feat(install): implicit-trust model for user-declared sources #171

Merged: QaidVoid merged 1 commit into main from feat/implicit-trust-model on Jun 6, 2026
QaidVoid (Member) commented Jun 6, 2026

Summary by CodeRabbit

Release Notes

  • New Features

    • Added optional BLAKE3 checksum verification for package downloads to enhance security and integrity validation.
  • Tests

    • Added unit tests for checksum handling and integrity gate logic across various package sources.

coderabbitai Bot (Contributor) commented Jun 6, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between fe7a6f4 and d37562a.

📒 Files selected for processing (3)
  • crates/soar-config/src/packages.rs
  • crates/soar-operations/src/apply.rs
  • crates/soar-operations/src/install.rs

Walkthrough

This PR extends the package configuration model with an optional bsum field for BLAKE3 checksums, routes it through configuration resolution, applies it to install targets, and refactors integrity gating to skip exempted sources (local, ghcr) while enforcing checksum/signature requirements for pinned checksums.

Changes

Checksum field and integrity gating integration

| Layer | File(s) | Summary |
|---|---|---|
| Config schema: bsum field definition | crates/soar-config/src/packages.rs | PackageOptions and ResolvedPackage structs extended with pub bsum: Option<String> field to carry BLAKE3 hex checksums through configuration resolution. |
| Checksum resolution and tests | crates/soar-config/src/packages.rs | Resolution logic updated to set bsum to None for simple specs and propagate from opts.bsum for detailed specs; new tests verify checksum is preserved in resolved configuration for URL-based packages and remains unset for wildcard specs. |
| Checksum application to install targets | crates/soar-operations/src/apply.rs | create_url_install_target mutates the package and applies normalized (trimmed, lowercased) bsum from resolved configuration before returning the InstallTarget. |
| Integrity gate logic with source exemptions | crates/soar-operations/src/install.rs | New source_skips_integrity_gate helper classifies exempt sources (local, ghcr); integrity-gate refusal logic updated to skip exempted sources while preserving checksum/signature requirement when explicit bsum is pinned; post-signature-verification condition tightened to respect exemption status; comprehensive tests validate helper across local, ghcr, and registry sources. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • pkgforge/soar#168: Both PRs wire Package.bsum into integrity checking: the main PR propagates/uses bsum during install/integrity gating, while the retrieved PR updates the downloader paths to actually verify downloaded content against self.package.bsum.

Poem

A checksum hops through configs with care,
Traveling simple specs to detailed pairs,
Exemptions for locals, ghcr so bright,
Integrity gates guard the install's flight,
BLAKE3 checksums make packages right! 🐰✨

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(install): implicit-trust model for user-declared sources' accurately describes the main change across the PR, which introduces an implicit-trust mechanism (via source_skips_integrity_gate) that exempts local and ghcr-sourced packages from checksum requirements. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

QaidVoid merged commit d395448 into main on Jun 6, 2026
6 checks passed
QaidVoid mentioned this pull request Jun 6, 2026
github-actions Bot pushed a commit to Azathothas/soar that referenced this pull request Jun 6, 2026
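
The gate behaviour summarized in the walkthrough, as an added Rust sketch that is not soar's code and not part of this PR. `Source`, `Decision`, `normalize_bsum` and `integrity_gate` are hypothetical names; `source_skips_integrity_gate` borrows the helper's name from the walkthrough with an assumed signature. The 64-hex-character check and the caller-supplied BLAKE3 digest are assumptions.

```rust
// Added illustration: these types and signatures are hypothetical, not soar's.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Source { Local, Ghcr, Registry }

#[derive(Debug, PartialEq)]
enum Decision { Allow, Refuse(&'static str) }

/// Trim and lowercase a pinned checksum. Assumption: anything that is not
/// 64 hex characters (the default 32-byte BLAKE3 output) is rejected.
fn normalize_bsum(raw: &str) -> Option<String> {
    let s = raw.trim().to_ascii_lowercase();
    (s.len() == 64 && s.bytes().all(|b| b.is_ascii_hexdigit())).then_some(s)
}

/// Sources the walkthrough lists as exempt from the integrity gate.
fn source_skips_integrity_gate(source: Source) -> bool {
    matches!(source, Source::Local | Source::Ghcr)
}

/// `computed` is the BLAKE3 hex digest of the downloaded file, produced elsewhere.
fn integrity_gate(source: Source, pinned: Option<&str>, computed: &str, signature_ok: bool) -> Decision {
    if let Some(raw) = pinned {
        // A pinned checksum is enforced even for exempt sources, and a
        // malformed pin fails closed instead of being silently ignored.
        return match normalize_bsum(raw) {
            None => Decision::Refuse("malformed pinned checksum"),
            Some(want) if want == computed.to_ascii_lowercase() => Decision::Allow,
            Some(_) => Decision::Refuse("checksum mismatch"),
        };
    }
    if source_skips_integrity_gate(source) || signature_ok {
        Decision::Allow
    } else {
        Decision::Refuse("no checksum or signature")
    }
}

fn main() {
    let digest = "ab".repeat(32); // constructed sample digest, not a real hash
    let pinned = format!("  {}\n", digest.to_uppercase());
    for (src, pin, sig) in [
        (Source::Local, None, false),
        (Source::Registry, None, false),
        (Source::Ghcr, Some(pinned.as_str()), false),
        (Source::Local, Some("abc"), true),
    ] {
        let decision = integrity_gate(src, pin, &digest, sig);
        println!("{:?} pinned={} sig={} -> {:?}", src, pin.is_some(), sig, decision);
    }
}
```
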