@peers-app/peers-sdk 0.18.4 → 0.18.5

package/dist/data/package-version-permissions.d.ts

@@ -1,3 +1,4 @@
+import { GroupMemberRole } from "./group-permissions";
 import type { IPackageVersion } from "./package-versions";
 /**
  * Verifies that a package version update signature is valid.
@@ -6,6 +7,8 @@ import type { IPackageVersion } from "./package-versions";
  * Beta and stable versions require Admin role.
  *
  * @param packageVersion The package version record to verify
+ * @param groupId The group context to check roles against
+ * @param signerRole Optional pre-resolved role (skips `getUserRoleFromPublicKey` lookup; useful in tests)
  * @throws Error if signature is invalid or unauthorized
  */
-export declare function verifyPackageVersionSignature(packageVersion: IPackageVersion, groupId: string): Promise<void>;
+export declare function verifyPackageVersionSignature(packageVersion: IPackageVersion, groupId: string, signerRole?: GroupMemberRole): Promise<void>;

package/dist/data/package-version-permissions.js

@@ -10,12 +10,16 @@ const group_permissions_1 = require("./group-permissions");
  * Beta and stable versions require Admin role.
  *
  * @param packageVersion The package version record to verify
+ * @param groupId The group context to check roles against
+ * @param signerRole Optional pre-resolved role (skips `getUserRoleFromPublicKey` lookup; useful in tests)
  * @throws Error if signature is invalid or unauthorized
  */
-async function verifyPackageVersionSignature(packageVersion, groupId) {
+async function verifyPackageVersionSignature(packageVersion, groupId, signerRole) {
     (0, keys_1.verifyObjectSignature)(packageVersion);
-    const signerPublicKey = (0, keys_1.getPublicKeyFromObjectSignature)(packageVersion) ?? "";
-    const signerRole = await (0, group_permissions_1.getUserRoleFromPublicKey)(groupId, signerPublicKey);
+    if (signerRole === undefined) {
+        const signerPublicKey = (0, keys_1.getPublicKeyFromObjectSignature)(packageVersion) ?? "";
+        signerRole = await (0, group_permissions_1.getUserRoleFromPublicKey)(groupId, signerPublicKey);
+    }
     const isDevVersion = packageVersion.versionTag === "dev";
     const requiredRole = isDevVersion ? group_permissions_1.GroupMemberRole.Writer : group_permissions_1.GroupMemberRole.Admin;
     if (signerRole < requiredRole) {

package/dist/data/package-version-permissions.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/data/package-version-permissions.test.js

@@ -0,0 +1,107 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const keys_1 = require("../keys");
+const utils_1 = require("../utils");
+const group_member_roles_1 = require("./group-member-roles");
+const package_version_permissions_1 = require("./package-version-permissions");
+describe("Package Version Permissions", () => {
+    const writerKeys = (0, keys_1.newKeys)();
+    const adminKeys = (0, keys_1.newKeys)();
+    function makePV(overrides = {}) {
+        return {
+            packageVersionId: (0, utils_1.newid)(),
+            packageId: (0, utils_1.newid)(),
+            version: "1.0.0",
+            versionTag: "dev",
+            packageVersionHash: "testhash",
+            packageBundleFileId: (0, utils_1.newid)(),
+            packageBundleFileHash: "bundlehash",
+            signature: "",
+            createdBy: (0, utils_1.newid)(),
+            createdAt: new Date().toISOString(),
+            ...overrides,
+        };
+    }
+    describe("dev versions", () => {
+        it("allows Writer to sign a dev version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "dev" }), writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Writer)).resolves.toBeUndefined();
+        });
+        it("allows Admin to sign a dev version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "dev" }), adminKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Admin)).resolves.toBeUndefined();
+        });
+        it("rejects Reader signing a dev version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "dev" }), writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Reader)).rejects.toThrow("Only group writers or above");
+        });
+    });
+    describe("beta versions", () => {
+        it("allows Admin to sign a beta version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "beta" }), adminKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Admin)).resolves.toBeUndefined();
+        });
+        it("allows Owner to sign a beta version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "beta" }), adminKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Owner)).resolves.toBeUndefined();
+        });
+        it("rejects Writer signing a beta version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "beta" }), writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Writer)).rejects.toThrow("Only group admins can create or update beta/stable");
+        });
+    });
+    describe("stable versions", () => {
+        it("allows Admin to sign a stable version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "stable" }), adminKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Admin)).resolves.toBeUndefined();
+        });
+        it("rejects Writer signing a stable version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "stable" }), writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Writer)).rejects.toThrow("Only group admins can create or update beta/stable");
+        });
+    });
+    describe("promotion scenarios (dev → beta → stable)", () => {
+        it("rejects Writer promoting dev to beta", async () => {
+            const devPV = makePV({ versionTag: "dev" });
+            const promoted = { ...devPV, versionTag: "beta" };
+            const signed = (0, keys_1.addSignatureToObject)(promoted, writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(signed, "test-group", group_member_roles_1.GroupMemberRole.Writer)).rejects.toThrow("Only group admins can create or update beta/stable");
+        });
+        it("rejects Writer promoting dev to stable", async () => {
+            const devPV = makePV({ versionTag: "dev" });
+            const promoted = { ...devPV, versionTag: "stable" };
+            const signed = (0, keys_1.addSignatureToObject)(promoted, writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(signed, "test-group", group_member_roles_1.GroupMemberRole.Writer)).rejects.toThrow("Only group admins can create or update beta/stable");
+        });
+        it("rejects Writer promoting beta to stable", async () => {
+            const betaPV = makePV({ versionTag: "beta" });
+            const promoted = { ...betaPV, versionTag: "stable" };
+            const signed = (0, keys_1.addSignatureToObject)(promoted, writerKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(signed, "test-group", group_member_roles_1.GroupMemberRole.Writer)).rejects.toThrow("Only group admins can create or update beta/stable");
+        });
+        it("allows Admin promoting dev to beta", async () => {
+            const devPV = makePV({ versionTag: "dev" });
+            const promoted = { ...devPV, versionTag: "beta" };
+            const signed = (0, keys_1.addSignatureToObject)(promoted, adminKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(signed, "test-group", group_member_roles_1.GroupMemberRole.Admin)).resolves.toBeUndefined();
+        });
+        it("allows Admin promoting beta to stable", async () => {
+            const betaPV = makePV({ versionTag: "beta" });
+            const promoted = { ...betaPV, versionTag: "stable" };
+            const signed = (0, keys_1.addSignatureToObject)(promoted, adminKeys.secretKey);
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(signed, "test-group", group_member_roles_1.GroupMemberRole.Admin)).resolves.toBeUndefined();
+        });
+    });
+    describe("signature tampering", () => {
+        it("rejects a tampered package version", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "dev" }), writerKeys.secretKey);
+            pv.version = "9.9.9";
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Admin)).rejects.toThrow();
+        });
+        it("rejects a version with tag changed after signing", async () => {
+            const pv = (0, keys_1.addSignatureToObject)(makePV({ versionTag: "dev" }), writerKeys.secretKey);
+            pv.versionTag = "stable";
+            await expect((0, package_version_permissions_1.verifyPackageVersionSignature)(pv, "test-group", group_member_roles_1.GroupMemberRole.Admin)).rejects.toThrow();
+        });
+    });
+});

package/dist/data/package-versions.js

@@ -113,14 +113,7 @@ let PackageVersionsTable = (() => {
                 // users can do whatever they want to package versions in their personal space
                 return super.save(packageVersion, opts);
             }
-            try {
-                await (0, package_version_permissions_1.verifyPackageVersionSignature)(packageVersion, this.groupId);
-            }
-            catch (err) {
-                throw new Error("Package version verification failed.  Did you mean to call `signAndSave`?", {
-                    cause: err,
-                });
-            }
+            await (0, package_version_permissions_1.verifyPackageVersionSignature)(packageVersion, this.groupId);
             return super.save(packageVersion, opts);
         }
         async signAndSave(packageVersion, opts) {
@@ -128,7 +121,7 @@ let PackageVersionsTable = (() => {
                 throw new Error("Package version signing is not enabled. Call PackageVersionsTable.enablePackageVersionSigning(fn) to enable it.");
             }
             packageVersion = await PackageVersionsTable.addSignatureToPackageVersion(packageVersion);
-            return super.save(packageVersion, opts);
+            return this.save(packageVersion, opts);
         }
         static addSignatureToPackageVersion = undefined;
         static enablePackageVersionSigning(fn) {

package/dist/data/package-versions.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/data/package-versions.test.js

@@ -0,0 +1,227 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const SQLiteDB = require("better-sqlite3");
+const user_context_1 = require("../context/user-context");
+const user_context_singleton_1 = require("../context/user-context-singleton");
+const keys_1 = require("../keys");
+const utils_1 = require("../utils");
+const group_member_roles_1 = require("./group-member-roles");
+const group_members_1 = require("./group-members");
+const groups_1 = require("./groups");
+const sql_data_source_1 = require("./orm/sql.data-source");
+const package_versions_1 = require("./package-versions");
+const users_1 = require("./users");
+// ---------------------------------------------------------------------------
+// In-memory SQLite harness (same pattern as sql.data-source.test.ts)
+// ---------------------------------------------------------------------------
+class DBHarness {
+    _db = null;
+    get db() {
+        if (!this._db) {
+            this._db = new SQLiteDB(":memory:");
+            this._db.pragma("journal_mode = WAL");
+        }
+        return this._db;
+    }
+    async get(sql, params = []) {
+        return this.db.prepare(sql).get(params);
+    }
+    async all(sql, params = []) {
+        return this.db.prepare(sql).all(params);
+    }
+    async exec(sql, params = []) {
+        const result = this.db.prepare(sql).run(params);
+        return { changes: result.changes };
+    }
+    async close() {
+        this._db?.close();
+        this._db = null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Test fixtures
+// ---------------------------------------------------------------------------
+const writerKeys = (0, keys_1.newKeys)();
+const adminKeys = (0, keys_1.newKeys)();
+const testGroupId = (0, utils_1.newid)();
+const writerUserId = (0, utils_1.newid)();
+const adminUserId = (0, utils_1.newid)();
+function makePV(overrides = {}) {
+    return {
+        packageVersionId: (0, utils_1.newid)(),
+        packageId: (0, utils_1.newid)(),
+        version: "1.0.0",
+        versionTag: "dev",
+        packageVersionHash: "testhash",
+        packageBundleFileId: (0, utils_1.newid)(),
+        packageBundleFileHash: "bundlehash",
+        signature: "",
+        createdBy: writerUserId,
+        createdAt: new Date().toISOString(),
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Setup: create a real ephemeral UserContext with Users + GroupMembers seeded
+// so that getUserRoleFromPublicKey resolves Writer vs Admin from real data.
+// ---------------------------------------------------------------------------
+let userContext;
+beforeAll(async () => {
+    const db = new DBHarness();
+    const dataSourceFactory = (metaData, schema) => {
+        return new sql_data_source_1.SQLDataSource(db, metaData, schema);
+    };
+    userContext = new user_context_1.UserContext(writerUserId, dataSourceFactory, true);
+    await userContext.loadingPromise;
+    userContext.deviceId((0, utils_1.newid)());
+    (0, user_context_singleton_1.setUserContext)(userContext);
+    const dc = userContext.userDataContext;
+    // Enable passthrough so seeding skips signature checks on Groups/GroupMembers/Users
+    groups_1.GroupsTable.isPassthrough = true;
+    group_members_1.GroupMembersTable.isPassthrough = true;
+    users_1.UsersTable.isPassthrough = true;
+    // Seed the writer user
+    const { Users } = await Promise.resolve().then(() => require("./users"));
+    const writerUser = {
+        userId: writerUserId,
+        name: "Writer User",
+        publicKey: writerKeys.publicKey,
+        publicBoxKey: "",
+        signature: "",
+    };
+    await Users(dc).save(writerUser);
+    // Seed the admin user
+    const adminUser = {
+        userId: adminUserId,
+        name: "Admin User",
+        publicKey: adminKeys.publicKey,
+        publicBoxKey: "",
+        signature: "",
+    };
+    await Users(dc).save(adminUser);
+    // Seed a group so the group lookup finds real data (not "group not found → Founder")
+    const { Groups } = await Promise.resolve().then(() => require("./groups"));
+    await Groups(dc).save({
+        groupId: testGroupId,
+        name: "Test Group",
+        description: "",
+        founderUserId: (0, utils_1.newid)(), // different from writer/admin so nobody is auto-Founder
+        signature: "",
+        publicKey: "",
+        publicBoxKey: "",
+    });
+    // Seed group memberships with real roles
+    const { GroupMembers } = await Promise.resolve().then(() => require("./group-members"));
+    const writerMembership = {
+        groupMemberId: (0, utils_1.newid)(),
+        groupId: testGroupId,
+        userId: writerUserId,
+        role: group_member_roles_1.GroupMemberRole.Writer,
+        signature: "",
+    };
+    await GroupMembers(dc).save(writerMembership);
+    const adminMembership = {
+        groupMemberId: (0, utils_1.newid)(),
+        groupId: testGroupId,
+        userId: adminUserId,
+        role: group_member_roles_1.GroupMemberRole.Admin,
+        signature: "",
+    };
+    await GroupMembers(dc).save(adminMembership);
+    // Disable passthrough so the real permission checks apply during tests
+    groups_1.GroupsTable.isPassthrough = false;
+    group_members_1.GroupMembersTable.isPassthrough = false;
+    users_1.UsersTable.isPassthrough = false;
+    // Enable real signing
+    package_versions_1.PackageVersionsTable.enablePackageVersionSigning((pv) => (0, keys_1.addSignatureToObject)(pv, activeSecretKey));
+});
+let activeSecretKey = writerKeys.secretKey;
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("PackageVersionsTable.signAndSave — promotion permission enforcement", () => {
+    // These tests exercise the real signAndSave → save → verifyPackageVersionSignature
+    // chain against a real in-memory database with real group membership data.
+    //
+    // THE BUG: signAndSave previously called super.save() which skipped the
+    // overridden save() and its verifyPackageVersionSignature check. A Writer
+    // could promote dev → beta/stable unchallenged.
+    //
+    // THE FIX: signAndSave now calls this.save(), so the permission check fires.
+    // Helper: get the PackageVersions table in the test group context
+    function pvTable() {
+        const dc = userContext.getDataContext(testGroupId);
+        return (0, package_versions_1.PackageVersions)(dc);
+    }
+    describe("Writer role", () => {
+        beforeEach(() => {
+            activeSecretKey = writerKeys.secretKey;
+        });
+        it("can signAndSave a dev version", async () => {
+            const pv = makePV({ versionTag: "dev" });
+            const saved = await pvTable().signAndSave(pv);
+            expect(saved.versionTag).toBe("dev");
+            expect(saved.signature).toBeTruthy();
+        });
+        it("is blocked from signAndSave with versionTag=beta", async () => {
+            const pv = makePV({ versionTag: "beta" });
+            // Before the fix: this would PASS (super.save skipped the check)
+            // After the fix: this correctly REJECTS
+            await expect(pvTable().signAndSave(pv)).rejects.toThrow("Only group admins can create or update beta/stable package versions");
+        });
+        it("is blocked from signAndSave with versionTag=stable", async () => {
+            const pv = makePV({ versionTag: "stable" });
+            await expect(pvTable().signAndSave(pv)).rejects.toThrow("Only group admins can create or update beta/stable package versions");
+        });
+        it("is blocked from promoting an existing dev version to beta", async () => {
+            const pv = makePV({ versionTag: "dev" });
+            const saved = await pvTable().signAndSave(pv);
+            const promoted = { ...saved, versionTag: "beta" };
+            await expect(pvTable().signAndSave(promoted)).rejects.toThrow("Only group admins can create or update beta/stable package versions");
+        });
+    });
+    describe("Admin role", () => {
+        beforeEach(() => {
+            activeSecretKey = adminKeys.secretKey;
+        });
+        it("can signAndSave a dev version", async () => {
+            const pv = makePV({ versionTag: "dev" });
+            const saved = await pvTable().signAndSave(pv);
+            expect(saved.versionTag).toBe("dev");
+        });
+        it("can signAndSave a beta version", async () => {
+            const pv = makePV({ versionTag: "beta" });
+            const saved = await pvTable().signAndSave(pv);
+            expect(saved.versionTag).toBe("beta");
+        });
+        it("can signAndSave a stable version", async () => {
+            const pv = makePV({ versionTag: "stable" });
+            const saved = await pvTable().signAndSave(pv);
+            expect(saved.versionTag).toBe("stable");
+        });
+        it("can promote an existing dev version to beta", async () => {
+            const pv = makePV({ versionTag: "dev" });
+            const saved = await pvTable().signAndSave(pv);
+            const promoted = { ...saved, versionTag: "beta" };
+            const result = await pvTable().signAndSave(promoted);
+            expect(result.versionTag).toBe("beta");
+        });
+        it("can promote an existing beta version to stable", async () => {
+            const pv = makePV({ versionTag: "beta" });
+            const saved = await pvTable().signAndSave(pv);
+            const promoted = { ...saved, versionTag: "stable" };
+            const result = await pvTable().signAndSave(promoted);
+            expect(result.versionTag).toBe("stable");
+        });
+    });
+    describe("personal space (no group)", () => {
+        it("allows Writer to signAndSave any tag without restriction", async () => {
+            activeSecretKey = writerKeys.secretKey;
+            const dc = userContext.userDataContext;
+            const table = (0, package_versions_1.PackageVersions)(dc);
+            const pv = makePV({ versionTag: "stable" });
+            const saved = await table.signAndSave(pv);
+            expect(saved.versionTag).toBe("stable");
+        });
+    });
+});

package/dist/data/packages.js

@@ -106,14 +106,7 @@ let PackagesTable = (() => {
                 // users can do whatever they want to packages in their personal space
                 return super.save(packageObj, opts);
             }
-            try {
-                await (0, package_permissions_1.verifyPackageSignature)(packageObj, this.groupId);
-            }
-            catch (err) {
-                throw new Error("Package verification failed.  Did you mean to call `signAndSave`?", {
-                    cause: err,
-                });
-            }
+            await (0, package_permissions_1.verifyPackageSignature)(packageObj, this.groupId);
             return super.save(packageObj, opts);
         }
         async signAndSave(packageObj, opts) {
@@ -121,7 +114,7 @@ let PackagesTable = (() => {
                 throw new Error("Package signing is not enabled. Call PackagesTable.enablePackageSigning(fn) to enable it.");
             }
             packageObj = await PackagesTable.addSignatureToPackage(packageObj);
-            return super.save(packageObj, opts);
+            return this.save(packageObj, opts);
         }
         static addSignatureToPackage = undefined;
         static enablePackageSigning(fn) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@peers-app/peers-sdk",
-  "version": "0.18.4",
+  "version": "0.18.5",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/peers-app/peers-sdk.git"