npm - @lotics/app-sdk - Versions diffs - 0.6.0 → 0.7.0 - Mend

@lotics/app-sdk 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/src/rpc.d.ts CHANGED Viewed

@@ -1,17 +1,22 @@
 /**
- * postMessage RPC bridge to the parent Lotics frontend.
+ * RPC bridge for a custom-code app's data operations.
  *
- * The iframe runs `sandbox="allow-scripts"` with a unique (null) origin, so
- * direct fetch with credentials isn't possible. Every data operation flows
- * through the parent: the iframe posts an op + payload, the parent makes
- * the authenticated API call and posts the result back.
+ * An app reaches the Lotics API one of two ways, chosen automatically:
  *
- * Wire protocol (must match `frontend/features/app_ui/app_iframe_host.tsx`):
- *   iframe → parent: { id: number, op: string, payload: unknown }
- *   parent → iframe: { id: number, type: "result", data } | { id, type: "error", message }
+ *  - **Bridged** — the app is embedded by a Lotics host (the authenticated
+ *    product, or `lotics app dev`), which passes its origin via the
+ *    `?lotics_host=` query param. The host holds the session; the app posts
+ *    ops over postMessage and the host makes the API call. Used by internal
+ *    apps — the member's credentials must never reach the app.
  *
- * Bumping protocol version requires a coordinated change in the parent.
- * Add new ops alongside existing ones; never repurpose them.
+ *  - **Standalone** — the app is served on its own at `<slug>.lotics.app`
+ *    with no host. It calls the public `/v1/apps/{id}/*` endpoints directly;
+ *    those are anonymous-accessible for a publicly-shared app. The app holds
+ *    no credentials, so there is nothing to protect.
+ *
+ * Wire protocol (bridged — must match `app_iframe_host.tsx`):
+ *   app  → host: { id, op, payload }
+ *   host → app:  { id, type: "result", data } | { id, type: "error", message }
  */
 export type RpcOp = "query" | "workflow" | "upload";
 export declare function rpc<T = unknown>(op: RpcOp, payload: unknown): Promise<T>;

package/dist/src/rpc.js CHANGED Viewed

@@ -1,18 +1,30 @@
 /**
- * postMessage RPC bridge to the parent Lotics frontend.
+ * RPC bridge for a custom-code app's data operations.
  *
- * The iframe runs `sandbox="allow-scripts"` with a unique (null) origin, so
- * direct fetch with credentials isn't possible. Every data operation flows
- * through the parent: the iframe posts an op + payload, the parent makes
- * the authenticated API call and posts the result back.
+ * An app reaches the Lotics API one of two ways, chosen automatically:
  *
- * Wire protocol (must match `frontend/features/app_ui/app_iframe_host.tsx`):
- *   iframe → parent: { id: number, op: string, payload: unknown }
- *   parent → iframe: { id: number, type: "result", data } | { id, type: "error", message }
+ *  - **Bridged** — the app is embedded by a Lotics host (the authenticated
+ *    product, or `lotics app dev`), which passes its origin via the
+ *    `?lotics_host=` query param. The host holds the session; the app posts
+ *    ops over postMessage and the host makes the API call. Used by internal
+ *    apps — the member's credentials must never reach the app.
  *
- * Bumping protocol version requires a coordinated change in the parent.
- * Add new ops alongside existing ones; never repurpose them.
+ *  - **Standalone** — the app is served on its own at `<slug>.lotics.app`
+ *    with no host. It calls the public `/v1/apps/{id}/*` endpoints directly;
+ *    those are anonymous-accessible for a publicly-shared app. The app holds
+ *    no credentials, so there is nothing to protect.
+ *
+ * Wire protocol (bridged — must match `app_iframe_host.tsx`):
+ *   app  → host: { id, op, payload }
+ *   host → app:  { id, type: "result", data } | { id, type: "error", message }
  */
+/** The embedding Lotics host's origin — present iff the app is bridged. */
+const hostOrigin = new URLSearchParams(window.location.search).get("lotics_host");
+export function rpc(op, payload) {
+    return hostOrigin
+        ? rpcBridged(op, payload, hostOrigin)
+        : rpcStandalone(op, payload);
+}
 const pending = new Map();
 let nextRpcId = 0;
 let listenerInstalled = false;
@@ -21,10 +33,8 @@ function ensureListener() {
         return;
     listenerInstalled = true;
     window.addEventListener("message", (event) => {
-        // Trust only messages from the parent window. The iframe's origin is null
-        // (sandboxed), so we can't compare origins meaningfully — we trust the
-        // window reference instead.
-        if (event.source !== window.parent)
+        // Accept only messages from the parent window, at the host origin.
+        if (event.source !== window.parent || event.origin !== hostOrigin)
             return;
         const msg = event.data;
         if (!msg || typeof msg.id !== "number")
@@ -41,11 +51,98 @@ function ensureListener() {
         }
     });
 }
-export function rpc(op, payload) {
+function rpcBridged(op, payload, host) {
     ensureListener();
     return new Promise((resolve, reject) => {
         const id = nextRpcId++;
         pending.set(id, { resolve: resolve, reject });
-        window.parent.postMessage({ id, op, payload }, "*");
+        window.parent.postMessage({ id, op, payload }, host);
+    });
+}
+// ── Standalone transport ────────────────────────────────────────────────────
+// Standalone apps run only at `<slug>.lotics.app` (production); dev apps are
+// always bridged by the `lotics app dev` wrapper.
+const API_BASE = "https://api.lotics.ai";
+/** Resolved once — the app_id this standalone app's data calls are keyed by. */
+let appIdPromise = null;
+function resolveAppId() {
+    if (!appIdPromise) {
+        const slug = window.location.hostname.split(".")[0];
+        const attempt = apiCall("GET", `/v1/apps/by-subdomain/${encodeURIComponent(slug)}`).then((r) => r.app_id);
+        // Don't cache a rejection — a transient failure on first load would
+        // otherwise brick every later data call for the session. Clear the slot
+        // so the next call retries.
+        attempt.catch(() => {
+            if (appIdPromise === attempt)
+                appIdPromise = null;
+        });
+        appIdPromise = attempt;
+    }
+    return appIdPromise;
+}
+async function apiCall(method, path, body) {
+    const res = await fetch(`${API_BASE}${path}`, {
+        method,
+        headers: body ? { "content-type": "application/json" } : undefined,
+        body: body ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        let message = text;
+        try {
+            message = JSON.parse(text).message ?? text;
+        }
+        catch {
+            // response body is not JSON — use it verbatim
+        }
+        throw new Error(message || `HTTP ${res.status}`);
+    }
+    return text ? JSON.parse(text) : {};
+}
+function rpcStandalone(op, payload) {
+    switch (op) {
+        case "query":
+            return standaloneQuery(payload);
+        case "workflow":
+            return standaloneWorkflow(payload);
+        case "upload":
+            return standaloneUpload(payload.file);
+    }
+}
+async function standaloneQuery(p) {
+    const appId = await resolveAppId();
+    const r = (await apiCall("POST", `/v1/apps/${appId}/query`, {
+        alias: p.alias,
+        params: p.params,
+    }));
+    return { rows: r.rows ?? [] };
+}
+async function standaloneWorkflow(p) {
+    const appId = await resolveAppId();
+    return apiCall("POST", `/v1/apps/${appId}/workflows/${encodeURIComponent(p.alias)}/execute`, { inputs: p.inputs });
+}
+async function standaloneUpload(file) {
+    if (!(file instanceof File)) {
+        throw new Error("upload payload must include a File");
+    }
+    const appId = await resolveAppId();
+    const init = (await apiCall("POST", `/v1/apps/${appId}/files/upload-url`, {
+        filename: file.name,
+        mime_type: file.type,
+        file_size: file.size,
+    }));
+    const put = await fetch(init.upload_url, {
+        method: "PUT",
+        body: file,
+        headers: { "Content-Type": file.type },
     });
+    if (!put.ok) {
+        throw new Error(`Storage upload failed (${put.status})`);
+    }
+    const done = (await apiCall("POST", `/v1/apps/${appId}/files/complete`, {
+        file_id: init.file_id,
+        file_storage_key: init.file_storage_key,
+        filename: file.name,
+    }));
+    return done.file;
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lotics/app-sdk",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "Runtime SDK for Lotics custom-code apps — typed hooks, postMessage bridge, mount entry point",
   "type": "module",
   "exports": {