@nickderobertis/allowlister-remote-plugin 0.2.3 → 0.3.0

package/README.md

@@ -9,5 +9,23 @@ allowlister-remote-plugin --version
 ```
 
 Configure allowlister to run `allowlister-remote-plugin --server-url <url>` as a
-dynamic plugin command. The package includes the release-built native binary for
-the current platform.
+dynamic plugin command.
+
+## How it installs
+
+The native binary for each platform ships in its own package
+(`@nickderobertis/allowlister-remote-plugin-darwin-arm64`, `-linux-x64`,
+`-win32-x64`), declared here as optional dependencies and gated by `os`/`cpu`, so
+npm downloads only the one matching your machine. On install, a small step links
+that native binary directly onto the `allowlister-remote-plugin` command, so the
+command on your `PATH` **is** the Rust executable — no Node process is started per
+invocation. This matters because allowlister may call the plugin hundreds of
+times in a single agent session.
+
+A JS launcher is shipped as a fallback and is used only when the in-place link
+cannot be made — on Windows (where npm's command shims require it) or when
+install scripts are disabled (`npm install --ignore-scripts`).
+
+On macOS and Linux the resolved `allowlister-remote-plugin` command is already the
+native binary, so pointing allowlister (or `ALLOWLISTER_REMOTE_PLUGIN_BIN`) at it
+keeps the hot path free of Node.

package/bin/allowlister-remote-plugin

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+// JS launcher fallback.
+//
+// On install, `install.mjs` replaces this file in place with the native binary
+// (on macOS and Linux) so the command on PATH *is* the Rust executable with no
+// Node in the hot path. This launcher only runs when that replacement was
+// skipped — on Windows, or when install scripts were disabled (`--ignore-scripts`).
+// In that case it resolves the native binary from the matching platform package
+// and execs it, forwarding stdio and the exit code unchanged.
+
+import { spawnSync } from "node:child_process";
+import { createRequire } from "node:module";
+import { binarySpecifier } from "../lib/platform.mjs";
+
+const require = createRequire(import.meta.url);
+
+let binary;
+try {
+  binary = require.resolve(binarySpecifier());
+} catch (error) {
+  console.error(
+    `Missing native allowlister-remote-plugin binary for ${process.platform}-${process.arch}.`,
+  );
+  console.error(error instanceof Error ? error.message : String(error));
+  process.exit(1);
+}
+
+const result = spawnSync(binary, process.argv.slice(2), { stdio: "inherit" });
+if (result.error) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+process.exit(result.status ?? 1);

package/install.mjs

@@ -0,0 +1,76 @@
+// Post-install step: link the native binary directly onto the command path.
+//
+// npm has already installed the one platform package that matches this host
+// (the others are skipped by their `os`/`cpu` fields). On macOS and Linux we
+// copy that native binary over the JS launcher at `bin/allowlister-remote-plugin`,
+// which is the file the `allowlister-remote-plugin` command symlinks to. After
+// this the command on PATH is the Rust executable itself -- no Node process is
+// spawned per invocation, which matters because allowlister can call the plugin
+// hundreds of times in a single agent session.
+//
+// On Windows npm generates `.cmd`/`.ps1` shims that invoke the launcher through
+// Node, so replacing the target in place would break them; we keep the JS
+// launcher there instead. Either way, if anything goes wrong we leave the
+// launcher in place as a working fallback and never fail the install.
+
+import { chmodSync, copyFileSync, existsSync, readFileSync, realpathSync } from "node:fs";
+import { createRequire } from "node:module";
+import { basename, dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { binarySpecifier } from "./lib/platform.mjs";
+
+const require = createRequire(import.meta.url);
+// Resolve symlinks so a workspace link does not make us look like an install.
+const here = realpathSync(dirname(fileURLToPath(import.meta.url)));
+
+// When this package lives in its source monorepo (linked as a workspace rather
+// than installed under node_modules), overwriting the launcher would clobber the
+// committed source file. Detect that by walking up to a `workspaces`-bearing
+// package.json without first crossing a `node_modules` boundary.
+function inWorkspaceCheckout(startDir) {
+  let dir = startDir;
+  for (;;) {
+    if (basename(dir) === "node_modules") {
+      return false;
+    }
+    const manifestPath = join(dir, "package.json");
+    if (existsSync(manifestPath)) {
+      try {
+        if (JSON.parse(readFileSync(manifestPath, "utf8")).workspaces) {
+          return true;
+        }
+      } catch {
+        // Ignore unreadable/partial manifests and keep walking up.
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) {
+      return false;
+    }
+    dir = parent;
+  }
+}
+
+if (inWorkspaceCheckout(here)) {
+  console.log("allowlister-remote-plugin: source checkout detected, keeping the JS launcher");
+} else {
+  try {
+    const native = require.resolve(binarySpecifier());
+
+    if (process.platform === "win32") {
+      console.log(
+        "allowlister-remote-plugin: keeping the JS launcher (required by npm shims on Windows)",
+      );
+    } else {
+      const onPath = join(here, "bin", "allowlister-remote-plugin");
+      copyFileSync(native, onPath);
+      chmodSync(onPath, 0o755);
+      console.log(
+        "allowlister-remote-plugin: linked the native binary directly onto the command path",
+      );
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.log(`allowlister-remote-plugin: keeping the JS launcher fallback (${message})`);
+  }
+}

package/lib/platform.mjs

@@ -0,0 +1,51 @@
+// Shared resolution for the per-platform native binary packages.
+//
+// Each supported platform ships the native `allowlister-remote-plugin` binary in
+// its own npm package (declared as an optional dependency of this package). npm
+// installs only the package whose `os`/`cpu` match the host, so resolving the
+// binary is a matter of mapping the running platform/arch onto that package and
+// asking Node where it landed in `node_modules`.
+
+const PLATFORM_PACKAGES = new Map([
+  [
+    "darwin-arm64",
+    { pkg: "allowlister-remote-plugin-darwin-arm64", file: "allowlister-remote-plugin" },
+  ],
+  ["linux-x64", { pkg: "allowlister-remote-plugin-linux-x64", file: "allowlister-remote-plugin" }],
+  [
+    "win32-x64",
+    { pkg: "allowlister-remote-plugin-win32-x64", file: "allowlister-remote-plugin.exe" },
+  ],
+]);
+
+const SCOPE = "@nickderobertis";
+
+/**
+ * Describe the platform package for a given platform/arch, throwing for any
+ * combination we do not publish a binary for.
+ */
+export function platformPackage(platform = process.platform, arch = process.arch) {
+  const entry = PLATFORM_PACKAGES.get(`${platform}-${arch}`);
+  if (!entry) {
+    throw new Error(`Unsupported platform: ${platform}-${arch}`);
+  }
+  return { name: `${SCOPE}/${entry.pkg}`, file: entry.file };
+}
+
+/**
+ * The bare specifier Node uses to locate the native binary inside the installed
+ * platform package, e.g. `@nickderobertis/allowlister-remote-plugin-linux-x64/bin/allowlister-remote-plugin`.
+ */
+export function binarySpecifier(platform = process.platform, arch = process.arch) {
+  const { name, file } = platformPackage(platform, arch);
+  return `${name}/bin/${file}`;
+}
+
+/**
+ * Resolve the absolute path to the native binary using the caller's `require`
+ * (created with `createRequire(import.meta.url)`). Throws if the matching
+ * platform package is not installed.
+ */
+export function resolveNativeBinary(require, platform = process.platform, arch = process.arch) {
+  return require.resolve(binarySpecifier(platform, arch));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nickderobertis/allowlister-remote-plugin",
-  "version": "0.2.3",
+  "version": "0.3.0",
   "description": "npm installer for the allowlister remote dynamic approval plugin",
   "type": "module",
   "license": "UNLICENSED",
@@ -9,12 +9,16 @@
     "url": "git+https://github.com/nickderobertis/allowlister-remote.git"
   },
   "bin": {
-    "allowlister-remote-plugin": "bin/allowlister-remote-plugin.js"
+    "allowlister-remote-plugin": "bin/allowlister-remote-plugin"
+  },
+  "scripts": {
+    "postinstall": "node install.mjs"
   },
   "files": [
     "README.md",
     "bin/",
-    "vendor/"
+    "lib/",
+    "install.mjs"
   ],
   "publishConfig": {
     "access": "public",
@@ -22,5 +26,10 @@
   },
   "engines": {
     "node": ">=20"
+  },
+  "optionalDependencies": {
+    "@nickderobertis/allowlister-remote-plugin-darwin-arm64": "0.3.0",
+    "@nickderobertis/allowlister-remote-plugin-linux-x64": "0.3.0",
+    "@nickderobertis/allowlister-remote-plugin-win32-x64": "0.3.0"
   }
 }

package/bin/allowlister-remote-plugin.js

@@ -1,53 +0,0 @@
-#!/usr/bin/env node
-
-import { spawnSync } from "node:child_process";
-import { existsSync, realpathSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { fileURLToPath } from "node:url";
-
-const supportedPlatforms = new Map([
-  ["darwin-arm64", "darwin-arm64/allowlister-remote-plugin"],
-  ["linux-x64", "linux-x64/allowlister-remote-plugin"],
-  ["win32-x64", "win32-x64/allowlister-remote-plugin.exe"],
-]);
-
-export function nativeBinaryPath(platform = process.platform, arch = process.arch) {
-  const relativePath = supportedPlatforms.get(`${platform}-${arch}`);
-  if (!relativePath) {
-    throw new Error(`Unsupported platform: ${platform}-${arch}`);
-  }
-
-  return join(dirname(fileURLToPath(import.meta.url)), "..", "vendor", relativePath);
-}
-
-function main() {
-  const binary = nativeBinaryPath();
-
-  if (!existsSync(binary)) {
-    console.error(
-      `Missing native allowlister-remote-plugin binary for ${process.platform}-${process.arch}.`,
-    );
-    process.exit(1);
-  }
-
-  const result = spawnSync(binary, process.argv.slice(2), { stdio: "inherit" });
-
-  if (result.error) {
-    console.error(result.error.message);
-    process.exit(1);
-  }
-
-  process.exit(result.status ?? 1);
-}
-
-function isMainModule() {
-  if (!process.argv[1]) {
-    return false;
-  }
-
-  return realpathSync(process.argv[1]) === fileURLToPath(import.meta.url);
-}
-
-if (isMainModule()) {
-  main();
-}

package/bin/allowlister-remote-plugin.test.mjs

@@ -1,15 +0,0 @@
-import assert from "node:assert/strict";
-import { join } from "node:path";
-import { nativeBinaryPath } from "./allowlister-remote-plugin.js";
-
-assert.ok(
-  nativeBinaryPath("linux", "x64").endsWith(
-    join("vendor", "linux-x64", "allowlister-remote-plugin"),
-  ),
-);
-assert.ok(
-  nativeBinaryPath("win32", "x64").endsWith(
-    join("vendor", "win32-x64", "allowlister-remote-plugin.exe"),
-  ),
-);
-assert.throws(() => nativeBinaryPath("sunos", "x64"), /Unsupported platform: sunos-x64/);