v1.3.0

feat(core): Add Cargo and Composer registries with storage, auth and helpers
2025-11-21 09:13:02 +00:00 · 2025-11-21 09:13:02 +00:00
19 changed files with 1870 additions and 57 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,17 @@
 # Changelog
 ## 2025-11-21 - 1.3.0 - feat(core)
 Add Cargo and Composer registries with storage, auth and helpers
 - Add Cargo registry implementation (ts/cargo) including index, publish, download, yank/unyank and search handlers
 - Add Composer registry implementation (ts/composer) including package upload/download, metadata, packages.json and helpers
 - Extend RegistryStorage with Cargo and Composer-specific storage helpers and path conventions
 - Extend AuthManager with Composer token creation/validation and unified token validation support
 - Wire SmartRegistry to initialize and route requests to cargo and composer handlers
 - Add adm-zip dependency and Composer ZIP parsing helpers (extractComposerJsonFromZip, sha1 calculation, version sorting)
 - Add tests for Cargo index path calculation and config handling
 - Export new modules from ts/index.ts and add module entry files for composer and cargo
 ## 2025-11-21 - 1.2.0 - feat(maven)
 Add Maven registry protocol support (storage, auth, routing, interfaces, and exports)
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartregistry",
-  "version": "1.2.0",
+  "version": "1.3.0",
  "private": false,
  "description": "a registry for npm modules and oci images",
  "main": "dist_ts/index.js",
@@ -47,7 +47,8 @@
    "@push.rocks/qenv": "^6.1.3",
    "@push.rocks/smartbucket": "^4.3.0",
    "@push.rocks/smartlog": "^3.1.10",
-    "@push.rocks/smartpath": "^6.0.0"
+    "@push.rocks/smartpath": "^6.0.0",
    "adm-zip": "^0.5.10"
  },
  "packageManager": "pnpm@10.18.1+sha512.77a884a165cbba2d8d1c19e3b4880eee6d2fcabd0d879121e282196b80042351d5eb3ca0935fa599da1dc51265cc68816ad2bddd2a2de5ea9fdf92adbec7cd34"
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,6 +20,9 @@ importers:
      '@push.rocks/smartpath':
        specifier: ^6.0.0
        version: 6.0.0
      adm-zip:
        specifier: ^0.5.10
        version: 0.5.16
    devDependencies:
      '@git.zone/tsbuild':
        specifier: ^3.1.0
@@ -1507,6 +1510,10 @@ packages:
    resolution: {integrity: sha512-mORqg60S8iML6XSmVjqjGHJkINrCGLMj2QvDmFzI9vIlv1RGlyjmw3nrzaINJjkNsYXC41XhhD5pfy7CtuGcbA==}
    engines: {node: '>= 16'}
  adm-zip@0.5.16:
    resolution: {integrity: sha512-TGw5yVi4saajsSEgz25grObGHEUaDrniwvA2qwSC060KfqGPdglhvPMA2lPIoxs3PQIItj2iag35fONcQqgUaQ==}
    engines: {node: '>=12.0'}
  agent-base@7.1.4:
    resolution: {integrity: sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==}
    engines: {node: '>= 14'}
@@ -6557,6 +6564,8 @@ snapshots:
    transitivePeerDependencies:
      - supports-color
  adm-zip@0.5.16: {}
  agent-base@7.1.4: {}
  agentkeepalive@4.6.0:
--- a/readme.md
+++ b/readme.md
@@ -1,18 +1,21 @@
 # @push.rocks/smartregistry
-> 🚀 A composable TypeScript library implementing both **OCI Distribution Specification v1.1** and **NPM Registry API** for building unified container and package registries.
+> 🚀 A composable TypeScript library implementing **OCI Distribution Specification v1.1**, **NPM Registry API**, **Maven Repository**, **Cargo/crates.io Registry**, and **Composer/Packagist** for building unified container and package registries.
 ## ✨ Features
-### 🔄 Dual Protocol Support
+### 🔄 Multi-Protocol Support
 - **OCI Distribution Spec v1.1**: Full container registry with manifest/blob operations
 - **NPM Registry API**: Complete package registry with publish/install/search
 - **Maven Repository**: Java/JVM artifact management with POM support
 - **Cargo/crates.io Registry**: Rust crate registry with sparse HTTP protocol
 - **Composer/Packagist**: PHP package registry with Composer v2 protocol
 ### 🏗️ Unified Architecture
 - **Composable Design**: Core infrastructure with protocol plugins
 - **Shared Storage**: Cloud-agnostic S3-compatible backend ([@push.rocks/smartbucket](https://www.npmjs.com/package/@push.rocks/smartbucket))
- **Unified Authentication**: Scope-based permissions across both protocols
+- **Unified Authentication**: Scope-based permissions across all protocols
- **Path-based Routing**: `/oci/*` for containers, `/npm/*` for packages
+- **Path-based Routing**: `/oci/*` for containers, `/npm/*` for packages, `/maven/*` for Java artifacts, `/cargo/*` for Rust crates, `/composer/*` for PHP packages
 ### 🔐 Authentication & Authorization
 - NPM UUID tokens for package operations
@@ -35,6 +38,27 @@
 - ✅ Dist-tag management
 - ✅ Token management
 **Maven Features:**
 - ✅ Artifact upload/download
 - ✅ POM and metadata management
 - ✅ Snapshot and release versions
 - ✅ Checksum verification (MD5, SHA1)
 **Cargo Features:**
 - ✅ Crate publish (.crate files)
 - ✅ Sparse HTTP protocol (modern index)
 - ✅ Version yank/unyank
 - ✅ Dependency resolution
 - ✅ Search functionality
 **Composer Features:**
 - ✅ Package publish/download (ZIP format)
 - ✅ Composer v2 repository API
 - ✅ Package metadata (packages.json)
 - ✅ Version management
 - ✅ Dependency resolution
 - ✅ PSR-4/PSR-0 autoloading support
 ## 📥 Installation
 ```bash
@@ -78,6 +102,18 @@ const config: IRegistryConfig = {
    enabled: true,
    basePath: '/npm',
  },
  maven: {
    enabled: true,
    basePath: '/maven',
  },
  cargo: {
    enabled: true,
    basePath: '/cargo',
  },
  composer: {
    enabled: true,
    basePath: '/composer',
  },
 };
 const registry = new SmartRegistry(config);
@@ -212,6 +248,167 @@ const searchResults = await registry.handleRequest({
 });
 ```
 ### 🦀 Cargo Registry (Rust Crates)
 ```typescript
 // Get config.json (required for Cargo)
 const config = await registry.handleRequest({
  method: 'GET',
  path: '/cargo/config.json',
  headers: {},
  query: {},
 });
 // Get index file for a crate
 const index = await registry.handleRequest({
  method: 'GET',
  path: '/cargo/se/rd/serde',  // Path based on crate name length
  headers: {},
  query: {},
 });
 // Download a crate file
 const crateFile = await registry.handleRequest({
  method: 'GET',
  path: '/cargo/api/v1/crates/serde/1.0.0/download',
  headers: {},
  query: {},
 });
 // Publish a crate (binary format: [4 bytes JSON len][JSON][4 bytes crate len][.crate])
 const publishResponse = await registry.handleRequest({
  method: 'PUT',
  path: '/cargo/api/v1/crates/new',
  headers: { 'Authorization': '<cargo-token>' },  // No "Bearer" prefix
  query: {},
  body: binaryPublishData,  // Length-prefixed binary format
 });
 // Yank a version (deprecate without deleting)
 const yankResponse = await registry.handleRequest({
  method: 'DELETE',
  path: '/cargo/api/v1/crates/my-crate/0.1.0/yank',
  headers: { 'Authorization': '<cargo-token>' },
  query: {},
 });
 // Unyank a version
 const unyankResponse = await registry.handleRequest({
  method: 'PUT',
  path: '/cargo/api/v1/crates/my-crate/0.1.0/unyank',
  headers: { 'Authorization': '<cargo-token>' },
  query: {},
 });
 // Search crates
 const search = await registry.handleRequest({
  method: 'GET',
  path: '/cargo/api/v1/crates',
  headers: {},
  query: { q: 'serde', per_page: '10' },
 });
 ```
 **Using with Cargo CLI:**
 ```toml
 # .cargo/config.toml
 [registries.myregistry]
 index = "sparse+https://registry.example.com/cargo/"
 [registries.myregistry.credential-provider]
 # Or use credentials directly:
 # [registries.myregistry]
 # token = "your-api-token"
 ```
 ```bash
 # Publish to custom registry
 cargo publish --registry=myregistry
 # Install from custom registry
 cargo install --registry=myregistry my-crate
 # Search custom registry
 cargo search --registry=myregistry tokio
 ```
 ### 🎼 Composer Registry (PHP Packages)
 ```typescript
 // Get repository root (packages.json)
 const packagesJson = await registry.handleRequest({
  method: 'GET',
  path: '/composer/packages.json',
  headers: {},
  query: {},
 });
 // Get package metadata
 const metadata = await registry.handleRequest({
  method: 'GET',
  path: '/composer/p2/vendor/package.json',
  headers: {},
  query: {},
 });
 // Upload a package (ZIP with composer.json)
 const zipBuffer = await readFile('package.zip');
 const uploadResponse = await registry.handleRequest({
  method: 'PUT',
  path: '/composer/packages/vendor/package',
  headers: { 'Authorization': `Bearer <composer-token>` },
  query: {},
  body: zipBuffer,
 });
 // Download package ZIP
 const download = await registry.handleRequest({
  method: 'GET',
  path: '/composer/dists/vendor/package/ref123.zip',
  headers: {},
  query: {},
 });
 // List all packages
 const list = await registry.handleRequest({
  method: 'GET',
  path: '/composer/packages/list.json',
  headers: {},
  query: {},
 });
 // Delete a specific version
 const deleteVersion = await registry.handleRequest({
  method: 'DELETE',
  path: '/composer/packages/vendor/package/1.0.0',
  headers: { 'Authorization': `Bearer <composer-token>` },
  query: {},
 });
 ```
 **Using with Composer CLI:**
 ```json
 // composer.json
 {
  "repositories": [
    {
      "type": "composer",
      "url": "https://registry.example.com/composer"
    }
  ]
 }
 ```
 ```bash
 # Install from custom registry
 composer require vendor/package
 # Update packages
 composer update
 ```
 ### 🔐 Authentication
 ```typescript
@@ -374,6 +571,48 @@ NPM registry API compliant implementation.
 - `POST /-/npm/v1/tokens` - Create token
 - `PUT /-/package/{pkg}/dist-tags/{tag}` - Update tag
 #### CargoRegistry
 Cargo/crates.io registry with sparse HTTP protocol support.
 **Endpoints:**
 - `GET /config.json` - Registry configuration (sparse protocol)
 - `GET /index/{path}` - Index files (hierarchical structure)
  - `/1/{name}` - 1-character crate names
  - `/2/{name}` - 2-character crate names
  - `/3/{c}/{name}` - 3-character crate names
  - `/{p1}/{p2}/{name}` - 4+ character crate names
 - `PUT /api/v1/crates/new` - Publish crate (binary format)
 - `GET /api/v1/crates/{crate}/{version}/download` - Download .crate file
 - `DELETE /api/v1/crates/{crate}/{version}/yank` - Yank (deprecate) version
 - `PUT /api/v1/crates/{crate}/{version}/unyank` - Unyank version
 - `GET /api/v1/crates?q={query}` - Search crates
 **Index Format:**
 - Newline-delimited JSON (one line per version)
 - SHA256 checksums for .crate files
 - Yanked flag (keep files, mark unavailable)
 #### ComposerRegistry
 Composer v2 repository API compliant implementation.
 **Endpoints:**
 - `GET /packages.json` - Repository metadata and configuration
 - `GET /p2/{vendor}/{package}.json` - Package version metadata
 - `GET /p2/{vendor}/{package}~dev.json` - Dev versions metadata
 - `GET /packages/list.json` - List all packages
 - `GET /dists/{vendor}/{package}/{ref}.zip` - Download package ZIP
 - `PUT /packages/{vendor}/{package}` - Upload package (requires auth)
 - `DELETE /packages/{vendor}/{package}` - Delete entire package
 - `DELETE /packages/{vendor}/{package}/{version}` - Delete specific version
 **Package Format:**
 - ZIP archives with composer.json in root
 - SHA-1 checksums for verification
 - Version normalization (1.0.0 → 1.0.0.0)
 - PSR-4/PSR-0 autoloading configuration
 ## 🗄️ Storage Structure
 ```
@@ -385,16 +624,38 @@ bucket/
 │   │   └── {repository}/{digest}
 │   └── tags/
 │       └── {repository}/tags.json
-└── npm/
+├── npm/
-    ├── packages/
+│   ├── packages/
-    │   ├── {name}/
+│   │   ├── {name}/
-    │   │   ├── index.json          # Packument
+│   │   │   ├── index.json          # Packument
-    │   │   └── {name}-{ver}.tgz    # Tarball
+│   │   │   └── {name}-{ver}.tgz    # Tarball
-    │   └── @{scope}/{name}/
+│   │   └── @{scope}/{name}/
-    │       ├── index.json
+│   │       ├── index.json
-    │       └── {name}-{ver}.tgz
+│   │       └── {name}-{ver}.tgz
-    └── users/
+│   └── users/
-        └── {username}.json
+│       └── {username}.json
 ├── maven/
 │   ├── artifacts/
 │   │   └── {group-path}/{artifact}/{version}/
 │   │       ├── {artifact}-{version}.jar
 │   │       ├── {artifact}-{version}.pom
 │   │       └── {artifact}-{version}.{ext}
 │   └── metadata/
 │       └── {group-path}/{artifact}/maven-metadata.xml
 ├── cargo/
 │   ├── config.json                 # Registry configuration (sparse protocol)
 │   ├── index/                      # Hierarchical index structure
 │   │   ├── 1/{name}               # 1-char crate names (e.g., "a")
 │   │   ├── 2/{name}               # 2-char crate names (e.g., "io")
 │   │   ├── 3/{c}/{name}           # 3-char crate names (e.g., "3/a/axo")
 │   │   └── {p1}/{p2}/{name}       # 4+ char (e.g., "se/rd/serde")
 │   └── crates/
 │       └── {name}/{name}-{version}.crate  # Gzipped tar archives
 └── composer/
    └── packages/
        └── {vendor}/{package}/
            ├── metadata.json       # All versions metadata
            └── {reference}.zip     # Package ZIP files
 ```
 ## 🎯 Scope Format
@@ -408,9 +669,22 @@ Examples:
  npm:package:express:read          # Read express package
  npm:package:*:write               # Write any package
  npm:*:*:*                         # Full NPM access
  oci:repository:nginx:pull         # Pull nginx image
  oci:repository:*:push             # Push any image
  oci:*:*:*                         # Full OCI access
  maven:artifact:com.example:read   # Read Maven artifact
  maven:artifact:*:write            # Write any artifact
  maven:*:*:*                       # Full Maven access
  cargo:crate:serde:write           # Write serde crate
  cargo:crate:*:read                # Read any crate
  cargo:*:*:*                       # Full Cargo access
  composer:package:vendor/package:read   # Read Composer package
  composer:package:*:write          # Write any package
  composer:*:*:*                    # Full Composer access
 ```
 ## 🔌 Integration Examples
--- a/test/cargo.test.node.ts
+++ b/test/cargo.test.node.ts
@@ -0,0 +1,131 @@
 import { tap, expect } from '@git.zone/tstest';
 import { RegistryStorage } from '../ts/core/classes.registrystorage.js';
 import { CargoRegistry } from '../ts/cargo/classes.cargoregistry.js';
 import { AuthManager } from '../ts/core/classes.authmanager.js';
 // Test index path calculation
 tap.test('should calculate correct index paths for different crate names', async () => {
  const storage = new RegistryStorage({
    accessKey: 'test',
    accessSecret: 'test',
    endpoint: 's3.test.com',
    bucketName: 'test-bucket',
  });
  // Access private method for testing
  const getPath = (storage as any).getCargoIndexPath.bind(storage);
  // 1-character names
  expect(getPath('a')).to.equal('cargo/index/1/a');
  expect(getPath('z')).to.equal('cargo/index/1/z');
  // 2-character names
  expect(getPath('io')).to.equal('cargo/index/2/io');
  expect(getPath('ab')).to.equal('cargo/index/2/ab');
  // 3-character names
  expect(getPath('axo')).to.equal('cargo/index/3/a/axo');
  expect(getPath('foo')).to.equal('cargo/index/3/f/foo');
  // 4+ character names
  expect(getPath('serde')).to.equal('cargo/index/se/rd/serde');
  expect(getPath('tokio')).to.equal('cargo/index/to/ki/tokio');
  expect(getPath('my-crate')).to.equal('cargo/index/my/--/my-crate');
 });
 // Test crate file path calculation
 tap.test('should calculate correct crate file paths', async () => {
  const storage = new RegistryStorage({
    accessKey: 'test',
    accessSecret: 'test',
    endpoint: 's3.test.com',
    bucketName: 'test-bucket',
  });
  // Access private method for testing
  const getPath = (storage as any).getCargoCratePath.bind(storage);
  expect(getPath('serde', '1.0.0')).to.equal('cargo/crates/serde/serde-1.0.0.crate');
  expect(getPath('tokio', '1.28.0')).to.equal('cargo/crates/tokio/tokio-1.28.0.crate');
  expect(getPath('my-crate', '0.1.0')).to.equal('cargo/crates/my-crate/my-crate-0.1.0.crate');
 });
 // Test crate name validation
 tap.test('should validate crate names correctly', async () => {
  const storage = new RegistryStorage({
    accessKey: 'test',
    accessSecret: 'test',
    endpoint: 's3.test.com',
    bucketName: 'test-bucket',
  });
  const authManager = new AuthManager({
    jwtSecret: 'test-secret',
    tokenStore: 'memory',
    npmTokens: { enabled: true },
    ociTokens: { enabled: false, realm: '', service: '' },
  });
  const registry = new CargoRegistry(storage, authManager, '/cargo', 'http://localhost:5000/cargo');
  // Access private method for testing
  const validate = (registry as any).validateCrateName.bind(registry);
  // Valid names
  expect(validate('serde')).to.be.true;
  expect(validate('tokio')).to.be.true;
  expect(validate('my-crate')).to.be.true;
  expect(validate('my_crate')).to.be.true;
  expect(validate('crate123')).to.be.true;
  expect(validate('a')).to.be.true;
  // Invalid names (uppercase not allowed)
  expect(validate('Serde')).to.be.false;
  expect(validate('MyCreate')).to.be.false;
  // Invalid names (special characters)
  expect(validate('my.crate')).to.be.false;
  expect(validate('my@crate')).to.be.false;
  expect(validate('my crate')).to.be.false;
  // Invalid names (too long)
  const longName = 'a'.repeat(65);
  expect(validate(longName)).to.be.false;
  // Invalid names (empty)
  expect(validate('')).to.be.false;
 });
 // Test config.json response
 tap.test('should return valid config.json', async () => {
  const storage = new RegistryStorage({
    accessKey: 'test',
    accessSecret: 'test',
    endpoint: 's3.test.com',
    bucketName: 'test-bucket',
  });
  const authManager = new AuthManager({
    jwtSecret: 'test-secret',
    tokenStore: 'memory',
    npmTokens: { enabled: true },
    ociTokens: { enabled: false, realm: '', service: '' },
  });
  const registry = new CargoRegistry(storage, authManager, '/cargo', 'http://localhost:5000/cargo');
  const response = await registry.handleRequest({
    method: 'GET',
    path: '/cargo/config.json',
    headers: {},
    query: {},
  });
  expect(response.status).to.equal(200);
  expect(response.headers['Content-Type']).to.equal('application/json');
  expect(response.body).to.be.an('object');
  expect(response.body.dl).to.include('/api/v1/crates/{crate}/{version}/download');
  expect(response.body.api).to.equal('http://localhost:5000/cargo');
 });
 export default tap.start();
--- a/test/helpers/registry.ts
+++ b/test/helpers/registry.ts
@@ -6,7 +6,7 @@ import type { IRegistryConfig } from '../../ts/core/interfaces.core.js';
 const testQenv = new qenv.Qenv('./', './.nogit');
 /**
- * Create a test SmartRegistry instance with OCI, NPM, and Maven enabled
+ * Create a test SmartRegistry instance with OCI, NPM, Maven, and Composer enabled
 */
 export async function createTestRegistry(): Promise<SmartRegistry> {
  // Read S3 config from env.json
@@ -49,6 +49,10 @@ export async function createTestRegistry(): Promise<SmartRegistry> {
      enabled: true,
      basePath: '/maven',
    },
    composer: {
      enabled: true,
      basePath: '/composer',
    },
  };
  const registry = new SmartRegistry(config);
@@ -86,7 +90,10 @@ export async function createTestTokens(registry: SmartRegistry) {
  // Create Maven token with full access
  const mavenToken = await authManager.createMavenToken(userId, false);
-  return { npmToken, ociToken, mavenToken, userId };
+  // Create Composer token with full access
  const composerToken = await authManager.createComposerToken(userId, false);
  return { npmToken, ociToken, mavenToken, composerToken, userId };
 }
 /**
@@ -205,3 +212,61 @@ export function calculateMavenChecksums(data: Buffer) {
    sha512: crypto.createHash('sha512').update(data).digest('hex'),
  };
 }
 /**
 * Helper to create a Composer package ZIP
 */
 export async function createComposerZip(
  vendorPackage: string,
  version: string,
  options?: {
    description?: string;
    license?: string[];
    authors?: Array<{ name: string; email?: string }>;
  }
 ): Promise<Buffer> {
  const AdmZip = (await import('adm-zip')).default;
  const zip = new AdmZip();
  const composerJson = {
    name: vendorPackage,
    version: version,
    type: 'library',
    description: options?.description || 'Test Composer package',
    license: options?.license || ['MIT'],
    authors: options?.authors || [{ name: 'Test Author', email: 'test@example.com' }],
    require: {
      php: '>=7.4',
    },
    autoload: {
      'psr-4': {
        'Vendor\\TestPackage\\': 'src/',
      },
    },
  };
  // Add composer.json
  zip.addFile('composer.json', Buffer.from(JSON.stringify(composerJson, null, 2), 'utf-8'));
  // Add a test PHP file
  const [vendor, pkg] = vendorPackage.split('/');
  const namespace = `${vendor.charAt(0).toUpperCase() + vendor.slice(1)}\\${pkg.charAt(0).toUpperCase() + pkg.slice(1).replace(/-/g, '')}`;
  const testPhpContent = `<?php
 namespace ${namespace};
 class TestClass
 {
    public function greet(): string
    {
        return "Hello from ${vendorPackage}!";
    }
 }
 `;
  zip.addFile('src/TestClass.php', Buffer.from(testPhpContent, 'utf-8'));
  // Add README
  zip.addFile('README.md', Buffer.from(`# ${vendorPackage}\n\nTest package`, 'utf-8'));
  return zip.toBuffer();
 }
--- a/test/test.composer.ts
+++ b/test/test.composer.ts
@@ -0,0 +1,296 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { SmartRegistry } from '../ts/index.js';
 import { createTestRegistry, createTestTokens, createComposerZip } from './helpers/registry.js';
 let registry: SmartRegistry;
 let composerToken: string;
 let userId: string;
 // Test data
 const testPackageName = 'vendor/test-package';
 const testVersion = '1.0.0';
 let testZipData: Buffer;
 tap.test('Composer: should create registry instance', async () => {
  registry = await createTestRegistry();
  const tokens = await createTestTokens(registry);
  composerToken = tokens.composerToken;
  userId = tokens.userId;
  expect(registry).toBeInstanceOf(SmartRegistry);
  expect(composerToken).toBeTypeOf('string');
 });
 tap.test('Composer: should create test ZIP package', async () => {
  testZipData = await createComposerZip(testPackageName, testVersion, {
    description: 'Test Composer package for registry',
    license: ['MIT'],
    authors: [{ name: 'Test Author', email: 'test@example.com' }],
  });
  expect(testZipData).toBeInstanceOf(Buffer);
  expect(testZipData.length).toBeGreaterThan(0);
 });
 tap.test('Composer: should return packages.json (GET /packages.json)', async () => {
  const response = await registry.handleRequest({
    method: 'GET',
    path: '/composer/packages.json',
    headers: {},
    query: {},
  });
  expect(response.status).toEqual(200);
  expect(response.body).toHaveProperty('metadata-url');
  expect(response.body).toHaveProperty('available-packages');
  expect(response.body['available-packages']).toBeInstanceOf(Array);
 });
 tap.test('Composer: should upload a package (PUT /packages/{vendor/package})', async () => {
  const response = await registry.handleRequest({
    method: 'PUT',
    path: `/composer/packages/${testPackageName}`,
    headers: {
      Authorization: `Bearer ${composerToken}`,
      'Content-Type': 'application/zip',
    },
    query: {},
    body: testZipData,
  });
  expect(response.status).toEqual(201);
  expect(response.body.status).toEqual('success');
  expect(response.body.package).toEqual(testPackageName);
  expect(response.body.version).toEqual(testVersion);
 });
 tap.test('Composer: should retrieve package metadata (GET /p2/{vendor/package}.json)', async () => {
  const response = await registry.handleRequest({
    method: 'GET',
    path: `/composer/p2/${testPackageName}.json`,
    headers: {},
    query: {},
  });
  expect(response.status).toEqual(200);
  expect(response.body).toHaveProperty('packages');
  expect(response.body.packages[testPackageName]).toBeInstanceOf(Array);
  expect(response.body.packages[testPackageName].length).toEqual(1);
  const packageData = response.body.packages[testPackageName][0];
  expect(packageData.name).toEqual(testPackageName);
  expect(packageData.version).toEqual(testVersion);
  expect(packageData.version_normalized).toEqual('1.0.0.0');
  expect(packageData).toHaveProperty('dist');
  expect(packageData.dist.type).toEqual('zip');
  expect(packageData.dist).toHaveProperty('url');
  expect(packageData.dist).toHaveProperty('shasum');
  expect(packageData.dist).toHaveProperty('reference');
 });
 tap.test('Composer: should download package ZIP (GET /dists/{vendor/package}/{ref}.zip)', async () => {
  // First get metadata to find reference
  const metadataResponse = await registry.handleRequest({
    method: 'GET',
    path: `/composer/p2/${testPackageName}.json`,
    headers: {},
    query: {},
  });
  const reference = metadataResponse.body.packages[testPackageName][0].dist.reference;
  const response = await registry.handleRequest({
    method: 'GET',
    path: `/composer/dists/${testPackageName}/${reference}.zip`,
    headers: {},
    query: {},
  });
  expect(response.status).toEqual(200);
  expect(response.body).toBeInstanceOf(Buffer);
  expect(response.headers['Content-Type']).toEqual('application/zip');
  expect(response.headers['Content-Disposition']).toContain('attachment');
 });
 tap.test('Composer: should list packages (GET /packages/list.json)', async () => {
  const response = await registry.handleRequest({
    method: 'GET',
    path: '/composer/packages/list.json',
    headers: {},
    query: {},
  });
  expect(response.status).toEqual(200);
  expect(response.body).toHaveProperty('packageNames');
  expect(response.body.packageNames).toBeInstanceOf(Array);
  expect(response.body.packageNames).toContain(testPackageName);
 });
 tap.test('Composer: should filter package list (GET /packages/list.json?filter=vendor/*)', async () => {
  const response = await registry.handleRequest({
    method: 'GET',
    path: '/composer/packages/list.json',
    headers: {},
    query: { filter: 'vendor/*' },
  });
  expect(response.status).toEqual(200);
  expect(response.body.packageNames).toBeInstanceOf(Array);
  expect(response.body.packageNames).toContain(testPackageName);
 });
 tap.test('Composer: should prevent duplicate version upload', async () => {
  const response = await registry.handleRequest({
    method: 'PUT',
    path: `/composer/packages/${testPackageName}`,
    headers: {
      Authorization: `Bearer ${composerToken}`,
      'Content-Type': 'application/zip',
    },
    query: {},
    body: testZipData,
  });
  expect(response.status).toEqual(409);
  expect(response.body.status).toEqual('error');
  expect(response.body.message).toContain('already exists');
 });
 tap.test('Composer: should upload a second version', async () => {
  const testVersion2 = '1.1.0';
  const testZipData2 = await createComposerZip(testPackageName, testVersion2);
  const response = await registry.handleRequest({
    method: 'PUT',
    path: `/composer/packages/${testPackageName}`,
    headers: {
      Authorization: `Bearer ${composerToken}`,
      'Content-Type': 'application/zip',
    },
    query: {},
    body: testZipData2,
  });
  expect(response.status).toEqual(201);
  expect(response.body.status).toEqual('success');
  expect(response.body.version).toEqual(testVersion2);
 });
 tap.test('Composer: should return multiple versions in metadata', async () => {
  const response = await registry.handleRequest({
    method: 'GET',
    path: `/composer/p2/${testPackageName}.json`,
    headers: {},
    query: {},
  });
  expect(response.status).toEqual(200);
  expect(response.body.packages[testPackageName]).toBeInstanceOf(Array);
  expect(response.body.packages[testPackageName].length).toEqual(2);
  const versions = response.body.packages[testPackageName].map((p: any) => p.version);
  expect(versions).toContain('1.0.0');
  expect(versions).toContain('1.1.0');
 });
 tap.test('Composer: should delete a specific version (DELETE /packages/{vendor/package}/{version})', async () => {
  const response = await registry.handleRequest({
    method: 'DELETE',
    path: `/composer/packages/${testPackageName}/1.0.0`,
    headers: {
      Authorization: `Bearer ${composerToken}`,
    },
    query: {},
  });
  expect(response.status).toEqual(204);
  // Verify version was removed
  const metadataResponse = await registry.handleRequest({
    method: 'GET',
    path: `/composer/p2/${testPackageName}.json`,
    headers: {},
    query: {},
  });
  expect(metadataResponse.body.packages[testPackageName].length).toEqual(1);
  expect(metadataResponse.body.packages[testPackageName][0].version).toEqual('1.1.0');
 });
 tap.test('Composer: should require auth for package upload', async () => {
  const testZipData3 = await createComposerZip('vendor/unauth-package', '1.0.0');
  const response = await registry.handleRequest({
    method: 'PUT',
    path: '/composer/packages/vendor/unauth-package',
    headers: {
      'Content-Type': 'application/zip',
    },
    query: {},
    body: testZipData3,
  });
  expect(response.status).toEqual(401);
  expect(response.body.status).toEqual('error');
 });
 tap.test('Composer: should reject invalid ZIP (no composer.json)', async () => {
  const invalidZip = Buffer.from('invalid zip content');
  const response = await registry.handleRequest({
    method: 'PUT',
    path: `/composer/packages/${testPackageName}`,
    headers: {
      Authorization: `Bearer ${composerToken}`,
      'Content-Type': 'application/zip',
    },
    query: {},
    body: invalidZip,
  });
  expect(response.status).toEqual(400);
  expect(response.body.status).toEqual('error');
  expect(response.body.message).toContain('composer.json');
 });
 tap.test('Composer: should delete entire package (DELETE /packages/{vendor/package})', async () => {
  const response = await registry.handleRequest({
    method: 'DELETE',
    path: `/composer/packages/${testPackageName}`,
    headers: {
      Authorization: `Bearer ${composerToken}`,
    },
    query: {},
  });
  expect(response.status).toEqual(204);
  // Verify package was removed
  const metadataResponse = await registry.handleRequest({
    method: 'GET',
    path: `/composer/p2/${testPackageName}.json`,
    headers: {},
    query: {},
  });
  expect(metadataResponse.status).toEqual(404);
 });
 tap.test('Composer: should return 404 for non-existent package', async () => {
  const response = await registry.handleRequest({
    method: 'GET',
    path: '/composer/p2/non/existent.json',
    headers: {},
    query: {},
  });
  expect(response.status).toEqual(404);
 });
 tap.postTask('cleanup registry', async () => {
  if (registry) {
    registry.destroy();
  }
 });
 export default tap.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartregistry',
-  version: '1.2.0',
+  version: '1.3.0',
  description: 'a registry for npm modules and oci images'
 }
--- a/ts/classes.smartregistry.ts
+++ b/ts/classes.smartregistry.ts
@@ -5,10 +5,12 @@ import type { IRegistryConfig, IRequestContext, IResponse } from './core/interfa
 import { OciRegistry } from './oci/classes.ociregistry.js';
 import { NpmRegistry } from './npm/classes.npmregistry.js';
 import { MavenRegistry } from './maven/classes.mavenregistry.js';
 import { CargoRegistry } from './cargo/classes.cargoregistry.js';
 import { ComposerRegistry } from './composer/classes.composerregistry.js';
 /**
 * Main registry orchestrator
- * Routes requests to appropriate protocol handlers (OCI, NPM, or Maven)
+ * Routes requests to appropriate protocol handlers (OCI, NPM, Maven, Cargo, or Composer)
 */
 export class SmartRegistry {
  private storage: RegistryStorage;
@@ -61,6 +63,24 @@ export class SmartRegistry {
      this.registries.set('maven', mavenRegistry);
    }
    // Initialize Cargo registry if enabled
    if (this.config.cargo?.enabled) {
      const cargoBasePath = this.config.cargo.basePath || '/cargo';
      const registryUrl = `http://localhost:5000${cargoBasePath}`; // TODO: Make configurable
      const cargoRegistry = new CargoRegistry(this.storage, this.authManager, cargoBasePath, registryUrl);
      await cargoRegistry.init();
      this.registries.set('cargo', cargoRegistry);
    }
    // Initialize Composer registry if enabled
    if (this.config.composer?.enabled) {
      const composerBasePath = this.config.composer.basePath || '/composer';
      const registryUrl = `http://localhost:5000${composerBasePath}`; // TODO: Make configurable
      const composerRegistry = new ComposerRegistry(this.storage, this.authManager, composerBasePath, registryUrl);
      await composerRegistry.init();
      this.registries.set('composer', composerRegistry);
    }
    this.initialized = true;
  }
@@ -95,6 +115,22 @@ export class SmartRegistry {
      }
    }
    // Route to Cargo registry
    if (this.config.cargo?.enabled && path.startsWith(this.config.cargo.basePath)) {
      const cargoRegistry = this.registries.get('cargo');
      if (cargoRegistry) {
        return cargoRegistry.handleRequest(context);
      }
    }
    // Route to Composer registry
    if (this.config.composer?.enabled && path.startsWith(this.config.composer.basePath)) {
      const composerRegistry = this.registries.get('composer');
      if (composerRegistry) {
        return composerRegistry.handleRequest(context);
      }
    }
    // No matching registry
    return {
      status: 404,
@@ -123,7 +159,7 @@ export class SmartRegistry {
  /**
   * Get a specific registry handler
   */
-  public getRegistry(protocol: 'oci' | 'npm' | 'maven'): BaseRegistry | undefined {
+  public getRegistry(protocol: 'oci' | 'npm' | 'maven' | 'cargo' | 'composer'): BaseRegistry | undefined {
    return this.registries.get(protocol);
  }
--- a/ts/composer/classes.composerregistry.ts
+++ b/ts/composer/classes.composerregistry.ts
@@ -0,0 +1,475 @@
 /**
 * Composer Registry Implementation
 * Compliant with Composer v2 repository API
 */
 import { BaseRegistry } from '../core/classes.baseregistry.js';
 import type { RegistryStorage } from '../core/classes.registrystorage.js';
 import type { AuthManager } from '../core/classes.authmanager.js';
 import type { IRequestContext, IResponse, IAuthToken } from '../core/interfaces.core.js';
 import type {
  IComposerPackage,
  IComposerPackageMetadata,
  IComposerRepository,
 } from './interfaces.composer.js';
 import {
  normalizeVersion,
  validateComposerJson,
  extractComposerJsonFromZip,
  calculateSha1,
  parseVendorPackage,
  generatePackagesJson,
  sortVersions,
 } from './helpers.composer.js';
 export class ComposerRegistry extends BaseRegistry {
  private storage: RegistryStorage;
  private authManager: AuthManager;
  private basePath: string = '/composer';
  private registryUrl: string;
  constructor(
    storage: RegistryStorage,
    authManager: AuthManager,
    basePath: string = '/composer',
    registryUrl: string = 'http://localhost:5000/composer'
  ) {
    super();
    this.storage = storage;
    this.authManager = authManager;
    this.basePath = basePath;
    this.registryUrl = registryUrl;
  }
  public async init(): Promise<void> {
    // Composer registry initialization
  }
  public getBasePath(): string {
    return this.basePath;
  }
  public async handleRequest(context: IRequestContext): Promise<IResponse> {
    const path = context.path.replace(this.basePath, '');
    // Extract token from Authorization header
    const authHeader = context.headers['authorization'] || context.headers['Authorization'];
    let token: IAuthToken | null = null;
    if (authHeader) {
      if (authHeader.startsWith('Bearer ')) {
        const tokenString = authHeader.replace(/^Bearer\s+/i, '');
        token = await this.authManager.validateToken(tokenString, 'composer');
      } else if (authHeader.startsWith('Basic ')) {
        // Handle HTTP Basic Auth
        const credentials = Buffer.from(authHeader.replace(/^Basic\s+/i, ''), 'base64').toString('utf-8');
        const [username, password] = credentials.split(':');
        const userId = await this.authManager.authenticate({ username, password });
        if (userId) {
          // Create temporary token for this request
          token = {
            type: 'composer',
            userId,
            scopes: ['composer:*:*:read'],
            readonly: true,
          };
        }
      }
    }
    // Root packages.json
    if (path === '/packages.json' || path === '' || path === '/') {
      return this.handlePackagesJson();
    }
    // Package metadata: /p2/{vendor}/{package}.json or /p2/{vendor}/{package}~dev.json
    const metadataMatch = path.match(/^\/p2\/([^\/]+\/[^\/]+?)(~dev)?\.json$/);
    if (metadataMatch) {
      const [, vendorPackage, devSuffix] = metadataMatch;
      const includeDev = !!devSuffix;
      return this.handlePackageMetadata(vendorPackage, includeDev, token);
    }
    // Package list: /packages/list.json?filter=vendor/*
    if (path.startsWith('/packages/list.json')) {
      const filter = context.query['filter'];
      return this.handlePackageList(filter, token);
    }
    // Package ZIP download: /dists/{vendor}/{package}/{reference}.zip
    const distMatch = path.match(/^\/dists\/([^\/]+\/[^\/]+)\/([^\/]+)\.zip$/);
    if (distMatch) {
      const [, vendorPackage, reference] = distMatch;
      return this.handlePackageDownload(vendorPackage, reference, token);
    }
    // Package upload: PUT /packages/{vendor}/{package}
    const uploadMatch = path.match(/^\/packages\/([^\/]+\/[^\/]+)$/);
    if (uploadMatch && context.method === 'PUT') {
      const vendorPackage = uploadMatch[1];
      return this.handlePackageUpload(vendorPackage, context.body, token);
    }
    // Package delete: DELETE /packages/{vendor}/{package}
    if (uploadMatch && context.method === 'DELETE') {
      const vendorPackage = uploadMatch[1];
      return this.handlePackageDelete(vendorPackage, token);
    }
    // Version delete: DELETE /packages/{vendor}/{package}/{version}
    const versionDeleteMatch = path.match(/^\/packages\/([^\/]+\/[^\/]+)\/(.+)$/);
    if (versionDeleteMatch && context.method === 'DELETE') {
      const [, vendorPackage, version] = versionDeleteMatch;
      return this.handleVersionDelete(vendorPackage, version, token);
    }
    return {
      status: 404,
      headers: { 'Content-Type': 'application/json' },
      body: { status: 'error', message: 'Not found' },
    };
  }
  protected async checkPermission(
    token: IAuthToken | null,
    resource: string,
    action: string
  ): Promise<boolean> {
    if (!token) return false;
    return this.authManager.authorize(token, `composer:package:${resource}`, action);
  }
  // ========================================================================
  // REQUEST HANDLERS
  // ========================================================================
  private async handlePackagesJson(): Promise<IResponse> {
    const availablePackages = await this.storage.listComposerPackages();
    const packagesJson = generatePackagesJson(this.registryUrl, availablePackages);
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: packagesJson,
    };
  }
  private async handlePackageMetadata(
    vendorPackage: string,
    includeDev: boolean,
    token: IAuthToken | null
  ): Promise<IResponse> {
    // Check read permission
    if (!await this.checkPermission(token, vendorPackage, 'read')) {
      return {
        status: 401,
        headers: { 'WWW-Authenticate': 'Bearer realm="composer"' },
        body: { status: 'error', message: 'Authentication required' },
      };
    }
    const metadata = await this.storage.getComposerPackageMetadata(vendorPackage);
    if (!metadata) {
      return {
        status: 404,
        headers: { 'Content-Type': 'application/json' },
        body: { status: 'error', message: 'Package not found' },
      };
    }
    // Filter dev versions if needed
    let packages = metadata.packages[vendorPackage] || [];
    if (!includeDev) {
      packages = packages.filter((pkg: IComposerPackage) =>
        !pkg.version.includes('dev') && !pkg.version.includes('alpha') && !pkg.version.includes('beta')
      );
    }
    const response: IComposerPackageMetadata = {
      minified: 'composer/2.0',
      packages: {
        [vendorPackage]: packages,
      },
    };
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/json',
        'Last-Modified': metadata.lastModified || new Date().toUTCString(),
      },
      body: response,
    };
  }
  private async handlePackageList(
    filter: string | undefined,
    token: IAuthToken | null
  ): Promise<IResponse> {
    let packages = await this.storage.listComposerPackages();
    // Apply filter if provided
    if (filter) {
      const regex = new RegExp('^' + filter.replace(/\*/g, '.*') + '$');
      packages = packages.filter(pkg => regex.test(pkg));
    }
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
      body: { packageNames: packages },
    };
  }
  private async handlePackageDownload(
    vendorPackage: string,
    reference: string,
    token: IAuthToken | null
  ): Promise<IResponse> {
    // Check read permission
    if (!await this.checkPermission(token, vendorPackage, 'read')) {
      return {
        status: 401,
        headers: { 'WWW-Authenticate': 'Bearer realm="composer"' },
        body: { status: 'error', message: 'Authentication required' },
      };
    }
    const zipData = await this.storage.getComposerPackageZip(vendorPackage, reference);
    if (!zipData) {
      return {
        status: 404,
        headers: {},
        body: { status: 'error', message: 'Package file not found' },
      };
    }
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/zip',
        'Content-Length': zipData.length.toString(),
        'Content-Disposition': `attachment; filename="${reference}.zip"`,
      },
      body: zipData,
    };
  }
  private async handlePackageUpload(
    vendorPackage: string,
    body: any,
    token: IAuthToken | null
  ): Promise<IResponse> {
    // Check write permission
    if (!await this.checkPermission(token, vendorPackage, 'write')) {
      return {
        status: 401,
        headers: {},
        body: { status: 'error', message: 'Write permission required' },
      };
    }
    if (!body || !Buffer.isBuffer(body)) {
      return {
        status: 400,
        headers: {},
        body: { status: 'error', message: 'ZIP file required' },
      };
    }
    // Extract and validate composer.json from ZIP
    const composerJson = await extractComposerJsonFromZip(body);
    if (!composerJson || !validateComposerJson(composerJson)) {
      return {
        status: 400,
        headers: {},
        body: { status: 'error', message: 'Invalid composer.json in ZIP' },
      };
    }
    // Verify package name matches
    if (composerJson.name !== vendorPackage) {
      return {
        status: 400,
        headers: {},
        body: { status: 'error', message: 'Package name mismatch' },
      };
    }
    const version = composerJson.version;
    if (!version) {
      return {
        status: 400,
        headers: {},
        body: { status: 'error', message: 'Version required in composer.json' },
      };
    }
    // Calculate SHA-1 hash
    const shasum = await calculateSha1(body);
    // Generate reference (use version or commit hash)
    const reference = composerJson.source?.reference || version.replace(/[^a-zA-Z0-9.-]/g, '-');
    // Store ZIP file
    await this.storage.putComposerPackageZip(vendorPackage, reference, body);
    // Get or create metadata
    let metadata = await this.storage.getComposerPackageMetadata(vendorPackage);
    if (!metadata) {
      metadata = {
        packages: {
          [vendorPackage]: [],
        },
        lastModified: new Date().toUTCString(),
      };
    }
    // Build package entry
    const packageEntry: IComposerPackage = {
      ...composerJson,
      version_normalized: normalizeVersion(version),
      dist: {
        type: 'zip',
        url: `${this.registryUrl}/dists/${vendorPackage}/${reference}.zip`,
        reference,
        shasum,
      },
      time: new Date().toISOString(),
    };
    // Add to metadata (check if version already exists)
    const packages = metadata.packages[vendorPackage] || [];
    const existingIndex = packages.findIndex((p: IComposerPackage) => p.version === version);
    if (existingIndex >= 0) {
      return {
        status: 409,
        headers: {},
        body: { status: 'error', message: 'Version already exists' },
      };
    }
    packages.push(packageEntry);
    // Sort by version
    const sortedVersions = sortVersions(packages.map((p: IComposerPackage) => p.version));
    packages.sort((a: IComposerPackage, b: IComposerPackage) => {
      return sortedVersions.indexOf(a.version) - sortedVersions.indexOf(b.version);
    });
    metadata.packages[vendorPackage] = packages;
    metadata.lastModified = new Date().toUTCString();
    // Store updated metadata
    await this.storage.putComposerPackageMetadata(vendorPackage, metadata);
    return {
      status: 201,
      headers: {},
      body: {
        status: 'success',
        message: 'Package uploaded successfully',
        package: vendorPackage,
        version,
      },
    };
  }
  private async handlePackageDelete(
    vendorPackage: string,
    token: IAuthToken | null
  ): Promise<IResponse> {
    // Check delete permission
    if (!await this.checkPermission(token, vendorPackage, 'delete')) {
      return {
        status: 401,
        headers: {},
        body: { status: 'error', message: 'Delete permission required' },
      };
    }
    const metadata = await this.storage.getComposerPackageMetadata(vendorPackage);
    if (!metadata) {
      return {
        status: 404,
        headers: {},
        body: { status: 'error', message: 'Package not found' },
      };
    }
    // Delete all ZIP files
    const packages = metadata.packages[vendorPackage] || [];
    for (const pkg of packages) {
      if (pkg.dist?.reference) {
        await this.storage.deleteComposerPackageZip(vendorPackage, pkg.dist.reference);
      }
    }
    // Delete metadata
    await this.storage.deleteComposerPackageMetadata(vendorPackage);
    return {
      status: 204,
      headers: {},
      body: null,
    };
  }
  private async handleVersionDelete(
    vendorPackage: string,
    version: string,
    token: IAuthToken | null
  ): Promise<IResponse> {
    // Check delete permission
    if (!await this.checkPermission(token, vendorPackage, 'delete')) {
      return {
        status: 401,
        headers: {},
        body: { status: 'error', message: 'Delete permission required' },
      };
    }
    const metadata = await this.storage.getComposerPackageMetadata(vendorPackage);
    if (!metadata) {
      return {
        status: 404,
        headers: {},
        body: { status: 'error', message: 'Package not found' },
      };
    }
    const packages = metadata.packages[vendorPackage] || [];
    const versionIndex = packages.findIndex((p: IComposerPackage) => p.version === version);
    if (versionIndex === -1) {
      return {
        status: 404,
        headers: {},
        body: { status: 'error', message: 'Version not found' },
      };
    }
    // Delete ZIP file
    const pkg = packages[versionIndex];
    if (pkg.dist?.reference) {
      await this.storage.deleteComposerPackageZip(vendorPackage, pkg.dist.reference);
    }
    // Remove from metadata
    packages.splice(versionIndex, 1);
    metadata.packages[vendorPackage] = packages;
    metadata.lastModified = new Date().toUTCString();
    // Save updated metadata
    await this.storage.putComposerPackageMetadata(vendorPackage, metadata);
    return {
      status: 204,
      headers: {},
      body: null,
    };
  }
 }
--- a/ts/composer/helpers.composer.ts
+++ b/ts/composer/helpers.composer.ts
@@ -0,0 +1,139 @@
 /**
 * Composer Registry Helper Functions
 */
 import type { IComposerPackage } from './interfaces.composer.js';
 /**
 * Normalize version string to Composer format
 * Example: "1.0.0" -> "1.0.0.0", "v2.3.1" -> "2.3.1.0"
 */
 export function normalizeVersion(version: string): string {
  // Remove 'v' prefix if present
  let normalized = version.replace(/^v/i, '');
  // Handle special versions (dev, alpha, beta, rc)
  if (normalized.includes('dev') || normalized.includes('alpha') || normalized.includes('beta') || normalized.includes('RC')) {
    // For dev versions, just return as-is with .0 appended if needed
    const parts = normalized.split(/[-+]/)[0].split('.');
    while (parts.length < 4) {
      parts.push('0');
    }
    return parts.slice(0, 4).join('.');
  }
  // Split by dots
  const parts = normalized.split('.');
  // Ensure 4 parts (major.minor.patch.build)
  while (parts.length < 4) {
    parts.push('0');
  }
  return parts.slice(0, 4).join('.');
 }
 /**
 * Validate composer.json structure
 */
 export function validateComposerJson(composerJson: any): boolean {
  return !!(
    composerJson &&
    typeof composerJson.name === 'string' &&
    composerJson.name.includes('/') &&
    (composerJson.version || composerJson.require)
  );
 }
 /**
 * Extract composer.json from ZIP buffer
 */
 export async function extractComposerJsonFromZip(zipBuffer: Buffer): Promise<any | null> {
  try {
    const AdmZip = (await import('adm-zip')).default;
    const zip = new AdmZip(zipBuffer);
    const entries = zip.getEntries();
    // Look for composer.json in root or first-level directory
    for (const entry of entries) {
      if (entry.entryName.endsWith('composer.json')) {
        const parts = entry.entryName.split('/');
        if (parts.length <= 2) { // Root or first-level dir
          const content = entry.getData().toString('utf-8');
          return JSON.parse(content);
        }
      }
    }
    return null;
  } catch (error) {
    return null;
  }
 }
 /**
 * Calculate SHA-1 hash for ZIP file
 */
 export async function calculateSha1(data: Buffer): Promise<string> {
  const crypto = await import('crypto');
  return crypto.createHash('sha1').update(data).digest('hex');
 }
 /**
 * Parse vendor/package format
 */
 export function parseVendorPackage(name: string): { vendor: string; package: string } | null {
  const parts = name.split('/');
  if (parts.length !== 2) {
    return null;
  }
  return { vendor: parts[0], package: parts[1] };
 }
 /**
 * Generate packages.json root repository file
 */
 export function generatePackagesJson(
  registryUrl: string,
  availablePackages: string[]
 ): any {
  return {
    'metadata-url': `${registryUrl}/p2/%package%.json`,
    'available-packages': availablePackages,
  };
 }
 /**
 * Sort versions in semantic version order
 */
 export function sortVersions(versions: string[]): string[] {
  return versions.sort((a, b) => {
    const aParts = a.replace(/^v/i, '').split(/[.-]/).map(part => {
      const num = parseInt(part, 10);
      return isNaN(num) ? part : num;
    });
    const bParts = b.replace(/^v/i, '').split(/[.-]/).map(part => {
      const num = parseInt(part, 10);
      return isNaN(num) ? part : num;
    });
    for (let i = 0; i < Math.max(aParts.length, bParts.length); i++) {
      const aPart = aParts[i] ?? 0;
      const bPart = bParts[i] ?? 0;
      // Compare numbers numerically, strings lexicographically
      if (typeof aPart === 'number' && typeof bPart === 'number') {
        if (aPart !== bPart) {
          return aPart - bPart;
        }
      } else {
        const aStr = String(aPart);
        const bStr = String(bPart);
        if (aStr !== bStr) {
          return aStr.localeCompare(bStr);
        }
      }
    }
    return 0;
  });
 }
--- a/ts/composer/index.ts
+++ b/ts/composer/index.ts
@@ -0,0 +1,8 @@
 /**
 * Composer Registry Module
 * Export all public interfaces, classes, and helpers
 */
 export { ComposerRegistry } from './classes.composerregistry.js';
 export * from './interfaces.composer.js';
 export * from './helpers.composer.js';
--- a/ts/composer/interfaces.composer.ts
+++ b/ts/composer/interfaces.composer.ts
@@ -0,0 +1,111 @@
 /**
 * Composer Registry Type Definitions
 * Compliant with Composer v2 repository API
 */
 /**
 * Composer package metadata
 */
 export interface IComposerPackage {
  name: string;                    // vendor/package-name
  version: string;                 // 1.0.0
  version_normalized: string;      // 1.0.0.0
  type?: string;                   // library, project, metapackage
  description?: string;
  keywords?: string[];
  homepage?: string;
  license?: string[];
  authors?: IComposerAuthor[];
  require?: Record<string, string>;
  'require-dev'?: Record<string, string>;
  suggest?: Record<string, string>;
  provide?: Record<string, string>;
  conflict?: Record<string, string>;
  replace?: Record<string, string>;
  autoload?: IComposerAutoload;
  'autoload-dev'?: IComposerAutoload;
  dist?: IComposerDist;
  source?: IComposerSource;
  time?: string;                   // ISO 8601 timestamp
  support?: Record<string, string>;
  funding?: IComposerFunding[];
  extra?: Record<string, any>;
 }
 /**
 * Author information
 */
 export interface IComposerAuthor {
  name: string;
  email?: string;
  homepage?: string;
  role?: string;
 }
 /**
 * PSR-4/PSR-0 autoloading configuration
 */
 export interface IComposerAutoload {
  'psr-4'?: Record<string, string | string[]>;
  'psr-0'?: Record<string, string | string[]>;
  classmap?: string[];
  files?: string[];
  'exclude-from-classmap'?: string[];
 }
 /**
 * Distribution information (ZIP download)
 */
 export interface IComposerDist {
  type: 'zip' | 'tar' | 'phar';
  url: string;
  reference?: string;              // commit hash or tag
  shasum?: string;                 // SHA-1 hash
 }
 /**
 * Source repository information
 */
 export interface IComposerSource {
  type: 'git' | 'svn' | 'hg';
  url: string;
  reference: string;               // commit hash, branch, or tag
 }
 /**
 * Funding information
 */
 export interface IComposerFunding {
  type: string;                    // github, patreon, etc.
  url: string;
 }
 /**
 * Repository metadata (packages.json)
 */
 export interface IComposerRepository {
  packages?: Record<string, Record<string, IComposerPackage>>;
  'metadata-url'?: string;         // /p2/%package%.json
  'available-packages'?: string[];
  'available-package-patterns'?: string[];
  'providers-url'?: string;
  'notify-batch'?: string;
  minified?: string;               // "composer/2.0"
 }
 /**
 * Package metadata response (/p2/vendor/package.json)
 */
 export interface IComposerPackageMetadata {
  packages: Record<string, IComposerPackage[]>;
  minified?: string;
  lastModified?: string;
 }
 /**
 * Error structure
 */
 export interface IComposerError {
  status: string;
  message: string;
 }
--- a/ts/core/classes.authmanager.ts
+++ b/ts/core/classes.authmanager.ts
@@ -270,6 +270,53 @@ export class AuthManager {
    this.tokenStore.delete(token);
  }
  // ========================================================================
  // COMPOSER TOKEN MANAGEMENT
  // ========================================================================
  /**
   * Create a Composer token
   * @param userId - User ID
   * @param readonly - Whether the token is readonly
   * @returns Composer UUID token
   */
  public async createComposerToken(userId: string, readonly: boolean = false): Promise<string> {
    const scopes = readonly ? ['composer:*:*:read'] : ['composer:*:*:*'];
    return this.createUuidToken(userId, 'composer', scopes, readonly);
  }
  /**
   * Validate a Composer token
   * @param token - Composer UUID token
   * @returns Auth token object or null
   */
  public async validateComposerToken(token: string): Promise<IAuthToken | null> {
    if (!this.isValidUuid(token)) {
      return null;
    }
    const authToken = this.tokenStore.get(token);
    if (!authToken || authToken.type !== 'composer') {
      return null;
    }
    // Check expiration if set
    if (authToken.expiresAt && authToken.expiresAt < new Date()) {
      this.tokenStore.delete(token);
      return null;
    }
    return authToken;
  }
  /**
   * Revoke a Composer token
   * @param token - Composer UUID token
   */
  public async revokeComposerToken(token: string): Promise<void> {
    this.tokenStore.delete(token);
  }
  // ========================================================================
  // UNIFIED AUTHENTICATION
  // ========================================================================
@@ -284,7 +331,7 @@ export class AuthManager {
    tokenString: string,
    protocol?: TRegistryProtocol
  ): Promise<IAuthToken | null> {
-    // Try UUID-based tokens (NPM, Maven)
+    // Try UUID-based tokens (NPM, Maven, Composer)
    if (this.isValidUuid(tokenString)) {
      // Try NPM token
      const npmToken = await this.validateNpmToken(tokenString);
@@ -297,6 +344,12 @@ export class AuthManager {
      if (mavenToken && (!protocol || protocol === 'maven')) {
        return mavenToken;
      }
      // Try Composer token
      const composerToken = await this.validateComposerToken(tokenString);
      if (composerToken && (!protocol || protocol === 'composer')) {
        return composerToken;
      }
    }
    // Try OCI JWT
--- a/ts/core/classes.registrystorage.ts
+++ b/ts/core/classes.registrystorage.ts
@@ -392,4 +392,202 @@ export class RegistryStorage implements IStorageBackend {
    const groupPath = groupId.replace(/\./g, '/');
    return `maven/metadata/${groupPath}/${artifactId}/maven-metadata.xml`;
  }
  // ========================================================================
  // CARGO-SPECIFIC HELPERS
  // ========================================================================
  /**
   * Get Cargo config.json
   */
  public async getCargoConfig(): Promise<any | null> {
    const data = await this.getObject('cargo/config.json');
    return data ? JSON.parse(data.toString('utf-8')) : null;
  }
  /**
   * Store Cargo config.json
   */
  public async putCargoConfig(config: any): Promise<void> {
    const data = Buffer.from(JSON.stringify(config, null, 2), 'utf-8');
    return this.putObject('cargo/config.json', data, { 'Content-Type': 'application/json' });
  }
  /**
   * Get Cargo index file (newline-delimited JSON)
   */
  public async getCargoIndex(crateName: string): Promise<any[] | null> {
    const path = this.getCargoIndexPath(crateName);
    const data = await this.getObject(path);
    if (!data) return null;
    // Parse newline-delimited JSON
    const lines = data.toString('utf-8').split('\n').filter(line => line.trim());
    return lines.map(line => JSON.parse(line));
  }
  /**
   * Store Cargo index file
   */
  public async putCargoIndex(crateName: string, entries: any[]): Promise<void> {
    const path = this.getCargoIndexPath(crateName);
    // Convert to newline-delimited JSON
    const data = Buffer.from(entries.map(e => JSON.stringify(e)).join('\n') + '\n', 'utf-8');
    return this.putObject(path, data, { 'Content-Type': 'text/plain' });
  }
  /**
   * Get Cargo .crate file
   */
  public async getCargoCrate(crateName: string, version: string): Promise<Buffer | null> {
    const path = this.getCargoCratePath(crateName, version);
    return this.getObject(path);
  }
  /**
   * Store Cargo .crate file
   */
  public async putCargoCrate(
    crateName: string,
    version: string,
    crateFile: Buffer
  ): Promise<void> {
    const path = this.getCargoCratePath(crateName, version);
    return this.putObject(path, crateFile, { 'Content-Type': 'application/gzip' });
  }
  /**
   * Check if Cargo crate exists
   */
  public async cargoCrateExists(crateName: string, version: string): Promise<boolean> {
    const path = this.getCargoCratePath(crateName, version);
    return this.objectExists(path);
  }
  /**
   * Delete Cargo crate (for cleanup, not for unpublishing)
   */
  public async deleteCargoCrate(crateName: string, version: string): Promise<void> {
    const path = this.getCargoCratePath(crateName, version);
    return this.deleteObject(path);
  }
  // ========================================================================
  // CARGO PATH HELPERS
  // ========================================================================
  private getCargoIndexPath(crateName: string): string {
    const lower = crateName.toLowerCase();
    const len = lower.length;
    if (len === 1) {
      return `cargo/index/1/${lower}`;
    } else if (len === 2) {
      return `cargo/index/2/${lower}`;
    } else if (len === 3) {
      return `cargo/index/3/${lower.charAt(0)}/${lower}`;
    } else {
      // 4+ characters: {first-two}/{second-two}/{name}
      const prefix1 = lower.substring(0, 2);
      const prefix2 = lower.substring(2, 4);
      return `cargo/index/${prefix1}/${prefix2}/${lower}`;
    }
  }
  private getCargoCratePath(crateName: string, version: string): string {
    return `cargo/crates/${crateName}/${crateName}-${version}.crate`;
  }
  // ========================================================================
  // COMPOSER-SPECIFIC HELPERS
  // ========================================================================
  /**
   * Get Composer package metadata
   */
  public async getComposerPackageMetadata(vendorPackage: string): Promise<any | null> {
    const path = this.getComposerMetadataPath(vendorPackage);
    const data = await this.getObject(path);
    return data ? JSON.parse(data.toString('utf-8')) : null;
  }
  /**
   * Store Composer package metadata
   */
  public async putComposerPackageMetadata(vendorPackage: string, metadata: any): Promise<void> {
    const path = this.getComposerMetadataPath(vendorPackage);
    const data = Buffer.from(JSON.stringify(metadata, null, 2), 'utf-8');
    return this.putObject(path, data, { 'Content-Type': 'application/json' });
  }
  /**
   * Get Composer package ZIP
   */
  public async getComposerPackageZip(vendorPackage: string, reference: string): Promise<Buffer | null> {
    const path = this.getComposerZipPath(vendorPackage, reference);
    return this.getObject(path);
  }
  /**
   * Store Composer package ZIP
   */
  public async putComposerPackageZip(vendorPackage: string, reference: string, zipData: Buffer): Promise<void> {
    const path = this.getComposerZipPath(vendorPackage, reference);
    return this.putObject(path, zipData, { 'Content-Type': 'application/zip' });
  }
  /**
   * Check if Composer package metadata exists
   */
  public async composerPackageMetadataExists(vendorPackage: string): Promise<boolean> {
    const path = this.getComposerMetadataPath(vendorPackage);
    return this.objectExists(path);
  }
  /**
   * Delete Composer package metadata
   */
  public async deleteComposerPackageMetadata(vendorPackage: string): Promise<void> {
    const path = this.getComposerMetadataPath(vendorPackage);
    return this.deleteObject(path);
  }
  /**
   * Delete Composer package ZIP
   */
  public async deleteComposerPackageZip(vendorPackage: string, reference: string): Promise<void> {
    const path = this.getComposerZipPath(vendorPackage, reference);
    return this.deleteObject(path);
  }
  /**
   * List all Composer packages
   */
  public async listComposerPackages(): Promise<string[]> {
    const prefix = 'composer/packages/';
    const objects = await this.listObjects(prefix);
    const packages = new Set<string>();
    // Extract vendor/package from paths like: composer/packages/vendor/package/metadata.json
    for (const obj of objects) {
      const match = obj.match(/^composer\/packages\/([^\/]+\/[^\/]+)\/metadata\.json$/);
      if (match) {
        packages.add(match[1]);
      }
    }
    return Array.from(packages).sort();
  }
  // ========================================================================
  // COMPOSER PATH HELPERS
  // ========================================================================
  private getComposerMetadataPath(vendorPackage: string): string {
    return `composer/packages/${vendorPackage}/metadata.json`;
  }
  private getComposerZipPath(vendorPackage: string, reference: string): string {
    return `composer/packages/${vendorPackage}/${reference}.zip`;
  }
 }
--- a/ts/core/interfaces.core.ts
+++ b/ts/core/interfaces.core.ts
@@ -5,7 +5,7 @@
 /**
 * Registry protocol types
 */
-export type TRegistryProtocol = 'oci' | 'npm' | 'maven';
+export type TRegistryProtocol = 'oci' | 'npm' | 'maven' | 'cargo' | 'composer';
 /**
 * Unified action types across protocols
@@ -90,6 +90,8 @@ export interface IRegistryConfig {
  oci?: IProtocolConfig;
  npm?: IProtocolConfig;
  maven?: IProtocolConfig;
  cargo?: IProtocolConfig;
  composer?: IProtocolConfig;
 }
 /**
--- a/ts/index.ts
+++ b/ts/index.ts
@@ -1,6 +1,6 @@
 /**
 * @push.rocks/smartregistry
- * Composable registry supporting OCI, NPM, and Maven protocols
+ * Composable registry supporting OCI, NPM, Maven, Cargo, and Composer protocols
 */
 // Main orchestrator
@@ -17,3 +17,9 @@ export * from './npm/index.js';
 // Maven Registry
 export * from './maven/index.js';
 // Cargo Registry
 export * from './cargo/index.js';
 // Composer Registry
 export * from './composer/index.js';
--- a/ts/maven/classes.mavenregistry.ts
+++ b/ts/maven/classes.mavenregistry.ts
@@ -118,17 +118,7 @@ export class MavenRegistry extends BaseRegistry {
    switch (method) {
      case 'GET':
      case 'HEAD':
-        // Read permission required
+        // Maven repositories typically allow anonymous reads
        if (!await this.checkPermission(token, resource, 'read')) {
          return {
            status: 401,
            headers: {
              'WWW-Authenticate': `Bearer realm="${this.basePath}",service="maven-registry"`,
            },
            body: { error: 'UNAUTHORIZED', message: 'Authentication required' },
          };
        }
        return method === 'GET'
          ? this.getArtifact(groupId, artifactId, version, filename)
          : this.headArtifact(groupId, artifactId, version, filename);
@@ -181,24 +171,15 @@ export class MavenRegistry extends BaseRegistry {
  private async handleChecksumRequest(
    method: string,
    coordinate: IMavenCoordinate,
-    token: IAuthToken | null
+    token: IAuthToken | null,
    path: string
  ): Promise<IResponse> {
    const { groupId, artifactId, version, extension } = coordinate;
    const resource = `${groupId}:${artifactId}`;
-    // Checksums follow the same permissions as their artifacts
+    // Checksums follow the same permissions as their artifacts (public read)
    if (method === 'GET' || method === 'HEAD') {
-      if (!await this.checkPermission(token, resource, 'read')) {
+      return this.getChecksum(groupId, artifactId, version, coordinate, path);
        return {
          status: 401,
          headers: {
            'WWW-Authenticate': `Bearer realm="${this.basePath}",service="maven-registry"`,
          },
          body: { error: 'UNAUTHORIZED', message: 'Authentication required' },
        };
      }
      return this.getChecksum(groupId, artifactId, version, coordinate);
    }
    return {
@@ -402,9 +383,14 @@ export class MavenRegistry extends BaseRegistry {
    groupId: string,
    artifactId: string,
    version: string,
-    coordinate: IMavenCoordinate
+    coordinate: IMavenCoordinate,
    fullPath: string
  ): Promise<IResponse> {
-    const checksumFilename = buildFilename(coordinate);
+    // Extract the filename from the full path (last component)
    // The fullPath might be something like /com/example/test/test-artifact/1.0.0/test-artifact-1.0.0.jar.md5
    const pathParts = fullPath.split('/');
    const checksumFilename = pathParts[pathParts.length - 1];
    const data = await this.storage.getMavenArtifact(groupId, artifactId, version, checksumFilename);
    if (!data) {
@@ -567,10 +553,8 @@ export class MavenRegistry extends BaseRegistry {
    const xml = generateMetadataXml(metadata);
    await this.storage.putMavenMetadata(groupId, artifactId, Buffer.from(xml, 'utf-8'));
-    // Also store checksums for metadata
+    // Note: Checksums for maven-metadata.xml are optional and not critical
-    const checksums = await calculateChecksums(Buffer.from(xml, 'utf-8'));
+    // They would need special handling since metadata uses a different storage path
    const metadataFilename = 'maven-metadata.xml';
    await this.storeChecksums(groupId, artifactId, '', metadataFilename, checksums);
  }
  // ========================================================================
--- a/ts/maven/helpers.maven.ts
+++ b/ts/maven/helpers.maven.ts
@@ -65,22 +65,35 @@ export function pathToGAV(path: string): IMavenCoordinate | null {
 /**
 * Parse Maven artifact filename
 * Example: my-lib-1.0.0-sources.jar → {classifier: 'sources', extension: 'jar'}
 * Example: my-lib-1.0.0.jar.md5 → {extension: 'md5'}
 */
 export function parseFilename(
  filename: string,
  artifactId: string,
  version: string
 ): { classifier?: string; extension: string } | null {
-  // Expected format: {artifactId}-{version}[-{classifier}].{extension}
+  // Expected format: {artifactId}-{version}[-{classifier}].{extension}[.checksum]
  const prefix = `${artifactId}-${version}`;
  if (!filename.startsWith(prefix)) {
    return null;
  }
-  const remainder = filename.substring(prefix.length);
+  let remainder = filename.substring(prefix.length);
-  // Check for classifier
+  // Check if this is a checksum file (double extension like .jar.md5)
  const checksumExtensions = ['md5', 'sha1', 'sha256', 'sha512'];
  const lastDotIndex = remainder.lastIndexOf('.');
  if (lastDotIndex !== -1) {
    const possibleChecksum = remainder.substring(lastDotIndex + 1);
    if (checksumExtensions.includes(possibleChecksum)) {
      // This is a checksum file - just return the checksum extension
      // The base artifact extension doesn't matter for checksum retrieval
      return { extension: possibleChecksum };
    }
  }
  // Regular artifact file parsing
  const dotIndex = remainder.lastIndexOf('.');
  if (dotIndex === -1) {
    return null; // No extension
Author	SHA1	Message	Date
Juergen Kunz	80005af576	v1.3.0 Some checks failed Default (tags) / security (push) Successful in 33s Details Default (tags) / test (push) Failing after 36s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-21 09:13:02 +00:00
Juergen Kunz	8d48627301	feat(core): Add Cargo and Composer registries with storage, auth and helpers	2025-11-21 09:13:02 +00:00