From 26ef905c5a09a3309c28c72f5a4b91d55184353a Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Sat, 30 May 2026 13:46:19 -0500 Subject: [PATCH 1/2] Read signing golden fixtures from spec checkout Signed-off-by: Nathan Gillett --- .github/workflows/ci.yml | 14 ++++++++ scripts/check-sdk-signing-fixtures-sync.sh | 38 ++++++++++++++++++++++ tests/test_sdk.py | 10 +++++- 3 files changed, 61 insertions(+), 1 deletion(-) create mode 100755 scripts/check-sdk-signing-fixtures-sync.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c374ac9..38a1d1d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,13 @@ jobs: steps: - uses: actions/checkout@v6 + - name: Checkout spec repository + uses: actions/checkout@v4 + with: + repository: IntentProof/intentproof-spec + ref: main + path: intentproof-spec + - uses: actions/setup-python@v6 with: python-version: '3.11' @@ -22,4 +29,11 @@ jobs: pip install -e ".[dev]" - name: Run tests with coverage + env: + INTENTPROOF_SPEC_DIR: intentproof-spec run: bash ./scripts/run-coverage-gate.sh + + - name: Verify sdk-signing fixtures synced with spec + env: + INTENTPROOF_SPEC_DIR: intentproof-spec + run: bash ./scripts/check-sdk-signing-fixtures-sync.sh diff --git a/scripts/check-sdk-signing-fixtures-sync.sh b/scripts/check-sdk-signing-fixtures-sync.sh new file mode 100755 index 0000000..44acef8 --- /dev/null +++ b/scripts/check-sdk-signing-fixtures-sync.sh @@ -0,0 +1,38 @@ +#!/usr/bin/env bash +# Fail when mirrored SDK signing fixtures drift from intentproof-spec. +set -euo pipefail + +ROOT="$(cd "$(dirname "$0")/.." && pwd)" +LOCAL="${ROOT}/tests/fixtures" +CANONICAL="${INTENTPROOF_SPEC_DIR:?INTENTPROOF_SPEC_DIR must point at intentproof-spec}/golden/sdk-signing" + +if [[ ! -d "$CANONICAL" ]]; then + echo "canonical sdk-signing fixtures not found at ${CANONICAL}" >&2 + exit 1 +fi + +shopt -s nullglob +files=("${CANONICAL}"/signing_*) +if [[ ${#files[@]} -eq 0 ]]; then + echo "no signing fixtures under ${CANONICAL}" >&2 + exit 1 +fi + +fail=0 +for canonical in "${files[@]}"; do + base="$(basename "$canonical")" + local_path="${LOCAL}/${base}" + if [[ ! -f "$local_path" ]]; then + continue + fi + if ! cmp -s "$canonical" "$local_path"; then + echo "sdk-signing fixture drift: ${base} differs from spec golden/sdk-signing" >&2 + fail=1 + fi +done + +if [[ "$fail" -ne 0 ]]; then + exit 1 +fi + +echo "PASS: sdk-signing fixture mirrors match spec golden." diff --git a/tests/test_sdk.py b/tests/test_sdk.py index e396c2a..6a81e53 100644 --- a/tests/test_sdk.py +++ b/tests/test_sdk.py @@ -4,6 +4,7 @@ import base64 import json +import os import tempfile import threading from pathlib import Path @@ -287,8 +288,15 @@ def fake_post(url: str, event: dict) -> None: assert len(posted) == 1 +def _signing_fixture_dir() -> Path: + spec_dir = os.environ.get("INTENTPROOF_SPEC_DIR", "").strip() + if spec_dir: + return Path(spec_dir) / "golden" / "sdk-signing" + return Path(__file__).parent / "fixtures" + + def test_signing_golden_bytes() -> None: - fixture_dir = Path(__file__).parent / "fixtures" + fixture_dir = _signing_fixture_dir() unsigned = json.loads( (fixture_dir / "signing_unsigned_event.json").read_text(encoding="utf-8") ) From bf59b99f3a4013bb32fd9d504b961d9aba81e890 Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Sat, 30 May 2026 14:11:36 -0500 Subject: [PATCH 2/2] Fallback spec checkout when sdk-signing golden absent Signed-off-by: Nathan Gillett --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 38a1d1d..2e1e87d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,14 @@ jobs: ref: main path: intentproof-spec + - name: Ensure spec sdk-signing golden checkout + run: | + if [[ -d intentproof-spec/golden/sdk-signing ]]; then + exit 0 + fi + git -C intentproof-spec fetch origin phase3-ecosystem-conformance + git -C intentproof-spec checkout FETCH_HEAD + - uses: actions/setup-python@v6 with: python-version: '3.11'