Merge branch 'main' into dependabot/npm_and_yarn/web-app/braces-3.0.3

.github/workflows/build.yaml

@@ -46,42 +46,15 @@ jobs:
       - run: npm pack
       - uses: actions/upload-artifact@v4
         with:
-          name: opentdf-client-lib
-          path: ./lib/opentdf-client-*.tgz
+          name: opentdf-sdk-lib
+          path: ./lib/opentdf-sdk-*.tgz
       - name: SonarCloud Scan
         if: fromJSON(env.do_sonarscan)
         uses: SonarSource/sonarcloud-github-action@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  remote-store:
-    needs:
-      - lib
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./remote-store
-    timeout-minutes: 5
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'npm'
-          cache-dependency-path: './remote-store/package-lock.json'
-      - uses: actions/download-artifact@v4
-        with:
-          name: opentdf-client-lib
-          path: lib/
-      - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz
-      - run: npm install
-      - run: npm test
-      - run: npm audit
-      - run: npm run license-check
-      - run: npm run lint
-      - run: npm pack
-
   cli:
     needs:
       - lib
@@ -99,23 +72,21 @@ jobs:
           cache-dependency-path: './cli/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
-      - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz
+      - run: npm uninstall @opentdf/sdk && npm ci && npm i ../lib/opentdf-sdk-*.tgz
       - run: npm test
       - run: npm audit --omit dev && npm audit --audit-level high --omit dev
       - run: npm run license-check
       - run: npm run lint
       - run: npm pack
-      - name: Setup BATS
-        uses: mig4/setup-bats@v1
-        with:
-          bats-version: 1.2.1
+      - name: Setup Bats and bats libs
+        uses: bats-core/[email protected]
       - run: bats bin/opentdf.bats
       - uses: actions/upload-artifact@v4
         with:
-          name: opentdf-cli
-          path: ./cli/opentdf-cli-*.tgz
+          name: opentdf-ctl
+          path: ./cli/opentdf-ctl-*.tgz
 
   web-app:
     needs:
@@ -134,14 +105,15 @@ jobs:
           cache-dependency-path: './web-app/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
-      - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz
+      - run: npm uninstall @opentdf/sdk && npm ci && npm i ../lib/opentdf-sdk-*.tgz
       - run: npm install
-      - run: npm test
       - run: npm audit --omit dev && npm audit --audit-level high --omit dev
       - run: npm run license-check
       - run: npm run lint
+      - run: npx playwright install
+      - run: npm test
       - run: npm pack
 
   scripts:
@@ -178,11 +150,11 @@ jobs:
           cache-dependency-path: './web-app/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-cli
+          name: opentdf-ctl
           path: cli/
       - uses: yokawasa/[email protected]
         with:
@@ -231,19 +203,18 @@ jobs:
           cache-dependency-path: './web-app/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-cli
+          name: opentdf-ctl
           path: cli/
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
           go-version: '1.22'
       - name: Git clone backend
         run: |
-          git clone --single-branch --branch PLAT-3082-nanotdf-encrypt --depth 1 https://github.com/opentdf/platform.git \
-            || git clone --depth 1 https://github.com/opentdf/platform.git
+          git clone --depth 1 https://github.com/opentdf/platform.git
           go work init
           for x in platform/{protocol/go,lib/{fixtures,ocrypto},sdk,service}; do go work use "$x"; done
       - run: docker compose up -d --wait --wait-timeout 240
@@ -252,14 +223,23 @@ jobs:
         run: |-
           ./wait-and-test.sh platform
 
+  platform-xtest:
+    needs:
+      - cli
+      - lib
+    uses: opentdf/tests/.github/workflows/xtest.yml@main
+    with:
+      js-ref: ${{ github.ref }}
+
   deliver-ghp:
     needs:
       - lib
       - cli
       - web-app
       - scripts
-      - backend-roundtrip
       - platform-roundtrip
+      - platform-xtest
+      # - backend-roundtrip
     runs-on: ubuntu-latest
     timeout-minutes: 5
     # To publish from a release or feature branch, remove the ref == condition below
@@ -282,7 +262,7 @@ jobs:
         run: |-
           if [[ ${{ github.ref }} = refs/heads/release/* ]]; then
             scripts/check-version-is.sh "${GITHUB_REF##*release/}"
-          elif [[ ${{ github.ref }} = refs/tags/v* ]]; then
+          elif [[ ${{ github.ref }} = refs/tags/sdk/v* ]]; then
             scripts/check-version-is.sh "${GITHUB_REF_NAME#v}"
           else
             scripts/check-version-is.sh
@@ -296,7 +276,7 @@ jobs:
       - run: make doc
       - run: >-
           echo "::notice file=lib/package.json::Will be published to
-          [GitHub Packages](https://github.com/opentdf/client-web/pkgs/npm/client)
+          [GitHub Packages](https://github.com/opentdf/web-sdk/pkgs/npm/client)
           as ${{ steps.guess-build-metadata.outputs.DIST_TAG }}
           with version=[${{ steps.guess-build-metadata.outputs.FULL_VERSION }}]"
       - run: >-
@@ -305,8 +285,8 @@ jobs:
           "${{ steps.guess-build-metadata.outputs.DIST_TAG }}"
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - run: echo "- [Client Library](https://github.com/opentdf/client-web/pkgs/npm/client)">>$GITHUB_STEP_SUMMARY
-      - run: echo "- [Command Line Tool](https://github.com/opentdf/client-web/pkgs/npm/cli)">>$GITHUB_STEP_SUMMARY
+      - run: echo "- [Client Library](https://github.com/opentdf/web-sdk/pkgs/npm/client)">>$GITHUB_STEP_SUMMARY
+      - run: echo "- [Command Line Tool](https://github.com/opentdf/web-sdk/pkgs/npm/cli)">>$GITHUB_STEP_SUMMARY
       - name: trigger xtest
         run: >-
           curl -XPOST -u "virtru-cloudnative:${{secrets.PERSONAL_ACCESS_TOKEN}}"
@@ -330,7 +310,7 @@ jobs:
     if: >-
       (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
       (github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/')) ||
-      (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/'))
+      (github.event_name == 'release' && startsWith(github.ref, 'refs/tags/sdk/v'))
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -345,10 +325,8 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: >-
-          echo "- [Client Library](https://www.npmjs.com/package/@opentdf/client/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY
-      - run: >-
-          echo "- [Remote Store](https://www.npmjs.com/package/@opentdf/remote-store/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY
+          echo "- [Client Library](https://www.npmjs.com/package/@opentdf/sdk/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY
       - run: >-
-          echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/cli/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY
+          echo "- [Command Line Tool](https://www.npmjs.com/package/@opentdf/ctl/v/${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY
       - run: >-
-          echo "- [unpkg](https://unpkg.com/browse/@opentdf/client@${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY
+          echo "- [unpkg](https://unpkg.com/browse/@opentdf/sdk@${{ needs.deliver-ghp.outputs.FULL_VERSION }})">>$GITHUB_STEP_SUMMARY

.github/workflows/codeql.yaml

@@ -0,0 +1,42 @@
+name: "CodeQL"
+
+on:
+  schedule:
+    - cron: '0 13 * * 1' # At 1:00 PM UTC every Monday
+  pull_request:
+    paths:
+      - '.github/workflows/codeql.yaml'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize the CodeQL tools for scanning
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+      timeout-minutes: 5
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+      timeout-minutes: 10
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
+      timeout-minutes: 10

.github/workflows/format.yaml

@@ -20,10 +20,10 @@ jobs:
       - run: git diff-files --ignore-submodules
       - name: Check that files have been formatted before PR submission
         run: git diff-files --quiet --ignore-submodules
-        if: ${{ github.event.pull_request.head.repo.full_name != 'opentdf/client-web' }}
+        if: ${{ github.event.pull_request.head.repo.full_name != 'opentdf/web-sdk' }}
       - name: Commit changes
         id: auto-commit
-        if: ${{ github.event.pull_request.head.repo.full_name == 'opentdf/client-web' }}
+        if: ${{ github.event.pull_request.head.repo.full_name == 'opentdf/web-sdk' }}
         uses: stefanzweifel/git-auto-commit-action@v5
         with:
           commit_message: |-

.github/workflows/gh-semver.bats

@@ -20,8 +20,8 @@
 }
 
 
-@test "all tags go to release" {
-  export GITHUB_REF=refs/tags/v12
+@test "sdk/v prefixed tags go to release" {
+  export GITHUB_REF=refs/tags/sdk/v12
   export MMP_VER=0.0.1
   export GITHUB_RUN_NUMBER=1234
   run $BATS_TEST_DIRNAME/gh-semver.sh

.github/workflows/gh-semver.sh

@@ -29,7 +29,7 @@
 # Tags go to release:
 # ```
 #    package.version = 1.2.3
-#    tag = v1.2.3
+#    tag = sdk/v1.2.3
 #    workflow run = 256
 #    git SHA = decaf
 #    ----

.github/workflows/guess-dist-tag.bats

@@ -29,7 +29,7 @@
 }
 
 @test "all tags go to release" {
-  export GITHUB_REF=refs/tags/v12
+  export GITHUB_REF=refs/tags/sdk/v12
   run $BATS_TEST_DIRNAME/guess-dist-tag.sh
   echo output=[$output]
   [[ $output == "latest" ]]

.github/workflows/guess-dist-tag.sh

@@ -1,8 +1,12 @@
 #!/usr/bin/env bash
-# Guess the desired NPM 'dist' tag based on current git ref
-# Release = latest
-# Release candidate = rc
-# Beta = beta
+# Guess the desired NPM distribution tag based on current git ref.
+# For more info, see: https://docs.npmjs.com/adding-dist-tags-to-packages
+# Releases are tagged with `latest`, on tags like `sdk/v1.2.3`
+# Release candidates are tagged `rc`, from branches prefixed with `release/`
+# Betas are the main branch.
+# Alphas can be manually built from feature branches.
+# Aleph is the fallback for unknown branch and tag patterns.
+# Notably, our dist-tags sort lexicographically from least to most stable.
 
 set -euo pipefail
 
@@ -19,7 +23,7 @@ case "${GITHUB_REF}" in
   refs/heads/feature*)
     NPM_DIST_TAG=alpha
     ;;
-  refs/tags/v*)
+  refs/tags/sdk/v*)
     NPM_DIST_TAG=latest
     ;;
 esac

.github/workflows/large-tests.yaml

@@ -29,8 +29,8 @@ jobs:
       - run: npm pack
       - uses: actions/upload-artifact@v4
         with:
-          name: opentdf-client-lib
-          path: ./lib/opentdf-client-*.tgz
+          name: opentdf-sdk-lib
+          path: ./lib/opentdf-sdk-*.tgz
 
   cli:
     needs:
@@ -49,18 +49,18 @@ jobs:
           cache-dependency-path: './cli/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
-      - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz
+      - run: npm uninstall @opentdf/sdk && npm ci && npm i ../lib/opentdf-sdk-*.tgz
       - run: npm test
       - run: npm audit --omit dev --audit-level moderate
       - run: npm run license-check
       - run: npm run lint
       - run: npm pack
       - uses: actions/upload-artifact@v4
         with:
-          name: opentdf-cli
-          path: ./cli/opentdf-cli-*.tgz
+          name: opentdf-ctl
+          path: ./cli/opentdf-ctl-*.tgz
 
   web-app:
     needs:
@@ -79,9 +79,9 @@ jobs:
           cache-dependency-path: './web-app/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
-      - run: npm uninstall @opentdf/client && npm ci && npm i ../lib/opentdf-client-*.tgz
+      - run: npm uninstall @opentdf/sdk && npm ci && npm i ../lib/opentdf-sdk-*.tgz
       - run: npm install
       - run: npm test
       - run: npm audit --omit dev --audit-level moderate
@@ -107,11 +107,11 @@ jobs:
           cache-dependency-path: './web-app/package-lock.json'
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-client-lib
+          name: opentdf-sdk-lib
           path: lib/
       - uses: actions/download-artifact@v4
         with:
-          name: opentdf-cli
+          name: opentdf-ctl
           path: cli
       - name: Git clone backend
         run: |