feat(nuts): add update-nuts and verify-nuts commands#19463
Open
maurelian
commented
Mar 10, 2026
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
##           develop   #19463      +/-   ##
===========================================
+ Coverage     75.6%    75.9%     +0.2%
===========================================
  Files          195      684      +489
  Lines        11343    73097    +61754
===========================================
+ Hits          8581    55500    +46919
- Misses        2618    17453    +14835
  Partials       144      144
sebastianst
reviewed
Mar 10, 2026
3665df7 to f528e73
Generates a fresh NUT bundle from contracts and snapshots it to the fork-specific location, updating fork_lock.toml with hash and commit.
Let the caller generate the bundle separately. update-nuts should only snapshot and lock what already exists.
Covers generation, snapshotting, verification, CI checks, and the process for adding a new fork's bundle.
Moves the duplicated struct and lock file read/write logic into a shared package, addressing review feedback.
f528e73 to 4bf25a6
Wiz SAST flagged 0644 as overly permissive for generated bundle files.
maurelian
commented
Apr 1, 2026
maurelian
commented
Apr 1, 2026
maurelian
commented
Apr 1, 2026
Prevents accidental overwrites of finalized NUT bundles. A `locked` boolean in fork_lock.toml gates update-nuts and CI enforcement.
check-nut-locks -> nut-lock-check
update-nuts -> nut-snapshot-for
verify-nuts -> nut-provenance-verify
The original bundle predated the snapshot workflow, so the commit field couldn't be verified. Regenerated from current contracts.
The current-upgrade-bundle.json and nut-bundle-check are contracts-bedrock concerns, not relevant to the op-core/nuts package.
Hash verification and code review are sufficient protection. The locked field, base-branch comparison, and update guard added unnecessary complexity.
Update fork_lock.toml header with reviewer guidance. Add nut-provenance-verify to CI, gated on op-core/nuts/ changes.
Compare each fork's hash against origin/develop to skip unchanged ones.
sebastianst
reviewed
Apr 2, 2026
nut-snapshot-for now records git merge-base HEAD origin/develop instead of HEAD, so the commit persists after squash-merge. check-nut-locks verifies the commit is an ancestor of origin/develop.
refactor(nuts): use multiline strings in WriteLockFile
Extract validateEntry for testability. Tests cover: matching hash, hash mismatch, empty commit, and modified bundle detection.
Inject bundleGenerator to test the worktree checkout and comparison flow without requiring forge. Covers matching, mismatched, and generator-modified bundle scenarios.
sebastianst
approved these changes
Apr 2, 2026
8a3d102 to 0da7f52
0xOneTony
approved these changes
Apr 3, 2026
Summary
Here we establish a workflow for canonicalizing a bundle for a given fork.
New commands:
- `just nut-snapshot-for <fork>` — snapshots `current-upgrade-bundle.json` as a fork's NUT bundle and updates `fork_lock.toml` with the hash and commit.
- `just nut-provenance-verify <fork>` — for a given fork in the lock file, verifies that the bundle hash matches the bundle as generated from the recorded commit. Runs in CI only on changed hashes.
Modifications to existing commands:
- `fork_lock.toml` schema with a `commit` field to track which commit produced each bundle
- `just check-nut-locks` to ensure that commits in the lockfile are available in the git history.
Test plan
- `just nut-snapshot-for karst` — copies bundle, updates lock with hash + commit
- `just check-nut-locks` — passes with new `commit` field in schema
- `just nut-provenance-verify karst` — passes (hash matches lock)
- `just check-nut-locks` fails (hash mismatch) (broken commit/job demo)
- `just check-nut-locks` fails (commit not found in history) (broken commit/job demo)
- `just nut-provenance-verify karst` after modifying the bundle → fails (regenerated bundle differs)
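As an added illustration (not code from this PR or from op-core/nuts), the two checks the test plan exercises, written against a hypothetical LockEntry type: nut-provenance-verify's comparison of a regenerated bundle's hash against the locked hash, and check-nut-locks' rule that the locked commit must be an ancestor of origin/develop, modelled over a constructed commit graph instead of a git call. The commit ids, the bundle contents and the choice of sha256 are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// LockEntry: the per-fork fields this PR adds to fork_lock.toml (hypothetical type, not op-core's own).
type LockEntry struct{ Fork, Hash, Commit string }

// BundleHash returns the lowercase hex sha256 of the bundle bytes (assumed digest).
func BundleHash(bundle []byte) string { return fmt.Sprintf("%x", sha256.Sum256(bundle)) }

// ValidateEntry models nut-provenance-verify for one fork: the entry must record a
// commit, and the bundle regenerated from that commit must hash to the locked value.
func ValidateEntry(e LockEntry, regenerated []byte) error {
	if e.Commit == "" {
		return fmt.Errorf("fork %q: lock entry has no commit", e.Fork)
	}
	if got := BundleHash(regenerated); got != e.Hash {
		return fmt.Errorf("fork %q: regenerated hash %s does not match lock %s", e.Fork, got, e.Hash)
	}
	return nil
}

// IsAncestor models the check-nut-locks rule that the locked commit is reachable from
// origin/develop. parents maps commit -> parent ids; the walk handles merges and revisits.
func IsAncestor(parents map[string][]string, commit, head string) bool {
	seen := map[string]bool{}
	for stack := []string{head}; len(stack) > 0; {
		c := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if c == commit {
			return true
		}
		if !seen[c] {
			seen[c] = true
			stack = append(stack, parents[c]...)
		}
	}
	return false
}

func main() {
	// Constructed sample: bundle snapshotted at c2; develop head is c4; f1 is an unmerged branch.
	bundle := []byte(`{"fork":"karst","txs":[]}`)
	entry := LockEntry{Fork: "karst", Hash: BundleHash(bundle), Commit: "c2"}
	parents := map[string][]string{"c4": {"c3"}, "c3": {"c2", "m1"}, "c2": {"c1"}, "m1": {"c1"}, "f1": {"c2"}}
	fmt.Println(ValidateEntry(entry, bundle), IsAncestor(parents, "c2", "c4"), IsAncestor(parents, "f1", "c4"))
	fmt.Println(ValidateEntry(entry, append(bundle, '\n'))) // modified bundle: hash mismatch
}
```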