@objectstack/service-datasource 10.0.0 → 10.3.0

Files changed (37) hide show
  1. package/.turbo/turbo-build.log +28 -16
  2. package/CHANGELOG.md +100 -0
  3. package/dist/chunk-76HQ74MX.cjs +82 -0
  4. package/dist/chunk-76HQ74MX.cjs.map +1 -0
  5. package/dist/chunk-BI2SYWLC.cjs +9 -0
  6. package/dist/chunk-BI2SYWLC.cjs.map +1 -0
  7. package/dist/chunk-JRBGOCRJ.js +82 -0
  8. package/dist/chunk-JRBGOCRJ.js.map +1 -0
  9. package/dist/chunk-XLS4RP7B.js +9 -0
  10. package/dist/chunk-XLS4RP7B.js.map +1 -0
  11. package/dist/contracts/index.cjs +7 -1
  12. package/dist/contracts/index.cjs.map +1 -1
  13. package/dist/contracts/index.d.cts +59 -1
  14. package/dist/contracts/index.d.ts +59 -1
  15. package/dist/contracts/index.js +6 -0
  16. package/dist/index.cjs +284 -106
  17. package/dist/index.cjs.map +1 -1
  18. package/dist/index.d.cts +270 -5
  19. package/dist/index.d.ts +270 -5
  20. package/dist/index.js +216 -38
  21. package/dist/index.js.map +1 -1
  22. package/dist/sqlite-driver-fallback-BPFQYLX7.js +11 -0
  23. package/dist/sqlite-driver-fallback-BPFQYLX7.js.map +1 -0
  24. package/dist/sqlite-driver-fallback-JX4XOICD.cjs +11 -0
  25. package/dist/sqlite-driver-fallback-JX4XOICD.cjs.map +1 -0
  26. package/package.json +8 -7
  27. package/src/__tests__/datasource-connection-service.test.ts +294 -0
  28. package/src/contracts/connect-policy.ts +69 -0
  29. package/src/contracts/index.ts +11 -0
  30. package/src/datasource-admin-plugin.ts +37 -40
  31. package/src/datasource-admin-service.ts +2 -0
  32. package/src/datasource-connection-service.ts +364 -0
  33. package/src/default-datasource-driver-factory.ts +26 -9
  34. package/src/index.ts +29 -0
  35. package/src/logger.ts +2 -0
  36. package/src/sqlite-driver-fallback.test.ts +184 -0
  37. package/src/sqlite-driver-fallback.ts +195 -0
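--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -1,8 +1,8 @@
  import { IExternalDatasourceService, IntrospectedSchema, RemoteTable, GenerateDraftOpts, ObjectDraft, ImportObjectOpts, ImportObjectResult, SchemaValidationResult, SchemaValidationReport, ICryptoProvider, IHttpServer } from '@objectstack/spec/contracts';
  import { ExternalCatalog } from '@objectstack/spec/data';
  import { Plugin, PluginContext } from '@objectstack/core';
- import { IDatasourceAdminService, TestConnectionResult, SecretInput, DatasourceSummary, DatasourceDraft, IDatasourceDriverFactory } from './contracts/index.cjs';
- export { DatasourceConnectionSpec, DatasourceDriverHandle, DatasourceOrigin } from './contracts/index.cjs';
+ import { IDatasourceDriverFactory, DatasourceConnectPolicy, DatasourceConnectContext, IDatasourceAdminService, TestConnectionResult, SecretInput, DatasourceSummary, DatasourceDraft } from './contracts/index.cjs';
+ export { DatasourceConnectDecision, DatasourceConnectSubject, DatasourceConnectionSpec, DatasourceDriverHandle, DatasourceOrigin, allowAllConnectPolicy } from './contracts/index.cjs';
 
  /**
  * ExternalDatasourceService — implements {@link IExternalDatasourceService}
@@ -137,6 +137,168 @@ declare class ExternalDatasourceServicePlugin implements Plugin {
  interface Logger {
  warn: (message: string, meta?: unknown) => void;
  info?: (message: string, meta?: unknown) => void;
+ debug?: (message: string, meta?: unknown) => void;
+ error?: (message: string, meta?: unknown) => void;
+ }
+
+ /**
+ * DatasourceConnectionService — the single "definition → live driver" path
+ * (ADR-0062 D1).
+ *
+ * Given a datasource definition, it: consults the injectable connect policy
+ * (D5/epic seam), builds a driver via the host-provided driver factory,
+ * resolves any `external.credentialsRef` to a cleartext secret via the
+ * `SecretBinder` (D3, wired in Phase 2), opens the connection, and registers
+ * the live driver + the datasource *definition* into the ObjectQL engine under
+ * the datasource name (the engine routes by `driver.name === <datasource>`).
+ *
+ * Both origins converge here (D1):
+ * - **code-defined** datasources auto-connect at boot via
+ * {@link connectDeclared} (gated per D2 — see {@link isDatasourceAddressed}),
+ * called from `AppPlugin.start()`.
+ * - **runtime** (UI-created) datasources connect via {@link connect}, called
+ * from `DatasourceAdminServicePlugin`'s `registerPool` (create/update + boot
+ * rehydration).
+ *
+ * Idempotent: a datasource already registered as a live driver is skipped, so
+ * an app's legacy `onEnable` driver registration (the escape hatch, ADR-0062
+ * D8) and auto-connect never double-register.
+ */
+
+ /** A datasource definition this service can connect (code- or runtime-origin). */
+ interface ConnectableDatasource {
+ name: string;
+ label?: string;
+ driver: string;
+ schemaMode?: 'managed' | 'external' | 'validate-only';
+ config?: Record<string, unknown>;
+ external?: (Record<string, unknown> & {
+ credentialsRef?: string;
+ validation?: {
+ onMismatch?: 'fail' | 'warn' | 'ignore';
+ };
+ }) | undefined;
+ pool?: Record<string, unknown>;
+ active?: boolean;
+ origin?: 'code' | 'runtime';
+ /**
+ * ADR-0062 D2(c): explicit opt-in to auto-connect even for a managed,
+ * unrouted datasource. Defaults to false.
+ */
+ autoConnect?: boolean;
+ }
+ /** Minimal object shape used for the D2 routing gate + post-connect schema sync. */
+ interface DatasourceBoundObject {
+ name?: string;
+ /** The object's explicit `datasource` binding (ADR-0015 federation). */
+ datasource?: string;
+ }
+ /** Engine surface this service drives (the ObjectQL `'data'` engine). */
+ interface ConnectionEngineLike {
+ registerDriver?: (driver: unknown, isDefault?: boolean) => void;
+ registerDatasourceDef?: (def: {
+ name: string;
+ schemaMode?: string;
+ external?: {
+ allowWrites?: boolean;
+ };
+ }) => void;
+ getDriverByName?: (name: string) => unknown;
+ /**
+ * Register read metadata (DDL-free) for a federated object so its physical
+ * remote table/columns resolve for queries. Idempotent; called per bound
+ * external object after the driver is registered, because boot schema-sync
+ * ran before this driver existed (ADR-0015 §18; matches what the legacy
+ * `onEnable` bridge does manually).
+ */
+ syncObjectSchema?: (objectName: string) => Promise<void>;
+ }
+ /** Secret dereference surface (the `SecretBinder.resolve`, Phase 2 / D3). */
+ interface ConnectionSecretResolver {
+ resolve?: (credentialsRef: string) => Promise<string | undefined>;
+ }
+ interface DatasourceConnectionServiceConfig {
+ /** Resolve the host driver factory (lazy — may be registered after init). */
+ factory: () => IDatasourceDriverFactory | undefined;
+ /** Resolve the ObjectQL engine (lazy). */
+ engine: () => ConnectionEngineLike | undefined;
+ /** Dereference `credentialsRef` → cleartext (Phase 2). Optional in Phase 1. */
+ secrets?: ConnectionSecretResolver;
+ /** Injectable connect policy. Defaults to {@link allowAllConnectPolicy}. */
+ policy?: DatasourceConnectPolicy;
+ logger?: Logger;
+ }
+ /** Outcome of a single {@link DatasourceConnectionService.connect} attempt. */
+ type ConnectStatus = 'connected' | 'already-registered' | 'skipped-policy' | 'skipped-no-infra' | 'skipped-unsupported' | 'failed-credentials' | 'failed-degraded';
+ interface ConnectResult {
+ name: string;
+ status: ConnectStatus;
+ reason?: string;
+ }
+ /**
+ * ADR-0062 D2 — is this declared datasource "meaningfully addressed", such that
+ * auto-connecting it is safe and intended?
+ *
+ * Returns true when:
+ * - (a) it is external (`schemaMode !== 'managed'`), OR
+ * - (b) some object **explicitly** binds to it (`object.datasource === name`), OR
+ * - (c) it sets `autoConnect: true`.
+ *
+ * Deliberately NOT triggered by a `datasourceMapping` rule alone. A managed
+ * datasource that is only *mapped* (namespace/package/default) but has no live
+ * driver historically falls through to the `default` driver at query time
+ * (`engine.getDriver` step 4) — e.g. `examples/app-crm`'s `crm_primary`
+ * (`:memory:`, mapped + default-fallback, no `onEnable`). Connecting it would
+ * divert those objects to a fresh, empty connection and silently change app
+ * behavior. So mapping-only routing to a *managed* datasource is treated as
+ * decorative, keeping existing apps byte-for-byte unchanged (D2's load-bearing
+ * backward-compat guarantee). External datasources and explicit
+ * `object.datasource` bindings never resolved to `default` (they throw when
+ * unregistered), so auto-connecting them is a strict improvement, not a change.
+ */
+ declare function isDatasourceAddressed(ds: Pick<ConnectableDatasource, 'name' | 'schemaMode' | 'autoConnect'>, ctx: {
+ objects?: readonly DatasourceBoundObject[];
+ }): boolean;
+ declare class DatasourceConnectionService {
+ private readonly cfg;
+ private readonly policy;
+ private readonly logger?;
+ constructor(cfg: DatasourceConnectionServiceConfig);
+ /**
+ * Auto-connect the declared (code-defined) datasources that pass the D2 gate.
+ * Called from `AppPlugin.start()` with the app bundle's datasources + objects.
+ * Each connected external datasource also has its bound objects' read metadata
+ * synced so they are immediately queryable with zero app code.
+ */
+ connectDeclared(input: {
+ datasources: readonly ConnectableDatasource[];
+ objects?: readonly DatasourceBoundObject[];
+ }): Promise<ConnectResult[]>;
+ /**
+ * Build + connect + register a single datasource's live driver. The shared
+ * core used by both auto-connect and the runtime-admin pool registration.
+ *
+ * Failure policy (ADR-0062 D5): an `external` datasource with
+ * `validation.onMismatch: 'fail'` fails fast (re-throws, bricking boot as
+ * intended); everything else degrades with a warning so an optional replica's
+ * connectivity blip never bricks boot.
+ */
+ connect(record: ConnectableDatasource, opts?: {
+ objects?: readonly string[];
+ context?: DatasourceConnectContext;
+ }): Promise<ConnectResult>;
+ /** Gracefully disconnect a previously-registered datasource pool. */
+ disconnect(name: string): Promise<void>;
+ /**
+ * Apply the D5 connect-failure policy (also covers D3 credential failures). A
+ * code-defined `external` datasource with `onMismatch:'fail'` auto-connected at
+ * boot re-throws (fail-fast, bricking boot as intended). Runtime-admin
+ * create/update + boot rehydration always degrade-with-warning — a UI action
+ * or a replica blip must never brick the running server (preserves the
+ * pre-ADR-0062 admin behavior). Either way the datasource is left unconnected
+ * with a clear message — never a silent skip.
+ */
+ private handleFailure;
  }
 
  /**
@@ -176,6 +338,8 @@ interface StoredDatasource {
  }) | undefined;
  pool?: Record<string, unknown>;
  active?: boolean;
+ /** Force a live connection at boot even when managed + unrouted (ADR-0062 D2(c)). */
+ autoConnect?: boolean;
  origin?: 'code' | 'runtime';
  /** Package that defines a code-origin datasource, when known. */
  definedIn?: string;
@@ -276,6 +440,13 @@ interface DatasourceAdminServicePluginOptions {
  secrets?: SecretBinder;
  /** Override the driver factory (defaults to the `'datasource-driver-factory'` service). */
  driverFactory?: IDatasourceDriverFactory;
+ /**
+ * Host-injectable connect policy consulted before opening any datasource
+ * connection (ADR-0062 D5 / epic #2163 seam). Open-core default is permissive
+ * (allow); a multi-tenant host binds a stricter, fail-closed policy. Shared by
+ * both code-defined auto-connect and runtime-admin pool registration.
+ */
+ connectPolicy?: DatasourceConnectPolicy;
  logger?: Logger;
  }
  /**
@@ -301,6 +472,8 @@ declare class DatasourceAdminServicePlugin implements Plugin {
  dependencies: string[];
  private service?;
  private config?;
+ /** Shared "definition → live driver" path (ADR-0062 D1); also exposed as the `'datasource-connection'` service. */
+ private connection?;
  private readonly options;
  constructor(options?: DatasourceAdminServicePluginOptions);
  init(ctx: PluginContext): Promise<void>;
@@ -318,7 +491,6 @@ declare class DatasourceAdminServicePlugin implements Plugin {
  */
  private rehydratePools;
  destroy(): Promise<void>;
- private toSpec;
  /** Probe a connection via the driver factory: build → connect → ping → close. */
  private probe;
  }
@@ -351,7 +523,100 @@ declare class DatasourceAdminServicePlugin implements Plugin {
  * lazily so a host that never builds (e.g.) a mongo connection doesn't pay for
  * the mongo SDK.
  */
- declare function createDefaultDatasourceDriverFactory(): IDatasourceDriverFactory;
+ interface DefaultDatasourceDriverFactoryOptions {
+ /**
+ * Enables the dev-only native-`better-sqlite3` → wasm → in-memory step-down
+ * for sqlite construction (#2229). When omitted, defaults per call to
+ * `process.env.NODE_ENV === 'development'`. In production a native load
+ * failure is NOT silently swapped for a different engine (fail-closed).
+ */
+ dev?: boolean;
+ }
+ declare function createDefaultDatasourceDriverFactory(options?: DefaultDatasourceDriverFactoryOptions): IDatasourceDriverFactory;
+
+ /**
+ * Shared native-`better-sqlite3` → wasm SQLite → in-memory step-down for any
+ * sqlite-via-`better-sqlite3` construction (issue #2229).
+ *
+ * ## Why a probe is necessary
+ *
+ * `better-sqlite3` loads its native `.node` addon LAZILY — not at
+ * `require('better-sqlite3')`, and not even at knex construction, but at the
+ * first pool-connection acquire (`new Database(file)`), i.e. the first query.
+ * So an ABI mismatch (a cached prebuilt binary built for a different Node
+ * version — `NODE_MODULE_VERSION` mismatch) is invisible at boot and only
+ * surfaces much later as a runtime `Find operation failed` on the first read.
+ *
+ * This helper makes the failure observable up-front by actively probing: it
+ * opens a connection and runs a cheap `SELECT 1`, which forces the native addon
+ * to load. (`connect()` alone is NOT a reliable probe: for SQLite it only runs
+ * `mkdir` + a `PRAGMA` whose error is swallowed internally — so we additionally
+ * issue a raw `SELECT 1`, which propagates the load error.) On failure it steps
+ * down:
+ *
+ * 1. native `better-sqlite3` — fast, real SQL
+ * 2. wasm SQLite — pure-JS, real SQL + on-disk persistence, slower [dev only]
+ * 3. in-memory (mingo) — neither real SQL nor persistent [dev only, last resort]
+ *
+ * ## Dev vs production
+ *
+ * The wasm + in-memory step-down is GATED to dev. In production a native load
+ * failure is NOT silently swapped for a different engine: the error is re-thrown
+ * so it surfaces loudly (fail-closed) instead of an operator unknowingly running
+ * on wasm/mingo. This mirrors the existing `serve.ts` default-dev fallback and
+ * hoists it into one place shared by every sqlite construction site.
+ */
+ /** Which engine the resolver ultimately produced. */
+ type SqliteFallbackEngine = 'better-sqlite3' | 'sqlite-wasm' | 'memory';
+ interface ResolveSqliteDriverOptions {
+ /**
+ * SQLite filename — `:memory:` for an ephemeral database, or an absolute /
+ * relative path for a persistent file. Preserved across the wasm fallback so
+ * a persistent `file:` database keeps its on-disk persistence through wasm.
+ * Pass the raw filename (callers strip any `file:` / `sqlite:` scheme first).
+ */
+ filename: string;
+ /**
+ * Gates the wasm + in-memory step-down. When `true` (dev) a native ABI/load
+ * failure steps down the chain with a warning. When `false` (production) the
+ * native driver is returned unprobed so a failure surfaces loudly at first use
+ * (fail-closed) — we never silently degrade behind the operator's back.
+ * Defaults to `process.env.NODE_ENV === 'development'`.
+ */
+ dev?: boolean;
+ /** Forwarded to the native SqlDriver (dev loosen-only self-heal, #2186). */
+ autoMigrate?: 'off' | 'safe';
+ /** Forwarded to the SQL drivers (external schema mode, ADR-0015). */
+ schemaMode?: string;
+ /**
+ * Warning sink for the step-down messages. Defaults to `console.warn`.
+ * `serve.ts` passes a `chalk.yellow` wrapper so the banner stays consistent.
+ */
+ warn?: (message: string) => void;
+ }
+ interface ResolvedSqliteDriver {
+ /** The concrete engine driver to register (e.g. via `DriverPlugin`). */
+ driver: any;
+ /** Which engine actually resolved. */
+ engine: SqliteFallbackEngine;
+ /** Banner label, matching `serve.ts`'s existing strings. */
+ label: string;
+ }
+ /**
+ * Warning emitted when native `better-sqlite3` is unavailable but wasm SQLite
+ * loads. Kept byte-for-byte identical to the original `serve.ts` text so the
+ * dev experience is the same regardless of which construction site triggers it.
+ */
+ declare const NATIVE_SQLITE_WASM_FALLBACK_WARNING: string;
+ /** Warning emitted when neither native nor wasm SQLite loads (dev last resort). */
+ declare const NATIVE_SQLITE_MEMORY_FALLBACK_WARNING: string;
+ /**
+ * Probe a `better-sqlite3` SQLite construction and, in dev, step down to wasm
+ * SQLite (then in-memory) when the native addon cannot load.
+ *
+ * @see {@link ResolveSqliteDriverOptions}
+ */
+ declare function resolveSqliteDriver(opts: ResolveSqliteDriverOptions): Promise<ResolvedSqliteDriver>;
 
  /**
  * Default datasource SecretBinder — persists a runtime datasource's cleartext
@@ -439,4 +704,4 @@ declare function createDatasourceSecretBinder(deps: DatasourceSecretBinderDeps):
  */
  declare function registerDatasourceAdminRoutes(server: IHttpServer, ctx: PluginContext, basePath?: string): void;
 
- export { DatasourceAdminService, type DatasourceAdminServiceConfig, DatasourceAdminServicePlugin, type DatasourceAdminServicePluginOptions, DatasourceDraft, type DatasourceLike, type DatasourceSecretBinder, type DatasourceSecretBinderDeps, DatasourceSummary, ExternalDatasourceService, type ExternalDatasourceServiceConfig, ExternalDatasourceServicePlugin, type ExternalDatasourceServicePluginOptions, IDatasourceAdminService, IDatasourceDriverFactory, type Logger$1 as Logger, type ObjectLike, type ProbeInput, type SecretBinder, SecretInput, type SecretStoreEngineLike, type StoredDatasource, TestConnectionResult, createDatasourceSecretBinder, createDefaultDatasourceDriverFactory, parseCredentialsRef, registerDatasourceAdminRoutes, toCredentialsRef };
+ export { type ConnectResult, type ConnectStatus, type ConnectableDatasource, type ConnectionEngineLike, type ConnectionSecretResolver, DatasourceAdminService, type DatasourceAdminServiceConfig, DatasourceAdminServicePlugin, type DatasourceAdminServicePluginOptions, type DatasourceBoundObject, DatasourceConnectContext, DatasourceConnectPolicy, DatasourceConnectionService, type DatasourceConnectionServiceConfig, DatasourceDraft, type DatasourceLike, type DatasourceSecretBinder, type DatasourceSecretBinderDeps, DatasourceSummary, ExternalDatasourceService, type ExternalDatasourceServiceConfig, ExternalDatasourceServicePlugin, type ExternalDatasourceServicePluginOptions, IDatasourceAdminService, IDatasourceDriverFactory, type Logger$1 as Logger, NATIVE_SQLITE_MEMORY_FALLBACK_WARNING, NATIVE_SQLITE_WASM_FALLBACK_WARNING, type ObjectLike, type ProbeInput, type ResolveSqliteDriverOptions, type ResolvedSqliteDriver, type SecretBinder, SecretInput, type SecretStoreEngineLike, type SqliteFallbackEngine, type StoredDatasource, TestConnectionResult, createDatasourceSecretBinder, createDefaultDatasourceDriverFactory, isDatasourceAddressed, parseCredentialsRef, registerDatasourceAdminRoutes, resolveSqliteDriver, toCredentialsRef };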
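Review bot: The two descriptions of production behaviour for the sqlite step-down disagree. The "Dev vs production" comment above `SqliteFallbackEngine` says a native load failure "is re-thrown so it surfaces loudly", while the `dev` option on `ResolveSqliteDriverOptions` says that with `false` "the native driver is returned unprobed so a failure surfaces loudly at first use". Those are different contracts, one failing at construction and the other only at the first query, and an operator relying on fail-closed startup needs to know which holds; the implementation is not visible in this file, so which comment is wrong cannot be told from here. Separately, `ResolvedSqliteDriver.driver` is typed `any`; `driver: unknown;` would match `ConnectionEngineLike.registerDriver(driver: unknown, …)` and stop callers from using the handle unchecked. This file is emitted declaration output, so both changes presumably belong in the source it is built from.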
package/dist/index.d.ts CHANGED
@@ -1,8 +1,8 @@
1
1
  import { IExternalDatasourceService, IntrospectedSchema, RemoteTable, GenerateDraftOpts, ObjectDraft, ImportObjectOpts, ImportObjectResult, SchemaValidationResult, SchemaValidationReport, ICryptoProvider, IHttpServer } from '@objectstack/spec/contracts';
2
2
  import { ExternalCatalog } from '@objectstack/spec/data';
3
3
  import { Plugin, PluginContext } from '@objectstack/core';
4
- import { IDatasourceAdminService, TestConnectionResult, SecretInput, DatasourceSummary, DatasourceDraft, IDatasourceDriverFactory } from './contracts/index.js';
5
- export { DatasourceConnectionSpec, DatasourceDriverHandle, DatasourceOrigin } from './contracts/index.js';
4
+ import { IDatasourceDriverFactory, DatasourceConnectPolicy, DatasourceConnectContext, IDatasourceAdminService, TestConnectionResult, SecretInput, DatasourceSummary, DatasourceDraft } from './contracts/index.js';
5
+ export { DatasourceConnectDecision, DatasourceConnectSubject, DatasourceConnectionSpec, DatasourceDriverHandle, DatasourceOrigin, allowAllConnectPolicy } from './contracts/index.js';
6
6
 
7
7
  /**
8
8
  * ExternalDatasourceService — implements {@link IExternalDatasourceService}
@@ -137,6 +137,168 @@ declare class ExternalDatasourceServicePlugin implements Plugin {
137
137
  interface Logger {
138
138
  warn: (message: string, meta?: unknown) => void;
139
139
  info?: (message: string, meta?: unknown) => void;
140
+ debug?: (message: string, meta?: unknown) => void;
141
+ error?: (message: string, meta?: unknown) => void;
142
+ }
143
+
144
+ /**
145
+ * DatasourceConnectionService — the single "definition → live driver" path
146
+ * (ADR-0062 D1).
147
+ *
148
+ * Given a datasource definition, it: consults the injectable connect policy
149
+ * (D5/epic seam), builds a driver via the host-provided driver factory,
150
+ * resolves any `external.credentialsRef` to a cleartext secret via the
151
+ * `SecretBinder` (D3, wired in Phase 2), opens the connection, and registers
152
+ * the live driver + the datasource *definition* into the ObjectQL engine under
153
+ * the datasource name (the engine routes by `driver.name === <datasource>`).
154
+ *
155
+ * Both origins converge here (D1):
156
+ * - **code-defined** datasources auto-connect at boot via
157
+ * {@link connectDeclared} (gated per D2 — see {@link isDatasourceAddressed}),
158
+ * called from `AppPlugin.start()`.
159
+ * - **runtime** (UI-created) datasources connect via {@link connect}, called
160
+ * from `DatasourceAdminServicePlugin`'s `registerPool` (create/update + boot
161
+ * rehydration).
162
+ *
163
+ * Idempotent: a datasource already registered as a live driver is skipped, so
164
+ * an app's legacy `onEnable` driver registration (the escape hatch, ADR-0062
165
+ * D8) and auto-connect never double-register.
166
+ */
167
+
168
+ /** A datasource definition this service can connect (code- or runtime-origin). */
169
+ interface ConnectableDatasource {
170
+ name: string;
171
+ label?: string;
172
+ driver: string;
173
+ schemaMode?: 'managed' | 'external' | 'validate-only';
174
+ config?: Record<string, unknown>;
175
+ external?: (Record<string, unknown> & {
176
+ credentialsRef?: string;
177
+ validation?: {
178
+ onMismatch?: 'fail' | 'warn' | 'ignore';
179
+ };
180
+ }) | undefined;
181
+ pool?: Record<string, unknown>;
182
+ active?: boolean;
183
+ origin?: 'code' | 'runtime';
184
+ /**
185
+ * ADR-0062 D2(c): explicit opt-in to auto-connect even for a managed,
186
+ * unrouted datasource. Defaults to false.
187
+ */
188
+ autoConnect?: boolean;
189
+ }
190
+ /** Minimal object shape used for the D2 routing gate + post-connect schema sync. */
191
+ interface DatasourceBoundObject {
192
+ name?: string;
193
+ /** The object's explicit `datasource` binding (ADR-0015 federation). */
194
+ datasource?: string;
195
+ }
196
+ /** Engine surface this service drives (the ObjectQL `'data'` engine). */
197
+ interface ConnectionEngineLike {
198
+ registerDriver?: (driver: unknown, isDefault?: boolean) => void;
199
+ registerDatasourceDef?: (def: {
200
+ name: string;
201
+ schemaMode?: string;
202
+ external?: {
203
+ allowWrites?: boolean;
204
+ };
205
+ }) => void;
206
+ getDriverByName?: (name: string) => unknown;
207
+ /**
208
+ * Register read metadata (DDL-free) for a federated object so its physical
209
+ * remote table/columns resolve for queries. Idempotent; called per bound
210
+ * external object after the driver is registered, because boot schema-sync
211
+ * ran before this driver existed (ADR-0015 §18; matches what the legacy
212
+ * `onEnable` bridge does manually).
213
+ */
214
+ syncObjectSchema?: (objectName: string) => Promise<void>;
215
+ }
216
+ /** Secret dereference surface (the `SecretBinder.resolve`, Phase 2 / D3). */
217
+ interface ConnectionSecretResolver {
218
+ resolve?: (credentialsRef: string) => Promise<string | undefined>;
219
+ }
220
+ interface DatasourceConnectionServiceConfig {
221
+ /** Resolve the host driver factory (lazy — may be registered after init). */
222
+ factory: () => IDatasourceDriverFactory | undefined;
223
+ /** Resolve the ObjectQL engine (lazy). */
224
+ engine: () => ConnectionEngineLike | undefined;
225
+ /** Dereference `credentialsRef` → cleartext (Phase 2). Optional in Phase 1. */
226
+ secrets?: ConnectionSecretResolver;
227
+ /** Injectable connect policy. Defaults to {@link allowAllConnectPolicy}. */
228
+ policy?: DatasourceConnectPolicy;
229
+ logger?: Logger;
230
+ }
231
+ /** Outcome of a single {@link DatasourceConnectionService.connect} attempt. */
232
+ type ConnectStatus = 'connected' | 'already-registered' | 'skipped-policy' | 'skipped-no-infra' | 'skipped-unsupported' | 'failed-credentials' | 'failed-degraded';
233
+ interface ConnectResult {
234
+ name: string;
235
+ status: ConnectStatus;
236
+ reason?: string;
237
+ }
238
+ /**
239
+ * ADR-0062 D2 — is this declared datasource "meaningfully addressed", such that
240
+ * auto-connecting it is safe and intended?
241
+ *
242
+ * Returns true when:
243
+ * - (a) it is external (`schemaMode !== 'managed'`), OR
244
+ * - (b) some object **explicitly** binds to it (`object.datasource === name`), OR
245
+ * - (c) it sets `autoConnect: true`.
246
+ *
247
+ * Deliberately NOT triggered by a `datasourceMapping` rule alone. A managed
248
+ * datasource that is only *mapped* (namespace/package/default) but has no live
249
+ * driver historically falls through to the `default` driver at query time
250
+ * (`engine.getDriver` step 4) — e.g. `examples/app-crm`'s `crm_primary`
251
+ * (`:memory:`, mapped + default-fallback, no `onEnable`). Connecting it would
252
+ * divert those objects to a fresh, empty connection and silently change app
253
+ * behavior. So mapping-only routing to a *managed* datasource is treated as
254
+ * decorative, keeping existing apps byte-for-byte unchanged (D2's load-bearing
255
+ * backward-compat guarantee). External datasources and explicit
256
+ * `object.datasource` bindings never resolved to `default` (they throw when
257
+ * unregistered), so auto-connecting them is a strict improvement, not a change.
258
+ */
259
+ declare function isDatasourceAddressed(ds: Pick<ConnectableDatasource, 'name' | 'schemaMode' | 'autoConnect'>, ctx: {
260
+ objects?: readonly DatasourceBoundObject[];
261
+ }): boolean;
262
+ declare class DatasourceConnectionService {
263
+ private readonly cfg;
264
+ private readonly policy;
265
+ private readonly logger?;
266
+ constructor(cfg: DatasourceConnectionServiceConfig);
267
+ /**
268
+ * Auto-connect the declared (code-defined) datasources that pass the D2 gate.
269
+ * Called from `AppPlugin.start()` with the app bundle's datasources + objects.
270
+ * Each connected external datasource also has its bound objects' read metadata
271
+ * synced so they are immediately queryable with zero app code.
272
+ */
273
+ connectDeclared(input: {
274
+ datasources: readonly ConnectableDatasource[];
275
+ objects?: readonly DatasourceBoundObject[];
276
+ }): Promise<ConnectResult[]>;
277
+ /**
278
+ * Build + connect + register a single datasource's live driver. The shared
279
+ * core used by both auto-connect and the runtime-admin pool registration.
280
+ *
281
+ * Failure policy (ADR-0062 D5): an `external` datasource with
282
+ * `validation.onMismatch: 'fail'` fails fast (re-throws, bricking boot as
283
+ * intended); everything else degrades with a warning so an optional replica's
284
+ * connectivity blip never bricks boot.
285
+ */
286
+ connect(record: ConnectableDatasource, opts?: {
287
+ objects?: readonly string[];
288
+ context?: DatasourceConnectContext;
289
+ }): Promise<ConnectResult>;
290
+ /** Gracefully disconnect a previously-registered datasource pool. */
291
+ disconnect(name: string): Promise<void>;
292
+ /**
293
+ * Apply the D5 connect-failure policy (also covers D3 credential failures). A
294
+ * code-defined `external` datasource with `onMismatch:'fail'` auto-connected at
295
+ * boot re-throws (fail-fast, bricking boot as intended). Runtime-admin
296
+ * create/update + boot rehydration always degrade-with-warning — a UI action
297
+ * or a replica blip must never brick the running server (preserves the
298
+ * pre-ADR-0062 admin behavior). Either way the datasource is left unconnected
299
+ * with a clear message — never a silent skip.
300
+ */
301
+ private handleFailure;
140
302
  }
141
303
 
142
304
  /**
@@ -176,6 +338,8 @@ interface StoredDatasource {
176
338
  }) | undefined;
177
339
  pool?: Record<string, unknown>;
178
340
  active?: boolean;
341
+ /** Force a live connection at boot even when managed + unrouted (ADR-0062 D2(c)). */
342
+ autoConnect?: boolean;
179
343
  origin?: 'code' | 'runtime';
180
344
  /** Package that defines a code-origin datasource, when known. */
181
345
  definedIn?: string;
@@ -276,6 +440,13 @@ interface DatasourceAdminServicePluginOptions {
276
440
  secrets?: SecretBinder;
277
441
  /** Override the driver factory (defaults to the `'datasource-driver-factory'` service). */
278
442
  driverFactory?: IDatasourceDriverFactory;
443
+ /**
444
+ * Host-injectable connect policy consulted before opening any datasource
445
+ * connection (ADR-0062 D5 / epic #2163 seam). Open-core default is permissive
446
+ * (allow); a multi-tenant host binds a stricter, fail-closed policy. Shared by
447
+ * both code-defined auto-connect and runtime-admin pool registration.
448
+ */
449
+ connectPolicy?: DatasourceConnectPolicy;
279
450
  logger?: Logger;
280
451
  }
281
452
  /**
@@ -301,6 +472,8 @@ declare class DatasourceAdminServicePlugin implements Plugin {
301
472
  dependencies: string[];
302
473
  private service?;
303
474
  private config?;
475
+ /** Shared "definition → live driver" path (ADR-0062 D1); also exposed as the `'datasource-connection'` service. */
476
+ private connection?;
304
477
  private readonly options;
305
478
  constructor(options?: DatasourceAdminServicePluginOptions);
306
479
  init(ctx: PluginContext): Promise<void>;
@@ -318,7 +491,6 @@ declare class DatasourceAdminServicePlugin implements Plugin {
318
491
  */
319
492
  private rehydratePools;
320
493
  destroy(): Promise<void>;
321
- private toSpec;
322
494
  /** Probe a connection via the driver factory: build → connect → ping → close. */
323
495
  private probe;
324
496
  }
@@ -351,7 +523,100 @@ declare class DatasourceAdminServicePlugin implements Plugin {
351
523
  * lazily so a host that never builds (e.g.) a mongo connection doesn't pay for
352
524
  * the mongo SDK.
353
525
  */
354
- declare function createDefaultDatasourceDriverFactory(): IDatasourceDriverFactory;
526
+ interface DefaultDatasourceDriverFactoryOptions {
527
+ /**
528
+ * Enables the dev-only native-`better-sqlite3` → wasm → in-memory step-down
529
+ * for sqlite construction (#2229). When omitted, defaults per call to
530
+ * `process.env.NODE_ENV === 'development'`. In production a native load
531
+ * failure is NOT silently swapped for a different engine (fail-closed).
532
+ */
533
+ dev?: boolean;
534
+ }
535
+ declare function createDefaultDatasourceDriverFactory(options?: DefaultDatasourceDriverFactoryOptions): IDatasourceDriverFactory;
536
+
537
+ /**
538
+ * Shared native-`better-sqlite3` → wasm SQLite → in-memory step-down for any
539
+ * sqlite-via-`better-sqlite3` construction (issue #2229).
540
+ *
541
+ * ## Why a probe is necessary
542
+ *
543
+ * `better-sqlite3` loads its native `.node` addon LAZILY — not at
544
+ * `require('better-sqlite3')`, and not even at knex construction, but at the
545
+ * first pool-connection acquire (`new Database(file)`), i.e. the first query.
546
+ * So an ABI mismatch (a cached prebuilt binary built for a different Node
547
+ * version — `NODE_MODULE_VERSION` mismatch) is invisible at boot and only
548
+ * surfaces much later as a runtime `Find operation failed` on the first read.
549
+ *
550
+ * This helper makes the failure observable up-front by actively probing: it
551
+ * opens a connection and runs a cheap `SELECT 1`, which forces the native addon
552
+ * to load. (`connect()` alone is NOT a reliable probe: for SQLite it only runs
553
+ * `mkdir` + a `PRAGMA` whose error is swallowed internally — so we additionally
554
+ * issue a raw `SELECT 1`, which propagates the load error.) On failure it steps
555
+ * down:
556
+ *
557
+ * 1. native `better-sqlite3` — fast, real SQL
558
+ * 2. wasm SQLite — pure-JS, real SQL + on-disk persistence, slower [dev only]
559
+ * 3. in-memory (mingo) — neither real SQL nor persistent [dev only, last resort]
560
+ *
561
+ * ## Dev vs production
562
+ *
563
+ * The wasm + in-memory step-down is GATED to dev. In production a native load
564
+ * failure is NOT silently swapped for a different engine: the error is re-thrown
565
+ * so it surfaces loudly (fail-closed) instead of an operator unknowingly running
566
+ * on wasm/mingo. This mirrors the existing `serve.ts` default-dev fallback and
567
+ * hoists it into one place shared by every sqlite construction site.
568
+ */
569
+ /** Which engine the resolver ultimately produced. */
570
+ type SqliteFallbackEngine = 'better-sqlite3' | 'sqlite-wasm' | 'memory';
571
+ interface ResolveSqliteDriverOptions {
572
+ /**
573
+ * SQLite filename — `:memory:` for an ephemeral database, or an absolute /
574
+ * relative path for a persistent file. Preserved across the wasm fallback so
575
+ * a persistent `file:` database keeps its on-disk persistence through wasm.
576
+ * Pass the raw filename (callers strip any `file:` / `sqlite:` scheme first).
577
+ */
578
+ filename: string;
579
+ /**
580
+ * Gates the wasm + in-memory step-down. When `true` (dev) a native ABI/load
581
+ * failure steps down the chain with a warning. When `false` (production) the
582
+ * native driver is returned unprobed so a failure surfaces loudly at first use
583
+ * (fail-closed) — we never silently degrade behind the operator's back.
584
+ * Defaults to `process.env.NODE_ENV === 'development'`.
585
+ */
586
+ dev?: boolean;
587
+ /** Forwarded to the native SqlDriver (dev loosen-only self-heal, #2186). */
588
+ autoMigrate?: 'off' | 'safe';
589
+ /** Forwarded to the SQL drivers (external schema mode, ADR-0015). */
590
+ schemaMode?: string;
591
+ /**
592
+ * Warning sink for the step-down messages. Defaults to `console.warn`.
593
+ * `serve.ts` passes a `chalk.yellow` wrapper so the banner stays consistent.
594
+ */
595
+ warn?: (message: string) => void;
596
+ }
597
+ interface ResolvedSqliteDriver {
598
+ /** The concrete engine driver to register (e.g. via `DriverPlugin`). */
599
+ driver: any;
600
+ /** Which engine actually resolved. */
601
+ engine: SqliteFallbackEngine;
602
+ /** Banner label, matching `serve.ts`'s existing strings. */
603
+ label: string;
604
+ }
605
+ /**
606
+ * Warning emitted when native `better-sqlite3` is unavailable but wasm SQLite
607
+ * loads. Kept byte-for-byte identical to the original `serve.ts` text so the
608
+ * dev experience is the same regardless of which construction site triggers it.
609
+ */
610
+ declare const NATIVE_SQLITE_WASM_FALLBACK_WARNING: string;
611
+ /** Warning emitted when neither native nor wasm SQLite loads (dev last resort). */
612
+ declare const NATIVE_SQLITE_MEMORY_FALLBACK_WARNING: string;
613
+ /**
614
+ * Probe a `better-sqlite3` SQLite construction and, in dev, step down to wasm
615
+ * SQLite (then in-memory) when the native addon cannot load.
616
+ *
617
+ * @see {@link ResolveSqliteDriverOptions}
618
+ */
619
+ declare function resolveSqliteDriver(opts: ResolveSqliteDriverOptions): Promise<ResolvedSqliteDriver>;
355
620
 
356
621
  /**
357
622
  * Default datasource SecretBinder — persists a runtime datasource's cleartext
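Review bot: The two descriptions of the production path disagree: the overview comment says a native load failure "is re-thrown so it surfaces loudly", while `ResolveSqliteDriverOptions.dev` says that with `false` "the native driver is returned unprobed so a failure surfaces loudly at first use". If the second is what the implementation does (not visible in this declaration file), production keeps the late first-query failure that the "Why a probe is necessary" section describes. The overview should then say so, e.g. `In production the native driver is returned unprobed; a load failure surfaces at first use and is never replaced by another engine.` Because `dev` defaults to `process.env.NODE_ENV === 'development'`, a deployment that leaves that variable set can end up on the non-persistent in-memory engine. The `dev` doc could therefore add `Production hosts should pass dev: false explicitly rather than rely on NODE_ENV.`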
@@ -439,4 +704,4 @@ declare function createDatasourceSecretBinder(deps: DatasourceSecretBinderDeps):
439
704
  */
440
705
  declare function registerDatasourceAdminRoutes(server: IHttpServer, ctx: PluginContext, basePath?: string): void;
441
706
 
442
- export { DatasourceAdminService, type DatasourceAdminServiceConfig, DatasourceAdminServicePlugin, type DatasourceAdminServicePluginOptions, DatasourceDraft, type DatasourceLike, type DatasourceSecretBinder, type DatasourceSecretBinderDeps, DatasourceSummary, ExternalDatasourceService, type ExternalDatasourceServiceConfig, ExternalDatasourceServicePlugin, type ExternalDatasourceServicePluginOptions, IDatasourceAdminService, IDatasourceDriverFactory, type Logger$1 as Logger, type ObjectLike, type ProbeInput, type SecretBinder, SecretInput, type SecretStoreEngineLike, type StoredDatasource, TestConnectionResult, createDatasourceSecretBinder, createDefaultDatasourceDriverFactory, parseCredentialsRef, registerDatasourceAdminRoutes, toCredentialsRef };
707
+ export { type ConnectResult, type ConnectStatus, type ConnectableDatasource, type ConnectionEngineLike, type ConnectionSecretResolver, DatasourceAdminService, type DatasourceAdminServiceConfig, DatasourceAdminServicePlugin, type DatasourceAdminServicePluginOptions, type DatasourceBoundObject, DatasourceConnectContext, DatasourceConnectPolicy, DatasourceConnectionService, type DatasourceConnectionServiceConfig, DatasourceDraft, type DatasourceLike, type DatasourceSecretBinder, type DatasourceSecretBinderDeps, DatasourceSummary, ExternalDatasourceService, type ExternalDatasourceServiceConfig, ExternalDatasourceServicePlugin, type ExternalDatasourceServicePluginOptions, IDatasourceAdminService, IDatasourceDriverFactory, type Logger$1 as Logger, NATIVE_SQLITE_MEMORY_FALLBACK_WARNING, NATIVE_SQLITE_WASM_FALLBACK_WARNING, type ObjectLike, type ProbeInput, type ResolveSqliteDriverOptions, type ResolvedSqliteDriver, type SecretBinder, SecretInput, type SecretStoreEngineLike, type SqliteFallbackEngine, type StoredDatasource, TestConnectionResult, createDatasourceSecretBinder, createDefaultDatasourceDriverFactory, isDatasourceAddressed, parseCredentialsRef, registerDatasourceAdminRoutes, resolveSqliteDriver, toCredentialsRef };