@run402/functions 3.0.0 → 3.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth/errors.d.ts +30 -1
- package/dist/auth/errors.d.ts.map +1 -1
- package/dist/auth/errors.js +56 -0
- package/dist/auth/errors.js.map +1 -1
- package/dist/auth/index.d.ts +61 -3
- package/dist/auth/index.d.ts.map +1 -1
- package/dist/auth/index.js +399 -25
- package/dist/auth/index.js.map +1 -1
- package/dist/auth/types.d.ts +67 -0
- package/dist/auth/types.d.ts.map +1 -1
- package/dist/index.d.ts +3 -2
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -1
- package/dist/index.js.map +1 -1
- package/dist/lib/actor-context-verify.d.ts +17 -0
- package/dist/lib/actor-context-verify.d.ts.map +1 -1
- package/dist/lib/actor-context-verify.js +84 -5
- package/dist/lib/actor-context-verify.js.map +1 -1
- package/dist/runtime-context.d.ts +10 -1
- package/dist/runtime-context.d.ts.map +1 -1
- package/dist/runtime-context.js +47 -12
- package/dist/runtime-context.js.map +1 -1
- package/package.json +2 -2
package/dist/index.d.ts
CHANGED
|
@@ -2,8 +2,8 @@ export { db, adminDb, QueryBuilder } from "./db.js";
|
|
|
2
2
|
export { getUser, getUserId, getRole } from "./auth.js";
|
|
3
3
|
export type { User } from "./auth.js";
|
|
4
4
|
export { auth } from "./auth/index.js";
|
|
5
|
-
export type { Actor, IdentityProof } from "./auth/index.js";
|
|
6
|
-
export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, } from "./auth/index.js";
|
|
5
|
+
export type { Actor, IdentityProof, TenantUser, CreateResponseFromTenantAssertionOptions, AccountSecurity, Run402Identity, TenantAssertionRef, } from "./auth/index.js";
|
|
6
|
+
export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, InvalidCredentialsError, TenantSubjectInvalidError, RenamedExportError, } from "./auth/index.js";
|
|
7
7
|
export { getSession, currentUser, getCurrentUser, getServerSession } from "./auth/index.js";
|
|
8
8
|
export { email } from "./email.js";
|
|
9
9
|
export type { EmailSendOptions, EmailRawOptions, EmailTemplateOptions, EmailSendResult } from "./email.js";
|
|
@@ -22,4 +22,5 @@ export type { Cache, CacheInvalidateResult, InvalidatePrefixOptions, InvalidateA
|
|
|
22
22
|
export { CacheInvalidationHostRequiredError, CacheInvalidationHostForbiddenError, } from "./cache.js";
|
|
23
23
|
export { als, getCurrentContext, runWithContext, requireActiveContext, taintCacheBypass, withPaymentTaint, PAYMENT_PRIMITIVES, Run402OutsideRequestContextError, } from "./runtime-context.js";
|
|
24
24
|
export type { RunRequestContext } from "./runtime-context.js";
|
|
25
|
+
export { ensureActorContextKeysLoaded } from "./lib/actor-context-verify.js";
|
|
25
26
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQtC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACxD,YAAY,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAQtC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,YAAY,EACV,KAAK,EACL,aAAa,EACb,UAAU,EACV,wCAAwC,EACxC,eAAe,EACf,cAAc,EACd,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,EACzB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC3G,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAC7B,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,WAAW,EACX,gBAAgB,EAChB,eAAe,EACf,cAAc,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAIrC,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,YAAY,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAMlG,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AACjE,YAAY,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,QAAQ,EACR,eAAe,EACf,YAAY,EAEZ,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,gBAAgB,EAChB,cAAc,EACd,SAAS,GACV,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC5E,YAAY,EACV,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EACV,KAAK,EACL,qBAAqB,EACrB,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AAKpB,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAK9D,OAAO,EAAE,4BAA4B,EAAE,MAAM,+BAA+B,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -7,7 +7,7 @@ export { getUser, getUserId, getRole } from "./auth.js";
|
|
|
7
7
|
// `auth.identities.link(...)` are the only documented identity surfaces.
|
|
8
8
|
// See openspec/changes/auth-aware-ssr/specs/auth-sdk-namespace/spec.md.
|
|
9
9
|
export { auth } from "./auth/index.js";
|
|
10
|
-
export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, } from "./auth/index.js";
|
|
10
|
+
export { Run402AuthError, AuthRequiredError, InsufficientRoleError, InsufficientMembershipError, FreshnessRequiredError, FetchAbsoluteUrlError, PrerenderedError, UnknownExportError, SessionBridgeUnverifiedError, IdentityLinkConflictError, UnknownIdentityError, InvalidCredentialsError, TenantSubjectInvalidError, RenamedExportError, } from "./auth/index.js";
|
|
11
11
|
// Throwing-sentinel exports for the top legacy bare-name imports. These
|
|
12
12
|
// fire `R402_AUTH_UNKNOWN_EXPORT` at runtime with a structured fix-it,
|
|
13
13
|
// catching the case where `run402 doctor` and the ESLint rule didn't run
|
|
@@ -38,4 +38,9 @@ export { CacheInvalidationHostRequiredError, CacheInvalidationHostForbiddenError
|
|
|
38
38
|
// (in @run402/astro) uses `runWithContext` to establish the store; user
|
|
39
39
|
// code typically does not import these directly.
|
|
40
40
|
export { als, getCurrentContext, runWithContext, requireActiveContext, taintCacheBypass, withPaymentTaint, PAYMENT_PRIMITIVES, Run402OutsideRequestContextError, } from "./runtime-context.js";
|
|
41
|
+
// auth-hosted-surface-parity: the generated Lambda entry wrapper awaits this
|
|
42
|
+
// before resolving a cookie-derived actor. It fetches the gateway-only
|
|
43
|
+
// actor-context verify key once at cold start (the key is never in the
|
|
44
|
+
// tenant Lambda env). No-op in local dev / in-process gateway (key in env).
|
|
45
|
+
export { ensureActorContextKeysLoaded } from "./lib/actor-context-verify.js";
|
|
41
46
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGxD,qEAAqE;AACrE,4EAA4E;AAC5E,iEAAiE;AACjE,+DAA+D;AAC/D,yEAAyE;AACzE,wEAAwE;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGxD,qEAAqE;AACrE,4EAA4E;AAC5E,iEAAiE;AACjE,+DAA+D;AAC/D,yEAAyE;AACzE,wEAAwE;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAUvC,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,qBAAqB,EACrB,2BAA2B,EAC3B,sBAAsB,EACtB,qBAAqB,EACrB,gBAAgB,EAChB,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,yBAAyB,EACzB,kBAAkB,GACnB,MAAM,iBAAiB,CAAC;AACzB,wEAAwE;AACxE,uEAAuE;AACvE,yEAAyE;AACzE,yEAAyE;AACzE,8DAA8D;AAC9D,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAC5F,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAC;AAS7B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,qEAAqE;AACrE,yEAAyE;AACzE,8BAA8B;AAC9B,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,qEAAqE;AACrE,gEAAgE;AAChE,qEAAqE;AACrE,2EAA2E;AAC3E,2DAA2D;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAiBxD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAO5E,0CAA0C;AAC1C,mEAAmE;AACnE,2DAA2D;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,OAAO,EACL,kCAAkC,EAClC,mCAAmC,GACpC,MAAM,YAAY,CAAC;AACpB,wEAAwE;AACxE,yEAAyE;AACzE,wEAAwE;AACxE,iDAAiD;AACjD,OAAO,EACL,GAAG,EACH,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,GACjC,MAAM,sBAAsB,CAAC;AAE9B,6EAA6E;AAC7E,uEAAuE;AACvE,uEAAuE;AACvE,4EAA4E;AAC5E,OAAO,EAAE,4BAA4B,EAAE,MAAM,+BAA+B,CAAC"}
|
|
@@ -89,6 +89,23 @@ export type VerifyOutcome = {
|
|
|
89
89
|
ok: false;
|
|
90
90
|
reason: VerifyFailureReason;
|
|
91
91
|
};
|
|
92
|
+
/**
|
|
93
|
+
* Ensure the actor-context verify keys are available before a synchronous
|
|
94
|
+
* `verifyActorContextEnvelope` call. In production the key is NEVER injected
|
|
95
|
+
* into the tenant Lambda's environment (gateway-only secret — see the
|
|
96
|
+
* `functions.ts` INVARIANT comment); instead the runtime fetches it once,
|
|
97
|
+
* lazily, from the gateway's service-key-authed
|
|
98
|
+
* `GET /internal/v1/actor-context-keys` endpoint using the Lambda's
|
|
99
|
+
* `RUN402_SERVICE_KEY`. The key stays out of the static bundle (can't be
|
|
100
|
+
* grepped) and is cached only in this module's memory. Local dev and the
|
|
101
|
+
* in-process gateway have the key in env, so the fetch path is skipped.
|
|
102
|
+
*
|
|
103
|
+
* Failures are non-fatal: the request stays anonymous and a later request
|
|
104
|
+
* retries the fetch. Callers MUST await this before relying on a cookie-
|
|
105
|
+
* derived actor (the generated Lambda entry wrapper does so when the
|
|
106
|
+
* inbound request carries the actor-context header).
|
|
107
|
+
*/
|
|
108
|
+
export declare function ensureActorContextKeysLoaded(): Promise<void>;
|
|
92
109
|
/** Test injection. NEVER call from production code. */
|
|
93
110
|
export declare function _setActorContextKeyMapForTest(map: Record<string, Buffer | string> | null): void;
|
|
94
111
|
export declare function verifyActorContextEnvelope(encoded: string, ctx: VerifyRequestContext): VerifyOutcome;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"actor-context-verify.d.ts","sourceRoot":"","sources":["../../src/lib/actor-context-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAIH,eAAO,MAAM,8BAA8B,EAAG,CAAU,CAAC;AACzD,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAC3D,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,8BAA8B,KAAK,CAAC;AAEjD;kEACkE;AAClE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAE7D,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,CAAC,EAAE,CAAC,CAAC;IACL,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,oBAAoB,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,MAAM,MAAM,mBAAmB,GAC3B,WAAW,GACX,aAAa,GACb,eAAe,GACf,cAAc,GACd,cAAc,GACd,SAAS,GACT,mBAAmB,GACnB,qBAAqB,GACrB,qBAAqB,GACrB,iBAAiB,GACjB,eAAe,GACf,eAAe,GACf,kBAAkB,CAAC;AAEvB,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GACxC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,mBAAmB,CAAA;CAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"actor-context-verify.d.ts","sourceRoot":"","sources":["../../src/lib/actor-context-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAIH,eAAO,MAAM,8BAA8B,EAAG,CAAU,CAAC;AACzD,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAC3D,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,8BAA8B,KAAK,CAAC;AAEjD;kEACkE;AAClE,eAAO,MAAM,oBAAoB,2BAA2B,CAAC;AAE7D,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,CAAC,EAAE,CAAC,CAAC;IACL,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,GAAG,EAAE,OAAO,0BAA0B,CAAC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,oBAAoB,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ;AAED,MAAM,MAAM,mBAAmB,GAC3B,WAAW,GACX,aAAa,GACb,eAAe,GACf,cAAc,GACd,cAAc,GACd,SAAS,GACT,mBAAmB,GACnB,qBAAqB,GACrB,qBAAqB,GACrB,iBAAiB,GACjB,eAAe,GACf,eAAe,GACf,kBAAkB,CAAC;AAEvB,MAAM,MAAM,aAAa,GACrB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GACxC;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,mBAAmB,CAAA;CAAE,CAAC;AAsE/C;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,4BAA4B,IAAI,OAAO,CAAC,IAAI,CAAC,CAoBlE;AAwBD,uDAAuD;AACvD,wBAAgB,6BAA6B,CAC3C,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,IAAI,GAC1C,IAAI,CAeN;AAMD,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,oBAAoB,GACxB,aAAa,CA0Ef"}
|
|
@@ -54,10 +54,18 @@ export const ACTOR_CONTEXT_HEADER = "x-run402-actor-context";
|
|
|
54
54
|
// Key store (env-loaded, test-injectable)
|
|
55
55
|
// ---------------------------------------------------------------------------
|
|
56
56
|
const KEY_MIN_BYTES = 32;
|
|
57
|
+
/** The resolved verify-key map (env ∪ gateway-fetched ∪ test-injected).
|
|
58
|
+
* `null` until first resolve. Once populated with ≥1 key it is treated as
|
|
59
|
+
* authoritative and never re-fetched. */
|
|
57
60
|
let keyMap = null;
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
+
/** De-dupes concurrent cold-start fetches; cleared on completion so a
|
|
62
|
+
* failed fetch can be retried by the next request (rather than pinning the
|
|
63
|
+
* Lambda anonymous for its whole lifetime). */
|
|
64
|
+
let keyFetchInFlight = null;
|
|
65
|
+
/** Pure env read. Does NOT cache — `keyMap` is only set once we have keys,
|
|
66
|
+
* so an empty prod-Lambda env doesn't pin an empty map and block the
|
|
67
|
+
* gateway fetch fallback. */
|
|
68
|
+
function loadKeyMapFromEnv() {
|
|
61
69
|
const map = new Map();
|
|
62
70
|
const mapJson = process.env.ACTOR_CONTEXT_SIGNING_KEY_MAP_JSON;
|
|
63
71
|
if (mapJson) {
|
|
@@ -96,13 +104,84 @@ function loadKeyMap() {
|
|
|
96
104
|
if (buf.length >= KEY_MIN_BYTES)
|
|
97
105
|
map.set(kid, buf);
|
|
98
106
|
}
|
|
99
|
-
|
|
107
|
+
return map;
|
|
108
|
+
}
|
|
109
|
+
/** Sync accessor used by `verifyActorContextEnvelope`. Prefers the resolved
|
|
110
|
+
* `keyMap`; falls back to an env read so callers that have env keys (local
|
|
111
|
+
* dev, the in-process gateway) or that injected via the test helper work
|
|
112
|
+
* without an explicit `ensureActorContextKeysLoaded()`. */
|
|
113
|
+
function currentKeyMap() {
|
|
114
|
+
return keyMap ?? loadKeyMapFromEnv();
|
|
115
|
+
}
|
|
116
|
+
/**
|
|
117
|
+
* Ensure the actor-context verify keys are available before a synchronous
|
|
118
|
+
* `verifyActorContextEnvelope` call. In production the key is NEVER injected
|
|
119
|
+
* into the tenant Lambda's environment (gateway-only secret — see the
|
|
120
|
+
* `functions.ts` INVARIANT comment); instead the runtime fetches it once,
|
|
121
|
+
* lazily, from the gateway's service-key-authed
|
|
122
|
+
* `GET /internal/v1/actor-context-keys` endpoint using the Lambda's
|
|
123
|
+
* `RUN402_SERVICE_KEY`. The key stays out of the static bundle (can't be
|
|
124
|
+
* grepped) and is cached only in this module's memory. Local dev and the
|
|
125
|
+
* in-process gateway have the key in env, so the fetch path is skipped.
|
|
126
|
+
*
|
|
127
|
+
* Failures are non-fatal: the request stays anonymous and a later request
|
|
128
|
+
* retries the fetch. Callers MUST await this before relying on a cookie-
|
|
129
|
+
* derived actor (the generated Lambda entry wrapper does so when the
|
|
130
|
+
* inbound request carries the actor-context header).
|
|
131
|
+
*/
|
|
132
|
+
export async function ensureActorContextKeysLoaded() {
|
|
133
|
+
if (keyMap && keyMap.size > 0)
|
|
134
|
+
return;
|
|
135
|
+
const envMap = loadKeyMapFromEnv();
|
|
136
|
+
if (envMap.size > 0) {
|
|
137
|
+
keyMap = envMap;
|
|
138
|
+
return;
|
|
139
|
+
}
|
|
140
|
+
if (!keyFetchInFlight) {
|
|
141
|
+
keyFetchInFlight = fetchActorContextKeysFromGateway()
|
|
142
|
+
.then((fetched) => {
|
|
143
|
+
if (fetched.size > 0)
|
|
144
|
+
keyMap = fetched;
|
|
145
|
+
})
|
|
146
|
+
.catch(() => {
|
|
147
|
+
/* stay anonymous; next request retries */
|
|
148
|
+
})
|
|
149
|
+
.finally(() => {
|
|
150
|
+
keyFetchInFlight = null;
|
|
151
|
+
});
|
|
152
|
+
}
|
|
153
|
+
await keyFetchInFlight;
|
|
154
|
+
}
|
|
155
|
+
/** Fetch the verify-key map from the gateway. Returns an empty map (never
|
|
156
|
+
* throws to the caller's await) when the env is missing or the call fails. */
|
|
157
|
+
async function fetchActorContextKeysFromGateway() {
|
|
158
|
+
const map = new Map();
|
|
159
|
+
const base = process.env.RUN402_API_BASE;
|
|
160
|
+
const serviceKey = process.env.RUN402_SERVICE_KEY;
|
|
161
|
+
if (!base || !serviceKey)
|
|
162
|
+
return map;
|
|
163
|
+
const url = `${base.replace(/\/+$/, "")}/internal/v1/actor-context-keys`;
|
|
164
|
+
const res = await fetch(url, {
|
|
165
|
+
method: "GET",
|
|
166
|
+
headers: { Authorization: `Bearer ${serviceKey}` },
|
|
167
|
+
});
|
|
168
|
+
if (!res.ok)
|
|
169
|
+
return map;
|
|
170
|
+
const body = (await res.json());
|
|
171
|
+
for (const [kid, b64] of Object.entries(body.keys ?? {})) {
|
|
172
|
+
if (typeof b64 !== "string")
|
|
173
|
+
continue;
|
|
174
|
+
const buf = Buffer.from(b64, "base64");
|
|
175
|
+
if (buf.length >= KEY_MIN_BYTES)
|
|
176
|
+
map.set(kid, buf);
|
|
177
|
+
}
|
|
100
178
|
return map;
|
|
101
179
|
}
|
|
102
180
|
/** Test injection. NEVER call from production code. */
|
|
103
181
|
export function _setActorContextKeyMapForTest(map) {
|
|
104
182
|
if (map === null) {
|
|
105
183
|
keyMap = null;
|
|
184
|
+
keyFetchInFlight = null;
|
|
106
185
|
return;
|
|
107
186
|
}
|
|
108
187
|
const m = new Map();
|
|
@@ -148,7 +227,7 @@ export function verifyActorContextEnvelope(encoded, ctx) {
|
|
|
148
227
|
}
|
|
149
228
|
if (typeof envelope.kid !== "string")
|
|
150
229
|
return { ok: false, reason: "malformed" };
|
|
151
|
-
const key =
|
|
230
|
+
const key = currentKeyMap().get(envelope.kid);
|
|
152
231
|
if (!key)
|
|
153
232
|
return { ok: false, reason: "unknown_kid" };
|
|
154
233
|
const sigBuf = Buffer.from(sigB64, "base64url");
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"actor-context-verify.js","sourceRoot":"","sources":["../../src/lib/actor-context-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAU,CAAC;AACzD,MAAM,CAAC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC;AAC3D,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC;AACrE,MAAM,CAAC,MAAM,8BAA8B,GAAG,EAAE,CAAC;AAEjD;kEACkE;AAClE,MAAM,CAAC,MAAM,oBAAoB,GAAG,wBAAwB,CAAC;AAwD7D,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,aAAa,GAAG,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"actor-context-verify.js","sourceRoot":"","sources":["../../src/lib/actor-context-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAU,CAAC;AACzD,MAAM,CAAC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC;AAC3D,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC;AACrE,MAAM,CAAC,MAAM,8BAA8B,GAAG,EAAE,CAAC;AAEjD;kEACkE;AAClE,MAAM,CAAC,MAAM,oBAAoB,GAAG,wBAAwB,CAAC;AAwD7D,8EAA8E;AAC9E,0CAA0C;AAC1C,8EAA8E;AAE9E,MAAM,aAAa,GAAG,EAAE,CAAC;AAEzB;;0CAE0C;AAC1C,IAAI,MAAM,GAA+B,IAAI,CAAC;AAC9C;;gDAEgD;AAChD,IAAI,gBAAgB,GAAyB,IAAI,CAAC;AAElD;;8BAE8B;AAC9B,SAAS,iBAAiB;IACxB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEtC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC;IAC/D,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,yDAA0D,GAAa,CAAC,OAAO,EAAE,CAClF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QACD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAiC,CAAC,EAAE,CAAC;YAC3E,IAAI,OAAO,GAAG,KAAK,QAAQ;gBAAE,SAAS;YACtC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACvC,IAAI,GAAG,CAAC,MAAM,IAAI,aAAa;gBAAE,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QACzE,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IACE,OAAO,KAAK,uCAAuC;YACnD,OAAO,KAAK,oCAAoC,EAChD,CAAC;YACD,SAAS;QACX,CAAC;QACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpE,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACvD,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QAC3B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5C,IAAI,GAAG,CAAC,MAAM,IAAI,aAAa;YAAE,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;4DAG4D;AAC5D,SAAS,aAAa;IACpB,OAAO,MAAM,IAAI,iBAAiB,EAAE,CAAC;AACvC,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B;IAChD,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC;QAAE,OAAO;IACtC,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IACnC,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACpB,MAAM,GAAG,MAAM,CAAC;QAChB,OAAO;IACT,CAAC;IACD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,gBAAgB,GAAG,gCAAgC,EAAE;aAClD,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;YAChB,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC;gBAAE,MAAM,GAAG,OAAO,CAAC;QACzC,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE;YACV,0CAA0C;QAC5C,CAAC,CAAC;aACD,OAAO,CAAC,GAAG,EAAE;YACZ,gBAAgB,GAAG,IAAI,CAAC;QAC1B,CAAC,CAAC,CAAC;IACP,CAAC;IACD,MAAM,gBAAgB,CAAC;AACzB,CAAC;AAED;+EAC+E;AAC/E,KAAK,UAAU,gCAAgC;IAC7C,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IACzC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAClD,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU;QAAE,OAAO,GAAG,CAAC;IACrC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,iCAAiC,CAAC;IACzE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,UAAU,EAAE,EAAE;KACnD,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IACxB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAsC,CAAC;IACrE,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;QACzD,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,SAAS;QACtC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACvC,IAAI,GAAG,CAAC,MAAM,IAAI,aAAa;YAAE,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,6BAA6B,CAC3C,GAA2C;IAE3C,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACjB,MAAM,GAAG,IAAI,CAAC;QACd,gBAAgB,GAAG,IAAI,CAAC;QACxB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,GAAG,IAAI,GAAG,EAAkB,CAAC;IACpC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC1E,IAAI,GAAG,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,8BAA8B,GAAG,gBAAgB,CAAC,CAAC;QACrE,CAAC;QACD,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,CAAC,CAAC;AACb,CAAC;AAED,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B,CACxC,OAAe,EACf,GAAyB;IAEzB,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,QAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC5C,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAqB,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,IAAI,QAAQ,CAAC,CAAC,KAAK,8BAA8B,EAAE,CAAC;QAClD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,OAAO,QAAQ,CAAC,GAAG,KAAK,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAEhF,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAEtD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAChD,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAC9E,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IAED,IAAI,QAAQ,CAAC,GAAG,KAAK,0BAA0B,EAAE,CAAC;QAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC/C,CAAC;IACD,IAAI,QAAQ,CAAC,GAAG,KAAK,0BAA0B,EAAE,CAAC;QAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC;IAC/C,CAAC;IACD,IAAI,OAAO,QAAQ,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,QAAQ,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACzE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IACD,IAAI,QAAQ,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,GAAG,8BAA8B,EAAE,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACpD,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,GAAG,IAAI,MAAM;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAEpE,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,CAAC,SAAS,EAAE,CAAC;QAC1C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,CAAC,SAAS,EAAE,CAAC;QAC1C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACtD,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAClD,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrE,CAAC"}
|
|
@@ -65,6 +65,15 @@ export interface RunRequestContext {
|
|
|
65
65
|
* gateway-signed envelope. The SDK's `auth.user()` returns this
|
|
66
66
|
* verbatim; consumer code never sees the raw envelope. */
|
|
67
67
|
actor: ActorContext | null;
|
|
68
|
+
/** Capability `auth-hosted-surface-parity`: invocation class. For
|
|
69
|
+
* `"routed_http"` (browser SSR) the actor is resolved ONLY from the
|
|
70
|
+
* verified cookie envelope above — `auth.user()` does NOT fall back
|
|
71
|
+
* to decoding an `Authorization: Bearer` header, so the
|
|
72
|
+
* "cookie is the only browser actor input" invariant holds. For
|
|
73
|
+
* `"direct"` (machine / mobile / CI function invocation) the Bearer
|
|
74
|
+
* fallback is preserved. Defaults to `"direct"` when unset so
|
|
75
|
+
* pre-existing callers keep the machine contract. */
|
|
76
|
+
invocationKind: "routed_http" | "direct";
|
|
68
77
|
/** Mutable ref: SDK functions that read request-scoped auth or invoke
|
|
69
78
|
* payment primitives set `value = true`. The SSR Lambda runtime
|
|
70
79
|
* returns the final value to the gateway in the response metadata
|
|
@@ -98,7 +107,7 @@ export declare function getCurrentContext(): RunRequestContext | undefined;
|
|
|
98
107
|
* runtime) flips it to `false` after the response body is materialized.
|
|
99
108
|
* Don't call this from user code — it's the runtime's primitive.
|
|
100
109
|
*/
|
|
101
|
-
export declare function runWithContext<T>(context: Omit<RunRequestContext, "cacheBypassTainted" | "active" | "actor"> & Partial<Pick<RunRequestContext, "cacheBypassTainted" | "active" | "actor">>, callback: () => Promise<T> | T): Promise<T> | T;
|
|
110
|
+
export declare function runWithContext<T>(context: Omit<RunRequestContext, "cacheBypassTainted" | "active" | "actor" | "invocationKind"> & Partial<Pick<RunRequestContext, "cacheBypassTainted" | "active" | "actor" | "invocationKind">>, callback: () => Promise<T> | T): Promise<T> | T;
|
|
102
111
|
/**
|
|
103
112
|
* Throw a structured `R402_SDK_OUTSIDE_REQUEST_CONTEXT` error. Used by
|
|
104
113
|
* SDK functions when they're invoked with no ALS store OR while the
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runtime-context.d.ts","sourceRoot":"","sources":["../src/runtime-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAGL,KAAK,oBAAoB,EAE1B,MAAM,+BAA+B,CAAC;AAEvC;;;;2DAI2D;AAC3D,MAAM,MAAM,YAAY,GAAG,oBAAoB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC;AAExE;oCACoC;AACpC,MAAM,WAAW,iBAAiB;IAChC,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB;yBACqB;IACrB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB;qDACiD;IACjD,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;yDACqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb;;;uBAGmB;IACnB,OAAO,EAAE;QACP,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;KACxD,CAAC;IACF;;+DAE2D;IAC3D,KAAK,EAAE,YAAY,GAAG,IAAI,CAAC;IAC3B;;;oBAGgB;IAChB,kBAAkB,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IACvC;;;8CAG0C;IAC1C,MAAM,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;CAC5B;AAED;oEACoE;AACpE,eAAO,MAAM,GAAG,sCAA6C,CAAC;AAE9D;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,iBAAiB,GAAG,SAAS,CAEjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAC9B,OAAO,EAAE,IAAI,
|
|
1
|
+
{"version":3,"file":"runtime-context.d.ts","sourceRoot":"","sources":["../src/runtime-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAGL,KAAK,oBAAoB,EAE1B,MAAM,+BAA+B,CAAC;AAEvC;;;;2DAI2D;AAC3D,MAAM,MAAM,YAAY,GAAG,oBAAoB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC;AAExE;oCACoC;AACpC,MAAM,WAAW,iBAAiB;IAChC,4DAA4D;IAC5D,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB;yBACqB;IACrB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB;qDACiD;IACjD,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;yDACqD;IACrD,IAAI,EAAE,MAAM,CAAC;IACb;;;uBAGmB;IACnB,OAAO,EAAE;QACP,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;KACxD,CAAC;IACF;;+DAE2D;IAC3D,KAAK,EAAE,YAAY,GAAG,IAAI,CAAC;IAC3B;;;;;;;0DAOsD;IACtD,cAAc,EAAE,aAAa,GAAG,QAAQ,CAAC;IACzC;;;oBAGgB;IAChB,kBAAkB,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IACvC;;;8CAG0C;IAC1C,MAAM,EAAE;QAAE,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;CAC5B;AAED;oEACoE;AACpE,eAAO,MAAM,GAAG,sCAA6C,CAAC;AAE9D;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,iBAAiB,GAAG,SAAS,CAEjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAC9B,OAAO,EAAE,IAAI,CACX,iBAAiB,EACjB,oBAAoB,GAAG,QAAQ,GAAG,OAAO,GAAG,gBAAgB,CAC7D,GACC,OAAO,CACL,IAAI,CACF,iBAAiB,EACjB,oBAAoB,GAAG,QAAQ,GAAG,OAAO,GAAG,gBAAgB,CAC7D,CACF,EACH,QAAQ,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAC7B,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAoBhB;AAiGD;;;;;;;;;;;GAWG;AACH,qBAAa,gCAAiC,SAAQ,KAAK;IACzD,QAAQ,CAAC,IAAI,sCAAsC;IACnD,QAAQ,CAAC,IAAI,iEAAiE;IAC9E,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,YAAY,GAAG,kBAAkB,CAAC;gBAEtC,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,kBAAkB;CAc1E;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,iBAAiB,CAS3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAKvC;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,MAAM,CAUjD,CAAC;AAEH;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,SAAS,OAAO,EAAE,EAAE,OAAO,EAC/D,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,KAAK,KAAK,OAAO,GAChC,CAAC,GAAG,IAAI,EAAE,KAAK,KAAK,OAAO,CAe7B"}
|
package/dist/runtime-context.js
CHANGED
|
@@ -60,32 +60,54 @@ export function runWithContext(context, callback) {
|
|
|
60
60
|
const full = {
|
|
61
61
|
...context,
|
|
62
62
|
actor,
|
|
63
|
+
// Default to "direct" so pre-existing callers (and tests) keep the
|
|
64
|
+
// machine Bearer-fallback contract; the gateway's routed-HTTP path
|
|
65
|
+
// sets "routed_http" explicitly.
|
|
66
|
+
invocationKind: context.invocationKind ?? "direct",
|
|
63
67
|
cacheBypassTainted: context.cacheBypassTainted ?? { value: false },
|
|
64
68
|
active: context.active ?? { value: true },
|
|
65
69
|
};
|
|
66
70
|
return als.run(full, callback);
|
|
67
71
|
}
|
|
68
72
|
function verifyEnvelopeFromRequest(ctx) {
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
73
|
+
// `ctx.request.headers` is TYPED as a plain record, but the Lambda runtime
|
|
74
|
+
// and @run402/astro both pass a Web `Request` whose `.headers` is a Web
|
|
75
|
+
// `Headers` instance — read via `.get()` when present, falling back to
|
|
76
|
+
// record access for plain-object callers (tests / custom adapters). Bracket
|
|
77
|
+
// access on a Web `Headers` silently returns undefined, which is why the
|
|
78
|
+
// cookie-derived actor never surfaced in production.
|
|
79
|
+
const encoded = readRequestHeader(ctx.request.headers, ACTOR_CONTEXT_HEADER);
|
|
72
80
|
if (!encoded || typeof encoded !== "string")
|
|
73
81
|
return null;
|
|
74
|
-
// The
|
|
75
|
-
//
|
|
76
|
-
//
|
|
77
|
-
//
|
|
78
|
-
//
|
|
79
|
-
|
|
82
|
+
// The gateway binds the envelope to host + path (pathname, query stripped)
|
|
83
|
+
// + request id + method. In the Lambda runtime `ctx.request.url` is the
|
|
84
|
+
// ABSOLUTE URL (`new Request(event.url)`), and `ctx.host` / `ctx.requestId`
|
|
85
|
+
// are NOT populated on the routed-HTTP context — so recover host + pathname
|
|
86
|
+
// from the URL and the request id from the `x-run402-request-id` header the
|
|
87
|
+
// gateway sent alongside the envelope. Plain-object / path-only callers
|
|
88
|
+
// (tests) fall back to the raw url + the ctx fields.
|
|
89
|
+
let host = ctx.host;
|
|
90
|
+
let path = ctx.request.url;
|
|
91
|
+
try {
|
|
92
|
+
const parsed = new URL(ctx.request.url);
|
|
93
|
+
host = parsed.host;
|
|
94
|
+
path = parsed.pathname;
|
|
95
|
+
}
|
|
96
|
+
catch {
|
|
97
|
+
const q = path.indexOf("?");
|
|
98
|
+
if (q >= 0)
|
|
99
|
+
path = path.slice(0, q);
|
|
100
|
+
}
|
|
101
|
+
const requestId = readRequestHeader(ctx.request.headers, "x-run402-request-id") ?? ctx.requestId;
|
|
80
102
|
const outcome = verifyActorContextEnvelope(encoded, {
|
|
81
103
|
projectId: ctx.projectId,
|
|
82
|
-
requestId
|
|
104
|
+
requestId,
|
|
83
105
|
method: ctx.request.method,
|
|
84
|
-
host
|
|
106
|
+
host,
|
|
85
107
|
path,
|
|
86
108
|
});
|
|
87
109
|
if (!outcome.ok) {
|
|
88
|
-
logActorContextSpoof(outcome.reason,
|
|
110
|
+
logActorContextSpoof(outcome.reason, requestId);
|
|
89
111
|
return null;
|
|
90
112
|
}
|
|
91
113
|
return {
|
|
@@ -104,6 +126,19 @@ function verifyEnvelopeFromRequest(ctx) {
|
|
|
104
126
|
sessionId: outcome.envelope.request_id,
|
|
105
127
|
};
|
|
106
128
|
}
|
|
129
|
+
/** Read one header value from either a Web `Headers` instance (the Lambda
|
|
130
|
+
* runtime + @run402/astro pass a real `Request`) or a plain Node-style
|
|
131
|
+
* record (tests / custom adapters). `RunRequestContext.request.headers` is
|
|
132
|
+
* typed as a record, but the production callers pass `Headers` — so bracket
|
|
133
|
+
* access alone silently misses every header. Returns undefined when absent. */
|
|
134
|
+
function readRequestHeader(headers, name) {
|
|
135
|
+
const maybeHeaders = headers;
|
|
136
|
+
if (maybeHeaders && typeof maybeHeaders.get === "function") {
|
|
137
|
+
return maybeHeaders.get(name) ?? undefined;
|
|
138
|
+
}
|
|
139
|
+
const v = headers?.[name];
|
|
140
|
+
return Array.isArray(v) ? v[0] : v;
|
|
141
|
+
}
|
|
107
142
|
function logActorContextSpoof(reason, requestId) {
|
|
108
143
|
// Structured one-line log so observability can alert on rate. The
|
|
109
144
|
// SDK runs in Lambda; CloudWatch picks this up.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runtime-context.js","sourceRoot":"","sources":["../src/runtime-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EACL,0BAA0B,EAC1B,oBAAoB,GAGrB,MAAM,+BAA+B,CAAC;
|
|
1
|
+
{"version":3,"file":"runtime-context.js","sourceRoot":"","sources":["../src/runtime-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EACL,0BAA0B,EAC1B,oBAAoB,GAGrB,MAAM,+BAA+B,CAAC;AA2DvC;oEACoE;AACpE,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI,iBAAiB,EAAqB,CAAC;AAE9D;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC5B,OASG,EACH,QAA8B;IAE9B,yEAAyE;IACzE,yEAAyE;IACzE,0EAA0E;IAC1E,iEAAiE;IACjE,uEAAuE;IACvE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,KAAK,SAAS;QACvC,CAAC,CAAC,OAAO,CAAC,KAAK;QACf,CAAC,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,IAAI,GAAsB;QAC9B,GAAG,OAAO;QACV,KAAK;QACL,mEAAmE;QACnE,mEAAmE;QACnE,iCAAiC;QACjC,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,QAAQ;QAClD,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE;QAClE,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE;KAC1C,CAAC;IACF,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,yBAAyB,CAChC,GAA4E;IAE5E,2EAA2E;IAC3E,wEAAwE;IACxE,uEAAuE;IACvE,4EAA4E;IAC5E,yEAAyE;IACzE,qDAAqD;IACrD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;IAC7E,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEzD,2EAA2E;IAC3E,wEAAwE;IACxE,4EAA4E;IAC5E,4EAA4E;IAC5E,4EAA4E;IAC5E,wEAAwE;IACxE,qDAAqD;IACrD,IAAI,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IACpB,IAAI,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACnB,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,SAAS,GACb,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,qBAAqB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC;IAEjF,MAAM,OAAO,GAAG,0BAA0B,CAAC,OAAO,EAAE;QAClD,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS;QACT,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;QAC1B,IAAI;QACJ,IAAI;KACL,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,oBAAoB,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;QAC7B,KAAK,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK;QACnC,aAAa,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,aAAa;QACnD,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ;QACzC,GAAG,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG;QAC/B,QAAQ,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ;QACzC,YAAY,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,YAAY;QACjD,mEAAmE;QACnE,mEAAmE;QACnE,mEAAmE;QACnE,iEAAiE;QACjE,0DAA0D;QAC1D,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC,UAAU;KACvC,CAAC;AACJ,CAAC;AAED;;;;gFAIgF;AAChF,SAAS,iBAAiB,CACxB,OAAgD,EAChD,IAAY;IAEZ,MAAM,YAAY,GAAG,OAEpB,CAAC;IACF,IAAI,YAAY,IAAI,OAAO,YAAY,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC3D,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;IAC7C,CAAC;IACD,MAAM,CAAC,GAAI,OAAyD,EAAE,CAAC,IAAI,CAAC,CAAC;IAC7E,OAAO,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,oBAAoB,CAAC,MAA2B,EAAE,SAAiB;IAC1E,kEAAkE;IAClE,gDAAgD;IAChD,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CAAC;QACb,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,8BAA8B;QACrC,MAAM;QACN,UAAU,EAAE,SAAS;KACtB,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,gCAAiC,SAAQ,KAAK;IAChD,IAAI,GAAG,kCAAkC,CAAC;IAC1C,IAAI,GAAG,6DAA6D,CAAC;IACrE,YAAY,CAAS;IACrB,WAAW,CAAS;IACpB,KAAK,CAAoC;IAElD,YAAY,WAAmB,EAAE,KAAwC;QACvE,MAAM,QAAQ,GACZ,KAAK,KAAK,YAAY;YACpB,CAAC,CAAC,2EAA2E;YAC7E,CAAC,CAAC,sGAAsG,CAAC;QAC7G,KAAK,CAAC,GAAG,WAAW,KAAK,QAAQ,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,kCAAkC,CAAC;QAC/C,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,YAAY;YACf,KAAK,KAAK,YAAY;gBACpB,CAAC,CAAC,YAAY,WAAW,oIAAoI;gBAC7J,CAAC,CAAC,2BAA2B,WAAW,4HAA4H,CAAC;IAC3K,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB;IACtD,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC3B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,MAAM,IAAI,gCAAgC,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACtB,MAAM,IAAI,gCAAgC,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC3B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,GAAG,CAAC,kBAAkB,CAAC,KAAK,GAAG,IAAI,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;AAC7D,gEAAgE;AAChE,mEAAmE;AACnE,qEAAqE;AACrE,gBAAgB;AAChB,mEAAmE;AACnE,2BAA2B;AAC3B,wBAAwB;AACxB,qBAAqB;AACrB,wBAAwB;CACzB,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAAY,EACZ,IAAiC;IAEjC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,kEAAkE;QAClE,qEAAqE;QACrE,qEAAqE;QACrE,sCAAsC;QACtC,OAAO,CAAC,IAAI,CACV,8BAA8B,IAAI,kBAAkB,IAAI,kCAAkC;YACxF,kGAAkG,CACrG,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,GAAG,IAAW,EAAW,EAAE;QACjC,gBAAgB,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@run402/functions",
|
|
3
|
-
"version": "3.
|
|
3
|
+
"version": "3.2.0",
|
|
4
4
|
"description": "In-function helper library for Run402 serverless functions — db, adminDb, getUser, email, ai, assets, verifyWebhook. Auto-bundled into deployed functions; also installable for local TypeScript autocomplete.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
],
|
|
19
19
|
"scripts": {
|
|
20
20
|
"build": "tsc",
|
|
21
|
-
"test": "node --experimental-test-module-mocks --test --import tsx src/db.test.ts src/auth.test.ts src/ai.test.ts src/email.test.ts src/assets.test.ts src/routed-http.test.ts"
|
|
21
|
+
"test": "node --experimental-test-module-mocks --test --import tsx src/db.test.ts src/auth.test.ts src/auth/index.test.ts src/ai.test.ts src/email.test.ts src/assets.test.ts src/routed-http.test.ts src/request-context.test.ts src/runtime-context.test.ts src/lib/actor-context-verify.test.ts src/verify-webhook.test.ts"
|
|
22
22
|
},
|
|
23
23
|
"engines": {
|
|
24
24
|
"node": ">=18"
|