npm - ocx - Versions diffs - 1.0.21 → 1.1.0 - Mend

ocx 1.0.21 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -9864,6 +9864,18 @@ function isAbsolutePath(p) {
 var safeRelativePathSchema = exports_external.string().refine((val) => !val.includes("\x00"), "Path cannot contain null bytes").refine((val) => !val.split(/[/\\]/).some((seg) => seg === ".."), "Path cannot contain '..'").refine((val) => !isAbsolutePath(val), "Path must be relative, not absolute");
 // src/schemas/registry.ts
+var npmSpecifierSchema = exports_external.string().refine((val) => val.startsWith("npm:"), {
+  message: 'npm specifier must start with "npm:" prefix'
+}).refine((val) => {
+  const remainder = val.slice(4);
+  if (!remainder)
+    return false;
+  if (remainder.includes("..") || remainder.includes("/./"))
+    return false;
+  return true;
+}, {
+  message: "Invalid npm specifier format"
+});
 var openCodeNameSchema = exports_external.string().min(1, "Name cannot be empty").max(64, "Name cannot exceed 64 characters").regex(/^[a-z0-9]+(-[a-z0-9]+)*$/, {
   message: "Must be lowercase alphanumeric with single hyphen separators (e.g., 'my-component', 'my-plugin'). Cannot start/end with hyphen or have consecutive hyphens."
 });
@@ -10420,7 +10432,7 @@ class GhostConfigProvider {
 // package.json
 var package_default = {
   name: "ocx",
-  version: "1.0.21",
+  version: "1.1.0",
   description: "OCX CLI - ShadCN-style registry for OpenCode extensions. Install agents, plugins, skills, and MCP servers.",
   author: "kdcokenny",
   license: "MIT",
@@ -11082,14 +11094,14 @@ var sharedOptions = {
   cwd: () => new Option("--cwd <path>", "Working directory").default(process.cwd()),
   quiet: () => new Option("-q, --quiet", "Suppress output"),
   json: () => new Option("--json", "Output as JSON"),
-  yes: () => new Option("-y, --yes", "Skip confirmation prompts"),
+  force: () => new Option("-f, --force", "Skip confirmation prompts"),
   verbose: () => new Option("-v, --verbose", "Verbose output")
 };
 function addCommonOptions(cmd) {
   return cmd.addOption(sharedOptions.cwd()).addOption(sharedOptions.quiet()).addOption(sharedOptions.json());
 }
-function addConfirmationOptions(cmd) {
-  return cmd.addOption(sharedOptions.yes());
+function addForceOption(cmd) {
+  return cmd.addOption(sharedOptions.force());
 }
 function addVerboseOption(cmd) {
   return cmd.addOption(sharedOptions.verbose());
@@ -12486,11 +12498,154 @@ function warnCompatIssues(registryName, issues) {
     logger.log(formatCompatWarning(registryName, issue));
   }
 }
+// src/utils/npm-registry.ts
+var NPM_REGISTRY_BASE = "https://registry.npmjs.org";
+var NPM_FETCH_TIMEOUT_MS = 30000;
+var NPM_NAME_REGEX = /^(?:@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/;
+var MAX_NAME_LENGTH = 214;
+function validateNpmPackageName(name) {
+  if (!name) {
+    throw new ValidationError("npm package name cannot be empty");
+  }
+  if (name.length > MAX_NAME_LENGTH) {
+    throw new ValidationError(`npm package name exceeds maximum length of ${MAX_NAME_LENGTH} characters: \`${name}\``);
+  }
+  if (name.includes("..") || name.includes("/./") || name.startsWith("./")) {
+    throw new ValidationError(`Invalid npm package name - path traversal detected: \`${name}\``);
+  }
+  if (!NPM_NAME_REGEX.test(name)) {
+    throw new ValidationError(`Invalid npm package name: \`${name}\`. ` + "Must be lowercase, start with alphanumeric, and contain only letters, numbers, hyphens, dots, or underscores.");
+  }
+}
+function parseNpmSpecifier(specifier) {
+  if (!specifier?.trim()) {
+    throw new ValidationError("npm specifier cannot be empty");
+  }
+  const trimmed = specifier.trim();
+  if (!trimmed.startsWith("npm:")) {
+    throw new ValidationError(`Invalid npm specifier: \`${specifier}\`. Must start with \`npm:\` prefix.`);
+  }
+  const remainder = trimmed.slice(4);
+  if (!remainder) {
+    throw new ValidationError(`Invalid npm specifier: \`${specifier}\`. Package name is required.`);
+  }
+  const lastAt = remainder.lastIndexOf("@");
+  let name;
+  let version;
+  if (lastAt > 0) {
+    const beforeAt = remainder.slice(0, lastAt);
+    const afterAt = remainder.slice(lastAt + 1);
+    if (beforeAt.includes("/") || !beforeAt.startsWith("@")) {
+      name = beforeAt;
+      version = afterAt || undefined;
+    } else {
+      throw new ValidationError(`Invalid npm specifier: \`${specifier}\`. Scoped packages must have format @scope/pkg.`);
+    }
+  } else {
+    name = remainder;
+  }
+  validateNpmPackageName(name);
+  return { type: "npm", name, version };
+}
+function isNpmSpecifier(input) {
+  return input.trim().startsWith("npm:");
+}
+async function validateNpmPackage(packageName) {
+  validateNpmPackageName(packageName);
+  const encodedName = packageName.startsWith("@") ? `@${encodeURIComponent(packageName.slice(1))}` : encodeURIComponent(packageName);
+  const url = `${NPM_REGISTRY_BASE}/${encodedName}`;
+  try {
+    const controller = new AbortController;
+    const timeoutId = setTimeout(() => controller.abort(), NPM_FETCH_TIMEOUT_MS);
+    const response = await fetch(url, {
+      signal: controller.signal,
+      headers: {
+        Accept: "application/json"
+      }
+    });
+    clearTimeout(timeoutId);
+    if (response.status === 404) {
+      throw new NotFoundError(`npm package \`${packageName}\` not found on registry`);
+    }
+    if (!response.ok) {
+      throw new NetworkError(`Failed to fetch npm package \`${packageName}\`: HTTP ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    return data;
+  } catch (error) {
+    if (error instanceof NotFoundError || error instanceof NetworkError) {
+      throw error;
+    }
+    if (error instanceof Error && error.name === "AbortError") {
+      throw new NetworkError(`Request to npm registry timed out after ${NPM_FETCH_TIMEOUT_MS / 1000}s for package \`${packageName}\``);
+    }
+    const message = error instanceof Error ? error.message : String(error);
+    throw new NetworkError(`Failed to fetch npm package \`${packageName}\`: ${message}`);
+  }
+}
+function formatPluginEntry(name, version) {
+  return version ? `${name}@${version}` : name;
+}
+function validateOpenCodePlugin(packageJson) {
+  const warnings = [];
+  if (packageJson.type !== "module") {
+    throw new ValidationError(`Package \`${packageJson.name}\` is not an ESM module (missing "type": "module" in package.json)`);
+  }
+  const hasMain = Boolean(packageJson.main);
+  const hasExports = packageJson.exports !== undefined;
+  if (!hasMain && !hasExports) {
+    throw new ValidationError(`Package \`${packageJson.name}\` has no entry point (missing "main" or "exports")`);
+  }
+  if (!packageJson.name.includes("opencode")) {
+    warnings.push(`Package name \`${packageJson.name}\` doesn't contain "opencode" - this may not be an OpenCode plugin`);
+  }
+  return { valid: true, warnings };
+}
+async function fetchPackageVersion(packageName, version) {
+  const metadata = await validateNpmPackage(packageName);
+  const resolvedVersion = version ?? metadata["dist-tags"].latest;
+  const versionData = metadata.versions[resolvedVersion];
+  if (!versionData) {
+    throw new NotFoundError(`Version \`${resolvedVersion}\` not found for npm package \`${packageName}\``);
+  }
+  return versionData;
+}
+function extractPackageName(pluginEntry) {
+  const trimmed = pluginEntry.trim();
+  const lastAt = trimmed.lastIndexOf("@");
+  if (lastAt <= 0) {
+    return trimmed;
+  }
+  const beforeAt = trimmed.slice(0, lastAt);
+  if (beforeAt.includes("/") || !beforeAt.startsWith("@")) {
+    return beforeAt;
+  }
+  return trimmed;
+}
 // src/commands/add.ts
+function parseAddInput(input) {
+  if (!input?.trim()) {
+    throw new ValidationError("Component name cannot be empty");
+  }
+  const trimmed = input.trim();
+  if (isNpmSpecifier(trimmed)) {
+    const parsed = parseNpmSpecifier(trimmed);
+    return { type: "npm", name: parsed.name, version: parsed.version };
+  }
+  if (trimmed.includes("/")) {
+    const { namespace, component } = parseQualifiedComponent(trimmed);
+    return { type: "registry", namespace, component };
+  }
+  return { type: "registry", namespace: "", component: trimmed };
+}
 function registerAddCommand(program2) {
-  const cmd = program2.command("add").description("Add components to your project").argument("<components...>", "Components to install").option("--dry-run", "Show what would be installed without making changes").option("--skip-compat-check", "Skip version compatibility checks");
+  const cmd = program2.command("add").description(`Add components or npm plugins to your project.
+` + `  Registry components:  ocx add namespace/component
+` + "  npm plugins:          ocx add npm:package-name[@version]").argument("<components...>", "Components to install (namespace/component or npm:package[@version])").option("--dry-run", "Show what would be installed without making changes").option("--skip-compat-check", "Skip version compatibility checks").option("--trust", "Skip npm plugin validation (for packages that don't follow conventions)");
   addCommonOptions(cmd);
-  addConfirmationOptions(cmd);
+  addForceOption(cmd);
   addVerboseOption(cmd);
   cmd.action(async (components, options2) => {
     try {
@@ -12502,6 +12657,104 @@ function registerAddCommand(program2) {
   });
 }
 async function runAddCore(componentNames, options2, provider) {
+  const cwd = provider.cwd;
+  const parsedInputs = componentNames.map(parseAddInput);
+  const npmInputs = parsedInputs.filter((i) => i.type === "npm");
+  const registryInputs = parsedInputs.filter((i) => i.type === "registry");
+  if (npmInputs.length > 0) {
+    await handleNpmPlugins(npmInputs, options2, cwd);
+  }
+  if (registryInputs.length > 0) {
+    const registryComponentNames = registryInputs.map((i) => i.namespace ? `${i.namespace}/${i.component}` : i.component);
+    await runRegistryAddCore(registryComponentNames, options2, provider);
+  }
+}
+async function handleNpmPlugins(inputs, options2, cwd) {
+  const spin = options2.quiet ? null : createSpinner({ text: "Validating npm packages..." });
+  spin?.start();
+  try {
+    const allWarnings = [];
+    for (const input of inputs) {
+      await validateNpmPackage(input.name);
+      if (!options2.trust) {
+        try {
+          const versionData = await fetchPackageVersion(input.name, input.version);
+          const result = validateOpenCodePlugin(versionData);
+          allWarnings.push(...result.warnings);
+        } catch (error) {
+          if (error instanceof ValidationError) {
+            spin?.fail("Plugin validation failed");
+            throw new ValidationError(`${error.message}
+` + `hint  OpenCode plugins must be ESM modules with an entry point
+` + `hint  Use \`--trust\` to add anyway`);
+          }
+          throw error;
+        }
+      }
+    }
+    spin?.succeed(`Validated ${inputs.length} npm package(s)`);
+    if (allWarnings.length > 0 && !options2.quiet) {
+      logger.info("");
+      for (const warning of allWarnings) {
+        logger.warn(warning);
+      }
+    }
+    const existingConfig = await readOpencodeJsonConfig(cwd);
+    const existingPlugins = existingConfig?.config.plugin ?? [];
+    const existingPluginMap = new Map;
+    for (const plugin of existingPlugins) {
+      const name = extractPackageName(plugin);
+      existingPluginMap.set(name, plugin);
+    }
+    const pluginsToAdd = [];
+    const conflicts = [];
+    for (const input of inputs) {
+      const existingEntry = existingPluginMap.get(input.name);
+      if (existingEntry) {
+        if (!options2.force) {
+          conflicts.push(input.name);
+        } else {
+          existingPluginMap.set(input.name, formatPluginEntry(input.name, input.version));
+        }
+      } else {
+        pluginsToAdd.push(formatPluginEntry(input.name, input.version));
+      }
+    }
+    if (conflicts.length > 0) {
+      throw new ConflictError(`Plugin(s) already exist in opencode.json: ${conflicts.join(", ")}.
+` + "Use --force to replace existing entries.");
+    }
+    const finalPlugins = [...existingPluginMap.values(), ...pluginsToAdd];
+    if (options2.dryRun) {
+      logger.info("");
+      logger.info("Dry run - no changes made");
+      logger.info("");
+      logger.info("Would add npm plugins:");
+      for (const input of inputs) {
+        logger.info(`  ${formatPluginEntry(input.name, input.version)}`);
+      }
+      return;
+    }
+    await updateOpencodeJsonConfig(cwd, { plugin: finalPlugins });
+    if (!options2.quiet) {
+      logger.info("");
+      logger.success(`Added ${inputs.length} npm plugin(s) to opencode.json`);
+      for (const input of inputs) {
+        logger.info(`  \u2713 ${formatPluginEntry(input.name, input.version)}`);
+      }
+    }
+    if (options2.json) {
+      console.log(JSON.stringify({
+        success: true,
+        plugins: inputs.map((i) => formatPluginEntry(i.name, i.version))
+      }, null, 2));
+    }
+  } catch (error) {
+    spin?.fail("Failed to add npm plugins");
+    throw error;
+  }
+}
+async function runRegistryAddCore(componentNames, options2, provider) {
   const cwd = provider.cwd;
   const lockPath = join2(cwd, "ocx.lock");
   const registries = provider.getRegistries();
@@ -12595,7 +12848,7 @@ async function runAddCore(componentNames, options2, provider) {
         if (existsSync(targetPath)) {
           const existingContent = await Bun.file(targetPath).text();
           const incomingContent = file.content.toString("utf-8");
-          if (!isContentIdentical(existingContent, incomingContent) && !options2.yes) {
+          if (!isContentIdentical(existingContent, incomingContent) && !options2.force) {
             allConflicts.push(componentFile.target);
           }
         }
@@ -12609,14 +12862,14 @@ async function runAddCore(componentNames, options2, provider) {
       }
       logger.error("");
       logger.error("These files have been modified since installation.");
-      logger.error("Use --yes to overwrite, or review the changes first.");
-      throw new ConflictError(`${allConflicts.length} file(s) have conflicts. Use --yes to overwrite.`);
+      logger.error("Use --force to overwrite, or review the changes first.");
+      throw new ConflictError(`${allConflicts.length} file(s) have conflicts. Use --force to overwrite.`);
     }
     const installSpin = options2.quiet ? null : createSpinner({ text: "Installing components..." });
     installSpin?.start();
     for (const { component, files, computedHash } of componentBundles) {
       const installResult = await installComponent(component, files, cwd, {
-        yes: options2.yes,
+        force: options2.force,
         verbose: options2.verbose
       });
       if (options2.verbose) {
@@ -13871,9 +14124,9 @@ Diff for ${res.name}:`));
 // src/commands/ghost/add.ts
 function registerGhostAddCommand(parent) {
-  const cmd = parent.command("add").description("Add components using ghost mode registries").argument("<components...>", "Components to install").option("--dry-run", "Show what would be installed without making changes").option("--skip-compat-check", "Skip version compatibility checks");
+  const cmd = parent.command("add").description("Add components using ghost mode registries").argument("<components...>", "Components to install").option("--dry-run", "Show what would be installed without making changes").option("--skip-compat-check", "Skip version compatibility checks").option("--trust", "Skip npm plugin validation");
   addCommonOptions(cmd);
-  addConfirmationOptions(cmd);
+  addForceOption(cmd);
   addVerboseOption(cmd);
   cmd.action(async (components, options2) => {
     try {
@@ -14239,7 +14492,7 @@ async function runGhostOpenCode(args, options2) {
 }
 // src/commands/registry.ts
-async function runRegistryAddCore(url, options2, callbacks) {
+async function runRegistryAddCore2(url, options2, callbacks) {
   if (callbacks.isLocked?.()) {
     throw new Error("Registries are locked. Cannot add.");
   }
@@ -14285,7 +14538,7 @@ function registerRegistryCommand(program2) {
         logger.error("No ocx.jsonc found. Run 'ocx init' first.");
         process.exit(1);
       }
-      const result = await runRegistryAddCore(url, options2, {
+      const result = await runRegistryAddCore2(url, options2, {
         getRegistries: () => config.registries,
         isLocked: () => config.lockRegistries ?? false,
         setRegistry: async (name, regConfig) => {
@@ -14380,7 +14633,7 @@ function registerGhostRegistryCommand(parent) {
     try {
       await ensureGhostInitialized();
       const config = await loadGhostConfig();
-      const result = await runRegistryAddCore(url, options2, {
+      const result = await runRegistryAddCore2(url, options2, {
         getRegistries: () => config.registries,
         setRegistry: async (name, regConfig) => {
           config.registries[name] = regConfig;
@@ -15056,7 +15309,7 @@ async function hashBundle2(files) {
 `));
 }
 // src/index.ts
-var version = "1.0.21";
+var version = "1.1.0";
 async function main2() {
   const program2 = new Command().name("ocx").description("OpenCode Extensions - Install agents, skills, plugins, and commands").version(version);
   registerInitCommand(program2);
@@ -15083,4 +15336,4 @@ export {
   buildRegistry
 };
-//# debugId=4A28ED9CEDFE469F64756E2164756E21
+//# debugId=46A2A0DCEF36C6A464756E2164756E21