aiplang 2.5.1 → 2.6.1

package/aiplang-knowledge.md

@@ -1,338 +1,97 @@
-# aiplang — Claude Project Knowledge
+# aiplang — syntax reference
+Generate ONLY aiplang code. No React, HTML, or other frameworks. No explanations unless asked.
 
-You are an aiplang code generator. When asked to build any web app, page, or component, respond ONLY with valid aiplang syntax. No explanation unless asked. No React, no HTML, no other frameworks.
-
----
-
-## aiplang syntax reference
-
-### File structure
-```
-~theme ...              (optional global theme vars)
-%id theme /route        (page declaration — required)
-@var = default          (reactive state)
-~mount GET /api => @var (fetch on load)
-~interval 10000 GET /api => @var (polling)
-blocks...
----                     (page separator)
-```
-
-### Backend (full-stack)
+## File structure
 ```
-~env DATABASE_URL required
-~db sqlite ./app.db          (or postgres $DATABASE_URL)
-~auth jwt $JWT_SECRET expire=7d
-~mail smtp host=smtp.mailgun.com user=$MAIL_USER pass=$MAIL_PASS
-~admin /admin                (auto admin panel)
-~middleware cors | rate-limit 100/min | log
-
-model User {
-  id         : uuid      : pk auto
-  name       : text      : required
-  email      : text      : required unique
-  password   : text      : required hashed
-  plan       : enum      : starter,pro,enterprise : default=starter
-  role       : enum      : user,admin : default=user
-  ~soft-delete
-}
-
-api POST /api/auth/register {
-  ~validate name required | email required email | password min=8
-  ~unique User email $body.email | 409
-  ~hash password
-  insert User($body)
-  ~mail $inserted.email "Welcome!" "Your account is ready."
-  return jwt($inserted) 201
-}
-
-api GET /api/users {
-  ~guard admin
-  ~query page=1 limit=20
-  return User.paginate($page, $limit)
-}
-
-api DELETE /api/users/:id {
-  ~guard auth | admin
-  delete User($id)
-}
-```
-
-### Page declaration
-`%id theme /route`
-- themes: `dark` | `light` | `acid` | `#bg,#text,#accent`
-
-### Global theme
-`~theme accent=#7c3aed radius=1.5rem font=Syne bg=#0a0a0a text=#fff surface=#111 navbg=#000 spacing=6rem`
-
-### State & data
-```
-@users = []
-@stats = {}
-~mount GET /api/users => @users
-~interval 30000 GET /api/stats => @stats
-```
-
-### S3 Storage
-```
-~s3 $AWS_ACCESS_KEY_ID secret=$AWS_SECRET_ACCESS_KEY bucket=$S3_BUCKET region=us-east-1
-~s3 bucket=my-bucket region=us-east-1 prefix=uploads/ maxSize=5mb allow=image/jpeg,image/png,application/pdf
-
-# Cloudflare R2 compatible
-~s3 $R2_KEY secret=$R2_SECRET bucket=my-bucket endpoint=https://xxx.r2.cloudflarestorage.com
-
-# MinIO local
-~s3 $KEY secret=$SECRET bucket=local endpoint=http://localhost:9000
-```
-Auto-generated routes: `POST /api/upload` | `DELETE /api/upload/:key` | `GET /api/upload/presign?key=x`
-
-Mock mode in dev: saves to `./uploads/` folder, serves via `/uploads/filename`.
-
-### Plugin System
-```
-# Built-in plugins (no file needed)
-~use logger format=tiny
-~use cors origins=https://myapp.com,https://www.myapp.com
-~use rate-limit max=100 window=60s
-~use helmet
-~use compression
-
-# Local file plugin
-~plugin ./plugins/my-plugin.js
-
-# npm package plugin
-~plugin my-aiplang-plugin
-```
-
-Plugin interface:
-```js
-// plugins/my-plugin.js
-module.exports = {
-  name: 'my-plugin',
-  setup(server, app, utils) {
-    // server.addRoute('GET', '/api/custom', handler)
-    // utils.emit, utils.on, utils.dispatch, utils.dbRun, utils.uuid
-    // utils.s3Upload, utils.generateJWT — all available
-  }
-}
-
-// Factory with options
-module.exports = (opts) => ({
-  name: 'my-plugin',
-  setup(server, app, { opts, emit }) { ... }
-})
-```
-
-### Stripe Payments
-```
-~stripe $STRIPE_SECRET_KEY webhook=$STRIPE_WEBHOOK_SECRET success=/dashboard cancel=/pricing
-~plan starter=price_xxx pro=price_yyy enterprise=price_zzz
-```
-Auto-generated routes: `POST /api/stripe/checkout` | `POST /api/stripe/portal` | `GET /api/stripe/subscription` | `DELETE /api/stripe/subscription` | `POST /api/stripe/webhook`
-
-Webhooks handled: `checkout.session.completed`, `customer.subscription.updated`, `customer.subscription.deleted`, `invoice.payment_failed`, `invoice.payment_succeeded`
-
-Guard: `~guard subscribed` — requires active subscription
-
-### All blocks
-
-**nav** — `nav{Brand>/path:Link>/path:Link}` (auto mobile hamburger)
-
-**hero** — `hero{Title|Subtitle>/path:CTA>/path:CTA2}` or `hero{Title|Sub>/path:CTA|img:https://url}` (split layout)
-
-**stats** — `stats{@stats.users:Users|@stats.mrr:MRR|99.9%:Uptime}`
-
-**rowN** — `row3{rocket>Fast>Zero config.|shield>Secure>SOC2.|chart>Smart>Real-time.} animate:stagger`
-
-**sect** — `sect{Title|Optional body text}`
-
-**table** — `table @users { Name:name | Email:email | Plan:plan | edit PUT /api/users/{id} | delete /api/users/{id} | empty: No data. }`
-
-**form** — `form POST /api/users => @users.push($result) { Name:text:Alice | Email:email | Plan:select:starter,pro,enterprise }`
-
-**form with redirect** — `form POST /api/auth/login => redirect /dashboard { Email:email | Password:password }`
-
-**pricing** — `pricing{Starter>Free>3 projects>/signup:Get started|Pro>$29/mo>Unlimited>/signup:Start trial|Enterprise>Custom>SSO>/contact:Talk}`
-
-**faq** — `faq{How to start?>Sign up free.|Cancel anytime?>Yes, one click.}`
-
-**testimonial** — `testimonial{Alice Chen, CEO @ Acme|"Changed how we ship."|img:https://i.pravatar.cc/64?img=5}`
-
-**gallery** — `gallery{https://img1.jpg | https://img2.jpg | https://img3.jpg}`
-
-**btn** — `btn{Export CSV > GET /api/export}` or `btn{Delete all > DELETE /api/items > confirm:Are you sure?}`
-
-**select** — `select @filterVar { All | Active | Inactive }`
-
-**raw** — `raw{<div style="...">Any HTML, embeds, custom components</div>}`
-
-**if** — `if @user { sect{Welcome back!} }`
-
-**foot** — `foot{© 2025 AppName>/privacy:Privacy>/terms:Terms}`
-
-### Block modifiers (suffix on any block)
-```
-hero{...} animate:blur-in
-row3{...} animate:stagger class:my-section
-sect{...} animate:fade-up
-```
-Animations: `fade-up` `fade-in` `blur-in` `slide-left` `slide-right` `zoom-in` `stagger`
-
-### Multiple pages
-```
-%home dark /
-nav{...}
-hero{...}
----
-%dashboard dark /dashboard
-@users = []
-~mount GET /api/users => @users
-table @users { ... }
----
-%login dark /login
-form POST /api/auth/login => redirect /dashboard { ... }
-```
-
----
-
-## Complete examples
-
-### SaaS with 4 pages
-```
-~theme accent=#2563eb
-~db sqlite ./app.db
+~env VAR required          # env validation
+~db sqlite ./app.db        # or: postgres $DATABASE_URL
 ~auth jwt $JWT_SECRET expire=7d
+~mail smtp host=x user=$U pass=$P
+~s3 $KEY secret=$S bucket=$B region=us-east-1 prefix=uploads/ maxSize=10mb
+~stripe $KEY webhook=$WH success=/ok cancel=/pricing
+~plan free=price_x pro=price_y
 ~admin /admin
+~use cors origins=https://x.com
+~use rate-limit max=100 window=60s
+~use helmet | ~use logger | ~use compression
+~plugin ./my-plugin.js
 
-model User {
-  id         : uuid : pk auto
-  name       : text : required
-  email      : text : required unique
-  password   : text : required hashed
-  plan       : enum : starter,pro,enterprise : default=starter
-  role       : enum : user,admin : default=user
+model Name {
+  id    : uuid  : pk auto
+  field : type  : modifier
   ~soft-delete
+  ~belongs OtherModel
 }
+# types: uuid text int float bool timestamp json enum
+# modifiers: pk auto required unique hashed default=val index
 
-api POST /api/auth/register {
-  ~validate name required | email required email | password min=8
-  ~unique User email $body.email | 409
-  ~hash password
-  insert User($body)
-  return jwt($inserted) 201
-}
-
-api POST /api/auth/login {
-  $user = User.findBy(email=$body.email)
-  ~check password $body.password $user.password | 401
+api METHOD /path/:id {
+  ~guard auth | admin | subscribed | owner
+  ~validate field required | field email | field min=8 | field numeric
+  ~query page=1 limit=20
+  ~unique Model field $body.field | 409
+  ~hash field
+  ~check password $body.pw $user.pw | 401
+  ~mail $user.email "Subject" "Body"
+  ~dispatch jobName $body
+  ~emit event.name $body
+  $var = Model.findBy(field=$body.field)
+  insert Model($body)
+  update Model($id, $body)
+  delete Model($id)
+  restore Model($id)
+  return $inserted | $updated | $auth.user | Model.all(order=created_at desc)
+  return Model.paginate($page, $limit)
+  return Model.count() | Model.sum(field) | Model.avg(field)
   return jwt($user) 200
 }
 
-api GET /api/users {
-  ~guard admin
-  return User.paginate(1, 20)
-}
-
-api GET /api/stats {
-  return User.count()
-}
-
-%home dark /
-
-@stats = {}
-~mount GET /api/stats => @stats
+%id theme /route           # dark | light | acid | #bg,#text,#accent
+~theme accent=#hex bg=#hex text=#hex font=Name radius=1rem surface=#hex navbg=#hex
+@var = []                  # state: [] or {} or "string" or 0
+~mount GET /api => @var
+~interval 10000 GET /api => @var
 
-nav{MySaaS>/pricing:Pricing>/login:Sign in>/signup:Get started}
-hero{Ship faster with AI|Zero config. Deploy in seconds.>/signup:Start free>/demo:View demo} animate:blur-in
-stats{@stats:Users|99.9%:Uptime|$49:Starting price}
-row3{rocket>Deploy instantly>Push to git, live in seconds.|shield>Enterprise ready>SOC2, GDPR, SSO built-in.|chart>Full observability>Real-time errors and performance.} animate:stagger
-testimonial{Sarah Chen, CEO @ Acme|"Cut deployment time by 90%."|img:https://i.pravatar.cc/64?img=47} animate:fade-up
-pricing{Starter>Free>3 projects>/signup:Get started|Pro>$29/mo>Unlimited>/signup:Start trial|Enterprise>Custom>SSO>/contact:Talk}
-faq{How to start?>Sign up free, no credit card.|Cancel anytime?>Yes, one click, no questions.}
-foot{© 2025 MySaaS>/privacy:Privacy>/terms:Terms}
-
----
-
-%dashboard dark /dashboard
-
-@users = []
-@stats = {}
-~mount GET /api/users => @users
-~mount GET /api/stats => @stats
-~interval 30000 GET /api/stats => @stats
-
-nav{MySaaS>/settings:Settings>/logout:Sign out}
-stats{@stats:Total users|@stats:Active|$0:MRR}
-sect{User database}
-table @users { Name:name | Email:email | Plan:plan | Status:status | edit PUT /api/users/{id} | delete /api/users/{id} | empty: No users yet. }
-sect{Add user}
-form POST /api/users => @users.push($result) { Full name:text:Alice Johnson | Email:email:alice@co.com | Plan:select:starter,pro,enterprise }
-foot{MySaaS Dashboard © 2025}
-
----
-
-%login dark /login
-
-nav{MySaaS>/signup:Create account}
-hero{Welcome back|Sign in to continue.}
-form POST /api/auth/login => redirect /dashboard { Email:email:you@company.com | Password:password: }
-foot{© 2025 MySaaS>/signup:Create account}
-
----
-
-%signup dark /signup
-
-nav{MySaaS>/login:Sign in}
-hero{Start for free|No credit card required.}
-form POST /api/auth/register => redirect /dashboard { Full name:text:Alice | Email:email:alice@co.com | Password:password: }
-foot{© 2025 MySaaS>/login:Already have an account?}
-```
-
-### Landing page with custom theme
-```
-~theme accent=#f59e0b radius=2rem font=Syne bg=#0c0a09 text=#fafaf9 surface=#1c1917
-
-%home dark /
-
-nav{Acme Studio>/work:Work>/blog:Blog>/contact:Contact}
-hero{We build things that matter|Creative studio based in São Paulo.>/work:View our work>/contact:Get in touch|img:https://images.unsplash.com/photo-1497366216548?w=800} animate:fade-in
-row3{globe>Global clients>Teams in 30+ countries.|star>Award winning>12 design awards.|check>On-time delivery>98% on schedule.} animate:stagger
-testimonial{Marco Silva, CTO @ FinTech BR|"From prototype to production in 6 weeks."|img:https://i.pravatar.cc/64?img=12}
-gallery{https://images.unsplash.com/photo-1600880292203?w=400|https://images.unsplash.com/photo-1522202176988?w=400|https://images.unsplash.com/photo-1497366412874?w=400}
-foot{© 2025 Acme Studio>/privacy:Privacy>/instagram:Instagram}
-```
-
----
-
-## Generation rules
-
-1. Always start with `%id theme /route`
-2. Use `dark` theme unless specified otherwise
-3. For dynamic data, always declare `@var = []` or `@var = {}` and use `~mount`
-4. Tables with data should always have `edit` and `delete` unless readonly
-5. Forms should have `=> @list.push($result)` or `=> redirect /path`
-6. Use real icon names: bolt rocket shield chart star check globe gear fire money bell mail user
-7. Multiple pages separated by `---`
-8. Add `animate:fade-up` or `animate:stagger` to key sections
-9. `~theme` always comes before `%` declarations
-10. Never generate explanations — only aiplang code
-11. For full-stack apps, add `~db`, `~auth`, `model` and `api` blocks before pages
-
----
-
-## Running
-
-```bash
-# Install
-npm install -g aiplang
-
-# Frontend only (static site)
-aiplang serve        # dev → localhost:3000
-aiplang build pages/ # compile → dist/
-
-# Full-stack (Node.js backend)
-aiplang start app.aiplang
-
-# Go binary (production, v2)
-aiplangd dev app.aiplang
-aiplangd build app.aiplang
-```
+blocks...
+---                        # page separator
+```
+
+## All blocks
+```
+nav{Brand>/path:Link>/path:Link}
+hero{Title|Sub>/path:CTA} | hero{Title|Sub>/path:CTA|img:https://url}
+stats{@val:Label|99%:Uptime|$0:Free}
+row2{icon>Title>Body} | row3{...} | row4{...}
+sect{Title|Optional body}
+table @list { Col:field | edit PUT /api/{id} | delete /api/{id} | empty: msg }
+form POST /api => @list.push($result) { Label:type:placeholder | Label:select:a,b,c }
+form POST /api => redirect /path { Label:type | Label:password }
+pricing{Name>Price>Desc>/path:CTA|Name>Price>Desc>/path:CTA}
+faq{Question?>Answer.|Q2?>A2.}
+testimonial{Name, Role @ Co|"Quote."|img:https://url}
+gallery{https://img1|https://img2|https://img3}
+btn{Label > METHOD /api/path} | btn{Label > DELETE /api > confirm:Sure?}
+select @filterVar { All | Active | Inactive }
+if @var { blocks }
+raw{<div>any HTML</div>}
+foot{© 2025 Name>/path:Link}
+```
+
+## Block modifiers (any block)
+`animate:fade-up | fade-in | blur-in | slide-left | slide-right | zoom-in | stagger`
+`class:my-class`
+
+## S3 auto-routes
+`POST /api/upload` · `DELETE /api/upload/:key` · `GET /api/upload/presign?key=x`
+
+## Stripe auto-routes
+`POST /api/stripe/checkout` · `POST /api/stripe/portal` · `GET /api/stripe/subscription`
+
+## Rules
+1. Dark theme default
+2. `@var = []` + `~mount` for all dynamic data
+3. Tables always have `edit` + `delete` unless readonly
+4. Forms: `=> @list.push($result)` or `=> redirect /path`
+5. `~theme` before `%` declarations
+6. Separate pages with `---`
+7. Full-stack: `~db` + `~auth` + `model` + `api` before pages

package/bin/aiplang.js

@@ -5,7 +5,7 @@ const fs   = require('fs')
 const path = require('path')
 const http = require('http')
 
-const VERSION     = '2.5.1'
+const VERSION     = '2.6.1'
 const RUNTIME_DIR = path.join(__dirname, '..', 'runtime')
 const cmd         = process.argv[2]
 const args        = process.argv.slice(3)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aiplang",
-  "version": "2.5.1",
+  "version": "2.6.1",
   "description": "AI-first full-stack language. Frontend + Backend + DB + Auth in one file. Competes with Laravel.",
   "keywords": [
     "aiplang",
@@ -38,12 +38,12 @@
     "node": ">=16"
   },
   "dependencies": {
+    "@aws-sdk/client-s3": "^3.0.0",
+    "@aws-sdk/s3-request-presigner": "^3.0.0",
     "bcryptjs": "^2.4.3",
     "jsonwebtoken": "^9.0.2",
-    "nodemailer": "^6.9.0",
+    "nodemailer": "^8.0.3",
     "sql.js": "^1.10.3",
-    "stripe": "^14.0.0",
-    "@aws-sdk/client-s3": "^3.0.0",
-    "@aws-sdk/s3-request-presigner": "^3.0.0"
+    "stripe": "^14.0.0"
   }
 }

package/runtime/aiplang-hydrate.js

@@ -77,7 +77,27 @@ function applyAction(data, target, action) {
     const pm = action.match(/^@([a-zA-Z_]+)\.push\(\$result\)$/)
     if (pm) { set(pm[1], [...(get(pm[1]) || []), data]); return }
     const fm = action.match(/^@([a-zA-Z_]+)\.filter\((.+)\)$/)
-    if (fm) { try { set(fm[1], (get(fm[1])||[]).filter(new Function('item', `return (${fm[2]})(item)`))) } catch {} return }
+    if (fm) {
+      // Safe filter: @list.filter(item.status=active) style — no eval/new Function
+      try {
+        const expr = fm[2].trim()
+        const filtered = (get(fm[1]) || []).filter(item => {
+          // Support simple: field=value or field!=value
+          const eq = expr.match(/^([a-zA-Z_.]+)\s*(!?=)\s*(.+)$/)
+          if (eq) {
+            const [, field, op, val] = eq
+            const parts = field.split('.')
+            let v = item
+            for (const p of parts) v = v?.[p]
+            const strV = String(v ?? '')
+            return op === '!=' ? strV !== val.trim() : strV === val.trim()
+          }
+          return true
+        })
+        set(fm[1], filtered)
+      } catch {}
+      return
+    }
     const am = action.match(/^@([a-zA-Z_]+)\s*=\s*\$result$/)
     if (am) { set(am[1], data); return }
   }

package/runtime/aiplang-runtime.js

@@ -100,14 +100,11 @@ class State {
   }
 
   _recompute() {
+    // Safe computed: only supports @var.path expressions, no arbitrary code
     if (!this._computedExprs) return
     for (const [name, expr] of Object.entries(this._computedExprs)) {
       try {
-        const fn = new Function(
-          ...Object.keys(this._data).map(k => '_'+k),
-          `try { return (${expr}) } catch(e) { return null }`
-        )
-        const val = fn(...Object.keys(this._data).map(k => this._data[k]))
+        const val = this.eval(expr.trim())
         if (JSON.stringify(this._computed[name]) !== JSON.stringify(val)) {
           this._computed[name] = val
           this._notify('$'+name)

package/server/server.js

@@ -53,6 +53,14 @@ const ic    = n => ({bolt:'⚡',rocket:'🚀',shield:'🛡',chart:'📊',star:'
 
 // ── JWT ───────────────────────────────────────────────────────────
 let JWT_SECRET = process.env.JWT_SECRET || 'aiplang-secret-dev'
+// Warn loudly if using dev secret in what looks like production
+if (!process.env.JWT_SECRET) {
+  if (process.env.NODE_ENV === 'production') {
+    console.error('[aiplang] FATAL: JWT_SECRET not set in production. Set JWT_SECRET env var.')
+    process.exit(1)
+  }
+  console.warn('[aiplang] WARNING: JWT_SECRET not set. Using insecure dev default. Set JWT_SECRET in .env')
+}
 let JWT_EXPIRE = '7d'
 const generateJWT = (user) => jwt.sign({ id: user.id, email: user.email, role: user.role || 'user' }, JWT_SECRET, { expiresIn: JWT_EXPIRE })
 const verifyJWT   = (token) => { try { return jwt.verify(token, JWT_SECRET) } catch { return null } }
@@ -638,7 +646,7 @@ function resolveVar(expr, ctx) {
 }
 function evalMath(expr,ctx){try{const r=expr.replace(/\$[\w.]+/g,m=>resolveVar(m,ctx)||0);return Function('"use strict";return('+r+')')()}catch{return 0}}
 function sanitize(o){if(!o)return o;const s={...o};delete s.password;return s}
-function resolveEnv(v){if(!v)return v;if(v.startsWith('$'))return process.env[v.slice(1)]||v;return v}
+function resolveEnv(v){if(!v)return v;if(v.startsWith('$'))return process.env[v.slice(1)]||null;return v}
 
 // ═══════════════════════════════════════════════════════════════════
 // AUTO ADMIN PANEL
@@ -744,9 +752,14 @@ td{padding:.875rem 1.25rem;border-bottom:1px solid rgba(255,255,255,.04);color:#
 </div>
 <script>
 const prefix = '${prefix}'
-const token = localStorage.getItem('admin_token') || ''
+// API calls use credentials:include — HttpOnly cookie is sent automatically
 async function api(method, path, body) {
-  const r = await fetch(prefix + '/api' + path, {method, headers:{'Content-Type':'application/json','Authorization':'Bearer '+token},body:body?JSON.stringify(body):undefined})
+  const r = await fetch(prefix + '/api' + path, {
+    method,
+    headers: {'Content-Type':'application/json'},
+    credentials: 'same-origin',
+    body: body ? JSON.stringify(body) : undefined
+  })
   return r.json()
 }
 async function loadModel(name, page=1) {
@@ -782,9 +795,9 @@ function renderAdminLogin(prefix) {
 <button onclick="login()">Sign in</button></div>
 <script>
 async function login(){
-  const r=await fetch('/api/auth/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value})})
+  const r=await fetch('${prefix}/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value}),credentials:'same-origin'})
   const d=await r.json()
-  if(d.token){localStorage.setItem('admin_token',d.token);location.href='${prefix}'}
+  if(d.ok){location.href='${prefix}'}
   else document.getElementById('err').textContent=d.error||'Invalid credentials'
 }
 document.addEventListener('keydown',e=>{if(e.key==='Enter')login()})
@@ -804,8 +817,14 @@ class AiplangServer {
 
     // Multipart — don't pre-parse, let S3 upload handler do it
     const isMultipart = (req.headers['content-type'] || '').includes('multipart/form-data')
-    if (req.method !== 'GET' && req.method !== 'DELETE' && !isMultipart) req.body = await parseBody(req)
-    else if (!isMultipart) req.body = {}
+    const hasJsonCT = (req.headers['content-type'] || '').includes('application/json')
+    if (req.method !== 'GET' && req.method !== 'DELETE' && !isMultipart) {
+      req.body = await parseBody(req)
+      if (req.body.__tooBig) {
+        res.writeHead(413, { 'Content-Type': 'application/json' })
+        res.end(JSON.stringify({ error: 'Request body too large' })); return
+      }
+    } else if (!isMultipart) req.body = {}
 
     const parsed = url.parse(req.url, true)
     req.query = parsed.query; req.path = parsed.pathname
@@ -825,6 +844,11 @@ class AiplangServer {
     // CORS — use plugin config if set, otherwise allow all
     const origins = this._corsOrigins || ['*']
     const origin = req.headers['origin'] || ''
+    // Warn once if using wildcard CORS in production
+    if (origins.includes('*') && process.env.NODE_ENV === 'production' && !this._corsWarned) {
+      this._corsWarned = true
+      console.warn('[aiplang] WARNING: CORS is set to * (allow all origins). Use ~use cors origins=https://yourdomain.com in production')
+    }
     const allowOrigin = origins.includes('*') ? '*' : (origins.includes(origin) ? origin : origins[0])
     res.setHeader('Access-Control-Allow-Origin', allowOrigin)
     res.setHeader('Access-Control-Allow-Methods','GET,POST,PUT,PATCH,DELETE,OPTIONS')
@@ -864,9 +888,35 @@ function matchRoute(pattern, reqPath) {
   for(let i=0;i<pp.length;i++){if(pp[i].startsWith(':'))params[pp[i].slice(1)]=rp[i];else if(pp[i]!==rp[i])return null}
   return params
 }
-function extractToken(req) { const a=req.headers.authorization; return a?.startsWith('Bearer ')?a.slice(7):null }
+function extractToken(req) {
+  // 1. Bearer token from Authorization header
+  const a = req.headers.authorization
+  if (a?.startsWith('Bearer ')) return a.slice(7)
+  // 2. HttpOnly cookie (admin panel)
+  const cookies = req.headers['cookie'] || ''
+  const adminCookie = cookies.split(';').map(s=>s.trim()).find(s=>s.startsWith('aiplang_admin='))
+  if (adminCookie) return adminCookie.slice('aiplang_admin='.length)
+  return null
+}
+const MAX_BODY_BYTES = parseInt(process.env.MAX_BODY_BYTES || '1048576') // 1MB default
 async function parseBody(req) {
-  return new Promise(r=>{let d='';req.on('data',c=>d+=c);req.on('end',()=>{try{r(JSON.parse(d))}catch{r({})}});req.on('error',()=>r({}))})
+  return new Promise((resolve) => {
+    const chunks = []
+    let size = 0, done = false
+    req.on('data', chunk => {
+      if (done) return
+      size += chunk.length
+      if (size > MAX_BODY_BYTES) { done = true; resolve({ __tooBig: true }); return }
+      chunks.push(chunk)
+    })
+    req.on('end', () => {
+      if (done) return
+      done = true
+      try { resolve(JSON.parse(Buffer.concat(chunks).toString())) }
+      catch { resolve({}) }
+    })
+    req.on('error', () => { if (!done) { done = true; resolve({}) } })
+  })
 }
 
 // ═══════════════════════════════════════════════════════════════════
@@ -954,7 +1004,7 @@ function setupS3(config) {
     endpoint: config.endpoint ? resolveEnv(config.endpoint) : null,
   }
 
-  const isMock = !S3_CONFIG.key || S3_CONFIG.key.startsWith('$') || S3_CONFIG.key.includes('mock')
+  const isMock = !S3_CONFIG.key || S3_CONFIG.key === null || S3_CONFIG.key.startsWith('$') || S3_CONFIG.key.includes('mock')
   if (isMock) {
     console.log('[aiplang] S3: mock mode (set AWS_ACCESS_KEY_ID for real storage)')
     S3_CLIENT = null
@@ -1289,6 +1339,19 @@ async function startServer(aipFile, port = 3000) {
   const app = parseApp(src)
   const srv = new AiplangServer()
 
+  // Validate required env vars up front
+  const missingEnvs = []
+  for (const envDef of app.env) {
+    if (envDef.required && !process.env[envDef.name]) {
+      missingEnvs.push(envDef.name)
+    }
+  }
+  if (missingEnvs.length) {
+    console.error(`[aiplang] FATAL: Missing required env vars: ${missingEnvs.join(', ')}`)
+    console.error('[aiplang] Set them in .env or export them before starting')
+    process.exit(1)
+  }
+
   // Auth setup
   if (app.auth) {
     JWT_SECRET = resolveEnv(app.auth.secret) || JWT_SECRET
@@ -1372,7 +1435,7 @@ async function startServer(aipFile, port = 3000) {
 
   // Health
   srv.addRoute('GET', '/health', (req, res) => res.json(200, {
-    status:'ok', version:'2.5.0',
+    status:'ok', version:'2.6.1',
     models: app.models.map(m=>m.name),
     routes: app.apis.length, pages: app.pages.length,
     admin: app.admin?.prefix || null,
@@ -1415,7 +1478,7 @@ function setupStripe(config) {
   STRIPE_CONFIG = config
   const key = resolveEnv(config.key) || ''
   // Use mock if key is placeholder, test/mock value, or SDK unavailable
-  const isMock = !key || key.startsWith('$') || key === 'sk_test_mock' || key.includes('mock')
+  const isMock = !key || key === null || key.startsWith('$') || key === 'sk_test_mock' || key.includes('mock')
   if (isMock) {
     console.log('[aiplang] Stripe: mock mode (set STRIPE_SECRET_KEY for real payments)')
     STRIPE = null // will use mockStripe()