sootsim 0.1.84 → 0.1.86

package/dist-lib/vite.cjs

@@ -1,4 +1,4 @@
-/*! sootsim v0.1.84 | (c) 2026 Tamagui LLC | Proprietary — see LICENSE */
+/*! sootsim v0.1.86 | (c) 2026 Tamagui LLC | Proprietary — see LICENSE */
 let __sootsim_import_meta_url = ''; try { __sootsim_import_meta_url = require('url').pathToFileURL(__filename).href; } catch {}
 "use strict";
 var __create = Object.create;
@@ -36,11 +36,45 @@ __export(vite_plugin_one_exports, {
   sootsimPlugin: () => sootsimPlugin
 });
 module.exports = __toCommonJS(vite_plugin_one_exports);
+var import_fs2 = __toESM(require("fs"), 1);
+var import_path2 = __toESM(require("path"), 1);
+
+// src/runtime-assets.ts
 var import_fs = __toESM(require("fs"), 1);
 var import_path = __toESM(require("path"), 1);
-var sootsimRoot = import_path.default.resolve(import_path.default.dirname(new URL(__sootsim_import_meta_url).pathname), "..");
-var distDir = import_path.default.join(sootsimRoot, "dist-plugin");
-var publicDir = import_path.default.join(sootsimRoot, "public");
+
+// src/home-paths.ts
+var import_node_fs = __toESM(require("node:fs"), 1);
+var import_node_os = require("node:os");
+var import_node_path = __toESM(require("node:path"), 1);
+var SOOTSIM_HOME_ENV = "SOOTSIM_HOME";
+var ACTIVE_RUNTIME_FILE = "active";
+function sootsimHomeDir() {
+  const override = process.env[SOOTSIM_HOME_ENV];
+  if (override && override.length > 0) return import_node_path.default.resolve(override);
+  return import_node_path.default.join((0, import_node_os.homedir)(), ".sootsim");
+}
+function runtimesDir() {
+  return import_node_path.default.join(sootsimHomeDir(), "runtimes");
+}
+function runtimeDir(version) {
+  return import_node_path.default.join(runtimesDir(), version);
+}
+function activeRuntimeFile() {
+  return import_node_path.default.join(runtimesDir(), ACTIVE_RUNTIME_FILE);
+}
+function readActiveRuntime() {
+  try {
+    const value = import_node_fs.default.readFileSync(activeRuntimeFile(), "utf8").trim();
+    return value.length > 0 ? value : null;
+  } catch {
+    return null;
+  }
+}
+var DAEMON_LOCKFILE_MAX_BYTES = 16 * 1024;
+
+// src/runtime-assets.ts
+var SOOTSIM_RUNTIME_MISSING_MESSAGE = "[sootsim] no engine runtime installed \u2014 run `sootsim setup-repo` in your project, or `sootsim runtime install`";
 var MIME_TYPES = {
   ".js": "application/javascript",
   ".mjs": "application/javascript",
@@ -48,17 +82,64 @@ var MIME_TYPES = {
   ".html": "text/html",
   ".wasm": "application/wasm",
   ".json": "application/json",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
   ".png": "image/png",
   ".svg": "image/svg+xml",
+  ".webp": "image/webp",
+  ".glb": "model/gltf-binary",
   ".ttf": "font/ttf",
   ".otf": "font/otf",
   ".woff": "font/woff",
   ".woff2": "font/woff2",
   ".mp3": "audio/mpeg",
-  ".wav": "audio/wav",
-  ".jpg": "image/jpeg",
-  ".webp": "image/webp"
+  ".wav": "audio/wav"
 };
+var ROOT_RUNTIME_PATHS = [
+  "/assets/",
+  "/engine/",
+  "/engine-tenant/",
+  "/photos/",
+  "/three-mode/",
+  "/canvaskit.wasm",
+  "/fonts/",
+  "/icons/",
+  "/sounds/",
+  "/spike/",
+  "/test-wallpaper.jpg",
+  "/preview-sw.js"
+];
+function resolveActiveRuntimeRoot() {
+  const active = readActiveRuntime();
+  if (!active) return null;
+  const dir = runtimeDir(active);
+  if (!import_fs.default.existsSync(import_path.default.join(dir, "index.html"))) return null;
+  return dir;
+}
+function isRootRuntimeAssetPath(pathname) {
+  return ROOT_RUNTIME_PATHS.some((p) => pathname === p || pathname.startsWith(p));
+}
+function resolveRuntimeFilePath(runtimeRoot, pathname) {
+  if (!pathname.startsWith("/")) return null;
+  if (pathname.includes("\0") || pathname.includes("\\")) return null;
+  for (const segment of pathname.split("/")) {
+    if (segment === "..") return null;
+  }
+  const fullPath = import_path.default.resolve(runtimeRoot, pathname.replace(/^\/+/, ""));
+  const rootWithSep = runtimeRoot.endsWith(import_path.default.sep) ? runtimeRoot : runtimeRoot + import_path.default.sep;
+  if (!fullPath.startsWith(rootWithSep) && fullPath !== runtimeRoot) return null;
+  if (!import_fs.default.existsSync(fullPath) || !import_fs.default.statSync(fullPath).isFile()) return null;
+  return fullPath;
+}
+function serveRuntimeFile(res, fullPath) {
+  const ext = import_path.default.extname(fullPath);
+  res.setHeader("content-type", MIME_TYPES[ext] || "application/octet-stream");
+  res.setHeader("cache-control", "max-age=31536000,immutable");
+  import_fs.default.createReadStream(fullPath).pipe(res);
+}
+
+// src/vite-plugin-one.ts
+var sootsimRoot = import_path2.default.resolve(import_path2.default.dirname(new URL(__sootsim_import_meta_url).pathname), "..");
 function sootsimPlugin(options = {}) {
   if (options.enabled === false) return [];
   const prefix = options.prefix || "/__soot";
@@ -85,14 +166,27 @@ function sootsimPlugin(options = {}) {
         });
         server.middlewares.use((req, res, next) => {
           const url = req.url || "";
-          if (url === prefix || url === prefix + "/" || url.startsWith(prefix + "/?")) {
-            const htmlPath = import_path.default.join(distDir, "index.html");
-            if (!import_fs.default.existsSync(htmlPath)) {
+          const pathname = url.split("?")[0];
+          const runtimeRoot = resolveActiveRuntimeRoot();
+          if (!runtimeRoot) {
+            if (pathname === prefix || pathname === prefix + "/" || pathname.startsWith(prefix + "/")) {
               res.statusCode = 500;
-              res.end("[sootsim] dist-plugin not built. run: bun scripts/build-plugin.ts");
+              res.end(SOOTSIM_RUNTIME_MISSING_MESSAGE);
+              return;
+            }
+            next();
+            return;
+          }
+          if (isRootRuntimeAssetPath(pathname)) {
+            const fullPath = resolveRuntimeFilePath(runtimeRoot, pathname);
+            if (fullPath) {
+              serveRuntimeFile(res, fullPath);
               return;
             }
-            let html = import_fs.default.readFileSync(htmlPath, "utf8");
+          }
+          if (pathname === prefix || pathname === prefix + "/") {
+            const htmlPath = import_path2.default.join(runtimeRoot, "index.html");
+            let html = import_fs2.default.readFileSync(htmlPath, "utf8");
             html = html.replace(
               "</head>",
               `<script>history.replaceState(null,'','${prefix}/?bundle=${encodeURIComponent(bundleUrl)}')</script></head>`
@@ -101,31 +195,25 @@ function sootsimPlugin(options = {}) {
             res.end(html);
             return;
           }
-          if (url.startsWith(prefix + "/")) {
-            const filePath = url.slice(prefix.length).split("?")[0];
-            const fullPath = import_path.default.join(distDir, filePath);
-            if (import_fs.default.existsSync(fullPath) && import_fs.default.statSync(fullPath).isFile()) {
-              const ext = import_path.default.extname(fullPath);
-              res.setHeader("content-type", MIME_TYPES[ext] || "application/octet-stream");
-              res.setHeader("cache-control", "max-age=31536000,immutable");
-              import_fs.default.createReadStream(fullPath).pipe(res);
-              return;
-            }
-            const publicPath = import_path.default.join(publicDir, filePath);
-            if (import_fs.default.existsSync(publicPath) && import_fs.default.statSync(publicPath).isFile()) {
-              const ext = import_path.default.extname(publicPath);
-              res.setHeader("content-type", MIME_TYPES[ext] || "application/octet-stream");
-              import_fs.default.createReadStream(publicPath).pipe(res);
+          if (pathname.startsWith(prefix + "/")) {
+            const fullPath = resolveRuntimeFilePath(
+              runtimeRoot,
+              pathname.slice(prefix.length)
+            );
+            if (fullPath) {
+              serveRuntimeFile(res, fullPath);
               return;
             }
-          }
-          const staticRoots = ["/canvaskit.wasm", "/fonts/", "/icons/", "/sounds/"];
-          if (staticRoots.some((p) => url.startsWith(p))) {
-            const fullPath = import_path.default.join(publicDir, url.split("?")[0]);
-            if (import_fs.default.existsSync(fullPath) && import_fs.default.statSync(fullPath).isFile()) {
-              const ext = import_path.default.extname(fullPath);
-              res.setHeader("content-type", MIME_TYPES[ext] || "application/octet-stream");
-              import_fs.default.createReadStream(fullPath).pipe(res);
+            const ext = import_path2.default.extname(pathname);
+            if (!ext) {
+              const htmlPath = import_path2.default.join(runtimeRoot, "index.html");
+              let html = import_fs2.default.readFileSync(htmlPath, "utf8");
+              html = html.replace(
+                "</head>",
+                `<script>history.replaceState(null,'','${prefix}/?bundle=${encodeURIComponent(bundleUrl)}')</script></head>`
+              );
+              res.setHeader("content-type", "text/html");
+              res.end(html);
               return;
             }
           }
@@ -134,7 +222,9 @@ function sootsimPlugin(options = {}) {
         const port = server.config.server.port || 8081;
         const sootsimUrl = `http://localhost:${port}${prefix}/`;
         console.log(`[sootsim] serving at ${sootsimUrl}`);
-        openElectronApp(sootsimUrl);
+        if (options.open !== false) {
+          openElectronApp(sootsimUrl);
+        }
       }
     }
   ];
@@ -150,10 +240,10 @@ async function openElectronApp(sootsimUrl) {
   }
   const candidates = [
     "/Applications/sootsim.app",
-    import_path.default.join(process.env.HOME || "", "Applications/sootsim.app"),
-    import_path.default.join(sootsimRoot, "release/mac-arm64/sootsim.app")
+    import_path2.default.join(process.env.HOME || "", "Applications/sootsim.app"),
+    import_path2.default.join(sootsimRoot, "release/mac-arm64/sootsim.app")
   ];
-  let appPath = candidates.find((p) => import_fs.default.existsSync(p));
+  let appPath = candidates.find((p) => import_fs2.default.existsSync(p));
   if (!appPath) {
     try {
       const found = execSync(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sootsim",
-  "version": "0.1.84",
+  "version": "0.1.86",
   "description": "sootsim CLI + vite/metro plugins + skills registry. bridge client for driving the proprietary sootsim-engine over WebSocket.",
   "author": "Tamagui LLC",
   "license": "MIT",
@@ -25,10 +25,6 @@
       "source": "./src/vite-plugin-one.ts",
       "default": "./dist-lib/vite.cjs"
     },
-    "./vite-base": {
-      "source": "./src/vite-plugin.ts",
-      "default": "./dist-lib/vite-base.cjs"
-    },
     "./metro": {
       "source": "./src/metro-plugin.ts",
       "default": "./dist-lib/metro.cjs"
@@ -39,6 +35,7 @@
     },
     "./beta": {
       "source": "./src/beta.ts",
+      "import": "./dist-lib/beta.mjs",
       "default": "./dist-lib/beta.cjs"
     },
     "./agent-events": {
@@ -95,8 +92,13 @@
     },
     "./host/fetch-proxy-overrides": {
       "source": "./src/host/fetch-proxy-overrides.ts",
+      "import": "./dist-lib/host/fetch-proxy-overrides.mjs",
       "default": "./dist-lib/host/fetch-proxy-overrides.cjs"
     },
+    "./host/websocket-proxy": {
+      "source": "./src/host/websocket-proxy.ts",
+      "default": "./dist-lib/host/websocket-proxy.cjs"
+    },
     "./scripts/dev-server-scanner": {
       "source": "./scripts/dev-server-scanner.ts",
       "default": "./dist-lib/scripts/dev-server-scanner.cjs"
@@ -137,7 +139,6 @@
     "postinstall": "node ./scripts/postinstall.cjs"
   },
   "dependencies": {
-    "@soot/compat": "workspace:*",
     "ws": "^8.18.0"
   },
   "peerDependencies": {
@@ -149,6 +150,7 @@
     }
   },
   "devDependencies": {
+    "@soot/compat": "workspace:*",
     "@soot/sootsim-globals": "workspace:*",
     "@soot/sootsim-skills": "workspace:*",
     "@types/ws": "^8.5.13",

package/scripts/demo-app-registry.ts

@@ -11,6 +11,11 @@ export interface DemoApp {
   framework: 'expo' | 'one' | 'rock'
   runtimeConfig?: SootSimConfig
   sidecars?: DemoSidecar[]
+  // extra ports owned by the main demo command, derived from the chosen app
+  // port. unlike sidecars, these are not independently reusable services; the
+  // launcher clears/reserves them with the app command so stale child stacks
+  // cannot leave the app talking to the wrong backend.
+  managedPorts?: (port: number) => number[]
   prepare?: () => void | Promise<void>
   command: (port: number) => { cmd: string; env?: Record<string, string> }
   disabled?: boolean
@@ -775,11 +780,22 @@ export const APPS: DemoApp[] = [
     // be holding pglite locks on ~/takeout/.orez (soot can attach takeout as
     // a project and spin up its own orez against the same data dir).
     readyTimeoutMs: 240_000,
+    managedPorts: (p) => {
+      const offset = p - 8081
+      return [5433 + offset, 4848 + offset, 9200 + offset]
+    },
     command: (p) => ({
-      cmd: 'bun lite',
+      cmd: 'bun lite:demo',
       env: {
+        TAKEOUT_ENV_MODE: 'development',
         PORT_OFFSET: String(p - 8081),
         OREZ_DATA_DIR: `${HOME}/.cache/sootsim-demo/takeout-orez`,
+        VITE_DEMO_MODE: '1',
+        ZERO_APP_ID: 'takeout',
+        ZERO_APP_PUBLICATIONS: 'zero_takeout',
+        ZERO_CVR_MAX_CONNS: '4',
+        ZERO_NUM_SYNC_WORKERS: '2',
+        ZERO_UPSTREAM_MAX_CONNS: '8',
       },
     }),
   },

package/src/host/bridge-host.ts

@@ -36,6 +36,7 @@ import {
   isFetchProxyRequestUrl,
 } from './fetch-proxy-handler'
 import { openUrl as openUrlInBrowser, type OpenUrlOptions } from './open-url.ts'
+import { handleWebSocketProxyUpgrade } from './websocket-proxy'
 
 export interface BridgeSimInfo {
   id: string
@@ -493,8 +494,14 @@ export class SootSimBridgeHost {
           process.stderr.write(`ws bridge http error: ${String(err)}\n`)
         })
         this.httpServer = server
-        this.wss = new WebSocketServer({ server })
+        this.wss = new WebSocketServer({ noServer: true })
         this.wireWebSocketServer()
+        server.on('upgrade', (req, socket, head) => {
+          if (handleWebSocketProxyUpgrade(req, socket, head)) return
+          this.wss?.handleUpgrade(req, socket, head, (ws) => {
+            this.wss?.emit('connection', ws, req)
+          })
+        })
         resolve()
       })
     })

package/src/host/fetch-proxy-handler.ts

@@ -58,6 +58,15 @@ const FETCH_PROXY_CORS_HEADERS: Record<string, string> = {
   'access-control-max-age': '3600',
 }
 
+const APP_API_HEADER_REWRITES = new Set([
+  'host',
+  'origin',
+  'referer',
+  'sec-fetch-site',
+  'sec-fetch-mode',
+  'sec-fetch-dest',
+])
+
 function applyFetchProxyCors(res: ServerResponse) {
   for (const [key, value] of Object.entries(FETCH_PROXY_CORS_HEADERS)) {
     res.setHeader(key, value)
@@ -108,6 +117,22 @@ export function buildFetchProxyHeaders(
   return headers
 }
 
+export function buildAppApiProxyHeaders(
+  reqHeaders: Record<string, string | string[] | undefined>,
+  targetUrl: URL,
+): Record<string, string | string[]> {
+  const headers: Record<string, string | string[]> = {}
+  for (const [key, value] of Object.entries(reqHeaders)) {
+    if (!value) continue
+    if (APP_API_HEADER_REWRITES.has(key.toLowerCase())) continue
+    headers[key] = value
+  }
+  headers.host = targetUrl.host
+  headers.origin = targetUrl.origin
+  headers.referer = `${targetUrl.origin}/`
+  return headers
+}
+
 export function isFetchProxyRequestUrl(rawUrl: string | undefined): boolean {
   return rawUrl?.startsWith('/__fetch-proxy?') || rawUrl?.startsWith('/__proxy?') || false
 }
@@ -251,9 +276,7 @@ export function handleAppApiRequest(req: IncomingMessage, res: ServerResponse):
 
   const transport = targetUrl.protocol === 'https:' ? https : http
 
-  const fwdHeaders = { ...req.headers }
-  delete fwdHeaders.host
-  fwdHeaders.host = targetUrl.host
+  const fwdHeaders = buildAppApiProxyHeaders(req.headers, targetUrl)
 
   const proxyReq = transport.request(
     {

package/src/host/websocket-proxy.ts

@@ -0,0 +1,201 @@
+import { WebSocket, WebSocketServer } from 'ws'
+import type { IncomingMessage } from 'http'
+import type { Duplex } from 'stream'
+
+export const WEBSOCKET_PROXY_PATH = '/__websocket-proxy'
+
+const STRIP_UPSTREAM_HEADERS = new Set([
+  'host',
+  'connection',
+  'upgrade',
+  'transfer-encoding',
+  'content-length',
+  'sec-websocket-accept',
+  'sec-websocket-extensions',
+  'sec-websocket-key',
+  'sec-websocket-protocol',
+  'sec-websocket-version',
+])
+
+function rejectUpgrade(socket: Duplex, status: number, message: string) {
+  try {
+    socket.write(
+      `HTTP/1.1 ${status} ${message}\r\nConnection: close\r\nContent-Type: text/plain\r\nContent-Length: ${message.length}\r\n\r\n${message}`,
+    )
+  } catch {}
+  socket.destroy()
+}
+
+function isSameOriginUpgrade(req: IncomingMessage): boolean {
+  const origin = req.headers.origin
+  const host = req.headers.host
+  if (!origin || !host) return false
+  try {
+    return new URL(origin).host === host
+  } catch {
+    return false
+  }
+}
+
+function decodeProxyHeaders(encoded: string | null): Record<string, string> {
+  if (!encoded) return {}
+  const base64 = encoded.replace(/-/g, '+').replace(/_/g, '/')
+  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4)
+  const parsed = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'))
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return {}
+  const headers: Record<string, string> = {}
+  for (const [key, value] of Object.entries(parsed)) {
+    if (value == null) continue
+    if (STRIP_UPSTREAM_HEADERS.has(key.toLowerCase())) continue
+    headers[key] = Array.isArray(value) ? value.join(', ') : String(value)
+  }
+  return headers
+}
+
+function getDefaultWebSocketOrigin(targetUrl: URL): string {
+  const origin = new URL(targetUrl.href)
+  origin.protocol = targetUrl.protocol === 'wss:' ? 'https:' : 'http:'
+  return origin.origin
+}
+
+function getRequestedProtocols(req: IncomingMessage): string[] {
+  const header = req.headers['sec-websocket-protocol']
+  const value = Array.isArray(header) ? header.join(',') : header || ''
+  return value
+    .split(',')
+    .map((part) => part.trim())
+    .filter(Boolean)
+}
+
+function safeClose(ws: WebSocket, code: number, reason: string) {
+  if (ws.readyState === WebSocket.CLOSED || ws.readyState === WebSocket.CLOSING) {
+    return
+  }
+  try {
+    ws.close(code, reason)
+  } catch {
+    ws.terminate()
+  }
+}
+
+function connectProxyPair(clientWs: WebSocket, upstream: WebSocket) {
+  let closing = false
+
+  const closeBoth = (
+    source: WebSocket,
+    target: WebSocket,
+    code: number,
+    reason: Buffer,
+  ) => {
+    if (closing) return
+    closing = true
+    safeClose(target, code, reason.toString())
+    if (source.readyState === WebSocket.OPEN) {
+      safeClose(source, code, reason.toString())
+    }
+  }
+
+  clientWs.on('message', (data, isBinary) => {
+    if (upstream.readyState === WebSocket.OPEN) {
+      upstream.send(data, { binary: isBinary })
+    }
+  })
+  upstream.on('message', (data, isBinary) => {
+    if (clientWs.readyState === WebSocket.OPEN) {
+      clientWs.send(data, { binary: isBinary })
+    }
+  })
+
+  clientWs.on('close', (code, reason) => closeBoth(clientWs, upstream, code, reason))
+  upstream.on('close', (code, reason) => closeBoth(upstream, clientWs, code, reason))
+  clientWs.on('error', () => safeClose(upstream, 1011, 'proxy client error'))
+  upstream.on('error', () => safeClose(clientWs, 1011, 'upstream websocket error'))
+}
+
+function createUpstreamWebSocket(
+  targetUrl: URL,
+  protocols: string[],
+  headers: Record<string, string>,
+): WebSocket {
+  const upstreamHeaders = { ...headers }
+  if (!Object.keys(upstreamHeaders).some((key) => key.toLowerCase() === 'origin')) {
+    upstreamHeaders.origin = getDefaultWebSocketOrigin(targetUrl)
+  }
+  return new WebSocket(targetUrl.href, protocols, {
+    headers: upstreamHeaders,
+  })
+}
+
+export function isWebSocketProxyRequestUrl(rawUrl: string | undefined): boolean {
+  if (!rawUrl) return false
+  try {
+    return new URL(rawUrl, 'http://localhost').pathname === WEBSOCKET_PROXY_PATH
+  } catch {
+    return false
+  }
+}
+
+export function handleWebSocketProxyUpgrade(
+  req: IncomingMessage,
+  socket: Duplex,
+  head: Buffer,
+): boolean {
+  if (!isWebSocketProxyRequestUrl(req.url)) return false
+  if (!isSameOriginUpgrade(req)) {
+    rejectUpgrade(socket, 403, 'forbidden websocket proxy origin')
+    return true
+  }
+
+  let targetUrl: URL
+  let headers: Record<string, string>
+  try {
+    const requestUrl = new URL(req.url || '/', 'http://localhost')
+    const target = requestUrl.searchParams.get('url')
+    if (!target) {
+      rejectUpgrade(socket, 400, 'missing websocket proxy url')
+      return true
+    }
+    targetUrl = new URL(target)
+    if (targetUrl.protocol !== 'ws:' && targetUrl.protocol !== 'wss:') {
+      rejectUpgrade(socket, 400, 'invalid websocket proxy protocol')
+      return true
+    }
+    headers = decodeProxyHeaders(requestUrl.searchParams.get('headers'))
+  } catch {
+    rejectUpgrade(socket, 400, 'invalid websocket proxy request')
+    return true
+  }
+
+  const protocols = getRequestedProtocols(req)
+  const upstream = createUpstreamWebSocket(targetUrl, protocols, headers)
+  let completed = false
+  socket.once('close', () => {
+    if (!completed) upstream.terminate()
+  })
+  upstream.once('open', () => {
+    if (completed) return
+    completed = true
+    const selectedProtocol = upstream.protocol
+    const proxyServer = new WebSocketServer({
+      noServer: true,
+      clientTracking: false,
+      handleProtocols(requestedProtocols) {
+        return selectedProtocol || requestedProtocols.values().next().value || false
+      },
+    })
+    proxyServer.handleUpgrade(req, socket, head, (clientWs) => {
+      connectProxyPair(clientWs, upstream)
+    })
+  })
+  upstream.once('error', () => {
+    if (completed) return
+    completed = true
+    rejectUpgrade(socket, 502, 'upstream websocket error')
+  })
+  upstream.once('close', () => {
+    if (completed) return
+    completed = true
+    rejectUpgrade(socket, 502, 'upstream websocket closed')
+  })
+  return true
+}