[codex] Scope manifest SQLite cache to location

[Fieldnote-Echo]

Summary

• include canonical manifest path and canonical base directory in SQLite verification cache keys
• migrate existing SQLite report tables so older rows stop matching cache lookups until reverified
• add regression coverage for copied manifests in separate directories returning fresh canonical paths
• add SQLite row-identity JSONL drift coverage
• add Rustdoc TOCTOU boundary notes for verify_for_load, verify_document_for_load, and VerifiedLoadPlan

Why

Cached verification reports contain canonical paths. Without location scoping, a byte-identical manifest copied to another directory could reuse a prior report and return stale canonical paths from the original location.

Validation

• cargo test -p ordvec-manifest --all-features sqlite_cache_key
• cargo test -p ordvec-manifest --all-features
• cargo test -p ordvec-manifest --no-default-features
• cargo clippy -p ordvec-manifest --all-targets --all-features -- -D warnings
• git diff --check
• adversarial subagent review found no release-blocking issues

Stacked on #177.

[Fieldnote-Echo]

/agentic_review

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

Previous review results

Review updated until commit 3064191

Results up to commit 3064191

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

[gemini-code-assist]

Code Review

This pull request scopes SQLite verification reports to the manifest's location by introducing a manifest_location_sha256 field to the cache key. This prevents copied manifests at distinct locations from incorrectly reusing cached reports. Additionally, it adds documentation comments to key verification functions and introduces new integration tests to verify location-scoping and row-identity drift detection. There are no review comments to address, so no further feedback is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[qodo-code-review]

Review Summary by Qodo

Scope manifest SQLite cache to location with canonical path verification

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Scope SQLite verification cache to manifest location using canonical paths
  - Prevents byte-identical manifests in different directories from reusing stale cached reports
  - Adds manifest_location_sha256 field to cache key and database schema
• Migrate existing SQLite verification_reports table to include location scoping
  - Ensures older cached rows stop matching until reverified
• Add Rustdoc documentation for TOCTOU boundaries in load verification functions
  - Documents that verify_for_load, verify_document_for_load, and VerifiedLoadPlan do not
  provide file locking or immutability guarantees
• Add regression test coverage for copied manifests and JSONL row-identity drift
  - Tests that manifests copied to separate directories return fresh canonical paths
  - Tests that row-identity file changes force fresh verification

Diagram

flowchart LR
  A["Manifest at Location A"] -->|canonicalize path + base_dir| B["manifest_location_sha256"]
  C["Manifest at Location B"] -->|canonicalize path + base_dir| D["manifest_location_sha256"]
  B -->|add to cache key| E["SQLite Cache Lookup"]
  D -->|add to cache key| E
  E -->|location differs| F["Fresh Verification"]
  E -->|location matches| G["Cached Report"]

Loading

File Changes

1. ordvec-manifest/src/lib.rs 📝 Documentation +21/-0

Add TOCTOU boundary documentation to load verification

• Add Rustdoc comments to verify_for_load documenting fail-closed behavior and TOCTOU boundaries
• Add Rustdoc comments to verify_document_for_load explaining relationship to verify_for_load
• Add Rustdoc comments to VerifiedLoadPlan struct clarifying it is not a durable capability over
 mutable storage

ordvec-manifest/src/lib.rs

---

2. ordvec-manifest/src/sqlite.rs 🐞 Bug fix +58/-12

Add manifest location scoping to SQLite cache key

• Add manifest_location_sha256 field to CacheKey struct to scope cache to file location
• Add manifest_location_sha256 column to SQLite verification_reports table schema
• Add manifest_location_sha256 to cache lookup index for efficient queries
• Implement manifest_location_sha256() function that canonicalizes manifest path and base
 directory, then hashes them as JSON
• Update store_report() to persist location hash in database
• Update load_cached_report() to include location hash in WHERE clause with adjusted parameter
 indices
• Update current_cache_key() and cache_key_from_report() to compute and include manifest
 location hash
• Update verification_reports_needs_migration() to check for new manifest_location_sha256 column
• Add CacheableManifestLocation struct to serialize manifest path and base directory for hashing
• Add use std::fs import for path canonicalization

ordvec-manifest/src/sqlite.rs

---

3. ordvec-manifest/tests/manifest.rs 🧪 Tests +146/-0

Add regression tests for location scoping and row-identity drift

• Add sqlite_cache_key_is_scoped_to_manifest_location() test verifying that byte-identical
 manifests in different directories generate separate cache entries and return correct canonical
 paths
• Add sqlite_cache_key_includes_jsonl_row_identity_bytes() test verifying that changes to JSONL
 row-identity files force fresh verification and create new cache entries

ordvec-manifest/tests/manifest.rs

---

[qodo-code-review]

Code review by qodo was updated up to the latest commit 3064191