Add recursive directory synchronization (AI one-shot)

[messa]

This is a completely AI one-shotted design plan + implementation.

There was only one intervention - to steer it away from completely removing the block-checksum-based incremental copy :)

---

Summary

This PR adds comprehensive design documentation for implementing recursive directory synchronization (--recursive flag) in blockcopy, along with a minor flake8 configuration adjustment.

Changes

Documentation

• add_recursive_plan.md: New 558-line design document detailing the complete implementation plan for recursive directory synchronization
  • Overview of current blockcopy functionality and proposed usage
  • Detailed architecture with three phases: file list exchange, file transfer, and metadata application
  • Binary protocol extensions with new commands (list, file, dirs, link, ends, getc, mkdr, syml, dele)
  • Step-by-step synchronization flow with Python pseudocode
  • New CLI arguments for --recursive, --delete, --exclude, --include, and --dry-run
  • Comprehensive test plan covering unit tests, integration tests, and edge cases
  • Implementation roadmap across 5 stages
  • Discussion of backward compatibility, version detection, and risk mitigation

Configuration

• .flake8: Increased max-complexity threshold from 70 to 80 to accommodate the more complex recursive implementation

Implementation Details

The design document establishes:

• Protocol changes: New binary commands for directory listing, file metadata, and deletion operations
• Three-stage synchronization: List exchange → change detection → atomic application
• Fast path optimization: Quick comparison using mtime/size before full checksum validation
• Special case handling: Empty directories, symlinks, hardlinks, sparse files, and permission preservation
• Comprehensive testing strategy: 30+ test cases covering normal operations, edge cases, and error conditions
• Phased rollout: 5 implementation stages from basic infrastructure to advanced filtering

This document serves as the specification for the recursive feature implementation and will guide development efforts.

[Copilot]

Pull request overview

This PR adds comprehensive design documentation and implementation for recursive directory synchronization to blockcopy, enabling it to sync entire directory trees similar to rsync -r.

Changes:

• Added 558-line design document (in Czech) detailing the recursive sync architecture, protocol extensions, and implementation roadmap
• Implemented recursive directory synchronization with three new functions: do_checksum_recursive, do_retrieve_recursive, and do_save_recursive
• Added comprehensive test suite with 15 integration tests covering basic operations, incremental sync, symlinks, deletion, and block-level diff
• Bumped version from 0.0.2 to 0.0.3 and increased flake8 max-complexity threshold

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
add_recursive_plan.md	Design document describing the recursive sync architecture, binary protocol extensions, and implementation plan
blockcopy.py	Core implementation adding data classes for entries, directory scanning, serialization functions, and three recursive mode functions
tests/test_recursive.py	Comprehensive test suite with 15 tests covering recursive synchronization scenarios
uv.lock	Version bump from 0.0.2 to 0.0.3
.flake8	Increased max-complexity from 70 to 80 to accommodate recursive implementation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

If a file read fails during hashing (line 1227), the code logs a warning but continues to send 'fend' for that file. This could cause the retrieve side to receive a file entry with no hashes, which may not be handled correctly. Consider either skipping the file entirely (not sending the file entry) or sending an error marker so the retrieve side can handle the missing file appropriately.

[Copilot]

When receiving a file (FILE command), the code doesn't handle the case where a directory or symlink already exists at that path. The code tries to open() the path (line 1600), which will fail if it's a directory. The symlink handler (line 1569-1570) correctly removes existing files/symlinks before creating a new symlink, but the FILE handler should do the same to handle type conflicts (e.g., when a directory on the destination needs to be replaced with a file from the source).

Suggested change

	# Open file for writing (create if doesn't exist)
	if full_path.exists():
	f = open(full_path, 'r+b')
	# Open file for writing (create if doesn't exist).
	# If a non-regular file (e.g. directory or symlink) exists at this path,
	# remove it first so that type conflicts are handled correctly.
	if full_path.exists():
	if full_path.is_file():
	f = open(full_path, 'r+b')
	else:
	# Remove existing non-file (directory, symlink, etc.)
	if full_path.is_dir() and not full_path.is_symlink():
	# Recursively delete directory contents
	for p in sorted(full_path.rglob('*'), reverse=True):
	if p.is_file() or p.is_symlink():
	p.unlink()
	else:
	p.rmdir()
	full_path.rmdir()
	else:
	full_path.unlink()
	f = open(full_path, 'wb')

[Copilot]

The retrieve logic doesn't handle type conflicts. For example, if a path is a directory on the destination but a file on the source, the code will send a FILE command but won't send a deletion command for the directory first. Similarly, if a path is a file on destination but a directory on source, it will send mkdr but won't delete the file first. The code should detect these conflicts and send appropriate dele commands before sending the new entry type.

[Copilot]

The symlink handling creates symlinks with arbitrary target paths received from the network without validation. A malicious source could send symlinks pointing to sensitive files (e.g., '../../../etc/passwd') which could lead to security issues if the symlinks are later followed. Consider adding validation to detect and warn about or reject symlinks that point outside the destination directory tree.

Suggested change

	symlink(target, full_path)
	logger.debug('Created symlink: %s -> %s', full_path, target)
	# Validate symlink target to avoid pointing outside destination tree
	base_dir = dir_path.resolve()
	parent_dir = full_path.parent.resolve()
	from pathlib import Path # Path is likely already imported elsewhere; repeated import is harmless
	if Path(target).is_absolute():
	effective_target = Path(target).resolve(strict=False)
	else:
	effective_target = (parent_dir / target).resolve(strict=False)
	if not effective_target.is_relative_to(base_dir):
	logger.warning(
	'Refusing to create symlink %s -> %s: target %s is outside destination tree %s',
	full_path,
	target,
	effective_target,
	base_dir,
	)
	else:
	symlink(target, full_path)
	logger.debug('Created symlink: %s -> %s', full_path, target)

[Copilot]

The metadata is read after writing the file blocks, which could result in a race condition. If the file is modified between when the blocks are read (lines 1391-1430) and when the metadata is read (line 1438), the metadata (particularly size and mtime) may not match the actual data that was sent. Consider reading the metadata before processing the file blocks, or using the file descriptor from the already-open file handle.

[Copilot]

The deletion logic for directories should check for symlinks first before checking is_dir(). A symlink to a directory will return True for both is_symlink() and is_dir(), which could lead to unexpected behavior. The code should handle the case where a directory entry in the delete list is actually a symlink to a directory on the destination, to avoid following and deleting the linked directory's contents.

Suggested change

	if full_path.is_dir():
	if full_path.is_symlink():
	# Avoid following symlinks to directories; delete the link itself.
	full_path.unlink()
	logger.debug('Deleted symlink to directory: %s', full_path)
	elif full_path.is_dir():

[Copilot]

This assignment to 'mtime_ns' is unnecessary as it is redefined before this value is used.
This assignment to 'mtime_ns' is unnecessary as it is redefined before this value is used.

Suggested change

	mtime_ns = int.from_bytes(input_stream.read(8), 'big', signed=True)
	input_stream.read(8) # mtime_ns, ignored for symlinks

[Copilot]

File may not be closed if this operation raises an exception.

[Copilot]

File may not be closed if this operation raises an exception.

[Copilot]

The do_save_recursive design currently trusts path values received over the wire and directly uses dir_path / path for file creation, directory creation, symlink creation, and deletion without constraining them to stay under the destination root. A malicious or compromised peer running retrieve (or any process that can speak the protocol) can send paths containing .. segments or absolute paths and cause save to create, overwrite, or delete files and directories outside the intended destination tree (for example, modifying ~/.ssh/authorized_keys or /etc if permissions allow). To prevent this, treat incoming path values as untrusted: normalize and reject any that are absolute or escape the destination directory, and ensure operations do not follow attacker-controlled symlinks when resolving paths.

Suggested change

	def do_save_recursive(dir_path, input_stream):
	while True:
	cmd = read_command()
	if cmd == 'file':
	path = read_path()
	file_path = dir_path / path
	file_path.parent.mkdir(parents=True, exist_ok=True)
	receive_and_write_file(file_path)
	elif cmd == 'mkdr':
	path, meta = read_mkdir_data()
	(dir_path / path).mkdir(parents=True, exist_ok=True)
	apply_metadata(dir_path / path, meta)
	elif cmd == 'syml':
	path, target, meta = read_symlink_data()
	(dir_path / path).symlink_to(target)
	apply_metadata(dir_path / path, meta)
	elif cmd == 'dele':
	path, type = read_delete_data()
	if type == 'file':
	(dir_path / path).unlink()
	elif type == 'dir':
	shutil.rmtree(dir_path / path)
	from pathlib import Path
	def _resolve_under_root(root: Path, rel_path) -> Path:
	"""
	Resolve rel_path against root and ensure the resulting path
	stays within root. Reject absolute paths and any path that
	escapes the root directory.
	"""
	# Normalize input to Path
	rel = Path(rel_path)
	# Absolute paths are not allowed
	if rel.is_absolute():
	raise ValueError(f"Refusing absolute path in recursive save: {rel}")
	base = root.resolve()
	candidate = (base / rel).resolve(strict=False)
	# Ensure candidate is under base (or equal to it)
	if candidate != base and base not in candidate.parents:
	raise ValueError(f"Refusing to operate outside destination root: {candidate}")
	return candidate
	def do_save_recursive(dir_path, input_stream):
	while True:
	cmd = read_command()
	if cmd == 'file':
	path = read_path()
	file_path = _resolve_under_root(dir_path, path)
	file_path.parent.mkdir(parents=True, exist_ok=True)
	receive_and_write_file(file_path)
	elif cmd == 'mkdr':
	path, meta = read_mkdir_data()
	dir_to_create = _resolve_under_root(dir_path, path)
	dir_to_create.mkdir(parents=True, exist_ok=True)
	apply_metadata(dir_to_create, meta)
	elif cmd == 'syml':
	path, target, meta = read_symlink_data()
	link_path = _resolve_under_root(dir_path, path)
	link_path.parent.mkdir(parents=True, exist_ok=True)
	link_path.symlink_to(target)
	apply_metadata(link_path, meta)
	elif cmd == 'dele':
	path, type = read_delete_data()
	target_path = _resolve_under_root(dir_path, path)
	if type == 'file':
	target_path.unlink()
	elif type == 'dir':
	shutil.rmtree(target_path)