restricted_paths: add typed check primitives

Summary:
## This stack
This stack completes the second half of the restricted_paths AclManifest migration after the shadow comparison logging stack. The end result is that restricted_paths no longer relies on legacy construction flags or source-specific call paths: AclManifestMode owns source selection, config and AclManifest fetches are planned explicitly, the fetch results are shared between logging, enforcement, and metadata, and the public callers adapt to the final manifest-aware shape at the API boundary.

Visual flow: https://pxl.cl/9GjpF

Before this stack:
- Behavior was split across the old use_acl_manifest construction state, config-shaped metadata APIs, conditional_enforcement_acls, duplicated source fetches, and unimplemented AclManifest enforcement modes.
- Logging and enforcement could ask for overlapping source data independently, and Mononoke API/HG, SCS, and SLAPI still had to bridge around the incomplete manifest restriction shape.

After this stack:
- Construction and source planning are mode-driven. Disabled, Shadow, Both, and Authoritative modes choose the sources they need;
- Config and AclManifest fetches can be killed switched independently by rollout knobs;
- Shared typed fetch handles feed both comparison logging and enforcement;
- Conditional enforcement uses `enforcement_condition_sets`
- `AclManifestMode::Both` mode denies if either source denies;
- Authoritative-source errors are surfaced when the authoritative source cannot answer;
- Metadata lookup unions config and AclManifest results in Both mode.

This makes the codebase better because
- Source (config vs acl_manifest) choice is centralized,
- Fetch work is not duplicated
- Rollout controls are easier to reason about
- Restriction check results are typed instead of copied into loosely shaped structs, and API-specific adaptation happens at the edge instead of leaking through the restricted_paths internals.
- **The stack also stays reviewable by putting no-op setup and tests before behavior changes**

Remaining follow-ups after this stack are
- Schematized Scuba source/error parity
- The Eden API vector response shape tracked by TODO(T248658346)
- Reviewing the both-sources-disabled fail-open behavior also tracked by TODO(T248658346)
- Deleting rollout-only fallback paths after AclManifest enforcement is proven.

## This diff (new functionality)
Adds typed restriction-check primitives in `restricted_paths` so callers can get restriction info paired with an authorization decision without re-parsing ACLs or running raw permission checks themselves. The new path and manifest check result types compose the existing restriction-info structs with an internal authorization result and expose only the final authorization decision publicly. The legacy result move and authorization getter refactor are handled by the two no-op parent diffs.

Reviewed By: lmvasquezg

Differential Revision: D103696888

fbshipit-source-id: 5b50bcd1d7923ea03c272bd50af43bb0885f2432

Author: gustavoavena

eden/mononoke/repo_attributes/restricted_paths/src/lib.rs

@@ -40,6 +40,8 @@ pub use crate::access_log::ACCESS_LOG_SCUBA_TABLE;
 pub use crate::access_log::has_read_access_to_repo_region_acls;
 use crate::access_log::is_member_of_groups;
 use crate::access_log::log_access_to_restricted_path;
+pub use crate::restriction_check::ManifestRestrictionCheckResult;
+pub use crate::restriction_check::PathRestrictionCheckResult;
 pub use crate::restriction_check::RestrictionCheckResult;
 pub use crate::restriction_info::ManifestRestrictionInfo;
 pub use crate::restriction_info::PathRestrictionInfo;
@@ -161,15 +163,15 @@ impl RestrictedPaths {
     // Public restriction lookup methods
     // -----------------------------------------------------------------------
 
-    /// Get exact path restriction info for one or more paths.
-    /// Does NOT consider parent directories — only exact matches.
-    pub async fn get_exact_path_restriction(
+    /// Get restriction info for paths that are themselves restriction roots.
+    /// Does NOT consider parent directories.
+    pub async fn get_path_restriction_root_info(
         &self,
         ctx: &CoreContext,
         cs_id: Option<ChangesetId>,
         paths: &[NonRootMPath],
     ) -> Result<Vec<PathRestrictionInfo>> {
-        restriction_info::get_exact_path_restriction(self, ctx, cs_id, paths).await
+        restriction_info::get_path_restriction_root_info(self, ctx, cs_id, paths).await
     }
 
     /// Get restriction info for one or more paths, considering ancestor restrictions.
@@ -183,6 +185,45 @@ impl RestrictedPaths {
         restriction_info::get_path_restriction_info(self, ctx, cs_id, paths).await
     }
 
+    /// Get restriction and authorization checks for paths that are themselves restriction roots.
+    /// Does NOT consider parent directories.
+    pub async fn get_path_restriction_root_check(
+        &self,
+        ctx: &CoreContext,
+        cs_id: Option<ChangesetId>,
+        paths: &[NonRootMPath],
+    ) -> Result<Vec<PathRestrictionCheckResult>> {
+        restriction_check::get_path_restriction_root_check(self, ctx, cs_id, paths).await
+    }
+
+    /// Get restriction and authorization checks for one or more paths,
+    /// considering ancestor restrictions.
+    pub async fn get_path_restriction_check(
+        &self,
+        ctx: &CoreContext,
+        cs_id: Option<ChangesetId>,
+        paths: &[NonRootMPath],
+    ) -> Result<Vec<PathRestrictionCheckResult>> {
+        restriction_check::get_path_restriction_check(self, ctx, cs_id, paths).await
+    }
+
+    /// Get manifest restriction and authorization checks from the config-backed source.
+    pub async fn get_manifest_restriction_check(
+        &self,
+        ctx: &CoreContext,
+        manifest_id: &ManifestId,
+        manifest_type: &ManifestType,
+    ) -> Result<Vec<ManifestRestrictionCheckResult>> {
+        restriction_check::get_manifest_restriction_check(
+            self,
+            ctx,
+            manifest_id,
+            manifest_type,
+            restriction_check::ManifestRestrictionSource::Config,
+        )
+        .await
+    }
+
     /// Check if a path is itself a restriction root (exact match).
     /// Returns false for paths that are merely under a restriction root.
     pub async fn is_restriction_root(
@@ -647,7 +688,7 @@ mod tests {
         let test_path = NonRootMPath::new("test/path")?;
         assert!(
             repo_restricted_paths
-                .get_exact_path_restriction(&ctx, Some(cs_id), &[test_path])
+                .get_path_restriction_root_info(&ctx, Some(cs_id), &[test_path])
                 .await?
                 .is_empty()
         );
@@ -715,7 +756,7 @@ mod tests {
         // Test exact match
         let exact_path = NonRootMPath::new("restricted/dir")?;
         let results = repo_restricted_paths
-            .get_exact_path_restriction(&ctx, Some(cs_id), &[exact_path])
+            .get_path_restriction_root_info(&ctx, Some(cs_id), &[exact_path])
             .await?;
         assert_eq!(results.len(), 1);
         assert_eq!(results[0].repo_region_acl, restricted_acl.to_string());
@@ -724,7 +765,7 @@ mod tests {
         let sub_path = NonRootMPath::new("restricted/dir/subdir/file.txt")?;
         assert!(
             repo_restricted_paths
-                .get_exact_path_restriction(&ctx, Some(cs_id), &[sub_path])
+                .get_path_restriction_root_info(&ctx, Some(cs_id), &[sub_path])
                 .await?
                 .is_empty()
         );
@@ -733,7 +774,7 @@ mod tests {
         let other_path = NonRootMPath::new("other/dir/file.txt")?;
         assert!(
             repo_restricted_paths
-                .get_exact_path_restriction(&ctx, Some(cs_id), &[other_path])
+                .get_path_restriction_root_info(&ctx, Some(cs_id), &[other_path])
                 .await?
                 .is_empty()
         );
@@ -742,7 +783,7 @@ mod tests {
         let partial_path = NonRootMPath::new("restricted/different")?;
         assert!(
             repo_restricted_paths
-                .get_exact_path_restriction(&ctx, Some(cs_id), &[partial_path])
+                .get_path_restriction_root_info(&ctx, Some(cs_id), &[partial_path])
                 .await?
                 .is_empty()
         );
@@ -751,7 +792,7 @@ mod tests {
         let partial_path = NonRootMPath::new("restricted/di")?;
         assert!(
             repo_restricted_paths
-                .get_exact_path_restriction(&ctx, Some(cs_id), &[partial_path])
+                .get_path_restriction_root_info(&ctx, Some(cs_id), &[partial_path])
                 .await?
                 .is_empty()
         );