veryfront 0.1.228 → 0.1.230
- package/esm/deno.js +1 -1
- package/esm/src/agent/hosted-child-lifecycle.d.ts +41 -0
- package/esm/src/agent/hosted-child-lifecycle.d.ts.map +1 -0
- package/esm/src/agent/hosted-child-lifecycle.js +47 -0
- package/esm/src/agent/hosted-lifecycle.d.ts +41 -0
- package/esm/src/agent/hosted-lifecycle.d.ts.map +1 -0
- package/esm/src/agent/hosted-lifecycle.js +77 -0
- package/esm/src/agent/index.d.ts +2 -0
- package/esm/src/agent/index.d.ts.map +1 -1
- package/esm/src/agent/index.js +2 -0
- package/esm/src/agent/runtime/sse-utils.d.ts.map +1 -1
- package/esm/src/agent/runtime/sse-utils.js +9 -1
- package/esm/src/channels/control-plane.d.ts +21 -0
- package/esm/src/channels/control-plane.d.ts.map +1 -1
- package/esm/src/channels/control-plane.js +48 -0
- package/esm/src/channels/invoke.d.ts +1 -1
- package/esm/src/channels/invoke.d.ts.map +1 -1
- package/esm/src/channels/invoke.js +1 -1
- package/esm/src/server/handlers/preview/hmr.handler.d.ts.map +1 -1
- package/esm/src/server/handlers/preview/hmr.handler.js +21 -9
- package/esm/src/server/runtime-handler/adapter-factory.d.ts +5 -2
- package/esm/src/server/runtime-handler/adapter-factory.d.ts.map +1 -1
- package/esm/src/server/runtime-handler/adapter-factory.js +18 -1
- package/esm/src/server/runtime-handler/index.d.ts.map +1 -1
- package/esm/src/server/runtime-handler/index.js +5 -2
- package/esm/src/server/services/rsc/orchestrators/page-handler.d.ts.map +1 -1
- package/esm/src/server/services/rsc/orchestrators/page-handler.js +22 -1
- package/esm/src/server/utils/proxy-trust.d.ts +33 -0
- package/esm/src/server/utils/proxy-trust.d.ts.map +1 -0
- package/esm/src/server/utils/proxy-trust.js +41 -0
- package/esm/src/utils/version-constant.d.ts +1 -1
- package/esm/src/utils/version-constant.js +1 -1
- package/package.json +1 -1
- package/src/deno.js +1 -1
- package/src/src/agent/hosted-child-lifecycle.ts +121 -0
- package/src/src/agent/hosted-lifecycle.ts +159 -0
- package/src/src/agent/index.ts +15 -0
- package/src/src/agent/runtime/sse-utils.ts +9 -1
- package/src/src/channels/control-plane.ts +52 -0
- package/src/src/channels/invoke.ts +1 -1
- package/src/src/server/handlers/preview/hmr.handler.ts +32 -26
- package/src/src/server/runtime-handler/adapter-factory.ts +23 -3
- package/src/src/server/runtime-handler/index.ts +5 -2
- package/src/src/server/services/rsc/orchestrators/page-handler.ts +23 -1
- package/src/src/server/utils/proxy-trust.ts +56 -0
- package/src/src/utils/version-constant.ts +1 -1
package/esm/deno.js
CHANGED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
export interface HostedChildLifecycleTerminalState {
|
|
2
|
+
status: "completed" | "failed" | "cancelled";
|
|
3
|
+
usage?: {
|
|
4
|
+
inputTokens?: number;
|
|
5
|
+
outputTokens?: number;
|
|
6
|
+
totalTokens?: number;
|
|
7
|
+
};
|
|
8
|
+
terminalErrorCode?: string | null;
|
|
9
|
+
terminalErrorMessage?: string | null;
|
|
10
|
+
}
|
|
11
|
+
export interface HostedChildLifecycleCompletedState extends Omit<HostedChildLifecycleTerminalState, "status"> {
|
|
12
|
+
status: "completed";
|
|
13
|
+
}
|
|
14
|
+
export interface HostedChildLifecycleAdapter {
|
|
15
|
+
pending?: () => Promise<void> | void;
|
|
16
|
+
running?: () => Promise<void> | void;
|
|
17
|
+
completed?: (terminalState: HostedChildLifecycleTerminalState) => Promise<void> | void;
|
|
18
|
+
failed?: (terminalState: HostedChildLifecycleTerminalState) => Promise<void> | void;
|
|
19
|
+
cancelled?: (terminalState: HostedChildLifecycleTerminalState) => Promise<void> | void;
|
|
20
|
+
}
|
|
21
|
+
export interface HostedChildLifecycleErrorState extends Omit<HostedChildLifecycleTerminalState, "status"> {
|
|
22
|
+
status: "failed" | "cancelled";
|
|
23
|
+
}
|
|
24
|
+
export interface HostedChildLifecycleRunnerOptions<TResult> {
|
|
25
|
+
adapter: HostedChildLifecycleAdapter;
|
|
26
|
+
execute: () => Promise<TResult> | TResult;
|
|
27
|
+
resolveCompletedState?: (result: TResult) => Promise<HostedChildLifecycleCompletedState> | HostedChildLifecycleCompletedState;
|
|
28
|
+
resolveErrorState: (error: unknown) => Promise<HostedChildLifecycleErrorState> | HostedChildLifecycleErrorState;
|
|
29
|
+
onLifecycleError?: (error: unknown) => Promise<void> | void;
|
|
30
|
+
}
|
|
31
|
+
export type HostedChildLifecycleRunResult<TResult> = {
|
|
32
|
+
status: "completed";
|
|
33
|
+
result: TResult;
|
|
34
|
+
terminalState: HostedChildLifecycleTerminalState;
|
|
35
|
+
} | {
|
|
36
|
+
status: "failed" | "cancelled";
|
|
37
|
+
error: unknown;
|
|
38
|
+
terminalState: HostedChildLifecycleTerminalState;
|
|
39
|
+
};
|
|
40
|
+
export declare function runHostedChildLifecycle<TResult>(options: HostedChildLifecycleRunnerOptions<TResult>): Promise<HostedChildLifecycleRunResult<TResult>>;
|
|
41
|
+
//# sourceMappingURL=hosted-child-lifecycle.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hosted-child-lifecycle.d.ts","sourceRoot":"","sources":["../../../src/src/agent/hosted-child-lifecycle.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iCAAiC;IAChD,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,WAAW,CAAC;IAC7C,KAAK,CAAC,EAAE;QACN,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtC;AAED,MAAM,WAAW,kCACf,SAAQ,IAAI,CAAC,iCAAiC,EAAE,QAAQ,CAAC;IACzD,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACrC,OAAO,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACrC,SAAS,CAAC,EAAE,CACV,aAAa,EAAE,iCAAiC,KAC7C,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC1B,MAAM,CAAC,EAAE,CACP,aAAa,EAAE,iCAAiC,KAC7C,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC1B,SAAS,CAAC,EAAE,CACV,aAAa,EAAE,iCAAiC,KAC7C,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,8BACf,SAAQ,IAAI,CAAC,iCAAiC,EAAE,QAAQ,CAAC;IACzD,MAAM,EAAE,QAAQ,GAAG,WAAW,CAAC;CAChC;AAED,MAAM,WAAW,iCAAiC,CAAC,OAAO;IACxD,OAAO,EAAE,2BAA2B,CAAC;IACrC,OAAO,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAC1C,qBAAqB,CAAC,EAAE,CACtB,MAAM,EAAE,OAAO,KAEb,OAAO,CAAC,kCAAkC,CAAC,GAC3C,kCAAkC,CAAC;IACvC,iBAAiB,EAAE,CACjB,KAAK,EAAE,OAAO,KAEZ,OAAO,CAAC,8BAA8B,CAAC,GACvC,8BAA8B,CAAC;IACnC,gBAAgB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC7D;AAED,MAAM,MAAM,6BAA6B,CAAC,OAAO,IAC7C;IACA,MAAM,EAAE,WAAW,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;IAChB,aAAa,EAAE,iCAAiC,CAAC;CAClD,GACC;IACA,MAAM,EAAE,QAAQ,GAAG,WAAW,CAAC;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,EAAE,iCAAiC,CAAC;CAClD,CAAC;AAmBJ,wBAAsB,uBAAuB,CAAC,OAAO,EACnD,OAAO,EAAE,iCAAiC,CAAC,OAAO,CAAC,GAClD,OAAO,CAAC,6BAA6B,CAAC,OAAO,CAAC,CAAC,CAsCjD"}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
async function dispatchTerminalState(adapter, terminalState) {
|
|
2
|
+
if (terminalState.status === "cancelled") {
|
|
3
|
+
await adapter.cancelled?.(terminalState);
|
|
4
|
+
return;
|
|
5
|
+
}
|
|
6
|
+
if (terminalState.status === "failed") {
|
|
7
|
+
await adapter.failed?.(terminalState);
|
|
8
|
+
return;
|
|
9
|
+
}
|
|
10
|
+
await adapter.completed?.(terminalState);
|
|
11
|
+
}
|
|
12
|
+
export async function runHostedChildLifecycle(options) {
|
|
13
|
+
await options.adapter.pending?.();
|
|
14
|
+
await options.adapter.running?.();
|
|
15
|
+
let result;
|
|
16
|
+
try {
|
|
17
|
+
result = await options.execute();
|
|
18
|
+
}
|
|
19
|
+
catch (error) {
|
|
20
|
+
const terminalState = await options.resolveErrorState(error);
|
|
21
|
+
try {
|
|
22
|
+
await dispatchTerminalState(options.adapter, terminalState);
|
|
23
|
+
}
|
|
24
|
+
catch (lifecycleError) {
|
|
25
|
+
if (options.onLifecycleError) {
|
|
26
|
+
await options.onLifecycleError(lifecycleError);
|
|
27
|
+
}
|
|
28
|
+
else {
|
|
29
|
+
throw lifecycleError;
|
|
30
|
+
}
|
|
31
|
+
}
|
|
32
|
+
return {
|
|
33
|
+
status: terminalState.status,
|
|
34
|
+
error,
|
|
35
|
+
terminalState,
|
|
36
|
+
};
|
|
37
|
+
}
|
|
38
|
+
const terminalState = options.resolveCompletedState
|
|
39
|
+
? await options.resolveCompletedState(result)
|
|
40
|
+
: { status: "completed" };
|
|
41
|
+
await dispatchTerminalState(options.adapter, terminalState);
|
|
42
|
+
return {
|
|
43
|
+
status: "completed",
|
|
44
|
+
result,
|
|
45
|
+
terminalState,
|
|
46
|
+
};
|
|
47
|
+
}
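Review bot: The success path of `runHostedChildLifecycle` calls `dispatchTerminalState` without the guard the failure path has, so a throwing `completed` hook rejects the whole call even though `execute()` succeeded, and `onLifecycleError` is never consulted. The same gap exists for `resolveErrorState` inside the `catch`: if it throws, no terminal hook is dispatched and the original `execute()` error is replaced by the resolver's error. `pending` and `running` also run outside any guard, so a failure there leaves the child with no terminal state at all. I would route hook failures through one helper on both paths, as sketched below; the function is fully inside this hunk.

```javascript
async function reportLifecycleError(options, lifecycleError) {
    if (!options.onLifecycleError) {
        throw lifecycleError;
    }
    await options.onLifecycleError(lifecycleError);
}
// … unchanged: pending/running, execute(), failure path up to its return …
    const terminalState = options.resolveCompletedState
        ? await options.resolveCompletedState(result)
        : { status: "completed" };
    try {
        await dispatchTerminalState(options.adapter, terminalState);
    }
    catch (lifecycleError) {
        await reportLifecycleError(options, lifecycleError);
    }
    // … unchanged: return { status: "completed", result, terminalState } …
```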
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
export interface HostedLifecycleTerminalState {
|
|
2
|
+
status: "completed" | "failed" | "cancelled";
|
|
3
|
+
metadata?: {
|
|
4
|
+
modelId?: string;
|
|
5
|
+
usage?: {
|
|
6
|
+
inputTokens?: number;
|
|
7
|
+
outputTokens?: number;
|
|
8
|
+
cachedInputTokens?: number;
|
|
9
|
+
};
|
|
10
|
+
};
|
|
11
|
+
terminalErrorCode?: string | null;
|
|
12
|
+
terminalErrorMessage?: string | null;
|
|
13
|
+
}
|
|
14
|
+
export interface HostedLifecycleExecution<TChunk> {
|
|
15
|
+
stream: AsyncIterable<TChunk>;
|
|
16
|
+
waitForFinish: () => Promise<void>;
|
|
17
|
+
}
|
|
18
|
+
export interface HostedLifecycleAdapter<TRun, TChunk> {
|
|
19
|
+
startRun: (input: {
|
|
20
|
+
abortSignal: AbortSignal;
|
|
21
|
+
}) => Promise<TRun> | TRun;
|
|
22
|
+
appendEvents?: (run: TRun, chunk: TChunk) => Promise<void> | void;
|
|
23
|
+
persistTranscriptChunk?: (run: TRun, chunk: TChunk) => Promise<void> | void;
|
|
24
|
+
persistTranscriptTerminalState?: (run: TRun, terminalState: HostedLifecycleTerminalState) => Promise<void> | void;
|
|
25
|
+
onTerminalState?: (run: TRun, terminalState: HostedLifecycleTerminalState) => Promise<void> | void;
|
|
26
|
+
finalizeRun?: (run: TRun, terminalState: HostedLifecycleTerminalState) => Promise<void> | void;
|
|
27
|
+
cancelRun?: (run: TRun, terminalState: HostedLifecycleTerminalState) => Promise<void> | void;
|
|
28
|
+
}
|
|
29
|
+
export interface HostedLifecycleRunnerOptions<TRun, TChunk> {
|
|
30
|
+
abortSignal: AbortSignal;
|
|
31
|
+
execution: HostedLifecycleExecution<TChunk>;
|
|
32
|
+
adapter: HostedLifecycleAdapter<TRun, TChunk>;
|
|
33
|
+
resolveTerminalState: () => Promise<HostedLifecycleTerminalState> | HostedLifecycleTerminalState;
|
|
34
|
+
resolveErrorTerminalState?: (error: unknown) => Promise<HostedLifecycleTerminalState> | HostedLifecycleTerminalState;
|
|
35
|
+
}
|
|
36
|
+
export interface HostedLifecycleRunResult<TRun> {
|
|
37
|
+
run: TRun;
|
|
38
|
+
terminalState: HostedLifecycleTerminalState;
|
|
39
|
+
}
|
|
40
|
+
export declare function runHostedLifecycle<TRun, TChunk>(options: HostedLifecycleRunnerOptions<TRun, TChunk>): Promise<HostedLifecycleRunResult<TRun>>;
|
|
41
|
+
//# sourceMappingURL=hosted-lifecycle.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hosted-lifecycle.d.ts","sourceRoot":"","sources":["../../../src/src/agent/hosted-lifecycle.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,WAAW,CAAC;IAC7C,QAAQ,CAAC,EAAE;QACT,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,CAAC,EAAE;YACN,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,YAAY,CAAC,EAAE,MAAM,CAAC;YACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC;SAC5B,CAAC;KACH,CAAC;IACF,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtC;AAED,MAAM,WAAW,wBAAwB,CAAC,MAAM;IAC9C,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9B,aAAa,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,sBAAsB,CAAC,IAAI,EAAE,MAAM;IAClD,QAAQ,EAAE,CAAC,KAAK,EAAE;QAAE,WAAW,EAAE,WAAW,CAAA;KAAE,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACxE,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAClE,sBAAsB,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC5E,8BAA8B,CAAC,EAAE,CAC/B,GAAG,EAAE,IAAI,EACT,aAAa,EAAE,4BAA4B,KACxC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC1B,eAAe,CAAC,EAAE,CAChB,GAAG,EAAE,IAAI,EACT,aAAa,EAAE,4BAA4B,KACxC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC1B,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,aAAa,EAAE,4BAA4B,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC/F,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,aAAa,EAAE,4BAA4B,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAC9F;AAED,MAAM,WAAW,4BAA4B,CAAC,IAAI,EAAE,MAAM;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB,SAAS,EAAE,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,EAAE,sBAAsB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9C,oBAAoB,EAAE,MAAM,OAAO,CAAC,4BAA4B,CAAC,GAAG,4BAA4B,CAAC;IACjG,yBAAyB,CAAC,EAAE,CAC1B,KAAK,EAAE,OAAO,KACX,OAAO,CAAC,4BAA4B,CAAC,GAAG,4BAA4B,CAAC;CAC3E;AAED,MAAM,WAAW,wBAAwB,CAAC,IAAI;IAC5C,GAAG,EAAE,IAAI,CAAC;IACV,aAAa,EAAE,4BAA4B,CAAC;CAC7C;AA4ED,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EACnD,OAAO,EAAE,4BAA4B,CAAC,IAAI,EAAE,MAAM,CAAC,GAClD,OAAO,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAgCzC"}
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
function getTerminalErrorMessage(error) {
|
|
2
|
+
return error instanceof Error ? error.message : String(error);
|
|
3
|
+
}
|
|
4
|
+
function defaultErrorTerminalState(abortSignal, error) {
|
|
5
|
+
if (abortSignal.aborted) {
|
|
6
|
+
return {
|
|
7
|
+
status: "cancelled",
|
|
8
|
+
terminalErrorCode: "ABORTED",
|
|
9
|
+
terminalErrorMessage: getTerminalErrorMessage(error),
|
|
10
|
+
};
|
|
11
|
+
}
|
|
12
|
+
return {
|
|
13
|
+
status: "failed",
|
|
14
|
+
terminalErrorCode: "STREAM_ERROR",
|
|
15
|
+
terminalErrorMessage: getTerminalErrorMessage(error),
|
|
16
|
+
};
|
|
17
|
+
}
|
|
18
|
+
async function captureHookError(callback) {
|
|
19
|
+
if (!callback) {
|
|
20
|
+
return null;
|
|
21
|
+
}
|
|
22
|
+
try {
|
|
23
|
+
await callback();
|
|
24
|
+
return null;
|
|
25
|
+
}
|
|
26
|
+
catch (error) {
|
|
27
|
+
return error;
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
async function runTerminalHooks(input) {
|
|
31
|
+
let firstHookError = null;
|
|
32
|
+
const persistError = await captureHookError(() => input.adapter.persistTranscriptTerminalState?.(input.run, input.terminalState));
|
|
33
|
+
if (persistError) {
|
|
34
|
+
firstHookError = persistError;
|
|
35
|
+
}
|
|
36
|
+
const terminalObserverError = await captureHookError(() => input.adapter.onTerminalState?.(input.run, input.terminalState));
|
|
37
|
+
if (!firstHookError && terminalObserverError) {
|
|
38
|
+
firstHookError = terminalObserverError;
|
|
39
|
+
}
|
|
40
|
+
const terminalControlError = await captureHookError(() => input.terminalState.status === "cancelled"
|
|
41
|
+
? input.adapter.cancelRun?.(input.run, input.terminalState)
|
|
42
|
+
: input.adapter.finalizeRun?.(input.run, input.terminalState));
|
|
43
|
+
if (firstHookError) {
|
|
44
|
+
throw firstHookError;
|
|
45
|
+
}
|
|
46
|
+
if (terminalControlError) {
|
|
47
|
+
throw terminalControlError;
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
export async function runHostedLifecycle(options) {
|
|
51
|
+
const run = await options.adapter.startRun({ abortSignal: options.abortSignal });
|
|
52
|
+
try {
|
|
53
|
+
for await (const chunk of options.execution.stream) {
|
|
54
|
+
await options.adapter.appendEvents?.(run, chunk);
|
|
55
|
+
await options.adapter.persistTranscriptChunk?.(run, chunk);
|
|
56
|
+
}
|
|
57
|
+
await options.execution.waitForFinish();
|
|
58
|
+
}
|
|
59
|
+
catch (error) {
|
|
60
|
+
const terminalState = options.resolveErrorTerminalState
|
|
61
|
+
? await options.resolveErrorTerminalState(error)
|
|
62
|
+
: defaultErrorTerminalState(options.abortSignal, error);
|
|
63
|
+
await runTerminalHooks({
|
|
64
|
+
run,
|
|
65
|
+
terminalState,
|
|
66
|
+
adapter: options.adapter,
|
|
67
|
+
}).catch(() => undefined);
|
|
68
|
+
throw error;
|
|
69
|
+
}
|
|
70
|
+
const terminalState = await options.resolveTerminalState();
|
|
71
|
+
await runTerminalHooks({
|
|
72
|
+
run,
|
|
73
|
+
terminalState,
|
|
74
|
+
adapter: options.adapter,
|
|
75
|
+
});
|
|
76
|
+
return { run, terminalState };
|
|
77
|
+
}
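Review bot: On the failure path of `runHostedLifecycle`, `.catch(() => undefined)` discards every error from `runTerminalHooks`, so a failed `persistTranscriptTerminalState` or `cancelRun` leaves no trace and the run can stay open in whatever store the adapter writes to. `runTerminalHooks` also keeps only the first hook error and drops the rest. The hook failure should be reported before the stream error is rethrown, e.g. `.catch((hookError) => reportHookError(hookError))`, where `reportHookError` stands for whichever logger or optional callback the module settles on (hosted-child-lifecycle.js already takes `onLifecycleError` for this purpose). Separately, `defaultErrorTerminalState` copies the raw `error.message` into `terminalErrorMessage`, which is then handed to the persistence hooks; if transcripts are shown to end users (not visible here), that text should be replaced by a fixed message per `terminalErrorCode`.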
|
package/esm/src/agent/index.d.ts
CHANGED
|
@@ -89,6 +89,8 @@ export { type AgUiRuntimeContextItem, AgUiRuntimeContextItemSchema, type AgUiRun
|
|
|
89
89
|
export { normalizeAgUiRuntimeMessages } from "./ag-ui-runtime-support.js";
|
|
90
90
|
export { type AgUiBrowserEncodedEvent, type AgUiBrowserEncoderState, type AgUiBrowserRunFinishedMetadata, type AgUiRuntimeStreamEvent, buildAgUiBrowserFinalizeResponse, createAgUiBrowserEncoderState, finalizeAgUiBrowserEvents, mapRuntimeStreamEventToAgUiBrowserEvents, } from "./ag-ui-browser-encoder.js";
|
|
91
91
|
export { type AgUiBrowserResponseEncoder, type AgUiBrowserResponseExecution, type AgUiBrowserResponseRequestState, createAgUiBrowserResponseStream, type CreateAgUiBrowserResponseStreamInput, } from "./ag-ui-browser-response-stream.js";
|
|
92
|
+
export { type HostedChildLifecycleAdapter, type HostedChildLifecycleRunnerOptions, type HostedChildLifecycleRunResult, type HostedChildLifecycleTerminalState, runHostedChildLifecycle, } from "./hosted-child-lifecycle.js";
|
|
93
|
+
export { type HostedLifecycleAdapter, type HostedLifecycleExecution, type HostedLifecycleRunnerOptions, type HostedLifecycleRunResult, type HostedLifecycleTerminalState, runHostedLifecycle, } from "./hosted-lifecycle.js";
|
|
92
94
|
export { mergeToolCallInput, mergeToolInputDelta, parseDataStreamSseEvents, parseToolInputObject, streamDataStreamEvents, stripLeadingEmptyObjectPlaceholder, } from "./data-stream.js";
|
|
93
95
|
export { expandAllowedRemoteToolNames, getProviderNativeToolNames, type ProviderNativeToolInventoryOptions, } from "./provider-native-tool-inventory.js";
|
|
94
96
|
export { type AgUiDetachedStartAccepted, AgUiDetachedStartAcceptedSchema, type AgUiDetachedStartHandlerOptions, type AgUiDetachedStartRequest, AgUiDetachedStartRequestSchema, createAgUiDetachedStartHandler, executeAgUiDetachedStart, type ExecuteAgUiDetachedStartInput, } from "./ag-ui-detached-start.js";
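Review bot: The new re-export from `./hosted-child-lifecycle.js` leaves out `HostedChildLifecycleCompletedState` and `HostedChildLifecycleErrorState`, which are the return types of `resolveCompletedState` and `resolveErrorState` in `HostedChildLifecycleRunnerOptions`. A consumer who wants to annotate those callbacks has to import from the module path directly or restate the shape. Add `type HostedChildLifecycleCompletedState, type HostedChildLifecycleErrorState,` to the export list in the `index.ts` this declaration file is generated from.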
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/src/agent/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+EG;AACH,OAAO,yBAAyB,CAAC;AAGjC,YAAY,EACV,KAAK,EACL,WAAW,EACX,YAAY,EACZ,eAAe,EACf,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,OAAO,IAAI,YAAY,EACvB,WAAW,EACX,aAAa,EACb,WAAW,EACX,qBAAqB,EACrB,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEnF,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,YAAY,EACZ,iBAAiB,EACjB,KAAK,MAAM,EACX,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,WAAW,EACX,KAAK,iBAAiB,EACtB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,WAAW,EACX,cAAc,EACd,QAAQ,EACR,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,YAAY,GAClB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AACrC,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,iCAAiC,EACtC,KAAK,yBAAyB,EAC9B,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,wBAAwB,GACzB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,KAAK,sBAAsB,EAC3B,4BAA4B,EAC5B,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,uBAAuB,EACvB,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC1E,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,8BAA8B,EACnC,KAAK,sBAAsB,EAC3B,gCAAgC,EAChC,6BAA6B,EAC7B,yBAAyB,EACzB,wCAAwC,GACzC,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,4BAA4B,EACjC,KAAK,+BAA+B,EACpC,+BAA+B,EAC/B,KAAK,oCAAoC,GAC1C,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,EACpB,sBAAsB,EACtB,kCAAkC,GACnC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,KAAK,kCAAkC,GACxC,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EACL,KAAK,yBAAyB,EAC9B,+BAA+B,EAC/B,KAAK,+BAA+B,EACpC,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,8BAA8B,EAC9B,wBAAwB,EACxB,KAAK,6B
AA6B,GACnC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,KAAK,YAAY,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,uBAAuB,EACvB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,4BAA4B,EAC5B,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,0BAA0B,EAC/B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,KAAK,8BAA8B,EACnC,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAC7B,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/src/agent/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+EG;AACH,OAAO,yBAAyB,CAAC;AAGjC,YAAY,EACV,KAAK,EACL,WAAW,EACX,YAAY,EACZ,eAAe,EACf,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,OAAO,IAAI,YAAY,EACvB,WAAW,EACX,aAAa,EACb,WAAW,EACX,qBAAqB,EACrB,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,YAAY,EACZ,oBAAoB,EACpB,qBAAqB,EACrB,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEnF,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,YAAY,EACZ,iBAAiB,EACjB,KAAK,MAAM,EACX,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,WAAW,EACX,KAAK,iBAAiB,EACtB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,WAAW,EACX,cAAc,EACd,QAAQ,EACR,gBAAgB,EAChB,cAAc,EACd,aAAa,EACb,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,YAAY,GAClB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AACrC,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,iCAAiC,EACtC,KAAK,yBAAyB,EAC9B,KAAK,8BAA8B,EACnC,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,wBAAwB,GACzB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,KAAK,sBAAsB,EAC3B,4BAA4B,EAC5B,KAAK,uBAAuB,EAC5B,6BAA6B,EAC7B,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,KAAK,kBAAkB,EACvB,wBAAwB,EACxB,uBAAuB,EACvB,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAC1E,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,8BAA8B,EACnC,KAAK,sBAAsB,EAC3B,gCAAgC,EAChC,6BAA6B,EAC7B,yBAAyB,EACzB,wCAAwC,GACzC,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,4BAA4B,EACjC,KAAK,+BAA+B,EACpC,+BAA+B,EAC/B,KAAK,oCAAoC,GAC1C,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EACL,KAAK,2BAA2B,EAChC,KAAK,iCAAiC,EACtC,KAAK,6BAA6B,EAClC,KAAK,iCAAiC,EACtC,uBAAuB,GACxB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,wBAAwB,EAC7B,KAAK,4BAA4B,EACjC,KAAK,wBAAwB,EAC7B,KAAK,4BAA4B,EACjC,kBAAkB,GACnB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,wBAAwB,EACxB,oBAAoB,E
ACpB,sBAAsB,EACtB,kCAAkC,GACnC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,KAAK,kCAAkC,GACxC,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EACL,KAAK,yBAAyB,EAC9B,+BAA+B,EAC/B,KAAK,+BAA+B,EACpC,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,8BAA8B,EAC9B,wBAAwB,EACxB,KAAK,6BAA6B,GACnC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,uBAAuB,GACxB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,KAAK,YAAY,EACjB,uBAAuB,EACvB,0BAA0B,EAC1B,qBAAqB,EACrB,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,WAAW,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,KAAK,wBAAwB,EAC7B,8BAA8B,EAC9B,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,EAC3B,uBAAuB,EACvB,KAAK,gBAAgB,EACrB,sBAAsB,EACtB,qBAAqB,EACrB,4BAA4B,EAC5B,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,0BAA0B,EAC/B,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,EACvB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,KAAK,8BAA8B,EACnC,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAC7B,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC"}
|
package/esm/src/agent/index.js
CHANGED
|
@@ -88,6 +88,8 @@ export { AgUiRuntimeContextItemSchema, AgUiRuntimeInjectedToolSchema, AgUiRuntim
|
|
|
88
88
|
export { normalizeAgUiRuntimeMessages } from "./ag-ui-runtime-support.js";
|
|
89
89
|
export { buildAgUiBrowserFinalizeResponse, createAgUiBrowserEncoderState, finalizeAgUiBrowserEvents, mapRuntimeStreamEventToAgUiBrowserEvents, } from "./ag-ui-browser-encoder.js";
|
|
90
90
|
export { createAgUiBrowserResponseStream, } from "./ag-ui-browser-response-stream.js";
|
|
91
|
+
export { runHostedChildLifecycle, } from "./hosted-child-lifecycle.js";
|
|
92
|
+
export { runHostedLifecycle, } from "./hosted-lifecycle.js";
|
|
91
93
|
export { mergeToolCallInput, mergeToolInputDelta, parseDataStreamSseEvents, parseToolInputObject, streamDataStreamEvents, stripLeadingEmptyObjectPlaceholder, } from "./data-stream.js";
|
|
92
94
|
export { expandAllowedRemoteToolNames, getProviderNativeToolNames, } from "./provider-native-tool-inventory.js";
|
|
93
95
|
export { AgUiDetachedStartAcceptedSchema, AgUiDetachedStartRequestSchema, createAgUiDetachedStartHandler, executeAgUiDetachedStart, } from "./ag-ui-detached-start.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sse-utils.d.ts","sourceRoot":"","sources":["../../../../src/src/agent/runtime/sse-utils.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH;;;GAGG;AACH,wBAAgB,OAAO,CACrB,UAAU,EAAE,+BAA+B,EAC3C,OAAO,EAAE,WAAW,EACpB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,IAAI,
|
|
1
|
+
{"version":3,"file":"sse-utils.d.ts","sourceRoot":"","sources":["../../../../src/src/agent/runtime/sse-utils.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH;;;GAGG;AACH,wBAAgB,OAAO,CACrB,UAAU,EAAE,+BAA+B,EAC3C,OAAO,EAAE,WAAW,EACpB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,IAAI,CAUN;AAED,wBAAgB,cAAc,CAAC,UAAU,EAAE,+BAA+B,GAAG,IAAI,CAUhF;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}
|
|
@@ -14,7 +14,15 @@ function isClosedStreamControllerError(error) {
|
|
|
14
14
|
* Formats event as: data: {json}\n\n
|
|
15
15
|
*/
|
|
16
16
|
export function sendSSE(controller, encoder, event) {
|
|
17
|
-
|
|
17
|
+
try {
|
|
18
|
+
controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}\n\n`));
|
|
19
|
+
}
|
|
20
|
+
catch (error) {
|
|
21
|
+
if (isClosedStreamControllerError(error)) {
|
|
22
|
+
return;
|
|
23
|
+
}
|
|
24
|
+
throw error;
|
|
25
|
+
}
|
|
18
26
|
}
|
|
19
27
|
export function closeSSEStream(controller) {
|
|
20
28
|
try {
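Review bot: `sendSSE` now returns silently when the controller is already closed, so a caller cannot tell a delivered event from a dropped one and will keep producing events for a client that has gone away. Returning a boolean, `return true;` after the `enqueue` call and `return false;` in the closed-controller branch, would let stream producers stop work early, and callers that ignore the result are unaffected. `isClosedStreamControllerError` is defined above this hunk, so how narrowly it matches is not visible here; a short comment at the call site naming the error it is expected to recognise would help. `closeSSEStream` continues past the end of the hunk.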
|
|
@@ -159,6 +159,27 @@ export interface RuntimeAgentDiscoveryDeps {
|
|
|
159
159
|
getAllAgentIds: () => string[];
|
|
160
160
|
}
|
|
161
161
|
export declare function listRuntimeAgents(ctx: HandlerContext, deps: RuntimeAgentDiscoveryDeps): Promise<RuntimeAgentListResponse>;
|
|
162
|
+
/**
|
|
163
|
+
* Verify the Ed25519 signature of a dispatch JWS and the recency of its
|
|
164
|
+
* timestamps, without binding to a particular request body or audience.
|
|
165
|
+
*
|
|
166
|
+
* This is intentionally weaker than {@link verifyDispatchJws}: it answers
|
|
167
|
+
* "was this JWS minted by a holder of the control-plane private key and is it
|
|
168
|
+
* still fresh?" and is used as a trust signal in code paths (proxy-trust,
|
|
169
|
+
* adapter selection) that don't yet have access to the authoritative request
|
|
170
|
+
* body or project audience. Callers that consume request payloads MUST still
|
|
171
|
+
* call {@link verifyDispatchJws} / {@link verifyControlPlaneJws} to bind the
|
|
172
|
+
* signature to the body and project.
|
|
173
|
+
*
|
|
174
|
+
* Returns true iff the signature verifies and `iat`/`exp` are within the
|
|
175
|
+
* allowed skew and max-age window. All other failures (including parsing
|
|
176
|
+
* errors) resolve to false so callers can treat the signal as present-but-not-
|
|
177
|
+
* proven without raising.
|
|
178
|
+
*/
|
|
179
|
+
export declare function verifyDispatchJwsSignature(jws: string, options: {
|
|
180
|
+
publicKeyPem: string;
|
|
181
|
+
maxAgeSeconds: number;
|
|
182
|
+
}): Promise<boolean>;
|
|
162
183
|
export declare function verifyDispatchJws(jws: string, body: string, options: {
|
|
163
184
|
audience: string;
|
|
164
185
|
expectedPlatform?: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"control-plane.d.ts","sourceRoot":"","sources":["../../../src/src/channels/control-plane.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAUxB,eAAO,MAAM,yBAAyB;;;;;EAA+C,CAAC;AAEtF,eAAO,MAAM,mCAAmC;;;;;;;;;iBAI9C,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;iBAMlC,CAAC;AAEH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;2BAgBvC,CAAC;AAEH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;iBAGxC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAQ7B,CAAC;AAEH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAEzC,CAAC;AAEH,QAAA,MAAM,oBAAoB;;;;;;;;;iBASxB,CAAC;AAEH,QAAA,MAAM,wBAAwB;;;;;;;;;;;;;;iBAS5B,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mCAAmC,CAAC,CAAC;AAChG,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AACpF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E,MAAM,WAAW,yBAAyB;IACxC,sBAAsB,EAAE,CAAC,GAAG,EAAE,cAAc,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,KAAK,GAAG,SAAS,CAAC;IAC5C,cAAc,EAAE,MAAM,MAAM,EAAE,CAAC;CAChC;AAiLD,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,yBAAyB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CAUnC;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE;IACP,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GACA,OAAO,CAAC,cAAc,CAAC,CAmBzB;AAED,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE;IACP,QAAQ,EAAE,
MAAM,CAAC;IACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GACA,OAAO,CAAC,kBAAkB,CAAC,CAmB7B"}
|
|
1
|
+
{"version":3,"file":"control-plane.d.ts","sourceRoot":"","sources":["../../../src/src/channels/control-plane.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAUxB,eAAO,MAAM,yBAAyB;;;;;EAA+C,CAAC;AAEtF,eAAO,MAAM,mCAAmC;;;;;;;;;iBAI9C,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;iBAMlC,CAAC;AAEH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;2BAgBvC,CAAC;AAEH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;iBAGxC,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAQ7B,CAAC;AAEH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAEzC,CAAC;AAEH,QAAA,MAAM,oBAAoB;;;;;;;;;iBASxB,CAAC;AAEH,QAAA,MAAM,wBAAwB;;;;;;;;;;;;;;iBAS5B,CAAC;AAEH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAC5E,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mCAAmC,CAAC,CAAC;AAChG,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AACpF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAClE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAE1E,MAAM,WAAW,yBAAyB;IACxC,sBAAsB,EAAE,CAAC,GAAG,EAAE,cAAc,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,KAAK,GAAG,SAAS,CAAC;IAC5C,cAAc,EAAE,MAAM,MAAM,EAAE,CAAC;CAChC;AAiLD,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,yBAAyB,GAC9B,OAAO,CAAC,wBAAwB,CAAC,CAUnC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,0BAA0B,CAC9C,GAAG,EAAE,MAAM,EACX,OAAO,EAAE;IACP,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB,GACA,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE;IACP,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa
,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GACA,OAAO,CAAC,cAAc,CAAC,CAmBzB;AAED,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE;IACP,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB,GACA,OAAO,CAAC,kBAAkB,CAAC,CAmB7B"}
|
|
@@ -197,6 +197,54 @@ export async function listRuntimeAgents(ctx, deps) {
|
|
|
197
197
|
.sort((left, right) => left.name.localeCompare(right.name));
|
|
198
198
|
return RuntimeAgentListResponseSchema.parse({ agents });
|
|
199
199
|
}
|
|
200
|
+
/**
|
|
201
|
+
* Verify the Ed25519 signature of a dispatch JWS and the recency of its
|
|
202
|
+
* timestamps, without binding to a particular request body or audience.
|
|
203
|
+
*
|
|
204
|
+
* This is intentionally weaker than {@link verifyDispatchJws}: it answers
|
|
205
|
+
* "was this JWS minted by a holder of the control-plane private key and is it
|
|
206
|
+
* still fresh?" and is used as a trust signal in code paths (proxy-trust,
|
|
207
|
+
* adapter selection) that don't yet have access to the authoritative request
|
|
208
|
+
* body or project audience. Callers that consume request payloads MUST still
|
|
209
|
+
* call {@link verifyDispatchJws} / {@link verifyControlPlaneJws} to bind the
|
|
210
|
+
* signature to the body and project.
|
|
211
|
+
*
|
|
212
|
+
* Returns true iff the signature verifies and `iat`/`exp` are within the
|
|
213
|
+
* allowed skew and max-age window. All other failures (including parsing
|
|
214
|
+
* errors) resolve to false so callers can treat the signal as present-but-not-
|
|
215
|
+
* proven without raising.
|
|
216
|
+
*/
|
|
217
|
+
export async function verifyDispatchJwsSignature(jws, options) {
|
|
218
|
+
try {
|
|
219
|
+
const parts = jws.split(".");
|
|
220
|
+
if (parts.length !== 3)
|
|
221
|
+
return false;
|
|
222
|
+
const [encodedHeader, encodedPayload, encodedSignature] = parts;
|
|
223
|
+
if (!encodedHeader || !encodedPayload || !encodedSignature)
|
|
224
|
+
return false;
|
|
225
|
+
compactJwsHeaderSchema.parse(parseCompactJwsPart(encodedHeader));
|
|
226
|
+
const claims = dispatchClaimsSchema.parse(parseCompactJwsPart(encodedPayload));
|
|
227
|
+
const signingInput = new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`);
|
|
228
|
+
const signature = base64urlDecodeToBytes(encodedSignature);
|
|
229
|
+
const publicKey = await importEd25519PublicKey(options.publicKeyPem);
|
|
230
|
+
const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey, signature, signingInput);
|
|
231
|
+
if (!verified)
|
|
232
|
+
return false;
|
|
233
|
+
if (claims.iss !== "veryfront-api")
|
|
234
|
+
return false;
|
|
235
|
+
const now = Math.floor(Date.now() / 1000);
|
|
236
|
+
if (claims.exp <= now)
|
|
237
|
+
return false;
|
|
238
|
+
if (claims.iat > now + SIGNATURE_SKEW_SECONDS)
|
|
239
|
+
return false;
|
|
240
|
+
if (now - claims.iat > options.maxAgeSeconds)
|
|
241
|
+
return false;
|
|
242
|
+
return true;
|
|
243
|
+
}
|
|
244
|
+
catch {
|
|
245
|
+
return false;
|
|
246
|
+
}
|
|
247
|
+
}
|
|
200
248
|
export async function verifyDispatchJws(jws, body, options) {
|
|
201
249
|
return verifySignedRequestJws(jws, body, {
|
|
202
250
|
audience: options.audience,
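Review bot: `verifyDispatchJwsSignature` accepts any unexpired JWS signed by the control-plane key, so a token minted for one project or request remains a valid trust signal for every other request until `maxAgeSeconds` runs out. The docstring says the missing body and audience binding is deliberate, but the code paths it names (proxy-trust, adapter selection) presumably use the result to decide whether forwarded headers are honoured, which makes that replay window the effective security boundary. I would say so in the docstring, e.g. `* NOTE: not bound to request or audience; a valid JWS is reusable until maxAgeSeconds elapses, so keep that window short.`, and check an expected audience whenever the caller has one. Separately, the bare `catch` also swallows a failing `importEd25519PublicKey`, so a malformed configured key looks the same as a bad token; logging that case would help operators tell them apart.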
|
|
@@ -139,7 +139,7 @@ export interface ChannelInvokeDeps extends RuntimeAgentDiscoveryDeps {
|
|
|
139
139
|
}
|
|
140
140
|
export declare const defaultChannelInvokeDeps: ChannelInvokeDeps;
|
|
141
141
|
export declare function listChannelAssistants(ctx: HandlerContext, deps: ChannelInvokeDeps): Promise<ChannelAssistantsResponse>;
|
|
142
|
-
export { verifyDispatchJws } from "./control-plane.js";
|
|
142
|
+
export { verifyDispatchJws, verifyDispatchJwsSignature } from "./control-plane.js";
|
|
143
143
|
export declare function normalizeConversationHistoryForRuntime(messages: ChannelInvokeRequest["conversationHistory"]): Message[];
|
|
144
144
|
export declare function resolveChannelInvokeAgent(assistantId: string, deps: Pick<ChannelInvokeDeps, "getAgent">): Agent | undefined;
|
|
145
145
|
export declare function buildChannelResponseParts(response: AgentResponse): ChannelResponsePart[];
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invoke.d.ts","sourceRoot":"","sources":["../../../src/src/channels/invoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,YAAY,IAAI,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEvF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAKxB,OAAO,EAAqB,KAAK,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AA4CvF,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAAiC,CAAC;AAEzE,eAAO,MAAM,8BAA8B;;;;iBAIzC,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;iBAKjC,CAAC;AAEH,eAAO,MAAM,+BAA+B;;;;;;;iBAE1C,CAAC;AAiCH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;2BAMpC,CAAC;AAEH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAYtC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF,KAAK,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AACrE,MAAM,WAAW,iBAAkB,SAAQ,yBAAyB;CAAG;AAEvE,eAAO,MAAM,wBAAwB,EAAE,iBAItC,CAAC;AAEF,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,yBAAyB,CAAC,CAYpC;AACD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"invoke.d.ts","sourceRoot":"","sources":["../../../src/src/channels/invoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,YAAY,IAAI,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEvF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAKxB,OAAO,EAAqB,KAAK,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AA4CvF,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAAiC,CAAC;AAEzE,eAAO,MAAM,8BAA8B;;;;iBAIzC,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;iBAKjC,CAAC;AAEH,eAAO,MAAM,+BAA+B;;;;;;;iBAE1C,CAAC;AAiCH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;2BAMpC,CAAC;AAEH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAYtC,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AACtF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF,KAAK,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AACrE,MAAM,WAAW,iBAAkB,SAAQ,yBAAyB;CAAG;AAEvE,eAAO,MAAM,wBAAwB,EAAE,iBAItC,CAAC;AAEF,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,yBAAyB,CAAC,CAYpC;AACD,OAAO,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAqCnF,wBAAgB,sCAAsC,CACpD,QAAQ,EAAE,oBAAoB,CAAC,qBAAqB,CAAC,GACpD,OAAO,EAAE,CAUX;AAED,wBAAgB,yBAAyB,CACvC,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,IAAI,CAAC,iBAAiB,EAAE,UAAU,CAAC,GACxC,KAAK,GAAG,SAAS,CAEnB;AAsDD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,aAAa,GAAG,mBAAmB,EAAE,CAiDxF;AAgBD,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,oBAAoB,EAC7B,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,qBAAqB,CAAC,CAkEhC"}
|
|
@@ -116,7 +116,7 @@ export async function listChannelAssistants(ctx, deps) {
|
|
|
116
116
|
}));
|
|
117
117
|
return ChannelAssistantsResponseSchema.parse({ assistants });
|
|
118
118
|
}
|
|
119
|
-
export { verifyDispatchJws } from "./control-plane.js";
|
|
119
|
+
export { verifyDispatchJws, verifyDispatchJwsSignature } from "./control-plane.js";
|
|
120
120
|
function normalizeConversationPart(part) {
|
|
121
121
|
if (part.type === "text" && typeof part.text === "string") {
|
|
122
122
|
return { type: "text", text: part.text };
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hmr.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/hmr.handler.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,eAAe,EAEpB,KAAK,aAAa,EACnB,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"hmr.handler.d.ts","sourceRoot":"","sources":["../../../../../src/src/server/handlers/preview/hmr.handler.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,eAAe,EAEpB,KAAK,aAAa,EACnB,MAAM,aAAa,CAAC;AAsBrB,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAK7D,qBAAa,UAAW,SAAQ,WAAW;IACzC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAgD;IAC1E,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAA6B;IAC7D,OAAO,CAAC,MAAM,CAAC,4BAA4B,CAAK;IAChD,OAAO,CAAC,MAAM,CAAC,WAAW,CAAS;IAEnC,QAAQ,EAAE,eAAe,CAKvB;IAEF,OAAO,CAAC,MAAM,CAAC,UAAU;IAsCnB,MAAM,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IA8JvE;;;;;OAKG;YACW,wBAAwB;IAuCtC,MAAM,CAAC,cAAc,IAAI,MAAM;IAI/B,MAAM,CAAC,UAAU,IAAI;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,cAAc,EAAE,MAAM,CAAC;QACvB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,iBAAiB,EAAE,MAAM,CAAC;KAC3B;IAID,MAAM,CAAC,+BAA+B,IAAI,MAAM,IAAI;IAWpD,MAAM,CAAC,QAAQ,IAAI,IAAI;IAcvB,OAAO,CAAC,MAAM,CAAC,cAAc;CAO9B"}
|
|
@@ -11,6 +11,8 @@ import { addClient, clearAll, getClient, getClientCount, getClientDetails, remov
|
|
|
11
11
|
import { getPingIntervalMs, startPingInterval, stopPingInterval } from "./hmr-ping-keepalive.js";
|
|
12
12
|
import { broadcastUpdate, getMetrics } from "./hmr-message-router.js";
|
|
13
13
|
import { getEffectiveRequestHost } from "../../utils/request-host.js";
|
|
14
|
+
import { isProxyTrusted } from "../../utils/proxy-trust.js";
|
|
15
|
+
import { getHostEnv } from "../../../platform/compat/process.js";
|
|
14
16
|
const logger = serverLogger.component("hmr-handler");
|
|
15
17
|
// Priority between auth (0) and high (100)
|
|
16
18
|
const PRIORITY_HMR = HandlerPriority.EARLY;
|
|
@@ -56,14 +58,24 @@ export class HMRHandler extends BaseHandler {
|
|
|
56
58
|
pingIntervalMs: getPingIntervalMs(),
|
|
57
59
|
});
|
|
58
60
|
}
|
|
59
|
-
handle(req, ctx) {
|
|
61
|
+
async handle(req, ctx) {
|
|
60
62
|
if (!this.shouldHandle(req, ctx))
|
|
61
|
-
return
|
|
63
|
+
return this.continue();
|
|
62
64
|
const url = new URL(req.url);
|
|
63
65
|
const queryEnv = url.searchParams.get("x-environment");
|
|
64
66
|
const isPreviewMode = ctx.requestContext?.mode === "preview" || queryEnv === "preview";
|
|
65
67
|
const isLocal = !!ctx.isLocalProject;
|
|
66
|
-
|
|
68
|
+
// SECURITY: x-forwarded-host is client-controlled unless we trust the upstream proxy.
|
|
69
|
+
// Honouring it unconditionally lets any remote client present `x-forwarded-host: localhost`
|
|
70
|
+
// and unlock the localhost short-circuit that opens HMR (VULN-SRV-4). Only consult
|
|
71
|
+
// forwarded headers when the request is proxy-trusted; otherwise use Host / url.host.
|
|
72
|
+
// Proxy trust requires a verifiable dispatch JWS (or operator opt-in) — mere header
|
|
73
|
+
// presence is not enough, since `x-veryfront-dispatch-jws` is not stripped on ingress.
|
|
74
|
+
const publicKeyPem = ctx.adapter?.env?.get("CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY") ??
|
|
75
|
+
getHostEnv("CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY");
|
|
76
|
+
const host = (await isProxyTrusted(req, { publicKeyPem }))
|
|
77
|
+
? getEffectiveRequestHost(req, url)
|
|
78
|
+
: (req.headers.get("host") ?? url.host);
|
|
67
79
|
const isLocalhost = isLocalDevHost(host);
|
|
68
80
|
if (!isPreviewMode && !isLocal && !isLocalhost) {
|
|
69
81
|
logger.warn("Skipping /_ws - not preview, local dev, or localhost", {
|
|
@@ -75,7 +87,7 @@ export class HMRHandler extends BaseHandler {
|
|
|
75
87
|
isLocal,
|
|
76
88
|
isLocalhost,
|
|
77
89
|
});
|
|
78
|
-
return
|
|
90
|
+
return this.continue();
|
|
79
91
|
}
|
|
80
92
|
HMRHandler.initialize();
|
|
81
93
|
// In proxy mode, ensure the adapter is initialized so WebSocketManager connects
|
|
@@ -90,7 +102,7 @@ export class HMRHandler extends BaseHandler {
|
|
|
90
102
|
});
|
|
91
103
|
}
|
|
92
104
|
if (req.headers.get("upgrade")?.toLowerCase() !== "websocket") {
|
|
93
|
-
return
|
|
105
|
+
return this.respond(new Response(JSON.stringify({
|
|
94
106
|
status: "ok",
|
|
95
107
|
clients: getClientCount(),
|
|
96
108
|
clientDetails: getClientDetails(),
|
|
@@ -99,10 +111,10 @@ export class HMRHandler extends BaseHandler {
|
|
|
99
111
|
reloadNotifierMetrics: ReloadNotifier.getMetrics(),
|
|
100
112
|
},
|
|
101
113
|
message: "HMR WebSocket endpoint - connect via WebSocket",
|
|
102
|
-
}), { headers: { "content-type": "application/json" } }))
|
|
114
|
+
}), { headers: { "content-type": "application/json" } }));
|
|
103
115
|
}
|
|
104
116
|
if (!ctx.adapter?.server) {
|
|
105
|
-
return
|
|
117
|
+
return this.respond(new Response("WebSocket not supported", { status: 501 }));
|
|
106
118
|
}
|
|
107
119
|
try {
|
|
108
120
|
const { socket, response } = ctx.adapter.server.upgradeWebSocket(req);
|
|
@@ -180,11 +192,11 @@ export class HMRHandler extends BaseHandler {
|
|
|
180
192
|
projectSlug: ctx.projectSlug,
|
|
181
193
|
totalClients: getClientCount(),
|
|
182
194
|
});
|
|
183
|
-
return
|
|
195
|
+
return this.respond(response);
|
|
184
196
|
}
|
|
185
197
|
catch (error) {
|
|
186
198
|
logger.error("WebSocket upgrade failed", { error });
|
|
187
|
-
return
|
|
199
|
+
return this.respond(new Response("WebSocket upgrade failed", { status: 500 }));
|
|
188
200
|
}
|
|
189
201
|
}
|
|
190
202
|
/**
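Review bot: In `handle`, the untrusted branch falls back to `req.headers.get("host") ?? url.host`, and `Host` is supplied by the client just as `x-forwarded-host` is, so `isLocalDevHost(host)` can still be satisfied by a header value on a listener that is reachable directly. Whether the runtime is exposed that way, and how `req.url` is derived, is not visible here, so treat this as something to confirm. I would decide locality from something the client cannot set (for example `ctx.isLocalProject` or the listener's bind address), or skip the `isLocalhost` shortcut when the server runs in proxy mode. At minimum add `// NOTE: Host is client-supplied as well; isLocalhost alone must not open HMR on a public listener.` above the `host` assignment. The body of `handle` spans several hunks and continues outside them.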
|
|
@@ -21,6 +21,11 @@ interface AdapterResolutionResult {
|
|
|
21
21
|
isLocalProject: boolean;
|
|
22
22
|
}
|
|
23
23
|
interface AdapterResolutionOptions {
|
|
24
|
+
/**
|
|
25
|
+
* Inbound request. Used to determine whether forwarded headers such as
|
|
26
|
+
* `x-project-path` can be trusted (see {@link isProxyTrusted}).
|
|
27
|
+
*/
|
|
28
|
+
req: Request;
|
|
24
29
|
/** Base project directory */
|
|
25
30
|
projectDir: string;
|
|
26
31
|
/** Base adapter */
|
|
@@ -43,8 +48,6 @@ interface AdapterResolutionOptions {
|
|
|
43
48
|
environmentName: string | undefined;
|
|
44
49
|
/** Parsed domain info */
|
|
45
50
|
parsedDomain: ParsedDomain;
|
|
46
|
-
/** Project path from header */
|
|
47
|
-
headerProjectPath: string | undefined;
|
|
48
51
|
/** Whether running in proxy mode */
|
|
49
52
|
isProxyMode: boolean;
|
|
50
53
|
/** Optional injectable cache (defaults to module-level singleton) */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapter-factory.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/adapter-factory.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AAGtE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,OAAO,EAGL,KAAK,qBAAqB,EAC3B,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"adapter-factory.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/adapter-factory.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AAGtE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,OAAO,EAGL,KAAK,qBAAqB,EAC3B,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAQ9D,UAAU,uBAAuB;IAC/B,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,OAAO,EAAE,cAAc,CAAC;IACxB,kCAAkC;IAClC,MAAM,EAAE,eAAe,GAAG,SAAS,CAAC;IACpC,yDAAyD;IACzD,cAAc,EAAE,OAAO,CAAC;CACzB;AAED,UAAU,wBAAwB;IAChC;;;OAGG;IACH,GAAG,EAAE,OAAO,CAAC;IACb,6BAA6B;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,mBAAmB;IACnB,OAAO,EAAE,cAAc,CAAC;IACxB,6BAA6B;IAC7B,MAAM,EAAE,eAAe,GAAG,SAAS,CAAC;IACpC,mBAAmB;IACnB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,iBAAiB;IACjB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,kBAAkB;IAClB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;IAC/B,iBAAiB;IACjB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,uCAAuC;IACvC,QAAQ,EAAE,SAAS,GAAG,YAAY,GAAG,SAAS,CAAC;IAC/C,kBAAkB;IAClB,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAClC,yCAAyC;IACzC,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;IACpC,yBAAyB;IACzB,YAAY,EAAE,YAAY,CAAC;IAC3B,oCAAoC;IACpC,WAAW,EAAE,OAAO,CAAC;IACrB,qEAAqE;IACrE,KAAK,CAAC,EAAE,qBAAqB,CAAC;CAC/B;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,wBAAwB,GAC7B,OAAO,CAAC,uBAAuB,CAAC,CAoIlC"}
|
|
@@ -13,6 +13,8 @@ import { isExtendedFSAdapter } from "../../platform/adapters/fs/wrapper.js";
|
|
|
13
13
|
import { getConfig } from "../../config/loader.js";
|
|
14
14
|
import { timeAsync } from "./request-lifecycle.js";
|
|
15
15
|
import { defaultDiscoveryCache, findLocalProjectPath, } from "./local-project-discovery.js";
|
|
16
|
+
import { isProxyTrusted } from "../utils/proxy-trust.js";
|
|
17
|
+
import { getHostEnv } from "../../platform/compat/process.js";
|
|
16
18
|
const baseLogger = getBaseLogger("SERVER");
|
|
17
19
|
const logger = baseLogger.component("adapter-factory");
|
|
18
20
|
/**
|
|
@@ -29,7 +31,22 @@ export async function resolveAdapter(opts) {
|
|
|
29
31
|
// Check if this is a local project.
|
|
30
32
|
// In proxy mode, skip local discovery unless there's an explicit header path override —
|
|
31
33
|
// the standard directories (data/projects/, projects/) don't exist in k8s.
|
|
32
|
-
|
|
34
|
+
//
|
|
35
|
+
// SECURITY: `x-project-path` is a client-controlled header. Honouring it from any
|
|
36
|
+
// request would let an attacker reaching the runtime directly aim project discovery
|
|
37
|
+
// (and therefore `/_veryfront/fs/...`) at arbitrary filesystem paths (VULN-SRV-3).
|
|
38
|
+
// Only read it when the request is proxy-trusted: either the operator opted in via
|
|
39
|
+
// VERYFRONT_TRUST_FORWARDED_HEADERS=1, or the request carries a dispatch JWS that
|
|
40
|
+
// verifies against CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY. Mere header presence is
|
|
41
|
+
// NOT sufficient — a direct-access attacker could otherwise spoof `x-project-path`
|
|
42
|
+
// by attaching any value in `x-veryfront-dispatch-jws`.
|
|
43
|
+
const publicKeyPem = opts.adapter.env.get("CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY") ??
|
|
44
|
+
getHostEnv("CHANNEL_DISPATCH_SIGNING_PUBLIC_KEY");
|
|
45
|
+
const proxyTrusted = opts.isProxyMode &&
|
|
46
|
+
(await isProxyTrusted(opts.req, { publicKeyPem }));
|
|
47
|
+
const trustedHeaderProjectPath = proxyTrusted
|
|
48
|
+
? opts.req.headers.get("x-project-path")?.trim() || undefined
|
|
49
|
+
: undefined;
|
|
33
50
|
const shouldCheckLocalPath = opts.projectSlug && (!opts.isProxyMode || trustedHeaderProjectPath);
|
|
34
51
|
const localProjectPath = shouldCheckLocalPath
|
|
35
52
|
? await findLocalProjectPath(opts.projectSlug, opts.adapter, trustedHeaderProjectPath, cache)
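Review bot: Once `proxyTrusted` is true, `trustedHeaderProjectPath` is the raw `x-project-path` value after `trim()` and goes straight into `findLocalProjectPath`; nothing in this hunk normalises it or checks that it stays under an allowed root. Trust in the sender is then the only guard. Unless `findLocalProjectPath` (not shown) already confines the path, I would resolve it and reject values outside the configured projects directory before the call. That way a leaked dispatch JWS or a global `VERYFRONT_TRUST_FORWARDED_HEADERS=1` does not translate into arbitrary path selection. `resolveAdapter` continues beyond the hunk.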
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAK7D,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AA+BpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AA+DrE,OAAO,EAAE,qBAAqB,EAAE,KAAK,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAMtF,2CAA2C;AAC3C,eAAO,MAAM,aAAa,uqBAkChB,CAAC;AAEX,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzD;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,SAAS,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAClD,mDAAmD;IACnD,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AA0CD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,cAAc,EACvB,IAAI,GAAE,mBAAwB,GAC7B;IAAE,QAAQ,EAAE,aAAa,CAAC;IAAC,UAAU,EAAE,iBAAiB,CAAA;CAAE,CAuB5D;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,wEAAwE;IACxE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,oFAAoF;IACpF,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,sFAAsF;IACtF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oFAAoF;IACpF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uGAAuG;IACvG,kBAAkB,CAAC,EAAE,SAAS,GAAG,YAAY,CAAC;CAC/C;AAED,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,cAAc,EACvB,IAAI,GAAE,qBAAsC,GAC3C,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC,GAAG;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/src/server/runtime-handler/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACtE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAK7D,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AA+BpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AA+DrE,OAAO,EAAE,qBAAqB,EAAE,KAAK,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAMtF,2CAA2C;AAC3C,eAAO,MAAM,aAAa,uqBAkChB,CAAC;AAEX,6CAA6C;AAC7C,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzD;;;;GAIG;AACH,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,SAAS,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IAClD,mDAAmD;IACnD,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AA0CD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,cAAc,EACvB,IAAI,GAAE,mBAAwB,GAC7B;IAAE,QAAQ,EAAE,aAAa,CAAC;IAAC,UAAU,EAAE,iBAAiB,CAAA;CAAE,CAuB5D;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,wEAAwE;IACxE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,oFAAoF;IACpF,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,sFAAsF;IACtF,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,oFAAoF;IACpF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uGAAuG;IACvG,kBAAkB,CAAC,EAAE,SAAS,GAAG,YAAY,CAAC;CAC/C;AAED,wBAAgB,sBAAsB,CACpC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,cAAc,EACvB,IAAI,GAAE,qBAAsC,GAC3C,CAAC,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC,GAAG;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;CAAE,CAmanE;AAGD,YAAY,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC"}
|
|
@@ -352,8 +352,12 @@ export function createVeryfrontHandler(projectDir, adapter, opts = { projectDir
|
|
|
352
352
|
if (response)
|
|
353
353
|
return response;
|
|
354
354
|
}
|
|
355
|
-
// Resolve adapter and config for project
|
|
355
|
+
// Resolve adapter and config for project.
|
|
356
|
+
// Note: `x-project-path` is NOT forwarded via `headers.projectPath` anymore;
|
|
357
|
+
// `resolveAdapter` reads it directly from `req` and only honours it when the
|
|
358
|
+
// request is proxy-trusted (see isProxyTrusted).
|
|
356
359
|
const adapterRes = await resolveAdapter({
|
|
360
|
+
req,
|
|
357
361
|
projectDir,
|
|
358
362
|
adapter,
|
|
359
363
|
config,
|
|
@@ -365,7 +369,6 @@ export function createVeryfrontHandler(projectDir, adapter, opts = { projectDir
|
|
|
365
369
|
branch: reqCtx.branch,
|
|
366
370
|
environmentName: projectRes.environmentName,
|
|
367
371
|
parsedDomain: projectRes.parsedDomain,
|
|
368
|
-
headerProjectPath: headers.projectPath,
|
|
369
372
|
isProxyMode,
|
|
370
373
|
});
|
|
371
374
|
// Resolve environment and validate
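Review bot: The `resolveAdapter` call no longer passes `headers.projectPath`, but the parsed `headers` object is built outside this hunk and may still carry that field. If it does, I would drop it from the header parser or rename it (for example `untrustedProjectPath`), so that a later call site cannot pick up the unverified `x-project-path` value by accident. The new comment could also name the field explicitly: `// headers.projectPath is unverified client input; do not use it for path resolution.`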
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"page-handler.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/orchestrators/page-handler.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"page-handler.d.ts","sourceRoot":"","sources":["../../../../../../src/src/server/services/rsc/orchestrators/page-handler.ts"],"names":[],"mappings":"AAuBA,qBAAa,WAAW;IACtB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,QAAQ;IAQjF,OAAO,CAAC,SAAS;CAyElB"}
|