@openpalm/lib 0.11.0-rc.3 → 0.11.0-rc.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openpalm/lib",
-  "version": "0.11.0-rc.3",
+  "version": "0.11.0-rc.6",
   "license": "MPL-2.0",
   "type": "module",
   "description": "Shared control-plane library for OpenPalm — lifecycle, staging, secrets, channels, connections, scheduler",

package/src/control-plane/registry.ts

@@ -574,14 +574,18 @@ function execFileNoThrow(
 /**
  * Compute the openpalm/voice image ref for a given GPU variant, matching
  * the substitution chain in the addon compose file:
- *   ${OP_IMAGE_NAMESPACE:-openpalm}/voice:${OP_VOICE_IMAGE_TAG:-${OP_IMAGE_TAG:-latest}-<variant>}
+ *   ${OP_IMAGE_NAMESPACE:-openpalm}/voice:${OP_VOICE_IMAGE_TAG:-latest-<variant>}
+ *
+ * Voice images are published OUT OF BAND (publish-voice.yml), decoupled from the
+ * platform OP_IMAGE_TAG — they are heavy and rarely change. So the default is
+ * the moving `latest-<variant>` voice tag; operators pin a specific build by
+ * setting OP_VOICE_IMAGE_TAG (e.g. `v1.0.0-cpu`).
  */
 function voiceImageRef(variant: 'cpu' | 'cu121' | 'rocm6'): string {
   const namespace = process.env.OP_IMAGE_NAMESPACE?.trim() || 'openpalm';
   const explicit = process.env.OP_VOICE_IMAGE_TAG?.trim();
   if (explicit) return `${namespace}/voice:${explicit}`;
-  const baseTag = process.env.OP_IMAGE_TAG?.trim() || 'latest';
-  return `${namespace}/voice:${baseTag}-${variant}`;
+  return `${namespace}/voice:latest-${variant}`;
 }
 
 /**

package/src/control-plane/ui-assets.test.ts

@@ -1,9 +1,14 @@
-import { describe, it, expect, beforeEach, afterEach } from "bun:test";
+import { describe, it, expect, beforeEach, afterEach, spyOn, mock } from "bun:test";
 import { mkdtempSync, rmSync, mkdirSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { existsSync, readFileSync } from "node:fs";
-import { resolveUiBuildDir, readUiBuildVersion, UI_VERSION_STAMP, seedOpenPalmDir, SKELETON_VERSION_STAMP } from "./ui-assets.js";
+import { createHash } from "node:crypto";
+import {
+  resolveUiBuildDir, readUiBuildVersion, UI_VERSION_STAMP,
+  seedOpenPalmDir, SKELETON_VERSION_STAMP,
+  uiUpdateChannel, checkAndUpdateUiBuild,
+} from "./ui-assets.js";
 
 let root = "";
 let opHome = "";
@@ -128,3 +133,201 @@ describe("seedOpenPalmDir — version guard (P2)", () => {
     expect(readFileSync(stamp(), "utf-8").trim()).toBe("v2");
   });
 });
+
+// ── uiUpdateChannel ───────────────────────────────────────────────────────────
+
+describe("uiUpdateChannel", () => {
+  it("returns 'latest' for a stable version", () => {
+    expect(uiUpdateChannel("0.11.0")).toBe("latest");
+    expect(uiUpdateChannel("1.0.0")).toBe("latest");
+  });
+
+  it("returns 'next' for a prerelease version (contains '-')", () => {
+    expect(uiUpdateChannel("0.11.0-rc.2")).toBe("next");
+    expect(uiUpdateChannel("0.11.0-beta.5")).toBe("next");
+    expect(uiUpdateChannel("1.0.0-alpha.1")).toBe("next");
+  });
+});
+
+// ── npm integrity verification (via checkAndUpdateUiBuild) ────────────────────
+//
+// We mock globalThis.fetch to avoid real network calls.  The integrity paths
+// are exercised through checkAndUpdateUiBuild → downloadNpmUiBundle (for the
+// missing-integrity and mismatch cases) and through checkAndUpdateUiBuild
+// returning {updated:false} early (for the up-to-date case).
+
+/** Build a correct sha512 SRI string for the given bytes. */
+function makeSri(data: Uint8Array): string {
+  const digest = createHash("sha512").update(data).digest("base64");
+  return `sha512-${digest}`;
+}
+
+describe("npm integrity verification (fail-closed)", () => {
+  let savedFetch: typeof globalThis.fetch;
+
+  beforeEach(() => {
+    savedFetch = globalThis.fetch;
+    // Set forceRemote context: no local build available for these tests.
+    // (data/ui has no index.js, bundledUi dir exists but is empty → no local build)
+  });
+
+  afterEach(() => {
+    globalThis.fetch = savedFetch;
+  });
+
+  it("throws when the manifest has no integrity hash (fail-closed)", async () => {
+    // manifest fetch returns a version with no integrity
+    globalThis.fetch = async (_url: string | URL | Request) => {
+      const url = String(typeof _url === "string" ? _url : (_url as Request).url ?? _url);
+      if (url.includes("registry.npmjs.org")) {
+        return new Response(
+          JSON.stringify({
+            version: "0.11.0",
+            dist: { tarball: "https://registry.npmjs.org/tarball.tgz" },
+            // integrity intentionally omitted
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      // tarball fetch — should NOT be reached because we throw before it
+      return new Response("not-reached", { status: 200 });
+    };
+
+    const result = await checkAndUpdateUiBuild("0.11.0-beta.1", join(dataUi, ".."));
+    // Missing integrity → non-fatal error path
+    expect(result.updated).toBe(false);
+    expect(result.error).toMatch(/no integrity hash/i);
+  });
+
+  it("throws when the tarball bytes do not match the stated integrity hash", async () => {
+    const fakeData = new Uint8Array([1, 2, 3, 4]);
+    const wrongSri = `sha512-${Buffer.from("wrong").toString("base64")}`;
+
+    globalThis.fetch = async (_url: string | URL | Request) => {
+      const url = String(typeof _url === "string" ? _url : (_url as Request).url ?? _url);
+      if (url.includes("registry.npmjs.org") && !url.includes("tarball")) {
+        return new Response(
+          JSON.stringify({
+            version: "0.99.0",  // newer than anything on disk
+            dist: { tarball: "https://registry.npmjs.org/tarball.tgz", integrity: wrongSri },
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } }
+        );
+      }
+      // tarball response — bytes deliberately do NOT match wrongSri
+      return new Response(fakeData, { status: 200 });
+    };
+
+    const result = await checkAndUpdateUiBuild("0.11.0", join(dataUi, ".."));
+    expect(result.updated).toBe(false);
+    expect(result.error).toMatch(/integrity mismatch/i);
+  });
+});
+
+// ── checkAndUpdateUiBuild ─────────────────────────────────────────────────────
+
+describe("checkAndUpdateUiBuild", () => {
+  let savedFetch: typeof globalThis.fetch;
+
+  beforeEach(() => {
+    savedFetch = globalThis.fetch;
+  });
+
+  afterEach(() => {
+    globalThis.fetch = savedFetch;
+  });
+
+  /** Make a minimal npm manifest response for a given version. */
+  function manifestResponse(version: string, integrity?: string) {
+    return new Response(
+      JSON.stringify({
+        version,
+        dist: {
+          tarball: "https://registry.npmjs.org/tarball.tgz",
+          ...(integrity !== undefined ? { integrity } : {}),
+        },
+      }),
+      { status: 200, headers: { "Content-Type": "application/json" } }
+    );
+  }
+
+  it("returns {updated:false} when the npm channel version is not newer than on-disk stamp", async () => {
+    // Seed data/ui with a stamped build
+    makeBuild(dataUi, "0.11.0");
+
+    globalThis.fetch = async () => manifestResponse("0.11.0"); // same version
+    const result = await checkAndUpdateUiBuild("0.11.0", join(opHome, "data"));
+    expect(result.updated).toBe(false);
+    expect(result.latestVersion).toBe("0.11.0");
+    expect(result.error).toBeUndefined();
+  });
+
+  it("returns {updated:false} when the npm channel version is older than on-disk stamp", async () => {
+    makeBuild(dataUi, "0.12.0");
+
+    globalThis.fetch = async () => manifestResponse("0.11.0"); // older
+    const result = await checkAndUpdateUiBuild("0.12.0", join(opHome, "data"));
+    expect(result.updated).toBe(false);
+    expect(result.latestVersion).toBe("0.11.0");
+  });
+
+  it("returns {updated:false, error} when the manifest fetch rejects (non-fatal)", async () => {
+    globalThis.fetch = async () => { throw new Error("network failure"); };
+
+    const result = await checkAndUpdateUiBuild("0.11.0", join(opHome, "data"));
+    expect(result.updated).toBe(false);
+    expect(result.latestVersion).toBeNull();
+    expect(result.error).toMatch(/network failure/i);
+  });
+
+  it("returns {updated:false, error} when the registry returns a non-OK status", async () => {
+    globalThis.fetch = async () => new Response("not found", { status: 404 });
+
+    const result = await checkAndUpdateUiBuild("0.11.0", join(opHome, "data"));
+    expect(result.updated).toBe(false);
+    expect(result.error).toBeDefined();
+  });
+
+  it("attempts an update when the on-disk build is unstamped (legacy data/ui)", async () => {
+    // Unstamped data/ui — cannot compare, so it should try to refresh from npm.
+    // We give it a manifest with missing integrity so it fails non-fatally
+    // (avoids needing a real tarball), but we confirm it DID attempt the download.
+    makeBuild(dataUi, null); // unstamped
+
+    let manifestFetched = false;
+    globalThis.fetch = async (_url: string | URL | Request) => {
+      const url = String(typeof _url === "string" ? _url : (_url as Request).url ?? _url);
+      if (url.includes("registry.npmjs.org")) {
+        manifestFetched = true;
+        // Return a manifest without integrity so downloadNpmUiBundle throws
+        return manifestResponse("0.11.1");
+      }
+      return new Response("", { status: 200 });
+    };
+
+    const result = await checkAndUpdateUiBuild("0.11.0", join(opHome, "data"));
+    expect(manifestFetched).toBe(true);
+    // non-fatal: missing integrity → error path
+    expect(result.updated).toBe(false);
+    expect(result.error).toBeDefined();
+  });
+
+  it("attempts an update when npm has a newer version than the on-disk stamp", async () => {
+    makeBuild(dataUi, "0.11.0");
+
+    let manifestFetched = false;
+    globalThis.fetch = async (_url: string | URL | Request) => {
+      const url = String(typeof _url === "string" ? _url : (_url as Request).url ?? _url);
+      if (url.includes("registry.npmjs.org")) {
+        manifestFetched = true;
+        return manifestResponse("0.12.0"); // newer — no integrity → non-fatal error
+      }
+      return new Response("", { status: 200 });
+    };
+
+    const result = await checkAndUpdateUiBuild("0.11.0", join(opHome, "data"));
+    expect(manifestFetched).toBe(true);
+    expect(result.updated).toBe(false);
+    expect(result.error).toMatch(/no integrity hash/i);
+  });
+});

package/src/control-plane/ui-assets.ts

@@ -4,11 +4,12 @@
  * These functions are consumed by both the CLI and the Electron shell — they
  * must use only Node.js-compatible APIs (no Bun.spawn, Bun.write, etc.).
  *
- * Source resolution order (same for UI build and .openpalm/):
+ * Source resolution order (UI build and .openpalm/ skeleton):
  *   1. OPENPALM_REPO_ROOT env var — explicit dev override
  *   2. Relative to import.meta.url — works for `bun run` / source installs
  *   3. Relative to process.execPath — works for compiled Bun binary in repo
- *   4. null → GitHub release download
+ *   4. null → remote download (the UI build from the @openpalm/ui npm registry
+ *      tarball; the .openpalm skeleton from the GitHub repo tarball)
  */
 import {
   existsSync, mkdirSync, readdirSync, copyFileSync,
@@ -175,7 +176,7 @@ export async function seedOpenPalmDir(
 
 /**
  * Locate the compiled SvelteKit UI build on disk.
- * Returns null when not found — triggers GitHub download in seedUiBuild.
+ * Returns null when not found — triggers the npm registry download in seedUiBuild.
  */
 export function resolveLocalUiBuild(): string | null {
   return resolveLocalCandidate(
@@ -230,7 +231,8 @@ export function readUiBuildVersion(dir: string): string | null {
  * Resolve which UI build to run.
  *
  * Two channels exist: the bundled build (shipped inside the AppImage / source
- * tree) and `data/ui` (operator-updatable, seeded from GitHub releases). To fix
+ * tree) and `data/ui` (operator-updatable, seeded from the @openpalm/ui npm
+ * registry tarball). To fix
  * the stale-`data/ui` shadowing bug AND stay forward-compatible with updating the
  * UI without shipping a new app (D5), selection is VERSION-AWARE:
  *