feat: patch-package for SES-compat patches; root patches/ as single source of truth

.gitignore

@@ -81,6 +81,9 @@ node_modules/
 # Bundle files
 *.bundle
 
+# Generated per-package patches dirs (populated by scripts/copy-patches.cjs at publish time)
+packages/*/patches/
+
 # Playwright reports
 playwright-report
 

README.md

@@ -66,6 +66,30 @@ See [`packages/create-package/README.md`](packages/create-package/README.md).
 
 For information on creating releases, see the [MetaMask/core release documentation](https://github.com/MetaMask/core/blob/main/docs/contributing.md#releasing-changes).
 
+### Patches
+
+Some third-party dependencies require patches for SES/lockdown compatibility. The root
+`patches/` directory is the single source of truth for all patches, applied automatically
+on `yarn install` via `patch-package`.
+
+Published packages that ship patches to consumers are called "sinks". Sinks are determined
+by analyzing the dependency graph: a non-private package that directly depends on a patched
+dependency is a sink if none of its transitive internal dependencies also depend on that
+patched dependency. Only `dependencies` are considered for sink analysis (not
+`peerDependencies` or `devDependencies`).
+
+Sink packages include `patches/` in their `files` field, declare `patch-package` as a
+`peerDependency`, and have a `postinstall` script that runs `patch-package --patch-dir patches`.
+The `scripts/copy-patches.cjs` script copies root patches into each sink at publish time,
+and `yarn constraints` enforces the correct configuration.
+
+**Adding a patch:** Place the `.patch` file in the root `patches/` directory. Run
+`yarn constraints --fix` to update sink packages, and verify with
+`node scripts/copy-patches.cjs`.
+
+**Removing a patch:** Delete the `.patch` file from the root `patches/` directory and run
+`yarn constraints --fix` to clean up sink packages.
+
 ## References
 
 - [Glossary](./docs/glossary.md)

package.json

@@ -25,7 +25,7 @@
     "lint:eslint": "yarn eslint . --cache",
     "lint:fix": "yarn constraints --fix && yarn lint:eslint --fix && yarn lint:misc --write && yarn lint:dependencies:fix",
     "lint:misc": "prettier --no-error-on-unmatched-pattern '**/*.json' '**/*.md' '**/*.html'  '**/*.yml' '!**/CHANGELOG.old.md' '!.yarnrc.yml' '!CLAUDE.md' '!merged-packages/**' --ignore-path .gitignore  --log-level error",
-    "postinstall": "simple-git-hooks && yarn rebuild:native",
+    "postinstall": "patch-package && simple-git-hooks && yarn rebuild:native",
     "prepack": "./scripts/prepack.sh",
     "rebuild:native": "./scripts/rebuild-native.sh",
     "test": "vitest run",
@@ -89,6 +89,7 @@
     "globals": "^16.0.0",
     "lint-staged": "^15.5.0",
     "lodash": "^4.17.21",
+    "patch-package": "^8.0.0",
     "playwright": "^1.58.2",
     "prettier": "^3.5.3",
     "prettier-plugin-packagejson": "^2.5.10",
@@ -126,7 +127,8 @@
       "@metamask/kernel-cli>@metamask/kernel-node-runtime>@libp2p/webrtc>@ipshipyard/node-datachannel": false,
       "@metamask/kernel-cli>@metamask/kernel-node-runtime>@metamask/kernel-store>better-sqlite3": false,
       "@metamask/kernel-cli>@metamask/kernel-node-runtime>@metamask/streams": false,
-      "@metamask/kernel-cli>@metamask/kernel-shims>@libp2p/webrtc>@ipshipyard/node-datachannel": false
+      "@metamask/kernel-cli>@metamask/kernel-shims>@libp2p/webrtc>@ipshipyard/node-datachannel": false,
+      "@metamask/kernel-cli>@metamask/kernel-utils": false
     }
   },
   "resolutions": {

packages/brow-2-brow/package.json

@@ -30,7 +30,7 @@
   },
   "dependencies": {
     "@chainsafe/libp2p-noise": "^16.1.3",
-    "@chainsafe/libp2p-yamux": "patch:@chainsafe/libp2p-yamux@npm%3A7.0.4#~/.yarn/patches/@chainsafe-libp2p-yamux-npm-7.0.4-284c2f6812.patch",
+    "@chainsafe/libp2p-yamux": "7.0.4",
     "@libp2p/autonat": "2.0.38",
     "@libp2p/bootstrap": "11.0.47",
     "@libp2p/circuit-relay-v2": "3.2.24",

packages/kernel-browser-runtime/package.json

@@ -73,7 +73,7 @@
     "@metamask/logger": "workspace:^",
     "@metamask/ocap-kernel": "workspace:^",
     "@metamask/rpc-errors": "^7.0.3",
-    "@metamask/snaps-utils": "^11.7.1",
+    "@metamask/snaps-utils": "^12.1.0",
     "@metamask/streams": "workspace:^",
     "@metamask/superstruct": "^3.2.1",
     "@metamask/utils": "^11.9.0",

packages/kernel-ui/package.json

@@ -60,7 +60,7 @@
     "test:dev:quiet": "yarn test:dev --reporter @ocap/repo-tools/vitest-reporters/silent"
   },
   "dependencies": {
-    "@metamask/design-system-react": "^0.6.0",
+    "@metamask/design-system-react": "^0.9.0",
     "@metamask/design-system-tailwind-preset": "^0.6.1",
     "@metamask/design-tokens": "^8.1.1",
     "@metamask/kernel-browser-runtime": "workspace:^",

packages/kernel-utils/README.md

@@ -10,6 +10,22 @@ or
 
 `npm install @metamask/kernel-utils`
 
+## SES/Lockdown Compatibility
+
+This package is designed to run under [SES](https://github.com/endojs/endo/tree/master/packages/ses) (Secure ECMAScript lockdown). Some of its dependencies require patches to work in a locked-down environment. The required patch files are included in the `patches/` directory of this package and are applied automatically via the `postinstall` script using [`patch-package`](https://github.com/ds300/patch-package).
+
+Add `patch-package` as a development dependency of your project:
+
+```sh
+yarn add --dev patch-package
+```
+
+or
+
+```sh
+npm install --save-dev patch-package
+```
+
 ## Contributing
 
 This package is part of a monorepo. Instructions for contributing can be found in the [monorepo README](https://github.com/MetaMask/ocap-kernel#readme).

packages/kernel-utils/package.json

@@ -75,7 +75,8 @@
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.cts",
   "files": [
-    "dist/"
+    "dist/",
+    "patches/"
   ],
   "scripts": {
     "build": "ts-bridge --project tsconfig.build.json --no-references --clean",
@@ -88,6 +89,7 @@
     "lint:eslint": "eslint . --cache",
     "lint:fix": "yarn lint:eslint --fix && yarn lint:misc --write && yarn constraints --fix && yarn lint:dependencies",
     "lint:misc": "prettier --no-error-on-unmatched-pattern '**/*.json' '**/*.md' '**/*.html' '!**/CHANGELOG.old.md' '**/*.yml' '!.yarnrc.yml' '!merged-packages/**' --ignore-path ../../.gitignore --log-level error",
+    "postinstall": "[ ! -d patches ] || patch-package --patch-dir patches",
     "publish:preview": "yarn npm publish --tag preview",
     "test": "vitest run --config vitest.config.ts",
     "test:clean": "yarn test --no-cache --coverage.clean",
@@ -98,7 +100,7 @@
   },
   "dependencies": {
     "@chainsafe/libp2p-noise": "^16.1.3",
-    "@chainsafe/libp2p-yamux": "patch:@chainsafe/libp2p-yamux@npm%3A7.0.4#~/.yarn/patches/@chainsafe-libp2p-yamux-npm-7.0.4-284c2f6812.patch",
+    "@chainsafe/libp2p-yamux": "7.0.4",
     "@endo/captp": "^4.4.8",
     "@endo/errors": "^1.2.13",
     "@endo/exo": "^1.5.12",
@@ -153,6 +155,7 @@
   },
   "peerDependencies": {
     "acorn": "^8.15.0",
+    "patch-package": "^8.0.0",
     "vite": "^7.3.0"
   },
   "peerDependenciesMeta": {

packages/ocap-kernel/README.md

@@ -10,6 +10,34 @@ or
 
 `npm install @metamask/ocap-kernel`
 
+## SES/Lockdown Compatibility
+
+This package is designed to run under [SES](https://github.com/endojs/endo/tree/master/packages/ses) (Secure ECMAScript lockdown). One of its dependencies, `@chainsafe/libp2p-yamux`, requires a patch to work in a locked-down environment. The required patches are listed in the `patchedDependencies` field of this package's `package.json`, and the patch files are included in the `patches/` directory of this package.
+
+Apply them using [`patch-package`](https://github.com/ds300/patch-package):
+
+1. Install `patch-package`:
+
+   ```sh
+   npm install --save-dev patch-package
+   ```
+
+2. Copy the patch file(s) to your project's `patches/` directory:
+
+   ```sh
+   cp node_modules/@metamask/ocap-kernel/patches/* patches/
+   ```
+
+3. Add a `postinstall` script to your `package.json`:
+
+   ```json
+   "scripts": {
+     "postinstall": "patch-package"
+   }
+   ```
+
+4. Run `npm install` (or your package manager's equivalent) to apply the patches.
+
 ## Contributing
 
 This package is part of a monorepo. Instructions for contributing can be found in the [monorepo README](https://github.com/MetaMask/ocap-kernel#readme).

packages/ocap-kernel/package.json

@@ -70,7 +70,7 @@
   "dependencies": {
     "@agoric/swingset-liveslots": "0.10.3-u21.0.1",
     "@chainsafe/libp2p-noise": "^16.1.3",
-    "@chainsafe/libp2p-yamux": "patch:@chainsafe/libp2p-yamux@npm%3A7.0.4#~/.yarn/patches/@chainsafe-libp2p-yamux-npm-7.0.4-284c2f6812.patch",
+    "@chainsafe/libp2p-yamux": "7.0.4",
     "@endo/errors": "^1.2.13",
     "@endo/eventual-send": "^1.3.4",
     "@endo/marshal": "^1.8.0",

patches/@chainsafe+libp2p-yamux+7.0.4.patch

@@ -0,0 +1,21 @@
+diff --git a/node_modules/@chainsafe/libp2p-yamux/dist/src/decode.js b/node_modules/@chainsafe/libp2p-yamux/dist/src/decode.js
+index 58728fddc7355906bcb8d8273d41e73ecbbc9d67..7aa39de8fc9268d632be340d10f87a2522f18c45 100644
+--- a/node_modules/@chainsafe/libp2p-yamux/dist/src/decode.js
++++ b/node_modules/@chainsafe/libp2p-yamux/dist/src/decode.js
+@@ -111,14 +111,14 @@ export class Decoder {
+ export function returnlessSource(source) {
+     if (source[Symbol.iterator] !== undefined) {
+         const iterator = source[Symbol.iterator]();
+-        iterator.return = undefined;
++        Object.defineProperty(iterator, 'return', {});
+         return {
+             [Symbol.iterator]() { return iterator; }
+         };
+     }
+     else if (source[Symbol.asyncIterator] !== undefined) {
+         const iterator = source[Symbol.asyncIterator]();
+-        iterator.return = undefined;
++        Object.defineProperty(iterator, 'return', {});
+         return {
+             [Symbol.asyncIterator]() { return iterator; }
+         };