@edge-base/server 0.1.5 → 0.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@edge-base/server",
-  "version": "0.1.5",
+  "version": "0.2.0",
   "description": "EdgeBase runtime assets consumed by the EdgeBase CLI",
   "license": "MIT",
   "repository": {
@@ -34,7 +34,7 @@
     "jose": "^6.0.0",
     "pg": "^8.16.3",
     "zod": "^4.3.6",
-    "@edge-base/shared": "0.1.5"
+    "@edge-base/shared": "0.2.0"
   },
   "devDependencies": {
     "@cloudflare/vitest-pool-workers": "^0.8.71",

package/src/__tests__/functions-route.test.ts

@@ -1,4 +1,5 @@
 import { afterEach, describe, expect, it } from 'vitest';
+import type { FunctionDefinition } from '@edge-base/shared';
 import { OpenAPIHono } from '../lib/hono.js';
 import { setConfig } from '../lib/do-router.js';
 import {
@@ -73,6 +74,29 @@ function createExecutionContext(): ExecutionContext {
   } as unknown as ExecutionContext;
 }
 
+function httpFunction(
+  method: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE',
+  handler: (ctx: Record<string, any>) => Promise<unknown> | unknown,
+  path?: string,
+): FunctionDefinition {
+  return {
+    trigger: {
+      type: 'http' as const,
+      method,
+      ...(path ? { path } : {}),
+    },
+    handler: async (ctx: unknown) => handler(ctx as Record<string, any>),
+  };
+}
+
+async function invokeFunction(path: string, method = 'GET') {
+  return createApp().fetch(
+    new Request(`http://localhost/api/functions/${path}`, { method }),
+    createEnv(),
+    createExecutionContext(),
+  );
+}
+
 afterEach(() => {
   clearFunctionRegistry();
   clearMiddlewareRegistry();
@@ -137,3 +161,132 @@ describe('functionsRoute FunctionError compatibility', () => {
     });
   });
 });
+
+describe('functionsRoute HTTP contracts', () => {
+  it('serializes plain objects as JSON responses', async () => {
+    registerFunction('reports/summary', httpFunction('GET', async () => ({
+      ok: true,
+      total: 3,
+    })));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('reports/summary');
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toContain('application/json');
+    await expect(response.json()).resolves.toEqual({ ok: true, total: 3 });
+  });
+
+  it('returns text/plain when handler returns a string', async () => {
+    registerFunction('health', httpFunction('GET', async () => 'healthy'));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('health');
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toContain('text/plain');
+    await expect(response.text()).resolves.toBe('healthy');
+  });
+
+  it('returns 204 when handler returns null', async () => {
+    registerFunction('empty', httpFunction('POST', async () => null));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('empty', 'POST');
+
+    expect(response.status).toBe(204);
+    await expect(response.text()).resolves.toBe('');
+  });
+
+  it('passes through native Response objects untouched', async () => {
+    registerFunction('created', httpFunction('POST', async () => (
+      new Response('created-body', {
+        status: 201,
+        headers: { 'content-type': 'text/plain', 'x-fn': 'direct-response' },
+      })
+    )));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('created', 'POST');
+
+    expect(response.status).toBe(201);
+    expect(response.headers.get('x-fn')).toBe('direct-response');
+    await expect(response.text()).resolves.toBe('created-body');
+  });
+
+  it('executes directory middleware before the handler', async () => {
+    const executionOrder: string[] = [];
+    registerMiddleware('secure', async () => {
+      executionOrder.push('middleware');
+    });
+    registerFunction('secure/audit', httpFunction('GET', async () => {
+      executionOrder.push('handler');
+      return { executionOrder };
+    }));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('secure/audit');
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      executionOrder: ['middleware', 'handler'],
+    });
+  });
+
+  it('supports custom trigger.path params and preserves query strings', async () => {
+    registerFunction(
+      'shortlink/resolve',
+      httpFunction(
+        'GET',
+        async (ctx) => {
+          const requestUrl = new URL(ctx.request.url);
+          return {
+            code: ctx.params.code,
+            target: requestUrl.searchParams.get('target'),
+          };
+        },
+        '/s/:code',
+      ),
+    );
+    rebuildCompiledRoutes();
+
+    const response = await createApp().fetch(
+      new Request('http://localhost/api/functions/s/abc123?target=docs', { method: 'GET' }),
+      createEnv(),
+      createExecutionContext(),
+    );
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      code: 'abc123',
+      target: 'docs',
+    });
+  });
+
+  it('supports catch-all params at execution time', async () => {
+    registerFunction('docs/[...slug]', httpFunction('GET', async (ctx) => ({
+      slug: ctx.params.slug,
+    })));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('docs/guides/getting-started/install');
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      slug: 'guides/getting-started/install',
+    });
+  });
+
+  it('returns 405 with structured JSON when method does not match', async () => {
+    registerFunction('users', httpFunction('GET', async () => ({ ok: true })));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('users', 'POST');
+
+    expect(response.status).toBe(405);
+    await expect(response.json()).resolves.toEqual({
+      code: 405,
+      message: "Method POST not allowed for 'users'.",
+    });
+  });
+});

package/src/__tests__/internal-request.test.ts

@@ -21,16 +21,16 @@ function makeContext(
 }
 
 describe('internal request helpers', () => {
-  it('isTrustedInternalRequestUrl only trusts worker-internal hosts', () => {
-    expect(isTrustedInternalRequestUrl('http://internal/api/db/shared')).toBe(true);
-    expect(isTrustedInternalRequestUrl('http://do/internal/functions/reindex')).toBe(true);
+  it('isTrustedInternalRequestUrl never trusts hostnames', () => {
+    expect(isTrustedInternalRequestUrl('http://internal/api/db/shared')).toBe(false);
+    expect(isTrustedInternalRequestUrl('http://do/internal/functions/reindex')).toBe(false);
     expect(isTrustedInternalRequestUrl('http://localhost:8787/api/db/shared')).toBe(false);
     expect(isTrustedInternalRequestUrl('not-a-url')).toBe(false);
   });
 
-  it('isTrustedInternalContext accepts explicit internal flags or trusted internal hosts', () => {
+  it('isTrustedInternalContext only accepts explicit internal flags', () => {
     expect(isTrustedInternalContext(makeContext('http://localhost/api/db/shared', true))).toBe(true);
-    expect(isTrustedInternalContext(makeContext('http://do/api/db/shared'))).toBe(true);
+    expect(isTrustedInternalContext(makeContext('http://do/api/db/shared'))).toBe(false);
     expect(isTrustedInternalContext(makeContext('http://example.com/api/db/shared'))).toBe(false);
   });
 

package/src/__tests__/meta-export-coverage.test.ts

@@ -9,10 +9,11 @@
  */
 import { readFileSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 
-const LIB_DIR = resolve(new URL('../lib', import.meta.url).pathname);
-const TEST_DIR = resolve(new URL('.', import.meta.url).pathname);
+const LIB_DIR = resolve(fileURLToPath(new URL('../lib', import.meta.url)));
+const TEST_DIR = resolve(fileURLToPath(new URL('.', import.meta.url)));
 
 // ─── Lib files that do NOT yet have dedicated tests ─────────────────────────
 // Remove entries as tests are added — each removal is a net win.

package/src/__tests__/meta-route-registration.test.ts

@@ -6,14 +6,15 @@
  */
 import { readFileSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 
 describe('index.ts route registration completeness', () => {
   const source = readFileSync(
-    new URL('../index.ts', import.meta.url),
+    fileURLToPath(new URL('../index.ts', import.meta.url)),
     'utf-8',
   );
-  const routesDir = resolve(new URL('../routes', import.meta.url).pathname);
+  const routesDir = resolve(fileURLToPath(new URL('../routes', import.meta.url)));
   const EXPECTED_ROUTES = readdirSync(routesDir)
     .filter((fileName) => fileName.endsWith('.ts'))
     .sort()

package/src/__tests__/openapi-coverage.test.ts

@@ -12,10 +12,11 @@
  */
 import { readFileSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 import { normalizeOpenApiDocument, type OpenApiSpec } from '../lib/openapi.js';
 
-const ROUTES_DIR = resolve(new URL('../routes', import.meta.url).pathname);
+const ROUTES_DIR = resolve(fileURLToPath(new URL('../routes', import.meta.url)));
 
 // ─── Intentionally non-OpenAPI route registrations ───────────────────────────
 // Format: "filename.ts:<line-content-substring>"
@@ -118,6 +119,7 @@ describe('OpenAPI route coverage', () => {
         '/admin/api/setup': { get: {} },
         '/admin/api/data/users': { get: {} },
         '/api/room/media/realtime/session': { post: {} },
+        '/api/room/media/cloudflare_realtimekit/session': { post: {} },
       },
     };
 
@@ -134,6 +136,8 @@ describe('OpenAPI route coverage', () => {
       .toEqual([{ userBearerAuth: [] }]);
     expect((normalized.paths?.['/api/room/media/realtime/session'] as Record<string, { security?: unknown }>).post.security)
       .toEqual([{ userBearerAuth: [] }]);
+    expect((normalized.paths?.['/api/room/media/cloudflare_realtimekit/session'] as Record<string, { security?: unknown }>).post.security)
+      .toEqual([{ userBearerAuth: [] }]);
     expect((normalized.paths?.['/api/sql'] as Record<string, { security?: unknown }>).post.security)
       .toEqual([{ serviceKeyAuth: [] }]);
     expect((normalized.paths?.['/admin/api/setup'] as Record<string, { security?: unknown }>).get.security)

package/src/__tests__/rate-limit.test.ts

@@ -11,7 +11,6 @@ import {
   getLimit,
   parseWindow,
   FixedWindowCounter,
-  RATE_LIMIT_DEFAULTS,
   RATE_LIMIT_DEV_DEFAULTS,
   rateLimitMiddleware,
 } from '../middleware/rate-limit.js';

package/src/__tests__/room-handler-context.test.ts

@@ -127,4 +127,35 @@ describe('RoomsDO handler context', () => {
       }),
     );
   });
+
+  it('returns 409 when creating a Cloudflare RealtimeKit session while media is already published', async () => {
+    const { RoomsDO } = await import('../durable-objects/rooms-do.js');
+
+    const room: any = Object.create(RoomsDO.prototype);
+    room.readJsonBody = vi.fn().mockResolvedValue({ connectionId: 'conn-1' });
+    room.authenticateRealtimeRequest = vi.fn().mockResolvedValue({
+      memberId: 'member-1',
+      connectionId: 'conn-1',
+      meta: {
+        authenticated: true,
+        connectionId: 'conn-1',
+      },
+    });
+    room.hasPublishedTracks = vi.fn().mockReturnValue(true);
+
+    const response = await room.handleCloudflareRealtimeKitSessionCreate(
+      new Request('http://do/media/cloudflare_realtimekit/session?room=game::room-1', {
+        method: 'POST',
+        body: JSON.stringify({ connectionId: 'conn-1' }),
+        headers: { 'Content-Type': 'application/json' },
+      }),
+      new URL('http://do/media/cloudflare_realtimekit/session?room=game::room-1'),
+    );
+
+    expect(response.status).toBe(409);
+    await expect(response.json()).resolves.toEqual({
+      code: 409,
+      message: 'Unpublish existing room media before creating a new Cloudflare RealtimeKit session',
+    });
+  });
 });

package/src/__tests__/room-runtime-routing.test.ts

@@ -219,4 +219,52 @@ describe('room route runtime routing', () => {
     expect(doFetch).toHaveBeenCalledTimes(1);
     expect(new URL((doFetch.mock.calls[0][0] as Request).url).searchParams.get('room')).toBe('game::room-1');
   });
+
+  it('routes room cloudflare realtimekit session requests to the rooms runtime', async () => {
+    setConfig(defineConfig({
+      rooms: {
+        game: {
+          runtime: {
+            target: 'rooms',
+          },
+        },
+      },
+    }));
+
+    const doFetch = vi.fn(async (request: Request) => new Response(JSON.stringify({
+      runtime: 'rooms',
+      path: new URL(request.url).pathname,
+      auth: request.headers.get('Authorization'),
+      body: await request.clone().json(),
+    }), {
+      headers: { 'Content-Type': 'application/json' },
+      status: 201,
+    }));
+
+    const env = createRoomRuntimeEnv();
+    env.ROOMS = {
+      idFromName: (name: string) => name as unknown as DurableObjectId,
+      get: () => ({ fetch: doFetch }),
+    } as unknown as DurableObjectNamespace;
+
+    const app = createAuthedRoomApp();
+    const response = await app.request('/api/room/media/cloudflare_realtimekit/session?namespace=game&id=room-1', {
+      method: 'POST',
+      headers: {
+        Authorization: 'Bearer room-token',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ connectionId: 'conn-1' }),
+    }, env);
+
+    expect(response.status).toBe(201);
+    await expect(response.json()).resolves.toMatchObject({
+      runtime: 'rooms',
+      path: '/media/cloudflare_realtimekit/session',
+      auth: 'Bearer room-token',
+      body: { connectionId: 'conn-1' },
+    });
+    expect(doFetch).toHaveBeenCalledTimes(1);
+    expect(new URL((doFetch.mock.calls[0][0] as Request).url).searchParams.get('room')).toBe('game::room-1');
+  });
 });

package/src/__tests__/runtime-surface-accounting.test.ts

@@ -7,10 +7,11 @@
  * indirectly covered.
  */
 import { readFileSync, readdirSync } from 'fs';
-import { resolve } from 'path';
+import { basename, relative, resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, expect, it } from 'vitest';
 
-const SRC_ROOT = resolve(new URL('..', import.meta.url).pathname);
+const SRC_ROOT = resolve(fileURLToPath(new URL('..', import.meta.url)));
 const PACKAGE_ROOT = resolve(SRC_ROOT, '..');
 const RUNTIME_DIRS = [
   resolve(SRC_ROOT, 'routes'),
@@ -21,7 +22,7 @@ const TEST_DIRS = [
   resolve(SRC_ROOT, '__tests__'),
   resolve(PACKAGE_ROOT, 'test/integration'),
 ];
-const THIS_TEST_PATH = resolve(new URL(import.meta.url).pathname);
+const THIS_TEST_PATH = resolve(fileURLToPath(import.meta.url));
 
 // Files below are exercised indirectly, but the test sources do not mention the
 // exact filename/stem yet. Tracking them here keeps the gap reviewable.
@@ -60,7 +61,7 @@ function collectFiles(dir: string, predicate: (path: string) => boolean): string
 function toRuntimeKey(absPath: string): string {
   for (const dir of RUNTIME_DIRS) {
     if (absPath.startsWith(dir)) {
-      return absPath.slice(dir.length + 1).replace(/^/, `${dir.split('/').at(-1)}/`);
+      return `${basename(dir)}/${relative(dir, absPath).replace(/\\/g, '/')}`;
     }
   }
   throw new Error(`Unexpected runtime path: ${absPath}`);

package/src/__tests__/smoke-skip-report.test.ts

@@ -1,5 +1,6 @@
 import { readFileSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, expect, it } from 'vitest';
 
 interface SmokeSkipEntry {
@@ -18,7 +19,7 @@ interface SmokeSkipReport {
 }
 
 const REPORT_PATH = resolve(
-  new URL('../../test/integration/generated/smoke-skip-report.json', import.meta.url).pathname,
+  fileURLToPath(new URL('../../test/integration/generated/smoke-skip-report.json', import.meta.url)),
 );
 
 function readReport(): SmokeSkipReport {
@@ -37,7 +38,7 @@ describe('smoke skip report', () => {
       {
         "skippedRouteCount": 0,
         "summaryByReason": {},
-        "totalRoutes": 192,
+        "totalRoutes": 197,
       }
     `);
   });

package/src/durable-objects/database-do.ts

@@ -48,7 +48,7 @@ import {
   type FilterTuple,
 } from '../lib/query-engine.js';
 import { summarizeValidationErrors, validateInsert, validateUpdate } from '../lib/validation.js';
-import { hookRejectedError, validationError, notFoundError } from '../lib/errors.js';
+import { hookRejectedError, validationError, notFoundError, normalizeDatabaseError } from '../lib/errors.js';
 import {
   executeDbTriggers,
   getRegisteredFunctions,
@@ -1936,6 +1936,11 @@ export class DatabaseDO extends DurableObject<DOEnv> {
         const e = err as { code: number; message: string; data?: unknown };
         return c.json({ code: e.code, message: e.message, data: e.data }, e.code as 200);
       }
+      // Normalize well-known database errors (e.g. UNIQUE constraint violations → 409)
+      const normalizedDbError = normalizeDatabaseError(err);
+      if (normalizedDbError) {
+        return c.json(normalizedDbError.toJSON(), normalizedDbError.code as 400);
+      }
       console.error('DatabaseDO Error:', err);
       return c.json({ code: 500, message: 'Internal server error.' }, 500);
     });

package/src/durable-objects/database-live-do.ts

@@ -573,11 +573,13 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
           if (!canRead) continue;
 
           let shouldSend = true;
-          if (change.data && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0)) {
+          if (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) {
             const filters = meta.channelFilters.get(batch.channel) || [];
             const orFilters = meta.channelOrFilters.get(batch.channel) || [];
             if (filters.length > 0 || orFilters.length > 0) {
-              shouldSend = evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters);
+              shouldSend = change.data
+                ? evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters)
+                : true; // DELETE events (null data) pass filters
             }
           }
 
@@ -608,11 +610,13 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
         if (!canRead) continue;
 
         let shouldSend = true;
-        if (change.data && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0)) {
+        if (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) {
           const filters = meta.channelFilters.get(batch.channel) || [];
           const orFilters = meta.channelOrFilters.get(batch.channel) || [];
           if (filters.length > 0 || orFilters.length > 0) {
-            shouldSend = evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters);
+            shouldSend = change.data
+              ? evaluateDatabaseLiveFilters(change.data as Record<string, unknown>, filters, orFilters)
+              : true; // DELETE events (null data) pass filters
           }
         }
 
@@ -727,11 +731,13 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
       if (!canRead) continue;
 
       let shouldSend = true;
-      if (eventData && (meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) && msgChannel) {
+      if ((meta.channelFilters.size > 0 || meta.channelOrFilters.size > 0) && msgChannel) {
         const filters = meta.channelFilters.get(msgChannel) || [];
         const orFilters = meta.channelOrFilters.get(msgChannel) || [];
         if (filters.length > 0 || orFilters.length > 0) {
-          shouldSend = evaluateDatabaseLiveFilters(eventData, filters, orFilters);
+          shouldSend = eventData
+            ? evaluateDatabaseLiveFilters(eventData, filters, orFilters)
+            : true; // DELETE events (null data) pass filters
         }
       }
 
@@ -820,11 +826,14 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
       const result = await Promise.race([
         Promise.resolve(rule(authCtx as Record<string, unknown> | null, row)),
         new Promise<never>((_, reject) =>
-          setTimeout(() => reject(new Error('Database live row access timeout')), 50),
+          setTimeout(() => reject(new Error('Database live row access timeout')), 500),
         ),
       ]);
       return Boolean(result);
-    } catch {
+    } catch (e) {
+      if (e instanceof Error && e.message.includes('timeout')) {
+        console.warn('DatabaseLive: row access rule timed out after 500ms');
+      }
       return false;
     }
   }
@@ -848,11 +857,14 @@ export class DatabaseLiveDO extends DurableObject<DOEnv> {
       const result = await Promise.race([
         Promise.resolve(tableRules(authCtx as Record<string, unknown> | null, {})),
         new Promise<never>((_, reject) =>
-          setTimeout(() => reject(new Error('Database live channel access timeout')), 50),
+          setTimeout(() => reject(new Error('Database live channel access timeout')), 500),
         ),
       ]);
       return Boolean(result);
-    } catch {
+    } catch (e) {
+      if (e instanceof Error && e.message.includes('timeout')) {
+        console.warn('DatabaseLive: channel access rule timed out after 500ms');
+      }
       return false;
     }
   }