Skip to content

Piece 7: verify git delivery before payment#14

Open
orveth wants to merge 3 commits into
mainfrom
rebuild/piece-7-git-delivery
Open

Piece 7: verify git delivery before payment#14
orveth wants to merge 3 commits into
mainfrom
rebuild/piece-7-git-delivery

Conversation

@orveth

@orveth orveth commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • fetch the advertised Git branch into buyer-owned custody and require the fetched full commit OID to match
  • bind the offer/result target, verified commit, payment key, and receipt integrity field
  • refuse delivery failures before the first durable payment intent or wallet effect

Verification

  • cargo test -p mobee-core --all-features: green
  • cargo test -p mobee-core (default): 39 green
  • cargo clippy -p mobee-core --all-targets --all-features: green; one pre-existing gateway too-many-arguments warning
  • git diff --check: green
  • non-vacuous controls: disabling tip comparison makes the moved-tip test red; moving payment before delivery verification makes the no-Intent test red

The workspace-only CLI AgentMessage("working") expectation failure is pre-existing and outside this diff.

Runtime and reality

The git-delivery adapter requires a git executable at runtime. The default dependency graph remains unchanged. This lands BUILT-BUT-OFF until a composed caller drives the delivery-gated path.

orveth and others added 2 commits July 14, 2026 16:53
Legacy field names never existed in production journals; aliases enabled
fail-open deserialize. Refuse old names; keep result_content_hash_hex.

Co-authored-by: Cursor <cursoragent@cursor.com>
@orveth
orveth marked this pull request as ready for review July 15, 2026 06:08
}

fn fetch(&self, delivery: &GitDelivery) -> Result<CommitOid, DeliveryError> {
let fetched_ref = format!("refs/mobee/deliveries/{}", delivery.commit_oid().as_str());

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this hardoceded to this?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question — added a clarifying comment in 6d484b2. Short version: refs/mobee/deliveries/<commit_oid> is a deliberately isolated, OID-keyed local ref namespace where the buyer stages the untrusted seller branch before verifying it.

Why it's hardcoded (and deliberately not a config knob):

  • Isolation — it lives under refs/mobee/deliveries/*, not refs/heads/* or refs/remotes/*, so a fetched delivery can't masquerade as (or collide with) a real local branch or remote-tracking ref.
  • OID-keyed — each delivery lands under its own /<commit_oid>, so repeated/concurrent deliveries never clobber each other, and the staging ref is bound to the exact commit we're about to check.
  • Verify-before-pay — the buyer then resolves <fetched_ref>^{commit} and tip-matches the expected OID before authorize_pay. Making the namespace configurable would be a footgun (a wrong value could route untrusted content into refs/heads), so it's fixed by design.

The only real gap was the missing explanation — now in the code.

…ace (PR #14 review)

The delivery fetch stages the untrusted seller branch in an isolated,
OID-keyed local ref namespace (not refs/heads or refs/remotes) so it cannot
masquerade as a real branch or remote-tracking ref, keyed by the claimed
commit OID to avoid cross-delivery collision. Internal verify-staging, not a
config knob. Answers the review comment on delivery_git.rs line 75.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants