@ericsanchezok/synergy-plugin-kit 2.2.1 → 2.2.2

package/dist/commands/build.js

@@ -5,6 +5,7 @@ import { PluginManifest } from "@ericsanchezok/synergy-plugin";
 import { cmd } from "../cmd";
 import { UI } from "../ui";
 import { sha256File, sha256JSON } from "../lib/crypto";
+import { collectPackagedAssets, copyPackagedAsset, hashPackagedFiles, rewritePackagedManifestPaths, } from "../lib/artifact-assets";
 function ensureDir(dirPath) {
     fs.mkdirSync(dirPath, { recursive: true });
 }
@@ -19,28 +20,12 @@ function copyDir(src, dest) {
             fs.copyFileSync(srcPath, destPath);
     }
 }
-function copyFilePreserve(pluginDir, distDir, relativePath) {
-    const normalized = relativePath.replace(/^\.\//, "");
-    const src = path.resolve(pluginDir, normalized);
-    if (!fs.existsSync(src) || !fs.statSync(src).isFile())
-        return;
-    const dest = path.join(distDir, normalized);
-    ensureDir(path.dirname(dest));
-    fs.copyFileSync(src, dest);
-}
 function findUiSource(pluginDir) {
     const candidates = ["src/ui.tsx", "src/ui/index.tsx", "src/ui.ts", "src/ui/index.ts"];
     return candidates.map((candidate) => path.join(pluginDir, candidate)).find((candidate) => fs.existsSync(candidate));
 }
 function packagedManifest(manifest) {
-    const next = structuredClone(manifest);
-    next.main = "./runtime/index.js";
-    if (next.contributes?.ui?.entry) {
-        next.contributes.ui.entry = next.contributes.ui.entry.replace(/^\.\//, "").replace(/^dist\//, "./");
-        if (!next.contributes.ui.entry.startsWith("."))
-            next.contributes.ui.entry = `./${next.contributes.ui.entry}`;
-    }
-    return next;
+    return rewritePackagedManifestPaths(manifest);
 }
 function permissionSummary(manifest) {
     const perms = manifest.permissions ?? {};
@@ -136,6 +121,16 @@ export async function buildPluginProject(pluginDir) {
             return false;
         }
     }
+    spinner("Copying declared assets");
+    try {
+        for (const asset of collectPackagedAssets(manifest)) {
+            copyPackagedAsset(pluginDir, distDir, asset);
+        }
+    }
+    catch (error) {
+        UI.error(error instanceof Error ? error.message : String(error));
+        return false;
+    }
     spinner("Normalizing manifest");
     const distManifest = packagedManifest(manifest);
     const distManifestPath = path.join(distDir, "plugin.json");
@@ -157,10 +152,6 @@ export async function buildPluginProject(pluginDir) {
         spinner("Copying assets");
         copyDir(publicAssetsPath, path.join(distDir, "assets"));
     }
-    for (const theme of manifest.contributes?.ui?.themes ?? [])
-        copyFilePreserve(pluginDir, distDir, theme.path);
-    for (const icon of manifest.contributes?.ui?.icons ?? [])
-        copyFilePreserve(pluginDir, distDir, icon.path);
     spinner("Computing integrity hashes");
     const integrity = {
         manifest: sha256File(distManifestPath),
@@ -174,7 +165,11 @@ export async function buildPluginProject(pluginDir) {
         if (fs.existsSync(uiIndex))
             integrity.ui = sha256File(uiIndex);
     }
-    fs.writeFileSync(path.join(distDir, "integrity.json"), JSON.stringify(integrity, null, 2));
+    const integrityPayload = {
+        ...integrity,
+        files: hashPackagedFiles(distDir),
+    };
+    fs.writeFileSync(path.join(distDir, "integrity.json"), JSON.stringify(integrityPayload, null, 2));
     UI.println(`${UI.Style.TEXT_SUCCESS}✔${UI.Style.TEXT_NORMAL} Built ${manifest.name} v${manifest.version} -> ${distDir}`);
     UI.println(`  ${UI.Style.TEXT_DIM}Output:${UI.Style.TEXT_NORMAL} ${distDir}`);
     return true;

package/dist/commands/pack.js

@@ -4,6 +4,7 @@ import { PluginManifest } from "@ericsanchezok/synergy-plugin";
 import { cmd } from "../cmd";
 import { UI } from "../ui";
 import { sha256File } from "../lib/crypto";
+import { missingPackagedAssets } from "../lib/artifact-assets";
 function formatSize(bytes) {
     if (bytes < 1024)
         return `${bytes} B`;
@@ -31,6 +32,17 @@ export function packPluginProject(pluginDir) {
     if (!fs.existsSync(path.join(distDir, "plugin.json"))) {
         throw new Error(`dist/plugin.json not found at ${distDir}. Run "synergy-plugin build" first.`);
     }
+    for (const required of ["runtime/index.js", "integrity.json", "permissions.summary.json"]) {
+        if (!fs.existsSync(path.join(distDir, required))) {
+            throw new Error(`dist/${required} not found at ${distDir}. Run "synergy-plugin build" first.`);
+        }
+    }
+    const distManifest = PluginManifest.parse(JSON.parse(fs.readFileSync(path.join(distDir, "plugin.json"), "utf-8")));
+    const missing = missingPackagedAssets(distDir, distManifest);
+    if (missing.length > 0) {
+        const details = missing.map((asset) => `  - ${asset.label}: ${asset.packageRelative}`).join("\n");
+        throw new Error(`dist/ is missing manifest-declared plugin assets:\n${details}`);
+    }
     const tgzName = `${safePackageName(manifest.name)}-${manifest.version}.synergy-plugin.tgz`;
     const result = Bun.spawnSync(["tar", "-czf", tgzName, "-C", distDir, "."], { cwd: pluginDir });
     if (result.exitCode !== 0) {

package/dist/commands/sign.js

@@ -6,7 +6,9 @@ import { PluginManifest } from "@ericsanchezok/synergy-plugin";
 import { cmd } from "../cmd";
 import { UI } from "../ui";
 import { SIGNING_KEYS_DIR, SIGNING_KEY_FILE } from "../lib/paths";
-import { sha256Content, sha256File } from "../lib/crypto";
+import { sha256File } from "../lib/crypto";
+import { baseCapabilities } from "../lib/capability";
+import { computeManifestHash, computePermissionsHash } from "../lib/hash";
 function extractFromTarball(tarballPath, memberPath) {
     const result = Bun.spawnSync(["tar", "-xOf", tarballPath, memberPath], { stdout: "pipe", stderr: "pipe" });
     if (result.exitCode !== 0)
@@ -52,8 +54,7 @@ export async function signPluginTarball(tarballPath, options = {}) {
     catch {
         throw new Error("Failed to parse plugin.normalized.json from tarball");
     }
-    const permissionsRaw = extractFromTarball(tarballPath, "permissions.summary.json");
-    if (!permissionsRaw) {
+    if (!extractFromTarball(tarballPath, "permissions.summary.json")) {
         throw new Error("Failed to extract permissions.summary.json from tarball. Has the plugin been built?");
     }
     let keyFile = readKeyFile();
@@ -66,8 +67,8 @@ export async function signPluginTarball(tarballPath, options = {}) {
     }
     const payload = {
         tarballHash,
-        manifestHash: sha256Content(manifestRaw),
-        permissionsHash: sha256Content(permissionsRaw),
+        manifestHash: computeManifestHash(manifest),
+        permissionsHash: computePermissionsHash(manifest, baseCapabilities(manifest)),
     };
     const privateKey = await importPrivateKey(keyFile.privateKey);
     const sigRaw = await subtle.sign("Ed25519", privateKey, new TextEncoder().encode(JSON.stringify(payload)));

package/dist/commands/validate.js

@@ -10,6 +10,7 @@ import { computeRisk } from "../lib/risk";
 import { validateRuntimePolicy } from "../lib/runtime-policy";
 import { validateRuntimeDiscovery } from "../lib/runtime-discovery";
 import { assertCanonicalPluginIdentity, importUrlForEntry, resolveEntryFromPluginDir } from "../lib/spec";
+import { collectPackagedAssets, resolveUnder } from "../lib/artifact-assets";
 function scanExports(source) {
     const names = new Set();
     const declRe = /^export\s+(?:const|function|class|interface|type|let|var)\s+(\w+)/gm;
@@ -183,21 +184,35 @@ export async function validatePluginProject(pluginPath, options = {}) {
                 checkExport("uiCommand", ui.commands);
             }
         }
-        for (const icon of ui.icons ?? []) {
-            if (!fs.existsSync(path.resolve(pluginDir, icon.path))) {
-                results.push({ type: "error", message: `icon "${icon.name}" path ${icon.path} not found` });
+    }
+    const uiSource = findUiSource(pluginDir);
+    let packagedAssets = [];
+    try {
+        packagedAssets = collectPackagedAssets(m);
+    }
+    catch (error) {
+        results.push({ type: "error", message: error instanceof Error ? error.message : String(error) });
+    }
+    for (const asset of packagedAssets) {
+        if (asset.label === "UI entry" && uiSource && !fs.existsSync(path.resolve(pluginDir, asset.sourceRelative)))
+            continue;
+        try {
+            const assetPath = resolveUnder(pluginDir, asset.sourceRelative);
+            if (!fs.existsSync(assetPath)) {
+                results.push({ type: "error", message: `${asset.label} ${asset.sourceRelative} not found` });
+                continue;
             }
-        }
-        for (const theme of ui.themes ?? []) {
-            if (!fs.existsSync(path.resolve(pluginDir, theme.path))) {
-                results.push({ type: "error", message: `theme "${theme.id}" path ${theme.path} not found` });
+            const stat = fs.statSync(assetPath);
+            if (asset.kind === "dir" && !stat.isDirectory()) {
+                results.push({ type: "error", message: `${asset.label} ${asset.sourceRelative} is not a directory` });
             }
-        }
-        for (const route of ui.routes ?? []) {
-            if (!fs.existsSync(path.resolve(pluginDir, route.entry))) {
-                results.push({ type: "error", message: `route "${route.path}" entry ${route.entry} not found` });
+            if (asset.kind === "file" && !stat.isFile()) {
+                results.push({ type: "error", message: `${asset.label} ${asset.sourceRelative} is not a file` });
             }
         }
+        catch (error) {
+            results.push({ type: "error", message: error instanceof Error ? error.message : String(error) });
+        }
     }
     for (const tool of m.contributes?.tools ?? []) {
         if (!tool.capabilities)
@@ -207,7 +222,10 @@ export async function validatePluginProject(pluginPath, options = {}) {
         if (isValidJsonSchema(m.contributes.config.schema))
             results.push({ type: "pass", message: "config schema valid" });
         else
-            results.push({ type: "warn", message: "config schema does not appear to be valid JSON Schema" });
+            results.push({
+                type: "warn",
+                message: 'config schema does not appear to be valid JSON Schema; wrap plugin settings in a top-level schema such as { "type": "object", "properties": { ... } }',
+            });
     }
     const pluginRisk = computeRisk(baseCapabilities(m), m);
     results.push(...validateRuntimePolicy({ manifest: m, source: "local", trustTier: "declarative", risk: pluginRisk }));
@@ -225,9 +243,14 @@ export async function validatePluginProject(pluginPath, options = {}) {
             try {
                 const mod = await import(importUrlForEntry(entryPath, Date.now()));
                 const descriptors = [];
+                const seenDescriptors = new Set();
                 for (const value of Object.values(mod)) {
                     if (value && typeof value === "object" && !Array.isArray(value) && "id" in value && "init" in value) {
-                        descriptors.push(value);
+                        const descriptor = value;
+                        if (!seenDescriptors.has(descriptor)) {
+                            descriptors.push(descriptor);
+                            seenDescriptors.add(descriptor);
+                        }
                     }
                 }
                 if (descriptors.length === 0) {

package/dist/lib/artifact-assets.d.ts

@@ -0,0 +1,17 @@
+import type { PluginManifest } from "@ericsanchezok/synergy-plugin";
+export interface PackagedAsset {
+    label: string;
+    kind: "file" | "dir";
+    sourceRelative: string;
+    packageRelative: string;
+}
+export declare function isLocalManifestPath(value: string | undefined): value is string;
+export declare function normalizeManifestPath(value: string): string;
+export declare function packageRelativePath(value: string): string;
+export declare function packageManifestPath(value: string): string;
+export declare function collectPackagedAssets(manifest: PluginManifest): PackagedAsset[];
+export declare function rewritePackagedManifestPaths(manifest: PluginManifest): PluginManifest;
+export declare function resolveUnder(root: string, relativePath: string): string;
+export declare function copyPackagedAsset(pluginDir: string, distDir: string, asset: PackagedAsset): void;
+export declare function hashPackagedFiles(distDir: string): Record<string, string>;
+export declare function missingPackagedAssets(distDir: string, manifest: PluginManifest): PackagedAsset[];

package/dist/lib/artifact-assets.js

@@ -0,0 +1,158 @@
+import path from "path";
+import fs from "fs";
+import { sha256File } from "./crypto";
+function isExternalPath(value) {
+    return /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(value) || value.startsWith("//");
+}
+export function isLocalManifestPath(value) {
+    return Boolean(value && !isExternalPath(value));
+}
+export function normalizeManifestPath(value) {
+    const normalized = value.replace(/\\/g, "/").replace(/^\.\//, "");
+    if (!normalized || normalized === ".")
+        throw new Error("Manifest path cannot be empty");
+    if (path.posix.isAbsolute(normalized) || path.isAbsolute(value)) {
+        throw new Error(`Manifest path must be relative: ${value}`);
+    }
+    const parts = normalized.split("/");
+    if (parts.includes(".."))
+        throw new Error(`Manifest path cannot escape the plugin directory: ${value}`);
+    return path.posix.normalize(normalized);
+}
+export function packageRelativePath(value) {
+    const normalized = normalizeManifestPath(value);
+    return normalized.startsWith("dist/") ? normalized.slice("dist/".length) : normalized;
+}
+export function packageManifestPath(value) {
+    return `./${packageRelativePath(value)}`;
+}
+function addAsset(assets, input) {
+    if (!isLocalManifestPath(input.path))
+        return;
+    assets.push({
+        label: input.label,
+        kind: input.kind,
+        sourceRelative: normalizeManifestPath(input.path),
+        packageRelative: packageRelativePath(input.path),
+    });
+}
+function addSandboxEntries(assets, label, entries) {
+    for (const entry of entries ?? []) {
+        addAsset(assets, {
+            label: `${label}${entry.id ? ` "${entry.id}"` : ""} sandbox entry`,
+            kind: "file",
+            path: entry.sandboxEntry,
+        });
+    }
+}
+export function collectPackagedAssets(manifest) {
+    const assets = [];
+    for (const skill of manifest.contributes?.skills ?? []) {
+        addAsset(assets, { label: `skill "${skill.name}" directory`, kind: "dir", path: skill.dir });
+    }
+    if (manifest.lifecycle?.install)
+        addAsset(assets, { label: "install lifecycle script", kind: "file", path: manifest.lifecycle.install });
+    if (manifest.lifecycle?.uninstall)
+        addAsset(assets, { label: "uninstall lifecycle script", kind: "file", path: manifest.lifecycle.uninstall });
+    if (manifest.lifecycle?.update)
+        addAsset(assets, { label: "update lifecycle script", kind: "file", path: manifest.lifecycle.update });
+    const ui = manifest.contributes?.ui;
+    if (ui?.entry)
+        addAsset(assets, { label: "UI entry", kind: "file", path: ui.entry });
+    for (const route of ui?.routes ?? []) {
+        addAsset(assets, { label: `route "${route.path}" entry`, kind: "file", path: route.entry });
+    }
+    addSandboxEntries(assets, "workspace panel", ui?.workspacePanels);
+    addSandboxEntries(assets, "global panel", ui?.globalPanels);
+    addSandboxEntries(assets, "settings", ui?.settings);
+    for (const theme of ui?.themes ?? [])
+        addAsset(assets, { label: `theme "${theme.id}"`, kind: "file", path: theme.path });
+    for (const icon of ui?.icons ?? [])
+        addAsset(assets, { label: `icon "${icon.name}"`, kind: "file", path: icon.path });
+    const seen = new Set();
+    return assets.filter((asset) => {
+        const key = `${asset.kind}:${asset.packageRelative}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+export function rewritePackagedManifestPaths(manifest) {
+    const next = structuredClone(manifest);
+    next.main = "./runtime/index.js";
+    const ui = next.contributes?.ui;
+    if (!ui)
+        return next;
+    if (ui.entry)
+        ui.entry = packageManifestPath(ui.entry);
+    for (const route of ui.routes ?? [])
+        route.entry = packageManifestPath(route.entry);
+    for (const panel of ui.workspacePanels ?? []) {
+        if (panel.sandboxEntry)
+            panel.sandboxEntry = packageManifestPath(panel.sandboxEntry);
+    }
+    for (const panel of ui.globalPanels ?? []) {
+        if (panel.sandboxEntry)
+            panel.sandboxEntry = packageManifestPath(panel.sandboxEntry);
+    }
+    for (const settings of ui.settings ?? []) {
+        if (settings.sandboxEntry)
+            settings.sandboxEntry = packageManifestPath(settings.sandboxEntry);
+    }
+    return next;
+}
+export function resolveUnder(root, relativePath) {
+    const normalized = normalizeManifestPath(relativePath);
+    const resolved = path.resolve(root, normalized);
+    const relative = path.relative(root, resolved);
+    if (relative.startsWith("..") || path.isAbsolute(relative)) {
+        throw new Error(`Manifest path cannot escape ${root}: ${relativePath}`);
+    }
+    return resolved;
+}
+export function copyPackagedAsset(pluginDir, distDir, asset) {
+    const src = resolveUnder(pluginDir, asset.sourceRelative);
+    const dest = resolveUnder(distDir, asset.packageRelative);
+    if (!fs.existsSync(src))
+        throw new Error(`${asset.label} not found at ${asset.sourceRelative}`);
+    const stat = fs.statSync(src);
+    if (asset.kind === "dir") {
+        if (!stat.isDirectory())
+            throw new Error(`${asset.label} must be a directory: ${asset.sourceRelative}`);
+        if (path.resolve(src) === path.resolve(dest))
+            return;
+        fs.mkdirSync(path.dirname(dest), { recursive: true });
+        fs.cpSync(src, dest, { recursive: true });
+        return;
+    }
+    if (!stat.isFile())
+        throw new Error(`${asset.label} must be a file: ${asset.sourceRelative}`);
+    if (path.resolve(src) === path.resolve(dest))
+        return;
+    fs.mkdirSync(path.dirname(dest), { recursive: true });
+    fs.copyFileSync(src, dest);
+}
+function walkFiles(root, dir, output) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        const filepath = path.join(dir, entry.name);
+        if (entry.isDirectory()) {
+            walkFiles(root, filepath, output);
+            continue;
+        }
+        if (!entry.isFile())
+            continue;
+        const relative = path.relative(root, filepath).split(path.sep).join("/");
+        if (relative === "integrity.json")
+            continue;
+        output[relative] = sha256File(filepath);
+    }
+}
+export function hashPackagedFiles(distDir) {
+    const files = {};
+    walkFiles(distDir, distDir, files);
+    return Object.fromEntries(Object.entries(files).sort(([a], [b]) => a.localeCompare(b)));
+}
+export function missingPackagedAssets(distDir, manifest) {
+    return collectPackagedAssets(manifest).filter((asset) => !fs.existsSync(resolveUnder(distDir, asset.packageRelative)));
+}

package/dist/lib/hash.js

@@ -3,12 +3,11 @@ export function computePermissionsHash(manifest, capabilities) {
     const normalized = {
         capabilities: [...capabilities].sort(),
         permissions: manifest.permissions ?? {},
-        contributes: manifest.contributes?.ui != null ? { ui: manifest.contributes.ui } : undefined,
-        hooks: manifest.permissions?.hooks ?? undefined,
+        contributes: manifest.contributes ?? {},
+        lifecycle: manifest.lifecycle ?? {},
     };
     return sha256Content(JSON.stringify(sortKeys(normalized)));
 }
 export function computeManifestHash(manifest) {
-    const { contributes, lifecycle, permissions, ...identity } = manifest;
-    return sha256Content(JSON.stringify(sortKeys(identity)));
+    return sha256Content(JSON.stringify(sortKeys(manifest)));
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "@ericsanchezok/synergy-plugin-kit",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "type": "module",
   "license": "MIT",
   "repository": {
@@ -34,7 +34,7 @@
     "dist"
   ],
   "dependencies": {
-    "@ericsanchezok/synergy-plugin": "2.2.0",
+    "@ericsanchezok/synergy-plugin": "2.2.1",
     "yargs": "18.0.0"
   },
   "peerDependencies": {