chore(tui): document non-interactive validation path#15
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces local state log chains and evidence event verification, replacing the previous Merkle tree concept. It adds new JSON schemas, updates the CLI and TUI to support file-based verification, implements pattern and minItems validation, and includes comprehensive tests. The review feedback highlights a critical bug in pattern matching where re.match should be replaced with re.search to align with JSON Schema specifications. Additionally, the feedback suggests enforcing a minimum of one entry in state log chains to match schema constraints, cleaning up an inline import in the status screen, and strengthening the evidence event schema with pattern constraints for hashes.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if "pattern" in schema and isinstance(instance, str): | ||
| import re | ||
| if not re.match(schema["pattern"], instance): | ||
| raise ValueError(f"{location} does not match pattern {schema['pattern']}") |
There was a problem hiding this comment.
In JSON Schema, the pattern keyword is not implicitly anchored (it behaves as a partial match unless explicitly anchored with ^ and $). Using Python's re.match restricts the match to the beginning of the string, which can cause valid JSON instances to fail validation if the pattern is not anchored but matches later in the string. Using re.search is the correct way to implement JSON Schema pattern matching in Python.
| if "pattern" in schema and isinstance(instance, str): | |
| import re | |
| if not re.match(schema["pattern"], instance): | |
| raise ValueError(f"{location} does not match pattern {schema['pattern']}") | |
| if "pattern" in schema and isinstance(instance, str): | |
| import re | |
| if not re.search(schema["pattern"], instance): | |
| raise ValueError(f"{location} does not match pattern {schema['pattern']}") |
| def verify_state_log_chain(entries: list[dict[str, Any]]) -> dict[str, Any]: | ||
| """Verify sequence, previous state hashes, git commit refs, and content hashes in a state log chain.""" | ||
| previous_hash = GENESIS_HASH |
There was a problem hiding this comment.
The schema schemas/evidence-state-log.v0.schema.json defines a minItems constraint of 1 for the state log array. However, verify_state_log_chain currently accepts an empty list of entries and returns {"ok": True}. To ensure consistency between schema validation and cryptographic verification, we should explicitly reject empty state log chains.
def verify_state_log_chain(entries: list[dict[str, Any]]) -> dict[str, Any]:
"""Verify sequence, previous state hashes, git commit refs, and content hashes in a state log chain."""
if not entries:
return {"ok": False, "error": "state log chain must contain at least one entry"}
previous_hash = GENESIS_HASH| state_log_path = repo_root / "examples/workspace/evidence-state-log.sample.json" | ||
| from modules.evidence.evidence import verify_file_state_log | ||
| state_log_res = verify_file_state_log(filepath=state_log_path) | ||
| evidence_ok = bool(evidence_res.get("ok")) and bool(state_log_res.get("ok")) |
There was a problem hiding this comment.
The inline import of verify_file_state_log is unnecessary and can be moved to the top of the file alongside other imports from modules.evidence.evidence (such as verify_sample_evidence on line 9) to keep the imports clean and consistent with modules/cli/tui.py.
| state_log_path = repo_root / "examples/workspace/evidence-state-log.sample.json" | |
| from modules.evidence.evidence import verify_file_state_log | |
| state_log_res = verify_file_state_log(filepath=state_log_path) | |
| evidence_ok = bool(evidence_res.get("ok")) and bool(state_log_res.get("ok")) | |
| state_log_path = repo_root / "examples/workspace/evidence-state-log.sample.json" | |
| state_log_res = verify_file_state_log(filepath=state_log_path) | |
| evidence_ok = bool(evidence_res.get("ok")) and bool(state_log_res.get("ok")) |
| }, | ||
| "previous_hash": { | ||
| "type": "string" | ||
| }, | ||
| "hash": { | ||
| "type": "string" |
There was a problem hiding this comment.
To make the schema validation more robust and consistent with evidence-state-log-entry.v0.schema.json, we should add a regex pattern constraint to enforce that previous_hash and hash are valid 64-character hexadecimal strings.
"previous_hash": {
"type": "string",
"pattern": "^[0-9a-fA-F]{64}$"
},
"hash": {
"type": "string",
"pattern": "^[0-9a-fA-F]{64}$"
}
Summary:
Changed files:
Validation:
Risk:
Low. Documentation and schema-description alignment only; no runtime behavior changes.