@positronic/cloudflare 0.0.67 → 0.0.69

package/dist/src/api/auth-middleware.js

@@ -126,6 +126,31 @@ function _ts_generator(thisArg, body) {
     }
 }
 import { jwtVerify, decodeJwt, importJWK } from 'jose';
+/**
+ * Middleware that restricts access to root users only.
+ * Returns 403 if the authenticated user is not root.
+ */ export function requireRoot() {
+    return function(c, next) {
+        return _async_to_generator(function() {
+            var auth;
+            return _ts_generator(this, function(_state) {
+                auth = c.get('auth');
+                if (!(auth === null || auth === void 0 ? void 0 : auth.isRoot)) {
+                    return [
+                        2,
+                        c.json({
+                            error: 'Root access required'
+                        }, 403)
+                    ];
+                }
+                return [
+                    2,
+                    next()
+                ];
+            });
+        })();
+    };
+}
 /**
  * Get the JWT algorithm based on JWK key type
  */ function getAlgorithmForJwk(jwk) {

package/dist/src/api/brains.js

@@ -160,9 +160,18 @@ import Fuse from 'fuse.js';
 import { isSignalValid, brainMachineDefinition } from '@positronic/core';
 import { getManifest } from '../brain-runner-do.js';
 var brains = new Hono();
+/**
+ * Get the userId for ownership filtering from the auth context.
+ * Root users get null (no filter — sees everything).
+ * Non-root users get their userId (sees only their own).
+ */ function scopeUserId(context) {
+    var auth = context.get('auth');
+    var _auth_userId;
+    return (auth === null || auth === void 0 ? void 0 : auth.isRoot) ? null : (_auth_userId = auth === null || auth === void 0 ? void 0 : auth.userId) !== null && _auth_userId !== void 0 ? _auth_userId : null;
+}
 brains.post('/runs', function(context) {
     return _async_to_generator(function() {
-        var requestBody, options, identifier, manifest, resolution, brain, brainRunId, namespace, doId, stub, initialData, brainTitle, response;
+        var requestBody, options, identifier, manifest, resolution, brain, brainRunId, namespace, doId, stub, auth, currentUser, initialData, brainTitle, response;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -218,6 +227,19 @@ brains.post('/runs', function(context) {
                     namespace = context.env.BRAIN_RUNNER_DO;
                     doId = namespace.idFromName(brainRunId);
                     stub = namespace.get(doId);
+                    // Read auth context for currentUser (every brain run must have an owner)
+                    auth = context.get('auth');
+                    if (!(auth === null || auth === void 0 ? void 0 : auth.userId) && !(auth === null || auth === void 0 ? void 0 : auth.isRoot)) {
+                        return [
+                            2,
+                            context.json({
+                                error: 'Authentication required to run a brain'
+                            }, 401)
+                        ];
+                    }
+                    currentUser = {
+                        id: auth.userId || 'root'
+                    };
                     // Pass options to the brain runner if provided
                     initialData = options ? {
                         options: options
@@ -226,7 +248,7 @@ brains.post('/runs', function(context) {
                     brainTitle = brain.title || identifier;
                     return [
                         4,
-                        stub.start(brainTitle, brainRunId, initialData)
+                        stub.start(brainTitle, brainRunId, currentUser, initialData)
                     ];
                 case 2:
                     _state.sent();
@@ -243,7 +265,7 @@ brains.post('/runs', function(context) {
 });
 brains.post('/runs/rerun', function(context) {
     return _async_to_generator(function() {
-        var requestBody, runId, startsAt, stopsAfter, identifier, manifest, resolution, brain, monitorId, monitorStub, existingRun, newBrainRunId, namespace, doId, stub, rerunOptions, brainTitle, response;
+        var requestBody, runId, startsAt, stopsAfter, identifier, manifest, resolution, brain, monitorId, monitorStub, existingRun, auth, currentUser, newBrainRunId, namespace, doId, stub, rerunOptions, brainTitle, response;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -317,6 +339,19 @@ brains.post('/runs/rerun', function(context) {
                     }
                     _state.label = 3;
                 case 3:
+                    // Read auth context for currentUser (every brain run must have an owner)
+                    auth = context.get('auth');
+                    if (!(auth === null || auth === void 0 ? void 0 : auth.userId) && !(auth === null || auth === void 0 ? void 0 : auth.isRoot)) {
+                        return [
+                            2,
+                            context.json({
+                                error: 'Authentication required to run a brain'
+                            }, 401)
+                        ];
+                    }
+                    currentUser = {
+                        id: auth.userId || 'root'
+                    };
                     // Create a new brain run with rerun parameters
                     newBrainRunId = uuidv4();
                     namespace = context.env.BRAIN_RUNNER_DO;
@@ -334,7 +369,7 @@ brains.post('/runs/rerun', function(context) {
                     brainTitle = brain.title || identifier;
                     return [
                         4,
-                        stub.start(brainTitle, newBrainRunId, rerunOptions)
+                        stub.start(brainTitle, newBrainRunId, currentUser, rerunOptions)
                     ];
                 case 4:
                     _state.sent();
@@ -375,16 +410,17 @@ brains.get('/runs/:runId/watch', function(context) {
 });
 brains.get('/runs/:runId', function(context) {
     return _async_to_generator(function() {
-        var runId, monitorId, monitorStub, run;
+        var runId, userId, monitorId, monitorStub, run;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
                     runId = context.req.param('runId');
+                    userId = scopeUserId(context);
                     monitorId = context.env.MONITOR_DO.idFromName('singleton');
                     monitorStub = context.env.MONITOR_DO.get(monitorId);
                     return [
                         4,
-                        monitorStub.getRun(runId)
+                        monitorStub.getRun(runId, userId)
                     ];
                 case 1:
                     run = _state.sent();
@@ -640,7 +676,7 @@ brains.post('/runs/:runId/resume', function(context) {
 });
 brains.get('/:identifier/history', function(context) {
     return _async_to_generator(function() {
-        var identifier, limit, manifest, resolution, brain, brainTitle, monitorId, monitorStub, runs;
+        var identifier, limit, manifest, resolution, brain, brainTitle, monitorId, monitorStub, userId, runs;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -681,9 +717,10 @@ brains.get('/:identifier/history', function(context) {
                     // Get the monitor singleton instance
                     monitorId = context.env.MONITOR_DO.idFromName('singleton');
                     monitorStub = context.env.MONITOR_DO.get(monitorId);
+                    userId = scopeUserId(context);
                     return [
                         4,
-                        monitorStub.history(brainTitle, limit)
+                        monitorStub.history(brainTitle, limit, userId)
                     ];
                 case 1:
                     runs = _state.sent();
@@ -699,7 +736,7 @@ brains.get('/:identifier/history', function(context) {
 });
 brains.get('/:identifier/active-runs', function(context) {
     return _async_to_generator(function() {
-        var identifier, manifest, resolution, brain, brainTitle, monitorId, monitorStub, runs;
+        var identifier, manifest, resolution, brain, brainTitle, monitorId, monitorStub, userId, runs;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -739,9 +776,10 @@ brains.get('/:identifier/active-runs', function(context) {
                     // Get the monitor singleton instance
                     monitorId = context.env.MONITOR_DO.idFromName('singleton');
                     monitorStub = context.env.MONITOR_DO.get(monitorId);
+                    userId = scopeUserId(context);
                     return [
                         4,
-                        monitorStub.activeRuns(brainTitle)
+                        monitorStub.activeRuns(brainTitle, userId)
                     ];
                 case 1:
                     runs = _state.sent();
@@ -922,7 +960,7 @@ brains.get('/', function(context) {
 // Create a new schedule
 brains.post('/schedules', function(context) {
     return _async_to_generator(function() {
-        var body, cronExpression, identifier, manifest, resolution, brain, brainTitle, scheduleDoId, scheduleStub, timezone, schedule, error, errorMessage;
+        var body, cronExpression, identifier, manifest, resolution, brain, brainTitle, scheduleDoId, scheduleStub, auth, runAsUserId, timezone, schedule, error, errorMessage;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -1003,6 +1041,17 @@ brains.post('/schedules', function(context) {
                     // Get the schedule singleton instance
                     scheduleDoId = context.env.SCHEDULE_DO.idFromName('singleton');
                     scheduleStub = context.env.SCHEDULE_DO.get(scheduleDoId);
+                    // Require authentication — scheduled runs will execute as this user
+                    auth = context.get('auth');
+                    if (!(auth === null || auth === void 0 ? void 0 : auth.userId) && !(auth === null || auth === void 0 ? void 0 : auth.isRoot)) {
+                        return [
+                            2,
+                            context.json({
+                                error: 'Authentication required to create a schedule'
+                            }, 401)
+                        ];
+                    }
+                    runAsUserId = auth.userId || 'root';
                     // Determine timezone: use provided value, fall back to project timezone
                     timezone = body.timezone;
                     if (!!timezone) return [
@@ -1032,7 +1081,7 @@ brains.post('/schedules', function(context) {
                     }
                     return [
                         4,
-                        scheduleStub.createSchedule(brainTitle, cronExpression, timezone)
+                        scheduleStub.createSchedule(brainTitle, cronExpression, timezone, runAsUserId)
                     ];
                 case 4:
                     schedule = _state.sent();
@@ -1060,15 +1109,16 @@ brains.post('/schedules', function(context) {
 // List all schedules
 brains.get('/schedules', function(context) {
     return _async_to_generator(function() {
-        var scheduleId, scheduleStub, result;
+        var scheduleId, scheduleStub, userId, result;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
                     scheduleId = context.env.SCHEDULE_DO.idFromName('singleton');
                     scheduleStub = context.env.SCHEDULE_DO.get(scheduleId);
+                    userId = scopeUserId(context);
                     return [
                         4,
-                        scheduleStub.listSchedules()
+                        scheduleStub.listSchedules(userId)
                     ];
                 case 1:
                     result = _state.sent();
@@ -1083,7 +1133,7 @@ brains.get('/schedules', function(context) {
 // Get scheduled run history - MUST be before :scheduleId route
 brains.get('/schedules/runs', function(context) {
     return _async_to_generator(function() {
-        var scheduleIdParam, limit, scheduleDoId, scheduleStub, result;
+        var scheduleIdParam, limit, scheduleDoId, scheduleStub, userId, result;
         return _ts_generator(this, function(_state) {
             switch(_state.label){
                 case 0:
@@ -1091,9 +1141,10 @@ brains.get('/schedules/runs', function(context) {
                     limit = Number(context.req.query('limit') || '100');
                     scheduleDoId = context.env.SCHEDULE_DO.idFromName('singleton');
                     scheduleStub = context.env.SCHEDULE_DO.get(scheduleDoId);
+                    userId = scopeUserId(context);
                     return [
                         4,
-                        scheduleStub.getAllRuns(scheduleIdParam, limit)
+                        scheduleStub.getAllRuns(scheduleIdParam, limit, userId)
                     ];
                 case 1:
                     result = _state.sent();

package/dist/src/api/secrets.js

@@ -178,6 +178,7 @@ function _ts_generator(thisArg, body) {
     }
 }
 import { Hono } from 'hono';
+import { requireRoot } from './auth-middleware.js';
 /**
  * Helper to check if Cloudflare API credentials are configured
  */ function getSecretsApiConfig(env) {
@@ -214,6 +215,8 @@ import { Hono } from 'hono';
     }).apply(this, arguments);
 }
 var secrets = new Hono();
+// Only root users can manage secrets
+secrets.use('*', requireRoot());
 // Protected secret name that cannot be managed via the API
 var PROTECTED_SECRET = 'ROOT_PUBLIC_KEY';
 // List all secrets (names only, not values)

package/dist/src/brain-runner-do.js

@@ -298,7 +298,9 @@ import { TimeoutAdapter } from './timeout-adapter.js';
 import { PageAdapter } from './page-adapter.js';
 import { EventLoader } from './event-loader.js';
 import { createPagesService } from './pages-service.js';
+import { setGovernorBinding, rateGoverned } from './governor-client-wrapper.js';
 import { CloudflareR2Loader } from './r2-loader.js';
+import { createR2Backend } from './create-r2-store.js';
 import { createResources } from '@positronic/core';
 var manifest = null;
 export function setManifest(generatedManifest) {
@@ -503,6 +505,8 @@ var ScheduleAdapter = /*#__PURE__*/ function() {
     ]);
     return BatchChunkAdapter;
 }();
+// SQL to initialize the run owner table (stores who started this brain run)
+var runOwnerTableSQL = "\nCREATE TABLE IF NOT EXISTS run_owner (\n  user_id TEXT NOT NULL\n);\n";
 // SQL to initialize the signals table
 var signalsTableSQL = "\nCREATE TABLE IF NOT EXISTS brain_signals (\n  id INTEGER PRIMARY KEY AUTOINCREMENT,\n  signal_type TEXT NOT NULL,\n  content TEXT,\n  queued_at INTEGER NOT NULL\n);\n";
 // SQL to initialize the wait timeout table
@@ -516,13 +520,37 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
         _this = _call_super(this, BrainRunnerDO, [
             state,
             env
-        ]), _define_property(_this, "sql", void 0), _define_property(_this, "brainRunId", void 0), _define_property(_this, "eventStreamAdapter", new EventStreamAdapter()), _define_property(_this, "abortController", null), _define_property(_this, "pageAdapter", null), _define_property(_this, "signalsTableInitialized", false), _define_property(_this, "waitTimeoutTableInitialized", false);
+        ]), _define_property(_this, "sql", void 0), _define_property(_this, "brainRunId", void 0), _define_property(_this, "eventStreamAdapter", new EventStreamAdapter()), _define_property(_this, "abortController", null), _define_property(_this, "pageAdapter", null), _define_property(_this, "runOwnerTableInitialized", false), _define_property(_this, "signalsTableInitialized", false), _define_property(_this, "waitTimeoutTableInitialized", false);
         _this.sql = state.storage.sql;
         _this.brainRunId = state.id.toString();
         _this.env = env;
         return _this;
     }
     _create_class(BrainRunnerDO, [
+        {
+            key: "initializeRunOwnerTable",
+            value: function initializeRunOwnerTable() {
+                if (!this.runOwnerTableInitialized) {
+                    this.sql.exec(runOwnerTableSQL);
+                    this.runOwnerTableInitialized = true;
+                }
+            }
+        },
+        {
+            key: "storeRunOwner",
+            value: function storeRunOwner(userId) {
+                this.initializeRunOwnerTable();
+                this.sql.exec("INSERT INTO run_owner (user_id) VALUES (?)", userId);
+            }
+        },
+        {
+            key: "getRunOwner",
+            value: function getRunOwner() {
+                this.initializeRunOwnerTable();
+                var results = this.sql.exec("SELECT user_id FROM run_owner LIMIT 1").toArray();
+                return results.length > 0 ? results[0].user_id : null;
+            }
+        },
         {
             key: "initializeSignalsTable",
             value: function initializeSignalsTable() {
@@ -1018,7 +1046,7 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
         },
         {
             key: "start",
-            value: function start(brainTitle, brainRunId, initialData) {
+            value: function start(brainTitle, brainRunId, currentUser, initialData) {
                 return _async_to_generator(function() {
                     var _this, sql, resolution, brainToRun, sqliteAdapter, eventStreamAdapter, monitorDOStub, monitorAdapter, scheduleAdapter, webhookAdapter, env, pagesService, r2Resources, runnerWithResources, signalProvider, options, initialState, batchChunkAdapter, timeoutAdapter;
                     return _ts_generator(this, function(_state) {
@@ -1055,6 +1083,7 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                 env = this.buildRuntimeEnv();
                                 // Create pages service for brain to use
                                 pagesService = createPagesService(brainRunId, this.env.RESOURCES_BUCKET, monitorDOStub, env);
+                                setGovernorBinding(this.env.GOVERNOR_DO);
                                 if (!brainRunner) {
                                     throw new Error('BrainRunner not initialized');
                                 }
@@ -1076,10 +1105,14 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                 signalProvider = new CloudflareSignalProvider(function(filter) {
                                     return _this.getAndConsumeSignals(filter);
                                 });
-                                runnerWithResources = runnerWithResources.withSignalProvider(signalProvider);
+                                runnerWithResources = runnerWithResources.withSignalProvider(signalProvider).withGovernor(function(c) {
+                                    return rateGoverned(c);
+                                }).withStoreProvider(createR2Backend(this.env.RESOURCES_BUCKET));
                                 // Extract options from initialData if present
                                 options = initialData === null || initialData === void 0 ? void 0 : initialData.options;
                                 initialState = initialData && !initialData.options ? initialData : {};
+                                // Persist run owner durably (immutable, not derived from events)
+                                this.storeRunOwner(currentUser.id);
                                 // Create abort controller for this run
                                 this.abortController = new AbortController();
                                 batchChunkAdapter = new BatchChunkAdapter(function(signal) {
@@ -1102,6 +1135,7 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                     batchChunkAdapter,
                                     timeoutAdapter
                                 ]).run(brainToRun, _object_spread_props(_object_spread({
+                                    currentUser: currentUser,
                                     initialState: initialState,
                                     brainRunId: brainRunId
                                 }, options && {
@@ -1131,7 +1165,7 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
    * This method reconstructs state and calls BrainRunner.resume().
    */ function wakeUp(brainRunId) {
                 return _async_to_generator(function() {
-                    var _this, sql, pendingTimeout, eventLoader, startEvent, brainTitle, initialState, originalBrainRunId, resolution, brainToRun, allEvents, machine, _iteratorNormalCompletion, _didIteratorError, _iteratorError, _iterator, _step, event, sqliteAdapter, eventStreamAdapter, monitorDOStub, monitorAdapter, scheduleAdapter, webhookAdapter, env, pagesService, r2Resources, runnerWithResources, signalProvider, batchChunkAdapter, timeoutAdapter;
+                    var _this, sql, pendingTimeout, eventLoader, startEvent, brainTitle, initialState, ownerId, currentUser, originalBrainRunId, resolution, brainToRun, allEvents, machine, _iteratorNormalCompletion, _didIteratorError, _iteratorError, _iterator, _step, event, sqliteAdapter, eventStreamAdapter, monitorDOStub, monitorAdapter, scheduleAdapter, webhookAdapter, env, pagesService, r2Resources, runnerWithResources, signalProvider, batchChunkAdapter, timeoutAdapter;
                     return _ts_generator(this, function(_state) {
                         switch(_state.label){
                             case 0:
@@ -1170,6 +1204,14 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                 }
                                 brainTitle = startEvent.brainTitle;
                                 initialState = startEvent.initialState || {};
+                                // Read run owner from durable storage (set once in start(), not from events)
+                                ownerId = this.getRunOwner();
+                                if (!ownerId) {
+                                    throw new Error("No run owner found for brain run ".concat(brainRunId));
+                                }
+                                currentUser = {
+                                    id: ownerId
+                                };
                                 // Use the brainRunId from the START event, not the parameter.
                                 // alarm() passes state.id.toString() (the DO hex ID), but the brain was
                                 // originally started with a UUID. Events must use the original UUID so
@@ -1233,6 +1275,7 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                 env = this.buildRuntimeEnv();
                                 // Create pages service for brain to use
                                 pagesService = createPagesService(brainRunId, this.env.RESOURCES_BUCKET, monitorDOStub, env);
+                                setGovernorBinding(this.env.GOVERNOR_DO);
                                 if (!brainRunner) {
                                     throw new Error('BrainRunner not initialized');
                                 }
@@ -1253,7 +1296,9 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                 signalProvider = new CloudflareSignalProvider(function(filter) {
                                     return _this.getAndConsumeSignals(filter);
                                 });
-                                runnerWithResources = runnerWithResources.withSignalProvider(signalProvider);
+                                runnerWithResources = runnerWithResources.withSignalProvider(signalProvider).withGovernor(function(c) {
+                                    return rateGoverned(c);
+                                }).withStoreProvider(createR2Backend(this.env.RESOURCES_BUCKET));
                                 // Create abort controller for this run
                                 this.abortController = new AbortController();
                                 batchChunkAdapter = new BatchChunkAdapter(function(signal) {
@@ -1276,6 +1321,7 @@ export var BrainRunnerDO = /*#__PURE__*/ function(DurableObject) {
                                     batchChunkAdapter,
                                     timeoutAdapter
                                 ]).resume(brainToRun, {
+                                    currentUser: currentUser,
                                     machine: machine,
                                     brainRunId: originalBrainRunId,
                                     signal: this.abortController.signal