@supatype/cli 0.1.0-alpha.6 → 0.1.0-alpha.8

package/src/engine/resolve.ts

@@ -1,197 +0,0 @@
-/**
- * Engine resolver — orchestrates binary download, verification, and caching.
- *
- * Resolution flow:
- * 1. Check local cache for the pinned version
- * 2. If cached and valid, return cached path
- * 3. If not cached, download from CDN (with GitHub Releases fallback)
- * 4. Verify signature + checksum
- * 5. Cache the verified binary
- * 6. Return the cached path
- */
-
-import { chmodSync, existsSync } from "node:fs"
-import { rename, unlink, copyFile } from "node:fs/promises"
-import { join } from "node:path"
-import { detectPlatform, getArtifactName, getCdnUrl } from "./platform.js"
-import { getCachedBinaryPath, hasCachedBinary, ensureCacheDir } from "./cache.js"
-import { downloadFile, fetchJson } from "./download.js"
-import { verifyBinary, verifyChecksumOnly } from "./verify.js"
-import {
-  ENGINE_VERSION,
-  CDN_BASE_URL,
-  GITHUB_RELEASES_FALLBACK_URL,
-} from "../engine-version.js"
-
-export interface ResolveResult {
-  binaryPath: string
-  version: string
-  fromCache: boolean
-}
-
-/**
- * Resolve the engine binary path, downloading if necessary.
- */
-export async function resolveEngine(
-  version: string = ENGINE_VERSION,
-): Promise<ResolveResult> {
-  const platform = detectPlatform()
-
-  // Check cache first
-  if (hasCachedBinary(version, platform)) {
-    return {
-      binaryPath: getCachedBinaryPath(version, platform),
-      version,
-      fromCache: true,
-    }
-  }
-
-  // Not cached — need to download
-  const artifactName = getArtifactName(version, platform)
-  const cacheDir = ensureCacheDir(version)
-  const binaryDest = getCachedBinaryPath(version, platform)
-  const tempBinary = `${binaryDest}.tmp`
-  const checksumDest = join(cacheDir, "checksums.sha256")
-  const signatureDest = join(cacheDir, "checksums.sha256.minisig")
-
-  // Try CDN first, then GitHub Releases fallback
-  let downloaded = false
-
-  try {
-    downloaded = await downloadFromSource(
-      CDN_BASE_URL,
-      version,
-      artifactName,
-      tempBinary,
-      checksumDest,
-      signatureDest,
-    )
-  } catch {
-    // CDN failed, try fallback
-  }
-
-  if (!downloaded) {
-    try {
-      downloaded = await downloadFromSource(
-        GITHUB_RELEASES_FALLBACK_URL,
-        version,
-        artifactName,
-        tempBinary,
-        checksumDest,
-        signatureDest,
-      )
-    } catch {
-      // Fallback also failed
-    }
-  }
-
-  if (!downloaded) {
-    throw new Error(
-      "Cannot download Supatype engine. Check your internet connection.\n" +
-      "If this persists, report at https://github.com/supatype/supatype/issues",
-    )
-  }
-
-  // Verify the downloaded binary
-  if (existsSync(signatureDest)) {
-    // Full two-step verification: signature + checksum
-    await verifyBinary(tempBinary, checksumDest, signatureDest, artifactName)
-  } else {
-    // Checksum-only verification (GitHub Releases may not have .minisig)
-    await verifyChecksumOnly(tempBinary, checksumDest, artifactName)
-  }
-
-  // Move verified binary to final location
-  await rename(tempBinary, binaryDest)
-
-  // Set executable permission on Unix
-  if (process.platform !== "win32") {
-    chmodSync(binaryDest, 0o755)
-  }
-
-  return {
-    binaryPath: binaryDest,
-    version,
-    fromCache: false,
-  }
-}
-
-async function downloadFromSource(
-  baseUrl: string,
-  version: string,
-  artifactName: string,
-  binaryDest: string,
-  checksumDest: string,
-  signatureDest: string,
-): Promise<boolean> {
-  const binaryUrl = getCdnUrl(baseUrl, version, artifactName)
-  const checksumUrl = getCdnUrl(baseUrl, version, "checksums.sha256")
-  const signatureUrl = getCdnUrl(baseUrl, version, "checksums.sha256.minisig")
-
-  // Download binary with progress
-  await downloadFile({
-    url: binaryUrl,
-    dest: binaryDest,
-    showProgress: true,
-    label: `Downloading Supatype engine v${version} for ${detectPlatform().os}-${detectPlatform().arch}`,
-  })
-
-  // Download checksum file
-  await downloadFile({
-    url: checksumUrl,
-    dest: checksumDest,
-  })
-
-  // Try to download signature file (may not exist for GitHub Releases)
-  try {
-    await downloadFile({
-      url: signatureUrl,
-      dest: signatureDest,
-    })
-  } catch {
-    // Signature file optional for fallback sources
-    // But for CDN, we require it — verifyBinary will enforce this
-  }
-
-  return true
-}
-
-/**
- * Check for the latest engine version from CDN.
- */
-export interface LatestVersionInfo {
-  version: string
-  date: string
-}
-
-export async function checkLatestVersion(): Promise<LatestVersionInfo | undefined> {
-  return fetchJson<LatestVersionInfo>(`${CDN_BASE_URL}/latest.json`)
-}
-
-/**
- * Check version compatibility.
- * Engine and CLI must share the same major version.
- */
-export function checkVersionCompatibility(
-  engineVersion: string,
-  expectedVersion: string,
-): { compatible: boolean; message?: string } {
-  const engineMajor = parseMajor(engineVersion)
-  const expectedMajor = parseMajor(expectedVersion)
-
-  if (engineMajor !== expectedMajor) {
-    return {
-      compatible: false,
-      message:
-        `Engine version ${engineVersion} is not compatible with CLI version ${expectedVersion}.\n` +
-        `Run: npm update @supatype/cli`,
-    }
-  }
-
-  return { compatible: true }
-}
-
-function parseMajor(version: string): number {
-  const match = version.match(/^(\d+)/)
-  return match ? parseInt(match[1]!, 10) : 0
-}

package/src/engine/update-notify.ts

@@ -1,50 +0,0 @@
-/**
- * Non-blocking update notification shown after CLI commands.
- * Checks once per 24 hours. Skips in CI environments.
- */
-
-import { ENGINE_VERSION } from "../engine-version.js"
-import {
-  shouldCheckForUpdates,
-  saveUpdateCheck,
-  getLastKnownLatestVersion,
-} from "./cache.js"
-import { checkLatestVersion } from "./resolve.js"
-
-/**
- * Show an update notification if a newer engine version is available.
- * This runs after every CLI command, but only actually checks the network
- * once per 24 hours (throttled via ~/.supatype/update-check.json).
- */
-export async function showUpdateNotification(): Promise<void> {
-  try {
-    const shouldCheck = await shouldCheckForUpdates()
-
-    if (shouldCheck) {
-      // Perform network check
-      const latest = await checkLatestVersion()
-      if (latest) {
-        await saveUpdateCheck(latest.version)
-        if (latest.version !== ENGINE_VERSION) {
-          printNotification(latest.version)
-        }
-      }
-    } else {
-      // Use cached info from last check
-      const cachedLatest = await getLastKnownLatestVersion()
-      if (cachedLatest && cachedLatest !== ENGINE_VERSION) {
-        printNotification(cachedLatest)
-      }
-    }
-  } catch {
-    // Never fail the CLI command because of update check
-  }
-}
-
-function printNotification(latestVersion: string): void {
-  console.log()
-  console.log(
-    `Supatype engine v${latestVersion} is available. ` +
-    `Run: npm update @supatype/cli`,
-  )
-}

package/src/engine/verify.ts

@@ -1,206 +0,0 @@
-/**
- * Checksum and signature verification for engine binaries.
- *
- * Two-step verification:
- * 1. Verify minisign signature on checksums.sha256 file
- * 2. Verify SHA256 hash of binary against signed checksum file
- *
- * Both steps MUST pass before the CLI executes the binary.
- */
-
-import { createHash } from "node:crypto"
-import { readFile, unlink } from "node:fs/promises"
-
-/**
- * Embedded minisign public key.
- *
- * This key is used to verify the signature on the checksum file.
- * It ensures the checksum file was produced by Supatype's CI,
- * not by an attacker who compromised the CDN.
- *
- * Generated with: minisign -G
- * The corresponding private key is stored as a GitHub Actions secret.
- *
- * TODO: Replace with actual public key once generated.
- */
-export const MINISIGN_PUBLIC_KEY = "RWS0000000000000000000000000000000000000000000000000"
-
-/**
- * Verify the minisign signature on a checksum file.
- *
- * Uses a pure-JS minisign verification (Ed25519).
- * Returns true if the signature is valid, false otherwise.
- */
-export async function verifySignature(
-  checksumPath: string,
-  signaturePath: string,
-  publicKey: string = MINISIGN_PUBLIC_KEY,
-): Promise<boolean> {
-  // Minisign signature format:
-  // Line 1: untrusted comment
-  // Line 2: base64-encoded signature
-  // Line 3 (optional): trusted comment
-  // Line 4 (optional): base64-encoded global signature
-
-  try {
-    const sigContent = await readFile(signaturePath, "utf8")
-    const checksumContent = await readFile(checksumPath)
-
-    const sigLines = sigContent.trim().split("\n")
-    if (sigLines.length < 2) return false
-
-    // Parse the signature (line 2 is the base64-encoded signature)
-    const sigBase64 = sigLines[1]!.trim()
-    const sigBytes = Buffer.from(sigBase64, "base64")
-
-    // Minisign signature: 2 bytes algorithm + 8 bytes key ID + 64 bytes Ed25519 sig
-    if (sigBytes.length < 74) return false
-
-    const algorithm = sigBytes.subarray(0, 2)
-    const keyId = sigBytes.subarray(2, 10)
-    const signature = sigBytes.subarray(10, 74)
-
-    // Parse public key
-    const pkBytes = Buffer.from(publicKey.slice(2), "base64") // Skip "RW" prefix
-    if (pkBytes.length < 42) return false
-
-    // Public key: 2 bytes algorithm + 8 bytes key ID + 32 bytes Ed25519 pubkey
-    const pkKeyId = pkBytes.subarray(2, 10)
-    const pk = pkBytes.subarray(10, 42)
-
-    // Verify key IDs match
-    if (!keyId.equals(pkKeyId)) return false
-
-    // Verify Ed25519 signature using Node.js crypto
-    const { verify, createPublicKey } = await import("node:crypto")
-
-    const publicKeyObj = createPublicKey({
-      key: Buffer.concat([
-        // Ed25519 public key DER prefix
-        Buffer.from("302a300506032b6570032100", "hex"),
-        pk,
-      ]),
-      format: "der",
-      type: "spki",
-    })
-
-    const isValid = verify(null, checksumContent, publicKeyObj, signature)
-
-    // If there's a trusted comment (line 3-4), verify the global signature too
-    if (sigLines.length >= 4 && isValid) {
-      const trustedComment = sigLines[2]?.replace(/^trusted comment: ?/, "") || ""
-      const globalSigBase64 = sigLines[3]!.trim()
-      const globalSig = Buffer.from(globalSigBase64, "base64")
-
-      const globalMessage = Buffer.concat([signature, Buffer.from(trustedComment)])
-      const globalValid = verify(null, globalMessage, publicKeyObj, globalSig)
-      return globalValid
-    }
-
-    return isValid
-  } catch {
-    return false
-  }
-}
-
-/**
- * Verify the SHA256 checksum of a binary against a signed checksum file.
- *
- * The checksum file format follows sha256sum output:
- * <hash>  <filename>
- */
-export async function verifyChecksum(
-  binaryPath: string,
-  checksumPath: string,
-  expectedFilename: string,
-): Promise<boolean> {
-  const checksumContent = await readFile(checksumPath, "utf8")
-
-  // Find the line matching our filename
-  const lines = checksumContent.trim().split("\n")
-  let expectedHash: string | undefined
-
-  for (const line of lines) {
-    // Format: "<hash>  <filename>" (two spaces)
-    const parts = line.trim().split(/\s+/)
-    if (parts.length >= 2 && parts[1] === expectedFilename) {
-      expectedHash = parts[0]!.toLowerCase()
-      break
-    }
-  }
-
-  if (!expectedHash) {
-    throw new Error(
-      `No checksum found for ${expectedFilename} in checksum file`,
-    )
-  }
-
-  const binaryData = await readFile(binaryPath)
-  const actualHash = createHash("sha256").update(binaryData).digest("hex")
-
-  return actualHash === expectedHash
-}
-
-/**
- * Run the full two-step verification pipeline.
- * Deletes the binary if verification fails.
- *
- * Step 1: Verify minisign signature on checksums.sha256
- * Step 2: Verify SHA256 hash of binary against signed checksum
- */
-export async function verifyBinary(
-  binaryPath: string,
-  checksumPath: string,
-  signaturePath: string,
-  artifactName: string,
-): Promise<void> {
-  // Step 1: Verify signature
-  const sigValid = await verifySignature(checksumPath, signaturePath)
-  if (!sigValid) {
-    await safeDelete(binaryPath)
-    throw new Error(
-      "Engine checksum signature verification failed.\n" +
-      "The checksum file may have been tampered with.\n" +
-      "If this persists, report at https://github.com/supatype/supatype/issues",
-    )
-  }
-
-  // Step 2: Verify checksum
-  const checksumValid = await verifyChecksum(binaryPath, checksumPath, artifactName)
-  if (!checksumValid) {
-    await safeDelete(binaryPath)
-    throw new Error(
-      "Engine binary checksum mismatch.\n" +
-      "This could indicate a corrupt download or a tampered binary.\n" +
-      "Try again or report at https://github.com/supatype/supatype/issues",
-    )
-  }
-}
-
-/**
- * Simple checksum-only verification (no signature).
- * Used as a fallback when signature files are not available.
- */
-export async function verifyChecksumOnly(
-  binaryPath: string,
-  checksumPath: string,
-  artifactName: string,
-): Promise<void> {
-  const valid = await verifyChecksum(binaryPath, checksumPath, artifactName)
-  if (!valid) {
-    await safeDelete(binaryPath)
-    throw new Error(
-      "Engine binary checksum mismatch.\n" +
-      "This could indicate a corrupt download or a tampered binary.\n" +
-      "Try again or report at https://github.com/supatype/supatype/issues",
-    )
-  }
-}
-
-async function safeDelete(path: string): Promise<void> {
-  try {
-    await unlink(path)
-  } catch {
-    // Ignore deletion errors
-  }
-}

package/src/engine-version.ts

@@ -1,39 +0,0 @@
-/**
- * The engine binary version this CLI package expects.
- * Update this whenever a new engine binary is released.
- *
- * The CLI always downloads and uses this exact version.
- * Upgrading the CLI (npm update) may bump the pinned engine version.
- * This ensures CLI and engine are always compatible.
- *
- * Versioning policy:
- *   0.x.y-alpha.N  — alpha
- *   0.x.y-beta.N   — beta
- *   0.x.y          — stable pre-1.0
- *   1.0.0          — cloud launch
- *   Major bumps (1.0 → 2.0) indicate breaking changes to the schema AST format.
- */
-export const ENGINE_VERSION = "0.1.0"
-
-/**
- * Primary CDN for engine binary distribution.
- * Hetzner Object Storage behind Cloudflare edge caching.
- */
-export const CDN_BASE_URL = "https://releases.supatype.io/engine"
-
-/**
- * Fallback: GitHub Releases on the public engine-releases repo.
- * Used when the primary CDN is unavailable.
- * Contains only binaries — no source code.
- */
-export const ENGINE_RELEASES_REPO = "supatype/engine-releases"
-export const GITHUB_RELEASES_FALLBACK_URL =
-  `https://github.com/${ENGINE_RELEASES_REPO}/releases/download`
-
-/**
- * Legacy: GitHub repository for direct engine releases (before CDN).
- * Kept for backwards compatibility with existing downloads.
- */
-export const ENGINE_REPO = "supatype/schema-engine"
-export const ENGINE_DOWNLOAD_BASE =
-  `https://github.com/${ENGINE_REPO}/releases/download/v${ENGINE_VERSION}`

package/src/engine.ts

@@ -1,99 +0,0 @@
-/**
- * Locates the engine binary (from cache) and provides a helper to invoke it.
- *
- * The engine binary is cached at ~/.supatype/engine/{version}/supatype-engine[.exe].
- * On first use, it's automatically downloaded, verified, and cached.
- */
-
-import { spawnSync, type SpawnSyncReturns } from "node:child_process"
-import { ENGINE_VERSION } from "./engine-version.js"
-import { detectPlatform } from "./engine/platform.js"
-import { getCachedBinaryPath, hasCachedBinary } from "./engine/cache.js"
-import { resolveEngine, checkVersionCompatibility } from "./engine/resolve.js"
-
-export interface EngineResult {
-  stdout: string
-  stderr: string
-  exitCode: number
-}
-
-/**
- * Get the path to the engine binary, downloading if needed.
- * This is the async version — use when you can await.
- */
-export async function getEnginePathAsync(): Promise<string> {
-  const platform = detectPlatform()
-
-  // Fast path: binary already cached
-  if (hasCachedBinary(ENGINE_VERSION, platform)) {
-    return getCachedBinaryPath(ENGINE_VERSION, platform)
-  }
-
-  // Need to download
-  const result = await resolveEngine(ENGINE_VERSION)
-  return result.binaryPath
-}
-
-/**
- * Get the path to the engine binary (sync).
- * Throws if the binary is not cached — caller must ensure it's downloaded first.
- */
-export function getEnginePath(): string {
-  const platform = detectPlatform()
-  const path = getCachedBinaryPath(ENGINE_VERSION, platform)
-
-  if (!hasCachedBinary(ENGINE_VERSION, platform)) {
-    throw new Error(
-      `Supatype engine binary not found in cache.\n` +
-      `Expected: ${path}\n` +
-      `Run any supatype command to trigger automatic download,\n` +
-      `or run: npx supatype engine version`,
-    )
-  }
-
-  return path
-}
-
-/**
- * Ensure the engine binary is available, downloading if necessary.
- * Call this before invokeEngine() in command handlers.
- */
-export async function ensureEngine(): Promise<string> {
-  const result = await resolveEngine(ENGINE_VERSION)
-
-  if (!result.fromCache) {
-    // Just downloaded — version is correct
-    return result.binaryPath
-  }
-
-  // Cached — check compatibility
-  const compat = checkVersionCompatibility(ENGINE_VERSION, ENGINE_VERSION)
-  if (!compat.compatible) {
-    throw new Error(compat.message)
-  }
-
-  return result.binaryPath
-}
-
-/**
- * Invoke the engine binary with the given arguments.
- * Input JSON is passed via stdin.
- *
- * The caller must call ensureEngine() first to guarantee the binary exists.
- */
-export function invokeEngine(
-  args: string[],
-  input?: string,
-): EngineResult {
-  const enginePath = getEnginePath()
-  const result: SpawnSyncReturns<Buffer> = spawnSync(enginePath, args, {
-    input: input ? Buffer.from(input, "utf8") : undefined,
-    maxBuffer: 50 * 1024 * 1024, // 50MB
-  })
-
-  return {
-    stdout: result.stdout?.toString("utf8") ?? "",
-    stderr: result.stderr?.toString("utf8") ?? "",
-    exitCode: result.status ?? 1,
-  }
-}