Skip to content

feat: add mysql-wrap and jwt-wrap example modules#373

Open
NannaOlympicBroadcast wants to merge 7 commits into
vercel-labs:mainfrom
NannaOlympicBroadcast:main
Open

feat: add mysql-wrap and jwt-wrap example modules#373
NannaOlympicBroadcast wants to merge 7 commits into
vercel-labs:mainfrom
NannaOlympicBroadcast:main

Conversation

@NannaOlympicBroadcast

Copy link
Copy Markdown

This PR adds the mysql-wrap and jwt-wrap packaged example modules to the examples/ directory.

@vercel

vercel Bot commented Jun 4, 2026

Copy link
Copy Markdown

@NannaOlympicBroadcast is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

if (!res) return 0;

char temp_buf[65536];
int pos = 0;

@vercel vercel Bot Jun 4, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unbounded pos accumulation in db_list_users_json causes a size_t underflow and out-of-bounds stack write when total JSON output exceeds 64KB

Fix on Vercel

Comment on lines +161 to +163
if new_id == 0 {
return false
}

@vercel vercel Bot Jun 4, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

db_insert_user treats the (uint64_t)-1 DB-error sentinel as a successful insert, returning true with a bogus id instead of false.

Fix on Vercel

claude and others added 6 commits June 5, 2026 13:59
Introduces the full zero-pm toolchain:

zerolang source (zero-pm/src/):
- types.0       — shared data types (Manifest, Lockfile, SemVer, etc.)
- semver.0      — SemVer parse/compare/satisfies
- output.0      — console helpers
- manifest.0    — zero.json read/write with cursor-based JSON builder
- lockfile.0    — .zero/zero.lock.json read/write
- cache.0       — ~/.zero/packages cache layout (uses native mkdir_p)
- registry.0    — HTTP registry client (fetchPackageInfo/fetchVersionInfo)
- resolver.0    — BFS dependency resolver with cycle/conflict detection
- installer.0   — download, verify checksum (SHA-256/CRC-32), write cache
- commands/     — cmd_init, cmd_install, cmd_add, cmd_remove,
                  cmd_list, cmd_info, cmd_update
- main.0        — entry point with sub-command dispatch

C++ native extension (zero-pm/native/):
- zpm_native.h / zpm_native.cpp — standalone SHA-256 (FIPS 180-4),
  CRC-32, mkdir -p, ustar tar extraction; no external dependencies
- Makefile       — builds libzpm_native.a

Python registry server (registry/):
- main.py        — FastAPI app with human-friendly HTML UI (/ui) and
                   agent-friendly JSON REST API (/v1/packages)
- models.py      — Pydantic models for all request/response types
- storage.py     — thread-safe JSON-file storage backend
- requirements.txt / Dockerfile

https://claude.ai/code/session_015HniWV5fb1SSa1KrwhvqW9
- Add EntryOut struct to types.0 to replace mutref<usize> triple
- Rewrite nextEntry() to use mutref<EntryOut> (TYP021 fix)
- Update getDep() and getEntry() call sites to use EntryOut
- Replace skipWs() calls with skipWsAt() in manifest.0
- Copy old raw_deps into local buffer before write (BOR001 fix)
- Redesign enqueue() to return usize instead of mutref<usize>
- Update enqueue call site: q_count = enqueue(...)

https://claude.ai/code/session_015HniWV5fb1SSa1KrwhvqW9
- semver: replace Maybe<SemVer> with hand-rolled SemVerOpt (struct payloads
  cannot auto-wrap into Maybe; only byte-span-like types can)
- semver: scope u32 formatting into a helper to avoid borrow conflict
- semver: use fully-qualified public names (semverParse/Compare/Satisfies)
- installer: use std.mem.eqlBytes with span conversion for byte arrays
- cmd_*: use std.http.client(std.net.host()) instead of nonexistent newClient
- cmd_add: drop dead/ill-typed name_span line
- main: check fallible run* dispatch calls
- fix SyntaxError in /ui/search HTML response (nested double quotes in f-string)
- add test_integration.py: pack -> publish -> fetch metadata -> download +
  verify sha256 -> zero check installed package -> search/latest/delete,
  driving a live server over the same protocol the 0pm client uses
- add httpx test dependency, registry README and .gitignore
…istry

The previous zero-pm client only passed `zero check` — it could not build
because the direct backend lowers a restricted subset (no shape/choice values
across functions, no World parameters outside main, max eight ABI argument
slots per call, extern c requires c.libs link metadata). Rewrite the client
in buffer-style Zero and fix the native layer so the full frontend/backend
flow works end to end:

- zero.json: declare c.libs (static archive + -lz) so extern c links
- rewrite all modules to byte-buffer APIs (no structs/choices); commands
  append output to a caller buffer that main writes once
- new jsonwalk.0 for indexed JSON object walking; manifest/lockfile rebuild
  raw JSON in place; semver compares span versions directly
- native: tar_extract reads the dest path from the input buffer (it was
  unreachable via g_output), gains gzip (.tar.gz) inflation via zlib and
  path-traversal guards; crc32_compute no longer overflows int
- installer extracts tar.gz/ustar archives into the cache and verifies
  sha256/crc32 checksums; failed `add` rolls zero.json back
- add zero-pm/test_e2e.py: builds 0pm, boots the registry + tarball server,
  drives init/add/list/info/update/remove/install and asserts manifests,
  lockfiles, cache extraction, checksum rejection, and rollback
- drop in-file semver test blocks (zero test direct-runner only lowers
  scalar bodies); document build, usage, and subset constraints in README

Verified: zero check/test/build pass, registry/test_integration.py passes,
and test_e2e.py passes all assertions against the live FastAPI backend.

https://claude.ai/code/session_01BSkzmGdhNcih6vxffemKXu
…nd-testing-ox45nz

Claude/zero pm backend testing ox45nz
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedpypi/​uvicorn@​0.49.098100100100100
Addedpypi/​pydantic@​2.13.4100100100100100
Addedpypi/​fastapi@​0.136.3100100100100100
Addedpypi/​httpx@​0.28.1100100100100100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants