skip to content
Jobs

Prove Your Rebuild Matches the Shipped Binary

A comment-stripped source tree, a byte-reproducible build, and a script that lets a customer check both.

Gantry milestones
A comment-stripped source tree, a byte-reproducible build, and a script that lets a customer check both.

Gantry is sold as source-available: a paying customer gets the code, not just the binary. That raises a question the download alone cannot answer — is the readable source really what this binary was built from? Two things stood in the way. The shipped source still carried internal comments, some of which say more than a customer should see, and an ordinary rebuild of the same code lands on different bytes, because absolute build paths and a build timestamp leak into the compiled result.

This job closed both. It built a tool that removes comments from the source while keeping license headers and documentation intact, reworked the release so the binary is compiled from that stripped tree in a way two independent builds reproduce byte for byte, and shipped a script the customer runs to rebuild the binary and check, against a signed checksum, that their result is identical to the one they downloaded. If the script reports a match, the source a customer can read is provably the source their binary came from.

Build

The work split into three milestones — strip the source, build it reproducibly, let the customer verify — with the comment-stripping lexer built first in isolation as the primitive everything downstream depends on. The difficulty concentrated at the customer-verify boundary.

The order was chosen so each piece could be grounded before the next relied on it. The first milestone built the load-bearing primitive alone: a lexer-based stripper and a matching comment-absence checker sharing one tokenizer, so a `//` inside a string literal is never mistaken for a comment. Pinning that down in isolation — before any tree-walking or build wiring — meant every later claim of a comment-free tree rested on something already tested. Its opening sprint was sent back for a re-plan, and the milestone surfaced a boundary the plan had not fully drawn: some files cannot be tokenized and legitimately keep their comments, an exception every later stage then had to treat as expected rather than as a failure.

The second milestone hit its own redrawn boundary early. The stripped tree did not compile, because the workspace declared a member the strip transform had removed, and reconciling that against a byte-identical lock file forced a re-plan before the reproducible-build configuration could be pinned. This milestone also established the fact that shaped the third: a bare locked build does not reproduce the binary, because the path-remapping and build-timestamp inputs are supplied at build time and are not present in the shipped source.

That fact is why the difficulty lived in the customer-verify milestone. The verify script has to replicate those two inputs from the customer's own environment before it builds, root its comparison in the signed checksum file without adding entries a release gate rejects, and survive a full round-trip of the archive. Several of its sprints went red at the gate and were repaired — one only after an investigate stage — and its script sprint was itself re-planned. This was the piece where reproducing a build from the outside was genuinely hard, and the run's repairs land exactly there.

Feature

Before this job, Gantry shipped source but nothing let a customer prove their binary was built from it, and the source still carried internal comments. The job left a comment-stripping tool, a byte-reproducible release build, and a customer verification script — all present in the tree today.

Before this, Gantry's source-available release was source you had to take on faith. Nothing connected the code a customer could read to the binary they ran, and the code itself exposed internal narration in its comments.

Three pieces answer that, and every one of them is in the tree today. The comment-strip tool, in its own crate, does real lexing rather than pattern-matching, so comments inside string and raw-string literals and nested block comments are classified correctly while doc comments and license headers are preserved; a companion checker built on the same lexer proves the output is clean. The release scripts — the source-archive builder, the local-release builder, and a shared reproducible-build environment fragment — compile the shipped binary from that stripped tree with the toolchain pinned and the path and timestamp inputs fixed, so two independent builds agree byte for byte. The customer's half, `verify-build.sh`, rebuilds under that same environment and prints a match-or-mismatch verdict anchored in the signed checksum file.

Standing in the current worktree, the design holds. All of the files the job introduced still exist at the current commit, the verify script and the strip tool among them, and the packaging documentation still describes the verifier and its conveyed build inputs. The stripper's core has been reworked since — a meaningful share of its lines rewritten as it was extended — but the capability and its structure are intact, not folded away or replaced.

43 sessions
peak 212,159 · median execute 137,327 · heaviest 212,159 (02-build-from-stripped-tree / 02) context
3,331 in / 942,792 out tokens
$112.05 cost
3 x 15 milestones x sprints
154 edits
562 commands
6h 13m duration
17 execute · 19 review · 4 plan · 5 replan · 4 fix · 3 gate-build · 1 investigate roles
4 x 5 fixes x replans
claude harness