From eee6f43ebfa6d004dd666cda069314776a36d5f6 Mon Sep 17 00:00:00 2001 From: YeonGyu-Kim Date: Tue, 5 May 2026 06:06:54 +0900 Subject: [PATCH] =?UTF-8?q?feat(scripts):=20add=20dogfood-build.sh=20?= =?UTF-8?q?=E2=80=94=20build=20from=20checkout=20and=20verify=20provenance?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Builds claw from the current HEAD, then checks that the binary's git_sha matches git rev-parse --short HEAD. Exits non-zero if the binary is stale or provenance is opaque (git_sha: null). Usage: CLAW=$(bash scripts/dogfood-build.sh) # fail-fast if stale $CLAW version --output-format json # provenance confirmed Addresses ROADMAP #69: dogfooders using a stale installed binary cannot attribute behavior to specific commits. This script makes dogfood round zero unambiguous. Also documents the safe workaround for contributors who have a stale system-installed binary. --- scripts/dogfood-build.sh | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100755 scripts/dogfood-build.sh diff --git a/scripts/dogfood-build.sh b/scripts/dogfood-build.sh new file mode 100755 index 00000000..5617a27e --- /dev/null +++ b/scripts/dogfood-build.sh @@ -0,0 +1,38 @@ +#!/usr/bin/env bash +# dogfood-build.sh — Build claw from current checkout and verify provenance. +# Usage: bash scripts/dogfood-build.sh +# On success: prints the verified binary path. Use as: +# CLAW=$(bash scripts/dogfood-build.sh) && $CLAW version --output-format json +set -euo pipefail + +REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +RUST_DIR="$REPO_ROOT/rust" +BINARY="$RUST_DIR/target/debug/claw" +EXPECTED_SHA="$(git -C "$REPO_ROOT" rev-parse --short HEAD)" + +echo "▶ Building claw from $REPO_ROOT ($(git -C "$REPO_ROOT" log --oneline -1))..." >&2 +cargo build --manifest-path "$RUST_DIR/Cargo.toml" -p rusty-claude-cli -q + +if [[ ! -x "$BINARY" ]]; then + echo "✗ Build succeeded but binary not found at $BINARY" >&2 + exit 1 +fi + +BINARY_SHA=$("$BINARY" version --output-format json 2>/dev/null \ + | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('git_sha','null'))" 2>/dev/null || echo "null") + +if [[ "$BINARY_SHA" == "null" || -z "$BINARY_SHA" ]]; then + echo "✗ Provenance check failed: binary reports git_sha: null" >&2 + echo " Binary: $BINARY" >&2 + exit 1 +fi + +if [[ "$BINARY_SHA" != "$EXPECTED_SHA" ]]; then + echo "✗ Provenance mismatch: binary=$BINARY_SHA, HEAD=$EXPECTED_SHA" >&2 + echo " Rerun after 'git pull' or check for uncommitted changes." >&2 + exit 1 +fi + +echo "✓ Binary verified: $BINARY_SHA == HEAD ($EXPECTED_SHA)" >&2 +echo " To dogfood: export CLAW=$BINARY" >&2 +echo "$BINARY"