npm - cli4ai - Versions diffs - 1.0.2 → 1.0.3 - Mend

cli4ai 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cli4ai",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "The package manager for AI CLI tools - cli4ai.com",
   "type": "module",
   "bin": {

package/src/commands/add.ts CHANGED Viewed

@@ -16,9 +16,8 @@ import {
   LOCAL_PACKAGES_DIR,
   loadConfig
 } from '../core/config.js';
-import { lockPackage, computeDirectoryIntegrity, type LockedPackage } from '../core/lockfile.js';
+import { lockPackage, type LockedPackage } from '../core/lockfile.js';
 import { linkPackageDirect, isBinInPath, getPathInstructions } from '../core/link.js';
-import { getRegistryIntegrity, verifyPackageIntegrity } from '../core/registry.js';
 interface AddOptions {
   local?: boolean;
@@ -417,27 +416,6 @@ export async function addCommand(packages: string[], options: AddOptions): Promi
         await installNpmDependencies(result.path, plan.manifest.dependencies);
       }
-      // SECURITY: Verify integrity against registry
-      let integrity: string | undefined;
-      try {
-        const verification = await verifyPackageIntegrity(result.name, result.path);
-        integrity = verification.actual;
-        if (verification.expected) {
-          if (verification.valid) {
-            log(`  integrity: ${integrity.slice(0, 20)}... ✓`);
-          } else {
-            log(`  ⚠️  Integrity mismatch!`);
-            log(`     Expected: ${verification.expected.slice(0, 30)}...`);
-            log(`     Actual:   ${verification.actual.slice(0, 30)}...`);
-          }
-        } else {
-          log(`  integrity: ${integrity.slice(0, 20)}...`);
-        }
-      } catch (err) {
-        log(`  warning: could not compute integrity hash`);
-      }
       // Link to PATH for global installs
       if (options.global) {
         result.binPath = linkPackageDirect(plan.manifest, result.path);
@@ -449,8 +427,7 @@ export async function addCommand(packages: string[], options: AddOptions): Promi
         const lockedPkg: LockedPackage = {
           name: result.name,
           version: result.version,
-          resolved: result.source === 'local' ? result.path : result.path,
-          integrity
+          resolved: result.source === 'local' ? result.path : result.path
         };
         lockPackage(projectDir, lockedPkg);
       }

package/src/core/execute.ts CHANGED Viewed

@@ -15,7 +15,6 @@ import { log } from '../lib/cli.js';
 import { findPackage } from './config.js';
 import { loadManifest, type Manifest } from './manifest.js';
 import { getSecret } from './secrets.js';
-import { checkPackageIntegrity } from './lockfile.js';
 /**
  * Expand ~ to home directory in paths
@@ -389,27 +388,6 @@ export async function executeTool(options: ExecuteToolOptions): Promise<ExecuteT
   const manifest = loadManifest(pkg.path);
-  const integrityCheck = checkPackageIntegrity(invocationDir, options.packageName, pkg.path);
-  if (!integrityCheck.valid) {
-    log(`\n⚠️  SECURITY WARNING: Package integrity check failed for ${options.packageName}`);
-    if (integrityCheck.error) log(`   ${integrityCheck.error}`);
-    if (integrityCheck.expected && integrityCheck.actual) {
-      log(`   Expected: ${integrityCheck.expected.slice(0, 30)}...`);
-      log(`   Actual:   ${integrityCheck.actual.slice(0, 30)}...`);
-    }
-    log(`\n   The package may have been tampered with or modified since installation.`);
-    log(`   To fix: reinstall with "cli4ai remove ${options.packageName} && cli4ai add ${options.packageName}"\n`);
-    const shouldContinue = await confirm('Continue anyway? (NOT RECOMMENDED)');
-    if (!shouldContinue) {
-      throw new ExecuteToolError('INTEGRITY_ERROR', 'Package integrity verification failed', {
-        package: options.packageName,
-        hint: `Reinstall the package with: cli4ai remove ${options.packageName} && cli4ai add ${options.packageName}`
-      });
-    }
-    log('');
-  }
   await ensureRuntimeAvailable();
   await checkPeerDependencies(pkg.path);

package/src/core/lockfile.ts CHANGED Viewed

@@ -3,14 +3,10 @@
  *
  * Tracks installed packages with exact versions and sources
  * for reproducible installations.
- *
- * SECURITY: Includes SRI (Subresource Integrity) hash verification
- * to detect tampered packages.
  */
-import { readFileSync, writeFileSync, renameSync, existsSync, readdirSync, statSync } from 'fs';
-import { resolve, join, relative } from 'path';
-import { createHash } from 'crypto';
+import { readFileSync, writeFileSync, renameSync, existsSync } from 'fs';
+import { resolve } from 'path';
 // ═══════════════════════════════════════════════════════════════════════════
 // TYPES
@@ -36,125 +32,6 @@ export interface Lockfile {
 export const LOCKFILE_NAME = 'cli4ai.lock';
 export const LOCKFILE_VERSION = 1;
-// ═══════════════════════════════════════════════════════════════════════════
-// INTEGRITY HASHING (SRI - Subresource Integrity)
-// ═══════════════════════════════════════════════════════════════════════════
-/**
- * Compute SHA-512 hash of a file and return SRI format string
- */
-export function computeFileIntegrity(filePath: string): string {
-  const content = readFileSync(filePath);
-  const hash = createHash('sha512').update(content).digest('base64');
-  return `sha512-${hash}`;
-}
-/**
- * Compute SHA-512 hash of a directory's contents (deterministic).
- * Hashes all files in sorted order to produce a reproducible hash.
- */
-export function computeDirectoryIntegrity(dirPath: string): string {
-  const hash = createHash('sha512');
-  const files: string[] = [];
-  // Recursively collect all files
-  function collectFiles(dir: string): void {
-    const entries = readdirSync(dir, { withFileTypes: true });
-    for (const entry of entries) {
-      // Skip node_modules and hidden directories
-      if (entry.name === 'node_modules' || entry.name.startsWith('.')) continue;
-      const fullPath = join(dir, entry.name);
-      if (entry.isDirectory()) {
-        collectFiles(fullPath);
-      } else if (entry.isFile()) {
-        files.push(fullPath);
-      }
-    }
-  }
-  collectFiles(dirPath);
-  // Sort files for deterministic ordering
-  files.sort();
-  // Hash each file's relative path and content
-  for (const filePath of files) {
-    const relativePath = relative(dirPath, filePath);
-    const content = readFileSync(filePath);
-    // Include path in hash for structural integrity
-    hash.update(relativePath);
-    hash.update(content);
-  }
-  return `sha512-${hash.digest('base64')}`;
-}
-/**
- * Verify a package's integrity against stored hash
- */
-export function verifyIntegrity(dirPath: string, expectedIntegrity: string): boolean {
-  if (!expectedIntegrity) return true; // No integrity check if not stored
-  try {
-    const actualIntegrity = computeDirectoryIntegrity(dirPath);
-    return actualIntegrity === expectedIntegrity;
-  } catch {
-    return false;
-  }
-}
-/**
- * Result of integrity verification
- */
-export interface IntegrityCheckResult {
-  valid: boolean;
-  expected?: string;
-  actual?: string;
-  error?: string;
-}
-/**
- * Check integrity of a locked package
- */
-export function checkPackageIntegrity(
-  projectDir: string,
-  packageName: string,
-  packagePath: string
-): IntegrityCheckResult {
-  const locked = getLockedPackage(projectDir, packageName);
-  if (!locked) {
-    return { valid: true }; // No lock entry, can't verify
-  }
-  if (!locked.integrity) {
-    return { valid: true }; // No integrity hash stored
-  }
-  try {
-    const actualIntegrity = computeDirectoryIntegrity(packagePath);
-    if (actualIntegrity === locked.integrity) {
-      return { valid: true, expected: locked.integrity, actual: actualIntegrity };
-    }
-    return {
-      valid: false,
-      expected: locked.integrity,
-      actual: actualIntegrity,
-      error: 'Integrity mismatch - package may have been tampered with'
-    };
-  } catch (err) {
-    return {
-      valid: false,
-      expected: locked.integrity,
-      error: `Failed to compute integrity: ${err instanceof Error ? err.message : String(err)}`
-    };
-  }
-}
 // ═══════════════════════════════════════════════════════════════════════════
 // FUNCTIONS
 // ═══════════════════════════════════════════════════════════════════════════