This fixes an issue where check_vars() would add machine keys or authorize machines for shared vars.
These write operations should only ever be done on a `clan vars generate`, which `clan vars check` should be a read-only operation
This now gives a clearer error than:
```
Traceback (most recent call last):
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/bin/.clan-wrapped", line 9, in <module>
sys.exit(main())
~~~~^^
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/cli.py", line 516, in main
args.func(args)
~~~~~~~~~^^^^^^
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/check.py", line 113, in check_command
ok = check_vars(args.machine, args.flake, generator_name=args.generator)
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/check.py", line 103, in check_vars
status = vars_status(machine_name, flake, generator_name=generator_name)
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/check.py", line 41, in vars_status
generators = Generator.generators_from_flake(machine.name, machine.flake)
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/generate.py", line 67, in generators_from_flake
generators_data = flake.select_machine(
^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'select_machine'
```
When not being in a flake.
Stores now get machine context from generator objects instead of storing
it internally. This enables future machine-independent generators and
reduces coupling.
- StoreBase.__init__ only takes flake parameter
- Store methods receive machine as explicit parameter
- Fixed all callers to pass machine context
- Change Generator class to store machine name as string instead of Machine reference
- Update Generator.generators_from_flake() to only require machine name and flake
- Refactor check_vars() to accept machine name and flake instead of Machine object
- Create Machine instances only when needed for specific operations
This continues the effort to reduce dependencies on the Machine class,
making the codebase more modular and easier to refactor.
Replace all calls to machine.vars_generators() with direct calls to
Generator.generators_from_flake() to make the dependency more explicit
and remove unnecessary indirection.
This reduces coupling to the Machine class, making the codebase more
modular and easier to refactor in the future.
This adds options `invalidationData` to generators.
`invalidationData` can be used by an author of a generator to signal if a re-generation is required after updating the logic.
Whenever a generator with invalidation data is executed, a hash of that data is stored by the respective public and/or secret backends.
The stored hashes will be checked on future deployments, and a re-generation is triggered whenever a hash doesn't match what's defined in nix.
When the users of a secret change, when for example a new admin user is added, an error will be thrown when generating vars, prompting the user to pass --fix to re-encrypt the secrets
