alepha 0.15.3 → 0.15.4

package/src/api/audits/controllers/AdminAuditController.ts

@@ -25,6 +25,7 @@ export class AdminAuditController {
   public readonly findAudits = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Find audit entries with filtering and pagination",
     schema: {
       query: auditQuerySchema,
@@ -39,6 +40,7 @@ export class AdminAuditController {
   public readonly getAudit = $action({
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Get a single audit entry by ID",
     schema: {
       params: t.object({
@@ -56,6 +58,7 @@ export class AdminAuditController {
     method: "POST",
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Create a new audit entry",
     schema: {
       body: createAuditSchema,
@@ -70,6 +73,7 @@ export class AdminAuditController {
   public readonly findByUser = $action({
     path: `${this.url}/user/:userId`,
     group: this.group,
+    secure: true,
     description: "Get audit entries for a specific user",
     schema: {
       params: t.object({
@@ -88,6 +92,7 @@ export class AdminAuditController {
   public readonly findByResource = $action({
     path: `${this.url}/resource/:resourceType/:resourceId`,
     group: this.group,
+    secure: true,
     description: "Get audit entries for a specific resource",
     schema: {
       params: t.object({
@@ -111,6 +116,7 @@ export class AdminAuditController {
   public readonly getStats = $action({
     path: `${this.url}/stats`,
     group: this.group,
+    secure: true,
     description: "Get audit statistics for a time period",
     schema: {
       query: t.object({
@@ -144,6 +150,7 @@ export class AdminAuditController {
   public readonly getTypes = $action({
     path: `${this.url}/types`,
     group: this.group,
+    secure: true,
     description: "Get all registered audit types",
     schema: {
       response: t.array(
@@ -163,6 +170,7 @@ export class AdminAuditController {
   public readonly getFilterOptions = $action({
     path: `${this.url}/filters`,
     group: this.group,
+    secure: true,
     description: "Get distinct values for audit filters",
     schema: {
       response: t.object({

package/src/api/files/controllers/AdminFileStatsController.ts

@@ -20,6 +20,7 @@ export class AdminFileStatsController {
   public readonly getStats = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Get storage statistics",
     schema: {
       response: storageStatsSchema,

package/src/api/jobs/controllers/AdminJobController.ts

@@ -13,6 +13,7 @@ export class AdminJobController {
   public readonly getJobs = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     schema: {
       response: t.array(t.string()),
     },
@@ -22,6 +23,7 @@ export class AdminJobController {
   public readonly getJobExecutions = $action({
     path: `${this.url}/executions`,
     group: this.group,
+    secure: true,
     schema: {
       query: jobExecutionQuerySchema,
       response: t.page(jobExecutionResourceSchema),
@@ -33,6 +35,7 @@ export class AdminJobController {
     method: "POST",
     path: `${this.url}/trigger`,
     group: this.group,
+    secure: true,
     schema: {
       body: triggerJobSchema,
       response: okSchema,

package/src/api/notifications/controllers/AdminNotificationController.ts

@@ -15,6 +15,7 @@ export class AdminNotificationController {
   public readonly findNotifications = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Find notifications with pagination and filtering",
     schema: {
       query: notificationQuerySchema,

package/src/api/parameters/controllers/AdminConfigController.ts

@@ -41,6 +41,7 @@ export class AdminConfigController {
    */
   getConfigTree = $action({
     group: this.group,
+    secure: true,
     description:
       "Get tree structure of all configuration names for navigation.",
     path: "/configs/tree",
@@ -58,6 +59,7 @@ export class AdminConfigController {
    */
   listConfigNames = $action({
     group: this.group,
+    secure: true,
     description: "List all unique configuration names.",
     path: "/configs",
     method: "GET",
@@ -75,6 +77,7 @@ export class AdminConfigController {
    */
   getByStatus = $action({
     group: this.group,
+    secure: true,
     description: "Get all configurations with a specific status.",
     path: "/configs/status/:status",
     method: "GET",
@@ -95,6 +98,7 @@ export class AdminConfigController {
    */
   getHistory = $action({
     group: this.group,
+    secure: true,
     description: "Get all versions of a specific configuration.",
     path: "/configs/:name/history",
     method: "GET",
@@ -115,6 +119,7 @@ export class AdminConfigController {
    */
   getCurrent = $action({
     group: this.group,
+    secure: true,
     description: "Get current and next scheduled values for a configuration.",
     path: "/configs/:name",
     method: "GET",
@@ -139,6 +144,7 @@ export class AdminConfigController {
    */
   getVersion = $action({
     group: this.group,
+    secure: true,
     description: "Get a specific version of a configuration.",
     path: "/configs/:name/versions/:version",
     method: "GET",
@@ -157,6 +163,7 @@ export class AdminConfigController {
    */
   createVersion = $action({
     group: this.group,
+    secure: true,
     description:
       "Create a new version of a configuration (immediate or scheduled).",
     path: "/configs/:name",
@@ -184,6 +191,7 @@ export class AdminConfigController {
    */
   rollback = $action({
     group: this.group,
+    secure: true,
     description:
       "Rollback a configuration to a previous version (creates new version with old content).",
     path: "/configs/:name/rollback",
@@ -207,6 +215,7 @@ export class AdminConfigController {
    */
   activateNow = $action({
     group: this.group,
+    secure: true,
     description: "Activate a future/next configuration version immediately.",
     path: "/configs/:name/activate",
     method: "POST",
@@ -248,6 +257,7 @@ export class AdminConfigController {
    */
   checkScheduled = $action({
     group: this.group,
+    secure: true,
     description:
       "Manually trigger activation check for all scheduled configurations.",
     path: "/configs/activate-scheduled",

package/src/api/users/controllers/AdminIdentityController.ts

@@ -15,6 +15,7 @@ export class AdminIdentityController {
   public readonly findIdentities = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Find identities with pagination and filtering",
     schema: {
       query: t.extend(identityQuerySchema, {
@@ -34,6 +35,7 @@ export class AdminIdentityController {
   public readonly getIdentity = $action({
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Get an identity by ID",
     schema: {
       params: t.object({
@@ -55,6 +57,7 @@ export class AdminIdentityController {
     method: "DELETE",
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Delete an identity",
     schema: {
       params: t.object({

package/src/api/users/controllers/AdminSessionController.ts

@@ -15,6 +15,7 @@ export class AdminSessionController {
   public readonly findSessions = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Find sessions with pagination and filtering",
     schema: {
       query: t.extend(sessionQuerySchema, {
@@ -34,6 +35,7 @@ export class AdminSessionController {
   public readonly getSession = $action({
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Get a session by ID",
     schema: {
       params: t.object({
@@ -55,6 +57,7 @@ export class AdminSessionController {
     method: "DELETE",
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Delete a session",
     schema: {
       params: t.object({

package/src/api/users/controllers/AdminUserController.ts

@@ -17,6 +17,7 @@ export class AdminUserController {
   public readonly findUsers = $action({
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Find users with pagination and filtering",
     schema: {
       query: t.extend(userQuerySchema, {
@@ -36,6 +37,7 @@ export class AdminUserController {
   public readonly getUser = $action({
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Get a user by ID",
     schema: {
       params: t.object({
@@ -57,6 +59,7 @@ export class AdminUserController {
     method: "POST",
     path: this.url,
     group: this.group,
+    secure: true,
     description: "Create a new user",
     schema: {
       query: t.object({
@@ -76,6 +79,7 @@ export class AdminUserController {
     method: "PATCH",
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Update a user",
     schema: {
       params: t.object({
@@ -98,6 +102,7 @@ export class AdminUserController {
     method: "DELETE",
     path: `${this.url}/:id`,
     group: this.group,
+    secure: true,
     description: "Delete a user",
     schema: {
       params: t.object({

package/src/cli/commands/build.ts

@@ -269,6 +269,7 @@ export class BuildCommand {
             generateCloudflare({
               distDir,
               config: options.cloudflare?.config,
+              alepha: alepha!,
             }),
         });
       }

package/src/cli/providers/ViteDevServerProvider.ts

@@ -245,6 +245,11 @@ export class ViteDevServerProvider {
       return;
     }
 
+    // Generate dev head content using Vite's transformIndexHtml
+    // This lets Vite and all plugins (React, etc.) inject their scripts
+    const devHead = await this.generateDevHead();
+    this.alepha.store.set("alepha.react.ssr.manifest" as any, { devHead });
+
     this.alepha.events.on("server:onRequest", {
       priority: "first",
       callback: async ({ request }) => {
@@ -264,6 +269,32 @@ export class ViteDevServerProvider {
     });
   }
 
+  /**
+   * Generate dev head content by transforming a minimal HTML through Vite.
+   * This lets Vite and all plugins inject their scripts (HMR client, React Fast Refresh, etc.).
+   */
+  protected async generateDevHead(): Promise<string> {
+    const { browser, style } = this.options.entry;
+
+    // Build minimal HTML with entry points
+    const scripts: string[] = [];
+    if (style) {
+      scripts.push(`<link rel="stylesheet" href="/${style}">`);
+    }
+    if (browser) {
+      scripts.push(`<script type="module" src="/${browser}"></script>`);
+    }
+
+    const minimalHtml = `<!DOCTYPE html><html><head>${scripts.join("\n")}</head><body></body></html>`;
+
+    // Transform through Vite to inject all plugin scripts
+    const transformed = await this.server.transformIndexHtml("/", minimalHtml);
+
+    // Extract head content
+    const headMatch = transformed.match(/<head>([\s\S]*?)<\/head>/i);
+    return headMatch?.[1]?.trim() ?? "";
+  }
+
   /**
    * Check if request is for an HTML page (not an asset).
    */

package/src/email/index.workerd.ts

@@ -0,0 +1,36 @@
+import { $module } from "alepha";
+import { $email } from "./primitives/$email.ts";
+import { EmailProvider } from "./providers/EmailProvider.ts";
+import { MemoryEmailProvider } from "./providers/MemoryEmailProvider.ts";
+import { WorkermailerEmailProvider } from "./providers/WorkermailerEmailProvider.ts";
+
+// ---------------------------------------------------------------------------------------------------------------------
+
+export * from "./errors/EmailError.ts";
+export * from "./primitives/$email.ts";
+export * from "./providers/EmailProvider.ts";
+export * from "./providers/MemoryEmailProvider.ts";
+export * from "./providers/WorkermailerEmailProvider.ts";
+
+// ---------------------------------------------------------------------------------------------------------------------
+
+export const AlephaEmail = $module({
+  name: "alepha.email",
+  primitives: [$email],
+  services: [EmailProvider, MemoryEmailProvider, WorkermailerEmailProvider],
+  register: (alepha) => {
+    if (alepha.env.EMAIL_HOST) {
+      alepha.with({
+        optional: true,
+        provide: EmailProvider,
+        use: WorkermailerEmailProvider,
+      });
+    } else {
+      alepha.with({
+        optional: true,
+        provide: EmailProvider,
+        use: MemoryEmailProvider,
+      });
+    }
+  },
+});

package/src/email/providers/WorkermailerEmailProvider.ts

@@ -0,0 +1,221 @@
+import { $atom, $env, $use, type Static, t } from "alepha";
+import { $logger } from "alepha/logger";
+import { WorkerMailer } from "worker-mailer";
+import { EmailError } from "../errors/EmailError.ts";
+import type { EmailProvider, EmailSendOptions } from "./EmailProvider.ts";
+
+// ---------------------------------------------------------------------------------------------------------------------
+
+/**
+ * Environment variables for worker-mailer configuration
+ */
+const envSchema = t.object({
+  EMAIL_HOST: t.optional(
+    t.text({
+      description: "SMTP server host",
+    }),
+  ),
+  EMAIL_PORT: t.number({
+    default: 587,
+    description: "SMTP server port (465 or 587, not 25)",
+  }),
+  EMAIL_USER: t.optional(
+    t.text({
+      description: "SMTP authentication username",
+    }),
+  ),
+  EMAIL_PASS: t.optional(
+    t.text({
+      description: "SMTP authentication password",
+    }),
+  ),
+  EMAIL_FROM: t.optional(
+    t.text({
+      description: "Default from email address",
+    }),
+  ),
+  EMAIL_FROM_NAME: t.optional(
+    t.text({
+      description: "Default from name",
+    }),
+  ),
+  EMAIL_SECURE: t.boolean({
+    default: true,
+    description: "Use secure connection (TLS/STARTTLS)",
+  }),
+  EMAIL_AUTH_TYPE: t.optional(
+    t.enum(["plain", "login", "cram-md5"], {
+      default: "plain",
+      description: "SMTP authentication type",
+    }),
+  ),
+});
+
+// ---------------------------------------------------------------------------------------------------------------------
+
+/**
+ * Worker-mailer specific options
+ */
+export const workermailerEmailOptions = $atom({
+  name: "alepha.email.workermailer.options",
+  schema: t.object({
+    authType: t.optional(
+      t.enum(["plain", "login", "cram-md5"], {
+        description: "SMTP authentication type (default: plain)",
+      }),
+    ),
+  }),
+  default: {},
+});
+
+export type WorkermailerEmailProviderOptions = Static<
+  typeof workermailerEmailOptions.schema
+>;
+
+declare module "alepha" {
+  interface State {
+    [workermailerEmailOptions.key]: WorkermailerEmailProviderOptions;
+  }
+}
+
+// ---------------------------------------------------------------------------------------------------------------------
+
+/**
+ * Email provider using worker-mailer for Cloudflare Workers.
+ *
+ * This provider uses Cloudflare's TCP Sockets API to send emails via SMTP,
+ * making it suitable for edge runtime environments.
+ *
+ * Configuration is provided via environment variables:
+ * - EMAIL_HOST: SMTP server host
+ * - EMAIL_PORT: SMTP server port (default: 587, note: port 25 is blocked)
+ * - EMAIL_USER: SMTP authentication username
+ * - EMAIL_PASS: SMTP authentication password
+ * - EMAIL_FROM: Default from email address
+ * - EMAIL_FROM_NAME: Default from name (optional)
+ * - EMAIL_SECURE: Use secure connection (default: true)
+ * - EMAIL_AUTH_TYPE: Authentication type - plain, login, or cram-md5 (default: plain)
+ *
+ * @example
+ * ```typescript
+ * // Configure via environment variables
+ * // EMAIL_HOST=smtp.example.com
+ * // EMAIL_PORT=587
+ * // EMAIL_USER=user@example.com
+ * // EMAIL_PASS=secret
+ * // EMAIL_FROM=noreply@example.com
+ * // EMAIL_FROM_NAME=My App
+ * // EMAIL_SECURE=true
+ * // EMAIL_AUTH_TYPE=plain
+ * ```
+ *
+ * @see https://github.com/zou-yu/worker-mailer
+ */
+export class WorkermailerEmailProvider implements EmailProvider {
+  protected readonly env = $env(envSchema);
+  protected readonly log = $logger();
+  protected readonly options = $use(workermailerEmailOptions);
+
+  protected get host(): string {
+    const host = this.env.EMAIL_HOST;
+    if (!host) {
+      throw new EmailError(
+        "Email host not configured. Set EMAIL_HOST env var.",
+      );
+    }
+    return host;
+  }
+
+  protected get port(): number {
+    return this.env.EMAIL_PORT;
+  }
+
+  protected get secure(): boolean {
+    return this.env.EMAIL_SECURE;
+  }
+
+  protected get user(): string | undefined {
+    return this.env.EMAIL_USER;
+  }
+
+  protected get pass(): string | undefined {
+    return this.env.EMAIL_PASS;
+  }
+
+  protected get fromAddress(): string {
+    const from = this.env.EMAIL_FROM;
+    if (!from) {
+      throw new EmailError(
+        "Email from address not configured. Set EMAIL_FROM env var.",
+      );
+    }
+    return from;
+  }
+
+  protected get fromName(): string | undefined {
+    return this.env.EMAIL_FROM_NAME;
+  }
+
+  protected get authType(): "plain" | "login" | "cram-md5" {
+    return this.options.authType ?? this.env.EMAIL_AUTH_TYPE ?? "plain";
+  }
+
+  public async send(options: EmailSendOptions): Promise<void> {
+    const { to, subject, body } = options;
+    this.log.debug("Sending email via worker-mailer", { to, subject });
+
+    const user = this.user;
+    const pass = this.pass;
+
+    if (!user || !pass) {
+      throw new EmailError(
+        "Email credentials not configured. Set EMAIL_USER and EMAIL_PASS env vars.",
+      );
+    }
+
+    let mailer: WorkerMailer | undefined;
+
+    try {
+      mailer = await WorkerMailer.connect({
+        credentials: {
+          username: user,
+          password: pass,
+        },
+        authType: this.authType,
+        host: this.host,
+        port: this.port,
+        secure: this.secure,
+      });
+
+      const recipients = Array.isArray(to) ? to : [to];
+
+      for (const recipient of recipients) {
+        await mailer.send({
+          from: this.fromName
+            ? { name: this.fromName, email: this.fromAddress }
+            : { email: this.fromAddress },
+          to: { email: recipient },
+          subject,
+          html: body,
+        });
+
+        this.log.info("Email sent successfully", {
+          to: recipient,
+          subject,
+        });
+      }
+    } catch (error) {
+      const message = `Failed to send email via worker-mailer: ${error instanceof Error ? error.message : String(error)}`;
+      this.log.error(message, { to, subject });
+      throw new EmailError(message, error instanceof Error ? error : undefined);
+    } finally {
+      if (mailer) {
+        try {
+          await mailer.close();
+        } catch {
+          // Ignore close errors
+        }
+      }
+    }
+  }
+}

package/src/lock/core/primitives/$lock.ts

@@ -302,7 +302,19 @@ export class LockPrimitive<TFunc extends AsyncFn> extends Primitive<
   protected readonly provider = $inject(LockProvider);
   protected readonly env = $env(envSchema);
   protected readonly dateTimeProvider = $inject(DateTimeProvider);
-  protected readonly id = crypto.randomUUID();
+
+  /**
+   * Lazy-initialized UUID to avoid calling crypto.randomUUID() in global scope.
+   * Cloudflare Workers doesn't allow random value generation during initialization.
+   */
+  protected _id?: string;
+  protected get id(): string {
+    if (!this._id) {
+      this._id = crypto.randomUUID();
+    }
+    return this._id;
+  }
+
   public readonly maxDuration = this.dateTimeProvider.duration(
     this.options.maxDuration ?? [5, "minutes"],
   );

package/src/react/auth/services/ReactAuth.ts

@@ -130,6 +130,8 @@ export class ReactAuth {
   }
 
   public logout() {
-    window.location.href = `${alephaServerAuthRoutes.logout}?post_logout_redirect_uri=${encodeURIComponent(window.location.origin)}`;
+    // Add cache-busting parameter to prevent browser from using cached redirect
+    const cacheBuster = Date.now();
+    window.location.href = `${alephaServerAuthRoutes.logout}?post_logout_redirect_uri=${encodeURIComponent(window.location.origin)}&_=${cacheBuster}`;
   }
 }

package/src/react/router/atoms/ssrManifestAtom.ts

@@ -32,6 +32,13 @@ export const ssrManifestAtomSchema = t.object({
       }),
     ),
   ),
+
+  /**
+   * Dev mode head content.
+   * Contains pre-transformed scripts injected by Vite and plugins (React, etc.).
+   * Only set in dev mode via ViteDevServerProvider.
+   */
+  devHead: t.optional(t.string()),
 });
 
 /**

package/src/react/router/providers/ReactServerProvider.ts

@@ -142,11 +142,22 @@ export class ReactServerProvider {
    * allowing the browser to start downloading entry.js and CSS files early.
    */
   protected setupEarlyHeadContent(): void {
-    const assets = this.ssrManifestProvider.getEntryAssets();
     const globalHead = this.serverHeadProvider.resolveGlobalHead();
+    const manifest = this.ssrManifestProvider.getManifest();
 
-    const parts: string[] = [];
+    // Dev mode: use pre-transformed head content from Vite
+    if (manifest.devHead) {
+      this.templateProvider.setEarlyHeadContent(
+        `${manifest.devHead}\n`,
+        globalHead,
+      );
+      this.log.debug("Early head content set (dev mode)");
+      return;
+    }
 
+    // Production: build from SSR manifest entry assets
+    const parts: string[] = [];
+    const assets = this.ssrManifestProvider.getEntryAssets();
     if (assets) {
       for (const css of assets.css) {
         parts.push(`<link rel="stylesheet" href="${css}" crossorigin="">`);
@@ -164,8 +175,7 @@ export class ReactServerProvider {
     );
 
     this.log.debug("Early head content set", {
-      css: assets?.css.length ?? 0,
-      js: assets?.js ? 1 : 0,
+      parts: parts.length,
     });
   }
 

package/src/react/router/providers/SSRManifestProvider.ts

@@ -32,6 +32,13 @@ export class SSRManifestProvider {
     );
   }
 
+  /**
+   * Get the full manifest object.
+   */
+  public getManifest(): Static<SsrManifestAtomSchema> {
+    return this.manifest;
+  }
+
   /**
    * Get the base path for assets (from Vite's base config).
    * Returns empty string if base is "/" (default), otherwise returns the base path.