fix: three backlog items from v0.4.0 session hand-off

#1  cron scanner default-off
    `is_scanner_enabled` now defaults to false for "cron" — it reads
    `crontab -l` (host-state, not repo-state) and produced spurious
    cron_job resources on CI runners that have their own crontab.
    Opt back in with `scan { scanners { cron = true } }`.

#2  composit init refuses to overwrite without --force
    run_init now errors with a clear message when Compositfile already
    exists. Pass --force to overwrite; a timestamped .backup file is
    written first. Removes the interactive y/N prompt that blocked
    non-interactive (agent) callers.

#3  resolution_disabled info is silenceable via resolvable = []
    `scan.resolvable` is now Option<Vec<String>>: None = absent (diff
    still emits the info), Some([]) = explicit opt-out (diff stays
    silent), Some([...]) = resolution enabled. Repos that deliberately
    don't commit .env files can set `resolvable = []` once and never
    see the noise again.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 7schmiede

src/cli.rs

@@ -60,6 +60,10 @@ pub enum Commands {
         /// Generate a minimal template without running a scan
         #[arg(long)]
         minimal: bool,
+
+        /// Overwrite an existing Compositfile (writes a timestamped .backup first)
+        #[arg(long)]
+        force: bool,
     },
     /// Compare Compositfile governance against scan report
     Diff {

src/commands/diff.rs

@@ -8,7 +8,7 @@ use serde::{Deserialize, Serialize};
 
 use crate::cli::DiffOutputFormat;
 use crate::core::compositfile::parse_compositfile;
-use crate::core::governance::{Governance, Predicate, ProviderRule, Role};
+use crate::core::governance::{Governance, Predicate, ProviderRule, Role, ScanSettings};
 use crate::core::types::{AuthMode, Provider, Report, Resource, ScanMode};
 
 // ─────────────────────────────────────────────────────────
@@ -142,7 +142,7 @@ pub fn compute_diff_opts(
         check_providers(governance, report, offline),
         check_budgets(governance, report),
         check_resources(governance, report),
-        check_resolution(report),
+        check_resolution(report, &governance.scan),
         check_policies(governance, base_dir, report),
     ];
 
@@ -762,12 +762,14 @@ fn check_resources(governance: &Governance, report: &Report) -> ViolationCategor
 }
 
 /// Surface RFC 006 resolution artefacts as diff signals. Emits:
-/// - `resolution_disabled` (Info) once, when the report carries no
-///   resolution metadata but scanners found `${VAR}` references that
-///   could benefit from it. Points the operator at `scan.resolvable`.
-/// - `unresolved_variable` (Info) per variable that couldn't be filled
-///   in by the resolver.
-fn check_resolution(report: &Report) -> ViolationCategory {
+/// - `resolution_disabled` (Info) once, when the report carries no resolution
+///   metadata, `${VAR}` references were found, AND the Compositfile has no
+///   `scan { resolvable = [...] }` block (i.e. `scan.resolvable` is `None`).
+///   Silenced when `resolvable = []` is declared explicitly — that signals a
+///   deliberate opt-out.
+/// - `unresolved_variable` (Info) per variable that couldn't be filled in by
+///   the resolver.
+fn check_resolution(report: &Report, scan: &ScanSettings) -> ViolationCategory {
     let mut violations = Vec::new();
     let mut passed = 0;
 
@@ -787,7 +789,9 @@ fn check_resolution(report: &Report) -> ViolationCategory {
 
     match &report.resolution {
         None => {
-            if has_templated {
+            // Only nag when resolvable is absent entirely — `resolvable = []`
+            // means the operator deliberately opted out and wants silence.
+            if has_templated && scan.resolvable.is_none() {
                 violations.push(Violation {
                     severity: Severity::Info,
                     rule: "resolution_disabled".to_string(),
@@ -798,7 +802,8 @@ fn check_resolution(report: &Report) -> ViolationCategory {
                          block when env files are detected — uncomment it to enable RFC 006 \
                          variable substitution. If your Compositfile is hand-written, add the \
                          block at the top of the workspace block. Default redaction applies to \
-                         *_KEY, *_SECRET, *_TOKEN, *_PASSWORD."
+                         *_KEY, *_SECRET, *_TOKEN, *_PASSWORD. \
+                         To silence this diagnostic permanently, set `scan { resolvable = [] }`."
                             .to_string(),
                     ),
                     expected: Some("resolvable = [\".env\"]".to_string()),
@@ -2895,6 +2900,23 @@ mod tests {
         );
     }
 
+    #[test]
+    fn resolution_disabled_silenced_when_resolvable_explicitly_empty() {
+        // `scan { resolvable = [] }` means "I know, I deliberately opted out".
+        // The info must not fire even when ${VAR} refs are present.
+        let report = report_with_templated_image();
+        let mut gov = make_governance(vec![], "500 EUR");
+        gov.scan.resolvable = Some(vec![]); // explicit opt-out
+        let diff = compute_diff(&gov, &report, Path::new("."));
+        let cat = find_category(&diff, "resolution");
+        assert!(
+            cat.violations
+                .iter()
+                .all(|v| v.rule != "resolution_disabled"),
+            "resolution_disabled must be silent when resolvable = [] (explicit opt-out)"
+        );
+    }
+
     #[test]
     fn resolution_unresolved_variable_surfaces_per_variable() {
         use crate::core::scanner::{ResolutionInfo, UnresolvedVariable};

src/commands/init.rs

@@ -1,7 +1,7 @@
 use std::collections::{BTreeSet, HashMap};
 use std::path::Path;
 
-use anyhow::Result;
+use anyhow::{bail, Result};
 use colored::Colorize;
 
 use crate::core::types::{Report, Resource};
@@ -23,15 +23,38 @@ const AGENT_HEADER: &str = "\
 
 ";
 
-pub fn run_init(dir: &Path, workspace_name: Option<String>, report: Option<&Report>) -> Result<()> {
+pub fn run_init(
+    dir: &Path,
+    workspace_name: Option<String>,
+    report: Option<&Report>,
+    force: bool,
+) -> Result<()> {
+    let compositfile_path = dir.join("Compositfile");
+
+    if compositfile_path.exists() {
+        if !force {
+            bail!(
+                "Compositfile already exists at {}; pass --force to overwrite",
+                compositfile_path.display()
+            );
+        }
+        let ts = chrono::Utc::now().format("%Y%m%dT%H%M%SZ");
+        let backup_path = dir.join(format!("Compositfile.backup.{ts}"));
+        std::fs::copy(&compositfile_path, &backup_path)?;
+        println!(
+            "  {} {}",
+            "Backup written:".yellow(),
+            backup_path.display()
+        );
+    }
+
     let workspace = workspace_name.unwrap_or_else(|| workspace_from_dir(dir));
 
     let content = match report {
         Some(r) => generate_from_report(&workspace, r),
         None => generate_minimal(&workspace),
     };
 
-    let compositfile_path = dir.join("Compositfile");
     std::fs::write(&compositfile_path, &content)?;
 
     let display_path = std::env::current_dir()
@@ -511,6 +534,61 @@ mod tests {
         }
     }
 
+    #[test]
+    fn init_refuses_if_compositfile_exists_without_force() {
+        let dir = tempfile::tempdir().unwrap();
+        let path = dir.path().join("Compositfile");
+        std::fs::write(&path, "old content").unwrap();
+
+        let err = run_init(dir.path(), None, None, false).unwrap_err();
+        assert!(
+            err.to_string().contains("--force"),
+            "error should mention --force: {}",
+            err
+        );
+        assert_eq!(
+            std::fs::read_to_string(&path).unwrap(),
+            "old content",
+            "existing file must not be modified"
+        );
+    }
+
+    #[test]
+    fn init_force_writes_backup_and_overwrites() {
+        let dir = tempfile::tempdir().unwrap();
+        let path = dir.path().join("Compositfile");
+        std::fs::write(&path, "old content").unwrap();
+
+        run_init(dir.path(), Some("test-ws".to_string()), None, true).unwrap();
+
+        let new_content = std::fs::read_to_string(&path).unwrap();
+        assert!(!new_content.contains("old content"), "old content must be gone");
+        assert!(new_content.contains("test-ws"), "new file must use workspace name");
+
+        let backups: Vec<_> = std::fs::read_dir(dir.path())
+            .unwrap()
+            .filter_map(|e| e.ok())
+            .filter(|e| {
+                e.file_name()
+                    .to_string_lossy()
+                    .starts_with("Compositfile.backup.")
+            })
+            .collect();
+        assert_eq!(backups.len(), 1, "expected exactly one backup file");
+        assert_eq!(
+            std::fs::read_to_string(backups[0].path()).unwrap(),
+            "old content"
+        );
+    }
+
+    #[test]
+    fn init_without_existing_file_does_not_need_force() {
+        let dir = tempfile::tempdir().unwrap();
+        run_init(dir.path(), Some("fresh".to_string()), None, false).unwrap();
+        let content = std::fs::read_to_string(dir.path().join("Compositfile")).unwrap();
+        assert!(content.contains("fresh"));
+    }
+
     #[test]
     fn database_role_stub_emitted_for_postgres_image() {
         let report = mk_report(vec![mk_resource(

src/core/compositfile.rs

@@ -61,7 +61,7 @@ pub fn parse_compositfile(path: &Path) -> Result<Governance> {
 /// valid no-op.
 fn parse_scan_block(block: &hcl::Block) -> Result<ScanSettings> {
     let exclude_paths = get_string_array_attr(&block.body, "exclude");
-    let resolvable = get_string_array_attr(&block.body, "resolvable");
+    let resolvable = get_optional_string_array_attr(&block.body, "resolvable");
     let redact = get_string_array_attr(&block.body, "redact");
 
     let mut extra_patterns = Vec::new();
@@ -515,6 +515,12 @@ fn get_string_attr(body: &Body, key: &str) -> Option<String> {
 
 /// Extract a string array attribute from an HCL body.
 fn get_string_array_attr(body: &Body, key: &str) -> Vec<String> {
+    get_optional_string_array_attr(body, key).unwrap_or_default()
+}
+
+/// Like `get_string_array_attr` but returns `None` when the attribute is absent.
+/// Use this when the caller needs to distinguish "not declared" from "declared as []".
+fn get_optional_string_array_attr(body: &Body, key: &str) -> Option<Vec<String>> {
     body.attributes()
         .find(|a| a.key.as_str() == key)
         .map(|a| match &a.expr {
@@ -527,7 +533,6 @@ fn get_string_array_attr(body: &Body, key: &str) -> Vec<String> {
                 .collect(),
             _ => vec![],
         })
-        .unwrap_or_default()
 }
 
 /// Extract an unsigned integer attribute from an HCL body.
@@ -1095,8 +1100,6 @@ mod tests {
 
     #[test]
     fn test_missing_scan_block_yields_default_empty_settings() {
-        // A Compositfile without a scan block must still produce a valid
-        // Governance — governance and scan tuning are independently optional.
         let gov = parse_hcl(
             r#"
             workspace "test" {
@@ -1108,5 +1111,87 @@ mod tests {
         assert!(gov.scan.exclude_paths.is_empty());
         assert!(gov.scan.extra_patterns.is_empty());
         assert!(gov.scan.scanners.is_empty());
+        // No scan block → resolvable absent → None (not opted out)
+        assert!(gov.scan.resolvable.is_none());
+    }
+
+    #[test]
+    fn test_resolvable_absent_is_none() {
+        // No resolvable key → None (diff should suggest it)
+        let gov = parse_hcl(
+            r#"
+            workspace "test" {
+              scan { exclude = [] }
+            }
+            "#,
+        )
+        .unwrap();
+        assert!(gov.scan.resolvable.is_none());
+    }
+
+    #[test]
+    fn test_resolvable_empty_array_is_some_empty() {
+        // resolvable = [] → Some([]) — explicit opt-out, diff stays silent.
+        let gov = parse_hcl(
+            r#"
+            workspace "test" {
+              scan { resolvable = [] }
+            }
+            "#,
+        )
+        .unwrap();
+        assert_eq!(gov.scan.resolvable, Some(vec![]));
+    }
+
+    #[test]
+    fn test_resolvable_with_values() {
+        let gov = parse_hcl(
+            r#"
+            workspace "test" {
+              scan { resolvable = [".env", ".env.local"] }
+            }
+            "#,
+        )
+        .unwrap();
+        assert_eq!(
+            gov.scan.resolvable,
+            Some(vec![".env".to_string(), ".env.local".to_string()])
+        );
+    }
+
+    #[test]
+    fn test_cron_scanner_disabled_by_default() {
+        let gov = parse_hcl(
+            r#"
+            workspace "test" {}
+            "#,
+        )
+        .unwrap();
+        assert!(
+            !gov.scan.is_scanner_enabled("cron"),
+            "cron scanner must be opt-in (host-state, not repo-state)"
+        );
+        assert!(
+            gov.scan.is_scanner_enabled("docker"),
+            "docker scanner must remain enabled by default"
+        );
+    }
+
+    #[test]
+    fn test_cron_scanner_opt_in_via_scanners_block() {
+        let gov = parse_hcl(
+            r#"
+            workspace "test" {
+              scan {
+                scanners { cron = true }
+              }
+            }
+            "#,
+        )
+        .unwrap();
+        assert!(
+            gov.scan.is_scanner_enabled("cron"),
+            "cron must be enabled when explicitly set to true"
+        );
     }
 }

src/core/governance.rs

@@ -40,12 +40,14 @@ pub struct ScanSettings {
     pub scanners: HashMap<String, bool>,
 
     /// RFC 006: env-file globs whose values may be substituted into other
-    /// resources (e.g. `${VAR}` in docker-compose). Empty = no resolution;
-    /// values never leave disk. Keys matching any `redact` pattern are
-    /// replaced with `<redacted>` before substitution so secret-looking
-    /// variables don't end up in the report.
+    /// resources (e.g. `${VAR}` in docker-compose). Values never leave disk.
+    /// Keys matching any `redact` pattern are replaced with `<redacted>`.
+    ///
+    /// `None`       = field absent from Compositfile → diff suggests it when `${VAR}` found.
+    /// `Some([])`   = deliberately opted out → diff stays silent.
+    /// `Some([..])` = resolution enabled with these env-file globs.
     #[serde(default)]
-    pub resolvable: Vec<String>,
+    pub resolvable: Option<Vec<String>>,
 
     /// RFC 006: glob-style patterns on env-var *keys* whose values MUST
     /// be redacted even when `resolvable` allows substitution. Matched
@@ -94,7 +96,11 @@ pub struct ExtraPattern {
 
 impl ScanSettings {
     pub fn is_scanner_enabled(&self, scanner_id: &str) -> bool {
-        self.scanners.get(scanner_id).copied().unwrap_or(true)
+        match self.scanners.get(scanner_id).copied() {
+            Some(v) => v,
+            // cron reads host-state (`crontab -l`), not repo-state — opt-in only.
+            None => scanner_id != "cron",
+        }
     }
 }
 

src/core/registry.rs

@@ -114,7 +114,9 @@ impl ScannerRegistry {
         // which env-file globs are allowed to supply values. Without it,
         // `${VAR}` stays literal in the report and shows up as
         // `unresolved_variable` in the diff.
-        let resolvable = scan.map(|s| s.resolvable.as_slice()).unwrap_or(&[]);
+        let resolvable = scan
+            .and_then(|s| s.resolvable.as_deref())
+            .unwrap_or(&[]);
         let redact = scan.map(|s| s.redact.as_slice()).unwrap_or(&[]);
         let resolution =
             resolve_docker_service_variables(&mut all_resources, &context.dir, resolvable, redact);