sverklo 0.20.25 → 0.20.26
- package/dist/src/indexer/grammars-install.js +6 -0
- package/dist/src/indexer/grammars-install.js.map +1 -1
- package/dist/src/indexer/setup.js +9 -2
- package/dist/src/indexer/setup.js.map +1 -1
- package/dist/src/server/assets/dashboard.css +675 -0
- package/dist/src/server/assets/dashboard.js +654 -0
- package/dist/src/server/dashboard-html.js +19 -1333
- package/dist/src/server/dashboard-html.js.map +1 -1
- package/dist/src/server/http-server.js +41 -24
- package/dist/src/server/http-server.js.map +1 -1
- package/dist/src/utils/integrity.d.ts +46 -0
- package/dist/src/utils/integrity.js +80 -0
- package/dist/src/utils/integrity.js.map +1 -0
- package/models.lock.json +46 -0
- package/package.json +4 -3
|
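--- a/package/dist/src/indexer/grammars-install.js
+++ b/package/dist/src/indexer/grammars-install.js
@@ -9,6 +9,7 @@
 import { existsSync, mkdirSync, writeFileSync, statSync } from "node:fs";
 import { join } from "node:path";
 import { homedir } from "node:os";
+import { verifyArtifact } from "../utils/integrity.js";
 // Update these pins together with parser-tree-sitter.ts. Keep the
 // version stable across releases so existing user installs don't
 // invalidate caches when sverklo updates. Tested URLs as of 2026-04.
@@ -90,6 +91,11 @@ export async function installGrammars(opts) {
 if (buf.length < 1024 || buf[0] !== 0x00 || buf[1] !== 0x61 || buf[2] !== 0x73 || buf[3] !== 0x6d) {
 throw new Error(`response is not a valid WASM blob (${buf.length} bytes)`);
 }
+// Integrity check (Tier 3.2 / Security review 2026-05-13). The
+// 4-byte magic above is shape; this is authenticity. A
+// compromised CDN-served WASM still starts with \0asm. Lock
+// entries pin sha256 per filename.
+verifyArtifact("grammars", g.wasm, buf);
 writeFileSync(out, buf);
 results.push({ lang: g.lang, path: out, status: "fresh", bytes: buf.length });
 opts.onProgress?.(` ok ${g.lang} → ${out} (${(buf.length / 1024).toFixed(0)} KB)`);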
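Review bot: The added `verifyArtifact("grammars", g.wasm, buf)` call covers only bytes that were just fetched. The `status: "fresh"` result and the `existsSync`/`statSync` imports suggest installGrammars also has a branch that reuses a grammar already on disk, and if so those files are never compared with the lock. A `.wasm` written by a release that predates this check, or changed on disk afterwards, would keep being treated as trusted. Consider hashing the existing file on that branch too, for example `verifyArtifact("grammars", g.wasm, readFileSync(out));`, and falling through to a fresh download on mismatch; the `existsSync` guards in setup.js raise the same question. The function body starts and ends outside this hunk, so the reuse branch is inferred rather than visible here.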
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grammars-install.js","sourceRoot":"","sources":["../../../src/indexer/grammars-install.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,mEAAmE;AACnE,uEAAuE;AACvE,uEAAuE;AACvE,oEAAoE;AACpE,kEAAkE;AAClE,qDAAqD;AAErD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACzE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"grammars-install.js","sourceRoot":"","sources":["../../../src/indexer/grammars-install.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,EAAE;AACF,mEAAmE;AACnE,uEAAuE;AACvE,uEAAuE;AACvE,oEAAoE;AACpE,kEAAkE;AAClE,qDAAqD;AAErD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACzE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAWvD,kEAAkE;AAClE,iEAAiE;AACjE,qEAAqE;AACrE,MAAM,CAAC,MAAM,QAAQ,GAAkB;IACrC;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,6BAA6B;QACnC,GAAG,EAAE,wFAAwF;KAC9F;IACD;QACE,IAAI,EAAE,KAAK;QACX,IAAI,EAAE,sBAAsB;QAC5B,GAAG,EAAE,iFAAiF;KACvF;IACD;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,6BAA6B;QACnC,GAAG,EAAE,wFAAwF;KAC9F;IACD;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,yBAAyB;QAC/B,GAAG,EAAE,gFAAgF;KACtF;IACD;QACE,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,qBAAqB;QAC3B,GAAG,EAAE,wEAAwE;KAC9E;IACD;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,uBAAuB;QAC7B,GAAG,EAAE,4EAA4E;KAClF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,0BAA0B;QAChC,GAAG,EAAE,kFAAkF;KACxF;CACF,CAAC;AAEF,MAAM,UAAU,WAAW;IACzB,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;AACjD,CAAC;AAWD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAIrC;IACC,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;IAC1B,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QACjD,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,KAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtD,CAAC,CAAC,QAAQ,CAAC;IAEb,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;YACvB,MAAM,EAAE,SAAkB;SAC3B,CAAC,CAAC,CAAC;IACN,CAAC;IAED,MAAM,OAAO,GAAoB,EAAE,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,IAAI,EAAE,CAA
C;YAChE,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACvF,IAAI,CAAC,UAAU,EAAE,CAAC,aAAa,CAAC,CAAC,IAAI,MAAM,GAAG,GAAG,CAAC,CAAC;YACnD,SAAS;QACX,CAAC;QACD,IAAI,CAAC;YACH,IAAI,CAAC,UAAU,EAAE,CAAC,aAAa,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;YACrD,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,CAAC,CAAC,CAAC,EAAE;gBAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;YAC/D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAC/C,8DAA8D;YAC9D,6DAA6D;YAC7D,2DAA2D;YAC3D,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClG,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,MAAM,SAAS,CAAC,CAAC;YAC7E,CAAC;YACD,+DAA+D;YAC/D,uDAAuD;YACvD,4DAA4D;YAC5D,mCAAmC;YACnC,cAAc,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACxC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9E,IAAI,CAAC,UAAU,EAAE,CAAC,aAAa,CAAC,CAAC,IAAI,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC5F,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,GAAG,GAA2B,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC;aAChC,CAAC,CAAC;YACH,IAAI,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
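--- a/package/dist/src/indexer/setup.js
+++ b/package/dist/src/indexer/setup.js
@@ -1,6 +1,7 @@
 import { existsSync, mkdirSync } from "node:fs";
 import { join } from "node:path";
 import { homedir } from "node:os";
+import { verifyArtifact } from "../utils/integrity.js";
 const MODEL_DIR = join(homedir(), ".sverklo", "models");
 const MODEL_URL = "https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/onnx/model.onnx";
 const TOKENIZER_URL = "https://huggingface.co/sentence-transformers/all-MiniLM-L6-v2/resolve/main/tokenizer.json";
@@ -23,9 +24,13 @@ export async function setupModels() {
 if (!resp.ok)
 throw new Error(`Failed to download model: ${resp.status}`);
 const buffer = Buffer.from(await resp.arrayBuffer());
+// Integrity check (Tier 3.2 / Security review 2026-05-13). Throws
+// with a clear remediation message on hash mismatch — refusing to
+// write attacker bytes is the whole point of the lock file.
+verifyArtifact("model", "model.onnx", buffer);
 const { writeFileSync } = await import("node:fs");
 writeFileSync(modelPath, buffer);
-console.error(" model.onnx downloaded");
+console.error(" model.onnx downloaded (integrity verified)");
 }
 if (!existsSync(tokenizerPath)) {
 console.error(" Downloading tokenizer.json...");
@@ -33,9 +38,11 @@ export async function setupModels() {
 if (!resp.ok)
 throw new Error(`Failed to download tokenizer: ${resp.status}`);
 const text = await resp.text();
+const buffer = Buffer.from(text, "utf-8");
+verifyArtifact("model", "tokenizer.json", buffer);
 const { writeFileSync } = await import("node:fs");
 writeFileSync(tokenizerPath, text);
-console.error(" tokenizer.json downloaded");
+console.error(" tokenizer.json downloaded (integrity verified)");
 }
 console.error("Setup complete! Models saved to", MODEL_DIR);
 }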
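Review bot: In the tokenizer hunk the digest is taken over `Buffer.from(text, "utf-8")`, that is, over the body after `resp.text()` has decoded it, not over the bytes the server sent. Decoding drops a leading byte-order mark and substitutes invalid sequences, so the value checked can differ from a hash computed over the published file. The check and the write also go through two different values (`buffer` and `text`) that match only because of the default encoding. Hashing and writing one raw buffer, as the model.onnx hunk already does, closes that gap: `const buffer = Buffer.from(await resp.arrayBuffer());` followed by `writeFileSync(tokenizerPath, buffer);`. setupModels begins outside these hunks.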
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../../src/indexer/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../../src/indexer/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACxD,MAAM,SAAS,GACb,4FAA4F,CAAC;AAC/F,MAAM,aAAa,GACjB,2FAA2F,CAAC;AAE9F,uEAAuE;AACvE,yEAAyE;AACzE,qEAAqE;AACrE,yCAAyC;AACzC,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IAChD,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IAExD,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,SAAS,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAExD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,CAAC;QACpC,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACrD,kEAAkE;QAClE,kEAAkE;QAClE,4DAA4D;QAC5D,cAAc,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QAC9C,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,aAAa,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;QACxC,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9E,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,cAAc,CAAC,OAAO,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;QACnC,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,CAAC,KAAK,
CAAC,iCAAiC,EAAE,SAAS,CAAC,CAAC;AAC9D,CAAC"}
|