npm - alepha - Versions diffs - 0.20.2 → 0.20.4 - Mend

alepha 0.20.2 → 0.20.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (304) hide show

package/README.md +0 -1
package/assets/swagger-ui/swagger-ui-bundle.js +1 -1
package/assets/swagger-ui/swagger-ui.css +1 -1
package/dist/api/audits/index.browser.js +49 -0
package/dist/api/audits/index.browser.js.map +1 -1
package/dist/api/audits/index.js +49 -0
package/dist/api/audits/index.js.map +1 -1
package/dist/api/files/index.js.map +1 -1
package/dist/api/jobs/index.d.ts +2 -61
package/dist/api/jobs/index.d.ts.map +1 -1
package/dist/api/jobs/index.js.map +1 -1
package/dist/api/keys/index.d.ts +4 -4
package/dist/api/keys/index.js.map +1 -1
package/dist/api/notifications/index.d.ts +1 -10
package/dist/api/notifications/index.d.ts.map +1 -1
package/dist/api/parameters/index.browser.js +37 -0
package/dist/api/parameters/index.browser.js.map +1 -1
package/dist/api/parameters/index.d.ts +12 -68
package/dist/api/parameters/index.d.ts.map +1 -1
package/dist/api/parameters/index.js +57 -4
package/dist/api/parameters/index.js.map +1 -1
package/dist/api/payments/index.js.map +1 -1
package/dist/api/users/index.browser.js +6 -0
package/dist/api/users/index.browser.js.map +1 -1
package/dist/api/users/index.d.ts +148 -227
package/dist/api/users/index.d.ts.map +1 -1
package/dist/api/users/index.js +60 -14
package/dist/api/users/index.js.map +1 -1
package/dist/api/verifications/index.d.ts.map +1 -1
package/dist/api/verifications/index.js +2 -1
package/dist/api/verifications/index.js.map +1 -1
package/dist/bucket/index.d.ts +77 -107
package/dist/bucket/index.d.ts.map +1 -1
package/dist/bucket/index.js +153 -5
package/dist/bucket/index.js.map +1 -1
package/dist/bucket/index.workerd.js +12 -2
package/dist/bucket/index.workerd.js.map +1 -1
package/dist/cache/core/index.d.ts +26 -0
package/dist/cache/core/index.d.ts.map +1 -1
package/dist/cache/core/index.js +11 -1
package/dist/cache/core/index.js.map +1 -1
package/dist/cache/core/index.workerd.js +11 -1
package/dist/cache/core/index.workerd.js.map +1 -1
package/dist/captcha/index.js.map +1 -1
package/dist/cli/config/index.d.ts +7 -5
package/dist/cli/config/index.d.ts.map +1 -1
package/dist/cli/config/index.js +2 -3
package/dist/cli/config/index.js.map +1 -1
package/dist/cli/core/index.d.ts +637 -11660
package/dist/cli/core/index.d.ts.map +1 -1
package/dist/cli/core/index.js +707 -532
package/dist/cli/core/index.js.map +1 -1
package/dist/cli/devtools/index.d.ts +4 -8
package/dist/cli/devtools/index.d.ts.map +1 -1
package/dist/cli/devtools/index.js +20 -16
package/dist/cli/devtools/index.js.map +1 -1
package/dist/cli/platform/index.d.ts +51 -77
package/dist/cli/platform/index.d.ts.map +1 -1
package/dist/cli/platform/index.js +65 -15
package/dist/cli/platform/index.js.map +1 -1
package/dist/cli/vendor/index.d.ts +10 -13
package/dist/cli/vendor/index.d.ts.map +1 -1
package/dist/cli/vendor/index.js +30 -12
package/dist/cli/vendor/index.js.map +1 -1
package/dist/command/index.js +1 -1
package/dist/command/index.js.map +1 -1
package/dist/core/index.browser.js +27 -3
package/dist/core/index.browser.js.map +1 -1
package/dist/core/index.d.ts +8 -11
package/dist/core/index.d.ts.map +1 -1
package/dist/core/index.js +27 -3
package/dist/core/index.js.map +1 -1
package/dist/core/index.native.js +27 -3
package/dist/core/index.native.js.map +1 -1
package/dist/core/index.workerd.js +27 -3
package/dist/core/index.workerd.js.map +1 -1
package/dist/crypto/index.js.map +1 -1
package/dist/datetime/index.d.ts +69 -10
package/dist/datetime/index.d.ts.map +1 -1
package/dist/datetime/index.js +135 -13
package/dist/datetime/index.js.map +1 -1
package/dist/email/core/index.js.map +1 -1
package/dist/email/smtp/index.js +130 -16
package/dist/email/smtp/index.js.map +1 -1
package/dist/fake/index.js.map +1 -1
package/dist/lock/core/index.d.ts +30 -2
package/dist/lock/core/index.d.ts.map +1 -1
package/dist/lock/core/index.js +35 -12
package/dist/lock/core/index.js.map +1 -1
package/dist/lock/redis/index.js.map +1 -1
package/dist/logger/index.js +32 -1
package/dist/logger/index.js.map +1 -1
package/dist/mcp/index.d.ts +238 -31
package/dist/mcp/index.d.ts.map +1 -1
package/dist/mcp/index.js +198 -67
package/dist/mcp/index.js.map +1 -1
package/dist/orm/core/index.browser.js +2 -362
package/dist/orm/core/index.browser.js.map +1 -1
package/dist/orm/core/index.bun.js +18 -409
package/dist/orm/core/index.bun.js.map +1 -1
package/dist/orm/core/index.d.ts +41 -194
package/dist/orm/core/index.d.ts.map +1 -1
package/dist/orm/core/index.js +27 -422
package/dist/orm/core/index.js.map +1 -1
package/dist/orm/postgres/index.bun.js +17 -20
package/dist/orm/postgres/index.bun.js.map +1 -1
package/dist/orm/postgres/index.d.ts +1 -5
package/dist/orm/postgres/index.d.ts.map +1 -1
package/dist/orm/postgres/index.js +17 -20
package/dist/orm/postgres/index.js.map +1 -1
package/dist/react/core/index.d.ts +102 -1
package/dist/react/core/index.d.ts.map +1 -1
package/dist/react/core/index.js +65 -1
package/dist/react/core/index.js.map +1 -1
package/dist/react/form/index.d.ts +6 -0
package/dist/react/form/index.d.ts.map +1 -1
package/dist/react/form/index.js +7 -7
package/dist/react/form/index.js.map +1 -1
package/dist/react/i18n/index.d.ts +7 -1
package/dist/react/i18n/index.d.ts.map +1 -1
package/dist/react/i18n/index.js +6 -0
package/dist/react/i18n/index.js.map +1 -1
package/dist/react/intro/index.js +22 -17
package/dist/react/intro/index.js.map +1 -1
package/dist/react/router/index.browser.js +98 -4
package/dist/react/router/index.browser.js.map +1 -1
package/dist/react/router/index.d.ts +58 -5
package/dist/react/router/index.d.ts.map +1 -1
package/dist/react/router/index.js +122 -6
package/dist/react/router/index.js.map +1 -1
package/dist/react/testing/{chunk-DBEY4PJZ.js → chunk-6Ep1yQYe.js} +1 -1
package/dist/react/testing/index.js +1 -1
package/dist/react/testing/index.js.map +1 -1
package/dist/react/ui/index.d.ts +195 -1
package/dist/react/ui/index.d.ts.map +1 -1
package/dist/react/ui/index.js +64 -1
package/dist/react/ui/index.js.map +1 -1
package/dist/react/websocket/index.js.map +1 -1
package/dist/redis/index.js.map +1 -1
package/dist/scheduler/index.d.ts +1 -2
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/scheduler/index.js +1 -1
package/dist/scheduler/index.js.map +1 -1
package/dist/scheduler/index.workerd.js +1 -1
package/dist/scheduler/index.workerd.js.map +1 -1
package/dist/security/index.browser.js.map +1 -1
package/dist/security/index.d.ts.map +1 -1
package/dist/security/index.js +2 -2
package/dist/security/index.js.map +1 -1
package/dist/server/auth/index.d.ts.map +1 -1
package/dist/server/auth/index.js +24 -10
package/dist/server/auth/index.js.map +1 -1
package/dist/server/cookies/index.js.map +1 -1
package/dist/server/core/index.browser.js +10 -3
package/dist/server/core/index.browser.js.map +1 -1
package/dist/server/core/index.d.ts +1 -4
package/dist/server/core/index.d.ts.map +1 -1
package/dist/server/core/index.js +47 -9
package/dist/server/core/index.js.map +1 -1
package/dist/server/links/index.browser.js.map +1 -1
package/dist/server/links/index.js.map +1 -1
package/dist/server/metrics/index.js +19 -1
package/dist/server/metrics/index.js.map +1 -1
package/dist/server/rate-limit/index.js.map +1 -1
package/dist/server/static/index.js.map +1 -1
package/dist/server/swagger/index.d.ts.map +1 -1
package/dist/server/swagger/index.js +4 -5
package/dist/server/swagger/index.js.map +1 -1
package/dist/sms/index.js.map +1 -1
package/dist/system/index.browser.js.map +1 -1
package/dist/system/index.js.map +1 -1
package/dist/system/index.workerd.js.map +1 -1
package/dist/topic/core/index.js.map +1 -1
package/dist/websocket/index.browser.js +32 -5
package/dist/websocket/index.browser.js.map +1 -1
package/dist/websocket/index.d.ts +3 -1
package/dist/websocket/index.d.ts.map +1 -1
package/dist/websocket/index.js +42 -6
package/dist/websocket/index.js.map +1 -1
package/package.json +685 -274
package/src/api/files/__tests__/FileController.spec.ts +1 -1
package/src/api/jobs/__tests__/$job.spec.ts +5 -1
package/src/api/parameters/services/ParameterProvider.ts +21 -4
package/src/api/users/__tests__/SessionService.spec.ts +99 -0
package/src/api/users/__tests__/UserJobs.spec.ts +67 -0
package/src/api/users/atoms/realmAuthSettingsAtom.ts +15 -0
package/src/api/users/entities/sessions.ts +6 -0
package/src/api/users/jobs/UserJobs.ts +44 -17
package/src/api/users/providers/RealmProvider.ts +4 -0
package/src/api/users/schemas/userQuerySchema.ts +0 -1
package/src/api/users/services/SessionService.ts +27 -0
package/src/api/users/services/UserService.ts +1 -5
package/src/api/verifications/__tests__/CodeVerification.spec.ts +14 -0
package/src/api/verifications/__tests__/LinkVerification.spec.ts +14 -0
package/src/api/verifications/services/VerificationService.ts +1 -0
package/src/bucket/__tests__/NodeS3BucketProvider.spec.ts +74 -0
package/src/bucket/index.ts +19 -2
package/src/bucket/primitives/$bucket.ts +9 -1
package/src/bucket/providers/CloudflareR2Provider.ts +2 -137
package/src/bucket/providers/NodeS3BucketProvider.ts +218 -0
package/src/cache/core/index.ts +29 -0
package/src/cache/core/primitives/$cache.ts +14 -1
package/src/cli/config/defineConfig.ts +13 -15
package/src/cli/core/__tests__/init.spec.ts +214 -7
package/src/cli/core/commands/init.ts +12 -0
package/src/cli/core/services/PackageManagerUtils.ts +23 -6
package/src/cli/core/services/ProjectScaffolder.ts +315 -33
package/src/cli/core/tasks/BuildCloudflareTask.ts +5 -0
package/src/cli/core/tasks/BuildDockerTask.ts +9 -10
package/src/cli/core/tasks/BuildServerTask.ts +8 -0
package/src/cli/core/templates/agentMd.ts +2 -10
package/src/cli/core/templates/apiIndexTs.ts +23 -1
package/src/cli/core/templates/componentsJsonTs.ts +39 -0
package/src/cli/core/templates/mainCss.ts +1 -0
package/src/cli/core/templates/saasAdminLayoutTsx.ts +77 -0
package/src/cli/core/templates/saasAdminPagesTsx.ts +26 -0
package/src/cli/core/templates/saasAuthLayoutTsx.ts +20 -0
package/src/cli/core/templates/saasAuthPagesTsx.ts +62 -0
package/src/cli/core/templates/saasRealmProviderTs.ts +46 -0
package/src/cli/core/templates/webAppRouterTs.ts +104 -1
package/src/cli/core/templates/webIndexTs.ts +23 -1
package/src/cli/devtools/index.ts +12 -26
package/src/cli/platform/__tests__/SecretsCommand.spec.ts +2 -0
package/src/cli/platform/index.ts +15 -24
package/src/cli/vendor/atoms/vendorOptions.ts +1 -1
package/src/cli/vendor/index.ts +14 -23
package/src/command/providers/CliProvider.ts +1 -1
package/src/core/Alepha.ts +11 -1
package/src/core/helpers/ref.ts +18 -0
package/src/core/index.shared.ts +1 -0
package/src/core/interfaces/Service.ts +3 -1
package/src/core/providers/SchemaValidator.ts +9 -1
package/src/core/providers/TypeProvider.ts +2 -3
package/src/datetime/REFACTORING.md +118 -0
package/src/datetime/providers/DateTimeProvider.ts +203 -24
package/src/lock/core/index.ts +31 -0
package/src/lock/core/primitives/$lock.ts +14 -1
package/src/logger/services/Logger.ts +1 -1
package/src/mcp/__tests__/$resource.spec.ts +1 -1
package/src/mcp/__tests__/$tool.spec.ts +1 -1
package/src/mcp/__tests__/McpServerProvider.spec.ts +1 -1
package/src/mcp/__tests__/jsonrpc.spec.ts +1 -1
package/src/mcp/helpers/jsonrpc.ts +26 -1
package/src/mcp/index.ts +10 -5
package/src/mcp/interfaces/McpTypes.ts +83 -6
package/src/mcp/primitives/$prompt.ts +18 -1
package/src/mcp/primitives/$resource.ts +18 -1
package/src/mcp/primitives/$tool.ts +83 -7
package/src/mcp/providers/McpServerProvider.ts +74 -16
package/src/mcp/transports/StreamableHttpMcpTransport.ts +226 -0
package/src/orm/REFACTORING.md +330 -0
package/src/orm/__tests__/$repository-tests.ts +1 -0
package/src/orm/__tests__/orm-next-tests.ts +2 -67
package/src/orm/__tests__/orm-next.spec.ts +0 -21
package/src/orm/core/index.shared.ts +0 -2
package/src/orm/core/index.ts +1 -2
package/src/orm/core/primitives/$repository.ts +3 -6
package/src/orm/core/primitives/$transactional.ts +11 -0
package/src/orm/core/providers/drivers/DatabaseProvider.ts +0 -5
package/src/orm/core/providers/drivers/NodeSqliteProvider.ts +11 -13
package/src/orm/core/schemas/updateSchema.ts +1 -1
package/src/orm/core/services/ModelBuilder.ts +1 -13
package/src/orm/core/services/PgRelationManager.ts +4 -2
package/src/orm/core/services/Repository.ts +1 -42
package/src/orm/core/services/SqliteModelBuilder.ts +2 -33
package/src/orm/postgres/services/PostgresModelBuilder.ts +10 -45
package/src/react/core/__tests__/useQuery.browser.spec.tsx +86 -0
package/src/react/core/hooks/useQuery.ts +153 -0
package/src/react/core/index.ts +1 -0
package/src/react/form/services/FormModel.ts +15 -6
package/src/react/form/services/parseField.ts +8 -0
package/src/react/i18n/providers/I18nProvider.ts +8 -2
package/src/react/intro/components/GettingStartedAuthSlide.tsx +11 -4
package/src/react/router/__tests__/$page.spec.tsx +0 -16
package/src/react/router/__tests__/ReactBrowserProvider.browser.spec.ts +213 -2
package/src/react/router/__tests__/ssr.spec.tsx +339 -0
package/src/react/router/primitives/$page.ts +28 -4
package/src/react/router/providers/ReactBrowserProvider.ts +73 -0
package/src/react/router/providers/ReactBrowserRouterProvider.ts +1 -1
package/src/react/router/providers/ReactPageProvider.ts +27 -9
package/src/react/router/providers/ReactPreloadProvider.ts +1 -1
package/src/react/router/providers/ReactServerProvider.ts +1 -0
package/src/react/ui/atoms/uiThemeListAtom.ts +36 -0
package/src/react/ui/index.ts +6 -0
package/src/react/ui/services/SchemaControl.ts +209 -0
package/src/scheduler/providers/CronProvider.ts +1 -1
package/src/security/primitives/$basicAuth.ts +1 -1
package/src/security/primitives/$issuer.ts +6 -3
package/src/server/auth/providers/ServerAuthProvider.ts +5 -1
package/src/server/core/__tests__/ServerRouterProvider-serializationError.spec.ts +75 -0
package/src/server/core/__tests__/ServerRouterProvider-validationError.spec.ts +306 -0
package/src/server/core/errors/ValidationError.ts +13 -1
package/src/server/core/interfaces/ServerRequest.ts +1 -0
package/src/server/core/primitives/$action.ts +16 -5
package/src/server/core/providers/ServerProvider.ts +1 -1
package/src/server/core/providers/ServerRouterProvider.ts +28 -6
package/src/server/core/services/HttpClient.ts +1 -1
package/src/server/swagger/providers/ServerSwaggerProvider.ts +6 -8
package/src/websocket/providers/NodeWebSocketServerProvider.ts +10 -4
package/src/websocket/services/WebSocketClient.ts +11 -5
package/src/mcp/transports/SseMcpTransport.ts +0 -182
package/src/orm/core/__tests__/parseQueryString.spec.ts +0 -196
package/src/orm/core/helpers/parseQueryString.ts +0 -502
package/src/orm/core/primitives/$view.ts +0 -88

package/src/mcp/transports/StreamableHttpMcpTransport.ts ADDED Viewed

@@ -0,0 +1,226 @@
+import { $atom, $inject, $state, t } from "alepha";
+import { $logger } from "alepha/logger";
+import { $route } from "alepha/server";
+import {
+  createErrorResponse,
+  createParseError,
+  JsonRpcParseError,
+  parseMessage,
+} from "../helpers/jsonrpc.ts";
+import type { McpContext } from "../interfaces/McpTypes.ts";
+import { McpServerProvider } from "../providers/McpServerProvider.ts";
+// ---------------------------------------------------------------------------------------------------------------------
+export const mcpStreamableHttpOptions = $atom({
+  name: "alepha.mcp.streamableHttp.options",
+  description: "Configuration options for the MCP Streamable HTTP transport.",
+  schema: t.object({
+    /**
+     * Path for the MCP endpoint. Single endpoint for both requests and
+     * (optional) server-streamed responses, per spec 2025-03-26+.
+     */
+    path: t.text({ default: "/mcp" }),
+    /**
+     * Allow-list of `Origin` header values accepted on incoming requests.
+     * Empty array (default) means "allow any". When set, browser-originated
+     * requests with a non-matching `Origin` are rejected with 403 Forbidden,
+     * blocking DNS-rebinding attacks against localhost MCP servers.
+     *
+     * Server-to-server callers (no `Origin` header) are always allowed.
+     *
+     * Spec 2025-11-25, PR #1439.
+     */
+    allowedOrigins: t.array(t.text(), { default: [] }),
+  }),
+  default: {
+    path: "/mcp",
+    allowedOrigins: [],
+  },
+});
+// Backward-compat alias for the legacy atom name. Prefer
+// `mcpStreamableHttpOptions` going forward; this re-export keeps existing
+// consumer imports compiling and will be removed once they migrate.
+export const mcpSseOptions = mcpStreamableHttpOptions;
+// ---------------------------------------------------------------------------------------------------------------------
+/**
+ * Streamable HTTP transport for MCP communication.
+ *
+ * Implements the 2025-03-26+ Streamable HTTP transport: a single `/mcp`
+ * endpoint that accepts JSON-RPC over POST and returns either
+ * `application/json` (single response, the default) or
+ * `text/event-stream` (when the server wants to stream multiple messages).
+ *
+ * Designed for serverless deployment (Cloudflare Workers, etc.) — there is
+ * no long-lived GET stream. GET on the endpoint returns 405 Method Not
+ * Allowed; clients that want server-initiated push must rely on the POST
+ * response stream when the server upgrades to SSE for that particular call.
+ *
+ * Spec compliance:
+ * - 2025-06-18: validates `MCP-Protocol-Version` header on every request
+ *   after `initialize` against the version negotiated and stored on
+ *   `McpServerProvider`.
+ * - 2025-11-25: rejects requests with a non-allow-listed `Origin` header
+ *   (PR #1439). See {@link mcpStreamableHttpOptions.allowedOrigins}.
+ *
+ * @example
+ * ```ts
+ * import { Alepha, run } from "alepha";
+ * import { AlephaServer } from "alepha/server";
+ * import { AlephaMcp, StreamableHttpMcpTransport } from "alepha/mcp";
+ *
+ * class MyTools {
+ *   // ... tool definitions
+ * }
+ *
+ * run(
+ *   Alepha.create()
+ *     .with(AlephaServer)
+ *     .with(AlephaMcp)
+ *     .with(StreamableHttpMcpTransport)
+ *     .with(MyTools)
+ * );
+ * ```
+ */
+export class StreamableHttpMcpTransport {
+  protected readonly log = $logger();
+  protected readonly options = $state(mcpStreamableHttpOptions);
+  protected readonly mcpServer = $inject(McpServerProvider);
+  /**
+   * GET on the MCP endpoint is not supported in this transport. Returning
+   * 405 (rather than serving the legacy two-endpoint SSE pattern) is the
+   * spec-allowed response for servers that don't offer server-initiated
+   * push outside of an active POST.
+   */
+  notAllowed = $route({
+    method: "GET",
+    path: this.options.path,
+    handler: (request) => {
+      request.reply.status = 405;
+      request.reply.headers.allow = "POST";
+      request.reply.headers["content-type"] = "application/json";
+      request.reply.body = JSON.stringify({
+        error: "Method Not Allowed. Use POST for MCP messages.",
+      });
+    },
+  });
+  /**
+   * POST endpoint for client-to-server JSON-RPC messages.
+   * Returns `application/json` for single responses; tools that need to
+   * stream progress would upgrade to `text/event-stream` (deferred until a
+   * concrete need exists).
+   */
+  message = $route({
+    method: "POST",
+    path: this.options.path,
+    schema: {
+      body: t.json(),
+    },
+    handler: async (request) => {
+      try {
+        // Origin allow-list check (spec 2025-11-25 / PR #1439).
+        const originRaw = request.headers.origin;
+        const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
+        if (
+          origin &&
+          this.options.allowedOrigins.length > 0 &&
+          !this.options.allowedOrigins.includes(origin)
+        ) {
+          this.log.warn("Rejected MCP request with non-allowed Origin", {
+            origin,
+            allowed: this.options.allowedOrigins,
+          });
+          request.reply.status = 403;
+          request.reply.headers["content-type"] = "application/json";
+          request.reply.body = JSON.stringify({
+            error: "Forbidden: Origin not allowed",
+          });
+          return;
+        }
+        const body =
+          typeof request.body === "string"
+            ? request.body
+            : JSON.stringify(request.body);
+        this.log.debug("MCP request body", {
+          body,
+          bodyType: typeof request.body,
+        });
+        const rpcRequest = parseMessage(body);
+        // Build context from request headers
+        const headers = { ...request.headers } as Record<
+          string,
+          string | string[] | undefined
+        >;
+        // Spec 2025-06-18+: every HTTP request after `initialize` MUST carry
+        // an `MCP-Protocol-Version` header matching the negotiated version.
+        // Reject mismatches with 400 so the client doesn't silently drift.
+        if (rpcRequest.method !== "initialize") {
+          const headerRaw = headers["mcp-protocol-version"];
+          const headerVersion = Array.isArray(headerRaw)
+            ? headerRaw[0]
+            : headerRaw;
+          if (
+            headerVersion &&
+            headerVersion !== this.mcpServer.negotiatedVersion
+          ) {
+            this.log.warn("MCP-Protocol-Version header mismatch", {
+              header: headerVersion,
+              negotiated: this.mcpServer.negotiatedVersion,
+            });
+            request.reply.status = 400;
+            request.reply.headers["content-type"] = "application/json";
+            request.reply.body = JSON.stringify({
+              error: `MCP-Protocol-Version mismatch: expected ${this.mcpServer.negotiatedVersion}, got ${headerVersion}`,
+            });
+            return;
+          }
+        }
+        const context: McpContext = { headers };
+        const response = await this.mcpServer.handleMessage(
+          rpcRequest,
+          context,
+        );
+        if (response) {
+          request.reply.headers["content-type"] = "application/json";
+          request.reply.body = JSON.stringify(response);
+        } else {
+          request.reply.status = 204;
+        }
+      } catch (error) {
+        if (error instanceof JsonRpcParseError) {
+          request.reply.status = 400;
+          request.reply.headers["content-type"] = "application/json";
+          request.reply.body = JSON.stringify(
+            createErrorResponse(0, createParseError(error.message)),
+          );
+        } else {
+          this.log.error("Failed to process MCP message", error);
+          request.reply.status = 500;
+          request.reply.body = JSON.stringify({
+            error: (error as Error).message,
+          });
+        }
+      }
+    },
+  });
+}
+/**
+ * @deprecated Use {@link StreamableHttpMcpTransport}. The 2024-11-05
+ * two-endpoint HTTP+SSE pattern was replaced by Streamable HTTP in spec
+ * 2025-03-26. This alias is preserved for one release to ease migration.
+ */
+export const SseMcpTransport = StreamableHttpMcpTransport;

package/src/orm/REFACTORING.md ADDED Viewed

@@ -0,0 +1,330 @@
+# ORM — Refactoring Roadmap
+## Context
+Alepha currently runs on `drizzle-orm@0.45.x` (stable). This document captures the planned overhaul to **Drizzle v1** — the version that ships **Relations v2**, the official `node:sqlite` driver, and a rewritten `drizzle-kit`.
+This refactoring is **deferred** until Drizzle v1 reaches GA. As of writing (2026-05) v1 is still in beta (`v1.0.0-beta.20`, March 2025) with no GA date announced. The framework's stability needs the upstream library to be stable too — pulling in a beta would force every consumer to absorb breakage on someone else's release schedule.
+When v1 GA ships, this becomes a **bigbang upgrade** (no incremental migration path). The plan below is the playbook to execute on that day.
+## Why upgrade
+Alepha wraps Drizzle at the wrong layer. The `Repository` uses the low-level SQL builder (`db.select().from().leftJoin()`) and re-implements join handling manually via `PgRelationManager`. Drizzle's real power — the relational query API — is completely bypassed.
+Drizzle v1 Relations v2 solves every limitation of Alepha's current join system:
+| Current limitation | Drizzle v1 solution |
+|---|---|
+| No one-to-many joins | `r.many()` — lateral join + `json_agg` under the hood |
+| No many-to-many | `through()` — junction tables hidden from results |
+| No per-relation `where`/`orderBy`/`limit` | First-class in `db.query.table.findMany({ with: { posts: { where, orderBy, limit } } })` |
+| No `columns` on joined tables | `with: { posts: { columns: { id: true, title: true } } }` |
+| No computed fields on relations | `extras: { fullName: sql\`...\` }` |
+| Manual `.alias()` for self-joins | Handled by relation definition (`alias` param) |
+| `node:sqlite` shim around `better-sqlite3` | Official `drizzle-orm/node-sqlite` driver |
+## What Alepha keeps (the genuine value-add)
+These layers justify the Repository pattern. None of this exists in raw Drizzle and they survive the upgrade unchanged:
+- **Soft deletes** — automatic `deletedAt IS NULL` injection, transparent to all queries
+- **Multi-tenancy** — automatic org scoping via `currentUserAtom`
+- **Optimistic locking** — `save()` with version checking, `DbVersionMismatchError`
+- **Typed error hierarchy** — `DbConflictError`, `DbForeignKeyError`, `DbDeadlockError`, etc.
+- **Pagination** — `paginate()` with count, metadata, sort string parsing
+- **Aggregate API** — type-safe `aggregate()` with GROUP BY, HAVING, dot-notation ordering
+- **Transaction propagation** — implicit via `alepha.store`, no manual `{ tx }` drilling
+- **Query caching** — per-table TTL cache with auto-invalidation on writes
+- **Lifecycle events** — `repository:create:before/after`, `repository:read:before/after`, etc.
+- **Codec integration** — `DateTime`, custom types auto-encoded in WHERE clauses
+- **Schema transforms** — `insertSchema` / `updateSchema` — auto-exclude generated cols, handle defaults
+- **DI integration** — `$repository()`, `$inject()`, service substitution for tests
+- **JSON query DSL** — `{ where: { age: { gt: 18 } } }` — composable, serializable, loggable
+## What the current wrapper blocks
+Drizzle features the current Alepha layer hides from users:
+| Blocked feature | Impact |
+|---|---|
+| Relational query API (`db.query.table.findMany({ with })`) | Critical — one-to-many, per-relation filtering/ordering/limiting |
+| Lateral joins (`leftJoinLateral`) | High — top-N-per-group patterns |
+| CTEs (`$with` / `with`) | High — recursive queries, complex analytics |
+| Per-relation `where`/`orderBy`/`limit` | High |
+| `columns` on relations | Medium |
+| `extras` / computed fields | Medium |
+| Set operators (`union`, `intersect`, `except`) | Medium |
+| UPDATE with FROM/JOINs | Medium — join-based batch updates |
+| INSERT from SELECT | Medium |
+| `onConflictDoNothing` | Low-medium |
+| `selectDistinctOn` | Low-medium |
+## Drizzle v1 — feature reference
+### Relations v2
+```typescript
+const relations = defineRelations({ users, posts, comments }, (r) => ({
+  users: {
+    posts: r.many.posts(),                    // one-to-many
+    groups: r.many.groups({                   // many-to-many via junction
+      from: r.users.id.through(r.usersToGroups.userId),
+      to: r.groups.id.through(r.usersToGroups.groupId),
+    }),
+  },
+  posts: {
+    author: r.one.users({                     // many-to-one
+      from: r.posts.authorId,
+      to: r.users.id,
+    }),
+    comments: r.many.comments(),
+  },
+  comments: {
+    post: r.one.posts({
+      from: r.comments.postId,
+      to: r.posts.id,
+    }),
+  },
+}));
+```
+Key features:
+- `r.one` / `r.many` — declarative relation types
+- `through()` — many-to-many, junction table hidden from query results
+- `optional: true` — nullable relations (type-level)
+- `alias` — disambiguate multiple relations between same tables
+- `where` — predefined filters on target table (polymorphic relations)
+- `defineRelationsPart()` — modules define their own relations independently, then merge
+### Relational Query Builder v2
+```typescript
+const result = await db.query.users.findMany({
+  columns: { id: true, name: true },
+  where: { verified: true, age: { gt: 18 } },
+  orderBy: { name: "asc" },
+  limit: 10,
+  offset: 20,
+  extras: {
+    postCount: (users) => db.$count(posts, eq(posts.authorId, users.id)),
+  },
+  with: {
+    posts: {
+      columns: { id: true, title: true },
+      where: { publishedAt: { isNotNull: true } },
+      orderBy: { publishedAt: "desc" },
+      limit: 5,
+      with: {
+        comments: {
+          limit: 3,
+          orderBy: { createdAt: "desc" },
+        },
+      },
+    },
+  },
+});
+```
+Compiles to a single SQL statement using lateral joins with `json_agg`:
+```sql
+SELECT ...
+FROM "users" AS "d0"
+LEFT JOIN LATERAL (
+  SELECT coalesce(json_agg(row_to_json("t".*)), '[]') AS "r"
+  FROM (
+    SELECT ... FROM "posts" AS "d1"
+    WHERE "d0"."id" = "d1"."author_id"
+      AND "d1"."published_at" IS NOT NULL
+    ORDER BY "d1"."published_at" DESC
+    LIMIT 5
+  ) AS "t"
+) AS "posts" ON true
+```
+Where syntax operators: `eq`, `ne`, `gt`, `gte`, `lt`, `lte`, `in`, `notIn`, `like`, `ilike`, `notLike`, `notIlike`, `isNull`, `isNotNull`, `arrayOverlaps`, `arrayContained`, `arrayContains`, `OR`, `AND`, `NOT`, `RAW`.
+### Official `node:sqlite` driver
+```typescript
+import { drizzle } from "drizzle-orm/node-sqlite";
+// Simple — just a path
+const db = drizzle("sqlite.db");
+// Advanced — pass existing DatabaseSync
+import { DatabaseSync } from "node:sqlite";
+const sqlite = new DatabaseSync("sqlite.db");
+const db = drizzle({ client: sqlite });
+```
+No more `better-sqlite3` shim, no `aliasSelectColumns` SQL rewriting.
+### Other v1 features
+- **MSSQL support** — full dialect with drizzle-orm, drizzle-kit, drizzle-seed
+- **CockroachDB support** — new dialect
+- **Migration folders v3** — no `journal.json`, grouped folders, fewer Git conflicts
+- **`drizzle-kit` rewrite** — DDL snapshots, ~10x faster introspection
+- **Validator consolidation** — `drizzle-zod` → `drizzle-orm/zod`, `drizzle-typebox` → `drizzle-orm/typebox`
+- **Alternation engine** — advanced query branching (beta)
+- **Commutativity checks** (`drizzle-kit check`) — detect migration collisions in teams
+- **Column `.as()` alias** — direct column aliasing
+- **Subqueries in select fields** — computed columns inline
+- **RLS** — moved to `pgTable.withRLS()`
+- **Prepared statements** — work inside relational queries with `sql.placeholder()`
+- **PostgreSQL type fixes** — arrays of intervals, timestamps, dates now map correctly
+## Breaking changes to handle
+| Breaking change | Alepha impact |
+|---|---|
+| Migration folder restructure (v3 layout) | Run `drizzle-kit up` once. Update `DrizzleKitProvider`. |
+| Relations v1 → v2 | Alepha doesn't use Drizzle relations today — adopt v2 fresh. |
+| PostgreSQL array/timestamp type fixes | Audit `db.createdAt()`, `db.updatedAt()` and any array columns. |
+| Database/session/migrator gain 2 new generics | Update `DatabaseProvider` types. |
+| `DrizzleConfig` gains `TRelations` generic + `relations` field | Pass relations to `drizzle()` constructor. |
+| Validator packages moved into `drizzle-orm/*` | Low impact — Alepha uses TypeBox directly. |
+| `.enableRLS()` → `pgTable.withRLS()` | Audit Alepha for RLS usage (currently none expected). |
+## Migration playbook (when v1 GA ships)
+### 1. Bump dependencies
+```bash
+yarn add drizzle-orm@^1.0.0
+yarn add -D drizzle-kit@^1.0.0
+```
+### 2. Replace the `node:sqlite` shim
+Delete the `better-sqlite3` shim code in `core/providers/drivers/`:
+- `shimDatabaseSync()` (~50 lines)
+- `aliasSelectColumns()` (~60 lines)
+- `initDrizzle()` manual session construction (~20 lines)
+Replace with the official driver:
+```typescript
+import { drizzle } from "drizzle-orm/node-sqlite";
+this.drizzleDb = drizzle({ client: this.sqlite, relations });
+```
+### 3. Auto-generate `defineRelations()` from `db.ref()`
+The FK info already exists in `$entity` schemas. Either extend `ModelBuilder` or add a new `RelationBuilder` that walks all registered entities and emits:
+```typescript
+const relations = defineRelations(tables, (r) => ({
+  players: {
+    team: r.one.teams({
+      from: r.players.teamId,
+      to: r.teams.id,
+    }),
+  },
+  teams: {
+    players: r.many.players(),
+  },
+}));
+```
+This is fully derivable from `db.ref()` declarations — each ref knows its source column and target `EntityColumn`.
+### 4. Add `relationalQuery()` to `Repository`
+A new method that delegates to `db.query.table.findMany()` while applying Alepha's concerns:
+```typescript
+public async relationalQuery<Config>(config: RelationalQueryConfig<T>) {
+  // Inject soft-delete filter
+  // Inject org scoping
+  // Encode values via codec
+  // Emit repository:read:before/after events
+  // Handle caching
+  return await db.query[this.tableName].findMany(config);
+}
+```
+### 5. Deprecate `findMany({ with })` for joins
+Keep it working for backward compatibility but log a deprecation warning pointing to `relationalQuery()`. Remove in a follow-up release once consumers migrate.
+### 6. Run `drizzle-kit up`
+Migrate existing migration folders to the v3 layout.
+### 7. Audit timestamp/array column types
+PostgreSQL type fixes in v1 may change runtime values for:
+- `db.createdAt()` / `db.updatedAt()` — timestamp columns
+- Any array columns (intervals, timestamps, dates)
+### 8. Pass relations to `drizzle()`
+Update `DatabaseProvider` subclasses to pass the auto-generated relations when constructing the Drizzle instance.
+## Files affected
+### Delete / heavily simplify
+| File | Approx. lines | Reason |
+|---|---|---|
+| `core/services/PgRelationManager.ts` | 131 | Replaced by Drizzle's relational query engine |
+| `node:sqlite` driver shim | ~150 | `shimDatabaseSync()`, `aliasSelectColumns()` gone |
+| Join types in query layer (`PgRelation`, `PgRelationMap`, `PgStatic`) | ~40 | Drizzle handles relation types natively |
+| Relation where types (`PgQueryWhereRelations`) | ~10 | Drizzle v2 where syntax handles this |
+### Modify
+| File | Change |
+|---|---|
+| `core/services/Repository.ts` | Add `relationalQuery()`, deprecate `findMany({ with })` joins |
+| `core/providers/RepositoryProvider.ts` / `DatabaseTypeProvider.ts` | Accept and pass `relations` to Drizzle constructor |
+| `core/services/ModelBuilder.ts` (or new `RelationBuilder.ts`) | Generate `defineRelations()` from `db.ref()` |
+| `core/providers/DrizzleKitProvider.ts` | Update for migration folder v3 |
+| `postgres/` ModelBuilder | Audit timestamp/array type changes |
+| `core/providers/drivers/` (sqlite) | Replace shim with official driver |
+## Where syntax — Alepha → Drizzle v2
+Alepha's current syntax maps almost 1:1 to Drizzle v2:
+```
+Alepha                          Drizzle v2
+──────                          ──────────
+{ age: { gt: 18 } }             { age: { gt: 18 } }
+{ age: { gte: 18, lte: 65 } }   { age: { gte: 18, lte: 65 } }
+{ name: { contains: "foo" } }   { name: { ilike: "%foo%" } }
+{ status: { inArray: [...] } }  { status: { in: [...] } }
+{ isNull: true }                { isNull: true }
+{ and: [...] }                  { AND: [...] }
+{ or: [...] }                   { OR: [...] }
+{ not: {...} }                  { NOT: {...} }
+```
+Differences to bridge:
+- `inArray` → `in`, `notInArray` → `notIn`
+- `and` / `or` / `not` → `AND` / `OR` / `NOT` (capitalized)
+- `contains` / `startsWith` / `endsWith` — Alepha sugar with no direct Drizzle equivalent (expand to `ilike`)
+- Drizzle adds `RAW: (table) => sql\`...\`` for inline raw SQL inside `where`
+Alepha's JSON DSL stays the public API; the bridge to Drizzle v2 lives inside `Repository` / `QueryManager`.
+## Why not now
+- **Beta risk** — Drizzle v1 is still in beta. Pinning Alepha to a beta would couple every Alepha release to upstream's stabilization timeline.
+- **Bigbang nature** — the upgrade is not incremental (Relations v2, migration folder layout, type generics, driver swap all land together). Better executed in one focused window post-GA than dripped over months.
+- **No urgent user pain** — current Repository covers ~95% of usage. The blocked features (one-to-many joins, lateral joins, CTEs) are real gaps but have manual workarounds today.
+## Estimated effort when triggered
+Multi-day, not single-day:
+- Replace `node:sqlite` shim — ~half day
+- Auto-generate `defineRelations()` from entity refs — 1 day
+- Add `relationalQuery()` with all Repository concerns wired through — 1 day
+- Migration folder v3 + `drizzle-kit` provider update — half day
+- PG type audit + test suite stabilization — 1 day
+- Total: ~4 days of focused work, plus regression hunt against the existing test suite.
+The framework's `~3400` ORM-touching tests are the safety net. If they pass, the upgrade landed cleanly.

package/src/orm/__tests__/$repository-tests.ts CHANGED Viewed

@@ -1014,6 +1014,7 @@ export const testTransactionThrowsWhenUnsupported = async (alepha: Alepha) => {
         original,
       );
     } else {
+      // biome-ignore lint/performance/noDelete: setting to undefined fails because the prototype has a getter
       delete provider.supportsTransactions;
     }
   }

package/src/orm/__tests__/orm-next-tests.ts CHANGED Viewed

@@ -1,8 +1,8 @@
-import { type Alepha, AlephaError, t } from "alepha";
+import { type Alepha, t } from "alepha";
 import { sql } from "drizzle-orm";
 import { expect } from "vitest";
 import { PG_GENERATED } from "../core/constants/PG_SYMBOLS.ts";
-import { $entity, $repository, $view, db, pgAttr } from "../core/index.ts";
+import { $entity, $repository, db, pgAttr } from "../core/index.ts";
 // ============================================================================
 // Shared entity definitions
@@ -425,68 +425,3 @@ export const testQueryCacheCustomKey = async (alepha: Alepha) => {
   );
   expect(cached).toHaveLength(1);
 };
-// ============================================================================
-// Feature 8: Database Views
-// ============================================================================
-export const testViewReadOnly = async (alepha: Alepha) => {
-  // Create the underlying table
-  const itemEntity = $entity({
-    name: "view_items",
-    schema: t.object({
-      id: db.primaryKey(),
-      name: t.text(),
-      price: t.number(),
-    }),
-  });
-  // Create a view
-  const itemView = $view({
-    name: "view_items_summary",
-    schema: t.object({
-      id: t.integer(),
-      name: t.text(),
-      price: t.number(),
-    }),
-    query: sql`SELECT id, name, price FROM view_items`,
-  });
-  class App {
-    items = $repository(itemEntity);
-    summary = $repository(itemView);
-  }
-  const app = alepha.inject(App);
-  await alepha.start();
-  // Verify the repository detects it's a view
-  expect(app.summary.isReadOnly).toBe(true);
-  expect(app.items.isReadOnly).toBe(false);
-  // Write operations should throw on views
-  await expect(
-    app.summary.create({ id: 1, name: "test", price: 10 } as any),
-  ).rejects.toThrow(AlephaError);
-};
-export const testViewRefreshThrowsForNonMaterialized = async (
-  alepha: Alepha,
-) => {
-  const view = $view({
-    name: "non_mat_view",
-    schema: t.object({
-      id: t.integer(),
-    }),
-    query: sql`SELECT 1 as id`,
-  });
-  class App {
-    repo = $repository(view);
-  }
-  const app = alepha.inject(App);
-  await alepha.start();
-  await expect(app.repo.refresh()).rejects.toThrow(AlephaError);
-};

package/src/orm/__tests__/orm-next.spec.ts CHANGED Viewed

@@ -14,8 +14,6 @@ import {
   testPartialIndex,
   testQueryCache,
   testQueryCacheCustomKey,
-  testViewReadOnly,
-  testViewRefreshThrowsForNonMaterialized,
 } from "./orm-next-tests.ts";
 const sqlite = () =>
@@ -119,22 +117,3 @@ describe("query caching", () => {
     await testQueryCacheCustomKey(postgres());
   });
 });
-// =============================================================================
-// Feature 8: Database Views
-// =============================================================================
-describe("database views", () => {
-  it("should block writes on view repositories (sqlite)", async () => {
-    await testViewReadOnly(sqlite());
-  });
-  it("should block writes on view repositories (postgres)", async () => {
-    await testViewReadOnly(postgres());
-  });
-  it("should throw on refresh for non-materialized view (sqlite)", async () => {
-    await testViewRefreshThrowsForNonMaterialized(sqlite());
-  });
-  it("should throw on refresh for non-materialized view (postgres)", async () => {
-    await testViewRefreshThrowsForNonMaterialized(postgres());
-  });
-});

package/src/orm/core/index.shared.ts CHANGED Viewed

@@ -12,13 +12,11 @@ export * from "./errors/DbEntityNotFoundError.ts";
 export * from "./errors/DbForeignKeyError.ts";
 export * from "./errors/DbNotNullError.ts";
 export * from "./errors/DbTableNotFoundError.ts";
-export * from "./helpers/parseQueryString.ts";
 export * from "./helpers/pgAttr.ts";
 export * from "./interfaces/AggregateQuery.ts";
 export * from "./interfaces/FilterOperators.ts";
 export * from "./interfaces/PgQuery.ts";
 export * from "./interfaces/PgQueryWhere.ts";
 export * from "./primitives/$entity.ts";
-export * from "./primitives/$view.ts";
 export * from "./providers/DatabaseTypeProvider.ts";
 export * from "./schemas/legacyIdSchema.ts";