refactor(compile): make AwfMount.mode non-optional

Always store an explicit AwfMountMode instead of Option<AwfMountMode>.
Parsing 'host:container' without a mode suffix now defaults to ReadOnly
(secure default). Display/Serialize always emit the mode suffix so
generated AWF flags are self-documenting.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

src/compile/extensions/mod.rs

@@ -365,18 +365,18 @@ pub struct AwfMount {
     pub host_path: String,
     /// Corresponding path inside the container.
     pub container_path: String,
-    /// Optional mount access mode. When absent the Docker default applies
-    /// (read-write).
-    pub mode: Option<AwfMountMode>,
+    /// Mount access mode. Defaults to [`AwfMountMode::ReadOnly`] when not
+    /// specified in the input — the secure default for AWF chroot mounts.
+    pub mode: AwfMountMode,
 }
 
 impl AwfMount {
     /// Creates an `AwfMount` with the given host path, container path, and
-    /// optional access mode.
+    /// access mode.
     pub fn new(
         host_path: impl Into<String>,
         container_path: impl Into<String>,
-        mode: Option<AwfMountMode>,
+        mode: AwfMountMode,
     ) -> Self {
         Self {
             host_path: host_path.into(),
@@ -388,11 +388,7 @@ impl AwfMount {
 
 impl fmt::Display for AwfMount {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(mode) = &self.mode {
-            write!(f, "{}:{}:{}", self.host_path, self.container_path, mode)
-        } else {
-            write!(f, "{}:{}", self.host_path, self.container_path)
-        }
+        write!(f, "{}:{}:{}", self.host_path, self.container_path, self.mode)
     }
 }
 
@@ -405,12 +401,12 @@ impl FromStr for AwfMount {
             [host, container] => Ok(Self {
                 host_path: (*host).to_string(),
                 container_path: (*container).to_string(),
-                mode: None,
+                mode: AwfMountMode::ReadOnly,
             }),
             [host, container, mode_str] => Ok(Self {
                 host_path: (*host).to_string(),
                 container_path: (*container).to_string(),
-                mode: Some(mode_str.parse()?),
+                mode: mode_str.parse()?,
             }),
             _ => anyhow::bail!(
                 "Invalid AWF mount spec '{}': expected 'host:container[:mode]'",

src/compile/extensions/tests.rs

@@ -29,36 +29,36 @@ fn test_awf_mount_mode_parse() {
 
 #[test]
 fn test_awf_mount_display_with_mode() {
-    let m = AwfMount::new("$HOME/.elan", "$HOME/.elan", Some(AwfMountMode::ReadOnly));
+    let m = AwfMount::new("$HOME/.elan", "$HOME/.elan", AwfMountMode::ReadOnly);
     assert_eq!(m.to_string(), "$HOME/.elan:$HOME/.elan:ro");
 }
 
 #[test]
 fn test_awf_mount_display_no_mode() {
-    let m = AwfMount::new("/tmp/foo", "/tmp/foo", None);
-    assert_eq!(m.to_string(), "/tmp/foo:/tmp/foo");
+    let m = AwfMount::new("/tmp/foo", "/tmp/foo", AwfMountMode::ReadOnly);
+    assert_eq!(m.to_string(), "/tmp/foo:/tmp/foo:ro");
 }
 
 #[test]
 fn test_awf_mount_parse_with_mode() {
     let m: AwfMount = "$HOME/.elan:$HOME/.elan:ro".parse().unwrap();
     assert_eq!(m.host_path, "$HOME/.elan");
     assert_eq!(m.container_path, "$HOME/.elan");
-    assert_eq!(m.mode, Some(AwfMountMode::ReadOnly));
+    assert_eq!(m.mode, AwfMountMode::ReadOnly);
 }
 
 #[test]
 fn test_awf_mount_parse_rw_mode() {
     let m: AwfMount = "/tmp/work:/tmp/work:rw".parse().unwrap();
-    assert_eq!(m.mode, Some(AwfMountMode::ReadWrite));
+    assert_eq!(m.mode, AwfMountMode::ReadWrite);
 }
 
 #[test]
 fn test_awf_mount_parse_no_mode() {
     let m: AwfMount = "/tmp/foo:/tmp/foo".parse().unwrap();
     assert_eq!(m.host_path, "/tmp/foo");
     assert_eq!(m.container_path, "/tmp/foo");
-    assert!(m.mode.is_none());
+    assert_eq!(m.mode, AwfMountMode::ReadOnly);
 }
 
 #[test]
@@ -69,7 +69,7 @@ fn test_awf_mount_parse_invalid_mode_errors() {
 
 #[test]
 fn test_awf_mount_serde_roundtrip() {
-    let m = AwfMount::new("$HOME/.elan", "$HOME/.elan", Some(AwfMountMode::ReadOnly));
+    let m = AwfMount::new("$HOME/.elan", "$HOME/.elan", AwfMountMode::ReadOnly);
     let json = serde_json::to_string(&m).unwrap();
     assert_eq!(json, r#""$HOME/.elan:$HOME/.elan:ro""#);
     let parsed: AwfMount = serde_json::from_str(&json).unwrap();
@@ -212,7 +212,7 @@ fn test_lean_required_awf_mounts() {
     assert_eq!(mounts.len(), 1);
     assert_eq!(mounts[0].host_path, "$HOME/.elan");
     assert_eq!(mounts[0].container_path, "$HOME/.elan");
-    assert_eq!(mounts[0].mode, Some(AwfMountMode::ReadOnly));
+    assert_eq!(mounts[0].mode, AwfMountMode::ReadOnly);
     // Round-trips to Docker format string
     assert_eq!(mounts[0].to_string(), "$HOME/.elan:$HOME/.elan:ro");
 }

src/runtimes/lean/extension.rs

@@ -57,7 +57,7 @@ the toolchain. Lean files use the `.lean` extension.\n"
     }
 
     fn required_awf_mounts(&self) -> Vec<AwfMount> {
-        vec![AwfMount::new("$HOME/.elan", "$HOME/.elan", Some(AwfMountMode::ReadOnly))]
+        vec![AwfMount::new("$HOME/.elan", "$HOME/.elan", AwfMountMode::ReadOnly)]
     }
 
     fn validate(&self, ctx: &CompileContext) -> Result<Vec<String>> {