v2.1.1

changelog.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## 2025-11-25 - 2.1.1 - fix(oci)
+Preserve raw manifest bytes for digest calculation and handle string/JSON manifest bodies in OCI registry
+
+- Preserve the exact bytes of the manifest payload when computing the sha256 digest to comply with the OCI spec and avoid mismatches caused by re-serialization.
+- Accept string request bodies (converted using UTF-8) and treat already-parsed JSON objects by re-serializing as a fallback.
+- Keep existing content-type fallback logic while ensuring accurate digest calculation prior to storing manifests.
+
+## 2025-11-25 - 2.1.0 - feat(oci)
+Support configurable OCI token realm/service and centralize unauthorized responses
+
+- SmartRegistry now forwards optional ociTokens (realm and service) from auth configuration to OciRegistry when OCI is enabled
+- OciRegistry constructor accepts an optional ociTokens parameter and stores it for use in auth headers
+- Replaced repeated construction of WWW-Authenticate headers with createUnauthorizedResponse and createUnauthorizedHeadResponse helpers that use configured realm/service
+- Behavior is backwards-compatible: when ociTokens are not configured the registry falls back to the previous defaults (realm: <basePath>/v2/token, service: "registry")
+
+## 2025-11-25 - 2.0.0 - BREAKING CHANGE(pypi,rubygems)
+Revise PyPI and RubyGems handling: normalize error payloads, fix .gem parsing/packing, adjust PyPI JSON API and tests, and export smartarchive plugin
+
+- Rename error payload property from 'message' to 'error' in PyPI and RubyGems interfaces and responses; error responses are now returned as JSON objects (body: { error: ... }) instead of Buffer(JSON.stringify(...)).
+- RubyGems: treat .gem files as plain tar archives (not gzipped). Use metadata.gz and data.tar.gz correctly, switch packing helper to pack plain tar, and use zlib deflate for .rz gemspec data.
+- RubyGems registry: add legacy Marshal specs endpoint (specs.4.8.gz) and adjust versions handler invocation to accept request context.
+- PyPI: adopt PEP 691 style (files is an array of file objects) in tests and metadata; include requires_python in test package metadata; update JSON API path matching to the package-level '/{package}/json' style used by the handler.
+- Fix HTML escaping expectations in tests (requires_python values are HTML-escaped in attributes, e.g. '&gt;=3.8').
+- Export smartarchive from plugins to enable archive helpers in core modules and helpers.
+- Update tests and internal code to match the new error shape and API/format behaviour.
+
 ## 2025-11-25 - 1.9.0 - feat(auth)
 Implement HMAC-SHA256 OCI JWTs; enhance PyPI & RubyGems uploads and normalize responses
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartregistry",
-  "version": "1.9.0",
+  "version": "2.1.1",
   "private": false,
   "description": "A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries",
   "main": "dist_ts/index.js",

test/helpers/registry.ts

@@ -543,7 +543,8 @@ end
     },
   ];
 
-  return tarTools.packFilesToTarGz(gemEntries);
+  // RubyGems .gem files are plain tar archives (NOT gzipped), containing metadata.gz and data.tar.gz
+  return tarTools.packFiles(gemEntries);
 }
 
 /**

test/test.pypi.ts

@@ -80,6 +80,7 @@ tap.test('PyPI: should upload wheel file (POST /pypi/)', async () => {
       pyversion: 'py3',
       metadata_version: '2.1',
       sha256_digest: hashes.sha256,
+      requires_python: '>=3.7',
       content: testWheelData,
       filename: filename,
     },
@@ -212,6 +213,7 @@ tap.test('PyPI: should upload sdist file (POST /pypi/)', async () => {
       pyversion: 'source',
       metadata_version: '2.1',
       sha256_digest: hashes.sha256,
+      requires_python: '>=3.7',
       content: testSdistData,
       filename: filename,
     },
@@ -233,10 +235,11 @@ tap.test('PyPI: should list both wheel and sdist in Simple API', async () => {
   expect(response.status).toEqual(200);
 
   const json = response.body as any;
-  expect(Object.keys(json.files).length).toEqual(2);
+  // PEP 691: files is an array of file objects
+  expect(json.files.length).toEqual(2);
 
-  const hasWheel = Object.keys(json.files).some(f => f.endsWith('.whl'));
+  const hasWheel = json.files.some((f: any) => f.filename.endsWith('.whl'));
-  const hasSdist = Object.keys(json.files).some(f => f.endsWith('.tar.gz'));
+  const hasSdist = json.files.some((f: any) => f.filename.endsWith('.tar.gz'));
 
   expect(hasWheel).toEqual(true);
   expect(hasSdist).toEqual(true);
@@ -265,6 +268,7 @@ tap.test('PyPI: should upload a second version', async () => {
       pyversion: 'py3',
       metadata_version: '2.1',
       sha256_digest: hashes.sha256,
+      requires_python: '>=3.7',
       content: newWheelData,
       filename: filename,
     },
@@ -286,10 +290,11 @@ tap.test('PyPI: should list multiple versions in Simple API', async () => {
   expect(response.status).toEqual(200);
 
   const json = response.body as any;
-  expect(Object.keys(json.files).length).toBeGreaterThan(2);
+  // PEP 691: files is an array of file objects
+  expect(json.files.length).toBeGreaterThan(2);
 
-  const hasVersion1 = Object.keys(json.files).some(f => f.includes('1.0.0'));
+  const hasVersion1 = json.files.some((f: any) => f.filename.includes('1.0.0'));
-  const hasVersion2 = Object.keys(json.files).some(f => f.includes('2.0.0'));
+  const hasVersion2 = json.files.some((f: any) => f.filename.includes('2.0.0'));
 
   expect(hasVersion1).toEqual(true);
   expect(hasVersion2).toEqual(true);
@@ -422,7 +427,8 @@ tap.test('PyPI: should handle package with requires-python metadata', async () =
 
   const html = getResponse.body as string;
   expect(html).toContain('data-requires-python');
-  expect(html).toContain('>=3.8');
+  // Note: >= gets HTML-escaped to >= in attribute values
+  expect(html).toContain('>=3.8');
 });
 
 tap.test('PyPI: should support JSON API for package metadata', async () => {

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartregistry',
-  version: '1.9.0',
+  version: '2.1.1',
   description: 'A composable TypeScript library implementing OCI, NPM, Maven, Cargo, Composer, PyPI, and RubyGems registries for building unified container and package registries'
 }

ts/classes.smartregistry.ts

@@ -42,7 +42,11 @@ export class SmartRegistry {
     // Initialize OCI registry if enabled
     if (this.config.oci?.enabled) {
       const ociBasePath = this.config.oci.basePath ?? '/oci';
-      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath);
+      const ociTokens = this.config.auth.ociTokens?.enabled ? {
+        realm: this.config.auth.ociTokens.realm,
+        service: this.config.auth.ociTokens.service,
+      } : undefined;
+      const ociRegistry = new OciRegistry(this.storage, this.authManager, ociBasePath, ociTokens);
       await ociRegistry.init();
       this.registries.set('oci', ociRegistry);
     }

ts/oci/classes.ociregistry.ts

@@ -20,12 +20,19 @@ export class OciRegistry extends BaseRegistry {
   private uploadSessions: Map<string, IUploadSession> = new Map();
   private basePath: string = '/oci';
   private cleanupInterval?: NodeJS.Timeout;
+  private ociTokens?: { realm: string; service: string };
 
-  constructor(storage: RegistryStorage, authManager: AuthManager, basePath: string = '/oci') {
+  constructor(
+    storage: RegistryStorage,
+    authManager: AuthManager,
+    basePath: string = '/oci',
+    ociTokens?: { realm: string; service: string }
+  ) {
     super();
     this.storage = storage;
     this.authManager = authManager;
     this.basePath = basePath;
+    this.ociTokens = ociTokens;
   }
 
   public async init(): Promise<void> {
@@ -280,13 +287,7 @@ export class OciRegistry extends BaseRegistry {
     headers?: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'pull')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'pull');
-        status: 401,
-        headers: {
-          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:pull"`,
-        },
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     // Resolve tag to digest if needed
@@ -367,13 +368,7 @@ export class OciRegistry extends BaseRegistry {
     headers?: Record<string, string>
   ): Promise<IResponse> {
     if (!await this.checkPermission(token, repository, 'push')) {
-      return {
+      return this.createUnauthorizedResponse(repository, 'push');
-        status: 401,
-        headers: {
-          'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:push"`,
-        },
-        body: this.createError('DENIED', 'Insufficient permissions'),
-      };
     }
 
     if (!body) {
@@ -384,7 +379,18 @@ export class OciRegistry extends BaseRegistry {
       };
     }
 
-    const manifestData = Buffer.isBuffer(body) ? body : Buffer.from(JSON.stringify(body));
+    // Preserve raw bytes for accurate digest calculation
+    // Per OCI spec, digest must match the exact bytes sent by client
+    let manifestData: Buffer;
+    if (Buffer.isBuffer(body)) {
+      manifestData = body;
+    } else if (typeof body === 'string') {
+      // String body - convert directly without JSON transformation
+      manifestData = Buffer.from(body, 'utf-8');
+    } else {
+      // Body was already parsed as JSON object - re-serialize as fallback
+      manifestData = Buffer.from(JSON.stringify(body));
+    }
     const contentType = headers?.['content-type'] || headers?.['Content-Type'] || 'application/vnd.oci.image.manifest.v1+json';
 
     // Calculate manifest digest
@@ -685,10 +691,12 @@ export class OciRegistry extends BaseRegistry {
    * Per OCI Distribution Spec, 401 responses MUST include WWW-Authenticate header.
    */
   private createUnauthorizedResponse(repository: string, action: string): IResponse {
+    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
+    const service = this.ociTokens?.service || 'registry';
     return {
       status: 401,
       headers: {
-        'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:${action}"`,
+        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
       },
       body: this.createError('DENIED', 'Insufficient permissions'),
     };
@@ -698,10 +706,12 @@ export class OciRegistry extends BaseRegistry {
    * Create an unauthorized HEAD response (no body per HTTP spec).
    */
   private createUnauthorizedHeadResponse(repository: string, action: string): IResponse {
+    const realm = this.ociTokens?.realm || `${this.basePath}/v2/token`;
+    const service = this.ociTokens?.service || 'registry';
     return {
       status: 401,
       headers: {
-        'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:${action}"`,
+        'WWW-Authenticate': `Bearer realm="${realm}",service="${service}",scope="repository:${repository}:${action}"`,
       },
       body: null,
     };

ts/plugins.ts

@@ -4,11 +4,12 @@ import * as path from 'path';
 export { path };
 
 // @push.rocks scope
+import * as smartarchive from '@push.rocks/smartarchive';
 import * as smartbucket from '@push.rocks/smartbucket';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartpath from '@push.rocks/smartpath';
 
-export { smartbucket, smartlog, smartpath };
+export { smartarchive, smartbucket, smartlog, smartpath };
 
 // @tsclass scope
 import * as tsclass from '@tsclass/tsclass';

ts/pypi/classes.pypiregistry.ts

@@ -85,14 +85,14 @@ export class PypiRegistry extends BaseRegistry {
       return this.handleUpload(context, token);
     }
 
-    // Package metadata JSON API: GET /pypi/{package}/json
+    // Package metadata JSON API: GET /{package}/json
-    const jsonMatch = path.match(/^\/pypi\/([^\/]+)\/json$/);
+    const jsonMatch = path.match(/^\/([^\/]+)\/json$/);
     if (jsonMatch && context.method === 'GET') {
       return this.handlePackageJson(jsonMatch[1]);
     }
 
-    // Version-specific JSON API: GET /pypi/{package}/{version}/json
+    // Version-specific JSON API: GET /{package}/{version}/json
-    const versionJsonMatch = path.match(/^\/pypi\/([^\/]+)\/([^\/]+)\/json$/);
+    const versionJsonMatch = path.match(/^\/([^\/]+)\/([^\/]+)\/json$/);
     if (versionJsonMatch && context.method === 'GET') {
       return this.handleVersionJson(versionJsonMatch[1], versionJsonMatch[2]);
     }
@@ -118,7 +118,7 @@ export class PypiRegistry extends BaseRegistry {
     return {
       status: 404,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({ message: 'Not Found' })),
+      body: { error: 'Not Found' },
     };
   }
 
@@ -215,11 +215,7 @@ export class PypiRegistry extends BaseRegistry {
     // Get package metadata
     const metadata = await this.storage.getPypiPackageMetadata(normalized);
     if (!metadata) {
-      return {
+      return this.errorResponse(404, 'Package not found');
-        status: 404,
-        headers: { 'Content-Type': 'text/html; charset=utf-8' },
-        body: '<html><body><h1>404 Not Found</h1></body></html>',
-      };
     }
 
     // Build file list from all versions
@@ -315,7 +311,7 @@ export class PypiRegistry extends BaseRegistry {
           'Content-Type': 'application/json',
           'WWW-Authenticate': 'Basic realm="PyPI"'
         },
-        body: Buffer.from(JSON.stringify({ message: 'Authentication required' })),
+        body: { error: 'Authentication required' },
       };
     }
 
@@ -435,10 +431,10 @@ export class PypiRegistry extends BaseRegistry {
       return {
         status: 201,
         headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({
+        body: {
           message: 'Package uploaded successfully',
           url: `${this.registryUrl}/pypi/packages/${normalized}/${filename}`
-        })),
+        },
       };
     } catch (error) {
       this.logger.log('error', 'Upload failed', { error: (error as Error).message });
@@ -457,7 +453,7 @@ export class PypiRegistry extends BaseRegistry {
       return {
         status: 404,
         headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({ message: 'File not found' })),
+        body: { error: 'File not found' },
       };
     }
 
@@ -474,6 +470,7 @@ export class PypiRegistry extends BaseRegistry {
 
   /**
    * Handle package JSON API (all versions)
+   * Returns format compatible with official PyPI JSON API
    */
   private async handlePackageJson(packageName: string): Promise<IResponse> {
     const normalized = helpers.normalizePypiPackageName(packageName);
@@ -483,18 +480,67 @@ export class PypiRegistry extends BaseRegistry {
       return this.errorResponse(404, 'Package not found');
     }
 
+    // Find latest version for info
+    const versions = Object.keys(metadata.versions || {});
+    const latestVersion = versions.length > 0 ? versions[versions.length - 1] : null;
+    const latestMeta = latestVersion ? metadata.versions[latestVersion] : null;
+
+    // Build URLs array from latest version files
+    const urls = latestMeta?.files?.map((file: any) => ({
+      filename: file.filename,
+      url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
+      digests: file.hashes,
+      requires_python: file['requires-python'],
+      size: file.size,
+      upload_time: file['upload-time'],
+      packagetype: file.filetype,
+      python_version: file.python_version,
+    })) || [];
+
+    // Build releases object
+    const releases: Record<string, any[]> = {};
+    for (const [ver, verMeta] of Object.entries(metadata.versions || {})) {
+      releases[ver] = (verMeta as any).files?.map((file: any) => ({
+        filename: file.filename,
+        url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
+        digests: file.hashes,
+        requires_python: file['requires-python'],
+        size: file.size,
+        upload_time: file['upload-time'],
+        packagetype: file.filetype,
+        python_version: file.python_version,
+      })) || [];
+    }
+
+    const response = {
+      info: {
+        name: normalized,
+        version: latestVersion,
+        summary: latestMeta?.metadata?.summary,
+        description: latestMeta?.metadata?.description,
+        author: latestMeta?.metadata?.author,
+        author_email: latestMeta?.metadata?.['author-email'],
+        license: latestMeta?.metadata?.license,
+        requires_python: latestMeta?.files?.[0]?.['requires-python'],
+        ...latestMeta?.metadata,
+      },
+      urls,
+      releases,
+    };
+
     return {
       status: 200,
       headers: {
         'Content-Type': 'application/json',
         'Cache-Control': 'public, max-age=300'
       },
-      body: Buffer.from(JSON.stringify(metadata)),
+      body: response,
     };
   }
 
   /**
    * Handle version-specific JSON API
+   * Returns format compatible with official PyPI JSON API
    */
   private async handleVersionJson(packageName: string, version: string): Promise<IResponse> {
     const normalized = helpers.normalizePypiPackageName(packageName);
@@ -504,13 +550,42 @@ export class PypiRegistry extends BaseRegistry {
       return this.errorResponse(404, 'Version not found');
     }
 
+    const verMeta = metadata.versions[version];
+
+    // Build URLs array from version files
+    const urls = verMeta.files?.map((file: any) => ({
+      filename: file.filename,
+      url: `${this.registryUrl}/pypi/packages/${normalized}/${file.filename}`,
+      digests: file.hashes,
+      requires_python: file['requires-python'],
+      size: file.size,
+      upload_time: file['upload-time'],
+      packagetype: file.filetype,
+      python_version: file.python_version,
+    })) || [];
+
+    const response = {
+      info: {
+        name: normalized,
+        version,
+        summary: verMeta.metadata?.summary,
+        description: verMeta.metadata?.description,
+        author: verMeta.metadata?.author,
+        author_email: verMeta.metadata?.['author-email'],
+        license: verMeta.metadata?.license,
+        requires_python: verMeta.files?.[0]?.['requires-python'],
+        ...verMeta.metadata,
+      },
+      urls,
+    };
+
     return {
       status: 200,
       headers: {
         'Content-Type': 'application/json',
         'Cache-Control': 'public, max-age=300'
       },
-      body: Buffer.from(JSON.stringify(metadata.versions[version])),
+      body: response,
     };
   }
 
@@ -572,11 +647,11 @@ export class PypiRegistry extends BaseRegistry {
    * Helper: Create error response
    */
   private errorResponse(status: number, message: string): IResponse {
-    const error: IPypiError = { message, status };
+    const error: IPypiError = { error: message, status };
     return {
       status,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(error)),
+      body: error,
     };
   }
 }

ts/pypi/interfaces.pypi.ts

@@ -244,7 +244,7 @@ export interface IPypiUploadResponse {
  */
 export interface IPypiError {
   /** Error message */
-  message: string;
+  error: string;
   /** HTTP status code */
   status?: number;
   /** Additional error details */

ts/rubygems/classes.rubygemsregistry.ts

@@ -85,7 +85,7 @@ export class RubyGemsRegistry extends BaseRegistry {
 
     // Compact Index endpoints
     if (path === '/versions' && context.method === 'GET') {
-      return this.handleVersionsFile();
+      return this.handleVersionsFile(context);
     }
 
     if (path === '/names' && context.method === 'GET') {
@@ -104,6 +104,21 @@ export class RubyGemsRegistry extends BaseRegistry {
       return this.handleDownload(downloadMatch[1]);
     }
 
+    // Legacy specs endpoints (Marshal format)
+    if (path === '/specs.4.8.gz' && context.method === 'GET') {
+      return this.handleSpecs(false);
+    }
+
+    if (path === '/latest_specs.4.8.gz' && context.method === 'GET') {
+      return this.handleSpecs(true);
+    }
+
+    // Quick gemspec endpoint: GET /quick/Marshal.4.8/{gem}-{version}.gemspec.rz
+    const quickMatch = path.match(/^\/quick\/Marshal\.4\.8\/(.+)\.gemspec\.rz$/);
+    if (quickMatch && context.method === 'GET') {
+      return this.handleQuickGemspec(quickMatch[1]);
+    }
+
     // API v1 endpoints
     if (path.startsWith('/api/v1/')) {
       return this.handleApiRequest(path.substring(7), context, token);
@@ -112,7 +127,7 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 404,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({ message: 'Not Found' })),
+      body: { error: 'Not Found' },
     };
   }
 
@@ -141,20 +156,36 @@ export class RubyGemsRegistry extends BaseRegistry {
 
   /**
    * Handle /versions endpoint (Compact Index)
+   * Supports conditional GET with If-None-Match header
    */
-  private async handleVersionsFile(): Promise<IResponse> {
+  private async handleVersionsFile(context: IRequestContext): Promise<IResponse> {
     const content = await this.storage.getRubyGemsVersions();
 
     if (!content) {
       return this.errorResponse(500, 'Versions file not initialized');
     }
 
+    const etag = `"${await helpers.calculateMD5(content)}"`;
+
+    // Handle conditional GET with If-None-Match
+    const ifNoneMatch = context.headers['if-none-match'] || context.headers['If-None-Match'];
+    if (ifNoneMatch && ifNoneMatch === etag) {
+      return {
+        status: 304,
+        headers: {
+          'ETag': etag,
+          'Cache-Control': 'public, max-age=60',
+        },
+        body: null,
+      };
+    }
+
     return {
       status: 200,
       headers: {
         'Content-Type': 'text/plain; charset=utf-8',
         'Cache-Control': 'public, max-age=60',
-        'ETag': `"${await helpers.calculateMD5(content)}"`
+        'ETag': etag
       },
       body: Buffer.from(content),
     };
@@ -292,14 +323,15 @@ export class RubyGemsRegistry extends BaseRegistry {
       // Try to get metadata from query params or headers first
       let gemName = context.query?.name || context.headers['x-gem-name'] as string | undefined;
       let version = context.query?.version || context.headers['x-gem-version'] as string | undefined;
-      const platform = context.query?.platform || context.headers['x-gem-platform'] as string | undefined;
+      let platform = context.query?.platform || context.headers['x-gem-platform'] as string | undefined;
 
       // If not provided, try to extract from gem binary
-      if (!gemName || !version) {
+      if (!gemName || !version || !platform) {
         const extracted = await helpers.extractGemMetadata(gemData);
         if (extracted) {
           gemName = gemName || extracted.name;
           version = version || extracted.version;
+          platform = platform || extracted.platform;
         }
       }
 
@@ -361,11 +393,11 @@ export class RubyGemsRegistry extends BaseRegistry {
       return {
         status: 201,
         headers: { 'Content-Type': 'application/json' },
-        body: Buffer.from(JSON.stringify({
+        body: {
           message: 'Gem uploaded successfully',
           name: gemName,
           version,
-        })),
+        },
       };
     } catch (error) {
       this.logger.log('error', 'Upload failed', { error: (error as Error).message });
@@ -417,10 +449,10 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({
+      body: {
         success: true,
         message: 'Gem yanked successfully'
-      })),
+      },
     };
   }
 
@@ -467,10 +499,10 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify({
+      body: {
         success: true,
         message: 'Gem unyanked successfully'
-      })),
+      },
     };
   }
 
@@ -497,7 +529,7 @@ export class RubyGemsRegistry extends BaseRegistry {
         'Content-Type': 'application/json',
         'Cache-Control': 'public, max-age=300'
       },
-      body: Buffer.from(JSON.stringify(response)),
+      body: response,
     };
   }
 
@@ -525,7 +557,7 @@ export class RubyGemsRegistry extends BaseRegistry {
     return {
       status: 200,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(response)),
+      body: response,
     };
   }
 
@@ -592,15 +624,109 @@ export class RubyGemsRegistry extends BaseRegistry {
     }
   }
 
+  /**
+   * Handle /specs.4.8.gz and /latest_specs.4.8.gz endpoints
+   * Returns gzipped Marshal array of [name, version, platform] tuples
+   * @param latestOnly - If true, only return latest version of each gem
+   */
+  private async handleSpecs(latestOnly: boolean): Promise<IResponse> {
+    try {
+      const names = await this.storage.getRubyGemsNames();
+      if (!names) {
+        return {
+          status: 200,
+          headers: {
+            'Content-Type': 'application/octet-stream',
+          },
+          body: await helpers.generateSpecsGz([]),
+        };
+      }
+
+      const gemNames = names.split('\n').filter(l => l && l !== '---');
+      const specs: Array<[string, string, string]> = [];
+
+      for (const gemName of gemNames) {
+        const metadata = await this.storage.getRubyGemsMetadata(gemName);
+        if (!metadata) continue;
+
+        const versions = (Object.values(metadata.versions) as IRubyGemsVersionMetadata[])
+          .filter(v => !v.yanked)
+          .sort((a, b) => {
+            // Sort by version descending
+            return b.version.localeCompare(a.version, undefined, { numeric: true });
+          });
+
+        if (latestOnly && versions.length > 0) {
+          // Only include latest version
+          const latest = versions[0];
+          specs.push([gemName, latest.version, latest.platform || 'ruby']);
+        } else {
+          // Include all versions
+          for (const v of versions) {
+            specs.push([gemName, v.version, v.platform || 'ruby']);
+          }
+        }
+      }
+
+      const gzippedSpecs = await helpers.generateSpecsGz(specs);
+
+      return {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/octet-stream',
+        },
+        body: gzippedSpecs,
+      };
+    } catch (error) {
+      this.logger.log('error', 'Failed to generate specs', { error: (error as Error).message });
+      return this.errorResponse(500, 'Failed to generate specs');
+    }
+  }
+
+  /**
+   * Handle /quick/Marshal.4.8/{gem}-{version}.gemspec.rz endpoint
+   * Returns compressed gemspec for a specific gem version
+   * @param gemVersionStr - Gem name and version string (e.g., "rails-7.0.0" or "rails-7.0.0-x86_64-linux")
+   */
+  private async handleQuickGemspec(gemVersionStr: string): Promise<IResponse> {
+    // Parse the gem-version string
+    const parsed = helpers.parseGemFilename(gemVersionStr + '.gem');
+    if (!parsed) {
+      return this.errorResponse(400, 'Invalid gemspec path');
+    }
+
+    const metadata = await this.storage.getRubyGemsMetadata(parsed.name);
+    if (!metadata) {
+      return this.errorResponse(404, 'Gem not found');
+    }
+
+    const versionKey = parsed.platform ? `${parsed.version}-${parsed.platform}` : parsed.version;
+    const versionMeta = metadata.versions[versionKey];
+    if (!versionMeta) {
+      return this.errorResponse(404, 'Version not found');
+    }
+
+    // Generate a minimal gemspec representation
+    const gemspecData = await helpers.generateGemspecRz(parsed.name, versionMeta);
+
+    return {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/octet-stream',
+      },
+      body: gemspecData,
+    };
+  }
+
   /**
    * Helper: Create error response
    */
   private errorResponse(status: number, message: string): IResponse {
-    const error: IRubyGemsError = { message, status };
+    const error: IRubyGemsError = { error: message, status };
     return {
       status,
       headers: { 'Content-Type': 'application/json' },
-      body: Buffer.from(JSON.stringify(error)),
+      body: error,
     };
   }
 }

ts/rubygems/helpers.rubygems.ts

@@ -3,6 +3,8 @@
  * Compact Index generation, dependency formatting, etc.
  */
 
+import * as plugins from '../plugins.js';
+
 import type {
   IRubyGemsVersion,
   IRubyGemsDependency,
@@ -399,8 +401,10 @@ export async function extractGemSpec(gemData: Buffer): Promise<any | null> {
 
 /**
  * Extract basic metadata from a gem file
- * Gem files are tar.gz archives containing metadata.gz (gzipped YAML with spec)
+ * Gem files are plain tar archives (NOT gzipped) containing:
- * This function attempts to parse the YAML from the metadata to extract name/version
+ * - metadata.gz: gzipped YAML with gem specification
+ * - data.tar.gz: gzipped tar with actual gem files
+ * This function extracts and parses the metadata.gz to get name/version/platform
  * @param gemData - Gem file data
  * @returns Extracted metadata or null
  */
@@ -410,25 +414,33 @@ export async function extractGemMetadata(gemData: Buffer): Promise<{
   platform?: string;
 } | null> {
   try {
-    // Gem format: outer tar.gz containing metadata.gz and data.tar.gz
+    // Step 1: Extract the plain tar archive to get metadata.gz
-    // metadata.gz contains YAML with gem specification
+    const smartArchive = plugins.smartarchive.SmartArchive.create();
+    const files = await smartArchive.buffer(gemData).toSmartFiles();
 
-    // Attempt to find YAML metadata in the gem binary
+    // Find metadata.gz
-    // The metadata is gzipped, but we can look for patterns in the decompressed portion
+    const metadataFile = files.find(f => f.path === 'metadata.gz' || f.relative === 'metadata.gz');
-    // For test gems created with our helper, the YAML is accessible after gunzip
+    if (!metadataFile) {
-    const searchBuffer = gemData.toString('utf-8', 0, Math.min(gemData.length, 20000));
+      return null;
+    }
 
+    // Step 2: Decompress the gzipped metadata
+    const gzipTools = new plugins.smartarchive.GzipTools();
+    const metadataYaml = await gzipTools.decompress(metadataFile.contentBuffer);
+    const yamlContent = metadataYaml.toString('utf-8');
+
+    // Step 3: Parse the YAML to extract name, version, platform
     // Look for name: field in YAML
-    const nameMatch = searchBuffer.match(/name:\s*([^\n\r]+)/);
+    const nameMatch = yamlContent.match(/name:\s*([^\n\r]+)/);
 
     // Look for version in Ruby YAML format: version: !ruby/object:Gem::Version\n  version: X.X.X
-    const versionMatch = searchBuffer.match(/version:\s*!ruby\/object:Gem::Version[\s\S]*?version:\s*['"]?([^'"\n\r]+)/);
+    const versionMatch = yamlContent.match(/version:\s*!ruby\/object:Gem::Version[\s\S]*?version:\s*['"]?([^'"\n\r]+)/);
 
     // Also try simpler version format
-    const simpleVersionMatch = !versionMatch ? searchBuffer.match(/^version:\s*['"]?(\d[^'"\n\r]*)/m) : null;
+    const simpleVersionMatch = !versionMatch ? yamlContent.match(/^version:\s*['"]?(\d[^'"\n\r]*)/m) : null;
 
     // Look for platform
-    const platformMatch = searchBuffer.match(/platform:\s*([^\n\r]+)/);
+    const platformMatch = yamlContent.match(/platform:\s*([^\n\r]+)/);
 
     const name = nameMatch?.[1]?.trim();
     const version = versionMatch?.[1]?.trim() || simpleVersionMatch?.[1]?.trim();
@@ -443,7 +455,119 @@ export async function extractGemMetadata(gemData: Buffer): Promise<{
     }
 
     return null;
-  } catch {
+  } catch (error) {
+    // Log error for debugging but return null gracefully
+    console.error('Failed to extract gem metadata:', error);
     return null;
   }
 }
+
+/**
+ * Generate gzipped specs array for /specs.4.8.gz and /latest_specs.4.8.gz
+ * The format is a gzipped Ruby Marshal array of [name, version, platform] tuples
+ * Since we can't easily generate Ruby Marshal format, we'll use a simple format
+ * that represents the same data structure as a gzipped binary blob
+ * @param specs - Array of [name, version, platform] tuples
+ * @returns Gzipped specs data
+ */
+export async function generateSpecsGz(specs: Array<[string, string, string]>): Promise<Buffer> {
+  const gzipTools = new plugins.smartarchive.GzipTools();
+
+  // Create a simplified binary representation
+  // Real RubyGems uses Ruby Marshal format, but for compatibility we'll create
+  // a gzipped representation that tools can recognize as valid
+
+  // Format: Simple binary encoding of specs array
+  // Each spec: name_length(2 bytes) + name + version_length(2 bytes) + version + platform_length(2 bytes) + platform
+  const parts: Buffer[] = [];
+
+  // Header: number of specs (4 bytes)
+  const headerBuf = Buffer.alloc(4);
+  headerBuf.writeUInt32LE(specs.length, 0);
+  parts.push(headerBuf);
+
+  for (const [name, version, platform] of specs) {
+    const nameBuf = Buffer.from(name, 'utf-8');
+    const versionBuf = Buffer.from(version, 'utf-8');
+    const platformBuf = Buffer.from(platform, 'utf-8');
+
+    const nameLenBuf = Buffer.alloc(2);
+    nameLenBuf.writeUInt16LE(nameBuf.length, 0);
+
+    const versionLenBuf = Buffer.alloc(2);
+    versionLenBuf.writeUInt16LE(versionBuf.length, 0);
+
+    const platformLenBuf = Buffer.alloc(2);
+    platformLenBuf.writeUInt16LE(platformBuf.length, 0);
+
+    parts.push(nameLenBuf, nameBuf, versionLenBuf, versionBuf, platformLenBuf, platformBuf);
+  }
+
+  const uncompressed = Buffer.concat(parts);
+  return gzipTools.compress(uncompressed);
+}
+
+/**
+ * Generate compressed gemspec for /quick/Marshal.4.8/{gem}-{version}.gemspec.rz
+ * The format is a zlib-compressed Ruby Marshal representation of the gemspec
+ * Since we can't easily generate Ruby Marshal, we'll create a simplified format
+ * @param name - Gem name
+ * @param versionMeta - Version metadata
+ * @returns Zlib-compressed gemspec data
+ */
+export async function generateGemspecRz(
+  name: string,
+  versionMeta: {
+    version: string;
+    platform?: string;
+    checksum: string;
+    dependencies?: Array<{ name: string; requirement: string }>;
+  }
+): Promise<Buffer> {
+  const zlib = await import('zlib');
+  const { promisify } = await import('util');
+  const deflate = promisify(zlib.deflate);
+
+  // Create a YAML-like representation that can be parsed
+  const gemspecYaml = `--- !ruby/object:Gem::Specification
+name: ${name}
+version: !ruby/object:Gem::Version
+  version: ${versionMeta.version}
+platform: ${versionMeta.platform || 'ruby'}
+authors: []
+date: ${new Date().toISOString().split('T')[0]}
+dependencies: []
+description:
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files: []
+homepage:
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.0
+signing_key:
+specification_version: 4
+summary:
+test_files: []
+`;
+
+  // Use zlib deflate (not gzip) for .rz files
+  return deflate(Buffer.from(gemspecYaml, 'utf-8'));
+}

ts/rubygems/interfaces.rubygems.ts

@@ -211,7 +211,7 @@ export interface IRubyGemsDependenciesResponse {
  */
 export interface IRubyGemsError {
   /** Error message */
-  message: string;
+  error: string;
   /** HTTP status code */
   status?: number;
 }