuFM@v?&E$WL5dS+k$QQo)?7p6Qb#fYB^XON*;>AoUM)7uvB7{$QV<Vj{g2);
zF%~?3%+<y7cL~Q-Bk}y6z=0*T5Oai2T=9db%f>EU9M9!~<v72S#7kRe>)na1tLS!C
z@n`G{B$dvNhUm1Mw3V_|%|5|8OmOIL=<X2pAx}!U3x2MDOruB!Zj#ZXs^Md(*D5N@
zz*92t$rj#*Eo1#=xWqiTlUmUu)_B8%HiIUNM5N63@+tJ}GBG!T9G<$^JziHHIMoi1
z!M(T)vI(lp=vfFe)d5c$%P$!Qqchl1`dKm-k%I=KYENd<I<YDG@9b04)WwmJkbC_g
z(>AKQEWL`>lBX)|su5AV28e4nzna<G&d-gjl$UUgl;8A}=X<1TWR~-jcm;!u0>q3G
zEwUI<3ble&g%XXpu-8)L3FP*wVB)GFzjIm2SkYAvz2!6=R)moe2AY21(6h#XUAkd}
zkKjd&)@C8gizwvO@v~y9+MR3l@-0LsqYxcB)D4KOXB&4ii*08E%it_t+8E6bR5SAH
zCDx;d-2t9dcy<ai5_wX2!QNFEB&hgq9WzE*_$|3>G+t|WaGaO}@iVa8@3~e;hQZ~8
znwPcu)|hX8_?w(Qffl9xcHyxK;u>XMq$&*HYpVZ7M8j69F?yTwSY?^g`b;JIkfx%Z
zW?NB%Bt?D6Fndd8H~hyloY&4u)Axrn5cr2SXci$zl2U=l)-BreDSjJ6ok@5qn6E1i
zZ6;4EBWLS_&$+;-@b7tvxLMR%z618}|F}-%?*F4M^1|DI<ur$7VL&yKMhh%fa^C&o
zJXTBFA*9bG#@Sk*JX+53Mrj&^%GArIh=GaznPfVko$=s;luwjOxpl*Dk!IKW!$K;n
zc3UbnHhIPO@Il6kJZwg$y?65;E0L<>j##Tlz+BX!9KhmEa+t7ab<E*JpR@71?BRg*
zuwI_L6n7X6UOYQaT?9wsaJFCcHc;B>&ms?$J@iFiYEP=WBGP44EpmH%Q7)6XDVYl!
zQ@%5Z^z7<EK=cFXQKk8f=pyCu1{(H;lz6z|d@P|ou&Oy3<}kPWpR07@m#Np<Ew`(>
z9k?7nUFqy3K>vk7K|qv{#A8NcKQ|9hr<+wchnKyQsv@4?rkp&FWYvy5Prr$9twtTV
z{qax9<nIGy*pQZ>WWc{6R=K`PbWs?<<&MW`EhhlQQ|ck|-mkPzv3q<M5+{pT<6F+8
zqN~3`OK&5HKiN;uhCP4nQpLpGc=GI+?M5R#L!EV<Ioy%tsbl7KwpYitTIT_bQeOQk
z=#2Gr0lV$&dHXy2!skl^PUz(}`JH&J0Y)O63F0|UxM<+rb7I1}fezH~3l@vUdJC5+
zdcMBeLn-s`dw~MWcelQjxO8yn1xG9{>7YVE<Q_I^w^Otb)+@z1!JVc7g$8ofI)c6*
zKVo!g5~dP}e@PR6`9c~5|B#+$(UMda_NftNC4`<vchCCgZbr}7-Xi2Cv8%aQ8D_pJ
zV{22?(@zT|v2?R?dF7hr!#}>0RE9|M(G6-T1p6%5dIU{FeUh1)DT{iiDG;PrCno-K
zqx^eF!69}K({#3IPJYmbgeJuDWFXus+2K!Ds9LJ4X^Myk5YPrWP8?t>7%D_5lpUVy
z#Up5kV?bz#bl;`!%1J+Wo{=)tiFRR$(f)n@RW_lMdg9nT=-ZA-?(euEcOjxbJAJNY
zy455+gJ)uL2r2w0G12uf&HXJU!>D7Vga0^MLE#F?eyOq3$_G^9>sk|Q_&mi75Aq3N
zz&zHxoWV>P-XdSqM-hN!Tid!~Q;joFW}JL<)WGdsH}{0-99%8j;>M735J;8U>R)JN
zMbRNxaa#a`@LDZ1N?75O8@s8VrkE@u8Cn!i%)Tq#T?`f$L8GaiiUrBwHXi{~v@%!)
zzcv^rH7^y@75a!J@X3~Xc5I@bCGJ(?B}mqmcf3C=qR`m)yDbqIbp8i14c`#+S^Zpr
z!Ah7cEy3r2jN<i|gW|WADJj{rv|efb+STHs!%T_j;#IGWSDAN7tGywYzJg{IIF$4f
zRwHZ$V?&*SJk!QeQCP)k1Frc1{LpD+-|6t4J*T<SB^9AzeXQ%gCkX25kRM~B!eRk4
zQB|S*{sp&>E!&)%t(t+oA$%=k#DP(9(k}@s49%6K6_Q37GTwBYDU65s?=y@AlH-F?
z?kB4#2>51nfxZg`i<4bf{Q3o;ZU7gmwrCh{BmfnUc)n%*GdWxy%NG>Uru+kLQ6}Tz
zk7XYXuQ`9<cHv`SI_%=}z#$YN?Gnnwrj!pN@;gxe-eL{;rOK3iE|8s<R9r-b#qFqC
zTStM7A%0|TAAiHFyaZH<Oi=)Pm|F0i<5g-~^uuZ)(72!IhX{Q)3|<XbTiG4oNkJF}
zA3<koXxPVlZk({STSpO^TlT%hLwq2;*@Bm#jUj<F9x2=Oe`&qLzD!3)5CAk&n%HP;
zNL!Ou#e%$#_6Ml6Wta*7!)DY<^!!v-Qm<j9-c0q7BW|JhY8&N_=<$>$JDHKFtbvK(
zL|}w7H)~etUA*kzl^RBtpp$)<C1?0>h?e3BymzdsK6S;xj;<E%=frV@3;krD8RW9R
zc<Z~=1{)vI!wJ>9{<`N*m7HRU@+<z{hYu};FLxqfG8AgW@^RCxGxuWf^}AA)_#@;}
z=pFF3#?5n))0*X==$P`vzy2q2(+bWG{^M_!<w1voiV?FHMRm$wSIyFc4;!uyF3XsY
zo)gfpNO_L+?$NfjTSDWb^RA&=%l;5vL6;4J#?~LXUPi6?Zt#b0#p<{qw>CIT=jM%o
z!@+dv`q6cfb9U$J##s2t-q~#U;bt5_NE!Ib(|w}J$6Y=(zYISo-T}?<$E;<M*5FQU
zjTGPGoL~8tUf32is6MFklb1fxT8r}unBERv9k*F@&C^pIf|NIbH6G<8uCZY2OLL0;
zjSyh;NYrAO*nM0{vWa?i(N@&?YQY<VsLT6bFZ2KJ4t4(je*=(bve~uNj6y%?LG+ZL
zn3;K>_Rou5nYCkM4&N@?E>#9nS#Kt;>nz!LEtgZQ^zsV>#(t>T*<MUto!j*9V8Zjn
zW(W2|&L(53MQJ|T8?C<g-K33mC0O+A+FLaGaR15sRiGD1ws0~31y4ppz2GK?P)*gy
z;*S;hz2>5WN6W16+v&+u1qOwP^knb(Ap54Ux!1c(861a8acRV%i6mTy*YqStQd8Z~
z^z~mvv`VyE;wYqWlDk3js@mhvLRM@yUlU%+t5WtykHswY0)AJ!J9?i?x(Gk-T7aKM
zJh{Kd4B(swMOy#B{3>v>(1hXI-3vYGvOm2cPK+cwN1=7+otb44X-$*~^n*sCj?q*d
zHFdiqLIk*P?@vGaNn#0YfrBDpDZZ|@>gN0{8x`iu#!KVIl0m*Rk;RJwvzt5p71W-C
zAsvfC80i-{2g(m}2d8Qr7$IQs)gVSiVmVsfc!poVm{#M4hR(KM-kM|B@%>I+V=#p~
zK?mm0d6PnX*==$IKzP#@8z6ycUXz>uzN{6Hpv^aF`4vGrnRGG${H@jv&YKtmh{ycn
z?3nBiYPfTE{jb*7j&CoUEz=G>Ci15n8L$+d&An=IIUZ1en+*{3<UAaJh4ite^Xo7f
z#P*Y)=kMQl+!|k;4fQwOG&IXj&wB}xKq=h2Q&U_sD?9;UrInx15^@+ocCsz+*EUy+
z!ET}&UXOU{aT=uU@q?}<o>?15U@Z{lh={D=x9Uy&m`it2yRKZ)!6m%l)^JXmz-`y=
z!V9UuFNggT1w^MY=)@P21<;G$Ed~bg2mMyE<vqB~kNJKA8ne-anvRpV)|OM`{dS2h
zL3q&bv))NDd@u|9{5WhB|By!?8GB+r8D<>YH+#8$PCBIc+@eWwLh<JhAC~7LS%9H8
zY+Wxe*=r1xD9O3~mRKBU6V)BKjIg~1^p-_*%*fS%sTrP^D?287%<1gu?I)u(I5En)
z3Jlez)WPV`k%7*^3seYOZq<x+3+9T*juF8aQWq9t*R#cSKI3ahyI{=om)YP;_&xA)
z30n^wri4>VNLIH5XO-(S&_hRaHCz}M?Ok&_zLL%vR;-<f$@TF&LA*SZWihU1IY(l)
z1e^TWVJ<lg!k}c94zlJG3xj8)nGgDl@#j-y@6rGg5%HS>;v>WOWAF`;0R_0t0^i6d
zhvu##H?@@r*QI$fNbITpygn&k=B6(vt(Z3DqXA<+3ttjhS66j1;KZ{i6DozG2Vp8E
zeu6!DJB$lK9zreW`k)Dbl2ALR_KajzN^C<Ua8*_wL|?M>C~U{4zu8ts9_jdUz$MB_
zH7Agw)i-;nP)o<Fr@Iaco;{NWF*Ly8J6vQYzyerlpg|OPzSn<3XpKLe<Ocn`Q4(?l
zpv0?jNOuVSF`kn6A<^yC#S9|I-ky1&m=^y<!vfEOomP}fc=piG;n%;iP{7Txb@V&Z
zxrz^fFQChZH9A=JnOAa=zYI}M>eSOUfE<&|=DWhk6SHFvG{I=#=~{SAuOJQrMEpS)
z`1V%mf35~ds+^r(-W{LfD!$m}nPYbP(oV2bcPe{)(H~Q0q#y-KvJHAxsp!3phrGnL
z`*q3(6^{|o*RM{^NoT#m+}f|D)(YHIBjbVkme}JxPZ6OvQatVb=*a3{J`t|*N-RH9
zzSz%Ni^=RBrKp-}_Ih(y0PN&nm|2yr4X&5IrN?%^dydTUbivH(sGcUkYU3%U!t}dE
zdh7vD`W<Ee@O!E^5eYu9cV1ew+jszFp)0NO>FDkuioeL#t-YKQMQ7d|*z?jCefN-5
zMyKw@O5CYWSSW%rU%B(Yaa%i=&Vx`7aBo-dmZ97vsI>@k*Y=^BJgbpjezBD~^LX;u
zz1HKYffYG?>K^Qrh_z(}@ArKgYsVkh#p(}r9v<ygm=F4LBmQSR!UE(~Ja2dEg<>{M
ze{RaBfhg6}>)J;pC{3AnUDy1QWsa!4nI}Y43K~PMwLfSR|Dz|+5oW(mn@UF_=`_oK
zoe&aGT9SYDv?vtYsR~@s*plr|x~n&NS!nr_ve=oO$(1Pnbi{!+vzUvV$nwIm{kppO
zs&~w;;WBU>W9%mUF-xCO<u)y;BP!qT+=B^8d1>?Yk|S#NHSqVUct#{NZ0xMN>#!8r
zGhmxDmlM-x*NwnEPaQbs-4!W1`t@N%FYR|JE`@*y*Oy?3=H6WTaI%b6HHKrr{mJIt
z&z(+8Zv=x1{8XCO*WP@1dARm#W+regA#%{(R{Ahk#mDx5+tJPKZ1GRdDZ|}GYM73&
zcufK?H%0j`F;+9^m@z+?LjcJTT@AlzA;+{bmtP*w;WYt>=|xjWQD@kGtYSxmT@U0k
z-)LW-FJ8s&zB*mIZS<ybfIVelsqKAwwoU?u?4&3k6yU_SnK+(@%DPx3%5wG%C!`~|
zwV+V7Kd3e`Vm6u5)b;ye;nom^d}E^p5WdGz1BzXhb8w{L97cx*n;u~XUMb(beMG?<
z$qLCy&g%P6Z<z9IzKBFU94@a|vS7tOgXj4UpBL7u*@b^;^sZj3Dk>%`^1GVvLH^5?
zK+}Mx@qOtX18c=|Oi(b<b%R|ev3PP!b5BTO;BBQNZtk`87&P>LaYLC*+BEC<q}mC^
zVypV3R0i!Vd&?d?MX>#@v|Qf1WhDB;4?WK0$!bDtG+;$*k$sn3=d(GRtvIPFTz2;r
zVRMEE)*)$M<VALcakJ8Up1eU^ie2OoQH9#*{R!Jva2NwmJ?|@kSFFH8QCa-D-w9;`
zO7OBk=E)yVLS{aymLSB#?^G3-pxy$>uhVc6d2_R=u@evm0kVqf_Aj`Mz~xlPE+>72
z=8mMc#^<1lZ?7OHelpZfnyP?2E!)@)#y8uQe6w9x+7oNbMOwzz>6vC5j0i>aZv^D;
z@n*k8U0M4eFJ~ztC|4!_=C|iLWjwOc&w{TlS`9nc2R%y+yP!#4DmJ$`nfi12^MDJW
zlfn(vd7TtKJ_v~fiW7n#(61tsUFUq47L?pw@7*{!vK!jIK<2(lP(F@*M1`>x60fZ<
ziGNLv<yh3PlZsOkh1&4~*U=zXhJ_)%Oe778wZXo}-_ny8{aOt9IV)Z2L3;f|w<5nb
zB=HMGAy58@FoDzQHSIM?!9$G%<NP~Fs&!<_uu4iUv%&Racr<U{^B>p(KdXbEW0CyS
zASL=7`7<BlwXZ$VKFIy=FJ0^UW?O#jN`KKtcI)A6RzhWW>v79S*=h(Wq4l}?7O!c$
zN_;!R7ilQC9?-GMF=6phdlazE`-$i3kX6$l*Ft{88dXo@&NCFtq=)*;ki@`8M6ZyG
z%ipsmPYC=3W@D;koEVmMLv?XiPp+R94=hP7QdQcv(#V+<>BTH}kyFM^3ju)aGRQQ}
zuzk8Wrv|p=_XdZGxrs`|z67N_5>r5lQtqW+TZw8oye0Bt${zdVxy`<iZB8TmC#C|9
z8fP+iEPOi9^3tD;u!BEgJg+8vblp^7<ScK|C5^rh`s8}N`0JVfs{i+vL|O6cvJ(c`
zXeUigK$8|xEWHb2C9*IU4h0UefEyQvW)zLy!@wAb^LaJXCSs5*$vqV<O_%1xVaa+)
zV`j3`9aYZ>H;?}Y0=)L{>+kH(nIqlp%SKK_+?(q77@T)G;s*fVCzmAPA#rL49W{>U
zy8cORV3<DonQ}YU8OQ@R>!`D#6niS?NLM^n0m6-tKVWl2VPk8KfN39g-o9L_JXHW%
zA|3m!Loa=+DJ6d$>{Y|GaO+1*eI$<1=$9{(>U{Zb{xabOlp+1xOWVl0&LqEqCNNQx
z3zM!`8G!u@C#nOAyvEio_;~NKv0dV)%CKZ64XYh~DXWo#g2xEj{)eC6g(GFy=)~uV
z>g_?vE^5F8jg%anhA$G6`)zUdQ-vsG0s~l{$L}3~QJghH(sjdAZk}qGE#+wv7b+YB
ztcmdXFm)&G=Q+kDK9ebS7kYF71?BbYT73FS#crZGM!tXIkZnw6tz#_$be-T!vu>qX
zuD}aOv$rYuDKrt&WrO;XlUE#kBN?(B#%C`CIv;!U*&5*c63{Y}<y-NZzn<9<eqh|X
z-|zzNQe@<?dU<<_^Gr(bRCx&4GGXC%v6J&fLiM42KENPOU;sois5~Y9<Li~(7{a0=
zvx#6toII?7Vk|3f&ZAd~E@FRq<7d~hq(1+md9oR30UimDm{uaAm_;_x@%B#{!k7Fo
z^<nnow5eU+lW+JPc+MCPZ44h|YrM-8_W8lfUm=2Pv}iHhSgB}aVD0BT{F1Oi#a|+X
z;n#AJVHrF>iZdmRS-^_!bp|aL4=-Wzwv|>BG*xp5zCG6qG{}?RQtbq)Q)lfzez-RJ
zxwD}Rlp|J*+e;pARvR8JsNT`Qt{zEc5ksAeaLH2xzGK}Y-B*$rGVRW*2;B*Thw`$n
z8-6DGIBzKHG?HfDqHmYcOam{a_>hD2qadqfwCmM8#lkA&ePczcogRS#pZdJ3j4#o=
zR#gVXPy(5>++4lsi{vEOOv*~Z$M`9~T0;IxGgIx>P62f|){!GwQmefPS^fPSVD4)A
z{ph7c8isCze#|XG`0#zrD5i5}A3DzIUnPoP<MB3!F^o1KJE9$1X0I7<NjKfRTZW_e
zEIypY$uMm~#LWv^3Z+7Rz?z&*M4C+FGQ*vuW0PiQ0xPDq0ow924+>o7etj$1s3BSt
z#FP*u;b}l}T~#N~<-DY9(%LCPp4|IMv*)~!Y_<>VNtG_&0~NpeK9yqo$s7Jv9eLG$
z2FCZTr5=0im9dbL$joLmtpS+v!lS()+6>DZLd7>8vGbQl_)~B!@4I9}R2U^R$mC(L
zDQ%yId>Vu6x|N7-9ND@sB=aSN=pe88uUF0NVsAktMLRWfY>CG8#EuRSJ>g>X{a77O
z;ZlqaV4<+-p&qj+VtFEpRc?D{$?uCp0Z)3p$b7s>=2ur)@g-{OxfsE;A|0dV%|uY{
zq<C&v>pJ3l#f0olyy3s*?V2acs2CTMULb!*JK~osAadlS#Je?q^0ClVkIEiyh@p;1
z_kPOPJ)!Ne*LCWE)q|<#Jd{lIW7m>zx*0%)Et&`>vawp55j2>hy6&KS_M>G+C5|@z
zvmMhvmdL|tS3VHkJ7iAwpeNhmhZoaeYatj}V4@T1Wb|>QPUh7QnJ$GLQLoPuP8s=T
z7d)nfb!zPuDvQAFm%VSg4XLLC#CTh`(mwJXVoLrL%+<e^GP=Z&qmb0NHqG0Z?bh8d
zokvNAj@404R<7Iv;^MtlOWn+W1rx$UKxm#0T^A2qHg!X;DwzjfMuO)8XofXnxQIQ9
zrAE%rA6HaT{v;(aDDa0UHXiY)hkf9e^&7TNqyrGwrlw%-x@5B2zQZoU(tbmPOG6u^
zEWW2LV<q4}ke+9~|FfumTJW>cl;*7hB3^}|JfM^u9!nU(UVFBBFRW|3`m_w;kUWo*
z4&a=D#0h#fx!=EA?_vPAl6fxCnBgxcR9*h$4~NR^ePauenrEPIuftCKI<%YEI^u&&
ztZz8aP`Nx8Y&NZ}M8lCqzfFzD`QsZdtLRv}RfaPWH)>_YY+_6Hk*wtj{W6;i4_I+E
zP6Xw_duK+*$;()&>Uw56gK*HHC$u2NlzX4ExTlD@dl!mq@*wK{ueEVfexdAM$LN4(
zZN&`^YED>L)yqMAgB7)@VXFIiLdzlde(0kxn@^&yR=YQ-TtB;+B?8rZcKB<*Wytl}
z|DH8Ngx$}s{gQUV(wO{ai@#$<hvZbA^+`_X;IRgnxI@1{@Z97=KuvV`8RdS5hVWx%
z0r>b7cVi#N<J%*QlIns69C*VxDE~y6YNM0712wz$pcu*1+Z2q8S}9q+WVPoB-VIGi
zAYl8IAQa(TH%%vIBR3IfPX`%Pouiw2d<LM1Gv3XgM7v?b@3ll)Xg;Hex#JX3Dvll~
zGg6(Kzf(YeW0S+uG9~(w#NSI;G4j&(b)z0y&k4CJ=o^MgRxil<3mv@enpifbhiDi-
zlOY8OG0r`Y1)MROX<*`=Ce&evrBebAr=^{Y;_Ben`FN>fSs4J{0n)T)p=nzsOYqLh
z+#MRu*HG?CiOHD6-oGr>L!&YGWwO`HBR;_3j@?T1q+*G1SxQpWob?Pmm<fNxs*gT^
zfvKU@Lv7RSNtJN&zQyAq?If4o`Ded_+Gvm1h~j`Y@=G4NFW2}hKdi81<{9k9ZW+Op
z2(OtEa3nY@Oc(x;U?mk|h#^82gQlk$`GK&KpK89GzqJ=x9iwC=RPr@+)4nRIlcqXg
zjfpoF;{mtIS{jicHqCSj(LgTf%4Zyl)!%o2x69I<LbAfc%0D)R_RVyNSzTzr(W_%3
z#}AolI;fsxaOKRx)J1K}ZLzSC!Hh_S_k*?A4iXXEJoV4VpPPzb=CU*(rr8bO-Y@Q5
z>Y0#!GSNH?1iq+2ey19<mkw#`dWtApog;}Nk{nt=2=K&^EMG1L{*TJOI~>k#-CHLK
z5kZhJBoZQOf(Rx=lp$L5=!s4+x?!{-c(sV$M+>4y?>&0&ok6tGMrX9|k$3NX&c4q6
zzH@#5tXbFdtaYz`|9)%Dy6*=Wp{RoSR^HH$?fVg;1UGD74nAuuZ^>9`P~P{=+pJ_)
zWZwS1`sVc^5r;RPh_4@*Y(v44FApVlnH$A>ld;*xf{1pZs>rI!2yMYCjH)@H?~pIG
zd+LsR6Z91JUMw+TKk^Fq&a`^BLw#dE(SUvMWFbCa5DMG}yBe3O9Ki5_)zs8lRMgb?
z|3`#OQB7?WqpGI%KO_G+!?g$?!$b`+lWcfd$WpRZ;q~>eP}}jNuRvrP*;Z;b-ByZ*
zADKwB1_;)e!d(^n9r`b>9xX{B^Mv?EU1$zB6QX9P#x&oL#fGcM+8Yi>S{QHwwZ$V>
z;2Qdh?E8$K=BSLyRHc+%x%Ni_LK!JPOxqc{9S0fy3_Q34^NNsEBVj?T1NZ0%KwhkN
zJavHOYa>2J;&vv@^?Mv-N1WatfsK@c!?yqrCMaCkBU4u(GYR+&d2)xp+j(o;_>A59
z)^YahgP{jwyOqm>rnPw9d6xl=fT1i27)SAU;q5b@EYFlt_NE008vP&-^clJXJHAl7
zacw0_07_&cK(fxmxcOd82|b+p3c6@uxBjV6-ki3`igagt`gp`HO^jjahUX9hu&liU
zi?*6LUXLZTNDkHJGoN$48u;+}BOYQEX{uL`M*2fN7f-|V-LyX_TL_+b?2)#n3MacQ
zl(Iw5PtJ-;?r}G4?XHd_SDD3K%&whCIBvuC2&1g6T~FBZziL<621y0J>n^C=c<A^`
z-~<C)xYSrZb@sm+HD8^_pdxN*<c~tg8yY|Fcy2Z)?0C3zJXK-Ss&&0sb{2sx&ytH`
zyQbBX&7n}nm*^JlZC6xmPkQKmdJ!yh(i_yN3Q&6lD-%aSZcWXW8T_5pTt!5TZ~J5I
zi&5*)Z}=jg#<+12tgqQ?G7AdQa<I9!5m9bJLP8Aq{rRD<r)Ot%)l|+zV|1^!ewp9z
z;eK`*vtRg>joq0Pe3LU!9Q`;W^J=&%rmVDFh!|=34BTpLygF;+udsneV>h#I%*(}U
z%@3R;$LI_XOngs=Pzz#}wY8^HKBZGbo0%W={w0L{A;wVrVTkB@%)}OUkJ{bmQgh4c
zi?O*$#6CwZ4CO!*IJ-Cl*vyaG88dr+1_?q#ux9O-;+dZF_JvXs?Nf;MBIbAUlU1h;
zbg=TR*C`hLl!XnsnI8@pQz+hv<WOXnn2+lvnRf<sfeVIi|2>$uPko`2OIZq^WLgz@
z)di9FC?e7nER|Q%%4)`~j?ZnUx{6B1=)cO9{t~lu-JYQqR%OGQV{>%<y;X%@EM-uS
z290fwozzANkL_TT^V@=BG{!jeYF2C5y0f^a5|L^jiL$sRe!S}oexh9;SL(2it#dpK
zxql!`Z>T<R&hvt+*KS~TcIyHCYuoK=#?1VQ;_)3bcn#OtX{B$7Jm<=nyqQOw6KAcw
z{1XEsVC%7X=A!I~Rp^JGuH*4mAUIf@&w6b&Bv`S8Ck3zHksMrbx0jm;*~I8>O^k%-
zd2~yn1_SviVO&*PdNc@#@RKzmH2wbgcYT|+wZeLh1LeU^v|)aJz7M3f@JD*)R}rnR
zz=8o*VEPqHlJ@%-CT%&1=Xb{ukT7Q6ENNL(8s(7agOWEgZFb-ERgv*=^Aj^^!Kpoz
z6bWf!NqM<!3~V2%sA4v5=8T%@Fh<4SRk4o@8Y;OJX@q`|z<=3#BH1N+NG2aO>KG{V
zxdL8YfFbZ}WsBzfe5y39G>e`SZKHm|E*xq#&xoR=Km2U^46_zJX1zb4nEznlLN2yM
zVJVHb0a>Zas=YRkfZ!S?$0(YbW?{Q{W9E0gqD!luV9dnJJw<l*zC@~qxV`r1^5L#8
z_<ET#Tv**%TaZp@>AKJ^`dH5WBDI&3vpO!Z7EjnUDK?*q%FZv?O<$g&TMBSx1So_O
zLj)UgjUObdLxikiFP~l-zGr2pbn%|fv>oxr(V_2LO_-t0N8T3_X1)+VdvubQp}iE&
zI~rH~(NIgho-SCiQ~lhA0mjm&n;fNK8566@qzn<LwK?R9SoTP)FD|d&9q;2qK(c#+
zogJKV7FCt?GA_d^RZH3mlbJD39nG}S_Js|))KTqv?yQ`=-FKY{K#pUUa~^G@0-vj<
zWPKna7h@mo9WDd;$3-!}Cg|)(#wE91(UMy+DX+f&R?*cyn-Oj)sM=8?^ANNSzr0zh
zz=a3+7D#DM@A7*`_pFaz1EpDO9ZFXLtX8(39?g2)8xS^w4LwgXS3)W4sjVg2FC#sb
zeM+@O+6ER!&k+zuRyBkU0n)mANRqxV{r*=r_PFpct}>%pJsQ*a#`MJW`qWYDY5_-e
zOQAb4iN>Gah=%$6t<!gJ2ad>cB<bp+V<OeuU)u(Zt<pnLnstW*9?9=H*Ofe{MLeUt
z<cf@simmz(kVDFh+ezpSN7Up770l>-v#dylE}AkU5B1lVUbvg#U0$8Ub$VE-iQ+Pg
zBugDSom&1L5tdRg7Ql!%DD$1Q_oV~cTq`u4x!^@gstkXR{V{oR{806<?40x%y})<u
zhn!Z@DNUIx>YR7?$pXfV54FCwmF4tC`lv#NE(zYL-_&Z&h$_GjHEpD*i%UP_Lv&@b
zf1XS@brm-((X3;cbZNb*HTCU{zO8MhJ!<f<y+?=P&i$HCSrvqT1C`B9CQNLMMQK=k
zIXzEd<yr_0AvNcQR&{+AH7Fx}JxCx|===9nydcdX78hUR`-832h|<QMIimc$Vw2Oh
zi>ZD2hme{IHi{||@H-YQw&RNtYLmJ+c{pfIBQpn_aq^wAC+Lk|c(9YMy*p3?irG{m
z{u}rHM#RPdaTMK2X`5Vj3wr*A-A(GF9=rx5p5kvgZUE*GkizzZtFD0PezsUmR6yeO
z@GxP{SvZw)bFzmoYq7mxEJKQxmdPQsS_U3rjgja(04}KCf$7{J2^!9QrS-Vn;bJbn
znkd(ExKMF)LuyL839b14{n!VUd6QIfGXws*d)LLR8sTb93#s`s?H@=^4gRul&5r<J
z8$j|Gp*Ja9g`5r3&ELrg|3P^mIk4ESL#Asl6+mVHq5c_O>!CkzfBkbkd;bUlLVzCp
zE5so{&R@Uz&tl%F*u$Nabl)jhiCXe$>6weme)b1i?Mef~0mup4zN|%eE|JCXMFoSE
zXn?%HM=~3e+h?Y^Kdi^L!d(7TsxEcvtBf!K2v5<o51h0A;ZNxYi!v45Z%GjTjV+Jy
zuL%hW7)U{WU3on6H>iggpt0AjV8UQH6#iByUXAuSB0-e@{v2q?9hgU=&{?rCsPcFD
znF)v9a}=JUfdv+T^R-udBMCl7@UtY8sVxBc2_O%2n)dc7Dj^xbWMXyHApPZqCXMOx
zvheNg{k@BR*#b4zij=kBTqsvz-hJ3VYol3evQ*b!r}bV38HsdX=yl!^`E6fo{-rS@
zK|dwCo1H^wYVH!iM?=#dIvd1lp@Q($1=PcVzILZd<7)YweZ<_{O65ebU_J1!fMh<?
zhkwhp+51BZoEupi53>67v3uVJtplFg%47p~S)1#{=lcBleuxV#MBV_;%g2kD_u&mI
z%JhR*tEV}fpK?6&Se%UUe*2b__5R4iBve78{pjn^A7C{dEo&(}ab`VQzGhXJ>mc71
z_id1%7d|lb1W4ltNA5x<2t(O--Rs-i$XCv~s&4V4+`bT2Ma`ePv0`^%mltWdzyg<>
z7kG7!B}UrFqS(0dVbHa;|KdS>o8&^Nh4_jJ9t*rs@<FB7y*pr(`B#f&Ju%yCp<d4X
z6@*^ypx*r#=pv1I!L6=@Qkz_w{>A=!-VtG*iOUm48vWUU38M?^t*xyVDfb`iLM;1h
z=|ujam(r}2?3kJJj$z7GjuWRvKHj|pZ69%FLq1WHw9Bn#cKKCNuKJa-g&lp@vkQ%x
z!}lFwPss`<iw%F7&c{O6H+X5d3k$MU>ZIj8ISC;W7CIVZ@tyn7+Wn1P6(Tuc4tX_F
z-nlnEI%`#7Ez6ON`Z2U;k!$J%|3Z(sQG%5Nlr+FVHbW&dqApX5?$O_Y?FDsTp4N76
zg+33+UY)b?7qT|@eX<NCyI%mYCx?3SrhOH$c<(<``CWb|S;uBr*J)VM2(SO5zoFb>
z_@!eSW%%WB;Dh4*n;x8)wRP|dF5rI4V#VuA9V5%y3#E+kTJN{r3{z86L}X`z0)7yQ
zcnZe@B_AQ9fHOQrW5<wtD{7-7ZI2&|?saM3cfJjd{}G%BK3wJ0cOM_-zA!)uW;U0&
zU!@Z3yNR>?$ShdsW7Qu>MNk0Cg9$_6+pgWv-{&KCR(o69okipc96*L>*_7se#Z}!*
z8kn3Y4~H^zE_awFu3d2Jz}z=0N2)b9_d$GoFX{oas7{5|cp)LOT_1jYoLBC;7jg`~
zz~2hJvY$KzFdtp{djC}xg8&i8u|AGRZD-D`0DR$-h#xwu#Quy^cojPhzYCLc-<{P@
z_CVY;v!I!G-N|cZC$jl71nK;S=9;HyOMsrx+%2)&Z-TON%l1Drv$WQ%>0R<SXZJ`f
zSDsfB>)5dg*1UDx`#mGf);zj*y#_b6Xu}CM328|DS(%gBmsoCGINv;4<1lp~nNYGH
z$Vu$tn{jmL7%ycI@nW@LqTnkC*E6x+u5f(ehW(hksAH>jDC#_IPx7<Vm0MD4g8i*`
zJ=6{n^-Y6X-?OI2s1IJ2`>H(0=)kWGYhJs_dCmovL4(hw83f9`7mF+WgGUUj<Aty=
zgO{97ISauTISE@$t8;Ya#>XC%Fjcf53ucYIffeJ1U4p^W@kX6g7m8+b%E}xue;xPI
z=cI>5ABdrpf|XuX?WVGhIy1nY<>YKN@}8t~1B`&XT>&t+;o1T8H_y-cg;VpkXRD3r
zyK7$#a^hXLlxkc;cd!h4y_{Cq7*`q1sN9>O!_K+{pd@uIrF_1Ofi(D<ljedgDHv;D
zrmFmTdN8lnV40rZK8b-Cuf12xu#cQHNW0Xj0%YqD?=e@0e0WcxwJ|;a$Brxd3AIb{
z-p#_=vjuSvvHK426&KSEX?{nA-&|I%Hu}X*=|XW;r>45_To>jm1dU#Dol%C6j5(cF
z%5rpLddSVb`lFYUNd*N3$08>VQ{GRaYuJ91(w)}F%Luzu!A49tw46EwQdSY|+^<w`
zEtJwLT%`=uD6?R`NVd*l*Gg7;8h<ih?{99zJ*!zS#iax0E{XxP+E`*96Y5?+^tE1D
zN$qS}b}F%c;}K?}5Qm??!sDfhn3b+!KfWTwG|L@&WHrLixBlKxB?wEoTA)GyVySbz
zN@Ws*q9OxZBwzCFrfKh}O=(tITx1`>VN~YZ?nl%NbxQ%O?mptZN_9bn6c<0WDi8Hz
zs<WDzg^w7kv2zfI<^Fa#)y*O-VvZ0r><WVQr15VZr)aotyR1-C!baxYuT(fgXUca{
zu-yWdRoj>Cj^27?L#}VH0XC~6{H1V6Y;fwM;4we8mp@7u0aMBOEf-W+e>>+8j2kcX
zNZ~!N`x5~M<xM3o6^OiOn0e082iiu2=^FuI%t8IG@bfd9+i^zMJ2<Drjt;gFY*Fy$
zTT0l`5wNZyzt}AgxG+6h)n(2I$i;5ScpHoHhXO>SH~^VEo!9VQn(kF@qz1Xl6$&*7
z#UgPbrB)7bh<`b;4F$|@PnOEWVe;tc>q#UBVK|5g#3_B|3S30+W6^D(L9`1z)~dNr
z6{DUrKQN)AJ#Y3;xqa741x6@^j-nlPYU|O-Pc$sFPiU~nI+7Vy0`j@(PS=Dam94DG
z6PgsRe?lqsO%}KB0Q)z`iaHW7dgJ&=4%r|!{cufWDf}w=!u6*C6OPx@2~R|k)$|$@
zxUZJez;oRXa6zgBI4^yJc|$+~YGS^2cuE4g1NMdh3&We3Ae5U6m>^B|KJVajYf{yw
z1feK8g_nnOdqhAo*tqNd`9??qAY(8;$<ncWHpv=r;EL#v&l*CS=9ZB3<;`j5FaVBG
z0a|fw#P_ere=q|4H!rXR=spkKSRSgzkF+zMO&=Ydohxwl!rr02dU}66t-tYaY5(Cd
z_NNwOSH7ldrU{$+2G`5!r9%e5sqC9A31h7txwG`Vpe~0B(Q_N6IK2q?EKfJllA~&7
zJTc&DmWsW?q{;#U+-}p@AE^#v2XdughA(6?fbLk@yq1Ca(=k97d7*Y)Zh`(QatF)=
z13Cn7;`)zNf6_CVV`e6VSD8AaIf8+6DcV22TJ!%l4|8%(&7Xw|2v|F)Zf&e(S3&j0
zf1N(MI@#{5b&Eak6^uL7(X?M&9KF)1RPG&++xBA3N--M>=VxZt4o%!6yK(i_WNzh1
z0eJm(+lzP}Gu?0nF*hFVNKv$zP`nbv&rGX6su*73FDt!^`6m7NZh%Ci_@hon4DE->
z!U>m@>H@ZkADhtqXcwX{U2TsEz#+YyK`(c(XXnd%Bw+osL;V5~SCJQ$cB=@+bK@6s
z&WhZq)jAOkW!Gr$=t~$b2oU%vj07fK<-2SlrI1c)a~N`POWy1BK%%ka<B~$d0APge
z7;>Cc)pIM&Xyu;eMENu;lSK6`F^5l$tVCc4_v~K^((ymdo`AV?vh$~F4WSN}wGK4i
zYt1<IUZ&{1!#8Esek}I_0u`s+(RkgMjseWYabmqR(26kW$Kmw&p#e$c@eVU>{2c>r
zw@fy3pqB2b7K1ZWVvXY1w_dC5p2=F%13hjZ<QDTr6I^hS)qX1xrriDd)mq*zHh-bA
z?KOB%`$WjSocOKwz7(1g7v~11v7oLxbTv_I!8Yh+DmiKB6ntf<4Zq#<wK3Pt3Zn!U
zIH4a{>Ae*V35)=Fd3gyqYhALJ;UT|G0ros4BEk@Y_s5{{tc>H6q?<vO!mdIhPm<gj
z-F`4$Sl#3mJ#9bm0m$ixQj5KzvZBsx5-q_h-OByHl6;3p$>gV}2s>y}7v?i!zf=9P
zH6D?>H0}%chel3F>+-To*n~Nref_F}dI+@rZh+V7k!)SgRAyLHTeK6wJPoY68h+7o
z7w&on3<x75EC+qR;c8W8=98;JQ?d!S-$KUdhycTDN07>X<2RCfh^B|$Yl}tS$u<-(
zg`C;OF;b*3^(`T@1r%OHbkbROXG!<7T+v%F9%04Ko@kd9PO1Qn9g&gY>FKe-CT7f=
zy1Kfoz6<{clo84w2#EYi(r)>K@f2mXg)Q!DPYVx~?2qk;23GQ6P~y}v8qFKAT3oZ`
z$5(iv5`OKY0v~&kEh#BZ2(!-U*|p{n9EC~>SIH#ZB`VmTN%{z-^xTH0?3jVB)bZBX
zb7#{=X6{F*RMP(AOEASPSZwG!>9`te_WfGkP`OfOxL;NoLuan}j2jlyy77_=luQUt
zxQ#sdHkBiLoGkH+rBND>e7=WSMz|J_yeGY)>jT^eN=-$<Nd`_7%e68)U&@m-#6`*;
zBi$|pJSFkSwis`zo6*L9QW{7s({@UF73%rut?lY7!hcS8gNPFS9L<lJ9gpNWx1eQ~
zcZc_AF$agoH763aW2LT`G3l0xs^U!CrsA$@)_0kBsk9)rr1AUer>#-3-yU-F@x1D&
zZ0=;&=^t7O^De3mQ;~Fh9WJ_4YGr$`+RxAbIm-)?mNrgWzx7M)mN6$>IVtM^L{wJU
z=K)@7-Wh=>B|MxpB(y%VbkkUpR^7XWUV{EUkTrX1d*jz|FfTC}#sewjQJq|PM6pXZ
z)JO@6`Kp4^1Ehz)*rN!L?^9xIl5J9AtHcY|`OC|+EhhwtNbT8()nu%P;rq3#>yE=V
zdnDzC2S3`J*uLa6GqX7D9dXgIS>3f)K-QDOzM;c#K#7ldF;vl!9><}SCWVvUM_HOd
z-|!K;<RK?Cp6K;;LHC7cXMQ}djBMu+#I*RYa6=kHZ-aaDt>`g{^|nwdRMpkH-KhBT
zUktlfbUdT2HKAc)E%NQm|I|?tkx0g*SmPB`dxrC(iammk6z0X!8AnLgYsG+91bIU`
z;YS9XdbC&Zc#-utexSX9LJ$iF2-hUlwk(LfXNuU%as5cTX5fHoIvEPo>Uq4VY=_EE
z#3xMai++hH@U5wX{P@Mr^m-XZ7wBDGetR%U14}+nS5#S*o(weuBeTkMPu{gWEBx^m
z4|WH)A)uyux7b;KV+o6K)_;(q=SzljP8Frz(&0-2`$>H`ln+O2XGHO<MCack36=Wh
zydvna^5}j~`%DHIr8Dzqcx-rJ&V2ueM)lw6M{>g*^eh!WX>ImCH8N+9IbHIC>Gu<>
zVAS&7PA7yQK7RZNub&-7_=+$&@Xdwy8Gcv$AM>g3kzYoF2_HE93{$$%>4~h16=SI<
z_e-UYj4Ya?V;3;+`C@w$e68IdQD8_(N$XWB^75f=(fClld}3n%SEz+wb}WtL?{UFx
zKkf_RMZ6*Ox@nGDsKgtWppSdxw6@8xutLKxgfUB~YUY_~_Ic?3>vkAgOo7Nx#s7UU
zWmV8B)p_A}dCdGPP<U&d&yvls(z_`ebrU_dGp6S<lRQ=oZ;e9y{A>uTC@yaIZ_(^r
z)_){4gUmM{sbCpEOuc~&XM;7c{eqvdu(6=BlfO{LN|lEtH+X*&!i*wF8(XF(5dPHp
zpBjic)-~(hMe#wUlp4@<@K9?z<J?G}`AUvFtyhNF4_1jivIH49?IMt@>vk<Hs9~5c
z>u(^qi%TviryO0C-jD<*34ivA{sy?pmm24R6|VrtCT=y;Wb>k=@#rfKj(l%MLKrQJ
zZ2}#^7gmHz8wr?H^5+Zx)5X2}gbdmRLDb`jf$!rOrl>Co&(<gH$@-ahKT2yaxR=T4
zetXsYae&J38UAO**p4r9ZPI(pcpyPD7$LUP^Ah2IC6$~6V4?JP#oMrNzni`%Gv6Zu
z&zKBLJ2#5cW0;N&jFv)1MN)hh7CzB=5&uP4dh!O<#CAMKi{e&);zhh{RhfO@&A8o!
z>5)d+R56p91SIK2?y$$Byi<hVQ$Bi(2f_nY5d*<LAU7pEP>XLx5Y?o0KQAyl8%l)#
zaf^%?yil}`1F{sw;UNi<iNJ+<QGVd@AyD$XdZX^a*4BXozVlc2kRVQw@B7dGWkQ7`
zoSO8)^eGG3A2b=@I1N7u%5ReNyX=H~GH?ZTEqus%#-ID`jO>x6omc*CFWWzLIQ?&R
z_|9iHjJK)gH9LyTjjuU_G`ugt!KjYD6j6KGf~AW#6yyGD%^l%y<>SY9>nUNYAr9%J
z7vw2g;yDN@)-oaZ^ab5g)$BBecET7}qpgidTCFIVR(a5Q;K~{9+%(-*+-Q3+Eb>nq
z?zR**9e=^EOCu+jA%{oB+*E*{{Xyx#BZV>TplwColG7RI_Nz8GhcWx&Puv>CarqO?
zF~ogE$rJ!}jSL00y-h9ho!j*suc>#|r2uxP{D-DhvdMl<5KQ2Ed;R3@HF2wCI~C6r
zJ!wsb05nfU3ZSV3<N^;(zuD1uc$C{|StIkHv&OyvG47xH1h+b~BmjtS>}IX|($)Cz
zHBFw8EQ=tnUptTjn6C@R09bQXQ%A6#-S3l;6=dsw{hYxcZx;WTuOM8r<v-;14)}Q|
z@t6j(>ebnA-#Aw8^KlrdA&b67eJKU-`G6Hvc49?=GNc6@7FNimk0Qard1{K8`H|$Z
zz9-Rs9<o9Q{59}|6lvLYms3D=(+VHQ>jhD0uVsZnq+J+5$_e^8U1br^d4V(2E*h}b
z@>nn+6(F|2#_I1d()XI;0#*4tbP=->Q9L<lrMqU~6)`9m$8>Dra72V&g)qIPzMhAv
zvn;@vad2Y&P%hTST-p1FNxc%%ZD(WA^EKrhf8@%EW87>E4^!Z?(J!y1sL+C;TG{0O
zEysDBqDINu#w(i#dE*-gXT15tG^6+Ic6YMc8-!-KS4O7t6<?0GMX;~tJ2lMLZh{>U
zYji;+r}-_`$Cc9;`@5egz@oGBvvnSE^Vo~QCKVbJy9@jc_U<hwk=@eq-ooFDFgwta
z=~)e&JTY;1D#PNi)^Tu$yKLH1RPeI3NsmipXx}ZTs@`$3ik{SN*KmC7x*ujJO=0yF
zHA$osYYz2QC5N@>nUlq!&$k#G%8$aQnm1xT2Lv|IGcFrcKV{pC%$<|Q%XoU1w?D53
z<XFQv_d(v@=&dz>LAt^D;qRwQr=zFeyR|hQNMei_XYHTaL$$4bBlV{&R<H>g=t-5B
zxE&qcuGW4lYpMv|1+j=^wYUdYiNvsByVv#}?$n0lXJGC^ZYTeiio%z6yUQW(w%M+?
z@Omz?+FFlJiw3JIMQ9(xK?nMxrA6^&VdvjQI^W7$JQnq|s)=ij-tCf!b`9+OoD>u}
zbm3fh=-=|I^9!fdjVMtNqsW?giOzmP%f*cd(b*ZZ(*B^+2JlROA$VxNHb<$`@VCFI
zs)?03Fn{0&Wh2R!1*^^_KO@Rz@J6TeB_!|36dzlH7yRME4Rz>m%Rx?K+HJQaPNQn)
z@@X}7*{n~Fa{1#rfqty1NqUlE>-<DZooniJK<=bvaN$em{QPVuQPml-a@&{H(~dR^
z>jZ&8<FaQ#VDD8VP$0@>s=4RmtDcwTg_Z*Lq$ag5_6y3E7yV>>33}M?M?FG_49`fb
z%E4A0txq;*R-Y5}Hz+E46gLRZy@**(r!SA=5qvN=CbZ>G)c<?6bN14~Eq3pEHuGFG
z?YAv!soN>P($sa)bbnscQ4HrK)~#=-h+wc5?A#y18hkyTx$+Ynin#aeQm5a(uy5$G
z>d@o$j2ZOhaew|0r)FU1V0^IK%oo2-_0l}_Z<)EDI^AE~y1sM@q9ep5=I3U+xXLtM
zK8uUcwF*4|3noNbc1Hy>ZtajD;lPsfX5|)=H8iSXF~zn+mAXC3Z6EfO_1S%A-H|#w
zZPF`3M(k!^LE$x5FZwJuN=J8$&7VMJ+50-Fg5FlCEk0%lSC1RuaXD@*Q($F`&qx4w
z{^qozgKC=R>6PwBmwz98yTQQ@2FhJJE-%Ag$n}ZTo#zq)Q(DdwBiGv@RR-O(JQW6d
zf(e#s^V`bulvm_>qfXEt8GNoZxEa&^JhirwDPeoh2hgZEO}tN-3$<UNo$Q6462tcF
zd>5<#JT|;u@4%tKpDn)kDsXZE92v+eU>@+M7hh-F?`hSnvfF3YU;1Hr{VkW7aM5>$
zzdzGQ0e`TNAPvGy^-95m&-E9V8Lq`d?MH`L36#Wf>Z5)nUMHu5PZt!o3zLGDVmrr;
zS+yr|f$CZVMgBuO{<p}VV}^e}UHE@!*Z;pmiGP*$zh=86R@OD{^ChF#1$qKUMp8kd
J;O$56{{v-u<bMDF

literal 0
HcmV?d00001

diff --git a/policies/arch-doc/agent-schedulers/src/main.md b/policies/arch-doc/agent-schedulers/src/main.md
new file mode 100644
index 0000000000..10a9162ea9
--- /dev/null
+++ b/policies/arch-doc/agent-schedulers/src/main.md
@@ -0,0 +1,428 @@
+---
+title: "Rudder agent schedulers"
+#subtitle: "Extending the agent"
+author: Alexis Mousset - Rudder
+lang: en
+region: US
+#toc: true
+papersize: a4
+date: 2024-09-23
+#bibliography:
+#  - config-mgmt.bib
+abstract: This document describes all the scheduling processes used for events happening on the agents, as of Rudder 8.1.7/8.2.0.
+
+# Use link style & font from the nice "ilm" package
+# https://github.com/talal/ilm/blob/main/lib.typ
+mainfont: "Libertinus Serif"
+header-includes: |
+    ```{=typst}
+    #show link: it => {
+      it
+      h(1.6pt)
+      super(box(height: 3.8pt, circle(radius: 1.2pt, stroke: 0.7pt + rgb("#993333"))))
+    }
+    #set heading(numbering: "1.")
+    ```
+...
+
+# Rudder agent schedulers
+
+This document describes all the scheduling processes used for events happening on the agents. It does not cover events happening inside the server services (`webapp`, `relayd`, etc.). The main goal of these scheduling systems is to avoid running anything synchronously over the nodes, as it could result in performance impacts for the users. It also gives time to stop a change or action breaking the systems before everything is impacted. There are two types of schedulers: a main one triggering the agent, and others, inside the policies, that schedule events in specific agent runs.
+
+## Agent schedulers
+
+The Rudder agents are programs designed to be un regularly on a system. The agent scheduling configuration is done either globally or overridden by node, in the Web application. The parameters are:
+
+* A run frequency, with a limited set of possible values:
+    * 5, 10, 15, 20 or 30 minutes
+    * 1, 2, 4 or 6 hours
+* A splay time: a value that will be spread uniformly across the nodes, shorter that the run frequency to prevent overlapping runs.
+    * Can take any value from `0 minutes` to `run_frequency - 1 minute`.
+* A start time, providing the start point from the beginning of the day or the hour.
+    * For example, a 10 minutes run schedule starting at 3 minutes will run at 3:03, 3:13, 3:23, etc.
+
+They are exposed in the [settings API](https://docs.rudder.io/api/v/19/alt/#get-/settings) as:
+
+* `run_frequency` (_integer_): Agent run schedule - time between agent runs (in minutes)
+* `first_run_hour` (_integer_): First agent run time - hour
+* `first_run_minute` (_integer_): First agent run time - minute
+* `splay_time` (_integer_): Maximum delay after scheduled run time (random interval)
+
+And in the Web interface:
+
+![](images/schedule.png)
+
+Policy server (root and relays) are excluded from these settings' effect and use a hard-coded schedule, as they need to run frequently to ensure smooth operation of the Rudder infrastructure:
+
+* _root server_: 5 minutes frequency, start at 0 minutes, 0 minutes of splay time
+* _relay servers_:
+    * Before 8.1.7/8.2.0 : like root servers
+    * After 8.1.7/8.2.0: 5 minutes frequency, start at 2 minutes, 2 minutes of splay time
+
+The values are exposed as generic system variables:
+
+* `AGENT_RUN_INTERVAL`: a number in minutes, e.g. `5`
+* `AGENT_RUN_SPLAYTIME` : a number in minutes, e.g. `4`
+
+Plus additional variables targeting specific agents:
+
+* `AGENT_RUN_SCHEDULE` (_Linux_): a list of CFEngine class expressions, represented as a string with comma separated values, e.g. `"Min00", "Min05", "Min10", "Min15", "Min20", "Min25", "Min30", "Min35", "Min40", "Min45", "Min50", "Min55"`
+* `AGENT_RUN_STARTTIME` (_Windows_): a time of the day, e.g. `00:00:00`
+
+See the following section for more details about how they are used by the agents.
+
+### Windows agent run
+
+The agent runs are scheduled using Windows' built-in task scheduler ("`taskschd`"). 
+
+#### Splay computation
+
+As the Windows scheduler does not provide stable splaying capabilities we use in Rudder, but only a completely random option, we create the splay as part of the policy generation in the Web application (in the `ComputeSchedule` object).
+
+```scala
+def computeSplayTime(nodeId: String, interval: Duration, maxSplaytime: Duration): Duration = {
+  if (nodeId.isEmpty || maxSplaytime.isZero || interval.isZero) Duration.ofSeconds(0)
+  else {
+    val splay        = if (maxSplaytime.compareTo(interval) > 0) interval else maxSplaytime
+    val bigInt       = BigInt.apply(nodeId.getBytes(StandardCharsets.UTF_8))
+    val secondPerDay = 86400
+    Duration.ofSeconds(bigInt.mod(splay.getSeconds).mod(secondPerDay).toLong)
+  }
+}
+```
+
+This function takes a max value for the splay which is actually the run frequency, to prevent outputting splay times longer that the run frequency.
+
+#### Task configuration
+
+The configuration format is specific for Windows, as it gets inserted into the task configuration directly. Note that we don't use the [newer PowerShell-based interface](https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2022-ps) as we require compatibility with older system, so we use the [XML-based interface](https://learn.microsoft.com/en-us/windows/win32/taskschd/taskschedulerschema-repetition-triggerbasetype-element). This excerpt is taken from `Rudder-Agent.xml.mustache`:
+
+```xml
+<Triggers>
+  <TimeTrigger>
+    <Repetition>
+      <Interval>PT{{{vars.systemParams.AGENT_RUN_INTERVAL}}}M</Interval>
+      <StopAtDurationEnd>false</StopAtDurationEnd>
+    </Repetition>
+    <StartBoundary>2017-05-19T{{{vars.systemParams.AGENT_RUN_STARTTIME}}}</StartBoundary>
+    <ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
+    <Enabled>true</Enabled>
+  </TimeTrigger>
+</Triggers>
+```
+
+The important parameters:
+
+* `Interval`: Specifies the amount of time between each restart of the task. The format for this string is `P<days>DT<hours>H<minutes>M<seconds>S` (for example, `PT5M` is 5 minutes, `PT1H` is 1 hour, and `PT20M` is 20 minutes). Here we pass directly the splay time in minutes.
+* `StartBoundary`: The date and time when the trigger is activated. The date and time must be in the following format: `YYYY-MM-DDTHH:MM:SS(+-)HH:MM`. As our schedules are all shorter than a day, we hard code the start day in the task.
+* `ExecutionTimeLimit`: Limits the agent run to 2 hours before killing the process.
+
+As the `StartBoundary` is templated from system variables, we need to compute the start time plus splay time on the server, and format it as the expected `hh:mm:ss` for the start time:
+
+```scala
+def getSplayedStartTime(nodeId: String, startTime: LocalTime, interval: Duration, maxSplaytime: Duration): LocalTime = {
+  startTime.plus(computeSplayTime(nodeId, interval, maxSplaytime))
+}
+
+def formatStartTime(startTime: LocalTime): String = {
+  // the withNano(0) is to only print "hh:mm:ss", not "hh:mm:ss.sss"
+  startTime.withNano(0).format(DateTimeFormatter.ISO_TIME)
+}
+```
+
+#### Inventory scheduling
+
+```xml
+<Triggers>
+  <CalendarTrigger>
+    <StartBoundary>2017-06-14T00:00:38</StartBoundary>
+    <ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
+    <Enabled>true</Enabled>
+    <RandomDelay>PT2H</RandomDelay>
+    <ScheduleByDay>
+      <DaysInterval>1</DaysInterval>
+    </ScheduleByDay>
+  </CalendarTrigger>
+</Triggers>
+```
+
+This task uses a different type of scheduling, with a daily run using a `CalendarTrigger`, and:
+
+* `StartBoundary`: As the task runs daily, we can use a completely hard coded value. To mimic the Linux behavior, the inventory process starts at (actually a bit after) midnight.
+* `ExecutionTimeLimit`: this is the maximal run time before the task is killed. For the inventory, this value is 2 hours.
+* `RandomDelay`: The delay time that is randomly added to the start time of the trigger. The format for this string is the same as the `RepetitionInterval`. It is actually a number chosen independently at each trigger, and not stable in time like the usual Rudder splay. Here its value is 2 hours which means the inventories run between midnight and 2 a.m., while Linux inventories run between midnight and 6 a.m.
+
+### Linux agent run
+
+The Linux agent is scheduled by the `cf-execd` daemon, part of CFEngine (named `rudder-cf-execd` in Rudder), run as a system service (usually via systemd). It runs in background, and wakes up every minute to check if the agent should be triggered. It follows scheduling parameters present in the policies themselves. The sources of the `promises.st` file of the Linux agent contain:
+
+```
+body executor control {
+        schedule  => { &AGENT_RUN_SCHEDULE& };
+        splaytime => "&AGENT_RUN_SPLAYTIME&";
+        exec_command => "/opt/rudder/bin/rudder agent run -uRN";
+}
+```
+
+
+* `schedule`: The list should contain class expressions comprised of classes which are visible to the `cf-execd` daemon. In principle, any defined class expression will cause the daemon to wake up and schedule the execution of the `cf-agent`). In practice, the classes listed in the list are usually date- and time-based.
+    * A general rule for scaling of small updates is to set the splay time to `run interval-1 minutes` for up a few thousand hosts. The `splaytime` should be set to a value less than the `cf-execd` scheduling interval, else multiple clients might contend for data.
+    * The actual execution of `cf-agent` may be delayed by `splaytime`, and may be deferred by promise caching and the value of `ifelapsed`.
+* `splaytime`: Time in minutes to splay this host over. The actual execution will be delayed an integer number of seconds between 0 and `splaytime` minutes. The specific amount of delay for "this" host is based on a hash of the hostname. Thus, a collection of hosts will all execute at different times, and surges in network traffic can be avoided.
+* The `exec_command` does not include any delay and runs the agent immediately through the shell wrapper. The `ifelapsed` valued are ignored since the wrapper uses the `-K` option to ignore locks.
+
+With a 15 minutes frequency and a 7 minutes splay, the Web application generates:
+
+```
+body executor control {
+        splaytime => "7";
+        schedule  => { "Min00", "Min15", "Min30", "Min45" };
+}
+```
+
+The schedule class expressions list is generated directly in the CFEngine syntax in the Web application (in the `ComputeSchedule` object), and templated into `promises.cf`. It generates the list of `MinXX` or `HrXX.MinYY` classes with the required start and frequency, depending if the schedule is expressed in minutes or hours.
+
+The `cf-execd` daemon is responsible for computing the local splay value, based on system information and the maximum value provided in the policies. The splay uses the system's hostname as seen by the kernel, its IP (resolved from hostname) and the current user ID (in Rudder, always 0), to provide a stable value, then hashes these to get a uniform distribution. The hash function used is [Jenkins' one-at-a-time](https://en.wikipedia.org/wiki/Jenkins_hash_function#one-at-a-time), which is enough to provide uniformity (and we don't ask for more).
+
+```c
+// returns a value in [0, 1)
+static double GetSplay(void) {
+    char splay[CF_BUFSIZE];
+    snprintf(splay, CF_BUFSIZE, "%s+%s+%ju", VFQNAME, VIPADDRESS, (uintmax_t)getuid());
+    return ((double) MIN(StringHash(splay, 0), UINT_MAX - 1)) / UINT_MAX;
+}
+
+ExecdConfig *ExecdConfigNew(int configured_splaytime) {
+// ...
+   int splay = (int) (configured_splaytime * SECONDS_PER_MINUTE * GetSplay());
+// ...
+}
+```
+
+`cf-execd` works at the minute resolution. It wakes in the first seconds of each minute to check for schedule classes, and run the agent if needed. In this case the agent is run in a separate thread and does not impact the scheduling. When waking at a scheduled minute, `cf-execd` will wait for the computed splay in seconds before actually running the agent.
+
+Below is an example of the agent start times over an hour (3600 seconds) on a big Rudder instance. The nodes have a 15 minutes schedule with a 7 minutes splay time, and there are tens of relays. We can see the 5 minutes schedule of the relays and root server, plus the 15 minutes schedule of the nodes uniformly splayed over 7 minutes.
+
+![](images/histogram.png)
+
+To help users understand and debug the agent, we added the planned time of the next agent run in `rudder agent info` output:
+
+```
+Run interval: 5 min
+Next run: 2024-09-23 10:18:04+0200
+```
+
+This time is based on a re-computation of `cf-execd`'s splay time, starting in the agent policies to dump dme values:
+
+```cfengine
+      "inventory_splay_hex" string => string_head(hash("${sys.host}", "md5"), "7");
+      "executor_data"       string => execresult("printf '${sys.fqhost}+${sys.ipv4}+0\n${sys.systime}\n&AGENT_RUN_SPLAYTIME&\n${agent_run_interval}\n${inventory_splay_hex}\n' > /var/rudder/tmp/cf-execd.data ", "useshell");
+```
+
+Then the `rudder agent info` calls a Perl script, `get-splay.pl`, that simulates the computations done in `cf-execd` to then display a time for the user:
+
+```bash
+splays=$(/opt/rudder/bin/rudder-perl /opt/rudder/share/lib/get-splay.pl)
+if [ "${splays}" != "" ];then
+  RUN_TIME=$(date -d "+${splays% *} seconds" +"${DATE_FORMAT}")
+  INVENTORY_TIME=$(date -d "$(LANG=C date -I) +${splays#* } seconds" +"${DATE_FORMAT}")
+fi
+```
+
+#### [Bug 25505](https://issues.rudder.io/issues/25505) - 2024-09-20
+There was a change in the `cf-execd` scheduling in Rudder 8.1.7 and 8.2.0 to fix a bug (CFEngine commit [fa6474c](https://github.com/cfengine/core/commit/fa6474c3f8495258ba16eeb701895ff73858a637)) that made around 0.1% of agent runs being skipped. It was discovered on a customer's large Rudder instance, so we back-ported the fix to 8.1.
+The problem was that the target resolution of `cf-execd` being one minute, the main loop would wait exactly one minute between checks. When starting very close to the beginning or the end of a minute, the 60 seconds sleep could make the schedule check totally skip one specific minute, hence skipping a run in some cases.
+The exact second the check was done was drifting over time, producing a random skip pattern. With the fix, the daemon sleeps for the amount of seconds until the beginning of every minute (around mm:02), which prevents skipping a minute. But without this "poor man's splay" of one minute, all the relays would now trigger at the exact same time, with a risk of overloading the root server (or an underlying hypervisor). We hence decided to also add a 2 minutes splay to relays, and add a 1-minute shift of start time, which is also likely a good idea regardless of the bug fix.
+
+#### Inventory scheduling
+
+The inventory is scheduled inside the policies, using the `schedule_simple` method described below. It hence relies on the agent schedule as primary "heartbeat". We also choose to run an inventory each day, even if the agent starts for the first time after 6 a.m. ("catch-up" mode).
+
+```cfengine
+schedule_simple(# Frequency of the agent runs, required to compute the target schedule
+                "&AGENT_RUN_INTERVAL&",
+                # Starting at midnight, over 6 hours, every "1" day
+                "0", "6", "0", "0", "0", "0", "0", "1",
+                # If missed due to skipped agent runs, run it even after the end of the window
+                "catchup");
+```
+
+#### Agent check scheduler
+
+To provide a fallback mechanism in case `cf-execd` fails to run the agent, we also set up a cron job responsible from triggering the agent. It tries to follow the run schedule with some awk-based computations to avoid causing problems when it needs to run agents.
+
+```cfengine
+bundle agent setup_cronjob
+{
+  vars:
+    in_hours::
+      "interval_str" string => eval("${system_common.agent_run_interval} / 60", "math", "infix");
+      "interval" string => format("%d", "${interval_str}");
+      "steps" string => execresult("echo '0 23' | ${paths.awk} '{ for (i=$1;i<=$2;i=i+${interval}) { printf \"%s%s\", sep, i; sep=\",\"}} END{print \"\"}'", "useshell");
+      "cron_prefix" string => "0 ${steps} * * *";
+
+    !in_hours::
+      "steps" string => execresult("echo '0 59' | ${paths.awk} '{ for (i=$1;i<=$2;i=i+${system_common.agent_run_interval}) { printf \"%s%s\", sep, i; sep=\",\"}} END{print \"\"}'", "useshell");
+      "cron_prefix" string => "${steps} * * * *";
+#...
+}
+```
+
+and the cron script template contains something along the lines of:
+
+```
+{{{vars.setup_cronjob.cron_prefix}}} root /opt/rudder/bin/rudder agent check -q >> /var/log/rudder/agent-check/check.log 2>&1
+```
+
+On a system with a 5 minutes schedule, it gives:
+
+```
+0,5,10,15,20,25,30,35,40,45,50,55 * * * * root /opt/rudder/bin/rudder agent check -q >> /var/log/rudder/agent-check/check.log 2>&1
+```
+
+In addition to this, the `rudder agent check` command, when started in non-interactive mode, adds a sleep to model a time splaying. This is a purely random splay, with a maximal value of half the run frequency, not stable between calls.
+
+```bash
+MAX_SLEEP=`expr ${AGENT_RUN_INTERVAL} \* 30` # in second
+SLEEP_DURATION=$(awk -v m="$MAX_SLEEP" 'BEGIN{srand(); print int(rand()*m)}')
+sleep $SLEEP_DURATION
+```
+
+## In-policies schedulers
+
+These "secondary" schedulers rely on the regular agent runs to wake the scheduler up and allow triggering actions. They are hence limited to the agent run frequency resolution.
+
+### System update campaigns
+
+The campaign scheduling parameters are defined as part of the campaign:
+
+![](images/campaign.png)
+
+The main scheduling work (recurrence, overlapping, etc.) is done by a dedicated campaign scheduler in the web application. It outputs a time window for each campaign event (translated as a directive), with a start and an end timestamp. The local scheduler is then only responsible for splaying the upgrades across the whole time windows.
+
+The campaign module, both on Linux and Windows, use a similar method for scheduling the upgrade. The campaign takes a time windows (start and end timestamps), the agent run frequency, and the node ID. It is then responsible for choosing a local start timestamp, based on the node ID uniqueness and agent run frequency.
+The actual end date for the scheduler is not the end of the window, as we want to make reasonable effort to avoid having upgrades finishing after the end of the window. Given the amount of time taken by system upgrades, and the opposite need to allow small windows, we settled on 5 minutes + one agent schedule period. The agent schedule allows avoiding missing the upgrade if the schedule ends up close to the end of the window.
+The node ID is used to uniformly splay the upgrades across nodes. To avoid relying on the assumption the node ID are uniform (they are unique but depending on the UUID types and method of generation they may not be uniformly distributed), we add a simple hash ([FNV](https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function) on Linux, [MD5](https://en.wikipedia.org/wiki/MD5) on Windows) to ensure uniformity of the scheduling.
+
+Implementation in the Linux module:
+
+```rust
+pub fn splayed_start(
+    start: DateTime<Utc>,
+    end: DateTime<Utc>,
+    agent_schedule: Duration,
+    unique_value: &str,
+) -> Result<DateTime<Utc>> {
+    let mut hasher = FnvHasher::default();
+    hasher.write(unique_value.as_bytes());
+    let hash = hasher.finish();
+
+    let real_end = end - (agent_schedule + Duration::minutes(5));
+    if real_end <= start {
+        // error
+    }
+    let splay = Duration::seconds((hash % (real_end - start).to_std()?.as_secs()) as i64);
+    let real_start = start + splay;
+    Ok(real_start)
+}
+```
+
+In the Windows technique:
+
+```powershell
+function Get-SplayedStart {
+  param(
+    $startDate,
+    $endDate,
+    $nodeId,
+    $agentSchedule
+  )
+  $md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
+  $ascii = New-Object -TypeName System.Text.ASCIIEncoding
+  $hash = ([System.BitConverter]::ToString($md5.ComputeHash($ascii.GetBytes($nodeId)))).ToLower() -replace '-', ''
+  $splay = ConvertFrom-Hexadecimal -hexadecimal ('{0:X}' -f $hash)
+  $realEnd = $endDate.AddSeconds(-$agentSchedule * 60).AddSeconds(-5 * 60)
+  if ($realEnd -le $startDate) {
+    # Error
+  }
+  $delay = $splay % ((ConvertTo-UnixTimeStamp -Date $realEnd)- (ConvertTo-UnixTimeStamp -Date $startDate))
+  $realStart = $startDate.AddSeconds($delay)
+  return $realStart
+}
+```
+
+As the server does not know when an event is scheduled, the campaigns API provide a special type of report for the nodes to inform the server about the chosen start date, containing a RFC3339-formatted UTC timestamp:
+
+```rust
+let schedule_datetime = match schedule {
+    FullSchedule::Immediate => Utc::now(),
+    FullSchedule::Scheduled(ref s) => {
+        scheduler::splayed_start(s.start, s.end, s.agent_frequency, s.node_id.as_str())?
+    }
+};
+// ...
+let report = ScheduleReport::new(schedule_datetime);
+```
+
+### In the Linux policies
+
+The method library provides a few way for scheduling events part of the policies, only on Linux:
+
+* [`schedule_simple`](https://docs.rudder.io/techniques/8.1/schedule_simple.html) is used for Rudder inventory scheduling
+* [`schedule_simple_catchup`](https://docs.rudder.io/techniques/8.1/schedule_simple_catchup.html)
+* [`schedule_simple_nodups`](https://docs.rudder.io/techniques/8.1/schedule_simple_nodups.html)
+* [`schedule_simple_stateless`](https://docs.rudder.io/techniques/8.1/schedule_simple_stateless.html)
+
+The implementation is based on the "time library", which is written in pure CFEngine (probably one of the worst languages to express these calculations). The splaying is achieved based on a `sha256(${sys.host})`, which means hosts sharing the same hostname (short, from the kernel) will share the same schedule with identical parameters.
+
+```cfengine
+bundle agent ncf_splay {
+  vars:
+    # maximum value of splay integer = 7 nibbles (2^28-1)
+    "splay_max" string => "268435455";
+    # pseudorandon deterministic hex number of 7 nibbles
+    "splay_hex" string => string_head(hash("${sys.host}", "sha256"), "7");
+    # decimal version of the splay integer
+    "splay" string => execresult("/usr/bin/printf '%d' 0x${splay_hex}", "noshell");
+}
+```
+
+## System schedulers
+
+### `systemd.timer`
+
+The [scheduling features of systemd](https://www.freedesktop.org/software/systemd/man/latest/systemd.timer.html) could match most of our needs. However, it would only support a (large) subset of our Linux agent target (not the old versions or non-systemd based distributions).
+
+* There are two types of schedules:
+  * `OnActiveSec`, `OnBootSec`, etc.: These are monotonic timers, independent of wall-clock time and timezones.
+  * `OnCalendar`: Defines realtime (i.e. wallclock) timers with calendar event expressions.
+* `RandomizedDelaySec`: Delay the timer by a randomly selected, evenly distributed amount of time between 0 and the specified time value.
+* `FixedRandomDelay`: Takes a boolean argument. When enabled, the randomized offset specified by `RandomizedDelaySec=` is reused for all firings of the same timer. For a given timer unit, the offset depends on the machine ID, user identifier and timer name. The machine ID works like the Rudder node ID (i.e. a UUID unique to each system).
+* `AccuracySec`: The resolution of the scheduler, by default 1 minute to optimize power consumption. Within this time window, the expiry time will be placed at a host-specific, randomized, but stable position that is synchronized between all local timer units.
+* `Persistent`: persists the latest run time to allow catching up if the calendar target was missed.
+
+### `cron`
+
+`cron` does not have built-in features for splaying commands and only supports calendar-based schedules. However, it can be extended using shell wrappers around the commands.
+
+## Conclusion
+
+The different agent scheduling systems are quite inconsistent, but seem to work well enough to cover our current needs.
+
+### Simple improvements
+
+* The computation of next inventory schedule is wrong as the hash used in the time lib was changed from md5 to sha256. This confirms this implementation is very fragile.
+* Splay the Windows inventories on a longer duration, and maybe make it stable too. Currently, they run between midnight and 2 a.m, at a different time each day.
+* Add a uniform hash to the Windows agent splay to only require ID uniqueness and not uniformity (which could not be the case in case of custom ID generation for example).
+* Use more uniqueness than the hostname for the scheduler methods and the Windows splay, as it could become an issue when running on cloned systems.
+* Replace the usage of MD5 in the Windows system upgrade technique. While it is only used for its output uniformity (and is not a security issue) it is flagged by security code scanners and might also be unavailable on FIPS-enabled systems.
+* The cron fallback on Linux could be replaced by a systemd timer in most cases, with a simpler and likely more reliable configuration.
+
+### Other topics
+
+We should decide if we actually want to keep agent scheduling local, or if we want the server to decide everything centrally. The Windows agent run splay could easily be implemented as part of the F# library for example, and the Linux splaying could be implemented on the server as well.
+
+There is also a topic about time representations (including time zones), which are not consistently handled in Rudder. For anything happening inside Rudder (and not related to the user's systems), using UTC times everywhere, with RFC3339 formatting when serialized as string, is probably the best option. For an introduction to why time is a really hard problem, read the excellent "[UTC is enough for everyone ...right?](https://zachholman.com/talk/utc-is-enough-for-everyone-right)" page (by Zach Holman).
+
+Finally, we have a project of writing a `cf-execd`-like daemon in Rust that would also replace the remote trigger feature of `cf-serverd` and could be used both on the Linux and Windows agent, which currently does not support remote run. This could allow making all agent-side schedulers more consistent, with an API fitting our needs.
+
diff --git a/policies/arch-doc/arch-doc.bib b/policies/arch-doc/arch-doc.bib
new file mode 100644
index 0000000000..b129958ab8
--- /dev/null
+++ b/policies/arch-doc/arch-doc.bib
@@ -0,0 +1,23 @@
+
+@inproceedings{lutterkortAugeasConfigurationAPI2008,
+	title = {Augeas–a configuration {API}},
+	url = {https://www.landley.net/kdocs/ols/2008/ols2008v2-pages-47-56.pdf},
+	pages = {47--56},
+	booktitle = {Linux Symposium, Ottawa, {ON}},
+	author = {Lutterkort, David},
+	urldate = {2024-11-26},
+	date = {2008},
+	langid = {english},
+	keywords = {archdoc},
+	file = {Available Version (via Google Scholar):/home/amousset/amo/Zotero/storage/H23SJJEF/Lutterkort - 2008 - Augeas–a configuration API.pdf:application/pdf},
+}
+
+@book{pinsonAugeasConfigurationAPI2013,
+	title = {Augeas: A Configuration {API}},
+	url = {http://r.pinson.free.fr/augeas/augeas-book.pdf},
+	author = {Pinson, Raphaël},
+	date = {2013},
+	langid = {english},
+	keywords = {archdoc},
+	file = {PDF:/home/amousset/amo/Zotero/storage/5C9X239U/Pinson - Augeas A Configuration API.pdf:application/pdf},
+}
diff --git a/policies/arch-doc/method-logger-v4.1/Makefile b/policies/arch-doc/method-logger-v4.1/Makefile
new file mode 100644
index 0000000000..5398e58cfc
--- /dev/null
+++ b/policies/arch-doc/method-logger-v4.1/Makefile
@@ -0,0 +1,4 @@
+name := rudder-agent-linux-logger-4-1
+version := 1.1
+
+include ../pandoc.mk
diff --git a/policies/arch-doc/method-logger-v4.1/src/main.md b/policies/arch-doc/method-logger-v4.1/src/main.md
new file mode 100644
index 0000000000..4961f40a99
--- /dev/null
+++ b/policies/arch-doc/method-logger-v4.1/src/main.md
@@ -0,0 +1,228 @@
+---
+title: "Rudder Linux agent logger v4.1"
+author: Alexis Mousset - Rudder
+lang: en
+region: US
+#toc: true
+papersize: a4
+date: 2024-11-12
+#bibliography:
+#  - config-mgmt.bib
+abstract: This document describes the current behavior of the execution model of our CFEngine policies, and the evolutions in the "logger v4.1" project for Rudder 8.3.
+
+# Use link style & font from the nice "ilm" package
+# https://github.com/talal/ilm/blob/main/lib.typ
+mainfont: "Libertinus Serif"
+header-includes: |
+    ```{=typst}
+    #show link: it => {
+      it
+      h(1.6pt)
+      super(box(height: 3.8pt, circle(radius: 1.2pt, stroke: 0.7pt + rgb("#993333"))))
+    }
+    #set heading(numbering: "1.")
+    ```
+...
+
+# Rudder Linux agent runtime model - logger v4.1
+Making CFEngine execute all parts of the policies and send all reports has been a constant fight in Rudder development. This is due to the way we bend the execution model, and to our custom reporting tooling. This document describes a new iteration of workarounds, hopefully more reliably than previous ones.
+
+## Context: CFEngine, ncf & Rudder
+### The CFEngine runtime model
+
+```cfengine
+bundle agent do_things {
+  vars:
+    "name" string => "value";
+
+  methods:
+    "placeholder" usebundle => other_bundle("${name}");
+}
+```
+
+The CFEngine policies' structure is declarative, and made of promises and bundles. The promises are the leaves, and control individual items on the system. The bundles are collections of promises of different types. Bundle can also reference other bundles (as `methods` promises), leading to a tree structure made of bundles, starting from a `main` bundle (or a main sequence of bundles), with promises as leaves. Even though bundle call in `methods` promises look a lot like function, they do not behave as such. They are to be seen as persistent objects, that can be re-evaluated several times. The agent travels across the policies, evaluating what is ready, and does it 3 times in each bundle. This way it is expected to reach the target state, i.e., to converge.
+
+Evaluation of the bundles themselves follow predefined steps: a pre-evaluation, then three passes of full evaluation. The passes evaluate promises types in a hard-coded order, called _normal ordering_. A crucial behavior of CFEngine is that a promise will only be evaluated once. If the agent encounters the same promise twice, it will skip it the second time.
+
+### The Rudder runtime model - `ncf`
+In the early days, Rudder techniques used to be implemented in "standard" CFEngine. To allow the users to build their own policies, a new type of techniques was introduced, `ncf`/the technique editor. The model used in `ncf`, the library which is the preferred way of creating policies, it to use single purpose bundles, called methods like functions, and assemble the policies by listing calls to methods bundles in what is called a technique (basically, a bundle containing only methods promises).
+
+This model has several drawbacks:
+
+* It breaks the evaluation model of CFEngine, where the policies are declarative, by forcing an imperative model. We hence have to ensure unicity of all bundle parameters everywhere to make sure nothing is skipped.
+* The function API is not suited to configuration management: the ressources and attributes model is better.
+
+But it has the big quality of providing a simpler representation of configuration, allowing the creation of the visual editor, and the YAML technique format.
+
+### `ncf` reporting
+One of the big problems is that we need to carry a lot of data to be able to make the expected reporting. And this data is not passed by CFEngine in its promises, so we need to carry it in the global execution context. We do so by storing the data in a `report_data` storage bundle, and we provide methods to update the context before calling bundles that will output reports. This technique is also used for storing other important context, like the dry-run information (providing the policy modes feature).
+
+#### Logger v1
+It was a dark age, with CSV files containing information about reports to be made. _No further explanation shall be made._
+
+#### Logger v2
+It relied on what is now called the `old_class_prefix`, i.e. a class uses for outcomes in original `ncf`. It is not used anymore.
+
+#### Logger v3 (Rudder 4.3+)
+Adds a new class prefix that contains all parameter values., named `class_prefix`. The old class prefix is kept (as it is used in the techniques themselves as conditions), under the `old_class_prefix` name. It is also used as fallback is the new class prefix is too long (as conditions are limited to 4k characters).
+
+#### Logger v4 (Rudder 7.1+)
+This logger introduced in Rudder 7.1 is centered around the concept of `report_id`. It also embraces the `report_data` storage, with context setting APIs for providing the required user information (about techniques, directives, etc.) and keeping the direct reporting methods simpler. The report ID has the advantage of being opaque and independent of business data.
+
+The API made of:
+
+* reporting context bundles, to be called before calling the method itself
+* execution context bundles to be called inside the method, when calling sub-methods
+* a log bundle called once in each method, at the end
+
+There is one remaining problem with it: iterators breaks the expectation that `report_id` is unique, and merges the outcome classes of different calls to the same method.
+
+## Logger v4.1
+The goal of the 4.1 logger is to address the iterator problem with minimal impact, and to document things (at last). It is made possible by the Rudder 8.2 server version which enforces the usage of `rudderc` to generate techniques. We can encode some new invariants reliably in the generated code, and fix the issue without too much trouble.
+
+We have three very distinct contexts:
+
+* The library, `ncf`, context. Code is static with methods as entry points, and reporting and outcome classes on `old_class_prefix` (and`report_id` for v4+ methods).
+* The generated user code, from `rudderc`. It only calls methods (and soon modules).
+* The legacy techniques, calling the library by hand, and sometimes using pure CFEngine too.
+
+When calling a method, we need to give it enough unicity through context, and the library code also needs to provide enough unicity for the internal operations.
+
+### User code
+The `report_id` is encoded directly in the generated bundle names. What is needed to be able to ensure we properly run all methods with iterator parameters is enough uniqueness. To consider the most "extreme" case, we can configure a method to take an iterator as parameter, and make this iterator contain the same value several times. This will lead to calling the same method, with the exact same parameters (`args`, `report_id`, etc.). The call stack is also identical, and there is no observable difference from inside the evaluation context. But we still want the outcome to be somewhat different, so we will need some form of non-determinism. The two main options are some randomness (like we do with UUIDs for reporting) or a kind of clock, measuring time advancement. This source needs to provide a unique value, more than for each method bundle, for each method bundle call. The bright side is that once we have it (and if it is globally unique for a run), we can remove other unique tokens used in the generated techniques. As we want to keep it as simple and efficient as possible, let's rule out randomness and create our own "clock" by counting the entries in one of the bundles generated by `rudderc` (i.e. the techniques themselves, plus on for each called method, allowing iterating over the parameters). As each iterator iteration will re-enter the bundle, we will get an incremented counter, and unique value. Everything can be done in the generated code, we only need to initialize the value to zero at some point.
+
+We chose to inline the value increment as opposed to creating a dedicated method in the library. This has two goals: keeping the performance impact low, and more importantly, guarantee that the value will stay the same for the whole method run, as we can enforce the increment to be the first promise to run easily. If it was a method, the value would change in the middle of the bundle execution. Inside a bundle, we need to keep a second  "uniqueness" factor, as the global bundle index can stay the same. As we work with generated techniques, we can keep a simple counter of promises in the promiser in each bundle.
+
+We end up with a light system of 2 integers as coordinates identifying each promise uniquely: spatially by its position inside the bundle,and by `report_id` as it is part of the bundle name) and in time by its "bundle call instance" index. A nice property of this new set of unification ids is that contrary to previous versions, it is totally separate from business data. This prevents issues with unexpected data (too long value, etc.)
+
+```
+   vars:
+     "report_data.index" int => int(eval("${report_data.index}+1", "math", "infix")),
+                      unless => "rudder_increment_guard";
+     "local_index"       int => ${report_data.index},
+                      unless => "rudder_increment_guard";
+ 
+   classes:
+     "rudder_increment_guard" expression => "any";
+
+```
+
+We create a local snapshot of the value for local usage (as the index will be increment by called methods in techniques). The counter could be internal to the bundle, but as we also need to pass it to the library for proper iterator handling, we have to make it global. Finally, due to the pre-evaluation of the policies, the counter increments two by two.
+
+To sum things up, the user code guarantees:
+
+* That every time we change context to the lib, the `report_data.index` variable will have a different value
+* All iterators have evaluated in a previous level
+
+### Library code
+The main goal here is to avoid having to modify all methods and make a fix contained in the logger v4 implementation. We actually only need to make `method_id`, used everywhere as uniqueness source in the logger v4 methods, more unique to allow running it in the case of iterators. This can be done by adding the current global bundle index as suffix to the existing value. The method stack is not affected, so the classes copies are not affected either.
+
+We have a few constraints:
+
+* We can't add parameters to methods
+* We want to avoid having to modify all methods as much as possible.
+
+#### Reporting
+The reporting is now based on three main context variables:
+
+* `report_data.report_id`: Fixed for the whole method call. Unique to each component, common when parameters are iterators. Target for reporting, the outcome classes must be defined on it.
+* `report_data.index`: Set by the generated user code. Stays identical until control is given back to the user code. Is guaranteed to be different at each context switch.
+* `report_data.method_id`: Unique to the current method instance.
+    * Contains `report_id + index + ${method_call_stack}`
+        * The `report_id` and `index` never change inside of lib code.
+        * Note: the name of the methods are arbitrary and set by the policy developer.
+    * Used to copy classes between inner and outer methods.
+
+#### Report ID
+The `report_id` is a UUID generated on the serveur side for each component (= each method call). It is unique, and allows matching the received reports against what is expected. It solves a lot of issues, but leaves two problems in logger v4.0:
+
+* It breaks with iterators, as the web app does not know about them, and iterated methods will report several times for the same `report_id`.
+* We can't just report on it (i.e.make a report based on classes defined with the `report_id` prefix) as it would break when calling methods from other methods.
+    * We need to construct intermediary class prefixes for inner methods. Here comes the `method_id`.
+
+#### Method ID
+The method ID is used to overcome the `report_id`'s limitations. It starts with the `report_id` value, and is expanded with additional unicity and specificity values. 
+
+Before calling a method, we set it to `${report_id}_${report_data.index}` to ensure unicity over method parameters, including iterators. Then we need unicity for what happens next. In addition to unicity, we need predictability as we need to get the classes back. To achieve this, we stack the method names in the `method_id`, like `${report_id}_${index}_method1_method2`. The was a directive ID on v4.0 but the index removes the need for it (and improves separation with business data). The method ID has two goals:
+
+* Provide unicity to ensure all bundle calls are honored
+* Provide a stable base for passing outcome classes
+    * In order for it to stay stable, the library code MUST NOT increment the index, and leave it only to the user code.
+
+## Future
+Once all methods use the v4 logger, we will be able to start relying on the `report_id` for outcome classes, removing the dependency on the class parameter value.
+
+## Annex: Using the v4.1 logger
+This section is a developer documentation for the v4.1 logger. It explains how to port methods to using it.
+
+### Simple method
+A simple method looks like:
+
+```cfengine
+bundle agent create_a_file(id) {
+  vars:
+      "flag_file"    string => "/path/to/file";
+      "class_prefix" string => canonify("rudder_inventory_trigger_${id}");
+
+  files:
+      "${flag_file}"
+        create        => "true",
+        classes       => classes_generic_two("${report_data.method_id}", "${class_prefix}");
+
+  methods:
+      "${report_data.method_id}" usebundle => log_rudder_v4("${id}", "Create a file", "");
+}
+```
+
+The only required things are:
+
+* A class prefix definition, matching what is called `old_class_prefix` in logger v3, i.e. the class prefix of the method plus the value of the class parameters.
+    * It is required as it is how methods are linked through the technique editor
+    * Once we have a v4 logger everywhere, we will be able to rely on  `report_id` instead.
+* A call to `log_rudder_v4` at the end of the method. It expects the outcome classes to be defined on (`method_id`).
+
+Note: You should not use `report_id` directly as it prevents reusing the method from another method. The class copy from `method_id` to `report_id` is handled by the logger itself.
+
+### Method chaining
+A method that just calls another one works like this:
+
+```cfengine
+bundle agent package_present(name, version, architecture, provider) {
+  vars:
+      "class_prefix" string => "package_present_${name}";
+
+  classes:
+      "pass3" expression => "pass2";
+      "pass2" expression => "pass1";
+      "pass1" expression => "any";      
+
+  methods:
+    pass3::
+      "${report_data.method_id}" usebundle => call_method("ncf_package");
+      "${report_data.method_id}" usebundle => ncf_package("${name}", "${version}", "${architecture}", "${provider}", "present", "");
+      "${report_data.method_id}" usebundle => call_method_classes("${class_prefix}");
+      "${report_data.method_id}" usebundle => call_method_classes_caller;
+      "${report_data.method_id}" usebundle => call_method_end("ncf_package");
+      "${report_data.method_id}" usebundle => log_rudder_v4("${name}", "${ncf_package.message}", "");
+}
+```
+
+It requires:
+
+* The `class_prefix` as usual.
+* Calling a sub-method:
+    * `call_method` will set the right context:
+        * Disable reporting (after storing the value)
+        * Push the passed method name to the `method_id` class.
+        * The name passed to this method is by convention the name of the called bundle. It could still be different, for example in case you need to cal the same bundle several times.
+    * Then call the method normally.
+    * Call `call_method_classes_caller` to copy the outcome classes of the current method to its parent.
+        * We do this to make the outcome of the inner method the outcome of the current one.
+    * End the call with `call_method_end`
+        * Put the reporting back in its previous state.
+        * Pop the method name from `method_id`
+    * End the method call with a normal call to `log_rudder_v4`.
+
+### Complex method chaining
+
+A method that calls another method and uses its output uses the same process as described above, but without calling `call_method_classes_caller`, and by manually copying or defined the wanted classes.
\ No newline at end of file
diff --git a/policies/arch-doc/module-augeas/Makefile b/policies/arch-doc/module-augeas/Makefile
new file mode 100644
index 0000000000..ecf067cd6e
--- /dev/null
+++ b/policies/arch-doc/module-augeas/Makefile
@@ -0,0 +1,4 @@
+name := rudder-agent-modules
+version := 1.0
+
+include ../pandoc.mk
diff --git a/policies/arch-doc/module-augeas/src/arch-doc.bib b/policies/arch-doc/module-augeas/src/arch-doc.bib
new file mode 120000
index 0000000000..59731a971c
--- /dev/null
+++ b/policies/arch-doc/module-augeas/src/arch-doc.bib
@@ -0,0 +1 @@
+../../arch-doc.bib
\ No newline at end of file
diff --git a/policies/arch-doc/module-augeas/src/main.md b/policies/arch-doc/module-augeas/src/main.md
new file mode 100644
index 0000000000..5a8e86288e
--- /dev/null
+++ b/policies/arch-doc/module-augeas/src/main.md
@@ -0,0 +1,252 @@
+---
+title: "Rudder Augeas module"
+author: Alexis Mousset \<amo@rudder.io\>
+lang: en
+region: US
+toc: true
+papersize: a4
+date: 2024-12-23
+bibliography:
+  - arch-doc.bib
+abstract: TODO
+
+# Use link style & font from the nice "ilm" package
+# https://github.com/talal/ilm/blob/main/lib.typ
+mainfont: "Libertinus Serif"
+header-includes: |
+    ```{=typst}
+    #show link: it => {
+      it
+      h(1.6pt)
+      super(box(height: 3.8pt, circle(radius: 1.2pt, stroke: 0.7pt + rgb("#993333"))))
+    }
+    #set heading(numbering: "1.")
+    ```
+...
+
+# Rudder Augeas module
+
+## Needs
+
+Rudder has supported file editing for a long time, mainly through CFEngine's 
+[`edit_line`](https://docs.cfengine.com/docs/3.24/reference-promise-types-files-edit_line.html) bundles. This is a low-level way to edit files, based on regular expressions, and it's not
+easy to use.
+
+```cfengine
+bundle edit_line inner_bundle
+{
+  insert_lines:
+    "/* This file is maintained by CFEngine */",
+    location => first_line;
+
+  replace_patterns:
+   # replace shell comments with C comments
+
+   "#(.*)"
+      replace_with => C_comment,
+     select_region => MySection("New section");
+}
+
+body replace_with C_comment
+{
+  replace_value => "/* $(match.1) */"; # backreference
+  occurrences => "all";          # first, last all
+}
+
+body select_region MySection(x)
+{
+  select_start => "\[$(x)\]";
+  select_end => "\[.*\]";
+}
+
+body location first_line
+{
+  before_after => "before";
+  first_last => "first";
+  select_line_matching => ".*";
+}
+```
+
+We provide a built-in technique (the dreaded [`checkGenericFileContent`](https://github.com/Normation/rudder-techniques/blob/c44f6ebedf760da17b2be0c26470f9fd7e6a5f7b/techniques/fileDistribution/checkGenericFileContent/8.0/checkGenericFileContent.st)), and various methods
+to perform file editions.
+
+Even if template-base solutions are usually advised, as they allow maintaining consistency
+over nodes and are proven to be way easier to use, the need for file _editions_ persists.
+Usual examples include configuring and securing existing infrastructure while trying to limit the
+associated risk and cost. It is also common that different parts of a configuration file need to be
+maintained by different teams or tools. In this case, file editions are often the only option.
+
+Additionally, Rudder has seen a growing need for auditing configuration files, a use case
+not well-supported by the current system. In particular, we need to be able to audit against
+an expected state, which may not be precisely defined, but made of a set of rules that should be followed.
+But as CFEngine is a configuration management tool, it always expects an exact enforceable expected state.
+We also want to be able to report the current state of the system when auditing, also
+something not well-supported. As the audit mode in CFEngine is implemented on the basis of a dry-run feature
+thought for testing changes, it does not allow collecting information about the current state.
+
+## Why Augeas
+
+[Augeas](https://augeas.net/) is a Linux configuration editing tool and library that allows programs to read and modify
+configuration files in their native formats. It parses various config file formats into a tree
+structure, enables consistent programmatic edits, and writes changes back while preserving comments and
+file structure. It comes with a set of default supported file format, through "lenses", which
+cover most needs for Linux system administration.
+Its principles are covered in the introduction article [@lutterkortAugeasConfigurationAPI2008] and book [@pinsonAugeasConfigurationAPI2013].
+
+It's commonly used for configuration management tools and system administration scripts.
+The most popular use case is in [Puppet](https://forge.puppet.com/modules/puppetlabs/augeas_core/reference) 
+where it's used to manage configuration files, but
+it is also used by [libguestfs](https://libguestfs.org/), [osquery](https://fleetdm.com/tables/augeas), etc.
+
+Augeas was created in 2007 by Raphaël Pinson, at the beginning of the configuration management tools era, and has seen
+intense development for around ten years, mostly by the Puppet developers and community.
+Since 2019, it's been maintained, but with mostly bug fixes and no more major features.
+
+The library and CLIs are written in C, and there are existing bindings for various other languages
+(Ruby, Python, Perl, etc.)
+
+Even if written with classic configuration management in mind, its flexibility makes it
+very capable for addressing audit needs.
+
+A big issue is the current state of Augeas documentation, which is mostly outdated, in split between the 
+website, the GitHub repository's wiki and the source code.
+As users of the module will need to learn Augeas, we will have to provide a proper documentation source somehow.
+
+documenter raugeas comme un ensemble cohérent
+gestion d'erreur, toutes les éditions possibles
+
+Expliquer la magie faite par le module rudder
+mais pointer vers doc augeas ???
+
+Regarding Rudder.
+Pas de plus haut niveau que ça (openstack api in puppet)
+tout est du TEXTE.
+
+Our file management story would, eventually, be re-built on:
+
+* An Augeas module for file editions
+* A templating module for whole file content management, supporting Mustache, MiniJinja and Jinja2.
+* An `rsync` based solution for file copies
+
+## Module
+
+Once we settle on Augeas to address our file edition needs, and decide to make it available
+through ou module API, we still have some open questions.
+
+### Rust bindings
+
+There was an [official Rust bindings repository](https://github.com/hercules-team/rust-augeas), but not maintained and missing important parts.
+After enquiring about the current status of the project, we came to the conclusion we had to fork
+the project.
+The new project is named [`raugeas`](https://github.com/Normation/raugeas), R (for Rust) + Augeas, a common pattern for naming Rust bindings libraries.
+We decided not to include it in our existing workflows, but to let it live aside in a dedicated repository,
+using GitHub CI, and to publish and use it through the public crates.io repository.
+This makes potential external contributions way easier.
+We kept the original Apache 2.0 license for the added code, in consistence with other non-Rudder-specific libraries we maintain.
+
+### Packaging
+
+We have several options: build the library statically in the module, use the system library and lenses whenever 
+possible, or build dynamically but always embed the library and lenses.
+Providing the lenses with Rudder has the advantage of being able to provide a consistent experience across
+all supported systems, without having to make special cases to work around bugs.
+
+As we generally build dynamically, and as Augeas depends on `libxml2`, we decided to build the library
+dynamically in the module, but to embed the lenses in the Rudder packages, and
+skip loading the system lenses.
+We also build Augeas on all systems where the last version is not available, also to
+ensure a consistent experience, as the lens library is part of the core business of Rudder.
+
+### Performance
+
+Below are some metrics for the different ways to run Augeas, based on `augtool` options, for
+the simple task of getting the Augeas version. They show the cost of loading
+the tree and lenses.
+
+* `-L`, `--noload` is for skipping loading the tree.
+* `-A`, `--noautoload` is for skipping autoloading lenses (and hence the tree).
+
+| Command       |  Mean \[ms\] | Min \[ms\] | Max \[ms\] |       Relative |
+|:--------------|-------------:|-----------:|-----------:|---------------:|
+| `augtool -LA` |    2.6 ± 0.5 |        1.6 |        4.6 |           1.00 |
+| `augtool -L`  |  209.5 ± 5.2 |      200.2 |      221.5 |  80.72 ± 15.16 |
+| `augtool`     | 663.0 ± 37.2 |      632.0 |      755.7 | 255.46 ± 49.69 |
+
+Obtained using:
+
+```shell
+hyperfine -N  --export-markdown augtool.md
+    "augtool -LA get /augeas/version"
+    "augtool -L get /augeas/version"
+    "augtool get /augeas/version"
+```
+
+We can see that loading the full tree is expensive (~ 700ms), and loading the lenses only
+is also costly (~ 200ms).
+In a Rudder module context, it does not make sense to load the default tree
+as we always operate on a specific files we can load on-demand, so we can save some time there.
+Regarding the lenses, it's possible to explicitly require a lens name, 
+and hence skip loading them. But it is really convenient to have them autoloaded,
+and avoid bothering the user with stuff the module can figure out by itself.
+
+But this puts a constraint on how we can use the library, as loading all the lenses
+at each call is unacceptable: tens or hundreds of calls to augeas in a policy, which is not uncommon,
+would lead to adding tens of seconds to the run time.
+We want Rudder to be snappy and keep the "continuous" aspect practical.
+
+## Usage
+
+The main goal it to make the module's API as approchable as possible, and especially focus
+on the policy development and debugging use cases.
+
+But we won't try to abstract Augeas. First, because it's already the abstraction we need,
+and second, because it's a very powerful tool that we want to expose as much as possible.
+So instead of abstracting over Auges, we'll embrace it, extend it with the missing part for audits,
+and provide a way to use it in the best conditions.
+
+We'll also build upon the existing Puppet resource, as it's a well-known and well-documented
+way to use Augeas.
+
+### User story
+
+_As a system administrator, I want to be able to edit configuration files on my systems, in a reliable and
+auditable way, so that I can maintain my infrastructure in a consistent state._
+
+Starting from this, what does the usage workflow look like?
+
+1. Decide exactly which change or audit I want to perform.
+2. Translate this into an Raugeas script.
+
+
+
+
+We limit the amount of configuration that can be done in the module.
+This makes it simpler to use the same tree across calls.
+For example, it is not possible to add additional paths for lenses
+to be loaded, or to change the tree root.
+We also require a unique target file path.
+
+
+
+fournir des methodes idempotente (ensure line present)
+
+Never load the full tree
+
+il faut assi preparer l'experience de dev, avec augtool en companion
+
+
+ifonly pour l'idempotence avec check intégré
+
+risque de sécurité à parser des trucs ???
+TODO fuzzing
+
+
+auditer avec des templates c'est pas bon.
+
+* configurer mon postfix
+* auditer ma conf ssh
+
+augeas vs jinja
+
+
+
diff --git a/policies/arch-doc/pandoc.mk b/policies/arch-doc/pandoc.mk
new file mode 100644
index 0000000000..fc38400150
--- /dev/null
+++ b/policies/arch-doc/pandoc.mk
@@ -0,0 +1,78 @@
+# Work with pandoc Markdown sources, producing HTML & PDF outputs.
+#
+# The build is fast, we start clean everytime to avoid managing dependencies.
+
+src_dir := src
+dest_dir := target
+file := main
+reader := xdg-open
+
+out_release := ${dest_dir}/${name}-${version}
+out := ${out_release}-pre
+tmp := ${dest_dir}/${file}
+
+all: pdf html
+
+# Build an intermediary Markdown file, including rendered diagrams (C4+Mermaid).
+markdown: clean
+	if [ -f ${src_dir}/workspace.dsl ]; then structurizr export --workspace ${src_dir}/workspace.dsl --output ${src_dir} --format mermaid >/dev/null; fi
+	find ${src_dir} -name "*.mmd" -exec mmdc --input {} --output {}.png >/dev/null \;
+	cp -r ${src_dir} ${dest_dir}
+	# SVG output does not work well, fallback to png
+	mmdc --quiet --outputFormat png --input ${tmp}.md --output ${tmp}-mm.md >/dev/null
+
+# Build the typst source file
+typst: markdown
+	pandoc --standalone --from markdown ${tmp}-mm.md --to typst --output ${tmp}.typ
+
+# Build the HTML output
+html: markdown
+	pandoc --standalone --from markdown ${tmp}-mm.md --to html5 --output ${out}.html
+
+# Build the PDF
+pdf: typst
+	typst compile --root ${dest_dir} ${tmp}.typ ${out}.pdf
+
+# Build a PDF release, including version in file name and
+# additional compression.
+pdf-release: typst optimize-images pdf
+	qpdf ${out}.pdf --recompress-flate --compression-level=9 --object-streams=generate ${out_release}.pdf
+
+# Build an HTML release, including version in file name and
+# additional compression.
+html-release: html optimize-images
+	mv ${out}.html ${out_release}.html
+
+release: pdf-release html-release
+
+# Open the PDF in the local default reader
+open-pdf: pdf
+	${reader} ${out}.pdf
+
+# Open the HTML in the local default browser
+open-html: html
+	${reader} ${out}.html
+
+# Check for typos in the source
+lint:
+	typos ${src_dir}
+
+# Fix the typos automatically
+typos-fix:
+	typos --write-changes ${src_dir}
+
+# Format the markdown source in-place
+#fmt:
+#   # mdformat & pandoc both break the front matter is different ways.
+#	mdformat ${src_dir}/${file}.md
+
+# Optimize images in-place. Work on dest dir to also optimize generated diagrams.
+optimize-images:
+	find ${dest_dir} -name "*.svg" -exec svgo --multipass {} >/dev/null \;
+	find ${dest_dir} -name "*.png" -exec zopflipng -y {} {} >/dev/null \;
+
+# Clean all produced files
+clean:
+	rm -rf ${dest_dir} ${src_dir}/*.png ${src_dir}/*.mmd
+
+.DEFAULT_GOAL=open-pdf
\ No newline at end of file

From d12a36a59a8e18df7fde244c5edac20fee0eaaf7 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Wed, 25 Dec 2024 22:36:00 +0100
Subject: [PATCH 28/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089:
 Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                  | 130 ++++++++++----------
 policies/arch-doc/module-augeas/src/main.md | 104 ++++++++--------
 2 files changed, 118 insertions(+), 116 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 8879b3dcb7..65f0f6b6a2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -124,9 +124,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.94"
+version = "1.0.95"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7"
+checksum = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04"
 
 [[package]]
 name = "appendlist"
@@ -184,7 +184,7 @@ dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
  "serde",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -293,7 +293,7 @@ dependencies = [
  "regex",
  "rustc-hash",
  "shlex",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -313,7 +313,7 @@ dependencies = [
  "regex",
  "rustc-hash",
  "shlex",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -585,7 +585,7 @@ dependencies = [
  "heck 0.5.0",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -810,9 +810,9 @@ dependencies = [
 
 [[package]]
 name = "cxx"
-version = "1.0.135"
+version = "1.0.136"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d44ff199ff93242c3afe480ab588d544dd08d72e92885e152ffebc670f076ad"
+checksum = "ad7c7515609502d316ab9a24f67dc045132d93bfd3f00713389e90d9898bf30d"
 dependencies = [
  "cc",
  "cxxbridge-cmd",
@@ -824,47 +824,47 @@ dependencies = [
 
 [[package]]
 name = "cxx-build"
-version = "1.0.135"
+version = "1.0.136"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66fd8f17ad454fc1e4f4ab83abffcc88a532e90350d3ffddcb73030220fcbd52"
+checksum = "8bfd16fca6fd420aebbd80d643c201ee4692114a0de208b790b9cd02ceae65fb"
 dependencies = [
  "cc",
  "codespan-reporting",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
  "scratch",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
 name = "cxxbridge-cmd"
-version = "1.0.135"
+version = "1.0.136"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4717c9c806a9e07fdcb34c84965a414ea40fafe57667187052cf1eb7f5e8a8a9"
+checksum = "6c33fd49f5d956a1b7ee5f7a9768d58580c6752838d92e39d0d56439efdedc35"
 dependencies = [
  "clap",
  "codespan-reporting",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
 name = "cxxbridge-flags"
-version = "1.0.135"
+version = "1.0.136"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f6515329bf3d98f4073101c7866ff2bec4e635a13acb82e3f3753fff0bf43cb"
+checksum = "be0f1077278fac36299cce8446effd19fe93a95eedb10d39265f3bf67b3036c9"
 
 [[package]]
 name = "cxxbridge-macro"
-version = "1.0.135"
+version = "1.0.136"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb93e6a7ce8ec985c02bbb758237a31598b340acbbc3c19c5a4fa6adaaac92ab"
+checksum = "3da7e4d6e74af6b79031d264b2f13c3ea70af1978083741c41ffce9308f1f24f"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
  "rustversion",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -888,7 +888,7 @@ dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
  "strsim",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -899,7 +899,7 @@ checksum = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806"
 dependencies = [
  "darling_core",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -930,7 +930,7 @@ checksum = "30542c1ad912e0e3d22a1935c290e12e8a29d704a420177a31faad4a601a0800"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -958,7 +958,7 @@ dependencies = [
  "dsl_auto_type",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -967,7 +967,7 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "209c735641a413bc68c4923a9d6ad4bcb3ca306b794edaa7eb0b3228a99ffb25"
 dependencies = [
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -1030,7 +1030,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -1050,7 +1050,7 @@ dependencies = [
  "heck 0.5.0",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -1362,7 +1362,7 @@ checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -1612,7 +1612,7 @@ dependencies = [
  "markup5ever",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -1927,7 +1927,7 @@ checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -2607,7 +2607,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -2682,7 +2682,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc"
 dependencies = [
  "memchr",
- "thiserror 2.0.8",
+ "thiserror 2.0.9",
  "ucd-trie",
 ]
 
@@ -2706,7 +2706,7 @@ dependencies = [
  "pest_meta",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -2804,7 +2804,7 @@ checksum = "3c0f5fad0874fc7abcd4d750e76917eaebbecaa2c20bde22e1dbeeba8beb758c"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -2930,7 +2930,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033"
 dependencies = [
  "proc-macro2 1.0.92",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -3356,7 +3356,7 @@ dependencies = [
  "regex",
  "relative-path",
  "rustc_version",
- "syn 2.0.90",
+ "syn 2.0.91",
  "unicode-ident",
 ]
 
@@ -3499,7 +3499,7 @@ dependencies = [
  "serde_json",
  "sha2",
  "tempfile",
- "thiserror 2.0.8",
+ "thiserror 2.0.9",
  "tokio",
  "tokio-stream",
  "toml 0.8.19",
@@ -3875,7 +3875,7 @@ checksum = "59fb1bedd774187d304179493b0d3c41fbe97b04b14305363f68d2bdf5e47cb9"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -3886,7 +3886,7 @@ checksum = "46f859dbbf73865c6627ed570e78961cd3ac92407a2d117204c49232485da55e"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -3902,9 +3902,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.133"
+version = "1.0.134"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7fceb2473b9166b2294ef05efcb65a3db80803f0b03ef86a5fc88a2b85ee377"
+checksum = "d00f4175c42ee48b15416f6193a959ba3a0d67fc699a0db9ad12df9f83991c7d"
 dependencies = [
  "itoa",
  "memchr",
@@ -4149,9 +4149,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.90"
+version = "2.0.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31"
+checksum = "d53cbcb5a243bd33b7858b1d7f4aca2153490815872d86d955d6ea29f743c035"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
@@ -4181,7 +4181,7 @@ checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -4322,11 +4322,11 @@ dependencies = [
 
 [[package]]
 name = "thiserror"
-version = "2.0.8"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08f5383f3e0071702bf93ab5ee99b52d26936be9dedd9413067cbdcddcb6141a"
+checksum = "f072643fd0190df67a8bab670c20ef5d8737177d6ac6b2e9a236cb096206b2cc"
 dependencies = [
- "thiserror-impl 2.0.8",
+ "thiserror-impl 2.0.9",
 ]
 
 [[package]]
@@ -4337,18 +4337,18 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.8"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2f357fcec90b3caef6623a099691be676d033b40a058ac95d2a6ade6fa0c943"
+checksum = "7b50fa271071aae2e6ee85f842e2e28ba8cd2c5fb67f11fcb1fd70b276f9e7d4"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -4461,7 +4461,7 @@ checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -4585,7 +4585,7 @@ checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -4672,9 +4672,9 @@ checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94"
 
 [[package]]
 name = "unicase"
-version = "2.8.0"
+version = "2.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e51b68083f157f853b6379db119d1c1be0e6e4dec98101079dec41f6f5cf6df"
+checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539"
 
 [[package]]
 name = "unicode-bidi"
@@ -4883,7 +4883,7 @@ dependencies = [
  "log 0.4.22",
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
  "wasm-bindgen-shared",
 ]
 
@@ -4918,7 +4918,7 @@ checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
@@ -5044,7 +5044,7 @@ checksum = "9107ddc059d5b6fbfbffdfa7a7fe3e22a226def0b2608f72e9d552763d3e1ad7"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -5055,7 +5055,7 @@ checksum = "29bee4b38ea3cde66011baa44dba677c432a78593e202392d1e9070cf2a7fca7"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -5295,9 +5295,9 @@ dependencies = [
 
 [[package]]
 name = "xxhash-rust"
-version = "0.8.13"
+version = "0.8.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a08fd76779ae1883bbf1e46c2c46a75a0c4e37c445e68a24b01479d438f26ae6"
+checksum = "d7d48f1b18be023c95e7b75f481cac649d74be7c507ff4a407c55cfb957f7934"
 
 [[package]]
 name = "yansi"
@@ -5325,7 +5325,7 @@ checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
  "synstructure",
 ]
 
@@ -5347,7 +5347,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -5367,7 +5367,7 @@ checksum = "595eed982f7d355beb85837f651fa22e90b3c044842dc7f2c2842c086f295808"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
  "synstructure",
 ]
 
@@ -5396,7 +5396,7 @@ checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6"
 dependencies = [
  "proc-macro2 1.0.92",
  "quote 1.0.37",
- "syn 2.0.90",
+ "syn 2.0.91",
 ]
 
 [[package]]
@@ -5412,7 +5412,7 @@ dependencies = [
  "flate2",
  "indexmap",
  "memchr",
- "thiserror 2.0.8",
+ "thiserror 2.0.9",
  "time",
  "zopfli",
 ]
diff --git a/policies/arch-doc/module-augeas/src/main.md b/policies/arch-doc/module-augeas/src/main.md
index 5a8e86288e..b2189f18b6 100644
--- a/policies/arch-doc/module-augeas/src/main.md
+++ b/policies/arch-doc/module-augeas/src/main.md
@@ -5,31 +5,34 @@ lang: en
 region: US
 toc: true
 papersize: a4
-date: 2024-12-23
+date: 2024-12-26
 bibliography:
   - arch-doc.bib
 abstract: TODO
 
-# Use link style & font from the nice "ilm" package
-# https://github.com/talal/ilm/blob/main/lib.typ
+# Use link style and font from the nice "ilm" package
+# ([link](https://github.com/talal/ilm/blob/main/lib.typ))
 mainfont: "Libertinus Serif"
 header-includes: |
-    ```{=typst}
-    #show link: it => {
-      it
-      h(1.6pt)
-      super(box(height: 3.8pt, circle(radius: 1.2pt, stroke: 0.7pt + rgb("#993333"))))
-    }
-    #set heading(numbering: "1.")
-    ```
+  ```{=typst}
+  #show link: it => {
+    it
+    h(1.6pt)
+    super(box(height: 3.8pt, circle(radius: 1.2pt, stroke: 0.7pt + rgb("#993333"))))
+  }
+  #set heading(numbering: "1.")
+  ```
 ...
 
 # Rudder Augeas module
 
-## Needs
+## The file edition and audit problems
 
-Rudder has supported file editing for a long time, mainly through CFEngine's 
-[`edit_line`](https://docs.cfengine.com/docs/3.24/reference-promise-types-files-edit_line.html) bundles. This is a low-level way to edit files, based on regular expressions, and it's not
+### File edition
+
+Rudder has supported file editing for a long time, mainly through CFEngine's
+[`edit_line`](https://docs.cfengine.com/docs/3.24/reference-promise-types-files-edit_line.html) bundles.
+This is a low-level way to edit files, based on regular expressions, and it's not
 easy to use.
 
 ```cfengine
@@ -67,15 +70,20 @@ body location first_line
 }
 ```
 
-We provide a built-in technique (the dreaded [`checkGenericFileContent`](https://github.com/Normation/rudder-techniques/blob/c44f6ebedf760da17b2be0c26470f9fd7e6a5f7b/techniques/fileDistribution/checkGenericFileContent/8.0/checkGenericFileContent.st)), and various methods
+We provide a built-in technique (the dreaded [
+`checkGenericFileContent`](https://github.com/Normation/rudder-techniques/blob/c44f6ebedf760da17b2be0c26470f9fd7e6a5f7b/techniques/fileDistribution/checkGenericFileContent/8.0/checkGenericFileContent.st)),
+and various methods
 to perform file editions.
 
 Even if template-base solutions are usually advised, as they allow maintaining consistency
 over nodes and are proven to be way easier to use, the need for file _editions_ persists.
 Usual examples include configuring and securing existing infrastructure while trying to limit the
-associated risk and cost. It is also common that different parts of a configuration file need to be
+associated risk and cost.
+It is also common different parts of a configuration file need to be
 maintained by different teams or tools. In this case, file editions are often the only option.
 
+### File audit
+
 Additionally, Rudder has seen a growing need for auditing configuration files, a use case
 not well-supported by the current system. In particular, we need to be able to audit against
 an expected state, which may not be precisely defined, but made of a set of rules that should be followed.
@@ -84,17 +92,18 @@ We also want to be able to report the current state of the system when auditing,
 something not well-supported. As the audit mode in CFEngine is implemented on the basis of a dry-run feature
 thought for testing changes, it does not allow collecting information about the current state.
 
-## Why Augeas
+## Augeas to the rescue
 
 [Augeas](https://augeas.net/) is a Linux configuration editing tool and library that allows programs to read and modify
 configuration files in their native formats. It parses various config file formats into a tree
 structure, enables consistent programmatic edits, and writes changes back while preserving comments and
 file structure. It comes with a set of default supported file format, through "lenses", which
 cover most needs for Linux system administration.
-Its principles are covered in the introduction article [@lutterkortAugeasConfigurationAPI2008] and book [@pinsonAugeasConfigurationAPI2013].
+Its principles are covered in the introduction article [@lutterkortAugeasConfigurationAPI2008] and
+book [@pinsonAugeasConfigurationAPI2013].
 
 It's commonly used for configuration management tools and system administration scripts.
-The most popular use case is in [Puppet](https://forge.puppet.com/modules/puppetlabs/augeas_core/reference) 
+The most popular use case is in [Puppet](https://forge.puppet.com/modules/puppetlabs/augeas_core/reference)
 where it's used to manage configuration files, but
 it is also used by [libguestfs](https://libguestfs.org/), [osquery](https://fleetdm.com/tables/augeas), etc.
 
@@ -106,14 +115,14 @@ The library and CLIs are written in C, and there are existing bindings for vario
 (Ruby, Python, Perl, etc.)
 
 Even if written with classic configuration management in mind, its flexibility makes it
-very capable for addressing audit needs.
+capable for addressing audit needs.
 
-A big issue is the current state of Augeas documentation, which is mostly outdated, in split between the 
+A big issue is the current state of Augeas documentation, which is mostly outdated, in split between the
 website, the GitHub repository's wiki and the source code.
 As users of the module will need to learn Augeas, we will have to provide a proper documentation source somehow.
 
-documenter raugeas comme un ensemble cohérent
-gestion d'erreur, toutes les éditions possibles
+Documenter raugeas comme un ensemble cohérent.
+Gestion d'erreur, toutes les éditions possibles.
 
 Expliquer la magie faite par le module rudder
 mais pointer vers doc augeas ???
@@ -128,25 +137,28 @@ Our file management story would, eventually, be re-built on:
 * A templating module for whole file content management, supporting Mustache, MiniJinja and Jinja2.
 * An `rsync` based solution for file copies
 
-## Module
+## The module
 
 Once we settle on Augeas to address our file edition needs, and decide to make it available
 through ou module API, we still have some open questions.
 
 ### Rust bindings
 
-There was an [official Rust bindings repository](https://github.com/hercules-team/rust-augeas), but not maintained and missing important parts.
+There was an [official Rust bindings repository](https://github.com/hercules-team/rust-augeas), but not maintained and
+missing important parts.
 After enquiring about the current status of the project, we came to the conclusion we had to fork
 the project.
-The new project is named [`raugeas`](https://github.com/Normation/raugeas), R (for Rust) + Augeas, a common pattern for naming Rust bindings libraries.
+The new project is named [`raugeas`](https://github.com/Normation/raugeas), R (for Rust) + Augeas, a common pattern for
+naming Rust bindings libraries.
 We decided not to include it in our existing workflows, but to let it live aside in a dedicated repository,
 using GitHub CI, and to publish and use it through the public crates.io repository.
 This makes potential external contributions way easier.
-We kept the original Apache 2.0 license for the added code, in consistence with other non-Rudder-specific libraries we maintain.
+We kept the original Apache 2.0 license for the added code, in consistence with other non-Rudder-specific libraries we
+maintain.
 
 ### Packaging
 
-We have several options: build the library statically in the module, use the system library and lenses whenever 
+We have several options: build the library statically in the module, use the system library and lenses whenever
 possible, or build dynamically but always embed the library and lenses.
 Providing the lenses with Rudder has the advantage of being able to provide a consistent experience across
 all supported systems, without having to make special cases to work around bugs.
@@ -181,11 +193,11 @@ hyperfine -N  --export-markdown augtool.md
     "augtool get /augeas/version"
 ```
 
-We can see that loading the full tree is expensive (~ 700ms), and loading the lenses only
-is also costly (~ 200ms).
+We can see that loading the full tree is expensive (~700 ms), and loading the lenses only
+is also costly (~200 ms).
 In a Rudder module context, it does not make sense to load the default tree
 as we always operate on a specific files we can load on-demand, so we can save some time there.
-Regarding the lenses, it's possible to explicitly require a lens name, 
+Regarding the lenses, it's possible to explicitly require a lens name,
 and hence skip loading them. But it is really convenient to have them autoloaded,
 and avoid bothering the user with stuff the module can figure out by itself.
 
@@ -194,59 +206,49 @@ at each call is unacceptable: tens or hundreds of calls to augeas in a policy, w
 would lead to adding tens of seconds to the run time.
 We want Rudder to be snappy and keep the "continuous" aspect practical.
 
-## Usage
+### Usage
 
 The main goal it to make the module's API as approchable as possible, and especially focus
 on the policy development and debugging use cases.
 
 But we won't try to abstract Augeas. First, because it's already the abstraction we need,
-and second, because it's a very powerful tool that we want to expose as much as possible.
+and second, because it's a powerful tool that we want to expose as much as possible.
 So instead of abstracting over Auges, we'll embrace it, extend it with the missing part for audits,
 and provide a way to use it in the best conditions.
 
 We'll also build upon the existing Puppet resource, as it's a well-known and well-documented
 way to use Augeas.
 
-### User story
+#### User stories
 
 _As a system administrator, I want to be able to edit configuration files on my systems, in a reliable and
 auditable way, so that I can maintain my infrastructure in a consistent state._
 
 Starting from this, what does the usage workflow look like?
 
-1. Decide exactly which change or audit I want to perform.
+1. Decide exactly what change or audit I want to perform.
 2. Translate this into an Raugeas script.
 
-
-
-
 We limit the amount of configuration that can be done in the module.
 This makes it simpler to use the same tree across calls.
-For example, it is not possible to add additional paths for lenses
+For example, it is impossible to add additional paths for lenses
 to be loaded, or to change the tree root.
 We also require a unique target file path.
 
-
-
-fournir des methodes idempotente (ensure line present)
+Fournir des méthodes idempotentes (`ensure_line_present`).
 
 Never load the full tree
 
-il faut assi preparer l'experience de dev, avec augtool en companion
-
-
-ifonly pour l'idempotence avec check intégré
-
-risque de sécurité à parser des trucs ???
+Risque de sécurité à parser des trucs ?
 TODO fuzzing
 
-
-auditer avec des templates c'est pas bon.
+Auditer avec des templates ça ne marche pas.
 
 * configurer mon postfix
 * auditer ma conf ssh
 
 augeas vs jinja
 
+### Workflow
 
-
+## Conclusion

From 01b5400809263a4ccbd318e0986cf1f78cdc31ac Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Fri, 27 Dec 2024 11:45:34 +0100
Subject: [PATCH 29/29] fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup!
 fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Fixes #26089:
 Implement augeas module

Fixes #26089: Implement augeas module
---
 Cargo.lock                                    |   36 +-
 Cargo.toml                                    |    1 -
 policies/arch-doc/module-augeas/src/main.md   |   25 +
 policies/minifusion/src/properties.rs         |   94 --
 .../inventory}/Cargo.toml                     |    4 +-
 .../inventory}/README.md                      |    0
 .../inventory}/src/main.rs                    |    1 -
 .../inventory}/src/os_release.rs              |    0
 .../inventory}/src/packages.rs                |    0
 .../inventory}/src/packages/rpm.rs            |    0
 .../inventory}/src/packages/yum.rs            |    0
 .../inventory}/tools/example-minifusion.xml   |    0
 .../inventory}/tools/example.xml              |    0
 policies/rudder-module-type/src/lib.rs        |    8 +-
 policies/supply-chain/audits.toml             |  942 -----------
 policies/supply-chain/config.toml             |  281 ---
 policies/supply-chain/imports.lock            | 1502 -----------------
 17 files changed, 52 insertions(+), 2842 deletions(-)
 delete mode 100644 policies/minifusion/src/properties.rs
 rename policies/{minifusion => module-types/inventory}/Cargo.toml (91%)
 rename policies/{minifusion => module-types/inventory}/README.md (100%)
 rename policies/{minifusion => module-types/inventory}/src/main.rs (99%)
 rename policies/{minifusion => module-types/inventory}/src/os_release.rs (100%)
 rename policies/{minifusion => module-types/inventory}/src/packages.rs (100%)
 rename policies/{minifusion => module-types/inventory}/src/packages/rpm.rs (100%)
 rename policies/{minifusion => module-types/inventory}/src/packages/yum.rs (100%)
 rename policies/{minifusion => module-types/inventory}/tools/example-minifusion.xml (100%)
 rename policies/{minifusion => module-types/inventory}/tools/example.xml (100%)
 delete mode 100644 policies/supply-chain/audits.toml
 delete mode 100644 policies/supply-chain/config.toml
 delete mode 100644 policies/supply-chain/imports.lock

diff --git a/Cargo.lock b/Cargo.lock
index 65f0f6b6a2..1214e2e4df 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2342,22 +2342,6 @@ dependencies = [
  "unicase",
 ]
 
-[[package]]
-name = "minifusion"
-version = "0.0.0-dev"
-dependencies = [
- "anyhow",
- "chrono",
- "clap",
- "hostname",
- "pretty_assertions",
- "quick-xml",
- "regex",
- "serde",
- "sysinfo",
- "uname-rs",
-]
-
 [[package]]
 name = "minijinja"
 version = "2.5.0"
@@ -3393,6 +3377,22 @@ dependencies = [
  "tempfile",
 ]
 
+[[package]]
+name = "rudder-module-inventory"
+version = "0.0.0-dev"
+dependencies = [
+ "anyhow",
+ "chrono",
+ "clap",
+ "hostname",
+ "pretty_assertions",
+ "quick-xml",
+ "regex",
+ "serde",
+ "sysinfo",
+ "uname-rs",
+]
+
 [[package]]
 name = "rudder-module-system-updates"
 version = "0.0.0-dev"
@@ -4186,9 +4186,9 @@ dependencies = [
 
 [[package]]
 name = "sysinfo"
-version = "0.32.1"
+version = "0.33.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c33cd241af0f2e9e3b5c32163b873b29956890b5342e6745b917ce9d490f4af"
+checksum = "948512566b1895f93b1592c7574baeb2de842f224f2aab158799ecadb8ebbb46"
 dependencies = [
  "core-foundation-sys",
  "libc",
diff --git a/Cargo.toml b/Cargo.toml
index da0e9a889d..2fbe261faf 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -6,7 +6,6 @@ members = ["policies/rudderc",
            "policies/rudder-commons-test",
            "policies/rudder-report",
            "policies/module-types/*",
-           "policies/minifusion",
            "relay/sources/relayd",
            "relay/sources/rudder-package"]
 resolver = "2"
diff --git a/policies/arch-doc/module-augeas/src/main.md b/policies/arch-doc/module-augeas/src/main.md
index b2189f18b6..562b5aaa97 100644
--- a/policies/arch-doc/module-augeas/src/main.md
+++ b/policies/arch-doc/module-augeas/src/main.md
@@ -252,3 +252,28 @@ augeas vs jinja
 ### Workflow
 
 ## Conclusion
+
+L'audit demande plus de sémantique que la configuration.
+Pour savoir si c'est bon, on ne peut pas faire une comparaison
+bit à bit, il faut un peu plus comprendre.
+
+Mais ça peut se faire en surcouche, pas besoin de toucher à la base.
+Au contraire, c'est une bonne abstraction comme base.
+
+On fait de la validation de data dans un contexte de lens.
+On va avoir besoin d'un backend de validation dans d'autres contextes,
+autant le rendre réutilisable.
+Il y a des libs de validation mais c'est souvent peu orienté sur un
+retour structuré, souvent ça renvoie une erreur et c'est tout.
+
+La clé d'augeas est le niveau d'abstraction choisi.
+
+Pour installer augeas sur les systèmes:
+https://github.com/voxpupuli/puppet-augeas/tree/master
+
+Comment mêler avec la théorie des promesses ?
+Avec les principes de cf-serverd.
+
+Puissance du modèle en mémoire -> pour tout ce qui est édition, grouper dans une seule GM au max.
+
+L'enjeu c'est l'UX. LUA, DSL, etc.
\ No newline at end of file
diff --git a/policies/minifusion/src/properties.rs b/policies/minifusion/src/properties.rs
deleted file mode 100644
index 4e927e2be8..0000000000
--- a/policies/minifusion/src/properties.rs
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
-
-sub _getCustomProperties {
-    my (%params) = @_;
-    my $logger   = $params{logger};
-
-    my $custom_properties_dir = ($OSNAME eq 'MSWin32') ? 'C:\Program Files\Rudder\hooks.d' : '/var/rudder/hooks.d';
-    my $custom_properties;
-    if (-d "$custom_properties_dir") {
-        my @custom_properties_list = ();
-        my @ordered_script_list = ();
-        opendir(DIR, $custom_properties_dir);
-        # List each file in the custom_properties directory, each files being a script
-        @ordered_script_list = sort readdir(DIR);
-        closedir(DIR);
-        while (my $file = shift @ordered_script_list) {
-            my $script_file = $custom_properties_dir . "/" . $file;
-            my $properties;
-            if (-f $script_file) {
-                next if ($file =~ m/^\./);
-
-                if ($OSNAME eq 'MSWin32') {
-                  # We assume the files are non world-writtable on windows
-                  # -x does not make sense since the files are just interpreted by the powershell exe
-
-                  $logger->debug("Executing Rudder inventory hook $script_file") if $logger;
-                  $properties =  `powershell.exe -file "$script_file"`;
-                  my $exit_code = $? >> 8;
-                  if ($exit_code > 0) {
-                      $logger->error("Script $script_file failed to run properly, with exit code $exit_code") if $logger;
-                      next;
-                  }
-                } else {
-                  # Ignore non-executable file, or folders
-                  next unless -x $script_file;
-                  # Check that the file is owned by current user (or root), and not world writable
-                  my $stats = stat($script_file);
-                  my $owner = $stats->uid;
-                  my $currentUser = $<;
-
-                  # file must be owned by root or current user
-                  if (($owner != 0) && ($owner != $currentUser)) {
-                      $logger->error("Skipping script $script_file as it is not owned by root nor current user (owner is $owner)") if $logger;
-                      next;
-                  }
-
-                  my $retMode = $stats->mode;
-                  $retMode = $retMode & 0777;
-                  if (($retMode & 002) || ($retMode & 020)) {
-                      $logger->error("Skipping script $script_file as it is world or group writable") if $logger;
-                      next;
-                  }
-
-                  # Execute the inventory script
-                  $logger->debug2("executing $script_file") if $logger;
-                  $properties = qx($script_file);
-                  my $exit_code = $? >> 8;
-                  if ($exit_code > 0) {
-                      $logger->error("Script $script_file failed to run properly, with exit code $exit_code") if $logger;
-                      next;
-                  }
-                }
-
-                # check that it is valid JSON
-                eval {
-                    my $package = "JSON::PP";
-                    $package->require();
-                    if ($EVAL_ERROR) {
-                        print STDERR
-                            "Failed to load JSON module: ($EVAL_ERROR)\n";
-                        next;
-                    }
-                    my $coder = JSON::PP->new;
-                    my $propertiesData = $coder->decode($properties);
-                    push @custom_properties_list, $coder->encode($propertiesData);
-                };
-                if ($@) {
-                    $logger->error("Script $script_file didn't return valid JSON entry, error is:$@") if $logger;
-                    my $rudderTmp = ($OSNAME eq 'MSWin32') ? 'C:\Program Files\Rudder\tmp' : '/var/rudder/tmp';
-                    my $filename = "$rudderTmp/inventory-json-error-".time();
-                    open(my $fh, '>', $filename);
-                    print $fh $properties;
-                    close($fh);
-                    $logger->error("Invalid JSON data stored in $filename") if $logger;
-                }
-            }
-        }
-        $custom_properties = "[". join(",", @custom_properties_list) . "]";
-   }
-   return $custom_properties;
-}
-
-
-*/
diff --git a/policies/minifusion/Cargo.toml b/policies/module-types/inventory/Cargo.toml
similarity index 91%
rename from policies/minifusion/Cargo.toml
rename to policies/module-types/inventory/Cargo.toml
index c93f115c5f..6d7d103947 100644
--- a/policies/minifusion/Cargo.toml
+++ b/policies/module-types/inventory/Cargo.toml
@@ -1,5 +1,5 @@
 [package]
-name = "minifusion"
+name = "rudder-module-inventory"
 version = "0.0.0-dev"
 description = "Minimal inventory agent generating Fusion Inventory compatible output"
 authors.workspace = true
@@ -10,7 +10,7 @@ license.workspace = true
 
 [dependencies]
 quick-xml = { version = "0.37.0", features = ["serialize"] }
-sysinfo = "0.32.0"
+sysinfo = "0.33.0"
 serde = { version = "1", features = ["derive"] }
 hostname = "0.4"
 anyhow = "1"
diff --git a/policies/minifusion/README.md b/policies/module-types/inventory/README.md
similarity index 100%
rename from policies/minifusion/README.md
rename to policies/module-types/inventory/README.md
diff --git a/policies/minifusion/src/main.rs b/policies/module-types/inventory/src/main.rs
similarity index 99%
rename from policies/minifusion/src/main.rs
rename to policies/module-types/inventory/src/main.rs
index 36fa99a6a8..8183ec1f10 100644
--- a/policies/minifusion/src/main.rs
+++ b/policies/module-types/inventory/src/main.rs
@@ -1,6 +1,5 @@
 mod os_release;
 pub mod packages;
-mod properties;
 
 use std::{env, fs, fs::read_to_string, path::PathBuf, process::Command, str};
 
diff --git a/policies/minifusion/src/os_release.rs b/policies/module-types/inventory/src/os_release.rs
similarity index 100%
rename from policies/minifusion/src/os_release.rs
rename to policies/module-types/inventory/src/os_release.rs
diff --git a/policies/minifusion/src/packages.rs b/policies/module-types/inventory/src/packages.rs
similarity index 100%
rename from policies/minifusion/src/packages.rs
rename to policies/module-types/inventory/src/packages.rs
diff --git a/policies/minifusion/src/packages/rpm.rs b/policies/module-types/inventory/src/packages/rpm.rs
similarity index 100%
rename from policies/minifusion/src/packages/rpm.rs
rename to policies/module-types/inventory/src/packages/rpm.rs
diff --git a/policies/minifusion/src/packages/yum.rs b/policies/module-types/inventory/src/packages/yum.rs
similarity index 100%
rename from policies/minifusion/src/packages/yum.rs
rename to policies/module-types/inventory/src/packages/yum.rs
diff --git a/policies/minifusion/tools/example-minifusion.xml b/policies/module-types/inventory/tools/example-minifusion.xml
similarity index 100%
rename from policies/minifusion/tools/example-minifusion.xml
rename to policies/module-types/inventory/tools/example-minifusion.xml
diff --git a/policies/minifusion/tools/example.xml b/policies/module-types/inventory/tools/example.xml
similarity index 100%
rename from policies/minifusion/tools/example.xml
rename to policies/module-types/inventory/tools/example.xml
diff --git a/policies/rudder-module-type/src/lib.rs b/policies/rudder-module-type/src/lib.rs
index 83bdbaf4b2..5d451136fd 100644
--- a/policies/rudder-module-type/src/lib.rs
+++ b/policies/rudder-module-type/src/lib.rs
@@ -166,6 +166,8 @@ pub enum ProtocolResult {
 }
 
 /// Represents a connector able to run the given module_type implementation
+///
+/// Version 0 is for CFEgine custom promise types.
 pub trait Runner0 {
     fn run<T: ModuleType0>(&self, module_type: T) -> Result<(), Error>;
 }
@@ -201,7 +203,11 @@ pub fn run_module<T: ModuleType0>(module_type: T) -> Result<(), Error> {
     }
 
     #[cfg(target_family = "unix")]
-    CfengineRunner::new().run(module_type)
+    CfengineRunner::new().run(module_type)?;
+    #[cfg(not(target_family = "unix"))]
+    unimplemented!("Only Unix-like systems are supported")?;
+
+    Ok(())
 }
 
 #[derive(Debug, Options)]
diff --git a/policies/supply-chain/audits.toml b/policies/supply-chain/audits.toml
deleted file mode 100644
index bb110c066c..0000000000
--- a/policies/supply-chain/audits.toml
+++ /dev/null
@@ -1,942 +0,0 @@
-
-# cargo-vet audits file
-
-[[audits.boon]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.5.0 -> 0.5.1"
-
-[[audits.colored]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "2.0.0 -> 2.0.4"
-
-[[audits.cpufeatures]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.2.7 -> 0.2.8"
-
-[[audits.errno]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.3.1 -> 0.3.2"
-
-[[audits.errno]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.3.2 -> 0.3.3"
-
-[[audits.format_serde_error]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-version = "0.3.0"
-
-[[audits.format_serde_error]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.3.0 -> 0.3.1@git:06ef275ce1f2c56b91fa0a4785e28c3aa9c67b31"
-
-[[audits.hermit-abi]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.3.1 -> 0.3.2"
-
-[[audits.iana-time-zone]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.1.56 -> 0.1.57"
-
-[[audits.mdbook]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "0.4.30 -> 0.4.32"
-
-[[audits.memoffset]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-version = "0.6.5"
-
-[[audits.nu-ansi-term]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-version = "0.46.0"
-
-[[audits.overload]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-version = "0.1.1"
-
-[[audits.powershell_script]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-version = "1.1.0"
-
-[[audits.pretty_assertions]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "1.3.0 -> 1.4.0"
-
-[[audits.shlex]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "1.1.0 -> 1.3.0"
-
-[[audits.static_assertions]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-version = "1.1.0"
-
-[[audits.tempfile]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "3.5.0 -> 3.6.0"
-
-[[audits.tempfile]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "3.6.0 -> 3.7.0"
-
-[[audits.tempfile]]
-who = "Alexis Mousset <alexis.mousset@rudder.io>"
-criteria = "safe-to-deploy"
-delta = "3.7.0 -> 3.8.0"
-
-[[trusted.aho-corasick]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-03-28"
-end = "2024-06-27"
-
-[[trusted.anstream]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-03-16"
-end = "2024-06-27"
-
-[[trusted.anstyle]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2022-05-18"
-end = "2024-06-27"
-
-[[trusted.anstyle-parse]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-03-08"
-end = "2024-06-27"
-
-[[trusted.anstyle-query]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-04-13"
-end = "2024-06-27"
-
-[[trusted.anstyle-wincon]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-03-08"
-end = "2024-06-27"
-
-[[trusted.anyhow]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-10-05"
-end = "2024-08-03"
-
-[[trusted.askama]]
-criteria = "safe-to-deploy"
-user-id = 4556 # Dirkjan Ochtman (djc)
-start = "2020-01-15"
-end = "2024-11-22"
-
-[[trusted.askama_derive]]
-criteria = "safe-to-deploy"
-user-id = 4556 # Dirkjan Ochtman (djc)
-start = "2020-01-15"
-end = "2024-11-22"
-
-[[trusted.askama_escape]]
-criteria = "safe-to-deploy"
-user-id = 4556 # Dirkjan Ochtman (djc)
-start = "2020-01-15"
-end = "2024-11-22"
-
-[[trusted.askama_parser]]
-criteria = "safe-to-deploy"
-user-id = 4556 # Dirkjan Ochtman (djc)
-start = "2023-09-29"
-end = "2024-11-22"
-
-[[trusted.assert_cmd]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2019-03-23"
-end = "2024-06-27"
-
-[[trusted.basic-toml]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2023-01-25"
-end = "2024-06-27"
-
-[[trusted.bitflags]]
-criteria = "safe-to-deploy"
-user-id = 3204 # Ashley Mannix (KodrAus)
-start = "2019-05-02"
-end = "2024-08-30"
-
-[[trusted.bstr]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-04-02"
-end = "2024-06-27"
-
-[[trusted.byteorder]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-06-09"
-end = "2024-11-22"
-
-[[trusted.cc]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-01"
-end = "2024-06-27"
-
-[[trusted.cc]]
-criteria = "safe-to-deploy"
-user-id = 4357 # Thom Chiovoloni (thomcc)
-start = "2023-08-02"
-end = "2024-08-03"
-
-[[trusted.chrono]]
-criteria = "safe-to-deploy"
-user-id = 4556 # Dirkjan Ochtman (djc)
-start = "2022-07-25"
-end = "2024-11-22"
-
-[[trusted.chrono]]
-criteria = "safe-to-deploy"
-user-id = 228432 # Paul Dicker (pitdicker)
-start = "2023-08-30"
-end = "2024-11-28"
-
-[[trusted.clap]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2021-12-08"
-end = "2024-06-27"
-
-[[trusted.clap_builder]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-03-28"
-end = "2024-06-27"
-
-[[trusted.clap_complete]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2021-12-31"
-end = "2024-06-27"
-
-[[trusted.clap_derive]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2021-12-08"
-end = "2024-06-27"
-
-[[trusted.clap_lex]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2022-04-15"
-end = "2024-06-27"
-
-[[trusted.cpufeatures]]
-criteria = "safe-to-deploy"
-user-id = 5059 # Artyom Pavlov (newpavlov)
-start = "2022-08-18"
-end = "2024-08-03"
-
-[[trusted.crc32fast]]
-criteria = "safe-to-deploy"
-user-id = 1546 # Sam Rijs (srijs)
-start = "2019-03-05"
-end = "2024-11-22"
-
-[[trusted.crossbeam-deque]]
-criteria = "safe-to-deploy"
-user-id = 33035 # Taiki Endo (taiki-e)
-start = "2020-10-12"
-end = "2024-11-22"
-
-[[trusted.crossbeam-epoch]]
-criteria = "safe-to-deploy"
-user-id = 33035 # Taiki Endo (taiki-e)
-start = "2020-10-12"
-end = "2024-11-22"
-
-[[trusted.crossbeam-utils]]
-criteria = "safe-to-deploy"
-user-id = 33035 # Taiki Endo (taiki-e)
-start = "2020-10-12"
-end = "2024-11-22"
-
-[[trusted.deranged]]
-criteria = "safe-to-deploy"
-user-id = 15682 # Jacob Pratt (jhpratt)
-start = "2020-12-10"
-end = "2024-11-22"
-
-[[trusted.either]]
-criteria = "safe-to-deploy"
-user-id = 539 # Josh Stone (cuviper)
-start = "2019-04-02"
-end = "2024-08-03"
-
-[[trusted.env_logger]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2022-11-24"
-end = "2024-06-27"
-
-[[trusted.equivalent]]
-criteria = "safe-to-deploy"
-user-id = 539 # Josh Stone (cuviper)
-start = "2023-02-05"
-end = "2024-06-27"
-
-[[trusted.errno]]
-criteria = "safe-to-deploy"
-user-id = 6825 # Dan Gohman (sunfishcode)
-start = "2023-08-29"
-end = "2024-11-22"
-
-[[trusted.fastrand]]
-criteria = "safe-to-deploy"
-user-id = 33035 # Taiki Endo (taiki-e)
-start = "2021-04-24"
-end = "2024-08-03"
-
-[[trusted.flate2]]
-criteria = "safe-to-deploy"
-user-id = 980 # Sebastian Thiel (Byron)
-start = "2023-08-15"
-end = "2024-11-22"
-
-[[trusted.form_urlencoded]]
-criteria = "safe-to-deploy"
-user-id = 72883 # Valentin Gosu (valenting)
-start = "2022-09-08"
-end = "2024-06-27"
-
-[[trusted.handlebars]]
-criteria = "safe-to-deploy"
-user-id = 250 # Ning Sun (sunng87)
-start = "2019-03-16"
-end = "2024-11-22"
-
-[[trusted.hashbrown]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2019-04-02"
-end = "2024-06-27"
-
-[[trusted.iana-time-zone]]
-criteria = "safe-to-deploy"
-user-id = 649 # Andrew Straw (astraw)
-start = "2020-06-27"
-end = "2024-11-28"
-
-[[trusted.idna]]
-criteria = "safe-to-deploy"
-user-id = 72883 # Valentin Gosu (valenting)
-start = "2021-02-05"
-end = "2024-11-28"
-
-[[trusted.indexmap]]
-criteria = "safe-to-deploy"
-user-id = 539 # Josh Stone (cuviper)
-start = "2020-01-15"
-end = "2024-06-27"
-
-[[trusted.is-terminal]]
-criteria = "safe-to-deploy"
-user-id = 6825 # Dan Gohman (sunfishcode)
-start = "2022-01-22"
-end = "2024-08-03"
-
-[[trusted.itoa]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-05-02"
-end = "2024-06-27"
-
-[[trusted.js-sys]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-04"
-end = "2024-06-27"
-
-[[trusted.libc]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-29"
-end = "2024-06-27"
-
-[[trusted.libc]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2021-01-27"
-end = "2024-06-27"
-
-[[trusted.libc]]
-criteria = "safe-to-deploy"
-user-id = 51017 # Yuki Okushi (JohnTitor)
-start = "2020-03-17"
-end = "2024-06-27"
-
-[[trusted.libm]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-05-14"
-end = "2024-06-27"
-
-[[trusted.libm]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2022-02-06"
-end = "2024-06-27"
-
-[[trusted.linux-raw-sys]]
-criteria = "safe-to-deploy"
-user-id = 6825 # Dan Gohman (sunfishcode)
-start = "2021-06-12"
-end = "2024-08-03"
-
-[[trusted.lock_api]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2019-05-04"
-end = "2024-06-27"
-
-[[trusted.log]]
-criteria = "safe-to-deploy"
-user-id = 3204 # Ashley Mannix (KodrAus)
-start = "2019-07-10"
-end = "2024-08-30"
-
-[[trusted.mdbook]]
-criteria = "safe-to-deploy"
-user-id = 55123 # rust-lang-owner
-start = "2023-08-04"
-end = "2024-08-30"
-
-[[trusted.memchr]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-07-07"
-end = "2024-06-27"
-
-[[trusted.mime]]
-criteria = "safe-to-deploy"
-user-id = 359 # Sean McArthur (seanmonstar)
-start = "2019-09-09"
-end = "2024-08-30"
-
-[[trusted.minijinja]]
-criteria = "safe-to-deploy"
-user-id = 39 # Armin Ronacher (mitsuhiko)
-start = "2021-09-23"
-end = "2024-06-09"
-
-[[trusted.nix]]
-criteria = "safe-to-deploy"
-user-id = 6094 # Alan Somers (asomers)
-start = "2019-05-22"
-end = "2024-08-30"
-
-[[trusted.num-traits]]
-criteria = "safe-to-deploy"
-user-id = 539 # Josh Stone (cuviper)
-start = "2019-05-20"
-end = "2024-08-03"
-
-[[trusted.parking_lot]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2019-05-04"
-end = "2024-06-27"
-
-[[trusted.parking_lot_core]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2019-05-04"
-end = "2024-06-27"
-
-[[trusted.percent-encoding]]
-criteria = "safe-to-deploy"
-user-id = 72883 # Valentin Gosu (valenting)
-start = "2022-09-08"
-end = "2024-06-27"
-
-[[trusted.pest]]
-criteria = "safe-to-deploy"
-user-id = 95892 # Tomas Tauber (tomtau)
-start = "2022-07-29"
-end = "2024-06-27"
-
-[[trusted.pest_derive]]
-criteria = "safe-to-deploy"
-user-id = 95892 # Tomas Tauber (tomtau)
-start = "2022-07-29"
-end = "2024-06-27"
-
-[[trusted.pest_generator]]
-criteria = "safe-to-deploy"
-user-id = 95892 # Tomas Tauber (tomtau)
-start = "2022-07-29"
-end = "2024-06-27"
-
-[[trusted.pest_meta]]
-criteria = "safe-to-deploy"
-user-id = 95892 # Tomas Tauber (tomtau)
-start = "2022-07-29"
-end = "2024-06-27"
-
-[[trusted.phf]]
-criteria = "safe-to-deploy"
-user-id = 51017 # Yuki Okushi (JohnTitor)
-start = "2021-06-17"
-end = "2024-06-27"
-
-[[trusted.phf_codegen]]
-criteria = "safe-to-deploy"
-user-id = 51017 # Yuki Okushi (JohnTitor)
-start = "2021-06-17"
-end = "2024-06-27"
-
-[[trusted.phf_generator]]
-criteria = "safe-to-deploy"
-user-id = 51017 # Yuki Okushi (JohnTitor)
-start = "2021-06-17"
-end = "2024-06-27"
-
-[[trusted.phf_shared]]
-criteria = "safe-to-deploy"
-user-id = 51017 # Yuki Okushi (JohnTitor)
-start = "2021-06-17"
-end = "2024-06-27"
-
-[[trusted.pin-project-lite]]
-criteria = "safe-to-deploy"
-user-id = 33035 # Taiki Endo (taiki-e)
-start = "2019-10-22"
-end = "2024-08-01"
-
-[[trusted.powerfmt]]
-criteria = "safe-to-deploy"
-user-id = 15682 # Jacob Pratt (jhpratt)
-start = "2023-10-08"
-end = "2024-11-22"
-
-[[trusted.predicates]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2019-04-22"
-end = "2024-06-27"
-
-[[trusted.predicates-core]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2020-12-29"
-end = "2024-06-27"
-
-[[trusted.predicates-tree]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2020-12-29"
-end = "2024-06-27"
-
-[[trusted.proc-macro2]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-04-23"
-end = "2024-06-27"
-
-[[trusted.quick-xml]]
-criteria = "safe-to-deploy"
-user-id = 2927 # Mingun
-start = "2022-05-25"
-end = "2024-06-27"
-
-[[trusted.quote]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-04-09"
-end = "2024-06-27"
-
-[[trusted.regex]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-02-27"
-end = "2024-06-27"
-
-[[trusted.regex-automata]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-02-25"
-end = "2024-06-27"
-
-[[trusted.regex-syntax]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-03-30"
-end = "2024-06-27"
-
-[[trusted.rustix]]
-criteria = "safe-to-deploy"
-user-id = 6825 # Dan Gohman (sunfishcode)
-start = "2021-10-29"
-end = "2024-06-27"
-
-[[trusted.ryu]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-05-02"
-end = "2024-06-27"
-
-[[trusted.same-file]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-07-16"
-end = "2024-06-27"
-
-[[trusted.scopeguard]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2020-02-16"
-end = "2024-06-27"
-
-[[trusted.serde]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-03-01"
-end = "2024-06-27"
-
-[[trusted.serde_derive]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-03-01"
-end = "2024-06-27"
-
-[[trusted.serde_json]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-02-28"
-end = "2024-06-27"
-
-[[trusted.serde_spanned]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-01-20"
-end = "2024-08-03"
-
-[[trusted.serde_yaml]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-05-02"
-end = "2024-06-27"
-
-[[trusted.sha2]]
-criteria = "safe-to-deploy"
-user-id = 5059 # Artyom Pavlov (newpavlov)
-start = "2020-01-06"
-end = "2024-06-27"
-
-[[trusted.sharded-slab]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-10-02"
-end = "2024-08-01"
-
-[[trusted.siphasher]]
-criteria = "safe-to-deploy"
-user-id = 468 # Frank Denis (jedisct1)
-start = "2019-09-20"
-end = "2024-08-30"
-
-[[trusted.smallvec]]
-criteria = "safe-to-deploy"
-user-id = 2017 # Matt Brubeck (mbrubeck)
-start = "2019-10-28"
-end = "2024-08-03"
-
-[[trusted.syn]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-03-01"
-end = "2024-06-27"
-
-[[trusted.sysinfo]]
-criteria = "safe-to-deploy"
-user-id = 111 # Guillaume Gomez (GuillaumeGomez)
-start = "2019-03-01"
-end = "2024-11-22"
-
-[[trusted.tempfile]]
-criteria = "safe-to-deploy"
-user-id = 280 # Steven Allen (Stebalien)
-start = "2019-05-19"
-end = "2024-11-28"
-
-[[trusted.termcolor]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-06-04"
-end = "2024-06-27"
-
-[[trusted.termtree]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2021-10-07"
-end = "2024-06-27"
-
-[[trusted.thiserror]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-10-09"
-end = "2024-08-03"
-
-[[trusted.thiserror-impl]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2019-10-09"
-end = "2024-08-03"
-
-[[trusted.thread_local]]
-criteria = "safe-to-deploy"
-user-id = 2915 # Amanieu d'Antras (Amanieu)
-start = "2019-09-07"
-end = "2024-08-01"
-
-[[trusted.time]]
-criteria = "safe-to-deploy"
-user-id = 15682 # Jacob Pratt (jhpratt)
-start = "2019-12-19"
-end = "2024-11-22"
-
-[[trusted.time-core]]
-criteria = "safe-to-deploy"
-user-id = 15682 # Jacob Pratt (jhpratt)
-start = "2020-12-17"
-end = "2024-11-22"
-
-[[trusted.toml]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-05-16"
-end = "2024-06-27"
-
-[[trusted.toml]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2022-12-14"
-end = "2024-08-03"
-
-[[trusted.toml_edit]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2021-09-13"
-end = "2024-08-03"
-
-[[trusted.tracing]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-06-28"
-end = "2024-08-01"
-
-[[trusted.tracing-attributes]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-08-08"
-end = "2024-08-01"
-
-[[trusted.tracing-core]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-06-20"
-end = "2024-08-01"
-
-[[trusted.tracing-log]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-06-27"
-end = "2024-08-01"
-
-[[trusted.tracing-serde]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-06-27"
-end = "2024-08-01"
-
-[[trusted.tracing-subscriber]]
-criteria = "safe-to-deploy"
-user-id = 1249 # Eliza Weisman (hawkw)
-start = "2019-06-27"
-end = "2024-08-01"
-
-[[trusted.ucd-trie]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-07-21"
-end = "2024-06-27"
-
-[[trusted.unicase]]
-criteria = "safe-to-deploy"
-user-id = 359 # Sean McArthur (seanmonstar)
-start = "2019-03-05"
-end = "2024-08-30"
-
-[[trusted.unicode-ident]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2021-10-02"
-end = "2024-08-03"
-
-[[trusted.unsafe-libyaml]]
-criteria = "safe-to-deploy"
-user-id = 3618 # David Tolnay (dtolnay)
-start = "2022-07-03"
-end = "2024-06-27"
-
-[[trusted.url]]
-criteria = "safe-to-deploy"
-user-id = 72883 # Valentin Gosu (valenting)
-start = "2020-01-09"
-end = "2024-06-27"
-
-[[trusted.uuid]]
-criteria = "safe-to-deploy"
-user-id = 3204 # Ashley Mannix (KodrAus)
-start = "2019-10-18"
-end = "2024-07-19"
-
-[[trusted.walkdir]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2019-06-09"
-end = "2024-06-27"
-
-[[trusted.wasi]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2020-06-03"
-end = "2024-06-27"
-
-[[trusted.wasm-bindgen]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-04"
-end = "2024-06-27"
-
-[[trusted.wasm-bindgen-backend]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-04"
-end = "2024-06-27"
-
-[[trusted.wasm-bindgen-macro]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-04"
-end = "2024-06-27"
-
-[[trusted.wasm-bindgen-macro-support]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-04"
-end = "2024-06-27"
-
-[[trusted.wasm-bindgen-shared]]
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-03-04"
-end = "2024-06-27"
-
-[[trusted.winapi-util]]
-criteria = "safe-to-deploy"
-user-id = 189 # Andrew Gallant (BurntSushi)
-start = "2020-01-11"
-end = "2024-06-27"
-
-[[trusted.windows-core]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-11-15"
-end = "2024-11-22"
-
-[[trusted.windows-sys]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-11-15"
-end = "2024-06-22"
-
-[[trusted.windows-targets]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2022-09-09"
-end = "2024-06-22"
-
-[[trusted.windows_aarch64_gnullvm]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2022-09-01"
-end = "2024-06-22"
-
-[[trusted.windows_aarch64_msvc]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-11-05"
-end = "2024-06-22"
-
-[[trusted.windows_i686_gnu]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-10-28"
-end = "2024-06-22"
-
-[[trusted.windows_i686_msvc]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-10-27"
-end = "2024-06-22"
-
-[[trusted.windows_x86_64_gnu]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-10-28"
-end = "2024-06-22"
-
-[[trusted.windows_x86_64_gnullvm]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2022-09-01"
-end = "2024-06-22"
-
-[[trusted.windows_x86_64_msvc]]
-criteria = "safe-to-deploy"
-user-id = 64539 # Kenny Kerr (kennykerr)
-start = "2021-10-27"
-end = "2024-06-22"
-
-[[trusted.winnow]]
-criteria = "safe-to-deploy"
-user-id = 6743 # Ed Page (epage)
-start = "2023-02-22"
-end = "2024-08-03"
-
-[[trusted.zip]]
-criteria = "safe-to-deploy"
-user-id = 84480 # Plecra
-start = "2020-12-06"
-end = "2024-11-22"
diff --git a/policies/supply-chain/config.toml b/policies/supply-chain/config.toml
deleted file mode 100644
index 222d3f3642..0000000000
--- a/policies/supply-chain/config.toml
+++ /dev/null
@@ -1,281 +0,0 @@
-
-# cargo-vet config file
-
-[cargo-vet]
-version = "0.8"
-
-[imports.bytecode-alliance]
-url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
-
-[imports.embark-studios]
-url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
-
-[imports.google]
-url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
-
-[imports.isrg]
-url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
-
-[imports.mozilla]
-url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
-
-[imports.zcash]
-url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
-
-[policy.format_serde_error]
-audit-as-crates-io = true
-
-[policy.test-generator]
-audit-as-crates-io = true
-
-[[exemptions.ahash]]
-version = "0.8.6"
-criteria = "safe-to-deploy"
-
-[[exemptions.ammonia]]
-version = "3.3.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.android-tzdata]]
-version = "0.1.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.base64]]
-version = "0.21.5"
-criteria = "safe-to-deploy"
-
-[[exemptions.boon]]
-version = "0.5.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.colored]]
-version = "2.0.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.diff]]
-version = "0.1.13"
-criteria = "safe-to-run"
-
-[[exemptions.difflib]]
-version = "0.4.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.digest]]
-version = "0.10.7"
-criteria = "safe-to-deploy"
-
-[[exemptions.elasticlunr-rs]]
-version = "3.0.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.fancy-regex]]
-version = "0.12.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.file-owner]]
-version = "0.1.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.float-cmp]]
-version = "0.9.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.fluent-uri]]
-version = "0.1.4"
-criteria = "safe-to-deploy"
-
-[[exemptions.futf]]
-version = "0.1.5"
-criteria = "safe-to-deploy"
-
-[[exemptions.generic-array]]
-version = "0.14.7"
-criteria = "safe-to-deploy"
-
-[[exemptions.getrandom]]
-version = "0.2.9"
-criteria = "safe-to-deploy"
-
-[[exemptions.gumdrop]]
-version = "0.8.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.gumdrop_derive]]
-version = "0.8.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.hermit-abi]]
-version = "0.3.3"
-criteria = "safe-to-deploy"
-
-[[exemptions.hostname]]
-version = "0.3.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.html5ever]]
-version = "0.26.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.humansize]]
-version = "2.1.3"
-criteria = "safe-to-deploy"
-
-[[exemptions.humantime]]
-version = "2.1.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.iana-time-zone-haiku]]
-version = "0.1.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.include_dir]]
-version = "0.7.3"
-criteria = "safe-to-deploy"
-
-[[exemptions.include_dir_macros]]
-version = "0.7.3"
-criteria = "safe-to-deploy"
-
-[[exemptions.itertools]]
-version = "0.11.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.log]]
-version = "0.3.9"
-criteria = "safe-to-deploy"
-
-[[exemptions.mac]]
-version = "0.1.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.maplit]]
-version = "1.0.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.markup5ever]]
-version = "0.11.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.mime_guess]]
-version = "2.0.4"
-criteria = "safe-to-deploy"
-
-[[exemptions.minimal-lexical]]
-version = "0.2.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.mustache]]
-version = "0.9.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.nom]]
-version = "7.1.3"
-criteria = "safe-to-deploy"
-
-[[exemptions.normalize-line-endings]]
-version = "0.3.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.normpath]]
-version = "1.1.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.ntapi]]
-version = "0.4.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.once_cell]]
-version = "1.17.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.opener]]
-version = "0.6.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.ppv-lite86]]
-version = "0.2.17"
-criteria = "safe-to-deploy"
-
-[[exemptions.pretty_assertions]]
-version = "1.3.0"
-criteria = "safe-to-run"
-
-[[exemptions.rand]]
-version = "0.8.5"
-criteria = "safe-to-deploy"
-
-[[exemptions.redox_syscall]]
-version = "0.4.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.shlex]]
-version = "1.2.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.string_cache]]
-version = "0.8.7"
-criteria = "safe-to-deploy"
-
-[[exemptions.string_cache_codegen]]
-version = "0.5.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.strsim]]
-version = "0.10.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.tendril]]
-version = "0.4.3"
-criteria = "safe-to-deploy"
-
-[[exemptions.terminal_size]]
-version = "0.3.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.test-generator]]
-version = "0.3.0@git:82e799979980962aec1aa324ec6e0e4cad781f41"
-criteria = "safe-to-run"
-
-[[exemptions.topological-sort]]
-version = "0.2.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.typenum]]
-version = "1.16.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.uname-rs]]
-version = "0.1.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.utf-8]]
-version = "0.7.6"
-criteria = "safe-to-deploy"
-
-[[exemptions.wait-timeout]]
-version = "0.2.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.winapi]]
-version = "0.3.9"
-criteria = "safe-to-deploy"
-
-[[exemptions.winapi-i686-pc-windows-gnu]]
-version = "0.4.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.winapi-x86_64-pc-windows-gnu]]
-version = "0.4.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.yansi]]
-version = "0.5.1"
-criteria = "safe-to-run"
-
-[[exemptions.zerocopy]]
-version = "0.7.26"
-criteria = "safe-to-deploy"
-
-[[exemptions.zerocopy-derive]]
-version = "0.7.26"
-criteria = "safe-to-deploy"
diff --git a/policies/supply-chain/imports.lock b/policies/supply-chain/imports.lock
deleted file mode 100644
index 27145cfe4d..0000000000
--- a/policies/supply-chain/imports.lock
+++ /dev/null
@@ -1,1502 +0,0 @@
-
-# cargo-vet imports lock
-
-[[publisher.aho-corasick]]
-version = "1.1.2"
-when = "2023-10-09"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.anstream]]
-version = "0.6.4"
-when = "2023-09-29"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.anstyle]]
-version = "1.0.4"
-when = "2023-09-28"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.anstyle-parse]]
-version = "0.2.2"
-when = "2023-09-28"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.anstyle-query]]
-version = "1.0.0"
-when = "2023-04-13"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.anstyle-wincon]]
-version = "3.0.1"
-when = "2023-09-29"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.anyhow]]
-version = "1.0.75"
-when = "2023-08-17"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.askama]]
-version = "0.12.1"
-when = "2023-09-29"
-user-id = 4556
-user-login = "djc"
-user-name = "Dirkjan Ochtman"
-
-[[publisher.askama_derive]]
-version = "0.12.2"
-when = "2023-09-29"
-user-id = 4556
-user-login = "djc"
-user-name = "Dirkjan Ochtman"
-
-[[publisher.askama_escape]]
-version = "0.10.3"
-when = "2022-02-16"
-user-id = 4556
-user-login = "djc"
-user-name = "Dirkjan Ochtman"
-
-[[publisher.askama_parser]]
-version = "0.1.1"
-when = "2023-10-02"
-user-id = 4556
-user-login = "djc"
-user-name = "Dirkjan Ochtman"
-
-[[publisher.assert_cmd]]
-version = "2.0.12"
-when = "2023-07-14"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.basic-toml]]
-version = "0.1.7"
-when = "2023-10-27"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.bitflags]]
-version = "1.3.2"
-when = "2021-08-16"
-user-id = 3204
-user-login = "KodrAus"
-user-name = "Ashley Mannix"
-
-[[publisher.bitflags]]
-version = "2.4.1"
-when = "2023-10-15"
-user-id = 3204
-user-login = "KodrAus"
-user-name = "Ashley Mannix"
-
-[[publisher.bstr]]
-version = "1.8.0"
-when = "2023-11-09"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.bumpalo]]
-version = "3.14.0"
-when = "2023-09-14"
-user-id = 696
-user-login = "fitzgen"
-user-name = "Nick Fitzgerald"
-
-[[publisher.byteorder]]
-version = "1.5.0"
-when = "2023-10-06"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.cc]]
-version = "1.0.83"
-when = "2023-08-20"
-user-id = 4357
-user-login = "thomcc"
-user-name = "Thom Chiovoloni"
-
-[[publisher.chrono]]
-version = "0.4.31"
-when = "2023-09-15"
-user-id = 228432
-user-login = "pitdicker"
-user-name = "Paul Dicker"
-
-[[publisher.clap]]
-version = "4.4.10"
-when = "2023-11-28"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.clap_builder]]
-version = "4.4.9"
-when = "2023-11-27"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.clap_complete]]
-version = "4.4.4"
-when = "2023-10-24"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.clap_derive]]
-version = "4.4.7"
-when = "2023-10-24"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.clap_lex]]
-version = "0.6.0"
-when = "2023-10-24"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.core-foundation-sys]]
-version = "0.8.4"
-when = "2023-04-03"
-user-id = 5946
-user-login = "jrmuizel"
-user-name = "Jeff Muizelaar"
-
-[[publisher.cpufeatures]]
-version = "0.2.11"
-when = "2023-10-26"
-user-id = 5059
-user-login = "newpavlov"
-user-name = "Artyom Pavlov"
-
-[[publisher.crc32fast]]
-version = "1.3.2"
-when = "2022-02-08"
-user-id = 1546
-user-login = "srijs"
-user-name = "Sam Rijs"
-
-[[publisher.crossbeam-deque]]
-version = "0.8.3"
-when = "2023-02-28"
-user-id = 33035
-user-login = "taiki-e"
-user-name = "Taiki Endo"
-
-[[publisher.crossbeam-epoch]]
-version = "0.9.15"
-when = "2023-06-12"
-user-id = 33035
-user-login = "taiki-e"
-user-name = "Taiki Endo"
-
-[[publisher.crossbeam-utils]]
-version = "0.8.16"
-when = "2023-06-12"
-user-id = 33035
-user-login = "taiki-e"
-user-name = "Taiki Endo"
-
-[[publisher.deranged]]
-version = "0.3.9"
-when = "2023-10-13"
-user-id = 15682
-user-login = "jhpratt"
-user-name = "Jacob Pratt"
-
-[[publisher.either]]
-version = "1.9.0"
-when = "2023-07-22"
-user-id = 539
-user-login = "cuviper"
-user-name = "Josh Stone"
-
-[[publisher.env_logger]]
-version = "0.10.1"
-when = "2023-11-10"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.equivalent]]
-version = "1.0.1"
-when = "2023-07-10"
-user-id = 539
-user-login = "cuviper"
-user-name = "Josh Stone"
-
-[[publisher.errno]]
-version = "0.3.8"
-when = "2023-11-28"
-user-id = 6825
-user-login = "sunfishcode"
-user-name = "Dan Gohman"
-
-[[publisher.flate2]]
-version = "1.0.28"
-when = "2023-10-13"
-user-id = 980
-user-login = "Byron"
-user-name = "Sebastian Thiel"
-
-[[publisher.form_urlencoded]]
-version = "1.2.1"
-when = "2023-11-22"
-user-id = 72883
-user-login = "valenting"
-user-name = "Valentin Gosu"
-
-[[publisher.handlebars]]
-version = "4.5.0"
-when = "2023-11-09"
-user-id = 250
-user-login = "sunng87"
-user-name = "Ning Sun"
-
-[[publisher.hashbrown]]
-version = "0.14.3"
-when = "2023-11-26"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.iana-time-zone]]
-version = "0.1.58"
-when = "2023-10-17"
-user-id = 649
-user-login = "astraw"
-user-name = "Andrew Straw"
-
-[[publisher.idna]]
-version = "0.5.0"
-when = "2023-11-22"
-user-id = 72883
-user-login = "valenting"
-user-name = "Valentin Gosu"
-
-[[publisher.indexmap]]
-version = "1.9.3"
-when = "2023-03-24"
-user-id = 539
-user-login = "cuviper"
-user-name = "Josh Stone"
-
-[[publisher.indexmap]]
-version = "2.1.0"
-when = "2023-10-31"
-user-id = 539
-user-login = "cuviper"
-user-name = "Josh Stone"
-
-[[publisher.is-terminal]]
-version = "0.4.9"
-when = "2023-07-06"
-user-id = 6825
-user-login = "sunfishcode"
-user-name = "Dan Gohman"
-
-[[publisher.itoa]]
-version = "1.0.9"
-when = "2023-07-15"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.js-sys]]
-version = "0.3.66"
-when = "2023-11-27"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.libc]]
-version = "0.2.150"
-when = "2023-11-05"
-user-id = 51017
-user-login = "JohnTitor"
-user-name = "Yuki Okushi"
-
-[[publisher.libm]]
-version = "0.2.8"
-when = "2023-10-06"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.linux-raw-sys]]
-version = "0.4.11"
-when = "2023-11-08"
-user-id = 6825
-user-login = "sunfishcode"
-user-name = "Dan Gohman"
-
-[[publisher.lock_api]]
-version = "0.4.11"
-when = "2023-10-17"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.log]]
-version = "0.4.20"
-when = "2023-08-12"
-user-id = 3204
-user-login = "KodrAus"
-user-name = "Ashley Mannix"
-
-[[publisher.mdbook]]
-version = "0.4.35"
-when = "2023-09-29"
-user-id = 55123
-user-login = "rust-lang-owner"
-
-[[publisher.memchr]]
-version = "2.6.4"
-when = "2023-10-01"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.mime]]
-version = "0.3.17"
-when = "2023-03-20"
-user-id = 359
-user-login = "seanmonstar"
-user-name = "Sean McArthur"
-
-[[publisher.minijinja]]
-version = "1.0.10"
-when = "2023-11-10"
-user-id = 39
-user-login = "mitsuhiko"
-user-name = "Armin Ronacher"
-
-[[publisher.nix]]
-version = "0.27.1"
-when = "2023-08-28"
-user-id = 6094
-user-login = "asomers"
-user-name = "Alan Somers"
-
-[[publisher.num-traits]]
-version = "0.2.17"
-when = "2023-10-07"
-user-id = 539
-user-login = "cuviper"
-user-name = "Josh Stone"
-
-[[publisher.parking_lot]]
-version = "0.12.1"
-when = "2022-05-31"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.parking_lot_core]]
-version = "0.9.9"
-when = "2023-10-17"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.percent-encoding]]
-version = "2.3.1"
-when = "2023-11-22"
-user-id = 72883
-user-login = "valenting"
-user-name = "Valentin Gosu"
-
-[[publisher.pest]]
-version = "2.7.5"
-when = "2023-10-24"
-user-id = 95892
-user-login = "tomtau"
-user-name = "Tomas Tauber"
-
-[[publisher.pest_derive]]
-version = "2.7.5"
-when = "2023-10-24"
-user-id = 95892
-user-login = "tomtau"
-user-name = "Tomas Tauber"
-
-[[publisher.pest_generator]]
-version = "2.7.5"
-when = "2023-10-24"
-user-id = 95892
-user-login = "tomtau"
-user-name = "Tomas Tauber"
-
-[[publisher.pest_meta]]
-version = "2.7.5"
-when = "2023-10-24"
-user-id = 95892
-user-login = "tomtau"
-user-name = "Tomas Tauber"
-
-[[publisher.phf]]
-version = "0.10.1"
-when = "2021-12-13"
-user-id = 51017
-user-login = "JohnTitor"
-user-name = "Yuki Okushi"
-
-[[publisher.phf_codegen]]
-version = "0.10.0"
-when = "2021-08-10"
-user-id = 51017
-user-login = "JohnTitor"
-user-name = "Yuki Okushi"
-
-[[publisher.phf_generator]]
-version = "0.10.0"
-when = "2021-08-10"
-user-id = 51017
-user-login = "JohnTitor"
-user-name = "Yuki Okushi"
-
-[[publisher.phf_shared]]
-version = "0.10.0"
-when = "2021-08-10"
-user-id = 51017
-user-login = "JohnTitor"
-user-name = "Yuki Okushi"
-
-[[publisher.pin-project-lite]]
-version = "0.2.13"
-when = "2023-08-25"
-user-id = 33035
-user-login = "taiki-e"
-user-name = "Taiki Endo"
-
-[[publisher.powerfmt]]
-version = "0.2.0"
-when = "2023-10-13"
-user-id = 15682
-user-login = "jhpratt"
-user-name = "Jacob Pratt"
-
-[[publisher.predicates]]
-version = "3.0.4"
-when = "2023-09-18"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.predicates-core]]
-version = "1.0.6"
-when = "2023-03-15"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.predicates-tree]]
-version = "1.0.9"
-when = "2023-03-15"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.proc-macro2]]
-version = "0.4.30"
-when = "2019-05-08"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.proc-macro2]]
-version = "1.0.70"
-when = "2023-11-26"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.quick-xml]]
-version = "0.31.0"
-when = "2023-10-23"
-user-id = 2927
-user-login = "Mingun"
-
-[[publisher.quote]]
-version = "0.6.13"
-when = "2019-07-11"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.quote]]
-version = "1.0.33"
-when = "2023-08-17"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.regex]]
-version = "1.10.2"
-when = "2023-10-16"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.regex-automata]]
-version = "0.1.10"
-when = "2021-06-01"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.regex-automata]]
-version = "0.4.3"
-when = "2023-10-16"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.regex-syntax]]
-version = "0.6.29"
-when = "2023-03-21"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.regex-syntax]]
-version = "0.8.2"
-when = "2023-10-14"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.rustix]]
-version = "0.38.25"
-when = "2023-11-19"
-user-id = 6825
-user-login = "sunfishcode"
-user-name = "Dan Gohman"
-
-[[publisher.ryu]]
-version = "1.0.15"
-when = "2023-07-15"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.same-file]]
-version = "1.0.6"
-when = "2020-01-11"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.scopeguard]]
-version = "1.2.0"
-when = "2023-07-17"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.serde]]
-version = "1.0.193"
-when = "2023-11-21"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.serde_derive]]
-version = "1.0.193"
-when = "2023-11-21"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.serde_json]]
-version = "1.0.108"
-when = "2023-10-30"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.serde_yaml]]
-version = "0.9.27"
-when = "2023-10-26"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.sha2]]
-version = "0.10.8"
-when = "2023-09-26"
-user-id = 5059
-user-login = "newpavlov"
-user-name = "Artyom Pavlov"
-
-[[publisher.sharded-slab]]
-version = "0.1.7"
-when = "2023-10-04"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.siphasher]]
-version = "0.3.11"
-when = "2023-08-23"
-user-id = 468
-user-login = "jedisct1"
-user-name = "Frank Denis"
-
-[[publisher.smallvec]]
-version = "1.11.2"
-when = "2023-11-09"
-user-id = 2017
-user-login = "mbrubeck"
-user-name = "Matt Brubeck"
-
-[[publisher.syn]]
-version = "0.15.44"
-when = "2019-08-10"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.syn]]
-version = "1.0.109"
-when = "2023-02-24"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.syn]]
-version = "2.0.39"
-when = "2023-11-06"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.sysinfo]]
-version = "0.29.11"
-when = "2023-11-26"
-user-id = 111
-user-login = "GuillaumeGomez"
-user-name = "Guillaume Gomez"
-
-[[publisher.tempfile]]
-version = "3.8.1"
-when = "2023-10-26"
-user-id = 280
-user-login = "Stebalien"
-user-name = "Steven Allen"
-
-[[publisher.termcolor]]
-version = "1.4.0"
-when = "2023-11-14"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.termtree]]
-version = "0.4.1"
-when = "2023-03-15"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.thiserror]]
-version = "1.0.50"
-when = "2023-10-19"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.thiserror-impl]]
-version = "1.0.50"
-when = "2023-10-19"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.thread_local]]
-version = "1.1.7"
-when = "2023-02-12"
-user-id = 2915
-user-login = "Amanieu"
-user-name = "Amanieu d'Antras"
-
-[[publisher.time]]
-version = "0.3.30"
-when = "2023-10-14"
-user-id = 15682
-user-login = "jhpratt"
-user-name = "Jacob Pratt"
-
-[[publisher.time-core]]
-version = "0.1.2"
-when = "2023-09-24"
-user-id = 15682
-user-login = "jhpratt"
-user-name = "Jacob Pratt"
-
-[[publisher.toml]]
-version = "0.5.11"
-when = "2023-01-20"
-user-id = 6743
-user-login = "epage"
-user-name = "Ed Page"
-
-[[publisher.tracing]]
-version = "0.1.40"
-when = "2023-10-19"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.tracing-attributes]]
-version = "0.1.27"
-when = "2023-10-13"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.tracing-core]]
-version = "0.1.32"
-when = "2023-10-13"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.tracing-log]]
-version = "0.2.0"
-when = "2023-10-25"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.tracing-serde]]
-version = "0.1.3"
-when = "2022-02-04"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.tracing-subscriber]]
-version = "0.3.18"
-when = "2023-11-13"
-user-id = 1249
-user-login = "hawkw"
-user-name = "Eliza Weisman"
-
-[[publisher.ucd-trie]]
-version = "0.1.6"
-when = "2023-07-07"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.unicase]]
-version = "2.7.0"
-when = "2023-08-21"
-user-id = 359
-user-login = "seanmonstar"
-user-name = "Sean McArthur"
-
-[[publisher.unicode-ident]]
-version = "1.0.12"
-when = "2023-09-13"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.unicode-normalization]]
-version = "0.1.22"
-when = "2022-09-16"
-user-id = 1139
-user-login = "Manishearth"
-user-name = "Manish Goregaokar"
-
-[[publisher.unicode-segmentation]]
-version = "1.10.1"
-when = "2023-01-31"
-user-id = 1139
-user-login = "Manishearth"
-user-name = "Manish Goregaokar"
-
-[[publisher.unsafe-libyaml]]
-version = "0.2.9"
-when = "2023-07-15"
-user-id = 3618
-user-login = "dtolnay"
-user-name = "David Tolnay"
-
-[[publisher.url]]
-version = "2.5.0"
-when = "2023-11-22"
-user-id = 72883
-user-login = "valenting"
-user-name = "Valentin Gosu"
-
-[[publisher.uuid]]
-version = "1.6.1"
-when = "2023-11-20"
-user-id = 3204
-user-login = "KodrAus"
-user-name = "Ashley Mannix"
-
-[[publisher.walkdir]]
-version = "2.4.0"
-when = "2023-09-05"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.wasi]]
-version = "0.11.0+wasi-snapshot-preview1"
-when = "2022-01-19"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.wasm-bindgen]]
-version = "0.2.89"
-when = "2023-11-27"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.wasm-bindgen-backend]]
-version = "0.2.89"
-when = "2023-11-27"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.wasm-bindgen-macro]]
-version = "0.2.89"
-when = "2023-11-27"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.wasm-bindgen-macro-support]]
-version = "0.2.89"
-when = "2023-11-27"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.wasm-bindgen-shared]]
-version = "0.2.89"
-when = "2023-11-27"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
-
-[[publisher.winapi-util]]
-version = "0.1.6"
-when = "2023-09-20"
-user-id = 189
-user-login = "BurntSushi"
-user-name = "Andrew Gallant"
-
-[[publisher.windows-core]]
-version = "0.51.1"
-when = "2023-08-17"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows-sys]]
-version = "0.48.0"
-when = "2023-03-31"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows-sys]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows-targets]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows-targets]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_aarch64_gnullvm]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_aarch64_gnullvm]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_aarch64_msvc]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_aarch64_msvc]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_i686_gnu]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_i686_gnu]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_i686_msvc]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_i686_msvc]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_x86_64_gnu]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_x86_64_gnu]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_x86_64_gnullvm]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_x86_64_gnullvm]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_x86_64_msvc]]
-version = "0.48.5"
-when = "2023-08-18"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.windows_x86_64_msvc]]
-version = "0.52.0"
-when = "2023-11-15"
-user-id = 64539
-user-login = "kennykerr"
-user-name = "Kenny Kerr"
-
-[[publisher.zip]]
-version = "0.6.6"
-when = "2023-05-16"
-user-id = 84480
-user-login = "Plecra"
-
-[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
-who = "Nick Fitzgerald <fitzgen@gmail.com>"
-criteria = "safe-to-deploy"
-user-id = 696 # Nick Fitzgerald (fitzgen)
-start = "2019-03-16"
-end = "2024-03-10"
-
-[[audits.bytecode-alliance.audits.adler]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "1.0.2"
-notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
-
-[[audits.bytecode-alliance.audits.block-buffer]]
-who = "Benjamin Bouvier <public@benj.me>"
-criteria = "safe-to-deploy"
-delta = "0.9.0 -> 0.10.2"
-
-[[audits.bytecode-alliance.audits.cfg-if]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "1.0.0"
-notes = "I am the author of this crate."
-
-[[audits.bytecode-alliance.audits.crypto-common]]
-who = "Benjamin Bouvier <public@benj.me>"
-criteria = "safe-to-deploy"
-version = "0.1.3"
-
-[[audits.bytecode-alliance.audits.fastrand]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-delta = "2.0.0 -> 2.0.1"
-notes = """
-This update had a few doc updates but no otherwise-substantial source code
-updates.
-"""
-
-[[audits.bytecode-alliance.audits.heck]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "0.4.0"
-notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."
-
-[[audits.bytecode-alliance.audits.idna]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "0.3.0"
-notes = """
-This is a crate without unsafe code or usage of the standard library. The large
-size of this crate comes from the large generated unicode tables file. This
-crate is broadly used throughout the ecosystem and does not contain anything
-suspicious.
-"""
-
-[[audits.bytecode-alliance.audits.matchers]]
-who = "Pat Hickey <phickey@fastly.com>"
-criteria = "safe-to-deploy"
-version = "0.1.0"
-
-[[audits.bytecode-alliance.audits.memoffset]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-delta = "0.7.1 -> 0.8.0"
-notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."
-
-[[audits.bytecode-alliance.audits.memoffset]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-delta = "0.8.0 -> 0.9.0"
-notes = "No major changes in the crate, mostly updates to use new nightly Rust features."
-
-[[audits.bytecode-alliance.audits.miniz_oxide]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "0.7.1"
-notes = """
-This crate is a Rust implementation of zlib compression/decompression and has
-been used by default by the Rust standard library for quite some time. It's also
-a default dependency of the popular `backtrace` crate for decompressing debug
-information. This crate forbids unsafe code and does not otherwise access system
-resources. It's originally a port of the `miniz.c` library as well, and given
-its own longevity should be relatively hardened against some of the more common
-compression-related issues.
-"""
-
-[[audits.bytecode-alliance.audits.pulldown-cmark]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "0.8.0"
-notes = """
-This crate has `unsafe` blocks and they're all related to SIMD-acceleration and
-are otherwise not doing other `unsafe` operations. Additionally the crate does
-not do anything other than markdown rendering as is expected.
-"""
-
-[[audits.bytecode-alliance.audits.pulldown-cmark]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-delta = "0.8.0 -> 0.9.3"
-notes = """
-This is a large change to the `pulldown-cmark` crate but it tightens
-restrictions on `unsafe` code to forbid it in non-SIMD mode and additionally
-many changes look to be related to refactoring, improving, and restructuring.
-This crate is not fundamentally different from before, which was trusted, but
-looks to be receiving new assistance for maintainership as well.
-"""
-
-[[audits.bytecode-alliance.audits.tinyvec]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "1.6.0"
-notes = """
-This crate, while it implements collections, does so without `std::*` APIs and
-without `unsafe`. Skimming the crate everything looks reasonable and what one
-would expect from idiomatic safe collections in Rust.
-"""
-
-[[audits.bytecode-alliance.audits.tinyvec_macros]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "0.1.0"
-notes = """
-This is a trivial crate which only contains a singular macro definition which is
-intended to multiplex across the internal representation of a tinyvec,
-presumably. This trivially doesn't contain anything bad.
-"""
-
-[[audits.bytecode-alliance.audits.unicode-bidi]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "0.3.8"
-notes = """
-This crate has no unsafe code and does not use `std::*`. Skimming the crate it
-does not attempt to out of the bounds of what it's already supposed to be doing.
-"""
-
-[[audits.embark-studios.audits.colorchoice]]
-who = "Johan Andersson <opensource@embark-studios.com>"
-criteria = "safe-to-deploy"
-version = "1.0.0"
-notes = "No unsafe usage or ambient capabilities"
-
-[[audits.embark-studios.audits.utf8parse]]
-who = "Johan Andersson <opensource@embark-studios.com>"
-criteria = "safe-to-deploy"
-version = "0.2.1"
-notes = "Single unsafe usage that looks sound, no ambient capabilities"
-
-[[audits.embark-studios.audits.valuable]]
-who = "Johan Andersson <opensource@embark-studios.com>"
-criteria = "safe-to-deploy"
-version = "0.1.0"
-notes = "No unsafe usage or ambient capabilities, sane build script"
-
-[[audits.google.audits.fastrand]]
-who = "George Burgess IV <gbiv@google.com>"
-criteria = "safe-to-deploy"
-version = "1.9.0"
-notes = """
-`does-not-implement-crypto` is certified because this crate explicitly says
-that the RNG here is not cryptographically secure.
-"""
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
-[[audits.google.audits.glob]]
-who = "George Burgess IV <gbiv@google.com>"
-criteria = "safe-to-deploy"
-version = "0.3.1"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
-[[audits.google.audits.match_cfg]]
-who = "George Burgess IV <gbiv@google.com>"
-criteria = "safe-to-deploy"
-version = "0.1.0"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
-[[audits.google.audits.unicode-xid]]
-who = "George Burgess IV <gbiv@google.com>"
-criteria = "safe-to-deploy"
-version = "0.1.0"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
-[[audits.google.audits.version_check]]
-who = "George Burgess IV <gbiv@google.com>"
-criteria = "safe-to-deploy"
-version = "0.9.4"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
-[[audits.isrg.audits.block-buffer]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-version = "0.9.0"
-
-[[audits.isrg.audits.getrandom]]
-who = "Tim Geoghegan <timg@letsencrypt.org>"
-criteria = "safe-to-deploy"
-delta = "0.2.9 -> 0.2.10"
-notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`."
-
-[[audits.isrg.audits.getrandom]]
-who = "Brandon Pitman <bran@bran.land>"
-criteria = "safe-to-deploy"
-delta = "0.2.10 -> 0.2.11"
-
-[[audits.isrg.audits.once_cell]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-delta = "1.17.2 -> 1.18.0"
-
-[[audits.isrg.audits.rand_chacha]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-version = "0.3.1"
-
-[[audits.isrg.audits.rand_core]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-version = "0.6.3"
-
-[[audits.isrg.audits.rayon]]
-who = "Brandon Pitman <bran@bran.land>"
-criteria = "safe-to-deploy"
-delta = "1.6.1 -> 1.7.0"
-
-[[audits.isrg.audits.rayon]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-delta = "1.7.0 -> 1.8.0"
-
-[[audits.isrg.audits.rayon-core]]
-who = "Brandon Pitman <bran@bran.land>"
-criteria = "safe-to-deploy"
-delta = "1.10.2 -> 1.11.0"
-
-[[audits.isrg.audits.rayon-core]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-delta = "1.11.0 -> 1.12.0"
-
-[[audits.mozilla.wildcard-audits.core-foundation-sys]]
-who = "Bobby Holley <bobbyholley@gmail.com>"
-criteria = "safe-to-deploy"
-user-id = 5946 # Jeff Muizelaar (jrmuizel)
-start = "2020-10-14"
-end = "2023-05-04"
-renew = false
-notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.wildcard-audits.unicode-normalization]]
-who = "Manish Goregaokar <manishsmail@gmail.com>"
-criteria = "safe-to-deploy"
-user-id = 1139 # Manish Goregaokar (Manishearth)
-start = "2019-11-06"
-end = "2024-05-03"
-notes = "All code written or reviewed by Manish"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.wildcard-audits.unicode-segmentation]]
-who = "Manish Goregaokar <manishsmail@gmail.com>"
-criteria = "safe-to-deploy"
-user-id = 1139 # Manish Goregaokar (Manishearth)
-start = "2019-05-15"
-end = "2024-05-03"
-notes = "All code written or reviewed by Manish"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.android_system_properties]]
-who = "Nicolas Silva <nical@fastmail.com>"
-criteria = "safe-to-deploy"
-version = "0.1.2"
-notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.android_system_properties]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.1.2 -> 0.1.4"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.android_system_properties]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.1.4 -> 0.1.5"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.autocfg]]
-who = "Josh Stone <jistone@redhat.com>"
-criteria = "safe-to-deploy"
-version = "1.1.0"
-notes = "All code written or reviewed by Josh Stone."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.bit-set]]
-who = "Aria Beingessner <a.beingessner@gmail.com>"
-criteria = "safe-to-deploy"
-version = "0.5.2"
-notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.bit-set]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.5.2 -> 0.5.3"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.bit-vec]]
-who = "Aria Beingessner <a.beingessner@gmail.com>"
-criteria = "safe-to-deploy"
-version = "0.6.3"
-notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.block-buffer]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.10.2 -> 0.10.3"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.crypto-common]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.1.3 -> 0.1.6"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.doc-comment]]
-who = "Nika Layzell <nika@thelayzells.com>"
-criteria = "safe-to-deploy"
-version = "0.3.3"
-notes = """
-Trivial macro crate implementing a trick for expanding macros within doc
-comments on older versions of rustc.
-"""
-aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.fastrand]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "1.9.0 -> 2.0.0"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.hashbrown]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-version = "0.12.3"
-notes = "This version is used in rust's libstd, so effectively we're already trusting it"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.heck]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.4.0 -> 0.4.1"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.lazy_static]]
-who = "Nika Layzell <nika@thelayzells.com>"
-criteria = "safe-to-deploy"
-version = "1.4.0"
-notes = "I have read over the macros, and audited the unsafe code."
-aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.memoffset]]
-who = "Gabriele Svelto <gsvelto@mozilla.com>"
-criteria = "safe-to-deploy"
-delta = "0.6.5 -> 0.7.1"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.new_debug_unreachable]]
-who = "Bobby Holley <bobbyholley@gmail.com>"
-criteria = "safe-to-deploy"
-version = "1.0.4"
-notes = "This is a trivial crate."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.precomputed-hash]]
-who = "Bobby Holley <bobbyholley@gmail.com>"
-criteria = "safe-to-deploy"
-version = "0.1.1"
-notes = "This is a trivial crate."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.rand_core]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "0.6.3 -> 0.6.4"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.rayon]]
-who = "Josh Stone <jistone@redhat.com>"
-criteria = "safe-to-deploy"
-version = "1.5.3"
-notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.rayon]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "1.5.3 -> 1.6.1"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.rayon-core]]
-who = "Josh Stone <jistone@redhat.com>"
-criteria = "safe-to-deploy"
-version = "1.9.3"
-notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.rayon-core]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "1.9.3 -> 1.10.1"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.rayon-core]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
-criteria = "safe-to-deploy"
-delta = "1.10.1 -> 1.10.2"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.unicode-bidi]]
-who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
-criteria = "safe-to-deploy"
-delta = "0.3.8 -> 0.3.13"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.zcash.audits.block-buffer]]
-who = "Jack Grigg <jack@electriccoin.co>"
-criteria = "safe-to-deploy"
-delta = "0.10.3 -> 0.10.4"
-notes = "Adds panics to prevent a block size of zero from causing unsoundness."
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
-[[audits.zcash.audits.tinyvec_macros]]
-who = "Jack Grigg <jack@z.cash>"
-criteria = "safe-to-deploy"
-delta = "0.1.0 -> 0.1.1"
-notes = "Adds `#![forbid(unsafe_code)]` and license files."
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
-[[audits.zcash.audits.typenum]]
-who = "Jack Grigg <jack@electriccoin.co>"
-criteria = "safe-to-deploy"
-delta = "1.16.0 -> 1.17.0"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"