jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/internal/manifest/schema_version.go
Jeremie Fraeys 4a4d3de8e1
feat(security): Manifest security - nonce generation, environment tracking, schema validation 
Add cryptographically secure manifest filename nonce generation:
- GenerateManifestNonce() creates 16-byte random nonce (32 hex chars)
- GenerateManifestFilename() creates unique filenames: run_manifest_<nonce>.json
- Prevents enumeration attacks on manifest files

Add ExecutionEnvironment struct to manifest:
- Captures ConfigHash for reproducibility verification
- Records GPU detection method (auto-detected, env override, config, etc.)
- Records sandbox settings (NoNewPrivileges, DropAllCaps, NetworkMode)
- Records compliance mode and manifest nonce
- Records artifact scan exclusions with reason

Add JSON Schema validation:
- schema.json: Canonical schema for manifest validation
- schema_version.go: Schema versioning and compatibility checking
- schema_test.go: Drift detection with SHA-256 hash verification
- Validates required fields (run_id, environment.config_hash, etc.)
- Validates compliance_mode enum values (hipaa, standard)
- Validates no negative sizes in artifacts

Closes: manifest nonce, environment tracking, scan exclusions from security plan
2026-02-23 19:43:39 -05:00

35 lines
1 KiB
Go
Raw Blame History

package manifest
// SchemaVersion represents the current version of the manifest schema.
// This must be incremented when making breaking changes to the schema.
const SchemaVersion = "1.0.0"
// SchemaVersionInfo provides metadata about schema changes
type SchemaVersionInfo struct {
Version string
Date string
Breaking bool
Description string
}
// SchemaChangeHistory documents all schema versions
var SchemaChangeHistory = []SchemaVersionInfo{
{
Version: "1.0.0",
Date: "2026-02-23",
Breaking: false,
Description: "Initial schema version with RunManifest, Artifacts, and ExecutionEnvironment",
},
}
// GetSchemaVersion returns the current schema version
func GetSchemaVersion() string {
return SchemaVersion
}
// IsCompatibleVersion checks if a stored manifest version is compatible
// with the current schema version (same major version)
func IsCompatibleVersion(storedVersion string) bool {
// For now, simple string comparison - can be enhanced with semver parsing
return storedVersion == SchemaVersion
}
Reference in a new issue View git blame Copy permalink