feat: CDN module imports with SHA-384 integrity verification (CPL-206)#268
Merged
The self-hosted runner doesn't have npm in PATH, causing cloudflare/wrangler-action@v3 to fail when trying to install wrangler. Add actions/setup-node@v4 with Node 20 before the deploy step, matching the pattern used by other workflows in this repo. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ains (#261)
- api.dev.litprotocol.com → api.chipotle.litprotocol.com
- dashboard.dev.litprotocol.com → dashboard.chipotle.litprotocol.com
- docs.dev.litprotocol.com → developer.litprotocol.com
- Fix broken swagger-ui path (/swagger-ui/ → /core/v1/swagger-ui)
- Remove broken Support navbar link
- Fix broken SDK link in encryption migration doc
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: migrate README URLs from dev.litprotocol.com to new domains
  Same migration as the docs/ directory (PR #261):
  - api.dev.litprotocol.com → api.chipotle.litprotocol.com
  - dashboard.dev.litprotocol.com → dashboard.chipotle.litprotocol.com
  - docs.dev.litprotocol.com → developer.litprotocol.com
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: update "dev API" to "API" in README quickstart
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add usage API key step to README quickstart
  Adds step 2 showing how to create a scoped usage API key before using the API, reinforcing the best practice of not embedding the account key in apps. Renumbers subsequent steps.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: reorder quickstart — add funds before usage API key
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace localhost:8000 and api.dev.litprotocol.com references in curl examples across MDX docs with https://api.chipotle.litprotocol.com. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Replace NoopModuleLoader with CdnModuleLoader that allows ES module imports only from cdn.jsdelivr.net. Modules are verified against an integrity.lock manifest using SHA-384 hashes with constant-time comparison. New modules use trust-on-first-use (TOFU): double-fetch from CDN, compare hashes, and auto-pin to the lockfile on match. All events are logged with structured fields for auditability. Includes: shared reqwest client with timeouts, redirect blocking, 10MB response size limit, in-memory module cache, and CLI args for lockfile path and strict mode. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add docs/lit-actions/imports.mdx with full CDN module import guide
- Update docs/lit-actions/index.mdx to link imports page
- Update docs/docs.json to register new imports page in nav
- Add press release for 2026-04-03 CDN imports launch
- Extend cdn_module_loader.rs with three-way SRI verification via CDN header
…nning (CPL-206) Developers can now write short npm specifiers (zod@3.22.4/+esm) instead of full URLs. The resolver constructs the jsDelivr URL automatically. Adds inline integrity verification via #sha384-<hash> fragment on import specifiers. The hash is stripped before fetching and verified locally. TOFU flow: new modules are double-fetched with three-way verification (first fetch, second fetch, CDN SRI header) and auto-pinned to the integrity lockfile.
…ine hashes (CPL-206)
Pull request overview
This PR adds support for importing third-party ES modules from jsDelivr inside the Lit Actions runtime by replacing the prior no-op module loader with a CDN-aware loader that verifies SHA-384 integrity (lockfile and inline hashes), optionally supports TOFU pinning, and documents the feature for developers.
Changes:
- Introduces `CdnModuleLoader` (`DenoModuleLoader`) with jsDelivr/npm-specifier resolution, integrity verification, caching, and TOFU pinning to `integrity.lock`.
- Wires the loader/config through the Lit Actions server runtime and CLI flags/env vars.
- Adds new documentation (guide + nav updates) and a press release.
Reviewed changes
Copilot reviewed 11 out of 13 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| lit-actions/server/server.rs | Threads integrity manifest / strict mode / cache / lockfile path through server execution flow and start_server. |
| lit-actions/server/runtime.rs | Installs CdnModuleLoader as the Deno module loader and passes loader config into worker construction. |
| lit-actions/server/lib.rs | Exposes the new cdn_module_loader module publicly. |
| lit-actions/server/cdn_module_loader.rs | New CDN module loader implementation with integrity checks, TOFU, caching, and unit tests. |
| lit-actions/server/Cargo.toml | Adds dependencies needed for hashing, base64, futures, and HTTP fetching (reqwest). |
| lit-actions/integrity.lock | Adds initial lockfile format and instructions for generating hashes. |
| lit-actions/cli/main.rs | Adds CLI flags/env vars to load the integrity manifest and configure strict imports / lockfile path. |
| lit-actions/cli/Cargo.toml | Enables clap env feature for env-backed flags. |
| lit-actions/Cargo.lock | Locks new transitive dependencies (reqwest 0.12, base64, etc.). |
| docs/press_releases/2026-04-03.md | Announces the feature publicly with examples and security model. |
| docs/lit-actions/index.mdx | Adds “Module Imports” to Lit Actions next steps. |
| docs/lit-actions/imports.mdx | New end-user guide describing syntax, integrity model, TOFU, and limits. |
| docs/docs.json | Adds the new docs page to navigation. |
…206) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Resolve relative imports (./dep.js) against jsDelivr referrer URLs
- Stream response body with hard size cap to prevent OOM (both fetches)
- TOFU second fetch now has identical redirect/status/size protections
- Replace unwrap() with proper error propagation in ModuleSpecifier::parse
- Share reqwest::Client across all worker instances (connection pooling)
- Bound module cache at 100MB total
- Fix CLI help text to clarify strict+lockfile TOFU behavior
- Replace expect() with anyhow error on lockfile read
- Fix docs: module fetches don't count toward JS fetch() limit
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rrows, too_many_arguments (CPL-206) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Replaces `NoopModuleLoader` with a custom `CdnModuleLoader` that enables ES module imports from jsDelivr inside Lit Actions. Developers can now use third-party npm packages directly in their action code.

Core implementation:
- `ModuleLoader` that resolves npm specifiers (`zod@3.22.4/+esm`) to jsDelivr URLs
- `integrity.lock` manifest with constant-time hash comparison
- `#sha384-<hash>` fragment on import specifiers
- `reqwest::Client` with 30s timeout, redirect blocking, and 10MB response size limit

Security hardening (from /review):
Documentation:
- `docs/lit-actions/imports.mdx` with import syntax, examples, compatibility guide, and security model
- `docs/press_releases/2026-04-03.md`

Pre-Landing Review
No issues found. All findings from the earlier /review pass (redirect blocking, size limits, constant-time comparison, shared client, caching) have been implemented.
Scope Drift
Scope Check: CLEAN
Intent: CDN module imports with integrity verification (CPL-206)
Delivered: CdnModuleLoader with TOFU, inline hashes, npm specifier resolution, docs, and press release
Test plan
- `cargo check -p lit-actions-server -p lit_actions` passes

🤖 Generated with Claude Code