npm - @kata.dev/challenge-cli - Versions diffs - 1.0.0 → 1.1.0 - Mend

@kata.dev/challenge-cli 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@kata.dev/challenge-cli",
-    "version": "1.0.0",
+    "version": "1.1.0",
     "type": "module",
     "description": "CLI for authoring, packing, validating, and publishing Eval Engine challenges",
     "bin": {

package/src/commands/login.js CHANGED Viewed

@@ -7,7 +7,6 @@ export function registerLoginCommand(program) {
         .description('Save API credentials to ~/.challengerc.json')
         .requiredOption('--api <url>', 'Eval Engine API base URL')
         .requiredOption('--token <token>', 'Authentication token (JWT)')
-        .option('--signing-secret <secret>', 'Challenge artifact signing secret (optional, for local validation)')
         .action(async (opts) => {
             const existing = loadConfig();
@@ -17,17 +16,10 @@ export function registerLoginCommand(program) {
                 token: opts.token,
             };
-            if (opts.signingSecret) {
-                config.signingSecret = opts.signingSecret;
-            }
             const configPath = saveConfig(config);
             console.log(chalk.green('✔') + ' Credentials saved to ' + chalk.dim(configPath));
             console.log('  API:   ' + chalk.cyan(config.apiUrl));
             console.log('  Token: ' + chalk.dim(config.token.slice(0, 20) + '…'));
-            if (config.signingSecret) {
-                console.log('  Signing secret: ' + chalk.dim('configured'));
-            }
         });
 }

package/src/commands/pack.js CHANGED Viewed

@@ -11,7 +11,6 @@ import {
     resolveRuntimeMode,
 } from '../lib/helpers.js';
 import { resolveRuntimeDepsSourceDir } from '../lib/runtime-deps.js';
-import { resolveSigningSecret } from '../lib/config.js';
 export function registerPackCommand(program) {
     program
@@ -20,19 +19,11 @@ export function registerPackCommand(program) {
         .requiredOption('--dir <challengeDir>', 'Path to the challenge directory')
         .option('--out <outDir>', 'Output directory (defaults to <challengeDir>/dist)')
         .option('--runtime-mode <mode>', 'Runtime deps mode: auto (default) or manual', 'auto')
-        .option('--signing-secret <secret>', 'Artifact signing secret (falls back to config)')
         .action(async (opts) => {
             const challengeDir = path.resolve(opts.dir);
             const outDir = path.resolve(opts.out || path.join(challengeDir, 'dist'));
             const runtimeMode = resolveRuntimeMode(opts.runtimeMode);
-            const signingSecret = resolveSigningSecret(opts.signingSecret);
-            if (!signingSecret) {
-                throw new Error(
-                    'Signing secret is required. Set it via --signing-secret, CHALLENGE_ARTIFACT_SIGNING_SECRET env var, or run "challenge login --signing-secret <secret>".'
-                );
-            }
             const challengeJsonPath = path.join(challengeDir, 'challenge.json');
             if (!fs.existsSync(challengeJsonPath)) {
                 throw new Error(`challenge.json not found: ${challengeJsonPath}`);
@@ -63,11 +54,10 @@ export function registerPackCommand(program) {
                     }
                     const outputFile = path.join(outDir, `${type}.tar.gz`);
-                    const packed = await packArtifact(sourceDir, outputFile, signingSecret);
+                    const packed = await packArtifact(sourceDir, outputFile);
                     artifacts[type] = {
                         sha256: packed.sha256,
-                        signature: packed.signature,
                         sizeBytes: packed.sizeBytes,
                         file: path.basename(outputFile),
                     };
@@ -94,7 +84,7 @@ export function registerPackCommand(program) {
             console.log(chalk.green('✔') + ` Manifest: ${chalk.cyan(manifestPath)}`);
             console.log();
             console.log('  Next steps:');
-            console.log(`    ${chalk.cyan(`npx @kata.dev/challenge-cli validate --manifest ${path.relative(process.cwd(), manifestPath)}`)}`);
-            console.log(`    ${chalk.cyan(`npx @kata.dev/challenge-cli publish --manifest ${path.relative(process.cwd(), manifestPath)}`)}`);
+            console.log(`    ${chalk.cyan(`npx "@kata.dev/challenge-cli" validate --manifest ${path.relative(process.cwd(), manifestPath)}`)}`);
+            console.log(`    ${chalk.cyan(`npx "@kata.dev/challenge-cli" publish --manifest ${path.relative(process.cwd(), manifestPath)}`)}`);
         });
 }

package/src/commands/validate.js CHANGED Viewed

@@ -5,27 +5,17 @@ import ora from 'ora';
 import {
     REQUIRED_ARTIFACT_TYPES,
     computeSha256Hex,
-    signSha256Hex,
     validateTarGzBuffer,
 } from '../lib/artifacts.js';
 import { readJson } from '../lib/helpers.js';
-import { resolveSigningSecret } from '../lib/config.js';
 export function registerValidateCommand(program) {
     program
         .command('validate')
-        .description('Validate packed artifacts locally')
+        .description('Validate packed artifacts locally (SHA-256 + tar safety)')
         .requiredOption('--manifest <path>', 'Path to cks-manifest.json')
-        .option('--signing-secret <secret>', 'Artifact signing secret (falls back to config)')
         .action(async (opts) => {
             const manifestPath = path.resolve(opts.manifest);
-            const signingSecret = resolveSigningSecret(opts.signingSecret);
-            if (!signingSecret) {
-                throw new Error(
-                    'Signing secret is required for validation. Set it via --signing-secret, CHALLENGE_ARTIFACT_SIGNING_SECRET env var, or run "challenge login --signing-secret <secret>".'
-                );
-            }
             const manifest = readJson(manifestPath);
             const slug = manifest.metadata?.slug || 'unknown';
@@ -56,14 +46,7 @@ export function registerValidateCommand(program) {
                     throw new Error(`SHA mismatch for ${type}. expected=${artifact.sha256} actual=${actualSha}`);
                 }
-                // Verify HMAC signature
-                const actualSig = signSha256Hex(actualSha, signingSecret);
-                if (actualSig !== artifact.signature) {
-                    spinner.fail(`${type}: signature mismatch`);
-                    throw new Error(`Signature mismatch for ${type}. expected=${artifact.signature} actual=${actualSig}`);
-                }
-                // Validate tar contents
+                // Validate tar contents (path safety, symlinks, size limits)
                 spinner.text = `Validating ${type} tar contents…`;
                 const { entryCount, totalSize } = await validateTarGzBuffer({ buffer });
@@ -73,5 +56,6 @@ export function registerValidateCommand(program) {
             console.log();
             console.log(chalk.green('✔') + ' All artifacts validated successfully');
+            console.log(chalk.dim('  Note: HMAC signature verification happens server-side during publish.'));
         });
 }

package/src/lib/artifacts.js CHANGED Viewed

@@ -14,15 +14,7 @@ export function computeSha256Hex(buffer) {
     return crypto.createHash('sha256').update(buffer).digest('hex');
 }
-export function signSha256Hex(sha256Hex, secret) {
-    if (!sha256Hex || typeof sha256Hex !== 'string') {
-        throw new Error('sha256Hex is required to compute signature.');
-    }
-    if (!secret || typeof secret !== 'string') {
-        throw new Error('Signing secret is required to compute signature.');
-    }
-    return crypto.createHmac('sha256', secret).update(sha256Hex).digest('hex');
-}
 export function assertSafeTarPath(entryPath) {
     const normalized = String(entryPath || '').replace(/\\/g, '/');
@@ -96,7 +88,7 @@ export async function validateTarGzBuffer({ buffer, maxEntries = 2000, maxExtrac
     return { entryCount, totalSize };
 }
-export async function packArtifact(sourceDir, outputFile, signingSecret) {
+export async function packArtifact(sourceDir, outputFile) {
     fs.mkdirSync(path.dirname(outputFile), { recursive: true });
     await tarCreate(
@@ -112,12 +104,10 @@ export async function packArtifact(sourceDir, outputFile, signingSecret) {
     const buffer = fs.readFileSync(outputFile);
     const sha256 = computeSha256Hex(buffer);
-    const signature = signSha256Hex(sha256, signingSecret);
     return {
         file: outputFile,
         sha256,
-        signature,
         sizeBytes: buffer.length,
     };
 }

package/src/lib/config.js CHANGED Viewed

@@ -39,11 +39,4 @@ export function resolveToken(flagValue) {
     return flagValue || process.env.CKS_API_TOKEN || loadConfig().token || null;
 }
-export function resolveSigningSecret(flagValue) {
-    return (
-        flagValue ||
-        process.env.CHALLENGE_ARTIFACT_SIGNING_SECRET ||
-        loadConfig().signingSecret ||
-        null
-    );
-}