@every-app/sdk 0.1.12 → 0.1.14

package/dist/cloudflare/server/gateway.js

@@ -32,6 +32,11 @@ export async function fetchGateway({ env, url, init, }) {
     return fetch(authenticatedRequest);
 }
 function applyAppTokenAuth(request, env) {
+    const gatewayOrigin = new URL(getGatewayUrl(env)).origin;
+    const requestOrigin = new URL(request.url).origin;
+    if (requestOrigin !== gatewayOrigin) {
+        throw new Error(`Refusing to send gateway token to non-gateway origin: ${requestOrigin}`);
+    }
     const appToken = getGatewayAppApiToken(env);
     if (!appToken) {
         throw new Error("GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.");

package/dist/shared/bypassGatewayLocalOnly.d.ts

@@ -3,7 +3,8 @@ export declare const BYPASS_GATEWAY_LOCAL_ONLY_USER_ID = "demo-local-user";
 export declare const BYPASS_GATEWAY_LOCAL_ONLY_EMAIL = "demo-local-user@local";
 export declare function isBypassGatewayLocalOnlyClient(): boolean;
 export declare function isBypassGatewayLocalOnlyServer(): boolean;
-export declare function createBypassGatewayLocalOnlySessionPayload(audience: string): {
+export declare function createBypassGatewayLocalOnlySessionPayload(audience: string, orgId: string): {
+    orgId: string;
     sub: string;
     email: string;
     iss: string;

package/dist/shared/bypassGatewayLocalOnly.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bypassGatewayLocalOnly.d.ts","sourceRoot":"","sources":["../../src/shared/bypassGatewayLocalOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,+BAA+B,8BAA8B,CAAC;AAC3E,eAAO,MAAM,iCAAiC,oBAAoB,CAAC;AACnE,eAAO,MAAM,+BAA+B,0BAA0B,CAAC;AAEvE,wBAAgB,8BAA8B,IAAI,OAAO,CAYxD;AAED,wBAAgB,8BAA8B,IAAI,OAAO,CAsBxD;AAED,wBAAgB,0CAA0C,CAAC,QAAQ,EAAE,MAAM;;;;;;;EAY1E"}
+{"version":3,"file":"bypassGatewayLocalOnly.d.ts","sourceRoot":"","sources":["../../src/shared/bypassGatewayLocalOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,+BAA+B,8BAA8B,CAAC;AAC3E,eAAO,MAAM,iCAAiC,oBAAoB,CAAC;AACnE,eAAO,MAAM,+BAA+B,0BAA0B,CAAC;AAEvE,wBAAgB,8BAA8B,IAAI,OAAO,CAYxD;AAED,wBAAgB,8BAA8B,IAAI,OAAO,CAsBxD;AAED,wBAAgB,0CAA0C,CACxD,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM;;;;;;;;EAkBd"}

package/dist/shared/bypassGatewayLocalOnly.js

@@ -27,10 +27,10 @@ export function isBypassGatewayLocalOnlyServer() {
     }
     return false;
 }
-export function createBypassGatewayLocalOnlySessionPayload(audience) {
+export function createBypassGatewayLocalOnlySessionPayload(audience, orgId) {
     const issuedAt = Math.floor(Date.now() / 1000);
     const expiresAt = issuedAt + 60 * 60;
-    return {
+    const payload = {
         sub: BYPASS_GATEWAY_LOCAL_ONLY_USER_ID,
         email: BYPASS_GATEWAY_LOCAL_ONLY_EMAIL,
         iss: "local",
@@ -38,4 +38,8 @@ export function createBypassGatewayLocalOnlySessionPayload(audience) {
         iat: issuedAt,
         exp: expiresAt,
     };
+    return {
+        ...payload,
+        orgId,
+    };
 }

package/dist/tanstack/server/authenticateRequest.d.ts

@@ -16,6 +16,8 @@ interface SessionTokenPayload {
     iat: number;
     /** User email - used for user provisioning in apps */
     email?: string;
+    /** Organization ID used for org-bound runtime enforcement */
+    orgId?: string;
 }
 export declare function authenticateRequest(authConfig: AuthConfig, providedRequest?: Request): Promise<SessionTokenPayload | null>;
 /**

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAYD,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA+FrC;AA8CD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -5,9 +5,10 @@ import { BYPASS_GATEWAY_LOCAL_ONLY_TOKEN, createBypassGatewayLocalOnlySessionPay
 export async function authenticateRequest(authConfig, providedRequest) {
     const request = providedRequest || getRequest();
     const authHeader = request.headers.get("authorization");
-    const bypassGatewayLocalOnlyEnv = env.BYPASS_GATEWAY_LOCAL_ONLY;
+    const expectedOrganizationId = getOptionalEnvValue("EVERY_APP_ORG_ID");
+    const appTenancyMode = getAppTenancyMode();
     const isBypassGatewayLocalOnly = import.meta.env.PROD !== true &&
-        (bypassGatewayLocalOnlyEnv === "true" ||
+        (getOptionalEnvValue("BYPASS_GATEWAY_LOCAL_ONLY") === "true" ||
             isBypassGatewayLocalOnlyServer() === true);
     if (!authHeader) {
         return null;
@@ -20,24 +21,62 @@ export async function authenticateRequest(authConfig, providedRequest) {
         if (token !== BYPASS_GATEWAY_LOCAL_ONLY_TOKEN) {
             return null;
         }
-        return createBypassGatewayLocalOnlySessionPayload(authConfig.audience);
+        if (!expectedOrganizationId) {
+            console.error(JSON.stringify({
+                message: "BYPASS_GATEWAY_LOCAL_ONLY requires EVERY_APP_ORG_ID to be set.",
+                audience: authConfig.audience,
+                appTenancyMode,
+            }));
+            return null;
+        }
+        const session = createBypassGatewayLocalOnlySessionPayload(authConfig.audience, expectedOrganizationId);
+        if (!validateOrganizationBinding({
+            session,
+            source: "bypass",
+            audience: authConfig.audience,
+            expectedOrganizationId,
+            appTenancyMode,
+        })) {
+            return null;
+        }
+        return session;
     }
     try {
         const session = await verifySessionToken(token, authConfig);
+        if (!validateOrganizationBinding({
+            session,
+            source: "session",
+            audience: authConfig.audience,
+            expectedOrganizationId,
+            appTenancyMode,
+        })) {
+            return null;
+        }
         return session;
     }
     catch (error) {
+        const isProd = import.meta.env.PROD === true;
         console.error(JSON.stringify({
             message: "Error verifying session token",
             error: error instanceof Error ? error.message : String(error),
-            stack: error instanceof Error ? error.stack : undefined,
+            stack: isProd === true
+                ? undefined
+                : error instanceof Error
+                    ? error.stack
+                    : undefined,
             errorType: error instanceof Error ? error.constructor.name : "Unknown",
             issuer: authConfig.issuer,
             audience: authConfig.audience,
+            expectedOrganizationId,
+            appTenancyMode,
         }));
         return null;
     }
 }
+function getAppTenancyMode() {
+    const mode = getOptionalEnvValue("APP_TENANCY_MODE")?.toLowerCase();
+    return mode === "multi" ? "multi" : "single";
+}
 async function verifySessionToken(token, config) {
     const { issuer, audience } = config;
     if (!issuer) {
@@ -75,3 +114,41 @@ export function extractBearerToken(authHeader) {
     }
     return authHeader.substring(7);
 }
+function getOptionalEnvValue(key) {
+    const value = env[key];
+    const trimmed = value?.trim();
+    return trimmed || null;
+}
+function validateOrganizationBinding({ session, source, audience, expectedOrganizationId, appTenancyMode, }) {
+    if (!session.orgId) {
+        console.error(JSON.stringify({
+            message: source === "bypass"
+                ? "Bypass mode requires organization claim"
+                : "Session token is missing orgId. SDK v0.2.0 requires org-bound session tokens. Redeploy the app with EVERY_APP_ORG_ID configured and request a fresh session token.",
+            audience,
+            appTenancyMode,
+        }));
+        return false;
+    }
+    if (appTenancyMode === "single" && !expectedOrganizationId) {
+        console.error(JSON.stringify({
+            message: "EVERY_APP_ORG_ID is required when APP_TENANCY_MODE=single. Configure EVERY_APP_ORG_ID in worker secrets (for example via `every app deploy`) and retry.",
+            audience,
+            appTenancyMode,
+        }));
+        return false;
+    }
+    if (appTenancyMode === "single" && session.orgId !== expectedOrganizationId) {
+        console.error(JSON.stringify({
+            message: source === "bypass"
+                ? "Bypass mode organization mismatch"
+                : "Session token organization mismatch",
+            tokenOrgId: session.orgId,
+            expectedOrganizationId,
+            audience,
+            appTenancyMode,
+        }));
+        return false;
+    }
+    return true;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.12",
+  "version": "0.1.14",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -27,11 +27,11 @@
   },
   "files": [
     "dist",
-    "src"
+    "README.md"
   ],
   "scripts": {
-    "postinstall": "tsc -p tsconfig.build.json",
     "build": "tsc -p tsconfig.build.json",
+    "prepack": "npm run build",
     "build:prepublish": "pnpm install --ignore-scripts && npm run types:check && npm run build",
     "prepublishOnly": "npm run build:prepublish",
     "types:check": "tsc --noEmit",

package/src/cloudflare/getLocalD1Url.ts

@@ -1,64 +0,0 @@
-import fs from "fs";
-import path from "path";
-import { execSync } from "child_process";
-import { parse } from "jsonc-parser";
-
-function findSqliteFile(basePath: string): string | undefined {
-  return fs
-    .readdirSync(basePath, { encoding: "utf-8", recursive: true })
-    .find((f) => f.endsWith(".sqlite"));
-}
-
-export function getLocalD1Url() {
-  const basePath = path.resolve(".wrangler");
-
-  // Check if .wrangler directory exists
-  if (!fs.existsSync(basePath)) {
-    console.error(
-      "================================================================================",
-    );
-    console.error("WARNING: .wrangler directory not found");
-    console.error("This is expected in CI/non-development environments.");
-    console.error(
-      "The local D1 database is only available after running 'wrangler dev' which you can trigger by running 'npm run dev'.",
-    );
-    console.error(
-      "================================================================================",
-    );
-    return null;
-  }
-
-  let dbFile = findSqliteFile(basePath);
-
-  if (!dbFile) {
-    // Read wrangler.jsonc to get the database name
-    const wranglerConfigPath = path.resolve("wrangler.jsonc");
-    const wranglerConfig = parse(fs.readFileSync(wranglerConfigPath, "utf-8"));
-
-    const databaseName = wranglerConfig.d1_databases?.[0]?.database_name;
-
-    if (!databaseName) {
-      throw new Error(
-        "Could not find database_name in wrangler.jsonc d1_databases configuration",
-      );
-    }
-
-    // Execute the command to initialize the local database
-    console.log(`Initializing local D1 database: ${databaseName}...`);
-    execSync(
-      `npx wrangler d1 execute ${databaseName} --local --command "SELECT 1;"`,
-      { stdio: "pipe" },
-    );
-
-    // Try to find the db file again after initialization
-    dbFile = findSqliteFile(basePath);
-
-    if (!dbFile) {
-      throw new Error(
-        `Failed to initialize local D1 database. The sqlite file was not created.`,
-      );
-    }
-  }
-
-  return path.resolve(basePath, dbFile);
-}

package/src/cloudflare/index.ts

@@ -1 +0,0 @@
-export { lazyInitForWorkers } from "./lazyInit.js";

package/src/cloudflare/lazyInit.ts

@@ -1,67 +0,0 @@
-/**
- * Wraps a factory function in a Proxy to defer initialization until first access.
- * This prevents async operations (Like creating Tanstack DB Collections) from running in Cloudflare Workers' global scope.
- *
- * @param factory - A function that creates and returns the resource.
- *                  Must be a callback to defer execution; passing the value directly
- *                  would evaluate it at module load time, triggering the Cloudflare error.
- * @returns A Proxy that lazily initializes the resource on first property access
- *
- * @example
- * ```ts
- * export const myCollection = lazyInitForWorkers(() =>
- *   createCollection(queryCollectionOptions({
- *     queryKey: ["myData"],
- *     queryFn: async () => fetchData(),
- *     // ... other options
- *   }))
- * );
- * ```
- */
-export function lazyInitForWorkers<T extends object>(factory: () => T): T {
-  // Closure: This variable is captured by getInstance() and the Proxy traps below.
-  // It remains in memory as long as the returned Proxy is referenced, enabling singleton behavior.
-  let instance: T | null = null;
-
-  function getInstance() {
-    if (!instance) {
-      instance = factory();
-    }
-    return instance;
-  }
-
-  return new Proxy({} as T, {
-    get(_, prop) {
-      const inst = getInstance();
-      const value = inst[prop as keyof T];
-      // Bind methods to the instance to preserve `this` context
-      return typeof value === "function" ? value.bind(inst) : value;
-    },
-    set(_, prop, value) {
-      const inst = getInstance();
-      (inst as any)[prop] = value;
-      return true;
-    },
-    deleteProperty(_, prop) {
-      const inst = getInstance();
-      delete (inst as any)[prop];
-      return true;
-    },
-    has(_, prop) {
-      const inst = getInstance();
-      return prop in inst;
-    },
-    ownKeys(_) {
-      const inst = getInstance();
-      return Reflect.ownKeys(inst);
-    },
-    getOwnPropertyDescriptor(_, prop) {
-      const inst = getInstance();
-      return Reflect.getOwnPropertyDescriptor(inst, prop);
-    },
-    getPrototypeOf(_) {
-      const inst = getInstance();
-      return Reflect.getPrototypeOf(inst);
-    },
-  });
-}

package/src/cloudflare/server/gateway.test.ts

@@ -1,215 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { fetchGateway, getGatewayUrl } from "./gateway";
-
-type TestFetcher = {
-  fetch: ReturnType<typeof vi.fn>;
-};
-
-type TestEnv = {
-  GATEWAY_URL?: string;
-  EVERY_APP_GATEWAY?: TestFetcher;
-  GATEWAY_APP_API_TOKEN?: string;
-  APP_TOKEN?: string;
-};
-
-describe("gateway server helpers", () => {
-  beforeEach(() => {
-    vi.restoreAllMocks();
-  });
-
-  afterEach(() => {
-    vi.restoreAllMocks();
-  });
-
-  it("returns gateway URL and throws when missing", () => {
-    expect(getGatewayUrl({ GATEWAY_URL: "https://gateway.example.com" })).toBe(
-      "https://gateway.example.com",
-    );
-
-    expect(() => getGatewayUrl({} as TestEnv)).toThrow(
-      "GATEWAY_URL is required",
-    );
-  });
-
-  it("fetches via HTTP when service binding is unavailable", async () => {
-    const fetchMock = vi
-      .spyOn(globalThis, "fetch")
-      .mockResolvedValue(new Response("ok", { status: 200 }));
-
-    const env: TestEnv = {
-      GATEWAY_URL: "https://gateway.example.com",
-      GATEWAY_APP_API_TOKEN: "eat_test_token",
-    };
-
-    await fetchGateway({
-      env,
-      url: "/api/ai/openai/v1/responses?stream=true",
-      init: { method: "POST" },
-    });
-
-    expect(fetchMock).toHaveBeenCalledTimes(1);
-    const [requestArg] = fetchMock.mock.calls[0];
-    const request = requestArg as Request;
-
-    expect(request.url).toBe(
-      "https://gateway.example.com/api/ai/openai/v1/responses?stream=true",
-    );
-  });
-
-  it("fetches via service binding when available in production", async () => {
-    // Service binding is only used when import.meta.env.PROD is true
-    const originalProd = import.meta.env.PROD;
-    import.meta.env.PROD = true;
-
-    try {
-      const bindingFetch = vi
-        .fn()
-        .mockResolvedValue(new Response("ok", { status: 200 }));
-
-      const env: TestEnv = {
-        GATEWAY_URL: "https://gateway.example.com",
-        EVERY_APP_GATEWAY: { fetch: bindingFetch },
-        GATEWAY_APP_API_TOKEN: "eat_test_token",
-      };
-
-      await fetchGateway({
-        env,
-        url: "/api/ai/openai/v1/chat/completions",
-        init: { method: "POST" },
-      });
-
-      expect(bindingFetch).toHaveBeenCalledTimes(1);
-      const [requestArg] = bindingFetch.mock.calls[0];
-      const request = requestArg as Request;
-      expect(request.url).toBe(
-        "http://localhost/api/ai/openai/v1/chat/completions",
-      );
-    } finally {
-      import.meta.env.PROD = originalProd;
-    }
-  });
-
-  it("skips service binding in development and uses HTTP fetch", async () => {
-    const fetchMock = vi
-      .spyOn(globalThis, "fetch")
-      .mockResolvedValue(new Response("ok", { status: 200 }));
-
-    const bindingFetch = vi.fn();
-
-    const env: TestEnv = {
-      GATEWAY_URL: "https://gateway.example.com",
-      EVERY_APP_GATEWAY: { fetch: bindingFetch },
-      GATEWAY_APP_API_TOKEN: "eat_test_token",
-    };
-
-    await fetchGateway({
-      env,
-      url: "/api/ai/openai/v1/chat/completions",
-      init: { method: "POST" },
-    });
-
-    // In dev, should use HTTP fetch, not service binding
-    expect(bindingFetch).not.toHaveBeenCalled();
-    expect(fetchMock).toHaveBeenCalledTimes(1);
-  });
-
-  it("always injects app token and strips Authorization header", async () => {
-    const fetchMock = vi
-      .spyOn(globalThis, "fetch")
-      .mockResolvedValue(new Response("ok", { status: 200 }));
-
-    const env: TestEnv = {
-      GATEWAY_URL: "https://gateway.example.com",
-      GATEWAY_APP_API_TOKEN: "eat_my_token",
-    };
-
-    await fetchGateway({
-      env,
-      url: "/api/ai/openai/v1/responses",
-      init: {
-        method: "POST",
-        headers: {
-          authorization: "Bearer some-sdk-dummy-value",
-        },
-      },
-    });
-
-    expect(fetchMock).toHaveBeenCalledTimes(1);
-    const [requestArg] = fetchMock.mock.calls[0];
-    const request = requestArg as Request;
-
-    expect(request.headers.get("x-every-app-token")).toBe("eat_my_token");
-    expect(request.headers.get("authorization")).toBeNull();
-  });
-
-  it("throws when app token is missing", async () => {
-    const env: TestEnv = {
-      GATEWAY_URL: "https://gateway.example.com",
-    };
-
-    await expect(
-      fetchGateway({
-        env,
-        url: "/api/ai/openai/v1/responses",
-      }),
-    ).rejects.toThrow("GATEWAY_APP_API_TOKEN is required");
-  });
-
-  it("supports legacy APP_TOKEN env variable", async () => {
-    const fetchMock = vi
-      .spyOn(globalThis, "fetch")
-      .mockResolvedValue(new Response("ok", { status: 200 }));
-
-    const env: TestEnv = {
-      GATEWAY_URL: "https://gateway.example.com",
-      APP_TOKEN: "eat_legacy_token",
-    };
-
-    await fetchGateway({
-      env,
-      url: "/api/ai/openai/v1/responses",
-      init: { method: "POST" },
-    });
-
-    expect(fetchMock).toHaveBeenCalledTimes(1);
-    const [requestArg] = fetchMock.mock.calls[0];
-    const request = requestArg as Request;
-
-    expect(request.headers.get("x-every-app-token")).toBe("eat_legacy_token");
-    expect(request.headers.get("authorization")).toBeNull();
-  });
-
-  it("supports Request input and preserves method/body", async () => {
-    const fetchMock = vi
-      .spyOn(globalThis, "fetch")
-      .mockResolvedValue(new Response("ok", { status: 200 }));
-
-    const env: TestEnv = {
-      GATEWAY_URL: "https://gateway.example.com",
-      GATEWAY_APP_API_TOKEN: "eat_test_token",
-    };
-
-    const sourceRequest = new Request(
-      "https://gateway.example.com/api/ai/openai/v1/responses",
-      {
-        method: "POST",
-        body: JSON.stringify({ model: "gpt-5.2" }),
-        headers: { "content-type": "application/json" },
-      },
-    );
-
-    await fetchGateway({
-      env,
-      url: sourceRequest,
-    });
-
-    expect(fetchMock).toHaveBeenCalledTimes(1);
-    const [requestArg] = fetchMock.mock.calls[0];
-    const request = requestArg as Request;
-    expect(request.url).toBe(
-      "https://gateway.example.com/api/ai/openai/v1/responses",
-    );
-    expect(request.method).toBe("POST");
-    expect(request.headers.get("content-type")).toBe("application/json");
-  });
-});

package/src/cloudflare/server/gateway.ts

@@ -1,106 +0,0 @@
-const SERVICE_BINDING_ORIGIN = "http://localhost";
-const APP_TOKEN_HEADER = "x-every-app-token";
-
-interface GatewayFetcher {
-  fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
-}
-
-interface GatewayEnv {
-  GATEWAY_URL?: string;
-  EVERY_APP_GATEWAY?: GatewayFetcher;
-  GATEWAY_APP_API_TOKEN?: string;
-  APP_TOKEN?: string;
-}
-
-interface FetchGatewayOptions {
-  env: GatewayEnv;
-  /** The URL, path, or Request to send to the gateway. Typically the full URL
-   *  passed by a provider SDK's custom `fetch` override. */
-  url: string | URL | Request;
-  /** Standard `RequestInit` (method, headers, body, etc.) from the provider SDK. */
-  init?: RequestInit;
-}
-
-export function getGatewayUrl(env: GatewayEnv): string {
-  const gatewayUrl = env.GATEWAY_URL?.trim();
-  if (!gatewayUrl) {
-    throw new Error("GATEWAY_URL is required");
-  }
-  return gatewayUrl;
-}
-
-/**
- * Fetch from the gateway proxy, authenticating with the app token.
- *
- * - Strips any existing `Authorization` header (the gateway only accepts
- *   app token auth via `x-every-app-token`).
- * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
- * - Routes via service binding in production, falls back to HTTP in dev.
- */
-export async function fetchGateway({
-  env,
-  url,
-  init,
-}: FetchGatewayOptions): Promise<Response> {
-  const gatewayBaseUrl = getGatewayUrl(env);
-  const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
-  const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
-
-  // Use service binding in production for zero-latency internal routing.
-  // In local dev wrangler still exposes the binding object, but the target
-  // service usually isn't running locally, so we skip it and use HTTP fetch.
-  if (import.meta.env.PROD && env.EVERY_APP_GATEWAY) {
-    const url = new URL(authenticatedRequest.url);
-    const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
-    const bindingRequest = new Request(bindingUrl, authenticatedRequest);
-    return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
-  }
-
-  // HTTP fetch – used in local dev, or as a fallback when no binding exists
-  return fetch(authenticatedRequest);
-}
-
-function applyAppTokenAuth(request: Request, env: GatewayEnv): Request {
-  const appToken = getGatewayAppApiToken(env);
-  if (!appToken) {
-    throw new Error(
-      "GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.",
-    );
-  }
-
-  const headers = new Headers(request.headers);
-  headers.delete("authorization");
-  headers.set(APP_TOKEN_HEADER, appToken);
-  return new Request(request, { headers });
-}
-
-function getGatewayAppApiToken(env: GatewayEnv): string | null {
-  const configuredToken = env.GATEWAY_APP_API_TOKEN?.trim();
-  if (configuredToken) {
-    return configuredToken;
-  }
-
-  const legacyToken = env.APP_TOKEN?.trim();
-  return legacyToken || null;
-}
-
-function toRequest(
-  input: RequestInfo | URL,
-  init?: RequestInit,
-  baseUrl?: string,
-): Request {
-  if (input instanceof Request) {
-    return init ? new Request(input, init) : input;
-  }
-
-  if (input instanceof URL) {
-    return new Request(input.toString(), init);
-  }
-
-  if (typeof input === "string" && baseUrl && !/^https?:\/\//i.test(input)) {
-    const normalizedPath = input.startsWith("/") ? input : `/${input}`;
-    return new Request(new URL(normalizedPath, baseUrl).toString(), init);
-  }
-
-  return new Request(input, init);
-}

package/src/cloudflare/server/index.ts

@@ -1,2 +0,0 @@
-export { getLocalD1Url } from "../getLocalD1Url.js";
-export { fetchGateway, getGatewayUrl } from "./gateway.js";