- Atomic state writes (tempfile + os.replace) so a crash mid-write cannot
corrupt linked.json.
- Managed-symlink guards in FileSystem.create_symlink and the new
remove_symlink: refuse to overwrite or delete a path unless it is
absent or already a symlink pointing to the expected source. Stops
silent user-file deletion in the plan/apply race window.
- plan_link adopts orphan symlinks whose readlink already matches the
desired source, so a partial-apply failure can be recovered by rerun.
- _load_state warns loudly on each stale entry it drops, and status()
no longer rewrites linked.json as a side effect of read.
- _apply_plan dispatches exhaustively; unknown LinkOp types raise.
- Remove _checkout_module_ref early-return for branch == "main" -- it
assumed the remote default was main, breaking master-default repos.
Always run the explicit checkout (idempotent).
- Warn when a module's cache_dir is absent during link, suggesting
flow dotfiles repos pull.
- LinkOp.type and ModuleRef.ref_type tightened to Literal[...]; dead
"create_dir" enum value removed from the model.
Tests: +29 covering atomic writes, overwrite guards, remove_symlink
semantics, orphan adoption (match/mismatch), partial-failure rerun,
status read-only, branch/tag/commit checkout argv, uncloned-module
warning, stale-state warnings.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
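
Added example, not code from this commit or its project: a Python illustration of the managed-symlink guard and the tempfile + os.replace state write described in the message above. The function names and the UnmanagedPathError exception are hypothetical, and POSIX symlink semantics are assumed.

```python
import json
import os
import tempfile
from pathlib import Path

# Hypothetical helper names for illustration; not the project's FileSystem API.

class UnmanagedPathError(Exception):
    """Target exists but is not a symlink to the expected source."""


def _is_managed(target: Path, source: Path) -> bool:
    # Never follow the link: compare its literal readlink value to the source.
    return target.is_symlink() and os.readlink(target) == str(source)


def guarded_create_symlink(source: Path, target: Path) -> str:
    """Create target -> source; returns 'created' or 'adopted'."""
    if _is_managed(target, source):
        return "adopted"  # orphan link left by an earlier partial apply
    try:
        os.symlink(source, target)  # fails if anything already exists at target
    except FileExistsError:
        raise UnmanagedPathError(f"refusing to overwrite {target}") from None
    return "created"


def guarded_remove_symlink(source: Path, target: Path) -> str:
    """Remove target only if it is our symlink; returns 'removed' or 'absent'."""
    if not os.path.lexists(target):
        return "absent"
    if not _is_managed(target, source):
        raise UnmanagedPathError(f"refusing to delete {target}")
    target.unlink()  # unlink removes the link itself, never the source file
    return "removed"


def atomic_write_json(path: Path, data: dict) -> None:
    """Write to a temp file in the same directory, fsync, then os.replace."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(data, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename on the same filesystem
    except BaseException:
        os.unlink(tmp)  # leave no partial temp file behind
        raise
```

Because os.symlink never replaces an existing entry, a file that appears at the target between plan and apply causes a refusal instead of being overwritten.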