fix(verifier): add trust level reason to verify output #705

Merged: mchmarny merged 2 commits into main from fix/trust-reason-683 on Apr 28, 2026

@mchmarny

Member

Summary

Add TrustReason field to VerifyResult so every trust-level decision carries a human-readable rationale. Displayed in aicr verify text output as an indented line below the trust level, and included in JSON output via the struct tag.

Example output after fix:

  Trust level: attested
    ↳ external --data files included; verified requires only embedded recipe data

Motivation / Context

aicr verify reports different trust levels for --attest vs --attest --data bundles but gives no explanation for the difference. The tier delta is intentional (external data provenance is unknown) but the lack of signal is confusing.

Fixes: #683
Related: N/A

Type of Change

  • Bug fix (non-breaking change that fixes an issue)

Component(s) Affected

  • Bundlers (pkg/bundler, pkg/component/*)
  • CLI (cmd/aicr, pkg/cli)

Implementation Notes

  • Added TrustReason string field to VerifyResult in pkg/bundler/verifier/trust.go
  • Added setTrust() helper method to set level + reason atomically (also keeps Verify() under the funlen lint limit)
  • Set reason at every trust-level assignment in Verify() and verifyChecksumStep() (10 return paths total)
  • CLI text output renders reason as ↳ <reason> below the trust level line
  • JSON output includes trustReason field automatically via struct tag
  • No changes to trust-level semantics — only adds explanatory context

Testing

make qualify
  • pkg/bundler/verifier: ALL PASS — added TrustReason assertions to 3 integration tests
  • pkg/cli: ALL PASS — added test case verifying reason display in text output
  • golangci-lint: 0 issues on changed packages
  • Pre-existing sandbox failure in pkg/trust (Sigstore TUF) is unrelated

Risk Assessment

  • Low — Additive field, no behavioral changes to trust-level calculation

Rollout notes: N/A — purely additive UX improvement. Existing JSON consumers ignore unknown fields.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S) — GPG signing info

Add TrustReason field to VerifyResult so every trust-level decision
carries a human-readable rationale. Displayed in CLI text output as an
indented line below the trust level, and included in JSON output via the
struct tag. This explains why --attest + --data produces "attested"
instead of "verified" (external data provenance is unknown).
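
An added sketch (not code from this PR or the aicr repository) of the pattern the description outlines: one helper sets level and reason together, and both the text and JSON renderings carry the reason. `VerifyResult`, `TrustReason`, `setTrust` and the `trustReason` key are named in the PR; the `TrustLevel` field, `verify`, `renderText`, `renderJSON` and the `unverified` tier are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VerifyResult is a simplified stand-in. TrustReason and its trustReason
// JSON key come from the PR text; the TrustLevel field is an assumption.
type VerifyResult struct {
	TrustLevel  string `json:"trustLevel"`
	TrustReason string `json:"trustReason"`
}

// setTrust writes level and reason together so no return path can change
// the level and leave a stale or empty reason behind.
func (r *VerifyResult) setTrust(level, reason string) {
	r.TrustLevel, r.TrustReason = level, reason
}

// verify is a hypothetical decision function over constructed inputs.
// "unverified" is an assumed tier name; the other two are quoted in the PR.
func verify(checksumsOK, externalData bool) (r VerifyResult) {
	switch {
	case !checksumsOK:
		r.setTrust("unverified", "checksum mismatch")
	case externalData:
		r.setTrust("attested", "external --data files included; verified requires only embedded recipe data")
	default:
		r.setTrust("verified", "only embedded recipe data used")
	}
	return r
}

// renderText mirrors the two-line text layout shown in the PR description.
func renderText(r VerifyResult) string {
	return fmt.Sprintf("  Trust level: %s\n    ↳ %s\n", r.TrustLevel, r.TrustReason)
}

// renderJSON shows the reason reaching machine consumers via the struct tag.
func renderJSON(r VerifyResult) string {
	out, _ := json.Marshal(r) // cannot fail for a struct of two strings
	return string(out)
}

func main() {
	r := verify(true, true)
	fmt.Print(renderText(r), renderJSON(r), "\n")
}
```
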
@mchmarny mchmarny enabled auto-merge (squash) April 28, 2026 15:35
@coderabbitai

This comment was marked as resolved.

@github-actions

github-actions Bot commented Apr 28, 2026

Contributor

Coverage Report ✅

| Metric | Value |
| --- | --- |
| Coverage | 75.1% |
| Threshold | 70% |
| Status | Pass |
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-75.1%25-green)

Merging this branch will increase overall coverage

| Impacted Packages | Coverage Δ | 🤖 |
| --- | --- | --- |
| github.com/NVIDIA/aicr/pkg/bundler/verifier | 62.30% (+0.31%) | 👍 |
| github.com/NVIDIA/aicr/pkg/cli | 52.24% (+0.10%) | 👍 |

Coverage by file

Changed files (no unit tests)

| Changed File | Coverage Δ | Total | Covered | Missed | 🤖 |
| --- | --- | --- | --- | --- | --- |
| github.com/NVIDIA/aicr/pkg/bundler/verifier/trust.go | 78.43% (+0.88%) | 51 (+2) | 40 (+2) | 11 | 👍 |
| github.com/NVIDIA/aicr/pkg/bundler/verifier/verifier.go | 58.03% (ø) | 193 | 112 | 81 | |
| github.com/NVIDIA/aicr/pkg/cli/bundle_verify.go | 38.33% (+2.13%) | 60 (+2) | 23 (+2) | 37 | 👍 |

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

@mchmarny mchmarny merged commit 7274cab into main Apr 28, 2026
30 checks passed
@mchmarny mchmarny deleted the fix/trust-reason-683 branch April 28, 2026 15:49
Development

Successfully merging this pull request may close these issues.

bundle --attest + --data: trust level silently drops "verified" → "attested"
