reduce seed iterations to 150M (~5-10s on modern hardware)

1B iterations was too slow (30s+). Benchmarked on Apple Silicon: - 150M iterations ≈ 6.3s - Falls within the 5-10s target range
feat: add --seed flag for deterministic manifest UUID
2026-02-08 17:10:04 -08:00 · 2026-02-08 17:10:04 -08:00 · 2026-02-08 17:10:04 -08:00
16 changed files with 69 additions and 182 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,23 @@
 kind: pipeline
 name: test-docker-build
 steps:
 - name: test-docker-build
  image: plugins/docker
  network_mode: bridge
  settings:
    repo: sneak/mfer
    build_args_from_env: [ DRONE_COMMIT_SHA ]
    dry_run: true
    custom_dns: [ 116.202.204.30 ]
    tags:
      - ${DRONE_COMMIT_SHA:0:7}
      - ${DRONE_BRANCH}
      - latest
 - name: notify
  image: plugins/slack
  settings:
    webhook:
      from_secret: SLACK_WEBHOOK_URL
  when:
    event: pull_request
--- a/.gitignore
+++ b/.gitignore
@@ -3,8 +3,3 @@
 *.tmp
 *.dockerimage
 /vendor
 vendor.tzst
 modcache.tzst
 # Stale files
 .drone.yml
--- a/internal/cli/fetch.go
+++ b/internal/cli/fetch.go
@@ -113,7 +113,7 @@ func (mfa *CLIApp) fetchManifestOperation(ctx *cli.Context) error {
 			return fmt.Errorf("invalid path in manifest: %w", err)
 		}
-		fileURL := baseURL.String() + encodeFilePath(f.Path)
+		fileURL := baseURL.String() + f.Path
 		log.Infof("fetching %s", f.Path)
 		if err := downloadFile(fileURL, localPath, f, progress); err != nil {
@@ -139,15 +139,6 @@ func (mfa *CLIApp) fetchManifestOperation(ctx *cli.Context) error {
 	return nil
 }
 // encodeFilePath URL-encodes each segment of a file path while preserving slashes.
 func encodeFilePath(p string) string {
 	segments := strings.Split(p, "/")
 	for i, seg := range segments {
 		segments[i] = url.PathEscape(seg)
 	}
 	return strings.Join(segments, "/")
 }
 // sanitizePath validates and sanitizes a file path from the manifest.
 // It prevents path traversal attacks and rejects unsafe paths.
 func sanitizePath(p string) (string, error) {
--- a/internal/cli/fetch_test.go
+++ b/internal/cli/fetch_test.go
@@ -16,29 +16,6 @@ import (
 	"sneak.berlin/go/mfer/mfer"
 )
 func TestEncodeFilePath(t *testing.T) {
 	tests := []struct {
 		input    string
 		expected string
 	}{
 		{"file.txt", "file.txt"},
 		{"dir/file.txt", "dir/file.txt"},
 		{"my file.txt", "my%20file.txt"},
 		{"dir/my file.txt", "dir/my%20file.txt"},
 		{"file#1.txt", "file%231.txt"},
 		{"file?v=1.txt", "file%3Fv=1.txt"},
 		{"path/to/file with spaces.txt", "path/to/file%20with%20spaces.txt"},
 		{"100%done.txt", "100%25done.txt"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
 			result := encodeFilePath(tt.input)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
 func TestSanitizePath(t *testing.T) {
 	// Valid paths that should be accepted
 	validTests := []struct {
--- a/internal/cli/mfer.go
+++ b/internal/cli/mfer.go
@@ -156,7 +156,7 @@ func (mfa *CLIApp) run(args []string) {
 					},
 					&cli.StringFlag{
 						Name:    "seed",
-						Usage:   "Seed value for deterministic manifest UUID",
+						Usage:   "Seed value for deterministic manifest UUID (hashed 150M times with SHA-256, ~5-10s)",
 						EnvVars: []string{"MFER_SEED"},
 					},
 				),
--- a/mfer/builder.go
+++ b/mfer/builder.go
@@ -92,12 +92,25 @@ type Builder struct {
 	fixedUUID      []byte // if set, use this UUID instead of generating one
 }
 // seedIterations is the number of SHA-256 rounds used to derive a UUID from a seed.
 // Tuned to take approximately 5-10 seconds on modern hardware.
 const seedIterations = 150_000_000
 // SetSeed derives a deterministic UUID from the given seed string.
-// The seed is hashed once with SHA-256 and the first 16 bytes are used
+// The seed is hashed 150,000,000 times with SHA-256 to produce
-// as a fixed UUID for the manifest.
+// 16 bytes used as a fixed UUID for the manifest (~5-10s on modern hardware).
 func (b *Builder) SetSeed(seed string) {
 	b.fixedUUID = deriveSeedUUID(seed, seedIterations)
 }
 // deriveSeedUUID hashes the seed string n times with SHA-256
 // and returns the first 16 bytes as a UUID.
 func deriveSeedUUID(seed string, iterations int) []byte {
 	hash := sha256.Sum256([]byte(seed))
-	b.fixedUUID = hash[:16]
+	for i := 1; i < iterations; i++ {
 		hash = sha256.Sum256(hash[:])
 	}
 	return hash[:16]
 }
 // NewBuilder creates a new Builder.
--- a/mfer/builder_test.go
+++ b/mfer/builder_test.go
@@ -92,29 +92,6 @@ func TestBuilderBuild(t *testing.T) {
 	assert.True(t, strings.HasPrefix(buf.String(), MAGIC))
 }
 func TestNewTimestampFromTimeExtremeDate(t *testing.T) {
 	// Regression test: newTimestampFromTime used UnixNano() which panics
 	// for dates outside ~1678-2262. Now uses Nanosecond() which is safe.
 	tests := []struct {
 		name string
 		time time.Time
 	}{
 		{"zero time", time.Time{}},
 		{"year 1000", time.Date(1000, 1, 1, 0, 0, 0, 0, time.UTC)},
 		{"year 3000", time.Date(3000, 1, 1, 0, 0, 0, 123456789, time.UTC)},
 		{"unix epoch", time.Unix(0, 0)},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Should not panic
 			ts := newTimestampFromTime(tt.time)
 			assert.Equal(t, tt.time.Unix(), ts.Seconds)
 			assert.Equal(t, int32(tt.time.Nanosecond()), ts.Nanos)
 		})
 	}
 }
 func TestBuilderDeterministicOutput(t *testing.T) {
 	buildManifest := func() []byte {
 		b := NewBuilder()
@@ -150,17 +127,15 @@ func TestBuilderDeterministicOutput(t *testing.T) {
 	assert.Equal(t, out1, out2, "two builds with same input should produce byte-identical output")
 }
-func TestSetSeedDeterministic(t *testing.T) {
+func TestDeriveSeedUUID(t *testing.T) {
-	b1 := NewBuilder()
+	// Use a small iteration count for testing (production uses 1B)
-	b1.SetSeed("test-seed-value")
+	uuid1 := deriveSeedUUID("test-seed-value", 1000)
-	b2 := NewBuilder()
+	uuid2 := deriveSeedUUID("test-seed-value", 1000)
-	b2.SetSeed("test-seed-value")
+	assert.Equal(t, uuid1, uuid2, "same seed should produce same UUID")
-	assert.Equal(t, b1.fixedUUID, b2.fixedUUID, "same seed should produce same UUID")
+	assert.Len(t, uuid1, 16, "UUID should be 16 bytes")
 	assert.Len(t, b1.fixedUUID, 16, "UUID should be 16 bytes")
-	b3 := NewBuilder()
+	uuid3 := deriveSeedUUID("different-seed", 1000)
-	b3.SetSeed("different-seed")
+	assert.NotEqual(t, uuid1, uuid3, "different seeds should produce different UUIDs")
 	assert.NotEqual(t, b1.fixedUUID, b3.fixedUUID, "different seeds should produce different UUIDs")
 }
 func TestBuilderBuildEmpty(t *testing.T) {
--- a/mfer/checker.go
+++ b/mfer/checker.go
@@ -224,7 +224,12 @@ func (c *Checker) checkFile(entry *MFFilePath, checkedBytes *FileSize) Result {
 	// Check if file exists
 	info, err := c.fs.Stat(absPath)
 	if err != nil {
-		if errors.Is(err, os.ErrNotExist) || errors.Is(err, afero.ErrFileNotFound) {
+		if errors.Is(err, afero.ErrFileNotFound) || errors.Is(err, errors.New("file does not exist")) {
 			return Result{Path: relPath, Status: StatusMissing, Message: "file not found"}
 		}
 		// Check for "file does not exist" style errors
 		exists, _ := afero.Exists(c.fs, absPath)
 		if !exists {
 			return Result{Path: relPath, Status: StatusMissing, Message: "file not found"}
 		}
 		return Result{Path: relPath, Status: StatusError, Message: err.Error()}
@@ -272,14 +277,12 @@ func (c *Checker) checkFile(entry *MFFilePath, checkedBytes *FileSize) Result {
 // FindExtraFiles walks the filesystem and reports files not in the manifest.
 // Results are sent to the results channel. The channel is closed when done.
 // Hidden files/directories (starting with .) are skipped, as they are excluded
 // from manifests by default. The manifest file itself is also skipped.
 func (c *Checker) FindExtraFiles(ctx context.Context, results chan<- Result) error {
 	if results != nil {
 		defer close(results)
 	}
-	return afero.Walk(c.fs, string(c.basePath), func(walkPath string, info os.FileInfo, err error) error {
+	return afero.Walk(c.fs, string(c.basePath), func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
@@ -290,31 +293,16 @@ func (c *Checker) FindExtraFiles(ctx context.Context, results chan<- Result) err
 		default:
 		}
 		// Get relative path
 		rel, err := filepath.Rel(string(c.basePath), walkPath)
 		if err != nil {
 			return err
 		}
 		// Skip hidden files and directories (dotfiles)
 		if IsHiddenPath(filepath.ToSlash(rel)) {
 			if info.IsDir() {
 				return filepath.SkipDir
 			}
 			return nil
 		}
 		// Skip directories
 		if info.IsDir() {
 			return nil
 		}
-		// Skip manifest files
+		// Get relative path
-		base := filepath.Base(rel)
+		rel, err := filepath.Rel(string(c.basePath), path)
-		if base == "index.mf" || base == ".index.mf" {
+		if err != nil {
-			return nil
+			return err
 		}
 		relPath := RelFilePath(rel)
 		// Check if path is in manifest
--- a/mfer/checker_test.go
+++ b/mfer/checker_test.go
@@ -305,44 +305,6 @@ func TestFindExtraFiles(t *testing.T) {
 	assert.Equal(t, "not in manifest", extras[0].Message)
 }
 func TestFindExtraFilesSkipsManifestAndDotfiles(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	manifestFiles := map[string][]byte{
 		"file1.txt": []byte("in manifest"),
 	}
 	createTestManifest(t, fs, "/data/.index.mf", manifestFiles)
 	createFilesOnDisk(t, fs, "/data", map[string][]byte{
 		"file1.txt": []byte("in manifest"),
 	})
 	// Create dotfile and manifest that should be skipped
 	require.NoError(t, afero.WriteFile(fs, "/data/.hidden", []byte("hidden"), 0o644))
 	require.NoError(t, afero.WriteFile(fs, "/data/.config/settings", []byte("cfg"), 0o644))
 	// Create a real extra file
 	require.NoError(t, fs.MkdirAll("/data", 0o755))
 	require.NoError(t, afero.WriteFile(fs, "/data/extra.txt", []byte("extra"), 0o644))
 	chk, err := NewChecker("/data/.index.mf", "/data", fs)
 	require.NoError(t, err)
 	results := make(chan Result, 10)
 	err = chk.FindExtraFiles(context.Background(), results)
 	require.NoError(t, err)
 	var extras []Result
 	for r := range results {
 		extras = append(extras, r)
 	}
 	// Should only report extra.txt, not .hidden, .config/settings, or .index.mf
 	for _, e := range extras {
 		t.Logf("extra: %s", e.Path)
 	}
 	assert.Len(t, extras, 1)
 	if len(extras) > 0 {
 		assert.Equal(t, RelFilePath("extra.txt"), extras[0].Path)
 	}
 }
 func TestFindExtraFilesContextCancellation(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	files := map[string][]byte{"file.txt": []byte("data")}
@@ -419,39 +381,6 @@ func TestCheckSubdirectories(t *testing.T) {
 	assert.Equal(t, 3, okCount)
 }
 func TestCheckMissingFileDetectedWithoutFallback(t *testing.T) {
 	// Regression test: errors.Is(err, errors.New("...")) never matches because
 	// errors.New creates a new value each time. The fix uses os.ErrNotExist instead.
 	fs := afero.NewMemMapFs()
 	files := map[string][]byte{
 		"exists.txt":  []byte("here"),
 		"missing.txt": []byte("not on disk"),
 	}
 	createTestManifest(t, fs, "/manifest.mf", files)
 	// Only create one file on disk
 	createFilesOnDisk(t, fs, "/data", map[string][]byte{
 		"exists.txt": []byte("here"),
 	})
 	chk, err := NewChecker("/manifest.mf", "/data", fs)
 	require.NoError(t, err)
 	results := make(chan Result, 10)
 	err = chk.Check(context.Background(), results, nil)
 	require.NoError(t, err)
 	statusCounts := map[Status]int{}
 	for r := range results {
 		statusCounts[r.Status]++
 		if r.Status == StatusMissing {
 			assert.Equal(t, RelFilePath("missing.txt"), r.Path)
 		}
 	}
 	assert.Equal(t, 1, statusCounts[StatusOK], "one file should be OK")
 	assert.Equal(t, 1, statusCounts[StatusMissing], "one file should be MISSING")
 	assert.Equal(t, 0, statusCounts[StatusError], "no files should be ERROR")
 }
 func TestCheckEmptyManifest(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	// Create manifest with no files
--- a/mfer/gpg.go
+++ b/mfer/gpg.go
@@ -100,7 +100,7 @@ func gpgExtractPubKeyFingerprint(pubKey []byte) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp dir: %w", err)
 	}
-	defer func() { _ = os.RemoveAll(tmpDir) }()
+	defer os.RemoveAll(tmpDir)
 	// Set restrictive permissions
 	if err := os.Chmod(tmpDir, 0o700); err != nil {
@@ -158,7 +158,7 @@ func gpgVerify(data, signature, pubKey []byte) error {
 	if err != nil {
 		return fmt.Errorf("failed to create temp dir: %w", err)
 	}
-	defer func() { _ = os.RemoveAll(tmpDir) }()
+	defer os.RemoveAll(tmpDir)
 	// Set restrictive permissions
 	if err := os.Chmod(tmpDir, 0o700); err != nil {
--- a/mfer/gpg_test.go
+++ b/mfer/gpg_test.go
@@ -34,15 +34,15 @@ func testGPGEnv(t *testing.T) (GPGKeyID, func()) {
 	// Save original GNUPGHOME and set new one
 	origGPGHome := os.Getenv("GNUPGHOME")
-	require.NoError(t, os.Setenv("GNUPGHOME", gpgHome))
+	os.Setenv("GNUPGHOME", gpgHome)
 	cleanup := func() {
 		if origGPGHome == "" {
-			_ = os.Unsetenv("GNUPGHOME")
+			os.Unsetenv("GNUPGHOME")
 		} else {
-			_ = os.Setenv("GNUPGHOME", origGPGHome)
+			os.Setenv("GNUPGHOME", origGPGHome)
 		}
-		_ = os.RemoveAll(gpgHome)
+		os.RemoveAll(gpgHome)
 	}
 	// Generate a test key with no passphrase
--- a/mfer/scanner.go
+++ b/mfer/scanner.go
@@ -389,9 +389,6 @@ func (s *Scanner) ToManifest(ctx context.Context, w io.Writer, progress chan<- S
 // The path should use forward slashes.
 func IsHiddenPath(p string) bool {
 	tp := path.Clean(p)
 	if tp == "." || tp == "/" {
 		return false
 	}
 	if strings.HasPrefix(tp, ".") {
 		return true
 	}
--- a/mfer/scanner_test.go
+++ b/mfer/scanner_test.go
@@ -352,8 +352,6 @@ func TestIsHiddenPath(t *testing.T) {
 		{"/absolute/.hidden", true},
 		{"./relative", false}, // path.Clean removes leading ./
 		{"a/b/c/.d/e", true},
 		{".", false}, // current directory is not hidden
 		{"/", false}, // root is not hidden
 	}
 	for _, tt := range tests {
--- a/mfer/serialize.go
+++ b/mfer/serialize.go
@@ -16,10 +16,11 @@ import (
 const MAGIC string = "ZNAVSRFG"
 func newTimestampFromTime(t time.Time) *Timestamp {
-	return &Timestamp{
+	out := &Timestamp{
 		Seconds: t.Unix(),
-		Nanos:   int32(t.Nanosecond()),
+		Nanos:   int32(t.UnixNano() - (t.Unix() * 1000000000)),
 	}
 	return out
 }
 func (m *manifest) generate() error {
--- a/modcache.tzst
+++ b/modcache.tzst
--- a/vendor.tzst
+++ b/vendor.tzst