@highstate/backend 0.9.16 → 0.9.19

package/prisma/project/worker.prisma

@@ -0,0 +1,138 @@
+model Worker {
+    /// The CUIDv2 of the worker.
+    id String @id @default(cuid(2))
+
+    /// The ID of the worker.
+    ///
+    /// This is the fully qualified image name without the tag or digest.
+    /// The format is `{<registry>/}[<namespace>/]<name>`.
+    ///
+    /// For example: `ghcr.io/highstate/worker` or `docker.io/library/ubuntu`.
+    identity String @unique
+
+    /// The ID of the service account this worker uses.
+    serviceAccountId String @unique
+
+    /// The time this worker first appeared in the system.
+    createdAt DateTime @default(now())
+
+    /// The service account impersonating this worker.
+    serviceAccount ServiceAccount @relation(fields: [serviceAccountId], references: [id])
+
+    /// The versions of this worker.
+    versions WorkerVersion[]
+}
+
+enum WorkerVersionStatus {
+    /// The status is unknown.
+    unknown
+
+    /// The worker is being started by one of the runtimes.
+    starting
+
+    /// The worker is running and serving registrations.
+    running
+
+    /// The worker is being stopping (after was starting/running and was disabled).
+    stopping
+
+    /// The worker is stopped and not serving registrations.
+    stopped
+
+    /// The worker failed to start/crashed more than the allowed number of times.
+    error
+}
+
+model WorkerVersion {
+    /// The CUIDv2 of the worker version.
+    id String @id @default(cuid(2))
+
+    /// The metadata of the worker version managed by the backend.
+    ///
+    /// [CommonObjectMeta]
+    meta Json
+
+    /// The current status of the worker version reported by the runtime.
+    status WorkerVersionStatus @default(unknown)
+
+    /// Whether this worker version is enabled and will be launched when project is unclocked.
+    enabled Boolean @default(true)
+
+    /// The ID of the runtime where this worker version currently runs.
+    runtimeId String?
+
+    /// The ID of the worker this version belongs to.
+    workerId String
+
+    /// The digest of the worker version used to identify it.
+    /// The format is raw SHA256 digest without the `sha256:` prefix.
+    digest String @unique
+
+    /// The ID of the API key this worker version uses.
+    apiKeyId String @unique
+
+    /// The time this worker version was created.
+    createdAt DateTime @default(now())
+
+    /// The time this worker version was last updated.
+    updatedAt DateTime @updatedAt
+
+    /// The worker this version belongs to.
+    worker Worker @relation(fields: [workerId], references: [id])
+
+    /// The API key this worker version uses.
+    apiKey ApiKey @relation(fields: [apiKeyId], references: [id])
+
+    /// The unit registrations for this worker version.
+    unitRegistrations WorkerUnitRegistration[]
+
+    /// The logs produced by this worker version.
+    logs WorkerVersionLog[]
+}
+
+model WorkerUnitRegistration {
+    /// The ID of the state of the unit instance requesting the registration.
+    stateId String
+
+    /// The name of the workor within the instance.
+    name String
+
+    /// The parameters of the registration passed by the unit.
+    ///
+    /// [WorkerUnitRegistrationParams]
+    params Json
+
+    /// The ID of the worker version this registration currently uses.
+    workerVersionId String
+
+    /// The time this registration was created.
+    createdAt DateTime @default(now())
+
+    /// The time this registration was last updated.
+    updatedAt DateTime @updatedAt
+
+    /// The unit instance requesting the registration.
+    state InstanceState @relation(fields: [stateId], references: [id])
+
+    /// The worker version this registration currently uses.
+    workerVersion WorkerVersion @relation(fields: [workerVersionId], references: [id])
+
+    @@id([stateId, name]) // the registration is identified by the instance and name
+}
+
+model WorkerVersionLog {
+    /// The ULID of the worker log. Also used to extract the timestamp.
+    id String @id @default(ulid())
+
+    /// The ID of the worker version that produced this log.
+    workerVersionId String
+
+    /// The log content.
+    content String
+    
+    /// Whether this log is a system/runtime message (vs worker output).
+    isSystem Boolean @default(false)
+
+    /// The worker version that produced this log.
+    workerVersion WorkerVersion @relation(fields: [workerVersionId], references: [id], onDelete: Cascade)
+}

package/src/artifact/abstractions.ts

@@ -1,46 +1,46 @@
 export interface ArtifactBackend {
   /**
-   * Stores content and returns its hash.
-   * If content with the same hash already exists, returns existing hash.
+   * Stores content in the backend.
+   * If content with the same id already exists, does nothing.
    *
    * @param projectId The project ID to which the content belongs.
-   * @param hsah The content hash.
+   * @param artifactId The ID of the artifact to store.
    * @param chunkSize The size of each chunk to store. Only the last chunk may be smaller.
    * @param content The async iterable of content chunks.
    */
   store(
     projectId: string,
-    hash: string,
+    artifactId: string,
     chunkSize: number,
     content: AsyncIterable<Uint8Array>,
   ): Promise<void>
 
   /**
-   * Retrieves content by hash.
+   * Retrieves content by artifact ID.
    *
    * @param projectId The project ID to which the content belongs.
-   * @param hash The content hash.
+   * @param artifactId The ID of the artifact to retrieve.
    * @param chunkSize The size of each chunk to retrieve. Only the last chunk may be smaller.
    */
   retrieve(
     projectId: string,
-    hash: string,
+    artifactId: string,
     chunkSize: number,
   ): Promise<AsyncIterable<Uint8Array> | null>
 
   /**
-   * Deletes content by hash.
+   * Deletes content by artifact ID.
    *
    * @param projectId The project ID to which the content belongs.
-   * @param hash The content hash.
+   * @param artifactId The ID of the artifact to delete.
    */
-  delete(projectId: string, hash: string): Promise<void>
+  delete(projectId: string, artifactId: string): Promise<void>
 
   /**
-   * Checks if content exists by hash.
+   * Checks if content exists by artifact ID.
    *
    * @param projectId The project ID to which the content belongs.
-   * @param hash The content hash.
+   * @param artifactId The ID of the artifact to check.
    */
-  exists(projectId: string, hash: string): Promise<boolean>
+  exists(projectId: string, artifactId: string): Promise<boolean>
 }

package/src/artifact/encryption.ts

@@ -1,45 +1,54 @@
-import type { EncryptionBackend, StateManager } from "../state"
+import type { DatabaseManager } from "../database"
 import type { ArtifactBackend } from "./abstractions"
+import { xchacha20poly1305 } from "@noble/ciphers/chacha"
+import { managedNonce } from "@noble/ciphers/webcrypto"
 
 const nonceSize = 24
 
+/**
+ * The ArtifactBackend decorator that adds encryption and key obfuscation to the artifact storage.
+ */
 export class EncryptionArtifactBackend implements ArtifactBackend {
   constructor(
     private readonly artifactBackend: ArtifactBackend,
-    private readonly stateManager: StateManager,
+    private readonly database: DatabaseManager,
   ) {}
 
   async store(
     projectId: string,
-    hash: string,
+    artifactId: string,
     chunkSize: number,
     content: AsyncIterable<Uint8Array>,
   ): Promise<void> {
-    const encryptionBackend = this.stateManager.getEncryptionBackend(projectId)
-    const encryptedContent = this.getEncryptedContent(encryptionBackend, content)
+    const encryptedContent = this.getEncryptedContent(projectId, content)
 
-    await this.artifactBackend.store(projectId, hash, chunkSize + nonceSize, encryptedContent)
+    await this.artifactBackend.store(projectId, artifactId, chunkSize + nonceSize, encryptedContent)
   }
 
   private async *getEncryptedContent(
-    encryptionBackend: EncryptionBackend,
+    projectId: string,
     content: AsyncIterable<Uint8Array>,
   ): AsyncIterable<Uint8Array> {
+    const masterKey = await this.database.getProjectMasterKey(projectId)
+    if (!masterKey) {
+      throw new Error(`No master key found for project ${projectId}`)
+    }
+
+    const xchacha = managedNonce(xchacha20poly1305)(masterKey)
+
     for await (const chunk of content) {
-      yield await encryptionBackend.encrypt(chunk)
+      yield xchacha.encrypt(chunk)
     }
   }
 
   async retrieve(
     projectId: string,
-    hash: string,
+    artifactId: string,
     chunkSize: number,
   ): Promise<AsyncIterable<Uint8Array> | null> {
-    const encryptionBackend = this.stateManager.getEncryptionBackend(projectId)
-
     const encryptedContent = await this.artifactBackend.retrieve(
       projectId,
-      hash,
+      artifactId,
       chunkSize + nonceSize,
     )
 
@@ -47,15 +56,22 @@ export class EncryptionArtifactBackend implements ArtifactBackend {
       return null
     }
 
-    return this.getDecryptedContent(encryptionBackend, encryptedContent)
+    return this.getDecryptedContent(projectId, encryptedContent)
   }
 
   private async *getDecryptedContent(
-    encryptionBackend: EncryptionBackend,
+    projectId: string,
     encryptedContent: AsyncIterable<Uint8Array>,
   ): AsyncIterable<Uint8Array> {
+    const masterKey = await this.database.getProjectMasterKey(projectId)
+    if (!masterKey) {
+      throw new Error(`No master key found for project ${projectId}`)
+    }
+
+    const xchacha = managedNonce(xchacha20poly1305)(masterKey)
+
     for await (const chunk of encryptedContent) {
-      yield await encryptionBackend.decrypt(chunk)
+      yield xchacha.decrypt(chunk)
     }
   }
 

package/src/artifact/factory.ts

@@ -1,19 +1,18 @@
-import type { ArtifactBackend } from "./abstractions"
 import type { Logger } from "pino"
-import type { StateManager } from "../state"
+import type { DatabaseManager } from "../database"
+import type { ArtifactBackend } from "./abstractions"
 import { z } from "zod"
-import { LocalArtifactBackend, localArtifactBackendConfig } from "./local"
 import { EncryptionArtifactBackend } from "./encryption"
+import { LocalArtifactBackend, localArtifactBackendConfig } from "./local"
 
 export const artifactBackendConfig = z.object({
   HIGHSTATE_ARTIFACT_BACKEND_TYPE: z.enum(["local"]).default("local"),
-  HIGHSTATE_ARTIFACT_ENABLE_ENCRYPTION: z.coerce.boolean().default(true),
   ...localArtifactBackendConfig.shape,
 })
 
 export async function createArtifactBackend(
   config: z.infer<typeof artifactBackendConfig> & Record<string, unknown>,
-  stateManager: StateManager,
+  database: DatabaseManager,
   logger: Logger,
 ): Promise<ArtifactBackend> {
   let backend: ArtifactBackend
@@ -22,14 +21,12 @@ export async function createArtifactBackend(
 
   switch (config.HIGHSTATE_ARTIFACT_BACKEND_TYPE) {
     case "local": {
-      backend = await LocalArtifactBackend.create(config, fileExtension, stateManager, logger)
+      backend = await LocalArtifactBackend.create(config, fileExtension, logger)
     }
   }
 
-  if (config.HIGHSTATE_ARTIFACT_ENABLE_ENCRYPTION) {
-    backend = new EncryptionArtifactBackend(backend, stateManager)
-  } else {
-    logger.warn("artifact encryption is disabled, this is not recommended")
+  if (database.isEncryptionEnabled) {
+    backend = new EncryptionArtifactBackend(backend, database)
   }
 
   return backend

package/src/artifact/local.ts

@@ -1,61 +1,54 @@
 import type { Logger } from "pino"
-import type { StateManager } from "../state"
+import type z from "zod"
+import type { ArtifactBackend } from "./abstractions"
 import { createReadStream, createWriteStream } from "node:fs"
-import { access, mkdir, readdir, rmdir, unlink } from "node:fs/promises"
+import { access, mkdir, readdir, rm, unlink } from "node:fs/promises"
 import { join, resolve } from "node:path"
-import { z } from "zod"
-import { type ArtifactBackend } from "./abstractions"
+import { codebaseConfig, createProjectLogger, getCodebaseHighstatePath } from "../common"
 
-export const localArtifactBackendConfig = z.object({
-  HIGHSTATE_ARTIFACT_BACKEND_LOCAL_DIR: z.string().optional(),
-})
+export const localArtifactBackendConfig = codebaseConfig
 
 /**
  * A local artifact backend that stores artifacts in the filesystem.
  *
- * The default artifact location is `~/.highstate/artifacts`.
- *
  * File structure:
- * - `{artifactDir}/{first2chars}/{hash}` - actual artifact content files
+ * - `{codebase}/.highstate/projects/{projectId}/artifacts/{id}.{extension}`
  */
 export class LocalArtifactBackend implements ArtifactBackend {
   constructor(
-    private readonly storageDir: string,
-    private readonly fileExtension: string,
-    private readonly stateManager: StateManager,
+    private readonly hsCodebasePath: string,
+    private readonly extension: string,
     private readonly logger: Logger,
-  ) {
-    this.logger.debug({ msg: "initialized", baseDir: storageDir })
-  }
+  ) {}
 
   async store(
     projectId: string,
-    hash: string,
+    artifactId: string,
     chunkSize: number,
     content: AsyncIterable<Uint8Array>,
   ): Promise<void> {
-    const [baseDir, fileName] = this.getArtifactPath(projectId, hash)
+    const logger = createProjectLogger(this.logger, projectId)
+    const [baseDir, fileName] = this.getArtifactPath(projectId, artifactId)
     await mkdir(baseDir, { recursive: true })
 
     // check if the artifact already exists
     try {
       await access(fileName)
-      this.logger.debug({ msg: "artifact already exists", hash })
-
+      logger.debug({ artifactId }, "artifact already exists")
       return
     } catch {
       // artifact does not exist, continue with storing
     }
 
     const file = createWriteStream(fileName, { highWaterMark: chunkSize })
-    this.logger.debug({ msg: "opened file for writing", hash, fileName })
+    logger.debug({ artifactId, fileName }, "opened file for writing")
 
     for await (const chunk of content) {
       file.write(chunk)
     }
 
     file.end()
-    this.logger.info({ msg: "artifact stored", hash, fileName })
+    logger.info({ artifactId, fileName }, "artifact stored")
   }
 
   async retrieve(
@@ -63,41 +56,41 @@ export class LocalArtifactBackend implements ArtifactBackend {
     hash: string,
     chunkSize: number,
   ): Promise<AsyncIterable<Uint8Array> | null> {
+    const logger = createProjectLogger(this.logger, projectId)
     const [, fileName] = this.getArtifactPath(projectId, hash)
 
     try {
       return Promise.resolve(createReadStream(fileName, { highWaterMark: chunkSize }))
     } catch (error) {
-      this.logger.debug({ msg: "artifact retrieval failed", hash, error })
-
+      logger.debug({ hash, error }, "artifact retrieval failed")
       return null
     }
   }
 
   async delete(projectId: string, hash: string): Promise<void> {
+    const logger = createProjectLogger(this.logger, projectId)
     const [baseDir, fileName] = this.getArtifactPath(projectId, hash)
 
     try {
       await unlink(fileName)
-      await this.deleteDirectoryIfEmpty(baseDir)
-
-      this.logger.info({ msg: "artifact deleted", hash, fileName })
+      await this.deleteDirectoryIfEmpty(baseDir, logger)
+      logger.info({ hash, fileName }, "artifact deleted")
     } catch (error) {
-      this.logger.error({ msg: "artifact deletion failed", hash, fileName, error })
+      logger.error({ hash, fileName, error }, "artifact deletion failed")
     }
   }
 
-  async deleteDirectoryIfEmpty(dirPath: string): Promise<void> {
+  async deleteDirectoryIfEmpty(dirPath: string, logger: Logger): Promise<void> {
     try {
       const files = await readdir(dirPath)
       if (files.length === 0) {
-        await rmdir(dirPath)
-        this.logger.info({ msg: "deleted empty directory", dirPath })
+        await rm(dirPath)
+        logger.info({ dirPath }, "deleted empty directory")
       } else {
-        this.logger.debug({ msg: "directory not empty, skipping deletion", dirPath, files })
+        logger.debug({ dirPath, fileCount: files.length }, "directory not empty, skipping deletion")
       }
     } catch (error) {
-      this.logger.error({ msg: "failed to delete directory", dirPath, error })
+      logger.error({ dirPath, error }, "failed to delete directory")
     }
   }
 
@@ -113,30 +106,20 @@ export class LocalArtifactBackend implements ArtifactBackend {
   }
 
   private getArtifactPath(projectId: string, hash: string): [baseDir: string, fileName: string] {
-    const hashedProjectId = this.stateManager.getHashedProjectId(projectId)
-    const baseDir = resolve(this.storageDir, hashedProjectId, hash.substring(0, 2))
-    const fileName = join(baseDir, `${hash}${this.fileExtension}`)
+    const baseDir = resolve(this.hsCodebasePath, "projects", projectId, "artifacts")
+    const fileName = join(baseDir, `${hash}${this.extension}`)
 
     return [baseDir, fileName]
   }
 
   static async create(
-    config: z.infer<typeof localArtifactBackendConfig>,
-    fileExtension: string,
-    stateManager: StateManager,
+    config: z.infer<typeof codebaseConfig>,
+    extension: string,
     logger: Logger,
   ): Promise<LocalArtifactBackend> {
-    const childLogger = logger.child({
-      backend: "ArtifactBackend",
-      service: "LocalArtifactBackend",
-    })
-
-    let location = config.HIGHSTATE_ARTIFACT_BACKEND_LOCAL_DIR
-    if (!location) {
-      location = resolve(process.env.HOME!, ".highstate", "artifacts")
-    }
+    const serviceLogger = logger.child({ service: "LocalArtifactBackend" })
+    const codebasePath = await getCodebaseHighstatePath(config, logger)
 
-    await mkdir(location, { recursive: true })
-    return new LocalArtifactBackend(location, fileExtension, stateManager, childLogger)
+    return new LocalArtifactBackend(codebasePath, extension, serviceLogger)
   }
 }

package/src/business/api-key.ts

@@ -1,12 +1,13 @@
-import type { LockManager } from "../lock"
-import type { StateManager } from "../state"
+import type { Logger } from "pino"
+import type { ApiKey, DatabaseManager } from "../database"
 import { randomBytes } from "node:crypto"
-import { AccessError, type ProjectApiKey } from "../shared"
+import { createProjectLogger } from "../common"
+import { AccessError } from "../shared"
 
 export class ApiKeyService {
   constructor(
-    private readonly stateManager: StateManager,
-    private readonly lockManager: LockManager,
+    private readonly database: DatabaseManager,
+    private readonly logger: Logger,
   ) {}
 
   /**
@@ -15,35 +16,20 @@ export class ApiKeyService {
    * @param projectId The ID of the project containing the API key.
    * @param apiKeyId The ID of the API key to regenerate.
    */
-  async regenerateToken(projectId: string, apiKeyId: string): Promise<ProjectApiKey> {
-    return await this.lockManager.acquire([["api-key", projectId, apiKeyId]], async () => {
-      const apiKey = await this.stateManager.getApiKeyRepository(projectId).get(apiKeyId)
-      if (!apiKey) {
-        throw new Error(`API key with ID "${apiKeyId}" not found in project "${projectId}"`)
-      }
-
-      const batch = this.stateManager.batch()
-
-      // delete the old token from the index
-      await this.stateManager
-        .getApiKeyTokenIndexRepository(projectId)
-        .indexRepository.delete(apiKey.token, batch)
-
-      // generate a new token
-      apiKey.token = randomBytes(32).toString("hex")
-
-      // update the API key with the new token and update the index
-      await Promise.all([
-        this.stateManager.getApiKeyRepository(projectId).putItem(apiKey, batch),
-        this.stateManager
-          .getApiKeyTokenIndexRepository(projectId)
-          .indexRepository.put(apiKey.token, apiKey.id, batch),
-      ])
+  async regenerateToken(projectId: string, apiKeyId: string): Promise<ApiKey> {
+    const logger = createProjectLogger(this.logger, projectId)
+    const database = await this.database.forProject(projectId)
+
+    const apiKey = await database.apiKey.update({
+      where: { id: apiKeyId },
+      data: {
+        token: randomBytes(32).toString("hex"),
+      },
+    })
 
-      await batch.write()
+    logger.info(`regenerated API key token with ID "%s",`, apiKeyId)
 
-      return apiKey
-    })
+    return apiKey
   }
 
   /**
@@ -54,10 +40,12 @@ export class ApiKeyService {
    * @returns The ProjectApiKey object if found.
    * @throws AccessError if the token is not valid for the project.
    */
-  async getApiKeyByToken(projectId: string, token: string): Promise<ProjectApiKey> {
-    const apiKey = await this.stateManager.getApiKeyTokenIndexRepository(projectId).get(token)
-    if (!apiKey || apiKey.token !== token) {
-      throw new AccessError(`Token is not valid for project "${projectId}"`)
+  async getApiKeyByToken(projectId: string, token: string): Promise<ApiKey> {
+    const database = await this.database.forProject(projectId)
+    const apiKey = await database.apiKey.findUnique({ where: { token } })
+
+    if (!apiKey) {
+      throw new AccessError(`API key token is not valid for project "${projectId}"`)
     }
 
     return apiKey