@dalexto/lexsys-cli 0.0.6 → 0.1.0

package/dist/commands/status.d.ts

@@ -1,5 +1,11 @@
 interface RunStatusOptions {
+    json?: boolean;
     noFallback?: boolean;
 }
+export interface StatusEntry {
+    name: string;
+    canonicalName: string;
+    drift: "synced" | "drift" | "missing";
+}
 export declare const runStatus: (options?: RunStatusOptions) => Promise<void>;
 export {};

package/dist/config/config.d.ts

@@ -17,6 +17,7 @@ export interface LexsysConfig {
     tailwind: LexsysTailwindConfig;
     installed?: string[];
     registryUrl?: string | null;
+    registryAllowlist?: string[];
 }
 export interface LexsysTailwindConfig {
     version: "v4";

package/dist/index.js

@@ -131,7 +131,8 @@ var defaultConfig = {
   aliases: defaultAliasesConfig,
   tailwind: defaultTailwindConfig,
   installed: [],
-  registryUrl: null
+  registryUrl: null,
+  registryAllowlist: []
 };
 var getConfigPath = () => {
   return join(getCwd(), "lexsys.config.json");
@@ -158,7 +159,10 @@ var loadConfig = async () => {
       ...defaultTailwindConfig,
       ...parsed.tailwind
     },
-    installed: normalizeInstalled(parsed.installed)
+    installed: normalizeInstalled(parsed.installed),
+    registryAllowlist: Array.isArray(parsed.registryAllowlist) ? parsed.registryAllowlist.filter((entry) => {
+      return typeof entry === "string" && entry.length > 0;
+    }) : defaultConfig.registryAllowlist
   };
   if (isLegacyInstalledRecord(parsed.installed)) {
     await saveConfig(config);
@@ -822,6 +826,21 @@ var parseRegistryStyles = (styles) => {
   }
   return styles;
 };
+var computeRemoteRegistryChecksum = (manifest) => {
+  return hashContent(JSON.stringify(manifest));
+};
+var verifyRemoteRegistryChecksum = (manifest) => {
+  if (!manifest.checksum) {
+    return;
+  }
+  const { checksum, ...rest } = manifest;
+  const computed = computeRemoteRegistryChecksum(rest);
+  if (computed !== checksum) {
+    throw new Error(
+      `Remote registry checksum mismatch. Expected ${checksum}, computed ${computed}.`
+    );
+  }
+};
 var parseRemoteRegistry = (value) => {
   if (Array.isArray(value)) {
     return {
@@ -846,8 +865,36 @@ var parseRemoteRegistry = (value) => {
     }
     parsed.styles = parseRegistryStyles(manifest.styles);
   }
+  if (manifest.checksum !== void 0) {
+    if (typeof manifest.checksum !== "string" || manifest.checksum.length === 0) {
+      throw new Error(
+        "Remote registry manifest checksum must be a non-empty string."
+      );
+    }
+    parsed.checksum = manifest.checksum;
+  }
+  verifyRemoteRegistryChecksum(parsed);
   return parsed;
 };
+var isRegistryUrlAllowed = (url, allowlist) => {
+  if (!allowlist?.length) {
+    return true;
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return false;
+  }
+  const host = parsed.hostname;
+  const origin = parsed.origin;
+  return allowlist.some((entry) => {
+    if (entry === host || entry === origin || entry === url) {
+      return true;
+    }
+    return url.startsWith(entry);
+  });
+};
 var fetchRemoteRegistry = async (url) => {
   const response = await fetch(url);
   if (!response.ok) {
@@ -860,7 +907,16 @@ var fetchRemoteRegistry = async (url) => {
 // src/registry/source.ts
 var getRegistrySource = async () => {
   const config = await loadConfig();
-  return config.registryUrl ?? "local";
+  const registryUrl = config.registryUrl;
+  if (!registryUrl) {
+    return "local";
+  }
+  if (!isRegistryUrlAllowed(registryUrl, config.registryAllowlist)) {
+    throw new Error(
+      `Registry URL is not allowed by registryAllowlist: ${registryUrl}`
+    );
+  }
+  return registryUrl;
 };
 
 // src/registry/provider.ts
@@ -1447,8 +1503,13 @@ Shows template drift for tracked components (up to date vs out of sync).
 For project paths and registry connectivity, use \`lexsys doctor\`.
 
 Options
+  --json, -j          Print installed component drift as JSON
   --no-fallback       Fail instead of falling back to local registry
   --help, -h          Show this help
+
+Examples
+  lexsys st
+  lexsys st --json
 `,
   reset: `
 Usage
@@ -2666,6 +2727,10 @@ var runStatus = async (options = {}) => {
   const config = await loadConfig();
   const installed = config.installed ?? [];
   if (!installed.length) {
+    if (options.json) {
+      console.log(JSON.stringify({ installed: [] }, null, 2));
+      return;
+    }
     console.log("No Lexsys components are currently tracked.");
     return;
   }
@@ -2674,19 +2739,52 @@ var runStatus = async (options = {}) => {
       fallback: !options.noFallback
     });
   } catch (error) {
+    if (options.json) {
+      console.log(
+        JSON.stringify(
+          {
+            error: error instanceof Error ? error.message : String(error)
+          },
+          null,
+          2
+        )
+      );
+      process.exitCode = 1;
+      return;
+    }
     printRegistryResolveFailure(error);
     return;
   }
-  console.log("Installed Lexsys components:\n");
+  const entries = [];
   for (const name of installed) {
     const item = await findItem(name);
     if (!item) {
-      console.log(`- ${name} (missing from registry)`);
+      entries.push({
+        name,
+        canonicalName: name,
+        drift: "missing"
+      });
       continue;
     }
     const driftStatus = await getComponentDriftStatus(name);
-    const status = driftStatus === "drift" ? "out of sync with registry" : "up to date with registry";
-    console.log(`- ${item.canonicalName} (${status})`);
+    entries.push({
+      name: item.name,
+      canonicalName: item.canonicalName,
+      drift: driftStatus === "drift" ? "drift" : "synced"
+    });
+  }
+  if (options.json) {
+    console.log(JSON.stringify({ installed: entries }, null, 2));
+    return;
+  }
+  console.log("Installed Lexsys components:\n");
+  for (const entry of entries) {
+    if (entry.drift === "missing") {
+      console.log(`- ${entry.name} (missing from registry)`);
+      continue;
+    }
+    const status = entry.drift === "drift" ? "out of sync with registry" : "up to date with registry";
+    console.log(`- ${entry.canonicalName} (${status})`);
   }
 };
 
@@ -3429,6 +3527,7 @@ try {
       process.exit(0);
     }
     await runStatus({
+      json: hasFlag(args, "--json", "-j"),
       noFallback: args.includes("--no-fallback")
     });
     process.exit(0);

package/dist/registry/remote.d.ts

@@ -3,13 +3,26 @@ export interface RemoteRegistryManifest {
     version: string;
     items: RegistryItem[];
     styles?: RegistryStyle[];
+    checksum?: string;
 }
+/**
+ * Computes a SHA-256 checksum for a remote manifest (excluding the checksum field).
+ */
+export declare const computeRemoteRegistryChecksum: (manifest: Omit<RemoteRegistryManifest, "checksum">) => string;
+/**
+ * Verifies an optional manifest checksum when publishers include one.
+ */
+export declare const verifyRemoteRegistryChecksum: (manifest: RemoteRegistryManifest) => void;
 /**
  * Parses a remote registry JSON payload into a manifest object.
  *
  * Accepts either:
- * - a manifest object `{ version, items, styles? }`
+ * - a manifest object `{ version, items, styles?, checksum? }`
  * - a legacy bare array of registry items (version becomes `"unknown"`)
  */
 export declare const parseRemoteRegistry: (value: unknown) => RemoteRegistryManifest;
+/**
+ * Returns true when the registry URL host or prefix matches an allowlist entry.
+ */
+export declare const isRegistryUrlAllowed: (url: string, allowlist: string[] | undefined) => boolean;
 export declare const fetchRemoteRegistry: (url: string) => Promise<RemoteRegistryManifest>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dalexto/lexsys-cli",
-  "version": "0.0.6",
+  "version": "0.1.0",
   "description": "Registry-first CLI that installs Lexsys React UI components into your project",
   "type": "module",
   "license": "MIT",
@@ -32,7 +32,7 @@
   },
   "dependencies": {
     "prompts": "^2.4.2",
-    "@dalexto/lexsys-registry": "0.0.6"
+    "@dalexto/lexsys-registry": "0.1.0"
   },
   "devDependencies": {
     "@types/node": "^25.9.1",