veryfront 0.1.217 → 0.1.219

package/src/src/proxy/cache/index.ts

@@ -13,24 +13,34 @@ export type {
   TokenCacheEntry,
 } from "./types.js";
 export { MemoryCache } from "./memory-cache.js";
-export { RedisCache } from "./redis-cache.js";
 export { ResilientCache } from "./resilient-cache.js";
+export { TracingTokenCache } from "./tracing-cache.js";
 
 import type { CacheOptions, TokenCache } from "./types.js";
+import type { TokenCacheStore } from "../../extensions/interfaces/token-cache-store.js";
 import { MemoryCache } from "./memory-cache.js";
-import { RedisCache } from "./redis-cache.js";
 import { ResilientCache } from "./resilient-cache.js";
+import { TracingTokenCache } from "./tracing-cache.js";
+import { tryResolve } from "../../extensions/contracts.js";
 import { getEnv } from "../../platform/compat/process.js";
 import { proxyLogger } from "../logger.js";
 import { withSpan } from "../tracing.js";
 
 const logger = proxyLogger.child({ module: "cache" });
 
+const MISSING_EXTENSION_INFO =
+  "TokenCacheStore contract not provided — install @veryfront/ext-redis or scaffold extensions/ext-redis/";
+
 export async function createCache(options: CacheOptions): Promise<TokenCache> {
   return withSpan(
     "cache.create",
     async () => {
-      if (options.type === "redis") return new RedisCache(options.options);
+      if (options.type === "redis") {
+        const tokenCache = tryResolve<TokenCacheStore>("TokenCacheStore");
+        if (tokenCache) return new TracingTokenCache(tokenCache as unknown as TokenCache);
+        logger.info(MISSING_EXTENSION_INFO);
+        return new MemoryCache(undefined);
+      }
       return new MemoryCache(options.options);
     },
     { "cache.type": options.type },
@@ -45,21 +55,23 @@ export async function createCacheFromEnv(): Promise<TokenCache> {
     async () => {
       if (cacheType !== "redis") return new MemoryCache();
 
-      const url = getEnv("REDIS_URL");
-      if (!url) {
-        logger.warn("[Cache] CACHE_TYPE=redis but REDIS_URL not set, falling back to memory");
+      const tokenCache = tryResolve<TokenCacheStore>("TokenCacheStore");
+      if (!tokenCache) {
+        // Redis was requested via config/env but no extension registered the
+        // TokenCacheStore contract. Log an info (misconfiguration, not error),
+        // then fall back to an in-memory cache so the proxy still boots.
+        logger.info(MISSING_EXTENSION_INFO);
         return new MemoryCache();
       }
 
-      const redisCache = new RedisCache({
-        url,
-        prefix: getEnv("REDIS_PREFIX") || "vf:token:",
-      });
-
-      // Wrap Redis with resilient fallback to memory cache
-      // This ensures the proxy continues to function when Redis is unavailable
-      logger.debug("[Cache] Using Redis with memory fallback (ResilientCache)");
-      return new ResilientCache(redisCache, new MemoryCache());
+      // Wrap the extension-provided cache with a memory fallback so a Redis
+      // outage does not take the proxy down. TracingTokenCache sits between
+      // ResilientCache and the extension impl so spans wrap the actual
+      // primary-cache attempt (mirrors the pre-extraction RedisCache which
+      // had inner withSpan calls).
+      logger.debug("[Cache] Using TokenCacheStore extension with memory fallback (ResilientCache)");
+      const traced = new TracingTokenCache(tokenCache as unknown as TokenCache);
+      return new ResilientCache(traced, new MemoryCache());
     },
     { "cache.type": cacheType },
   );

package/src/src/proxy/cache/tracing-cache.ts

@@ -0,0 +1,77 @@
+/**
+ * TracingTokenCache
+ *
+ * Wraps a {@link TokenCache} implementation and emits an OpenTelemetry span
+ * around each public method. This keeps extension-provided caches (such as
+ * `@veryfront/ext-redis`) tracer-agnostic: the extension implements the
+ * contract only, and the proxy applies observability at the factory boundary.
+ *
+ * Span names default to `cache.redis.<op>` to preserve the pre-extraction
+ * behavior of the in-tree RedisCache. Callers may override via
+ * {@link TracingTokenCacheOptions.spanPrefix} when wrapping a different
+ * backend.
+ */
+
+import type { CacheStats, TokenCache, TokenCacheEntry } from "./types.js";
+import { withSpan } from "../tracing.js";
+
+export interface TracingTokenCacheOptions {
+  /** Span name prefix, e.g. "cache.redis" produces "cache.redis.get". */
+  spanPrefix?: string;
+}
+
+const DEFAULT_SPAN_PREFIX = "cache.redis";
+
+export class TracingTokenCache implements TokenCache {
+  private readonly inner: TokenCache;
+  private readonly prefix: string;
+
+  constructor(inner: TokenCache, options: TracingTokenCacheOptions = {}) {
+    this.inner = inner;
+    this.prefix = options.spanPrefix ?? DEFAULT_SPAN_PREFIX;
+  }
+
+  get(key: string): Promise<TokenCacheEntry | null> {
+    return withSpan(
+      `${this.prefix}.get`,
+      () => this.inner.get(key),
+      { "cache.key": key },
+    );
+  }
+
+  set(key: string, entry: TokenCacheEntry): Promise<void> {
+    return withSpan(
+      `${this.prefix}.set`,
+      () => this.inner.set(key, entry),
+      { "cache.key": key },
+    );
+  }
+
+  delete(key: string): Promise<void> {
+    return withSpan(
+      `${this.prefix}.delete`,
+      () => this.inner.delete(key),
+      { "cache.key": key },
+    );
+  }
+
+  clear(): Promise<void> {
+    return withSpan(`${this.prefix}.clear`, () => this.inner.clear());
+  }
+
+  has(key: string): Promise<boolean> {
+    return withSpan(
+      `${this.prefix}.has`,
+      () => this.inner.has(key),
+      { "cache.key": key },
+    );
+  }
+
+  stats(): Promise<CacheStats> {
+    return withSpan(`${this.prefix}.stats`, () => this.inner.stats());
+  }
+
+  close(): Promise<void> {
+    return withSpan(`${this.prefix}.close`, () => this.inner.close());
+  }
+}

package/src/src/proxy/cache/types.ts

@@ -2,7 +2,7 @@
  * Token Cache Interface
  *
  * Abstraction for storing OAuth tokens with TTL support.
- * Implementations: MemoryCache, RedisCache
+ * Implementations: MemoryCache (built-in), RedisCache (via @veryfront/ext-redis)
  */
 
 export interface TokenCacheEntry {

package/src/src/proxy/handler.ts

@@ -6,7 +6,48 @@ import { cwd, getEnv } from "../platform/compat/process.js";
 import { join } from "../platform/compat/path/index.js";
 import { injectContext, ProxySpanNames, withSpan } from "./tracing.js";
 import { computeContentSourceId } from "../cache/keys.js";
-import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { resolve as resolveContract } from "../extensions/contracts.js";
+import type { AuthProvider } from "../extensions/interfaces/auth-provider.js";
+
+/**
+ * Cache the resolved AuthProvider at module scope so the proxy does not pay
+ * the registry lookup on every request. The cache is cleared implicitly when
+ * `ExtensionLoader.teardownAll()` clears the registry — the next call
+ * re-resolves (or surfaces the "install ext-jwt" hint if the extension was
+ * removed).
+ */
+let cachedAuthProvider: AuthProvider | undefined;
+
+function getAuthProvider(): AuthProvider {
+  if (cachedAuthProvider) return cachedAuthProvider;
+
+  try {
+    cachedAuthProvider = resolveContract<AuthProvider>("AuthProvider");
+    return cachedAuthProvider;
+  } catch (err) {
+    // resolve() already throws with a helpful "Recommended: @veryfront/ext-jwt"
+    // message, but the proxy is a load-bearing code path — append a concrete
+    // remediation hint that names the project-root extension directory so
+    // the user knows exactly what's missing.
+    const base = err instanceof Error ? err.message : String(err);
+    throw new Error(
+      `${base}\nTo enable JWT verification in the proxy, install ext-jwt ` +
+        `(scaffold with \`deno task cli extension init ext-jwt\` or add the ` +
+        `npm package @veryfront/ext-jwt).`,
+      { cause: err },
+    );
+  }
+}
+
+/**
+ * Reset the cached AuthProvider. Intended for tests that `register()` a mock
+ * after the handler module has been imported.
+ *
+ * @internal
+ */
+export function __resetCachedAuthProviderForTests(): void {
+  cachedAuthProvider = undefined;
+}
 
 export const INTERNAL_PROXY_HEADERS = [
   "x-token",
@@ -64,24 +105,10 @@ interface DomainLookupResult {
   }>;
 }
 
-const remoteJwksByUrl = new Map<string, ReturnType<typeof createRemoteJWKSet>>();
-
-function getApiJwks(apiBaseUrl: string, logger?: ProxyLogger) {
+function resolveApiJwksUrl(apiBaseUrl: string, logger?: ProxyLogger): string | undefined {
   try {
     const normalizedBaseUrl = apiBaseUrl.endsWith("/") ? apiBaseUrl : `${apiBaseUrl}/`;
-    const jwksUrl = new URL(".well-known/jwks.json", normalizedBaseUrl);
-    const cacheKey = jwksUrl.toString();
-
-    // Lazily initialize and cache JWKS in a single, idempotent step to avoid
-    // unsynchronized read/then-write on the shared Map across concurrent calls.
-    let jwks = remoteJwksByUrl.get(cacheKey);
-    if (!jwks) {
-      const created = createRemoteJWKSet(jwksUrl);
-      remoteJwksByUrl.set(cacheKey, created);
-      jwks = created;
-    }
-
-    return jwks;
+    return new URL(".well-known/jwks.json", normalizedBaseUrl).toString();
   } catch (error) {
     logger?.error("Invalid API base URL for JWKS lookup", error as Error, {
       apiBaseUrl,
@@ -229,23 +256,22 @@ async function extractUserIdFromToken(
   apiBaseUrl: string,
   log?: ProxyLogger,
 ): Promise<string | undefined> {
-  let algorithm: string | undefined;
+  const auth = getAuthProvider();
 
-  try {
-    algorithm = decodeProtectedHeader(token).alg;
-  } catch (error) {
-    log?.debug("Failed to decode JWT header", {
-      error: error instanceof Error ? error.message : String(error),
-    });
+  const header = auth.decode(token);
+  if (!header) {
+    log?.debug("Failed to decode JWT header");
     return undefined;
   }
 
+  const algorithm = header.alg;
+
   if (algorithm === "RS256") {
-    const jwks = getApiJwks(apiBaseUrl, log);
-    if (!jwks) return undefined;
+    const jwksUrl = resolveApiJwksUrl(apiBaseUrl, log);
+    if (!jwksUrl) return undefined;
 
     try {
-      const { payload } = await jwtVerify(token, jwks, {
+      const payload = await auth.verifyWithJwks(token, jwksUrl, {
         algorithms: ["RS256"],
       });
       return (payload as { userId?: string }).userId;
@@ -270,10 +296,10 @@ async function extractUserIdFromToken(
   }
 
   try {
-    const secret = new TextEncoder().encode(jwtSecret);
-    const { payload } = await jwtVerify(token, secret, {
-      algorithms: ["HS256"],
-    });
+    // ext-jwt reads JWT_SECRET from the environment when no `secret` was
+    // passed to the extension factory; the explicit env check above is kept
+    // so callers can warn once before we attempt verification.
+    const payload = await auth.verify(token, { algorithms: ["HS256"] });
     return (payload as { userId?: string }).userId;
   } catch (error) {
     log?.debug("JWT verification failed", {

package/src/src/server/runtime-handler/request-tracker.ts

@@ -9,7 +9,7 @@ import * as dntShim from "../../../_dnt.shims.js";
 
 import { serverLogger } from "../../utils/index.js";
 import { unrefTimer } from "../../platform/compat/process.js";
-import { isWebSocketPath } from "./request-utils.js";
+import { isLightweightPath, isWebSocketPath } from "./request-utils.js";
 
 const logger = serverLogger.component("request-tracker");
 
@@ -100,8 +100,9 @@ class RequestTracker {
       releaseId,
     };
 
-    // WebSocket connections are long-lived by design — don't flag them as stuck.
-    if (!isWebSocketPath(path)) {
+    // WebSocket connections are long-lived by design and lightweight internal
+    // asset/module requests can be noisy under CI jitter — don't flag them as stuck.
+    if (!isWebSocketPath(path) && !isLightweightPath(path)) {
       tracked.slowTimer = dntShim.setTimeout(() => {
         const elapsedMs = Math.round(performance.now() - startTime);
         logger.warn("Slow request detected", {
@@ -154,10 +155,7 @@ class RequestTracker {
     if (timedOut) this.totalTimedOut++;
     else this.totalCompleted++;
 
-    const isModuleRequest = tracked.path.startsWith("/_vf_modules/") ||
-      tracked.path.startsWith("/_veryfront/");
-
-    if (isModuleRequest) {
+    if (isLightweightPath(tracked.path)) {
       if (durationMs > MODULE_REQUEST_LOG_THRESHOLD_MS) {
         logger.debug(`${tracked.method} ${tracked.path} ${statusCode} ${durationMs}ms`);
       }

package/src/src/server/runtime-handler/request-utils.ts

@@ -58,6 +58,7 @@ export function isMonitoringPath(pathname: string): boolean {
 /** Lightweight paths that should skip concurrency limiting (modules, static assets) */
 export const LIGHTWEIGHT_PATH_PREFIXES = [
   "/_vf_modules/",
+  "/_vf_styles/",
   "/_veryfront/modules/",
   "/_veryfront/hydration-runtime.js",
   "/_veryfront/preview-hmr.js",

package/src/src/utils/version-constant.ts

@@ -1,3 +1,3 @@
 // Keep in sync with deno.json version.
 // scripts/release.ts updates this constant during releases.
-export const VERSION = "0.1.217";
+export const VERSION = "0.1.219";

package/esm/src/proxy/cache/redis-cache.d.ts

@@ -1,25 +0,0 @@
-import type { CacheStats, RedisCacheOptions, TokenCache, TokenCacheEntry } from "./types.js";
-export declare class RedisCache implements TokenCache {
-    private client;
-    private readonly prefix;
-    private readonly url;
-    private readonly connectTimeout;
-    private readonly tls;
-    private readonly password?;
-    private readonly username?;
-    private hits;
-    private misses;
-    private connected;
-    constructor(options: RedisCacheOptions);
-    private key;
-    get(key: string): Promise<TokenCacheEntry | null>;
-    set(key: string, entry: TokenCacheEntry): Promise<void>;
-    delete(key: string): Promise<void>;
-    clear(): Promise<void>;
-    has(key: string): Promise<boolean>;
-    stats(): Promise<CacheStats>;
-    close(): Promise<void>;
-    private getConnectedClient;
-    private ensureConnected;
-}
-//# sourceMappingURL=redis-cache.d.ts.map

package/esm/src/proxy/cache/redis-cache.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"redis-cache.d.ts","sourceRoot":"","sources":["../../../../src/src/proxy/cache/redis-cache.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAY7F,qBAAa,UAAW,YAAW,UAAU;IAC3C,OAAO,CAAC,MAAM,CAAgC;IAC9C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAU;IAC9B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAS;IACnC,OAAO,CAAC,IAAI,CAAK;IACjB,OAAO,CAAC,MAAM,CAAK;IACnB,OAAO,CAAC,SAAS,CAAS;gBAEd,OAAO,EAAE,iBAAiB;IAStC,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAoCjD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC;IAqBvD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAmBlC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAwCtB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAmBlC,KAAK,IAAI,OAAO,CAAC,UAAU,CAAC;IAkB5B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAmBd,kBAAkB;YAQlB,eAAe;CAoC9B"}

package/esm/src/proxy/cache/redis-cache.js

@@ -1,219 +0,0 @@
-import { createClient } from "redis";
-import { withSpan } from "../tracing.js";
-import { proxyLogger } from "../logger.js";
-const logger = proxyLogger.child({ module: "redis-cache" });
-const DEFAULT_PREFIX = "vf:token:";
-const DEFAULT_CONNECT_TIMEOUT_MS = 5_000;
-const DEFAULT_SCAN_COUNT = 100;
-const MAX_RECONNECT_RETRIES = 3;
-const RECONNECT_BACKOFF_BASE_MS = 100;
-const RECONNECT_BACKOFF_MAX_MS = 3_000;
-export class RedisCache {
-    client = null;
-    prefix;
-    url;
-    connectTimeout;
-    tls;
-    password;
-    username;
-    hits = 0;
-    misses = 0;
-    connected = false;
-    constructor(options) {
-        this.url = options.url;
-        this.prefix = options.prefix ?? DEFAULT_PREFIX;
-        this.connectTimeout = options.connectTimeout ?? DEFAULT_CONNECT_TIMEOUT_MS;
-        this.tls = options.tls ?? options.url.startsWith("rediss://");
-        this.password = options.password;
-        this.username = options.username;
-    }
-    key(k) {
-        return `${this.prefix}${k}`;
-    }
-    async get(key) {
-        return withSpan("cache.redis.get", async () => {
-            try {
-                const client = await this.getConnectedClient();
-                const data = await client.get(this.key(key));
-                if (!data) {
-                    this.misses++;
-                    return null;
-                }
-                const entry = JSON.parse(data);
-                if (Date.now() >= entry.expiresAt) {
-                    await client.del(this.key(key));
-                    this.misses++;
-                    return null;
-                }
-                this.hits++;
-                return entry;
-            }
-            catch (error) {
-                logger.error("[RedisCache] Get error", {
-                    error: error instanceof Error ? error.message : String(error),
-                });
-                this.connected = false;
-                this.misses++;
-                throw error;
-            }
-        }, { "cache.key": key });
-    }
-    async set(key, entry) {
-        return withSpan("cache.redis.set", async () => {
-            try {
-                const client = await this.getConnectedClient();
-                const ttlMs = entry.expiresAt - Date.now();
-                const ttlSeconds = Math.max(1, Math.floor(ttlMs / 1000));
-                await client.setEx(this.key(key), ttlSeconds, JSON.stringify(entry));
-            }
-            catch (error) {
-                logger.error("[RedisCache] Set error", {
-                    error: error instanceof Error ? error.message : String(error),
-                });
-                this.connected = false;
-                throw error;
-            }
-        }, { "cache.key": key });
-    }
-    async delete(key) {
-        return withSpan("cache.redis.delete", async () => {
-            try {
-                const client = await this.getConnectedClient();
-                await client.del(this.key(key));
-            }
-            catch (error) {
-                logger.error("[RedisCache] Delete error", {
-                    error: error instanceof Error ? error.message : String(error),
-                });
-                this.connected = false;
-                throw error;
-            }
-        }, { "cache.key": key });
-    }
-    async clear() {
-        return withSpan("cache.redis.clear", async () => {
-            try {
-                const client = await this.getConnectedClient();
-                const pattern = `${this.prefix}*`;
-                // redis v5: scan cursor is string-based to prevent Number.MAX_SAFE_INTEGER overflow
-                let cursor = "0";
-                let totalDeleted = 0;
-                do {
-                    // deno-lint-ignore no-explicit-any
-                    const result = await client.scan(cursor, {
-                        MATCH: pattern,
-                        COUNT: DEFAULT_SCAN_COUNT,
-                    });
-                    cursor = String(result.cursor);
-                    if (result.keys.length > 0) {
-                        totalDeleted += await client.del(result.keys);
-                    }
-                } while (cursor !== "0");
-                if (totalDeleted > 0) {
-                    logger.info(`[RedisCache] Cleared ${totalDeleted} keys`);
-                }
-                this.hits = 0;
-                this.misses = 0;
-            }
-            catch (error) {
-                logger.error("[RedisCache] Clear error", {
-                    error: error instanceof Error ? error.message : String(error),
-                });
-                this.connected = false;
-                throw error;
-            }
-        });
-    }
-    async has(key) {
-        return withSpan("cache.redis.has", async () => {
-            try {
-                const client = await this.getConnectedClient();
-                return (await client.exists(this.key(key))) === 1;
-            }
-            catch (error) {
-                logger.error("[RedisCache] Has error", {
-                    error: error instanceof Error ? error.message : String(error),
-                });
-                this.connected = false;
-                throw error;
-            }
-        }, { "cache.key": key });
-    }
-    async stats() {
-        return withSpan("cache.redis.stats", async () => {
-            let size = 0;
-            try {
-                const client = await this.getConnectedClient();
-                size = await client.dbSize();
-            }
-            catch (error) {
-                this.connected = false;
-                logger.error("[RedisCache] Stats error", {
-                    error: error instanceof Error ? error.message : String(error),
-                });
-            }
-            return { hits: this.hits, misses: this.misses, size, type: "redis" };
-        });
-    }
-    async close() {
-        return withSpan("cache.redis.close", async () => {
-            const client = this.client;
-            if (!client) {
-                this.connected = false;
-                return;
-            }
-            try {
-                await client.close();
-            }
-            catch (_) {
-                // expected: close errors are non-critical
-            }
-            finally {
-                this.client = null;
-                this.connected = false;
-            }
-        });
-    }
-    async getConnectedClient() {
-        await this.ensureConnected();
-        if (!this.client) {
-            throw new Error("Redis client not available after connect");
-        }
-        return this.client;
-    }
-    async ensureConnected() {
-        return withSpan("cache.redis.connect", async () => {
-            if (this.connected && this.client)
-                return;
-            // deno-lint-ignore no-explicit-any
-            const clientOpts = {
-                url: this.url,
-                socket: {
-                    connectTimeout: this.connectTimeout,
-                    tls: this.tls || undefined,
-                    reconnectStrategy: (retries) => {
-                        if (retries > MAX_RECONNECT_RETRIES) {
-                            return new Error("Max reconnection attempts reached");
-                        }
-                        return Math.min(retries * RECONNECT_BACKOFF_BASE_MS, RECONNECT_BACKOFF_MAX_MS);
-                    },
-                },
-            };
-            if (this.password)
-                clientOpts.password = this.password;
-            if (this.username)
-                clientOpts.username = this.username;
-            const client = createClient(clientOpts);
-            client.on("error", (err) => {
-                logger.error("[RedisCache] Client error", {
-                    error: err instanceof Error ? err.message : String(err),
-                });
-                this.connected = false;
-            });
-            this.client = client;
-            await client.connect();
-            this.connected = true;
-            logger.info("[RedisCache] Connected");
-        });
-    }
-}