@sinch/functions-runtime 0.3.8 → 0.4.0

package/dist/bin/sinch-runtime.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 
 // src/bin/sinch-runtime.ts
-import path5 from "path";
+import path6 from "path";
 import { createRequire as createRequire3 } from "module";
 import { pathToFileURL as pathToFileURL2 } from "url";
-import fs4 from "fs";
+import fs5 from "fs";
 
 // ../runtime-shared/dist/ai/connect-agent.js
 var AgentProvider;
@@ -247,11 +247,11 @@ function isVoiceCallback(functionName) {
 function isNotificationEvent(functionName) {
   return NOTIFICATION_EVENTS.includes(functionName);
 }
-function extractFunctionName(path6, body) {
+function extractFunctionName(path7, body) {
   if (body?.event && isVoiceCallback(body.event)) {
     return body.event;
   }
-  const pathname = path6.split("?")[0];
+  const pathname = path7.split("?")[0];
   const segments = pathname.split("/").filter((s) => s && s !== "*");
   if (segments.length === 1 && isVoiceCallback(segments[0])) {
     return segments[0];
@@ -268,10 +268,10 @@ function generateRequestId() {
   return `req_${Date.now()}_${Math.random().toString(36).substring(7)}`;
 }
 function findFunctionPath() {
-  const fs5 = requireCjs2("fs");
+  const fs6 = requireCjs2("fs");
   const distPath = nodePath.join(process.cwd(), "dist", "function.js");
   const rootPath = nodePath.join(process.cwd(), "function.js");
-  if (fs5.existsSync(distPath)) {
+  if (fs6.existsSync(distPath)) {
     return distPath;
   }
   return rootPath;
@@ -349,6 +349,15 @@ var noOpCache = {
   keys: async () => [],
   getMany: async () => ({})
 };
+var noOpStorage = {
+  write: async () => {
+  },
+  read: async () => Buffer.alloc(0),
+  list: async () => [],
+  exists: async () => false,
+  delete: async () => {
+  }
+};
 function buildBaseContext(req, config = {}) {
   return {
     requestId: req.headers["x-request-id"] || generateRequestId(),
@@ -361,6 +370,8 @@ function buildBaseContext(req, config = {}) {
       variables: config.variables
     },
     cache: noOpCache,
+    storage: noOpStorage,
+    database: "",
     assets: (filename) => {
       const filePath = nodePath.join(process.cwd(), "assets", filename);
       return nodeFs.promises.readFile(filePath, "utf-8");
@@ -763,10 +774,306 @@ function createCacheClient(_projectId, _functionName) {
   return new LocalCache();
 }
 
+// src/storage/local.ts
+import * as fs3 from "fs/promises";
+import * as path4 from "path";
+var LocalStorage = class {
+  baseDir;
+  constructor(baseDir) {
+    this.baseDir = baseDir ?? path4.join(process.cwd(), "storage");
+  }
+  resolvePath(key) {
+    const sanitized = key.replace(/^\/+/, "").replace(/\.\./g, "_");
+    return path4.join(this.baseDir, sanitized);
+  }
+  async write(key, data) {
+    const filePath = this.resolvePath(key);
+    await fs3.mkdir(path4.dirname(filePath), { recursive: true });
+    await fs3.writeFile(filePath, data);
+  }
+  async read(key) {
+    const filePath = this.resolvePath(key);
+    return fs3.readFile(filePath);
+  }
+  async list(prefix) {
+    const results = [];
+    await this.walkDir(this.baseDir, "", results);
+    if (prefix) {
+      return results.filter((f) => f.startsWith(prefix));
+    }
+    return results;
+  }
+  async exists(key) {
+    const filePath = this.resolvePath(key);
+    try {
+      await fs3.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async delete(key) {
+    const filePath = this.resolvePath(key);
+    await fs3.rm(filePath, { force: true });
+  }
+  async walkDir(dir, relative, results) {
+    let entries;
+    try {
+      entries = await fs3.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const rel = relative ? `${relative}/${entry.name}` : entry.name;
+      if (entry.isDirectory()) {
+        await this.walkDir(path4.join(dir, entry.name), rel, results);
+      } else {
+        results.push(rel);
+      }
+    }
+  }
+};
+function createStorageClient(baseDir) {
+  return new LocalStorage(baseDir);
+}
+
 // src/secrets/index.ts
-import fs3 from "fs";
-import path4 from "path";
+import fs4 from "fs";
+import path5 from "path";
 import os from "os";
+
+// src/secrets/keychain.ts
+import { execFile, spawn } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+function b64(value) {
+  return Buffer.from(value, "utf8").toString("base64");
+}
+function psParam(name, value) {
+  return `$${name} = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('${b64(value)}'));`;
+}
+var WIN32_CRED_READ_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredManager {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  private struct CREDENTIAL {
+    public int Flags;
+    public int Type;
+    public IntPtr TargetName;
+    public IntPtr Comment;
+    public long LastWritten;
+    public int CredentialBlobSize;
+    public IntPtr CredentialBlob;
+    public int Persist;
+    public int AttributeCount;
+    public IntPtr Attributes;
+    public IntPtr TargetAlias;
+    public IntPtr UserName;
+  }
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredReadW(string target, int type, int flags, out IntPtr cred);
+  [DllImport("advapi32.dll")]
+  private static extern void CredFree(IntPtr cred);
+  public static string Read(string target) {
+    IntPtr credPtr;
+    if (!CredReadW(target, 1, 0, out credPtr)) return null;
+    try {
+      CREDENTIAL c = (CREDENTIAL)Marshal.PtrToStructure(credPtr, typeof(CREDENTIAL));
+      if (c.CredentialBlobSize > 0 && c.CredentialBlob != IntPtr.Zero)
+        return Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);
+      return "";
+    } finally { CredFree(credPtr); }
+  }
+}
+'@
+$r = [CredManager]::Read($target)
+if ($r -ne $null) { [Console]::Write($r) }
+else { exit 1 }
+`;
+var WIN32_CRED_WRITE_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+public class CredWriter {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  private struct CREDENTIAL {
+    public int Flags;
+    public int Type;
+    public string TargetName;
+    public string Comment;
+    public long LastWritten;
+    public int CredentialBlobSize;
+    public IntPtr CredentialBlob;
+    public int Persist;
+    public int AttributeCount;
+    public IntPtr Attributes;
+    public string TargetAlias;
+    public string UserName;
+  }
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredWriteW(ref CREDENTIAL cred, int flags);
+  public static bool Write(string target, string password) {
+    byte[] blob = Encoding.Unicode.GetBytes(password);
+    CREDENTIAL c = new CREDENTIAL();
+    c.Type = 1;
+    c.TargetName = target;
+    c.CredentialBlobSize = blob.Length;
+    c.CredentialBlob = Marshal.AllocHGlobal(blob.Length);
+    Marshal.Copy(blob, 0, c.CredentialBlob, blob.Length);
+    c.Persist = 2;
+    try { return CredWriteW(ref c, 0); }
+    finally { Marshal.FreeHGlobal(c.CredentialBlob); }
+  }
+}
+'@
+if (-not [CredWriter]::Write($target, $password)) { exit 1 }
+`;
+var WIN32_CRED_DELETE_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredDeleter {
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredDeleteW(string target, int type, int flags);
+  public static bool Delete(string target) { return CredDeleteW(target, 1, 0); }
+}
+'@
+if (-not [CredDeleter]::Delete($target)) { exit 1 }
+`;
+function winTarget(service, account) {
+  return `${service}/${account}`;
+}
+var windowsKeychain = {
+  async getPassword(service, account) {
+    try {
+      const params = psParam("target", winTarget(service, account));
+      const { stdout } = await execFileAsync(
+        "powershell.exe",
+        ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_READ_SCRIPT],
+        { timeout: 15e3, windowsHide: true }
+      );
+      return stdout;
+    } catch {
+      return null;
+    }
+  },
+  async setPassword(service, account, password) {
+    const params = psParam("target", winTarget(service, account)) + psParam("password", password);
+    await execFileAsync(
+      "powershell.exe",
+      ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_WRITE_SCRIPT],
+      { timeout: 15e3, windowsHide: true }
+    );
+  },
+  async deletePassword(service, account) {
+    try {
+      const params = psParam("target", winTarget(service, account));
+      await execFileAsync(
+        "powershell.exe",
+        ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_DELETE_SCRIPT],
+        { timeout: 15e3, windowsHide: true }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+var macKeychain = {
+  async getPassword(service, account) {
+    try {
+      const { stdout } = await execFileAsync(
+        "security",
+        ["find-generic-password", "-s", service, "-a", account, "-w"],
+        { timeout: 15e3 }
+      );
+      return stdout.trimEnd();
+    } catch {
+      return null;
+    }
+  },
+  async setPassword(service, account, password) {
+    await execFileAsync(
+      "security",
+      ["add-generic-password", "-U", "-s", service, "-a", account, "-w", password],
+      { timeout: 15e3 }
+    );
+  },
+  async deletePassword(service, account) {
+    try {
+      await execFileAsync(
+        "security",
+        ["delete-generic-password", "-s", service, "-a", account],
+        { timeout: 15e3 }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+var linuxKeychain = {
+  async getPassword(service, account) {
+    try {
+      const { stdout } = await execFileAsync(
+        "secret-tool",
+        ["lookup", "service", service, "account", account],
+        { timeout: 15e3 }
+      );
+      return stdout.trimEnd();
+    } catch {
+      return null;
+    }
+  },
+  // secret-tool reads password from stdin (avoids exposing it in process args)
+  async setPassword(service, account, password) {
+    const child = spawn(
+      "secret-tool",
+      ["store", "--label", `${service}/${account}`, "service", service, "account", account],
+      { stdio: ["pipe", "pipe", "pipe"] }
+    );
+    child.stdin.write(password);
+    child.stdin.end();
+    await new Promise((resolve, reject) => {
+      child.on(
+        "close",
+        (code) => code === 0 ? resolve() : reject(new Error("secret-tool store failed"))
+      );
+      child.on("error", reject);
+    });
+  },
+  async deletePassword(service, account) {
+    try {
+      await execFileAsync(
+        "secret-tool",
+        ["clear", "service", service, "account", account],
+        { timeout: 15e3 }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+function getBackend() {
+  switch (process.platform) {
+    case "win32":
+      return windowsKeychain;
+    case "darwin":
+      return macKeychain;
+    default:
+      return linuxKeychain;
+  }
+}
+var backend = getBackend();
+async function getPassword(service, account) {
+  return backend.getPassword(service, account);
+}
+
+// src/secrets/index.ts
 var SecretsLoader = class {
   // Same service name as CLI uses
   SERVICE_NAME = "sinch-functions-cli";
@@ -780,24 +1087,12 @@ var SecretsLoader = class {
       return false;
     }
     try {
-      let keytar;
-      try {
-        keytar = await import("keytar");
-      } catch (error) {
-        if (error.code === "MODULE_NOT_FOUND" || error.code === "ERR_MODULE_NOT_FOUND") {
-          console.debug("[Secrets] Keytar not available - secrets not loaded");
-          return false;
-        } else {
-          console.error("[Secrets] Error loading keytar:", error.message);
-        }
-        return false;
-      }
-      const envPath = path4.join(process.cwd(), ".env");
-      if (!fs3.existsSync(envPath)) {
+      const envPath = path5.join(process.cwd(), ".env");
+      if (!fs4.existsSync(envPath)) {
         console.debug("[Secrets] No .env file found, skipping keychain load");
         return false;
       }
-      const envContent = fs3.readFileSync(envPath, "utf8");
+      const envContent = fs4.readFileSync(envPath, "utf8");
       const envLines = envContent.replace(/\r\n/g, "\n").split("\n");
       const secretsToLoad = [];
       envLines.forEach((line) => {
@@ -819,7 +1114,7 @@ var SecretsLoader = class {
       }
       let secretsLoaded = 0;
       if (secretsToLoad.includes("PROJECT_ID_API_SECRET")) {
-        const apiSecret = await keytar.getPassword(this.SERVICE_NAME, `${this.username}-keySecret`);
+        const apiSecret = await getPassword(this.SERVICE_NAME, `${this.username}-keySecret`);
         if (apiSecret) {
           process.env.PROJECT_ID_API_SECRET = apiSecret;
           console.log("\u2705 Loaded PROJECT_ID_API_SECRET from secure storage");
@@ -829,7 +1124,7 @@ var SecretsLoader = class {
       if (secretsToLoad.includes("VOICE_APPLICATION_SECRET")) {
         const applicationKey = process.env.VOICE_APPLICATION_KEY || this.getApplicationKeyFromConfig();
         if (applicationKey) {
-          const appSecret = await keytar.getPassword(this.SERVICE_NAME, applicationKey);
+          const appSecret = await getPassword(this.SERVICE_NAME, applicationKey);
           if (appSecret) {
             process.env.VOICE_APPLICATION_SECRET = appSecret;
             console.log("\u2705 Loaded VOICE_APPLICATION_SECRET from secure storage");
@@ -843,7 +1138,7 @@ var SecretsLoader = class {
           continue;
         }
         if (functionName) {
-          const value = await keytar.getPassword(
+          const value = await getPassword(
             this.SERVICE_NAME,
             `${functionName}-${secretName}`
           );
@@ -871,9 +1166,9 @@ var SecretsLoader = class {
    */
   getApplicationKeyFromConfig() {
     try {
-      const sinchJsonPath = path4.join(process.cwd(), "sinch.json");
-      if (fs3.existsSync(sinchJsonPath)) {
-        const sinchConfig = JSON.parse(fs3.readFileSync(sinchJsonPath, "utf8"));
+      const sinchJsonPath = path5.join(process.cwd(), "sinch.json");
+      if (fs4.existsSync(sinchJsonPath)) {
+        const sinchConfig = JSON.parse(fs4.readFileSync(sinchJsonPath, "utf8"));
         return sinchConfig.voiceAppId || sinchConfig.applicationKey || null;
       }
     } catch (error) {
@@ -886,9 +1181,9 @@ var SecretsLoader = class {
    */
   getFunctionNameFromConfig() {
     try {
-      const sinchJsonPath = path4.join(process.cwd(), "sinch.json");
-      if (fs3.existsSync(sinchJsonPath)) {
-        const sinchConfig = JSON.parse(fs3.readFileSync(sinchJsonPath, "utf8"));
+      const sinchJsonPath = path5.join(process.cwd(), "sinch.json");
+      if (fs4.existsSync(sinchJsonPath)) {
+        const sinchConfig = JSON.parse(fs4.readFileSync(sinchJsonPath, "utf8"));
         return sinchConfig.name || null;
       }
     } catch (error) {
@@ -902,14 +1197,13 @@ var SecretsLoader = class {
   async loadCustomSecrets(secretNames = []) {
     const secrets = {};
     try {
-      const keytar = await import("keytar");
       const functionName = this.getFunctionNameFromConfig();
       if (!functionName) {
         console.debug("[Secrets] Could not determine function name for custom secrets");
         return secrets;
       }
       for (const secretName of secretNames) {
-        const value = await keytar.getPassword(this.SERVICE_NAME, `${functionName}-${secretName}`);
+        const value = await getPassword(this.SERVICE_NAME, `${functionName}-${secretName}`);
         if (value) {
           secrets[secretName] = value;
           process.env[secretName] = value;
@@ -921,15 +1215,13 @@ var SecretsLoader = class {
     return secrets;
   }
   /**
-   * Check if keytar is available
+   * Check if the native keychain is available.
+   * Always true — no native npm deps required. The underlying OS tool
+   * (secret-tool, security, CredManager) may still be absent, in which
+   * case getPassword() silently returns null per credential.
    */
   async isAvailable() {
-    try {
-      await import("keytar");
-      return true;
-    } catch {
-      return false;
-    }
+    return true;
   }
 };
 var secretsLoader = new SecretsLoader();
@@ -1320,9 +1612,9 @@ var TunnelClient = class {
 // src/bin/sinch-runtime.ts
 var requireCjs3 = createRequire3(import.meta.url);
 function findFunctionPath3() {
-  const distPath = path5.join(process.cwd(), "dist", "function.js");
-  const rootPath = path5.join(process.cwd(), "function.js");
-  if (fs4.existsSync(distPath)) {
+  const distPath = path6.join(process.cwd(), "dist", "function.js");
+  const rootPath = path6.join(process.cwd(), "function.js");
+  if (fs5.existsSync(distPath)) {
     return distPath;
   }
   return rootPath;
@@ -1334,6 +1626,8 @@ function loadRuntimeConfig() {
     functionId: process.env.FUNCTION_ID || process.env.SINCH_FUNCTION_ID || "local-dev"
   };
 }
+var storage = createStorageClient();
+var databasePath = path6.join(process.cwd(), "data", "app.db");
 function buildLocalContext(req, runtimeConfig) {
   const baseContext = buildBaseContext(req);
   const cache = createCacheClient();
@@ -1341,6 +1635,8 @@ function buildLocalContext(req, runtimeConfig) {
   return {
     ...baseContext,
     cache,
+    storage,
+    database: databasePath,
     ...sinchClients,
     env: process.env,
     config: {
@@ -1367,12 +1663,12 @@ function displayStartupInfo(config, verbose, _port) {
 function displayEnvironmentVariables() {
   console.log("\nEnvironment Variables:");
   try {
-    const envPath = path5.join(process.cwd(), ".env");
-    if (!fs4.existsSync(envPath)) {
+    const envPath = path6.join(process.cwd(), ".env");
+    if (!fs5.existsSync(envPath)) {
       console.log("   (no .env file found)");
       return;
     }
-    const envContent = fs4.readFileSync(envPath, "utf8");
+    const envContent = fs5.readFileSync(envPath, "utf8");
     const envLines = envContent.split("\n");
     const variables = [];
     const secrets = [];
@@ -1432,7 +1728,7 @@ function displayApplicationCredentials() {
 async function displayDetectedFunctions() {
   try {
     const functionPath = findFunctionPath3();
-    if (!fs4.existsSync(functionPath)) return;
+    if (!fs5.existsSync(functionPath)) return;
     const functionUrl = pathToFileURL2(functionPath).href;
     const module = await import(functionUrl);
     const userFunction = module.default || module;
@@ -1459,6 +1755,8 @@ async function main() {
   } catch {
   }
   await secretsLoader.loadFromKeychain();
+  fs5.mkdirSync(path6.join(process.cwd(), "storage"), { recursive: true });
+  fs5.mkdirSync(path6.join(process.cwd(), "data"), { recursive: true });
   const config = loadRuntimeConfig();
   const staticDir = process.env.STATIC_DIR;
   const landingPageEnabled = process.env.LANDING_PAGE_ENABLED !== "false";