Preserve per-tag directories to prevent bundle overwrites (merges into #96)

[cubic-dev-ai]

🤖 PR by cubic

This PR addresses the comment in #96 – Harden parser validation and evidence guardrails

File: evidence/packager.py
Line: 268
Comment:

resolve_within_root flattens tag names, so different namespaced tags now produce the same bundle filename and overwrite existing bundles. Please keep the per-tag directory structure when constructing the bundle path.

This fix was automatically generated. Please review the changes carefully before merging.

---

Summary by cubic

Preserves per-tag directory structure for evidence bundles and manifests to prevent overwrites from namespaced tags. Implements the feedback from #96 by using nested paths and creating parent directories.

• Bug Fixes

  • Keep per-tag directories in bundle and manifest paths (replace ":" with "_" and create parent dirs), preventing filename collisions.
  • Include manifest signature in the archive and clean up temporary signature files.
  • Update tests to assert the new nested paths.

• Migration

  • Update any consumers expecting flat paths. New locations:
    • evidence/bundles/<namespaced/tag with ":" replaced>.zip
    • evidence/manifests/<namespaced/tag with ":" replaced>.yaml

[chatgpt-codex-connector]

💡 Codex Review

Fixops/backend/api/evidence/router.py

Lines 18 to 47 in 7617726

	@router.get("/")
	async def list_evidence(request: Request) -> dict[str, Any]:
	manifest_dir, bundle_dir = _resolve_directories(request)
	releases: list[dict[str, Any]] = []
	for manifest_path in sorted(manifest_dir.glob("*.yaml")):
	tag = manifest_path.stem
	bundle_path = bundle_dir / f"{tag}.zip"
	releases.append(
	{
	"tag": tag,
	"manifest_path": str(manifest_path),
	"bundle_available": bundle_path.is_file(),
	"bundle_path": str(bundle_path) if bundle_path.is_file() else None,
	"updated_at": manifest_path.stat().st_mtime,
	}
	)
	return {"count": len(releases), "releases": releases}
	@router.get("/{release}")
	async def evidence_manifest(release: str, request: Request) -> dict[str, Any]:
	manifest_dir, bundle_dir = _resolve_directories(request)
	manifest_path = manifest_dir / f"{release}.yaml"
	if not manifest_path.is_file():
	raise HTTPException(status_code=404, detail="Evidence manifest not found")
	with manifest_path.open("r", encoding="utf-8") as handle:
	payload = yaml.safe_load(handle) or {}
	if not isinstance(payload, dict):
	raise HTTPException(status_code=500, detail="Malformed evidence manifest")
	bundle_path = bundle_dir / f"{release}.zip"

Update evidence API for directory-based tags

The packager now persists bundles and manifests into tag-derived subdirectories (tag_path = Path(tag.replace(':', '_')) followed by parent.mkdir()), so tags containing namespaces like ghcr.io/org/app:1.0 produce files in nested folders. The evidence API still assumes everything lives directly under the root, using manifest_dir.glob("*.yaml") and constructing paths with f"{tag}.zip"/f"{release}.yaml", and the route parameter cannot capture /. As a result, namespaced bundles created after this change will neither be listed nor retrievable via /evidence. The API needs to mirror the new path transformation (e.g. recursive globbing or matching on the same translated tag) to avoid returning empty results or 404s for valid bundles.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR.

• @codex fix this CI failure
• @codex address that feedback

[cubic-dev-ai]

No issues found across 2 files