fix(api): include build-flag env vars in hosted bundle cache key#83
Merged
skullcrushercmd merged 1 commit intomainfrom Apr 28, 2026
Merged
fix(api): include build-flag env vars in hosted bundle cache key#83skullcrushercmd merged 1 commit intomainfrom
skullcrushercmd merged 1 commit intomainfrom
Conversation
When the API process runs with ANYSCAN_USE_AF_XDP=1 (or any of the sibling ANYSCAN_USE_DPDK / ANYSCAN_USE_PFRING_ZC / ANYSCAN_INSTALL_KERNEL_BACKPORT knobs), package-worker-bundle.sh rebuilds the scanner with matching feature linkage. The resulting bundle carries a feature-flagged scanner binary even though the *installed* /opt/anyscan/bin/scanner stays the same. `current_hosted_agent_bundle_source_fingerprint` previously only hashed the embedded asset payload and the installed binaries — the build-flag env vars were absent from the cache key. So a default-flags rebuild produced a fingerprint identical to a feature-flagged one and silently overwrote the cached AF_XDP/DPDK bundle. Operators bootstrapping via /api/agent/install.sh?rebuild=false then received an AF_PACKET-only stub scanner. Reported in PR #65 issuecomment-4339242358 (anygpt-52): "/api/agent/install.sh?rebuild=false served a stub scanner". Fix: fold each documented build-flag env var name + value into the fingerprint hash. Bundles built with different flags now land in different cache slots; rebuild=false serves the bundle that matches the API's current build-flag environment instead of a stale one. - BUNDLE_BUILD_FLAG_ENV_VARS pins the exact set so future ANYSCAN_USE_* knobs surface as a static-array compile-time decision. - hash_bundle_build_flag_env_vars takes an env-lookup closure so unit tests can hash hermetic inputs without poking std::env (which would race with parallel test execution). - bundle_build_flag_env_fingerprint is a #[cfg(test)] helper that produces just the build-flag contribution as a SHA-256 hex digest. Tests: - Default vs ANYSCAN_USE_AF_XDP=1 produce different fingerprints. - Each flag flipped on its own produces a unique fingerprint (no collisions between AF_XDP-only and DPDK-only builds). - Same flag with values "1" / "0" / unset are all distinct. - Repeated lookup with same input returns same fingerprint. - Static check that the four documented flags are all in the const. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When the API process runs with
ANYSCAN_USE_AF_XDP=1(or any of the siblingANYSCAN_USE_DPDK/ANYSCAN_USE_PFRING_ZC/ANYSCAN_INSTALL_KERNEL_BACKPORTknobs),package-worker-bundle.shrebuilds the scanner with matching feature linkage. The bundle carries a feature-flagged scanner even though the installed/opt/anyscan/bin/scanneris unchanged.current_hosted_agent_bundle_source_fingerprintpreviously only hashed the embedded asset payload + the installed binaries — the build-flag env vars were absent from the cache key. A default-flags rebuild produced a fingerprint identical to a feature-flagged one and silently overwrote the cached AF_XDP/DPDK bundle. Operators bootstrapping via/api/agent/install.sh?rebuild=falsethen received an AF_PACKET-only stub scanner.Reported in PR #65 issuecomment-4339242358 (anygpt-52): "/api/agent/install.sh?rebuild=false served a stub scanner".
Fix
Fold each documented build-flag env var name + value into the fingerprint hash. Bundles built with different flags now land in different cache slots;
rebuild=falseserves the bundle that matches the API's current build-flag environment instead of a stale one.BUNDLE_BUILD_FLAG_ENV_VARSpins the exact set as aconst &[&str]so any futureANYSCAN_USE_*knob surfaces as a compile-time decision (the test pin at the bottom of the test module enforces this).hash_bundle_build_flag_env_varstakes an env-lookup closure so unit tests can hash hermetic inputs without pokingstd::env(which would race with parallelcargo testexecution).Test plan
cargo test --bin anyscan-api— 36 tests pass (including 5 new)ANYSCAN_USE_AF_XDP=1produce different fingerprints\"1\"/\"0\"/ unset are all distinct🤖 Generated with Claude Code