From b249f77b21fc2d3b79bbe4f7733a3b9186ee0102 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Mon, 23 Jun 2014 21:59:28 -0700
Subject: [PATCH 01/19] Never add two sourceMappingURL notes to a file

(eg, when roundtripping through JsImage.readFromDisk)

Pre-0.9.0 this just means excessive rebuilds; on the packaging branch,
this means excessive version number bumps!
---
 tools/bundler.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/bundler.js b/tools/bundler.js
index 04025de4ed..d9bf8ca144 100644
--- a/tools/bundler.js
+++ b/tools/bundler.js
@@ -1158,6 +1158,10 @@ _.extend(JsImage.prototype, {
         );
 
         var sourceMapFileName = path.basename(loadItem.sourceMap);
+        // Remove any existing sourceMappingURL line. (eg, if roundtripping
+        // through JsImage.readFromDisk, don't end up with two!)
+        item.source = item.source.replace(
+            /\n\/\/# sourceMappingURL=.+\n?$/, '');
         item.source += "\n//# sourceMappingURL=" + sourceMapFileName + "\n";
         loadItem.sourceMapRoot = item.sourceMapRoot;
       }

From da356dad0f7b621aab4c2b34f287aeaca798b425 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Tue, 24 Jun 2014 08:33:02 -0700
Subject: [PATCH 02/19] Remove sentence about SRP from docs

---
 docs/client/api.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/client/api.js b/docs/client/api.js
index e1d5d24746..b389f4fad9 100644
--- a/docs/client/api.js
+++ b/docs/client/api.js
@@ -1087,7 +1087,7 @@ Template.api.loginWithPassword = {
     {
       name: "password",
       type: "String",
-      descr: "The user's password. This is __not__ sent in plain text over the wire &mdash; it is secured with [SRP](http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol)."
+      descr: "The user's password."
     },
     {
       name: "callback",

From 53c3143285e035dd3039ff92323f68ce5f9c59df Mon Sep 17 00:00:00 2001
From: Matt DeBergalis <matt@meteor.com>
Date: Tue, 24 Jun 2014 09:29:52 -0700
Subject: [PATCH 03/19] jobs note

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/README.md b/README.md
index 1cd7553747..df1861c3e8 100644
--- a/README.md
+++ b/README.md
@@ -87,3 +87,7 @@ Interested in contributing to Meteor?
 
 * Core framework design mailing list: https://groups.google.com/group/meteor-core
 * Contribution guidelines: https://github.com/meteor/meteor/tree/devel/Contributing.md
+
+We are hiring!  Visit https://www.meteor.com/jobs/working-at-meteor to
+learn more about working full-time on the Meteor project.
+

From 9a100f0dcaf6ad65490042aa5287f0d534b790f1 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Tue, 24 Jun 2014 21:21:35 -0700
Subject: [PATCH 04/19] note that dev bundle 0.3.39 will shortly be in use

---
 meteor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meteor b/meteor
index 93ddb8cc13..0414a5a4bb 100755
--- a/meteor
+++ b/meteor
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-BUNDLE_VERSION=0.3.38
+BUNDLE_VERSION=0.3.38  # warning! 0.3.39 used on packaging branch
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.

From 6d2408f52b174372294f8e1584acb3a24f83e467 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Wed, 25 Jun 2014 14:55:01 -0700
Subject: [PATCH 05/19] copy-dev-bundle-from-jenkins: don't overwrite!

---
 scripts/admin/copy-dev-bundle-from-jenkins.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/scripts/admin/copy-dev-bundle-from-jenkins.sh b/scripts/admin/copy-dev-bundle-from-jenkins.sh
index f7ebb5c92d..4f1e71a4c0 100755
--- a/scripts/admin/copy-dev-bundle-from-jenkins.sh
+++ b/scripts/admin/copy-dev-bundle-from-jenkins.sh
@@ -37,5 +37,12 @@ echo Found build $DIRNAME
 s3cmd ls s3://com.meteor.jenkins/$DIRNAME/ | \
   perl -nle 'if (/\.tar\.gz/) { ++$TAR } else { die "something weird" }  END { exit !($TAR == 3) }'
 
+for FILE in $(s3cmd ls s3://com.meteor.jenkins/$DIRNAME/ | perl -nlaF/ -e 'print $F[-1]'); do
+   if s3cmd info $TARGET$FILE >/dev/null 2>&1; then
+     echo "$TARGET$FILE already exists (maybe from another branch?)"
+     exit 1
+   fi
+done
+
 echo Copying to $TARGET
 s3cmd -P cp -r s3://com.meteor.jenkins/$DIRNAME/ $TARGET

From 8b74a7d253f86fc8e2c102c79aa1b093804cf4b3 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Wed, 25 Jun 2014 23:51:33 -0700
Subject: [PATCH 06/19] more dev bundle warnings

---
 meteor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meteor b/meteor
index 0414a5a4bb..4ce7672a42 100755
--- a/meteor
+++ b/meteor
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-BUNDLE_VERSION=0.3.38  # warning! 0.3.39 used on packaging branch
+BUNDLE_VERSION=0.3.38  # warning! 0.3.39-40 used on packaging branch
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.

From b76f3e67c880c132895975a963745f61ebab8fac Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Thu, 19 Jun 2014 11:23:50 -0700
Subject: [PATCH 07/19] Move reload safety belt into an opt-in package

---
 docs/.meteor/packages                         |   1 +
 packages/galaxy-reload-safetybelt/.gitignore  |   1 +
 packages/galaxy-reload-safetybelt/package.js  |   9 ++
 .../reload-safety-belt.js                     |  12 ++
 packages/webapp/boilerplate.html              |  12 +-
 packages/webapp/webapp_server.js              |  19 +--
 tools/tests/galaxy-reload-safetybelt.js       | 138 ++++++++++++++++++
 tools/tests/list-sites.js                     |   1 -
 8 files changed, 174 insertions(+), 19 deletions(-)
 create mode 100644 packages/galaxy-reload-safetybelt/.gitignore
 create mode 100644 packages/galaxy-reload-safetybelt/package.js
 create mode 100644 packages/galaxy-reload-safetybelt/reload-safety-belt.js
 create mode 100644 tools/tests/galaxy-reload-safetybelt.js

diff --git a/docs/.meteor/packages b/docs/.meteor/packages
index 46c52f81e7..e72e891e45 100644
--- a/docs/.meteor/packages
+++ b/docs/.meteor/packages
@@ -12,3 +12,4 @@ jquery-waypoints
 less
 spiderable
 appcache
+galaxy-reload-safetybelt
diff --git a/packages/galaxy-reload-safetybelt/.gitignore b/packages/galaxy-reload-safetybelt/.gitignore
new file mode 100644
index 0000000000..677a6fc263
--- /dev/null
+++ b/packages/galaxy-reload-safetybelt/.gitignore
@@ -0,0 +1 @@
+.build*
diff --git a/packages/galaxy-reload-safetybelt/package.js b/packages/galaxy-reload-safetybelt/package.js
new file mode 100644
index 0000000000..d1d78a07b0
--- /dev/null
+++ b/packages/galaxy-reload-safetybelt/package.js
@@ -0,0 +1,9 @@
+Package.describe({
+  summary: "Reload safety belt for galaxy apps",
+  internal: true
+});
+
+Package.on_use(function (api) {
+  api.add_files("reload-safety-belt.js", "server");
+  api.export("ReloadSafetyBelt", "server");
+});
diff --git a/packages/galaxy-reload-safetybelt/reload-safety-belt.js b/packages/galaxy-reload-safetybelt/reload-safety-belt.js
new file mode 100644
index 0000000000..e16d3402ed
--- /dev/null
+++ b/packages/galaxy-reload-safetybelt/reload-safety-belt.js
@@ -0,0 +1,12 @@
+// The reload safetybelt is some js that will be loaded after everything else in
+// the HTML.  In some multi-server deployments, when you update, you have a
+// chance of hitting an old server for the HTML and the new server for the JS or
+// CSS.  This prevents you from displaying the page in that case, and instead
+// reloads it, presumably all on the new version now.
+
+ReloadSafetyBelt = "\n" +
+      "if (typeof Package === 'undefined' ||\n" +
+      "    ! Package.webapp ||\n" +
+      "    ! Package.webapp.WebApp ||\n" +
+      "    ! Package.webapp.WebApp._isCssLoaded())\n" +
+      "  document.location.reload(); \n";
diff --git a/packages/webapp/boilerplate.html b/packages/webapp/boilerplate.html
index e71c29c5ba..baf56a3343 100644
--- a/packages/webapp/boilerplate.html
+++ b/packages/webapp/boilerplate.html
@@ -9,10 +9,14 @@
 {{/if}}
 {{#each js}}  <script type="text/javascript" src="{{../bundledJsCssPrefix}}{{url}}"></script>
 {{/each}}
-{{#if inlineScriptsAllowed}}
-<script type='text/javascript'>{{{reloadSafetyBelt}}}</script>
-{{else}}
-<script type='text/javascript' src='{{rootUrlPathPrefix}}/meteor_reload_safetybelt.js'></script>
+{{#if reloadSafetyBelt}}
+  {{#if inlineScriptsAllowed}}
+    <script type='text/javascript'>
+      {{{reloadSafetyBelt}}}
+    </script>
+  {{else}}
+    <script type='text/javascript' src='{{rootUrlPathPrefix}}/meteor_reload_safetybelt.js'></script>
+  {{/if}}
 {{/if}}
 {{{head}}}
 </head>
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index 5b2429cefd..aec8e62c82 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -19,18 +19,6 @@ WebAppInternals = {};
 
 var bundledJsCssPrefix;
 
-// The reload safetybelt is some js that will be loaded after everything else in
-// the HTML.  In some multi-server deployments, when you update, you have a
-// chance of hitting an old server for the HTML and the new server for the JS or
-// CSS.  This prevents you from displaying the page in that case, and instead
-// reloads it, presumably all on the new version now.
-var RELOAD_SAFETYBELT = "\n" +
-      "if (typeof Package === 'undefined' ||\n" +
-      "    ! Package.webapp ||\n" +
-      "    ! Package.webapp.WebApp ||\n" +
-      "    ! Package.webapp.WebApp._isCssLoaded())\n" +
-      "  document.location.reload(); \n";
-
 // Keepalives so that when the outer server dies unceremoniously and
 // doesn't kill us, we quit ourselves. A little gross, but better than
 // pidfiles.
@@ -345,8 +333,10 @@ var runWebAppServer = function () {
                     JSON.stringify(__meteor_runtime_config__) + ";");
       return;
     } else if (pathname === "/meteor_reload_safetybelt.js" &&
+               Package["galaxy-reload-safetybelt"] &&
+               Package["galaxy-reload-safetybelt"].ReloadSafetyBelt &&
                ! WebAppInternals.inlineScriptsAllowed()) {
-      serveStaticJs(RELOAD_SAFETYBELT);
+      serveStaticJs(Package["galaxy-reload-safetybelt"].ReloadSafetyBelt);
       return;
     }
 
@@ -609,7 +599,8 @@ var runWebAppServer = function () {
       body: '',
       inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed(),
       meteorRuntimeConfig: JSON.stringify(__meteor_runtime_config__),
-      reloadSafetyBelt: RELOAD_SAFETYBELT,
+      reloadSafetyBelt: Package["galaxy-reload-safetybelt"] &&
+        Package["galaxy-reload-safetybelt"].ReloadSafetyBelt,
       rootUrlPathPrefix: __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || '',
       bundledJsCssPrefix: bundledJsCssPrefix ||
         __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || ''
diff --git a/tools/tests/galaxy-reload-safetybelt.js b/tools/tests/galaxy-reload-safetybelt.js
new file mode 100644
index 0000000000..f3f5cf7644
--- /dev/null
+++ b/tools/tests/galaxy-reload-safetybelt.js
@@ -0,0 +1,138 @@
+var httpHelpers = require('../http-helpers.js');
+var selftest = require('../selftest.js');
+var Sandbox = selftest.Sandbox;
+var unipackage = require('../unipackage.js');
+var release = require('../release.js');
+var utils = require("../utils.js");
+
+var fetchPage = function (path) {
+  var result = httpHelpers.request("http://localhost:3000" + (path || ""));
+  if (result.response.statusCode !== 200) {
+    throw new Error("Response status code: ", result.response.statusCode);
+  }
+  return result;
+};
+
+var runApp = function (s) {
+  var run = s.run();
+  run.waitSecs(5);
+  run.match("Started your app");
+  return run;
+};
+
+var scriptTagSafetyBelt =
+      '<script type="text/javascript" src="/meteor_reload_safetybelt.js">';
+var checkResponse = function (body, reloadSafetyBelt, options) {
+  if (! body) {
+    throw new Error("Missing response body");
+  }
+
+  if (options.inlineSafetyBelt) {
+    if (body.indexOf(reloadSafetyBelt) === -1) {
+      throw new Error("Missing reload safety belt inline");
+    }
+  } else {
+    if (body.indexOf(reloadSafetyBelt) !== -1) {
+      throw new Error("Reload safety belt inline when it shouldn't be present");
+    }
+  }
+
+  if (options.scriptTagSafetyBelt) {
+    if (body.indexOf(scriptTagSafetyBelt) === -1) {
+      throw new Error("Missing reload safety belt script tag");
+    }
+  } else {
+    if (body.indexOf(scriptTagSafetyBelt) !== -1) {
+      throw new Error(
+        "Reload safety belt in script tag when it shouldn't be present");
+    }
+  }
+};
+
+selftest.define("galaxy reload safety belt", function () {
+  var s = new Sandbox();
+  var run;
+
+  s.createApp("myapp", "standard-app");
+  s.cd("myapp");
+  run = runApp(s);
+
+  var result = fetchPage();
+
+  var Package = unipackage.load({
+    library: release.current.library,
+    packages: [ 'meteor', 'galaxy-reload-safetybelt' ],
+    release: release.current.name
+  });
+
+  var reloadSafetyBelt = Package["galaxy-reload-safetybelt"].ReloadSafetyBelt;
+
+  // Reload safety belt should not be present in response when the
+  // package hasn't been added to the app.
+  checkResponse(result.body, reloadSafetyBelt, {
+    inlineSafetyBelt: false,
+    scriptTagSafetyBelt: false
+  });
+
+  run.stop();
+
+  run = s.run("add", "galaxy-reload-safetybelt");
+  run.waitSecs(5);
+  run.expectExit(0);
+
+  run = runApp(s);
+  result = fetchPage();
+
+  // Reload safety belt should be present in response when the package
+  // has been added to the app.
+  checkResponse(result.body, reloadSafetyBelt, {
+    inlineSafetyBelt: true,
+    scriptTagSafetyBelt: false
+  });
+
+  run.stop();
+
+  // Disable inline scripts; reload safety belt should be loaded from a
+  // script tag.
+  run = s.run("add", "browser-policy-content");
+  run.waitSecs(5);
+  run.expectExit(0);
+
+  s.write(
+    "inline.js",
+    "if (Meteor.isServer) BrowserPolicy.content.disallowInlineScripts();"
+  );
+
+  run = runApp(s);
+  result = fetchPage();
+
+  // When inline scripts are disallowed, the reload safety belt should
+  // NOT be present in the response, but it should be loaded from a
+  // script tag.
+  checkResponse(result.body, reloadSafetyBelt, {
+    inlineSafetyBelt: false,
+    scriptTagSafetyBelt: true
+  });
+
+  result = fetchPage("/meteor_reload_safetybelt.js");
+  checkResponse(result.body, reloadSafetyBelt, {
+    inlineSafetyBelt: true,
+    scriptTagSafetyBelt: false
+  });
+
+  run.stop();
+
+  // Remove the package; reload safety belt should go away.
+  run = s.run("remove", "galaxy-reload-safetybelt");
+  run.waitSecs(5);
+  run.expectExit(0);
+
+  run = runApp(s);
+  result = fetchPage();
+  checkResponse(result.body, reloadSafetyBelt, {
+    inlineSafetyBelt: false,
+    scriptTagSafetyBelt: false
+  });
+
+  run.stop();
+});
diff --git a/tools/tests/list-sites.js b/tools/tests/list-sites.js
index 48025566fc..c25fb200c5 100644
--- a/tools/tests/list-sites.js
+++ b/tools/tests/list-sites.js
@@ -3,7 +3,6 @@ var selftest = require('../selftest.js');
 var testUtils = require('../test-utils.js');
 var files = require('../files.js');
 var Sandbox = selftest.Sandbox;
-var httpHelpers = require('../http-helpers.js');
 
 var commandTimeoutSecs = testUtils.accountsCommandTimeoutSecs;
 

From 1c90d0410c55dfc9e83aa1cba3b6ebc23c377b9e Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Mon, 23 Jun 2014 16:48:48 -0700
Subject: [PATCH 08/19] galaxy-reload-safetybelt -> reload-safetybelt

---
 docs/.meteor/packages                                  |  2 +-
 .../.gitignore                                         |  0
 .../package.js                                         |  2 +-
 .../reload-safety-belt.js                              |  0
 packages/webapp/webapp_server.js                       | 10 +++++-----
 ...alaxy-reload-safetybelt.js => reload-safetybelt.js} | 10 +++++-----
 6 files changed, 12 insertions(+), 12 deletions(-)
 rename packages/{galaxy-reload-safetybelt => reload-safetybelt}/.gitignore (100%)
 rename packages/{galaxy-reload-safetybelt => reload-safetybelt}/package.js (73%)
 rename packages/{galaxy-reload-safetybelt => reload-safetybelt}/reload-safety-belt.js (100%)
 rename tools/tests/{galaxy-reload-safetybelt.js => reload-safetybelt.js} (91%)

diff --git a/docs/.meteor/packages b/docs/.meteor/packages
index e72e891e45..3273520f32 100644
--- a/docs/.meteor/packages
+++ b/docs/.meteor/packages
@@ -12,4 +12,4 @@ jquery-waypoints
 less
 spiderable
 appcache
-galaxy-reload-safetybelt
+reload-safetybelt
diff --git a/packages/galaxy-reload-safetybelt/.gitignore b/packages/reload-safetybelt/.gitignore
similarity index 100%
rename from packages/galaxy-reload-safetybelt/.gitignore
rename to packages/reload-safetybelt/.gitignore
diff --git a/packages/galaxy-reload-safetybelt/package.js b/packages/reload-safetybelt/package.js
similarity index 73%
rename from packages/galaxy-reload-safetybelt/package.js
rename to packages/reload-safetybelt/package.js
index d1d78a07b0..87d67a16bd 100644
--- a/packages/galaxy-reload-safetybelt/package.js
+++ b/packages/reload-safetybelt/package.js
@@ -1,5 +1,5 @@
 Package.describe({
-  summary: "Reload safety belt for galaxy apps",
+  summary: "Reload safety belt for multi-server deployments",
   internal: true
 });
 
diff --git a/packages/galaxy-reload-safetybelt/reload-safety-belt.js b/packages/reload-safetybelt/reload-safety-belt.js
similarity index 100%
rename from packages/galaxy-reload-safetybelt/reload-safety-belt.js
rename to packages/reload-safetybelt/reload-safety-belt.js
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index aec8e62c82..2b60479441 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -333,10 +333,10 @@ var runWebAppServer = function () {
                     JSON.stringify(__meteor_runtime_config__) + ";");
       return;
     } else if (pathname === "/meteor_reload_safetybelt.js" &&
-               Package["galaxy-reload-safetybelt"] &&
-               Package["galaxy-reload-safetybelt"].ReloadSafetyBelt &&
+               Package["reload-safetybelt"] &&
+               Package["reload-safetybelt"].ReloadSafetyBelt &&
                ! WebAppInternals.inlineScriptsAllowed()) {
-      serveStaticJs(Package["galaxy-reload-safetybelt"].ReloadSafetyBelt);
+      serveStaticJs(Package["reload-safetybelt"].ReloadSafetyBelt);
       return;
     }
 
@@ -599,8 +599,8 @@ var runWebAppServer = function () {
       body: '',
       inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed(),
       meteorRuntimeConfig: JSON.stringify(__meteor_runtime_config__),
-      reloadSafetyBelt: Package["galaxy-reload-safetybelt"] &&
-        Package["galaxy-reload-safetybelt"].ReloadSafetyBelt,
+      reloadSafetyBelt: Package["reload-safetybelt"] &&
+        Package["reload-safetybelt"].ReloadSafetyBelt,
       rootUrlPathPrefix: __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || '',
       bundledJsCssPrefix: bundledJsCssPrefix ||
         __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || ''
diff --git a/tools/tests/galaxy-reload-safetybelt.js b/tools/tests/reload-safetybelt.js
similarity index 91%
rename from tools/tests/galaxy-reload-safetybelt.js
rename to tools/tests/reload-safetybelt.js
index f3f5cf7644..ffad29e90c 100644
--- a/tools/tests/galaxy-reload-safetybelt.js
+++ b/tools/tests/reload-safetybelt.js
@@ -49,7 +49,7 @@ var checkResponse = function (body, reloadSafetyBelt, options) {
   }
 };
 
-selftest.define("galaxy reload safety belt", function () {
+selftest.define("reload safety belt", function () {
   var s = new Sandbox();
   var run;
 
@@ -61,11 +61,11 @@ selftest.define("galaxy reload safety belt", function () {
 
   var Package = unipackage.load({
     library: release.current.library,
-    packages: [ 'meteor', 'galaxy-reload-safetybelt' ],
+    packages: [ 'meteor', 'reload-safetybelt' ],
     release: release.current.name
   });
 
-  var reloadSafetyBelt = Package["galaxy-reload-safetybelt"].ReloadSafetyBelt;
+  var reloadSafetyBelt = Package["reload-safetybelt"].ReloadSafetyBelt;
 
   // Reload safety belt should not be present in response when the
   // package hasn't been added to the app.
@@ -76,7 +76,7 @@ selftest.define("galaxy reload safety belt", function () {
 
   run.stop();
 
-  run = s.run("add", "galaxy-reload-safetybelt");
+  run = s.run("add", "reload-safetybelt");
   run.waitSecs(5);
   run.expectExit(0);
 
@@ -123,7 +123,7 @@ selftest.define("galaxy reload safety belt", function () {
   run.stop();
 
   // Remove the package; reload safety belt should go away.
-  run = s.run("remove", "galaxy-reload-safetybelt");
+  run = s.run("remove", "reload-safetybelt");
   run.waitSecs(5);
   run.expectExit(0);
 

From 68b4c1862725d7f85d5fcd48b6de26f86893cad3 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Mon, 23 Jun 2014 18:44:29 -0700
Subject: [PATCH 09/19] Make more generic `additionalStaticJs` interface in
 webapp.

Now webapp doesn't need to know anything about the reload safetybelt; it
just exposes a generic interface that any package can use to include
additional static JS (inlined when possible) in the boilerplate
HTML. reload-safetybelt uses this interface, instead of webapp
weak-depending on reload-safetybelt.
---
 packages/reload-safetybelt/package.js         |  9 ++-
 .../reload-safety-belt-tests.js               | 12 ++++
 .../reload-safetybelt/reload-safety-belt.js   |  8 +--
 packages/reload-safetybelt/safetybelt.js      |  6 ++
 packages/webapp/boilerplate.html              | 12 ++--
 packages/webapp/webapp_server.js              | 57 +++++++++++++------
 packages/webapp/webapp_tests.js               | 32 +++++++++++
 7 files changed, 106 insertions(+), 30 deletions(-)
 create mode 100644 packages/reload-safetybelt/reload-safety-belt-tests.js
 create mode 100644 packages/reload-safetybelt/safetybelt.js

diff --git a/packages/reload-safetybelt/package.js b/packages/reload-safetybelt/package.js
index 87d67a16bd..d551a93de3 100644
--- a/packages/reload-safetybelt/package.js
+++ b/packages/reload-safetybelt/package.js
@@ -4,6 +4,13 @@ Package.describe({
 });
 
 Package.on_use(function (api) {
+  api.use("webapp", "server");
   api.add_files("reload-safety-belt.js", "server");
-  api.export("ReloadSafetyBelt", "server");
+  api.add_files("safetybelt.js", "server", { isAsset: true });
+});
+
+Package.on_test(function (api) {
+  api.add_files("safetybelt.js", "server", { isAsset: true });
+  api.use(["reload-safetybelt", "tinytest", "http", "webapp"]);
+  api.add_files("reload-safety-belt-tests.js", "server");
 });
diff --git a/packages/reload-safetybelt/reload-safety-belt-tests.js b/packages/reload-safetybelt/reload-safety-belt-tests.js
new file mode 100644
index 0000000000..e9bda3dae0
--- /dev/null
+++ b/packages/reload-safetybelt/reload-safety-belt-tests.js
@@ -0,0 +1,12 @@
+var script = Assets.getText("safetybelt.js");
+
+Tinytest.add("reload-safetybelt - safety belt is added", function (test) {
+  var origInlineScriptsAllowed = WebAppInternals.inlineScriptsAllowed();
+
+  WebAppInternals.setInlineScriptsAllowed(true);
+  var resp = HTTP.get(Meteor.absoluteUrl());
+  // Safety belt should be inlined.
+  test.isTrue(resp.content.indexOf(script) !== -1);
+
+  WebAppInternals.setInlineScriptsAllowed(origInlineScriptsAllowed);
+});
diff --git a/packages/reload-safetybelt/reload-safety-belt.js b/packages/reload-safetybelt/reload-safety-belt.js
index e16d3402ed..4c255ab3a7 100644
--- a/packages/reload-safetybelt/reload-safety-belt.js
+++ b/packages/reload-safetybelt/reload-safety-belt.js
@@ -3,10 +3,4 @@
 // chance of hitting an old server for the HTML and the new server for the JS or
 // CSS.  This prevents you from displaying the page in that case, and instead
 // reloads it, presumably all on the new version now.
-
-ReloadSafetyBelt = "\n" +
-      "if (typeof Package === 'undefined' ||\n" +
-      "    ! Package.webapp ||\n" +
-      "    ! Package.webapp.WebApp ||\n" +
-      "    ! Package.webapp.WebApp._isCssLoaded())\n" +
-      "  document.location.reload(); \n";
+WebAppInternals.addStaticJs(Assets.getText("safetybelt.js"));
diff --git a/packages/reload-safetybelt/safetybelt.js b/packages/reload-safetybelt/safetybelt.js
new file mode 100644
index 0000000000..32e0a9953b
--- /dev/null
+++ b/packages/reload-safetybelt/safetybelt.js
@@ -0,0 +1,6 @@
+if (typeof Package === 'undefined' ||
+    ! Package.webapp ||
+    ! Package.webapp.WebApp ||
+    ! Package.webapp.WebApp._isCssLoaded()) {
+  document.location.reload();
+}
diff --git a/packages/webapp/boilerplate.html b/packages/webapp/boilerplate.html
index baf56a3343..d3a012b206 100644
--- a/packages/webapp/boilerplate.html
+++ b/packages/webapp/boilerplate.html
@@ -9,15 +9,17 @@
 {{/if}}
 {{#each js}}  <script type="text/javascript" src="{{../bundledJsCssPrefix}}{{url}}"></script>
 {{/each}}
-{{#if reloadSafetyBelt}}
-  {{#if inlineScriptsAllowed}}
+{{#each additionalStaticJs}}
+  {{#if ../inlineScriptsAllowed}}
     <script type='text/javascript'>
-      {{{reloadSafetyBelt}}}
+      {{contents}}
     </script>
   {{else}}
-    <script type='text/javascript' src='{{rootUrlPathPrefix}}/meteor_reload_safetybelt.js'></script>
+    <script type='text/javascript'
+            src='{{rootUrlPathPrefix}}{{pathname}}'></script>
   {{/if}}
-{{/if}}
+{{/each}}
+
 {{{head}}}
 </head>
 <body>
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index 2b60479441..00afdc795a 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -332,11 +332,9 @@ var runWebAppServer = function () {
       serveStaticJs("__meteor_runtime_config__ = " +
                     JSON.stringify(__meteor_runtime_config__) + ";");
       return;
-    } else if (pathname === "/meteor_reload_safetybelt.js" &&
-               Package["reload-safetybelt"] &&
-               Package["reload-safetybelt"].ReloadSafetyBelt &&
+    } else if (_.has(additionalStaticJs, pathname) &&
                ! WebAppInternals.inlineScriptsAllowed()) {
-      serveStaticJs(Package["reload-safetybelt"].ReloadSafetyBelt);
+      serveStaticJs(additionalStaticJs[pathname]);
       return;
     }
 
@@ -440,7 +438,7 @@ var runWebAppServer = function () {
   // Will be updated by main before we listen.
   var boilerplateTemplate = null;
   var boilerplateBaseData = null;
-  var boilerplateByAttributes = {};
+  var memoizedBoilerplate = {};
   app.use(function (req, res, next) {
     if (! appUrl(req.url))
       return next();
@@ -472,19 +470,26 @@ var runWebAppServer = function () {
 
     var htmlAttributes = getHtmlAttributes(request);
 
-    // The only thing that changes from request to request (for now) are the
-    // HTML attributes (used by, eg, appcache), so we can memoize based on that.
-    var attributeKey = JSON.stringify(htmlAttributes);
-    if (!_.has(boilerplateByAttributes, attributeKey)) {
+    // The only thing that changes from request to request (for now) are
+    // the HTML attributes (used by, eg, appcache) and whether inline
+    // scripts are allowed, so we can memoize based on that.
+    var boilerplateKey = JSON.stringify({
+      inlineScriptsAllowed: inlineScriptsAllowed,
+      htmlAttributes: htmlAttributes
+    });
+
+    if (! _.has(memoizedBoilerplate, boilerplateKey)) {
       try {
-        var boilerplateData = _.extend({htmlAttributes: htmlAttributes},
-                                       boilerplateBaseData);
+        var boilerplateData = _.extend({
+          htmlAttributes: htmlAttributes,
+          inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed()
+        }, boilerplateBaseData);
         var boilerplateInstance = boilerplateTemplate.extend({
           data: boilerplateData
         });
         var boilerplateHtmlJs = boilerplateInstance.render();
-        boilerplateByAttributes[attributeKey] = "<!DOCTYPE html>\n" +
-              HTML.toHTML(boilerplateHtmlJs, boilerplateInstance);
+        memoizedBoilerplate[boilerplateKey] = "<!DOCTYPE html>\n" +
+          HTML.toHTML(boilerplateHtmlJs, boilerplateInstance);
       } catch (e) {
         Log.error("Error running template: " + e);
         res.writeHead(500, headers);
@@ -494,7 +499,7 @@ var runWebAppServer = function () {
     }
 
     res.writeHead(200, headers);
-    res.write(boilerplateByAttributes[attributeKey]);
+    res.write(memoizedBoilerplate[boilerplateKey]);
     res.end();
     return undefined;
   });
@@ -593,14 +598,23 @@ var runWebAppServer = function () {
     var expectKeepalives = _.contains(argv, '--keepalive');
 
     boilerplateBaseData = {
+      // 'htmlAttributes' and 'inlineScriptsAllowed' are set at render
+      // time, because they are allowed to change from request to
+      // request.
       css: [],
       js: [],
       head: '',
       body: '',
-      inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed(),
+      additionalStaticJs: _.map(
+        additionalStaticJs,
+        function (contents, pathname) {
+          return {
+            pathname: pathname,
+            contents: contents
+          };
+        }
+      ),
       meteorRuntimeConfig: JSON.stringify(__meteor_runtime_config__),
-      reloadSafetyBelt: Package["reload-safetybelt"] &&
-        Package["reload-safetybelt"].ReloadSafetyBelt,
       rootUrlPathPrefix: __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || '',
       bundledJsCssPrefix: bundledJsCssPrefix ||
         __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || ''
@@ -1002,3 +1016,12 @@ WebAppInternals.setInlineScriptsAllowed = function (value) {
 WebAppInternals.setBundledJsCssPrefix = function (prefix) {
   bundledJsCssPrefix = prefix;
 };
+
+// Packages can call `WebAppInternals.addStaticJs` to specify static
+// JavaScript to be included in the app. This static JS will be inlined,
+// unless inline scripts have been disabled, in which case it will be
+// served under `/<sha1 of contents>`.
+var additionalStaticJs = {};
+WebAppInternals.addStaticJs = function (contents) {
+  additionalStaticJs["/" + sha1(contents) + ".js"] = contents;
+};
diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js
index 1f555c362c..9b837eb2df 100644
--- a/packages/webapp/webapp_tests.js
+++ b/packages/webapp/webapp_tests.js
@@ -1,4 +1,11 @@
 var url = Npm.require("url");
+var crypto = Npm.require("crypto");
+
+var additionalScript = "(function () { var foo = 1; })";
+WebAppInternals.addStaticJs(additionalScript);
+var hash = crypto.createHash('sha1');
+hash.update(additionalScript);
+var additionalScriptPathname = hash.digest('hex') + ".js";
 
 Tinytest.add("webapp - content-type header", function (test) {
   var cssResource = _.find(
@@ -21,3 +28,28 @@ Tinytest.add("webapp - content-type header", function (test) {
   test.equal(resp.headers["content-type"].toLowerCase(),
              "application/javascript; charset=utf-8");
 });
+
+Tinytest.add("webapp - additional static javascript", function (test) {
+  var origInlineScriptsAllowed = WebAppInternals.inlineScriptsAllowed();
+
+  WebAppInternals.setInlineScriptsAllowed(true);
+  var resp = HTTP.get(Meteor.absoluteUrl());
+  // When inline scripts are allowed, the script should be inlined.
+  test.isTrue(resp.content.indexOf(additionalScript) !== -1);
+  // And the script should not be served as its own separate resource
+  // (so it will serve the app).
+  resp = HTTP.get(Meteor.absoluteUrl() + "/" + additionalScriptPathname);
+  test.isTrue(resp.content.indexOf("__meteor_runtime_config__") !== -1);
+
+  WebAppInternals.setInlineScriptsAllowed(false);
+  resp = HTTP.get(Meteor.absoluteUrl());
+  // When inline scripts are disallowed, the script body should not be
+  // inlined, and the script should be included in a <script src="..">
+  // tag.
+  test.isTrue(resp.content.indexOf(additionalScript) === -1);
+  test.isTrue(resp.content.indexOf(additionalScriptPathname) !== -1);
+  resp = HTTP.get(Meteor.absoluteUrl() + additionalScriptPathname);
+  test.isTrue(resp.content.indexOf(additionalScript) !== -1);
+
+  WebAppInternals.setInlineScriptsAllowed(origInlineScriptsAllowed);
+});

From 130d1a61fb6667f7bee340358e3c2263ab060592 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Mon, 23 Jun 2014 18:47:01 -0700
Subject: [PATCH 10/19] Remove reload safetybelt selftest.

It's been replaced by package tests (webapp, reload-safetybelt).
---
 tools/tests/reload-safetybelt.js | 138 -------------------------------
 1 file changed, 138 deletions(-)
 delete mode 100644 tools/tests/reload-safetybelt.js

diff --git a/tools/tests/reload-safetybelt.js b/tools/tests/reload-safetybelt.js
deleted file mode 100644
index ffad29e90c..0000000000
--- a/tools/tests/reload-safetybelt.js
+++ /dev/null
@@ -1,138 +0,0 @@
-var httpHelpers = require('../http-helpers.js');
-var selftest = require('../selftest.js');
-var Sandbox = selftest.Sandbox;
-var unipackage = require('../unipackage.js');
-var release = require('../release.js');
-var utils = require("../utils.js");
-
-var fetchPage = function (path) {
-  var result = httpHelpers.request("http://localhost:3000" + (path || ""));
-  if (result.response.statusCode !== 200) {
-    throw new Error("Response status code: ", result.response.statusCode);
-  }
-  return result;
-};
-
-var runApp = function (s) {
-  var run = s.run();
-  run.waitSecs(5);
-  run.match("Started your app");
-  return run;
-};
-
-var scriptTagSafetyBelt =
-      '<script type="text/javascript" src="/meteor_reload_safetybelt.js">';
-var checkResponse = function (body, reloadSafetyBelt, options) {
-  if (! body) {
-    throw new Error("Missing response body");
-  }
-
-  if (options.inlineSafetyBelt) {
-    if (body.indexOf(reloadSafetyBelt) === -1) {
-      throw new Error("Missing reload safety belt inline");
-    }
-  } else {
-    if (body.indexOf(reloadSafetyBelt) !== -1) {
-      throw new Error("Reload safety belt inline when it shouldn't be present");
-    }
-  }
-
-  if (options.scriptTagSafetyBelt) {
-    if (body.indexOf(scriptTagSafetyBelt) === -1) {
-      throw new Error("Missing reload safety belt script tag");
-    }
-  } else {
-    if (body.indexOf(scriptTagSafetyBelt) !== -1) {
-      throw new Error(
-        "Reload safety belt in script tag when it shouldn't be present");
-    }
-  }
-};
-
-selftest.define("reload safety belt", function () {
-  var s = new Sandbox();
-  var run;
-
-  s.createApp("myapp", "standard-app");
-  s.cd("myapp");
-  run = runApp(s);
-
-  var result = fetchPage();
-
-  var Package = unipackage.load({
-    library: release.current.library,
-    packages: [ 'meteor', 'reload-safetybelt' ],
-    release: release.current.name
-  });
-
-  var reloadSafetyBelt = Package["reload-safetybelt"].ReloadSafetyBelt;
-
-  // Reload safety belt should not be present in response when the
-  // package hasn't been added to the app.
-  checkResponse(result.body, reloadSafetyBelt, {
-    inlineSafetyBelt: false,
-    scriptTagSafetyBelt: false
-  });
-
-  run.stop();
-
-  run = s.run("add", "reload-safetybelt");
-  run.waitSecs(5);
-  run.expectExit(0);
-
-  run = runApp(s);
-  result = fetchPage();
-
-  // Reload safety belt should be present in response when the package
-  // has been added to the app.
-  checkResponse(result.body, reloadSafetyBelt, {
-    inlineSafetyBelt: true,
-    scriptTagSafetyBelt: false
-  });
-
-  run.stop();
-
-  // Disable inline scripts; reload safety belt should be loaded from a
-  // script tag.
-  run = s.run("add", "browser-policy-content");
-  run.waitSecs(5);
-  run.expectExit(0);
-
-  s.write(
-    "inline.js",
-    "if (Meteor.isServer) BrowserPolicy.content.disallowInlineScripts();"
-  );
-
-  run = runApp(s);
-  result = fetchPage();
-
-  // When inline scripts are disallowed, the reload safety belt should
-  // NOT be present in the response, but it should be loaded from a
-  // script tag.
-  checkResponse(result.body, reloadSafetyBelt, {
-    inlineSafetyBelt: false,
-    scriptTagSafetyBelt: true
-  });
-
-  result = fetchPage("/meteor_reload_safetybelt.js");
-  checkResponse(result.body, reloadSafetyBelt, {
-    inlineSafetyBelt: true,
-    scriptTagSafetyBelt: false
-  });
-
-  run.stop();
-
-  // Remove the package; reload safety belt should go away.
-  run = s.run("remove", "reload-safetybelt");
-  run.waitSecs(5);
-  run.expectExit(0);
-
-  run = runApp(s);
-  result = fetchPage();
-  checkResponse(result.body, reloadSafetyBelt, {
-    inlineSafetyBelt: false,
-    scriptTagSafetyBelt: false
-  });
-
-  run.stop();
-});

From afff81ffc5620ad71f3b15339d7b1be353516548 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Wed, 25 Jun 2014 14:19:39 -0700
Subject: [PATCH 11/19] New approach for reload safety belt testing.

Mutating global state in tests is still not a good idea. (Specifically,
in the previous version of the test, changing the value of
`WebAppInternals.inlineScriptsAllowed()` could mess with other
client-side tests that depend on it being one way or another -- of which
there are currently probably none, but there could be in theory.)

Instead, export the exact things we want to test (boilerplate HTML
generation and the static file handler). Now we are still mutating the
global `inlineScriptsAllowed()` state, but we don't yield before setting
it back to what it was.

Also simplify the reload-safetybelt test: instead of sending an HTTP
request, just check that the script gets adding to
`WebAppInternals.additionalStaticJs`.
---
 .../reload-safety-belt-tests.js               |  14 +-
 packages/webapp/webapp_server.js              | 315 ++++++++++--------
 packages/webapp/webapp_tests.js               |  97 +++++-
 3 files changed, 261 insertions(+), 165 deletions(-)

diff --git a/packages/reload-safetybelt/reload-safety-belt-tests.js b/packages/reload-safetybelt/reload-safety-belt-tests.js
index e9bda3dae0..117a0110a5 100644
--- a/packages/reload-safetybelt/reload-safety-belt-tests.js
+++ b/packages/reload-safetybelt/reload-safety-belt-tests.js
@@ -1,12 +1,10 @@
 var script = Assets.getText("safetybelt.js");
 
 Tinytest.add("reload-safetybelt - safety belt is added", function (test) {
-  var origInlineScriptsAllowed = WebAppInternals.inlineScriptsAllowed();
-
-  WebAppInternals.setInlineScriptsAllowed(true);
-  var resp = HTTP.get(Meteor.absoluteUrl());
-  // Safety belt should be inlined.
-  test.isTrue(resp.content.indexOf(script) !== -1);
-
-  WebAppInternals.setInlineScriptsAllowed(origInlineScriptsAllowed);
+  test.isTrue(_.some(
+    WebAppInternals.additionalStaticJs,
+    function (js, pathname) {
+      return js === script;
+    }
+  ));
 });
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index 00afdc795a..0152f6d33d 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -223,6 +223,161 @@ WebApp._timeoutAdjustmentRequestCallback = function (req, res) {
   _.each(finishListeners, function (l) { res.on('finish', l); });
 };
 
+// Will be updated by main before we listen.
+var boilerplateTemplate = null;
+var boilerplateBaseData = null;
+var memoizedBoilerplate = {};
+
+// Given a request (as returned from `categorizeRequest`), return the
+// boilerplate HTML to serve for that request. Memoizes on HTML
+// attributes (used by, eg, appcache) and whether inline scripts are
+// currently allowed.
+var getBoilerplate = function (request) {
+  var htmlAttributes = getHtmlAttributes(request);
+
+  // The only thing that changes from request to request (for now) are
+  // the HTML attributes (used by, eg, appcache) and whether inline
+  // scripts are allowed, so we can memoize based on that.
+  var boilerplateKey = JSON.stringify({
+    inlineScriptsAllowed: inlineScriptsAllowed,
+    htmlAttributes: htmlAttributes
+  });
+
+  if (! _.has(memoizedBoilerplate, boilerplateKey)) {
+    var boilerplateData = _.extend({
+      htmlAttributes: htmlAttributes,
+      inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed()
+    }, boilerplateBaseData);
+    var boilerplateInstance = boilerplateTemplate.extend({
+      data: boilerplateData
+    });
+    var boilerplateHtmlJs = boilerplateInstance.render();
+    memoizedBoilerplate[boilerplateKey] = "<!DOCTYPE html>\n" +
+      HTML.toHTML(boilerplateHtmlJs, boilerplateInstance);
+  }
+  return memoizedBoilerplate[boilerplateKey];
+};
+
+// Serve static files from the manifest or added with
+// `addStaticJs`. Exported for tests.
+// Options are:
+//   - staticFiles: object mapping pathname of file in manifest -> {
+//     path, cacheable, sourceMapUrl, type }
+//   - clientDir: root directory for static files from client manifest
+WebAppInternals.serveStaticFiles = function (options, req, res, next) {
+  if ('GET' != req.method && 'HEAD' != req.method) {
+    next();
+    return;
+  }
+  var pathname = connect.utils.parseUrl(req).pathname;
+  var staticFiles = options.staticFiles;
+  var clientDir = options.clientDir;
+
+  try {
+    pathname = decodeURIComponent(pathname);
+  } catch (e) {
+    next();
+    return;
+  }
+
+  var serveStaticJs = function (s) {
+    res.writeHead(200, {
+      'Content-type': 'application/javascript; charset=UTF-8'
+    });
+    res.write(s);
+    res.end();
+  };
+
+  if (pathname === "/meteor_runtime_config.js" &&
+      ! WebAppInternals.inlineScriptsAllowed()) {
+    serveStaticJs("__meteor_runtime_config__ = " +
+                  JSON.stringify(__meteor_runtime_config__) + ";");
+    return;
+  } else if (_.has(additionalStaticJs, pathname) &&
+             ! WebAppInternals.inlineScriptsAllowed()) {
+    serveStaticJs(additionalStaticJs[pathname]);
+    return;
+  }
+
+  if (!_.has(staticFiles, pathname)) {
+    next();
+    return;
+  }
+
+  // We don't need to call pause because, unlike 'static', once we call into
+  // 'send' and yield to the event loop, we never call another handler with
+  // 'next'.
+
+  var info = staticFiles[pathname];
+
+  // Cacheable files are files that should never change. Typically
+  // named by their hash (eg meteor bundled js and css files).
+  // We cache them ~forever (1yr).
+  //
+  // We cache non-cacheable files anyway. This isn't really correct, as users
+  // can change the files and changes won't propagate immediately. However, if
+  // we don't cache them, browsers will 'flicker' when rerendering
+  // images. Eventually we will probably want to rewrite URLs of static assets
+  // to include a query parameter to bust caches. That way we can both get
+  // good caching behavior and allow users to change assets without delay.
+  // https://github.com/meteor/meteor/issues/773
+  var maxAge = info.cacheable
+        ? 1000 * 60 * 60 * 24 * 365
+        : 1000 * 60 * 60 * 24;
+
+  // Set the X-SourceMap header, which current Chrome understands.
+  // (The files also contain '//#' comments which FF 24 understands and
+  // Chrome doesn't understand yet.)
+  //
+  // Eventually we should set the SourceMap header but the current version of
+  // Chrome and no version of FF supports it.
+  //
+  // To figure out if your version of Chrome should support the SourceMap
+  // header,
+  //   - go to chrome://version. Let's say the Chrome version is
+  //      28.0.1500.71 and the Blink version is 537.36 (@153022)
+  //   - go to http://src.chromium.org/viewvc/blink/branches/chromium/1500/Source/core/inspector/InspectorPageAgent.cpp?view=log
+  //     where the "1500" is the third part of your Chrome version
+  //   - find the first revision that is no greater than the "153022"
+  //     number.  That's probably the first one and it probably has
+  //     a message of the form "Branch 1500 - blink@r149738"
+  //   - If *that* revision number (149738) is at least 151755,
+  //     then Chrome should support SourceMap (not just X-SourceMap)
+  // (The change is https://codereview.chromium.org/15832007)
+  //
+  // You also need to enable source maps in Chrome: open dev tools, click
+  // the gear in the bottom right corner, and select "enable source maps".
+  //
+  // Firefox 23+ supports source maps but doesn't support either header yet,
+  // so we include the '//#' comment for it:
+  //   https://bugzilla.mozilla.org/show_bug.cgi?id=765993
+  // In FF 23 you need to turn on `devtools.debugger.source-maps-enabled`
+  // in `about:config` (it is on by default in FF 24).
+  if (info.sourceMapUrl)
+    res.setHeader('X-SourceMap', info.sourceMapUrl);
+
+  if (info.type === "js") {
+    res.setHeader("Content-Type", "application/javascript; charset=UTF-8");
+  } else if (info.type === "css") {
+    res.setHeader("Content-Type", "text/css; charset=UTF-8");
+  }
+
+  send(req, path.join(clientDir, info.path))
+    .maxage(maxAge)
+    .hidden(true)  // if we specified a dotfile in the manifest, serve it
+    .on('error', function (err) {
+      Log.error("Error serving static file " + err);
+      res.writeHead(500);
+      res.end();
+    })
+    .on('directory', function () {
+      Log.error("Unexpected directory " + info.path);
+      res.writeHead(500);
+      res.end();
+    })
+    .pipe(res);
+};
+
 var runWebAppServer = function () {
   var shuttingDown = false;
   // read the control for the client we'll be serving up
@@ -306,115 +461,10 @@ var runWebAppServer = function () {
   // Serve static files from the manifest.
   // This is inspired by the 'static' middleware.
   app.use(function (req, res, next) {
-    if ('GET' != req.method && 'HEAD' != req.method) {
-      next();
-      return;
-    }
-    var pathname = connect.utils.parseUrl(req).pathname;
-
-    try {
-      pathname = decodeURIComponent(pathname);
-    } catch (e) {
-      next();
-      return;
-    }
-
-    var serveStaticJs = function (s) {
-      res.writeHead(200, {
-        'Content-type': 'application/javascript; charset=UTF-8'
-      });
-      res.write(s);
-      res.end();
-    };
-
-    if (pathname === "/meteor_runtime_config.js" &&
-        ! WebAppInternals.inlineScriptsAllowed()) {
-      serveStaticJs("__meteor_runtime_config__ = " +
-                    JSON.stringify(__meteor_runtime_config__) + ";");
-      return;
-    } else if (_.has(additionalStaticJs, pathname) &&
-               ! WebAppInternals.inlineScriptsAllowed()) {
-      serveStaticJs(additionalStaticJs[pathname]);
-      return;
-    }
-
-    if (!_.has(staticFiles, pathname)) {
-      next();
-      return;
-    }
-
-    // We don't need to call pause because, unlike 'static', once we call into
-    // 'send' and yield to the event loop, we never call another handler with
-    // 'next'.
-
-    var info = staticFiles[pathname];
-
-    // Cacheable files are files that should never change. Typically
-    // named by their hash (eg meteor bundled js and css files).
-    // We cache them ~forever (1yr).
-    //
-    // We cache non-cacheable files anyway. This isn't really correct, as users
-    // can change the files and changes won't propagate immediately. However, if
-    // we don't cache them, browsers will 'flicker' when rerendering
-    // images. Eventually we will probably want to rewrite URLs of static assets
-    // to include a query parameter to bust caches. That way we can both get
-    // good caching behavior and allow users to change assets without delay.
-    // https://github.com/meteor/meteor/issues/773
-    var maxAge = info.cacheable
-          ? 1000 * 60 * 60 * 24 * 365
-          : 1000 * 60 * 60 * 24;
-
-    // Set the X-SourceMap header, which current Chrome understands.
-    // (The files also contain '//#' comments which FF 24 understands and
-    // Chrome doesn't understand yet.)
-    //
-    // Eventually we should set the SourceMap header but the current version of
-    // Chrome and no version of FF supports it.
-    //
-    // To figure out if your version of Chrome should support the SourceMap
-    // header,
-    //   - go to chrome://version. Let's say the Chrome version is
-    //      28.0.1500.71 and the Blink version is 537.36 (@153022)
-    //   - go to http://src.chromium.org/viewvc/blink/branches/chromium/1500/Source/core/inspector/InspectorPageAgent.cpp?view=log
-    //     where the "1500" is the third part of your Chrome version
-    //   - find the first revision that is no greater than the "153022"
-    //     number.  That's probably the first one and it probably has
-    //     a message of the form "Branch 1500 - blink@r149738"
-    //   - If *that* revision number (149738) is at least 151755,
-    //     then Chrome should support SourceMap (not just X-SourceMap)
-    // (The change is https://codereview.chromium.org/15832007)
-    //
-    // You also need to enable source maps in Chrome: open dev tools, click
-    // the gear in the bottom right corner, and select "enable source maps".
-    //
-    // Firefox 23+ supports source maps but doesn't support either header yet,
-    // so we include the '//#' comment for it:
-    //   https://bugzilla.mozilla.org/show_bug.cgi?id=765993
-    // In FF 23 you need to turn on `devtools.debugger.source-maps-enabled`
-    // in `about:config` (it is on by default in FF 24).
-    if (info.sourceMapUrl)
-      res.setHeader('X-SourceMap', info.sourceMapUrl);
-
-    if (info.type === "js") {
-      res.setHeader("Content-Type", "application/javascript; charset=UTF-8");
-    } else if (info.type === "css") {
-      res.setHeader("Content-Type", "text/css; charset=UTF-8");
-    }
-
-    send(req, path.join(clientDir, info.path))
-      .maxage(maxAge)
-      .hidden(true)  // if we specified a dotfile in the manifest, serve it
-      .on('error', function (err) {
-        Log.error("Error serving static file " + err);
-        res.writeHead(500);
-        res.end();
-      })
-      .on('directory', function () {
-        Log.error("Unexpected directory " + info.path);
-        res.writeHead(500);
-        res.end();
-      })
-      .pipe(res);
+    return WebAppInternals.serveStaticFiles({
+      staticFiles: staticFiles,
+      clientDir: clientDir
+    }, req, res, next);
   });
 
   // Packages and apps can add handlers to this via WebApp.connectHandlers.
@@ -435,10 +485,6 @@ var runWebAppServer = function () {
     res.end("An error message");
   });
 
-  // Will be updated by main before we listen.
-  var boilerplateTemplate = null;
-  var boilerplateBaseData = null;
-  var memoizedBoilerplate = {};
   app.use(function (req, res, next) {
     if (! appUrl(req.url))
       return next();
@@ -448,7 +494,6 @@ var runWebAppServer = function () {
     if (!boilerplateBaseData)
       throw new Error("boilerplateBaseData should be set before listening!");
 
-
     var headers = {
       'Content-Type':  'text/html; charset=utf-8'
     };
@@ -468,38 +513,18 @@ var runWebAppServer = function () {
       return undefined;
     }
 
-    var htmlAttributes = getHtmlAttributes(request);
-
-    // The only thing that changes from request to request (for now) are
-    // the HTML attributes (used by, eg, appcache) and whether inline
-    // scripts are allowed, so we can memoize based on that.
-    var boilerplateKey = JSON.stringify({
-      inlineScriptsAllowed: inlineScriptsAllowed,
-      htmlAttributes: htmlAttributes
-    });
-
-    if (! _.has(memoizedBoilerplate, boilerplateKey)) {
-      try {
-        var boilerplateData = _.extend({
-          htmlAttributes: htmlAttributes,
-          inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed()
-        }, boilerplateBaseData);
-        var boilerplateInstance = boilerplateTemplate.extend({
-          data: boilerplateData
-        });
-        var boilerplateHtmlJs = boilerplateInstance.render();
-        memoizedBoilerplate[boilerplateKey] = "<!DOCTYPE html>\n" +
-          HTML.toHTML(boilerplateHtmlJs, boilerplateInstance);
-      } catch (e) {
-        Log.error("Error running template: " + e);
-        res.writeHead(500, headers);
-        res.end();
-        return undefined;
-      }
+    var boilerplate;
+    try {
+      boilerplate = getBoilerplate(request);
+    } catch (e) {
+      Log.error("Error running template: " + e);
+      res.writeHead(500, headers);
+      res.end();
+      return undefined;
     }
 
     res.writeHead(200, headers);
-    res.write(memoizedBoilerplate[boilerplateKey]);
+    res.write(boilerplate);
     res.end();
     return undefined;
   });
@@ -1025,3 +1050,7 @@ var additionalStaticJs = {};
 WebAppInternals.addStaticJs = function (contents) {
   additionalStaticJs["/" + sha1(contents) + ".js"] = contents;
 };
+
+// Exported for tests
+WebAppInternals.getBoilerplate = getBoilerplate;
+WebAppInternals.additionalStaticJs = additionalStaticJs;
diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js
index 9b837eb2df..04bd224c8d 100644
--- a/packages/webapp/webapp_tests.js
+++ b/packages/webapp/webapp_tests.js
@@ -1,5 +1,6 @@
 var url = Npm.require("url");
 var crypto = Npm.require("crypto");
+var http = Npm.require("http");
 
 var additionalScript = "(function () { var foo = 1; })";
 WebAppInternals.addStaticJs(additionalScript);
@@ -7,6 +8,42 @@ var hash = crypto.createHash('sha1');
 hash.update(additionalScript);
 var additionalScriptPathname = hash.digest('hex') + ".js";
 
+// Mock the 'res' object that gets passed to connect handlers. This mock
+// just records any utf8 data written to the response and returns it
+// when you call `mockResponse.getBody()`.
+var MockResponse = function () {
+  this.buffer = "";
+  this.statusCode = null;
+};
+
+MockResponse.prototype.writeHead = function (statusCode) {
+  this.statusCode = statusCode;
+};
+
+MockResponse.prototype.setHeader = function (name, value) {
+  // nothing
+};
+
+MockResponse.prototype.write = function (data, encoding) {
+  if (! encoding || encoding === "utf8") {
+    this.buffer = this.buffer + data;
+  }
+};
+
+MockResponse.prototype.end = function (data, encoding) {
+  if (! encoding || encoding === "utf8") {
+    if (data) {
+      this.buffer = this.buffer + data;
+    }
+  }
+};
+
+MockResponse.prototype.getBody = function () {
+  return this.buffer;
+};
+
+
+
 Tinytest.add("webapp - content-type header", function (test) {
   var cssResource = _.find(
     _.keys(WebAppInternals.staticFiles),
@@ -32,24 +69,56 @@ Tinytest.add("webapp - content-type header", function (test) {
 Tinytest.add("webapp - additional static javascript", function (test) {
   var origInlineScriptsAllowed = WebAppInternals.inlineScriptsAllowed();
 
-  WebAppInternals.setInlineScriptsAllowed(true);
-  var resp = HTTP.get(Meteor.absoluteUrl());
-  // When inline scripts are allowed, the script should be inlined.
-  test.isTrue(resp.content.indexOf(additionalScript) !== -1);
-  // And the script should not be served as its own separate resource
-  // (so it will serve the app).
-  resp = HTTP.get(Meteor.absoluteUrl() + "/" + additionalScriptPathname);
-  test.isTrue(resp.content.indexOf("__meteor_runtime_config__") !== -1);
+  var staticFilesOpts = {
+    staticFiles: {},
+    clientDir: "/"
+  };
+
+  // It's okay to set this global state because we're not going to yield
+  // before settng it back to what it was originally.
+  WebAppInternals.setInlineScriptsAllowed(true);
+
+  var boilerplate = WebAppInternals.getBoilerplate({
+    browser: "doesn't-matter",
+    url: "also-doesnt-matter"
+  });
+
+  // When inline scripts are allowed, the script should be inlined.
+  test.isTrue(boilerplate.indexOf(additionalScript) !== -1);
+
+  // And the script should not be served as its own separate resource,
+  // meaning that the static file handler should pass on this request.
+  var res = new MockResponse();
+  var req = new http.IncomingMessage();
+  req.headers = {};
+  req.method = "GET";
+  req.url = "/" + additionalScriptPathname;
+  var nextCalled = false;
+  WebAppInternals.serveStaticFiles(staticFilesOpts, req, res, function () {
+    nextCalled = true;
+  });
+  test.isTrue(nextCalled);
 
-  WebAppInternals.setInlineScriptsAllowed(false);
-  resp = HTTP.get(Meteor.absoluteUrl());
   // When inline scripts are disallowed, the script body should not be
   // inlined, and the script should be included in a <script src="..">
   // tag.
-  test.isTrue(resp.content.indexOf(additionalScript) === -1);
-  test.isTrue(resp.content.indexOf(additionalScriptPathname) !== -1);
-  resp = HTTP.get(Meteor.absoluteUrl() + additionalScriptPathname);
-  test.isTrue(resp.content.indexOf(additionalScript) !== -1);
+  WebAppInternals.setInlineScriptsAllowed(false);
+  boilerplate = WebAppInternals.getBoilerplate({
+    browser: "doesn't-matter",
+    url: "also-doesnt-matter"
+  });
+
+  // The script contents itself should not be present; the pathname
+  // where the script is served should be.
+  test.isTrue(boilerplate.indexOf(additionalScript) === -1);
+  test.isTrue(boilerplate.indexOf(additionalScriptPathname) !== -1);
+
+  // And the static file handler should serve the script at that pathname.
+  res = new MockResponse();
+  WebAppInternals.serveStaticFiles(staticFilesOpts, req, res, function () { });
+  var resBody = res.getBody();
+  test.isTrue(resBody.indexOf(additionalScript) !== -1);
+  test.equal(res.statusCode, 200);
 
   WebAppInternals.setInlineScriptsAllowed(origInlineScriptsAllowed);
 });

From 53936d30624cc7e746a1c86289af050425acbfb0 Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Thu, 26 Jun 2014 14:46:53 -0700
Subject: [PATCH 12/19] Wrap webapp test code in _noYieldsAllowed.

---
 packages/webapp/webapp_tests.js | 83 +++++++++++++++++----------------
 1 file changed, 43 insertions(+), 40 deletions(-)

diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js
index 04bd224c8d..62b2c75749 100644
--- a/packages/webapp/webapp_tests.js
+++ b/packages/webapp/webapp_tests.js
@@ -78,47 +78,50 @@ Tinytest.add("webapp - additional static javascript", function (test) {
   // before settng it back to what it was originally.
   WebAppInternals.setInlineScriptsAllowed(true);
 
-  var boilerplate = WebAppInternals.getBoilerplate({
-    browser: "doesn't-matter",
-    url: "also-doesnt-matter"
+  Meteor._noYieldsAllowed(function () {
+    var boilerplate = WebAppInternals.getBoilerplate({
+      browser: "doesn't-matter",
+      url: "also-doesnt-matter"
+    });
+
+    // When inline scripts are allowed, the script should be inlined.
+    test.isTrue(boilerplate.indexOf(additionalScript) !== -1);
+
+    // And the script should not be served as its own separate resource,
+    // meaning that the static file handler should pass on this request.
+    var res = new MockResponse();
+    var req = new http.IncomingMessage();
+    req.headers = {};
+    req.method = "GET";
+    req.url = "/" + additionalScriptPathname;
+    var nextCalled = false;
+    WebAppInternals.serveStaticFiles(staticFilesOpts, req, res, function () {
+      nextCalled = true;
+    });
+    test.isTrue(nextCalled);
+
+    // When inline scripts are disallowed, the script body should not be
+    // inlined, and the script should be included in a <script src="..">
+    // tag.
+    WebAppInternals.setInlineScriptsAllowed(false);
+    boilerplate = WebAppInternals.getBoilerplate({
+      browser: "doesn't-matter",
+      url: "also-doesnt-matter"
+    });
+
+    // The script contents itself should not be present; the pathname
+    // where the script is served should be.
+    test.isTrue(boilerplate.indexOf(additionalScript) === -1);
+    test.isTrue(boilerplate.indexOf(additionalScriptPathname) !== -1);
+
+    // And the static file handler should serve the script at that pathname.
+    res = new MockResponse();
+    WebAppInternals.serveStaticFiles(staticFilesOpts, req, res,
+                                     function () { });
+    var resBody = res.getBody();
+    test.isTrue(resBody.indexOf(additionalScript) !== -1);
+    test.equal(res.statusCode, 200);
   });
 
-  // When inline scripts are allowed, the script should be inlined.
-  test.isTrue(boilerplate.indexOf(additionalScript) !== -1);
-
-  // And the script should not be served as its own separate resource,
-  // meaning that the static file handler should pass on this request.
-  var res = new MockResponse();
-  var req = new http.IncomingMessage();
-  req.headers = {};
-  req.method = "GET";
-  req.url = "/" + additionalScriptPathname;
-  var nextCalled = false;
-  WebAppInternals.serveStaticFiles(staticFilesOpts, req, res, function () {
-    nextCalled = true;
-  });
-  test.isTrue(nextCalled);
-
-  // When inline scripts are disallowed, the script body should not be
-  // inlined, and the script should be included in a <script src="..">
-  // tag.
-  WebAppInternals.setInlineScriptsAllowed(false);
-  boilerplate = WebAppInternals.getBoilerplate({
-    browser: "doesn't-matter",
-    url: "also-doesnt-matter"
-  });
-
-  // The script contents itself should not be present; the pathname
-  // where the script is served should be.
-  test.isTrue(boilerplate.indexOf(additionalScript) === -1);
-  test.isTrue(boilerplate.indexOf(additionalScriptPathname) !== -1);
-
-  // And the static file handler should serve the script at that pathname.
-  res = new MockResponse();
-  WebAppInternals.serveStaticFiles(staticFilesOpts, req, res, function () { });
-  var resBody = res.getBody();
-  test.isTrue(resBody.indexOf(additionalScript) !== -1);
-  test.equal(res.statusCode, 200);
-
   WebAppInternals.setInlineScriptsAllowed(origInlineScriptsAllowed);
 });

From 168f21654c012ee102a4e8b81ddef1cb199b5bcc Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Thu, 26 Jun 2014 15:15:24 -0700
Subject: [PATCH 13/19] Rename serveStaticFiles to staticFilesMiddleware

---
 packages/webapp/webapp_server.js | 4 ++--
 packages/webapp/webapp_tests.js  | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index 0152f6d33d..93a29cd7e5 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -264,7 +264,7 @@ var getBoilerplate = function (request) {
 //   - staticFiles: object mapping pathname of file in manifest -> {
 //     path, cacheable, sourceMapUrl, type }
 //   - clientDir: root directory for static files from client manifest
-WebAppInternals.serveStaticFiles = function (options, req, res, next) {
+WebAppInternals.staticFilesMiddleware = function (options, req, res, next) {
   if ('GET' != req.method && 'HEAD' != req.method) {
     next();
     return;
@@ -461,7 +461,7 @@ var runWebAppServer = function () {
   // Serve static files from the manifest.
   // This is inspired by the 'static' middleware.
   app.use(function (req, res, next) {
-    return WebAppInternals.serveStaticFiles({
+    return WebAppInternals.staticFilesMiddleware({
       staticFiles: staticFiles,
       clientDir: clientDir
     }, req, res, next);
diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js
index 62b2c75749..d300e863cd 100644
--- a/packages/webapp/webapp_tests.js
+++ b/packages/webapp/webapp_tests.js
@@ -95,9 +95,10 @@ Tinytest.add("webapp - additional static javascript", function (test) {
     req.method = "GET";
     req.url = "/" + additionalScriptPathname;
     var nextCalled = false;
-    WebAppInternals.serveStaticFiles(staticFilesOpts, req, res, function () {
-      nextCalled = true;
-    });
+    WebAppInternals.staticFilesMiddleware(
+      staticFilesOpts, req, res, function () {
+        nextCalled = true;
+      });
     test.isTrue(nextCalled);
 
     // When inline scripts are disallowed, the script body should not be
@@ -116,7 +117,7 @@ Tinytest.add("webapp - additional static javascript", function (test) {
 
     // And the static file handler should serve the script at that pathname.
     res = new MockResponse();
-    WebAppInternals.serveStaticFiles(staticFilesOpts, req, res,
+    WebAppInternals.staticFilesMiddleware(staticFilesOpts, req, res,
                                      function () { });
     var resBody = res.getBody();
     test.isTrue(resBody.indexOf(additionalScript) !== -1);

From 93483d12170b9a7d7bda29c5669f787fc3487fdb Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Fri, 27 Jun 2014 10:53:56 -0700
Subject: [PATCH 14/19] Restore optionality of loginWithPassword/changePassword
 callbacks.

Fixes a regression in 0.8.2.

Fixes #2255.
---
 packages/accounts-password/password_client.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/accounts-password/password_client.js b/packages/accounts-password/password_client.js
index bc04cc8754..3767a86bb7 100644
--- a/packages/accounts-password/password_client.js
+++ b/packages/accounts-password/password_client.js
@@ -41,9 +41,9 @@ Meteor.loginWithPassword = function (selector, password, callback) {
         }, callback);
       }
       else if (error) {
-        callback(error);
+        callback && callback(error);
       } else {
-        callback();
+        callback && callback();
       }
     }
   });
@@ -69,9 +69,9 @@ var srpUpgradePath = function (options, callback) {
     details = EJSON.parse(options.upgradeError.details);
   } catch (e) {}
   if (!(details && details.format === 'srp')) {
-    callback(new Meteor.Error(400,
-                              "Password is old. Please reset your " +
-                              "password."));
+    callback && callback(
+      new Meteor.Error(400, "Password is old. Please reset your " +
+                       "password."));
   } else {
     Accounts.callLoginMethod({
       methodArguments: [{
@@ -133,7 +133,7 @@ Accounts.changePassword = function (oldPassword, newPassword, callback) {
             plaintextPassword: oldPassword
           }, function (err) {
             if (err) {
-              callback(err);
+              callback && callback(err);
             } else {
               // Now that we've successfully migrated from srp to
               // bcrypt, try changing the password again.

From 01cf5c6fd5236b96fe5d978314947d4546c7d679 Mon Sep 17 00:00:00 2001
From: Matthew Arbesfeld <arbesfeld@gmail.com>
Date: Fri, 27 Jun 2014 13:39:33 -0700
Subject: [PATCH 15/19] Update BUNDLE_VERSION note in meteor script

---
 meteor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meteor b/meteor
index 4ce7672a42..4d81c79100 100755
--- a/meteor
+++ b/meteor
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-BUNDLE_VERSION=0.3.38  # warning! 0.3.39-40 used on packaging branch
+BUNDLE_VERSION=0.3.38  # warning! 0.3.39-41 used on packaging branch
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.

From d17c190c52062540a2e96cb4d777cb135f6c20e7 Mon Sep 17 00:00:00 2001
From: Slava Kim <slava@meteor.com>
Date: Fri, 27 Jun 2014 13:40:03 -0700
Subject: [PATCH 16/19] Observe-sequence package recognizes different cursors
 by checking the interface of observe and fetch.

Before it checked that the cursor is an instance of Minimongo.Cursor.
---
 packages/observe-sequence/observe_sequence.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/packages/observe-sequence/observe_sequence.js b/packages/observe-sequence/observe_sequence.js
index e4c1b4dea2..b4a7dc9b71 100644
--- a/packages/observe-sequence/observe_sequence.js
+++ b/packages/observe-sequence/observe_sequence.js
@@ -127,7 +127,7 @@ ObserveSequence = {
           });
 
           diffArray(lastSeqArray, seqArray, callbacks);
-        } else if (isMinimongoCursor(seq)) {
+        } else if (isStoreCursor(seq)) {
           var cursor = seq;
           seqArray = [];
 
@@ -188,7 +188,7 @@ ObserveSequence = {
       return [];
     } else if (seq instanceof Array) {
       return seq;
-    } else if (isMinimongoCursor(seq)) {
+    } else if (isStoreCursor(seq)) {
       return seq.fetch();
     } else {
       throw badSequenceError();
@@ -201,9 +201,9 @@ var badSequenceError = function () {
                    "arrays, cursors or falsey values.");
 };
 
-var isMinimongoCursor = function (seq) {
-  var minimongo = Package.minimongo;
-  return !!minimongo && (seq instanceof minimongo.LocalCollection.Cursor);
+var isStoreCursor = function (cursor) {
+  return cursor && _.isObject(cursor) &&
+    _.isFunction(cursor.observe) && _.isFunction(cursor.fetch);
 };
 
 // Calculates the differences between `lastSeqArray` and

From fe5ff812e4176bda95ff0f9c0954414edd7e64f4 Mon Sep 17 00:00:00 2001
From: Matthew Arbesfeld <arbesfeld@gmail.com>
Date: Fri, 27 Jun 2014 15:30:50 -0700
Subject: [PATCH 17/19] Revert change to warning text, going to do this on
 Monday

---
 meteor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meteor b/meteor
index 4d81c79100..4ce7672a42 100755
--- a/meteor
+++ b/meteor
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-BUNDLE_VERSION=0.3.38  # warning! 0.3.39-41 used on packaging branch
+BUNDLE_VERSION=0.3.38  # warning! 0.3.39-40 used on packaging branch
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.

From 135b0b56e90e63f7a1ddb685eb0b5dd5a5ffbe21 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Fri, 27 Jun 2014 16:37:14 -0700
Subject: [PATCH 18/19] install script should write files as current user

If you ran it as root before, it would write files as whatever uid we
had on our buildbot. Oops!

Fixes #2249.
---
 scripts/admin/install-engine.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/admin/install-engine.sh b/scripts/admin/install-engine.sh
index dffce62413..52b7692a62 100644
--- a/scripts/admin/install-engine.sh
+++ b/scripts/admin/install-engine.sh
@@ -79,7 +79,7 @@ INSTALL_TMPDIR="$HOME/.meteor-install-tmp"
 rm -rf "$INSTALL_TMPDIR"
 mkdir "$INSTALL_TMPDIR"
 echo "Downloading Meteor distribution"
-curl --progress-bar --fail "$TARBALL_URL" | tar -xzf - -C "$INSTALL_TMPDIR"
+curl --progress-bar --fail "$TARBALL_URL" | tar -xzf - -C "$INSTALL_TMPDIR" -o
 # bomb out if it didn't work, eg no net
 test -x "${INSTALL_TMPDIR}/.meteor/meteor"
 mv "${INSTALL_TMPDIR}/.meteor" "$HOME"

From 6bf6480569df0164eb5be52f728a14ccd07e4621 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Fri, 27 Jun 2014 16:48:20 -0700
Subject: [PATCH 19/19] Clarify that your publisher must do SOMETHING

Either return cursor(s), or use the low-level API.

Fixes #2253
---
 docs/client/api.html | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/docs/client/api.html b/docs/client/api.html
index adc97f191e..405a90fac4 100644
--- a/docs/client/api.html
+++ b/docs/client/api.html
@@ -92,15 +92,17 @@ different collections. We hope to lift this restriction in a future release.
       ];
     });
 
-Alternatively, a publish function can directly control its published
-record set by calling the functions [`added`](#publish_added) (to add a
-new document to the published record set), [`changed`](#publish_changed)
-(to change or clear some fields on a document already in the published
-record set), and [`removed`](#publish_removed) (to remove documents from
-the published record set).  Publish functions that use these functions
-should also call [`ready`](#publish_ready) once the initial record set
-is complete.  These methods are provided by `this` in your publish
-function.
+Alternatively, a publish function can directly control its published record set
+by calling the functions [`added`](#publish_added) (to add a new document to the
+published record set), [`changed`](#publish_changed) (to change or clear some
+fields on a document already in the published record set), and
+[`removed`](#publish_removed) (to remove documents from the published record
+set).  These methods are provided by `this` in your publish function.
+
+If a publish function does not return a cursor or array of cursors, it is
+assumed to be using the low-level `added`/`changed`/`removed` interface, and it
+**must also call [`ready`](#publish_ready) once the initial record set is
+complete**.
 
 Example:
 
@@ -156,6 +158,19 @@ Example:
                 Counts.findOne(Session.get("roomId")).count +
                 " messages.");
 
+    // server: sometimes publish a query, sometimes publish nothing
+    Meteor.publish("secretData", function () {
+      if (this.userId === 'superuser') {
+        return SecretData.find();
+      } else {
+        // Declare that no data is being published. If you leave this line
+        // out, Meteor will never consider the subscription ready because
+        // it thinks you're using the added/changed/removed interface where
+        // you have to explicitly call this.ready().
+        return [];
+      }
+    });
+
 {{#warning}}
 Meteor will emit a warning message if you call `Meteor.publish` in a
 project that includes the `autopublish` package.  Your publish function