@gjsify/cli 0.4.5 → 0.4.10

package/lib/commands/publish.js

@@ -0,0 +1,319 @@
+// `gjsify publish [path] [--tag <tag>] [--access <a>] [--tolerate-republish] [--dry-run]`
+//
+// Packs the workspace via `packWorkspace()` (Phase E.1), then PUTs the
+// tarball to the configured npm registry. Mirrors `npm publish`'s observable
+// behavior:
+//
+//   - Reads .npmrc for registry URL + auth (project-local + ~/.npmrc), with
+//     `npm_config_registry` env override.
+//   - Scoped packages route to the scope's registry if configured
+//     (`@scope:registry=...` in .npmrc).
+//   - Auth: bearer token (`_authToken`) or basic (`_auth`).
+//   - --tolerate-republish: surface a 409 conflict as a notice + exit 0
+//     (matches yarn's flag of the same name).
+//   - --tag: published version gets this dist-tag (default `latest`).
+//   - --access: public | restricted — required for first publish of a
+//     scoped package on the public registry.
+//   - --provenance: pass-through only — actual provenance generation requires
+//     a sigstore signer that gjsify doesn't ship; we record the flag in the
+//     publish manifest but don't sign yet. Surface a warning so callers know.
+//   - --dry-run: pack only, no PUT.
+//
+// The request body matches npm's "publish" payload shape:
+//   {
+//     "_id": "<name>",
+//     "name": "<name>",
+//     "description": "<from package.json>",
+//     "dist-tags": { "<tag>": "<version>" },
+//     "versions": { "<version>": { ...full package.json + dist } },
+//     "_attachments": { "<filename>": { content_type, data: base64, length } }
+//   }
+//
+// Source: documented in https://docs.npmjs.com/cli/v10/commands/npm-publish
+// and npm's @npmcli/registry-fetch internals — verified against npm's
+// in-the-wild publish payloads.
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join, resolve } from 'node:path';
+import { DEFAULT_REGISTRY, parseNpmrc, registryFor, buildHeaders, } from '@gjsify/npm-registry';
+import { packWorkspace } from './pack.js';
+export const publishCommand = {
+    command: 'publish [path]',
+    description: 'Pack + upload the workspace at <path> (default: cwd) to its npm registry. Drop-in for `npm publish` with workspace:^ rewrite handled automatically.',
+    builder: (yargs) => yargs
+        .positional('path', { description: 'Workspace path (default: cwd).', type: 'string' })
+        .option('tag', {
+        description: 'Dist-tag to publish under. Default: latest.',
+        type: 'string',
+        default: 'latest',
+    })
+        .option('access', {
+        description: 'Package access — `public` or `restricted` (required for first publish of scoped packages on the public registry).',
+        type: 'string',
+    })
+        .option('tolerate-republish', {
+        description: 'Treat a 409 conflict (version already published) as success. Matches yarn `--tolerate-republish`.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('provenance', {
+        description: 'Pass-through flag — recorded in the payload but no signing happens (gjsify doesn\'t ship a sigstore signer yet).',
+        type: 'boolean',
+        default: false,
+    })
+        .option('dry-run', {
+        description: 'Pack only, do not PUT.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('json', {
+        description: 'Emit publish metadata as JSON on stdout.',
+        type: 'boolean',
+        default: false,
+    }),
+    handler: async (args) => {
+        const wsDir = resolve(args.path ?? process.cwd());
+        const tag = args.tag ?? 'latest';
+        const access = args.access;
+        const tolerate = args['tolerate-republish'] === true;
+        const provenance = args.provenance === true;
+        const dryRun = args['dry-run'] === true;
+        if (provenance) {
+            console.warn('gjsify publish: --provenance recorded but not signed (no sigstore integration yet).');
+        }
+        // 1. Pack the workspace (rewrites workspace:^, computes integrity)
+        const packOpts = { dryRun: true };
+        const packed = await packWorkspace(wsDir, packOpts);
+        // We need the raw bytes — re-run with destination=null and capture.
+        // packWorkspace returns metadata only; for the bytes we re-pack into
+        // memory by reading + rebuilding. Cheap because the second pack runs
+        // off the same source files. (A future optimization: have
+        // packWorkspace optionally return the bytes itself.)
+        const tarBytes = await packWorkspaceToBytes(wsDir);
+        // 2. Read the workspace's (rewritten) package.json to assemble the
+        // publish payload.
+        const pkgPath = join(wsDir, 'package.json');
+        const pkgSource = readFileSync(pkgPath, 'utf-8');
+        const pkg = JSON.parse(pkgSource);
+        // We need the rewritten manifest (workspace:^ → resolved) for the
+        // payload — packWorkspace already wrote it into the tarball. Mirror
+        // the same rewrite here so the registry's "package metadata" matches
+        // the tarball's package.json byte-for-byte.
+        const rewrittenPkg = await loadRewrittenManifest(wsDir, pkg);
+        if (dryRun) {
+            const message = {
+                ok: true,
+                action: 'dry-run',
+                name: packed.name,
+                version: packed.version,
+                filename: packed.filename,
+                size: packed.size,
+                shasum: packed.shasum,
+                integrity: packed.integrity,
+            };
+            if (args.json)
+                process.stdout.write(`${JSON.stringify(message, null, 2)}\n`);
+            else
+                process.stdout.write(`+ ${packed.name}@${packed.version} (dry-run, ${packed.size} bytes, ${packed.entryCount} files)\n`);
+            return;
+        }
+        // 3. Resolve registry URL + auth
+        const npmrc = await loadNpmrc(wsDir);
+        const registry = process.env.npm_config_registry ?? registryFor(packed.name, npmrc) ?? DEFAULT_REGISTRY;
+        const registryClean = registry.endsWith('/') ? registry.slice(0, -1) : registry;
+        // npm-package-arg's escapedName convention for scoped packages:
+        // `@${scope-without-leading-@}%2f${name}` (lowercase %2f, literal @).
+        // Unscoped: `encodeURIComponent(name)`. Match it exactly — the
+        // npm registry is picky about the publish PUT URL shape.
+        const escapedName = packed.name.startsWith('@')
+            ? (() => {
+                const slash = packed.name.indexOf('/');
+                const scope = packed.name.slice(1, slash);
+                const base = packed.name.slice(slash + 1);
+                return `@${encodeURIComponent(scope)}%2f${encodeURIComponent(base)}`;
+            })()
+            : encodeURIComponent(packed.name);
+        const url = `${registryClean}/${escapedName}`;
+        // npm publish convention: the dist.tarball URL + _attachments key both
+        // use the UNSCOPED basename — `cli-0.4.5.tgz`, not
+        // `gjsify-cli-0.4.5.tgz`. This is what libnpmpublish does (see
+        // `attachments[\`${unscopedName}-${version}.tgz\`]` in
+        // libnpmpublish/lib/publish.js). The full scoped filename is what
+        // `npm pack` writes to disk, but the registry stores tarballs at
+        // the unscoped path.
+        const unscopedName = packed.name.includes('/')
+            ? packed.name.slice(packed.name.indexOf('/') + 1)
+            : packed.name;
+        const wireFilename = `${unscopedName}-${packed.version}.tgz`;
+        const tarballUrl = `${registryClean}/${packed.name}/-/${wireFilename}`;
+        // 4. Build payload + PUT
+        const payload = buildPublishPayload({
+            pkg: rewrittenPkg,
+            tag,
+            access,
+            tarballBytes: tarBytes,
+            tarballUrl,
+            packed: { ...packed, wireFilename },
+            provenance,
+        });
+        const headers = buildHeaders(url, { npmrc });
+        headers['content-type'] = 'application/json';
+        headers['accept'] = '*/*';
+        if (process.env.GJSIFY_PUBLISH_DEBUG) {
+            console.error(`gjsify publish: PUT ${url} (${packed.name}@${packed.version})`);
+            console.error(`  authorization: ${headers['authorization'] ? '(set)' : '(none)'}`);
+            console.error(`  payload size: ${JSON.stringify(payload).length} bytes`);
+        }
+        const res = await fetch(url, {
+            method: 'PUT',
+            headers,
+            body: JSON.stringify(payload),
+        });
+        if (res.ok) {
+            const out = {
+                ok: true,
+                name: packed.name,
+                version: packed.version,
+                filename: packed.filename,
+                size: packed.size,
+                integrity: packed.integrity,
+                tag,
+                registry: registryClean,
+            };
+            if (args.json)
+                process.stdout.write(`${JSON.stringify(out, null, 2)}\n`);
+            else
+                process.stdout.write(`+ ${packed.name}@${packed.version}\n`);
+            return;
+        }
+        const text = await res.text().catch(() => '<no body>');
+        if (res.status === 409 && tolerate) {
+            const out = {
+                ok: true,
+                action: 'republish-tolerated',
+                name: packed.name,
+                version: packed.version,
+                status: 409,
+            };
+            if (args.json)
+                process.stdout.write(`${JSON.stringify(out, null, 2)}\n`);
+            else
+                process.stdout.write(`= ${packed.name}@${packed.version} (already published, tolerated)\n`);
+            return;
+        }
+        console.error(`gjsify publish: ${packed.name}@${packed.version} — ${res.status} ${res.statusText}`);
+        console.error(text);
+        process.exit(1);
+    },
+};
+async function packWorkspaceToBytes(wsDir) {
+    // Cheap re-run that writes to a tempdir, then read back. Avoids
+    // duplicating the file-walking + tar-building logic here.
+    const tmp = `/tmp/gjsify-publish-${process.pid}-${Date.now()}`;
+    const res = await packWorkspace(wsDir, { destination: tmp, dryRun: false });
+    if (!res.absolutePath)
+        throw new Error('gjsify publish: pack did not produce a file');
+    const bytes = new Uint8Array(readFileSync(res.absolutePath));
+    try {
+        (await import('node:fs')).rmSync(res.absolutePath);
+    }
+    catch { /* best effort */ }
+    try {
+        (await import('node:fs')).rmdirSync(tmp);
+    }
+    catch { /* best effort */ }
+    return bytes;
+}
+async function loadRewrittenManifest(wsDir, pkg) {
+    // Pack + re-read the tarball's package.json. Easier than duplicating the
+    // rewrite logic — pack already does it correctly, including handling
+    // workspace:^ patterns we'd otherwise have to reimplement here.
+    const tmp = `/tmp/gjsify-publish-manifest-${process.pid}-${Date.now()}.tgz`;
+    const res = await packWorkspace(wsDir, {
+        destination: tmp.substring(0, tmp.lastIndexOf('/')),
+        dryRun: false,
+    });
+    const { rmSync } = await import('node:fs');
+    if (!res.absolutePath)
+        throw new Error('gjsify publish: pack did not produce a file');
+    const { gunzip, parseTar } = await import('@gjsify/tar');
+    const bytes = new Uint8Array(readFileSync(res.absolutePath));
+    rmSync(res.absolutePath);
+    const tar = await gunzip(bytes);
+    for (const entry of parseTar(tar)) {
+        if (entry.name === 'package/package.json' && entry.body) {
+            return JSON.parse(new TextDecoder().decode(entry.body));
+        }
+    }
+    return pkg;
+}
+async function loadNpmrc(cwd) {
+    // npm CLI's npmrc resolution order (lowest → highest precedence):
+    //   1. globalconfig:  /etc/npmrc  (system)
+    //   2. userconfig:    $NPM_CONFIG_USERCONFIG  (overrides ~/.npmrc)
+    //                     or ~/.npmrc  (default)
+    //   3. projectconfig: ./.npmrc  (closest)
+    //
+    // actions/setup-node writes the auth-token npmrc to $RUNNER_TEMP/.npmrc
+    // and exports NPM_CONFIG_USERCONFIG pointing at it — it does NOT touch
+    // ~/.npmrc. Honor the env var so CI authentication works end-to-end.
+    const sources = [];
+    const projectNpmrc = join(cwd, '.npmrc');
+    if (existsSync(projectNpmrc))
+        sources.push(readFileSync(projectNpmrc, 'utf-8'));
+    const userConfig = process.env.NPM_CONFIG_USERCONFIG;
+    if (userConfig && existsSync(userConfig)) {
+        sources.push(readFileSync(userConfig, 'utf-8'));
+    }
+    else {
+        const homeNpmrc = join(homedir(), '.npmrc');
+        if (existsSync(homeNpmrc))
+            sources.push(readFileSync(homeNpmrc, 'utf-8'));
+    }
+    // Inline `${VAR}` placeholders (npm CLI's expand-on-read behavior).
+    // The auth-token npmrc from actions/setup-node ships
+    // `_authToken=${NODE_AUTH_TOKEN}` as a literal placeholder; the env var
+    // is set on the publish step.
+    const merged = sources.join('\n').replace(/\$\{([A-Z_][A-Z0-9_]*)\}/gi, (_, name) => process.env[name] ?? '');
+    return parseNpmrc(merged);
+}
+function buildPublishPayload(opts) {
+    const { pkg, tag, access, tarballBytes, tarballUrl, packed, provenance } = opts;
+    const versionEntry = {
+        ...pkg,
+        _id: `${packed.name}@${packed.version}`,
+        dist: {
+            integrity: packed.integrity,
+            shasum: packed.shasum,
+            tarball: tarballUrl,
+        },
+    };
+    if (provenance)
+        versionEntry._hasShrinkwrap = false;
+    const payload = {
+        _id: packed.name,
+        name: packed.name,
+        description: typeof pkg.description === 'string' ? pkg.description : '',
+        'dist-tags': { [tag]: packed.version },
+        versions: { [packed.version]: versionEntry },
+        readme: '',
+        _attachments: {
+            [packed.wireFilename]: {
+                content_type: 'application/octet-stream',
+                data: base64Encode(tarballBytes),
+                length: tarballBytes.byteLength,
+            },
+        },
+    };
+    if (access)
+        payload.access = access;
+    return payload;
+}
+function base64Encode(bytes) {
+    let str = '';
+    const chunk = 0x8000;
+    for (let i = 0; i < bytes.length; i += chunk) {
+        str += String.fromCharCode(...bytes.subarray(i, i + chunk));
+    }
+    return btoa(str);
+}

package/lib/commands/self-update.d.ts

@@ -0,0 +1,8 @@
+import type { Command } from '../types/index.js';
+interface SelfUpdateOptions {
+    check?: boolean;
+    force?: boolean;
+    tag: string;
+}
+export declare const selfUpdateCommand: Command<any, SelfUpdateOptions>;
+export {};

package/lib/commands/self-update.js

@@ -0,0 +1,138 @@
+// `gjsify self-update` — refresh the installed @gjsify/cli to a newer release.
+//
+// Walks `import.meta.url` to find this CLI's own package.json (works whether
+// running from `lib/index.js` under Node or the published `dist/cli.gjs.mjs`
+// bundle under GJS). Compares against the latest version on the npm registry
+// (or the requested `--tag`); when an upgrade is needed, re-uses the existing
+// `installPackages` + `linkGlobalBins` pipeline to lay down the new tree at
+// the user-global XDG location.
+//
+// Limitation: only works when the current CLI is installed under
+// `defaultGlobalLayout().prefix` (i.e. via `gjsify install -g` or via the
+// `install.mjs` bootstrap). Installs from `npm install -g @gjsify/cli` land
+// elsewhere and we don't try to chase them — we print a warning and exit.
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { fetchPackument } from '@gjsify/npm-registry';
+import { installPackages } from '../utils/install-backend.js';
+import { defaultGlobalLayout, linkGlobalBins } from '../utils/install-global.js';
+const PACKAGE_NAME = '@gjsify/cli';
+export const selfUpdateCommand = {
+    command: 'self-update',
+    description: `Update the installed ${PACKAGE_NAME} to the latest release (or pinned --tag).`,
+    builder: (yargs) => yargs
+        .option('check', {
+        description: 'Only check whether a newer version is available; do not install.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('force', {
+        description: 'Reinstall even when the current version already matches the target tag.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('tag', {
+        description: 'npm dist-tag or pinned version to install (e.g. `latest`, `next`, `0.5.0`).',
+        type: 'string',
+        default: 'latest',
+    }),
+    handler: async (args) => {
+        const layout = defaultGlobalLayout();
+        const installedPkgDir = join(layout.prefix, 'node_modules', PACKAGE_NAME);
+        const installedPkgJson = join(installedPkgDir, 'package.json');
+        const currentVersion = readCurrentVersion();
+        const installedAtPrefix = existsSync(installedPkgJson);
+        console.log(`Current ${PACKAGE_NAME}: v${currentVersion ?? '(unknown)'}`);
+        if (!installedAtPrefix) {
+            console.warn(`\nWarning: no @gjsify/cli install found under ${layout.prefix}.\n` +
+                `self-update only manages installs created by install.mjs or \`gjsify install -g\`.\n` +
+                `If you installed via \`npm install -g\`, remove that and use:\n` +
+                `  curl -fsSL https://github.com/gjsify/gjsify/releases/latest/download/install.mjs -o /tmp/g.mjs && gjs -m /tmp/g.mjs && rm /tmp/g.mjs`);
+        }
+        console.log(`Fetching dist-tags for ${PACKAGE_NAME}@${args.tag} ...`);
+        let packument;
+        try {
+            packument = await fetchPackument(PACKAGE_NAME);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`Failed to fetch packument: ${msg}`);
+            process.exit(1);
+            return;
+        }
+        const target = resolveTag(packument, args.tag);
+        if (!target) {
+            console.error(`Unknown dist-tag '${args.tag}' on ${PACKAGE_NAME}. ` +
+                `Known tags: ${Object.keys(packument['dist-tags'] ?? {}).join(', ') || '(none)'}`);
+            process.exit(1);
+            return;
+        }
+        console.log(`Latest matching --tag ${args.tag}: v${target}`);
+        if (currentVersion === target && !args.force) {
+            console.log(`Already up to date (v${target}).`);
+            if (!args.check)
+                console.log(`Run with --force to reinstall anyway.`);
+            return;
+        }
+        if (args.check) {
+            console.log(currentVersion
+                ? `Update available: v${currentVersion} → v${target}`
+                : `Install required: → v${target}`);
+            process.exit(1);
+            return;
+        }
+        console.log(`Installing ${PACKAGE_NAME}@${target} ...`);
+        await installPackages({
+            prefix: layout.prefix,
+            specs: [`${PACKAGE_NAME}@${target}`],
+            verbose: false,
+        });
+        const linked = linkGlobalBins([PACKAGE_NAME], layout);
+        if (linked.length === 0) {
+            console.warn('self-update: install completed but no bins were linked — package.json may be missing a `bin` field.');
+        }
+        else {
+            for (const bin of linked) {
+                console.log(`  • ${bin.link}  →  ${bin.target}`);
+            }
+        }
+        console.log(`\nUpdated ${PACKAGE_NAME} to v${target}.`);
+    },
+};
+/**
+ * Resolve the CLI's own `package.json#version`. Walks up from
+ * `import.meta.url` (the bundle file under GJS, or `lib/index.js` under
+ * Node) until it finds a package.json with `name === '@gjsify/cli'`.
+ */
+function readCurrentVersion() {
+    try {
+        const here = fileURLToPath(import.meta.url);
+        let dir = dirname(resolve(here));
+        for (let i = 0; i < 8 && dir !== dirname(dir); i++) {
+            const candidate = join(dir, 'package.json');
+            if (existsSync(candidate)) {
+                const pkg = JSON.parse(readFileSync(candidate, 'utf-8'));
+                if (pkg.name === PACKAGE_NAME && typeof pkg.version === 'string') {
+                    return pkg.version;
+                }
+            }
+            dir = dirname(dir);
+        }
+    }
+    catch {
+        /* not in a recognizable layout */
+    }
+    return null;
+}
+function resolveTag(packument, tag) {
+    const distTags = (packument['dist-tags'] ?? {});
+    if (distTags[tag])
+        return distTags[tag];
+    // Allow pinned versions via `--tag 0.5.0`
+    if (packument.versions && typeof packument.versions === 'object') {
+        if (packument.versions[tag])
+            return tag;
+    }
+    return null;
+}

package/lib/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
-import { buildCommand as build, runCommand as run, infoCommand as info, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, } from './commands/index.js';
+import { buildCommand as build, runCommand as run, infoCommand as info, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, packCommand as pack, publishCommand as publish, selfUpdateCommand as selfUpdate, generateInstallerCommand as generateInstaller, } from './commands/index.js';
 import { APP_NAME } from './constants.js';
 // `parseAsync()` instead of `.argv` so the top-level await keeps the
 // process alive until command handlers complete. Under Node this is
@@ -25,6 +25,10 @@ await yargs(hideBin(process.argv))
     .command(flatpak.command, flatpak.description, flatpak.builder, flatpak.handler)
     .command(foreach.command, foreach.description, foreach.builder, foreach.handler)
     .command(workspace.command, workspace.description, workspace.builder, workspace.handler)
+    .command(pack.command, pack.description, pack.builder, pack.handler)
+    .command(publish.command, publish.description, publish.builder, publish.handler)
+    .command(selfUpdate.command, selfUpdate.description, selfUpdate.builder, selfUpdate.handler)
+    .command(generateInstaller.command, generateInstaller.description, generateInstaller.builder, generateInstaller.handler)
     .demandCommand(1)
     .help()
     .parseAsync();