veryfront 0.1.74 → 0.1.76

package/src/src/platform/adapters/veryfront-api-client/retry-handler.ts

@@ -18,6 +18,9 @@ export interface RequestOptions {
   returnText?: boolean;
   /** Request timeout in milliseconds. Defaults to 30000ms (30 seconds). */
   timeoutMs?: number;
+  method?: string;
+  body?: dntShim.BodyInit | null;
+  headers?: dntShim.HeadersInit;
 }
 
 /** Default timeout for API requests (30 seconds) */
@@ -48,13 +51,19 @@ export async function requestWithRetry(
         async () => {
           const startTime = performance.now();
 
-          const headers = new dntShim.Headers({
-            Authorization: `Bearer ${apiToken}`,
-            "Content-Type": "application/json",
-          });
+          const headers = new dntShim.Headers(options.headers);
+          headers.set("Authorization", `Bearer ${apiToken}`);
+          if (!headers.has("Content-Type")) {
+            headers.set("Content-Type", "application/json");
+          }
           injectContext(headers);
 
-          const response = await dntShim.fetch(url, { headers, signal: controller.signal });
+          const response = await dntShim.fetch(url, {
+            method: options.method ?? "GET",
+            headers,
+            body: options.body,
+            signal: controller.signal,
+          });
           const duration = performance.now() - startTime;
 
           recordApiRequest(response.status);
@@ -89,7 +98,7 @@ export async function requestWithRetry(
           return { data, status: response.status, duration };
         },
         {
-          "http.method": "GET",
+          "http.method": options.method ?? "GET",
           "http.url": url,
           "http.target": urlPath,
           "http.host": urlObj.host,

package/src/src/proxy/handler.ts

@@ -3,10 +3,11 @@ import { TokenManager, type TokenScope } from "./token-manager.js";
 import { type ParsedDomain, parseProjectDomain } from "../server/utils/domain-parser.js";
 import type { TokenCache } from "./cache/types.js";
 import { createFileSystem } from "../platform/compat/fs.js";
-import { cwd } from "../platform/compat/process.js";
+import { cwd, getEnv } from "../platform/compat/process.js";
 import { join } from "../platform/compat/path/index.js";
 import { injectContext, ProxySpanNames, withSpan } from "./tracing.js";
 import { computeContentSourceId } from "../cache/keys.js";
+import { jwtVerify } from "jose";
 
 export const INTERNAL_PROXY_HEADERS = [
   "x-token",
@@ -151,19 +152,27 @@ function extractUserToken(cookieHeader: string): string | undefined {
   return match?.[1] ? decodeURIComponent(match[1]) : undefined;
 }
 
-function extractUserIdFromToken(token: string): string | undefined {
+async function extractUserIdFromToken(
+  token: string,
+  log?: ProxyLogger,
+): Promise<string | undefined> {
+  const jwtSecret = getEnv("JWT_SECRET");
+
+  if (!jwtSecret) {
+    log?.warn("JWT_SECRET not configured — cannot verify user token");
+    return undefined;
+  }
+
   try {
-    const payload = token.split(".")[1];
-    if (!payload) return undefined;
-    // JWT payloads are base64url-encoded: normalize to standard base64 before decoding
-    let base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
-    const remainder = base64.length % 4;
-    if (remainder === 2) base64 += "==";
-    else if (remainder === 3) base64 += "=";
-    const decoded = JSON.parse(atob(base64));
-    return decoded?.userId;
-  } catch (_) {
-    /* expected: malformed JWT token */
+    const secret = new TextEncoder().encode(jwtSecret);
+    const { payload } = await jwtVerify(token, secret, {
+      algorithms: ["HS256"],
+    });
+    return (payload as { userId?: string }).userId;
+  } catch (error) {
+    log?.debug("JWT verification failed", {
+      error: error instanceof Error ? error.message : String(error),
+    });
     return undefined;
   }
 }
@@ -276,13 +285,13 @@ export function createProxyHandler(options: ProxyHandlerOptions) {
     return `https://veryfront.com/sign-in?from=${encodeURIComponent(returnPath)}`;
   }
 
-  function checkProtectedAccess(
+  async function checkProtectedAccess(
     req: dntShim.Request,
     matchingEnv: NonNullable<DomainLookupResult["environments"]>[number] | undefined,
     userToken: string | undefined,
     users: DomainLookupResult["users"],
     logContext: Record<string, unknown>,
-  ): { status: number; message: string; redirectUrl?: string } | null {
+  ): Promise<{ status: number; message: string; redirectUrl?: string } | null> {
     if (!matchingEnv?.protected) return null;
 
     if (!userToken) {
@@ -295,9 +304,8 @@ export function createProxyHandler(options: ProxyHandlerOptions) {
       return { status: 302, message: "Authentication required", redirectUrl };
     }
 
-    const userId = extractUserIdFromToken(userToken);
+    const userId = await extractUserIdFromToken(userToken, logger);
     if (!userId) {
-      // Malformed token — treat as unauthenticated so user can re-sign-in
       const redirectUrl = makeAuthRedirectUrl(req);
       logger?.info("Could not extract userId from token", {
         ...logContext,
@@ -334,7 +342,7 @@ export function createProxyHandler(options: ProxyHandlerOptions) {
 
     const matchingEnv = lookupResult.environments?.find(envMatcher);
 
-    const protectionError = checkProtectedAccess(
+    const protectionError = await checkProtectedAccess(
       req,
       matchingEnv,
       userToken,
@@ -442,7 +450,7 @@ export function createProxyHandler(options: ProxyHandlerOptions) {
         releaseId = matchingEnv?.active_release_id ?? undefined;
         environmentId = matchingEnv?.id;
 
-        const protectionError = checkProtectedAccess(
+        const protectionError = await checkProtectedAccess(
           req,
           matchingEnv,
           userToken,

package/src/src/rendering/orchestrator/lifecycle.ts

@@ -38,6 +38,8 @@ export interface LifecycleOptions {
   projectId?: string;
   /** Content source identifier for cache isolation (branch or release) */
   contentSourceId?: string;
+  /** Injectable factory for testing — bypasses real service construction */
+  servicesFactory?: (adapter: RuntimeAdapter) => RendererServices;
 }
 
 export interface RendererServices {
@@ -62,6 +64,7 @@ export class RendererLifecycle {
   private contentSourceId?: string;
   private services?: RendererServices;
   private adapter!: RuntimeAdapter;
+  private servicesFactory?: (adapter: RuntimeAdapter) => RendererServices;
 
   constructor(options: LifecycleOptions) {
     this.configManager = options.configManager;
@@ -69,6 +72,7 @@ export class RendererLifecycle {
     this.moduleServerUrl = options.moduleServerUrl;
     this.projectId = options.projectId;
     this.contentSourceId = options.contentSourceId;
+    this.servicesFactory = options.servicesFactory;
   }
 
   async initialize(): Promise<RendererServices> {
@@ -83,6 +87,13 @@ export class RendererLifecycle {
       this.adapter = await runtime.get();
     }
 
+    // Allow tests to bypass the full service graph construction
+    if (this.servicesFactory) {
+      this.services = this.servicesFactory(this.adapter);
+      logger.debug("Renderer services initialized via injected factory");
+      return this.services;
+    }
+
     const projectDir = this.configManager.getProjectDir();
     const mode = this.configManager.getMode();
     const debugMode = this.configManager.isDebugMode();

package/src/src/rendering/orchestrator/pipeline.ts

@@ -36,7 +36,7 @@ import type { PageResolver } from "../page-resolution/index.js";
 import type { LayoutOrchestrator } from "./layout.js";
 import type { SSROrchestrator } from "./ssr-orchestrator.js";
 import type { PageDataResponse, RenderOptions, RenderResult } from "./types.js";
-import { DataFetcher } from "../../data/index.js";
+import { DataFetcher, type FetchDataOptions } from "../../data/index.js";
 import type { DataContext, PageWithData } from "../../data/types.js";
 import { clearSSRModuleCacheForProject } from "../../modules/react-loader/index.js";
 import { setupSSRGlobals } from "../ssr-globals.js";
@@ -303,8 +303,13 @@ export class RenderPipeline {
           Promise.all(
             dataJobs.map(async (job) => {
               try {
+                const jobPath = (job as LoadedModule & { path?: string }).path;
+                const fetchOptions: FetchDataOptions = {
+                  modulePath: jobPath,
+                  projectDir: this.config.projectDir,
+                };
                 const result = await this.dataFetcher
-                  .fetchData(job.mod as PageWithData, dataContext, this.config.mode);
+                  .fetchData(job.mod as PageWithData, dataContext, this.config.mode, fetchOptions);
                 return { ...job, result, error: null as Error | null };
               } catch (error) {
                 return { ...job, result: null, error: error as Error };

package/src/src/rendering/orchestrator/ssr-orchestrator.ts

@@ -10,6 +10,8 @@ import { computeHash } from "../utils/index.js";
 import type { HTMLGenerationContext, HTMLGenerator } from "./html.js";
 import type { RenderOptions } from "./types.js";
 import { runWithHeadCollector } from "../../react/head-collector.js";
+import { getWorkerPool, isSSRIsolationEnabled } from "../../security/sandbox/worker-pool.js";
+import type { WorkerResponse } from "../../security/sandbox/worker-types.js";
 
 const logger = rendererLogger.component("ssr-orchestrator");
 
@@ -27,6 +29,24 @@ export interface SSRRenderingResult {
   ssrHash: string;
 }
 
+/**
+ * Options for isolated SSR rendering through the Worker pool.
+ * When provided and SSR isolation is enabled, the rendering happens
+ * in a per-project Worker instead of the main process.
+ */
+export interface SSRIsolationOptions {
+  /** Temp file path for the page component module */
+  pageModulePath: string;
+  /** Ordered layout module temp paths (innermost → outermost) */
+  layoutModulePaths: string[];
+  /** Page component props */
+  pageProps: Record<string, unknown>;
+  /** Layout props (one entry per layout, matching layoutModulePaths order) */
+  layoutProps: Record<string, unknown>[];
+  /** Project directory for worker scoping */
+  projectDir: string;
+}
+
 function getElementTypeName(el: React.ReactElement | null | undefined): string {
   if (!el?.type) return "unknown";
   if (typeof el.type === "string") return el.type;
@@ -46,7 +66,18 @@ export class SSROrchestrator {
     pageElement: React.ReactElement,
     generationContext: Omit<HTMLGenerationContext, "html" | "ssrHash">,
     options?: RenderOptions,
+    isolationOptions?: SSRIsolationOptions,
   ): Promise<SSRRenderingResult> {
+    // Isolated SSR path: render in per-project Worker
+    if (
+      isSSRIsolationEnabled() &&
+      isolationOptions?.pageModulePath &&
+      isolationOptions?.projectDir
+    ) {
+      return this.performIsolatedSSR(generationContext, options, isolationOptions);
+    }
+
+    // Default path: render in main process
     logger.debug("performSSRRendering called", {
       elementType: getElementTypeName(pageElement),
       hasChildren: !!(pageElement.props as Record<string, unknown>)?.children,
@@ -133,6 +164,94 @@ export class SSROrchestrator {
     };
   }
 
+  /**
+   * Perform SSR rendering in an isolated per-project Worker.
+   *
+   * The Worker imports user modules from their temp file paths,
+   * constructs the React element tree, and renders to HTML.
+   * For streaming, the Worker sends chunks via postMessage.
+   */
+  private async performIsolatedSSR(
+    generationContext: Omit<HTMLGenerationContext, "html" | "ssrHash">,
+    options: RenderOptions | undefined,
+    isolation: SSRIsolationOptions,
+  ): Promise<SSRRenderingResult> {
+    const wantsStream = options?.delivery === "stream";
+    const pool = getWorkerPool();
+    const requestId = dntShim.crypto.randomUUID();
+
+    return withSpan(
+      "ssr.isolated_render",
+      async () => {
+        const worker = pool.getOrCreateWorker(isolation.projectDir, [isolation.projectDir]);
+
+        if (wantsStream) {
+          // Streaming mode: get a ReadableStream of chunks from the Worker
+          const stream = worker.executeStream({
+            type: "render-ssr",
+            id: requestId,
+            pageModulePath: isolation.pageModulePath,
+            layoutModulePaths: isolation.layoutModulePaths,
+            pageProps: isolation.pageProps,
+            layoutProps: isolation.layoutProps,
+            delivery: "stream",
+          });
+
+          const ssrHash = `stream-isolated-${Date.now()}`;
+
+          // Generate HTML stream using the framework's HTML generator
+          const finalStream = await this.config.htmlGenerator.generateHTMLStream(stream, {
+            ...generationContext,
+            ssrHash,
+            options: { ...generationContext.options, ...options },
+            collectedHead: undefined,
+          });
+
+          return { fullHtml: "", finalStream, ssrHash };
+        }
+
+        // String mode: render to HTML in Worker, get result back
+        const workerResponse: WorkerResponse = await worker.execute({
+          type: "render-ssr",
+          id: requestId,
+          pageModulePath: isolation.pageModulePath,
+          layoutModulePaths: isolation.layoutModulePaths,
+          pageProps: isolation.pageProps,
+          layoutProps: isolation.layoutProps,
+          delivery: "string",
+        });
+
+        if (workerResponse.type === "error") {
+          const err = new Error(workerResponse.error.message);
+          err.name = workerResponse.error.name;
+          throw err;
+        }
+
+        if (workerResponse.type !== "ssr-result") {
+          throw new Error(`Unexpected worker response type: ${workerResponse.type}`);
+        }
+
+        const html = workerResponse.html;
+        const ssrHash = await computeHash(html);
+
+        const fullHtml = await this.config.htmlGenerator.generateFullHTML({
+          ...generationContext,
+          html,
+          ssrHash,
+          options: { ...generationContext.options, ...options },
+          collectedHead: undefined,
+        });
+
+        return { fullHtml, finalStream: null, ssrHash };
+      },
+      {
+        "ssr.isolated": true,
+        "ssr.wants_stream": wantsStream,
+        "ssr.project_dir": isolation.projectDir,
+      },
+    );
+  }
+
   private createStream(html: string): ReadableStream | null {
     try {
       return new dntShim.Response(html).body ?? null;

package/src/src/routing/api/handler.ts

@@ -13,7 +13,7 @@ import { ApiRouteMatcher, type RouteMatch } from "./api-route-matcher.js";
 import type { APIRoute } from "./module-loader/types.js";
 import { loadHandlerModule } from "./module-loader/loader.js";
 import { discoverAppRoutes, discoverPagesRoutes } from "./route-discovery.js";
-import { executeAppRoute, executePagesRoute } from "./route-executor.js";
+import { executeAppRoute, executePagesRoute, type ExecuteRouteOptions } from "./route-executor.js";
 import { withSpan } from "../../observability/tracing/otlp-setup.js";
 
 /** Max entries in the loaded-handler LRU cache */
@@ -188,9 +188,22 @@ export class APIRouteHandler {
         // Note: Cannot use path-based detection (/app/) as projectDir may be '/app' in production
         const isAppRoute = /\/route\.(ts|js|tsx|jsx)$/.test(match.route.page);
 
+        const isolationOptions: ExecuteRouteOptions = {
+          modulePath: match.route.page,
+          projectDir: this.projectDir,
+        };
+
         const response = isAppRoute
-          ? await executeAppRoute(handler, request, match, pathname, adapter)
-          : await executePagesRoute(handler, request, match, pathname, adapter, this.projectDir);
+          ? await executeAppRoute(handler, request, match, pathname, adapter, isolationOptions)
+          : await executePagesRoute(
+            handler,
+            request,
+            match,
+            pathname,
+            adapter,
+            this.projectDir,
+            isolationOptions,
+          );
 
         const corsResponse = await applyCORSHeaders({
           request,

package/src/src/routing/api/route-executor.ts

@@ -1,6 +1,6 @@
 import * as dntShim from "../../../_dnt.shims.js";
 import type { FileSystemAdapter, RuntimeAdapter } from "../../platform/adapters/base.js";
-import { createContext, normalizeParams } from "./context-builder.js";
+import { createContext, normalizeParams, parseCookies } from "./context-builder.js";
 import type { RouteMatch } from "./api-route-matcher.js";
 import { createError, toError } from "../../errors/veryfront-error.js";
 import type {
@@ -20,6 +20,17 @@ import { errorToRFC9457Response } from "../../errors/middleware/http-error-bound
 import { serverLogger as logger } from "../../utils/index.js";
 import { isDevelopment as isDevelopmentEnv } from "../../build/config/environment.js";
 import type { HandlerContext } from "../../types/index.js";
+import {
+  getWorkerPool,
+  isWorkerIsolationEnabled,
+} from "../../security/sandbox/worker-pool.js";
+import {
+  MAX_WORKER_BODY_BYTES,
+  type SerializedRequest,
+  type SerializedResponse,
+  type WorkerResponse,
+} from "../../security/sandbox/worker-types.js";
+import { getProjectEnvSnapshot } from "../../server/project-env/storage.js";
 
 function isDevelopment(adapter: RuntimeAdapter): boolean {
   const env = adapter.env.get("MODE") ??
@@ -115,13 +126,241 @@ function toHeadResponse(response: dntShim.Response): dntShim.Response {
   return new dntShim.Response(null, { status: response.status, headers: response.headers });
 }
 
+// ---------------------------------------------------------------------------
+// Worker Isolation Helpers
+// ---------------------------------------------------------------------------
+
+function checkContentLengthLimit(request: dntShim.Request): void {
+  const contentLength = request.headers.get("content-length");
+  if (!contentLength) return;
+
+  const bytes = parseInt(contentLength, 10);
+  if (bytes > MAX_WORKER_BODY_BYTES) {
+    throw createError({
+      type: "api",
+      message: `Request body too large for isolated execution (${
+        (bytes / 1024 / 1024).toFixed(1)
+      } MB, limit ${MAX_WORKER_BODY_BYTES / 1024 / 1024} MB)`,
+    });
+  }
+}
+
+async function readBodyWithSizeGuard(request: dntShim.Request): Promise<Uint8Array | null> {
+  if (!request.body) return null;
+
+  // Fast path: reject before buffering if Content-Length is known
+  checkContentLengthLimit(request);
+
+  const body = new Uint8Array(await request.arrayBuffer());
+
+  // Fallback: check actual size for chunked/streaming bodies
+  if (body.byteLength > MAX_WORKER_BODY_BYTES) {
+    throw createError({
+      type: "api",
+      message: `Request body too large for isolated execution (${
+        (body.byteLength / 1024 / 1024).toFixed(1)
+      } MB, limit ${MAX_WORKER_BODY_BYTES / 1024 / 1024} MB)`,
+    });
+  }
+
+  return body;
+}
+
+async function serializeRequest(request: dntShim.Request): Promise<SerializedRequest> {
+  return {
+    url: request.url,
+    method: request.method,
+    headers: [...request.headers.entries()],
+    body: await readBodyWithSizeGuard(request),
+  };
+}
+
+function deserializeResponse(s: SerializedResponse): dntShim.Response {
+  return new dntShim.Response(s.body as dntShim.BodyInit | null, {
+    status: s.status,
+    statusText: s.statusText,
+    headers: s.headers,
+  });
+}
+
+function workerResponseToResponse(
+  workerResponse: WorkerResponse,
+  pathname: string,
+  adapter: RuntimeAdapter,
+): dntShim.Response {
+  if (workerResponse.type === "error") {
+    const { error } = workerResponse;
+    logger.error(`API route error in ${pathname} (worker):`, error.message);
+
+    // If the worker serialized RFC 9457 fields, return them directly
+    // to preserve the original status code, type, and detail.
+    if (error.status && error.type) {
+      return dntShim.Response.json(
+        {
+          type: error.type,
+          title: error.name,
+          status: error.status,
+          detail: error.detail ?? error.message,
+          instance: pathname,
+        },
+        { status: error.status },
+      );
+    }
+
+    const ctx = { isLocalProject: isDevelopment(adapter) } as HandlerContext;
+    const req = new dntShim.Request(`http://localhost${pathname}`);
+    const err = new Error(error.message);
+    err.name = error.name;
+    return errorToRFC9457Response(err, ctx, req);
+  }
+
+  if (workerResponse.type === "result") {
+    return deserializeResponse(workerResponse.response);
+  }
+
+  // data-result type is not expected in API route execution
+  throw new Error(`Unexpected worker response type: ${workerResponse.type}`);
+}
+
+// ---------------------------------------------------------------------------
+// Isolated Execution (Worker Path)
+// ---------------------------------------------------------------------------
+
+function executeAppRouteIsolated(
+  modulePath: string,
+  request: dntShim.Request,
+  match: RouteMatch,
+  pathname: string,
+  adapter: RuntimeAdapter,
+  projectDir: string,
+): Promise<dntShim.Response> {
+  const method = request.method.toUpperCase() as HTTPMethod;
+
+  return withSpan(
+    "api.executeAppRoute.isolated",
+    async () => {
+      try {
+        const pool = getWorkerPool();
+        const serialized = await serializeRequest(request);
+
+        const workerResponse = await pool.execute(
+          projectDir,
+          [projectDir],
+          {
+            type: "execute-app-route",
+            id: dntShim.crypto.randomUUID(),
+            modulePath,
+            method,
+            request: serialized,
+            params: match.params,
+            projectDir,
+            projectEnv: getProjectEnvSnapshot(),
+          },
+        );
+
+        const response = workerResponseToResponse(workerResponse, pathname, adapter);
+        return method === "HEAD" ? toHeadResponse(response) : response;
+      } catch (error) {
+        return handleAPIError(error, pathname, adapter);
+      }
+    },
+    {
+      "http.method": method,
+      "http.path": pathname,
+      "api.route.pattern": match.route.pattern,
+      "api.isolated": true,
+    },
+  );
+}
+
+function executePagesRouteIsolated(
+  modulePath: string,
+  request: dntShim.Request,
+  match: RouteMatch,
+  pathname: string,
+  adapter: RuntimeAdapter,
+  projectDir: string,
+): Promise<dntShim.Response> {
+  const method = request.method as string;
+
+  return withSpan(
+    "api.executePagesRoute.isolated",
+    async () => {
+      try {
+        const pool = getWorkerPool();
+        const body = await readBodyWithSizeGuard(request);
+
+        const workerResponse = await pool.execute(
+          projectDir,
+          [projectDir],
+          {
+            type: "execute-pages-route",
+            id: dntShim.crypto.randomUUID(),
+            modulePath,
+            method,
+            context: {
+              url: request.url,
+              method: request.method,
+              headers: [...request.headers.entries()],
+              body,
+              params: match.params,
+              cookies: parseCookies(request.headers.get("cookie") ?? ""),
+            },
+            projectDir,
+            projectEnv: getProjectEnvSnapshot(),
+          },
+        );
+
+        return workerResponseToResponse(workerResponse, pathname, adapter);
+      } catch (error) {
+        return handleAPIError(error, pathname, adapter);
+      }
+    },
+    {
+      "http.method": method,
+      "http.path": pathname,
+      "api.route.pattern": match.route.pattern,
+      "api.isolated": true,
+    },
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+export interface ExecuteRouteOptions {
+  /** Absolute path to the handler module on disk (for isolated execution) */
+  modulePath?: string;
+  /** Project directory (for isolated execution scope) */
+  projectDir?: string;
+}
+
 export function executeAppRoute(
   handler: APIRoute,
   request: dntShim.Request,
   match: RouteMatch,
   pathname: string,
   adapter: RuntimeAdapter,
+  options?: ExecuteRouteOptions,
 ): Promise<dntShim.Response> {
+  // Isolated path: execute in per-project Worker, fall back to main process on error
+  if (
+    isWorkerIsolationEnabled() &&
+    options?.modulePath &&
+    options?.projectDir
+  ) {
+    return executeAppRouteIsolated(
+      options.modulePath,
+      request,
+      match,
+      pathname,
+      adapter,
+      options.projectDir,
+    );
+  }
+
+  // Default path: execute in main process (existing behavior)
   const method = request.method.toUpperCase() as HTTPMethod;
 
   return withSpan(
@@ -158,7 +397,25 @@ export function executePagesRoute(
   pathname: string,
   adapter: RuntimeAdapter,
   projectDir?: string,
+  options?: ExecuteRouteOptions,
 ): Promise<dntShim.Response> {
+  // Isolated path: execute in per-project Worker, fall back to main process on error
+  if (
+    isWorkerIsolationEnabled() &&
+    options?.modulePath &&
+    (options?.projectDir ?? projectDir)
+  ) {
+    return executePagesRouteIsolated(
+      options.modulePath,
+      request,
+      match,
+      pathname,
+      adapter,
+      options.projectDir ?? projectDir!,
+    );
+  }
+
+  // Default path: execute in main process (existing behavior)
   const method = request.method as keyof APIRoute;
 
   return withSpan(