npm - khotan-data - Versions diffs - 0.2.0 → 0.3.0 - Mend

khotan-data 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +32 -20
package/dist/cli.js +51 -0
package/dist/factory.cjs +8 -1
package/dist/factory.cjs.map +1 -1
package/dist/factory.d.cts +9 -1
package/dist/factory.d.ts +9 -1
package/dist/factory.js +8 -1
package/dist/factory.js.map +1 -1
package/dist/templates/catch.example.ts +25 -17
package/dist/templates/catch.ts +20 -15
package/dist/templates/hub.tsx +96 -13
package/dist/templates/inflow.example.ts +46 -38
package/dist/templates/inflow.ts +37 -31
package/dist/templates/khotan-config.ts +11 -0
package/dist/templates/outflow.example.ts +39 -31
package/dist/templates/outflow.ts +28 -23
package/dist/templates/pass.example.ts +38 -30
package/dist/templates/pass.ts +29 -24
package/dist/templates/relay.example.ts +52 -44
package/dist/templates/relay.ts +38 -33
package/dist/templates/skill-dashboard.md +2 -1
package/dist/templates/skill-setup.md +77 -1
package/dist/templates/skill-webhook.md +45 -23
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -99,7 +99,13 @@ authorize: async (request) => {
 ```
 - `KHOTAN_SECRET` encrypts plug credentials **at rest** (AES-256-GCM). It is not
-  an auth credential — it never gates requests. Set it to a high-entropy value.
+  an auth credential — it never gates requests, and **must not** be sent as a
+  `Bearer` token. Management routes are gated only by `authorize` (plus a
+  dev-only CLI HMAC token derived from the secret). A rejected request returns
+  `401` with `code: "authorize_rejected"` and a `hint`. To trigger a flow over
+  HTTP (`POST /api/khotan/flows/{flowId}/runs`), send a credential your
+  `authorize` hook accepts — or just call `khotanData.flow(name).start()` from
+  server code, which needs no auth. Set the secret to a high-entropy value.
 - Inbound webhooks (verified via per-plug `onVerify`), the cron dispatcher
   (`CRON_SECRET`), and debug routes (`KHOTAN_DEBUG`, non-production only) are
   exempt from `authorize` automatically.
@@ -128,32 +134,38 @@ export const shopifyProductsSnapshotCache = cache({
 Inside workflows, use `khotanCache(ctx, "name")` for snapshots, cursors, and dedupe markers:
+Declare `"use step"` functions at module top level and pass them serializable
+values only (`ctx` is plain data). Nesting steps inside the `"use workflow"`
+function fails at runtime — the Workflow compiler cannot hoist closures that
+capture workflow scope.
 ```typescript
 import { khotanCache } from "khotan-data/factory";
-async function shopifyProductsWorkflow(ctx: InflowContext) {
-  "use workflow";
-  async function syncProducts() {
-    "use step";
-    const snapshotCache = khotanCache(ctx, "shopify-products-snapshot");
-    const previous =
-      (await snapshotCache.get<Array<Record<string, unknown>>>("latest")) ?? [];
+// Step: top-level, retried independently, full Node.js access.
+async function syncProducts(ctx: InflowContext) {
+  "use step";
+  const snapshotCache = khotanCache(ctx, "shopify-products-snapshot");
+  const previous =
+    (await snapshotCache.get<Array<Record<string, unknown>>>("latest")) ?? [];
-    const response = await shopifyPlug.get<{ data?: Array<Record<string, unknown>> }>("/products");
-    const records = Array.isArray(response.data) ? response.data : [];
+  const response = await shopifyPlug.get<{ data?: Array<Record<string, unknown>> }>("/products");
+  const records = Array.isArray(response.data) ? response.data : [];
-    await snapshotCache.set("latest", records);
+  await snapshotCache.set("latest", records);
-    return {
-      extracted: records.length,
-      transformed: records.length,
-      created: records.length,
-      metadata: { previousCount: previous.length },
-    };
-  }
+  return {
+    extracted: records.length,
+    transformed: records.length,
+    created: records.length,
+    metadata: { previousCount: previous.length },
+  };
+}
-  return syncProducts();
+// Workflow: orchestration only.
+async function shopifyProductsWorkflow(ctx: InflowContext) {
+  "use workflow";
+  return syncProducts(ctx);
 }
 ```

package/dist/cli.js CHANGED Viewed

@@ -678,6 +678,15 @@ function resolveAgentsMdPaths(content, targets) {
 // src/cli/commands/init.ts
 var __dirname2 = path2.dirname(fileURLToPath(import.meta.url));
 function resolveOutputDir(projectRoot) {
+  const configPath = path2.join(projectRoot, "khotan.config.ts");
+  if (fs4.existsSync(configPath)) {
+    try {
+      const content = fs4.readFileSync(configPath, "utf-8");
+      const match = /outputDir:\s*["']([^"']+)["']/.exec(content);
+      if (match?.[1]) return match[1];
+    } catch {
+    }
+  }
   if (fs4.existsSync(path2.join(projectRoot, "src", "app"))) {
     return "src/khotan";
   }
@@ -728,6 +737,45 @@ function scaffoldCoreFiles(cwd, outputDir) {
   }
   return created;
 }
+var MIDDLEWARE_CANDIDATES = [
+  "middleware.ts",
+  "middleware.js",
+  "src/middleware.ts",
+  "src/middleware.js",
+  "proxy.ts",
+  "proxy.js",
+  "src/proxy.ts",
+  "src/proxy.js"
+];
+function warnAboutWorkflowProxy(cwd) {
+  const found = MIDDLEWARE_CANDIDATES.map((rel) => ({
+    rel,
+    abs: path2.join(cwd, rel)
+  })).find((c) => fs4.existsSync(c.abs));
+  if (!found) return false;
+  let contents = "";
+  try {
+    contents = fs4.readFileSync(found.abs, "utf-8");
+  } catch {
+    return false;
+  }
+  if (/\.well-known|workflow/i.test(contents)) {
+    return false;
+  }
+  console.log(
+    `
+\u26A0 Detected ${found.rel}. Vercel Workflow (used by inflows, outflows,
+  relays, catch, and pass) communicates over /.well-known/workflow/*.
+  If your middleware/proxy matcher captures these paths, durable runs
+  will silently fail. Exclude them from your matcher, e.g.:
+    export const config = {
+      matcher: ["/((?!_next|.well-known/workflow).*)"],
+    };
+`
+  );
+  return true;
+}
 async function runFullSetup(cwd) {
   const results = [];
   const pm = detectPackageManager(cwd);
@@ -839,6 +887,7 @@ Installing shadcn components: ${missingShadcn.join(", ")}...`
     results.push({ name: "Scaffold core files", status: "skipped" });
   }
   results.push(ensureKhotanDataInstalled(cwd));
+  warnAboutWorkflowProxy(cwd);
   return results;
 }
 function ensureKhotanDataInstalled(cwd) {
@@ -867,6 +916,7 @@ async function runInit(cwd) {
   }
   scaffoldCoreFiles(cwd, outputDir);
   ensureKhotanDataInstalled(cwd);
+  warnAboutWorkflowProxy(cwd);
   return fs4.existsSync(configPath);
 }
 var SKILL_COMPONENTS = [
@@ -939,6 +989,7 @@ ${String(failed.length)} step(s) failed. You may need to run them manually.`
   }
   const coreFiles = scaffoldCoreFiles(cwd, outputDir);
   ensureKhotanDataInstalled(cwd);
+  warnAboutWorkflowProxy(cwd);
   let installSkills2 = opts.yes ?? false;
   if (!installSkills2 && process.stdin.isTTY) {
     const response = await prompts2({

package/dist/factory.cjs CHANGED Viewed

@@ -2301,7 +2301,14 @@ function khotan(config) {
         }
       }
       if (!allowed) {
-        return Response.json({ error: "Unauthorized" }, { status: 401 });
+        return Response.json(
+          {
+            error: "Unauthorized",
+            code: "authorize_rejected",
+            hint: "Management routes (/api/khotan/*) require your `authorize` hook to pass. KHOTAN_SECRET is an encryption key, not an HTTP credential \u2014 sending it as a Bearer token will not authenticate the request. To trigger a flow: call khotanData.flow(name).start() from server code (no HTTP/auth needed), or send a credential your authorize hook accepts (e.g. a session cookie or your own token). The khotan CLI authenticates automatically via a dev-only token derived from KHOTAN_SECRET."
+          },
+          { status: 401 }
+        );
       }
     }
     const limit = Math.min(