aegisnode 0.0.3 → 0.0.5

package/src/cli/commands/fixapp.js

@@ -0,0 +1,65 @@
+import path from 'path';
+import { ensureValidName, normalizeMountPath } from '../utils/fs.js';
+import { resolveProjectRoot } from '../utils/project.js';
+import {
+  detectSettingsMode,
+  ensureAppScaffold,
+  readAppsConfig,
+  updateAppRegistry,
+  updateProjectRoutesFile,
+} from '../utils/apps.js';
+
+export async function runFixApp({ appName, projectRoot, mount } = {}) {
+  if (!appName) {
+    throw new Error('Missing app name. Usage: aegisnode fix --app <app-name>');
+  }
+
+  ensureValidName(appName, 'app');
+
+  const resolvedRoot = await resolveProjectRoot(projectRoot || process.cwd());
+  const settingsMode = await detectSettingsMode(resolvedRoot);
+  const existingApps = await readAppsConfig(settingsMode);
+  const existingApp = existingApps.find((entry) => entry.name === appName) || null;
+  const appMount = existingApp?.mount || normalizeMountPath(mount || `/${appName}`);
+
+  const scaffoldResult = await ensureAppScaffold(resolvedRoot, appName, { overwrite: false });
+
+  let registryUpdated = false;
+  if (!existingApp) {
+    await updateAppRegistry(
+      resolvedRoot,
+      [...existingApps, { name: appName, mount: appMount }],
+      settingsMode,
+    );
+    registryUpdated = true;
+  }
+
+  const routesResult = await updateProjectRoutesFile(resolvedRoot, appName, appMount);
+  const relativeWritten = scaffoldResult.written.map((target) => path.relative(resolvedRoot, target));
+
+  if (relativeWritten.length === 0 && !registryUpdated && !routesResult.updatedImport && !routesResult.updatedRoute) {
+    console.log(`App "${appName}" is already complete.`);
+  } else {
+    console.log(`App "${appName}" repaired at ${resolvedRoot}/apps/${appName}`);
+    if (relativeWritten.length > 0) {
+      console.log(`Created missing files: ${relativeWritten.join(', ')}`);
+    }
+    if (registryUpdated) {
+      console.log(`Added app "${appName}" to settings.apps with mount ${appMount}`);
+    }
+    if (routesResult.updatedImport || routesResult.updatedRoute) {
+      console.log(`Updated routes.js registration for app "${appName}"`);
+    }
+  }
+
+  return {
+    rootDir: resolvedRoot,
+    appName,
+    mount: appMount,
+    createdFiles: scaffoldResult.written,
+    skippedFiles: scaffoldResult.skipped,
+    registryUpdated,
+    routesUpdated: routesResult.updatedImport || routesResult.updatedRoute,
+    routesFile: routesResult.routesFile,
+  };
+}

package/src/cli/commands/generateloader.js

@@ -0,0 +1,37 @@
+import path from 'path';
+import { exists, writeFile } from '../utils/fs.js';
+import { resolveProjectRoot } from '../utils/project.js';
+import { renderProjectAppJs, renderProjectLoaderCjs } from '../utils/scaffolds.js';
+
+async function ensureStartupFile(rootDir, fileName, content, output) {
+  const target = path.join(rootDir, fileName);
+  if (await exists(target)) {
+    output.log(`${fileName} already exists.`);
+    return false;
+  }
+
+  await writeFile(target, content);
+  output.log(`Generated ${fileName}.`);
+  return true;
+}
+
+export async function runGenerateLoader({
+  projectRoot,
+  output = console,
+} = {}) {
+  const resolvedRoot = await resolveProjectRoot(projectRoot || process.cwd());
+  const createdApp = await ensureStartupFile(resolvedRoot, 'app.js', renderProjectAppJs(), output);
+  const createdLoader = await ensureStartupFile(resolvedRoot, 'loader.cjs', renderProjectLoaderCjs(), output);
+
+  if (!createdApp && !createdLoader) {
+    output.log(`Startup entry files already exist in ${resolvedRoot}`);
+  } else {
+    output.log(`Startup entry files are ready in ${resolvedRoot}`);
+  }
+
+  return {
+    rootDir: resolvedRoot,
+    createdApp,
+    createdLoader,
+  };
+}

package/src/cli/commands/startproject.js

@@ -53,7 +53,7 @@ async function createBaseProjectFiles(projectRoot, projectName) {
   await writeFile(path.join(projectRoot, '.env'), renderProjectEnv(appSecret));
   await writeFile(path.join(projectRoot, '.env.example'), renderEnvExample());
 
-  await writeFile(path.join(projectRoot, 'settings.js'), renderProjectSettings(projectName, apps));
+  await writeFile(path.join(projectRoot, 'settings.js'), renderProjectSettings(projectName, apps, appSecret));
   await writeFile(path.join(projectRoot, 'routes.js'), renderProjectRoutes());
 }
 

package/src/cli/index.js

@@ -4,6 +4,8 @@ import { runServer } from './commands/runserver.js';
 import { generateArtifact } from './commands/generate.js';
 import { runDoctor } from './commands/doctor.js';
 import { runUpdateDependencies } from './commands/updatedeps.js';
+import { runGenerateLoader } from './commands/generateloader.js';
+import { runFixApp } from './commands/fixapp.js';
 
 function printHelp() {
   console.log(`AegisNode CLI
@@ -11,9 +13,11 @@ function printHelp() {
 Usage:
   aegisnode startproject <project-name>
   aegisnode createapp <app-name> [--project <path>] [--mount </path>]
+  aegisnode fix [--app <app-name>] [--project <path>]
   aegisnode generate <type> <name> --app <app-name> [--project <path>]
   aegisnode runserver [--project <path>] [--port <number>]
-  aegisnode doctor [--project <path>]
+  aegisnode generateloader [--project <path>]
+  aegisnode doctor [--app <app-name>] [--project <path>]
   aegisnode updatedeps [--project <path>]
 
 Examples:
@@ -22,8 +26,11 @@ Examples:
   npm install
   aegisnode runserver
   aegisnode createapp users
+  aegisnode fix --app users
   aegisnode generate view user --app users
   aegisnode generate validator user --app users
+  aegisnode generateloader --project blog
+  aegisnode doctor --app users --project blog
   aegisnode updatedeps --project blog
 `);
 }
@@ -120,8 +127,32 @@ export async function runCli(argv) {
     }
 
     case 'doctor': {
+      if (positional.length > 0) {
+        throw new Error('Doctor app target must use --app <app-name>. Usage: aegisnode doctor [--app <app-name>] [--project <path>]');
+      }
       await runDoctor({
         projectRoot: flags.project ? String(flags.project) : process.cwd(),
+        appName: flags.app ? String(flags.app) : null,
+      });
+      return;
+    }
+
+    case 'fix':
+    case 'fixapp': {
+      if (positional.length > 0) {
+        throw new Error('Fix app target must use --app <app-name>. Usage: aegisnode fix [--app <app-name>] [--project <path>]');
+      }
+      await runFixApp({
+        appName: flags.app ? String(flags.app) : undefined,
+        projectRoot: flags.project ? String(flags.project) : process.cwd(),
+      });
+      return;
+    }
+
+    case 'generateloader':
+    case 'loader': {
+      await runGenerateLoader({
+        projectRoot: flags.project ? String(flags.project) : process.cwd(),
       });
       return;
     }

package/src/cli/utils/apps.js

@@ -0,0 +1,253 @@
+import fs from 'fs/promises';
+import path from 'path';
+import { pathToFileURL } from 'url';
+import { ensureDir, ensureValidName, exists, normalizeMountPath, writeFile } from './fs.js';
+import {
+  renderAppModelTest,
+  renderAppModelsFile,
+  renderAppRoutes,
+  renderAppRoutesTest,
+  renderAppServiceTest,
+  renderAppServicesFile,
+  renderAppSubscribersFile,
+  renderAppUtilsFile,
+  renderAppValidatorTest,
+  renderAppValidatorsFile,
+  renderAppViewsFile,
+  renderSettingsApps,
+} from './scaffolds.js';
+
+export const APPS_START = '// AEGIS_APPS_START';
+export const APPS_END = '// AEGIS_APPS_END';
+
+function renderAppEntries(apps) {
+  return apps
+    .map((app) => `    { name: ${JSON.stringify(app.name)}, mount: ${JSON.stringify(app.mount)} },`)
+    .join('\n');
+}
+
+function escapeRegExp(value) {
+  return String(value).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+export function toImportName(appName) {
+  const safe = appName
+    .split(/[-_\s]+/)
+    .filter(Boolean)
+    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+    .join('');
+
+  if (!safe) {
+    return 'appRoutes';
+  }
+
+  return `${safe.charAt(0).toLowerCase()}${safe.slice(1)}`;
+}
+
+async function readDefaultExport(filePath) {
+  const moduleUrl = `${pathToFileURL(filePath).href}?t=${Date.now()}`;
+  const loaded = await import(moduleUrl);
+  return loaded?.default;
+}
+
+export async function detectSettingsMode(projectRoot) {
+  const single = path.join(projectRoot, 'settings.js');
+  const split = path.join(projectRoot, 'settings', 'apps.js');
+
+  if (await exists(single)) {
+    return { mode: 'single', file: single };
+  }
+
+  if (await exists(split)) {
+    return { mode: 'split', file: split };
+  }
+
+  throw new Error(`Not an AegisNode project root: missing ${single} (or legacy ${split})`);
+}
+
+export async function readAppsConfig(settingsMode) {
+  const normalizeApp = (entry) => {
+    if (!entry || typeof entry !== 'object' || typeof entry.name !== 'string') {
+      return null;
+    }
+
+    ensureValidName(entry.name, 'app');
+    return {
+      name: entry.name,
+      mount: normalizeMountPath(entry.mount || `/${entry.name}`),
+    };
+  };
+
+  if (settingsMode.mode === 'single') {
+    const settings = await readDefaultExport(settingsMode.file);
+    const apps = settings?.apps;
+
+    if (!Array.isArray(apps)) {
+      throw new Error(`settings.js must export { apps: [] }. File: ${settingsMode.file}`);
+    }
+
+    return apps.map(normalizeApp).filter(Boolean);
+  }
+
+  const apps = await readDefaultExport(settingsMode.file);
+  if (!Array.isArray(apps)) {
+    throw new Error(`settings/apps.js must export an array. File: ${settingsMode.file}`);
+  }
+
+  return apps.map(normalizeApp).filter(Boolean);
+}
+
+async function updateSingleSettingsApps(settingsFile, apps) {
+  const current = await fs.readFile(settingsFile, 'utf8');
+
+  if (!current.includes(APPS_START) || !current.includes(APPS_END)) {
+    throw new Error(`settings.js is missing ${APPS_START}/${APPS_END} markers: ${settingsFile}`);
+  }
+
+  const replacement = `${APPS_START}\n${renderAppEntries(apps)}\n    ${APPS_END}`;
+  const updated = current.replace(/\/\/ AEGIS_APPS_START[\s\S]*?\/\/ AEGIS_APPS_END/m, replacement);
+
+  await writeFile(settingsFile, updated);
+}
+
+export async function updateAppRegistry(projectRoot, apps, settingsMode) {
+  if (settingsMode.mode === 'single') {
+    await updateSingleSettingsApps(settingsMode.file, apps);
+    return;
+  }
+
+  await writeFile(path.join(projectRoot, 'settings', 'apps.js'), renderSettingsApps(apps));
+}
+
+export function getAppScaffoldEntries(appName) {
+  const appRoot = path.join('apps', appName);
+  return [
+    {
+      target: path.join(appRoot, 'views.js'),
+      content: renderAppViewsFile(appName),
+    },
+    {
+      target: path.join(appRoot, 'models.js'),
+      content: renderAppModelsFile(appName),
+    },
+    {
+      target: path.join(appRoot, 'validators.js'),
+      content: renderAppValidatorsFile(appName),
+    },
+    {
+      target: path.join(appRoot, 'services.js'),
+      content: renderAppServicesFile(appName),
+    },
+    {
+      target: path.join(appRoot, 'utils.js'),
+      content: renderAppUtilsFile(),
+    },
+    {
+      target: path.join(appRoot, 'subscribers.js'),
+      content: renderAppSubscribersFile(appName),
+    },
+    {
+      target: path.join(appRoot, 'routes.js'),
+      content: renderAppRoutes(appName),
+    },
+    {
+      target: path.join(appRoot, 'tests', 'models.test.js'),
+      content: renderAppModelTest(appName),
+    },
+    {
+      target: path.join(appRoot, 'tests', 'validators.test.js'),
+      content: renderAppValidatorTest(appName),
+    },
+    {
+      target: path.join(appRoot, 'tests', 'services.test.js'),
+      content: renderAppServiceTest(appName),
+    },
+    {
+      target: path.join(appRoot, 'tests', 'routes.test.js'),
+      content: renderAppRoutesTest(appName),
+    },
+  ];
+}
+
+export async function ensureAppScaffold(projectRoot, appName, { overwrite = false } = {}) {
+  ensureValidName(appName, 'app');
+
+  const appRoot = path.join(projectRoot, 'apps', appName);
+  await ensureDir(appRoot);
+  await ensureDir(path.join(appRoot, 'tests'));
+
+  const written = [];
+  const skipped = [];
+
+  for (const entry of getAppScaffoldEntries(appName)) {
+    const target = path.join(projectRoot, entry.target);
+    if (!overwrite && await exists(target)) {
+      skipped.push(target);
+      continue;
+    }
+
+    await writeFile(target, entry.content);
+    written.push(target);
+  }
+
+  return {
+    appRoot,
+    written,
+    skipped,
+  };
+}
+
+export async function updateProjectRoutesFile(projectRoot, appName, mountPath) {
+  const routesFile = path.join(projectRoot, 'routes.js');
+  if (!(await exists(routesFile))) {
+    // Keep backward compatibility for legacy projects that still use routes/index.js.
+    return {
+      routesFile,
+      updatedImport: false,
+      updatedRoute: false,
+      skipped: true,
+    };
+  }
+
+  const importName = toImportName(appName);
+  const importLine = `import ${importName} from './apps/${appName}/routes.js';`;
+  const routeLine = `    route.use(${JSON.stringify(mountPath)}, ${importName});`;
+  const routePattern = new RegExp(`route\\.use\\([^\\n]*,\\s*${escapeRegExp(importName)}\\s*\\);`);
+
+  let content = await fs.readFile(routesFile, 'utf8');
+  let updatedImport = false;
+  let updatedRoute = false;
+
+  if (!content.includes(importLine)) {
+    if (content.includes('// AEGIS_APP_IMPORTS_START') && content.includes('// AEGIS_APP_IMPORTS_END')) {
+      content = content.replace('// AEGIS_APP_IMPORTS_END', `${importLine}\n// AEGIS_APP_IMPORTS_END`);
+    } else {
+      content = `${importLine}\n${content}`;
+    }
+    updatedImport = true;
+  }
+
+  if (!routePattern.test(content)) {
+    if (content.includes('// AEGIS_PROJECT_APP_ROUTES_START') && content.includes('// AEGIS_PROJECT_APP_ROUTES_END')) {
+      content = content.replace('    // AEGIS_PROJECT_APP_ROUTES_END', `${routeLine}\n    // AEGIS_PROJECT_APP_ROUTES_END`);
+      updatedRoute = true;
+    } else {
+      const match = content.match(/register\s*\([^)]*\)\s*{[\s\S]*?\n\s*}/m);
+      if (match) {
+        content = content.replace(match[0], `${match[0]}\n${routeLine}`);
+        updatedRoute = true;
+      }
+    }
+  }
+
+  if (updatedImport || updatedRoute) {
+    await writeFile(routesFile, content);
+  }
+
+  return {
+    routesFile,
+    updatedImport,
+    updatedRoute,
+    skipped: false,
+  };
+}

package/src/cli/utils/scaffolds.js

@@ -53,7 +53,7 @@ export function renderProjectLoaderCjs() {
 `;
 }
 
-export function renderProjectSettings(projectName, apps) {
+export function renderProjectSettings(projectName, apps, appSecret = '') {
   return `export default {
   appName: '${projectName}',
   env: process.env.NODE_ENV || 'development',
@@ -61,8 +61,9 @@ export function renderProjectSettings(projectName, apps) {
   port: process.env.PORT ? Number(process.env.PORT) : 3000,
   trustProxy: false,
   security: {
-    // Loaded from .env by default. Replace or rotate APP_SECRET in production.
-    appSecret: process.env.APP_SECRET || '',
+    // Loaded from .env by default. Scaffold also embeds the generated secret as a fallback.
+    // Replace or rotate APP_SECRET in production.
+    appSecret: process.env.APP_SECRET || ${JSON.stringify(appSecret)},
   },
   logging: {
     level: process.env.LOG_LEVEL || 'info',
@@ -402,6 +403,19 @@ export default {
 `;
 }
 
+export function renderAppUtilsFile() {
+  return `/**
+ * App-local pure utilities.
+ *
+ * Use this file for small reusable functions that belong only to this app.
+ * Keep database access in models, business workflows in services, and request
+ * validation/sanitization in validators.
+ */
+
+export {};
+`;
+}
+
 export function renderAppSubscribersFile(appName) {
   return `export default function register${toPascalCase(appName)}Subscribers({ events, logger }) {
   events.subscribe('app.booted', ({ appName }) => {

package/src/runtime/kernel.js

@@ -3148,6 +3148,16 @@ function attachCsrfProtection(expressApp, config, logger, auth = null) {
     }
 
     const provided = extractCsrfToken(req, csrfConfig);
+    if (!provided && isMultipartRequestContentType(req.headers?.['content-type'])) {
+      req.aegis = req.aegis || {};
+      req.aegis.csrf = {
+        deferredMultipart: true,
+        fieldName: csrfConfig.fieldName,
+        token,
+      };
+      return next();
+    }
+
     if (!provided || !constantTimeEqual(provided, token)) {
       return res.status(403).json({ error: 'CSRF token missing or invalid' });
     }

package/src/runtime/upload.js

@@ -120,6 +120,47 @@ function createUploadError(code, message, statusCode) {
   return error;
 }
 
+function constantTimeEqual(left, right) {
+  if (typeof left !== 'string' || typeof right !== 'string') {
+    return false;
+  }
+
+  const a = Buffer.from(left);
+  const b = Buffer.from(right);
+  if (a.length !== b.length) {
+    return false;
+  }
+
+  try {
+    return crypto.timingSafeEqual(a, b);
+  } catch {
+    return false;
+  }
+}
+
+function validateDeferredMultipartCsrf(req) {
+  const csrfState = req?.aegis?.csrf;
+  if (!csrfState || csrfState.deferredMultipart !== true) {
+    return null;
+  }
+
+  const expected = typeof csrfState.token === 'string' ? csrfState.token : '';
+  const fieldName = typeof csrfState.fieldName === 'string' && csrfState.fieldName.length > 0
+    ? csrfState.fieldName
+    : '_csrf';
+  const provided = req?.body && typeof req.body === 'object'
+    ? req.body[fieldName]
+    : '';
+
+  delete req.aegis.csrf;
+
+  if (!expected || typeof provided !== 'string' || !constantTimeEqual(provided, expected)) {
+    return createUploadError('AEGIS_CSRF_INVALID', 'CSRF token missing or invalid', 403);
+  }
+
+  return null;
+}
+
 function resolveUploadError(error) {
   if (!error) {
     return null;
@@ -207,6 +248,13 @@ function wrapUploadMiddleware(middleware) {
   return (req, res, next) => {
     middleware(req, res, (error) => {
       if (!error) {
+        const csrfError = validateDeferredMultipartCsrf(req);
+        if (csrfError) {
+          res.status(csrfError.statusCode || 403).json({
+            error: csrfError.message || 'CSRF token missing or invalid',
+          });
+          return;
+        }
         next();
         return;
       }