npm - mapterrain - Versions diffs - 0.1.1 → 0.1.2 - Mend

mapterrain 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +2 -0
package/bin/terrain-installer.js +117 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -58,6 +58,8 @@ terrain impact      "What validations matter for this change?"
 terrain explain     "Why did Terrain make this decision?"
 ```
+> **About the example outputs below.** The CLI dumps in this section illustrate the *shape* of Terrain's reports on a large pandas-style repository — they are not literal output from a single live run. A few specific signals shown (`xfailAccumulation` age, statistical flaky-test failure rates, the `0.91+` duplicate similarity threshold) are marked `[experimental]` or `[planned]` in 0.1.2; see [docs/release/feature-status.md](docs/release/feature-status.md) for what's stable, what's experimental, and what's planned. The headline "30 seconds" promise refers to small-to-medium repos (≤ 1,000 test files) on commodity hardware; expect 5–15 seconds on a typical service repo and longer on monorepos.
 ### 1. Analyze — understand the test system
 ```bash

package/bin/terrain-installer.js CHANGED Viewed

@@ -78,6 +78,116 @@ function archiveDownloadUrl(version) {
   return `${baseUrl}/v${version}/${archiveFileName(version)}`;
 }
+function signatureDownloadUrl(version) {
+  return `${archiveDownloadUrl(version)}.sig`;
+}
+function certificateDownloadUrl(version) {
+  return `${archiveDownloadUrl(version)}.pem`;
+}
+function expectedSignerIdentity(version) {
+  // The keyless Sigstore signature is anchored to the GitHub Actions workflow
+  // that ran goreleaser at release time. The workflow runs on the v<version>
+  // tag, so the OIDC subject identity is deterministic.
+  return (
+    `https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}` +
+    `/.github/workflows/release.yml@refs/tags/v${version}`
+  );
+}
+const SIGSTORE_OIDC_ISSUER = 'https://token.actions.githubusercontent.com';
+function isCosignAvailable() {
+  try {
+    execFileSync('cosign', ['version'], { stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+// Best-effort signature verification. In 0.1.2 this is warn-only: a missing
+// cosign, missing signature artifact, or verification failure logs to stderr
+// and does NOT block install. The signing pipeline is still maturing and we
+// don't want to break npm installs while it stabilises.
+//
+// In 0.2 this becomes hard-fail unless TERRAIN_INSTALLER_SKIP_VERIFY=1 is set,
+// at which point the warning escalates to an error.
+async function verifySignatureBestEffort({
+  archivePath,
+  version,
+  tempDir,
+  quiet,
+  env,
+}) {
+  if (env.TERRAIN_INSTALLER_SKIP_VERIFY === '1') {
+    log(
+      'Skipping signature verification (TERRAIN_INSTALLER_SKIP_VERIFY=1).',
+      quiet
+    );
+    return { verified: false, reason: 'skipped-by-env' };
+  }
+  if (!isCosignAvailable()) {
+    log(
+      'cosign not found on PATH; skipping signature verification. ' +
+        'Install cosign (https://github.com/sigstore/cosign) for stronger ' +
+        'integrity guarantees in future releases.',
+      quiet
+    );
+    return { verified: false, reason: 'cosign-missing' };
+  }
+  const sigPath = path.join(tempDir, `${path.basename(archivePath)}.sig`);
+  const certPath = path.join(tempDir, `${path.basename(archivePath)}.pem`);
+  try {
+    await downloadFile(signatureDownloadUrl(version), sigPath);
+    await downloadFile(certificateDownloadUrl(version), certPath);
+  } catch (error) {
+    log(
+      `Could not fetch signature artifacts (${error.message}); ` +
+        'skipping verification.',
+      quiet
+    );
+    return { verified: false, reason: 'sig-download-failed' };
+  }
+  try {
+    execFileSync(
+      'cosign',
+      [
+        'verify-blob',
+        '--certificate',
+        certPath,
+        '--signature',
+        sigPath,
+        '--certificate-identity',
+        expectedSignerIdentity(version),
+        '--certificate-oidc-issuer',
+        SIGSTORE_OIDC_ISSUER,
+        archivePath,
+      ],
+      { stdio: 'pipe' }
+    );
+    log(
+      `Verified Sigstore signature for ${path.basename(archivePath)}.`,
+      quiet
+    );
+    return { verified: true, reason: 'ok' };
+  } catch (error) {
+    log(
+      `WARNING: cosign verify-blob failed for ${path.basename(archivePath)}. ` +
+        'The downloaded archive may be tampered with. Continuing install ' +
+        '(verification will become mandatory in 0.2). Error: ' +
+        (error.stderr ? error.stderr.toString().trim() : error.message),
+      quiet
+    );
+    return { verified: false, reason: 'verify-failed' };
+  }
+}
 async function ensureDirectory(dir) {
   await fs.mkdir(dir, { recursive: true });
 }
@@ -233,6 +343,13 @@ export async function ensureTerrainBinary({
       quiet
     );
     await downloadFile(archiveDownloadUrl(version), archivePath);
+    await verifySignatureBestEffort({
+      archivePath,
+      version,
+      tempDir,
+      quiet,
+      env,
+    });
     await ensureDirectory(extractDir);
     extractArchive(archivePath, extractDir);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mapterrain",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Terrain test intelligence CLI.",
   "type": "module",
   "bin": {