fix(security): harden npm publish — add .npmrc + publishConfig to all 57 packages

- Created .npmrc with @bytelyst scoped registry pointing to local Gitea - Added publishConfig.registry to all 57 @bytelyst/* package.json files - Created scripts/harden-publish-config.sh for future re-runs - Prevents accidental publish to npmjs.org or corporate JFrog registry
2026-03-26 21:51:05 -07:00 · 2026-03-26 21:51:05 -07:00 · b6348fd4fe
commit b6348fd4fe
parent 911539f228
59 changed files with 251 additions and 5 deletions
--- a/.npmrc
+++ b/.npmrc
@ -0,0 +1,3 @@
+@bytelyst:registry=http://localhost:3300/api/packages/bytelyst/npm/
+//localhost:3300/api/packages/bytelyst/npm/:_authToken=${GITEA_NPM_TOKEN}
+strict-ssl=false
--- a/packages/accessibility/package.json
+++ b/packages/accessibility/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/api-client/package.json
+++ b/packages/api-client/package.json
@ -16,5 +16,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/auth-client/package.json
+++ b/packages/auth-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/auth-ui/package.json
+++ b/packages/auth-ui/package.json
@ -29,5 +29,8 @@
    "happy-dom": "^18.0.1",
    "react": "^19.2.4",
    "react-dom": "^19.2.4"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/auth/package.json
+++ b/packages/auth/package.json
@ -23,5 +23,8 @@
  "peerDependencies": {
    "jose": ">=5.0.0",
    "bcryptjs": ">=2.4.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/backend-config/package.json
+++ b/packages/backend-config/package.json
@ -26,5 +26,8 @@
  },
  "files": [
    "dist"
-  ]
+  ],
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
+  }
 }
--- a/packages/backend-flags/package.json
+++ b/packages/backend-flags/package.json
@ -23,5 +23,8 @@
  },
  "files": [
    "dist"
-  ]
+  ],
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
+  }
 }
--- a/packages/backend-telemetry/package.json
+++ b/packages/backend-telemetry/package.json
@ -23,5 +23,8 @@
  },
  "files": [
    "dist"
-  ]
+  ],
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
+  }
 }
--- a/packages/blob-client/package.json
+++ b/packages/blob-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/blob/package.json
+++ b/packages/blob/package.json
@ -20,5 +20,8 @@
  },
  "dependencies": {
    "@bytelyst/storage": "workspace:*"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/broadcast-client/package.json
+++ b/packages/broadcast-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/celebrations/package.json
+++ b/packages/celebrations/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/client-encrypt/package.json
+++ b/packages/client-encrypt/package.json
@ -19,5 +19,8 @@
  },
  "devDependencies": {
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/config/package.json
+++ b/packages/config/package.json
@ -41,5 +41,8 @@
  "devDependencies": {
    "@azure/identity": "^4.13.0",
    "@azure/keyvault-secrets": "^4.10.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/cosmos/package.json
+++ b/packages/cosmos/package.json
@ -19,5 +19,8 @@
  },
  "peerDependencies": {
    "@azure/cosmos": ">=4.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/create-app/package.json
+++ b/packages/create-app/package.json
@ -20,5 +20,8 @@
    "tsx": "^4.19.2",
    "typescript": "^5.7.3",
    "vitest": "^3.0.5"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/dashboard-components/package.json
+++ b/packages/dashboard-components/package.json
@ -32,5 +32,8 @@
    "react-dom": "^19.2.4",
    "typescript": "^5.7.3",
    "vitest": "^4.0.18"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/dashboard-shell/package.json
+++ b/packages/dashboard-shell/package.json
@ -32,5 +32,8 @@
    "react-dom": "^19.2.4",
    "typescript": "^5.7.3",
    "vitest": "^4.0.18"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/datastore/package.json
+++ b/packages/datastore/package.json
@ -31,5 +31,8 @@
  },
  "devDependencies": {
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/design-tokens/package.json
+++ b/packages/design-tokens/package.json
@ -26,5 +26,8 @@
  },
  "devDependencies": {
    "tsx": "^4.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/diagnostics-client/package.json
+++ b/packages/diagnostics-client/package.json
@ -28,5 +28,8 @@
    "@types/node": "^22.0.0",
    "typescript": "^5.7.0",
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/errors/package.json
+++ b/packages/errors/package.json
@ -16,5 +16,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/event-store/package.json
+++ b/packages/event-store/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/events/package.json
+++ b/packages/events/package.json
@ -26,5 +26,8 @@
  },
  "peerDependencies": {
    "zod": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/extraction/package.json
+++ b/packages/extraction/package.json
@ -20,5 +20,8 @@
  },
  "peerDependencies": {
    "@bytelyst/api-client": "workspace:*"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/fastify-auth/package.json
+++ b/packages/fastify-auth/package.json
@ -32,5 +32,8 @@
  },
  "files": [
    "dist"
-  ]
+  ],
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
+  }
 }
--- a/packages/fastify-core/package.json
+++ b/packages/fastify-core/package.json
@ -38,5 +38,8 @@
    "@fastify/swagger": "^9.7.0",
    "@fastify/swagger-ui": "^5.2.5",
    "fastify-metrics": "^10.6.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/fastify-sse/package.json
+++ b/packages/fastify-sse/package.json
@ -20,5 +20,8 @@
  },
  "peerDependencies": {
    "fastify": "^5.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/feature-flag-client/package.json
+++ b/packages/feature-flag-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/feedback-client/package.json
+++ b/packages/feedback-client/package.json
@ -27,5 +27,8 @@
  "devDependencies": {
    "typescript": "^5.7.0",
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/field-encrypt/package.json
+++ b/packages/field-encrypt/package.json
@ -36,5 +36,8 @@
  "devDependencies": {
    "vitest": "^3.0.0",
    "zod": "^3.24.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/gentle-notifications/package.json
+++ b/packages/gentle-notifications/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/kill-switch-client/package.json
+++ b/packages/kill-switch-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/llm-router/package.json
+++ b/packages/llm-router/package.json
@ -22,5 +22,8 @@
  "devDependencies": {
    "vitest": "^3.0.0",
    "typescript": "^5.7.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/llm/package.json
+++ b/packages/llm/package.json
@ -23,5 +23,8 @@
  },
  "devDependencies": {
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/logger/package.json
+++ b/packages/logger/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/marketplace-client/package.json
+++ b/packages/marketplace-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/monitoring/package.json
+++ b/packages/monitoring/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/offline-queue/package.json
+++ b/packages/offline-queue/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/org-client/package.json
+++ b/packages/org-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/platform-client/package.json
+++ b/packages/platform-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/push/package.json
+++ b/packages/push/package.json
@ -23,5 +23,8 @@
  },
  "devDependencies": {
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/queue/package.json
+++ b/packages/queue/package.json
@ -21,5 +21,8 @@
  "devDependencies": {
    "@types/node": "^22.12.0",
    "vitest": "^3.0.5"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/quick-actions/package.json
+++ b/packages/quick-actions/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/react-auth/package.json
+++ b/packages/react-auth/package.json
@ -30,5 +30,8 @@
    "happy-dom": "^18.0.1",
    "react": "^19.2.4",
    "react-dom": "^19.2.4"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/react-native-platform-sdk/package.json
+++ b/packages/react-native-platform-sdk/package.json
@ -59,5 +59,8 @@
    "expo",
    "mobile"
  ],
-  "license": "MIT"
+  "license": "MIT",
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
+  }
 }
--- a/packages/referral-client/package.json
+++ b/packages/referral-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/secure-storage-web/package.json
+++ b/packages/secure-storage-web/package.json
@ -20,5 +20,8 @@
  "devDependencies": {
    "vitest": "^3.0.0",
    "fake-indexeddb": "^6.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/speech/package.json
+++ b/packages/speech/package.json
@ -20,5 +20,8 @@
  "devDependencies": {
    "typescript": "^5.7.0",
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/storage/package.json
+++ b/packages/storage/package.json
@ -26,5 +26,8 @@
  },
  "devDependencies": {
    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/subscription-client/package.json
+++ b/packages/subscription-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/survey-client/package.json
+++ b/packages/survey-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/sync/package.json
+++ b/packages/sync/package.json
@ -27,5 +27,8 @@
  },
  "peerDependencies": {
    "@bytelyst/api-client": "workspace:*"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/telemetry-client/package.json
+++ b/packages/telemetry-client/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/testing/package.json
+++ b/packages/testing/package.json
@ -30,5 +30,8 @@
    "fastify": {
      "optional": true
    }
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/time-references/package.json
+++ b/packages/time-references/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/packages/webhook-dispatch/package.json
+++ b/packages/webhook-dispatch/package.json
@ -17,5 +17,8 @@
  "scripts": {
    "build": "tsc",
    "test": "vitest run"
+  },
+  "publishConfig": {
+    "registry": "http://localhost:3300/api/packages/bytelyst/npm/"
  }
 }
--- a/scripts/harden-publish-config.sh
+++ b/scripts/harden-publish-config.sh
@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ─────────────────────────────────────────────────────────────
+# Hardening: Add publishConfig to all @bytelyst/* packages
+# to prevent accidental publish to npmjs.org or JFrog
+# ─────────────────────────────────────────────────────────────
+
+REGISTRY="http://localhost:3300/api/packages/bytelyst/npm/"
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+PACKAGES_DIR="$REPO_ROOT/packages"
+
+# Skip native SDKs (not published to npm)
+SKIP_DIRS="swift-platform-sdk swift-diagnostics kotlin-platform-sdk"
+
+fixed=0
+skipped=0
+already=0
+
+for pkg_json in "$PACKAGES_DIR"/*/package.json; do
+  dir_name=$(basename "$(dirname "$pkg_json")")
+
+  # Skip native SDKs
+  if echo "$SKIP_DIRS" | grep -qw "$dir_name"; then
+    echo "SKIP (native): $dir_name"
+    ((skipped++))
+    continue
+  fi
+
+  # Check if publishConfig already exists with correct registry
+  if node -e "
+    const p = JSON.parse(require('fs').readFileSync('$pkg_json', 'utf8'));
+    process.exit(p.publishConfig && p.publishConfig.registry === '$REGISTRY' ? 0 : 1);
+  " 2>/dev/null; then
+    echo "OK: $dir_name"
+    ((already++))
+    continue
+  fi
+
+  # Add publishConfig
+  node -e "
+    const fs = require('fs');
+    const pkg = JSON.parse(fs.readFileSync('$pkg_json', 'utf8'));
+    pkg.publishConfig = { registry: '$REGISTRY' };
+    fs.writeFileSync('$pkg_json', JSON.stringify(pkg, null, 2) + '\n');
+  "
+  echo "FIXED: $dir_name"
+  ((fixed++))
+done
+
+# Also fix @actiontrail/sdk
+SDK_FILE="/Users/sd9235/code/mygh/learning_ai_trails/sdk/package.json"
+if [ -f "$SDK_FILE" ]; then
+  if ! node -e "
+    const p = JSON.parse(require('fs').readFileSync('$SDK_FILE', 'utf8'));
+    process.exit(p.publishConfig && p.publishConfig.registry === '$REGISTRY' ? 0 : 1);
+  " 2>/dev/null; then
+    node -e "
+      const fs = require('fs');
+      const pkg = JSON.parse(fs.readFileSync('$SDK_FILE', 'utf8'));
+      pkg.publishConfig = { registry: '$REGISTRY' };
+      fs.writeFileSync('$SDK_FILE', JSON.stringify(pkg, null, 2) + '\n');
+    "
+    echo "FIXED: @actiontrail/sdk"
+    ((fixed++))
+  else
+    echo "OK: @actiontrail/sdk"
+  fi
+fi
+
+echo ""
+echo "✅ Done: $fixed fixed, $already already ok, $skipped skipped (native)"