Merge branch 'dev' into cli-exec-changes

Author: BilalG1

.gitignore

@@ -140,10 +140,12 @@ packages/js/*
 packages/react/*
 packages/next/*
 packages/stack/*
+packages/tanstack-start/*
 !packages/js/package.json
 !packages/react/package.json
 !packages/next/package.json
 !packages/stack/package.json
+!packages/tanstack-start/package.json
 
 # claude code
 .claude/scheduled_tasks.lock

apps/backend/src/app/api/latest/auth/cli/poll/route.tsx

@@ -1,8 +1,16 @@
-import { getPrismaClientForTenancy } from "@/prisma-client";
+import { Prisma } from "@/generated/prisma/client";
+import { getPrismaClientForTenancy, getPrismaSchemaForTenancy, sqlQuoteIdent } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { adaptSchema, clientOrHigherAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 
+type CliAuthAttemptRow = {
+  id: string,
+  refreshToken: string | null,
+  expiresAt: Date,
+  usedAt: Date | null,
+};
+
 // Helper function to create response
 const createResponse = (status: 'waiting' | 'success' | 'expired' | 'used', refreshToken?: string) => ({
   statusCode: status === 'success' ? 201 : 200,
@@ -38,44 +46,55 @@ export const POST = createSmartRouteHandler({
   }),
   async handler({ auth: { tenancy }, body: { polling_code } }) {
     const prisma = await getPrismaClientForTenancy(tenancy);
+    const schema = await getPrismaSchemaForTenancy(tenancy);
 
-    // Find the CLI auth attempt
-    const cliAuth = await prisma.cliAuthAttempt.findFirst({
-      where: {
-        tenancyId: tenancy.id,
-        pollingCode: polling_code,
-      },
-    });
+    const cliAuthRows = await prisma.$queryRaw<CliAuthAttemptRow[]>(Prisma.sql`
+      SELECT
+        "id",
+        "refreshToken",
+        "expiresAt",
+        "usedAt"
+      FROM ${sqlQuoteIdent(schema)}."CliAuthAttempt"
+      WHERE "tenancyId" = ${tenancy.id}::UUID
+        AND "pollingCode" = ${polling_code}
+      LIMIT 1
+    `);
 
-    if (!cliAuth) {
+    if (cliAuthRows.length === 0) {
       throw new KnownErrors.InvalidPollingCodeError();
     }
+    const cliAuth = cliAuthRows[0];
 
     if (cliAuth.expiresAt < new Date()) {
       return createResponse('expired');
     }
 
-    if (cliAuth.usedAt) {
+    if (cliAuth.usedAt !== null) {
       return createResponse('used');
     }
 
-    if (!cliAuth.refreshToken) {
+    if (cliAuth.refreshToken === null) {
       return createResponse('waiting');
     }
 
-    // Mark as used
-    await prisma.cliAuthAttempt.update({
-      where: {
-        tenancyId_id: {
-          tenancyId: tenancy.id,
-          id: cliAuth.id,
-        },
-      },
-      data: {
-        usedAt: new Date(),
-      },
-    });
+    // Atomically mark as used, claiming the row only if no one else has.
+    // This prevents a TOCTOU race where two concurrent polls could both
+    // read usedAt = null and both receive the same refresh token.
+    const claimed = await prisma.$queryRaw<{ refreshToken: string }[]>(Prisma.sql`
+      UPDATE ${sqlQuoteIdent(schema)}."CliAuthAttempt"
+      SET
+        "usedAt" = NOW(),
+        "updatedAt" = NOW()
+      WHERE "tenancyId" = ${tenancy.id}::UUID
+        AND "id" = ${cliAuth.id}::UUID
+        AND "usedAt" IS NULL
+      RETURNING "refreshToken"
+    `);
+
+    if (claimed.length === 0) {
+      return createResponse('used');
+    }
 
-    return createResponse('success', cliAuth.refreshToken);
+    return createResponse('success', claimed[0].refreshToken);
   },
 });

apps/backend/src/app/api/latest/auth/cli/route.tsx

@@ -25,7 +25,7 @@ export const POST = createSmartRouteHandler({
       tenancy: adaptSchema.defined(),
     }).defined(),
     body: yupObject({
-      expires_in_millis: yupNumber().max(1000 * 60 * 60 * 24).default(1000 * 60 * 120), // Default: 2 hours, max: 24 hours
+      expires_in_millis: yupNumber().max(1000 * 60 * 15).default(1000 * 60 * 2), // Default: 2 minutes, max: 15 minutes
       anon_refresh_token: yupString().optional(),
     }).default({}),
   }),
@@ -41,8 +41,7 @@ export const POST = createSmartRouteHandler({
   async handler({ auth: { tenancy }, body: { expires_in_millis, anon_refresh_token } }) {
     let anonRefreshToken: string | null = null;
 
-    if (anon_refresh_token) {
-      // ProjectUserRefreshToken lives in the global DB (see tokens.tsx and oauth/model.tsx).
+    if (anon_refresh_token != null) {
       const refreshTokenRows = await globalPrismaClient.$queryRaw<RefreshTokenRow[]>(Prisma.sql`
         SELECT "tenancyId", "projectUserId", "expiresAt"
         FROM "ProjectUserRefreshToken"
@@ -58,7 +57,7 @@ export const POST = createSmartRouteHandler({
         throw new StatusError(400, "Anon refresh token does not belong to this project");
       }
 
-      if (refreshTokenObj.expiresAt && refreshTokenObj.expiresAt < new Date()) {
+      if (refreshTokenObj.expiresAt != null && refreshTokenObj.expiresAt < new Date()) {
         throw new StatusError(400, "The provided anon refresh token has expired");
       }
 

apps/backend/src/app/api/latest/internal/projects-weekly-users/route.test.tsx

@@ -0,0 +1,66 @@
+import { describe, expect, it } from "vitest";
+import { applyProjectWeeklyUsersRows } from "./route";
+
+describe("internal projects weekly users helpers", () => {
+  it("applies ClickHouse rows through a Map and skips unknown projects", () => {
+    const byProject = new Map([
+      ["project-a", {
+        weekly_users: 0,
+        daily_users: [
+          { date: "2026-05-01", activity: 0 },
+          { date: "2026-05-02", activity: 0 },
+        ],
+      }],
+      ["__proto__", {
+        weekly_users: 0,
+        daily_users: [
+          { date: "2026-05-01", activity: 0 },
+          { date: "2026-05-02", activity: 0 },
+        ],
+      }],
+    ]);
+
+    applyProjectWeeklyUsersRows(
+      byProject,
+      [
+        { projectId: "project-a", day: "1970-01-01", users: 4 },
+        { projectId: "__proto__", day: "1970-01-01", users: 7 },
+        { projectId: "missing-project", day: "1970-01-01", users: 99 },
+        { projectId: "project-a", day: "2026-05-01", users: 2 },
+        { projectId: "__proto__", day: "2026-05-02", users: 5 },
+        { projectId: "missing-project", day: "2026-05-01", users: 99 },
+      ],
+    );
+
+    expect(Object.fromEntries(byProject)).toMatchInlineSnapshot(`
+      {
+        "__proto__": {
+          "daily_users": [
+            {
+              "activity": 0,
+              "date": "2026-05-01",
+            },
+            {
+              "activity": 5,
+              "date": "2026-05-02",
+            },
+          ],
+          "weekly_users": 7,
+        },
+        "project-a": {
+          "daily_users": [
+            {
+              "activity": 2,
+              "date": "2026-05-01",
+            },
+            {
+              "activity": 0,
+              "date": "2026-05-02",
+            },
+          ],
+          "weekly_users": 4,
+        },
+      }
+    `);
+  });
+});

…i/latest/internal/projects-dau/route.tsx …internal/projects-weekly-users/route.tsxapps/backend/src/app/api/latest/internal/projects-dau/route.tsx renamed to apps/backend/src/app/api/latest/internal/projects-weekly-users/route.tsx apps/backend/src/app/api/latest/internal/projects-dau/route.tsx renamed to apps/backend/src/app/api/latest/internal/projects-weekly-users/route.tsx

@@ -10,6 +10,46 @@ import { StackAssertionError, captureError } from "@stackframe/stack-shared/dist
 const WINDOW_DAYS = 7;
 const ONE_DAY_MS = 24 * 60 * 60 * 1000;
 
+type ProjectWeeklyUsers = {
+  weekly_users: number,
+  daily_users: { date: string, activity: number }[],
+};
+
+export function applyProjectWeeklyUsersRows(
+  byProject: Map<string, ProjectWeeklyUsers>,
+  rows: { projectId: string, day: string, users: number }[],
+) {
+  // GROUPING SETS emits one rollup row per project with day defaulted to the
+  // ClickHouse Date epoch ("1970-01-01"); those rows hold the weekly total.
+  const dailyIndex = new Map<string, Map<string, number>>();
+  for (const row of rows) {
+    const project = byProject.get(row.projectId);
+    if (project == null) {
+      continue;
+    }
+    const dayKey = row.day.split("T")[0];
+    if (dayKey === "1970-01-01") {
+      project.weekly_users = Number(row.users);
+      continue;
+    }
+    let m = dailyIndex.get(row.projectId);
+    if (!m) {
+      m = new Map();
+      dailyIndex.set(row.projectId, m);
+    }
+    m.set(dayKey, Number(row.users));
+  }
+
+  for (const [id, project] of byProject) {
+    const m = dailyIndex.get(id);
+    if (!m) continue;
+    project.daily_users = project.daily_users.map((point) => ({
+      date: point.date,
+      activity: m.get(point.date) ?? 0,
+    }));
+  }
+}
+
 export const GET = createSmartRouteHandler({
   metadata: { hidden: true },
   request: yupObject({
@@ -24,7 +64,10 @@ export const GET = createSmartRouteHandler({
     statusCode: yupNumber().oneOf([200]).defined(),
     bodyType: yupString().oneOf(["json"]).defined(),
     body: yupObject({
-      projects: yupRecord(yupString().defined(), MetricsDataPointsSchema).defined(),
+      projects: yupRecord(yupString().defined(), yupObject({
+        weekly_users: yupNumber().integer().defined(),
+        daily_users: MetricsDataPointsSchema,
+      }).defined()).defined(),
     }).defined(),
   }),
   handler: async (req) => {
@@ -52,28 +95,39 @@ export const GET = createSmartRouteHandler({
       return out;
     };
 
-    const byProject: Record<string, { date: string, activity: number }[]> = {};
+    const byProject = new Map<string, ProjectWeeklyUsers>();
     for (const id of projectIds) {
-      byProject[id] = emptySeries();
+      byProject.set(id, {
+        weekly_users: 0,
+        daily_users: emptySeries(),
+      });
     }
+    const projectsResponse = () => Object.fromEntries(byProject);
 
     if (projectIds.length === 0) {
       return {
         statusCode: 200,
         bodyType: "json",
-        body: { projects: byProject },
+        body: { projects: projectsResponse() },
       };
     }
 
-    let rows: { projectId: string, day: string, dau: number }[] = [];
+    const clickhouseClient = getClickhouseAdminClient();
+    const queryParams = {
+      projectIds,
+      branchId: DEFAULT_BRANCH_ID,
+      since: since.toISOString().slice(0, 19),
+      untilExclusive: untilExclusive.toISOString().slice(0, 19),
+    };
+
+    let rows: { projectId: string, day: string, users: number }[] = [];
     try {
-      const clickhouseClient = getClickhouseAdminClient();
       const result = await clickhouseClient.query({
         query: `
           SELECT
             project_id AS projectId,
-            toDate(event_at) AS day,
-            uniqExact(assumeNotNull(user_id)) AS dau
+            toDate(event_at, 'UTC') AS day,
+            uniqExact(assumeNotNull(user_id)) AS users
           FROM analytics_internal.events
           WHERE event_type = '$token-refresh'
             AND project_id IN {projectIds:Array(String)}
@@ -82,55 +136,33 @@ export const GET = createSmartRouteHandler({
             AND event_at >= {since:DateTime}
             AND event_at < {untilExclusive:DateTime}
             AND coalesce(CAST(data.is_anonymous, 'Nullable(UInt8)'), 0) = 0
-          GROUP BY projectId, day
+          GROUP BY GROUPING SETS ((projectId), (projectId, day))
         `,
-        query_params: {
-          projectIds,
-          branchId: DEFAULT_BRANCH_ID,
-          since: since.toISOString().slice(0, 19),
-          untilExclusive: untilExclusive.toISOString().slice(0, 19),
-        },
+        query_params: queryParams,
         format: "JSONEachRow",
       });
-      rows = await result.json();
+      rows = await result.json<{ projectId: string, day: string, users: number }>();
     } catch (error) {
       const captureId = error instanceof ClickHouseError
-        ? "internal-projects-dau-clickhouse-error"
-        : "internal-projects-dau-unexpected-error";
+        ? "internal-projects-weekly-users-clickhouse-error"
+        : "internal-projects-weekly-users-unexpected-error";
       captureError(captureId, new StackAssertionError(
-        "Failed to load projects DAU.",
+        "Failed to load projects weekly users.",
         { cause: error, projectCount: projectIds.length },
       ));
       return {
         statusCode: 200,
         bodyType: "json",
-        body: { projects: byProject },
+        body: { projects: projectsResponse() },
       };
     }
-    const index = new Map<string, Map<string, number>>();
-    for (const row of rows) {
-      const dayKey = row.day.split("T")[0];
-      let m = index.get(row.projectId);
-      if (!m) {
-        m = new Map();
-        index.set(row.projectId, m);
-      }
-      m.set(dayKey, Number(row.dau));
-    }
 
-    for (const id of projectIds) {
-      const m = index.get(id);
-      if (!m) continue;
-      byProject[id] = byProject[id].map((point) => ({
-        date: point.date,
-        activity: m.get(point.date) ?? 0,
-      }));
-    }
+    applyProjectWeeklyUsersRows(byProject, rows);
 
     return {
       statusCode: 200,
       bodyType: "json",
-      body: { projects: byProject },
+      body: { projects: projectsResponse() },
     };
   },
 });