@currentjs/gen 0.3.2 → 0.5.1

package/dist/generators/controllerGenerator.js

@@ -37,389 +37,646 @@ exports.ControllerGenerator = void 0;
 const yaml_1 = require("yaml");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-const controllerTemplates_1 = require("./templates/controllerTemplates");
 const generationRegistry_1 = require("../utils/generationRegistry");
 const colors_1 = require("../utils/colors");
+const configTypes_1 = require("../types/configTypes");
+const childEntityUtils_1 = require("../utils/childEntityUtils");
+const typeUtils_1 = require("../utils/typeUtils");
 const constants_1 = require("../utils/constants");
 class ControllerGenerator {
-    hasPermissions(config) {
-        if (config.modules) {
-            return Object.values(config.modules).some(module => module.permissions && module.permissions.length > 0);
+    getHttpDecorator(method) {
+        switch (method.toUpperCase()) {
+            case 'GET': return 'Get';
+            case 'POST': return 'Post';
+            case 'PUT': return 'Put';
+            case 'PATCH': return 'Patch';
+            case 'DELETE': return 'Delete';
+            default: return 'Get';
         }
-        const module = config;
-        return !!(module.permissions && module.permissions.length > 0);
     }
-    getActionPermissions(moduleName, moduleConfig) {
-        if (!moduleConfig.permissions || !moduleConfig.actions) {
-            return {};
-        }
-        const actionPermissions = {};
-        Object.keys(moduleConfig.actions).forEach(action => {
-            actionPermissions[action] = [];
-        });
-        (moduleConfig.permissions || []).forEach(permission => {
-            (permission.actions || []).forEach(action => {
-                if (actionPermissions[action]) {
-                    actionPermissions[action].push(permission.role);
-                }
-            });
-        });
-        return actionPermissions;
-    }
-    shouldGenerateMethod(action, roles) {
-        return !roles.includes('none');
+    parseUseCase(useCase) {
+        const [model, action] = useCase.split(':');
+        return { model, action };
     }
-    needsUserParam(roles) {
-        return roles.length > 0 && !roles.includes('all');
+    /**
+     * Normalize auth config to an array of roles
+     */
+    normalizeAuth(auth) {
+        if (!auth)
+            return [];
+        if (Array.isArray(auth))
+            return auth;
+        return [auth];
     }
-    getHttpMethodName(_httpMethod, action) {
-        return action;
+    /**
+     * Check if auth config includes owner permission
+     */
+    hasOwnerAuth(auth) {
+        const roles = this.normalizeAuth(auth);
+        return roles.includes(constants_1.AUTH_ROLES.OWNER);
     }
-    getHttpDecorator(httpMethod) {
-        switch ((httpMethod || 'GET').toUpperCase()) {
-            case 'GET':
-                return 'Get';
-            case 'POST':
-                return 'Post';
-            case 'PUT':
-                return 'Put';
-            case 'PATCH':
-                return 'Patch';
-            case 'DELETE':
-                return 'Delete';
-            default:
-                return 'Get';
+    /**
+     * Generate pre-fetch authentication/authorization check code.
+     * This runs before fetching the entity and validates authentication and role-based access.
+     * @param auth - The auth requirement: 'all', 'authenticated', 'owner', role names, or array of roles
+     * @returns Code string for the auth check, or empty string if no check needed
+     */
+    generateAuthCheck(auth) {
+        const roles = this.normalizeAuth(auth);
+        if (roles.length === 0 || (roles.length === 1 && roles[0] === constants_1.AUTH_ROLES.ALL)) {
+            return ''; // No check needed - public access
+        }
+        // If only 'authenticated' is specified
+        if (roles.length === 1 && roles[0] === constants_1.AUTH_ROLES.AUTHENTICATED) {
+            return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
+    }`;
+        }
+        // If only 'owner' is specified - just require authentication here
+        // (owner check happens post-fetch)
+        if (roles.length === 1 && roles[0] === constants_1.AUTH_ROLES.OWNER) {
+            return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
+    }`;
         }
+        // Filter out 'owner' and 'all' for role checks (owner is checked post-fetch)
+        const roleChecks = roles.filter(r => r !== constants_1.AUTH_ROLES.OWNER && r !== constants_1.AUTH_ROLES.ALL && r !== constants_1.AUTH_ROLES.AUTHENTICATED);
+        const hasOwner = roles.includes(constants_1.AUTH_ROLES.OWNER);
+        const hasAuthenticated = roles.includes(constants_1.AUTH_ROLES.AUTHENTICATED);
+        // If we have role checks or owner, we need authentication
+        if (roleChecks.length > 0 || hasOwner) {
+            if (roleChecks.length === 0) {
+                // Only owner (and maybe authenticated) - just require auth
+                return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
+    }`;
+            }
+            if (roleChecks.length === 1 && !hasOwner) {
+                // Single role check
+                return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
+    }
+    if (context.request.user.role !== '${roleChecks[0]}') {
+      throw new Error('${constants_1.AUTH_ERRORS.INSUFFICIENT_PERMISSIONS}: ${roleChecks[0]} role required');
+    }`;
+            }
+            // Multiple roles OR owner - use OR logic
+            // If owner is included, we can't fully check here (post-fetch), so we just require auth
+            // and mark that owner check should happen later
+            if (hasOwner) {
+                // With owner: require auth, role check will be combined with owner check post-fetch
+                return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
+    }`;
+            }
+            // Multiple roles without owner - check if user has ANY of the roles
+            const roleConditions = roleChecks.map(r => `context.request.user.role === '${r}'`).join(' || ');
+            return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
     }
-    getMethodCallParams(action, entityName) {
-        const dtoType = entityName ? `${entityName}DTO` : 'any';
-        switch (action) {
-            case 'list':
-                return 'page, limit';
-            case 'get':
-            case 'getById':
-                return 'id';
-            case 'create':
-                return `context.request.body as ${dtoType}`;
-            case 'update':
-                return `id, context.request.body as ${dtoType}`;
-            case 'delete':
-                return 'id';
-            default:
-                return '/* custom params */';
+    if (!(${roleConditions})) {
+      throw new Error('${constants_1.AUTH_ERRORS.INSUFFICIENT_PERMISSIONS}: one of [${roleChecks.join(', ')}] role required');
+    }`;
+        }
+        // Only 'authenticated' in the mix
+        if (hasAuthenticated) {
+            return `if (!context.request.user) {
+      throw new Error('${constants_1.AUTH_ERRORS.REQUIRED}');
+    }`;
         }
+        return '';
     }
-    generateParameterExtractions(action) {
-        switch (action) {
-            case 'list':
-                return `
-    // Extract pagination from URL parameters
-    const page = parseInt(context.request.parameters.page as string) || 1;
-    const limit = parseInt(context.request.parameters.limit as string) || 10;`;
-            case 'get':
-            case 'getById':
-            case 'update':
-            case 'delete':
+    /**
+     * Generate post-fetch authorization check for owner validation.
+     * This runs after fetching the entity and validates ownership.
+     * Used for READ operations (get, list) where we check after fetch.
+     * For child entities, uses getResourceOwner() since result has no ownerId.
+     */
+    generatePostFetchOwnerCheck(auth, resultVar = 'result', useCaseVar, childInfo) {
+        const roles = this.normalizeAuth(auth);
+        if (!roles.includes(constants_1.AUTH_ROLES.OWNER)) {
+            return ''; // No owner check needed
+        }
+        const bypassRoles = roles.filter(r => r !== constants_1.AUTH_ROLES.OWNER && r !== constants_1.AUTH_ROLES.ALL && r !== constants_1.AUTH_ROLES.AUTHENTICATED);
+        // Child entities don't have ownerId on result; resolve via getResourceOwner
+        if (childInfo && useCaseVar) {
+            if (bypassRoles.length === 0) {
                 return `
-    const id = parseInt(context.request.parameters.id as string);
-    if (isNaN(id)) {
-      throw new Error('Invalid ID parameter');
+    // Owner validation (post-fetch for reads, via parent)
+    const resourceOwnerId = await this.${useCaseVar}.getResourceOwner(${resultVar}.id);
+    if (resourceOwnerId === null) {
+      throw new Error('Resource not found');
+    }
+    if (resourceOwnerId !== context.request.user?.id) {
+      throw new Error('${constants_1.AUTH_ERRORS.ACCESS_DENIED}');
+    }`;
+            }
+            const bypassConditions = bypassRoles.map(r => `context.request.user?.role === '${r}'`).join(' || ');
+            return `
+    // Owner validation (post-fetch for reads, via parent, bypassed for: ${bypassRoles.join(', ')})
+    const resourceOwnerId = await this.${useCaseVar}.getResourceOwner(${resultVar}.id);
+    if (resourceOwnerId === null) {
+      throw new Error('Resource not found');
+    }
+    const isOwner = resourceOwnerId === context.request.user?.id;
+    const hasPrivilegedRole = ${bypassConditions};
+    if (!isOwner && !hasPrivilegedRole) {
+      throw new Error('${constants_1.AUTH_ERRORS.ACCESS_DENIED}');
     }`;
-            case 'create':
-                return ''; // No additional parameter extraction needed for create
-            default:
-                return '';
         }
+        // Root entity: result has ownerId
+        if (bypassRoles.length === 0) {
+            return `
+    // Owner validation (post-fetch for reads)
+    if (${resultVar}.ownerId !== context.request.user?.id) {
+      throw new Error('${constants_1.AUTH_ERRORS.ACCESS_DENIED}');
+    }`;
+        }
+        const bypassConditions = bypassRoles.map(r => `context.request.user?.role === '${r}'`).join(' || ');
+        return `
+    // Owner validation (post-fetch for reads, bypassed for: ${bypassRoles.join(', ')})
+    const isOwner = ${resultVar}.ownerId === context.request.user?.id;
+    const hasPrivilegedRole = ${bypassConditions};
+    if (!isOwner && !hasPrivilegedRole) {
+      throw new Error('${constants_1.AUTH_ERRORS.ACCESS_DENIED}');
+    }`;
+    }
+    /**
+     * Generate pre-mutation authorization check for owner validation.
+     * This runs BEFORE the mutation to prevent unauthorized changes.
+     * Used for WRITE operations (update, delete).
+     * @param auth - The auth requirement
+     * @param useCaseVar - The use case variable name
+     * @returns Code string for the pre-mutation owner check, or empty string if not needed
+     */
+    generatePreMutationOwnerCheck(auth, useCaseVar = 'useCase') {
+        const roles = this.normalizeAuth(auth);
+        if (!roles.includes(constants_1.AUTH_ROLES.OWNER)) {
+            return ''; // No owner check needed
+        }
+        // Get non-owner roles for the bypass check
+        const bypassRoles = roles.filter(r => r !== constants_1.AUTH_ROLES.OWNER && r !== constants_1.AUTH_ROLES.ALL && r !== constants_1.AUTH_ROLES.AUTHENTICATED);
+        if (bypassRoles.length === 0) {
+            // Only owner - strict ownership check
+            return `
+    // Pre-mutation owner validation
+    const resourceOwnerId = await this.${useCaseVar}.getResourceOwner(input.id);
+    if (resourceOwnerId === null) {
+      throw new Error('Resource not found');
+    }
+    if (resourceOwnerId !== context.request.user?.id) {
+      throw new Error('${constants_1.AUTH_ERRORS.ACCESS_DENIED}');
+    }
+`;
+        }
+        // Owner OR other roles - bypass if user has a privileged role
+        const bypassConditions = bypassRoles.map(r => `context.request.user?.role === '${r}'`).join(' || ');
+        return `
+    // Pre-mutation owner validation (bypassed for: ${bypassRoles.join(', ')})
+    const resourceOwnerId = await this.${useCaseVar}.getResourceOwner(input.id);
+    if (resourceOwnerId === null) {
+      throw new Error('Resource not found');
+    }
+    const isOwner = resourceOwnerId === context.request.user?.id;
+    const hasPrivilegedRole = ${bypassConditions};
+    if (!isOwner && !hasPrivilegedRole) {
+      throw new Error('${constants_1.AUTH_ERRORS.ACCESS_DENIED}');
     }
-    generateMethodImplementation(action, entityName, hasUserParam, actions) {
-        // Check if we have action handlers
-        if (actions && actions[action] && actions[action].handlers) {
-            const handlers = actions[action].handlers;
-            const entityLower = entityName.toLowerCase();
-            // Filter handlers that apply to this model
-            const modelHandlers = handlers.filter(h => h.startsWith(`${entityLower}:`) || h.startsWith(`${entityName}:`));
-            if (modelHandlers.length === 0) {
-                return `// TODO: No valid handlers found for action ${action}. Use ${entityName}:default:${action} or ${entityName}:customMethodName format.`;
+`;
+    }
+    generateApiEndpointMethod(endpoint, resourceName, useCasesConfig, childInfo) {
+        var _a;
+        const { model, action } = this.parseUseCase(endpoint.useCase);
+        const methodName = action;
+        const decorator = this.getHttpDecorator(endpoint.method);
+        const useCaseVar = `${model.toLowerCase()}UseCase`;
+        const inputClass = `${model}${(0, typeUtils_1.capitalize)(action)}Input`;
+        const outputClass = `${model}${(0, typeUtils_1.capitalize)(action)}Output`;
+        const useCaseDef = (_a = useCasesConfig[model]) === null || _a === void 0 ? void 0 : _a[action];
+        const isVoidOutput = !(useCaseDef === null || useCaseDef === void 0 ? void 0 : useCaseDef.output) || useCaseDef.output === 'void';
+        const dtoImports = new Set();
+        const voidOutputDtos = new Set();
+        dtoImports.add(`${model}${(0, typeUtils_1.capitalize)(action)}`);
+        if (isVoidOutput) {
+            voidOutputDtos.add(`${model}${(0, typeUtils_1.capitalize)(action)}`);
+        }
+        // Generate auth check (pre-fetch)
+        const authCheck = this.generateAuthCheck(endpoint.auth);
+        const authLine = authCheck ? `\n    ${authCheck}\n` : '';
+        const hasOwner = this.hasOwnerAuth(endpoint.auth);
+        // Build parsing logic
+        // For create: root gets ownerId from user, child gets parentId from URL params
+        let parseLogic;
+        if (action === 'list') {
+            parseLogic = `const input = ${inputClass}.parse(context.request.parameters);`;
+        }
+        else if (action === 'get' || action === 'delete') {
+            parseLogic = `const input = ${inputClass}.parse({ id: context.request.parameters.id });`;
+        }
+        else if (action === 'create') {
+            if (childInfo) {
+                parseLogic = `const input = ${inputClass}.parse({ ...context.request.body, ${childInfo.parentIdField}: context.request.parameters.${childInfo.parentIdField} });`;
+            }
+            else {
+                parseLogic = `const input = ${inputClass}.parse({ ...context.request.body, ownerId: context.request.user?.id });`;
             }
-            const userExtraction = hasUserParam ? controllerTemplates_1.controllerTemplates.userExtraction : '';
-            const userParam = hasUserParam ? ', user' : '';
-            // Generate parameter extraction based on action type
-            const paramExtractions = this.generateParameterExtractions(action);
-            // Generate step-by-step calls for each handler
-            const handlerCalls = modelHandlers.map((handler, index) => {
-                const parts = handler.split(':');
-                let methodName;
-                let params;
-                if (parts.length === 3 && parts[1] === 'default') {
-                    // Format: modelname:default:action
-                    const actionName = parts[2];
-                    methodName = actionName === 'getById' ? 'get' : actionName; // Use 'get' instead of 'getById'
-                    // For default handlers, use extracted parameters
-                    params = this.getMethodCallParams(actionName, entityName) + userParam;
+        }
+        else if (action === 'update') {
+            parseLogic = `const input = ${inputClass}.parse({ ...context.request.body, id: context.request.parameters.id });`;
+        }
+        else {
+            parseLogic = `const input = ${inputClass}.parse(context.request.body || {});`;
+        }
+        // Generate owner checks:
+        // - For mutations (update, delete): PRE-mutation check (before operation)
+        // - For reads (get): POST-fetch check (after fetching)
+        const isMutation = action === 'update' || action === 'delete';
+        const isRead = action === 'get';
+        // Pre-mutation owner check for write operations
+        const preMutationOwnerCheck = (hasOwner && isMutation)
+            ? this.generatePreMutationOwnerCheck(endpoint.auth, useCaseVar)
+            : '';
+        // Post-fetch owner check for read operations only
+        const postFetchOwnerCheck = (hasOwner && isRead)
+            ? this.generatePostFetchOwnerCheck(endpoint.auth, 'result', useCaseVar, childInfo)
+            : '';
+        // Generate output transformation based on action
+        let outputTransform;
+        if (isVoidOutput || action === 'delete') {
+            outputTransform = `return result;`;
+        }
+        else if (action === 'list') {
+            outputTransform = `return ${outputClass}.from(result);`;
+        }
+        else {
+            outputTransform = `return ${outputClass}.from(result);`;
+        }
+        const useCaseArgs = (hasOwner && action === 'list')
+            ? 'input, context.request.user?.id as number'
+            : 'input';
+        const method = `  @${decorator}('${endpoint.path}')
+  async ${methodName}(context: IContext): Promise<any> {${authLine}
+    ${parseLogic}${preMutationOwnerCheck}
+    const result = await this.${useCaseVar}.${action}(${useCaseArgs});${postFetchOwnerCheck}
+    ${outputTransform}
+  }`;
+        return { method, dtoImports, voidOutputDtos };
+    }
+    generateWebPageMethod(page, resourceName, layout, methodIndex, childInfo, withChildChildren) {
+        const method = page.method || 'GET';
+        const decorator = this.getHttpDecorator(method);
+        const dtoImports = new Set();
+        // Generate unique method name by appending method type for POST routes
+        const pathSegments = page.path.split('/').filter(Boolean);
+        let baseMethodName = pathSegments.length === 0
+            ? 'index'
+            : pathSegments.map((seg, idx) => {
+                if (seg.startsWith(':')) {
+                    return 'By' + (0, typeUtils_1.capitalize)(seg.slice(1));
                 }
-                else if (parts.length === 2) {
-                    // Format: modelname:custommethod
-                    methodName = parts[1];
-                    // For custom handlers, pass result from previous handler (or null) and context
-                    const prevResult = index === 0 ? 'null' : `result${index}`;
-                    params = `${prevResult}, context${userParam}`;
+                return idx === 0 ? seg : (0, typeUtils_1.capitalize)(seg);
+            }).join('');
+        // Append method suffix for POST to avoid duplicates
+        const methodName = method === 'POST' ? `${baseMethodName}Submit` : baseMethodName;
+        // Generate auth check (pre-fetch)
+        const authCheck = this.generateAuthCheck(page.auth);
+        const authLine = authCheck ? `\n    ${authCheck}\n` : '';
+        // For GET requests with views (display pages)
+        if (method === 'GET' && page.view) {
+            const pageLayout = this.resolveLayout(page.layout, layout);
+            const renderDecorator = pageLayout
+                ? `\n  @Render("${page.view}", "${pageLayout}")`
+                : `\n  @Render("${page.view}")`;
+            if (page.useCase) {
+                const { model, action } = this.parseUseCase(page.useCase);
+                const useCaseVar = `${model.toLowerCase()}UseCase`;
+                const inputClass = `${model}${(0, typeUtils_1.capitalize)(action)}Input`;
+                dtoImports.add(`${model}${(0, typeUtils_1.capitalize)(action)}`);
+                const hasOwner = this.hasOwnerAuth(page.auth);
+                let parseLogic;
+                if (page.path.includes(':id')) {
+                    parseLogic = `const input = ${inputClass}.parse({ id: context.request.parameters.id });`;
+                }
+                else if (action === 'list') {
+                    parseLogic = `const input = ${inputClass}.parse(context.request.parameters);`;
                 }
                 else {
-                    return `// Invalid handler format: ${handler}`;
+                    parseLogic = `const input = ${inputClass}.parse({});`;
                 }
-                const isLast = index === modelHandlers.length - 1;
-                const resultVar = isLast ? 'result' : `result${index + 1}`;
-                return `const ${resultVar} = await this.${entityLower}Service.${methodName}(${params});`;
-            }).join('\n    ');
-            // For multiple handlers, return the last result
-            const returnStatement = '\n    return result;';
-            return `${userExtraction}${paramExtractions}
-    ${handlerCalls}${returnStatement}`;
-        }
-        // Fallback to existing template lookup
-        const template = controllerTemplates_1.controllerTemplates.methodImplementations[action];
-        if (!template) {
-            return `    // TODO: Implement ${action} method\n    return {} as any;`;
-        }
-        const userExtraction = hasUserParam ? controllerTemplates_1.controllerTemplates.userExtraction : '';
-        const userParam = hasUserParam ? ', user' : '';
-        return template
-            .replace(/{{ENTITY_NAME}}/g, entityName)
-            .replace(/{{ENTITY_LOWER}}/g, entityName.toLowerCase())
-            .replace(/{{USER_EXTRACTION}}/g, userExtraction)
-            .replace(/{{USER_PARAM}}/g, userParam);
-    }
-    replaceTemplateVars(template, variables) {
-        let result = template;
-        Object.entries(variables).forEach(([key, value]) => {
-            const regex = new RegExp(`{{${key}}}`, 'g');
-            result = result.replace(regex, String(value));
-        });
-        return result;
-    }
-    generateControllerMethod(endpoint, entityName, roles, hasPermissions, kind, actions) {
-        const methodName = kind === 'web' ? this.getWebMethodName(endpoint) : this.getHttpMethodName(endpoint.method, endpoint.action);
-        const httpDecorator = kind === 'web' ? 'Get' : this.getHttpDecorator(endpoint.method);
-        const needsUser = this.needsUserParam(roles);
-        const methodImplementation = this.generateMethodImplementation(endpoint.action, entityName, needsUser, actions);
-        const returnType = this.getReturnType(endpoint.action, entityName);
-        const renderDecorator = kind === 'web' && endpoint.view
-            ? `\n  @Render("${endpoint.view}"${endpoint.layout ? `, "${endpoint.layout}"` : ', "main_view"'})`
-            : '';
-        const variables = {
-            METHOD_NAME: methodName,
-            HTTP_DECORATOR: httpDecorator,
-            ENDPOINT_PATH: endpoint.path,
-            METHOD_IMPLEMENTATION: methodImplementation,
-            RETURN_TYPE: returnType,
-            RENDER_DECORATOR: renderDecorator
-        };
-        return this.replaceTemplateVars(controllerTemplates_1.controllerTemplates.controllerMethod, variables);
+                const isReadAction = action === 'get' || action === 'list';
+                const postFetchOwnerCheck = (hasOwner && isReadAction)
+                    ? this.generatePostFetchOwnerCheck(page.auth, 'result', useCaseVar, childInfo)
+                    : '';
+                // For get + withChild: load child entities and merge into result for template
+                const loadChildBlocks = [];
+                let returnExpr;
+                if (childInfo) {
+                    returnExpr = `{ ...result, ${childInfo.parentIdField}: context.request.parameters.${childInfo.parentIdField} }`;
+                }
+                else if ((withChildChildren === null || withChildChildren === void 0 ? void 0 : withChildChildren.length) && action === 'get') {
+                    const childKeys = [];
+                    for (const child of withChildChildren) {
+                        const childVar = child.childEntityName.charAt(0).toLowerCase() + child.childEntityName.slice(1);
+                        const childItemsKey = `${childVar}Items`;
+                        childKeys.push(childItemsKey);
+                        loadChildBlocks.push(`const ${childItemsKey} = await this.${childVar}Service.listByParent(result.id);`);
+                    }
+                    returnExpr = `{ ...result, ${childKeys.map(k => `${k}: ${k}`).join(', ')} }`;
+                }
+                else {
+                    returnExpr = 'result';
+                }
+                const useCaseArgs = (hasOwner && action === 'list')
+                    ? 'input, context.request.user?.id as number'
+                    : 'input';
+                const loadChildCode = loadChildBlocks.length ? '\n    ' + loadChildBlocks.join('\n    ') + '\n    ' : '';
+                const methodCode = `${renderDecorator}
+  @${decorator}('${page.path}')
+  async ${methodName}(context: IContext): Promise<any> {${authLine}
+    ${parseLogic}
+    const result = await this.${useCaseVar}.${action}(${useCaseArgs});${postFetchOwnerCheck}${loadChildCode}
+    return ${returnExpr};
+  }`;
+                return { method: methodCode, dtoImports };
+            }
+            else {
+                // No use case - just render view (e.g. create form)
+                // Child entities need the parent ID from URL params for link rendering
+                const emptyFormData = childInfo
+                    ? `{ formData: {}, ${childInfo.parentIdField}: context.request.parameters.${childInfo.parentIdField} }`
+                    : '{ formData: {} }';
+                const methodCode = `${renderDecorator}
+  @${decorator}('${page.path}')
+  async ${methodName}(context: IContext): Promise<any> {${authLine}
+    return ${emptyFormData};
+  }`;
+                return { method: methodCode, dtoImports };
+            }
+        }
+        else if (method === 'POST' && page.useCase) {
+            // POST request - form submission
+            const { model, action } = this.parseUseCase(page.useCase);
+            const useCaseVar = `${model.toLowerCase()}UseCase`;
+            const inputClass = `${model}${(0, typeUtils_1.capitalize)(action)}Input`;
+            dtoImports.add(`${model}${(0, typeUtils_1.capitalize)(action)}`);
+            let parseLogic;
+            if (page.path.includes(':id')) {
+                parseLogic = `const input = ${inputClass}.parse({ ...context.request.body, id: context.request.parameters.id });`;
+            }
+            else if (action === 'create') {
+                if (childInfo) {
+                    parseLogic = `const input = ${inputClass}.parse({ ...context.request.body, ${childInfo.parentIdField}: context.request.parameters.${childInfo.parentIdField} });`;
+                }
+                else {
+                    parseLogic = `const input = ${inputClass}.parse({ ...context.request.body, ownerId: context.request.user?.id });`;
+                }
+            }
+            else {
+                parseLogic = `const input = ${inputClass}.parse(context.request.body);`;
+            }
+            // Generate PRE-mutation owner check for update/delete actions (POST requests)
+            const hasOwner = this.hasOwnerAuth(page.auth);
+            const isMutation = action === 'update' || action === 'delete';
+            const preMutationOwnerCheck = (hasOwner && isMutation)
+                ? this.generatePreMutationOwnerCheck(page.auth, useCaseVar)
+                : '';
+            // Handle onSuccess and onError strategies
+            const onSuccessHandler = this.generateOnSuccessHandler(page);
+            const onErrorHandler = this.generateOnErrorHandler(page);
+            const methodCode = `  @${decorator}('${page.path}')
+  async ${methodName}(context: IContext): Promise<any> {${authLine}
+    try {
+      ${parseLogic}${preMutationOwnerCheck}
+      const result = await this.${useCaseVar}.${action}(input);
+      ${onSuccessHandler}
+      return { success: true, data: result };
+    } catch (error) {
+      ${onErrorHandler}
+      throw error;
     }
-    getWebMethodName(endpoint) {
-        const base = this.getHttpMethodName(endpoint.method, endpoint.action);
-        const suffix = this.getPathSuffix(endpoint.path);
-        return `${base}${suffix}`;
+  }`;
+            return { method: methodCode, dtoImports };
+        }
+        const methodCode = `  @${decorator}('${page.path}')
+  async ${methodName}(context: IContext): Promise<any> {
+    // TODO: Implement ${methodName}
+    return {};
+  }`;
+        return { method: methodCode, dtoImports };
     }
-    getPathSuffix(routePath) {
-        if (!routePath || routePath === '/')
-            return 'Index';
-        const segments = routePath.split('/').filter(Boolean);
-        const parts = segments.map(seg => {
-            if (seg.startsWith(':')) {
-                const name = seg.slice(1);
-                return 'By' + name.charAt(0).toUpperCase() + name.slice(1);
-            }
-            const cleaned = seg.replace(/[^a-zA-Z0-9]+/g, ' ')
-                .split(' ')
-                .filter(Boolean)
-                .map(s => s.charAt(0).toUpperCase() + s.slice(1))
-                .join('');
-            return cleaned || 'Index';
-        });
-        return parts.join('');
+    generateOnSuccessHandler(page) {
+        if (!page.onSuccess)
+            return '// Success';
+        const handlers = [];
+        if (page.onSuccess.toast) {
+            handlers.push(`// Toast: ${page.onSuccess.toast}`);
+        }
+        if (page.onSuccess.redirect) {
+            const redirectPath = page.onSuccess.redirect.replace(':id', '${result.id}');
+            handlers.push(`// Redirect: ${redirectPath}`);
+        }
+        if (page.onSuccess.back) {
+            handlers.push('// Navigate back');
+        }
+        return handlers.join('\n      ') || '// Success';
     }
-    getReturnType(action, entityName) {
-        switch (action) {
-            case 'list':
-                return `${entityName}[]`;
-            case 'get':
-            case 'create':
-            case 'update':
-            case 'empty':
-                return entityName;
-            case 'delete':
-                return '{ success: boolean; message: string }';
-            default:
-                return 'any';
+    generateOnErrorHandler(page) {
+        if (!page.onError)
+            return '// Error occurred';
+        const handlers = [];
+        if (page.onError.stay) {
+            handlers.push('// Stay on page');
         }
+        if (page.onError.toast) {
+            handlers.push(`// Error toast: ${page.onError.toast}`);
+        }
+        return handlers.join('\n      ') || '// Error occurred';
     }
     /**
-     * Generate controller for a single config (api or routes)
+     * Sort routes so static paths are registered before parameterized ones.
+     * This prevents parameterized routes (e.g. /:id) from catching requests
+     * meant for static routes (e.g. /create).
      */
-    generateControllerForModelWithConfig(model, moduleName, moduleConfig, cfg, hasGlobalPermissions, kind) {
-        var _a;
-        const isApi = kind === 'api';
-        const entityName = model.name;
-        const entityLower = entityName.toLowerCase();
-        // Determine if we should generate a controller for this model
-        const configModel = (cfg === null || cfg === void 0 ? void 0 : cfg.model) || (moduleConfig.models && moduleConfig.models[0] ? moduleConfig.models[0].name : null);
-        const topLevelMatches = !configModel || configModel === entityName || configModel.toLowerCase() === entityLower;
-        // Also check if any endpoints specifically target this model (Option A)
-        const hasEndpointForThisModel = ((_a = cfg === null || cfg === void 0 ? void 0 : cfg.endpoints) === null || _a === void 0 ? void 0 : _a.some(endpoint => {
-            const endpointModel = endpoint.model || configModel;
-            return endpointModel === entityName || (endpointModel === null || endpointModel === void 0 ? void 0 : endpointModel.toLowerCase()) === entityLower;
-        })) || false;
-        const shouldGenerateForThisModel = topLevelMatches || hasEndpointForThisModel;
-        if (!shouldGenerateForThisModel) {
-            return '';
-        }
-        const controllerBase = (cfg.prefix || `/${isApi ? 'api/' : ''}${entityLower}`).replace(/\/$/, '');
-        const actionPermissions = this.getActionPermissions(moduleName, moduleConfig);
-        const hasPermissions = hasGlobalPermissions && !!(moduleConfig.permissions && moduleConfig.permissions.length > 0);
-        // Filter endpoints that apply to this model (Option A)
-        const modelEndpoints = (cfg.endpoints || []).filter(endpoint => {
-            const endpointModel = endpoint.model || (cfg === null || cfg === void 0 ? void 0 : cfg.model) || (moduleConfig.models && moduleConfig.models[0] ? moduleConfig.models[0].name : null);
-            return endpointModel === entityName || (endpointModel === null || endpointModel === void 0 ? void 0 : endpointModel.toLowerCase()) === entityLower;
+    sortRoutesBySpecificity(routes) {
+        return [...routes].sort((a, b) => {
+            const aSegments = a.path.split('/').filter(Boolean);
+            const bSegments = b.path.split('/').filter(Boolean);
+            const aParamCount = aSegments.filter(s => s.startsWith(':')).length;
+            const bParamCount = bSegments.filter(s => s.startsWith(':')).length;
+            return aParamCount - bParamCount;
         });
-        const controllerMethods = modelEndpoints
-            .filter(endpoint => {
-            const roles = actionPermissions[endpoint.action] || [];
-            return this.shouldGenerateMethod(endpoint.action, roles);
-        })
-            .map(endpoint => {
-            const roles = actionPermissions[endpoint.action] || [];
-            return this.generateControllerMethod(endpoint, entityName, roles, hasPermissions, kind, moduleConfig.actions);
-        })
-            .join('\n\n');
-        return controllerMethods;
     }
     /**
-     * Generate controller for a model (handles both single config and array) - Option D
+     * Resolve layout from YAML value.
+     * - undefined => use fallback (if provided)
+     * - "none" or "" => no layout
+     * - other values => use explicit layout name
      */
-    generateControllerForModel(model, moduleName, moduleConfig, hasGlobalPermissions, kind) {
-        const isApi = kind === 'api';
-        const cfgRaw = isApi ? moduleConfig.api : moduleConfig.routes;
-        const entityName = model.name;
-        const entityLower = entityName.toLowerCase();
-        // Support both single config and array (Option D)
-        let configs = [];
-        if (!cfgRaw) {
-            // No config - generate defaults for web routes only
-            if (!isApi) {
-                configs = [{
-                        prefix: `/${entityLower}`,
-                        endpoints: [
-                            { path: '/', action: 'list', method: 'GET', view: `${entityLower}List` },
-                            { path: '/:id', action: 'get', method: 'GET', view: `${entityLower}Detail` },
-                            { path: '/create', action: 'empty', method: 'GET', view: `${entityLower}Create` },
-                            { path: '/:id/edit', action: 'get', method: 'GET', view: `${entityLower}Update` }
-                        ]
-                    }];
-            }
-            else {
-                return '';
-            }
+    resolveLayout(layout, fallback) {
+        if (layout === undefined) {
+            return fallback;
         }
-        else if (Array.isArray(cfgRaw)) {
-            configs = cfgRaw;
+        const normalized = layout.trim();
+        if (!normalized || normalized.toLowerCase() === 'none') {
+            return undefined;
         }
-        else {
-            configs = [cfgRaw];
-        }
-        // For web routes, force GET method
-        if (!isApi) {
-            configs = configs.map(cfg => ({
-                ...cfg,
-                endpoints: (cfg.endpoints || []).map(e => ({ ...e, method: 'GET' }))
-            }));
-        }
-        // Generate methods from all configs
-        const allMethods = configs
-            .map(cfg => this.generateControllerForModelWithConfig(model, moduleName, moduleConfig, cfg, hasGlobalPermissions, kind))
-            .filter(methods => methods.trim() !== '')
-            .join('\n\n');
-        if (!allMethods.trim()) {
-            return '';
-        }
-        // Use the first config for controller base path (or default)
-        const firstConfig = configs[0];
-        const controllerBase = ((firstConfig === null || firstConfig === void 0 ? void 0 : firstConfig.prefix) || `/${isApi ? 'api/' : ''}${entityLower}`).replace(/\/$/, '');
-        const controllerClass = this.replaceTemplateVars(controllerTemplates_1.controllerTemplates.controllerClass, {
-            CONTROLLER_NAME: `${entityName}${isApi ? 'ApiController' : 'WebController'}`,
-            ENTITY_NAME: entityName,
-            ENTITY_LOWER: entityLower,
-            CONTROLLER_BASE: controllerBase,
-            CONTROLLER_METHODS: allMethods
-        });
-        return this.replaceTemplateVars(controllerTemplates_1.controllerFileTemplate, {
-            ENTITY_NAME: entityName,
-            JWT_IMPORT: '',
-            CONTROLLER_CLASS: controllerClass
+        return normalized;
+    }
+    generateApiController(resourceName, prefix, endpoints, useCasesConfig, childInfo) {
+        const controllerName = `${resourceName}ApiController`;
+        // Determine which use cases and DTOs are referenced
+        const useCaseModels = new Set();
+        const allDtoImports = new Set();
+        const allVoidOutputDtos = new Set();
+        const methods = [];
+        const sortedEndpoints = this.sortRoutesBySpecificity(endpoints);
+        sortedEndpoints.forEach(endpoint => {
+            const { model } = this.parseUseCase(endpoint.useCase);
+            useCaseModels.add(model);
+            const { method, dtoImports, voidOutputDtos } = this.generateApiEndpointMethod(endpoint, resourceName, useCasesConfig, childInfo);
+            methods.push(method);
+            dtoImports.forEach(d => allDtoImports.add(d));
+            voidOutputDtos.forEach(d => allVoidOutputDtos.add(d));
         });
+        // Generate imports
+        const useCaseImports = Array.from(useCaseModels)
+            .map(model => `import { ${model}UseCase } from '../../application/useCases/${model}UseCase';`)
+            .join('\n');
+        const dtoImportStatements = Array.from(allDtoImports)
+            .map(dto => {
+            if (allVoidOutputDtos.has(dto)) {
+                return `import { ${dto}Input } from '../../application/dto/${dto}';`;
+            }
+            return `import { ${dto}Input, ${dto}Output } from '../../application/dto/${dto}';`;
+        })
+            .join('\n');
+        // Generate constructor parameters
+        const constructorParams = Array.from(useCaseModels)
+            .map(model => `private ${model.toLowerCase()}UseCase: ${model}UseCase`)
+            .join(',\n    ');
+        return `import { Controller, Get, Post, Put, Delete, type IContext } from '@currentjs/router';
+${useCaseImports}
+${dtoImportStatements}
+
+@Controller('${prefix}')
+export class ${controllerName} {
+  constructor(
+    ${constructorParams}
+  ) {}
+
+${methods.join('\n\n')}
+}`;
     }
-    generateController(moduleName, moduleConfig, hasGlobalPermissions, kind) {
-        // Legacy method for backward compatibility - use first model
-        if (!moduleConfig.models || moduleConfig.models.length === 0) {
-            return '';
+    generateWebController(resourceName, prefix, layout, pages, config, childInfo) {
+        const controllerName = `${resourceName}WebController`;
+        // Child entities of this resource (for withChild). Only root entities can have withChild.
+        const withChildChildren = childInfo ? [] : (0, childEntityUtils_1.getChildrenOfParent)(config, resourceName);
+        // Determine which use cases and DTOs are referenced
+        const useCaseModels = new Set();
+        const allDtoImports = new Set();
+        const methods = [];
+        const sortedPages = this.sortRoutesBySpecificity(pages);
+        sortedPages.forEach((page, index) => {
+            var _a, _b;
+            if (page.useCase) {
+                const { model } = this.parseUseCase(page.useCase);
+                useCaseModels.add(model);
+            }
+            const { model, action } = page.useCase ? this.parseUseCase(page.useCase) : { model: '', action: '' };
+            const useCaseWithChild = model && action && ((_b = (_a = config.useCases[model]) === null || _a === void 0 ? void 0 : _a[action]) === null || _b === void 0 ? void 0 : _b.withChild) === true;
+            const withChildForThisPage = useCaseWithChild && action === 'get' && withChildChildren.length > 0 ? withChildChildren : undefined;
+            const { method, dtoImports } = this.generateWebPageMethod(page, resourceName, layout, index, childInfo, withChildForThisPage);
+            methods.push(method);
+            dtoImports.forEach(d => allDtoImports.add(d));
+        });
+        // Determine if any page actually uses withChild (only then inject child services)
+        const needsChildServices = withChildChildren.length > 0 && sortedPages.some(page => {
+            var _a, _b;
+            if (!page.useCase)
+                return false;
+            const { model: m, action: a } = this.parseUseCase(page.useCase);
+            return a === 'get' && ((_b = (_a = config.useCases[m]) === null || _a === void 0 ? void 0 : _a[a]) === null || _b === void 0 ? void 0 : _b.withChild) === true;
+        });
+        // Constructor: use cases + child entity services when withChild is actually used
+        const serviceImports = [];
+        const constructorParams = [];
+        Array.from(useCaseModels).forEach(model => {
+            constructorParams.push(`private ${model.toLowerCase()}UseCase: ${model}UseCase`);
+        });
+        if (needsChildServices) {
+            withChildChildren.forEach(child => {
+                const childVar = child.childEntityName.charAt(0).toLowerCase() + child.childEntityName.slice(1);
+                serviceImports.push(`import { ${child.childEntityName}Service } from '../../application/services/${child.childEntityName}Service';`);
+                constructorParams.push(`private ${childVar}Service: ${child.childEntityName}Service`);
+            });
         }
-        return this.generateControllerForModel(moduleConfig.models[0], moduleName, moduleConfig, hasGlobalPermissions, kind);
+        const useCaseImports = Array.from(useCaseModels)
+            .map(model => `import { ${model}UseCase } from '../../application/useCases/${model}UseCase';`)
+            .join('\n');
+        const dtoImportStatements = Array.from(allDtoImports)
+            .map(dto => `import { ${dto}Input } from '../../application/dto/${dto}';`)
+            .join('\n');
+        const constructorBlock = constructorParams.length > 0
+            ? `constructor(
+    ${constructorParams.join(',\n    ')}
+  ) {}`
+            : 'constructor() {}';
+        return `import { Controller, Get, Post, Render, type IContext } from '@currentjs/router';
+${useCaseImports}
+${serviceImports.join('\n')}
+${dtoImportStatements}
+
+@Controller('${prefix}')
+export class ${controllerName} {
+  ${constructorBlock}
+
+${methods.join('\n\n')}
+}`;
     }
-    generateFromYamlFile(yamlFilePath) {
-        const yamlContent = fs.readFileSync(yamlFilePath, 'utf8');
-        const config = (0, yaml_1.parse)(yamlContent);
+    generateFromConfig(config) {
         const result = {};
-        const hasGlobalPermissions = this.hasPermissions(config);
-        if (config.modules) {
-            Object.entries(config.modules).forEach(([moduleName, moduleConfig]) => {
-                if (moduleConfig.models && moduleConfig.models.length > 0) {
-                    // Generate controllers for each model
-                    moduleConfig.models.forEach(model => {
-                        const apiControllerCode = this.generateControllerForModel(model, moduleName, moduleConfig, hasGlobalPermissions, 'api');
-                        if (apiControllerCode)
-                            result[`${model.name}Api`] = apiControllerCode;
-                        const webControllerCode = this.generateControllerForModel(model, moduleName, moduleConfig, hasGlobalPermissions, 'web');
-                        if (webControllerCode)
-                            result[`${model.name}Web`] = webControllerCode;
-                    });
-                }
+        const childEntityMap = (0, childEntityUtils_1.buildChildEntityMap)(config);
+        // Generate API controllers
+        if (config.api) {
+            Object.entries(config.api).forEach(([resourceName, resourceConfig]) => {
+                const childInfo = childEntityMap.get(resourceName);
+                const code = this.generateApiController(resourceName, resourceConfig.prefix, resourceConfig.endpoints, config.useCases, childInfo);
+                result[`${resourceName}Api`] = code;
             });
         }
-        else {
-            const moduleName = 'Module';
-            const moduleConfig = config;
-            if (moduleConfig.models && moduleConfig.models.length > 0) {
-                // Generate controllers for each model
-                moduleConfig.models.forEach(model => {
-                    const apiControllerCode = this.generateControllerForModel(model, moduleName, moduleConfig, hasGlobalPermissions, 'api');
-                    if (apiControllerCode)
-                        result[`${model.name}Api`] = apiControllerCode;
-                    const webControllerCode = this.generateControllerForModel(model, moduleName, moduleConfig, hasGlobalPermissions, 'web');
-                    if (webControllerCode)
-                        result[`${model.name}Web`] = webControllerCode;
-                });
-            }
+        // Generate Web controllers
+        if (config.web) {
+            Object.entries(config.web).forEach(([resourceName, resourceConfig]) => {
+                const childInfo = childEntityMap.get(resourceName);
+                const moduleLayout = this.resolveLayout(resourceConfig.layout, 'main_view');
+                const code = this.generateWebController(resourceName, resourceConfig.prefix, moduleLayout, resourceConfig.pages, config, childInfo);
+                result[`${resourceName}Web`] = code;
+            });
         }
         return result;
     }
-    async generateAndSaveFiles(yamlFilePath = constants_1.COMMON_FILES.APP_YAML, outputDir = 'infrastructure', opts) {
+    generateFromYamlFile(yamlFilePath) {
         const yamlContent = fs.readFileSync(yamlFilePath, 'utf8');
         const config = (0, yaml_1.parse)(yamlContent);
-        const hasGlobalPermissions = this.hasPermissions(config);
-        const controllers = this.generateFromYamlFile(yamlFilePath);
-        const generatedControllerPaths = [];
-        const controllersDir = path.join(outputDir, 'controllers');
+        if (!(0, configTypes_1.isValidModuleConfig)(config)) {
+            throw new Error('Configuration does not match new module format. Expected domain/useCases/api/web structure.');
+        }
+        return this.generateFromConfig(config);
+    }
+    async generateAndSaveFiles(yamlFilePath, moduleDir, opts) {
+        const controllersByName = this.generateFromYamlFile(yamlFilePath);
+        const controllersDir = path.join(moduleDir, 'infrastructure', 'controllers');
         fs.mkdirSync(controllersDir, { recursive: true });
-        for (const [moduleName, controllerCode] of Object.entries(controllers)) {
-            const fileName = `${moduleName}Controller.ts`;
-            const filePath = path.join(controllersDir, fileName);
+        const generatedPaths = [];
+        for (const [name, code] of Object.entries(controllersByName)) {
+            const filePath = path.join(controllersDir, `${name}Controller.ts`);
             // eslint-disable-next-line no-await-in-loop
-            await (0, generationRegistry_1.writeGeneratedFile)(filePath, controllerCode, { force: !!(opts === null || opts === void 0 ? void 0 : opts.force), skipOnConflict: !!(opts === null || opts === void 0 ? void 0 : opts.skipOnConflict) });
-            generatedControllerPaths.push(filePath);
+            await (0, generationRegistry_1.writeGeneratedFile)(filePath, code, { force: !!(opts === null || opts === void 0 ? void 0 : opts.force), skipOnConflict: !!(opts === null || opts === void 0 ? void 0 : opts.skipOnConflict) });
+            generatedPaths.push(filePath);
         }
         // eslint-disable-next-line no-console
         console.log('\n' + colors_1.colors.green('Controller files generated successfully!') + '\n');
-        return generatedControllerPaths;
+        return generatedPaths;
     }
 }
 exports.ControllerGenerator = ControllerGenerator;