@tolinax/ayoune-cli 2026.9.0 → 2026.10.1

package/lib/api/apiClient.js

@@ -1,5 +1,25 @@
-import { http } from "@tolinax/ayoune-core/lib/http/index.js";
+// HTTP client for the `ay` CLI.
+//
+// Uses Node's built-in `fetch` (Node ≥ 18) — NO axios, NO @tolinax/ayoune-core
+// HTTP wrapper. The `core/lib/http` re-export was previously used here, but
+// it transitively requires `core/lib/aYOUne` at module top-level which loads
+// the entire backend framework: mongoose schemas, prom-client metric
+// registries, and an ioredis client wired to env vars that don't exist on
+// end-user machines (causing visible "ERR_SOCKET_BAD_PORT" errors and a
+// duplicate-index warning). The CLI is a pure HTTP client — it has no
+// business loading any of that.
+//
+// The exported `api({...})` and `audit({...})` functions preserve the
+// axios-shaped contract that callers expect:
+//
+//   const res = await api({ baseURL, method, url, data, params, headers });
+//   res.status / res.statusText / res.data / res.headers
+//
+// Errors throw with `.response = { status, statusText, data, headers }` and
+// `.config = { baseURL, url, method }` so `handleAPIError` keeps working
+// unchanged.
 import chalk from "chalk";
+import { Readable } from "stream";
 import { config } from "../helpers/config.js";
 let debugEnabled = false;
 export function enableDebug() {
@@ -22,57 +42,211 @@ const MODULE_HOST_OVERRIDES = {
 export function getModuleBaseUrl(module) {
     return MODULE_HOST_OVERRIDES[module] || `https://${module}-api.ayoune.app`;
 }
-const retryConfig = {
-    retries: 3,
-    retryDelay: (retryCount, error) => {
-        var _a, _b;
-        // Respect Retry-After header for 429 responses
-        const retryAfter = (_b = (_a = error.response) === null || _a === void 0 ? void 0 : _a.headers) === null || _b === void 0 ? void 0 : _b["retry-after"];
-        if (retryAfter) {
-            const seconds = parseInt(retryAfter, 10);
-            if (!isNaN(seconds)) {
-                debugLog(chalk.yellow(`Rate limited. Retrying in ${seconds}s...`));
-                return seconds * 1000;
+const DEFAULT_TIMEOUT = 30000;
+const MAX_RETRIES = 3;
+/**
+ * Build the full request URL from baseURL + url + serialized params.
+ * Handles the same edge cases as axios: collapses duplicate slashes,
+ * preserves the protocol's `://`, and skips falsy params.
+ */
+function buildUrl(req) {
+    const base = req.baseURL || "";
+    const path = req.url || "";
+    let combined = `${base}/${path}`.replace(/\/+/g, "/").replace(":/", "://");
+    if (req.params && typeof req.params === "object") {
+        const usp = new URLSearchParams();
+        for (const [k, v] of Object.entries(req.params)) {
+            if (v === undefined || v === null)
+                continue;
+            // Booleans / numbers stringify cleanly; arrays get repeated keys; objects get JSON.
+            if (Array.isArray(v)) {
+                v.forEach((item) => usp.append(k, String(item)));
+            }
+            else if (typeof v === "object") {
+                usp.append(k, JSON.stringify(v));
+            }
+            else {
+                usp.append(k, String(v));
             }
         }
-        // Exponential backoff: 1s, 2s, 4s
-        const delay = Math.pow(2, retryCount - 1) * 1000;
-        debugLog(chalk.yellow(`Retrying in ${delay / 1000}s (attempt ${retryCount}/3)...`));
-        return delay;
-    },
-    retryCondition: (error) => {
-        var _a;
-        // Retry on network errors, 5xx, and 429 (rate limit)
-        const status = (_a = error.response) === null || _a === void 0 ? void 0 : _a.status;
-        if (!status)
-            return true; // network error
-        return status >= 500 || status === 429;
-    },
-};
+        const qs = usp.toString();
+        if (qs)
+            combined += (combined.includes("?") ? "&" : "?") + qs;
+    }
+    return combined;
+}
+/** Build a "configured" request — used by api()/audit() to apply defaults. */
+function withDefaults(defaults, req) {
+    return {
+        ...defaults,
+        ...req,
+        headers: { ...(defaults.headers || {}), ...(req.headers || {}) },
+    };
+}
+/** Sleep for n ms — used by retry backoff. */
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/** Decide whether to retry given the last error. */
+function shouldRetry(err) {
+    // No response → network or timeout error → retry.
+    if (!err.response)
+        return true;
+    const status = err.response.status;
+    return status >= 500 || status === 429;
+}
+/** Compute backoff in ms, honouring Retry-After on 429. */
+function backoffMs(attempt, err) {
+    var _a, _b, _c;
+    const status = (_a = err.response) === null || _a === void 0 ? void 0 : _a.status;
+    const retryAfter = (_c = (_b = err.response) === null || _b === void 0 ? void 0 : _b.headers) === null || _c === void 0 ? void 0 : _c["retry-after"];
+    if (status === 429 && retryAfter) {
+        const seconds = parseInt(retryAfter, 10);
+        if (!Number.isNaN(seconds)) {
+            debugLog(chalk.yellow(`Rate limited. Retrying in ${seconds}s...`));
+            return seconds * 1000;
+        }
+    }
+    // Exponential: 1s, 2s, 4s
+    const delay = Math.pow(2, attempt) * 1000;
+    debugLog(chalk.yellow(`Retrying in ${delay / 1000}s (attempt ${attempt + 1}/${MAX_RETRIES})...`));
+    return delay;
+}
+/**
+ * Headers#entries() returned by undici returns a flat record. Normalize to
+ * a plain `Record<string, string>` so callers (and handleAPIError) can index
+ * by header name without thinking about Headers semantics.
+ */
+function headersToObject(headers) {
+    const out = {};
+    headers.forEach((value, key) => {
+        out[key.toLowerCase()] = value;
+    });
+    return out;
+}
+/**
+ * Single-shot fetch — no retry. Throws axios-shaped errors so the existing
+ * `handleAPIError` works unchanged.
+ */
+async function performRequest(req) {
+    var _a;
+    const method = (req.method || "GET").toUpperCase();
+    const url = buildUrl(req);
+    const headers = { ...(req.headers || {}) };
+    let body;
+    if (req.data !== undefined && req.data !== null && method !== "GET" && method !== "HEAD") {
+        body = typeof req.data === "string" ? req.data : JSON.stringify(req.data);
+        if (!headers["Content-Type"] && !headers["content-type"]) {
+            headers["Content-Type"] = "application/json";
+        }
+    }
+    const timeout = (_a = req.timeout) !== null && _a !== void 0 ? _a : DEFAULT_TIMEOUT;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeout);
+    let response;
+    try {
+        response = await fetch(url, {
+            method,
+            headers,
+            body,
+            signal: controller.signal,
+        });
+    }
+    catch (e) {
+        clearTimeout(timer);
+        const err = new Error(e.name === "AbortError" ? `Request timed out after ${timeout}ms` : e.message);
+        err.code = e.code;
+        err.config = { baseURL: req.baseURL, url: req.url, method };
+        throw err;
+    }
+    clearTimeout(timer);
+    // Stream mode: hand back a Node Readable wrapping the fetch body. Used by
+    // searchClient.searchGlobal() for the SSE endpoint. The caller .on('data')s
+    // it directly, no JSON parsing.
+    let data = undefined;
+    if (req.responseType === "stream" && response.body) {
+        // Readable.fromWeb is available since Node 18.
+        data = Readable.fromWeb(response.body);
+    }
+    else {
+        // Parse body — JSON if Content-Type says so, else text. Empty body → undefined.
+        const ct = response.headers.get("content-type") || "";
+        const text = await response.text();
+        if (text.length > 0) {
+            if (ct.includes("application/json")) {
+                try {
+                    data = JSON.parse(text);
+                }
+                catch (_b) {
+                    data = text;
+                }
+            }
+            else {
+                data = text;
+            }
+        }
+    }
+    const apiResponse = {
+        status: response.status,
+        statusText: response.statusText,
+        data,
+        headers: headersToObject(response.headers),
+        config: { baseURL: req.baseURL, url: req.url, method },
+    };
+    if (response.status >= 200 && response.status < 300) {
+        return apiResponse;
+    }
+    // Non-2xx → throw axios-shaped error.
+    const err = new Error(`HTTP ${response.status} ${response.statusText}`);
+    err.response = apiResponse;
+    err.config = apiResponse.config;
+    throw err;
+}
+/**
+ * Retry wrapper around `performRequest`. Mirrors the previous axios-retry
+ * config: 3 retries, exponential backoff (1s/2s/4s), respects Retry-After on
+ * 429, retries on network errors and 5xx/429 status codes.
+ */
+async function performRequestWithRetry(req) {
+    let lastErr;
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+        try {
+            return await performRequest(req);
+        }
+        catch (err) {
+            lastErr = err;
+            if (attempt >= MAX_RETRIES || !shouldRetry(err))
+                throw err;
+            await sleep(backoffMs(attempt, err));
+        }
+    }
+    throw lastErr;
+}
 /**
- * Debug-aware HTTP request wrapper.
- * Logs request/response details to stderr when debug mode is enabled.
+ * Debug-aware request wrapper. Logs request/response details to stderr when
+ * debug mode is enabled, then delegates to the retry wrapper.
  */
-async function debugRequest(client, requestConfig) {
+async function debugRequest(defaults, requestConfig) {
     var _a, _b, _c, _d;
-    const url = `${requestConfig.baseURL || ""}/${requestConfig.url || ""}`.replace(/\/+/g, "/").replace(":/", "://");
-    const method = (requestConfig.method || "GET").toUpperCase();
+    const merged = withDefaults(defaults, requestConfig);
+    const url = buildUrl(merged);
+    const method = (merged.method || "GET").toUpperCase();
     if (debugEnabled) {
         debugLog(`${chalk.yellow(method)} ${chalk.cyan(url)}`);
-        if (requestConfig.params && Object.keys(requestConfig.params).length) {
-            debugLog("params:", JSON.stringify(requestConfig.params));
+        if (merged.params && Object.keys(merged.params).length) {
+            debugLog("params:", JSON.stringify(merged.params));
         }
-        if (requestConfig.data) {
-            debugLog("body:", JSON.stringify(requestConfig.data).substring(0, 200));
+        if (merged.data) {
+            debugLog("body:", JSON.stringify(merged.data).substring(0, 200));
         }
-        const auth = ((_a = requestConfig.headers) === null || _a === void 0 ? void 0 : _a.Authorization) || ((_b = requestConfig.headers) === null || _b === void 0 ? void 0 : _b.authorization);
+        const auth = ((_a = merged.headers) === null || _a === void 0 ? void 0 : _a.Authorization) || ((_b = merged.headers) === null || _b === void 0 ? void 0 : _b.authorization);
         if (auth) {
             const token = String(auth);
             debugLog("auth:", token.substring(0, 15) + "..." + token.substring(token.length - 10));
         }
     }
     try {
-        const res = await client.request(requestConfig);
+        const res = await performRequestWithRetry(merged);
         if (debugEnabled) {
             const meta = (_c = res.data) === null || _c === void 0 ? void 0 : _c.meta;
             const total = (_d = meta === null || meta === void 0 ? void 0 : meta.pageInfo) === null || _d === void 0 ? void 0 : _d.totalEntries;
@@ -102,20 +276,13 @@ async function debugRequest(client, requestConfig) {
         throw err;
     }
 }
-const apiClient = http.create({
-    timeout: 30000,
-    retry: retryConfig,
-    logging: false,
-    metrics: false,
-});
-const auditClient = http.create({
+const API_DEFAULTS = { timeout: DEFAULT_TIMEOUT };
+const AUDIT_DEFAULTS = {
     baseURL: config.auditUrl,
-    retry: retryConfig,
-    logging: false,
-    metrics: false,
-});
-/** Callable API client that supports debug logging */
-const api = (requestConfig) => debugRequest(apiClient, requestConfig);
-/** Callable audit client that supports debug logging */
-const audit = (requestConfig) => debugRequest(auditClient, requestConfig);
+    timeout: DEFAULT_TIMEOUT,
+};
+/** Callable API client that supports debug logging. */
+const api = (requestConfig) => debugRequest(API_DEFAULTS, requestConfig);
+/** Callable audit client that supports debug logging. */
+const audit = (requestConfig) => debugRequest(AUDIT_DEFAULTS, requestConfig);
 export { api, audit };

package/lib/commands/_registry.js

@@ -223,6 +223,23 @@ export const COMMAND_REGISTRY = [
         description: "Check for and apply updates to a self-hosted aYOUne deployment",
         loader: async () => (await import("./createSelfHostUpdateCommand.js")).createSelfHostUpdateCommand,
     },
+    {
+        name: "local",
+        description: "Run a self-hosted aYOUne instance locally via Docker Compose",
+        loader: async () => (await import("./local/index.js")).createLocalCommand,
+    },
+    {
+        name: "functions",
+        aliases: ["fns"],
+        description: "Manage Custom Functions (sandboxed FaaS) for this customer",
+        loader: async () => (await import("./functions/index.js")).createFunctionsCommand,
+    },
+    {
+        name: "provision",
+        aliases: ["prov"],
+        description: "Provision aYOUne to a cloud provider (AWS / GCP / Azure / DigitalOcean / Hetzner)",
+        loader: async () => (await import("./provision/index.js")).createProvisionCommand,
+    },
     {
         name: "context",
         aliases: ["ctx"],

package/lib/commands/createProgram.js

@@ -34,7 +34,7 @@ import { loadAliases } from "./createAliasCommand.js";
 import { getLogoSync, brandHighlight, dim } from "../helpers/logo.js";
 import { createRequire } from "module";
 // HEAVY modules deliberately NOT imported at the top of this file:
-//   - ../api/apiClient (pulls in @tolinax/ayoune-core HTTP client + axios)
+//   - ../api/apiClient (uses native fetch but still pulls in chalk + config)
 //   - ../api/apiCallHandler (pulls in apiClient + secureStorage + login)
 //   - ../helpers/secureStorage (pulls in node-localstorage + crypto)
 //   - ../api/login (pulls in socket.io-client)

package/lib/commands/createSelfHostUpdateCommand.js

@@ -2,26 +2,7 @@ import chalk from "chalk";
 import { spinner } from "../../index.js";
 import { EXIT_GENERAL_ERROR } from "../exitCodes.js";
 import { cliError } from "../helpers/cliError.js";
-import { execSync } from "child_process";
-function runCommand(cmd) {
-    try {
-        return execSync(cmd, { encoding: "utf-8", timeout: 30000 }).trim();
-    }
-    catch (_a) {
-        return "";
-    }
-}
-function detectRuntime() {
-    // Check for docker compose
-    const composeResult = runCommand("docker compose version 2>&1");
-    if (composeResult.includes("Docker Compose"))
-        return "compose";
-    // Check for kubectl
-    const kubectlResult = runCommand("kubectl version --client 2>&1");
-    if (kubectlResult.includes("Client Version"))
-        return "kubernetes";
-    return "unknown";
-}
+import { runCommand, detectRuntime } from "../helpers/dockerCompose.js";
 function getRunningComposeServices() {
     const output = runCommand('docker compose ps --format "{{.Name}}" 2>&1');
     if (!output)

package/lib/commands/createServicesCommand.js

@@ -127,16 +127,17 @@ Examples:
             // Deduplicate by host
             const uniqueTargets = [...new Map(targets.map((t) => [t.host, t])).values()];
             spinner.start({ text: `Checking ${uniqueTargets.length} service(s)...`, color: "magenta" });
-            const { http } = await import("@tolinax/ayoune-core/lib/http");
             const results = await Promise.allSettled(uniqueTargets.map(async (t) => {
                 const start = Date.now();
+                // Native fetch with AbortController-driven timeout. We previously
+                // used @tolinax/ayoune-core's http wrapper here, but it loads the
+                // backend AY singleton (mongoose + ioredis + prom-client) at import
+                // time and has no place in a CLI process.
+                const controller = new AbortController();
+                const timer = setTimeout(() => controller.abort(), opts.timeout);
                 try {
-                    const resp = await http.get(`https://${t.host}/`, {
-                        timeout: opts.timeout,
-                        validateStatus: () => true,
-                        logging: false,
-                        metrics: false,
-                    });
+                    const resp = await fetch(`https://${t.host}/`, { signal: controller.signal });
+                    clearTimeout(timer);
                     return {
                         host: t.host,
                         name: t.name,
@@ -146,13 +147,14 @@ Examples:
                     };
                 }
                 catch (e) {
+                    clearTimeout(timer);
                     return {
                         host: t.host,
                         name: t.name,
                         status: "unreachable",
                         statusCode: 0,
                         responseTime: Date.now() - start,
-                        error: e.code || e.message,
+                        error: e.name === "AbortError" ? "timeout" : (e.code || e.message),
                     };
                 }
             }));

package/lib/commands/createSetupCommand.js

@@ -3,9 +3,11 @@ import inquirer from "inquirer";
 import { writeFile, mkdir } from "fs/promises";
 import { existsSync } from "fs";
 import path from "path";
+import { spawn } from "child_process";
 import { spinner } from "../../index.js";
 import { EXIT_GENERAL_ERROR } from "../exitCodes.js";
 import { cliError } from "../helpers/cliError.js";
+import { detectRuntime } from "../helpers/dockerCompose.js";
 const AVAILABLE_MODULES = [
     { name: "CRM", value: "crm", description: "Customer Relationship Management" },
     { name: "Marketing", value: "marketing", description: "Marketing automation & campaigns" },
@@ -152,6 +154,36 @@ function generateRandomString(length) {
 function capitalize(s) {
     return s.charAt(0).toUpperCase() + s.slice(1);
 }
+/**
+ * Launch the freshly-generated compose stack from the output dir, then poll
+ * the status command until services come up healthy or we time out. Wired
+ * into `ay setup` so the first-run experience is "answer questions →
+ * everything is running" instead of "answer questions → here's the next
+ * shell command to type".
+ */
+async function launchComposeStack(outputDir, profiles) {
+    spinner.start({ text: `Starting docker compose with profiles: ${profiles.join(", ")}`, color: "cyan" });
+    const profileArgs = profiles.flatMap((p) => ["--profile", p]);
+    const args = [...profileArgs, "up", "-d"];
+    const code = await new Promise((resolve) => {
+        const child = spawn("docker", ["compose", ...args], {
+            cwd: outputDir,
+            stdio: "inherit",
+            shell: process.platform === "win32",
+        });
+        child.on("exit", (c) => resolve(c !== null && c !== void 0 ? c : 0));
+        child.on("error", () => resolve(1));
+    });
+    if (code !== 0) {
+        spinner.error({ text: "docker compose up failed" });
+        cliError("Could not start the stack — check the docker compose output above.", EXIT_GENERAL_ERROR);
+    }
+    spinner.success({ text: "Stack started" });
+    console.log("");
+    console.log(chalk.green("  aYOUne is starting up."));
+    console.log(chalk.dim("  Run `ay status` to verify all services are healthy."));
+    console.log("");
+}
 export function createSetupCommand(program) {
     program
         .command("setup")
@@ -285,13 +317,33 @@ Examples:
             else {
                 spinner.success({ text: "Configuration files generated!" });
                 spinner.stop();
-                const profiles = ["core", ...answers.modules].join(",");
+                const profiles = ["core", ...answers.modules];
                 console.log(chalk.green("\n  Generated files:"));
                 console.log(chalk.dim(`    ${envPath}`));
-                console.log(chalk.cyan("\n  Next steps:"));
-                console.log(chalk.dim("    1. Review and adjust the .env file"));
-                console.log(chalk.dim(`    2. docker compose --profile ${profiles} up -d`));
-                console.log(chalk.dim("    3. ay status  — verify all services are healthy\n"));
+                // Offer to launch the stack right away. Skipped non-interactively
+                // (CI / piped) — that path keeps the original "next steps" output.
+                const canLaunch = process.stdin.isTTY && detectRuntime() === "compose";
+                let launched = false;
+                if (canLaunch) {
+                    const { launchNow } = await inquirer.prompt([
+                        {
+                            type: "confirm",
+                            name: "launchNow",
+                            message: "Start aYOUne now?",
+                            default: true,
+                        },
+                    ]);
+                    if (launchNow) {
+                        await launchComposeStack(outputDir, profiles);
+                        launched = true;
+                    }
+                }
+                if (!launched) {
+                    console.log(chalk.cyan("\n  Next steps:"));
+                    console.log(chalk.dim("    1. Review and adjust the .env file"));
+                    console.log(chalk.dim(`    2. docker compose --profile ${profiles.join(" --profile ")} up -d`));
+                    console.log(chalk.dim("    3. ay status  — verify all services are healthy\n"));
+                }
             }
             if (!answers.licenseKey) {
                 console.log(chalk.yellow("  Note: Running in 14-day trial mode.") +

package/lib/commands/functions/_shared.js

@@ -0,0 +1,38 @@
+// Shared helpers for the `ay functions *` subcommands.
+//
+// Centralizes the user-functions resource path and the id-or-slug resolver
+// so each subcommand stays small and consistent. The custom-functions API
+// accepts both `_id` (Mongo) and `slug` in path params, but list/get/etc.
+// vary in which they prefer — wrapping the resolution here keeps the
+// per-subcommand files focused on their actual verb.
+import { apiCallHandler } from "../../api/apiCallHandler.js";
+/** Module that hosts the userfunctions collection. */
+export const FN_MODULE = "config";
+/** Collection segment used in URL paths. */
+export const FN_COLLECTION = "userfunctions";
+/**
+ * Resolve a user-supplied identifier (slug or _id) to a concrete function
+ * record. Returns the full doc; throws if nothing matches.
+ *
+ * The userfunctions list endpoint supports `?slug=` and `?_id=` filters.
+ * Many subcommands need the full record (e.g. invoke needs the entry id +
+ * latest version) — fetching it once via the resolver keeps every callsite
+ * uniform and gives consistent error messages.
+ */
+export async function resolveFunction(idOrSlug) {
+    // Try direct GET first — works when the user passed a Mongo _id.
+    if (/^[a-f0-9]{24}$/i.test(idOrSlug)) {
+        const direct = await apiCallHandler(FN_MODULE, `${FN_COLLECTION}/${idOrSlug}`, "get");
+        if (direct === null || direct === void 0 ? void 0 : direct.payload)
+            return direct.payload;
+    }
+    // Otherwise treat it as a slug + filter the list endpoint.
+    const res = await apiCallHandler(FN_MODULE, FN_COLLECTION, "get", null, {
+        slug: idOrSlug,
+        limit: 1,
+    });
+    const hit = Array.isArray(res === null || res === void 0 ? void 0 : res.payload) ? res.payload[0] : res === null || res === void 0 ? void 0 : res.payload;
+    if (!hit)
+        throw new Error(`No function found for "${idOrSlug}"`);
+    return hit;
+}

package/lib/commands/functions/_validateSource.js

@@ -0,0 +1,50 @@
+// Light source validation for `ay functions deploy`.
+//
+// We can't actually run the code (the sandbox lives in
+// platform/custom-functions-worker via isolated-vm), but we can catch the
+// most common end-user mistakes that would otherwise produce confusing
+// runtime errors:
+//   - importing Node builtins like `fs` / `child_process` / `net` (sandbox
+//     forbids them — surface that early instead of after publishing)
+//   - using `import` syntax (the sandbox is CommonJS, isolated-vm doesn't
+//     run an ESM loader)
+//   - missing `module.exports = async function ...`
+//
+// Returns a list of warnings; the deploy subcommand prints them and asks
+// for confirmation if any are present.
+const FORBIDDEN_BUILTINS = [
+    "fs",
+    "child_process",
+    "net",
+    "tls",
+    "dgram",
+    "dns",
+    "http",
+    "https",
+    "cluster",
+    "worker_threads",
+    "vm",
+    "os",
+    "process",
+    "v8",
+];
+export function validateFunctionSource(source) {
+    const warnings = [];
+    // ESM imports — sandbox is CJS.
+    if (/^\s*import\s+/m.test(source)) {
+        warnings.push("Detected `import` syntax. The Custom Functions sandbox runs CommonJS — use `const x = require(...)` instead.");
+    }
+    // Forbidden builtins via require().
+    const requireMatches = source.matchAll(/require\(\s*['"]([^'"]+)['"]\s*\)/g);
+    for (const m of requireMatches) {
+        const mod = m[1];
+        if (FORBIDDEN_BUILTINS.includes(mod)) {
+            warnings.push(`Importing Node builtin "${mod}" — the sandbox does not expose this module. Use the platform SDK (\`ay\`) instead.`);
+        }
+    }
+    // Module.exports check.
+    if (!/module\.exports\s*=/.test(source) && !/exports\.\w+\s*=/.test(source)) {
+        warnings.push("Source does not export anything. The sandbox expects `module.exports = async (input, ay) => {...}`.");
+    }
+    return warnings;
+}