@mantiq/core 0.5.6 → 0.5.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/core",
-  "version": "0.5.6",
+  "version": "0.5.8",
   "description": "Service container, router, middleware, HTTP kernel, config, and exception handler",
   "type": "module",
   "license": "MIT",

package/src/application/Application.ts

@@ -188,12 +188,14 @@ export class Application extends ContainerImpl {
           if (mod[providerName] && typeof mod[providerName] === 'function') {
             providers.push(mod[providerName])
           }
-        } catch {
-          // Skip packages that can't be loaded
+        } catch (e) {
+          if (process.env.APP_DEBUG === 'true') {
+            console.warn(`[Mantiq] Failed to load provider from ${file}:`, (e as Error)?.message ?? e)
+          }
         }
       }
     } catch {
-      // node_modules/@mantiq doesn't exist
+      // node_modules/@mantiq doesn't exist — expected when no @mantiq packages installed
     }
 
     return providers

package/src/discovery/Discoverer.ts

@@ -1,5 +1,5 @@
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs'
-import { dirname, join, relative } from 'node:path'
+import { basename, dirname, join, relative } from 'node:path'
 
 /**
  * Auto-discovers application classes by scanning conventional directories.
@@ -126,17 +126,39 @@ export class Discoverer {
   /**
    * Load and register all discovered route files.
    * Each route file should export a default function: (router) => void
+   *
+   * Routes are auto-wrapped in middleware groups by filename convention:
+   * - web.ts → router.group({ middleware: ['web'] })
+   * - api.ts → router.group({ middleware: ['api'], prefix: '/api' })
+   * - Other files (console.ts, channels.ts) → loaded as-is
    */
   async loadRoutes(manifest: DiscoveryManifest, router: any): Promise<void> {
+    const groupMap: Record<string, { prefix: string }> = {
+      web: { prefix: '' },
+      api: { prefix: '/api' },
+    }
+
     for (const file of manifest.routes) {
       const fullPath = join(this.basePath, file)
       try {
         const mod = await import(fullPath)
-        if (typeof mod.default === 'function') {
+        if (typeof mod.default !== 'function') continue
+
+        const stem = basename(file, '.ts')
+        const group = groupMap[stem]
+
+        if (group) {
+          router.group(
+            { middleware: [stem], prefix: group.prefix },
+            (r: any) => mod.default(r),
+          )
+        } else {
           mod.default(router)
         }
-      } catch {
-        // Skip unloadable routes
+      } catch (e) {
+        if (process.env.APP_DEBUG === 'true') {
+          console.warn(`[Mantiq] Failed to load route file ${file}:`, (e as Error)?.message ?? e)
+        }
       }
     }
   }

package/src/helpers/dd.ts

@@ -0,0 +1,52 @@
+/**
+ * Dump values to console and die (exit process).
+ * Laravel's dd() equivalent.
+ *
+ * @example dd(user)
+ * @example dd(user, request.query(), 'debug')
+ */
+export function dd(...args: any[]): never {
+  dump(...args)
+  process.exit(1)
+}
+
+/**
+ * Dump values to console with colorized, inspected output.
+ * Like dd() but doesn't exit.
+ *
+ * @example dump(user)
+ * @example dump(user, request.query())
+ */
+export function dump(...args: any[]): void {
+  for (const arg of args) {
+    if (arg === null) {
+      console.log('\x1b[2mnull\x1b[0m')
+    } else if (arg === undefined) {
+      console.log('\x1b[2mundefined\x1b[0m')
+    } else if (typeof arg === 'string') {
+      console.log(`\x1b[32m"${arg}"\x1b[0m`)
+    } else if (typeof arg === 'number' || typeof arg === 'bigint') {
+      console.log(`\x1b[33m${arg}\x1b[0m`)
+    } else if (typeof arg === 'boolean') {
+      console.log(`\x1b[35m${arg}\x1b[0m`)
+    } else if (arg instanceof Error) {
+      console.log(`\x1b[31m${arg.constructor.name}: ${arg.message}\x1b[0m`)
+      if (arg.stack) {
+        const frames = arg.stack.split('\n').slice(1, 6).map(l => `  \x1b[2m${l.trim()}\x1b[0m`)
+        console.log(frames.join('\n'))
+      }
+    } else if (Array.isArray(arg)) {
+      console.dir(arg, { depth: 4, colors: true })
+    } else if (typeof arg === 'object') {
+      // Model instances — use toObject() if available
+      if (typeof arg.toObject === 'function') {
+        console.log(`\x1b[36m${arg.constructor?.name ?? 'Object'}\x1b[0m`)
+        console.dir(arg.toObject(), { depth: 4, colors: true })
+      } else {
+        console.dir(arg, { depth: 4, colors: true })
+      }
+    } else {
+      console.log(arg)
+    }
+  }
+}

package/src/helpers/paths.ts

@@ -0,0 +1,71 @@
+import { Application } from '../application/Application.ts'
+
+/**
+ * Get the application base path or a path relative to it.
+ *
+ * @example base_path()              // '/Users/you/my-app'
+ * @example base_path('config')      // '/Users/you/my-app/config'
+ */
+export function base_path(path: string = ''): string {
+  return Application.getInstance().basePath_(path)
+}
+
+/**
+ * Get the app directory path.
+ *
+ * @example app_path()               // '/Users/you/my-app/app'
+ * @example app_path('Models')       // '/Users/you/my-app/app/Models'
+ */
+export function app_path(path: string = ''): string {
+  return base_path(path ? `app/${path}` : 'app')
+}
+
+/**
+ * Get the config directory path.
+ *
+ * @example config_path()            // '/Users/you/my-app/config'
+ * @example config_path('app.ts')    // '/Users/you/my-app/config/app.ts'
+ */
+export function config_path(path: string = ''): string {
+  return Application.getInstance().configPath(path)
+}
+
+/**
+ * Get the database directory path.
+ *
+ * @example database_path()                      // '/Users/you/my-app/database'
+ * @example database_path('migrations')          // '/Users/you/my-app/database/migrations'
+ */
+export function database_path(path: string = ''): string {
+  return base_path(path ? `database/${path}` : 'database')
+}
+
+/**
+ * Get the storage directory path.
+ *
+ * @example storage_path()            // '/Users/you/my-app/storage'
+ * @example storage_path('logs')      // '/Users/you/my-app/storage/logs'
+ */
+export function storage_path(path: string = ''): string {
+  return Application.getInstance().storagePath(path)
+}
+
+/**
+ * Get the public directory path.
+ *
+ * @example public_path()             // '/Users/you/my-app/public'
+ * @example public_path('build')      // '/Users/you/my-app/public/build'
+ */
+export function public_path(path: string = ''): string {
+  return base_path(path ? `public/${path}` : 'public')
+}
+
+/**
+ * Get the resources directory path.
+ *
+ * @example resource_path()           // '/Users/you/my-app/resources'
+ * @example resource_path('views')    // '/Users/you/my-app/resources/views'
+ */
+export function resource_path(path: string = ''): string {
+  return base_path(path ? `resources/${path}` : 'resources')
+}

package/src/http/Kernel.ts

@@ -100,8 +100,8 @@ export class HttpKernel {
     const request = MantiqRequest.fromBun(bunRequest)
 
     try {
-      // Combine prepend + global + append middleware
-      const allMiddleware = [...this.prependMiddleware, ...this.globalMiddleware, ...this.appendMiddleware]
+      // Combine prepend + global + append middleware (deduplicated, preserving order)
+      const allMiddleware = [...new Set([...this.prependMiddleware, ...this.globalMiddleware, ...this.appendMiddleware])]
       const globalClasses = this.resolveMiddlewareList(allMiddleware)
 
       const response = await new Pipeline(this.container)

package/src/index.ts

@@ -100,3 +100,5 @@ export { response, json, html, redirect, noContent, stream, download } from './h
 export { hash, hashCheck } from './helpers/hash.ts'
 export { cache } from './helpers/cache.ts'
 export { session } from './helpers/session.ts'
+export { dd, dump } from './helpers/dd.ts'
+export { base_path, app_path, config_path, database_path, storage_path, public_path, resource_path } from './helpers/paths.ts'

package/src/middleware/Cors.ts

@@ -19,13 +19,18 @@ export class CorsMiddleware implements Middleware {
   private config: CorsConfig
 
   constructor(configRepo?: ConfigRepository) {
+    // Smart default: use APP_URL as origin with credentials when available
+    const appUrl = configRepo?.get('app.url', '') as string
+    const defaultOrigin = appUrl || '*'
+    const defaultCredentials = !!appUrl
+
     this.config = {
-      origin: configRepo?.get('cors.origin', '*') ?? '*',
+      origin: configRepo?.get('cors.origin', defaultOrigin) ?? defaultOrigin,
       methods: configRepo?.get('cors.methods', ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']) ?? ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
-      allowedHeaders: configRepo?.get('cors.allowedHeaders', ['Content-Type', 'Authorization', 'X-Requested-With']) ?? ['Content-Type', 'Authorization', 'X-Requested-With'],
-      exposedHeaders: configRepo?.get('cors.exposedHeaders', []) ?? [],
-      credentials: configRepo?.get('cors.credentials', false) ?? false,
-      maxAge: configRepo?.get('cors.maxAge', 0) ?? 0,
+      allowedHeaders: configRepo?.get('cors.allowedHeaders', ['Content-Type', 'Authorization', 'X-Requested-With', 'X-CSRF-TOKEN', 'X-XSRF-TOKEN', 'X-Mantiq']) ?? ['Content-Type', 'Authorization', 'X-Requested-With', 'X-CSRF-TOKEN', 'X-XSRF-TOKEN', 'X-Mantiq'],
+      exposedHeaders: configRepo?.get('cors.exposedHeaders', ['X-Heartbeat']) ?? ['X-Heartbeat'],
+      credentials: configRepo?.get('cors.credentials', defaultCredentials) ?? defaultCredentials,
+      maxAge: configRepo?.get('cors.maxAge', 7200) ?? 7200,
     }
   }
 

package/src/middleware/EncryptCookies.ts

@@ -11,7 +11,7 @@ import { parseCookies, serializeCookie } from '../http/Cookie.ts'
  */
 export class EncryptCookies implements Middleware {
   /** Cookie names that should NOT be encrypted/decrypted. */
-  protected except: string[] = []
+  protected except: string[] = ['XSRF-TOKEN']
 
   constructor(private readonly encrypter: AesEncrypter) {}
 

package/src/middleware/VerifyCsrfToken.ts

@@ -39,8 +39,9 @@ export class VerifyCsrfToken implements Middleware {
     // Read-only methods don't need CSRF
     if (['GET', 'HEAD', 'OPTIONS'].includes(method)) return false
 
-    // Check exclusions
     const path = request.path()
+
+    // Check user-defined exclusions
     return !this.except.some((pattern) => {
       if (pattern.endsWith('*')) {
         return path.startsWith(pattern.slice(0, -1))
@@ -77,7 +78,9 @@ export class VerifyCsrfToken implements Middleware {
     const xsrfHeader = request.header('x-xsrf-token')
     if (xsrfHeader) {
       try {
-        return await this.encrypter.decrypt(xsrfHeader)
+        // Cookie values may be URL-encoded — decode before decrypting
+        const decoded = decodeURIComponent(xsrfHeader)
+        return await this.encrypter.decrypt(decoded)
       } catch {
         return null
       }

package/src/providers/CoreServiceProvider.ts

@@ -107,11 +107,21 @@ export class CoreServiceProvider extends ServiceProvider {
     kernel.registerMiddleware('session', StartSession)
     kernel.registerMiddleware('csrf', VerifyCsrfToken)
 
-    // Set default global middleware stack (can be overridden in config/app.ts)
+    // Register middleware groups from config
     const configRepo = this.app.make(ConfigRepository)
-    const globalMiddleware = configRepo.get('app.middleware', [
-      'cors', 'encrypt.cookies', 'session',
-    ]) as string[]
-    kernel.setGlobalMiddleware(globalMiddleware)
+    const middlewareGroups = configRepo.get('app.middlewareGroups', {
+      web: ['cors', 'encrypt.cookies', 'session', 'csrf'],
+      api: ['cors', 'throttle'],
+    }) as Record<string, string[]>
+
+    for (const [name, middleware] of Object.entries(middlewareGroups)) {
+      kernel.registerMiddlewareGroup(name, middleware)
+    }
+
+    // Legacy: if app.middleware is set, apply as global middleware (backward compat)
+    const globalMiddleware = configRepo.get('app.middleware', []) as string[]
+    if (globalMiddleware.length > 0) {
+      kernel.setGlobalMiddleware(globalMiddleware)
+    }
   }
 }