oathbound 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli.ts +11 -1
- package/package.json +1 -1
package/cli.ts
CHANGED
|
@@ -7,7 +7,7 @@ import { writeFileSync, readFileSync, unlinkSync, existsSync, readdirSync, statS
|
|
|
7
7
|
import { join, relative } from 'node:path';
|
|
8
8
|
import { tmpdir } from 'node:os';
|
|
9
9
|
|
|
10
|
-
const VERSION = '0.1.
|
|
10
|
+
const VERSION = '0.1.1';
|
|
11
11
|
|
|
12
12
|
// --- Supabase ---
|
|
13
13
|
const SUPABASE_URL = 'https://mjnfqagwuewhgwbtrdgs.supabase.co';
|
|
@@ -243,10 +243,13 @@ async function verify(): Promise<void> {
|
|
|
243
243
|
for (const [name, localHash] of Object.entries(localHashes)) {
|
|
244
244
|
const registryHash = registryHashes.get(name);
|
|
245
245
|
if (!registryHash) {
|
|
246
|
+
process.stderr.write(`${DIM} ${name}: ${localHash} (not in registry)${RESET}\n`);
|
|
246
247
|
rejected.push({ name, reason: 'not in registry' });
|
|
247
248
|
} else if (localHash !== registryHash) {
|
|
249
|
+
process.stderr.write(`${RED} ${name}: ${localHash} ≠ ${registryHash}${RESET}\n`);
|
|
248
250
|
rejected.push({ name, reason: `content hash mismatch (local: ${localHash.slice(0, 8)}…, registry: ${registryHash.slice(0, 8)}…)` });
|
|
249
251
|
} else {
|
|
252
|
+
process.stderr.write(`${GREEN} ${name}: ${localHash} ✓${RESET}\n`);
|
|
250
253
|
verified[name] = localHash;
|
|
251
254
|
}
|
|
252
255
|
}
|
|
@@ -312,6 +315,7 @@ async function verifyCheck(): Promise<void> {
|
|
|
312
315
|
const sessionHash = state.verified[baseName];
|
|
313
316
|
|
|
314
317
|
if (!sessionHash) {
|
|
318
|
+
process.stderr.write(`${RED} ${baseName}: ${currentHash} (not verified at session start)${RESET}\n`);
|
|
315
319
|
console.log(JSON.stringify({
|
|
316
320
|
hookSpecificOutput: {
|
|
317
321
|
hookEventName: 'PreToolUse',
|
|
@@ -323,6 +327,7 @@ async function verifyCheck(): Promise<void> {
|
|
|
323
327
|
}
|
|
324
328
|
|
|
325
329
|
if (currentHash !== sessionHash) {
|
|
330
|
+
process.stderr.write(`${RED} ${baseName}: ${currentHash} ≠ ${sessionHash} (tampered)${RESET}\n`);
|
|
326
331
|
console.log(JSON.stringify({
|
|
327
332
|
hookSpecificOutput: {
|
|
328
333
|
hookEventName: 'PreToolUse',
|
|
@@ -333,6 +338,8 @@ async function verifyCheck(): Promise<void> {
|
|
|
333
338
|
process.exit(0);
|
|
334
339
|
}
|
|
335
340
|
|
|
341
|
+
process.stderr.write(`${GREEN} ${baseName}: ${currentHash} ✓${RESET}\n`);
|
|
342
|
+
|
|
336
343
|
// Hash matches — allow
|
|
337
344
|
process.exit(0);
|
|
338
345
|
}
|
|
@@ -380,7 +387,10 @@ async function pull(skillArg: string): Promise<void> {
|
|
|
380
387
|
const hash = createHash('sha256').update(buffer).digest('hex');
|
|
381
388
|
verify.stop();
|
|
382
389
|
|
|
390
|
+
console.log(`${DIM} tar hash: ${hash}${RESET}`);
|
|
391
|
+
|
|
383
392
|
if (hash !== skill.tar_hash) {
|
|
393
|
+
console.log(`${RED} expected: ${skill.tar_hash}${RESET}`);
|
|
384
394
|
fail('Verification failed', `Downloaded file does not match expected hash for ${fullName}`);
|
|
385
395
|
}
|
|
386
396
|
|