lakebed 0.0.5 → 0.0.7

package/src/anonymous.js

@@ -6,6 +6,14 @@ export const ANONYMOUS_ARTIFACT_FORMAT = "lakebed.capsule.artifact.v1";
 export const ANONYMOUS_ARTIFACT_MEDIA_TYPE = "application/vnd.lakebed.artifact+json";
 export { LAKEBED_VERSION };
 
+export const SERVER_ENV_FILE = ".env.lakebed.server";
+export const SERVER_ENV_LIMITS = {
+  maxKeyBytes: 128,
+  maxKeys: 64,
+  maxTotalBytes: 64 * 1024,
+  maxValueBytes: 16 * 1024
+};
+
 export const DEFAULT_ANONYMOUS_LIMITS = {
   artifactBytes: 1024 * 1024,
   stateBytes: 1024 * 1024,
@@ -67,6 +75,65 @@ function isPlainObject(value) {
   return Boolean(value) && typeof value === "object" && Object.getPrototypeOf(value) === Object.prototype;
 }
 
+export function validateServerEnvValues(values, path = "serverEnv.values") {
+  if (!isPlainObject(values)) {
+    throw new Error(`${path} must be a JSON object.`);
+  }
+
+  const entries = Object.entries(values).sort(([left], [right]) => left.localeCompare(right));
+  if (entries.length > SERVER_ENV_LIMITS.maxKeys) {
+    throw new Error(`${path} may include at most ${SERVER_ENV_LIMITS.maxKeys} keys.`);
+  }
+
+  const env = {};
+  let totalBytes = 0;
+  for (const [key, value] of entries) {
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+      throw new Error(`${path}.${key} is not a valid server env key.`);
+    }
+    if (key.startsWith("LAKEBED_")) {
+      throw new Error(`${path}.${key} uses the reserved LAKEBED_ prefix.`);
+    }
+    if (typeof value !== "string") {
+      throw new Error(`${path}.${key} must be a string.`);
+    }
+
+    const keyBytes = byteLength(key);
+    const valueBytes = byteLength(value);
+    if (keyBytes > SERVER_ENV_LIMITS.maxKeyBytes) {
+      throw new Error(`${path}.${key} exceeds ${SERVER_ENV_LIMITS.maxKeyBytes} bytes.`);
+    }
+    if (valueBytes > SERVER_ENV_LIMITS.maxValueBytes) {
+      throw new Error(`${path}.${key} exceeds ${SERVER_ENV_LIMITS.maxValueBytes} bytes.`);
+    }
+
+    totalBytes += keyBytes + valueBytes;
+    env[key] = value;
+  }
+
+  if (totalBytes > SERVER_ENV_LIMITS.maxTotalBytes) {
+    throw new Error(`${path} exceeds ${SERVER_ENV_LIMITS.maxTotalBytes} bytes.`);
+  }
+
+  return env;
+}
+
+export function validateServerEnvPayload(payload) {
+  if (payload === undefined) {
+    return undefined;
+  }
+
+  if (!isPlainObject(payload)) {
+    throw new Error("serverEnv must be a JSON object.");
+  }
+
+  if (payload.mode !== "replace") {
+    throw new Error("serverEnv.mode must be replace.");
+  }
+
+  return validateServerEnvValues(payload.values);
+}
+
 function isExpression(value) {
   return Array.isArray(value) && expressionOps.has(value[0]);
 }
@@ -317,7 +384,7 @@ function diagnostic(file, message) {
 }
 
 async function readSourceFiles(sourceStore) {
-  const paths = (await sourceStore.listFiles()).filter((path) => !path.startsWith("__lakebed/"));
+  const paths = (await sourceStore.listFiles()).filter((path) => !path.startsWith("__lakebed/") && path !== SERVER_ENV_FILE);
   const files = [];
 
   for (const path of paths) {
@@ -843,12 +910,14 @@ export function validateAnonymousDeployPayload(payload, options = {}) {
   }
 
   const artifactHash = sha256(stableStringify(payload.artifact));
+  const serverEnv = validateServerEnvPayload(payload.serverEnv);
   return {
     artifact: cloneJson(payload.artifact),
     artifactHash,
     clientBundle,
     clientBundleBase64: clientBundle.toString("base64"),
-    clientBundleHash
+    clientBundleHash,
+    serverEnv
   };
 }
 
@@ -1102,6 +1171,7 @@ function createSourceQuery(rows, tableName) {
 async function createSourceContext({ artifact, auth, deployId, state }) {
   const rows = {};
   const operations = [];
+  const env = typeof state.getServerEnv === "function" ? await state.getServerEnv(deployId) : {};
   for (const tableName of Object.keys(artifact.server.schema ?? {})) {
     rows[tableName] = await state.listRows(deployId, tableName);
   }
@@ -1143,7 +1213,7 @@ async function createSourceContext({ artifact, auth, deployId, state }) {
     ctx: {
       auth,
       db,
-      env: {},
+      env,
       log: {
         error() {},
         info() {},

package/src/cli.js

@@ -10,10 +10,12 @@ import {
   ANONYMOUS_ARTIFACT_MEDIA_TYPE,
   AnonymousCompilerError,
   LAKEBED_VERSION,
+  SERVER_ENV_FILE,
   createAnonymousArtifact,
   createClaimedArtifact,
   parseTtlSeconds,
-  stableStringify
+  stableStringify,
+  validateServerEnvValues
 } from "./anonymous.js";
 import { startAnonymousServer } from "./anonymous-server.js";
 import { authFromUrl as resolveAuthFromUrl, createGuestAuth, requestOrigin, shooBaseUrlFromEnv } from "./auth.js";
@@ -221,29 +223,45 @@ function createSourcePlugin(sourceStore, target) {
   };
 }
 
-async function readServerEnv(sourceStore) {
-  const env = { ...process.env };
-  if (!sourceStore.hasFile(".env.lakebed.server")) {
-    return env;
+function unquoteServerEnvValue(value) {
+  if (value.length < 2) {
+    return value;
   }
 
-  const contents = await sourceStore.readFile(".env.lakebed.server");
-  for (const rawLine of contents.split(/\r?\n/)) {
+  const quote = value[0];
+  if ((quote !== `"` && quote !== `'`) || value[value.length - 1] !== quote) {
+    return value;
+  }
+
+  return value.slice(1, -1);
+}
+
+function parseServerEnvFile(contents) {
+  const env = {};
+  for (const [index, rawLine] of contents.split(/\r?\n/).entries()) {
     const line = rawLine.trim();
     if (!line || line.startsWith("#")) {
       continue;
     }
 
-    const match = line.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
+    const match = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
     if (!match) {
-      continue;
+      throw new Error(`Invalid ${SERVER_ENV_FILE} line ${index + 1}. Use KEY=value.`);
     }
 
     const [, key, rawValue] = match;
-    env[key] = rawValue.replace(/^['"]|['"]$/g, "");
+    env[key] = unquoteServerEnvValue(rawValue.trim());
   }
 
-  return env;
+  return validateServerEnvValues(env, SERVER_ENV_FILE);
+}
+
+async function readCapsuleServerEnv(sourceStore) {
+  if (!sourceStore.hasFile(SERVER_ENV_FILE)) {
+    return {};
+  }
+
+  return parseServerEnvFile(await sourceStore.readFile(SERVER_ENV_FILE));
 }
 
 export async function buildCapsule({ capsuleDir, sourceStore, capsuleId = "dev" } = {}) {
@@ -301,7 +319,7 @@ export async function buildCapsule({ capsuleDir, sourceStore, capsuleId = "dev"
     app: capsuleModule.default,
     buildDir,
     clientOut,
-    env: await readServerEnv(workingStore),
+    env: await readCapsuleServerEnv(workingStore),
     serverOut,
     sourceStore: workingStore
   };
@@ -579,9 +597,9 @@ async function dev(args) {
   });
 }
 
-async function buildAnonymousEnvelope(capsuleArg) {
+async function buildAnonymousEnvelope(capsuleArg, sourceStore) {
   const capsuleDir = resolveCapsuleDir(capsuleArg);
-  const sourceStore = await createMemorySourceStoreFromDirectory(capsuleDir);
+  sourceStore ??= await createMemorySourceStoreFromDirectory(capsuleDir);
   const built = await buildCapsule({
     capsuleDir,
     capsuleId: `anonymous-${Date.now()}`,
@@ -615,7 +633,7 @@ function canDeployAfterClaim(error) {
   );
 }
 
-async function buildClaimRequiredEnvelope({ capsuleDir }) {
+async function buildClaimRequiredEnvelope({ capsuleDir, feature = "claimed server features" }) {
   const sourceStore = new MemorySourceStore();
   await sourceStore.writeFile(
     "server/index.ts",
@@ -638,7 +656,7 @@ export default capsule({
         <p className="text-sm font-semibold uppercase tracking-wide text-cyan-300">Lakebed deploy</p>
         <h1 className="mt-3 text-3xl font-semibold">Claim required</h1>
         <p className="mt-4 text-neutral-300">
-          This capsule uses server-side fetch. Claim this deploy, then run lakebed deploy again to publish the app.
+          This capsule uses ${feature}. Claim this deploy, then run lakebed deploy again to publish the app.
         </p>
       </section>
     </main>
@@ -667,9 +685,9 @@ export default capsule({
   };
 }
 
-async function buildClaimedEnvelope(capsuleArg) {
+async function buildClaimedEnvelope(capsuleArg, sourceStore) {
   const capsuleDir = resolveCapsuleDir(capsuleArg);
-  const sourceStore = await createMemorySourceStoreFromDirectory(capsuleDir);
+  sourceStore ??= await createMemorySourceStoreFromDirectory(capsuleDir);
   const built = await buildCapsule({
     capsuleDir,
     capsuleId: `claimed-${Date.now()}`,
@@ -743,13 +761,21 @@ function claimUrlFromDeployMetadata(metadata) {
   return `${String(metadata.api).replace(/\/+$/g, "")}/claim/${encodeURIComponent(metadata.deployId)}/${encodeURIComponent(metadata.claimToken)}`;
 }
 
-function deployRequestBody(envelope, ttl) {
-  return JSON.stringify({
+function deployRequestBody(envelope, ttl, { serverEnv } = {}) {
+  const body = {
     artifact: envelope.artifact,
     clientBundle: envelope.clientBundle,
     clientVersion: LAKEBED_VERSION,
     requestedTtlSeconds: ttl
-  });
+  };
+  if (serverEnv !== undefined) {
+    body.serverEnv = {
+      mode: "replace",
+      values: serverEnv
+    };
+  }
+
+  return JSON.stringify(body);
 }
 
 async function buildCommand(args) {
@@ -801,6 +827,11 @@ async function readResponseJson(response) {
 async function deployCommand(args) {
   const [capsuleArg] = positionals(args);
   const capsuleDir = capsuleArg ? resolveCapsuleDir(capsuleArg) : root;
+  const sourceStore = await createMemorySourceStoreFromDirectory(capsuleDir);
+  const serverEnvFileExists = sourceStore.hasFile(SERVER_ENV_FILE);
+  const serverEnv = await readCapsuleServerEnv(sourceStore);
+  const serverEnvKeys = Object.keys(serverEnv).sort();
+  const hasServerEnvValues = serverEnvKeys.length > 0;
   const ttl = parseTtlSeconds(readArg(args, "--ttl", "7d"));
   const api = deployApiUrl(args);
   const metadata = await readDeployMetadata(capsuleDir);
@@ -815,27 +846,45 @@ async function deployCommand(args) {
   }
 
   let envelope;
-  try {
-    envelope = currentDeploy?.claimed ? await buildClaimedEnvelope(capsuleDir) : await buildAnonymousEnvelope(capsuleDir);
-  } catch (error) {
-    if (error instanceof AnonymousCompilerError && canUpdate && currentDeploy && !currentDeploy.claimed) {
+  if (!currentDeploy?.claimed && hasServerEnvValues) {
+    if (canUpdate && currentDeploy) {
       throw new Error(
-        `${error.message}\n\nThis deploy is still anonymous. Claim it first, then run lakebed deploy again to use server-side fetch.`
+        `This capsule defines server env in ${SERVER_ENV_FILE}.\n\nThis deploy is still anonymous. Claim it first, then run lakebed deploy again to sync server env.`
       );
     }
-    if ((!canUpdate || !currentDeploy) && canDeployAfterClaim(error)) {
-      envelope = await buildClaimRequiredEnvelope({ capsuleDir });
-    } else {
-      throw error;
+    try {
+      await buildAnonymousEnvelope(capsuleDir, sourceStore);
+    } catch (error) {
+      if (!canDeployAfterClaim(error)) {
+        throw error;
+      }
+    }
+    envelope = await buildClaimRequiredEnvelope({ capsuleDir, feature: "server env" });
+  } else {
+    try {
+      envelope = currentDeploy?.claimed ? await buildClaimedEnvelope(capsuleDir, sourceStore) : await buildAnonymousEnvelope(capsuleDir, sourceStore);
+    } catch (error) {
+      if (error instanceof AnonymousCompilerError && canUpdate && currentDeploy && !currentDeploy.claimed) {
+        throw new Error(
+          `${error.message}\n\nThis deploy is still anonymous. Claim it first, then run lakebed deploy again to use server-side fetch.`
+        );
+      }
+      if ((!canUpdate || !currentDeploy) && canDeployAfterClaim(error)) {
+        envelope = await buildClaimRequiredEnvelope({ capsuleDir, feature: "server-side fetch" });
+      } else {
+        throw error;
+      }
     }
   }
-  const body = deployRequestBody(envelope, ttl);
+  const syncServerEnv = Boolean(currentDeploy?.claimed && serverEnvFileExists);
+  const serverEnvForUpdate = syncServerEnv ? serverEnv : undefined;
+  let serverEnvSynced = false;
   let mode = "created";
   let response;
 
   if (canUpdate) {
     response = await fetch(`${api}/v1/deploys/${encodeURIComponent(metadata.deployId)}`, {
-      body,
+      body: deployRequestBody(envelope, ttl, { serverEnv: serverEnvForUpdate }),
       headers: {
         "Authorization": `Bearer ${metadata.claimToken}`,
         "Content-Type": "application/json"
@@ -846,13 +895,17 @@ async function deployCommand(args) {
     if (response.status === 404 || response.status === 410) {
       mode = "created";
       response = null;
+      if (serverEnvForUpdate !== undefined && hasServerEnvValues) {
+        envelope = await buildClaimRequiredEnvelope({ capsuleDir, feature: "server env" });
+      }
     } else {
       mode = "updated";
+      serverEnvSynced = serverEnvForUpdate !== undefined;
     }
   }
 
   response ??= await fetch(`${api}/v1/anonymous-deploys`, {
-    body,
+    body: deployRequestBody(envelope, ttl),
     headers: {
       "Content-Type": "application/json"
     },
@@ -871,7 +924,16 @@ async function deployCommand(args) {
   }
 
   if (hasFlag(args, "--json")) {
-    console.log(JSON.stringify(envelope.claimRequired ? { ...deployed, claimRequired: true } : deployed, null, 2));
+    console.log(
+      JSON.stringify(
+        {
+          ...(envelope.claimRequired ? { ...deployed, claimRequired: true } : deployed),
+          ...(serverEnvSynced ? { serverEnv: { keys: serverEnvKeys, mode: "replace", synced: true } } : {})
+        },
+        null,
+        2
+      )
+    );
     return;
   }
 
@@ -892,8 +954,14 @@ async function deployCommand(args) {
   console.log(`  requests:        ${deployed.limits.requestsPerDay} / day`);
   console.log(`  mutations:       ${deployed.limits.mutationsPerDay} / day`);
   console.log(`  outbound fetch:  ${envelope.artifact.deployTarget === "claimed-source" ? "enabled" : "disabled"}`);
+  if (serverEnvSynced) {
+    console.log(`\nServer env: ${serverEnvKeys.length} synced`);
+    for (const key of serverEnvKeys) {
+      console.log(`  ${key}`);
+    }
+  }
   if (envelope.claimRequired) {
-    console.log("\nThis app needs a claimed deploy before server-side fetch can run.");
+    console.log("\nThis app needs a claimed deploy before server-side fetch or server env can run.");
     console.log("Open the claim URL, then run lakebed deploy again.");
   }
 }
@@ -1106,6 +1174,7 @@ lakebed logs --port 3000
 - Use Tailwind classes directly in JSX.
 - Do not add a CSS, PostCSS, or Tailwind build pipeline.
 - Use auth through \`ctx.auth\` on the server and \`useAuth()\` on the client.
+- Read server-only environment variables through \`ctx.env\`; define them in \`.env.lakebed.server\`.
 - Add Google sign-in with \`<SignInWithGoogle />\` or \`signInWithGoogle()\` from \`lakebed/client\`.
 - Keep \`shared/\` free of DOM, Node, env, and Lakebed runtime imports.
 
@@ -1116,6 +1185,7 @@ lakebed logs --port 3000
 - Guest auth locally, with built-in Google sign-in through Shoo.
 - No file storage.
 - No outbound fetch in anonymous deploys. Claim the deploy before using server-side fetch.
+- Non-empty \`.env.lakebed.server\` files sync only after a deploy is claimed.
 - Local state resets when \`lakebed dev\` restarts.
 `;
 }
@@ -1223,6 +1293,7 @@ export function cleanTodoText(value: string): string {
 }
 `,
     ".gitignore": `.lakebed/
+.env.lakebed.server
 `,
     "README.md": `# ${title}
 

package/src/client.js

@@ -19,6 +19,7 @@ const pending = new Map();
 const activeSubscriptions = new Set();
 let authInitPromise = null;
 let authInitialized = false;
+let refreshRequested = false;
 
 function toGuestName(name) {
   return (
@@ -68,6 +69,15 @@ function emitQuery(name, value) {
   }
 }
 
+function refreshPage() {
+  if (refreshRequested) {
+    return;
+  }
+
+  refreshRequested = true;
+  window.location.reload();
+}
+
 function send(message) {
   const ws = connect();
   const payload = JSON.stringify(message);
@@ -438,6 +448,11 @@ function connect() {
       return;
     }
 
+    if (message.op === "refresh") {
+      refreshPage();
+      return;
+    }
+
     if (message.id && pending.has(message.id)) {
       const handlers = pending.get(message.id);
       pending.delete(message.id);

package/src/version.js

@@ -1 +1 @@
-export const LAKEBED_VERSION = "0.0.5";
+export const LAKEBED_VERSION = "0.0.7";