@lunora/config 0.0.0 → 1.0.0-alpha.1

package/dist/packem_shared/policy-scaffold.d-DCmwn7zQ.d.ts

@@ -0,0 +1,74 @@
+/** Scaffold a new policy/role/permission stub file under `lunora/`. */
+interface ScaffoldPolicyEdit {
+  readonly kind: "scaffoldPolicy";
+  /**
+  * Base name for the generated file and its exported policy-set identifier,
+  * e.g. `invoices` → `lunora/invoices.policies.ts` exporting `invoicesPolicies`.
+  */
+  readonly name: string;
+  /** Logical table the scaffolded policy guards (used in the stub body). */
+  readonly table: string;
+}
+/** Append `.use(rls(<policies>))` to an existing procedure's builder chain. */
+interface WireRlsEdit {
+  /** Exported procedure name to wire, e.g. `listInvoices`. */
+  readonly exportName: string;
+  readonly kind: "wireRls";
+  /** Identifier of the policy set passed to `rls(...)`, e.g. `invoicesPolicies`. */
+  readonly policies: string;
+}
+/** Additive scaffolder edits — the only requests the scaffolder applies. */
+type AdditivePolicyEdit = ScaffoldPolicyEdit | WireRlsEdit;
+/**
+* Destructive scaffolder requests — never applied. Rewriting an existing `when`
+* body changes evaluation semantics silently, so it is refused (STOP condition
+* in plan 025); carried as data so the editor can describe the request.
+*/
+interface DestructivePolicyEdit {
+  readonly exportName?: string;
+  readonly kind: "rewritePolicyWhen";
+  readonly table?: string;
+}
+/** Any request the scaffolder can receive. */
+type PolicyEdit = AdditivePolicyEdit | DestructivePolicyEdit;
+/**
+* Classify a scaffolder request. Additive requests ({@link AdditivePolicyEdit})
+* apply directly; everything else (rewriting an existing predicate) changes
+* evaluation semantics and is destructive.
+*/
+declare const classifyPolicyEdit: (edit: PolicyEdit) => "additive" | "destructive";
+/** Failure reasons a scaffolder request can report. */
+type PolicyScaffoldFailureReason = "already-wired" | "destructive" | "invalid-identifier" | "unknown-procedure" | "unsupported-procedure-shape";
+/** Tagged result of generating a stub file. */
+type ScaffoldFileResult = {
+  fileName: string;
+  ok: true;
+  source: string;
+} | {
+  ok: false;
+  reason: PolicyScaffoldFailureReason;
+};
+/** Tagged result of wiring a procedure. */
+type WireResult = {
+  ok: false;
+  reason: PolicyScaffoldFailureReason;
+} | {
+  ok: true;
+  text: string;
+};
+/**
+* Generate the source of a new policy/role/permission stub file. The `when`
+* predicate is a `() => false` skeleton with a TODO — the scaffolder never
+* authors real logic, the developer fills it in. Pure (no I/O); the handler
+* writes the returned source and refuses to overwrite an existing file.
+*/
+declare const scaffoldPolicyFile: (edit: ScaffoldPolicyEdit) => ScaffoldFileResult;
+/**
+* Append `.use(rls(<policies>))` to a procedure's builder chain, preserving the
+* terminal `.query(handler)` (and its handler body) byte-for-byte. Only the
+* **builder** form can be wired; the bare-factory form (`query({ handler })`)
+* has no chain and is reported `unsupported-procedure-shape` so the editor can
+* tell the developer to convert it rather than silently rewriting their code.
+*/
+declare const wireRlsIntoProcedure: (source: string, edit: WireRlsEdit) => WireResult;
+export { AdditivePolicyEdit as A, DestructivePolicyEdit as D, PolicyEdit as P, ScaffoldPolicyEdit as S, WireRlsEdit as W, PolicyScaffoldFailureReason as a, ScaffoldFileResult as b, WireResult as c, classifyPolicyEdit as d, scaffoldPolicyFile as s, wireRlsIntoProcedure as w };

package/dist/packem_shared/reconcileWranglerBindings-ByJk3yLU.mjs

@@ -0,0 +1,277 @@
+import { writeFileSync } from 'node:fs';
+import { containerBuildTag } from '@lunora/container';
+import { modify, applyEdits } from 'jsonc-parser';
+import { findWranglerFile, readWranglerJsonc } from './findWranglerFile-DwSuC-Kn.mjs';
+
+const FORMATTING = { formattingOptions: { insertSpaces: true, tabSize: 4 } };
+const D1_PLACEHOLDER_ID = "<replace-with-d1-create-id>";
+const collectExportGaps = (inferred) => {
+  const gaps = [];
+  for (const container of inferred.containers) {
+    if (!container.exported) {
+      gaps.push({ className: container.className, exportName: container.exportName, kind: "container", module: "containers" });
+    }
+  }
+  for (const workflow of inferred.workflows) {
+    if (!workflow.exported) {
+      gaps.push({ className: workflow.className, exportName: workflow.exportName, kind: "workflow", module: "workflows" });
+    }
+  }
+  return gaps;
+};
+const collectHintBindingWarnings = (inferred, parsed) => {
+  const rules = [
+    [
+      inferred.usesKv && (parsed?.kv_namespaces?.length ?? 0) === 0,
+      "@lunora/kv is used but no kv_namespaces binding exists; add a kv_namespaces entry ({ binding, id }) and pass env.<BINDING> to createKv() — the namespace id can't be auto-provisioned."
+    ],
+    [
+      inferred.usesHyperdrive && (parsed?.hyperdrive?.length ?? 0) === 0,
+      "@lunora/hyperdrive is used but no hyperdrive binding exists; run 'wrangler hyperdrive create' and add a 'hyperdrive' binding ({ binding, id }) — the id can't be auto-provisioned."
+    ],
+    [
+      inferred.usesPipelines && (parsed?.pipelines?.length ?? 0) === 0,
+      "@lunora/pipelines is used but no pipelines binding exists; run 'wrangler pipelines create <name>' and add a 'pipelines' binding ({ binding, pipeline }) — the pipeline resource can't be auto-provisioned."
+    ]
+  ];
+  return rules.filter(([active]) => active).map(([, warning]) => warning);
+};
+const collectWarnings = (inferred, parsed) => {
+  const exported = new Set(inferred.durableObjects.map((object) => object.className));
+  const warnings = [];
+  const hasR2Bucket = (parsed?.r2_buckets?.length ?? 0) > 0;
+  const hasSessionStore = (parsed?.d1_databases?.some((binding) => binding.binding === "DB") ?? false) || inferred.needsD1;
+  if (inferred.usesStorage && !hasR2Bucket) {
+    warnings.push(
+      "@lunora/storage is used but R2 bucket bindings have user-defined names; add an r2_buckets entry and pass env.<BINDING> to createStorage()."
+    );
+  }
+  if (inferred.usesAuth && !exported.has("SessionDO") && !hasSessionStore) {
+    warnings.push(
+      "@lunora/auth is used but the worker entry exports no SessionDO; sessions are D1-backed, or export SessionDO to enable DO-backed sessions."
+    );
+  }
+  if (inferred.usesScheduler && !exported.has("SchedulerDO")) {
+    warnings.push("@lunora/scheduler is used but the worker entry exports no SchedulerDO; export it so the SCHEDULER binding can be provisioned.");
+  }
+  for (const container of inferred.containers) {
+    if (!container.exported) {
+      warnings.push(
+        `container "${container.exportName}" is declared but ${container.className} is not exported by the worker entry; add \`export * from "./lunora/_generated/containers"\` so its binding can be provisioned.`
+      );
+    }
+  }
+  for (const workflow of inferred.workflows) {
+    if (!workflow.exported) {
+      warnings.push(
+        `workflow "${workflow.exportName}" is declared but ${workflow.className} is not exported by the worker entry; add \`export * from "./lunora/_generated/workflows"\` so its binding can be provisioned.`
+      );
+    }
+  }
+  if (inferred.containers.length > 0 && parsed?.observability?.enabled === false) {
+    warnings.push("containers are declared but observability is explicitly disabled in wrangler.jsonc — container logs will not be captured.");
+  }
+  if (inferred.usesPayment) {
+    warnings.push(
+      "@lunora/payment is used; set the provider secrets in .dev.vars — STRIPE_SECRET_KEY + STRIPE_WEBHOOK_SECRET (Stripe) or POLAR_ACCESS_TOKEN + POLAR_WEBHOOK_SECRET (Polar)."
+    );
+  }
+  warnings.push(...collectHintBindingWarnings(inferred, parsed));
+  return warnings;
+};
+const applyModify = (text, path, value) => {
+  const edits = modify(text, [...path], value, FORMATTING);
+  return edits.length > 0 ? applyEdits(text, edits) : text;
+};
+const nextMigrationTag = (migrations) => {
+  const used = new Set(migrations.map((migration) => migration.tag));
+  let index = 1;
+  while (used.has(`v${String(index)}`)) {
+    index += 1;
+  }
+  return `v${String(index)}`;
+};
+const reconcileDurableObjects = (text, parsed, required) => {
+  const existingBindings = parsed.durable_objects?.bindings ?? [];
+  const existingNames = new Set(existingBindings.map((binding) => binding.name));
+  const missing = required.filter((object) => !existingNames.has(object.binding));
+  let nextText = text;
+  const added = [];
+  if (missing.length > 0) {
+    const nextBindings = [
+      ...existingBindings,
+      ...missing.map((object) => {
+        return { class_name: object.className, name: object.binding };
+      })
+    ];
+    nextText = applyModify(nextText, ["durable_objects", "bindings"], nextBindings);
+    added.push(...missing.map((object) => `${object.binding}/${object.className}`));
+  }
+  const migrations = parsed.migrations ?? [];
+  const registered = new Set(migrations.flatMap((migration) => [...migration.new_sqlite_classes ?? [], ...migration.new_classes ?? []]));
+  const missingClasses = required.map((object) => object.className).filter((className) => !registered.has(className));
+  if (missingClasses.length > 0) {
+    const nextMigrations = [...migrations, { new_sqlite_classes: missingClasses, tag: nextMigrationTag(migrations) }];
+    nextText = applyModify(nextText, ["migrations"], nextMigrations);
+  }
+  return { added, text: nextText };
+};
+const reconcileD1 = (text, parsed) => {
+  const d1Bindings = parsed.d1_databases ?? [];
+  if (d1Bindings.some((binding) => binding.binding === "DB")) {
+    return { added: [], text };
+  }
+  const databaseName = typeof parsed.name === "string" && parsed.name.length > 0 ? parsed.name : "lunora";
+  const nextD1 = [...d1Bindings, { binding: "DB", database_id: D1_PLACEHOLDER_ID, database_name: databaseName }];
+  return { added: ["DB (D1)"], text: applyModify(text, ["d1_databases"], nextD1) };
+};
+const reconcileSelfDescribing = (text, parsed, key, binding, label) => {
+  const current = parsed[key]?.binding;
+  if (typeof current === "string" && current.length > 0) {
+    return { added: [], text };
+  }
+  return { added: [label], text: applyModify(text, [key], { binding }) };
+};
+const reconcileAnalytics = (text, parsed) => {
+  if ((parsed.analytics_engine_datasets?.length ?? 0) > 0) {
+    return { added: [], text };
+  }
+  const nextDatasets = [{ binding: "ANALYTICS", dataset: "ANALYTICS" }];
+  return { added: ["ANALYTICS (Analytics Engine)"], text: applyModify(text, ["analytics_engine_datasets"], nextDatasets) };
+};
+const wranglerInstanceType = (instanceType) => {
+  if (typeof instanceType === "string") {
+    return instanceType;
+  }
+  const custom = {};
+  if (instanceType.diskMb !== void 0) {
+    custom.disk_mb = instanceType.diskMb;
+  }
+  if (instanceType.memoryMib !== void 0) {
+    custom.memory_mib = instanceType.memoryMib;
+  }
+  if (instanceType.vcpu !== void 0) {
+    custom.vcpu = instanceType.vcpu;
+  }
+  return custom;
+};
+const imageRefFor = (container) => {
+  if (container.image.kind === "dockerfile") {
+    return container.image.dockerfilePath;
+  }
+  if (container.image.kind === "registry") {
+    return container.image.reference;
+  }
+  return containerBuildTag(container.exportName);
+};
+const containerEntryFor = (container) => {
+  const entry = {
+    class_name: container.className,
+    image: imageRefFor(container)
+  };
+  if (container.image.kind === "dockerfile") {
+    entry.image_build_context = container.image.buildContext;
+  }
+  if (container.buildArgs !== void 0 && container.image.kind !== "registry") {
+    entry.image_vars = container.buildArgs;
+  }
+  if (container.instanceType !== void 0) {
+    entry.instance_type = wranglerInstanceType(container.instanceType);
+  }
+  if (container.maxInstances !== void 0) {
+    entry.max_instances = container.maxInstances;
+  }
+  if (container.name !== void 0) {
+    entry.name = container.name;
+  }
+  if (container.rollout?.stepPercentage !== void 0) {
+    entry.rollout_step_percentage = container.rollout.stepPercentage;
+  }
+  if (container.rollout?.gracePeriodSeconds !== void 0) {
+    entry.rollout_active_grace_period = container.rollout.gracePeriodSeconds;
+  }
+  return entry;
+};
+const reconcileContainers = (text, parsed, containers) => {
+  const existing = parsed.containers ?? [];
+  const existingClasses = new Set(existing.map((entry) => entry.class_name));
+  const missing = containers.filter((container) => !existingClasses.has(container.className));
+  if (missing.length === 0) {
+    return { added: [], text };
+  }
+  const nextText = applyModify(text, ["containers"], [...existing, ...missing.map((container) => containerEntryFor(container))]);
+  return { added: missing.map((container) => `containers/${container.className}`), text: nextText };
+};
+const reconcileObservability = (text, parsed) => {
+  if (parsed.observability !== void 0) {
+    return { added: [], text };
+  }
+  const nextText = applyModify(text, ["observability"], { enabled: true, head_sampling_rate: 1 });
+  return { added: ["observability"], text: nextText };
+};
+const workflowEntryFor = (workflow) => {
+  return { binding: workflow.bindingName, class_name: workflow.className, name: workflow.name };
+};
+const reconcileWorkflows = (text, parsed, workflows) => {
+  const existing = parsed.workflows ?? [];
+  const existingClasses = new Set(existing.map((entry) => entry.class_name));
+  const missing = workflows.filter((workflow) => !existingClasses.has(workflow.className));
+  if (missing.length === 0) {
+    return { added: [], text };
+  }
+  const nextText = applyModify(text, ["workflows"], [...existing, ...missing.map((workflow) => workflowEntryFor(workflow))]);
+  return { added: missing.map((workflow) => `workflows/${workflow.className}`), text: nextText };
+};
+const reconcileWranglerBindings = (projectRoot, inferred) => {
+  const wranglerPath = findWranglerFile(projectRoot);
+  const exportGaps = collectExportGaps(inferred);
+  if (!wranglerPath) {
+    return { added: [], changed: false, exportGaps, reason: "wrangler.jsonc not found", warnings: collectWarnings(inferred) };
+  }
+  const { parsed, text: original } = readWranglerJsonc(wranglerPath);
+  if (parsed === void 0) {
+    return { added: [], changed: false, exportGaps, reason: `failed to parse ${wranglerPath} as JSONC`, warnings: collectWarnings(inferred), wranglerPath };
+  }
+  const warnings = collectWarnings(inferred, parsed);
+  const exportedContainers = inferred.containers.filter((container) => container.exported);
+  const requiredDurableObjects = [
+    ...inferred.durableObjects,
+    ...exportedContainers.map((container) => {
+      return { binding: container.bindingName, className: container.className };
+    })
+  ];
+  const exportedWorkflows = inferred.workflows.filter((workflow) => workflow.exported);
+  const pipeline = [
+    { enabled: true, run: (text2) => reconcileDurableObjects(text2, parsed, requiredDurableObjects) },
+    { enabled: inferred.needsD1, run: (text2) => reconcileD1(text2, parsed) },
+    { enabled: inferred.usesAi, run: (text2) => reconcileSelfDescribing(text2, parsed, "ai", "AI", "AI (Workers AI)") },
+    { enabled: inferred.usesBrowser, run: (text2) => reconcileSelfDescribing(text2, parsed, "browser", "BROWSER", "BROWSER (Browser Rendering)") },
+    { enabled: inferred.usesImages, run: (text2) => reconcileSelfDescribing(text2, parsed, "images", "IMAGES", "IMAGES (Cloudflare Images)") },
+    { enabled: inferred.usesAnalytics, run: (text2) => reconcileAnalytics(text2, parsed) },
+    { enabled: true, run: (text2) => reconcileObservability(text2, parsed) },
+    { enabled: exportedContainers.length > 0, run: (text2) => reconcileContainers(text2, parsed, exportedContainers) },
+    { enabled: exportedWorkflows.length > 0, run: (text2) => reconcileWorkflows(text2, parsed, exportedWorkflows) }
+  ];
+  let text = original;
+  const added = [];
+  for (const step of pipeline) {
+    if (!step.enabled) {
+      continue;
+    }
+    const result = step.run(text);
+    text = result.text;
+    added.push(...result.added);
+  }
+  if (added.includes("DB (D1)")) {
+    warnings.push(
+      `wrote a DB binding with a placeholder database_id ("${D1_PLACEHOLDER_ID}") — run \`wrangler d1 create <name>\` and replace it before deploying.`
+    );
+  }
+  if (text === original) {
+    return { added: [], changed: false, exportGaps, reason: "bindings already in sync", warnings, wranglerPath };
+  }
+  writeFileSync(wranglerPath, text, "utf8");
+  return { added, changed: true, exportGaps, warnings, wranglerPath };
+};
+
+export { reconcileWranglerBindings };

package/dist/packem_shared/renderStudioHtml-449Ysn75.mjs

@@ -0,0 +1,37 @@
+const forInlineScript = (value) => JSON.stringify(value).replaceAll("<", String.raw`\u003c`);
+const forAttribute = (value) => value.replaceAll("&", "&amp;").replaceAll('"', "&quot;").replaceAll("<", "&lt;");
+const renderStudioHtml = (config) => {
+  const settings = [`window.__LUNORA_BASE_PATH__=${forInlineScript(config.basePath)};`];
+  if (config.adminToken !== void 0 && config.adminToken !== "") {
+    settings.push(`window.__LUNORA_ADMIN_TOKEN__=${forInlineScript(config.adminToken)};`);
+  }
+  if (config.dataEditable === true) {
+    settings.push("window.__LUNORA_DATA_EDITABLE__=true;");
+  }
+  if (config.runAsIdentity === true) {
+    settings.push("window.__LUNORA_RUN_AS_IDENTITY__=true;");
+  }
+  if (config.schemaEditable === true) {
+    settings.push("window.__LUNORA_SCHEMA_EDITABLE__=true;");
+  }
+  if (config.rulesInstalled === false) {
+    settings.push("window.__LUNORA_RULES_INSTALLED__=false;");
+  }
+  return `<!doctype html>
+<html lang="en">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+        <title>Lunora Studio</title>
+        <script>${settings.join("")}<\/script>
+        <link rel="stylesheet" href="${forAttribute(config.styleHref)}" />
+    </head>
+    <body>
+        <div id="root"></div>
+        <script type="module" src="${forAttribute(config.scriptSrc)}"><\/script>
+    </body>
+</html>
+`;
+};
+
+export { renderStudioHtml as default };

package/dist/packem_shared/serveJsonHandler-B4OLTGLS.mjs

@@ -0,0 +1,86 @@
+const MAX_BODY_BYTES = 1e6;
+const readBody = async (request) => await new Promise((resolve, reject) => {
+  const chunks = [];
+  let size = 0;
+  request.on("data", (chunk) => {
+    size += chunk.length;
+    if (size > MAX_BODY_BYTES) {
+      reject(new Error("request body too large"));
+      return;
+    }
+    chunks.push(chunk);
+  });
+  request.on("end", () => {
+    resolve(Buffer.concat(chunks).toString("utf8"));
+  });
+  request.on("error", reject);
+});
+const respondJson = (response, status, body) => {
+  response.statusCode = status;
+  response.setHeader("Content-Type", "application/json; charset=utf-8");
+  response.end(JSON.stringify(body));
+};
+const headerValue = (raw) => {
+  const value = Array.isArray(raw) ? raw[0] : raw;
+  return typeof value === "string" ? value.trim().toLowerCase() : void 0;
+};
+const SAME_SITE_FETCH_VALUES = /* @__PURE__ */ new Set(["none", "same-origin", "same-site"]);
+const originRejectionReason = (request) => {
+  const secFetchSite = headerValue(request.headers["sec-fetch-site"]);
+  if (secFetchSite !== void 0) {
+    return SAME_SITE_FETCH_VALUES.has(secFetchSite) ? void 0 : "cross-origin request rejected";
+  }
+  const origin = headerValue(request.headers.origin);
+  if (origin === void 0 || origin === "null") {
+    return void 0;
+  }
+  let originHost;
+  try {
+    originHost = new URL(origin).host.toLowerCase();
+  } catch {
+    return "invalid origin header";
+  }
+  return originHost === headerValue(request.headers.host) ? void 0 : "cross-origin request rejected";
+};
+const csrfRejectionReason = (request) => {
+  const method = (request.method ?? "GET").toUpperCase();
+  const isStateChanging = method !== "GET" && method !== "HEAD";
+  const originReason = originRejectionReason(request);
+  if (originReason !== void 0) {
+    return originReason;
+  }
+  if (isStateChanging) {
+    const contentType = headerValue(request.headers["content-type"]);
+    if (!contentType?.startsWith("application/json")) {
+      return "content-type must be application/json";
+    }
+  }
+  return void 0;
+};
+const serveJsonHandler = (request, response, handle, projectRoot) => {
+  const run = async () => {
+    try {
+      const rejection = csrfRejectionReason(request);
+      if (rejection !== void 0) {
+        respondJson(response, 403, { error: rejection, ok: false });
+        return;
+      }
+      const raw = request.method === "GET" ? "" : await readBody(request);
+      let parsed;
+      try {
+        parsed = raw === "" ? void 0 : JSON.parse(raw);
+      } catch {
+        respondJson(response, 400, { error: "invalid-json", ok: false });
+        return;
+      }
+      const result = handle({ body: parsed, method: request.method ?? "POST", projectRoot });
+      respondJson(response, result.status, result.body);
+    } catch (error) {
+      respondJson(response, 500, { error: error instanceof Error ? error.message : String(error), ok: false });
+    }
+  };
+  run().catch(() => {
+  });
+};
+
+export { serveJsonHandler };

package/dist/packem_shared/studioAssetsStamp-Csk5RS4E.mjs

@@ -0,0 +1,28 @@
+import { readFileSync, statSync } from 'node:fs';
+import { createRequire } from 'node:module';
+
+const loadStudioAssets = (logger, resolveFrom = import.meta.url) => {
+  try {
+    const require = createRequire(resolveFrom);
+    return {
+      script: readFileSync(require.resolve("@lunora/studio/standalone/studio.js")),
+      styles: readFileSync(require.resolve("@lunora/studio/styles.css"))
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    logger?.warnOnce?.(`[lunora] studio assets unavailable (build @lunora/studio?): ${message}`);
+    return void 0;
+  }
+};
+const studioAssetsStamp = (resolveFrom = import.meta.url) => {
+  try {
+    const require = createRequire(resolveFrom);
+    const scriptMtime = statSync(require.resolve("@lunora/studio/standalone/studio.js")).mtimeMs;
+    const stylesMtime = statSync(require.resolve("@lunora/studio/styles.css")).mtimeMs;
+    return Math.max(scriptMtime, stylesMtime);
+  } catch {
+    return void 0;
+  }
+};
+
+export { loadStudioAssets as default, studioAssetsStamp };