feat(core): native add-on object-storage mirror (build-signing §4.2) (#3425) #3478

Merged

mfreeman451 merged 1 commit from feat/native-addon-artifact-mirror into staging

2026-05-31 23:44:39 +00:00

mfreeman451 commented

2026-05-31 23:42:51 +00:00

Owner

What

build-signing §4.2 — the object-storage mirror that supplies the :mirror callback ServiceRadar.Plugins.NativeAddonImporter.import_entry/4 (#3476) takes.

ServiceRadar.Plugins.NativeAddonArtifactMirror.mirror_fun/3 returns (os, arch, bytes -> {:ok, object_key} | {:error, term}):

uploads each verified per-arch tarball to the datasvc object store via ServiceRadar.Sync.Client.upload_object (the ReleaseArtifactMirror channel pattern),
under a deterministic, traversal-safe key native-addons/<addon_id>/<version>/<os>/<arch>/<sha256>.tar.gz, carrying sha256 + addon/os/arch attributes,
and the importer records the resolved {object_key, sha256, signature} on AddonPackage.artifacts (the "os/arch" shape AgentConfigGenerator already reads back).

Tests

The upload fn is injected (the ReleaseArtifactMirror DI pattern), so the key/metadata logic is unit-tested without a channel/DB: key + sha256 + size + attributes, error propagation, and segment sanitization — slashes collapsed, all-dots segments (./..) neutralized so a crafted addon_id/version/os/arch can't add a path component or escape the native-addons/ prefix. mix test (5/0), mix compile --warnings-as-errors, and mix credo --strict clean.

Where §4 stands

§4.1 importer core: merged (#3476), DB-verified (#3477).
§4.2 object-storage mirror: this PR.
Remaining §4.1: the web-ng OCI-fetch orchestration wiring fetch+verify → this mirror → import_entry/4 (the last piece; mostly registry/HTTP I/O).

🤖 Generated with Claude Code

## What build-signing **§4.2** — the object-storage mirror that supplies the `:mirror` callback `ServiceRadar.Plugins.NativeAddonImporter.import_entry/4` (#3476) takes. `ServiceRadar.Plugins.NativeAddonArtifactMirror.mirror_fun/3` returns `(os, arch, bytes -> {:ok, object_key} | {:error, term})`: - uploads each verified per-arch tarball to the datasvc object store via `ServiceRadar.Sync.Client.upload_object` (the `ReleaseArtifactMirror` channel pattern), - under a **deterministic, traversal-safe** key `native-addons/<addon_id>/<version>/<os>/<arch>/<sha256>.tar.gz`, carrying `sha256` + addon/os/arch attributes, - and the importer records the resolved `{object_key, sha256, signature}` on `AddonPackage.artifacts` (the `"os/arch"` shape `AgentConfigGenerator` already reads back). ## Tests The upload fn is injected (the `ReleaseArtifactMirror` DI pattern), so the key/metadata logic is unit-tested without a channel/DB: key + sha256 + size + attributes, error propagation, and **segment sanitization** — slashes collapsed, all-dots segments (`.`/`..`) neutralized so a crafted `addon_id`/`version`/`os`/`arch` can't add a path component or escape the `native-addons/` prefix. `mix test` (5/0), `mix compile --warnings-as-errors`, and `mix credo --strict` clean. ## Where §4 stands - §4.1 importer core: merged (#3476), DB-verified (#3477). - §4.2 object-storage mirror: **this PR**. - Remaining §4.1: the **web-ng OCI-fetch orchestration** wiring fetch+verify → this mirror → `import_entry/4` (the last piece; mostly registry/HTTP I/O). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Rows
Columns