fix(ci,oauth,db): crawl fallback, proxy secret, querylayer auto

Author: linull24

.github/workflows/deploy-pages.yml

@@ -42,12 +42,21 @@ jobs:
       - name: Crawl JWXT snapshots (SSG bundled)
         # Cloud-side fallback only: prefer frontend-first runtime.
         # This step updates SSG-bundled snapshots under `app/static/crawler/data/**`.
+        continue-on-error: true
+        timeout-minutes: 15
         run: |
           if [ -z "${JWXT_USERID:-}" ] || [ -z "${JWXT_PASSWORD:-}" ]; then
             echo "JWXT secrets not set; skip crawl"
             exit 0
           fi
+          set +e
           npm run crawl:jwxt
+          code="$?"
+          set -e
+          if [ "$code" -ne 0 ]; then
+            echo "JWXT crawl failed (code=$code); continue using existing snapshots"
+            exit 0
+          fi
         env:
           JWXT_USERID: ${{ secrets.JWXT_USERID }}
           JWXT_PASSWORD: ${{ secrets.JWXT_PASSWORD }}

app/src/config/queryLayer.ts

@@ -13,7 +13,7 @@ export interface QueryLayerConfig {
 const DEFAULT_CONFIG: QueryLayerConfig = {
 	// NOTE: QueryLayer backs termState/actionLog/solverResult persistence.
 	// Default to DuckDB-Wasm; browser persistence is provided via OPFS-backed db path.
-	engine: resolveEngine(import.meta.env?.VITE_QUERY_LAYER_ENGINE ?? 'duckdb'),
+	engine: resolveEngine(import.meta.env?.VITE_QUERY_LAYER_ENGINE ?? 'auto'),
 	lazyInit: true,
 	strictEngine: resolveBool(import.meta.env?.VITE_QUERY_LAYER_STRICT_ENGINE)
 };

app/src/lib/data/db/createQueryLayer.ts

@@ -12,6 +12,7 @@ export interface QueryLayer {
 
 let dbPromise: Promise<QueryLayer> | null = null;
 let currentEngine: QueryLayerConfig['engine'] | null = null;
+let duckdbFallbackWarned = false;
 
 const duckdbWasmMvp = new URL('@duckdb/duckdb-wasm/dist/duckdb-mvp.wasm', import.meta.url).href;
 const duckdbWasmEh = new URL('@duckdb/duckdb-wasm/dist/duckdb-eh.wasm', import.meta.url).href;
@@ -96,6 +97,22 @@ async function instantiateLayer(config: QueryLayerConfig): Promise<QueryLayer> {
 		// breaking term_state persistence and to keep the app usable.
 		return /^DUCKDB_OPFS_(UNSUPPORTED|LOCKED|OPEN_FAILED)/.test(msg);
 	};
+
+	const warnDuckdbFallback = (error: unknown) => {
+		if (duckdbFallbackWarned) return;
+		duckdbFallbackWarned = true;
+		console.warn('[DB] DuckDB-Wasm 初始化失败，回退至 sql.js', toErrorInfo(error));
+	};
+
+	const canUseDuckdbOpfs = () => {
+		if (!isBrowserEnv()) return false;
+		try {
+			// DuckDB OPFS persistence relies on OPFS Sync Access Handles.
+			return typeof (globalThis as any).FileSystemFileHandle?.prototype?.createSyncAccessHandle === 'function';
+		} catch {
+			return false;
+		}
+	};
 	if (currentEngine && config.engine === currentEngine && dbPromise) {
 		return dbPromise;
 	}
@@ -106,25 +123,24 @@ async function instantiateLayer(config: QueryLayerConfig): Promise<QueryLayer> {
 				return await initDuckDB();
 			} catch (error) {
 				if (config.strictEngine && !shouldForceFallback(error)) throw error;
-				// OPFS access handles are not available in all browsers/contexts; fall back silently.
-				if (!shouldForceFallback(error)) {
-					console.warn('[DB] DuckDB-Wasm 初始化失败，回退至 sql.js', toErrorInfo(error));
-				}
+				warnDuckdbFallback(error);
 				currentEngine = 'sqljs';
 				return createFallbackLayer();
 			}
 		case 'sqljs':
 			currentEngine = 'sqljs';
 			return createFallbackLayer();
 		default:
+			if (!canUseDuckdbOpfs()) {
+				currentEngine = 'sqljs';
+				return createFallbackLayer();
+			}
 			try {
 				currentEngine = 'duckdb';
 				return await initDuckDB();
 			} catch (error) {
 				if (config.strictEngine && !shouldForceFallback(error)) throw error;
-				if (!shouldForceFallback(error)) {
-					console.warn('[DB] DuckDB-Wasm 初始化失败，回退至 sql.js', toErrorInfo(error));
-				}
+				warnDuckdbFallback(error);
 				currentEngine = 'sqljs';
 				return createFallbackLayer();
 			}

oauth-proxy/src/index.ts

@@ -1,5 +1,7 @@
 type Env = {
 	ALLOWED_ORIGINS?: string;
+	GITHUB_CLIENT_ID?: string;
+	GITHUB_CLIENT_SECRET?: string;
 };
 
 function parseAllowedOrigins(raw: string | undefined) {
@@ -59,13 +61,23 @@ async function handleToken(request: Request, env: Env): Promise<Response> {
 		return withCors(request, env, new Response('Missing required fields', { status: 400 }));
 	}
 
+	// Optional hardening: if the worker is configured with a fixed client_id, reject mismatches.
+	const configuredClientId = String(env.GITHUB_CLIENT_ID || '').trim();
+	if (configuredClientId && configuredClientId !== client_id) {
+		return withCors(request, env, new Response('Invalid client_id', { status: 400 }));
+	}
+
+	const params = new URLSearchParams({ client_id, code, redirect_uri, code_verifier });
+	const clientSecret = String(env.GITHUB_CLIENT_SECRET || '').trim();
+	if (clientSecret) params.set('client_secret', clientSecret);
+
 	const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
 		method: 'POST',
 		headers: {
 			Accept: 'application/json',
 			'Content-Type': 'application/x-www-form-urlencoded'
 		},
-		body: new URLSearchParams({ client_id, code, redirect_uri, code_verifier })
+		body: params
 	});
 
 	const bodyText = await tokenResponse.text().catch(() => '');
@@ -83,4 +95,3 @@ export default {
 		return new Response('Not Found', { status: 404 });
 	}
 };
-