@vertesia/workflow 1.0.0 → 1.1.0-dev.20260427.060440Z

package/src/dsl/dsl-workflow.ts

@@ -183,9 +183,9 @@ async function executeSteps(definition: DSLWorkflowSpec, payload: DSLWorkflowExe
             if (stepType === 'workflow') {
                 const childWorkflowStep = step as DSLChildWorkflowStep;
                 if (childWorkflowStep.async) {
-                    await startChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode);
+                    await startChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode, defaultProxy, basePayload);
                 } else {
-                    await executeChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode);
+                    await executeChildWorkflow(childWorkflowStep, payload, vars, basePayload.debug_mode, defaultProxy, basePayload);
                 }
             } else { // activity
                 await runActivity(step as DSLActivitySpec, basePayload, vars, defaultProxy, defaultOptions, remoteActivities);
@@ -236,11 +236,20 @@ async function handleError(originalError: any, basePayload: BaseActivityPayload,
     throw originalError;
 }
 
-async function startChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean) {
+async function startChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean, proxy?: ActivityInterfaceFor<UntypedActivities>, basePayload?: BaseActivityPayload) {
     if (step.condition && !vars.match(step.condition)) {
         log.info("Child workflow skipped: condition not satisfied", { workflow: step.name, condition: step.condition });
         return;
     }
+    if (step.name.startsWith('dsl:') && !step.spec && proxy && basePayload) {
+        const workflowName = step.name.slice(4);
+        const specPayload = dslActivityPayload(basePayload, { name: 'loadChildWorkflowSpec' } as DSLActivitySpec, { workflowName });
+        const spec = await proxy.loadChildWorkflowSpec(specPayload) as DSLWorkflowSpec;
+        const humanName = spec.name.replace(/([A-Z])/g, ' $1').trim();
+        const objectIds = getDocumentIds(payload);
+        const workflowId = objectIds.length > 0 ? `${humanName}:${objectIds[0]}` : humanName;
+        step = { ...step, name: 'dslWorkflow', spec, options: { ...step.options, workflowId } };
+    }
     const resolvedVars = vars.resolve();
     if (step.vars) {
         // copy user vars (from step definition) to the resolved vars, resolving any expressions
@@ -274,11 +283,20 @@ async function startChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkfl
     }
 }
 
-async function executeChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean) {
+async function executeChildWorkflow(step: DSLChildWorkflowStep, payload: DSLWorkflowExecutionPayload, vars: Vars, debug_mode?: boolean, proxy?: ActivityInterfaceFor<UntypedActivities>, basePayload?: BaseActivityPayload) {
     if (step.condition && !vars.match(step.condition)) {
         log.info("Child workflow skipped: condition not satisfied", { workflow: step.name, condition: step.condition });
         return;
     }
+    if (step.name.startsWith('dsl:') && !step.spec && proxy && basePayload) {
+        const workflowName = step.name.slice(4);
+        const specPayload = dslActivityPayload(basePayload, { name: 'loadChildWorkflowSpec' } as DSLActivitySpec, { workflowName });
+        const spec = await proxy.loadChildWorkflowSpec(specPayload) as DSLWorkflowSpec;
+        const humanName = spec.name.replace(/([A-Z])/g, ' $1').trim();
+        const objectIds = getDocumentIds(payload);
+        const workflowId = objectIds.length > 0 ? `${humanName}:${objectIds[0]}` : humanName;
+        step = { ...step, name: 'dslWorkflow', spec, options: { ...step.options, workflowId } };
+    }
     const resolvedVars = vars.resolve();
     if (step.vars) {
         // copy user vars (from step definition) to the resolved vars, resolving any expressions

package/src/dsl/setup/ActivityContext.test.ts

@@ -0,0 +1,57 @@
+import { ContentEventName, DSLActivityExecutionPayload } from "@vertesia/common";
+import { describe, expect, it } from "vitest";
+import { setupActivity } from "./ActivityContext.js";
+
+const MOCK_AUTH_TOKEN =
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbW9jay10b2tlbi1zZXJ2ZXIiLCJzdWIiOiJ0ZXN0In0.signature";
+
+function basePayload<T extends Record<string, any>>(
+    activity: DSLActivityExecutionPayload<T>["activity"],
+    params: T,
+): DSLActivityExecutionPayload<T> {
+    return {
+        event: ContentEventName.create,
+        vars: {},
+        account_id: "acc",
+        project_id: "prj",
+        auth_token: MOCK_AUTH_TOKEN,
+        config: { studio_url: "http://localhost", store_url: "http://localhost" },
+        activity,
+        params,
+        workflow_name: "test",
+    };
+}
+
+describe("setupActivity", () => {
+    // Regression guard: user-supplied strings containing "${...}" must be preserved
+    // verbatim when the activity is dispatched from TypeScript code (no activity.params,
+    // no activity.fetch). Previously Vars.parse/resolve would treat any "${...}" as a
+    // template ref and silently drop the key when it failed to resolve.
+    it("preserves user data containing literal ${} in code-dispatched activities", async () => {
+        const data = {
+            task: 'preserve "${}" literal',
+            other: "also has ${undefined_ref}",
+        };
+        const payload = basePayload({ name: "testActivity" }, { data });
+        const ctx = await setupActivity(payload);
+        expect(ctx.params.data.task).toBe('preserve "${}" literal');
+        expect(ctx.params.data.other).toBe("also has ${undefined_ref}");
+    });
+
+    it("returns empty params when code-dispatched activity has no params", async () => {
+        const payload = basePayload({ name: "testActivity" }, undefined as any);
+        const ctx = await setupActivity(payload);
+        expect(ctx.params).toEqual({});
+    });
+
+    // Counter-test: DSL-defined activities (those carrying activity.params) must
+    // still have their ${refs} resolved against payload.params (imported vars).
+    it("still resolves ${refs} in activity.params for DSL-dispatched activities", async () => {
+        const payload = basePayload(
+            { name: "dslActivity", params: { message: "Hello ${name}" } },
+            { name: "World" } as any,
+        );
+        const ctx = await setupActivity(payload);
+        expect((ctx.params as any).message).toBe("Hello World");
+    });
+});

package/src/dsl/setup/ActivityContext.ts

@@ -183,6 +183,22 @@ export class ActivityContext<ParamsT extends Record<string, any>> {
 export async function setupActivity<ParamsT extends Record<string, any>>(
     payload: DSLActivityExecutionPayload<ParamsT>,
 ) {
+    const client = await getVertesiaClient(payload);
+
+    // Activities dispatched from TypeScript code (via dslProxyActivities) set
+    // only `activity.name`; their params are a plain TS object that must not
+    // be run through Vars template expansion — doing so would interpret any
+    // `${...}` in user-supplied strings as a variable reference and silently
+    // drop the key when it fails to resolve. Only DSL-defined activities
+    // (which carry `activity.params` and/or `activity.fetch`) need Vars.
+    const isDslDispatched =
+        payload.activity.params !== undefined || payload.activity.fetch !== undefined;
+
+    if (!isDslDispatched) {
+        const params = (payload.params ?? {}) as ParamsT;
+        return new ActivityContext<ParamsT>(payload, client, params);
+    }
+
     const isDebugMode = !!payload.debug_mode;
 
     const vars = new Vars({
@@ -190,7 +206,6 @@ export async function setupActivity<ParamsT extends Record<string, any>>(
         ...payload.activity.params, // activity params (may contain expressions)
     });
 
-    //}
     if (isDebugMode) {
         log.info(`Setting up activity ${payload.activity.name}`, {
             config: payload.config,
@@ -200,7 +215,6 @@ export async function setupActivity<ParamsT extends Record<string, any>>(
         });
     }
 
-    const client = await getVertesiaClient(payload);
     const fetchSpecs = payload.activity.fetch;
     if (fetchSpecs) {
         const keys = Object.keys(fetchSpecs);

package/src/security/ssrf.ts

@@ -0,0 +1,32 @@
+/**
+ * SSRF protection shim for @vertesia/workflow.
+ *
+ * URL validation is delegated via client.apps.validateUrl() so that security
+ * policy details (blocked IP ranges, ports, hostnames) are not exposed in this
+ * public package.
+ *
+ * This file only provides redirect-safe fetch and the error class.
+ */
+
+export class URLValidationError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = 'URLValidationError';
+    }
+}
+
+/**
+ * Redirect-safe fetch wrapper. Does not validate the URL — call client.apps.validateUrl() first.
+ * @throws {URLValidationError} if the server redirects (potential redirect-based SSRF)
+ */
+export async function safeFetch(url: string, init: RequestInit = {}): Promise<Response> {
+    const response = await fetch(url, { ...init, redirect: 'manual' });
+    // Only block actual redirects (those with a Location header). 304 Not Modified is a 3xx
+    // but carries no Location and must not be treated as a redirect.
+    if (response.headers.has('location')) {
+        throw new URLValidationError(
+            `Request to ${url} returned a redirect (${response.status}), which is not allowed`,
+        );
+    }
+    return response;
+}