orez 0.4.24 → 0.4.25

package/dist/worker/cf-do-shim.d.ts

@@ -0,0 +1,55 @@
+/**
+ * namespace routing primitives for the Cloudflare Durable Object deploy.
+ *
+ * a multi-tenant CF/orez deploy shards data into one DO instance per tenant
+ * namespace (`ns:<scope>-<id>`) plus a control-plane `singleton`. the worker
+ * tiers carry the chosen namespace in a header (and re-stamp it so an inbound
+ * value is never trusted) and must validate its shape before routing — an
+ * unvalidated namespace would let a client mint unbounded DO instances.
+ *
+ * the deployed worker entry classes are bundled strings in the consumer's
+ * deploy integration (awkward to unit-test), so the routing decision and the
+ * security-relevant shape validation live here as pure functions, tested in
+ * cf-do-shim.test.ts. consumers import these into their worker shims instead of
+ * copy-pasting the validation regex at every routing site.
+ */
+export interface NamespaceRoutingOptions {
+    /** allowed namespace scope prefixes. default `['proj', 'test']`. */
+    scopes?: readonly string[];
+    /**
+     * namespace values that resolve to the control-plane `singleton` instance,
+     * in addition to the empty string (which is always the singleton).
+     */
+    controlPlaneNamespaces?: readonly string[];
+    /** request header the worker tiers carry the namespace in. default `x-orez-ns`. */
+    nsHeader?: string;
+}
+/**
+ * true when `ns` is a structurally valid tenant namespace: a configured scope
+ * prefix followed by a 1-64 char `[A-Za-z0-9_-]` id. this is the gate that
+ * keeps a stray header from minting an unbounded DO instance, so every routing
+ * site that forwards a namespace should run it.
+ */
+export declare function isValidNamespace(ns: string, opts?: NamespaceRoutingOptions): boolean;
+/**
+ * resolve a raw namespace string to a DO instance name:
+ *   - `''` or a control-plane alias -> `'singleton'`
+ *   - a valid tenant namespace      -> `'ns:<ns>'`
+ *   - anything else                 -> `null` (caller should reject the request)
+ */
+export declare function doInstanceName(ns: string, opts?: NamespaceRoutingOptions): string | null;
+interface HeaderReader {
+    get(name: string): string | null;
+}
+/**
+ * read the namespace from a request (the configured header, falling back to the
+ * `?ns=` query param) and resolve it to a DO instance name. returns `null` for a
+ * structurally invalid namespace so the worker can reply 400 instead of routing.
+ */
+export declare function doInstanceNameForRequest(request: {
+    headers: HeaderReader;
+}, url: {
+    searchParams: HeaderReader;
+}, opts?: NamespaceRoutingOptions): string | null;
+export {};
+//# sourceMappingURL=cf-do-shim.d.ts.map

package/dist/worker/cf-do-shim.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cf-do-shim.d.ts","sourceRoot":"","sources":["../../src/worker/cf-do-shim.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,MAAM,WAAW,uBAAuB;IACtC,oEAAoE;IACpE,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IAC1B;;;OAGG;IACH,sBAAsB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IAC1C,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAWD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,EAAE,EAAE,MAAM,EACV,IAAI,GAAE,uBAA4B,GACjC,OAAO,CAET;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,EAAE,EAAE,MAAM,EACV,IAAI,GAAE,uBAA4B,GACjC,MAAM,GAAG,IAAI,CAKf;AAED,UAAU,YAAY;IACpB,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAA;CACjC;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE;IAAE,OAAO,EAAE,YAAY,CAAA;CAAE,EAClC,GAAG,EAAE;IAAE,YAAY,EAAE,YAAY,CAAA;CAAE,EACnC,IAAI,GAAE,uBAA4B,GACjC,MAAM,GAAG,IAAI,CAIf"}

package/dist/worker/cf-do-shim.js

@@ -0,0 +1,58 @@
+/**
+ * namespace routing primitives for the Cloudflare Durable Object deploy.
+ *
+ * a multi-tenant CF/orez deploy shards data into one DO instance per tenant
+ * namespace (`ns:<scope>-<id>`) plus a control-plane `singleton`. the worker
+ * tiers carry the chosen namespace in a header (and re-stamp it so an inbound
+ * value is never trusted) and must validate its shape before routing — an
+ * unvalidated namespace would let a client mint unbounded DO instances.
+ *
+ * the deployed worker entry classes are bundled strings in the consumer's
+ * deploy integration (awkward to unit-test), so the routing decision and the
+ * security-relevant shape validation live here as pure functions, tested in
+ * cf-do-shim.test.ts. consumers import these into their worker shims instead of
+ * copy-pasting the validation regex at every routing site.
+ */
+/** default namespace scope prefixes (`proj-<id>`, `test-<id>`). */
+const DEFAULT_SCOPES = ['proj', 'test'];
+function escapeForRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function namespacePattern(scopes) {
+    const group = scopes.map(escapeForRegExp).join('|');
+    return new RegExp(`^(?:${group})-[A-Za-z0-9_-]{1,64}$`);
+}
+/**
+ * true when `ns` is a structurally valid tenant namespace: a configured scope
+ * prefix followed by a 1-64 char `[A-Za-z0-9_-]` id. this is the gate that
+ * keeps a stray header from minting an unbounded DO instance, so every routing
+ * site that forwards a namespace should run it.
+ */
+export function isValidNamespace(ns, opts = {}) {
+    return namespacePattern(opts.scopes ?? DEFAULT_SCOPES).test(ns);
+}
+/**
+ * resolve a raw namespace string to a DO instance name:
+ *   - `''` or a control-plane alias -> `'singleton'`
+ *   - a valid tenant namespace      -> `'ns:<ns>'`
+ *   - anything else                 -> `null` (caller should reject the request)
+ */
+export function doInstanceName(ns, opts = {}) {
+    if (!ns)
+        return 'singleton';
+    if ((opts.controlPlaneNamespaces ?? []).includes(ns))
+        return 'singleton';
+    if (!isValidNamespace(ns, opts))
+        return null;
+    return 'ns:' + ns;
+}
+/**
+ * read the namespace from a request (the configured header, falling back to the
+ * `?ns=` query param) and resolve it to a DO instance name. returns `null` for a
+ * structurally invalid namespace so the worker can reply 400 instead of routing.
+ */
+export function doInstanceNameForRequest(request, url, opts = {}) {
+    const ns = request.headers.get(opts.nsHeader ?? 'x-orez-ns') || url.searchParams.get('ns') || '';
+    return doInstanceName(ns, opts);
+}
+//# sourceMappingURL=cf-do-shim.js.map

package/dist/worker/cf-do-shim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cf-do-shim.js","sourceRoot":"","sources":["../../src/worker/cf-do-shim.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,mEAAmE;AACnE,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,MAAM,CAAU,CAAA;AAchD,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACrD,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAyB;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnD,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,wBAAwB,CAAC,CAAA;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,EAAU,EACV,OAAgC,EAAE;IAElC,OAAO,gBAAgB,CAAC,IAAI,CAAC,MAAM,IAAI,cAAc,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;AACjE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,EAAU,EACV,OAAgC,EAAE;IAElC,IAAI,CAAC,EAAE;QAAE,OAAO,WAAW,CAAA;IAC3B,IAAI,CAAC,IAAI,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;QAAE,OAAO,WAAW,CAAA;IACxE,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAC5C,OAAO,KAAK,GAAG,EAAE,CAAA;AACnB,CAAC;AAMD;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAkC,EAClC,GAAmC,EACnC,OAAgC,EAAE;IAElC,MAAM,EAAE,GACN,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IACvF,OAAO,cAAc,CAAC,EAAE,EAAE,IAAI,CAAC,CAAA;AACjC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "orez",
-  "version": "0.4.24",
+  "version": "0.4.25",
   "description": "PGlite-powered zero-sync development backend. No Docker required.",
   "type": "module",
   "license": "MIT",
@@ -87,7 +87,7 @@
     "@electric-sql/pglite": "0.4.1",
     "@electric-sql/pglite-tools": "^0.3.1",
     "@pgsql/traverse": "17.2.6",
-    "bedrock-sqlite": "0.4.24",
+    "bedrock-sqlite": "0.4.25",
     "citty": "^0.2.0",
     "pg-gateway": "0.3.0-beta.4",
     "pgsql-parser": "^17.9.11",