implement "cue-verified" field as a check that a yaml file has been

verified by the cue schema

Author: douwe

R/guide.R

@@ -8,10 +8,22 @@
 #' type, as well as instructions how to create and test the validity, please
 #' see the vignettes.
 #'
+#' @param verify_hash If \code{TRUE}, checks that the guide file contains a
+#'   \code{cue.verified} field with a valid SHA256 hash, confirming it was
+#'   signed by \code{validate_and_sign.sh} after successful CUE validation.
+#'   Issues a warning when the field is absent; aborts when the field is
+#'   present but malformed. Does not recompute the hash (use
+#'   \code{verify_guide.sh} in \code{data-raw/} for full hash verification).
+#'   Defaults to \code{FALSE}.
 #' @export
 #'
-read_guide <- function(path) {
+read_guide <- function(path, verify_hash = FALSE) {
   guide <- yaml::read_yaml(path)
+
+  if (verify_hash) {
+    check_cue_hash(path, guide)
+  }
+
   check_guide(guide)
 
   if ("translations" %in% names(guide)) {

R/utils.R

@@ -1,3 +1,45 @@
+#' Verify the CUE validation hash embedded in a guide file
+#'
+#' Checks that the \code{cue.verified} field is present and correctly formatted.
+#' This confirms the guide was processed by \code{validate_and_sign.sh} after
+#' passing CUE schema validation. The hash itself is not recomputed from R;
+#' use \code{verify_guide.sh} in \code{data-raw/} for full hash verification.
+#'
+#' @param path Path to the guide YAML file (used only in messages)
+#' @param guide Already-parsed guide list (from \code{yaml::read_yaml})
+#' @return Invisibly \code{NULL}; called for its side effects (warnings/errors)
+#' @noRd
+#'
+check_cue_hash <- function(path, guide) {
+  stored_hash <- guide[["cue.verified"]]
+
+  if (is.null(stored_hash)) {
+    rlang::warn(
+      c(
+        "!" = glue::glue("Guide file has no 'cue.verified' field: {path}"),
+        "i" = "Run validate_and_sign.sh to validate with CUE and embed a verification hash."
+      ),
+      use_cli_format = TRUE
+    )
+    return(invisible(NULL))
+  }
+
+  if (!grepl("^sha256:[a-f0-9]{64}$", stored_hash)) {
+    rlang::abort(glue::glue(
+      "The 'cue.verified' field has an invalid format in {path}.\n",
+      "  Found:    '{stored_hash}'\n",
+      "  Expected: 'sha256:<64 lowercase hex characters>'"
+    ))
+  }
+
+  rlang::inform(
+    c("v" = glue::glue("Guide CUE-verified: {stored_hash}")),
+    use_cli_format = TRUE
+  )
+
+  invisible(NULL)
+}
+
 #' Create a table from a list of key-value pairs
 #' @param kvlist A list of key-value pairs
 #' @param guide A data guide

data-raw/excelguide_schema.cue

@@ -1,4 +1,4 @@
-// usage: cue vet -c schema.cue file.yml
+// usage: cue vet -c excelguide_schema.cue file.yml
 
 // Excel Data Guide Schema
 // This schema validates Excel template guide files that describe how to extract
@@ -13,6 +13,21 @@
 "locations"!: [...#Location]
 "translations": [...#Translation]
 
+// Optional field added by validate_and_sign.sh after successful CUE validation.
+// Format: sha256:<64 lowercase hex characters>
+"cue.verified"?: =~"^sha256:[a-f0-9]{64}$"
+
+// Validate that exactly one location uses the reserved varname ".template"
+// (list comprehension filters locations; [_] asserts exactly one match exists)
+// _templateLocations: [for loc in locations if loc.varname == ".template" {loc}]
+// _templateLocations: [_]
+// NOTE: the constraint "at least one location must have varname == '.template'" cannot
+// be expressed here. CUE comprehensions require a closed, concrete list to iterate
+// over, but "locations" is an open list type ([...#Location]). Additionally,
+// string-labelled fields ("locations"!) are not resolvable as identifier references
+// inside a for expression, which causes a "reference not found" error at vet time.
+// This constraint is enforced at runtime by check_guide() in R/guide.R instead.
+
 // Version constraint: must be in major.minor format (e.g., "1.0", "2.3")
 #Version: =~"^\\d+\\.\\d+$"
 

data-raw/shell.nix

@@ -11,5 +11,6 @@ in
 pkgs.mkShellNoCC {
   packages = with pkgs; [
     cue
+    yq-go  # YAML processor used by validate_and_sign.sh and verify_guide.sh
   ];
 }

data-raw/validate_and_sign.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+# validate_and_sign.sh
+#
+# Validates a guide YAML file against the CUE schema and, on success, embeds a
+# SHA256 hash of the validated content into the file as the 'cue.verified' field.
+# Running this script a second time on an already-signed file is safe: the
+# existing 'cue.verified' field is stripped before hashing so the hash is stable.
+#
+# Usage:
+#   ./validate_and_sign.sh <guide.yml>
+#
+# Example:
+#   ./validate_and_sign.sh guide_competition_1_0_source.yml
+#
+# Requirements: cue, yq (go-yq), sha256sum
+# Install via the accompanying shell.nix: nix-shell
+
+set -euo pipefail
+
+FILE="${1:?Usage: validate_and_sign.sh <guide.yml>}"
+SCHEMA="$(dirname "$0")/excelguide_schema.cue"
+
+# --------------------------------------------------------------------------- #
+# Sanity checks
+# --------------------------------------------------------------------------- #
+
+if [ ! -f "$FILE" ]; then
+  echo "Error: file not found: $FILE" >&2
+  exit 1
+fi
+
+if [ ! -f "$SCHEMA" ]; then
+  echo "Error: schema not found: $SCHEMA" >&2
+  exit 1
+fi
+
+for cmd in cue yq sha256sum; do
+  if ! command -v "$cmd" &>/dev/null; then
+    echo "Error: required command not found: $cmd" >&2
+    echo "       Start a nix-shell in this directory to get all dependencies." >&2
+    exit 1
+  fi
+done
+
+# --------------------------------------------------------------------------- #
+# Prepare a stripped temporary copy (without any existing cue.verified field)
+# --------------------------------------------------------------------------- #
+
+TMPFILE=$(mktemp /tmp/guide_XXXXXX.yml)
+trap 'rm -f "$TMPFILE"' EXIT
+
+yq 'del(.["cue.verified"])' "$FILE" > "$TMPFILE"
+
+# --------------------------------------------------------------------------- #
+# CUE validation
+# --------------------------------------------------------------------------- #
+
+echo "Validating ${FILE} ..."
+
+if ! cue vet -c "$SCHEMA" "$TMPFILE"; then
+  echo ""
+  echo "CUE validation FAILED — 'cue.verified' was NOT embedded." >&2
+  exit 1
+fi
+
+# --------------------------------------------------------------------------- #
+# Hash the yq-normalised content and embed it in the original file
+#
+# The hash is computed over the yq-normalised YAML (without cue.verified).
+# yq normalises whitespace, quoting style, and key order within scalars,
+# making the hash stable across cosmetic edits to the original file.
+# --------------------------------------------------------------------------- #
+
+HASH=$(sha256sum "$TMPFILE" | cut -d' ' -f1)
+
+yq -i ".\"cue.verified\" = \"sha256:${HASH}\"" "$FILE"
+
+echo "Validation passed."
+echo "Embedded: sha256:${HASH}"

data-raw/verify_guide.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# verify_guide.sh
+# Verifies that a guide YAML has been CUE-validated and has not changed since
+# it was signed by validate_and_sign.sh.
+#
+# Usage:  ./verify_guide.sh <guide.yml>
+# Exit code 0: valid and unmodified
+# Exit code 1: missing signature or hash mismatch
+
+set -euo pipefail
+
+FILE="${1:?Usage: verify_guide.sh <guide.yml>}"
+
+if [ ! -f "$FILE" ]; then
+  echo "Error: file not found: $FILE" >&2
+  exit 1
+fi
+
+# Extract the stored hash value
+STORED_HASH=$(yq '."cue.verified" // ""' "$FILE")
+
+if [ -z "$STORED_HASH" ] || [ "$STORED_HASH" = "null" ]; then
+  echo "FAIL: no 'cue.verified' field found in $FILE" >&2
+  echo "      Run validate_and_sign.sh to validate with CUE and embed a hash." >&2
+  exit 1
+fi
+
+# Strip the cue.verified field and recompute the hash, identical to validate_and_sign.sh
+TMPFILE=$(mktemp /tmp/guide_XXXXXX.yml)
+trap 'rm -f "$TMPFILE"' EXIT
+
+yq 'del(.["cue.verified"])' "$FILE" > "$TMPFILE"
+CURRENT_HASH="sha256:$(sha256sum "$TMPFILE" | cut -d' ' -f1)"
+
+# Compare stored vs recomputed
+if [ "$STORED_HASH" = "$CURRENT_HASH" ]; then
+  echo "OK: $FILE"
+  echo "    Signed with: $STORED_HASH"
+else
+  echo "FAIL: $FILE — hash mismatch, file was modified after signing." >&2
+  echo "  stored:  $STORED_HASH" >&2
+  echo "  current: $CURRENT_HASH" >&2
+  exit 1
+fi

tests/testthat/fixtures/guide_competition_1_0.yml

@@ -1,6 +1,6 @@
-guide.version: '1.0'
+guide.version: "1.0"
 template.name: competition
-template.min.version: '9.3'
+template.min.version: "9.3"
 template.max.version: ~
 plate.format: 96
 locations:
@@ -142,3 +142,4 @@ translations:
     short: itm2Mw
   - long: Run identifier 2
     short: run2ID
+cue.verified: sha256:872121d48d04cb6d17c29f3ffff7af432fa619f641757a423e2bb0dc64deab00