aiplang 2.4.0 → 2.5.0

package/README.md

@@ -8,7 +8,7 @@ cd my-app
 npx aiplang serve
 ```
 
-Ask Claude to generate a page → paste into `pages/home.flux` → see it live.
+Ask Claude to generate a page → paste into `pages/home.aiplang` → see it live.
 
 ---
 
@@ -16,9 +16,9 @@ Ask Claude to generate a page → paste into `pages/home.flux` → see it live.
 
 **aiplang** is a web language designed to be generated by AI (Claude), not written by humans.
 
-A single `.flux` file describes a complete app: frontend, backend, database, auth, email, jobs.
+A single `.aiplang` file describes a complete app: frontend, backend, database, auth, email, jobs.
 
-```flux
+```aiplang
 ~db sqlite ./app.db
 ~auth jwt $JWT_SECRET expire=7d
 ~admin /admin
@@ -83,7 +83,7 @@ npx aiplang init --template landing       # landing page template
 npx aiplang init --template crud          # CRUD app template
 npx aiplang serve                         # dev server + hot reload → localhost:3000
 npx aiplang build pages/ --out dist/      # compile → static HTML
-npx aiplang start app.flux                # full-stack server (Node.js)
+npx aiplang start app.aiplang                # full-stack server (Node.js)
 npx aiplang new dashboard                 # create new page template
 ```
 
@@ -111,13 +111,13 @@ All blocks accept: animate:fade-up class:my-class | raw{<html>} | foot{text>/pat
 
 ```
 aiplang/
-├── packages/flux-lang/           ← npm package (aiplang CLI + runtime)
+├── packages/aiplang-pkg/           ← npm package (aiplang CLI + runtime)
 │   ├── bin/aiplang.js            ← CLI: init, serve, build, new, start
 │   ├── runtime/aiplang-hydrate.js← 10KB reactive runtime
 │   ├── server/server.js          ← full-stack Node.js server
 │   └── aiplang-knowledge.md      ← Claude Project knowledge file
 ├── aiplang-go/                   ← Go compiler + server (v2)
-│   ├── compiler/compiler.go      ← .flux → AST parser
+│   ├── compiler/compiler.go      ← .aiplang → AST parser
 │   ├── server/server.go          ← Go HTTP server
 │   └── cmd/aiplangd/main.go      ← binary entrypoint
 ├── docs/                         ← GitHub Pages (aiplang.io)

package/bin/aiplang.js

@@ -5,7 +5,7 @@ const fs   = require('fs')
 const path = require('path')
 const http = require('http')
 
-const VERSION     = '2.4.0'
+const VERSION     = '2.5.0'
 const RUNTIME_DIR = path.join(__dirname, '..', 'runtime')
 const cmd         = process.argv[2]
 const args        = process.argv.slice(3)
@@ -454,7 +454,7 @@ if (cmd==='build') {
   } else if(input.endsWith('.aiplang')&&fs.existsSync(input)){ files.push(input) }
   if(!files.length){console.error(`\n  ✗  No .aiplang files in: ${input}\n`);process.exit(1)}
   const src=files.map(f=>fs.readFileSync(f,'utf8')).join('\n---\n')
-  const pages=parseFlux(src)
+  const pages=parsePages(src)
   if(!pages.length){console.error('\n  ✗  No pages found.\n');process.exit(1)}
   fs.mkdirSync(outDir,{recursive:true})
   console.log(`\n  aiplang build v${VERSION} — ${files.length} file(s)\n`)
@@ -542,7 +542,7 @@ process.exit(1)
 // PARSER
 // ═════════════════════════════════════════════════════════════════
 
-function parseFlux(src) {
+function parsePages(src) {
   return src.split(/\n---\n/).map(s=>parsePage(s.trim())).filter(Boolean)
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aiplang",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "description": "AI-first full-stack language. Frontend + Backend + DB + Auth in one file. Competes with Laravel.",
   "keywords": [
     "aiplang",

package/runtime/aiplang-runtime.js

@@ -456,7 +456,7 @@ class Renderer {
 
   render(page) {
     this.container.innerHTML = ''
-    this.container.className = `flux-root flux-theme-${page.theme}`
+    this.container.className = `aiplang-root aiplang-theme-${page.theme}`
     for (const block of page.blocks) {
       const el = this.renderBlock(block)
       if (el) this.container.appendChild(el)
@@ -1069,9 +1069,9 @@ input,button,select{font-family:inherit}
 
 function boot(src, container) {
   // Inject CSS once
-  if (!document.getElementById('flux-css')) {
+  if (!document.getElementById('aiplang-css')) {
     const style = document.createElement('style')
-    style.id = 'flux-css'
+    style.id = 'aiplang-css'
     style.textContent = CSS
     document.head.appendChild(style)
   }
@@ -1089,9 +1089,9 @@ return { boot, parseFlux, State, Renderer, Router, QueryEngine }
 
 })()
 
-// Auto-boot from <script type="text/flux">
+// Auto-boot from <script type="text/aiplang">
 document.addEventListener('DOMContentLoaded', () => {
-  const script = document.querySelector('script[type="text/flux"]')
+  const script = document.querySelector('script[type="text/aiplang"]')
   if (script) {
     const targetSel = script.getAttribute('target') || '#app'
     const container = document.querySelector(targetSel)

package/server/server.js

@@ -29,7 +29,15 @@ function persistDB() {
   if (!_db || !DB_FILE || DB_FILE === ':memory:') return
   try { fs.writeFileSync(DB_FILE, Buffer.from(_db.export())) } catch {}
 }
-function dbRun(sql, params = []) { _db.run(sql, params); persistDB() }
+let _dirty = false, _persistTimer = null
+function dbRun(sql, params = []) {
+  _db.run(sql, params)
+  _dirty = true
+  if (!_persistTimer) _persistTimer = setTimeout(() => {
+    if (_dirty) { try { persistDB() } catch {} _dirty = false }
+    _persistTimer = null
+  }, 200)
+}
 function dbAll(sql, params = []) {
   const stmt = _db.prepare(sql); stmt.bind(params)
   const rows = []; while (stmt.step()) rows.push(stmt.getAsObject()); stmt.free()
@@ -135,7 +143,10 @@ class Model {
     if (this.softDelete) conditions.push('deleted_at IS NULL')
     if (opts.where) { conditions.push(opts.where); if (opts.whereParams) params.push(...opts.whereParams) }
     if (conditions.length) sql += ` WHERE ${conditions.join(' AND ')}`
-    if (opts.order)  sql += ` ORDER BY ${opts.order}`
+    if (opts.order) {
+      const safeOrder = /^[a-zA-Z_][a-zA-Z0-9_]*(\s+(asc|desc))?$/i
+      if (safeOrder.test(String(opts.order))) sql += ` ORDER BY ${opts.order}`
+    }
     if (opts.limit)  sql += ` LIMIT ${opts.limit}`
     if (opts.offset) sql += ` OFFSET ${opts.offset}`
     return dbAll(sql, params)
@@ -276,6 +287,15 @@ function migrateModels(models) {
     if (!cols.some(c=>c.startsWith('updated_at'))) cols.push('updated_at TEXT')
     if (model.softDelete) { if (!cols.some(c=>c.startsWith('deleted_at'))) cols.push('deleted_at TEXT') }
     try { dbRun(`CREATE TABLE IF NOT EXISTS ${table} (${cols.join(', ')})`) } catch {}
+    // Auto-index on unique + indexed fields
+    for (const f of model.fields) {
+      const colName = toCol(f.name)
+      if (f.modifiers.includes('unique') || f.modifiers.includes('index')) {
+        try { dbRun(`CREATE INDEX IF NOT EXISTS idx_${table}_${colName} ON ${table}(${colName})`) } catch {}
+      }
+    }
+    // Always index created_at for pagination performance
+    try { dbRun(`CREATE INDEX IF NOT EXISTS idx_${table}_created_at ON ${table}(created_at)`) } catch {}
     console.log(`[aiplang] ✓  ${table} (${cols.length} cols${model.softDelete ? ', soft-delete' : ''})`)
     MODEL_DEFS[model.name] = { softDelete: model.softDelete, timestamps: true }
   }
@@ -796,6 +816,11 @@ class AiplangServer {
       res.writeHead(429, { 'Content-Type': 'application/json' })
       res.end(JSON.stringify({ error: 'Too many requests' })); return
     }
+    // Auto rate-limit on auth endpoints
+    if (this._authRateLimit && this._authRateLimit(req)) {
+      res.writeHead(429, { 'Content-Type': 'application/json' })
+      res.end(JSON.stringify({ error: 'Too many requests. Try again in 1 minute.' })); return
+    }
 
     // CORS — use plugin config if set, otherwise allow all
     const origins = this._corsOrigins || ['*']
@@ -1294,6 +1319,16 @@ async function startServer(aipFile, port = 3000) {
   // Events
   for (const ev of app.events) on(ev.event, (data) => console.log(`[aiplang:event] ${ev.event}:`, ev.action))
 
+  // Auth rate limiting (automatic — 20 req/min per IP on /api/auth/*)
+  const _authAttempts = {}
+  srv._authRateLimit = (req) => {
+    if (!req.path?.includes('/api/auth/')) return false
+    const ip = req.socket?.remoteAddress || 'unknown'
+    const key = `${ip}:${Math.floor(Date.now() / 60000)}`
+    _authAttempts[key] = (_authAttempts[key] || 0) + 1
+    return _authAttempts[key] > 20
+  }
+
   // Routes
   for (const route of app.apis) {
     compileRoute(route, srv)