npm - @venturewild/workspace - Versions diffs - 0.5.2 → 0.5.3 - Mend

@venturewild/workspace 0.5.2 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/server/src/bazaar/core.mjs +39 -1
package/web/dist/assets/{index-BXq-Irj8.js → index-BxTh3dyq.js} +6 -6
package/web/dist/index.html +1 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@venturewild/workspace",
-  "version": "0.5.2",
+  "version": "0.5.3",
   "description": "Claude Code Web — Replit/Lovable-style chat-first browser UI that wraps the AI agent already installed on your machine.",
   "license": "MIT",
   "bin": {

package/server/src/bazaar/core.mjs CHANGED Viewed

@@ -322,12 +322,50 @@ export function createBazaar({ baseDir, seedDir = SEED_DIR, rails = null } = {})
   // The cross-user theme pool from the local rails cache, RE-VALIDATED on read —
   // never trust the pool blindly (spike 2: 15/15 hostile bundles neutralized by
   // normalizeTheme). A tampered cache file degrades to a clean bundle, not exec.
+  //
+  // Trust/ranking/payout fields are NEVER trusted from the pool (audit 2026-06-15):
+  // a producer could otherwise publish a theme that renders "Verified" with a
+  // perfect outcome score, 5 stars, and an inflated payout. We rebuild a clean card
+  // input keeping only display fields + the re-validated bundle, and RESET the
+  // trust signals so OUR provenanceFor derives the honest Class-A 'auto' verdict and
+  // a neutral outcome (local build-results then accrue). Display text is clamped.
+  function str(v, max) {
+    return typeof v === 'string' ? v.slice(0, max) : '';
+  }
   function readRailsThemes() {
     const raw = readJsonSafe(railsThemesFile, []);
     if (!Array.isArray(raw)) return [];
     return raw
       .filter((r) => r && typeof r === 'object' && r.id && r.kind === 'theme')
-      .map((r) => ({ ...r, theme: normalizeTheme(r.theme || {}), source: 'rails' }));
+      .map((r) => {
+        const p = r.producer && typeof r.producer === 'object' ? r.producer : {};
+        return {
+          id: String(r.id).slice(0, 120),
+          kind: 'theme',
+          source: 'rails',
+          title: str(r.title, 80) || 'Untitled',
+          pitch: str(r.pitch, 200),
+          summary: str(r.summary, 400),
+          tags: Array.isArray(r.tags) ? r.tags.slice(0, 8).map((t) => String(t).slice(0, 24)) : [],
+          producer: {
+            name: str(p.name, 60) || 'A maker',
+            handle: str(p.handle, 40) || 'maker',
+            kind: 'maker',
+          },
+          theme: normalizeTheme(r.theme || {}),
+          // Remix lineage is safe to surface (it's just a pointer + label).
+          ...(r.builtFrom && r.builtFrom.id
+            ? { builtFrom: { id: String(r.builtFrom.id).slice(0, 120), title: str(r.builtFrom.title, 80) } }
+            : {}),
+          // RESET publisher-controlled trust/ranking/payout → our derivation governs.
+          outcomeScore: 0.7, //                  the new-listing prior (proven locally over time)
+          outcomeStats: { builds: 0, working: 0 },
+          rating: { stars: 0, count: 0 }, //      no fake stars
+          reward: { model: 'one-time', unit: 'per apply', oneTimeValue: 1.5, perUseValue: 0 },
+          // No vetting/safetyBadge → provenanceFor derives Class-A 'auto'.
+          createdAt: typeof r.createdAt === 'number' ? r.createdAt : 0,
+        };
+      });
   }
   // Overwrite the local cache of the global theme pool (called by the main