stack/examples/demo/hexclave.config.ts
Mantra 6bbc792fb3
Some checks failed
all-good: Did all the other checks pass? / all-good (push) Has been cancelled
Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled
Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled
Docker Server Build and Run / docker (push) Has been cancelled
Runs E2E API Tests (Local Emulator) / E2E Tests (Local Emulator, Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled
Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled
Runs E2E Fallback Tests / E2E Fallback Tests (Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Lint & build / lint_and_build (24) (push) Has been cancelled
Publish npm packages / publish (push) Has been cancelled
Publish Swift SDK to prerelease repo / publish (push) Has been cancelled
TOC Generator / TOC Generator (push) Has been cancelled
refactor: migrate config parsing from Babel AST to jiti (#1661)
## Summary

Replace `parseHexclaveConfigFileContent` /
`evaluateStaticConfigExpression` (Babel AST walker) with
`evalConfigFileContent` using `jiti.evalModule()`. Move
`renderConfigFileContent` from `hexclave-config-file.ts` →
`config-rendering.ts`.

Added `jiti` dep to `@hexclave/shared` (already used in shared-backend,
dashboard, backend, cli).

Link to Devin session:
https://app.devin.ai/sessions/cb098b1fb62b4dfeaf3324bc2e1377f1
Requested by: @mantrakp04

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Migrates trusted config evaluation to `jiti` and moves GitHub config
edits to a server‑side repo agent running in a Vercel Sandbox with an
apply → review → commit flow. Adds run tracking, safer defaults, and a
dashboard diff review with clear, user‑facing errors.

- **New Features**
- Two‑phase flow and endpoints: POST `/internal/config/github/apply`,
`.../commit`, `.../cancel`, plus GET `.../run`; each run tracked by
`run_id` in `ConfigAgentRun` (status, stage, progress, diff, base
commit, sandbox id). Run ids validated as UUIDs.
- Repo agent runs in a fresh sandboxed clone; warm‑boot via base
snapshot (`apps/backend/scripts/config-agent/build-image.ts`,
`HEXCLAVE_CONFIG_AGENT_BASE_SNAPSHOT_ID`). Captures a unified diff and
base commit, stops the sandbox at review, then rebuilds files from the
stored diff on commit. Returns `commitSha`, uses a safe conflict error,
and strips OAuth tokens from git remotes.
- Dashboard: non‑dismissible progress and diff preview using
`@pierre/diffs` with a cross‑tab run watcher; blocks conflicting edits
and supports cancel/commit review flow. Adds an RDE “apply” path with
progress UI.
- AI proxy defaults to `/api/latest/integrations/ai-proxy` (production
passthrough via `PRODUCTION_AI_PROXY_BASE_URL`); adds
`anthropic/claude-haiku-4.5`.

- **Refactors and Fixes**
- Trusted eval via `@hexclave/shared` `config-eval` using `jiti`;
browser‑safe parsing for untrusted GitHub content; rendering remains in
`config-rendering`. Clear separation of Node‑only code into
`config-eval`.
- Shared agent/updater logic moved to `@hexclave/shared-backend`;
removed deterministic fast path so all writes go through the agent to
preserve authoring. CLI and emulator updated to use `config-eval`.
- Defaults/renames: config file `hexclave.config.ts` (CLI `config pull`
defaults to this path), workflow `hexclave-config-sync.yml`; env
prefixes standardized to `HEXCLAVE_*`.
- Integrity and UX: commit advancement gated to the current linked
repo/branch; cancel clears any captured diff; elapsed timer handles late
starts and the not‑started sentinel; loader vs invalid config export
errors separated for accurate messaging.
- Onboarding and seeds: wizard now uses environment‑based OAuth provider
setup with updated tests; corrected GitHub owner in dummy project
seeding.

<sup>Written for commit 6cf0e899a0.
Summary will update on new commits.</sup>

<a
href="https://cubic.dev/pr/hexclave/hexclave/pull/1661?utm_source=github"
target="_blank" rel="noopener noreferrer"
data-no-image-dialog="true"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://www.cubic.dev/buttons/review-in-cubic-light.svg"><img
alt="Review in cubic"
src="https://www.cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a>

<!-- End of auto-generated description by cubic. -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Refactor**
* Improved configuration file parsing/validation by evaluating config
modules, supporting both string and object-based `config` exports and
ensuring the expected `config` export is present.
* Updated config rendering and import-package detection to consistently
generate the `config` export and handle legacy package entrypoints.
* Tightened handling of non-statically-resolvable forms during update
flows.
* **Tests**
* Updated and extended config parsing/validation tests to reflect the
new evaluation behavior and edge cases.
* **Chores**
  * Added a Jiti-based dependency to support runtime evaluation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: mantra <mantra@stack-auth.com>
2026-06-29 10:25:11 -07:00

149 lines
4.9 KiB
TypeScript

/**
* Hexclave project configuration as code (demo app).
*
* Source of truth for RBAC permissions/roles, auth methods, OAuth providers,
* sign-up rules, API keys, and payment plans. The Hexclave CLI (`hexclave dev`)
* bundles + executes this file and provisions the project to match.
*
* It's wrapped in `defineHexclaveConfig(...)`, so the shared-backend config updater takes
* its AI-agent path (not the deterministic regenerator): dashboard edits are
* reconciled back here while preserving the comments and layout. `null` on any
* value means "reset that key to its default".
*/
import { defineHexclaveConfig } from "@hexclave/next";
export const config = defineHexclaveConfig({
rbac: {
// Fine-grained, composable permissions. Higher-level ones contain the lower
// ones, so a role only needs to grant the top of each chain.
permissions: {
read_content: { description: "View content within the team", scope: "team" },
write_content: {
description: "Create and edit content within the team",
scope: "team",
containedPermissionIds: { read_content: true },
},
invite_members: { description: "Invite new members to the team", scope: "team" },
manage_members: {
description: "Remove members and change their roles",
scope: "team",
containedPermissionIds: { invite_members: true },
},
manage_billing: {
description: "Manage subscriptions, invoices, and payment methods",
scope: "team",
},
team_admin: {
description: "Full administrative control over the team",
scope: "team",
containedPermissionIds: { write_content: true, manage_members: true, manage_billing: true },
},
},
// "Roles" = the default permission sets handed out at each lifecycle moment.
// Team creators become admins; everyone else starts as a reader.
defaultPermissions: {
teamCreator: { team_admin: true },
teamMember: { read_content: true },
signUp: {},
},
},
teams: {
createPersonalTeamOnSignUp: true,
allowClientTeamCreation: true,
},
users: {
allowClientUserDeletion: false,
},
apiKeys: {
enabled: { team: true, user: true },
},
auth: {
allowSignUp: true,
password: { allowSignIn: false },
otp: { allowSignIn: true },
passkey: { allowSignIn: true },
oauth: {
accountMergeStrategy: "link_method",
providers: {
google: { type: "google", allowSignIn: true, allowConnectedAccounts: true },
github: { type: "github", allowSignIn: true, allowConnectedAccounts: true },
microsoft: { type: "microsoft", allowSignIn: false, allowConnectedAccounts: true },
},
},
// Rules are evaluated highest-priority-first; the default action applies when
// nothing matches. Conditions are CEL expressions over the sign-up context.
signUpRules: {
block_example_domain: {
enabled: false,
displayName: "Block example.com domain",
priority: 10,
condition: 'email.endsWith("@example.com")',
action: { type: "reject", message: "Sign-ups from example.com are not allowed" },
},
flag_freemail: {
enabled: false,
displayName: "Flag freemail sign-ups",
priority: 5,
condition: 'emailDomain == "gmail.com"',
action: { type: "log" },
},
},
signUpRulesDefaultAction: "allow",
},
payments: {
blockNewPurchases: false,
// Products within a product line are mutually exclusive (except add-ons).
productLines: {
saas: { displayName: "SaaS Plans", customerType: "user" },
team_plans: { displayName: "Team Plans", customerType: "team" },
},
items: {
api_calls: { displayName: "API Calls", customerType: "user" },
seats: { displayName: "Team Seats", customerType: "team" },
},
products: {
pro: {
displayName: "Pro",
productLineId: "saas",
customerType: "user",
prices: {
monthly: { USD: "20", interval: [1, "month"] },
yearly: { USD: "200", interval: [1, "year"], freeTrial: [14, "day"] },
},
includedItems: {
api_calls: { quantity: 10000, repeat: [1, "month"], expires: "when-repeated" },
},
},
team_pro: {
displayName: "Team Pro",
productLineId: "team_plans",
customerType: "team",
prices: {
monthly: { USD: "99", interval: [1, "month"] },
},
includedItems: {
seats: { quantity: 25, expires: "when-purchase-expires" },
},
},
extra_seats: {
displayName: "Extra Seats",
productLineId: "team_plans",
customerType: "team",
isAddOnTo: { team_pro: true },
stackable: true,
prices: {
per_seat: { USD: "10", interval: [1, "month"] },
},
includedItems: {
seats: { quantity: 1, expires: "when-purchase-expires" },
},
},
},
},
});