@supatype/cli 0.1.0-alpha.12 → 0.1.0-alpha.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (18) hide show
  1. package/.turbo/turbo-build.log +1 -1
  2. package/.turbo/turbo-test.log +82 -81
  3. package/.turbo/turbo-typecheck.log +1 -1
  4. package/dist/binary-cache.d.ts +11 -3
  5. package/dist/binary-cache.d.ts.map +1 -1
  6. package/dist/binary-cache.js +62 -39
  7. package/dist/binary-cache.js.map +1 -1
  8. package/dist/engine-client.d.ts.map +1 -1
  9. package/dist/engine-client.js +12 -4
  10. package/dist/engine-client.js.map +1 -1
  11. package/dist/scripts/postinstall.js +5 -1
  12. package/dist/scripts/postinstall.js.map +1 -1
  13. package/package.json +1 -1
  14. package/src/binary-cache.ts +64 -42
  15. package/src/engine-client.ts +11 -4
  16. package/src/scripts/postinstall.ts +7 -1
  17. package/tests/minisign.test.ts +102 -0
  18. package/tsconfig.tsbuildinfo +1 -1
package/dist/engine-client.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"engine-client.js","sourceRoot":"","sources":["../src/engine-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACvF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAiD7E,MAAM,OAAO,WAAY,SAAQ,KAAK;IAGlB;IACA;IAHlB,YACE,OAAe,EACC,QAAgB,EAChB,QAAuB;QAEvC,KAAK,CAAC,OAAO,CAAC,CAAA;QAHE,aAAQ,GAAR,QAAQ,CAAQ;QAChB,aAAQ,GAAR,QAAQ,CAAe;QAGvC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAA;IAC3B,CAAC;CACF;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,IAAI,UAAU,GAAkB,IAAI,CAAA;AAEpC,KAAK,UAAU,YAAY;IACzB,IAAI,UAAU;QAAE,OAAO,UAAU,CAAA;IAEjC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;QAC9B,UAAU,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;QAClD,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,gEAAgE;IAClE,CAAC;IAED,oEAAoE;IACpE,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;IAClC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;IACtE,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,CAAA;QACzD,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,mBAAmB,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;YACjG,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpB,UAAU,GAAG,GAAG,CAAA;gBAChB,OAAO,UAAU,CAAA;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,6BAA6B,CAAC,CAAC;IAEzC,MAAM,IAAI,KAAK,CACb,+CAA+C,CAChD,CAAA;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,mEAAmE;AACnE,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,YAAY,EAAE,CAAA;AACtB,CAAC;AAED,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAA;QAChC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAClE,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAA;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,IAA6B;IAE7B,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAA;IAEhC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAA;IAChD,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACtC,MAAM,OAAO,GAAa,EAAE,CAAA;IAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IACtD,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACnE,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAA;IACpD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAErB,IAAI,MAA0B,CAAA;IAC9B,IAAI,YAAgC,CAAA;IACpC,IAAI,OAAO,IAAI,CAAC,0BAA0B,CAAC,KAAK,QAAQ,EAAE,CAAC;QACzD,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QACjD,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,0BAA0B,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAA;QAC9E,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IACtB,CAAC;IACD,IAAI,IAAI,CAAC,yBAAyB,CAAC,KAAK,SAAS,EAAE,CAAC;QAClD,YAAY,GAAG,IAAI,CAAC,MAAM,EAAE,YAAY,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC1D,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAA;QAC5E,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;IAC5B,CAAC;IAED,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE;QACnD,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3C,GAAG,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxD,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE;QAClC,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;KACnB,CAAC,CAAA;IAEF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,aAAa,CAAA;QACrD,MAAM,IAAI,WAAW,CACnB,UAAU,QAAQ,iBAAiB,MAAM,CAAC,MAAM,MAAM,MAAM,EAAE,EAC9D,QAAQ,EACR,MAAM,CAAC,MAAM,CACd,CAAA;IACH,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC;QAC3B,6CAA6C;QAC7C,OAAO,EAAO,CAAA;IAChB,CAAC;IAED,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAM,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;QACvC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAO,CAAA;IAC/C,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,SAAS,cAAc,CACrB,QAAgB,EAChB,IAA6B,EAC7B,OAAe,EACf,OAAoD;IAEpD,MAAM,KAAK,GAAI,IAAI,CAAC,cAAc,CAAwB,IAAI,EAAE,CAAA;IAChE,MAAM,MAAM,GAAI,IAAI,CAAC,QAAQ,CAAwB,IAAI,QAAQ,CAAA;IACjE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC9C,MAAM,cAAc,GAClB,IAAI,CAAC,iBAAiB,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAEzF,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;QAElF,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,UAAU,GAAa,EAAE,CAAA;YAC/B,IAAI,OAAO,EAAE,MAAM;gBAAE,UAAU,CAAC,IAAI,CAAC,qBAAqB,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;YAC3E,IAAI,OAAO,EAAE,YAAY;gBAAE,UAAU,CAAC,IAAI,CAAC,2BAA2B,EAAE,OAAO,CAAC,YAAY,CAAC,CAAA;YAC7F,OAAO;gBACL,MAAM;gBACN,SAAS;gBACT,OAAO;gBACP,gBAAgB;gBAChB,KAAK;gBACL,UAAU;gBACV,MAAM;gBACN,GAAG,KAAK;gBACR,GAAG,cAAc;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,KAAK,WAAW;YACd,OAAO,CAAC,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;QAElE,KAAK,QAAQ;YACX,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;QAEtC,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,IAAI,GAAI,IAAI,CAAC,MAAM,CAAwB,IAAI,YAAY,CAAA;YACjE,OAAO,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAA;QACzD,CAAC;QAED,KAAK,aAAa;YAChB,OAAO,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;QAEpE,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACjD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACtD,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,CAAA;QAC3G,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACtD,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,CAAA;QACvG,CAAC;QAED,KAAK,WAAW;YACd,OAAO,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;QAEzC,KAAK,QAAQ;YACX,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;QAEtC;YACE,IAAI,QAAQ,KAAK,aAAa,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBACrE,MAAM,MAAM,GAAI,IAAI,CAAC,QAAQ,CAAwB,IAAI,MAAM,CAAA;gBAC/D,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;oBAC1B,OAAO,CAAC,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;gBAClE,CAAC;gBACD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAuB,CAAA;gBAC/C,IAAI,IAAI,EAAE,CAAC;oBACT,OAAO,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAA;gBAChE,CAAC;gBACD,OAAO,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAA;YAChD,CAAC;YACD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IAC5D,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"engine-client.js","sourceRoot":"","sources":["../src/engine-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACvF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAiDjD,MAAM,OAAO,WAAY,SAAQ,KAAK;IAGlB;IACA;IAHlB,YACE,OAAe,EACC,QAAgB,EAChB,QAAuB;QAEvC,KAAK,CAAC,OAAO,CAAC,CAAA;QAHE,aAAQ,GAAR,QAAQ,CAAQ;QAChB,aAAQ,GAAR,QAAQ,CAAe;QAGvC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAA;IAC3B,CAAC;CACF;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,IAAI,UAAU,GAAkB,IAAI,CAAA;AAEpC,KAAK,UAAU,YAAY;IACzB,IAAI,UAAU;QAAE,OAAO,UAAU,CAAA;IAEjC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;QAC9B,2EAA2E;QAC3E,2EAA2E;QAC3E,UAAU,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;QACjD,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,wEAAwE;QACxE,yDAAyD;QACzD,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAChE,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC;YAAE,MAAM,GAAG,CAAA;QACrD,0EAA0E;IAC5E,CAAC;IAED,oEAAoE;IACpE,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;IAClC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;IACtE,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC,IAAI,EAAE,CAAA;QACzD,KAAK,MAAM,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,mBAAmB,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;YACjG,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpB,UAAU,GAAG,GAAG,CAAA;gBAChB,OAAO,UAAU,CAAA;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,6BAA6B,CAAC,CAAC;IAEzC,MAAM,IAAI,KAAK,CACb,+CAA+C,CAChD,CAAA;AACH,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,mEAAmE;AACnE,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,YAAY,EAAE,CAAA;AACtB,CAAC;AAED,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAA;QAChC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAClE,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAA;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAgB,EAChB,IAA6B;IAE7B,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAA;IAEhC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAA;IAChD,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACtC,MAAM,OAAO,GAAa,EAAE,CAAA;IAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IACtD,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACnE,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAA;IACpD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAErB,IAAI,MAA0B,CAAA;IAC9B,IAAI,YAAgC,CAAA;IACpC,IAAI,OAAO,IAAI,CAAC,0BAA0B,CAAC,KAAK,QAAQ,EAAE,CAAC;QACzD,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,WAAW,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QACjD,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,0BAA0B,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAA;QAC9E,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IACtB,CAAC;IACD,IAAI,IAAI,CAAC,yBAAyB,CAAC,KAAK,SAAS,EAAE,CAAC;QAClD,YAAY,GAAG,IAAI,CAAC,MAAM,EAAE,YAAY,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC1D,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,CAAC,CAAA;QAC5E,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;IAC5B,CAAC;IAED,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE;QACnD,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3C,GAAG,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxD,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE;QAClC,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;KACnB,CAAC,CAAA;IAEF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,aAAa,CAAA;QACrD,MAAM,IAAI,WAAW,CACnB,UAAU,QAAQ,iBAAiB,MAAM,CAAC,MAAM,MAAM,MAAM,EAAE,EAC9D,QAAQ,EACR,MAAM,CAAC,MAAM,CACd,CAAA;IACH,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,CAAC;QAC3B,6CAA6C;QAC7C,OAAO,EAAO,CAAA;IAChB,CAAC;IAED,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAM,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;QACvC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAO,CAAA;IAC/C,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,SAAS,cAAc,CACrB,QAAgB,EAChB,IAA6B,EAC7B,OAAe,EACf,OAAoD;IAEpD,MAAM,KAAK,GAAI,IAAI,CAAC,cAAc,CAAwB,IAAI,EAAE,CAAA;IAChE,MAAM,MAAM,GAAI,IAAI,CAAC,QAAQ,CAAwB,IAAI,QAAQ,CAAA;IACjE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAC9C,MAAM,cAAc,GAClB,IAAI,CAAC,iBAAiB,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAEzF,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;QAElF,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,UAAU,GAAa,EAAE,CAAA;YAC/B,IAAI,OAAO,EAAE,MAAM;gBAAE,UAAU,CAAC,IAAI,CAAC,qBAAqB,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;YAC3E,IAAI,OAAO,EAAE,YAAY;gBAAE,UAAU,CAAC,IAAI,CAAC,2BAA2B,EAAE,OAAO,CAAC,YAAY,CAAC,CAAA;YAC7F,OAAO;gBACL,MAAM;gBACN,SAAS;gBACT,OAAO;gBACP,gBAAgB;gBAChB,KAAK;gBACL,UAAU;gBACV,MAAM;gBACN,GAAG,KAAK;gBACR,GAAG,cAAc;gBACjB,GAAG,UAAU;aACd,CAAA;QACH,CAAC;QAED,KAAK,WAAW;YACd,OAAO,CAAC,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;QAElE,KAAK,QAAQ;YACX,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;QAEtC,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,IAAI,GAAI,IAAI,CAAC,MAAM,CAAwB,IAAI,YAAY,CAAA;YACjE,OAAO,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAA;QACzD,CAAC;QAED,KAAK,aAAa;YAChB,OAAO,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;QAEpE,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACjD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACtD,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,CAAA;QAC3G,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;YACtD,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,CAAA;QACvG,CAAC;QAED,KAAK,WAAW;YACd,OAAO,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;QAEzC,KAAK,QAAQ;YACX,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;QAEtC;YACE,IAAI,QAAQ,KAAK,aAAa,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;gBACrE,MAAM,MAAM,GAAI,IAAI,CAAC,QAAQ,CAAwB,IAAI,MAAM,CAAA;gBAC/D,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;oBAC1B,OAAO,CAAC,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;gBAClE,CAAC;gBACD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAuB,CAAA;gBAC/C,IAAI,IAAI,EAAE,CAAC;oBACT,OAAO,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAA;gBAChE,CAAC;gBACD,OAAO,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAA;YAChD,CAAC;YACD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,CAAA;IAC5D,CAAC;AACH,CAAC"}
package/dist/scripts/postinstall.js CHANGED
@@ -33,7 +33,11 @@ async function main() {
33
33
  }
34
34
  }
35
35
  if (anyFailed) {
36
- console.error("[supatype] Some downloads failed. Run 'supatype update' to retry.");
36
+ // npm hides postinstall output unless --foreground-scripts, so don't rely on
37
+ // this being seen: the CLI re-attempts the download (with retry) on first use.
38
+ console.error("[supatype] Some component binaries failed to download. " +
39
+ "They will be re-downloaded automatically on first use; " +
40
+ "run 'supatype update' to retry now.");
37
41
  }
38
42
  else {
39
43
  console.log("[supatype] All component binaries downloaded successfully.");
package/dist/scripts/postinstall.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"postinstall.js","sourceRoot":"","sources":["../../src/scripts/postinstall.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,sBAAsB,EAAkB,MAAM,oBAAoB,CAAA;AAEtG,KAAK,UAAU,IAAI;IACjB,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;IAElC,IAAI,QAAmC,CAAA;IACvC,IAAI,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;QAC/D,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAA;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,+CAAgD,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;QACtF,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAA;QACjF,OAAM;IACR,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,iDAAiD,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,CAAA;IAE/F,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAA0B,CAAA;IAEpE,IAAI,SAAS,GAAG,KAAK,CAAA;IACrB,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,UAAU,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,iCAAiC,SAAS,KAAK,OAAO,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YAClG,SAAS,GAAG,IAAI,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,mEAAmE,CAAC,CAAA;IACpF,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAA;IAC3E,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,iEAAiE;IACjE,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAA;IACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
1
+ {"version":3,"file":"postinstall.js","sourceRoot":"","sources":["../../src/scripts/postinstall.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,sBAAsB,EAAkB,MAAM,oBAAoB,CAAA;AAEtG,KAAK,UAAU,IAAI;IACjB,MAAM,QAAQ,GAAG,eAAe,EAAE,CAAA;IAElC,IAAI,QAAmC,CAAA;IACvC,IAAI,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;QAC/D,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAA;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,+CAAgD,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;QACtF,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAA;QACjF,OAAM;IACR,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,iDAAiD,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,CAAA;IAE/F,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAA0B,CAAA;IAEpE,IAAI,SAAS,GAAG,KAAK,CAAA;IACrB,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,UAAU,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,iCAAiC,SAAS,KAAK,OAAO,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAA;YAClG,SAAS,GAAG,IAAI,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,6EAA6E;QAC7E,+EAA+E;QAC/E,OAAO,CAAC,KAAK,CACX,yDAAyD;YACvD,yDAAyD;YACzD,qCAAqC,CACxC,CAAA;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAA;IAC3E,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,iEAAiE;IACjE,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAA;IACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@supatype/cli",
3
- "version": "0.1.0-alpha.12",
3
+ "version": "0.1.0-alpha.13",
4
4
  "description": "Supatype CLI — schema push, introspect, generate",
5
5
  "type": "module",
6
6
  "bin": {
package/src/binary-cache.ts CHANGED
@@ -7,10 +7,13 @@
7
7
  *
8
8
  * Security model:
9
9
  * 1. Download checksums.sha256 + checksums.sha256.minisig from CDN.
10
- * 2. Verify Ed25519 minisign signature on the checksum file using the
11
- * embedded public key (SUPATYPE_RELEASE_PUBLIC_KEY).
10
+ * 2. Verify the Ed25519 minisign signature on the checksum file using the
11
+ * release public key (embedded at publish, overridable via
12
+ * SUPATYPE_RELEASE_PUBLIC_KEY).
12
13
  * 3. Verify SHA256 of the downloaded binary against the signed checksum.
13
- * Both checks are mandatory when SUPATYPE_RELEASE_PUBLIC_KEY is set.
14
+ * Verification is mandatory and fails closed: if no public key is configured,
15
+ * the download errors out rather than silently degrading to SHA256-only.
16
+ * The only escape hatch is the explicit SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1.
14
17
  */
15
18
 
16
19
  import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto"
@@ -23,6 +26,7 @@ import {
23
26
  openSync,
24
27
  readFileSync,
25
28
  readSync,
29
+ rmdirSync,
26
30
  statSync,
27
31
  unlinkSync,
28
32
  writeFileSync,
@@ -135,17 +139,6 @@ export function postgresArchiveTag(version: string): string {
135
139
  return version.split(".")[0]!
136
140
  }
137
141
 
138
- /**
139
- * Supatype release signing public key (minisign format).
140
- * Generated with: minisign -G
141
- * Rotate by: generating a new pair, updating this constant, and updating
142
- * the MINISIGN_PRIVATE_KEY GitHub Actions secret.
143
- *
144
- * ⚠ PLACEHOLDER — replace with actual public key before first release.
145
- * When empty, minisign verification is skipped with a warning (SHA256 only).
146
- */
147
- const SUPATYPE_RELEASE_PUBLIC_KEY = ""
148
-
149
142
  // CDN path templates per component.
150
143
  const CDN_PATHS: Record<Component, (version: string, platform: PlatformId) => string> = {
151
144
  engine: (v, p) => `/engine/v${v}/supatype-engine-${p.os}-${p.arch}${p.os === "windows" ? ".exe" : ""}`,
@@ -340,14 +333,14 @@ export async function download(
340
333
 
341
334
  console.log(`[supatype] Downloading ${component} v${version} (${platform.os}/${platform.arch})...`)
342
335
 
343
- // ── Fetch checksums + optional minisig ────────────────────────────────────
344
- const expectedChecksum = await withRetry(() =>
345
- fetchChecksums(checksumsUrl, minisigUrl, name),
346
- )
347
-
348
- // ── Stream-download binary with progress ─────────────────────────────────
349
336
  const tmpPath = destPath + ".tmp"
350
337
  try {
338
+ // ── Fetch checksums + optional minisig (retried on transient failures) ───
339
+ const expectedChecksum = await withRetry(() =>
340
+ fetchChecksums(checksumsUrl, minisigUrl, name),
341
+ )
342
+
343
+ // ── Stream-download binary with progress (retried on transient failures) ─
351
344
  await withRetry(() => streamToFileWithProgress(binaryUrl, tmpPath))
352
345
 
353
346
  // ── Verify SHA256 ────────────────────────────────────────────────────────
@@ -359,9 +352,17 @@ export async function download(
359
352
  if (process.platform !== "win32" && EXECUTABLE_COMPONENTS.has(component)) {
360
353
  await chmod(destPath, 0o755)
361
354
  }
355
+ } catch (err) {
356
+ // Never leave a partial binary or an empty version directory behind: a stale
357
+ // empty dir makes the next resolve look fine while silently lacking a binary.
358
+ try { if (existsSync(destPath)) unlinkSync(destPath) } catch { /* ignore */ }
359
+ try { rmdirSync(dir) } catch { /* dir not empty or already removed */ }
360
+ throw new Error(
361
+ `Failed to download ${component} v${version} from ${CDN_BASE}: ${(err as Error).message}`,
362
+ )
362
363
  } finally {
363
364
  if (existsSync(tmpPath)) {
364
- try { require("node:fs").unlinkSync(tmpPath) } catch { /* ignore */ }
365
+ try { unlinkSync(tmpPath) } catch { /* ignore */ }
365
366
  }
366
367
  }
367
368
 
@@ -384,24 +385,36 @@ async function fetchChecksums(
384
385
  const checksumsText = await csResp.text()
385
386
 
386
387
  const pubKey = releasePublicKey()
387
- if (pubKey) {
388
- // Minisign signature is required when a public key is embedded.
389
- const sigResp = await fetch(minisigUrl)
390
- if (!sigResp.ok) {
391
- throw new Error(
392
- `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
393
- "Cannot verify release integrity. Aborting download.",
388
+ if (!pubKey) {
389
+ // Fail closed: a missing public key means we cannot verify authenticity, only
390
+ // integrity (SHA256). Published builds always embed the key, so this only
391
+ // happens in source/contributor builds — never silently downgrade.
392
+ if (process.env["SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS"] === "1") {
393
+ console.warn(
394
+ "[supatype] \u26a0 SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 no minisign public " +
395
+ "key configured; verifying SHA256 only (authenticity NOT checked).",
394
396
  )
397
+ return extractChecksum(checksumsText, binaryFilename)
395
398
  }
396
- const sigText = await sigResp.text()
397
- verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
398
- } else {
399
- console.warn(
400
- "[supatype] \u26a0 Minisign public key not configured " +
401
- "skipping signature verification (SHA256 only).",
399
+ throw new Error(
400
+ "No minisign public key configured — cannot verify release authenticity.\n" +
401
+ "Published @supatype/cli builds embed the key automatically; if you are building " +
402
+ "from source, set SUPATYPE_RELEASE_PUBLIC_KEY to the release public key, or set " +
403
+ "SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 to download with SHA256-only verification (unsafe).",
402
404
  )
403
405
  }
404
406
 
407
+ // Minisign signature is mandatory when a public key is configured.
408
+ const sigResp = await fetch(minisigUrl)
409
+ if (!sigResp.ok) {
410
+ throw new Error(
411
+ `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
412
+ "Cannot verify release integrity. Aborting download.",
413
+ )
414
+ }
415
+ const sigText = await sigResp.text()
416
+ verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
417
+
405
418
  return extractChecksum(checksumsText, binaryFilename)
406
419
  }
407
420
 
@@ -425,10 +438,10 @@ async function fetchChecksums(
425
438
  const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex")
426
439
 
427
440
  /**
428
- * Verify a minisign signature (Ed25519 legacy mode, algorithm bytes "Ed").
429
- * Throws if verification fails.
441
+ * Verify a minisign signature. Supports both Ed25519 legacy mode ("Ed", over the
442
+ * raw file) and prehashed mode ("ED", over BLAKE2b-512(file)). Throws if invalid.
430
443
  */
431
- function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
444
+ export function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
432
445
  // Parse public key: [2 algo][8 keyId][32 ed25519 key]
433
446
  const pkLines = pubKeyStr.trim().split("\n")
434
447
  const pkBytes = Buffer.from(pkLines[pkLines.length - 1]!.trim(), "base64")
@@ -450,14 +463,17 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
450
463
  const sigKeyId = sigBytes.subarray(2, 10)
451
464
  const signature = sigBytes.subarray(10, 74)
452
465
 
453
- // Only Ed25519 legacy mode ("Ed" = 0x45, 0x64) is supported.
454
- // Hashed mode ("ED") requires BLAKE2b prehashing not implemented.
455
- if (algo[0] !== 0x45 || algo[1] !== 0x64) {
466
+ // Both Ed25519 modes are supported:
467
+ // "Ed" (0x45, 0x64) legacy: signature is over the raw file bytes.
468
+ // "ED" (0x45, 0x44) prehashed: signature is over BLAKE2b-512(file).
469
+ // Modern minisign (and our release pipeline) default to prehashed mode.
470
+ if (algo[0] !== 0x45 || (algo[1] !== 0x64 && algo[1] !== 0x44)) {
456
471
  throw new Error(
457
- "Unsupported minisign algorithm — only Ed25519 legacy mode supported.\n" +
472
+ "Unsupported minisign algorithm — expected Ed25519 ('Ed' legacy or 'ED' prehashed).\n" +
458
473
  `Got: 0x${algo[0]?.toString(16)}${algo[1]?.toString(16)}`,
459
474
  )
460
475
  }
476
+ const prehashed = algo[1] === 0x44
461
477
 
462
478
  if (!sigKeyId.equals(pkKeyId)) {
463
479
  throw new Error(
@@ -469,7 +485,13 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
469
485
  const spkiDer = Buffer.concat([ED25519_SPKI_PREFIX, pkEd25519])
470
486
  const keyObject = createPublicKey({ key: spkiDer, format: "der", type: "spki" })
471
487
 
472
- const valid = cryptoVerify(null, fileBytes, keyObject, signature)
488
+ // Pure Ed25519 (PureEdDSA) verifies over the message directly; for prehashed
489
+ // minisign the "message" is the BLAKE2b-512 digest of the file.
490
+ const signedData = prehashed
491
+ ? createHash("blake2b512").update(fileBytes).digest()
492
+ : fileBytes
493
+
494
+ const valid = cryptoVerify(null, signedData, keyObject, signature)
473
495
  if (!valid) {
474
496
  throw new Error(
475
497
  "Minisign signature verification FAILED — the checksum file may have been tampered with.\n" +
package/src/engine-client.ts CHANGED
@@ -13,7 +13,8 @@ import { mkdirSync, writeFileSync, unlinkSync, existsSync, readdirSync } from "n
13
13
  import { tmpdir, homedir } from "node:os"
14
14
  import { join } from "node:path"
15
15
  import { loadConfig } from "./config.js"
16
- import { resolveBinary, currentPlatform, cachePath } from "./binary-cache.js"
16
+ import { currentPlatform, cachePath } from "./binary-cache.js"
17
+ import { ensureBinary } from "./ensure-binary.js"
17
18
 
18
19
  // ---------------------------------------------------------------------------
19
20
  // Types (kept for backward compatibility with existing callers)
@@ -86,10 +87,16 @@ async function getEngineBin(): Promise<string> {
86
87
 
87
88
  try {
88
89
  const config = loadConfig(cwd)
89
- _engineBin = await resolveBinary("engine", config)
90
+ // Download-on-miss (with retry) so a fresh machine or a failed postinstall
91
+ // self-heals on first use instead of silently skipping type/admin refresh.
92
+ _engineBin = await ensureBinary("engine", config)
90
93
  return _engineBin
91
- } catch {
92
- // No valid project config fall through to default cache path.
94
+ } catch (err) {
95
+ // A real download/verification failure must surface, not fall back to a
96
+ // possibly-stale cached binary from a different version.
97
+ const message = err instanceof Error ? err.message : String(err)
98
+ if (message.includes("Failed to download")) throw err
99
+ // Otherwise (no valid project config) fall through to default cache scan.
93
100
  }
94
101
 
95
102
  // No config found — scan the cache for any available engine binary.
package/src/scripts/postinstall.ts CHANGED
@@ -38,7 +38,13 @@ async function main() {
38
38
  }
39
39
 
40
40
  if (anyFailed) {
41
- console.error("[supatype] Some downloads failed. Run 'supatype update' to retry.")
41
+ // npm hides postinstall output unless --foreground-scripts, so don't rely on
42
+ // this being seen: the CLI re-attempts the download (with retry) on first use.
43
+ console.error(
44
+ "[supatype] Some component binaries failed to download. " +
45
+ "They will be re-downloaded automatically on first use; " +
46
+ "run 'supatype update' to retry now.",
47
+ )
42
48
  } else {
43
49
  console.log("[supatype] All component binaries downloaded successfully.")
44
50
  }
package/tests/minisign.test.ts ADDED
@@ -0,0 +1,102 @@
1
+ import { describe, it, expect } from "vitest"
2
+ import {
3
+ createHash,
4
+ generateKeyPairSync,
5
+ randomBytes,
6
+ sign as edSign,
7
+ type KeyObject,
8
+ } from "node:crypto"
9
+ import { verifyMinisign } from "../src/binary-cache.js"
10
+
11
+ /**
12
+ * Build a minisign public-key string + signature file for the given mode so we
13
+ * can exercise {@link verifyMinisign} without shelling out to the minisign tool.
14
+ *
15
+ * Layout mirrors the minisign format the verifier parses:
16
+ * public key payload: [2 algo]["Ed"][8 keyId][32 raw ed25519 pubkey]
17
+ * signature payload : [2 algo][8 keyId][64 ed25519 signature]
18
+ */
19
+ function makeMinisign(
20
+ data: Buffer,
21
+ mode: "legacy" | "prehashed",
22
+ opts: { keyId?: Buffer; privateKey?: KeyObject; publicKey?: KeyObject } = {},
23
+ ): { pubKeyStr: string; sigFile: string } {
24
+ const { publicKey, privateKey } =
25
+ opts.privateKey && opts.publicKey
26
+ ? { publicKey: opts.publicKey, privateKey: opts.privateKey }
27
+ : generateKeyPairSync("ed25519")
28
+
29
+ const keyId = opts.keyId ?? randomBytes(8)
30
+
31
+ // Raw 32-byte ed25519 key = SPKI DER minus its 12-byte prefix.
32
+ const rawPub = publicKey.export({ format: "der", type: "spki" }).subarray(12)
33
+ const pkPayload = Buffer.concat([Buffer.from("Ed"), keyId, rawPub])
34
+ const pubKeyStr = `untrusted comment: test\n${pkPayload.toString("base64")}`
35
+
36
+ const prehashed = mode === "prehashed"
37
+ const signedData = prehashed
38
+ ? createHash("blake2b512").update(data).digest()
39
+ : data
40
+ const signature = edSign(null, signedData, privateKey)
41
+
42
+ const algo = prehashed ? Buffer.from("ED") : Buffer.from("Ed")
43
+ const sigPayload = Buffer.concat([algo, keyId, signature])
44
+ const sigFile =
45
+ `untrusted comment: signature\n${sigPayload.toString("base64")}\n` +
46
+ `trusted comment: timestamp\n${Buffer.alloc(64).toString("base64")}`
47
+
48
+ return { pubKeyStr, sigFile }
49
+ }
50
+
51
+ describe("verifyMinisign", () => {
52
+ const data = Buffer.from("the quick brown fox\n")
53
+
54
+ it("accepts a valid legacy ('Ed') signature", () => {
55
+ const keyId = randomBytes(8)
56
+ const { publicKey, privateKey } = generateKeyPairSync("ed25519")
57
+ const { pubKeyStr, sigFile } = makeMinisign(data, "legacy", { keyId, privateKey, publicKey })
58
+ expect(() => verifyMinisign(data, sigFile, pubKeyStr)).not.toThrow()
59
+ })
60
+
61
+ it("accepts a valid prehashed ('ED', BLAKE2b-512) signature", () => {
62
+ const keyId = randomBytes(8)
63
+ const { publicKey, privateKey } = generateKeyPairSync("ed25519")
64
+ const { pubKeyStr, sigFile } = makeMinisign(data, "prehashed", { keyId, privateKey, publicKey })
65
+ expect(() => verifyMinisign(data, sigFile, pubKeyStr)).not.toThrow()
66
+ })
67
+
68
+ it("rejects a prehashed signature when the file was tampered", () => {
69
+ const { pubKeyStr, sigFile } = makeMinisign(data, "prehashed")
70
+ const tampered = Buffer.from("the quick brown dog\n")
71
+ expect(() => verifyMinisign(tampered, sigFile, pubKeyStr)).toThrow(/verification FAILED/i)
72
+ })
73
+
74
+ it("rejects when the signature key id does not match the public key", () => {
75
+ const { publicKey, privateKey } = generateKeyPairSync("ed25519")
76
+ const { sigFile } = makeMinisign(data, "prehashed", {
77
+ keyId: randomBytes(8),
78
+ privateKey,
79
+ publicKey,
80
+ })
81
+ // Public key advertising a different key id.
82
+ const { pubKeyStr } = makeMinisign(data, "prehashed", {
83
+ keyId: randomBytes(8),
84
+ privateKey,
85
+ publicKey,
86
+ })
87
+ expect(() => verifyMinisign(data, sigFile, pubKeyStr)).toThrow(/key ID mismatch/i)
88
+ })
89
+
90
+ it("rejects an unsupported algorithm", () => {
91
+ const { pubKeyStr, sigFile } = makeMinisign(data, "legacy")
92
+ // Corrupt the algorithm bytes in the signature payload to "XX".
93
+ const lines = sigFile.split("\n")
94
+ const sigBytes = Buffer.from(lines[1]!, "base64")
95
+ sigBytes[0] = 0x58
96
+ sigBytes[1] = 0x58
97
+ lines[1] = sigBytes.toString("base64")
98
+ expect(() => verifyMinisign(data, lines.join("\n"), pubKeyStr)).toThrow(
99
+ /Unsupported minisign algorithm/i,
100
+ )
101
+ })
102
+ })