From ebaf2a65caad5e8005f911252733d3ac32d6caef Mon Sep 17 00:00:00 2001
From: clawbot
Date: Mon, 9 Feb 2026 01:35:07 +0100
Subject: [PATCH] Fix AddFile to verify actual bytes read matches declared size (closes #25) (#30)

After reading file content, verify `totalRead == size` and return an error on mismatch.

Co-authored-by: clawbot
Reviewed-on: https://git.eeqj.de/sneak/mfer/pulls/30
Co-authored-by: clawbot
Co-committed-by: clawbot
---
 mfer/builder.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/mfer/builder.go b/mfer/builder.go
index 22d4d4a..db605e2 100644
--- a/mfer/builder.go
+++ b/mfer/builder.go
@@ -3,6 +3,7 @@ package mfer
 import (
 "crypto/sha256"
 "errors"
+ "fmt"
 "io"
 "sync"
 "time"
@@ -96,6 +97,11 @@ func (b *Builder) AddFile(
 }
 }
 
+ // Verify actual bytes read matches declared size
+ if totalRead != size {
+ return totalRead, fmt.Errorf("size mismatch for %q: declared %d bytes but read %d bytes", path, size, totalRead)
+ }
+
 // Encode hash as multihash (SHA2-256)
 mh, err := multihash.Encode(h.Sum(nil), multihash.SHA2_256)
 if err != nil {
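Review bot: The size-mismatch error added after the read loop in AddFile is built with a bare `fmt.Errorf`, so callers cannot tell a file whose length changed while it was being hashed apart from an ordinary I/O failure. The file already imports `errors`, so a package-level sentinel such as `var ErrSizeMismatch = errors.New("size mismatch")` could be wrapped here with `fmt.Errorf("%w for %q: declared %d bytes but read %d bytes", ErrSizeMismatch, path, size, totalRead)`, which keeps the message text identical and lets callers use `errors.Is`. The check also runs only once the reader is exhausted; the loop is outside this hunk, so if it does not cap reads at `size`, an over-long stream is presumably still hashed in full before being rejected. AddFile's body starts and ends outside the hunk.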