@uploadista/server 0.0.18-beta.9 → 0.0.19

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@uploadista/server",
   "type": "module",
-  "version": "0.0.18-beta.9",
+  "version": "0.0.19",
   "description": "Core Server package for Uploadista",
   "license": "MIT",
   "author": "Uploadista",
@@ -20,10 +20,10 @@
     }
   },
   "dependencies": {
-    "@uploadista/core": "0.0.18-beta.9",
-    "@uploadista/observability": "0.0.18-beta.9",
-    "@uploadista/event-emitter-websocket": "0.0.18-beta.9",
-    "@uploadista/event-broadcaster-memory": "0.0.18-beta.9"
+    "@uploadista/core": "0.0.19",
+    "@uploadista/event-emitter-websocket": "0.0.19",
+    "@uploadista/observability": "0.0.19",
+    "@uploadista/event-broadcaster-memory": "0.0.19"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "4.20251202.0",
@@ -34,9 +34,9 @@
     "tsd": "0.33.0",
     "tsdown": "0.16.8",
     "typescript": "5.9.3",
-    "vitest": "4.0.14",
+    "vitest": "4.0.15",
     "zod": "4.1.13",
-    "@uploadista/typescript-config": "0.0.18-beta.9"
+    "@uploadista/typescript-config": "0.0.19"
   },
   "peerDependencies": {
     "effect": "^3.0.0",

package/src/core/http-handlers/upload-http-handlers.ts

@@ -5,8 +5,8 @@ import { MetricsService } from "@uploadista/observability";
 import { Effect } from "effect";
 import { AuthCacheService } from "../../cache";
 import { ValidationError } from "../../error-types";
-import { PERMISSIONS } from "../../permissions/types";
 import { QuotaExceededError } from "../../permissions/errors";
+import { PERMISSIONS } from "../../permissions/types";
 import { AuthContextService } from "../../service";
 import { UsageHookService } from "../../usage-hooks/service";
 import type {

package/src/core/server.ts

@@ -193,6 +193,7 @@ export const createUploadistaServer = async <
   eventEmitter,
   eventBroadcaster = memoryEventBroadcaster,
   withTracing = false,
+  observabilityLayer,
   baseUrl: configBaseUrl = "uploadista",
   generateId = GenerateIdLive,
   metricsLayer,
@@ -308,6 +309,15 @@ export const createUploadistaServer = async <
     ...(dlqLayer ? [dlqLayer] : []),
   );
 
+  /**
+   * Determine the tracing layer to use.
+   * This must be included in the runtime layer (not per-request) so that the
+   * BatchSpanProcessor can aggregate spans across requests and flush them properly.
+   */
+  const tracingLayer = withTracing
+    ? observabilityLayer ?? NodeSdkLive
+    : null;
+
   /**
    * Type Casting Rationale for Plugin System
    *
@@ -385,16 +395,29 @@ export const createUploadistaServer = async <
    * @see validatePluginRequirements - Runtime validation helper
    * @see ValidatePlugins - Compile-time validation type utility
    */
-  const serverLayer = serverLayerRaw as unknown as Layer.Layer<
+  const serverLayerTyped = serverLayerRaw as unknown as Layer.Layer<
     // biome-ignore lint/suspicious/noExplicitAny: Dynamic plugin requirements require any - see comprehensive explanation above
     any,
     never,
     never
   >;
 
+  /**
+   * Final server layer with optional tracing.
+   * The tracing layer is merged at runtime level (not per-request) so that:
+   * 1. The OpenTelemetry SDK is initialized once for the server
+   * 2. The BatchSpanProcessor can aggregate spans across requests
+   * 3. Spans are properly flushed when the runtime is disposed
+   */
+  const serverLayer = tracingLayer
+    ? Layer.merge(serverLayerTyped, tracingLayer)
+    : serverLayerTyped;
+
   // Create a shared managed runtime from the server layer
   // This ensures all requests use the same layer instances (including event broadcaster)
   // ManagedRuntime properly handles scoped resources and provides convenient run methods
+  // When tracing is enabled, the OpenTelemetry SDK is part of this runtime and will be
+  // properly shut down (flushing all pending spans) when dispose() is called
 
   const managedRuntime = ManagedRuntime.make(serverLayer);
 
@@ -491,7 +514,10 @@ export const createUploadistaServer = async <
       }
 
       // Create auth context layer for this request
-      const authContextLayer = AuthContextServiceLive(authContext);
+      // If no auth middleware is configured, bypass permission checks (backward compatibility)
+      const authContextLayer = AuthContextServiceLive(authContext, {
+        bypassAuth: !adapter.runAuthMiddleware,
+      });
 
       // Extract waitUntil callback if available (for Cloudflare Workers)
       // This must be extracted per-request since it comes from the framework context
@@ -559,12 +585,8 @@ export const createUploadistaServer = async <
       }),
     );
 
-    // Use the shared managed runtime instead of creating a new one per request
-    if (withTracing) {
-      return managedRuntime.runPromise(
-        program.pipe(Effect.provide(NodeSdkLive)),
-      );
-    }
+    // Use the shared managed runtime which includes all layers (including tracing if enabled)
+    // Tracing is now part of the runtime layer, so spans are properly aggregated and flushed
     return managedRuntime.runPromise(program);
   };
 

package/src/core/types.ts

@@ -230,6 +230,42 @@ export interface UploadistaServerConfig<
    */
   withTracing?: boolean;
 
+  /**
+   * Optional: Custom observability layer for distributed tracing.
+   *
+   * When provided, this layer will be used instead of the default NodeSdkLive.
+   * This allows you to configure custom OTLP exporters (e.g., for Grafana Cloud,
+   * Jaeger, or other OpenTelemetry-compatible backends).
+   *
+   * Requires `withTracing: true` to be effective.
+   *
+   * @example
+   * ```typescript
+   * import { OtlpNodeSdkLive, createOtlpNodeSdkLayer } from "@uploadista/observability";
+   *
+   * // Option 1: Use default OTLP layer (reads from env vars)
+   * const server = await createUploadistaServer({
+   *   withTracing: true,
+   *   observabilityLayer: OtlpNodeSdkLive,
+   *   // ...
+   * });
+   *
+   * // Option 2: Custom configuration with tenant attributes
+   * const server = await createUploadistaServer({
+   *   withTracing: true,
+   *   observabilityLayer: createOtlpNodeSdkLayer({
+   *     serviceName: "uploadista-cloud-api",
+   *     resourceAttributes: {
+   *       "deployment.environment": "production",
+   *     },
+   *   }),
+   *   // ...
+   * });
+   * ```
+   */
+  // biome-ignore lint/suspicious/noExplicitAny: Observability layers from @effect/opentelemetry provide different services
+  observabilityLayer?: Layer.Layer<any, never, never>;
+
   /**
    * Optional: Metrics layer for observability.
    *

package/src/service.ts

@@ -114,17 +114,32 @@ export class AuthContextService extends Context.Tag("AuthContextService")<
   }
 >() {}
 
+/**
+ * Options for creating an AuthContextService Layer.
+ */
+export interface AuthContextServiceOptions {
+  /**
+   * When true, bypasses all permission checks (grants all permissions).
+   * Used when no auth middleware is configured (backward compatibility).
+   * @default false
+   */
+  bypassAuth?: boolean;
+}
+
 /**
  * Creates an AuthContextService Layer from an AuthContext.
  * This is typically called by adapters after successful authentication.
  *
  * @param authContext - The authentication context from middleware
+ * @param options - Optional configuration for auth behavior
  * @returns Effect Layer providing AuthContextService
  */
 export const AuthContextServiceLive = (
   authContext: AuthContext | null,
+  options?: AuthContextServiceOptions,
 ): Layer.Layer<AuthContextService> => {
   const permissions = authContext?.permissions ?? [];
+  const bypassAuth = options?.bypassAuth ?? false;
 
   return Layer.succeed(AuthContextService, {
     getClientId: () => Effect.succeed(authContext?.clientId ?? null),
@@ -132,13 +147,24 @@ export const AuthContextServiceLive = (
     getMetadata: () => Effect.succeed(authContext?.metadata ?? {}),
 
     hasPermission: (permission: string) =>
-      Effect.succeed(matchHasPermission(permissions, permission)),
+      bypassAuth
+        ? Effect.succeed(true)
+        : Effect.succeed(matchHasPermission(permissions, permission)),
 
     hasAnyPermission: (requiredPermissions: readonly string[]) =>
-      Effect.succeed(matchHasAnyPermission(permissions, requiredPermissions)),
+      bypassAuth
+        ? Effect.succeed(true)
+        : Effect.succeed(matchHasAnyPermission(permissions, requiredPermissions)),
 
     requirePermission: (permission: string) =>
       Effect.gen(function* () {
+        // If bypass mode is enabled, grant all permissions
+        if (bypassAuth) {
+          yield* Effect.logDebug(
+            `[Auth] Bypass mode: permission '${permission}' auto-granted`,
+          );
+          return;
+        }
         if (!authContext) {
           yield* Effect.logDebug(
             `[Auth] Permission check failed: authentication required for '${permission}'`,