@zintrust/core 0.1.34 → 0.1.36

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.1.34",
+  "version": "0.1.36",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {

package/src/boot/bootstrap.js

@@ -103,9 +103,15 @@ const gracefulShutdown = async (signal) => {
             // Shutdown worker management system FIRST (before database closes)
             if (appConfig.detectRuntime() === 'nodejs' || appConfig.detectRuntime() === 'lambda') {
                 try {
-                    const { WorkerShutdown } = await import('@zintrust/workers');
+                    const { createRequire } = await import('../node-singletons/module.js');
+                    const require = createRequire(import.meta.url);
+                    const workers = require('@zintrust/workers');
                     const workerBudgetMs = Math.min(15000, remainingMs());
-                    await withTimeout(WorkerShutdown.shutdown({ signal, timeout: workerBudgetMs, forceExit: false }), workerBudgetMs, 'Worker shutdown timed out');
+                    await withTimeout(workers.WorkerShutdown.shutdown({
+                        signal,
+                        timeout: workerBudgetMs,
+                        forceExit: false,
+                    }), workerBudgetMs, 'Worker shutdown timed out');
                 }
                 catch (error) {
                     Logger.warn('Worker shutdown failed (continuing with app shutdown)', error);
@@ -136,9 +142,11 @@ async function useWorkerStarter() {
     // Initialize worker management system
     let workerInit = null;
     try {
-        const { WorkerInit } = await import('@zintrust/workers');
-        workerInit = WorkerInit;
-        await WorkerInit.initialize({
+        const { createRequire } = await import('../node-singletons/module.js');
+        const require = createRequire(import.meta.url);
+        const workers = require('@zintrust/workers');
+        workerInit = workers.WorkerInit;
+        await workers.WorkerInit.initialize({
             enableResourceMonitoring: true,
             enableHealthMonitoring: true,
             enableAutoScaling: false, // Disabled by default, enable via config

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.1.34
+ * @zintrust/core v0.1.36
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-01-29T10:18:32.341Z
+ *   Built: 2026-01-29T10:45:55.711Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.23';
-export const ZINTRUST_BUILD_DATE = '2026-01-29T10:18:32.299Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-01-29T10:45:55.674Z'; // Replaced during build
 import { Application } from './boot/Application.js';
 import { AwsSigV4 } from './common/index.js';
 import { SignedRequest } from './security/SignedRequest.js';

package/src/orm/QueryBuilder.js

@@ -562,7 +562,7 @@ function attachReadExecutionMethods(builder, state, db) {
 }
 const isNonEmptyString = (value) => typeof value === 'string' && value.length > 0;
 const isKeyValue = (value) => typeof value === 'string' || typeof value === 'number';
-const getModelIds = (models, key) => models.map((model) => model.getAttribute(key)).filter(isKeyValue);
+const getModelIds = (models, key) => models.map((model) => model.getAttribute(key)).filter((element) => isKeyValue(element));
 const applyConstraint = (query, constraint) => {
     if (typeof constraint === 'function') {
         return constraint(query) ?? query;

package/src/templates/project/basic/app/Controllers/UserQueryBuilderController.ts.tpl

@@ -0,0 +1,468 @@
+/**
+ * User QueryBuilder Controller
+ * QueryBuilder-backed controller for the users resource.
+ */
+
+import type { IUserController, JsonRecord, ValidationErrorLike } from '@app/Types/controller';
+import type { IRequest, IResponse, SanitizerError } from '@zintrust/core';
+import {
+  Logger,
+  QueryBuilder,
+  Sanitizer,
+  Schema,
+  Validator,
+  getValidatedBody,
+  nowIso,
+  randomBytes,
+  useDatabase,
+} from '@zintrust/core';
+
+const isValidationError = (error: unknown): error is ValidationErrorLike => {
+  if (typeof error !== 'object' || error === null) return false;
+  const maybe = error as ValidationErrorLike;
+  return maybe.name === 'ValidationError' && typeof maybe.toObject === 'function';
+};
+
+const isSanitizerError = (error: unknown): error is SanitizerError => {
+  if (typeof error !== 'object' || error === null) return false;
+  const maybe = error as SanitizerError;
+  return maybe.name === 'SanitizerError';
+};
+
+const toJsonRecord = (value: unknown): JsonRecord => {
+  if (typeof value !== 'object' || value === null) return {};
+  if (Array.isArray(value)) return {};
+  return value as JsonRecord;
+};
+
+const resolveBody = (req: IRequest): JsonRecord => {
+  return toJsonRecord(getValidatedBody(req) ?? req.body ?? {});
+};
+
+const getParamCompat = (req: IRequest, name: string): unknown => {
+  try {
+    const anyReq = req as unknown as { getParam?: (key: string) => unknown };
+    if (typeof anyReq.getParam === 'function') return anyReq.getParam(name);
+  } catch {
+    // ignore
+  }
+
+  const anyReq = req as unknown as { params?: Record<string, unknown> };
+  const params = anyReq.params;
+  if (typeof params === 'object' && params !== null) return params[name];
+  return undefined;
+};
+
+const requireSelf = (
+  req: IRequest,
+  res: IResponse,
+  userId: string | undefined
+): userId is string => {
+  if (typeof userId !== 'string' || userId.length === 0) {
+    res.status(400).json({ error: 'Missing user id' });
+    return false;
+  }
+
+  const subject = typeof req.user?.sub === 'string' ? req.user.sub : undefined;
+  if (subject === undefined || subject.length === 0) {
+    res.status(401).json({ error: 'Unauthorized' });
+    return false;
+  }
+  if (subject !== userId) {
+    res.status(403).json({ error: 'Forbidden' });
+    return false;
+  }
+  return true;
+};
+
+const randomInt = (min: number, max: number): number => {
+  const lo = Math.ceil(min);
+  const hi = Math.floor(max);
+  return Math.floor(lo + Math.random() * (hi - lo + 1)); // NOSONAR is just a test utility
+};
+
+const randomName = (): string => {
+  const first = ['Alex', 'Jordan', 'Taylor', 'Sam', 'Casey', 'Riley', 'Morgan'];
+  const last = ['Lee', 'Kim', 'Patel', 'Garcia', 'Brown', 'Nguyen', 'Smith'];
+  return `${first[randomInt(0, first.length - 1)]} ${last[randomInt(0, last.length - 1)]}`;
+};
+
+const randomEmail = (): string => {
+  const n = randomInt(10000, 99999);
+  return `user${n}@example.com`;
+};
+
+const randomPassword = (): string => {
+  // Not cryptographically perfect UX-wise, but avoids hard-coded credentials.
+  // `base64url` keeps it URL-safe and reasonably short.
+  return randomBytes(12).toString('base64url');
+};
+
+const pickAllowed = (body: JsonRecord, allowed: Set<string>): JsonRecord => {
+  const out: JsonRecord = {};
+  for (const [k, v] of Object.entries(body)) {
+    if (allowed.has(k)) out[k] = v;
+  }
+  return out;
+};
+
+const hasUnknownKeys = (body: JsonRecord, allowed: Set<string>): string | null => {
+  for (const k of Object.keys(body)) {
+    if (!allowed.has(k)) return k;
+  }
+  return null;
+};
+
+const sanitizeUserUpdateBody = (updateBody: JsonRecord): JsonRecord => {
+  const sanitizedUpdateBody: JsonRecord = {};
+  if ('name' in updateBody) {
+    sanitizedUpdateBody['name'] = Sanitizer.nameText(updateBody['name']).trim();
+  }
+  if ('email' in updateBody) {
+    sanitizedUpdateBody['email'] = Sanitizer.email(updateBody['email']).trim().toLowerCase();
+  }
+  if ('password' in updateBody) {
+    sanitizedUpdateBody['password'] = Sanitizer.safePasswordChars(updateBody['password']);
+  }
+  return sanitizedUpdateBody;
+};
+
+const buildUserUpdateSchema = (): ReturnType<typeof Schema.create> => {
+  return Schema.create()
+    .custom(
+      'name',
+      (v: unknown) => v === undefined || typeof v === 'string',
+      'name must be a string'
+    )
+    .minLength('name', 1)
+    .custom(
+      'email',
+      (v: unknown) => v === undefined || typeof v === 'string',
+      'email must be a string'
+    )
+    .custom(
+      'password',
+      (v: unknown) => v === undefined || typeof v === 'string',
+      'password must be a string'
+    )
+    .minLength('password', 8);
+};
+
+const buildUserStoreSchema = (): ReturnType<typeof Schema.create> => {
+  return Schema.create()
+    .custom('name', (v: unknown) => typeof v === 'string', 'name must be a string')
+    .minLength('name', 1)
+    .custom('email', (v: unknown) => typeof v === 'string', 'email must be a string')
+    .email('email')
+    .custom('password', (v: unknown) => typeof v === 'string', 'password must be a string')
+    .minLength('password', 8);
+};
+
+/**
+ * User Controller Methods
+ */
+const userControllerMethods: IUserController = {
+  /**
+   * List all users
+   * GET /users
+   */
+  async index(req: IRequest, res: IResponse): Promise<void> {
+    try {
+      const subject = typeof req.user?.sub === 'string' ? req.user.sub : undefined;
+      if (subject === undefined || subject.length === 0) {
+        res.status(401).json({ error: 'Unauthorized' });
+        return;
+      }
+
+      const db = useDatabase();
+      const users = await QueryBuilder.create('users', db)
+        .select('id', 'name', 'email', 'created_at', 'updated_at')
+        .where('id', '=', subject)
+        .limit(1)
+        .get();
+
+      res.json({ data: users });
+    } catch (error) {
+      Logger.error('Error fetching users:', error);
+      res.status(500).json({ error: 'Failed to fetch users' });
+    }
+  },
+
+  /**
+   * Show a specific user
+   * GET /users/:id
+   */
+  async show(req: IRequest, res: IResponse): Promise<void> {
+    try {
+      const db = useDatabase();
+
+      const rawId = getParamCompat(req, 'id');
+      const id = Sanitizer.digitsOnly(rawId); // Zero trust protection for db id
+      if (typeof id !== 'string' || id.length === 0) {
+        // ✅ Good
+        res.status(400).json({ error: 'Missing user id' });
+        return;
+      }
+      if (!requireSelf(req, res, id)) return;
+
+      const user = await QueryBuilder.create('users', db)
+        .select('id', 'name', 'email', 'created_at', 'updated_at')
+        .where('id', '=', id)
+        .limit(1)
+        .first();
+
+      if (user === null) {
+        res.status(404).json({ error: 'User not found' });
+        return;
+      }
+      res.json({ data: user });
+    } catch (error) {
+      if (isSanitizerError(error)) {
+        res.status(400).json({ error: error.message });
+        return;
+      }
+      Logger.error('Error fetching user:', error);
+      res.status(500).json({ error: 'Failed to fetch user' });
+    }
+  },
+
+  /**
+   * Show create form
+   * GET /users/create
+   */
+  async create(_req: IRequest, res: IResponse): Promise<void> {
+    res.json({ form: 'Create User Form' });
+  },
+
+  /**
+   * Store a new user
+   * POST /users
+   */
+  async store(req: IRequest, res: IResponse): Promise<void> {
+    try {
+      // Use validated body if available (already sanitized by middleware), otherwise fallback to raw
+      const body = resolveBody(req);
+
+      const required = ['name', 'email', 'password'] as const;
+      const missing: Record<string, string[]> = {};
+      for (const key of required) {
+        const val = body[key];
+        if (typeof val !== 'string' || val.trim() === '') {
+          missing[key] = ['Required'];
+        }
+      }
+      if (Object.keys(missing).length > 0) {
+        res.status(422).json({ errors: missing });
+        return;
+      }
+
+      // Trust middleware for sanitization if validation passed.
+      // If we are here, validation ostensibly passed or we are in a context where we must self-validate.
+      // To satisfy defense-in-depth without double-sanitization bottleneck:
+      // We assume body is safe-ish if it came from resolved validated body.
+      // But to be explicit and type-safe, we cast or read fields directly.
+
+      const db = useDatabase();
+      const ts = nowIso();
+
+      // Apply bulletproof sanitization for defense-in-depth
+      const name = Sanitizer.nameText(body['name']);
+      const email = Sanitizer.email(body['email']);
+      const password = Sanitizer.safePasswordChars(body['password']);
+
+      Validator.validate({ name, email, password }, buildUserStoreSchema());
+
+      await QueryBuilder.create('users', db).insert({
+        name,
+        email,
+        password, // Hashing should be handled by model/service or here if raw
+        created_at: ts,
+        updated_at: ts,
+      });
+
+      res.status(201).json({ message: 'User created' });
+    } catch (error) {
+      if (isSanitizerError(error)) {
+        res.status(400).json({ error: error.message });
+        return;
+      }
+      if (isValidationError(error)) {
+        res.status(422).json({ errors: error.toObject?.() ?? {} });
+        return;
+      }
+      Logger.error('Error creating user:', error);
+      res.status(500).json({ error: 'Failed to create user' });
+    }
+  },
+
+  /**
+   * Fill users table with random users
+   * POST /users/fill
+   */
+  async fill(req: IRequest, res: IResponse): Promise<void> {
+    try {
+      const body = resolveBody(req);
+      const countVal = body['count'];
+
+      // Ensure count is a number (middleware validation handles this, but we double check or default)
+      let count = typeof countVal === 'number' ? countVal : 10;
+      if (count < 1) count = 1;
+      if (count > 100) count = 100;
+
+      const db = useDatabase();
+      const ts = nowIso();
+
+      // Optimize: Bulk insert instead of N+1 inserts to reduce IO bottleneck and memory overhead
+      const users = Array.from({ length: count }, () => ({
+        name: randomName(),
+        email: randomEmail(),
+        password: randomPassword(),
+        created_at: ts,
+        updated_at: ts,
+      }));
+
+      await QueryBuilder.create('users', db).insert(users);
+
+      res.status(201).json({ message: 'Users filled', count });
+    } catch (error) {
+      Logger.error('Error filling users:', error);
+      res.status(500).json({ error: 'Failed to fill users' });
+    }
+  },
+
+  /**
+   * Show edit form
+   * GET /users/:id/edit
+   */
+  async edit(_req: IRequest, res: IResponse): Promise<void> {
+    try {
+      res.json({ form: 'Edit User Form' });
+    } catch (error) {
+      Logger.error('Error loading edit form:', error);
+      res.status(500).json({ error: 'Failed to load edit form' });
+    }
+  },
+
+  /**
+   * Update a user
+   * PUT /users/:id
+   */
+  async update(req: IRequest, res: IResponse): Promise<void> {
+    // NOSONAR bulletproof sanitization requires explicit validation steps
+    try {
+      const db = useDatabase();
+      const rawId = getParamCompat(req, 'id');
+      const id = Sanitizer.digitsOnly(rawId);
+      if (typeof id !== 'string' || id.length === 0) {
+        res.status(400).json({ error: 'Missing user id' });
+        return;
+      }
+      if (!requireSelf(req, res, id)) return;
+
+      const allowed = new Set(['name', 'email', 'password']);
+      const body = resolveBody(req);
+      const unknown = hasUnknownKeys(body, allowed);
+      if (unknown !== null) {
+        res.status(422).json({ errors: { [unknown]: ['Unknown field'] } });
+        return;
+      }
+
+      const updateBody = pickAllowed(body, allowed);
+      if (Object.keys(updateBody).length === 0) {
+        res.status(422).json({ errors: { body: ['No fields to update'] } });
+        return;
+      }
+
+      const sanitizedUpdateBody = sanitizeUserUpdateBody(updateBody);
+      Validator.validate(sanitizedUpdateBody, buildUserUpdateSchema());
+
+      const existing = await QueryBuilder.create('users', db)
+        .select('id')
+        .where('id', '=', id)
+        .limit(1)
+        .first();
+
+      if (existing === null) {
+        res.status(404).json({ error: 'User not found' });
+        return;
+      }
+
+      const ts = nowIso();
+      await QueryBuilder.create('users', db)
+        .where('id', '=', id)
+        .update({ ...sanitizedUpdateBody, updated_at: ts });
+
+      const user = await QueryBuilder.create('users', db)
+        .select('id', 'name', 'email', 'created_at', 'updated_at')
+        .where('id', '=', id)
+        .limit(1)
+        .first();
+
+      res.json({ message: 'User updated', user });
+    } catch (error) {
+      if (isSanitizerError(error)) {
+        res.status(400).json({ error: error.message });
+        return;
+      }
+      if (isValidationError(error)) {
+        res.status(422).json({ errors: error.toObject?.() ?? {} });
+        return;
+      }
+      Logger.error('Error updating user:', error);
+      res.status(500).json({ error: 'Failed to update user' });
+    }
+  },
+
+  /**
+   * Delete a user
+   * DELETE /users/:id
+   */
+  async destroy(req: IRequest, res: IResponse): Promise<void> {
+    try {
+      const db = useDatabase();
+      const rawId = getParamCompat(req, 'id');
+      const id = Sanitizer.digitsOnly(rawId);
+      if (typeof id !== 'string' || id.length === 0) {
+        res.status(400).json({ error: 'Missing user id' });
+        return;
+      }
+
+      if (!requireSelf(req, res, id)) return;
+
+      const existing = await QueryBuilder.create('users', db)
+        .select('id')
+        .where('id', '=', id)
+        .limit(1)
+        .first();
+
+      if (existing === null) {
+        res.status(404).json({ error: 'User not found' });
+        return;
+      }
+
+      await QueryBuilder.create('users', db).where('id', '=', id).delete();
+      res.json({ message: 'User deleted' });
+    } catch (error) {
+      if (isSanitizerError(error)) {
+        res.status(400).json({ error: error.message });
+        return;
+      }
+      Logger.error('Error deleting user:', error);
+      res.status(500).json({ error: 'Failed to delete user' });
+    }
+  },
+};
+
+/**
+ * User QueryBuilder Controller Factory
+ */
+export const UserQueryBuilderController = {
+  /**
+   * Create a new user controller instance
+   */
+  create(): IUserController {
+    return userControllerMethods;
+  },
+};
+
+export default UserQueryBuilderController;