Merge branch 'main' into deps/js/check-dependency-version-consistency…

…-3.x

.env

@@ -21,8 +21,8 @@ POSTGRES_PASSWORD=postgres
 HASH_KRATOS_PG_USER=kratos
 HASH_KRATOS_PG_PASSWORD=kratos
 HASH_KRATOS_PG_DATABASE=kratos
-ORY_KRATOS_PUBLIC_URL=http://127.0.0.1:4433
-ORY_KRATOS_ADMIN_URL=HTTP://127.0.0.1:4434
+HASH_KRATOS_PUBLIC_URL=http://127.0.0.1:4433
+HASH_KRATOS_ADMIN_URL=HTTP://127.0.0.1:4434
 KRATOS_API_KEY=secret
 KRATOS_COOKIE_DOMAIN=localhost
 KRATOS_SECRETS_COOKIE=VERY-INSECURE-AND-SHOULD-ONLY-BE-USED-IN-DEV

.github/workflows/codeql-analysis.yml

@@ -36,7 +36,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -47,7 +47,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -61,4 +61,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5

.github/workflows/lint.yml

@@ -115,7 +115,7 @@ jobs:
 
       - name: Install Rust tools
         if: always() && steps.lints.outputs.has-rust == 'true'
-        uses: taiki-e/install-action@6943331e01261cdff7420bbc2508cb463574e404 # v2.27.2
+        uses: taiki-e/install-action@b7add58e53e52e624966da65007ce24524f3dcf3 # v2.27.9
         with:
           tool: [email protected],[email protected],[email protected],[email protected],[email protected]
 
@@ -182,7 +182,7 @@ jobs:
           mv "$tmp" clippy.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
         if: always() && steps.lints.outputs.has-clippy == 'true'
         with:
           sarif_file: ${{ matrix.directory }}/clippy.sarif

.github/workflows/semgrep.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     container:
-      image: returntocorp/semgrep:1.61.1@sha256:6b8e487ba2eba166f1364529e49e241fc625fb837a1a190a5480366ecef71330
+      image: returntocorp/semgrep:1.62.0@sha256:7f817a27f8322550e5569750079c10bdecf90284afb660edc5bb27a4b252d928
 
     # Skip any PR created by Dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
@@ -43,7 +43,7 @@ jobs:
           files: "semgrep.sarif"
 
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
         if: steps.sarif_file_check.outputs.files_exists == 'true'
         with:
           sarif_file: semgrep.sarif

.github/workflows/test.yml

@@ -173,7 +173,7 @@ jobs:
 
       - name: Install Rust tools
         if: always() && steps.tests.outputs.has-rust == 'true'
-        uses: taiki-e/install-action@6943331e01261cdff7420bbc2508cb463574e404 # v2.27.2
+        uses: taiki-e/install-action@b7add58e53e52e624966da65007ce24524f3dcf3 # v2.27.9
         with:
           tool: [email protected],[email protected],[email protected],[email protected]
 
@@ -198,7 +198,7 @@ jobs:
       - name: Show disk usage
         run: df -h
 
-      - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
+      - uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2
         name: Upload coverage to https://app.codecov.io/gh/hashintel/hash
         with:
           flags: ${{ env.TRIMMED_PACKAGE_NAME }}
@@ -298,7 +298,7 @@ jobs:
 
       - name: Install Rust tools
         if: always() && steps.tests.outputs.has-rust == 'true'
-        uses: taiki-e/install-action@6943331e01261cdff7420bbc2508cb463574e404 # v2.27.2
+        uses: taiki-e/install-action@b7add58e53e52e624966da65007ce24524f3dcf3 # v2.27.9
         with:
           tool: [email protected],[email protected],[email protected],[email protected]
 
@@ -354,7 +354,7 @@ jobs:
       - name: Show disk usage
         run: df -h
 
-      - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
+      - uses: codecov/codecov-action@0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1 # v4.0.2
         name: Upload coverage to https://app.codecov.io/gh/hashintel/hash
         with:
           flags: ${{ env.TRIMMED_PACKAGE_NAME }}
@@ -429,7 +429,7 @@ jobs:
 
       - name: Install Rust tools
         if: always() && steps.tests.outputs.has-rust == 'true'
-        uses: taiki-e/install-action@6943331e01261cdff7420bbc2508cb463574e404 # v2.27.2
+        uses: taiki-e/install-action@b7add58e53e52e624966da65007ce24524f3dcf3 # v2.27.9
         with:
           tool: [email protected],[email protected],[email protected],[email protected]
 
@@ -555,7 +555,7 @@ jobs:
 
       - name: Install tools
         if: always() && steps.publish.outputs.has-rust == 'true' && github.event_name == 'pull_request' || github.event_name == 'merge_group'
-        uses: taiki-e/install-action@6943331e01261cdff7420bbc2508cb463574e404 # v2.27.2
+        uses: taiki-e/install-action@b7add58e53e52e624966da65007ce24524f3dcf3 # v2.27.9
         with:
           tool: cargo-semver-checks
 

apps/hash-api/src/auth/ory-kratos.ts

@@ -7,13 +7,13 @@ import {
 
 import { getRequiredEnv } from "../util";
 
-export const kratosPublicUrl = getRequiredEnv("ORY_KRATOS_PUBLIC_URL");
+export const kratosPublicUrl = getRequiredEnv("HASH_KRATOS_PUBLIC_URL");
 
 export const kratosFrontendApi = new FrontendApi(
   new Configuration({ basePath: kratosPublicUrl }),
 );
 
-const adminUrl = getRequiredEnv("ORY_KRATOS_ADMIN_URL");
+const adminUrl = getRequiredEnv("HASH_KRATOS_ADMIN_URL");
 
 export const kratosIdentityApi = new IdentityApi(
   new Configuration({ basePath: adminUrl }),

apps/hash-api/views/consent.hbs

@@ -29,13 +29,21 @@
             xhr.send(JSON.stringify(data));
         }
 
-        window.addEventListener("DOMContentLoaded", function() {
+        if (document.readyState !== 'loading') {
             var form = document.querySelector('form');
             form.addEventListener('submit', function(event) {
                 event.preventDefault();
                 submit();
             });
-        })
+        } else {
+            document.addEventListener('DOMContentLoaded', function() {
+                var form = document.querySelector('form');
+                form.addEventListener('submit', function(event) {
+                    event.preventDefault();
+                    submit();
+                });
+            });
+        }
     </script>
     <div class="auth-box">
         <h1>Grant access to HASH</h1>

apps/hash-external-services/docker-compose.prod.yml

@@ -21,6 +21,7 @@ services:
       COOKIES_PATH: "/"
       COOKIES_DOMAIN: "${KRATOS_COOKIE_DOMAIN}"
       COOKIES_SAME_SITE: "Lax"
+      OAUTH2_PROVIDER_URL: "http://hydra:4445"
       SERVE_PUBLIC_BASE_URL: "${FRONTEND_URL}/api/ory"
       SERVE_PUBLIC_CORS_ALLOWED_HEADERS: "Authorization,Content-Type,X-Session-Token,X-CSRF-Token"
       SERVE_PUBLIC_CORS_ALLOWED_ORIGINS: "${FRONTEND_URL}"
@@ -41,8 +42,8 @@ services:
 
   hydra:
     environment:
-      COOKIES_DOMAIN: "${KRATOS_COOKIE_DOMAIN}"
-      COOKIES_SAME_SITE: "Lax"
+      SERVE_COOKIES_DOMAIN: "${KRATOS_COOKIE_DOMAIN}"
+      SERVE_COOKIES_SAME_SITE_MODE: "Lax"
 
   spicedb-migrate:
     image: authzed/spicedb:v${HASH_SPICEDB_VERSION}
@@ -113,8 +114,8 @@ services:
       HASH_OPENSEARCH_ENABLED: "false"
       HASH_INTEGRATION_QUEUE_NAME: "${HASH_INTEGRATION_QUEUE_NAME}"
 
-      ORY_KRATOS_PUBLIC_URL: "http://kratos:4433"
-      ORY_KRATOS_ADMIN_URL: "http://kratos:4434"
+      HASH_KRATOS_PUBLIC_URL: "http://kratos:4433"
+      HASH_KRATOS_ADMIN_URL: "http://kratos:4434"
       KRATOS_API_KEY: "${KRATOS_API_KEY}"
     ports:
       - "5001:5001"
@@ -141,7 +142,6 @@ services:
       # appropriately. The backend is not on "localhost" from the perspective of
       # this container.
       API_ORIGIN: "http://hash-api:5001"
-      ORY_KRATOS_PUBLIC_URL: "http://kratos:4433"
 
     ports:
       - "3000:3000"

apps/hash-graph/libs/api/Cargo.toml

@@ -38,7 +38,7 @@ tokio = { workspace = true, features = ["macros"], optional = true }
 tokio-postgres = { version = "0.7.10", default-features = false, optional = true }
 tokio-util = { workspace = true, features = ["io"], optional = true }
 tower = "0.4.13"
-tower-http = { version = "0.5.1", features = ["trace"] }
+tower-http = { version = "0.5.2", features = ["trace"] }
 tracing = { workspace = true }
 tracing-opentelemetry = "0.22.0"
 utoipa = "4.2.0"

apps/hash-graph/libs/graph/src/store/postgres/knowledge/entity/mod.rs

@@ -1289,8 +1289,8 @@ impl<C: AsClient> EntityStore for PostgresStore<C> {
                         WHERE web_id = $1
                           AND entity_uuid = $2
                           AND draft_id IS NULL
-                          AND updated_at_transaction_time <= $4
-                          AND updated_at_decision_time <= $5;
+                          AND updated_at_transaction_time <= $3
+                          AND updated_at_decision_time <= $4;
                     ",
                         &[
                             &params.entity_id.owned_by_id,

apps/hash-graph/tests/friendship.http

@@ -1813,7 +1813,7 @@ X-Authenticated-User-Actor-Id: {{account_id}}
   ],
   "updatedAtTransactionTime": "{{person_a_transaction_time}}",
   "updatedAtDecisionTime": "{{person_a_decision_time}}",
-  "reset": false
+  "reset": true
 }
 
 > {%
@@ -1877,7 +1877,7 @@ X-Authenticated-User-Actor-Id: {{account_id}}
   ],
   "updatedAtTransactionTime": "{{person_b_transaction_time}}",
   "updatedAtDecisionTime": "{{person_b_decision_time}}",
-  "reset": false
+  "reset": true
 }
 
 > {%

infra/terraform/hash/prod-usea1.tfvars

@@ -31,18 +31,22 @@ kratos_env_vars = [
   { name = "LOG_LEAK_SENSITIVE_VALUES", secret = false, value = "false" },
   { name = "COURIER_SMTP_FROM_ADDRESS", secret = false, value = "[email protected]" },
   { name = "COURIER_SMTP_FROM_NAME", secret = false, value = "HASH" },
+  { name = "OAUTH2_PROVIDER_URL", secret = false, value = "http://localhost:4445" } # Hydra admin endpoint
 ]
 
 hydra_env_vars = [
   { name = "LOG_LEVEL", secret = false, value = "info" },
   { name = "COOKIES_PATH", secret = false, value = "/" },
-  { name = "COOKIES_DOMAIN", secret = false, value = "hash.ai" },
-  { name = "COOKIES_SAME_SITE", secret = false, value = "Lax" },
+  { name = "SERVE_COOKIES_DOMAIN", secret = false, value = "hash.ai" },
+  { name = "SERVE_COOKIES_SAME_SITE_MODE", secret = false, value = "Lax" },
+  { name = "URLS_CONSENT", secret = false, value = "https://app-api.hash.ai/oauth2/consent"},
   { name = "URLS_LOGIN", secret = false, value = "https://app.hash.ai/signin" },
   { name = "URLS_REGISTRATION", secret = false, value = "https://app.hash.ai/signup" },
   { name = "URLS_POST_LOGOUT_REDIRECT", secret = false, value = "https://app.hash.ai" },
-  { name = "URLs_IDENTITY_PROVIDER_PUBLICURL", secret = false, value = "http://localhost:4444" },
-  { name = "URLS_IDENTITY_PROVIDER_URL", secret = false, value = "http://localhost:4445" },
+  { name = "URLS_IDENTITY_PROVIDER_PUBLICURL", secret = false, value = "http://localhost:4433" }, # Kratos public endpoint
+  { name = "URLS_IDENTITY_PROVIDER_URL", secret = false, value = "http://localhost:4434" }, # Kratos admin endpoint
+  { name = "URLS_SELF_ISSUER", secret = false, value = "https://app-api.hash.ai" },
+  { name = "URLS_SELF_PUBLIC", secret = false, value = "https://app-api.hash.ai" }
 ]
 
 hash_graph_env_vars = [
@@ -65,10 +69,10 @@ hash_api_env_vars = [
 
   { name = "HASH_OPENSEARCH_ENABLED", secret = false, value = "false" },
 
-  { name = "ORY_KRATOS_PUBLIC_URL", secret = false, value = "http://localhost:4433" },
-  { name = "ORY_KRATOS_ADMIN_URL", secret = false, value = "http://localhost:4434" },
-  { name = "ORY_HYDRA_PUBLIC_URL", secret = false, value = "http://localhost:4444" },
-  { name = "ORY_HYDRA_ADMIN_URL", secret = false, value = "http://localhost:4445" },
+  { name = "HASH_KRATOS_PUBLIC_URL", secret = false, value = "http://localhost:4433" },
+  { name = "HASH_KRATOS_ADMIN_URL", secret = false, value = "http://localhost:4434" },
+  { name = "HASH_HYDRA_PUBLIC_URL", secret = false, value = "http://localhost:4444" },
+  { name = "HASH_HYDRA_ADMIN_URL", secret = false, value = "http://localhost:4445" },
 
   # TODO: remove these deprecated system org variables
   { name = "SYSTEM_ACCOUNT_NAME", secret = false, value = "HASH" },

libs/@local/hash-graph-client/typescript/package.json

@@ -16,7 +16,7 @@
     "@apps/hash-graph": "0.0.0-private",
     "@local/eslint-config": "0.0.0-private",
     "@local/tsconfig": "0.0.0-private",
-    "@redocly/cli": "1.9.0",
+    "@redocly/cli": "1.9.1",
     "@types/node": "18.15.13",
     "@typescript-eslint/parser": "7.0.2",
     "eslint": "8.56.0",

package.json

@@ -90,13 +90,13 @@
     "dotenv-flow": "3.2.0",
     "husky": "8.0.3",
     "lint-staged": "15.2.2",
-    "lockfile-lint": "4.13.1",
+    "lockfile-lint": "4.13.2",
     "markdownlint-cli": "0.39.0",
     "npm-run-all": "4.1.5",
     "patch-package": "6.5.0",
     "postinstall-postinstall": "2.1.0",
     "prettier": "3.2.5",
-    "prettier-plugin-packagejson": "2.4.11",
+    "prettier-plugin-packagejson": "2.4.12",
     "prettier-plugin-sh": "0.14.0",
     "prettier-plugin-sql": "0.12.1",
     "suppress-exit-code": "3.1.0",