@solcreek/dew 0.5.1 → 0.7.0

package/bin/dew

@@ -1,25 +1,215 @@
 #!/usr/bin/env node
-const { execFileSync } = require("child_process");
+"use strict";
+
+// Thin dispatcher for @solcreek/dew.
+//
+// First run downloads the matching native binary from the GitHub Release
+// for this package version, verifies SHA256 against checksums.txt, and
+// caches in DEW_CACHE_DIR. Subsequent runs spawn the cached binary directly.
+//
+// We don't ship the binary inside the npm package — it lives in
+// goreleaser-produced tarballs on GH Releases. This keeps the npm tarball
+// tiny (no binary bytes touched by npm install), avoids per-platform
+// publish setups, and lets brew/install.sh/direct download all consume
+// the same exact bytes from one canonical source.
+//
+// Override: DEW_BINARY=/path/to/dew for local builds and testing.
+// Override: DEW_CACHE_DIR=/path overrides the cache location.
+// Set DEW_VERIFY_COSIGN=1 to hard-require cosign signature verification.
+
+const fs = require("fs");
 const path = require("path");
 const os = require("os");
-const { existsSync } = require("fs");
+const https = require("https");
+const crypto = require("crypto");
+const zlib = require("zlib");
+const { spawnSync } = require("child_process");
+const { pipeline } = require("stream/promises");
+const { createWriteStream, createReadStream } = require("fs");
 
-const binDir = path.join(__dirname);
-let binary;
+const pkg = require("../package.json");
+const VERSION = pkg.version;
+const REPO = "solcreek/dew";
 
-if (os.platform() === "win32") {
-  binary = path.join(binDir, "dew.exe");
-} else {
-  binary = path.join(binDir, "dew-bin");
-}
+const SUPPORTED = {
+  "darwin-arm64": { goos: "darwin",  goarch: "arm64", binName: "dew" },
+  "darwin-x64":   { goos: "darwin",  goarch: "amd64", binName: "dew" },
+  "linux-x64":    { goos: "linux",   goarch: "amd64", binName: "dew" },
+  "linux-arm64":  { goos: "linux",   goarch: "arm64", binName: "dew" },
+  "win32-x64":    { goos: "windows", goarch: "amd64", binName: "dew.exe" },
+};
 
-if (!existsSync(binary)) {
-  console.error("dew: binary not found. Run: npm rebuild @solcreek/dew");
+function fatal(msg) {
+  process.stderr.write(`dew: ${msg}\n`);
   process.exit(1);
 }
 
-try {
-  execFileSync(binary, process.argv.slice(2), { stdio: "inherit" });
-} catch (e) {
-  process.exit(e.status || 1);
+function cacheDir() {
+  if (process.env.DEW_CACHE_DIR) return process.env.DEW_CACHE_DIR;
+  const xdg = process.env.XDG_DATA_HOME;
+  const base = xdg || path.join(os.homedir(), ".local", "share");
+  return path.join(base, "dew", "bin", VERSION);
+}
+
+function get(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, (res) => {
+      if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+        res.resume();
+        return resolve(get(res.headers.location));
+      }
+      if (res.statusCode !== 200) {
+        return reject(new Error(`HTTP ${res.statusCode} ${url}`));
+      }
+      resolve(res);
+    }).on("error", reject);
+  });
+}
+
+async function downloadTo(url, destPath) {
+  const res = await get(url);
+  await pipeline(res, createWriteStream(destPath));
+}
+
+async function fetchText(url) {
+  const res = await get(url);
+  let body = "";
+  for await (const chunk of res) body += chunk;
+  return body;
+}
+
+function sha256OfFile(p) {
+  const h = crypto.createHash("sha256");
+  return new Promise((resolve, reject) => {
+    const s = createReadStream(p);
+    s.on("data", (d) => h.update(d));
+    s.on("end", () => resolve(h.digest("hex")));
+    s.on("error", reject);
+  });
+}
+
+// Extract a single named file from a tar.gz with no native deps.
+// Tar layout: 512-byte header, payload padded to 512.
+function extractTarGz(archivePath, outDir, binName) {
+  const buf = zlib.gunzipSync(fs.readFileSync(archivePath));
+  let off = 0;
+  while (off + 512 <= buf.length) {
+    const header = buf.subarray(off, off + 512);
+    const nameRaw = header.subarray(0, 100).toString("utf8").replace(/\0.*$/, "");
+    if (!nameRaw) { off += 512; continue; }
+    const sizeOctal = header.subarray(124, 136).toString("utf8").replace(/[\0 ]+$/, "");
+    const size = parseInt(sizeOctal, 8) || 0;
+    const typeflag = String.fromCharCode(header[156]) || "0";
+    const dataStart = off + 512;
+    const dataEnd = dataStart + size;
+    if ((typeflag === "0" || typeflag === "") && path.basename(nameRaw) === binName) {
+      const dest = path.join(outDir, binName);
+      fs.writeFileSync(dest, buf.subarray(dataStart, dataEnd));
+      fs.chmodSync(dest, 0o755);
+      return true;
+    }
+    off = dataEnd + (size % 512 === 0 ? 0 : 512 - (size % 512));
+  }
+  return false;
 }
+
+async function maybeVerifyCosign(dir, sumsBody) {
+  const verifyMode = process.env.DEW_VERIFY_COSIGN || "";
+  const cosignAvailable = spawnSync("cosign", ["version"], { stdio: "ignore" }).status === 0;
+  if (verifyMode !== "1" && !cosignAvailable) return;
+
+  const base = `https://github.com/${REPO}/releases/download/v${VERSION}`;
+  const sumsPath = path.join(dir, "checksums.txt");
+  const sigPath  = path.join(dir, "checksums.txt.sig");
+  const pemPath  = path.join(dir, "checksums.txt.pem");
+  fs.writeFileSync(sumsPath, sumsBody);
+  try {
+    await downloadTo(`${base}/checksums.txt.sig`, sigPath);
+    await downloadTo(`${base}/checksums.txt.pem`, pemPath);
+  } catch (e) {
+    if (verifyMode === "1") fatal(`cosign sig fetch failed: ${e.message}`);
+    process.stderr.write("dew: cosign verification skipped (signature absent)\n");
+    return;
+  }
+  const r = spawnSync("cosign", [
+    "verify-blob",
+    "--certificate", pemPath,
+    "--signature",   sigPath,
+    "--certificate-identity-regexp",
+      `^https://github.com/${REPO}/\\.github/workflows/release\\.yml@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+`,
+    "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com",
+    sumsPath,
+  ], { stdio: verifyMode === "1" ? "inherit" : "pipe" });
+  if (r.status !== 0) {
+    if (verifyMode === "1") fatal("cosign verification failed");
+    process.stderr.write("dew: cosign verification failed (continuing — set DEW_VERIFY_COSIGN=1 to enforce)\n");
+    return;
+  }
+  process.stderr.write("dew: cosign verified\n");
+}
+
+async function ensureBinary() {
+  const triple = `${process.platform}-${process.arch}`;
+  const spec = SUPPORTED[triple];
+  if (!spec) {
+    fatal(
+      `${process.platform}/${process.arch} is not a supported platform.\n` +
+      `Supported: ${Object.keys(SUPPORTED).join(", ")}.\n` +
+      `If you have built dew from source, set DEW_BINARY=/path/to/dew.`,
+    );
+  }
+
+  const dir = cacheDir();
+  const binPath = path.join(dir, spec.binName);
+  if (fs.existsSync(binPath)) return binPath;
+
+  fs.mkdirSync(dir, { recursive: true });
+  const tarName = `dew_${VERSION}_${spec.goos}_${spec.goarch}.tar.gz`;
+  const base    = `https://github.com/${REPO}/releases/download/v${VERSION}`;
+  const tarUrl  = `${base}/${tarName}`;
+  const sumUrl  = `${base}/checksums.txt`;
+  const tarPath = path.join(dir, tarName);
+
+  process.stderr.write(`dew: downloading ${tarName}\n`);
+  try {
+    await downloadTo(tarUrl, tarPath);
+  } catch (e) {
+    fatal(`download failed: ${e.message}\n  Set DEW_BINARY=/path/to/dew to bypass.`);
+  }
+
+  process.stderr.write(`dew: verifying checksum\n`);
+  let sums;
+  try { sums = await fetchText(sumUrl); }
+  catch (e) { fatal(`could not fetch checksums.txt: ${e.message}`); }
+  const line = sums.split("\n").find((l) => l.endsWith(`  ${tarName}`));
+  if (!line) fatal(`checksums.txt has no entry for ${tarName}`);
+  const expected = line.split(/\s+/)[0];
+  const actual = await sha256OfFile(tarPath);
+  if (actual !== expected) {
+    fs.unlinkSync(tarPath);
+    fatal(`checksum mismatch for ${tarName}\n  expected ${expected}\n  got      ${actual}`);
+  }
+
+  await maybeVerifyCosign(dir, sums);
+
+  process.stderr.write(`dew: extracting\n`);
+  if (!extractTarGz(tarPath, dir, spec.binName)) {
+    fatal(`tarball missing ${spec.binName}`);
+  }
+  fs.unlinkSync(tarPath);
+  return binPath;
+}
+
+(async () => {
+  const override = process.env.DEW_BINARY;
+  let bin;
+  if (override) {
+    if (!fs.existsSync(override)) fatal(`DEW_BINARY=${override} does not exist`);
+    bin = override;
+  } else {
+    bin = await ensureBinary();
+  }
+  const result = spawnSync(bin, process.argv.slice(2), { stdio: "inherit" });
+  if (result.error) fatal(result.error.message);
+  process.exit(result.status === null ? 1 : result.status);
+})().catch((e) => fatal(e.message));

package/package.json

@@ -1,16 +1,23 @@
 {
   "name": "@solcreek/dew",
-  "version": "0.5.1",
+  "version": "0.7.0",
   "description": "Ultra-lightweight VM + deploy tool. One Go binary for local dev and production.",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/solcreek/dew"
+    "url": "git+https://github.com/solcreek/dew.git"
   },
   "bin": {
     "dew": "bin/dew"
   },
+  "files": [
+    "bin/dew",
+    "README.md"
+  ],
   "scripts": {
-    "postinstall": "node scripts/postinstall.js"
+    "test": "node --test test/*.test.mjs"
+  },
+  "engines": {
+    "node": ">=18"
   }
 }

package/scripts/postinstall.js

@@ -1,118 +0,0 @@
-const { execSync } = require("child_process");
-const { existsSync, writeFileSync, mkdirSync, chmodSync } = require("fs");
-const path = require("path");
-const os = require("os");
-
-const binDir = path.join(__dirname, "..", "bin");
-const binary = path.join(binDir, "dew-bin");
-
-if (!existsSync(binDir)) {
-  mkdirSync(binDir, { recursive: true });
-}
-
-if (!existsSync(binary)) {
-  const platform = os.platform();
-  const arch = os.arch() === "arm64" ? "arm64" : "amd64";
-  const repo = "solcreek/dew";
-  const pkg = require("../package.json");
-  const tag = `v${pkg.version}`;
-
-  let asset;
-  if (platform === "darwin") {
-    asset = `dew-darwin-${arch}`;
-  } else if (platform === "linux") {
-    asset = `dew-linux-${arch}`;
-  } else if (platform === "win32") {
-    asset = `dew-windows-x86_64.exe`;
-  } else {
-    console.log(`dew: unsupported platform ${platform}`);
-    process.exit(0);
-  }
-
-  const url = `https://github.com/${repo}/releases/download/${tag}/${asset}`;
-  console.log(`dew: downloading ${asset}...`);
-
-  try {
-    execSync(`curl -fsSL -o "${binary}" "${url}"`, { stdio: "pipe" });
-    chmodSync(binary, 0o755);
-    console.log("dew: installed");
-  } catch (e) {
-    console.log(`dew: download failed from ${url}`);
-    console.log("  GitHub Release may not exist yet.");
-    console.log("  Install manually: https://github.com/solcreek/dew/releases");
-    process.exit(0);
-  }
-}
-
-// Show how to invoke dew based on how the user installed the package.
-// npx       → `npx @solcreek/dew ...` (the binary is in a per-run cache)
-// local     → `npx dew ...` or `./node_modules/.bin/dew ...`
-// global    → `dew ...` (on PATH)
-//
-// We can't reliably detect "is this a global install" from inside
-// postinstall, so we surface all three forms once.
-function printInvocationHint() {
-  // Skip in CI / non-interactive shells unless DEW_INSTALL_HINT is set
-  if (process.env.CI && !process.env.DEW_INSTALL_HINT) return;
-
-  const npmConfig = process.env.npm_config_global === "true";
-  console.log("");
-  if (npmConfig) {
-    console.log("dew: installed globally — run `dew --help` from any terminal.");
-  } else {
-    console.log("dew: installed locally. Choose how to invoke:");
-    console.log("  • One-off:   npx @solcreek/dew --help");
-    console.log("  • Local pkg: npx dew --help    (inside this project)");
-    console.log("  • Global:    npm i -g @solcreek/dew  → then `dew --help`");
-  }
-  console.log("");
-}
-printInvocationHint();
-
-// macOS: check whether the downloaded binary already has a Developer ID
-// signature. Release binaries (≥v0.5.0) are notarized + Developer-ID-signed
-// in CI, so we MUST NOT re-sign them — `codesign --force -s -` would strip
-// the Developer ID and replace it with an ad-hoc signature, which macOS
-// rejects for the virtualization entitlement.
-//
-// We only fall back to ad-hoc signing if the binary lacks any usable
-// signature (e.g. a custom build from source, or a hypothetical fork).
-if (os.platform() === "darwin" && existsSync(binary) && !binary.endsWith(".exe")) {
-  let hasDeveloperID = false;
-  try {
-    const info = execSync(`codesign -dv "${binary}" 2>&1`, { encoding: "utf8" });
-    hasDeveloperID = /Developer ID Application/.test(info) && !/Signature=adhoc/.test(info);
-  } catch (_) {
-    // not signed at all
-  }
-
-  if (hasDeveloperID) {
-    console.log("dew: Developer ID signature detected — leaving binary untouched");
-  } else {
-    console.log("dew: binary is unsigned, falling back to ad-hoc signing");
-    console.log("dew: NOTE — ad-hoc signing means VM commands won't work.");
-    console.log("dew:        download a release binary from https://github.com/solcreek/dew/releases/latest for full functionality.");
-    const entitlements = path.join(__dirname, "entitlements.plist");
-    if (!existsSync(entitlements)) {
-      writeFileSync(
-        entitlements,
-        `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>com.apple.security.virtualization</key>
-    <true/>
-</dict>
-</plist>`
-      );
-    }
-    try {
-      execSync(
-        `codesign --entitlements "${entitlements}" --force -s - "${binary}"`,
-        { stdio: "pipe" }
-      );
-    } catch (e) {
-      console.log("dew: ⚠️  ad-hoc codesign also failed (sandboxed terminal?)");
-    }
-  }
-}