npm - @edge-base/server - Versions diffs - 0.2.2 → 0.2.4 - Mend

@edge-base/server 0.2.2 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/src/__tests__/functions-d1-proxy.test.ts CHANGED Viewed

@@ -226,4 +226,58 @@ describe('buildFunctionContext admin.db D1 routing', () => {
     expect(workerFetch).not.toHaveBeenCalled();
     expect(databaseFetch).not.toHaveBeenCalled();
   });
+  it('rejects instance ids for single-instance namespaces before touching D1 handlers', async () => {
+    const handleD1Request = vi.fn();
+    vi.doMock('../lib/d1-handler.js', () => ({
+      handleD1Request,
+    }));
+    const workerFetch = vi.fn();
+    vi.stubGlobal('fetch', workerFetch);
+    const databaseFetch = vi.fn();
+    const { buildFunctionContext } = await import('../lib/functions.js');
+    const ctx = buildFunctionContext({
+      request: new Request('http://localhost/api/functions/save-room-signal'),
+      auth: null,
+      databaseNamespace: {
+        idFromName: vi.fn(() => 'shared-id'),
+        get: vi.fn(() => ({ fetch: databaseFetch })),
+      } as unknown as DurableObjectNamespace,
+      authNamespace: {
+        idFromName: vi.fn(() => 'auth-id'),
+        get: vi.fn(() => ({ fetch: vi.fn() })),
+      } as unknown as DurableObjectNamespace,
+      d1Database: {} as D1Database,
+      env: {
+        DATABASE: {} as DurableObjectNamespace,
+        AUTH: {} as DurableObjectNamespace,
+        AUTH_DB: {} as D1Database,
+        DB_D1_SHARED: {} as D1Database,
+      } as never,
+      executionCtx: { waitUntil: vi.fn() } as unknown as ExecutionContext,
+      config: {
+        databases: {
+          shared: {
+            tables: {
+              signals: {
+                schema: {
+                  title: { type: 'string', required: true },
+                },
+              },
+            },
+          },
+        },
+      },
+    });
+    await expect(
+      ctx.admin.db('shared', 'shadow').table('signals').getList(),
+    ).rejects.toThrow("instanceId is not allowed for single-instance namespace 'shared'");
+    expect(handleD1Request).not.toHaveBeenCalled();
+    expect(workerFetch).not.toHaveBeenCalled();
+    expect(databaseFetch).not.toHaveBeenCalled();
+  });
 });

package/src/__tests__/plugin-migration-routing.test.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { describe, expect, it } from 'vitest';
+import { shouldRunPluginMigrationsForRequestPath } from '../lib/plugin-migration-routing.js';
+describe('shouldRunPluginMigrationsForRequestPath', () => {
+  it.each([
+    '/api/auth/sign-in',
+    '/api/db/shared/tables/posts',
+    '/api/functions/send-welcome-email',
+    '/api/sql/shared',
+    '/api/storage/assets/upload',
+    '/admin/api/data/tables/posts',
+  ])('runs plugin migrations before %s', (path) => {
+    expect(shouldRunPluginMigrationsForRequestPath(path)).toBe(true);
+  });
+  it.each([
+    '/',
+    '/api/health',
+    '/openapi.json',
+    '/admin',
+    '/admin/login',
+    '/_app/version.json',
+    '/harness/scenarios/demo',
+    '/admin/api/backup',
+    '/admin/api/backup/shared',
+    '/admin/api/data/backup/shared',
+    '/internal/backup',
+    '/internal/backup/shared',
+  ])('skips plugin migrations for %s', (path) => {
+    expect(shouldRunPluginMigrationsForRequestPath(path)).toBe(false);
+  });
+});

package/src/__tests__/postgres-field-ops-compat.test.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import type { Env } from '../types.js';
 describe('postgres field operator compatibility', () => {
   afterEach(() => {
+    vi.restoreAllMocks();
     vi.resetModules();
     vi.clearAllMocks();
     vi.unstubAllGlobals();
@@ -219,4 +220,113 @@ describe('postgres field operator compatibility', () => {
     expect(typeof updateParams[2]).toBe('string');
     expect(waitUntil).toHaveBeenCalledTimes(1);
   });
+  it('catches rejected db-live promises for batch-by-filter updates before scheduling background work', async () => {
+    const executePostgresQuery = vi.fn()
+      .mockResolvedValueOnce({
+        rows: [{ id: 'post-1' }],
+        rowCount: 1,
+      })
+      .mockResolvedValueOnce({
+        rows: [{
+          id: 'post-1',
+          viewCount: 3,
+        }],
+        rowCount: 1,
+      });
+    const emitDbLiveEvent = vi.fn().mockRejectedValue(new Error('database-live unavailable'));
+    vi.doMock('../lib/postgres-executor.js', () => ({
+      executePostgresQuery,
+      ensureLocalDevPostgresSchema: vi.fn().mockResolvedValue(undefined),
+      withPostgresConnection: vi.fn(async (_connectionString, fn) =>
+        fn((sql: string, params: unknown[] = []) => executePostgresQuery(_connectionString, sql, params))),
+      getLocalDevPostgresExecOptions: vi.fn(() => undefined),
+      getProviderBindingName: () => 'DB_SHARED',
+    }));
+    vi.doMock('../lib/postgres-schema-init.js', () => ({
+      ensurePgSchema: vi.fn().mockResolvedValue(undefined),
+    }));
+    vi.doMock('../lib/database-live-emitter.js', () => ({
+      emitDbLiveEvent,
+      emitDbLiveBatchEvent: vi.fn().mockResolvedValue(undefined),
+    }));
+    const warn = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const { handlePgRequest } = await import('../lib/postgres-handler.js');
+    const env = {
+      EDGEBASE_CONFIG: defineConfig({
+        release: true,
+        databases: {
+          shared: {
+            provider: 'postgres',
+            connectionString: 'DB_POSTGRES_SHARED_URL',
+            tables: {
+              posts: {
+                schema: {
+                  viewCount: { type: 'number' },
+                },
+                access: {
+                  update: () => true,
+                },
+              },
+            },
+          },
+        },
+      }),
+      DB_POSTGRES_SHARED_URL: 'postgres://edgebase:test@localhost/shared',
+    } as unknown as Env;
+    const request = new Request(
+      'http://internal/api/db/shared/tables/posts/batch-by-filter',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Is-Service-Key': 'true',
+        },
+      },
+    );
+    const pending: Promise<unknown>[] = [];
+    const executionCtx = {
+      waitUntil(promise: Promise<unknown>) {
+        pending.push(promise);
+      },
+    } as unknown as ExecutionContext;
+    const ctx = buildInternalHandlerContext({
+      env,
+      request,
+      executionCtx,
+      body: {
+        action: 'update',
+        filter: [['id', '==', 'post-1']],
+        update: {
+          viewCount: { $op: 'increment', value: 2 },
+        },
+      },
+    });
+    const response = await handlePgRequest(ctx, 'shared', 'posts', '/tables/posts/batch-by-filter');
+    const json = await response.json() as {
+      processed: number;
+      succeeded: number;
+      updated: number;
+    };
+    expect(response.status).toBe(200);
+    expect(json).toMatchObject({
+      processed: 1,
+      succeeded: 1,
+      updated: 1,
+    });
+    expect(emitDbLiveEvent).toHaveBeenCalledTimes(1);
+    expect(pending).toHaveLength(1);
+    await expect(pending[0]).resolves.toBeUndefined();
+    expect(warn).toHaveBeenCalledWith(
+      '[db-live] emit bulk shared.posts (update) failed',
+      expect.any(Error),
+    );
+  });
 });

package/src/__tests__/provider-aware-sql.test.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import { afterEach, describe, expect, it, vi } from 'vitest';
+import {
+  executeProviderAwareSql,
+  normalizePostgresSqlPlaceholders,
+} from '../lib/provider-aware-sql.js';
+describe('provider-aware raw SQL helpers', () => {
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+  it('normalizes question-mark placeholders while preserving quoted and commented question marks', () => {
+    const query = `
+      SELECT '?' AS literal, "weird?" AS "column?"
+      FROM posts
+      WHERE title = ?
+        AND body = $$literal ?$$
+        /* keep ? */
+        -- keep ?
+        AND status = ?
+    `;
+    const normalized = normalizePostgresSqlPlaceholders(query, 2);
+    expect(normalized).toContain('WHERE title = $1');
+    expect(normalized).toContain('AND status = $2');
+    expect(normalized).toContain('SELECT \'?\' AS literal, "weird?" AS "column?"');
+    expect(normalized).toContain('$$literal ?$$');
+    expect(normalized).toContain('/* keep ? */');
+  });
+  it('rejects mixed question-mark and PostgreSQL-style positional placeholders', () => {
+    expect(() =>
+      normalizePostgresSqlPlaceholders('SELECT * FROM posts WHERE id = $1 AND title = ?', 1),
+    ).toThrow('Cannot mix ? placeholders with PostgreSQL-style $n placeholders.');
+  });
+  it('allows PostgreSQL question-mark operators alongside positional placeholders', () => {
+    expect(
+      normalizePostgresSqlPlaceholders(
+        "SELECT * FROM posts WHERE metadata ? 'featured' AND title = $1",
+        1,
+      ),
+    ).toBe("SELECT * FROM posts WHERE metadata ? 'featured' AND title = $1");
+  });
+  it('leaves PostgreSQL question-mark operators alone when no params are provided', () => {
+    expect(
+      normalizePostgresSqlPlaceholders("SELECT * FROM posts WHERE metadata ? 'featured'", 0),
+    ).toBe("SELECT * FROM posts WHERE metadata ? 'featured'");
+  });
+  it('normalizes bind placeholders without touching PostgreSQL question-mark operators', () => {
+    expect(
+      normalizePostgresSqlPlaceholders(
+        "SELECT * FROM posts WHERE metadata ? 'featured' AND id = ?",
+        1,
+      ),
+    ).toBe("SELECT * FROM posts WHERE metadata ? 'featured' AND id = $1");
+  });
+  it('preserves PostgreSQL @? operators while still normalizing bind placeholders', () => {
+    expect(
+      normalizePostgresSqlPlaceholders(
+        "SELECT * FROM posts WHERE metadata @? '$.featured' AND id = ?",
+        1,
+      ),
+    ).toBe("SELECT * FROM posts WHERE metadata @? '$.featured' AND id = $1");
+  });
+  it('preserves PostgreSQL ?| operators while still normalizing bind placeholders', () => {
+    expect(
+      normalizePostgresSqlPlaceholders(
+        "SELECT * FROM posts WHERE tags ?| ARRAY['featured', 'pinned'] AND id = ?",
+        1,
+      ),
+    ).toBe("SELECT * FROM posts WHERE tags ?| ARRAY['featured', 'pinned'] AND id = $1");
+  });
+  it('supports escaped PostgreSQL question-mark operators as a raw SQL escape hatch', () => {
+    expect(
+      normalizePostgresSqlPlaceholders(
+        "SELECT * FROM posts WHERE metadata @\\? '$.featured' AND id = ?",
+        1,
+      ),
+    ).toBe("SELECT * FROM posts WHERE metadata @? '$.featured' AND id = $1");
+  });
+  it('unescapes escaped PostgreSQL question-mark operators when only positional placeholders are present', () => {
+    expect(
+      normalizePostgresSqlPlaceholders(
+        "SELECT * FROM posts WHERE metadata @\\? '$.featured' AND id = $1",
+        1,
+      ),
+    ).toBe("SELECT * FROM posts WHERE metadata @? '$.featured' AND id = $1");
+  });
+  it('does not rewrite escaped question marks inside PostgreSQL E-strings', () => {
+    const query = String.raw`SELECT E'it\'s\?' AS literal, id FROM posts WHERE id = $1`;
+    expect(normalizePostgresSqlPlaceholders(query, 1)).toBe(query);
+  });
+  it('still treats question marks after prefix operators as bind placeholders when an expression is expected', () => {
+    expect(normalizePostgresSqlPlaceholders('SELECT @?::int', 1)).toBe('SELECT @$1::int');
+  });
+  it('treats SELECT-list question marks as bind placeholders, not operators', () => {
+    expect(normalizePostgresSqlPlaceholders('SELECT ?, ? FROM posts', 2)).toBe(
+      'SELECT $1, $2 FROM posts',
+    );
+  });
+  it('falls back to the worker /api/sql route when direct execution bindings are unavailable', async () => {
+    const fetchMock = vi.fn().mockResolvedValue(
+      new Response(JSON.stringify({ items: [{ id: 'p1' }], rowCount: 1 }), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      }),
+    );
+    vi.stubGlobal('fetch', fetchMock);
+    const result = await executeProviderAwareSql(
+      {
+        config: {
+          databases: {
+            shared: {
+              tables: { posts: {} },
+            },
+          },
+        },
+        workerUrl: 'http://localhost:8787',
+        serviceKey: 'service-key',
+      },
+      'shared',
+      undefined,
+      'SELECT ? AS id',
+      ['p1'],
+    );
+    expect(result).toEqual({
+      columns: ['id'],
+      rows: [{ id: 'p1' }],
+      rowCount: 1,
+    });
+    expect(fetchMock).toHaveBeenCalledWith(
+      'http://localhost:8787/api/sql',
+      expect.objectContaining({
+        method: 'POST',
+        headers: expect.objectContaining({
+          'Content-Type': 'application/json',
+          'X-EdgeBase-Service-Key': 'service-key',
+        }),
+        body: JSON.stringify({
+          namespace: 'shared',
+          id: undefined,
+          sql: 'SELECT ? AS id',
+          params: ['p1'],
+        }),
+      }),
+    );
+  });
+});

package/src/__tests__/room-auth-state-loss.test.ts ADDED Viewed

@@ -0,0 +1,124 @@
+import { describe, expect, it, vi } from 'vitest';
+vi.mock('cloudflare:workers', () => ({
+  DurableObject: class DurableObject {},
+}));
+describe('room auth-state loss recovery', () => {
+  it('marks websocket metadata rebuilt from hibernation tags as auth-state-lost', async () => {
+    const { RoomRuntimeBaseDO } = await import('../durable-objects/room-runtime-base.js');
+    const room: any = Object.create(RoomRuntimeBaseDO.prototype);
+    room._metaCache = new Map();
+    room.ctx = {
+      getTags: vi.fn(() => [
+        'conn:conn-1',
+        'ip:127.0.0.1',
+        'room:test-signals::room-1',
+      ]),
+    };
+    room.config = {
+      rooms: {
+        'test-signals': {},
+      },
+    };
+    room.namespace = null;
+    room.roomId = null;
+    room.namespaceConfig = null;
+    const ws = {} as WebSocket;
+    const meta = room.getWSMeta(ws);
+    expect(meta).toMatchObject({
+      authenticated: false,
+      authStateLost: true,
+      connectionId: 'conn-1',
+      ip: '127.0.0.1',
+    });
+    expect(room.namespace).toBe('test-signals');
+    expect(room.roomId).toBe('room-1');
+  });
+  it('keeps normal pre-auth protocol errors as NOT_AUTHENTICATED without closing the socket', async () => {
+    const { RoomRuntimeBaseDO } = await import('../durable-objects/room-runtime-base.js');
+    const room: any = Object.create(RoomRuntimeBaseDO.prototype);
+    const ws = { close: vi.fn() } as unknown as WebSocket;
+    room._metaCache = new Map([[ws, {
+      authenticated: false,
+      authStateLost: false,
+      connectionId: 'conn-1',
+    }]]);
+    room.safeSend = vi.fn();
+    await room.webSocketMessage(ws, JSON.stringify({ type: 'ping' }));
+    expect(room.safeSend).toHaveBeenCalledWith(ws, {
+      type: 'error',
+      code: 'NOT_AUTHENTICATED',
+      message: 'Authenticate first',
+    });
+    expect(ws.close).not.toHaveBeenCalled();
+  });
+  it('closes stale sockets after auth-state loss in the shared room runtime guard', async () => {
+    const { RoomRuntimeBaseDO } = await import('../durable-objects/room-runtime-base.js');
+    const room: any = Object.create(RoomRuntimeBaseDO.prototype);
+    const ws = { close: vi.fn() } as unknown as WebSocket;
+    room._metaCache = new Map([[ws, {
+      authenticated: false,
+      authStateLost: true,
+      connectionId: 'conn-1',
+    }]]);
+    room.safeSend = vi.fn();
+    await room.webSocketMessage(ws, JSON.stringify({ type: 'ping' }));
+    expect(room.safeSend).toHaveBeenCalledWith(ws, {
+      type: 'error',
+      code: 'AUTH_STATE_LOST',
+      message: 'Room authentication state lost. Reconnect required.',
+    });
+    expect(ws.close).toHaveBeenCalledWith(4006, 'Room authentication state lost');
+  });
+  it('closes stale sockets for room-specific signal and member-state messages too', async () => {
+    const { RoomsDO } = await import('../durable-objects/rooms-do.js');
+    const room: any = Object.create(RoomsDO.prototype);
+    const ws = { close: vi.fn() } as unknown as WebSocket;
+    room._metaCache = new Map([[ws, {
+      authenticated: false,
+      authStateLost: true,
+      connectionId: 'conn-1',
+    }]]);
+    room.safeSend = vi.fn();
+    await room.webSocketMessage(ws, JSON.stringify({
+      type: 'signal',
+      event: 'chat.message',
+      payload: { text: 'hello' },
+      requestId: 'signal-1',
+    }));
+    await room.webSocketMessage(ws, JSON.stringify({
+      type: 'member_state',
+      state: { mood: 'awake' },
+      requestId: 'member-1',
+    }));
+    expect(room.safeSend).toHaveBeenNthCalledWith(1, ws, {
+      type: 'error',
+      code: 'AUTH_STATE_LOST',
+      message: 'Room authentication state lost. Reconnect required.',
+    });
+    expect(room.safeSend).toHaveBeenNthCalledWith(2, ws, {
+      type: 'error',
+      code: 'AUTH_STATE_LOST',
+      message: 'Room authentication state lost. Reconnect required.',
+    });
+    expect(ws.close).toHaveBeenNthCalledWith(1, 4006, 'Room authentication state lost');
+    expect(ws.close).toHaveBeenNthCalledWith(2, 4006, 'Room authentication state lost');
+  });
+});

package/src/__tests__/runtime-surface-accounting.test.ts CHANGED Viewed

@@ -35,10 +35,6 @@ const KNOWN_INDIRECT_RUNTIME_COVERAGE = new Map<string, string>([
     'durable-objects/logs-do.ts',
     'Covered indirectly via analytics/logging flows; keep explicit until a direct file reference lands in tests.',
   ],
-  [
-    'durable-objects/room-runtime-base.ts',
-    'Covered through RoomsDO and room protocol/state tests, but the shared runtime base is not referenced by filename.',
-  ],
 ]);
 function collectFiles(dir: string, predicate: (path: string) => boolean): string[] {

package/src/__tests__/scheduled.test.ts CHANGED Viewed

@@ -6,12 +6,14 @@ const {
   ensureAuthSchemaMock,
   deleteAnonMock,
   resolveAuthDbMock,
+  executePluginMigrationsMock,
 } = vi.hoisted(() => ({
   cleanExpiredSessionsMock: vi.fn(),
   cleanStaleAnonymousAccountsMock: vi.fn(),
   ensureAuthSchemaMock: vi.fn(),
   deleteAnonMock: vi.fn(),
   resolveAuthDbMock: vi.fn(),
+  executePluginMigrationsMock: vi.fn(),
 }));
 vi.mock('cloudflare:workers', () => ({
@@ -44,6 +46,10 @@ vi.mock('../lib/auth-db-adapter.js', async () => {
   };
 });
+vi.mock('../lib/plugin-migrations.js', () => ({
+  executePluginMigrations: executePluginMigrationsMock,
+}));
 describe('scheduled handler', () => {
   beforeEach(() => {
     vi.resetModules();
@@ -52,6 +58,7 @@ describe('scheduled handler', () => {
     ensureAuthSchemaMock.mockReset().mockResolvedValue(undefined);
     deleteAnonMock.mockReset().mockResolvedValue(undefined);
     resolveAuthDbMock.mockReset().mockReturnValue({ kind: 'auth-db' });
+    executePluginMigrationsMock.mockReset().mockResolvedValue(undefined);
   });
   it('runs system cleanup even when no user schedule functions are registered', async () => {
@@ -77,4 +84,52 @@ describe('scheduled handler', () => {
     expect(cleanStaleAnonymousAccountsMock.mock.calls[0]?.[0]).toEqual({ kind: 'auth-db' });
     expect(deleteAnonMock).not.toHaveBeenCalled();
   }, 15_000);
+  it('runs plugin migration reconciliation before scheduled work when plugins are configured', async () => {
+    const worker = (await import('../index.js')).default;
+    const pending: Promise<unknown>[] = [];
+    const ctx = {
+      waitUntil: vi.fn((promise: Promise<unknown>) => {
+        pending.push(Promise.resolve(promise));
+      }),
+    };
+    const env = {
+      EDGEBASE_CONFIG: {
+        release: true,
+        plugins: [
+          {
+            name: 'cert-plugin',
+            version: '0.1.0',
+            config: {},
+          },
+        ],
+      },
+    };
+    await worker.scheduled(
+      { scheduledTime: Date.parse('2026-03-07T03:00:00Z') } as never,
+      env as never,
+      ctx as never,
+    );
+    expect(executePluginMigrationsMock).toHaveBeenCalledWith(
+      [
+        expect.objectContaining({
+          name: 'cert-plugin',
+          version: '0.1.0',
+        }),
+      ],
+      env,
+      expect.objectContaining({
+        plugins: [
+          expect.objectContaining({
+            name: 'cert-plugin',
+            version: '0.1.0',
+          }),
+        ],
+      }),
+      'http://internal',
+    );
+    await Promise.all(pending);
+  }, 15_000);
 });