simple-module-hosting 0.0.2__tar.gz → 0.0.4__tar.gz

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/.gitignore

@@ -36,6 +36,10 @@ uploads/
 # Vite
 host/static/dist/
 
+# VitePress (docs)
+docs/.vitepress/cache/
+docs/.vitepress/dist/
+
 # Auto-generated frontend module manifest (regenerated by the host at boot
 # or via `make gen-pages`).
 host/client_app/modules.manifest.json

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_hosting
-Version: 0.0.2
+Version: 0.0.4
 Summary: FastAPI + Inertia.js host runtime for simple_module — app_builder, middleware stack, CLI (sm / simple-module), scaffolding
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -26,8 +26,8 @@ Requires-Dist: fastapi-inertia>=1.0
 Requires-Dist: fastapi>=0.115
 Requires-Dist: httpx>=0.27
 Requires-Dist: jinja2>=3.1
-Requires-Dist: simple-module-core==0.0.2
-Requires-Dist: simple-module-db==0.0.2
+Requires-Dist: simple-module-core==0.0.4
+Requires-Dist: simple-module-db==0.0.4
 Requires-Dist: starlette>=0.44
 Requires-Dist: tomlkit>=0.13
 Requires-Dist: uvicorn[standard]>=0.34

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_hosting"
-version = "0.0.2"
+version = "0.0.4"
 description = "FastAPI + Inertia.js host runtime for simple_module — app_builder, middleware stack, CLI (sm / simple-module), scaffolding"
 readme = "README.md"
 license = "MIT"
@@ -26,13 +26,16 @@ dependencies = [
     "fastapi-inertia>=1.0",
     "httpx>=0.27",
     "jinja2>=3.1",
-    "simple_module_core==0.0.2",
-    "simple_module_db==0.0.2",
+    "simple_module_core==0.0.4",
+    "simple_module_db==0.0.4",
     "starlette>=0.44",
     "tomlkit>=0.13",
     "uvicorn[standard]>=0.34",
 ]
 
+[project.scripts]
+sm-host = "simple_module_hosting.host_cli:app"
+
 [project.entry-points."simple_module_cli.cli_plugins"]
 host = "simple_module_hosting.host_cli:app"
 

simple_module_hosting-0.0.4/simple_module_hosting/__main__.py

@@ -0,0 +1,14 @@
+"""Module entry point: ``python -m simple_module_hosting`` invokes the host CLI.
+
+Without this, ``python -m simple_module_hosting.host_cli`` would import the
+module without running the Typer app — silently no-op'ing commands like
+``gen-pages``. Provides the same Typer ``app`` callable that the
+``simple_module_cli.cli_plugins`` entry point exposes as ``sm host``.
+"""
+
+from __future__ import annotations
+
+from simple_module_hosting.host_cli import app
+
+if __name__ == "__main__":
+    app()

simple_module_hosting-0.0.4/simple_module_hosting/_host_services.py

@@ -0,0 +1,21 @@
+"""``_HostServices`` container exposed on ``app.state.host``.
+
+Module-scope so the type is stable across ``create_app`` calls — tests
+that build multiple apps in one process can ``isinstance``-check
+``app.state.host`` against the same class object.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from simple_module_hosting.host_settings import HostSettings
+
+__all__ = ["_HostServices"]
+
+
+@dataclass
+class _HostServices:
+    """Container for host-level services exposed on ``app.state.host``."""
+
+    settings: HostSettings

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/simple_module_hosting/_inertia_setup.py

@@ -57,10 +57,23 @@ def setup_inertia(
 
     templates = Jinja2Templates(directory=directories)
 
+    # fastapi-inertia only switches to the asset manifest when environment
+    # equals the literal string "production". Anything else (staging, qa,
+    # ...) would render a /main.tsx <script> tag served by the SPA fallback
+    # as text/html, breaking module loading. Normalize:
+    #   * `development`/`testing` → keep the dev-server path (Vite serves
+    #     /main.tsx directly).
+    #   * Anything else (staging, production, qa, ...) → use the production
+    #     manifest so built assets are referenced.
+    from simple_module_core.environments import NON_PROD_ENVIRONMENTS
+
+    use_dev_server = settings.environment in NON_PROD_ENVIRONMENTS
+    inertia_environment = "development" if use_dev_server else "production"
+
     inertia_config = InertiaConfig(
-        environment=settings.environment,
+        environment=inertia_environment,
         version=_INERTIA_VERSION,
-        dev_url=settings.vite_dev_url if settings.is_development else "",
+        dev_url=settings.vite_dev_url if use_dev_server else "",
         templates=templates,
         root_template_filename=_ROOT_TEMPLATE_FILENAME,
         entrypoint_filename=_ENTRYPOINT_FILENAME,

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/simple_module_hosting/_phase_helpers.py

@@ -11,7 +11,8 @@ import logging
 from pathlib import Path
 from typing import TYPE_CHECKING
 
-from fastapi import FastAPI
+from fastapi import APIRouter, FastAPI
+from fastapi.routing import APIRoute
 from fastapi.staticfiles import StaticFiles
 from inertia import (
     InertiaVersionConflictException,
@@ -158,3 +159,37 @@ def check_settings_registration(app: FastAPI, modules: list) -> list[Diagnostic]
             )
         )
     return diagnostics
+
+
+def wire_module_routes(app: FastAPI, module) -> None:
+    """Attach a module's API + view routers to ``app`` using its Meta prefixes.
+
+    The single canonical implementation so ``create_app`` and the test harness
+    in ``simple_module_test`` stay in lockstep if ``ModuleBase`` ever gains
+    a new router type.
+
+    Bare-prefix view routes (``view_prefix="/foo"`` + ``@router.get("/")``)
+    are also mounted at the trailing-slash-less form ``"/foo"``. Without this,
+    FastAPI's ``redirect_slashes=True`` fires a 307 to ``"/foo/"``, which
+    clients like httpx strip ``X-Inertia`` from on follow — turning every
+    Inertia navigation into a broken HTML response. Cloning the route at the
+    bare-prefix path serves the same handler directly, no redirect.
+    """
+    api_router = APIRouter(prefix=module.meta.route_prefix, tags=[module.meta.name])
+    view_router = APIRouter(prefix=module.meta.view_prefix, tags=[f"{module.meta.name} Views"])
+    module.register_routes(api_router, view_router)
+    if module.meta.view_prefix:
+        bare_target = f"{module.meta.view_prefix}/"
+        for route in list(view_router.routes):
+            if isinstance(route, APIRoute) and route.path == bare_target:
+                view_router.add_api_route(
+                    "",
+                    route.endpoint,
+                    methods=list(route.methods or {"GET"}),
+                    response_model=route.response_model,
+                    include_in_schema=False,
+                    dependencies=route.dependencies,
+                    name=f"{route.name}__bare",
+                )
+    app.include_router(api_router)
+    app.include_router(view_router)

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/simple_module_hosting/app_builder.py

@@ -2,13 +2,14 @@
 
 from __future__ import annotations
 
+import inspect
 import logging
 import os
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
 from pathlib import Path
 
-from fastapi import APIRouter, FastAPI
+from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
 from simple_module_core.diagnostics import DiagnosticLevel, print_diagnostics, run_diagnostics
 from simple_module_core.discovery import discover_modules, topological_sort
@@ -21,14 +22,17 @@ from simple_module_core.services import Services
 from simple_module_db.listeners import register_listeners
 from simple_module_db.session import init_db
 
+from simple_module_hosting._host_services import _HostServices
 from simple_module_hosting._inertia_setup import setup_inertia
 from simple_module_hosting._phase_helpers import (
     check_settings_registration,
     install_middleware,
     mount_module_static_dirs,
     register_exception_handlers,
+    wire_module_routes,
 )
 from simple_module_hosting.health import router as health_router
+from simple_module_hosting.host_settings import HostSettings
 from simple_module_hosting.i18n_manifest import build_i18n_registry, emit_frontend_types
 from simple_module_hosting.migrations import check_migrations
 from simple_module_hosting.settings import Settings
@@ -44,39 +48,50 @@ _STATIC_DIR_NAME = "static"
 _ENV_PROJECT_ROOT = "SM_PROJECT_ROOT"
 
 
+_PROJECT_ROOT_SENTINELS = ("pyproject.toml", ".env", "alembic.ini")
+
+
 def _resolve_project_root() -> Path:
     """Return the project root directory.
 
-    Prefers the ``SM_PROJECT_ROOT`` environment variable (set by
-    ``host/main.py``) so the framework works even when installed from a
-    wheel into ``site-packages`` — in that layout the fallback walk-up
-    below would escape the package into ``site-packages/..`` and miss
-    ``host/static`` entirely.
+    Prefers the ``SM_PROJECT_ROOT`` environment variable when set.
 
-    Falls back to ``parents[3]`` for the workspace-install dev loop
-    (simple_module_hosting/ → hosting/ → framework/ → project root).
+    Otherwise walks up from the current working directory looking for a
+    project sentinel (``pyproject.toml``, ``.env`` or ``alembic.ini``). This
+    works whether the framework is installed as a wheel into ``site-packages``
+    or run from a workspace clone.
+
+    Falls back to ``parents[3]`` for the in-tree dev loop only when the walk
+    finds nothing — which still keeps ``framework/`` users working without
+    setting the env var explicitly.
     """
     override = os.environ.get(_ENV_PROJECT_ROOT)
     if override:
         return Path(override)
+    cwd = Path.cwd().resolve()
+    for candidate in (cwd, *cwd.parents):
+        if any((candidate / s).exists() for s in _PROJECT_ROOT_SENTINELS):
+            return candidate
     return Path(__file__).resolve().parents[3]
 
 
 _PROJECT_ROOT = _resolve_project_root()
 
 
-def wire_module_routes(app: FastAPI, module) -> None:
-    """Attach a module's API + view routers to ``app`` using its Meta prefixes.
+def _register_event_handlers(mod, event_bus: EventBus, app: FastAPI) -> None:
+    """Dispatch to ``mod.register_event_handlers`` with or without ``app``.
 
-    The single canonical implementation so ``create_app`` and the test harness
-    in ``simple_module_test`` stay in lockstep if ``ModuleBase`` ever gains
-    a new router type.
+    Back-compat shim for modules that still override the one-arg form
+    ``(self, bus)``; passing ``app=`` to those crashes.
     """
-    api_router = APIRouter(prefix=module.meta.route_prefix, tags=[module.meta.name])
-    view_router = APIRouter(prefix=module.meta.view_prefix, tags=[f"{module.meta.name} Views"])
-    module.register_routes(api_router, view_router)
-    app.include_router(api_router)
-    app.include_router(view_router)
+    sig = inspect.signature(mod.register_event_handlers)
+    accepts_app = "app" in sig.parameters or any(
+        p.kind is inspect.Parameter.VAR_KEYWORD for p in sig.parameters.values()
+    )
+    if accepts_app:
+        mod.register_event_handlers(event_bus, app=app)
+    else:
+        mod.register_event_handlers(event_bus)
 
 
 def create_app(settings: Settings | None = None) -> FastAPI:
@@ -198,18 +213,11 @@ def create_app(settings: Settings | None = None) -> FastAPI:
     # AST plugin-free while still hitting the real helper at runtime.
     if hasattr(app.state, "settings"):
         import importlib
-        from dataclasses import dataclass as _dataclass
-
-        from simple_module_hosting.host_settings import HostSettings
 
         _register_module_settings = importlib.import_module(
             "settings.registration"
         ).register_module_settings
 
-        @_dataclass
-        class _HostServices:
-            settings: HostSettings
-
         _register_module_settings(app, "host", HostSettings, lambda s: _HostServices(settings=s))
 
     if settings.is_development:
@@ -222,7 +230,7 @@ def create_app(settings: Settings | None = None) -> FastAPI:
         mod.register_menu_items(menu_registry)
         mod.register_permissions(perm_registry)
         mod.register_feature_flags(ff_registry)
-        mod.register_event_handlers(event_bus)
+        _register_event_handlers(mod, event_bus, app)
         mod.register_health_checks(health_registry)
 
     logger.info(

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/simple_module_hosting/host_cli.py

@@ -45,8 +45,9 @@ def gen_pages(
     modules = discover_modules()
     written = write_module_pages_manifest(modules, host_dir)
     typer.echo(
-        f"Wrote {written['manifest'].name}, {written['generated'].name}, "
-        f"{written['css'].name} to {host_dir}"
+        f"Module pages manifest: {len(modules)} module(s) "
+        f"→ {written['manifest'].name}, {written['generated'].name}, "
+        f"{written['css'].name} in {host_dir}"
     )
 
 
@@ -115,3 +116,7 @@ def sync_js_deps(
         return
     result = subprocess.run(cmd, cwd=repo_root, check=False)
     raise typer.Exit(code=result.returncode)
+
+
+if __name__ == "__main__":
+    app()

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/simple_module_hosting/middleware.py

@@ -45,7 +45,10 @@ _HEADER_HSTS = "Strict-Transport-Security"
 # Security response header values
 _XCTO_NOSNIFF = "nosniff"
 _XFO_SAMEORIGIN = "SAMEORIGIN"
-_XXSS_BLOCK = "1; mode=block"
+# OWASP/MDN now recommend disabling the legacy XSS auditor — older
+# browser implementations introduced reflected-XSS vectors of their own.
+# Modern protection comes from the CSP below (strict-dynamic + nonces).
+_XXSS_DISABLED = "0"
 _REFERRER_STRICT_ORIGIN = "strict-origin-when-cross-origin"
 
 __all__ = [
@@ -79,6 +82,11 @@ class SecurityHeadersMiddleware:
         "img-src 'self' data: blob:; "
         "font-src 'self' https://fonts.gstatic.com data:; "
         "connect-src 'self'; "
+        # Allow blob: workers — MapLibre, comlink, web-tree-sitter and most
+        # WASM libs ship their worker as a Blob URL. `child-src` is the
+        # legacy fallback some browsers consult before `worker-src`.
+        "worker-src 'self' blob:; "
+        "child-src 'self' blob:; "
         "frame-ancestors 'self'; "
         "base-uri 'self'; "
         "form-action 'self'"
@@ -104,6 +112,8 @@ class SecurityHeadersMiddleware:
             "img-src 'self' data: blob:; "
             "font-src 'self' https://fonts.gstatic.com data:; "
             f"connect-src 'self' {vite_dev_url} {ws_url}; "
+            "worker-src 'self' blob:; "
+            "child-src 'self' blob:; "
             "frame-ancestors 'self'; "
             "base-uri 'self'; "
             "form-action 'self'"
@@ -130,7 +140,7 @@ class SecurityHeadersMiddleware:
                 headers = MutableHeaders(scope=message)
                 headers[_HEADER_X_CONTENT_TYPE_OPTIONS] = _XCTO_NOSNIFF
                 headers[_HEADER_X_FRAME_OPTIONS] = _XFO_SAMEORIGIN
-                headers[_HEADER_X_XSS_PROTECTION] = _XXSS_BLOCK
+                headers[_HEADER_X_XSS_PROTECTION] = _XXSS_DISABLED
                 headers[_HEADER_REFERRER_POLICY] = _REFERRER_STRICT_ORIGIN
                 if self.csp:
                     headers[_HEADER_CSP] = self.csp

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/tests/test_app.py

@@ -2,8 +2,6 @@
 
 from __future__ import annotations
 
-from collections import defaultdict
-
 import httpx
 import pytest
 from fastapi import FastAPI
@@ -29,12 +27,11 @@ class TestCreateApp:
 
     async def test_modules_enabled_limits_loaded_modules(self, settings: Settings):
         """Host respects settings.modules_enabled — only listed modules contribute routes."""
-        # Only Auth should be loaded; Products + Dashboard routes must be absent.
+        # Only Auth should be loaded; Dashboard routes must be absent.
         restricted = settings.model_copy(update={"modules_enabled": ["Auth"]})
         app = create_app(restricted)
         paths: set[str] = {str(r.path) for r in app.routes if hasattr(r, "path")}
         # Auth is now contracts-only, so it has no routes — only health remains.
-        assert not any(p.startswith("/api/products") for p in paths)
         assert "/dashboard" not in paths
 
     async def test_module_static_mounts_become_app_routes(
@@ -117,9 +114,6 @@ class TestRouteRegistration:
         assert "/health/live" in route_paths
         assert "/health/ready" in route_paths
 
-        assert "/api/products/" in route_paths
-        assert "/api/products/{product_id}" in route_paths
-
         # Users module owns login, register, etc. Auth module is contracts-only.
         assert "/users/login" in route_paths
 
@@ -127,19 +121,8 @@ class TestRouteRegistration:
         # landing page at "/" is owned by the host and added in host/main.py,
         # which the create_app fixture doesn't run.
         assert "/dashboard/" in route_paths
-
-    async def test_products_api_methods(self, app: FastAPI):
-        """Products endpoints should support the correct HTTP methods."""
-        routes_by_path: dict[str, set[str]] = defaultdict(set)
-        for route in app.routes:
-            if hasattr(route, "path") and hasattr(route, "methods"):
-                routes_by_path[route.path].update(route.methods)
-
-        assert "GET" in routes_by_path.get("/api/products/", set())
-        assert "POST" in routes_by_path.get("/api/products/", set())
-        assert "GET" in routes_by_path.get("/api/products/{product_id}", set())
-        assert "PUT" in routes_by_path.get("/api/products/{product_id}", set())
-        assert "DELETE" in routes_by_path.get("/api/products/{product_id}", set())
+        # Bare-prefix alias — see wire_module_routes for the X-Inertia rationale.
+        assert "/dashboard" in route_paths
 
 
 class TestProtectedPages:
@@ -148,18 +131,13 @@ class TestProtectedPages:
         assert resp.status_code == 302
         assert "/users/login" in resp.headers["location"]
 
-    async def test_products_page_redirects_unauthenticated(self, client: httpx.AsyncClient):
-        resp = await client.get("/products/", follow_redirects=False)
-        assert resp.status_code == 302
-        assert "/users/login" in resp.headers["location"]
-
 
 class TestSecurityHeaders:
     async def test_security_headers_present(self, client: httpx.AsyncClient):
         resp = await client.get("/health")
         assert resp.headers["x-content-type-options"] == "nosniff"
         assert resp.headers["x-frame-options"] == "SAMEORIGIN"
-        assert resp.headers["x-xss-protection"] == "1; mode=block"
+        assert resp.headers["x-xss-protection"] == "0"
         assert resp.headers["referrer-policy"] == "strict-origin-when-cross-origin"
 
 

{simple_module_hosting-0.0.2 → simple_module_hosting-0.0.4}/tests/test_host_cli.py

@@ -2,8 +2,11 @@
 
 from __future__ import annotations
 
+import subprocess
+import sys
 from pathlib import Path
 
+import pytest
 import typer
 from simple_module_hosting.host_cli import app
 from typer.testing import CliRunner
@@ -26,3 +29,22 @@ def test_gen_pages_errors_on_missing_client_app(tmp_path: Path) -> None:
     result = runner.invoke(app, ["gen-pages", "--host-dir", str(tmp_path / "does-not-exist")])
     assert result.exit_code != 0
     assert "not found" in result.output.lower() or "not found" in (result.stderr or "").lower()
+
+
+@pytest.mark.parametrize(
+    "module_target",
+    ["simple_module_hosting", "simple_module_hosting.host_cli"],
+)
+def test_python_dash_m_invocation_runs_cli(module_target: str) -> None:
+    """Both ``python -m simple_module_hosting`` and ``...host_cli`` must invoke
+    the Typer app — without ``__main__.py`` / a ``__name__ == "__main__"`` block
+    these silently no-op'd, breaking the documented ``gen-pages`` workflow.
+    """
+    result = subprocess.run(
+        [sys.executable, "-m", module_target, "--help"],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    assert result.returncode == 0, result.stderr
+    assert "gen-pages" in result.stdout