movehat 0.2.0 → 0.2.2

package/src/core/movementProfile.ts

@@ -1,154 +1,102 @@
-import {
-  chmodSync,
-  existsSync,
-  mkdirSync,
-  readFileSync,
-  renameSync,
-  unlinkSync,
-  writeFileSync,
-} from "fs";
-import { readFile } from "fs/promises";
-import { dirname } from "path";
+import { chmodSync, existsSync, unlinkSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
 import { randomUUID } from "crypto";
-import * as yaml from "js-yaml";
 
 /**
- * Shared helpers for working with the Movement CLI's `~/.aptos/config.yaml`
- * profile file and the SIGINT/SIGTERM cleanup pipeline.
+ * Per-deploy private-key file management and SIGINT/SIGTERM cleanup
+ * infrastructure shared across the Movement CLI invocations (`move
+ * publish`, `move deploy-object`, `move upgrade-object`, `move
+ * run-script`).
  *
- * Extracted from `core/Publisher.ts` so both the existing `move publish`
- * flow (`Publisher`) and the new `move deploy-object` / `upgrade-object`
- * flows (`harness/codeObject.ts`) can share the bug #36 / #37 / #43
- * hardening without duplicating it.
+ * **Why a temp key file rather than the CLI's profile yaml?** The
+ * Movement CLI's `--profile <name>` flag requires a config.yaml to
+ * exist in the working directory (older Movement CLI variants look
+ * for `<cwd>/.aptos/config.yaml`; newer variants look for
+ * `<cwd>/.movement/config.yaml`). On fresh user installs neither
+ * directory exists, and the CLI errors out before it would otherwise
+ * fall back to `~/.aptos/config.yaml`. Writing to a temp file and
+ * passing `--private-key-file <path> --sender-account <addr>`
+ * directly avoids the entire profile-yaml lookup chain — no CWD
+ * dependency, no CLI-variant dependency.
+ *
+ * The same SIGINT-safe cleanup pattern applies as the old profile
+ * flow: the temp key file persists private key material on disk and
+ * MUST be removed before process exit even on abnormal termination.
  *
  * @internal — not exported from `src/index.ts`.
  */
 
 /**
- * In-process serializer for `~/.aptos/config.yaml` mutations. Without it,
- * two concurrent profile writes would race in the read-modify-write cycle
- * and the second writer would silently drop the first's profile. See #37.
+ * Write the private key to a `mode 0o600` file in the system temp
+ * directory and return the path. The filename is UUID-suffixed so
+ * concurrent deploys don't collide.
+ *
+ * The key string is written verbatim — callers should format to
+ * AIP-80 before calling (see `PrivateKey.formatPrivateKey` from
+ * `@aptos-labs/ts-sdk`).
  */
-let yamlLock: Promise<unknown> = Promise.resolve();
-export function withYamlLock<T>(fn: () => Promise<T>): Promise<T> {
-  const prev = yamlLock;
-  // .then(success, failure) — continue even if the previous holder rejected,
-  // so a failure in one deploy doesn't poison the lock for the others.
-  const next = prev.then(
-    () => fn(),
-    () => fn()
-  );
-  yamlLock = next.catch(() => {}); // swallow on the shared chain; caller still gets the original
-  return next;
-}
-
-export interface ProfileData {
-  private_key: string;
-  public_key: string;
-  account: string;
-  rest_url: string;
-}
-
-interface AptosConfigYaml {
-  profiles?: Record<string, ProfileData>;
-  [key: string]: unknown;
+export function writeTempKeyFile(privateKey: string): string {
+  const path = join(tmpdir(), `movehat-key-${randomUUID()}`);
+  // mode in the open() call may be filtered by the process umask
+  // (typically 0o022 → resulting perms 0o644). chmod after write
+  // is defense in depth so the file can never be observable as
+  // group-/world-readable while it carries the private key.
+  writeFileSync(path, privateKey, { mode: 0o600 });
+  chmodSync(path, 0o600);
+  return path;
 }
 
 /**
- * Atomic write: write payload to a temp sibling → chmod the temp to 0o600
- * → rename over the target. The chmod-before-rename order eliminates a
- * window where the target file could be observable with default umask
- * perms (typically 0o644) while carrying the private key.
- */
-function atomicWriteYaml(path: string, content: string): void {
-  const tmpPath = `${path}.tmp.${randomUUID().slice(0, 8)}`;
-  writeFileSync(tmpPath, content, { mode: 0o600 });
-  chmodSync(tmpPath, 0o600); // defense in depth in case umask filtered the open mode
-  renameSync(tmpPath, path);
-}
-
-/** Add the deploy's profile to ~/.aptos/config.yaml. Creates the file if absent. */
-export async function addProfile(
-  configPath: string,
-  name: string,
-  data: ProfileData
-): Promise<void> {
-  const configDir = dirname(configPath);
-  if (!existsSync(configDir)) {
-    mkdirSync(configDir, { recursive: true, mode: 0o700 });
-  }
-  let yamlObj: AptosConfigYaml = {};
-  if (existsSync(configPath)) {
-    const raw = await readFile(configPath, "utf-8");
-    yamlObj = (yaml.load(raw) as AptosConfigYaml) || {};
-  }
-  if (!yamlObj.profiles) yamlObj.profiles = {};
-  yamlObj.profiles[name] = data;
-  atomicWriteYaml(configPath, yaml.dump(yamlObj));
-}
-
-/**
- * Remove the deploy's profile from ~/.aptos/config.yaml. Idempotent —
- * a missing file or missing profile is a no-op. If removal leaves the
- * yaml with only an empty `profiles:` block, the whole file is unlinked
- * to preserve the "didn't exist before" semantic for the first-ever deploy.
+ * Sync unlink for SIGINT/SIGTERM handlers — never throws, never logs.
+ * The event loop is dead by the time this runs; observability isn't
+ * possible. Worst case: a stale 0o600 temp file in `os.tmpdir()`
+ * that the OS reaps eventually.
+ *
+ * **Do not use this from a normal `finally` cleanup path** — failures
+ * become invisible there, hiding the case where a private-key temp
+ * file persists on disk after a deploy. Use {@link removeKeyFile}
+ * instead for those paths.
  */
-export async function removeProfile(configPath: string, name: string): Promise<void> {
-  if (!existsSync(configPath)) return;
-  const raw = await readFile(configPath, "utf-8");
-  const yamlObj: AptosConfigYaml = (yaml.load(raw) as AptosConfigYaml) || {};
-  if (!yamlObj.profiles || !(name in yamlObj.profiles)) return;
-  delete yamlObj.profiles[name];
-
-  const profilesEmpty = Object.keys(yamlObj.profiles).length === 0;
-  const onlyProfilesKey =
-    Object.keys(yamlObj).length === 1 && "profiles" in yamlObj;
-  if (profilesEmpty && onlyProfilesKey) {
-    // We created this file fresh; remove it.
-    try {
-      unlinkSync(configPath);
-    } catch {
-      // best-effort
-    }
-    return;
+export function removeKeyFileSyncBestEffort(path: string): void {
+  try {
+    unlinkSync(path);
+  } catch {
+    // event loop dead — best-effort
   }
-  atomicWriteYaml(configPath, yaml.dump(yamlObj));
 }
 
 /**
- * Synchronous twin of `removeProfile` for the SIGINT/SIGTERM handler.
- * The event loop is dead by the time the handler runs — we cannot
- * await. Bypasses the async mutex because signal handlers are
- * sequential by construction; the operation is idempotent so a
- * benign double-delete (handler then finally, or vice versa) is fine.
+ * Sync unlink for the normal cleanup path (a `finally` block after the
+ * Movement CLI invocation returns). Returns `null` on success — either
+ * the file was removed, or it was already gone (ENOENT is treated as
+ * benign success). Returns an `Error` only when the file **still
+ * exists on disk** after the unlink attempt failed (EPERM, EACCES,
+ * EBUSY, EISDIR if the path collided with a directory, etc.).
+ *
+ * Callers SHOULD `logger.warning` when a non-null Error is returned —
+ * a private-key temp file would otherwise persist silently.
  */
-export function removeProfileSync(configPath: string, name: string): void {
+export function removeKeyFile(path: string): Error | null {
   try {
-    if (!existsSync(configPath)) return;
-    const raw = readFileSync(configPath, "utf-8");
-    const yamlObj: AptosConfigYaml = (yaml.load(raw) as AptosConfigYaml) || {};
-    if (!yamlObj.profiles || !(name in yamlObj.profiles)) return;
-    delete yamlObj.profiles[name];
-
-    const profilesEmpty = Object.keys(yamlObj.profiles).length === 0;
-    const onlyProfilesKey =
-      Object.keys(yamlObj).length === 1 && "profiles" in yamlObj;
-    if (profilesEmpty && onlyProfilesKey) {
-      unlinkSync(configPath);
-      return;
-    }
-    atomicWriteYaml(configPath, yaml.dump(yamlObj));
-  } catch {
-    // Signal handlers should never throw — swallow and exit. Better to
-    // leave a stale profile (recoverable by re-running the deploy) than
-    // to crash the parent process mid-shutdown.
+    unlinkSync(path);
+    return null;
+  } catch (err) {
+    const code = (err as NodeJS.ErrnoException).code;
+    if (code === "ENOENT") return null;
+    // The unlink call failed but verify the file actually still exists
+    // before declaring this preocupante — some races (parallel cleanup,
+    // tmpdir reaper) can race with us and the file may already be gone
+    // despite the syscall reporting an unexpected error.
+    if (!existsSync(path)) return null;
+    return err instanceof Error ? err : new Error(String(err));
   }
 }
 
 /**
  * Process-level signal handling. A single registered handler iterates
- * the per-deploy cleanup callbacks. Install-once because multiple
- * concurrent deploys share the same parent process — installing per
+ * the per-deploy cleanup callbacks. Installed once per process because
+ * multiple concurrent deploys share the same parent — installing per
  * deploy would re-add the listener and exceed Node's max-listeners
  * warning threshold under heavy parallelism.
  */
@@ -159,7 +107,7 @@ export function ensureSignalHandler(): void {
   if (signalHandlerInstalled) return;
   signalHandlerInstalled = true;
   const handler = (sig: NodeJS.Signals) => {
-    // Synchronous cleanup of every active deploy's profile entry.
+    // Synchronous cleanup of every active deploy's resources.
     for (const cb of [...cleanupCallbacks]) {
       try {
         cb();

package/src/fork/__tests__/manager.test.ts

@@ -4,7 +4,7 @@ import { tmpdir } from "node:os";
 import { join } from "node:path";
 
 /**
- * Tests for `ForkManager` (M3.3). Strategy:
+ * Tests for `ForkManager`. Strategy:
  *   - `vi.mock` the upstream `MovementApiClient` (network layer) so
  *     tests stay offline and deterministic.
  *   - Use a REAL `ForkStorage` against a tmpdir (storage is already

package/src/fork/__tests__/server.cors.test.ts

@@ -0,0 +1,101 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { mkdtempSync, rmSync, mkdirSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import type { AddressInfo } from "node:net";
+
+import { ForkServer } from "../server.js";
+
+/**
+ * F2 — ForkServer must not advertise `Access-Control-Allow-Origin: *`
+ * by default. Cached fork state may include account resources fetched
+ * from authenticated upstream nodes; any web page open in the dev's
+ * browser should not be able to read it through the loopback listener.
+ *
+ * Default contract:
+ *   - No CORS header emitted unless the caller opts in via
+ *     `corsAllowOrigins`.
+ *   - When opted in, only requests whose `Origin` is in the allowlist
+ *     receive a matching `Access-Control-Allow-Origin` (echo of origin,
+ *     not `*`).
+ */
+
+function makeForkDir(): string {
+  const dir = mkdtempSync(join(tmpdir(), "movehat-fork-cors-"));
+  mkdirSync(join(dir, "resources"), { recursive: true });
+  writeFileSync(
+    join(dir, "metadata.json"),
+    JSON.stringify({
+      network: "test",
+      nodeUrl: "http://example.invalid/v1",
+      chainId: 0,
+      ledgerVersion: "0",
+      timestamp: "0",
+      epoch: "0",
+      blockHeight: "0",
+      createdAt: new Date().toISOString(),
+    }),
+  );
+  writeFileSync(join(dir, "accounts.json"), "{}");
+  return dir;
+}
+
+function boundPort(server: ForkServer): number {
+  const internal = (server as unknown as {
+    server: { address(): AddressInfo };
+  }).server;
+  const addr = internal.address();
+  return addr.port;
+}
+
+async function fetchFromServer(
+  port: number,
+  origin?: string
+): Promise<Response> {
+  const headers: Record<string, string> = {};
+  if (origin !== undefined) headers.Origin = origin;
+  return fetch(`http://127.0.0.1:${port}/v1/`, { headers });
+}
+
+describe("F2 — ForkServer CORS is closed by default", () => {
+  let forkDir: string;
+  let server: ForkServer | null = null;
+
+  beforeEach(() => {
+    forkDir = makeForkDir();
+  });
+
+  afterEach(async () => {
+    if (server) {
+      await server.stop();
+      server = null;
+    }
+    rmSync(forkDir, { recursive: true, force: true });
+  });
+
+  it("does not emit Access-Control-Allow-Origin by default", async () => {
+    server = new ForkServer(forkDir, 0);
+    await server.start();
+    const port = boundPort(server);
+
+    const res = await fetchFromServer(port, "https://evil.example");
+    expect(res.status).toBe(200);
+    expect(res.headers.get("access-control-allow-origin")).toBeNull();
+  });
+
+  it("echoes only allow-listed origins when corsAllowOrigins is set", async () => {
+    server = new ForkServer(forkDir, 0, "127.0.0.1", {
+      corsAllowOrigins: ["https://trusted.example"],
+    });
+    await server.start();
+    const port = boundPort(server);
+
+    const allowed = await fetchFromServer(port, "https://trusted.example");
+    expect(allowed.headers.get("access-control-allow-origin")).toBe(
+      "https://trusted.example"
+    );
+
+    const denied = await fetchFromServer(port, "https://evil.example");
+    expect(denied.headers.get("access-control-allow-origin")).toBeNull();
+  });
+});

package/src/fork/api.ts

@@ -4,6 +4,16 @@ import { URL } from 'url';
 import type { LedgerInfo, AccountData, AccountResource } from '../types/fork.js';
 import { normalizeAddressShort } from '../utils/address.js';
 
+export interface MovementApiClientOptions {
+  /** Abort the request after this many ms (default: 30_000). */
+  timeoutMs?: number;
+  /** Reject responses larger than this many bytes (default: 16 MiB). */
+  maxBytes?: number;
+}
+
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_MAX_BYTES = 16 * 1024 * 1024;
+
 /**
  * Client for interacting with Movement L1 JSON API.
  *
@@ -15,8 +25,14 @@ import { normalizeAddressShort } from '../utils/address.js';
 export class MovementApiClient {
   private nodeUrl: string;
   private readonly apiKey?: string;
-
-  constructor(nodeUrl: string, apiKey?: string) {
+  private readonly timeoutMs: number;
+  private readonly maxBytes: number;
+
+  constructor(
+    nodeUrl: string,
+    apiKey?: string,
+    options: MovementApiClientOptions = {}
+  ) {
     // Remove trailing slash
     let normalized = nodeUrl.replace(/\/$/, '');
 
@@ -28,6 +44,8 @@ export class MovementApiClient {
 
     this.nodeUrl = normalized;
     if (apiKey !== undefined) this.apiKey = apiKey;
+    this.timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    this.maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
   }
 
   /**
@@ -52,31 +70,72 @@ export class MovementApiClient {
       requestOptions.headers = { Authorization: `Bearer ${this.apiKey}` };
     }
 
+    const timeoutMs = this.timeoutMs;
+    const maxBytes = this.maxBytes;
+
     return new Promise((resolve, reject) => {
-      const req = client.get(fullUrl, requestOptions, (res) => {
-        let data = '';
+      let settled = false;
+      const settle = (fn: () => void) => {
+        if (settled) return;
+        settled = true;
+        fn();
+      };
 
-        res.on('data', (chunk) => {
-          data += chunk;
+      const req = client.get(fullUrl, requestOptions, (res) => {
+        const chunks: Buffer[] = [];
+        let totalBytes = 0;
+
+        res.on('data', (chunk: Buffer | string) => {
+          const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+          totalBytes += buf.length;
+          if (totalBytes > maxBytes) {
+            req.destroy();
+            settle(() =>
+              reject(
+                new Error(
+                  `Response exceeded maxBytes (${maxBytes}); ${totalBytes} bytes received before abort`
+                )
+              )
+            );
+            return;
+          }
+          chunks.push(buf);
         });
 
         res.on('end', () => {
+          if (settled) return;
+          const data = Buffer.concat(chunks).toString('utf8');
           if (res.statusCode !== 200) {
-            reject(new Error(`API request failed with status ${res.statusCode}: ${data}`));
+            settle(() =>
+              reject(
+                new Error(
+                  `API request failed with status ${res.statusCode}: ${data}`
+                )
+              )
+            );
             return;
           }
 
           try {
             const parsed = JSON.parse(data);
-            resolve(parsed);
+            settle(() => resolve(parsed));
           } catch (err) {
-            reject(new Error(`Failed to parse JSON response: ${err}`));
+            settle(() =>
+              reject(new Error(`Failed to parse JSON response: ${err}`))
+            );
           }
         });
       });
 
+      req.setTimeout(timeoutMs, () => {
+        req.destroy();
+        settle(() =>
+          reject(new Error(`API request timed out after ${timeoutMs}ms`))
+        );
+      });
+
       req.on('error', (err) => {
-        reject(new Error(`API request failed: ${err.message}`));
+        settle(() => reject(new Error(`API request failed: ${err.message}`)));
       });
 
       req.end();

package/src/fork/manager.ts

@@ -70,16 +70,12 @@ export class ForkManager {
   ): Promise<void> {
     if (apiKey !== undefined) this.apiKey = apiKey;
 
-    // Create API client (with optional Authorization header)
     this.apiClient = new MovementApiClient(nodeUrl, this.apiKey);
 
-    // Fetch network info
     const ledgerInfo = await this.apiClient.getLedgerInfo();
 
-    // Create fork structure
     this.storage.initialize();
 
-    // Save metadata
     this.metadata = {
       network: networkName,
       nodeUrl,
@@ -110,9 +106,6 @@ export class ForkManager {
     this.apiClient = new MovementApiClient(this.metadata.nodeUrl, this.apiKey);
   }
 
-  /**
-   * Get fork metadata
-   */
   getMetadata(): ForkMetadata {
     if (!this.metadata) {
       this.metadata = this.storage.loadMetadata();
@@ -120,18 +113,12 @@ export class ForkManager {
     return this.metadata;
   }
 
-  /**
-   * Get account state (with lazy loading)
-   */
   async getAccount(address: string): Promise<AccountState> {
-    // Normalize address
     const normalizedAddress = normalizeAddress(address);
 
-    // Check cache first
     let accountState = this.storage.getAccount(normalizedAddress);
 
     if (!accountState) {
-      // Fetch from network
       if (!this.apiClient) {
         throw new Error('Fork not initialized. Call initialize() or load() first.');
       }
@@ -144,7 +131,6 @@ export class ForkManager {
         authenticationKey: accountData.authentication_key,
       };
 
-      // Cache it
       this.storage.saveAccount(normalizedAddress, accountState);
       console.log(`  ✓ Cached account ${normalizedAddress}`);
     }
@@ -152,17 +138,12 @@ export class ForkManager {
     return accountState;
   }
 
-  /**
-   * Get a specific resource (with lazy loading)
-   */
   async getResource(address: string, resourceType: string): Promise<any> {
     const normalizedAddress = normalizeAddress(address);
 
-    // Check cache first
     let resource = this.storage.getResource(normalizedAddress, resourceType);
 
     if (!resource) {
-      // Fetch from network
       if (!this.apiClient) {
         throw new Error('Fork not initialized. Call initialize() or load() first.');
       }
@@ -173,7 +154,6 @@ export class ForkManager {
         const resourceData = await this.apiClient.getAccountResource(normalizedAddress, resourceType);
         resource = resourceData.data;
 
-        // Cache it
         this.storage.saveResource(normalizedAddress, resourceType, resource);
         console.log(`  ✓ Cached resource ${resourceType}`);
       } catch (error) {
@@ -188,16 +168,11 @@ export class ForkManager {
     return resource;
   }
 
-  /**
-   * Get all resources for an account (with lazy loading)
-   */
   async getAllResources(address: string): Promise<Record<string, any>> {
     const normalizedAddress = normalizeAddress(address);
 
-    // Check if we have any cached resources
     let resources = this.storage.getAllResources(normalizedAddress);
 
-    // If no cached resources, fetch all from network
     if (Object.keys(resources).length === 0) {
       if (!this.apiClient) {
         throw new Error('Fork not initialized. Call initialize() or load() first.');
@@ -211,7 +186,6 @@ export class ForkManager {
         resources[resource.type] = resource.data;
       }
 
-      // Cache them
       this.storage.saveAllResources(normalizedAddress, resources);
       console.log(`  ✓ Cached ${Object.keys(resources).length} resources`);
     }
@@ -219,18 +193,13 @@ export class ForkManager {
     return resources;
   }
 
-  /**
-   * Set a resource value (for testing/mocking)
-   */
   async setResource(address: string, resourceType: string, data: unknown): Promise<void> {
     const normalizedAddress = normalizeAddress(address);
     this.storage.saveResource(normalizedAddress, resourceType, data);
     console.log(`  ✓ Updated resource ${resourceType} for ${normalizedAddress}`);
   }
 
-  /**
-   * Fund an account with coins (adds to existing balance)
-   */
+  /** Adds to the existing balance rather than replacing it. */
   async fundAccount(address: string, amount: number, coinType: string = '0x1::aptos_coin::AptosCoin'): Promise<void> {
     const normalizedAddress = normalizeAddress(address);
     const resourceType = `0x1::coin::CoinStore<${coinType}>`;
@@ -250,7 +219,6 @@ export class ForkManager {
         throw error;
       }
 
-      // If doesn't exist, create new one
       coinStore = {
         coin: { value: '0' },
         deposit_events: {
@@ -275,15 +243,12 @@ export class ForkManager {
       };
     }
 
-    // Add to existing balance (instead of replacing it)
     const currentBalance = BigInt(coinStore.coin.value ?? '0');
     const newBalance = currentBalance + BigInt(amount);
     coinStore.coin.value = newBalance.toString();
 
-    // Save
     await this.setResource(normalizedAddress, resourceType, coinStore);
 
-    // Also ensure account exists
     let account = this.storage.getAccount(normalizedAddress);
     if (!account) {
       account = {
@@ -296,9 +261,6 @@ export class ForkManager {
     console.log(`  ✓ Funded ${normalizedAddress} with ${amount} coins`);
   }
 
-  /**
-   * List all accounts in the fork
-   */
   listAccounts(): string[] {
     return this.storage.listAccounts();
   }
@@ -364,11 +326,9 @@ export class ForkManager {
   async getOrCreateAccount(address: string): Promise<AccountState> {
     const normalizedAddress = normalizeAddress(address);
 
-    // Try to get existing account
     try {
       return await this.getAccount(normalizedAddress);
     } catch (error) {
-      // If account doesn't exist, create a minimal one
       const newAccount: AccountState = {
         sequenceNumber: '0',
         authenticationKey: forkAuthKeyPlaceholder(normalizedAddress),