Merge branch 'next' into fix/issue-23

chore: remove committed vendor/modcache archives (#35 )
Removes `vendor.tzst` and `modcache.tzst` that should never have been committed. Adds both to `.gitignore`. Reviewed-on: #35 Co-authored-by: clawbot <sneak+clawbot@sneak.cloud> Co-committed-by: clawbot <sneak+clawbot@sneak.cloud>
2026-02-20 12:14:53 +01:00 · 2026-02-20 12:14:29 +01:00 · 2026-02-20 03:06:33 -08:00 · 2026-02-20 03:05:16 -08:00 · 2026-02-20 03:05:16 -08:00 · 2026-02-20 03:05:16 -08:00
6 changed files with 16 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,8 @@
 *.tmp
 *.dockerimage
 /vendor
 vendor.tzst
 modcache.tzst
 # Stale files
 .drone.yml
--- a/internal/cli/mfer.go
+++ b/internal/cli/mfer.go
@@ -156,7 +156,7 @@ func (mfa *CLIApp) run(args []string) {
 					},
 					&cli.StringFlag{
 						Name:    "seed",
-						Usage:   "Seed value for deterministic manifest UUID (hashed 150M times with SHA-256, ~5-10s)",
+						Usage:   "Seed value for deterministic manifest UUID",
 						EnvVars: []string{"MFER_SEED"},
 					},
 				),
--- a/mfer/builder.go
+++ b/mfer/builder.go
@@ -92,25 +92,12 @@ type Builder struct {
 	fixedUUID      []byte // if set, use this UUID instead of generating one
 }
 // seedIterations is the number of SHA-256 rounds used to derive a UUID from a seed.
 // Tuned to take approximately 5-10 seconds on modern hardware.
 const seedIterations = 150_000_000
 // SetSeed derives a deterministic UUID from the given seed string.
-// The seed is hashed 150,000,000 times with SHA-256 to produce
+// The seed is hashed once with SHA-256 and the first 16 bytes are used
-// 16 bytes used as a fixed UUID for the manifest (~5-10s on modern hardware).
+// as a fixed UUID for the manifest.
 func (b *Builder) SetSeed(seed string) {
 	b.fixedUUID = deriveSeedUUID(seed, seedIterations)
 }
 // deriveSeedUUID hashes the seed string n times with SHA-256
 // and returns the first 16 bytes as a UUID.
 func deriveSeedUUID(seed string, iterations int) []byte {
 	hash := sha256.Sum256([]byte(seed))
-	for i := 1; i < iterations; i++ {
+	b.fixedUUID = hash[:16]
 		hash = sha256.Sum256(hash[:])
 	}
 	return hash[:16]
 }
 // NewBuilder creates a new Builder.
--- a/mfer/builder_test.go
+++ b/mfer/builder_test.go
@@ -150,15 +150,17 @@ func TestBuilderDeterministicOutput(t *testing.T) {
 	assert.Equal(t, out1, out2, "two builds with same input should produce byte-identical output")
 }
-func TestDeriveSeedUUID(t *testing.T) {
+func TestSetSeedDeterministic(t *testing.T) {
-	// Use a small iteration count for testing (production uses 1B)
+	b1 := NewBuilder()
-	uuid1 := deriveSeedUUID("test-seed-value", 1000)
+	b1.SetSeed("test-seed-value")
-	uuid2 := deriveSeedUUID("test-seed-value", 1000)
+	b2 := NewBuilder()
-	assert.Equal(t, uuid1, uuid2, "same seed should produce same UUID")
+	b2.SetSeed("test-seed-value")
-	assert.Len(t, uuid1, 16, "UUID should be 16 bytes")
+	assert.Equal(t, b1.fixedUUID, b2.fixedUUID, "same seed should produce same UUID")
 	assert.Len(t, b1.fixedUUID, 16, "UUID should be 16 bytes")
-	uuid3 := deriveSeedUUID("different-seed", 1000)
+	b3 := NewBuilder()
-	assert.NotEqual(t, uuid1, uuid3, "different seeds should produce different UUIDs")
+	b3.SetSeed("different-seed")
 	assert.NotEqual(t, b1.fixedUUID, b3.fixedUUID, "different seeds should produce different UUIDs")
 }
 func TestBuilderBuildEmpty(t *testing.T) {
--- a/modcache.tzst
+++ b/modcache.tzst
--- a/vendor.tzst
+++ b/vendor.tzst
Author	SHA1	Message	Date
Jeffrey Paul	615eecff79	Merge branch 'next' into fix/issue-23	2026-02-20 12:14:53 +01:00
clawbot	9b67de016d	chore: remove committed vendor/modcache archives (#35 ) Removes `vendor.tzst` and `modcache.tzst` that should never have been committed. Adds both to `.gitignore`. Reviewed-on: #35 Co-authored-by: clawbot <sneak+clawbot@sneak.cloud> Co-committed-by: clawbot <sneak+clawbot@sneak.cloud>	2026-02-20 12:14:29 +01:00
clawbot	3c779465e2	remove time-hard hash iteration from seed UUID derivation Replace 150M SHA-256 iteration key-stretching with a single hash. Remove all references to iteration counts, timing (~5-10s), and key-stretching from code and documentation. The seed flag is retained for deterministic UUID generation, but now derives the UUID with a single SHA-256 hash instead of the unnecessary iterative approach.	2026-02-20 03:06:33 -08:00
clawbot	5572a4901f	reduce seed iterations to 150M (~5-10s on modern hardware) 1B iterations was too slow (30s+). Benchmarked on Apple Silicon: - 150M iterations ≈ 6.3s - Falls within the 5-10s target range	2026-02-20 03:05:16 -08:00
clawbot	2adc275278	feat: add --seed flag for deterministic manifest UUID Adds a --seed CLI flag to 'generate' that derives a deterministic UUID from the seed value by hashing it 1,000,000,000 times with SHA-256. This makes manifest generation fully reproducible when the same seed and input files are provided. - Builder.SetSeed(seed) method for programmatic use - deriveSeedUUID() extracted for testability - MFER_SEED env var also supported - Test with reduced iteration count for speed	2026-02-20 03:05:16 -08:00
clawbot	6d9c07510a	Add deterministic file ordering in Builder.Build() Sort file entries by path (lexicographic, byte-order) before serialization to ensure deterministic output. Add fixedUUID support for testing reproducibility, and a test asserting byte-identical output from two runs with the same input. Closes #23	2026-02-20 03:05:16 -08:00