npm - aiplang - Versions diffs - 2.6.0 → 2.6.1 - Mend

aiplang 2.6.0 → 2.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/aiplang-knowledge.md +85 -326
package/bin/aiplang.js +1 -1
package/package.json +5 -5
package/runtime/aiplang-runtime.js +2 -5
package/server/server.js +20 -14

package/aiplang-knowledge.md CHANGED Viewed

@@ -1,338 +1,97 @@
-# aiplang — Claude Project Knowledge
+# aiplang — syntax reference
+Generate ONLY aiplang code. No React, HTML, or other frameworks. No explanations unless asked.
-You are an aiplang code generator. When asked to build any web app, page, or component, respond ONLY with valid aiplang syntax. No explanation unless asked. No React, no HTML, no other frameworks.
----
-## aiplang syntax reference
-### File structure
-```
-~theme ...              (optional global theme vars)
-%id theme /route        (page declaration — required)
-@var = default          (reactive state)
-~mount GET /api => @var (fetch on load)
-~interval 10000 GET /api => @var (polling)
-blocks...
----                     (page separator)
-```
-### Backend (full-stack)
+## File structure
 ```
-~env DATABASE_URL required
-~db sqlite ./app.db          (or postgres $DATABASE_URL)
-~auth jwt $JWT_SECRET expire=7d
-~mail smtp host=smtp.mailgun.com user=$MAIL_USER pass=$MAIL_PASS
-~admin /admin                (auto admin panel)
-~middleware cors | rate-limit 100/min | log
-model User {
-  id         : uuid      : pk auto
-  name       : text      : required
-  email      : text      : required unique
-  password   : text      : required hashed
-  plan       : enum      : starter,pro,enterprise : default=starter
-  role       : enum      : user,admin : default=user
-  ~soft-delete
-}
-api POST /api/auth/register {
-  ~validate name required | email required email | password min=8
-  ~unique User email $body.email | 409
-  ~hash password
-  insert User($body)
-  ~mail $inserted.email "Welcome!" "Your account is ready."
-  return jwt($inserted) 201
-}
-api GET /api/users {
-  ~guard admin
-  ~query page=1 limit=20
-  return User.paginate($page, $limit)
-}
-api DELETE /api/users/:id {
-  ~guard auth | admin
-  delete User($id)
-}
-```
-### Page declaration
-`%id theme /route`
-- themes: `dark` | `light` | `acid` | `#bg,#text,#accent`
-### Global theme
-`~theme accent=#7c3aed radius=1.5rem font=Syne bg=#0a0a0a text=#fff surface=#111 navbg=#000 spacing=6rem`
-### State & data
-```
-@users = []
-@stats = {}
-~mount GET /api/users => @users
-~interval 30000 GET /api/stats => @stats
-```
-### S3 Storage
-```
-~s3 $AWS_ACCESS_KEY_ID secret=$AWS_SECRET_ACCESS_KEY bucket=$S3_BUCKET region=us-east-1
-~s3 bucket=my-bucket region=us-east-1 prefix=uploads/ maxSize=5mb allow=image/jpeg,image/png,application/pdf
-# Cloudflare R2 compatible
-~s3 $R2_KEY secret=$R2_SECRET bucket=my-bucket endpoint=https://xxx.r2.cloudflarestorage.com
-# MinIO local
-~s3 $KEY secret=$SECRET bucket=local endpoint=http://localhost:9000
-```
-Auto-generated routes: `POST /api/upload` | `DELETE /api/upload/:key` | `GET /api/upload/presign?key=x`
-Mock mode in dev: saves to `./uploads/` folder, serves via `/uploads/filename`.
-### Plugin System
-```
-# Built-in plugins (no file needed)
-~use logger format=tiny
-~use cors origins=https://myapp.com,https://www.myapp.com
-~use rate-limit max=100 window=60s
-~use helmet
-~use compression
-# Local file plugin
-~plugin ./plugins/my-plugin.js
-# npm package plugin
-~plugin my-aiplang-plugin
-```
-Plugin interface:
-```js
-// plugins/my-plugin.js
-module.exports = {
-  name: 'my-plugin',
-  setup(server, app, utils) {
-    // server.addRoute('GET', '/api/custom', handler)
-    // utils.emit, utils.on, utils.dispatch, utils.dbRun, utils.uuid
-    // utils.s3Upload, utils.generateJWT — all available
-  }
-}
-// Factory with options
-module.exports = (opts) => ({
-  name: 'my-plugin',
-  setup(server, app, { opts, emit }) { ... }
-})
-```
-### Stripe Payments
-```
-~stripe $STRIPE_SECRET_KEY webhook=$STRIPE_WEBHOOK_SECRET success=/dashboard cancel=/pricing
-~plan starter=price_xxx pro=price_yyy enterprise=price_zzz
-```
-Auto-generated routes: `POST /api/stripe/checkout` | `POST /api/stripe/portal` | `GET /api/stripe/subscription` | `DELETE /api/stripe/subscription` | `POST /api/stripe/webhook`
-Webhooks handled: `checkout.session.completed`, `customer.subscription.updated`, `customer.subscription.deleted`, `invoice.payment_failed`, `invoice.payment_succeeded`
-Guard: `~guard subscribed` — requires active subscription
-### All blocks
-**nav** — `nav{Brand>/path:Link>/path:Link}` (auto mobile hamburger)
-**hero** — `hero{Title|Subtitle>/path:CTA>/path:CTA2}` or `hero{Title|Sub>/path:CTA|img:https://url}` (split layout)
-**stats** — `stats{@stats.users:Users|@stats.mrr:MRR|99.9%:Uptime}`
-**rowN** — `row3{rocket>Fast>Zero config.|shield>Secure>SOC2.|chart>Smart>Real-time.} animate:stagger`
-**sect** — `sect{Title|Optional body text}`
-**table** — `table @users { Name:name | Email:email | Plan:plan | edit PUT /api/users/{id} | delete /api/users/{id} | empty: No data. }`
-**form** — `form POST /api/users => @users.push($result) { Name:text:Alice | Email:email | Plan:select:starter,pro,enterprise }`
-**form with redirect** — `form POST /api/auth/login => redirect /dashboard { Email:email | Password:password }`
-**pricing** — `pricing{Starter>Free>3 projects>/signup:Get started|Pro>$29/mo>Unlimited>/signup:Start trial|Enterprise>Custom>SSO>/contact:Talk}`
-**faq** — `faq{How to start?>Sign up free.|Cancel anytime?>Yes, one click.}`
-**testimonial** — `testimonial{Alice Chen, CEO @ Acme|"Changed how we ship."|img:https://i.pravatar.cc/64?img=5}`
-**gallery** — `gallery{https://img1.jpg | https://img2.jpg | https://img3.jpg}`
-**btn** — `btn{Export CSV > GET /api/export}` or `btn{Delete all > DELETE /api/items > confirm:Are you sure?}`
-**select** — `select @filterVar { All | Active | Inactive }`
-**raw** — `raw{<div style="...">Any HTML, embeds, custom components</div>}`
-**if** — `if @user { sect{Welcome back!} }`
-**foot** — `foot{© 2025 AppName>/privacy:Privacy>/terms:Terms}`
-### Block modifiers (suffix on any block)
-```
-hero{...} animate:blur-in
-row3{...} animate:stagger class:my-section
-sect{...} animate:fade-up
-```
-Animations: `fade-up` `fade-in` `blur-in` `slide-left` `slide-right` `zoom-in` `stagger`
-### Multiple pages
-```
-%home dark /
-nav{...}
-hero{...}
----
-%dashboard dark /dashboard
-@users = []
-~mount GET /api/users => @users
-table @users { ... }
----
-%login dark /login
-form POST /api/auth/login => redirect /dashboard { ... }
-```
----
-## Complete examples
-### SaaS with 4 pages
-```
-~theme accent=#2563eb
-~db sqlite ./app.db
+~env VAR required          # env validation
+~db sqlite ./app.db        # or: postgres $DATABASE_URL
 ~auth jwt $JWT_SECRET expire=7d
+~mail smtp host=x user=$U pass=$P
+~s3 $KEY secret=$S bucket=$B region=us-east-1 prefix=uploads/ maxSize=10mb
+~stripe $KEY webhook=$WH success=/ok cancel=/pricing
+~plan free=price_x pro=price_y
 ~admin /admin
+~use cors origins=https://x.com
+~use rate-limit max=100 window=60s
+~use helmet | ~use logger | ~use compression
+~plugin ./my-plugin.js
-model User {
-  id         : uuid : pk auto
-  name       : text : required
-  email      : text : required unique
-  password   : text : required hashed
-  plan       : enum : starter,pro,enterprise : default=starter
-  role       : enum : user,admin : default=user
+model Name {
+  id    : uuid  : pk auto
+  field : type  : modifier
   ~soft-delete
+  ~belongs OtherModel
 }
+# types: uuid text int float bool timestamp json enum
+# modifiers: pk auto required unique hashed default=val index
-api POST /api/auth/register {
-  ~validate name required | email required email | password min=8
-  ~unique User email $body.email | 409
-  ~hash password
-  insert User($body)
-  return jwt($inserted) 201
-}
-api POST /api/auth/login {
-  $user = User.findBy(email=$body.email)
-  ~check password $body.password $user.password | 401
+api METHOD /path/:id {
+  ~guard auth | admin | subscribed | owner
+  ~validate field required | field email | field min=8 | field numeric
+  ~query page=1 limit=20
+  ~unique Model field $body.field | 409
+  ~hash field
+  ~check password $body.pw $user.pw | 401
+  ~mail $user.email "Subject" "Body"
+  ~dispatch jobName $body
+  ~emit event.name $body
+  $var = Model.findBy(field=$body.field)
+  insert Model($body)
+  update Model($id, $body)
+  delete Model($id)
+  restore Model($id)
+  return $inserted | $updated | $auth.user | Model.all(order=created_at desc)
+  return Model.paginate($page, $limit)
+  return Model.count() | Model.sum(field) | Model.avg(field)
   return jwt($user) 200
 }
-api GET /api/users {
-  ~guard admin
-  return User.paginate(1, 20)
-}
-api GET /api/stats {
-  return User.count()
-}
-%home dark /
-@stats = {}
-~mount GET /api/stats => @stats
+%id theme /route           # dark | light | acid | #bg,#text,#accent
+~theme accent=#hex bg=#hex text=#hex font=Name radius=1rem surface=#hex navbg=#hex
+@var = []                  # state: [] or {} or "string" or 0
+~mount GET /api => @var
+~interval 10000 GET /api => @var
-nav{MySaaS>/pricing:Pricing>/login:Sign in>/signup:Get started}
-hero{Ship faster with AI|Zero config. Deploy in seconds.>/signup:Start free>/demo:View demo} animate:blur-in
-stats{@stats:Users|99.9%:Uptime|$49:Starting price}
-row3{rocket>Deploy instantly>Push to git, live in seconds.|shield>Enterprise ready>SOC2, GDPR, SSO built-in.|chart>Full observability>Real-time errors and performance.} animate:stagger
-testimonial{Sarah Chen, CEO @ Acme|"Cut deployment time by 90%."|img:https://i.pravatar.cc/64?img=47} animate:fade-up
-pricing{Starter>Free>3 projects>/signup:Get started|Pro>$29/mo>Unlimited>/signup:Start trial|Enterprise>Custom>SSO>/contact:Talk}
-faq{How to start?>Sign up free, no credit card.|Cancel anytime?>Yes, one click, no questions.}
-foot{© 2025 MySaaS>/privacy:Privacy>/terms:Terms}
----
-%dashboard dark /dashboard
-@users = []
-@stats = {}
-~mount GET /api/users => @users
-~mount GET /api/stats => @stats
-~interval 30000 GET /api/stats => @stats
-nav{MySaaS>/settings:Settings>/logout:Sign out}
-stats{@stats:Total users|@stats:Active|$0:MRR}
-sect{User database}
-table @users { Name:name | Email:email | Plan:plan | Status:status | edit PUT /api/users/{id} | delete /api/users/{id} | empty: No users yet. }
-sect{Add user}
-form POST /api/users => @users.push($result) { Full name:text:Alice Johnson | Email:email:alice@co.com | Plan:select:starter,pro,enterprise }
-foot{MySaaS Dashboard © 2025}
----
-%login dark /login
-nav{MySaaS>/signup:Create account}
-hero{Welcome back|Sign in to continue.}
-form POST /api/auth/login => redirect /dashboard { Email:email:you@company.com | Password:password: }
-foot{© 2025 MySaaS>/signup:Create account}
----
-%signup dark /signup
-nav{MySaaS>/login:Sign in}
-hero{Start for free|No credit card required.}
-form POST /api/auth/register => redirect /dashboard { Full name:text:Alice | Email:email:alice@co.com | Password:password: }
-foot{© 2025 MySaaS>/login:Already have an account?}
-```
-### Landing page with custom theme
-```
-~theme accent=#f59e0b radius=2rem font=Syne bg=#0c0a09 text=#fafaf9 surface=#1c1917
-%home dark /
-nav{Acme Studio>/work:Work>/blog:Blog>/contact:Contact}
-hero{We build things that matter|Creative studio based in São Paulo.>/work:View our work>/contact:Get in touch|img:https://images.unsplash.com/photo-1497366216548?w=800} animate:fade-in
-row3{globe>Global clients>Teams in 30+ countries.|star>Award winning>12 design awards.|check>On-time delivery>98% on schedule.} animate:stagger
-testimonial{Marco Silva, CTO @ FinTech BR|"From prototype to production in 6 weeks."|img:https://i.pravatar.cc/64?img=12}
-gallery{https://images.unsplash.com/photo-1600880292203?w=400|https://images.unsplash.com/photo-1522202176988?w=400|https://images.unsplash.com/photo-1497366412874?w=400}
-foot{© 2025 Acme Studio>/privacy:Privacy>/instagram:Instagram}
-```
----
-## Generation rules
-1. Always start with `%id theme /route`
-2. Use `dark` theme unless specified otherwise
-3. For dynamic data, always declare `@var = []` or `@var = {}` and use `~mount`
-4. Tables with data should always have `edit` and `delete` unless readonly
-5. Forms should have `=> @list.push($result)` or `=> redirect /path`
-6. Use real icon names: bolt rocket shield chart star check globe gear fire money bell mail user
-7. Multiple pages separated by `---`
-8. Add `animate:fade-up` or `animate:stagger` to key sections
-9. `~theme` always comes before `%` declarations
-10. Never generate explanations — only aiplang code
-11. For full-stack apps, add `~db`, `~auth`, `model` and `api` blocks before pages
----
-## Running
-```bash
-# Install
-npm install -g aiplang
-# Frontend only (static site)
-aiplang serve        # dev → localhost:3000
-aiplang build pages/ # compile → dist/
-# Full-stack (Node.js backend)
-aiplang start app.aiplang
-# Go binary (production, v2)
-aiplangd dev app.aiplang
-aiplangd build app.aiplang
-```
+blocks...
+---                        # page separator
+```
+## All blocks
+```
+nav{Brand>/path:Link>/path:Link}
+hero{Title|Sub>/path:CTA} | hero{Title|Sub>/path:CTA|img:https://url}
+stats{@val:Label|99%:Uptime|$0:Free}
+row2{icon>Title>Body} | row3{...} | row4{...}
+sect{Title|Optional body}
+table @list { Col:field | edit PUT /api/{id} | delete /api/{id} | empty: msg }
+form POST /api => @list.push($result) { Label:type:placeholder | Label:select:a,b,c }
+form POST /api => redirect /path { Label:type | Label:password }
+pricing{Name>Price>Desc>/path:CTA|Name>Price>Desc>/path:CTA}
+faq{Question?>Answer.|Q2?>A2.}
+testimonial{Name, Role @ Co|"Quote."|img:https://url}
+gallery{https://img1|https://img2|https://img3}
+btn{Label > METHOD /api/path} | btn{Label > DELETE /api > confirm:Sure?}
+select @filterVar { All | Active | Inactive }
+if @var { blocks }
+raw{<div>any HTML</div>}
+foot{© 2025 Name>/path:Link}
+```
+## Block modifiers (any block)
+`animate:fade-up | fade-in | blur-in | slide-left | slide-right | zoom-in | stagger`
+`class:my-class`
+## S3 auto-routes
+`POST /api/upload` · `DELETE /api/upload/:key` · `GET /api/upload/presign?key=x`
+## Stripe auto-routes
+`POST /api/stripe/checkout` · `POST /api/stripe/portal` · `GET /api/stripe/subscription`
+## Rules
+1. Dark theme default
+2. `@var = []` + `~mount` for all dynamic data
+3. Tables always have `edit` + `delete` unless readonly
+4. Forms: `=> @list.push($result)` or `=> redirect /path`
+5. `~theme` before `%` declarations
+6. Separate pages with `---`
+7. Full-stack: `~db` + `~auth` + `model` + `api` before pages

package/bin/aiplang.js CHANGED Viewed

@@ -5,7 +5,7 @@ const fs   = require('fs')
 const path = require('path')
 const http = require('http')
-const VERSION     = '2.6.0'
+const VERSION     = '2.6.1'
 const RUNTIME_DIR = path.join(__dirname, '..', 'runtime')
 const cmd         = process.argv[2]
 const args        = process.argv.slice(3)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aiplang",
-  "version": "2.6.0",
+  "version": "2.6.1",
   "description": "AI-first full-stack language. Frontend + Backend + DB + Auth in one file. Competes with Laravel.",
   "keywords": [
     "aiplang",
@@ -38,12 +38,12 @@
     "node": ">=16"
   },
   "dependencies": {
+    "@aws-sdk/client-s3": "^3.0.0",
+    "@aws-sdk/s3-request-presigner": "^3.0.0",
     "bcryptjs": "^2.4.3",
     "jsonwebtoken": "^9.0.2",
-    "nodemailer": "^6.9.0",
+    "nodemailer": "^8.0.3",
     "sql.js": "^1.10.3",
-    "stripe": "^14.0.0",
-    "@aws-sdk/client-s3": "^3.0.0",
-    "@aws-sdk/s3-request-presigner": "^3.0.0"
+    "stripe": "^14.0.0"
   }
 }

package/runtime/aiplang-runtime.js CHANGED Viewed

@@ -100,14 +100,11 @@ class State {
   }
   _recompute() {
+    // Safe computed: only supports @var.path expressions, no arbitrary code
     if (!this._computedExprs) return
     for (const [name, expr] of Object.entries(this._computedExprs)) {
       try {
-        const fn = new Function(
-          ...Object.keys(this._data).map(k => '_'+k),
-          `try { return (${expr}) } catch(e) { return null }`
-        )
-        const val = fn(...Object.keys(this._data).map(k => this._data[k]))
+        const val = this.eval(expr.trim())
         if (JSON.stringify(this._computed[name]) !== JSON.stringify(val)) {
           this._computed[name] = val
           this._notify('$'+name)

package/server/server.js CHANGED Viewed

@@ -752,13 +752,14 @@ td{padding:.875rem 1.25rem;border-bottom:1px solid rgba(255,255,255,.04);color:#
 </div>
 <script>
 const prefix = '${prefix}'
-// Token from cookie (set by login) or fallback to localStorage for compat
-function getAdminToken() {
-  const cookie = document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('aiplang_admin='))
-  return cookie ? cookie.split('=')[1] : (localStorage.getItem('admin_token') || '')
-}
+// API calls use credentials:include — HttpOnly cookie is sent automatically
 async function api(method, path, body) {
-  const r = await fetch(prefix + '/api' + path, {method, headers:{'Content-Type':'application/json','Authorization':'Bearer '+getAdminToken()},body:body?JSON.stringify(body):undefined})
+  const r = await fetch(prefix + '/api' + path, {
+    method,
+    headers: {'Content-Type':'application/json'},
+    credentials: 'same-origin',
+    body: body ? JSON.stringify(body) : undefined
+  })
   return r.json()
 }
 async function loadModel(name, page=1) {
@@ -794,13 +795,9 @@ function renderAdminLogin(prefix) {
 <button onclick="login()">Sign in</button></div>
 <script>
 async function login(){
-  const r=await fetch('/api/auth/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value})})
+  const r=await fetch('${prefix}/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value}),credentials:'same-origin'})
   const d=await r.json()
-  if(d.token){
-    localStorage.setItem('admin_token',d.token);
-    document.cookie='aiplang_admin='+d.token+';path=/;SameSite=Strict;max-age=86400';
-    location.href='${prefix}'
-  }
+  if(d.ok){location.href='${prefix}'}
   else document.getElementById('err').textContent=d.error||'Invalid credentials'
 }
 document.addEventListener('keydown',e=>{if(e.key==='Enter')login()})
@@ -891,7 +888,16 @@ function matchRoute(pattern, reqPath) {
   for(let i=0;i<pp.length;i++){if(pp[i].startsWith(':'))params[pp[i].slice(1)]=rp[i];else if(pp[i]!==rp[i])return null}
   return params
 }
-function extractToken(req) { const a=req.headers.authorization; return a?.startsWith('Bearer ')?a.slice(7):null }
+function extractToken(req) {
+  // 1. Bearer token from Authorization header
+  const a = req.headers.authorization
+  if (a?.startsWith('Bearer ')) return a.slice(7)
+  // 2. HttpOnly cookie (admin panel)
+  const cookies = req.headers['cookie'] || ''
+  const adminCookie = cookies.split(';').map(s=>s.trim()).find(s=>s.startsWith('aiplang_admin='))
+  if (adminCookie) return adminCookie.slice('aiplang_admin='.length)
+  return null
+}
 const MAX_BODY_BYTES = parseInt(process.env.MAX_BODY_BYTES || '1048576') // 1MB default
 async function parseBody(req) {
   return new Promise((resolve) => {
@@ -1429,7 +1435,7 @@ async function startServer(aipFile, port = 3000) {
   // Health
   srv.addRoute('GET', '/health', (req, res) => res.json(200, {
-    status:'ok', version:'2.6.0',
+    status:'ok', version:'2.6.1',
     models: app.models.map(m=>m.name),
     routes: app.apis.length, pages: app.pages.length,
     admin: app.admin?.prefix || null,