Harden secret store error handling

- handle platform file errors more safely
- resolve catalog overrides during server publish

Author: juliusmarminge

apps/server/scripts/cli.ts

@@ -14,6 +14,22 @@ import { resolveCatalogDependencies } from "../../../scripts/lib/resolve-catalog
 import rootPackageJson from "../../../package.json" with { type: "json" };
 import serverPackageJson from "../package.json" with { type: "json" };
 
+interface PackageJson {
+  name: string;
+  repository: {
+    type: string;
+    url: string;
+    directory: string;
+  };
+  bin: Record<string, string>;
+  type: string;
+  version: string;
+  engines: Record<string, string>;
+  files: string[];
+  dependencies: Record<string, string>;
+  overrides: Record<string, string>;
+}
+
 class CliError extends Data.TaggedError("CliError")<{
   readonly message: string;
   readonly cause?: unknown;
@@ -192,22 +208,28 @@ const publishCmd = Command.make(
           // Resolve catalog dependencies before any file mutations. If this throws,
           // acquire fails and no release hook runs, so filesystem must still be untouched.
           const version = Option.getOrElse(config.appVersion, () => serverPackageJson.version);
-          const pkg = {
+          const pkg: PackageJson = {
             name: serverPackageJson.name,
             repository: serverPackageJson.repository,
             bin: serverPackageJson.bin,
             type: serverPackageJson.type,
             version,
             engines: serverPackageJson.engines,
             files: serverPackageJson.files,
-            dependencies: serverPackageJson.dependencies as Record<string, unknown>,
+            dependencies: serverPackageJson.dependencies,
+            overrides: rootPackageJson.overrides,
           };
 
           pkg.dependencies = resolveCatalogDependencies(
             pkg.dependencies,
             rootPackageJson.workspaces.catalog,
             "apps/server dependencies",
           );
+          pkg.overrides = resolveCatalogDependencies(
+            pkg.overrides,
+            rootPackageJson.workspaces.catalog,
+            "root overrides",
+          );
 
           const original = yield* fs.readFileString(packageJsonPath);
           yield* fs.writeFileString(backupPath, original);

apps/server/src/auth/Layers/ServerSecretStore.ts

@@ -1,6 +1,6 @@
 import * as Crypto from "node:crypto";
 
-import { Effect, FileSystem, Layer, Path } from "effect";
+import { Effect, FileSystem, Layer, Path, Predicate } from "effect";
 import * as PlatformError from "effect/PlatformError";
 
 import { ServerConfig } from "../../config.ts";
@@ -28,17 +28,14 @@ export const makeServerSecretStore = Effect.gen(function* () {
 
   const resolveSecretPath = (name: string) => path.join(serverConfig.secretsDir, `${name}.bin`);
 
-  const isMissingSecretFileError = (cause: unknown): cause is PlatformError.PlatformError =>
-    cause instanceof PlatformError.PlatformError && cause.reason._tag === "NotFound";
-
-  const isAlreadyExistsSecretFileError = (cause: unknown): cause is PlatformError.PlatformError =>
-    cause instanceof PlatformError.PlatformError && cause.reason._tag === "AlreadyExists";
+  const isPlatformError = (u: unknown): u is PlatformError.PlatformError =>
+    Predicate.isTagged(u, "PlatformError");
 
   const get: ServerSecretStoreShape["get"] = (name) =>
     fileSystem.readFile(resolveSecretPath(name)).pipe(
       Effect.map((bytes) => Uint8Array.from(bytes)),
       Effect.catch((cause) =>
-        isMissingSecretFileError(cause)
+        cause.reason._tag === "NotFound"
           ? Effect.succeed(null)
           : Effect.fail(
               new SecretStoreError({
@@ -108,7 +105,7 @@ export const makeServerSecretStore = Effect.gen(function* () {
         return create(name, generated).pipe(
           Effect.as(Uint8Array.from(generated)),
           Effect.catchTag("SecretStoreError", (error) =>
-            isAlreadyExistsSecretFileError(error.cause)
+            isPlatformError(error.cause) && error.cause.reason._tag === "AlreadyExists"
               ? get(name).pipe(
                   Effect.flatMap((created) =>
                     created !== null
@@ -129,7 +126,7 @@ export const makeServerSecretStore = Effect.gen(function* () {
   const remove: ServerSecretStoreShape["remove"] = (name) =>
     fileSystem.remove(resolveSecretPath(name)).pipe(
       Effect.catch((cause) =>
-        isMissingSecretFileError(cause)
+        cause instanceof PlatformError.PlatformError && cause.reason._tag === "NotFound"
           ? Effect.void
           : Effect.fail(
               new SecretStoreError({

package.json

@@ -62,7 +62,13 @@
     "vitest": "catalog:"
   },
   "overrides": {
+    "@effect/atom-react": "catalog:",
+    "@effect/platform-bun": "catalog:",
+    "@effect/platform-node": "catalog:",
     "@effect/platform-node-shared": "catalog:",
+    "@effect/sql-sqlite-bun": "catalog:",
+    "@effect/vitest": "catalog:",
+    "effect": "catalog:",
     "vite": "^8.0.0"
   },
   "engines": {

scripts/lib/resolve-catalog.ts

@@ -5,10 +5,10 @@
  * the concrete version string found in `catalog`. Throws on missing entries.
  */
 export function resolveCatalogDependencies(
-  dependencies: Record<string, unknown>,
-  catalog: Record<string, unknown>,
+  dependencies: Record<string, string>,
+  catalog: Record<string, string>,
   label: string,
-): Record<string, unknown> {
+): Record<string, string> {
   return Object.fromEntries(
     Object.entries(dependencies).map(([name, spec]) => {
       if (typeof spec !== "string" || !spec.startsWith("catalog:")) {