koala-artifact 1.0.4

Reviewer artifact format and sampling verifier.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359

//! `verify` re-runs a sample of recorded commands and compares hashes.
//!
//! Sampling is deterministic given a seed (defaults to a constant so
//! reruns under tests are reproducible). On hash mismatch, verify
//! synthesises a small per-line diff against the stored output for the
//! reviewer to triage.

use crate::normalize::{compute_hash, sha256_hex};
use crate::path::ArtifactPath;
use crate::record::ArtifactRecord;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::process::Command;
use walkdir::WalkDir;

#[derive(Debug, Clone)]
pub struct VerifyOptions {
    pub repo_root: PathBuf,
    /// Sample ratio in percent. 1..=100; values are clamped at the boundary.
    /// Default 10 (matches ADR-0005).
    pub sample_ratio_percent: u32,
    /// Seed for deterministic sampling. Reviewer can't predict CI's seed
    /// when it's tied to PR + run id (see ADR-0005). Tests pin an explicit
    /// value.
    pub seed: String,
    /// Cap on diff lines emitted on mismatch.
    pub diff_lines: usize,
}

impl Default for VerifyOptions {
    fn default() -> Self {
        Self {
            repo_root: PathBuf::from("."),
            sample_ratio_percent: 10,
            seed: String::from("koala-artifact-default"),
            diff_lines: 5,
        }
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DiffLine {
    pub side: DiffSide,
    pub text: String,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DiffSide {
    /// Line was in the recorded artifact but missing from the rerun.
    Removed,
    /// Line is in the rerun but wasn't in the recorded artifact.
    Added,
}

impl DiffSide {
    pub fn marker(&self) -> char {
        match self {
            Self::Removed => '-',
            Self::Added => '+',
        }
    }
}

#[derive(Debug, Clone)]
pub struct VerifyOutcome {
    /// Path relative to the repo root.
    pub artifact: PathBuf,
    pub status: VerifyStatus,
}

#[derive(Debug, Clone)]
pub enum VerifyStatus {
    /// Re-ran successfully and the hash matched the artifact.
    Match { hash: String },
    /// Hash disagreed — artifact was tampered or the command is non-deterministic.
    Mismatch {
        expected: String,
        actual: String,
        diff: Vec<DiffLine>,
    },
    /// Could not parse the file or run the command. Reported but distinct
    /// from a real tamper finding.
    Error(String),
}

#[derive(Debug, Clone)]
pub struct VerifyReport {
    /// All artifacts found under `.review/round-*/`.
    pub total: usize,
    /// Subset that we actually re-ran.
    pub sampled: usize,
    pub results: Vec<VerifyOutcome>,
}

impl VerifyReport {
    pub fn pass_count(&self) -> usize {
        self.results
            .iter()
            .filter(|r| matches!(r.status, VerifyStatus::Match { .. }))
            .count()
    }

    pub fn mismatch_count(&self) -> usize {
        self.results
            .iter()
            .filter(|r| matches!(r.status, VerifyStatus::Mismatch { .. }))
            .count()
    }

    pub fn error_count(&self) -> usize {
        self.results
            .iter()
            .filter(|r| matches!(r.status, VerifyStatus::Error(_)))
            .count()
    }

    /// Mismatches are gating; parse / spawn errors are also surfaced as
    /// non-zero exit because they indicate a malformed artifact.
    pub fn is_clean(&self) -> bool {
        self.mismatch_count() == 0 && self.error_count() == 0
    }
}

#[derive(Debug)]
pub enum VerifyError {
    Walk(io::Error),
    BadOptions(String),
}

impl std::fmt::Display for VerifyError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Walk(e) => write!(f, "walking .review failed: {e}"),
            Self::BadOptions(s) => write!(f, "{s}"),
        }
    }
}

impl std::error::Error for VerifyError {}

pub fn verify(opts: &VerifyOptions) -> Result<VerifyReport, VerifyError> {
    if opts.sample_ratio_percent == 0 || opts.sample_ratio_percent > 100 {
        return Err(VerifyError::BadOptions(format!(
            "sample ratio must be 1..=100, got {}",
            opts.sample_ratio_percent
        )));
    }

    let mut artifacts = collect_artifacts(&opts.repo_root);
    artifacts.sort();
    let total = artifacts.len();

    let sample = select_sample(&artifacts, opts.sample_ratio_percent, &opts.seed);
    let sampled = sample.len();

    let mut results = Vec::with_capacity(sampled);
    for rel in sample {
        results.push(verify_one(&opts.repo_root, &rel, opts.diff_lines));
    }

    Ok(VerifyReport {
        total,
        sampled,
        results,
    })
}

/// All `.review/round-*/<file>.md` paths, returned relative to `repo_root`.
/// Files that don't match the canonical layout are silently skipped — they
/// might be `_assets/` directories or stray notes.
fn collect_artifacts(repo_root: &Path) -> Vec<PathBuf> {
    let dir = repo_root.join(".review");
    if !dir.is_dir() {
        return Vec::new();
    }
    WalkDir::new(&dir)
        .into_iter()
        .filter_map(Result::ok)
        .filter(|e| e.file_type().is_file())
        .filter_map(|e| e.path().strip_prefix(repo_root).ok().map(Path::to_path_buf))
        .filter(|rel| ArtifactPath::parse_relative(rel).is_ok())
        .collect()
}

/// Sort artifacts by `sha256(seed || path)`; take the first
/// `ceil(N * ratio / 100)` (always at least 1 when N ≥ 1). Deterministic
/// given seed, opaque to the reviewer.
fn select_sample(items: &[PathBuf], ratio_percent: u32, seed: &str) -> Vec<PathBuf> {
    if items.is_empty() {
        return Vec::new();
    }
    let target = std::cmp::max(1, (items.len() * ratio_percent as usize).div_ceil(100));
    let mut scored: Vec<(String, &PathBuf)> = items
        .iter()
        .map(|p| {
            let key = format!("{seed}\u{1f}{}", p.display());
            (sha256_hex(&key), p)
        })
        .collect();
    scored.sort_by(|a, b| a.0.cmp(&b.0));
    scored
        .into_iter()
        .take(target)
        .map(|(_, p)| p.clone())
        .collect()
}

fn verify_one(repo_root: &Path, rel: &Path, diff_cap: usize) -> VerifyOutcome {
    let abs = repo_root.join(rel);
    let text = match fs::read_to_string(&abs) {
        Ok(s) => s,
        Err(e) => {
            return VerifyOutcome {
                artifact: rel.to_path_buf(),
                status: VerifyStatus::Error(format!("read failed: {e}")),
            };
        }
    };
    let record = match ArtifactRecord::parse(&text) {
        Ok(r) => r,
        Err(e) => {
            return VerifyOutcome {
                artifact: rel.to_path_buf(),
                status: VerifyStatus::Error(format!("parse failed: {e}")),
            };
        }
    };

    let actual = match rerun(repo_root, &record.command) {
        Ok(out) => out,
        Err(e) => {
            return VerifyOutcome {
                artifact: rel.to_path_buf(),
                status: VerifyStatus::Error(format!("rerun failed: {e}")),
            };
        }
    };
    let actual_hash = compute_hash(&record.command, actual.exit_code, &actual.output, repo_root);
    if actual_hash == record.hash {
        VerifyOutcome {
            artifact: rel.to_path_buf(),
            status: VerifyStatus::Match { hash: actual_hash },
        }
    } else {
        let diff = line_diff(&record.output, &actual.output, diff_cap);
        VerifyOutcome {
            artifact: rel.to_path_buf(),
            status: VerifyStatus::Mismatch {
                expected: record.hash.clone(),
                actual: actual_hash,
                diff,
            },
        }
    }
}

struct RerunOutput {
    exit_code: i32,
    output: String,
}

fn rerun(repo_root: &Path, command: &[String]) -> Result<RerunOutput, io::Error> {
    if command.is_empty() {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "empty command"));
    }
    let out = Command::new(&command[0])
        .args(&command[1..])
        .current_dir(repo_root)
        .output()?;
    let exit_code = out.status.code().unwrap_or(-1);
    let mut combined = Vec::with_capacity(out.stdout.len() + out.stderr.len());
    combined.extend_from_slice(&out.stdout);
    if !out.stderr.is_empty() {
        if !combined.is_empty() && !combined.ends_with(b"\n") {
            combined.push(b'\n');
        }
        combined.extend_from_slice(&out.stderr);
    }
    Ok(RerunOutput {
        exit_code,
        output: String::from_utf8_lossy(&combined).into_owned(),
    })
}

/// Cheap symmetric diff: lines in `expected` and not `actual` are
/// `Removed`, lines in `actual` and not `expected` are `Added`. Capped at
/// `cap` total entries — the verify printout only needs a hint.
fn line_diff(expected: &str, actual: &str, cap: usize) -> Vec<DiffLine> {
    use std::collections::HashSet;
    let exp: HashSet<&str> = expected.lines().collect();
    let act: HashSet<&str> = actual.lines().collect();
    let mut out = Vec::new();

    let mut removed: Vec<&&str> = exp.difference(&act).collect();
    removed.sort();
    for s in removed {
        if out.len() >= cap {
            return out;
        }
        out.push(DiffLine {
            side: DiffSide::Removed,
            text: (*s).to_string(),
        });
    }
    let mut added: Vec<&&str> = act.difference(&exp).collect();
    added.sort();
    for s in added {
        if out.len() >= cap {
            return out;
        }
        out.push(DiffLine {
            side: DiffSide::Added,
            text: (*s).to_string(),
        });
    }
    out
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn select_sample_is_deterministic_per_seed() {
        let items: Vec<PathBuf> = (0..20)
            .map(|i| PathBuf::from(format!("a-{i}.md")))
            .collect();
        let a = select_sample(&items, 25, "seed-X");
        let b = select_sample(&items, 25, "seed-X");
        assert_eq!(a, b);
        let c = select_sample(&items, 25, "seed-Y");
        assert_ne!(a, c, "different seed should pick a different subset");
    }

    #[test]
    fn select_sample_respects_ratio() {
        let items: Vec<PathBuf> = (0..10)
            .map(|i| PathBuf::from(format!("a-{i}.md")))
            .collect();
        assert_eq!(select_sample(&items, 100, "s").len(), 10);
        assert_eq!(select_sample(&items, 50, "s").len(), 5);
        assert_eq!(select_sample(&items, 10, "s").len(), 1);
        // Ceiling: 10% of 1 → at least 1.
        assert_eq!(select_sample(&[PathBuf::from("x.md")], 10, "s").len(), 1);
    }

    #[test]
    fn empty_repo_returns_empty_report() {
        let dir = tempfile::tempdir().unwrap();
        let report = verify(&VerifyOptions {
            repo_root: dir.path().to_path_buf(),
            ..Default::default()
        })
        .unwrap();
        assert_eq!(report.total, 0);
        assert_eq!(report.sampled, 0);
    }
}