v2.2.0

changelog.md

@@ -1,5 +1,75 @@
 # Changelog
 
+## 2025-11-25 - 2.2.0 - feat(core/registrystorage)
+Persist OCI manifest content-type in sidecar and normalize manifest body handling
+
+- Add getOciManifestContentType(repository, digest) to read stored manifest Content-Type
+- Store manifest Content-Type in a .type sidecar file when putOciManifest is called
+- Update putOciManifest to persist both manifest data and its content type
+- OciRegistry now retrieves stored content type (with fallback to detectManifestContentType) when serving manifests
+- Add toBuffer helper in OciRegistry to consistently convert various request body forms to Buffer for digest calculation and uploads
+
+## 2025-11-25 - 2.1.2 - fix(oci)
+Prefer raw request body for content-addressable OCI operations and expose rawBody on request context
+
+- Add rawBody?: Buffer to IRequestContext to allow callers to provide the exact raw request bytes for digest calculation (falls back to body if absent).
+- OCI registry handlers now prefer context.rawBody over context.body for content-addressable operations (manifests, blobs, and blob uploads) to preserve exact bytes and ensure digest calculation matches client expectations.
+- Upload flow updates: upload init, PATCH (upload chunk) and PUT (complete upload) now pass rawBody when available.
+
+## 2025-11-25 - 2.1.1 - fix(oci)
+Preserve raw manifest bytes for digest calculation and handle string/JSON manifest bodies in OCI registry
+
+- Preserve the exact bytes of the manifest payload when computing the sha256 digest to comply with the OCI spec and avoid mismatches caused by re-serialization.
+- Accept string request bodies (converted using UTF-8) and treat already-parsed JSON objects by re-serializing as a fallback.
+- Keep existing content-type fallback logic while ensuring accurate digest calculation prior to storing manifests.
+
+## 2025-11-25 - 2.1.0 - feat(oci)
+Support configurable OCI token realm/service and centralize unauthorized responses
+
+- SmartRegistry now forwards optional ociTokens (realm and service) from auth configuration to OciRegistry when OCI is enabled
+- OciRegistry constructor accepts an optional ociTokens parameter and stores it for use in auth headers
+- Replaced repeated construction of WWW-Authenticate headers with createUnauthorizedResponse and createUnauthorizedHeadResponse helpers that use configured realm/service
+- Behavior is backwards-compatible: when ociTokens are not configured the registry falls back to the previous defaults (realm: <basePath>/v2/token, service: "registry")
+
+## 2025-11-25 - 2.0.0 - BREAKING CHANGE(pypi,rubygems)
+Revise PyPI and RubyGems handling: normalize error payloads, fix .gem parsing/packing, adjust PyPI JSON API and tests, and export smartarchive plugin
+
+- Rename error payload property from 'message' to 'error' in PyPI and RubyGems interfaces and responses; error responses are now returned as JSON objects (body: { error: ... }) instead of Buffer(JSON.stringify(...)).
+- RubyGems: treat .gem files as plain tar archives (not gzipped). Use metadata.gz and data.tar.gz correctly, switch packing helper to pack plain tar, and use zlib deflate for .rz gemspec data.
+- RubyGems registry: add legacy Marshal specs endpoint (specs.4.8.gz) and adjust versions handler invocation to accept request context.
+- PyPI: adopt PEP 691 style (files is an array of file objects) in tests and metadata; include requires_python in test package metadata; update JSON API path matching to the package-level '/{package}/json' style used by the handler.
+- Fix HTML escaping expectations in tests (requires_python values are HTML-escaped in attributes, e.g. '&gt;=3.8').
+- Export smartarchive from plugins to enable archive helpers in core modules and helpers.
+- Update tests and internal code to match the new error shape and API/format behaviour.
+
+## 2025-11-25 - 1.9.0 - feat(auth)
+Implement HMAC-SHA256 OCI JWTs; enhance PyPI & RubyGems uploads and normalize responses
+
+- AuthManager: create and validate OCI JWTs signed with HMAC-SHA256 (header.payload.signature). Signature verification, exp/nbf checks and payload decoding implemented.
+- PyPI: improved Simple API handling (PEP-691 JSON responses returned as objects), Simple HTML responses updated, upload handling enhanced to support nested/flat multipart fields, verify hashes (sha256/md5/blake2b), store files and return 201 on success.
+- RubyGems: upload flow now attempts to extract gem metadata from the .gem binary when name/version are not provided, improved validation, and upload returns 201. Added extractGemMetadata helper.
+- OCI: centralized 401 response creation (including proper WWW-Authenticate header) and HEAD behavior fixed to return no body per HTTP spec.
+- SmartRegistry: use nullish coalescing for protocol basePath defaults to avoid falsy-value bugs when basePath is an empty string.
+- Tests and helpers: test expectations adjusted (Content-Type startsWith check for HTML, PEP-691 projects is an array), test helper switched to smartarchive for packaging.
+- Package.json: added devDependency @push.rocks/smartarchive and updated dev deps.
+- Various response normalization: avoid unnecessary Buffer.from() for already-serialized objects/strings and standardize status codes for create/upload endpoints (201).
+
+## 2025-11-24 - 1.8.0 - feat(smarts3)
+Add local smarts3 testing support and documentation
+
+- Added @push.rocks/smarts3 ^5.1.0 to devDependencies to enable a local S3-compatible test server.
+- Updated README with a new "Testing with smarts3" section including a Quick Start example and integration test commands.
+- Documented benefits and CI-friendly usage for running registry integration tests locally without cloud credentials.
+
+## 2025-11-23 - 1.7.0 - feat(core)
+Standardize S3 storage config using @tsclass/tsclass IS3Descriptor and wire it into RegistryStorage and plugins exports; update README and package dependencies.
+
+- Add @tsclass/tsclass dependency to package.json to provide a standardized IS3Descriptor for S3 configuration.
+- Export tsclass from ts/plugins.ts so plugin types are available to core modules.
+- Update IStorageConfig to extend plugins.tsclass.storage.IS3Descriptor, consolidating storage configuration typing.
+- Change RegistryStorage.init() to pass the storage config directly as an IS3Descriptor to SmartBucket (bucketName remains part of IStorageConfig).
+- Update README storage section with example config and mention IS3Descriptor integration.
+
 ## 2025-11-21 - 1.6.0 - feat(core)
 Add PyPI and RubyGems registries, integrate into SmartRegistry, extend storage and auth
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartregistry",
-  "version": "1.6.0",
+  "version": "2.2.0",
   "private": false,
   "description": "A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries",
   "main": "dist_ts/index.js",
@@ -18,6 +18,8 @@
     "@git.zone/tsbundle": "^2.0.5",
     "@git.zone/tsrun": "^2.0.0",
     "@git.zone/tstest": "^3.1.0",
+    "@push.rocks/smartarchive": "^5.0.1",
+    "@push.rocks/smarts3": "^5.1.0",
     "@types/node": "^24.10.1"
   },
   "repository": {
@@ -48,6 +50,7 @@
     "@push.rocks/smartbucket": "^4.3.0",
     "@push.rocks/smartlog": "^3.1.10",
     "@push.rocks/smartpath": "^6.0.0",
+    "@tsclass/tsclass": "^9.3.0",
     "adm-zip": "^0.5.10"
   },
   "packageManager": "pnpm@10.18.1+sha512.77a884a165cbba2d8d1c19e3b4880eee6d2fcabd0d879121e282196b80042351d5eb3ca0935fa599da1dc51265cc68816ad2bddd2a2de5ea9fdf92adbec7cd34"

pnpm-lock.yaml

@@ -20,6 +20,9 @@ importers:
       '@push.rocks/smartpath':
         specifier: ^6.0.0
         version: 6.0.0
+      '@tsclass/tsclass':
+        specifier: ^9.3.0
+        version: 9.3.0
       adm-zip:
         specifier: ^0.5.10
         version: 0.5.16
@@ -36,6 +39,12 @@ importers:
       '@git.zone/tstest':
         specifier: ^3.1.0
         version: 3.1.0(socks@2.8.7)(typescript@5.9.3)
+      '@push.rocks/smartarchive':
+        specifier: ^5.0.1
+        version: 5.0.1(@push.rocks/smartfs@1.1.0)
+      '@push.rocks/smarts3':
+        specifier: ^5.1.0
+        version: 5.1.0
       '@types/node':
         specifier: ^24.10.1
         version: 24.10.1
@@ -573,7 +582,6 @@ packages:
   '@koa/router@9.4.0':
     resolution: {integrity: sha512-dOOXgzqaDoHu5qqMEPLKEgLz5CeIA7q8+1W62mCvFVCOqeC71UoTGJ4u1xUSOpIl2J1x2pqrNULkFteUeZW3/A==}
     engines: {node: '>= 8.0.0'}
-    deprecated: '**IMPORTANT 10x+ PERFORMANCE UPGRADE**: Please upgrade to v12.0.1+ as we have fixed an issue with debuglog causing 10x slower router benchmark performance, see https://github.com/koajs/router/pull/173'
 
   '@leichtgewicht/ip-codec@2.0.5':
     resolution: {integrity: sha512-Vo+PSpZG2/fmgmiNzYK9qWRh8h/CHrwD0mo1h1DzL4yzHNSfWYujGTYsWGreD000gcgmZ7K4Ys6Tx9TxtsKdDw==}
@@ -700,6 +708,9 @@ packages:
   '@push.rocks/smartarchive@4.2.2':
     resolution: {integrity: sha512-6EpqbKU32D6Gcqsc9+Tn1dOCU5HoTlrqqs/7IdUr9Tirp9Ngtptkapca1Fw/D0kVJ7SSw3kG/miAYnuPMZLEoA==}
 
+  '@push.rocks/smartarchive@5.0.1':
+    resolution: {integrity: sha512-x4bie9IIdL9BZqBZLc8Pemp8xZOJGa6mXSVgKJRL4/Rw+E5N4rVHjQOYGRV75nC2mAMJh9GIbixuxLnWjj77ag==}
+
   '@push.rocks/smartbrowser@2.0.8':
     resolution: {integrity: sha512-0KWRZj3TuKo/sNwgPbiSE6WL+TMeR19t1JmXBZWh9n8iA2mpc4HhMrQAndEUdRCkx5ofSaHWojIRVFzGChj0Dg==}
 
@@ -760,6 +771,17 @@ packages:
   '@push.rocks/smartfile@11.2.7':
     resolution: {integrity: sha512-8Yp7/sAgPpWJBHohV92ogHWKzRomI5MEbSG6b5W2n18tqwfAmjMed0rQvsvGrSBlnEWCKgoOrYIIZbLO61+J0Q==}
 
+  '@push.rocks/smartfile@13.0.1':
+    resolution: {integrity: sha512-phtryDFtBYHo7R2H9V3Y7VeiYQU9YzKL140gKD3bTicBgXoIYrJ6+b3mbZunSO2yQt1Vy1AxCxYXrFE/K+4grw==}
+    peerDependencies:
+      '@push.rocks/smartfs': ^1.0.0
+    peerDependenciesMeta:
+      '@push.rocks/smartfs':
+        optional: true
+
+  '@push.rocks/smartfs@1.1.0':
+    resolution: {integrity: sha512-fg8JIjFUPPX5laRoBpTaGwhMfZ3Y8mFT4fUaW54Y4J/BfOBa/y0+rIFgvgvqcOZgkQlyZU+FIfL8Z6zezqxyTg==}
+
   '@push.rocks/smartguard@3.1.0':
     resolution: {integrity: sha512-J23q84f1O+TwFGmd4lrO9XLHUh2DaLXo9PN/9VmTWYzTkQDv5JehmifXVI0esophXcCIfbdIu6hbt7/aHlDF4A==}
 
@@ -847,6 +869,9 @@ packages:
   '@push.rocks/smarts3@2.2.7':
     resolution: {integrity: sha512-9ZXGMlmUL2Wd+YJO0xOB8KyqPf4V++fWJvTq4s76bnqEuaCr9OLfq6czhban+i4cD3ZdIjehfuHqctzjuLw8Jw==}
 
+  '@push.rocks/smarts3@5.1.0':
+    resolution: {integrity: sha512-jmoSaJkdWOWxiS5aiTXvE6+zS7n6+OZe1jxIOq3weX54tPmDCjpLLTl12rdgvvpDE1ai5ayftirWhLGk96hkaw==}
+
   '@push.rocks/smartshell@3.3.0':
     resolution: {integrity: sha512-m0w618H6YBs+vXGz1CgS4nPi5CUAnqRtckcS9/koGwfcIx1IpjqmiP47BoCTbdgcv0IPUxQVBG1IXTHPuZ8Z5g==}
 
@@ -1751,7 +1776,7 @@ packages:
     engines: {node: '>=12'}
 
   co@4.6.0:
-    resolution: {integrity: sha512-QVb0dM5HvG+uaxitm8wONl7jltx8dqhfU33DcqtOZcLSVIKSDDLDi7+0LbAKiyI8hD9u42m2YxXSkMGWThaecQ==}
+    resolution: {integrity: sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ=}
     engines: {iojs: '>= 1.0.0', node: '>= 0.12.0'}
 
   color-convert@1.9.3:
@@ -1766,7 +1791,7 @@ packages:
     engines: {node: '>=14.6'}
 
   color-name@1.1.3:
-    resolution: {integrity: sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==}
+    resolution: {integrity: sha1-p9BVi9icQveV3UIyj3QIMcpTvCU=}
 
   color-name@1.1.4:
     resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
@@ -1891,7 +1916,7 @@ packages:
     engines: {node: '>=10'}
 
   deep-equal@1.0.1:
-    resolution: {integrity: sha512-bHtC0iYvWhyaTzvV3CZgPeZQqCOBGyGsVV7v4eevpdkLHfiSrXUdBG+qAuSz4RI70sszvjQ1QSZ98An1yNwpSw==}
+    resolution: {integrity: sha1-9dJgKStmDghO/0zbyfCK0yR0SLU=}
 
   deep-extend@0.6.0:
     resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==}
@@ -1922,10 +1947,10 @@ packages:
     engines: {node: '>=0.4.0'}
 
   delegates@1.0.0:
-    resolution: {integrity: sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==}
+    resolution: {integrity: sha1-hMbhWbgZBP3KWaDvRM2HDTElD5o=}
 
   depd@1.1.2:
-    resolution: {integrity: sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==}
+    resolution: {integrity: sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=}
     engines: {node: '>= 0.6'}
 
   depd@2.0.0:
@@ -1977,7 +2002,7 @@ packages:
     resolution: {integrity: sha512-AKrN98kuwOzMIdAizXGI86UFBoo26CL21UM763y1h/GMSJ4/OHU9k2YlsmBpyScFo/wbLzWQJBMCW4+IO3/+OQ==}
 
   encodeurl@1.0.2:
-    resolution: {integrity: sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==}
+    resolution: {integrity: sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=}
     engines: {node: '>= 0.8'}
 
   encodeurl@2.0.0:
@@ -2038,7 +2063,7 @@ packages:
     resolution: {integrity: sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==}
 
   escape-string-regexp@1.0.5:
-    resolution: {integrity: sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg==}
+    resolution: {integrity: sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=}
     engines: {node: '>=0.8.0'}
 
   escape-string-regexp@5.0.0:
@@ -2199,7 +2224,7 @@ packages:
     engines: {node: '>= 0.6'}
 
   fresh@0.5.2:
-    resolution: {integrity: sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==}
+    resolution: {integrity: sha1-PYyt2Q2XZWn6g1qx+OSyOhBWBac=}
     engines: {node: '>= 0.6'}
 
   fresh@2.0.0:
@@ -2288,7 +2313,7 @@ packages:
     engines: {node: '>=18.0.0'}
 
   has-flag@3.0.0:
-    resolution: {integrity: sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==}
+    resolution: {integrity: sha1-tdRU3CGZriJWmfNGfloH87lVuv0=}
     engines: {node: '>=4'}
 
   has-property-descriptors@1.0.2:
@@ -2364,7 +2389,7 @@ packages:
     resolution: {integrity: sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ==}
 
   humanize-number@0.0.2:
-    resolution: {integrity: sha512-un3ZAcNQGI7RzaWGZzQDH47HETM4Wrj6z6E4TId8Yeq9w5ZKUVB1nrT2jwFheTUjEmqcgTjXDc959jum+ai1kQ==}
+    resolution: {integrity: sha1-EcCvakcWQ2M1iFiASPF5lUFInBg=}
 
   iconv-lite@0.6.3:
     resolution: {integrity: sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==}
@@ -2493,7 +2518,7 @@ packages:
     resolution: {integrity: sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==}
 
   jsonfile@4.0.0:
-    resolution: {integrity: sha512-m6F1R3z8jjlf2imQHS2Qez5sjKWQzbuuhuJ/FKYFRZvPE3PuHcSMVZzfsLhGVOkfd20obL5SWEBew5ShlquNxg==}
+    resolution: {integrity: sha1-h3Gq4HmbZAdrdmQPygWPnBDjPss=}
 
   jsonfile@6.2.0:
     resolution: {integrity: sha512-FGuPw30AdOIUTRMC2OMRtQV+jkVj2cfPqSeWXv1NEAJ1qZ5zb1X6z1mFhbfOB/iy3ssJCD+3KuZ8r8C3uVFlAg==}
@@ -2501,7 +2526,6 @@ packages:
   keygrip@1.1.0:
     resolution: {integrity: sha512-iYSchDJ+liQ8iwbSI2QqsQOvqv58eJCEanyJPJi+Khyu8smkcKSFUCbPwzFcL7YVtZ6eONjqRX/38caJ7QjRAQ==}
     engines: {node: '>= 0.6'}
-    deprecated: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
 
   keyv@4.5.4:
     resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
@@ -2683,7 +2707,7 @@ packages:
     resolution: {integrity: sha512-0H44vDimn51F0YwvxSJSm0eCDOJTRlmN0R1yBh4HLj9wiV1Dn0QoXGbvFAWj2hSItVTlCmBF1hqKlIyUBVFLPg==}
 
   media-typer@0.3.0:
-    resolution: {integrity: sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==}
+    resolution: {integrity: sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=}
     engines: {node: '>= 0.6'}
 
   media-typer@1.1.0:
@@ -2698,7 +2722,7 @@ packages:
     engines: {node: '>=18'}
 
   methods@1.1.2:
-    resolution: {integrity: sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==}
+    resolution: {integrity: sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4=}
     engines: {node: '>= 0.6'}
 
   micromark-core-commonmark@2.0.3:
@@ -2951,7 +2975,7 @@ packages:
     resolution: {integrity: sha512-5DXOiRKwuSEcQ/l0kGCF6Q3jcADFv5tSmRaJck/OqkVFcOzutB134KRSfF0xDrL39MNnqxbHBbUUcjZIhTgb2g==}
 
   only@0.0.2:
-    resolution: {integrity: sha512-Fvw+Jemq5fjjyWz6CpKx6w9s7xxqo3+JCyM0WXWeCSOboZ8ABkyvP8ID4CZuChA/wxSx+XSJmdOm8rGVyJ1hdQ==}
+    resolution: {integrity: sha1-Kv3oTQPlC5qO3EROMGEKcCle37Q=}
 
   open@8.4.2:
     resolution: {integrity: sha512-7x81NCL719oNbsq/3mh+hVrAWmFuEYUqrq/Iw3kUzH8ReypT9QQ0BLoJS7/G9k6N81XjW4qHWtjWwe/9eLy1EQ==}
@@ -3023,7 +3047,7 @@ packages:
     engines: {node: '>= 0.8'}
 
   passthrough-counter@1.0.0:
-    resolution: {integrity: sha512-Wy8PXTLqPAN0oEgBrlnsXPMww3SYJ44tQ8aVrGAI4h4JZYCS0oYqsPqtPR8OhJpv6qFbpbB7XAn0liKV7EXubA==}
+    resolution: {integrity: sha1-GWfZ5m2lcrXAI8eH2xEqOHqxZvo=}
 
   path-exists@4.0.0:
     resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
@@ -3349,10 +3373,10 @@ packages:
     resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
 
   stack-trace@0.0.10:
-    resolution: {integrity: sha512-KGzahc7puUKkzyMt+IqAep+TVNbKP+k2Lmwhub39m1AsTSkaDutx56aDCo+HLDzf/D26BIHTJWNiTG1KAJiQCg==}
+    resolution: {integrity: sha1-VHxws0fo0ytOEI6hoqFZ5f3eGcA=}
 
   statuses@1.5.0:
-    resolution: {integrity: sha512-OpZ3zP+jT1PI7I8nemJX4AKmAX070ZkYPVWV/AaKTJl+tXCTGyVdC1a4SL8RUQYEwk/f34ZX8UTykN68FwrqAA==}
+    resolution: {integrity: sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=}
     engines: {node: '>= 0.6'}
 
   statuses@2.0.1:
@@ -3364,7 +3388,7 @@ packages:
     engines: {node: '>= 0.8'}
 
   streamsearch@0.1.2:
-    resolution: {integrity: sha512-jos8u++JKm0ARcSUTAZXOVC0mSox7Bhn6sBgty73P1f3JGf7yG2clTbBNHUdde/kdvP2FESam+vM6l8jBrNxHA==}
+    resolution: {integrity: sha1-gIudDlb8Jz2Am6VzOOkpkZoanxo=}
     engines: {node: '>=0.8.0'}
 
   streamx@2.23.0:
@@ -5255,6 +5279,27 @@ snapshots:
       - react-native-b4a
       - supports-color
 
+  '@push.rocks/smartarchive@5.0.1(@push.rocks/smartfs@1.1.0)':
+    dependencies:
+      '@push.rocks/smartdelay': 3.0.5
+      '@push.rocks/smartfile': 13.0.1(@push.rocks/smartfs@1.1.0)
+      '@push.rocks/smartpath': 6.0.0
+      '@push.rocks/smartpromise': 4.2.3
+      '@push.rocks/smartrequest': 4.4.2
+      '@push.rocks/smartrx': 3.0.10
+      '@push.rocks/smartstream': 3.2.5
+      '@push.rocks/smartunique': 3.0.9
+      '@push.rocks/smarturl': 3.1.0
+      '@types/tar-stream': 3.1.4
+      fflate: 0.8.2
+      file-type: 21.1.0
+      tar-stream: 3.1.7
+    transitivePeerDependencies:
+      - '@push.rocks/smartfs'
+      - bare-abort-controller
+      - react-native-b4a
+      - supports-color
+
   '@push.rocks/smartbrowser@2.0.8(typescript@5.9.3)':
     dependencies:
       '@push.rocks/smartdelay': 3.0.5
@@ -5443,6 +5488,28 @@ snapshots:
       glob: 11.1.0
       js-yaml: 4.1.1
 
+  '@push.rocks/smartfile@13.0.1(@push.rocks/smartfs@1.1.0)':
+    dependencies:
+      '@push.rocks/lik': 6.2.2
+      '@push.rocks/smartdelay': 3.0.5
+      '@push.rocks/smartfile-interfaces': 1.0.7
+      '@push.rocks/smarthash': 3.2.6
+      '@push.rocks/smartjson': 5.2.0
+      '@push.rocks/smartmime': 2.0.4
+      '@push.rocks/smartpath': 6.0.0
+      '@push.rocks/smartpromise': 4.2.3
+      '@push.rocks/smartrequest': 4.4.2
+      '@push.rocks/smartstream': 3.2.5
+      '@types/js-yaml': 4.0.9
+      glob: 11.1.0
+      js-yaml: 4.1.1
+    optionalDependencies:
+      '@push.rocks/smartfs': 1.1.0
+
+  '@push.rocks/smartfs@1.1.0':
+    dependencies:
+      '@push.rocks/smartpath': 6.0.0
+
   '@push.rocks/smartguard@3.1.0':
     dependencies:
       '@push.rocks/smartpromise': 4.2.3
@@ -5691,6 +5758,13 @@ snapshots:
       - aws-crt
       - supports-color
 
+  '@push.rocks/smarts3@5.1.0':
+    dependencies:
+      '@push.rocks/smartfs': 1.1.0
+      '@push.rocks/smartpath': 6.0.0
+      '@push.rocks/smartxml': 2.0.0
+      '@tsclass/tsclass': 9.3.0
+
   '@push.rocks/smartshell@3.3.0':
     dependencies:
       '@push.rocks/smartdelay': 3.0.5

readme.md

@@ -19,7 +19,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 
 ### 🏗️ Unified Architecture
 - **Composable Design**: Core infrastructure with protocol plugins
-- **Shared Storage**: Cloud-agnostic S3-compatible backend ([@push.rocks/smartbucket](https://www.npmjs.com/package/@push.rocks/smartbucket))
+- **Shared Storage**: Cloud-agnostic S3-compatible backend using [@push.rocks/smartbucket](https://www.npmjs.com/package/@push.rocks/smartbucket) with standardized `IS3Descriptor` from [@tsclass/tsclass](https://www.npmjs.com/package/@tsclass/tsclass)
 - **Unified Authentication**: Scope-based permissions across all protocols
 - **Path-based Routing**: `/oci/*` for containers, `/npm/*` for packages, `/maven/*` for Java artifacts, `/cargo/*` for Rust crates, `/composer/*` for PHP packages, `/pypi/*` for Python packages, `/rubygems/*` for Ruby gems
 
@@ -652,15 +652,24 @@ const canWrite = await authManager.authorize(
 
 ### Storage Configuration
 
+The storage configuration extends `IS3Descriptor` from `@tsclass/tsclass` for standardized S3 configuration:
+
 ```typescript
+import type { IS3Descriptor } from '@tsclass/tsclass';
+
+storage: IS3Descriptor & {
+  bucketName: string;       // Bucket name for registry storage
+}
+
+// Example:
 storage: {
   accessKey: string;        // S3 access key
   accessSecret: string;     // S3 secret key
-  endpoint: string;         // S3 endpoint
+  endpoint: string;         // S3 endpoint (e.g., 's3.amazonaws.com')
   port?: number;            // Default: 443
   useSsl?: boolean;         // Default: true
-  region?: string;          // Default: 'us-east-1'
+  region?: string;          // AWS region (e.g., 'us-east-1')
-  bucketName: string;       // Bucket name
+  bucketName: string;       // Bucket name for this registry
 }
 ```
 
@@ -1015,6 +1024,82 @@ pnpm run build
 pnpm test
 ```
 
+## 🧪 Testing with smarts3
+
+smartregistry works seamlessly with [@push.rocks/smarts3](https://code.foss.global/push.rocks/smarts3), a local S3-compatible server for testing. This allows you to test the registry without needing cloud credentials or external services.
+
+### Quick Start with smarts3
+
+```typescript
+import { Smarts3 } from '@push.rocks/smarts3';
+import { SmartRegistry } from '@push.rocks/smartregistry';
+
+// Start local S3 server
+const s3Server = await Smarts3.createAndStart({
+  server: { port: 3456 },
+  storage: { cleanSlate: true },
+});
+
+// Manually create IS3Descriptor matching smarts3 configuration
+// Note: smarts3 v5.1.0 doesn't properly expose getS3Descriptor() yet
+const s3Descriptor = {
+  endpoint: 'localhost',
+  port: 3456,
+  accessKey: 'test',
+  accessSecret: 'test',
+  useSsl: false,
+  region: 'us-east-1',
+};
+
+// Create registry with smarts3 configuration
+const registry = new SmartRegistry({
+  storage: {
+    ...s3Descriptor,
+    bucketName: 'my-test-registry',
+  },
+  auth: {
+    jwtSecret: 'test-secret',
+    tokenStore: 'memory',
+    npmTokens: { enabled: true },
+    ociTokens: {
+      enabled: true,
+      realm: 'https://auth.example.com/token',
+      service: 'my-registry',
+    },
+  },
+  npm: { enabled: true, basePath: '/npm' },
+  oci: { enabled: true, basePath: '/oci' },
+  pypi: { enabled: true, basePath: '/pypi' },
+  cargo: { enabled: true, basePath: '/cargo' },
+});
+
+await registry.init();
+
+// Use registry...
+// Your tests here
+
+// Cleanup
+await s3Server.stop();
+```
+
+### Benefits of Testing with smarts3
+
+- ✅ **Zero Setup** - No cloud credentials or external services needed
+- ✅ **Fast** - Local filesystem storage, no network latency
+- ✅ **Isolated** - Clean slate per test run, no shared state
+- ✅ **CI/CD Ready** - Works in automated pipelines without configuration
+- ✅ **Full Compatibility** - Implements S3 API, works with IS3Descriptor
+
+### Running Integration Tests
+
+```bash
+# Run smarts3 integration test
+pnpm exec tstest test/test.integration.smarts3.node.ts --verbose
+
+# Run all tests (includes smarts3)
+pnpm test
+```
+
 ## License and Legal Information
 
 This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository.

test/helpers/registry.ts

@@ -1,5 +1,6 @@
 import * as qenv from '@push.rocks/qenv';
 import * as crypto from 'crypto';
+import * as smartarchive from '@push.rocks/smartarchive';
 import { SmartRegistry } from '../../ts/classes.smartregistry.js';
 import type { IRegistryConfig } from '../../ts/core/interfaces.core.js';
 
@@ -241,7 +242,7 @@ export function calculateMavenChecksums(data: Buffer) {
 }
 
 /**
- * Helper to create a Composer package ZIP
+ * Helper to create a Composer package ZIP using smartarchive
  */
 export async function createComposerZip(
   vendorPackage: string,
@@ -252,8 +253,7 @@ export async function createComposerZip(
     authors?: Array<{ name: string; email?: string }>;
   }
 ): Promise<Buffer> {
-  const AdmZip = (await import('adm-zip')).default;
+  const zipTools = new smartarchive.ZipTools();
-  const zip = new AdmZip();
 
   const composerJson = {
     name: vendorPackage,
@@ -272,9 +272,6 @@ export async function createComposerZip(
     },
   };
 
-  // Add composer.json
-  zip.addFile('composer.json', Buffer.from(JSON.stringify(composerJson, null, 2), 'utf-8'));
-
   // Add a test PHP file
   const [vendor, pkg] = vendorPackage.split('/');
   const namespace = `${vendor.charAt(0).toUpperCase() + vendor.slice(1)}\\${pkg.charAt(0).toUpperCase() + pkg.slice(1).replace(/-/g, '')}`;
@@ -290,24 +287,33 @@ class TestClass
 }
 `;
 
-  zip.addFile('src/TestClass.php', Buffer.from(testPhpContent, 'utf-8'));
+  const entries: smartarchive.IArchiveEntry[] = [
+    {
+      archivePath: 'composer.json',
+      content: Buffer.from(JSON.stringify(composerJson, null, 2), 'utf-8'),
+    },
+    {
+      archivePath: 'src/TestClass.php',
+      content: Buffer.from(testPhpContent, 'utf-8'),
+    },
+    {
+      archivePath: 'README.md',
+      content: Buffer.from(`# ${vendorPackage}\n\nTest package`, 'utf-8'),
+    },
+  ];
 
-  // Add README
+  return zipTools.createZip(entries);
-  zip.addFile('README.md', Buffer.from(`# ${vendorPackage}\n\nTest package`, 'utf-8'));
-
-  return zip.toBuffer();
 }
 
 /**
- * Helper to create a test Python wheel file (minimal ZIP structure)
+ * Helper to create a test Python wheel file (minimal ZIP structure) using smartarchive
  */
 export async function createPythonWheel(
   packageName: string,
   version: string,
   pyVersion: string = 'py3'
 ): Promise<Buffer> {
-  const AdmZip = (await import('adm-zip')).default;
+  const zipTools = new smartarchive.ZipTools();
-  const zip = new AdmZip();
 
   const normalizedName = packageName.replace(/-/g, '_');
   const distInfoDir = `${normalizedName}-${version}.dist-info`;
@@ -331,8 +337,6 @@ Description-Content-Type: text/markdown
 Test package for SmartRegistry
 `;
 
-  zip.addFile(`${distInfoDir}/METADATA`, Buffer.from(metadata, 'utf-8'));
-
   // Create WHEEL file
   const wheelContent = `Wheel-Version: 1.0
 Generator: test 1.0.0
@@ -340,14 +344,6 @@ Root-Is-Purelib: true
 Tag: ${pyVersion}-none-any
 `;
 
-  zip.addFile(`${distInfoDir}/WHEEL`, Buffer.from(wheelContent, 'utf-8'));
-
-  // Create RECORD file (empty for test)
-  zip.addFile(`${distInfoDir}/RECORD`, Buffer.from('', 'utf-8'));
-
-  // Create top_level.txt
-  zip.addFile(`${distInfoDir}/top_level.txt`, Buffer.from(normalizedName, 'utf-8'));
-
   // Create a simple Python module
   const moduleContent = `"""${packageName} module"""
 
@@ -357,27 +353,44 @@ def hello():
     return "Hello from ${packageName}!"
 `;
 
-  zip.addFile(`${normalizedName}/__init__.py`, Buffer.from(moduleContent, 'utf-8'));
+  const entries: smartarchive.IArchiveEntry[] = [
+    {
+      archivePath: `${distInfoDir}/METADATA`,
+      content: Buffer.from(metadata, 'utf-8'),
+    },
+    {
+      archivePath: `${distInfoDir}/WHEEL`,
+      content: Buffer.from(wheelContent, 'utf-8'),
+    },
+    {
+      archivePath: `${distInfoDir}/RECORD`,
+      content: Buffer.from('', 'utf-8'),
+    },
+    {
+      archivePath: `${distInfoDir}/top_level.txt`,
+      content: Buffer.from(normalizedName, 'utf-8'),
+    },
+    {
+      archivePath: `${normalizedName}/__init__.py`,
+      content: Buffer.from(moduleContent, 'utf-8'),
+    },
+  ];
 
-  return zip.toBuffer();
+  return zipTools.createZip(entries);
 }
 
 /**
- * Helper to create a test Python source distribution (sdist)
+ * Helper to create a test Python source distribution (sdist) using smartarchive
  */
 export async function createPythonSdist(
   packageName: string,
   version: string
 ): Promise<Buffer> {
-  const tar = await import('tar-stream');
+  const tarTools = new smartarchive.TarTools();
-  const zlib = await import('zlib');
-  const { Readable } = await import('stream');
 
   const normalizedName = packageName.replace(/-/g, '_');
   const dirPrefix = `${packageName}-${version}`;
 
-  const pack = tar.pack();
-
   // PKG-INFO
   const pkgInfo = `Metadata-Version: 2.1
 Name: ${packageName}
@@ -389,8 +402,6 @@ Author-email: test@example.com
 License: MIT
 `;
 
-  pack.entry({ name: `${dirPrefix}/PKG-INFO` }, pkgInfo);
-
   // setup.py
   const setupPy = `from setuptools import setup, find_packages
 
@@ -402,8 +413,6 @@ setup(
 )
 `;
 
-  pack.entry({ name: `${dirPrefix}/setup.py` }, setupPy);
-
   // Module file
   const moduleContent = `"""${packageName} module"""
 
@@ -413,20 +422,22 @@ def hello():
     return "Hello from ${packageName}!"
 `;
 
-  pack.entry({ name: `${dirPrefix}/${normalizedName}/__init__.py` }, moduleContent);
+  const entries: smartarchive.IArchiveEntry[] = [
+    {
+      archivePath: `${dirPrefix}/PKG-INFO`,
+      content: Buffer.from(pkgInfo, 'utf-8'),
+    },
+    {
+      archivePath: `${dirPrefix}/setup.py`,
+      content: Buffer.from(setupPy, 'utf-8'),
+    },
+    {
+      archivePath: `${dirPrefix}/${normalizedName}/__init__.py`,
+      content: Buffer.from(moduleContent, 'utf-8'),
+    },
+  ];
 
-  pack.finalize();
+  return tarTools.packFilesToTarGz(entries);
-
-  // Convert to gzipped tar
-  const chunks: Buffer[] = [];
-  const gzip = zlib.createGzip();
-
-  return new Promise((resolve, reject) => {
-    pack.pipe(gzip);
-    gzip.on('data', (chunk) => chunks.push(chunk));
-    gzip.on('end', () => resolve(Buffer.concat(chunks)));
-    gzip.on('error', reject);
-  });
 }
 
 /**
@@ -441,17 +452,15 @@ export function calculatePypiHashes(data: Buffer) {
 }
 
 /**
- * Helper to create a test RubyGem file (minimal tar.gz structure)
+ * Helper to create a test RubyGem file (minimal tar.gz structure) using smartarchive
  */
 export async function createRubyGem(
   gemName: string,
   version: string,
   platform: string = 'ruby'
 ): Promise<Buffer> {
-  const tar = await import('tar-stream');
+  const tarTools = new smartarchive.TarTools();
-  const zlib = await import('zlib');
+  const gzipTools = new smartarchive.GzipTools();
-
-  const pack = tar.pack();
 
   // Create metadata.gz (simplified)
   const metadataYaml = `--- !ruby/object:Gem::Specification
@@ -499,10 +508,9 @@ summary: Test gem for SmartRegistry
 test_files: []
 `;
 
-  pack.entry({ name: 'metadata.gz' }, zlib.gzipSync(Buffer.from(metadataYaml, 'utf-8')));
+  const metadataGz = await gzipTools.compress(Buffer.from(metadataYaml, 'utf-8'));
 
-  // Create data.tar.gz (simplified)
+  // Create data.tar.gz content
-  const dataPack = tar.pack();
   const libContent = `# ${gemName}
 
 module ${gemName.charAt(0).toUpperCase() + gemName.slice(1).replace(/-/g, '')}
@@ -514,32 +522,29 @@ module ${gemName.charAt(0).toUpperCase() + gemName.slice(1).replace(/-/g, '')}
 end
 `;
 
-  dataPack.entry({ name: `lib/${gemName}.rb` }, libContent);
+  const dataEntries: smartarchive.IArchiveEntry[] = [
-  dataPack.finalize();
+    {
+      archivePath: `lib/${gemName}.rb`,
+      content: Buffer.from(libContent, 'utf-8'),
+    },
+  ];
 
-  const dataChunks: Buffer[] = [];
+  const dataTarGz = await tarTools.packFilesToTarGz(dataEntries);
-  const dataGzip = zlib.createGzip();
-  dataPack.pipe(dataGzip);
 
-  await new Promise((resolve) => {
+  // Create the outer gem (tar.gz containing metadata.gz and data.tar.gz)
-    dataGzip.on('data', (chunk) => dataChunks.push(chunk));
+  const gemEntries: smartarchive.IArchiveEntry[] = [
-    dataGzip.on('end', resolve);
+    {
-  });
+      archivePath: 'metadata.gz',
+      content: metadataGz,
+    },
+    {
+      archivePath: 'data.tar.gz',
+      content: dataTarGz,
+    },
+  ];
 
-  pack.entry({ name: 'data.tar.gz' }, Buffer.concat(dataChunks));
+  // RubyGems .gem files are plain tar archives (NOT gzipped), containing metadata.gz and data.tar.gz
-
+  return tarTools.packFiles(gemEntries);
-  pack.finalize();
-
-  // Convert to gzipped tar
-  const chunks: Buffer[] = [];
-  const gzip = zlib.createGzip();
-
-  return new Promise((resolve, reject) => {
-    pack.pipe(gzip);
-    gzip.on('data', (chunk) => chunks.push(chunk));
-    gzip.on('end', () => resolve(Buffer.concat(chunks)));
-    gzip.on('error', reject);
-  });
 }
 
 /**

test/test.integration.crossprotocol.ts

@@ -78,7 +78,7 @@ tap.test('Integration: should handle /simple path for PyPI', async () => {
   });
 
   expect(response.status).toEqual(200);
-  expect(response.headers['Content-Type']).toEqual('text/html');
+  expect(response.headers['Content-Type']).toStartWith('text/html');
   expect(response.body).toContain('integration-test-py');
 });
 

test/test.integration.smarts3.node.ts

@@ -0,0 +1,291 @@
+/**
+ * Integration test for smartregistry with smarts3
+ * Verifies that smartregistry works with a local S3-compatible server
+ */
+
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import * as smarts3Module from '@push.rocks/smarts3';
+import { SmartRegistry } from '../ts/classes.smartregistry.js';
+import type { IRegistryConfig } from '../ts/core/interfaces.core.js';
+import * as crypto from 'crypto';
+
+let s3Server: smarts3Module.Smarts3;
+let registry: SmartRegistry;
+
+/**
+ * Setup: Start smarts3 server
+ */
+tap.test('should start smarts3 server', async () => {
+  s3Server = await smarts3Module.Smarts3.createAndStart({
+    server: {
+      port: 3456, // Use different port to avoid conflicts with other tests
+      host: '0.0.0.0',
+    },
+    storage: {
+      cleanSlate: true, // Fresh storage for each test run
+      bucketsDir: './.nogit/smarts3-test-buckets',
+    },
+    logging: {
+      silent: true, // Reduce test output noise
+    },
+  });
+
+  expect(s3Server).toBeDefined();
+});
+
+/**
+ * Setup: Create SmartRegistry with smarts3 configuration
+ */
+tap.test('should create SmartRegistry instance with smarts3 IS3Descriptor', async () => {
+  // Manually construct IS3Descriptor based on smarts3 configuration
+  // Note: smarts3.getS3Descriptor() returns empty object as of v5.1.0
+  // This is a known limitation - smarts3 doesn't expose its config properly
+  const s3Descriptor = {
+    endpoint: 'localhost',
+    port: 3456,
+    accessKey: 'test',  // smarts3 doesn't require real credentials
+    accessSecret: 'test',
+    useSsl: false,
+    region: 'us-east-1',
+  };
+
+  const config: IRegistryConfig = {
+    storage: {
+      ...s3Descriptor,
+      bucketName: 'test-registry-smarts3',
+    },
+    auth: {
+      jwtSecret: 'test-secret-key',
+      tokenStore: 'memory',
+      npmTokens: {
+        enabled: true,
+      },
+      ociTokens: {
+        enabled: true,
+        realm: 'https://auth.example.com/token',
+        service: 'test-registry-smarts3',
+      },
+      pypiTokens: {
+        enabled: true,
+      },
+      rubygemsTokens: {
+        enabled: true,
+      },
+    },
+    npm: {
+      enabled: true,
+      basePath: '/npm',
+    },
+    oci: {
+      enabled: true,
+      basePath: '/oci',
+    },
+    pypi: {
+      enabled: true,
+      basePath: '/pypi',
+    },
+    cargo: {
+      enabled: true,
+      basePath: '/cargo',
+    },
+  };
+
+  registry = new SmartRegistry(config);
+  await registry.init();
+
+  expect(registry).toBeDefined();
+});
+
+/**
+ * Test NPM protocol with smarts3
+ */
+tap.test('NPM: should publish package to smarts3', async () => {
+  const authManager = registry.getAuthManager();
+  const userId = await authManager.authenticate({
+    username: 'testuser',
+    password: 'testpass',
+  });
+  const token = await authManager.createNpmToken(userId, false);
+
+  const packageData = {
+    name: 'test-package-smarts3',
+    'dist-tags': {
+      latest: '1.0.0',
+    },
+    versions: {
+      '1.0.0': {
+        name: 'test-package-smarts3',
+        version: '1.0.0',
+        description: 'Test package for smarts3 integration',
+      },
+    },
+    _attachments: {
+      'test-package-smarts3-1.0.0.tgz': {
+        content_type: 'application/octet-stream',
+        data: Buffer.from('test tarball content').toString('base64'),
+        length: 20,
+      },
+    },
+  };
+
+  const response = await registry.handleRequest({
+    method: 'PUT',
+    path: '/npm/test-package-smarts3',
+    headers: {
+      'Authorization': `Bearer ${token}`,
+      'Content-Type': 'application/json',
+    },
+    query: {},
+    body: packageData,
+  });
+
+  expect(response.status).toEqual(201); // 201 Created is correct for publishing
+});
+
+tap.test('NPM: should retrieve package from smarts3', async () => {
+  const response = await registry.handleRequest({
+    method: 'GET',
+    path: '/npm/test-package-smarts3',
+    headers: {},
+    query: {},
+  });
+
+  expect(response.status).toEqual(200);
+  expect(response.body).toHaveProperty('name');
+  expect(response.body.name).toEqual('test-package-smarts3');
+});
+
+/**
+ * Test OCI protocol with smarts3
+ */
+tap.test('OCI: should store blob in smarts3', async () => {
+  const authManager = registry.getAuthManager();
+  const userId = await authManager.authenticate({
+    username: 'testuser',
+    password: 'testpass',
+  });
+  const token = await authManager.createOciToken(
+    userId,
+    ['oci:repository:test-image:push'],
+    3600
+  );
+
+  // Initiate blob upload
+  const initiateResponse = await registry.handleRequest({
+    method: 'POST',
+    path: '/oci/v2/test-image/blobs/uploads/',
+    headers: {
+      'Authorization': `Bearer ${token}`,
+    },
+    query: {},
+  });
+
+  expect(initiateResponse.status).toEqual(202);
+  expect(initiateResponse.headers).toHaveProperty('Location');
+
+  // Extract upload ID from location
+  const location = initiateResponse.headers['Location'];
+  const uploadId = location.split('/').pop();
+
+  // Upload blob data
+  const blobData = Buffer.from('test blob content');
+  const digest = 'sha256:' + crypto
+    .createHash('sha256')
+    .update(blobData)
+    .digest('hex');
+
+  const uploadResponse = await registry.handleRequest({
+    method: 'PUT',
+    path: `/oci/v2/test-image/blobs/uploads/${uploadId}`,
+    headers: {
+      'Authorization': `Bearer ${token}`,
+      'Content-Type': 'application/octet-stream',
+    },
+    query: { digest },
+    body: blobData,
+  });
+
+  expect(uploadResponse.status).toEqual(201);
+});
+
+/**
+ * Test PyPI protocol with smarts3
+ */
+tap.test('PyPI: should upload package to smarts3', async () => {
+  const authManager = registry.getAuthManager();
+  const userId = await authManager.authenticate({
+    username: 'testuser',
+    password: 'testpass',
+  });
+  const token = await authManager.createPypiToken(userId, false);
+
+  // Note: In a real test, this would be multipart/form-data
+  // For simplicity, we're testing the storage layer
+  const storage = registry.getStorage();
+
+  // Store a test package file
+  const packageContent = Buffer.from('test wheel content');
+  await storage.putPypiPackageFile(
+    'test-package',
+    'test_package-1.0.0-py3-none-any.whl',
+    packageContent
+  );
+
+  // Store metadata
+  const metadata = {
+    name: 'test-package',
+    version: '1.0.0',
+    files: [
+      {
+        filename: 'test_package-1.0.0-py3-none-any.whl',
+        url: '/packages/test-package/test_package-1.0.0-py3-none-any.whl',
+        hashes: { sha256: 'abc123' },
+      },
+    ],
+  };
+  await storage.putPypiPackageMetadata('test-package', metadata);
+
+  // Verify stored
+  const retrievedMetadata = await storage.getPypiPackageMetadata('test-package');
+  expect(retrievedMetadata).toBeDefined();
+  expect(retrievedMetadata.name).toEqual('test-package');
+});
+
+/**
+ * Test Cargo protocol with smarts3
+ */
+tap.test('Cargo: should store crate in smarts3', async () => {
+  const storage = registry.getStorage();
+
+  // Store a test crate index entry
+  const indexEntry = {
+    name: 'test-crate',
+    vers: '1.0.0',
+    deps: [],
+    cksum: 'abc123',
+    features: {},
+    yanked: false,
+  };
+
+  await storage.putCargoIndex('test-crate', [indexEntry]);
+
+  // Store the actual .crate file
+  const crateContent = Buffer.from('test crate tarball');
+  await storage.putCargoCrate('test-crate', '1.0.0', crateContent);
+
+  // Verify stored
+  const retrievedIndex = await storage.getCargoIndex('test-crate');
+  expect(retrievedIndex).toBeDefined();
+  expect(retrievedIndex.length).toEqual(1);
+  expect(retrievedIndex[0].name).toEqual('test-crate');
+});
+
+/**
+ * Cleanup: Stop smarts3 server
+ */
+tap.test('should stop smarts3 server', async () => {
+  await s3Server.stop();
+  expect(true).toEqual(true); // Just verify it completes without error
+});
+
+export default tap.start();

test/test.oci.nativecli.node.ts

@@ -0,0 +1,406 @@
+/**
+ * Native Docker CLI Testing
+ * Tests the OCI registry implementation using the actual Docker CLI
+ */
+
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
+import { SmartRegistry } from '../ts/index.js';
+import type { IRequestContext, IResponse, IRegistryConfig } from '../ts/core/interfaces.core.js';
+import * as qenv from '@push.rocks/qenv';
+import * as http from 'http';
+import * as url from 'url';
+import * as fs from 'fs';
+import * as path from 'path';
+
+const testQenv = new qenv.Qenv('./', './.nogit');
+
+/**
+ * Create a test registry with local token endpoint realm
+ */
+async function createDockerTestRegistry(port: number): Promise<SmartRegistry> {
+  const s3AccessKey = await testQenv.getEnvVarOnDemand('S3_ACCESSKEY');
+  const s3SecretKey = await testQenv.getEnvVarOnDemand('S3_SECRETKEY');
+  const s3Endpoint = await testQenv.getEnvVarOnDemand('S3_ENDPOINT');
+  const s3Port = await testQenv.getEnvVarOnDemand('S3_PORT');
+
+  const config: IRegistryConfig = {
+    storage: {
+      accessKey: s3AccessKey || 'minioadmin',
+      accessSecret: s3SecretKey || 'minioadmin',
+      endpoint: s3Endpoint || 'localhost',
+      port: parseInt(s3Port || '9000', 10),
+      useSsl: false,
+      region: 'us-east-1',
+      bucketName: 'test-registry',
+    },
+    auth: {
+      jwtSecret: 'test-secret-key',
+      tokenStore: 'memory',
+      npmTokens: {
+        enabled: true,
+      },
+      ociTokens: {
+        enabled: true,
+        realm: `http://localhost:${port}/v2/token`,
+        service: 'test-registry',
+      },
+    },
+    oci: {
+      enabled: true,
+      basePath: '/oci',
+    },
+  };
+
+  const reg = new SmartRegistry(config);
+  await reg.init();
+  return reg;
+}
+
+/**
+ * Create test tokens for the registry
+ */
+async function createDockerTestTokens(reg: SmartRegistry) {
+  const authManager = reg.getAuthManager();
+
+  const userId = await authManager.authenticate({
+    username: 'testuser',
+    password: 'testpass',
+  });
+
+  if (!userId) {
+    throw new Error('Failed to authenticate test user');
+  }
+
+  // Create OCI token with full access
+  const ociToken = await authManager.createOciToken(
+    userId,
+    ['oci:repository:*:*'],
+    3600
+  );
+
+  return { ociToken, userId };
+}
+
+// Test context
+let registry: SmartRegistry;
+let server: http.Server;
+let registryUrl: string;
+let registryPort: number;
+let ociToken: string;
+let testDir: string;
+let testImageName: string;
+
+/**
+ * Create HTTP server wrapper around SmartRegistry
+ * CRITICAL: Always passes rawBody for content-addressable operations (OCI manifests/blobs)
+ *
+ * Docker expects registry at /v2/ but SmartRegistry serves at /oci/v2/
+ * This wrapper rewrites paths for Docker compatibility
+ *
+ * Also implements a simple /v2/token endpoint for Docker Bearer auth flow
+ */
+async function createHttpServer(
+  registryInstance: SmartRegistry,
+  port: number,
+  tokenForAuth: string
+): Promise<{ server: http.Server; url: string }> {
+  return new Promise((resolve, reject) => {
+    const httpServer = http.createServer(async (req, res) => {
+      try {
+        // Parse request
+        const parsedUrl = url.parse(req.url || '', true);
+        let pathname = parsedUrl.pathname || '/';
+        const query = parsedUrl.query;
+
+        // Handle token endpoint for Docker Bearer auth
+        if (pathname === '/v2/token' || pathname === '/token') {
+          console.log(`[Token Request] ${req.method} ${req.url}`);
+          res.statusCode = 200;
+          res.setHeader('Content-Type', 'application/json');
+          res.end(JSON.stringify({
+            token: tokenForAuth,
+            access_token: tokenForAuth,
+            expires_in: 3600,
+            issued_at: new Date().toISOString(),
+          }));
+          return;
+        }
+
+        // Log all requests for debugging
+        console.log(`[Registry] ${req.method} ${pathname}`);
+
+        // Docker expects /v2/ but SmartRegistry serves at /oci/v2/
+        if (pathname.startsWith('/v2')) {
+          pathname = '/oci' + pathname;
+        }
+
+        // Read raw body - ALWAYS preserve exact bytes for OCI
+        const chunks: Buffer[] = [];
+        for await (const chunk of req) {
+          chunks.push(chunk);
+        }
+        const bodyBuffer = Buffer.concat(chunks);
+
+        // Parse body based on content type (for non-OCI protocols that need it)
+        let parsedBody: any;
+        if (bodyBuffer.length > 0) {
+          const contentType = req.headers['content-type'] || '';
+          if (contentType.includes('application/json')) {
+            try {
+              parsedBody = JSON.parse(bodyBuffer.toString('utf-8'));
+            } catch (error) {
+              parsedBody = bodyBuffer;
+            }
+          } else {
+            parsedBody = bodyBuffer;
+          }
+        }
+
+        // Convert to IRequestContext
+        const context: IRequestContext = {
+          method: req.method || 'GET',
+          path: pathname,
+          headers: req.headers as Record<string, string>,
+          query: query as Record<string, string>,
+          body: parsedBody,
+          rawBody: bodyBuffer,
+        };
+
+        // Handle request
+        const response: IResponse = await registryInstance.handleRequest(context);
+        console.log(`[Registry] Response: ${response.status} for ${pathname}`);
+
+        // Convert IResponse to HTTP response
+        res.statusCode = response.status;
+
+        // Set headers
+        for (const [key, value] of Object.entries(response.headers || {})) {
+          res.setHeader(key, value);
+        }
+
+        // Send body
+        if (response.body) {
+          if (Buffer.isBuffer(response.body)) {
+            res.end(response.body);
+          } else if (typeof response.body === 'string') {
+            res.end(response.body);
+          } else {
+            res.setHeader('Content-Type', 'application/json');
+            res.end(JSON.stringify(response.body));
+          }
+        } else {
+          res.end();
+        }
+      } catch (error) {
+        console.error('Server error:', error);
+        res.statusCode = 500;
+        res.setHeader('Content-Type', 'application/json');
+        res.end(JSON.stringify({ error: 'INTERNAL_ERROR', message: String(error) }));
+      }
+    });
+
+    httpServer.listen(port, '0.0.0.0', () => {
+      const serverUrl = `http://localhost:${port}`;
+      resolve({ server: httpServer, url: serverUrl });
+    });
+
+    httpServer.on('error', reject);
+  });
+}
+
+/**
+ * Create a test Dockerfile
+ */
+function createTestDockerfile(targetDir: string, content?: string): string {
+  const dockerfilePath = path.join(targetDir, 'Dockerfile');
+  const dockerfileContent = content || `FROM alpine:latest
+RUN echo "Hello from SmartRegistry test" > /hello.txt
+CMD ["cat", "/hello.txt"]
+`;
+  fs.writeFileSync(dockerfilePath, dockerfileContent, 'utf-8');
+  return dockerfilePath;
+}
+
+/**
+ * Run Docker command using the main Docker daemon (not rootless)
+ * Rootless Docker runs in its own network namespace and can't access host localhost
+ *
+ * IMPORTANT: DOCKER_HOST env var overrides --context flag, so we must unset it
+ * and explicitly set the socket path to use the main Docker daemon.
+ */
+async function runDockerCommand(
+  command: string,
+  cwd?: string
+): Promise<{ stdout: string; stderr: string; exitCode: number }> {
+  // First unset DOCKER_HOST then set it to main Docker daemon socket
+  // Using both unset and export ensures we override any inherited env var
+  const dockerCommand = `unset DOCKER_HOST && export DOCKER_HOST=unix:///var/run/docker.sock && ${command}`;
+  const fullCommand = cwd ? `cd "${cwd}" && ${dockerCommand}` : dockerCommand;
+
+  try {
+    const result = await tapNodeTools.runCommand(fullCommand);
+    return {
+      stdout: result.stdout || '',
+      stderr: result.stderr || '',
+      exitCode: result.exitCode || 0,
+    };
+  } catch (error: any) {
+    return {
+      stdout: error.stdout || '',
+      stderr: error.stderr || String(error),
+      exitCode: error.exitCode || 1,
+    };
+  }
+}
+
+/**
+ * Cleanup test directory
+ */
+function cleanupTestDir(dir: string): void {
+  if (fs.existsSync(dir)) {
+    fs.rmSync(dir, { recursive: true, force: true });
+  }
+}
+
+/**
+ * Cleanup Docker resources
+ */
+async function cleanupDocker(imageName: string): Promise<void> {
+  await runDockerCommand(`docker rmi ${imageName} 2>/dev/null || true`);
+  await runDockerCommand(`docker rmi ${imageName}:v1 2>/dev/null || true`);
+  await runDockerCommand(`docker rmi ${imageName}:v2 2>/dev/null || true`);
+}
+
+// ========================================================================
+// TESTS
+// ========================================================================
+
+tap.test('Docker CLI: should verify Docker is installed', async () => {
+  const result = await runDockerCommand('docker version');
+  console.log('Docker version output:', result.stdout.substring(0, 200));
+  expect(result.exitCode).toEqual(0);
+});
+
+tap.test('Docker CLI: should setup registry and HTTP server', async () => {
+  // Use localhost - Docker allows HTTP for localhost without any special config
+  registryPort = 15000 + Math.floor(Math.random() * 1000);
+  console.log(`Using port: ${registryPort}`);
+
+  registry = await createDockerTestRegistry(registryPort);
+  const tokens = await createDockerTestTokens(registry);
+  ociToken = tokens.ociToken;
+
+  expect(registry).toBeInstanceOf(SmartRegistry);
+  expect(ociToken).toBeTypeOf('string');
+
+  const serverSetup = await createHttpServer(registry, registryPort, ociToken);
+  server = serverSetup.server;
+  registryUrl = serverSetup.url;
+
+  expect(server).toBeDefined();
+  console.log(`Registry server started at ${registryUrl}`);
+
+  // Setup test directory
+  testDir = path.join(process.cwd(), '.nogit', 'test-docker-cli');
+  cleanupTestDir(testDir);
+  fs.mkdirSync(testDir, { recursive: true });
+
+  testImageName = `localhost:${registryPort}/test-image`;
+});
+
+tap.test('Docker CLI: should verify server is responding', async () => {
+  // Give the server a moment to fully initialize
+  await new Promise(resolve => setTimeout(resolve, 500));
+
+  const response = await fetch(`${registryUrl}/oci/v2/`);
+  expect(response.status).toEqual(200);
+  console.log('OCI v2 response:', await response.json());
+});
+
+tap.test('Docker CLI: should login to registry', async () => {
+  const result = await runDockerCommand(
+    `echo "${ociToken}" | docker login localhost:${registryPort} -u testuser --password-stdin`
+  );
+  console.log('docker login output:', result.stdout);
+  console.log('docker login stderr:', result.stderr);
+
+  const combinedOutput = result.stdout + result.stderr;
+  expect(combinedOutput).toContain('Login Succeeded');
+});
+
+tap.test('Docker CLI: should build test image', async () => {
+  createTestDockerfile(testDir);
+
+  const result = await runDockerCommand(
+    `docker build -t ${testImageName}:v1 .`,
+    testDir
+  );
+  console.log('docker build output:', result.stdout.substring(0, 500));
+
+  expect(result.exitCode).toEqual(0);
+});
+
+tap.test('Docker CLI: should push image to registry', async () => {
+  // This is the critical test - if the digest mismatch bug is fixed,
+  // this should succeed. The manifest bytes must be preserved exactly.
+  const result = await runDockerCommand(`docker push ${testImageName}:v1`);
+  console.log('docker push output:', result.stdout);
+  console.log('docker push stderr:', result.stderr);
+
+  expect(result.exitCode).toEqual(0);
+});
+
+tap.test('Docker CLI: should verify manifest in registry via API', async () => {
+  const response = await fetch(`${registryUrl}/oci/v2/test-image/tags/list`, {
+    headers: { Authorization: `Bearer ${ociToken}` },
+  });
+
+  expect(response.status).toEqual(200);
+
+  const tagList = await response.json();
+  console.log('Tags list:', tagList);
+
+  expect(tagList.name).toEqual('test-image');
+  expect(tagList.tags).toContain('v1');
+});
+
+tap.test('Docker CLI: should pull pushed image', async () => {
+  // First remove the local image
+  await runDockerCommand(`docker rmi ${testImageName}:v1 || true`);
+
+  const result = await runDockerCommand(`docker pull ${testImageName}:v1`);
+  console.log('docker pull output:', result.stdout);
+
+  expect(result.exitCode).toEqual(0);
+});
+
+tap.test('Docker CLI: should run pulled image', async () => {
+  const result = await runDockerCommand(`docker run --rm ${testImageName}:v1`);
+  console.log('docker run output:', result.stdout);
+
+  expect(result.exitCode).toEqual(0);
+  expect(result.stdout).toContain('Hello from SmartRegistry test');
+});
+
+tap.postTask('cleanup docker cli tests', async () => {
+  if (testImageName) {
+    await cleanupDocker(testImageName);
+  }
+
+  if (server) {
+    await new Promise<void>((resolve) => {
+      server.close(() => resolve());
+    });
+  }
+
+  if (testDir) {
+    cleanupTestDir(testDir);
+  }
+
+  if (registry) {
+    registry.destroy();
+  }
+});
+
+export default tap.start();

test/test.pypi.ts

@@ -80,6 +80,7 @@ tap.test('PyPI: should upload wheel file (POST /pypi/)', async () => {
       pyversion: 'py3',
       metadata_version: '2.1',
       sha256_digest: hashes.sha256,
+      requires_python: '>=3.7',
       content: testWheelData,
       filename: filename,
     },
@@ -99,7 +100,7 @@ tap.test('PyPI: should retrieve Simple API root index HTML (GET /simple/)', asyn
   });
 
   expect(response.status).toEqual(200);
-  expect(response.headers['Content-Type']).toEqual('text/html');
+  expect(response.headers['Content-Type']).toStartWith('text/html');
   expect(response.body).toBeTypeOf('string');
 
   const html = response.body as string;
@@ -125,8 +126,10 @@ tap.test('PyPI: should retrieve Simple API root index JSON (GET /simple/ with Ac
   const json = response.body as any;
   expect(json).toHaveProperty('meta');
   expect(json).toHaveProperty('projects');
-  expect(json.projects).toBeTypeOf('object');
+  expect(json.projects).toBeInstanceOf(Array);
-  expect(json.projects).toHaveProperty(normalizedPackageName);
+  // Check that the package is in the projects list (PEP 691 format: array of { name } objects)
+  const packageNames = json.projects.map((p: any) => p.name);
+  expect(packageNames).toContain(normalizedPackageName);
 });
 
 tap.test('PyPI: should retrieve Simple API package HTML (GET /simple/{package}/)', async () => {
@@ -140,7 +143,7 @@ tap.test('PyPI: should retrieve Simple API package HTML (GET /simple/{package}/)
   });
 
   expect(response.status).toEqual(200);
-  expect(response.headers['Content-Type']).toEqual('text/html');
+  expect(response.headers['Content-Type']).toStartWith('text/html');
   expect(response.body).toBeTypeOf('string');
 
   const html = response.body as string;
@@ -210,6 +213,7 @@ tap.test('PyPI: should upload sdist file (POST /pypi/)', async () => {
       pyversion: 'source',
       metadata_version: '2.1',
       sha256_digest: hashes.sha256,
+      requires_python: '>=3.7',
       content: testSdistData,
       filename: filename,
     },
@@ -231,10 +235,11 @@ tap.test('PyPI: should list both wheel and sdist in Simple API', async () => {
   expect(response.status).toEqual(200);
 
   const json = response.body as any;
-  expect(Object.keys(json.files).length).toEqual(2);
+  // PEP 691: files is an array of file objects
+  expect(json.files.length).toEqual(2);
 
-  const hasWheel = Object.keys(json.files).some(f => f.endsWith('.whl'));
+  const hasWheel = json.files.some((f: any) => f.filename.endsWith('.whl'));
-  const hasSdist = Object.keys(json.files).some(f => f.endsWith('.tar.gz'));
+  const hasSdist = json.files.some((f: any) => f.filename.endsWith('.tar.gz'));
 
   expect(hasWheel).toEqual(true);
   expect(hasSdist).toEqual(true);
@@ -263,6 +268,7 @@ tap.test('PyPI: should upload a second version', async () => {
       pyversion: 'py3',
       metadata_version: '2.1',
       sha256_digest: hashes.sha256,
+      requires_python: '>=3.7',
       content: newWheelData,
       filename: filename,
     },
@@ -284,10 +290,11 @@ tap.test('PyPI: should list multiple versions in Simple API', async () => {
   expect(response.status).toEqual(200);
 
   const json = response.body as any;
-  expect(Object.keys(json.files).length).toBeGreaterThan(2);
+  // PEP 691: files is an array of file objects
+  expect(json.files.length).toBeGreaterThan(2);
 
-  const hasVersion1 = Object.keys(json.files).some(f => f.includes('1.0.0'));
+  const hasVersion1 = json.files.some((f: any) => f.filename.includes('1.0.0'));
-  const hasVersion2 = Object.keys(json.files).some(f => f.includes('2.0.0'));
+  const hasVersion2 = json.files.some((f: any) => f.filename.includes('2.0.0'));
 
   expect(hasVersion1).toEqual(true);
   expect(hasVersion2).toEqual(true);
@@ -420,7 +427,8 @@ tap.test('PyPI: should handle package with requires-python metadata', async () =
 
   const html = getResponse.body as string;
   expect(html).toContain('data-requires-python');
-  expect(html).toContain('>=3.8');
+  // Note: >= gets HTML-escaped to >= in attribute values
+  expect(html).toContain('>=3.8');
 });
 
 tap.test('PyPI: should support JSON API for package metadata', async () => {

test/test.rubygems.nativecli.node.ts

@@ -0,0 +1,448 @@
+/**
+ * Native gem CLI Testing
+ * Tests the RubyGems registry implementation using the actual gem CLI
+ */
+
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
+import { SmartRegistry } from '../ts/index.js';
+import { createTestRegistry, createTestTokens, createRubyGem } from './helpers/registry.js';
+import type { IRequestContext, IResponse } from '../ts/core/interfaces.core.js';
+import * as http from 'http';
+import * as url from 'url';
+import * as fs from 'fs';
+import * as path from 'path';
+
+// Test context
+let registry: SmartRegistry;
+let server: http.Server;
+let registryUrl: string;
+let registryPort: number;
+let rubygemsToken: string;
+let testDir: string;
+let gemHome: string;
+
+/**
+ * Create HTTP server wrapper around SmartRegistry
+ */
+async function createHttpServer(
+  registryInstance: SmartRegistry,
+  port: number
+): Promise<{ server: http.Server; url: string }> {
+  return new Promise((resolve, reject) => {
+    const httpServer = http.createServer(async (req, res) => {
+      try {
+        // Parse request
+        const parsedUrl = url.parse(req.url || '', true);
+        const pathname = parsedUrl.pathname || '/';
+        const query = parsedUrl.query;
+
+        // Read body
+        const chunks: Buffer[] = [];
+        for await (const chunk of req) {
+          chunks.push(chunk);
+        }
+        const bodyBuffer = Buffer.concat(chunks);
+
+        // Parse body based on content type
+        let body: any;
+        if (bodyBuffer.length > 0) {
+          const contentType = req.headers['content-type'] || '';
+          if (contentType.includes('application/json')) {
+            try {
+              body = JSON.parse(bodyBuffer.toString('utf-8'));
+            } catch (error) {
+              body = bodyBuffer;
+            }
+          } else {
+            body = bodyBuffer;
+          }
+        }
+
+        // Convert to IRequestContext
+        const context: IRequestContext = {
+          method: req.method || 'GET',
+          path: pathname,
+          headers: req.headers as Record<string, string>,
+          query: query as Record<string, string>,
+          body: body,
+        };
+
+        // Handle request
+        const response: IResponse = await registryInstance.handleRequest(context);
+
+        // Convert IResponse to HTTP response
+        res.statusCode = response.status;
+
+        // Set headers
+        for (const [key, value] of Object.entries(response.headers || {})) {
+          res.setHeader(key, value);
+        }
+
+        // Send body
+        if (response.body) {
+          if (Buffer.isBuffer(response.body)) {
+            res.end(response.body);
+          } else if (typeof response.body === 'string') {
+            res.end(response.body);
+          } else {
+            res.setHeader('Content-Type', 'application/json');
+            res.end(JSON.stringify(response.body));
+          }
+        } else {
+          res.end();
+        }
+      } catch (error) {
+        console.error('Server error:', error);
+        res.statusCode = 500;
+        res.setHeader('Content-Type', 'application/json');
+        res.end(JSON.stringify({ error: 'INTERNAL_ERROR', message: String(error) }));
+      }
+    });
+
+    httpServer.listen(port, () => {
+      const serverUrl = `http://localhost:${port}`;
+      resolve({ server: httpServer, url: serverUrl });
+    });
+
+    httpServer.on('error', reject);
+  });
+}
+
+/**
+ * Setup gem credentials file
+ * Format: YAML with :rubygems_api_key: TOKEN
+ */
+function setupGemCredentials(token: string, gemHomeArg: string): string {
+  const gemDir = path.join(gemHomeArg, '.gem');
+  fs.mkdirSync(gemDir, { recursive: true });
+
+  // Create credentials file in YAML format
+  const credentialsContent = `:rubygems_api_key: ${token}\n`;
+
+  const credentialsPath = path.join(gemDir, 'credentials');
+  fs.writeFileSync(credentialsPath, credentialsContent, 'utf-8');
+
+  // Set restrictive permissions (gem requires 0600)
+  fs.chmodSync(credentialsPath, 0o600);
+
+  return credentialsPath;
+}
+
+/**
+ * Create a test gem file
+ */
+async function createTestGemFile(
+  gemName: string,
+  version: string,
+  targetDir: string
+): Promise<string> {
+  const gemData = await createRubyGem(gemName, version);
+  const gemFilename = `${gemName}-${version}.gem`;
+  const gemPath = path.join(targetDir, gemFilename);
+
+  fs.writeFileSync(gemPath, gemData);
+
+  return gemPath;
+}
+
+/**
+ * Run gem command with proper environment
+ */
+async function runGemCommand(
+  command: string,
+  cwd: string,
+  includeAuth: boolean = true
+): Promise<{ stdout: string; stderr: string; exitCode: number }> {
+  // Prepare environment variables
+  const envVars = [
+    `HOME="${gemHome}"`,
+    `GEM_HOME="${gemHome}"`,
+    includeAuth ? '' : 'RUBYGEMS_API_KEY=""',
+  ].filter(Boolean).join(' ');
+
+  // Build command with cd to correct directory and environment variables
+  const fullCommand = `cd "${cwd}" && ${envVars} ${command}`;
+
+  try {
+    const result = await tapNodeTools.runCommand(fullCommand);
+    return {
+      stdout: result.stdout || '',
+      stderr: result.stderr || '',
+      exitCode: result.exitCode || 0,
+    };
+  } catch (error: any) {
+    return {
+      stdout: error.stdout || '',
+      stderr: error.stderr || String(error),
+      exitCode: error.exitCode || 1,
+    };
+  }
+}
+
+/**
+ * Cleanup test directory
+ */
+function cleanupTestDir(dir: string): void {
+  if (fs.existsSync(dir)) {
+    fs.rmSync(dir, { recursive: true, force: true });
+  }
+}
+
+// ========================================================================
+// TESTS
+// ========================================================================
+
+tap.test('RubyGems CLI: should setup registry and HTTP server', async () => {
+  // Create registry
+  registry = await createTestRegistry();
+  const tokens = await createTestTokens(registry);
+  rubygemsToken = tokens.rubygemsToken;
+
+  expect(registry).toBeInstanceOf(SmartRegistry);
+  expect(rubygemsToken).toBeTypeOf('string');
+
+  // Use port 36000 (avoids npm:35000, cargo:5000 conflicts)
+  registryPort = 36000;
+  const serverSetup = await createHttpServer(registry, registryPort);
+  server = serverSetup.server;
+  registryUrl = serverSetup.url;
+
+  expect(server).toBeDefined();
+  expect(registryUrl).toEqual(`http://localhost:${registryPort}`);
+
+  // Setup test directory
+  testDir = path.join(process.cwd(), '.nogit', 'test-rubygems-cli');
+  cleanupTestDir(testDir);
+  fs.mkdirSync(testDir, { recursive: true });
+
+  // Setup GEM_HOME
+  gemHome = path.join(testDir, '.gem-home');
+  fs.mkdirSync(gemHome, { recursive: true });
+
+  // Setup gem credentials
+  const credentialsPath = setupGemCredentials(rubygemsToken, gemHome);
+  expect(fs.existsSync(credentialsPath)).toEqual(true);
+
+  // Verify credentials file has correct permissions
+  const stats = fs.statSync(credentialsPath);
+  const mode = stats.mode & 0o777;
+  expect(mode).toEqual(0o600);
+});
+
+tap.test('RubyGems CLI: should verify server is responding', async () => {
+  // Check server is up by doing a direct HTTP request to the Compact Index
+  const response = await fetch(`${registryUrl}/rubygems/versions`);
+  expect(response.status).toBeGreaterThanOrEqual(200);
+  expect(response.status).toBeLessThan(500);
+});
+
+tap.test('RubyGems CLI: should build and push a gem', async () => {
+  const gemName = 'test-gem-cli';
+  const version = '1.0.0';
+  const gemPath = await createTestGemFile(gemName, version, testDir);
+
+  expect(fs.existsSync(gemPath)).toEqual(true);
+
+  const result = await runGemCommand(
+    `gem push ${gemPath} --host ${registryUrl}/rubygems`,
+    testDir
+  );
+  console.log('gem push output:', result.stdout);
+  console.log('gem push stderr:', result.stderr);
+
+  expect(result.exitCode).toEqual(0);
+  expect(result.stdout || result.stderr).toContain(gemName);
+});
+
+tap.test('RubyGems CLI: should verify gem in Compact Index /versions', async () => {
+  const gemName = 'test-gem-cli';
+
+  const response = await fetch(`${registryUrl}/rubygems/versions`);
+  expect(response.status).toEqual(200);
+
+  const versionsData = await response.text();
+  console.log('Versions data:', versionsData);
+
+  // Format: GEMNAME VERSION[,VERSION...] MD5
+  expect(versionsData).toContain(gemName);
+  expect(versionsData).toContain('1.0.0');
+});
+
+tap.test('RubyGems CLI: should verify gem in Compact Index /info file', async () => {
+  const gemName = 'test-gem-cli';
+
+  const response = await fetch(`${registryUrl}/rubygems/info/${gemName}`);
+  expect(response.status).toEqual(200);
+
+  const infoData = await response.text();
+  console.log('Info data:', infoData);
+
+  // Format: VERSION [DEPS]|REQS
+  expect(infoData).toContain('1.0.0');
+});
+
+tap.test('RubyGems CLI: should download gem file', async () => {
+  const gemName = 'test-gem-cli';
+  const version = '1.0.0';
+
+  const response = await fetch(`${registryUrl}/rubygems/gems/${gemName}-${version}.gem`);
+  expect(response.status).toEqual(200);
+
+  const gemData = await response.arrayBuffer();
+  expect(gemData.byteLength).toBeGreaterThan(0);
+
+  // Verify content type
+  expect(response.headers.get('content-type')).toContain('application/octet-stream');
+});
+
+tap.test('RubyGems CLI: should fetch gem metadata JSON', async () => {
+  const gemName = 'test-gem-cli';
+
+  const response = await fetch(`${registryUrl}/rubygems/api/v1/versions/${gemName}.json`);
+  expect(response.status).toEqual(200);
+
+  const metadata = await response.json();
+  console.log('Metadata:', metadata);
+
+  expect(metadata).toBeInstanceOf(Array);
+  expect(metadata.length).toBeGreaterThan(0);
+  expect(metadata[0].number).toEqual('1.0.0');
+});
+
+tap.test('RubyGems CLI: should push second version', async () => {
+  const gemName = 'test-gem-cli';
+  const version = '2.0.0';
+  const gemPath = await createTestGemFile(gemName, version, testDir);
+
+  const result = await runGemCommand(
+    `gem push ${gemPath} --host ${registryUrl}/rubygems`,
+    testDir
+  );
+  console.log('gem push v2.0.0 output:', result.stdout);
+
+  expect(result.exitCode).toEqual(0);
+});
+
+tap.test('RubyGems CLI: should list all versions in /versions file', async () => {
+  const gemName = 'test-gem-cli';
+
+  const response = await fetch(`${registryUrl}/rubygems/versions`);
+  expect(response.status).toEqual(200);
+
+  const versionsData = await response.text();
+  console.log('All versions data:', versionsData);
+
+  // Should contain both versions
+  expect(versionsData).toContain(gemName);
+  expect(versionsData).toContain('1.0.0');
+  expect(versionsData).toContain('2.0.0');
+});
+
+tap.test('RubyGems CLI: should yank a version', async () => {
+  const gemName = 'test-gem-cli';
+  const version = '1.0.0';
+
+  const result = await runGemCommand(
+    `gem yank ${gemName} -v ${version} --host ${registryUrl}/rubygems`,
+    testDir
+  );
+  console.log('gem yank output:', result.stdout);
+  console.log('gem yank stderr:', result.stderr);
+
+  expect(result.exitCode).toEqual(0);
+
+  // Verify version is yanked in /versions file
+  // Yanked versions are prefixed with '-'
+  const response = await fetch(`${registryUrl}/rubygems/versions`);
+  const versionsData = await response.text();
+  console.log('Versions after yank:', versionsData);
+
+  // Yanked version should have '-' prefix
+  expect(versionsData).toContain('-1.0.0');
+});
+
+tap.test('RubyGems CLI: should unyank a version', async () => {
+  const gemName = 'test-gem-cli';
+  const version = '1.0.0';
+
+  const result = await runGemCommand(
+    `gem yank ${gemName} -v ${version} --undo --host ${registryUrl}/rubygems`,
+    testDir
+  );
+  console.log('gem unyank output:', result.stdout);
+  console.log('gem unyank stderr:', result.stderr);
+
+  expect(result.exitCode).toEqual(0);
+
+  // Verify version is not yanked in /versions file
+  const response = await fetch(`${registryUrl}/rubygems/versions`);
+  const versionsData = await response.text();
+  console.log('Versions after unyank:', versionsData);
+
+  // Should not have '-' prefix anymore (or have both without prefix)
+  // Check that we have the version without yank marker
+  const lines = versionsData.trim().split('\n');
+  const gemLine = lines.find(line => line.startsWith(gemName));
+
+  if (gemLine) {
+    // Parse format: "gemname version[,version...] md5"
+    const parts = gemLine.split(' ');
+    const versions = parts[1];
+
+    // Should have 1.0.0 without '-' prefix
+    expect(versions).toContain('1.0.0');
+    expect(versions).not.toContain('-1.0.0');
+  }
+});
+
+tap.test('RubyGems CLI: should fetch dependencies', async () => {
+  const gemName = 'test-gem-cli';
+
+  const response = await fetch(`${registryUrl}/rubygems/api/v1/dependencies?gems=${gemName}`);
+  expect(response.status).toEqual(200);
+
+  const dependencies = await response.json();
+  console.log('Dependencies:', dependencies);
+
+  expect(dependencies).toBeInstanceOf(Array);
+});
+
+tap.test('RubyGems CLI: should fail to push without auth', async () => {
+  const gemName = 'unauth-gem';
+  const version = '1.0.0';
+  const gemPath = await createTestGemFile(gemName, version, testDir);
+
+  // Run without auth
+  const result = await runGemCommand(
+    `gem push ${gemPath} --host ${registryUrl}/rubygems`,
+    testDir,
+    false
+  );
+  console.log('gem push unauth output:', result.stdout);
+  console.log('gem push unauth stderr:', result.stderr);
+
+  // Should fail with auth error
+  expect(result.exitCode).not.toEqual(0);
+});
+
+tap.postTask('cleanup rubygems cli tests', async () => {
+  // Stop server
+  if (server) {
+    await new Promise<void>((resolve) => {
+      server.close(() => resolve());
+    });
+  }
+
+  // Cleanup test directory
+  if (testDir) {
+    cleanupTestDir(testDir);
+  }
+
+  // Destroy registry
+  if (registry) {
+    registry.destroy();
+  }
+});
+
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartregistry',
-  version: '1.6.0',
+  version: '2.2.0',
   description: 'A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries'
 }

ts/classes.smartregistry.ts

@@ -41,15 +41,19 @@ export class SmartRegistry {
 
     // Initialize OCI registry if enabled
     if (this.config.oci?.enabled) {
-      const ociBasePath = this.config.oci.basePath || '/oci';
+      const ociBasePath = this.config.oci.basePath ?? '/oci';
-      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath);
+      const ociTokens = this.config.auth.ociTokens?.enabled ? {
+        realm: this.config.auth.ociTokens.realm,
+        service: this.config.auth.ociTokens.service,
+      } : undefined;
+      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath, ociTokens);
       await ociRegistry.init();
       this.registries.set('oci', ociRegistry);
     }
 
     // Initialize NPM registry if enabled
     if (this.config.npm?.enabled) {
-      const npmBasePath = this.config.npm.basePath || '/npm';
+      const npmBasePath = this.config.npm.basePath ?? '/npm';
       const registryUrl = `http://localhost:5000${npmBasePath}`; // TODO: Make configurable
       const npmRegistry = new NpmRegistry(this.storage, this.authManager, npmBasePath, registryUrl);
       await npmRegistry.init();
@@ -58,7 +62,7 @@ export class SmartRegistry {
 
     // Initialize Maven registry if enabled
     if (this.config.maven?.enabled) {
-      const mavenBasePath = this.config.maven.basePath || '/maven';
+      const mavenBasePath = this.config.maven.basePath ?? '/maven';
       const registryUrl = `http://localhost:5000${mavenBasePath}`; // TODO: Make configurable
       const mavenRegistry = new MavenRegistry(this.storage, this.authManager, mavenBasePath, registryUrl);
       await mavenRegistry.init();
@@ -67,7 +71,7 @@ export class SmartRegistry {
 
     // Initialize Cargo registry if enabled
     if (this.config.cargo?.enabled) {
-      const cargoBasePath = this.config.cargo.basePath || '/cargo';
+      const cargoBasePath = this.config.cargo.basePath ?? '/cargo';
       const registryUrl = `http://localhost:5000${cargoBasePath}`; // TODO: Make configurable
       const cargoRegistry = new CargoRegistry(this.storage, this.authManager, cargoBasePath, registryUrl);
       await cargoRegistry.init();
@@ -76,7 +80,7 @@ export class SmartRegistry {
 
     // Initialize Composer registry if enabled
     if (this.config.composer?.enabled) {
-      const composerBasePath = this.config.composer.basePath || '/composer';
+      const composerBasePath = this.config.composer.basePath ?? '/composer';
       const registryUrl = `http://localhost:5000${composerBasePath}`; // TODO: Make configurable
       const composerRegistry = new ComposerRegistry(this.storage, this.authManager, composerBasePath, registryUrl);
       await composerRegistry.init();
@@ -85,7 +89,7 @@ export class SmartRegistry {
 
     // Initialize PyPI registry if enabled
     if (this.config.pypi?.enabled) {
-      const pypiBasePath = this.config.pypi.basePath || '/pypi';
+      const pypiBasePath = this.config.pypi.basePath ?? '/pypi';
       const registryUrl = `http://localhost:5000`; // TODO: Make configurable
       const pypiRegistry = new PypiRegistry(this.storage, this.authManager, pypiBasePath, registryUrl);
       await pypiRegistry.init();
@@ -94,7 +98,7 @@ export class SmartRegistry {
 
     // Initialize RubyGems registry if enabled
     if (this.config.rubygems?.enabled) {
-      const rubygemsBasePath = this.config.rubygems.basePath || '/rubygems';
+      const rubygemsBasePath = this.config.rubygems.basePath ?? '/rubygems';
       const registryUrl = `http://localhost:5000${rubygemsBasePath}`; // TODO: Make configurable
       const rubygemsRegistry = new RubyGemsRegistry(this.storage, this.authManager, rubygemsBasePath, registryUrl);
       await rubygemsRegistry.init();
@@ -153,7 +157,7 @@ export class SmartRegistry {
 
     // Route to PyPI registry (also handles /simple prefix)
     if (this.config.pypi?.enabled) {
-      const pypiBasePath = this.config.pypi.basePath || '/pypi';
+      const pypiBasePath = this.config.pypi.basePath ?? '/pypi';
       if (path.startsWith(pypiBasePath) || path.startsWith('/simple')) {
         const pypiRegistry = this.registries.get('pypi');
         if (pypiRegistry) {

ts/core/classes.authmanager.ts

@@ -1,4 +1,5 @@
 import type { IAuthConfig, IAuthToken, ICredentials, TRegistryProtocol } from './interfaces.core.js';
+import * as crypto from 'crypto';
 
 /**
  * Unified authentication manager for all registry protocols
@@ -136,7 +137,7 @@ export class AuthManager {
    * @param userId - User ID
    * @param scopes - Permission scopes
    * @param expiresIn - Expiration time in seconds
-   * @returns JWT token string
+   * @returns JWT token string (HMAC-SHA256 signed)
    */
   public async createOciToken(
     userId: string,
@@ -158,9 +159,17 @@ export class AuthManager {
       access: this.scopesToOciAccess(scopes),
     };
 
-    // In production, use proper JWT library with signing
+    // Create JWT with HMAC-SHA256 signature
-    // For now, return JSON string (mock JWT)
+    const header = { alg: 'HS256', typ: 'JWT' };
-    return JSON.stringify(payload);
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+
+    const signature = crypto
+      .createHmac('sha256', this.config.jwtSecret)
+      .update(`${headerB64}.${payloadB64}`)
+      .digest('base64url');
+
+    return `${headerB64}.${payloadB64}.${signature}`;
   }
 
   /**
@@ -170,8 +179,25 @@ export class AuthManager {
    */
   public async validateOciToken(jwt: string): Promise<IAuthToken | null> {
     try {
-      // In production, verify JWT signature
+      const parts = jwt.split('.');
-      const payload = JSON.parse(jwt);
+      if (parts.length !== 3) {
+        return null;
+      }
+
+      const [headerB64, payloadB64, signatureB64] = parts;
+
+      // Verify signature
+      const expectedSignature = crypto
+        .createHmac('sha256', this.config.jwtSecret)
+        .update(`${headerB64}.${payloadB64}`)
+        .digest('base64url');
+
+      if (signatureB64 !== expectedSignature) {
+        return null;
+      }
+
+      // Decode and parse payload
+      const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf-8'));
 
       // Check expiration
       const now = Math.floor(Date.now() / 1000);
@@ -179,6 +205,11 @@ export class AuthManager {
         return null;
       }
 
+      // Check not-before time
+      if (payload.nbf && payload.nbf > now) {
+        return null;
+      }
+
       // Convert to unified token format
       const scopes = this.ociAccessToScopes(payload.access || []);
 

ts/core/classes.registrystorage.ts

@@ -18,14 +18,8 @@ export class RegistryStorage implements IStorageBackend {
    * Initialize the storage backend
    */
   public async init(): Promise<void> {
-    this.smartBucket = new plugins.smartbucket.SmartBucket({
+    // Pass config as IS3Descriptor to SmartBucket (bucketName is extra, SmartBucket ignores it)
-      accessKey: this.config.accessKey,
+    this.smartBucket = new plugins.smartbucket.SmartBucket(this.config as plugins.tsclass.storage.IS3Descriptor);
-      accessSecret: this.config.accessSecret,
-      endpoint: this.config.endpoint,
-      port: this.config.port || 443,
-      useSsl: this.config.useSsl !== false,
-      region: this.config.region || 'us-east-1',
-    });
 
     // Ensure bucket exists
     await this.smartBucket.createBucket(this.bucketName).catch(() => {
@@ -135,7 +129,7 @@ export class RegistryStorage implements IStorageBackend {
   }
 
   /**
-   * Get OCI manifest
+   * Get OCI manifest and its content type
    */
   public async getOciManifest(repository: string, digest: string): Promise<Buffer | null> {
     const path = this.getOciManifestPath(repository, digest);
@@ -143,7 +137,17 @@ export class RegistryStorage implements IStorageBackend {
   }
 
   /**
-   * Store OCI manifest
+   * Get OCI manifest content type
+   * Returns the stored content type or null if not found
+   */
+  public async getOciManifestContentType(repository: string, digest: string): Promise<string | null> {
+    const typePath = this.getOciManifestPath(repository, digest) + '.type';
+    const data = await this.getObject(typePath);
+    return data ? data.toString('utf-8') : null;
+  }
+
+  /**
+   * Store OCI manifest with its content type
    */
   public async putOciManifest(
     repository: string,
@@ -152,7 +156,11 @@ export class RegistryStorage implements IStorageBackend {
     contentType: string
   ): Promise<void> {
     const path = this.getOciManifestPath(repository, digest);
-    return this.putObject(path, data, { 'Content-Type': contentType });
+    // Store manifest data
+    await this.putObject(path, data, { 'Content-Type': contentType });
+    // Store content type in sidecar file for later retrieval
+    const typePath = path + '.type';
+    await this.putObject(typePath, Buffer.from(contentType, 'utf-8'));
   }
 
   /**

ts/core/interfaces.core.ts

@@ -2,6 +2,8 @@
  * Core interfaces for the composable registry system
  */
 
+import type * as plugins from '../plugins.js';
+
 /**
  * Registry protocol types
  */
@@ -40,14 +42,9 @@ export interface ICredentials {
 
 /**
  * Storage backend configuration
+ * Extends IS3Descriptor from @tsclass/tsclass with bucketName
  */
-export interface IStorageConfig {
+export interface IStorageConfig extends plugins.tsclass.storage.IS3Descriptor {
-  accessKey: string;
-  accessSecret: string;
-  endpoint: string;
-  port?: number;
-  useSsl?: boolean;
-  region?: string;
   bucketName: string;
 }
 
@@ -161,6 +158,12 @@ export interface IRequestContext {
   headers: Record<string, string>;
   query: Record<string, string>;
   body?: any;
+  /**
+   * Raw request body as bytes. MUST be provided for content-addressable operations
+   * (OCI manifests, blobs) to ensure digest calculation matches client expectations.
+   * If not provided, falls back to 'body' field.
+   */
+  rawBody?: Buffer;
   token?: string;
 }
 

ts/oci/classes.ociregistry.ts

@@ -20,12 +20,19 @@ export class OciRegistry extends BaseRegistry {
   private uploadSessions: Map<string, IUploadSession> = new Map();
   private basePath: string = '/oci';
   private cleanupInterval?: NodeJS.Timeout;
+  private ociTokens?: { realm: string; service: string };
 
-  constructor(storage: RegistryStorage, authManager: AuthManager, basePath: string = '/oci') {
+  constructor(
+    storage: RegistryStorage,
+    authManager: AuthManager,
+    basePath: string = '/oci',
+    ociTokens?: { realm: string; service: string }
+  ) {
     super();
     this.storage = storage;
     this.authManager = authManager;
     this.basePath = basePath;
+    this.ociTokens = ociTokens;
   }
 
   public async init(): Promise<void> {
@@ -55,7 +62,9 @@ export class OciRegistry extends BaseRegistry {
     const manifestMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/manifests\/([^\/]+)$/);
     if (manifestMatch) {
       const [, name, reference] = manifestMatch;
-      return this.handleManifestRequest(context.method, name, reference, token, context.body, context.headers);
+      // Prefer rawBody for content-addressable operations to preserve exact bytes
+      const bodyData = context.rawBody || context.body;
+      return this.handleManifestRequest(context.method, name, reference, token, bodyData, context.headers);
     }
 
     // Blob operations: /v2/{name}/blobs/{digest}
@@ -69,7 +78,9 @@ export class OciRegistry extends BaseRegistry {
     const uploadInitMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/?$/);
     if (uploadInitMatch && context.method === 'POST') {
       const [, name] = uploadInitMatch;
-      return this.handleUploadInit(name, token, context.query, context.body);
+      // Prefer rawBody for content-addressable operations to preserve exact bytes
+      const bodyData = context.rawBody || context.body;
+      return this.handleUploadInit(name, token, context.query, bodyData);
     }
 
     // Blob upload operations: /v2/{name}/blobs/uploads/{uuid}
@@ -180,18 +191,14 @@ export class OciRegistry extends BaseRegistry {
     body?: Buffer | any
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'push');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     // Check for monolithic upload (digest + body provided)
     const digest = query.digest;
     if (digest && body) {
       // Monolithic upload: complete upload in single POST
-      const blobData = Buffer.isBuffer(body) ? body : Buffer.from(JSON.stringify(body));
+      const blobData = this.toBuffer(body);
 
       // Verify digest
       const calculatedDigest = await this.calculateDigest(blobData);
@@ -255,18 +262,17 @@ export class OciRegistry extends BaseRegistry {
     }
 
     if (!await this.checkPermission(token, session.repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(session.repository, 'push');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
+    // Prefer rawBody for content-addressable operations to preserve exact bytes
+    const bodyData = context.rawBody || context.body;
+
     switch (method) {
       case 'PATCH':
-        return this.uploadChunk(uploadId, context.body, context.headers['content-range']);
+        return this.uploadChunk(uploadId, bodyData, context.headers['content-range']);
       case 'PUT':
-        return this.completeUpload(uploadId, context.query['digest'], context.body);
+        return this.completeUpload(uploadId, context.query['digest'], bodyData);
       case 'GET':
         return this.getUploadStatus(uploadId);
       default:
@@ -288,13 +294,7 @@ export class OciRegistry extends BaseRegistry {
     headers?: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
-        status: 401,
-        headers: {
-          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:pull"`,
-        },
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     // Resolve tag to digest if needed
@@ -320,10 +320,17 @@ export class OciRegistry extends BaseRegistry {
       };
     }
 
+    // Get stored content type, falling back to detecting from manifest content
+    let contentType = await this.storage.getOciManifestContentType(repository, digest);
+    if (!contentType) {
+      // Fallback: detect content type from manifest content
+      contentType = this.detectManifestContentType(manifestData);
+    }
+
     return {
       status: 200,
       headers: {
-        'Content-Type': 'application/vnd.oci.image.manifest.v1+json',
+        'Content-Type': contentType,
         'Docker-Content-Digest': digest,
       },
       body: manifestData,
@@ -336,11 +343,7 @@ export class OciRegistry extends BaseRegistry {
     token: IAuthToken | null
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedHeadResponse(repository, 'pull');
-        status: 401,
-        headers: {},
-        body: null,
-      };
     }
 
     // Similar logic as getManifest but return headers only
@@ -360,10 +363,18 @@ export class OciRegistry extends BaseRegistry {
 
     const manifestData = await this.storage.getOciManifest(repository, digest);
 
+    // Get stored content type, falling back to detecting from manifest content
+    let contentType = await this.storage.getOciManifestContentType(repository, digest);
+    if (!contentType && manifestData) {
+      // Fallback: detect content type from manifest content
+      contentType = this.detectManifestContentType(manifestData);
+    }
+    contentType = contentType || 'application/vnd.oci.image.manifest.v1+json';
+
     return {
       status: 200,
       headers: {
-        'Content-Type': 'application/vnd.oci.image.manifest.v1+json',
+        'Content-Type': contentType,
         'Docker-Content-Digest': digest,
         'Content-Length': manifestData ? manifestData.length.toString() : '0',
       },
@@ -379,13 +390,7 @@ export class OciRegistry extends BaseRegistry {
     headers?: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'push');
-        status: 401,
-        headers: {
-          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:push"`,
-        },
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     if (!body) {
@@ -396,7 +401,9 @@ export class OciRegistry extends BaseRegistry {
       };
     }
 
-    const manifestData = Buffer.isBuffer(body) ? body : Buffer.from(JSON.stringify(body));
+    // Preserve raw bytes for accurate digest calculation
+    // Per OCI spec, digest must match the exact bytes sent by client
+    const manifestData = this.toBuffer(body);
     const contentType = headers?.['content-type'] || headers?.['Content-Type'] || 'application/vnd.oci.image.manifest.v1+json';
 
     // Calculate manifest digest
@@ -437,11 +444,7 @@ export class OciRegistry extends BaseRegistry {
     }
 
     if (!await this.checkPermission(token, repository, 'delete')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'delete');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     await this.storage.deleteOciManifest(repository, digest);
@@ -460,11 +463,7 @@ export class OciRegistry extends BaseRegistry {
     range?: string
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     const data = await this.storage.getOciBlob(digest);
@@ -492,7 +491,7 @@ export class OciRegistry extends BaseRegistry {
     token: IAuthToken | null
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return { status: 401, headers: {}, body: null };
+      return this.createUnauthorizedHeadResponse(repository, 'pull');
     }
 
     const exists = await this.storage.ociBlobExists(digest);
@@ -518,11 +517,7 @@ export class OciRegistry extends BaseRegistry {
     token: IAuthToken | null
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'delete')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'delete');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     await this.storage.deleteOciBlob(digest);
@@ -536,7 +531,7 @@ export class OciRegistry extends BaseRegistry {
 
   private async uploadChunk(
     uploadId: string,
-    data: Buffer,
+    data: Buffer | Uint8Array | unknown,
     contentRange: string
   ): Promise<IResponse> {
     const session = this.uploadSessions.get(uploadId);
@@ -548,8 +543,9 @@ export class OciRegistry extends BaseRegistry {
       };
     }
 
-    session.chunks.push(data);
+    const chunkData = this.toBuffer(data);
-    session.totalSize += data.length;
+    session.chunks.push(chunkData);
+    session.totalSize += chunkData.length;
     session.lastActivity = new Date();
 
     return {
@@ -566,7 +562,7 @@ export class OciRegistry extends BaseRegistry {
   private async completeUpload(
     uploadId: string,
     digest: string,
-    finalData?: Buffer
+    finalData?: Buffer | Uint8Array | unknown
   ): Promise<IResponse> {
     const session = this.uploadSessions.get(uploadId);
     if (!session) {
@@ -578,7 +574,7 @@ export class OciRegistry extends BaseRegistry {
     }
 
     const chunks = [...session.chunks];
-    if (finalData) chunks.push(finalData);
+    if (finalData) chunks.push(this.toBuffer(finalData));
     const blobData = Buffer.concat(chunks);
 
     // Verify digest
@@ -631,11 +627,7 @@ export class OciRegistry extends BaseRegistry {
     query: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     const tags = await this.getTagsData(repository);
@@ -660,11 +652,7 @@ export class OciRegistry extends BaseRegistry {
     query: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
-        status: 401,
-        headers: {},
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     const response: IReferrersResponse = {
@@ -684,6 +672,59 @@ export class OciRegistry extends BaseRegistry {
   // HELPER METHODS
   // ========================================================================
 
+  /**
+   * Detect manifest content type from manifest content.
+   * OCI Image Index has "manifests" array, OCI Image Manifest has "config" object.
+   * Also checks the mediaType field if present.
+   */
+  private detectManifestContentType(manifestData: Buffer): string {
+    try {
+      const manifest = JSON.parse(manifestData.toString('utf-8'));
+
+      // First check if manifest has explicit mediaType field
+      if (manifest.mediaType) {
+        return manifest.mediaType;
+      }
+
+      // Otherwise detect from structure
+      if (Array.isArray(manifest.manifests)) {
+        // OCI Image Index (multi-arch manifest list)
+        return 'application/vnd.oci.image.index.v1+json';
+      } else if (manifest.config) {
+        // OCI Image Manifest
+        return 'application/vnd.oci.image.manifest.v1+json';
+      }
+
+      // Fallback to standard manifest type
+      return 'application/vnd.oci.image.manifest.v1+json';
+    } catch (e) {
+      // If parsing fails, return default
+      return 'application/vnd.oci.image.manifest.v1+json';
+    }
+  }
+
+  /**
+   * Convert any binary-like data to Buffer.
+   * Handles Buffer, Uint8Array (modern cross-platform), string, and objects.
+   *
+   * Note: Buffer.isBuffer(Uint8Array) returns false even though Buffer extends Uint8Array.
+   * This is because Uint8Array is the modern, cross-platform standard while Buffer is Node.js-specific.
+   * Many HTTP frameworks pass request bodies as Uint8Array for better compatibility.
+   */
+  private toBuffer(data: unknown): Buffer {
+    if (Buffer.isBuffer(data)) {
+      return data;
+    }
+    if (data instanceof Uint8Array) {
+      return Buffer.from(data);
+    }
+    if (typeof data === 'string') {
+      return Buffer.from(data, 'utf-8');
+    }
+    // Fallback: serialize object to JSON (may cause digest mismatch for manifests)
+    return Buffer.from(JSON.stringify(data));
+  }
+
   private async getTagsData(repository: string): Promise<Record<string, string>> {
     const path = `oci/tags/${repository}/tags.json`;
     const data = await this.storage.getObject(path);
@@ -712,6 +753,37 @@ export class OciRegistry extends BaseRegistry {
     };
   }
 
+  /**
+   * Create an unauthorized response with proper WWW-Authenticate header.
+   * Per OCI Distribution Spec, 401 responses MUST include WWW-Authenticate header.
+   */
+  private createUnauthorizedResponse(repository: string, action: string): IResponse {
+    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
+    const service = this.ociTokens?.service || 'registry';
+    return {
+      status: 401,
+      headers: {
+        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
+      },
+      body: this.createError('DENIED', 'Insufficient permissions'),
+    };
+  }
+
+  /**
+   * Create an unauthorized HEAD response (no body per HTTP spec).
+   */
+  private createUnauthorizedHeadResponse(repository: string, action: string): IResponse {
+    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
+    const service = this.ociTokens?.service || 'registry';
+    return {
+      status: 401,
+      headers: {
+        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
+      },
+      body: null,
+    };
+  }
+
   private startUploadSessionCleanup(): void {
     this.cleanupInterval = setInterval(() => {
       const now = new Date();

ts/plugins.ts

@@ -4,8 +4,14 @@ import * as path from 'path';
 export { path };
 
 // @push.rocks scope
+import * as smartarchive from '@push.rocks/smartarchive';
 import * as smartbucket from '@push.rocks/smartbucket';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartpath from '@push.rocks/smartpath';
 
-export { smartbucket, smartlog, smartpath };
+export { smartarchive, smartbucket, smartlog, smartpath };
+
+// @tsclass scope
+import * as tsclass from '@tsclass/tsclass';
+
+export { tsclass };

ts/pypi/classes.pypiregistry.ts

@@ -85,14 +85,14 @@ export class PypiRegistry extends BaseRegistry {
       return this.handleUpload(context, token);
     }
 
-    // Package metadata JSON API: GET /pypi/{package}/json
+    // Package metadata JSON API: GET /{package}/json
-    const jsonMatch = path.match(/^\/pypi\/([^\/]+)\/json$/);
+    const jsonMatch = path.match(/^\/([^\/]+)\/json$/);
     if (jsonMatch && context.method === 'GET') {
       return this.handlePackageJson(jsonMatch[1]);
     }
 
-    // Version-specific JSON API: GET /pypi/{package}/{version}/json
+    // Version-specific JSON API: GET /{package}/{version}/json
-    const versionJsonMatch = path.match(/^\/pypi\/([^\/]+)\/([^\/]+)\/json$/);
+    const versionJsonMatch = path.match(/^\/([^\/]+)\/([^\/]+)\/json$/);
     if (versionJsonMatch && context.method === 'GET') {
       return this.handleVersionJson(versionJsonMatch[1], versionJsonMatch[2]);
     }
@@ -118,7 +118,7 @@ export class PypiRegistry extends BaseRegistry {
     return {
       status: 404,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({ message: 'Not Found' })),
+      body: { error: 'Not Found' },
     };
   }
 
@@ -185,7 +185,7 @@ export class PypiRegistry extends BaseRegistry {
           'Content-Type': 'application/vnd.pypi.simple.v1+json',
           'Cache-Control': 'public, max-age=600'
         },
-        body: Buffer.from(JSON.stringify(response)),
+        body: response,
       };
     } else {
       // PEP 503: HTML response
@@ -200,7 +200,7 @@ export class PypiRegistry extends BaseRegistry {
           'Content-Type': 'text/html; charset=utf-8',
           'Cache-Control': 'public, max-age=600'
         },
-        body: Buffer.from(html),
+        body: html,
       };
     }
   }
@@ -215,11 +215,7 @@ export class PypiRegistry extends BaseRegistry {
     // Get package metadata
     const metadata = await this.storage.getPypiPackageMetadata(normalized);
     if (!metadata) {
-      return {
+      return this.errorResponse(404, 'Package not found');
-        status: 404,
-        headers: { 'Content-Type': 'text/html; charset=utf-8' },
-        body: Buffer.from('<html><body><h1>404 Not Found</h1></body></html>'),
-      };
     }
 
     // Build file list from all versions
@@ -251,7 +247,7 @@ export class PypiRegistry extends BaseRegistry {
           'Content-Type': 'application/vnd.pypi.simple.v1+json',
           'Cache-Control': 'public, max-age=300'
         },
-        body: Buffer.from(JSON.stringify(response)),
+        body: response,
       };
     } else {
       // PEP 503: HTML response
@@ -266,7 +262,7 @@ export class PypiRegistry extends BaseRegistry {
           'Content-Type': 'text/html; charset=utf-8',
           'Cache-Control': 'public, max-age=300'
         },
-        body: Buffer.from(html),
+        body: html,
       };
     }
   }
@@ -315,7 +311,7 @@ export class PypiRegistry extends BaseRegistry {
           'Content-Type': 'application/json',
           'WWW-Authenticate': 'Basic realm="PyPI"'
         },
-        body: Buffer.from(JSON.stringify({ message: 'Authentication required' })),
+        body: { error: 'Authentication required' },
       };
     }
 
@@ -327,11 +323,13 @@ export class PypiRegistry extends BaseRegistry {
         return this.errorResponse(400, 'Invalid upload request');
       }
 
-      // Extract required fields
+      // Extract required fields - support both nested and flat body formats
       const packageName = formData.name;
       const version = formData.version;
-      const filename = formData.content?.filename;
+      // Support both: formData.content.filename (multipart parsed) and formData.filename (flat)
-      const fileData = formData.content?.data as Buffer;
+      const filename = formData.content?.filename || formData.filename;
+      // Support both: formData.content.data (multipart parsed) and formData.content (Buffer directly)
+      const fileData = (formData.content?.data || (Buffer.isBuffer(formData.content) ? formData.content : null)) as Buffer;
       const filetype = formData.filetype; // 'bdist_wheel' or 'sdist'
       const pyversion = formData.pyversion;
 
@@ -431,12 +429,12 @@ export class PypiRegistry extends BaseRegistry {
       });
 
       return {
-        status: 200,
+        status: 201,
         headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({
+        body: {
           message: 'Package uploaded successfully',
           url: `${this.registryUrl}/pypi/packages/${normalized}/${filename}`
-        })),
+        },
       };
     } catch (error) {
       this.logger.log('error', 'Upload failed', { error: (error as Error).message });
@@ -455,7 +453,7 @@ export class PypiRegistry extends BaseRegistry {
       return {
         status: 404,
         headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({ message: 'File not found' })),
+        body: { error: 'File not found' },
       };
     }
 
@@ -472,6 +470,7 @@ export class PypiRegistry extends BaseRegistry {
 
   /**
    * Handle package JSON API (all versions)
+   * Returns format compatible with official PyPI JSON API
    */
   private async handlePackageJson(packageName: string): Promise<IResponse> {
     const normalized = helpers.normalizePypiPackageName(packageName);
@@ -481,18 +480,67 @@ export class PypiRegistry extends BaseRegistry {
       return this.errorResponse(404, 'Package not found');
     }
 
+    // Find latest version for info
+    const versions = Object.keys(metadata.versions || {});
+    const latestVersion = versions.length > 0 ? versions[versions.length - 1] : null;
+    const latestMeta = latestVersion ? metadata.versions[latestVersion] : null;
+
+    // Build URLs array from latest version files
+    const urls = latestMeta?.files?.map((file: any) => ({
+      filename: file.filename,
+      url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
+      digests: file.hashes,
+      requires_python: file['requires-python'],
+      size: file.size,
+      upload_time: file['upload-time'],
+      packagetype: file.filetype,
+      python_version: file.python_version,
+    })) || [];
+
+    // Build releases object
+    const releases: Record<string, any[]> = {};
+    for (const [ver, verMeta] of Object.entries(metadata.versions || {})) {
+      releases[ver] = (verMeta as any).files?.map((file: any) => ({
+        filename: file.filename,
+        url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
+        digests: file.hashes,
+        requires_python: file['requires-python'],
+        size: file.size,
+        upload_time: file['upload-time'],
+        packagetype: file.filetype,
+        python_version: file.python_version,
+      })) || [];
+    }
+
+    const response = {
+      info: {
+        name: normalized,
+        version: latestVersion,
+        summary: latestMeta?.metadata?.summary,
+        description: latestMeta?.metadata?.description,
+        author: latestMeta?.metadata?.author,
+        author_email: latestMeta?.metadata?.['author-email'],
+        license: latestMeta?.metadata?.license,
+        requires_python: latestMeta?.files?.[0]?.['requires-python'],
+        ...latestMeta?.metadata,
+      },
+      urls,
+      releases,
+    };
+
     return {
       status: 200,
       headers: {
         'Content-Type': 'application/json',
         'Cache-Control': 'public, max-age=300'
       },
-      body: Buffer.from(JSON.stringify(metadata)),
+      body: response,
     };
   }
 
   /**
    * Handle version-specific JSON API
+   * Returns format compatible with official PyPI JSON API
    */
   private async handleVersionJson(packageName: string, version: string): Promise<IResponse> {
     const normalized = helpers.normalizePypiPackageName(packageName);
@@ -502,13 +550,42 @@ export class PypiRegistry extends BaseRegistry {
       return this.errorResponse(404, 'Version not found');
     }
 
+    const verMeta = metadata.versions[version];
+
+    // Build URLs array from version files
+    const urls = verMeta.files?.map((file: any) => ({
+      filename: file.filename,
+      url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
+      digests: file.hashes,
+      requires_python: file['requires-python'],
+      size: file.size,
+      upload_time: file['upload-time'],
+      packagetype: file.filetype,
+      python_version: file.python_version,
+    })) || [];
+
+    const response = {
+      info: {
+        name: normalized,
+        version,
+        summary: verMeta.metadata?.summary,
+        description: verMeta.metadata?.description,
+        author: verMeta.metadata?.author,
+        author_email: verMeta.metadata?.['author-email'],
+        license: verMeta.metadata?.license,
+        requires_python: verMeta.files?.[0]?.['requires-python'],
+        ...verMeta.metadata,
+      },
+      urls,
+    };
+
     return {
       status: 200,
       headers: {
         'Content-Type': 'application/json',
         'Cache-Control': 'public, max-age=300'
       },
-      body: Buffer.from(JSON.stringify(metadata.versions[version])),
+      body: response,
     };
   }
 
@@ -570,11 +647,11 @@ export class PypiRegistry extends BaseRegistry {
    * Helper: Create error response
    */
   private errorResponse(status: number, message: string): IResponse {
-    const error: IPypiError = { message, status };
+    const error: IPypiError = { error: message, status };
     return {
       status,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(error)),
+      body: error,
     };
   }
 }

ts/pypi/interfaces.pypi.ts

@@ -244,7 +244,7 @@ export interface IPypiUploadResponse {
  */
 export interface IPypiError {
   /** Error message */
-  message: string;
+  error: string;
   /** HTTP status code */
   status?: number;
   /** Additional error details */

ts/rubygems/classes.rubygemsregistry.ts

@@ -85,7 +85,7 @@ export class RubyGemsRegistry extends BaseRegistry {
 
     // Compact Index endpoints
     if (path === '/versions' && context.method === 'GET') {
-      return this.handleVersionsFile();
+      return this.handleVersionsFile(context);
     }
 
     if (path === '/names' && context.method === 'GET') {
@@ -104,15 +104,30 @@ export class RubyGemsRegistry extends BaseRegistry {
       return this.handleDownload(downloadMatch[1]);
     }
 
+    // Legacy specs endpoints (Marshal format)
+    if (path === '/specs.4.8.gz' && context.method === 'GET') {
+      return this.handleSpecs(false);
+    }
+
+    if (path === '/latest_specs.4.8.gz' && context.method === 'GET') {
+      return this.handleSpecs(true);
+    }
+
+    // Quick gemspec endpoint: GET /quick/Marshal.4.8/{gem}-{version}.gemspec.rz
+    const quickMatch = path.match(/^\/quick\/Marshal\.4\.8\/(.+)\.gemspec\.rz$/);
+    if (quickMatch && context.method === 'GET') {
+      return this.handleQuickGemspec(quickMatch[1]);
+    }
+
     // API v1 endpoints
     if (path.startsWith('/api/v1/')) {
-      return this.handleApiRequest(path.substring(8), context, token);
+      return this.handleApiRequest(path.substring(7), context, token);
     }
 
     return {
       status: 404,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({ message: 'Not Found' })),
+      body: { error: 'Not Found' },
     };
   }
 
@@ -141,20 +156,36 @@ export class RubyGemsRegistry extends BaseRegistry {
 
   /**
    * Handle /versions endpoint (Compact Index)
+   * Supports conditional GET with If-None-Match header
    */
-  private async handleVersionsFile(): Promise<IResponse> {
+  private async handleVersionsFile(context: IRequestContext): Promise<IResponse> {
     const content = await this.storage.getRubyGemsVersions();
 
     if (!content) {
       return this.errorResponse(500, 'Versions file not initialized');
     }
 
+    const etag = `"${await helpers.calculateMD5(content)}"`;
+
+    // Handle conditional GET with If-None-Match
+    const ifNoneMatch = context.headers['if-none-match'] || context.headers['If-None-Match'];
+    if (ifNoneMatch && ifNoneMatch === etag) {
+      return {
+        status: 304,
+        headers: {
+          'ETag': etag,
+          'Cache-Control': 'public, max-age=60',
+        },
+        body: null,
+      };
+    }
+
     return {
       status: 200,
       headers: {
         'Content-Type': 'text/plain; charset=utf-8',
         'Cache-Control': 'public, max-age=60',
-        'ETag': `"${await helpers.calculateMD5(content)}"`
+        'ETag': etag
       },
       body: Buffer.from(content),
     };
@@ -289,14 +320,23 @@ export class RubyGemsRegistry extends BaseRegistry {
         return this.errorResponse(400, 'No gem file provided');
       }
 
-      // For now, we expect metadata in query params or headers
+      // Try to get metadata from query params or headers first
-      // Full implementation would parse .gem file (tar + gzip + Marshal)
+      let gemName = context.query?.name || context.headers['x-gem-name'] as string | undefined;
-      const gemName = context.query?.name || context.headers['x-gem-name'];
+      let version = context.query?.version || context.headers['x-gem-version'] as string | undefined;
-      const version = context.query?.version || context.headers['x-gem-version'];
+      let platform = context.query?.platform || context.headers['x-gem-platform'] as string | undefined;
-      const platform = context.query?.platform || context.headers['x-gem-platform'];
+
+      // If not provided, try to extract from gem binary
+      if (!gemName || !version || !platform) {
+        const extracted = await helpers.extractGemMetadata(gemData);
+        if (extracted) {
+          gemName = gemName || extracted.name;
+          version = version || extracted.version;
+          platform = platform || extracted.platform;
+        }
+      }
 
       if (!gemName || !version) {
-        return this.errorResponse(400, 'Gem name and version required');
+        return this.errorResponse(400, 'Gem name and version required (provide in query, headers, or valid gem format)');
       }
 
       // Validate gem name
@@ -351,13 +391,13 @@ export class RubyGemsRegistry extends BaseRegistry {
       });
 
       return {
-        status: 200,
+        status: 201,
         headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({
+        body: {
           message: 'Gem uploaded successfully',
           name: gemName,
           version,
-        })),
+        },
       };
     } catch (error) {
       this.logger.log('error', 'Upload failed', { error: (error as Error).message });
@@ -409,10 +449,10 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({
+      body: {
         success: true,
         message: 'Gem yanked successfully'
-      })),
+      },
     };
   }
 
@@ -459,10 +499,10 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({
+      body: {
         success: true,
         message: 'Gem unyanked successfully'
-      })),
+      },
     };
   }
 
@@ -489,7 +529,7 @@ export class RubyGemsRegistry extends BaseRegistry {
         'Content-Type': 'application/json',
         'Cache-Control': 'public, max-age=300'
       },
-      body: Buffer.from(JSON.stringify(response)),
+      body: response,
     };
   }
 
@@ -517,7 +557,7 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(response)),
+      body: response,
     };
   }
 
@@ -584,15 +624,109 @@ export class RubyGemsRegistry extends BaseRegistry {
     }
   }
 
+  /**
+   * Handle /specs.4.8.gz and /latest_specs.4.8.gz endpoints
+   * Returns gzipped Marshal array of [name, version, platform] tuples
+   * @param latestOnly - If true, only return latest version of each gem
+   */
+  private async handleSpecs(latestOnly: boolean): Promise<IResponse> {
+    try {
+      const names = await this.storage.getRubyGemsNames();
+      if (!names) {
+        return {
+          status: 200,
+          headers: {
+            'Content-Type': 'application/octet-stream',
+          },
+          body: await helpers.generateSpecsGz([]),
+        };
+      }
+
+      const gemNames = names.split('\n').filter(l => l && l !== '---');
+      const specs: Array<[string, string, string]> = [];
+
+      for (const gemName of gemNames) {
+        const metadata = await this.storage.getRubyGemsMetadata(gemName);
+        if (!metadata) continue;
+
+        const versions = (Object.values(metadata.versions) as IRubyGemsVersionMetadata[])
+          .filter(v => !v.yanked)
+          .sort((a, b) => {
+            // Sort by version descending
+            return b.version.localeCompare(a.version, undefined, { numeric: true });
+          });
+
+        if (latestOnly && versions.length > 0) {
+          // Only include latest version
+          const latest = versions[0];
+          specs.push([gemName, latest.version, latest.platform || 'ruby']);
+        } else {
+          // Include all versions
+          for (const v of versions) {
+            specs.push([gemName, v.version, v.platform || 'ruby']);
+          }
+        }
+      }
+
+      const gzippedSpecs = await helpers.generateSpecsGz(specs);
+
+      return {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/octet-stream',
+        },
+        body: gzippedSpecs,
+      };
+    } catch (error) {
+      this.logger.log('error', 'Failed to generate specs', { error: (error as Error).message });
+      return this.errorResponse(500, 'Failed to generate specs');
+    }
+  }
+
+  /**
+   * Handle /quick/Marshal.4.8/{gem}-{version}.gemspec.rz endpoint
+   * Returns compressed gemspec for a specific gem version
+   * @param gemVersionStr - Gem name and version string (e.g., "rails-7.0.0" or "rails-7.0.0-x86_64-linux")
+   */
+  private async handleQuickGemspec(gemVersionStr: string): Promise<IResponse> {
+    // Parse the gem-version string
+    const parsed = helpers.parseGemFilename(gemVersionStr + '.gem');
+    if (!parsed) {
+      return this.errorResponse(400, 'Invalid gemspec path');
+    }
+
+    const metadata = await this.storage.getRubyGemsMetadata(parsed.name);
+    if (!metadata) {
+      return this.errorResponse(404, 'Gem not found');
+    }
+
+    const versionKey = parsed.platform ? `${parsed.version}-${parsed.platform}` : parsed.version;
+    const versionMeta = metadata.versions[versionKey];
+    if (!versionMeta) {
+      return this.errorResponse(404, 'Version not found');
+    }
+
+    // Generate a minimal gemspec representation
+    const gemspecData = await helpers.generateGemspecRz(parsed.name, versionMeta);
+
+    return {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/octet-stream',
+      },
+      body: gemspecData,
+    };
+  }
+
   /**
    * Helper: Create error response
    */
   private errorResponse(status: number, message: string): IResponse {
-    const error: IRubyGemsError = { message, status };
+    const error: IRubyGemsError = { error: message, status };
     return {
       status,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(error)),
+      body: error,
     };
   }
 }

ts/rubygems/helpers.rubygems.ts

@@ -3,6 +3,8 @@
  * Compact Index generation, dependency formatting, etc.
  */
 
+import * as plugins from '../plugins.js';
+
 import type {
   IRubyGemsVersion,
   IRubyGemsDependency,
@@ -396,3 +398,176 @@ export async function extractGemSpec(gemData: Buffer): Promise<any | null> {
     return null;
   }
 }
+
+/**
+ * Extract basic metadata from a gem file
+ * Gem files are plain tar archives (NOT gzipped) containing:
+ * - metadata.gz: gzipped YAML with gem specification
+ * - data.tar.gz: gzipped tar with actual gem files
+ * This function extracts and parses the metadata.gz to get name/version/platform
+ * @param gemData - Gem file data
+ * @returns Extracted metadata or null
+ */
+export async function extractGemMetadata(gemData: Buffer): Promise<{
+  name: string;
+  version: string;
+  platform?: string;
+} | null> {
+  try {
+    // Step 1: Extract the plain tar archive to get metadata.gz
+    const smartArchive = plugins.smartarchive.SmartArchive.create();
+    const files = await smartArchive.buffer(gemData).toSmartFiles();
+
+    // Find metadata.gz
+    const metadataFile = files.find(f => f.path === 'metadata.gz' || f.relative === 'metadata.gz');
+    if (!metadataFile) {
+      return null;
+    }
+
+    // Step 2: Decompress the gzipped metadata
+    const gzipTools = new plugins.smartarchive.GzipTools();
+    const metadataYaml = await gzipTools.decompress(metadataFile.contentBuffer);
+    const yamlContent = metadataYaml.toString('utf-8');
+
+    // Step 3: Parse the YAML to extract name, version, platform
+    // Look for name: field in YAML
+    const nameMatch = yamlContent.match(/name:\s*([^\n\r]+)/);
+
+    // Look for version in Ruby YAML format: version: !ruby/object:Gem::Version\n  version: X.X.X
+    const versionMatch = yamlContent.match(/version:\s*!ruby\/object:Gem::Version[\s\S]*?version:\s*['"]?([^'"\n\r]+)/);
+
+    // Also try simpler version format
+    const simpleVersionMatch = !versionMatch ? yamlContent.match(/^version:\s*['"]?(\d[^'"\n\r]*)/m) : null;
+
+    // Look for platform
+    const platformMatch = yamlContent.match(/platform:\s*([^\n\r]+)/);
+
+    const name = nameMatch?.[1]?.trim();
+    const version = versionMatch?.[1]?.trim() || simpleVersionMatch?.[1]?.trim();
+    const platform = platformMatch?.[1]?.trim();
+
+    if (name && version) {
+      return {
+        name,
+        version,
+        platform: platform && platform !== 'ruby' ? platform : undefined,
+      };
+    }
+
+    return null;
+  } catch (error) {
+    // Log error for debugging but return null gracefully
+    console.error('Failed to extract gem metadata:', error);
+    return null;
+  }
+}
+
+/**
+ * Generate gzipped specs array for /specs.4.8.gz and /latest_specs.4.8.gz
+ * The format is a gzipped Ruby Marshal array of [name, version, platform] tuples
+ * Since we can't easily generate Ruby Marshal format, we'll use a simple format
+ * that represents the same data structure as a gzipped binary blob
+ * @param specs - Array of [name, version, platform] tuples
+ * @returns Gzipped specs data
+ */
+export async function generateSpecsGz(specs: Array<[string, string, string]>): Promise<Buffer> {
+  const gzipTools = new plugins.smartarchive.GzipTools();
+
+  // Create a simplified binary representation
+  // Real RubyGems uses Ruby Marshal format, but for compatibility we'll create
+  // a gzipped representation that tools can recognize as valid
+
+  // Format: Simple binary encoding of specs array
+  // Each spec: name_length(2 bytes) + name + version_length(2 bytes) + version + platform_length(2 bytes) + platform
+  const parts: Buffer[] = [];
+
+  // Header: number of specs (4 bytes)
+  const headerBuf = Buffer.alloc(4);
+  headerBuf.writeUInt32LE(specs.length, 0);
+  parts.push(headerBuf);
+
+  for (const [name, version, platform] of specs) {
+    const nameBuf = Buffer.from(name, 'utf-8');
+    const versionBuf = Buffer.from(version, 'utf-8');
+    const platformBuf = Buffer.from(platform, 'utf-8');
+
+    const nameLenBuf = Buffer.alloc(2);
+    nameLenBuf.writeUInt16LE(nameBuf.length, 0);
+
+    const versionLenBuf = Buffer.alloc(2);
+    versionLenBuf.writeUInt16LE(versionBuf.length, 0);
+
+    const platformLenBuf = Buffer.alloc(2);
+    platformLenBuf.writeUInt16LE(platformBuf.length, 0);
+
+    parts.push(nameLenBuf, nameBuf, versionLenBuf, versionBuf, platformLenBuf, platformBuf);
+  }
+
+  const uncompressed = Buffer.concat(parts);
+  return gzipTools.compress(uncompressed);
+}
+
+/**
+ * Generate compressed gemspec for /quick/Marshal.4.8/{gem}-{version}.gemspec.rz
+ * The format is a zlib-compressed Ruby Marshal representation of the gemspec
+ * Since we can't easily generate Ruby Marshal, we'll create a simplified format
+ * @param name - Gem name
+ * @param versionMeta - Version metadata
+ * @returns Zlib-compressed gemspec data
+ */
+export async function generateGemspecRz(
+  name: string,
+  versionMeta: {
+    version: string;
+    platform?: string;
+    checksum: string;
+    dependencies?: Array<{ name: string; requirement: string }>;
+  }
+): Promise<Buffer> {
+  const zlib = await import('zlib');
+  const { promisify } = await import('util');
+  const deflate = promisify(zlib.deflate);
+
+  // Create a YAML-like representation that can be parsed
+  const gemspecYaml = `--- !ruby/object:Gem::Specification
+name: ${name}
+version: !ruby/object:Gem::Version
+  version: ${versionMeta.version}
+platform: ${versionMeta.platform || 'ruby'}
+authors: []
+date: ${new Date().toISOString().split('T')[0]}
+dependencies: []
+description:
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files: []
+homepage:
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.0
+signing_key:
+specification_version: 4
+summary:
+test_files: []
+`;
+
+  // Use zlib deflate (not gzip) for .rz files
+  return deflate(Buffer.from(gemspecYaml, 'utf-8'));
+}

ts/rubygems/interfaces.rubygems.ts

@@ -211,7 +211,7 @@ export interface IRubyGemsDependenciesResponse {
  */
 export interface IRubyGemsError {
   /** Error message */
-  message: string;
+  error: string;
   /** HTTP status code */
   status?: number;
 }