Class: RosettAi::Content::PackInstaller

Inherits:

Object

• Object
• RosettAi::Content::PackInstaller

Defined in:

lib/rosett_ai/content/pack_installer.rb

Overview

Verifies Ed25519 signatures and extracts content pack tarballs.

Security:

• Signature verified BEFORE extraction
• Path traversal entries (../) rejected
• Atomic install: extract to temp dir, validate manifest, then move
• Uses same PUBLIC_KEY_HEX as LicenseKey for verification

Constant Summary

SAFE_DIR_MODE =

0o700

Instance Method Summary

• #install(tarball_bytes, signature_bytes, pack_name) ⇒ PackManifest

  Verifies signature and installs a content pack atomically.

Instance Method Details

#install(tarball_bytes, signature_bytes, pack_name) ⇒ PackManifest

Verifies signature and installs a content pack atomically.

Parameters:

• tarball_bytes (String) —

  raw .tar.gz bytes

• signature_bytes (String) —

  Ed25519 signature bytes

• pack_name (String) —

  target pack directory name

Returns:

• (PackManifest) —

  manifest from the installed pack

Raises:

• (RosettAi::ContentError) —

  if signature is invalid or manifest is missing

# File 'lib/rosett_ai/content/pack_installer.rb', line 31

def install(tarball_bytes, signature_bytes, pack_name)
  verify_signature!(tarball_bytes, signature_bytes)

  temp_dir = Dir.mktmpdir('rosett-ai-pack-')
  extract_tarball(tarball_bytes, temp_dir)
  manifest = validate_extracted_manifest(temp_dir)
  move_to_final(temp_dir, pack_name)
  manifest
rescue StandardError
  FileUtils.rm_rf(temp_dir) if temp_dir && Dir.exist?(temp_dir)
  raise
end