npm - movehat - Versions diffs - 0.2.5 → 0.2.6 - Mend

movehat 0.2.5 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/commands/run.d.ts +17 -0
package/dist/commands/run.js +46 -32
package/dist/core/config.js +109 -27
package/dist/utils/parseCliOutput.d.ts +6 -3
package/dist/utils/parseCliOutput.js +10 -5
package/package.json +1 -1

package/dist/commands/run.d.ts CHANGED Viewed

@@ -1,4 +1,21 @@
 import type { RunResult } from "../utils/childProcessAdapter.js";
+/**
+ * Resolve the tsx CLI entrypoint (`<tsx-pkg>/dist/cli.mjs`) used by
+ * `movehat run` to execute user scripts. Prefers movehat's bundled tsx
+ * by default; falls back to the cwd's tsx only if bundled is missing
+ * (defensive — should not happen for normal installs). Set
+ * `MOVEHAT_TSX_FROM_CWD=1` or pass `preferCwd: true` to flip the
+ * order — power-users who pinned a different tsx in their project.
+ *
+ * Security: the default order closes #52 (untrusted cwd could ship a
+ * malicious `node_modules/tsx/dist/cli.mjs`).
+ *
+ * Exported so the resolution logic can be unit-tested without
+ * spawning a real process.
+ */
+export declare function resolveTsxCliPath(opts?: {
+    preferCwd?: boolean;
+}): string | null;
 /**
  * Apply the exit policy for a child whose output was inherited by the
  * parent. When the child dies via signal, re-raise it on the parent so

package/dist/commands/run.js CHANGED Viewed

@@ -4,6 +4,45 @@ import { fileURLToPath } from "url";
 import { createRequire } from "module";
 import { runCli } from "../utils/runCli.js";
 import { logger } from "../ui/index.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const requireFromHere = createRequire(import.meta.url);
+/**
+ * Resolve the tsx CLI entrypoint (`<tsx-pkg>/dist/cli.mjs`) used by
+ * `movehat run` to execute user scripts. Prefers movehat's bundled tsx
+ * by default; falls back to the cwd's tsx only if bundled is missing
+ * (defensive — should not happen for normal installs). Set
+ * `MOVEHAT_TSX_FROM_CWD=1` or pass `preferCwd: true` to flip the
+ * order — power-users who pinned a different tsx in their project.
+ *
+ * Security: the default order closes #52 (untrusted cwd could ship a
+ * malicious `node_modules/tsx/dist/cli.mjs`).
+ *
+ * Exported so the resolution logic can be unit-tested without
+ * spawning a real process.
+ */
+export function resolveTsxCliPath(opts) {
+    const preferCwd = opts?.preferCwd ?? process.env.MOVEHAT_TSX_FROM_CWD === "1";
+    const bundledRoot = __dirname;
+    const cwdRoot = process.cwd();
+    const lookupOrder = preferCwd
+        ? [cwdRoot, bundledRoot]
+        : [bundledRoot, cwdRoot];
+    for (const root of lookupOrder) {
+        try {
+            const tsxEntry = requireFromHere.resolve("tsx", { paths: [root] });
+            // require.resolve("tsx") returns .../tsx/dist/loader.mjs; walk up
+            // to the package root and into dist/cli.mjs.
+            const packageRoot = dirname(dirname(tsxEntry));
+            const cliPath = join(packageRoot, "dist", "cli.mjs");
+            if (existsSync(cliPath))
+                return cliPath;
+        }
+        catch {
+            // Lookup failed at this root; try the next one.
+        }
+    }
+    return null;
+}
 /**
  * Apply the exit policy for a child whose output was inherited by the
  * parent. When the child dies via signal, re-raise it on the parent so
@@ -50,39 +89,14 @@ export default async function runCommand(scriptPath) {
         logger.plain(`   Network: ${network}`);
     }
     logger.newline();
-    // Find tsx binary - try multiple locations for compatibility
-    // Uses require.resolve for cross-platform compatibility (works on Windows, macOS, Linux)
-    const __filename = fileURLToPath(import.meta.url);
-    const __dirname = dirname(__filename);
-    // Create require function for ESM (needed to use require.resolve in ESM modules)
-    const require = createRequire(import.meta.url);
-    let tsxPath;
-    try {
-        // Try to resolve tsx package from user's project first
-        const tsxPackagePath = require.resolve("tsx", { paths: [process.cwd()] });
-        // require.resolve("tsx") returns .../tsx/dist/loader.mjs
-        // We need to go up to the tsx package root, then into dist/cli.mjs
-        const tsxPackageRoot = dirname(dirname(tsxPackagePath));
-        tsxPath = join(tsxPackageRoot, "dist", "cli.mjs");
-        // Verify the file exists
-        if (!existsSync(tsxPath)) {
-            throw new Error("cli.mjs not found");
-        }
-    }
-    catch {
-        try {
-            // Fallback to movehat's own tsx
-            const tsxPackagePath = require.resolve("tsx", { paths: [__dirname] });
-            const tsxPackageRoot = dirname(dirname(tsxPackagePath));
-            tsxPath = join(tsxPackageRoot, "dist", "cli.mjs");
-            if (!existsSync(tsxPath)) {
-                throw new Error("cli.mjs not found");
-            }
-        }
-        catch {
-            tsxPath = "";
-        }
+    // Find tsx binary — bundled-first per #52 (supply-chain hardening).
+    // Cwd resolution stays available behind an opt-in env var for users
+    // who pinned a different tsx in their project.
+    if (process.env.MOVEHAT_TSX_FROM_CWD === "1") {
+        logger.warning("MOVEHAT_TSX_FROM_CWD=1: resolving tsx from cwd first. " +
+            "Only use this in trusted project directories.");
     }
+    const tsxPath = resolveTsxCliPath();
     if (!tsxPath) {
         logger.error("tsx binary not found");
         logger.plain("   Make sure 'tsx' is installed in your project:");

package/dist/core/config.js CHANGED Viewed

@@ -13,6 +13,45 @@ import { logger } from "../ui/index.js";
 // same value here. No corruption, no in-flight-promise memoization
 // needed.
 const configCache = new Map();
+// In-flight load deduplication (#47). When two callers hit a cold cache
+// for the same config file concurrently, both would invoke
+// `register()` from `tsx/esm/api` and race on the unregister cleanup.
+// The dedup map ensures only ONE load runs per (path, mtime) burst —
+// concurrent callers await the same Promise. Cleared after the load
+// settles so a later edit (new mtime) can re-trigger a cold load.
+const inFlightLoads = new Map();
+// Hostnames recognized as safe targets for the deterministic test key
+// auto-injection. Any URL whose hostname is not in this set causes the
+// test-key path to be skipped even if the network NAME is 'testnet' or
+// 'local' (#40 — name-only gating was spoofable when users named a
+// production-pointing network 'testnet').
+const TEST_ENDPOINT_HOSTS = new Set([
+    "testnet.movementnetwork.xyz",
+    "localhost",
+    "127.0.0.1",
+    "::1",
+]);
+function isKnownTestEndpoint(url) {
+    try {
+        return TEST_ENDPOINT_HOSTS.has(new URL(url).hostname.toLowerCase());
+    }
+    catch {
+        return false;
+    }
+}
+// Render a URL for log output without exposing userinfo (`user:pass@`)
+// or query strings (`?apiKey=…`). Returns the protocol + host + pathname
+// only, which is enough for the operator to identify the endpoint
+// without leaking embedded credentials to CI logs.
+function sanitizeUrlForLog(url) {
+    try {
+        const parsed = new URL(url);
+        return `${parsed.protocol}//${parsed.host}${parsed.pathname}`;
+    }
+    catch {
+        return "<invalid-url>";
+    }
+}
 /**
  * Loads the user's movehat.config.{ts,js} from the current working directory.
  *
@@ -47,32 +86,58 @@ export async function loadUserConfig() {
         if (cached && cached.mtimeMs === mtimeMs) {
             return cached.config;
         }
-        let configModule;
-        if (configPath.endsWith('.ts')) {
-            const { register } = await import('tsx/esm/api');
-            const unregister = register();
-            try {
-                const configUrl = pathToFileURL(configPath).href;
-                configModule = await import(configUrl + '?mtime=' + mtimeMs);
-            }
-            finally {
-                unregister();
-            }
+        // Dedup concurrent cold-cache loads of the same file (#47).
+        // Without this, two callers race on tsx's register/unregister and
+        // the second may run its `await import()` after the first calls
+        // unregister(), removing the loader mid-flight. All callers go
+        // through the same `return await loadPromise` below so the outer
+        // try/catch wraps a consistent error regardless of who started the
+        // load.
+        let loadPromise = inFlightLoads.get(configPath);
+        if (!loadPromise) {
+            loadPromise = doLoadConfig(configPath, mtimeMs);
+            inFlightLoads.set(configPath, loadPromise);
+            // Clean up after settles. `.catch(() => undefined)` after the
+            // finally chain swallows the cleanup-promise rejection so it
+            // does not become an unhandled rejection — the actual awaiters
+            // still see the original rejection via `return await loadPromise`.
+            void loadPromise
+                .finally(() => {
+                if (inFlightLoads.get(configPath) === loadPromise) {
+                    inFlightLoads.delete(configPath);
+                }
+            })
+                .catch(() => undefined);
         }
-        else {
+        return await loadPromise;
+    }
+    catch (error) {
+        throw new Error(`Failed to load configuration file '${configPath}': ${error}`);
+    }
+}
+async function doLoadConfig(configPath, mtimeMs) {
+    let configModule;
+    if (configPath.endsWith('.ts')) {
+        const { register } = await import('tsx/esm/api');
+        const unregister = register();
+        try {
             const configUrl = pathToFileURL(configPath).href;
             configModule = await import(configUrl + '?mtime=' + mtimeMs);
         }
-        const userConfig = configModule.default;
-        if (!userConfig.networks || Object.keys(userConfig.networks).length === 0) {
-            throw new Error("No networks defined in configuration. Add at least one network in the 'networks' field.");
+        finally {
+            unregister();
         }
-        configCache.set(configPath, { mtimeMs, config: userConfig });
-        return userConfig;
     }
-    catch (error) {
-        throw new Error(`Failed to load configuration file '${configPath}': ${error}`);
+    else {
+        const configUrl = pathToFileURL(configPath).href;
+        configModule = await import(configUrl + '?mtime=' + mtimeMs);
     }
+    const userConfig = configModule.default;
+    if (!userConfig.networks || Object.keys(userConfig.networks).length === 0) {
+        throw new Error("No networks defined in configuration. Add at least one network in the 'networks' field.");
+    }
+    configCache.set(configPath, { mtimeMs, config: userConfig });
+    return userConfig;
 }
 /**
  * Clear the in-memory config cache. Test-only escape hatch.
@@ -82,6 +147,7 @@ export async function loadUserConfig() {
  */
 export function _resetConfigCache() {
     configCache.clear();
+    inFlightLoads.clear();
 }
 /**
  * Resolve configuration for a specific network
@@ -136,15 +202,30 @@ export async function resolveNetworkConfig(userConfig, networkName) {
     if (accounts.length === 0 && process.env.PRIVATE_KEY) {
         accounts = [process.env.PRIVATE_KEY];
     }
-    // 4. Validate we have at least one account (unless using testnet/local)
+    // 4. Validate we have at least one account (unless using testnet/local
+    //    AND the URL is a recognized test endpoint — name alone is not enough
+    //    per #40, since a user can name a network 'testnet' but point it at
+    //    a production RPC and would otherwise inherit the deterministic test
+    //    key with a production endpoint).
     if (accounts.length === 0 || !accounts[0]) {
-        // Special case: Auto-generate test accounts for testing networks
-        // testnet = public Movement test network (recommended)
-        // local = local fork server
-        if (selectedNetwork === "testnet" || selectedNetwork === "local") {
+        const isTestNetworkName = selectedNetwork === "testnet" || selectedNetwork === "local";
+        const isTestEndpoint = isTestNetworkName && isKnownTestEndpoint(networkConfig.url);
+        if (isTestNetworkName && !isTestEndpoint) {
+            // Name matches the reserved convention but URL is not a recognized
+            // test endpoint — block the deterministic test-key injection. Falls
+            // through to the standard "no accounts" throw below so the user gets
+            // actionable guidance.
+            logger.warning(`Network '${selectedNetwork}' uses a name reserved for testnet/local ` +
+                `but '${sanitizeUrlForLog(networkConfig.url)}' is not a recognized test endpoint. ` +
+                `Skipping auto-injection of the deterministic test key to protect ` +
+                `against accidental production use. Set PRIVATE_KEY explicitly, ` +
+                `configure 'accounts' in movehat.config.ts, or rename this network.`);
+        }
+        if (isTestEndpoint) {
             // Security: Using a deterministic test account (like Hardhat's default accounts)
             // This is SAFE because:
-            // 1. Only used for testnet/local (never mainnet - that throws error below)
+            // 1. Only used for testnet/local against a known test endpoint
+            //    (network NAME + URL allowlist enforced above; bypassed otherwise)
             // 2. Perfect for transaction simulation (no real funds)
             // 3. Deterministic = consistent test results
             const testPrivateKey = "0x0000000000000000000000000000000000000000000000000000000000000001";
@@ -155,8 +236,9 @@ export async function resolveNetworkConfig(userConfig, networkName) {
             logger.newline();
         }
         else {
-            // For any other network (especially mainnet), REQUIRE explicit configuration
-            // This prevents accidentally using the test key on production networks
+            // For any other network (mainnet, or testnet/local with a non-test
+            // URL), REQUIRE explicit configuration. This prevents accidentally
+            // using the test key on production networks.
             throw new Error(`Network '${selectedNetwork}' has no accounts configured.\n` +
                 `\n` +
                 `SECURITY: This network requires explicit account configuration.\n` +

package/dist/utils/parseCliOutput.d.ts CHANGED Viewed

@@ -6,9 +6,12 @@
 /**
  * Extract the transaction hash from a `movement` CLI subcommand's stdout.
  *
- * Tries the context-bearing pattern first (`transaction hash: 0x…`,
- * `txn hash: 0x…`, `hash: 0x…`) and falls back to any 64-char hex
- * literal in the buffer. Returns `undefined` if no candidate matches.
+ * Only the context-bearing pattern is accepted (`transaction hash: 0x…`,
+ * `txn hash: 0x…`, `hash: 0x…`). When the context is absent we log a
+ * warning and return `undefined` so callers decide whether to throw —
+ * the previous behavior of falling back to "any 64-hex literal" was
+ * fragile: a padded module address or state root printed before the
+ * actual txhash would silently corrupt the cached deployment record.
  *
  * Shared by `core/Publisher.ts` (publish), `harness/codeObject.ts`
  * (deploy-object / upgrade-object), and `harness/script.ts`

package/dist/utils/parseCliOutput.js CHANGED Viewed

@@ -3,12 +3,16 @@
  *
  * @internal — not exported from `src/index.ts`.
  */
+import { logger } from '../ui/index.js';
 /**
  * Extract the transaction hash from a `movement` CLI subcommand's stdout.
  *
- * Tries the context-bearing pattern first (`transaction hash: 0x…`,
- * `txn hash: 0x…`, `hash: 0x…`) and falls back to any 64-char hex
- * literal in the buffer. Returns `undefined` if no candidate matches.
+ * Only the context-bearing pattern is accepted (`transaction hash: 0x…`,
+ * `txn hash: 0x…`, `hash: 0x…`). When the context is absent we log a
+ * warning and return `undefined` so callers decide whether to throw —
+ * the previous behavior of falling back to "any 64-hex literal" was
+ * fragile: a padded module address or state root printed before the
+ * actual txhash would silently corrupt the cached deployment record.
  *
  * Shared by `core/Publisher.ts` (publish), `harness/codeObject.ts`
  * (deploy-object / upgrade-object), and `harness/script.ts`
@@ -20,6 +24,7 @@ export function parseTxHash(stdout) {
     const withContext = stdout.match(/(?:transaction\s*(?:hash)?|txn\s*(?:hash)?|hash):\s*(0x[a-fA-F0-9]{64})\b/i);
     if (withContext?.[1])
         return withContext[1];
-    const fallback = stdout.match(/\b(0x[a-fA-F0-9]{64})\b/);
-    return fallback?.[1];
+    logger.warning(`parseTxHash: no contextual 'transaction|txn|hash: 0x…' match in ${stdout.length}-byte CLI output. ` +
+        `Returning undefined; the caller decides whether to error.`);
+    return undefined;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "movehat",
-  "version": "0.2.5",
+  "version": "0.2.6",
   "type": "module",
   "description": "Hardhat-like development framework for Movement L1 smart contracts",
   "bin": {