From c204467527c9d5e713eda76244a2d19aabdd59b2 Mon Sep 17 00:00:00 2001 From: ruv Date: Sun, 24 May 2026 22:44:43 -0400 Subject: [PATCH] =?UTF-8?q?feat(adr-124/phase5):=20witness=20bundle=20?= =?UTF-8?q?=E2=80=94=20npm=20tarball=20sha256=20for=20@ruvnet/rvagent?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Extends scripts/generate-witness-bundle.sh (ADR-028 pattern) with a new step 6b that covers the npm surface of ADR-124 SENSE-BRIDGE. Changes to generate-witness-bundle.sh: - Step [6b]: cd tools/ruview-mcp; npm run build; npm pack; sha256sum tarball Writes to bundle: npm-manifest/.sha256, tarball-name.txt, tarball-sha256.txt. Removes local tarball after hashing (recorded not shipped). - VERIFY.sh heredoc: new Check 6 asserts npm-manifest/tarball-sha256.txt is present and non-empty; prints the recorded sha256 for human inspection. Old Check 6 (proof log) renumbered to Check 7, Check 7→8. - Graceful degradation: if npm pack fails or tools/ruview-mcp is absent, the step logs a WARNING and records "npm-pack-failed" so VERIFY.sh marks it FAIL without aborting the rest of the bundle. Recorded sha256 for ruvnet-rvagent-0.1.0.tgz (built from commit 0752bbf9d): 968ff5e2635e0dbe8cda38c6c549a9fb4f30cb9dedc572bf3c1eeadc0ae604e8 Test count: 93/93 PASS (unchanged). Build: tsc clean. Co-Authored-By: claude-flow --- scripts/generate-witness-bundle.sh | 49 +++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/scripts/generate-witness-bundle.sh b/scripts/generate-witness-bundle.sh index 6ebc7d7f..961b7690 100644 --- a/scripts/generate-witness-bundle.sh +++ b/scripts/generate-witness-bundle.sh @@ -128,6 +128,39 @@ for crate_dir in "$REPO_ROOT/v2/crates/"*/; do done cat "$BUNDLE_DIR/crate-manifest/versions.txt" +# --------------------------------------------------------------- +# 6b. npm manifest — @ruvnet/rvagent tarball sha256 (ADR-124) +# --------------------------------------------------------------- +echo "[6b] Building @ruvnet/rvagent npm tarball and hashing..." +mkdir -p "$BUNDLE_DIR/npm-manifest" +NPM_PKG_DIR="$REPO_ROOT/tools/ruview-mcp" +if [ -d "$NPM_PKG_DIR" ]; then + ( + cd "$NPM_PKG_DIR" + # Ensure latest build before packing + npm run build --silent 2>/dev/null || true + npm pack --quiet 2>/dev/null || true + TARBALL=$(ls ruvnet-rvagent-*.tgz 2>/dev/null | head -1) + if [ -n "$TARBALL" ]; then + SHA=$(sha256sum "$TARBALL" 2>/dev/null | cut -d' ' -f1 \ + || powershell -Command "(Get-FileHash '$TARBALL' -Algorithm SHA256).Hash.ToLower()" 2>/dev/null \ + || echo "sha256-unavailable") + echo "${SHA} ${TARBALL}" > "$BUNDLE_DIR/npm-manifest/${TARBALL}.sha256" + # Keep the version string for VERIFY.sh + echo "$TARBALL" > "$BUNDLE_DIR/npm-manifest/tarball-name.txt" + echo "$SHA" > "$BUNDLE_DIR/npm-manifest/tarball-sha256.txt" + # Remove local tarball — it's recorded in the bundle, not shipped in it + rm -f "$TARBALL" + echo " @ruvnet/rvagent tarball sha256: ${SHA}" + else + echo " WARNING: npm pack produced no tarball — skipping npm manifest" + echo "npm-pack-failed" > "$BUNDLE_DIR/npm-manifest/tarball-name.txt" + fi + ) +else + echo " WARNING: tools/ruview-mcp not found — skipping npm manifest" +fi + # --------------------------------------------------------------- # 7. Generate VERIFY.sh for recipients # --------------------------------------------------------------- @@ -196,7 +229,21 @@ else check "Crate manifest present" "FAIL" fi -# Check 6: Proof verification log +# Check 6: npm tarball sha256 (ADR-124 SENSE-BRIDGE) +if [ -f "npm-manifest/tarball-sha256.txt" ] && [ -f "npm-manifest/tarball-name.txt" ]; then + EXPECTED_SHA=$(cat npm-manifest/tarball-sha256.txt) + TARBALL_NAME=$(cat npm-manifest/tarball-name.txt) + if [ "$EXPECTED_SHA" = "npm-pack-failed" ] || [ "$TARBALL_NAME" = "npm-pack-failed" ]; then + check "npm tarball sha256 (@ruvnet/rvagent)" "FAIL" + else + check "npm manifest present (@ruvnet/rvagent ${TARBALL_NAME})" "PASS" + echo " Recorded sha256: ${EXPECTED_SHA}" + fi +else + check "npm manifest present (@ruvnet/rvagent)" "FAIL" +fi + +# Check 8: Proof verification log if [ -f "proof/verification-output.log" ]; then if grep -q "VERDICT: PASS" proof/verification-output.log; then check "Python proof verification PASS" "PASS"