npm - veryfront - Versions diffs - 0.1.73 → 0.1.75 - Mend

veryfront 0.1.73 → 0.1.75

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

package/src/src/rendering/orchestrator/lifecycle.ts CHANGED Viewed

@@ -38,6 +38,8 @@ export interface LifecycleOptions {
   projectId?: string;
   /** Content source identifier for cache isolation (branch or release) */
   contentSourceId?: string;
+  /** Injectable factory for testing — bypasses real service construction */
+  servicesFactory?: (adapter: RuntimeAdapter) => RendererServices;
 }
 export interface RendererServices {
@@ -62,6 +64,7 @@ export class RendererLifecycle {
   private contentSourceId?: string;
   private services?: RendererServices;
   private adapter!: RuntimeAdapter;
+  private servicesFactory?: (adapter: RuntimeAdapter) => RendererServices;
   constructor(options: LifecycleOptions) {
     this.configManager = options.configManager;
@@ -69,6 +72,7 @@ export class RendererLifecycle {
     this.moduleServerUrl = options.moduleServerUrl;
     this.projectId = options.projectId;
     this.contentSourceId = options.contentSourceId;
+    this.servicesFactory = options.servicesFactory;
   }
   async initialize(): Promise<RendererServices> {
@@ -83,6 +87,13 @@ export class RendererLifecycle {
       this.adapter = await runtime.get();
     }
+    // Allow tests to bypass the full service graph construction
+    if (this.servicesFactory) {
+      this.services = this.servicesFactory(this.adapter);
+      logger.debug("Renderer services initialized via injected factory");
+      return this.services;
+    }
     const projectDir = this.configManager.getProjectDir();
     const mode = this.configManager.getMode();
     const debugMode = this.configManager.isDebugMode();

package/src/src/rendering/orchestrator/pipeline.ts CHANGED Viewed

@@ -36,7 +36,7 @@ import type { PageResolver } from "../page-resolution/index.js";
 import type { LayoutOrchestrator } from "./layout.js";
 import type { SSROrchestrator } from "./ssr-orchestrator.js";
 import type { PageDataResponse, RenderOptions, RenderResult } from "./types.js";
-import { DataFetcher } from "../../data/index.js";
+import { DataFetcher, type FetchDataOptions } from "../../data/index.js";
 import type { DataContext, PageWithData } from "../../data/types.js";
 import { clearSSRModuleCacheForProject } from "../../modules/react-loader/index.js";
 import { setupSSRGlobals } from "../ssr-globals.js";
@@ -303,8 +303,13 @@ export class RenderPipeline {
           Promise.all(
             dataJobs.map(async (job) => {
               try {
+                const jobPath = (job as LoadedModule & { path?: string }).path;
+                const fetchOptions: FetchDataOptions = {
+                  modulePath: jobPath,
+                  projectDir: this.config.projectDir,
+                };
                 const result = await this.dataFetcher
-                  .fetchData(job.mod as PageWithData, dataContext, this.config.mode);
+                  .fetchData(job.mod as PageWithData, dataContext, this.config.mode, fetchOptions);
                 return { ...job, result, error: null as Error | null };
               } catch (error) {
                 return { ...job, result: null, error: error as Error };

package/src/src/rendering/orchestrator/ssr-orchestrator.ts CHANGED Viewed

@@ -10,6 +10,8 @@ import { computeHash } from "../utils/index.js";
 import type { HTMLGenerationContext, HTMLGenerator } from "./html.js";
 import type { RenderOptions } from "./types.js";
 import { runWithHeadCollector } from "../../react/head-collector.js";
+import { getWorkerPool, isSSRIsolationEnabled } from "../../security/sandbox/worker-pool.js";
+import type { WorkerResponse } from "../../security/sandbox/worker-types.js";
 const logger = rendererLogger.component("ssr-orchestrator");
@@ -27,6 +29,24 @@ export interface SSRRenderingResult {
   ssrHash: string;
 }
+/**
+ * Options for isolated SSR rendering through the Worker pool.
+ * When provided and SSR isolation is enabled, the rendering happens
+ * in a per-project Worker instead of the main process.
+ */
+export interface SSRIsolationOptions {
+  /** Temp file path for the page component module */
+  pageModulePath: string;
+  /** Ordered layout module temp paths (innermost → outermost) */
+  layoutModulePaths: string[];
+  /** Page component props */
+  pageProps: Record<string, unknown>;
+  /** Layout props (one entry per layout, matching layoutModulePaths order) */
+  layoutProps: Record<string, unknown>[];
+  /** Project directory for worker scoping */
+  projectDir: string;
+}
 function getElementTypeName(el: React.ReactElement | null | undefined): string {
   if (!el?.type) return "unknown";
   if (typeof el.type === "string") return el.type;
@@ -46,7 +66,18 @@ export class SSROrchestrator {
     pageElement: React.ReactElement,
     generationContext: Omit<HTMLGenerationContext, "html" | "ssrHash">,
     options?: RenderOptions,
+    isolationOptions?: SSRIsolationOptions,
   ): Promise<SSRRenderingResult> {
+    // Isolated SSR path: render in per-project Worker
+    if (
+      isSSRIsolationEnabled() &&
+      isolationOptions?.pageModulePath &&
+      isolationOptions?.projectDir
+    ) {
+      return this.performIsolatedSSR(generationContext, options, isolationOptions);
+    }
+    // Default path: render in main process
     logger.debug("performSSRRendering called", {
       elementType: getElementTypeName(pageElement),
       hasChildren: !!(pageElement.props as Record<string, unknown>)?.children,
@@ -133,6 +164,94 @@ export class SSROrchestrator {
     };
   }
+  /**
+   * Perform SSR rendering in an isolated per-project Worker.
+   *
+   * The Worker imports user modules from their temp file paths,
+   * constructs the React element tree, and renders to HTML.
+   * For streaming, the Worker sends chunks via postMessage.
+   */
+  private async performIsolatedSSR(
+    generationContext: Omit<HTMLGenerationContext, "html" | "ssrHash">,
+    options: RenderOptions | undefined,
+    isolation: SSRIsolationOptions,
+  ): Promise<SSRRenderingResult> {
+    const wantsStream = options?.delivery === "stream";
+    const pool = getWorkerPool();
+    const requestId = dntShim.crypto.randomUUID();
+    return withSpan(
+      "ssr.isolated_render",
+      async () => {
+        const worker = pool.getOrCreateWorker(isolation.projectDir, [isolation.projectDir]);
+        if (wantsStream) {
+          // Streaming mode: get a ReadableStream of chunks from the Worker
+          const stream = worker.executeStream({
+            type: "render-ssr",
+            id: requestId,
+            pageModulePath: isolation.pageModulePath,
+            layoutModulePaths: isolation.layoutModulePaths,
+            pageProps: isolation.pageProps,
+            layoutProps: isolation.layoutProps,
+            delivery: "stream",
+          });
+          const ssrHash = `stream-isolated-${Date.now()}`;
+          // Generate HTML stream using the framework's HTML generator
+          const finalStream = await this.config.htmlGenerator.generateHTMLStream(stream, {
+            ...generationContext,
+            ssrHash,
+            options: { ...generationContext.options, ...options },
+            collectedHead: undefined,
+          });
+          return { fullHtml: "", finalStream, ssrHash };
+        }
+        // String mode: render to HTML in Worker, get result back
+        const workerResponse: WorkerResponse = await worker.execute({
+          type: "render-ssr",
+          id: requestId,
+          pageModulePath: isolation.pageModulePath,
+          layoutModulePaths: isolation.layoutModulePaths,
+          pageProps: isolation.pageProps,
+          layoutProps: isolation.layoutProps,
+          delivery: "string",
+        });
+        if (workerResponse.type === "error") {
+          const err = new Error(workerResponse.error.message);
+          err.name = workerResponse.error.name;
+          throw err;
+        }
+        if (workerResponse.type !== "ssr-result") {
+          throw new Error(`Unexpected worker response type: ${workerResponse.type}`);
+        }
+        const html = workerResponse.html;
+        const ssrHash = await computeHash(html);
+        const fullHtml = await this.config.htmlGenerator.generateFullHTML({
+          ...generationContext,
+          html,
+          ssrHash,
+          options: { ...generationContext.options, ...options },
+          collectedHead: undefined,
+        });
+        return { fullHtml, finalStream: null, ssrHash };
+      },
+      {
+        "ssr.isolated": true,
+        "ssr.wants_stream": wantsStream,
+        "ssr.project_dir": isolation.projectDir,
+      },
+    );
+  }
   private createStream(html: string): ReadableStream | null {
     try {
       return new dntShim.Response(html).body ?? null;

package/src/src/routing/api/handler.ts CHANGED Viewed

@@ -13,7 +13,7 @@ import { ApiRouteMatcher, type RouteMatch } from "./api-route-matcher.js";
 import type { APIRoute } from "./module-loader/types.js";
 import { loadHandlerModule } from "./module-loader/loader.js";
 import { discoverAppRoutes, discoverPagesRoutes } from "./route-discovery.js";
-import { executeAppRoute, executePagesRoute } from "./route-executor.js";
+import { executeAppRoute, executePagesRoute, type ExecuteRouteOptions } from "./route-executor.js";
 import { withSpan } from "../../observability/tracing/otlp-setup.js";
 /** Max entries in the loaded-handler LRU cache */
@@ -188,9 +188,22 @@ export class APIRouteHandler {
         // Note: Cannot use path-based detection (/app/) as projectDir may be '/app' in production
         const isAppRoute = /\/route\.(ts|js|tsx|jsx)$/.test(match.route.page);
+        const isolationOptions: ExecuteRouteOptions = {
+          modulePath: match.route.page,
+          projectDir: this.projectDir,
+        };
         const response = isAppRoute
-          ? await executeAppRoute(handler, request, match, pathname, adapter)
-          : await executePagesRoute(handler, request, match, pathname, adapter, this.projectDir);
+          ? await executeAppRoute(handler, request, match, pathname, adapter, isolationOptions)
+          : await executePagesRoute(
+            handler,
+            request,
+            match,
+            pathname,
+            adapter,
+            this.projectDir,
+            isolationOptions,
+          );
         const corsResponse = await applyCORSHeaders({
           request,

package/src/src/routing/api/route-executor.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import * as dntShim from "../../../_dnt.shims.js";
 import type { FileSystemAdapter, RuntimeAdapter } from "../../platform/adapters/base.js";
-import { createContext, normalizeParams } from "./context-builder.js";
+import { createContext, normalizeParams, parseCookies } from "./context-builder.js";
 import type { RouteMatch } from "./api-route-matcher.js";
 import { createError, toError } from "../../errors/veryfront-error.js";
 import type {
@@ -20,6 +20,16 @@ import { errorToRFC9457Response } from "../../errors/middleware/http-error-bound
 import { serverLogger as logger } from "../../utils/index.js";
 import { isDevelopment as isDevelopmentEnv } from "../../build/config/environment.js";
 import type { HandlerContext } from "../../types/index.js";
+import {
+  getWorkerPool,
+  isWorkerIsolationEnabled,
+} from "../../security/sandbox/worker-pool.js";
+import type {
+  SerializedRequest,
+  SerializedResponse,
+  WorkerResponse,
+} from "../../security/sandbox/worker-types.js";
+import { getProjectEnvSnapshot } from "../../server/project-env/storage.js";
 function isDevelopment(adapter: RuntimeAdapter): boolean {
   const env = adapter.env.get("MODE") ??
@@ -115,13 +125,206 @@ function toHeadResponse(response: dntShim.Response): dntShim.Response {
   return new dntShim.Response(null, { status: response.status, headers: response.headers });
 }
+// ---------------------------------------------------------------------------
+// Worker Isolation Helpers
+// ---------------------------------------------------------------------------
+async function serializeRequest(request: dntShim.Request): Promise<SerializedRequest> {
+  const body = request.body ? new Uint8Array(await request.arrayBuffer()) : null;
+  return {
+    url: request.url,
+    method: request.method,
+    headers: [...request.headers.entries()],
+    body,
+  };
+}
+function deserializeResponse(s: SerializedResponse): dntShim.Response {
+  return new dntShim.Response(s.body as dntShim.BodyInit | null, {
+    status: s.status,
+    statusText: s.statusText,
+    headers: s.headers,
+  });
+}
+function workerResponseToResponse(
+  workerResponse: WorkerResponse,
+  pathname: string,
+  adapter: RuntimeAdapter,
+): dntShim.Response {
+  if (workerResponse.type === "error") {
+    const { error } = workerResponse;
+    logger.error(`API route error in ${pathname} (worker):`, error.message);
+    // If the worker serialized RFC 9457 fields, return them directly
+    // to preserve the original status code, type, and detail.
+    if (error.status && error.type) {
+      return dntShim.Response.json(
+        {
+          type: error.type,
+          title: error.name,
+          status: error.status,
+          detail: error.detail ?? error.message,
+          instance: pathname,
+        },
+        { status: error.status },
+      );
+    }
+    const ctx = { isLocalProject: isDevelopment(adapter) } as HandlerContext;
+    const req = new dntShim.Request(`http://localhost${pathname}`);
+    const err = new Error(error.message);
+    err.name = error.name;
+    return errorToRFC9457Response(err, ctx, req);
+  }
+  if (workerResponse.type === "result") {
+    return deserializeResponse(workerResponse.response);
+  }
+  // data-result type is not expected in API route execution
+  throw new Error(`Unexpected worker response type: ${workerResponse.type}`);
+}
+// ---------------------------------------------------------------------------
+// Isolated Execution (Worker Path)
+// ---------------------------------------------------------------------------
+function executeAppRouteIsolated(
+  modulePath: string,
+  request: dntShim.Request,
+  match: RouteMatch,
+  pathname: string,
+  adapter: RuntimeAdapter,
+  projectDir: string,
+): Promise<dntShim.Response> {
+  const method = request.method.toUpperCase() as HTTPMethod;
+  return withSpan(
+    "api.executeAppRoute.isolated",
+    async () => {
+      try {
+        const pool = getWorkerPool();
+        const serialized = await serializeRequest(request);
+        const workerResponse = await pool.execute(
+          projectDir,
+          [projectDir],
+          {
+            type: "execute-app-route",
+            id: dntShim.crypto.randomUUID(),
+            modulePath,
+            method,
+            request: serialized,
+            params: match.params,
+            projectDir,
+            projectEnv: getProjectEnvSnapshot(),
+          },
+        );
+        const response = workerResponseToResponse(workerResponse, pathname, adapter);
+        return method === "HEAD" ? toHeadResponse(response) : response;
+      } catch (error) {
+        return handleAPIError(error, pathname, adapter);
+      }
+    },
+    {
+      "http.method": method,
+      "http.path": pathname,
+      "api.route.pattern": match.route.pattern,
+      "api.isolated": true,
+    },
+  );
+}
+function executePagesRouteIsolated(
+  modulePath: string,
+  request: dntShim.Request,
+  match: RouteMatch,
+  pathname: string,
+  adapter: RuntimeAdapter,
+  projectDir: string,
+): Promise<dntShim.Response> {
+  const method = request.method as string;
+  return withSpan(
+    "api.executePagesRoute.isolated",
+    async () => {
+      try {
+        const pool = getWorkerPool();
+        const body = request.body ? new Uint8Array(await request.arrayBuffer()) : null;
+        const workerResponse = await pool.execute(
+          projectDir,
+          [projectDir],
+          {
+            type: "execute-pages-route",
+            id: dntShim.crypto.randomUUID(),
+            modulePath,
+            method,
+            context: {
+              url: request.url,
+              method: request.method,
+              headers: [...request.headers.entries()],
+              body,
+              params: match.params,
+              cookies: parseCookies(request.headers.get("cookie") ?? ""),
+            },
+            projectDir,
+            projectEnv: getProjectEnvSnapshot(),
+          },
+        );
+        return workerResponseToResponse(workerResponse, pathname, adapter);
+      } catch (error) {
+        return handleAPIError(error, pathname, adapter);
+      }
+    },
+    {
+      "http.method": method,
+      "http.path": pathname,
+      "api.route.pattern": match.route.pattern,
+      "api.isolated": true,
+    },
+  );
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export interface ExecuteRouteOptions {
+  /** Absolute path to the handler module on disk (for isolated execution) */
+  modulePath?: string;
+  /** Project directory (for isolated execution scope) */
+  projectDir?: string;
+}
 export function executeAppRoute(
   handler: APIRoute,
   request: dntShim.Request,
   match: RouteMatch,
   pathname: string,
   adapter: RuntimeAdapter,
+  options?: ExecuteRouteOptions,
 ): Promise<dntShim.Response> {
+  // Isolated path: execute in per-project Worker, fall back to main process on error
+  if (
+    isWorkerIsolationEnabled() &&
+    options?.modulePath &&
+    options?.projectDir
+  ) {
+    return executeAppRouteIsolated(
+      options.modulePath,
+      request,
+      match,
+      pathname,
+      adapter,
+      options.projectDir,
+    );
+  }
+  // Default path: execute in main process (existing behavior)
   const method = request.method.toUpperCase() as HTTPMethod;
   return withSpan(
@@ -158,7 +361,25 @@ export function executePagesRoute(
   pathname: string,
   adapter: RuntimeAdapter,
   projectDir?: string,
+  options?: ExecuteRouteOptions,
 ): Promise<dntShim.Response> {
+  // Isolated path: execute in per-project Worker, fall back to main process on error
+  if (
+    isWorkerIsolationEnabled() &&
+    options?.modulePath &&
+    (options?.projectDir ?? projectDir)
+  ) {
+    return executePagesRouteIsolated(
+      options.modulePath,
+      request,
+      match,
+      pathname,
+      adapter,
+      options.projectDir ?? projectDir!,
+    );
+  }
+  // Default path: execute in main process (existing behavior)
   const method = request.method as keyof APIRoute;
   return withSpan(

package/src/src/security/deno-permissions.ts CHANGED Viewed

@@ -41,3 +41,14 @@ export const BUILD_HELPER_PERMISSIONS = [
   "--allow-write",
   "--allow-env",
 ] as const;
+/**
+ * RENDER_WORKER — Per-project Worker for isolated code execution.
+ * Read-only filesystem (transformed modules), network (data fetchers),
+ * env (API keys and config). No subprocess/ffi/sys.
+ */
+export const RENDER_WORKER_PERMISSIONS = [
+  "--allow-read",
+  "--allow-net",
+  "--allow-env",
+] as const;