@objectstack/runtime 9.8.0 → 9.9.0

package/dist/index.d.cts

@@ -1567,6 +1567,26 @@ declare class HttpDispatcher {
      * Resolves the AI service and its built-in route handlers, then dispatches.
      */
     handleAI(subPath: string, method: string, body: any, query: any, context: HttpProtocolContext): Promise<HttpDispatcherResult>;
+    /**
+     * Share-link capability tokens — "anyone with the link" publication of a
+     * single record (ADR-0047). Mirrors the per-env service-dispatch pattern
+     * used by {@link handleI18n} / {@link handleAI}: the `shareLinks` service
+     * is resolved from the request's environment kernel, so links live in (and
+     * resolve against) the same per-environment database that owns the record.
+     * This branch owns URL parsing and the auth/public split.
+     *
+     *   POST   /share-links                   → create a link (authenticated)
+     *   GET    /share-links?object&recordId    → list the caller's links (authenticated)
+     *   DELETE /share-links/:idOrToken         → revoke (authenticated)
+     *   GET    /share-links/:token/resolve     → resolve token → record (PUBLIC)
+     *   GET    /share-links/:token/messages    → ai_conversations messages (PUBLIC)
+     *
+     * The resolve / messages routes are intentionally public — the token IS
+     * the authorisation. The underlying record is fetched with a SYSTEM
+     * context (per-env RLS is bypassed because the token gates access), and
+     * `redactFields` are stripped before the record leaves the server.
+     */
+    handleShareLinks(subPath: string, method: string, body: any, query: any, context: HttpProtocolContext): Promise<HttpDispatcherResult>;
     /**
      * Main Dispatcher Entry Point
      * Routes the request to the appropriate handler based on path and precedence
@@ -1876,8 +1896,9 @@ declare class QuickJSScriptRunner implements ScriptRunner {
      * the body declared it; missing methods throw at call-time inside the VM
      * with a clear diagnostic.
      *
-     * Host API methods are installed via {@link QuickJSAsyncContext.newAsyncifiedFunction}
-     * so they may return Promises (real ObjectQL `find/count/insert/...` are async).
+     * Host API methods are installed as deferred-promise functions (see
+     * {@link installApiMethod}) so they may return Promises (real ObjectQL
+     * `find/count/insert/...` are async) without asyncify's single-unwind limit.
      */
     private installCtx;
 }

package/dist/index.d.ts

@@ -1567,6 +1567,26 @@ declare class HttpDispatcher {
      * Resolves the AI service and its built-in route handlers, then dispatches.
      */
     handleAI(subPath: string, method: string, body: any, query: any, context: HttpProtocolContext): Promise<HttpDispatcherResult>;
+    /**
+     * Share-link capability tokens — "anyone with the link" publication of a
+     * single record (ADR-0047). Mirrors the per-env service-dispatch pattern
+     * used by {@link handleI18n} / {@link handleAI}: the `shareLinks` service
+     * is resolved from the request's environment kernel, so links live in (and
+     * resolve against) the same per-environment database that owns the record.
+     * This branch owns URL parsing and the auth/public split.
+     *
+     *   POST   /share-links                   → create a link (authenticated)
+     *   GET    /share-links?object&recordId    → list the caller's links (authenticated)
+     *   DELETE /share-links/:idOrToken         → revoke (authenticated)
+     *   GET    /share-links/:token/resolve     → resolve token → record (PUBLIC)
+     *   GET    /share-links/:token/messages    → ai_conversations messages (PUBLIC)
+     *
+     * The resolve / messages routes are intentionally public — the token IS
+     * the authorisation. The underlying record is fetched with a SYSTEM
+     * context (per-env RLS is bypassed because the token gates access), and
+     * `redactFields` are stripped before the record leaves the server.
+     */
+    handleShareLinks(subPath: string, method: string, body: any, query: any, context: HttpProtocolContext): Promise<HttpDispatcherResult>;
     /**
      * Main Dispatcher Entry Point
      * Routes the request to the appropriate handler based on path and precedence
@@ -1876,8 +1896,9 @@ declare class QuickJSScriptRunner implements ScriptRunner {
      * the body declared it; missing methods throw at call-time inside the VM
      * with a clear diagnostic.
      *
-     * Host API methods are installed via {@link QuickJSAsyncContext.newAsyncifiedFunction}
-     * so they may return Promises (real ObjectQL `find/count/insert/...` are async).
+     * Host API methods are installed as deferred-promise functions (see
+     * {@link installApiMethod}) so they may return Promises (real ObjectQL
+     * `find/count/insert/...` are async) without asyncify's single-unwind limit.
      */
     private installCtx;
 }

package/dist/index.js

@@ -206,7 +206,7 @@ import {
   newAsyncContext
 } from "quickjs-emscripten";
 function installApiMethod(vm, parent, method, objectName, ctx, caps, required, origin) {
-  const fn = vm.newAsyncifiedFunction(method, async (...argHandles) => {
+  const fn = vm.newFunction(method, (...argHandles) => {
     if (!caps.has(required)) {
       throw new SandboxError(
         `capability '${required}' not granted to ${origin.kind} '${origin.name}' (called ctx.api.object('${objectName}').${method})`
@@ -217,13 +217,27 @@ function installApiMethod(vm, parent, method, objectName, ctx, caps, required, o
       throw new SandboxError(`ctx.api unavailable in ${origin.kind} '${origin.name}'`);
     }
     const args = argHandles.map((h) => vm.dump(h));
-    const proxy = apiAny.object(objectName);
-    const m = proxy[method];
-    if (typeof m !== "function") {
-      throw new SandboxError(`ctx.api.object('${objectName}').${method} not implemented`);
-    }
-    const ret = await Promise.resolve(m.apply(proxy, args));
-    return jsonToHandle(vm, ret);
+    const deferred = vm.newPromise();
+    void (async () => {
+      try {
+        const proxy = apiAny.object(objectName);
+        const m = proxy[method];
+        if (typeof m !== "function") {
+          throw new SandboxError(`ctx.api.object('${objectName}').${method} not implemented`);
+        }
+        const ret = await Promise.resolve(m.apply(proxy, args));
+        if (!vm.alive) return;
+        const h = jsonToHandle(vm, ret);
+        deferred.resolve(h);
+        h.dispose();
+      } catch (err) {
+        if (!vm.alive) return;
+        const errH = err instanceof Error ? vm.newError({ name: err.name || "Error", message: err.message }) : vm.newError({ name: "Error", message: String(err) });
+        deferred.reject(errH);
+        errH.dispose();
+      }
+    })();
+    return deferred.handle;
   });
   vm.setProp(parent, method, fn);
   fn.dispose();
@@ -385,7 +399,7 @@ var init_quickjs_runner = __esm({
           }
           evalRes.value.dispose();
           let pumps = 0;
-          while (pumps < 1e3) {
+          for (; ; ) {
             await new Promise((resolve) => setImmediate(resolve));
             const pending = runtime.executePendingJobs();
             if (pending.error) {
@@ -409,14 +423,11 @@ var init_quickjs_runner = __esm({
             }
             if (Date.now() > deadline) {
               throw new SandboxError(
-                `${args.origin.kind} '${args.origin.name}' exceeded timeout of ${args.timeoutMs}ms`
+                `${args.origin.kind} '${args.origin.name}' exceeded timeout of ${args.timeoutMs}ms (after ${pumps} pump iterations)`
               );
             }
             pumps++;
           }
-          throw new SandboxError(
-            `${args.origin.kind} '${args.origin.name}' did not resolve after ${pumps} pump iterations`
-          );
         } finally {
           vm.dispose();
         }
@@ -426,8 +437,9 @@ var init_quickjs_runner = __esm({
        * the body declared it; missing methods throw at call-time inside the VM
        * with a clear diagnostic.
        *
-       * Host API methods are installed via {@link QuickJSAsyncContext.newAsyncifiedFunction}
-       * so they may return Promises (real ObjectQL `find/count/insert/...` are async).
+       * Host API methods are installed as deferred-promise functions (see
+       * {@link installApiMethod}) so they may return Promises (real ObjectQL
+       * `find/count/insert/...` are async) without asyncify's single-unwind limit.
        */
       installCtx(vm, ctx, caps, origin) {
         setGlobalJson(vm, "__input", ctx.input);
@@ -1939,6 +1951,43 @@ async function tryFind(ql, object, where, limit = 100) {
     return [];
   }
 }
+function isValidTimeZone(tz) {
+  try {
+    new Intl.DateTimeFormat("en-US", { timeZone: tz });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function coerceTimeZone(value) {
+  const s = typeof value === "string" ? value.trim() : value != null ? String(value).trim() : "";
+  return s && isValidTimeZone(s) ? s : void 0;
+}
+function coerceLocale(value) {
+  const s = typeof value === "string" ? value.trim() : value != null ? String(value).trim() : "";
+  return s || void 0;
+}
+async function resolveLocalization(opts, ql, sctx) {
+  try {
+    const settings = await opts.getService("settings");
+    if (settings && typeof settings.get === "function") {
+      const [tzRes, localeRes] = await Promise.all([
+        settings.get("localization", "timezone", sctx).catch(() => void 0),
+        settings.get("localization", "locale", sctx).catch(() => void 0)
+      ]);
+      const tz = coerceTimeZone(tzRes?.value);
+      const locale = coerceLocale(localeRes?.value);
+      if (tz || locale) return { timezone: tz ?? "UTC", locale: locale ?? "en-US" };
+    }
+  } catch {
+  }
+  const tzRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "timezone", scope: "tenant" }, 1);
+  const localeRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "locale", scope: "tenant" }, 1);
+  return {
+    timezone: coerceTimeZone(tzRows[0]?.value) ?? "UTC",
+    locale: coerceLocale(localeRows[0]?.value) ?? "en-US"
+  };
+}
 async function resolveExecutionContext(opts) {
   const headers = opts.request?.headers;
   const ctx = {
@@ -2069,6 +2118,9 @@ async function resolveExecutionContext(opts) {
       ctx.tabPermissions = mergedTabs;
     }
   }
+  const localization = await resolveLocalization(opts, ql, { tenantId, userId });
+  ctx.timezone = localization.timezone;
+  ctx.locale = localization.locale;
   return ctx;
 }
 function isPermissionDeniedError(e) {
@@ -2568,6 +2620,7 @@ var _HttpDispatcher = class _HttpDispatcher {
     if (!this.enforceMembership) return null;
     const skipPaths = ["/auth", "/cloud", "/health", "/discovery"];
     if (skipPaths.some((p) => path.startsWith(p))) return null;
+    if (/(^|\/)share-links\/[^/]+\/(resolve|messages)$/.test(path)) return null;
     const environmentId = context.environmentId;
     if (!environmentId) return null;
     if (environmentId === _HttpDispatcher.SYSTEM_ENVIRONMENT_ID) return null;
@@ -4164,6 +4217,174 @@ var _HttpDispatcher = class _HttpDispatcher {
       response: this.routeNotFound(subPath)
     };
   }
+  /**
+   * Share-link capability tokens — "anyone with the link" publication of a
+   * single record (ADR-0047). Mirrors the per-env service-dispatch pattern
+   * used by {@link handleI18n} / {@link handleAI}: the `shareLinks` service
+   * is resolved from the request's environment kernel, so links live in (and
+   * resolve against) the same per-environment database that owns the record.
+   * This branch owns URL parsing and the auth/public split.
+   *
+   *   POST   /share-links                   → create a link (authenticated)
+   *   GET    /share-links?object&recordId    → list the caller's links (authenticated)
+   *   DELETE /share-links/:idOrToken         → revoke (authenticated)
+   *   GET    /share-links/:token/resolve     → resolve token → record (PUBLIC)
+   *   GET    /share-links/:token/messages    → ai_conversations messages (PUBLIC)
+   *
+   * The resolve / messages routes are intentionally public — the token IS
+   * the authorisation. The underlying record is fetched with a SYSTEM
+   * context (per-env RLS is bypassed because the token gates access), and
+   * `redactFields` are stripped before the record leaves the server.
+   */
+  async handleShareLinks(subPath, method, body, query, context) {
+    const svc = await this.resolveService("shareLinks", context.environmentId);
+    if (!svc) {
+      return { handled: true, response: this.error("Sharing is not configured for this environment", 501) };
+    }
+    const SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+    const m = method.toUpperCase();
+    const parts = subPath.replace(/^\/+/, "").split("/").filter(Boolean);
+    const ec = context.executionContext;
+    const callerCtx = { userId: ec?.userId, tenantId: ec?.tenantId };
+    const headerOf = (name) => {
+      const h = context.request?.headers;
+      if (!h) return void 0;
+      const v = typeof h.get === "function" ? h.get(name) : h[name] ?? h[name.toLowerCase()];
+      return Array.isArray(v) ? v[0] : v ?? void 0;
+    };
+    const sendErr = (status, code, msg) => ({
+      handled: true,
+      response: this.error(msg, status, { code })
+    });
+    const getEngine = async () => {
+      try {
+        const k = this.kernel;
+        const e = typeof k?.getServiceAsync === "function" ? await k.getServiceAsync("objectql") : k?.getService?.("objectql");
+        if (e) return e;
+      } catch {
+      }
+      return this.resolveService("objectql", context.environmentId);
+    };
+    const asArray = (rows) => Array.isArray(rows) ? rows : Array.isArray(rows?.value) ? rows.value : [];
+    const applyRedaction = (record, redactFields) => {
+      if (!record || typeof record !== "object" || redactFields.length === 0) return record;
+      const out = {};
+      for (const [k, v] of Object.entries(record)) {
+        if (redactFields.includes(k)) continue;
+        out[k] = v;
+      }
+      return out;
+    };
+    try {
+      if (parts.length === 2 && parts[1] === "resolve" && m === "GET") {
+        const token = decodeURIComponent(parts[0]);
+        const signedInUserId = ec?.userId;
+        const recipientEmail = typeof query?.email === "string" ? query.email : void 0;
+        const providedPassword = typeof query?.password === "string" ? query.password : headerOf("x-share-password");
+        const resolved = await svc.resolveToken(token, { signedInUserId, recipientEmail, providedPassword });
+        if (!resolved) {
+          const engine2 = await getEngine();
+          const probe = engine2 ? asArray(await engine2.find("sys_share_link", { where: { token }, limit: 1, context: SYSTEM_CTX })) : [];
+          const row = probe[0] ?? null;
+          const live = row && !row.revoked_at && (!row.expires_at || Date.parse(row.expires_at) > Date.now());
+          if (live && row.password_hash) {
+            return sendErr(
+              401,
+              providedPassword ? "WRONG_PASSWORD" : "NEEDS_PASSWORD",
+              providedPassword ? "Incorrect password" : "This link requires a password"
+            );
+          }
+          if (live && row.audience === "signed_in" && !signedInUserId) {
+            return sendErr(401, "SIGN_IN_REQUIRED", "Please sign in to view this link");
+          }
+          if (row && (row.revoked_at || row.expires_at && Date.parse(row.expires_at) <= Date.now())) {
+            return sendErr(410, "EXPIRED_OR_REVOKED", "Share link has expired or been revoked");
+          }
+          return sendErr(404, "INVALID_OR_EXPIRED", "Share link is invalid, expired, or revoked");
+        }
+        const engine = await getEngine();
+        const rows = engine ? asArray(await engine.find(resolved.link.object_name, { where: { id: resolved.link.record_id }, limit: 1, context: SYSTEM_CTX })) : [];
+        const record = rows[0] ?? null;
+        if (!record) return sendErr(410, "RECORD_GONE", "The shared record no longer exists");
+        return {
+          handled: true,
+          response: this.success({
+            record: applyRedaction(record, resolved.redactFields),
+            link: {
+              id: resolved.link.id,
+              token: resolved.link.token,
+              object_name: resolved.link.object_name,
+              record_id: resolved.link.record_id,
+              permission: resolved.link.permission,
+              audience: resolved.link.audience,
+              expires_at: resolved.link.expires_at,
+              label: resolved.link.label,
+              created_at: resolved.link.created_at
+            },
+            redactFields: resolved.redactFields
+          })
+        };
+      }
+      if (parts.length === 2 && parts[1] === "messages" && m === "GET") {
+        const token = decodeURIComponent(parts[0]);
+        const providedPassword = typeof query?.password === "string" ? query.password : headerOf("x-share-password");
+        const resolved = await svc.resolveToken(token, { signedInUserId: ec?.userId, providedPassword });
+        if (!resolved) return sendErr(404, "NOT_FOUND", "Share link not found");
+        if (resolved.link.object_name !== "ai_conversations") {
+          return sendErr(400, "UNSUPPORTED", "This share link does not expose messages");
+        }
+        const engine = await getEngine();
+        const rows = engine ? asArray(await engine.find("ai_messages", {
+          where: { conversation_id: resolved.link.record_id },
+          sort: [{ field: "created_at", order: "asc" }],
+          limit: 500,
+          context: SYSTEM_CTX
+        })) : [];
+        return { handled: true, response: this.success(rows) };
+      }
+      if (!callerCtx.userId) return sendErr(401, "UNAUTHENTICATED", "Sign in to manage share links");
+      if (parts.length === 0 && m === "POST") {
+        const b = body ?? {};
+        if (!b.object || !b.recordId) return sendErr(400, "VALIDATION_FAILED", "object and recordId are required");
+        const link = await svc.createLink(
+          {
+            object: b.object,
+            recordId: b.recordId,
+            permission: b.permission,
+            audience: b.audience,
+            expiresAt: b.expiresAt ?? null,
+            emailAllowlist: b.emailAllowlist,
+            password: b.password,
+            redactFields: b.redactFields,
+            label: b.label
+          },
+          callerCtx
+        );
+        return { handled: true, response: { status: 201, body: { success: true, data: link, link } } };
+      }
+      if (parts.length === 0 && m === "GET") {
+        const links = await svc.listLinks(
+          {
+            object: typeof query?.object === "string" ? query.object : void 0,
+            recordId: typeof query?.recordId === "string" ? query.recordId : void 0,
+            // Constrain to links the caller created so a guessed
+            // recordId can never enumerate another user's tokens.
+            createdBy: callerCtx.userId,
+            includeRevoked: query?.includeRevoked === "true" || query?.includeRevoked === "1"
+          },
+          callerCtx
+        );
+        return { handled: true, response: { status: 200, body: { success: true, data: links, links } } };
+      }
+      if (parts.length === 1 && m === "DELETE") {
+        await svc.revokeLink(decodeURIComponent(parts[0]), callerCtx);
+        return { handled: true, response: this.success({ ok: true }) };
+      }
+      return { handled: true, response: this.routeNotFound(`/share-links${subPath}`) };
+    } catch (err) {
+      return sendErr(err?.status ?? 500, err?.code ?? "INTERNAL", err?.message ?? "Share link request failed");
+    }
+  }
   /**
    * Main Dispatcher Entry Point
    * Routes the request to the appropriate handler based on path and precedence
@@ -4259,6 +4480,9 @@ var _HttpDispatcher = class _HttpDispatcher {
       if (cleanPath.startsWith("/ai")) {
         return this.handleAI(cleanPath, method, body, query, context);
       }
+      if (cleanPath === "/share-links" || cleanPath.startsWith("/share-links/")) {
+        return this.handleShareLinks(cleanPath.substring("/share-links".length), method, body, query, context);
+      }
       if (cleanPath === "/openapi.json" && method === "GET") {
         try {
           const metaSvc = await this.resolveService("metadata", context.environmentId);