
Preserve per-tag directories to prevent bundle overwrites (merges into #96) #103

Merged

DevOpsMadDog merged 1 commit into codex/implement-parser-hardening-and-safety-improvements from cubic-fix-evidence-packager-py-L268-1760701090 on Oct 17, 2025

Conversation


@cubic-dev-ai cubic-dev-ai Bot commented Oct 17, 2025

🤖 PR by cubic

This PR addresses the comment in #96 – Harden parser validation and evidence guardrails

File: evidence/packager.py
Line: 268
Comment:

resolve_within_root flattens tag names, so different namespaced tags now produce the same bundle filename and overwrite existing bundles. Please keep the per-tag directory structure when constructing the bundle path.

This fix was automatically generated. Please review the changes carefully before merging.

Summary by cubic

Preserves per-tag directory structure for evidence bundles and manifests to prevent overwrites from namespaced tags. Implements the feedback from #96 by using nested paths and creating parent directories.

  • Bug Fixes
    • Keep per-tag directories in bundle and manifest paths (replace ":" with "_" and create parent dirs), preventing filename collisions.
    • Include manifest signature in the archive and clean up temporary signature files.
    • Update tests to assert the new nested paths.
  • Migration
    • Update any consumers expecting flat paths. New locations:
      • evidence/bundles/<namespaced/tag with ":" replaced>.zip
      • evidence/manifests/<namespaced/tag with ":" replaced>.yaml


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

```python
from typing import Any

import yaml
from fastapi import HTTPException, Request

# `router` and `_resolve_directories` are defined elsewhere in the module this excerpt comes from.


@router.get("/")
async def list_evidence(request: Request) -> dict[str, Any]:
    manifest_dir, bundle_dir = _resolve_directories(request)
    releases: list[dict[str, Any]] = []
    # Non-recursive glob: only manifests directly under the root are found.
    for manifest_path in sorted(manifest_dir.glob("*.yaml")):
        tag = manifest_path.stem
        # Flat bundle name: does not mirror the packager's per-tag subdirectories.
        bundle_path = bundle_dir / f"{tag}.zip"
        releases.append(
            {
                "tag": tag,
                "manifest_path": str(manifest_path),
                "bundle_available": bundle_path.is_file(),
                "bundle_path": str(bundle_path) if bundle_path.is_file() else None,
                "updated_at": manifest_path.stat().st_mtime,
            }
        )
    return {"count": len(releases), "releases": releases}


@router.get("/{release}")
async def evidence_manifest(release: str, request: Request) -> dict[str, Any]:
    manifest_dir, bundle_dir = _resolve_directories(request)
    # A plain path parameter cannot contain "/", so namespaced releases are unreachable here.
    manifest_path = manifest_dir / f"{release}.yaml"
    if not manifest_path.is_file():
        raise HTTPException(status_code=404, detail="Evidence manifest not found")
    with manifest_path.open("r", encoding="utf-8") as handle:
        payload = yaml.safe_load(handle) or {}
    if not isinstance(payload, dict):
        raise HTTPException(status_code=500, detail="Malformed evidence manifest")
    bundle_path = bundle_dir / f"{release}.zip"
```

P1: Update evidence API for directory-based tags

The packager now persists bundles and manifests into tag-derived subdirectories (tag_path = Path(tag.replace(':', '_')) followed by parent.mkdir()), so tags containing namespaces like ghcr.io/org/app:1.0 produce files in nested folders. The evidence API still assumes everything lives directly under the root, using manifest_dir.glob("*.yaml") and constructing paths with f"{tag}.zip"/f"{release}.yaml", and the route parameter cannot capture /. As a result, namespaced bundles created after this change will neither be listed nor retrievable via /evidence. The API needs to mirror the new path transformation (e.g. recursive globbing or matching on the same translated tag) to avoid returning empty results or 404s for valid bundles.

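The following is an added illustration, not code from this PR or the repository, of the path mismatch the review describes: the packager's `tag.replace(':', '_')` transformation, the recursive listing the API would need in place of `glob("*.yaml")`, a containment check standing in for `resolve_within_root` (assumed, since the nested directories make `..` components in a tag relevant again), and the fact that the mapping is lossy. All names and the sample tags are constructed for the example.

```python
from pathlib import Path
import tempfile


def tag_to_relpath(tag: str) -> Path:
    """Mirror the packager: ':' becomes '_', '/' stays a directory separator."""
    return Path(tag.replace(":", "_"))


def bundle_path(root: Path, tag: str) -> Path:
    """Nested bundle location under root/bundles; raises ValueError if it escapes."""
    bundles = (root / "bundles").resolve()
    # Concatenate the suffix: Path.with_suffix(".zip") would replace ".0" in "app_1.0".
    candidate = (bundles / f"{tag_to_relpath(tag)}.zip").resolve()
    # Containment check (assumed stand-in for resolve_within_root): now that tag
    # subdirectories are kept, a tag with '..' components must not leave the root.
    candidate.relative_to(bundles)
    return candidate


def list_manifest_keys(manifest_dir: Path) -> list[str]:
    """What the API must do instead of glob('*.yaml'): recurse and return translated keys."""
    return sorted(
        p.relative_to(manifest_dir).with_suffix("").as_posix()
        for p in manifest_dir.rglob("*.yaml")
    )


def demo() -> dict[str, object]:
    """Constructed sample tree: three tags, two of them namespaced with '/'."""
    root = Path(tempfile.mkdtemp())
    manifests = root / "manifests"
    for tag in ("ghcr.io/org/app:1.0", "ghcr.io/other/app:1.0", "app:1.0"):
        path = manifests / f"{tag_to_relpath(tag)}.yaml"
        path.parent.mkdir(parents=True, exist_ok=True)  # the parent.mkdir() the packager now does
        path.write_text(f"tag: {tag}\n", encoding="utf-8")
    try:
        bundle_path(root, "../../outside/app:1.0")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "flat": sorted(p.stem for p in manifests.glob("*.yaml")),  # the API's current view
        "nested": list_manifest_keys(manifests),
        "traversal_rejected": rejected,
        # The mapping is lossy: a tag that already contains '_' shares a key with its ':' twin.
        "ambiguous": tag_to_relpath("app_1.0") == tag_to_relpath("app:1.0"),
    }
```

For the lookup route, the translated key contains slashes, so the FastAPI/Starlette parameter would also need the `{release:path}` convertor rather than a plain `{release}`.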


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

@DevOpsMadDog DevOpsMadDog merged commit 88b9980 into codex/implement-parser-hardening-and-safety-improvements Oct 17, 2025
2 of 6 checks passed
DevOpsMadDog added a commit that referenced this pull request May 7, 2026
…/123 + build:5.50s (perf flake 1217ms vs 1000ms)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>