opmsec 0.1.0

package/packages/cli/src/index.tsx

@@ -0,0 +1,111 @@
+#!/usr/bin/env bun
+import React from 'react';
+import { render, Box, Text } from 'ink';
+import { PushCommand } from './commands/push';
+import { InstallCommand } from './commands/install';
+import { AuditCommand } from './commands/audit';
+import { InfoCommand } from './commands/info';
+import { AuthorViewCommand } from './commands/author-view';
+import { PassthroughCommand } from './commands/passthrough';
+import { Header } from './components/Header';
+
+const args = process.argv.slice(2);
+const command = args[0];
+const rest = args.slice(1);
+
+function parsePackageArg(pkg?: string) {
+  if (!pkg) return {};
+  const atIdx = pkg.lastIndexOf('@');
+  if (atIdx > 0) return { name: pkg.slice(0, atIdx), version: pkg.slice(atIdx + 1) };
+  return { name: pkg };
+}
+
+function isENSName(arg?: string): boolean {
+  return !!arg && arg.endsWith('.eth');
+}
+
+const PASSTHROUGH = new Set(['init', 'run', 'test', 'uninstall', 'remove', 'rm', 'ls', 'list', 'outdated', 'update', 'link', 'pack', 'start', 'build']);
+
+function App() {
+  switch (command) {
+    case 'push': {
+      const tokenIdx = rest.findIndex((a) => a === '--token' || a === '--access-token');
+      const npmToken = tokenIdx >= 0 ? rest[tokenIdx + 1] : undefined;
+      const otpIdx = rest.findIndex((a) => a === '--otp');
+      const otp = otpIdx >= 0 ? rest[otpIdx + 1] : undefined;
+      return <PushCommand npmToken={npmToken} otp={otp} />;
+    }
+    case 'install':
+    case 'i':
+    case 'add': {
+      const { name, version } = parsePackageArg(rest[0]);
+      return <InstallCommand packageName={name} version={version} />;
+    }
+    case 'audit':
+      return <AuditCommand />;
+    case 'info': {
+      const { name, version } = parsePackageArg(rest[0]);
+      if (!name) return <Help />;
+      return <InfoCommand packageName={name} version={version} />;
+    }
+    case 'view': {
+      if (isENSName(rest[0])) {
+        return <AuthorViewCommand ensName={rest[0]} />;
+      }
+      const { name, version } = parsePackageArg(rest[0]);
+      if (!name) return <Help />;
+      return <InfoCommand packageName={name} version={version} />;
+    }
+    case 'whois': {
+      if (!rest[0]) return <Help />;
+      const ensArg = rest[0].endsWith('.eth') ? rest[0] : `${rest[0]}.eth`;
+      return <AuthorViewCommand ensName={ensArg} />;
+    }
+    default:
+      if (command && PASSTHROUGH.has(command)) {
+        return <PassthroughCommand command={command} args={rest} />;
+      }
+      return <Help />;
+  }
+}
+
+function Help() {
+  return (
+    <Box flexDirection="column">
+      <Header />
+      <Box flexDirection="column" marginLeft={2}>
+        <Text color="cyan" bold>Security commands:</Text>
+        <Text>  opm push [--token t] [--otp c]  Sign, scan, publish, register</Text>
+        <Text>  opm install [pkg]       Install with on-chain security verification</Text>
+        <Text>  opm audit               Scan all deps against on-chain security data</Text>
+        <Text>  opm info {'<pkg>'}            Show on-chain security info for a package</Text>
+        <Text>  opm view {'<name.eth>'}      Show author profile, packages, and risk scores</Text>
+        <Text>  opm whois {'<name>'}          Look up an ENS identity on OPM</Text>
+        <Text> </Text>
+        <Text color="cyan" bold>Standard commands (npm passthrough):</Text>
+        <Text>  opm init                Initialize a new package</Text>
+        <Text>  opm run {'<script>'}         Run a package script</Text>
+        <Text>  opm test                Run tests</Text>
+        <Text>  opm start               Run start script</Text>
+        <Text>  opm build               Run build script</Text>
+        <Text>  opm uninstall {'<pkg>'}      Remove a dependency</Text>
+        <Text>  opm outdated             Check for outdated deps</Text>
+        <Text>  opm update               Update dependencies</Text>
+        <Text>  opm list                 List installed packages</Text>
+        <Text>  opm link                 Symlink a package</Text>
+        <Text>  opm pack                 Create a tarball</Text>
+        <Text> </Text>
+        <Text color="gray">Aliases:  i/add → install, rm → uninstall, ls → list</Text>
+        <Text color="gray">          view name.eth → author profile, view pkg → info</Text>
+        <Text> </Text>
+        <Text color="cyan" bold>Environment:</Text>
+        <Text>  OPM_PRIVATE_KEY        Author signing key</Text>
+        <Text>  CONTRACT_ADDRESS       OPMRegistry contract on Base Sepolia</Text>
+        <Text>  OPENAI_API_KEY         For AI security scanning</Text>
+        <Text>  NPM_TOKEN              npm automation token (alt to --token)</Text>
+      </Box>
+    </Box>
+  );
+}
+
+render(<App />);

package/packages/cli/src/services/avatar.ts

@@ -0,0 +1,10 @@
+import terminalImage from 'terminal-image';
+
+export async function renderAvatar(url: string, width = 16): Promise<string | null> {
+  try {
+    const res = await fetch(url, { redirect: 'follow' });
+    if (!res.ok) return null;
+    const buffer = Buffer.from(await res.arrayBuffer());
+    return await terminalImage.buffer(buffer, { width, preserveAspectRatio: true, preferNativeRender: false });
+  } catch { return null; }
+}

package/packages/cli/src/services/chainpatrol.ts

@@ -0,0 +1,25 @@
+import { CHAINPATROL_API_URL, getEnvOrThrow } from '@opm/core';
+import type { ChainPatrolResult } from '@opm/core';
+
+export async function checkPackageWithChainPatrol(packageName: string): Promise<ChainPatrolResult> {
+  const apiKey = getEnvOrThrow('CHAINPATROL_API_KEY');
+
+  const res = await fetch(`${CHAINPATROL_API_URL}/asset/check`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-API-KEY': apiKey,
+    },
+    body: JSON.stringify({ content: `npm:${packageName}` }),
+  });
+
+  if (!res.ok) {
+    return { status: 'UNKNOWN', source: 'error' };
+  }
+
+  const data = await res.json() as { status: string; source: string };
+  return {
+    status: (data.status as ChainPatrolResult['status']) || 'UNKNOWN',
+    source: data.source || 'chainpatrol',
+  };
+}

package/packages/cli/src/services/contract.ts

@@ -0,0 +1,182 @@
+import { ethers } from 'ethers';
+import { OPM_REGISTRY_ABI, getEnvOrThrow, getEnvOrDefault, BASE_SEPOLIA_RPC } from '@opm/core';
+import type { OnChainPackageInfo, AuthorProfile } from '@opm/core';
+
+function getReadContract() {
+  const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
+  const provider = new ethers.JsonRpcProvider(rpc);
+  const address = getEnvOrThrow('CONTRACT_ADDRESS');
+  return new ethers.Contract(address, OPM_REGISTRY_ABI, provider);
+}
+
+function getWriteContract() {
+  const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
+  const provider = new ethers.JsonRpcProvider(rpc);
+  const wallet = new ethers.Wallet(getEnvOrThrow('OPM_PRIVATE_KEY'), provider);
+  const address = getEnvOrThrow('CONTRACT_ADDRESS');
+  return new ethers.Contract(address, OPM_REGISTRY_ABI, wallet);
+}
+
+export async function getPackageInfo(name: string, version: string): Promise<OnChainPackageInfo> {
+  const contract = getReadContract();
+  const [author, checksum, sig, ensName, reportURI, aggregateScore, exists] =
+    await contract.getPackageInfo(name, version);
+
+  let scores: OnChainPackageInfo['scores'] = [];
+  if (exists) {
+    const rawScores = await contract.getScores(name, version);
+    scores = rawScores.map((s: { agent: string; riskScore: number; reasoning: string }) => ({
+      agent: s.agent,
+      riskScore: Number(s.riskScore),
+      reasoning: s.reasoning,
+    }));
+  }
+
+  return {
+    author,
+    checksum,
+    signature: ethers.hexlify(sig),
+    ensName,
+    reportURI,
+    scores,
+    aggregateScore: Number(aggregateScore),
+    exists,
+  };
+}
+
+export async function registerPackageOnChain(
+  name: string,
+  version: string,
+  checksum: string,
+  signature: Uint8Array,
+  ensName: string,
+): Promise<string> {
+  const contract = getWriteContract();
+  const tx = await contract.registerPackage(name, version, checksum, signature, ensName);
+  const receipt = await tx.wait();
+  return receipt.hash;
+}
+
+export async function getVersions(name: string): Promise<string[]> {
+  const contract = getReadContract();
+  return contract.getVersions(name);
+}
+
+export async function getSafestVersion(name: string, lookback: number = 3): Promise<string> {
+  const contract = getReadContract();
+  return contract.getSafestVersion(name, lookback);
+}
+
+export async function getAuthorProfile(address: string): Promise<AuthorProfile> {
+  const contract = getReadContract();
+  const p = await contract.getAuthorByAddress(address);
+  return {
+    addr: p.addr,
+    ensName: p.ensName,
+    reputationScore: p.reputationCount > 0
+      ? Number(p.reputationTotal) / Number(p.reputationCount)
+      : 0,
+    packagesPublished: Number(p.packagesPublished),
+  };
+}
+
+export async function getAuthorByENS(ensName: string): Promise<AuthorProfile> {
+  const contract = getReadContract();
+  const p = await contract.getAuthorByENS(ensName);
+  return {
+    addr: p.addr,
+    ensName: p.ensName,
+    reputationScore: p.reputationCount > 0
+      ? Number(p.reputationTotal) / Number(p.reputationCount)
+      : 0,
+    packagesPublished: Number(p.packagesPublished),
+  };
+}
+
+export interface AuthorPackageSummary {
+  name: string;
+  version: string;
+  aggregateScore: number;
+  reportURI: string;
+  checksum: string;
+  signature: string;
+}
+
+export async function getPackagesByAuthor(authorAddress: string): Promise<AuthorPackageSummary[]> {
+  const rpc = getEnvOrDefault('BASE_SEPOLIA_RPC_URL', BASE_SEPOLIA_RPC);
+  const provider = new ethers.JsonRpcProvider(rpc);
+  const contractAddr = getEnvOrThrow('CONTRACT_ADDRESS');
+  const contract = new ethers.Contract(contractAddr, OPM_REGISTRY_ABI, provider);
+
+  const packageMap = new Map<string, { name: string; version: string }>();
+
+  try {
+    const latest = await provider.getBlockNumber();
+    const CHUNK = 5_000;
+    const startBlock = Math.max(0, latest - 50_000);
+
+    for (let from = startBlock; from <= latest; from += CHUNK) {
+      const to = Math.min(from + CHUNK - 1, latest);
+      try {
+        const events = await contract.queryFilter(
+          contract.filters.PackageRegistered(), from, to,
+        );
+        for (const event of events) {
+          const parsed = contract.interface.parseLog({
+            topics: event.topics as string[], data: event.data,
+          });
+          if (!parsed) continue;
+          const [name, version, author] = parsed.args;
+          if (author.toLowerCase() === authorAddress.toLowerCase()) {
+            packageMap.set(`${name}@${version}`, { name, version });
+          }
+        }
+      } catch { /* chunk failed, continue */ }
+    }
+  } catch { /* event scan failed entirely */ }
+
+  const results: AuthorPackageSummary[] = [];
+  for (const { name, version } of packageMap.values()) {
+    try {
+      const info = await getPackageInfo(name, version);
+      if (info.exists) {
+        results.push({
+          name, version,
+          aggregateScore: info.aggregateScore,
+          reportURI: info.reportURI,
+          checksum: info.checksum,
+          signature: info.signature,
+        });
+      }
+    } catch { /* skip */ }
+  }
+
+  return results;
+}
+
+export async function getPackagesByAuthorDirect(
+  authorAddress: string,
+  knownPackageNames: string[],
+): Promise<AuthorPackageSummary[]> {
+  const results: AuthorPackageSummary[] = [];
+
+  for (const name of knownPackageNames) {
+    try {
+      const versions = await getVersions(name);
+      for (const version of versions) {
+        const info = await getPackageInfo(name, version);
+        if (info.exists && info.author.toLowerCase() === authorAddress.toLowerCase()) {
+          results.push({
+            name, version,
+            aggregateScore: info.aggregateScore,
+            reportURI: info.reportURI,
+            checksum: info.checksum,
+            signature: info.signature,
+          });
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  return results;
+}

package/packages/cli/src/services/ens.ts

@@ -0,0 +1,143 @@
+import { createPublicClient, http } from 'viem';
+import { mainnet, sepolia } from 'viem/chains';
+import { addEnsContracts } from '@ensdomains/ensjs';
+import { getName } from '@ensdomains/ensjs/public';
+import { getRecords } from '@ensdomains/ensjs/public';
+import { getAddressRecord } from '@ensdomains/ensjs/public';
+import { getEnvOrDefault } from '@opm/core';
+
+function getSepoliaClient() {
+  const rpc = getEnvOrDefault('ETH_SEPOLIA_RPC_URL', 'https://ethereum-sepolia-rpc.publicnode.com');
+  return createPublicClient({
+    chain: addEnsContracts(sepolia),
+    transport: http(rpc),
+  });
+}
+
+function getMainnetClient() {
+  const rpc = getEnvOrDefault('ETH_MAINNET_RPC_URL', 'https://eth.llamarpc.com');
+  return createPublicClient({
+    chain: addEnsContracts(mainnet),
+    transport: http(rpc),
+  });
+}
+
+export async function resolveENSName(address: string): Promise<string | null> {
+  const addr = address as `0x${string}`;
+  const clients = [
+    { client: getSepoliaClient(), label: 'sepolia' },
+    { client: getMainnetClient(), label: 'mainnet' },
+  ];
+
+  const results = await Promise.allSettled(
+    clients.map(({ client }) =>
+      getName(client as any, { address: addr, allowMismatch: true }),
+    ),
+  );
+
+  for (const result of results) {
+    if (result.status === 'fulfilled' && result.value?.name) {
+      return result.value.name;
+    }
+  }
+  return null;
+}
+
+export async function resolveAddress(ensName: string): Promise<string | null> {
+  const clients = [
+    { client: getSepoliaClient(), label: 'sepolia' },
+    { client: getMainnetClient(), label: 'mainnet' },
+  ];
+
+  const results = await Promise.allSettled(
+    clients.map(({ client }) =>
+      getAddressRecord(client as any, { name: ensName, coin: 'ETH' }),
+    ),
+  );
+
+  for (const result of results) {
+    if (result.status === 'fulfilled' && result.value?.value) {
+      return result.value.value;
+    }
+  }
+  return null;
+}
+
+export interface ENSProfile {
+  name: string | null;
+  avatar: string | null;
+  url: string | null;
+  github: string | null;
+  twitter: string | null;
+  description: string | null;
+  email: string | null;
+}
+
+export async function getENSProfile(address: string): Promise<ENSProfile> {
+  const profile: ENSProfile = {
+    name: null, avatar: null, url: null,
+    github: null, twitter: null, description: null, email: null,
+  };
+
+  const name = await resolveENSName(address);
+  if (!name) return profile;
+  profile.name = name;
+
+  const clients = [
+    getSepoliaClient(),
+    getMainnetClient(),
+  ];
+
+  for (const client of clients) {
+    try {
+      const records = await getRecords(client as any, {
+        name,
+        texts: ['avatar', 'url', 'com.github', 'com.twitter', 'description', 'email'],
+        contentHash: false,
+        abi: false,
+      });
+
+      if (records?.texts?.length > 0) {
+        for (const t of records.texts) {
+          if (t.key === 'avatar' && t.value) profile.avatar = t.value;
+          if (t.key === 'url' && t.value) profile.url = t.value;
+          if (t.key === 'com.github' && t.value) profile.github = t.value;
+          if (t.key === 'com.twitter' && t.value) profile.twitter = t.value;
+          if (t.key === 'description' && t.value) profile.description = t.value;
+          if (t.key === 'email' && t.value) profile.email = t.value;
+        }
+        if (records.texts.some((t) => t.value)) return profile;
+      }
+    } catch { /* try next client */ }
+  }
+
+  return profile;
+}
+
+export async function getENSTextRecords(
+  ensName: string,
+  keys: string[],
+): Promise<Record<string, string>> {
+  const clients = [getSepoliaClient(), getMainnetClient()];
+
+  for (const client of clients) {
+    try {
+      const records = await getRecords(client as any, {
+        name: ensName,
+        texts: keys,
+        contentHash: false,
+        abi: false,
+      });
+
+      if (records?.texts?.length > 0) {
+        const result: Record<string, string> = {};
+        for (const t of records.texts) {
+          if (t.value) result[t.key] = t.value;
+        }
+        if (Object.keys(result).length > 0) return result;
+      }
+    } catch { /* try next client */ }
+  }
+
+  return {};
+}

package/packages/cli/src/services/fileverse.ts

@@ -0,0 +1,36 @@
+import type { ScanReport } from '@opm/core';
+import { getEnvOrDefault, safeJsonParse } from '@opm/core';
+
+const DEFAULT_API_URL = 'http://localhost:8001';
+
+export async function fetchReportFromFileverse(reportURI: string): Promise<ScanReport | null> {
+  if (!reportURI || reportURI.startsWith('local://')) return null;
+
+  const apiKey = process.env.FILEVERSE_API_KEY;
+  const apiUrl = getEnvOrDefault('FILEVERSE_API_URL', DEFAULT_API_URL);
+
+  const ddocId = extractDdocId(reportURI);
+  if (ddocId && apiKey) {
+    try {
+      const res = await fetch(`${apiUrl}/api/ddocs/${ddocId}?apiKey=${encodeURIComponent(apiKey)}`);
+      if (res.ok) {
+        const doc = await res.json() as { content: string };
+        return safeJsonParse<ScanReport>(doc.content);
+      }
+    } catch { /* local API not running */ }
+  }
+
+  return null;
+}
+
+function extractDdocId(link: string): string | null {
+  try {
+    const url = new URL(link);
+    const parts = url.pathname.split('/');
+    const dIdx = parts.indexOf('d');
+    if (dIdx >= 0 && parts[dIdx + 1]) return parts[dIdx + 1];
+    const pendingIdx = parts.indexOf('pending');
+    if (pendingIdx >= 0 && parts[pendingIdx + 1]) return parts[pendingIdx + 1];
+  } catch { /* not a URL */ }
+  return null;
+}

package/packages/cli/src/services/osv.ts

@@ -0,0 +1,141 @@
+const OSV_API = 'https://api.osv.dev/v1/query';
+
+export interface OSVVulnerability {
+  id: string;
+  summary: string;
+  details: string;
+  severity: Array<{ type: string; score: string }>;
+  affected: Array<{
+    ranges: Array<{ events: Array<{ introduced?: string; fixed?: string }> }>;
+  }>;
+  references: Array<{ type: string; url: string }>;
+  database_specific?: { severity?: string; [key: string]: unknown };
+}
+
+export async function queryOSV(packageName: string, version: string): Promise<OSVVulnerability[]> {
+  if (!version || version === 'latest') return [];
+
+  try {
+    const res = await fetch(OSV_API, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        package: { name: packageName, ecosystem: 'npm' },
+        version,
+      }),
+    });
+    if (!res.ok) return [];
+    const data = await res.json() as { vulns?: OSVVulnerability[] };
+    return data.vulns || [];
+  } catch {
+    return [];
+  }
+}
+
+export function getOSVSeverity(vuln: OSVVulnerability): string {
+  const dbSev = vuln.database_specific?.severity;
+  if (typeof dbSev === 'string' && dbSev.length > 0) {
+    const norm = dbSev.toUpperCase();
+    if (norm === 'CRITICAL') return 'CRITICAL';
+    if (norm === 'HIGH') return 'HIGH';
+    if (norm === 'MODERATE' || norm === 'MEDIUM') return 'MEDIUM';
+    if (norm === 'LOW') return 'LOW';
+  }
+
+  if (vuln.severity?.length > 0) {
+    const cvss = vuln.severity.find((s) => s.type === 'CVSS_V3' || s.type === 'CVSS_V4');
+    if (cvss?.score) {
+      const numericScore = computeCVSSv3BaseScore(cvss.score);
+      if (numericScore !== null) {
+        if (numericScore >= 9.0) return 'CRITICAL';
+        if (numericScore >= 7.0) return 'HIGH';
+        if (numericScore >= 4.0) return 'MEDIUM';
+        return 'LOW';
+      }
+    }
+  }
+
+  return 'UNKNOWN';
+}
+
+const CVSS_V3_METRICS: Record<string, Record<string, number>> = {
+  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.20 },
+  AC: { L: 0.77, H: 0.44 },
+  PR_U: { N: 0.85, L: 0.62, H: 0.27 },
+  PR_C: { N: 0.85, L: 0.68, H: 0.50 },
+  UI: { N: 0.85, R: 0.62 },
+  C: { H: 0.56, L: 0.22, N: 0 },
+  I: { H: 0.56, L: 0.22, N: 0 },
+  A: { H: 0.56, L: 0.22, N: 0 },
+};
+
+function computeCVSSv3BaseScore(vector: string): number | null {
+  const parts = vector.split('/');
+  const metrics: Record<string, string> = {};
+  for (const part of parts) {
+    const [key, val] = part.split(':');
+    if (key && val) metrics[key] = val;
+  }
+
+  const scope = metrics['S'];
+  if (!scope || !metrics['AV'] || !metrics['AC'] || !metrics['PR'] || !metrics['UI']) return null;
+  if (!metrics['C'] || !metrics['I'] || !metrics['A']) return null;
+
+  const av = CVSS_V3_METRICS.AV[metrics['AV']];
+  const ac = CVSS_V3_METRICS.AC[metrics['AC']];
+  const prTable = scope === 'C' ? CVSS_V3_METRICS.PR_C : CVSS_V3_METRICS.PR_U;
+  const pr = prTable[metrics['PR']];
+  const ui = CVSS_V3_METRICS.UI[metrics['UI']];
+  const c = CVSS_V3_METRICS.C[metrics['C']];
+  const i = CVSS_V3_METRICS.I[metrics['I']];
+  const a = CVSS_V3_METRICS.A[metrics['A']];
+
+  if ([av, ac, pr, ui, c, i, a].some((v) => v === undefined)) return null;
+
+  const iscBase = 1 - (1 - c) * (1 - i) * (1 - a);
+  const impact = scope === 'U'
+    ? 6.42 * iscBase
+    : 7.52 * (iscBase - 0.029) - 3.25 * Math.pow(Math.max(iscBase - 0.02, 0), 15);
+
+  if (impact <= 0) return 0;
+
+  const exploitability = 8.22 * av * ac * pr * ui;
+  const raw = scope === 'U'
+    ? Math.min(impact + exploitability, 10)
+    : Math.min(1.08 * (impact + exploitability), 10);
+
+  return Math.ceil(raw * 10) / 10;
+}
+
+export function getFixedVersion(vuln: OSVVulnerability, forVersion?: string): string | null {
+  const majorMinor = forVersion ? getMajorMinor(forVersion) : null;
+  let bestMatch: string | null = null;
+  let anyFix: string | null = null;
+
+  for (const aff of vuln.affected || []) {
+    for (const range of aff.ranges || []) {
+      let introduced: string | null = null;
+      let fixed: string | null = null;
+      for (const event of range.events || []) {
+        if (event.introduced) introduced = event.introduced;
+        if (event.fixed) fixed = event.fixed;
+      }
+      if (!fixed) continue;
+      if (!anyFix) anyFix = fixed;
+
+      if (majorMinor && introduced) {
+        const introMM = getMajorMinor(introduced);
+        if (introMM === majorMinor) {
+          bestMatch = fixed;
+        }
+      }
+    }
+  }
+
+  return bestMatch || anyFix;
+}
+
+function getMajorMinor(version: string): string {
+  const parts = version.replace(/^v/, '').split('.');
+  return parts.length >= 2 ? `${parts[0]}.${parts[1]}` : parts[0];
+}

package/packages/cli/src/services/signature.ts

@@ -0,0 +1,22 @@
+import { ethers } from 'ethers';
+import * as fs from 'fs';
+
+export function computeChecksum(filePath: string): string {
+  const data = fs.readFileSync(filePath);
+  return ethers.keccak256(data);
+}
+
+export async function signChecksumAsync(checksum: string, privateKey: string): Promise<{ signature: string; address: string }> {
+  const wallet = new ethers.Wallet(privateKey);
+  const signature = await wallet.signMessage(ethers.getBytes(checksum));
+  return { signature, address: wallet.address };
+}
+
+export function verifyChecksum(checksum: string, signature: string, expectedAddress: string): boolean {
+  try {
+    const recovered = ethers.verifyMessage(ethers.getBytes(checksum), signature);
+    return recovered.toLowerCase() === expectedAddress.toLowerCase();
+  } catch {
+    return false;
+  }
+}

package/packages/cli/src/services/version.ts

@@ -0,0 +1,10 @@
+import { getVersions } from './contract';
+
+export async function resolveVersion(name: string, version: string): Promise<string> {
+  if (version && version !== 'latest') return version;
+  try {
+    const versions = await getVersions(name);
+    if (versions.length > 0) return versions[versions.length - 1];
+  } catch { /* no versions on-chain */ }
+  return version;
+}