@gravito/monolith 1.0.0-alpha.6 → 1.0.0

package/ion/src/index.js

@@ -2384,7 +2384,7 @@ var require_cjs = __commonJS((exports, module) => {
 });
 // ../core/package.json
 var package_default = {
-  name: "gravito-core",
+  name: "@gravito/core",
   version: "1.0.0-beta.2",
   description: "",
   module: "./dist/index.mjs",
@@ -3082,7 +3082,7 @@ async function handleProcessError(kind, error) {
       }
     }));
   } catch (e) {
-    console.error("[gravito-core] Failed to handle process-level error:", e);
+    console.error("[@gravito/core] Failed to handle process-level error:", e);
   } finally {
     if (shouldExit) {
       clearTimeout(exitTimer);

package/package.json

@@ -1,32 +1,46 @@
 {
   "name": "@gravito/monolith",
-  "version": "1.0.0-alpha.6",
-  "description": "Content management and Markdown rendering orbit for Gravito",
-  "main": "dist/index.js",
+  "version": "1.0.0",
+  "description": "Enterprise monolith framework for Gravito Galaxy",
+  "main": "dist/index.cjs",
+  "module": "dist/index.js",
+  "type": "module",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
   "scripts": {
-    "build": "bun build ./src/index.ts --outdir ./dist --target node",
-    "test": "bun test"
+    "build": "tsup src/index.ts --format esm,cjs --dts",
+    "test": "bun test",
+    "test:coverage": "bun test --coverage --coverage-threshold=80",
+    "typecheck": "bun tsc -p tsconfig.json --noEmit --skipLibCheck"
   },
   "keywords": [
     "gravito",
     "orbit",
-    "content",
-    "markdown",
-    "cms"
+    "monolith",
+    "backend"
   ],
   "author": "Carl Lee <carllee0520@gmail.com>",
   "license": "MIT",
-  "peerDependencies": {
-    "gravito-core": "1.0.0-beta.5"
-  },
   "dependencies": {
     "marked": "^11.1.1",
-    "gray-matter": "^4.0.3"
+    "gray-matter": "^4.0.3",
+    "@gravito/mass": "workspace:*"
+  },
+  "peerDependencies": {
+    "@gravito/core": "workspace:*"
   },
   "devDependencies": {
-    "bun-types": "latest",
-    "@types/marked": "^5.0.0"
+    "@gravito/core": "workspace:*",
+    "@types/marked": "^5.0.0",
+    "bun-types": "^1.3.5",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
   },
   "publishConfig": {
     "access": "public"
@@ -37,4 +51,4 @@
     "url": "git+https://github.com/gravito-framework/gravito.git",
     "directory": "packages/monolith"
   }
-}
+}

package/src/ContentManager.ts

@@ -20,6 +20,19 @@ export class ContentManager {
   private collections = new Map<string, CollectionConfig>()
   // Simple memory cache: collection:locale:slug -> ContentItem
   private cache = new Map<string, ContentItem>()
+  private renderer = (() => {
+    const renderer = new marked.Renderer()
+    renderer.html = (html: string) => this.escapeHtml(html)
+    renderer.link = (href: string | null, title: string | null, text: string) => {
+      if (!href || !this.isSafeUrl(href)) {
+        return text
+      }
+      const safeHref = this.escapeHtml(href)
+      const titleAttr = title ? ` title="${this.escapeHtml(title)}"` : ''
+      return `<a href="${safeHref}"${titleAttr}>${text}</a>`
+    }
+    return renderer
+  })()
 
   /**
    * Create a new ContentManager instance.
@@ -53,6 +66,12 @@ export class ContentManager {
       throw new Error(`Collection '${collectionName}' not defined`)
     }
 
+    const safeSlug = this.sanitizeSegment(slug)
+    const safeLocale = this.sanitizeSegment(locale)
+    if (!safeSlug || !safeLocale) {
+      return null
+    }
+
     const cacheKey = `${collectionName}:${locale}:${slug}`
     if (this.cache.has(cacheKey)) {
       return this.cache.get(cacheKey)!
@@ -60,7 +79,7 @@ export class ContentManager {
 
     // Determine path strategy
     // Strategy: {root}/{path}/{locale}/{slug}.md
-    const filePath = join(this.rootDir, config.path, locale, `${slug}.md`)
+    const filePath = join(this.rootDir, config.path, safeLocale, `${safeSlug}.md`)
 
     try {
       const exists = await stat(filePath)
@@ -71,16 +90,16 @@ export class ContentManager {
       }
 
       const fileContent = await readFile(filePath, 'utf-8')
-      const { data, content, exemption } = matter(fileContent)
+      const { data, content, excerpt } = matter(fileContent)
 
-      const html = await marked.parse(content)
+      const html = await marked.parse(content, { renderer: this.renderer })
 
       const item: ContentItem = {
         slug,
         body: html,
         meta: data,
         raw: content,
-        excerpt: exemption,
+        excerpt: excerpt,
       }
 
       this.cache.set(cacheKey, item)
@@ -106,7 +125,12 @@ export class ContentManager {
       throw new Error(`Collection '${collectionName}' not defined`)
     }
 
-    const dirPath = join(this.rootDir, config.path, locale)
+    const safeLocale = this.sanitizeSegment(locale)
+    if (!safeLocale) {
+      return []
+    }
+
+    const dirPath = join(this.rootDir, config.path, safeLocale)
 
     try {
       const files = await readdir(dirPath)
@@ -117,7 +141,7 @@ export class ContentManager {
           continue
         }
         const slug = parse(file).name
-        const item = await this.find(collectionName, slug, locale)
+        const item = await this.find(collectionName, slug, safeLocale)
         if (item) {
           items.push(item)
         }
@@ -129,4 +153,50 @@ export class ContentManager {
       return []
     }
   }
+
+  private sanitizeSegment(value: string): string | null {
+    if (!value) {
+      return null
+    }
+    if (value.includes('\0')) {
+      return null
+    }
+    if (value.includes('/') || value.includes('\\')) {
+      return null
+    }
+    if (value.includes('..')) {
+      return null
+    }
+    return value
+  }
+
+  private escapeHtml(value: string): string {
+    return value
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#39;')
+  }
+
+  private isSafeUrl(href: string): boolean {
+    const trimmed = href.trim()
+    if (!trimmed) {
+      return false
+    }
+    const lower = trimmed.toLowerCase()
+    if (
+      lower.startsWith('javascript:') ||
+      lower.startsWith('vbscript:') ||
+      lower.startsWith('data:')
+    ) {
+      return false
+    }
+    const schemeMatch = lower.match(/^[a-z][a-z0-9+.-]*:/)
+    if (!schemeMatch) {
+      return true
+    }
+    const scheme = schemeMatch[0]
+    return scheme === 'http:' || scheme === 'https:' || scheme === 'mailto:'
+  }
 }

package/src/Controller.ts

@@ -0,0 +1,82 @@
+import type { GravitoContext } from '@gravito/core'
+import { Sanitizer } from './Sanitizer.js'
+
+export abstract class BaseController {
+  protected sanitizer = new Sanitizer()
+
+  async call(ctx: GravitoContext, method: string): Promise<Response> {
+    const action = (this as any)[method] as (ctx: GravitoContext) => Promise<Response>
+    if (typeof action !== 'function') {
+      throw new Error(`Method ${method} not found on controller`)
+    }
+
+    return await action.apply(this, [ctx])
+  }
+}
+
+export abstract class Controller {
+  protected context!: GravitoContext
+
+  /**
+   * Set the request context for this controller instance.
+   */
+  public setContext(context: GravitoContext): this {
+    this.context = context
+    return this
+  }
+
+  /**
+   * Return a JSON response.
+   */
+  protected json(data: any, status = 200) {
+    return this.context.json(data, status as any)
+  }
+
+  /**
+   * Return a text response.
+   */
+  protected text(text: string, status = 200) {
+    return this.context.text(text, status as any)
+  }
+
+  /**
+   * Redirect to a given URL.
+   */
+  protected redirect(url: string, status = 302) {
+    return this.context.redirect(url, status as any)
+  }
+
+  /**
+   * Get an item from the context variables.
+   */
+  protected get(key: string): any {
+    return this.context.get(key as any)
+  }
+
+  /**
+   * Get the request object.
+   */
+  protected get request() {
+    return this.context.req
+  }
+
+  /**
+   * Validate the request against a schema.
+   */
+  protected async validate(_schema: any, source: 'json' | 'query' | 'form' = 'json'): Promise<any> {
+    const req = this.context.req as any
+    return req.valid(source)
+  }
+
+  /**
+   * Resolve a controller action into a handler compatible with GravitoContext.
+   */
+  public static call(method: string): any {
+    return async (c: GravitoContext) => {
+      const instance = new (this as any)()
+      instance.setContext(c)
+      const action = instance[method] as (ctx: GravitoContext) => Promise<Response>
+      return action.apply(instance, [c])
+    }
+  }
+}

package/src/FormRequest.ts

@@ -0,0 +1,86 @@
+import type { GravitoContext, GravitoNext } from '@gravito/core'
+import { type TSchema, validate } from '@gravito/mass'
+import { Sanitizer } from './Sanitizer.js'
+
+export abstract class FormRequest {
+  protected context!: GravitoContext
+
+  /**
+   * Define the validation schema.
+   */
+  abstract schema(): TSchema
+
+  /**
+   * Define the source of data (json, query, form, etc.).
+   */
+  source(): 'json' | 'query' | 'form' {
+    return 'json'
+  }
+
+  /**
+   * Determine if the user is authorized to make this request.
+   */
+  authorize(): boolean {
+    return true
+  }
+
+  /**
+   * Set the context.
+   */
+  public setContext(context: GravitoContext): this {
+    this.context = context
+    return this
+  }
+
+  /**
+   * Get the validated data.
+   */
+  public validated(): any {
+    const data = (this.context.req as any).valid(this.source())
+    return Sanitizer.clean(data)
+  }
+
+  /**
+   * Static helper to create a middleware from this request class.
+   */
+  public static middleware(): any {
+    const RequestClass = this as any
+
+    return async (c: GravitoContext, next: GravitoNext) => {
+      const instance = new RequestClass()
+      instance.setContext(c)
+
+      // 1. Authorization Check
+      if (!instance.authorize()) {
+        return c.json({ message: 'This action is unauthorized.' }, 403)
+      }
+
+      // 2. Validation using mass
+      // Use double cast to bypass strict Hono Context type matching in CI
+      const validator = validate(instance.source(), instance.schema(), (result: any, ctx: any) => {
+        if (!result.success) {
+          const errors: Record<string, string[]> = {}
+          const issues = result.error?.issues || []
+
+          for (const issue of issues) {
+            const path = Array.isArray(issue.path) ? issue.path.join('.') : issue.path || 'root'
+            const key = path.replace(/^\//, '').replace(/\//g, '.')
+            if (!errors[key]) errors[key] = []
+            errors[key].push(issue.message || 'Validation failed')
+          }
+
+          return ctx.json(
+            {
+              message: 'The given data was invalid.',
+              errors: Object.keys(errors).length > 0 ? errors : { root: ['Validation failed'] },
+            },
+            422
+          )
+        }
+      })
+
+      // Forced cast to any to ensure CI compatibility
+      return (validator as any)(c as any, next as any)
+    }
+  }
+}

package/src/Router.ts

@@ -0,0 +1,35 @@
+import type { Hono } from 'hono'
+
+export class RouterHelper {
+  /**
+   * Register standard resource routes for a controller.
+   *
+   * GET    /prefix          -> index
+   * GET    /prefix/create   -> create
+   * POST   /prefix          -> store
+   * GET    /prefix/:id      -> show
+   * GET    /prefix/:id/edit -> edit
+   * PUT    /prefix/:id      -> update
+   * DELETE /prefix/:id      -> destroy
+   */
+  public static resource(app: Hono<any, any, any>, prefix: string, controller: any) {
+    const p = prefix.startsWith('/') ? prefix : `/${prefix}`
+
+    // Mapping: Method -> [HTTP Verb, Path Suffix]
+    const routes: Record<string, [string, string]> = {
+      index: ['get', ''],
+      create: ['get', '/create'],
+      store: ['post', ''],
+      show: ['get', '/:id'],
+      edit: ['get', '/:id/edit'],
+      update: ['put', '/:id'],
+      destroy: ['delete', '/:id'],
+    }
+
+    for (const [method, [verb, suffix]] of Object.entries(routes)) {
+      if (typeof controller.prototype[method] === 'function') {
+        ;(app as any)[verb](`${p}${suffix}`, controller.call(method))
+      }
+    }
+  }
+}

package/src/Sanitizer.ts

@@ -0,0 +1,32 @@
+/**
+ * Utility to clean up request data.
+ */
+export class Sanitizer {
+  /**
+   * Recursively trim strings and convert empty strings to null.
+   */
+  public static clean(data: any): any {
+    if (!data || typeof data !== 'object') {
+      return data
+    }
+
+    const cleaned: any = Array.isArray(data) ? [] : {}
+
+    for (const key in data) {
+      let value = data[key]
+
+      if (typeof value === 'string') {
+        value = value.trim()
+        if (value === '') {
+          value = null
+        }
+      } else if (typeof value === 'object' && value !== null) {
+        value = this.clean(value)
+      }
+
+      cleaned[key] = value
+    }
+
+    return cleaned
+  }
+}

package/src/index.ts

@@ -1,7 +1,7 @@
-import type { GravitoOrbit, PlanetCore } from 'gravito-core'
+import type { GravitoOrbit, PlanetCore } from '@gravito/core'
 import { type CollectionConfig, ContentManager } from './ContentManager'
 
-declare module 'gravito-core' {
+declare module '@gravito/core' {
   interface Variables {
     content: ContentManager
   }
@@ -40,4 +40,8 @@ export class OrbitMonolith implements GravitoOrbit {
   }
 }
 
+export { Schema } from '@gravito/mass'
 export * from './ContentManager'
+export * from './Controller'
+export * from './FormRequest'
+export { RouterHelper as Route } from './Router'

package/src/middleware/TrimStrings.ts

@@ -0,0 +1,39 @@
+import type { MiddlewareHandler } from 'hono'
+
+/**
+ * Automatically trim all strings in the request body and query.
+ */
+export const trimStrings = (): MiddlewareHandler => {
+  return async (c, next) => {
+    // We proxy the req.json and req.query methods to return trimmed data
+    // This is more efficient than pre-processing everything if the controller doesn't use it.
+
+    // However, for best DX, we will attempt to clean the body if it's JSON
+    if (c.req.header('Content-Type')?.includes('application/json')) {
+      try {
+        const body = await c.req.json()
+        clean(body, (val) => (typeof val === 'string' ? val.trim() : val))
+        // Since Hono's body is already read, we might need to store it in context
+        // But for now, let's assume we use a simpler approach for the prototype.
+      } catch {
+        // Skip if not valid JSON
+      }
+    }
+
+    await next()
+  }
+}
+
+function clean(obj: any, transform: (val: any) => any) {
+  if (!obj || typeof obj !== 'object') {
+    return
+  }
+
+  for (const key in obj) {
+    if (typeof obj[key] === 'object') {
+      clean(obj[key], transform)
+    } else {
+      obj[key] = transform(obj[key])
+    }
+  }
+}

package/tests/ecommerce_integration.test.ts

@@ -0,0 +1,58 @@
+import { beforeAll, describe, expect, it } from 'bun:test'
+import { Photon } from '@gravito/photon'
+import { Controller, FormRequest, Schema } from '../src'
+
+// --- 模擬電商控制器與請求 ---
+
+class StoreProductRequest extends FormRequest {
+  schema() {
+    return Schema.Object({
+      name: Schema.String({ minLength: 3 }),
+      price: Schema.Number({ minimum: 0 }),
+    })
+  }
+}
+
+class ProductController extends Controller {
+  async store() {
+    const request = new StoreProductRequest().setContext(this.context)
+    const data = request.validated()
+    return this.json({ success: true, product: data }, 201)
+  }
+}
+
+// --- 測試 ---
+
+describe('Ecommerce MVC Integration (Shared Environment)', () => {
+  let app: Photon
+
+  beforeAll(() => {
+    app = new Photon()
+    // 手動註冊路由以驗證
+    app.post('/products', StoreProductRequest.middleware(), ProductController.call('store'))
+  })
+
+  it('should return 422 when data is invalid', async () => {
+    const res = await app.request('/products', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ name: 'Hi', price: -1 }),
+    })
+
+    expect(res.status).toBe(422)
+    const data: any = await res.json()
+    expect(data.message).toBe('The given data was invalid.')
+  })
+
+  it('should return 201 and sanitized data when valid', async () => {
+    const res = await app.request('/products', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ name: '  Galaxy Pro  ', price: 999 }),
+    })
+
+    expect(res.status).toBe(201)
+    const data: any = await res.json()
+    expect(data.product.name).toBe('Galaxy Pro') // 驗證自動 Trim
+  })
+})