@dk/hipp 0.1.8 → 0.1.13

package/README.md

@@ -148,20 +148,43 @@ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
+
+
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.8"
+  "tag": "v0.1.10"
 }
 ```
 
-```npx @dk/hipp @dk/hipp@0.1.8```
+```npx @dk/hipp @dk/hipp@0.1.10
+```
+
+<!-- HIPP-META -->
+```json
+{
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.11"
+}
+```
+
+```npx @dk/hipp @dk/hipp@0.1.11
+```
+<!-- /HIPP-META -->
+
+```json
+{
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.13"
+}
+```
 
+```npx @dk/hipp @dk/hipp@0.1.13```
 <!-- HIPP-MANIFEST -->
 ```json
 {
-  "hash": "57d56d76a120bbc755700c3aa1f91f756e2cda09076dc0df522beb6a22018dca",
-  "signature": "eclO/AvbMfQMGS7g/vwX1DbB3dbm4XxWvlMFjo06KpE+d3w7KagtIv9klyjTazls74yGy3qcHhoy3i6/zWmZAg=="
+  "hash": "0157b775d49e9715e954bc9838f5017632c0fd2e2418d814b0e2bbb92abe3fc3",
+  "signature": "jyq8xJjFAt5HtqQWPPHw52A2ph7zVxEYD1QClEY3jRFcVFdUlaJj+sGatgP/FChjaI57HZM8flYUvl2r1DA5Dw=="
 }
 ```
 <!-- /HIPP-MANIFEST -->

package/hipp.js

@@ -167,6 +167,7 @@ function extractJsonMetaFromReadme(readmeContent) {
   let jsonStart = -1;
   let braceCount = 0;
   let inJson = false;
+  let lastValid = null;
 
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i];
@@ -186,7 +187,7 @@ function extractJsonMetaFromReadme(readmeContent) {
         try {
           const parsed = JSON.parse(jsonStr);
           if (parsed.origin && parsed.tag) {
-            return parsed;
+            lastValid = parsed;
           }
         } catch {
           // continue searching
@@ -195,7 +196,7 @@ function extractJsonMetaFromReadme(readmeContent) {
       }
     }
   }
-  return null;
+  return lastValid;
 }
 
 function safeStageName(name) {
@@ -372,6 +373,19 @@ function getTrackedFiles() {
     .filter(Boolean);
 }
 
+function getTrackedFilesFromDir(repoDir) {
+  const out = execFileSync('git', ['ls-files', '-z'], {
+    encoding: 'buffer',
+    stdio: ['pipe', 'pipe', 'pipe'],
+    cwd: repoDir,
+  });
+
+  return out
+    .toString('utf8')
+    .split('\0')
+    .filter(Boolean);
+}
+
 function copyTrackedFiles(stageDir, files) {
   const repoRoot = process.cwd();
 
@@ -393,6 +407,25 @@ function copyTrackedFiles(stageDir, files) {
   }
 }
 
+function copyTrackedFilesFromDir(stageDir, repoDir, files) {
+  for (const rel of files) {
+    const src = path.join(repoDir, rel);
+    const dest = path.join(stageDir, rel);
+    const stat = fs.lstatSync(src);
+
+    fs.mkdirSync(path.dirname(dest), { recursive: true });
+
+    if (stat.isSymbolicLink()) {
+      const target = fs.readlinkSync(src);
+      fs.symlinkSync(target, dest);
+    } else if (stat.isDirectory()) {
+      fs.mkdirSync(dest, { recursive: true });
+    } else if (stat.isFile()) {
+      fs.copyFileSync(src, dest);
+    }
+  }
+}
+
 async function runVerify(packageSpec) {
   let pkgName, pkgVersion;
   if (packageSpec.startsWith('@')) {
@@ -462,45 +495,55 @@ async function runVerify(packageSpec) {
       fail(`❌ JSON meta (origin/tag) not found in README`);
     }
 
-    const manifestBase64 = extractManifestFromReadme(stagedReadme);
-    if (!manifestBase64) {
+    const manifestStr = extractManifestFromReadme(stagedReadme);
+    if (!manifestStr) {
       fail(`❌ Manifest not found in README`);
     }
 
-    const manifest = parseManifest(manifestBase64);
+    const manifest = parseManifest(manifestStr);
     if (!manifest || !manifest.hash || !manifest.signature) {
       fail(`❌ Invalid manifest format`);
     }
 
+    const originUrl = jsonMeta.origin;
+    const tag = jsonMeta.tag;
+
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
+    const stageDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-stage-`));
+
     try {
-      log.info(`🌿 Fetching from git origin...`);
+      log.info(`🌿 Fetching from git origin at tag ${tag}...`);
+      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
 
-      const originUrl = jsonMeta.origin;
-      const tag = jsonMeta.tag;
+      const publicKeyPath = path.join(tmpDir, 'hipp.pub');
+      if (!fs.existsSync(publicKeyPath)) {
+        fail(`❌ hipp.pub not found in git at tag ${tag}`);
+      }
 
-      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
+      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
+
+      log.info(`🏗️  Staging git files...`);
+      const trackedFiles = getTrackedFilesFromDir(tmpDir);
+      copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
 
-      const clonedReadmePath = path.join(tmpDir, 'README.md');
-      if (!fs.existsSync(clonedReadmePath)) {
+      const stagedReadmePath = path.join(stageDir, 'README.md');
+      if (!fs.existsSync(stagedReadmePath)) {
         fail(`❌ README.md not found in git at tag ${tag}`);
       }
 
-      const clonedReadme = fs.readFileSync(clonedReadmePath, 'utf8');
-      const clonedHash = computeReadmeHash(clonedReadme);
+      let stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
+      const verifyBlock = '```npx @dk/hipp ' + pkgName + '@' + tag + '```';
+      const jsonMetaStr = '```json\n{\n  "origin": "' + originUrl + '",\n  "tag": "' + tag + '"\n}\n```';
+      stagedReadme = stagedReadme.trimEnd() + '\n\n' + jsonMetaStr + '\n\n' + verifyBlock + '\n';
+
+      const stagedHash = computeReadmeHash(stagedReadme);
 
-      if (clonedHash !== manifest.hash) {
+      if (stagedHash !== manifest.hash) {
         fail(`❌ Hash mismatch: git content does not match npm manifest`);
       }
 
       log.success(`🔒 Content hash verified: ${manifest.hash.slice(0, 12)}...`);
 
-      const publicKeyPath = path.join(tmpDir, 'hipp.pub');
-      if (!fs.existsSync(publicKeyPath)) {
-        fail(`❌ hipp.pub not found in git at tag ${tag}`);
-      }
-
-      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
       const signData = buildSignData(manifest.hash, originUrl, tag);
       const signatureValid = verifySignature(signData, manifest.signature, publicKey);
 
@@ -514,6 +557,7 @@ async function runVerify(packageSpec) {
       log.info(`📍 Tag: ${tag}`);
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
+      fs.rmSync(stageDir, { recursive: true, force: true });
     }
   } finally {
     fs.rmSync(tarballPath, { recursive: true, force: true });
@@ -565,9 +609,10 @@ async function run() {
     log.success('📝 hipp.pub committed.');
   }
 
+  const { rawTag, version } = getVersionFromExactTagOnHead();
+
   ensureCleanRepo(pkg);
 
-  const { rawTag, version } = getVersionFromExactTagOnHead();
   const refInfo = ensureMutableRefPolicy();
   const provenance = ensureRemoteProvenance(rawTag, refInfo.head);
   const lockInfo = ensureLockIntegrity(pkg);
@@ -608,7 +653,9 @@ async function run() {
       stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
     }
 
-    stagedReadme += '\n```json\n{\n  "origin": "' + provenance.remoteUrl + '",\n  "tag": "' + rawTag + '"\n}\n```\n\n```npx @dk/hipp ' + pkg.name + '@' + version + '```\n\n';
+    const verifyBlock = '```npx @dk/hipp ' + pkg.name + '@' + version + '```';
+    const jsonMetaStr = '```json\n{\n  "origin": "' + provenance.remoteUrl + '",\n  "tag": "' + rawTag + '"\n}\n```';
+    stagedReadme = stagedReadme.trimEnd() + '\n\n' + jsonMetaStr + '\n\n' + verifyBlock + '\n';
 
     const readmeHash = computeReadmeHash(stagedReadme);
     const dataToSign = buildSignData(readmeHash, provenance.remoteUrl, rawTag);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.8",
+  "version": "0.1.13",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {