chore: sync next with main

.github/workflows/ci.yml

@@ -14,10 +14,14 @@ jobs:
         with:
           node-version: 22
 
-      - run: npm ci
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.3.5
+
+      - run: bun install --frozen-lockfile
 
-      - run: npm test
+      - run: bun run test
 
-      - run: npm run lint
+      - run: bun run lint
 
-      - run: npm run typecheck
+      - run: bun run typecheck

.github/workflows/release.yml

@@ -22,8 +22,7 @@ name: Release
 
 on:
   push:
-    branches: [main, next]
-  workflow_dispatch:
+    branches: [main]
 
 permissions:
   contents: write
@@ -44,11 +43,13 @@ jobs:
           node-version: 22
           registry-url: https://registry.npmjs.org
 
-      - run: npm ci
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.3.5
 
-      - run: npm test
+      - run: bun install --frozen-lockfile
 
       - name: Release
-        run: npx semantic-release
+        run: bunx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.releaserc.json

@@ -1,8 +1,5 @@
 {
-  "branches": [
-    "main",
-    { "name": "next", "prerelease": true }
-  ],
+  "branches": ["main"],
   "plugins": [
     ["@semantic-release/commit-analyzer", {
       "preset": "angular",
@@ -21,7 +18,7 @@
     "@semantic-release/release-notes-generator",
     ["@semantic-release/exec", {
       "prepareCmd": "npm version ${nextRelease.version} --no-git-tag-version",
-      "publishCmd": "npm publish --access public --tag ${nextRelease.channel || 'latest'}"
+      "publishCmd": "npm publish --access public"
     }],
     "@semantic-release/github"
   ]

algolia/README.md

@@ -0,0 +1,89 @@
+# Algolia app — initial scaffold
+
+This folder ports the Algolia integration from `deco-cx/apps/algolia`
+(Fresh/Deno) to `@decocms/apps/algolia` (TanStack Start/Node), following
+the same shape as `vtex/`, `magento/`, and `shopify/`.
+
+## Status
+
+**Initial scaffold** — covers the `configureAlgolia`/`getAlgoliaClient`
+surface plus the `loaders/client.ts` shim that matches the upstream
+`apps/algolia/loaders/client.ts` call site (`ctx.invoke.algolia.loaders.client({})`).
+Just enough for downstream sites with their own product loaders to wire
+Algolia and consume the SDK SearchClient directly.
+
+A real-world consumer (deco-sites/granadobr-tanstack) is migrating away
+from the legacy `ctx.invoke.algolia.loaders.client({})` proxy that
+existed in the Fresh runtime. The site keeps its own product loaders
+(custom Granado transforms over the upstream toProduct) and only needs
+the SDK client from this package.
+
+## What's here
+
+- `client.ts` — `configureAlgolia({ applicationId, searchApiKey,
+  adminApiKey })` + `getAlgoliaConfig()` accessor + lazy
+  `getAlgoliaClient()` cached singleton. Mirrors `configureMagento` /
+  `configureVtex`.
+- `types.ts` — `AlgoliaConfig`, canonical `Indices` union.
+- `loaders/client.ts` — returns the configured `SearchClient` so legacy
+  call sites (`invoke.algolia.loaders.client({})`) keep working when
+  routed through the loader registry.
+- `index.ts` — re-export entry.
+
+## Pending port (PR follow-ups)
+
+These exist as production code in `deco-cx/apps/algolia/` and need a
+Deno → Node pass (npm specifiers, `commerce/types.ts` shared import,
+etc.). Tracked here so the next PR series has a clear scope:
+
+| Path | Original location |
+|---|---|
+| `loaders/product/list.ts` | `deco-cx/apps/algolia/loaders/product/list.ts` |
+| `loaders/product/listingPage.ts` | idem |
+| `loaders/product/suggestions.ts` | idem |
+| `actions/setup.ts` | `deco-cx/apps/algolia/actions/setup.ts` |
+| `actions/index/{product,wait}.ts` | `deco-cx/apps/algolia/actions/index/*` |
+| `utils/{highlight,product}.ts` | `deco-cx/apps/algolia/utils/*` |
+| `workflows/index/product.ts` | `deco-cx/apps/algolia/workflows/index/product.ts` |
+| `sections/Analytics/Algolia.tsx` | `deco-cx/apps/algolia/sections/Analytics/Algolia.tsx` |
+
+The site-side `src/packs/algolia/products/*` in granadobr-tanstack
+contains a Granado-specific transform layer that is not portable as-is.
+Once `loaders/product/*` lands here, the upstream tract can be reused;
+the Granado overlays will keep living in the site.
+
+## Wiring in a site
+
+```ts
+// src/setup.ts
+import { initAlgoliaFromBlocks } from "@decocms/apps/algolia";
+import { blocks } from "./server/cms/blocks.gen";
+
+createSiteSetup({
+  // ...
+  initPlatform: (blocks) => {
+    initAlgoliaFromBlocks(blocks); // default block key: "deco-algolia"
+  },
+});
+```
+
+Then in your loaders:
+
+```ts
+import { getAlgoliaClient } from "@decocms/apps/algolia/client";
+
+export default async function loader(props, req) {
+  const client = getAlgoliaClient();
+  const { results } = await client.search([{
+    indexName: "products",
+    query: props.term,
+    params: { hitsPerPage: 12 },
+  }]);
+  return results[0].hits;
+}
+```
+
+The Secret-shaped `adminApiKey` in the CMS block
+(`{__resolveType: "website/loaders/secret.ts", name: "ADMIN_KEY"}`) is
+dereferenced via `process.env.ADMIN_KEY` at init time, matching how
+`magento/client.ts` handles secrets in this repo.

algolia/__tests__/client.test.ts

@@ -0,0 +1,195 @@
+/**
+ * Tests for algolia/client.ts.
+ *
+ * The goal is to lock the contract that downstream sites depend on:
+ *  - configureAlgolia stores config and surfaces it via getAlgoliaConfig
+ *  - getAlgoliaConfig throws a useful error when init never happened
+ *  - getAlgoliaClient builds the SDK lazily and caches the instance
+ *  - initAlgoliaFromBlocks dereferences Secret-shaped admin keys via
+ *    `process.env` so prod CMS blocks (`{__resolveType:
+ *    "website/loaders/secret.ts", name: "ADMIN_KEY"}`) work
+ *
+ * The SDK itself is mocked — we don't want network or fetch polyfills
+ * pulled into the test runner; we only care that we call into
+ * `algoliasearch(applicationId, adminApiKey)` with the right args.
+ */
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+const algoliasearchSpy = vi.fn(() => ({ __mockClient: true }));
+
+vi.mock("algoliasearch", () => ({
+	algoliasearch: (...args: unknown[]) =>
+		algoliasearchSpy(...(args as Parameters<typeof algoliasearchSpy>)),
+}));
+
+// Importing after the mock so the production module picks up the
+// mocked SDK. resetModules() in beforeEach keeps module-global state
+// (cachedClient, config) isolated across tests.
+let mod: typeof import("../client");
+
+beforeEach(async () => {
+	algoliasearchSpy.mockClear();
+	vi.resetModules();
+	mod = await import("../client");
+});
+
+afterEach(() => {
+	delete process.env.TEST_ADMIN_KEY;
+});
+
+describe("configureAlgolia + getAlgoliaConfig", () => {
+	it("returns the most recently configured values", () => {
+		mod.configureAlgolia({ applicationId: "APP", searchApiKey: "S", adminApiKey: "A" });
+		expect(mod.getAlgoliaConfig()).toEqual({
+			applicationId: "APP",
+			searchApiKey: "S",
+			adminApiKey: "A",
+		});
+	});
+
+	it("throws a helpful error when called before init", () => {
+		expect(() => mod.getAlgoliaConfig()).toThrowError(/configureAlgolia/);
+	});
+});
+
+describe("getAlgoliaClient", () => {
+	it("constructs the SDK with applicationId + adminApiKey", () => {
+		mod.configureAlgolia({ applicationId: "APP_X", searchApiKey: "S", adminApiKey: "ADMIN" });
+		const client = mod.getAlgoliaClient();
+		expect(algoliasearchSpy).toHaveBeenCalledExactlyOnceWith("APP_X", "ADMIN");
+		expect(client).toEqual({ __mockClient: true });
+	});
+
+	it("caches the client across calls", () => {
+		mod.configureAlgolia({ applicationId: "APP_X", searchApiKey: "S", adminApiKey: "ADMIN" });
+		mod.getAlgoliaClient();
+		mod.getAlgoliaClient();
+		mod.getAlgoliaClient();
+		expect(algoliasearchSpy).toHaveBeenCalledOnce();
+	});
+
+	it("rebuilds the client after configureAlgolia is called again", () => {
+		mod.configureAlgolia({ applicationId: "APP_X", searchApiKey: "S", adminApiKey: "ADMIN1" });
+		mod.getAlgoliaClient();
+		mod.configureAlgolia({ applicationId: "APP_X", searchApiKey: "S", adminApiKey: "ADMIN2" });
+		mod.getAlgoliaClient();
+		expect(algoliasearchSpy).toHaveBeenCalledTimes(2);
+		expect(algoliasearchSpy).toHaveBeenNthCalledWith(2, "APP_X", "ADMIN2");
+	});
+
+	it("throws when applicationId is missing", () => {
+		mod.configureAlgolia({ applicationId: "", searchApiKey: "S", adminApiKey: "A" });
+		expect(() => mod.getAlgoliaClient()).toThrowError(/applicationId/);
+	});
+
+	it("falls back to searchApiKey when adminApiKey is empty", () => {
+		mod.configureAlgolia({ applicationId: "APP", searchApiKey: "SEARCH_ONLY", adminApiKey: "" });
+		mod.getAlgoliaClient();
+		expect(algoliasearchSpy).toHaveBeenCalledExactlyOnceWith("APP", "SEARCH_ONLY");
+	});
+
+	it("throws when both keys are empty", () => {
+		mod.configureAlgolia({ applicationId: "APP", searchApiKey: "", adminApiKey: "" });
+		expect(() => mod.getAlgoliaClient()).toThrowError(/adminApiKey or searchApiKey/);
+	});
+
+	it("prefers adminApiKey over searchApiKey when both present", () => {
+		mod.configureAlgolia({ applicationId: "APP", searchApiKey: "S", adminApiKey: "ADMIN" });
+		mod.getAlgoliaClient();
+		expect(algoliasearchSpy).toHaveBeenCalledExactlyOnceWith("APP", "ADMIN");
+	});
+});
+
+describe("initAlgoliaFromBlocks", () => {
+	it("returns false and skips configure() when block is absent", async () => {
+		const result = await mod.initAlgoliaFromBlocks({});
+		expect(result).toBe(false);
+		expect(() => mod.getAlgoliaConfig()).toThrowError(/configureAlgolia/);
+	});
+
+	it("reads applicationId + searchApiKey + adminApiKey from the block", async () => {
+		const result = await mod.initAlgoliaFromBlocks({
+			"deco-algolia": {
+				applicationId: "APP",
+				searchApiKey: "SEARCH",
+				adminApiKey: "ADMIN_STRING",
+			},
+		});
+		expect(result).toBe(true);
+		expect(mod.getAlgoliaConfig()).toEqual({
+			applicationId: "APP",
+			searchApiKey: "SEARCH",
+			adminApiKey: "ADMIN_STRING",
+		});
+	});
+
+	it("dereferences a Secret-shaped adminApiKey via process.env", async () => {
+		process.env.TEST_ADMIN_KEY = "from-env";
+		await mod.initAlgoliaFromBlocks({
+			"deco-algolia": {
+				applicationId: "APP",
+				searchApiKey: "SEARCH",
+				adminApiKey: {
+					__resolveType: "website/loaders/secret.ts",
+					name: "TEST_ADMIN_KEY",
+				},
+			},
+		});
+		expect(mod.getAlgoliaConfig().adminApiKey).toBe("from-env");
+	});
+
+	it("falls back to empty string when env var is unset", async () => {
+		await mod.initAlgoliaFromBlocks({
+			"deco-algolia": {
+				applicationId: "APP",
+				searchApiKey: "SEARCH",
+				adminApiKey: {
+					__resolveType: "website/loaders/secret.ts",
+					name: "UNDEFINED_ENV_VAR_DO_NOT_SET",
+				},
+			},
+		});
+		expect(mod.getAlgoliaConfig().adminApiKey).toBe("");
+	});
+
+	it("honors a custom block key", async () => {
+		await mod.initAlgoliaFromBlocks(
+			{
+				"my-algolia": {
+					applicationId: "X",
+					searchApiKey: "Y",
+					adminApiKey: "Z",
+				},
+			},
+			"my-algolia",
+		);
+		expect(mod.getAlgoliaConfig().applicationId).toBe("X");
+	});
+
+	// Encrypted-secret flow: the CMS block ships `{ encrypted, name }`,
+	// the framework's `resolveSecret` (from `@decocms/start/sdk/crypto`)
+	// is supposed to AES-CBC decrypt `encrypted` using `DECO_CRYPTO_KEY`.
+	// In a vitest worker `crypto.subtle` is available but the AES key
+	// material isn't shipped to the runner — without `DECO_CRYPTO_KEY`,
+	// `resolveSecret` skips the decrypt step and falls back to the env
+	// var. That fallback path is what this test pins: prod sites either
+	// set the env var on top OR (more commonly) rely on the decrypt to
+	// succeed against the worker's `DECO_CRYPTO_KEY` binding.
+	it("uses env var fallback when DECO_CRYPTO_KEY is unset and encrypted is present", async () => {
+		delete process.env.DECO_CRYPTO_KEY;
+		process.env.FALLBACK_ADMIN_KEY = "from-env-fallback";
+		await mod.initAlgoliaFromBlocks({
+			"deco-algolia": {
+				applicationId: "APP",
+				searchApiKey: "SEARCH",
+				adminApiKey: {
+					__resolveType: "website/loaders/secret.ts",
+					encrypted: "deadbeef",
+					name: "FALLBACK_ADMIN_KEY",
+				},
+			},
+		});
+		expect(mod.getAlgoliaConfig().adminApiKey).toBe("from-env-fallback");
+		delete process.env.FALLBACK_ADMIN_KEY;
+	});
+});