Merge remote-tracking branch 'origin/dev' into new-setup

Author: N2D4

apps/backend/.env

@@ -15,7 +15,7 @@ STACK_SEED_INTERNAL_PROJECT_USER_PASSWORD=# default user's password, paired with
 STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=# if the default user has access to the internal dashboard project
 STACK_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=# add github oauth id to the default user
 STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=# default publishable client key for the internal project
-STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=# default secret server key for the internal project
+STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=# default secret server key for the internal project
 STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=# default super secret admin key for the internal project
 
 # OAuth mock provider settings

apps/backend/.env.development

@@ -14,7 +14,7 @@ STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=github,spotify,google,microsoft
 STACK_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=admin@example.com
 STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=true
 STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
-STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
+STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
 STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=this-super-secret-admin-key-is-for-local-development-only
 
 STACK_OAUTH_MOCK_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}14

apps/backend/prisma/seed.ts

@@ -372,8 +372,8 @@ export async function seed() {
     const keySet = {
       publishableClientKey: rawPck || throwErr('STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is not set'),
       secretServerKey: isLocalEmulator
-        ? (process.env.STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY ?? null)
-        : (process.env.STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY is not set')),
+        ? (process.env.STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY ?? null)
+        : (process.env.STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY || throwErr('STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY is not set')),
       superSecretAdminKey: isLocalEmulator
         ? (process.env.STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY ?? null)
         : (process.env.STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY is not set')),

apps/backend/src/app/api/latest/internal/metrics/route.tsx

@@ -21,7 +21,6 @@ import {
   MetricsRecentUserSchema,
 } from "@stackframe/stack-shared/dist/interface/admin-metrics";
 import { captureError, StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
-import { stringCompare } from "@stackframe/stack-shared/dist/utils/strings";
 import { adaptSchema, adminAuthTypeSchema, yupArray, yupNumber, yupObject, yupRecord, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { userFullInclude, userPrismaToCrud, usersCrudHandlers } from "../../users/crud";
 
@@ -123,10 +122,10 @@ async function loadUsersByCountry(tenancy: Tenancy, includeAnonymous: boolean =
   );
 }
 
-// ClickHouse sample size per country. Small enough to keep the event-table
-// scan cheap, large enough for the dashboard globe to pick ~1-5 distinct
-// avatars per country based on the country's visible area.
-const ACTIVE_USERS_BY_COUNTRY_SAMPLE = 8;
+// Max live users returned per country. Small enough to keep the Postgres join
+// cheap, large enough for the dashboard globe and satellite bubbles to pick a
+// few distinct avatars per country.
+const ACTIVE_USERS_BY_COUNTRY_LIMIT = 8;
 // "Live" window used to classify users as currently active for the globe
 // ping layer. Token-refresh fires every few minutes for each open session,
 // so a 2-minute window gives a genuine "who's online right now" read while
@@ -145,27 +144,45 @@ async function loadActiveUsersByCountry(
     query: `
       SELECT
         country_code,
-        groupArraySample({sample:UInt32})(user_id) AS user_ids
+        groupArray(user_id) AS user_ids
       FROM (
         SELECT
-          user_id,
-          argMax(cc, event_at) AS country_code
+          country_code,
+          user_id
         FROM (
           SELECT
+            country_code,
             user_id,
-            event_at,
-            CAST(data.ip_info.country_code, 'Nullable(String)') AS cc,
-            coalesce(CAST(data.is_anonymous, 'Nullable(UInt8)'), 0) AS is_anonymous
-          FROM analytics_internal.events
-          WHERE event_type = '$token-refresh'
-            AND project_id = {projectId:String}
-            AND branch_id = {branchId:String}
-            AND user_id IS NOT NULL
-            AND event_at >= {since:DateTime}
+            row_number() OVER (
+              PARTITION BY country_code
+              ORDER BY last_event_at DESC, user_id ASC
+            ) AS country_rank
+          FROM (
+            SELECT
+              user_id,
+              argMax(cc, event_at) AS country_code,
+              max(event_at) AS last_event_at
+            FROM (
+              SELECT
+                user_id,
+                event_at,
+                CAST(data.ip_info.country_code, 'Nullable(String)') AS cc,
+                coalesce(CAST(data.is_anonymous, 'Nullable(UInt8)'), 0) AS is_anonymous
+              FROM analytics_internal.events
+              WHERE event_type = '$token-refresh'
+                AND project_id = {projectId:String}
+                AND branch_id = {branchId:String}
+                AND user_id IS NOT NULL
+                AND event_at >= {since:DateTime}
+            )
+            WHERE cc IS NOT NULL
+              AND ({includeAnonymous:UInt8} = 1 OR is_anonymous = 0)
+            GROUP BY user_id
+          )
+          WHERE country_code IS NOT NULL
         )
-        WHERE cc IS NOT NULL
-          AND ({includeAnonymous:UInt8} = 1 OR is_anonymous = 0)
-        GROUP BY user_id
+        WHERE country_rank <= {limit:UInt32}
+        ORDER BY country_code ASC, country_rank ASC
       )
       WHERE country_code IS NOT NULL
       GROUP BY country_code
@@ -175,13 +192,13 @@ async function loadActiveUsersByCountry(
       branchId: tenancy.branchId,
       includeAnonymous: includeAnonymous ? 1 : 0,
       since: formatClickhouseDateTimeParam(since),
-      sample: ACTIVE_USERS_BY_COUNTRY_SAMPLE,
+      limit: ACTIVE_USERS_BY_COUNTRY_LIMIT,
     },
     format: "JSONEachRow",
   });
   const rows: { country_code: string, user_ids: string[] }[] = await res.json();
 
-  // Collect every sampled UUID once so we only hit Postgres with a single
+  // Collect every selected UUID once so we only hit Postgres with a single
   // `IN (...)` lookup, then re-attach them to their country buckets.
   const allIds = new Set<string>();
   const countryToIds = new Map<string, string[]>();
@@ -232,15 +249,6 @@ async function loadActiveUsersByCountry(
       if (user != null) users.push(user);
     }
     if (users.length > 0) {
-      // Sort so the response is stable — `groupArraySample()` returns users
-      // in random order, which is fine for the globe UI but flakes snapshot
-      // tests. Primary key is `primary_email` (stable across test runs);
-      // `id` is a tiebreaker for anonymous users where email is null. The
-      // globe doesn't rely on any particular order.
-      users.sort((a, b) => {
-        const emailCmp = stringCompare(a.primary_email ?? "", b.primary_email ?? "");
-        return emailCmp !== 0 ? emailCmp : stringCompare(a.id, b.id);
-      });
       result[country] = users;
     }
   }

apps/backend/src/stack.tsx

@@ -18,6 +18,6 @@ export function getStackServerApp() {
     projectId: 'internal',
     tokenStore: null,
     publishableClientKey: getEnvVariable('STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY'),
-    secretServerKey: getEnvVariable('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY'),
+    secretServerKey: getEnvVariable('STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY'),
   });
 }

docker/local-emulator/qemu/cloud-init/emulator/user-data

@@ -118,7 +118,7 @@ write_files:
         cat /mnt/stack-runtime/base.env
         cat /mnt/stack-runtime/runtime.env
         printf 'STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=%s\n' "$INTERNAL_PCK"
-        printf 'STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$INTERNAL_SSK"
+        printf 'STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$INTERNAL_SSK"
         printf 'STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=%s\n' "$INTERNAL_SAK"
         if [ -n "$EMULATOR_CRON_SECRET" ]; then
           printf 'CRON_SECRET=%s\n' "$EMULATOR_CRON_SECRET"
@@ -503,7 +503,7 @@ write_files:
           --env-file /etc/stack-build.env \
           --env-file /etc/stack-build-computed.env \
           -e STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY="$SMOKE_PCK" \
-          -e STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY="$SMOKE_SSK" \
+          -e STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY="$SMOKE_SSK" \
           -e STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY="$SMOKE_SAK" \
           -e STACK_SKIP_MIGRATIONS=true \
           -e STACK_SKIP_SEED_SCRIPT=true \
@@ -646,7 +646,7 @@ write_files:
 
       exec docker exec \
         -e STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY \
-        -e STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY \
+        -e STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY \
         -e STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY \
         -e CRON_SECRET \
         stack /usr/local/bin/rotate-secrets

docker/local-emulator/qemu/run-emulator.sh

@@ -693,7 +693,7 @@ qga_trigger_fast_rotate() {
   fresh_cron="$(openssl rand -hex 32)"
   payload=$(
     printf 'STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=%s\n' "$fresh_pck"
-    printf 'STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$fresh_ssk"
+    printf 'STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$fresh_ssk"
     printf 'STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=%s\n' "$fresh_sak"
     printf 'CRON_SECRET=%s\n' "$fresh_cron"
   )

docker/local-emulator/rotate-secrets.sh

@@ -38,7 +38,7 @@ if [ -n "${STACK_ROTATE_INPUT:-}" ] && [ -f "$STACK_ROTATE_INPUT" ]; then
 fi
 
 for var in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY \
-           STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY \
+           STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY \
            STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY \
            CRON_SECRET; do
   val="${!var:-}"
@@ -56,12 +56,12 @@ mkdir -p "$(dirname "$OUTPUT")"
 umask 077
 {
   printf 'STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=%s\n' "$STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY"
-  printf 'STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY"
+  printf 'STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=%s\n' "$STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY"
   printf 'STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY"
   printf 'CRON_SECRET=%s\n' "$CRON_SECRET"
   # Mirror these so process.env lookups in Node match env after restart.
   printf 'NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=%s\n' "$STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY"
-  printf 'STACK_SECRET_SERVER_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY"
+  printf 'STACK_SECRET_SERVER_KEY=%s\n' "$STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY"
   printf 'STACK_SUPER_SECRET_ADMIN_KEY=%s\n' "$STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY"
 } > "$OUTPUT"
 chmod 0600 "$OUTPUT"
@@ -92,7 +92,7 @@ if [ -n "${STACK_DATABASE_CONNECTION_STRING:-}" ]; then
   psql "$STACK_DATABASE_CONNECTION_STRING" -v ON_ERROR_STOP=1 <<SQL
 UPDATE "ApiKeySet" SET
   "publishableClientKey" = '${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}',
-  "secretServerKey"      = '${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
+  "secretServerKey"      = '${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
   "superSecretAdminKey"  = '${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}',
   "updatedAt"            = NOW()
 WHERE "projectId" = 'internal' AND id = '3142e763-b230-44b5-8636-aa62f7489c26';

docker/server/entrypoint.sh

@@ -23,23 +23,23 @@ fi
 # ============= ENV VARS =============
 
 if [ "$NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR" = "true" ]; then
-  for v in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
+  for v in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
     if [ -z "${!v:-}" ]; then
       echo "$v must be set in local-emulator mode (injected by the QEMU VM)." >&2
       exit 1
     fi
   done
-  export STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY
+  export STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY
 else
   export STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY:-$(openssl rand -base64 32)}
-  export STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY:-$(openssl rand -base64 32)}
+  export STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY=${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY:-$(openssl rand -base64 32)}
   export STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY:-$(openssl rand -base64 32)}
 fi
 
 export NEXT_PUBLIC_STACK_PROJECT_ID=internal
 export NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}
-if [ -n "${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY:-}" ]; then
-  export STACK_SECRET_SERVER_KEY=${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}
+if [ -n "${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY:-}" ]; then
+  export STACK_SECRET_SERVER_KEY=${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY}
 fi
 if [ -n "${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY:-}" ]; then
   export STACK_SUPER_SECRET_ADMIN_KEY=${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}
@@ -102,7 +102,7 @@ fi
 if [ "$NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR" = "true" ] && [ -n "${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY:-}" ] && [ -n "${STACK_DATABASE_CONNECTION_STRING:-}" ]; then
   # Validate the keys are hex-only to defuse any SQL-injection risk (the VM
   # generates them via `openssl rand -hex 32`, so this is an assert, not a filter).
-  for varname in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
+  for varname in STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY; do
     val="${!varname:-}"
     if [ -z "$val" ]; then
       echo "ERROR: $varname is not set; refusing to bootstrap internal api key set." >&2
@@ -118,7 +118,7 @@ if [ "$NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR" = "true" ] && [ -n "${STACK_INTERNAL
 INSERT INTO "ApiKeySet" ("projectId", id, description, "expiresAt", "createdAt", "updatedAt", "publishableClientKey", "secretServerKey", "superSecretAdminKey")
 VALUES ('internal', '3142e763-b230-44b5-8636-aa62f7489c26', 'Internal API key set', '2099-12-31T23:59:59Z', NOW(), NOW(),
         '${STACK_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}',
-        '${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
+        '${STACK_INTERNAL_PROJECT_SECRET_SERVER_KEY}',
         '${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}')
 ON CONFLICT ("projectId", id) DO UPDATE SET
   "publishableClientKey" = EXCLUDED."publishableClientKey",

packages/stack-shared/src/interface/admin-metrics.ts

@@ -152,12 +152,12 @@ export const UserActivityResponseBodySchema = yupObject({
   data_points: MetricsDataPointsSchema,
 }).defined();
 
-// Sampled "currently live" users keyed by ISO country code. Populated by
-// joining a bounded ClickHouse sample (last N hours of `$token-refresh`
-// events grouped by country) with the corresponding Prisma profile rows, so
-// the overview globe can render real avatars of real users from each
-// country. Optional for one release cycle so clients talking to older
-// servers don't fail validation on the returned body.
+// Recent "currently live" users keyed by ISO country code. Populated by
+// joining a bounded ClickHouse selection from the live `$token-refresh` window
+// with the corresponding Prisma profile rows, so the overview globe can render
+// real avatars of real users from each country. Optional for one release cycle
+// so clients talking to older servers don't fail validation on the returned
+// body.
 export const MetricsActiveUsersByCountrySchema = yupRecord(
   yupString().defined(),
   yupArray(MetricsRecentUserSchema).defined(),