@powerhousedao/registry 6.0.0-dev.99 → 6.0.0

package/dist/cli.mjs

@@ -0,0 +1,1059 @@
+import { binary, command, flag, number, option, optional, run, string } from "cmd-ts";
+import express, { Router } from "express";
+import { findUp } from "find-up";
+import crypto, { randomBytes } from "node:crypto";
+import { mkdir } from "node:fs/promises";
+import path from "node:path";
+import { runServer } from "verdaccio";
+import { signPayload } from "@verdaccio/signature";
+import { verifyAuthBearerToken } from "@renown/sdk/node";
+import fs from "node:fs";
+import { Readable } from "node:stream";
+import { pipeline } from "node:stream/promises";
+import { extract } from "tar";
+//#endregion
+//#region src/auth/renown-middleware.ts
+function audienceMatches(aud, expected) {
+	if (!aud) return false;
+	if (Array.isArray(aud)) return aud.includes(expected);
+	return aud === expected;
+}
+/**
+* Translates a Renown-signed Bearer token (verifiable from the issuer's DID,
+* stateless) into a verdaccio-format Bearer token (signed with verdaccio's
+* own secret) that verdaccio's normal auth pipeline accepts.
+*
+* Falls through (calls `next()` without modifying auth) on any verification
+* failure: malformed token, bad signature, expired, audience mismatch, or
+* non-renown bearer token. This keeps the legacy htpasswd path usable during
+* the migration grace period — verdaccio's own apiJWTmiddleware sees the
+* original Authorization header and decides what to do with it.
+*/
+function createRenownAuthMiddleware(opts) {
+	const expectedAud = opts.publicUrl;
+	return async (req, _res, next) => {
+		const header = req.headers.authorization;
+		if (!header?.startsWith("Bearer ")) return next();
+		const token = header.slice(7).trim();
+		if (!token) return next();
+		let verified;
+		try {
+			verified = await verifyAuthBearerToken(token, { audience: expectedAud });
+		} catch {
+			return next();
+		}
+		if (!verified) return next();
+		const payload = verified.payload;
+		if (!audienceMatches(payload?.aud, expectedAud)) return next();
+		const subject = verified.verifiableCredential.credentialSubject;
+		if (!subject?.address) return next();
+		const address = subject.address.toLowerCase();
+		const groups = ["$authenticated", "renown"];
+		let verdaccioJwt;
+		try {
+			verdaccioJwt = await signPayload({
+				name: address,
+				real_groups: groups,
+				groups
+			}, opts.verdaccioSecret, { expiresIn: "5m" });
+		} catch (err) {
+			console.error("[registry] failed to mint internal verdaccio token:", err);
+			return next();
+		}
+		req.headers.authorization = `Bearer ${verdaccioJwt}`;
+		req.renownUser = {
+			address,
+			did: payload?.iss,
+			chainId: subject.chainId,
+			networkId: subject.networkId
+		};
+		return next();
+	};
+}
+//#endregion
+//#region src/semver.ts
+/**
+* Compare two semver version strings for sorting.
+* Returns negative if a < b, positive if a > b, 0 if equal.
+*
+* Handles numeric component comparison (so "1.0.10" > "1.0.9")
+* and prerelease ordering (release > prerelease).
+*/
+function compareSemver(a, b) {
+	const [coreA, preA] = a.split("-", 2);
+	const [coreB, preB] = b.split("-", 2);
+	const partsA = coreA.split(".").map(Number);
+	const partsB = coreB.split(".").map(Number);
+	for (let i = 0; i < Math.max(partsA.length, partsB.length); i++) {
+		const na = partsA[i] ?? 0;
+		const nb = partsB[i] ?? 0;
+		if (na !== nb) return na - nb;
+	}
+	if (!preA && preB) return 1;
+	if (preA && !preB) return -1;
+	if (preA && preB) return preA < preB ? -1 : preA > preB ? 1 : 0;
+	return 0;
+}
+//#endregion
+//#region src/cdn.ts
+/**
+* Parse a package specifier into name and version/tag.
+* Supports:
+*   "@scope/pkg"           -> { name: "@scope/pkg", tag: undefined }
+*   "@scope/pkg@dev"       -> { name: "@scope/pkg", tag: "dev" }
+*   "@scope/pkg@1.0.0"     -> { name: "@scope/pkg", tag: "1.0.0" }
+*   "pkg@latest"           -> { name: "pkg", tag: "latest" }
+*/
+function parsePackageSpec(spec) {
+	if (spec.startsWith("@")) {
+		const lastAt = spec.lastIndexOf("@");
+		if (lastAt > 0 && lastAt !== spec.indexOf("@")) return {
+			name: spec.slice(0, lastAt),
+			tag: spec.slice(lastAt + 1)
+		};
+		return {
+			name: spec,
+			tag: void 0
+		};
+	}
+	const atIndex = spec.indexOf("@");
+	if (atIndex > 0) return {
+		name: spec.slice(0, atIndex),
+		tag: spec.slice(atIndex + 1)
+	};
+	return {
+		name: spec,
+		tag: void 0
+	};
+}
+var CdnCache = class {
+	#extractionLocks = /* @__PURE__ */ new Map();
+	constructor(registryUrl, cdnCachePath) {
+		this.registryUrl = registryUrl;
+		this.cdnCachePath = cdnCachePath;
+	}
+	async getFileByVersion(packageName, version, filePath) {
+		const versionDir = path.join(this.cdnCachePath, packageName, version);
+		const resolved = this.#resolveFile(versionDir, filePath);
+		if (resolved) return resolved;
+		await this.#extractWithLock(packageName, version);
+		return this.#resolveFile(versionDir, filePath);
+	}
+	#resolveFile(versionDir, filePath) {
+		const candidates = [
+			path.join(versionDir, filePath),
+			path.join(versionDir, "cdn", filePath),
+			path.join(versionDir, "dist", "cdn", filePath),
+			path.join(versionDir, "dist", filePath)
+		];
+		for (const candidate of candidates) if (this.isSafePath(candidate) && fs.existsSync(candidate)) return candidate;
+		return null;
+	}
+	async #extractWithLock(packageName, version) {
+		const key = `${packageName}@${version}`;
+		const existing = this.#extractionLocks.get(key);
+		if (existing) return existing;
+		const promise = this.extractTarball(packageName, version).finally(() => {
+			this.#extractionLocks.delete(key);
+		});
+		this.#extractionLocks.set(key, promise);
+		return promise;
+	}
+	getLatestCachedVersion(packageName) {
+		const pkgDir = path.join(this.cdnCachePath, packageName);
+		try {
+			const versions = fs.readdirSync(pkgDir, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
+			if (versions.length === 0) return null;
+			versions.sort(compareSemver);
+			return versions[versions.length - 1];
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* Resolve a version for a package. If tag is a semver version that exists
+	* in the registry, return it directly. If tag is a dist-tag name (e.g.
+	* "dev", "latest"), resolve it to the concrete version. If no tag is
+	* provided, prefer "latest", then fall back to any available dist-tag.
+	*/
+	async resolveVersion(packageName, tag) {
+		try {
+			const url = `${this.registryUrl}/${encodeURIComponent(packageName)}`;
+			const res = await fetch(url, { headers: { Accept: "application/json" } });
+			if (!res.ok) return null;
+			const metadata = await res.json();
+			const distTags = metadata["dist-tags"];
+			const versions = metadata["versions"];
+			if (tag) {
+				if (versions && tag in versions) return tag;
+				if (distTags && tag in distTags) return distTags[tag];
+				return null;
+			}
+			if (!distTags) return null;
+			return distTags.latest ?? Object.values(distTags)[0] ?? null;
+		} catch {
+			return null;
+		}
+	}
+	async extractTarball(packageName, version) {
+		const destDir = path.join(this.cdnCachePath, packageName, version);
+		if (fs.existsSync(path.join(destDir, "package.json"))) return;
+		const shortName = packageName.startsWith("@") ? packageName.split("/")[1] : packageName;
+		const tarballUrl = `${this.registryUrl}/${encodeURIComponent(packageName)}/-/${shortName}-${version}.tgz`;
+		let res;
+		try {
+			res = await fetch(tarballUrl);
+			if (!res.ok || !res.body) return;
+		} catch {
+			return;
+		}
+		fs.mkdirSync(destDir, { recursive: true });
+		const tmpFile = path.join(destDir, `.tmp-tarball-${crypto.randomUUID()}.tgz`);
+		try {
+			const fileStream = fs.createWriteStream(tmpFile);
+			await pipeline(Readable.fromWeb(res.body), fileStream);
+			await extract({
+				file: tmpFile,
+				cwd: destDir,
+				strip: 1
+			});
+		} finally {
+			fs.rmSync(tmpFile, { force: true });
+		}
+	}
+	invalidate(packageName) {
+		const cacheDir = path.join(this.cdnCachePath, packageName);
+		if (!this.isSafePath(cacheDir)) return;
+		fs.rmSync(cacheDir, {
+			recursive: true,
+			force: true
+		});
+	}
+	invalidateVersion(packageName, version) {
+		const versionDir = path.join(this.cdnCachePath, packageName, version);
+		if (!this.isSafePath(versionDir)) return;
+		fs.rmSync(versionDir, {
+			recursive: true,
+			force: true
+		});
+		const pkgDir = path.join(this.cdnCachePath, packageName);
+		try {
+			if (fs.readdirSync(pkgDir).length === 0) fs.rmdirSync(pkgDir);
+		} catch {}
+	}
+	/** Remove all cached version directories except the specified one. */
+	pruneOldVersions(packageName, keepVersion) {
+		const pkgDir = path.join(this.cdnCachePath, packageName);
+		try {
+			const entries = fs.readdirSync(pkgDir, { withFileTypes: true });
+			for (const entry of entries) if (entry.isDirectory() && entry.name !== keepVersion) {
+				const dir = path.join(pkgDir, entry.name);
+				if (this.isSafePath(dir)) fs.rmSync(dir, {
+					recursive: true,
+					force: true
+				});
+			}
+		} catch {}
+	}
+	isSafePath(filePath) {
+		const resolved = path.resolve(filePath);
+		const cacheRoot = path.resolve(this.cdnCachePath);
+		return resolved.startsWith(cacheRoot + path.sep) || resolved === cacheRoot;
+	}
+};
+//#endregion
+//#region src/packages.ts
+/**
+* Read dist-tags, the full version list, and the local-publish flag for a
+* package from verdaccio's on-disk storage (`{storagePath}/{name}/package.json`).
+*
+* `locallyPublished` is tri-state:
+*   - `true`  → storage metadata has `_attachments` (tarball uploaded here).
+*   - `false` → storage metadata exists but `_attachments` is empty (proxy
+*               from the npm uplink only; no local publish at this registry).
+*   - `undefined` → metadata file wasn't readable. Happens with non-filesystem
+*               backends (S3, etc.) or if verdaccio stores metadata elsewhere.
+*               Callers should treat this as "unknown" and default to including
+*               the package, to avoid filtering the whole /packages list to an
+*               empty array on deployments where we can't observe _attachments.
+*/
+function readPackageMetadata(storagePath, packageName) {
+	if (!storagePath) return { locallyPublished: void 0 };
+	try {
+		const metadataPath = path.join(storagePath, packageName, "package.json");
+		const raw = fs.readFileSync(metadataPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		const distTags = parsed["dist-tags"];
+		const versions = (parsed.versions ? Object.keys(parsed.versions) : []).slice().sort(compareSemver);
+		const locallyPublished = !!parsed._attachments && Object.keys(parsed._attachments).length > 0;
+		return {
+			distTags: distTags && Object.keys(distTags).length > 0 ? distTags : void 0,
+			versions: versions.length > 0 ? versions : void 0,
+			locallyPublished
+		};
+	} catch {
+		return { locallyPublished: void 0 };
+	}
+}
+function readManifest(dir) {
+	const candidates = [
+		path.join(dir, "powerhouse.manifest.json"),
+		path.join(dir, "cdn", "powerhouse.manifest.json"),
+		path.join(dir, "dist", "powerhouse.manifest.json")
+	];
+	for (const manifestPath of candidates) try {
+		const raw = fs.readFileSync(manifestPath, "utf-8");
+		return JSON.parse(raw);
+	} catch {}
+	return null;
+}
+function readPackageJsonVersion(dir) {
+	try {
+		const raw = fs.readFileSync(path.join(dir, "package.json"), "utf-8");
+		const pkg = JSON.parse(raw);
+		return typeof pkg.version === "string" ? pkg.version : void 0;
+	} catch {
+		return;
+	}
+}
+function getLatestVersionDir(pkgDir) {
+	let entries;
+	try {
+		entries = fs.readdirSync(pkgDir, { withFileTypes: true });
+	} catch {
+		return null;
+	}
+	const versions = entries.filter((e) => e.isDirectory()).map((e) => e.name);
+	if (versions.length === 0) return null;
+	versions.sort(compareSemver);
+	return path.join(pkgDir, versions[versions.length - 1]);
+}
+function loadPackage(cdnCachePath, name, version) {
+	const pkgDir = path.join(cdnCachePath, name);
+	const manifestDir = (version ? path.join(pkgDir, version) : getLatestVersionDir(pkgDir)) ?? pkgDir;
+	const manifest = readManifest(manifestDir);
+	if (!manifest) return null;
+	return {
+		name: manifest.name ?? name,
+		path: `/-/cdn/${name}`,
+		manifest,
+		documentTypes: getDocumentTypesFromManifest(manifest),
+		version: readPackageJsonVersion(manifestDir)
+	};
+}
+function getDocumentTypesFromManifest(manifest) {
+	if (!manifest) return [];
+	const documentTypes = [];
+	const { apps, documentModels, editors, subgraphs } = manifest;
+	if (apps?.length) documentTypes.push("powerhouse/document-drive");
+	documentTypes.push(...(documentModels ?? []).map((dm) => dm.id), ...(editors ?? []).flatMap((e) => e.documentTypes).filter((dt) => dt !== void 0), ...(subgraphs ?? []).flatMap((e) => e.documentTypes).filter((dt) => dt !== void 0));
+	return documentTypes;
+}
+function scanPackages(cdnCachePath, storagePath) {
+	const absDir = path.resolve(cdnCachePath);
+	const packages = [];
+	let entries;
+	try {
+		entries = fs.readdirSync(absDir, { withFileTypes: true });
+	} catch {
+		return packages;
+	}
+	for (const entry of entries) {
+		if (!entry.isDirectory()) continue;
+		if (entry.name.startsWith("@")) {
+			const scopeDir = path.join(absDir, entry.name);
+			let scopedEntries;
+			try {
+				scopedEntries = fs.readdirSync(scopeDir, { withFileTypes: true });
+			} catch (error) {
+				console.log(error);
+				continue;
+			}
+			for (const scopedEntry of scopedEntries) {
+				if (!scopedEntry.isDirectory()) continue;
+				const dirName = `${entry.name}/${scopedEntry.name}`;
+				const pkgDir = path.join(scopeDir, scopedEntry.name);
+				const manifestDir = getLatestVersionDir(pkgDir) ?? pkgDir;
+				const manifest = readManifest(manifestDir);
+				const name = manifest?.name ?? dirName;
+				const { distTags, versions, locallyPublished } = readPackageMetadata(storagePath, name);
+				if (locallyPublished === false) continue;
+				packages.push({
+					name,
+					path: `/-/cdn/${dirName}`,
+					manifest,
+					documentTypes: getDocumentTypesFromManifest(manifest),
+					version: readPackageJsonVersion(manifestDir),
+					distTags,
+					versions
+				});
+			}
+		} else {
+			const pkgDir = path.join(absDir, entry.name);
+			const manifestDir = getLatestVersionDir(pkgDir) ?? pkgDir;
+			const manifest = readManifest(manifestDir);
+			const name = manifest?.name ?? entry.name;
+			const { distTags, versions, locallyPublished } = readPackageMetadata(storagePath, name);
+			if (locallyPublished === false) continue;
+			packages.push({
+				name,
+				path: `/-/cdn/${entry.name}`,
+				manifest,
+				documentTypes: getDocumentTypesFromManifest(manifest),
+				version: readPackageJsonVersion(manifestDir),
+				distTags,
+				versions
+			});
+		}
+	}
+	return packages;
+}
+function findPackagesByDocumentType(packagesDir, documentType) {
+	return scanPackages(packagesDir).filter((pkg) => {
+		if (!pkg.manifest?.documentModels) return false;
+		return pkg.manifest.documentModels.some((dm) => dm.id === documentType);
+	});
+}
+//#endregion
+//#region src/middleware.ts
+const MIME_TYPES = {
+	".js": "application/javascript",
+	".mjs": "application/javascript",
+	".css": "text/css",
+	".json": "application/json",
+	".wasm": "application/wasm",
+	".map": "application/json",
+	".html": "text/html",
+	".svg": "image/svg+xml"
+};
+function getContentType(filePath) {
+	return MIME_TYPES[path.extname(filePath).toLowerCase()] ?? "application/octet-stream";
+}
+function createPowerhouseRouter(config, sse, webhooks) {
+	const cdn = new CdnCache(`http://localhost:${config.port}`, config.cdnCachePath);
+	const router = Router();
+	router.use((_req, res, next) => {
+		res.setHeader("Access-Control-Allow-Origin", "*");
+		next();
+	});
+	router.get("/-/events", (_req, res) => {
+		sse.addClient(res);
+	});
+	router.get("/-/webhooks", (_req, res) => {
+		res.json(webhooks.getWebhooks());
+	});
+	router.post("/-/webhooks", express.json(), (req, res) => {
+		const { endpoint, headers } = req.body;
+		if (!endpoint) {
+			res.status(400).json({ error: "Missing required field: endpoint" });
+			return;
+		}
+		webhooks.addWebhook({
+			endpoint,
+			headers
+		});
+		res.status(201).json({
+			endpoint,
+			headers
+		});
+	});
+	router.delete("/-/webhooks", express.json(), (req, res) => {
+		const { endpoint } = req.body;
+		if (!endpoint) {
+			res.status(400).json({ error: "Missing required field: endpoint" });
+			return;
+		}
+		if (!webhooks.removeWebhook(endpoint)) {
+			res.status(404).json({ error: "Webhook not found" });
+			return;
+		}
+		res.status(204).end();
+	});
+	const WARM_INTERVAL_MS = 3e4;
+	let warmInFlight = false;
+	let lastWarmAt = 0;
+	async function warmCdnCacheFromVerdaccio() {
+		if (warmInFlight) return;
+		if (Date.now() - lastWarmAt < WARM_INTERVAL_MS) return;
+		warmInFlight = true;
+		try {
+			const r = await fetch(`http://localhost:${config.port}/-/verdaccio/data/packages`);
+			if (!r.ok) {
+				console.error(`[registry] verdaccio package listing returned ${r.status}`);
+				return;
+			}
+			const known = await r.json();
+			const concurrency = 8;
+			let cursor = 0;
+			const workers = Array.from({ length: concurrency }).map(async () => {
+				while (cursor < known.length) {
+					const pkg = known[cursor++];
+					if (!pkg.version) continue;
+					try {
+						await cdn.extractTarball(pkg.name, pkg.version);
+					} catch (err) {
+						console.error(`[registry] failed to warm cache for ${pkg.name}@${pkg.version}:`, err);
+					}
+				}
+			});
+			await Promise.all(workers);
+			console.log(`[registry] /packages warm-up done (${known.length} pkgs)`);
+		} catch (err) {
+			console.error("[registry] /packages warm-up failed:", err);
+		} finally {
+			warmInFlight = false;
+			lastWarmAt = Date.now();
+		}
+	}
+	warmCdnCacheFromVerdaccio();
+	router.get("/packages", (req, res) => {
+		warmCdnCacheFromVerdaccio();
+		const packages = scanPackages(config.cdnCachePath, config.storagePath);
+		const documentType = req.query.documentType;
+		if (documentType) {
+			const filtered = packages.filter((pkg) => pkg.manifest?.documentModels?.some((m) => m.id === documentType));
+			res.json(filtered);
+			return;
+		}
+		res.json(packages);
+	});
+	router.get("/packages/by-document-type", (req, res) => {
+		const documentType = req.query.type;
+		if (typeof documentType !== "string" || !documentType) {
+			res.status(400).json({ error: "Missing required query parameter: type" });
+			return;
+		}
+		const packageNames = findPackagesByDocumentType(config.cdnCachePath, documentType).map((pkg) => pkg.name);
+		res.json(packageNames);
+	});
+	router.get("/packages/*", async (req, res) => {
+		const raw = req.params[0];
+		const { name, tag } = parsePackageSpec(raw);
+		const version = await cdn.resolveVersion(name, tag) ?? cdn.getLatestCachedVersion(name);
+		const pkg = loadPackage(config.cdnCachePath, name, version ?? void 0);
+		if (!pkg) {
+			res.status(404).send("Package not found");
+			return;
+		}
+		res.json(pkg);
+	});
+	router.get("/-/cdn/*", async (req, res) => {
+		const fullPath = req.params[0];
+		let packageSpec;
+		let filePath;
+		if (fullPath.startsWith("@")) {
+			const segments = fullPath.split("/");
+			if (segments.length < 2) {
+				res.status(400).send("Invalid package path");
+				return;
+			}
+			packageSpec = `${segments[0]}/${segments[1]}`;
+			filePath = segments.slice(2).join("/") || "index.js";
+		} else {
+			const segments = fullPath.split("/");
+			packageSpec = segments[0];
+			filePath = segments.slice(1).join("/") || "index.js";
+		}
+		const { name: packageName, tag } = parsePackageSpec(packageSpec);
+		const version = await cdn.resolveVersion(packageName, tag) ?? cdn.getLatestCachedVersion(packageName);
+		if (!version) {
+			res.status(404).send("File not found");
+			return;
+		}
+		const resolved = await cdn.getFileByVersion(packageName, version, filePath);
+		if (!resolved) {
+			res.status(404).send("File not found");
+			return;
+		}
+		res.setHeader("Content-Type", getContentType(filePath));
+		const content = fs.readFileSync(resolved);
+		res.send(content);
+	});
+	return router;
+}
+/**
+* Parse verdaccio's unpublish URL shape:
+*   DELETE /<pkg>/-rev/<rev>                           → full package
+*   DELETE /<pkg>/-/<tarball-name>/-rev/<rev>          → single version
+* where <pkg> may be scoped (@scope%2Fname, encoded) or unscoped, and the
+* tarball name is `<short-name>-<version>.tgz`.
+*/
+function parseUnpublishRequest(reqPath) {
+	const revIdx = reqPath.indexOf("/-rev/");
+	if (revIdx <= 0) return null;
+	const beforeRev = reqPath.slice(1, revIdx);
+	const tarballIdx = beforeRev.indexOf("/-/");
+	if (tarballIdx === -1) return {
+		packageName: decodeURIComponent(beforeRev),
+		version: null
+	};
+	const packageName = decodeURIComponent(beforeRev.slice(0, tarballIdx));
+	const tarballName = beforeRev.slice(tarballIdx + 3);
+	if (!tarballName.endsWith(".tgz")) return null;
+	const prefix = `${packageName.startsWith("@") ? packageName.split("/")[1] : packageName}-`;
+	if (!tarballName.startsWith(prefix)) return null;
+	const version = tarballName.slice(prefix.length, -4);
+	if (!version) return null;
+	return {
+		packageName,
+		version
+	};
+}
+function createUnpublishHook(config, notifications) {
+	const cdn = new CdnCache(`http://localhost:${config.port}`, config.cdnCachePath);
+	return (req, res, next) => {
+		if (req.method !== "DELETE") {
+			next();
+			return;
+		}
+		const parsed = parseUnpublishRequest(req.path);
+		if (!parsed) {
+			next();
+			return;
+		}
+		const originalEnd = res.end.bind(res);
+		res.end = function(chunk, encoding, cb) {
+			if (res.statusCode >= 200 && res.statusCode < 300) try {
+				if (parsed.version) cdn.invalidateVersion(parsed.packageName, parsed.version);
+				else cdn.invalidate(parsed.packageName);
+				const renownUser = req.renownUser;
+				notifications.notifyUnpublish({
+					packageName: parsed.packageName,
+					version: parsed.version,
+					publishedBy: renownUser ? {
+						address: renownUser.address,
+						did: renownUser.did
+					} : void 0
+				});
+			} catch (err) {
+				console.error(`[registry] CDN purge failed for ${parsed.packageName}${parsed.version ? `@${parsed.version}` : ""}:`, err);
+			}
+			return originalEnd(chunk, encoding, cb);
+		};
+		next();
+	};
+}
+function createPublishHook(config, notifications) {
+	const cdn = new CdnCache(`http://localhost:${config.port}`, config.cdnCachePath);
+	return (req, res, next) => {
+		if (req.method !== "PUT" || req.path.includes("/-rev/")) {
+			next();
+			return;
+		}
+		const originalEnd = res.end.bind(res);
+		res.end = function(chunk, encoding, cb) {
+			const urlPath = req.path.replace(/^\//, "");
+			if (res.statusCode < 200 || res.statusCode >= 300 || !urlPath || urlPath.startsWith("-")) return originalEnd(chunk, encoding, cb);
+			const packageName = decodeURIComponent(urlPath);
+			const versionsObj = req.body.versions;
+			const versions = Object.keys(versionsObj);
+			const version = versions.at(0);
+			if (!version) {
+				console.error(`[registry] No version found for ${packageName}`);
+				return originalEnd(chunk, encoding, cb);
+			}
+			if (versions.length > 1) console.warn(`[registry] Multiple versions published for ${packageName}: ${JSON.stringify(versions)}`);
+			const renownUser = req.renownUser;
+			const publishedBy = renownUser ? {
+				address: renownUser.address,
+				did: renownUser.did
+			} : void 0;
+			cdn.extractTarball(packageName, version).then(() => {
+				notifications.notifyPublish({
+					packageName,
+					version,
+					publishedBy
+				});
+			}).catch((err) => {
+				console.error(`[registry] Failed to extract ${packageName} to CDN cache:`, err);
+			});
+			return originalEnd(chunk, encoding, cb);
+		};
+		next();
+	};
+}
+//#endregion
+//#region src/notifications/manager.ts
+var NotificationManager = class {
+	#channels;
+	constructor(channels) {
+		this.#channels = channels;
+	}
+	notifyPublish(event) {
+		for (const channel of this.#channels) channel.notifyPublish(event);
+	}
+	notifyUnpublish(event) {
+		for (const channel of this.#channels) channel.notifyUnpublish(event);
+	}
+};
+//#endregion
+//#region src/notifications/sse.ts
+var SSEChannel = class {
+	#clients = /* @__PURE__ */ new Set();
+	addClient(res) {
+		res.writeHead(200, {
+			"Content-Type": "text/event-stream",
+			"Cache-Control": "no-cache",
+			Connection: "keep-alive",
+			"Access-Control-Allow-Origin": "*"
+		});
+		res.write("event: connected\ndata: {}\n\n");
+		this.#clients.add(res);
+		res.on("close", () => {
+			this.#clients.delete(res);
+		});
+	}
+	notifyPublish(event) {
+		this.#broadcast("publish", event);
+	}
+	notifyUnpublish(event) {
+		this.#broadcast("unpublish", event);
+	}
+	#broadcast(eventName, event) {
+		const payload = `event: ${eventName}\ndata: ${JSON.stringify(event)}\n\n`;
+		for (const client of this.#clients) try {
+			client.write(payload);
+		} catch (err) {
+			console.error("[registry] SSE client write failed:", err);
+			this.#clients.delete(client);
+		}
+	}
+};
+//#endregion
+//#region src/notifications/webhook.ts
+const WEBHOOKS_FILE = "webhooks.json";
+var WebhookChannel = class {
+	#predefined;
+	#dynamic;
+	#storagePath;
+	constructor(storagePath, config) {
+		this.#storagePath = storagePath;
+		this.#predefined = config?.webhooks ?? [];
+		this.#dynamic = this.#load();
+	}
+	getWebhooks() {
+		return [...this.#predefined, ...this.#dynamic];
+	}
+	addWebhook(webhook) {
+		if (this.getWebhooks().some((w) => w.endpoint === webhook.endpoint)) return;
+		this.#dynamic.push(webhook);
+		this.#save();
+	}
+	removeWebhook(endpoint) {
+		const before = this.#dynamic.length;
+		this.#dynamic = this.#dynamic.filter((w) => w.endpoint !== endpoint);
+		if (this.#dynamic.length === before) return false;
+		this.#save();
+		return true;
+	}
+	notifyPublish(event) {
+		this.#post({
+			type: "publish",
+			...event
+		});
+	}
+	notifyUnpublish(event) {
+		this.#post({
+			type: "unpublish",
+			...event
+		});
+	}
+	#post(body) {
+		for (const webhook of this.getWebhooks()) {
+			const headers = {
+				"Content-Type": "application/json",
+				...webhook.headers
+			};
+			fetch(webhook.endpoint, {
+				method: "POST",
+				headers,
+				body: JSON.stringify(body)
+			}).catch((err) => {
+				console.error(`[registry] Webhook to ${webhook.endpoint} failed:`, err);
+			});
+		}
+	}
+	#filePath() {
+		return path.join(this.#storagePath, WEBHOOKS_FILE);
+	}
+	#load() {
+		try {
+			const raw = fs.readFileSync(this.#filePath(), "utf-8");
+			return JSON.parse(raw);
+		} catch {
+			return [];
+		}
+	}
+	#save() {
+		fs.mkdirSync(this.#storagePath, { recursive: true });
+		fs.writeFileSync(this.#filePath(), JSON.stringify(this.#dynamic, null, 2));
+	}
+};
+//#endregion
+//#region src/verdaccio-config.ts
+function buildVerdaccioConfig(config) {
+	const htpasswdPath = path.join(config.storagePath, "htpasswd");
+	const uplinkUrl = config.uplink ?? "https://registry.npmjs.org/";
+	const base = {
+		storage: config.storagePath,
+		self_path: "./",
+		...config.verdaccioSecret ? { secret: config.verdaccioSecret } : {},
+		security: { api: { jwt: {
+			sign: { expiresIn: "5m" },
+			verify: {}
+		} } },
+		auth: { htpasswd: { file: htpasswdPath } },
+		uplinks: { npmjs: {
+			url: uplinkUrl,
+			maxage: "15m",
+			timeout: "30s",
+			cache: true
+		} },
+		packages: (() => {
+			const local = config.localPackagePatterns ?? [];
+			const localSet = new Set(local);
+			const access = {
+				access: "$all",
+				publish: "$authenticated",
+				unpublish: "$authenticated"
+			};
+			const entries = [];
+			for (const pattern of local) entries.push([pattern, { ...access }]);
+			if (!localSet.has("@powerhousedao/*")) entries.push(["@powerhousedao/*", {
+				...access,
+				proxy: "npmjs"
+			}]);
+			if (!localSet.has("**")) entries.push(["**", {
+				...access,
+				proxy: "npmjs"
+			}]);
+			return Object.fromEntries(entries);
+		})(),
+		web: {
+			enable: config.webEnabled !== false,
+			title: "Powerhouse Registry",
+			logo: "https://raw.githubusercontent.com/powerhouse-inc/powerhouse/main/packages/registry/static/logo.svg",
+			favicon: "/-/static/favicon.ico",
+			primary_color: "#38C780",
+			darkMode: true
+		},
+		server: { keepAliveTimeout: 60 },
+		log: {
+			type: "stdout",
+			format: "pretty",
+			level: "warn"
+		},
+		max_body_size: config.maxBodySize ?? "300mb"
+	};
+	if (config.s3) base.store = { "aws-s3-storage": {
+		bucket: config.s3.bucket,
+		endpoint: config.s3.endpoint,
+		region: config.s3.region,
+		s3ForcePathStyle: config.s3.s3ForcePathStyle ?? true,
+		...config.s3.keyPrefix && { keyPrefix: config.s3.keyPrefix },
+		...config.s3.accessKeyId && { accessKeyId: config.s3.accessKeyId },
+		...config.s3.secretAccessKey && { secretAccessKey: config.s3.secretAccessKey }
+	} };
+	return base;
+}
+//#endregion
+//#region src/run.ts
+async function resolveDir(dir) {
+	if (path.isAbsolute(dir)) {
+		await mkdir(dir, { recursive: true });
+		return dir;
+	}
+	const found = await findUp(dir, { type: "directory" });
+	if (!found) {
+		await mkdir(dir, { recursive: true });
+		return dir;
+	}
+	return found;
+}
+async function runRegistry(args) {
+	const { port, storageDir, cdnCacheDir, uplink, webEnabled, webhooks, s3AccessKeyId, s3Bucket, s3Endpoint, s3ForcePathStyle, s3KeyPrefix, s3Region, s3SecretAccessKey, publicUrl, authRenown, verdaccioSecret: verdaccioSecretArg, localPackages } = args;
+	const storagePath = await resolveDir(storageDir);
+	const cdnCachePath = await resolveDir(cdnCacheDir);
+	const verdaccioSecret = verdaccioSecretArg ?? randomBytes(32).toString("hex");
+	const renownEnabled = authRenown === true && Boolean(publicUrl);
+	if (authRenown === true && !publicUrl) console.warn("[registry] auth-renown is enabled but --public-url / PH_REGISTRY_PUBLIC_URL is not set; Renown auth will be disabled.");
+	console.log({
+		storagePath,
+		cdnCachePath
+	});
+	const webhookConfigs = webhooks?.split(",").map((url) => url.trim()).filter(Boolean).map((endpoint) => ({ endpoint }));
+	const localPackagePatterns = localPackages?.split(",").map((p) => p.trim()).filter(Boolean);
+	const config = {
+		port,
+		storagePath,
+		cdnCachePath,
+		uplink,
+		webEnabled,
+		verdaccioSecret,
+		...localPackagePatterns?.length ? { localPackagePatterns } : {},
+		...renownEnabled && publicUrl ? { renown: { publicUrl } } : {},
+		...webhookConfigs?.length && { notify: { webhooks: webhookConfigs } },
+		...s3Bucket && s3Endpoint && s3Region && { s3: {
+			bucket: s3Bucket,
+			endpoint: s3Endpoint,
+			region: s3Region,
+			accessKeyId: s3AccessKeyId,
+			secretAccessKey: s3SecretAccessKey,
+			keyPrefix: s3KeyPrefix,
+			s3ForcePathStyle
+		} }
+	};
+	await mkdir(storagePath, { recursive: true });
+	await mkdir(cdnCachePath, { recursive: true });
+	const verdaccioHandler = (await runServer(buildVerdaccioConfig(config))).listeners("request")[0];
+	const app = express();
+	const sseChannel = new SSEChannel();
+	const webhookChannel = new WebhookChannel(config.storagePath, config.notify);
+	const notifications = new NotificationManager([sseChannel, webhookChannel]);
+	const staticDir = await findUp("static", { type: "directory" });
+	if (staticDir) app.use("/-/static", express.static(staticDir));
+	app.use(createPowerhouseRouter(config, sseChannel, webhookChannel));
+	if (config.renown) app.use(createRenownAuthMiddleware({
+		publicUrl: config.renown.publicUrl,
+		verdaccioSecret
+	}));
+	app.use(createPublishHook(config, notifications));
+	app.use(createUnpublishHook(config, notifications));
+	app.use((req, res) => verdaccioHandler(req, res));
+	return app.listen(port, () => {
+		console.log(`Powerhouse Registry running on http://localhost:${port}`);
+		console.log(`  CDN:      http://localhost:${port}/-/cdn/`);
+		console.log(`  Packages: http://localhost:${port}/packages`);
+		console.log(`  npm:      http://localhost:${port}/`);
+		console.log(`  Storage:  ${storagePath}`);
+		console.log(`  CDN cache: ${cdnCachePath}`);
+		if (config.s3) console.log(`  S3:       ${config.s3.endpoint}/${config.s3.bucket}`);
+		if (config.renown) console.log(`  Renown auth: ${config.renown.publicUrl}`);
+	});
+}
+//#endregion
+//#region cli.ts
+const registryCommand = command({
+	name: "Package registry",
+	args: {
+		port: option({
+			long: "port",
+			type: number,
+			defaultValue: () => Number(process.env.PORT) || 8080,
+			defaultValueIsSerializable: true
+		}),
+		storageDir: option({
+			long: "storage-dir",
+			type: string,
+			defaultValue: () => process.env.REGISTRY_STORAGE || "./storage",
+			defaultValueIsSerializable: true
+		}),
+		cdnCacheDir: option({
+			long: "cdn-cache-dir",
+			type: string,
+			defaultValue: () => process.env.REGISTRY_CDN_CACHE || "./cdn-cache",
+			defaultValueIsSerializable: true
+		}),
+		uplink: option({
+			long: "uplink",
+			type: optional(string),
+			defaultValue: () => process.env.REGISTRY_UPLINK,
+			defaultValueIsSerializable: true
+		}),
+		s3Bucket: option({
+			long: "s3-bucket",
+			type: optional(string),
+			defaultValue: () => process.env.S3_BUCKET,
+			defaultValueIsSerializable: true
+		}),
+		s3Endpoint: option({
+			long: "s3-endpoint",
+			type: optional(string),
+			defaultValue: () => process.env.S3_ENDPOINT,
+			defaultValueIsSerializable: true
+		}),
+		s3Region: option({
+			long: "s3-region",
+			type: optional(string),
+			defaultValue: () => process.env.S3_REGION,
+			defaultValueIsSerializable: true
+		}),
+		s3AccessKeyId: option({
+			long: "s3-access-key-id",
+			type: optional(string),
+			defaultValue: () => process.env.S3_ACCESS_KEY_ID,
+			defaultValueIsSerializable: true
+		}),
+		s3SecretAccessKey: option({
+			long: "s3-secret-access-key",
+			type: optional(string),
+			defaultValue: () => process.env.S3_SECRET_ACCESS_KEY,
+			defaultValueIsSerializable: true
+		}),
+		s3KeyPrefix: option({
+			long: "s3-key-prefix",
+			type: optional(string),
+			defaultValue: () => process.env.S3_KEY_PREFIX,
+			defaultValueIsSerializable: true
+		}),
+		s3ForcePathStyle: flag({
+			long: "s3-force-path-style",
+			defaultValue: () => process.env.S3_FORCE_PATH_STYLE !== "false",
+			defaultValueIsSerializable: true
+		}),
+		webEnabled: flag({
+			long: "web-enabled",
+			defaultValue: () => process.env.REGISTRY_WEB !== "false",
+			defaultValueIsSerializable: true
+		}),
+		webhooks: option({
+			long: "webhook",
+			type: optional(string),
+			description: "Comma-separated webhook URLs to notify on publish",
+			defaultValue: () => process.env.REGISTRY_WEBHOOKS,
+			defaultValueIsSerializable: true
+		}),
+		publicUrl: option({
+			long: "public-url",
+			type: optional(string),
+			description: "Public origin of this registry (used as the JWT `aud` claim for Renown bearer tokens). Required when --auth-renown is true.",
+			defaultValue: () => process.env.PH_REGISTRY_PUBLIC_URL,
+			defaultValueIsSerializable: true
+		}),
+		authRenown: flag({
+			long: "auth-renown",
+			description: "Verify Renown-signed bearer tokens in front of verdaccio (stateless). Disabled when --public-url is unset.",
+			defaultValue: () => process.env.PH_REGISTRY_AUTH_RENOWN === "true",
+			defaultValueIsSerializable: true
+		}),
+		verdaccioSecret: option({
+			long: "verdaccio-secret",
+			type: optional(string),
+			description: "Override verdaccio's internal JWT signing secret. Default: random per pod (fine — the swapped JWT never leaves this process).",
+			defaultValue: () => process.env.PH_REGISTRY_VERDACCIO_SECRET,
+			defaultValueIsSerializable: true
+		}),
+		localPackages: option({
+			long: "local-packages",
+			type: optional(string),
+			description: "Comma-separated globs (e.g. '@powerhousedao/*,document-model,ph-cmd') served locally only — no npmjs uplink proxy. Lets you re-publish a workspace package whose version already exists on npmjs without bumping.",
+			defaultValue: () => process.env.PH_REGISTRY_LOCAL_PACKAGES,
+			defaultValueIsSerializable: true
+		})
+	},
+	handler: async (args) => {
+		console.log(args);
+		try {
+			await runRegistry(args);
+		} catch (error) {
+			console.error("Failed to start registry:");
+			console.error(error);
+			process.exit(1);
+		}
+	}
+});
+await run(binary(registryCommand), process.argv);
+//#endregion
+export { registryCommand };
+
+//# sourceMappingURL=cli.mjs.map