PyPI - simple-module-hosting - Versions diffs - 0.0.3__tar.gz → 0.0.5__tar.gz - Mend

simple-module-hosting 0.0.3tar.gz → 0.0.5tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: simple_module_hosting
-Version: 0.0.3
+Version: 0.0.5
 Summary: FastAPI + Inertia.js host runtime for simple_module — app_builder, middleware stack, CLI (sm / simple-module), scaffolding
 Project-URL: Homepage, https://github.com/antosubash/simple_module_python
 Project-URL: Repository, https://github.com/antosubash/simple_module_python
@@ -26,8 +26,8 @@ Requires-Dist: fastapi-inertia>=1.0
 Requires-Dist: fastapi>=0.115
 Requires-Dist: httpx>=0.27
 Requires-Dist: jinja2>=3.1
-Requires-Dist: simple-module-core==0.0.3
-Requires-Dist: simple-module-db==0.0.3
+Requires-Dist: simple-module-core==0.0.5
+Requires-Dist: simple-module-db==0.0.5
 Requires-Dist: starlette>=0.44
 Requires-Dist: tomlkit>=0.13
 Requires-Dist: uvicorn[standard]>=0.34

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "simple_module_hosting"
-version = "0.0.3"
+version = "0.0.5"
 description = "FastAPI + Inertia.js host runtime for simple_module — app_builder, middleware stack, CLI (sm / simple-module), scaffolding"
 readme = "README.md"
 license = "MIT"
@@ -26,13 +26,16 @@ dependencies = [
     "fastapi-inertia>=1.0",
     "httpx>=0.27",
     "jinja2>=3.1",
-    "simple_module_core==0.0.3",
-    "simple_module_db==0.0.3",
+    "simple_module_core==0.0.5",
+    "simple_module_db==0.0.5",
     "starlette>=0.44",
     "tomlkit>=0.13",
     "uvicorn[standard]>=0.34",
 ]
+[project.scripts]
+sm-host = "simple_module_hosting.host_cli:app"
 [project.entry-points."simple_module_cli.cli_plugins"]
 host = "simple_module_hosting.host_cli:app"

simple_module_hosting-0.0.5/simple_module_hosting/__main__.py ADDED Viewed

@@ -0,0 +1,14 @@
+"""Module entry point: ``python -m simple_module_hosting`` invokes the host CLI.
+Without this, ``python -m simple_module_hosting.host_cli`` would import the
+module without running the Typer app — silently no-op'ing commands like
+``gen-pages``. Provides the same Typer ``app`` callable that the
+``simple_module_cli.cli_plugins`` entry point exposes as ``sm host``.
+"""
+from __future__ import annotations
+from simple_module_hosting.host_cli import app
+if __name__ == "__main__":
+    app()

simple_module_hosting-0.0.5/simple_module_hosting/_host_services.py ADDED Viewed

@@ -0,0 +1,21 @@
+"""``_HostServices`` container exposed on ``app.state.host``.
+Module-scope so the type is stable across ``create_app`` calls — tests
+that build multiple apps in one process can ``isinstance``-check
+``app.state.host`` against the same class object.
+"""
+from __future__ import annotations
+from dataclasses import dataclass
+from simple_module_hosting.host_settings import HostSettings
+__all__ = ["_HostServices"]
+@dataclass
+class _HostServices:
+    """Container for host-level services exposed on ``app.state.host``."""
+    settings: HostSettings

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/simple_module_hosting/_inertia_setup.py RENAMED Viewed

@@ -57,10 +57,23 @@ def setup_inertia(
     templates = Jinja2Templates(directory=directories)
+    # fastapi-inertia only switches to the asset manifest when environment
+    # equals the literal string "production". Anything else (staging, qa,
+    # ...) would render a /main.tsx <script> tag served by the SPA fallback
+    # as text/html, breaking module loading. Normalize:
+    #   * `development`/`testing` → keep the dev-server path (Vite serves
+    #     /main.tsx directly).
+    #   * Anything else (staging, production, qa, ...) → use the production
+    #     manifest so built assets are referenced.
+    from simple_module_core.environments import NON_PROD_ENVIRONMENTS
+    use_dev_server = settings.environment in NON_PROD_ENVIRONMENTS
+    inertia_environment = "development" if use_dev_server else "production"
     inertia_config = InertiaConfig(
-        environment=settings.environment,
+        environment=inertia_environment,
         version=_INERTIA_VERSION,
-        dev_url=settings.vite_dev_url if settings.is_development else "",
+        dev_url=settings.vite_dev_url if use_dev_server else "",
         templates=templates,
         root_template_filename=_ROOT_TEMPLATE_FILENAME,
         entrypoint_filename=_ENTRYPOINT_FILENAME,

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/simple_module_hosting/_phase_helpers.py RENAMED Viewed

@@ -11,7 +11,8 @@ import logging
 from pathlib import Path
 from typing import TYPE_CHECKING
-from fastapi import FastAPI
+from fastapi import APIRouter, FastAPI
+from fastapi.routing import APIRoute
 from fastapi.staticfiles import StaticFiles
 from inertia import (
     InertiaVersionConflictException,
@@ -158,3 +159,37 @@ def check_settings_registration(app: FastAPI, modules: list) -> list[Diagnostic]
             )
         )
     return diagnostics
+def wire_module_routes(app: FastAPI, module) -> None:
+    """Attach a module's API + view routers to ``app`` using its Meta prefixes.
+    The single canonical implementation so ``create_app`` and the test harness
+    in ``simple_module_test`` stay in lockstep if ``ModuleBase`` ever gains
+    a new router type.
+    Bare-prefix view routes (``view_prefix="/foo"`` + ``@router.get("/")``)
+    are also mounted at the trailing-slash-less form ``"/foo"``. Without this,
+    FastAPI's ``redirect_slashes=True`` fires a 307 to ``"/foo/"``, which
+    clients like httpx strip ``X-Inertia`` from on follow — turning every
+    Inertia navigation into a broken HTML response. Cloning the route at the
+    bare-prefix path serves the same handler directly, no redirect.
+    """
+    api_router = APIRouter(prefix=module.meta.route_prefix, tags=[module.meta.name])
+    view_router = APIRouter(prefix=module.meta.view_prefix, tags=[f"{module.meta.name} Views"])
+    module.register_routes(api_router, view_router)
+    if module.meta.view_prefix:
+        bare_target = f"{module.meta.view_prefix}/"
+        for route in list(view_router.routes):
+            if isinstance(route, APIRoute) and route.path == bare_target:
+                view_router.add_api_route(
+                    "",
+                    route.endpoint,
+                    methods=list(route.methods or {"GET"}),
+                    response_model=route.response_model,
+                    include_in_schema=False,
+                    dependencies=route.dependencies,
+                    name=f"{route.name}__bare",
+                )
+    app.include_router(api_router)
+    app.include_router(view_router)

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/simple_module_hosting/app_builder.py RENAMED Viewed

@@ -2,13 +2,14 @@
 from __future__ import annotations
+import inspect
 import logging
 import os
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
 from pathlib import Path
-from fastapi import APIRouter, FastAPI
+from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
 from simple_module_core.diagnostics import DiagnosticLevel, print_diagnostics, run_diagnostics
 from simple_module_core.discovery import discover_modules, topological_sort
@@ -21,14 +22,17 @@ from simple_module_core.services import Services
 from simple_module_db.listeners import register_listeners
 from simple_module_db.session import init_db
+from simple_module_hosting._host_services import _HostServices
 from simple_module_hosting._inertia_setup import setup_inertia
 from simple_module_hosting._phase_helpers import (
     check_settings_registration,
     install_middleware,
     mount_module_static_dirs,
     register_exception_handlers,
+    wire_module_routes,
 )
 from simple_module_hosting.health import router as health_router
+from simple_module_hosting.host_settings import HostSettings
 from simple_module_hosting.i18n_manifest import build_i18n_registry, emit_frontend_types
 from simple_module_hosting.migrations import check_migrations
 from simple_module_hosting.settings import Settings
@@ -44,39 +48,50 @@ _STATIC_DIR_NAME = "static"
 _ENV_PROJECT_ROOT = "SM_PROJECT_ROOT"
+_PROJECT_ROOT_SENTINELS = ("pyproject.toml", ".env", "alembic.ini")
 def _resolve_project_root() -> Path:
     """Return the project root directory.
-    Prefers the ``SM_PROJECT_ROOT`` environment variable (set by
-    ``host/main.py``) so the framework works even when installed from a
-    wheel into ``site-packages`` — in that layout the fallback walk-up
-    below would escape the package into ``site-packages/..`` and miss
-    ``host/static`` entirely.
+    Prefers the ``SM_PROJECT_ROOT`` environment variable when set.
-    Falls back to ``parents[3]`` for the workspace-install dev loop
-    (simple_module_hosting/ → hosting/ → framework/ → project root).
+    Otherwise walks up from the current working directory looking for a
+    project sentinel (``pyproject.toml``, ``.env`` or ``alembic.ini``). This
+    works whether the framework is installed as a wheel into ``site-packages``
+    or run from a workspace clone.
+    Falls back to ``parents[3]`` for the in-tree dev loop only when the walk
+    finds nothing — which still keeps ``framework/`` users working without
+    setting the env var explicitly.
     """
     override = os.environ.get(_ENV_PROJECT_ROOT)
     if override:
         return Path(override)
+    cwd = Path.cwd().resolve()
+    for candidate in (cwd, *cwd.parents):
+        if any((candidate / s).exists() for s in _PROJECT_ROOT_SENTINELS):
+            return candidate
     return Path(__file__).resolve().parents[3]
 _PROJECT_ROOT = _resolve_project_root()
-def wire_module_routes(app: FastAPI, module) -> None:
-    """Attach a module's API + view routers to ``app`` using its Meta prefixes.
+def _register_event_handlers(mod, event_bus: EventBus, app: FastAPI) -> None:
+    """Dispatch to ``mod.register_event_handlers`` with or without ``app``.
-    The single canonical implementation so ``create_app`` and the test harness
-    in ``simple_module_test`` stay in lockstep if ``ModuleBase`` ever gains
-    a new router type.
+    Back-compat shim for modules that still override the one-arg form
+    ``(self, bus)``; passing ``app=`` to those crashes.
     """
-    api_router = APIRouter(prefix=module.meta.route_prefix, tags=[module.meta.name])
-    view_router = APIRouter(prefix=module.meta.view_prefix, tags=[f"{module.meta.name} Views"])
-    module.register_routes(api_router, view_router)
-    app.include_router(api_router)
-    app.include_router(view_router)
+    sig = inspect.signature(mod.register_event_handlers)
+    accepts_app = "app" in sig.parameters or any(
+        p.kind is inspect.Parameter.VAR_KEYWORD for p in sig.parameters.values()
+    )
+    if accepts_app:
+        mod.register_event_handlers(event_bus, app=app)
+    else:
+        mod.register_event_handlers(event_bus)
 def create_app(settings: Settings | None = None) -> FastAPI:
@@ -198,18 +213,11 @@ def create_app(settings: Settings | None = None) -> FastAPI:
     # AST plugin-free while still hitting the real helper at runtime.
     if hasattr(app.state, "settings"):
         import importlib
-        from dataclasses import dataclass as _dataclass
-        from simple_module_hosting.host_settings import HostSettings
         _register_module_settings = importlib.import_module(
             "settings.registration"
         ).register_module_settings
-        @_dataclass
-        class _HostServices:
-            settings: HostSettings
         _register_module_settings(app, "host", HostSettings, lambda s: _HostServices(settings=s))
     if settings.is_development:
@@ -222,7 +230,7 @@ def create_app(settings: Settings | None = None) -> FastAPI:
         mod.register_menu_items(menu_registry)
         mod.register_permissions(perm_registry)
         mod.register_feature_flags(ff_registry)
-        mod.register_event_handlers(event_bus)
+        _register_event_handlers(mod, event_bus, app)
         mod.register_health_checks(health_registry)
     logger.info(

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/simple_module_hosting/host_cli.py RENAMED Viewed

@@ -45,8 +45,9 @@ def gen_pages(
     modules = discover_modules()
     written = write_module_pages_manifest(modules, host_dir)
     typer.echo(
-        f"Wrote {written['manifest'].name}, {written['generated'].name}, "
-        f"{written['css'].name} to {host_dir}"
+        f"Module pages manifest: {len(modules)} module(s) "
+        f"→ {written['manifest'].name}, {written['generated'].name}, "
+        f"{written['css'].name} in {host_dir}"
     )
@@ -115,3 +116,7 @@ def sync_js_deps(
         return
     result = subprocess.run(cmd, cwd=repo_root, check=False)
     raise typer.Exit(code=result.returncode)
+if __name__ == "__main__":
+    app()

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/simple_module_hosting/middleware.py RENAMED Viewed

@@ -45,7 +45,10 @@ _HEADER_HSTS = "Strict-Transport-Security"
 # Security response header values
 _XCTO_NOSNIFF = "nosniff"
 _XFO_SAMEORIGIN = "SAMEORIGIN"
-_XXSS_BLOCK = "1; mode=block"
+# OWASP/MDN now recommend disabling the legacy XSS auditor — older
+# browser implementations introduced reflected-XSS vectors of their own.
+# Modern protection comes from the CSP below (strict-dynamic + nonces).
+_XXSS_DISABLED = "0"
 _REFERRER_STRICT_ORIGIN = "strict-origin-when-cross-origin"
 __all__ = [
@@ -79,6 +82,11 @@ class SecurityHeadersMiddleware:
         "img-src 'self' data: blob:; "
         "font-src 'self' https://fonts.gstatic.com data:; "
         "connect-src 'self'; "
+        # Allow blob: workers — MapLibre, comlink, web-tree-sitter and most
+        # WASM libs ship their worker as a Blob URL. `child-src` is the
+        # legacy fallback some browsers consult before `worker-src`.
+        "worker-src 'self' blob:; "
+        "child-src 'self' blob:; "
         "frame-ancestors 'self'; "
         "base-uri 'self'; "
         "form-action 'self'"
@@ -104,6 +112,8 @@ class SecurityHeadersMiddleware:
             "img-src 'self' data: blob:; "
             "font-src 'self' https://fonts.gstatic.com data:; "
             f"connect-src 'self' {vite_dev_url} {ws_url}; "
+            "worker-src 'self' blob:; "
+            "child-src 'self' blob:; "
             "frame-ancestors 'self'; "
             "base-uri 'self'; "
             "form-action 'self'"
@@ -130,7 +140,7 @@ class SecurityHeadersMiddleware:
                 headers = MutableHeaders(scope=message)
                 headers[_HEADER_X_CONTENT_TYPE_OPTIONS] = _XCTO_NOSNIFF
                 headers[_HEADER_X_FRAME_OPTIONS] = _XFO_SAMEORIGIN
-                headers[_HEADER_X_XSS_PROTECTION] = _XXSS_BLOCK
+                headers[_HEADER_X_XSS_PROTECTION] = _XXSS_DISABLED
                 headers[_HEADER_REFERRER_POLICY] = _REFERRER_STRICT_ORIGIN
                 if self.csp:
                     headers[_HEADER_CSP] = self.csp

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/tests/test_app.py RENAMED Viewed

@@ -2,8 +2,6 @@
 from __future__ import annotations
-from collections import defaultdict
 import httpx
 import pytest
 from fastapi import FastAPI
@@ -29,12 +27,11 @@ class TestCreateApp:
     async def test_modules_enabled_limits_loaded_modules(self, settings: Settings):
         """Host respects settings.modules_enabled — only listed modules contribute routes."""
-        # Only Auth should be loaded; Products + Dashboard routes must be absent.
+        # Only Auth should be loaded; Dashboard routes must be absent.
         restricted = settings.model_copy(update={"modules_enabled": ["Auth"]})
         app = create_app(restricted)
         paths: set[str] = {str(r.path) for r in app.routes if hasattr(r, "path")}
         # Auth is now contracts-only, so it has no routes — only health remains.
-        assert not any(p.startswith("/api/products") for p in paths)
         assert "/dashboard" not in paths
     async def test_module_static_mounts_become_app_routes(
@@ -117,9 +114,6 @@ class TestRouteRegistration:
         assert "/health/live" in route_paths
         assert "/health/ready" in route_paths
-        assert "/api/products/" in route_paths
-        assert "/api/products/{product_id}" in route_paths
         # Users module owns login, register, etc. Auth module is contracts-only.
         assert "/users/login" in route_paths
@@ -127,19 +121,8 @@ class TestRouteRegistration:
         # landing page at "/" is owned by the host and added in host/main.py,
         # which the create_app fixture doesn't run.
         assert "/dashboard/" in route_paths
-    async def test_products_api_methods(self, app: FastAPI):
-        """Products endpoints should support the correct HTTP methods."""
-        routes_by_path: dict[str, set[str]] = defaultdict(set)
-        for route in app.routes:
-            if hasattr(route, "path") and hasattr(route, "methods"):
-                routes_by_path[route.path].update(route.methods)
-        assert "GET" in routes_by_path.get("/api/products/", set())
-        assert "POST" in routes_by_path.get("/api/products/", set())
-        assert "GET" in routes_by_path.get("/api/products/{product_id}", set())
-        assert "PUT" in routes_by_path.get("/api/products/{product_id}", set())
-        assert "DELETE" in routes_by_path.get("/api/products/{product_id}", set())
+        # Bare-prefix alias — see wire_module_routes for the X-Inertia rationale.
+        assert "/dashboard" in route_paths
 class TestProtectedPages:
@@ -148,18 +131,13 @@ class TestProtectedPages:
         assert resp.status_code == 302
         assert "/users/login" in resp.headers["location"]
-    async def test_products_page_redirects_unauthenticated(self, client: httpx.AsyncClient):
-        resp = await client.get("/products/", follow_redirects=False)
-        assert resp.status_code == 302
-        assert "/users/login" in resp.headers["location"]
 class TestSecurityHeaders:
     async def test_security_headers_present(self, client: httpx.AsyncClient):
         resp = await client.get("/health")
         assert resp.headers["x-content-type-options"] == "nosniff"
         assert resp.headers["x-frame-options"] == "SAMEORIGIN"
-        assert resp.headers["x-xss-protection"] == "1; mode=block"
+        assert resp.headers["x-xss-protection"] == "0"
         assert resp.headers["referrer-policy"] == "strict-origin-when-cross-origin"

{simple_module_hosting-0.0.3 → simple_module_hosting-0.0.5}/tests/test_host_cli.py RENAMED Viewed

@@ -2,8 +2,11 @@
 from __future__ import annotations
+import subprocess
+import sys
 from pathlib import Path
+import pytest
 import typer
 from simple_module_hosting.host_cli import app
 from typer.testing import CliRunner
@@ -26,3 +29,22 @@ def test_gen_pages_errors_on_missing_client_app(tmp_path: Path) -> None:
     result = runner.invoke(app, ["gen-pages", "--host-dir", str(tmp_path / "does-not-exist")])
     assert result.exit_code != 0
     assert "not found" in result.output.lower() or "not found" in (result.stderr or "").lower()
+@pytest.mark.parametrize(
+    "module_target",
+    ["simple_module_hosting", "simple_module_hosting.host_cli"],
+)
+def test_python_dash_m_invocation_runs_cli(module_target: str) -> None:
+    """Both ``python -m simple_module_hosting`` and ``...host_cli`` must invoke
+    the Typer app — without ``__main__.py`` / a ``__name__ == "__main__"`` block
+    these silently no-op'd, breaking the documented ``gen-pages`` workflow.
+    """
+    result = subprocess.run(
+        [sys.executable, "-m", module_target, "--help"],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    assert result.returncode == 0, result.stderr
+    assert "gen-pages" in result.stdout