@superblocksteam/sdk 2.0.123 → 2.0.124-next.0

package/dist/cli-replacement/home-npmrc.mjs

@@ -0,0 +1,283 @@
+import { mkdir } from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+import { PRESERVE_NPMRC_SCOPES, restoreInitialNpmrc, snapshotInitialNpmrc, writeNpmrc, } from "@superblocksteam/vite-plugin-file-sync/npm-registry";
+import { getErrorMeta } from "../telemetry/logging.js";
+/**
+ * File mode applied to the userconfig after every write. `0o400` (owner
+ * read, no write) strips the owner write bit so any `npm config set` or
+ * stray write that opens the file `O_WRONLY` fails loudly instead of
+ * silently retargeting the configured registry. The atomic rename inside
+ * `writeNpmrc` is governed by parent-dir perms — not the target's mode —
+ * so this writer can still re-sync the file on subsequent config changes.
+ * The stricter mode is a speed bump, not a security boundary: the CLI
+ * user can always `chmod +w` first.
+ */
+export const HOME_NPMRC_MODE = 0o400;
+const LOG_PREFIX = "[home-npmrc]";
+/**
+ * Most recent `snapshotInitialNpmrc` outcome, keyed by userconfig target
+ * path. `syncHomeNpmrc` runs once per `NpmRegistryClient` cache refresh,
+ * so the snapshot (taken on a `configured`/`stale` resolve) and the
+ * destructive restore (on a later `not-configured` resolve) happen on
+ * SEPARATE invocations within one pod's lifetime. We remember the outcome
+ * across invocations so the not-configured branch can refuse to unlink the
+ * userconfig when the snapshot is known to have FAILED — a silent EXDEV
+ * (target and backup on different filesystems) leaves a real baked-in file
+ * with no backup, and unlinking it would fail the customer's install open
+ * to public npm (APPS-4428).
+ *
+ * Keyed by path so the test suite's per-test tmpdir `homeDir`s stay
+ * isolated. Absent (never snapshotted this process — e.g. not-configured
+ * from boot, or the policy-only path that deliberately skips the snapshot)
+ * preserves the original APPS-4328 behaviour: a missing backup is "nothing
+ * to preserve", so the unlink is allowed.
+ */
+const lastSnapshotOutcomeByPath = new Map();
+/**
+ * Resolves the Superblocks-owned npm userconfig path. Centralised so the
+ * image-build and CLI auto-upgrade `--userconfig=` plumbing and the
+ * runtime writer all agree on the same location. The file lives inside a
+ * hidden directory, so it is named `npmrc` (without a leading dot) by
+ * convention; the directory itself carries the visibility bit. `homeDir`
+ * defaults to `os.homedir()`; tests override it.
+ */
+export function superblocksNpmrcPath(homeDir) {
+    return path.join(homeDir ?? os.homedir(), ".superblocks", "npmrc");
+}
+/**
+ * Resolves the directory npm should write its per-run debug logs to during
+ * Superblocks-spawned installs in the live-edit pod. Unlike
+ * `superblocksNpmrcPath` (home-based), this is rooted at the application
+ * working directory — `<app>/.superblocks/logs` — so each app's install
+ * logs are co-located with the app and collectable from a predictable
+ * place. Wired into the subprocess env as `NPM_CONFIG_LOGS_DIR` via
+ * `buildInstallEnv`; npm creates the directory if it does not exist.
+ */
+export function superblocksLogsPath(appDir) {
+    return path.join(appDir, ".superblocks", "logs");
+}
+/**
+ * Resolves the on-disk backup path for the Superblocks-owned npm
+ * userconfig. Symmetric with `superblocksNpmrcPath`: lives next to the
+ * userconfig under `~/.superblocks/`. `syncHomeNpmrc` hardlinks the
+ * image-baked userconfig to this path on the first `configured` resolve
+ * so a later transition to `not-configured` has a baseline to restore
+ * from (APPS-4328) — mirroring the project-`.npmrc` capture/restore added
+ * in APPS-4320.
+ *
+ * The leading-dot filename mirrors the project-side `NPMRC_DEFAULT_FILENAME`
+ * convention even though the live userconfig is `npmrc` (no dot). The dot
+ * here is a convention-only marker that this file is the backup, not the
+ * active userconfig.
+ */
+export function superblocksNpmrcBackupPath(homeDir) {
+    return path.join(homeDir ?? os.homedir(), ".superblocks", "npmrc.default");
+}
+/**
+ * Materialises `~/.superblocks/npmrc` from the server-fetched per-org
+ * npm registry config. Designed to run at dev-server CLI startup, after
+ * the `NpmRegistryClient` is wired but BEFORE the global Superblocks CLI
+ * auto-upgrade: with the file in place and the auto-upgrade invoking
+ * npm with `NPM_CONFIG_USERCONFIG=~/.superblocks/npmrc`, the
+ * `npm install -g @superblocksteam/cli@…` invocation resolves through
+ * the customer's private registry rather than `registry.npmjs.org`.
+ *
+ * Behaviour:
+ *
+ *   - `client.getConfig()` resolves `configured` (or `stale`): snapshot
+ *     the image-default userconfig to `~/.superblocks/npmrc.default`
+ *     (once per pod boot via `link(2)`), then write
+ *     `~/.superblocks/npmrc` atomically with mode `0o400`. The snapshot
+ *     captures whatever the image baked (EE GHPR scope + token, or a
+ *     no-file baseline on a fresh developer laptop) so the
+ *     `not-configured` branch below has a baseline to restore from. The
+ *     parent dir is `mkdir -p`'d first so a fresh `$HOME` on a
+ *     developer's laptop is handled the same as a pod where the image
+ *     already pre-creates `/home/node/.superblocks/`. If the snapshot
+ *     attempt FAILS against a real baked file (e.g. EXDEV), we fail
+ *     closed and SKIP the rewrite: see `skipped-snapshot-failed` in
+ *     `SyncHomeNpmrcOutcome` for why (APPS-4428).
+ *
+ *   - `client.getConfig()` resolves `not-configured`: restore the
+ *     image-default userconfig from the `~/.superblocks/npmrc.default`
+ *     backup captured on a prior `configured` boot. When no backup
+ *     exists (cold boot where the org was deconfigured before the first
+ *     `configured` resolve), the userconfig is unlinked entirely so a
+ *     long-lived Superblocks-spawned npm/pnpm process cannot silently
+ *     inherit a previously-configured org's registry/token. Closes the
+ *     stale-userconfig hole flagged on PR #19621 (APPS-4328). One
+ *     exception: if this process already SAW a snapshot attempt FAIL for
+ *     this path, the configured branch above will have left the baked
+ *     userconfig in place (no managed rewrite happened), so unlinking
+ *     here would delete the baked baseline. Withhold the unlink (APPS-4428).
+ *
+ *   - `client.getConfig()` resolves `unreachable`: cold cache + the
+ *     registry server is down (or JWT refresh failed). Leave the file
+ *     alone — the fail-closed gate in the CLI auto-upgrade is the
+ *     backstop if the upgrade reaches a public registry.
+ *
+ *   - Any throw (fs error, etc.): log + return `outcome: "error"`. We
+ *     must not crash dev-server startup on a best-effort step.
+ *
+ * Idempotent for a given resolved config — safe to invoke on every
+ * `NpmRegistryClient` cache refresh as well as on startup.
+ */
+export async function syncHomeNpmrc(deps) {
+    const targetPath = superblocksNpmrcPath(deps.homeDir);
+    const backupPath = superblocksNpmrcBackupPath(deps.homeDir);
+    let result;
+    try {
+        result = await deps.npmRegistryClient.getConfig();
+    }
+    catch (error) {
+        // `NpmRegistryClient` only throws for the deliberate-denial branches
+        // (RBAC 403, malformed request 400, double-401). All three signal a
+        // structurally broken session — surface the warn but keep the
+        // userconfig as-is rather than forging a "default" file that masks
+        // the real failure.
+        deps.logger.warn(`${LOG_PREFIX} client.getConfig() failed; ~/.superblocks/npmrc left unchanged`, { path: targetPath, ...getErrorMeta(error) });
+        return { outcome: "error", path: targetPath };
+    }
+    if (result.source === "unreachable") {
+        deps.logger.warn(`${LOG_PREFIX} registry server unreachable with no cached config; ~/.superblocks/npmrc left unchanged`, { path: targetPath });
+        return { outcome: "skipped-unreachable", path: targetPath };
+    }
+    if (!result.config.configured) {
+        if (result.config.allowInstallScripts === false) {
+            // Org policy disallows install scripts even without registry rows.
+            // Write a policy-only userconfig with `ignore-scripts=true`.
+            //
+            // IMPORTANT: we deliberately skip `snapshotInitialNpmrc` here.
+            // On a repeated sync the target already contains our own policy
+            // file; snapshotting it would poison the backup with policy content
+            // instead of the image-baked baseline, so a later flip to
+            // allowInstallScripts=true could never restore the original.
+            try {
+                await mkdir(path.dirname(targetPath), { recursive: true });
+                await writeNpmrc(targetPath, result.config, {
+                    preserveScopeLines: PRESERVE_NPMRC_SCOPES,
+                    mode: HOME_NPMRC_MODE,
+                });
+                deps.logger.info(`${LOG_PREFIX} wrote policy-only userconfig (ignore-scripts)`, { path: targetPath });
+                return { outcome: "written", path: targetPath };
+            }
+            catch (error) {
+                deps.logger.warn(`${LOG_PREFIX} policy-only write failed`, {
+                    path: targetPath,
+                    ...getErrorMeta(error),
+                });
+                return { outcome: "error", path: targetPath };
+            }
+        }
+        else {
+            // Restore the image-default userconfig from the backup captured on a
+            // prior configured boot. When the backup is absent (the org was never
+            // configured on this pod, OR the pod was rewritten before this
+            // commit landed) the userconfig is unlinked instead — leaving a
+            // stale Superblocks-owned userconfig in place would silently pin
+            // npm/pnpm at a previous org's registry/token, the exact hole
+            // gpoulios-sb flagged on PR #19621.
+            //
+            // EXCEPT when this process's most recent snapshot attempt FAILED:
+            // the snapshot ran against a real baked-in userconfig but `link(2)`
+            // failed silently (e.g. EXDEV across filesystems), so no backup
+            // exists for an unrelated reason. Unlinking here would delete a file
+            // that SHOULD have been preserved and restored. We can't distinguish
+            // that from "no backup" inside `restoreInitialNpmrc`, so we withhold
+            // the unlink option and leave the userconfig in place (APPS-4428).
+            // Absent state (never snapshotted: not-configured from boot, or the
+            // policy-only path) keeps the original APPS-4328 unlink behaviour.
+            const snapshotFailed = lastSnapshotOutcomeByPath.get(targetPath) === "failed";
+            if (snapshotFailed) {
+                deps.logger.warn(`${LOG_PREFIX} registry not configured but the userconfig snapshot failed earlier; leaving the userconfig in place rather than risk deleting an un-backed-up baseline`, { path: targetPath });
+            }
+            // Best-effort: `restoreInitialNpmrc` swallows fs errors as
+            // warn-and-no-op so dev-server startup never crashes on cleanup.
+            try {
+                await restoreInitialNpmrc(targetPath, backupPath, {
+                    unlinkTargetWhenBackupMissing: !snapshotFailed,
+                });
+                // On the `snapshotFailed` branch we passed
+                // `unlinkTargetWhenBackupMissing: false`, so `restoreInitialNpmrc`
+                // intentionally no-ops (leaves the userconfig in place). Return
+                // the dedicated `skipped-snapshot-failed` outcome rather than
+                // `restored-not-configured` — nothing was restored or removed,
+                // and conflating the two would mislead telemetry/dashboards into
+                // thinking the baseline rollback ran when it didn't. The warn
+                // above already describes the decision; an info log here would
+                // contradict it during incident investigation.
+                if (snapshotFailed) {
+                    return { outcome: "skipped-snapshot-failed", path: targetPath };
+                }
+                deps.logger.info(`${LOG_PREFIX} registry not configured; restored image-default userconfig (or removed Superblocks-owned file when no backup exists)`, { path: targetPath });
+                return { outcome: "restored-not-configured", path: targetPath };
+            }
+            catch (error) {
+                deps.logger.warn(`${LOG_PREFIX} restore failed`, {
+                    path: targetPath,
+                    ...getErrorMeta(error),
+                });
+                return { outcome: "error", path: targetPath };
+            }
+        }
+    }
+    try {
+        // `mkdir -p` so a fresh `$HOME` (developer laptop, unprovisioned
+        // sandbox) doesn't ENOENT inside `writeNpmrc`'s atomic-rename. Pod
+        // images already create `/home/node/.superblocks/` at build time, so
+        // this is a no-op there.
+        await mkdir(path.dirname(targetPath), { recursive: true });
+        // Snapshot the image-default userconfig BEFORE the first rewrite so
+        // the not-configured branch above has a restore baseline. Hardlink
+        // is atomic + idempotent: only one of N concurrent callers wins
+        // (kernel-serialised), and a subsequent `writeNpmrc` tmp+rename
+        // gives the userconfig a fresh inode while the backup inode (the
+        // baked content) stays alive. EEXIST after the first capture is
+        // expected and not a warning.
+        //
+        // Remember the outcome so a later `not-configured` resolve (a
+        // separate `syncHomeNpmrc` invocation) can tell whether a usable
+        // backup actually exists before it asks `restoreInitialNpmrc` to
+        // unlink the userconfig. A silent `failed` here (e.g. EXDEV) must
+        // NOT lead the not-configured branch to delete a real baked file
+        // that has no backup (APPS-4428).
+        const snapshotOutcome = await snapshotInitialNpmrc(targetPath, backupPath);
+        lastSnapshotOutcomeByPath.set(targetPath, snapshotOutcome);
+        // FAIL CLOSED on snapshot failure (APPS-4428, gpoulios-sb review of
+        // PR #19690). When a real baked file existed but the hardlink to
+        // `backupPath` failed (only `"failed"` reports this — `"no-source"`
+        // means there was nothing to snapshot in the first place), we have
+        // no way to undo a managed rewrite later: a `not-configured`
+        // transition could not restore the baseline (no backup) and could
+        // not safely unlink the file (it would delete the baseline). The
+        // earlier guard only addressed the unlink side and let the rewrite
+        // happen anyway, which still left stale private-registry config and
+        // auth on disk after deconfigure. The only safe choice is to leave
+        // the baked userconfig alone here — the install path falls back to
+        // whatever the image baked (typically EE GHPR), which is the
+        // pre-private-registry default behaviour.
+        if (snapshotOutcome === "failed") {
+            deps.logger.warn(`${LOG_PREFIX} userconfig snapshot failed; refusing to overwrite the baked userconfig with managed private-registry content (no restore baseline exists)`, { path: targetPath, source: result.source });
+            return { outcome: "skipped-snapshot-failed", path: targetPath };
+        }
+        await writeNpmrc(targetPath, result.config, {
+            preserveScopeLines: PRESERVE_NPMRC_SCOPES,
+            mode: HOME_NPMRC_MODE,
+        });
+        deps.logger.info(`${LOG_PREFIX} wrote ~/.superblocks/npmrc`, {
+            path: targetPath,
+            source: result.source,
+            mode: HOME_NPMRC_MODE.toString(8).padStart(4, "0"),
+        });
+        return { outcome: "written", path: targetPath, source: result.source };
+    }
+    catch (error) {
+        deps.logger.warn(`${LOG_PREFIX} write failed`, {
+            path: targetPath,
+            ...getErrorMeta(error),
+        });
+        return { outcome: "error", path: targetPath };
+    }
+}
+//# sourceMappingURL=home-npmrc.mjs.map

package/dist/cli-replacement/home-npmrc.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"home-npmrc.mjs","sourceRoot":"","sources":["../../src/cli-replacement/home-npmrc.mts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAGL,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EAEpB,UAAU,GACX,MAAM,qDAAqD,CAAC;AAE7D,OAAO,EAAE,YAAY,EAAe,MAAM,yBAAyB,CAAC;AAEpE;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,CAAC;AAErC,MAAM,UAAU,GAAG,cAAc,CAAC;AAElC;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,yBAAyB,GAAG,IAAI,GAAG,EAGtC,CAAC;AAEJ;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAAgB;IACzD,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,eAAe,CAAC,CAAC;AAC7E,CAAC;AAuFD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgDG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAuB;IAEvB,MAAM,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAE5D,IAAI,MAA8B,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC;IACpD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,qEAAqE;QACrE,oEAAoE;QACpE,8DAA8D;QAC9D,mEAAmE;QACnE,oBAAoB;QACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,GAAG,UAAU,iEAAiE,EAC9E,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,EAAE,CAC7C,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;QACpC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,GAAG,UAAU,yFAAyF,EACtG,EAAE,IAAI,EAAE,UAAU,EAAE,CACrB,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,MAAM,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;YAChD,mEAAmE;YACnE,6DAA6D;YAC7D,EAAE;YACF,+DAA+D;YAC/D,gEAAgE;YAChE,oEAAoE;YACpE,0DAA0D;YAC1D,6DAA6D;YAC7D,IAAI,CAAC;gBACH,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC3D,MAAM,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE;oBAC1C,kBAAkB,EAAE,qBAAqB;oBACzC,IAAI,EAAE,eAAe;iBACtB,CAAC,CAAC;gBACH,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,GAAG,UAAU,gDAAgD,EAC7D,EAAE,IAAI,EAAE,UAAU,EAAE,CACrB,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;YAClD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,2BAA2B,EAAE;oBACzD,IAAI,EAAE,UAAU;oBAChB,GAAG,YAAY,CAAC,KAAK,CAAC;iBACvB,CAAC,CAAC;gBACH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;YAChD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qEAAqE;YACrE,sEAAsE;YACtE,+DAA+D;YAC/D,gEAAgE;YAChE,iEAAiE;YACjE,8DAA8D;YAC9D,oCAAoC;YACpC,EAAE;YACF,kEAAkE;YAClE,oEAAoE;YACpE,gEAAgE;YAChE,qEAAqE;YACrE,qEAAqE;YACrE,qEAAqE;YACrE,mEAAmE;YACnE,oEAAoE;YACpE,mEAAmE;YACnE,MAAM,cAAc,GAClB,yBAAyB,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,QAAQ,CAAC;YACzD,IAAI,cAAc,EAAE,CAAC;gBACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,GAAG,UAAU,yJAAyJ,EACtK,EAAE,IAAI,EAAE,UAAU,EAAE,CACrB,CAAC;YACJ,CAAC;YACD,2DAA2D;YAC3D,iEAAiE;YACjE,IAAI,CAAC;gBACH,MAAM,mBAAmB,CAAC,UAAU,EAAE,UAAU,EAAE;oBAChD,6BAA6B,EAAE,CAAC,cAAc;iBAC/C,CAAC,CAAC;gBACH,2CAA2C;gBAC3C,mEAAmE;gBACnE,gEAAgE;gBAChE,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,8DAA8D;gBAC9D,+DAA+D;gBAC/D,+CAA+C;gBAC/C,IAAI,cAAc,EAAE,CAAC;oBACnB,OAAO,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;gBAClE,CAAC;gBACD,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,GAAG,UAAU,uHAAuH,EACpI,EAAE,IAAI,EAAE,UAAU,EAAE,CACrB,CAAC;gBACF,OAAO,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;YAClE,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,iBAAiB,EAAE;oBAC/C,IAAI,EAAE,UAAU;oBAChB,GAAG,YAAY,CAAC,KAAK,CAAC;iBACvB,CAAC,CAAC;gBACH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;YAChD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,iEAAiE;QACjE,mEAAmE;QACnE,qEAAqE;QACrE,yBAAyB;QACzB,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,oEAAoE;QACpE,mEAAmE;QACnE,gEAAgE;QAChE,gEAAgE;QAChE,iEAAiE;QACjE,gEAAgE;QAChE,8BAA8B;QAC9B,EAAE;QACF,8DAA8D;QAC9D,iEAAiE;QACjE,iEAAiE;QACjE,kEAAkE;QAClE,iEAAiE;QACjE,kCAAkC;QAClC,MAAM,eAAe,GAAG,MAAM,oBAAoB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAC3E,yBAAyB,CAAC,GAAG,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAE3D,oEAAoE;QACpE,iEAAiE;QACjE,oEAAoE;QACpE,mEAAmE;QACnE,6DAA6D;QAC7D,kEAAkE;QAClE,iEAAiE;QACjE,mEAAmE;QACnE,oEAAoE;QACpE,mEAAmE;QACnE,mEAAmE;QACnE,6DAA6D;QAC7D,0CAA0C;QAC1C,IAAI,eAAe,KAAK,QAAQ,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,GAAG,UAAU,4IAA4I,EACzJ,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAC5C,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QAClE,CAAC;QAED,MAAM,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE;YAC1C,kBAAkB,EAAE,qBAAqB;YACzC,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,6BAA6B,EAAE;YAC3D,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;SACnD,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;IACzE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,eAAe,EAAE;YAC7C,IAAI,EAAE,UAAU;YAChB,GAAG,YAAY,CAAC,KAAK,CAAC;SACvB,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IAChD,CAAC;AACH,CAAC"}

package/dist/cli-replacement/home-npmrc.test.d.mts

@@ -0,0 +1,10 @@
+/**
+ * Tests for the CLI-startup `~/.superblocks/npmrc` writer.
+ *
+ * Strategy: stand up a tmpdir as a fake `$HOME` and a fake
+ * `NpmRegistryClient` whose `getConfig()` returns the canned response
+ * under test. Asserts cover the four state transitions plus the 0o400
+ * mode bit.
+ */
+export {};
+//# sourceMappingURL=home-npmrc.test.d.mts.map

package/dist/cli-replacement/home-npmrc.test.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"home-npmrc.test.d.mts","sourceRoot":"","sources":["../../src/cli-replacement/home-npmrc.test.mts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}