@charlescms/astro 0.1.0

package/connector/worker.js

@@ -0,0 +1,505 @@
+const githubApiBase = "https://api.github.com";
+const tokenCache = new Map();
+
+export default {
+  async fetch(request, env) {
+    const origin = request.headers.get("origin") || "";
+    const cors = corsHeaders(origin, env);
+    if (request.method === "OPTIONS") return new Response(null, { headers: cors });
+
+    try {
+      if (!isAllowedOrigin(origin, env)) {
+        return json({ error: "Origin is not allowed by this CharlesCMS connector." }, 403, cors);
+      }
+      const url = new URL(request.url);
+      // The unauthenticated health ping (used by `doctor` and uptime checks)
+      // returns before auth — only /api/* actions require the editor password.
+      if (request.method !== "POST" || !url.pathname.startsWith("/api/")) {
+        return json({ ok: true, service: "charlescms-connector" }, 200, cors);
+      }
+      const auth = await authorizeRequest(request, env);
+      if (!auth.ok) {
+        return json({ error: auth.error || "Not authorized to edit this site." }, auth.status || 401, cors);
+      }
+
+      const action = url.pathname.slice("/api/".length);
+      const body = await request.json().catch(() => ({}));
+      const repo = normalizeRepo(body.repo);
+      if (!isAllowedRepo(repo, env)) {
+        return json({ error: "Repository is not allowed by this CharlesCMS connector." }, 403, cors);
+      }
+      const branch = String(body.branch || env.DEFAULT_BRANCH || env.GITHUB_BRANCH || "main");
+      let path = "";
+      let sha;
+      if (action === "file") path = safeCmsPath(body.path);
+      if (action === "write") {
+        path = safeSourcePath(body.path);
+        sha = requiredSha(body.sha);
+      }
+      if (action === "upload") {
+        path = safePublicPath(body.path);
+        sha = body.sha ? requiredSha(body.sha) : undefined;
+        if (!sha && !isNewUploadPath(path)) {
+          throw new ConnectorHttpError("New media files may only be created in public/uploads.", 400);
+        }
+      }
+      const providerApi = await createGitHubApi(env, repo);
+
+      if (action === "verify") {
+        const repository = await providerApi.repo(repo);
+        return json({
+          defaultBranch: repository.default_branch || "main",
+          private: Boolean(repository.private)
+        }, 200, cors);
+      }
+
+      if (action === "file") {
+        const file = await providerApi.getFile(repo, path, String(body.ref || branch));
+        return json(file, 200, cors);
+      }
+
+      if (action === "write") {
+        const commit = await providerApi.putFile(repo, path, String(body.source ?? ""), {
+          branch,
+          sha,
+          message: body.message || `Update content: ${path}`
+        });
+        return json(commit, 200, cors);
+      }
+
+      if (action === "upload") {
+        const commit = await providerApi.putBase64(repo, path, String(body.base64 || ""), {
+          branch,
+          sha,
+          message: body.message || `Upload media: ${path}`
+        });
+        return json(commit, 200, cors);
+      }
+
+      if (action === "commits") {
+        const commits = await providerApi.listCommits(repo, branch, body.limit);
+        return json({ commits }, 200, cors);
+      }
+
+      if (action === "revert") {
+        const result = await providerApi.revertCommit(repo, branch, String(body.sha || ""));
+        return json(result, 200, cors);
+      }
+
+      return json({ error: "Unknown connector action." }, 404, cors);
+    } catch (error) {
+      return json({ error: error.message || "Connector failed." }, error.status || 500, cors);
+    }
+  }
+};
+
+// ── Editor auth ──────────────────────────────────────────────────────────────
+// Editing/publishing requires the shared editor secret AUTH_SECRET (sent as the
+// "x-charlescms-auth" header), checked in constant time, on top of the origin +
+// repo allow-lists. The connector FAILS CLOSED: with no AUTH_SECRET set it
+// refuses every action, so a misconfigured deploy can never publish openly.
+// For multi-user or higher-value sites, upgrade beyond a single shared secret:
+//   • Cloudflare Access (recommended): put this Worker behind Access and verify
+//     the "Cf-Access-Jwt-Assertion" header against your team's JWKS.
+//   • GitHub OAuth: verify the signed-in user has push access to the repo.
+// Also add a Cloudflare rate-limiting rule on /api/* to blunt secret guessing.
+async function authorizeRequest(request, env) {
+  const secret = String(env.AUTH_SECRET || "");
+  // Fail closed: a connector with no editor secret would let anyone who can load
+  // the site from an allowed origin publish to the repo. Refuse to act until an
+  // AUTH_SECRET is configured (set it with `wrangler secret put AUTH_SECRET`).
+  if (!secret) {
+    return { ok: false, status: 503, error: "This connector has no editor secret set. Configure the AUTH_SECRET secret on the Worker before editing." };
+  }
+  const provided = request.headers.get("x-charlescms-auth") || "";
+  if (!(await timingSafeEqual(provided, secret))) {
+    return { ok: false, status: 401, error: "Missing or invalid editor credentials." };
+  }
+  return { ok: true };
+}
+
+// Constant-time secret comparison. Both inputs are hashed to a fixed-length
+// digest first (so neither the length nor an early-mismatch position leaks
+// through timing), then compared with a branchless XOR accumulator.
+async function timingSafeEqual(a, b) {
+  const encoder = new TextEncoder();
+  const [da, db] = await Promise.all([
+    crypto.subtle.digest("SHA-256", encoder.encode(a)),
+    crypto.subtle.digest("SHA-256", encoder.encode(b))
+  ]);
+  const va = new Uint8Array(da);
+  const vb = new Uint8Array(db);
+  let diff = 0;
+  for (let i = 0; i < va.length; i++) diff |= va[i] ^ vb[i];
+  return diff === 0;
+}
+
+async function createGitHubApi(env, repo) {
+  const appJwt = await createAppJwt(env);
+  const installationId = env.GITHUB_INSTALLATION_ID || await findInstallationId(appJwt, repo);
+  const token = await installationToken(env, appJwt, installationId);
+
+  const githubFetch = async (path, init = {}) => {
+    const response = await fetch(`${githubApiBase}${path}`, {
+      ...init,
+      headers: {
+        ...githubHeaders(token),
+        ...init.headers
+      }
+    });
+    if (!response.ok) throw await githubError(response, "GitHub request failed");
+    return response;
+  };
+
+  const getFile = async (targetRepo, path, ref) => {
+    const response = await fetch(`${githubApiBase}/repos/${targetRepo}/contents/${encodeUriPath(path)}?ref=${encodeURIComponent(ref)}`, {
+      headers: githubHeaders(token)
+    });
+    if (response.status === 404) return null;
+    if (!response.ok) throw await githubError(response, "GitHub file read failed");
+    const data = await response.json();
+    if (data.type !== "file" || !data.content || !data.sha) {
+      throw new ConnectorHttpError("GitHub response did not contain an editable file.", 400);
+    }
+    return { sha: data.sha, source: decodeBase64(data.content) };
+  };
+
+  const putFile = async (targetRepo, path, source, options) => putContent(targetRepo, path, encodeBase64(source), options);
+  const putBase64 = async (targetRepo, path, base64, options) => putContent(targetRepo, path, String(base64).replace(/\s/g, ""), options);
+
+  return {
+    repo: async (targetRepo) => (await githubFetch(`/repos/${targetRepo}`)).json(),
+    getFile,
+    putFile,
+    putBase64,
+    listCommits: async (targetRepo, branch, limit = 20) => {
+      const capped = Math.max(1, Math.min(Number(limit) || 20, 50));
+      const response = await githubFetch(`/repos/${targetRepo}/commits?sha=${encodeURIComponent(branch)}&per_page=${capped}`);
+      const commits = await response.json();
+      return commits.map((item) => ({
+        sha: item.sha,
+        url: item.html_url || "",
+        message: item.commit?.message || "",
+        author: item.commit?.author?.name || "",
+        committedAt: item.commit?.committer?.date || ""
+      }));
+    },
+    revertCommit: async (targetRepo, branch, sha) => {
+      if (!/^[a-f0-9]{7,40}$/i.test(sha)) throw new ConnectorHttpError("A valid commit sha is required.", 400);
+      const detail = await (await githubFetch(`/repos/${targetRepo}/commits/${encodeURIComponent(sha)}`)).json();
+      const parentSha = detail.parents?.[0]?.sha;
+      if (!parentSha) throw new ConnectorHttpError("Cannot revert a commit without a parent.", 400);
+      const commits = [];
+      const skipped = [];
+      for (const file of detail.files || []) {
+        // A commit may also touch files outside CharlesCMS-managed source/public
+        // (a workflow, a README, a config). Skip those instead of failing the
+        // whole revert, and report them so the editor knows the undo was partial.
+        const path = cmsManagedPath(file.filename);
+        if (!path) {
+          skipped.push(file.filename);
+          continue;
+        }
+        const current = await getFile(targetRepo, path, branch);
+        const parent = await getFile(targetRepo, path, parentSha);
+        if (!parent && current) {
+          commits.push(await deleteFile(targetRepo, path, current.sha, `Revert ${sha.slice(0, 7)}: remove ${path}`, branch));
+          continue;
+        }
+        if (!parent || current?.source === parent.source) continue;
+        commits.push(await putContent(targetRepo, path, encodeBase64(parent.source), { branch, sha: current?.sha, message: `Revert ${sha.slice(0, 7)}: restore ${path}` }));
+      }
+      return { reverted: sha, parent: parentSha, branch, commits, skipped };
+    }
+  };
+
+  async function putContent(targetRepo, path, content, { branch, sha, message }) {
+    const body = { branch, message, content };
+    if (sha) body.sha = sha;
+    const response = await githubFetch(`/repos/${targetRepo}/contents/${encodeUriPath(path)}`, {
+      method: "PUT",
+      body: JSON.stringify(body)
+    });
+    const data = await response.json();
+    return { sha: data.commit?.sha || "", url: data.commit?.html_url || "", branch };
+  }
+
+  async function deleteFile(targetRepo, path, sha, message, branch) {
+    const response = await githubFetch(`/repos/${targetRepo}/contents/${encodeUriPath(path)}`, {
+      method: "DELETE",
+      body: JSON.stringify({ branch, message, sha })
+    });
+    const data = await response.json();
+    return { sha: data.commit?.sha || "", url: data.commit?.html_url || "", branch };
+  }
+}
+
+async function findInstallationId(appJwt, repo) {
+  const response = await fetch(`${githubApiBase}/repos/${repo}/installation`, {
+    headers: githubHeaders(appJwt)
+  });
+  if (response.status === 404) {
+    throw new ConnectorHttpError("GitHub App is not installed on this repository.", 404);
+  }
+  if (!response.ok) {
+    const fallback = await findInstallationIdFromApp(appJwt);
+    if (fallback.id) return fallback.id;
+    const lookupError = await githubError(response, "GitHub installation lookup failed");
+    lookupError.message += fallback.message ? `; app installations ${fallback.message}` : "";
+    throw lookupError;
+  }
+  const data = await response.json();
+  return data.id;
+}
+
+async function findInstallationIdFromApp(appJwt) {
+  const response = await fetch(`${githubApiBase}/app/installations`, {
+    headers: githubHeaders(appJwt)
+  });
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    return { id: null, message: `lookup failed (${response.status})${data.message ? `: ${data.message}` : ""}` };
+  }
+  const installations = await response.json().catch(() => []);
+  if (!Array.isArray(installations)) return { id: null, message: "response was not a list" };
+  if (installations.length !== 1) return { id: null, message: `found ${installations.length} installations` };
+  return { id: installations[0]?.id || null, message: "" };
+}
+
+async function installationToken(env, appJwt, installationId) {
+  const key = String(installationId);
+  const cached = tokenCache.get(key);
+  if (cached && cached.expiresAt > Date.now() + 60000) return cached.token;
+  const response = await fetch(`${githubApiBase}/app/installations/${installationId}/access_tokens`, {
+    method: "POST",
+    headers: githubHeaders(appJwt),
+    body: JSON.stringify({})
+  });
+  if (!response.ok) {
+    throw await githubError(
+      response,
+      `GitHub token exchange failed for app ${env.GITHUB_APP_ID || "(missing)"} installation ${installationId || "(missing)"}`
+    );
+  }
+  const data = await response.json();
+  tokenCache.set(key, { token: data.token, expiresAt: Date.parse(data.expires_at) || Date.now() + 30 * 60 * 1000 });
+  return data.token;
+}
+
+async function githubError(response, label) {
+  const data = await response.json().catch(() => ({}));
+  const detail = data.message ? `: ${data.message}` : "";
+  return new ConnectorHttpError(`${label} (${response.status})${detail}`, response.status);
+}
+
+async function createAppJwt(env) {
+  const appId = env.GITHUB_APP_ID;
+  const issuer = env.GITHUB_CLIENT_ID || appId;
+  const privateKey = env.GITHUB_PRIVATE_KEY;
+  if (!appId || !privateKey) throw new ConnectorHttpError("GitHub App secrets are not configured.", 500);
+  const now = Math.floor(Date.now() / 1000);
+  const header = base64Url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
+  const payload = base64Url(JSON.stringify({ iat: now - 60, exp: now + 9 * 60, iss: String(issuer) }));
+  const unsigned = `${header}.${payload}`;
+  const key = await crypto.subtle.importKey(
+    "pkcs8",
+    pemToArrayBuffer(privateKey),
+    { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", key, new TextEncoder().encode(unsigned));
+  return `${unsigned}.${base64UrlBytes(new Uint8Array(signature))}`;
+}
+
+function corsHeaders(origin, env) {
+  const headers = {
+    "access-control-allow-methods": "GET, POST, OPTIONS",
+    "access-control-allow-headers": "Content-Type, X-CharlesCMS-Auth",
+    "cache-control": "no-store"
+  };
+  if (isAllowedOrigin(origin, env)) headers["access-control-allow-origin"] = origin;
+  return headers;
+}
+
+function isAllowedOrigin(origin, env) {
+  if (!origin) return true;
+  return listEnv(env.ALLOWED_ORIGINS).includes(origin);
+}
+
+function isAllowedRepo(repo, env) {
+  return listEnv(env.ALLOWED_REPOS).includes(repo);
+}
+
+function listEnv(value) {
+  return String(value || "").split(",").map((item) => item.trim()).filter(Boolean);
+}
+
+function normalizeRepo(value) {
+  const repo = String(value || "").trim();
+  if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(repo)) {
+    throw new ConnectorHttpError("Repository must be in owner/name form.", 400);
+  }
+  return repo;
+}
+
+function safePath(value) {
+  const path = String(value || "").replace(/^\/+/, "");
+  if (!path || path.split(/[\\/]/).includes("..")) {
+    throw new ConnectorHttpError("Path points outside the repository.", 400);
+  }
+  return path;
+}
+
+function safeCmsPath(value) {
+  const path = safePath(value);
+  if (isSourcePath(path) || isPublicPath(path)) return path;
+  throw new ConnectorHttpError("Path is outside CharlesCMS-managed source and public files.", 400);
+}
+
+// Same allow-list as safeCmsPath, but returns null instead of throwing — used by
+// revert, which must skip unmanaged or unsafe paths rather than abort the undo.
+function cmsManagedPath(value) {
+  try {
+    return safeCmsPath(value);
+  } catch {
+    return null;
+  }
+}
+
+function safeSourcePath(value) {
+  const path = safePath(value);
+  if (isSourcePath(path)) return path;
+  throw new ConnectorHttpError("Source writes are limited to files below a src directory.", 400);
+}
+
+function safePublicPath(value) {
+  const path = safePath(value);
+  if (isPublicPath(path)) return path;
+  throw new ConnectorHttpError("Media writes are limited to files below a public directory.", 400);
+}
+
+function isSourcePath(path) {
+  const parts = path.split("/");
+  const srcIndex = parts.lastIndexOf("src");
+  const extension = parts.at(-1)?.toLowerCase().match(/\.[a-z0-9]+$/)?.[0] || "";
+  return srcIndex >= 0
+    && srcIndex < parts.length - 1
+    && [".astro", ".md", ".mdx", ".json", ".js", ".mjs", ".cjs", ".ts", ".mts", ".cts"].includes(extension);
+}
+
+function isPublicPath(path) {
+  const parts = path.split("/");
+  const publicIndex = parts.lastIndexOf("public");
+  return publicIndex >= 0 && publicIndex < parts.length - 1;
+}
+
+function isNewUploadPath(path) {
+  return /(?:^|\/)public\/uploads\/[A-Za-z0-9._-]+$/.test(path);
+}
+
+function requiredSha(value) {
+  const sha = String(value || "").trim();
+  if (!/^[a-f0-9]{7,64}$/i.test(sha)) {
+    throw new ConnectorHttpError("An existing file SHA is required for this write.", 400);
+  }
+  return sha;
+}
+
+function githubHeaders(token) {
+  return {
+    accept: "application/vnd.github+json",
+    authorization: `Bearer ${token}`,
+    "content-type": "application/json",
+    "user-agent": "charlescms-connector",
+    "x-github-api-version": "2022-11-28"
+  };
+}
+
+function encodeUriPath(path) {
+  return path.split("/").map(encodeURIComponent).join("/");
+}
+
+function encodeBase64(value) {
+  return base64FromBytes(new TextEncoder().encode(value));
+}
+
+function decodeBase64(value) {
+  const binary = atob(String(value).replace(/\s/g, ""));
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return new TextDecoder().decode(bytes);
+}
+
+function pemToArrayBuffer(pem) {
+  const normalized = String(pem).replace(/\\n/g, "\n");
+  const isPkcs1 = normalized.includes("BEGIN RSA PRIVATE KEY");
+  const clean = normalized.replace(/-----BEGIN (RSA )?PRIVATE KEY-----|-----END (RSA )?PRIVATE KEY-----|\s/g, "");
+  const binary = atob(clean);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return isPkcs1 ? wrapRsaPkcs1AsPkcs8(bytes).buffer : bytes.buffer;
+}
+
+function wrapRsaPkcs1AsPkcs8(pkcs1) {
+  const rsaAlgorithmIdentifier = new Uint8Array([
+    0x30, 0x0d,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+    0x05, 0x00
+  ]);
+  const version = new Uint8Array([0x02, 0x01, 0x00]);
+  const privateKey = concatDer(new Uint8Array([0x04]), derLength(pkcs1.length), pkcs1);
+  const body = concatDer(version, rsaAlgorithmIdentifier, privateKey);
+  return concatDer(new Uint8Array([0x30]), derLength(body.length), body);
+}
+
+function derLength(length) {
+  if (length < 128) return new Uint8Array([length]);
+  const bytes = [];
+  let value = length;
+  while (value > 0) {
+    bytes.unshift(value & 0xff);
+    value >>= 8;
+  }
+  return new Uint8Array([0x80 | bytes.length, ...bytes]);
+}
+
+function concatDer(...parts) {
+  const total = parts.reduce((sum, part) => sum + part.length, 0);
+  const result = new Uint8Array(total);
+  let offset = 0;
+  for (const part of parts) {
+    result.set(part, offset);
+    offset += part.length;
+  }
+  return result;
+}
+
+function base64Url(value) {
+  return base64UrlBytes(new TextEncoder().encode(value));
+}
+
+function base64UrlBytes(bytes) {
+  return base64FromBytes(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+
+function base64FromBytes(bytes) {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary);
+}
+
+function json(value, status = 200, headers = {}) {
+  return new Response(JSON.stringify(value), {
+    status,
+    headers: { "content-type": "application/json", ...headers }
+  });
+}
+
+class ConnectorHttpError extends Error {
+  constructor(message, status = 500) {
+    super(message);
+    this.name = "ConnectorHttpError";
+    this.status = status;
+  }
+}

package/connector/wrangler.toml

@@ -0,0 +1,15 @@
+name = "charlescms-connector"
+main = "./worker.js"
+compatibility_date = "2026-06-04"
+
+[vars]
+# Comma-separated lists.
+ALLOWED_ORIGINS = "http://localhost:4321"
+ALLOWED_REPOS = "owner/site"
+DEFAULT_BRANCH = "main"
+
+# Set these with wrangler secret put:
+# GITHUB_APP_ID
+# GITHUB_PRIVATE_KEY
+# Optional: GITHUB_INSTALLATION_ID
+# Required editor password: AUTH_SECRET

package/package.json

@@ -0,0 +1,92 @@
+{
+  "name": "@charlescms/astro",
+  "version": "0.1.0",
+  "description": "Source-native live CMS editor for Astro sites.",
+  "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Charles-CMS/astro.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Charles-CMS/astro/issues"
+  },
+  "homepage": "https://github.com/Charles-CMS/astro#readme",
+  "main": "./src/index.js",
+  "bin": {
+    "charlescms": "./scripts/setup.js"
+  },
+  "exports": {
+    ".": "./src/index.js",
+    "./src/*": "./src/*"
+  },
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "engines": {
+    "node": ">=22.12.0"
+  },
+  "scripts": {
+    "build": "node ./scripts/check-package.js && node ./scripts/check-licenses.js",
+    "check:licenses": "node ./scripts/check-licenses.js",
+    "prepublishOnly": "npm run build",
+    "test": "node --test",
+    "test:coverage": "node --test --experimental-test-coverage --test-coverage-lines=75 --test-coverage-branches=70 --test-coverage-functions=75",
+    "test:e2e": "node ./scripts/e2e.js",
+    "test:windows-smoke": "node ./scripts/windows-smoke.js",
+    "test:browser": "node ./scripts/browser-fixture-flow.js",
+    "test:live": "node ./scripts/live-smoke.js",
+    "update:vendored-site": "node ./scripts/update-vendored-site.js"
+  },
+  "peerDependencies": {
+    "astro": ">=6.2.0 <7"
+  },
+  "devDependencies": {
+    "playwright": "^1.60.0"
+  },
+  "dependencies": {
+    "@astrojs/compiler": "^4.0.0",
+    "@babel/parser": "^7.29.7",
+    "@tiptap/core": "^3.26.0",
+    "@tiptap/extension-bold": "^3.26.0",
+    "@tiptap/extension-code": "^3.26.0",
+    "@tiptap/extension-document": "^3.26.0",
+    "@tiptap/extension-hard-break": "^3.26.0",
+    "@tiptap/extension-italic": "^3.26.0",
+    "@tiptap/extension-link": "^3.26.0",
+    "@tiptap/extension-text": "^3.26.0",
+    "@tiptap/pm": "^3.26.0",
+    "js-yaml": "^4.2.0",
+    "mdast-util-from-markdown": "^2.0.3",
+    "mdast-util-gfm": "^3.1.0",
+    "mdast-util-to-markdown": "^2.1.2",
+    "mdast-util-to-string": "^4.0.0",
+    "micromark-extension-gfm": "^3.0.0",
+    "parse5": "^7.3.0",
+    "vite": "^7.3.5"
+  },
+  "overrides": {
+    "esbuild": "^0.28.1"
+  },
+  "files": [
+    "connector",
+    "src",
+    "scripts/setup.js",
+    "scripts/update-vendored-site.js",
+    "scripts/check-package.js",
+    "scripts/check-licenses.js",
+    "THIRD_PARTY_NOTICES.md",
+    "LICENSE",
+    "README.md",
+    "SECURITY.md",
+    "package.json"
+  ],
+  "keywords": [
+    "astro",
+    "cms",
+    "inline-editing",
+    "visual-cms"
+  ],
+  "license": "MIT"
+}

package/scripts/check-licenses.js

@@ -0,0 +1,45 @@
+import { readFile } from "node:fs/promises";
+
+let lock;
+try {
+  lock = JSON.parse(await readFile(new URL("../package-lock.json", import.meta.url), "utf8"));
+} catch (error) {
+  if (error?.code === "ENOENT") {
+    console.log("Dependency licence check skipped: package-lock.json is not part of the published package.");
+    process.exit(0);
+  }
+  throw error;
+}
+const allowed = new Set([
+  "0BSD",
+  "Apache-2.0",
+  "BlueOak-1.0.0",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "CC0-1.0",
+  "ISC",
+  "LGPL-3.0-or-later",
+  "MIT",
+  "Python-2.0"
+]);
+const failures = [];
+const reviewed = [];
+
+for (const [path, metadata] of Object.entries(lock.packages || {})) {
+  if (!path || metadata.dev) continue;
+  const expression = String(metadata.license || "").trim();
+  const identifiers = expression.split(/\s+(?:AND|OR)\s+/).map((value) => value.replace(/[()]/g, ""));
+  if (!expression || identifiers.some((identifier) => !allowed.has(identifier))) {
+    failures.push(`${path}: ${expression || "missing licence metadata"}`);
+  }
+  if (identifiers.includes("LGPL-3.0-or-later") || identifiers.includes("Python-2.0")) {
+    reviewed.push(`${path}: ${expression}`);
+  }
+}
+
+if (failures.length) {
+  console.error(`Unreviewed production dependency licences:\n${failures.join("\n")}`);
+  process.exit(1);
+}
+
+console.log(`Dependency licence check passed (${reviewed.length} explicitly reviewed package entries).`);