4 Commits

Author	SHA1	Message	Date
BilalG1	f7e389809e	feat(hexclave): PR 1 — wire compatibility layer (invisible) (#1475) ... ## Summary **Stacked on #1468** (`docs/hexclave-rename-plan` — the plan doc). Diff vs that base = the actual PR 1 code. This is **PR 1 of the Hexclave rebrand: the invisible compatibility layer**. Everything is additive. Old SDKs, old wire identifiers, and old env var names keep working unchanged. The backend dual-accepts and dual-emits; new SDK code emits `x-hexclave-*` headers and the `hexclave_` Bearer prefix; cookies dual-write; env vars dual-read across every category. **No user-visible rebranding lands here** — that's PR 2. See [`RENAME-TO-HEXCLAVE.md`](./RENAME-TO-HEXCLAVE.md) → *"PR 1 implementation guide"* for the full per-work-area spec, file pointers, and chosen approach. ## What's implemented (all 14 PR-1 work-areas) - **SDK export aliases** — `Hexclave*` aliases for the user-facing `Stack*` exports added in `packages/template`; codegen propagates them to `@stackframe/{js,stack,react,tanstack-start}`. React-only aliases correctly excluded from `@stackframe/js`. (`e60550a2`) - **JWT issuer dual-accept** — `decodeAccessToken` accepts both `api.stack-auth.com` and `api.hexclave.com` issuers. Signing unchanged. (`fc781def`) - **Request-header dual-accept** — backend + dashboard proxies normalize `x-hexclave-*` → `x-stack-*` at the existing empty proxy hook (so `smart-request.tsx` and every route schema keep working unchanged); CORS allowlists extended via a derive-once helper. (`2a056eac`) - **MCP `ask_hexclave`** — registered alongside `ask_stack_auth` via a shared helper; `ask_stack_auth` behavior byte-identical. (`30ffd604`) - **Dev-tool** — DOM ids + header emit switched. `window.HexclaveDevTool` exposed alongside `window.StackDevTool`. (`32131ea7`) - **The big consolidated commit** (`7fed864a`): - **Env vars** — central `getEnvVariable` prefix-transform (HEXCLAVE first, STACK fallback); dashboard + template client env files dual-read; `turbo.json` globalEnv; `NEXT_PUBLIC_STACK_PORT_PREFIX` renamed outright across ~82 files including docker. - **Cookies** — dual-write/dual-read auth (`stack-access`/`-refresh-*` and custom-domain variants), OAuth-state (`stack-oauth-{inner,outer}-*`), and low-risk cookies (`stack-is-https`, `stack-last-seen-changelog-version`). Bypass sites patched (backend OAuth callback, dashboard remote-dev auth route, impersonation snippets, snapshot serializer). - **Bearer prefix** — SDK token parser accepts both `stackauth_` and `hexclave_`; emits `hexclave_`. Discovery correction: this is purely SDK-internal — the backend never parses it. - **Response headers** — backend dual-emits `x-hexclave-{request-id,actual-status,known-error}`; SDKs dual-read (new first, stack fallback). - **SDK request-header emit switch** — `client/server/admin-interface.ts` + dashboard `api-headers.ts` + `internal-project-headers.ts` + `feedback-form.tsx` switched to `x-hexclave-*`. Plus `stack_response_mode` query param. - **Storage keys** — dev-tool / cli-auth / oauth-button / docs keys renamed (straight); `stack:session-replay:v1` dual-read so in-progress recordings survive SDK upgrades; `stack_mfa_attempt_code` dual-read. - **Query params** — cross-domain params dual-emit/dual-accept via shared helpers; backend `oauth/authorize` accepts `hexclave_response_mode` and `stack_response_mode`; `stack-init-id` renamed. - **`Symbol.for`** — app-internals symbol gets a parallel `Symbol.for("Hexclave--app-internals")` getter on each attach site (no read-site churn — old symbol still attached). 3 file-private symbols renamed outright. - **Config discovery** — prefer `hexclave.config.ts`, fall back to `stack.config.ts` at every discovery site (CLI / dashboard / backend / local-emulator); `init` writes the new filename; CLI credentials path migrates. - **Internal renames** — `StackAssertionError`, `StackClient/Server/AdminInterface` renamed outright (no alias, per the "internal-only → rename" rule). ~264 files touched. - **Review-pass fixes** (`21217fbe`) — three real bugs found by parallel review agents and fixed: - `snapshot-serializer.ts` was interpolating the whole `keyedCookieNamePrefixes` array (`${arr}`) — adding a second prefix would have corrupted **every** OAuth-cookie snapshot, not just new ones. - **Docker port-prefix producer/consumer mismatch** — `entrypoint.sh`/`run-emulator.sh`/cloud-init `user-data` were still producing `NEXT_PUBLIC_STACK_PORT_PREFIX` while the dashboard sentinel + consumers had been renamed; silent self-host regression (custom port prefix would be ignored). - **Missing `hexclave-oauth-inner-*` dual-write** in the OAuth authorize route — callback's fallback masked it but the dual-write was specified by the plan. - Plus: `mcp.test.ts` tool-list assertions updated to include `ask_hexclave`; two dashboard header-emit sites switched to `x-hexclave-*` for consistency. - **E2E snapshot serializer follow-up** (`4b16cc5d`) — `x-hexclave-request-id` added to the hidden-headers list (mirroring `x-stack-request-id` treatment), and 2 sample inline snapshots regenerated in `projects.test.ts` to include the new dual-emitted headers. ## Verification - **`pnpm typecheck`** — clean (the fresh-worktree `@/.source` / Prisma codegen gap in `stack-docs` is pre-existing and unrelated). - **`pnpm lint`** — 29/29 packages green. - **`pnpm exec turbo run build --filter=./packages/*`** — 13/13 packages build (including `@stackframe/stack-cli` once the dashboard standalone is present). - **Live E2E** against a running backend on `cl/hexclave-pr1`: - `pnpm test run apps/e2e/tests/backend/endpoints/api/v1/internal/mcp.test.ts` — **6/6 pass** (verifies the new `ask_hexclave` tool — the hand-written inline snapshot matched actual MCP server output). - `pnpm test run apps/e2e/tests/backend/endpoints/api/v1/internal/projects.test.ts` — **11/11 pass** (verifies wire dual-accept + dual-emit end-to-end; the snapshot serializer fix was found and applied during this check). A four-agent parallel **review pass** also audited the full diff for logic/runtime bugs across the work-areas (wire headers + JWT, cookies + bearer + symbols, env vars, query params + config + MCP + aliases). All in-slice review verdicts were ✓ except the three bugs listed above, which are now fixed. ## Known follow-ups (out of scope for this PR) - **E2E snapshots across the rest of the suite** — backend now dual-emits `x-hexclave-{known-error,actual-status}` alongside `x-stack-*`, which legitimately appears in inline snapshots throughout `apps/e2e`. Two were regenerated here as a sample; the rest should regen with `vitest -u` in CI. - **Docker shell env vars beyond `PORT_PREFIX`** — `entrypoint.sh` still reads `STACK_*` env vars directly (the JS-side `getEnvVariable` transform doesn't help the shell). JS consumers dual-read so it works in practice; full shell-level dual-read is a deeper self-host follow-up. - **`@stackframe/stack-cli` build ordering** — pre-existing; needs `build:rde-standalone` first. Not affected by this PR. ## Test plan - [ ] CI runs full e2e suite (with `vitest -u` to absorb dual-emit snapshot deltas, then committed back) - [ ] Spot-check: an old SDK build (emitting only `x-stack-*`) still authenticates against the new backend - [ ] Spot-check: a new SDK (emitting `x-hexclave-*` / `Bearer hexclave_*`) still authenticates against an old backend during deploy ordering - [ ] Manual: `npx @stackframe/stack-cli@latest init` (new onboarding entrypoint) generates `hexclave.config.ts` - [ ] Manual: existing `stack.config.ts`-only project still resolves (no migration required) --------- Co-authored-by: bilal <bilal@stack-auth.com>	2026-05-23 17:24:55 -07:00
BilalG1	15faf709f3	stack-cli: explicit --cloud-project-id / --config-file across exec, config, project (#1422) ... ## Summary Reworks the `stack` CLI surface so the cloud-vs-local choice is **explicit at every invocation**, removing the global `--project-id` / `STACK_PROJECT_ID` env var and the local-default `exec` behavior introduced earlier in this branch. ### `stack exec` - Removes `--cloud`, `STACK_EXEC_DEFAULT_TARGET`, and the implicit local default. The CLI now requires **exactly one** of: - `--cloud-project-id <id>` — run against the Stack Auth cloud API - `--config-file <path>` — run against the local emulator project mapped to that absolute config-file path - The `--config-file` branch resolves the project id by calling the existing `GET /api/latest/internal/local-emulator/project` endpoint and matching `absolute_file_path` client-side. No new backend endpoint introduced. ### `stack config pull` / `stack config push` - Both now take `--cloud-project-id <id>` per-command instead of the global flag / `STACK_PROJECT_ID` env. - `config pull --config-file` is **optional**: when omitted, the CLI uses `./stack.config.ts` from the current directory. If neither flag nor cwd file is present, it exits with a clear hint to pass `--config-file` or `cd` into a directory containing `stack.config.ts`. ### `stack project list` - Default (no flags) lists both **cloud and local emulator** projects. Each entry carries a `target: "cloud" | "dev"` field (text format: `<id>\t<displayName>\t[<target>]`). - `--cloud` / `--dev` filter to a single source (mutually exclusive — passing both errors). - On the default code path, an unreachable local emulator emits a single stderr warning (`warning: skipping dev projects — local emulator not reachable …`) and the command still succeeds with cloud results. With `--dev` explicit, the unreachable case hard-errors. ### `stack project create` - Now requires `--cloud` to make the cloud-vs-local choice explicit. There is no local alternative today; the flag exists to surface the decision so a future local-project create doesn't silently change behavior. ### Backend - Bumps the `LIMIT` on `GET /api/latest/internal/local-emulator/project` from 20 → 100 so `project list --dev` doesn't silently truncate. ### Refactors (from earlier in this branch, unchanged here) - Local-emulator paths/ports/PCK polling live in `packages/stack-cli/src/lib/emulator-paths.ts`. - Shared local-emulator admin credentials live in `packages/stack-shared/src/local-emulator.ts`. - `resolveAuth` / `resolveLocalEmulatorAuth` take an explicit `projectId: string` (no more `Flags` parameter). - New `packages/stack-cli/src/lib/local-emulator-client.ts` encapsulates the GET-and-match flow used by both `exec --config-file` and `project list --dev`. ## Breaking changes **Scripts that relied on any of the following must be updated:** | Removed | Replacement | | --- | --- | | Global `--project-id <id>` flag | Per-command `--cloud-project-id <id>` | | `STACK_PROJECT_ID` env var | Per-command `--cloud-project-id <id>` | | `stack exec --cloud` | `stack exec --cloud-project-id <id>` | | `STACK_EXEC_DEFAULT_TARGET=cloud\|local` | `--cloud-project-id <id>` or `--config-file <path>` | | `stack exec` defaulting to local emulator | Explicit `--config-file <path>` required | | `stack project create` without a flag | `stack project create --cloud …` required | ## Test plan - [x] `pnpm lint` (stack-cli, backend, e2e) — clean - [x] `pnpm --filter @stackframe/stack-cli typecheck` — clean - [x] `pnpm --filter @stackframe/stack-cli exec vitest run` — **72/72 passing** (new unit tests: `parseExecTarget`, `resolveConfigFilePathForPull`, `resolveProjectListSources`, `formatProjectList`) - [x] `pnpm test run apps/e2e/tests/general/cli.test.ts` — **73 passing, 4 skipped, 0 failing**. New e2e cases cover: - `exec` with neither flag → errors with "Specify a target" - `exec` with both flags → errors with "not both" - `exec --config-file` with missing file / missing PCK / unreachable API - `exec --config-file` happy path against a real local-emulator backend (gated on `NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=true`) - `config pull` cwd fallback to `./stack.config.ts` - `config pull` with no `--config-file` and no cwd `stack.config.ts` → errors with `Pass --config-file …` - `project list --cloud --dev` together → errors - `project list` default with unreachable emulator → cloud results + single stderr warning - `project create` without `--cloud` → errors - All previously-`--cloud` exec cases ported to `--cloud-project-id` - [x] Manual smoke: `stack exec --help`, `stack project list --cloud --dev`, `stack project create` all emit the expected friendly errors / help text. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * CLI `exec`, `config`, and `project` commands now require explicit targeting via `--cloud-project-id` (cloud) or `--config-file` (local emulator). * `project list` now supports `--cloud` and `--dev` flags to display projects from both sources with target indicators. * Enhanced environment variable validation for emulator service ports with proper fallback handling. * **Bug Fixes** * `project list` now gracefully handles unreachable emulator with warning fallback instead of failure. * **Tests** * Expanded test coverage for project targeting, config file resolution, and emulator connectivity scenarios. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-05-14 17:20:40 -07:00
Mantra	7f8e3df852	feat: add anonRefreshToken to CLI auth flow and enhance session management (#1303) ... - Extended `CliAuthAttempt` with `anonRefreshToken` and a migration. - CLI `POST /auth/cli` accepts optional `anon_refresh_token` (must be an anonymous user's refresh token for the current project). - `POST /auth/cli/complete` supports `mode` `check` (anonymous vs none), `claim-anon-session` (issue tokens for the linked anonymous session), and `complete` (bind the browser session's refresh token to the attempt). Completing clears `anonRefreshToken` on the row. We do **not** merge anonymous account data into the signed-in user (that behavior was removed as a security risk; the anonymous user remains unchanged). - Template CLI confirmation page, stack-cli optional `STACK_CLI_ANON_REFRESH_TOKEN`, SDK/spec updates, and e2e coverage. <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * CLI login supports attaching anonymous sessions and a multi-mode confirm/claim/check flow; CLI tools now surface login codes and remove anon token after use. * Added interactive CLI auth demo page and a CLI simulator script. * Client libraries: prompt flow accepts an optional anon token and a promptLink(url, loginCode) callback. * **Tests** * Expanded end-to-end coverage for anonymous CLI sessions, claim/complete/poll flows, upgrades, and error cases. * **Documentation** * Updated prompt CLI docs/spec to describe new options and callback signature. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-04-14 02:09:35 +00:00
BilalG1	57149bd84b	Stack CLI (#1227) ... <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Added Stack CLI with authentication (login/logout) commands. * Added project management commands to list and create projects. * Added configuration management to pull and push project settings. * Added code execution capability to run JavaScript expressions. * Added initialization command for Stack Auth setup. * **Tests** * Added comprehensive end-to-end test suite for CLI functionality. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-03-09 13:24:15 -07:00