mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-13 21:01:21 +08:00
f7e389809e
Some checks failed
all-good: Did all the other checks pass? / all-good (push) Has been cancelled
Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled
DB migration compat / Check if migrations changed (push) Has been cancelled
Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled
Docker Server Build and Run / docker (push) Has been cancelled
Runs E2E API Tests (Local Emulator) / E2E Tests (Local Emulator, Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled
Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled
Runs E2E Fallback Tests / E2E Fallback Tests (Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Lint & build / lint_and_build (24) (push) Has been cancelled
TOC Generator / TOC Generator (push) Has been cancelled
DB migration compat / Back-compat — Current branch migrations with ${{ needs.check-migrations-changed.outputs.base_branch }} branch code (push) Has been cancelled
DB migration compat / Forward-compat — Current branch code with ${{ needs.check-migrations-changed.outputs.base_branch }} branch migrations (push) Has been cancelled
DB migration compat / No migration changes (skipped) (push) Has been cancelled
## Summary
**Stacked on #1468** (`docs/hexclave-rename-plan` — the plan doc). Diff
vs that base = the actual PR 1 code.
This is **PR 1 of the Hexclave rebrand: the invisible compatibility
layer**. Everything is additive. Old SDKs, old wire identifiers, and old
env var names keep working unchanged. The backend dual-accepts and
dual-emits; new SDK code emits `x-hexclave-*` headers and the
`hexclave_` Bearer prefix; cookies dual-write; env vars dual-read across
every category. **No user-visible rebranding lands here** — that's PR 2.
See [`RENAME-TO-HEXCLAVE.md`](./RENAME-TO-HEXCLAVE.md) → *"PR 1
implementation guide"* for the full per-work-area spec, file pointers,
and chosen approach.
## What's implemented (all 14 PR-1 work-areas)
- **SDK export aliases** — `Hexclave*` aliases for the user-facing
`Stack*` exports added in `packages/template`; codegen propagates them
to `@stackframe/{js,stack,react,tanstack-start}`. React-only aliases
correctly excluded from `@stackframe/js`. (`e60550a2`)
- **JWT issuer dual-accept** — `decodeAccessToken` accepts both
`api.stack-auth.com` and `api.hexclave.com` issuers. Signing unchanged.
(`fc781def`)
- **Request-header dual-accept** — backend + dashboard proxies normalize
`x-hexclave-*` → `x-stack-*` at the existing empty proxy hook (so
`smart-request.tsx` and every route schema keep working unchanged); CORS
allowlists extended via a derive-once helper. (`2a056eac`)
- **MCP `ask_hexclave`** — registered alongside `ask_stack_auth` via a
shared helper; `ask_stack_auth` behavior byte-identical. (`30ffd604`)
- **Dev-tool** — DOM ids + header emit switched.
`window.HexclaveDevTool` exposed alongside `window.StackDevTool`.
(`32131ea7`)
- **The big consolidated commit** (`7fed864a`):
- **Env vars** — central `getEnvVariable` prefix-transform (HEXCLAVE
first, STACK fallback); dashboard + template client env files dual-read;
`turbo.json` globalEnv; `NEXT_PUBLIC_STACK_PORT_PREFIX` renamed outright
across ~82 files including docker.
- **Cookies** — dual-write/dual-read auth (`stack-access`/`-refresh-*`
and custom-domain variants), OAuth-state
(`stack-oauth-{inner,outer}-*`), and low-risk cookies (`stack-is-https`,
`stack-last-seen-changelog-version`). Bypass sites patched (backend
OAuth callback, dashboard remote-dev auth route, impersonation snippets,
snapshot serializer).
- **Bearer prefix** — SDK token parser accepts both `stackauth_` and
`hexclave_`; emits `hexclave_`. Discovery correction: this is purely
SDK-internal — the backend never parses it.
- **Response headers** — backend dual-emits
`x-hexclave-{request-id,actual-status,known-error}`; SDKs dual-read (new
first, stack fallback).
- **SDK request-header emit switch** —
`client/server/admin-interface.ts` + dashboard `api-headers.ts` +
`internal-project-headers.ts` + `feedback-form.tsx` switched to
`x-hexclave-*`. Plus `stack_response_mode` query param.
- **Storage keys** — dev-tool / cli-auth / oauth-button / docs keys
renamed (straight); `stack:session-replay:v1` dual-read so in-progress
recordings survive SDK upgrades; `stack_mfa_attempt_code` dual-read.
- **Query params** — cross-domain params dual-emit/dual-accept via
shared helpers; backend `oauth/authorize` accepts
`hexclave_response_mode` and `stack_response_mode`; `stack-init-id`
renamed.
- **`Symbol.for`** — app-internals symbol gets a parallel
`Symbol.for("Hexclave--app-internals")` getter on each attach site (no
read-site churn — old symbol still attached). 3 file-private symbols
renamed outright.
- **Config discovery** — prefer `hexclave.config.ts`, fall back to
`stack.config.ts` at every discovery site (CLI / dashboard / backend /
local-emulator); `init` writes the new filename; CLI credentials path
migrates.
- **Internal renames** — `StackAssertionError`,
`StackClient/Server/AdminInterface` renamed outright (no alias, per the
"internal-only → rename" rule). ~264 files touched.
- **Review-pass fixes** (`21217fbe`) — three real bugs found by parallel
review agents and fixed:
- `snapshot-serializer.ts` was interpolating the whole
`keyedCookieNamePrefixes` array (`${arr}`) — adding a second prefix
would have corrupted **every** OAuth-cookie snapshot, not just new ones.
- **Docker port-prefix producer/consumer mismatch** —
`entrypoint.sh`/`run-emulator.sh`/cloud-init `user-data` were still
producing `NEXT_PUBLIC_STACK_PORT_PREFIX` while the dashboard sentinel +
consumers had been renamed; silent self-host regression (custom port
prefix would be ignored).
- **Missing `hexclave-oauth-inner-*` dual-write** in the OAuth authorize
route — callback's fallback masked it but the dual-write was specified
by the plan.
- Plus: `mcp.test.ts` tool-list assertions updated to include
`ask_hexclave`; two dashboard header-emit sites switched to
`x-hexclave-*` for consistency.
- **E2E snapshot serializer follow-up** (`4b16cc5d`) —
`x-hexclave-request-id` added to the hidden-headers list (mirroring
`x-stack-request-id` treatment), and 2 sample inline snapshots
regenerated in `projects.test.ts` to include the new dual-emitted
headers.
## Verification
- **`pnpm typecheck`** — clean (the fresh-worktree `@/.source` / Prisma
codegen gap in `stack-docs` is pre-existing and unrelated).
- **`pnpm lint`** — 29/29 packages green.
- **`pnpm exec turbo run build --filter=./packages/*`** — 13/13 packages
build (including `@stackframe/stack-cli` once the dashboard standalone
is present).
- **Live E2E** against a running backend on `cl/hexclave-pr1`:
- `pnpm test run
apps/e2e/tests/backend/endpoints/api/v1/internal/mcp.test.ts` — **6/6
pass** (verifies the new `ask_hexclave` tool — the hand-written inline
snapshot matched actual MCP server output).
- `pnpm test run
apps/e2e/tests/backend/endpoints/api/v1/internal/projects.test.ts` —
**11/11 pass** (verifies wire dual-accept + dual-emit end-to-end; the
snapshot serializer fix was found and applied during this check).
A four-agent parallel **review pass** also audited the full diff for
logic/runtime bugs across the work-areas (wire headers + JWT, cookies +
bearer + symbols, env vars, query params + config + MCP + aliases). All
in-slice review verdicts were ✓ except the three bugs listed above,
which are now fixed.
## Known follow-ups (out of scope for this PR)
- **E2E snapshots across the rest of the suite** — backend now
dual-emits `x-hexclave-{known-error,actual-status}` alongside
`x-stack-*`, which legitimately appears in inline snapshots throughout
`apps/e2e`. Two were regenerated here as a sample; the rest should regen
with `vitest -u` in CI.
- **Docker shell env vars beyond `PORT_PREFIX`** — `entrypoint.sh` still
reads `STACK_*` env vars directly (the JS-side `getEnvVariable`
transform doesn't help the shell). JS consumers dual-read so it works in
practice; full shell-level dual-read is a deeper self-host follow-up.
- **`@stackframe/stack-cli` build ordering** — pre-existing; needs
`build:rde-standalone` first. Not affected by this PR.
## Test plan
- [ ] CI runs full e2e suite (with `vitest -u` to absorb dual-emit
snapshot deltas, then committed back)
- [ ] Spot-check: an old SDK build (emitting only `x-stack-*`) still
authenticates against the new backend
- [ ] Spot-check: a new SDK (emitting `x-hexclave-*` / `Bearer
hexclave_*`) still authenticates against an old backend during deploy
ordering
- [ ] Manual: `npx @stackframe/stack-cli@latest init` (new onboarding
entrypoint) generates `hexclave.config.ts`
- [ ] Manual: existing `stack.config.ts`-only project still resolves (no
migration required)
---------
Co-authored-by: bilal <bilal@stack-auth.com>
278 lines
9.8 KiB
TypeScript
278 lines
9.8 KiB
TypeScript
/**
|
|
* CEL Visual Parser
|
|
*
|
|
* Converts simple CEL expressions (with AND/OR) to a visual tree structure
|
|
* and back to CEL strings. Supports nested AND/OR groups.
|
|
*
|
|
* Supported condition types:
|
|
* - email == "value" / email != "value"
|
|
* - email.endsWith("@domain.com")
|
|
* - email.matches("regex")
|
|
* - countryCode == "US" / countryCode in ["US", "CA"]
|
|
* - emailDomain == "domain.com" / emailDomain in ["d1", "d2"]
|
|
* - authMethod == "password" / authMethod in ["password", "otp"]
|
|
* - oauthProvider == "google" / oauthProvider in ["google", "github"]
|
|
* - riskScores.bot > 80 / riskScores.free_trial_abuse >= 60
|
|
*/
|
|
|
|
import { normalizeCountryCode } from "@stackframe/stack-shared/dist/schema-fields";
|
|
import { type ConditionField, type ConditionOperator, conditionFields, escapeCelString, fieldMetadata, isNumericField, unescapeCelString, validateNumericFieldValue } from "@stackframe/stack-shared/dist/utils/cel-fields";
|
|
import { HexclaveAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
|
|
|
|
export type { ConditionField, ConditionOperator } from "@stackframe/stack-shared/dist/utils/cel-fields";
|
|
|
|
export type ConditionNode = {
|
|
type: 'condition',
|
|
id: string,
|
|
field: ConditionField,
|
|
operator: ConditionOperator,
|
|
value: string | number | string[],
|
|
};
|
|
|
|
export type GroupNode = {
|
|
type: 'group',
|
|
id: string,
|
|
operator: 'and' | 'or',
|
|
children: (ConditionNode | GroupNode)[],
|
|
};
|
|
|
|
export type RuleNode = ConditionNode | GroupNode;
|
|
|
|
|
|
// ── Node factories ─────────────────────────────────────────────────────
|
|
|
|
function generateNodeId(): string {
|
|
return `node-${Math.random().toString(36).slice(2, 11)}`;
|
|
}
|
|
|
|
export function createEmptyCondition(): ConditionNode {
|
|
return { type: 'condition', id: generateNodeId(), field: 'email', operator: 'equals', value: '' };
|
|
}
|
|
|
|
export function createEmptyGroup(operator: 'and' | 'or' = 'and'): GroupNode {
|
|
return { type: 'group', id: generateNodeId(), operator, children: [] };
|
|
}
|
|
|
|
|
|
// ── Tree → CEL ─────────────────────────────────────────────────────────
|
|
|
|
const comparisonSymbols: Record<string, string> = {
|
|
equals: '==',
|
|
not_equals: '!=',
|
|
greater_than: '>',
|
|
greater_or_equal: '>=',
|
|
less_than: '<',
|
|
less_or_equal: '<=',
|
|
};
|
|
|
|
const stringMethodNames: Record<string, string> = {
|
|
matches: 'matches',
|
|
ends_with: 'endsWith',
|
|
starts_with: 'startsWith',
|
|
contains: 'contains',
|
|
};
|
|
|
|
export function visualTreeToCel(node: RuleNode): string {
|
|
return node.type === 'condition' ? conditionToCel(node) : groupToCel(node);
|
|
}
|
|
|
|
function normalizeConditionValue(condition: ConditionNode): ConditionNode['value'] {
|
|
if (condition.field !== 'countryCode') return condition.value;
|
|
if (typeof condition.value === 'number') {
|
|
throw new HexclaveAssertionError(`Invalid numeric value for countryCode: ${condition.value}. Country codes must be strings.`);
|
|
}
|
|
return Array.isArray(condition.value)
|
|
? condition.value.map(normalizeCountryCode)
|
|
: normalizeCountryCode(condition.value);
|
|
}
|
|
|
|
function conditionToCel(condition: ConditionNode): string {
|
|
const { field, operator } = condition;
|
|
const value = normalizeConditionValue(condition);
|
|
|
|
// Numeric comparisons: field >= 42
|
|
if (operator in comparisonSymbols && isNumericField(field)) {
|
|
const err = validateNumericFieldValue(field, String(value));
|
|
if (err) throw new HexclaveAssertionError(err);
|
|
return `${field} ${comparisonSymbols[operator]} ${typeof value === 'number' ? value : Number(value)}`;
|
|
}
|
|
|
|
// String equality/inequality: field == "value"
|
|
if (operator === 'equals' || operator === 'not_equals') {
|
|
const symbol = comparisonSymbols[operator];
|
|
return `${field} ${symbol} "${escapeCelString(String(value))}"`;
|
|
}
|
|
|
|
// String methods: field.contains("value")
|
|
if (operator in stringMethodNames) {
|
|
return `${field}.${stringMethodNames[operator]}("${escapeCelString(String(value))}")`;
|
|
}
|
|
|
|
// In-list: field in ["a", "b"]
|
|
if (operator === 'in_list') {
|
|
if (Array.isArray(value)) {
|
|
const items = value.map(v => `"${escapeCelString(String(v))}"`).join(', ');
|
|
return `${field} in [${items}]`;
|
|
}
|
|
return `${field} == "${escapeCelString(String(value))}"`;
|
|
}
|
|
|
|
// Fallback
|
|
return `${field} == "${escapeCelString(String(value))}"`;
|
|
}
|
|
|
|
function groupToCel(group: GroupNode): string {
|
|
if (group.children.length === 0) return 'true';
|
|
if (group.children.length === 1) return visualTreeToCel(group.children[0]);
|
|
|
|
const celOperator = group.operator === 'and' ? ' && ' : ' || ';
|
|
return group.children.map(child => {
|
|
const expr = visualTreeToCel(child);
|
|
return child.type === 'group' && child.operator !== group.operator ? `(${expr})` : expr;
|
|
}).join(celOperator);
|
|
}
|
|
|
|
|
|
// ── CEL → Tree ─────────────────────────────────────────────────────────
|
|
|
|
export function parseCelToVisualTree(cel: string): RuleNode | null {
|
|
try {
|
|
const trimmed = cel.trim();
|
|
if (!trimmed || trimmed === 'true') {
|
|
return { type: 'group', id: generateNodeId(), operator: 'and', children: [] };
|
|
}
|
|
return parseExpression(trimmed);
|
|
} catch (e) {
|
|
console.warn('Failed to parse CEL expression:', e);
|
|
return null;
|
|
}
|
|
}
|
|
|
|
function parseExpression(expr: string): RuleNode | null {
|
|
const trimmed = expr.trim();
|
|
|
|
// Unwrap fully-parenthesized expressions
|
|
if (trimmed.startsWith('(') && trimmed.endsWith(')')) {
|
|
let depth = 0;
|
|
let isWrapped = true;
|
|
for (let i = 0; i < trimmed.length - 1; i++) {
|
|
if (trimmed[i] === '(') depth++;
|
|
if (trimmed[i] === ')') depth--;
|
|
if (depth === 0 && i < trimmed.length - 1) {
|
|
isWrapped = false;
|
|
break;
|
|
}
|
|
}
|
|
if (isWrapped) return parseExpression(trimmed.slice(1, -1));
|
|
}
|
|
|
|
// Try OR then AND at top level
|
|
for (const [op, logicalOp] of [['||', 'or'], ['&&', 'and']] as const) {
|
|
const parts = splitByOperator(trimmed, op);
|
|
if (parts.length > 1) {
|
|
const children = parts.map(p => parseExpression(p));
|
|
if (children.some(c => c === null)) return null;
|
|
return { type: 'group', id: generateNodeId(), operator: logicalOp, children: children as RuleNode[] };
|
|
}
|
|
}
|
|
|
|
return parseCondition(trimmed);
|
|
}
|
|
|
|
function splitByOperator(expr: string, operator: string): string[] {
|
|
const parts: string[] = [];
|
|
let current = '';
|
|
let depth = 0;
|
|
let inString = false;
|
|
let stringChar = '';
|
|
|
|
for (let i = 0; i < expr.length; i++) {
|
|
const char = expr[i];
|
|
|
|
if ((char === '"' || char === "'") && (i === 0 || expr[i - 1] !== '\\')) {
|
|
if (!inString) {
|
|
inString = true;
|
|
stringChar = char;
|
|
} else if (char === stringChar) {
|
|
inString = false;
|
|
}
|
|
}
|
|
|
|
if (!inString) {
|
|
if (char === '(' || char === '[') depth++;
|
|
if (char === ')' || char === ']') depth--;
|
|
|
|
if (depth === 0 && expr.slice(i, i + operator.length) === operator) {
|
|
if (current.trim()) parts.push(current.trim());
|
|
current = '';
|
|
i += operator.length - 1;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
current += char;
|
|
}
|
|
|
|
if (current.trim()) parts.push(current.trim());
|
|
return parts;
|
|
}
|
|
|
|
function isConditionField(field: string): field is ConditionField {
|
|
return (conditionFields as string[]).includes(field);
|
|
}
|
|
|
|
function isValidFieldOperator(field: string, operator: ConditionOperator): field is ConditionField {
|
|
return isConditionField(field) && fieldMetadata[field].operators.includes(operator);
|
|
}
|
|
|
|
// Regex patterns for parsing conditions. Order matters: >= before >, <= before <
|
|
const numericComparisonParsers = [
|
|
{ re: /^([\w.]+)\s*>=\s*(-?\d+(?:\.\d+)?)$/, op: 'greater_or_equal' },
|
|
{ re: /^([\w.]+)\s*<=\s*(-?\d+(?:\.\d+)?)$/, op: 'less_or_equal' },
|
|
{ re: /^([\w.]+)\s*>\s*(-?\d+(?:\.\d+)?)$/, op: 'greater_than' },
|
|
{ re: /^([\w.]+)\s*<\s*(-?\d+(?:\.\d+)?)$/, op: 'less_than' },
|
|
{ re: /^([\w.]+)\s*==\s*(-?\d+(?:\.\d+)?)$/, op: 'equals' },
|
|
{ re: /^([\w.]+)\s*!=\s*(-?\d+(?:\.\d+)?)$/, op: 'not_equals' },
|
|
] as const;
|
|
|
|
const stringConditionParsers = [
|
|
{ re: /^([\w.]+)\s*==\s*"((?:\\.|[^"\\])*)"$/, op: 'equals' },
|
|
{ re: /^([\w.]+)\s*!=\s*"((?:\\.|[^"\\])*)"$/, op: 'not_equals' },
|
|
{ re: /^([\w.]+)\.matches\("((?:\\.|[^"\\])*)"\)$/, op: 'matches' },
|
|
{ re: /^([\w.]+)\.endsWith\("((?:\\.|[^"\\])*)"\)$/, op: 'ends_with' },
|
|
{ re: /^([\w.]+)\.startsWith\("((?:\\.|[^"\\])*)"\)$/, op: 'starts_with' },
|
|
{ re: /^([\w.]+)\.contains\("((?:\\.|[^"\\])*)"\)$/, op: 'contains' },
|
|
] as const;
|
|
|
|
function parseCondition(expr: string): ConditionNode | null {
|
|
const trimmed = expr.trim();
|
|
|
|
// Numeric comparisons: field >= 42
|
|
for (const { re, op } of numericComparisonParsers) {
|
|
const m = trimmed.match(re);
|
|
if (m && isConditionField(m[1]) && isNumericField(m[1]) && isValidFieldOperator(m[1], op)) {
|
|
return { type: 'condition', id: generateNodeId(), field: m[1], operator: op, value: Number(m[2]) };
|
|
}
|
|
}
|
|
|
|
// String conditions: field == "value", field.contains("value"), etc.
|
|
for (const { re, op } of stringConditionParsers) {
|
|
const m = trimmed.match(re);
|
|
if (m && isValidFieldOperator(m[1], op)) {
|
|
return { type: 'condition', id: generateNodeId(), field: m[1], operator: op, value: unescapeCelString(m[2]) };
|
|
}
|
|
}
|
|
|
|
// In-list: field in ["a", "b"]
|
|
const inListMatch = trimmed.match(/^([\w.]+)\s+in\s+\[([^\]]*)\]$/);
|
|
if (inListMatch && isValidFieldOperator(inListMatch[1], 'in_list')) {
|
|
const items = inListMatch[2].split(',').map(s => s.trim()).filter(Boolean).map(s => {
|
|
const m = s.match(/^["']((?:\\.|[^"\\])*)["']$/);
|
|
return m ? unescapeCelString(m[1]) : s;
|
|
});
|
|
return { type: 'condition', id: generateNodeId(), field: inListMatch[1], operator: 'in_list', value: items };
|
|
}
|
|
|
|
return null;
|
|
}
|