Add atomic multi-file mode with write-ahead journal and recovery (#19)

* Add atomic multi-file two-phase commit with write-ahead journal

Implement --atomic flag for all-or-nothing multi-file operations using a
two-phase commit protocol with a JSON write-ahead journal. When enabled,
all file changes are first staged to temp files (phase 1), then atomically
renamed over originals (phase 2). If the process is interrupted, a
subsequent --recover run can roll back or --recover-forward to complete.

Key features:
- --atomic flag implies --backup via hard-links for safe rollback
- --no-backup opt-out with explicit warning about rollback limitations
- .toggle-atomic.journal WAL in CWD for crash recovery
- .toggle-atomic.lock advisory lock prevents concurrent --atomic runs
- Signal handling (SIGTERM/SIGINT) for graceful interrupt with journal preservation
- Platform helpers: macOS F_FULLFSYNC, Windows rename retry with backoff
- SHA-256 integrity verification for forward recovery
- into_temp_path() fd release pattern for large batch support (>500 files)
- CLI validation: --atomic rejects --dry-run, --no-backup requires --atomic
- 13 new integration tests covering happy path, recovery, validation, and edge cases

New files: src/journal.rs, src/platform.rs
New deps: sha2, signal-hook, fd-lock

https://claude.ai/code/session_01JTuqZjgo3pPPF5YUeGKarz

* Fix clippy warnings and formatting for CI compliance

- Replace io::Error::new(io::ErrorKind::Other, ...) with io::Error::other()
- Remove identical if/else branches in stage() encoding check
- Prefix unused encoding parameter with underscore
- Apply cargo fmt formatting

https://claude.ai/code/session_01JTuqZjgo3pPPF5YUeGKarz

* Add libc dependency for macOS F_FULLFSYNC support

The platform.rs macOS cfg block uses libc::fcntl and libc::F_FULLFSYNC
but libc was missing from Cargo.toml, causing macOS CI builds to fail.

Author: smorin

Cargo.lock

@@ -36,6 +36,16 @@ serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 # Encoding support
 encoding_rs = "0.8"
+# SHA-256 checksums for atomic journal integrity
+sha2 = "0.10"
+# Signal handling for graceful interrupt during atomic commits
+signal-hook = "0.3"
+# Cross-platform advisory file locking for concurrent atomic execution prevention
+fd-lock = "4"
+
+[target.'cfg(target_os = "macos")'.dependencies]
+# macOS F_FULLFSYNC support for durable fsync
+libc = "0.2"
 
 [package.metadata.cargo-semver-checks.lints]
 constructible_struct_adds_field = "allow"

Cargo.toml

@@ -93,4 +93,23 @@ pub struct Cli {
     /// Path to .toggleConfig TOML file
     #[arg(long = "config")]
     pub config: Option<PathBuf>,
+
+    /// Enable atomic multi-file mode: all files succeed or none are modified.
+    /// Implies --backup unless --no-backup is explicitly passed.
+    #[arg(long = "atomic")]
+    pub atomic: bool,
+
+    /// Disable backup creation in atomic mode. Only valid with --atomic.
+    /// WARNING: Without backups, rollback is not possible if the rename phase fails.
+    #[arg(long = "no-backup")]
+    pub no_backup: bool,
+
+    /// Recover from an interrupted atomic operation. Default: rollback.
+    #[arg(long = "recover")]
+    pub recover: bool,
+
+    /// Complete an interrupted atomic commit instead of rolling back.
+    /// Must be combined with --recover.
+    #[arg(long = "recover-forward")]
+    pub recover_forward: bool,
 }