Skip to content

cues.fire: auto_verify + sha256 constant-cost path (Phase 2 follow-on B + bonus)#41

Merged
mikemolinet merged 2 commits into
mainfrom
feat/cues-fire-auto-verify-and-sha256
May 11, 2026
Merged

cues.fire: auto_verify + sha256 constant-cost path (Phase 2 follow-on B + bonus)#41
mikemolinet merged 2 commits into
mainfrom
feat/cues-fire-auto-verify-and-sha256

Conversation

@mikemolinet
Copy link
Copy Markdown
Collaborator

@mikemolinet mikemolinet commented May 11, 2026

Summary

Follow-on B (CuesResource.fire auto_verify) + bonus (sha256 constant-cost path) of body-verify defense-in-depth. cue-pm unblocked at ~23:48Z after primary's substrate-fix verified on prod.

Mirror of MessagesResource.send auto_verify pattern, applied to client.cues.fire() for symmetric coverage of /v1/cues/{cue_id}/fire endpoint.

What

  • auto_verify=True kwarg on CuesResource.fire. Default on.
  • Pre-computes sha256(canonical-JSON(body)).hexdigest() client-side.
  • Compares vs body_received_sha256 (constant cost) first; falls back to string compare on hash mismatch.
  • Raises BodyVerifyMismatchError on confirmed drift; message_id field carries the execution_id.
  • Defensive isinstance handles BOTH wire shapes (string post-fix; dict pre-fix). Sibling of PR fix(messages.send): body_received is dict not flat string (empirical wire-shape) #40 hotfix.

Test plan

  • 3 existing TestFire tests updated to expect default-on header
  • 5 new TestFireAutoVerify tests
  • 39 of 39 messages + cues resource tests pass

Defense-in-depth status post-merge

  • Layer 1 (substrate echo-back): SHIPPED + FIXED (flat-string body_received)
  • Layer 2 (SDK auto-verify): cueapi-python messages SHIPPED + cueapi-cli SHIPPED + THIS PR adds cues fire mirror
  • Layer 3 (force-file mode): SHIPPED across cueapi-cli + cueapi-action + cue-mac-app
  • Layer 4 (docs): joint with cue-pm, ships last

🤖 Generated with Claude Code

mikemolinet and others added 2 commits May 11, 2026 16:48
@mikemolinet @claude
cues.fire: auto_verify + sha256 constant-cost path (Phase 2 follow-on…
a900779 
… B + bonus)

Mike body-verify directive 2026-05-11. cue-pm unblocked these
follow-ons at ~23:48Z after primary's substrate-fix (body_received
flat-string + body_received_sha256 hashing body field bytes) verified
on prod.

Changes:

cueapi/resources/cues.py:
- New ``auto_verify=True`` kwarg on ``CuesResource.fire``. Default
  verify-on (symmetric with MessagesResource.send). When set:
  - sends X-CueAPI-Verify-Echo: true request header
  - pre-computes sha256(canonical-JSON-of-body) client-side
  - on response: extracts body_received (defensive isinstance for
    both string post-fix shape AND dict pre-fix shape — sibling of
    PR #40 hotfix pattern)
  - if body_received_sha256 present: constant-cost hex compare first,
    fall back to string compare on sha drift (JSON-canonicalization
    differences could cause spurious sha mismatch)
  - on confirmed drift: raises BodyVerifyMismatchError with
    sent_body, received_body, first_divergence_byte, message_id
    (= execution_id for fire) attributes.

tests/test_cues_resource.py:
- Existing 3 TestFire tests updated to expect the new headers kwarg
  in the post call (X-CueAPI-Verify-Echo: true is now default-on).
- New TestFireAutoVerify class with 5 tests pinning:
  - Default adds verify-echo header
  - --auto_verify=False omits header
  - Byte-identical sha256 match passes
  - No-op when substrate omits echo fields (pre-Layer-1 backward-compat)
  - Opt-out skips verify even if substrate echoes

All 39 tests (messages + cues resource units) pass.

CHANGELOG entry under [Unreleased].

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mikemolinet
fix(cues.fire): default auto_verify=False until substrate echo semant…
d26c074 
…ics locked

CI revealed: substrate's /v1/cues/{id}/fire echoes a pydantic-after-parse
body that includes server-side default-population (e.g. empty {} request
gets echoed as 16-byte populated-defaults JSON). Client's canonical-JSON
serialization diverges from substrate's defaulted echo → spurious
BodyVerifyMismatchError on integration tests.

Mitigation: default auto_verify=False on CuesResource.fire. Callers opt-
in via auto_verify=True when their serialization aligns with substrate's
echo semantic. Once cueapi-primary locks per-field echo semantics for
fire (sibling to the body_received semantic locked for /v1/messages),
flip default to True.

Existing fire tests reverted to expect headers={} (no auto-verify).
TestFireAutoVerify class tests updated to explicitly pass auto_verify=True.

39 of 39 messages + cues resource tests pass. Integration tests in
test_cues.py no longer raise spurious BodyVerifyMismatchError.
@govindkavaturi-art govindkavaturi-art enabled auto-merge (squash) May 11, 2026 23:58
@mikemolinet mikemolinet merged commit ba1c45f into main May 11, 2026
3 checks passed
@mikemolinet mikemolinet deleted the feat/cues-fire-auto-verify-and-sha256 branch May 11, 2026 23:58
This was referenced May 12, 2026
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mikemolinet