@peers-app/peers-sdk 0.18.8 → 0.19.6

package/dist/package-installer/package-propagation.d.ts

@@ -0,0 +1,29 @@
+import type { DataContext } from "../context/data-context";
+import type { UserContext } from "../context/user-context";
+import { type IPackage } from "../data/packages";
+/**
+ * Result of a single successful cross-group propagation.
+ */
+export interface IPropagationResult {
+    groupId: string;
+    packageId: string;
+    packageVersionId: string;
+    version: string;
+    versionTag: string;
+    activated: boolean;
+}
+/**
+ * Subscribes to PackageVersion dataChanged events across all groups and
+ * propagates signed PVs to admin groups. Call once at startup.
+ */
+export declare function propagatePvOnChanged(userContext?: UserContext): Promise<void>;
+/**
+ * Catch-up/backfill scanner. Iterates all local signed PVs and propagates
+ * any that are missing from admin groups. Useful for manual repair.
+ */
+export declare function discoverAndPropagateVersions(userContext: UserContext): Promise<IPropagationResult[]>;
+export interface IActivationResult {
+    activated: boolean;
+    activePackageVersionId?: string;
+}
+export declare function activateBestEligibleVersion(dataContext: DataContext, pkg: IPackage): Promise<IActivationResult>;

package/dist/package-installer/package-propagation.js

@@ -0,0 +1,364 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.propagatePvOnChanged = propagatePvOnChanged;
+exports.discoverAndPropagateVersions = discoverAndPropagateVersions;
+exports.activateBestEligibleVersion = activateBestEligibleVersion;
+const context_1 = require("../context");
+const files_1 = require("../data/files/files");
+const group_member_roles_1 = require("../data/group-member-roles");
+const group_permissions_1 = require("../data/group-permissions");
+const package_versions_1 = require("../data/package-versions");
+const packages_1 = require("../data/packages");
+const utils_1 = require("../utils");
+const package_author_signing_1 = require("./package-author-signing");
+// --- Module-level state ---
+const RETRY_DELAYS_MS = [2_000, 10_000, 30_000, 60_000, 120_000];
+const pvPropagateMap = {};
+const activationLocks = new Map();
+// --- Public API ---
+/**
+ * Subscribes to PackageVersion dataChanged events across all groups and
+ * propagates signed PVs to admin groups. Call once at startup.
+ */
+async function propagatePvOnChanged(userContext) {
+    const uc = userContext || (await (0, context_1.getUserContext)());
+    uc.subscribeToDataChangedAcrossAllGroups((0, package_versions_1.PackageVersions)(), (evt) => {
+        if (evt.data.op === "delete")
+            return;
+        const pv = evt.data.dataObject;
+        if (!isPropagatablePackageVersion(pv))
+            return;
+        if (!pvPropagateMap[pv.packageVersionId]) {
+            pvPropagateMap[pv.packageVersionId] = propagatePvToAdminGroups(uc, evt.dataContext, pv).then(() => undefined, (err) => console.error(`[propagation] Unhandled error for ${pv.packageVersionId}:`, err));
+        }
+    });
+}
+/**
+ * Catch-up/backfill scanner. Iterates all local signed PVs and propagates
+ * any that are missing from admin groups. Useful for manual repair.
+ */
+async function discoverAndPropagateVersions(userContext) {
+    const results = [];
+    const adminGroups = await getAdminGroups(userContext);
+    const allContexts = [
+        userContext.userDataContext,
+        ...Array.from(userContext.groupDataContexts.entries())
+            .sort(([a], [b]) => a.localeCompare(b))
+            .map(([, ctx]) => ctx),
+    ];
+    // Phase 1: Install all missing PVs without activating
+    const packagesToActivate = new Map(); // "groupId:packageId" -> set of pvIds installed
+    for (const sourceContext of allContexts) {
+        const pvs = await (0, package_versions_1.PackageVersions)(sourceContext).list();
+        for (const pv of pvs.filter(isPropagatablePackageVersion)) {
+            for (const targetContext of adminGroups) {
+                if (targetContext.dataContextId === sourceContext.dataContextId)
+                    continue;
+                try {
+                    const installed = await installPvInGroupNoActivate(sourceContext, targetContext, pv);
+                    if (installed) {
+                        const key = `${getContextId(targetContext)}:${pv.packageId}`;
+                        const set = packagesToActivate.get(key) ?? new Set();
+                        set.add(pv.packageVersionId);
+                        packagesToActivate.set(key, set);
+                        results.push(makeResult(targetContext, pv, false));
+                    }
+                }
+                catch (err) {
+                    console.error(`[propagation] Error backfilling ${pv.packageVersionId}:`, err);
+                }
+            }
+        }
+    }
+    // Phase 2: Activate best eligible version per (group, package)
+    for (const [key] of packagesToActivate) {
+        const [groupId, packageId] = key.split(":");
+        const targetContext = adminGroups.find((ctx) => getContextId(ctx) === groupId);
+        if (!targetContext)
+            continue;
+        const pkg = await (0, packages_1.Packages)(targetContext).get(packageId);
+        if (!pkg)
+            continue;
+        const activation = await withActivationLock(targetContext, packageId, () => activateBestEligibleVersion(targetContext, pkg));
+        if (activation.activated && activation.activePackageVersionId) {
+            const result = results.find((r) => r.groupId === groupId && r.packageVersionId === activation.activePackageVersionId);
+            if (result)
+                result.activated = true;
+        }
+    }
+    return results;
+}
+// --- Core propagation ---
+async function propagatePvToAdminGroups(userContext, sourceContext, pv) {
+    const adminGroups = await getAdminGroups(userContext);
+    const results = [];
+    await Promise.all(adminGroups.map(async (targetContext) => {
+        if (targetContext.dataContextId === sourceContext.dataContextId)
+            return;
+        try {
+            const result = await installPvInGroup(sourceContext, targetContext, pv);
+            if (result)
+                results.push(result);
+        }
+        catch (err) {
+            console.error(`[propagation] Failed ${pv.packageVersionId} -> ${getContextId(targetContext)}:`, err);
+        }
+    }));
+    return results;
+}
+/**
+ * Install a PV without activation or retries. Used by the backfill scanner.
+ * Returns true if the PV was installed, false/undefined otherwise.
+ */
+async function installPvInGroupNoActivate(source, dest, pv) {
+    const pkg = await (0, packages_1.Packages)(dest).get(pv.packageId);
+    if (!pkg || pkg.disabled)
+        return false;
+    const existingPv = await (0, package_versions_1.PackageVersions)(dest).get(pv.packageVersionId);
+    if (existingPv)
+        return false;
+    if (!(await verifyOrEstablishTofu(source, dest, pkg, pv)))
+        return false;
+    const files = await copyBundleFiles(source, pv);
+    if (!files)
+        return false;
+    for (const file of files) {
+        await copyFileTree(source, dest, file);
+    }
+    const propagatedPv = buildPropagatedPv(pv, files);
+    await (0, package_versions_1.PackageVersions)(dest).signAndSave(propagatedPv, { saveAsSnapshot: true });
+    return true;
+}
+async function installPvInGroup(source, dest, pv, retryCnt = 0) {
+    if (retryCnt > 0) {
+        const delayMs = RETRY_DELAYS_MS[retryCnt - 1];
+        if (!delayMs) {
+            console.error(`[propagation] Gave up on ${pv.packageVersionId} -> ${getContextId(dest)} after ${RETRY_DELAYS_MS.length} retries`);
+            return undefined;
+        }
+        await (0, utils_1.sleep)(delayMs);
+    }
+    const pkg = await (0, packages_1.Packages)(dest).get(pv.packageId);
+    if (!pkg || pkg.disabled)
+        return undefined;
+    const existingPv = await (0, package_versions_1.PackageVersions)(dest).get(pv.packageVersionId);
+    if (existingPv) {
+        // Already installed; still run activation in case policy changed
+        const activation = await withActivationLock(dest, pv.packageId, () => activateBestEligibleVersion(dest, pkg));
+        return activation.activated
+            ? makeResult(dest, pv, activation.activePackageVersionId === pv.packageVersionId)
+            : undefined;
+    }
+    // TOFU verification
+    if (!(await verifyOrEstablishTofu(source, dest, pkg, pv))) {
+        return await retryOrFail(source, dest, pv, retryCnt, "TOFU");
+    }
+    // Copy bundle files
+    const files = await copyBundleFiles(source, pv);
+    if (!files) {
+        return await retryOrFail(source, dest, pv, retryCnt, "missing files");
+    }
+    // Copy file records (including index files) into destination
+    for (const file of files) {
+        await copyFileTree(source, dest, file);
+    }
+    // Save sanitized PV
+    const propagatedPv = buildPropagatedPv(pv, files);
+    await (0, package_versions_1.PackageVersions)(dest).signAndSave(propagatedPv, { saveAsSnapshot: true });
+    // Activation pass
+    const activation = await withActivationLock(dest, pv.packageId, () => activateBestEligibleVersion(dest, pkg));
+    return makeResult(dest, pv, activation.activated && activation.activePackageVersionId === pv.packageVersionId);
+}
+async function retryOrFail(source, dest, pv, retryCnt, reason) {
+    if (retryCnt < RETRY_DELAYS_MS.length) {
+        console.warn(`[propagation] ${reason} for ${pv.packageVersionId}, retrying...`);
+        return installPvInGroup(source, dest, pv, retryCnt + 1);
+    }
+    console.error(`[propagation] ${reason} for ${pv.packageVersionId}, giving up`);
+    return undefined;
+}
+// --- TOFU ---
+/**
+ * Returns true if signature verification passes. Establishes TOFU key
+ * from source if target has no publishPublicKey yet. Returns false on
+ * transient failures (missing source key).
+ */
+async function verifyOrEstablishTofu(sourceContext, targetContext, targetPkg, pv) {
+    if (targetPkg.publishPublicKey) {
+        if (!(0, package_author_signing_1.verifyPackageAuthorSignature)(pv, targetPkg.publishPublicKey).valid) {
+            console.error(`[propagation] Invalid signature for ${pv.packageVersionId}`);
+            return false;
+        }
+        return true;
+    }
+    // TOFU: get key from source
+    const sourcePkg = await (0, packages_1.Packages)(sourceContext).get(targetPkg.packageId);
+    if (!sourcePkg?.publishPublicKey)
+        return false;
+    if (!(0, package_author_signing_1.verifyPackageAuthorSignature)(pv, sourcePkg.publishPublicKey).valid) {
+        console.error(`[propagation] Invalid signature for ${pv.packageVersionId} (TOFU)`);
+        return false;
+    }
+    await (0, packages_1.Packages)(targetContext).signAndSave({
+        ...targetPkg,
+        publishPublicKey: sourcePkg.publishPublicKey,
+    });
+    targetPkg.publishPublicKey = sourcePkg.publishPublicKey;
+    return true;
+}
+/**
+ * Loads and verifies all bundle file records from source. Returns null if
+ * any required file is missing (transient failure).
+ */
+async function copyBundleFiles(source, pv) {
+    const sourceFiles = (0, files_1.Files)(source);
+    const bundles = [];
+    const entries = [
+        [pv.packageBundleFileId, pv.packageBundleFileHash, "packageBundleFileId"],
+        [pv.routesBundleFileId, pv.routesBundleFileHash, "routesBundleFileId"],
+        [pv.uiBundleFileId, pv.uiBundleFileHash, "uiBundleFileId"],
+    ];
+    for (const [fileId, expectedHash, field] of entries) {
+        if (!fileId && !expectedHash)
+            continue;
+        if (!fileId || !expectedHash) {
+            console.error(`[propagation] Malformed ${field} on ${pv.packageVersionId}: id=${fileId}, hash=${expectedHash}`);
+            return null;
+        }
+        const file = await sourceFiles.get(fileId);
+        if (!file)
+            return null;
+        if (file.fileHash !== expectedHash) {
+            console.error(`[propagation] Hash mismatch on ${field} for ${pv.packageVersionId}: expected ${expectedHash}, got ${file.fileHash}`);
+            return null;
+        }
+        bundles.push({ file, expectedHash, field });
+    }
+    if (!bundles.some((b) => b.field === "packageBundleFileId")) {
+        return null;
+    }
+    return bundles;
+}
+async function copyFileTree(source, dest, bundle, copiedIds = new Set()) {
+    await saveFileAndIndexTree((0, files_1.Files)(source), (0, files_1.Files)(dest), bundle.file, copiedIds);
+}
+async function saveFileAndIndexTree(sourceFiles, destFiles, file, copiedIds) {
+    if (copiedIds.has(file.fileId))
+        return;
+    copiedIds.add(file.fileId);
+    if (file.indexFileId) {
+        const indexFile = await sourceFiles.get(file.indexFileId);
+        if (indexFile) {
+            await saveFileAndIndexTree(sourceFiles, destFiles, indexFile, copiedIds);
+        }
+    }
+    await destFiles.saveFileRecord(file);
+}
+async function activateBestEligibleVersion(dataContext, pkg) {
+    const range = pkg.versionFollowRange ?? "pinned";
+    if (range === "pinned")
+        return { activated: false };
+    const pvs = await (0, package_versions_1.PackageVersions)(dataContext).list({ packageId: pkg.packageId });
+    const activePv = pkg.activePackageVersionId
+        ? (pvs.find((p) => p.packageVersionId === pkg.activePackageVersionId) ??
+            (await (0, package_versions_1.PackageVersions)(dataContext).get(pkg.activePackageVersionId)))
+        : undefined;
+    let best;
+    for (const candidate of pvs) {
+        if (!isEligibleForActivation(candidate, pkg, activePv))
+            continue;
+        if (!(0, package_versions_1.doesTagMatch)(activePv?.versionTag, candidate.versionTag, pkg.followVersionTags, undefined))
+            continue;
+        if (activePv && !(0, package_versions_1.isVersionInRange)(activePv.version, candidate.version, range))
+            continue;
+        if (!best || (0, package_versions_1.isNewerVersion)(best.version, candidate.version))
+            best = candidate;
+    }
+    if (!best || best.packageVersionId === pkg.activePackageVersionId) {
+        return { activated: false, activePackageVersionId: pkg.activePackageVersionId };
+    }
+    pkg.activePackageVersionId = best.packageVersionId;
+    await (0, packages_1.Packages)(dataContext).signAndSave(pkg);
+    return { activated: true, activePackageVersionId: best.packageVersionId };
+}
+function isEligibleForActivation(pv, pkg, activePv) {
+    if (pv.versionTag === "dev")
+        return false;
+    if (!pv.packageAuthorSignature)
+        return false;
+    if (!pkg.publishPublicKey)
+        return false;
+    if (activePv && !(0, package_versions_1.isNewerVersion)(activePv.version, pv.version))
+        return false;
+    return (0, package_author_signing_1.verifyPackageAuthorSignature)(pv, pkg.publishPublicKey).valid;
+}
+// --- Utilities ---
+function isPropagatablePackageVersion(pv) {
+    return Boolean(pv.packageAuthorSignature && pv.versionTag !== "dev");
+}
+async function getAdminGroups(userContext) {
+    const adminContexts = [];
+    for (const [groupId, dataContext] of Array.from(userContext.groupDataContexts.entries())) {
+        try {
+            const role = await (0, group_permissions_1.getUserRole)(groupId, userContext.userId);
+            if (role >= group_member_roles_1.GroupMemberRole.Admin) {
+                adminContexts.push(dataContext);
+            }
+        }
+        catch {
+            // Skip groups where role can't be determined
+        }
+    }
+    return adminContexts;
+}
+function withActivationLock(targetContext, packageId, fn) {
+    const key = `${getContextId(targetContext)}:${packageId}`;
+    const previous = activationLocks.get(key) ?? Promise.resolve();
+    const current = previous
+        .catch(() => undefined)
+        .then(fn)
+        .finally(() => {
+        if (activationLocks.get(key) === current) {
+            activationLocks.delete(key);
+        }
+    });
+    activationLocks.set(key, current);
+    return current;
+}
+function buildPropagatedPv(pv, files) {
+    const fileMap = new Map(files.map((f) => [f.field, f]));
+    const pkgBundle = fileMap.get("packageBundleFileId");
+    const routesBundle = fileMap.get("routesBundleFileId");
+    const uiBundle = fileMap.get("uiBundleFileId");
+    return {
+        packageVersionId: pv.packageVersionId,
+        packageId: pv.packageId,
+        version: pv.version,
+        versionTag: pv.versionTag,
+        packageVersionHash: (0, package_versions_1.computePackageVersionHash)(pv.version, pv.versionTag ?? "", pkgBundle.expectedHash, routesBundle?.expectedHash, uiBundle?.expectedHash),
+        packageBundleFileId: pkgBundle.file.fileId,
+        packageBundleFileHash: pkgBundle.expectedHash,
+        routesBundleFileId: routesBundle?.file.fileId,
+        routesBundleFileHash: routesBundle?.expectedHash,
+        uiBundleFileId: uiBundle?.file.fileId,
+        uiBundleFileHash: uiBundle?.expectedHash,
+        appNavs: pv.appNavs,
+        packageAuthorSignature: pv.packageAuthorSignature,
+        signature: "",
+        createdBy: pv.createdBy,
+        createdAt: pv.createdAt,
+    };
+}
+function getContextId(dataContext) {
+    return dataContext.groupId ?? dataContext.dataContextId;
+}
+function makeResult(targetContext, pv, activated) {
+    return {
+        groupId: getContextId(targetContext),
+        packageId: pv.packageId,
+        packageVersionId: pv.packageVersionId,
+        version: pv.version,
+        versionTag: pv.versionTag ?? "stable",
+        activated,
+    };
+}

package/dist/package-installer/package-propagation.test.d.ts

@@ -0,0 +1 @@
+export {};