Skip to content

cues.fire: auto_verify + sha256 constant-cost path (Phase 2 follow-on B + bonus)#41

Merged
mikemolinet merged 2 commits into
mainfrom
feat/cues-fire-auto-verify-and-sha256
May 11, 2026
Merged

cues.fire: auto_verify + sha256 constant-cost path (Phase 2 follow-on B + bonus)#41
mikemolinet merged 2 commits into
mainfrom
feat/cues-fire-auto-verify-and-sha256

Conversation

@mikemolinet
Copy link
Copy Markdown
Collaborator

@mikemolinet mikemolinet commented May 11, 2026

Summary

Follow-on B (CuesResource.fire auto_verify) + bonus (sha256 constant-cost path) of body-verify defense-in-depth. cue-pm unblocked at ~23:48Z after primary's substrate-fix verified on prod.

Mirror of MessagesResource.send auto_verify pattern, applied to client.cues.fire() for symmetric coverage of /v1/cues/{cue_id}/fire endpoint.

What

  • auto_verify=True kwarg on CuesResource.fire. Default on.
  • Pre-computes sha256(canonical-JSON(body)).hexdigest() client-side.
  • Compares vs body_received_sha256 (constant cost) first; falls back to string compare on hash mismatch.
  • Raises BodyVerifyMismatchError on confirmed drift; message_id field carries the execution_id.
  • Defensive isinstance handles BOTH wire shapes (string post-fix; dict pre-fix). Sibling of PR fix(messages.send): body_received is dict not flat string (empirical wire-shape) #40 hotfix.

Test plan

  • 3 existing TestFire tests updated to expect default-on header
  • 5 new TestFireAutoVerify tests
  • 39 of 39 messages + cues resource tests pass

Defense-in-depth status post-merge

  • Layer 1 (substrate echo-back): SHIPPED + FIXED (flat-string body_received)
  • Layer 2 (SDK auto-verify): cueapi-python messages SHIPPED + cueapi-cli SHIPPED + THIS PR adds cues fire mirror
  • Layer 3 (force-file mode): SHIPPED across cueapi-cli + cueapi-action + cue-mac-app
  • Layer 4 (docs): joint with cue-pm, ships last

🤖 Generated with Claude Code
mikemolinet and others added 2 commits May 11, 2026 16:48
@mikemolinet @claude
cues.fire: auto_verify + sha256 constant-cost path (Phase 2 follow-on…
a900779 
… B + bonus)

Mike body-verify directive 2026-05-11. cue-pm unblocked these
follow-ons at ~23:48Z after primary's substrate-fix (body_received
flat-string + body_received_sha256 hashing body field bytes) verified
on prod.

Changes:

cueapi/resources/cues.py:
- New ``auto_verify=True`` kwarg on ``CuesResource.fire``. Default
  verify-on (symmetric with MessagesResource.send). When set:
  - sends X-CueAPI-Verify-Echo: true request header
  - pre-computes sha256(canonical-JSON-of-body) client-side
  - on response: extracts body_received (defensive isinstance for
    both string post-fix shape AND dict pre-fix shape — sibling of
    PR #40 hotfix pattern)
  - if body_received_sha256 present: constant-cost hex compare first,
    fall back to string compare on sha drift (JSON-canonicalization
    differences could cause spurious sha mismatch)
  - on confirmed drift: raises BodyVerifyMismatchError with
    sent_body, received_body, first_divergence_byte, message_id
    (= execution_id for fire) attributes.

tests/test_cues_resource.py:
- Existing 3 TestFire tests updated to expect the new headers kwarg
  in the post call (X-CueAPI-Verify-Echo: true is now default-on).
- New TestFireAutoVerify class with 5 tests pinning:
  - Default adds verify-echo header
  - --auto_verify=False omits header
  - Byte-identical sha256 match passes
  - No-op when substrate omits echo fields (pre-Layer-1 backward-compat)
  - Opt-out skips verify even if substrate echoes

All 39 tests (messages + cues resource units) pass.

CHANGELOG entry under [Unreleased].

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mikemolinet
fix(cues.fire): default auto_verify=False until substrate echo semant…
d26c074 
…ics locked

CI revealed: substrate's /v1/cues/{id}/fire echoes a pydantic-after-parse
body that includes server-side default-population (e.g. empty {} request
gets echoed as 16-byte populated-defaults JSON). Client's canonical-JSON
serialization diverges from substrate's defaulted echo → spurious
BodyVerifyMismatchError on integration tests.

Mitigation: default auto_verify=False on CuesResource.fire. Callers opt-
in via auto_verify=True when their serialization aligns with substrate's
echo semantic. Once cueapi-primary locks per-field echo semantics for
fire (sibling to the body_received semantic locked for /v1/messages),
flip default to True.

Existing fire tests reverted to expect headers={} (no auto-verify).
TestFireAutoVerify class tests updated to explicitly pass auto_verify=True.

39 of 39 messages + cues resource tests pass. Integration tests in
test_cues.py no longer raise spurious BodyVerifyMismatchError.
@govindkavaturi-art govindkavaturi-art enabled auto-merge (squash) May 11, 2026 23:58
@mikemolinet mikemolinet merged commit ba1c45f into main May 11, 2026
3 checks passed
@mikemolinet mikemolinet deleted the feat/cues-fire-auto-verify-and-sha256 branch May 11, 2026 23:58
This was referenced May 12, 2026
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@mikemolinet