veryfront 0.1.217 → 0.1.219

package/esm/src/extensions/interfaces/token-cache-store.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Contract interface for OAuth-token-style cache stores used by the proxy.
+ *
+ * This contract is richer than the generic `CacheStore` — it adds scan-by-prefix,
+ * bulk read, and usage statistics primitives that the proxy's token cache needs.
+ * Simpler key-value consumers should use `CacheStore` instead.
+ *
+ * Default implementation: `@veryfront/ext-redis`.
+ *
+ * @module extensions/interfaces/token-cache-store
+ */
+/**
+ * A cache entry stored by `TokenCacheStore`.
+ *
+ * The proxy persists OAuth tokens keyed by request metadata; this entry shape
+ * mirrors what the proxy has historically stored.
+ */
+export interface TokenCacheEntry {
+    token: string;
+    /** Unix timestamp in milliseconds. */
+    expiresAt: number;
+    scope: "preview" | "production";
+    projectSlug?: string;
+}
+/**
+ * Aggregate usage statistics for a `TokenCacheStore`.
+ */
+export interface TokenCacheStats {
+    hits: number;
+    misses: number;
+    size: number;
+    type: "memory" | "redis";
+}
+/**
+ * TokenCacheStore contract interface.
+ *
+ * Implementations provide TTL-aware token caching, plus scan and stats
+ * primitives that generic key-value caches do not require.
+ */
+export interface TokenCacheStore {
+    /** Retrieve a cached entry by key. Returns `null` on miss or expiry. */
+    get(key: string): Promise<TokenCacheEntry | null>;
+    /** Store an entry. TTL is derived from `entry.expiresAt`. */
+    set(key: string, entry: TokenCacheEntry): Promise<void>;
+    /** Delete a cached entry. No-op if the key does not exist. */
+    delete(key: string): Promise<void>;
+    /** Remove every entry owned by this store. */
+    clear(): Promise<void>;
+    /** Check whether a non-expired entry exists for the given key. */
+    has(key: string): Promise<boolean>;
+    /** Return current hit/miss/size statistics. */
+    stats(): Promise<TokenCacheStats>;
+    /** Close connections and release resources. */
+    close(): Promise<void>;
+}
+//# sourceMappingURL=token-cache-store.d.ts.map

package/esm/src/extensions/interfaces/token-cache-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-cache-store.d.ts","sourceRoot":"","sources":["../../../../src/src/extensions/interfaces/token-cache-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,SAAS,GAAG,YAAY,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,wEAAwE;IACxE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IAClD,6DAA6D;IAC7D,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,8DAA8D;IAC9D,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,8CAA8C;IAC9C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,kEAAkE;IAClE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACnC,+CAA+C;IAC/C,KAAK,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;IAClC,+CAA+C;IAC/C,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB"}

package/esm/src/extensions/interfaces/token-cache-store.js

@@ -0,0 +1,12 @@
+/**
+ * Contract interface for OAuth-token-style cache stores used by the proxy.
+ *
+ * This contract is richer than the generic `CacheStore` — it adds scan-by-prefix,
+ * bulk read, and usage statistics primitives that the proxy's token cache needs.
+ * Simpler key-value consumers should use `CacheStore` instead.
+ *
+ * Default implementation: `@veryfront/ext-redis`.
+ *
+ * @module extensions/interfaces/token-cache-store
+ */
+export {};

package/esm/src/extensions/recommendations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"recommendations.d.ts","sourceRoot":"","sources":["../../../src/src/extensions/recommendations.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAiBH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAE1E"}
+{"version":3,"file":"recommendations.d.ts","sourceRoot":"","sources":["../../../src/src/extensions/recommendations.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkBH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAE1E"}

package/esm/src/extensions/recommendations.js

@@ -6,6 +6,7 @@
 const recommendations = new Map([
     ["Bundler", "@veryfront/ext-esbuild"],
     ["CacheStore", "@veryfront/ext-redis"],
+    ["TokenCacheStore", "@veryfront/ext-redis"],
     ["CSSProcessor", "@veryfront/ext-tailwind"],
     ["ContentTransformer", "@veryfront/ext-mdx"],
     ["DatabaseClient", "@veryfront/ext-postgres"],

package/esm/src/integrations/_data.js

@@ -24,7 +24,7 @@ export const connectors = [
     { "name": "mailchimp", "displayName": "Mailchimp", "icon": "mailchimp.svg", "description": "Manage email campaigns, lists, and subscribers in Mailchimp", "auth": { "type": "oauth2", "provider": "mailchimp", "authorizationUrl": "https://login.mailchimp.com/oauth2/authorize", "tokenUrl": "https://login.mailchimp.com/oauth2/token", "scopes": [], "requiredApis": [{ "name": "Mailchimp API", "enableUrl": "https://admin.mailchimp.com/account/oauth2/" }] }, "envVars": [{ "name": "MAILCHIMP_CLIENT_ID", "description": "Mailchimp OAuth Client ID", "required": true, "sensitive": false, "docsUrl": "https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/" }, { "name": "MAILCHIMP_CLIENT_SECRET", "description": "Mailchimp OAuth Client Secret", "required": true, "sensitive": true, "docsUrl": "https://mailchimp.com/developer/marketing/guides/access-user-data-oauth-2/" }], "tools": [{ "id": "list-campaigns", "name": "List Campaigns", "description": "List all email campaigns in Mailchimp", "requiresWrite": false }, { "id": "get-campaign", "name": "Get Campaign", "description": "Get details of a specific campaign", "requiresWrite": false }, { "id": "list-lists", "name": "List Audience Lists", "description": "List all audience lists (mailing lists) in Mailchimp", "requiresWrite": false }, { "id": "get-list", "name": "Get Audience List", "description": "Get details of a specific audience list", "requiresWrite": false }, { "id": "list-members", "name": "List Members", "description": "List subscribers/members in an audience list", "requiresWrite": false }], "prompts": [{ "id": "campaign-stats", "title": "Show campaign stats", "prompt": "Show me the performance statistics for my recent email campaigns in Mailchimp.", "category": "marketing", "icon": "chart" }, { "id": "list-subscribers", "title": "List subscribers", "prompt": "Show me the subscribers in my main email list with their subscription status.", "category": "marketing", "icon": "users" }], "suggestedWith": ["slack", "notion", "hubspot"] },
     { "name": "mixpanel", "displayName": "Mixpanel", "icon": "mixpanel.svg", "description": "Track events, analyze funnels, and understand user behavior with Mixpanel analytics", "auth": { "type": "api-key", "requiredApis": [{ "name": "Mixpanel API", "enableUrl": "https://mixpanel.com/settings/project" }], "keyName": "MIXPANEL_PROJECT_TOKEN" }, "envVars": [{ "name": "MIXPANEL_PROJECT_TOKEN", "description": "Mixpanel Project Token for event tracking", "required": true, "sensitive": true, "docsUrl": "https://docs.mixpanel.com/docs/tracking-methods/id-management/authentication" }, { "name": "MIXPANEL_API_SECRET", "description": "Mixpanel API Secret for data export and query operations", "required": true, "sensitive": true, "docsUrl": "https://developer.mixpanel.com/reference/authentication" }, { "name": "MIXPANEL_PROJECT_ID", "description": "Mixpanel Project ID (found in project settings)", "required": true, "sensitive": false, "docsUrl": "https://docs.mixpanel.com/docs/admin/organizations-projects/manage-projects" }], "tools": [{ "id": "track-event", "name": "Track Event", "description": "Track a custom event in Mixpanel with properties", "requiresWrite": true }, { "id": "query-events", "name": "Query Events", "description": "Query and export event data from Mixpanel", "requiresWrite": false }, { "id": "get-funnel", "name": "Get Funnel", "description": "Retrieve funnel analysis data to understand conversion rates", "requiresWrite": false }, { "id": "get-retention", "name": "Get Retention", "description": "Analyze user retention cohorts over time", "requiresWrite": false }, { "id": "list-cohorts", "name": "List Cohorts", "description": "List all user cohorts defined in your Mixpanel project", "requiresWrite": false }], "prompts": [{ "id": "event-analysis", "title": "Event analysis", "prompt": "Show me the most important events tracked in my Mixpanel project over the last 7 days and their trends.", "category": "analytics", "icon": "chart" }, { "id": "funnel-performance", "title": "Funnel performance", "prompt": "Analyze my key conversion funnels and identify where users are dropping off.", "category": "analytics", "icon": "funnel" }, { "id": "retention-insights", "title": "Retention insights", "prompt": "Give me insights about user retention and cohort behavior over the past month.", "category": "analytics", "icon": "users" }], "suggestedWith": ["slack", "analytics", "monitoring"] },
     { "name": "monday", "displayName": "Monday.com", "icon": "monday.svg", "description": "Manage projects, tasks, and workflows in Monday.com", "auth": { "type": "oauth2", "provider": "monday", "authorizationUrl": "https://auth.monday.com/oauth2/authorize", "tokenUrl": "https://auth.monday.com/oauth2/token", "scopes": ["me:read", "boards:read", "boards:write"], "requiredApis": [{ "name": "Monday.com Developers", "enableUrl": "https://monday.com/developers/apps" }] }, "envVars": [{ "name": "MONDAY_CLIENT_ID", "description": "Monday.com OAuth Client ID", "required": true, "sensitive": false, "docsUrl": "https://developer.monday.com/apps/docs/oauth" }, { "name": "MONDAY_CLIENT_SECRET", "description": "Monday.com OAuth Client Secret", "required": true, "sensitive": true, "docsUrl": "https://developer.monday.com/apps/docs/oauth" }], "tools": [{ "id": "list-boards", "name": "List Boards", "description": "List all boards in the workspace", "requiresWrite": false }, { "id": "list-items", "name": "List Items", "description": "List items in a board", "requiresWrite": false }, { "id": "get-item", "name": "Get Item", "description": "Get details of a specific item", "requiresWrite": false }, { "id": "create-item", "name": "Create Item", "description": "Create a new item in a board", "requiresWrite": true }, { "id": "update-item", "name": "Update Item", "description": "Update an existing item", "requiresWrite": true }], "prompts": [{ "id": "my-items", "title": "Show my items", "prompt": "List all items assigned to me in Monday.com with their status and due dates.", "category": "productivity", "icon": "list" }, { "id": "create-item", "title": "Create an item", "prompt": "Create a new item with a name, status, and assign it to someone.", "category": "productivity", "icon": "plus" }], "suggestedWith": ["slack", "notion", "asana"] },
-    { "name": "neon", "displayName": "Neon", "icon": "neon.svg", "description": "Manage Neon Postgres projects, branches, and execute database queries", "auth": { "type": "api-key", "requiredApis": [{ "name": "Neon Management API", "enableUrl": "https://console.neon.tech/app/settings/api-keys" }], "tokenName": "API Key", "docsUrl": "https://neon.tech/docs/manage/api-keys" }, "envVars": [{ "name": "NEON_API_KEY", "description": "Neon API Key for Management API access", "required": true, "sensitive": true, "docsUrl": "https://neon.tech/docs/manage/api-keys" }, { "name": "DATABASE_URL", "description": "PostgreSQL connection string for database queries", "required": true, "sensitive": true, "docsUrl": "https://neon.tech/docs/connect/connect-from-any-app" }], "tools": [{ "id": "list-projects", "name": "List Projects", "description": "List all Neon projects in your account", "requiresWrite": false }, { "id": "list-branches", "name": "List Branches", "description": "List all branches for a specific project", "requiresWrite": false }, { "id": "query-database", "name": "Query Database", "description": "Execute SQL queries against the connected database", "requiresWrite": false }, { "id": "list-tables", "name": "List Tables", "description": "List all tables in the connected database", "requiresWrite": false }, { "id": "describe-table", "name": "Describe Table", "description": "Get detailed schema information for a specific table", "requiresWrite": false }], "prompts": [{ "id": "check-db-status", "title": "Check database status", "prompt": "Show me the status of my Neon projects and their branches.", "category": "database", "icon": "database" }, { "id": "explore-schema", "title": "Explore database schema", "prompt": "List all tables in my database and show me the schema for the main tables.", "category": "database", "icon": "table" }, { "id": "query-data", "title": "Query database", "prompt": "Help me query my database to find specific data.", "category": "database", "icon": "search" }], "suggestedWith": ["stripe", "clerk", "vercel"] },
+    { "name": "neon", "displayName": "Neon", "icon": "neon.svg", "description": "Manage Neon Postgres projects, branches, and execute database queries", "auth": { "type": "api-key", "requiredApis": [{ "name": "Neon Management API", "enableUrl": "https://console.neon.tech/app/settings/api-keys" }], "tokenName": "API Key", "docsUrl": "https://neon.tech/docs/manage/api-keys" }, "envVars": [{ "name": "NEON_API_KEY", "description": "Neon API Key for Management API access", "required": true, "sensitive": true, "docsUrl": "https://neon.tech/docs/manage/api-keys" }, { "name": "DATABASE_URL", "description": "PostgreSQL connection string for database queries", "required": true, "sensitive": true, "docsUrl": "https://neon.tech/docs/connect/connect-from-any-app" }], "npmDependencies": { "pg": "^8.13.1" }, "tools": [{ "id": "list-projects", "name": "List Projects", "description": "List all Neon projects in your account", "requiresWrite": false }, { "id": "list-branches", "name": "List Branches", "description": "List all branches for a specific project", "requiresWrite": false }, { "id": "query-database", "name": "Query Database", "description": "Execute SQL queries against the connected database", "requiresWrite": false }, { "id": "list-tables", "name": "List Tables", "description": "List all tables in the connected database", "requiresWrite": false }, { "id": "describe-table", "name": "Describe Table", "description": "Get detailed schema information for a specific table", "requiresWrite": false }], "prompts": [{ "id": "check-db-status", "title": "Check database status", "prompt": "Show me the status of my Neon projects and their branches.", "category": "database", "icon": "database" }, { "id": "explore-schema", "title": "Explore database schema", "prompt": "List all tables in my database and show me the schema for the main tables.", "category": "database", "icon": "table" }, { "id": "query-data", "title": "Query database", "prompt": "Help me query my database to find specific data.", "category": "database", "icon": "search" }], "suggestedWith": ["stripe", "clerk", "vercel"] },
     { "name": "notion", "displayName": "Notion", "icon": "notion.svg", "description": "Search, read, and create pages in Notion workspaces", "auth": { "type": "oauth2", "provider": "notion", "authorizationUrl": "https://api.notion.com/v1/oauth/authorize", "tokenUrl": "https://api.notion.com/v1/oauth/token", "scopes": [], "tokenAuthMethod": "basic", "requiredApis": [{ "name": "Notion Integration", "enableUrl": "https://www.notion.so/my-integrations" }] }, "envVars": [{ "name": "NOTION_CLIENT_ID", "description": "Notion OAuth Client ID (from your integration)", "required": true, "sensitive": false, "docsUrl": "https://www.notion.so/my-integrations" }, { "name": "NOTION_CLIENT_SECRET", "description": "Notion OAuth Client Secret", "required": true, "sensitive": true, "docsUrl": "https://www.notion.so/my-integrations" }], "tools": [{ "id": "search-notion", "name": "Search Notion", "description": "Search pages and databases in the workspace", "requiresWrite": false }, { "id": "read-page", "name": "Read Page", "description": "Read the content of a Notion page", "requiresWrite": false }, { "id": "create-page", "name": "Create Page", "description": "Create a new page in a database or as a subpage", "requiresWrite": true }, { "id": "query-database", "name": "Query Database", "description": "Query a Notion database with filters and sorts", "requiresWrite": false }], "prompts": [{ "id": "search-docs", "title": "Search my docs", "prompt": "Search my Notion workspace for relevant documentation or notes about a topic.", "category": "productivity", "icon": "search" }, { "id": "summarize-page", "title": "Summarize a page", "prompt": "Read and summarize a specific Notion page. Extract the key points and action items.", "category": "productivity", "icon": "document" }, { "id": "create-meeting-notes", "title": "Create meeting notes", "prompt": "Create a new meeting notes page with today's date, attendees, agenda, and action items sections.", "category": "productivity", "icon": "plus" }], "suggestedWith": ["gmail", "slack", "calendar"] },
     { "name": "onedrive", "displayName": "OneDrive", "icon": "onedrive.svg", "description": "Access and manage files in Microsoft OneDrive", "auth": { "type": "oauth2", "provider": "microsoft", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "tokenUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "scopes": ["Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "offline_access"], "tokenAuthMethod": "body", "requiredApis": [{ "name": "Microsoft Graph API", "enableUrl": "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade" }] }, "envVars": [{ "name": "MICROSOFT_CLIENT_ID", "description": "Microsoft Azure App Client ID (shared with Outlook/Teams/SharePoint)", "required": true, "sensitive": false, "docsUrl": "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade" }, { "name": "MICROSOFT_CLIENT_SECRET", "description": "Microsoft Azure App Client Secret", "required": true, "sensitive": true, "docsUrl": "https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade" }], "tools": [{ "id": "list-files", "name": "List Files", "description": "List files and folders in a OneDrive folder", "requiresWrite": false }, { "id": "search-files", "name": "Search Files", "description": "Search for files and folders in OneDrive by name or content", "requiresWrite": false }, { "id": "upload-file", "name": "Upload File", "description": "Upload or update a file in OneDrive", "requiresWrite": true }, { "id": "download-file", "name": "Download File", "description": "Download file content from OneDrive", "requiresWrite": false }], "prompts": [{ "id": "search-documents", "title": "Search documents", "prompt": "Search for documents in OneDrive and summarize their content.", "category": "productivity", "icon": "search" }, { "id": "list-recent-files", "title": "List recent files", "prompt": "Show me the most recently modified files in my OneDrive.", "category": "productivity", "icon": "document" }, { "id": "organize-files", "title": "Organize files", "prompt": "Help me organize and manage files in my OneDrive storage.", "category": "productivity", "icon": "folder" }, { "id": "backup-file", "title": "Backup a file", "prompt": "Upload and backup a file to my OneDrive storage.", "category": "productivity", "icon": "upload" }], "suggestedWith": ["outlook", "teams", "sharepoint"] },
     { "name": "outlook", "displayName": "Microsoft Outlook", "icon": "outlook.svg", "description": "Read, send, and manage Outlook emails", "auth": { "type": "oauth2", "provider": "microsoft", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "tokenUrl": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "scopes": ["Mail.Read", "Mail.Send", "Mail.ReadWrite", "offline_access"], "tokenAuthMethod": "body", "requiredApis": [{ "name": "Microsoft Graph API", "enableUrl": "https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade" }] }, "envVars": [{ "name": "MICROSOFT_CLIENT_ID", "description": "Microsoft Azure App Client ID (Application ID)", "required": true, "sensitive": false, "docsUrl": "https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade" }, { "name": "MICROSOFT_CLIENT_SECRET", "description": "Microsoft Azure App Client Secret", "required": true, "sensitive": true, "docsUrl": "https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade" }], "tools": [{ "id": "list-emails", "name": "List Emails", "description": "List recent emails from inbox or a specific folder", "requiresWrite": false }, { "id": "get-email", "name": "Get Email", "description": "Get detailed information about a specific email", "requiresWrite": false }, { "id": "send-email", "name": "Send Email", "description": "Send a new email message", "requiresWrite": true }, { "id": "search-emails", "name": "Search Emails", "description": "Search emails by query, subject, sender, or date", "requiresWrite": false }, { "id": "list-folders", "name": "List Folders", "description": "List all mail folders in the mailbox", "requiresWrite": false }], "prompts": [{ "id": "check-emails", "title": "Check my emails", "prompt": "List my recent unread emails and summarize the most important ones.", "category": "productivity", "icon": "mail" }, { "id": "search-emails", "title": "Search my emails", "prompt": "Search my emails for specific topics, senders, or date ranges.", "category": "productivity", "icon": "search" }, { "id": "draft-email", "title": "Draft an email", "prompt": "Help me draft a professional email with proper formatting and tone.", "category": "productivity", "icon": "compose" }], "suggestedWith": ["teams", "calendar", "gmail"] },

package/esm/src/integrations/schema.d.ts

@@ -356,6 +356,7 @@ export declare const IntegrationConfigSchema: z.ZodObject<{
         docsUrl: z.ZodOptional<z.ZodString>;
         default: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>>>;
+    npmDependencies: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     tools: z.ZodArray<z.ZodObject<{
         id: z.ZodOptional<z.ZodString>;
         name: z.ZodString;

package/esm/src/integrations/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../../src/src/integrations/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAuDxB,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAA2B,CAAC;AAE9D,eAAO,MAAM,YAAY;;;;;;;;iBAQvB,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;iBAO3B,CAAC;AAEH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAyB5B,CAAC;AAEH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;iBAMzC,CAAC;AAEH,eAAO,MAAM,kCAAkC;;;;;;;;;;;iBAK7C,CAAC;AAEH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBASpC,CAAC;AAEH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAOhC,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;iBAMlC,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAYlC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACxE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../../src/src/integrations/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAuDxB,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAA2B,CAAC;AAE9D,eAAO,MAAM,YAAY;;;;;;;;iBAQvB,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;iBAO3B,CAAC;AAEH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAyB5B,CAAC;AAEH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;iBAMzC,CAAC;AAEH,eAAO,MAAM,kCAAkC;;;;;;;;;;;iBAK7C,CAAC;AAEH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBASpC,CAAC;AAEH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAOhC,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;iBAMlC,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoBlC,CAAC;AAEH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACxE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC"}

package/esm/src/integrations/schema.js

@@ -140,6 +140,14 @@ export const IntegrationConfigSchema = z.object({
     description: z.string(),
     auth: OAuthConfigSchema,
     envVars: z.array(EnvVarSchema).optional(),
+    /**
+     * Optional map of npm packages to semver ranges. When this integration is
+     * selected during `veryfront init`, these deps are merged into the
+     * generated project's `package.json#dependencies`. Use this for templates
+     * that import packages beyond the init scaffold's defaults (react,
+     * react-dom, veryfront, zod).
+     */
+    npmDependencies: z.record(z.string(), z.string()).optional(),
     tools: z.array(IntegrationToolSchema),
     prompts: z.array(IntegrationPromptSchema).optional(),
     suggestedWith: z.array(z.string()).optional(),

package/esm/src/proxy/cache/index.d.ts

@@ -5,8 +5,8 @@
  */
 export type { CacheOptions, CacheStats, MemoryCacheOptions, RedisCacheOptions, TokenCache, TokenCacheEntry, } from "./types.js";
 export { MemoryCache } from "./memory-cache.js";
-export { RedisCache } from "./redis-cache.js";
 export { ResilientCache } from "./resilient-cache.js";
+export { TracingTokenCache } from "./tracing-cache.js";
 import type { CacheOptions, TokenCache } from "./types.js";
 export declare function createCache(options: CacheOptions): Promise<TokenCache>;
 export declare function createCacheFromEnv(): Promise<TokenCache>;

package/esm/src/proxy/cache/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAU3D,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAS5E;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,CA0B9D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAe3D,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAc5E;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,CA4B9D"}

package/esm/src/proxy/cache/index.js

@@ -4,19 +4,26 @@
  * @module proxy/cache
  */
 export { MemoryCache } from "./memory-cache.js";
-export { RedisCache } from "./redis-cache.js";
 export { ResilientCache } from "./resilient-cache.js";
+export { TracingTokenCache } from "./tracing-cache.js";
 import { MemoryCache } from "./memory-cache.js";
-import { RedisCache } from "./redis-cache.js";
 import { ResilientCache } from "./resilient-cache.js";
+import { TracingTokenCache } from "./tracing-cache.js";
+import { tryResolve } from "../../extensions/contracts.js";
 import { getEnv } from "../../platform/compat/process.js";
 import { proxyLogger } from "../logger.js";
 import { withSpan } from "../tracing.js";
 const logger = proxyLogger.child({ module: "cache" });
+const MISSING_EXTENSION_INFO = "TokenCacheStore contract not provided — install @veryfront/ext-redis or scaffold extensions/ext-redis/";
 export async function createCache(options) {
     return withSpan("cache.create", async () => {
-        if (options.type === "redis")
-            return new RedisCache(options.options);
+        if (options.type === "redis") {
+            const tokenCache = tryResolve("TokenCacheStore");
+            if (tokenCache)
+                return new TracingTokenCache(tokenCache);
+            logger.info(MISSING_EXTENSION_INFO);
+            return new MemoryCache(undefined);
+        }
         return new MemoryCache(options.options);
     }, { "cache.type": options.type });
 }
@@ -25,18 +32,21 @@ export async function createCacheFromEnv() {
     return withSpan("cache.createFromEnv", async () => {
         if (cacheType !== "redis")
             return new MemoryCache();
-        const url = getEnv("REDIS_URL");
-        if (!url) {
-            logger.warn("[Cache] CACHE_TYPE=redis but REDIS_URL not set, falling back to memory");
+        const tokenCache = tryResolve("TokenCacheStore");
+        if (!tokenCache) {
+            // Redis was requested via config/env but no extension registered the
+            // TokenCacheStore contract. Log an info (misconfiguration, not error),
+            // then fall back to an in-memory cache so the proxy still boots.
+            logger.info(MISSING_EXTENSION_INFO);
             return new MemoryCache();
         }
-        const redisCache = new RedisCache({
-            url,
-            prefix: getEnv("REDIS_PREFIX") || "vf:token:",
-        });
-        // Wrap Redis with resilient fallback to memory cache
-        // This ensures the proxy continues to function when Redis is unavailable
-        logger.debug("[Cache] Using Redis with memory fallback (ResilientCache)");
-        return new ResilientCache(redisCache, new MemoryCache());
+        // Wrap the extension-provided cache with a memory fallback so a Redis
+        // outage does not take the proxy down. TracingTokenCache sits between
+        // ResilientCache and the extension impl so spans wrap the actual
+        // primary-cache attempt (mirrors the pre-extraction RedisCache which
+        // had inner withSpan calls).
+        logger.debug("[Cache] Using TokenCacheStore extension with memory fallback (ResilientCache)");
+        const traced = new TracingTokenCache(tokenCache);
+        return new ResilientCache(traced, new MemoryCache());
     }, { "cache.type": cacheType });
 }

package/esm/src/proxy/cache/tracing-cache.d.ts

@@ -0,0 +1,31 @@
+/**
+ * TracingTokenCache
+ *
+ * Wraps a {@link TokenCache} implementation and emits an OpenTelemetry span
+ * around each public method. This keeps extension-provided caches (such as
+ * `@veryfront/ext-redis`) tracer-agnostic: the extension implements the
+ * contract only, and the proxy applies observability at the factory boundary.
+ *
+ * Span names default to `cache.redis.<op>` to preserve the pre-extraction
+ * behavior of the in-tree RedisCache. Callers may override via
+ * {@link TracingTokenCacheOptions.spanPrefix} when wrapping a different
+ * backend.
+ */
+import type { CacheStats, TokenCache, TokenCacheEntry } from "./types.js";
+export interface TracingTokenCacheOptions {
+    /** Span name prefix, e.g. "cache.redis" produces "cache.redis.get". */
+    spanPrefix?: string;
+}
+export declare class TracingTokenCache implements TokenCache {
+    private readonly inner;
+    private readonly prefix;
+    constructor(inner: TokenCache, options?: TracingTokenCacheOptions);
+    get(key: string): Promise<TokenCacheEntry | null>;
+    set(key: string, entry: TokenCacheEntry): Promise<void>;
+    delete(key: string): Promise<void>;
+    clear(): Promise<void>;
+    has(key: string): Promise<boolean>;
+    stats(): Promise<CacheStats>;
+    close(): Promise<void>;
+}
+//# sourceMappingURL=tracing-cache.d.ts.map

package/esm/src/proxy/cache/tracing-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing-cache.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/tracing-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG1E,MAAM,WAAW,wBAAwB;IACvC,uEAAuE;IACvE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID,qBAAa,iBAAkB,YAAW,UAAU;IAClD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAa;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAEpB,KAAK,EAAE,UAAU,EAAE,OAAO,GAAE,wBAA6B;IAKrE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAQjD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAQvD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAItB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQlC,KAAK,IAAI,OAAO,CAAC,UAAU,CAAC;IAI5B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAGvB"}

package/esm/src/proxy/cache/tracing-cache.js

@@ -0,0 +1,44 @@
+/**
+ * TracingTokenCache
+ *
+ * Wraps a {@link TokenCache} implementation and emits an OpenTelemetry span
+ * around each public method. This keeps extension-provided caches (such as
+ * `@veryfront/ext-redis`) tracer-agnostic: the extension implements the
+ * contract only, and the proxy applies observability at the factory boundary.
+ *
+ * Span names default to `cache.redis.<op>` to preserve the pre-extraction
+ * behavior of the in-tree RedisCache. Callers may override via
+ * {@link TracingTokenCacheOptions.spanPrefix} when wrapping a different
+ * backend.
+ */
+import { withSpan } from "../tracing.js";
+const DEFAULT_SPAN_PREFIX = "cache.redis";
+export class TracingTokenCache {
+    inner;
+    prefix;
+    constructor(inner, options = {}) {
+        this.inner = inner;
+        this.prefix = options.spanPrefix ?? DEFAULT_SPAN_PREFIX;
+    }
+    get(key) {
+        return withSpan(`${this.prefix}.get`, () => this.inner.get(key), { "cache.key": key });
+    }
+    set(key, entry) {
+        return withSpan(`${this.prefix}.set`, () => this.inner.set(key, entry), { "cache.key": key });
+    }
+    delete(key) {
+        return withSpan(`${this.prefix}.delete`, () => this.inner.delete(key), { "cache.key": key });
+    }
+    clear() {
+        return withSpan(`${this.prefix}.clear`, () => this.inner.clear());
+    }
+    has(key) {
+        return withSpan(`${this.prefix}.has`, () => this.inner.has(key), { "cache.key": key });
+    }
+    stats() {
+        return withSpan(`${this.prefix}.stats`, () => this.inner.stats());
+    }
+    close() {
+        return withSpan(`${this.prefix}.close`, () => this.inner.close());
+    }
+}

package/esm/src/proxy/cache/types.d.ts

@@ -2,7 +2,7 @@
  * Token Cache Interface
  *
  * Abstraction for storing OAuth tokens with TTL support.
- * Implementations: MemoryCache, RedisCache
+ * Implementations: MemoryCache (built-in), RedisCache (via @veryfront/ext-redis)
  */
 export interface TokenCacheEntry {
     token: string;

package/esm/src/proxy/cache/types.js

@@ -2,6 +2,6 @@
  * Token Cache Interface
  *
  * Abstraction for storing OAuth tokens with TTL support.
- * Implementations: MemoryCache, RedisCache
+ * Implementations: MemoryCache (built-in), RedisCache (via @veryfront/ext-redis)
  */
 export {};

package/esm/src/proxy/handler.d.ts

@@ -1,5 +1,12 @@
 import { type ParsedDomain } from "../server/utils/domain-parser.js";
 import type { TokenCache } from "./cache/types.js";
+/**
+ * Reset the cached AuthProvider. Intended for tests that `register()` a mock
+ * after the handler module has been imported.
+ *
+ * @internal
+ */
+export declare function __resetCachedAuthProviderForTests(): void;
 export declare const INTERNAL_PROXY_HEADERS: readonly ["x-token", "x-project-slug", "x-environment", "x-environment-id", "x-content-source-id", "x-forwarded-host", "x-project-path", "x-project-id", "x-release-id", "x-branch-id", "x-branch-name"];
 export interface ProxyConfig {
     apiBaseUrl: string;

package/esm/src/proxy/handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/src/proxy/handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,YAAY,EAAsB,MAAM,kCAAkC,CAAC;AACzF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAQnD,eAAO,MAAM,sBAAsB,0MAYzB,CAAC;AAmIX,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,YAAY,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE;QACN,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC9D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAC9E;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,WAAW,CAAC;IACpB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAiGD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB;0BA4Q1B,OAAO,KAAG,OAAO,CAAC,YAAY,CAAC;0BAmQ/B,OAAO,KAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;;;;;;;;0BApd7C,MAAM,EAAE;;EAgfpC;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEjE,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAwB7E"}
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/src/proxy/handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,YAAY,EAAsB,MAAM,kCAAkC,CAAC;AACzF,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAuCnD;;;;;GAKG;AACH,wBAAgB,iCAAiC,IAAI,IAAI,CAExD;AAED,eAAO,MAAM,sBAAsB,0MAYzB,CAAC;AAqHX,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,SAAS,GAAG,YAAY,CAAC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,YAAY,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE;QACN,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC9D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IAC7D,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAC9E;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,WAAW,CAAC;IACpB,KAAK,CAAC,EAAE,UAAU,CAAC;IACnB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAgGD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,mBAAmB;0BA4Q1B,OAAO,KAAG,OAAO,CAAC,YAAY,CAAC;0BAmQ/B,OAAO,KAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;;;;;;;;0BApd7C,MAAM,EAAE;;EAgfpC;AAED,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEjE,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,GAAG,OAAO,CAwB7E"}

package/esm/src/proxy/handler.js

@@ -5,7 +5,42 @@ import { cwd, getEnv } from "../platform/compat/process.js";
 import { join } from "../platform/compat/path/index.js";
 import { injectContext, ProxySpanNames, withSpan } from "./tracing.js";
 import { computeContentSourceId } from "../cache/keys.js";
-import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { resolve as resolveContract } from "../extensions/contracts.js";
+/**
+ * Cache the resolved AuthProvider at module scope so the proxy does not pay
+ * the registry lookup on every request. The cache is cleared implicitly when
+ * `ExtensionLoader.teardownAll()` clears the registry — the next call
+ * re-resolves (or surfaces the "install ext-jwt" hint if the extension was
+ * removed).
+ */
+let cachedAuthProvider;
+function getAuthProvider() {
+    if (cachedAuthProvider)
+        return cachedAuthProvider;
+    try {
+        cachedAuthProvider = resolveContract("AuthProvider");
+        return cachedAuthProvider;
+    }
+    catch (err) {
+        // resolve() already throws with a helpful "Recommended: @veryfront/ext-jwt"
+        // message, but the proxy is a load-bearing code path — append a concrete
+        // remediation hint that names the project-root extension directory so
+        // the user knows exactly what's missing.
+        const base = err instanceof Error ? err.message : String(err);
+        throw new Error(`${base}\nTo enable JWT verification in the proxy, install ext-jwt ` +
+            `(scaffold with \`deno task cli extension init ext-jwt\` or add the ` +
+            `npm package @veryfront/ext-jwt).`, { cause: err });
+    }
+}
+/**
+ * Reset the cached AuthProvider. Intended for tests that `register()` a mock
+ * after the handler module has been imported.
+ *
+ * @internal
+ */
+export function __resetCachedAuthProviderForTests() {
+    cachedAuthProvider = undefined;
+}
 export const INTERNAL_PROXY_HEADERS = [
     "x-token",
     "x-project-slug",
@@ -40,21 +75,10 @@ function isSignedInternalControlPlaneRequest(req) {
     }
     return !!req.headers.get("x-token");
 }
-const remoteJwksByUrl = new Map();
-function getApiJwks(apiBaseUrl, logger) {
+function resolveApiJwksUrl(apiBaseUrl, logger) {
     try {
         const normalizedBaseUrl = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
-        const jwksUrl = new URL(".well-known/jwks.json", normalizedBaseUrl);
-        const cacheKey = jwksUrl.toString();
-        // Lazily initialize and cache JWKS in a single, idempotent step to avoid
-        // unsynchronized read/then-write on the shared Map across concurrent calls.
-        let jwks = remoteJwksByUrl.get(cacheKey);
-        if (!jwks) {
-            const created = createRemoteJWKSet(jwksUrl);
-            remoteJwksByUrl.set(cacheKey, created);
-            jwks = created;
-        }
-        return jwks;
+        return new URL(".well-known/jwks.json", normalizedBaseUrl).toString();
     }
     catch (error) {
         logger?.error("Invalid API base URL for JWKS lookup", error, {
@@ -130,22 +154,19 @@ function isMissingCustomDomainProjectError(error) {
     return /project not found for domain/i.test(message);
 }
 async function extractUserIdFromToken(token, apiBaseUrl, log) {
-    let algorithm;
-    try {
-        algorithm = decodeProtectedHeader(token).alg;
-    }
-    catch (error) {
-        log?.debug("Failed to decode JWT header", {
-            error: error instanceof Error ? error.message : String(error),
-        });
+    const auth = getAuthProvider();
+    const header = auth.decode(token);
+    if (!header) {
+        log?.debug("Failed to decode JWT header");
         return undefined;
     }
+    const algorithm = header.alg;
     if (algorithm === "RS256") {
-        const jwks = getApiJwks(apiBaseUrl, log);
-        if (!jwks)
+        const jwksUrl = resolveApiJwksUrl(apiBaseUrl, log);
+        if (!jwksUrl)
             return undefined;
         try {
-            const { payload } = await jwtVerify(token, jwks, {
+            const payload = await auth.verifyWithJwks(token, jwksUrl, {
                 algorithms: ["RS256"],
             });
             return payload.userId;
@@ -167,10 +188,10 @@ async function extractUserIdFromToken(token, apiBaseUrl, log) {
         return undefined;
     }
     try {
-        const secret = new TextEncoder().encode(jwtSecret);
-        const { payload } = await jwtVerify(token, secret, {
-            algorithms: ["HS256"],
-        });
+        // ext-jwt reads JWT_SECRET from the environment when no `secret` was
+        // passed to the extension factory; the explicit env check above is kept
+        // so callers can warn once before we attempt verification.
+        const payload = await auth.verify(token, { algorithms: ["HS256"] });
         return payload.userId;
     }
     catch (error) {

package/esm/src/server/runtime-handler/request-tracker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"request-tracker.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/request-tracker.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,KAAK,OAAO,MAAM,wBAAwB,CAAC;AASlD,UAAU,cAAc;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,UAAU,CAAC,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC;IAClD,aAAa,CAAC,EAAE,UAAU,CAAC,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC;CACvD;AAiBD,cAAM,cAAc;IAClB,OAAO,CAAC,QAAQ,CAAqC;IACrD,OAAO,CAAC,cAAc,CAAqD;IAC3E,OAAO,CAAC,aAAa,CAAK;IAC1B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,aAAa,CAAK;;IAM1B,OAAO,CAAC,kBAAkB;IA4B1B,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,GAAG,CAAC,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,GACjB,IAAI;IAsDP,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,UAAQ,GAAG,IAAI;IAmCvE,gBAAgB,IAAI,MAAM;IAI1B,mBAAmB,IAAI,cAAc,EAAE;IAIvC,QAAQ,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE;IAS9E,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,SAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsD7E,QAAQ,IAAI,IAAI;CAUjB;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC"}
+{"version":3,"file":"request-tracker.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/request-tracker.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,KAAK,OAAO,MAAM,wBAAwB,CAAC;AASlD,UAAU,cAAc;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,UAAU,CAAC,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC;IAClD,aAAa,CAAC,EAAE,UAAU,CAAC,OAAO,OAAO,CAAC,UAAU,CAAC,CAAC;CACvD;AAiBD,cAAM,cAAc;IAClB,OAAO,CAAC,QAAQ,CAAqC;IACrD,OAAO,CAAC,cAAc,CAAqD;IAC3E,OAAO,CAAC,aAAa,CAAK;IAC1B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,aAAa,CAAK;;IAM1B,OAAO,CAAC,kBAAkB;IA4B1B,KAAK,CACH,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,GAAG,CAAC,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,GACjB,IAAI;IAuDP,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,UAAQ,GAAG,IAAI;IAgCvE,gBAAgB,IAAI,MAAM;IAI1B,mBAAmB,IAAI,cAAc,EAAE;IAIvC,QAAQ,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE;IAS9E,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,SAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsD7E,QAAQ,IAAI,IAAI;CAUjB;AAED,eAAO,MAAM,cAAc,gBAAuB,CAAC"}

package/esm/src/server/runtime-handler/request-tracker.js

@@ -7,7 +7,7 @@
 import * as dntShim from "../../../_dnt.shims.js";
 import { serverLogger } from "../../utils/index.js";
 import { unrefTimer } from "../../platform/compat/process.js";
-import { isWebSocketPath } from "./request-utils.js";
+import { isLightweightPath, isWebSocketPath } from "./request-utils.js";
 const logger = serverLogger.component("request-tracker");
 /** Threshold in ms before logging a warning about a slow request */
 const SLOW_REQUEST_THRESHOLD_MS = 10_000; // 10 seconds
@@ -66,8 +66,9 @@ class RequestTracker {
             env,
             releaseId,
         };
-        // WebSocket connections are long-lived by design — don't flag them as stuck.
-        if (!isWebSocketPath(path)) {
+        // WebSocket connections are long-lived by design and lightweight internal
+        // asset/module requests can be noisy under CI jitter — don't flag them as stuck.
+        if (!isWebSocketPath(path) && !isLightweightPath(path)) {
             tracked.slowTimer = dntShim.setTimeout(() => {
                 const elapsedMs = Math.round(performance.now() - startTime);
                 logger.warn("Slow request detected", {
@@ -118,9 +119,7 @@ class RequestTracker {
             this.totalTimedOut++;
         else
             this.totalCompleted++;
-        const isModuleRequest = tracked.path.startsWith("/_vf_modules/") ||
-            tracked.path.startsWith("/_veryfront/");
-        if (isModuleRequest) {
+        if (isLightweightPath(tracked.path)) {
             if (durationMs > MODULE_REQUEST_LOG_THRESHOLD_MS) {
                 logger.debug(`${tracked.method} ${tracked.path} ${statusCode} ${durationMs}ms`);
             }

package/esm/src/server/runtime-handler/request-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"request-utils.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/request-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAErE,qDAAqD;AACrD,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAkBpD;AAED,sDAAsD;AACtD,eAAO,MAAM,gBAAgB,aAA+C,CAAC;AAK7E,yFAAyF;AACzF,wBAAgB,iBAAiB,IAAI,MAAM,CAK1C;AAED,OAAO,EAAE,oBAAoB,EAAE,CAAC;AAEhC,sEAAsE;AACtE,eAAO,MAAM,gBAAgB,eAA4B,CAAC;AAE1D,oFAAoF;AACpF,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1D;AAED,uFAAuF;AACvF,eAAO,MAAM,yBAAyB,UAQrC,CAAC;AAEF,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,mFAAmF;AACnF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEnE"}
+{"version":3,"file":"request-utils.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/request-utils.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAErE,qDAAqD;AACrD,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAkBpD;AAED,sDAAsD;AACtD,eAAO,MAAM,gBAAgB,aAA+C,CAAC;AAK7E,yFAAyF;AACzF,wBAAgB,iBAAiB,IAAI,MAAM,CAK1C;AAED,OAAO,EAAE,oBAAoB,EAAE,CAAC;AAEhC,sEAAsE;AACtE,eAAO,MAAM,gBAAgB,eAA4B,CAAC;AAE1D,oFAAoF;AACpF,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE1D;AAED,uFAAuF;AACvF,eAAO,MAAM,yBAAyB,UASrC,CAAC;AAEF,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE3D;AAED,mFAAmF;AACnF,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEnE"}

package/esm/src/server/runtime-handler/request-utils.js

@@ -48,6 +48,7 @@ export function isMonitoringPath(pathname) {
 /** Lightweight paths that should skip concurrency limiting (modules, static assets) */
 export const LIGHTWEIGHT_PATH_PREFIXES = [
     "/_vf_modules/",
+    "/_vf_styles/",
     "/_veryfront/modules/",
     "/_veryfront/hydration-runtime.js",
     "/_veryfront/preview-hmr.js",

package/esm/src/utils/version-constant.d.ts

@@ -1,2 +1,2 @@
-export declare const VERSION = "0.1.217";
+export declare const VERSION = "0.1.219";
 //# sourceMappingURL=version-constant.d.ts.map

package/esm/src/utils/version-constant.js

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.217";
+export const VERSION = "0.1.219";