sh3-core 0.20.3 → 0.21.2

package/dist/registry/schema.js

@@ -113,29 +113,8 @@ function validatePackageVersion(data, path) {
     const obj = data;
     requireString(obj, 'version', path);
     requireString(obj, 'contractVersion', path);
-    // Client bundle fields — optional individually, but if either is present both must be.
-    const hasBundleUrl = 'bundleUrl' in obj && obj.bundleUrl !== undefined;
-    const hasIntegrity = 'integrity' in obj && obj.integrity !== undefined;
-    if (hasBundleUrl)
-        requireString(obj, 'bundleUrl', path);
-    if (hasIntegrity)
-        requireString(obj, 'integrity', path);
-    if (hasBundleUrl !== hasIntegrity) {
-        throw new RegistryValidationError(path, 'bundleUrl and integrity must be provided together');
-    }
-    // Optional server bundle URL.
-    const hasServerBundleUrl = 'serverBundleUrl' in obj && obj.serverBundleUrl !== undefined;
-    if (hasServerBundleUrl) {
-        requireString(obj, 'serverBundleUrl', path);
-    }
-    // Optional server bundle integrity hash — provisional, see ADR-015.
-    if ('serverIntegrity' in obj && obj.serverIntegrity !== undefined) {
-        requireString(obj, 'serverIntegrity', path);
-    }
-    // A version must ship at least one bundle.
-    if (!hasBundleUrl && !hasServerBundleUrl) {
-        throw new RegistryValidationError(path, 'expected at least one of bundleUrl+integrity or serverBundleUrl');
-    }
+    requireString(obj, 'archiveUrl', path);
+    requireString(obj, 'integrity', path);
     let requires;
     if (obj['requires'] !== undefined) {
         if (!Array.isArray(obj['requires'])) {
@@ -146,10 +125,8 @@ function validatePackageVersion(data, path) {
     return {
         version: obj['version'],
         contractVersion: obj['contractVersion'],
-        bundleUrl: typeof obj['bundleUrl'] === 'string' ? obj['bundleUrl'] : undefined,
-        integrity: typeof obj['integrity'] === 'string' ? obj['integrity'] : undefined,
-        serverBundleUrl: typeof obj['serverBundleUrl'] === 'string' ? obj['serverBundleUrl'] : undefined,
-        serverIntegrity: typeof obj['serverIntegrity'] === 'string' ? obj['serverIntegrity'] : undefined,
+        archiveUrl: obj['archiveUrl'],
+        integrity: obj['integrity'],
         requires,
     };
 }

package/dist/registry/schema.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/registry/schema.test.js

@@ -0,0 +1,41 @@
+import { describe, it, expect } from 'vitest';
+import { validateRegistryIndex, RegistryValidationError } from './schema.js';
+const VALID_VERSION = {
+    version: '1.0.0',
+    contractVersion: '1',
+    archiveUrl: 'https://example.com/pkg-1.0.0.sh3pkg',
+    integrity: 'sha384-abc123',
+};
+const VALID_ENTRY = {
+    id: 'my-shard',
+    type: 'shard',
+    label: 'My Shard',
+    description: 'A test shard',
+    author: { name: 'Test Author' },
+    versions: [VALID_VERSION],
+};
+const VALID_INDEX = { version: 1, packages: [VALID_ENTRY] };
+describe('validateRegistryIndex', () => {
+    it('accepts a valid index with archiveUrl and integrity', () => {
+        const result = validateRegistryIndex(VALID_INDEX);
+        expect(result.packages[0].versions[0].archiveUrl).toBe('https://example.com/pkg-1.0.0.sh3pkg');
+        expect(result.packages[0].versions[0].integrity).toBe('sha384-abc123');
+    });
+    it('rejects a version missing archiveUrl', () => {
+        const bad = Object.assign(Object.assign({}, VALID_INDEX), { packages: [Object.assign(Object.assign({}, VALID_ENTRY), { versions: [{ version: '1.0.0', contractVersion: '1', integrity: 'sha384-abc' }] })] });
+        expect(() => validateRegistryIndex(bad)).toThrow(RegistryValidationError);
+    });
+    it('rejects a version missing integrity', () => {
+        const bad = Object.assign(Object.assign({}, VALID_INDEX), { packages: [Object.assign(Object.assign({}, VALID_ENTRY), { versions: [{ version: '1.0.0', contractVersion: '1', archiveUrl: 'https://x.com/a.sh3pkg' }] })] });
+        expect(() => validateRegistryIndex(bad)).toThrow(RegistryValidationError);
+    });
+    it('accepts optional requires array', () => {
+        const withRequires = Object.assign(Object.assign({}, VALID_INDEX), { packages: [Object.assign(Object.assign({}, VALID_ENTRY), { versions: [Object.assign(Object.assign({}, VALID_VERSION), { requires: [{ id: 'dep-shard', versionRange: '^1.0.0' }] })] })] });
+        const result = validateRegistryIndex(withRequires);
+        expect(result.packages[0].versions[0].requires[0].id).toBe('dep-shard');
+    });
+    it('rejects a version with requires that has an invalid entry', () => {
+        const bad = Object.assign(Object.assign({}, VALID_INDEX), { packages: [Object.assign(Object.assign({}, VALID_ENTRY), { versions: [Object.assign(Object.assign({}, VALID_VERSION), { requires: [{ id: 'dep' }] })] })] });
+        expect(() => validateRegistryIndex(bad)).toThrow(RegistryValidationError);
+    });
+});

package/dist/registry/types.d.ts

@@ -81,9 +81,9 @@ export interface PackageEntry {
 /**
  * A specific published version of a package.
  *
- * Each version ships a self-contained pre-built ESM bundle at `bundleUrl`.
- * The `integrity` field is an SRI hash (sha384 recommended) used to verify
- * the download before execution.
+ * Each version ships a `.sh3pkg` ZIP archive at `archiveUrl`.
+ * The archive contains `manifest.json` and at least one of `client.js` / `server.js`.
+ * The `integrity` SRI hash verifies the download before execution.
  */
 export interface PackageVersion {
     /**
@@ -98,36 +98,17 @@ export interface PackageVersion {
      */
     contractVersion: string;
     /**
-     * Absolute or registry-relative URL to the pre-built ESM bundle.
-     * The client fetches this URL and verifies the download against `integrity`
-     * before executing. Optional for server-only packages that ship only a
-     * `serverBundleUrl` — in that case `integrity` must also be omitted.
+     * URL to the `.sh3pkg` ZIP archive for this version.
+     * Absolute or registry-relative. The archive contains `manifest.json`
+     * plus at least one of `client.js` / `server.js`.
      */
-    bundleUrl?: string;
+    archiveUrl: string;
     /**
-     * SRI integrity hash for the bundle file.
+     * SRI integrity hash of the archive ZIP.
      * Format: `"<algorithm>-<base64digest>"` (e.g. `"sha384-abc123..."`).
      * Algorithms: sha256, sha384 (recommended), sha512.
-     * See: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
-     * Omitted when the package has no client bundle.
      */
-    integrity?: string;
-    /**
-     * Optional URL to the server-side bundle for shards that have a backend
-     * component. Same resolution rules as `bundleUrl` (absolute or registry-
-     * relative). Only present when the shard declares `serverBundle` in its
-     * manifest.
-     */
-    serverBundleUrl?: string;
-    /**
-     * SRI integrity hash for the server bundle. Same format as `integrity`.
-     * Optional in contract v1 for back-compat with registries that predate
-     * server bundles. Will become required when the formal registry spec
-     * lands (see ADR-015 proposal). When absent, the client skips the SRI
-     * check at download time and logs a warning — the unverified bundle is
-     * still installed.
-     */
-    serverIntegrity?: string;
+    integrity: string;
     /**
      * Other shards that must be installed and active before this package
      * can be loaded. Optional — omit if the package has no dependencies.
@@ -260,9 +241,7 @@ export interface PackageMeta {
      */
     sourceRegistry: string;
     /**
-     * SRI hash to verify the downloaded bundle against before executing.
-     * Must match `PackageVersion.integrity`. Omitted for server-only packages
-     * that ship no client bundle.
+     * SRI hash of the archive this package was installed from. Kept for audit purposes.
      */
     integrity?: string;
     /**
@@ -270,14 +249,10 @@ export interface PackageMeta {
      * Undefined if no dependencies.
      */
     requires?: RequiredDependency[];
-    /**
-     * SRI hash for the server bundle. Only present when the package has a
-     * server component.
-     */
-    serverIntegrity?: string;
-    /**
-     * Whether this package includes a server bundle that needs to be pushed
-     * to the server after client-side installation.
-     */
-    hasServerBundle?: boolean;
+}
+/** Payload sent to the server to trigger a server-side install. */
+export interface RemoteInstallRequest {
+    registryUrl: string;
+    packageId: string;
+    version: string;
 }

package/dist/version.d.ts

@@ -1,2 +1,2 @@
 /** Auto-generated from package.json — do not edit manually. */
-export declare const VERSION = "0.20.3";
+export declare const VERSION = "0.21.2";

package/dist/version.js

@@ -1,2 +1,2 @@
 /** Auto-generated from package.json — do not edit manually. */
-export const VERSION = '0.20.3';
+export const VERSION = '0.21.2';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sh3-core",
-  "version": "0.20.3",
+  "version": "0.21.2",
   "type": "module",
   "files": [
     "dist"
@@ -39,7 +39,8 @@
     "test:watch": "vitest"
   },
   "dependencies": {
-    "esm-env": "^1.1.0"
+    "esm-env": "^1.1.0",
+    "fflate": "^0.8.3"
   },
   "peerDependencies": {
     "svelte": "^5.0.0",