@sinch/functions-runtime 0.3.9 → 0.4.0

package/dist/index.d.ts

@@ -760,7 +760,7 @@ export declare function createPieBuilder(): PieSvamlBuilder;
 /**
  * Cache interface for Sinch Functions
  *
- * Both dev (LocalCache) and prod (DaprCache) implement this interface,
+ * Both dev (LocalCache) and prod (ApiBackedCache) implement this interface,
  * allowing seamless package swap during deployment.
  */
 /**
@@ -865,6 +865,46 @@ export interface IFunctionCache {
 	 */
 	getMany<T = unknown>(keys: string[]): Promise<Record<string, T | null>>;
 }
+/**
+ * Storage interface for Sinch Functions
+ *
+ * Both dev (LocalStorage) and prod (S3Storage) implement this interface,
+ * allowing seamless package swap during deployment.
+ */
+/**
+ * Function storage interface
+ *
+ * Provides file/blob storage for persistent data.
+ * In development, uses the local filesystem (./storage/ directory).
+ * In production, uses S3 with local disk caching for reads.
+ *
+ * Access via `context.storage` — do not construct directly.
+ *
+ * @example
+ * ```typescript
+ * // Write a file
+ * await context.storage.write('reports/daily.json', JSON.stringify(data));
+ *
+ * // Read it back
+ * const buf = await context.storage.read('reports/daily.json');
+ * const data = JSON.parse(buf.toString());
+ *
+ * // List files
+ * const files = await context.storage.list('reports/');
+ *
+ * // Check existence and delete
+ * if (await context.storage.exists('reports/old.json')) {
+ *   await context.storage.delete('reports/old.json');
+ * }
+ * ```
+ */
+export interface IFunctionStorage {
+	write(key: string, data: string | Buffer): Promise<void>;
+	read(key: string): Promise<Buffer>;
+	list(prefix?: string): Promise<string[]>;
+	exists(key: string): Promise<boolean>;
+	delete(key: string): Promise<void>;
+}
 /**
  * Function configuration with environment variables
  */
@@ -932,6 +972,37 @@ export interface FunctionContext {
 	 * Available when `ENABLE_NUMBERS_API=true` is set.
 	 */
 	numbers?: NumbersService;
+	/**
+	 * Persistent file/blob storage.
+	 * Local filesystem during development, S3-backed in production.
+	 * @see {@link IFunctionStorage} for available methods
+	 */
+	storage: IFunctionStorage;
+	/**
+	 * File path to a SQLite database for persistent structured data.
+	 * The database file is managed by a Litestream sidecar in production
+	 * (continuous WAL replication to S3). In development, it's a local file.
+	 *
+	 * Use any SQLite library — `sql.js` (pure WASM, no native deps) or
+	 * `better-sqlite3` (native C++, fastest but requires build tooling).
+	 *
+	 * @example
+	 * ```typescript
+	 * // sql.js (recommended — works everywhere)
+	 * import initSqlJs from 'sql.js';
+	 * const SQL = await initSqlJs();
+	 * const buf = existsSync(context.database) ? readFileSync(context.database) : undefined;
+	 * const db = new SQL.Database(buf);
+	 * db.run('CREATE TABLE IF NOT EXISTS kv (key TEXT PRIMARY KEY, value TEXT)');
+	 * writeFileSync(context.database, Buffer.from(db.export()));
+	 *
+	 * // better-sqlite3 (fastest — needs python3/make/g++)
+	 * import Database from 'better-sqlite3';
+	 * const db = new Database(context.database);
+	 * db.exec('CREATE TABLE IF NOT EXISTS kv (key TEXT PRIMARY KEY, value TEXT)');
+	 * ```
+	 */
+	database: string;
 	/** Read a file from the assets/ directory (private, not served over HTTP) */
 	assets(filename: string): Promise<string>;
 }
@@ -2292,6 +2363,18 @@ export declare class LocalCache implements IFunctionCache {
  * @internal Dev-only factory — access cache via `context.cache`
  */
 export declare function createCacheClient(_projectId?: string, _functionName?: string): IFunctionCache;
+export declare class LocalStorage implements IFunctionStorage {
+	private baseDir;
+	constructor(baseDir?: string);
+	private resolvePath;
+	write(key: string, data: string | Buffer): Promise<void>;
+	read(key: string): Promise<Buffer>;
+	list(prefix?: string): Promise<string[]>;
+	exists(key: string): Promise<boolean>;
+	delete(key: string): Promise<void>;
+	private walkDir;
+}
+export declare function createStorageClient(baseDir?: string): LocalStorage;
 /**
  * Tunnel Client for Sinch Functions
  *
@@ -2380,7 +2463,10 @@ export declare class SecretsLoader {
 	 */
 	loadCustomSecrets(secretNames?: string[]): Promise<Record<string, string>>;
 	/**
-	 * Check if keytar is available
+	 * Check if the native keychain is available.
+	 * Always true — no native npm deps required. The underlying OS tool
+	 * (secret-tool, security, CredManager) may still be absent, in which
+	 * case getPassword() silently returns null per credential.
 	 */
 	isAvailable(): Promise<boolean>;
 }

package/dist/index.js

@@ -1021,11 +1021,11 @@ function isVoiceCallback(functionName) {
 function isNotificationEvent(functionName) {
   return NOTIFICATION_EVENTS.includes(functionName);
 }
-function extractFunctionName(path5, body) {
+function extractFunctionName(path6, body) {
   if (body?.event && isVoiceCallback(body.event)) {
     return body.event;
   }
-  const pathname = path5.split("?")[0];
+  const pathname = path6.split("?")[0];
   const segments = pathname.split("/").filter((s) => s && s !== "*");
   if (segments.length === 1 && isVoiceCallback(segments[0])) {
     return segments[0];
@@ -1042,10 +1042,10 @@ function generateRequestId() {
   return `req_${Date.now()}_${Math.random().toString(36).substring(7)}`;
 }
 function findFunctionPath() {
-  const fs4 = requireCjs2("fs");
+  const fs5 = requireCjs2("fs");
   const distPath = nodePath.join(process.cwd(), "dist", "function.js");
   const rootPath = nodePath.join(process.cwd(), "function.js");
-  if (fs4.existsSync(distPath)) {
+  if (fs5.existsSync(distPath)) {
     return distPath;
   }
   return rootPath;
@@ -1123,6 +1123,15 @@ var noOpCache = {
   keys: async () => [],
   getMany: async () => ({})
 };
+var noOpStorage = {
+  write: async () => {
+  },
+  read: async () => Buffer.alloc(0),
+  list: async () => [],
+  exists: async () => false,
+  delete: async () => {
+  }
+};
 function buildBaseContext(req, config = {}) {
   return {
     requestId: req.headers["x-request-id"] || generateRequestId(),
@@ -1135,6 +1144,8 @@ function buildBaseContext(req, config = {}) {
       variables: config.variables
     },
     cache: noOpCache,
+    storage: noOpStorage,
+    database: "",
     assets: (filename) => {
       const filePath = nodePath.join(process.cwd(), "assets", filename);
       return nodeFs.promises.readFile(filePath, "utf-8");
@@ -2440,6 +2451,69 @@ function createCacheClient(_projectId, _functionName) {
   return new LocalCache();
 }
 
+// src/storage/local.ts
+import * as fs3 from "fs/promises";
+import * as path4 from "path";
+var LocalStorage = class {
+  baseDir;
+  constructor(baseDir) {
+    this.baseDir = baseDir ?? path4.join(process.cwd(), "storage");
+  }
+  resolvePath(key) {
+    const sanitized = key.replace(/^\/+/, "").replace(/\.\./g, "_");
+    return path4.join(this.baseDir, sanitized);
+  }
+  async write(key, data) {
+    const filePath = this.resolvePath(key);
+    await fs3.mkdir(path4.dirname(filePath), { recursive: true });
+    await fs3.writeFile(filePath, data);
+  }
+  async read(key) {
+    const filePath = this.resolvePath(key);
+    return fs3.readFile(filePath);
+  }
+  async list(prefix) {
+    const results = [];
+    await this.walkDir(this.baseDir, "", results);
+    if (prefix) {
+      return results.filter((f) => f.startsWith(prefix));
+    }
+    return results;
+  }
+  async exists(key) {
+    const filePath = this.resolvePath(key);
+    try {
+      await fs3.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async delete(key) {
+    const filePath = this.resolvePath(key);
+    await fs3.rm(filePath, { force: true });
+  }
+  async walkDir(dir, relative, results) {
+    let entries;
+    try {
+      entries = await fs3.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const rel = relative ? `${relative}/${entry.name}` : entry.name;
+      if (entry.isDirectory()) {
+        await this.walkDir(path4.join(dir, entry.name), rel, results);
+      } else {
+        results.push(rel);
+      }
+    }
+  }
+};
+function createStorageClient(baseDir) {
+  return new LocalStorage(baseDir);
+}
+
 // src/tunnel/index.ts
 import WebSocket from "ws";
 import axios from "axios";
@@ -2831,9 +2905,242 @@ function getTunnelClient(localPort = 3e3) {
 }
 
 // src/secrets/index.ts
-import fs3 from "fs";
-import path4 from "path";
+import fs4 from "fs";
+import path5 from "path";
 import os from "os";
+
+// src/secrets/keychain.ts
+import { execFile, spawn } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+function b64(value) {
+  return Buffer.from(value, "utf8").toString("base64");
+}
+function psParam(name, value) {
+  return `$${name} = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('${b64(value)}'));`;
+}
+var WIN32_CRED_READ_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredManager {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  private struct CREDENTIAL {
+    public int Flags;
+    public int Type;
+    public IntPtr TargetName;
+    public IntPtr Comment;
+    public long LastWritten;
+    public int CredentialBlobSize;
+    public IntPtr CredentialBlob;
+    public int Persist;
+    public int AttributeCount;
+    public IntPtr Attributes;
+    public IntPtr TargetAlias;
+    public IntPtr UserName;
+  }
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredReadW(string target, int type, int flags, out IntPtr cred);
+  [DllImport("advapi32.dll")]
+  private static extern void CredFree(IntPtr cred);
+  public static string Read(string target) {
+    IntPtr credPtr;
+    if (!CredReadW(target, 1, 0, out credPtr)) return null;
+    try {
+      CREDENTIAL c = (CREDENTIAL)Marshal.PtrToStructure(credPtr, typeof(CREDENTIAL));
+      if (c.CredentialBlobSize > 0 && c.CredentialBlob != IntPtr.Zero)
+        return Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);
+      return "";
+    } finally { CredFree(credPtr); }
+  }
+}
+'@
+$r = [CredManager]::Read($target)
+if ($r -ne $null) { [Console]::Write($r) }
+else { exit 1 }
+`;
+var WIN32_CRED_WRITE_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+public class CredWriter {
+  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+  private struct CREDENTIAL {
+    public int Flags;
+    public int Type;
+    public string TargetName;
+    public string Comment;
+    public long LastWritten;
+    public int CredentialBlobSize;
+    public IntPtr CredentialBlob;
+    public int Persist;
+    public int AttributeCount;
+    public IntPtr Attributes;
+    public string TargetAlias;
+    public string UserName;
+  }
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredWriteW(ref CREDENTIAL cred, int flags);
+  public static bool Write(string target, string password) {
+    byte[] blob = Encoding.Unicode.GetBytes(password);
+    CREDENTIAL c = new CREDENTIAL();
+    c.Type = 1;
+    c.TargetName = target;
+    c.CredentialBlobSize = blob.Length;
+    c.CredentialBlob = Marshal.AllocHGlobal(blob.Length);
+    Marshal.Copy(blob, 0, c.CredentialBlob, blob.Length);
+    c.Persist = 2;
+    try { return CredWriteW(ref c, 0); }
+    finally { Marshal.FreeHGlobal(c.CredentialBlob); }
+  }
+}
+'@
+if (-not [CredWriter]::Write($target, $password)) { exit 1 }
+`;
+var WIN32_CRED_DELETE_SCRIPT = `
+Add-Type -TypeDefinition @'
+using System;
+using System.Runtime.InteropServices;
+public class CredDeleter {
+  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+  private static extern bool CredDeleteW(string target, int type, int flags);
+  public static bool Delete(string target) { return CredDeleteW(target, 1, 0); }
+}
+'@
+if (-not [CredDeleter]::Delete($target)) { exit 1 }
+`;
+function winTarget(service, account) {
+  return `${service}/${account}`;
+}
+var windowsKeychain = {
+  async getPassword(service, account) {
+    try {
+      const params = psParam("target", winTarget(service, account));
+      const { stdout } = await execFileAsync(
+        "powershell.exe",
+        ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_READ_SCRIPT],
+        { timeout: 15e3, windowsHide: true }
+      );
+      return stdout;
+    } catch {
+      return null;
+    }
+  },
+  async setPassword(service, account, password) {
+    const params = psParam("target", winTarget(service, account)) + psParam("password", password);
+    await execFileAsync(
+      "powershell.exe",
+      ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_WRITE_SCRIPT],
+      { timeout: 15e3, windowsHide: true }
+    );
+  },
+  async deletePassword(service, account) {
+    try {
+      const params = psParam("target", winTarget(service, account));
+      await execFileAsync(
+        "powershell.exe",
+        ["-NoProfile", "-NonInteractive", "-Command", params + WIN32_CRED_DELETE_SCRIPT],
+        { timeout: 15e3, windowsHide: true }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+var macKeychain = {
+  async getPassword(service, account) {
+    try {
+      const { stdout } = await execFileAsync(
+        "security",
+        ["find-generic-password", "-s", service, "-a", account, "-w"],
+        { timeout: 15e3 }
+      );
+      return stdout.trimEnd();
+    } catch {
+      return null;
+    }
+  },
+  async setPassword(service, account, password) {
+    await execFileAsync(
+      "security",
+      ["add-generic-password", "-U", "-s", service, "-a", account, "-w", password],
+      { timeout: 15e3 }
+    );
+  },
+  async deletePassword(service, account) {
+    try {
+      await execFileAsync(
+        "security",
+        ["delete-generic-password", "-s", service, "-a", account],
+        { timeout: 15e3 }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+var linuxKeychain = {
+  async getPassword(service, account) {
+    try {
+      const { stdout } = await execFileAsync(
+        "secret-tool",
+        ["lookup", "service", service, "account", account],
+        { timeout: 15e3 }
+      );
+      return stdout.trimEnd();
+    } catch {
+      return null;
+    }
+  },
+  // secret-tool reads password from stdin (avoids exposing it in process args)
+  async setPassword(service, account, password) {
+    const child = spawn(
+      "secret-tool",
+      ["store", "--label", `${service}/${account}`, "service", service, "account", account],
+      { stdio: ["pipe", "pipe", "pipe"] }
+    );
+    child.stdin.write(password);
+    child.stdin.end();
+    await new Promise((resolve, reject) => {
+      child.on(
+        "close",
+        (code) => code === 0 ? resolve() : reject(new Error("secret-tool store failed"))
+      );
+      child.on("error", reject);
+    });
+  },
+  async deletePassword(service, account) {
+    try {
+      await execFileAsync(
+        "secret-tool",
+        ["clear", "service", service, "account", account],
+        { timeout: 15e3 }
+      );
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+function getBackend() {
+  switch (process.platform) {
+    case "win32":
+      return windowsKeychain;
+    case "darwin":
+      return macKeychain;
+    default:
+      return linuxKeychain;
+  }
+}
+var backend = getBackend();
+async function getPassword(service, account) {
+  return backend.getPassword(service, account);
+}
+
+// src/secrets/index.ts
 var SecretsLoader = class {
   // Same service name as CLI uses
   SERVICE_NAME = "sinch-functions-cli";
@@ -2847,24 +3154,12 @@ var SecretsLoader = class {
       return false;
     }
     try {
-      let keytar;
-      try {
-        keytar = await import("keytar");
-      } catch (error) {
-        if (error.code === "MODULE_NOT_FOUND" || error.code === "ERR_MODULE_NOT_FOUND") {
-          console.debug("[Secrets] Keytar not available - secrets not loaded");
-          return false;
-        } else {
-          console.error("[Secrets] Error loading keytar:", error.message);
-        }
-        return false;
-      }
-      const envPath = path4.join(process.cwd(), ".env");
-      if (!fs3.existsSync(envPath)) {
+      const envPath = path5.join(process.cwd(), ".env");
+      if (!fs4.existsSync(envPath)) {
         console.debug("[Secrets] No .env file found, skipping keychain load");
         return false;
       }
-      const envContent = fs3.readFileSync(envPath, "utf8");
+      const envContent = fs4.readFileSync(envPath, "utf8");
       const envLines = envContent.replace(/\r\n/g, "\n").split("\n");
       const secretsToLoad = [];
       envLines.forEach((line) => {
@@ -2886,7 +3181,7 @@ var SecretsLoader = class {
       }
       let secretsLoaded = 0;
       if (secretsToLoad.includes("PROJECT_ID_API_SECRET")) {
-        const apiSecret = await keytar.getPassword(this.SERVICE_NAME, `${this.username}-keySecret`);
+        const apiSecret = await getPassword(this.SERVICE_NAME, `${this.username}-keySecret`);
         if (apiSecret) {
           process.env.PROJECT_ID_API_SECRET = apiSecret;
           console.log("\u2705 Loaded PROJECT_ID_API_SECRET from secure storage");
@@ -2896,7 +3191,7 @@ var SecretsLoader = class {
       if (secretsToLoad.includes("VOICE_APPLICATION_SECRET")) {
         const applicationKey = process.env.VOICE_APPLICATION_KEY || this.getApplicationKeyFromConfig();
         if (applicationKey) {
-          const appSecret = await keytar.getPassword(this.SERVICE_NAME, applicationKey);
+          const appSecret = await getPassword(this.SERVICE_NAME, applicationKey);
           if (appSecret) {
             process.env.VOICE_APPLICATION_SECRET = appSecret;
             console.log("\u2705 Loaded VOICE_APPLICATION_SECRET from secure storage");
@@ -2910,7 +3205,7 @@ var SecretsLoader = class {
           continue;
         }
         if (functionName) {
-          const value = await keytar.getPassword(
+          const value = await getPassword(
             this.SERVICE_NAME,
             `${functionName}-${secretName}`
           );
@@ -2938,9 +3233,9 @@ var SecretsLoader = class {
    */
   getApplicationKeyFromConfig() {
     try {
-      const sinchJsonPath = path4.join(process.cwd(), "sinch.json");
-      if (fs3.existsSync(sinchJsonPath)) {
-        const sinchConfig = JSON.parse(fs3.readFileSync(sinchJsonPath, "utf8"));
+      const sinchJsonPath = path5.join(process.cwd(), "sinch.json");
+      if (fs4.existsSync(sinchJsonPath)) {
+        const sinchConfig = JSON.parse(fs4.readFileSync(sinchJsonPath, "utf8"));
         return sinchConfig.voiceAppId || sinchConfig.applicationKey || null;
       }
     } catch (error) {
@@ -2953,9 +3248,9 @@ var SecretsLoader = class {
    */
   getFunctionNameFromConfig() {
     try {
-      const sinchJsonPath = path4.join(process.cwd(), "sinch.json");
-      if (fs3.existsSync(sinchJsonPath)) {
-        const sinchConfig = JSON.parse(fs3.readFileSync(sinchJsonPath, "utf8"));
+      const sinchJsonPath = path5.join(process.cwd(), "sinch.json");
+      if (fs4.existsSync(sinchJsonPath)) {
+        const sinchConfig = JSON.parse(fs4.readFileSync(sinchJsonPath, "utf8"));
         return sinchConfig.name || null;
       }
     } catch (error) {
@@ -2969,14 +3264,13 @@ var SecretsLoader = class {
   async loadCustomSecrets(secretNames = []) {
     const secrets = {};
     try {
-      const keytar = await import("keytar");
       const functionName = this.getFunctionNameFromConfig();
       if (!functionName) {
         console.debug("[Secrets] Could not determine function name for custom secrets");
         return secrets;
       }
       for (const secretName of secretNames) {
-        const value = await keytar.getPassword(this.SERVICE_NAME, `${functionName}-${secretName}`);
+        const value = await getPassword(this.SERVICE_NAME, `${functionName}-${secretName}`);
         if (value) {
           secrets[secretName] = value;
           process.env[secretName] = value;
@@ -2988,15 +3282,13 @@ var SecretsLoader = class {
     return secrets;
   }
   /**
-   * Check if keytar is available
+   * Check if the native keychain is available.
+   * Always true — no native npm deps required. The underlying OS tool
+   * (secret-tool, security, CredManager) may still be absent, in which
+   * case getPassword() silently returns null per credential.
    */
   async isAvailable() {
-    try {
-      await import("keytar");
-      return true;
-    } catch {
-      return false;
-    }
+    return true;
   }
 };
 var secretsLoader = new SecretsLoader();
@@ -3012,6 +3304,7 @@ export {
   ElevenLabsState,
   IceSvamlBuilder,
   LocalCache,
+  LocalStorage,
   MenuBuilder,
   MenuTemplates,
   NOTIFICATION_EVENTS,
@@ -3042,6 +3335,7 @@ export {
   createResponse,
   createSimpleMenu,
   createSms,
+  createStorageClient,
   createUniversalConfig,
   createWhatsApp,
   extractCallerNumber,