npm - @drawcall/market - Versions diffs - 0.1.13 → 0.1.14 - Mend

@drawcall/market 0.1.13 → 0.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/install.d.ts +3 -2
package/dist/install.d.ts.map +1 -1
package/dist/install.js +45 -21
package/dist/install.js.map +1 -1
package/package.json +2 -1
package/src/install.ts +54 -23
package/tests/install-layout.test.ts +114 -0

package/dist/install.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Install resolved assets into a local project.
  *
- * 1. Downloads asset files into ./src/{assetName}/ via the oRPC client.
+ * 1. Downloads public asset files into ./public/... via the oRPC client.
  * 2. Merges npm dependencies into package.json.
  * 3. Runs the package manager to install npm deps.
  *
@@ -11,10 +11,11 @@
 import type { MarketClient } from './client.js';
 import type { ResolveResult } from './resolve.js';
 export interface InstallOptions {
-    /** Project root directory (default: cwd) */
+    /** Directory to start project root discovery from (default: cwd) */
     cwd?: string;
     /** Log progress */
     onProgress?: (message: string) => void;
 }
 export declare function install(client: MarketClient, resolution: ResolveResult, opts?: InstallOptions): Promise<void>;
+export declare function findInstallRoot(cwd?: string): Promise<string>;
 //# sourceMappingURL=install.d.ts.map

package/dist/install.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AASjD,MAAM,WAAW,cAAc;IAC7B,~~4CAA4C~~;~~IAC5C~~,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,mBAAmB;IACnB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;CACvC;AAED,wBAAsB,OAAO,CAC3B,MAAM,EAAE,YAAY,EACpB,UAAU,EAAE,aAAa,EACzB,IAAI,GAAE,cAAmB,GACxB,OAAO,CAAC,IAAI,CAAC,~~CASf~~"}
1	+ {"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AASjD,MAAM,WAAW,cAAc;IAC7B,oEAAoE;IACpE,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,mBAAmB;IACnB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;CACvC;AAED,wBAAsB,OAAO,CAC3B,MAAM,EAAE,YAAY,EACpB,UAAU,EAAE,aAAa,EACzB,IAAI,GAAE,cAAmB,GACxB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED,wBAAsB,eAAe,CAAC,GAAG,GAAE,MAAsB,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBlF"}

package/dist/install.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Install resolved assets into a local project.
  *
- * 1. Downloads asset files into ./src/{assetName}/ via the oRPC client.
+ * 1. Downloads public asset files into ./public/... via the oRPC client.
  * 2. Merges npm dependencies into package.json.
  * 3. Runs the package manager to install npm deps.
  *
@@ -13,42 +13,68 @@ import * as path from 'path';
 import { unzipSync } from 'fflate';
 import { detectPackageManager, installDependencies } from 'nypm';
 export async function install(client, resolution, opts = {}) {
-    const cwd = opts.cwd ?? process.cwd();
     const log = opts.onProgress ?? (() => { });
-    // Run asset file downloads and npm dep installation in parallel
+    const installRoot = await findInstallRoot(opts.cwd ?? process.cwd());
     await Promise.all([
-        downloadAssets(client, resolution, cwd, log),
-        installNpmDeps(resolution, cwd, log),
+        downloadAssets(client, resolution, installRoot, log),
+        installNpmDeps(resolution, installRoot, log),
     ]);
 }
-async function downloadAssets(client, resolution, cwd, log) {
+export async function findInstallRoot(cwd = process.cwd()) {
+    const start = path.resolve(cwd);
+    let packageRoot = null;
+    let dir = start;
+    while (true) {
+        if (await isFile(path.join(dir, 'package.json'))) {
+            packageRoot = dir;
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return packageRoot ?? start;
+}
+async function downloadAssets(client, resolution, projectRoot, log) {
     for (const asset of resolution.assets) {
-        const destDir = path.join(cwd, 'src', asset.name);
-        await fs.mkdir(destDir, { recursive: true });
         log(`Downloading ${asset.name}@${asset.version}...`);
         const zip = await client.asset.downloadZip({ name: asset.name, version: asset.version });
         const files = unzipSync(new Uint8Array(await zip.arrayBuffer()));
+        let installedFiles = 0;
         for (const [relativePath, content] of Object.entries(files)) {
-            const filePath = path.join(destDir, relativePath);
-            if (!isInside(destDir, filePath)) {
+            const zipPath = relativePath.replace(/\\/g, '/');
+            if (zipPath.split('/').includes('..') ||
+                path.posix.isAbsolute(zipPath) ||
+                path.win32.isAbsolute(zipPath)) {
                 throw new Error(`Zip contains an unsafe path: ${relativePath}`);
             }
+            const normalizedPath = path.posix.normalize(zipPath);
+            if (normalizedPath === '.' ||
+                normalizedPath === 'README.md' ||
+                normalizedPath.endsWith('/')) {
+                continue;
+            }
+            const filePath = path.join(projectRoot, normalizedPath);
             await fs.mkdir(path.dirname(filePath), { recursive: true });
             await fs.writeFile(filePath, content);
+            installedFiles += 1;
         }
-        log(`Downloaded ${Object.keys(files).length} files to src/${asset.name}/`);
+        log(`Downloaded ${installedFiles} files.`);
     }
 }
-function isInside(root, target) {
-    const relative = path.relative(root, target);
-    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+async function isFile(file) {
+    try {
+        return (await fs.stat(file)).isFile();
+    }
+    catch {
+        return false;
+    }
 }
-async function installNpmDeps(resolution, cwd, log) {
+async function installNpmDeps(resolution, projectRoot, log) {
     const deps = resolution.npmDependencies;
     if (Object.keys(deps).length === 0)
         return;
-    // Read existing package.json
-    const pkgPath = path.join(cwd, 'package.json');
+    const pkgPath = path.join(projectRoot, 'package.json');
     let pkg;
     try {
         pkg = JSON.parse(await fs.readFile(pkgPath, 'utf-8'));
@@ -56,15 +82,13 @@ async function installNpmDeps(resolution, cwd, log) {
     catch {
         pkg = { name: 'my-project', private: true, dependencies: {} };
     }
-    // Merge dependencies
     pkg.dependencies = { ...pkg.dependencies, ...deps };
     await fs.writeFile(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
     log(`Installing npm dependencies: ${Object.keys(deps).join(', ')}`);
-    // Detect package manager, fall back to npm
-    const pm = await detectPackageManager(cwd).catch(() => null);
+    const pm = await detectPackageManager(projectRoot).catch(() => null);
     const pmName = pm?.name ?? 'npm';
     log(`Using ${pmName}...`);
-    await installDependencies({ cwd, packageManager: { name: pmName, command: pmName } });
+    await installDependencies({ cwd: projectRoot, packageManager: { name: pmName, command: pmName } });
     log('npm dependencies installed.');
 }
 //# sourceMappingURL=install.js.map

package/dist/install.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"install.js","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAA;AACjC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AAClC,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,MAAM,CAAA;AAkBhE,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,MAAoB,EACpB,UAAyB,EACzB,OAAuB,EAAE;IAEzB,MAAM,GAAG,GAAG,IAAI,CAAC,~~GAAG~~,IAAI,~~OAAO,~~CAAC,GAAG,EAAE,CAAA;~~IACrC~~,MAAM,~~GAAG~~,GAAG,IAAI,CAAC,~~UAAU~~,IAAI,CAAC,GAAG,EAAE,~~GAAE,~~CAAC,~~CAAC,~~CAAA;~~IAEzC~~,~~gEAAgE;IAChE,~~MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,~~GAAG~~,EAAE,GAAG,CAAC;~~QAC5C~~,cAAc,CAAC,UAAU,EAAE,~~GAAG~~,EAAE,GAAG,CAAC;~~KACrC~~,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,~~cAAc~~,~~CAC3B~~,~~MAAoB~~,~~EACpB~~,~~UAAyB~~,~~EACzB~~,~~GAAW,EACX,GAA0B~~;~~IAE1B~~,~~KAAK,~~MAAM,KAAK,IAAI,~~UAAU~~,CAAC,~~MAAM~~,EAAE,CAAC;~~QACtC~~,MAAM,~~OAAO~~,~~GAAG~~,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,~~KAAK~~,EAAE,~~KAAK~~,CAAC,IAAI,CAAC,CAAA;~~QACjD~~,MAAM,~~EAAE~~,CAAC,KAAK,CAAC,~~OAAO~~,~~EAAE~~,~~EAAE~~,~~SAAS~~,~~EAAE~~,IAAI,EAAE,CAAC~~,CAAA~~;~~QAE5C~~,GAAG,CAAC,eAAe,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,KAAK,CAAC,CAAA;QAEpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QACxF,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAA;~~QAEhE~~,KAAK,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAA2B,EAAE,CAAC;YACtF,MAAM,~~QAAQ~~,GAAG,~~IAAI~~,CAAC,~~IAAI~~,CAAC,~~OAAO~~,EAAE,~~YAAY~~,CAAC,CAAA;~~YACjD~~,~~IAAI~~,CAAC,~~QAAQ~~,CAAC,~~OAAO~~,~~EAAE~~,QAAQ,CAAC,~~EAAE~~,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,gCAAgC,YAAY,EAAE,CAAC,CAAA;YACjE,CAAC;~~YACD~~,MAAM,~~EAAE~~,CAAC,KAAK,CAAC,~~IAAI~~,CAAC,OAAO,CAAC,~~QAAQ~~,~~CAAC~~,~~EAAE~~,~~EAAE~~,~~SAAS~~,~~EAAE~~,~~IAAI~~,~~EAAE~~,CAAC,~~CAAA~~;~~YAC3D~~,MAAM,~~EAAE~~,CAAC,~~SAAS~~,CAAC,~~QAAQ~~,EAAE,~~OAAO~~,CAAC,CAAA;~~QACvC~~,~~CAAC;QAED~~,~~GAAG~~,CAAC,~~cAAc~~,~~MAAM,~~CAAC,IAAI,CAAC,~~KAAK~~,CAAC,CAAC,~~MAAM~~,~~iBAAiB~~,~~KAAK~~,~~CAAC~~,IAAI,~~GAAG~~,CAAC,CAAA;~~IAC5E~~,~~CAAC;AACH~~,CAAC~~;AAED~~,SAAS,~~QAAQ,~~CAAC,~~IAAY~~,EAAE,~~MAAc;IAC5C~~,~~MAAM~~,~~QAAQ~~,~~GAAG~~,IAAI,CAAC,~~QAAQ~~,CAAC,~~IAAI~~,~~EAAE~~,~~MAAM~~,CAAC,CAAA;IAC5C,~~OAAO~~,~~QAAQ~~,KAAK,~~EAAE~~,~~IAAI~~,CAAC,~~CAAC~~,~~QAAQ~~,CAAC,~~UAAU~~,CAAC,~~IAAI~~,CAAC,IAAI,CAAC,IAAI,CAAC,~~UAAU~~,CAAC,~~QAAQ~~,CAAC,CAAC,CAAA;~~AACtF~~,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,UAAyB,EACzB,~~GAAW~~,~~EACX~~,GAA0B;IAE1B,MAAM,IAAI,GAAG,UAAU,CAAC,eAAe,CAAA;IACvC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM;IAE1C,~~6BAA6B;IAC7B,~~MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,~~GAAG~~,EAAE,cAAc,CAAC,CAAA;~~IAC9C~~,IAAI,GAAgB,CAAA;IACpB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAgB,CAAA;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,CAAA;IAC/D,CAAC;IAED,~~qBAAqB;IACrB,~~GAAG,CAAC,YAAY,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,IAAI,EAAE,CAAA;IACnD,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IAEhE,GAAG,CAAC,gCAAgC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAEnE,~~2CAA2C;IAC3C,~~MAAM,EAAE,GAAG,MAAM,oBAAoB,CAAC,~~GAAG~~,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;~~IAC5D~~,MAAM,MAAM,GAAG,EAAE,EAAE,IAAI,IAAI,KAAK,CAAA;IAEhC,GAAG,CAAC,SAAS,MAAM,KAAK,CAAC,CAAA;IACzB,MAAM,mBAAmB,CAAC,EAAE,GAAG,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,CAAC,CAAA;~~IACrF~~,GAAG,CAAC,6BAA6B,CAAC,CAAA;AACpC,CAAC"}
1	+ {"version":3,"file":"install.js","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAA;AACjC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AAClC,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,MAAM,CAAA;AAkBhE,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,MAAoB,EACpB,UAAyB,EACzB,OAAuB,EAAE;IAEzB,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;IACzC,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAEpE,MAAM,OAAO,CAAC,GAAG,CAAC;QAChB,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,CAAC;QACpD,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE,GAAG,CAAC;KAC7C,CAAC,CAAA;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,WAAW,GAAkB,IAAI,CAAA;IAErC,IAAI,GAAG,GAAG,KAAK,CAAA;IACf,OAAO,IAAI,EAAE,CAAC;QACZ,IAAI,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;YACjD,WAAW,GAAG,GAAG,CAAA;QACnB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,MAAM,KAAK,GAAG;YAAE,MAAK;QACzB,GAAG,GAAG,MAAM,CAAA;IACd,CAAC;IAED,OAAO,WAAW,IAAI,KAAK,CAAA;AAC7B,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,MAAoB,EACpB,UAAyB,EACzB,WAAmB,EACnB,GAA0B;IAE1B,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtC,GAAG,CAAC,eAAe,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,KAAK,CAAC,CAAA;QAEpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QACxF,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAA;QAChE,IAAI,cAAc,GAAG,CAAC,CAAA;QAEtB,KAAK,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAA2B,EAAE,CAAC;YACtF,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;YAChD,IACE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACjC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;gBAC9B,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,EAC9B,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,YAAY,EAAE,CAAC,CAAA;YACjE,CAAC;YAED,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;YACpD,IACE,cAAc,KAAK,GAAG;gBACtB,cAAc,KAAK,WAAW;gBAC9B,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAC5B,CAAC;gBACD,SAAQ;YACV,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;YACvD,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;YAC3D,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;YACrC,cAAc,IAAI,CAAC,CAAA;QACrB,CAAC;QAED,GAAG,CAAC,cAAc,cAAc,SAAS,CAAC,CAAA;IAC5C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,UAAyB,EACzB,WAAmB,EACnB,GAA0B;IAE1B,MAAM,IAAI,GAAG,UAAU,CAAC,eAAe,CAAA;IACvC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAM;IAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;IACtD,IAAI,GAAgB,CAAA;IACpB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAgB,CAAA;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,CAAA;IAC/D,CAAC;IAED,GAAG,CAAC,YAAY,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,IAAI,EAAE,CAAA;IACnD,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IAEhE,GAAG,CAAC,gCAAgC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAEnE,MAAM,EAAE,GAAG,MAAM,oBAAoB,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;IACpE,MAAM,MAAM,GAAG,EAAE,EAAE,IAAI,IAAI,KAAK,CAAA;IAEhC,GAAG,CAAC,SAAS,MAAM,KAAK,CAAC,CAAA;IACzB,MAAM,mBAAmB,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,CAAC,CAAA;IAClG,GAAG,CAAC,6BAA6B,CAAC,CAAA;AACpC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@drawcall/market",
-  "version": "0.1.13",
+  "version": "0.1.14",
   "repository": {
     "type": "git",
     "url": "https://github.com/drawcall-ai/market",
@@ -31,6 +31,7 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsx src/cli.ts",
+    "test:install-layout": "tsx --test tests/install-layout.test.ts",
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {

package/src/install.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * Install resolved assets into a local project.
  *
- * 1. Downloads asset files into ./src/{assetName}/ via the oRPC client.
+ * 1. Downloads public asset files into ./public/... via the oRPC client.
  * 2. Merges npm dependencies into package.json.
  * 3. Runs the package manager to install npm deps.
  *
@@ -24,7 +24,7 @@ interface PackageJson {
 }
 export interface InstallOptions {
-  /** Project root directory (default: cwd) */
+  /** Directory to start project root discovery from (default: cwd) */
   cwd?: string
   /** Log progress */
   onProgress?: (message: string) => void
@@ -35,59 +35,92 @@ export async function install(
   resolution: ResolveResult,
   opts: InstallOptions = {},
 ): Promise<void> {
-  const cwd = opts.cwd ?? process.cwd()
   const log = opts.onProgress ?? (() => {})
+  const installRoot = await findInstallRoot(opts.cwd ?? process.cwd())
-  // Run asset file downloads and npm dep installation in parallel
   await Promise.all([
-    downloadAssets(client, resolution, cwd, log),
-    installNpmDeps(resolution, cwd, log),
+    downloadAssets(client, resolution, installRoot, log),
+    installNpmDeps(resolution, installRoot, log),
   ])
 }
+export async function findInstallRoot(cwd: string = process.cwd()): Promise<string> {
+  const start = path.resolve(cwd)
+  let packageRoot: string | null = null
+  let dir = start
+  while (true) {
+    if (await isFile(path.join(dir, 'package.json'))) {
+      packageRoot = dir
+    }
+    const parent = path.dirname(dir)
+    if (parent === dir) break
+    dir = parent
+  }
+  return packageRoot ?? start
+}
 async function downloadAssets(
   client: MarketClient,
   resolution: ResolveResult,
-  cwd: string,
+  projectRoot: string,
   log: (msg: string) => void,
 ): Promise<void> {
   for (const asset of resolution.assets) {
-    const destDir = path.join(cwd, 'src', asset.name)
-    await fs.mkdir(destDir, { recursive: true })
     log(`Downloading ${asset.name}@${asset.version}...`)
     const zip = await client.asset.downloadZip({ name: asset.name, version: asset.version })
     const files = unzipSync(new Uint8Array(await zip.arrayBuffer()))
+    let installedFiles = 0
     for (const [relativePath, content] of Object.entries(files) as [string, Uint8Array][]) {
-      const filePath = path.join(destDir, relativePath)
-      if (!isInside(destDir, filePath)) {
+      const zipPath = relativePath.replace(/\\/g, '/')
+      if (
+        zipPath.split('/').includes('..') ||
+        path.posix.isAbsolute(zipPath) ||
+        path.win32.isAbsolute(zipPath)
+      ) {
         throw new Error(`Zip contains an unsafe path: ${relativePath}`)
       }
+      const normalizedPath = path.posix.normalize(zipPath)
+      if (
+        normalizedPath === '.' ||
+        normalizedPath === 'README.md' ||
+        normalizedPath.endsWith('/')
+      ) {
+        continue
+      }
+      const filePath = path.join(projectRoot, normalizedPath)
       await fs.mkdir(path.dirname(filePath), { recursive: true })
       await fs.writeFile(filePath, content)
+      installedFiles += 1
     }
-    log(`Downloaded ${Object.keys(files).length} files to src/${asset.name}/`)
+    log(`Downloaded ${installedFiles} files.`)
   }
 }
-function isInside(root: string, target: string): boolean {
-  const relative = path.relative(root, target)
-  return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative))
+async function isFile(file: string): Promise<boolean> {
+  try {
+    return (await fs.stat(file)).isFile()
+  } catch {
+    return false
+  }
 }
 async function installNpmDeps(
   resolution: ResolveResult,
-  cwd: string,
+  projectRoot: string,
   log: (msg: string) => void,
 ): Promise<void> {
   const deps = resolution.npmDependencies
   if (Object.keys(deps).length === 0) return
-  // Read existing package.json
-  const pkgPath = path.join(cwd, 'package.json')
+  const pkgPath = path.join(projectRoot, 'package.json')
   let pkg: PackageJson
   try {
     pkg = JSON.parse(await fs.readFile(pkgPath, 'utf-8')) as PackageJson
@@ -95,17 +128,15 @@ async function installNpmDeps(
     pkg = { name: 'my-project', private: true, dependencies: {} }
   }
-  // Merge dependencies
   pkg.dependencies = { ...pkg.dependencies, ...deps }
   await fs.writeFile(pkgPath, JSON.stringify(pkg, null, 2) + '\n')
   log(`Installing npm dependencies: ${Object.keys(deps).join(', ')}`)
-  // Detect package manager, fall back to npm
-  const pm = await detectPackageManager(cwd).catch(() => null)
+  const pm = await detectPackageManager(projectRoot).catch(() => null)
   const pmName = pm?.name ?? 'npm'
   log(`Using ${pmName}...`)
-  await installDependencies({ cwd, packageManager: { name: pmName, command: pmName } })
+  await installDependencies({ cwd: projectRoot, packageManager: { name: pmName, command: pmName } })
   log('npm dependencies installed.')
 }

package/tests/install-layout.test.ts ADDED Viewed

@@ -0,0 +1,114 @@
+import assert from 'node:assert/strict'
+import * as fs from 'node:fs/promises'
+import * as os from 'node:os'
+import * as path from 'node:path'
+import test from 'node:test'
+import { zipSync } from 'fflate'
+import { findInstallRoot, install } from '../src/install.js'
+const textEncoder = new TextEncoder()
+test('install writes zip files into the package root', async () => {
+  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'market-install-'))
+  const appRoot = path.join(tempDir, 'app')
+  const cwd = path.join(appRoot, 'src', 'feature')
+  await fs.mkdir(path.join(appRoot, 'public'), { recursive: true })
+  await fs.mkdir(cwd, { recursive: true })
+  await fs.writeFile(path.join(appRoot, 'package.json'), '{}\n')
+  await fs.writeFile(path.join(appRoot, 'README.md'), 'project readme\n')
+  await install(
+    clientWithZip({
+      'public/humanoid-animation/idle-loop.glb': textEncoder.encode('glb'),
+      'src/generated/idle-loop.ts': textEncoder.encode('export const idleLoop = true\n'),
+      'README.md': textEncoder.encode('asset readme'),
+    }),
+    {
+      assets: [
+        {
+          name: 'idle-loop',
+          version: '1.0.0',
+          npmDependencies: {},
+          assetDependencies: {},
+        },
+      ],
+      npmDependencies: {},
+    },
+    { cwd },
+  )
+  assert.equal(
+    await fs.readFile(path.join(appRoot, 'public', 'humanoid-animation', 'idle-loop.glb'), 'utf-8'),
+    'glb',
+  )
+  assert.equal(
+    await fs.readFile(path.join(appRoot, 'src', 'generated', 'idle-loop.ts'), 'utf-8'),
+    'export const idleLoop = true\n',
+  )
+  assert.equal(await fs.readFile(path.join(appRoot, 'README.md'), 'utf-8'), 'project readme\n')
+  assert.equal(await exists(path.join(cwd, 'src', 'idle-loop', 'public')), false)
+})
+test('install rejects zip paths that escape through parent segments', async () => {
+  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'market-install-'))
+  await fs.writeFile(path.join(tempDir, 'package.json'), '{}\n')
+  await assert.rejects(
+    install(
+      clientWithZip({
+        'public/../package.json': textEncoder.encode('nope\n'),
+      }),
+      {
+        assets: [
+          {
+            name: 'bad-path',
+            version: '1.0.0',
+            npmDependencies: {},
+            assetDependencies: {},
+          },
+        ],
+        npmDependencies: {},
+      },
+      { cwd: tempDir },
+    ),
+    /unsafe path/u,
+  )
+})
+test('findInstallRoot ignores public directories and uses the highest package.json', async () => {
+  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'market-root-'))
+  const repoRoot = path.join(tempDir, 'repo')
+  const appRoot = path.join(repoRoot, 'packages', 'app')
+  const cwd = path.join(appRoot, 'src', 'routes')
+  await fs.mkdir(path.join(appRoot, 'public'), { recursive: true })
+  await fs.mkdir(cwd, { recursive: true })
+  await fs.writeFile(path.join(repoRoot, 'package.json'), '{}\n')
+  await fs.writeFile(path.join(appRoot, 'package.json'), '{}\n')
+  assert.equal(await findInstallRoot(cwd), repoRoot)
+})
+test('findInstallRoot falls back to cwd when no package.json exists', async () => {
+  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'market-root-'))
+  const cwd = path.join(tempDir, 'repo', 'src')
+  await fs.mkdir(cwd, { recursive: true })
+  assert.equal(await findInstallRoot(cwd), cwd)
+})
+function clientWithZip(files: Record<string, Uint8Array>) {
+  return {
+    asset: {
+      downloadZip: async () => new Blob([zipSync(files)]),
+    },
+  } as never
+}
+async function exists(file: string): Promise<boolean> {
+  try {
+    await fs.stat(file)
+    return true
+  } catch {
+    return false
+  }
+}