@nitronjs/framework 0.2.23 → 0.2.26

package/cli/njs.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 
 const COLORS = {
     reset: "\x1b[0m",
@@ -183,7 +183,7 @@ async function run() {
         if (exitCode !== null) {
             const { default: checkForUpdates } = await import("../lib/Console/UpdateChecker.js");
             await checkForUpdates();
-            process.exitCode = exitCode;
+            process.exit(exitCode);
         }
     } catch (error) {
         console.error(`${COLORS.red}Error: ${error.message}${COLORS.reset}`);

package/lib/Console/UpdateChecker.js

@@ -78,34 +78,28 @@ function stripAnsi(str) {
 }
 
 function printUpdateNotice(current, latest) {
-    const title = `${C.yellow}${C.bold}Update available${C.reset}`;
-    const version = `${C.dim}${current}${C.reset}  ${C.cyan}\u2192${C.reset}  ${C.green}${C.bold}${latest}${C.reset}`;
-    const cmd = `${C.cyan}npm update @nitronjs/framework --save${C.reset}`;
+    const boxWidth = 70;
+    const border = C.yellow;
+    const pad = (content, length) => content + " ".repeat(Math.max(0, length - stripAnsi(content).length));
 
     const lines = [
+        `${border}${C.bold}!${C.reset} ${C.bold}Update available${C.reset}`,
         "",
-        `   ${title}`,
-        `   ${version}`,
+        `${C.bold}Current:${C.reset} ${current}`,
+        `${C.bold}Latest:${C.reset}  ${C.green}${C.bold}${latest}${C.reset}`,
         "",
-        `   ${cmd}`,
-        ""
+        `${C.bold}Run:${C.reset}     ${C.cyan}npm update @nitronjs/framework --save${C.reset}`
     ];
 
-    const boxWidth = 50;
-    const border = C.gray;
-
     console.log();
-    console.log(`  ${border}\u256D${"\u2500".repeat(boxWidth)}\u256E${C.reset}`);
+    console.log(`${border}\u250C${"\u2500".repeat(boxWidth - 2)}\u2510${C.reset}`);
 
     for (const line of lines) {
-        const rawLen = stripAnsi(line).length;
-        const pad = boxWidth - rawLen;
-
-        console.log(`  ${border}\u2502${C.reset}${line}${" ".repeat(Math.max(0, pad))}${border}\u2502${C.reset}`);
+        console.log(`${border}\u2502${C.reset} ${pad(line, boxWidth - 4)} ${border}\u2502${C.reset}`);
     }
 
-    console.log(`  ${border}\u2570${"\u2500".repeat(boxWidth)}\u256F${C.reset}`);
-    console.log();
+    console.log(`${border}\u2502${C.reset} ${" ".repeat(boxWidth - 4)} ${border}\u2502${C.reset}`);
+    console.log(`${border}\u2514${"\u2500".repeat(boxWidth - 2)}\u2518${C.reset}`);
 }
 
 export default async function checkForUpdates() {

package/lib/Database/DB.js

@@ -74,17 +74,18 @@ class DB {
     }
 
     /**
-     * Executes a raw SQL query.
-     * @param {string} sql - Raw SQL string
+     * Executes a raw SQL query with optional parameter bindings.
+     * @param {string} sql - Raw SQL string (use ? for parameter placeholders)
+     * @param {Array} bindings - Parameter bindings for safe query execution
      * @returns {Promise<Array>} Query result
      * @throws {Error} If database is disabled
      */
-    static async rawQuery(sql) {
+    static async rawQuery(sql, bindings = []) {
         if (!this.#driver) {
             throw new Error("Database is disabled (DATABASE_DRIVER=none)");
         }
 
-        return await this.#driver.raw(sql);
+        return await this.#driver.raw(sql, bindings);
     }
 
     /**
@@ -105,7 +106,27 @@ class DB {
         const timeoutId = setTimeout(() => controller.abort(), timeout);
 
         try {
-            const result = await this.#driver.withTransaction(callback, { signal: controller.signal });
+            const result = await this.#driver.withTransaction((connection) => {
+                const connectionWrapper = {
+                    query: (sql, bindings) => connection.execute(sql, bindings)
+                };
+
+                const trx = {
+                    table: (table, modelClass = null) => createQueryBuilder(table, connectionWrapper, modelClass),
+                    rawQuery: (sql, bindings = []) => {
+                        if (bindings.length > 0) {
+                            return connection.execute(sql, bindings);
+                        }
+
+                        return connection.query(sql);
+                    },
+                    query: (...args) => connection.query(...args),
+                    execute: (...args) => connection.execute(...args)
+                };
+
+                return callback(trx);
+            }, { signal: controller.signal });
+
             clearTimeout(timeoutId);
 
             return result;
@@ -147,6 +168,13 @@ class DB {
         };
 
         this.#driver = this.#createDriver("mysql");
+
+        const isHealthy = await this.#driver.healthCheck();
+
+        if (!isHealthy) {
+            this.#driver = null;
+            throw new Error("Database reconfiguration failed: health check failed. Check your credentials.");
+        }
     }
 
     /** @private */

package/lib/Database/Drivers/MySQLDriver.js

@@ -30,11 +30,11 @@ class MySQLDriver {
             charset: this.#config.charset || "utf8mb4",
             waitForConnections: true,
             connectionLimit: this.#config.pool?.max ?? 10,
+            idleTimeout: this.#config.pool?.idleTimeout ?? 60000,
             queueLimit: this.#config.pool?.queueLimit ?? 100,
             connectTimeout: 10000,
             enableKeepAlive: true,
             keepAliveInitialDelay: 10000,
-            namedPlaceholders: true,
             decimalNumbers: true
         });
     }
@@ -67,12 +67,16 @@ class MySQLDriver {
      * @param {string} sql - Raw SQL string
      * @returns {Promise<Array>} Query result
      */
-    async raw(sql) {
+    async raw(sql, bindings = []) {
         try {
+            if (bindings.length > 0) {
+                return await this.#pool.execute(sql, bindings);
+            }
+
             return await this.#pool.query(sql);
         }
         catch (error) {
-            throw this.#handleError(error, sql);
+            throw this.#handleError(error, sql, bindings.length > 0 ? bindings : null);
         }
     }
 

package/lib/Database/Model.js

@@ -175,18 +175,30 @@ class Model {
      */
     async save() {
         const table = this.constructor.table;
-        const data = {};
 
-        for (const [key, value] of Object.entries(this._attributes)) {
-            if (value !== undefined && (key !== 'id' || !this._exists)) {
-                data[key] = value;
+        if (this._exists) {
+            const dirty = {};
+
+            for (const [key, value] of Object.entries(this._attributes)) {
+                if (key === 'id') continue;
+                if (value !== this._original[key]) {
+                    dirty[key] = value;
+                }
             }
-        }
 
-        if (this._exists) {
-            await DB.table(table).where('id', this._attributes.id).update(data);
+            if (Object.keys(dirty).length > 0) {
+                await DB.table(table).where('id', this._attributes.id).update(dirty);
+            }
         }
         else {
+            const data = {};
+
+            for (const [key, value] of Object.entries(this._attributes)) {
+                if (value !== undefined) {
+                    data[key] = value;
+                }
+            }
+
             const id = await DB.table(table).insert(data);
             this._attributes.id = id;
             this._exists = true;
@@ -264,10 +276,10 @@ function hydrate(modelClass, row) {
 
 const QUERY_METHODS = [
     // Chain methods (return QueryBuilder)
-    'distinct', 'orWhere', 'whereIn', 'whereNotIn',
+    'selectRaw', 'distinct', 'orWhere', 'whereIn', 'whereNotIn',
     'whereBetween', 'whereNot', 'join', 'groupBy', 'offset',
     // Terminal methods (return results)
-    'count', 'max', 'min', 'sum', 'avg', 'delete'
+    'count', 'countDistinct', 'max', 'min', 'sum', 'avg', 'delete'
 ];
 
 for (const method of QUERY_METHODS) {

package/lib/Database/QueryBuilder.js

@@ -1,4 +1,4 @@
-import { validateDirection, validateIdentifier, validateWhereOperator } from "./QueryValidation.js";
+import { validateDirection, validateIdentifier, validateRawExpression, validateWhereOperator } from "./QueryValidation.js";
 import Environment from "../Core/Environment.js";
 
 /**
@@ -22,7 +22,6 @@ class QueryBuilder {
     #joins = [];
     #orders = [];
     #groups = [];
-    #havings = [];
     #limitValue = null;
     #offsetValue = null;
     #distinctFlag = false;
@@ -90,19 +89,21 @@ class QueryBuilder {
         return operator;
     }
 
-    #validateInteger(value) {
+    #validateInteger(value, maxAllowed = 10000000) {
         const stringValue = String(value).trim();
+
         if (!/^\d+$/.test(stringValue)) {
             throw new Error(`Invalid integer: "${value}". Must be a pure positive number.`);
         }
 
         const num = parseInt(stringValue, 10);
+
         if (isNaN(num) || num < 0) {
             throw new Error(`Invalid integer: "${value}". Must be a non-negative number.`);
         }
 
-        if (num > 100000) {
-            throw new Error(`Invalid integer: "${value}". Maximum allowed value is 100000.`);
+        if (num > maxAllowed) {
+            throw new Error(`Invalid integer: "${value}". Maximum allowed value is ${maxAllowed}.`);
         }
 
         return num;
@@ -157,7 +158,6 @@ class QueryBuilder {
         this.#joins = [];
         this.#orders = [];
         this.#groups = [];
-        this.#havings = [];
         this.#limitValue = null;
         this.#offsetValue = null;
         this.#distinctFlag = false;
@@ -179,6 +179,45 @@ class QueryBuilder {
         return this;
     }
 
+    /**
+     * Add a raw expression to the SELECT clause.
+     * If the current selection is the default '*', replaces it.
+     * Otherwise appends to existing selections.
+     *
+     * @param {string} expression - Raw SQL expression
+     * @returns {QueryBuilder}
+     *
+     * @example
+     * // Standalone
+     * DB.table("orders").selectRaw("COUNT(*) as total").first();
+     *
+     * // Combined with select
+     * DB.table("orders")
+     *     .select("status")
+     *     .selectRaw("COUNT(*) as total")
+     *     .selectRaw("AVG(amount) as avg_amount")
+     *     .groupBy("status")
+     *     .get();
+     */
+    selectRaw(expression) {
+        if (typeof expression !== 'string' || expression.trim() === '') {
+            throw new Error('selectRaw() requires a non-empty string expression.');
+        }
+
+        validateRawExpression(expression);
+
+        const raw = new RawExpression(expression);
+
+        if (this.#selectColumns.length === 1 && this.#selectColumns[0] === '*') {
+            this.#selectColumns = [raw];
+        }
+        else {
+            this.#selectColumns.push(raw);
+        }
+
+        return this;
+    }
+
     distinct() {
         this.#distinctFlag = true;
 
@@ -206,6 +245,19 @@ class QueryBuilder {
         operator = this.#validateWhereOperator(operator);
         value = this.#validateWhereValue(value);
 
+        // where("column", null) → IS NULL, where("column", "!=", null) → IS NOT NULL
+        if (value === null || value === undefined) {
+            const isNot = operator === '!=' || operator === '<>' || operator === 'IS NOT';
+
+            this.#wheres.push({
+                type: isNot ? 'notNull' : 'null',
+                column: this.#validateIdentifier(column),
+                boolean: 'AND'
+            });
+
+            return this;
+        }
+
         this.#wheres.push({
             type: 'basic',
             column: this.#validateIdentifier(column),
@@ -228,6 +280,18 @@ class QueryBuilder {
         operator = this.#validateWhereOperator(operator);
         value = this.#validateWhereValue(value);
 
+        if (value === null || value === undefined) {
+            const isNot = operator === '!=' || operator === '<>' || operator === 'IS NOT';
+
+            this.#wheres.push({
+                type: isNot ? 'notNull' : 'null',
+                column: this.#validateIdentifier(column),
+                boolean: 'OR'
+            });
+
+            return this;
+        }
+
         this.#wheres.push({
             type: 'basic',
             column: this.#validateIdentifier(column),
@@ -363,7 +427,7 @@ class QueryBuilder {
     }
 
     limit(value) {
-        this.#limitValue = this.#validateInteger(value);
+        this.#limitValue = this.#validateInteger(value, 100000);
 
         return this;
     }
@@ -453,6 +517,40 @@ class QueryBuilder {
         return parseInt(result) || 0;
     }
 
+    /**
+     * Count distinct values of a column.
+     * @param {string} column - Column name to count distinct values of
+     * @returns {Promise<number>}
+     *
+     * @example
+     * const uniqueVisitors = await Log_View
+     *     .where("created_at", ">=", "2026-01-01")
+     *     .countDistinct("ip_address");
+     */
+    async countDistinct(column) {
+        const connection = await this.#getConnection();
+
+        try {
+            const validatedColumn = this.#validateIdentifier(column);
+            const originalSelect = this.#selectColumns;
+            this.#selectColumns = [new RawExpression(`COUNT(DISTINCT ${validatedColumn}) as count_distinct`)];
+            this.#limitValue = 1;
+
+            const sql = this.#toSql();
+            const [rows] = await connection.query(sql, this.#bindings);
+
+            this.#selectColumns = originalSelect;
+
+            return rows[0] ? parseInt(rows[0].count_distinct) || 0 : 0;
+        }
+        catch (error) {
+            throw this.#sanitizeError(error);
+        }
+        finally {
+            this.#reset();
+        }
+    }
+
     async max(column) {
         return await this.#aggregate('MAX', column);
     }
@@ -474,20 +572,24 @@ class QueryBuilder {
     }
 
     async #aggregate(func, column) {
+        const connection = await this.#getConnection();
         const alias = func.toLowerCase();
-        const originalSelect = this.#selectColumns;
 
         try {
             const validatedColumn = column === '*' ? '*' : this.#validateIdentifier(column);
+            const originalSelect = this.#selectColumns;
             this.#selectColumns = [new RawExpression(`${func}(${validatedColumn}) as ${alias}`)];
+            this.#limitValue = 1;
 
-            const row = await this.first(); // first() handles reset internally
-
-            return row ? row[alias] : null;
-        }
+            const sql = this.#toSql();
+            const [rows] = await connection.query(sql, this.#bindings);
 
-        finally {
             this.#selectColumns = originalSelect;
+
+            return rows[0] ? rows[0][alias] : null;
+        }
+        catch (error) {
+            throw this.#sanitizeError(error);
         }
     }
 
@@ -585,11 +687,10 @@ class QueryBuilder {
         const joins = this.#compileJoins();
         const wheres = this.#compileWheres();
         const groups = this.#compileGroupBy();
-        const havings = this.#compileHaving();
         const orders = this.#compileOrders();
         const limit = this.#compileLimit();
 
-        return `SELECT ${distinct}${columns} FROM ${this.#quoteIdentifier(this.#table)}${joins}${wheres}${groups}${havings}${orders}${limit}`;
+        return `SELECT ${distinct}${columns} FROM ${this.#quoteIdentifier(this.#table)}${joins}${wheres}${groups}${orders}${limit}`;
     }
 
     #compileJoins() {
@@ -647,19 +748,7 @@ class QueryBuilder {
         return ` GROUP BY ${this.#groups.join(', ')}`;
     }
 
-    #compileHaving() {
-        if (this.#havings.length === 0) {
-            return '';
-        }
-
-        const compiled = this.#havings.map((having, index) => {
-            const boolean = index === 0 ? '' : ' AND ';
-
-            return `${boolean}${having.column} ${having.operator} ?`;
-        }).join('');
 
-        return ` HAVING ${compiled}`;
-    }
 
     #compileOrders() {
         if (this.#orders.length === 0) {

package/lib/Database/QueryValidation.js

@@ -74,6 +74,38 @@ export function validateDirection(direction) {
     return upper;
 }
 
+/**
+ * Validates a raw SQL expression for use in selectRaw().
+ * Blocks dangerous patterns while allowing legitimate aggregate/function expressions.
+ *
+ * Allowed: COUNT(*), AVG(col), DISTINCT, AS aliases, DATE(), CASE WHEN, math operators
+ * Blocked: Semicolons, DDL (DROP/ALTER/CREATE/TRUNCATE), DML writes (INSERT/UPDATE/DELETE),
+ *          UNION, SQL comments, system functions (LOAD_FILE, INTO OUTFILE), subqueries
+ *
+ * @param {string} expression - Raw SQL expression to validate
+ * @throws {Error} If expression contains dangerous patterns
+ */
+export function validateRawExpression(expression) {
+    if (typeof expression !== 'string' || expression.trim() === '') {
+        throw new Error('Raw expression must be a non-empty string.');
+    }
+
+    if (/;/.test(expression)) {
+        throw new Error(`Dangerous raw expression: semicolons are not allowed.`);
+    }
+
+    if (/--|#|\/\*|\*\//.test(expression)) {
+        throw new Error(`Dangerous raw expression: SQL comments are not allowed.`);
+    }
+
+    const dangerous = /\b(DROP|ALTER|CREATE|TRUNCATE|INSERT|UPDATE|DELETE|REPLACE|GRANT|REVOKE|UNION|INTO\s+OUTFILE|INTO\s+DUMPFILE|LOAD_FILE|BENCHMARK|SLEEP|INFORMATION_SCHEMA)\b/i;
+
+    if (dangerous.test(expression)) {
+        const match = expression.match(dangerous);
+        throw new Error(`Dangerous raw expression: "${match[0].toUpperCase()}" is not allowed in selectRaw().`);
+    }
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Private Functions
 // ─────────────────────────────────────────────────────────────────────────────

package/lib/Database/Schema/Blueprint.js

@@ -1,6 +1,8 @@
 class Blueprint {
     #tableName;
     #columns = [];
+    #indexes = [];
+    #dropIndexes = [];
 
     constructor(tableName) {
         this.#tableName = tableName;
@@ -18,6 +20,24 @@ class Blueprint {
         return this.#columns;
     }
 
+    getIndexes() {
+        return this.#indexes;
+    }
+
+    getDropIndexes() {
+        return this.#dropIndexes;
+    }
+
+    index(columns) {
+        const cols = Array.isArray(columns) ? columns : [columns];
+        const name = `idx_${this.#tableName}_${cols.join('_')}`;
+        this.#indexes.push({ name, columns: cols });
+    }
+
+    dropIndex(name) {
+        this.#dropIndexes.push(name);
+    }
+
     id() {
         this.#columns.push({ name: 'id', type: 'id', modifiers: {} });
         return this;
@@ -64,11 +84,15 @@ class Blueprint {
         };
         this.#columns.push(column);
 
-        return {
-            nullable: () => { column.modifiers.nullable = true; return this; },
-            default: (value) => { column.modifiers.default = value; return this; },
-            unique: () => { column.modifiers.unique = true; return this; }
+        const blueprint = this;
+        const chain = {
+            nullable() { column.modifiers.nullable = true; return chain; },
+            default(value) { column.modifiers.default = value; return chain; },
+            unique() { column.modifiers.unique = true; return chain; },
+            index() { blueprint.index(name); return chain; },
         };
+
+        return chain;
     }
 }
 

package/lib/Database/Schema/Manager.js

@@ -16,6 +16,17 @@ export default class Schema {
         await DB.rawQuery(this.#buildCreateSQL(blueprint, true));
     }
 
+    static async table(tableName, callback) {
+        const blueprint = new (await import('./Blueprint.js')).default(tableName);
+        callback(blueprint);
+
+        const statements = this.#buildAlterSQL(blueprint);
+
+        for (const sql of statements) {
+            await DB.rawQuery(sql);
+        }
+    }
+
     static async dropIfExists(tableName) {
         await DB.rawQuery(`DROP TABLE IF EXISTS \`${tableName}\``);
     }
@@ -23,13 +34,36 @@ export default class Schema {
     // Private Methods
     static #buildCreateSQL(blueprint, ifNotExists = false) {
         const columns = blueprint.getColumns().map(col => this.#buildColumnSQL(col));
+        const indexes = blueprint.getIndexes().map(idx => this.#buildIndexSQL(idx));
+        const definitions = [...columns, ...indexes];
         const dbConfig = Config.all('database').connections.mysql;
 
         const charset = dbConfig.charset || 'utf8mb4';
         const collation = dbConfig.collation || 'utf8mb4_unicode_ci';
         const ifNotExistsClause = ifNotExists ? 'IF NOT EXISTS ' : '';
 
-        return `CREATE TABLE ${ifNotExistsClause}\`${blueprint.getTableName()}\` (\n    ${columns.join(',\n    ')}\n) ENGINE=InnoDB DEFAULT CHARSET=${charset} COLLATE=${collation}`;
+        return `CREATE TABLE ${ifNotExistsClause}\`${blueprint.getTableName()}\` (\n    ${definitions.join(',\n    ')}\n) ENGINE=InnoDB DEFAULT CHARSET=${charset} COLLATE=${collation}`;
+    }
+
+    static #buildAlterSQL(blueprint) {
+        const tableName = blueprint.getTableName();
+        const statements = [];
+
+        for (const idx of blueprint.getIndexes()) {
+            const cols = idx.columns.map(c => `\`${c}\``).join(', ');
+            statements.push(`ALTER TABLE \`${tableName}\` ADD INDEX \`${idx.name}\` (${cols})`);
+        }
+
+        for (const name of blueprint.getDropIndexes()) {
+            statements.push(`ALTER TABLE \`${tableName}\` DROP INDEX \`${name}\``);
+        }
+
+        return statements;
+    }
+
+    static #buildIndexSQL(idx) {
+        const cols = idx.columns.map(c => `\`${c}\``).join(', ');
+        return `INDEX \`${idx.name}\` (${cols})`;
     }
 
     static #buildColumnSQL(column) {
@@ -55,10 +89,18 @@ export default class Schema {
         if (column.modifiers) {
             sql += column.modifiers.nullable ? ' NULL' : ' NOT NULL';
             if (column.modifiers.default !== null) {
-                const val = typeof column.modifiers.default === 'string'
-                    ? `'${column.modifiers.default}'`
-                    : column.modifiers.default;
-                sql += ` DEFAULT ${val}`;
+                const raw = column.modifiers.default;
+
+                if (typeof raw === 'string') {
+                    const escaped = raw.replace(/'/g, "''");
+                    sql += ` DEFAULT '${escaped}'`;
+                }
+                else if (typeof raw === 'boolean') {
+                    sql += ` DEFAULT ${raw ? 1 : 0}`;
+                }
+                else {
+                    sql += ` DEFAULT ${Number(raw)}`;
+                }
             }
             if (column.modifiers.unique) sql += ' UNIQUE';
         }

package/lib/Encryption/Encryption.js

@@ -1,14 +1,14 @@
 import crypto from "crypto";
 
 /**
- * AES-256-CBC encryption and decryption utility.
+ * AES-256-GCM authenticated encryption and decryption utility.
  * Uses APP_KEY from environment for secure encryption.
  */
 class Encryption {
     /**
-     * Encrypts a value using AES-256-CBC.
+     * Encrypts a value using AES-256-GCM with authentication tag.
      * @param {string|Object} value - Value to encrypt (objects are JSON stringified)
-     * @returns {string} Encrypted string in format "iv:encryptedData"
+     * @returns {string} Encrypted string in format "iv:authTag:encryptedData"
      */
     static encrypt(value) {
         if (typeof value === "object") {
@@ -16,27 +16,35 @@ class Encryption {
         }
 
         const secretKey = crypto.createHash("sha256").update(process.env.APP_KEY).digest();
-        const iv = crypto.randomBytes(16);
-        const cipher = crypto.createCipheriv("aes-256-cbc", secretKey, iv);
+        const iv = crypto.randomBytes(12);
+        const cipher = crypto.createCipheriv("aes-256-gcm", secretKey, iv);
 
         let encrypted = cipher.update(value, "utf8", "hex");
         encrypted += cipher.final("hex");
+        const authTag = cipher.getAuthTag().toString("hex");
 
-        return iv.toString("hex") + ":" + encrypted;
+        return iv.toString("hex") + ":" + authTag + ":" + encrypted;
     }
 
     /**
-     * Decrypts an AES-256-CBC encrypted value.
-     * @param {string} encryptedValue - Encrypted string in format "iv:encryptedData"
+     * Decrypts an AES-256-GCM encrypted value.
+     * @param {string} encryptedValue - Encrypted string in format "iv:authTag:encryptedData"
      * @returns {string|false} Decrypted string or false if decryption fails
      */
     static decrypt(encryptedValue) {
         try {
             const parts = encryptedValue.split(":");
-            const iv = Buffer.from(parts.shift(), "hex");
-            const encryptedText = Buffer.from(parts.join(":"), "hex");
+
+            if (parts.length < 3) {
+                return false;
+            }
+
+            const iv = Buffer.from(parts[0], "hex");
+            const authTag = Buffer.from(parts[1], "hex");
+            const encryptedText = Buffer.from(parts.slice(2).join(":"), "hex");
             const secretKey = crypto.createHash("sha256").update(process.env.APP_KEY).digest();
-            const decipher = crypto.createDecipheriv("aes-256-cbc", secretKey, iv);
+            const decipher = crypto.createDecipheriv("aes-256-gcm", secretKey, iv);
+            decipher.setAuthTag(authTag);
 
             let decrypted = decipher.update(encryptedText, "hex", "utf8");
             decrypted += decipher.final("utf8");

package/lib/Filesystem/Storage.js

@@ -62,7 +62,9 @@ class Storage {
         const base = isPrivate ? this.#privateRoot : this.#publicRoot;
         const fullPath = this.#validatePath(base, filePath);
 
-        await fs.promises.unlink(fullPath);
+        await fs.promises.unlink(fullPath).catch(err => {
+            if (err.code !== "ENOENT") throw err;
+        });
     }
 
     /**

package/lib/Http/Server.js

@@ -42,6 +42,11 @@ class Server {
         dotenv.config({ quiet: true });
         await Config.initialize();
 
+        if (!process.env.APP_KEY || process.env.APP_KEY.trim() === "") {
+            console.error("\x1b[31m✕ APP_KEY is not set. Please set APP_KEY in your .env file before starting the server.\x1b[0m");
+            process.exit(1);
+        }
+
         this.#config = Config.all("server");
         const { web_server = {}, cors = {} } = this.#config;
         
@@ -335,7 +340,7 @@ class Server {
 
     // Private Methods
     static #printBanner({ success, address, host, port, error }) {
-        if (this.#config.log.channel !== "none" && this.#config.log.channel !== "file") {
+        if (this.#config.log.channel === "console") {
             return;
         }
 

package/lib/Logging/Log.js

@@ -9,6 +9,7 @@ import Config from "../Core/Config.js";
 class Log {
     static #levels = { debug: 0, info: 1, warn: 2, error: 3, fatal: 4 };
     static #levelLabels = { debug: "DEBUG", info: "INFO", warn: "WARN", error: "ERROR", fatal: "FATAL" };
+    static #dirEnsured = false;
 
     /**
      * Logs a debug message.
@@ -158,10 +159,15 @@ class Log {
     /** @private */
     static #logToFile(level, message, context, timestamp, config) {
         const filePath = path.resolve(process.cwd(), config.file);
-        const dir = path.dirname(filePath);
 
-        if (!fs.existsSync(dir)) {
-            fs.mkdirSync(dir, { recursive: true });
+        if (!this.#dirEnsured) {
+            const dir = path.dirname(filePath);
+
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+
+            this.#dirEnsured = true;
         }
 
         const time = this.#formatTimestamp(timestamp);

package/lib/Route/Router.js

@@ -54,11 +54,25 @@ class HotReloadRegistry {
         if (!info) return handler;
 
         const { filePath, methodName } = info;
+        let cachedModule = null;
+        let cachedMtime = 0;
 
         return async (request, response, param) => {
-            const module = await import(`file://${filePath}?t=${Date.now()}`);
+            let mtime = 0;
 
-            return module.default[methodName](request, response, param);
+            try {
+                mtime = fs.statSync(filePath).mtimeMs;
+            }
+            catch {
+                mtime = Date.now();
+            }
+
+            if (!cachedModule || mtime !== cachedMtime) {
+                cachedModule = await import(`file://${filePath}?t=${mtime}`);
+                cachedMtime = mtime;
+            }
+
+            return cachedModule.default[methodName](request, response, param);
         };
     }
 
@@ -391,25 +405,30 @@ class RouteGroup {
 
     group(callback) {
         const beforeCount = this.routes.length;
-        callback();
-        const newRoutes = this.routes.slice(beforeCount);
-
-        for (const route of newRoutes) {
-            // Apply prefix
-            if (this.options.prefix) {
-                route.url = route.url === "/" 
-                    ? this.options.prefix 
-                    : this.options.prefix + route.url;
-            }
 
-            // Apply name prefix
-            if (route.name && this.options.name) {
-                route.name = this.options.name + route.name;
+        const applyGroup = () => {
+            const newRoutes = this.routes.slice(beforeCount);
+            for (const route of newRoutes) {
+                if (this.options.prefix) {
+                    route.url = route.url === "/"
+                        ? this.options.prefix
+                        : this.options.prefix + route.url;
+                }
+                if (route.name && this.options.name) {
+                    route.name = this.options.name + route.name;
+                }
+                route.middlewares.unshift(...this.options.middlewares);
             }
+        };
+
+        const result = callback();
 
-            // Prepend middlewares
-            route.middlewares.unshift(...this.options.middlewares);
+        // Sync callback: apply immediately. Async callback: apply after resolution.
+        if (result && typeof result.then === "function") {
+            return result.then(() => applyGroup());
         }
+
+        applyGroup();
     }
 }
 

package/lib/Session/Manager.js

@@ -19,13 +19,24 @@ class SessionManager {
      * Gets the singleton instance.
      * @returns {Promise<SessionManager>}
      */
+    static #initPromise = null;
+
     static async getInstance() {
-        if (!this.#instance) {
-            this.#instance = new SessionManager();
-            await this.#instance.#initialize();
+        if (this.#instance) {
+            return this.#instance;
+        }
+
+        if (!this.#initPromise) {
+            this.#initPromise = (async () => {
+                const manager = new SessionManager();
+                await manager.#initialize();
+                this.#instance = manager;
+
+                return manager;
+            })();
         }
 
-        return this.#instance;
+        return this.#initPromise;
     }
 
     /** @private */

package/lib/View/View.js

@@ -175,23 +175,24 @@ class View {
             });
         });
 
-        if (View.#isDev) {
-            server.get("/__nitron/navigate", async (req, res) => {
-                const url = req.query.url;
-                if (!url) {
-                    return res.code(400).send({ error: "Missing url" });
-                }
+        server.get("/__nitron/navigate", async (req, res) => {
+            const url = req.query.url;
 
-                const result = await View.#renderPartial(url, req, res);
-                
-                if (result.handled) return;
-                
-                return res
-                    .code(result.status || 200)
-                    .header("X-Content-Type-Options", "nosniff")
-                    .send(result);
-            });
+            if (!url) {
+                return res.code(400).send({ error: "Missing url" });
+            }
 
+            const result = await View.#renderPartial(url, req, res);
+
+            if (result.handled) return;
+
+            return res
+                .code(result.status || 200)
+                .header("X-Content-Type-Options", "nosniff")
+                .send(result);
+        });
+
+        if (View.#isDev) {
             server.get("/__nitron/icon.png", async (req, res) => {
                 const iconPath = path.join(__dirname, "Client", "nitronjs-icon.png");
                 const iconBuffer = readFileSync(iconPath);

package/lib/index.d.ts

@@ -56,40 +56,84 @@ export class Model {
     static hidden: string[];
     static casts: Record<string, string>;
 
+    // Direct static methods
     static get<T extends Model>(this: new () => T): Promise<T[]>;
     static find<T extends Model>(this: new () => T, id: number | string): Promise<T | null>;
     static first<T extends Model>(this: new () => T): Promise<T | null>;
-    static where<T extends Model>(this: new () => T, column: string, operator?: any, value?: any): QueryBuilder<T>;
+    static where<T extends Model>(this: new () => T, column: string, value: string | number | boolean | null): QueryBuilder<T>;
+    static where<T extends Model>(this: new () => T, column: string, operator: string, value: string | number | boolean | null): QueryBuilder<T>;
+    static where<T extends Model>(this: new () => T, column: Record<string, any>): QueryBuilder<T>;
     static select<T extends Model>(this: new () => T, ...columns: string[]): QueryBuilder<T>;
     static orderBy<T extends Model>(this: new () => T, column: string, direction?: 'asc' | 'desc'): QueryBuilder<T>;
     static limit<T extends Model>(this: new () => T, count: number): QueryBuilder<T>;
-    static create<T extends Model>(this: new () => T, data: Record<string, any>): Promise<T>;
 
+    // Forwarded from QueryBuilder (QUERY_METHODS)
+    static selectRaw<T extends Model>(this: new () => T, expression: string): QueryBuilder<T>;
+    static distinct<T extends Model>(this: new () => T): QueryBuilder<T>;
+    static orWhere<T extends Model>(this: new () => T, column: string, value: string | number | boolean | null): QueryBuilder<T>;
+    static orWhere<T extends Model>(this: new () => T, column: string, operator: string, value: string | number | boolean | null): QueryBuilder<T>;
+    static whereIn<T extends Model>(this: new () => T, column: string, values: any[]): QueryBuilder<T>;
+    static whereNotIn<T extends Model>(this: new () => T, column: string, values: any[]): QueryBuilder<T>;
+    static whereBetween<T extends Model>(this: new () => T, column: string, range: [any, any]): QueryBuilder<T>;
+    static whereNot<T extends Model>(this: new () => T, column: string, value: any): QueryBuilder<T>;
+    static join<T extends Model>(this: new () => T, table: string, col1: string, operator: string, col2: string): QueryBuilder<T>;
+    static groupBy<T extends Model>(this: new () => T, ...columns: string[]): QueryBuilder<T>;
+    static offset<T extends Model>(this: new () => T, count: number): QueryBuilder<T>;
+    static count<T extends Model>(this: new () => T, column?: string): Promise<number>;
+    static countDistinct<T extends Model>(this: new () => T, column: string): Promise<number>;
+    static max<T extends Model>(this: new () => T, column: string): Promise<number | null>;
+    static min<T extends Model>(this: new () => T, column: string): Promise<number | null>;
+    static sum<T extends Model>(this: new () => T, column: string): Promise<number>;
+    static avg<T extends Model>(this: new () => T, column: string): Promise<number | null>;
+
+    // Instance methods
     save(): Promise<this>;
     delete(): Promise<boolean>;
-    update(data: Record<string, any>): Promise<this>;
-    refresh(): Promise<this>;
-    toJSON(): Record<string, any>;
+    toObject(): Record<string, any>;
 
     [key: string]: any;
 }
 
 export interface QueryBuilder<T> {
-    where(column: string, operator?: any, value?: any): QueryBuilder<T>;
-    orWhere(column: string, operator?: any, value?: any): QueryBuilder<T>;
+    // Where clauses
+    where(column: string, value: string | number | boolean | null): QueryBuilder<T>;
+    where(column: string, operator: string, value: string | number | boolean | null): QueryBuilder<T>;
+    where(column: Record<string, any>): QueryBuilder<T>;
+    orWhere(column: string, value: string | number | boolean | null): QueryBuilder<T>;
+    orWhere(column: string, operator: string, value: string | number | boolean | null): QueryBuilder<T>;
     whereIn(column: string, values: any[]): QueryBuilder<T>;
     whereNotIn(column: string, values: any[]): QueryBuilder<T>;
-    whereNull(column: string): QueryBuilder<T>;
-    whereNotNull(column: string): QueryBuilder<T>;
+    whereNot(column: string, value: any): QueryBuilder<T>;
     whereBetween(column: string, range: [any, any]): QueryBuilder<T>;
+
+    // Selection
     select(...columns: string[]): QueryBuilder<T>;
+    selectRaw(expression: string): QueryBuilder<T>;
+    distinct(): QueryBuilder<T>;
+
+    // Joins
+    join(table: string, col1: string, operator: string, col2: string): QueryBuilder<T>;
+
+    // Ordering & Grouping
     orderBy(column: string, direction?: 'asc' | 'desc'): QueryBuilder<T>;
+    groupBy(...columns: string[]): QueryBuilder<T>;
     limit(count: number): QueryBuilder<T>;
     offset(count: number): QueryBuilder<T>;
+
+    // Terminal — fetch
     get(): Promise<T[]>;
     first(): Promise<T | null>;
-    count(): Promise<number>;
-    exists(): Promise<boolean>;
+
+    // Terminal — aggregates
+    count(column?: string): Promise<number>;
+    countDistinct(column: string): Promise<number>;
+    max(column: string): Promise<number | null>;
+    min(column: string): Promise<number | null>;
+    sum(column: string): Promise<number>;
+    avg(column: string): Promise<number | null>;
+
+    // Terminal — mutation
+    insert(data: Record<string, any>): Promise<number>;
     update(data: Record<string, any>): Promise<number>;
     delete(): Promise<number>;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@nitronjs/framework",
-	"version": "0.2.23",
+	"version": "0.2.26",
 	"description": "NitronJS is a modern and extensible Node.js MVC framework built on Fastify. It focuses on clean architecture, modular structure, and developer productivity, offering built-in routing, middleware, configuration management, CLI tooling, and native React integration for scalable full-stack applications.",
 	"bin": {
 		"njs": "./cli/njs.js"

package/skeleton/app/Middlewares/VerifyCsrf.js

@@ -1,8 +1,8 @@
-import sessionConfig from "../../config/session.js";
+import { Config } from "@nitronjs/framework";
 
 class VerifyCsrf {
     static async handler(req, res) {
-        const csrf = sessionConfig.csrf;
+        const csrf = Config.all("session").csrf;
         const token = req.body?.[csrf.tokenField] || req.headers[csrf.headerField];
 
         if (!token) {