Add locked files and directory-only entries.

Locked files (--lock): repo-authoritative entries. Checkpoint skips
them (preserves repo version). Status reports "drifted" instead of
"modified". Restore always overwrites if hash differs, no prompt.
Use case: system-managed files the OS overwrites.

Directory-only entries (--dir): track directory itself without
recursing. Restore ensures directory exists with correct permissions.
Use case: directories that must exist but contents are managed
elsewhere.

Add refactored to use AddOptions struct (Encrypt, Lock, DirOnly)
instead of variadic bools.

Proto: ManifestEntry gains locked field. convert.go updated.
7 new tests. ARCHITECTURE.md and README.md updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 09:56:57 -07:00
parent 7accc6cac6
commit 0929d77e90
13 changed files with 363 additions and 44 deletions

@@ -16,6 +16,7 @@ message ManifestEntry {
google.protobuf.Timestamp updated = 6;
string plaintext_hash = 7; // SHA-256 of plaintext (encrypted entries only)
bool encrypted = 8;
bool locked = 9; // repo-authoritative; restore always overwrites
}
// KekSlot describes a single KEK source for unwrapping the DEK.
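Review bot: The comment on `bool locked = 9` understates the field's semantics. The commit message says restore overwrites only when the hash differs, does so with no prompt, and that checkpoint skips locked entries, while the comment says only "restore always overwrites". Suggest documenting all three behaviours on the field, and stating which hash is compared when `encrypted` is also set, since `plaintext_hash` is documented as applying to encrypted entries only. The message also introduces directory-only entries (--dir), but this hunk adds no field for them, so it is worth confirming how a directory-only entry is represented in ManifestEntry.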