@peers-app/peers-sdk 0.18.8 → 0.19.0

package/dist/package-installer/package-remote-checker.test.js

@@ -0,0 +1,263 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const mockPackageVersionsGet = jest.fn();
+const mockPackageVersionsSignAndSave = jest.fn();
+jest.mock("../data/package-versions", () => {
+    const actual = jest.requireActual("../data/package-versions");
+    return {
+        ...actual,
+        PackageVersions: (ctx) => ({
+            get: (packageVersionId) => mockPackageVersionsGet(ctx, packageVersionId),
+            signAndSave: (pv) => mockPackageVersionsSignAndSave(ctx, pv),
+        }),
+    };
+});
+const mockPackagesGet = jest.fn();
+const mockPackagesSignAndSave = jest.fn();
+jest.mock("../data/packages", () => ({
+    Packages: (ctx) => ({
+        get: (packageId) => mockPackagesGet(ctx, packageId),
+        signAndSave: (pkg) => mockPackagesSignAndSave(ctx, pkg),
+    }),
+}));
+const mockSaveBundleFile = jest.fn();
+jest.mock("./package-installer", () => ({
+    saveBundleFile: (...args) => mockSaveBundleFile(...args),
+}));
+const mockActivateBestEligibleVersion = jest.fn();
+jest.mock("./package-propagation", () => ({
+    activateBestEligibleVersion: (...args) => mockActivateBestEligibleVersion(...args),
+}));
+const file_types_1 = require("../data/files/file.types");
+const keys_1 = require("../keys");
+const package_author_signing_1 = require("./package-author-signing");
+const package_remote_checker_1 = require("./package-remote-checker");
+const package_tarball_1 = require("./package-tarball");
+const PKG_ID = "00mh0wlipjixk2gqmurbwee0o";
+const PV_ID = "00mpdg7xstwt3oe51x9brk15i";
+function makeContext(dataContextId) {
+    return { dataContextId };
+}
+async function makeSignedRemoteResult(secretKey, publicKey, overrides = {}) {
+    const bundleCode = overrides.packageBundleFileHash
+        ? "console.log('different');"
+        : "console.log('hello');";
+    const bundleHash = (0, file_types_1.computeFileHash)(bundleCode);
+    const payloadBase = {
+        packageId: PKG_ID,
+        packageVersionId: PV_ID,
+        version: "1.0.0",
+        versionTag: "stable",
+        packageBundleFileHash: bundleHash,
+        routesBundleFileHash: undefined,
+        uiBundleFileHash: undefined,
+        ...overrides,
+    };
+    const signature = (0, package_author_signing_1.signPackageAuthor)({
+        packageId: payloadBase.packageId,
+        packageVersionId: payloadBase.packageVersionId,
+        version: payloadBase.version,
+        versionTag: payloadBase.versionTag,
+        packageBundleFileHash: payloadBase.packageBundleFileHash,
+        routesBundleFileHash: payloadBase.routesBundleFileHash,
+        uiBundleFileHash: payloadBase.uiBundleFileHash,
+    }, secretKey);
+    const payload = {
+        ...payloadBase,
+        publicKey,
+        packageAuthorSignature: signature,
+    };
+    const tarball = await (0, package_tarball_1.packPeersTarball)({ payload, packageBundle: bundleCode });
+    const pointer = {
+        packageVersionId: payload.packageVersionId,
+        version: payload.version,
+        versionTag: payload.versionTag,
+        path: "v1.0.0-stable.peers-pkg.tar.gz",
+        sha256: (0, keys_1.hashBytes)(tarball),
+        publishedAt: new Date().toISOString(),
+    };
+    return { payload, bundleCode, bundleHash, tarball, pointer };
+}
+describe("package-remote-checker", () => {
+    let keys;
+    beforeAll(() => {
+        keys = (0, keys_1.newKeys)();
+    });
+    beforeEach(() => {
+        (0, package_remote_checker_1.clearRemoteCheckCache)();
+        jest.clearAllMocks();
+        mockSaveBundleFile.mockImplementation(async (_ctx, content, name) => ({
+            fileId: `file-${name}`,
+            fileHash: (0, file_types_1.computeFileHash)(content),
+        }));
+        mockPackageVersionsSignAndSave.mockImplementation(async (_ctx, pv) => pv);
+        mockPackagesSignAndSave.mockImplementation(async (_ctx, pkg) => pkg);
+        mockActivateBestEligibleVersion.mockResolvedValue({
+            activated: true,
+            activePackageVersionId: PV_ID,
+        });
+    });
+    describe("checkPackageRemoteForNewVersion", () => {
+        it("downloads and verifies tarball when new version available", async () => {
+            const { pointer, tarball, bundleCode } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue(pointer),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            const result = await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/packages/test", "stable", http);
+            expect(result).not.toBeNull();
+            expect(result?.packageId).toBe(PKG_ID);
+            expect(result?.unpacked.payload.version).toBe("1.0.0");
+            expect(result?.unpacked.packageBundle).toBe(bundleCode);
+        });
+        it("verifies tarball integrity with byte-level hash", async () => {
+            const { pointer, tarball } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const badPointer = { ...pointer, sha256: (0, keys_1.hashValue)(new TextDecoder().decode(tarball)) };
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue(badPointer),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            const result = await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/packages/test", "stable", http);
+            expect(result).toBeNull();
+        });
+        it("rejects tarball with invalid author signature", async () => {
+            const bundleCode = "console.log('bad');";
+            const bundleHash = (0, file_types_1.computeFileHash)(bundleCode);
+            const payload = {
+                packageId: PKG_ID,
+                packageVersionId: PV_ID,
+                version: "1.0.0",
+                versionTag: "stable",
+                packageBundleFileHash: bundleHash,
+                publicKey: keys.publicKey,
+                packageAuthorSignature: "invalidSignatureHere", // invalid
+            };
+            const tarball = await (0, package_tarball_1.packPeersTarball)({ payload, packageBundle: bundleCode });
+            const pointer = {
+                packageVersionId: PV_ID,
+                version: "1.0.0",
+                versionTag: "stable",
+                path: "v1.0.0-stable.peers-pkg.tar.gz",
+                sha256: "",
+                publishedAt: new Date().toISOString(),
+            };
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue(pointer),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            // Should return null (error caught internally and logged)
+            const result = await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/packages/test", "stable", http);
+            expect(result).toBeNull();
+        });
+        it("memoizes results per (updateUrl, tag)", async () => {
+            const { pointer, tarball } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue(pointer),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/pkg", "stable", http);
+            await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/pkg", "stable", http);
+            expect(http.fetchJson).toHaveBeenCalledTimes(1);
+            expect(http.fetchBinary).toHaveBeenCalledTimes(1);
+        });
+        it("rejects tarball with mismatched bundle hash", async () => {
+            const bundleCode = "console.log('real');";
+            const fakeHash = "notTheRealHash";
+            const signature = (0, package_author_signing_1.signPackageAuthor)({
+                packageId: PKG_ID,
+                packageVersionId: PV_ID,
+                version: "1.0.0",
+                versionTag: "stable",
+                packageBundleFileHash: fakeHash, // hash in payload doesn't match actual bundle
+            }, keys.secretKey);
+            const payload = {
+                packageId: PKG_ID,
+                packageVersionId: PV_ID,
+                version: "1.0.0",
+                versionTag: "stable",
+                packageBundleFileHash: fakeHash,
+                publicKey: keys.publicKey,
+                packageAuthorSignature: signature,
+            };
+            const tarball = await (0, package_tarball_1.packPeersTarball)({ payload, packageBundle: bundleCode });
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue({
+                    packageVersionId: PV_ID,
+                    version: "1.0.0",
+                    versionTag: "stable",
+                    path: "test.tar.gz",
+                    sha256: "",
+                    publishedAt: new Date().toISOString(),
+                }),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            const result = await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/pkg2", "stable", http);
+            // Error logged, returns null
+            expect(result).toBeNull();
+        });
+        it("rejects pointer and payload mismatches", async () => {
+            const { pointer, tarball } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue({ ...pointer, version: "2.0.0" }),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            const result = await (0, package_remote_checker_1.checkPackageRemoteForNewVersion)(PKG_ID, "https://example.com/pkg3", "stable", http);
+            expect(result).toBeNull();
+        });
+    });
+    describe("checkAndInstallPackageRemoteVersion", () => {
+        it("checks local version existence per context outside the remote cache", async () => {
+            const groupA = makeContext("group-a");
+            const groupB = makeContext("group-b");
+            const { pointer, tarball } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const pkg = {
+                packageId: PKG_ID,
+                name: "test",
+                publishPublicKey: keys.publicKey,
+                updateUrl: "https://example.com/pkg",
+            };
+            const http = {
+                fetchJson: jest.fn().mockResolvedValue(pointer),
+                fetchBinary: jest.fn().mockResolvedValue(tarball),
+            };
+            mockPackageVersionsGet.mockImplementation(async (ctx, pvId) => ctx.dataContextId === "group-a" ? { packageVersionId: pvId } : undefined);
+            mockPackagesGet.mockResolvedValue(pkg);
+            const first = await (0, package_remote_checker_1.checkAndInstallPackageRemoteVersion)(groupA, pkg, "stable", http);
+            const second = await (0, package_remote_checker_1.checkAndInstallPackageRemoteVersion)(groupB, pkg, "stable", http);
+            expect(first).toBeNull();
+            expect(second?.packageVersion.packageVersionId).toBe(PV_ID);
+            expect(http.fetchJson).toHaveBeenCalledTimes(1);
+            expect(mockSaveBundleFile).toHaveBeenCalled();
+        });
+    });
+    describe("installRemotePackageVersion", () => {
+        it("rejects publisher key mismatch before saving files", async () => {
+            const { pointer, payload } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const result = {
+                packageId: PKG_ID,
+                pointer,
+                unpacked: { payload, packageBundle: "console.log('hello');" },
+            };
+            mockPackagesGet.mockResolvedValue({
+                packageId: PKG_ID,
+                name: "test",
+                publishPublicKey: (0, keys_1.newKeys)().publicKey,
+            });
+            await expect((0, package_remote_checker_1.installRemotePackageVersion)(makeContext("group-a"), result)).rejects.toThrow("Package publisher key mismatch");
+            expect(mockSaveBundleFile).not.toHaveBeenCalled();
+        });
+        it("establishes TOFU key and activates after installing", async () => {
+            const { pointer, payload, bundleCode } = await makeSignedRemoteResult(keys.secretKey, keys.publicKey);
+            const pkg = { packageId: PKG_ID, name: "test", publishPublicKey: "" };
+            mockPackagesGet.mockResolvedValue(pkg);
+            const installed = await (0, package_remote_checker_1.installRemotePackageVersion)(makeContext("group-a"), {
+                packageId: PKG_ID,
+                pointer,
+                unpacked: { payload, packageBundle: bundleCode },
+            });
+            expect(installed.activated).toBe(true);
+            expect(mockPackagesSignAndSave).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ publishPublicKey: keys.publicKey }));
+            expect(mockPackageVersionsSignAndSave).toHaveBeenCalled();
+        });
+    });
+});

package/dist/package-installer/package-seed-installer.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Generic package seed installer.
+ *
+ * Seeds a package into a data context if it doesn't already exist.
+ * Called at group creation time (not on every startup).
+ */
+import type { DataContext } from "../context/data-context";
+/** Options for seeding a package into a data context. */
+export interface ISeedPackageOpts {
+    packageId: string;
+    name: string;
+    description?: string;
+    createdBy: string;
+    publishPublicKey?: string;
+    versionFollowRange?: "pinned" | "patch" | "minor" | "latest";
+    followVersionTags?: string;
+    updateUrl?: string;
+    remoteRepo?: string;
+    /** Bundle data for the initial PackageVersion. */
+    version: string;
+    versionTag: string;
+    packageBundleCode: string;
+    routesBundleCode?: string;
+    uiBundleCode?: string;
+    /**
+     * If provided, set as the packageAuthorSignature on the initial PV.
+     * Used for bundled seeds where the signature was pre-computed at build time.
+     */
+    packageAuthorSignature?: string;
+    /**
+     * When true, immediately load the seeded package and persist appNavs on the
+     * seeded PackageVersion. Useful for first-run/core package bootstrapping.
+     */
+    loadAfterSeed?: boolean;
+}
+/**
+ * Seed a package into a data context. Creates the Package record and an
+ * initial PackageVersion if the package doesn't already exist.
+ *
+ * This is a no-op if the package is already installed (has any PV).
+ * Intended to be called at group creation time, not on every startup.
+ *
+ * @returns true if seeding occurred, false if package already existed.
+ */
+export declare function seedPackageInContext(dataContext: DataContext, opts: ISeedPackageOpts): Promise<boolean>;

package/dist/package-installer/package-seed-installer.js

@@ -0,0 +1,108 @@
+"use strict";
+/**
+ * Generic package seed installer.
+ *
+ * Seeds a package into a data context if it doesn't already exist.
+ * Called at group creation time (not on every startup).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.seedPackageInContext = seedPackageInContext;
+const package_versions_1 = require("../data/package-versions");
+const packages_1 = require("../data/packages");
+const utils_1 = require("../utils");
+const package_installer_1 = require("./package-installer");
+/**
+ * Seed a package into a data context. Creates the Package record and an
+ * initial PackageVersion if the package doesn't already exist.
+ *
+ * This is a no-op if the package is already installed (has any PV).
+ * Intended to be called at group creation time, not on every startup.
+ *
+ * @returns true if seeding occurred, false if package already existed.
+ */
+async function seedPackageInContext(dataContext, opts) {
+    const pkgTable = (0, packages_1.Packages)(dataContext);
+    const existingPkg = await pkgTable.get(opts.packageId);
+    if (existingPkg) {
+        // Package already exists — check if it has any version installed
+        const pvTable = (0, package_versions_1.PackageVersions)(dataContext);
+        const existingPvs = await pvTable.list({ packageId: opts.packageId });
+        if (existingPvs.length > 0) {
+            return false;
+        }
+        // Package record exists but no versions — install the initial PV
+        applyMissingSeedDefaults(existingPkg, opts);
+        return await installSeedVersion(dataContext, existingPkg, opts);
+    }
+    // Create Package record with provided defaults
+    const pkg = {
+        packageId: opts.packageId,
+        name: opts.name,
+        description: opts.description ?? "",
+        createdBy: opts.createdBy,
+        disabled: false,
+        publishPublicKey: opts.publishPublicKey ?? "",
+        versionFollowRange: opts.versionFollowRange,
+        followVersionTags: opts.followVersionTags,
+        updateUrl: opts.updateUrl,
+        remoteRepo: opts.remoteRepo,
+        signature: "",
+    };
+    await pkgTable.signAndSave(pkg, { saveAsSnapshot: true });
+    await installSeedVersion(dataContext, pkg, opts);
+    return true;
+}
+function applyMissingSeedDefaults(pkg, opts) {
+    pkg.description ||= opts.description ?? "";
+    pkg.publishPublicKey ||= opts.publishPublicKey ?? "";
+    pkg.versionFollowRange ||= opts.versionFollowRange;
+    pkg.followVersionTags ||= opts.followVersionTags;
+    pkg.updateUrl ||= opts.updateUrl;
+    pkg.remoteRepo ||= opts.remoteRepo;
+}
+async function installSeedVersion(dataContext, pkg, opts) {
+    // Save bundle files (deduped by hash)
+    const pkgFile = await (0, package_installer_1.saveBundleFile)(dataContext, opts.packageBundleCode, `${opts.packageId}-package.bundle.js`, opts.packageId);
+    let routesFile;
+    if (opts.routesBundleCode) {
+        routesFile = await (0, package_installer_1.saveBundleFile)(dataContext, opts.routesBundleCode, `${opts.packageId}-routes.bundle.js`, opts.packageId);
+    }
+    let uiFile;
+    if (opts.uiBundleCode) {
+        uiFile = await (0, package_installer_1.saveBundleFile)(dataContext, opts.uiBundleCode, `${opts.packageId}-uis.bundle.js`, opts.packageId);
+    }
+    const pvHash = (0, package_versions_1.computePackageVersionHash)(opts.version, opts.versionTag, pkgFile.fileHash, routesFile?.fileHash, uiFile?.fileHash);
+    const pv = {
+        packageVersionId: (0, utils_1.newid)(),
+        packageId: opts.packageId,
+        version: opts.version,
+        versionTag: opts.versionTag,
+        packageVersionHash: pvHash,
+        packageBundleFileId: pkgFile.fileId,
+        packageBundleFileHash: pkgFile.fileHash,
+        routesBundleFileId: routesFile?.fileId,
+        routesBundleFileHash: routesFile?.fileHash,
+        uiBundleFileId: uiFile?.fileId,
+        uiBundleFileHash: uiFile?.fileHash,
+        packageAuthorSignature: opts.packageAuthorSignature,
+        signature: "",
+        createdBy: opts.createdBy,
+        createdAt: new Date().toISOString(),
+    };
+    const pvTable = (0, package_versions_1.PackageVersions)(dataContext);
+    const savedPv = await pvTable.signAndSave(pv, { saveAsSnapshot: true });
+    // Activate this version
+    pkg.activePackageVersionId = savedPv.packageVersionId;
+    await (0, packages_1.Packages)(dataContext).signAndSave(pkg, { saveAsSnapshot: true });
+    if (opts.loadAfterSeed) {
+        const loaded = await dataContext.packageLoader.loadPackage(pkg, {
+            force: true,
+            packageVersionId: savedPv.packageVersionId,
+        });
+        if (loaded?.appNavs && JSON.stringify(loaded.appNavs) !== JSON.stringify(savedPv.appNavs)) {
+            savedPv.appNavs = loaded.appNavs;
+            await pvTable.signAndSave(savedPv, { saveAsSnapshot: true });
+        }
+    }
+    return true;
+}

package/dist/package-installer/package-seed-installer.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/package-installer/package-seed-installer.test.js

@@ -0,0 +1,123 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const mockPackageVersionsList = jest.fn();
+const mockPackageVersionsSignAndSave = jest.fn();
+jest.mock("../data/package-versions", () => {
+    const actual = jest.requireActual("../data/package-versions");
+    return {
+        ...actual,
+        PackageVersions: (_ctx) => ({
+            list: (filter) => mockPackageVersionsList(filter),
+            signAndSave: (pv, opts) => mockPackageVersionsSignAndSave(pv, opts),
+        }),
+    };
+});
+const mockPackagesGet = jest.fn();
+const mockPackagesSignAndSave = jest.fn();
+jest.mock("../data/packages", () => ({
+    Packages: (_ctx) => ({
+        get: (packageId) => mockPackagesGet(packageId),
+        signAndSave: (pkg, opts) => mockPackagesSignAndSave(pkg, opts),
+    }),
+}));
+const mockSaveBundleFile = jest.fn();
+jest.mock("./package-installer", () => ({
+    saveBundleFile: (...args) => mockSaveBundleFile(...args),
+}));
+const keys_1 = require("../keys");
+const package_seed_installer_1 = require("./package-seed-installer");
+const PKG_ID = "00mh0wlipjixk2gqmurbwee0o";
+function makeContext() {
+    return {
+        dataContextId: "ctx",
+        packageLoader: {
+            loadPackage: jest.fn(),
+        },
+    };
+}
+function makeOpts(overrides = {}) {
+    return {
+        packageId: PKG_ID,
+        name: "peers-core",
+        description: "Core package",
+        createdBy: "00m87fbwu96jzf8qnwllly0fd",
+        publishPublicKey: "publish-key",
+        versionFollowRange: "latest",
+        followVersionTags: "stable",
+        updateUrl: "https://example.com/packages/peers-core",
+        remoteRepo: "https://github.com/peers-app/peers-core",
+        version: "1.2.3",
+        versionTag: "stable",
+        packageBundleCode: "console.log('package');",
+        routesBundleCode: "console.log('routes');",
+        uiBundleCode: "console.log('ui');",
+        ...overrides,
+    };
+}
+describe("package-seed-installer", () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+        mockSaveBundleFile.mockImplementation(async (_ctx, content, name) => ({
+            fileId: `file-${name}`,
+            fileHash: (0, keys_1.hashValue)(content),
+        }));
+        mockPackagesSignAndSave.mockImplementation(async (pkg) => pkg);
+        mockPackageVersionsSignAndSave.mockImplementation(async (pv) => pv);
+        mockPackageVersionsList.mockResolvedValue([]);
+        mockPackagesGet.mockResolvedValue(undefined);
+    });
+    it("creates package and initial active package version", async () => {
+        const seeded = await (0, package_seed_installer_1.seedPackageInContext)(makeContext(), makeOpts());
+        expect(seeded).toBe(true);
+        expect(mockPackagesSignAndSave).toHaveBeenCalledWith(expect.objectContaining({
+            packageId: PKG_ID,
+            publishPublicKey: "publish-key",
+            versionFollowRange: "latest",
+            followVersionTags: "stable",
+        }), { saveAsSnapshot: true });
+        expect(mockPackageVersionsSignAndSave).toHaveBeenCalledWith(expect.objectContaining({
+            packageId: PKG_ID,
+            version: "1.2.3",
+            versionTag: "stable",
+            packageBundleFileHash: (0, keys_1.hashValue)("console.log('package');"),
+        }), { saveAsSnapshot: true });
+        expect(mockPackagesSignAndSave).toHaveBeenLastCalledWith(expect.objectContaining({ activePackageVersionId: expect.any(String) }), { saveAsSnapshot: true });
+    });
+    it("is a no-op when package already has any version installed", async () => {
+        mockPackagesGet.mockResolvedValue({ packageId: PKG_ID, name: "peers-core" });
+        mockPackageVersionsList.mockResolvedValue([{ packageVersionId: "existing" }]);
+        const seeded = await (0, package_seed_installer_1.seedPackageInContext)(makeContext(), makeOpts());
+        expect(seeded).toBe(false);
+        expect(mockSaveBundleFile).not.toHaveBeenCalled();
+        expect(mockPackageVersionsSignAndSave).not.toHaveBeenCalled();
+    });
+    it("installs initial version when package exists without versions", async () => {
+        mockPackagesGet.mockResolvedValue({
+            packageId: PKG_ID,
+            name: "peers-core",
+            publishPublicKey: "",
+            signature: "",
+        });
+        mockPackageVersionsList.mockResolvedValue([]);
+        const seeded = await (0, package_seed_installer_1.seedPackageInContext)(makeContext(), makeOpts());
+        expect(seeded).toBe(true);
+        expect(mockSaveBundleFile).toHaveBeenCalled();
+        expect(mockPackageVersionsSignAndSave).toHaveBeenCalled();
+        expect(mockPackagesSignAndSave).toHaveBeenLastCalledWith(expect.objectContaining({
+            activePackageVersionId: expect.any(String),
+            publishPublicKey: "publish-key",
+            updateUrl: "https://example.com/packages/peers-core",
+        }), { saveAsSnapshot: true });
+    });
+    it("loads seeded package and persists appNavs when requested", async () => {
+        const ctx = makeContext();
+        ctx.packageLoader.loadPackage.mockResolvedValue({
+            appNavs: [{ appId: "tasks", label: "Tasks", path: "tasks" }],
+        });
+        await (0, package_seed_installer_1.seedPackageInContext)(ctx, makeOpts({ loadAfterSeed: true }));
+        expect(ctx.packageLoader.loadPackage).toHaveBeenCalledWith(expect.objectContaining({ packageId: PKG_ID }), expect.objectContaining({ force: true, packageVersionId: expect.any(String) }));
+        expect(mockPackageVersionsSignAndSave).toHaveBeenLastCalledWith(expect.objectContaining({
+            appNavs: [{ appId: "tasks", label: "Tasks", path: "tasks" }],
+        }), { saveAsSnapshot: true });
+    });
+});

package/dist/package-installer/package-tarball.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Isomorphic tarball pack/unpack for `.peers-pkg.tar.gz` archives.
+ *
+ * Uses `nanotar` (~1KB, zero deps) with native CompressionStream/DecompressionStream
+ * for gzip. Works in Node 18+, modern browsers, and edge runtimes.
+ */
+import type { IAuthorSignedPayload } from "./package-author-signing";
+/** Contents of `pv-payload.json` inside a peers package tarball. */
+export interface ITarballPayload extends IAuthorSignedPayload {
+    packageAuthorSignature: string;
+}
+/** Input for creating a `.peers-pkg.tar.gz`. */
+export interface IPackTarballOpts {
+    payload: ITarballPayload;
+    packageBundle: string;
+    routesBundle?: string;
+    uiBundle?: string;
+}
+/** Result of unpacking a `.peers-pkg.tar.gz`. */
+export interface IUnpackedTarball {
+    payload: ITarballPayload;
+    packageBundle: string;
+    routesBundle?: string;
+    uiBundle?: string;
+}
+/**
+ * Create a `.peers-pkg.tar.gz` from a signed payload and bundle files.
+ * Returns the compressed tarball as a Uint8Array.
+ */
+export declare function packPeersTarball(opts: IPackTarballOpts): Promise<Uint8Array>;
+/**
+ * Extract a `.peers-pkg.tar.gz` and return the payload + bundle contents.
+ * Throws if the required `pv-payload.json` or `package.bundle.js` are missing.
+ */
+export declare function unpackPeersTarball(data: Uint8Array | ArrayBuffer): Promise<IUnpackedTarball>;

package/dist/package-installer/package-tarball.js

@@ -0,0 +1,57 @@
+"use strict";
+/**
+ * Isomorphic tarball pack/unpack for `.peers-pkg.tar.gz` archives.
+ *
+ * Uses `nanotar` (~1KB, zero deps) with native CompressionStream/DecompressionStream
+ * for gzip. Works in Node 18+, modern browsers, and edge runtimes.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.packPeersTarball = packPeersTarball;
+exports.unpackPeersTarball = unpackPeersTarball;
+const nanotar_1 = require("nanotar");
+/**
+ * Create a `.peers-pkg.tar.gz` from a signed payload and bundle files.
+ * Returns the compressed tarball as a Uint8Array.
+ */
+async function packPeersTarball(opts) {
+    const files = [
+        { name: "pv-payload.json", data: JSON.stringify(opts.payload) },
+        { name: "package.bundle.js", data: opts.packageBundle },
+    ];
+    if (opts.routesBundle) {
+        files.push({ name: "routes.bundle.js", data: opts.routesBundle });
+    }
+    if (opts.uiBundle) {
+        files.push({ name: "uis.bundle.js", data: opts.uiBundle });
+    }
+    return (0, nanotar_1.createTarGzip)(files);
+}
+/**
+ * Extract a `.peers-pkg.tar.gz` and return the payload + bundle contents.
+ * Throws if the required `pv-payload.json` or `package.bundle.js` are missing.
+ */
+async function unpackPeersTarball(data) {
+    const input = data instanceof Uint8Array ? data : new Uint8Array(data);
+    const files = await (0, nanotar_1.parseTarGzip)(input);
+    const fileMap = new Map();
+    for (const f of files) {
+        if (f.type === "file" && f.data) {
+            fileMap.set(f.name, f.text ?? new TextDecoder().decode(f.data));
+        }
+    }
+    const payloadJson = fileMap.get("pv-payload.json");
+    if (!payloadJson) {
+        throw new Error("Invalid peers tarball: missing pv-payload.json");
+    }
+    const packageBundle = fileMap.get("package.bundle.js");
+    if (!packageBundle) {
+        throw new Error("Invalid peers tarball: missing package.bundle.js");
+    }
+    const payload = JSON.parse(payloadJson);
+    return {
+        payload,
+        packageBundle,
+        routesBundle: fileMap.get("routes.bundle.js"),
+        uiBundle: fileMap.get("uis.bundle.js"),
+    };
+}

package/dist/package-installer/package-tarball.test.d.ts

@@ -0,0 +1 @@
+export {};