@mh-gg/base 0.1.1-alpha.20260613T085325975Z
- package/package.json +20 -0
- package/src/capabilities.cjs +113 -0
- package/src/constants.cjs +15 -0
- package/src/errors.cjs +12 -0
- package/src/index.cjs +13 -0
- package/src/manifest/factory.cjs +72 -0
- package/src/manifest/hashing.cjs +73 -0
- package/src/manifest/validators.cjs +203 -0
- package/src/packs/artifacts.cjs +174 -0
- package/src/packs/registry.cjs +28 -0
- package/src/players/index.cjs +80 -0
- package/src/plugins/graph.cjs +194 -0
- package/src/trust/store.cjs +124 -0
- package/test/matterhorn-core.test.cjs +731 -0
- package/test/pack-security.test.cjs +51 -0
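--- a/package/test/pack-security.test.cjs
+++ b/package/test/pack-security.test.cjs
@@ -0,0 +1,51 @@
+const assert = require("node:assert/strict");
+const fs = require("node:fs/promises");
+const os = require("node:os");
+const path = require("node:path");
+const test = require("node:test");
+
+const { APP_PACK_KIND, loadPackArtifact, loadPackReference, manifestHash } = require("../src/index.cjs");
+
+function appPack() {
+return {
+kind: APP_PACK_KIND,
+id: "com.matterhorn.security-pack",
+name: "Security Pack",
+version: "1.0.0",
+publisher: { id: "pub", name: "Publisher", publicKey: "pubkey" },
+matterhornVersion: ">=0.1 <0.2",
+hostPack: { url: "workspace:@mh-gg/security#host", integrity: "sha256-host" },
+playerPacks: [{ id: "player", name: "Player", url: "workspace:@mh-gg/security#player", integrity: "sha256-player" }],
+compatibility: { appProtocolHash: "sha256-protocol", operationSchemaHash: "sha256-ops", stateSchemaHash: "sha256-state" },
+capabilities: { required: ["room.state"] },
+trust: { createdAt: "2026-05-28T00:00:00.000Z", signatures: [{ publicKey: "pubkey", signature: "sig" }] }
+};
+}
+
+test("remote pack artifacts require https and pinned integrity by default", async () => {
+await assert.rejects(
+() => loadPackArtifact({ url: "http://registry.example/app.json", integrity: "sha256-pinned" }, { fetch: async () => ({ ok: true, arrayBuffer: async () => Buffer.from("{}") }) }),
+/Insecure HTTP pack references are disabled/
+);
+
+await assert.rejects(
+() => loadPackArtifact({ url: "https://registry.example/app.json" }, { fetch: async () => ({ ok: true, arrayBuffer: async () => Buffer.from("{}") }) }),
+/Remote pack artifact integrity is required/
+);
+});
+
+test("file pack references cannot escape an explicit base directory by default", async () => {
+const root = await fs.mkdtemp(path.join(os.tmpdir(), "matterhorn-pack-security-"));
+const baseDir = path.join(root, "base");
+const outsideDir = path.join(root, "outside");
+await fs.mkdir(baseDir, { recursive: true });
+await fs.mkdir(outsideDir, { recursive: true });
+const manifest = appPack();
+const outsideFile = path.join(outsideDir, "app.json");
+await fs.writeFile(outsideFile, JSON.stringify(manifest));
+
+await assert.rejects(
+() => loadPackReference({ url: `file:${path.relative(baseDir, outsideFile)}`, integrity: manifestHash(manifest) }, { baseDir }),
+/escapes the configured base directory/
+);
+});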
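Review bot: Both `loadPackArtifact` rejection cases in the first test pass a `fetch` stub that succeeds, so they could still pass if the scheme check or the missing-integrity check ran only after the request had been issued. Make the stub fail the test when it is reached, e.g. `fetch: async () => { throw new Error("fetch must not be called"); }`, so the expected messages can only come from a check made before any network access. The base-directory test exercises only a relative `..` reference; whether an absolute `file:` URL or a symlink placed inside `baseDir` is also rejected is not covered in this file and may deserve a case each. The `mkdtemp` directory is never removed; with the callback taking `t`, `t.after(() => fs.rm(root, { recursive: true, force: true }))` would clean it up.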