feat(runtime): MarketplaceProxyPlugin browse-only — drop the install 405 dead-end (ADR §5.2)#1568
Merged
Merged
Conversation
…on-GET (ADR §5.2) Removes the framework's hardcoded install-policy dead-end. The marketplace proxy is a BROWSE mechanism: it forwards GET/HEAD reads and carries no credentialled cloud auth. It must not pretend to own install *policy*. Previously a non-GET marketplace request returned a 405 `marketplace_method_not_allowed` "install via cloud" — a dead-end the in-env Install button hit (framework#1548). Now non-GET requests PASS THROUGH (`next()`) so a host-supplied install route — mounted after this plugin via the createObjectOSStack `extraPlugins` seam — can claim them; if none does, the app returns its normal 404 instead of a misleading policy 405. This is the "remove framework's hardcoded marketplace policy" half of ADR §5.2, now that the cloud side has landed + deployed: ObjectStack Cloud owns install (the `/cloud-connection/install` route + `sys_package.install_package` action + the tiered cloud-connection gate — cloud PR #53). The framework keeps only the neutral browse mechanism. Test: 3 cases — non-GET passes through (not 405); install-local still passes through; no-control-plane still 503s. Full src/cloud suite (40) stays green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Removes the framework's hardcoded marketplace install-policy dead-end.
MarketplaceProxyPluginis a browse mechanism — it forwards GET/HEAD reads and carries no credentialled cloud auth. It should not pretend to own install policy.Before: a non-GET marketplace request returned
405 marketplace_method_not_allowed— "install via cloud" — a dead-end the in-env Install button hit (framework#1548).After: non-GET requests pass through (
next()), so a host-supplied install route — mounted after this plugin via thecreateObjectOSStackextraPluginsseam (framework #1566) — can claim them. If none does, the app returns its normal 404 instead of a misleading policy 405.Why now
This is the "remove framework's hardcoded policy" half of ADR §5.2, deliberately deferred until the cloud side landed + deployed. It has:
/cloud-connection/installroute +sys_package.install_packageaction + the tiered cloud-connection gate (cloud PR Standardize filter syntax to MongoDB-style and complete documentation #53, merged + deployed to staging ✅).extraPluginsseam (framework feat(runtime): extraPlugins host seam on createObjectOSStack (ADR §5.2) #1566, merged) is how cloud supplies that install route to the runtime.So the framework can now drop its browse-only install policy and keep only the neutral browse forwarder.
Test
Full
src/cloudsuite (40 tests) stays green.Sequencing note
Pairs with cloud PR #53 (binding + install gate, deployed) and framework #1566 (extraPlugins seam, merged). The remaining cloud-side follow-ups (bump
.framework-sha; migrateapps/objectos/objectstack.config.tsfromconfig.plugins.pushto theextraPluginsseam) are tracked separately and don't block this.🤖 Generated with Claude Code