feat(cues): add --verify opt-in flag to fire (cueapi-python #41 parity)#55
Merged
Conversation
…y, Mike body-verify directive 2026-05-11) Parity port of cueapi-python #41 — body-verify Phase 2 on cues.fire, but **OPT-IN** (not default-on) because the substrate's /v1/cues/{id}/fire endpoint echoes a pydantic-after-parse body that may include server-side default-population, causing spurious diff vs the CLI's canonical-JSON serialization. Mirrors primary's #41 design rationale: default OFF; caller opts in with --verify when they know substrate echo semantics match their serialization (typical for the sha256 constant-cost path). Diverges from messages-send body-verify which is default-on (--no-verify opt-out) because that endpoint echoes the raw STRING body field per the spec-lock — no parsed-defaulted shape concern. Implementation: - New --verify click flag (is_flag, default False). Help text documents the OPT-IN rationale + the substrate-echo-shape concern. - When --verify: send X-CueAPI-Verify-Echo: true header; pre-compute sha256(canonical-JSON(body)) hexdigest client-side. - On 2xx response: compare sha256 first (constant-cost). If sha mismatch, fall back to string compare of body_received vs canonical body JSON. Spurious sha mismatch (e.g. canonical-JSON serialization diff) is rescued by the string compare. - Defensive isinstance: body_received as string (post-#798 spec-lock) OR dict (pre-#798 wire shape). Matches the same pattern in cueapi-cli messages-send (#53) and cueapi-python messages.send (#40). - On confirmed mismatch: exit 7 with byte-divergence diagnostic. Uses click.echo + raise SystemExit(7) directly (NOT echo_error which would raise SystemExit(1) and shadow the verify-specific exit code). Tests (4 new): - test_fire_verify_off_by_default_omits_header — no --verify ⇒ no X-CueAPI-Verify-Echo header (preserves pre-#791 wire format) - test_fire_verify_on_sends_header — --verify ⇒ header set + sha match path passes silently - test_fire_verify_help_lists_flag — --help mentions --verify + the opt-in rationale so users discover the design context - test_fire_verify_mismatch_exits_7 — substrate echoes corrupted body ⇒ exit 7 with "body-verify mismatch" diagnostic Full file: 219/219 passing (was 215 + 4 new = 219). Backlog row: cmp1wj0q3. Out of scope: - cueapi-mcp parity (Backlog cmp1wj2a6) — separate PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Parity port of cueapi-python #41 — body-verify Phase 2 on
cues fire, but OPT-IN (default off).Design rationale (mirrors primary's #41)
Substrate's
/v1/cues/{id}/fireechoes a pydantic-after-parse body that may include server-side default-population, causing spurious diff vs the CLI's canonical-JSON serialization. So--verifyis opt-in — caller flips it on when they know substrate echo semantics match their serialization (typical for the sha256 constant-cost path).This diverges from messages-send body-verify which is default-on (
--no-verifyopt-out): that endpoint echoes the raw STRING body field per the #798 spec-lock — no parsed-defaulted shape concern.Wire shape
X-CueAPI-Verify-Echoheadercueapi fire cue_xcueapi fire cue_x --verify"true"Verify logic
sha256(canonical-JSON(body))hex client-side.body_received_sha256field (constant-cost).body_receivedvs canonical body JSON. Spurious SHA mismatch (e.g. JSON serialization diff) is rescued by string compare.body_received: string (post-#798 spec-lock) OR dict (pre-#798 wire shape) — matchescueapi-climessages-send fix(messages send + message-to): body_received is dict not flat string #53 andcueapi-pythonfeat: cueapi message-to <name> + agents list --online-only + agents describe alias #40.click.echo+raise SystemExit(7)directly (NOTecho_error, which raisesSystemExit(1)and would shadow the verify-specific exit code).Tests (4 new)
test_fire_verify_off_by_default_omits_header— preserves pre-#791 wire formattest_fire_verify_on_sends_header—--verifysends header + matching SHA path passes silentlytest_fire_verify_help_lists_flag—--helpdiscovers the opt-in rationaletest_fire_verify_mismatch_exits_7— substrate echoes corrupted body ⇒ exit 7 with "body-verify mismatch"Full file: 219/219 passing (215 + 4 new).
Parity-impact checklist
body_receivedshapesmessages sendverify)cmp1wj2a6— separate PR)Backlog row:
cmp1wj0q3.🤖 Generated with Claude Code