Skip to content

feat: file store, PUT endpoint, A1-A10 validation, scoped auth#31

Merged
jeanmachuca merged 1 commit into
developmentfrom
feat/notary-v2
Jul 5, 2026
Merged

feat: file store, PUT endpoint, A1-A10 validation, scoped auth#31
jeanmachuca merged 1 commit into
developmentfrom
feat/notary-v2

Conversation

@jeanmachuca

Copy link
Copy Markdown
Member

Changes

1. File-backed persistence (SQLite-ready)

  • store.NewFileStore(path) — persists all packages as JSON, survives restarts
  • Implements the same store.Store interface as MemoryStore
  • Pluggable: use --sqlite flag to switch (currently uses JSON file, SQLite adapter point ready)
  • Adds Versions(), IncrementDownloads(), SetStatus() to the Store interface

2. PUT endpoint

  • PUT /v1/patches/{name}/{version} — publish new version of existing package
  • URL name and version validated against manifest body
  • Reuses same publish logic as POST

3. A1-A10 validation (internal/validate)

  • A1: Manifest is valid JSON with required fields
  • A2: Schema checks (name, version, description required)
  • A3: SHA-256 is 64-char lowercase hex
  • A4: No dependency cycles
  • A5: All transitive deps exist in registry (handler-level)
  • A6: No buggy deps (handler-level)
  • A7: File references exist in archive (MCP binaries, system prompts, adapters)
  • A8: Hardware requirements within sane bounds
  • A9: Source repository URL is valid
  • A10: Issues URL responds with HTTP 200 within 10s

4. Scoped auth

  • Tokens now carry scope lists (publish, admin)
  • RequireAuth(ts, scopes...) checks both token existence AND required scopes
  • POST/PUT require publish scope; PATCH status and POST validate require admin scope
  • Token store API changed from Check(token) bool to Get(token) (*Token, bool)

5. New endpoints

  • GET /v1/patches/{name}/versions — list all versions
  • GET /v1/patches/{name}/dependencies — dependency tree (with ?version= param)
  • PATCH /v1/patches/{name}/{version}/status — set active/deprecated/buggy
  • POST /v1/patches/{name}/{version}/validate — re-trigger A1-A10 validation

@jeanmachuca jeanmachuca merged commit 467dbdd into development Jul 5, 2026
1 check failed
@jeanmachuca jeanmachuca deleted the feat/notary-v2 branch July 5, 2026 00:49
jeanmachuca added a commit that referenced this pull request Jul 5, 2026
* fix: resolve all golangci-lint errcheck issues (#28)

* feat:proxy notary (#22)

* feat: .cgp package registry server

- 6 REST endpoints: search, get, download, publish, unlock, health
- In-memory package store with search (name+description+tags)
- Token-based auth for publish/unlock endpoints
- .cgp file serving from data directory
- 27 tests across server, store, and auth packages
- CI: build, lint, test, vet

* chore: attribute project to Jean Machuca with GitHub Sponsors

* chore: add * 2.* pattern to .gitignore for editor backups

* docs: expand README with build, API, and usage details (#4)

* docs: add cross-repo navigation links to README (#7)

* docs: add contributing section to README (#9)

* Fix CI blockers: commit go.sum, fix errcheck, fix build paths, wire up CI

* feat: add source URL validation (source_repository, source_issues) on publish

* fix: CI integrity and .gitignore repairs across repos (#17)

* feat: refactor to proxy/notary — 302 redirect + checksum ledger

BREAKING: registry-server no longer stores .cgp files on disk.
- handleDownload() now returns 302 redirect to package's download_url
- handlePublish() computes SHA-256 from multipart upload (discards file)
- handlePublish() accepts sha256 + download_url via JSON (no fetch)
- Package struct gains DownloadURL field
- Removed cgpPath(), downloadFile(), DataDir filesystem usage
- Notary audit trail logged on each publish
- Updated all tests for proxy/redirect mode

* fix:ci blockers (#25)

* feat: .cgp package registry server

- 6 REST endpoints: search, get, download, publish, unlock, health
- In-memory package store with search (name+description+tags)
- Token-based auth for publish/unlock endpoints
- .cgp file serving from data directory
- 27 tests across server, store, and auth packages
- CI: build, lint, test, vet

* chore: attribute project to Jean Machuca with GitHub Sponsors

* chore: add * 2.* pattern to .gitignore for editor backups

* docs: expand README with build, API, and usage details (#4)

* docs: add cross-repo navigation links to README (#7)

* docs: add contributing section to README (#9)

* Fix CI blockers: commit go.sum, fix errcheck, fix build paths, wire up CI

* feat: add source URL validation (source_repository, source_issues) on publish

* fix:ci integrity (#26)

* feat: .cgp package registry server

- 6 REST endpoints: search, get, download, publish, unlock, health
- In-memory package store with search (name+description+tags)
- Token-based auth for publish/unlock endpoints
- .cgp file serving from data directory
- 27 tests across server, store, and auth packages
- CI: build, lint, test, vet

* chore: attribute project to Jean Machuca with GitHub Sponsors

* chore: add * 2.* pattern to .gitignore for editor backups

* docs: expand README with build, API, and usage details (#4)

* docs: add cross-repo navigation links to README (#7)

* docs: add contributing section to README (#9)

* Fix CI blockers: commit go.sum, fix errcheck, fix build paths, wire up CI

* feat: add source URL validation (source_repository, source_issues) on publish

* fix: CI integrity and .gitignore repairs across repos

* fix: add CI workflow and gitignore trailing-space pattern (#27)

* feat: .cgp package registry server (#24)

- 6 REST endpoints: search, get, download, publish, unlock, health
- In-memory package store with search (name+description+tags)
- Token-based auth for publish/unlock endpoints
- .cgp file serving from data directory
- 27 tests across server, store, and auth packages
- CI: build, lint, test, vet

* feat: add source_repository and source_issues fields to package publish (#30)

* feat: SQLite-ready file store, PUT endpoint, A1-A10 validation, scoped auth (#31)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant