Add access error tracking and resilient scanning

- Add access column to items table tracking permission issues (Ok, MetaError, ReadError)
- Track access state changes in change records (access_old, access_new)
- Generate Access Denied alerts when files cannot be read during analysis
- Permission errors no longer abort scans - items are tracked and can be retried
- Add Access Denied alert type to web UI with amber warning badge
- Add Access Denied filter option to Alerts page dropdown
- Remove BufReader wrapper from hash computation for efficiency
- Database schema v12 migration

Author: gtunes-dev

CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- **Access error tracking**: New `access` column on items tracks permission issues encountered during scanning
+  - `Ok`: No access issues
+  - `MetaError`: Unable to read file metadata (detected during scan phase)
+  - `ReadError`: Unable to read file contents (detected during analysis phase)
+- **Access Denied alerts**: New alert type generated when files cannot be read during analysis
+  - Displayed with amber "warning" badge in web UI to distinguish from validation errors
+  - Filterable via new "Access Denied" option in Alerts page type dropdown
+- **Change tracking for access state**: Change records now include `access_old` and `access_new` columns to track permission changes over time
+
+### Changed
+- **Resilient scanning**: Permission errors no longer abort scans. Items with access issues are tracked and can be retried on subsequent scans when permissions are restored
+- **Hashing optimization**: Removed unnecessary `BufReader` wrapper for more efficient large file hashing
+
 ## [v0.3.1] - 2025-11-23
 
 ### Changed

Cargo.lock

@@ -49,7 +49,7 @@ r2d2_sqlite = "0.31"
 rusqlite = { version = "0.37", features = ["bundled", "collation"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-sha2 = "0.10"
+sha2 =  { version = "0.10", features = ["asm"] }
 strum = "0.27"
 thiserror = "2.0"
 tabled = "0.20"
@@ -93,3 +93,8 @@ codegen-units = 1  # PNG decoder (used by image crate)
 
 [profile.release.package.lopdf]
 codegen-units = 1  # PDF parsing - slow in this application's usage pattern
+
+# Optimize dependencies in dev builds for faster debugging experience
+# Your code remains fully debuggable; only dependencies are optimized
+[profile.dev.package."*"]
+opt-level = 3

Cargo.toml

@@ -471,6 +471,8 @@ export function ItemDetailSheet({
         return <Badge variant="destructive">Suspicious Hash</Badge>
       case 'I':
         return <Badge variant="destructive">Invalid Item</Badge>
+      case 'A':
+        return <Badge variant="warning">Access Denied</Badge>
       default:
         return <Badge variant="secondary">{type}</Badge>
     }

frontend/src/components/shared/ItemDetailSheet.tsx

@@ -226,7 +226,7 @@ export interface ScheduleWithRoot extends Schedule {
 // Insights Page Types
 
 export type AlertStatusValue = 'O' | 'F' | 'D' // Open, Flagged, Dismissed
-export type AlertTypeValue = 'H' | 'I' // Suspicious Hash, Invalid Item
+export type AlertTypeValue = 'H' | 'I' | 'A' // Suspicious Hash, Invalid Item, Access Denied
 export type ContextFilterType = 'all' | 'root' | 'scan'
 
 export interface UpdateAlertStatusRequest {

frontend/src/lib/types.ts

@@ -292,24 +292,30 @@ export function AlertsPage() {
   }
 
   const getAlertTypeBadge = (type: AlertTypeValue) => {
-    if (type === 'H') {
-      return <Badge variant="error">Suspicious Hash</Badge>
-    } else {
-      return <Badge variant="error">Invalid Item</Badge>
+    switch (type) {
+      case 'H':
+        return <Badge variant="error">Suspicious Hash</Badge>
+      case 'I':
+        return <Badge variant="error">Invalid Item</Badge>
+      case 'A':
+        return <Badge variant="warning">Access Denied</Badge>
     }
   }
 
   const getAlertDetails = (alert: AlertRow) => {
-    if (alert.alert_type === 'H') {
-      return (
-        <div className="text-xs space-y-1">
-          <div>Hash changed</div>
-          <div className="font-mono text-muted-foreground">Old: {alert.hash_old || 'N/A'}</div>
-          <div className="font-mono text-muted-foreground">New: {alert.hash_new || 'N/A'}</div>
-        </div>
-      )
-    } else {
-      return <div className="text-xs">{alert.val_error || 'Validation error'}</div>
+    switch (alert.alert_type) {
+      case 'H':
+        return (
+          <div className="text-xs space-y-1">
+            <div>Hash changed</div>
+            <div className="font-mono text-muted-foreground">Old: {alert.hash_old || 'N/A'}</div>
+            <div className="font-mono text-muted-foreground">New: {alert.hash_new || 'N/A'}</div>
+          </div>
+        )
+      case 'I':
+        return <div className="text-xs">{alert.val_error || 'Validation error'}</div>
+      case 'A':
+        return <div className="text-xs">File could not be read</div>
     }
   }
 
@@ -361,6 +367,7 @@ export function AlertsPage() {
                     <SelectItem value="all">All Types</SelectItem>
                     <SelectItem value="H">Suspicious Hash</SelectItem>
                     <SelectItem value="I">Invalid Item</SelectItem>
+                    <SelectItem value="A">Access Denied</SelectItem>
                   </SelectContent>
                 </Select>
               </div>

frontend/src/pages/alerts/AlertsPage.tsx

@@ -9,6 +9,7 @@ use crate::error::FsPulseError;
 pub enum AlertType {
     SuspiciousHash = 0,
     InvalidItem = 1,
+    AccessDenied = 2,
 }
 
 #[repr(i64)]
@@ -28,6 +29,7 @@ impl AlertType {
         match value {
             0 => AlertType::SuspiciousHash,
             1 => AlertType::InvalidItem,
+            2 => AlertType::AccessDenied,
             _ => {
                 warn!(
                     "Invalid AlertType value in database: {}, defaulting to SuspiciousHash",
@@ -42,13 +44,15 @@ impl AlertType {
         match self {
             AlertType::SuspiciousHash => "H",
             AlertType::InvalidItem => "I",
+            AlertType::AccessDenied => "A",
         }
     }
 
     pub fn full_name(&self) -> &'static str {
         match self {
             AlertType::SuspiciousHash => "Suspicious Hash",
             AlertType::InvalidItem => "Invalid Item",
+            AlertType::AccessDenied => "Access Denied",
         }
     }
 
@@ -57,9 +61,11 @@ impl AlertType {
             // Full names
             "SUSPICIOUS HASH" | "SUSPICIOUSHASH" => Some(AlertType::SuspiciousHash),
             "INVALID ITEM" | "INVALIDITEM" => Some(AlertType::InvalidItem),
+            "ACCESS DENIED" | "ACCESSDENIED" => Some(AlertType::AccessDenied),
             // Short names
             "H" => Some(AlertType::SuspiciousHash),
             "I" => Some(AlertType::InvalidItem),
+            "A" => Some(AlertType::AccessDenied),
             _ => None,
         }
     }
@@ -258,6 +264,43 @@ impl Alerts {
         Ok(())
     }
 
+    /// Create an alert when an item becomes inaccessible.
+    /// This is called when access transitions from Ok to MetaError or ReadError.
+    pub fn add_access_denied_alert(
+        conn: &Connection,
+        scan_id: i64,
+        item_id: i64,
+    ) -> Result<(), FsPulseError> {
+        let sql = r#"
+            INSERT INTO alerts (
+                alert_type,
+                alert_status,
+                scan_id,
+                item_id,
+                created_at
+            )
+            VALUES (
+                :alert_type,
+                :alert_status,
+                :scan_id,
+                :item_id,
+                strftime('%s', 'now', 'utc')
+            )
+        "#;
+
+        conn.execute(
+            sql,
+            named_params! {
+                ":alert_type":      AlertType::AccessDenied.as_i64(),
+                ":alert_status":    AlertStatus::Open.as_i64(),
+                ":scan_id":         scan_id,
+                ":item_id":         item_id,
+            },
+        )?;
+
+        Ok(())
+    }
+
     pub fn set_alert_status(
         conn: &Connection,
         alert_id: i64,
@@ -290,13 +333,15 @@ mod tests {
         // Verify the integer values match the expected order
         assert_eq!(AlertType::SuspiciousHash.as_i64(), 0);
         assert_eq!(AlertType::InvalidItem.as_i64(), 1);
+        assert_eq!(AlertType::AccessDenied.as_i64(), 2);
     }
 
     #[test]
     fn test_alert_type_from_i64() {
         // Verify round-trip conversion
         assert_eq!(AlertType::from_i64(0), AlertType::SuspiciousHash);
         assert_eq!(AlertType::from_i64(1), AlertType::InvalidItem);
+        assert_eq!(AlertType::from_i64(2), AlertType::AccessDenied);
 
         // Invalid values should default to SuspiciousHash
         assert_eq!(AlertType::from_i64(999), AlertType::SuspiciousHash);
@@ -307,23 +352,28 @@ mod tests {
     fn test_alert_type_short_name() {
         assert_eq!(AlertType::SuspiciousHash.short_name(), "H");
         assert_eq!(AlertType::InvalidItem.short_name(), "I");
+        assert_eq!(AlertType::AccessDenied.short_name(), "A");
     }
 
     #[test]
     fn test_alert_type_full_name() {
         assert_eq!(AlertType::SuspiciousHash.full_name(), "Suspicious Hash");
         assert_eq!(AlertType::InvalidItem.full_name(), "Invalid Item");
+        assert_eq!(AlertType::AccessDenied.full_name(), "Access Denied");
     }
 
     #[test]
     fn test_alert_type_traits() {
         let suspicious = AlertType::SuspiciousHash;
         let invalid = AlertType::InvalidItem;
+        let access = AlertType::AccessDenied;
 
         // Test PartialEq
         assert_eq!(suspicious, AlertType::SuspiciousHash);
         assert_eq!(invalid, AlertType::InvalidItem);
+        assert_eq!(access, AlertType::AccessDenied);
         assert_ne!(suspicious, invalid);
+        assert_ne!(invalid, access);
 
         // Test Copy
         let suspicious_copy = suspicious;
@@ -402,7 +452,11 @@ mod tests {
     #[test]
     fn test_alert_type_completeness() {
         // Verify we can convert all enum variants to strings
-        let all_types = [AlertType::SuspiciousHash, AlertType::InvalidItem];
+        let all_types = [
+            AlertType::SuspiciousHash,
+            AlertType::InvalidItem,
+            AlertType::AccessDenied,
+        ];
 
         for alert_type in all_types {
             let short_str = alert_type.short_name();

src/alerts.rs

@@ -8,12 +8,14 @@ pub struct Change {
     pub scan_id: i64,
     pub item_id: i64,
     pub change_type: ChangeType,
+    pub access_old: Option<i64>,   // Previous access state (if changed)
+    pub access_new: Option<i64>,   // New access state (if changed)
     pub is_undelete: Option<bool>, // Present if "A". True if add is undelete
     pub meta_change: Option<bool>, // Present if "M". True if metadata changed, else False
     pub mod_date_old: Option<i64>, // Meaningful if undelete or meta_change
     pub mod_date_new: Option<i64>, // Meaningful if metdata_changed
-    pub size_old: Option<i64>, // Meaningful if undelete or meta_change
-    pub size_new: Option<i64>, // Meaningful if undelete or meta_change
+    pub size_old: Option<i64>,     // Meaningful if undelete or meta_change
+    pub size_new: Option<i64>,     // Meaningful if undelete or meta_change
     pub hash_change: Option<bool>, // Present if "M". True if hash changed, else False
     #[allow(dead_code)]
     pub last_hash_scan_old: Option<i64>, // Present if "M" and hash_change
@@ -23,7 +25,7 @@ pub struct Change {
     pub val_change: Option<bool>,  // Present if "M", True if validation changed, else False
     #[allow(dead_code)]
     pub last_val_scan_old: Option<i64>, // Present if "M" and validation changed
-    pub val_old: Option<i64>,   // Validation state of the item if val_change = true
+    pub val_old: Option<i64>,      // Validation state of the item if val_change = true
     #[allow(dead_code)]
     pub val_new: Option<i64>, // Meaningful if undelete or val_change
     #[allow(dead_code)]
@@ -59,7 +61,10 @@ impl ChangeType {
             2 => ChangeType::Modify,
             3 => ChangeType::Delete,
             _ => {
-                warn!("Invalid ChangeType value in database: {}, defaulting to NoChange", value);
+                warn!(
+                    "Invalid ChangeType value in database: {}, defaulting to NoChange",
+                    value
+                );
                 ChangeType::NoChange
             }
         }
@@ -161,15 +166,15 @@ mod tests {
         assert_eq!(ChangeType::Modify.short_name(), "M");
         assert_eq!(ChangeType::NoChange.short_name(), "N");
     }
-    
+
     #[test]
     fn test_change_type_display() {
         assert_eq!(ChangeType::Add.to_string(), "Add");
         assert_eq!(ChangeType::Delete.to_string(), "Delete");
         assert_eq!(ChangeType::Modify.to_string(), "Modify");
         assert_eq!(ChangeType::NoChange.to_string(), "No Change");
     }
-    
+
     #[test]
     fn test_change_type_from_string() {
         assert_eq!(ChangeType::from_string("A"), Some(ChangeType::Add));
@@ -186,21 +191,29 @@ mod tests {
 
     #[test]
     fn test_change_type_round_trip() {
-        let types = [ChangeType::NoChange, ChangeType::Add, ChangeType::Modify, ChangeType::Delete];
+        let types = [
+            ChangeType::NoChange,
+            ChangeType::Add,
+            ChangeType::Modify,
+            ChangeType::Delete,
+        ];
 
         for change_type in types {
             let str_val = change_type.short_name();
             let parsed_back = ChangeType::from_string(str_val).unwrap();
-            assert_eq!(change_type, parsed_back, "Round trip failed for {change_type:?}");
+            assert_eq!(
+                change_type, parsed_back,
+                "Round trip failed for {change_type:?}"
+            );
         }
     }
-    
+
     #[test]
     fn test_change_type_copy_clone() {
         let change_type = ChangeType::Add;
         let change_type_copy = change_type;
         let change_type_clone = change_type;
-        
+
         // All should be equal
         assert_eq!(change_type, change_type_copy);
         assert_eq!(change_type, change_type_clone);