mirror of https://github.com/stack-auth/stack.git synced 2026-06-30 21:01:54 +08:00

开源的用户管理解决方案，自带前端组件和管理后台。

Go to file

BilalG1 0e1d98b5d0 fix(cli): fall back to installed CLI when npx auto-update fails (#1612 ) ## Problem `hexclave dev` re-execs itself through `npx <pkg>@latest` (`maybeReexecToLatest`) so users always get the latest dashboard without reinstalling. But when that npx run fails, it exits nonzero and we did `process.exit(result.code)` — killing `hexclave dev` even though a perfectly good CLI was already installed locally. This surfaced on Replit, where a user running `hexclave dev` got: ``` npm notice Access denied: Your download has been blocked by the Socket Security Policy. Reason: AI-detected potential malware. npm error code ECOMPROMISED npm error Lock compromised ``` Diagnosis: the user's `pnpm` is aliased to `sfw pnpm` (Socket Firewall), and Replit enforces an org-level Socket Security Policy. Socket blocks the `@hexclave/cli@latest` download (false-positive "AI-detected malware", almost certainly the bundled minified dashboard). The interrupted download breaks npx's reify while it holds its cache lock, which npm reports as `Lock compromised`. The lock message is a downstream symptom; the real failure is the blocked download. The same class of failure (blocked download, npm error, lock contention, offline) all share one shape: npx exits nonzero before our CLI ever runs, and today that takes down `hexclave dev`. ## Fix Use a startup-marker handshake to distinguish the two cases: - The parent passes a temp marker path to the npx child via `STACK_CLI_REEXEC_MARKER`. - The re-exec'd child touches the marker the instant it starts (`signalReexecStartedIfChild`). - After the child exits (`decidePostReexec`): - exited 0, or nonzero with the marker present → our CLI ran; propagate the exit code (real command result). - nonzero without the marker, or npx not spawnable → our CLI never ran; fall back to the installed CLI instead of failing `hexclave dev`. The marker only needs file create/exists (robust on sandboxed/networked filesystems). If the marker can't be created, we preserve the old always-propagate behavior, so there's no spurious-fallback risk. `decidePostReexec` and `signalReexecStartedIfChild` are pure and unit-tested. ## Verification - `pnpm test run src/lib/self-update.test.ts` → 23 passing (added cases for the fallback decision and the marker handshake). - `pnpm typecheck` / `pnpm lint` → clean. - End-to-end: forced a real npx failure (unreachable registry → npx exits nonzero before our CLI runs) and confirmed `hexclave dev` now logs `Auto-update skipped: …; continuing with the installed CLI.` and proceeds into the installed dev path instead of dying. ## Notes / follow-ups (not in this PR) - Workaround for affected users today: `STACK_CLI_NO_AUTO_UPDATE=1` (or `--no-auto-update`) skips the npx download entirely. - Worth reporting the Socket false-positive to socket.dev to allowlist `@hexclave/cli`, and reconsidering shipping a ~165 MB minified dashboard inside the npm tarball (it's what trips AI-malware heuristics and slows cold installs). <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Prevent `hexclave dev` from exiting when `npx @latest` auto-update fails by falling back to the installed CLI. Signal-based aborts now propagate as a nonzero exit (never NaN), so Ctrl-C doesn’t relaunch dev. - Bug Fixes - Fall back to the installed CLI when `npx <pkg>@latest` fails before the CLI starts (firewalls, offline, npm lock errors). Do not fall back when the child is killed by a signal; propagate 128+signum with a safe nonzero fallback if the signum is unknown. - Startup-marker handshake: parent sets `REEXEC_MARKER_ENV` (`HEXCLAVE_CLI_REEXEC_MARKER`); child touches it on start; `decidePostReexec` chooses propagate vs fallback. If the marker can’t be created, keep the old always-propagate behavior. - Scrub the marker env from user commands using the exported constant, covering both Windows and POSIX spawn paths. <sup>Written for commit `cb2635f2ae`. Summary will update on new commits.</sup> <a href="https://cubic.dev/pr/hexclave/hexclave/pull/1612?utm_source=github" target="_blank" rel="noopener noreferrer" data-no-image-dialog="true"><picture><source media="(prefers-color-scheme: dark)" srcset="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img alt="Review in cubic" src="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a> <!-- End of auto-generated description by cubic. --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * Bug Fixes * Updated the `dev` command to prevent internal re-exec environment details from being inherited by user commands. * Improved self-update re-exec fallback logic to better detect whether the CLI actually started, with more reliable exit-code and signal handling. * Tests * Added deterministic test coverage for the post-re-exec decision path and signal/exit propagation scenarios, including early `npx` failures. <!-- end of auto-generated comment: release notes by coderabbit.ai -->		2026-06-19 13:17:07 -07:00
.agents/skills	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
.changeset	Disable changesets changelogs	2026-01-12 15:21:56 -08:00
.claude	Support local dashboard in remote SSH and GH Codespaces (#1538 )	2026-06-04 16:36:17 -07:00
.cursor	Update pre-push.md	2026-06-04 10:44:39 -07:00
.devcontainer	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
.github	feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547 )	2026-06-03 18:57:09 -07:00
.vscode	Make it clear there are more SDK packages	2026-06-16 10:37:58 -07:00
apps	Inject HEXCLAVE_* env vars in dev environment (#1627 )	2026-06-19 13:08:41 -07:00
configs	[Fix] Infinite Loop on handler/sign-in due to useStackApp not being able to find the StackProvider given context (#1248 )	2026-03-12 22:28:47 -07:00
docker	[codex] Add analytics overview filters (#1496 )	2026-06-10 17:50:35 -07:00
docs	chore: update package versions	2026-06-17 20:31:22 +00:00
docs-mintlify	docs: clarify Microsoft OAuth email verification and account types (#1623 )	2026-06-19 13:04:20 -07:00
examples	chore: update package versions	2026-06-17 20:31:22 +00:00
packages	fix(cli): fall back to installed CLI when npx auto-update fails (#1612 )	2026-06-19 13:17:07 -07:00
patches	Fix MS OAuth (#457 )	2025-02-21 19:39:22 +01:00
scripts	[codex] Add skill context to Ask Hexclave (#1605 )	2026-06-18 11:40:02 -07:00
sdks	chore: update package versions	2026-06-17 20:31:22 +00:00
skills/hexclave	feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547 )	2026-06-03 18:57:09 -07:00
.dockerignore	feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547 )	2026-06-03 18:57:09 -07:00
.gitignore	feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547 )	2026-06-03 18:57:09 -07:00
.gitmodules	Update GitHub URL	2026-05-19 10:27:53 -07:00
AGENTS.md	Make it clear there are more SDK packages	2026-06-16 10:37:58 -07:00
CHANGELOG.md	Add 6/12/26 changelog entry (#1589 )	2026-06-16 16:44:03 -07:00
CLAUDE.md	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
CONTRIBUTING.md	Rename port prefix envvar	2026-05-27 18:09:52 -07:00
LICENSE	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481 )	2026-05-26 19:18:20 -07:00
package.json	feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547 )	2026-06-03 18:57:09 -07:00
pnpm-lock.yaml	add platform analytics route to the dashboard (#1626 )	2026-06-19 11:11:06 -07:00
pnpm-workspace.yaml	Fix Docker builds for pnpm v11 (#1532 )	2026-06-02 14:41:18 -07:00
README.md	Add "For AI agents" section to README (#1563 )	2026-06-05 17:01:13 -07:00
skills-lock.json	Auth app redesign (#1367 )	2026-05-19 23:03:46 -07:00
turbo.json	Replace writeConfigObject with AI-aware updateConfigObject (#1537 )	2026-06-15 12:00:24 -07:00
vitest.shared.ts	Fix tests	2026-02-17 19:57:08 -08:00
vitest.workspace.ts	Hosted components (#1229 )	2026-03-10 11:29:05 -07:00

README.md

Hexclave

The user infrastructure platform.

Hexclave handles everything around your users: authentication, teams, payments, emails, analytics, and much more. Start in minutes on the hosted cloud. Your data is always yours to export and self-host.

Website · Docs · Dashboard · Discord

Where Hexclave fits in the infrastructure stack

Get started

Setting up Hexclave is one prompt. Paste this into your coding agent of choice:

Read skill.hexclave.com and help me setup hexclave in this project

For AI agents

If you're an AI coding agent, use your web fetch tool or curl the skill documentation for up-to-date integration instructions:

curl -sSL "https://skill.hexclave.com?question=<your-question>&context=<your-context>"

What's included

Hexclave ships as a catalog of apps you switch on as your product needs them. Each one is built on the same user model, and new apps land regularly.

Authentication

Authentication that just works with passkeys, OAuth, and CLI auth. Drop in one component and ship the whole flow; auth methods toggle from the dashboard with no code changes needed.

Teams

Build for teams, not just users, with workspaces, email invites, and roles that actually gate the work. The workspace switcher remembers selection, invites auto sign up new users, and permissions hold up under audit.

RBAC

Permissions, sorted: roles that nest and one permission check that works the same on server or client. Define them in the dashboard, check them anywhere in your code.

API Keys

API keys without the footguns: leaked keys get auto-revoked, work for users and teams, and show the full secret only once. We never keep the plaintext after creation.

Payments

Payments without the plumbing for subscriptions, one-time charges, and usage metering with credits. Bill a person or a whole team with one model, no separate codepath.

Emails

Email that delivers and tells you so, handling transactional and marketing sends from one API. Edit templates with an AI editor, theme once, and track every open and click.

Analytics

Know your users with no data stack required, with live active user counts and session replays out of the box. Ask in plain English to build dashboards or write SQL to save queries, all with one flag enabled.

Webhooks

React to every user event in real time with signed, tamper-proof webhooks. Retries and backoff are handled for you; verify in five lines and manage endpoints from the dashboard.

Data Vault

A safe for the secrets your users hand you, locked with your secret so we never see the plaintext. Store and retrieve tokens in two lines each, server-only by design.

Launch Checklist

Run through the must-do checks before flipping to production: domain setup, callbacks locked, secrets rotated. The progress tracker keeps your team aligned so nothing critical slips through on launch day.

Contributing

Hexclave is open source, and contributions are welcome. Read CONTRIBUTING.md to get started, and say hello in Discord before picking up anything large. Found a security issue? Email security@hexclave.com.