@agfpd/iapeer 0.2.8 → 0.2.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agfpd/iapeer",
-  "version": "0.2.8",
+  "version": "0.2.9",
   "description": "Foundation core for the iapeer multi-agent ecosystem: identity, registry, storage, codec.",
   "type": "module",
   "bin": {

package/src/update/index.ts

@@ -6,9 +6,10 @@
 // Flow:
 //   1. latest = `npm view @agfpd/iapeer version`           (the cloud's truth)
 //   2. installed == latest && !--force → "already latest"  (no needless rebuild/restart)
-//   3. `npx @agfpd/iapeer@<latest> install`                (fetch + rebuild ~/.local/bin/iapeer
-//      atomically; the COMPILED binary can't rebuild itself from source, so we shell to
-//      npx, which runs the freshly-fetched package's own install — same path consumers use)
+//   3. fetch the published tarball + build from its SOURCE (defaultRunInstall) — the
+//      COMPILED binary can't rebuild itself, so we pull the freshly-published package
+//      and run ITS own source installer. DELIBERATELY NOT `npx … install` (see
+//      defaultRunInstall for why npx is unsafe here).
 //   4. kickstart com.agfpd.iapeer IF loaded                (activate the new binary)
 //
 // Scope: the foundation ONLY (the @agfpd/iapeer binary + its daemon). It never
@@ -20,7 +21,10 @@
 // unit-testable with no network and no launchctl; the defaults are the real impls.
 
 import { spawnSync } from 'child_process'
+import { mkdtempSync, readdirSync, rmSync } from 'fs'
 import { connect } from 'net'
+import { tmpdir } from 'os'
+import { join } from 'path'
 import { IapError } from '../core/errors.ts'
 import { IAPEER_VERSION } from '../core/version.ts'
 import { kickstartDaemon, type DaemonRestartResult } from '../launch/launchd.ts'
@@ -144,14 +148,51 @@ function defaultResolveVersion(spec: string, env: NodeJS.ProcessEnv): string | n
   return SEMVER_RE.test(v) ? v : null
 }
 
-/** Default installer: `npx -y @agfpd/iapeer@<version> install` (pull from cloud + rebuild). */
+/**
+ * Default installer — fetch the published tarball and build from its SOURCE,
+ * DELIBERATELY bypassing `npx`. Pull from the cloud + rebuild ~/.local/bin/iapeer.
+ *
+ * Why not `npx -y @agfpd/iapeer@<v> install`: the package's bin is named `iapeer`,
+ * and once `~/.local/bin/iapeer` is on PATH (true on every host AFTER the first
+ * install) npx resolves that bin NAME to the COMPILED binary already on PATH and
+ * runs ITS `install` — which cannot rebuild itself from source (`bun build --compile`
+ * gets a `/$bunfs/root` entrypoint → FileNotFound) — instead of fetching + running the
+ * freshly-published source. Verified reproducible (09.06, 0.2.8 deploy): with NO
+ * `iapeer` on PATH the same npx invocation prints `command not found` — it never
+ * installs the package — so this is a structural bin-name collision, NOT the
+ * publish-propagation transient (waiting/retry does not cure it).
+ *
+ * Deterministic path instead — no npx command-resolution in the loop:
+ *   1. `npm pack <pkg>@<v>` → the published tarball (rooted at `package/`).
+ *   2. `tar xzf` → extract.
+ *   3. `npm install --omit=dev` in the extracted dir — the tarball ships only
+ *      src/bin (no node_modules), and the source build imports prod deps
+ *      (@modelcontextprotocol/sdk, …).
+ *   4. run the package's OWN bin shim `bash <pkg>/bin/iapeer install` — that is
+ *      `bun src/cli/index.ts install` from the REAL fetched source → builds the prod
+ *      binary atomically (keeps `.prev`).
+ * Needs npm + tar + bash + bun on PATH (the toolchain the bootstrap already assumes).
+ */
 function defaultRunInstall(version: string, env: NodeJS.ProcessEnv): boolean {
   if (env.IAPEER_TEST_SANDBOX === '1') {
-    // A real npx install rebuilds the prod ~/.local/bin/iapeer — never under a test.
-    throw new IapError('refusing a real `npx install` under IAPEER_TEST_SANDBOX=1 — inject runInstall in tests')
+    // A real install rebuilds the prod ~/.local/bin/iapeer — never under a test.
+    throw new IapError('refusing a real install under IAPEER_TEST_SANDBOX=1 — inject runInstall in tests')
+  }
+  const tmp = mkdtempSync(join(tmpdir(), 'iapeer-deploy-'))
+  try {
+    const pack = spawnSync('npm', ['pack', '--silent', '--pack-destination', tmp, `${IAPEER_PACKAGE}@${version}`], { encoding: 'utf8', env })
+    if (pack.status !== 0) return false
+    const tgz = readdirSync(tmp).find(f => f.endsWith('.tgz'))
+    if (!tgz) return false
+    if (spawnSync('tar', ['xzf', join(tmp, tgz), '-C', tmp], { env }).status !== 0) return false
+    const pkg = join(tmp, 'package') // npm-pack tarballs always root at `package/`
+    const deps = spawnSync('npm', ['install', '--omit=dev', '--no-audit', '--no-fund', '--silent'], { cwd: pkg, stdio: 'inherit', env })
+    if (deps.status !== 0) return false
+    const build = spawnSync('bash', [join(pkg, 'bin', 'iapeer'), 'install'], { stdio: 'inherit', env })
+    return build.status === 0
+  } finally {
+    rmSync(tmp, { recursive: true, force: true })
   }
-  const r = spawnSync('npx', ['-y', `${IAPEER_PACKAGE}@${version}`, 'install'], { stdio: 'inherit', env })
-  return r.status === 0
 }
 
 /**

package/src/update/update.test.ts

@@ -137,9 +137,9 @@ describe('updateIapeer — failure paths', () => {
 })
 
 describe('updateIapeer — real-installer sandbox guard', () => {
-  test('default runInstall refuses a real npx install under IAPEER_TEST_SANDBOX', () => {
+  test('default runInstall refuses a real install under IAPEER_TEST_SANDBOX', () => {
     // fetchLatest injected (newer) so the gate proceeds to the DEFAULT installer,
-    // which must refuse rather than npx-install over the prod ~/.local/bin/iapeer.
+    // which must refuse rather than fetch+build over the prod ~/.local/bin/iapeer.
     expect(() =>
       updateIapeer({
         env: { IAPEER_TEST_SANDBOX: '1' },