@secondlayer/cli 3.1.2-alpha.0 → 3.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@secondlayer/cli",
-	"version": "3.1.2-alpha.0",
+	"version": "3.2.0",
 	"description": "CLI for subgraphs and blockchain indexing on Stacks",
 	"type": "module",
 	"bin": {
@@ -42,11 +42,11 @@
 	"license": "MIT",
 	"dependencies": {
 		"@inquirer/prompts": "^8.2.0",
-		"@secondlayer/bundler": "^0.3.1-alpha.0",
-		"@secondlayer/sdk": "^3.0.0-alpha.0",
-		"@secondlayer/shared": "^3.0.0-alpha.0",
-		"@secondlayer/stacks": "^1.0.0-alpha.0",
-		"@secondlayer/subgraphs": "^1.0.0-alpha.0",
+		"@secondlayer/bundler": "^0.3.1",
+		"@secondlayer/sdk": "^3.0.0",
+		"@secondlayer/shared": "^3.0.0",
+		"@secondlayer/stacks": "^1.0.0",
+		"@secondlayer/subgraphs": "^1.0.0",
 		"@biomejs/js-api": "^0.7.0",
 		"@biomejs/wasm-nodejs": "^1.9.0",
 		"esbuild": "^0.19.0",

package/templates/subscriptions/cloudflare/README.md

@@ -0,0 +1,39 @@
+# {{NAME}} — Cloudflare Workflows subscription receiver
+
+A Cloudflare Workflow triggered by a Secondlayer subscription via the
+`workflows/instances` REST API.
+
+## Run
+
+```bash
+bun install
+npx wrangler login
+npx wrangler dev
+```
+
+`wrangler dev` spins up a local runtime. Your subscription URL should
+point at Cloudflare's API:
+
+```
+https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/workflows/{{NAME}}/instances
+```
+
+With `auth_config`:
+
+```json
+{ "authType": "bearer", "token": "<CF_API_TOKEN>" }
+```
+
+The token must have `Workflows: Edit` scope.
+
+## Signature verification
+
+Cloudflare authenticates the API call with the bearer token. Inside your
+workflow the `event.payload.params._outboxId` is a stable dedup key if
+you want idempotent replay handling.
+
+## Deploy
+
+```bash
+npx wrangler deploy
+```

package/templates/subscriptions/cloudflare/package.json

@@ -0,0 +1,15 @@
+{
+	"name": "{{NAME}}",
+	"version": "0.1.0",
+	"private": true,
+	"scripts": {
+		"dev": "wrangler dev",
+		"deploy": "wrangler deploy",
+		"types": "wrangler types"
+	},
+	"devDependencies": {
+		"@cloudflare/workers-types": "^4.20250101.0",
+		"typescript": "^5",
+		"wrangler": "^4.0.0"
+	}
+}

package/templates/subscriptions/cloudflare/src/index.ts

@@ -0,0 +1,34 @@
+import {
+	WorkflowEntrypoint,
+	type WorkflowEvent,
+	type WorkflowStep,
+} from "cloudflare:workers";
+
+interface Params {
+	_type: string;
+	_outboxId: string;
+	[k: string]: unknown;
+}
+
+export class OnSubgraphEvent extends WorkflowEntrypoint<Env, Params> {
+	async run(event: WorkflowEvent<Params>, step: WorkflowStep): Promise<void> {
+		const params = event.payload;
+		await step.do("handle", async () => {
+			console.log("[subgraph event]", params._type, params);
+			// TODO: plug in your business logic.
+			return { ok: true };
+		});
+	}
+}
+
+interface Env {
+	MY_WORKFLOW: Workflow<Params>;
+}
+
+export default {
+	async fetch(_req: Request): Promise<Response> {
+		return new Response(
+			"This worker is a Workflow receiver — trigger it via the Cloudflare API.",
+		);
+	},
+};

package/templates/subscriptions/cloudflare/tsconfig.json

@@ -0,0 +1,10 @@
+{
+	"compilerOptions": {
+		"target": "ES2022",
+		"module": "ESNext",
+		"moduleResolution": "bundler",
+		"strict": true,
+		"skipLibCheck": true,
+		"types": ["@cloudflare/workers-types"]
+	}
+}

package/templates/subscriptions/cloudflare/wrangler.toml

@@ -0,0 +1,8 @@
+name = "{{NAME}}"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+
+[[workflows]]
+name = "{{NAME}}"
+binding = "MY_WORKFLOW"
+class_name = "OnSubgraphEvent"

package/templates/subscriptions/inngest/README.md

@@ -0,0 +1,29 @@
+# {{NAME}} — Inngest subscription receiver
+
+Inngest Dev Server with a function wired to `{{EVENT_NAME}}`. Events come
+from your Secondlayer subscription — Inngest handles retries, concurrency,
+and durable execution.
+
+## Run
+
+```bash
+bun install
+bun run dev
+```
+
+This starts the Inngest dev UI at `http://localhost:8288`. Point your
+subscription URL at the Inngest event endpoint shown in the dev UI
+(typically `http://localhost:8288/e/{eventKey}` for local, or the hosted
+`https://inn.gs/e/{eventKey}` endpoint for cloud).
+
+## Signature verification
+
+Inngest uses its own event key auth — there's no HMAC to verify. The event
+key in the URL IS the auth token. For self-hosted Inngest add an ingress
+allowlist so only the Secondlayer emitter can post.
+
+## Deploy
+
+- **Inngest Cloud**: create an app at https://inngest.com, copy the event
+  key, and set it in the subscription URL: `https://inn.gs/e/{EVENT_KEY}`.
+- **Self-host**: see https://www.inngest.com/docs/self-hosting

package/templates/subscriptions/inngest/package.json

@@ -0,0 +1,18 @@
+{
+	"name": "{{NAME}}",
+	"version": "0.1.0",
+	"private": true,
+	"type": "module",
+	"scripts": {
+		"dev": "npx inngest-cli@latest dev",
+		"start": "bun --hot src/server.ts"
+	},
+	"dependencies": {
+		"hono": "^4.6.0",
+		"inngest": "^3.27.0"
+	},
+	"devDependencies": {
+		"@types/bun": "latest",
+		"typescript": "^5"
+	}
+}

package/templates/subscriptions/inngest/src/inngest.ts

@@ -0,0 +1,19 @@
+import { Inngest } from "inngest";
+
+export const inngest = new Inngest({
+	id: "{{NAME}}",
+});
+
+export const onSubgraphEvent = inngest.createFunction(
+	{ id: "on-subgraph-event", name: "On Subgraph Event" },
+	{ event: "{{EVENT_NAME}}" },
+	async ({ event, step }) => {
+		// `event.data` is the row payload delivered by Secondlayer.
+		const row = event.data as Record<string, unknown>;
+		await step.run("handle", async () => {
+			console.log("[subgraph event]", event.name, row);
+			// TODO: plug in your business logic — AI SDK, HTTP, DB writes, etc.
+			return { ok: true };
+		});
+	},
+);

package/templates/subscriptions/inngest/src/server.ts

@@ -0,0 +1,14 @@
+import { serve } from "inngest/hono";
+import { Hono } from "hono";
+import { inngest, onSubgraphEvent } from "./inngest.ts";
+
+const app = new Hono();
+app.on(
+	["GET", "POST", "PUT"],
+	"/api/inngest",
+	serve({ client: inngest, functions: [onSubgraphEvent] }),
+);
+
+const PORT = Number.parseInt(process.env.PORT ?? "3000", 10);
+Bun.serve({ port: PORT, fetch: app.fetch });
+console.log(`{{NAME}} (Inngest host) listening on :${PORT}`);

package/templates/subscriptions/inngest/tsconfig.json

@@ -0,0 +1,11 @@
+{
+	"compilerOptions": {
+		"target": "ES2022",
+		"module": "ESNext",
+		"moduleResolution": "bundler",
+		"strict": true,
+		"esModuleInterop": true,
+		"skipLibCheck": true,
+		"types": ["bun-types"]
+	}
+}

package/templates/subscriptions/node/.env.example

@@ -0,0 +1,2 @@
+SIGNING_SECRET=
+PORT=3000

package/templates/subscriptions/node/README.md

@@ -0,0 +1,34 @@
+# {{NAME}} — Node.js subscription receiver
+
+Hono HTTP server that verifies Standard Webhooks signatures and routes events
+to your business logic. No framework lock-in.
+
+## Run
+
+```bash
+bun install
+cp .env.example .env   # paste the signingSecret you copied on create
+bun run dev
+```
+
+The server listens on `:3000`. Your subscription's URL should point at
+`http://<host>:3000/webhook`.
+
+## Signature verification
+
+Every request is verified before your handler runs. Forged requests return
+`401`. The logic lives in `src/index.ts`; swap `@secondlayer/shared` for the
+[Svix verify library](https://docs.standardwebhooks.com/libraries) if you
+want to decouple from `@secondlayer/shared`:
+
+```ts
+import { Webhook } from "standardwebhooks";
+const wh = new Webhook(process.env.SIGNING_SECRET!);
+const event = wh.verify(body, headers);
+```
+
+## Deploy
+
+Fly.io, Render, Railway, your own VM — anywhere that can run `bun` works.
+Expose port 3000, set `SIGNING_SECRET`, point the subscription URL at the
+public hostname.

package/templates/subscriptions/node/package.json

@@ -0,0 +1,18 @@
+{
+	"name": "{{NAME}}",
+	"version": "0.1.0",
+	"private": true,
+	"type": "module",
+	"scripts": {
+		"dev": "bun --hot src/index.ts",
+		"start": "bun src/index.ts"
+	},
+	"dependencies": {
+		"@secondlayer/shared": "^3.0.0-beta.0",
+		"hono": "^4.6.0"
+	},
+	"devDependencies": {
+		"@types/bun": "latest",
+		"typescript": "^5"
+	}
+}

package/templates/subscriptions/node/src/index.ts

@@ -0,0 +1,50 @@
+import { verify } from "@secondlayer/shared/crypto/standard-webhooks";
+import { Hono } from "hono";
+
+/**
+ * Minimal Standard Webhooks receiver.
+ *
+ * The signing secret was shown ONCE when you ran `sl create subscription`.
+ * If you lost it, rotate it from the dashboard: `/subscriptions/<id>` → rotate.
+ */
+
+const SIGNING_SECRET = process.env.SIGNING_SECRET;
+if (!SIGNING_SECRET) {
+	console.error("SIGNING_SECRET not set. Copy .env.example → .env and fill it in.");
+	process.exit(1);
+}
+
+const app = new Hono();
+
+interface SubgraphEvent {
+	type: string;
+	timestamp: string;
+	data: Record<string, unknown>;
+}
+
+app.post("/webhook", async (c) => {
+	const body = await c.req.text();
+	const headers: Record<string, string> = {};
+	c.req.raw.headers.forEach((v, k) => {
+		headers[k.toLowerCase()] = v;
+	});
+
+	if (!verify(body, headers, SIGNING_SECRET)) {
+		console.warn("signature verification failed");
+		return c.text("unauthorized", 401);
+	}
+
+	const event = JSON.parse(body) as SubgraphEvent;
+	await onEvent(event);
+	return c.text("ok", 200);
+});
+
+async function onEvent(event: SubgraphEvent): Promise<void> {
+	// TODO: plug in your business logic. `event.type` is
+	// `<subgraph>.<table>.created`; `event.data` is the row payload.
+	console.log("[event]", event.type, event.data);
+}
+
+const PORT = Number.parseInt(process.env.PORT ?? "3000", 10);
+Bun.serve({ port: PORT, fetch: app.fetch });
+console.log(`{{NAME}} listening on :${PORT}`);

package/templates/subscriptions/node/tsconfig.json

@@ -0,0 +1,11 @@
+{
+	"compilerOptions": {
+		"target": "ES2022",
+		"module": "ESNext",
+		"moduleResolution": "bundler",
+		"strict": true,
+		"esModuleInterop": true,
+		"skipLibCheck": true,
+		"types": ["bun-types"]
+	}
+}

package/templates/subscriptions/trigger/README.md

@@ -0,0 +1,35 @@
+# {{NAME}} — Trigger.dev subscription receiver
+
+A Trigger.dev v3 task that receives subgraph events via the
+`{task}/trigger` HTTP API.
+
+## Run
+
+```bash
+bun install
+npx trigger.dev@latest init      # follow prompts
+bun run dev
+```
+
+The Trigger CLI provisions a project and shows the task endpoint URL. Your
+Secondlayer subscription URL should point at:
+
+```
+https://api.trigger.dev/api/v1/tasks/{{TASK_ID}}/trigger
+```
+
+Set the `TRIGGER_SECRET_KEY` on the subscription via `auth_config`:
+
+```json
+{ "authType": "bearer", "token": "tr_secret_abc..." }
+```
+
+## Signature verification
+
+Trigger authenticates requests with the bearer token — there's no separate
+HMAC. Your secret IS the auth. Rotate via the Trigger dashboard when
+needed.
+
+## Deploy
+
+Run `npx trigger.dev deploy` to push to Trigger Cloud.

package/templates/subscriptions/trigger/package.json

@@ -0,0 +1,17 @@
+{
+	"name": "{{NAME}}",
+	"version": "0.1.0",
+	"private": true,
+	"type": "module",
+	"scripts": {
+		"dev": "npx trigger.dev@latest dev",
+		"deploy": "npx trigger.dev@latest deploy"
+	},
+	"dependencies": {
+		"@trigger.dev/sdk": "^3.3.0"
+	},
+	"devDependencies": {
+		"@types/bun": "latest",
+		"typescript": "^5"
+	}
+}

package/templates/subscriptions/trigger/src/tasks/subgraph-event.ts

@@ -0,0 +1,15 @@
+import { task } from "@trigger.dev/sdk/v3";
+
+/**
+ * Task triggered by a Secondlayer subscription. The Secondlayer emitter
+ * POSTs to this task's HTTP endpoint; Trigger.dev handles durable
+ * execution, retries, and concurrency.
+ */
+export const onSubgraphEvent = task({
+	id: "{{TASK_ID}}",
+	run: async (payload: Record<string, unknown>, { ctx: _ctx }) => {
+		console.log("[subgraph event]", payload);
+		// TODO: your business logic — AI SDK, HTTP, DB, chain broadcasts.
+		return { ok: true };
+	},
+});

package/templates/subscriptions/trigger/trigger.config.ts

@@ -0,0 +1,6 @@
+import { defineConfig } from "@trigger.dev/sdk/v3";
+
+export default defineConfig({
+	project: "{{NAME}}",
+	dirs: ["./src/tasks"],
+});

package/templates/subscriptions/trigger/tsconfig.json

@@ -0,0 +1,10 @@
+{
+	"compilerOptions": {
+		"target": "ES2022",
+		"module": "ESNext",
+		"moduleResolution": "bundler",
+		"strict": true,
+		"esModuleInterop": true,
+		"skipLibCheck": true
+	}
+}