cargo-rail:

feat(split/sync): add safety rails with --allow-dirty and --yes flags

  Add dirty worktree validation and confirmation skip flags to split and
  sync commands for safer CI/automation usage.

  Changes:
  - Add --allow-dirty flag to bypass dirty worktree check
  - Add --yes/-y flag to skip interactive confirmation prompts
  - Add is_dirty() and dirty_files() methods to SystemGit
  - Add GitError::DirtyWorktree error variant with helpful message
  - Refactor to SplitRunArgs/SyncArgs structs for cleaner API
  - Add integration tests for safety rail behavior

  CLI pattern remains consistent with other commands:
    cargo rail split foo              # Execute with confirmation
    cargo rail split foo --check      # Preview only
    cargo rail split foo --yes        # Skip confirmation (CI)
    cargo rail split foo --allow-dirty --yes  # Force on dirty worktree

Author: loadingalias

src/commands/cli.rs

@@ -251,6 +251,12 @@ pub enum Commands {
     /// Dry-run mode: preview changes without executing
     #[arg(long, short = 'c')]
     check: bool,
+    /// Allow running on dirty worktree (uncommitted changes)
+    #[arg(long)]
+    allow_dirty: bool,
+    /// Skip confirmation prompts (for CI/automation)
+    #[arg(short = 'y', long)]
+    yes: bool,
     /// Output format
     #[arg(long, short = 'f', default_value_t, value_enum)]
     format: OutputFormat,
@@ -369,6 +375,12 @@ pub enum SplitCommand {
     /// Dry-run mode: preview changes
     #[arg(long, short = 'c')]
     check: bool,
+    /// Allow running on dirty worktree (uncommitted changes)
+    #[arg(long)]
+    allow_dirty: bool,
+    /// Skip confirmation prompts (for CI/automation)
+    #[arg(short = 'y', long)]
+    yes: bool,
     /// Output format
     #[arg(long, short = 'f', default_value_t, value_enum)]
     format: OutputFormat,

src/commands/mod.rs

@@ -139,8 +139,21 @@ pub fn dispatch(cmd: Commands, ctx: &WorkspaceContext) -> RailResult<()> {
         all,
         remote,
         check,
+        allow_dirty,
+        yes,
         format,
-      } => run_split(ctx, crate_name, all, remote, check, format),
+      } => run_split(
+        ctx,
+        split::SplitRunArgs {
+          crate_name,
+          all,
+          remote,
+          check,
+          allow_dirty,
+          yes,
+          format,
+        },
+      ),
     },
 
     Commands::Sync {
@@ -151,17 +164,23 @@ pub fn dispatch(cmd: Commands, ctx: &WorkspaceContext) -> RailResult<()> {
       to_remote,
       strategy,
       check,
+      allow_dirty,
+      yes,
       format,
     } => run_sync(
       ctx,
-      crate_name,
-      all,
-      remote,
-      from_remote,
-      to_remote,
-      strategy,
-      check,
-      format,
+      sync::SyncArgs {
+        crate_name,
+        all,
+        remote,
+        from_remote,
+        to_remote,
+        strategy,
+        check,
+        allow_dirty,
+        yes,
+        format,
+      },
     ),
 
     // Release

src/commands/split.rs

@@ -4,40 +4,57 @@ use std::io::IsTerminal;
 
 use crate::commands::common::{OutputFormat, SplitSyncConfigBuilder};
 use crate::config::RailConfig;
-use crate::error::RailResult;
+use crate::error::{GitError, RailError, RailResult};
 use crate::progress;
 use crate::split::SplitEngine;
 use crate::utils;
 use crate::workspace::WorkspaceContext;
 use rayon::prelude::*;
 
+/// Arguments for the split run command
+pub struct SplitRunArgs {
+  /// Crate name to split (mutually exclusive with `all`)
+  pub crate_name: Option<String>,
+  /// Split all configured crates
+  pub all: bool,
+  /// Override remote repository URL
+  pub remote: Option<String>,
+  /// Dry-run mode: preview changes without executing
+  pub check: bool,
+  /// Allow running on dirty worktree (uncommitted changes)
+  pub allow_dirty: bool,
+  /// Skip confirmation prompts (for CI/automation)
+  pub yes: bool,
+  /// Output format
+  pub format: OutputFormat,
+}
+
 /// Run the split command
-pub fn run_split(
-  ctx: &WorkspaceContext,
-  crate_name: Option<String>,
-  all: bool,
-  remote: Option<String>,
-  check: bool,
-  format: OutputFormat,
-) -> RailResult<()> {
-  let json = format.is_json();
+pub fn run_split(ctx: &WorkspaceContext, args: SplitRunArgs) -> RailResult<()> {
+  let json = args.format.is_json();
 
   // JSON mode enables structured error output and suppresses progress
   if json {
     crate::output::set_json_mode(true);
   }
 
+  // Dirty worktree check (unless --allow-dirty or --check mode)
+  if !args.check && !args.allow_dirty && ctx.git.git().is_dirty()? {
+    let files = ctx.git.git().dirty_files()?;
+    return Err(RailError::Git(GitError::DirtyWorktree { files }));
+  }
+
   let builder = SplitSyncConfigBuilder::new(ctx)?
-    .with_crate_or_all(crate_name.clone(), all)?
-    .with_remote_override(remote)
+    .with_crate_or_all(args.crate_name.clone(), args.all)?
+    .with_remote_override(args.remote)
     .validate()?;
 
   let config_count = builder.count();
   let configs = builder.build_split_configs()?;
 
   // Check mode: show plan
-  if check {
-    match format {
+  if args.check {
+    match args.format {
       OutputFormat::Json => {
         let crates: Vec<_> = configs
           .iter()
@@ -98,8 +115,8 @@ pub fn run_split(
     return Err(crate::error::RailError::CheckHasPendingChanges);
   }
 
-  // Interactive confirmation
-  if std::io::stdin().is_terminal() && !json {
+  // Interactive confirmation (unless --yes)
+  if !args.yes && std::io::stdin().is_terminal() && !json {
     println!("splitting {} crate(s):\n", config_count);
     for config in &configs {
       println!("  {} -> {}", config.crate_name, config.target_repo_path.display());
@@ -112,7 +129,7 @@ pub fn run_split(
   }
 
   // Execute splits
-  if config_count > 1 && all {
+  if config_count > 1 && args.all {
     progress!("splitting {} crates...", config_count);
     let ctx = ctx.clone();
     let results: Vec<RailResult<()>> = configs

src/commands/sync.rs

@@ -3,7 +3,7 @@
 use std::io::IsTerminal;
 
 use crate::commands::common::{OutputFormat, SplitSyncConfigBuilder};
-use crate::error::RailResult;
+use crate::error::{GitError, RailError, RailResult};
 use crate::progress;
 use crate::sync::{ConflictStrategy, SyncDirection, SyncEngine, SyncResult};
 use crate::utils;
@@ -17,40 +17,59 @@ struct CrateSyncResult {
   skipped: bool,
 }
 
+/// Arguments for the sync command
+pub struct SyncArgs {
+  /// Crate name to sync (mutually exclusive with `all`)
+  pub crate_name: Option<String>,
+  /// Sync all configured crates
+  pub all: bool,
+  /// Override remote repository URL
+  pub remote: Option<String>,
+  /// Sync from remote to monorepo only
+  pub from_remote: bool,
+  /// Sync from monorepo to remote only
+  pub to_remote: bool,
+  /// Conflict resolution strategy
+  pub strategy: ConflictStrategy,
+  /// Dry-run mode: preview changes without executing
+  pub check: bool,
+  /// Allow running on dirty worktree (uncommitted changes)
+  pub allow_dirty: bool,
+  /// Skip confirmation prompts (for CI/automation)
+  pub yes: bool,
+  /// Output format
+  pub format: OutputFormat,
+}
+
 /// Run the sync command
-#[allow(clippy::too_many_arguments)]
-pub fn run_sync(
-  ctx: &WorkspaceContext,
-  crate_name: Option<String>,
-  all: bool,
-  remote: Option<String>,
-  from_remote: bool,
-  to_remote: bool,
-  strategy: ConflictStrategy,
-  check: bool,
-  format: OutputFormat,
-) -> RailResult<()> {
-  let json = format.is_json();
+pub fn run_sync(ctx: &WorkspaceContext, args: SyncArgs) -> RailResult<()> {
+  let json = args.format.is_json();
 
   // JSON mode enables structured error output and suppresses progress
   if json {
     crate::output::set_json_mode(true);
   }
 
+  // Dirty worktree check (unless --allow-dirty or --check mode)
+  if !args.check && !args.allow_dirty && ctx.git.git().is_dirty()? {
+    let files = ctx.git.git().dirty_files()?;
+    return Err(RailError::Git(GitError::DirtyWorktree { files }));
+  }
+
   let builder = SplitSyncConfigBuilder::new(ctx)?
-    .with_crate_or_all(crate_name.clone(), all)?
-    .with_remote_override(remote);
+    .with_crate_or_all(args.crate_name.clone(), args.all)?
+    .with_remote_override(args.remote);
 
   let config_count = builder.count();
 
-  if config_count == 0 && all {
+  if config_count == 0 && args.all {
     return Err(crate::error::RailError::with_help(
       "no crates configured for sync",
       "run 'cargo rail split init' first",
     ));
   }
 
-  let direction = match (from_remote, to_remote) {
+  let direction = match (args.from_remote, args.to_remote) {
     (true, true) => {
       return Err(crate::error::RailError::with_help(
         "cannot use both --from-remote and --to-remote",
@@ -65,7 +84,7 @@ pub fn run_sync(
   let configs = builder.build_sync_configs()?;
 
   // Check mode
-  if check {
+  if args.check {
     if json {
       let dir_str = match direction {
         SyncDirection::MonoToRemote => "to_remote",
@@ -92,7 +111,7 @@ pub fn run_sync(
         "command": "sync",
         "check": true,
         "direction": dir_str,
-        "strategy": format!("{:?}", strategy).to_lowercase(),
+        "strategy": format!("{:?}", args.strategy).to_lowercase(),
         "crates": crates,
         "count": configs.len()
       });
@@ -113,7 +132,7 @@ pub fn run_sync(
       println!("    direction: {}", dir_display);
       println!("    target: {}", sync_config.target_repo_path.display());
       println!("    remote: {}", sync_config.remote_url);
-      println!("    strategy: {}", format!("{:?}", strategy).to_lowercase());
+      println!("    strategy: {}", format!("{:?}", args.strategy).to_lowercase());
       if !target_exists {
         println!("    warning: target repo missing (run split first)");
       }
@@ -123,8 +142,8 @@ pub fn run_sync(
     return Err(crate::error::RailError::CheckHasPendingChanges);
   }
 
-  // Interactive confirmation
-  if std::io::stdin().is_terminal() && !json {
+  // Interactive confirmation (unless --yes)
+  if !args.yes && std::io::stdin().is_terminal() && !json {
     let dir_sym = match direction {
       SyncDirection::MonoToRemote => "->",
       SyncDirection::RemoteToMono => "<-",
@@ -155,10 +174,11 @@ pub fn run_sync(
   }
 
   // Execute syncs and collect per-crate results
-  let crate_results: Vec<CrateSyncResult> = if config_count > 1 && all {
+  let crate_results: Vec<CrateSyncResult> = if config_count > 1 && args.all {
     progress!("syncing {} crates...", config_count);
 
     let ctx = ctx.clone();
+    let strategy = args.strategy;
     let results: Vec<RailResult<CrateSyncResult>> = configs
       .into_par_iter()
       .map(|(sync_config, target_exists)| {
@@ -208,7 +228,7 @@ pub fn run_sync(
       }
 
       progress!("syncing {}...", crate_name);
-      let mut engine = SyncEngine::new(ctx, sync_config, strategy)?;
+      let mut engine = SyncEngine::new(ctx, sync_config, args.strategy)?;
 
       let result = match direction {
         SyncDirection::MonoToRemote => engine.sync_to_remote()?,

src/error.rs

@@ -352,6 +352,12 @@ pub enum GitError {
     /// Failure reason
     reason: String,
   },
+
+  /// Worktree has uncommitted changes
+  DirtyWorktree {
+    /// List of dirty files
+    files: Vec<String>,
+  },
 }
 
 impl GitError {
@@ -367,6 +373,7 @@ impl GitError {
         }
       }
       GitError::RepoNotFound { path } => Some(format!("run 'git init {}' or verify the path", path.display())),
+      GitError::DirtyWorktree { .. } => Some("commit or stash changes, or use --allow-dirty".to_string()),
       _ => None,
     }
   }
@@ -392,6 +399,20 @@ impl fmt::Display for GitError {
       GitError::PushFailed { remote, branch, reason } => {
         write!(f, "push to {}/{} failed: {}", remote, branch, reason.trim())
       }
+      GitError::DirtyWorktree { files } => {
+        let count = files.len();
+        if count <= 5 {
+          write!(f, "working tree has uncommitted changes:\n{}", files.join("\n"))
+        } else {
+          let shown: Vec<_> = files.iter().take(5).cloned().collect();
+          write!(
+            f,
+            "working tree has uncommitted changes:\n{}\n  ... and {} more",
+            shown.join("\n"),
+            count - 5
+          )
+        }
+      }
     }
   }
 }

src/git/system.rs

@@ -121,6 +121,24 @@ impl SystemGit {
     Ok(None)
   }
 
+  /// Check if the worktree has uncommitted changes
+  ///
+  /// Returns `true` if there are staged or unstaged changes, including untracked files.
+  /// This is useful for safety checks before destructive operations.
+  pub fn is_dirty(&self) -> RailResult<bool> {
+    let output = self.run_git_stdout(&["status", "--porcelain"])?;
+    Ok(!output.is_empty())
+  }
+
+  /// Get list of dirty files in the worktree
+  ///
+  /// Returns the files with their status prefixes (e.g., " M file.txt", "?? new.txt").
+  /// Useful for displaying what's dirty when refusing to run on a dirty worktree.
+  pub fn dirty_files(&self) -> RailResult<Vec<String>> {
+    let output = self.run_git_stdout(&["status", "--porcelain"])?;
+    Ok(output.lines().map(|s| s.to_string()).collect())
+  }
+
   /// Create a safe git command with isolated environment
   ///
   /// - Sets working directory to repo path