Merge branch 'main' into cp/216-fix-users-link

2026-03-16 20:37:21 +00:00 · 2026-02-28 11:03:54 -06:00
parent eb22289460 224d98879a
commit 6321a9935a
260 changed files with 8084 additions and 3850 deletions
--- a/app/src/modules/ModuleManager.ts
+++ b/app/src/modules/ModuleManager.ts
@@ -87,7 +87,7 @@ export type ModuleManagerOptions = {
   verbosity?: Verbosity;
 };

-const debug_modules = env("modules_debug");
+const debug_modules = env("modules_debug", false);

 abstract class ModuleManagerEvent<A = {}> extends Event<{ ctx: ModuleBuildContext } & A> {}
 export class ModuleManagerConfigUpdateEvent<
@@ -223,7 +223,7 @@ export class ModuleManager {
   }

   extractSecrets() {
-      const moduleConfigs = structuredClone(this.configs());
+      const moduleConfigs = JSON.parse(JSON.stringify(this.configs()));
      const secrets = { ...this.options?.secrets };
      const extractedKeys: string[] = [];

--- a/app/src/modules/db/DbModuleManager.ts
+++ b/app/src/modules/db/DbModuleManager.ts
@@ -1,4 +1,4 @@
-import { mark, stripMark, $console, s, SecretSchema, setPath } from "bknd/utils";
+import { mark, stripMark, $console, s, setPath } from "bknd/utils";
 import { BkndError } from "core/errors";
 import * as $diff from "core/object/diff";
 import type { Connection } from "data/connection";
@@ -290,13 +290,12 @@ export class DbModuleManager extends ModuleManager {
                  updated_at: new Date(),
               });
            }
-         } else if (e instanceof TransformPersistFailedException) {
-            $console.error("ModuleManager: Cannot save invalid config");
-            this.revertModules();
-            throw e;
         } else {
+            if (e instanceof TransformPersistFailedException) {
+               $console.error("ModuleManager: Cannot save invalid config");
+            }
            $console.error("ModuleManager: Aborting");
-            this.revertModules();
+            await this.revertModules();
            throw e;
         }
      }
--- a/app/src/modules/permissions/index.ts
+++ b/app/src/modules/permissions/index.ts
@@ -33,3 +33,5 @@ export const schemaRead = new Permission(
 );
 export const build = new Permission("system.build");
 export const mcp = new Permission("system.mcp");
+export const info = new Permission("system.info");
+export const openapi = new Permission("system.openapi");
--- a/app/src/modules/server/AppServer.ts
+++ b/app/src/modules/server/AppServer.ts
@@ -105,7 +105,10 @@ export class AppServer extends Module<AppServerConfig> {

         if (err instanceof Error) {
            if (isDebug()) {
-               return c.json({ error: err.message, stack: err.stack }, 500);
+               return c.json(
+                  { error: err.message, stack: err.stack?.split("\n").map((line) => line.trim()) },
+                  500,
+               );
            }
         }

--- a/app/src/modules/server/SystemController.ts
+++ b/app/src/modules/server/SystemController.ts
@@ -1,5 +1,3 @@
-/// <reference types="@cloudflare/workers-types" />
-
 import type { App } from "App";
 import {
   datetimeStringLocal,
@@ -125,7 +123,7 @@ export class SystemController extends Controller {
   private registerConfigController(client: Hono<any>): void {
      const { permission } = this.middlewares;
      // don't add auth again, it's already added in getController
-      const hono = this.create(); /* .use(permission(SystemPermissions.configRead)); */
+      const hono = this.create();

      if (!this.app.isReadOnly()) {
         const manager = this.app.modules as DbModuleManager;
@@ -317,6 +315,11 @@ export class SystemController extends Controller {
            summary: "Get the config for a module",
            tags: ["system"],
         }),
+         permission(SystemPermissions.configRead, {
+            context: (c) => ({
+               module: c.req.param("module"),
+            }),
+         }),
         mcpTool("system_config", {
            annotations: {
               readOnlyHint: true,
@@ -354,7 +357,7 @@ export class SystemController extends Controller {

   override getController() {
      const { permission, auth } = this.middlewares;
-      const hono = this.create().use(auth());
+      const hono = this.create().use(auth()).use(permission(SystemPermissions.accessApi, {}));

      this.registerConfigController(hono);

@@ -429,6 +432,9 @@ export class SystemController extends Controller {

      hono.get(
         "/permissions",
+         permission(SystemPermissions.schemaRead, {
+            context: (_c) => ({ module: "auth" }),
+         }),
         describeRoute({
            summary: "Get the permissions",
            tags: ["system"],
@@ -441,6 +447,7 @@ export class SystemController extends Controller {

      hono.post(
         "/build",
+         permission(SystemPermissions.build, {}),
         describeRoute({
            summary: "Build the app",
            tags: ["system"],
@@ -471,6 +478,7 @@ export class SystemController extends Controller {

      hono.get(
         "/info",
+         permission(SystemPermissions.info, {}),
         mcpTool("system_info"),
         describeRoute({
            summary: "Get the server info",
@@ -504,6 +512,7 @@ export class SystemController extends Controller {

      hono.get(
         "/openapi.json",
+         permission(SystemPermissions.openapi, {}),
         openAPISpecs(this.ctx.server, {
            info: {
               title: "bknd API",
@@ -511,7 +520,11 @@ export class SystemController extends Controller {
            },
         }),
      );
-      hono.get("/swagger", swaggerUI({ url: "/api/system/openapi.json" }));
+      hono.get(
+         "/swagger",
+         permission(SystemPermissions.openapi, {}),
+         swaggerUI({ url: "/api/system/openapi.json" }),
+      );

      return hono;
   }