@dk/hipp 0.1.7 → 0.1.12

package/README.md

@@ -148,13 +148,43 @@ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
+
+
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.7"
+  "tag": "v0.1.10"
 }
 ```
 
-```npx @dk/hipp @dk/hipp@0.1.7```
+```npx @dk/hipp @dk/hipp@0.1.10
+```
+
+<!-- HIPP-META -->
+```json
+{
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.11"
+}
+```
+
+```npx @dk/hipp @dk/hipp@0.1.11
+```
+<!-- /HIPP-META -->
 
-<!-- HIPP-MANIFEST -->```eyJoYXNoIjoiODYxNDgxZmM3Yzk0ZTM4YTJhZjdjNDc3ZmJkMDcyMTA2YTMyYTI2MjdkYmM1ZTg4MTI1OTk1ODMyYjdlMzhhMiIsInNpZ25hdHVyZSI6IkVnUTBSZUMzU0hKanovdFZoWlY0V3U1SVJOMDJTSlFPWUtxOFBrdHFpcUhvWnRTbE5pQWxrN25nWDcySldxL0ZRa2JTVE10TldlZUNrSG9hczAwR0N3PT0ifQ==```<!-- /HIPP-MANIFEST -->
+```json
+{
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.12"
+}
+```
+
+```npx @dk/hipp @dk/hipp@0.1.12```
+<!-- HIPP-MANIFEST -->
+```json
+{
+  "hash": "9213a0bc269441f5dc3dc07fe07eba4d127815ae78f0d7e07474547bb342ce1b",
+  "signature": "Bg5/in81S3ia4x4W2C1WzvXeZPxspCdXEcSHCyLT3aUaEF5JrSANcIerZXrgbAvDyrxsf9O2wDJ/0cZNI4KOAA=="
+}
+```
+<!-- /HIPP-MANIFEST -->

package/hipp.js

@@ -108,12 +108,12 @@ function verifySignature(data, signature, publicKey) {
 }
 
 function createManifest(hash, signature) {
-  return Buffer.from(JSON.stringify({ hash, signature })).toString('base64');
+  return JSON.stringify({ hash, signature }, null, 2);
 }
 
-function parseManifest(manifestBase64) {
+function parseManifest(manifestStr) {
   try {
-    return JSON.parse(Buffer.from(manifestBase64, 'base64').toString('utf8'));
+    return JSON.parse(manifestStr);
   } catch {
     return null;
   }
@@ -127,7 +127,7 @@ const MANIFEST_START = '<!-- HIPP-MANIFEST -->';
 const MANIFEST_END = '<!-- /HIPP-MANIFEST -->';
 
 function appendManifestToReadme(readmeContent, manifest) {
-  return `${readmeContent}${MANIFEST_START}\`\`\`${manifest}\`\`\`${MANIFEST_END}\n`;
+  return `${readmeContent}${MANIFEST_START}\n\`\`\`json\n${manifest}\n\`\`\`\n${MANIFEST_END}\n`;
 }
 
 function extractManifestFromReadme(readmeContent) {
@@ -136,7 +136,7 @@ function extractManifestFromReadme(readmeContent) {
   const endIdx = readmeContent.indexOf(MANIFEST_END, startIdx);
   if (endIdx === -1) return null;
   const content = readmeContent.slice(startIdx + MANIFEST_START.length, endIdx).trim();
-  const match = content.match(/^```(.+)```$/s);
+  const match = content.match(/^```json\n(.+)\n```$/s);
   if (!match) return null;
   return match[1];
 }
@@ -162,6 +162,42 @@ function computeReadmeHash(readmeContent) {
   return sha256(stripped);
 }
 
+function extractJsonMetaFromReadme(readmeContent) {
+  const lines = readmeContent.split('\n');
+  let jsonStart = -1;
+  let braceCount = 0;
+  let inJson = false;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line === '```json') {
+      jsonStart = i + 1;
+      inJson = true;
+      braceCount = 0;
+      continue;
+    }
+    if (inJson) {
+      for (const char of line) {
+        if (char === '{') braceCount++;
+        if (char === '}') braceCount--;
+      }
+      if (braceCount === 0 && line.includes('}')) {
+        const jsonStr = lines.slice(jsonStart, i + 1).join('\n');
+        try {
+          const parsed = JSON.parse(jsonStr);
+          if (parsed.origin && parsed.tag) {
+            return parsed;
+          }
+        } catch {
+          // continue searching
+        }
+        inJson = false;
+      }
+    }
+  }
+  return null;
+}
+
 function safeStageName(name) {
   return name.replace(/[^a-zA-Z0-9._-]/g, '-');
 }
@@ -336,6 +372,19 @@ function getTrackedFiles() {
     .filter(Boolean);
 }
 
+function getTrackedFilesFromDir(repoDir) {
+  const out = execFileSync('git', ['ls-files', '-z'], {
+    encoding: 'buffer',
+    stdio: ['pipe', 'pipe', 'pipe'],
+    cwd: repoDir,
+  });
+
+  return out
+    .toString('utf8')
+    .split('\0')
+    .filter(Boolean);
+}
+
 function copyTrackedFiles(stageDir, files) {
   const repoRoot = process.cwd();
 
@@ -357,83 +406,143 @@ function copyTrackedFiles(stageDir, files) {
   }
 }
 
+function copyTrackedFilesFromDir(stageDir, repoDir, files) {
+  for (const rel of files) {
+    const src = path.join(repoDir, rel);
+    const dest = path.join(stageDir, rel);
+    const stat = fs.lstatSync(src);
+
+    fs.mkdirSync(path.dirname(dest), { recursive: true });
+
+    if (stat.isSymbolicLink()) {
+      const target = fs.readlinkSync(src);
+      fs.symlinkSync(target, dest);
+    } else if (stat.isDirectory()) {
+      fs.mkdirSync(dest, { recursive: true });
+    } else if (stat.isFile()) {
+      fs.copyFileSync(src, dest);
+    }
+  }
+}
+
 async function runVerify(packageSpec) {
-  const [pkgName, pkgVersion] = packageSpec.split('@');
+  let pkgName, pkgVersion;
+  if (packageSpec.startsWith('@')) {
+    const atIndex = packageSpec.indexOf('@', 1);
+    if (atIndex === -1) {
+      pkgName = packageSpec;
+      pkgVersion = undefined;
+    } else {
+      pkgName = packageSpec.slice(0, atIndex);
+      pkgVersion = packageSpec.slice(atIndex + 1);
+    }
+  } else {
+    const atIndex = packageSpec.indexOf('@');
+    if (atIndex === -1) {
+      pkgName = packageSpec;
+      pkgVersion = undefined;
+    } else {
+      pkgName = packageSpec.slice(0, atIndex);
+      pkgVersion = packageSpec.slice(atIndex + 1);
+    }
+  }
   log.info(`🔍 HIPP Verify: ${pkgName}${pkgVersion ? '@' + pkgVersion : ''}`);
 
-  const registryUrl = 'https://registry.npmjs.org';
-  const fetchUrl = `${registryUrl}/${encodeURIComponent(pkgName)}/${pkgVersion ? pkgVersion : 'latest'}`;
+  const registryUrl = `https://registry.npmjs.org/${encodeURIComponent(pkgName)}/${pkgVersion || 'latest'}`;
 
   log.info(`📦 Fetching from npm...`);
+  const registryJson = runCmd('curl', ['-s', '-L', registryUrl]);
   let tarballUrl;
   try {
-    const fetchResult = runCmd('curl', ['-s', '-L', '-w', '%{url_effective}', '-o', '/dev/null', fetchUrl]);
-    tarballUrl = fetchResult.stdout.trim();
+    const json = JSON.parse(registryJson.stdout.trim());
+    tarballUrl = json.dist.tarball;
   } catch {
-    fail(`❌ Failed to fetch package info for ${pkgName}`);
+    fail(`❌ Failed to parse npm registry response for ${pkgName}`);
   }
 
   const tarballPath = path.join(os.tmpdir(), `hipp-verify-${safeStageName(pkgName)}-tgz`);
+  const extractDir = path.join(os.tmpdir(), `hipp-verify-extract-${safeStageName(pkgName)}`);
+
   try {
-    log.info(`📦 Downloading tarball...`);
+    log.info(`📦 Downloading tarball from ${tarballUrl}...`);
     const curlResult = runCmd('curl', ['-s', '-L', '-o', tarballPath, tarballUrl]);
     if (curlResult.status !== 0) {
       fail(`❌ Failed to download tarball`);
     }
 
+    if (fs.existsSync(extractDir)) {
+      fs.rmSync(extractDir, { recursive: true });
+    }
+    fs.mkdirSync(extractDir, { recursive: true });
+
     log.info(`📦 Extracting tarball...`);
-    runCmd('tar', ['-xzf', tarballPath, '-C', os.tmpdir()], { stdio: 'pipe' });
+    const tarResult = spawnSync('tar', ['-xzf', tarballPath, '-C', extractDir], { encoding: 'utf8', stdio: 'pipe' });
+    if (tarResult.status !== 0) {
+      fail(`❌ Failed to extract tarball: ${tarResult.stderr}`);
+    }
 
-    const packageDir = path.join(os.tmpdir(), 'package');
+    const packageDir = path.join(extractDir, 'package');
     const stagedReadmePath = path.join(packageDir, 'README.md');
 
     if (!fs.existsSync(stagedReadmePath)) {
-      fail(`❌ README.md not found in package`);
+      fail(`❌ README.md not found in package at ${stagedReadmePath}`);
     }
 
     const stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
-    const manifestBase64 = extractManifestFromReadme(stagedReadme);
-    if (!manifestBase64) {
+    const jsonMeta = extractJsonMetaFromReadme(stagedReadme);
+    if (!jsonMeta || !jsonMeta.origin || !jsonMeta.tag) {
+      fail(`❌ JSON meta (origin/tag) not found in README`);
+    }
+
+    const manifestStr = extractManifestFromReadme(stagedReadme);
+    if (!manifestStr) {
       fail(`❌ Manifest not found in README`);
     }
 
-    const manifest = parseManifest(manifestBase64);
+    const manifest = parseManifest(manifestStr);
     if (!manifest || !manifest.hash || !manifest.signature) {
       fail(`❌ Invalid manifest format`);
     }
 
-    log.info(`📦 Extracting tarball to staging...`);
-    runCmd('tar', ['-xzf', tarballPath, '-C', os.tmpdir()], { stdio: 'pipe' });
+    const originUrl = jsonMeta.origin;
+    const tag = jsonMeta.tag;
 
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
+    const stageDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-stage-`));
+
     try {
-      log.info(`🌿 Fetching from git origin...`);
+      log.info(`🌿 Fetching from git origin at tag ${tag}...`);
+      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
 
-      const originUrl = manifest.origin;
-      const tag = manifest.tag;
+      const publicKeyPath = path.join(tmpDir, 'hipp.pub');
+      if (!fs.existsSync(publicKeyPath)) {
+        fail(`❌ hipp.pub not found in git at tag ${tag}`);
+      }
 
-      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
+      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
 
-      const clonedReadmePath = path.join(tmpDir, 'README.md');
-      if (!fs.existsSync(clonedReadmePath)) {
+      log.info(`🏗️  Staging git files...`);
+      const trackedFiles = getTrackedFilesFromDir(tmpDir);
+      copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
+
+      const stagedReadmePath = path.join(stageDir, 'README.md');
+      if (!fs.existsSync(stagedReadmePath)) {
         fail(`❌ README.md not found in git at tag ${tag}`);
       }
 
-      const clonedReadme = fs.readFileSync(clonedReadmePath, 'utf8');
-      const clonedHash = computeReadmeHash(clonedReadme);
+      let stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
+      const verifyBlock = '```npx @dk/hipp ' + pkgName + '@' + tag + '```';
+      const jsonMetaStr = '```json\n{\n  "origin": "' + originUrl + '",\n  "tag": "' + tag + '"\n}\n```';
+      stagedReadme = stagedReadme.trimEnd() + '\n\n' + jsonMetaStr + '\n\n' + verifyBlock + '\n';
+
+      const stagedHash = computeReadmeHash(stagedReadme);
 
-      if (clonedHash !== manifest.hash) {
+      if (stagedHash !== manifest.hash) {
         fail(`❌ Hash mismatch: git content does not match npm manifest`);
       }
 
       log.success(`🔒 Content hash verified: ${manifest.hash.slice(0, 12)}...`);
 
-      const publicKeyPath = path.join(tmpDir, 'hipp.pub');
-      if (!fs.existsSync(publicKeyPath)) {
-        fail(`❌ hipp.pub not found in git at tag ${tag}`);
-      }
-
-      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
       const signData = buildSignData(manifest.hash, originUrl, tag);
       const signatureValid = verifySignature(signData, manifest.signature, publicKey);
 
@@ -447,12 +556,12 @@ async function runVerify(packageSpec) {
       log.info(`📍 Tag: ${tag}`);
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
+      fs.rmSync(stageDir, { recursive: true, force: true });
     }
   } finally {
     fs.rmSync(tarballPath, { recursive: true, force: true });
-    const packageExtractDir = path.join(os.tmpdir(), 'package');
-    if (fs.existsSync(packageExtractDir)) {
-      fs.rmSync(packageExtractDir, { recursive: true, force: true });
+    if (fs.existsSync(extractDir)) {
+      fs.rmSync(extractDir, { recursive: true, force: true });
     }
   }
 }
@@ -499,9 +608,10 @@ async function run() {
     log.success('📝 hipp.pub committed.');
   }
 
+  const { rawTag, version } = getVersionFromExactTagOnHead();
+
   ensureCleanRepo(pkg);
 
-  const { rawTag, version } = getVersionFromExactTagOnHead();
   const refInfo = ensureMutableRefPolicy();
   const provenance = ensureRemoteProvenance(rawTag, refInfo.head);
   const lockInfo = ensureLockIntegrity(pkg);
@@ -542,7 +652,9 @@ async function run() {
       stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
     }
 
-    stagedReadme += '\n```json\n{\n  "origin": "' + provenance.remoteUrl + '",\n  "tag": "' + rawTag + '"\n}\n```\n\n```npx @dk/hipp ' + pkg.name + '@' + version + '```\n\n';
+    const verifyBlock = '```npx @dk/hipp ' + pkg.name + '@' + version + '```';
+    const jsonMetaStr = '```json\n{\n  "origin": "' + provenance.remoteUrl + '",\n  "tag": "' + rawTag + '"\n}\n```';
+    stagedReadme = stagedReadme.trimEnd() + '\n\n' + jsonMetaStr + '\n\n' + verifyBlock + '\n';
 
     const readmeHash = computeReadmeHash(stagedReadme);
     const dataToSign = buildSignData(readmeHash, provenance.remoteUrl, rawTag);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.7",
+  "version": "0.1.12",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {