mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-30 21:01:54 +08:00
## Summary
Replace `parseHexclaveConfigFileContent` /
`evaluateStaticConfigExpression` (Babel AST walker) with
`evalConfigFileContent` using `jiti.evalModule()`. Move
`renderConfigFileContent` from `hexclave-config-file.ts` →
`config-rendering.ts`.
Added `jiti` dep to `@hexclave/shared` (already used in shared-backend,
dashboard, backend, cli).
Link to Devin session:
https://app.devin.ai/sessions/cb098b1fb62b4dfeaf3324bc2e1377f1
Requested by: @mantrakp04
<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Migrates trusted config evaluation to `jiti` and moves GitHub config
edits to a server‑side repo agent running in a Vercel Sandbox with an
apply → review → commit flow. Adds run tracking, safer defaults, and a
dashboard diff review with clear, user‑facing errors.
- **New Features**
  - Two‑phase flow and endpoints: POST `/internal/config/github/apply`, `.../commit`, `.../cancel`, plus GET `.../run`; each run tracked by `run_id` in `ConfigAgentRun` (status, stage, progress, diff, base commit, sandbox id). Run ids validated as UUIDs.
  - Repo agent runs in a fresh sandboxed clone; warm‑boot via base snapshot (`apps/backend/scripts/config-agent/build-image.ts`, `HEXCLAVE_CONFIG_AGENT_BASE_SNAPSHOT_ID`). Captures a unified diff and base commit, stops the sandbox at review, then rebuilds files from the stored diff on commit. Returns `commitSha`, uses a safe conflict error, and strips OAuth tokens from git remotes.
  - Dashboard: non‑dismissible progress and diff preview using `@pierre/diffs` with a cross‑tab run watcher; blocks conflicting edits and supports cancel/commit review flow. Adds an RDE “apply” path with progress UI.
  - AI proxy defaults to `/api/latest/integrations/ai-proxy` (production passthrough via `PRODUCTION_AI_PROXY_BASE_URL`); adds `anthropic/claude-haiku-4.5`.
- **Refactors and Fixes**
  - Trusted eval via `@hexclave/shared` `config-eval` using `jiti`; browser‑safe parsing for untrusted GitHub content; rendering remains in `config-rendering`. Clear separation of Node‑only code into `config-eval`.
  - Shared agent/updater logic moved to `@hexclave/shared-backend`; removed deterministic fast path so all writes go through the agent to preserve authoring. CLI and emulator updated to use `config-eval`.
  - Defaults/renames: config file `hexclave.config.ts` (CLI `config pull` defaults to this path), workflow `hexclave-config-sync.yml`; env prefixes standardized to `HEXCLAVE_*`.
  - Integrity and UX: commit advancement gated to the current linked repo/branch; cancel clears any captured diff; elapsed timer handles late starts and the not‑started sentinel; loader vs invalid config export errors separated for accurate messaging.
  - Onboarding and seeds: wizard now uses environment‑based OAuth provider setup with updated tests; corrected GitHub owner in dummy project seeding.
<sup>Written for commit 6cf0e899a0.
Summary will update on new commits.</sup>
<!-- End of auto-generated description by cubic. -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
  * Improved configuration file parsing/validation by evaluating config modules, supporting both string and object-based `config` exports and ensuring the expected `config` export is present.
  * Updated config rendering and import-package detection to consistently generate the `config` export and handle legacy package entrypoints.
  * Tightened handling of non-statically-resolvable forms during update flows.
* **Tests**
  * Updated and extended config parsing/validation tests to reflect the new evaluation behavior and edge cases.
* **Chores**
  * Added a Jiti-based dependency to support runtime evaluation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: mantra <mantra@stack-auth.com>
140 lines
7.5 KiB
Plaintext
```dotenv
NEXT_PUBLIC_HEXCLAVE_API_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}02
NEXT_PUBLIC_HEXCLAVE_DASHBOARD_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}01
NEXT_PUBLIC_HEXCLAVE_HOSTED_HANDLER_DOMAIN_SUFFIX=.localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}09
NEXT_PUBLIC_HEXCLAVE_IS_LOCAL_EMULATOR=false
HEXCLAVE_SERVER_SECRET=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo

HEXCLAVE_CHANGELOG_URL=https://raw.githubusercontent.com/hexclave/hexclave/refs/heads/dev/CHANGELOG.md

HEXCLAVE_SEED_ENABLE_DUMMY_PROJECT=true
HEXCLAVE_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=true
HEXCLAVE_SEED_INTERNAL_PROJECT_OTP_ENABLED=true
HEXCLAVE_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=true
HEXCLAVE_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=github,spotify,google,microsoft
HEXCLAVE_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=admin@example.com
HEXCLAVE_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=true
HEXCLAVE_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
HEXCLAVE_INTERNAL_PROJECT_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
HEXCLAVE_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=this-super-secret-admin-key-is-for-local-development-only

HEXCLAVE_OAUTH_MOCK_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}14
HEXCLAVE_TURNSTILE_SITEVERIFY_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}14/turnstile/siteverify

# Cloudflare Turnstile test keys — always-pass widgets, no real challenges
# See https://developers.cloudflare.com/turnstile/troubleshooting/testing/
NEXT_PUBLIC_HEXCLAVE_BOT_CHALLENGE_SITE_KEY=1x00000000000000000000AA
NEXT_PUBLIC_HEXCLAVE_BOT_CHALLENGE_INVISIBLE_SITE_KEY=1x00000000000000000000BB
HEXCLAVE_TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
# Set to true to disable Turnstile entirely in local development.
# This skips invisible/visible bot challenge flow and removes the Turnstile risk penalty.
HEXCLAVE_DISABLE_BOT_CHALLENGE=false
# Default behavior is to block sign-up if the visible challenge cannot be completed.
# Flip this only when you intentionally want local sign-up to continue during Turnstile outages.
HEXCLAVE_ALLOW_SIGN_UP_ON_VISIBLE_BOT_CHALLENGE_FAILURE=false

HEXCLAVE_GITHUB_CLIENT_ID=MOCK
HEXCLAVE_GITHUB_CLIENT_SECRET=MOCK
HEXCLAVE_GOOGLE_CLIENT_ID=MOCK
HEXCLAVE_GOOGLE_CLIENT_SECRET=MOCK
HEXCLAVE_MICROSOFT_CLIENT_ID=MOCK
HEXCLAVE_MICROSOFT_CLIENT_SECRET=MOCK
HEXCLAVE_SPOTIFY_CLIENT_ID=MOCK
HEXCLAVE_SPOTIFY_CLIENT_SECRET=MOCK

HEXCLAVE_ALLOW_SHARED_OAUTH_ACCESS_TOKENS=true

# Default to enforcing plan limits in local dev so behavior matches prod.
# Flip to "true" to bypass every Stack-Auth-internal plan-limit enforcement
# site (e.g. session_replays, analytics_events, emails_per_month). See
# apps/backend/src/lib/plan-entitlements.ts:arePlanLimitsEnforced.
HEXCLAVE_DISABLE_PLAN_LIMITS=false

HEXCLAVE_DATABASE_CONNECTION_STRING=postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}28/stackframe
HEXCLAVE_DATABASE_REPLICA_CONNECTION_STRING=postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}34/stackframe
HEXCLAVE_DATABASE_REPLICATION_WAIT_STRATEGY=pg-stat-replication

HEXCLAVE_EMAIL_HOST=127.0.0.1
HEXCLAVE_EMAIL_PORT=${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}29
HEXCLAVE_EMAIL_SECURE=false
HEXCLAVE_EMAIL_USERNAME="does not matter, ignored by Inbucket"
HEXCLAVE_EMAIL_PASSWORD="does not matter, ignored by Inbucket"
HEXCLAVE_EMAIL_SENDER=noreply@example.com

HEXCLAVE_ACCESS_TOKEN_EXPIRATION_TIME=60s

HEXCLAVE_DEFAULT_EMAIL_CAPACITY_PER_HOUR=100000

HEXCLAVE_SVIX_SERVER_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}13
HEXCLAVE_SVIX_API_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NTUxNDA2MzksImV4cCI6MTk3MDUwMDYzOSwibmJmIjoxNjU1MTQwNjM5LCJpc3MiOiJzdml4LXNlcnZlciIsInN1YiI6Im9yZ18yM3JiOFlkR3FNVDBxSXpwZ0d3ZFhmSGlyTXUifQ.En8w77ZJWbd0qrMlHHupHUB-4cx17RfzFykseg95SUk

# Trusted reverse proxy for reading real client IP addresses.
# Set to "vercel", "cloudflare", or leave empty/unset for no proxy trust.
HEXCLAVE_TRUSTED_PROXY=

HEXCLAVE_ARTIFICIAL_DEVELOPMENT_DELAY_MS=500

HEXCLAVE_ENABLE_HARDCODED_PASSKEY_CHALLENGE_FOR_TESTING=yes

HEXCLAVE_INTEGRATION_CLIENTS_CONFIG='[{"client_id": "neon-local", "client_secret": "neon-local-secret", "id_token_signed_response_alg": "ES256", "redirect_uris": ["http://localhost:30000/api/v2/identity/authorize", "http://localhost:30000/api/v2/auth/authorize"]}, {"client_id": "custom-local", "client_secret": "custom-local-secret", "id_token_signed_response_alg": "ES256", "redirect_uris": ["http://localhost:30000/api/v2/identity/authorize", "http://localhost:30000/api/v2/auth/authorize"]}]'
CRON_SECRET=mock_cron_secret
HEXCLAVE_FREESTYLE_API_KEY=mock_stack_freestyle_key
HEXCLAVE_VERCEL_SANDBOX_TOKEN=vercel_sandbox_disabled_for_local_development
HEXCLAVE_CONFIG_AGENT_BASE_SNAPSHOT_ID=
HEXCLAVE_OPENAI_API_KEY=mock_openai_api_key
HEXCLAVE_STRIPE_SECRET_KEY=sk_test_mockstripekey
HEXCLAVE_STRIPE_WEBHOOK_SECRET=mock_stripe_webhook_secret
HEXCLAVE_OPENROUTER_API_KEY=FORWARD_TO_PRODUCTION
HEXCLAVE_FEEDBACK_MODE=FORWARD_TO_PRODUCTION
HEXCLAVE_MINTLIFY_MCP_URL=https://stackauth-e0affa27.mintlify.app/mcp
# Email monitor configuration for tests
HEXCLAVE_EMAIL_MONITOR_VERIFICATION_CALLBACK_URL=http://localhost:8101/handler/email-verification
HEXCLAVE_EMAIL_MONITOR_PROJECT_ID=internal
HEXCLAVE_EMAIL_MONITOR_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
HEXCLAVE_EMAIL_MONITOR_RESEND_EMAIL_DOMAIN=stack-generated.example.com
HEXCLAVE_EMAIL_MONITOR_RESEND_EMAIL_API_KEY=this-is-a-fake-key
HEXCLAVE_EMAIL_MONITOR_INBUCKET_API_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}05
HEXCLAVE_EMAIL_MONITOR_USE_INBUCKET=true
HEXCLAVE_EMAIL_MONITOR_SECRET_TOKEN=this-secret-token-is-for-local-development-only

HEXCLAVE_EMAILABLE_API_KEY=

HEXCLAVE_INTERNAL_FEEDBACK_RECIPIENTS=team@hexclave.com

# S3 Configuration for local development using s3mock
HEXCLAVE_S3_ENDPOINT=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}21
HEXCLAVE_S3_REGION=us-east-1
HEXCLAVE_S3_ACCESS_KEY_ID=s3mockroot
HEXCLAVE_S3_SECRET_ACCESS_KEY=s3mockroot
HEXCLAVE_S3_BUCKET=stack-storage
HEXCLAVE_S3_PRIVATE_BUCKET=stack-storage-private

# AWS region defaults to LocalStack
HEXCLAVE_AWS_REGION=us-east-1
HEXCLAVE_AWS_KMS_ENDPOINT=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}24
HEXCLAVE_AWS_ACCESS_KEY_ID=test
HEXCLAVE_AWS_SECRET_ACCESS_KEY=test

# Upstash defaults to one of the pre-build test users of the local emulator
HEXCLAVE_QSTASH_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}25
HEXCLAVE_QSTASH_TOKEN=eyJVc2VySUQiOiJkZWZhdWx0VXNlciIsIlBhc3N3b3JkIjoiZGVmYXVsdFBhc3N3b3JkIn0=
HEXCLAVE_QSTASH_CURRENT_SIGNING_KEY=sig_7kYjw48mhY7kAjqNGcy6cr29RJ6r
HEXCLAVE_QSTASH_NEXT_SIGNING_KEY=sig_5ZB6DVzB1wjE8S6rZ7eenA8Pdnhs

# MCP review tool (SpacetimeDB)
HEXCLAVE_SPACETIMEDB_URI=ws://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}39
HEXCLAVE_SPACETIMEDB_DB_NAME=stack-auth-llm
HEXCLAVE_MCP_LOG_TOKEN=change-me

# Clickhouse
HEXCLAVE_CLICKHOUSE_URL=http://localhost:${NEXT_PUBLIC_HEXCLAVE_PORT_PREFIX:-81}36
HEXCLAVE_CLICKHOUSE_ADMIN_USER=stackframe
HEXCLAVE_CLICKHOUSE_ADMIN_PASSWORD=PASSWORD-PLACEHOLDER--9gKyMxJeMx
HEXCLAVE_CLICKHOUSE_EXTERNAL_PASSWORD=PASSWORD-PLACEHOLDER--EZeHscBMzE

# Managed emails
HEXCLAVE_RESEND_API_KEY=mock_resend_api_key
HEXCLAVE_RESEND_WEBHOOK_SECRET=mock_resend_webhook_secret
HEXCLAVE_DNSIMPLE_API_TOKEN=mock_dnsimple_api_token
HEXCLAVE_DNSIMPLE_ACCOUNT_ID=mock_dnsimple_account_id
HEXCLAVE_DNSIMPLE_API_BASE_URL=https://api.dnsimple.com/v2
```
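The `HEXCLAVE_TRUSTED_PROXY` comment in the file above says forwarded client-IP headers are honoured only for a named proxy and never when the value is empty. As an added illustration (not Hexclave's own code; the header names per proxy and the fail-closed handling of unknown values are assumptions), this resolves the client IP under those rules and ignores spoofable headers otherwise:

```typescript
// Added example, not part of the Hexclave code base. Assumed header names:
// Cloudflare sets `cf-connecting-ip`, Vercel sets `x-real-ip`.
type TrustedProxy = "vercel" | "cloudflare" | "";

// Header each proxy is trusted to set; every other header is client-controlled.
const PROXY_IP_HEADER: Record<Exclude<TrustedProxy, "">, string> = {
  cloudflare: "cf-connecting-ip",
  vercel: "x-real-ip",
};

// Parse the env value the way the .env comment describes: "vercel",
// "cloudflare", or empty/unset for no proxy trust. Unknown values fail closed
// (assumption) so a typo cannot silently make some header trusted.
function parseTrustedProxy(raw: string | undefined): TrustedProxy {
  const v = (raw ?? "").trim().toLowerCase();
  if (v === "vercel" || v === "cloudflare") return v;
  if (v === "") return "";
  throw new Error(`HEXCLAVE_TRUSTED_PROXY: unsupported value "${raw}"`);
}

// Loose syntactic check for an IPv4 or IPv6 literal; rejects injected text
// such as log-forging payloads. Not a full address validator.
function looksLikeIp(s: string): boolean {
  return /^(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F]*(:[0-9a-fA-F]*)+)$/.test(s);
}

// headers: lower-cased header map; socketIp: peer address of the TCP socket.
function resolveClientIp(
  headers: Record<string, string | undefined>,
  socketIp: string,
  trustedProxy: TrustedProxy,
): string {
  // No trusted proxy: any forwarded header is attacker-controlled, ignore it.
  if (trustedProxy === "") return socketIp;
  const raw = headers[PROXY_IP_HEADER[trustedProxy]]?.trim();
  // Proxy is trusted but the header is absent or malformed: fall back to the
  // socket address rather than trusting something else.
  if (!raw || !looksLikeIp(raw)) return socketIp;
  return raw;
}

// Constructed sample request: the client sends a spoofed x-forwarded-for,
// and the (trusted) Cloudflare edge adds cf-connecting-ip.
const SAMPLE_HEADERS: Record<string, string> = {
  "x-forwarded-for": "1.2.3.4",
  "cf-connecting-ip": "198.51.100.23",
};
const SAMPLE_SOCKET_IP = "203.0.113.7";
```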