@gjsify/cli 0.4.4 → 0.4.9

package/lib/commands/publish.js

@@ -0,0 +1,319 @@
+// `gjsify publish [path] [--tag <tag>] [--access <a>] [--tolerate-republish] [--dry-run]`
+//
+// Packs the workspace via `packWorkspace()` (Phase E.1), then PUTs the
+// tarball to the configured npm registry. Mirrors `npm publish`'s observable
+// behavior:
+//
+//   - Reads .npmrc for registry URL + auth (project-local + ~/.npmrc), with
+//     `npm_config_registry` env override.
+//   - Scoped packages route to the scope's registry if configured
+//     (`@scope:registry=...` in .npmrc).
+//   - Auth: bearer token (`_authToken`) or basic (`_auth`).
+//   - --tolerate-republish: surface a 409 conflict as a notice + exit 0
+//     (matches yarn's flag of the same name).
+//   - --tag: published version gets this dist-tag (default `latest`).
+//   - --access: public | restricted — required for first publish of a
+//     scoped package on the public registry.
+//   - --provenance: pass-through only — actual provenance generation requires
+//     a sigstore signer that gjsify doesn't ship; we record the flag in the
+//     publish manifest but don't sign yet. Surface a warning so callers know.
+//   - --dry-run: pack only, no PUT.
+//
+// The request body matches npm's "publish" payload shape:
+//   {
+//     "_id": "<name>",
+//     "name": "<name>",
+//     "description": "<from package.json>",
+//     "dist-tags": { "<tag>": "<version>" },
+//     "versions": { "<version>": { ...full package.json + dist } },
+//     "_attachments": { "<filename>": { content_type, data: base64, length } }
+//   }
+//
+// Source: documented in https://docs.npmjs.com/cli/v10/commands/npm-publish
+// and npm's @npmcli/registry-fetch internals — verified against npm's
+// in-the-wild publish payloads.
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join, resolve } from 'node:path';
+import { DEFAULT_REGISTRY, parseNpmrc, registryFor, buildHeaders, } from '@gjsify/npm-registry';
+import { packWorkspace } from './pack.js';
+export const publishCommand = {
+    command: 'publish [path]',
+    description: 'Pack + upload the workspace at <path> (default: cwd) to its npm registry. Drop-in for `npm publish` with workspace:^ rewrite handled automatically.',
+    builder: (yargs) => yargs
+        .positional('path', { description: 'Workspace path (default: cwd).', type: 'string' })
+        .option('tag', {
+        description: 'Dist-tag to publish under. Default: latest.',
+        type: 'string',
+        default: 'latest',
+    })
+        .option('access', {
+        description: 'Package access — `public` or `restricted` (required for first publish of scoped packages on the public registry).',
+        type: 'string',
+    })
+        .option('tolerate-republish', {
+        description: 'Treat a 409 conflict (version already published) as success. Matches yarn `--tolerate-republish`.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('provenance', {
+        description: 'Pass-through flag — recorded in the payload but no signing happens (gjsify doesn\'t ship a sigstore signer yet).',
+        type: 'boolean',
+        default: false,
+    })
+        .option('dry-run', {
+        description: 'Pack only, do not PUT.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('json', {
+        description: 'Emit publish metadata as JSON on stdout.',
+        type: 'boolean',
+        default: false,
+    }),
+    handler: async (args) => {
+        const wsDir = resolve(args.path ?? process.cwd());
+        const tag = args.tag ?? 'latest';
+        const access = args.access;
+        const tolerate = args['tolerate-republish'] === true;
+        const provenance = args.provenance === true;
+        const dryRun = args['dry-run'] === true;
+        if (provenance) {
+            console.warn('gjsify publish: --provenance recorded but not signed (no sigstore integration yet).');
+        }
+        // 1. Pack the workspace (rewrites workspace:^, computes integrity)
+        const packOpts = { dryRun: true };
+        const packed = await packWorkspace(wsDir, packOpts);
+        // We need the raw bytes — re-run with destination=null and capture.
+        // packWorkspace returns metadata only; for the bytes we re-pack into
+        // memory by reading + rebuilding. Cheap because the second pack runs
+        // off the same source files. (A future optimization: have
+        // packWorkspace optionally return the bytes itself.)
+        const tarBytes = await packWorkspaceToBytes(wsDir);
+        // 2. Read the workspace's (rewritten) package.json to assemble the
+        // publish payload.
+        const pkgPath = join(wsDir, 'package.json');
+        const pkgSource = readFileSync(pkgPath, 'utf-8');
+        const pkg = JSON.parse(pkgSource);
+        // We need the rewritten manifest (workspace:^ → resolved) for the
+        // payload — packWorkspace already wrote it into the tarball. Mirror
+        // the same rewrite here so the registry's "package metadata" matches
+        // the tarball's package.json byte-for-byte.
+        const rewrittenPkg = await loadRewrittenManifest(wsDir, pkg);
+        if (dryRun) {
+            const message = {
+                ok: true,
+                action: 'dry-run',
+                name: packed.name,
+                version: packed.version,
+                filename: packed.filename,
+                size: packed.size,
+                shasum: packed.shasum,
+                integrity: packed.integrity,
+            };
+            if (args.json)
+                process.stdout.write(`${JSON.stringify(message, null, 2)}\n`);
+            else
+                process.stdout.write(`+ ${packed.name}@${packed.version} (dry-run, ${packed.size} bytes, ${packed.entryCount} files)\n`);
+            return;
+        }
+        // 3. Resolve registry URL + auth
+        const npmrc = await loadNpmrc(wsDir);
+        const registry = process.env.npm_config_registry ?? registryFor(packed.name, npmrc) ?? DEFAULT_REGISTRY;
+        const registryClean = registry.endsWith('/') ? registry.slice(0, -1) : registry;
+        // npm-package-arg's escapedName convention for scoped packages:
+        // `@${scope-without-leading-@}%2f${name}` (lowercase %2f, literal @).
+        // Unscoped: `encodeURIComponent(name)`. Match it exactly — the
+        // npm registry is picky about the publish PUT URL shape.
+        const escapedName = packed.name.startsWith('@')
+            ? (() => {
+                const slash = packed.name.indexOf('/');
+                const scope = packed.name.slice(1, slash);
+                const base = packed.name.slice(slash + 1);
+                return `@${encodeURIComponent(scope)}%2f${encodeURIComponent(base)}`;
+            })()
+            : encodeURIComponent(packed.name);
+        const url = `${registryClean}/${escapedName}`;
+        // npm publish convention: the dist.tarball URL + _attachments key both
+        // use the UNSCOPED basename — `cli-0.4.5.tgz`, not
+        // `gjsify-cli-0.4.5.tgz`. This is what libnpmpublish does (see
+        // `attachments[\`${unscopedName}-${version}.tgz\`]` in
+        // libnpmpublish/lib/publish.js). The full scoped filename is what
+        // `npm pack` writes to disk, but the registry stores tarballs at
+        // the unscoped path.
+        const unscopedName = packed.name.includes('/')
+            ? packed.name.slice(packed.name.indexOf('/') + 1)
+            : packed.name;
+        const wireFilename = `${unscopedName}-${packed.version}.tgz`;
+        const tarballUrl = `${registryClean}/${packed.name}/-/${wireFilename}`;
+        // 4. Build payload + PUT
+        const payload = buildPublishPayload({
+            pkg: rewrittenPkg,
+            tag,
+            access,
+            tarballBytes: tarBytes,
+            tarballUrl,
+            packed: { ...packed, wireFilename },
+            provenance,
+        });
+        const headers = buildHeaders(url, { npmrc });
+        headers['content-type'] = 'application/json';
+        headers['accept'] = '*/*';
+        if (process.env.GJSIFY_PUBLISH_DEBUG) {
+            console.error(`gjsify publish: PUT ${url} (${packed.name}@${packed.version})`);
+            console.error(`  authorization: ${headers['authorization'] ? '(set)' : '(none)'}`);
+            console.error(`  payload size: ${JSON.stringify(payload).length} bytes`);
+        }
+        const res = await fetch(url, {
+            method: 'PUT',
+            headers,
+            body: JSON.stringify(payload),
+        });
+        if (res.ok) {
+            const out = {
+                ok: true,
+                name: packed.name,
+                version: packed.version,
+                filename: packed.filename,
+                size: packed.size,
+                integrity: packed.integrity,
+                tag,
+                registry: registryClean,
+            };
+            if (args.json)
+                process.stdout.write(`${JSON.stringify(out, null, 2)}\n`);
+            else
+                process.stdout.write(`+ ${packed.name}@${packed.version}\n`);
+            return;
+        }
+        const text = await res.text().catch(() => '<no body>');
+        if (res.status === 409 && tolerate) {
+            const out = {
+                ok: true,
+                action: 'republish-tolerated',
+                name: packed.name,
+                version: packed.version,
+                status: 409,
+            };
+            if (args.json)
+                process.stdout.write(`${JSON.stringify(out, null, 2)}\n`);
+            else
+                process.stdout.write(`= ${packed.name}@${packed.version} (already published, tolerated)\n`);
+            return;
+        }
+        console.error(`gjsify publish: ${packed.name}@${packed.version} — ${res.status} ${res.statusText}`);
+        console.error(text);
+        process.exit(1);
+    },
+};
+async function packWorkspaceToBytes(wsDir) {
+    // Cheap re-run that writes to a tempdir, then read back. Avoids
+    // duplicating the file-walking + tar-building logic here.
+    const tmp = `/tmp/gjsify-publish-${process.pid}-${Date.now()}`;
+    const res = await packWorkspace(wsDir, { destination: tmp, dryRun: false });
+    if (!res.absolutePath)
+        throw new Error('gjsify publish: pack did not produce a file');
+    const bytes = new Uint8Array(readFileSync(res.absolutePath));
+    try {
+        (await import('node:fs')).rmSync(res.absolutePath);
+    }
+    catch { /* best effort */ }
+    try {
+        (await import('node:fs')).rmdirSync(tmp);
+    }
+    catch { /* best effort */ }
+    return bytes;
+}
+async function loadRewrittenManifest(wsDir, pkg) {
+    // Pack + re-read the tarball's package.json. Easier than duplicating the
+    // rewrite logic — pack already does it correctly, including handling
+    // workspace:^ patterns we'd otherwise have to reimplement here.
+    const tmp = `/tmp/gjsify-publish-manifest-${process.pid}-${Date.now()}.tgz`;
+    const res = await packWorkspace(wsDir, {
+        destination: tmp.substring(0, tmp.lastIndexOf('/')),
+        dryRun: false,
+    });
+    const { rmSync } = await import('node:fs');
+    if (!res.absolutePath)
+        throw new Error('gjsify publish: pack did not produce a file');
+    const { gunzip, parseTar } = await import('@gjsify/tar');
+    const bytes = new Uint8Array(readFileSync(res.absolutePath));
+    rmSync(res.absolutePath);
+    const tar = await gunzip(bytes);
+    for (const entry of parseTar(tar)) {
+        if (entry.name === 'package/package.json' && entry.body) {
+            return JSON.parse(new TextDecoder().decode(entry.body));
+        }
+    }
+    return pkg;
+}
+async function loadNpmrc(cwd) {
+    // npm CLI's npmrc resolution order (lowest → highest precedence):
+    //   1. globalconfig:  /etc/npmrc  (system)
+    //   2. userconfig:    $NPM_CONFIG_USERCONFIG  (overrides ~/.npmrc)
+    //                     or ~/.npmrc  (default)
+    //   3. projectconfig: ./.npmrc  (closest)
+    //
+    // actions/setup-node writes the auth-token npmrc to $RUNNER_TEMP/.npmrc
+    // and exports NPM_CONFIG_USERCONFIG pointing at it — it does NOT touch
+    // ~/.npmrc. Honor the env var so CI authentication works end-to-end.
+    const sources = [];
+    const projectNpmrc = join(cwd, '.npmrc');
+    if (existsSync(projectNpmrc))
+        sources.push(readFileSync(projectNpmrc, 'utf-8'));
+    const userConfig = process.env.NPM_CONFIG_USERCONFIG;
+    if (userConfig && existsSync(userConfig)) {
+        sources.push(readFileSync(userConfig, 'utf-8'));
+    }
+    else {
+        const homeNpmrc = join(homedir(), '.npmrc');
+        if (existsSync(homeNpmrc))
+            sources.push(readFileSync(homeNpmrc, 'utf-8'));
+    }
+    // Inline `${VAR}` placeholders (npm CLI's expand-on-read behavior).
+    // The auth-token npmrc from actions/setup-node ships
+    // `_authToken=${NODE_AUTH_TOKEN}` as a literal placeholder; the env var
+    // is set on the publish step.
+    const merged = sources.join('\n').replace(/\$\{([A-Z_][A-Z0-9_]*)\}/gi, (_, name) => process.env[name] ?? '');
+    return parseNpmrc(merged);
+}
+function buildPublishPayload(opts) {
+    const { pkg, tag, access, tarballBytes, tarballUrl, packed, provenance } = opts;
+    const versionEntry = {
+        ...pkg,
+        _id: `${packed.name}@${packed.version}`,
+        dist: {
+            integrity: packed.integrity,
+            shasum: packed.shasum,
+            tarball: tarballUrl,
+        },
+    };
+    if (provenance)
+        versionEntry._hasShrinkwrap = false;
+    const payload = {
+        _id: packed.name,
+        name: packed.name,
+        description: typeof pkg.description === 'string' ? pkg.description : '',
+        'dist-tags': { [tag]: packed.version },
+        versions: { [packed.version]: versionEntry },
+        readme: '',
+        _attachments: {
+            [packed.wireFilename]: {
+                content_type: 'application/octet-stream',
+                data: base64Encode(tarballBytes),
+                length: tarballBytes.byteLength,
+            },
+        },
+    };
+    if (access)
+        payload.access = access;
+    return payload;
+}
+function base64Encode(bytes) {
+    let str = '';
+    const chunk = 0x8000;
+    for (let i = 0; i < bytes.length; i += chunk) {
+        str += String.fromCharCode(...bytes.subarray(i, i + chunk));
+    }
+    return btoa(str);
+}

package/lib/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
-import { buildCommand as build, runCommand as run, infoCommand as info, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, } from './commands/index.js';
+import { buildCommand as build, runCommand as run, infoCommand as info, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, packCommand as pack, publishCommand as publish, } from './commands/index.js';
 import { APP_NAME } from './constants.js';
 // `parseAsync()` instead of `.argv` so the top-level await keeps the
 // process alive until command handlers complete. Under Node this is
@@ -25,6 +25,8 @@ await yargs(hideBin(process.argv))
     .command(flatpak.command, flatpak.description, flatpak.builder, flatpak.handler)
     .command(foreach.command, foreach.description, foreach.builder, foreach.handler)
     .command(workspace.command, workspace.description, workspace.builder, workspace.handler)
+    .command(pack.command, pack.description, pack.builder, pack.handler)
+    .command(publish.command, publish.description, publish.builder, publish.handler)
     .demandCommand(1)
     .help()
     .parseAsync();

package/lib/utils/install-backend-native.js

@@ -56,7 +56,7 @@ export async function installPackagesNative(opts) {
     }
     else {
         log("install: resolving %d top-level spec(s) → %s", opts.specs.length, opts.prefix);
-        nodes = await resolveDeps(opts.specs, npmrc, log);
+        nodes = await resolveDeps(opts.specs, npmrc, log, opts.overrides);
         if (opts.lockfile) {
             writeLockfile(lockfilePath, opts.specs, nodes);
             log("install: wrote %s (%d entries)", LOCKFILE_NAME, nodes.length);
@@ -114,7 +114,18 @@ function parseSpecName(spec) {
  * the root. Each placement returns a `ResolvedNode` whose `installPath`
  * captures where it lives in the tree.
  */
-async function resolveDeps(specs, npmrc, log) {
+async function resolveDeps(specs, npmrc, log, overrides) {
+    const applyOverride = (name, range) => {
+        if (!overrides)
+            return range;
+        const override = overrides[name];
+        if (typeof override !== 'string' || override.length === 0)
+            return range;
+        if (override === range)
+            return range;
+        log("install: override %s %s → %s", name, range, override);
+        return override;
+    };
     const packumentCache = new Map();
     const fetchPkg = (name) => {
         const cached = packumentCache.get(name);
@@ -131,7 +142,7 @@ async function resolveDeps(specs, npmrc, log) {
     const queue = specs.map(parseSpec).map((s) => ({
         from: null,
         name: s.name,
-        range: s.range,
+        range: applyOverride(s.name, s.range),
         required: true,
     }));
     while (queue.length > 0) {
@@ -181,10 +192,10 @@ async function resolveDeps(specs, npmrc, log) {
             }
             log("resolve: %s@%s ← %s (at %s)", edge.name, version, edge.range, installPath);
             for (const [depName, depRange] of Object.entries(node.dependencies)) {
-                queue.push({ from: installPath, name: depName, range: depRange, required: true });
+                queue.push({ from: installPath, name: depName, range: applyOverride(depName, depRange), required: true });
             }
             for (const [depName, depRange] of Object.entries(node.optionalDependencies)) {
-                queue.push({ from: installPath, name: depName, range: depRange, required: false });
+                queue.push({ from: installPath, name: depName, range: applyOverride(depName, depRange), required: false });
             }
         }
         catch (e) {

package/lib/utils/install-backend.d.ts

@@ -15,6 +15,18 @@ export interface InstallOptions {
     lockfile?: boolean;
     /** Use `<prefix>/gjsify-lock.json` as the source of truth — fail if missing. */
     frozen?: boolean;
+    /**
+     * Per-package version overrides — `<name> → <range>`. Applied to every
+     * edge during dependency resolution, irrespective of the requester.
+     * Mirrors npm's top-level `overrides` field and yarn's `resolutions`
+     * (the simple, name-only flavour; pattern keys like `typescript@*` are
+     * normalised to bare `typescript` by the caller before passing in).
+     *
+     * Lets a workspace root pin a transitive dep version when the
+     * deduplicated tree would otherwise pick a different one — e.g. for
+     * forcing `typescript@~5.9` across every `typescript@*` devDep.
+     */
+    overrides?: Record<string, string>;
 }
 export interface InstallResult {
     /** Top-level packages that were requested, with the version each

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@gjsify/cli",
-    "version": "0.4.4",
+    "version": "0.4.9",
     "description": "CLI for Gjsify",
     "type": "module",
     "main": "lib/index.js",
@@ -37,18 +37,18 @@
         "cli"
     ],
     "dependencies": {
-        "@gjsify/buffer": "^0.4.4",
-        "@gjsify/create-app": "^0.4.4",
-        "@gjsify/node-globals": "^0.4.4",
-        "@gjsify/node-polyfills": "^0.4.4",
-        "@gjsify/npm-registry": "^0.4.4",
-        "@gjsify/resolve-npm": "^0.4.4",
-        "@gjsify/rolldown-plugin-gjsify": "^0.4.4",
-        "@gjsify/rolldown-plugin-pnp": "^0.4.4",
-        "@gjsify/semver": "^0.4.4",
-        "@gjsify/tar": "^0.4.4",
-        "@gjsify/web-polyfills": "^0.4.4",
-        "@gjsify/workspace": "^0.4.4",
+        "@gjsify/buffer": "^0.4.9",
+        "@gjsify/create-app": "^0.4.9",
+        "@gjsify/node-globals": "^0.4.9",
+        "@gjsify/node-polyfills": "^0.4.9",
+        "@gjsify/npm-registry": "^0.4.9",
+        "@gjsify/resolve-npm": "^0.4.9",
+        "@gjsify/rolldown-plugin-gjsify": "^0.4.9",
+        "@gjsify/rolldown-plugin-pnp": "^0.4.9",
+        "@gjsify/semver": "^0.4.9",
+        "@gjsify/tar": "^0.4.9",
+        "@gjsify/web-polyfills": "^0.4.9",
+        "@gjsify/workspace": "^0.4.9",
         "cosmiconfig": "^9.0.1",
         "get-tsconfig": "^4.14.0",
         "pkg-types": "^2.3.1",
@@ -56,12 +56,12 @@
         "yargs": "^18.0.0"
     },
     "devDependencies": {
-        "@gjsify/unit": "^0.4.4",
+        "@gjsify/unit": "^0.4.9",
         "@types/yargs": "^17.0.35",
         "typescript": "^6.0.3"
     },
     "peerDependencies": {
-        "@gjsify/rolldown-native": "^0.4.4"
+        "@gjsify/rolldown-native": "^0.4.9"
     },
     "peerDependenciesMeta": {
         "@gjsify/rolldown-native": {