@dcl/content-validator 7.1.6-24943341641.commit-69601e0 → 7.2.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,29 +1,236 @@
 <img src="https://ui.decentraland.org/decentraland_256x256.png" height="128" width="128" />
 
-# @dcl/content-validator — DEPRECATED
+# @dcl/content-validator
 
-> ⚠️ **This repository is deprecated.**
->
-> `@dcl/content-validator` has moved into the [`decentraland/core-libs`](https://github.com/decentraland/core-libs) monorepo and now lives under [`libs/content-validator`](https://github.com/decentraland/core-libs/tree/main/libs/content-validator).
->
-> Future development, issues, and pull requests should happen there. This repository is kept around only for historical reference and will not receive new releases.
+[![Coverage Status](https://coveralls.io/repos/github/decentraland/content-validator/badge.svg?branch=main)](https://coveralls.io/github/decentraland/content-validator?branch=main)
 
-## Migrating
+Decentraland entity deployment validation library for Catalyst servers. Contains all validations to ensure only valid and authorized content is deployed to the [Decentraland content network](https://docs.decentraland.org/contributor/content/entities/).
 
-The npm package name is unchanged — `@dcl/content-validator`. New versions are published from the monorepo and will continue to appear on the same npm dist-tags. To pick up the latest fixes, simply bump the dependency as usual:
+## Table of Contents
+
+- [@dcl/content-validator](#dclcontent-validator)
+  - [Table of Contents](#table-of-contents)
+  - [Features](#features)
+  - [Installation](#installation)
+  - [Design Guidelines](#design-guidelines)
+  - [Validation Types](#validation-types)
+    - [Size Limits (ADR-51)](#size-limits-adr-51)
+  - [Usage](#usage)
+    - [Basic Usage](#basic-usage)
+    - [Access Validation Strategies](#access-validation-strategies)
+      - [On-Chain Validation](#on-chain-validation)
+      - [Subgraph Validation](#subgraph-validation)
+  - [Getting Started](#getting-started)
+    - [Development](#development)
+    - [Debugging Tests](#debugging-tests)
+  - [Adding New Entity Types](#adding-new-entity-types)
+  - [Project Structure](#project-structure)
+  - [External Dependencies](#external-dependencies)
+  - [Versioning and Publishing](#versioning-and-publishing)
+  - [AI Agent Context](#ai-agent-context)
+
+## Features
+
+- **Entity Structure Validation** - Validates JSON structure, required fields, and content references for all Decentraland entity types
+- **Access Permission Checking** - Verifies deployer ownership via blockchain (on-chain) or The Graph (subgraph)
+- **IPFS Content Integrity** - Ensures content file hashes are valid IPFS CIDs and files exist
+- **Size Enforcement** - Enforces max size limits per entity type following ADR-51 specifications
+- **Metadata Schema Validation** - Validates metadata against `@dcl/schemas` definitions
+- **Signature Authentication** - Verifies AuthChain signatures for entity authenticity
+- **Multi-Entity Support** - Validates scenes, profiles, wearables, emotes, stores, and outfits
+- **Dual Access Strategies** - Supports both on-chain and subgraph-based ownership verification
+- **Legacy Compatibility** - Maintains backwards compatibility with legacy content migrations
+
+## Installation
 
 ```bash
-npm install @dcl/content-validator@latest
-# or
-yarn add @dcl/content-validator@latest
-# or
-pnpm add @dcl/content-validator@latest
+npm i @dcl/content-validator
+```
+
+## Design Guidelines
+
+- Validate as early as possible to prevent invalid content from being stored
+- Provide clear, actionable error messages for deployment failures
+- Support both on-chain and subgraph-based access verification
+- Maintain backwards compatibility with legacy content migrations
+- Ensure all validation functions are stateless where possible
+
+Implementation decisions:
+
+- The library exports a `createValidator` factory function as the main entry point
+- Validation functions return `{ ok: boolean, errors?: string[] }` responses
+- Access checking supports two strategies: on-chain (direct blockchain) and subgraph (The Graph)
+- Size limits are defined per entity type following [ADR-51](https://adr.decentraland.org/adr/ADR-51)
+
+## Validation Types
+
+The validator performs the following checks on entity deployments:
+
+| Validation | Description |
+|------------|-------------|
+| **Entity Structure** | Validates JSON structure, required fields, and content references |
+| **IPFS Hashing** | Ensures content file hashes are valid IPFS CIDs |
+| **Metadata Schema** | Validates metadata against `@dcl/schemas` definitions |
+| **Signature** | Verifies AuthChain signatures for entity authenticity |
+| **Size** | Enforces max size limits per entity type (see below) |
+| **Access** | Verifies deployer owns the entity pointers (LAND, NFTs, names) |
+| **Content** | Ensures all referenced content files exist and are accessible |
+| **Entity-Specific** | Additional validations per type (wearables, emotes, profiles, scenes, outfits) |
+
+### Size Limits (ADR-51)
+
+| Entity Type | Max Size | Notes |
+|-------------|----------|-------|
+| Scene | 15 MB | Per parcel |
+| Profile | 2 MB | |
+| Wearable | 3 MB | |
+| Wearable (Skin) | 9 MB | Special category |
+| Emote | 3 MB | |
+| Store | 1 MB | |
+| Outfits | 1 MB | |
+
+## Usage
+
+### Basic Usage
+
+```typescript
+import { createValidator, ContentValidatorComponents, DeploymentToValidate } from '@dcl/content-validator'
+
+// Create validator with required components
+const validator = createValidator({
+  logs: logsComponent,
+  externalCalls: {
+    isContentStoredAlready: async (hashes) => { /* ... */ },
+    fetchContentFileSize: async (hash) => { /* ... */ },
+    validateSignature: async (entityId, auditInfo, timestamp) => { /* ... */ },
+    ownerAddress: (auditInfo) => { /* ... */ },
+    isAddressOwnedByDecentraland: (address) => { /* ... */ },
+    calculateFilesHashes: async (files) => { /* ... */ }
+  },
+  accessValidateFn: accessValidator // on-chain or subgraph-based
+})
+
+// Validate a deployment
+const deployment: DeploymentToValidate = {
+  entity: { /* entity data */ },
+  files: new Map([/* content files */]),
+  auditInfo: { authChain: [/* auth chain */] }
+}
+
+const result = await validator(deployment)
+if (!result.ok) {
+  console.error('Validation failed:', result.errors)
+}
 ```
 
-The public API is unchanged, so no code changes are required for consumers.
+### Access Validation Strategies
+
+The library supports two access validation strategies:
+
+#### On-Chain Validation
+
+Direct blockchain queries for ownership verification:
+
+```typescript
+import { createOnChainAccessCheckValidateFns, createOnChainClient } from '@dcl/content-validator'
+
+const validateFns = createOnChainAccessCheckValidateFns({
+  logs,
+  externalCalls,
+  client: createOnChainClient({ logs, L1, L2 }),
+  L1: { checker, collections, thirdParty, blockSearch },
+  L2: { checker, collections, thirdParty, blockSearch }
+})
+```
+
+#### Subgraph Validation
+
+Uses The Graph for ownership queries (more efficient for bulk queries):
+
+```typescript
+import { createSubgraphAccessCheckValidateFns, createTheGraphClient } from '@dcl/content-validator'
+
+const validateFns = createSubgraphAccessCheckValidateFns({
+  logs,
+  externalCalls,
+  theGraphClient: createTheGraphClient({ logs, subGraphs }),
+  subGraphs,
+  tokenAddresses: { land: '0x...', estate: '0x...' }
+})
+```
+
+## Getting Started
+
+### Development
+
+Install dependencies and run tests:
+
+```bash
+yarn
+yarn build
+yarn test
+```
+
+### Debugging Tests
+
+If you are using VS Code, install the recommended extensions and debug tests using the Jest extension which adds UI support.
+
+## Adding New Entity Types
+
+Before adding any validation for new entities:
+
+1. **Create entity schema** on [@dcl/schemas](https://github.com/decentraland/common-schemas)
+2. **Add entity type and schema** on [catalyst-commons](https://github.com/decentraland/catalyst-commons/)
+3. **Add access checker** in [access/index.ts](./src/validations/access/index.ts) and implement entity-specific validation
+4. **Add size limit** in [ADR51.ts](./src/validations/ADR51.ts)
+5. **Verify URN resolution** - if required, add a new resolver in [@dcl/urn-resolver](https://github.com/decentraland/urn-resolver)
+
+## Project Structure
+
+```
+src/
+├── index.ts                 # Main entry point, createValidator factory
+├── types.ts                 # Core types (DeploymentToValidate, ValidationResponse, etc.)
+├── utils.ts                 # Utility functions
+└── validations/
+    ├── index.ts             # Validation function aggregator
+    ├── access/              # Access permission validators
+    │   ├── common/          # Shared access validation logic
+    │   ├── on-chain/        # Direct blockchain access checking
+    │   └── subgraph/        # The Graph-based access checking
+    ├── items/               # Item-specific validations
+    │   ├── emotes.ts
+    │   └── wearables.ts
+    ├── ADR45.ts             # ADR-45 validation rules
+    ├── ADR51.ts             # Size limits per entity type
+    ├── content.ts           # Content file validation
+    ├── entity-structure.ts  # Entity JSON structure validation
+    ├── ipfs-hashing.ts      # IPFS hash validation
+    ├── metadata-schema.ts   # Metadata schema validation
+    ├── outfits.ts           # Outfits-specific validation
+    ├── profile.ts           # Profile-specific validation
+    ├── scene.ts             # Scene-specific validation
+    ├── signature.ts         # AuthChain signature validation
+    ├── size.ts              # Entity size validation
+    └── timestamps.ts        # Important timestamp constants
+```
+
+## External Dependencies
+
+| Dependency | Purpose |
+|------------|---------|
+| `@dcl/schemas` | Entity type definitions and validation schemas |
+| `@dcl/urn-resolver` | URN parsing and validation for items |
+| `@dcl/block-indexer` | Blockchain block search for timestamp-based queries |
+| `@dcl/hashing` | IPFS content hashing |
+| `@well-known-components/thegraph-component` | The Graph subgraph queries |
+
+## Versioning and Publishing
+
+Versions are handled manually using GitHub releases and semver.
+
+Main branch is automatically published to the `@next` dist tag to test integrations before final releases happen.
 
-## Where to file issues / PRs
+## AI Agent Context
 
-- **Issues:** https://github.com/decentraland/core-libs/issues
-- **Pull requests:** https://github.com/decentraland/core-libs/pulls
-- **Source for `@dcl/content-validator`:** https://github.com/decentraland/core-libs/tree/main/libs/content-validator
+For detailed AI Agent context including service purpose, key capabilities, technology stack, and validation details, see [docs/ai-agent-context.md](./docs/ai-agent-context.md).

package/dist/image-metadata.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Minimal image-metadata reader used by thumbnail validations.
+ *
+ * The library only needs to know the format ("png" vs anything else) and the
+ * pixel dimensions to enforce the catalyst thumbnail rules. We deliberately
+ * avoid pulling in `sharp` for that — a full image pipeline with native
+ * bindings is overkill for a header read, and ships a multi-MB libvips that
+ * needs an extra system dependency on every CI runner.
+ *
+ * Beyond reading dimensions, the reader applies structural sanity checks per
+ * format: PNG chunk-chain integrity (single IHDR, terminating IEND, no
+ * trailing data, spec-allowed bit-depth/color-type combination), JPEG
+ * EOI termination, WebP RIFF chunk-size match, and a uniform "non-zero,
+ * non-negative dimensions" contract on the returned width/height.
+ */
+/**
+ * Image formats recognised by {@link readImageMetadata}.
+ *
+ * The reader detects each format by its magic bytes and validates the
+ * minimum structural invariants needed to extract dimensions safely.
+ * @public
+ */
+export type ImageFormat = 'png' | 'jpeg' | 'webp' | 'gif' | 'bmp';
+/**
+ * Header-derived dimensions and format of an image.
+ *
+ * Width and height are guaranteed to be positive integers — the reader
+ * throws rather than returning zero, negative, or non-integer values.
+ * @public
+ */
+export interface ImageMetadata {
+    format: ImageFormat;
+    width: number;
+    height: number;
+}
+/**
+ * Reads the format and pixel dimensions of a recognised image buffer.
+ *
+ * Recognises PNG, JPEG, WebP, GIF, and BMP by their magic bytes. The library
+ * only enforces a PNG-format check on top of this, but recognising the other
+ * common formats means a user uploading a JPEG/WebP/GIF/BMP thumbnail gets
+ * the precise "Invalid format" error instead of a generic parse failure.
+ *
+ * Throws if the buffer is not a recognised, structurally-valid image with
+ * non-zero, non-negative dimensions. Callers are expected to wrap calls in
+ * try/catch to translate the throw into a "couldn't parse" validation error.
+ * @public
+ */
+export declare function readImageMetadata(input: Uint8Array): ImageMetadata;
+//# sourceMappingURL=image-metadata.d.ts.map

package/dist/image-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"image-metadata.d.ts","sourceRoot":"","sources":["../src/image-metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA+CH;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,KAAK,GAAG,KAAK,CAAA;AAEjE;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;CACf;AAYD;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,UAAU,GAAG,aAAa,CAmBlE"}