@ezcoder.dev/sdk 1.3.2 → 1.4.0

package/dist/{chunk-UAY64NNA.js → chunk-5QYGP7G7.js}

@@ -1,17 +1,56 @@
 import {
   ezcoder
-} from "./chunk-HJ2EIZ4S.js";
+} from "./chunk-DU6N3HVQ.js";
 import {
   isSupabaseConfigured,
   supabase
-} from "./chunk-I2YGB7Z6.js";
+} from "./chunk-KKTY5NCR.js";
 import {
   env,
   features
-} from "./chunk-LIUE7M7K.js";
+} from "./chunk-X4JP7DCK.js";
 
 // src/database/DatabaseProvider.tsx
-import { createContext, useContext, useMemo } from "react";
+import { createContext, useContext, useEffect, useMemo, useState } from "react";
+
+// src/core/bootstrap.ts
+var cached = null;
+var inflight = null;
+function apiBase() {
+  return (env.EZCODER_API_URL || "https://ezcoder.dev").replace(/\/$/, "");
+}
+async function loadBootstrap(opts = {}) {
+  if (cached && !opts.force) return cached;
+  if (inflight && !opts.force) return inflight;
+  if (typeof fetch === "undefined") return null;
+  inflight = (async () => {
+    try {
+      const headers = {};
+      const tok = env.EZC_PROJECT_TOKEN_PUBLIC || env.EZC_PROJECT_TOKEN_LEGACY || "";
+      if (tok) headers["X-EzCoder-Public-Token"] = tok;
+      const qs = env.EZC_PROJECT_ID ? `?projectId=${encodeURIComponent(env.EZC_PROJECT_ID)}` : "";
+      const res = await fetch(`${apiBase()}/api/sdk/bootstrap${qs}`, { method: "GET", headers });
+      if (!res.ok) return null;
+      const body = await res.json().catch(() => null);
+      if (!body?.success || !body.config?.projectId) return null;
+      cached = body.config;
+      return cached;
+    } catch {
+      return null;
+    } finally {
+      inflight = null;
+    }
+  })();
+  return inflight;
+}
+function getRuntimeConfig() {
+  return cached;
+}
+function configValue(key, bakedFallback) {
+  const rc = cached;
+  const v = rc ? rc[key] : null;
+  return typeof v === "string" && v ? v : bakedFallback;
+}
 
 // src/database/errors.ts
 var DatabaseError = class extends Error {
@@ -56,58 +95,6 @@ function mapRpcError(rpcResult) {
   return new QueryError(msg);
 }
 
-// src/database/publicReadProxy.ts
-var PROXY_TIMEOUT_MS = 1e4;
-var AUTH_FAILURE_PATTERN = /authentication required|permission denied|project binding|unauthorized|jwt|42501/i;
-function isAuthShapedFailure(message) {
-  return typeof message === "string" && AUTH_FAILURE_PATTERN.test(message);
-}
-function publicReadToken() {
-  return env.EZC_PROJECT_TOKEN_PUBLIC || env.EZC_PROJECT_TOKEN_LEGACY || "";
-}
-function publicReadAvailable() {
-  return Boolean(env.EZCODER_API_URL);
-}
-var stickyPublicMode = false;
-function shouldSkipRpc() {
-  return stickyPublicMode && publicReadAvailable();
-}
-async function hasActiveSession(supabase2) {
-  try {
-    if (!supabase2?.auth?.getSession) return false;
-    const { data } = await supabase2.auth.getSession();
-    return Boolean(data?.session);
-  } catch {
-    return true;
-  }
-}
-async function publicReadQuery(projectId, sql) {
-  if (!publicReadAvailable()) {
-    return { success: false, error: "Public read proxy not configured (missing public token or API URL)" };
-  }
-  try {
-    const base = env.EZCODER_API_URL.replace(/\/$/, "");
-    const token = publicReadToken();
-    const headers = { "Content-Type": "application/json" };
-    if (token) headers["X-EzCoder-Public-Token"] = token;
-    const res = await fetch(`${base}/api/platform/db/${encodeURIComponent(projectId)}/query`, {
-      method: "POST",
-      headers,
-      body: JSON.stringify({ sql }),
-      signal: typeof AbortSignal !== "undefined" && AbortSignal.timeout ? AbortSignal.timeout(PROXY_TIMEOUT_MS) : void 0
-    });
-    const payload = await res.json().catch(() => null);
-    if (!res.ok || !payload) {
-      return { success: false, error: payload?.error || `Public read proxy HTTP ${res.status}` };
-    }
-    if (payload.success) stickyPublicMode = true;
-    return payload;
-  } catch (err) {
-    const message = err instanceof Error ? err.message : "Public read proxy request failed";
-    return { success: false, error: message };
-  }
-}
-
 // src/database/QueryBuilder.ts
 function escapeSqlValue(value) {
   if (value === null) return "NULL";
@@ -124,6 +111,18 @@ function escapeIdentifier(name) {
   }
   return `"${name}"`;
 }
+function assertSafeSelectColumns(columns) {
+  if (columns === "*") return;
+  if (/[;]|--|\/\*|\*\//.test(columns)) {
+    throw new ValidationError("select() columns may not contain statement separators or comments");
+  }
+  if (/\bselect\b/i.test(columns)) {
+    throw new ValidationError("select() columns may not contain a sub-SELECT");
+  }
+  if (!/^[A-Za-z0-9_.,*()\s"']+$/.test(columns)) {
+    throw new ValidationError("select() columns contain unsupported characters");
+  }
+}
 var QueryBuilder = class {
   constructor(supabase2, projectId, table, serverProxy) {
     this.operation = "select";
@@ -143,6 +142,7 @@ var QueryBuilder = class {
     this.serverProxy = serverProxy;
   }
   select(columns = "*") {
+    assertSafeSelectColumns(columns);
     this.operation = "select";
     this.selectColumns = columns;
     return this;
@@ -330,71 +330,18 @@ var QueryBuilder = class {
       default:
         throw new QueryError(`Unknown operation: ${this.operation}`);
     }
-    if (this.serverProxy?.serverQuery && this.serverProxy?.serverExec) {
-      const fn = isRead ? this.serverProxy.serverQuery : this.serverProxy.serverExec;
-      const data2 = await fn(sql);
-      if (!data2.success) {
-        const dbError = mapRpcError(data2);
-        if (dbError) throw dbError;
-        throw new QueryError(data2.error || "Query failed", sql);
-      }
-      return {
-        success: true,
-        data: isRead ? data2.data || [] : [],
-        rowCount: data2.rowCount ?? (isRead ? data2.data?.length || 0 : 0),
-        schema: data2.schema
-      };
-    }
-    const publicQuery = this.serverProxy?.publicQuery;
-    if (isRead && publicQuery && shouldSkipRpc() && !await hasActiveSession(this.supabase)) {
-      return this.runPublicQuery(publicQuery, sql);
-    }
-    const rpcName = isRead ? "sdk_query_project" : "sdk_exec_project";
-    const { data, error } = await this.supabase.rpc(rpcName, {
-      p_project_id: this.projectId,
-      p_sql: sql
-    });
-    if (error) {
-      if (isRead && publicQuery && isAuthShapedFailure(error.message) && !await hasActiveSession(this.supabase)) {
-        return this.runPublicQuery(publicQuery, sql, error.message);
-      }
-      throw new QueryError(error.message, sql);
-    }
+    const fn = isRead ? this.serverProxy?.serverQuery : this.serverProxy?.serverExec;
+    if (!fn) throw new QueryError("Database client is not configured", sql);
+    const data = await fn(sql);
     if (!data.success) {
-      if (isRead && publicQuery && isAuthShapedFailure(data.error) && !await hasActiveSession(this.supabase)) {
-        return this.runPublicQuery(publicQuery, sql, data.error);
-      }
       const dbError = mapRpcError(data);
       if (dbError) throw dbError;
       throw new QueryError(data.error || "Query failed", sql);
     }
-    if (isRead) {
-      return {
-        success: true,
-        data: data.data || [],
-        rowCount: data.rowCount ?? (data.data?.length || 0),
-        schema: data.schema
-      };
-    }
-    return {
-      success: true,
-      data: [],
-      rowCount: data.rowCount ?? 0,
-      schema: data.schema
-    };
-  }
-  /** Execute a read through the platform public proxy (anonymous-visitor path). */
-  async runPublicQuery(publicQuery, sql, rpcError) {
-    const data = await publicQuery(sql);
-    if (!data.success) {
-      const dbError = mapRpcError(data);
-      if (dbError) throw dbError;
-      throw new QueryError(data.error || rpcError || "Query failed", sql);
-    }
     return {
       success: true,
-      data: data.data || [],
-      rowCount: data.rowCount ?? (data.data?.length || 0),
+      data: isRead ? data.data || [] : [],
+      rowCount: data.rowCount ?? (isRead ? data.data?.length || 0 : 0),
       schema: data.schema
     };
   }
@@ -428,29 +375,25 @@ function trackDbEvent(event, props) {
   }
 }
 var MAX_RETRIES = 3;
-var SERVER_TIMEOUT_MS = 5e3;
+var SERVER_TIMEOUT_MS = 8e3;
 var DatabaseClient = class _DatabaseClient {
   constructor(supabase2, projectId) {
     this.serverMode = false;
     this.supabase = supabase2;
     this.projectId = projectId;
+    this.platformUrl = env.EZCODER_API_URL || "https://ezcoder.dev";
   }
   static createServerClient(projectId, apiKey, platformUrl) {
     const client = new _DatabaseClient(null, projectId);
     client.apiKey = apiKey;
-    client.platformUrl = platformUrl || typeof process !== "undefined" && process.env?.EZCODER_API_URL || "https://ezcoder.app";
+    client.platformUrl = platformUrl || typeof process !== "undefined" && process.env?.EZCODER_API_URL || env.EZCODER_API_URL || "https://ezcoder.dev";
     client.serverMode = true;
     return client;
   }
   from(table) {
-    if (this.serverMode) {
-      return new QueryBuilder(null, this.projectId, table, {
-        serverQuery: (sql) => this._serverRequest("/query", sql),
-        serverExec: (sql) => this._serverRequest("/execute", sql)
-      });
-    }
-    return new QueryBuilder(this.supabase, this.projectId, table, {
-      publicQuery: (sql) => publicReadQuery(this.projectId, sql)
+    return new QueryBuilder(null, this.projectId, table, {
+      serverQuery: (sql) => this._proxy("/query", sql),
+      serverExec: (sql) => this._proxy("/execute", sql)
     });
   }
   async sql(query) {
@@ -458,116 +401,93 @@ var DatabaseClient = class _DatabaseClient {
     if (!trimmed.startsWith("select")) {
       throw new QueryError("sql() is for read-only queries. Use execute() for mutations.");
     }
-    if (this.serverMode) {
-      return this._serverQuery(query);
-    }
     const start = Date.now();
-    if (shouldSkipRpc() && !await hasActiveSession(this.supabase)) {
-      return this._publicFallback(query, start, null);
-    }
-    const { data, error } = await this.supabase.rpc("sdk_query_project", {
-      p_project_id: this.projectId,
-      p_sql: query
-    });
-    const latencyMs = Date.now() - start;
-    if (error) {
-      if (publicReadAvailable() && isAuthShapedFailure(error.message) && !await hasActiveSession(this.supabase)) {
-        return this._publicFallback(query, start, error.message);
-      }
-      trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: false, error: error.message });
-      throw new QueryError(error.message, query);
-    }
-    if (!data.success) {
-      if (publicReadAvailable() && isAuthShapedFailure(data.error) && !await hasActiveSession(this.supabase)) {
-        return this._publicFallback(query, start, data.error);
-      }
-      trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: false, error: data.error });
-      throw new QueryError(data.error || "Query failed", query);
-    }
-    trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: true, rowCount: data.rowCount ?? 0 });
-    return {
-      success: true,
-      data: data.data || [],
-      rowCount: data.rowCount ?? (data.data?.length || 0),
-      schema: data.schema
-    };
-  }
-  /** Read via the platform public proxy (anonymous-visitor path). */
-  async _publicFallback(query, start, rpcError) {
-    const data = await publicReadQuery(this.projectId, query);
+    const result = await this._proxy("/query", query);
     const latencyMs = Date.now() - start;
-    if (!data.success) {
-      trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: false, error: data.error, publicProxy: true });
-      throw new QueryError(data.error || rpcError || "Query failed", query);
+    if (!result.success) {
+      trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: false, error: result.error });
+      throw new QueryError(result.error || "Query failed", query);
     }
-    trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: true, rowCount: data.rowCount ?? 0, publicProxy: true });
+    trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: true, rowCount: result.rowCount ?? 0 });
     return {
       success: true,
-      data: data.data || [],
-      rowCount: data.rowCount ?? (data.data?.length || 0),
-      schema: data.schema
+      data: result.data || [],
+      rowCount: result.rowCount ?? (result.data?.length || 0),
+      schema: result.schema
     };
   }
   async execute(sql) {
-    if (this.serverMode) {
-      return this._serverExecute(sql);
-    }
     const start = Date.now();
-    const { data, error } = await this.supabase.rpc("sdk_exec_project", {
-      p_project_id: this.projectId,
-      p_sql: sql
-    });
+    const result = await this._proxy("/execute", sql);
     const latencyMs = Date.now() - start;
-    if (error) {
-      trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: false, error: error.message });
-      throw new QueryError(error.message, sql);
-    }
-    if (!data.success) {
-      trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: false, error: data.error });
-      throw new QueryError(data.error || "Execution failed", sql);
+    if (!result.success) {
+      trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: false, error: result.error });
+      throw new QueryError(result.error || "Execution failed", sql);
     }
-    trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: true, rowCount: data.rowCount ?? 0 });
+    trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: true, rowCount: result.rowCount ?? 0 });
     return {
       success: true,
-      rowCount: data.rowCount ?? 0,
-      schema: data.schema,
-      executed_sql: data.executed_sql
+      rowCount: result.rowCount ?? 0,
+      schema: result.schema,
+      executed_sql: result.executed_sql
     };
   }
   async getSchema() {
-    if (this.serverMode) {
-      return this._serverGetSchema();
-    }
-    const { data, error } = await this.supabase.rpc("sdk_get_schema_info", {
-      p_project_id: this.projectId
-    });
-    if (error) throw new ConnectionError(error.message);
+    const result = await this._proxy("/schema", null);
+    if (!result.success) throw new ConnectionError(result.error || "Schema fetch failed");
     return {
-      exists: data.exists ?? false,
-      schema: data.schema,
-      tables: data.tables || [],
-      tablesCount: data.tablesCount ?? 0,
-      createdAt: data.createdAt,
-      lastAccessedAt: data.lastAccessedAt
+      exists: result.exists ?? false,
+      schema: result.schema,
+      tables: result.tables || [],
+      tablesCount: result.tablesCount ?? 0,
+      createdAt: result.createdAt,
+      lastAccessedAt: result.lastAccessedAt
     };
   }
-  async _serverRequest(endpoint, sql) {
-    const url = `${this.platformUrl}/api/platform/db/${this.projectId}${endpoint}`;
+  /**
+   * Resolve the credential for this call. Order mirrors the server's auth tiers:
+   * server key → end-user session JWT → public/legacy token → none (origin).
+   */
+  async _authHeaders() {
+    if (this.serverMode && this.apiKey) {
+      return { Authorization: `Bearer ${this.apiKey}` };
+    }
+    if (this.supabase?.auth?.getSession) {
+      let sessionResult;
+      try {
+        sessionResult = await this.supabase.auth.getSession();
+      } catch {
+        return {};
+      }
+      const token = sessionResult?.data?.session?.access_token;
+      if (token) return { Authorization: `Bearer ${token}` };
+    }
+    const pub = getRuntimeConfig()?.publicToken || env.EZC_PROJECT_TOKEN_PUBLIC || env.EZC_PROJECT_TOKEN_LEGACY || "";
+    if (pub) return { "X-EzCoder-Public-Token": pub };
+    return {};
+  }
+  /** Platform API base — runtime bootstrap wins over the baked value so an
+   *  env-less build still reaches the right host. */
+  baseUrl() {
+    return (getRuntimeConfig()?.apiUrl || this.platformUrl).replace(/\/$/, "");
+  }
+  async _proxy(endpoint, sql) {
+    const url = `${this.baseUrl()}/api/platform/db/${this.projectId}${endpoint}`;
+    const method = endpoint === "/schema" ? "GET" : "POST";
     let lastError;
     for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
       try {
+        const headers = { ...await this._authHeaders() };
+        if (method === "POST") headers["Content-Type"] = "application/json";
         const res = await fetch(url, {
-          method: "POST",
-          headers: {
-            "Authorization": `Bearer ${this.apiKey}`,
-            "Content-Type": "application/json"
-          },
-          body: JSON.stringify({ sql }),
+          method,
+          headers,
+          body: method === "POST" ? JSON.stringify({ sql }) : void 0,
           signal: AbortSignal.timeout(SERVER_TIMEOUT_MS)
         });
         if (res.status === 429) {
           const retryAfter = parseInt(res.headers.get("retry-after") || "60", 10);
-          await new Promise((r) => setTimeout(r, retryAfter * 1e3));
+          await new Promise((r) => setTimeout(r, Math.min(retryAfter, 5) * 1e3));
           continue;
         }
         if (res.status === 503) {
@@ -577,72 +497,11 @@ var DatabaseClient = class _DatabaseClient {
         return await res.json();
       } catch (e) {
         lastError = e instanceof Error ? e : new Error(String(e));
+        if (endpoint === "/execute") break;
       }
     }
     return { success: false, error: lastError?.message || "Request failed after retries" };
   }
-  async _serverQuery(query) {
-    const start = Date.now();
-    const result = await this._serverRequest("/query", query);
-    const latencyMs = Date.now() - start;
-    if (!result.success) {
-      trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: false, error: result.error, serverMode: true });
-      throw new QueryError(result.error || "Query failed", query);
-    }
-    trackDbEvent("db_query", { projectId: this.projectId, latencyMs, success: true, rowCount: result.rowCount ?? 0, serverMode: true });
-    return {
-      success: true,
-      data: result.data || [],
-      rowCount: result.rowCount ?? (result.data?.length || 0),
-      schema: result.schema
-    };
-  }
-  async _serverExecute(sql) {
-    const start = Date.now();
-    const result = await this._serverRequest("/execute", sql);
-    const latencyMs = Date.now() - start;
-    if (!result.success) {
-      trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: false, error: result.error, serverMode: true });
-      throw new QueryError(result.error || "Execution failed", sql);
-    }
-    trackDbEvent("db_mutation", { projectId: this.projectId, latencyMs, success: true, rowCount: result.rowCount ?? 0, serverMode: true });
-    return {
-      success: true,
-      rowCount: result.rowCount ?? 0,
-      schema: result.schema,
-      executed_sql: result.executed_sql
-    };
-  }
-  async _serverGetSchema() {
-    const url = `${this.platformUrl}/api/platform/db/${this.projectId}/schema`;
-    let lastError;
-    for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
-      try {
-        const res = await fetch(url, {
-          method: "GET",
-          headers: { "Authorization": `Bearer ${this.apiKey}` },
-          signal: AbortSignal.timeout(SERVER_TIMEOUT_MS)
-        });
-        if (res.status === 503) {
-          await new Promise((r) => setTimeout(r, (attempt + 1) * 2e3));
-          continue;
-        }
-        const data = await res.json();
-        if (!data.success) throw new ConnectionError(data.error || "Schema fetch failed");
-        return {
-          exists: data.exists ?? false,
-          schema: data.schema,
-          tables: data.tables || [],
-          tablesCount: data.tablesCount ?? 0,
-          createdAt: data.createdAt,
-          lastAccessedAt: data.lastAccessedAt
-        };
-      } catch (e) {
-        lastError = e instanceof Error ? e : new Error(String(e));
-      }
-    }
-    throw new ConnectionError(lastError?.message || "Schema request failed after retries");
-  }
 };
 
 // src/database/DatabaseProvider.tsx
@@ -652,20 +511,38 @@ var DatabaseContext = createContext({
   isConfigured: false
 });
 function DatabaseProvider({ children, projectId }) {
-  const resolvedProjectId = projectId || env.EZC_PROJECT_ID;
-  const configured = isSupabaseConfigured && Boolean(resolvedProjectId);
+  const bakedProjectId = projectId || env.EZC_PROJECT_ID || "";
+  const [runtimeProjectId, setRuntimeProjectId] = useState(getRuntimeConfig()?.projectId || "");
+  const [bootstrapAttempted, setBootstrapAttempted] = useState(Boolean(getRuntimeConfig()));
+  useEffect(() => {
+    if (bakedProjectId) return;
+    let cancelled = false;
+    loadBootstrap().then((rc) => {
+      if (cancelled) return;
+      if (rc?.projectId) setRuntimeProjectId(rc.projectId);
+      setBootstrapAttempted(true);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [bakedProjectId]);
+  const resolvedProjectId = bakedProjectId || runtimeProjectId;
+  const configured = Boolean(resolvedProjectId);
   const db = useMemo(
     () => configured ? new DatabaseClient(supabase, resolvedProjectId) : null,
     [configured, resolvedProjectId]
   );
   const value = useMemo(() => ({ db, isConfigured: configured }), [db, configured]);
+  if (!bakedProjectId && !bootstrapAttempted && !runtimeProjectId) {
+    return null;
+  }
   return /* @__PURE__ */ jsx(DatabaseContext.Provider, { value, children });
 }
 function useDatabase() {
   const { db } = useContext(DatabaseContext);
   if (!db) {
     throw new Error(
-      "useDatabase() must be used within <DatabaseProvider>. Ensure EZC_PROJECT_ID and Supabase credentials are configured."
+      "useDatabase() must be used within <DatabaseProvider>. Ensure the app is wrapped in <DatabaseProvider> and the project has a deployment origin or EZC_PROJECT_ID."
     );
   }
   return db;
@@ -680,14 +557,14 @@ function useIsDatabaseConfigured() {
 }
 
 // src/database/useRealtime.ts
-import { useEffect, useState, useRef } from "react";
+import { useEffect as useEffect2, useState as useState2, useRef } from "react";
 function useRealtime(table, options = {}) {
-  const [data, setData] = useState([]);
-  const [status, setStatus] = useState("connecting");
+  const [data, setData] = useState2([]);
+  const [status, setStatus] = useState2("connecting");
   const optionsRef = useRef(options);
   optionsRef.current = options;
   const projectId = env.EZC_PROJECT_ID;
-  useEffect(() => {
+  useEffect2(() => {
     if (!isSupabaseConfigured || !projectId) {
       setStatus("disabled");
       return;
@@ -730,6 +607,9 @@ function useRealtime(table, options = {}) {
 }
 
 export {
+  loadBootstrap,
+  getRuntimeConfig,
+  configValue,
   DatabaseError,
   QueryError,
   ValidationError,
@@ -743,4 +623,4 @@ export {
   useIsDatabaseConfigured,
   useRealtime
 };
-//# sourceMappingURL=chunk-UAY64NNA.js.map
+//# sourceMappingURL=chunk-5QYGP7G7.js.map