Elgato_dark/ring
1
0
Fork 0
mirror of https://github.com/LerianStudio/ring synced 2026-04-21 21:47:49 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
ring/default/lib/codereview/README.md
Fred Amaral 753908661c
docs(codereview): add security model and checksum verification documentation 
- Add Security Model section to codereview README with verification instructions

- Add Binary Security reference to root README

- Document RING_ALLOW_UNVERIFIED environment variable in MANUAL.md

X-Lerian-Ref: 0x1
2026-01-14 19:05:48 -03:00

181 lines
5.2 KiB
Markdown
Raw Blame History

# Ring Codereview Binaries
Pre-compiled binaries for the Ring codereview pipeline. These tools perform static analysis, AST extraction, call graph generation, and context compilation for AI-assisted code review.
## Binaries
| Binary | Purpose |
|--------|---------|
| `run-all` | Pipeline orchestrator - runs all analysis phases in sequence |
| `scope-detector` | Detects changed files and determines review scope |
| `static-analysis` | Runs language-specific static analysis tools |
| `ast-extractor` | Extracts Abstract Syntax Tree data from source files |
| `call-graph` | Generates function/method call relationships |
| `data-flow` | Analyzes data flow patterns and dependencies |
| `compile-context` | Compiles analysis results into reviewer-specific context |
## Platform Support
| Platform | Architecture | Directory |
|----------|--------------|-----------|
| macOS Intel | amd64 | `bin/darwin_amd64/` |
| macOS Apple Silicon | arm64 | `bin/darwin_arm64/` |
| Linux x86_64 | amd64 | `bin/linux_amd64/` |
| Linux ARM | arm64 | `bin/linux_arm64/` |
## Directory Structure
```
default/lib/codereview/
├── README.md
└── bin/
├── darwin_amd64/
│ ├── run-all
│ ├── scope-detector
│ ├── static-analysis
│ ├── ast-extractor
│ ├── call-graph
│ ├── data-flow
│ └── compile-context
├── darwin_arm64/
│ └── ... (same binaries)
├── linux_amd64/
│ └── ... (same binaries)
└── linux_arm64/
└── ... (same binaries)
```
## Security Model
The codereview binaries use a hybrid security approach combining checksum verification with build-from-source fallback.
### How It Works
```
Binary Found? ──Yes──> Verify Checksum ──Pass──> Execute
│ │
No Fail
│ │
└────> Build from Source <────┘
┌─────┴─────┐
Success Fail
│ │
Execute Degraded Mode
```
### Checksum Verification
Each platform directory contains a `CHECKSUMS.sha256` file with SHA256 hashes for all binaries:
```
default/lib/codereview/bin/
├── CHECKSUMS.sha256 # All platforms (28 entries)
├── darwin_amd64/
│ └── CHECKSUMS.sha256 # 7 entries
├── darwin_arm64/
│ └── CHECKSUMS.sha256 # 7 entries
├── linux_amd64/
│ └── CHECKSUMS.sha256 # 7 entries
└── linux_arm64/
└── CHECKSUMS.sha256 # 7 entries
```
**Manual verification:**
```bash
# Linux
cd default/lib/codereview/bin/linux_amd64
sha256sum --check CHECKSUMS.sha256
# macOS
cd default/lib/codereview/bin/darwin_arm64
shasum -a 256 --check CHECKSUMS.sha256
```
### Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| `RING_ALLOW_UNVERIFIED` | `false` | Set to `true` to bypass checksum verification (development only) |
**Security implications:**
- When `false` (default): Missing or invalid checksums cause the pipeline to fail or trigger build-from-source
- When `true`: Binaries execute without verification (NOT recommended for production)
### What This Protects Against
| Threat | Protection |
|--------|------------|
| Tampered binaries | Checksum mismatch triggers rebuild |
| Missing checksums | Fails closed (requires explicit bypass) |
| TOCTOU race conditions | Atomic verify-and-execute pattern |
| Partial string bypass | Exact match verification |
### Limitations
- **Integrity, not authenticity**: Checksums verify the binary hasn't changed, not who created it
- **Future enhancement**: GPG/Sigstore signatures planned for authenticity verification
## Rebuilding Binaries
### Prerequisites
- Go 1.21 or later
- Access to the Ring repository
### Build Commands
From the repository root:
```bash
# Build all platforms
./scripts/codereview/build-release.sh
# Clean and rebuild all platforms
./scripts/codereview/build-release.sh --clean
# Build specific platform only
./scripts/codereview/build-release.sh --platform=darwin/arm64
./scripts/codereview/build-release.sh --platform=linux/amd64
```
### Build Options
| Option | Description |
|--------|-------------|
| `--clean` | Remove existing binaries before building |
| `--platform=<os/arch>` | Build only for specific platform |
| `--help` | Show usage information |
### Build Flags
Binaries are built with the following flags for optimization:
- `-ldflags="-s -w"` - Strips debug symbols for smaller binary size
### Source Location
Source code is located at: `scripts/codereview/cmd/<binary>/`
## Usage
The binaries are automatically selected based on the current platform when invoked through the Ring codereview pipeline. For manual usage:
```bash
# Direct invocation (example for macOS ARM)
./default/lib/codereview/bin/darwin_arm64/run-all --help
# Or add to PATH
export PATH="$PATH:$(pwd)/default/lib/codereview/bin/darwin_arm64"
run-all --help
```
## Version Information
Binaries are rebuilt when:
- Source code changes in `scripts/codereview/cmd/`
- Go version is updated
- Build flags are modified
To verify binary integrity, compare SHA256 checksums after building locally.
Reference in a new issue View git blame Copy permalink