v2.1.2

fix(oci): Prefer raw request body for content-addressable OCI operations and expose rawBody on request context
v2.1.1
2025-11-25 17:15:47 +00:00 · 2025-11-25 17:15:47 +00:00 · 2025-11-25 16:59:37 +00:00 · 2025-11-25 16:59:37 +00:00 · 2025-11-25 16:48:08 +00:00 · 2025-11-25 16:48:08 +00:00
18 changed files with 1221 additions and 221 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,50 @@
 # Changelog
 ## 2025-11-25 - 2.1.2 - fix(oci)
 Prefer raw request body for content-addressable OCI operations and expose rawBody on request context
 - Add rawBody?: Buffer to IRequestContext to allow callers to provide the exact raw request bytes for digest calculation (falls back to body if absent).
 - OCI registry handlers now prefer context.rawBody over context.body for content-addressable operations (manifests, blobs, and blob uploads) to preserve exact bytes and ensure digest calculation matches client expectations.
 - Upload flow updates: upload init, PATCH (upload chunk) and PUT (complete upload) now pass rawBody when available.
 ## 2025-11-25 - 2.1.1 - fix(oci)
 Preserve raw manifest bytes for digest calculation and handle string/JSON manifest bodies in OCI registry
 - Preserve the exact bytes of the manifest payload when computing the sha256 digest to comply with the OCI spec and avoid mismatches caused by re-serialization.
 - Accept string request bodies (converted using UTF-8) and treat already-parsed JSON objects by re-serializing as a fallback.
 - Keep existing content-type fallback logic while ensuring accurate digest calculation prior to storing manifests.
 ## 2025-11-25 - 2.1.0 - feat(oci)
 Support configurable OCI token realm/service and centralize unauthorized responses
 - SmartRegistry now forwards optional ociTokens (realm and service) from auth configuration to OciRegistry when OCI is enabled
 - OciRegistry constructor accepts an optional ociTokens parameter and stores it for use in auth headers
 - Replaced repeated construction of WWW-Authenticate headers with createUnauthorizedResponse and createUnauthorizedHeadResponse helpers that use configured realm/service
 - Behavior is backwards-compatible: when ociTokens are not configured the registry falls back to the previous defaults (realm: <basePath>/v2/token, service: "registry")
 ## 2025-11-25 - 2.0.0 - BREAKING CHANGE(pypi,rubygems)
 Revise PyPI and RubyGems handling: normalize error payloads, fix .gem parsing/packing, adjust PyPI JSON API and tests, and export smartarchive plugin
 - Rename error payload property from 'message' to 'error' in PyPI and RubyGems interfaces and responses; error responses are now returned as JSON objects (body: { error: ... }) instead of Buffer(JSON.stringify(...)).
 - RubyGems: treat .gem files as plain tar archives (not gzipped). Use metadata.gz and data.tar.gz correctly, switch packing helper to pack plain tar, and use zlib deflate for .rz gemspec data.
 - RubyGems registry: add legacy Marshal specs endpoint (specs.4.8.gz) and adjust versions handler invocation to accept request context.
 - PyPI: adopt PEP 691 style (files is an array of file objects) in tests and metadata; include requires_python in test package metadata; update JSON API path matching to the package-level '/{package}/json' style used by the handler.
 - Fix HTML escaping expectations in tests (requires_python values are HTML-escaped in attributes, e.g. '&gt;=3.8').
 - Export smartarchive from plugins to enable archive helpers in core modules and helpers.
 - Update tests and internal code to match the new error shape and API/format behaviour.
 ## 2025-11-25 - 1.9.0 - feat(auth)
 Implement HMAC-SHA256 OCI JWTs; enhance PyPI & RubyGems uploads and normalize responses
 - AuthManager: create and validate OCI JWTs signed with HMAC-SHA256 (header.payload.signature). Signature verification, exp/nbf checks and payload decoding implemented.
 - PyPI: improved Simple API handling (PEP-691 JSON responses returned as objects), Simple HTML responses updated, upload handling enhanced to support nested/flat multipart fields, verify hashes (sha256/md5/blake2b), store files and return 201 on success.
 - RubyGems: upload flow now attempts to extract gem metadata from the .gem binary when name/version are not provided, improved validation, and upload returns 201. Added extractGemMetadata helper.
 - OCI: centralized 401 response creation (including proper WWW-Authenticate header) and HEAD behavior fixed to return no body per HTTP spec.
 - SmartRegistry: use nullish coalescing for protocol basePath defaults to avoid falsy-value bugs when basePath is an empty string.
 - Tests and helpers: test expectations adjusted (Content-Type startsWith check for HTML, PEP-691 projects is an array), test helper switched to smartarchive for packaging.
 - Package.json: added devDependency @push.rocks/smartarchive and updated dev deps.
 - Various response normalization: avoid unnecessary Buffer.from() for already-serialized objects/strings and standardize status codes for create/upload endpoints (201).
 ## 2025-11-24 - 1.8.0 - feat(smarts3)
 Add local smarts3 testing support and documentation
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartregistry",
-  "version": "1.8.0",
+  "version": "2.1.2",
  "private": false,
  "description": "A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries",
  "main": "dist_ts/index.js",
@@ -18,6 +18,7 @@
    "@git.zone/tsbundle": "^2.0.5",
    "@git.zone/tsrun": "^2.0.0",
    "@git.zone/tstest": "^3.1.0",
    "@push.rocks/smartarchive": "^5.0.1",
    "@push.rocks/smarts3": "^5.1.0",
    "@types/node": "^24.10.1"
  },
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -39,6 +39,9 @@ importers:
      '@git.zone/tstest':
        specifier: ^3.1.0
        version: 3.1.0(socks@2.8.7)(typescript@5.9.3)
      '@push.rocks/smartarchive':
        specifier: ^5.0.1
        version: 5.0.1(@push.rocks/smartfs@1.1.0)
      '@push.rocks/smarts3':
        specifier: ^5.1.0
        version: 5.1.0
@@ -705,6 +708,9 @@ packages:
  '@push.rocks/smartarchive@4.2.2':
    resolution: {integrity: sha512-6EpqbKU32D6Gcqsc9+Tn1dOCU5HoTlrqqs/7IdUr9Tirp9Ngtptkapca1Fw/D0kVJ7SSw3kG/miAYnuPMZLEoA==}
  '@push.rocks/smartarchive@5.0.1':
    resolution: {integrity: sha512-x4bie9IIdL9BZqBZLc8Pemp8xZOJGa6mXSVgKJRL4/Rw+E5N4rVHjQOYGRV75nC2mAMJh9GIbixuxLnWjj77ag==}
  '@push.rocks/smartbrowser@2.0.8':
    resolution: {integrity: sha512-0KWRZj3TuKo/sNwgPbiSE6WL+TMeR19t1JmXBZWh9n8iA2mpc4HhMrQAndEUdRCkx5ofSaHWojIRVFzGChj0Dg==}
@@ -765,6 +771,14 @@ packages:
  '@push.rocks/smartfile@11.2.7':
    resolution: {integrity: sha512-8Yp7/sAgPpWJBHohV92ogHWKzRomI5MEbSG6b5W2n18tqwfAmjMed0rQvsvGrSBlnEWCKgoOrYIIZbLO61+J0Q==}
  '@push.rocks/smartfile@13.0.1':
    resolution: {integrity: sha512-phtryDFtBYHo7R2H9V3Y7VeiYQU9YzKL140gKD3bTicBgXoIYrJ6+b3mbZunSO2yQt1Vy1AxCxYXrFE/K+4grw==}
    peerDependencies:
      '@push.rocks/smartfs': ^1.0.0
    peerDependenciesMeta:
      '@push.rocks/smartfs':
        optional: true
  '@push.rocks/smartfs@1.1.0':
    resolution: {integrity: sha512-fg8JIjFUPPX5laRoBpTaGwhMfZ3Y8mFT4fUaW54Y4J/BfOBa/y0+rIFgvgvqcOZgkQlyZU+FIfL8Z6zezqxyTg==}
@@ -5265,6 +5279,27 @@ snapshots:
      - react-native-b4a
      - supports-color
  '@push.rocks/smartarchive@5.0.1(@push.rocks/smartfs@1.1.0)':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartfile': 13.0.1(@push.rocks/smartfs@1.1.0)
      '@push.rocks/smartpath': 6.0.0
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrequest': 4.4.2
      '@push.rocks/smartrx': 3.0.10
      '@push.rocks/smartstream': 3.2.5
      '@push.rocks/smartunique': 3.0.9
      '@push.rocks/smarturl': 3.1.0
      '@types/tar-stream': 3.1.4
      fflate: 0.8.2
      file-type: 21.1.0
      tar-stream: 3.1.7
    transitivePeerDependencies:
      - '@push.rocks/smartfs'
      - bare-abort-controller
      - react-native-b4a
      - supports-color
  '@push.rocks/smartbrowser@2.0.8(typescript@5.9.3)':
    dependencies:
      '@push.rocks/smartdelay': 3.0.5
@@ -5453,6 +5488,24 @@ snapshots:
      glob: 11.1.0
      js-yaml: 4.1.1
  '@push.rocks/smartfile@13.0.1(@push.rocks/smartfs@1.1.0)':
    dependencies:
      '@push.rocks/lik': 6.2.2
      '@push.rocks/smartdelay': 3.0.5
      '@push.rocks/smartfile-interfaces': 1.0.7
      '@push.rocks/smarthash': 3.2.6
      '@push.rocks/smartjson': 5.2.0
      '@push.rocks/smartmime': 2.0.4
      '@push.rocks/smartpath': 6.0.0
      '@push.rocks/smartpromise': 4.2.3
      '@push.rocks/smartrequest': 4.4.2
      '@push.rocks/smartstream': 3.2.5
      '@types/js-yaml': 4.0.9
      glob: 11.1.0
      js-yaml: 4.1.1
    optionalDependencies:
      '@push.rocks/smartfs': 1.1.0
  '@push.rocks/smartfs@1.1.0':
    dependencies:
      '@push.rocks/smartpath': 6.0.0
--- a/test/helpers/registry.ts
+++ b/test/helpers/registry.ts
@@ -1,5 +1,6 @@
 import * as qenv from '@push.rocks/qenv';
 import * as crypto from 'crypto';
 import * as smartarchive from '@push.rocks/smartarchive';
 import { SmartRegistry } from '../../ts/classes.smartregistry.js';
 import type { IRegistryConfig } from '../../ts/core/interfaces.core.js';
@@ -241,7 +242,7 @@ export function calculateMavenChecksums(data: Buffer) {
 }
 /**
- * Helper to create a Composer package ZIP
+ * Helper to create a Composer package ZIP using smartarchive
 */
 export async function createComposerZip(
  vendorPackage: string,
@@ -252,8 +253,7 @@ export async function createComposerZip(
    authors?: Array<{ name: string; email?: string }>;
  }
 ): Promise<Buffer> {
-  const AdmZip = (await import('adm-zip')).default;
+  const zipTools = new smartarchive.ZipTools();
  const zip = new AdmZip();
  const composerJson = {
    name: vendorPackage,
@@ -272,9 +272,6 @@ export async function createComposerZip(
    },
  };
  // Add composer.json
  zip.addFile('composer.json', Buffer.from(JSON.stringify(composerJson, null, 2), 'utf-8'));
  // Add a test PHP file
  const [vendor, pkg] = vendorPackage.split('/');
  const namespace = `${vendor.charAt(0).toUpperCase() + vendor.slice(1)}\\${pkg.charAt(0).toUpperCase() + pkg.slice(1).replace(/-/g, '')}`;
@@ -290,24 +287,33 @@ class TestClass
 }
 `;
-  zip.addFile('src/TestClass.php', Buffer.from(testPhpContent, 'utf-8'));
+  const entries: smartarchive.IArchiveEntry[] = [
    {
      archivePath: 'composer.json',
      content: Buffer.from(JSON.stringify(composerJson, null, 2), 'utf-8'),
    },
    {
      archivePath: 'src/TestClass.php',
      content: Buffer.from(testPhpContent, 'utf-8'),
    },
    {
      archivePath: 'README.md',
      content: Buffer.from(`# ${vendorPackage}\n\nTest package`, 'utf-8'),
    },
  ];
-  // Add README
+  return zipTools.createZip(entries);
  zip.addFile('README.md', Buffer.from(`# ${vendorPackage}\n\nTest package`, 'utf-8'));
  return zip.toBuffer();
 }
 /**
- * Helper to create a test Python wheel file (minimal ZIP structure)
+ * Helper to create a test Python wheel file (minimal ZIP structure) using smartarchive
 */
 export async function createPythonWheel(
  packageName: string,
  version: string,
  pyVersion: string = 'py3'
 ): Promise<Buffer> {
-  const AdmZip = (await import('adm-zip')).default;
+  const zipTools = new smartarchive.ZipTools();
  const zip = new AdmZip();
  const normalizedName = packageName.replace(/-/g, '_');
  const distInfoDir = `${normalizedName}-${version}.dist-info`;
@@ -331,8 +337,6 @@ Description-Content-Type: text/markdown
 Test package for SmartRegistry
 `;
  zip.addFile(`${distInfoDir}/METADATA`, Buffer.from(metadata, 'utf-8'));
  // Create WHEEL file
  const wheelContent = `Wheel-Version: 1.0
 Generator: test 1.0.0
@@ -340,14 +344,6 @@ Root-Is-Purelib: true
 Tag: ${pyVersion}-none-any
 `;
  zip.addFile(`${distInfoDir}/WHEEL`, Buffer.from(wheelContent, 'utf-8'));
  // Create RECORD file (empty for test)
  zip.addFile(`${distInfoDir}/RECORD`, Buffer.from('', 'utf-8'));
  // Create top_level.txt
  zip.addFile(`${distInfoDir}/top_level.txt`, Buffer.from(normalizedName, 'utf-8'));
  // Create a simple Python module
  const moduleContent = `"""${packageName} module"""
@@ -357,27 +353,44 @@ def hello():
    return "Hello from ${packageName}!"
 `;
-  zip.addFile(`${normalizedName}/__init__.py`, Buffer.from(moduleContent, 'utf-8'));
+  const entries: smartarchive.IArchiveEntry[] = [
    {
      archivePath: `${distInfoDir}/METADATA`,
      content: Buffer.from(metadata, 'utf-8'),
    },
    {
      archivePath: `${distInfoDir}/WHEEL`,
      content: Buffer.from(wheelContent, 'utf-8'),
    },
    {
      archivePath: `${distInfoDir}/RECORD`,
      content: Buffer.from('', 'utf-8'),
    },
    {
      archivePath: `${distInfoDir}/top_level.txt`,
      content: Buffer.from(normalizedName, 'utf-8'),
    },
    {
      archivePath: `${normalizedName}/__init__.py`,
      content: Buffer.from(moduleContent, 'utf-8'),
    },
  ];
-  return zip.toBuffer();
+  return zipTools.createZip(entries);
 }
 /**
- * Helper to create a test Python source distribution (sdist)
+ * Helper to create a test Python source distribution (sdist) using smartarchive
 */
 export async function createPythonSdist(
  packageName: string,
  version: string
 ): Promise<Buffer> {
-  const tar = await import('tar-stream');
+  const tarTools = new smartarchive.TarTools();
  const zlib = await import('zlib');
  const { Readable } = await import('stream');
  const normalizedName = packageName.replace(/-/g, '_');
  const dirPrefix = `${packageName}-${version}`;
  const pack = tar.pack();
  // PKG-INFO
  const pkgInfo = `Metadata-Version: 2.1
 Name: ${packageName}
@@ -389,8 +402,6 @@ Author-email: test@example.com
 License: MIT
 `;
  pack.entry({ name: `${dirPrefix}/PKG-INFO` }, pkgInfo);
  // setup.py
  const setupPy = `from setuptools import setup, find_packages
@@ -402,8 +413,6 @@ setup(
 )
 `;
  pack.entry({ name: `${dirPrefix}/setup.py` }, setupPy);
  // Module file
  const moduleContent = `"""${packageName} module"""
@@ -413,20 +422,22 @@ def hello():
    return "Hello from ${packageName}!"
 `;
-  pack.entry({ name: `${dirPrefix}/${normalizedName}/__init__.py` }, moduleContent);
+  const entries: smartarchive.IArchiveEntry[] = [
    {
      archivePath: `${dirPrefix}/PKG-INFO`,
      content: Buffer.from(pkgInfo, 'utf-8'),
    },
    {
      archivePath: `${dirPrefix}/setup.py`,
      content: Buffer.from(setupPy, 'utf-8'),
    },
    {
      archivePath: `${dirPrefix}/${normalizedName}/__init__.py`,
      content: Buffer.from(moduleContent, 'utf-8'),
    },
  ];
-  pack.finalize();
+  return tarTools.packFilesToTarGz(entries);
  // Convert to gzipped tar
  const chunks: Buffer[] = [];
  const gzip = zlib.createGzip();
  return new Promise((resolve, reject) => {
    pack.pipe(gzip);
    gzip.on('data', (chunk) => chunks.push(chunk));
    gzip.on('end', () => resolve(Buffer.concat(chunks)));
    gzip.on('error', reject);
  });
 }
 /**
@@ -441,17 +452,15 @@ export function calculatePypiHashes(data: Buffer) {
 }
 /**
- * Helper to create a test RubyGem file (minimal tar.gz structure)
+ * Helper to create a test RubyGem file (minimal tar.gz structure) using smartarchive
 */
 export async function createRubyGem(
  gemName: string,
  version: string,
  platform: string = 'ruby'
 ): Promise<Buffer> {
-  const tar = await import('tar-stream');
+  const tarTools = new smartarchive.TarTools();
-  const zlib = await import('zlib');
+  const gzipTools = new smartarchive.GzipTools();
  const pack = tar.pack();
  // Create metadata.gz (simplified)
  const metadataYaml = `--- !ruby/object:Gem::Specification
@@ -499,10 +508,9 @@ summary: Test gem for SmartRegistry
 test_files: []
 `;
-  pack.entry({ name: 'metadata.gz' }, zlib.gzipSync(Buffer.from(metadataYaml, 'utf-8')));
+  const metadataGz = await gzipTools.compress(Buffer.from(metadataYaml, 'utf-8'));
-  // Create data.tar.gz (simplified)
+  // Create data.tar.gz content
  const dataPack = tar.pack();
  const libContent = `# ${gemName}
 module ${gemName.charAt(0).toUpperCase() + gemName.slice(1).replace(/-/g, '')}
@@ -514,32 +522,29 @@ module ${gemName.charAt(0).toUpperCase() + gemName.slice(1).replace(/-/g, '')}
 end
 `;
-  dataPack.entry({ name: `lib/${gemName}.rb` }, libContent);
+  const dataEntries: smartarchive.IArchiveEntry[] = [
-  dataPack.finalize();
+    {
      archivePath: `lib/${gemName}.rb`,
      content: Buffer.from(libContent, 'utf-8'),
    },
  ];
-  const dataChunks: Buffer[] = [];
+  const dataTarGz = await tarTools.packFilesToTarGz(dataEntries);
  const dataGzip = zlib.createGzip();
  dataPack.pipe(dataGzip);
-  await new Promise((resolve) => {
+  // Create the outer gem (tar.gz containing metadata.gz and data.tar.gz)
-    dataGzip.on('data', (chunk) => dataChunks.push(chunk));
+  const gemEntries: smartarchive.IArchiveEntry[] = [
-    dataGzip.on('end', resolve);
+    {
-  });
+      archivePath: 'metadata.gz',
      content: metadataGz,
    },
    {
      archivePath: 'data.tar.gz',
      content: dataTarGz,
    },
  ];
-  pack.entry({ name: 'data.tar.gz' }, Buffer.concat(dataChunks));
+  // RubyGems .gem files are plain tar archives (NOT gzipped), containing metadata.gz and data.tar.gz
-
+  return tarTools.packFiles(gemEntries);
  pack.finalize();
  // Convert to gzipped tar
  const chunks: Buffer[] = [];
  const gzip = zlib.createGzip();
  return new Promise((resolve, reject) => {
    pack.pipe(gzip);
    gzip.on('data', (chunk) => chunks.push(chunk));
    gzip.on('end', () => resolve(Buffer.concat(chunks)));
    gzip.on('error', reject);
  });
 }
 /**
--- a/test/test.integration.crossprotocol.ts
+++ b/test/test.integration.crossprotocol.ts
@@ -78,7 +78,7 @@ tap.test('Integration: should handle /simple path for PyPI', async () => {
  });
  expect(response.status).toEqual(200);
-  expect(response.headers['Content-Type']).toEqual('text/html');
+  expect(response.headers['Content-Type']).toStartWith('text/html');
  expect(response.body).toContain('integration-test-py');
 });
--- a/test/test.pypi.ts
+++ b/test/test.pypi.ts
@@ -80,6 +80,7 @@ tap.test('PyPI: should upload wheel file (POST /pypi/)', async () => {
      pyversion: 'py3',
      metadata_version: '2.1',
      sha256_digest: hashes.sha256,
      requires_python: '>=3.7',
      content: testWheelData,
      filename: filename,
    },
@@ -99,7 +100,7 @@ tap.test('PyPI: should retrieve Simple API root index HTML (GET /simple/)', asyn
  });
  expect(response.status).toEqual(200);
-  expect(response.headers['Content-Type']).toEqual('text/html');
+  expect(response.headers['Content-Type']).toStartWith('text/html');
  expect(response.body).toBeTypeOf('string');
  const html = response.body as string;
@@ -125,8 +126,10 @@ tap.test('PyPI: should retrieve Simple API root index JSON (GET /simple/ with Ac
  const json = response.body as any;
  expect(json).toHaveProperty('meta');
  expect(json).toHaveProperty('projects');
-  expect(json.projects).toBeTypeOf('object');
+  expect(json.projects).toBeInstanceOf(Array);
-  expect(json.projects).toHaveProperty(normalizedPackageName);
+  // Check that the package is in the projects list (PEP 691 format: array of { name } objects)
  const packageNames = json.projects.map((p: any) => p.name);
  expect(packageNames).toContain(normalizedPackageName);
 });
 tap.test('PyPI: should retrieve Simple API package HTML (GET /simple/{package}/)', async () => {
@@ -140,7 +143,7 @@ tap.test('PyPI: should retrieve Simple API package HTML (GET /simple/{package}/)
  });
  expect(response.status).toEqual(200);
-  expect(response.headers['Content-Type']).toEqual('text/html');
+  expect(response.headers['Content-Type']).toStartWith('text/html');
  expect(response.body).toBeTypeOf('string');
  const html = response.body as string;
@@ -210,6 +213,7 @@ tap.test('PyPI: should upload sdist file (POST /pypi/)', async () => {
      pyversion: 'source',
      metadata_version: '2.1',
      sha256_digest: hashes.sha256,
      requires_python: '>=3.7',
      content: testSdistData,
      filename: filename,
    },
@@ -231,10 +235,11 @@ tap.test('PyPI: should list both wheel and sdist in Simple API', async () => {
  expect(response.status).toEqual(200);
  const json = response.body as any;
-  expect(Object.keys(json.files).length).toEqual(2);
+  // PEP 691: files is an array of file objects
  expect(json.files.length).toEqual(2);
-  const hasWheel = Object.keys(json.files).some(f => f.endsWith('.whl'));
+  const hasWheel = json.files.some((f: any) => f.filename.endsWith('.whl'));
-  const hasSdist = Object.keys(json.files).some(f => f.endsWith('.tar.gz'));
+  const hasSdist = json.files.some((f: any) => f.filename.endsWith('.tar.gz'));
  expect(hasWheel).toEqual(true);
  expect(hasSdist).toEqual(true);
@@ -263,6 +268,7 @@ tap.test('PyPI: should upload a second version', async () => {
      pyversion: 'py3',
      metadata_version: '2.1',
      sha256_digest: hashes.sha256,
      requires_python: '>=3.7',
      content: newWheelData,
      filename: filename,
    },
@@ -284,10 +290,11 @@ tap.test('PyPI: should list multiple versions in Simple API', async () => {
  expect(response.status).toEqual(200);
  const json = response.body as any;
-  expect(Object.keys(json.files).length).toBeGreaterThan(2);
+  // PEP 691: files is an array of file objects
  expect(json.files.length).toBeGreaterThan(2);
-  const hasVersion1 = Object.keys(json.files).some(f => f.includes('1.0.0'));
+  const hasVersion1 = json.files.some((f: any) => f.filename.includes('1.0.0'));
-  const hasVersion2 = Object.keys(json.files).some(f => f.includes('2.0.0'));
+  const hasVersion2 = json.files.some((f: any) => f.filename.includes('2.0.0'));
  expect(hasVersion1).toEqual(true);
  expect(hasVersion2).toEqual(true);
@@ -420,7 +427,8 @@ tap.test('PyPI: should handle package with requires-python metadata', async () =
  const html = getResponse.body as string;
  expect(html).toContain('data-requires-python');
-  expect(html).toContain('>=3.8');
+  // Note: >= gets HTML-escaped to &gt;= in attribute values
  expect(html).toContain('&gt;=3.8');
 });
 tap.test('PyPI: should support JSON API for package metadata', async () => {
--- a/test/test.rubygems.nativecli.node.ts
+++ b/test/test.rubygems.nativecli.node.ts
@@ -0,0 +1,448 @@
 /**
 * Native gem CLI Testing
 * Tests the RubyGems registry implementation using the actual gem CLI
 */
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import { tapNodeTools } from '@git.zone/tstest/tapbundle_serverside';
 import { SmartRegistry } from '../ts/index.js';
 import { createTestRegistry, createTestTokens, createRubyGem } from './helpers/registry.js';
 import type { IRequestContext, IResponse } from '../ts/core/interfaces.core.js';
 import * as http from 'http';
 import * as url from 'url';
 import * as fs from 'fs';
 import * as path from 'path';
 // Test context
 let registry: SmartRegistry;
 let server: http.Server;
 let registryUrl: string;
 let registryPort: number;
 let rubygemsToken: string;
 let testDir: string;
 let gemHome: string;
 /**
 * Create HTTP server wrapper around SmartRegistry
 */
 async function createHttpServer(
  registryInstance: SmartRegistry,
  port: number
 ): Promise<{ server: http.Server; url: string }> {
  return new Promise((resolve, reject) => {
    const httpServer = http.createServer(async (req, res) => {
      try {
        // Parse request
        const parsedUrl = url.parse(req.url || '', true);
        const pathname = parsedUrl.pathname || '/';
        const query = parsedUrl.query;
        // Read body
        const chunks: Buffer[] = [];
        for await (const chunk of req) {
          chunks.push(chunk);
        }
        const bodyBuffer = Buffer.concat(chunks);
        // Parse body based on content type
        let body: any;
        if (bodyBuffer.length > 0) {
          const contentType = req.headers['content-type'] || '';
          if (contentType.includes('application/json')) {
            try {
              body = JSON.parse(bodyBuffer.toString('utf-8'));
            } catch (error) {
              body = bodyBuffer;
            }
          } else {
            body = bodyBuffer;
          }
        }
        // Convert to IRequestContext
        const context: IRequestContext = {
          method: req.method || 'GET',
          path: pathname,
          headers: req.headers as Record<string, string>,
          query: query as Record<string, string>,
          body: body,
        };
        // Handle request
        const response: IResponse = await registryInstance.handleRequest(context);
        // Convert IResponse to HTTP response
        res.statusCode = response.status;
        // Set headers
        for (const [key, value] of Object.entries(response.headers || {})) {
          res.setHeader(key, value);
        }
        // Send body
        if (response.body) {
          if (Buffer.isBuffer(response.body)) {
            res.end(response.body);
          } else if (typeof response.body === 'string') {
            res.end(response.body);
          } else {
            res.setHeader('Content-Type', 'application/json');
            res.end(JSON.stringify(response.body));
          }
        } else {
          res.end();
        }
      } catch (error) {
        console.error('Server error:', error);
        res.statusCode = 500;
        res.setHeader('Content-Type', 'application/json');
        res.end(JSON.stringify({ error: 'INTERNAL_ERROR', message: String(error) }));
      }
    });
    httpServer.listen(port, () => {
      const serverUrl = `http://localhost:${port}`;
      resolve({ server: httpServer, url: serverUrl });
    });
    httpServer.on('error', reject);
  });
 }
 /**
 * Setup gem credentials file
 * Format: YAML with :rubygems_api_key: TOKEN
 */
 function setupGemCredentials(token: string, gemHomeArg: string): string {
  const gemDir = path.join(gemHomeArg, '.gem');
  fs.mkdirSync(gemDir, { recursive: true });
  // Create credentials file in YAML format
  const credentialsContent = `:rubygems_api_key: ${token}\n`;
  const credentialsPath = path.join(gemDir, 'credentials');
  fs.writeFileSync(credentialsPath, credentialsContent, 'utf-8');
  // Set restrictive permissions (gem requires 0600)
  fs.chmodSync(credentialsPath, 0o600);
  return credentialsPath;
 }
 /**
 * Create a test gem file
 */
 async function createTestGemFile(
  gemName: string,
  version: string,
  targetDir: string
 ): Promise<string> {
  const gemData = await createRubyGem(gemName, version);
  const gemFilename = `${gemName}-${version}.gem`;
  const gemPath = path.join(targetDir, gemFilename);
  fs.writeFileSync(gemPath, gemData);
  return gemPath;
 }
 /**
 * Run gem command with proper environment
 */
 async function runGemCommand(
  command: string,
  cwd: string,
  includeAuth: boolean = true
 ): Promise<{ stdout: string; stderr: string; exitCode: number }> {
  // Prepare environment variables
  const envVars = [
    `HOME="${gemHome}"`,
    `GEM_HOME="${gemHome}"`,
    includeAuth ? '' : 'RUBYGEMS_API_KEY=""',
  ].filter(Boolean).join(' ');
  // Build command with cd to correct directory and environment variables
  const fullCommand = `cd "${cwd}" && ${envVars} ${command}`;
  try {
    const result = await tapNodeTools.runCommand(fullCommand);
    return {
      stdout: result.stdout || '',
      stderr: result.stderr || '',
      exitCode: result.exitCode || 0,
    };
  } catch (error: any) {
    return {
      stdout: error.stdout || '',
      stderr: error.stderr || String(error),
      exitCode: error.exitCode || 1,
    };
  }
 }
 /**
 * Cleanup test directory
 */
 function cleanupTestDir(dir: string): void {
  if (fs.existsSync(dir)) {
    fs.rmSync(dir, { recursive: true, force: true });
  }
 }
 // ========================================================================
 // TESTS
 // ========================================================================
 tap.test('RubyGems CLI: should setup registry and HTTP server', async () => {
  // Create registry
  registry = await createTestRegistry();
  const tokens = await createTestTokens(registry);
  rubygemsToken = tokens.rubygemsToken;
  expect(registry).toBeInstanceOf(SmartRegistry);
  expect(rubygemsToken).toBeTypeOf('string');
  // Use port 36000 (avoids npm:35000, cargo:5000 conflicts)
  registryPort = 36000;
  const serverSetup = await createHttpServer(registry, registryPort);
  server = serverSetup.server;
  registryUrl = serverSetup.url;
  expect(server).toBeDefined();
  expect(registryUrl).toEqual(`http://localhost:${registryPort}`);
  // Setup test directory
  testDir = path.join(process.cwd(), '.nogit', 'test-rubygems-cli');
  cleanupTestDir(testDir);
  fs.mkdirSync(testDir, { recursive: true });
  // Setup GEM_HOME
  gemHome = path.join(testDir, '.gem-home');
  fs.mkdirSync(gemHome, { recursive: true });
  // Setup gem credentials
  const credentialsPath = setupGemCredentials(rubygemsToken, gemHome);
  expect(fs.existsSync(credentialsPath)).toEqual(true);
  // Verify credentials file has correct permissions
  const stats = fs.statSync(credentialsPath);
  const mode = stats.mode & 0o777;
  expect(mode).toEqual(0o600);
 });
 tap.test('RubyGems CLI: should verify server is responding', async () => {
  // Check server is up by doing a direct HTTP request to the Compact Index
  const response = await fetch(`${registryUrl}/rubygems/versions`);
  expect(response.status).toBeGreaterThanOrEqual(200);
  expect(response.status).toBeLessThan(500);
 });
 tap.test('RubyGems CLI: should build and push a gem', async () => {
  const gemName = 'test-gem-cli';
  const version = '1.0.0';
  const gemPath = await createTestGemFile(gemName, version, testDir);
  expect(fs.existsSync(gemPath)).toEqual(true);
  const result = await runGemCommand(
    `gem push ${gemPath} --host ${registryUrl}/rubygems`,
    testDir
  );
  console.log('gem push output:', result.stdout);
  console.log('gem push stderr:', result.stderr);
  expect(result.exitCode).toEqual(0);
  expect(result.stdout || result.stderr).toContain(gemName);
 });
 tap.test('RubyGems CLI: should verify gem in Compact Index /versions', async () => {
  const gemName = 'test-gem-cli';
  const response = await fetch(`${registryUrl}/rubygems/versions`);
  expect(response.status).toEqual(200);
  const versionsData = await response.text();
  console.log('Versions data:', versionsData);
  // Format: GEMNAME VERSION[,VERSION...] MD5
  expect(versionsData).toContain(gemName);
  expect(versionsData).toContain('1.0.0');
 });
 tap.test('RubyGems CLI: should verify gem in Compact Index /info file', async () => {
  const gemName = 'test-gem-cli';
  const response = await fetch(`${registryUrl}/rubygems/info/${gemName}`);
  expect(response.status).toEqual(200);
  const infoData = await response.text();
  console.log('Info data:', infoData);
  // Format: VERSION [DEPS]|REQS
  expect(infoData).toContain('1.0.0');
 });
 tap.test('RubyGems CLI: should download gem file', async () => {
  const gemName = 'test-gem-cli';
  const version = '1.0.0';
  const response = await fetch(`${registryUrl}/rubygems/gems/${gemName}-${version}.gem`);
  expect(response.status).toEqual(200);
  const gemData = await response.arrayBuffer();
  expect(gemData.byteLength).toBeGreaterThan(0);
  // Verify content type
  expect(response.headers.get('content-type')).toContain('application/octet-stream');
 });
 tap.test('RubyGems CLI: should fetch gem metadata JSON', async () => {
  const gemName = 'test-gem-cli';
  const response = await fetch(`${registryUrl}/rubygems/api/v1/versions/${gemName}.json`);
  expect(response.status).toEqual(200);
  const metadata = await response.json();
  console.log('Metadata:', metadata);
  expect(metadata).toBeInstanceOf(Array);
  expect(metadata.length).toBeGreaterThan(0);
  expect(metadata[0].number).toEqual('1.0.0');
 });
 tap.test('RubyGems CLI: should push second version', async () => {
  const gemName = 'test-gem-cli';
  const version = '2.0.0';
  const gemPath = await createTestGemFile(gemName, version, testDir);
  const result = await runGemCommand(
    `gem push ${gemPath} --host ${registryUrl}/rubygems`,
    testDir
  );
  console.log('gem push v2.0.0 output:', result.stdout);
  expect(result.exitCode).toEqual(0);
 });
 tap.test('RubyGems CLI: should list all versions in /versions file', async () => {
  const gemName = 'test-gem-cli';
  const response = await fetch(`${registryUrl}/rubygems/versions`);
  expect(response.status).toEqual(200);
  const versionsData = await response.text();
  console.log('All versions data:', versionsData);
  // Should contain both versions
  expect(versionsData).toContain(gemName);
  expect(versionsData).toContain('1.0.0');
  expect(versionsData).toContain('2.0.0');
 });
 tap.test('RubyGems CLI: should yank a version', async () => {
  const gemName = 'test-gem-cli';
  const version = '1.0.0';
  const result = await runGemCommand(
    `gem yank ${gemName} -v ${version} --host ${registryUrl}/rubygems`,
    testDir
  );
  console.log('gem yank output:', result.stdout);
  console.log('gem yank stderr:', result.stderr);
  expect(result.exitCode).toEqual(0);
  // Verify version is yanked in /versions file
  // Yanked versions are prefixed with '-'
  const response = await fetch(`${registryUrl}/rubygems/versions`);
  const versionsData = await response.text();
  console.log('Versions after yank:', versionsData);
  // Yanked version should have '-' prefix
  expect(versionsData).toContain('-1.0.0');
 });
 tap.test('RubyGems CLI: should unyank a version', async () => {
  const gemName = 'test-gem-cli';
  const version = '1.0.0';
  const result = await runGemCommand(
    `gem yank ${gemName} -v ${version} --undo --host ${registryUrl}/rubygems`,
    testDir
  );
  console.log('gem unyank output:', result.stdout);
  console.log('gem unyank stderr:', result.stderr);
  expect(result.exitCode).toEqual(0);
  // Verify version is not yanked in /versions file
  const response = await fetch(`${registryUrl}/rubygems/versions`);
  const versionsData = await response.text();
  console.log('Versions after unyank:', versionsData);
  // Should not have '-' prefix anymore (or have both without prefix)
  // Check that we have the version without yank marker
  const lines = versionsData.trim().split('\n');
  const gemLine = lines.find(line => line.startsWith(gemName));
  if (gemLine) {
    // Parse format: "gemname version[,version...] md5"
    const parts = gemLine.split(' ');
    const versions = parts[1];
    // Should have 1.0.0 without '-' prefix
    expect(versions).toContain('1.0.0');
    expect(versions).not.toContain('-1.0.0');
  }
 });
 tap.test('RubyGems CLI: should fetch dependencies', async () => {
  const gemName = 'test-gem-cli';
  const response = await fetch(`${registryUrl}/rubygems/api/v1/dependencies?gems=${gemName}`);
  expect(response.status).toEqual(200);
  const dependencies = await response.json();
  console.log('Dependencies:', dependencies);
  expect(dependencies).toBeInstanceOf(Array);
 });
 tap.test('RubyGems CLI: should fail to push without auth', async () => {
  const gemName = 'unauth-gem';
  const version = '1.0.0';
  const gemPath = await createTestGemFile(gemName, version, testDir);
  // Run without auth
  const result = await runGemCommand(
    `gem push ${gemPath} --host ${registryUrl}/rubygems`,
    testDir,
    false
  );
  console.log('gem push unauth output:', result.stdout);
  console.log('gem push unauth stderr:', result.stderr);
  // Should fail with auth error
  expect(result.exitCode).not.toEqual(0);
 });
 tap.postTask('cleanup rubygems cli tests', async () => {
  // Stop server
  if (server) {
    await new Promise<void>((resolve) => {
      server.close(() => resolve());
    });
  }
  // Cleanup test directory
  if (testDir) {
    cleanupTestDir(testDir);
  }
  // Destroy registry
  if (registry) {
    registry.destroy();
  }
 });
 export default tap.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartregistry',
-  version: '1.8.0',
+  version: '2.1.2',
  description: 'A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries'
 }
--- a/ts/classes.smartregistry.ts
+++ b/ts/classes.smartregistry.ts
@@ -41,15 +41,19 @@ export class SmartRegistry {
    // Initialize OCI registry if enabled
    if (this.config.oci?.enabled) {
-      const ociBasePath = this.config.oci.basePath || '/oci';
+      const ociBasePath = this.config.oci.basePath ?? '/oci';
-      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath);
+      const ociTokens = this.config.auth.ociTokens?.enabled ? {
        realm: this.config.auth.ociTokens.realm,
        service: this.config.auth.ociTokens.service,
      } : undefined;
      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath, ociTokens);
      await ociRegistry.init();
      this.registries.set('oci', ociRegistry);
    }
    // Initialize NPM registry if enabled
    if (this.config.npm?.enabled) {
-      const npmBasePath = this.config.npm.basePath || '/npm';
+      const npmBasePath = this.config.npm.basePath ?? '/npm';
      const registryUrl = `http://localhost:5000${npmBasePath}`; // TODO: Make configurable
      const npmRegistry = new NpmRegistry(this.storage, this.authManager, npmBasePath, registryUrl);
      await npmRegistry.init();
@@ -58,7 +62,7 @@ export class SmartRegistry {
    // Initialize Maven registry if enabled
    if (this.config.maven?.enabled) {
-      const mavenBasePath = this.config.maven.basePath || '/maven';
+      const mavenBasePath = this.config.maven.basePath ?? '/maven';
      const registryUrl = `http://localhost:5000${mavenBasePath}`; // TODO: Make configurable
      const mavenRegistry = new MavenRegistry(this.storage, this.authManager, mavenBasePath, registryUrl);
      await mavenRegistry.init();
@@ -67,7 +71,7 @@ export class SmartRegistry {
    // Initialize Cargo registry if enabled
    if (this.config.cargo?.enabled) {
-      const cargoBasePath = this.config.cargo.basePath || '/cargo';
+      const cargoBasePath = this.config.cargo.basePath ?? '/cargo';
      const registryUrl = `http://localhost:5000${cargoBasePath}`; // TODO: Make configurable
      const cargoRegistry = new CargoRegistry(this.storage, this.authManager, cargoBasePath, registryUrl);
      await cargoRegistry.init();
@@ -76,7 +80,7 @@ export class SmartRegistry {
    // Initialize Composer registry if enabled
    if (this.config.composer?.enabled) {
-      const composerBasePath = this.config.composer.basePath || '/composer';
+      const composerBasePath = this.config.composer.basePath ?? '/composer';
      const registryUrl = `http://localhost:5000${composerBasePath}`; // TODO: Make configurable
      const composerRegistry = new ComposerRegistry(this.storage, this.authManager, composerBasePath, registryUrl);
      await composerRegistry.init();
@@ -85,7 +89,7 @@ export class SmartRegistry {
    // Initialize PyPI registry if enabled
    if (this.config.pypi?.enabled) {
-      const pypiBasePath = this.config.pypi.basePath || '/pypi';
+      const pypiBasePath = this.config.pypi.basePath ?? '/pypi';
      const registryUrl = `http://localhost:5000`; // TODO: Make configurable
      const pypiRegistry = new PypiRegistry(this.storage, this.authManager, pypiBasePath, registryUrl);
      await pypiRegistry.init();
@@ -94,7 +98,7 @@ export class SmartRegistry {
    // Initialize RubyGems registry if enabled
    if (this.config.rubygems?.enabled) {
-      const rubygemsBasePath = this.config.rubygems.basePath || '/rubygems';
+      const rubygemsBasePath = this.config.rubygems.basePath ?? '/rubygems';
      const registryUrl = `http://localhost:5000${rubygemsBasePath}`; // TODO: Make configurable
      const rubygemsRegistry = new RubyGemsRegistry(this.storage, this.authManager, rubygemsBasePath, registryUrl);
      await rubygemsRegistry.init();
@@ -153,7 +157,7 @@ export class SmartRegistry {
    // Route to PyPI registry (also handles /simple prefix)
    if (this.config.pypi?.enabled) {
-      const pypiBasePath = this.config.pypi.basePath || '/pypi';
+      const pypiBasePath = this.config.pypi.basePath ?? '/pypi';
      if (path.startsWith(pypiBasePath) || path.startsWith('/simple')) {
        const pypiRegistry = this.registries.get('pypi');
        if (pypiRegistry) {
--- a/ts/core/classes.authmanager.ts
+++ b/ts/core/classes.authmanager.ts
@@ -1,4 +1,5 @@
 import type { IAuthConfig, IAuthToken, ICredentials, TRegistryProtocol } from './interfaces.core.js';
 import * as crypto from 'crypto';
 /**
 * Unified authentication manager for all registry protocols
@@ -136,7 +137,7 @@ export class AuthManager {
   * @param userId - User ID
   * @param scopes - Permission scopes
   * @param expiresIn - Expiration time in seconds
-   * @returns JWT token string
+   * @returns JWT token string (HMAC-SHA256 signed)
   */
  public async createOciToken(
    userId: string,
@@ -158,9 +159,17 @@ export class AuthManager {
      access: this.scopesToOciAccess(scopes),
    };
-    // In production, use proper JWT library with signing
+    // Create JWT with HMAC-SHA256 signature
-    // For now, return JSON string (mock JWT)
+    const header = { alg: 'HS256', typ: 'JWT' };
-    return JSON.stringify(payload);
+    const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
    const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
    const signature = crypto
      .createHmac('sha256', this.config.jwtSecret)
      .update(`${headerB64}.${payloadB64}`)
      .digest('base64url');
    return `${headerB64}.${payloadB64}.${signature}`;
  }
  /**
@@ -170,8 +179,25 @@ export class AuthManager {
   */
  public async validateOciToken(jwt: string): Promise<IAuthToken | null> {
    try {
-      // In production, verify JWT signature
+      const parts = jwt.split('.');
-      const payload = JSON.parse(jwt);
+      if (parts.length !== 3) {
        return null;
      }
      const [headerB64, payloadB64, signatureB64] = parts;
      // Verify signature
      const expectedSignature = crypto
        .createHmac('sha256', this.config.jwtSecret)
        .update(`${headerB64}.${payloadB64}`)
        .digest('base64url');
      if (signatureB64 !== expectedSignature) {
        return null;
      }
      // Decode and parse payload
      const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf-8'));
      // Check expiration
      const now = Math.floor(Date.now() / 1000);
@@ -179,6 +205,11 @@ export class AuthManager {
        return null;
      }
      // Check not-before time
      if (payload.nbf && payload.nbf > now) {
        return null;
      }
      // Convert to unified token format
      const scopes = this.ociAccessToScopes(payload.access || []);
--- a/ts/core/interfaces.core.ts
+++ b/ts/core/interfaces.core.ts
@@ -158,6 +158,12 @@ export interface IRequestContext {
  headers: Record<string, string>;
  query: Record<string, string>;
  body?: any;
  /**
   * Raw request body as bytes. MUST be provided for content-addressable operations
   * (OCI manifests, blobs) to ensure digest calculation matches client expectations.
   * If not provided, falls back to 'body' field.
   */
  rawBody?: Buffer;
  token?: string;
 }
--- a/ts/oci/classes.ociregistry.ts
+++ b/ts/oci/classes.ociregistry.ts
@@ -20,12 +20,19 @@ export class OciRegistry extends BaseRegistry {
  private uploadSessions: Map<string, IUploadSession> = new Map();
  private basePath: string = '/oci';
  private cleanupInterval?: NodeJS.Timeout;
  private ociTokens?: { realm: string; service: string };
-  constructor(storage: RegistryStorage, authManager: AuthManager, basePath: string = '/oci') {
+  constructor(
    storage: RegistryStorage,
    authManager: AuthManager,
    basePath: string = '/oci',
    ociTokens?: { realm: string; service: string }
  ) {
    super();
    this.storage = storage;
    this.authManager = authManager;
    this.basePath = basePath;
    this.ociTokens = ociTokens;
  }
  public async init(): Promise<void> {
@@ -55,7 +62,9 @@ export class OciRegistry extends BaseRegistry {
    const manifestMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/manifests\/([^\/]+)$/);
    if (manifestMatch) {
      const [, name, reference] = manifestMatch;
-      return this.handleManifestRequest(context.method, name, reference, token, context.body, context.headers);
+      // Prefer rawBody for content-addressable operations to preserve exact bytes
      const bodyData = context.rawBody || context.body;
      return this.handleManifestRequest(context.method, name, reference, token, bodyData, context.headers);
    }
    // Blob operations: /v2/{name}/blobs/{digest}
@@ -69,7 +78,9 @@ export class OciRegistry extends BaseRegistry {
    const uploadInitMatch = path.match(/^\/v2\/([^\/]+(?:\/[^\/]+)*)\/blobs\/uploads\/?$/);
    if (uploadInitMatch && context.method === 'POST') {
      const [, name] = uploadInitMatch;
-      return this.handleUploadInit(name, token, context.query, context.body);
+      // Prefer rawBody for content-addressable operations to preserve exact bytes
      const bodyData = context.rawBody || context.body;
      return this.handleUploadInit(name, token, context.query, bodyData);
    }
    // Blob upload operations: /v2/{name}/blobs/uploads/{uuid}
@@ -180,11 +191,7 @@ export class OciRegistry extends BaseRegistry {
    body?: Buffer | any
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'push');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    // Check for monolithic upload (digest + body provided)
@@ -255,18 +262,17 @@ export class OciRegistry extends BaseRegistry {
    }
    if (!await this.checkPermission(token, session.repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(session.repository, 'push');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    // Prefer rawBody for content-addressable operations to preserve exact bytes
    const bodyData = context.rawBody || context.body;
    switch (method) {
      case 'PATCH':
-        return this.uploadChunk(uploadId, context.body, context.headers['content-range']);
+        return this.uploadChunk(uploadId, bodyData, context.headers['content-range']);
      case 'PUT':
-        return this.completeUpload(uploadId, context.query['digest'], context.body);
+        return this.completeUpload(uploadId, context.query['digest'], bodyData);
      case 'GET':
        return this.getUploadStatus(uploadId);
      default:
@@ -288,13 +294,7 @@ export class OciRegistry extends BaseRegistry {
    headers?: Record<string, string>
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
        status: 401,
        headers: {
          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:pull"`,
        },
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    // Resolve tag to digest if needed
@@ -336,11 +336,7 @@ export class OciRegistry extends BaseRegistry {
    token: IAuthToken | null
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedHeadResponse(repository, 'pull');
        status: 401,
        headers: {},
        body: null,
      };
    }
    // Similar logic as getManifest but return headers only
@@ -379,13 +375,7 @@ export class OciRegistry extends BaseRegistry {
    headers?: Record<string, string>
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'push');
        status: 401,
        headers: {
          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:push"`,
        },
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    if (!body) {
@@ -396,7 +386,18 @@ export class OciRegistry extends BaseRegistry {
      };
    }
-    const manifestData = Buffer.isBuffer(body) ? body : Buffer.from(JSON.stringify(body));
+    // Preserve raw bytes for accurate digest calculation
    // Per OCI spec, digest must match the exact bytes sent by client
    let manifestData: Buffer;
    if (Buffer.isBuffer(body)) {
      manifestData = body;
    } else if (typeof body === 'string') {
      // String body - convert directly without JSON transformation
      manifestData = Buffer.from(body, 'utf-8');
    } else {
      // Body was already parsed as JSON object - re-serialize as fallback
      manifestData = Buffer.from(JSON.stringify(body));
    }
    const contentType = headers?.['content-type'] || headers?.['Content-Type'] || 'application/vnd.oci.image.manifest.v1+json';
    // Calculate manifest digest
@@ -437,11 +438,7 @@ export class OciRegistry extends BaseRegistry {
    }
    if (!await this.checkPermission(token, repository, 'delete')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'delete');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    await this.storage.deleteOciManifest(repository, digest);
@@ -460,11 +457,7 @@ export class OciRegistry extends BaseRegistry {
    range?: string
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    const data = await this.storage.getOciBlob(digest);
@@ -492,7 +485,7 @@ export class OciRegistry extends BaseRegistry {
    token: IAuthToken | null
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return { status: 401, headers: {}, body: null };
+      return this.createUnauthorizedHeadResponse(repository, 'pull');
    }
    const exists = await this.storage.ociBlobExists(digest);
@@ -518,11 +511,7 @@ export class OciRegistry extends BaseRegistry {
    token: IAuthToken | null
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'delete')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'delete');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    await this.storage.deleteOciBlob(digest);
@@ -631,11 +620,7 @@ export class OciRegistry extends BaseRegistry {
    query: Record<string, string>
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    const tags = await this.getTagsData(repository);
@@ -660,11 +645,7 @@ export class OciRegistry extends BaseRegistry {
    query: Record<string, string>
  ): Promise<IResponse> {
    if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
        status: 401,
        headers: {},
        body: this.createError('DENIED', 'Insufficient permissions'),
      };
    }
    const response: IReferrersResponse = {
@@ -712,6 +693,37 @@ export class OciRegistry extends BaseRegistry {
    };
  }
  /**
   * Create an unauthorized response with proper WWW-Authenticate header.
   * Per OCI Distribution Spec, 401 responses MUST include WWW-Authenticate header.
   */
  private createUnauthorizedResponse(repository: string, action: string): IResponse {
    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
    const service = this.ociTokens?.service || 'registry';
    return {
      status: 401,
      headers: {
        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
      },
      body: this.createError('DENIED', 'Insufficient permissions'),
    };
  }
  /**
   * Create an unauthorized HEAD response (no body per HTTP spec).
   */
  private createUnauthorizedHeadResponse(repository: string, action: string): IResponse {
    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
    const service = this.ociTokens?.service || 'registry';
    return {
      status: 401,
      headers: {
        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
      },
      body: null,
    };
  }
  private startUploadSessionCleanup(): void {
    this.cleanupInterval = setInterval(() => {
      const now = new Date();
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@@ -4,11 +4,12 @@ import * as path from 'path';
 export { path };
 // @push.rocks scope
 import * as smartarchive from '@push.rocks/smartarchive';
 import * as smartbucket from '@push.rocks/smartbucket';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartpath from '@push.rocks/smartpath';
-export { smartbucket, smartlog, smartpath };
+export { smartarchive, smartbucket, smartlog, smartpath };
 // @tsclass scope
 import * as tsclass from '@tsclass/tsclass';
--- a/ts/pypi/classes.pypiregistry.ts
+++ b/ts/pypi/classes.pypiregistry.ts
@@ -85,14 +85,14 @@ export class PypiRegistry extends BaseRegistry {
      return this.handleUpload(context, token);
    }
-    // Package metadata JSON API: GET /pypi/{package}/json
+    // Package metadata JSON API: GET /{package}/json
-    const jsonMatch = path.match(/^\/pypi\/([^\/]+)\/json$/);
+    const jsonMatch = path.match(/^\/([^\/]+)\/json$/);
    if (jsonMatch && context.method === 'GET') {
      return this.handlePackageJson(jsonMatch[1]);
    }
-    // Version-specific JSON API: GET /pypi/{package}/{version}/json
+    // Version-specific JSON API: GET /{package}/{version}/json
-    const versionJsonMatch = path.match(/^\/pypi\/([^\/]+)\/([^\/]+)\/json$/);
+    const versionJsonMatch = path.match(/^\/([^\/]+)\/([^\/]+)\/json$/);
    if (versionJsonMatch && context.method === 'GET') {
      return this.handleVersionJson(versionJsonMatch[1], versionJsonMatch[2]);
    }
@@ -118,7 +118,7 @@ export class PypiRegistry extends BaseRegistry {
    return {
      status: 404,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({ message: 'Not Found' })),
+      body: { error: 'Not Found' },
    };
  }
@@ -185,7 +185,7 @@ export class PypiRegistry extends BaseRegistry {
          'Content-Type': 'application/vnd.pypi.simple.v1+json',
          'Cache-Control': 'public, max-age=600'
        },
-        body: Buffer.from(JSON.stringify(response)),
+        body: response,
      };
    } else {
      // PEP 503: HTML response
@@ -200,7 +200,7 @@ export class PypiRegistry extends BaseRegistry {
          'Content-Type': 'text/html; charset=utf-8',
          'Cache-Control': 'public, max-age=600'
        },
-        body: Buffer.from(html),
+        body: html,
      };
    }
  }
@@ -215,11 +215,7 @@ export class PypiRegistry extends BaseRegistry {
    // Get package metadata
    const metadata = await this.storage.getPypiPackageMetadata(normalized);
    if (!metadata) {
-      return {
+      return this.errorResponse(404, 'Package not found');
        status: 404,
        headers: { 'Content-Type': 'text/html; charset=utf-8' },
        body: Buffer.from('<html><body><h1>404 Not Found</h1></body></html>'),
      };
    }
    // Build file list from all versions
@@ -251,7 +247,7 @@ export class PypiRegistry extends BaseRegistry {
          'Content-Type': 'application/vnd.pypi.simple.v1+json',
          'Cache-Control': 'public, max-age=300'
        },
-        body: Buffer.from(JSON.stringify(response)),
+        body: response,
      };
    } else {
      // PEP 503: HTML response
@@ -266,7 +262,7 @@ export class PypiRegistry extends BaseRegistry {
          'Content-Type': 'text/html; charset=utf-8',
          'Cache-Control': 'public, max-age=300'
        },
-        body: Buffer.from(html),
+        body: html,
      };
    }
  }
@@ -315,7 +311,7 @@ export class PypiRegistry extends BaseRegistry {
          'Content-Type': 'application/json',
          'WWW-Authenticate': 'Basic realm="PyPI"'
        },
-        body: Buffer.from(JSON.stringify({ message: 'Authentication required' })),
+        body: { error: 'Authentication required' },
      };
    }
@@ -327,11 +323,13 @@ export class PypiRegistry extends BaseRegistry {
        return this.errorResponse(400, 'Invalid upload request');
      }
-      // Extract required fields
+      // Extract required fields - support both nested and flat body formats
      const packageName = formData.name;
      const version = formData.version;
-      const filename = formData.content?.filename;
+      // Support both: formData.content.filename (multipart parsed) and formData.filename (flat)
-      const fileData = formData.content?.data as Buffer;
+      const filename = formData.content?.filename || formData.filename;
      // Support both: formData.content.data (multipart parsed) and formData.content (Buffer directly)
      const fileData = (formData.content?.data || (Buffer.isBuffer(formData.content) ? formData.content : null)) as Buffer;
      const filetype = formData.filetype; // 'bdist_wheel' or 'sdist'
      const pyversion = formData.pyversion;
@@ -431,12 +429,12 @@ export class PypiRegistry extends BaseRegistry {
      });
      return {
-        status: 200,
+        status: 201,
        headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({
+        body: {
          message: 'Package uploaded successfully',
          url: `${this.registryUrl}/pypi/packages/${normalized}/${filename}`
-        })),
+        },
      };
    } catch (error) {
      this.logger.log('error', 'Upload failed', { error: (error as Error).message });
@@ -455,7 +453,7 @@ export class PypiRegistry extends BaseRegistry {
      return {
        status: 404,
        headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({ message: 'File not found' })),
+        body: { error: 'File not found' },
      };
    }
@@ -472,6 +470,7 @@ export class PypiRegistry extends BaseRegistry {
  /**
   * Handle package JSON API (all versions)
   * Returns format compatible with official PyPI JSON API
   */
  private async handlePackageJson(packageName: string): Promise<IResponse> {
    const normalized = helpers.normalizePypiPackageName(packageName);
@@ -481,18 +480,67 @@ export class PypiRegistry extends BaseRegistry {
      return this.errorResponse(404, 'Package not found');
    }
    // Find latest version for info
    const versions = Object.keys(metadata.versions || {});
    const latestVersion = versions.length > 0 ? versions[versions.length - 1] : null;
    const latestMeta = latestVersion ? metadata.versions[latestVersion] : null;
    // Build URLs array from latest version files
    const urls = latestMeta?.files?.map((file: any) => ({
      filename: file.filename,
      url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
      digests: file.hashes,
      requires_python: file['requires-python'],
      size: file.size,
      upload_time: file['upload-time'],
      packagetype: file.filetype,
      python_version: file.python_version,
    })) || [];
    // Build releases object
    const releases: Record<string, any[]> = {};
    for (const [ver, verMeta] of Object.entries(metadata.versions || {})) {
      releases[ver] = (verMeta as any).files?.map((file: any) => ({
        filename: file.filename,
        url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
        digests: file.hashes,
        requires_python: file['requires-python'],
        size: file.size,
        upload_time: file['upload-time'],
        packagetype: file.filetype,
        python_version: file.python_version,
      })) || [];
    }
    const response = {
      info: {
        name: normalized,
        version: latestVersion,
        summary: latestMeta?.metadata?.summary,
        description: latestMeta?.metadata?.description,
        author: latestMeta?.metadata?.author,
        author_email: latestMeta?.metadata?.['author-email'],
        license: latestMeta?.metadata?.license,
        requires_python: latestMeta?.files?.[0]?.['requires-python'],
        ...latestMeta?.metadata,
      },
      urls,
      releases,
    };
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/json',
        'Cache-Control': 'public, max-age=300'
      },
-      body: Buffer.from(JSON.stringify(metadata)),
+      body: response,
    };
  }
  /**
   * Handle version-specific JSON API
   * Returns format compatible with official PyPI JSON API
   */
  private async handleVersionJson(packageName: string, version: string): Promise<IResponse> {
    const normalized = helpers.normalizePypiPackageName(packageName);
@@ -502,13 +550,42 @@ export class PypiRegistry extends BaseRegistry {
      return this.errorResponse(404, 'Version not found');
    }
    const verMeta = metadata.versions[version];
    // Build URLs array from version files
    const urls = verMeta.files?.map((file: any) => ({
      filename: file.filename,
      url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
      digests: file.hashes,
      requires_python: file['requires-python'],
      size: file.size,
      upload_time: file['upload-time'],
      packagetype: file.filetype,
      python_version: file.python_version,
    })) || [];
    const response = {
      info: {
        name: normalized,
        version,
        summary: verMeta.metadata?.summary,
        description: verMeta.metadata?.description,
        author: verMeta.metadata?.author,
        author_email: verMeta.metadata?.['author-email'],
        license: verMeta.metadata?.license,
        requires_python: verMeta.files?.[0]?.['requires-python'],
        ...verMeta.metadata,
      },
      urls,
    };
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/json',
        'Cache-Control': 'public, max-age=300'
      },
-      body: Buffer.from(JSON.stringify(metadata.versions[version])),
+      body: response,
    };
  }
@@ -570,11 +647,11 @@ export class PypiRegistry extends BaseRegistry {
   * Helper: Create error response
   */
  private errorResponse(status: number, message: string): IResponse {
-    const error: IPypiError = { message, status };
+    const error: IPypiError = { error: message, status };
    return {
      status,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(error)),
+      body: error,
    };
  }
 }
--- a/ts/pypi/interfaces.pypi.ts
+++ b/ts/pypi/interfaces.pypi.ts
@@ -244,7 +244,7 @@ export interface IPypiUploadResponse {
 */
 export interface IPypiError {
  /** Error message */
-  message: string;
+  error: string;
  /** HTTP status code */
  status?: number;
  /** Additional error details */
--- a/ts/rubygems/classes.rubygemsregistry.ts
+++ b/ts/rubygems/classes.rubygemsregistry.ts
@@ -85,7 +85,7 @@ export class RubyGemsRegistry extends BaseRegistry {
    // Compact Index endpoints
    if (path === '/versions' && context.method === 'GET') {
-      return this.handleVersionsFile();
+      return this.handleVersionsFile(context);
    }
    if (path === '/names' && context.method === 'GET') {
@@ -104,15 +104,30 @@ export class RubyGemsRegistry extends BaseRegistry {
      return this.handleDownload(downloadMatch[1]);
    }
    // Legacy specs endpoints (Marshal format)
    if (path === '/specs.4.8.gz' && context.method === 'GET') {
      return this.handleSpecs(false);
    }
    if (path === '/latest_specs.4.8.gz' && context.method === 'GET') {
      return this.handleSpecs(true);
    }
    // Quick gemspec endpoint: GET /quick/Marshal.4.8/{gem}-{version}.gemspec.rz
    const quickMatch = path.match(/^\/quick\/Marshal\.4\.8\/(.+)\.gemspec\.rz$/);
    if (quickMatch && context.method === 'GET') {
      return this.handleQuickGemspec(quickMatch[1]);
    }
    // API v1 endpoints
    if (path.startsWith('/api/v1/')) {
-      return this.handleApiRequest(path.substring(8), context, token);
+      return this.handleApiRequest(path.substring(7), context, token);
    }
    return {
      status: 404,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({ message: 'Not Found' })),
+      body: { error: 'Not Found' },
    };
  }
@@ -141,20 +156,36 @@ export class RubyGemsRegistry extends BaseRegistry {
  /**
   * Handle /versions endpoint (Compact Index)
   * Supports conditional GET with If-None-Match header
   */
-  private async handleVersionsFile(): Promise<IResponse> {
+  private async handleVersionsFile(context: IRequestContext): Promise<IResponse> {
    const content = await this.storage.getRubyGemsVersions();
    if (!content) {
      return this.errorResponse(500, 'Versions file not initialized');
    }
    const etag = `"${await helpers.calculateMD5(content)}"`;
    // Handle conditional GET with If-None-Match
    const ifNoneMatch = context.headers['if-none-match'] || context.headers['If-None-Match'];
    if (ifNoneMatch && ifNoneMatch === etag) {
      return {
        status: 304,
        headers: {
          'ETag': etag,
          'Cache-Control': 'public, max-age=60',
        },
        body: null,
      };
    }
    return {
      status: 200,
      headers: {
        'Content-Type': 'text/plain; charset=utf-8',
        'Cache-Control': 'public, max-age=60',
-        'ETag': `"${await helpers.calculateMD5(content)}"`
+        'ETag': etag
      },
      body: Buffer.from(content),
    };
@@ -289,14 +320,23 @@ export class RubyGemsRegistry extends BaseRegistry {
        return this.errorResponse(400, 'No gem file provided');
      }
-      // For now, we expect metadata in query params or headers
+      // Try to get metadata from query params or headers first
-      // Full implementation would parse .gem file (tar + gzip + Marshal)
+      let gemName = context.query?.name || context.headers['x-gem-name'] as string | undefined;
-      const gemName = context.query?.name || context.headers['x-gem-name'];
+      let version = context.query?.version || context.headers['x-gem-version'] as string | undefined;
-      const version = context.query?.version || context.headers['x-gem-version'];
+      let platform = context.query?.platform || context.headers['x-gem-platform'] as string | undefined;
-      const platform = context.query?.platform || context.headers['x-gem-platform'];
+
      // If not provided, try to extract from gem binary
      if (!gemName || !version || !platform) {
        const extracted = await helpers.extractGemMetadata(gemData);
        if (extracted) {
          gemName = gemName || extracted.name;
          version = version || extracted.version;
          platform = platform || extracted.platform;
        }
      }
      if (!gemName || !version) {
-        return this.errorResponse(400, 'Gem name and version required');
+        return this.errorResponse(400, 'Gem name and version required (provide in query, headers, or valid gem format)');
      }
      // Validate gem name
@@ -351,13 +391,13 @@ export class RubyGemsRegistry extends BaseRegistry {
      });
      return {
-        status: 200,
+        status: 201,
        headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({
+        body: {
          message: 'Gem uploaded successfully',
          name: gemName,
          version,
-        })),
+        },
      };
    } catch (error) {
      this.logger.log('error', 'Upload failed', { error: (error as Error).message });
@@ -409,10 +449,10 @@ export class RubyGemsRegistry extends BaseRegistry {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({
+      body: {
        success: true,
        message: 'Gem yanked successfully'
-      })),
+      },
    };
  }
@@ -459,10 +499,10 @@ export class RubyGemsRegistry extends BaseRegistry {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({
+      body: {
        success: true,
        message: 'Gem unyanked successfully'
-      })),
+      },
    };
  }
@@ -489,7 +529,7 @@ export class RubyGemsRegistry extends BaseRegistry {
        'Content-Type': 'application/json',
        'Cache-Control': 'public, max-age=300'
      },
-      body: Buffer.from(JSON.stringify(response)),
+      body: response,
    };
  }
@@ -517,7 +557,7 @@ export class RubyGemsRegistry extends BaseRegistry {
    return {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(response)),
+      body: response,
    };
  }
@@ -584,15 +624,109 @@ export class RubyGemsRegistry extends BaseRegistry {
    }
  }
  /**
   * Handle /specs.4.8.gz and /latest_specs.4.8.gz endpoints
   * Returns gzipped Marshal array of [name, version, platform] tuples
   * @param latestOnly - If true, only return latest version of each gem
   */
  private async handleSpecs(latestOnly: boolean): Promise<IResponse> {
    try {
      const names = await this.storage.getRubyGemsNames();
      if (!names) {
        return {
          status: 200,
          headers: {
            'Content-Type': 'application/octet-stream',
          },
          body: await helpers.generateSpecsGz([]),
        };
      }
      const gemNames = names.split('\n').filter(l => l && l !== '---');
      const specs: Array<[string, string, string]> = [];
      for (const gemName of gemNames) {
        const metadata = await this.storage.getRubyGemsMetadata(gemName);
        if (!metadata) continue;
        const versions = (Object.values(metadata.versions) as IRubyGemsVersionMetadata[])
          .filter(v => !v.yanked)
          .sort((a, b) => {
            // Sort by version descending
            return b.version.localeCompare(a.version, undefined, { numeric: true });
          });
        if (latestOnly && versions.length > 0) {
          // Only include latest version
          const latest = versions[0];
          specs.push([gemName, latest.version, latest.platform || 'ruby']);
        } else {
          // Include all versions
          for (const v of versions) {
            specs.push([gemName, v.version, v.platform || 'ruby']);
          }
        }
      }
      const gzippedSpecs = await helpers.generateSpecsGz(specs);
      return {
        status: 200,
        headers: {
          'Content-Type': 'application/octet-stream',
        },
        body: gzippedSpecs,
      };
    } catch (error) {
      this.logger.log('error', 'Failed to generate specs', { error: (error as Error).message });
      return this.errorResponse(500, 'Failed to generate specs');
    }
  }
  /**
   * Handle /quick/Marshal.4.8/{gem}-{version}.gemspec.rz endpoint
   * Returns compressed gemspec for a specific gem version
   * @param gemVersionStr - Gem name and version string (e.g., "rails-7.0.0" or "rails-7.0.0-x86_64-linux")
   */
  private async handleQuickGemspec(gemVersionStr: string): Promise<IResponse> {
    // Parse the gem-version string
    const parsed = helpers.parseGemFilename(gemVersionStr + '.gem');
    if (!parsed) {
      return this.errorResponse(400, 'Invalid gemspec path');
    }
    const metadata = await this.storage.getRubyGemsMetadata(parsed.name);
    if (!metadata) {
      return this.errorResponse(404, 'Gem not found');
    }
    const versionKey = parsed.platform ? `${parsed.version}-${parsed.platform}` : parsed.version;
    const versionMeta = metadata.versions[versionKey];
    if (!versionMeta) {
      return this.errorResponse(404, 'Version not found');
    }
    // Generate a minimal gemspec representation
    const gemspecData = await helpers.generateGemspecRz(parsed.name, versionMeta);
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/octet-stream',
      },
      body: gemspecData,
    };
  }
  /**
   * Helper: Create error response
   */
  private errorResponse(status: number, message: string): IResponse {
-    const error: IRubyGemsError = { message, status };
+    const error: IRubyGemsError = { error: message, status };
    return {
      status,
      headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(error)),
+      body: error,
    };
  }
 }
--- a/ts/rubygems/helpers.rubygems.ts
+++ b/ts/rubygems/helpers.rubygems.ts
@@ -3,6 +3,8 @@
 * Compact Index generation, dependency formatting, etc.
 */
 import * as plugins from '../plugins.js';
 import type {
  IRubyGemsVersion,
  IRubyGemsDependency,
@@ -396,3 +398,176 @@ export async function extractGemSpec(gemData: Buffer): Promise<any | null> {
    return null;
  }
 }
 /**
 * Extract basic metadata from a gem file
 * Gem files are plain tar archives (NOT gzipped) containing:
 * - metadata.gz: gzipped YAML with gem specification
 * - data.tar.gz: gzipped tar with actual gem files
 * This function extracts and parses the metadata.gz to get name/version/platform
 * @param gemData - Gem file data
 * @returns Extracted metadata or null
 */
 export async function extractGemMetadata(gemData: Buffer): Promise<{
  name: string;
  version: string;
  platform?: string;
 } | null> {
  try {
    // Step 1: Extract the plain tar archive to get metadata.gz
    const smartArchive = plugins.smartarchive.SmartArchive.create();
    const files = await smartArchive.buffer(gemData).toSmartFiles();
    // Find metadata.gz
    const metadataFile = files.find(f => f.path === 'metadata.gz' || f.relative === 'metadata.gz');
    if (!metadataFile) {
      return null;
    }
    // Step 2: Decompress the gzipped metadata
    const gzipTools = new plugins.smartarchive.GzipTools();
    const metadataYaml = await gzipTools.decompress(metadataFile.contentBuffer);
    const yamlContent = metadataYaml.toString('utf-8');
    // Step 3: Parse the YAML to extract name, version, platform
    // Look for name: field in YAML
    const nameMatch = yamlContent.match(/name:\s*([^\n\r]+)/);
    // Look for version in Ruby YAML format: version: !ruby/object:Gem::Version\n  version: X.X.X
    const versionMatch = yamlContent.match(/version:\s*!ruby\/object:Gem::Version[\s\S]*?version:\s*['"]?([^'"\n\r]+)/);
    // Also try simpler version format
    const simpleVersionMatch = !versionMatch ? yamlContent.match(/^version:\s*['"]?(\d[^'"\n\r]*)/m) : null;
    // Look for platform
    const platformMatch = yamlContent.match(/platform:\s*([^\n\r]+)/);
    const name = nameMatch?.[1]?.trim();
    const version = versionMatch?.[1]?.trim() || simpleVersionMatch?.[1]?.trim();
    const platform = platformMatch?.[1]?.trim();
    if (name && version) {
      return {
        name,
        version,
        platform: platform && platform !== 'ruby' ? platform : undefined,
      };
    }
    return null;
  } catch (error) {
    // Log error for debugging but return null gracefully
    console.error('Failed to extract gem metadata:', error);
    return null;
  }
 }
 /**
 * Generate gzipped specs array for /specs.4.8.gz and /latest_specs.4.8.gz
 * The format is a gzipped Ruby Marshal array of [name, version, platform] tuples
 * Since we can't easily generate Ruby Marshal format, we'll use a simple format
 * that represents the same data structure as a gzipped binary blob
 * @param specs - Array of [name, version, platform] tuples
 * @returns Gzipped specs data
 */
 export async function generateSpecsGz(specs: Array<[string, string, string]>): Promise<Buffer> {
  const gzipTools = new plugins.smartarchive.GzipTools();
  // Create a simplified binary representation
  // Real RubyGems uses Ruby Marshal format, but for compatibility we'll create
  // a gzipped representation that tools can recognize as valid
  // Format: Simple binary encoding of specs array
  // Each spec: name_length(2 bytes) + name + version_length(2 bytes) + version + platform_length(2 bytes) + platform
  const parts: Buffer[] = [];
  // Header: number of specs (4 bytes)
  const headerBuf = Buffer.alloc(4);
  headerBuf.writeUInt32LE(specs.length, 0);
  parts.push(headerBuf);
  for (const [name, version, platform] of specs) {
    const nameBuf = Buffer.from(name, 'utf-8');
    const versionBuf = Buffer.from(version, 'utf-8');
    const platformBuf = Buffer.from(platform, 'utf-8');
    const nameLenBuf = Buffer.alloc(2);
    nameLenBuf.writeUInt16LE(nameBuf.length, 0);
    const versionLenBuf = Buffer.alloc(2);
    versionLenBuf.writeUInt16LE(versionBuf.length, 0);
    const platformLenBuf = Buffer.alloc(2);
    platformLenBuf.writeUInt16LE(platformBuf.length, 0);
    parts.push(nameLenBuf, nameBuf, versionLenBuf, versionBuf, platformLenBuf, platformBuf);
  }
  const uncompressed = Buffer.concat(parts);
  return gzipTools.compress(uncompressed);
 }
 /**
 * Generate compressed gemspec for /quick/Marshal.4.8/{gem}-{version}.gemspec.rz
 * The format is a zlib-compressed Ruby Marshal representation of the gemspec
 * Since we can't easily generate Ruby Marshal, we'll create a simplified format
 * @param name - Gem name
 * @param versionMeta - Version metadata
 * @returns Zlib-compressed gemspec data
 */
 export async function generateGemspecRz(
  name: string,
  versionMeta: {
    version: string;
    platform?: string;
    checksum: string;
    dependencies?: Array<{ name: string; requirement: string }>;
  }
 ): Promise<Buffer> {
  const zlib = await import('zlib');
  const { promisify } = await import('util');
  const deflate = promisify(zlib.deflate);
  // Create a YAML-like representation that can be parsed
  const gemspecYaml = `--- !ruby/object:Gem::Specification
 name: ${name}
 version: !ruby/object:Gem::Version
  version: ${versionMeta.version}
 platform: ${versionMeta.platform || 'ruby'}
 authors: []
 date: ${new Date().toISOString().split('T')[0]}
 dependencies: []
 description:
 email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files: []
 homepage:
 licenses: []
 metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
    - !ruby/object:Gem::Version
      version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
    - !ruby/object:Gem::Version
      version: '0'
 requirements: []
 rubygems_version: 3.0.0
 signing_key:
 specification_version: 4
 summary:
 test_files: []
 `;
  // Use zlib deflate (not gzip) for .rz files
  return deflate(Buffer.from(gemspecYaml, 'utf-8'));
 }
--- a/ts/rubygems/interfaces.rubygems.ts
+++ b/ts/rubygems/interfaces.rubygems.ts
@@ -211,7 +211,7 @@ export interface IRubyGemsDependenciesResponse {
 */
 export interface IRubyGemsError {
  /** Error message */
-  message: string;
+  error: string;
  /** HTTP status code */
  status?: number;
 }
Author	SHA1	Message	Date
Juergen Kunz	67188a4e9f	v2.1.2 Some checks failed Default (tags) / security (push) Successful in 39s Details Default (tags) / test (push) Failing after 36s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 17:15:47 +00:00
Juergen Kunz	a2f7f43027	fix(oci): Prefer raw request body for content-addressable OCI operations and expose rawBody on request context	2025-11-25 17:15:47 +00:00
Juergen Kunz	37a89239d9	v2.1.1 Some checks failed Default (tags) / security (push) Successful in 35s Details Default (tags) / test (push) Failing after 36s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 16:59:37 +00:00
Juergen Kunz	93fee289e7	fix(oci): Preserve raw manifest bytes for digest calculation and handle string/JSON manifest bodies in OCI registry	2025-11-25 16:59:37 +00:00
Juergen Kunz	30fd9a4238	v2.1.0 Some checks failed Default (tags) / security (push) Successful in 47s Details Default (tags) / test (push) Failing after 48s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 16:48:08 +00:00
Juergen Kunz	3b5bf5e789	feat(oci): Support configurable OCI token realm/service and centralize unauthorized responses	2025-11-25 16:48:08 +00:00
Juergen Kunz	9b92e1c0d2	v2.0.0 Some checks failed Default (tags) / security (push) Successful in 49s Details Default (tags) / test (push) Failing after 50s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 15:07:59 +00:00
Juergen Kunz	6291ebf79b	BREAKING CHANGE(pypi,rubygems): Revise PyPI and RubyGems handling: normalize error payloads, fix .gem parsing/packing, adjust PyPI JSON API and tests, and export smartarchive plugin	2025-11-25 15:07:59 +00:00
Juergen Kunz	fcd95677a0	v1.9.0 Some checks failed Default (tags) / security (push) Successful in 51s Details Default (tags) / test (push) Failing after 52s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-11-25 14:28:19 +00:00
Juergen Kunz	547c262578	feat(auth): Implement HMAC-SHA256 OCI JWTs; enhance PyPI & RubyGems uploads and normalize responses	2025-11-25 14:28:19 +00:00