[APPS][Connections Part 3] Resolve same-module backend connection IDs

[sdkennedy2]

Motivation

This is part 3 of the connection ID manifest stack. Inline string literals are too narrow for realistic backend functions, where authors commonly name connection IDs or group them in a local object.

Changes

Extends same-file extraction to resolve static values declared in the backend module. The extractor now supports top-level const string identifiers, const-to-const chains, static template literals without interpolations, and one-level object member reads from same-file const object literals.

Examples now supported:

const HTTP_CONNECTION_ID = 'conn-id';
request({ connectionId: HTTP_CONNECTION_ID, inputs: {} });

const CONNECTIONS = { HTTP: 'conn-id' };
request({ connectionId: CONNECTIONS.HTTP, inputs: {} });

The PR preserves fail-closed behavior for mutable bindings, unresolved identifiers, imported values, dynamic templates, computed/spread object forms, function calls, env reads, and nested member chains. Imported module traversal remains deferred to part 4.

QA Instructions

• Run NODE_OPTIONS=--experimental-vm-modules ~/.yarn/switch/bin/yarn workspace @dd/tests jest --config jest.config.ts ../plugins/apps/src/backend/discovery.test.ts ../plugins/apps/src/backend/extract-connection-ids.test.ts ../plugins/apps/src/index.test.ts ../plugins/apps/src/vite/index.test.ts ../plugins/apps/src/vite/dev-server.test.ts ../plugins/apps/src/upload.test.ts --runInBand.
• Run ~/.yarn/switch/bin/yarn workspace @dd/apps-plugin typecheck.
• Run ~/.yarn/switch/bin/yarn workspace @dd/tests typecheck.
• Confirm imported identifier/object member cases still fail until part 4.

Blast Radius

This affects static analysis inside a single backend entry module. It does not load or resolve imported modules, so behavior remains bounded to files already being transformed by the apps plugin.

Documentation

• How to reliably make frontend production changes
• PR Description Guidelines
• Deploy steps

[sdkennedy2]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• [APPS][Connections Part 4] Analyze backend connection IDs across modules #341
• [APPS][Connections Part 3] Resolve same-module backend connection IDs #340 👈 (View in Graphite)
• [APPS][Connections Part 2] Extract inline backend connection IDs #339
• [APPS][Connections Part 1] Add backend connection manifest upload plumbing #338
• [APPS] Stop exposing raw index.html standalone URL #329 : 1 other dependent PR (#330 )
• master

This stack of pull requests is managed by Graphite. Learn more about stacking.

[sdkennedy2]

@codex review
@cursor review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8000ecd7eb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Respect local shadowing before resolving constants

When a backend function declares a local CONNECTION_ID that shadows a top-level const, this lookup still resolves the identifier from the module-wide top-level map because the walker visits calls in nested scopes without checking local bindings. For example, const CONNECTION_ID = 'prod'; function run() { const CONNECTION_ID = getId(); request({ connectionId: CONNECTION_ID }); } would emit prod instead of failing closed for the dynamic local value, producing an incorrect connection manifest.

Useful? React with 👍 / 👎.

[sdkennedy2]

@codex review
@cursor review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b3ebcdc55e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Check lexical scope before resolving consts

When a backend function has a local binding that shadows a top-level connection constant, this lookup still resolves the identifier from the module-level consts map because the AST walk does not track lexical scope. For example, with const CONNECTION_ID = 'prod' at the top level and function run() { const CONNECTION_ID = getConnectionId(); request({ connectionId: CONNECTION_ID }); }, the manifest records 'prod' even though the call uses the inner dynamic value; the fail-closed behavior should reject the scoped binding instead of emitting a wrong connection ID.

Useful? React with 👍 / 👎.

[sdkennedy2]

@codex review
@cursor review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a367b98b6f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Respect shadowed connectionId identifiers

When a backend call is inside a nested scope that declares the same name as a top-level const, this resolves the connectionId from the module-level map rather than the binding that is actually in scope. For example, with const CONNECTION_ID = 'prod' at the top level and function run() { const CONNECTION_ID = 'dev'; request({ connectionId: CONNECTION_ID }); }, the manifest records prod even though the runtime call uses dev, so the generated backend-function metadata can omit the connection that is actually required.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fail closed when const connection maps are mutated

This treats any top-level const object literal as immutable, but const only freezes the binding, not its properties. In modules that update the map before or around the backend call, e.g. const CONNECTIONS = { HTTP: 'old' }; CONNECTIONS.HTTP = 'new'; request({ connectionId: CONNECTIONS.HTTP });, the extractor records old while runtime uses new; the existing checks fail closed for spreads/computed keys because they can hide members, and property assignments can hide them in the same way.

Useful? React with 👍 / 👎.

[sdkennedy2]

@codex review
@cursor review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a735063a8d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid resolving shadowed IDs from top-level consts

When a call is inside an inner scope that declares a local CONNECTION_ID, walk still visits that call but collectSameModuleBindings only recorded top-level bindings; this branch then resolves the identifier by name from the top-level map without checking lexical shadowing. In the inspected backend extraction flow, const CONNECTION_ID = 'prod'; function run() { const CONNECTION_ID = 'dev'; request({ connectionId: CONNECTION_ID }); } records prod even though runtime sends dev, corrupting the manifest; please fail closed on shadowed identifiers or track scopes before resolving.

Useful? React with 👍 / 👎.