Update moq to latest, upgrade biome to 2.4+ and typescript to 6.0+ to match moq requirements, enable tailwindDirectives in biome config, and run semver-compatible dependency updates across all packages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Bump major versions: vite 8, typescript 6, @types/web 0.0.345, marked 17, uuid 13, @huggingface/transformers 4, globals 17
- Revert WIP addSection/addTrack code (d624cfe) that used unmerged APIs
- Fix path → name rename for Publish.Broadcast and Watch.Broadcast
- Fix support element imports: @moq/watch/support and @moq/publish/support
- Fix CryptoKeyPair type narrowing in moq/token
- Add allowImportingTsExtensions and worklet.d.ts for moq compatibility
- Remove stale @ts-expect-error directives (navigator.gpu now typed)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the moq git submodule with published @moq/* npm packages and provide moq-relay/moq-token-cli via the moq nix flake for local dev.
- Remove moq submodule and .gitmodules
- Replace workspace:* deps with published npm versions
- Add moq flake input to flake.nix for relay and token CLI binaries
- Add dev/relay/ with config and justfile for local relay server
- Update justfile, api/justfile paths for new relay location
- Copy worklet.d.ts locally (was in moq/js/common/)
- Update CLAUDE.md, README.md, CI workflow, infra references
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walkthrough
This pull request transitions the MOQ protocol implementation from a git submodule dependency to published npm packages. The
🚥 Pre-merge checks: ✅ 3 passed
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
README.md (1)
51-56: ⚠️ Potential issue | 🟠 Major
The “Without Nix” path is missing relay tool prerequisites.
`just dev` now relies on `moq-relay`/`moq-token-cli`, but this section only installs JS deps. That path will fail unless users install those binaries separately.
💡 Suggested docs patch
**Without Nix:** ```sh bun install +# Ensure `moq-relay` and `moq-token-cli` are installed and on PATH just dev
Also applies to: 77-77
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@README.md` around lines 51 - 56, The "Without Nix" instructions omit the required relay tool binaries, so update the README's section that shows the commands `bun install` and `just dev` to also instruct users to install and add `moq-relay` and `moq-token-cli` to their PATH before running `just dev`; mention these exact tool names (`moq-relay`, `moq-token-cli`) and place the note immediately after `bun install` (and likewise update the similar occurrence around line 77) so users know to install those prerequisites.
🧹 Nitpick comments (2)
app/package.json (1)
21-25: Consider exact pins for pre-1.0 `@moq/*` packages.
Using `^0.x.y` for pre-1.0 dependencies can introduce breaking behavior on fresh installs. Prefer exact versions ("0.x.y") if you want tighter reproducibility during this migration period. This pattern appears in both app/package.json (lines 21–25) and api/package.json.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/package.json` around lines 21 - 25, The package pins for pre-1.0 dependencies use caret ranges which can pull breaking changes; update the dependency entries for "@moq/hang", "@moq/lite", "@moq/publish", "@moq/signals", and "@moq/watch" (in app/package.json) from "^0.x.y" to exact "0.x.y" versions to ensure reproducible installs, and apply the same change for the corresponding `@moq/`* entries found in api/package.json; keep the exact numeric versions currently listed (remove the leading ^) without changing the version numbers themselves.
dev/relay/justfile (1)
8-23: Harden permissions for generated auth artifacts.
`root.jwk` (and usually `root.jwt`) should be owner-readable only to avoid accidental local disclosure on shared systems.
💡 Suggested fix
auth-key: `@if` [ ! -f "root.jwk" ]; then \ rm -f *.jwt; \ moq-token-cli --key "root.jwk" generate; \ + chmod 600 root.jwk; \ fi @@ auth-token: auth-key `@if` [ ! -f "root.jwt" ]; then \ moq-token-cli --key "root.jwk" sign \ --root "" \ --subscribe "" \ --publish "" \ --cluster \ > root.jwt ; \ + chmod 600 root.jwt; \ fi🤖 Prompt for AI Agents
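Review bot: in both recipes the added `chmod 600` runs only after the file has been written, so `root.jwk` and `root.jwt` exist with default-umask permissions for a short window, and for `root.jwt` the `> root.jwt` redirection creates the file before `moq-token-cli` starts. Because the `chmod` sits inside the `if [ ! -f ... ]` guard, a key or token that already exists with loose permissions is also never tightened. Suggest setting `umask 077` as the first command inside each `if` body (the lines are joined with `\`, so it applies to the same shell) so the files are created owner-only, and running the `chmod 600` outside the guard so existing files are corrected as well.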
Verify each finding against the current code and only fix it if needed. In `@dev/relay/justfile` around lines 8 - 23, The generated auth targets (auth-key and auth-token) currently create root.jwk and root.jwt with default permissions; change the recipes for targets "auth-key" and "auth-token" to set strict file permissions after creation (e.g., chmod 600 root.jwk and chmod 600 root.jwt) so both files are owner-readable/writeable only; ensure the chmod commands run only when the files are created and preserve the existing rm -f *.jwt cleanup behavior in the "auth-key" recipe.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 99226d78-5294-4adf-9743-0c25d01464fd
⛔ Files ignored due to path filters (2)
- bun.lock is excluded by !**/*.lock
- flake.lock is excluded by !**/*.lock
📒 Files selected for processing (15)
- .github/workflows/check.yml
- .gitmodules
- CLAUDE.md
- README.md
- api/justfile
- api/package.json
- app/package.json
- app/src/worklet.d.ts
- dev/relay/justfile
- dev/relay/root.toml
- flake.nix
- infra/variables.tf
- justfile
- moq
- package.json
💤 Files with no reviewable changes (4)
- infra/variables.tf
- .gitmodules
- moq
- .github/workflows/check.yml
| dev: | ||
| bun wrangler d1 migrations apply DB --local | ||
| bun wrangler dev --var "RELAY_SECRET:$(cat ../moq/dev/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" | ||
| bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" |
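Review bot: `$(cat ../dev/relay/root.jwk)` in the new `bun wrangler dev` line expands the relay key into the command's argument list, where other local users can read it from the process listing for as long as the dev server runs. Prefer handing the secret to wrangler through a file it reads itself, for example an untracked `.dev.vars` entry for `RELAY_SECRET`, and keep only `RELAY_URL` on the command line. The `RELAY_URL` default is also plain `http://`, which is worth a comment for the case where `TAURI_DEV_HOST` points at a non-loopback host.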
Add an explicit preflight check for root.jwk.
Running cd api && just dev fails with a low-context cat error if the key hasn’t been generated yet. A guard here makes local setup failures much clearer.
💡 Suggested patch
dev:
bun wrangler d1 migrations apply DB --local
- bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443"
+ test -f ../dev/relay/root.jwk || (echo "Missing ../dev/relay/root.jwk. Run: cd dev/relay && just auth-token" >&2; exit 1)
+ bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443"📝 Committable suggestion
| dev: | |
| bun wrangler d1 migrations apply DB --local | |
| bun wrangler dev --var "RELAY_SECRET:$(cat ../moq/dev/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" | |
| bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" | |
| dev: | |
| bun wrangler d1 migrations apply DB --local | |
| test -f ../dev/relay/root.jwk || (echo "Missing ../dev/relay/root.jwk. Run: cd dev/relay && just auth-token" >&2; exit 1) | |
| bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@api/justfile` around lines 9 - 11, The dev justfile target should guard the
cat ../dev/relay/root.jwk call with an explicit preflight check: before invoking
bun wrangler dev, test that ../dev/relay/root.jwk exists (e.g., using [ -f ] or
test -f) and if it’s missing emit a clear error message and exit non-zero; then
read the key into a variable and pass it via --var "RELAY_SECRET:$(cat ...)" and
keep the existing RELAY_URL line unchanged. Locate the dev target in the
justfile and add the existence check and early exit immediately before the bun
wrangler dev invocation so the failure is descriptive rather than a bare cat
error.
| listen = "[::]:4443" | ||
|
|
||
| # Generate a self-signed certificate for the given hostnames. | ||
| # This is used for local development, in conjunction with a fingerprint, or with TLS verification disabled. | ||
| tls.generate = ["localhost"] | ||
|
|
||
| [web.http] | ||
| # Listen for HTTP and WebSocket (TCP) connections on the given address. | ||
| # Defaults to disabled if not provided. | ||
| listen = "[::]:4443" |
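Review bot: the `[web.http]` listener at the end of this hunk serves plain HTTP and WebSocket on the wildcard address `[::]:4443`, the same all-interfaces bind as the `listen` line at the top, while `tls.generate = ["localhost"]` only produces a certificate for local use. As written the dev relay is reachable, unencrypted on the TCP side, from any network the machine is attached to. Suggest defaulting both `listen` values to a loopback address and adding a comment that says when to widen the bind (for example device testing), so the exposure is an explicit choice.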
Default relay binding is too broad for anonymous mode.
With listen = "[::]:4443" and public = "anon", the relay may accept anonymous traffic from non-local interfaces on shared networks. Default this config to loopback-only for safer local development.
🔒 Suggested hardening
[server]
-listen = "[::]:4443"
+listen = "127.0.0.1:4443"
@@
[web.http]
-listen = "[::]:4443"
+listen = "127.0.0.1:4443"Also applies to: 33-34
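Review bot: `127.0.0.1:4443` in both `+listen` lines is IPv4-only, but the config generates its certificate for `localhost` and api/justfile defaults `RELAY_URL` to `localhost`, which can resolve to `::1` first, so local clients may fail to connect after this change. It also breaks the `TAURI_DEV_HOST` case, where the relay has to be reachable on a non-loopback host. Suggest either pointing the clients at `127.0.0.1` explicitly in the same change, or keeping loopback as the default and documenting an override for device testing.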
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@dev/relay/root.toml` around lines 9 - 18, The default relay listen addresses
(tls.generate/listen and [web.http].listen) are currently set to "[::]:4443",
which is too permissive for anonymous mode; change these defaults to
loopback-only (e.g., "[::1]:4443" or "127.0.0.1:4443") so the relay binds only
to localhost when running with public = "anon" — update the tls.generate/listen
and web.http.listen entries accordingly and ensure any comments note the
security rationale.
| ``` | ||
| app/ Web frontend (SolidJS + Vite) | ||
| api/ Backend API (Cloudflare Workers + Hono) | ||
| native/ Desktop/mobile app (Tauri v2) | ||
| moq/ Media over QUIC libraries (git submodule → github.com/kixelated/moq) | ||
| dev/relay/ Local relay server config | ||
| ``` |
Add a language identifier to the fenced project-structure block.
This currently trips markdownlint MD040.
💡 Suggested fix
-```
+```text
app/ Web frontend (SolidJS + Vite)
api/ Backend API (Cloudflare Workers + Hono)
native/ Desktop/mobile app (Tauri v2)
dev/relay/ Local relay server config</details>
<details>
<summary>🧰 Tools</summary>
<details>
<summary>🪛 markdownlint-cli2 (0.22.0)</summary>
[warning] 18-18: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
</details>
</details>
<details>
<summary>🤖 Prompt for AI Agents</summary>
Verify each finding against the current code and only fix it if needed.
In `@README.md` around lines 18 - 23, The fenced code block that lists the project structure (the block containing the lines starting with "app/ Web frontend (SolidJS + Vite)", "api/ Backend API (Cloudflare Workers + Hono)", "native/ Desktop/mobile app (Tauri v2)", and "dev/relay/ Local relay server config") needs a language identifier to satisfy markdownlint MD040; update the opening fence from ``` to ```text so the block becomes a labeled plaintext code block.
</details>
Summary
- `moq` git submodule, consume `@moq/*` packages from npm instead
- `moq-relay` and `moq-token-cli` for local dev
- `dev/relay/` with config and justfile for running the local relay server
Test plan
- `bun install` resolves all published npm packages
- `@hang/api` and `@hang/live`
- `just dev` starts relay, api, and app correctly
🤖 Generated with Claude Code