fix: Address PR review comments

ammario · claude · ammario · commit 6bd0c8983af1 · 2025-09-21T19:54:17.000-05:00
- Fix V8 platform lifetime issue by storing SharedRef in OnceLock - Update JS and prog engines to use deny_message instead of message - Support shorthand {deny_message: "..."} syntax (implies allow: false) - Update README to clarify JS is fastest mode - Only return messages when denying, not when allowing Breaking change: JS expressions now use deny_message instead of message for custom denial messages, matching the prog engine API. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/README.md b/README.md
@@ -252,12 +252,13 @@ Examples:
 true  // Allow
 false // Deny
 
-// Object with message (parentheses needed when used as expression)
-({allow: false, message: "Blocked by policy"})
-({allow: true, message: "Allowed with warning"})
+// Object with deny_message (parentheses needed when used as expression)
+({allow: false, deny_message: "Blocked by policy"})
+// Shorthand: if only deny_message is provided, request is denied
+({deny_message: "Blocked by policy"})
 
 // Conditional with message
-r.method === 'POST' ? {allow: false, message: 'POST not allowed'} : true
+r.method === 'POST' ? {deny_message: 'POST not allowed'} : true
 ```
 
 **JavaScript evaluation rules:**
@@ -269,10 +270,11 @@ r.method === 'POST' ? {allow: false, message: 'POST not allowed'} : true
 
 **Performance considerations:**
 
-- V8 engine provides fast JavaScript execution
-- Fresh isolate creation per request ensures thread safety but adds some overhead
-- JavaScript evaluation is generally faster than shell script execution (--sh)
-- Persistent program mode (--prog) can be comparable to JavaScript for compiled languages
+- JavaScript mode is designed to be the fastest evaluation mode
+- V8 engine provides fast JavaScript execution with minimal overhead
+- Fresh isolate creation per request ensures thread safety
+- JavaScript evaluation is significantly faster than shell script execution (--sh)
+- Persistent program mode (--prog) can approach JavaScript performance for compiled languages, and future versions may support parallel instances and stateful caching
 
 > [!NOTE]
 > The evaluation flags `--js`, `--js-file`, `--sh`, and `--prog` are mutually exclusive. Only one evaluation method can be used at a time.
@@ -302,7 +304,7 @@ fi
 
 ### Persistent Program Mode (--prog)
 
-The `--prog` flag starts a single persistent process that receives JSON-formatted requests on stdin (one per line) and outputs decisions line-by-line. This approach eliminates process spawn overhead by keeping the evaluator in memory, making it suitable for production use.
+The `--prog` flag starts a single persistent process that receives JSON-formatted requests on stdin (one per line) and outputs decisions line-by-line. This approach eliminates process spawn overhead by keeping the evaluator in memory, making it suitable for production use. The API is designed to be equivalent to the JavaScript engine, supporting the same response formats.
 
 ```bash
 # Use a persistent program (path to executable)
@@ -335,8 +337,9 @@ for line in sys.stdin:
 
 - **Output**: One response per line, either:
   - Simple: `true` or `false` (matching JS boolean semantics)
-  - JSON: `{"allow": true/false, "message": "optional context"}`
-  - Any other output is treated as deny with the output as the message
+  - JSON: `{"allow": true/false, "deny_message": "optional message for denials"}`
+  - Shorthand: `{"deny_message": "reason"}` (implies allow: false)
+  - Any other output is treated as deny with the output as the deny_message
 
 > [!NOTE]
 > Make sure to flush stdout after each response in your script to ensure real-time processing!
diff --git a/src/rules/prog.rs b/src/rules/prog.rs
@@ -168,23 +168,29 @@ impl ProgRuleEngine {
                             if let Ok(json_response) =
                                 serde_json::from_str::<serde_json::Value>(response)
                             {
-                                let allowed = json_response
-                                    .get("allow")
-                                    .and_then(|v| v.as_bool())
-                                    .unwrap_or(false);
-
-                                let message = json_response
-                                    .get("message")
+                                // Check for deny_message first
+                                let deny_message = json_response
+                                    .get("deny_message")
                                     .and_then(|v| v.as_str())
                                     .map(String::from);
 
+                                // Get allow value - if not present but deny_message exists, default to false
+                                let allowed = if let Some(allow_val) = json_response.get("allow") {
+                                    allow_val.as_bool().unwrap_or(false)
+                                } else if deny_message.is_some() {
+                                    // Shorthand: if only deny_message is present, it implies allow: false
+                                    false
+                                } else {
+                                    false
+                                };
+
                                 if allowed {
                                     debug!("ALLOW: {} {} (script allowed via JSON)", method, url);
+                                    (allowed, None) // No message when allowing
                                 } else {
                                     debug!("DENY: {} {} (script denied via JSON)", method, url);
+                                    (allowed, deny_message)
                                 }
-
-                                (allowed, message)
                             } else {
                                 // Not JSON, treat the output as a deny message
                                 debug!("DENY: {} {} (script returned: {})", method, url, response);
@@ -347,13 +353,13 @@ for line in sys.stdin:
     try:
         request = json.loads(line)
         if 'blocked' in request.get('host', ''):
-            response = {'allow': False, 'message': f"Host {request['host']} is blocked"}
+            response = {'allow': False, 'deny_message': f"Host {request['host']} is blocked"}
         else:
             response = {'allow': True}
         print(json.dumps(response))
         sys.stdout.flush()
     except Exception as e:
-        print(json.dumps({'allow': False, 'message': str(e)}))
+        print(json.dumps({'allow': False, 'deny_message': str(e)}))
         sys.stdout.flush()
 "#;
         script_file.write_all(script.as_bytes()).unwrap();
@@ -453,18 +459,18 @@ for line in sys.stdin:
     
     # First request: allow
     if counter == 1:
-        response = {"allow": True, "message": f"Request {counter} allowed"}
+        response = {"allow": True}
         print(json.dumps(response))
         sys.stdout.flush()
-    # Second request: allow then exit
+    # Second request: deny then exit
     elif counter == 2:
-        response = {"allow": False, "message": f"Request {counter} denied, exiting"}
+        response = {"allow": False, "deny_message": f"Request {counter} denied, exiting"}
         print(json.dumps(response))
         sys.stdout.flush()
         sys.exit(0)  # Exit after second request
     else:
         # This should never be reached in the first process
-        response = {"allow": True, "message": f"Unexpected request {counter}"}
+        response = {"allow": True}
         print(json.dumps(response))
         sys.stdout.flush()
 "#;
@@ -488,12 +494,7 @@ for line in sys.stdin:
             .evaluate(Method::GET, "https://example.com/1", "127.0.0.1")
             .await;
         assert!(matches!(result.action, Action::Allow));
-        assert!(
-            result
-                .context
-                .as_ref()
-                .is_some_and(|c| c.contains("Request 1 allowed"))
-        );
+        assert_eq!(result.context, None); // No message when allowing
 
         // Second request - should be denied, then process exits
         let result = engine
@@ -515,12 +516,7 @@ for line in sys.stdin:
             .evaluate(Method::GET, "https://example.com/3", "127.0.0.1")
             .await;
         assert!(matches!(result.action, Action::Allow));
-        assert!(
-            result
-                .context
-                .as_ref()
-                .is_some_and(|c| c.contains("Request 1 allowed"))
-        );
+        assert_eq!(result.context, None); // No message when allowing
 
         // Fourth request - should be second request in restarted process
         let result = engine
diff --git a/src/rules/v8_js.rs b/src/rules/v8_js.rs
@@ -14,12 +14,15 @@ pub struct V8JsRuleEngine {
 
 impl V8JsRuleEngine {
     pub fn new(js_code: String) -> Result<Self, Box<dyn std::error::Error>> {
-        // Initialize V8 platform once
-        static V8_INIT: std::sync::Once = std::sync::Once::new();
-        V8_INIT.call_once(|| {
+        // Initialize V8 platform once and keep it alive for the lifetime of the program
+        use std::sync::OnceLock;
+        static V8_PLATFORM: OnceLock<v8::SharedRef<v8::Platform>> = OnceLock::new();
+
+        V8_PLATFORM.get_or_init(|| {
             let platform = v8::new_default_platform(0, false).make_shared();
-            v8::V8::initialize_platform(platform);
+            v8::V8::initialize_platform(platform.clone());
             v8::V8::initialize();
+            platform
         });
 
         // Compile the JavaScript to check for syntax errors
@@ -121,37 +124,48 @@ impl V8JsRuleEngine {
             .run(context_scope)
             .ok_or("Expression evaluation failed")?;
 
-        // Check if result is an object with 'allow' and optionally 'message'
+        // Check if result is an object with 'allow' and/or 'deny_message'
         if result.is_object() {
             let obj = result.to_object(context_scope).unwrap();
 
-            // Get 'allow' property
+            // Get 'deny_message' property if present
+            let deny_message_key = v8::String::new(context_scope, "deny_message").unwrap();
+            let deny_message = obj
+                .get(context_scope, deny_message_key.into())
+                .and_then(|v| {
+                    if v.is_undefined() || v.is_null() {
+                        None
+                    } else {
+                        v.to_string(context_scope)
+                            .map(|s| s.to_rust_string_lossy(context_scope))
+                    }
+                });
+
+            // Get 'allow' property - if not present but deny_message exists, default to false
             let allow_key = v8::String::new(context_scope, "allow").unwrap();
-            let allowed = obj
-                .get(context_scope, allow_key.into())
-                .map(|v| v.boolean_value(context_scope))
-                .unwrap_or(false);
-
-            // Get 'message' property if present
-            let message_key = v8::String::new(context_scope, "message").unwrap();
-            let message = obj.get(context_scope, message_key.into()).and_then(|v| {
-                if v.is_undefined() || v.is_null() {
-                    None
-                } else {
-                    v.to_string(context_scope)
-                        .map(|s| s.to_rust_string_lossy(context_scope))
-                }
-            });
+            let allow_value = obj.get(context_scope, allow_key.into());
+            let allowed = if allow_value.is_some() && !allow_value.unwrap().is_undefined() {
+                allow_value.unwrap().boolean_value(context_scope)
+            } else if deny_message.is_some() {
+                // Shorthand: if only deny_message is present, it implies allow: false
+                false
+            } else {
+                // Default to false if neither is properly set
+                false
+            };
 
             debug!(
                 "JS rule returned object: allow={} for {} {}",
                 allowed, request_info.method, request_info.url
             );
 
-            if let Some(ref msg) = message {
-                debug!("Message: {}", msg);
+            if let Some(ref msg) = deny_message {
+                debug!("Deny message: {}", msg);
             }
 
+            // Only return the message if the request is denied
+            let message = if !allowed { deny_message } else { None };
+
             Ok((allowed, message))
         } else {
             // Result is not an object, treat as boolean
@@ -242,19 +256,18 @@ mod tests {
 
     #[tokio::test]
     async fn test_v8_js_object_response_allow() {
-        let engine =
-            V8JsRuleEngine::new("({allow: true, message: 'Test allowed'})".to_string()).unwrap();
+        let engine = V8JsRuleEngine::new("({allow: true})".to_string()).unwrap();
         let result = engine
             .evaluate(Method::GET, "https://example.com", "127.0.0.1")
             .await;
         assert!(matches!(result.action, crate::rules::Action::Allow));
-        assert_eq!(result.context, Some("Test allowed".to_string()));
+        assert_eq!(result.context, None); // No message when allowing
     }
 
     #[tokio::test]
     async fn test_v8_js_object_response_deny() {
         let engine =
-            V8JsRuleEngine::new("({allow: false, message: 'Blocked by policy'})".to_string())
+            V8JsRuleEngine::new("({allow: false, deny_message: 'Blocked by policy'})".to_string())
                 .unwrap();
         let result = engine
             .evaluate(Method::POST, "https://example.com", "127.0.0.1")
@@ -266,7 +279,7 @@ mod tests {
     #[tokio::test]
     async fn test_v8_js_conditional_object() {
         let engine = V8JsRuleEngine::new(
-            "r.method === 'POST' ? {allow: false, message: 'POST not allowed'} : true".to_string(),
+            "r.method === 'POST' ? {deny_message: 'POST not allowed'} : true".to_string(),
         )
         .unwrap();
 
@@ -284,4 +297,16 @@ mod tests {
         assert!(matches!(result.action, crate::rules::Action::Allow));
         assert_eq!(result.context, None);
     }
+
+    #[tokio::test]
+    async fn test_v8_js_shorthand_deny_message() {
+        // Test shorthand: {deny_message: "reason"} implies allow: false
+        let engine =
+            V8JsRuleEngine::new("({deny_message: 'Shorthand denial'})".to_string()).unwrap();
+        let result = engine
+            .evaluate(Method::GET, "https://example.com", "127.0.0.1")
+            .await;
+        assert!(matches!(result.action, crate::rules::Action::Deny));
+        assert_eq!(result.context, Some("Shorthand denial".to_string()));
+    }
 }
