[DNM] POC: diff severity scoring based on rules and model.

README.md

@@ -7,9 +7,9 @@
 ## About
 - The Ansible Network Backup Validated Content provides a comprehensive solution for managing network backups and restores across supported network platforms. This validated content offers two key functionalities: `backup` and `restore`, each designed to be platform-agnostic and user-friendly.
 
-- The `backup` role allows users to create, compare, and tag backups, supporting both local and remote data stores. This ensures that network configurations are regularly and securely backed up, providing a reliable method to safeguard network infrastructure.
+- The `backup` role allows users to create, compare, and tag backups, supporting both local and remote data stores. This ensures that network configurations are regularly and securely backed up, providing a reliable method to safeguard network infrastructure. The role includes SHA-256 hash verification to ensure backup file integrity and detect tampering or corruption.
 
-- The `restore` role enables users to fetch backups from local or remote data stores and perform configuration restores. This functionality ensures that network configurations can be swiftly and accurately restored when needed, minimizing downtime and maintaining network stability.
+- The `restore` role enables users to fetch backups from local or remote data stores and perform configuration restores. This functionality ensures that network configurations can be swiftly and accurately restored when needed, minimizing downtime and maintaining network stability. The role automatically verifies backup file integrity using SHA-256 hashes before restoring, preventing corrupted or tampered configurations from being applied.
 
 - The Network Backup Content is ideal for system administrators and IT professionals who need to manage and maintain network infrastructure, automate the backup and restore process, and ensure data is regularly and securely backed up and available for restoration as required.
 
@@ -71,6 +71,13 @@ ansible-galaxy collection install network.backup
 **Restore Configuration**:
 - Allows users to restore a previously backed-up configuration.
 - Users can compare the running configuration with the backup to identify differences and restore the configuration only if differences are found.
+- Automatically verifies backup file integrity using SHA-256 hashes before restoring, ensuring corrupted or tampered files are not applied.
+
+**Hash Verification**:
+- Calculates SHA-256 hashes for all backup files to ensure data integrity.
+- Stores hash files alongside backup files for easy verification.
+- Automatically verifies backup file integrity during restore operations.
+- Prevents restoring corrupted or tampered configurations.
 
 ## Testing
 

logs.log

@@ -0,0 +1,12 @@
+2026-01-25 22:12:41,674 p=57299 u=rohit n=ansible INFO| ansible-playbook [core 2.19.4]
+  config file = None
+  configured module search path = ['/Users/rohit/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
+  ansible python module location = /Users/rohit/venvs/ansible312/lib/python3.12/site-packages/ansible
+  ansible collection location = /Users/rohit/.ansible/collections:/usr/share/ansible/collections
+  executable location = /Users/rohit/venvs/ansible312/bin/ansible-playbook
+  python version = 3.12.12 (main, Oct  9 2025, 11:07:00) [Clang 17.0.0 (clang-1700.0.13.3)] (/Users/rohit/venvs/ansible312/bin/python3.12)
+  jinja version = 3.1.6
+  pyyaml version = 6.0.3 (with libyaml v0.2.5)
+2026-01-25 22:12:41,674 p=57299 u=rohit n=ansible INFO| No config file found; using defaults
+2026-01-25 22:12:41,674 p=57299 u=rohit n=ansible ERROR| [ERROR]: the playbook: demo_backup_restore.yml could not be found
+

roles/backup/README.md

@@ -17,6 +17,14 @@ This role supports full and differential backups, storing them locally or in a r
 - Backs up the configuration **only if** there are changes compared to the last saved version.
 - Works with both local and Git-based data stores.
 - Helps reduce storage and SCM noise by saving only when diff exists.
+- **Ignores timestamps and metadata** - only detects actual configuration changes.
+
+### SHA-256 Hash Verification
+- Calculates SHA-256 hash for every backup file to ensure data integrity.
+- Stores hash in a separate `.sha256` file alongside the backup file.
+- Provides cryptographic proof of backup file integrity.
+- Enables detection of file corruption or tampering.
+- Hash files are automatically created and stored with backups.
 
 ---
 
@@ -34,8 +42,10 @@ This role supports full and differential backups, storing them locally or in a r
 | `data_store.scm.origin.path` | Directory path inside the repo to save backup | `str` | No | N/A |
 | `data_store.scm.origin.ssh_key_file` | Path to the SSH private key file for Git authentication | `str` | Yes (if using SCM SSH) | N/A |
 | `data_store.scm.origin.ssh_key_content` | The content of the SSH private key | `str` | Yes (if using SCM SSH) | N/A |
+| `type` | Type of backup to perform. Options: `"full"`, `"incremental"`, or `"diff"` | `str` | No | `"full"` |
+| `enable_hash_file` | Enable SHA-256 hash file creation. When `true`, creates a `.sha256` file alongside the backup file | `bool` | No | `true` |
 
-> Note: Either `data_store.local` or `data_store.scm` must be provided.
+> **Note**: When `enable_hash_file` is enabled (default), the role creates a hash file with the same name as the backup file but with a `.sha256` extension. For example, if the backup file is `ios_device_backup.txt`, the hash file will be `ios_device_backup.txt.sha256`. The hash file contains the SHA-256 hash of the backup file and can be used to verify backup integrity during restore operations.
 
 ---
 
@@ -136,6 +146,58 @@ This role supports full and differential backups, storing them locally or in a r
               path: "backups/{{ ansible_date_time.date }}/{{ inventory_hostname }}"
 ```
 
+### Create Differential Backup (Only Publish if Config Changed)
+
+```yaml
+- name: Create Network Backup and Push to GitHub
+  hosts: network
+  gather_facts: false
+  tasks:
+    - name: Create Network Backup
+      ansible.builtin.include_role:
+        name: network.backup.backup
+      vars:
+        type: "diff"  # Enable differential backup
+        data_store:
+          scm:
+            origin:
+              user:
+                name: "your_name"
+                email: "your_email@example.com"
+              url: "git@github.com:youruser/your-backup-repo.git"
+              ssh_key_file: "/path/to/ssh/key"
+              filename: "{{ ansible_date_time.date }}_{{ inventory_hostname }}.txt"
+              path: "backups/{{ ansible_date_time.date }}/{{ inventory_hostname }}"
+```
+
+> **Note**: With `type: "diff"`, the backup will only be published to SCM if actual configuration changes are detected. Timestamps and metadata differences are ignored. See [Differential Backup Documentation](Differential_Backup_Documentation.md) for more details.
+
+### Create Backup with Hash Verification
+
+```yaml
+- name: Create Network Backup with Hash Verification
+  hosts: network
+  gather_facts: false
+  tasks:
+    - name: Create Network Backup
+      ansible.builtin.include_role:
+        name: network.backup.backup
+      vars:
+        enable_hash_file: true  # Enable hash file creation (default)
+        data_store:
+          scm:
+            origin:
+              user:
+                name: "your_name"
+                email: "your_email@example.com"
+              url: "git@github.com:youruser/your-backup-repo.git"
+              ssh_key_file: "/path/to/ssh/key"
+              filename: "{{ ansible_date_time.date }}_{{ inventory_hostname }}.txt"
+              path: "backups/{{ ansible_date_time.date }}/{{ inventory_hostname }}"
+```
+
+> **Note**: When `enable_hash_file: true` (default), the role creates a `.sha256` file alongside the backup file. This hash file contains the SHA-256 hash of the backup file and is used by the restore role to verify backup integrity before restoring. The hash file is automatically stored in the same location as the backup file.
+
 ## License
 
 GNU General Public License v3.0 or later.
@@ -144,4 +206,4 @@ See [LICENSE](https://www.gnu.org/licenses/gpl-3.0.txt) to see the full text.
 
 ## Author Information
 
-- Ansible Network Content Team
+- Ansible Network Content Team

roles/backup/meta/argument_specs.yml

@@ -45,6 +45,13 @@ argument_specs:
             type: dict
             required: false
             options:
+              parent_directory:
+                type: str
+                required: false
+                description:
+                  - Parent directory where the Git repository will be cloned (e.g., /tmp or role_path).
+                  - If not specified, defaults to role_path.
+                  - Best practice: Use temp directory (e.g., /tmp) for isolated operations.
               origin:
                 type: dict
                 required: true