Conversation
Update moq to latest, upgrade biome to 2.4+ and typescript to 6.0+ to match moq requirements, enable tailwindDirectives in biome config, and run semver-compatible dependency updates across all packages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Bump major versions: vite 8, typescript 6, @types/web 0.0.345, marked 17, uuid 13, @huggingface/transformers 4, globals 17 - Revert WIP addSection/addTrack code (d624cfe) that used unmerged APIs - Fix path → name rename for Publish.Broadcast and Watch.Broadcast - Fix support element imports: @moq/watch/support and @moq/publish/support - Fix CryptoKeyPair type narrowing in moq/token - Add allowImportingTsExtensions and worklet.d.ts for moq compatibility - Remove stale @ts-expect-error directives (navigator.gpu now typed) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the moq git submodule with published @moq/* npm packages and provide moq-relay/moq-token-cli via the moq nix flake for local dev. - Remove moq submodule and .gitmodules - Replace workspace:* deps with published npm versions - Add moq flake input to flake.nix for relay and token CLI binaries - Add dev/relay/ with config and justfile for local relay server - Update justfile, api/justfile paths for new relay location - Copy worklet.d.ts locally (was in moq/js/common/) - Update CLAUDE.md, README.md, CI workflow, infra references Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
WalkthroughThis pull request removes the moq git submodule and related .gitmodules entries, replaces in-repo moq usage with published npm packages ( 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
README.md (1)
51-56:⚠️ Potential issue | 🟠 MajorThe “Without Nix” path is missing relay tool prerequisites.
just devnow relies onmoq-relay/moq-token-cli, but this section only installs JS deps. That path will fail unless users install those binaries separately.💡 Suggested docs patch
**Without Nix:** ```sh bun install +# Ensure `moq-relay` and `moq-token-cli` are installed and on PATH just dev</details> Also applies to: 77-77 <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against the current code and only fix it if needed.
In
@README.mdaround lines 51 - 56, The "Without Nix" instructions omit the
required relay tool binaries, so update the README's section that shows the
commandsbun installandjust devto also instruct users to install and add
moq-relayandmoq-token-clito their PATH before runningjust dev; mention
these exact tool names (moq-relay,moq-token-cli) and place the note
immediately afterbun install(and likewise update the similar occurrence
around line 77) so users know to install those prerequisites.</details> </blockquote></details> </blockquote></details>🧹 Nitpick comments (2)
app/package.json (1)
21-25: Consider exact pins for pre-1.0@moq/*packages.Using
^0.x.yfor pre-1.0 dependencies can introduce breaking behavior on fresh installs. Prefer exact versions ("0.x.y") if you want tighter reproducibility during this migration period. This pattern appears in both app/package.json (lines 21–25) and api/package.json.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/package.json` around lines 21 - 25, The package pins for pre-1.0 dependencies use caret ranges which can pull breaking changes; update the dependency entries for "@moq/hang", "@moq/lite", "@moq/publish", "@moq/signals", and "@moq/watch" (in app/package.json) from "^0.x.y" to exact "0.x.y" versions to ensure reproducible installs, and apply the same change for the corresponding `@moq/`* entries found in api/package.json; keep the exact numeric versions currently listed (remove the leading ^) without changing the version numbers themselves.dev/relay/justfile (1)
8-23: Harden permissions for generated auth artifacts.
root.jwk(and usuallyroot.jwt) should be owner-readable only to avoid accidental local disclosure on shared systems.💡 Suggested fix
auth-key: `@if` [ ! -f "root.jwk" ]; then \ rm -f *.jwt; \ moq-token-cli --key "root.jwk" generate; \ + chmod 600 root.jwk; \ fi @@ auth-token: auth-key `@if` [ ! -f "root.jwt" ]; then \ moq-token-cli --key "root.jwk" sign \ --root "" \ --subscribe "" \ --publish "" \ --cluster \ > root.jwt ; \ + chmod 600 root.jwt; \ fi🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@dev/relay/justfile` around lines 8 - 23, The generated auth targets (auth-key and auth-token) currently create root.jwk and root.jwt with default permissions; change the recipes for targets "auth-key" and "auth-token" to set strict file permissions after creation (e.g., chmod 600 root.jwk and chmod 600 root.jwt) so both files are owner-readable/writeable only; ensure the chmod commands run only when the files are created and preserve the existing rm -f *.jwt cleanup behavior in the "auth-key" recipe.🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed. Inline comments: In `@api/justfile`: - Around line 9-11: The dev justfile target should guard the cat ../dev/relay/root.jwk call with an explicit preflight check: before invoking bun wrangler dev, test that ../dev/relay/root.jwk exists (e.g., using [ -f ] or test -f) and if it’s missing emit a clear error message and exit non-zero; then read the key into a variable and pass it via --var "RELAY_SECRET:$(cat ...)" and keep the existing RELAY_URL line unchanged. Locate the dev target in the justfile and add the existence check and early exit immediately before the bun wrangler dev invocation so the failure is descriptive rather than a bare cat error. In `@dev/relay/root.toml`: - Around line 9-18: The default relay listen addresses (tls.generate/listen and [web.http].listen) are currently set to "[::]:4443", which is too permissive for anonymous mode; change these defaults to loopback-only (e.g., "[::1]:4443" or "127.0.0.1:4443") so the relay binds only to localhost when running with public = "anon" — update the tls.generate/listen and web.http.listen entries accordingly and ensure any comments note the security rationale. In `@README.md`: - Around line 18-23: The fenced code block that lists the project structure (the block containing the lines starting with "app/ Web frontend (SolidJS + Vite)", "api/ Backend API (Cloudflare Workers + Hono)", "native/ Desktop/mobile app (Tauri v2)", and "dev/relay/ Local relay server config") needs a language identifier to satisfy markdownlint MD040; update the opening fence from ``` to ```text so the block becomes a labeled plaintext code block. --- Outside diff comments: In `@README.md`: - Around line 51-56: The "Without Nix" instructions omit the required relay tool binaries, so update the README's section that shows the commands `bun install` and `just dev` to also instruct users to install and add `moq-relay` and `moq-token-cli` to their PATH before running `just dev`; mention these exact tool names (`moq-relay`, `moq-token-cli`) and place the note immediately after `bun install` (and likewise update the similar occurrence around line 77) so users know to install those prerequisites. --- Nitpick comments: In `@app/package.json`: - Around line 21-25: The package pins for pre-1.0 dependencies use caret ranges which can pull breaking changes; update the dependency entries for "@moq/hang", "@moq/lite", "@moq/publish", "@moq/signals", and "@moq/watch" (in app/package.json) from "^0.x.y" to exact "0.x.y" versions to ensure reproducible installs, and apply the same change for the corresponding `@moq/`* entries found in api/package.json; keep the exact numeric versions currently listed (remove the leading ^) without changing the version numbers themselves. In `@dev/relay/justfile`: - Around line 8-23: The generated auth targets (auth-key and auth-token) currently create root.jwk and root.jwt with default permissions; change the recipes for targets "auth-key" and "auth-token" to set strict file permissions after creation (e.g., chmod 600 root.jwk and chmod 600 root.jwt) so both files are owner-readable/writeable only; ensure the chmod commands run only when the files are created and preserve the existing rm -f *.jwt cleanup behavior in the "auth-key" recipe.🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID:
99226d78-5294-4adf-9743-0c25d01464fd⛔ Files ignored due to path filters (2)
bun.lockis excluded by!**/*.lockflake.lockis excluded by!**/*.lock📒 Files selected for processing (15)
.github/workflows/check.yml.gitmodulesCLAUDE.mdREADME.mdapi/justfileapi/package.jsonapp/package.jsonapp/src/worklet.d.tsdev/relay/justfiledev/relay/root.tomlflake.nixinfra/variables.tfjustfilemoqpackage.json💤 Files with no reviewable changes (4)
- infra/variables.tf
- .gitmodules
- moq
- .github/workflows/check.yml
| dev: | ||
| bun wrangler d1 migrations apply DB --local | ||
| bun wrangler dev --var "RELAY_SECRET:$(cat ../moq/dev/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" | ||
| bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" |
There was a problem hiding this comment.
Add an explicit preflight check for root.jwk.
Running cd api && just dev fails with a low-context cat error if the key hasn’t been generated yet. A guard here makes local setup failures much clearer.
💡 Suggested patch
dev:
bun wrangler d1 migrations apply DB --local
- bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443"
+ test -f ../dev/relay/root.jwk || (echo "Missing ../dev/relay/root.jwk. Run: cd dev/relay && just auth-token" >&2; exit 1)
+ bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| dev: | |
| bun wrangler d1 migrations apply DB --local | |
| bun wrangler dev --var "RELAY_SECRET:$(cat ../moq/dev/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" | |
| bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" | |
| dev: | |
| bun wrangler d1 migrations apply DB --local | |
| test -f ../dev/relay/root.jwk || (echo "Missing ../dev/relay/root.jwk. Run: cd dev/relay && just auth-token" >&2; exit 1) | |
| bun wrangler dev --var "RELAY_SECRET:$(cat ../dev/relay/root.jwk)" --var "RELAY_URL:http://${TAURI_DEV_HOST:-localhost}:4443" |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@api/justfile` around lines 9 - 11, The dev justfile target should guard the
cat ../dev/relay/root.jwk call with an explicit preflight check: before invoking
bun wrangler dev, test that ../dev/relay/root.jwk exists (e.g., using [ -f ] or
test -f) and if it’s missing emit a clear error message and exit non-zero; then
read the key into a variable and pass it via --var "RELAY_SECRET:$(cat ...)" and
keep the existing RELAY_URL line unchanged. Locate the dev target in the
justfile and add the existence check and early exit immediately before the bun
wrangler dev invocation so the failure is descriptive rather than a bare cat
error.
| listen = "[::]:4443" | ||
|
|
||
| # Generate a self-signed certificate for the given hostnames. | ||
| # This is used for local development, in conjunction with a fingerprint, or with TLS verification disabled. | ||
| tls.generate = ["localhost"] | ||
|
|
||
| [web.http] | ||
| # Listen for HTTP and WebSocket (TCP) connections on the given address. | ||
| # Defaults to disabled if not provided. | ||
| listen = "[::]:4443" |
There was a problem hiding this comment.
Default relay binding is too broad for anonymous mode.
With listen = "[::]:4443" and public = "anon", the relay may accept anonymous traffic from non-local interfaces on shared networks. Default this config to loopback-only for safer local development.
🔒 Suggested hardening
[server]
-listen = "[::]:4443"
+listen = "127.0.0.1:4443"
@@
[web.http]
-listen = "[::]:4443"
+listen = "127.0.0.1:4443"Also applies to: 33-34
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@dev/relay/root.toml` around lines 9 - 18, The default relay listen addresses
(tls.generate/listen and [web.http].listen) are currently set to "[::]:4443",
which is too permissive for anonymous mode; change these defaults to
loopback-only (e.g., "[::1]:4443" or "127.0.0.1:4443") so the relay binds only
to localhost when running with public = "anon" — update the tls.generate/listen
and web.http.listen entries accordingly and ensure any comments note the
security rationale.
| ``` | ||
| app/ Web frontend (SolidJS + Vite) | ||
| api/ Backend API (Cloudflare Workers + Hono) | ||
| native/ Desktop/mobile app (Tauri v2) | ||
| moq/ Media over QUIC libraries (git submodule → github.com/kixelated/moq) | ||
| dev/relay/ Local relay server config | ||
| ``` |
There was a problem hiding this comment.
Add a language identifier to the fenced project-structure block.
This currently trips markdownlint MD040.
💡 Suggested fix
-```
+```text
app/ Web frontend (SolidJS + Vite)
api/ Backend API (Cloudflare Workers + Hono)
native/ Desktop/mobile app (Tauri v2)
dev/relay/ Local relay server config</details>
<details>
<summary>🧰 Tools</summary>
<details>
<summary>🪛 markdownlint-cli2 (0.22.0)</summary>
[warning] 18-18: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
</details>
</details>
<details>
<summary>🤖 Prompt for AI Agents</summary>
Verify each finding against the current code and only fix it if needed.
In @README.md around lines 18 - 23, The fenced code block that lists the project
structure (the block containing the lines starting with "app/ Web
frontend (SolidJS + Vite)", "api/ Backend API (Cloudflare Workers +
Hono)", "native/ Desktop/mobile app (Tauri v2)", and "dev/relay/ Local
relay server config") needs a language identifier to satisfy markdownlint MD040;
update the opening fence from totext so the block becomes a labeled
plaintext code block.
</details>
<!-- fingerprinting:phantom:poseidon:hawk:5ca8007f-9d0b-410f-888f-fecd37b49e9a -->
<!-- This is an auto-generated comment by CodeRabbit -->
- Fix check:shaders glob to match actual shader location (src/room/gl/) - Auto-run auth-key generation in api dev target instead of failing - Gitignore *.jwk and *.jwt relay key/token files Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
glslangValidator doesn't support #include directives used in the shaders. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
flake.nix (1)
46-48: Guardmoqpackage attrs to avoid cross-system evaluation failures.Lines 46–48 reference
moq.packages.${system}.moq-relayandmoq.packages.${system}.moq-token-cliwithout checking whether these attributes are published for all systems. The flake evaluates across four default systems (x86_64-linux, aarch64-linux, x86_64-darwin, aarch64-darwin) viaeachDefaultSystem, but CI only tests on ubuntu-latest, leaving other systems untested. If the moq flake doesn't expose these packages for a particular system, evaluation will fail for that target.Consider gating these entries with
hasAttrchecks:Suggested defensive change
let pkgs = import nixpkgs { inherit system; overlays = [ rust-overlay.overlays.default ]; }; + moqPkgs = moq.packages.${system} or {}; in { devShells.default = pkgs.mkShell { - nativeBuildInputs = with pkgs; [ + nativeBuildInputs = + (with pkgs; [ cargo-sort cargo-shear cargo-edit cargo-tauri bun just rsync # MoQ relay and token CLI for local development - moq.packages.${system}.moq-relay - moq.packages.${system}.moq-token-cli - # Icon generation tools imagemagick libicns # provides png2icns - ]; + ]) + ++ pkgs.lib.optionals (builtins.hasAttr "moq-relay" moqPkgs) [ moqPkgs."moq-relay" ] + ++ pkgs.lib.optionals (builtins.hasAttr "moq-token-cli" moqPkgs) [ moqPkgs."moq-token-cli" ]; };🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@flake.nix` around lines 46 - 48, The flake references moq.packages.${system}.moq-relay and moq.packages.${system}.moq-token-cli unguarded, causing cross-system evaluation failures when those attrs are missing; update the list to only include these package entries when they exist by checking hasAttr on moq.packages for the current system and hasAttr for the package names (e.g. guard access to moq.packages.${system} and then to .moq-relay/.moq-token-cli) before adding them to the outputs used with eachDefaultSystem so missing-system variants don’t break evaluation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@flake.nix`:
- Around line 46-48: The flake references moq.packages.${system}.moq-relay and
moq.packages.${system}.moq-token-cli unguarded, causing cross-system evaluation
failures when those attrs are missing; update the list to only include these
package entries when they exist by checking hasAttr on moq.packages for the
current system and hasAttr for the package names (e.g. guard access to
moq.packages.${system} and then to .moq-relay/.moq-token-cli) before adding them
to the outputs used with eachDefaultSystem so missing-system variants don’t
break evaluation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 744244e6-e155-49ee-bf75-bfcd662f07c5
📒 Files selected for processing (2)
app/package.jsonflake.nix
🚧 Files skipped from review as they are similar to previous changes (1)
- app/package.json
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@native/justfile`:
- Around line 14-17: The Linux-only guard in the justfile (the conditional using
[[ "$(uname)" != "Linux" ]]) causes cargo check and cargo clippy to be skipped
on CI; change the justfile so Rust validation runs by default (always invoke
cargo check and cargo clippy -- -D warnings) and make skipping explicit via an
opt-in environment variable (e.g., SKIP_RUST_CHECK=1) or a platform-specific
allowlist (check for "Darwin" or "Windows" instead), and update the conditional
logic to reference that env var or allowlist so CI (ubuntu-latest) executes the
Rust checks; ensure the unique symbols cargo check, cargo clippy -- -D warnings,
and the uname conditional are updated accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| if [[ "$(uname)" != "Linux" ]]; then | ||
| cargo check | ||
| cargo clippy -- -D warnings | ||
| fi |
There was a problem hiding this comment.
Linux guard disables Rust validation in CI (Line 14).
Because CI runs on ubuntu-latest and calls just check (.github/workflows/check.yml Line 14 and Line 23; root justfile Line 19), this branch skips cargo check and cargo clippy on the main CI path. That creates a blind spot for Rust regressions.
💡 Proposed fix (make skipping explicit/opt-in instead of OS-wide)
check:
#!/usr/bin/env bash
set -euo pipefail
- # cargo check/clippy require system GTK/WebKit libraries on Linux
- if [[ "$(uname)" != "Linux" ]]; then
+ if [[ "${SKIP_NATIVE_CHECKS:-0}" != "1" ]]; then
cargo check
cargo clippy -- -D warnings
+ else
+ echo "Skipping cargo check/clippy (SKIP_NATIVE_CHECKS=1)"
fi
cargo fmt -- --check🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@native/justfile` around lines 14 - 17, The Linux-only guard in the justfile
(the conditional using [[ "$(uname)" != "Linux" ]]) causes cargo check and cargo
clippy to be skipped on CI; change the justfile so Rust validation runs by
default (always invoke cargo check and cargo clippy -- -D warnings) and make
skipping explicit via an opt-in environment variable (e.g., SKIP_RUST_CHECK=1)
or a platform-specific allowlist (check for "Darwin" or "Windows" instead), and
update the conditional logic to reference that env var or allowlist so CI
(ubuntu-latest) executes the Rust checks; ensure the unique symbols cargo check,
cargo clippy -- -D warnings, and the uname conditional are updated accordingly.
1 participant
Summary
moqgit submodule, consume@moq/*packages from npm insteadmoq-relayandmoq-token-clifor local devdev/relay/with config and justfile for running the local relay serverTest plan
bun installresolves all published npm packages@hang/apiand@hang/livejust devstarts relay, api, and app correctly🤖 Generated with Claude Code