@objectstack/runtime 6.5.0 → 6.6.0

package/dist/index.cjs

@@ -2141,6 +2141,7 @@ __export(index_exports, {
   resolveDefaultArtifactPath: () => resolveDefaultArtifactPath,
   resolveErrorReporter: () => resolveErrorReporter,
   resolveMetrics: () => resolveMetrics,
+  resolveObjectStackHome: () => resolveObjectStackHome,
   resolveRequestId: () => resolveRequestId,
   seedPlatformSsoClient: () => seedPlatformSsoClient
 });
@@ -2196,8 +2197,17 @@ var Runtime = class {
 // src/standalone-stack.ts
 var import_node_path2 = require("path");
 var import_node_fs = require("fs");
+var import_node_os = require("os");
 var import_zod = require("zod");
 init_load_artifact_bundle();
+function resolveObjectStackHome() {
+  const raw = process.env.OS_HOME?.trim();
+  if (raw && raw.length > 0) {
+    if (raw.startsWith("~")) return (0, import_node_path2.resolve)((0, import_node_os.homedir)(), raw.slice(1).replace(/^[/\\]/, ""));
+    return (0, import_node_path2.resolve)(raw);
+  }
+  return (0, import_node_path2.resolve)((0, import_node_os.homedir)(), ".objectstack");
+}
 var StandaloneStackConfigSchema = import_zod.z.object({
   databaseUrl: import_zod.z.string().optional(),
   databaseAuthToken: import_zod.z.string().optional(),
@@ -2228,7 +2238,7 @@ async function createStandaloneStack(config) {
   const environmentId = cfg.environmentId ?? process.env.OS_ENVIRONMENT_ID ?? "proj_local";
   const artifactPathInput = cfg.artifactPath ?? process.env.OS_ARTIFACT_PATH ?? (0, import_node_path2.resolve)(cwd, "dist/objectstack.json");
   const artifactPath = isHttpUrl(artifactPathInput) ? artifactPathInput : artifactPathInput.startsWith("/") ? artifactPathInput : (0, import_node_path2.resolve)(cwd, artifactPathInput);
-  const dbUrl = cfg.databaseUrl ?? process.env.OS_DATABASE_URL?.trim() ?? process.env.TURSO_DATABASE_URL?.trim() ?? `file:${(0, import_node_path2.resolve)(cwd, ".objectstack/data/standalone.db")}`;
+  const dbUrl = cfg.databaseUrl ?? process.env.OS_DATABASE_URL?.trim() ?? process.env.TURSO_DATABASE_URL?.trim() ?? `file:${(0, import_node_path2.resolve)(resolveObjectStackHome(), "data/standalone.db")}`;
   const dbAuthToken = cfg.databaseAuthToken ?? process.env.OS_DATABASE_AUTH_TOKEN?.trim() ?? process.env.TURSO_AUTH_TOKEN?.trim();
   const explicitDriver = cfg.databaseDriver ?? process.env.OS_DATABASE_DRIVER?.trim();
   const dbDriver = explicitDriver ?? detectDriverFromUrl(dbUrl);
@@ -2348,12 +2358,42 @@ function resolveDefaultArtifactPath(explicitPath, cwd = process.cwd()) {
 }
 async function createDefaultHostConfig(options = {}) {
   const { requireArtifact = true, ...standaloneOpts } = options;
-  const resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
+  let resolvedArtifact = resolveDefaultArtifactPath(standaloneOpts.artifactPath);
   if (!resolvedArtifact && requireArtifact) {
     throw new Error(
       "[createDefaultHostConfig] No artifact source available. Set OS_ARTIFACT_PATH (file path or http(s):// URL), place the artifact at <cwd>/dist/objectstack.json, or pass `{ artifactPath: ... }` explicitly. To boot an empty kernel anyway, pass `{ requireArtifact: false }`."
     );
   }
+  if (!resolvedArtifact && !requireArtifact) {
+    const home = resolveObjectStackHome();
+    const stubPath = (0, import_node_path3.resolve)(home, "dist/objectstack.json");
+    if (!(0, import_node_fs2.existsSync)(stubPath)) {
+      (0, import_node_fs2.mkdirSync)((0, import_node_path3.resolve)(stubPath, ".."), { recursive: true });
+      (0, import_node_fs2.writeFileSync)(
+        stubPath,
+        JSON.stringify(
+          {
+            manifest: {
+              id: "com.objectstack.empty",
+              name: "empty",
+              version: "0.0.0",
+              type: "app",
+              description: "Empty starter kernel \u2014 install apps via the Studio marketplace."
+            },
+            objects: [],
+            views: [],
+            apps: [],
+            flows: [],
+            requires: []
+          },
+          null,
+          2
+        ),
+        "utf8"
+      );
+    }
+    resolvedArtifact = stubPath;
+  }
   return createStandaloneStack({
     ...standaloneOpts,
     artifactPath: resolvedArtifact
@@ -6901,6 +6941,8 @@ var KernelManager = class {
     this.maxSize = config.maxSize ?? 32;
     this.ttlMs = config.ttlMs ?? 15 * 60 * 1e3;
     this.logger = config.logger ?? console;
+    this.freshnessProbe = config.freshnessProbe;
+    this.staleCheckIntervalMs = config.staleCheckIntervalMs ?? 1e4;
   }
   /** Returns the currently cached environmentIds (ordered by insertion). */
   keys() {
@@ -6923,8 +6965,31 @@ var KernelManager = class {
       if (this.ttlMs > 0 && Date.now() - existing.lastAccess > this.ttlMs) {
         await this.evict(environmentId);
       } else {
-        existing.lastAccess = Date.now();
-        return existing.kernel;
+        if (this.freshnessProbe) {
+          const now = Date.now();
+          if (now - existing.lastStaleCheckAt >= this.staleCheckIntervalMs) {
+            existing.lastStaleCheckAt = now;
+            let stale = false;
+            try {
+              stale = await this.freshnessProbe(environmentId, existing.createdAt);
+            } catch (err) {
+              this.logger.warn?.("[KernelManager] freshness probe failed", { environmentId, err });
+            }
+            if (stale) {
+              this.logger.info?.("[KernelManager] kernel evicted by freshness probe", { environmentId });
+              await this.evict(environmentId);
+            } else {
+              existing.lastAccess = Date.now();
+              return existing.kernel;
+            }
+          } else {
+            existing.lastAccess = Date.now();
+            return existing.kernel;
+          }
+        } else {
+          existing.lastAccess = Date.now();
+          return existing.kernel;
+        }
       }
     }
     const inflight = this.pending.get(environmentId);
@@ -6932,7 +6997,7 @@ var KernelManager = class {
     const promise = (async () => {
       const kernel = await this.factory.create(environmentId);
       const now = Date.now();
-      this.cache.set(environmentId, { kernel, createdAt: now, lastAccess: now });
+      this.cache.set(environmentId, { kernel, createdAt: now, lastAccess: now, lastStaleCheckAt: now });
       await this.enforceMaxSize();
       return kernel;
     })();
@@ -7100,6 +7165,30 @@ var ArtifactApiClient = class {
     if (!found?.headCommitId) return null;
     return { commitId: String(found.headCommitId), publishedAt: found.headPublishedAt ?? null };
   }
+  /**
+   * Cheap freshness probe — returns the env's `last_published_at`
+   * (and best-effort current commit) without rebuilding the artifact.
+   * Used by `KernelManager` on cache hits to detect when a per-env
+   * kernel has been invalidated by an upstream change (marketplace
+   * install/uninstall, artifact publish) so it can be rebuilt
+   * without waiting for the 15-minute LRU TTL to expire.
+   *
+   * Returns `null` on definitive 404 / unknown env. Errors propagate
+   * (caller decides whether to treat unreachable cloud as fresh or
+   * stale — typically fresh, so a brief outage doesn't churn every
+   * cached kernel).
+   */
+  async getFreshness(environmentId) {
+    const url = `${this.base}/api/v1/cloud/environments/${encodeURIComponent(environmentId)}/freshness`;
+    const res = await this.request(url);
+    if (res === null) return null;
+    const body = res.success === false ? null : res.data ?? res;
+    if (!body || typeof body !== "object") return null;
+    const envId = typeof body.environmentId === "string" ? body.environmentId : environmentId;
+    const lastPublishedAt = typeof body.lastPublishedAt === "string" ? body.lastPublishedAt : null;
+    const commitId = typeof body.commitId === "string" ? body.commitId : null;
+    return { environmentId: envId, lastPublishedAt, commitId };
+  }
   /** Drop cached entries for a project (and any matching hostname). */
   invalidate(environmentId) {
     this.artifactCache.delete(environmentId);
@@ -7851,7 +7940,30 @@ var ArtifactKernelFactory = class {
 };
 
 // src/cloud/auth-proxy-plugin.ts
+var import_node_crypto3 = require("crypto");
 var AUTH_PREFIX = "/api/v1/auth";
+function signSessionCookieValue(rawToken, secret) {
+  const signature = (0, import_node_crypto3.createHmac)("sha256", secret).update(rawToken).digest("base64");
+  return encodeURIComponent(`${rawToken}.${signature}`);
+}
+function buildSetCookieHeader(name, encodedValue, attrs, maxAgeSec) {
+  const parts = [`${name}=${encodedValue}`];
+  const a = attrs ?? {};
+  if (a.path) parts.push(`Path=${a.path}`);
+  else parts.push("Path=/");
+  if (Number.isFinite(maxAgeSec) && maxAgeSec > 0) parts.push(`Max-Age=${Math.floor(maxAgeSec)}`);
+  if (a.domain) parts.push(`Domain=${a.domain}`);
+  if (a.sameSite) {
+    const ss = String(a.sameSite);
+    parts.push(`SameSite=${ss.charAt(0).toUpperCase() + ss.slice(1)}`);
+  } else {
+    parts.push("SameSite=Lax");
+  }
+  if (a.secure) parts.push("Secure");
+  if (a.httpOnly !== false) parts.push("HttpOnly");
+  if (a.partitioned) parts.push("Partitioned");
+  return parts.join("; ");
+}
 function pickHandler(svc) {
   if (!svc) return void 0;
   if (typeof svc.handleRequest === "function") return svc.handleRequest.bind(svc);
@@ -7945,6 +8057,115 @@ var AuthProxyPlugin = class {
                 return c.json({ hasOwner: true });
               }
             }
+            if (c.req.method === "POST" && subPath === "sso-handoff-issue") {
+              try {
+                const expected = (process.env.OS_CLOUD_API_KEY ?? "").trim();
+                if (!expected) {
+                  return c.json({ error: "sso_handoff_disabled", reason: "OS_CLOUD_API_KEY unset on env runtime" }, 503);
+                }
+                const authz = c.req.header("authorization") ?? "";
+                const provided = authz.toLowerCase().startsWith("bearer ") ? authz.slice(7).trim() : "";
+                if (!provided || provided !== expected) {
+                  return c.json({ error: "unauthorized" }, 401);
+                }
+                if (typeof authSvc?.getAuthContext !== "function") {
+                  return c.json({ error: "auth_service_unavailable" }, 503);
+                }
+                const handoffAuthCtx = await authSvc.getAuthContext();
+                const internal = handoffAuthCtx?.internalAdapter;
+                if (!internal?.createVerificationValue) {
+                  return c.json({ error: "verification_api_unavailable" }, 503);
+                }
+                let body = {};
+                try {
+                  body = await c.req.json();
+                } catch {
+                  body = {};
+                }
+                const email = String(body?.email ?? "").toLowerCase().trim();
+                if (!email) return c.json({ error: "email_required" }, 400);
+                const name = body?.name == null ? null : String(body.name);
+                const by = body?.by == null ? "service" : String(body.by);
+                const envIdInBody = body?.envId == null ? null : String(body.envId);
+                const handoff = (0, import_node_crypto3.randomUUID)().replace(/-/g, "") + (0, import_node_crypto3.randomUUID)().replace(/-/g, "");
+                const ttlSec = 60;
+                const expiresAt = new Date(Date.now() + ttlSec * 1e3);
+                await internal.createVerificationValue({
+                  identifier: `sso-handoff:${handoff}`,
+                  value: JSON.stringify({ email, name, by, envId: envIdInBody ?? environmentId }),
+                  expiresAt
+                });
+                return c.json({
+                  token: handoff,
+                  expiresAt: expiresAt.toISOString(),
+                  ttlSec
+                });
+              } catch (err) {
+                ctx.logger?.error?.("[AuthProxyPlugin] sso-handoff-issue failed", err instanceof Error ? err : new Error(String(err)));
+                return c.json({ error: "sso_handoff_issue_failed", message: String(err?.message ?? err) }, 500);
+              }
+            }
+            if (c.req.method === "GET" && subPath === "sso-exchange") {
+              try {
+                const token = (url.searchParams.get("token") ?? "").trim();
+                const nextRaw = url.searchParams.get("next") ?? "/";
+                const next = nextRaw.startsWith("/") ? nextRaw : "/";
+                if (!token) return c.text("missing token", 400);
+                if (typeof authSvc?.getAuthContext !== "function") {
+                  return c.text("auth service unavailable", 503);
+                }
+                const authCtx = await authSvc.getAuthContext();
+                const internal = authCtx?.internalAdapter;
+                if (!internal?.consumeVerificationValue) {
+                  return c.text("verification API unavailable", 503);
+                }
+                const consumed = await internal.consumeVerificationValue(`sso-handoff:${token}`);
+                if (!consumed) return c.text("invalid or expired token", 401);
+                const expiresAt = consumed?.expiresAt ? new Date(consumed.expiresAt).getTime() : 0;
+                if (!expiresAt || expiresAt < Date.now()) return c.text("expired token", 401);
+                let payload = {};
+                try {
+                  payload = JSON.parse(String(consumed.value));
+                } catch {
+                  payload = { email: String(consumed.value) };
+                }
+                const email = String(payload.email ?? "").toLowerCase().trim();
+                if (!email) return c.text("handoff missing email", 400);
+                const found = await internal.findUserByEmail(email, { includeAccounts: true });
+                let userId = found?.user?.id;
+                let hasCredentialAccount = (found?.accounts ?? []).some((a) => a.providerId === "credential" && a.password);
+                if (!userId) {
+                  const created = await internal.createUser({
+                    email,
+                    name: payload.name ?? email,
+                    emailVerified: true
+                  });
+                  userId = created?.id;
+                  hasCredentialAccount = false;
+                }
+                if (!userId) return c.text("failed to provision user", 500);
+                const session = await internal.createSession(userId, false);
+                const rawToken = session?.token;
+                const sessionExpiresAt = session?.expiresAt ? new Date(session.expiresAt) : new Date(Date.now() + 7 * 24 * 3600 * 1e3);
+                if (!rawToken) return c.text("failed to mint session", 500);
+                const secret = authCtx?.secret ?? "";
+                if (!secret) return c.text("auth secret unavailable", 503);
+                const cookieName = authCtx?.authCookies?.sessionToken?.name ?? "better-auth.session_token";
+                const cookieAttrs = authCtx?.authCookies?.sessionToken?.attributes ?? {};
+                const encoded = signSessionCookieValue(rawToken, secret);
+                const maxAgeSec = Math.max(60, Math.floor((sessionExpiresAt.getTime() - Date.now()) / 1e3));
+                const setCookie = buildSetCookieHeader(cookieName, encoded, cookieAttrs, maxAgeSec);
+                const finalNext = hasCredentialAccount ? next : `/_console/system/profile?recovery_needed=true&next=${encodeURIComponent(next)}`;
+                const headers = new Headers();
+                headers.set("Set-Cookie", setCookie);
+                headers.set("Location", finalNext);
+                headers.set("Cache-Control", "no-store");
+                return new Response(null, { status: 302, headers });
+              } catch (err) {
+                ctx.logger?.error?.("[AuthProxyPlugin] sso-exchange failed", err instanceof Error ? err : new Error(String(err)));
+                return c.text(`sso-exchange failed: ${err?.message ?? String(err)}`, 500);
+              }
+            }
             const fn = await resolveAuthHandler(authSvc);
             if (!fn) {
               return c.json({ error: "auth_service_unavailable", environmentId }, 503);
@@ -8127,20 +8348,46 @@ var RuntimeConfigPlugin = class {
           return;
         }
         const rawApp = httpServer.getRawApp();
-        const payload = {
-          cloudUrl: this.cloudUrl,
-          singleEnvironment: this.singleEnvironment,
-          features: {
-            installLocal: this.installLocal,
-            marketplace: true
+        const features = {
+          installLocal: this.installLocal,
+          marketplace: true
+        };
+        let envRegistry = null;
+        try {
+          envRegistry = ctx.getService("env-registry");
+        } catch {
+        }
+        const handler = async (c) => {
+          const rawHost = c.req.header("host") ?? "";
+          const host = rawHost.split(":")[0].toLowerCase().trim();
+          let defaultEnvironmentId;
+          let defaultOrgId;
+          let resolvedSingleEnv = this.singleEnvironment;
+          if (envRegistry && host && typeof envRegistry.resolveHostname === "function") {
+            try {
+              const resolved = await envRegistry.resolveHostname(host);
+              if (resolved?.environmentId) {
+                defaultEnvironmentId = resolved.environmentId;
+                if (resolved.organizationId) defaultOrgId = String(resolved.organizationId);
+                resolvedSingleEnv = true;
+              }
+            } catch {
+            }
           }
+          return c.json({
+            cloudUrl: this.cloudUrl,
+            singleEnvironment: resolvedSingleEnv,
+            defaultOrgId,
+            defaultEnvironmentId,
+            features
+          });
         };
-        const handler = (c) => c.json(payload);
         rawApp.get("/api/v1/runtime/config", handler);
         rawApp.get("/api/v1/studio/runtime-config", handler);
         ctx.logger?.info?.("[RuntimeConfigPlugin] mounted /api/v1/runtime/config", {
           cloudUrl: this.cloudUrl || "(empty)",
-          installLocal: this.installLocal
+          installLocal: this.installLocal,
+          perHostEnvResolution: !!envRegistry
         });
       });
     };
@@ -8341,7 +8588,21 @@ var ObjectOSEnvironmentPlugin = class {
         factory,
         maxSize: this.config.kernelCacheSize,
         ttlMs: this.config.kernelTtlMs,
-        logger: ctx.logger
+        logger: ctx.logger,
+        // Only the HTTP client exposes /freshness; file-mode (CLI dev)
+        // has no upstream to probe.
+        freshnessProbe: this.config.controlPlaneUrl === "file" ? void 0 : async (envId, builtAtMs) => {
+          const fresh = await client.getFreshness(envId);
+          if (!fresh) return false;
+          const t = fresh.lastPublishedAt ? Date.parse(fresh.lastPublishedAt) : NaN;
+          if (!Number.isFinite(t)) return false;
+          if (t <= builtAtMs) return false;
+          try {
+            client.invalidate(envId);
+          } catch {
+          }
+          return true;
+        }
       });
       this.kernelManager = kernelManager;
       ctx.registerService("env-registry", envRegistry);
@@ -8942,6 +9203,7 @@ __reExport(index_exports, require("@objectstack/core"), module.exports);
   resolveDefaultArtifactPath,
   resolveErrorReporter,
   resolveMetrics,
+  resolveObjectStackHome,
   resolveRequestId,
   seedPlatformSsoClient,
   ...require("@objectstack/core")