create-fluxstack 1.10.1 → 1.12.1

package/core/plugins/registry.ts

@@ -1,12 +1,12 @@
 import type { FluxStack, PluginManifest, PluginLoadResult, PluginDiscoveryOptions } from "./types"
 
 type FluxStackPlugin = FluxStack.Plugin
-import type { FluxStackConfig } from "@/core/config/schema"
-import type { Logger } from "@/core/utils/logger"
-import { FluxStackError } from "@/core/utils/errors"
+import type { FluxStackConfig } from "@config"
+import type { Logger } from "@core/utils/logger"
+import { FluxStackError } from "@core/utils/errors"
 import { PluginDependencyManager } from "./dependency-manager"
 import { readdir, readFile } from "fs/promises"
-import { join, resolve } from "path"
+import { join, resolve, sep } from "path"
 import { existsSync } from "fs"
 
 export interface PluginRegistryConfig {
@@ -51,8 +51,9 @@ export class PluginRegistry {
     this.validatePlugin(plugin)
 
     // Validate plugin configuration if schema is provided
-    if (plugin.configSchema && this.config?.plugins.config[plugin.name]) {
-      this.validatePluginConfig(plugin, this.config.plugins.config[plugin.name])
+    const pluginConfigs = this.config?.plugins.config as Record<string, unknown> | undefined
+    if (plugin.configSchema && pluginConfigs?.[plugin.name]) {
+      this.validatePluginConfig(plugin, pluginConfigs[plugin.name])
     }
 
     this.plugins.set(plugin.name, plugin)
@@ -222,14 +223,84 @@ export class PluginRegistry {
     return this.plugins.has(name)
   }
 
+  /**
+   * Check which dependencies are missing from main package.json
+   */
+  private checkMissingDependencies(pluginDeps: Record<string, string>): string[] {
+    try {
+      const mainPackageJsonPath = join(process.cwd(), 'package.json')
+      if (!existsSync(mainPackageJsonPath)) {
+        return Object.keys(pluginDeps)
+      }
+
+      const mainPackageJson = JSON.parse(
+        require('fs').readFileSync(mainPackageJsonPath, 'utf-8')
+      )
+
+      const allDeps = {
+        ...mainPackageJson.dependencies,
+        ...mainPackageJson.devDependencies
+      }
+
+      return Object.keys(pluginDeps).filter(dep => !allDeps[dep])
+    } catch (error) {
+      // If we can't read package.json, assume all deps are missing
+      return Object.keys(pluginDeps)
+    }
+  }
+
+  /**
+   * 🔒 Check if a plugin is allowed to be loaded (whitelist check)
+   *
+   * @param pluginName - Name of the plugin (e.g., "fluxstack-plugin-auth", "@acme/fplugin-payments")
+   * @param isNpmPlugin - Whether this is an npm plugin (requires whitelist) or project plugin (trusted)
+   * @returns true if plugin is allowed, false otherwise
+   */
+  /**
+   * Check if a plugin is allowed to be loaded (whitelist enforcement)
+   *
+   * Security model:
+   * - Project plugins (plugins/) are ALWAYS trusted (developer put them there)
+   * - NPM plugins (node_modules/) REQUIRE whitelist (supply chain protection)
+   */
+  private isPluginAllowed(pluginName: string, source: 'npm' | 'project'): boolean {
+    const allowedPlugins = this.config?.plugins.allowedPlugins || []
+
+    // Project plugins are always trusted - developer explicitly added them
+    if (source === 'project') {
+      if (!this.config?.plugins.discoverProjectPlugins) {
+        this.logger?.debug(`Project plugin '${pluginName}' skipped: discovery disabled`)
+        return false
+      }
+
+      // ✅ Project plugins bypass whitelist - they're trusted by design
+      this.logger?.debug(`Project plugin '${pluginName}' allowed (trusted source)`)
+      return true
+    }
+
+    if (allowedPlugins.length === 0) {
+      this.logger?.warn(`NPM plugin '${pluginName}' blocked: No plugins in whitelist (PLUGINS_ALLOWED is empty)`)
+      return false
+    }
+
+    if (!allowedPlugins.includes(pluginName)) {
+      this.logger?.warn(`NPM plugin '${pluginName}' blocked: Not in whitelist (PLUGINS_ALLOWED)`, {
+        pluginName,
+        allowedPlugins
+      })
+      return false
+    }
+
+    return true
+  }
   /**
    * Get registry statistics
    */
   getStats() {
     return {
       totalPlugins: this.plugins.size,
-      enabledPlugins: this.config?.plugins.enabled.length || 0,
-      disabledPlugins: this.config?.plugins.disabled.length || 0,
+      enabledPlugins: this.config?.plugins.enabled?.length ?? 0,
+      disabledPlugins: this.config?.plugins.disabled?.length ?? 0,
       conflicts: this.conflicts.length,
       loadOrder: this.loadOrder.length
     }
@@ -263,8 +334,136 @@ export class PluginRegistry {
     }
   }
 
+  /**
+   * Discover FluxStack plugins from node_modules
+   * Looks for packages with naming pattern:
+   * - fluxstack-plugin-*
+   * - fplugin-*
+   * - @fluxstack/plugin-*
+   * - @fplugin/*
+   * - @org/fluxstack-plugin-*
+   * - @org/fplugin-*
+   *
+   * 🔒 SECURITY: Respects config.plugins.discoverNpmPlugins and config.plugins.allowedPlugins
+   */
+  async discoverNpmPlugins(): Promise<PluginLoadResult[]> {
+    const results: PluginLoadResult[] = []
+    const nodeModulesDir = 'node_modules'
+
+    // 🔒 Check if npm plugin discovery is enabled
+    if (!this.config?.plugins.discoverNpmPlugins) {
+      this.logger?.debug('NPM plugin discovery is disabled (PLUGINS_DISCOVER_NPM=false)')
+      return results
+    }
+
+    if (!existsSync(nodeModulesDir)) {
+      this.logger?.debug('node_modules directory not found')
+      return results
+    }
+
+    try {
+      const entries = await readdir(nodeModulesDir, { withFileTypes: true })
+
+      for (const entry of entries) {
+        if (entry.isDirectory()) {
+          // Check scoped packages (@org/package)
+          if (entry.name.startsWith('@')) {
+            const scopeDir = join(nodeModulesDir, entry.name)
+            const scopedEntries = await readdir(scopeDir, { withFileTypes: true })
+
+            for (const scopedEntry of scopedEntries) {
+              if (scopedEntry.isDirectory()) {
+                const packageName = `${entry.name}/${scopedEntry.name}`
+                let isFluxStackPlugin = false
+
+                // Match patterns:
+                // @fluxstack/plugin-*
+                if (entry.name === '@fluxstack' && scopedEntry.name.startsWith('plugin-')) {
+                  isFluxStackPlugin = true
+                }
+                // @fplugin/*
+                else if (entry.name === '@fplugin') {
+                  isFluxStackPlugin = true
+                }
+                // @org/fluxstack-plugin-*
+                else if (scopedEntry.name.startsWith('fluxstack-plugin-')) {
+                  isFluxStackPlugin = true
+                }
+                // @org/fplugin-*
+                else if (scopedEntry.name.startsWith('fplugin-')) {
+                  isFluxStackPlugin = true
+                }
+
+                if (isFluxStackPlugin) {
+                  // 🔒 Security check: Verify plugin is in whitelist
+                  if (!this.isPluginAllowed(packageName, 'npm')) {
+                    this.logger?.debug(`Skipping npm plugin (not in whitelist): ${packageName}`)
+                    results.push({
+                      success: false,
+                      error: `Plugin '${packageName}' is not in the allowed plugins whitelist (PLUGINS_ALLOWED)`
+                    })
+                    continue
+                  }
+
+                  const pluginPath = join(scopeDir, scopedEntry.name)
+                  this.logger?.debug(`Loading whitelisted npm plugin: ${packageName}`)
+
+                  const result = await this.loadPlugin(pluginPath)
+                  results.push(result)
+                }
+              }
+            }
+          }
+          // Check non-scoped packages
+          else if (
+            entry.name.startsWith('fluxstack-plugin-') ||
+            entry.name.startsWith('fplugin-')
+          ) {
+            // 🔒 Security check: Verify plugin is in whitelist
+            if (!this.isPluginAllowed(entry.name, 'npm')) {
+              this.logger?.debug(`Skipping npm plugin (not in whitelist): ${entry.name}`)
+              results.push({
+                success: false,
+                error: `Plugin '${entry.name}' is not in the allowed plugins whitelist (PLUGINS_ALLOWED)`
+              })
+              continue
+            }
+
+            const pluginPath = join(nodeModulesDir, entry.name)
+            this.logger?.debug(`Loading whitelisted npm plugin: ${entry.name}`)
+
+            const result = await this.loadPlugin(pluginPath)
+            results.push(result)
+          }
+        }
+      }
+
+      // 🔒 Security summary
+      const successful = results.filter(r => r.success).length
+      const blocked = results.filter(r => !r.success && r.error?.includes('whitelist')).length
+      const failed = results.filter(r => !r.success && !r.error?.includes('whitelist')).length
+
+      if (blocked > 0) {
+        this.logger?.warn(`🔒 Security: Blocked ${blocked} npm plugin(s) not in whitelist (PLUGINS_ALLOWED)`)
+      }
+
+      this.logger?.info(`Discovered ${successful} allowed npm plugin(s)`, {
+        total: results.length,
+        successful,
+        blocked,
+        failed
+      })
+    } catch (error) {
+      this.logger?.error('Failed to discover npm plugins', { error })
+    }
+
+    return results
+  }
+
   /**
    * Discover plugins from filesystem
+   *
+   * 🔒 SECURITY: Respects config.plugins.discoverProjectPlugins for project plugins
    */
   async discoverPlugins(options: PluginDiscoveryOptions = {}): Promise<PluginLoadResult[]> {
     const results: PluginLoadResult[] = []
@@ -275,6 +474,12 @@ export class PluginRegistry {
       includeExternal: _includeExternal = true
     } = options
 
+    // 🔒 Check if project plugin discovery is enabled
+    if (!this.config?.plugins.discoverProjectPlugins) {
+      this.logger?.debug('Project plugin discovery is disabled (PLUGINS_DISCOVER_PROJECT=false)')
+      return results
+    }
+
     // Descobrir plugins
     for (const directory of directories) {
       this.logger?.debug(`Scanning directory: ${directory}`)
@@ -286,7 +491,20 @@ export class PluginRegistry {
       try {
         const pluginResults = await this.discoverPluginsInDirectory(directory, _patterns)
         this.logger?.debug(`Found ${pluginResults.length} plugins in ${directory}`)
-        results.push(...pluginResults)
+
+        for (const pluginResult of pluginResults) {
+          if (pluginResult.success && pluginResult.plugin) {
+            if (!this.isPluginAllowed(pluginResult.plugin.name, 'project')) {
+              results.push({
+                success: false,
+                error: `Plugin '${pluginResult.plugin.name}' is not in the allowed plugins whitelist (PLUGINS_ALLOWED)`
+              })
+              continue
+            }
+          }
+
+          results.push(pluginResult)
+        }
       } catch (error) {
         this.logger?.warn(`Failed to discover plugins in directory '${directory}'`, { error })
         results.push({
@@ -343,17 +561,31 @@ export class PluginRegistry {
         }
       }
 
-      // Install dependencies BEFORE importing the plugin
+      // Check and install plugin dependencies
       if (manifest && manifest.dependencies && Object.keys(manifest.dependencies).length > 0) {
-        try {
-          const resolution = await this.dependencyManager.resolvePluginDependencies(pluginPath)
-          if (resolution.dependencies.length > 0) {
-            // Install dependencies directly in the plugin directory
-            await this.dependencyManager.installPluginDependenciesLocally(pluginPath, resolution.dependencies)
-            this.logger?.debug(`Dependencies installed for plugin at: ${pluginPath}`)
+        const isProjectPlugin = pluginPath.includes('plugins' + sep)
+
+        if (isProjectPlugin) {
+          // Install dependencies locally in plugin directory
+          this.logger?.debug(
+            `Installing dependencies for plugin '${manifest.name}' in ${pluginPath}`,
+            { dependencies: Object.keys(manifest.dependencies).length }
+          )
+
+          try {
+            await this.dependencyManager.installDependenciesInPath(
+              pluginPath,
+              manifest.dependencies
+            )
+          } catch (error) {
+            this.logger?.warn(
+              `Failed to install dependencies for plugin '${manifest.name}'. ` +
+              `You can install manually with: cd ${pluginPath} && bun install`
+            )
           }
-        } catch (error) {
-          this.logger?.warn(`Failed to install dependencies for plugin at '${pluginPath}'`, { error })
+        } else {
+          // NPM plugins always show warning
+          this.logger?.warn(`Plugin '${manifest.name}' declares dependencies. Run 'bun run flux plugin:deps install ${manifest.name}' to review and install them manually.`)
         }
       }
 
@@ -582,4 +814,8 @@ export class PluginRegistry {
     
     return results
   }
-}
+}
+
+
+
+

package/core/plugins/types.ts

@@ -1,5 +1,5 @@
-import type { FluxStackConfig } from "@/core/config/schema"
-import type { Logger } from "@/core/utils/logger/index"
+import type { FluxStackConfig } from "@config"
+import type { Logger } from "@core/utils/logger/index"
 
 export type PluginHook =
   // Lifecycle hooks
@@ -190,7 +190,7 @@ export namespace FluxStack {
    * @example
    * // ✅ New way (recommended):
    * // plugins/my-plugin/config/index.ts
-   * import { defineConfig, config } from '@/core/utils/config-schema'
+   * import { defineConfig, config } from '@core/utils/config-schema'
    * export const myConfig = defineConfig({ ... })
    *
    * // ❌ Old way (deprecated):
@@ -357,55 +357,9 @@ export interface CliContext {
   }
 }
 
-// Live Components Types
-export interface LiveComponent<TState = any> {
-  id: string
-  name: string
-  state: TState
-  mounted: boolean
-  socket?: any
-  userId?: string
-  destroy?: () => void
-  executeAction?: (action: string, payload?: any) => Promise<any>
-  setState?: (newState: Partial<TState>) => void
-  getSerializableState?: () => TState
-}
-
-export interface LiveMessage {
-  type: string
-  componentId: string
-  data?: any
-  payload?: any
-  action?: string
-  property?: string
-  userId?: string
-  expectResponse?: boolean
-  timestamp?: number
-  requestId?: string
-  room?: string
-}
-
-export interface BroadcastMessage {
-  type: string
-  data?: any
-  channel?: string
-  room?: string
-  payload?: any
-  excludeUser?: string
-}
-
-export interface ComponentDefinition<TState = any> {
-  name: string
-  initialState: TState
-  handlers?: Record<string, Function>
-  component?: any
-}
-
-export interface WebSocketData {
-  componentId?: string
-  userId?: string
-  sessionId?: string
-}
+// Live Components Types - Re-exported from core/types/types.ts
+// See core/types/types.ts for full implementation
+// Note: These are re-exported at the end of this file
 
 // File Upload Types
 export interface ActiveUpload {
@@ -477,4 +431,17 @@ export interface FileUploadCompleteResponse {
 }
 
 // Plugin Type Export
-export type Plugin = FluxStack.Plugin
+export type Plugin = FluxStack.Plugin
+
+// Re-export all WebSocket and LiveComponent types from core/types/types.ts
+export {
+  LiveComponent,
+  type FluxStackWebSocket,
+  type FluxStackWSData,
+  type FluxStackServerWebSocket,
+  type LiveMessage,
+  type BroadcastMessage,
+  type ComponentState,
+  type ComponentDefinition,
+  type WebSocketData
+} from '@core/types/types'

package/core/server/framework.ts

@@ -1,8 +1,10 @@
 import { Elysia } from "elysia"
+import { createHash as nodeCreateHash } from "crypto"
 import type { FluxStackConfig, FluxStackContext, Plugin } from "../types"
 import type { PluginContext, PluginUtils } from "../plugins/types"
 import { PluginManager } from "../plugins/manager"
-import { getConfigSync, getEnvironmentInfo } from "../config"
+import { fluxStackConfig } from "@config"
+import { getEnvironmentInfo } from "../config"
 import { logger, type Logger } from "../utils/logger/index"
 import { createTimer, formatBytes, isProduction, isDevelopment } from "../utils/helpers"
 
@@ -12,11 +14,11 @@ export class FluxStackFramework {
   private pluginContext: PluginContext
   private plugins: Plugin[] = []
   private pluginManager: PluginManager
+  private initialized = false
 
   constructor(config?: Partial<FluxStackConfig>) {
-    console.log('🚀 [DEBUG] FluxStackFramework constructor called!')
     // Load the full configuration
-    const fullConfig = config ? { ...getConfigSync(), ...config } : getConfigSync()
+    const fullConfig = config ? { ...fluxStackConfig, ...config } : fluxStackConfig
     const envInfo = getEnvironmentInfo()
 
     this.context = {
@@ -36,10 +38,7 @@ export class FluxStackFramework {
       isProduction,
       isDevelopment,
       getEnvironment: () => envInfo.name,
-      createHash: (data: string) => {
-        const crypto = require('crypto')
-        return crypto.createHash('sha256').update(data).digest('hex')
-      },
+      createHash: (data: string) => nodeCreateHash('sha256').update(data).digest('hex'),
       deepMerge: (target: any, source: any) => {
         const result = { ...target }
         for (const key in source) {
@@ -78,49 +77,50 @@ export class FluxStackFramework {
     })
 
     this.setupCors()
-    
-    console.log('🔍 [DEBUG] About to call initializePluginsAsync()...')
-    // Initialize plugins automatically in the background
-    this.initializePluginsAsync().catch(error => {
-      console.error('❌ [DEBUG] Failed to initialize plugins async:', error)
-    })
-    console.log('🔍 [DEBUG] initializePluginsAsync() call dispatched')
-  }
-
-  private async initializePluginsAsync() {
-    console.log('🚀 [DEBUG] initializePluginsAsync() CALLED!')
-    try {
-      console.log('🔍 [DEBUG] Starting automatic plugin discovery...')
-      console.log('🔍 [DEBUG] Current working directory:', process.cwd())
-      logger.info('[FluxStack] Initializing automatic plugin discovery...')
-      await this.pluginManager.initialize()
-      const stats = this.pluginManager.getRegistry().getStats()
-      console.log('🔍 [DEBUG] Plugin discovery completed:', stats)
-      logger.info('[FluxStack] Automatic plugins loaded successfully', {
-        pluginCount: stats.totalPlugins,
-        enabledPlugins: stats.enabledPlugins,
-        disabledPlugins: stats.disabledPlugins
-      })
-    } catch (error) {
-      console.error('❌ [DEBUG] Plugin discovery error:', error)
-      logger.error('[FluxStack] Failed to initialize automatic plugins', { error })
-    }
   }
 
   private setupCors() {
-    const { cors } = this.context.config.server
+    const cors = this.context.config.cors
+
+    const allowedOrigins = cors.origins.length > 0 ? cors.origins : ['*']
+    const allowAllMethods = cors.methods.length > 0 ? cors.methods.join(", ") : "GET,POST,PUT,DELETE,OPTIONS"
+    const allowAllHeaders = cors.headers.length > 0 ? cors.headers.join(", ") : "Content-Type, Authorization"
+
+    const resolveOrigin = (requestOrigin?: string | null) => {
+      const origin = requestOrigin || allowedOrigins[0] || "*"
+      if (allowedOrigins.includes("*")) {
+        return cors.credentials ? origin : "*"
+      }
+      return allowedOrigins.includes(origin) ? origin : allowedOrigins[0] || origin
+    }
 
     this.app
-      .onRequest(({ set }) => {
-        set.headers["Access-Control-Allow-Origin"] = cors.origins.join(", ") || "*"
-        set.headers["Access-Control-Allow-Methods"] = cors.methods.join(", ") || "*"
-        set.headers["Access-Control-Allow-Headers"] = cors.headers.join(", ") || "*"
+      .onRequest(({ request, set }) => {
+        const origin = resolveOrigin(request.headers.get("origin"))
+        set.headers["Access-Control-Allow-Origin"] = origin
+        set.headers["Access-Control-Allow-Methods"] = allowAllMethods
+        set.headers["Access-Control-Allow-Headers"] = allowAllHeaders
+        set.headers["Vary"] = "Origin"
         if (cors.credentials) {
           set.headers["Access-Control-Allow-Credentials"] = "true"
         }
+        if (cors.maxAge) {
+          set.headers["Access-Control-Max-Age"] = cors.maxAge.toString()
+        }
       })
-      .options("*", ({ set }) => {
-        set.status = 200
+      .options("*", ({ request, set }) => {
+        set.status = 204
+        const origin = resolveOrigin(request.headers.get("origin"))
+        set.headers["Access-Control-Allow-Origin"] = origin
+        set.headers["Access-Control-Allow-Methods"] = allowAllMethods
+        set.headers["Access-Control-Allow-Headers"] = allowAllHeaders
+        set.headers["Vary"] = "Origin"
+        if (cors.credentials) {
+          set.headers["Access-Control-Allow-Credentials"] = "true"
+        }
+        if (cors.maxAge) {
+          set.headers["Access-Control-Max-Age"] = cors.maxAge.toString()
+        }
         return ""
       })
   }
@@ -146,7 +146,28 @@ export class FluxStackFramework {
     return this.context
   }
 
-  listen(callback?: () => void) {
+  async listen(callback?: () => void) {
+    // Initialize plugins synchronously before starting server
+    if (!this.initialized) {
+      logger.debug('[FluxStack] Initializing automatic plugin discovery...')
+
+      try {
+        await this.pluginManager.initialize()
+        const stats = this.pluginManager.getRegistry().getStats()
+
+        logger.info('[FluxStack] Automatic plugins loaded successfully', {
+          pluginCount: stats.totalPlugins,
+          enabledPlugins: stats.enabledPlugins,
+          disabledPlugins: stats.disabledPlugins
+        })
+
+        this.initialized = true
+      } catch (error) {
+        logger.error('[FluxStack] Failed to initialize automatic plugins', { error })
+        throw error
+      }
+    }
+
     const port = this.context.config.server.port
     const apiPrefix = this.context.config.server.apiPrefix
 
@@ -162,5 +183,7 @@ export class FluxStackFramework {
       console.log()
       callback?.()
     })
+
+    return this
   }
-}
+}

package/core/server/index.ts

@@ -1,16 +1,16 @@
-// FluxStack framework exports
-export { FluxStackFramework } from "../framework/server"
-export { vitePlugin, staticPlugin } from "../plugins/built-in"
-export { swaggerPlugin } from "../plugins/built-in/swagger"
-export { PluginRegistry } from "../plugins/registry"
-export * from "../types"
-
-// Live Components exports
-export { liveComponentsPlugin } from "./live/websocket-plugin"
-export { componentRegistry } from "./live/ComponentRegistry"
-export { LiveComponent } from "../types/types"
-
-// Static Files Plugin
-export { staticFilesPlugin } from "./plugins/static-files-plugin"
-
+// FluxStack framework exports
+export { FluxStackFramework } from "../framework/server"
+export { vitePlugin, staticPlugin } from "../plugins/built-in"
+export { swaggerPlugin } from "../plugins/built-in/swagger"
+export { PluginRegistry } from "../plugins/registry"
+export * from "../types"
+
+// Live Components exports
+export { liveComponentsPlugin } from "./live/websocket-plugin"
+export { componentRegistry } from "./live/ComponentRegistry"
+export { LiveComponent } from "../types/types"
+
+// Static Files Plugin
+export { staticFilesPlugin } from "./plugins/static-files-plugin"
+
 export * from "../types/types"