Merge branch 'dev' into fix/onboarding-migration-test-and-metrics-snapshot

Author: mantrakp04

.gitignore

@@ -140,10 +140,12 @@ packages/js/*
 packages/react/*
 packages/next/*
 packages/stack/*
+packages/tanstack-start/*
 !packages/js/package.json
 !packages/react/package.json
 !packages/next/package.json
 !packages/stack/package.json
+!packages/tanstack-start/package.json
 
 # claude code
 .claude/scheduled_tasks.lock

apps/backend/src/app/api/latest/auth/cli/poll/route.tsx

@@ -1,8 +1,16 @@
-import { getPrismaClientForTenancy } from "@/prisma-client";
+import { Prisma } from "@/generated/prisma/client";
+import { getPrismaClientForTenancy, getPrismaSchemaForTenancy, sqlQuoteIdent } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { adaptSchema, clientOrHigherAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 
+type CliAuthAttemptRow = {
+  id: string,
+  refreshToken: string | null,
+  expiresAt: Date,
+  usedAt: Date | null,
+};
+
 // Helper function to create response
 const createResponse = (status: 'waiting' | 'success' | 'expired' | 'used', refreshToken?: string) => ({
   statusCode: status === 'success' ? 201 : 200,
@@ -38,44 +46,55 @@ export const POST = createSmartRouteHandler({
   }),
   async handler({ auth: { tenancy }, body: { polling_code } }) {
     const prisma = await getPrismaClientForTenancy(tenancy);
+    const schema = await getPrismaSchemaForTenancy(tenancy);
 
-    // Find the CLI auth attempt
-    const cliAuth = await prisma.cliAuthAttempt.findFirst({
-      where: {
-        tenancyId: tenancy.id,
-        pollingCode: polling_code,
-      },
-    });
+    const cliAuthRows = await prisma.$queryRaw<CliAuthAttemptRow[]>(Prisma.sql`
+      SELECT
+        "id",
+        "refreshToken",
+        "expiresAt",
+        "usedAt"
+      FROM ${sqlQuoteIdent(schema)}."CliAuthAttempt"
+      WHERE "tenancyId" = ${tenancy.id}::UUID
+        AND "pollingCode" = ${polling_code}
+      LIMIT 1
+    `);
 
-    if (!cliAuth) {
+    if (cliAuthRows.length === 0) {
       throw new KnownErrors.InvalidPollingCodeError();
     }
+    const cliAuth = cliAuthRows[0];
 
     if (cliAuth.expiresAt < new Date()) {
       return createResponse('expired');
     }
 
-    if (cliAuth.usedAt) {
+    if (cliAuth.usedAt !== null) {
       return createResponse('used');
     }
 
-    if (!cliAuth.refreshToken) {
+    if (cliAuth.refreshToken === null) {
       return createResponse('waiting');
     }
 
-    // Mark as used
-    await prisma.cliAuthAttempt.update({
-      where: {
-        tenancyId_id: {
-          tenancyId: tenancy.id,
-          id: cliAuth.id,
-        },
-      },
-      data: {
-        usedAt: new Date(),
-      },
-    });
+    // Atomically mark as used, claiming the row only if no one else has.
+    // This prevents a TOCTOU race where two concurrent polls could both
+    // read usedAt = null and both receive the same refresh token.
+    const claimed = await prisma.$queryRaw<{ refreshToken: string }[]>(Prisma.sql`
+      UPDATE ${sqlQuoteIdent(schema)}."CliAuthAttempt"
+      SET
+        "usedAt" = NOW(),
+        "updatedAt" = NOW()
+      WHERE "tenancyId" = ${tenancy.id}::UUID
+        AND "id" = ${cliAuth.id}::UUID
+        AND "usedAt" IS NULL
+      RETURNING "refreshToken"
+    `);
+
+    if (claimed.length === 0) {
+      return createResponse('used');
+    }
 
-    return createResponse('success', cliAuth.refreshToken);
+    return createResponse('success', claimed[0].refreshToken);
   },
 });

apps/backend/src/app/api/latest/auth/cli/route.tsx

@@ -25,7 +25,7 @@ export const POST = createSmartRouteHandler({
       tenancy: adaptSchema.defined(),
     }).defined(),
     body: yupObject({
-      expires_in_millis: yupNumber().max(1000 * 60 * 60 * 24).default(1000 * 60 * 120), // Default: 2 hours, max: 24 hours
+      expires_in_millis: yupNumber().max(1000 * 60 * 15).default(1000 * 60 * 2), // Default: 2 minutes, max: 15 minutes
       anon_refresh_token: yupString().optional(),
     }).default({}),
   }),
@@ -41,8 +41,7 @@ export const POST = createSmartRouteHandler({
   async handler({ auth: { tenancy }, body: { expires_in_millis, anon_refresh_token } }) {
     let anonRefreshToken: string | null = null;
 
-    if (anon_refresh_token) {
-      // ProjectUserRefreshToken lives in the global DB (see tokens.tsx and oauth/model.tsx).
+    if (anon_refresh_token != null) {
       const refreshTokenRows = await globalPrismaClient.$queryRaw<RefreshTokenRow[]>(Prisma.sql`
         SELECT "tenancyId", "projectUserId", "expiresAt"
         FROM "ProjectUserRefreshToken"
@@ -58,7 +57,7 @@ export const POST = createSmartRouteHandler({
         throw new StatusError(400, "Anon refresh token does not belong to this project");
       }
 
-      if (refreshTokenObj.expiresAt && refreshTokenObj.expiresAt < new Date()) {
+      if (refreshTokenObj.expiresAt != null && refreshTokenObj.expiresAt < new Date()) {
         throw new StatusError(400, "The provided anon refresh token has expired");
       }
 

apps/backend/src/app/api/latest/internal/local-emulator/project/route.tsx

@@ -4,10 +4,11 @@ import {
   LOCAL_EMULATOR_ADMIN_USER_ID,
   LOCAL_EMULATOR_ONLY_ENDPOINT_MESSAGE,
   LOCAL_EMULATOR_OWNER_TEAM_ID,
-  isLocalEmulatorOnboardingEnabledInConfig,
   isLocalEmulatorEnabled,
+  isLocalEmulatorOnboardingEnabledInConfig,
   readConfigFromFile,
   resolveEmulatorPath,
+  writeConfigToFile,
   writeShowOnboardingConfigToFile,
 } from "@/lib/local-emulator";
 import { DEFAULT_BRANCH_ID, getSoleTenancyFromProjectBranch } from "@/lib/tenancies";
@@ -18,6 +19,7 @@ import {
   projectOnboardingStatusSchema,
   projectOnboardingStatusValues,
   type ProjectOnboardingStatus,
+  yupArray,
   yupBoolean,
   yupNumber,
   yupObject,
@@ -37,6 +39,14 @@ function isProjectOnboardingStatus(value: string): value is ProjectOnboardingSta
   return projectOnboardingStatusValues.some((status) => status === value);
 }
 
+function deriveDisplayLabel(absoluteFilePath: string): string {
+  const base = path.basename(absoluteFilePath);
+  if (base.toLowerCase() === "stack.config.ts") {
+    return path.basename(path.dirname(absoluteFilePath)) || base;
+  }
+  return base;
+}
+
 async function assertLocalEmulatorOwnerTeamReadiness() {
   const internalTenancy = await getSoleTenancyFromProjectBranch("internal", DEFAULT_BRANCH_ID);
   const internalPrisma = await getPrismaClientForTenancy(internalTenancy);
@@ -90,7 +100,7 @@ async function getOrCreateLocalEmulatorProjectId(absoluteFilePath: string): Prom
     update: {},
     create: {
       id: projectId,
-      displayName: `Local Emulator: ${path.basename(absoluteFilePath) || "Project"}`,
+      displayName: `Local Emulator: ${deriveDisplayLabel(absoluteFilePath) || "Project"}`,
       description: `Local emulator project for ${absoluteFilePath}`,
       isProductionMode: false,
       ownerTeamId: LOCAL_EMULATOR_OWNER_TEAM_ID,
@@ -287,14 +297,30 @@ export const POST = createSmartRouteHandler({
     if (!isLocalEmulatorEnabled()) {
       throw new StatusError(StatusError.BadRequest, LOCAL_EMULATOR_ONLY_ENDPOINT_MESSAGE);
     }
-    if (!path.isAbsolute(req.body.absolute_file_path)) {
-      throw new StatusError(StatusError.BadRequest, "absolute_file_path must be an absolute path.");
+    if (!path.posix.isAbsolute(req.body.absolute_file_path)) {
+      const looksWindows = path.win32.isAbsolute(req.body.absolute_file_path);
+      throw new StatusError(
+        StatusError.BadRequest,
+        looksWindows
+          ? "absolute_file_path must be a POSIX absolute path. The local emulator runs in a Linux VM and does not accept Windows-style paths. Use the in-VM path or run the emulator from WSL."
+          : "absolute_file_path must be an absolute path.",
+      );
     }
 
-    const absoluteFilePath = path.resolve(req.body.absolute_file_path);
-    const resolvedFilePath = resolveEmulatorPath(absoluteFilePath);
+    const inputPath = path.resolve(req.body.absolute_file_path);
+    let inputStat;
+    try {
+      inputStat = await fs.stat(resolveEmulatorPath(inputPath));
+    } catch {
+      inputStat = undefined;
+    }
 
-    // Validate file exists before creating a project
+    const looksLikeConfigFile = /\.(ts|js|mjs)$/i.test(inputPath);
+    const absoluteFilePath = (inputStat?.isDirectory() || (!inputStat && !looksLikeConfigFile))
+      ? path.join(inputPath, "stack.config.ts")
+      : inputPath;
+
+    const resolvedFilePath = resolveEmulatorPath(absoluteFilePath);
     let fileExists: boolean;
     try {
       await fs.access(resolvedFilePath);
@@ -303,7 +329,7 @@ export const POST = createSmartRouteHandler({
       fileExists = false;
     }
     if (!fileExists) {
-      throw new StatusError(StatusError.BadRequest, `Config file not found: ${absoluteFilePath}`);
+      await writeConfigToFile(absoluteFilePath, {});
     }
 
     const fileContent = await fs.readFile(resolvedFilePath, "utf-8");
@@ -335,3 +361,71 @@ export const POST = createSmartRouteHandler({
     };
   },
 });
+
+type LocalEmulatorProjectListRow = {
+  projectId: string,
+  absoluteFilePath: string,
+  updatedAt: Date,
+};
+
+export const GET = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+    summary: "List recent local emulator projects",
+    description: "Returns previously opened local emulator project mappings, most-recent first.",
+    tags: ["Local Emulator"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: clientOrHigherAuthTypeSchema.defined(),
+      project: yupObject({
+        id: yupString().oneOf(["internal"]).defined(),
+      }).defined(),
+    }).defined(),
+    method: yupString().oneOf(["GET"]).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: yupObject({
+      projects: yupArray(yupObject({
+        project_id: yupString().defined(),
+        absolute_file_path: yupString().defined(),
+        display_name: yupString().defined(),
+      }).defined()).defined(),
+    }).defined(),
+  }),
+  handler: async () => {
+    if (!isLocalEmulatorEnabled()) {
+      throw new StatusError(StatusError.BadRequest, LOCAL_EMULATOR_ONLY_ENDPOINT_MESSAGE);
+    }
+
+    const rows = await globalPrismaClient.$queryRaw<LocalEmulatorProjectListRow[]>(Prisma.sql`
+      SELECT "projectId", "absoluteFilePath", "updatedAt"
+      FROM "LocalEmulatorProject"
+      ORDER BY "updatedAt" DESC
+      LIMIT 20
+    `);
+
+    const projectIds = rows.map((r) => r.projectId);
+    const projects = projectIds.length > 0
+      ? await globalPrismaClient.project.findMany({
+        where: { id: { in: projectIds } },
+        select: { id: true, displayName: true },
+      })
+      : [];
+    const displayNameById = new Map(projects.map((p) => [p.id, p.displayName]));
+
+    return {
+      statusCode: 200 as const,
+      bodyType: "json" as const,
+      body: {
+        projects: rows.map((r) => ({
+          project_id: r.projectId,
+          absolute_file_path: r.absoluteFilePath,
+          display_name: displayNameById.get(r.projectId) ?? deriveDisplayLabel(r.absoluteFilePath),
+        })),
+      },
+    };
+  },
+});

apps/backend/src/app/api/latest/internal/projects-weekly-users/route.test.tsx

@@ -0,0 +1,66 @@
+import { describe, expect, it } from "vitest";
+import { applyProjectWeeklyUsersRows } from "./route";
+
+describe("internal projects weekly users helpers", () => {
+  it("applies ClickHouse rows through a Map and skips unknown projects", () => {
+    const byProject = new Map([
+      ["project-a", {
+        weekly_users: 0,
+        daily_users: [
+          { date: "2026-05-01", activity: 0 },
+          { date: "2026-05-02", activity: 0 },
+        ],
+      }],
+      ["__proto__", {
+        weekly_users: 0,
+        daily_users: [
+          { date: "2026-05-01", activity: 0 },
+          { date: "2026-05-02", activity: 0 },
+        ],
+      }],
+    ]);
+
+    applyProjectWeeklyUsersRows(
+      byProject,
+      [
+        { projectId: "project-a", day: "1970-01-01", users: 4 },
+        { projectId: "__proto__", day: "1970-01-01", users: 7 },
+        { projectId: "missing-project", day: "1970-01-01", users: 99 },
+        { projectId: "project-a", day: "2026-05-01", users: 2 },
+        { projectId: "__proto__", day: "2026-05-02", users: 5 },
+        { projectId: "missing-project", day: "2026-05-01", users: 99 },
+      ],
+    );
+
+    expect(Object.fromEntries(byProject)).toMatchInlineSnapshot(`
+      {
+        "__proto__": {
+          "daily_users": [
+            {
+              "activity": 0,
+              "date": "2026-05-01",
+            },
+            {
+              "activity": 5,
+              "date": "2026-05-02",
+            },
+          ],
+          "weekly_users": 7,
+        },
+        "project-a": {
+          "daily_users": [
+            {
+              "activity": 2,
+              "date": "2026-05-01",
+            },
+            {
+              "activity": 0,
+              "date": "2026-05-02",
+            },
+          ],
+          "weekly_users": 4,
+        },
+      }
+    `);
+  });
+});