movehat 0.2.8 → 0.2.9

package/dist/core/Publisher.d.ts

@@ -1,4 +1,4 @@
-import { Account } from "@aptos-labs/ts-sdk";
+import { Account, Aptos } from "@aptos-labs/ts-sdk";
 import { MovehatConfig } from "../types/config.js";
 import { DeploymentInfo } from "./deployments.js";
 import type { ChildProcessAdapter } from "../utils/childProcessAdapter.js";
@@ -12,6 +12,13 @@ export interface PublishInput {
     config: MovehatConfig;
     account: Account;
     packageDir?: string | undefined;
+    /**
+     * Publish via the TypeScript SDK instead of the Movement CLI. Set when the
+     * backend is movelite, whose REST responses the Movement CLI cannot parse.
+     * Requires `aptos`.
+     */
+    sdkPublish?: boolean | undefined;
+    aptos?: Aptos | undefined;
 }
 /**
  * Publishes a Move module via the Movement CLI.
@@ -22,4 +29,16 @@ export declare class Publisher {
     private readonly deps;
     constructor(deps?: PublisherDeps);
     deploy(input: PublishInput): Promise<DeploymentInfo>;
+    /**
+     * Publish via the Movement CLI (`movement move publish`). The default path
+     * for real Movement nodes, forks, and testnet. Returns the parsed tx hash.
+     */
+    private publishViaCli;
+    /**
+     * Publish the already-built package via the TypeScript SDK. Used when the
+     * backend is movelite. Reads the compiled artifacts the CLI build produced
+     * under `<dir>/build/<pkg>/`, submits a `0x1::code::publish_package_txn`,
+     * and waits for it. Returns the on-chain tx hash.
+     */
+    private publishViaSdk;
 }

package/dist/core/Publisher.js

@@ -1,4 +1,6 @@
 import { PrivateKey, PrivateKeyVariants } from "@aptos-labs/ts-sdk";
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
 import { extractNamedAddresses } from "../commands/compile.js";
 import { saveDeployment, loadDeployment, validateSafeName, } from "./deployments.js";
 import { validatePathSafety } from "./shell.js";
@@ -74,103 +76,34 @@ export class Publisher {
                         .join(","),
                 ]
                 : [];
+            // The SDK publish path reads package-metadata.bcs from the build
+            // output; `--save-metadata` makes the build emit it. The CLI path
+            // doesn't need it (`move publish` rebuilds metadata internally).
+            const saveMetadataArgs = input.sdkPublish ? ["--save-metadata"] : [];
             // Build first with named addresses
             const buildResult = await withSpinner("Building package", () => runCli({
                 command: "movement",
-                args: ["move", "build", "--package-dir", safeDir, ...namedAddrArgs],
+                args: [
+                    "move",
+                    "build",
+                    "--package-dir",
+                    safeDir,
+                    ...namedAddrArgs,
+                    ...saveMetadataArgs,
+                ],
                 timeoutMs: 120000, // 2 minutes for git dependency downloads
             }, { adapter: this.deps.adapter }));
             if (isVerbose() && buildResult.stdout) {
                 logger.info(buildResult.stdout.trim(), 2);
             }
-            // Publish using direct parameters (avoid config file issues)
-            // Format the private key into AIP-80 shape so the Movement CLI
-            // doesn't emit its raw-hex deprecation warning. `formatPrivateKey`
-            // is idempotent for already-prefixed inputs.
-            const formattedPrivateKey = PrivateKey.formatPrivateKey(config.privateKey, PrivateKeyVariants.Ed25519);
-            // Move.toml is NOT mutated. All address overrides flow through
-            // the `--named-addresses` flag above, which Movement CLI applies
-            // during build + publish. Rewriting Move.toml on disk would risk
-            // leaving the user's file mutated if the process died before the
-            // restore step.
-            let publishOut = "";
-            let publishErr = "";
-            // Pass the private key to Movement CLI via a 0o600 temp file
-            // (`--private-key-file <path>`) and the on-chain address via
-            // `--sender-account <addr>`. This avoids the CLI's profile-yaml
-            // lookup chain entirely — no CWD / HOME / .aptos / .movement
-            // dance, no CLI-variant dependency.
-            const keyFilePath = writeTempKeyFile(formattedPrivateKey);
-            // Register a sync cleanup hook BEFORE invoking the CLI. If the
-            // user Ctrl+C's (or the process is SIGTERM'd) between the file
-            // write and our finally, the SIGINT handler iterates every
-            // registered callback and unlinks this deploy's key file
-            // synchronously so the private key never persists on disk after
-            // an abnormal exit. The signal-handler path uses the
-            // best-effort variant because the event loop is dead and we
-            // cannot logger.warning.
-            ensureSignalHandler();
-            const syncCleanup = () => removeKeyFileSyncBestEffort(keyFilePath);
-            cleanupCallbacks.add(syncCleanup);
-            try {
-                // Execute publish command. Private key reaches the CLI via the
-                // temp key file path (--private-key-file) — never on the
-                // command line — so it can't leak through `ps aux`. runCli's
-                // stdout/stderr redaction still applies as defense in depth
-                // for any `ed25519-priv-…` substring that surfaces in CLI
-                // output (Movement CLI sometimes echoes the key on error).
-                const publishResult = await withSpinner("Publishing to blockchain", () => runCli({
-                    command: "movement",
-                    args: [
-                        "move",
-                        "publish",
-                        "--package-dir",
-                        safeDir,
-                        "--url",
-                        config.rpc,
-                        "--private-key-file",
-                        keyFilePath,
-                        "--sender-account",
-                        deployerAddress,
-                        "--assume-yes",
-                        ...namedAddrArgs,
-                    ],
-                    timeoutMs: 120000, // 2 minutes for blockchain transactions
-                }, { adapter: this.deps.adapter }));
-                publishOut = publishResult.stdout;
-                publishErr = publishResult.stderr;
-                // Both stdout and stderr from the publish subprocess are gated
-                // behind isVerbose() — Movement CLI emits progress to both
-                // streams ("Compiling, may take a little while..."), so a
-                // visible stderr line is not by itself a failure signal. The
-                // surrounding withSpinner converts the runCli throw on real
-                // failure into the visible spinner.fail() output instead.
-                if (isVerbose() && publishOut)
-                    logger.info(publishOut.trim(), 2);
-                if (isVerbose() && publishErr)
-                    logger.info(publishErr.trim(), 2);
-            }
-            finally {
-                // Unlink the temp key file via the observable cleanup helper.
-                // ENOENT and other already-gone outcomes are benign (null).
-                // A non-null Error means the unlink failed AND the file still
-                // exists on disk — the private key would persist silently
-                // otherwise, so we emit a warning with the manual-cleanup
-                // hint. The SIGINT signal handler's sync callback below also
-                // tries to remove the same file; if SIGINT fires before this
-                // finally runs the file is gone and the next finally call
-                // sees ENOENT (benign).
-                const cleanupErr = removeKeyFile(keyFilePath);
-                if (cleanupErr) {
-                    logger.warning(`Failed to remove temp key file '${keyFilePath}': ${cleanupErr.message}. ` +
-                        `The file has mode 0o600 but should be removed manually: rm ${keyFilePath}`);
-                }
-                cleanupCallbacks.delete(syncCleanup);
-            }
-            // Extract transaction hash from output via the shared helper
-            // (`utils/parseCliOutput.ts`). Same regex pair as before; lifted
-            // for reuse by harness/codeObject.ts and harness/script.ts.
-            const txHash = parseTxHash(publishOut);
+            // Publish the freshly-built package. movelite cannot consume the
+            // Movement CLI's `move publish` REST flow (its responses omit the
+            // ledger headers and fields the CLI requires), so when the backend
+            // is movelite we publish via the TypeScript SDK instead. Every other
+            // backend keeps the CLI path.
+            const txHash = input.sdkPublish
+                ? await this.publishViaSdk(input, safeDir)
+                : await this.publishViaCli(config, safeDir, deployerAddress, namedAddrArgs);
             logger.success("Module published successfully!");
             // ←← "Publish succeeded" boundary. Anything thrown below this
             // point did NOT cause the publish to fail — the module is on
@@ -226,4 +159,149 @@ export class Publisher {
             throw error;
         }
     }
+    /**
+     * Publish via the Movement CLI (`movement move publish`). The default path
+     * for real Movement nodes, forks, and testnet. Returns the parsed tx hash.
+     */
+    async publishViaCli(config, safeDir, deployerAddress, namedAddrArgs) {
+        // Format the private key into AIP-80 shape so the Movement CLI
+        // doesn't emit its raw-hex deprecation warning. `formatPrivateKey`
+        // is idempotent for already-prefixed inputs.
+        const formattedPrivateKey = PrivateKey.formatPrivateKey(config.privateKey, PrivateKeyVariants.Ed25519);
+        // Move.toml is NOT mutated. All address overrides flow through
+        // the `--named-addresses` flag above, which Movement CLI applies
+        // during build + publish. Rewriting Move.toml on disk would risk
+        // leaving the user's file mutated if the process died before the
+        // restore step.
+        let publishOut = "";
+        let publishErr = "";
+        // Pass the private key to Movement CLI via a 0o600 temp file
+        // (`--private-key-file <path>`) and the on-chain address via
+        // `--sender-account <addr>`. This avoids the CLI's profile-yaml
+        // lookup chain entirely — no CWD / HOME / .aptos / .movement
+        // dance, no CLI-variant dependency.
+        const keyFilePath = writeTempKeyFile(formattedPrivateKey);
+        // Register a sync cleanup hook BEFORE invoking the CLI. If the
+        // user Ctrl+C's (or the process is SIGTERM'd) between the file
+        // write and our finally, the SIGINT handler iterates every
+        // registered callback and unlinks this deploy's key file
+        // synchronously so the private key never persists on disk after
+        // an abnormal exit. The signal-handler path uses the
+        // best-effort variant because the event loop is dead and we
+        // cannot logger.warning.
+        ensureSignalHandler();
+        const syncCleanup = () => removeKeyFileSyncBestEffort(keyFilePath);
+        cleanupCallbacks.add(syncCleanup);
+        try {
+            // Execute publish command. Private key reaches the CLI via the
+            // temp key file path (--private-key-file) — never on the
+            // command line — so it can't leak through `ps aux`. runCli's
+            // stdout/stderr redaction still applies as defense in depth
+            // for any `ed25519-priv-…` substring that surfaces in CLI
+            // output (Movement CLI sometimes echoes the key on error).
+            const publishResult = await withSpinner("Publishing to blockchain", () => runCli({
+                command: "movement",
+                args: [
+                    "move",
+                    "publish",
+                    "--package-dir",
+                    safeDir,
+                    "--url",
+                    config.rpc,
+                    "--private-key-file",
+                    keyFilePath,
+                    "--sender-account",
+                    deployerAddress,
+                    "--assume-yes",
+                    ...namedAddrArgs,
+                ],
+                timeoutMs: 120000, // 2 minutes for blockchain transactions
+            }, { adapter: this.deps.adapter }));
+            publishOut = publishResult.stdout;
+            publishErr = publishResult.stderr;
+            // Both stdout and stderr from the publish subprocess are gated
+            // behind isVerbose() — Movement CLI emits progress to both
+            // streams ("Compiling, may take a little while..."), so a
+            // visible stderr line is not by itself a failure signal. The
+            // surrounding withSpinner converts the runCli throw on real
+            // failure into the visible spinner.fail() output instead.
+            if (isVerbose() && publishOut)
+                logger.info(publishOut.trim(), 2);
+            if (isVerbose() && publishErr)
+                logger.info(publishErr.trim(), 2);
+        }
+        finally {
+            // Unlink the temp key file via the observable cleanup helper.
+            // ENOENT and other already-gone outcomes are benign (null).
+            // A non-null Error means the unlink failed AND the file still
+            // exists on disk — the private key would persist silently
+            // otherwise, so we emit a warning with the manual-cleanup
+            // hint. The SIGINT signal handler's sync callback below also
+            // tries to remove the same file; if SIGINT fires before this
+            // finally runs the file is gone and the next finally call
+            // sees ENOENT (benign).
+            const cleanupErr = removeKeyFile(keyFilePath);
+            if (cleanupErr) {
+                logger.warning(`Failed to remove temp key file '${keyFilePath}': ${cleanupErr.message}. ` +
+                    `The file has mode 0o600 but should be removed manually: rm ${keyFilePath}`);
+            }
+            cleanupCallbacks.delete(syncCleanup);
+        }
+        // Extract transaction hash from output via the shared helper
+        // (`utils/parseCliOutput.ts`). Same regex pair as before; lifted
+        // for reuse by harness/codeObject.ts and harness/script.ts.
+        return parseTxHash(publishOut);
+    }
+    /**
+     * Publish the already-built package via the TypeScript SDK. Used when the
+     * backend is movelite. Reads the compiled artifacts the CLI build produced
+     * under `<dir>/build/<pkg>/`, submits a `0x1::code::publish_package_txn`,
+     * and waits for it. Returns the on-chain tx hash.
+     */
+    async publishViaSdk(input, safeDir) {
+        const aptos = input.aptos;
+        if (!aptos) {
+            throw new Error("sdkPublish requires an Aptos client");
+        }
+        const buildRoot = join(safeDir, "build");
+        // The root package's compiled output is the single directory under
+        // build/ that carries a package-metadata.bcs; dependency builds live
+        // in nested bytecode_modules/dependencies/ and have no metadata here.
+        const pkgDirs = existsSync(buildRoot)
+            ? readdirSync(buildRoot, { withFileTypes: true })
+                .filter((e) => e.isDirectory())
+                .map((e) => join(buildRoot, e.name))
+                .filter((d) => existsSync(join(d, "package-metadata.bcs")))
+            : [];
+        if (pkgDirs.length !== 1) {
+            throw new Error(`Expected exactly one compiled package under ${buildRoot}, found ${pkgDirs.length}.`);
+        }
+        const pkgDir = pkgDirs[0];
+        const metadataBytes = new Uint8Array(readFileSync(join(pkgDir, "package-metadata.bcs")));
+        const modulesDir = join(pkgDir, "bytecode_modules");
+        const moduleBytecode = readdirSync(modulesDir)
+            .filter((f) => f.endsWith(".mv"))
+            .sort()
+            .map((f) => new Uint8Array(readFileSync(join(modulesDir, f))));
+        if (moduleBytecode.length === 0) {
+            throw new Error(`No compiled modules (*.mv) found in ${modulesDir}`);
+        }
+        return withSpinner("Publishing to blockchain", async () => {
+            const tx = await aptos.publishPackageTransaction({
+                account: input.account.accountAddress,
+                metadataBytes,
+                moduleBytecode,
+            });
+            const senderAuth = aptos.transaction.sign({
+                signer: input.account,
+                transaction: tx,
+            });
+            const committed = await aptos.transaction.submit.simple({
+                transaction: tx,
+                senderAuthenticator: senderAuth,
+            });
+            await aptos.waitForTransaction({ transactionHash: committed.hash });
+            return committed.hash;
+        });
+    }
 }

package/dist/helpers/setupLocalTesting.js

@@ -96,6 +96,17 @@ export async function setupLocalTesting(options = {}) {
         };
     }
 }
+/**
+ * Resolve whether to prefer movelite. Explicit `useMovelite` wins; otherwise
+ * the `MOVEHAT_USE_MOVELITE` env var acts as an override (`0` disables, `1`
+ * enables); default is enabled. Lets tooling force a backend without editing
+ * test code.
+ */
+function resolveUseMovelite(useMovelite) {
+    if (useMovelite !== undefined)
+        return useMovelite;
+    return process.env.MOVEHAT_USE_MOVELITE !== "0";
+}
 /**
  * Setup using local Movement node (full blockchain)
  */
@@ -112,7 +123,7 @@ async function setupWithLocalNode(options, accountLabels, autoFund, defaultBalan
         }
         nodeInfo = localNode.getNodeInfo();
     }
-    else if (options.useMovelite !== false && findMoveliteBinary()) {
+    else if (resolveUseMovelite(options.useMovelite) && findMoveliteBinary()) {
         localNode = new MoveliteManager(findMoveliteBinary());
         nodeInfo = await localNode.start();
         ownsNode = true;
@@ -179,11 +190,14 @@ async function setupWithLocalNode(options, accountLabels, autoFund, defaultBalan
             logger.step(`Auto-deploying ${options.autoDeploy.length} module(s)...`);
             const previousRedeploy = process.env.MH_CLI_REDEPLOY;
             process.env.MH_CLI_REDEPLOY = 'true';
+            // movelite's REST responses can't drive the Movement CLI publish flow,
+            // so deploy through the TypeScript SDK when it is the spawned backend.
+            const sdkPublish = localNode instanceof MoveliteManager;
             try {
                 for (const moduleName of options.autoDeploy) {
                     try {
                         logger.plain(`   Deploying ${moduleName}...`);
-                        await runtime.deployContract(moduleName);
+                        await runtime.deployContract(moduleName, { sdkPublish });
                         logger.success(`${moduleName} deployed`, 2);
                     }
                     catch (error) {

package/dist/runtime.js

@@ -64,6 +64,8 @@ export async function initRuntime(options = {}) {
             config,
             account,
             packageDir: options?.packageDir,
+            sdkPublish: options?.sdkPublish,
+            aptos,
         });
     };
     const getDeployment = (moduleName) => {

package/dist/types/runtime.d.ts

@@ -24,6 +24,12 @@ export interface MovehatRuntime {
          * leave this undefined so the default spawn-based adapter is used.
          */
         adapter?: ChildProcessAdapter;
+        /**
+         * Publish the compiled package via the TypeScript SDK instead of the
+         * Movement CLI. Internal: setupLocalTesting sets this when the backend
+         * is movelite, whose REST responses the Movement CLI cannot consume.
+         */
+        sdkPublish?: boolean;
     }) => Promise<DeploymentInfo>;
     getDeployment: (moduleName: string) => DeploymentInfo | null;
     getDeployments: () => Record<string, DeploymentInfo>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "movehat",
-  "version": "0.2.8",
+  "version": "0.2.9",
   "type": "module",
   "description": "Hardhat-like development framework for Movement L1 smart contracts",
   "bin": {