Update dependencies

Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config.

.forgejo/workflows/build-deb.yml

@@ -21,6 +21,7 @@ jobs:
           python3-poetry-core \
           python3-yaml \
           python3-paramiko \
+          python3-jsonschema \
           rsync \
           ca-certificates
 

.forgejo/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
         run: |
           apt-get update
           DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-            ansible ansible-lint python3-venv pipx systemctl python3-apt jq
+            ansible ansible-lint python3-venv pipx systemctl python3-apt jq python3-jsonschema
 
       - name: Install Poetry
         run: |

CHANGELOG.md

@@ -1,3 +1,26 @@
+# 0.4.3
+
+ * Add support for AddressFamily and ConnectTimeout in the .ssh/config when using `--remote-ssh-config`.
+ * Update dependencies
+
+# 0.4.2
+
+ * Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config.
+
+# 0.4.1
+
+ * Add interactive output when 'enroll diff --enforce' is invoking Ansible.
+
+# 0.4.0
+
+ * Introduce `enroll validate` - a tool to validate a harvest against the state schema, or check for missing or orphaned obsolete artifacts in a harvest.
+ * Attempt to generate Jinja2 templates of systemd unit files and Postfix main.cf (now that JinjaTurtle supports it)
+ * Update pynacl dependency to resolve CVE-2025-69277
+ * Add `--exclude-path` to `enroll diff` command, so that you can ignore certain churn from the diff (stuff you still wanted to harvest as a baseline but don't care if it changes day to day)
+ * Add `--ignore-package-versions` to `enroll diff` command, to optionally ignore package upgrades (e.g due to patching) from the diff.
+ * Add tags to the playbook for each role, to allow easier targeting of specific roles during play later.
+ * Add `--enforce` mode to `enroll diff`. If there is diff detected between the two harvests, and it can enforce restoring the state from the older harvest, it will manifest the state and apply it with ansible. Only the specific roles that had diffed will be applied (via the new tags capability)
+
 # 0.3.0
 
  * Introduce `enroll explain` - a tool to analyze and explain what's in (or not in) a harvest and why.
@@ -17,7 +40,7 @@
 
 # 0.2.1
 
- * Don't accidentally add extra_paths role to usr_local_custom list, resulting in extra_paths appearing twice in manifested playbook
+ * Don't accidentally add `extra_paths` role to `usr_local_custom` list, resulting in `extra_paths` appearing twice in manifested playbook
  * Ensure directories in the tree of anything included with --include are defined in the state and manifest so we make dirs before we try to create files
 
 # 0.2.0
@@ -38,8 +61,8 @@
 # 0.1.5
 
  * Consolidate logrotate and cron files into their main service/package roles if they exist.
- * Standardise on MAX_FILES_CAP in one place
- * Manage apt stuff in its own role, not in etc_custom
+ * Standardise on `MAX_FILES_CAP` in one place
+ * Manage apt stuff in its own role, not in `etc_custom`
 
 # 0.1.4
 

Dockerfile.debbuild

@@ -26,6 +26,7 @@ RUN set -eux; \
       python3-poetry-core \
       python3-yaml \
       python3-paramiko \
+      python3-jsonschema \
       rsync \
       ca-certificates \
     ; \

Dockerfile.rpmbuild

@@ -22,6 +22,7 @@ RUN set -eux; \
         python3-rpm-macros \
         python3-yaml \
         python3-paramiko \
+        python3-jsonschema \
         openssl-devel \
         python3-poetry-core ; \
         dnf -y clean all
@@ -34,25 +35,8 @@ set -euo pipefail
 SRC="${SRC:-/src}"
 WORKROOT="${WORKROOT:-/work}"
 OUT="${OUT:-/out}"
-DEPS_DIR="${DEPS_DIR:-/deps}"
 VERSION_ID="$(grep VERSION_ID /etc/os-release | cut -d= -f2)"
 echo "Version ID is ${VERSION_ID}"
-# Install jinjaturtle from local rpm
-# Filter out .src.rpm and debug* subpackages if present.
-if [ -d "${DEPS_DIR}" ] && compgen -G "${DEPS_DIR}/*.rpm" > /dev/null; then
-  mapfile -t rpms < <(ls -1 "${DEPS_DIR}"/*.rpm | grep -vE '(\.src\.rpm$|-(debuginfo|debugsource)-)' | grep "${VERSION_ID}")
-  if [ "${#rpms[@]}" -gt 0 ]; then
-    echo "Installing dependency RPMs from ${DEPS_DIR}:"
-    printf '  - %s\n' "${rpms[@]}"
-    dnf -y install "${rpms[@]}"
-    dnf -y clean all
-  else
-    echo "NOTE: Only src/debug RPMs found in ${DEPS_DIR}; nothing installed." >&2
-  fi
-else
-  echo "NOTE: No RPMs found in ${DEPS_DIR}. If the build fails with missing python3dist(jinjaturtle)," >&2
-  echo "      mount your jinjaturtle RPM directory as -v <dir>:/deps" >&2
-fi
 
 mkdir -p "${WORKROOT}" "${OUT}"
 WORK="${WORKROOT}/src"

README.md

@@ -74,7 +74,7 @@ Harvest state about a host and write a harvest bundle.
 
 **Common flags**
 - Remote harvesting:
-  - `--remote-host`, `--remote-user`, `--remote-port`
+  - `--remote-host`, `--remote-user`, `--remote-port`, `--remote-ssh-config`
   - `--no-sudo` (if you don't want/need sudo)
 - Sensitive-data behaviour:
   - default: tries to avoid likely secrets
@@ -108,6 +108,17 @@ Generate Ansible output from an existing harvest bundle.
 **Common flags**
 - `--fqdn <host>`: enables **multi-site** output style
 
+**Role tags**
+Generated playbooks tag each role so you can target just the parts you need:
+
+- Tag format: `role_<role_name>` (e.g. `role_services`, `role_users`)
+- Fallback/safe tag: `role_other`
+
+Example:
+```bash
+ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml --tags role_services,role_users
+```
+
 ---
 
 ### `enroll single-shot`
@@ -131,6 +142,26 @@ Compare two harvest bundles and report what changed.
 **Inputs**
 - `--old <harvest>` and `--new <harvest>` (directories or `state.json` paths)
 - `--sops` when comparing SOPS-encrypted harvest bundles
+- `--exclude-path <PATTERN>` (repeatable) to ignore file/dir drift under matching paths (same pattern syntax as harvest)
+- `--ignore-package-versions` to ignore package version-only drift (upgrades/downgrades)
+- `--enforce` to apply the **old** harvest state locally (requires `ansible-playbook` on `PATH`)
+
+**Noise suppression**
+- `--exclude-path` is useful for things that change often but you still want in the harvest baseline (e.g. `/var/anacron`).
+- `--ignore-package-versions` keeps routine upgrades from alerting; package add/remove drift is still reported.
+
+**Enforcement (`--enforce`)**
+If a diff exists and `ansible-playbook` is available, Enroll will:
+1) generate a manifest from the **old** harvest into a temporary directory
+2) run `ansible-playbook -i localhost, -c local <tmp>/playbook.yml` (often with `--tags role_<...>` to limit runtime)
+3) record in the diff report that the old harvest was enforced
+
+Enforcement is intentionally “safe”:
+- reinstalls packages that were removed (`state: present`), but does **not** attempt downgrades/pinning
+- restores users, files (contents + permissions/ownership), and service enable/start state
+
+If `ansible-playbook` is not on `PATH`, Enroll returns an error and does not enforce.
+
 
 **Output formats**
 - `--format json` (default for webhooks)
@@ -157,6 +188,61 @@ Output can be provided in plaintext or json.
 
 ---
 
+### `enroll validate`
+
+Validates a harvest by checking:
+
+ * state.json exists and is valid JSON
+ * state.json validates against a JSON Schema (by default the vendored one)
+ * Every `managed_file` entry has a corresponding artifact at: `artifacts/<role_name>/<src_rel>`
+ * That there are no **unreferenced files** sitting in `artifacts/` that aren't in the state.
+
+#### Schema location + overrides
+
+The master schema lives at: `enroll/schema/state.schema.json`.
+
+You can override with a local file or URL:
+
+```
+enroll validate /path/to/harvest --schema ./state.schema.json
+enroll validate /path/to/harvest --schema https://enroll.sh/schema/state.schema.json
+```
+
+Or skip schema checks (still does artifact consistency checks):
+
+```
+enroll validate /path/to/harvest --no-schema
+```
+
+#### CLI usage examples
+
+Validate a local harvest:
+
+```
+enroll validate ./harvest
+```
+
+Validate a harvest tarball or a sops bundle:
+
+```
+enroll validate ./harvest.tar.gz
+enroll validate ./harvest.sops --sops
+```
+
+JSON output + write to file:
+
+```
+enroll validate ./harvest --format json --out validate.json
+```
+
+Return exit code 1 for any warnings, not just errors (useful for CI):
+
+```
+enroll validate ./harvest --fail-on-warnings
+```
+
+---
+
 ## Sensitive data
 
 By default, `enroll` does **not** assume how you handle secrets in Ansible. It will attempt to avoid harvesting likely sensitive data (private keys, passwords, tokens, etc.). This can mean it skips some config files you may ultimately want to manage.
@@ -269,6 +355,14 @@ enroll harvest --out /tmp/enroll-harvest
 enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest
 ```
 
+### Remote harvest over SSH, where the SSH configuration is in ~/.ssh/config (e.g a different SSH key)
+
+Note: you must still pass `--remote-host`, but in this case, its value can be the 'Host' alias of an entry in your `~/.ssh/config`.
+
+```bash
+enroll harvest --remote-host myhostalias --remote-ssh-config ~/.ssh/config --out /tmp/enroll-harvest
+```
+
 ### Include paths (`--include-path`)
 ```bash
 # Add a few dotfiles from /home (still secret-safe unless --dangerous)
@@ -344,7 +438,7 @@ enroll single-shot --remote-host myhost.example.com --remote-user myuser   --har
 
 ## Diff
 
-### Compare two harvest directories
+### Compare two harvest directories, output in json
 ```bash
 enroll diff --old /path/to/harvestA --new /path/to/harvestB --format json
 ```
@@ -356,6 +450,21 @@ enroll diff   --old /path/to/golden/harvest   --new /path/to/new/harvest   --web
 
 `diff` mode also supports email sending and text or markdown format, as well as `--exit-code` mode to trigger a return code of 2 (useful for crons or CI)
 
+### Ignore a specific directory or file from the diff
+```bash
+enroll diff --old /path/to/harvestA --new /path/to/harvestB --exclude-path /var/anacron
+```
+
+### Ignore package version drift (routine upgrades) but still alert on add/remove
+```bash
+enroll diff --old /path/to/harvestA --new /path/to/harvestB --ignore-package-versions
+```
+
+### Enforce the old harvest state when drift is detected (requires Ansible)
+```bash
+enroll diff --old /path/to/harvestA --new /path/to/harvestB --enforce --ignore-package-versions --exclude-path /var/anacron
+```
+
 ---
 
 ## Explain
@@ -431,6 +540,12 @@ ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml
 ansible-playbook /tmp/enroll-ansible/playbooks/"$(hostname -f)".yml
 ```
 
+### Run only specific roles (tags)
+Generated playbooks tag each role as `role_<name>` (e.g. `role_users`, `role_services`), so you can speed up targeted runs:
+```bash
+ansible-playbook -i "localhost," -c local /tmp/enroll-ansible/playbook.yml --tags role_users
+```
+
 ## Configuration file
 
 As can be seen above, there are a lot of powerful 'permutations' available to all four subcommands.
@@ -480,6 +595,12 @@ exclude_path = /usr/local/bin/docker-*, /usr/local/bin/some-tool
 no_jinjaturtle = true
 sops = 00AE817C24A10C2540461A9C1D7CDE0234DB458D
 
+[diff]
+# ignore noisy drift
+exclude_path = /var/anacron
+ignore_package_versions = true
+# enforce = true  # requires ansible-playbook on PATH
+
 [single-shot]
 # if you use single-shot, put its defaults here.
 # It does not inherit those of the subsections above, so you

debian/changelog

@@ -1,3 +1,32 @@
+enroll (0.4.3) unstable; urgency=medium
+
+ *  Add support for AddressFamily and ConnectTimeout in the .ssh/config when using `--remote-ssh-config`.
+
+ -- Miguel Jacq <mig@mig5.net>  Fri, 16 Jan 2026 11:00 +1100
+
+enroll (0.4.2) unstable; urgency=medium
+
+ * Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config.
+
+ -- Miguel Jacq <mig@mig5.net>  Tue, 13 Jan 2026 21:55:00 +1100
+
+enroll (0.4.1) unstable; urgency=medium
+ * Add interactive output when 'enroll diff --enforce' is invoking Ansible.
+
+ -- Miguel Jacq <mig@mig5.net>  Sun, 11 Jan 2026 10:00:00 +1100
+
+enroll (0.4.0) unstable; urgency=medium
+ * Introduce `enroll validate` - a tool to validate a harvest against the state schema, or check for missing or orphaned obsolete artifacts in a harvest.
+ * Attempt to generate Jinja2 templates of systemd unit files and Postfix main.cf (now that JinjaTurtle supports it)
+ * Update pynacl dependency to resolve CVE-2025-69277
+ * Add `--exclude-path` to `enroll diff` command, so that you can ignore certain churn from the diff (stuff you still wanted to harvest as a baseline but don't care if it changes day to day)
+ * Add `--ignore-package-versions` to `enroll diff` command, to optionally ignore package upgrades (e.g due to patching) from the diff.
+ * Add tags to the playbook for each role, to allow easier targeting of specific roles during play later.
+ * Add `--enforce` mode to `enroll diff`. If there is diff detected between the two harvests, and it can enforce restoring the state from the older harvest, it will manifest the state and apply it with ansible.
+Only the specific roles that had diffed will be applied (via the new tags capability)
+
+ -- Miguel Jacq <mig@mig5.net>  Sat, 10 Jan 2026 10:30:00 +1100
+
 enroll (0.3.0) unstable; urgency=medium
 
   * Introduce `enroll explain` - a tool to analyze and explain what's in (or not in) a harvest and why.

debian/control

@@ -10,12 +10,13 @@ Build-Depends:
  python3-all,
  python3-yaml,
  python3-poetry-core,
- python3-paramiko
+ python3-paramiko,
+ python3-jsonschema
 Standards-Version: 4.6.2
 Homepage: https://git.mig5.net/mig5/enroll
 
 Package: enroll
 Architecture: all
-Depends: ${misc:Depends}, ${python3:Depends}, python3-yaml, python3-paramiko
+Depends: ${misc:Depends}, ${python3:Depends}, python3-yaml, python3-paramiko, python3-jsonschema
 Description: Harvest a host into Ansible roles
  A tool that inspects a system and emits Ansible roles/playbooks to reproduce it.

enroll/cli.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import argparse
 import configparser
+import json
 import os
 import sys
 import tarfile
@@ -10,12 +11,20 @@ from pathlib import Path
 from typing import Optional
 
 from .cache import new_harvest_cache_dir
-from .diff import compare_harvests, format_report, post_webhook, send_email
+from .diff import (
+    compare_harvests,
+    enforce_old_harvest,
+    format_report,
+    has_enforceable_drift,
+    post_webhook,
+    send_email,
+)
 from .explain import explain_state
 from .harvest import harvest
 from .manifest import manifest
 from .remote import remote_harvest, RemoteSudoPasswordRequired
 from .sopsutil import SopsError, encrypt_file_binary
+from .validate import validate_harvest
 from .version import get_enroll_version
 
 
@@ -341,16 +350,33 @@ def _add_remote_args(p: argparse.ArgumentParser) -> None:
         "--remote-host",
         help="SSH host to run harvesting on (if set, harvest runs remotely and is pulled locally).",
     )
+    p.add_argument(
+        "--remote-ssh-config",
+        nargs="?",
+        const=str(Path.home() / ".ssh" / "config"),
+        default=None,
+        help=(
+            "Use OpenSSH-style ssh_config settings for --remote-host. "
+            "If provided without a value, defaults to ~/.ssh/config. "
+            "(Applies HostName/User/Port/IdentityFile/ProxyCommand/HostKeyAlias when supported.)"
+        ),
+    )
     p.add_argument(
         "--remote-port",
         type=int,
-        default=22,
-        help="SSH port for --remote-host (default: 22).",
+        default=None,
+        help=(
+            "SSH port for --remote-host. If omitted, defaults to 22, or a value from ssh_config when "
+            "--remote-ssh-config is set."
+        ),
     )
     p.add_argument(
         "--remote-user",
-        default=os.environ.get("USER") or None,
-        help="SSH username for --remote-host (default: local $USER).",
+        default=None,
+        help=(
+            "SSH username for --remote-host. If omitted, defaults to local $USER, or a value from ssh_config when "
+            "--remote-ssh-config is set."
+        ),
     )
 
     # Align terminology with Ansible: "become" == sudo.
@@ -548,6 +574,33 @@ def main() -> None:
         default="text",
         help="Report output format (default: text).",
     )
+    d.add_argument(
+        "--exclude-path",
+        action="append",
+        default=[],
+        metavar="PATTERN",
+        help=(
+            "Exclude file paths from the diff report (repeatable). Supports globs (including '**') and regex via 're:<regex>'. "
+            "This affects file drift reporting only (added/removed/changed files), not package/service/user diffs."
+        ),
+    )
+    d.add_argument(
+        "--ignore-package-versions",
+        action="store_true",
+        help=(
+            "Ignore package version changes in the diff report and exit status. "
+            "Package additions/removals are still reported. Useful when routine upgrades would otherwise create noisy drift."
+        ),
+    )
+    d.add_argument(
+        "--enforce",
+        action="store_true",
+        help=(
+            "If differences are detected, attempt to enforce the old harvest state locally by generating a manifest and "
+            "running ansible-playbook. Requires ansible-playbook on PATH. "
+            "Enroll does not attempt to downgrade packages; if the only drift is package version upgrades (or newly installed packages), enforcement is skipped."
+        ),
+    )
     d.add_argument(
         "--out",
         help="Write the report to this file instead of stdout.",
@@ -632,6 +685,49 @@ def main() -> None:
         help="How many example paths/refs to show per reason.",
     )
 
+    v = sub.add_parser(
+        "validate", help="Validate a harvest bundle (state.json + artifacts)"
+    )
+    _add_config_args(v)
+    v.add_argument(
+        "harvest",
+        help=(
+            "Harvest input (directory, a path to state.json, a tarball, or a SOPS-encrypted bundle)."
+        ),
+    )
+    v.add_argument(
+        "--sops",
+        action="store_true",
+        help="Treat the input as a SOPS-encrypted bundle (auto-detected if the filename ends with .sops).",
+    )
+    v.add_argument(
+        "--schema",
+        help=(
+            "Optional JSON schema source (file path or https:// URL). "
+            "If omitted, uses the schema vendored in the enroll codebase."
+        ),
+    )
+    v.add_argument(
+        "--no-schema",
+        action="store_true",
+        help="Skip JSON schema validation and only perform bundle consistency checks.",
+    )
+    v.add_argument(
+        "--fail-on-warnings",
+        action="store_true",
+        help="Exit non-zero if validation produces warnings.",
+    )
+    v.add_argument(
+        "--format",
+        choices=["text", "json"],
+        default="text",
+        help="Output format.",
+    )
+    v.add_argument(
+        "--out",
+        help="Write the report to this file instead of stdout.",
+    )
+
     argv = sys.argv[1:]
     cfg_path = _discover_config_path(argv)
     argv = _inject_config_argv(
@@ -644,10 +740,22 @@ def main() -> None:
             "single-shot": s,
             "diff": d,
             "explain": e,
+            "validate": v,
         },
     )
     args = ap.parse_args(argv)
 
+    # Preserve historical defaults for remote harvesting unless ssh_config lookup is enabled.
+    # This lets ssh_config values take effect when the user did not explicitly set
+    # --remote-user / --remote-port.
+    if hasattr(args, "remote_host"):
+        rsc = getattr(args, "remote_ssh_config", None)
+        if not rsc:
+            if getattr(args, "remote_port", None) is None:
+                setattr(args, "remote_port", 22)
+            if getattr(args, "remote_user", None) is None:
+                setattr(args, "remote_user", os.environ.get("USER") or None)
+
     try:
         if args.cmd == "harvest":
             sops_fps = getattr(args, "sops", None)
@@ -665,8 +773,9 @@ def main() -> None:
                             ask_become_pass=args.ask_become_pass,
                             local_out_dir=tmp_bundle,
                             remote_host=args.remote_host,
-                            remote_port=int(args.remote_port),
+                            remote_port=args.remote_port,
                             remote_user=args.remote_user,
+                            remote_ssh_config=args.remote_ssh_config,
                             dangerous=bool(args.dangerous),
                             no_sudo=bool(args.no_sudo),
                             include_paths=list(getattr(args, "include_path", []) or []),
@@ -686,8 +795,9 @@ def main() -> None:
                         ask_become_pass=args.ask_become_pass,
                         local_out_dir=out_dir,
                         remote_host=args.remote_host,
-                        remote_port=int(args.remote_port),
+                        remote_port=args.remote_port,
                         remote_user=args.remote_user,
+                        remote_ssh_config=args.remote_ssh_config,
                         dangerous=bool(args.dangerous),
                         no_sudo=bool(args.no_sudo),
                         include_paths=list(getattr(args, "include_path", []) or []),
@@ -739,6 +849,33 @@ def main() -> None:
             )
             sys.stdout.write(out)
 
+        elif args.cmd == "validate":
+            res = validate_harvest(
+                args.harvest,
+                sops_mode=bool(getattr(args, "sops", False)),
+                schema=getattr(args, "schema", None),
+                no_schema=bool(getattr(args, "no_schema", False)),
+            )
+
+            fmt = str(getattr(args, "format", "text"))
+            if fmt == "json":
+                txt = json.dumps(res.to_dict(), indent=2, sort_keys=True) + "\n"
+            else:
+                txt = res.to_text()
+
+            out_path = getattr(args, "out", None)
+            if out_path:
+                p = Path(out_path).expanduser()
+                p.parent.mkdir(parents=True, exist_ok=True)
+                p.write_text(txt, encoding="utf-8")
+            else:
+                sys.stdout.write(txt)
+
+            if res.errors:
+                raise SystemExit(1)
+            if res.warnings and bool(getattr(args, "fail_on_warnings", False)):
+                raise SystemExit(1)
+
         elif args.cmd == "manifest":
             out_enc = manifest(
                 args.harvest,
@@ -754,8 +891,47 @@ def main() -> None:
                 args.old,
                 args.new,
                 sops_mode=bool(getattr(args, "sops", False)),
+                exclude_paths=list(getattr(args, "exclude_path", []) or []),
+                ignore_package_versions=bool(
+                    getattr(args, "ignore_package_versions", False)
+                ),
             )
 
+            # Optional enforcement: if drift is detected, attempt to restore the
+            # system to the *old* (baseline) state using ansible-playbook.
+            if bool(getattr(args, "enforce", False)):
+                if has_changes:
+                    if not has_enforceable_drift(report):
+                        report["enforcement"] = {
+                            "requested": True,
+                            "status": "skipped",
+                            "reason": (
+                                "no enforceable drift detected (only additions and/or package version changes); "
+                                "enroll does not attempt to downgrade packages"
+                            ),
+                        }
+                    else:
+                        try:
+                            info = enforce_old_harvest(
+                                args.old,
+                                sops_mode=bool(getattr(args, "sops", False)),
+                                report=report,
+                            )
+                        except Exception as e:
+                            raise SystemExit(
+                                f"error: could not enforce old harvest state: {e}"
+                            ) from e
+                        report["enforcement"] = {
+                            "requested": True,
+                            **(info or {}),
+                        }
+                else:
+                    report["enforcement"] = {
+                        "requested": True,
+                        "status": "skipped",
+                        "reason": "no differences detected",
+                    }
+
             txt = format_report(report, fmt=str(getattr(args, "format", "text")))
             out_path = getattr(args, "out", None)
             if out_path:
@@ -822,8 +998,9 @@ def main() -> None:
                             ask_become_pass=args.ask_become_pass,
                             local_out_dir=tmp_bundle,
                             remote_host=args.remote_host,
-                            remote_port=int(args.remote_port),
+                            remote_port=args.remote_port,
                             remote_user=args.remote_user,
+                            remote_ssh_config=args.remote_ssh_config,
                             dangerous=bool(args.dangerous),
                             no_sudo=bool(args.no_sudo),
                             include_paths=list(getattr(args, "include_path", []) or []),
@@ -852,8 +1029,9 @@ def main() -> None:
                         ask_become_pass=args.ask_become_pass,
                         local_out_dir=harvest_dir,
                         remote_host=args.remote_host,
-                        remote_port=int(args.remote_port),
+                        remote_port=args.remote_port,
                         remote_user=args.remote_user,
+                        remote_ssh_config=args.remote_ssh_config,
                         dangerous=bool(args.dangerous),
                         no_sudo=bool(args.no_sudo),
                         include_paths=list(getattr(args, "include_path", []) or []),

enroll/diff.py

@@ -3,10 +3,15 @@ from __future__ import annotations
 import hashlib
 import json
 import os
+import re
 import shutil
 import subprocess  # nosec
 import tarfile
 import tempfile
+import sys
+import threading
+import time
+import itertools
 import urllib.request
 from contextlib import ExitStack
 from dataclasses import dataclass
@@ -16,9 +21,73 @@ from pathlib import Path
 from typing import Any, Dict, Iterable, List, Optional, Tuple
 
 from .remote import _safe_extract_tar
+from .pathfilter import PathFilter
 from .sopsutil import decrypt_file_binary_to, require_sops_cmd
 
 
+def _progress_enabled() -> bool:
+    """Return True if we should display interactive progress UI on the CLI.
+
+    We only emit progress when stderr is a TTY, so it won't pollute JSON/text reports
+    captured by systemd, CI, webhooks, etc. Users can also disable this explicitly via
+    ENROLL_NO_PROGRESS=1.
+    """
+    if os.environ.get("ENROLL_NO_PROGRESS", "").strip() in {"1", "true", "yes"}:
+        return False
+    try:
+        return sys.stderr.isatty()
+    except Exception:
+        return False
+
+
+class _Spinner:
+    """A tiny terminal spinner with an elapsed-time counter (stderr-only)."""
+
+    def __init__(self, message: str, *, interval: float = 0.12) -> None:
+        self.message = message.rstrip()
+        self.interval = interval
+        self._stop = threading.Event()
+        self._thread: Optional[threading.Thread] = None
+        self._last_len = 0
+        self._start = 0.0
+
+    def start(self) -> None:
+        if self._thread is not None:
+            return
+        self._start = time.monotonic()
+        self._thread = threading.Thread(
+            target=self._run, name="enroll-spinner", daemon=True
+        )
+        self._thread.start()
+
+    def stop(self, final_line: Optional[str] = None) -> None:
+        self._stop.set()
+        if self._thread is not None:
+            self._thread.join(timeout=1.0)
+
+        # Clear spinner line.
+        try:
+            sys.stderr.write("\r" + (" " * max(self._last_len, 0)) + "\r")
+            if final_line:
+                sys.stderr.write(final_line.rstrip() + "\n")
+            sys.stderr.flush()
+        except Exception:
+            pass  # nosec
+
+    def _run(self) -> None:
+        frames = itertools.cycle("|/-\\")
+        while not self._stop.is_set():
+            elapsed = time.monotonic() - self._start
+            line = f"{self.message} {next(frames)} {elapsed:0.1f}s"
+            try:
+                sys.stderr.write("\r" + line)
+                sys.stderr.flush()
+                self._last_len = max(self._last_len, len(line))
+            except Exception:
+                return
+            self._stop.wait(self.interval)
+
+
 def _utc_now_iso() -> str:
     return datetime.now(tz=timezone.utc).isoformat()
 
@@ -289,6 +358,8 @@ def compare_harvests(
     new_path: str,
     *,
     sops_mode: bool = False,
+    exclude_paths: Optional[List[str]] = None,
+    ignore_package_versions: bool = False,
 ) -> Tuple[Dict[str, Any], bool]:
     """Compare two harvests.
 
@@ -315,17 +386,21 @@ def compare_harvests(
         pkgs_removed = sorted(old_pkgs - new_pkgs)
 
         pkgs_version_changed: List[Dict[str, Any]] = []
+        pkgs_version_changed_ignored_count = 0
         for pkg in sorted(old_pkgs & new_pkgs):
             a = old_inv.get(pkg) or {}
             b = new_inv.get(pkg) or {}
             if _pkg_version_key(a) != _pkg_version_key(b):
-                pkgs_version_changed.append(
-                    {
-                        "package": pkg,
-                        "old": _pkg_version_display(a),
-                        "new": _pkg_version_display(b),
-                    }
-                )
+                if ignore_package_versions:
+                    pkgs_version_changed_ignored_count += 1
+                else:
+                    pkgs_version_changed.append(
+                        {
+                            "package": pkg,
+                            "old": _pkg_version_display(a),
+                            "new": _pkg_version_display(b),
+                        }
+                    )
 
         old_units = _service_units(old_state)
         new_units = _service_units(new_state)
@@ -387,6 +462,17 @@ def compare_harvests(
 
         old_files = _file_index(old_b.dir, old_state)
         new_files = _file_index(new_b.dir, new_state)
+
+        # Optional user-supplied path exclusions (same semantics as harvest --exclude-path),
+        # applied only to file drift reporting.
+        diff_filter = PathFilter(include=(), exclude=exclude_paths or ())
+        if exclude_paths:
+            old_files = {
+                p: r for p, r in old_files.items() if not diff_filter.is_excluded(p)
+            }
+            new_files = {
+                p: r for p, r in new_files.items() if not diff_filter.is_excluded(p)
+            }
         old_paths_set = set(old_files)
         new_paths_set = set(new_files)
 
@@ -462,6 +548,10 @@ def compare_harvests(
 
         report: Dict[str, Any] = {
             "generated_at": _utc_now_iso(),
+            "filters": {
+                "exclude_paths": list(exclude_paths or []),
+                "ignore_package_versions": bool(ignore_package_versions),
+            },
             "old": {
                 "input": old_path,
                 "bundle_dir": str(old_b.dir),
@@ -478,6 +568,9 @@ def compare_harvests(
                 "added": pkgs_added,
                 "removed": pkgs_removed,
                 "version_changed": pkgs_version_changed,
+                "version_changed_ignored_count": int(
+                    pkgs_version_changed_ignored_count
+                ),
             },
             "services": {
                 "enabled_added": units_added,
@@ -513,6 +606,302 @@ def compare_harvests(
         return report, has_changes
 
 
+def has_enforceable_drift(report: Dict[str, Any]) -> bool:
+    """Return True if the diff report contains drift that is safe/meaningful to enforce.
+
+    Enforce mode is intended to restore *state* (files/users/services) and to
+    reinstall packages that were removed.
+
+    It is deliberately conservative about package drift:
+      - Package *version* changes alone are not enforced (no downgrades).
+      - Newly installed packages are not removed.
+
+    This helper lets the CLI decide whether `--enforce` should actually run.
+    """
+
+    pk = report.get("packages", {}) or {}
+    if pk.get("removed"):
+        return True
+
+    sv = report.get("services", {}) or {}
+    # We do not try to disable newly-enabled services; we only restore units
+    # that were enabled in the baseline but are now missing.
+    if sv.get("enabled_removed") or []:
+        return True
+
+    for ch in sv.get("changed", []) or []:
+        changes = ch.get("changes") or {}
+        # Ignore package set drift for enforceability decisions; package
+        # enforcement is handled via reinstalling removed packages, and we
+        # avoid trying to "undo" upgrades/renames.
+        for k in changes.keys():
+            if k != "packages":
+                return True
+
+    us = report.get("users", {}) or {}
+    # We restore baseline users (missing/changed). We do not remove newly-added users.
+    if (us.get("removed") or []) or (us.get("changed") or []):
+        return True
+
+    fl = report.get("files", {}) or {}
+    # We restore baseline files (missing/changed). We do not delete newly-managed files.
+    if (fl.get("removed") or []) or (fl.get("changed") or []):
+        return True
+
+    return False
+
+
+def _role_tag(role: str) -> str:
+    """Return the Ansible tag name for a role (must match manifest generation)."""
+    r = str(role or "").strip()
+    safe = re.sub(r"[^A-Za-z0-9_-]+", "_", r).strip("_")
+    if not safe:
+        safe = "other"
+    return f"role_{safe}"
+
+
+def _enforcement_plan(
+    report: Dict[str, Any],
+    old_state: Dict[str, Any],
+    old_bundle_dir: Path,
+) -> Dict[str, Any]:
+    """Return a best-effort enforcement plan (roles/tags) for this diff report.
+
+    We only plan for drift that the baseline manifest can safely restore:
+      - packages that were removed (reinstall, no downgrades)
+      - baseline users that were removed/changed
+      - baseline files that were removed/changed
+      - baseline systemd units that were disabled/changed
+
+    We do NOT plan to remove newly-added packages/users/files/services.
+    """
+    roles: set[str] = set()
+
+    # --- Packages (only removals)
+    pk = report.get("packages", {}) or {}
+    removed_pkgs = set(pk.get("removed") or [])
+    if removed_pkgs:
+        pkg_to_roles: Dict[str, set[str]] = {}
+
+        for svc in _roles(old_state).get("services") or []:
+            r = str(svc.get("role_name") or "").strip()
+            for p in svc.get("packages", []) or []:
+                if p:
+                    pkg_to_roles.setdefault(str(p), set()).add(r)
+
+        for pr in _roles(old_state).get("packages") or []:
+            r = str(pr.get("role_name") or "").strip()
+            p = pr.get("package")
+            if p:
+                pkg_to_roles.setdefault(str(p), set()).add(r)
+
+        for p in removed_pkgs:
+            for r in pkg_to_roles.get(str(p), set()):
+                if r:
+                    roles.add(r)
+
+    # --- Users (removed/changed)
+    us = report.get("users", {}) or {}
+    if (us.get("removed") or []) or (us.get("changed") or []):
+        u = _roles(old_state).get("users") or {}
+        u_role = str(u.get("role_name") or "users")
+        if u_role:
+            roles.add(u_role)
+
+    # --- Files (removed/changed)
+    fl = report.get("files", {}) or {}
+    file_paths: List[str] = []
+    for e in fl.get("removed", []) or []:
+        if isinstance(e, dict):
+            p = e.get("path")
+        else:
+            p = e
+        if p:
+            file_paths.append(str(p))
+    for e in fl.get("changed", []) or []:
+        if isinstance(e, dict):
+            p = e.get("path")
+        else:
+            p = e
+        if p:
+            file_paths.append(str(p))
+
+    if file_paths:
+        idx = _file_index(old_bundle_dir, old_state)
+        for p in file_paths:
+            rec = idx.get(p)
+            if rec and rec.role:
+                roles.add(str(rec.role))
+
+    # --- Services (enabled_removed + meaningful changes)
+    sv = report.get("services", {}) or {}
+    units: List[str] = []
+    for u in sv.get("enabled_removed", []) or []:
+        if u:
+            units.append(str(u))
+    for ch in sv.get("changed", []) or []:
+        if not isinstance(ch, dict):
+            continue
+        unit = ch.get("unit")
+        changes = ch.get("changes") or {}
+        if unit and any(k != "packages" for k in changes.keys()):
+            units.append(str(unit))
+
+    if units:
+        old_units = _service_units(old_state)
+        for u in units:
+            snap = old_units.get(u)
+            if snap and snap.get("role_name"):
+                roles.add(str(snap.get("role_name")))
+
+    # Drop empty/unknown roles.
+    roles = {r for r in roles if r and str(r).strip() and str(r).strip() != "unknown"}
+
+    tags = sorted({_role_tag(r) for r in roles})
+    return {
+        "roles": sorted(roles),
+        "tags": tags,
+    }
+
+
+def enforce_old_harvest(
+    old_path: str,
+    *,
+    sops_mode: bool = False,
+    report: Optional[Dict[str, Any]] = None,
+) -> Dict[str, Any]:
+    """Enforce the *old* (baseline) harvest state on the current machine.
+
+    When Ansible is available, this:
+      1) renders a temporary manifest from the old harvest, and
+      2) runs ansible-playbook locally to apply it.
+
+    Returns a dict suitable for attaching to the diff report under
+    report['enforcement'].
+    """
+
+    ansible_playbook = shutil.which("ansible-playbook")
+    if not ansible_playbook:
+        raise RuntimeError(
+            "ansible-playbook not found on PATH (cannot enforce; install Ansible)"
+        )
+
+    # Import lazily to avoid heavy import cost and potential CLI cycles.
+    from .manifest import manifest
+
+    started_at = _utc_now_iso()
+
+    with ExitStack() as stack:
+        old_b = _bundle_from_input(old_path, sops_mode=sops_mode)
+        if old_b.tempdir:
+            stack.callback(old_b.tempdir.cleanup)
+
+        old_state = _load_state(old_b.dir)
+
+        plan: Optional[Dict[str, Any]] = None
+        tags: Optional[List[str]] = None
+        roles: List[str] = []
+        if report is not None:
+            plan = _enforcement_plan(report, old_state, old_b.dir)
+            roles = list(plan.get("roles") or [])
+            t = list(plan.get("tags") or [])
+            tags = t if t else None
+
+        with tempfile.TemporaryDirectory(prefix="enroll-enforce-") as td:
+            td_path = Path(td)
+            try:
+                os.chmod(td_path, 0o700)
+            except OSError:
+                pass
+
+            # 1) Generate a manifest in a temp directory.
+            manifest(str(old_b.dir), str(td_path))
+
+            playbook = td_path / "playbook.yml"
+            if not playbook.exists():
+                raise RuntimeError(
+                    f"manifest did not produce expected playbook.yml at {playbook}"
+                )
+
+            # 2) Apply it locally.
+            env = dict(os.environ)
+            cfg = td_path / "ansible.cfg"
+            if cfg.exists():
+                env["ANSIBLE_CONFIG"] = str(cfg)
+
+            cmd = [
+                ansible_playbook,
+                "-i",
+                "localhost,",
+                "-c",
+                "local",
+                str(playbook),
+            ]
+            if tags:
+                cmd.extend(["--tags", ",".join(tags)])
+
+            spinner: Optional[_Spinner] = None
+            p: Optional[subprocess.CompletedProcess[str]] = None
+            t0 = time.monotonic()
+            if _progress_enabled():
+                if tags:
+                    sys.stderr.write(
+                        f"Enforce: running ansible-playbook (tags: {','.join(tags)})\n",
+                    )
+                else:
+                    sys.stderr.write("Enforce: running ansible-playbook\n")
+                sys.stderr.flush()
+                spinner = _Spinner("  ansible-playbook")
+                spinner.start()
+
+            try:
+                p = subprocess.run(
+                    cmd,
+                    cwd=str(td_path),
+                    env=env,
+                    capture_output=True,
+                    text=True,
+                    check=False,
+                )  # nosec
+            finally:
+                if spinner:
+                    elapsed = time.monotonic() - t0
+                    rc = p.returncode if p is not None else None
+                    spinner.stop(
+                        final_line=(
+                            f"Enforce: ansible-playbook finished in {elapsed:0.1f}s"
+                            + (f" (rc={rc})" if rc is not None else ""),
+                        ),
+                    )
+
+            finished_at = _utc_now_iso()
+
+            info: Dict[str, Any] = {
+                "status": "applied" if p.returncode == 0 else "failed",
+                "started_at": started_at,
+                "finished_at": finished_at,
+                "ansible_playbook": ansible_playbook,
+                "command": cmd,
+                "returncode": int(p.returncode),
+            }
+
+            # Record tag selection (if we could attribute drift to specific roles).
+            info["roles"] = roles
+            info["tags"] = list(tags or [])
+            if not tags:
+                info["scope"] = "full_playbook"
+
+            if p.returncode != 0:
+                err = (p.stderr or p.stdout or "").strip()
+                raise RuntimeError(
+                    "ansible-playbook failed"
+                    + (f" (rc={p.returncode})" if p.returncode is not None else "")
+                    + (f": {err}" if err else "")
+                )
+
+            return info
+
+
 def format_report(report: Dict[str, Any], *, fmt: str = "text") -> str:
     fmt = (fmt or "text").lower()
     if fmt == "json":
@@ -532,11 +921,60 @@ def _report_text(report: Dict[str, Any]) -> str:
         f"new: {new.get('input')} (host={new.get('host')}, state_mtime={new.get('state_mtime')})"
     )
 
+    filt = report.get("filters", {}) or {}
+    ex_paths = filt.get("exclude_paths", []) or []
+    if ex_paths:
+        lines.append(f"file exclude patterns: {', '.join(str(p) for p in ex_paths)}")
+
+    if filt.get("ignore_package_versions"):
+        ignored = int(
+            (report.get("packages", {}) or {}).get("version_changed_ignored_count") or 0
+        )
+        msg = "package version drift: ignored (--ignore-package-versions)"
+        if ignored:
+            msg += f" (ignored {ignored} change{'s' if ignored != 1 else ''})"
+        lines.append(msg)
+
+    enf = report.get("enforcement") or {}
+    if enf:
+        lines.append("\nEnforcement")
+        status = str(enf.get("status") or "").strip().lower()
+        if status == "applied":
+            extra = ""
+            tags = enf.get("tags") or []
+            scope = enf.get("scope")
+            if tags:
+                extra = f" (tags={','.join(str(t) for t in tags)})"
+            elif scope:
+                extra = f" ({scope})"
+            lines.append(
+                f"  applied old harvest via ansible-playbook (rc={enf.get('returncode')})"
+                + extra
+                + (
+                    f" (finished {enf.get('finished_at')})"
+                    if enf.get("finished_at")
+                    else ""
+                )
+            )
+        elif status == "failed":
+            lines.append(
+                f"  attempted enforcement but ansible-playbook failed (rc={enf.get('returncode')})"
+            )
+        elif status == "skipped":
+            r = enf.get("reason")
+            lines.append("  skipped" + (f": {r}" if r else ""))
+        else:
+            # Best-effort formatting for future fields.
+            lines.append("  " + json.dumps(enf, sort_keys=True))
+
     pk = report.get("packages", {})
     lines.append("\nPackages")
     lines.append(f"  added:   {len(pk.get('added', []) or [])}")
     lines.append(f"  removed: {len(pk.get('removed', []) or [])}")
-    lines.append(f"  version_changed: {len(pk.get('version_changed', []) or [])}")
+    ignored_v = int(pk.get("version_changed_ignored_count") or 0)
+    vc = len(pk.get("version_changed", []) or [])
+    suffix = f" (ignored {ignored_v})" if ignored_v else ""
+    lines.append(f"  version_changed: {vc}{suffix}")
     for p in pk.get("added", []) or []:
         lines.append(f"    + {p}")
     for p in pk.get("removed", []) or []:
@@ -638,6 +1076,67 @@ def _report_markdown(report: Dict[str, Any]) -> str:
         f"- **New**: `{new.get('input')}` (host={new.get('host')}, state_mtime={new.get('state_mtime')})\n"
     )
 
+    filt = report.get("filters", {}) or {}
+    ex_paths = filt.get("exclude_paths", []) or []
+    if ex_paths:
+        out.append(
+            "- **File exclude patterns**: "
+            + ", ".join(f"`{p}`" for p in ex_paths)
+            + "\n"
+        )
+
+    if filt.get("ignore_package_versions"):
+        ignored = int(
+            (report.get("packages", {}) or {}).get("version_changed_ignored_count") or 0
+        )
+        msg = "- **Package version drift**: ignored (`--ignore-package-versions`)"
+        if ignored:
+            msg += f" (ignored {ignored} change{'s' if ignored != 1 else ''})"
+        out.append(msg + "\n")
+
+    enf = report.get("enforcement") or {}
+    if enf:
+        out.append("\n## Enforcement\n")
+        status = str(enf.get("status") or "").strip().lower()
+        if status == "applied":
+            extra = ""
+            tags = enf.get("tags") or []
+            scope = enf.get("scope")
+            if tags:
+                extra = " (tags=" + ",".join(str(t) for t in tags) + ")"
+            elif scope:
+                extra = f" ({scope})"
+            out.append(
+                "- ✅ Applied old harvest via ansible-playbook"
+                + extra
+                + (
+                    f" (rc={enf.get('returncode')})"
+                    if enf.get("returncode") is not None
+                    else ""
+                )
+                + (
+                    f" (finished `{enf.get('finished_at')}`)"
+                    if enf.get("finished_at")
+                    else ""
+                )
+                + "\n"
+            )
+        elif status == "failed":
+            out.append(
+                "- ⚠️ Attempted enforcement but ansible-playbook failed"
+                + (
+                    f" (rc={enf.get('returncode')})"
+                    if enf.get("returncode") is not None
+                    else ""
+                )
+                + "\n"
+            )
+        elif status == "skipped":
+            r = enf.get("reason")
+            out.append("- Skipped" + (f": {r}" if r else "") + "\n")
+        else:
+            out.append(f"- {json.dumps(enf, sort_keys=True)}\n")
+
     pk = report.get("packages", {})
     out.append("## Packages\n")
     out.append(f"- Added: {len(pk.get('added', []) or [])}\n")
@@ -647,7 +1146,10 @@ def _report_markdown(report: Dict[str, Any]) -> str:
     for p in pk.get("removed", []) or []:
         out.append(f"  - `- {p}`\n")
 
-    out.append(f"- Version changed: {len(pk.get('version_changed', []) or [])}\n")
+    ignored_v = int(pk.get("version_changed_ignored_count") or 0)
+    vc = len(pk.get("version_changed", []) or [])
+    suffix = f" (ignored {ignored_v})" if ignored_v else ""
+    out.append(f"- Version changed: {vc}{suffix}\n")
     for ch in pk.get("version_changed", []) or []:
         out.append(
             f"  - `~ {ch.get('package')}`: `{ch.get('old')}` → `{ch.get('new')}`\n"

enroll/jinjaturtle.py

@@ -8,7 +8,45 @@ from pathlib import Path
 from typing import Optional
 
 
-SUPPORTED_EXTS = {".ini", ".json", ".toml", ".yaml", ".yml", ".xml"}
+SYSTEMD_SUFFIXES = {
+    ".service",
+    ".socket",
+    ".target",
+    ".timer",
+    ".path",
+    ".mount",
+    ".automount",
+    ".slice",
+    ".swap",
+    ".scope",
+    ".link",
+    ".netdev",
+    ".network",
+}
+
+SUPPORTED_SUFFIXES = {
+    ".ini",
+    ".cfg",
+    ".json",
+    ".toml",
+    ".yaml",
+    ".yml",
+    ".xml",
+    ".repo",
+} | SYSTEMD_SUFFIXES
+
+
+def infer_other_formats(dest_path: str) -> Optional[str]:
+    p = Path(dest_path)
+    name = p.name.lower()
+    suffix = p.suffix.lower()
+    # postfix
+    if name == "main.cf":
+        return "postfix"
+    # systemd units
+    if suffix in SYSTEMD_SUFFIXES:
+        return "systemd"
+    return None
 
 
 @dataclass(frozen=True)
@@ -22,9 +60,15 @@ def find_jinjaturtle_cmd() -> Optional[str]:
     return shutil.which("jinjaturtle")
 
 
-def can_jinjify_path(path: str) -> bool:
-    p = Path(path)
-    return p.suffix.lower() in SUPPORTED_EXTS
+def can_jinjify_path(dest_path: str) -> bool:
+    p = Path(dest_path)
+    suffix = p.suffix.lower()
+    if infer_other_formats(dest_path):
+        return True
+    # allow unambiguous structured formats
+    if suffix in SUPPORTED_SUFFIXES:
+        return True
+    return False
 
 
 def run_jinjaturtle(

enroll/manifest.py

@@ -11,8 +11,9 @@ from pathlib import Path
 from typing import Any, Dict, List, Optional, Set, Tuple
 
 from .jinjaturtle import (
-    find_jinjaturtle_cmd,
     can_jinjify_path,
+    find_jinjaturtle_cmd,
+    infer_other_formats,
     run_jinjaturtle,
 )
 
@@ -162,6 +163,19 @@ def _write_role_scaffold(role_dir: str) -> None:
     os.makedirs(os.path.join(role_dir, "templates"), exist_ok=True)
 
 
+def _role_tag(role: str) -> str:
+    """Return a stable Ansible tag name for a role.
+
+    Used by `enroll diff --enforce` to run only the roles needed to repair drift.
+    """
+    r = str(role or "").strip()
+    # Ansible tag charset is fairly permissive, but keep it portable and consistent.
+    safe = re.sub(r"[^A-Za-z0-9_-]+", "_", r).strip("_")
+    if not safe:
+        safe = "other"
+    return f"role_{safe}"
+
+
 def _write_playbook_all(path: str, roles: List[str]) -> None:
     pb_lines = [
         "---",
@@ -172,7 +186,8 @@ def _write_playbook_all(path: str, roles: List[str]) -> None:
         "  roles:",
     ]
     for r in roles:
-        pb_lines.append(f"    - {r}")
+        pb_lines.append(f"    - role: {r}")
+        pb_lines.append(f"      tags: [{_role_tag(r)}]")
     with open(path, "w", encoding="utf-8") as f:
         f.write("\n".join(pb_lines) + "\n")
 
@@ -187,7 +202,8 @@ def _write_playbook_host(path: str, fqdn: str, roles: List[str]) -> None:
         "  roles:",
     ]
     for r in roles:
-        pb_lines.append(f"    - {r}")
+        pb_lines.append(f"    - role: {r}")
+        pb_lines.append(f"      tags: [{_role_tag(r)}]")
     with open(path, "w", encoding="utf-8") as f:
         f.write("\n".join(pb_lines) + "\n")
 
@@ -309,7 +325,10 @@ def _jinjify_managed_files(
             continue
 
         try:
-            res = run_jinjaturtle(jt_exe, artifact_path, role_name=role)
+            force_fmt = infer_other_formats(dest_path)
+            res = run_jinjaturtle(
+                jt_exe, artifact_path, role_name=role, force_format=force_fmt
+            )
         except Exception:
             # If jinjaturtle cannot process a file for any reason, skip silently.
             # (Enroll's core promise is to be optimistic and non-interactive.)

enroll/remote.py

@@ -330,8 +330,9 @@ def _remote_harvest(
     *,
     local_out_dir: Path,
     remote_host: str,
-    remote_port: int = 22,
+    remote_port: Optional[int] = None,
     remote_user: Optional[str] = None,
+    remote_ssh_config: Optional[str] = None,
     remote_python: str = "python3",
     dangerous: bool = False,
     no_sudo: bool = False,
@@ -370,12 +371,113 @@ def _remote_harvest(
         # Users should add the key to known_hosts.
         ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
 
+        # Resolve SSH connection parameters.
+        connect_host = remote_host
+        connect_port = int(remote_port) if remote_port is not None else 22
+        connect_user = remote_user
+        key_filename = None
+        sock = None
+        hostkey_name = connect_host
+
+        # Timeouts derived from ssh_config if set (ConnectTimeout).
+        # Used both for socket connect (when we create one) and Paramiko handshake/auth.
+        connect_timeout: Optional[float] = None
+
+        if remote_ssh_config:
+            from paramiko.config import SSHConfig  # type: ignore
+            from paramiko.proxy import ProxyCommand  # type: ignore
+            import socket as _socket
+
+            cfg_path = Path(str(remote_ssh_config)).expanduser()
+            if not cfg_path.exists():
+                raise RuntimeError(f"SSH config file not found: {cfg_path}")
+
+            cfg = SSHConfig()
+            with cfg_path.open("r", encoding="utf-8") as _fp:
+                cfg.parse(_fp)
+            hcfg = cfg.lookup(remote_host)
+
+            connect_host = str(hcfg.get("hostname") or remote_host)
+            hostkey_name = str(hcfg.get("hostkeyalias") or connect_host)
+
+            if remote_port is None and hcfg.get("port"):
+                try:
+                    connect_port = int(str(hcfg.get("port")))
+                except ValueError:
+                    pass
+            if connect_user is None and hcfg.get("user"):
+                connect_user = str(hcfg.get("user"))
+
+            ident = hcfg.get("identityfile")
+            if ident:
+                if isinstance(ident, (list, tuple)):
+                    key_filename = [str(Path(p).expanduser()) for p in ident]
+                else:
+                    key_filename = str(Path(str(ident)).expanduser())
+
+            # Honour OpenSSH ConnectTimeout (seconds) if present.
+            if hcfg.get("connecttimeout"):
+                try:
+                    connect_timeout = float(str(hcfg.get("connecttimeout")))
+                except (TypeError, ValueError):
+                    connect_timeout = None
+
+            proxycmd = hcfg.get("proxycommand")
+
+            # AddressFamily support: inet (IPv4 only), inet6 (IPv6 only), any (default).
+            addrfam = str(hcfg.get("addressfamily") or "any").strip().lower()
+            family: Optional[int] = None
+            if addrfam == "inet":
+                family = _socket.AF_INET
+            elif addrfam == "inet6":
+                family = _socket.AF_INET6
+
+            if proxycmd:
+                # ProxyCommand provides the transport; AddressFamily doesn't apply here.
+                sock = ProxyCommand(str(proxycmd))
+            elif family is not None:
+                # Enforce the requested address family by pre-connecting the socket and
+                # passing it into Paramiko via sock=.
+                last_err: Optional[OSError] = None
+                infos = _socket.getaddrinfo(
+                    connect_host, connect_port, family, _socket.SOCK_STREAM
+                )
+                for af, socktype, proto, _, sa in infos:
+                    s = _socket.socket(af, socktype, proto)
+                    if connect_timeout is not None:
+                        s.settimeout(connect_timeout)
+                    try:
+                        s.connect(sa)
+                        sock = s
+                        break
+                    except OSError as e:
+                        last_err = e
+                        try:
+                            s.close()
+                        except Exception:
+                            pass  # nosec
+                if sock is None and last_err is not None:
+                    raise last_err
+            elif hostkey_name != connect_host:
+                # If HostKeyAlias is used, connect to HostName via a socket but
+                # use HostKeyAlias for known_hosts lookups.
+                sock = _socket.create_connection(
+                    (connect_host, connect_port), timeout=connect_timeout
+                )
+
+        # If we created a socket (sock!=None), pass hostkey_name as hostname so
+        # known_hosts lookup uses HostKeyAlias (or whatever hostkey_name resolved to).
         ssh.connect(
-            hostname=remote_host,
-            port=int(remote_port),
-            username=remote_user,
+            hostname=hostkey_name if sock is not None else connect_host,
+            port=connect_port,
+            username=connect_user,
+            key_filename=key_filename,
+            sock=sock,
             allow_agent=True,
             look_for_keys=True,
+            timeout=connect_timeout,
+            banner_timeout=connect_timeout,
+            auth_timeout=connect_timeout,
         )
 
         # If no username was explicitly provided, SSH may have selected a default.

enroll/schema/__init__.py

@@ -0,0 +1,4 @@
+"""Vendored JSON schemas.
+
+These are used by `enroll validate` so validation can run offline.
+"""

enroll/schema/state.schema.json

@@ -0,0 +1,712 @@
+{
+  "$defs": {
+    "AptConfigSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "role_name": {
+              "const": "apt_config"
+            }
+          },
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "DnfConfigSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "role_name": {
+              "const": "dnf_config"
+            }
+          },
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "EtcCustomSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "role_name": {
+              "const": "etc_custom"
+            }
+          },
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "ExcludedFile": {
+      "additionalProperties": false,
+      "properties": {
+        "path": {
+          "minLength": 1,
+          "pattern": "^/.*",
+          "type": "string"
+        },
+        "reason": {
+          "enum": [
+            "user_excluded",
+            "unreadable",
+	    "backup_file",
+            "log_file",
+            "denied_path",
+            "too_large",
+            "not_regular_file",
+            "not_symlink",
+            "binary_like",
+            "sensitive_content"
+          ],
+          "type": "string"
+        }
+      },
+      "required": [
+        "path",
+        "reason"
+      ],
+      "type": "object"
+    },
+    "ExtraPathsSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "exclude_patterns": {
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            },
+            "include_patterns": {
+              "items": {
+                "type": "string"
+              },
+              "type": "array"
+            },
+            "role_name": {
+              "const": "extra_paths"
+            }
+          },
+          "required": [
+            "include_patterns",
+            "exclude_patterns"
+          ],
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "InstalledPackageInstance": {
+      "additionalProperties": false,
+      "properties": {
+        "arch": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "version": {
+          "minLength": 1,
+          "type": "string"
+        }
+      },
+      "required": [
+        "version",
+        "arch"
+      ],
+      "type": "object"
+    },
+    "ManagedDir": {
+      "additionalProperties": false,
+      "properties": {
+        "group": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "mode": {
+          "pattern": "^[0-7]{4}$",
+          "type": "string"
+        },
+        "owner": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "path": {
+          "minLength": 1,
+          "pattern": "^/.*",
+          "type": "string"
+        },
+        "reason": {
+          "enum": [
+            "parent_of_managed_file",
+            "user_include_dir"
+          ],
+          "type": "string"
+        }
+      },
+      "required": [
+        "path",
+        "owner",
+        "group",
+        "mode",
+        "reason"
+      ],
+      "type": "object"
+    },
+    "ManagedFile": {
+      "additionalProperties": false,
+      "properties": {
+        "group": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "mode": {
+          "pattern": "^[0-7]{4}$",
+          "type": "string"
+        },
+        "owner": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "path": {
+          "minLength": 1,
+          "pattern": "^/.*",
+          "type": "string"
+        },
+        "reason": {
+          "enum": [
+            "apt_config",
+            "apt_keyring",
+            "apt_signed_by_keyring",
+            "apt_source",
+            "authorized_keys",
+            "cron_snippet",
+            "custom_specific_path",
+            "custom_unowned",
+            "dnf_config",
+            "logrotate_snippet",
+            "modified_conffile",
+            "modified_packaged_file",
+            "related_timer",
+            "rpm_gpg_key",
+            "ssh_public_key",
+            "system_cron",
+            "system_firewall",
+            "system_logrotate",
+            "system_modprobe",
+            "system_mounts",
+            "system_network",
+            "system_rc",
+            "system_security",
+            "system_sysctl",
+            "systemd_dropin",
+            "systemd_envfile",
+            "user_include",
+            "user_profile",
+            "user_shell_aliases",
+            "user_shell_logout",
+            "user_shell_rc",
+            "usr_local_bin_script",
+            "usr_local_etc_custom",
+            "yum_conf",
+            "yum_config",
+            "yum_repo"
+          ],
+          "type": "string"
+        },
+        "src_rel": {
+          "minLength": 1,
+          "pattern": "^[^/].*",
+          "type": "string"
+        }
+      },
+      "required": [
+        "path",
+        "src_rel",
+        "owner",
+        "group",
+        "mode",
+        "reason"
+      ],
+      "type": "object"
+    },
+    "ManagedLink": {
+      "additionalProperties": false,
+      "type": "object",
+      "properties": {
+        "path": {
+          "type": "string",
+          "minLength": 1,
+          "pattern": "^/.*"
+        },
+        "target": {
+          "type": "string",
+          "minLength": 1
+        },
+        "reason": {
+          "type": "string",
+          "enum": [
+            "enabled_symlink"
+          ]
+        }
+      },
+      "required": [
+        "path",
+        "target",
+        "reason"
+      ]
+    },
+    "ObservedVia": {
+      "oneOf": [
+        {
+          "additionalProperties": false,
+          "properties": {
+            "kind": {
+              "const": "user_installed"
+            }
+          },
+          "required": [
+            "kind"
+          ],
+          "type": "object"
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "kind": {
+              "const": "systemd_unit"
+            },
+            "ref": {
+              "minLength": 1,
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind",
+            "ref"
+          ],
+          "type": "object"
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "kind": {
+              "const": "package_role"
+            },
+            "ref": {
+              "minLength": 1,
+              "type": "string"
+            }
+          },
+          "required": [
+            "kind",
+            "ref"
+          ],
+          "type": "object"
+        }
+      ]
+    },
+    "PackageInventoryEntry": {
+      "additionalProperties": false,
+      "properties": {
+        "arches": {
+          "items": {
+            "minLength": 1,
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "installations": {
+          "items": {
+            "$ref": "#/$defs/InstalledPackageInstance"
+          },
+          "type": "array"
+        },
+        "observed_via": {
+          "items": {
+            "$ref": "#/$defs/ObservedVia"
+          },
+          "type": "array"
+        },
+        "roles": {
+          "items": {
+            "minLength": 1,
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "version": {
+          "type": [
+            "string",
+            "null"
+          ]
+        }
+      },
+      "required": [
+        "version",
+        "arches",
+        "installations",
+        "observed_via",
+        "roles"
+      ],
+      "type": "object"
+    },
+    "PackageSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "package": {
+              "minLength": 1,
+              "type": "string"
+            }
+          },
+          "required": [
+            "package"
+          ],
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "RoleCommon": {
+      "properties": {
+        "excluded": {
+          "items": {
+            "$ref": "#/$defs/ExcludedFile"
+          },
+          "type": "array"
+        },
+        "managed_dirs": {
+          "items": {
+            "$ref": "#/$defs/ManagedDir"
+          },
+          "type": "array"
+        },
+        "managed_files": {
+          "items": {
+            "$ref": "#/$defs/ManagedFile"
+          },
+          "type": "array"
+        },
+        "managed_links": {
+          "items": {
+            "$ref": "#/$defs/ManagedLink"
+          },
+          "type": "array"
+        },
+        "notes": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "role_name": {
+          "minLength": 1,
+          "pattern": "^[A-Za-z0-9_]+$",
+          "type": "string"
+        }
+      },
+      "required": [
+        "role_name",
+        "managed_dirs",
+        "managed_files",
+        "excluded",
+        "notes"
+      ],
+      "type": "object"
+    },
+    "ServiceSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "active_state": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "condition_result": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "packages": {
+              "items": {
+                "minLength": 1,
+                "type": "string"
+              },
+              "type": "array"
+            },
+            "role_name": {
+              "minLength": 1,
+              "pattern": "^[a-z_][a-z0-9_]*$",
+              "type": "string"
+            },
+            "sub_state": {
+              "type": [
+                "string",
+                "null"
+              ]
+            },
+            "unit": {
+              "minLength": 1,
+              "type": "string"
+            },
+            "unit_file_state": {
+              "type": [
+                "string",
+                "null"
+              ]
+            }
+          },
+          "required": [
+            "unit",
+            "packages",
+            "active_state",
+            "sub_state",
+            "unit_file_state",
+            "condition_result"
+          ],
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "UserEntry": {
+      "additionalProperties": false,
+      "properties": {
+        "gecos": {
+          "type": "string"
+        },
+        "gid": {
+          "minimum": 0,
+          "type": "integer"
+        },
+        "home": {
+          "type": "string"
+        },
+        "name": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "primary_group": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "shell": {
+          "type": "string"
+        },
+        "supplementary_groups": {
+          "items": {
+            "minLength": 1,
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "uid": {
+          "minimum": 0,
+          "type": "integer"
+        }
+      },
+      "required": [
+        "name",
+        "uid",
+        "gid",
+        "gecos",
+        "home",
+        "shell",
+        "primary_group",
+        "supplementary_groups"
+      ],
+      "type": "object"
+    },
+    "UsersSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "role_name": {
+              "const": "users"
+            },
+            "users": {
+              "items": {
+                "$ref": "#/$defs/UserEntry"
+              },
+              "type": "array"
+            }
+          },
+          "required": [
+            "users"
+          ],
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    },
+    "UsrLocalCustomSnapshot": {
+      "allOf": [
+        {
+          "$ref": "#/$defs/RoleCommon"
+        },
+        {
+          "properties": {
+            "role_name": {
+              "const": "usr_local_custom"
+            }
+          },
+          "type": "object"
+        }
+      ],
+      "unevaluatedProperties": false
+    }
+  },
+  "$id": "https://enroll.sh/schema/state.schema.json",
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "additionalProperties": false,
+  "properties": {
+    "enroll": {
+      "additionalProperties": false,
+      "properties": {
+        "harvest_time": {
+          "minimum": 0,
+          "type": "integer"
+        },
+        "version": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "version",
+        "harvest_time"
+      ],
+      "type": "object"
+    },
+    "host": {
+      "additionalProperties": false,
+      "properties": {
+        "hostname": {
+          "minLength": 1,
+          "type": "string"
+        },
+        "os": {
+          "enum": [
+            "debian",
+            "redhat",
+            "unknown"
+          ],
+          "type": "string"
+        },
+        "os_release": {
+          "additionalProperties": {
+            "type": "string"
+          },
+          "type": "object"
+        },
+        "pkg_backend": {
+          "enum": [
+            "dpkg",
+            "rpm"
+          ],
+          "type": "string"
+        }
+      },
+      "required": [
+        "hostname",
+        "os",
+        "pkg_backend",
+        "os_release"
+      ],
+      "type": "object"
+    },
+    "inventory": {
+      "additionalProperties": false,
+      "properties": {
+        "packages": {
+          "additionalProperties": {
+            "$ref": "#/$defs/PackageInventoryEntry"
+          },
+          "type": "object"
+        }
+      },
+      "required": [
+        "packages"
+      ],
+      "type": "object"
+    },
+    "roles": {
+      "additionalProperties": false,
+      "properties": {
+        "apt_config": {
+          "$ref": "#/$defs/AptConfigSnapshot"
+        },
+        "dnf_config": {
+          "$ref": "#/$defs/DnfConfigSnapshot"
+        },
+        "etc_custom": {
+          "$ref": "#/$defs/EtcCustomSnapshot"
+        },
+        "extra_paths": {
+          "$ref": "#/$defs/ExtraPathsSnapshot"
+        },
+        "packages": {
+          "items": {
+            "$ref": "#/$defs/PackageSnapshot"
+          },
+          "type": "array"
+        },
+        "services": {
+          "items": {
+            "$ref": "#/$defs/ServiceSnapshot"
+          },
+          "type": "array"
+        },
+        "users": {
+          "$ref": "#/$defs/UsersSnapshot"
+        },
+        "usr_local_custom": {
+          "$ref": "#/$defs/UsrLocalCustomSnapshot"
+        }
+      },
+      "required": [
+        "users",
+        "services",
+        "packages",
+        "apt_config",
+        "dnf_config",
+        "etc_custom",
+        "usr_local_custom",
+        "extra_paths"
+      ],
+      "type": "object"
+    }
+  },
+  "required": [
+    "enroll",
+    "host",
+    "inventory",
+    "roles"
+  ],
+  "title": "Enroll harvest state.json schema (latest)",
+  "type": "object"
+}

enroll/validate.py

@@ -0,0 +1,223 @@
+from __future__ import annotations
+
+import json
+import urllib.request
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Set, Tuple
+
+import jsonschema
+
+from .diff import BundleRef, _bundle_from_input
+
+
+@dataclass
+class ValidationResult:
+    errors: List[str]
+    warnings: List[str]
+
+    @property
+    def ok(self) -> bool:
+        return not self.errors
+
+    def to_dict(self) -> Dict[str, Any]:
+        return {
+            "ok": self.ok,
+            "errors": list(self.errors),
+            "warnings": list(self.warnings),
+        }
+
+    def to_text(self) -> str:
+        lines: List[str] = []
+        if not self.errors and not self.warnings:
+            lines.append("OK: harvest bundle validated")
+        elif not self.errors and self.warnings:
+            lines.append(f"WARN: {len(self.warnings)} warning(s)")
+        else:
+            lines.append(f"ERROR: {len(self.errors)} validation error(s)")
+
+        if self.errors:
+            lines.append("")
+            lines.append("Errors:")
+            for e in self.errors:
+                lines.append(f"- {e}")
+        if self.warnings:
+            lines.append("")
+            lines.append("Warnings:")
+            for w in self.warnings:
+                lines.append(f"- {w}")
+        return "\n".join(lines) + "\n"
+
+
+def _default_schema_path() -> Path:
+    # Keep the schema vendored with the codebase so enroll can validate offline.
+    return Path(__file__).resolve().parent / "schema" / "state.schema.json"
+
+
+def _load_schema(schema: Optional[str]) -> Dict[str, Any]:
+    """Load a JSON schema.
+
+    If schema is None, load the vendored schema.
+    If schema begins with http(s)://, fetch it.
+    Otherwise, treat it as a local file path.
+    """
+
+    if not schema:
+        p = _default_schema_path()
+        with open(p, "r", encoding="utf-8") as f:
+            return json.load(f)
+
+    if schema.startswith("http://") or schema.startswith("https://"):
+        with urllib.request.urlopen(schema, timeout=10) as resp:  # nosec
+            data = resp.read()
+        return json.loads(data.decode("utf-8"))
+
+    p = Path(schema).expanduser()
+    with open(p, "r", encoding="utf-8") as f:
+        return json.load(f)
+
+
+def _json_pointer(err: jsonschema.ValidationError) -> str:
+    # Build a JSON pointer-ish path that is easy to read.
+    if err.absolute_path:
+        parts = [str(p) for p in err.absolute_path]
+        return "/" + "/".join(parts)
+    return "/"
+
+
+def _iter_managed_files(state: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any]]]:
+    """Return (role_name, managed_file_dict) tuples across all roles."""
+
+    roles = state.get("roles") or {}
+    out: List[Tuple[str, Dict[str, Any]]] = []
+
+    # Singleton roles
+    for rn in [
+        "users",
+        "apt_config",
+        "dnf_config",
+        "etc_custom",
+        "usr_local_custom",
+        "extra_paths",
+    ]:
+        snap = roles.get(rn) or {}
+        for mf in snap.get("managed_files") or []:
+            if isinstance(mf, dict):
+                out.append((rn, mf))
+
+    # Array roles
+    for s in roles.get("services") or []:
+        if not isinstance(s, dict):
+            continue
+        role_name = str(s.get("role_name") or "unknown")
+        for mf in s.get("managed_files") or []:
+            if isinstance(mf, dict):
+                out.append((role_name, mf))
+
+    for p in roles.get("packages") or []:
+        if not isinstance(p, dict):
+            continue
+        role_name = str(p.get("role_name") or "unknown")
+        for mf in p.get("managed_files") or []:
+            if isinstance(mf, dict):
+                out.append((role_name, mf))
+
+    return out
+
+
+def validate_harvest(
+    harvest_input: str,
+    *,
+    sops_mode: bool = False,
+    schema: Optional[str] = None,
+    no_schema: bool = False,
+) -> ValidationResult:
+    """Validate an enroll harvest bundle.
+
+    Checks:
+      - state.json parses
+      - state.json validates against the schema (unless no_schema)
+      - every managed_file src_rel exists in artifacts/<role>/<src_rel>
+    """
+
+    errors: List[str] = []
+    warnings: List[str] = []
+
+    bundle: BundleRef = _bundle_from_input(harvest_input, sops_mode=sops_mode)
+    try:
+        state_path = bundle.state_path
+        if not state_path.exists():
+            return ValidationResult(
+                errors=[f"missing state.json at {state_path}"], warnings=[]
+            )
+
+        try:
+            state = json.loads(state_path.read_text(encoding="utf-8"))
+        except Exception as e:  # noqa: BLE001
+            return ValidationResult(
+                errors=[f"failed to parse state.json: {e!r}"], warnings=[]
+            )
+
+        if not no_schema:
+            try:
+                sch = _load_schema(schema)
+                validator = jsonschema.Draft202012Validator(sch)
+                for err in sorted(validator.iter_errors(state), key=str):
+                    ptr = _json_pointer(err)
+                    msg = err.message
+                    errors.append(f"schema {ptr}: {msg}")
+            except Exception as e:  # noqa: BLE001
+                errors.append(f"failed to load/validate schema: {e!r}")
+
+        # Artifact existence checks
+        artifacts_dir = bundle.dir / "artifacts"
+        referenced: Set[Tuple[str, str]] = set()
+        for role_name, mf in _iter_managed_files(state):
+            src_rel = str(mf.get("src_rel") or "")
+            if not src_rel:
+                errors.append(
+                    f"managed_file missing src_rel for role {role_name} (path={mf.get('path')!r})"
+                )
+                continue
+            if src_rel.startswith("/") or ".." in src_rel.split("/"):
+                errors.append(
+                    f"managed_file has suspicious src_rel for role {role_name}: {src_rel!r}"
+                )
+                continue
+
+            referenced.add((role_name, src_rel))
+            p = artifacts_dir / role_name / src_rel
+            if not p.exists():
+                errors.append(
+                    f"missing artifact for role {role_name}: artifacts/{role_name}/{src_rel}"
+                )
+                continue
+            if not p.is_file():
+                errors.append(
+                    f"artifact is not a file for role {role_name}: artifacts/{role_name}/{src_rel}"
+                )
+
+        # Warn if there are extra files in artifacts not referenced.
+        if artifacts_dir.exists() and artifacts_dir.is_dir():
+            for fp in artifacts_dir.rglob("*"):
+                if not fp.is_file():
+                    continue
+                try:
+                    rel = fp.relative_to(artifacts_dir)
+                except ValueError:
+                    continue
+                parts = rel.parts
+                if len(parts) < 2:
+                    continue
+                role_name = parts[0]
+                src_rel = "/".join(parts[1:])
+                if (role_name, src_rel) not in referenced:
+                    warnings.append(
+                        f"unreferenced artifact present: artifacts/{role_name}/{src_rel}"
+                    )
+
+        return ValidationResult(errors=errors, warnings=warnings)
+    finally:
+        # Ensure any temp extraction dirs are cleaned up.
+        if bundle.tempdir is not None:
+            bundle.tempdir.cleanup()

poetry.lock

@@ -1,5 +1,16 @@
 # This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
 
+[[package]]
+name = "attrs"
+version = "25.4.0"
+description = "Classes Without Boilerplate"
+optional = false
+python-versions = ">=3.9"
+files = [
+    {file = "attrs-25.4.0-py3-none-any.whl", hash = "sha256:adcf7e2a1fb3b36ac48d97835bb6d8ade15b8dcce26aba8bf1d14847b57a3373"},
+    {file = "attrs-25.4.0.tar.gz", hash = "sha256:16d5969b87f0859ef33a48b35d55ac1be6e42ae49d5e853b597db70c35c57e11"},
+]
+
 [[package]]
 name = "bcrypt"
 version = "5.0.0"
@@ -78,13 +89,13 @@ typecheck = ["mypy"]
 
 [[package]]
 name = "certifi"
-version = "2025.11.12"
+version = "2026.1.4"
 description = "Python package for providing Mozilla's CA Bundle."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "certifi-2025.11.12-py3-none-any.whl", hash = "sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b"},
-    {file = "certifi-2025.11.12.tar.gz", hash = "sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316"},
+    {file = "certifi-2026.1.4-py3-none-any.whl", hash = "sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c"},
+    {file = "certifi-2026.1.4.tar.gz", hash = "sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120"},
 ]
 
 [[package]]
@@ -318,103 +329,103 @@ files = [
 
 [[package]]
 name = "coverage"
-version = "7.13.0"
+version = "7.13.1"
 description = "Code coverage measurement for Python"
 optional = false
 python-versions = ">=3.10"
 files = [
-    {file = "coverage-7.13.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:02d9fb9eccd48f6843c98a37bd6817462f130b86da8660461e8f5e54d4c06070"},
-    {file = "coverage-7.13.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:367449cf07d33dc216c083f2036bb7d976c6e4903ab31be400ad74ad9f85ce98"},
-    {file = "coverage-7.13.0-cp310-cp310-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:cdb3c9f8fef0a954c632f64328a3935988d33a6604ce4bf67ec3e39670f12ae5"},
-    {file = "coverage-7.13.0-cp310-cp310-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:d10fd186aac2316f9bbb46ef91977f9d394ded67050ad6d84d94ed6ea2e8e54e"},
-    {file = "coverage-7.13.0-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7f88ae3e69df2ab62fb0bc5219a597cb890ba5c438190ffa87490b315190bb33"},
-    {file = "coverage-7.13.0-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c4be718e51e86f553bcf515305a158a1cd180d23b72f07ae76d6017c3cc5d791"},
-    {file = "coverage-7.13.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a00d3a393207ae12f7c49bb1c113190883b500f48979abb118d8b72b8c95c032"},
-    {file = "coverage-7.13.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:3a7b1cd820e1b6116f92c6128f1188e7afe421c7e1b35fa9836b11444e53ebd9"},
-    {file = "coverage-7.13.0-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:37eee4e552a65866f15dedd917d5e5f3d59805994260720821e2c1b51ac3248f"},
-    {file = "coverage-7.13.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:62d7c4f13102148c78d7353c6052af6d899a7f6df66a32bddcc0c0eb7c5326f8"},
-    {file = "coverage-7.13.0-cp310-cp310-win32.whl", hash = "sha256:24e4e56304fdb56f96f80eabf840eab043b3afea9348b88be680ec5986780a0f"},
-    {file = "coverage-7.13.0-cp310-cp310-win_amd64.whl", hash = "sha256:74c136e4093627cf04b26a35dab8cbfc9b37c647f0502fc313376e11726ba303"},
-    {file = "coverage-7.13.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:0dfa3855031070058add1a59fdfda0192fd3e8f97e7c81de0596c145dea51820"},
-    {file = "coverage-7.13.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4fdb6f54f38e334db97f72fa0c701e66d8479af0bc3f9bfb5b90f1c30f54500f"},
-    {file = "coverage-7.13.0-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:7e442c013447d1d8d195be62852270b78b6e255b79b8675bad8479641e21fd96"},
-    {file = "coverage-7.13.0-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:1ed5630d946859de835a85e9a43b721123a8a44ec26e2830b296d478c7fd4259"},
-    {file = "coverage-7.13.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7f15a931a668e58087bc39d05d2b4bf4b14ff2875b49c994bbdb1c2217a8daeb"},
-    {file = "coverage-7.13.0-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:30a3a201a127ea57f7e14ba43c93c9c4be8b7d17a26e03bb49e6966d019eede9"},
-    {file = "coverage-7.13.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:7a485ff48fbd231efa32d58f479befce52dcb6bfb2a88bb7bf9a0b89b1bc8030"},
-    {file = "coverage-7.13.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:22486cdafba4f9e471c816a2a5745337742a617fef68e890d8baf9f3036d7833"},
-    {file = "coverage-7.13.0-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:263c3dbccc78e2e331e59e90115941b5f53e85cfcc6b3b2fbff1fd4e3d2c6ea8"},
-    {file = "coverage-7.13.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:e5330fa0cc1f5c3c4c3bb8e101b742025933e7848989370a1d4c8c5e401ea753"},
-    {file = "coverage-7.13.0-cp311-cp311-win32.whl", hash = "sha256:0f4872f5d6c54419c94c25dd6ae1d015deeb337d06e448cd890a1e89a8ee7f3b"},
-    {file = "coverage-7.13.0-cp311-cp311-win_amd64.whl", hash = "sha256:51a202e0f80f241ccb68e3e26e19ab5b3bf0f813314f2c967642f13ebcf1ddfe"},
-    {file = "coverage-7.13.0-cp311-cp311-win_arm64.whl", hash = "sha256:d2a9d7f1c11487b1c69367ab3ac2d81b9b3721f097aa409a3191c3e90f8f3dd7"},
-    {file = "coverage-7.13.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:0b3d67d31383c4c68e19a88e28fc4c2e29517580f1b0ebec4a069d502ce1e0bf"},
-    {file = "coverage-7.13.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:581f086833d24a22c89ae0fe2142cfaa1c92c930adf637ddf122d55083fb5a0f"},
-    {file = "coverage-7.13.0-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:0a3a30f0e257df382f5f9534d4ce3d4cf06eafaf5192beb1a7bd066cb10e78fb"},
-    {file = "coverage-7.13.0-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:583221913fbc8f53b88c42e8dbb8fca1d0f2e597cb190ce45916662b8b9d9621"},
-    {file = "coverage-7.13.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5f5d9bd30756fff3e7216491a0d6d520c448d5124d3d8e8f56446d6412499e74"},
-    {file = "coverage-7.13.0-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a23e5a1f8b982d56fa64f8e442e037f6ce29322f1f9e6c2344cd9e9f4407ee57"},
-    {file = "coverage-7.13.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:9b01c22bc74a7fb44066aaf765224c0d933ddf1f5047d6cdfe4795504a4493f8"},
-    {file = "coverage-7.13.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:898cce66d0836973f48dda4e3514d863d70142bdf6dfab932b9b6a90ea5b222d"},
-    {file = "coverage-7.13.0-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:3ab483ea0e251b5790c2aac03acde31bff0c736bf8a86829b89382b407cd1c3b"},
-    {file = "coverage-7.13.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:1d84e91521c5e4cb6602fe11ece3e1de03b2760e14ae4fcf1a4b56fa3c801fcd"},
-    {file = "coverage-7.13.0-cp312-cp312-win32.whl", hash = "sha256:193c3887285eec1dbdb3f2bd7fbc351d570ca9c02ca756c3afbc71b3c98af6ef"},
-    {file = "coverage-7.13.0-cp312-cp312-win_amd64.whl", hash = "sha256:4f3e223b2b2db5e0db0c2b97286aba0036ca000f06aca9b12112eaa9af3d92ae"},
-    {file = "coverage-7.13.0-cp312-cp312-win_arm64.whl", hash = "sha256:086cede306d96202e15a4b77ace8472e39d9f4e5f9fd92dd4fecdfb2313b2080"},
-    {file = "coverage-7.13.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:28ee1c96109974af104028a8ef57cec21447d42d0e937c0275329272e370ebcf"},
-    {file = "coverage-7.13.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:d1e97353dcc5587b85986cda4ff3ec98081d7e84dd95e8b2a6d59820f0545f8a"},
-    {file = "coverage-7.13.0-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:99acd4dfdfeb58e1937629eb1ab6ab0899b131f183ee5f23e0b5da5cba2fec74"},
-    {file = "coverage-7.13.0-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:ff45e0cd8451e293b63ced93161e189780baf444119391b3e7d25315060368a6"},
-    {file = "coverage-7.13.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f4f72a85316d8e13234cafe0a9f81b40418ad7a082792fa4165bd7d45d96066b"},
-    {file = "coverage-7.13.0-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:11c21557d0e0a5a38632cbbaca5f008723b26a89d70db6315523df6df77d6232"},
-    {file = "coverage-7.13.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:76541dc8d53715fb4f7a3a06b34b0dc6846e3c69bc6204c55653a85dd6220971"},
-    {file = "coverage-7.13.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:6e9e451dee940a86789134b6b0ffbe31c454ade3b849bb8a9d2cca2541a8e91d"},
-    {file = "coverage-7.13.0-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:5c67dace46f361125e6b9cace8fe0b729ed8479f47e70c89b838d319375c8137"},
-    {file = "coverage-7.13.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:f59883c643cb19630500f57016f76cfdcd6845ca8c5b5ea1f6e17f74c8e5f511"},
-    {file = "coverage-7.13.0-cp313-cp313-win32.whl", hash = "sha256:58632b187be6f0be500f553be41e277712baa278147ecb7559983c6d9faf7ae1"},
-    {file = "coverage-7.13.0-cp313-cp313-win_amd64.whl", hash = "sha256:73419b89f812f498aca53f757dd834919b48ce4799f9d5cad33ca0ae442bdb1a"},
-    {file = "coverage-7.13.0-cp313-cp313-win_arm64.whl", hash = "sha256:eb76670874fdd6091eedcc856128ee48c41a9bbbb9c3f1c7c3cf169290e3ffd6"},
-    {file = "coverage-7.13.0-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:6e63ccc6e0ad8986386461c3c4b737540f20426e7ec932f42e030320896c311a"},
-    {file = "coverage-7.13.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:494f5459ffa1bd45e18558cd98710c36c0b8fbfa82a5eabcbe671d80ecffbfe8"},
-    {file = "coverage-7.13.0-cp313-cp313t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:06cac81bf10f74034e055e903f5f946e3e26fc51c09fc9f584e4a1605d977053"},
-    {file = "coverage-7.13.0-cp313-cp313t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:f2ffc92b46ed6e6760f1d47a71e56b5664781bc68986dbd1836b2b70c0ce2071"},
-    {file = "coverage-7.13.0-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0602f701057c6823e5db1b74530ce85f17c3c5be5c85fc042ac939cbd909426e"},
-    {file = "coverage-7.13.0-cp313-cp313t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:25dc33618d45456ccb1d37bce44bc78cf269909aa14c4db2e03d63146a8a1493"},
-    {file = "coverage-7.13.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:71936a8b3b977ddd0b694c28c6a34f4fff2e9dd201969a4ff5d5fc7742d614b0"},
-    {file = "coverage-7.13.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:936bc20503ce24770c71938d1369461f0c5320830800933bc3956e2a4ded930e"},
-    {file = "coverage-7.13.0-cp313-cp313t-musllinux_1_2_riscv64.whl", hash = "sha256:af0a583efaacc52ae2521f8d7910aff65cdb093091d76291ac5820d5e947fc1c"},
-    {file = "coverage-7.13.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:f1c23e24a7000da892a312fb17e33c5f94f8b001de44b7cf8ba2e36fbd15859e"},
-    {file = "coverage-7.13.0-cp313-cp313t-win32.whl", hash = "sha256:5f8a0297355e652001015e93be345ee54393e45dc3050af4a0475c5a2b767d46"},
-    {file = "coverage-7.13.0-cp313-cp313t-win_amd64.whl", hash = "sha256:6abb3a4c52f05e08460bd9acf04fec027f8718ecaa0d09c40ffbc3fbd70ecc39"},
-    {file = "coverage-7.13.0-cp313-cp313t-win_arm64.whl", hash = "sha256:3ad968d1e3aa6ce5be295ab5fe3ae1bf5bb4769d0f98a80a0252d543a2ef2e9e"},
-    {file = "coverage-7.13.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:453b7ec753cf5e4356e14fe858064e5520c460d3bbbcb9c35e55c0d21155c256"},
-    {file = "coverage-7.13.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:af827b7cbb303e1befa6c4f94fd2bf72f108089cfa0f8abab8f4ca553cf5ca5a"},
-    {file = "coverage-7.13.0-cp314-cp314-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:9987a9e4f8197a1000280f7cc089e3ea2c8b3c0a64d750537809879a7b4ceaf9"},
-    {file = "coverage-7.13.0-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:3188936845cd0cb114fa6a51842a304cdbac2958145d03be2377ec41eb285d19"},
-    {file = "coverage-7.13.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a2bdb3babb74079f021696cb46b8bb5f5661165c385d3a238712b031a12355be"},
-    {file = "coverage-7.13.0-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:7464663eaca6adba4175f6c19354feea61ebbdd735563a03d1e472c7072d27bb"},
-    {file = "coverage-7.13.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:8069e831f205d2ff1f3d355e82f511eb7c5522d7d413f5db5756b772ec8697f8"},
-    {file = "coverage-7.13.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:6fb2d5d272341565f08e962cce14cdf843a08ac43bd621783527adb06b089c4b"},
-    {file = "coverage-7.13.0-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:5e70f92ef89bac1ac8a99b3324923b4749f008fdbd7aa9cb35e01d7a284a04f9"},
-    {file = "coverage-7.13.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:4b5de7d4583e60d5fd246dd57fcd3a8aa23c6e118a8c72b38adf666ba8e7e927"},
-    {file = "coverage-7.13.0-cp314-cp314-win32.whl", hash = "sha256:a6c6e16b663be828a8f0b6c5027d36471d4a9f90d28444aa4ced4d48d7d6ae8f"},
-    {file = "coverage-7.13.0-cp314-cp314-win_amd64.whl", hash = "sha256:0900872f2fdb3ee5646b557918d02279dc3af3dfb39029ac4e945458b13f73bc"},
-    {file = "coverage-7.13.0-cp314-cp314-win_arm64.whl", hash = "sha256:3a10260e6a152e5f03f26db4a407c4c62d3830b9af9b7c0450b183615f05d43b"},
-    {file = "coverage-7.13.0-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:9097818b6cc1cfb5f174e3263eba4a62a17683bcfe5c4b5d07f4c97fa51fbf28"},
-    {file = "coverage-7.13.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:0018f73dfb4301a89292c73be6ba5f58722ff79f51593352759c1790ded1cabe"},
-    {file = "coverage-7.13.0-cp314-cp314t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:166ad2a22ee770f5656e1257703139d3533b4a0b6909af67c6b4a3adc1c98657"},
-    {file = "coverage-7.13.0-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:f6aaef16d65d1787280943f1c8718dc32e9cf141014e4634d64446702d26e0ff"},
-    {file = "coverage-7.13.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:e999e2dcc094002d6e2c7bbc1fb85b58ba4f465a760a8014d97619330cdbbbf3"},
-    {file = "coverage-7.13.0-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:00c3d22cf6fb1cf3bf662aaaa4e563be8243a5ed2630339069799835a9cc7f9b"},
-    {file = "coverage-7.13.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:22ccfe8d9bb0d6134892cbe1262493a8c70d736b9df930f3f3afae0fe3ac924d"},
-    {file = "coverage-7.13.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:9372dff5ea15930fea0445eaf37bbbafbc771a49e70c0aeed8b4e2c2614cc00e"},
-    {file = "coverage-7.13.0-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:69ac2c492918c2461bc6ace42d0479638e60719f2a4ef3f0815fa2df88e9f940"},
-    {file = "coverage-7.13.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:739c6c051a7540608d097b8e13c76cfa85263ced467168dc6b477bae3df7d0e2"},
-    {file = "coverage-7.13.0-cp314-cp314t-win32.whl", hash = "sha256:fe81055d8c6c9de76d60c94ddea73c290b416e061d40d542b24a5871bad498b7"},
-    {file = "coverage-7.13.0-cp314-cp314t-win_amd64.whl", hash = "sha256:445badb539005283825959ac9fa4a28f712c214b65af3a2c464f1adc90f5fcbc"},
-    {file = "coverage-7.13.0-cp314-cp314t-win_arm64.whl", hash = "sha256:de7f6748b890708578fc4b7bb967d810aeb6fcc9bff4bb77dbca77dab2f9df6a"},
-    {file = "coverage-7.13.0-py3-none-any.whl", hash = "sha256:850d2998f380b1e266459ca5b47bc9e7daf9af1d070f66317972f382d46f1904"},
-    {file = "coverage-7.13.0.tar.gz", hash = "sha256:a394aa27f2d7ff9bc04cf703817773a59ad6dfbd577032e690f961d2460ee936"},
+    {file = "coverage-7.13.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:e1fa280b3ad78eea5be86f94f461c04943d942697e0dac889fa18fff8f5f9147"},
+    {file = "coverage-7.13.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c3d8c679607220979434f494b139dfb00131ebf70bb406553d69c1ff01a5c33d"},
+    {file = "coverage-7.13.1-cp310-cp310-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:339dc63b3eba969067b00f41f15ad161bf2946613156fb131266d8debc8e44d0"},
+    {file = "coverage-7.13.1-cp310-cp310-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:db622b999ffe49cb891f2fff3b340cdc2f9797d01a0a202a0973ba2562501d90"},
+    {file = "coverage-7.13.1-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d1443ba9acbb593fa7c1c29e011d7c9761545fe35e7652e85ce7f51a16f7e08d"},
+    {file = "coverage-7.13.1-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c832ec92c4499ac463186af72f9ed4d8daec15499b16f0a879b0d1c8e5cf4a3b"},
+    {file = "coverage-7.13.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:562ec27dfa3f311e0db1ba243ec6e5f6ab96b1edfcfc6cf86f28038bc4961ce6"},
+    {file = "coverage-7.13.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:4de84e71173d4dada2897e5a0e1b7877e5eefbfe0d6a44edee6ce31d9b8ec09e"},
+    {file = "coverage-7.13.1-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:a5a68357f686f8c4d527a2dc04f52e669c2fc1cbde38f6f7eb6a0e58cbd17cae"},
+    {file = "coverage-7.13.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:77cc258aeb29a3417062758975521eae60af6f79e930d6993555eeac6a8eac29"},
+    {file = "coverage-7.13.1-cp310-cp310-win32.whl", hash = "sha256:bb4f8c3c9a9f34423dba193f241f617b08ffc63e27f67159f60ae6baf2dcfe0f"},
+    {file = "coverage-7.13.1-cp310-cp310-win_amd64.whl", hash = "sha256:c8e2706ceb622bc63bac98ebb10ef5da80ed70fbd8a7999a5076de3afaef0fb1"},
+    {file = "coverage-7.13.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1a55d509a1dc5a5b708b5dad3b5334e07a16ad4c2185e27b40e4dba796ab7f88"},
+    {file = "coverage-7.13.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4d010d080c4888371033baab27e47c9df7d6fb28d0b7b7adf85a4a49be9298b3"},
+    {file = "coverage-7.13.1-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:d938b4a840fb1523b9dfbbb454f652967f18e197569c32266d4d13f37244c3d9"},
+    {file = "coverage-7.13.1-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:bf100a3288f9bb7f919b87eb84f87101e197535b9bd0e2c2b5b3179633324fee"},
+    {file = "coverage-7.13.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ef6688db9bf91ba111ae734ba6ef1a063304a881749726e0d3575f5c10a9facf"},
+    {file = "coverage-7.13.1-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:0b609fc9cdbd1f02e51f67f51e5aee60a841ef58a68d00d5ee2c0faf357481a3"},
+    {file = "coverage-7.13.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:c43257717611ff5e9a1d79dce8e47566235ebda63328718d9b65dd640bc832ef"},
+    {file = "coverage-7.13.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e09fbecc007f7b6afdfb3b07ce5bd9f8494b6856dd4f577d26c66c391b829851"},
+    {file = "coverage-7.13.1-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:a03a4f3a19a189919c7055098790285cc5c5b0b3976f8d227aea39dbf9f8bfdb"},
+    {file = "coverage-7.13.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:3820778ea1387c2b6a818caec01c63adc5b3750211af6447e8dcfb9b6f08dbba"},
+    {file = "coverage-7.13.1-cp311-cp311-win32.whl", hash = "sha256:ff10896fa55167371960c5908150b434b71c876dfab97b69478f22c8b445ea19"},
+    {file = "coverage-7.13.1-cp311-cp311-win_amd64.whl", hash = "sha256:a998cc0aeeea4c6d5622a3754da5a493055d2d95186bad877b0a34ea6e6dbe0a"},
+    {file = "coverage-7.13.1-cp311-cp311-win_arm64.whl", hash = "sha256:fea07c1a39a22614acb762e3fbbb4011f65eedafcb2948feeef641ac78b4ee5c"},
+    {file = "coverage-7.13.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:6f34591000f06e62085b1865c9bc5f7858df748834662a51edadfd2c3bfe0dd3"},
+    {file = "coverage-7.13.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b67e47c5595b9224599016e333f5ec25392597a89d5744658f837d204e16c63e"},
+    {file = "coverage-7.13.1-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:3e7b8bd70c48ffb28461ebe092c2345536fb18bbbf19d287c8913699735f505c"},
+    {file = "coverage-7.13.1-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:c223d078112e90dc0e5c4e35b98b9584164bea9fbbd221c0b21c5241f6d51b62"},
+    {file = "coverage-7.13.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:794f7c05af0763b1bbd1b9e6eff0e52ad068be3b12cd96c87de037b01390c968"},
+    {file = "coverage-7.13.1-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:0642eae483cc8c2902e4af7298bf886d605e80f26382124cddc3967c2a3df09e"},
+    {file = "coverage-7.13.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:9f5e772ed5fef25b3de9f2008fe67b92d46831bd2bc5bdc5dd6bfd06b83b316f"},
+    {file = "coverage-7.13.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:45980ea19277dc0a579e432aef6a504fe098ef3a9032ead15e446eb0f1191aee"},
+    {file = "coverage-7.13.1-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:e4f18eca6028ffa62adbd185a8f1e1dd242f2e68164dba5c2b74a5204850b4cf"},
+    {file = "coverage-7.13.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:f8dca5590fec7a89ed6826fce625595279e586ead52e9e958d3237821fbc750c"},
+    {file = "coverage-7.13.1-cp312-cp312-win32.whl", hash = "sha256:ff86d4e85188bba72cfb876df3e11fa243439882c55957184af44a35bd5880b7"},
+    {file = "coverage-7.13.1-cp312-cp312-win_amd64.whl", hash = "sha256:16cc1da46c04fb0fb128b4dc430b78fa2aba8a6c0c9f8eb391fd5103409a6ac6"},
+    {file = "coverage-7.13.1-cp312-cp312-win_arm64.whl", hash = "sha256:8d9bc218650022a768f3775dd7fdac1886437325d8d295d923ebcfef4892ad5c"},
+    {file = "coverage-7.13.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:cb237bfd0ef4d5eb6a19e29f9e528ac67ac3be932ea6b44fb6cc09b9f3ecff78"},
+    {file = "coverage-7.13.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:1dcb645d7e34dcbcc96cd7c132b1fc55c39263ca62eb961c064eb3928997363b"},
+    {file = "coverage-7.13.1-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:3d42df8201e00384736f0df9be2ced39324c3907607d17d50d50116c989d84cd"},
+    {file = "coverage-7.13.1-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:fa3edde1aa8807de1d05934982416cb3ec46d1d4d91e280bcce7cca01c507992"},
+    {file = "coverage-7.13.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9edd0e01a343766add6817bc448408858ba6b489039eaaa2018474e4001651a4"},
+    {file = "coverage-7.13.1-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:985b7836931d033570b94c94713c6dba5f9d3ff26045f72c3e5dbc5fe3361e5a"},
+    {file = "coverage-7.13.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:ffed1e4980889765c84a5d1a566159e363b71d6b6fbaf0bebc9d3c30bc016766"},
+    {file = "coverage-7.13.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:8842af7f175078456b8b17f1b73a0d16a65dcbdc653ecefeb00a56b3c8c298c4"},
+    {file = "coverage-7.13.1-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:ccd7a6fca48ca9c131d9b0a2972a581e28b13416fc313fb98b6d24a03ce9a398"},
+    {file = "coverage-7.13.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:0403f647055de2609be776965108447deb8e384fe4a553c119e3ff6bfbab4784"},
+    {file = "coverage-7.13.1-cp313-cp313-win32.whl", hash = "sha256:549d195116a1ba1e1ae2f5ca143f9777800f6636eab917d4f02b5310d6d73461"},
+    {file = "coverage-7.13.1-cp313-cp313-win_amd64.whl", hash = "sha256:5899d28b5276f536fcf840b18b61a9fce23cc3aec1d114c44c07fe94ebeaa500"},
+    {file = "coverage-7.13.1-cp313-cp313-win_arm64.whl", hash = "sha256:868a2fae76dfb06e87291bcbd4dcbcc778a8500510b618d50496e520bd94d9b9"},
+    {file = "coverage-7.13.1-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:67170979de0dacac3f3097d02b0ad188d8edcea44ccc44aaa0550af49150c7dc"},
+    {file = "coverage-7.13.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:f80e2bb21bfab56ed7405c2d79d34b5dc0bc96c2c1d2a067b643a09fb756c43a"},
+    {file = "coverage-7.13.1-cp313-cp313t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:f83351e0f7dcdb14d7326c3d8d8c4e915fa685cbfdc6281f9470d97a04e9dfe4"},
+    {file = "coverage-7.13.1-cp313-cp313t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:bb3f6562e89bad0110afbe64e485aac2462efdce6232cdec7862a095dc3412f6"},
+    {file = "coverage-7.13.1-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:77545b5dcda13b70f872c3b5974ac64c21d05e65b1590b441c8560115dc3a0d1"},
+    {file = "coverage-7.13.1-cp313-cp313t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:a4d240d260a1aed814790bbe1f10a5ff31ce6c21bc78f0da4a1e8268d6c80dbd"},
+    {file = "coverage-7.13.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:d2287ac9360dec3837bfdad969963a5d073a09a85d898bd86bea82aa8876ef3c"},
+    {file = "coverage-7.13.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:0d2c11f3ea4db66b5cbded23b20185c35066892c67d80ec4be4bab257b9ad1e0"},
+    {file = "coverage-7.13.1-cp313-cp313t-musllinux_1_2_riscv64.whl", hash = "sha256:3fc6a169517ca0d7ca6846c3c5392ef2b9e38896f61d615cb75b9e7134d4ee1e"},
+    {file = "coverage-7.13.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:d10a2ed46386e850bb3de503a54f9fe8192e5917fcbb143bfef653a9355e9a53"},
+    {file = "coverage-7.13.1-cp313-cp313t-win32.whl", hash = "sha256:75a6f4aa904301dab8022397a22c0039edc1f51e90b83dbd4464b8a38dc87842"},
+    {file = "coverage-7.13.1-cp313-cp313t-win_amd64.whl", hash = "sha256:309ef5706e95e62578cda256b97f5e097916a2c26247c287bbe74794e7150df2"},
+    {file = "coverage-7.13.1-cp313-cp313t-win_arm64.whl", hash = "sha256:92f980729e79b5d16d221038dbf2e8f9a9136afa072f9d5d6ed4cb984b126a09"},
+    {file = "coverage-7.13.1-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:97ab3647280d458a1f9adb85244e81587505a43c0c7cff851f5116cd2814b894"},
+    {file = "coverage-7.13.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:8f572d989142e0908e6acf57ad1b9b86989ff057c006d13b76c146ec6a20216a"},
+    {file = "coverage-7.13.1-cp314-cp314-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:d72140ccf8a147e94274024ff6fd8fb7811354cf7ef88b1f0a988ebaa5bc774f"},
+    {file = "coverage-7.13.1-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:d3c9f051b028810f5a87c88e5d6e9af3c0ff32ef62763bf15d29f740453ca909"},
+    {file = "coverage-7.13.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f398ba4df52d30b1763f62eed9de5620dcde96e6f491f4c62686736b155aa6e4"},
+    {file = "coverage-7.13.1-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:132718176cc723026d201e347f800cd1a9e4b62ccd3f82476950834dad501c75"},
+    {file = "coverage-7.13.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:9e549d642426e3579b3f4b92d0431543b012dcb6e825c91619d4e93b7363c3f9"},
+    {file = "coverage-7.13.1-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:90480b2134999301eea795b3a9dbf606c6fbab1b489150c501da84a959442465"},
+    {file = "coverage-7.13.1-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:e825dbb7f84dfa24663dd75835e7257f8882629fc11f03ecf77d84a75134b864"},
+    {file = "coverage-7.13.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:623dcc6d7a7ba450bbdbeedbaa0c42b329bdae16491af2282f12a7e809be7eb9"},
+    {file = "coverage-7.13.1-cp314-cp314-win32.whl", hash = "sha256:6e73ebb44dca5f708dc871fe0b90cf4cff1a13f9956f747cc87b535a840386f5"},
+    {file = "coverage-7.13.1-cp314-cp314-win_amd64.whl", hash = "sha256:be753b225d159feb397bd0bf91ae86f689bad0da09d3b301478cd39b878ab31a"},
+    {file = "coverage-7.13.1-cp314-cp314-win_arm64.whl", hash = "sha256:228b90f613b25ba0019361e4ab81520b343b622fc657daf7e501c4ed6a2366c0"},
+    {file = "coverage-7.13.1-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:60cfb538fe9ef86e5b2ab0ca8fc8d62524777f6c611dcaf76dc16fbe9b8e698a"},
+    {file = "coverage-7.13.1-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:57dfc8048c72ba48a8c45e188d811e5efd7e49b387effc8fb17e97936dde5bf6"},
+    {file = "coverage-7.13.1-cp314-cp314t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:3f2f725aa3e909b3c5fdb8192490bdd8e1495e85906af74fe6e34a2a77ba0673"},
+    {file = "coverage-7.13.1-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:9ee68b21909686eeb21dfcba2c3b81fee70dcf38b140dcd5aa70680995fa3aa5"},
+    {file = "coverage-7.13.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:724b1b270cb13ea2e6503476e34541a0b1f62280bc997eab443f87790202033d"},
+    {file = "coverage-7.13.1-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:916abf1ac5cf7eb16bc540a5bf75c71c43a676f5c52fcb9fe75a2bd75fb944e8"},
+    {file = "coverage-7.13.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:776483fd35b58d8afe3acbd9988d5de592ab6da2d2a865edfdbc9fdb43e7c486"},
+    {file = "coverage-7.13.1-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:b6f3b96617e9852703f5b633ea01315ca45c77e879584f283c44127f0f1ec564"},
+    {file = "coverage-7.13.1-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:bd63e7b74661fed317212fab774e2a648bc4bb09b35f25474f8e3325d2945cd7"},
+    {file = "coverage-7.13.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:933082f161bbb3e9f90d00990dc956120f608cdbcaeea15c4d897f56ef4fe416"},
+    {file = "coverage-7.13.1-cp314-cp314t-win32.whl", hash = "sha256:18be793c4c87de2965e1c0f060f03d9e5aff66cfeae8e1dbe6e5b88056ec153f"},
+    {file = "coverage-7.13.1-cp314-cp314t-win_amd64.whl", hash = "sha256:0e42e0ec0cd3e0d851cb3c91f770c9301f48647cb2877cb78f74bdaa07639a79"},
+    {file = "coverage-7.13.1-cp314-cp314t-win_arm64.whl", hash = "sha256:eaecf47ef10c72ece9a2a92118257da87e460e113b83cc0d2905cbbe931792b4"},
+    {file = "coverage-7.13.1-py3-none-any.whl", hash = "sha256:2016745cb3ba554469d02819d78958b571792bb68e31302610e898f80dd3a573"},
+    {file = "coverage-7.13.1.tar.gz", hash = "sha256:b7593fe7eb5feaa3fbb461ac79aac9f9fc0387a5ca8080b0c6fe2ca27b091afd"},
 ]
 
 [package.dependencies]
@@ -567,6 +578,41 @@ files = [
     {file = "invoke-2.2.1.tar.gz", hash = "sha256:515bf49b4a48932b79b024590348da22f39c4942dff991ad1fb8b8baea1be707"},
 ]
 
+[[package]]
+name = "jsonschema"
+version = "4.26.0"
+description = "An implementation of JSON Schema validation for Python"
+optional = false
+python-versions = ">=3.10"
+files = [
+    {file = "jsonschema-4.26.0-py3-none-any.whl", hash = "sha256:d489f15263b8d200f8387e64b4c3a75f06629559fb73deb8fdfb525f2dab50ce"},
+    {file = "jsonschema-4.26.0.tar.gz", hash = "sha256:0c26707e2efad8aa1bfc5b7ce170f3fccc2e4918ff85989ba9ffa9facb2be326"},
+]
+
+[package.dependencies]
+attrs = ">=22.2.0"
+jsonschema-specifications = ">=2023.03.6"
+referencing = ">=0.28.4"
+rpds-py = ">=0.25.0"
+
+[package.extras]
+format = ["fqdn", "idna", "isoduration", "jsonpointer (>1.13)", "rfc3339-validator", "rfc3987", "uri-template", "webcolors (>=1.11)"]
+format-nongpl = ["fqdn", "idna", "isoduration", "jsonpointer (>1.13)", "rfc3339-validator", "rfc3986-validator (>0.1.0)", "rfc3987-syntax (>=1.1.0)", "uri-template", "webcolors (>=24.6.0)"]
+
+[[package]]
+name = "jsonschema-specifications"
+version = "2025.9.1"
+description = "The JSON Schema meta-schemas and vocabularies, exposed as a Registry"
+optional = false
+python-versions = ">=3.9"
+files = [
+    {file = "jsonschema_specifications-2025.9.1-py3-none-any.whl", hash = "sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe"},
+    {file = "jsonschema_specifications-2025.9.1.tar.gz", hash = "sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d"},
+]
+
+[package.dependencies]
+referencing = ">=0.31.0"
+
 [[package]]
 name = "packaging"
 version = "25.0"
@@ -640,38 +686,36 @@ windows-terminal = ["colorama (>=0.4.6)"]
 
 [[package]]
 name = "pynacl"
-version = "1.6.1"
+version = "1.6.2"
 description = "Python binding to the Networking and Cryptography (NaCl) library"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pynacl-1.6.1-cp314-cp314t-macosx_10_10_universal2.whl", hash = "sha256:7d7c09749450c385301a3c20dca967a525152ae4608c0a096fe8464bfc3df93d"},
-    {file = "pynacl-1.6.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:fc734c1696ffd49b40f7c1779c89ba908157c57345cf626be2e0719488a076d3"},
-    {file = "pynacl-1.6.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:3cd787ec1f5c155dc8ecf39b1333cfef41415dc96d392f1ce288b4fe970df489"},
-    {file = "pynacl-1.6.1-cp314-cp314t-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b35d93ab2df03ecb3aa506be0d3c73609a51449ae0855c2e89c7ed44abde40b"},
-    {file = "pynacl-1.6.1-cp314-cp314t-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:dece79aecbb8f4640a1adbb81e4aa3bfb0e98e99834884a80eb3f33c7c30e708"},
-    {file = "pynacl-1.6.1-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:c2228054f04bf32d558fb89bb99f163a8197d5a9bf4efa13069a7fa8d4b93fc3"},
-    {file = "pynacl-1.6.1-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:2b12f1b97346f177affcdfdc78875ff42637cb40dcf79484a97dae3448083a78"},
-    {file = "pynacl-1.6.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:e735c3a1bdfde3834503baf1a6d74d4a143920281cb724ba29fb84c9f49b9c48"},
-    {file = "pynacl-1.6.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:3384a454adf5d716a9fadcb5eb2e3e72cd49302d1374a60edc531c9957a9b014"},
-    {file = "pynacl-1.6.1-cp314-cp314t-win32.whl", hash = "sha256:d8615ee34d01c8e0ab3f302dcdd7b32e2bcf698ba5f4809e7cc407c8cdea7717"},
-    {file = "pynacl-1.6.1-cp314-cp314t-win_amd64.whl", hash = "sha256:5f5b35c1a266f8a9ad22525049280a600b19edd1f785bccd01ae838437dcf935"},
-    {file = "pynacl-1.6.1-cp314-cp314t-win_arm64.whl", hash = "sha256:d984c91fe3494793b2a1fb1e91429539c6c28e9ec8209d26d25041ec599ccf63"},
-    {file = "pynacl-1.6.1-cp38-abi3-macosx_10_10_universal2.whl", hash = "sha256:a6f9fd6d6639b1e81115c7f8ff16b8dedba1e8098d2756275d63d208b0e32021"},
-    {file = "pynacl-1.6.1-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:e49a3f3d0da9f79c1bec2aa013261ab9fa651c7da045d376bd306cf7c1792993"},
-    {file = "pynacl-1.6.1-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:7713f8977b5d25f54a811ec9efa2738ac592e846dd6e8a4d3f7578346a841078"},
-    {file = "pynacl-1.6.1-cp38-abi3-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:5a3becafc1ee2e5ea7f9abc642f56b82dcf5be69b961e782a96ea52b55d8a9fc"},
-    {file = "pynacl-1.6.1-cp38-abi3-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4ce50d19f1566c391fedc8dc2f2f5be265ae214112ebe55315e41d1f36a7f0a9"},
-    {file = "pynacl-1.6.1-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:543f869140f67d42b9b8d47f922552d7a967e6c116aad028c9bfc5f3f3b3a7b7"},
-    {file = "pynacl-1.6.1-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:a2bb472458c7ca959aeeff8401b8efef329b0fc44a89d3775cffe8fad3398ad8"},
-    {file = "pynacl-1.6.1-cp38-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:3206fa98737fdc66d59b8782cecc3d37d30aeec4593d1c8c145825a345bba0f0"},
-    {file = "pynacl-1.6.1-cp38-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:53543b4f3d8acb344f75fd4d49f75e6572fce139f4bfb4815a9282296ff9f4c0"},
-    {file = "pynacl-1.6.1-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:319de653ef84c4f04e045eb250e6101d23132372b0a61a7acf91bac0fda8e58c"},
-    {file = "pynacl-1.6.1-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:262a8de6bba4aee8a66f5edf62c214b06647461c9b6b641f8cd0cb1e3b3196fe"},
-    {file = "pynacl-1.6.1-cp38-abi3-win32.whl", hash = "sha256:9fd1a4eb03caf8a2fe27b515a998d26923adb9ddb68db78e35ca2875a3830dde"},
-    {file = "pynacl-1.6.1-cp38-abi3-win_amd64.whl", hash = "sha256:a569a4069a7855f963940040f35e87d8bc084cb2d6347428d5ad20550a0a1a21"},
-    {file = "pynacl-1.6.1-cp38-abi3-win_arm64.whl", hash = "sha256:5953e8b8cfadb10889a6e7bd0f53041a745d1b3d30111386a1bb37af171e6daf"},
-    {file = "pynacl-1.6.1.tar.gz", hash = "sha256:8d361dac0309f2b6ad33b349a56cd163c98430d409fa503b10b70b3ad66eaa1d"},
+    {file = "pynacl-1.6.2-cp314-cp314t-macosx_10_10_universal2.whl", hash = "sha256:622d7b07cc5c02c666795792931b50c91f3ce3c2649762efb1ef0d5684c81594"},
+    {file = "pynacl-1.6.2-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:d071c6a9a4c94d79eb665db4ce5cedc537faf74f2355e4d502591d850d3913c0"},
+    {file = "pynacl-1.6.2-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fe9847ca47d287af41e82be1dd5e23023d3c31a951da134121ab02e42ac218c9"},
+    {file = "pynacl-1.6.2-cp314-cp314t-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:04316d1fc625d860b6c162fff704eb8426b1a8bcd3abacea11142cbd99a6b574"},
+    {file = "pynacl-1.6.2-cp314-cp314t-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:44081faff368d6c5553ccf55322ef2819abb40e25afaec7e740f159f74813634"},
+    {file = "pynacl-1.6.2-cp314-cp314t-manylinux_2_34_aarch64.whl", hash = "sha256:a9f9932d8d2811ce1a8ffa79dcbdf3970e7355b5c8eb0c1a881a57e7f7d96e88"},
+    {file = "pynacl-1.6.2-cp314-cp314t-manylinux_2_34_x86_64.whl", hash = "sha256:bc4a36b28dd72fb4845e5d8f9760610588a96d5a51f01d84d8c6ff9849968c14"},
+    {file = "pynacl-1.6.2-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:3bffb6d0f6becacb6526f8f42adfb5efb26337056ee0831fb9a7044d1a964444"},
+    {file = "pynacl-1.6.2-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:2fef529ef3ee487ad8113d287a593fa26f48ee3620d92ecc6f1d09ea38e0709b"},
+    {file = "pynacl-1.6.2-cp314-cp314t-win32.whl", hash = "sha256:a84bf1c20339d06dc0c85d9aea9637a24f718f375d861b2668b2f9f96fa51145"},
+    {file = "pynacl-1.6.2-cp314-cp314t-win_amd64.whl", hash = "sha256:320ef68a41c87547c91a8b58903c9caa641ab01e8512ce291085b5fe2fcb7590"},
+    {file = "pynacl-1.6.2-cp314-cp314t-win_arm64.whl", hash = "sha256:d29bfe37e20e015a7d8b23cfc8bd6aa7909c92a1b8f41ee416bbb3e79ef182b2"},
+    {file = "pynacl-1.6.2-cp38-abi3-macosx_10_10_universal2.whl", hash = "sha256:c949ea47e4206af7c8f604b8278093b674f7c79ed0d4719cc836902bf4517465"},
+    {file = "pynacl-1.6.2-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:8845c0631c0be43abdd865511c41eab235e0be69c81dc66a50911594198679b0"},
+    {file = "pynacl-1.6.2-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:22de65bb9010a725b0dac248f353bb072969c94fa8d6b1f34b87d7953cf7bbe4"},
+    {file = "pynacl-1.6.2-cp38-abi3-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:46065496ab748469cdd999246d17e301b2c24ae2fdf739132e580a0e94c94a87"},
+    {file = "pynacl-1.6.2-cp38-abi3-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:8a66d6fb6ae7661c58995f9c6435bda2b1e68b54b598a6a10247bfcdadac996c"},
+    {file = "pynacl-1.6.2-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:26bfcd00dcf2cf160f122186af731ae30ab120c18e8375684ec2670dccd28130"},
+    {file = "pynacl-1.6.2-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:c8a231e36ec2cab018c4ad4358c386e36eede0319a0c41fed24f840b1dac59f6"},
+    {file = "pynacl-1.6.2-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:68be3a09455743ff9505491220b64440ced8973fe930f270c8e07ccfa25b1f9e"},
+    {file = "pynacl-1.6.2-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:8b097553b380236d51ed11356c953bf8ce36a29a3e596e934ecabe76c985a577"},
+    {file = "pynacl-1.6.2-cp38-abi3-win32.whl", hash = "sha256:5811c72b473b2f38f7e2a3dc4f8642e3a3e9b5e7317266e4ced1fba85cae41aa"},
+    {file = "pynacl-1.6.2-cp38-abi3-win_amd64.whl", hash = "sha256:62985f233210dee6548c223301b6c25440852e13d59a8b81490203c3227c5ba0"},
+    {file = "pynacl-1.6.2-cp38-abi3-win_arm64.whl", hash = "sha256:834a43af110f743a754448463e8fd61259cd4ab5bbedcf70f9dabad1d28a394c"},
+    {file = "pynacl-1.6.2.tar.gz", hash = "sha256:018494d6d696ae03c7e656e5e74cdfd8ea1326962cc401bcf018f1ed8436811c"},
 ]
 
 [package.dependencies]
@@ -820,6 +864,22 @@ files = [
     {file = "pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f"},
 ]
 
+[[package]]
+name = "referencing"
+version = "0.37.0"
+description = "JSON Referencing + Python"
+optional = false
+python-versions = ">=3.10"
+files = [
+    {file = "referencing-0.37.0-py3-none-any.whl", hash = "sha256:381329a9f99628c9069361716891d34ad94af76e461dcb0335825aecc7692231"},
+    {file = "referencing-0.37.0.tar.gz", hash = "sha256:44aefc3142c5b842538163acb373e24cce6632bd54bdb01b21ad5863489f50d8"},
+]
+
+[package.dependencies]
+attrs = ">=22.2.0"
+rpds-py = ">=0.7.0"
+typing-extensions = {version = ">=4.4.0", markers = "python_version < \"3.13\""}
+
 [[package]]
 name = "requests"
 version = "2.32.5"
@@ -841,55 +901,184 @@ urllib3 = ">=1.21.1,<3"
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
 use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
+[[package]]
+name = "rpds-py"
+version = "0.30.0"
+description = "Python bindings to Rust's persistent data structures (rpds)"
+optional = false
+python-versions = ">=3.10"
+files = [
+    {file = "rpds_py-0.30.0-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:679ae98e00c0e8d68a7fda324e16b90fd5260945b45d3b824c892cec9eea3288"},
+    {file = "rpds_py-0.30.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:4cc2206b76b4f576934f0ed374b10d7ca5f457858b157ca52064bdfc26b9fc00"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:389a2d49eded1896c3d48b0136ead37c48e221b391c052fba3f4055c367f60a6"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:32c8528634e1bf7121f3de08fa85b138f4e0dc47657866630611b03967f041d7"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f207f69853edd6f6700b86efb84999651baf3789e78a466431df1331608e5324"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:67b02ec25ba7a9e8fa74c63b6ca44cf5707f2fbfadae3ee8e7494297d56aa9df"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0c0e95f6819a19965ff420f65578bacb0b00f251fefe2c8b23347c37174271f3"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_31_riscv64.whl", hash = "sha256:a452763cc5198f2f98898eb98f7569649fe5da666c2dc6b5ddb10fde5a574221"},
+    {file = "rpds_py-0.30.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e0b65193a413ccc930671c55153a03ee57cecb49e6227204b04fae512eb657a7"},
+    {file = "rpds_py-0.30.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:858738e9c32147f78b3ac24dc0edb6610000e56dc0f700fd5f651d0a0f0eb9ff"},
+    {file = "rpds_py-0.30.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:da279aa314f00acbb803da1e76fa18666778e8a8f83484fba94526da5de2cba7"},
+    {file = "rpds_py-0.30.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:7c64d38fb49b6cdeda16ab49e35fe0da2e1e9b34bc38bd78386530f218b37139"},
+    {file = "rpds_py-0.30.0-cp310-cp310-win32.whl", hash = "sha256:6de2a32a1665b93233cde140ff8b3467bdb9e2af2b91079f0333a0974d12d464"},
+    {file = "rpds_py-0.30.0-cp310-cp310-win_amd64.whl", hash = "sha256:1726859cd0de969f88dc8673bdd954185b9104e05806be64bcd87badbe313169"},
+    {file = "rpds_py-0.30.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a2bffea6a4ca9f01b3f8e548302470306689684e61602aa3d141e34da06cf425"},
+    {file = "rpds_py-0.30.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:dc4f992dfe1e2bc3ebc7444f6c7051b4bc13cd8e33e43511e8ffd13bf407010d"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:422c3cb9856d80b09d30d2eb255d0754b23e090034e1deb4083f8004bd0761e4"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:07ae8a593e1c3c6b82ca3292efbe73c30b61332fd612e05abee07c79359f292f"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:12f90dd7557b6bd57f40abe7747e81e0c0b119bef015ea7726e69fe550e394a4"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:99b47d6ad9a6da00bec6aabe5a6279ecd3c06a329d4aa4771034a21e335c3a97"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:33f559f3104504506a44bb666b93a33f5d33133765b0c216a5bf2f1e1503af89"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:946fe926af6e44f3697abbc305ea168c2c31d3e3ef1058cf68f379bf0335a78d"},
+    {file = "rpds_py-0.30.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:495aeca4b93d465efde585977365187149e75383ad2684f81519f504f5c13038"},
+    {file = "rpds_py-0.30.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d9a0ca5da0386dee0655b4ccdf46119df60e0f10da268d04fe7cc87886872ba7"},
+    {file = "rpds_py-0.30.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8d6d1cc13664ec13c1b84241204ff3b12f9bb82464b8ad6e7a5d3486975c2eed"},
+    {file = "rpds_py-0.30.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:3896fa1be39912cf0757753826bc8bdc8ca331a28a7c4ae46b7a21280b06bb85"},
+    {file = "rpds_py-0.30.0-cp311-cp311-win32.whl", hash = "sha256:55f66022632205940f1827effeff17c4fa7ae1953d2b74a8581baaefb7d16f8c"},
+    {file = "rpds_py-0.30.0-cp311-cp311-win_amd64.whl", hash = "sha256:a51033ff701fca756439d641c0ad09a41d9242fa69121c7d8769604a0a629825"},
+    {file = "rpds_py-0.30.0-cp311-cp311-win_arm64.whl", hash = "sha256:47b0ef6231c58f506ef0b74d44e330405caa8428e770fec25329ed2cb971a229"},
+    {file = "rpds_py-0.30.0-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:a161f20d9a43006833cd7068375a94d035714d73a172b681d8881820600abfad"},
+    {file = "rpds_py-0.30.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6abc8880d9d036ecaafe709079969f56e876fcf107f7a8e9920ba6d5a3878d05"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca28829ae5f5d569bb62a79512c842a03a12576375d5ece7d2cadf8abe96ec28"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a1010ed9524c73b94d15919ca4d41d8780980e1765babf85f9a2f90d247153dd"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f8d1736cfb49381ba528cd5baa46f82fdc65c06e843dab24dd70b63d09121b3f"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d948b135c4693daff7bc2dcfc4ec57237a29bd37e60c2fabf5aff2bbacf3e2f1"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47f236970bccb2233267d89173d3ad2703cd36a0e2a6e92d0560d333871a3d23"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_31_riscv64.whl", hash = "sha256:2e6ecb5a5bcacf59c3f912155044479af1d0b6681280048b338b28e364aca1f6"},
+    {file = "rpds_py-0.30.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a8fa71a2e078c527c3e9dc9fc5a98c9db40bcc8a92b4e8858e36d329f8684b51"},
+    {file = "rpds_py-0.30.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:73c67f2db7bc334e518d097c6d1e6fed021bbc9b7d678d6cc433478365d1d5f5"},
+    {file = "rpds_py-0.30.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:5ba103fb455be00f3b1c2076c9d4264bfcb037c976167a6047ed82f23153f02e"},
+    {file = "rpds_py-0.30.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7cee9c752c0364588353e627da8a7e808a66873672bcb5f52890c33fd965b394"},
+    {file = "rpds_py-0.30.0-cp312-cp312-win32.whl", hash = "sha256:1ab5b83dbcf55acc8b08fc62b796ef672c457b17dbd7820a11d6c52c06839bdf"},
+    {file = "rpds_py-0.30.0-cp312-cp312-win_amd64.whl", hash = "sha256:a090322ca841abd453d43456ac34db46e8b05fd9b3b4ac0c78bcde8b089f959b"},
+    {file = "rpds_py-0.30.0-cp312-cp312-win_arm64.whl", hash = "sha256:669b1805bd639dd2989b281be2cfd951c6121b65e729d9b843e9639ef1fd555e"},
+    {file = "rpds_py-0.30.0-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f83424d738204d9770830d35290ff3273fbb02b41f919870479fab14b9d303b2"},
+    {file = "rpds_py-0.30.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:e7536cd91353c5273434b4e003cbda89034d67e7710eab8761fd918ec6c69cf8"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2771c6c15973347f50fece41fc447c054b7ac2ae0502388ce3b6738cd366e3d4"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0a59119fc6e3f460315fe9d08149f8102aa322299deaa5cab5b40092345c2136"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:76fec018282b4ead0364022e3c54b60bf368b9d926877957a8624b58419169b7"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:692bef75a5525db97318e8cd061542b5a79812d711ea03dbc1f6f8dbb0c5f0d2"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9027da1ce107104c50c81383cae773ef5c24d296dd11c99e2629dbd7967a20c6"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_31_riscv64.whl", hash = "sha256:9cf69cdda1f5968a30a359aba2f7f9aa648a9ce4b580d6826437f2b291cfc86e"},
+    {file = "rpds_py-0.30.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a4796a717bf12b9da9d3ad002519a86063dcac8988b030e405704ef7d74d2d9d"},
+    {file = "rpds_py-0.30.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:5d4c2aa7c50ad4728a094ebd5eb46c452e9cb7edbfdb18f9e1221f597a73e1e7"},
+    {file = "rpds_py-0.30.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ba81a9203d07805435eb06f536d95a266c21e5b2dfbf6517748ca40c98d19e31"},
+    {file = "rpds_py-0.30.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:945dccface01af02675628334f7cf49c2af4c1c904748efc5cf7bbdf0b579f95"},
+    {file = "rpds_py-0.30.0-cp313-cp313-win32.whl", hash = "sha256:b40fb160a2db369a194cb27943582b38f79fc4887291417685f3ad693c5a1d5d"},
+    {file = "rpds_py-0.30.0-cp313-cp313-win_amd64.whl", hash = "sha256:806f36b1b605e2d6a72716f321f20036b9489d29c51c91f4dd29a3e3afb73b15"},
+    {file = "rpds_py-0.30.0-cp313-cp313-win_arm64.whl", hash = "sha256:d96c2086587c7c30d44f31f42eae4eac89b60dabbac18c7669be3700f13c3ce1"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-macosx_10_12_x86_64.whl", hash = "sha256:eb0b93f2e5c2189ee831ee43f156ed34e2a89a78a66b98cadad955972548be5a"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:922e10f31f303c7c920da8981051ff6d8c1a56207dbdf330d9047f6d30b70e5e"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cdc62c8286ba9bf7f47befdcea13ea0e26bf294bda99758fd90535cbaf408000"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:47f9a91efc418b54fb8190a6b4aa7813a23fb79c51f4bb84e418f5476c38b8db"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1f3587eb9b17f3789ad50824084fa6f81921bbf9a795826570bda82cb3ed91f2"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:39c02563fc592411c2c61d26b6c5fe1e51eaa44a75aa2c8735ca88b0d9599daa"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51a1234d8febafdfd33a42d97da7a43f5dcb120c1060e352a3fbc0c6d36e2083"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_31_riscv64.whl", hash = "sha256:eb2c4071ab598733724c08221091e8d80e89064cd472819285a9ab0f24bcedb9"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:6bdfdb946967d816e6adf9a3d8201bfad269c67efe6cefd7093ef959683c8de0"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:c77afbd5f5250bf27bf516c7c4a016813eb2d3e116139aed0096940c5982da94"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:61046904275472a76c8c90c9ccee9013d70a6d0f73eecefd38c1ae7c39045a08"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:4c5f36a861bc4b7da6516dbdf302c55313afa09b81931e8280361a4f6c9a2d27"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-win32.whl", hash = "sha256:3d4a69de7a3e50ffc214ae16d79d8fbb0922972da0356dcf4d0fdca2878559c6"},
+    {file = "rpds_py-0.30.0-cp313-cp313t-win_amd64.whl", hash = "sha256:f14fc5df50a716f7ece6a80b6c78bb35ea2ca47c499e422aa4463455dd96d56d"},
+    {file = "rpds_py-0.30.0-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:68f19c879420aa08f61203801423f6cd5ac5f0ac4ac82a2368a9fcd6a9a075e0"},
+    {file = "rpds_py-0.30.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ec7c4490c672c1a0389d319b3a9cfcd098dcdc4783991553c332a15acf7249be"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f251c812357a3fed308d684a5079ddfb9d933860fc6de89f2b7ab00da481e65f"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ac98b175585ecf4c0348fd7b29c3864bda53b805c773cbf7bfdaffc8070c976f"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3e62880792319dbeb7eb866547f2e35973289e7d5696c6e295476448f5b63c87"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4e7fc54e0900ab35d041b0601431b0a0eb495f0851a0639b6ef90f7741b39a18"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47e77dc9822d3ad616c3d5759ea5631a75e5809d5a28707744ef79d7a1bcfcad"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:b4dc1a6ff022ff85ecafef7979a2c6eb423430e05f1165d6688234e62ba99a07"},
+    {file = "rpds_py-0.30.0-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4559c972db3a360808309e06a74628b95eaccbf961c335c8fe0d590cf587456f"},
+    {file = "rpds_py-0.30.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:0ed177ed9bded28f8deb6ab40c183cd1192aa0de40c12f38be4d59cd33cb5c65"},
+    {file = "rpds_py-0.30.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:ad1fa8db769b76ea911cb4e10f049d80bf518c104f15b3edb2371cc65375c46f"},
+    {file = "rpds_py-0.30.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:46e83c697b1f1c72b50e5ee5adb4353eef7406fb3f2043d64c33f20ad1c2fc53"},
+    {file = "rpds_py-0.30.0-cp314-cp314-win32.whl", hash = "sha256:ee454b2a007d57363c2dfd5b6ca4a5d7e2c518938f8ed3b706e37e5d470801ed"},
+    {file = "rpds_py-0.30.0-cp314-cp314-win_amd64.whl", hash = "sha256:95f0802447ac2d10bcc69f6dc28fe95fdf17940367b21d34e34c737870758950"},
+    {file = "rpds_py-0.30.0-cp314-cp314-win_arm64.whl", hash = "sha256:613aa4771c99f03346e54c3f038e4cc574ac09a3ddfb0e8878487335e96dead6"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:7e6ecfcb62edfd632e56983964e6884851786443739dbfe3582947e87274f7cb"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:a1d0bc22a7cdc173fedebb73ef81e07faef93692b8c1ad3733b67e31e1b6e1b8"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0d08f00679177226c4cb8c5265012eea897c8ca3b93f429e546600c971bcbae7"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5965af57d5848192c13534f90f9dd16464f3c37aaf166cc1da1cae1fd5a34898"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9a4e86e34e9ab6b667c27f3211ca48f73dba7cd3d90f8d5b11be56e5dbc3fb4e"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e5d3e6b26f2c785d65cc25ef1e5267ccbe1b069c5c21b8cc724efee290554419"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:626a7433c34566535b6e56a1b39a7b17ba961e97ce3b80ec62e6f1312c025551"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:acd7eb3f4471577b9b5a41baf02a978e8bdeb08b4b355273994f8b87032000a8"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fe5fa731a1fa8a0a56b0977413f8cacac1768dad38d16b3a296712709476fbd5"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:74a3243a411126362712ee1524dfc90c650a503502f135d54d1b352bd01f2404"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:3e8eeb0544f2eb0d2581774be4c3410356eba189529a6b3e36bbbf9696175856"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:dbd936cde57abfee19ab3213cf9c26be06d60750e60a8e4dd85d1ab12c8b1f40"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-win32.whl", hash = "sha256:dc824125c72246d924f7f796b4f63c1e9dc810c7d9e2355864b3c3a73d59ade0"},
+    {file = "rpds_py-0.30.0-cp314-cp314t-win_amd64.whl", hash = "sha256:27f4b0e92de5bfbc6f86e43959e6edd1425c33b5e69aab0984a72047f2bcf1e3"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:c2262bdba0ad4fc6fb5545660673925c2d2a5d9e2e0fb603aad545427be0fc58"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:ee6af14263f25eedc3bb918a3c04245106a42dfd4f5c2285ea6f997b1fc3f89a"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3adbb8179ce342d235c31ab8ec511e66c73faa27a47e076ccc92421add53e2bb"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:250fa00e9543ac9b97ac258bd37367ff5256666122c2d0f2bc97577c60a1818c"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9854cf4f488b3d57b9aaeb105f06d78e5529d3145b1e4a41750167e8c213c6d3"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:993914b8e560023bc0a8bf742c5f303551992dcb85e247b1e5c7f4a7d145bda5"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58edca431fb9b29950807e301826586e5bbf24163677732429770a697ffe6738"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_31_riscv64.whl", hash = "sha256:dea5b552272a944763b34394d04577cf0f9bd013207bc32323b5a89a53cf9c2f"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ba3af48635eb83d03f6c9735dfb21785303e73d22ad03d489e88adae6eab8877"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:dff13836529b921e22f15cb099751209a60009731a68519630a24d61f0b1b30a"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_i686.whl", hash = "sha256:1b151685b23929ab7beec71080a8889d4d6d9fa9a983d213f07121205d48e2c4"},
+    {file = "rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:ac37f9f516c51e5753f27dfdef11a88330f04de2d564be3991384b2f3535d02e"},
+    {file = "rpds_py-0.30.0.tar.gz", hash = "sha256:dd8ff7cf90014af0c0f787eea34794ebf6415242ee1d6fa91eaba725cc441e84"},
+]
+
 [[package]]
 name = "tomli"
-version = "2.3.0"
+version = "2.4.0"
 description = "A lil' TOML parser"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "tomli-2.3.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:88bd15eb972f3664f5ed4b57c1634a97153b4bac4479dcb6a495f41921eb7f45"},
-    {file = "tomli-2.3.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:883b1c0d6398a6a9d29b508c331fa56adbcdff647f6ace4dfca0f50e90dfd0ba"},
-    {file = "tomli-2.3.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d1381caf13ab9f300e30dd8feadb3de072aeb86f1d34a8569453ff32a7dea4bf"},
-    {file = "tomli-2.3.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a0e285d2649b78c0d9027570d4da3425bdb49830a6156121360b3f8511ea3441"},
-    {file = "tomli-2.3.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:0a154a9ae14bfcf5d8917a59b51ffd5a3ac1fd149b71b47a3a104ca4edcfa845"},
-    {file = "tomli-2.3.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:74bf8464ff93e413514fefd2be591c3b0b23231a77f901db1eb30d6f712fc42c"},
-    {file = "tomli-2.3.0-cp311-cp311-win32.whl", hash = "sha256:00b5f5d95bbfc7d12f91ad8c593a1659b6387b43f054104cda404be6bda62456"},
-    {file = "tomli-2.3.0-cp311-cp311-win_amd64.whl", hash = "sha256:4dc4ce8483a5d429ab602f111a93a6ab1ed425eae3122032db7e9acf449451be"},
-    {file = "tomli-2.3.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:d7d86942e56ded512a594786a5ba0a5e521d02529b3826e7761a05138341a2ac"},
-    {file = "tomli-2.3.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:73ee0b47d4dad1c5e996e3cd33b8a76a50167ae5f96a2607cbe8cc773506ab22"},
-    {file = "tomli-2.3.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:792262b94d5d0a466afb5bc63c7daa9d75520110971ee269152083270998316f"},
-    {file = "tomli-2.3.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4f195fe57ecceac95a66a75ac24d9d5fbc98ef0962e09b2eddec5d39375aae52"},
-    {file = "tomli-2.3.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:e31d432427dcbf4d86958c184b9bfd1e96b5b71f8eb17e6d02531f434fd335b8"},
-    {file = "tomli-2.3.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7b0882799624980785240ab732537fcfc372601015c00f7fc367c55308c186f6"},
-    {file = "tomli-2.3.0-cp312-cp312-win32.whl", hash = "sha256:ff72b71b5d10d22ecb084d345fc26f42b5143c5533db5e2eaba7d2d335358876"},
-    {file = "tomli-2.3.0-cp312-cp312-win_amd64.whl", hash = "sha256:1cb4ed918939151a03f33d4242ccd0aa5f11b3547d0cf30f7c74a408a5b99878"},
-    {file = "tomli-2.3.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:5192f562738228945d7b13d4930baffda67b69425a7f0da96d360b0a3888136b"},
-    {file = "tomli-2.3.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:be71c93a63d738597996be9528f4abe628d1adf5e6eb11607bc8fe1a510b5dae"},
-    {file = "tomli-2.3.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c4665508bcbac83a31ff8ab08f424b665200c0e1e645d2bd9ab3d3e557b6185b"},
-    {file = "tomli-2.3.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4021923f97266babc6ccab9f5068642a0095faa0a51a246a6a02fccbb3514eaf"},
-    {file = "tomli-2.3.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:a4ea38c40145a357d513bffad0ed869f13c1773716cf71ccaa83b0fa0cc4e42f"},
-    {file = "tomli-2.3.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ad805ea85eda330dbad64c7ea7a4556259665bdf9d2672f5dccc740eb9d3ca05"},
-    {file = "tomli-2.3.0-cp313-cp313-win32.whl", hash = "sha256:97d5eec30149fd3294270e889b4234023f2c69747e555a27bd708828353ab606"},
-    {file = "tomli-2.3.0-cp313-cp313-win_amd64.whl", hash = "sha256:0c95ca56fbe89e065c6ead5b593ee64b84a26fca063b5d71a1122bf26e533999"},
-    {file = "tomli-2.3.0-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:cebc6fe843e0733ee827a282aca4999b596241195f43b4cc371d64fc6639da9e"},
-    {file = "tomli-2.3.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:4c2ef0244c75aba9355561272009d934953817c49f47d768070c3c94355c2aa3"},
-    {file = "tomli-2.3.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c22a8bf253bacc0cf11f35ad9808b6cb75ada2631c2d97c971122583b129afbc"},
-    {file = "tomli-2.3.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0eea8cc5c5e9f89c9b90c4896a8deefc74f518db5927d0e0e8d4a80953d774d0"},
-    {file = "tomli-2.3.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:b74a0e59ec5d15127acdabd75ea17726ac4c5178ae51b85bfe39c4f8a278e879"},
-    {file = "tomli-2.3.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:b5870b50c9db823c595983571d1296a6ff3e1b88f734a4c8f6fc6188397de005"},
-    {file = "tomli-2.3.0-cp314-cp314-win32.whl", hash = "sha256:feb0dacc61170ed7ab602d3d972a58f14ee3ee60494292d384649a3dc38ef463"},
-    {file = "tomli-2.3.0-cp314-cp314-win_amd64.whl", hash = "sha256:b273fcbd7fc64dc3600c098e39136522650c49bca95df2d11cf3b626422392c8"},
-    {file = "tomli-2.3.0-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:940d56ee0410fa17ee1f12b817b37a4d4e4dc4d27340863cc67236c74f582e77"},
-    {file = "tomli-2.3.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:f85209946d1fe94416debbb88d00eb92ce9cd5266775424ff81bc959e001acaf"},
-    {file = "tomli-2.3.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a56212bdcce682e56b0aaf79e869ba5d15a6163f88d5451cbde388d48b13f530"},
-    {file = "tomli-2.3.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c5f3ffd1e098dfc032d4d3af5c0ac64f6d286d98bc148698356847b80fa4de1b"},
-    {file = "tomli-2.3.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:5e01decd096b1530d97d5d85cb4dff4af2d8347bd35686654a004f8dea20fc67"},
-    {file = "tomli-2.3.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:8a35dd0e643bb2610f156cca8db95d213a90015c11fee76c946aa62b7ae7e02f"},
-    {file = "tomli-2.3.0-cp314-cp314t-win32.whl", hash = "sha256:a1f7f282fe248311650081faafa5f4732bdbfef5d45fe3f2e702fbc6f2d496e0"},
-    {file = "tomli-2.3.0-cp314-cp314t-win_amd64.whl", hash = "sha256:70a251f8d4ba2d9ac2542eecf008b3c8a9fc5c3f9f02c56a9d7952612be2fdba"},
-    {file = "tomli-2.3.0-py3-none-any.whl", hash = "sha256:e95b1af3c5b07d9e643909b5abbec77cd9f1217e6d0bca72b0234736b9fb1f1b"},
-    {file = "tomli-2.3.0.tar.gz", hash = "sha256:64be704a875d2a59753d80ee8a533c3fe183e3f06807ff7dc2232938ccb01549"},
+    {file = "tomli-2.4.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:b5ef256a3fd497d4973c11bf142e9ed78b150d36f5773f1ca6088c230ffc5867"},
+    {file = "tomli-2.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5572e41282d5268eb09a697c89a7bee84fae66511f87533a6f88bd2f7b652da9"},
+    {file = "tomli-2.4.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:551e321c6ba03b55676970b47cb1b73f14a0a4dce6a3e1a9458fd6d921d72e95"},
+    {file = "tomli-2.4.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:5e3f639a7a8f10069d0e15408c0b96a2a828cfdec6fca05296ebcdcc28ca7c76"},
+    {file = "tomli-2.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1b168f2731796b045128c45982d3a4874057626da0e2ef1fdd722848b741361d"},
+    {file = "tomli-2.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:133e93646ec4300d651839d382d63edff11d8978be23da4cc106f5a18b7d0576"},
+    {file = "tomli-2.4.0-cp311-cp311-win32.whl", hash = "sha256:b6c78bdf37764092d369722d9946cb65b8767bfa4110f902a1b2542d8d173c8a"},
+    {file = "tomli-2.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:d3d1654e11d724760cdb37a3d7691f0be9db5fbdaef59c9f532aabf87006dbaa"},
+    {file = "tomli-2.4.0-cp311-cp311-win_arm64.whl", hash = "sha256:cae9c19ed12d4e8f3ebf46d1a75090e4c0dc16271c5bce1c833ac168f08fb614"},
+    {file = "tomli-2.4.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:920b1de295e72887bafa3ad9f7a792f811847d57ea6b1215154030cf131f16b1"},
+    {file = "tomli-2.4.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:7d6d9a4aee98fac3eab4952ad1d73aee87359452d1c086b5ceb43ed02ddb16b8"},
+    {file = "tomli-2.4.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:36b9d05b51e65b254ea6c2585b59d2c4cb91c8a3d91d0ed0f17591a29aaea54a"},
+    {file = "tomli-2.4.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:1c8a885b370751837c029ef9bc014f27d80840e48bac415f3412e6593bbc18c1"},
+    {file = "tomli-2.4.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8768715ffc41f0008abe25d808c20c3d990f42b6e2e58305d5da280ae7d1fa3b"},
+    {file = "tomli-2.4.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7b438885858efd5be02a9a133caf5812b8776ee0c969fea02c45e8e3f296ba51"},
+    {file = "tomli-2.4.0-cp312-cp312-win32.whl", hash = "sha256:0408e3de5ec77cc7f81960c362543cbbd91ef883e3138e81b729fc3eea5b9729"},
+    {file = "tomli-2.4.0-cp312-cp312-win_amd64.whl", hash = "sha256:685306e2cc7da35be4ee914fd34ab801a6acacb061b6a7abca922aaf9ad368da"},
+    {file = "tomli-2.4.0-cp312-cp312-win_arm64.whl", hash = "sha256:5aa48d7c2356055feef06a43611fc401a07337d5b006be13a30f6c58f869e3c3"},
+    {file = "tomli-2.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:84d081fbc252d1b6a982e1870660e7330fb8f90f676f6e78b052ad4e64714bf0"},
+    {file = "tomli-2.4.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:9a08144fa4cba33db5255f9b74f0b89888622109bd2776148f2597447f92a94e"},
+    {file = "tomli-2.4.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c73add4bb52a206fd0c0723432db123c0c75c280cbd67174dd9d2db228ebb1b4"},
+    {file = "tomli-2.4.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:1fb2945cbe303b1419e2706e711b7113da57b7db31ee378d08712d678a34e51e"},
+    {file = "tomli-2.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:bbb1b10aa643d973366dc2cb1ad94f99c1726a02343d43cbc011edbfac579e7c"},
+    {file = "tomli-2.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4cbcb367d44a1f0c2be408758b43e1ffb5308abe0ea222897d6bfc8e8281ef2f"},
+    {file = "tomli-2.4.0-cp313-cp313-win32.whl", hash = "sha256:7d49c66a7d5e56ac959cb6fc583aff0651094ec071ba9ad43df785abc2320d86"},
+    {file = "tomli-2.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:3cf226acb51d8f1c394c1b310e0e0e61fecdd7adcb78d01e294ac297dd2e7f87"},
+    {file = "tomli-2.4.0-cp313-cp313-win_arm64.whl", hash = "sha256:d20b797a5c1ad80c516e41bc1fb0443ddb5006e9aaa7bda2d71978346aeb9132"},
+    {file = "tomli-2.4.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:26ab906a1eb794cd4e103691daa23d95c6919cc2fa9160000ac02370cc9dd3f6"},
+    {file = "tomli-2.4.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:20cedb4ee43278bc4f2fee6cb50daec836959aadaf948db5172e776dd3d993fc"},
+    {file = "tomli-2.4.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:39b0b5d1b6dd03684b3fb276407ebed7090bbec989fa55838c98560c01113b66"},
+    {file = "tomli-2.4.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a26d7ff68dfdb9f87a016ecfd1e1c2bacbe3108f4e0f8bcd2228ef9a766c787d"},
+    {file = "tomli-2.4.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:20ffd184fb1df76a66e34bd1b36b4a4641bd2b82954befa32fe8163e79f1a702"},
+    {file = "tomli-2.4.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:75c2f8bbddf170e8effc98f5e9084a8751f8174ea6ccf4fca5398436e0320bc8"},
+    {file = "tomli-2.4.0-cp314-cp314-win32.whl", hash = "sha256:31d556d079d72db7c584c0627ff3a24c5d3fb4f730221d3444f3efb1b2514776"},
+    {file = "tomli-2.4.0-cp314-cp314-win_amd64.whl", hash = "sha256:43e685b9b2341681907759cf3a04e14d7104b3580f808cfde1dfdb60ada85475"},
+    {file = "tomli-2.4.0-cp314-cp314-win_arm64.whl", hash = "sha256:3d895d56bd3f82ddd6faaff993c275efc2ff38e52322ea264122d72729dca2b2"},
+    {file = "tomli-2.4.0-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:5b5807f3999fb66776dbce568cc9a828544244a8eb84b84b9bafc080c99597b9"},
+    {file = "tomli-2.4.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c084ad935abe686bd9c898e62a02a19abfc9760b5a79bc29644463eaf2840cb0"},
+    {file = "tomli-2.4.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0f2e3955efea4d1cfbcb87bc321e00dc08d2bcb737fd1d5e398af111d86db5df"},
+    {file = "tomli-2.4.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0e0fe8a0b8312acf3a88077a0802565cb09ee34107813bba1c7cd591fa6cfc8d"},
+    {file = "tomli-2.4.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:413540dce94673591859c4c6f794dfeaa845e98bf35d72ed59636f869ef9f86f"},
+    {file = "tomli-2.4.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:0dc56fef0e2c1c470aeac5b6ca8cc7b640bb93e92d9803ddaf9ea03e198f5b0b"},
+    {file = "tomli-2.4.0-cp314-cp314t-win32.whl", hash = "sha256:d878f2a6707cc9d53a1be1414bbb419e629c3d6e67f69230217bb663e76b5087"},
+    {file = "tomli-2.4.0-cp314-cp314t-win_amd64.whl", hash = "sha256:2add28aacc7425117ff6364fe9e06a183bb0251b03f986df0e78e974047571fd"},
+    {file = "tomli-2.4.0-cp314-cp314t-win_arm64.whl", hash = "sha256:2b1e3b80e1d5e52e40e9b924ec43d81570f0e7d09d11081b797bc4692765a3d4"},
+    {file = "tomli-2.4.0-py3-none-any.whl", hash = "sha256:1f776e7d669ebceb01dee46484485f43a4048746235e683bcdffacdf1fb4785a"},
+    {file = "tomli-2.4.0.tar.gz", hash = "sha256:aa89c3f6c277dd275d8e243ad24f3b5e701491a860d5121f2cdd399fbb31fc9c"},
 ]
 
 [[package]]
@@ -905,13 +1094,13 @@ files = [
 
 [[package]]
 name = "urllib3"
-version = "2.6.2"
+version = "2.6.3"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
 python-versions = ">=3.9"
 files = [
-    {file = "urllib3-2.6.2-py3-none-any.whl", hash = "sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd"},
-    {file = "urllib3-2.6.2.tar.gz", hash = "sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797"},
+    {file = "urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4"},
+    {file = "urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed"},
 ]
 
 [package.extras]
@@ -923,4 +1112,4 @@ zstd = ["backports-zstd (>=1.0.0)"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.10"
-content-hash = "20623104a1a5f4c6d4aaa759f25b2591d5de345d1464e727eb4140a6ef9a5b6e"
+content-hash = "30e16396439f2cdd69005a5b7bdf8144aac33422a77a63accbc9eaa74151d851"

pyproject.toml

@@ -1,17 +1,21 @@
 [tool.poetry]
 name = "enroll"
-version = "0.3.0"
+version = "0.4.3"
 description = "Enroll a server's running state retrospectively into Ansible"
 authors = ["Miguel Jacq <mig@mig5.net>"]
 license = "GPL-3.0-or-later"
 readme = "README.md"
 packages = [{ include = "enroll" }]
 repository = "https://git.mig5.net/mig5/enroll"
+include = [
+  { path = "enroll/schema/state.schema.json", format = ["sdist", "wheel"] }
+]
 
 [tool.poetry.dependencies]
 python = "^3.10"
 pyyaml = "^6"
 paramiko = ">=3.5"
+jsonschema = "^4.23.0"
 
 [tool.poetry.scripts]
 enroll = "enroll.cli:main"

release.sh

@@ -72,7 +72,7 @@ for dist in ${DISTS[@]}; do
   rm -rf "$PWD/dist/rpm"/*
   mkdir -p "$PWD/dist/rpm"
 
-  docker run --rm -v "$PWD":/src -v "$PWD/dist/rpm":/out -v "$HOME/git/jinjaturtle/dist/rpm":/deps:ro enroll-rpm:${release}
+  docker run --rm -v "$PWD":/src -v "$PWD/dist/rpm":/out enroll-rpm:${release}
   sudo chown -R "${USER}" "$PWD/dist"
 
   for file in `ls -1 "${BUILD_OUTPUT}/rpm"`; do

rpm/enroll.spec

@@ -1,4 +1,4 @@
-%global upstream_version 0.3.0
+%global upstream_version 0.4.3
 
 Name:           enroll
 Version:        %{upstream_version}
@@ -17,8 +17,8 @@ BuildRequires:  python3-poetry-core
 
 Requires: python3-yaml
 Requires: python3-paramiko
+Requires: python3-jsonschema
 
-# Make sure private repo dependency is pulled in by package name as well.
 Recommends:       jinjaturtle
 
 %description
@@ -43,6 +43,22 @@ Enroll a server's running state retrospectively into Ansible.
 %{_bindir}/enroll
 
 %changelog
+* Fri Jan 16 2026 Miguel Jacq <mig@mig5.net> - %{version}-%{release}
+- Add support for AddressFamily and ConnectTimeout in the .ssh/config when using `--remote-ssh-config`.
+* Tue Jan 13 2026 Miguel Jacq <mig@mig5.net> - %{version}-%{release}
+- Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be s
+et, but it can be an 'alias' represented by the 'Host' value in the ssh config.
+* Sun Jan 11 2026 Miguel Jacq <mig@mig5.net> - %{version}-%{release}
+- Add interactive output when 'enroll diff --enforce' is invoking Ansible.
+* Sat Jan 10 2026 Miguel Jacq <mig@mig5.net> - %{version}-%{release}
+- Introduce `enroll validate` - a tool to validate a harvest against the state schema, or check for missing or orphaned obsolete artifacts in a harvest.
+- Attempt to generate Jinja2 templates of systemd unit files and Postfix main.cf (now that JinjaTurtle supports it)
+- Update pynacl dependency to resolve CVE-2025-69277
+- Add `--exclude-path` to `enroll diff` command, so that you can ignore certain churn from the diff (stuff you still wanted to harvest as a baseline but don't care if it changes day to day)
+- Add `--ignore-package-versions` to `enroll diff` command, to optionally ignore package upgrades (e.g due to patching) from the diff.
+- Add tags to the playbook for each role, to allow easier targeting of specific roles during play later.
+- Add `--enforce` mode to `enroll diff`. If there is diff detected between the two harvests, and it can enforce restoring the state from the older harvest, it will manifest the state and apply it with ansible.
+Only the specific roles that had diffed will be applied (via the new tags capability)
 * Mon Jan 05 2026 Miguel Jacq <mig@mig5.net> - %{version}-%{release}
 - Introduce `enroll explain` - a tool to analyze and explain what's in (or not in) a harvest and why.
 - Centralise the cron and logrotate stuff into their respective roles, we had a bit of duplication between roles based on harvest discovery.

tests.sh

@@ -25,11 +25,18 @@ poetry run \
 poetry run \
         enroll explain "${BUNDLE_DIR}" --format json | jq
 
+# Validate
+poetry run \
+	enroll validate --fail-on-warnings "${BUNDLE_DIR}"
+
 # Install/remove something, harvest again and diff the harvests
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cowsay
-
 poetry run \
 	enroll harvest --out "${BUNDLE_DIR}2"
+# Validate
+poetry run \
+	enroll validate --fail-on-warnings "${BUNDLE_DIR}2"
+# Diff
 poetry run \
 	enroll diff \
 	  --old "${BUNDLE_DIR}" \

tests/test_cli.py

@@ -607,7 +607,7 @@ def test_cli_diff_notifies_webhook_and_email_and_respects_exit_code(
 ):
     calls: dict[str, object] = {}
 
-    def fake_compare(old, new, sops_mode=False):
+    def fake_compare(old, new, sops_mode=False, **kwargs):
         calls["compare"] = (old, new, sops_mode)
         return {"dummy": True}, True
 
@@ -662,7 +662,7 @@ def test_cli_diff_notifies_webhook_and_email_and_respects_exit_code(
 
 
 def test_cli_diff_webhook_http_error_raises_system_exit(monkeypatch):
-    def fake_compare(old, new, sops_mode=False):
+    def fake_compare(old, new, sops_mode=False, **kwargs):
         return {"dummy": True}, True
 
     monkeypatch.setattr(cli, "compare_harvests", fake_compare)

tests/test_diff_ignore_versions_exclude_enforce.py

@@ -0,0 +1,400 @@
+from __future__ import annotations
+
+import json
+import sys
+import types
+from pathlib import Path
+
+import pytest
+
+
+def _write_bundle(
+    root: Path, state: dict, artifacts: dict[str, bytes] | None = None
+) -> None:
+    root.mkdir(parents=True, exist_ok=True)
+    (root / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8")
+    artifacts = artifacts or {}
+    for rel, data in artifacts.items():
+        p = root / rel
+        p.parent.mkdir(parents=True, exist_ok=True)
+        p.write_bytes(data)
+
+
+def _minimal_roles() -> dict:
+    """A small roles structure that's sufficient for enroll.diff file indexing."""
+    return {
+        "users": {
+            "role_name": "users",
+            "users": [],
+            "managed_files": [],
+            "excluded": [],
+            "notes": [],
+        },
+        "services": [],
+        "packages": [],
+        "apt_config": {
+            "role_name": "apt_config",
+            "managed_files": [],
+            "excluded": [],
+            "notes": [],
+        },
+        "etc_custom": {
+            "role_name": "etc_custom",
+            "managed_files": [],
+            "excluded": [],
+            "notes": [],
+        },
+        "usr_local_custom": {
+            "role_name": "usr_local_custom",
+            "managed_files": [],
+            "excluded": [],
+            "notes": [],
+        },
+        "extra_paths": {
+            "role_name": "extra_paths",
+            "include_patterns": [],
+            "exclude_patterns": [],
+            "managed_files": [],
+            "excluded": [],
+            "notes": [],
+        },
+    }
+
+
+def test_diff_ignore_package_versions_suppresses_version_drift(tmp_path: Path):
+    from enroll.diff import compare_harvests
+
+    old = tmp_path / "old"
+    new = tmp_path / "new"
+
+    old_state = {
+        "schema_version": 3,
+        "host": {"hostname": "h1"},
+        "inventory": {
+            "packages": {
+                "curl": {
+                    "version": "1.0",
+                    "installations": [{"version": "1.0", "arch": "amd64"}],
+                }
+            }
+        },
+        "roles": _minimal_roles(),
+    }
+    new_state = {
+        **old_state,
+        "inventory": {
+            "packages": {
+                "curl": {
+                    "version": "1.1",
+                    "installations": [{"version": "1.1", "arch": "amd64"}],
+                }
+            }
+        },
+    }
+
+    _write_bundle(old, old_state)
+    _write_bundle(new, new_state)
+
+    # Without ignore flag, version drift is reported and counts as changes.
+    report, has_changes = compare_harvests(str(old), str(new))
+    assert has_changes is True
+    assert report["packages"]["version_changed"]
+
+    # With ignore flag, version drift is suppressed and does not count as changes.
+    report2, has_changes2 = compare_harvests(
+        str(old), str(new), ignore_package_versions=True
+    )
+    assert has_changes2 is False
+    assert report2["packages"]["version_changed"] == []
+    assert report2["packages"]["version_changed_ignored_count"] == 1
+    assert report2["filters"]["ignore_package_versions"] is True
+
+
+def test_diff_exclude_path_filters_file_drift_and_affects_has_changes(tmp_path: Path):
+    from enroll.diff import compare_harvests
+
+    old = tmp_path / "old"
+    new = tmp_path / "new"
+
+    # Only file drift is under /var/anacron, which is excluded.
+    old_state = {
+        "schema_version": 3,
+        "host": {"hostname": "h1"},
+        "inventory": {"packages": {}},
+        "roles": {
+            **_minimal_roles(),
+            "extra_paths": {
+                **_minimal_roles()["extra_paths"],
+                "managed_files": [
+                    {
+                        "path": "/var/anacron/daily.stamp",
+                        "src_rel": "var/anacron/daily.stamp",
+                        "owner": "root",
+                        "group": "root",
+                        "mode": "0644",
+                        "reason": "extra_path",
+                    }
+                ],
+            },
+        },
+    }
+    new_state = json.loads(json.dumps(old_state))
+
+    _write_bundle(
+        old,
+        old_state,
+        {"artifacts/extra_paths/var/anacron/daily.stamp": b"yesterday\n"},
+    )
+    _write_bundle(
+        new,
+        new_state,
+        {"artifacts/extra_paths/var/anacron/daily.stamp": b"today\n"},
+    )
+
+    report, has_changes = compare_harvests(
+        str(old), str(new), exclude_paths=["/var/anacron"]
+    )
+    assert has_changes is False
+    assert report["files"]["changed"] == []
+    assert report["filters"]["exclude_paths"] == ["/var/anacron"]
+
+
+def test_diff_exclude_path_only_filters_files_not_packages(tmp_path: Path):
+    from enroll.diff import compare_harvests
+
+    old = tmp_path / "old"
+    new = tmp_path / "new"
+
+    old_state = {
+        "schema_version": 3,
+        "host": {"hostname": "h1"},
+        "inventory": {"packages": {"curl": {"version": "1.0"}}},
+        "roles": {
+            **_minimal_roles(),
+            "extra_paths": {
+                **_minimal_roles()["extra_paths"],
+                "managed_files": [
+                    {
+                        "path": "/var/anacron/daily.stamp",
+                        "src_rel": "var/anacron/daily.stamp",
+                        "owner": "root",
+                        "group": "root",
+                        "mode": "0644",
+                        "reason": "extra_path",
+                    }
+                ],
+            },
+        },
+    }
+    new_state = {
+        **old_state,
+        "inventory": {
+            "packages": {
+                "curl": {"version": "1.0"},
+                "htop": {"version": "3.0"},
+            }
+        },
+    }
+
+    _write_bundle(
+        old,
+        old_state,
+        {"artifacts/extra_paths/var/anacron/daily.stamp": b"yesterday\n"},
+    )
+    _write_bundle(
+        new,
+        new_state,
+        {
+            "artifacts/extra_paths/var/anacron/daily.stamp": b"today\n",
+        },
+    )
+
+    report, has_changes = compare_harvests(
+        str(old), str(new), exclude_paths=["/var/anacron"]
+    )
+    assert has_changes is True
+    # File drift is filtered, but package drift remains.
+    assert report["files"]["changed"] == []
+    assert report["packages"]["added"] == ["htop"]
+
+
+def test_enforce_old_harvest_requires_ansible_playbook(monkeypatch, tmp_path: Path):
+    import enroll.diff as d
+
+    monkeypatch.setattr(d.shutil, "which", lambda name: None)
+
+    old = tmp_path / "old"
+    _write_bundle(old, {"inventory": {"packages": {}}, "roles": _minimal_roles()})
+
+    with pytest.raises(RuntimeError, match="ansible-playbook not found"):
+        d.enforce_old_harvest(str(old))
+
+
+def test_enforce_old_harvest_runs_ansible_with_tags_from_file_drift(
+    monkeypatch, tmp_path: Path
+):
+    import enroll.diff as d
+    import enroll.manifest as mf
+
+    # Pretend ansible-playbook is installed.
+    monkeypatch.setattr(d.shutil, "which", lambda name: "/usr/bin/ansible-playbook")
+
+    calls: dict[str, object] = {}
+
+    # Stub manifest generation to only create playbook.yml (fast, no real roles needed).
+    def fake_manifest(_harvest_dir: str, out_dir: str, **_kwargs):
+        out = Path(out_dir)
+        (out / "playbook.yml").write_text(
+            "---\n- hosts: all\n  gather_facts: false\n  roles: []\n",
+            encoding="utf-8",
+        )
+
+    monkeypatch.setattr(mf, "manifest", fake_manifest)
+
+    def fake_run(
+        argv, cwd=None, env=None, capture_output=False, text=False, check=False
+    ):
+        calls["argv"] = list(argv)
+        calls["cwd"] = cwd
+        return types.SimpleNamespace(returncode=0, stdout="ok", stderr="")
+
+    monkeypatch.setattr(d.subprocess, "run", fake_run)
+
+    old = tmp_path / "old"
+    old_state = {
+        "schema_version": 3,
+        "host": {"hostname": "h1"},
+        "inventory": {"packages": {}},
+        "roles": {
+            **_minimal_roles(),
+            "usr_local_custom": {
+                **_minimal_roles()["usr_local_custom"],
+                "managed_files": [
+                    {
+                        "path": "/etc/myapp.conf",
+                        "src_rel": "etc/myapp.conf",
+                        "owner": "root",
+                        "group": "root",
+                        "mode": "0644",
+                        "reason": "custom",
+                    }
+                ],
+            },
+        },
+    }
+    _write_bundle(old, old_state)
+
+    # Minimal report containing enforceable drift: a baseline file is "removed".
+    report = {
+        "packages": {"added": [], "removed": [], "version_changed": []},
+        "services": {"enabled_added": [], "enabled_removed": [], "changed": []},
+        "users": {"added": [], "removed": [], "changed": []},
+        "files": {
+            "added": [],
+            "removed": [{"path": "/etc/myapp.conf", "role": "usr_local_custom"}],
+            "changed": [],
+        },
+    }
+
+    info = d.enforce_old_harvest(str(old), report=report)
+    assert info["status"] == "applied"
+    assert "--tags" in info["command"]
+    assert "role_usr_local_custom" in ",".join(info.get("tags") or [])
+
+    argv = calls.get("argv")
+    assert argv and argv[0].endswith("ansible-playbook")
+    assert "--tags" in argv
+    # Ensure we pass the computed tag.
+    i = argv.index("--tags")
+    assert "role_usr_local_custom" in str(argv[i + 1])
+
+
+def test_cli_diff_forwards_exclude_and_ignore_flags(monkeypatch, capsys):
+    import enroll.cli as cli
+
+    calls: dict[str, object] = {}
+
+    def fake_compare(
+        old, new, *, sops_mode=False, exclude_paths=None, ignore_package_versions=False
+    ):
+        calls["compare"] = {
+            "old": old,
+            "new": new,
+            "sops_mode": sops_mode,
+            "exclude_paths": exclude_paths,
+            "ignore_package_versions": ignore_package_versions,
+        }
+        # No changes -> should not try to enforce.
+        return {"packages": {}, "services": {}, "users": {}, "files": {}}, False
+
+    monkeypatch.setattr(cli, "compare_harvests", fake_compare)
+    monkeypatch.setattr(cli, "format_report", lambda report, fmt="text": "R\n")
+    monkeypatch.setattr(
+        sys,
+        "argv",
+        [
+            "enroll",
+            "diff",
+            "--old",
+            "/tmp/old",
+            "--new",
+            "/tmp/new",
+            "--exclude-path",
+            "/var/anacron",
+            "--ignore-package-versions",
+        ],
+    )
+
+    cli.main()
+    _ = capsys.readouterr()
+    assert calls["compare"]["exclude_paths"] == ["/var/anacron"]
+    assert calls["compare"]["ignore_package_versions"] is True
+
+
+def test_cli_diff_enforce_skips_when_no_enforceable_drift(monkeypatch):
+    import enroll.cli as cli
+
+    # Drift exists, but is not enforceable (only additions / version changes).
+    report = {
+        "packages": {"added": ["htop"], "removed": [], "version_changed": []},
+        "services": {
+            "enabled_added": ["x.service"],
+            "enabled_removed": [],
+            "changed": [],
+        },
+        "users": {"added": ["bob"], "removed": [], "changed": []},
+        "files": {"added": [{"path": "/tmp/new"}], "removed": [], "changed": []},
+    }
+
+    monkeypatch.setattr(cli, "compare_harvests", lambda *a, **k: (report, True))
+    monkeypatch.setattr(cli, "has_enforceable_drift", lambda r: False)
+    called = {"enforce": False}
+    monkeypatch.setattr(
+        cli, "enforce_old_harvest", lambda *a, **k: called.update({"enforce": True})
+    )
+
+    captured = {}
+
+    def fake_format(rep, fmt="text"):
+        captured["report"] = rep
+        return "R\n"
+
+    monkeypatch.setattr(cli, "format_report", fake_format)
+
+    monkeypatch.setattr(
+        sys,
+        "argv",
+        [
+            "enroll",
+            "diff",
+            "--old",
+            "/tmp/old",
+            "--new",
+            "/tmp/new",
+            "--enforce",
+        ],
+    )
+
+    cli.main()
+    assert called["enforce"] is False
+    assert captured["report"]["enforcement"]["status"] == "skipped"

tests/test_ignore.py

@@ -8,21 +8,3 @@ def test_ignore_policy_denies_common_backup_files():
     assert pol.deny_reason("/etc/group-") == "backup_file"
     assert pol.deny_reason("/etc/something~") == "backup_file"
     assert pol.deny_reason("/foobar") == "unreadable"
-
-
-def test_ignore_policy_deny_reason_link(tmp_path):
-    pol = IgnorePolicy()
-
-    target = tmp_path / "target.txt"
-    target.write_text("hello", encoding="utf-8")
-    link = tmp_path / "link.txt"
-    link.symlink_to(target)
-
-    # File is not a symlink.
-    assert pol.deny_reason_link(str(target)) == "not_symlink"
-
-    # Symlink is accepted if readable.
-    assert pol.deny_reason_link(str(link)) is None
-
-    # Missing path should be unreadable.
-    assert pol.deny_reason_link(str(tmp_path / "missing")) == "unreadable"

tests/test_manifest.py

@@ -206,11 +206,11 @@ def test_manifest_writes_roles_and_playbook_with_clean_when(tmp_path: Path):
 
     # Playbook should include users, etc_custom, packages, and services
     pb = (out / "playbook.yml").read_text(encoding="utf-8")
-    assert "- users" in pb
-    assert "- etc_custom" in pb
-    assert "- usr_local_custom" in pb
-    assert "- curl" in pb
-    assert "- foo" in pb
+    assert "role: users" in pb
+    assert "role: etc_custom" in pb
+    assert "role: usr_local_custom" in pb
+    assert "role: curl" in pb
+    assert "role: foo" in pb
 
 
 def test_manifest_site_mode_creates_host_inventory_and_raw_files(tmp_path: Path):
@@ -490,7 +490,7 @@ def test_manifest_includes_dnf_config_role_when_present(tmp_path: Path):
     manifest.manifest(str(bundle), str(out))
 
     pb = (out / "playbook.yml").read_text(encoding="utf-8")
-    assert "- dnf_config" in pb
+    assert "role: dnf_config" in pb
 
     tasks = (out / "roles" / "dnf_config" / "tasks" / "main.yml").read_text(
         encoding="utf-8"
@@ -632,9 +632,9 @@ def test_manifest_orders_cron_and_logrotate_at_playbook_tail(tmp_path: Path):
     ]
 
     # Ensure tail ordering.
-    assert roles[-2:] == ["cron", "logrotate"]
-    assert "users" in roles
-    assert roles.index("users") < roles.index("cron")
+    assert roles[-2:] == ["role: cron", "role: logrotate"]
+    assert "role: users" in roles
+    assert roles.index("role: users") < roles.index("role: cron")
 
 
 def test_yaml_helpers_fallback_when_yaml_unavailable(monkeypatch):

tests/test_validate.py

@@ -0,0 +1,182 @@
+from __future__ import annotations
+
+import json
+import sys
+from pathlib import Path
+
+import pytest
+
+import enroll.cli as cli
+from enroll.validate import validate_harvest
+
+
+def _base_state() -> dict:
+    return {
+        "enroll": {"version": "0.0.test", "harvest_time": 0},
+        "host": {
+            "hostname": "testhost",
+            "os": "unknown",
+            "pkg_backend": "dpkg",
+            "os_release": {},
+        },
+        "inventory": {"packages": {}},
+        "roles": {
+            "users": {
+                "role_name": "users",
+                "users": [],
+                "managed_dirs": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "services": [],
+            "packages": [],
+            "apt_config": {
+                "role_name": "apt_config",
+                "managed_dirs": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "dnf_config": {
+                "role_name": "dnf_config",
+                "managed_dirs": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "etc_custom": {
+                "role_name": "etc_custom",
+                "managed_dirs": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "usr_local_custom": {
+                "role_name": "usr_local_custom",
+                "managed_dirs": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "extra_paths": {
+                "role_name": "extra_paths",
+                "include_patterns": [],
+                "exclude_patterns": [],
+                "managed_dirs": [],
+                "managed_files": [],
+                "managed_links": [],
+                "excluded": [],
+                "notes": [],
+            },
+        },
+    }
+
+
+def _write_bundle(tmp_path: Path, state: dict) -> Path:
+    bundle = tmp_path / "bundle"
+    bundle.mkdir(parents=True)
+    (bundle / "artifacts").mkdir()
+    (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8")
+    return bundle
+
+
+def test_validate_ok_bundle(tmp_path: Path):
+    state = _base_state()
+    state["roles"]["etc_custom"]["managed_files"].append(
+        {
+            "path": "/etc/hosts",
+            "src_rel": "etc/hosts",
+            "owner": "root",
+            "group": "root",
+            "mode": "0644",
+            "reason": "custom_specific_path",
+        }
+    )
+
+    bundle = _write_bundle(tmp_path, state)
+    art = bundle / "artifacts" / "etc_custom" / "etc" / "hosts"
+    art.parent.mkdir(parents=True, exist_ok=True)
+    art.write_text("127.0.0.1 localhost\n", encoding="utf-8")
+
+    res = validate_harvest(str(bundle))
+    assert res.ok
+    assert res.errors == []
+
+
+def test_validate_missing_artifact_is_error(tmp_path: Path):
+    state = _base_state()
+    state["roles"]["etc_custom"]["managed_files"].append(
+        {
+            "path": "/etc/hosts",
+            "src_rel": "etc/hosts",
+            "owner": "root",
+            "group": "root",
+            "mode": "0644",
+            "reason": "custom_specific_path",
+        }
+    )
+    bundle = _write_bundle(tmp_path, state)
+    res = validate_harvest(str(bundle))
+    assert not res.ok
+    assert any("missing artifact" in e for e in res.errors)
+
+
+def test_validate_schema_error_is_reported(tmp_path: Path):
+    state = _base_state()
+    state["host"]["os"] = "not_a_real_os"
+    bundle = _write_bundle(tmp_path, state)
+    res = validate_harvest(str(bundle))
+    assert not res.ok
+    assert any(e.startswith("schema /host/os") for e in res.errors)
+
+
+def test_cli_validate_exits_1_on_validation_error(monkeypatch, tmp_path: Path):
+    state = _base_state()
+    state["roles"]["etc_custom"]["managed_files"].append(
+        {
+            "path": "/etc/hosts",
+            "src_rel": "etc/hosts",
+            "owner": "root",
+            "group": "root",
+            "mode": "0644",
+            "reason": "custom_specific_path",
+        }
+    )
+    bundle = _write_bundle(tmp_path, state)
+
+    monkeypatch.setattr(sys, "argv", ["enroll", "validate", str(bundle)])
+    with pytest.raises(SystemExit) as e:
+        cli.main()
+    assert e.value.code == 1
+
+
+def test_cli_validate_exits_1_on_validation_warning_with_flag(
+    monkeypatch, tmp_path: Path
+):
+    state = _base_state()
+    state["roles"]["etc_custom"]["managed_files"].append(
+        {
+            "path": "/etc/hosts",
+            "src_rel": "etc/hosts",
+            "owner": "root",
+            "group": "root",
+            "mode": "0644",
+            "reason": "custom_specific_path",
+        }
+    )
+
+    bundle = _write_bundle(tmp_path, state)
+    art = bundle / "artifacts" / "etc_custom" / "etc" / "hosts"
+    art.parent.mkdir(parents=True, exist_ok=True)
+    art.write_text("127.0.0.1 localhost\n", encoding="utf-8")
+
+    art2 = bundle / "artifacts" / "etc_custom" / "etc" / "hosts2"
+    art2.write_text("hello\n", encoding="utf-8")
+
+    monkeypatch.setattr(
+        sys, "argv", ["enroll", "validate", str(bundle), "--fail-on-warnings"]
+    )
+    with pytest.raises(SystemExit) as e:
+        cli.main()
+    assert e.value.code == 1