sootsim 0.1.83 → 0.1.84

package/src/host/fetch-proxy-handler.ts

@@ -0,0 +1,288 @@
+// shared fetch-proxy + app-api handlers for the sootsim dev/daemon HTTP
+// surface. both the vite dev middleware (packages/sootsim-shell/src/
+// dev-middleware.ts) and the daemon bridge (packages/sootsim/src/host/
+// bridge-host.ts) mount these on their respective servers so guest bundle
+// fetches resolve the same way regardless of which surface the sim is
+// loaded through.
+//
+// the symptom that drove this extraction: when the shell dev server was
+// not running, sims fell back to the daemon's loopback HTTP server,
+// which only knew about `/__bundle-proxy` and let every `/__fetch-proxy`
+// or `/__app-api` request fall through to the SPA index.html. tenant
+// code (e.g. Expensify's NetInfo reachability poll) saw a 200 response
+// whose body was the shell HTML, parsed it as JSON, failed, and reported
+// `isInternetReachable: false` → "you appear to be offline".
+//
+// routes implemented here:
+//   /__fetch-proxy?url=…    — generic CORS-bypassing proxy
+//   /__proxy?url=…          — alias of /__fetch-proxy (demo-gateway path)
+//   /__app-api?origin=…&path=… — tenant API reverse proxy, stateless
+//                              (bundle origin carried in the query string)
+//   /__app-api/<path>       — legacy form for callers that registered an
+//                              origin separately. requires an out-of-band
+//                              tenant-origin registry to resolve; left as
+//                              the caller's responsibility.
+
+import http, { type IncomingMessage, type ServerResponse } from 'http'
+import https from 'https'
+import {
+  FETCH_PROXY_BROWSER_USER_AGENT,
+  getFetchProxyTargetHeaders,
+} from './fetch-proxy-overrides.ts'
+
+const STRIP_FETCH_PROXY_HEADERS = new Set([
+  'host',
+  'origin',
+  'referer',
+  'user-agent',
+  'accept-encoding',
+  'cookie',
+  'connection',
+  'keep-alive',
+  'transfer-encoding',
+  'upgrade',
+  'content-length',
+  'sec-fetch-site',
+  'sec-fetch-mode',
+  'sec-fetch-dest',
+  'sec-ch-ua',
+  'sec-ch-ua-mobile',
+  'sec-ch-ua-platform',
+])
+
+const FETCH_PROXY_CORS_HEADERS: Record<string, string> = {
+  'access-control-allow-origin': '*',
+  'access-control-allow-methods': 'GET,POST,PUT,DELETE,PATCH,OPTIONS',
+  'access-control-allow-headers': '*',
+  'access-control-expose-headers': '*',
+  'access-control-max-age': '3600',
+}
+
+function applyFetchProxyCors(res: ServerResponse) {
+  for (const [key, value] of Object.entries(FETCH_PROXY_CORS_HEADERS)) {
+    res.setHeader(key, value)
+  }
+}
+
+function formatFetchProxyError(targetUrl: string, err: unknown): string {
+  const details: string[] = []
+  const error = err as
+    | {
+        message?: string
+        code?: string
+        cause?: { message?: string; code?: string }
+      }
+    | undefined
+
+  if (error?.code) details.push(error.code)
+  if (error?.message) details.push(error.message)
+  if (error?.cause?.code) details.push(error.cause.code)
+  if (error?.cause?.message) details.push(error.cause.message)
+
+  const uniqueDetails = [...new Set(details.filter(Boolean))]
+  const message = uniqueDetails.join(' | ') || String(err)
+
+  if (targetUrl.includes('stored-in-.env.local')) {
+    return `${message} | upstream url still contains placeholder env values`
+  }
+
+  return message
+}
+
+export function buildFetchProxyHeaders(
+  reqHeaders: Record<string, string | string[] | undefined>,
+  targetUrl?: URL,
+): Record<string, string> {
+  const headers: Record<string, string> = {}
+  for (const [key, value] of Object.entries(reqHeaders)) {
+    if (!value) continue
+    if (STRIP_FETCH_PROXY_HEADERS.has(key.toLowerCase())) continue
+    headers[key] = Array.isArray(value) ? value.join(', ') : value
+  }
+  Object.assign(
+    headers,
+    targetUrl
+      ? getFetchProxyTargetHeaders(targetUrl)
+      : { 'user-agent': FETCH_PROXY_BROWSER_USER_AGENT },
+  )
+  return headers
+}
+
+export function isFetchProxyRequestUrl(rawUrl: string | undefined): boolean {
+  return rawUrl?.startsWith('/__fetch-proxy?') || rawUrl?.startsWith('/__proxy?') || false
+}
+
+export function isAppApiRequestUrl(rawUrl: string | undefined): boolean {
+  if (!rawUrl) return false
+  if (rawUrl.startsWith('/__app-api?')) return true
+  if (rawUrl.startsWith('/__app-api/')) return true
+  return false
+}
+
+export async function handleFetchProxyRequest(
+  req: IncomingMessage,
+  res: ServerResponse,
+): Promise<void> {
+  if (req.method === 'OPTIONS') {
+    applyFetchProxyCors(res)
+    res.writeHead(204)
+    res.end()
+    return
+  }
+
+  const params = new URLSearchParams((req.url || '').split('?')[1] || '')
+  const targetUrl = params.get('url')
+  if (!targetUrl) {
+    applyFetchProxyCors(res)
+    res.writeHead(400, { 'Content-Type': 'text/plain' })
+    res.end('missing url param')
+    return
+  }
+
+  let upstreamUrl: URL
+  try {
+    upstreamUrl = new URL(targetUrl)
+  } catch {
+    applyFetchProxyCors(res)
+    res.writeHead(400, { 'Content-Type': 'text/plain' })
+    res.end('invalid url param')
+    return
+  }
+
+  const headers = buildFetchProxyHeaders(req.headers, upstreamUrl)
+
+  let body: Buffer | undefined
+  if (req.method !== 'GET' && req.method !== 'HEAD') {
+    const chunks: Buffer[] = []
+    for await (const chunk of req) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk))
+    }
+    if (chunks.length > 0) body = Buffer.concat(chunks)
+  }
+
+  let upstream: Response
+  try {
+    upstream = await fetch(upstreamUrl.href, {
+      method: req.method,
+      headers,
+      body: body as BodyInit | undefined,
+      redirect: 'follow',
+    })
+  } catch (err) {
+    applyFetchProxyCors(res)
+    res.writeHead(502, { 'Content-Type': 'text/plain' })
+    res.end(`fetch proxy error: ${formatFetchProxyError(upstreamUrl.href, err)}`)
+    return
+  }
+
+  upstream.headers.forEach((value, key) => {
+    const lowerKey = key.toLowerCase()
+    if (
+      lowerKey === 'content-encoding' ||
+      lowerKey === 'transfer-encoding' ||
+      lowerKey === 'content-length' ||
+      lowerKey === 'set-cookie' ||
+      lowerKey.startsWith('access-control-')
+    ) {
+      return
+    }
+    res.setHeader(key, value)
+  })
+  applyFetchProxyCors(res)
+
+  const setCookie = upstream.headers.getSetCookie?.() ?? []
+  if (setCookie.length > 0) {
+    res.setHeader('x-sootsim-set-cookie', setCookie.join(', '))
+  }
+
+  res.statusCode = upstream.status
+  const buf = Buffer.from(await upstream.arrayBuffer())
+  res.end(buf)
+}
+
+export function handleAppApiRequest(req: IncomingMessage, res: ServerResponse): boolean {
+  // returns true if it handled the request, false if the caller should fall
+  // through. /__app-api requires `origin` query param for stateless mode;
+  // without it we return false so the caller decides what to do (the vite
+  // middleware uses its own out-of-band origin registry; the daemon has
+  // no such registry so it returns 400).
+
+  const reqUrl = req.url || ''
+
+  let targetPath = ''
+  let targetOrigin = ''
+  if (reqUrl.startsWith('/__app-api?')) {
+    const parsed = new URL(reqUrl, 'http://sootsim.local')
+    targetPath = parsed.searchParams.get('path') || ''
+    targetOrigin = parsed.searchParams.get('origin')?.trim() || ''
+  } else if (reqUrl.startsWith('/__app-api/')) {
+    targetPath = reqUrl.slice('/__app-api'.length)
+  } else {
+    return false
+  }
+
+  if (!targetOrigin) {
+    res.writeHead(400, { 'Content-Type': 'text/plain' })
+    res.end('app-api: missing origin query param')
+    return true
+  }
+
+  if (req.method === 'OPTIONS') {
+    res.writeHead(204, {
+      'Access-Control-Allow-Origin': (req.headers.origin as string) || '*',
+      'Access-Control-Allow-Methods': 'GET,POST,PUT,PATCH,DELETE,OPTIONS',
+      'Access-Control-Allow-Headers':
+        (req.headers['access-control-request-headers'] as string) || '*',
+      'Access-Control-Allow-Credentials': 'true',
+      'Access-Control-Max-Age': '86400',
+    })
+    res.end()
+    return true
+  }
+
+  let targetUrl: URL
+  try {
+    targetUrl = new URL(targetPath, targetOrigin)
+  } catch {
+    res.writeHead(400, { 'Content-Type': 'text/plain' })
+    res.end('app-api: invalid origin or path')
+    return true
+  }
+
+  const transport = targetUrl.protocol === 'https:' ? https : http
+
+  const fwdHeaders = { ...req.headers }
+  delete fwdHeaders.host
+  fwdHeaders.host = targetUrl.host
+
+  const proxyReq = transport.request(
+    {
+      hostname: targetUrl.hostname,
+      port: targetUrl.port || (targetUrl.protocol === 'https:' ? 443 : 80),
+      path: targetUrl.pathname + targetUrl.search,
+      method: req.method,
+      headers: fwdHeaders,
+    },
+    (proxyRes) => {
+      const exposedHeaders = Object.keys(proxyRes.headers)
+        .filter((name) => {
+          const lower = name.toLowerCase()
+          return !lower.startsWith('access-control-') && lower !== 'set-cookie'
+        })
+        .join(', ')
+      res.writeHead(proxyRes.statusCode ?? 502, {
+        ...proxyRes.headers,
+        'access-control-allow-origin': (req.headers.origin as string) || '*',
+        'access-control-allow-credentials': 'true',
+        'access-control-expose-headers': exposedHeaders,
+      })
+      proxyRes.pipe(res)
+    },
+  )
+  proxyReq.on('error', (err) => {
+    res.statusCode = 502
+    res.end(`app proxy error: ${err.message}`)
+  })
+  req.pipe(proxyReq)
+  return true
+}

package/src/host/fetch-proxy-overrides.ts

@@ -0,0 +1,39 @@
+// shared upstream header policy for SootSim's CORS-bypassing fetch proxy.
+// requests still forward tenant auth and app headers, but the proxy transport
+// defaults to native-app semantics: no browser Origin or Referer. web-backed
+// mobile APIs that require a specific web origin opt in below.
+
+export const FETCH_PROXY_BROWSER_USER_AGENT =
+  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 ' +
+  '(KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36'
+
+const HOST_HEADER_OVERRIDES: Array<{
+  hostSuffix: string
+  headers: Record<string, string>
+}> = [
+  {
+    hostSuffix: 'uniswap.org',
+    headers: {
+      origin: 'https://app.uniswap.org',
+      referer: 'https://app.uniswap.org/',
+    },
+  },
+]
+
+function headerOverridesFor(hostname: string): Record<string, string> {
+  const host = hostname.toLowerCase()
+  for (const override of HOST_HEADER_OVERRIDES) {
+    if (host === override.hostSuffix || host.endsWith(`.${override.hostSuffix}`)) {
+      return override.headers
+    }
+  }
+  return {}
+}
+
+export function getFetchProxyTargetHeaders(targetUrl: URL): Record<string, string> {
+  return {
+    'accept-encoding': 'identity',
+    'user-agent': FETCH_PROXY_BROWSER_USER_AGENT,
+    ...headerOverridesFor(targetUrl.hostname),
+  }
+}

package/src/host/open-url.ts

@@ -0,0 +1,234 @@
+import { execFileSync, spawn } from 'child_process'
+import { existsSync } from 'fs'
+import { homedir } from 'os'
+import { join } from 'path'
+
+export type OpenUrlLaunchVia = 'chromium' | 'system'
+
+export interface OpenUrlOptions {
+  newWindow?: boolean
+  detached?: boolean
+  background?: boolean
+}
+
+export interface OpenUrlCommandOptions extends OpenUrlOptions {
+  platform?: NodeJS.Platform
+  chromiumBinary?: string | null
+}
+
+export interface OpenUrlCommand {
+  command: string
+  args: string[]
+  via: OpenUrlLaunchVia
+  target?: string
+}
+
+export interface OpenUrlLaunchResult extends OpenUrlCommand {
+  pid?: number
+  attachUrl: string
+}
+
+const MAC_CHROMIUM_CANDIDATES = [
+  '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
+  '~/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
+  '/Applications/Chromium.app/Contents/MacOS/Chromium',
+  '~/Applications/Chromium.app/Contents/MacOS/Chromium',
+  '/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge',
+  '~/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge',
+  '/Applications/Brave Browser.app/Contents/MacOS/Brave Browser',
+  '~/Applications/Brave Browser.app/Contents/MacOS/Brave Browser',
+  '/Applications/Arc.app/Contents/MacOS/Arc',
+  '~/Applications/Arc.app/Contents/MacOS/Arc',
+]
+
+const LINUX_CHROMIUM_CANDIDATES = [
+  '/usr/bin/google-chrome',
+  '/usr/bin/chromium',
+  '/usr/bin/chromium-browser',
+  '/usr/bin/microsoft-edge',
+  '/usr/bin/brave-browser',
+  '/snap/bin/chromium',
+]
+
+const WINDOWS_CHROMIUM_CANDIDATES = [
+  'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
+  'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
+  'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe',
+  'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+  'C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe',
+  'C:\\Program Files (x86)\\BraveSoftware\\Brave-Browser\\Application\\brave.exe',
+]
+
+const UNIX_CHROMIUM_COMMANDS = [
+  'google-chrome',
+  'chromium',
+  'chromium-browser',
+  'microsoft-edge',
+  'brave-browser',
+]
+
+const WINDOWS_CHROMIUM_COMMANDS = ['chrome', 'msedge', 'brave']
+
+function expandHome(candidate: string): string {
+  return candidate.startsWith('~/') ? join(homedir(), candidate.slice(2)) : candidate
+}
+
+function firstExisting(candidates: string[]): string | null {
+  for (const candidate of candidates) {
+    const expanded = expandHome(candidate)
+    if (existsSync(expanded)) return expanded
+  }
+  return null
+}
+
+function lookupExecutable(command: string, platform: NodeJS.Platform): string | null {
+  try {
+    const tool = platform === 'win32' ? 'where' : 'which'
+    const out = execFileSync(tool, [command], {
+      encoding: 'utf8',
+      timeout: 1500,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    }).trim()
+    return out ? out.split(/\r?\n/)[0] : null
+  } catch {
+    return null
+  }
+}
+
+export function resolveChromiumBinary(
+  platform: NodeJS.Platform = process.platform,
+): string | null {
+  const envCandidate = process.env.CHROME_PATH || process.env.CHROMIUM_PATH
+  if (envCandidate && existsSync(envCandidate)) return envCandidate
+
+  const direct =
+    platform === 'darwin'
+      ? firstExisting(MAC_CHROMIUM_CANDIDATES)
+      : platform === 'win32'
+        ? firstExisting(WINDOWS_CHROMIUM_CANDIDATES)
+        : firstExisting(LINUX_CHROMIUM_CANDIDATES)
+  if (direct) return direct
+
+  const commands =
+    platform === 'win32' ? WINDOWS_CHROMIUM_COMMANDS : UNIX_CHROMIUM_COMMANDS
+  for (const command of commands) {
+    const found = lookupExecutable(command, platform)
+    if (found) return found
+  }
+
+  return null
+}
+
+export function buildOpenUrlCommand(
+  url: string,
+  options: OpenUrlCommandOptions = {},
+): OpenUrlCommand {
+  if (!url) throw new Error('openUrl requires a url')
+
+  const platform = options.platform ?? process.platform
+  if (options.newWindow) {
+    return buildChromiumUrlCommand(url, { ...options, platform, newWindow: true })
+  }
+
+  if (platform === 'darwin') {
+    return {
+      command: 'open',
+      args: options.background === false ? [url] : ['-g', url],
+      via: 'system',
+    }
+  }
+
+  if (platform === 'win32') {
+    return {
+      command: 'cmd',
+      args: ['/c', 'start', '', url],
+      via: 'system',
+    }
+  }
+
+  return {
+    command: 'xdg-open',
+    args: [url],
+    via: 'system',
+  }
+}
+
+export function buildChromiumUrlCommand(
+  url: string,
+  options: OpenUrlCommandOptions = {},
+): OpenUrlCommand {
+  if (!url) throw new Error('openUrl requires a url')
+
+  const platform = options.platform ?? process.platform
+  const chromiumBinary =
+    'chromiumBinary' in options ? options.chromiumBinary : resolveChromiumBinary(platform)
+  if (!chromiumBinary) {
+    throw new Error('browser launch requires Chrome, Chromium, Edge, Brave, or Arc')
+  }
+
+  // the chromium driver always launches a visible system browser window.
+  // headless is intentionally NOT supported here: bare `chrome --headless=new
+  // <url>` renders the page once and exits — nothing keeps the process (and
+  // therefore the sim) alive without an attached CDP client. headless
+  // automation is the playwright driver's job. see chromium.ts `launch`.
+  const args: string[] = []
+  if (options.newWindow !== false) {
+    args.push('--new-window')
+  }
+  args.push(url)
+
+  return {
+    command: chromiumBinary,
+    args,
+    via: 'chromium',
+    target: chromiumBinary,
+  }
+}
+
+async function spawnLaunch(
+  command: string,
+  args: string[],
+  detached: boolean,
+): Promise<number | undefined> {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      detached,
+      stdio: 'ignore',
+    })
+    child.once('error', reject)
+    child.once('spawn', () => {
+      if (detached) child.unref()
+      resolve(child.pid)
+    })
+  })
+}
+
+export async function launchUrl(
+  url: string,
+  options: OpenUrlOptions = {},
+): Promise<OpenUrlLaunchResult> {
+  const command = buildOpenUrlCommand(url, options)
+  const pid = await spawnLaunch(command.command, command.args, options.detached ?? true)
+  return {
+    ...command,
+    pid,
+    attachUrl: url,
+  }
+}
+
+export async function launchChromiumUrl(
+  url: string,
+  options: OpenUrlCommandOptions = {},
+): Promise<OpenUrlLaunchResult> {
+  const command = buildChromiumUrlCommand(url, options)
+  const pid = await spawnLaunch(command.command, command.args, options.detached ?? true)
+  return {
+    ...command,
+    pid,
+    attachUrl: url,
+  }
+}
+
+export async function openUrl(url: string, options: OpenUrlOptions = {}): Promise<void> {
+  await launchUrl(url, options)
+}

package/src/index.ts

@@ -0,0 +1,9 @@
+// sootsim public package — CLI + framework integrations.
+//
+// the bridge client and plugins live here. the canvas rendering engine lives
+// in the private `sootsim-engine` workspace package.
+
+export { sootsimPlugin } from './vite-plugin-one'
+export { default as metroPlugin } from './metro-plugin'
+export { DEFAULT_SOOTSIM_BRIDGE_PORT } from './bridge-constants'
+export { DEFAULT_SOOTSIM_SHELL_URL } from './cli-constants'