veryfront 0.1.128 → 0.1.129

package/src/src/middleware/builtin/timeout.ts

@@ -12,6 +12,7 @@ const logger = serverLogger.component("timeout");
 
 const DEFAULT_TIMEOUT_MS = 60_000;
 const TIMEOUT_SENTINEL = Symbol("timeout");
+const DEFAULT_EXCLUDE_PATHS = ["/healthz", "/readyz", "/_health"];
 
 export interface TimeoutOptions {
   /** Timeout in milliseconds (default: 60000) */
@@ -24,6 +25,24 @@ export interface TimeoutOptions {
   exclude?: string[];
 }
 
+function isExcludedPath(pathname: string, exclude: string[]): boolean {
+  return exclude.some((path) => pathname === path || pathname.startsWith(path));
+}
+
+function timeoutResponse(pathname: string, timeoutMs: number, message: string): dntShim.Response {
+  return new dntShim.Response(
+    JSON.stringify({
+      error: message,
+      timeoutMs,
+      path: pathname,
+    }),
+    {
+      status: HTTP_GATEWAY_TIMEOUT,
+      headers: { "Content-Type": "application/json" },
+    },
+  );
+}
+
 /**
  * Creates a middleware that enforces request timeouts.
  *
@@ -33,13 +52,13 @@ export interface TimeoutOptions {
 export function timeout(options?: TimeoutOptions): Middleware {
   const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;
   const message = options?.message ?? "Request timeout";
-  const exclude = options?.exclude ?? ["/healthz", "/readyz", "/_health"];
+  const exclude = options?.exclude ?? DEFAULT_EXCLUDE_PATHS;
 
   return async (ctx, next) => {
     const req = getRequest(ctx);
     const { pathname } = new URL(req.url);
 
-    if (exclude.some((path) => pathname === path || pathname.startsWith(path))) {
+    if (isExcludedPath(pathname, exclude)) {
       return next();
     }
 
@@ -60,17 +79,7 @@ export function timeout(options?: TimeoutOptions): Middleware {
         timeoutMs,
       });
 
-      return new dntShim.Response(
-        JSON.stringify({
-          error: message,
-          timeoutMs,
-          path: pathname,
-        }),
-        {
-          status: HTTP_GATEWAY_TIMEOUT,
-          headers: { "Content-Type": "application/json" },
-        },
-      );
+      return timeoutResponse(pathname, timeoutMs, message);
     } finally {
       if (timeoutId) clearTimeout(timeoutId);
     }

package/src/src/modules/import-map/default-import-map.ts

@@ -12,10 +12,11 @@ import { getReactImportMap } from "../../transforms/esm/package-registry.js";
 function getVeryfrontSsrImportMap(): Record<string, string> {
   const base = "/_vf_modules/_veryfront";
   const ssr = "?ssr=true";
+  const coreReact = `${base}/react/runtime/core.js${ssr}`;
 
-  const head = `${base}/react/components/Head.js${ssr}`;
-  const router = `${base}/react/router/index.js${ssr}`;
-  const context = `${base}/react/context/index.js${ssr}`;
+  const head = coreReact;
+  const router = coreReact;
+  const context = coreReact;
   const fonts = `${base}/react/fonts/index.js${ssr}`;
 
   const markdown = `${base}/markdown/index.js${ssr}`;

package/src/src/oauth/handlers/callback-handler.ts

@@ -1,11 +1,4 @@
-/**************************************************
- * OAuth Callback Handler
- *
- * Reusable handler for OAuth callback routes.
- **************************************************/
 import * as dntShim from "../../../_dnt.shims.js";
-
-
 import { logger as baseLogger } from "../../utils/index.js";
 import { getEnv } from "../../platform/compat/process.js";
 import {
@@ -93,24 +86,24 @@ export function createOAuthCallbackHandler(
     const url = new URL(request.url);
     const code = url.searchParams.get("code");
     const state = url.searchParams.get("state");
-    const oauthError = url.searchParams.get("error");
+    const providerError = url.searchParams.get("error");
     const errorDescription = url.searchParams.get("error_description");
 
     const appUrl = getAppUrl();
 
-    if (oauthError) {
+    if (providerError) {
       logger.error("Callback error", {
         serviceId: config.serviceId,
-        error: oauthError,
+        error: providerError,
         description: errorDescription,
       });
-      await onError?.(config.serviceId, oauthError);
-      return redirectWithError(appUrl, oauthError, errorDescription);
+      await onError?.(config.serviceId, providerError);
+      return redirectWithError(appUrl, providerError, errorDescription);
     }
 
     if (!code) return handleError(appUrl, "no_code");
 
-    let oauthState: OAuthState | null = null;
+    let storedState: OAuthState | null = null;
 
     if (!skipStateValidation && !state) {
       return handleError(appUrl, "invalid_state", "Missing state parameter", {
@@ -119,8 +112,8 @@ export function createOAuthCallbackHandler(
     }
 
     if (state) {
-      oauthState = await tokenStore.getState(state);
-      if (!skipStateValidation && !oauthState) {
+      storedState = await tokenStore.getState(state);
+      if (!skipStateValidation && !storedState) {
         return handleError(appUrl, "invalid_state", "Invalid or expired state", {
           serviceId: config.serviceId,
         });
@@ -134,7 +127,7 @@ export function createOAuthCallbackHandler(
       const result = await service.exchangeCode({
         code,
         redirectUri,
-        codeVerifier: oauthState?.codeVerifier,
+        codeVerifier: storedState?.codeVerifier,
       });
 
       if (!result.success || !result.tokens) {

package/src/src/oauth/handlers/index.ts

@@ -1,5 +1,5 @@
 /**
- * Oauth Handlers
+ * OAuth Handlers
  *
  * @module oauth/handlers
  */

package/src/src/oauth/handlers/init-handler.ts

@@ -10,6 +10,42 @@ import type { AuthorizationUrlOptions, OAuthServiceConfig, TokenStore } from "..
 import { memoryTokenStore } from "../token-store/memory.js";
 
 const logger = baseLogger.component("o-auth");
+const DEFAULT_APP_URL = "http://localhost:3000";
+
+function createUnauthorizedResponse(): dntShim.Response {
+  return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+}
+
+async function isRequestUnauthorized(
+  req: dntShim.Request,
+  isAuthenticated?: (req: dntShim.Request) => boolean | Promise<boolean>,
+): Promise<boolean> {
+  return isAuthenticated ? !(await isAuthenticated(req)) : false;
+}
+
+function resolveAppUrl(baseUrl: string | undefined, env: EnvironmentConfig): string {
+  return baseUrl ?? env.appUrl ?? DEFAULT_APP_URL;
+}
+
+function createNotConfiguredResponse(config: OAuthServiceConfig): dntShim.Response {
+  return dntShim.Response.json(
+    {
+      error: `${config.displayName} OAuth not configured`,
+      details: `Missing ${config.clientIdEnvVar} or ${config.clientSecretEnvVar}`,
+    },
+    { status: 500 },
+  );
+}
+
+function createInitErrorResponse(error: unknown): dntShim.Response {
+  return dntShim.Response.json(
+    {
+      error: "Failed to initiate OAuth flow",
+      details: error instanceof Error ? error.message : "Unknown error",
+    },
+    { status: 500 },
+  );
+}
 
 export interface OAuthInitHandlerOptions {
   /** Token store to use (defaults to memory store) */
@@ -32,25 +68,22 @@ export function createOAuthInitHandler(
   config: OAuthServiceConfig,
   options: OAuthInitHandlerOptions = {},
 ): () => Promise<dntShim.Response> {
-  const tokenStore = options.tokenStore ?? memoryTokenStore;
-  const authOptions = options.authOptions ?? {};
-  const env = options.env ?? getEnvironmentConfig();
-  const envReader = options.envReader ?? getEnv;
+  const {
+    tokenStore = memoryTokenStore,
+    baseUrl,
+    authOptions = {},
+    env = getEnvironmentConfig(),
+    envReader = getEnv,
+  } = options;
 
   return async function handler(): Promise<dntShim.Response> {
     const service = new OAuthService(config, tokenStore, envReader);
 
     if (!service.isConfigured()) {
-      return dntShim.Response.json(
-        {
-          error: `${config.displayName} OAuth not configured`,
-          details: `Missing ${config.clientIdEnvVar} or ${config.clientSecretEnvVar}`,
-        },
-        { status: 500 },
-      );
+      return createNotConfiguredResponse(config);
     }
 
-    const appUrl = options.baseUrl ?? env.appUrl ?? "http://localhost:3000";
+    const appUrl = resolveAppUrl(baseUrl, env);
     const redirectUri = `${appUrl}/api/auth/${config.serviceId}/callback`;
 
     try {
@@ -59,14 +92,7 @@ export function createOAuthInitHandler(
       return dntShim.Response.redirect(url);
     } catch (error) {
       logger.error("Init error", { serviceId: config.serviceId }, error);
-
-      return dntShim.Response.json(
-        {
-          error: "Failed to initiate OAuth flow",
-          details: error instanceof Error ? error.message : "Unknown error",
-        },
-        { status: 500 },
-      );
+      return createInitErrorResponse(error);
     }
   };
 }
@@ -86,12 +112,15 @@ export function createOAuthStatusHandler(
   config: OAuthServiceConfig,
   options: OAuthStatusHandlerOptions = {},
 ): (req: dntShim.Request) => Promise<dntShim.Response> {
-  const tokenStore = options.tokenStore ?? memoryTokenStore;
-  const envReader = options.envReader ?? getEnv;
+  const {
+    tokenStore = memoryTokenStore,
+    envReader = getEnv,
+    isAuthenticated,
+  } = options;
 
   return async function handler(req: dntShim.Request): Promise<dntShim.Response> {
-    if (options.isAuthenticated && !(await options.isAuthenticated(req))) {
-      return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+    if (await isRequestUnauthorized(req, isAuthenticated)) {
+      return createUnauthorizedResponse();
     }
 
     const tokens = await tokenStore.getTokens(config.serviceId);
@@ -119,11 +148,11 @@ export function createOAuthDisconnectHandler(
     isAuthenticated?: (req: dntShim.Request) => boolean | Promise<boolean>;
   } = {},
 ): (req: dntShim.Request) => Promise<dntShim.Response> {
-  const tokenStore = options.tokenStore ?? memoryTokenStore;
+  const { tokenStore = memoryTokenStore, isAuthenticated } = options;
 
   return async function handler(req: dntShim.Request): Promise<dntShim.Response> {
-    if (options.isAuthenticated && !(await options.isAuthenticated(req))) {
-      return dntShim.Response.json({ error: "Unauthorized" }, { status: 401 });
+    if (await isRequestUnauthorized(req, isAuthenticated)) {
+      return createUnauthorizedResponse();
     }
 
     await tokenStore.clearTokens(config.serviceId);

package/src/src/oauth/providers/index.ts

@@ -1,5 +1,5 @@
 /**
- * Oauth Providers
+ * OAuth Providers
  *
  * @module oauth/providers
  */

package/src/src/oauth/schemas/index.ts

@@ -1,5 +1,5 @@
 /**
- * Oauth Schemas
+ * OAuth Schemas
  *
  * @module oauth/schemas
  */

package/src/src/oauth/token-store/index.ts

@@ -1,5 +1,5 @@
 /**
- * Oauth Token Store
+ * OAuth Token Store
  *
  * @module oauth/token-store
  */

package/src/src/oauth/token-store/memory.ts

@@ -29,19 +29,19 @@ export class MemoryTokenStore implements TokenStore {
   }
 
   async getState(state: string): Promise<OAuthState | null> {
-    const oauthState = this.states.get(state);
-    if (!oauthState) return null;
+    const storedState = this.states.get(state);
+    if (!storedState) return null;
 
-    if (Date.now() - oauthState.createdAt > STATE_EXPIRATION_MS) {
+    if (Date.now() - storedState.createdAt > STATE_EXPIRATION_MS) {
       this.states.delete(state);
       return null;
     }
 
-    return oauthState;
+    return storedState;
   }
 
-  async setState(oauthState: OAuthState): Promise<void> {
-    this.states.set(oauthState.state, oauthState);
+  async setState(storedState: OAuthState): Promise<void> {
+    this.states.set(storedState.state, storedState);
     this.cleanupExpiredStates();
   }
 
@@ -51,8 +51,8 @@ export class MemoryTokenStore implements TokenStore {
 
   private cleanupExpiredStates(): void {
     const now = Date.now();
-    for (const [state, oauthState] of this.states) {
-      if (now - oauthState.createdAt > STATE_EXPIRATION_MS) {
+    for (const [state, storedState] of this.states) {
+      if (now - storedState.createdAt > STATE_EXPIRATION_MS) {
         this.states.delete(state);
       }
     }

package/src/src/observability/request-profiler.ts

@@ -0,0 +1,140 @@
+import * as dntShim from "../../_dnt.shims.js";
+import { AsyncLocalStorage } from "node:async_hooks";
+
+export interface RequestProfileRecord {
+  sequence: number;
+  category: string;
+  method: string;
+  pathname: string;
+  projectSlug?: string;
+  requestMode?: string;
+  status?: number;
+  startedAt: string;
+  completedAt: string;
+  totalMs: number;
+  phases: Record<string, number>;
+}
+
+interface RequestProfileSession {
+  category: string;
+  method: string;
+  pathname: string;
+  projectSlug?: string;
+  requestMode?: string;
+  startedAt: number;
+  phases: Map<string, number>;
+}
+
+const storage = new AsyncLocalStorage<RequestProfileSession>();
+const records: RequestProfileRecord[] = [];
+const MAX_RECORDS = 200;
+let sequence = 0;
+
+function roundMs(value: number): number {
+  return Math.round(value * 100) / 100;
+}
+
+function shouldEnableProfiling(): boolean {
+  return dntShim.Deno.env.get("VERYFRONT_ENABLE_PERF_PROFILING") === "1";
+}
+
+function shouldProfilePath(pathname: string): boolean {
+  return pathname.startsWith("/bench/") ||
+    pathname.startsWith("/api/bench/") ||
+    pathname.startsWith("/_vf_styles/") ||
+    pathname.startsWith("/_vf_modules/");
+}
+
+export function isRequestProfilingEnabled(pathname?: string): boolean {
+  if (!shouldEnableProfiling()) return false;
+  if (!pathname) return true;
+  return shouldProfilePath(pathname);
+}
+
+export async function runWithRequestProfiling<T>(
+  options: {
+    category: string;
+    method: string;
+    pathname: string;
+    projectSlug?: string;
+    requestMode?: string;
+  },
+  fn: () => Promise<T>,
+): Promise<T> {
+  if (!isRequestProfilingEnabled(options.pathname)) {
+    return await fn();
+  }
+
+  const session: RequestProfileSession = {
+    ...options,
+    startedAt: performance.now(),
+    phases: new Map(),
+  };
+
+  return await storage.run(session, fn);
+}
+
+export async function profilePhase<T>(name: string, fn: () => Promise<T>): Promise<T> {
+  const session = storage.getStore();
+  if (!session) return await fn();
+
+  const startedAt = performance.now();
+  try {
+    return await fn();
+  } finally {
+    const duration = performance.now() - startedAt;
+    session.phases.set(name, roundMs((session.phases.get(name) ?? 0) + duration));
+  }
+}
+
+export function profileSyncPhase<T>(name: string, fn: () => T): T {
+  const session = storage.getStore();
+  if (!session) return fn();
+
+  const startedAt = performance.now();
+  try {
+    return fn();
+  } finally {
+    const duration = performance.now() - startedAt;
+    session.phases.set(name, roundMs((session.phases.get(name) ?? 0) + duration));
+  }
+}
+
+export function finalizeRequestProfiling(status?: number): void {
+  const session = storage.getStore();
+  if (!session) return;
+
+  const record: RequestProfileRecord = {
+    sequence: ++sequence,
+    category: session.category,
+    method: session.method,
+    pathname: session.pathname,
+    projectSlug: session.projectSlug,
+    requestMode: session.requestMode,
+    status,
+    startedAt: new Date(Date.now() - (performance.now() - session.startedAt)).toISOString(),
+    completedAt: new Date().toISOString(),
+    totalMs: roundMs(performance.now() - session.startedAt),
+    phases: Object.fromEntries(session.phases.entries()),
+  };
+
+  records.push(record);
+  while (records.length > MAX_RECORDS) records.shift();
+}
+
+export function snapshotRequestProfiles(): {
+  enabled: boolean;
+  last_sequence: number;
+  records: RequestProfileRecord[];
+} {
+  return {
+    enabled: shouldEnableProfiling(),
+    last_sequence: sequence,
+    records: [...records],
+  };
+}
+
+export function resetRequestProfiles(): void {
+  records.length = 0;
+  sequence = 0;
+}

package/src/src/observability/tracing/otlp-setup.ts

@@ -69,11 +69,6 @@ async function ensureApis(): Promise<void> {
   propagationApi = await import("@opentelemetry/core");
 }
 
-function getServiceName(): string {
-  const tracingConfig = getOtelTracingConfig();
-  return tracingConfig.serviceName || "veryfront";
-}
-
 function setSpanErrorStatus(span: import("@opentelemetry/api").Span, error: unknown): void {
   if (!traceApi) return;
 
@@ -183,9 +178,9 @@ export async function withSpan<T>(
   fn: () => Promise<T>,
   attributes?: Record<string, string | number | boolean>,
 ): Promise<T> {
-  if (!traceApi || !isOTLPEnabled()) return await fn();
+  if (!traceApi || !isOTLPEnabled()) return fn();
 
-  const tracer = traceApi.trace.getTracer(getServiceName());
+  const tracer = traceApi.trace.getTracer(getConfig().serviceName);
   const parentContext = traceApi.context.active();
 
   const span = tracer.startSpan(
@@ -215,7 +210,7 @@ export function withSpanSync<T>(
 ): T {
   if (!traceApi || !isOTLPEnabled()) return fn();
 
-  const tracer = traceApi.trace.getTracer(getServiceName());
+  const tracer = traceApi.trace.getTracer(getConfig().serviceName);
   const parentContext = traceApi.context.active();
 
   const span = tracer.startSpan(
@@ -271,7 +266,7 @@ export function startServerSpan(
 ): { span: unknown; context: unknown } | null {
   if (!traceApi || !isOTLPEnabled()) return null;
 
-  const tracer = traceApi.trace.getTracer(getServiceName());
+  const tracer = traceApi.trace.getTracer(getConfig().serviceName);
   const ctx = (parentContext || traceApi.context.active()) as import("@opentelemetry/api").Context;
 
   const span = tracer.startSpan(`${method} ${path}`, { kind: traceApi.SpanKind.SERVER }, ctx);
@@ -284,24 +279,23 @@ export function startServerSpan(
 export function endServerSpan(span: unknown, statusCode: number, error?: Error): void {
   if (!span || !traceApi) return;
 
-  const s = span as import("@opentelemetry/api").Span;
-  s.setAttribute("http.status_code", statusCode);
+  const otelSpan = span as import("@opentelemetry/api").Span;
+  otelSpan.setAttribute("http.status_code", statusCode);
 
   if (error) {
-    s.setStatus({ code: traceApi.SpanStatusCode.ERROR, message: error.message });
-    s.recordException(error);
-    s.end();
+    setSpanErrorStatus(otelSpan, error);
+    otelSpan.end();
     return;
   }
 
   if (statusCode >= 400) {
-    s.setStatus({ code: traceApi.SpanStatusCode.ERROR });
-    s.end();
+    otelSpan.setStatus({ code: traceApi.SpanStatusCode.ERROR });
+    otelSpan.end();
     return;
   }
 
-  s.setStatus({ code: traceApi.SpanStatusCode.OK });
-  s.end();
+  otelSpan.setStatus({ code: traceApi.SpanStatusCode.OK });
+  otelSpan.end();
 }
 
 export function setSpanAttributes(
@@ -310,8 +304,8 @@ export function setSpanAttributes(
 ): void {
   if (!span || !traceApi) return;
 
-  const s = span as import("@opentelemetry/api").Span;
-  for (const [key, value] of Object.entries(attributes)) s.setAttribute(key, value);
+  const otelSpan = span as import("@opentelemetry/api").Span;
+  for (const [key, value] of Object.entries(attributes)) otelSpan.setAttribute(key, value);
 }
 
 export function setActiveSpanAttributes(
@@ -326,8 +320,8 @@ export function setActiveSpanAttributes(
 }
 
 export async function withContext<T>(spanContext: unknown, fn: () => Promise<T>): Promise<T> {
-  if (!traceApi) return await fn();
-  return await traceApi.context.with(spanContext as import("@opentelemetry/api").Context, fn);
+  if (!traceApi) return fn();
+  return traceApi.context.with(spanContext as import("@opentelemetry/api").Context, fn);
 }
 
 export function getTraceContext(): { traceId?: string; spanId?: string } {

package/src/src/prompt/factory.ts

@@ -2,24 +2,27 @@ import type { Prompt, PromptConfig } from "./types.js";
 import { createError, toError } from "../errors/veryfront-error.js";
 import { COMMON_BLOCKED_PATTERNS } from "../agent/middleware/security/validator.js";
 
+type PromptGenerateFn = (variables: Record<string, unknown>) => string | Promise<string>;
+
+const BLOCKED_PROMPT_PATTERNS = COMMON_BLOCKED_PATTERNS.promptInjection;
+
 export function prompt(config: PromptConfig): Prompt {
+  const { content, description, generate, suggestion } = config;
   const id = config.id ?? generatePromptId();
 
   return {
     id,
-    description: config.description,
-    suggestion: config.suggestion,
+    description,
+    suggestion,
     async getContent(variables?: Record<string, unknown>): Promise<string> {
-      const vars = variables ?? {};
+      const resolvedVariables = variables ?? {};
 
-      if (config.content) {
-        return interpolateVariables(config.content, vars);
+      if (content) {
+        return interpolateVariables(content, resolvedVariables);
       }
 
-      if (config.generate) {
-        // z.function() in v4 doesn't carry arg/return types — cast to expected signature
-        type GenerateFn = (vars: Record<string, unknown>) => string | Promise<string>;
-        return (config.generate as GenerateFn)(vars);
+      if (generate) {
+        return (generate as PromptGenerateFn)(resolvedVariables);
       }
 
       throw toError(
@@ -39,11 +42,10 @@ function generatePromptId(): string {
 }
 
 function sanitizeVariableValue(value: string): string {
-  let sanitized = value;
-  for (const pattern of COMMON_BLOCKED_PATTERNS.promptInjection) {
-    sanitized = sanitized.replace(pattern, "");
-  }
-  return sanitized;
+  return BLOCKED_PROMPT_PATTERNS.reduce(
+    (sanitizedValue, pattern) => sanitizedValue.replace(pattern, ""),
+    value,
+  );
 }
 
 function interpolateVariables(

package/src/src/prompt/registry.ts

@@ -3,21 +3,22 @@ import { createError, toError } from "../errors/veryfront-error.js";
 import { ProjectScopedRegistryManager } from "../ai/registry-manager.js";
 import { ScopedRegistryFacade } from "../ai/registry-facade.js";
 
-const promptManager = new ProjectScopedRegistryManager<Prompt>("prompt");
+const promptRegistryManager = new ProjectScopedRegistryManager<Prompt>("prompt");
+
+function createMissingPromptError(id: string): Error {
+  return toError(
+    createError({
+      type: "agent",
+      message: `Prompt "${id}" not found`,
+    }),
+  );
+}
 
 class PromptRegistryClass extends ScopedRegistryFacade<Prompt> {
   getContent(id: string, variables?: Record<string, unknown>): Promise<string> {
-    const promptInstance = this.get(id);
-    if (!promptInstance) {
-      throw toError(
-        createError({
-          type: "agent",
-          message: `Prompt "${id}" not found`,
-        }),
-      );
-    }
-
-    return promptInstance.getContent(variables);
+    const registeredPrompt = this.get(id);
+    if (registeredPrompt) return registeredPrompt.getContent(variables);
+    throw createMissingPromptError(id);
   }
 
   list(): string[] {
@@ -25,4 +26,4 @@ class PromptRegistryClass extends ScopedRegistryFacade<Prompt> {
   }
 }
 
-export const promptRegistry = new PromptRegistryClass(promptManager);
+export const promptRegistry = new PromptRegistryClass(promptRegistryManager);

package/src/src/prompt/schemas/prompt.schema.ts

@@ -9,8 +9,4 @@ export const PromptConfigSchema = z.object({
   suggestion: z.string().optional(),
 });
 
-// Inferred type
 export type PromptConfig = z.infer<typeof PromptConfigSchema>;
-
-// Note: Prompt interface with getContent method stays as TypeScript interface
-// since it includes a method that returns a Promise