restricted_paths: add shadow path dispatch tests

Summary:
## This stack
This stack moves restricted paths toward AclManifest-backed restriction lookup and Shadow-mode comparison logging while keeping existing `RestrictedPaths` public APIs and config-backed enforcement behavior stable. The end state is that path and manifest access checks can evaluate both the legacy config/manifest-id-store source and the new AclManifest source, log source-prefixed comparison results to Scuba, and still return config-authoritative authorization results while Shadow mode is being validated.

Before this stack, restricted path logging was effectively single-source: path access read `path_acls` from config, manifest access read restricted paths from the manifest-id store, and Scuba rows only described the aggregate config-backed result. That made it hard to prove whether AclManifest-derived restrictions matched production behavior before flipping traffic to them.

After this stack, lookup and logging are split into source-specific primitives: config and AclManifest restriction lookup live behind explicit source selectors, authorization result construction is shared, and Shadow mode dispatch runs both sources side by side for supported path and HgAugmented manifest accesses. Scuba rows now include aggregate config-authoritative fields plus `config_*`, `acl_manifest_*`, `acl_manifest_mode`, errors, and `considered_restricted_by`, so we can compare behavior without changing enforcement.

```text
Before:
  path access     -> config path_acls            -> aggregate auth/log row
  manifest access -> manifest-id store + config  -> aggregate auth/log row

After:
  path access
    -> config path_acls              -> authoritative result
    -> AclManifest at changeset      -> shadow comparison fields
    -> Scuba: aggregate + config_* + acl_manifest_* + considered_restricted_by

  HgAugmented manifest access
    -> config manifest-id store      -> authoritative result
    -> manifest acl_manifest pointer -> shadow comparison fields
    -> Scuba: aggregate + config_* + acl_manifest_* + considered_restricted_by
```

This makes the codebase better by separating lookup, authorization, and logging responsibilities; making source choice explicit in tests and implementation; and giving us production observability for AclManifest parity before changing enforcement. Follow-up work can use the Shadow data to fix mismatches, expand support beyond HgAugmented manifest logging, move repos toward `Both`/`Authoritative` modes, and eventually remove legacy manifest-type handling and config-only fallbacks once AclManifest is proven safe.

## This diff (no-op)
This diff adds Shadow path dispatch tests and reusable observation helpers. This is test-only setup with no production behavior change; it defines the expected path-side comparison rows, skipped comparisons, error logging, and unrestricted-row behavior before dispatch is wired.

___

overriding_review_checks_triggers_an_audit_and_retroactive_review
Oncall Short Name: source_control

Differential Revision: D103433632

fbshipit-source-id: aae009a742e5b3236dc58faa28da4c84742425f2

Author: gustavoavena

eden/mononoke/repo_attributes/restricted_paths/test/main.rs

@@ -9,7 +9,9 @@ use std::str::FromStr;
 
 use anyhow::Result;
 use fbinit::FacebookInit;
+use metaconfig_types::AclManifestMode;
 use mononoke_macros::mononoke;
+use mononoke_types::ChangesetId;
 use mononoke_types::NonRootMPath;
 use mononoke_types::RepoPath;
 use mononoke_types::RepositoryId;
@@ -2036,3 +2038,122 @@ async fn test_use_acl_manifest_without_derivation_enabled_fails(fb: FacebookInit
 
     Ok(())
 }
+
+// What it tests: Shadow path dispatch can run config and AclManifest sources side by side.
+// Expected: compact mismatch fields are present while config remains authoritative.
+#[mononoke::fbinit_test]
+async fn test_shadow_path_dispatch_logs_config_and_acl_manifest_sources(
+    fb: FacebookInit,
+) -> Result<()> {
+    let restricted_acl = MononokeIdentity::from_str("REPO_REGION:restricted_acl")?;
+
+    let restricted_root = NonRootMPath::new("restricted/dir")?;
+    let result = RestrictedPathsTestDataBuilder::new()
+        .with_acl_manifest_mode(AclManifestMode::Shadow)
+        .with_use_acl_manifest(false)
+        .with_config_restricted_paths(vec![(restricted_root.clone(), restricted_acl.clone())])
+        .with_acl_manifest_restricted_paths(vec![(restricted_root, restricted_acl)])
+        .with_file_path_changes(vec![("restricted/dir/a", None)])
+        .build(fb)
+        .await?
+        .observe_restricted_paths_scenario(&[])
+        .await?;
+
+    // TODO(T248660053): assert the real path logger emits compact mismatch
+    // fields for Shadow mode.
+    let _ = result;
+    Ok(())
+}
+
+// What it tests: Shadow path dispatch emits comparison rows for AclManifest-only restrictions.
+// Expected: config aggregate fields stay unrestricted while the mismatch summary reports the restriction.
+#[mononoke::fbinit_test]
+async fn test_shadow_path_dispatch_logs_acl_manifest_only_restriction(
+    fb: FacebookInit,
+) -> Result<()> {
+    let restricted_acl = MononokeIdentity::from_str("REPO_REGION:restricted_acl")?;
+
+    let restricted_root = NonRootMPath::new("acl_manifest_only/dir")?;
+    let result = RestrictedPathsTestDataBuilder::new()
+        .with_acl_manifest_mode(AclManifestMode::Shadow)
+        .with_use_acl_manifest(false)
+        .with_acl_manifest_restricted_paths(vec![(restricted_root, restricted_acl)])
+        .with_file_path_changes(vec![("acl_manifest_only/dir/a", None)])
+        .build(fb)
+        .await?
+        .observe_restricted_paths_scenario(&[])
+        .await?;
+
+    // TODO(T248660053): assert AclManifest-only restricted paths emit
+    // comparison rows while config remains authoritative.
+    let _ = result;
+    Ok(())
+}
+
+// What it tests: Shadow path dispatch handles comparison-source lookup errors as logging-only data.
+// Expected: AclManifest errors populate acl_manifest_error without changing request success.
+#[mononoke::fbinit_test]
+async fn test_shadow_path_dispatch_logs_comparison_errors(fb: FacebookInit) -> Result<()> {
+    let restricted_acl = MononokeIdentity::from_str("REPO_REGION:restricted_acl")?;
+
+    let restricted_root = NonRootMPath::new("restricted/dir")?;
+    let missing_cs_id =
+        ChangesetId::from_str("1111111111111111111111111111111111111111111111111111111111111111")?;
+    let result = RestrictedPathsTestDataBuilder::new()
+        .with_acl_manifest_mode(AclManifestMode::Shadow)
+        .with_use_acl_manifest(false)
+        .with_config_restricted_paths(vec![(restricted_root.clone(), restricted_acl)])
+        .build(fb)
+        .await?
+        .observe_path_access(restricted_root, Some(missing_cs_id), &[])
+        .await?;
+
+    // TODO(T248660053): inject an AclManifest path lookup failure and assert
+    // it is logged without failing the request.
+    let _ = result;
+    Ok(())
+}
+
+// What it tests: Shadow path dispatch skips AclManifest comparison when a changeset id is unavailable.
+// Expected: skipped comparison leaves acl_manifest_error and mismatch detail empty.
+#[mononoke::fbinit_test]
+async fn test_shadow_path_dispatch_skips_acl_manifest_without_changeset(
+    fb: FacebookInit,
+) -> Result<()> {
+    let restricted_acl = MononokeIdentity::from_str("REPO_REGION:restricted_acl")?;
+
+    let restricted_root = NonRootMPath::new("restricted/dir")?;
+    let result = RestrictedPathsTestDataBuilder::new()
+        .with_acl_manifest_mode(AclManifestMode::Shadow)
+        .with_use_acl_manifest(false)
+        .with_config_restricted_paths(vec![(restricted_root.clone(), restricted_acl.clone())])
+        .with_acl_manifest_restricted_paths(vec![(restricted_root.clone(), restricted_acl)])
+        .build(fb)
+        .await?
+        .observe_path_access(restricted_root, None, &[])
+        .await?;
+
+    // TODO(T248660053): call path access without a changeset id and assert
+    // AclManifest comparison is skipped.
+    let _ = result;
+    Ok(())
+}
+
+// What it tests: Shadow path dispatch does not log unrestricted rows.
+// Expected: no row is emitted when both sources are unrestricted.
+#[mononoke::fbinit_test]
+async fn test_shadow_path_dispatch_omits_unrestricted_rows(fb: FacebookInit) -> Result<()> {
+    let result = RestrictedPathsTestDataBuilder::new()
+        .with_acl_manifest_mode(AclManifestMode::Shadow)
+        .with_use_acl_manifest(false)
+        .with_file_path_changes(vec![("unrestricted/dir/a", None)])
+        .build(fb)
+        .await?
+        .observe_restricted_paths_scenario(&[])
+        .await?;
+
+    // TODO(T248660053): assert no Scuba rows are emitted when config and
+    // AclManifest both report unrestricted.
+    let _ = result;
+    Ok(())
+}