Module migration 

Structs

GenerateOptions

Options for generate.

MigrateReport

Result of an on-disk migration. Returned by migrate_file_in_place when migration ran (vs. Ok(None) when input was already current).

ResilientLoad

Result of a resilient (never-failing) config load.

Constants

CURRENT_SCHEMA_VERSION

The schema version this binary writes and expects on disk.

SECURITY_CRITICAL_KEYS

Top-level keys whose silent loss could weaken security posture: dropping a malformed one to its Default may grant a broader posture than intended. Salvage still drops them (so the daemon boots) but logs ERROR and reports them in ResilientLoad::dropped_security for exposure gating.

V1_LEGACY_KEYS

Top-level TOML keys that legacy schema versions had but V3 either removed or restructured. Suppresses “unknown key” warnings on V1/V2 configs flowing through migrate_to_current: every key here is consumed by V1Config::migrate or V2Config::migrate, so it’s expected on a stale-but-being-migrated config.

WHOLE_CONFIG_SENTINEL

Sentinel dropped_security entry used when the whole config is replaced by Config::default() (unparseable TOML, unsupported future schema, broken migration chain, or a root that cannot be salvaged section-by-section). In that case every security-critical section is lost at once, so the posture is degraded and the serving gate must refuse to start without an explicit operator override — exactly as it does for a single dropped section.

Functions

detect_version

Detect a config’s schema version from its parsed TOML representation.

encrypt_secret_strings

Walk a TOML tree and encrypt every string leaf whose terminal key name appears in secret_key_names. Strings already in enc2: / enc: form are left alone (idempotent). Arrays of strings under a matching key (e.g. paired_tokens) are encrypted element-wise.

ensure_disk_at_current_version

Refuse to proceed if the on-disk config is at a stale schema version.

generate

Generate a canonical TOML config at target_version, derived by running the V1 fixture forward through the typed migration chain.

migrate_file

Pure migration from any supported version’s TOML string into the current schema version’s TOML string. Returns Ok(None) when the input is already at CURRENT_SCHEMA_VERSION.

migrate_file_in_place

File-API wrapper: read disk config, migrate, write <file>.backup adjacent to the original, then atomically replace the original. Returns Ok(None) when already current.

migrate_to_current

Versioned TOML → validated V3 Config, strict: any defect errors. Used by repair tooling (zeroclaw config migrate, model_routing_config) that needs the precise failure. Daemon load uses the resilient path.

migrate_to_current_resilient

Daemon load path: versioned TOML → usable Config, never failing. Thin wrapper over migrate_to_current_salvaged that drops the report.

migrate_to_current_salvaged

Daemon load path with a salvage report. Degrades instead of failing: strict deserialize first; else drop each invalid channel alias, channel type, and top-level section (substituting Default); else fall back to Config::default(). Security-critical drops log ERROR and surface in dropped_security. Config::validate() is intentionally not run.