@sylphx/lens-server 2.3.2 → 2.4.0

package/dist/index.js

@@ -37,6 +37,7 @@ function extendContext(current, extension) {
 import {
   createEmit,
   flattenRouter,
+  hashValue,
   isEntityDef,
   isMutationDef,
   isQueryDef,
@@ -285,6 +286,45 @@ function extractNestedInputs(select, prefix = "") {
 function isAsyncIterable(value) {
   return value != null && typeof value === "object" && Symbol.asyncIterator in value;
 }
+
+class RingBuffer {
+  capacity;
+  buffer;
+  head = 0;
+  tail = 0;
+  count = 0;
+  constructor(capacity) {
+    this.capacity = capacity;
+    this.buffer = new Array(capacity).fill(null);
+  }
+  get size() {
+    return this.count;
+  }
+  get isEmpty() {
+    return this.count === 0;
+  }
+  enqueue(item) {
+    let dropped = false;
+    if (this.count >= this.capacity) {
+      this.head = (this.head + 1) % this.capacity;
+      this.count--;
+      dropped = true;
+    }
+    this.buffer[this.tail] = item;
+    this.tail = (this.tail + 1) % this.capacity;
+    this.count++;
+    return dropped;
+  }
+  dequeue() {
+    if (this.count === 0)
+      return null;
+    const item = this.buffer[this.head];
+    this.buffer[this.head] = null;
+    this.head = (this.head + 1) % this.capacity;
+    this.count--;
+    return item;
+  }
+}
 var noopLogger = {};
 
 class LensServerImpl {
@@ -390,13 +430,17 @@ class LensServerImpl {
         let cancelled = false;
         let currentState;
         let lastEmittedResult;
+        let lastEmittedHash;
         const cleanups = [];
         const emitIfChanged = (data) => {
           if (cancelled)
             return;
-          if (valuesEqual(data, lastEmittedResult))
+          const dataHash = hashValue(data);
+          if (lastEmittedHash !== undefined && valuesEqual(data, lastEmittedResult, dataHash, lastEmittedHash)) {
             return;
+          }
           lastEmittedResult = data;
+          lastEmittedHash = dataHash;
           observer.next?.({ data });
         };
         (async () => {
@@ -433,26 +477,28 @@ class LensServerImpl {
                 return;
               }
               let emitProcessing = false;
-              const emitQueue = [];
+              const MAX_EMIT_QUEUE_SIZE = 100;
+              const emitQueue = new RingBuffer(MAX_EMIT_QUEUE_SIZE);
               const processEmitQueue = async () => {
                 if (emitProcessing || cancelled)
                   return;
                 emitProcessing = true;
-                while (emitQueue.length > 0 && !cancelled) {
-                  const command = emitQueue.shift();
+                let command = emitQueue.dequeue();
+                while (command !== null && !cancelled) {
                   currentState = this.applyEmitCommand(command, currentState);
                   const fieldEmitFactory = isQuery ? this.createFieldEmitFactory(() => currentState, (state) => {
                     currentState = state;
                   }, emitIfChanged, select, context, onCleanup) : undefined;
                   const processed = isQuery ? await this.processQueryResult(path, currentState, select, context, onCleanup, fieldEmitFactory) : currentState;
                   emitIfChanged(processed);
+                  command = emitQueue.dequeue();
                 }
                 emitProcessing = false;
               };
               const emitHandler = (command) => {
                 if (cancelled)
                   return;
-                emitQueue.push(command);
+                emitQueue.enqueue(command);
                 processEmitQueue().catch((err) => {
                   if (!cancelled) {
                     observer.next?.({ error: err instanceof Error ? err : new Error(String(err)) });
@@ -490,6 +536,9 @@ class LensServerImpl {
                 currentState = value;
                 const processed = isQuery ? await this.processQueryResult(path, value, select, context, onCleanup, createFieldEmit) : value;
                 emitIfChanged(processed);
+                if (!isQuery && !cancelled) {
+                  observer.complete?.();
+                }
               }
             });
           } catch (error) {
@@ -687,10 +736,11 @@ class LensServerImpl {
     let loader = this.loaders.get(loaderKey);
     if (!loader) {
       loader = new DataLoader(async (parents) => {
+        const context = tryUseContext() ?? {};
         const results = [];
         for (const parent of parents) {
           try {
-            const result = await resolverDef.resolveField(fieldName, parent, {}, {});
+            const result = await resolverDef.resolveField(fieldName, parent, {}, context);
             results.push(result);
           } catch {
             results.push(null);
@@ -921,20 +971,106 @@ function createSSEHandler(config = {}) {
 
 // src/handlers/http.ts
 import { firstValueFrom } from "@sylphx/lens-core";
+function sanitizeError(error, isDevelopment) {
+  if (isDevelopment) {
+    return error.message;
+  }
+  const message = error.message;
+  const safePatterns = [
+    /^Invalid input:/,
+    /^Missing operation/,
+    /^Not found/,
+    /^Unauthorized/,
+    /^Forbidden/,
+    /^Bad request/,
+    /^Validation failed/
+  ];
+  if (safePatterns.some((pattern) => pattern.test(message))) {
+    return message;
+  }
+  const sensitivePatterns = [
+    /\/[^\s]+\.(ts|js|json)/,
+    /at\s+[^\s]+\s+\(/,
+    /ENOENT|EACCES|ECONNREFUSED/,
+    /SELECT|INSERT|UPDATE|DELETE|FROM|WHERE/i,
+    /password|secret|token|key|auth/i
+  ];
+  if (sensitivePatterns.some((pattern) => pattern.test(message))) {
+    return "An internal error occurred";
+  }
+  if (message.length < 100 && !message.includes(`
+`)) {
+    return message;
+  }
+  return "An internal error occurred";
+}
 function createHTTPHandler(server, options = {}) {
-  const { pathPrefix = "", cors } = options;
-  const corsHeaders = {
-    "Access-Control-Allow-Origin": cors?.origin ? Array.isArray(cors.origin) ? cors.origin.join(", ") : cors.origin : "*",
+  const { pathPrefix = "", cors, errors, health } = options;
+  const isDevelopment = errors?.development ?? false;
+  const healthEnabled = health?.enabled !== false;
+  const healthPath = health?.path ?? "/__lens/health";
+  const startTime = Date.now();
+  const sanitize = (error) => {
+    if (errors?.sanitize) {
+      return errors.sanitize(error);
+    }
+    return sanitizeError(error, isDevelopment);
+  };
+  const allowedOrigin = cors?.origin ? Array.isArray(cors.origin) ? cors.origin.join(", ") : cors.origin : isDevelopment ? "*" : "";
+  const baseHeaders = {
+    "Content-Type": "application/json",
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
     "Access-Control-Allow-Methods": cors?.methods?.join(", ") ?? "GET, POST, OPTIONS",
     "Access-Control-Allow-Headers": cors?.headers?.join(", ") ?? "Content-Type, Authorization"
   };
+  if (allowedOrigin) {
+    baseHeaders["Access-Control-Allow-Origin"] = allowedOrigin;
+  }
   const handler = async (request) => {
     const url = new URL(request.url);
     const pathname = url.pathname;
     if (request.method === "OPTIONS") {
       return new Response(null, {
         status: 204,
-        headers: corsHeaders
+        headers: baseHeaders
+      });
+    }
+    const fullHealthPath = `${pathPrefix}${healthPath}`;
+    if (healthEnabled && request.method === "GET" && pathname === fullHealthPath) {
+      const metadata = server.getMetadata();
+      const uptimeSeconds = Math.floor((Date.now() - startTime) / 1000);
+      let customChecks = {};
+      let hasFailure = false;
+      if (health?.checks) {
+        try {
+          customChecks = await health.checks();
+          hasFailure = Object.values(customChecks).some((c) => c.status === "fail");
+        } catch (error) {
+          customChecks.healthCheck = {
+            status: "fail",
+            message: error instanceof Error ? error.message : "Health check failed"
+          };
+          hasFailure = true;
+        }
+      }
+      const response = {
+        status: hasFailure ? "degraded" : "healthy",
+        service: "lens-server",
+        version: metadata.version,
+        uptime: uptimeSeconds,
+        timestamp: new Date().toISOString()
+      };
+      if (Object.keys(customChecks).length > 0) {
+        response.checks = customChecks;
+      }
+      return new Response(JSON.stringify(response), {
+        status: hasFailure ? 503 : 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": "no-cache, no-store, must-revalidate",
+          ...baseHeaders
+        }
       });
     }
     const metadataPath = `${pathPrefix}/__lens/metadata`;
@@ -942,21 +1078,32 @@ function createHTTPHandler(server, options = {}) {
       return new Response(JSON.stringify(server.getMetadata()), {
         headers: {
           "Content-Type": "application/json",
-          ...corsHeaders
+          ...baseHeaders
         }
       });
     }
     const operationPath = pathPrefix || "/";
     if (request.method === "POST" && (pathname === operationPath || pathname === `${pathPrefix}/`)) {
+      let body;
+      try {
+        body = await request.json();
+      } catch {
+        return new Response(JSON.stringify({ error: "Invalid JSON in request body" }), {
+          status: 400,
+          headers: {
+            "Content-Type": "application/json",
+            ...baseHeaders
+          }
+        });
+      }
       try {
-        const body = await request.json();
         const operationPath2 = body.operation ?? body.path;
         if (!operationPath2) {
           return new Response(JSON.stringify({ error: "Missing operation path" }), {
             status: 400,
             headers: {
               "Content-Type": "application/json",
-              ...corsHeaders
+              ...baseHeaders
             }
           });
         }
@@ -965,26 +1112,27 @@ function createHTTPHandler(server, options = {}) {
           input: body.input
         }));
         if (result2.error) {
-          return new Response(JSON.stringify({ error: result2.error.message }), {
+          return new Response(JSON.stringify({ error: sanitize(result2.error) }), {
             status: 500,
             headers: {
               "Content-Type": "application/json",
-              ...corsHeaders
+              ...baseHeaders
             }
           });
         }
         return new Response(JSON.stringify({ data: result2.data }), {
           headers: {
             "Content-Type": "application/json",
-            ...corsHeaders
+            ...baseHeaders
           }
         });
       } catch (error) {
-        return new Response(JSON.stringify({ error: String(error) }), {
+        const err = error instanceof Error ? error : new Error(String(error));
+        return new Response(JSON.stringify({ error: sanitize(err) }), {
           status: 500,
           headers: {
             "Content-Type": "application/json",
-            ...corsHeaders
+            ...baseHeaders
           }
         });
       }
@@ -993,7 +1141,7 @@ function createHTTPHandler(server, options = {}) {
       status: 404,
       headers: {
         "Content-Type": "application/json",
-        ...corsHeaders
+        ...baseHeaders
       }
     });
   };
@@ -1031,7 +1179,13 @@ function createHandler(server, options = {}) {
   return result;
 }
 // src/handlers/framework.ts
-import { firstValueFrom as firstValueFrom2 } from "@sylphx/lens-core";
+import { firstValueFrom as firstValueFrom2, isObservable } from "@sylphx/lens-core";
+async function resolveExecuteResult(result) {
+  if (isObservable(result)) {
+    return firstValueFrom2(result);
+  }
+  return result;
+}
 function createServerClientProxy(server) {
   function createProxy(path) {
     return new Proxy(() => {}, {
@@ -1045,7 +1199,7 @@ function createServerClientProxy(server) {
       },
       async apply(_, __, args) {
         const input = args[0];
-        const result = await firstValueFrom2(server.execute({ path, input }));
+        const result = await resolveExecuteResult(server.execute({ path, input }));
         if (result.error) {
           throw result.error;
         }
@@ -1059,7 +1213,7 @@ async function handleWebQuery(server, path, url) {
   try {
     const inputParam = url.searchParams.get("input");
     const input = inputParam ? JSON.parse(inputParam) : undefined;
-    const result = await firstValueFrom2(server.execute({ path, input }));
+    const result = await resolveExecuteResult(server.execute({ path, input }));
     if (result.error) {
       return Response.json({ error: result.error.message }, { status: 400 });
     }
@@ -1072,7 +1226,7 @@ async function handleWebMutation(server, path, request) {
   try {
     const body = await request.json();
     const input = body.input;
-    const result = await firstValueFrom2(server.execute({ path, input }));
+    const result = await resolveExecuteResult(server.execute({ path, input }));
     if (result.error) {
       return Response.json({ error: result.error.message }, { status: 400 });
     }
@@ -1149,10 +1303,38 @@ import {
 } from "@sylphx/lens-core";
 function createWSHandler(server, options = {}) {
   const { logger = {} } = options;
+  const maxMessageSize = options.maxMessageSize ?? 1024 * 1024;
+  const maxSubscriptionsPerClient = options.maxSubscriptionsPerClient ?? 100;
+  const maxConnections = options.maxConnections ?? 1e4;
+  const rateLimitMaxMessages = options.rateLimit?.maxMessages ?? 100;
+  const rateLimitWindowMs = options.rateLimit?.windowMs ?? 1000;
+  const clientMessageTimestamps = new Map;
+  function isRateLimited(clientId) {
+    const now = Date.now();
+    const windowStart = now - rateLimitWindowMs;
+    let timestamps = clientMessageTimestamps.get(clientId);
+    if (!timestamps) {
+      timestamps = [];
+      clientMessageTimestamps.set(clientId, timestamps);
+    }
+    while (timestamps.length > 0 && timestamps[0] < windowStart) {
+      timestamps.shift();
+    }
+    if (timestamps.length >= rateLimitMaxMessages) {
+      return true;
+    }
+    timestamps.push(now);
+    return false;
+  }
   const connections = new Map;
   const wsToConnection = new WeakMap;
   let connectionCounter = 0;
   async function handleConnection(ws) {
+    if (connections.size >= maxConnections) {
+      logger.warn?.(`Connection limit reached (${maxConnections}), rejecting new connection`);
+      ws.close(1013, "Server at capacity");
+      return;
+    }
     const clientId = `client_${++connectionCounter}`;
     const conn = {
       id: clientId,
@@ -1178,6 +1360,28 @@ function createWSHandler(server, options = {}) {
     };
   }
   function handleMessage(conn, data) {
+    if (data.length > maxMessageSize) {
+      logger.warn?.(`Message too large (${data.length} bytes > ${maxMessageSize}), rejecting`);
+      conn.ws.send(JSON.stringify({
+        type: "error",
+        error: {
+          code: "MESSAGE_TOO_LARGE",
+          message: `Message exceeds ${maxMessageSize} byte limit`
+        }
+      }));
+      return;
+    }
+    if (isRateLimited(conn.id)) {
+      logger.warn?.(`Rate limit exceeded for client ${conn.id}`);
+      conn.ws.send(JSON.stringify({
+        type: "error",
+        error: {
+          code: "RATE_LIMITED",
+          message: `Rate limit exceeded: max ${rateLimitMaxMessages} messages per ${rateLimitWindowMs}ms`
+        }
+      }));
+      return;
+    }
     try {
       const message = JSON.parse(data);
       switch (message.type) {
@@ -1221,6 +1425,18 @@ function createWSHandler(server, options = {}) {
   }
   async function handleSubscribe(conn, message) {
     const { id, operation, input, fields } = message;
+    if (!conn.subscriptions.has(id) && conn.subscriptions.size >= maxSubscriptionsPerClient) {
+      logger.warn?.(`Subscription limit reached for client ${conn.id} (${maxSubscriptionsPerClient}), rejecting`);
+      conn.ws.send(JSON.stringify({
+        type: "error",
+        id,
+        error: {
+          code: "SUBSCRIPTION_LIMIT",
+          message: `Maximum ${maxSubscriptionsPerClient} subscriptions per client`
+        }
+      }));
+      return;
+    }
     let result;
     try {
       result = await firstValueFrom3(server.execute({ path: operation, input }));
@@ -1488,6 +1704,7 @@ function createWSHandler(server, options = {}) {
       }
     }
     connections.delete(conn.id);
+    clientMessageTimestamps.delete(conn.id);
     server.removeClient(conn.id, subscriptionCount);
   }
   function extractEntities(data) {
@@ -2251,17 +2468,139 @@ function coalescePatches(patches) {
 function estimatePatchSize(patch) {
   return JSON.stringify(patch).length;
 }
+// src/logging/structured-logger.ts
+var LOG_LEVEL_PRIORITY = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  fatal: 4
+};
+var jsonOutput = {
+  write(entry) {
+    console.log(JSON.stringify(entry));
+  }
+};
+var prettyOutput = {
+  write(entry) {
+    const { timestamp, level, message, ...rest } = entry;
+    const color = {
+      debug: "\x1B[36m",
+      info: "\x1B[32m",
+      warn: "\x1B[33m",
+      error: "\x1B[31m",
+      fatal: "\x1B[35m"
+    }[level];
+    const reset = "\x1B[0m";
+    const contextStr = Object.keys(rest).length > 0 ? ` ${JSON.stringify(rest)}` : "";
+    console.log(`${timestamp} ${color}[${level.toUpperCase()}]${reset} ${message}${contextStr}`);
+  }
+};
+function createStructuredLogger(options = {}) {
+  const {
+    service = "lens",
+    level: minLevel = "info",
+    includeStackTrace = false,
+    output = jsonOutput,
+    defaultContext = {}
+  } = options;
+  const minPriority = LOG_LEVEL_PRIORITY[minLevel];
+  function shouldLog(level) {
+    return LOG_LEVEL_PRIORITY[level] >= minPriority;
+  }
+  function log(level, message, context = {}) {
+    if (!shouldLog(level))
+      return;
+    const error = context.error instanceof Error ? context.error : undefined;
+    const errorContext = {};
+    if (error) {
+      errorContext.errorType = error.name;
+      errorContext.errorMessage = error.message;
+      if (includeStackTrace && error.stack) {
+        errorContext.stack = error.stack;
+      }
+    }
+    const entry = {
+      timestamp: new Date().toISOString(),
+      level,
+      message,
+      service,
+      ...defaultContext,
+      ...context,
+      ...errorContext
+    };
+    if ("error" in entry && entry.error instanceof Error) {
+      delete entry.error;
+    }
+    output.write(entry);
+  }
+  return {
+    debug: (message, context) => log("debug", message, context),
+    info: (message, context) => log("info", message, context),
+    warn: (message, context) => log("warn", message, context),
+    error: (message, context) => log("error", message, context),
+    fatal: (message, context) => log("fatal", message, context),
+    child: (childContext) => {
+      return createStructuredLogger({
+        ...options,
+        defaultContext: { ...defaultContext, ...childContext }
+      });
+    },
+    request: (requestId, message, context) => {
+      log("info", message, { requestId, ...context });
+    },
+    startOperation: (operation, context) => {
+      const startTime = Date.now();
+      const requestId = context?.requestId;
+      log("debug", `Operation started: ${operation}`, { operation, ...context });
+      return (result) => {
+        const durationMs = Date.now() - startTime;
+        if (result?.error) {
+          log("error", `Operation failed: ${operation}`, {
+            operation,
+            requestId,
+            durationMs,
+            error: result.error
+          });
+        } else {
+          log("info", `Operation completed: ${operation}`, {
+            operation,
+            requestId,
+            durationMs
+          });
+        }
+      };
+    }
+  };
+}
+function toBasicLogger(structuredLogger) {
+  return {
+    info: (message, ...args) => {
+      structuredLogger.info(message, args.length > 0 ? { args } : undefined);
+    },
+    warn: (message, ...args) => {
+      structuredLogger.warn(message, args.length > 0 ? { args } : undefined);
+    },
+    error: (message, ...args) => {
+      const error = args.find((arg) => arg instanceof Error);
+      structuredLogger.error(message, error ? { error } : args.length > 0 ? { args } : undefined);
+    }
+  };
+}
 export {
   useContext,
   tryUseContext,
+  toBasicLogger,
   runWithContextAsync,
   runWithContext,
   router,
   query,
+  prettyOutput,
   optimisticPlugin,
   opLog,
   mutation,
   memoryStorage,
+  jsonOutput,
   isOptimisticPlugin,
   isOpLogPlugin,
   hasContext,
@@ -2271,6 +2610,7 @@ export {
   extendContext,
   estimatePatchSize,
   createWSHandler,
+  createStructuredLogger,
   createServerClientProxy,
   createSSEHandler,
   createPluginManager,

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@sylphx/lens-server",
-	"version": "2.3.2",
+	"version": "2.4.0",
 	"description": "Server runtime for Lens API framework",
 	"type": "module",
 	"main": "./dist/index.js",

package/src/handlers/framework.ts

@@ -37,8 +37,21 @@
  * ```
  */
 
-import { firstValueFrom } from "@sylphx/lens-core";
+import { firstValueFrom, isObservable } from "@sylphx/lens-core";
 import type { LensServer } from "../server/create.js";
+import type { LensResult } from "../server/types.js";
+
+/**
+ * Helper to resolve server.execute() result which may be Observable or Promise.
+ * This provides backwards compatibility for test mocks that return Promises.
+ */
+async function resolveExecuteResult<T>(result: unknown): Promise<LensResult<T>> {
+	if (isObservable<LensResult<T>>(result)) {
+		return firstValueFrom(result);
+	}
+	// Handle Promise or direct value (for backwards compatibility with test mocks)
+	return result as Promise<LensResult<T>>;
+}
 
 // =============================================================================
 // Server Client Proxy
@@ -75,7 +88,7 @@ export function createServerClientProxy(server: LensServer): unknown {
 			},
 			async apply(_, __, args) {
 				const input = args[0];
-				const result = await firstValueFrom(server.execute({ path, input }));
+				const result = await resolveExecuteResult(server.execute({ path, input }));
 
 				if (result.error) {
 					throw result.error;
@@ -113,7 +126,7 @@ export async function handleWebQuery(
 		const inputParam = url.searchParams.get("input");
 		const input = inputParam ? JSON.parse(inputParam) : undefined;
 
-		const result = await firstValueFrom(server.execute({ path, input }));
+		const result = await resolveExecuteResult(server.execute({ path, input }));
 
 		if (result.error) {
 			return Response.json({ error: result.error.message }, { status: 400 });
@@ -148,7 +161,7 @@ export async function handleWebMutation(
 		const body = (await request.json()) as { input?: unknown };
 		const input = body.input;
 
-		const result = await firstValueFrom(server.execute({ path, input }));
+		const result = await resolveExecuteResult(server.execute({ path, input }));
 
 		if (result.error) {
 			return Response.json({ error: result.error.message }, { status: 400 });