alepha 0.15.2 → 0.15.3

package/src/react/router/services/ReactRouter.ts

@@ -7,7 +7,7 @@ import {
   type ReactRouterState,
 } from "../providers/ReactPageProvider.ts";
 
-export interface RouterGoOptions {
+export interface RouterPushOptions {
   replace?: boolean;
   params?: Record<string, string>;
   query?: Record<string, string>;
@@ -114,7 +114,7 @@ export class ReactRouter<T extends object> {
       return;
     }
 
-    await this.go(this.location.pathname + this.location.search, {
+    await this.push(this.location.pathname + this.location.search, {
       replace: true,
       force: true,
     });
@@ -168,18 +168,18 @@ export class ReactRouter<T extends object> {
     await this.browser?.invalidate(props);
   }
 
-  public async go(path: string, options?: RouterGoOptions): Promise<void>;
-  public async go(
+  public async push(path: string, options?: RouterPushOptions): Promise<void>;
+  public async push(
     path: keyof VirtualRouter<T>,
-    options?: RouterGoOptions,
+    options?: RouterPushOptions,
   ): Promise<void>;
-  public async go(
+  public async push(
     path: string | keyof VirtualRouter<T>,
-    options?: RouterGoOptions,
+    options?: RouterPushOptions,
   ): Promise<void> {
     for (const page of this.pages) {
       if (page.name === path) {
-        await this.browser?.go(
+        await this.browser?.push(
           this.path(path as keyof VirtualRouter<T>, options),
           options,
         );
@@ -187,17 +187,17 @@ export class ReactRouter<T extends object> {
       }
     }
 
-    await this.browser?.go(path as string, options);
+    await this.browser?.push(path as string, options);
   }
 
-  public anchor(path: string, options?: RouterGoOptions): AnchorProps;
+  public anchor(path: string, options?: RouterPushOptions): AnchorProps;
   public anchor(
     path: keyof VirtualRouter<T>,
-    options?: RouterGoOptions,
+    options?: RouterPushOptions,
   ): AnchorProps;
   public anchor(
     path: string | keyof VirtualRouter<T>,
-    options: RouterGoOptions = {},
+    options: RouterPushOptions = {},
   ): AnchorProps {
     let href = path as string;
 
@@ -214,7 +214,7 @@ export class ReactRouter<T extends object> {
         ev.stopPropagation();
         ev.preventDefault();
 
-        this.go(href, options).catch(console.error);
+        this.push(href, options).catch(console.error);
       },
     };
   }

package/src/security/__tests__/ServerSecurityProvider.spec.ts

@@ -15,6 +15,7 @@ describe("ServerSecurityProvider", () => {
   it("should protect action from unauthorized users", async () => {
     class TestApp {
       ok = $action({
+        secure: true,
         handler: () => "OK",
       });
     }
@@ -63,10 +64,12 @@ describe("ServerSecurityProvider", () => {
   it("should guard by permission", async () => {
     class TestApp {
       admin = $action({
+        secure: true,
         group: "read",
         handler: () => "ADMIN",
       });
       user = $action({
+        secure: true,
         group: "read",
         handler: () => "USER",
       });
@@ -128,4 +131,78 @@ describe("ServerSecurityProvider", () => {
       await app.admin.fetch({}, { user: admin }).then((it) => it.data),
     ).toBe("ADMIN");
   });
+
+  it("should allow public actions by default (no secure option)", async () => {
+    class TestApp {
+      public = $action({
+        handler: () => "PUBLIC",
+      });
+      issuer = $issuer({
+        secret: "test",
+        roles: [{ name: "user", permissions: [{ name: "*" }] }],
+      });
+    }
+
+    const alepha = Alepha.create().with(AlephaServer).with(AlephaSecurity);
+    const app = alepha.inject(TestApp);
+    await alepha.start();
+
+    // Should work without authentication via .run()
+    expect(await app.public.run({})).toBe("PUBLIC");
+
+    // Should work without authentication via .fetch()
+    expect(await app.public.fetch({}).then((it) => it.data)).toBe("PUBLIC");
+
+    // Should work via HTTP without token
+    const response = await fetch(
+      `${alepha.inject(ServerProvider).hostname}${app.public.route.path}`,
+    );
+    expect(response.status).toBe(200);
+    expect(await response.text()).toBe("PUBLIC");
+  });
+
+  it("should allow explicit secure: false", async () => {
+    class TestApp {
+      public = $action({
+        secure: false,
+        handler: () => "PUBLIC",
+      });
+      issuer = $issuer({
+        secret: "test",
+        roles: [{ name: "user", permissions: [{ name: "*" }] }],
+      });
+    }
+
+    const alepha = Alepha.create().with(AlephaServer).with(AlephaSecurity);
+    const app = alepha.inject(TestApp);
+    await alepha.start();
+
+    // Should work without authentication
+    expect(await app.public.run({})).toBe("PUBLIC");
+    expect(await app.public.fetch({}).then((it) => it.data)).toBe("PUBLIC");
+  });
+
+  it("should require auth when secure: true is explicit", async () => {
+    class TestApp {
+      protected = $action({
+        secure: true,
+        handler: () => "PROTECTED",
+      });
+      issuer = $issuer({
+        secret: "test",
+        roles: [{ name: "user", permissions: [{ name: "*" }] }],
+      });
+    }
+
+    const alepha = Alepha.create().with(AlephaServer).with(AlephaSecurity);
+    const app = alepha.inject(TestApp);
+    await alepha.start();
+
+    // Should fail without user
+    await expect(app.protected.run({})).rejects.toThrowError(UnauthorizedError);
+
+    // Should succeed with user
+    const user = { id: randomUUID(), roles: ["user"] };
+    expect(await app.protected.run({}, { user })).toBe("PROTECTED");
+  });
 });

package/src/security/providers/ServerSecurityProvider.ts

@@ -31,25 +31,23 @@ export class ServerSecurityProvider {
     handler: async () => {
       for (const action of this.alepha.primitives($action)) {
         // -------------------------------------------------------------------------------------------------------------
-        // if the action is disabled or not secure, we do NOT create a permission for it
+        // Only create permission when secure is explicitly set to true
+        // Actions are public by default (like $route)
         // -------------------------------------------------------------------------------------------------------------
         if (
           action.options.disabled ||
-          action.options.secure === false ||
+          action.options.secure !== true ||
           this.securityProvider.getRealms().length === 0
         ) {
           continue;
         }
 
-        const secure = action.options.secure;
-        if (typeof secure !== "object") {
-          this.securityProvider.createPermission({
-            name: action.name,
-            group: action.group,
-            method: action.route.method,
-            path: action.route.path,
-          });
-        }
+        this.securityProvider.createPermission({
+          name: action.name,
+          group: action.group,
+          method: action.route.method,
+          path: action.route.path,
+        });
       }
     },
   });
@@ -59,10 +57,12 @@ export class ServerSecurityProvider {
   protected readonly onActionRequest = $hook({
     on: "action:onRequest",
     handler: async ({ action, request, options }) => {
-      // if you set explicitly secure: false, we assume you don't want any security check
-      // but only if no user is provided in options
-      if (action.options.secure === false && !options.user) {
-        this.log.trace("Skipping security check for route");
+      const secure = action.options.secure;
+
+      // Skip security if not explicitly enabled (secure: true or secure: { realm: ... })
+      // Actions are public by default (like $route)
+      if (secure !== true && typeof secure !== "object" && !options.user) {
+        this.log.trace("Skipping security check for action - not secured");
         return;
       }
 
@@ -93,7 +93,7 @@ export class ServerSecurityProvider {
           this.alepha.codec.decode(userAccountInfoSchema, request.user),
         );
       } catch (error) {
-        if (action.options.secure || permission) {
+        if (secure === true || typeof secure === "object" || permission) {
           throw error;
         }
         // else, we skip the security check
@@ -106,7 +106,7 @@ export class ServerSecurityProvider {
     on: "server:onRequest",
     priority: "last",
     handler: async ({ request, route }) => {
-      // if you set explicitly secure: false, we assume you don't want any security check
+      // Skip entirely only if explicitly disabled
       if (route.secure === false) {
         this.log.trace(
           "Skipping security check for route - explicitly disabled",
@@ -126,7 +126,7 @@ export class ServerSecurityProvider {
         typeof route.secure === "object" ? route.secure.realm : undefined;
 
       try {
-        // Try to resolve user (JWT, API key, etc.)
+        // Try to resolve user (JWT, API key, etc.) - even for public routes (optional auth)
         request.user = await this.securityProvider.resolveUserFromServerRequest(
           request,
           { permission, realm },
@@ -135,7 +135,11 @@ export class ServerSecurityProvider {
         // No user resolved?
         if (!request.user) {
           // Route requires auth → throw
-          if (route.secure || permission) {
+          if (
+            route.secure === true ||
+            typeof route.secure === "object" ||
+            permission
+          ) {
             // Provide a more specific error message when no auth header was provided
             if (!request.headers.authorization) {
               throw new InvalidTokenError(
@@ -144,7 +148,7 @@ export class ServerSecurityProvider {
             }
             throw new UnauthorizedError("Authentication required");
           }
-          // Route is public → skip
+          // Route is public → skip (but we tried to resolve user for optional auth)
           this.log.trace(
             "Skipping security check for route - no auth provided and not required",
           );
@@ -166,11 +170,15 @@ export class ServerSecurityProvider {
           permission,
         });
       } catch (error) {
-        if (route.secure || permission) {
+        if (
+          route.secure === true ||
+          typeof route.secure === "object" ||
+          permission
+        ) {
           throw error;
         }
 
-        // else, we skip the security check
+        // else, we skip the security check (route is public)
         this.log.trace(
           "Skipping security check for route - error occurred",
           error,

package/src/server/core/providers/NodeHttpServerProvider.spec.ts

@@ -31,7 +31,9 @@ describe("NodeHttpServerProvider", () => {
     });
 
     test("production mode: waits for connections then closes", async () => {
-      alepha = Alepha.create({ env: { NODE_ENV: "production" } });
+      alepha = Alepha.create({
+        env: { NODE_ENV: "production", SERVER_PORT: 0 },
+      });
       alepha.with(NodeHttpServerProvider);
 
       await alepha.start();
@@ -52,7 +54,9 @@ describe("NodeHttpServerProvider", () => {
     });
 
     test("production mode: forces close after timeout", async () => {
-      alepha = Alepha.create({ env: { NODE_ENV: "production" } });
+      alepha = Alepha.create({
+        env: { NODE_ENV: "production", SERVER_PORT: 0 },
+      });
       alepha.with(NodeHttpServerProvider);
 
       await alepha.start();
@@ -89,7 +93,9 @@ describe("NodeHttpServerProvider", () => {
     });
 
     test("rejects new requests during shutdown", async () => {
-      alepha = Alepha.create({ env: { NODE_ENV: "production" } });
+      alepha = Alepha.create({
+        env: { NODE_ENV: "production", SERVER_PORT: 0 },
+      });
       alepha.with(NodeHttpServerProvider);
 
       await alepha.start();

package/src/system/index.browser.ts

@@ -1,11 +1,36 @@
 import { $module } from "alepha";
+import { FileSystemProvider } from "./providers/FileSystemProvider.ts";
+import { MemoryFileSystemProvider } from "./providers/MemoryFileSystemProvider.ts";
+import { MemoryShellProvider } from "./providers/MemoryShellProvider.ts";
+import { ShellProvider } from "./providers/ShellProvider.ts";
+import { FileDetector } from "./services/FileDetector.ts";
 
 export * from "./errors/FileError.ts";
 export * from "./providers/FileSystemProvider.ts";
 export * from "./providers/MemoryFileSystemProvider.ts";
 export * from "./providers/MemoryShellProvider.ts";
 export * from "./providers/ShellProvider.ts";
+export * from "./services/FileDetector.ts";
 
 export const AlephaSystem = $module({
   name: "alepha.system",
+  services: [
+    FileDetector,
+    FileSystemProvider,
+    MemoryFileSystemProvider,
+    ShellProvider,
+    MemoryShellProvider,
+  ],
+  register: (alepha) =>
+    alepha
+      .with({
+        optional: true,
+        provide: FileSystemProvider,
+        use: MemoryFileSystemProvider,
+      })
+      .with({
+        optional: true,
+        provide: ShellProvider,
+        use: MemoryShellProvider,
+      }),
 });

package/src/system/index.workerd.ts

@@ -0,0 +1 @@
+export * from "./index.browser.ts";

package/src/system/providers/FileSystemProvider.ts

@@ -196,8 +196,16 @@ export interface CpOptions {
 export interface MkdirOptions {
   /**
    * If true, creates parent directories as needed
+   *
+   * @default true
    */
   recursive?: boolean;
+  /**
+   * If true, does not throw an error if the directory already exists
+   *
+   * @default true
+   */
+  force?: boolean;
   /**
    * File mode (permission and sticky bits)
    */

package/src/system/providers/NodeFileSystemProvider.ts

@@ -291,8 +291,17 @@ export class NodeFileSystemProvider implements FileSystemProvider {
    * await fs.mkdir("/tmp/mydir", { mode: 0o755 });
    * ```
    */
-  async mkdir(path: string, options?: MkdirOptions): Promise<void> {
-    await fsMkdir(path, options);
+  async mkdir(path: string, options: MkdirOptions = {}): Promise<void> {
+    const p = fsMkdir(path, {
+      recursive: options.recursive ?? true,
+      mode: options.mode,
+    });
+
+    if (options.force === false) {
+      await p;
+    } else {
+      await p.catch(() => {});
+    }
   }
 
   /**

package/src/vite/tasks/buildServer.ts

@@ -23,7 +23,7 @@ export interface BuildServerOptions {
 
   /**
    * Optional client directory name (relative to distDir).
-   * If provided, the client template will be embedded in the server output.
+   * If provided, the SSR manifest will be embedded in the server output.
    */
   clientDir?: string;
 
@@ -167,16 +167,6 @@ export async function buildServer(
 
   const entryFile = extractEntryFromBundle(opts.entry, result);
 
-  // Embed client template if client was built
-  let template = "";
-  if (opts.clientDir) {
-    const index = await readFile(
-      `${opts.distDir}/${opts.clientDir}/index.html`,
-      "utf-8",
-    );
-    template = `__alepha.set("alepha.react.server.template", \`${index.replace(/>\s*</g, "><").trim()}\`);\n`;
-  }
-
   // Embed SSR manifests if client was built
   // This bundles all manifest data into index.js for serverless deployments
   let manifest = "";
@@ -230,7 +220,7 @@ export async function buildServer(
 
   await writeFile(
     `${opts.distDir}/index.js`,
-    `${warning}\n${template}${manifest}import './server/${entryFile}';\n`.trim(),
+    `${warning}\n${manifest}import './server/${entryFile}';\n`.trim(),
   );
 
   return { entryFile, manifest: manifestData };

package/src/vite/tasks/generateCloudflare.ts

@@ -63,11 +63,8 @@ export async function generateCloudflare(
   }
 
   const url = process.env.DATABASE_URL;
-  if (url?.startsWith("cloudflare-d1:")) {
-    const [name, id] = url
-      .replace("cloudflare-d1://", "")
-      .replace("cloudflare-d1:", "")
-      .split(":");
+  if (url?.startsWith("d1:")) {
+    const [name, id] = url.replace("d1://", "").replace("d1:", "").split(":");
     wrangler.d1_databases = wrangler.d1_databases || [];
     wrangler.d1_databases.push({
       binding: name,
@@ -75,7 +72,7 @@ export async function generateCloudflare(
       database_id: id,
     });
     wrangler.vars ??= {};
-    wrangler.vars.DATABASE_URL = `cloudflare-d1://${name}:${id}`;
+    wrangler.vars.DATABASE_URL = `d1://${name}:${id}`;
   }
 
   await writeFile(
@@ -102,7 +99,13 @@ export default {
 
     __alepha.set("cloudflare.env", env);
 
-    await __alepha.start();
+    try {
+      await __alepha.start();
+    } catch (err) {
+      console.error(err);
+      return new Response("Internal Server Error", { status: 500 });
+    }
+
     await __alepha.events.emit("web:request", ctx);
 
     return ctx.res;

package/src/vite/tasks/generateDocker.ts

@@ -67,6 +67,10 @@ WORKDIR /app
 
 COPY . .
 
+RUN ${command === "bun" ? "bun" : "npm"} install
+
+ENV SERVER_HOST=0.0.0.0
+
 CMD ["${command}", "index.js"]
 `;