@concavejs/runtime-cf-base 0.0.1-alpha.6 → 0.0.1-alpha.7

package/dist/durable-objects/concave-do-base.d.ts

@@ -74,6 +74,7 @@ export declare class ConcaveDOBase extends DurableObject {
      * runtime auto-discovery from the global module registry.
      */
     private initializeCronSpecs;
+    private currentSnapshotTimestamp;
     /**
      * Main request handler
      */
@@ -89,7 +90,7 @@ export declare class ConcaveDOBase extends DurableObject {
     /**
      * Execute a UDF
      */
-    protected execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: any, componentPath?: string, requestId?: string): Promise<UdfResult>;
+    protected execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: any, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint): Promise<UdfResult>;
     /**
      * Handle scheduled function alarms
      */

package/dist/durable-objects/concave-do-base.js

@@ -12,7 +12,8 @@ import { getSearchIndexesFromSchema, getVectorIndexesFromSchema } from "@concave
 import { SchemaService } from "@concavejs/core/kernel";
 import { runAsClientCall, runAsServerCall } from "@concavejs/core/udf";
 import { ScheduledFunctionExecutor, CronExecutor } from "@concavejs/core";
-import { resolveAdminAuthConfigFromEnv, resolveJwtValidationConfigFromEnv, resolveSystemAuthConfigFromEnv, setAdminAuthConfig, setJwtValidationConfig, setSystemAuthConfig, } from "@concavejs/core/auth";
+import { resolveAuthContext } from "@concavejs/core/http";
+import { AdminAuthError, identityFromToken, isAdminToken, isSystemToken, JWTValidationError, resolveAdminAuthConfigFromEnv, resolveJwtValidationConfigFromEnv, resolveSystemAuthConfigFromEnv, setAdminAuthConfig, setJwtValidationConfig, setSystemAuthConfig, SystemAuthError, } from "@concavejs/core/auth";
 const VERSIONED_API_PREFIX = /^\/api\/\d+\.\d+(?:\.\d+)?(?=\/|$)/;
 function stripApiVersionPrefix(pathname) {
     return pathname.replace(VERSIONED_API_PREFIX, "/api");
@@ -23,6 +24,8 @@ function isReservedApiPath(pathname) {
         normalizedPath === "/api/sync" ||
         normalizedPath === "/api/reset-test-state" ||
         normalizedPath === "/api/query" ||
+        normalizedPath === "/api/query_ts" ||
+        normalizedPath === "/api/query_at_ts" ||
         normalizedPath === "/api/mutation" ||
         normalizedPath === "/api/action") {
         return true;
@@ -41,6 +44,28 @@ function shouldHandleAsHttpRoute(pathname) {
     }
     return !isReservedApiPath(pathname);
 }
+function parseSnapshotTimestamp(value) {
+    if (value === undefined || value === null) {
+        return undefined;
+    }
+    if (typeof value === "bigint") {
+        return value;
+    }
+    if (typeof value === "number") {
+        if (!Number.isFinite(value) || !Number.isInteger(value) || value < 0) {
+            throw new Error("Invalid snapshotTimestamp");
+        }
+        return BigInt(value);
+    }
+    if (typeof value === "string") {
+        const trimmed = value.trim();
+        if (!/^\d+$/.test(trimmed)) {
+            throw new Error("Invalid snapshotTimestamp");
+        }
+        return BigInt(trimmed);
+    }
+    throw new Error("Invalid snapshotTimestamp");
+}
 /**
  * Base class for Concave Durable Objects
  *
@@ -74,7 +99,6 @@ export class ConcaveDOBase extends DurableObject {
         setAdminAuthConfig(adminConfig);
         setSystemAuthConfig(systemConfig);
         const instanceId = state.id.name ?? state.id.toString();
-        console.log(`[ConcaveDO.constructor] instanceId=${instanceId}`);
         const adapterContext = {
             state,
             env,
@@ -155,11 +179,30 @@ export class ConcaveDOBase extends DurableObject {
             console.warn("[ConcaveDO] Failed to initialize cron specs:", error?.message ?? error);
         }
     }
+    currentSnapshotTimestamp() {
+        const oracle = this._docstore?.timestampOracle;
+        const oracleTimestamp = typeof oracle?.beginSnapshot === "function"
+            ? oracle.beginSnapshot()
+            : typeof oracle?.getCurrentTimestamp === "function"
+                ? oracle.getCurrentTimestamp()
+                : undefined;
+        const wallClock = BigInt(Date.now());
+        if (typeof oracleTimestamp === "bigint" && oracleTimestamp > wallClock) {
+            return oracleTimestamp;
+        }
+        return wallClock;
+    }
     /**
      * Main request handler
      */
     async fetch(request) {
         const url = new URL(request.url);
+        if (url.pathname === "/query_ts") {
+            if (request.method !== "POST") {
+                return new Response("Method not allowed", { status: 405 });
+            }
+            return Response.json({ ts: this.currentSnapshotTimestamp().toString() }, { headers: this.corsHeaders(request) });
+        }
         if (shouldHandleAsHttpRoute(url.pathname)) {
             return this.handleHttp(request);
         }
@@ -173,10 +216,11 @@ export class ConcaveDOBase extends DurableObject {
      */
     async handleUdfRequest(request) {
         try {
-            const { path, args, type, auth, componentPath, caller } = await request.json();
+            const { path, args, type, auth, componentPath, caller, snapshotTimestamp } = await request.json();
             const convexArgs = jsonToConvex(args);
+            const parsedSnapshotTimestamp = parseSnapshotTimestamp(snapshotTimestamp);
             const requestId = crypto.randomUUID();
-            const exec = () => this.execute(path, convexArgs, type, auth, componentPath, requestId);
+            const exec = () => this.execute(path, convexArgs, type, auth, componentPath, requestId, parsedSnapshotTimestamp);
             const result = caller === "server" ? await runAsServerCall(exec, path) : await runAsClientCall(exec);
             if (type === "mutation" || type === "action") {
                 this.doState.waitUntil(this.reschedule());
@@ -196,7 +240,7 @@ export class ConcaveDOBase extends DurableObject {
         }
         catch (e) {
             console.error(e);
-            return new Response(`Error in Durable Object: ${e.message}`, {
+            return new Response("Internal Server Error", {
                 headers: this.corsHeaders(request),
                 status: 500,
             });
@@ -210,33 +254,60 @@ export class ConcaveDOBase extends DurableObject {
             const url = new URL(request.url);
             url.pathname = url.pathname.replace(/^\/api\/http/, "");
             const req = new Request(url.toString(), request);
-            const auth = undefined;
+            const authHeader = req.headers.get("Authorization");
+            const headerToken = authHeader?.replace(/^Bearer\s+/i, "").trim() || undefined;
+            let headerIdentity;
+            try {
+                headerIdentity =
+                    headerToken && !isAdminToken(headerToken) && !isSystemToken(headerToken)
+                        ? await identityFromToken(headerToken)
+                        : undefined;
+            }
+            catch (error) {
+                if (error instanceof JWTValidationError || error instanceof AdminAuthError || error instanceof SystemAuthError) {
+                    return Response.json({ error: "Unauthorized" }, { status: 401, headers: this.corsHeaders(request) });
+                }
+                throw error;
+            }
+            const auth = (await resolveAuthContext(undefined, headerToken, headerIdentity));
             const requestId = crypto.randomUUID();
             return this.udfExecutor.executeHttp(req, auth, requestId);
         }
         catch (e) {
             console.error(e);
-            return new Response(`Error in Durable Object: ${e.message}`, { status: 500 });
+            return new Response("Internal Server Error", { status: 500, headers: this.corsHeaders(request) });
         }
     }
     /**
      * Execute a UDF
      */
-    async execute(path, args, type, auth, componentPath, requestId) {
-        return this.udfExecutor.execute(path, args, type, auth, componentPath, requestId);
+    async execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp) {
+        return this.udfExecutor.execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp);
     }
     /**
      * Handle scheduled function alarms
      */
     async alarm() {
-        const scheduledResult = await this.scheduler.runDueJobs();
-        const cronResult = await this.cronExecutor.runDueJobs();
-        const nextTimes = [scheduledResult.nextScheduledTime, cronResult.nextScheduledTime].filter((t) => t !== null);
-        if (nextTimes.length === 0) {
-            await this.doState.storage.deleteAlarm();
+        try {
+            const scheduledResult = await this.scheduler.runDueJobs();
+            const cronResult = await this.cronExecutor.runDueJobs();
+            const nextTimes = [scheduledResult.nextScheduledTime, cronResult.nextScheduledTime].filter((t) => t !== null);
+            if (nextTimes.length === 0) {
+                await this.doState.storage.deleteAlarm();
+            }
+            else {
+                await this.doState.storage.setAlarm(Math.min(...nextTimes));
+            }
         }
-        else {
-            await this.doState.storage.setAlarm(Math.min(...nextTimes));
+        catch (error) {
+            console.error("[ConcaveDO] Alarm handler failed:", error?.message ?? error);
+            // Re-check for pending jobs so we don't lose scheduled work
+            try {
+                await this.reschedule();
+            }
+            catch (rescheduleError) {
+                console.error("[ConcaveDO] Reschedule after alarm failure also failed:", rescheduleError?.message);
+            }
         }
     }
     /**

package/dist/http/http-api.js

@@ -15,6 +15,8 @@ function isReservedApiPath(pathname) {
         normalizedPath === "/api/sync" ||
         normalizedPath === "/api/reset-test-state" ||
         normalizedPath === "/api/query" ||
+        normalizedPath === "/api/query_ts" ||
+        normalizedPath === "/api/query_at_ts" ||
         normalizedPath === "/api/mutation" ||
         normalizedPath === "/api/action") {
         return true;
@@ -36,6 +38,24 @@ function shouldForwardApiPath(pathname) {
     }
     return !isReservedApiPath(pathname);
 }
+function arrayBufferToBase64(buffer) {
+    const bytes = new Uint8Array(buffer);
+    const chunkSize = 0x8000;
+    let binary = "";
+    for (let offset = 0; offset < bytes.length; offset += chunkSize) {
+        const chunk = bytes.subarray(offset, Math.min(offset + chunkSize, bytes.length));
+        binary += String.fromCharCode(...chunk);
+    }
+    return btoa(binary);
+}
+function base64ToArrayBuffer(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+}
 /**
  * Create a storage adapter that routes through the ConcaveDO's storage syscall handler.
  * This ensures storage operations are properly isolated within the DO.
@@ -44,7 +64,7 @@ function createStorageAdapter(concaveDO, _instance) {
     return {
         store: async (blob) => {
             const buffer = await blob.arrayBuffer();
-            const base64 = btoa(String.fromCharCode(...new Uint8Array(buffer)));
+            const base64 = arrayBufferToBase64(buffer);
             const response = await concaveDO.fetch("http://do/storage", {
                 method: "POST",
                 headers: { "Content-Type": "application/json" },
@@ -81,12 +101,8 @@ function createStorageAdapter(concaveDO, _instance) {
             if (!result.result || !result.result.__arrayBuffer) {
                 return { blob: null };
             }
-            const binary = atob(result.result.__arrayBuffer);
-            const bytes = new Uint8Array(binary.length);
-            for (let i = 0; i < binary.length; i++) {
-                bytes[i] = binary.charCodeAt(i);
-            }
-            return { blob: new Blob([bytes.buffer]) };
+            const buffer = base64ToArrayBuffer(result.result.__arrayBuffer);
+            return { blob: new Blob([buffer]) };
         },
     };
 }
@@ -142,10 +158,28 @@ export async function handleHttpApiRequest(request, env, ctx, instance = "single
     }
     // Note: Internal function access control is now handled by core executor (fail-closed)
     const coreResult = await handleCoreHttpApiRequest(request, {
-        executeFunction: async ({ type, path, args, auth, componentPath }) => adapter.executeUdf(path, args, type, auth, componentPath),
+        executeFunction: async ({ type, path, args, auth, componentPath, snapshotTimestamp }) => adapter.executeUdf(path, args, type, auth, componentPath, undefined, snapshotTimestamp),
         notifyWrites,
         storage: storageAdapter,
         corsHeaders,
+        getSnapshotTimestamp: async () => {
+            try {
+                const response = await concave.fetch("http://do/query_ts", {
+                    method: "POST",
+                });
+                if (!response.ok) {
+                    throw new Error(`query_ts failed with status ${response.status}`);
+                }
+                const body = (await response.json());
+                if (typeof body.ts !== "string" || !/^\d+$/.test(body.ts)) {
+                    throw new Error("Invalid query_ts response");
+                }
+                return BigInt(body.ts);
+            }
+            catch {
+                return BigInt(Date.now());
+            }
+        },
     });
     if (coreResult?.handled) {
         return coreResult.response;

package/dist/rpc/docstore-proxy.js

@@ -1,3 +1,4 @@
+import { TimestampOracle } from "@concavejs/core/utils";
 /**
  * Wraps a DO stub as a DocStore.
  * Generator methods are converted from arrays back to async generators.
@@ -16,6 +17,9 @@ export function createGatewayDocStoreProxy(gateway, projectId, instance) {
  * Internal helper that creates a DocStore proxy with configurable argument transformation.
  */
 function createDocStoreProxyInternal(target, transformArgs) {
+    // Use a real TimestampOracle to guarantee monotonic, unique timestamps.
+    // The DO-side oracle cannot be accessed via RPC, so each proxy gets its own.
+    const oracle = new TimestampOracle();
     return new Proxy({}, {
         get(_, prop) {
             // Convert array results back to async generators
@@ -48,25 +52,22 @@ function createDocStoreProxyInternal(target, transformArgs) {
                     return new Map(result);
                 };
             }
-            // Provide a local timestampOracle (DO-side oracle cannot be accessed via RPC)
+            // Provide a local TimestampOracle (DO-side oracle cannot be accessed via RPC)
             if (prop === "timestampOracle") {
-                return {
-                    observeTimestamp: () => { },
-                    allocateTimestamp: () => BigInt(Date.now()),
-                    getCurrentTimestamp: () => BigInt(Date.now()),
-                    beginSnapshot: () => BigInt(Date.now()),
-                };
+                return oracle;
             }
             // No-op close
             if (prop === "close") {
                 return async () => { };
             }
-            // Bind methods to target with transformed args
-            const method = target[prop];
-            if (typeof method === "function") {
-                return (...args) => method.call(target, ...transformArgs(...args));
+            // Bind methods to target with transformed args.
+            // Use direct invocation (target[prop](...)) instead of .call() because
+            // Cloudflare RPC stubs intercept property access - .call() would be
+            // interpreted as an RPC method name rather than Function.prototype.call.
+            if (typeof target[prop] === "function") {
+                return (...args) => target[prop](...transformArgs(...args));
             }
-            return method;
+            return target[prop];
         },
     });
 }

package/dist/udf/executor/do-client-executor.d.ts

@@ -9,6 +9,6 @@ import type { AuthContext } from "@concavejs/core/sync/protocol-handler";
 export declare class ConcaveStubExecutor implements UdfExec {
     private readonly stub;
     constructor(stub: DurableObjectStub);
-    execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string): Promise<UdfResult>;
+    execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint): Promise<UdfResult>;
     executeHttp(request: Request): Promise<Response>;
 }

package/dist/udf/executor/do-client-executor.js

@@ -8,7 +8,7 @@ export class ConcaveStubExecutor {
     constructor(stub) {
         this.stub = stub;
     }
-    async execute(path, args, type, auth, componentPath, requestId) {
+    async execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp) {
         const payload = {
             path,
             args: convexToJson(args),
@@ -17,6 +17,7 @@ export class ConcaveStubExecutor {
             componentPath,
             caller: "client",
             requestId,
+            snapshotTimestamp: snapshotTimestamp?.toString(),
         };
         const response = await this.stub.fetch("http://do/execute", {
             method: "POST",

package/dist/udf/executor/isolated-executor.d.ts

@@ -19,6 +19,6 @@ export declare class UdfExecIsolated implements UdfExec {
     private instance;
     private projectId;
     constructor(stubOrOptions: UdfExecutorRpc | UdfExecIsolatedOptions);
-    execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: any, componentPath?: string, requestId?: string): Promise<UdfResult>;
+    execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: any, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint): Promise<UdfResult>;
     executeHttp(request: Request, auth?: any, requestId?: string): Promise<Response>;
 }

package/dist/udf/executor/isolated-executor.js

@@ -21,9 +21,9 @@ export class UdfExecIsolated {
             this.projectId = "default";
         }
     }
-    async execute(path, args, type, auth, componentPath, requestId) {
+    async execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp) {
         // Pass instance context for syscall routing
-        return this.rpc.execute(path, args, type, auth, componentPath, requestId, this.instance, this.projectId);
+        return this.rpc.execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp, this.instance, this.projectId);
     }
     async executeHttp(request, auth, requestId) {
         return this.rpc.executeHttp(request, auth, requestId, this.instance, this.projectId);

package/dist/worker/udf-worker.d.ts

@@ -19,7 +19,7 @@ interface Env {
 export declare class UdfExecutorRpc extends WorkerEntrypoint {
     private udfExecutor;
     constructor(ctx: ExecutionContext, env: Env);
-    execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: any, componentPath?: string, requestId?: string, _instance?: string, _projectId?: string): Promise<import("@concavejs/core").UdfResult>;
+    execute(path: string, args: Record<string, any>, type: "query" | "mutation" | "action", auth?: any, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint, _instance?: string, _projectId?: string): Promise<import("@concavejs/core").UdfResult>;
     executeHttp(request: Request, auth?: any, requestId?: string, _instance?: string, _projectId?: string): Promise<Response>;
 }
 export {};

package/dist/worker/udf-worker.js

@@ -51,11 +51,11 @@ export class UdfExecutorRpc extends WorkerEntrypoint {
         // Pass blobstore if available, otherwise fall back to R2Bucket for direct mode
         this.udfExecutor = new UdfExecInline(docstore, blobstore ?? env.STORAGE_BUCKET, env.R2_PUBLIC_URL);
     }
-    async execute(path, args, type, auth, componentPath, requestId, _instance, _projectId) {
+    async execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp, _instance, _projectId) {
         // Note: instance and projectId are passed for per-request context but
         // currently we rely on the environment settings for syscall routing.
         // This can be enhanced to create per-request syscall clients if needed.
-        return this.udfExecutor.execute(path, args, type, auth, componentPath, requestId);
+        return this.udfExecutor.execute(path, args, type, auth, componentPath, requestId, snapshotTimestamp);
     }
     async executeHttp(request, auth, requestId, _instance, _projectId) {
         return this.udfExecutor.executeHttp(request, auth, requestId);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@concavejs/runtime-cf-base",
-  "version": "0.0.1-alpha.6",
+  "version": "0.0.1-alpha.7",
   "license": "FSL-1.1-Apache-2.0",
   "publishConfig": {
     "access": "public"