c8y-nitro 0.4.1 → 0.5.0

package/README.md

@@ -143,6 +143,7 @@ Credential caching can be configured to optimize performance. By default, subscr
 ```ts
 export default defineNitroConfig({
   c8y: {
+    enableTenantOptionsInvalidationRoute: false,
     cache: {
       credentialsTTL: 300, // Cache credentials for 5 minutes (in seconds)
       defaultTenantOptionsTTL: 600, // Default cache for tenant options (in seconds)
@@ -179,6 +180,21 @@ C8Y_DEVELOPMENT_PASSWORD=your-password
 
 This enables testing of access control middlewares like `hasUserRequiredRole()` and `isUserFromAllowedTenant()` without needing to manually set authorization headers.
 
+If you run a local proxy that already forwards a user session or authorization header, disable this middleware:
+
+```ts
+export default defineNitroConfig({
+  c8y: {
+    dev: {
+      injectUser: false,
+    },
+  },
+  modules: [c8y()],
+})
+```
+
+When disabled, `c8y-nitro` does not register the development user injection middleware, so incoming auth headers stay untouched.
+
 ### Managing Development User Roles
 
 Use the [CLI roles command](#cli-commands) to assign or remove your microservice's custom roles to your development user:
@@ -440,7 +456,7 @@ export default defineNitroConfig({
     manifest: {
       settings: [
         { key: 'myOption', defaultValue: 'default' },
-        { key: 'credentials.secret' }, // Encrypted option
+        { key: 'credentials.secret', defaultValue: 'change-me' }, // Encrypted option
       ],
       settingsCategory: 'my-service', // Optional, defaults to contextPath/name
       requiredRoles: ['ROLE_OPTION_MANAGEMENT_READ'], // Required for reading tenant options
@@ -450,9 +466,11 @@ export default defineNitroConfig({
 })
 ```
 
+`manifest.settings[].defaultValue` is required and must be a non-empty string. `''` is rejected during manifest generation so invalid settings fail early during development/build.
+
 > **Important**: To read tenant options, your microservice **must** have the `ROLE_OPTION_MANAGEMENT_READ` role in `manifest.requiredRoles`. Without this role, API calls will fail with a 403 Forbidden error.
 
-> **Note on Encrypted Options**: Keys prefixed with `credentials.` are stored encrypted by Cumulocity. The value is automatically decrypted when fetched if your microservice is the owner of the option (the option's category matches your microservice's `settingsCategory`, `contextPath`, or name). The `credentials.` prefix is automatically stripped when calling the API.
+> **Note on Encrypted Options**: Keys prefixed with `credentials.` are stored encrypted by Cumulocity. See more details [here](https://cumulocity.com/api/core/#operation/postOptionCollectionResource).
 
 > **Note on Missing Options**: If a tenant option is not set (404 Not Found), `useTenantOption()` returns `undefined` instead of throwing an error. Other errors (e.g., 403 Forbidden) are thrown normally.
 
@@ -480,6 +498,8 @@ export default defineNitroConfig({
 | `isUserFromAllowedTenant(tenant\|tenants)` | Check if user is from allowed tenant(s)   |       ✅        |
 | `isUserFromDeployedTenant()`               | Check if user is from the deployed tenant |       ✅        |
 
+Probe requests targeting the manifest-defined `livenessProbe.httpGet.path` or `readinessProbe.httpGet.path` bypass these auth helpers so orchestration health checks are not blocked by route-wide access control.
+
 ## CLI Commands
 
 | Command     | Description                                             |

package/dist/{bootstrap-BqWPkH8q.mjs → bootstrap-BSdVwFWO.mjs}

@@ -1,6 +1,6 @@
-import { a as findMicroserviceByName, d as updateMicroservice, l as subscribeToApplication, n as createBasicAuthHeader, o as getBootstrapCredentials, p as createC8yManifest, r as createMicroservice } from "./c8y-api-BBSKRwKs.mjs";
+import { a as findMicroserviceByName, d as updateMicroservice, l as subscribeToApplication, n as createBasicAuthHeader, o as getBootstrapCredentials, p as createC8yManifest, r as createMicroservice } from "./c8y-api-BgTNTqHd.mjs";
 import { t as writeBootstrapCredentials } from "./env-file-B0BK-uZW.mjs";
-import { n as validateBootstrapEnv, t as loadC8yConfig } from "./config-Dqi-ttQi.mjs";
+import { n as validateBootstrapEnv, t as loadC8yConfig } from "./config-BRnvtthI.mjs";
 import { defineCommand, runCommand } from "citty";
 import { consola } from "consola";
 //#region src/cli/commands/bootstrap.ts
@@ -52,7 +52,7 @@ var bootstrap_default = defineCommand({
 		});
 		consola.success(`Bootstrap credentials written to ${envFileName}`);
 		if (manifest.roles && manifest.roles.length > 0) {
-			if (await consola.prompt("Do you want to manage microservice roles for your development user?", { type: "confirm" })) await runCommand(await import("./roles-DJxp2d8p.mjs").then((r) => r.default), { rawArgs: [] });
+			if (await consola.prompt("Do you want to manage microservice roles for your development user?", { type: "confirm" })) await runCommand(await import("./roles-CoBPqvDv.mjs").then((r) => r.default), { rawArgs: [] });
 		}
 		consola.success("Bootstrap complete!");
 	}

package/dist/{c8y-api-BBSKRwKs.mjs → c8y-api-BgTNTqHd.mjs}

@@ -3,8 +3,15 @@ import { Buffer } from "node:buffer";
 //#region src/module/constants.ts
 const GENERATED_LIVENESS_ROUTE = "/_c8y_nitro/liveness";
 const GENERATED_READINESS_ROUTE = "/_c8y_nitro/readiness";
+const GENERATED_INVALIDATE_TENANT_OPTIONS_ROUTE = "/_c8y_nitro/invalidate-tenant-options";
 //#endregion
 //#region src/module/manifest.ts
+function validateManifestSettings(options) {
+	const invalidSettings = options.settings?.filter((setting) => typeof setting.defaultValue !== "string" || setting.defaultValue.length === 0) ?? [];
+	if (invalidSettings.length === 0) return;
+	const invalidKeys = invalidSettings.map((setting) => `"${setting.key}"`).join(", ");
+	throw new Error(`manifest.settings entries must define a non-empty defaultValue. Invalid keys: ${invalidKeys}`);
+}
 async function readPackageJsonFieldsForManifest(rootDir, logger) {
 	logger?.debug(`Reading package file from ${rootDir}`);
 	const pkg = await readPackage(rootDir);
@@ -37,6 +44,7 @@ async function readPackageJsonFieldsForManifest(rootDir, logger) {
 * @param logger - Optional logger for debug output
 */
 async function createC8yManifest(rootDir, options = {}, logger) {
+	validateManifestSettings(options);
 	const { name, version, provider, ...restManifestFields } = await readPackageJsonFieldsForManifest(rootDir, logger);
 	const probeFields = {};
 	if (!options.livenessProbe?.httpGet) probeFields.livenessProbe = {
@@ -286,7 +294,35 @@ async function getTenantOption(baseUrl, category, key, authHeader) {
 	return (await response.json()).value;
 }
 /**
-* Updates or creates a tenant option.
+* Creates a tenant option.
+* @param baseUrl - The Cumulocity base URL
+* @param category - The category of the option
+* @param key - The option key
+* @param value - The value to set
+* @param authHeader - The Basic Auth header
+*/
+async function createTenantOption(baseUrl, category, key, value, authHeader) {
+	const url = `${baseUrl}/tenant/options`;
+	const response = await fetch(url, {
+		method: "POST",
+		headers: {
+			"Authorization": authHeader,
+			"Content-Type": "application/vnd.com.nsn.cumulocity.option+json",
+			"Accept": "application/json"
+		},
+		body: JSON.stringify({
+			category,
+			key,
+			value
+		})
+	});
+	if (!response.ok) {
+		const errorText = await response.text();
+		throw new Error(`Failed to create tenant option ${category}/${key}: ${response.status} ${response.statusText}\n${errorText}`, { cause: response });
+	}
+}
+/**
+* Updates an existing tenant option.
 * @param baseUrl - The Cumulocity base URL
 * @param category - The category of the option
 * @param key - The option key
@@ -310,6 +346,25 @@ async function updateTenantOption(baseUrl, category, key, value, authHeader) {
 	}
 }
 /**
+* Updates a tenant option if it exists, otherwise creates it.
+* @param baseUrl - The Cumulocity base URL
+* @param category - The category of the option
+* @param key - The option key
+* @param value - The new value to set
+* @param authHeader - The Basic Auth header
+*/
+async function upsertTenantOption(baseUrl, category, key, value, authHeader) {
+	try {
+		await updateTenantOption(baseUrl, category, key, value, authHeader);
+	} catch (error) {
+		if (error.cause?.status === 404) {
+			await createTenantOption(baseUrl, category, key, value, authHeader);
+			return;
+		}
+		throw error;
+	}
+}
+/**
 * Deletes a tenant option.
 * @param baseUrl - The Cumulocity base URL
 * @param category - The category of the option
@@ -329,4 +384,4 @@ async function deleteTenantOption(baseUrl, category, key, authHeader) {
 	}
 }
 //#endregion
-export { findMicroserviceByName as a, getTenantOptionsByCategory as c, updateMicroservice as d, updateTenantOption as f, GENERATED_READINESS_ROUTE as g, GENERATED_LIVENESS_ROUTE as h, deleteTenantOption as i, subscribeToApplication as l, createC8yManifestFromNitro as m, createBasicAuthHeader as n, getBootstrapCredentials as o, createC8yManifest as p, createMicroservice as r, getTenantOption as s, assignUserRole as t, unassignUserRole as u };
+export { GENERATED_READINESS_ROUTE as _, findMicroserviceByName as a, getTenantOptionsByCategory as c, updateMicroservice as d, upsertTenantOption as f, GENERATED_LIVENESS_ROUTE as g, GENERATED_INVALIDATE_TENANT_OPTIONS_ROUTE as h, deleteTenantOption as i, subscribeToApplication as l, createC8yManifestFromNitro as m, createBasicAuthHeader as n, getBootstrapCredentials as o, createC8yManifest as p, createMicroservice as r, getTenantOption as s, assignUserRole as t, unassignUserRole as u };

package/dist/cli/index.mjs

@@ -1,4 +1,4 @@
-import { n as name, r as version, t as description } from "../package-CobwNpP9.mjs";
+import { n as name, r as version, t as description } from "../package-bfMasPPg.mjs";
 import { defineCommand, runMain } from "citty";
 //#region src/cli/index.ts
 runMain(defineCommand({
@@ -8,9 +8,9 @@ runMain(defineCommand({
 		description
 	},
 	subCommands: {
-		bootstrap: () => import("../bootstrap-BqWPkH8q.mjs").then((r) => r.default),
-		roles: () => import("../roles-DJxp2d8p.mjs").then((r) => r.default),
-		options: () => import("../options-BDDJWdph.mjs").then((r) => r.default)
+		bootstrap: () => import("../bootstrap-BSdVwFWO.mjs").then((r) => r.default),
+		roles: () => import("../roles-CoBPqvDv.mjs").then((r) => r.default),
+		options: () => import("../options-BkWL1FOa.mjs").then((r) => r.default)
 	}
 }));
 //#endregion

package/dist/{config-Dqi-ttQi.mjs → config-BRnvtthI.mjs}

@@ -2,6 +2,9 @@ import { dirname } from "pathe";
 import { loadConfig, loadDotenv } from "c12";
 import process from "process";
 //#region src/cli/utils/config.ts
+function normalizeBaseUrl(baseUrl) {
+	return baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
+}
 /**
 * Loads c8y configuration from nitro.config and .env files.
 * Searches in cwd.
@@ -45,7 +48,7 @@ function validateBootstrapEnv(env) {
 	const missing = REQUIRED_BOOTSTRAP_ENV_VARS.filter((key) => !env[key]);
 	if (missing.length > 0) throw new Error(`Missing required environment variables:\n${missing.map((k) => `  - ${k}`).join("\n")}\n\nPlease set these in your .env or .env.local file.`);
 	return {
-		C8Y_BASEURL: env.C8Y_BASEURL.endsWith("/") ? env.C8Y_BASEURL.slice(0, -1) : env.C8Y_BASEURL,
+		C8Y_BASEURL: normalizeBaseUrl(env.C8Y_BASEURL),
 		C8Y_DEVELOPMENT_TENANT: env.C8Y_DEVELOPMENT_TENANT,
 		C8Y_DEVELOPMENT_USER: env.C8Y_DEVELOPMENT_USER,
 		C8Y_DEVELOPMENT_PASSWORD: env.C8Y_DEVELOPMENT_PASSWORD

package/dist/{index-CzUqbp5C.d.mts → index-Bvu7DqDt.d.mts}

@@ -193,10 +193,10 @@ interface Option {
    */
   key: string;
   /**
-   * Initial value if not overridden.
+   * Initial non-empty value if not overridden.
    * @example "1234"
    */
-  defaultValue?: string;
+  defaultValue: string;
   /**
    * Allow tenants to modify at runtime.
    * @default false
@@ -389,11 +389,34 @@ type C8YTenantOptionKeysCacheConfig$1 = Partial<Record<C8YTenantOptionKey$1, num
 type C8YTenantOptionKey$1 = string;
 //#endregion
 //#region src/types/index.d.ts
+interface C8yDevOptions {
+  /**
+   * Automatically inject the configured development user into incoming requests
+   * during local Nitro dev mode.
+   *
+   * Disable this when a local proxy already forwards the desired user context.
+   * @default true
+   */
+  injectUser?: boolean;
+}
 interface C8yNitroModuleOptions {
+  dev?: C8yDevOptions;
   manifest?: C8YManifestOptions;
   apiClient?: C8YAPIClientOptions;
   zip?: C8YZipOptions;
   cache?: C8yCacheOptions;
+  /**
+   * Adds a debug route for invalidating already-created tenant option caches.
+   * Exposes `GET /_c8y_nitro/invalidate-tenant-options`.
+   *
+   * Query params:
+   * - `all`: invalidate all created tenant option fetchers
+   * - `key`: invalidate a single manifest-defined tenant option key if its fetcher exists
+   *
+   * `all` takes priority over `key`.
+   * @default false
+   */
+  enableTenantOptionsInvalidationRoute?: boolean;
   /**
    * Disable auto-bootstrap during development.
    * When true, the module will not automatically register the microservice
@@ -405,4 +428,4 @@ interface C8yNitroModuleOptions {
   skipBootstrap?: boolean;
 }
 //#endregion
-export { C8yCacheOptions as a, C8YManifestOptions as c, C8YRoles$1 as i, C8YAPIClientOptions as l, C8YTenantOptionKey$1 as n, C8YZipOptions as o, C8YTenantOptionKeysCacheConfig$1 as r, C8YManifest as s, C8yNitroModuleOptions as t };
+export { C8YRoles$1 as a, C8YManifest as c, C8YTenantOptionKeysCacheConfig$1 as i, C8YManifestOptions as l, C8yNitroModuleOptions as n, C8yCacheOptions as o, C8YTenantOptionKey$1 as r, C8YZipOptions as s, C8yDevOptions as t, C8YAPIClientOptions as u };

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-import { t as C8yNitroModuleOptions } from "./index-CzUqbp5C.mjs";
+import { n as C8yNitroModuleOptions } from "./index-Bvu7DqDt.mjs";
 import { NitroModule } from "nitro/types";
 
 //#region src/index.d.ts

package/dist/index.mjs

@@ -1,6 +1,6 @@
-import { a as findMicroserviceByName, g as GENERATED_READINESS_ROUTE, h as GENERATED_LIVENESS_ROUTE, l as subscribeToApplication, m as createC8yManifestFromNitro, n as createBasicAuthHeader, o as getBootstrapCredentials, p as createC8yManifest, r as createMicroservice } from "./c8y-api-BBSKRwKs.mjs";
+import { _ as GENERATED_READINESS_ROUTE, a as findMicroserviceByName, g as GENERATED_LIVENESS_ROUTE, h as GENERATED_INVALIDATE_TENANT_OPTIONS_ROUTE, l as subscribeToApplication, m as createC8yManifestFromNitro, n as createBasicAuthHeader, o as getBootstrapCredentials, p as createC8yManifest, r as createMicroservice } from "./c8y-api-BgTNTqHd.mjs";
 import { t as writeBootstrapCredentials } from "./env-file-B0BK-uZW.mjs";
-import { n as name } from "./package-CobwNpP9.mjs";
+import { n as name } from "./package-bfMasPPg.mjs";
 import { basename, dirname, join, relative } from "node:path";
 import { mkdir, writeFile } from "node:fs/promises";
 import { x } from "tinyexec";
@@ -427,11 +427,21 @@ async function setupRuntimeConfig(nitro, options) {
 */
 function registerRuntime(nitro, options = {}) {
 	const thisFilePath = fileURLToPath(new URL(".", import.meta.url));
+	const isNitroDev = nitro.options.preset === "nitro-dev";
+	const shouldIncludeRuntimeFile = (relativePath) => {
+		if (relativePath.endsWith(".dev.ts") && !isNitroDev) return false;
+		if (relativePath.endsWith("/dev-user.dev.ts") && options.dev?.injectUser === false) return false;
+		return true;
+	};
+	const toRuntimePath = (relativePath) => join$1(thisFilePath, relativePath.replace(/\.ts$/, ""));
 	const allPlugins = Object.keys({
-		"./runtime/plugins/c8y-variables.ts": 0,
+		"./runtime/plugins/c8y-variables.dev.ts": 0,
 		"./runtime/plugins/enrich-logs.ts": 0
-	}).map((p) => join$1(thisFilePath, p.replace(".ts", "")));
-	const allMiddlewares = Object.keys({ "./runtime/middlewares/dev-user.ts": 0 }).map((p) => join$1(thisFilePath, p.replace(".ts", "")));
+	}).filter(shouldIncludeRuntimeFile).map(toRuntimePath);
+	const allMiddlewares = Object.keys({
+		"./runtime/middlewares/c8y-client.ts": 0,
+		"./runtime/middlewares/dev-user.dev.ts": 0
+	}).filter(shouldIncludeRuntimeFile).map(toRuntimePath);
 	/**
 	* Plugins (auto scanned)
 	*/
@@ -465,6 +475,15 @@ function registerRuntime(nitro, options = {}) {
 		});
 		nitro.logger.debug(`Generated readiness probe at ${GENERATED_READINESS_ROUTE}`);
 	} else nitro.logger.debug("Readiness probe httpGet defined by user; skipping generation");
+	if (options.enableTenantOptionsInvalidationRoute) {
+		const invalidateTenantOptionsHandlerPath = join$1(thisFilePath, "./runtime/handlers/invalidateTenantOptions");
+		handlers.push({
+			route: GENERATED_INVALIDATE_TENANT_OPTIONS_ROUTE,
+			handler: invalidateTenantOptionsHandlerPath,
+			method: "GET"
+		});
+		nitro.logger.debug(`Generated tenant option invalidation route at ${GENERATED_INVALIDATE_TENANT_OPTIONS_ROUTE}`);
+	}
 	nitro.options.handlers.push(...handlers);
 }
 //#endregion
@@ -558,12 +577,25 @@ function c8y() {
 				name,
 				"@c8y/client"
 			];
+			nitro.options.rolldownConfig = {
+				...nitro.options.rolldownConfig,
+				resolve: {
+					...nitro.options.rolldownConfig?.resolve,
+					alias: {
+						...nitro.options.rolldownConfig?.resolve?.alias,
+						tslib: "tslib/tslib.es6.mjs"
+					}
+				}
+			};
 			if (!nitro.options.preset.startsWith("nitro") && !nitro.options.preset.startsWith("node")) {
 				nitro.logger.error(`Unsupported preset "${nitro.options.preset}" for c8y-nitro module, only node presets are supported.`);
 				throw new Error("Unsupported preset for c8y-nitro module");
 			}
 			let manifest = await createC8yManifestFromNitro(nitro);
-			const { setup: setupEvlog } = evlog({ env: { service: manifest.name } });
+			const { setup: setupEvlog } = evlog({
+				env: { service: manifest.name },
+				exclude: [manifest.livenessProbe?.httpGet?.path, manifest.readinessProbe?.httpGet?.path].filter(Boolean)
+			});
 			await setupEvlog(nitro);
 			if (!options.skipBootstrap) await autoBootstrap(nitro);
 			await setupRuntimeConfig(nitro, options);

package/dist/logging-CVlaRS4O.mjs

@@ -0,0 +1,3 @@
+import "evlog/nitro/v3";
+import { createError } from "evlog";
+export { createError as t };

package/dist/{options-BDDJWdph.mjs → options-BkWL1FOa.mjs}

@@ -1,5 +1,5 @@
-import { c as getTenantOptionsByCategory, f as updateTenantOption, i as deleteTenantOption, n as createBasicAuthHeader, p as createC8yManifest, s as getTenantOption } from "./c8y-api-BBSKRwKs.mjs";
-import { n as validateBootstrapEnv, t as loadC8yConfig } from "./config-Dqi-ttQi.mjs";
+import { c as getTenantOptionsByCategory, f as upsertTenantOption, i as deleteTenantOption, n as createBasicAuthHeader, p as createC8yManifest, s as getTenantOption } from "./c8y-api-BgTNTqHd.mjs";
+import { n as validateBootstrapEnv, t as loadC8yConfig } from "./config-BRnvtthI.mjs";
 import { defineCommand } from "citty";
 import { consola } from "consola";
 //#region src/cli/commands/options.ts
@@ -62,6 +62,7 @@ async function handleRead(baseUrl, category, authHeader, availableKeys, currentO
 		consola.warn("No options are currently set");
 		return;
 	}
+	if (credentialsKeys.length > 0) consola.warn("Encrypted credentials.* options cannot be read in decrypted form with the development user in this CLI.");
 	const key = await consola.prompt("Select option to read:", {
 		type: "select",
 		options: allKeys.map((k) => ({
@@ -71,7 +72,7 @@ async function handleRead(baseUrl, category, authHeader, availableKeys, currentO
 		cancel: "reject"
 	});
 	consola.info(`Reading option: ${key}`);
-	const value = await getTenantOption(baseUrl, category, key.startsWith("credentials.") ? key.replace(/^credentials\./, "") : key, authHeader);
+	const value = await getTenantOption(baseUrl, category, key, authHeader);
 	if (value === void 0) consola.warn(`Option '${key}' is not set`);
 	else consola.success(`Value: ${value}`);
 }
@@ -101,7 +102,7 @@ async function handleUpdate(baseUrl, category, authHeader, availableKeys, curren
 			cancel: "reject"
 		});
 		consola.info(`Updating option: ${key}`);
-		await updateTenantOption(baseUrl, category, key.replace(/^credentials\./, ""), newValue, authHeader);
+		await upsertTenantOption(baseUrl, category, key, newValue, authHeader);
 		currentOptions[key] = newValue;
 		consola.success(`Option '${key}' updated successfully`);
 		if (!await consola.prompt("Update another option?", {
@@ -136,7 +137,8 @@ async function handleDelete(baseUrl, category, authHeader, availableKeys, curren
 	consola.info(`Deleting ${keysToDelete.length} option(s)...`);
 	for (const key of keysToDelete) {
 		consola.info(`Deleting option: ${key}`);
-		await deleteTenantOption(baseUrl, category, key.startsWith("credentials.") ? key.replace(/^credentials\./, "") : key, authHeader);
+		await deleteTenantOption(baseUrl, category, key, authHeader);
+		delete currentOptions[key];
 		consola.success(`✓ Deleted: ${key}`);
 	}
 	consola.success("Delete operation completed");

package/dist/{package-CobwNpP9.mjs → package-bfMasPPg.mjs}

@@ -1,6 +1,6 @@
 //#region package.json
 var name = "c8y-nitro";
-var version = "0.4.1";
+var version = "0.5.0";
 var description = "Lightning fast Cumulocity IoT microservice development powered by Nitro";
 //#endregion
 export { name as n, version as r, description as t };

package/dist/{roles-DJxp2d8p.mjs → roles-CoBPqvDv.mjs}

@@ -1,5 +1,5 @@
-import { n as createBasicAuthHeader, p as createC8yManifest, t as assignUserRole, u as unassignUserRole } from "./c8y-api-BBSKRwKs.mjs";
-import { n as validateBootstrapEnv, t as loadC8yConfig } from "./config-Dqi-ttQi.mjs";
+import { n as createBasicAuthHeader, p as createC8yManifest, t as assignUserRole, u as unassignUserRole } from "./c8y-api-BgTNTqHd.mjs";
+import { n as validateBootstrapEnv, t as loadC8yConfig } from "./config-BRnvtthI.mjs";
 import { defineCommand } from "citty";
 import { consola } from "consola";
 //#region src/cli/commands/roles.ts

package/dist/runtime/handlers/invalidateTenantOptions.mjs

@@ -0,0 +1,35 @@
+import { t as createError } from "../../logging-CVlaRS4O.mjs";
+import { c8yTenantOptionKeys } from "c8y-nitro/runtime";
+import { defineEventHandler, getQuery } from "nitro/h3";
+//#region src/utils/internal/tenantOptionFetchers.ts
+/**
+* Internal storage for cached functions per key
+*/
+const tenantOptionFetchers = {};
+//#endregion
+//#region src/module/runtime/handlers/invalidateTenantOptions.ts
+var invalidateTenantOptions_default = defineEventHandler(async (event) => {
+	const query = getQuery(event);
+	if ("all" in query) {
+		await Promise.all(Object.values(tenantOptionFetchers).map((fetcher) => fetcher?.invalidate()));
+		return { message: "success" };
+	}
+	const key = Array.isArray(query.key) ? query.key[0] : query.key;
+	if (!key) throw createError({
+		status: 400,
+		message: "Provide either the all or key query parameter",
+		why: "The tenant option invalidation route requires an explicit target",
+		fix: "Use ?all to invalidate all created tenant option caches or ?key=<manifest setting key> to invalidate one created cache entry"
+	});
+	if (!c8yTenantOptionKeys.includes(key)) throw createError({
+		status: 400,
+		message: "Invalid tenant option invalidation request",
+		why: "Only tenant option keys declared in manifest.settings can be invalidated via this route",
+		fix: "Use ?all to invalidate all created tenant option caches or provide a valid manifest-defined key in ?key"
+	});
+	const fetcher = tenantOptionFetchers[key];
+	if (fetcher) await fetcher.invalidate();
+	return { message: "success" };
+});
+//#endregion
+export { invalidateTenantOptions_default as default };

package/dist/runtime/middlewares/c8y-client.mjs

@@ -0,0 +1,43 @@
+import { t as createError } from "../../logging-CVlaRS4O.mjs";
+import { defineMiddleware } from "nitro";
+import process from "node:process";
+//#region src/module/runtime/middlewares/c8y-client.ts
+function isC8yClientThrownResponse(error) {
+	if (!error || typeof error !== "object") return false;
+	if (!("res" in error) || !error.res || typeof error.res !== "object") return false;
+	const response = error.res;
+	if (typeof response.status !== "number") return false;
+	const responseUrl = typeof response.url === "string" ? response.url : void 0;
+	const baseUrl = process.env.C8Y_BASEURL?.replace(/\/+$/, "");
+	const matchesConfiguredTenant = Boolean(baseUrl && responseUrl?.startsWith(baseUrl));
+	if ("data" in error && error.data && typeof error.data === "object") {
+		const data = error.data;
+		if (typeof data.info === "string" && data.info.startsWith("https://cumulocity.com/")) return true;
+	}
+	return matchesConfiguredTenant;
+}
+var c8y_client_default = defineMiddleware(async (_event, next) => {
+	try {
+		return await next();
+	} catch (error) {
+		if (!isC8yClientThrownResponse(error)) throw error;
+		const upstreamMessage = error.data?.message || error.res.statusText || "Cumulocity request failed";
+		const upstreamCode = error.data?.error;
+		throw createError({
+			message: "Internal Server Error",
+			status: 500,
+			internal: {
+				help: "An error occurred while processing a request to Cumulocity from the @c8y/client library.",
+				upstream: "@c8y/client",
+				message: upstreamMessage,
+				code: upstreamCode,
+				status: error.res.status,
+				statusText: error.res.statusText,
+				url: error.res.url,
+				data: error.data
+			}
+		});
+	}
+});
+//#endregion
+export { c8y_client_default as default };

package/dist/runtime/middlewares/{dev-user.mjs → dev-user.dev.mjs}

@@ -2,8 +2,8 @@ import { defineHandler } from "nitro/h3";
 import process from "node:process";
 import { Buffer } from "node:buffer";
 import consola from "consola";
-//#region src/module/runtime/middlewares/dev-user.ts
-var dev_user_default = defineHandler((event) => {
+//#region src/module/runtime/middlewares/dev-user.dev.ts
+var dev_user_dev_default = defineHandler((event) => {
 	if (import.meta.dev) {
 		const missingDevVars = [
 			"C8Y_DEVELOPMENT_TENANT",
@@ -20,4 +20,4 @@ var dev_user_default = defineHandler((event) => {
 	}
 });
 //#endregion
-export { dev_user_default as default };
+export { dev_user_dev_default as default };

package/dist/runtime/plugins/{c8y-variables.mjs → c8y-variables.dev.mjs}

@@ -1,7 +1,7 @@
-import process from "node:process";
 import { definePlugin } from "nitro";
-//#region src/module/runtime/plugins/c8y-variables.ts
-var c8y_variables_default = definePlugin(() => {
+import process from "node:process";
+//#region src/module/runtime/plugins/c8y-variables.dev.ts
+var c8y_variables_dev_default = definePlugin(() => {
 	if (import.meta.dev) {
 		const env = process.env;
 		const missingVars = [
@@ -14,4 +14,4 @@ var c8y_variables_default = definePlugin(() => {
 	}
 });
 //#endregion
-export { c8y_variables_default as default };
+export { c8y_variables_dev_default as default };

package/dist/runtime/plugins/enrich-logs.mjs

@@ -1,5 +1,5 @@
-import { definePlugin } from "nitro";
 import { c8yManifest } from "c8y-nitro/runtime";
+import { definePlugin } from "nitro";
 //#region src/module/runtime/plugins/enrich-logs.ts
 var enrich_logs_default = definePlugin(async (nitroApp) => {
 	nitroApp.hooks.hook("evlog:enrich", (enrichContext) => {

package/dist/types.d.mts

@@ -1,2 +1,2 @@
-import { a as C8yCacheOptions, c as C8YManifestOptions, i as C8YRoles, l as C8YAPIClientOptions, n as C8YTenantOptionKey, o as C8YZipOptions, r as C8YTenantOptionKeysCacheConfig, s as C8YManifest, t as C8yNitroModuleOptions } from "./index-CzUqbp5C.mjs";
-export { C8YAPIClientOptions, C8YManifest, C8YManifestOptions, C8YRoles, C8YTenantOptionKey, C8YTenantOptionKeysCacheConfig, C8YZipOptions, C8yCacheOptions, C8yNitroModuleOptions };
+import { a as C8YRoles, c as C8YManifest, i as C8YTenantOptionKeysCacheConfig, l as C8YManifestOptions, n as C8yNitroModuleOptions, o as C8yCacheOptions, r as C8YTenantOptionKey, s as C8YZipOptions, t as C8yDevOptions, u as C8YAPIClientOptions } from "./index-Bvu7DqDt.mjs";
+export { C8YAPIClientOptions, C8YManifest, C8YManifestOptions, C8YRoles, C8YTenantOptionKey, C8YTenantOptionKeysCacheConfig, C8YZipOptions, C8yCacheOptions, C8yDevOptions, C8yNitroModuleOptions };

package/dist/utils.d.mts

@@ -242,11 +242,6 @@ declare function useUserTenantCredentials(requestOrEvent: ServerRequest | H3Even
  * - `c8y.cache.tenantOptions` — Per-key TTL overrides
  * - `NITRO_C8Y_DEFAULT_TENANT_OPTIONS_TTL` — Environment variable for default TTL
  *
- * @note For encrypted options (keys starting with `credentials.`), the value is automatically
- * decrypted by Cumulocity if this microservice is the owner of the option (category matches
- * the microservice's settingsCategory/contextPath/name). The `credentials.` prefix is
- * automatically stripped when calling the API.
- *
  * @example
  * // Fetch a tenant option:
  * const value = await useTenantOption('myOption')

package/dist/utils.mjs

@@ -1,10 +1,13 @@
+import { Buffer } from "node:buffer";
 import process from "node:process";
 import { useLogger } from "evlog/nitro/v3";
 import { BasicAuth, Client, MicroserviceClientRequestAuth } from "@c8y/client";
 import { defineCachedFunction } from "nitro/cache";
+import { createHash, randomBytes } from "node:crypto";
 import { HTTPError, defineHandler } from "nitro/h3";
 import { useStorage } from "nitro/storage";
 import { useRuntimeConfig } from "nitro/runtime-config";
+import { c8yManifest } from "c8y-nitro/runtime";
 import { createError, createLogger } from "evlog";
 //#region src/utils/internal/common.ts
 /**
@@ -30,6 +33,55 @@ function convertRequestHeadersToC8yFormat(request) {
 	return headers;
 }
 //#endregion
+//#region src/utils/internal/tenant.ts
+const USER_TENANT_CACHE_SALT = randomBytes(32).toString("hex");
+function getCookieValue(cookieHeader, name) {
+	try {
+		const value = cookieHeader?.match(`(^|;)\\s*${name}\\s*=\\s*([^;]+)`);
+		return value ? value.pop() : void 0;
+	} catch {
+		return;
+	}
+}
+function getCurrentUserTenantCacheKeyMaterial(requestOrEvent) {
+	const request = "req" in requestOrEvent ? requestOrEvent.req : requestOrEvent;
+	const cookieAuth = getCookieValue(request.headers.get("cookie"), "authorization");
+	if (cookieAuth) return `cookie:${cookieAuth}`;
+	const authorization = request.headers.get("authorization");
+	if (authorization) return `header:${authorization}`;
+}
+function createCurrentUserTenantCacheKey(requestOrEvent) {
+	const material = getCurrentUserTenantCacheKeyMaterial(requestOrEvent);
+	if (!material) throw new Error("Cannot create current user tenant cache key without auth material");
+	return createHash("sha256").update(USER_TENANT_CACHE_SALT).update(":").update(material).digest("hex");
+}
+function tryGetTenantFromBasicAuth(requestOrEvent) {
+	const authorization = ("req" in requestOrEvent ? requestOrEvent.req : requestOrEvent).headers.get("authorization");
+	if (!authorization?.startsWith("Basic ")) return;
+	try {
+		const decoded = Buffer.from(authorization.slice(6), "base64").toString("utf8");
+		const separatorIndex = decoded.indexOf(":");
+		const userPart = separatorIndex === -1 ? decoded : decoded.slice(0, separatorIndex);
+		const slashIndex = userPart.indexOf("/");
+		if (slashIndex <= 0) return;
+		return userPart.slice(0, slashIndex);
+	} catch {
+		return;
+	}
+}
+const getCurrentUserTenantId = defineCachedFunction(async (requestOrEvent) => {
+	const basicTenant = tryGetTenantFromBasicAuth(requestOrEvent);
+	if (basicTenant) return basicTenant;
+	return (await useUserClient(requestOrEvent).tenant.current()).data.name;
+}, {
+	maxAge: 60,
+	name: "_c8y_nitro_get_current_user_tenant_id",
+	group: "c8y_nitro",
+	swr: false,
+	getKey: (requestOrEvent) => createCurrentUserTenantCacheKey(requestOrEvent),
+	shouldBypassCache: (requestOrEvent) => !getCurrentUserTenantCacheKeyMaterial(requestOrEvent)
+});
+//#endregion
 //#region src/utils/credentials.ts
 /**
 * Fetches credentials for all tenants subscribed to this microservice.\
@@ -128,7 +180,7 @@ const useDeployedTenantCredentials = Object.assign(async () => {
 async function useUserTenantCredentials(requestOrEvent) {
 	const request = "req" in requestOrEvent ? requestOrEvent.req : requestOrEvent;
 	if (request.context?.["c8y_user_tenant_credentials"]) return request.context["c8y_user_tenant_credentials"];
-	const tenantId = useUserClient(requestOrEvent).core.tenant;
+	const tenantId = await getCurrentUserTenantId(requestOrEvent);
 	const userTenantCreds = (await useSubscribedTenantCredentials())[tenantId];
 	if (!userTenantCreds) throw new HTTPError({
 		message: `No subscribed tenant credentials found for user tenant '${tenantId}'`,
@@ -172,7 +224,7 @@ function useUserClient(requestOrEvent) {
 async function useUserTenantClient(requestOrEvent) {
 	const request = "req" in requestOrEvent ? requestOrEvent.req : requestOrEvent;
 	if (request.context?.["c8y_user_tenant_client"]) return request.context["c8y_user_tenant_client"];
-	const tenantId = useUserClient(requestOrEvent).core.tenant;
+	const tenantId = await getCurrentUserTenantId(requestOrEvent);
 	const creds = await useSubscribedTenantCredentials();
 	if (!creds[tenantId]) throw new HTTPError({
 		message: `No subscribed tenant credentials found for user tenant '${tenantId}'`,
@@ -267,8 +319,13 @@ async function useUserRoles(requestOrEvent) {
 }
 //#endregion
 //#region src/utils/middleware.ts
+const probePaths = [c8yManifest.livenessProbe?.httpGet?.path, c8yManifest.readinessProbe?.httpGet?.path].filter((path) => Boolean(path));
+function isProbeRequest(pathname) {
+	return probePaths.some((probePath) => pathname.startsWith(probePath));
+}
 function hasUserRequiredRole(roleOrRoles) {
 	return defineHandler(async (event) => {
+		if (isProbeRequest(event.url.pathname)) return;
 		const requiredRoles = Array.isArray(roleOrRoles) ? roleOrRoles : [roleOrRoles];
 		const userRoles = await useUserRoles(event);
 		if (!requiredRoles.some((role) => userRoles.includes(role))) throw new HTTPError({
@@ -280,8 +337,9 @@ function hasUserRequiredRole(roleOrRoles) {
 }
 function isUserFromAllowedTenant(tenantIdOrIds) {
 	return defineHandler(async (event) => {
+		if (isProbeRequest(event.url.pathname)) return;
 		const allowedTenants = Array.isArray(tenantIdOrIds) ? tenantIdOrIds : [tenantIdOrIds];
-		const userTenantId = useUserClient(event).core.tenant;
+		const userTenantId = await getCurrentUserTenantId(event);
 		if (!allowedTenants.includes(userTenantId)) throw new HTTPError({
 			status: 403,
 			statusText: "Forbidden",
@@ -306,7 +364,8 @@ function isUserFromAllowedTenant(tenantIdOrIds) {
 */
 function isUserFromDeployedTenant() {
 	return defineHandler(async (event) => {
-		const userTenantId = useUserClient(event).core.tenant;
+		if (isProbeRequest(event.url.pathname)) return;
+		const userTenantId = await getCurrentUserTenantId(event);
 		const deployedTenantId = process.env.C8Y_BOOTSTRAP_TENANT;
 		if (!deployedTenantId) throw new HTTPError({
 			status: 500,
@@ -321,6 +380,12 @@ function isUserFromDeployedTenant() {
 	});
 }
 //#endregion
+//#region src/utils/internal/tenantOptionFetchers.ts
+/**
+* Internal storage for cached functions per key
+*/
+const tenantOptionFetchers = {};
+//#endregion
 //#region src/utils/tenantOptions.ts
 /**
 * Gets the cache TTL for a specific tenant option key.
@@ -332,10 +397,6 @@ function getTenantOptionCacheTTL(key) {
 	return config.c8yTenantOptionsPerKeyTTL?.[key] ?? config.c8yDefaultTenantOptionsTTL ?? 600;
 }
 /**
-* Internal storage for cached functions per key
-*/
-const tenantOptionFetchers = {};
-/**
 * Factory function that creates a cached fetcher for a specific tenant option key.
 * @param key - The tenant option key
 */
@@ -344,10 +405,9 @@ function createCachedTenantOptionFetcher(key) {
 	const fetcher = defineCachedFunction(async () => {
 		const client = await useDeployedTenantClient();
 		const category = useRuntimeConfig().c8ySettingsCategory;
-		const apiKey = key.replace(/^credentials\./, "");
 		try {
 			return (await client.options.tenant.detail({
-				key: apiKey,
+				key,
 				category
 			})).data.value;
 		} catch (error) {
@@ -397,11 +457,6 @@ function getOrCreateFetcher(key) {
 * - `c8y.cache.tenantOptions` — Per-key TTL overrides
 * - `NITRO_C8Y_DEFAULT_TENANT_OPTIONS_TTL` — Environment variable for default TTL
 *
-* @note For encrypted options (keys starting with `credentials.`), the value is automatically
-* decrypted by Cumulocity if this microservice is the owner of the option (category matches
-* the microservice's settingsCategory/contextPath/name). The `credentials.` prefix is
-* automatically stripped when calling the API.
-*
 * @example
 * // Fetch a tenant option:
 * const value = await useTenantOption('myOption')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "c8y-nitro",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "type": "module",
   "description": "Lightning fast Cumulocity IoT microservice development powered by Nitro",
   "keywords": [
@@ -23,22 +23,12 @@
     "url": "https://github.com/schplitt/c8y-nitro/issues"
   },
   "exports": {
-    ".": {
-      "types": "./dist/index.d.mts",
-      "import": "./dist/index.mjs"
-    },
-    "./types": {
-      "types": "./dist/types.d.mts",
-      "import": "./dist/types.mjs"
-    },
-    "./utils": {
-      "types": "./dist/utils.d.mts",
-      "import": "./dist/utils.mjs"
-    }
+    ".": "./dist/index.mjs",
+    "./cli": "./dist/cli/index.mjs",
+    "./types": "./dist/types.mjs",
+    "./utils": "./dist/utils.mjs",
+    "./package.json": "./package.json"
   },
-  "main": "./dist/index.mjs",
-  "module": "./dist/index.mjs",
-  "types": "./dist/index.d.mts",
   "bin": {
     "c8y-nitro": "./dist/cli/index.mjs"
   },
@@ -49,25 +39,26 @@
   ],
   "dependencies": {
     "c12": "^4.0.0-beta.4",
-    "citty": "^0.2.1",
+    "citty": "^0.2.2",
     "consola": "^3.4.2",
-    "evlog": "^2.9.0",
+    "evlog": "^2.11.1",
     "jszip": "^3.10.1",
     "pathe": "^2.0.3",
     "pkg-types": "^2.3.0",
     "spinnies": "^0.5.1",
-    "tinyexec": "^1.0.4"
+    "tinyexec": "^1.1.1",
+    "tsnapi": "^0.1.1"
   },
   "devDependencies": {
     "@schplitt/eslint-config": "^1.3.1",
     "@types/spinnies": "^0.5.3",
     "bumpp": "^11.0.1",
     "changelogithub": "^14.0.0",
-    "eslint": "^10.1.0",
+    "eslint": "^10.2.0",
     "memfs": "^4.57.1",
-    "tsdown": "^0.21.4",
+    "tsdown": "^0.21.7",
     "typescript": "^5.9.3",
-    "vitest": "^4.1.0"
+    "vitest": "^4.1.4"
   },
   "peerDependencies": {
     "@c8y/client": ">=1021",
@@ -79,6 +70,7 @@
   "scripts": {
     "dev": "tsdown --watch",
     "build": "tsdown",
+    "build:update": "tsdown --update-snapshot",
     "lint": "eslint",
     "lint:fix": "eslint --fix",
     "typecheck": "tsc --noEmit",