@rigkit/provider-freestyle 0.2.8 → 0.2.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigkit/provider-freestyle",
-  "version": "0.2.8",
+  "version": "0.2.10",
   "type": "module",
   "repository": {
     "type": "git",
@@ -17,16 +17,16 @@
   ],
   "dependencies": {
     "zod": "^4",
-    "@rigkit/sdk": "0.2.8",
-    "@rigkit/engine": "0.2.8",
-    "@rigkit/provider-cmux": "0.2.8"
+    "@rigkit/sdk": "0.2.10",
+    "@rigkit/engine": "0.2.10",
+    "@rigkit/provider-cmux": "0.2.10"
   },
   "peerDependencies": {
-    "freestyle": "^0.1.51"
+    "freestyle": "^0.1.52"
   },
   "devDependencies": {
     "@types/bun": "latest",
-    "freestyle": "^0.1.51",
+    "freestyle": "^0.1.52",
     "typescript": "latest"
   },
   "publishConfig": {

package/src/host-auth.test.ts

@@ -8,7 +8,7 @@ import type {
   WorkflowEvent,
 } from "@rigkit/engine";
 import { FREESTYLE_PROVIDER_ID, freestyle, freestyleProviderPlugin } from "./index.ts";
-import { createFreestyleProxyFetch } from "./host-auth.ts";
+import { createFreestyleProxyFetch, createFreestyleSdkFetch } from "./host-auth.ts";
 import type { FreestyleRuntime } from "./provider.ts";
 import { RIGKIT_PROVIDER_FREESTYLE_VERSION } from "./version.ts";
 
@@ -293,6 +293,102 @@ describe("Freestyle provider host auth", () => {
 });
 
 describe("Freestyle provider proxy fetch", () => {
+  test("logs a replayable API-key fetch with the Freestyle API key redacted", async () => {
+    const sdkFetch = createFreestyleSdkFetch(testFetch(async () =>
+      Response.json({
+        code: "INTERNAL_ERROR",
+        message: "Internal server error",
+      }, { status: 500, statusText: "Internal Server Error" })
+    ));
+
+    const messages = await captureConsoleError(async () => {
+      const response = await sdkFetch("https://api.freestyle.sh/v1/vms", {
+        method: "POST",
+        headers: {
+          Authorization: "Bearer real-api-key",
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          image: "ubuntu-24.04",
+          apiKey: "body-api-key",
+        }),
+      });
+      expect(response.status).toBe(500);
+      await response.text();
+    });
+
+    expect(messages).toHaveLength(1);
+    expect(messages[0]).toContain('await fetch("https://api.freestyle.sh/v1/vms", {');
+    expect(messages[0]).toContain('"Authorization": "Bearer <redacted FREESTYLE_API_KEY>"');
+    expect(messages[0]).toContain('"image": "ubuntu-24.04"');
+    expect(messages[0]).toContain('"apiKey": "[redacted]"');
+    expect(messages[0]).toContain('Response: 500 Internal Server Error');
+    expect(messages[0]).not.toContain("real-api-key");
+    expect(messages[0]).not.toContain("body-api-key");
+  });
+
+  test("logs the original replayable request when a background request fails through the proxy", async () => {
+    const proxyFetch = createFreestyleProxyFetch({
+      dashboardUrl: "https://dash.freestyle.sh",
+      accessToken: "stack-access-token",
+      teamId: "team_123",
+      fetch: testFetch(async (resource, init) => {
+        const url = resourceUrl(resource);
+        expect(url.href).toBe("https://dash.freestyle.sh/api/proxy/request");
+        const body = JSON.parse(String(init?.body));
+        if (body.data.path === "v1/vms") {
+          return Response.json({
+            requestId: "ri_test_123",
+            status: "pending",
+          });
+        }
+        if (body.data.path === "auth/v1/background-requests/ri_test_123") {
+          return Response.json({
+            code: "INTERNAL_ERROR",
+            message: "Internal server error",
+            accessToken: "should-redact",
+          }, { status: 500, statusText: "Internal Server Error" });
+        }
+        return Response.json({ error: "unexpected request", body }, { status: 500 });
+      }),
+    });
+
+    const first = await proxyFetch("https://api.freestyle.sh/v1/vms", {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer rigkit-browser-auth",
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        image: "ubuntu-24.04",
+      }),
+    });
+    expect(first.status).toBe(202);
+
+    const messages = await captureConsoleError(async () => {
+      const failed = await proxyFetch("https://api.freestyle.sh/auth/v1/background-requests/ri_test_123", {
+        method: "GET",
+        headers: {
+          Authorization: "Bearer rigkit-browser-auth",
+        },
+      });
+      expect(failed.status).toBe(500);
+      await failed.text();
+    });
+
+    expect(messages).toHaveLength(1);
+    expect(messages[0]).toContain("Freestyle background request ri_test_123 failed. Original API request:");
+    expect(messages[0]).toContain('await fetch("https://api.freestyle.sh/v1/vms", {');
+    expect(messages[0]).toContain('method: "POST"');
+    expect(messages[0]).toContain('"Authorization": "Bearer <redacted FREESTYLE_API_KEY>"');
+    expect(messages[0]).toContain('"image": "ubuntu-24.04"');
+    expect(messages[0]).toContain('Response: 500 Internal Server Error');
+    expect(messages[0]).toContain('"accessToken":"[redacted]"');
+    expect(messages[0]).not.toContain("stack-access-token");
+    expect(messages[0]).not.toContain("rigkit-browser-auth");
+    expect(messages[0]).not.toContain("should-redact");
+  });
+
   test("preserves Freestyle background request semantics through the browser-auth proxy", async () => {
     const proxyFetch = createFreestyleProxyFetch({
       dashboardUrl: "https://dash.freestyle.sh",
@@ -356,13 +452,16 @@ describe("Freestyle provider proxy fetch", () => {
       ),
     });
 
-    const response = await proxyFetch("https://api.freestyle.sh/v1/vms", {
-      method: "POST",
-      body: "{}",
+    let response: Response | undefined;
+    await captureConsoleError(async () => {
+      response = await proxyFetch("https://api.freestyle.sh/v1/vms", {
+        method: "POST",
+        body: "{}",
+      });
     });
 
-    expect(response.status).toBe(500);
-    await expect(response.json()).resolves.toEqual({
+    expect(response?.status).toBe(500);
+    await expect(response?.json()).resolves.toEqual({
       code: "INTERNAL_ERROR",
       message: "VM setup failed",
       details: {
@@ -389,10 +488,13 @@ describe("Freestyle provider proxy fetch", () => {
       ),
     });
 
-    const response = await proxyFetch("https://api.freestyle.sh/v1/vms");
+    let response: Response | undefined;
+    await captureConsoleError(async () => {
+      response = await proxyFetch("https://api.freestyle.sh/v1/vms");
+    });
 
-    expect(response.status).toBe(500);
-    await expect(response.json()).resolves.toEqual({
+    expect(response?.status).toBe(500);
+    await expect(response?.json()).resolves.toEqual({
       code: "INTERNAL_ERROR",
       message: "Internal server error",
       requestId: "req_123",
@@ -475,6 +577,20 @@ function resourceUrl(resource: Parameters<typeof fetch>[0]): URL {
   return new URL(resource.url);
 }
 
+async function captureConsoleError(action: () => Promise<void>): Promise<string[]> {
+  const previous = console.error;
+  const messages: string[] = [];
+  console.error = (...args: unknown[]) => {
+    messages.push(args.map((arg) => String(arg)).join(" "));
+  };
+  try {
+    await action();
+  } finally {
+    console.error = previous;
+  }
+  return messages;
+}
+
 function setEnv(name: string, value: string | undefined): void {
   if (value === undefined) {
     delete process.env[name];

package/src/host-auth.ts

@@ -8,6 +8,7 @@ import { RIGKIT_PROVIDER_FREESTYLE_VERSION } from "./version.ts";
 
 const DEFAULT_STACK_API_URL = "https://api.stack-auth.com";
 const DEFAULT_STACK_APP_URL = "https://dash.freestyle.sh";
+const DEFAULT_FREESTYLE_API_URL = "https://api.freestyle.sh";
 const DEFAULT_STACK_PROJECT_ID = "0edf478c-f123-46fb-818f-34c0024a9f35";
 const DEFAULT_STACK_PUBLISHABLE_CLIENT_KEY = "pck_h2aft7g9pqjzrkdnzs199h1may5wjtdtdxeex7m2wzp1r";
 const DEFAULT_CLI_AUTH_TIMEOUT_MILLIS = 10 * 60 * 1000;
@@ -112,10 +113,15 @@ export function createFreestyleProxyFetch(input: {
 }): typeof fetch {
   const fetchFn = input.fetch ?? globalThis.fetch;
   const dashboardUrl = trimTrailingSlash(input.dashboardUrl);
+  const backgroundRequests = new Map<string, string>();
 
   const proxyFetch = async (resource: Parameters<typeof fetch>[0], init?: Parameters<typeof fetch>[1]) => {
     const url = resourceUrl(resource);
     const path = `${url.pathname}${url.search}`.replace(/^\/+/, "");
+    const freestyleRequestInit: RequestInit = {
+      ...init,
+      headers: withRigkitHeaders(init?.headers),
+    };
     const proxyResponse = await fetchFn(`${dashboardUrl}/api/proxy/request`, {
       method: "POST",
       headers: withRigkitHeaders({
@@ -126,8 +132,8 @@ export function createFreestyleProxyFetch(input: {
           accessToken: input.accessToken,
           teamId: input.teamId,
           path,
-          method: init?.method ?? "GET",
-          headers: Object.fromEntries(withRigkitHeaders(init?.headers).entries()),
+          method: resolveRequestMethod(resource, init),
+          headers: Object.fromEntries(new Headers(freestyleRequestInit.headers).entries()),
           body: init?.body ? String(init.body) : undefined,
         },
       }),
@@ -135,6 +141,13 @@ export function createFreestyleProxyFetch(input: {
 
     if (!proxyResponse.ok) {
       const errorText = await proxyResponse.text();
+      await logFreestyleApiRequestFailure({
+        backgroundRequests,
+        resource,
+        init: freestyleRequestInit,
+        response: proxyResponse,
+        responseText: errorText,
+      });
       const normalized = normalizeProxyError(errorText, proxyResponse.status);
       return new Response(normalized.body, {
         status: proxyResponse.status,
@@ -146,6 +159,9 @@ export function createFreestyleProxyFetch(input: {
     const data = await proxyResponse.json();
     if (isBackgroundRequestPending(data)) {
       const requestId = backgroundRequestId(data);
+      if (requestId) {
+        backgroundRequests.set(requestId, formatReplayableFetchRequest(resource, freestyleRequestInit));
+      }
       return Response.json(data, {
         status: 202,
         headers: {
@@ -162,11 +178,24 @@ export function createFreestyleProxyFetch(input: {
 }
 
 export function createFreestyleSdkFetch(fetchFn: typeof fetch = globalThis.fetch): typeof fetch {
-  const rigkitFetch = (async (resource, init) =>
-    await fetchFn(resource, {
+  const backgroundRequests = new Map<string, string>();
+  const rigkitFetch = (async (resource, init) => {
+    const requestInit: RequestInit = {
       ...init,
       headers: withRigkitHeaders(init?.headers),
-    })) as typeof fetch;
+    };
+    const response = await fetchFn(resource, requestInit);
+    await rememberBackgroundRequest(backgroundRequests, resource, requestInit, response);
+    if (!response.ok) {
+      await logFreestyleApiRequestFailure({
+        backgroundRequests,
+        resource,
+        init: requestInit,
+        response,
+      });
+    }
+    return response;
+  }) as typeof fetch;
   return Object.assign(rigkitFetch, {
     preconnect: fetchFn.preconnect?.bind(fetchFn) ?? (() => {}),
   }) as typeof fetch;
@@ -269,6 +298,162 @@ function withRigkitHeaders(headers: HeadersInit | undefined): Headers {
   return next;
 }
 
+async function rememberBackgroundRequest(
+  backgroundRequests: Map<string, string>,
+  resource: Parameters<typeof fetch>[0],
+  init: RequestInit,
+  response: Response,
+): Promise<void> {
+  if (response.status !== 202) return;
+  const requestId = await responseBackgroundRequestId(response);
+  if (!requestId) return;
+  backgroundRequests.set(requestId, formatReplayableFetchRequest(resource, init));
+}
+
+async function logFreestyleApiRequestFailure(input: {
+  backgroundRequests: Map<string, string>;
+  resource: Parameters<typeof fetch>[0];
+  init: RequestInit;
+  response: Response;
+  responseText?: string;
+}): Promise<void> {
+  if (isFreestyleBackgroundLogRequest(input.resource)) return;
+
+  const requestId = backgroundRequestIdFromResource(input.resource);
+  const replayRequest = requestId ? input.backgroundRequests.get(requestId) : undefined;
+  const responseSummary = await formatResponseSummary(input.response, input.responseText);
+  const heading = requestId
+    ? `Freestyle background request ${requestId} failed. Original API request:`
+    : "Freestyle API request failed. Replay request:";
+  const request = replayRequest ?? formatReplayableFetchRequest(input.resource, input.init);
+  console.error(`${heading}\n${request}\n${responseSummary}`);
+}
+
+async function responseBackgroundRequestId(response: Response): Promise<string | undefined> {
+  const header = response.headers.get("x-freestyle-background-request-id");
+  if (header) return header;
+  const data = await response.clone().json().catch(() => undefined);
+  return backgroundRequestId(data);
+}
+
+function backgroundRequestIdFromResource(resource: Parameters<typeof fetch>[0]): string | undefined {
+  const path = resourceUrl(resource).pathname;
+  const match = path.match(/\/auth\/v1\/background-requests\/([^/]+)$/);
+  return match?.[1] ? decodeURIComponent(match[1]) : undefined;
+}
+
+function isFreestyleBackgroundLogRequest(resource: Parameters<typeof fetch>[0]): boolean {
+  return resourceUrl(resource).pathname === "/observability/v1/logs";
+}
+
+async function formatResponseSummary(response: Response, responseText?: string): Promise<string> {
+  const text = responseText ?? await response.clone().text().catch(() => "");
+  const status = [response.status, response.statusText].filter(Boolean).join(" ");
+  const redactedBody = formatRedactedResponseBody(text);
+  return [
+    `Response: ${status}`,
+    ...(redactedBody ? [`Response body: ${redactedBody}`] : []),
+  ].join("\n");
+}
+
+function formatRedactedResponseBody(text: string): string | undefined {
+  if (!text) return undefined;
+  try {
+    return JSON.stringify(redactSensitiveFields(JSON.parse(text)));
+  } catch {
+    return text;
+  }
+}
+
+function formatReplayableFetchRequest(resource: Parameters<typeof fetch>[0], init: RequestInit): string {
+  const lines = [
+    `await fetch(${JSON.stringify(resourceUrl(resource).href)}, {`,
+    `  method: ${JSON.stringify(resolveRequestMethod(resource, init))},`,
+  ];
+  const headers = replayableHeaders(resource, init);
+  if (Object.keys(headers).length > 0) {
+    lines.push(`  headers: ${indentContinuation(JSON.stringify(headers, null, 2), 2)},`);
+  }
+  const body = replayableBody(init.body);
+  if (body) {
+    lines.push(`  body: ${indentContinuation(body, 2)},`);
+  }
+  lines.push("});");
+  return lines.join("\n");
+}
+
+function replayableHeaders(resource: Parameters<typeof fetch>[0], init: RequestInit): Record<string, string> {
+  const headers = resource instanceof Request ? new Headers(resource.headers) : new Headers();
+  new Headers(init.headers).forEach((value, key) => {
+    headers.set(key, value);
+  });
+  const result: Record<string, string> = {};
+  headers.forEach((value, key) => {
+    result[displayHeaderName(key)] = redactHeaderValue(key, value);
+  });
+  return result;
+}
+
+function resolveRequestMethod(resource: Parameters<typeof fetch>[0], init?: RequestInit): string {
+  return init?.method ?? (resource instanceof Request ? resource.method : "GET");
+}
+
+function replayableBody(body: BodyInit | null | undefined): string | undefined {
+  if (body === undefined || body === null) return undefined;
+  if (typeof body === "string") {
+    try {
+      const parsed = JSON.parse(body) as unknown;
+      return `JSON.stringify(${JSON.stringify(redactSensitiveFields(parsed), null, 2)})`;
+    } catch {
+      return JSON.stringify(body);
+    }
+  }
+  if (body instanceof URLSearchParams) {
+    return `new URLSearchParams(${JSON.stringify(body.toString())})`;
+  }
+  return JSON.stringify(String(body));
+}
+
+function indentContinuation(value: string, spaces: number): string {
+  const lines = value.split("\n");
+  const indent = " ".repeat(spaces);
+  return [lines[0], ...lines.slice(1).map((line) => `${indent}${line}`)].join("\n");
+}
+
+function displayHeaderName(name: string): string {
+  const normalized = name.toLowerCase();
+  return {
+    authorization: "Authorization",
+    "content-type": "Content-Type",
+    "user-agent": "User-Agent",
+    "x-freestyle-identity-access-token": "X-Freestyle-Identity-Access-Token",
+    [RIGKIT_HEADER]: RIGKIT_HEADER,
+    [RIGKIT_VERSION_HEADER]: RIGKIT_VERSION_HEADER,
+  }[normalized] ?? name;
+}
+
+function redactHeaderValue(name: string, value: string): string {
+  if (name.toLowerCase() === "authorization" && /^Bearer\s+/i.test(value)) {
+    return "Bearer <redacted FREESTYLE_API_KEY>";
+  }
+  return isSensitiveFieldName(name) ? "[redacted]" : value;
+}
+
+function redactSensitiveFields(value: unknown): unknown {
+  if (Array.isArray(value)) return value.map(redactSensitiveFields);
+  if (!value || typeof value !== "object") return value;
+  const next: Record<string, unknown> = {};
+  for (const [key, field] of Object.entries(value)) {
+    next[key] = isSensitiveFieldName(key) ? "[redacted]" : redactSensitiveFields(field);
+  }
+  return next;
+}
+
+function isSensitiveFieldName(name: string): boolean {
+  return /authorization|api[-_]?key|access[-_]?token|refresh[-_]?token|password|secret|credential|cookie/i
+    .test(name);
+}
+
 async function resolveStackAccessToken(input: {
   config: StackAuthConfig;
   storage: ProviderStorage;
@@ -512,7 +697,7 @@ function saveStackAuthState(storage: ProviderStorage, key: string, state: StackA
 }
 
 function resourceUrl(resource: Parameters<typeof fetch>[0]): URL {
-  if (typeof resource === "string") return new URL(resource);
+  if (typeof resource === "string") return new URL(resource, DEFAULT_FREESTYLE_API_URL);
   if (resource instanceof URL) return resource;
   return new URL(resource.url);
 }

package/src/version.ts

@@ -1 +1 @@
-export const RIGKIT_PROVIDER_FREESTYLE_VERSION = "0.2.8";
+export const RIGKIT_PROVIDER_FREESTYLE_VERSION = "0.2.10";