feat(cli): add strict verification profile and lenient profile hint#5
Merged
Conversation
spine-cli verify exposed only the lenient profile, so the demo WAL (signed under the strict, domain-separated contract that backs the browser playground) failed every signature check and read INVALID. Add --strict, routing to spine_core::verify_demo_wal: the signing key is pinned from --trusted-pubkey, --expected-root is mandatory, and each payload_hash is recomputed from the inline payload's canonical JSON. The two profiles stay cryptographically distinct; this exposes the strict contract on the CLI instead of merging it with lenient. Also surface a hint when every record fails the lenient signature check, pointing at --strict rather than leaving a wall of identical errors. Covered by six new cli_smoke tests.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
spine-cli verifyonly exposed the lenient profile. The demo WAL issigned under the strict, domain-separated contract that backs the browser
playground, so running the CLI against it failed every signature check and
reported
INVALID, even though the WAL is genuinely valid.This adds the strict profile to the CLI so the same WAL verifies on the CLI
and in the playground, and adds a hint so a profile mismatch no longer reads
as catastrophic failure.
Changes
verify --strict: routes tospine_core::verify_demo_wal(theplayground contract). The signing key is pinned from
--trusted-pubkey,--expected-rootis mandatory, and eachpayload_hashis recomputed fromthe inline payload's canonical JSON. The two profiles stay cryptographically
distinct (domain separation preserved); the CLI now exposes the strict
contract rather than merging it with lenient.
under lenient, the report points at
--strictinstead of leaving a wall ofidentical errors.
--trusted-pubkey/--expected-root, or combined with--keystore, exits2(usage error); a malformed pinned key surfaces asERROR/ exit2.Tests
Six new
cli_smokeintegration tests: strict valid, strict payload tamper(
payload_hash_mismatch), wrong pinned key (pubkey_mismatch, never asignature failure), mandatory flags,
--keystorerejection, and the lenientprofile hint. CLI smoke suite: 13 -> 19.
Verification
cargo fmt --all --check,cargo clippy --workspace --all-targets -- -D warnings: clean.cargo test --workspace --all-features: green.spine-cliclean under pedantic + nursery (--no-deps).