@edge-base/server 0.2.3 → 0.2.4

package/src/__tests__/provider-aware-sql.test.ts

@@ -122,11 +122,17 @@ describe('provider-aware raw SQL helpers', () => {
 
     const result = await executeProviderAwareSql(
       {
-        config: {},
+        config: {
+          databases: {
+            shared: {
+              tables: { posts: {} },
+            },
+          },
+        },
         workerUrl: 'http://localhost:8787',
         serviceKey: 'service-key',
       },
-      'workspace',
+      'shared',
       undefined,
       'SELECT ? AS id',
       ['p1'],
@@ -146,7 +152,7 @@ describe('provider-aware raw SQL helpers', () => {
           'X-EdgeBase-Service-Key': 'service-key',
         }),
         body: JSON.stringify({
-          namespace: 'workspace',
+          namespace: 'shared',
           id: undefined,
           sql: 'SELECT ? AS id',
           params: ['p1'],

package/src/__tests__/scheduled.test.ts

@@ -6,12 +6,14 @@ const {
   ensureAuthSchemaMock,
   deleteAnonMock,
   resolveAuthDbMock,
+  executePluginMigrationsMock,
 } = vi.hoisted(() => ({
   cleanExpiredSessionsMock: vi.fn(),
   cleanStaleAnonymousAccountsMock: vi.fn(),
   ensureAuthSchemaMock: vi.fn(),
   deleteAnonMock: vi.fn(),
   resolveAuthDbMock: vi.fn(),
+  executePluginMigrationsMock: vi.fn(),
 }));
 
 vi.mock('cloudflare:workers', () => ({
@@ -44,6 +46,10 @@ vi.mock('../lib/auth-db-adapter.js', async () => {
   };
 });
 
+vi.mock('../lib/plugin-migrations.js', () => ({
+  executePluginMigrations: executePluginMigrationsMock,
+}));
+
 describe('scheduled handler', () => {
   beforeEach(() => {
     vi.resetModules();
@@ -52,6 +58,7 @@ describe('scheduled handler', () => {
     ensureAuthSchemaMock.mockReset().mockResolvedValue(undefined);
     deleteAnonMock.mockReset().mockResolvedValue(undefined);
     resolveAuthDbMock.mockReset().mockReturnValue({ kind: 'auth-db' });
+    executePluginMigrationsMock.mockReset().mockResolvedValue(undefined);
   });
 
   it('runs system cleanup even when no user schedule functions are registered', async () => {
@@ -77,4 +84,52 @@ describe('scheduled handler', () => {
     expect(cleanStaleAnonymousAccountsMock.mock.calls[0]?.[0]).toEqual({ kind: 'auth-db' });
     expect(deleteAnonMock).not.toHaveBeenCalled();
   }, 15_000);
+
+  it('runs plugin migration reconciliation before scheduled work when plugins are configured', async () => {
+    const worker = (await import('../index.js')).default;
+    const pending: Promise<unknown>[] = [];
+    const ctx = {
+      waitUntil: vi.fn((promise: Promise<unknown>) => {
+        pending.push(Promise.resolve(promise));
+      }),
+    };
+    const env = {
+      EDGEBASE_CONFIG: {
+        release: true,
+        plugins: [
+          {
+            name: 'cert-plugin',
+            version: '0.1.0',
+            config: {},
+          },
+        ],
+      },
+    };
+
+    await worker.scheduled(
+      { scheduledTime: Date.parse('2026-03-07T03:00:00Z') } as never,
+      env as never,
+      ctx as never,
+    );
+
+    expect(executePluginMigrationsMock).toHaveBeenCalledWith(
+      [
+        expect.objectContaining({
+          name: 'cert-plugin',
+          version: '0.1.0',
+        }),
+      ],
+      env,
+      expect.objectContaining({
+        plugins: [
+          expect.objectContaining({
+            name: 'cert-plugin',
+            version: '0.1.0',
+          }),
+        ],
+      }),
+      'http://internal',
+    );
+    await Promise.all(pending);
+  }, 15_000);
 });

package/src/__tests__/service-key-db-proxy.test.ts

@@ -1,4 +1,4 @@
-import { afterEach, describe, expect, it } from 'vitest';
+import { afterEach, describe, expect, it, vi } from 'vitest';
 import { defineConfig } from '@edge-base/shared';
 import { EdgeBaseError } from '@edge-base/shared';
 import { setConfig } from '../lib/do-router.js';
@@ -117,6 +117,7 @@ describe('DB proxy service key forwarding', () => {
       databases: {
         workspace: {
           provider: 'do',
+          instance: true,
           tables: {
             users: {},
           },
@@ -203,6 +204,7 @@ describe('DB proxy service key forwarding', () => {
       databases: {
         workspace: {
           provider: 'do',
+          instance: true,
           tables: {
             users: {},
           },
@@ -375,6 +377,125 @@ describe('DB proxy service key forwarding', () => {
     await expect(response.json()).resolves.toEqual({ id: 'u1', name: 'June' });
   });
 
+  it('auto-retries single-instance provider=do namespaces when the DO asks for bootstrap authorization', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        app: {
+          provider: 'do',
+          tables: {
+            posts: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+
+    const forwardedHeaders: Headers[] = [];
+    let callCount = 0;
+    const app = createApp();
+    const response = await app.request('/api/db/app/tables/posts', {
+      method: 'GET',
+    }, createEnv((_input, init) => {
+      forwardedHeaders.push(new Headers(init?.headers));
+      callCount += 1;
+      if (callCount === 1) {
+        return new Response(JSON.stringify({ needsCreate: true, namespace: 'app' }), {
+          status: 201,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+      return new Response(JSON.stringify({ items: [] }), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }));
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({ items: [] });
+    expect(forwardedHeaders).toHaveLength(2);
+    expect(forwardedHeaders[0].get('X-DO-Create-Authorized')).toBeNull();
+    expect(forwardedHeaders[1].get('X-DO-Create-Authorized')).toBe('1');
+  });
+
+  it('rejects instanceId route segments for single-instance namespaces before touching the DO', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        app: {
+          provider: 'do',
+          tables: {
+            posts: {
+              access: {
+                read: () => true,
+              },
+            },
+          },
+        },
+      },
+    }));
+
+    const onFetch = vi.fn();
+    const app = createApp();
+    const response = await app.request('/api/db/app/attacker/tables/posts', {
+      method: 'GET',
+    }, createEnv(onFetch));
+
+    expect(response.status).toBe(400);
+    await expect(response.json()).resolves.toMatchObject({
+      code: 400,
+      message: "instanceId is not allowed for single-instance namespace 'app'",
+    });
+    expect(onFetch).not.toHaveBeenCalled();
+  });
+
+  it('rejects missing instanceId for dynamic namespaces even for service key requests', async () => {
+    setConfig(defineConfig({
+      release: true,
+      databases: {
+        workspace: {
+          provider: 'do',
+          instance: true,
+          tables: {
+            users: {},
+          },
+        },
+      },
+      serviceKeys: {
+        keys: [
+          {
+            kid: 'root',
+            tier: 'root',
+            scopes: ['*'],
+            secretSource: 'inline',
+            inlineSecret: 'sk-root',
+          },
+        ],
+      },
+    }));
+
+    const onFetch = vi.fn();
+    const app = createApp();
+    const response = await app.request('/api/db/workspace/tables/users', {
+      method: 'POST',
+      headers: {
+        'X-EdgeBase-Service-Key': 'sk-root',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ id: 'user-1' }),
+    }, createEnv(onFetch));
+
+    expect(response.status).toBe(400);
+    await expect(response.json()).resolves.toMatchObject({
+      code: 400,
+      message: "instanceId is required for dynamic namespace 'workspace'",
+    });
+    expect(onFetch).not.toHaveBeenCalled();
+  });
+
   it('does not trust raw X-EdgeBase-Internal on public DB requests', async () => {
     setConfig(defineConfig({
       release: true,

package/src/__tests__/sql-route.test.ts

@@ -48,6 +48,72 @@ describe('sql route', () => {
     });
   });
 
+  it('rejects ids for single-instance namespaces before touching any backend', async () => {
+    setConfig(
+      defineConfig({
+        databases: {
+          shared: {
+            tables: {
+              posts: { schema: { title: { type: 'string' } } },
+            },
+          },
+        },
+        serviceKeys: {
+          keys: [
+            {
+              kid: 'root',
+              tier: 'root',
+              scopes: ['*'],
+              secretSource: 'inline',
+              inlineSecret: 'sk-root',
+            },
+          ],
+        },
+      }),
+    );
+
+    const env = {
+      DATABASE: {
+        idFromName: vi.fn(),
+        get: vi.fn(),
+      },
+      DB_D1_SHARED: {
+        prepare: vi.fn(),
+      },
+    } as unknown as Env;
+
+    const app = createApp();
+    const response = await app.request(
+      '/api/sql',
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-EdgeBase-Service-Key': 'sk-root',
+        },
+        body: JSON.stringify({
+          namespace: 'shared',
+          id: 'shadow',
+          sql: 'SELECT 1',
+        }),
+      },
+      env,
+    );
+
+    expect(response.status).toBe(400);
+    await expect(response.json()).resolves.toMatchObject({
+      code: 400,
+      message: "id is not allowed for single-instance namespace 'shared'",
+    });
+    expect(
+      (env as unknown as { DATABASE: { get: ReturnType<typeof vi.fn> } }).DATABASE.get,
+    ).not.toHaveBeenCalled();
+    expect(
+      (env as unknown as { DB_D1_SHARED: { prepare: ReturnType<typeof vi.fn> } }).DB_D1_SHARED
+        .prepare,
+    ).not.toHaveBeenCalled();
+  });
+
   it('retries dynamic DO SQL after create handshake and forwards the DO name', async () => {
     setConfig(
       defineConfig({

package/src/__tests__/table-hook-runtime.test.ts

@@ -0,0 +1,137 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import type { Env } from '../types.js';
+
+const {
+  ensureAuthSchemaMock,
+  resolveAuthDbMock,
+  sendToDatabaseLiveDOMock,
+  createPushProviderMock,
+  getDevicesForUserMock,
+  providerSendMock,
+} = vi.hoisted(() => ({
+  ensureAuthSchemaMock: vi.fn(),
+  resolveAuthDbMock: vi.fn(),
+  sendToDatabaseLiveDOMock: vi.fn(),
+  createPushProviderMock: vi.fn(),
+  getDevicesForUserMock: vi.fn(),
+  providerSendMock: vi.fn(),
+}));
+
+vi.mock('../lib/auth-d1.js', () => ({
+  ensureAuthSchema: ensureAuthSchemaMock,
+}));
+
+vi.mock('../lib/auth-db-adapter.js', () => ({
+  resolveAuthDb: resolveAuthDbMock,
+}));
+
+vi.mock('../lib/database-live-emitter.js', () => ({
+  sendToDatabaseLiveDO: sendToDatabaseLiveDOMock,
+}));
+
+vi.mock('../lib/push-provider.js', () => ({
+  createPushProvider: createPushProviderMock,
+}));
+
+vi.mock('../lib/push-token.js', () => ({
+  getDevicesForUser: getDevicesForUserMock,
+}));
+
+describe('buildTableHookRuntimeServices', () => {
+  beforeEach(() => {
+    vi.resetModules();
+    ensureAuthSchemaMock.mockReset().mockResolvedValue(undefined);
+    resolveAuthDbMock.mockReset().mockReturnValue({ kind: 'auth-db' });
+    sendToDatabaseLiveDOMock.mockReset().mockResolvedValue(undefined);
+    createPushProviderMock.mockReset().mockReturnValue({ send: providerSendMock });
+    getDevicesForUserMock.mockReset().mockResolvedValue([]);
+    providerSendMock.mockReset().mockResolvedValue({ success: true });
+  });
+
+  it('broadcasts hook events through DatabaseLiveDO', async () => {
+    const { buildTableHookRuntimeServices } = await import('../lib/table-hook-runtime.js');
+    const env = {
+      DATABASE_LIVE: {} as DurableObjectNamespace,
+    } as Env;
+
+    const services = buildTableHookRuntimeServices({} as never, env);
+    await services.databaseLive.broadcast('posts', 'created', { id: 'post-1' });
+
+    expect(sendToDatabaseLiveDOMock).toHaveBeenCalledWith(
+      env,
+      {
+        channel: 'posts',
+        event: 'created',
+        payload: { id: 'post-1' },
+      },
+      '/internal/broadcast',
+    );
+  });
+
+  it('sends push notifications using auth-backed device lookups when available', async () => {
+    const { buildTableHookRuntimeServices } = await import('../lib/table-hook-runtime.js');
+    const authDb = { kind: 'auth-db' };
+    resolveAuthDbMock.mockReturnValue(authDb);
+    getDevicesForUserMock.mockResolvedValue([
+      { token: 'token-1', platform: 'ios' },
+      { token: 'token-2', platform: 'android' },
+    ]);
+    const env = {
+      KV: {} as KVNamespace,
+      AUTH_DB: {} as D1Database,
+    } as Env;
+
+    const pushConfig = {
+      fcm: {
+        projectId: 'demo-project',
+        serviceAccount: '{"client_email":"demo@example.com"}',
+      },
+    };
+    const services = buildTableHookRuntimeServices({ push: pushConfig } as never, env);
+    await services.push.send('user-123', { title: 'Hello', body: 'World' });
+
+    expect(resolveAuthDbMock).toHaveBeenCalledWith(env);
+    expect(ensureAuthSchemaMock).toHaveBeenCalledWith(authDb);
+    expect(createPushProviderMock).toHaveBeenCalledWith(pushConfig, env);
+    expect(getDevicesForUserMock).toHaveBeenCalledWith({ kv: env.KV, authDb }, 'user-123');
+    expect(providerSendMock).toHaveBeenCalledTimes(2);
+    expect(providerSendMock).toHaveBeenNthCalledWith(1, {
+      token: 'token-1',
+      platform: 'ios',
+      payload: { title: 'Hello', body: 'World' },
+    });
+    expect(providerSendMock).toHaveBeenNthCalledWith(2, {
+      token: 'token-2',
+      platform: 'android',
+      payload: { title: 'Hello', body: 'World' },
+    });
+  });
+
+  it('falls back to KV-only token lookups when auth db resolution fails', async () => {
+    const { buildTableHookRuntimeServices } = await import('../lib/table-hook-runtime.js');
+    resolveAuthDbMock.mockImplementation(() => {
+      throw new Error('missing auth db');
+    });
+    getDevicesForUserMock.mockResolvedValue([{ token: 'token-1', platform: 'web' }]);
+    const env = {
+      KV: {} as KVNamespace,
+    } as Env;
+
+    const pushConfig = {
+      fcm: {
+        projectId: 'demo-project',
+        serviceAccount: '{"client_email":"demo@example.com"}',
+      },
+    };
+    const services = buildTableHookRuntimeServices({ push: pushConfig } as never, env);
+    await services.push.send('user-123', { body: 'Fallback works' });
+
+    expect(ensureAuthSchemaMock).not.toHaveBeenCalled();
+    expect(getDevicesForUserMock).toHaveBeenCalledWith(env.KV, 'user-123');
+    expect(providerSendMock).toHaveBeenCalledWith({
+      token: 'token-1',
+      platform: 'web',
+      payload: { body: 'Fallback works' },
+    });
+  });
+});

package/src/durable-objects/database-do.ts

@@ -54,15 +54,12 @@ import {
   getRegisteredFunctions,
   buildFunctionContext,
 } from '../lib/functions.js';
-import { parseDbDoName, parseConfig as getGlobalConfig } from '../lib/do-router.js';
+import { parseDbDoName, parseConfig as getGlobalConfig, isDynamicDbBlock } from '../lib/do-router.js';
 import { parseDuration } from '../lib/jwt.js';
-import { createPushProvider } from '../lib/push-provider.js';
-import { getDevicesForUser } from '../lib/push-token.js';
-import { ensureAuthSchema } from '../lib/auth-d1.js';
-import { resolveAuthDb, type AuthDb } from '../lib/auth-db-adapter.js';
 import { buildDbLiveChannel, DATABASE_LIVE_HUB_DO_NAME } from '../lib/database-live-emitter.js';
 import { resolveRootServiceKey } from '../lib/service-key.js';
 import { resolveDbLiveBatchThreshold } from '../lib/database-live-config.js';
+import { buildTableHookRuntimeServices } from '../lib/table-hook-runtime.js';
 import type { Env } from '../types.js';
 
 // ─── Types ───
@@ -104,8 +101,36 @@ export class DatabaseDO extends DurableObject<DOEnv> {
     if (!this.initialized) {
       // §36: Newly created DO must be authorized before initialization.
       // If X-DO-Create-Authorized header is absent, signal Worker to evaluate canCreate.
-      // Shared/static DOs (doName === 'shared' or system) skip this gate.
-      const isStaticDO = !this.doName || this.doName === 'shared' || this.doName.startsWith('_');
+      // Single-instance DB blocks and internal/system DOs skip this gate.
+      const parsedDoName = this.doName ? parseDbDoName(this.doName) : null;
+      const dbBlock = parsedDoName ? this.config.databases?.[parsedDoName.namespace] : undefined;
+      const dynamicDbBlock = isDynamicDbBlock(dbBlock);
+      if (parsedDoName && dbBlock) {
+        if (dynamicDbBlock && !parsedDoName.id) {
+          return Response.json(
+            {
+              code: 400,
+              message: `instanceId is required for dynamic namespace '${parsedDoName.namespace}'`,
+              error: 'INVALID_DB_INSTANCE_ID',
+            },
+            { status: 400 },
+          );
+        }
+        if (!dynamicDbBlock && parsedDoName.id) {
+          return Response.json(
+            {
+              code: 400,
+              message: `instanceId is not allowed for single-instance namespace '${parsedDoName.namespace}'`,
+              error: 'INVALID_DB_INSTANCE_ID',
+            },
+            { status: 400 },
+          );
+        }
+      }
+      const isStaticDO =
+        !this.doName
+        || this.doName.startsWith('_')
+        || (!!dbBlock && !dynamicDbBlock && !parsedDoName?.id);
       if (!isStaticDO && !request.headers.get('X-DO-Create-Authorized')) {
         // Check if _meta table already exists (i.e., DO was previously initialized)
         let alreadyExists = false;
@@ -118,9 +143,8 @@ export class DatabaseDO extends DurableObject<DOEnv> {
 
         if (!alreadyExists) {
           // Signal Worker: this DO needs canCreate evaluation before init
-          const parsed = this.doName ? parseDbDoName(this.doName) : null;
           return Response.json(
-            { needsCreate: true, namespace: parsed?.namespace ?? 'shared', id: parsed?.id },
+            { needsCreate: true, namespace: parsedDoName?.namespace ?? 'shared', id: parsedDoName?.id },
             { status: 201 },
           );
         }
@@ -173,6 +197,8 @@ export class DatabaseDO extends DurableObject<DOEnv> {
    * db.get/list/exists use local SQL; databaseLive.broadcast uses emitDbLiveEvent.
    */
   private buildHookCtx(_table: string): HookCtx {
+    const runtimeServices = buildTableHookRuntimeServices(this.config, this.env as unknown as Env);
+
     return {
       db: {
         get: (tbl: string, id: string) => {
@@ -201,42 +227,7 @@ export class DatabaseDO extends DurableObject<DOEnv> {
           return Promise.resolve(rows.length > 0);
         },
       },
-      databaseLive: {
-        broadcast: (channel: string, event: string, data: unknown) => {
-          return this.sendBroadcastToDatabaseLiveDO(
-            channel,
-            { channel, event, payload: data ?? {} },
-          );
-        },
-      },
-      push: {
-        // Push from hooks — direct FCM via push-provider + KV device tokens
-        send: async (userId: string, payload: { title?: string; body: string }) => {
-          // Fire-and-forget — hooks are non-critical side effects
-          try {
-            if (!this.env.KV) return;
-            const provider = createPushProvider(this.config.push, this.env as unknown as Env);
-            if (!provider) return;
-            let tokenStore: KVNamespace | { kv: KVNamespace; authDb?: AuthDb | null } = this.env.KV;
-            try {
-              const authDb = resolveAuthDb(this.env as unknown as Record<string, unknown>);
-              await ensureAuthSchema(authDb);
-              tokenStore = { kv: this.env.KV, authDb };
-            } catch {
-              tokenStore = this.env.KV;
-            }
-            const devices = await getDevicesForUser(tokenStore, userId);
-            if (devices.length === 0) return;
-            await Promise.allSettled(
-              devices.map((device) =>
-                provider.send({ token: device.token, platform: device.platform, payload }),
-              ),
-            );
-          } catch {
-            /* best-effort */
-          }
-        },
-      },
+      ...runtimeServices,
       waitUntil: (p: Promise<unknown>) => this.ctx.waitUntil(p),
     };
   }

package/src/index.ts

@@ -35,6 +35,7 @@ import { createAdminAssetRequest } from './lib/admin-assets.js';
 import { resolveAdminFaviconTarget, resolveAdminRedirectTarget } from './lib/admin-routing.js';
 import { zodDefaultHook } from './lib/schemas.js';
 import { executePluginMigrations } from './lib/plugin-migrations.js';
+import { shouldRunPluginMigrationsForRequestPath } from './lib/plugin-migration-routing.js';
 import { getFunctionsByTrigger, buildFunctionContext, getWorkerUrl } from './lib/functions.js';
 import { parseCron, matchesCron } from './lib/cron.js';
 import { parseDuration } from './lib/jwt.js';
@@ -104,15 +105,12 @@ app.use('*', corsMiddleware);
 // middleware below rejects any request with this header unless it comes via internal
 // stub.fetch (which is allowed by the x-internal whitelist). No stripping needed.
 
-// Plugin migration middleware — lazy, runs once per cold-start
+// Plugin migration middleware — lazily reconciles plugin control state before
+// routes that can execute plugin code or touch plugin-managed tables.
 app.use('*', async (c, next) => {
   const config = parseConfig(c.env);
   const requestPath = new URL(c.req.url).pathname;
-  const shouldSkipPluginMigrations =
-    requestPath.startsWith('/admin/api/backup/') ||
-    requestPath.startsWith('/admin/api/data/backup/') ||
-    requestPath.startsWith('/internal/backup/');
-  if (!shouldSkipPluginMigrations && config?.plugins?.length) {
+  if (config?.plugins?.length && shouldRunPluginMigrationsForRequestPath(requestPath)) {
     await executePluginMigrations(config.plugins, c.env, config, getWorkerUrl(c.req.url, c.env));
   }
   return next();
@@ -306,6 +304,14 @@ export default {
    */
   async scheduled(event: ScheduledEvent, env: Env, ctx: ExecutionContext): Promise<void> {
     const config = parseConfig(env);
+    if (config.plugins?.length) {
+      await executePluginMigrations(
+        config.plugins,
+        env,
+        config,
+        getWorkerUrl('http://internal/scheduled', env),
+      );
+    }
     const scheduleFns = getFunctionsByTrigger('schedule');
 
     const now = new Date(event.scheduledTime);