movehat 0.2.1 → 0.2.2

package/src/core/movementProfile.ts

@@ -1,154 +1,102 @@
-import {
-  chmodSync,
-  existsSync,
-  mkdirSync,
-  readFileSync,
-  renameSync,
-  unlinkSync,
-  writeFileSync,
-} from "fs";
-import { readFile } from "fs/promises";
-import { dirname } from "path";
+import { chmodSync, existsSync, unlinkSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
 import { randomUUID } from "crypto";
-import * as yaml from "js-yaml";
 
 /**
- * Shared helpers for working with the Movement CLI's `~/.aptos/config.yaml`
- * profile file and the SIGINT/SIGTERM cleanup pipeline.
+ * Per-deploy private-key file management and SIGINT/SIGTERM cleanup
+ * infrastructure shared across the Movement CLI invocations (`move
+ * publish`, `move deploy-object`, `move upgrade-object`, `move
+ * run-script`).
  *
- * Extracted from `core/Publisher.ts` so both the existing `move publish`
- * flow (`Publisher`) and the new `move deploy-object` / `upgrade-object`
- * flows (`harness/codeObject.ts`) can share the bug #36 / #37 / #43
- * hardening without duplicating it.
+ * **Why a temp key file rather than the CLI's profile yaml?** The
+ * Movement CLI's `--profile <name>` flag requires a config.yaml to
+ * exist in the working directory (older Movement CLI variants look
+ * for `<cwd>/.aptos/config.yaml`; newer variants look for
+ * `<cwd>/.movement/config.yaml`). On fresh user installs neither
+ * directory exists, and the CLI errors out before it would otherwise
+ * fall back to `~/.aptos/config.yaml`. Writing to a temp file and
+ * passing `--private-key-file <path> --sender-account <addr>`
+ * directly avoids the entire profile-yaml lookup chain — no CWD
+ * dependency, no CLI-variant dependency.
+ *
+ * The same SIGINT-safe cleanup pattern applies as the old profile
+ * flow: the temp key file persists private key material on disk and
+ * MUST be removed before process exit even on abnormal termination.
  *
  * @internal — not exported from `src/index.ts`.
  */
 
 /**
- * In-process serializer for `~/.aptos/config.yaml` mutations. Without it,
- * two concurrent profile writes would race in the read-modify-write cycle
- * and the second writer would silently drop the first's profile. See #37.
+ * Write the private key to a `mode 0o600` file in the system temp
+ * directory and return the path. The filename is UUID-suffixed so
+ * concurrent deploys don't collide.
+ *
+ * The key string is written verbatim — callers should format to
+ * AIP-80 before calling (see `PrivateKey.formatPrivateKey` from
+ * `@aptos-labs/ts-sdk`).
  */
-let yamlLock: Promise<unknown> = Promise.resolve();
-export function withYamlLock<T>(fn: () => Promise<T>): Promise<T> {
-  const prev = yamlLock;
-  // .then(success, failure) — continue even if the previous holder rejected,
-  // so a failure in one deploy doesn't poison the lock for the others.
-  const next = prev.then(
-    () => fn(),
-    () => fn()
-  );
-  yamlLock = next.catch(() => {}); // swallow on the shared chain; caller still gets the original
-  return next;
-}
-
-export interface ProfileData {
-  private_key: string;
-  public_key: string;
-  account: string;
-  rest_url: string;
-}
-
-interface AptosConfigYaml {
-  profiles?: Record<string, ProfileData>;
-  [key: string]: unknown;
+export function writeTempKeyFile(privateKey: string): string {
+  const path = join(tmpdir(), `movehat-key-${randomUUID()}`);
+  // mode in the open() call may be filtered by the process umask
+  // (typically 0o022 → resulting perms 0o644). chmod after write
+  // is defense in depth so the file can never be observable as
+  // group-/world-readable while it carries the private key.
+  writeFileSync(path, privateKey, { mode: 0o600 });
+  chmodSync(path, 0o600);
+  return path;
 }
 
 /**
- * Atomic write: write payload to a temp sibling → chmod the temp to 0o600
- * → rename over the target. The chmod-before-rename order eliminates a
- * window where the target file could be observable with default umask
- * perms (typically 0o644) while carrying the private key.
- */
-function atomicWriteYaml(path: string, content: string): void {
-  const tmpPath = `${path}.tmp.${randomUUID().slice(0, 8)}`;
-  writeFileSync(tmpPath, content, { mode: 0o600 });
-  chmodSync(tmpPath, 0o600); // defense in depth in case umask filtered the open mode
-  renameSync(tmpPath, path);
-}
-
-/** Add the deploy's profile to ~/.aptos/config.yaml. Creates the file if absent. */
-export async function addProfile(
-  configPath: string,
-  name: string,
-  data: ProfileData
-): Promise<void> {
-  const configDir = dirname(configPath);
-  if (!existsSync(configDir)) {
-    mkdirSync(configDir, { recursive: true, mode: 0o700 });
-  }
-  let yamlObj: AptosConfigYaml = {};
-  if (existsSync(configPath)) {
-    const raw = await readFile(configPath, "utf-8");
-    yamlObj = (yaml.load(raw) as AptosConfigYaml) || {};
-  }
-  if (!yamlObj.profiles) yamlObj.profiles = {};
-  yamlObj.profiles[name] = data;
-  atomicWriteYaml(configPath, yaml.dump(yamlObj));
-}
-
-/**
- * Remove the deploy's profile from ~/.aptos/config.yaml. Idempotent —
- * a missing file or missing profile is a no-op. If removal leaves the
- * yaml with only an empty `profiles:` block, the whole file is unlinked
- * to preserve the "didn't exist before" semantic for the first-ever deploy.
+ * Sync unlink for SIGINT/SIGTERM handlers — never throws, never logs.
+ * The event loop is dead by the time this runs; observability isn't
+ * possible. Worst case: a stale 0o600 temp file in `os.tmpdir()`
+ * that the OS reaps eventually.
+ *
+ * **Do not use this from a normal `finally` cleanup path** — failures
+ * become invisible there, hiding the case where a private-key temp
+ * file persists on disk after a deploy. Use {@link removeKeyFile}
+ * instead for those paths.
  */
-export async function removeProfile(configPath: string, name: string): Promise<void> {
-  if (!existsSync(configPath)) return;
-  const raw = await readFile(configPath, "utf-8");
-  const yamlObj: AptosConfigYaml = (yaml.load(raw) as AptosConfigYaml) || {};
-  if (!yamlObj.profiles || !(name in yamlObj.profiles)) return;
-  delete yamlObj.profiles[name];
-
-  const profilesEmpty = Object.keys(yamlObj.profiles).length === 0;
-  const onlyProfilesKey =
-    Object.keys(yamlObj).length === 1 && "profiles" in yamlObj;
-  if (profilesEmpty && onlyProfilesKey) {
-    // We created this file fresh; remove it.
-    try {
-      unlinkSync(configPath);
-    } catch {
-      // best-effort
-    }
-    return;
+export function removeKeyFileSyncBestEffort(path: string): void {
+  try {
+    unlinkSync(path);
+  } catch {
+    // event loop dead — best-effort
   }
-  atomicWriteYaml(configPath, yaml.dump(yamlObj));
 }
 
 /**
- * Synchronous twin of `removeProfile` for the SIGINT/SIGTERM handler.
- * The event loop is dead by the time the handler runs — we cannot
- * await. Bypasses the async mutex because signal handlers are
- * sequential by construction; the operation is idempotent so a
- * benign double-delete (handler then finally, or vice versa) is fine.
+ * Sync unlink for the normal cleanup path (a `finally` block after the
+ * Movement CLI invocation returns). Returns `null` on success — either
+ * the file was removed, or it was already gone (ENOENT is treated as
+ * benign success). Returns an `Error` only when the file **still
+ * exists on disk** after the unlink attempt failed (EPERM, EACCES,
+ * EBUSY, EISDIR if the path collided with a directory, etc.).
+ *
+ * Callers SHOULD `logger.warning` when a non-null Error is returned —
+ * a private-key temp file would otherwise persist silently.
  */
-export function removeProfileSync(configPath: string, name: string): void {
+export function removeKeyFile(path: string): Error | null {
   try {
-    if (!existsSync(configPath)) return;
-    const raw = readFileSync(configPath, "utf-8");
-    const yamlObj: AptosConfigYaml = (yaml.load(raw) as AptosConfigYaml) || {};
-    if (!yamlObj.profiles || !(name in yamlObj.profiles)) return;
-    delete yamlObj.profiles[name];
-
-    const profilesEmpty = Object.keys(yamlObj.profiles).length === 0;
-    const onlyProfilesKey =
-      Object.keys(yamlObj).length === 1 && "profiles" in yamlObj;
-    if (profilesEmpty && onlyProfilesKey) {
-      unlinkSync(configPath);
-      return;
-    }
-    atomicWriteYaml(configPath, yaml.dump(yamlObj));
-  } catch {
-    // Signal handlers should never throw — swallow and exit. Better to
-    // leave a stale profile (recoverable by re-running the deploy) than
-    // to crash the parent process mid-shutdown.
+    unlinkSync(path);
+    return null;
+  } catch (err) {
+    const code = (err as NodeJS.ErrnoException).code;
+    if (code === "ENOENT") return null;
+    // The unlink call failed but verify the file actually still exists
+    // before declaring this preocupante — some races (parallel cleanup,
+    // tmpdir reaper) can race with us and the file may already be gone
+    // despite the syscall reporting an unexpected error.
+    if (!existsSync(path)) return null;
+    return err instanceof Error ? err : new Error(String(err));
   }
 }
 
 /**
  * Process-level signal handling. A single registered handler iterates
- * the per-deploy cleanup callbacks. Install-once because multiple
- * concurrent deploys share the same parent process — installing per
+ * the per-deploy cleanup callbacks. Installed once per process because
+ * multiple concurrent deploys share the same parent — installing per
  * deploy would re-add the listener and exceed Node's max-listeners
  * warning threshold under heavy parallelism.
  */
@@ -159,7 +107,7 @@ export function ensureSignalHandler(): void {
   if (signalHandlerInstalled) return;
   signalHandlerInstalled = true;
   const handler = (sig: NodeJS.Signals) => {
-    // Synchronous cleanup of every active deploy's profile entry.
+    // Synchronous cleanup of every active deploy's resources.
     for (const cb of [...cleanupCallbacks]) {
       try {
         cb();

package/src/fork/__tests__/server.cors.test.ts

@@ -0,0 +1,101 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { mkdtempSync, rmSync, mkdirSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import type { AddressInfo } from "node:net";
+
+import { ForkServer } from "../server.js";
+
+/**
+ * F2 — ForkServer must not advertise `Access-Control-Allow-Origin: *`
+ * by default. Cached fork state may include account resources fetched
+ * from authenticated upstream nodes; any web page open in the dev's
+ * browser should not be able to read it through the loopback listener.
+ *
+ * Default contract:
+ *   - No CORS header emitted unless the caller opts in via
+ *     `corsAllowOrigins`.
+ *   - When opted in, only requests whose `Origin` is in the allowlist
+ *     receive a matching `Access-Control-Allow-Origin` (echo of origin,
+ *     not `*`).
+ */
+
+function makeForkDir(): string {
+  const dir = mkdtempSync(join(tmpdir(), "movehat-fork-cors-"));
+  mkdirSync(join(dir, "resources"), { recursive: true });
+  writeFileSync(
+    join(dir, "metadata.json"),
+    JSON.stringify({
+      network: "test",
+      nodeUrl: "http://example.invalid/v1",
+      chainId: 0,
+      ledgerVersion: "0",
+      timestamp: "0",
+      epoch: "0",
+      blockHeight: "0",
+      createdAt: new Date().toISOString(),
+    }),
+  );
+  writeFileSync(join(dir, "accounts.json"), "{}");
+  return dir;
+}
+
+function boundPort(server: ForkServer): number {
+  const internal = (server as unknown as {
+    server: { address(): AddressInfo };
+  }).server;
+  const addr = internal.address();
+  return addr.port;
+}
+
+async function fetchFromServer(
+  port: number,
+  origin?: string
+): Promise<Response> {
+  const headers: Record<string, string> = {};
+  if (origin !== undefined) headers.Origin = origin;
+  return fetch(`http://127.0.0.1:${port}/v1/`, { headers });
+}
+
+describe("F2 — ForkServer CORS is closed by default", () => {
+  let forkDir: string;
+  let server: ForkServer | null = null;
+
+  beforeEach(() => {
+    forkDir = makeForkDir();
+  });
+
+  afterEach(async () => {
+    if (server) {
+      await server.stop();
+      server = null;
+    }
+    rmSync(forkDir, { recursive: true, force: true });
+  });
+
+  it("does not emit Access-Control-Allow-Origin by default", async () => {
+    server = new ForkServer(forkDir, 0);
+    await server.start();
+    const port = boundPort(server);
+
+    const res = await fetchFromServer(port, "https://evil.example");
+    expect(res.status).toBe(200);
+    expect(res.headers.get("access-control-allow-origin")).toBeNull();
+  });
+
+  it("echoes only allow-listed origins when corsAllowOrigins is set", async () => {
+    server = new ForkServer(forkDir, 0, "127.0.0.1", {
+      corsAllowOrigins: ["https://trusted.example"],
+    });
+    await server.start();
+    const port = boundPort(server);
+
+    const allowed = await fetchFromServer(port, "https://trusted.example");
+    expect(allowed.headers.get("access-control-allow-origin")).toBe(
+      "https://trusted.example"
+    );
+
+    const denied = await fetchFromServer(port, "https://evil.example");
+    expect(denied.headers.get("access-control-allow-origin")).toBeNull();
+  });
+});

package/src/fork/api.ts

@@ -4,6 +4,16 @@ import { URL } from 'url';
 import type { LedgerInfo, AccountData, AccountResource } from '../types/fork.js';
 import { normalizeAddressShort } from '../utils/address.js';
 
+export interface MovementApiClientOptions {
+  /** Abort the request after this many ms (default: 30_000). */
+  timeoutMs?: number;
+  /** Reject responses larger than this many bytes (default: 16 MiB). */
+  maxBytes?: number;
+}
+
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_MAX_BYTES = 16 * 1024 * 1024;
+
 /**
  * Client for interacting with Movement L1 JSON API.
  *
@@ -15,8 +25,14 @@ import { normalizeAddressShort } from '../utils/address.js';
 export class MovementApiClient {
   private nodeUrl: string;
   private readonly apiKey?: string;
-
-  constructor(nodeUrl: string, apiKey?: string) {
+  private readonly timeoutMs: number;
+  private readonly maxBytes: number;
+
+  constructor(
+    nodeUrl: string,
+    apiKey?: string,
+    options: MovementApiClientOptions = {}
+  ) {
     // Remove trailing slash
     let normalized = nodeUrl.replace(/\/$/, '');
 
@@ -28,6 +44,8 @@ export class MovementApiClient {
 
     this.nodeUrl = normalized;
     if (apiKey !== undefined) this.apiKey = apiKey;
+    this.timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    this.maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
   }
 
   /**
@@ -52,31 +70,72 @@ export class MovementApiClient {
       requestOptions.headers = { Authorization: `Bearer ${this.apiKey}` };
     }
 
+    const timeoutMs = this.timeoutMs;
+    const maxBytes = this.maxBytes;
+
     return new Promise((resolve, reject) => {
-      const req = client.get(fullUrl, requestOptions, (res) => {
-        let data = '';
+      let settled = false;
+      const settle = (fn: () => void) => {
+        if (settled) return;
+        settled = true;
+        fn();
+      };
 
-        res.on('data', (chunk) => {
-          data += chunk;
+      const req = client.get(fullUrl, requestOptions, (res) => {
+        const chunks: Buffer[] = [];
+        let totalBytes = 0;
+
+        res.on('data', (chunk: Buffer | string) => {
+          const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+          totalBytes += buf.length;
+          if (totalBytes > maxBytes) {
+            req.destroy();
+            settle(() =>
+              reject(
+                new Error(
+                  `Response exceeded maxBytes (${maxBytes}); ${totalBytes} bytes received before abort`
+                )
+              )
+            );
+            return;
+          }
+          chunks.push(buf);
         });
 
         res.on('end', () => {
+          if (settled) return;
+          const data = Buffer.concat(chunks).toString('utf8');
           if (res.statusCode !== 200) {
-            reject(new Error(`API request failed with status ${res.statusCode}: ${data}`));
+            settle(() =>
+              reject(
+                new Error(
+                  `API request failed with status ${res.statusCode}: ${data}`
+                )
+              )
+            );
             return;
           }
 
           try {
             const parsed = JSON.parse(data);
-            resolve(parsed);
+            settle(() => resolve(parsed));
           } catch (err) {
-            reject(new Error(`Failed to parse JSON response: ${err}`));
+            settle(() =>
+              reject(new Error(`Failed to parse JSON response: ${err}`))
+            );
           }
         });
       });
 
+      req.setTimeout(timeoutMs, () => {
+        req.destroy();
+        settle(() =>
+          reject(new Error(`API request timed out after ${timeoutMs}ms`))
+        );
+      });
+
       req.on('error', (err) => {
-        reject(new Error(`API request failed: ${err.message}`));
+        settle(() => reject(new Error(`API request failed: ${err.message}`)));
       });
 
       req.end();

package/src/fork/server.ts

@@ -2,6 +2,19 @@ import http from 'http';
 import { URL } from 'url';
 import { ForkManager } from './manager.js';
 
+export interface ForkServerOptions {
+  /**
+   * Origins allowed to make cross-origin requests. When unset (default),
+   * no `Access-Control-Allow-Origin` header is emitted — any browser
+   * cross-origin read is rejected by the user agent. Setting this to a
+   * non-empty list opts into echoing matching `Origin` request headers
+   * back. Wildcard `'*'` is intentionally NOT supported: cached fork
+   * state may include resources that should not be readable by every
+   * page in the dev's browser.
+   */
+  corsAllowOrigins?: readonly string[];
+}
+
 /**
  * Fork Server - Serves fork data via Movement L1 RPC API
  * Emulates a Movement L1 node using local fork storage
@@ -11,16 +24,38 @@ export class ForkServer {
   private forkManager: ForkManager;
   private port: number;
   private host: string;
+  private readonly corsAllowOrigins: ReadonlySet<string>;
 
   /**
    * @param host Interface to bind. Defaults to `127.0.0.1` so cached fork
    *   state (which may include sensitive resources) is not exposed on the LAN.
    *   Pass `'0.0.0.0'` only if you intentionally need to expose the server.
+   * @param options Optional CORS allowlist (see {@link ForkServerOptions}).
    */
-  constructor(forkPath: string, port: number = 8080, host: string = '127.0.0.1') {
+  constructor(
+    forkPath: string,
+    port: number = 8080,
+    host: string = '127.0.0.1',
+    options: ForkServerOptions = {}
+  ) {
     this.forkManager = new ForkManager(forkPath);
     this.port = port;
     this.host = host;
+    this.corsAllowOrigins = new Set(options.corsAllowOrigins ?? []);
+  }
+
+  /**
+   * Set CORS headers for a request when the request's `Origin` is in
+   * the allowlist. No-op otherwise.
+   */
+  private applyCors(req: http.IncomingMessage, res: http.ServerResponse): void {
+    const origin = req.headers.origin;
+    if (typeof origin === 'string' && this.corsAllowOrigins.has(origin)) {
+      res.setHeader('Access-Control-Allow-Origin', origin);
+      res.setHeader('Vary', 'Origin');
+      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    }
   }
 
   /**
@@ -44,10 +79,7 @@ export class ForkServer {
 
         // Only send response if headers haven't been sent yet
         if (!res.headersSent) {
-          // Add CORS headers (same as in handleRequest)
-          res.setHeader('Access-Control-Allow-Origin', '*');
-          res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-          res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+          this.applyCors(req, res);
 
           // Send generic error response (no internal details exposed)
           this.sendJSON(res, 500, {
@@ -143,10 +175,7 @@ export class ForkServer {
     // Log request
     console.log(`[${new Date().toISOString()}] ${req.method} ${pathname}`);
 
-    // CORS headers
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    this.applyCors(req, res);
 
     // Handle OPTIONS for CORS preflight
     if (req.method === 'OPTIONS') {

package/src/harness/Harness.ts

@@ -92,19 +92,28 @@ export class Harness {
    * and `runMoveScript` throw with a message pointing at `createLocal`.
    * `runViewFunction` works (read-only path).
    *
-   * @param network - Network to fork (e.g. `"testnet"`).
+   * @param network - Network to fork. Built-ins: `"testnet"`, `"mainnet"`.
+   *   Any other name requires `rpcUrl`.
    * @param apiKey - Optional Movement API key. When set, every upstream
    *   request from the fork's `MovementApiClient` carries
    *   `Authorization: Bearer <apiKey>`. Use for rate-limited public
    *   endpoints or auth-gated nodes. The key stays in process memory
    *   (not persisted to the fork's on-disk metadata).
+   * @param rpcUrl - Required when forking a non-built-in network.
+   *   Ignored when a fork already exists on disk (the saved metadata's
+   *   nodeUrl is reused).
    */
-  static async createFork(network: string, apiKey?: string): Promise<Harness> {
+  static async createFork(
+    network: string,
+    apiKey?: string,
+    rpcUrl?: string
+  ): Promise<Harness> {
     const setupOpts: import("../types/config.js").LocalTestOptions = {
       mode: "fork",
       forkNetwork: network,
     };
     if (apiKey !== undefined) setupOpts.forkApiKey = apiKey;
+    if (rpcUrl !== undefined) setupOpts.forkRpcUrl = rpcUrl;
     const ctx = await setupLocalTesting(setupOpts);
     const init: HarnessInit = {
       mode: "fork",