@blaxel/core 0.2.87-preview.169 → 0.2.87-preview.171

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dist/cjs/.tsbuildinfo +1 -1
  2. package/dist/cjs/authentication/credentials.js +11 -1
  3. package/dist/cjs/authentication/index.js +3 -1
  4. package/dist/cjs/common/credentials.test.js +71 -0
  5. package/dist/cjs/common/errors.js +15 -0
  6. package/dist/cjs/common/h2fetch.js +55 -52
  7. package/dist/cjs/common/settings.js +40 -2
  8. package/dist/cjs/common/settings.test.js +10 -1
  9. package/dist/cjs/types/authentication/credentials.d.ts +9 -0
  10. package/dist/cjs/types/common/credentials.test.d.ts +1 -0
  11. package/dist/cjs/types/common/errors.d.ts +10 -0
  12. package/dist/cjs/types/common/h2fetch.d.ts +9 -4
  13. package/dist/cjs/types/common/settings.d.ts +9 -0
  14. package/dist/cjs-browser/.tsbuildinfo +1 -1
  15. package/dist/cjs-browser/authentication/credentials.js +11 -1
  16. package/dist/cjs-browser/authentication/index.js +3 -1
  17. package/dist/cjs-browser/common/credentials.test.js +71 -0
  18. package/dist/cjs-browser/common/errors.js +15 -0
  19. package/dist/cjs-browser/common/settings.js +40 -2
  20. package/dist/cjs-browser/common/settings.test.js +10 -1
  21. package/dist/cjs-browser/types/authentication/credentials.d.ts +9 -0
  22. package/dist/cjs-browser/types/common/credentials.test.d.ts +1 -0
  23. package/dist/cjs-browser/types/common/errors.d.ts +10 -0
  24. package/dist/cjs-browser/types/common/h2fetch.d.ts +9 -4
  25. package/dist/cjs-browser/types/common/settings.d.ts +9 -0
  26. package/dist/esm/.tsbuildinfo +1 -1
  27. package/dist/esm/authentication/credentials.js +9 -0
  28. package/dist/esm/authentication/index.js +4 -2
  29. package/dist/esm/common/credentials.test.js +69 -0
  30. package/dist/esm/common/errors.js +13 -0
  31. package/dist/esm/common/h2fetch.js +55 -52
  32. package/dist/esm/common/settings.js +40 -2
  33. package/dist/esm/common/settings.test.js +10 -1
  34. package/dist/esm-browser/.tsbuildinfo +1 -1
  35. package/dist/esm-browser/authentication/credentials.js +9 -0
  36. package/dist/esm-browser/authentication/index.js +4 -2
  37. package/dist/esm-browser/common/credentials.test.js +69 -0
  38. package/dist/esm-browser/common/errors.js +13 -0
  39. package/dist/esm-browser/common/settings.js +40 -2
  40. package/dist/esm-browser/common/settings.test.js +10 -1
  41. package/package.json +1 -1
@@ -11,3 +11,12 @@ export class Credentials {
11
11
  return "";
12
12
  }
13
13
  }
14
+ /**
15
+ * Marker returned by `authentication()` when no usable Blaxel credentials were
16
+ * resolved (no env vars, no matching config workspace). Construction is
17
+ * side-effect free so importing `@blaxel/core` never fails; the actionable
18
+ * error is raised when an authenticated request is actually attempted
19
+ * (see `Settings.assertCredentials`).
20
+ */
21
+ export class MissingCredentials extends Credentials {
22
+ }
@@ -3,7 +3,7 @@ import { env } from "../common/env.js";
3
3
  import { fs, os, path } from "../common/node.js";
4
4
  import { ApiKey } from "./apikey.js";
5
5
  import { ClientCredentials } from "./clientcredentials.js";
6
- import { Credentials } from "./credentials.js";
6
+ import { Credentials, MissingCredentials } from "./credentials.js";
7
7
  import { DeviceMode } from "./deviceMode.js";
8
8
  function getCredentials() {
9
9
  if (env.BL_API_KEY) {
@@ -45,7 +45,9 @@ function getCredentials() {
45
45
  export function authentication() {
46
46
  const credentials = getCredentials();
47
47
  if (!credentials) {
48
- return new Credentials();
48
+ // Never silently fall back to empty headers: a marker that triggers a
49
+ // clear CredentialsError when an authenticated request is attempted.
50
+ return new MissingCredentials();
49
51
  }
50
52
  if (credentials.apiKey) {
51
53
  return new ApiKey(credentials);
@@ -0,0 +1,69 @@
1
+ import { afterEach, beforeEach, describe, expect, it } from 'vitest';
2
+ import { ApiKey } from '../authentication/apikey.js';
3
+ import { MissingCredentials } from '../authentication/credentials.js';
4
+ import { authentication } from '../authentication/index.js';
5
+ import { CredentialsError } from './errors.js';
6
+ import { settings } from './settings.js';
7
+ /**
8
+ * ENG-2698: missing / partial BL_WORKSPACE / BL_API_KEY must fail fast with a
9
+ * clear, actionable error instead of silently sending empty headers and
10
+ * surfacing the server's misleading "workspace is required".
11
+ *
12
+ * `env` reads through to `process.env`, so env state is controlled there.
13
+ */
14
+ describe('credential validation', () => {
15
+ const AUTH_ENV = ['BL_API_KEY', 'BL_WORKSPACE', 'BL_CLIENT_CREDENTIALS'];
16
+ let savedEnv;
17
+ let savedCredentials;
18
+ let savedConfig;
19
+ beforeEach(() => {
20
+ savedEnv = {};
21
+ for (const key of AUTH_ENV) {
22
+ savedEnv[key] = process.env[key];
23
+ delete process.env[key];
24
+ }
25
+ savedCredentials = settings.credentials;
26
+ savedConfig = settings.config;
27
+ settings.config = { proxy: '', apikey: '', workspace: '' };
28
+ });
29
+ afterEach(() => {
30
+ for (const key of AUTH_ENV) {
31
+ if (savedEnv[key] === undefined)
32
+ delete process.env[key];
33
+ else
34
+ process.env[key] = savedEnv[key];
35
+ }
36
+ settings.credentials = savedCredentials;
37
+ settings.config = savedConfig;
38
+ });
39
+ it('API key without workspace throws a clear BL_WORKSPACE error from headers', () => {
40
+ settings.credentials = new ApiKey({ apiKey: 'test-key' });
41
+ expect(() => settings.headers).toThrow(CredentialsError);
42
+ expect(() => settings.headers).toThrow(/BL_WORKSPACE/);
43
+ });
44
+ it('API key without workspace rejects from authenticate()', async () => {
45
+ settings.credentials = new ApiKey({ apiKey: 'test-key' });
46
+ await expect(settings.authenticate()).rejects.toThrow(/BL_WORKSPACE/);
47
+ });
48
+ it('workspace set but no API key names the missing API key', () => {
49
+ process.env.BL_WORKSPACE = 'my-workspace';
50
+ settings.credentials = new MissingCredentials();
51
+ expect(() => settings.headers).toThrow(/API key is missing/);
52
+ });
53
+ it('no credentials at all names both env vars', () => {
54
+ settings.credentials = new MissingCredentials();
55
+ expect(() => settings.headers).toThrow(CredentialsError);
56
+ expect(() => settings.headers).toThrow(/BL_API_KEY and BL_WORKSPACE/);
57
+ });
58
+ it('api key + workspace builds clean headers with no empty values', () => {
59
+ settings.credentials = new ApiKey({ apiKey: 'test-key', workspace: 'my-workspace' });
60
+ const headers = settings.headers;
61
+ expect(headers['x-blaxel-workspace']).toBe('my-workspace');
62
+ expect(headers['x-blaxel-authorization']).toBe('Bearer test-key');
63
+ expect(Object.values(headers)).not.toContain('');
64
+ });
65
+ it('authentication() returns a real ApiKey when BL_API_KEY is set', () => {
66
+ process.env.BL_API_KEY = 'test-key';
67
+ expect(authentication()).toBeInstanceOf(ApiKey);
68
+ });
69
+ });
@@ -1,3 +1,16 @@
1
+ /**
2
+ * Thrown when Blaxel credentials are missing or incomplete.
3
+ *
4
+ * Surfaced eagerly with an actionable message (which env var / login step is
5
+ * missing) instead of silently sending empty workspace/authorization headers
6
+ * and letting the user hit a misleading server-side "workspace is required".
7
+ */
8
+ export class CredentialsError extends Error {
9
+ constructor(message) {
10
+ super(message);
11
+ this.name = "CredentialsError";
12
+ }
13
+ }
1
14
  export function handleDynamicImportError(err) {
2
15
  if (err instanceof Error) {
3
16
  // We check if it's module import error and retrieve package name from the error message with a regex
@@ -97,64 +97,44 @@ export function createH2Fetch(session) {
97
97
  };
98
98
  }
99
99
  /**
100
- * Creates a fetch()-compatible function backed by the H2 session pool.
100
+ * The single HTTP/2 request gateway (ENG-2679).
101
101
  *
102
- * The pool validates idle sessions before reuse. If no usable H2 session is
103
- * available, the request falls back to regular fetch before any H2 frames
104
- * are sent.
102
+ * Every pool-backed request funnels through here, no matter which entry point
103
+ * it came from: the generated client's fetch (`createPoolBackedH2Fetch`),
104
+ * `SandboxAction.h2Fetch`, and the interpreter's direct path (both via
105
+ * `h2RequestDirectFromPool`). It owns the shared request lifecycle in one place:
106
+ * 1. take a per-domain open-stream slot,
107
+ * 2. get a live session from the pool,
108
+ * 3. send the request on it,
109
+ * 4. evict the session if the send fails after a stream was opened,
110
+ * 5. fall back to globalThis.fetch when the pool has no usable session.
111
+ *
112
+ * This is the chokepoint where reliability behavior that must protect EVERY
113
+ * consumer belongs: the open-stream concurrency limit today, and retry,
114
+ * timeouts, typed errors, and observability in later phases. Adding it once here
115
+ * (instead of re-implementing it per entry point) is what stops the recurring
116
+ * "fixed on one path, still broken on another" regressions.
117
+ *
118
+ * `send` performs the actual wire send on a live session; the caller supplies it
119
+ * so the gateway stays agnostic to the `Request` vs `(url, init)` call shapes,
120
+ * and it receives the slot-release and request-created hooks. `fallback` runs
121
+ * only when the pool has no usable session (a fresh connection, no shared
122
+ * stream is opened).
105
123
  */
106
- export function createPoolBackedH2Fetch(pool, domain) {
107
- return async (input) => {
108
- // Acquire the slot here, but hand its release to the send path: it is held
109
- // for the OPEN-STREAM lifetime and freed on the stream terminal. Paths that
110
- // never open a stream on the shared session (fetch fallbacks go over a
111
- // different connection) release it immediately so they do not count against
112
- // the open-stream budget. `rel` is idempotent, so the explicit releases
113
- // below are safe even though the send path may also release.
114
- const rel = await acquireH2Slot(domain);
115
- try {
116
- const session = await pool.get(domain);
117
- if (session) {
118
- let h2RequestCreated = false;
119
- try {
120
- return await _h2Request(session, input, {
121
- onH2RequestCreated: () => {
122
- h2RequestCreated = true;
123
- },
124
- releaseSlot: rel,
125
- });
126
- }
127
- catch (err) {
128
- if (h2RequestCreated) {
129
- pool.evictSession(domain, session);
130
- }
131
- throw err;
132
- }
133
- }
134
- // No usable session: this fetch does not open a stream on the shared
135
- // session, so free the slot before falling back.
136
- rel();
137
- return await globalThis.fetch(input);
138
- }
139
- catch (err) {
140
- // Pre-send throw (e.g. pool.get() or Request body read): release the slot
141
- // so a failed request never pins it. Idempotent if already released.
142
- rel();
143
- throw err;
144
- }
145
- };
146
- }
147
- export async function h2RequestDirectFromPool(pool, domain, url, init) {
148
- // See createPoolBackedH2Fetch: the slot is held for the OPEN-STREAM lifetime
149
- // and released by the send path on the stream terminal; non-stream fallbacks
150
- // release it immediately. `rel` is idempotent.
124
+ async function h2GatewayRequest(pool, domain, send, fallback) {
125
+ // Take the slot here, but hand its release to the send path: it is held for
126
+ // the OPEN-STREAM lifetime and freed on the stream terminal (ENG-2678). A
127
+ // request that never opens a stream on the shared session (the fallback goes
128
+ // over a different connection) releases it immediately so it does not count
129
+ // against the open-stream budget. `rel` is idempotent, so releasing here when
130
+ // the send path may also release is safe.
151
131
  const rel = await acquireH2Slot(domain);
152
132
  try {
153
133
  const session = await pool.get(domain);
154
134
  if (session) {
155
135
  let h2RequestCreated = false;
156
136
  try {
157
- return await h2RequestDirectInternal(session, url, init, {
137
+ return await send(session, {
158
138
  onH2RequestCreated: () => {
159
139
  h2RequestCreated = true;
160
140
  },
@@ -162,21 +142,44 @@ export async function h2RequestDirectFromPool(pool, domain, url, init) {
162
142
  });
163
143
  }
164
144
  catch (err) {
145
+ // A failure AFTER a stream opened means the session is suspect: drop it
146
+ // so the next caller gets a fresh one.
165
147
  if (h2RequestCreated) {
166
148
  pool.evictSession(domain, session);
167
149
  }
168
150
  throw err;
169
151
  }
170
152
  }
171
- // No usable session: fetch over a different connection, no stream opened.
153
+ // No usable session: free the slot before falling back over a different
154
+ // connection (no stream opens on the shared session).
172
155
  rel();
173
- return await globalThis.fetch(url, init);
156
+ return await fallback();
174
157
  }
175
158
  catch (err) {
159
+ // Pre-send throw (pool.get(), Request body read, or the fallback itself):
160
+ // release the slot so a failed request never pins it. Idempotent.
176
161
  rel();
177
162
  throw err;
178
163
  }
179
164
  }
165
+ /**
166
+ * Creates a fetch()-compatible function backed by the H2 session pool, routed
167
+ * through the single gateway. Used as the generated client's `fetch`.
168
+ *
169
+ * If no usable H2 session is available, the request falls back to regular fetch
170
+ * before any H2 frames are sent.
171
+ */
172
+ export function createPoolBackedH2Fetch(pool, domain) {
173
+ return (input) => h2GatewayRequest(pool, domain, (session, options) => _h2Request(session, input, options), () => globalThis.fetch(input));
174
+ }
175
+ /**
176
+ * Pool-backed H2 request taking raw url + init (skips Request allocation),
177
+ * routed through the same single gateway. Used by `SandboxAction.h2Fetch` and
178
+ * the code interpreter.
179
+ */
180
+ export function h2RequestDirectFromPool(pool, domain, url, init) {
181
+ return h2GatewayRequest(pool, domain, (session, options) => h2RequestDirectInternal(session, url, init, options), () => globalThis.fetch(url, init));
182
+ }
180
183
  /**
181
184
  * Low-level H2 request that takes raw URL + init, skipping Request construction.
182
185
  * Used by SandboxAction.h2Fetch() for direct calls from subsystems.
@@ -1,12 +1,29 @@
1
1
  import yaml from 'yaml';
2
2
  import { ApiKey } from "../authentication/apikey.js";
3
3
  import { ClientCredentials } from "../authentication/clientcredentials.js";
4
+ import { MissingCredentials } from "../authentication/credentials.js";
4
5
  import { authentication } from "../authentication/index.js";
5
6
  import { env } from "../common/env.js";
7
+ import { CredentialsError } from "../common/errors.js";
6
8
  import { fs, os, path } from "../common/node.js";
9
+ /**
10
+ * Build an actionable "credentials missing" message naming exactly which piece
11
+ * is absent, based on the env vars currently set.
12
+ */
13
+ function missingCredentialsMessage() {
14
+ const hasWorkspace = !!env.BL_WORKSPACE;
15
+ const hasApiKey = !!env.BL_API_KEY;
16
+ if (hasWorkspace && !hasApiKey) {
17
+ return "Blaxel API key is missing. Set the BL_API_KEY environment variable, or run `bl login`, to authenticate (BL_WORKSPACE is already set).";
18
+ }
19
+ if (hasApiKey && !hasWorkspace) {
20
+ return "Blaxel workspace is missing. Set the BL_WORKSPACE environment variable, or run `bl login`, to authenticate (BL_API_KEY is already set).";
21
+ }
22
+ return "No Blaxel credentials found. Set the BL_API_KEY and BL_WORKSPACE environment variables, or run `bl login`.";
23
+ }
7
24
  // Build info - these placeholders are replaced at build time by build:replace-imports
8
- const BUILD_VERSION = "0.2.87-preview.169";
9
- const BUILD_COMMIT = "5357b12d98548db2b306537be7d96d2888ac8cb1";
25
+ const BUILD_VERSION = "0.2.87-preview.171";
26
+ const BUILD_COMMIT = "06530fbea3b8ff89d51d0b834de6725ad5ad80ee";
10
27
  const BUILD_SENTRY_DSN = "https://fd5e60e1c9820e1eef5ccebb84a07127@o4508714045276160.ingest.us.sentry.io/4510465864564736";
11
28
  const BLAXEL_API_VERSION = "2026-04-16";
12
29
  // Cache for config.yaml tracking value
@@ -167,6 +184,7 @@ class Settings {
167
184
  return env.BL_API_VERSION || BLAXEL_API_VERSION;
168
185
  }
169
186
  get headers() {
187
+ this.assertCredentials();
170
188
  const osArch = getOsArch();
171
189
  return {
172
190
  "x-blaxel-authorization": this.authorization,
@@ -252,7 +270,27 @@ class Settings {
252
270
  }
253
271
  return 0;
254
272
  }
273
+ /**
274
+ * Fail fast with a clear, actionable error when credentials are missing or
275
+ * incomplete, instead of sending empty workspace/authorization headers and
276
+ * surfacing a misleading server-side "workspace is required". Skipped for
277
+ * `forceUrl` sandbox sessions, which carry their own headers and never read
278
+ * `settings.headers`. Leaves `workspace` itself non-throwing so telemetry
279
+ * tagging stays safe.
280
+ */
281
+ assertCredentials() {
282
+ const hasConfigCredentials = !!(this.config.apikey ||
283
+ this.config.apiKey ||
284
+ this.config.clientCredentials);
285
+ if (!hasConfigCredentials && this.credentials instanceof MissingCredentials) {
286
+ throw new CredentialsError(missingCredentialsMessage());
287
+ }
288
+ if (!this.workspace) {
289
+ throw new CredentialsError("Blaxel workspace is missing. Set the BL_WORKSPACE environment variable, or run `bl login`, to authenticate your requests.");
290
+ }
291
+ }
255
292
  async authenticate() {
293
+ this.assertCredentials();
256
294
  await this.credentials.authenticate();
257
295
  }
258
296
  }
@@ -1,4 +1,5 @@
1
1
  import { afterEach, beforeEach, describe, expect, it } from 'vitest';
2
+ import { ApiKey } from '../authentication/apikey.js';
2
3
  import { env } from './env.js';
3
4
  describe('Settings.apiVersion', () => {
4
5
  beforeEach(() => {
@@ -15,6 +16,14 @@ describe('Settings.apiVersion', () => {
15
16
  it('headers include Blaxel-Version set to the default', async () => {
16
17
  delete env.BL_API_VERSION;
17
18
  const { settings } = await import('./settings.js');
18
- expect(settings.headers['Blaxel-Version']).toBe('2026-04-16');
19
+ // headers now requires resolvable credentials; run in an authenticated context
20
+ const previous = settings.credentials;
21
+ settings.credentials = new ApiKey({ apiKey: 'test-key', workspace: 'test-ws' });
22
+ try {
23
+ expect(settings.headers['Blaxel-Version']).toBe('2026-04-16');
24
+ }
25
+ finally {
26
+ settings.credentials = previous;
27
+ }
19
28
  });
20
29
  });