aiplang 2.6.0 → 2.6.2

package/README.md

@@ -8,7 +8,7 @@ cd my-app
 npx aiplang serve
 ```
 
-Ask Claude to generate a page → paste into `pages/home.aiplang` → see it live.
+Ask Claude to generate a page → paste into `pages/home.aip` → see it live.
 
 ---
 
@@ -16,9 +16,9 @@ Ask Claude to generate a page → paste into `pages/home.aiplang` → see it liv
 
 **aiplang** is a web language designed to be generated by AI (Claude), not written by humans.
 
-A single `.aiplang` file describes a complete app: frontend, backend, database, auth, email, jobs.
+A single `.aip` file describes a complete app: frontend, backend, database, auth, email, jobs.
 
-```aiplang
+```aip
 ~db sqlite ./app.db
 ~auth jwt $JWT_SECRET expire=7d
 ~admin /admin
@@ -83,7 +83,7 @@ npx aiplang init --template landing       # landing page template
 npx aiplang init --template crud          # CRUD app template
 npx aiplang serve                         # dev server + hot reload → localhost:3000
 npx aiplang build pages/ --out dist/      # compile → static HTML
-npx aiplang start app.aiplang                # full-stack server (Node.js)
+npx aiplang start app.aip                # full-stack server (Node.js)
 npx aiplang new dashboard                 # create new page template
 ```
 
@@ -117,7 +117,7 @@ aiplang/
 │   ├── server/server.js          ← full-stack Node.js server
 │   └── aiplang-knowledge.md      ← Claude Project knowledge file
 ├── aiplang-go/                   ← Go compiler + server (v2)
-│   ├── compiler/compiler.go      ← .aiplang → AST parser
+│   ├── compiler/compiler.go      ← .aip → AST parser
 │   ├── server/server.go          ← Go HTTP server
 │   └── cmd/aiplangd/main.go      ← binary entrypoint
 ├── docs/                         ← GitHub Pages (aiplang.io)

package/aiplang-knowledge.md

@@ -1,338 +1,98 @@
-# aiplang — Claude Project Knowledge
+# aiplang — syntax reference
+File extension: `.aip` (e.g. `app.aip`, `home.aip`)
+Generate ONLY aiplang code. No React, HTML, or other frameworks. No explanations unless asked.
 
-You are an aiplang code generator. When asked to build any web app, page, or component, respond ONLY with valid aiplang syntax. No explanation unless asked. No React, no HTML, no other frameworks.
-
----
-
-## aiplang syntax reference
-
-### File structure
-```
-~theme ...              (optional global theme vars)
-%id theme /route        (page declaration — required)
-@var = default          (reactive state)
-~mount GET /api => @var (fetch on load)
-~interval 10000 GET /api => @var (polling)
-blocks...
----                     (page separator)
-```
-
-### Backend (full-stack)
+## File structure
 ```
-~env DATABASE_URL required
-~db sqlite ./app.db          (or postgres $DATABASE_URL)
-~auth jwt $JWT_SECRET expire=7d
-~mail smtp host=smtp.mailgun.com user=$MAIL_USER pass=$MAIL_PASS
-~admin /admin                (auto admin panel)
-~middleware cors | rate-limit 100/min | log
-
-model User {
-  id         : uuid      : pk auto
-  name       : text      : required
-  email      : text      : required unique
-  password   : text      : required hashed
-  plan       : enum      : starter,pro,enterprise : default=starter
-  role       : enum      : user,admin : default=user
-  ~soft-delete
-}
-
-api POST /api/auth/register {
-  ~validate name required | email required email | password min=8
-  ~unique User email $body.email | 409
-  ~hash password
-  insert User($body)
-  ~mail $inserted.email "Welcome!" "Your account is ready."
-  return jwt($inserted) 201
-}
-
-api GET /api/users {
-  ~guard admin
-  ~query page=1 limit=20
-  return User.paginate($page, $limit)
-}
-
-api DELETE /api/users/:id {
-  ~guard auth | admin
-  delete User($id)
-}
-```
-
-### Page declaration
-`%id theme /route`
-- themes: `dark` | `light` | `acid` | `#bg,#text,#accent`
-
-### Global theme
-`~theme accent=#7c3aed radius=1.5rem font=Syne bg=#0a0a0a text=#fff surface=#111 navbg=#000 spacing=6rem`
-
-### State & data
-```
-@users = []
-@stats = {}
-~mount GET /api/users => @users
-~interval 30000 GET /api/stats => @stats
-```
-
-### S3 Storage
-```
-~s3 $AWS_ACCESS_KEY_ID secret=$AWS_SECRET_ACCESS_KEY bucket=$S3_BUCKET region=us-east-1
-~s3 bucket=my-bucket region=us-east-1 prefix=uploads/ maxSize=5mb allow=image/jpeg,image/png,application/pdf
-
-# Cloudflare R2 compatible
-~s3 $R2_KEY secret=$R2_SECRET bucket=my-bucket endpoint=https://xxx.r2.cloudflarestorage.com
-
-# MinIO local
-~s3 $KEY secret=$SECRET bucket=local endpoint=http://localhost:9000
-```
-Auto-generated routes: `POST /api/upload` | `DELETE /api/upload/:key` | `GET /api/upload/presign?key=x`
-
-Mock mode in dev: saves to `./uploads/` folder, serves via `/uploads/filename`.
-
-### Plugin System
-```
-# Built-in plugins (no file needed)
-~use logger format=tiny
-~use cors origins=https://myapp.com,https://www.myapp.com
-~use rate-limit max=100 window=60s
-~use helmet
-~use compression
-
-# Local file plugin
-~plugin ./plugins/my-plugin.js
-
-# npm package plugin
-~plugin my-aiplang-plugin
-```
-
-Plugin interface:
-```js
-// plugins/my-plugin.js
-module.exports = {
-  name: 'my-plugin',
-  setup(server, app, utils) {
-    // server.addRoute('GET', '/api/custom', handler)
-    // utils.emit, utils.on, utils.dispatch, utils.dbRun, utils.uuid
-    // utils.s3Upload, utils.generateJWT — all available
-  }
-}
-
-// Factory with options
-module.exports = (opts) => ({
-  name: 'my-plugin',
-  setup(server, app, { opts, emit }) { ... }
-})
-```
-
-### Stripe Payments
-```
-~stripe $STRIPE_SECRET_KEY webhook=$STRIPE_WEBHOOK_SECRET success=/dashboard cancel=/pricing
-~plan starter=price_xxx pro=price_yyy enterprise=price_zzz
-```
-Auto-generated routes: `POST /api/stripe/checkout` | `POST /api/stripe/portal` | `GET /api/stripe/subscription` | `DELETE /api/stripe/subscription` | `POST /api/stripe/webhook`
-
-Webhooks handled: `checkout.session.completed`, `customer.subscription.updated`, `customer.subscription.deleted`, `invoice.payment_failed`, `invoice.payment_succeeded`
-
-Guard: `~guard subscribed` — requires active subscription
-
-### All blocks
-
-**nav** — `nav{Brand>/path:Link>/path:Link}` (auto mobile hamburger)
-
-**hero** — `hero{Title|Subtitle>/path:CTA>/path:CTA2}` or `hero{Title|Sub>/path:CTA|img:https://url}` (split layout)
-
-**stats** — `stats{@stats.users:Users|@stats.mrr:MRR|99.9%:Uptime}`
-
-**rowN** — `row3{rocket>Fast>Zero config.|shield>Secure>SOC2.|chart>Smart>Real-time.} animate:stagger`
-
-**sect** — `sect{Title|Optional body text}`
-
-**table** — `table @users { Name:name | Email:email | Plan:plan | edit PUT /api/users/{id} | delete /api/users/{id} | empty: No data. }`
-
-**form** — `form POST /api/users => @users.push($result) { Name:text:Alice | Email:email | Plan:select:starter,pro,enterprise }`
-
-**form with redirect** — `form POST /api/auth/login => redirect /dashboard { Email:email | Password:password }`
-
-**pricing** — `pricing{Starter>Free>3 projects>/signup:Get started|Pro>$29/mo>Unlimited>/signup:Start trial|Enterprise>Custom>SSO>/contact:Talk}`
-
-**faq** — `faq{How to start?>Sign up free.|Cancel anytime?>Yes, one click.}`
-
-**testimonial** — `testimonial{Alice Chen, CEO @ Acme|"Changed how we ship."|img:https://i.pravatar.cc/64?img=5}`
-
-**gallery** — `gallery{https://img1.jpg | https://img2.jpg | https://img3.jpg}`
-
-**btn** — `btn{Export CSV > GET /api/export}` or `btn{Delete all > DELETE /api/items > confirm:Are you sure?}`
-
-**select** — `select @filterVar { All | Active | Inactive }`
-
-**raw** — `raw{<div style="...">Any HTML, embeds, custom components</div>}`
-
-**if** — `if @user { sect{Welcome back!} }`
-
-**foot** — `foot{© 2025 AppName>/privacy:Privacy>/terms:Terms}`
-
-### Block modifiers (suffix on any block)
-```
-hero{...} animate:blur-in
-row3{...} animate:stagger class:my-section
-sect{...} animate:fade-up
-```
-Animations: `fade-up` `fade-in` `blur-in` `slide-left` `slide-right` `zoom-in` `stagger`
-
-### Multiple pages
-```
-%home dark /
-nav{...}
-hero{...}
----
-%dashboard dark /dashboard
-@users = []
-~mount GET /api/users => @users
-table @users { ... }
----
-%login dark /login
-form POST /api/auth/login => redirect /dashboard { ... }
-```
-
----
-
-## Complete examples
-
-### SaaS with 4 pages
-```
-~theme accent=#2563eb
-~db sqlite ./app.db
+~env VAR required          # env validation
+~db sqlite ./app.db        # or: postgres $DATABASE_URL
 ~auth jwt $JWT_SECRET expire=7d
+~mail smtp host=x user=$U pass=$P
+~s3 $KEY secret=$S bucket=$B region=us-east-1 prefix=uploads/ maxSize=10mb
+~stripe $KEY webhook=$WH success=/ok cancel=/pricing
+~plan free=price_x pro=price_y
 ~admin /admin
+~use cors origins=https://x.com
+~use rate-limit max=100 window=60s
+~use helmet | ~use logger | ~use compression
+~plugin ./my-plugin.js
 
-model User {
-  id         : uuid : pk auto
-  name       : text : required
-  email      : text : required unique
-  password   : text : required hashed
-  plan       : enum : starter,pro,enterprise : default=starter
-  role       : enum : user,admin : default=user
+model Name {
+  id    : uuid  : pk auto
+  field : type  : modifier
   ~soft-delete
+  ~belongs OtherModel
 }
+# types: uuid text int float bool timestamp json enum
+# modifiers: pk auto required unique hashed default=val index
 
-api POST /api/auth/register {
-  ~validate name required | email required email | password min=8
-  ~unique User email $body.email | 409
-  ~hash password
-  insert User($body)
-  return jwt($inserted) 201
-}
-
-api POST /api/auth/login {
-  $user = User.findBy(email=$body.email)
-  ~check password $body.password $user.password | 401
+api METHOD /path/:id {
+  ~guard auth | admin | subscribed | owner
+  ~validate field required | field email | field min=8 | field numeric
+  ~query page=1 limit=20
+  ~unique Model field $body.field | 409
+  ~hash field
+  ~check password $body.pw $user.pw | 401
+  ~mail $user.email "Subject" "Body"
+  ~dispatch jobName $body
+  ~emit event.name $body
+  $var = Model.findBy(field=$body.field)
+  insert Model($body)
+  update Model($id, $body)
+  delete Model($id)
+  restore Model($id)
+  return $inserted | $updated | $auth.user | Model.all(order=created_at desc)
+  return Model.paginate($page, $limit)
+  return Model.count() | Model.sum(field) | Model.avg(field)
   return jwt($user) 200
 }
 
-api GET /api/users {
-  ~guard admin
-  return User.paginate(1, 20)
-}
-
-api GET /api/stats {
-  return User.count()
-}
-
-%home dark /
-
-@stats = {}
-~mount GET /api/stats => @stats
+%id theme /route           # dark | light | acid | #bg,#text,#accent
+~theme accent=#hex bg=#hex text=#hex font=Name radius=1rem surface=#hex navbg=#hex
+@var = []                  # state: [] or {} or "string" or 0
+~mount GET /api => @var
+~interval 10000 GET /api => @var
 
-nav{MySaaS>/pricing:Pricing>/login:Sign in>/signup:Get started}
-hero{Ship faster with AI|Zero config. Deploy in seconds.>/signup:Start free>/demo:View demo} animate:blur-in
-stats{@stats:Users|99.9%:Uptime|$49:Starting price}
-row3{rocket>Deploy instantly>Push to git, live in seconds.|shield>Enterprise ready>SOC2, GDPR, SSO built-in.|chart>Full observability>Real-time errors and performance.} animate:stagger
-testimonial{Sarah Chen, CEO @ Acme|"Cut deployment time by 90%."|img:https://i.pravatar.cc/64?img=47} animate:fade-up
-pricing{Starter>Free>3 projects>/signup:Get started|Pro>$29/mo>Unlimited>/signup:Start trial|Enterprise>Custom>SSO>/contact:Talk}
-faq{How to start?>Sign up free, no credit card.|Cancel anytime?>Yes, one click, no questions.}
-foot{© 2025 MySaaS>/privacy:Privacy>/terms:Terms}
-
----
-
-%dashboard dark /dashboard
-
-@users = []
-@stats = {}
-~mount GET /api/users => @users
-~mount GET /api/stats => @stats
-~interval 30000 GET /api/stats => @stats
-
-nav{MySaaS>/settings:Settings>/logout:Sign out}
-stats{@stats:Total users|@stats:Active|$0:MRR}
-sect{User database}
-table @users { Name:name | Email:email | Plan:plan | Status:status | edit PUT /api/users/{id} | delete /api/users/{id} | empty: No users yet. }
-sect{Add user}
-form POST /api/users => @users.push($result) { Full name:text:Alice Johnson | Email:email:alice@co.com | Plan:select:starter,pro,enterprise }
-foot{MySaaS Dashboard © 2025}
-
----
-
-%login dark /login
-
-nav{MySaaS>/signup:Create account}
-hero{Welcome back|Sign in to continue.}
-form POST /api/auth/login => redirect /dashboard { Email:email:you@company.com | Password:password: }
-foot{© 2025 MySaaS>/signup:Create account}
-
----
-
-%signup dark /signup
-
-nav{MySaaS>/login:Sign in}
-hero{Start for free|No credit card required.}
-form POST /api/auth/register => redirect /dashboard { Full name:text:Alice | Email:email:alice@co.com | Password:password: }
-foot{© 2025 MySaaS>/login:Already have an account?}
-```
-
-### Landing page with custom theme
-```
-~theme accent=#f59e0b radius=2rem font=Syne bg=#0c0a09 text=#fafaf9 surface=#1c1917
-
-%home dark /
-
-nav{Acme Studio>/work:Work>/blog:Blog>/contact:Contact}
-hero{We build things that matter|Creative studio based in São Paulo.>/work:View our work>/contact:Get in touch|img:https://images.unsplash.com/photo-1497366216548?w=800} animate:fade-in
-row3{globe>Global clients>Teams in 30+ countries.|star>Award winning>12 design awards.|check>On-time delivery>98% on schedule.} animate:stagger
-testimonial{Marco Silva, CTO @ FinTech BR|"From prototype to production in 6 weeks."|img:https://i.pravatar.cc/64?img=12}
-gallery{https://images.unsplash.com/photo-1600880292203?w=400|https://images.unsplash.com/photo-1522202176988?w=400|https://images.unsplash.com/photo-1497366412874?w=400}
-foot{© 2025 Acme Studio>/privacy:Privacy>/instagram:Instagram}
-```
-
----
-
-## Generation rules
-
-1. Always start with `%id theme /route`
-2. Use `dark` theme unless specified otherwise
-3. For dynamic data, always declare `@var = []` or `@var = {}` and use `~mount`
-4. Tables with data should always have `edit` and `delete` unless readonly
-5. Forms should have `=> @list.push($result)` or `=> redirect /path`
-6. Use real icon names: bolt rocket shield chart star check globe gear fire money bell mail user
-7. Multiple pages separated by `---`
-8. Add `animate:fade-up` or `animate:stagger` to key sections
-9. `~theme` always comes before `%` declarations
-10. Never generate explanations — only aiplang code
-11. For full-stack apps, add `~db`, `~auth`, `model` and `api` blocks before pages
-
----
-
-## Running
-
-```bash
-# Install
-npm install -g aiplang
-
-# Frontend only (static site)
-aiplang serve        # dev → localhost:3000
-aiplang build pages/ # compile → dist/
-
-# Full-stack (Node.js backend)
-aiplang start app.aiplang
-
-# Go binary (production, v2)
-aiplangd dev app.aiplang
-aiplangd build app.aiplang
-```
+blocks...
+---                        # page separator
+```
+
+## All blocks
+```
+nav{Brand>/path:Link>/path:Link}
+hero{Title|Sub>/path:CTA} | hero{Title|Sub>/path:CTA|img:https://url}
+stats{@val:Label|99%:Uptime|$0:Free}
+row2{icon>Title>Body} | row3{...} | row4{...}
+sect{Title|Optional body}
+table @list { Col:field | edit PUT /api/{id} | delete /api/{id} | empty: msg }
+form POST /api => @list.push($result) { Label:type:placeholder | Label:select:a,b,c }
+form POST /api => redirect /path { Label:type | Label:password }
+pricing{Name>Price>Desc>/path:CTA|Name>Price>Desc>/path:CTA}
+faq{Question?>Answer.|Q2?>A2.}
+testimonial{Name, Role @ Co|"Quote."|img:https://url}
+gallery{https://img1|https://img2|https://img3}
+btn{Label > METHOD /api/path} | btn{Label > DELETE /api > confirm:Sure?}
+select @filterVar { All | Active | Inactive }
+if @var { blocks }
+raw{<div>any HTML</div>}
+foot{© 2025 Name>/path:Link}
+```
+
+## Block modifiers (any block)
+`animate:fade-up | fade-in | blur-in | slide-left | slide-right | zoom-in | stagger`
+`class:my-class`
+
+## S3 auto-routes
+`POST /api/upload` · `DELETE /api/upload/:key` · `GET /api/upload/presign?key=x`
+
+## Stripe auto-routes
+`POST /api/stripe/checkout` · `POST /api/stripe/portal` · `GET /api/stripe/subscription`
+
+## Rules
+1. Dark theme default
+2. `@var = []` + `~mount` for all dynamic data
+3. Tables always have `edit` + `delete` unless readonly
+4. Forms: `=> @list.push($result)` or `=> redirect /path`
+5. `~theme` before `%` declarations
+6. Separate pages with `---`
+7. Full-stack: `~db` + `~auth` + `model` + `api` before pages

package/bin/aiplang.js

@@ -5,7 +5,7 @@ const fs   = require('fs')
 const path = require('path')
 const http = require('http')
 
-const VERSION     = '2.6.0'
+const VERSION     = '2.6.2'
 const RUNTIME_DIR = path.join(__dirname, '..', 'runtime')
 const cmd         = process.argv[2]
 const args        = process.argv.slice(3)
@@ -36,7 +36,7 @@ if (!cmd||cmd==='--help'||cmd==='-h') {
   Usage:
     npx aiplang init [name]                  create project (default template)
     npx aiplang init [name] --template <t>   use template: saas|landing|crud|dashboard|portfolio|blog
-    npx aiplang init [name] --template ./my.aiplang     use a local .aiplang file as template
+    npx aiplang init [name] --template ./my.aip     use a local .aip file as template
     npx aiplang init [name] --template my-custom     use a saved custom template
     npx aiplang serve [dir]                  dev server + hot reload
     npx aiplang build [dir/file]             compile → static HTML
@@ -44,16 +44,16 @@ if (!cmd||cmd==='--help'||cmd==='-h') {
     npx aiplang --version
 
   Full-stack:
-    npx aiplang start app.aiplang           start full-stack server (API + DB + frontend)
-    PORT=8080 aiplang start app.aiplang     custom port
+    npx aiplang start app.aip           start full-stack server (API + DB + frontend)
+    PORT=8080 aiplang start app.aip     custom port
 
   Templates:
     npx aiplang template list                list all templates (built-in + custom)
     npx aiplang template save <n>            save current project as template
-    npx aiplang template save <n> --from <f> save a specific .aiplang file as template
+    npx aiplang template save <n> --from <f> save a specific .aip file as template
     npx aiplang template edit <n>            open template in editor
     npx aiplang template show <n>            print template source
-    npx aiplang template export <n>          export template to .aiplang file
+    npx aiplang template export <n>          export template to .aip file
     npx aiplang template remove <n>          delete a custom template
 
   Custom template variables:
@@ -76,10 +76,10 @@ if (cmd==='--version'||cmd==='-v') { console.log(`aiplang v${VERSION}`); process
 
 // ─────────────────────────────────────────────────────────────────
 // TEMPLATE SYSTEM
-// Custom templates stored at ~/.aiplang/templates/<name>.aiplang
+// Custom templates stored at ~/.aip/templates/<name>.aip
 // ─────────────────────────────────────────────────────────────────
 
-const TEMPLATES_DIR = path.join(require('os').homedir(), '.aiplang', 'templates')
+const TEMPLATES_DIR = path.join(require('os').homedir(), '.aip', 'templates')
 
 function ensureTemplatesDir() {
   if (!fs.existsSync(TEMPLATES_DIR)) fs.mkdirSync(TEMPLATES_DIR, { recursive: true })
@@ -220,7 +220,7 @@ foot{{{name}}}`,
   default: `# {{name}}
 %home dark /
 nav{{{name}}>/login:Sign in}
-hero{Welcome to {{name}}|Edit pages/home.aiplang to get started.>/signup:Get started} animate:fade-up
+hero{Welcome to {{name}}|Edit pages/home.aip to get started.>/signup:Get started} animate:fade-up
 row3{rocket>Fast>Renders in under 1ms.|bolt>AI-native>Written by Claude in seconds.|globe>Deploy anywhere>Static files. Any host.}
 foot{© {{year}} {{name}}}`,
 }
@@ -232,15 +232,15 @@ function applyTemplateVars(src, name, year) {
 function getTemplate(tplName, name, year) {
   ensureTemplatesDir()
 
-  // 1. Local file path: --template ./my-template.aiplang or --template /abs/path.aiplang
+  // 1. Local file path: --template ./my-template.aip or --template /abs/path.aip
   if (tplName.startsWith('./') || tplName.startsWith('../') || tplName.startsWith('/')) {
     const full = path.resolve(tplName)
     if (!fs.existsSync(full)) { console.error(`\n  ✗  Template file not found: ${full}\n`); process.exit(1) }
     return applyTemplateVars(fs.readFileSync(full, 'utf8'), name, year)
   }
 
-  // 2. User custom template: ~/.aiplang/templates/<name>.aiplang
-  const customPath = path.join(TEMPLATES_DIR, tplName + '.aiplang')
+  // 2. User custom template: ~/.aip/templates/<name>.aip
+  const customPath = path.join(TEMPLATES_DIR, tplName + '.aip')
   if (fs.existsSync(customPath)) {
     return applyTemplateVars(fs.readFileSync(customPath, 'utf8'), name, year)
   }
@@ -251,7 +251,7 @@ function getTemplate(tplName, name, year) {
 
   // Not found — show what's available
   const customs = fs.existsSync(TEMPLATES_DIR)
-    ? fs.readdirSync(TEMPLATES_DIR).filter(f=>f.endsWith('.aiplang')).map(f=>f.replace('.aiplang',''))
+    ? fs.readdirSync(TEMPLATES_DIR).filter(f=>f.endsWith('.aip')).map(f=>f.replace('.aip',''))
     : []
   const all = [...Object.keys(BUILTIN_TEMPLATES).filter(k=>k!=='default'), ...customs]
   console.error(`\n  ✗  Template "${tplName}" not found.\n  Available: ${all.join(', ')}\n`)
@@ -261,7 +261,7 @@ function getTemplate(tplName, name, year) {
 function listTemplates() {
   ensureTemplatesDir()
   const builtins = Object.keys(BUILTIN_TEMPLATES).filter(k=>k!=='default')
-  const customs  = fs.readdirSync(TEMPLATES_DIR).filter(f=>f.endsWith('.aiplang')).map(f=>f.replace('.aiplang',''))
+  const customs  = fs.readdirSync(TEMPLATES_DIR).filter(f=>f.endsWith('.aip')).map(f=>f.replace('.aip',''))
   console.log(`\n  aiplang templates\n`)
   console.log(`  Built-in:`)
   builtins.forEach(t => console.log(`    ${t}`))
@@ -295,18 +295,18 @@ if (cmd === 'template') {
       if (!fs.existsSync(fp)) { console.error(`\n  ✗  File not found: ${fp}\n`); process.exit(1) }
       src = fs.readFileSync(fp, 'utf8')
     } else {
-      // Auto-detect: use pages/ directory or app.aiplang
-      const sources = ['pages', 'app.aiplang', 'index.aiplang']
+      // Auto-detect: use pages/ directory or app.aip
+      const sources = ['pages', 'app.aip', 'index.aip']
       const found = sources.find(s => fs.existsSync(s))
-      if (!found) { console.error('\n  ✗  No .aiplang files found. Use --from <file> to specify source.\n'); process.exit(1) }
+      if (!found) { console.error('\n  ✗  No .aip files found. Use --from <file> to specify source.\n'); process.exit(1) }
       if (fs.statSync(found).isDirectory()) {
-        src = fs.readdirSync(found).filter(f=>f.endsWith('.aiplang'))
+        src = fs.readdirSync(found).filter(f=>f.endsWith('.aip'))
           .map(f => fs.readFileSync(path.join(found,f),'utf8')).join('\n---\n')
       } else {
         src = fs.readFileSync(found, 'utf8')
       }
     }
-    const dest = path.join(TEMPLATES_DIR, tname + '.aiplang')
+    const dest = path.join(TEMPLATES_DIR, tname + '.aip')
     fs.writeFileSync(dest, src)
     console.log(`\n  ✓  Template saved: ${tname}\n     ${dest}\n\n  Use it: aiplang init my-app --template ${tname}\n`)
     process.exit(0)
@@ -316,7 +316,7 @@ if (cmd === 'template') {
   if (sub === 'remove' || sub === 'rm' || sub === 'delete') {
     const tname = args[1]
     if (!tname) { console.error('\n  ✗  Usage: aiplang template remove <name>\n'); process.exit(1) }
-    const dest = path.join(TEMPLATES_DIR, tname + '.aiplang')
+    const dest = path.join(TEMPLATES_DIR, tname + '.aip')
     if (!fs.existsSync(dest)) { console.error(`\n  ✗  Template "${tname}" not found.\n`); process.exit(1) }
     fs.unlinkSync(dest)
     console.log(`\n  ✓  Removed template: ${tname}\n`); process.exit(0)
@@ -326,7 +326,7 @@ if (cmd === 'template') {
   if (sub === 'edit' || sub === 'open') {
     const tname = args[1]
     if (!tname) { console.error('\n  ✗  Usage: aiplang template edit <name>\n'); process.exit(1) }
-    let dest = path.join(TEMPLATES_DIR, tname + '.aiplang')
+    let dest = path.join(TEMPLATES_DIR, tname + '.aip')
     if (!fs.existsSync(dest)) {
       // create from built-in if exists
       const builtin = BUILTIN_TEMPLATES[tname]
@@ -342,7 +342,7 @@ if (cmd === 'template') {
   // aiplang template show <name>
   if (sub === 'show' || sub === 'cat') {
     const tname = args[1] || 'default'
-    const customPath = path.join(TEMPLATES_DIR, tname + '.aiplang')
+    const customPath = path.join(TEMPLATES_DIR, tname + '.aip')
     if (fs.existsSync(customPath)) { console.log(fs.readFileSync(customPath,'utf8')); process.exit(0) }
     const builtin = BUILTIN_TEMPLATES[tname]
     if (builtin) { console.log(builtin); process.exit(0) }
@@ -354,8 +354,8 @@ if (cmd === 'template') {
     const tname = args[1]
     if (!tname) { console.error('\n  ✗  Usage: aiplang template export <name>\n'); process.exit(1) }
     const outIdx = args.indexOf('--out')
-    const outFile = outIdx !== -1 ? args[outIdx+1] : `./${tname}.aiplang`
-    const customPath = path.join(TEMPLATES_DIR, tname + '.aiplang')
+    const outFile = outIdx !== -1 ? args[outIdx+1] : `./${tname}.aip`
+    const customPath = path.join(TEMPLATES_DIR, tname + '.aip')
     const src = fs.existsSync(customPath) ? fs.readFileSync(customPath,'utf8') : BUILTIN_TEMPLATES[tname]
     if (!src) { console.error(`\n  ✗  Template "${tname}" not found.\n`); process.exit(1) }
     fs.writeFileSync(outFile, src)
@@ -384,21 +384,21 @@ if (cmd==='init') {
   const isMultiFile = tplSrc.includes('\n---\n')
 
   if (isFullStack) {
-    // Full-stack project: single app.aiplang
+    // Full-stack project: single app.aip
     fs.mkdirSync(dir, { recursive: true })
-    fs.writeFileSync(path.join(dir, 'app.aiplang'), tplSrc)
+    fs.writeFileSync(path.join(dir, 'app.aip'), tplSrc)
     fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({
       name, version:'0.1.0',
-      scripts: { dev: 'npx aiplang start app.aiplang', start: 'npx aiplang start app.aiplang' },
+      scripts: { dev: 'npx aiplang start app.aip', start: 'npx aiplang start app.aip' },
       devDependencies: { 'aiplang': `^${VERSION}` }
     }, null, 2))
     fs.writeFileSync(path.join(dir, '.env.example'), 'JWT_SECRET=change-me-in-production\n# STRIPE_SECRET_KEY=sk_test_...\n# AWS_ACCESS_KEY_ID=...\n# AWS_SECRET_ACCESS_KEY=...\n# S3_BUCKET=...\n')
     fs.writeFileSync(path.join(dir, '.gitignore'), '*.db\nnode_modules/\ndist/\n.env\nuploads/\n')
-    fs.writeFileSync(path.join(dir, 'README.md'), `# ${name}\n\nGenerated with [aiplang](https://npmjs.com/package/aiplang) v${VERSION}\n\n## Run\n\n\`\`\`bash\nnpx aiplang start app.aiplang\n\`\`\`\n`)
+    fs.writeFileSync(path.join(dir, 'README.md'), `# ${name}\n\nGenerated with [aiplang](https://npmjs.com/package/aiplang) v${VERSION}\n\n## Run\n\n\`\`\`bash\nnpx aiplang start app.aip\n\`\`\`\n`)
     const label = tplName !== 'default' ? ` (template: ${tplName})` : ''
-    console.log(`\n  ✓  Created ${name}/${label}\n\n     app.aiplang  ← full-stack app (backend + frontend)\n\n  Next:\n     cd ${name} && npx aiplang start app.aiplang\n`)
+    console.log(`\n  ✓  Created ${name}/${label}\n\n     app.aip  ← full-stack app (backend + frontend)\n\n  Next:\n     cd ${name} && npx aiplang start app.aip\n`)
   } else if (isMultiFile) {
-    // Multi-page SSG project: pages/*.aiplang
+    // Multi-page SSG project: pages/*.aip
     fs.mkdirSync(path.join(dir,'pages'), {recursive:true})
     fs.mkdirSync(path.join(dir,'public'), {recursive:true})
     for (const f of ['aiplang-runtime.js','aiplang-hydrate.js']) {
@@ -408,7 +408,7 @@ if (cmd==='init') {
     pageBlocks.forEach((block, i) => {
       const m = block.match(/^%([a-zA-Z0-9_-]+)/m)
       const pageName = m ? m[1] : (i === 0 ? 'home' : `page${i}`)
-      fs.writeFileSync(path.join(dir,'pages',`${pageName}.aiplang`), block.trim())
+      fs.writeFileSync(path.join(dir,'pages',`${pageName}.aip`), block.trim())
     })
     fs.writeFileSync(path.join(dir,'package.json'), JSON.stringify({name,version:'0.1.0',scripts:{dev:'npx aiplang serve',build:'npx aiplang build pages/ --out dist/'},devDependencies:{'aiplang':`^${VERSION}`}},null,2))
     fs.writeFileSync(path.join(dir,'.gitignore'),'dist/\nnode_modules/\n')
@@ -422,11 +422,11 @@ if (cmd==='init') {
     for (const f of ['aiplang-runtime.js','aiplang-hydrate.js']) {
       const src=path.join(RUNTIME_DIR,f); if(fs.existsSync(src)) fs.copyFileSync(src,path.join(dir,'public',f))
     }
-    fs.writeFileSync(path.join(dir,'pages','home.aiplang'), tplSrc)
+    fs.writeFileSync(path.join(dir,'pages','home.aip'), tplSrc)
     fs.writeFileSync(path.join(dir,'package.json'), JSON.stringify({name,version:'0.1.0',scripts:{dev:'npx aiplang serve',build:'npx aiplang build pages/ --out dist/'},devDependencies:{'aiplang':`^${VERSION}`}},null,2))
     fs.writeFileSync(path.join(dir,'.gitignore'),'dist/\nnode_modules/\n')
     const label = tplName !== 'default' ? ` (template: ${tplName})` : ''
-    console.log(`\n  ✓  Created ${name}/${label}\n\n     pages/home.aiplang  ← edit this\n\n  Next:\n     cd ${name} && npx aiplang serve\n`)
+    console.log(`\n  ✓  Created ${name}/${label}\n\n     pages/home.aip  ← edit this\n\n  Next:\n     cd ${name} && npx aiplang serve\n`)
   }
   process.exit(0)
 }
@@ -435,7 +435,7 @@ if (cmd==='init') {
 if (cmd==='new') {
   const name=args[0]; if(!name){console.error('\n  ✗  Usage: aiplang new <page>\n');process.exit(1)}
   const dir=fs.existsSync('pages')?'pages':'.'
-  const file=path.join(dir,`${name}.aiplang`)
+  const file=path.join(dir,`${name}.aip`)
   if(fs.existsSync(file)){console.error(`\n  ✗  ${file} exists.\n`);process.exit(1)}
   const cap=name.charAt(0).toUpperCase()+name.slice(1)
   fs.writeFileSync(file,`# ${name}\n%${name} dark /${name}\n\nnav{AppName>/home:Home}\nhero{${cap}|Description.>/action:Get started}\nfoot{© ${new Date().getFullYear()} AppName}\n`)
@@ -450,9 +450,9 @@ if (cmd==='build') {
   const input=args.filter((a,i)=>!a.startsWith('--')&&i!==outIdx+1)[0]||'pages/'
   const files=[]
   if(fs.existsSync(input)&&fs.statSync(input).isDirectory()){
-    fs.readdirSync(input).filter(f=>f.endsWith('.aiplang')).forEach(f=>files.push(path.join(input,f)))
-  } else if(input.endsWith('.aiplang')&&fs.existsSync(input)){ files.push(input) }
-  if(!files.length){console.error(`\n  ✗  No .aiplang files in: ${input}\n`);process.exit(1)}
+    fs.readdirSync(input).filter(f=>f.endsWith('.aip')).forEach(f=>files.push(path.join(input,f)))
+  } else if(input.endsWith('.aip')&&fs.existsSync(input)){ files.push(input) }
+  if(!files.length){console.error(`\n  ✗  No .aip files in: ${input}\n`);process.exit(1)}
   const src=files.map(f=>fs.readFileSync(f,'utf8')).join('\n---\n')
   const pages=parsePages(src)
   if(!pages.length){console.error('\n  ✗  No pages found.\n');process.exit(1)}
@@ -471,7 +471,7 @@ if (cmd==='build') {
   }
   const hf=path.join(RUNTIME_DIR,'aiplang-hydrate.js')
   if(fs.existsSync(hf)){const dst=path.join(outDir,'aiplang-hydrate.js');fs.copyFileSync(hf,dst);total+=fs.statSync(dst).size;console.log(`  ✓  ${dst.padEnd(40)} ${hSize(fs.statSync(dst).size)}`)}
-  if(fs.existsSync('public'))fs.readdirSync('public').filter(f=>!f.endsWith('.aiplang')).forEach(f=>fs.copyFileSync(path.join('public',f),path.join(outDir,f)))
+  if(fs.existsSync('public'))fs.readdirSync('public').filter(f=>!f.endsWith('.aip')).forEach(f=>fs.copyFileSync(path.join('public',f),path.join(outDir,f)))
   console.log(`\n  ${pages.length} page(s) — ${hSize(total)} total\n\n  Preview: npx serve ${outDir}\n  Deploy:  Vercel, Netlify, S3, any static host\n`)
   process.exit(0)
 }
@@ -480,13 +480,13 @@ if (cmd==='build') {
 if (cmd==='serve'||cmd==='dev') {
   const root=path.resolve(args[0]||'.')
   const port=parseInt(process.env.PORT||'3000')
-  const MIME={'.html':'text/html;charset=utf-8','.js':'application/javascript','.css':'text/css','.aiplang':'text/plain','.json':'application/json','.wasm':'application/wasm','.svg':'image/svg+xml','.png':'image/png','.jpg':'image/jpeg','.ico':'image/x-icon'}
+  const MIME={'.html':'text/html;charset=utf-8','.js':'application/javascript','.css':'text/css','.aip':'text/plain','.json':'application/json','.wasm':'application/wasm','.svg':'image/svg+xml','.png':'image/png','.jpg':'image/jpeg','.ico':'image/x-icon'}
   let clients=[]
   const mtimes={}
   setInterval(()=>{
     const pd=path.join(root,'pages')
     if(!fs.existsSync(pd))return
-    fs.readdirSync(pd).filter(f=>f.endsWith('.aiplang')).forEach(f=>{
+    fs.readdirSync(pd).filter(f=>f.endsWith('.aip')).forEach(f=>{
       const fp=path.join(pd,f),mt=fs.statSync(fp).mtimeMs
       if(mtimes[fp]&&mtimes[fp]!==mt)clients.forEach(c=>{try{c.write('data: reload\n\n')}catch{}})
       mtimes[fp]=mt
@@ -501,7 +501,7 @@ if (cmd==='serve'||cmd==='dev') {
     let p=req.url.split('?')[0];if(p==='/') p='/index.html'
     let fp=null
     for(const c of [path.join(root,'public',p),path.join(root,p)]){if(fs.existsSync(c)&&fs.statSync(c).isFile()){fp=c;break}}
-    if(!fp&&p.endsWith('.aiplang')){const c=path.join(root,'pages',path.basename(p));if(fs.existsSync(c))fp=c}
+    if(!fp&&p.endsWith('.aip')){const c=path.join(root,'pages',path.basename(p));if(fs.existsSync(c))fp=c}
     if(!fp){res.writeHead(404);res.end('Not found');return}
     let content=fs.readFileSync(fp)
     if(path.extname(fp)==='.html'){
@@ -510,7 +510,7 @@ if (cmd==='serve'||cmd==='dev') {
     }
     res.writeHead(200,{'Content-Type':MIME[path.extname(fp)]||'application/octet-stream','Access-Control-Allow-Origin':'*'})
     res.end(content)
-  }).listen(port,()=>console.log(`\n  ✓  aiplang dev server\n\n  →  http://localhost:${port}\n\n  Hot reload ON — edit .aiplang files and browser refreshes.\n  Ctrl+C to stop.\n`))
+  }).listen(port,()=>console.log(`\n  ✓  aiplang dev server\n\n  →  http://localhost:${port}\n\n  Hot reload ON — edit .aip files and browser refreshes.\n  Ctrl+C to stop.\n`))
   return
 }
 
@@ -518,7 +518,7 @@ if (cmd==='serve'||cmd==='dev') {
 if (cmd === 'start' || cmd === 'run') {
   const aipFile = args[0]
   if (!aipFile || !fs.existsSync(aipFile)) {
-    console.error(`\n  ✗  Usage: aiplang start <app.aiplang>\n`)
+    console.error(`\n  ✗  Usage: aiplang start <app.aip>\n`)
     process.exit(1)
   }
   const port = parseInt(process.env.PORT || args[1] || '3000')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aiplang",
-  "version": "2.6.0",
+  "version": "2.6.2",
   "description": "AI-first full-stack language. Frontend + Backend + DB + Auth in one file. Competes with Laravel.",
   "keywords": [
     "aiplang",
@@ -38,12 +38,12 @@
     "node": ">=16"
   },
   "dependencies": {
+    "@aws-sdk/client-s3": "^3.0.0",
+    "@aws-sdk/s3-request-presigner": "^3.0.0",
     "bcryptjs": "^2.4.3",
     "jsonwebtoken": "^9.0.2",
-    "nodemailer": "^6.9.0",
+    "nodemailer": "^8.0.3",
     "sql.js": "^1.10.3",
-    "stripe": "^14.0.0",
-    "@aws-sdk/client-s3": "^3.0.0",
-    "@aws-sdk/s3-request-presigner": "^3.0.0"
+    "stripe": "^14.0.0"
   }
 }

package/runtime/aiplang-runtime.js

@@ -100,14 +100,11 @@ class State {
   }
 
   _recompute() {
+    // Safe computed: only supports @var.path expressions, no arbitrary code
     if (!this._computedExprs) return
     for (const [name, expr] of Object.entries(this._computedExprs)) {
       try {
-        const fn = new Function(
-          ...Object.keys(this._data).map(k => '_'+k),
-          `try { return (${expr}) } catch(e) { return null }`
-        )
-        const val = fn(...Object.keys(this._data).map(k => this._data[k]))
+        const val = this.eval(expr.trim())
         if (JSON.stringify(this._computed[name]) !== JSON.stringify(val)) {
           this._computed[name] = val
           this._notify('$'+name)
@@ -957,108 +954,108 @@ html{scroll-behavior:smooth}
 body{font-family:-apple-system,'Segoe UI',system-ui,sans-serif;-webkit-font-smoothing:antialiased}
 a{text-decoration:none;color:inherit}
 input,button,select{font-family:inherit}
-.aiplang-root{min-height:100vh}
-.aiplang-theme-dark{background:#030712;color:#f1f5f9}
-.aiplang-theme-light{background:#fff;color:#0f172a}
-.aiplang-theme-acid{background:#000;color:#a3e635}
+.aip-root{min-height:100vh}
+.aip-theme-dark{background:#030712;color:#f1f5f9}
+.aip-theme-light{background:#fff;color:#0f172a}
+.aip-theme-acid{background:#000;color:#a3e635}
 .fx-nav{display:flex;align-items:center;justify-content:space-between;padding:1rem 2.5rem;position:sticky;top:0;z-index:50;backdrop-filter:blur(12px)}
-.aiplang-theme-dark .fx-nav{border-bottom:1px solid #1e293b;background:rgba(3,7,18,.85)}
-.aiplang-theme-light .fx-nav{border-bottom:1px solid #e2e8f0;background:rgba(255,255,255,.85)}
-.aiplang-theme-acid .fx-nav{border-bottom:1px solid #1a2e05;background:rgba(0,0,0,.9)}
+.aip-theme-dark .fx-nav{border-bottom:1px solid #1e293b;background:rgba(3,7,18,.85)}
+.aip-theme-light .fx-nav{border-bottom:1px solid #e2e8f0;background:rgba(255,255,255,.85)}
+.aip-theme-acid .fx-nav{border-bottom:1px solid #1a2e05;background:rgba(0,0,0,.9)}
 .fx-brand{font-size:1.25rem;font-weight:800;letter-spacing:-.03em}
 .fx-nav-links{display:flex;align-items:center;gap:1.75rem}
 .fx-nav-link{font-size:.875rem;font-weight:500;opacity:.65;transition:opacity .15s;cursor:pointer}
 .fx-nav-link:hover{opacity:1}
-.aiplang-theme-dark .fx-nav-link{color:#cbd5e1}
-.aiplang-theme-light .fx-nav-link{color:#475569}
-.aiplang-theme-acid .fx-nav-link{color:#86efac}
+.aip-theme-dark .fx-nav-link{color:#cbd5e1}
+.aip-theme-light .fx-nav-link{color:#475569}
+.aip-theme-acid .fx-nav-link{color:#86efac}
 .fx-hero{display:flex;align-items:center;justify-content:center;min-height:92vh;padding:4rem 1.5rem}
 .fx-hero-inner{max-width:56rem;text-align:center;display:flex;flex-direction:column;align-items:center;gap:1.5rem}
 .fx-title{font-size:clamp(2.5rem,8vw,5.5rem);font-weight:900;letter-spacing:-.04em;line-height:1}
 .fx-sub{font-size:clamp(1rem,2vw,1.25rem);line-height:1.75;max-width:40rem}
-.aiplang-theme-dark .fx-sub{color:#94a3b8}
-.aiplang-theme-light .fx-sub{color:#475569}
+.aip-theme-dark .fx-sub{color:#94a3b8}
+.aip-theme-light .fx-sub{color:#475569}
 .fx-cta{display:inline-flex;align-items:center;padding:.875rem 2.5rem;border-radius:.75rem;font-weight:700;font-size:1rem;letter-spacing:-.01em;transition:transform .15s,box-shadow .15s;margin:.25rem;cursor:pointer}
 .fx-cta:hover{transform:translateY(-1px)}
-.aiplang-theme-dark .fx-cta{background:#2563eb;color:#fff;box-shadow:0 8px 24px rgba(37,99,235,.35)}
-.aiplang-theme-light .fx-cta{background:#2563eb;color:#fff}
-.aiplang-theme-acid .fx-cta{background:#a3e635;color:#000;font-weight:800}
+.aip-theme-dark .fx-cta{background:#2563eb;color:#fff;box-shadow:0 8px 24px rgba(37,99,235,.35)}
+.aip-theme-light .fx-cta{background:#2563eb;color:#fff}
+.aip-theme-acid .fx-cta{background:#a3e635;color:#000;font-weight:800}
 .fx-stats{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:3rem;padding:5rem 2.5rem;text-align:center}
 .fx-stat-val{font-size:clamp(2.5rem,5vw,4rem);font-weight:900;letter-spacing:-.04em;line-height:1}
 .fx-stat-lbl{font-size:.75rem;font-weight:600;text-transform:uppercase;letter-spacing:.1em;margin-top:.5rem}
-.aiplang-theme-dark .fx-stat-lbl{color:#64748b}
-.aiplang-theme-light .fx-stat-lbl{color:#94a3b8}
+.aip-theme-dark .fx-stat-lbl{color:#64748b}
+.aip-theme-light .fx-stat-lbl{color:#94a3b8}
 .fx-grid{display:grid;gap:1.25rem;padding:1rem 2.5rem 5rem}
 .fx-grid-2{grid-template-columns:repeat(auto-fit,minmax(280px,1fr))}
 .fx-grid-3{grid-template-columns:repeat(auto-fit,minmax(240px,1fr))}
 .fx-grid-4{grid-template-columns:repeat(auto-fit,minmax(200px,1fr))}
 .fx-card{border-radius:1rem;padding:1.75rem;transition:transform .2s,box-shadow .2s}
 .fx-card:hover{transform:translateY(-2px)}
-.aiplang-theme-dark .fx-card{background:#0f172a;border:1px solid #1e293b}
-.aiplang-theme-light .fx-card{background:#f8fafc;border:1px solid #e2e8f0}
-.aiplang-theme-acid .fx-card{background:#0a0f00;border:1px solid #1a2e05}
-.aiplang-theme-dark .fx-card:hover{box-shadow:0 20px 40px rgba(0,0,0,.5)}
-.aiplang-theme-light .fx-card:hover{box-shadow:0 20px 40px rgba(0,0,0,.08)}
+.aip-theme-dark .fx-card{background:#0f172a;border:1px solid #1e293b}
+.aip-theme-light .fx-card{background:#f8fafc;border:1px solid #e2e8f0}
+.aip-theme-acid .fx-card{background:#0a0f00;border:1px solid #1a2e05}
+.aip-theme-dark .fx-card:hover{box-shadow:0 20px 40px rgba(0,0,0,.5)}
+.aip-theme-light .fx-card:hover{box-shadow:0 20px 40px rgba(0,0,0,.08)}
 .fx-icon{font-size:2rem;margin-bottom:1rem}
 .fx-card-title{font-size:1.0625rem;font-weight:700;letter-spacing:-.02em;margin-bottom:.5rem}
 .fx-card-body{font-size:.875rem;line-height:1.65}
-.aiplang-theme-dark .fx-card-body{color:#64748b}
-.aiplang-theme-light .fx-card-body{color:#475569}
+.aip-theme-dark .fx-card-body{color:#64748b}
+.aip-theme-light .fx-card-body{color:#475569}
 .fx-card-link{font-size:.8125rem;font-weight:600;display:inline-block;margin-top:1rem;opacity:.6;transition:opacity .15s}
 .fx-card-link:hover{opacity:1}
 .fx-sect{padding:5rem 2.5rem}
 .fx-sect-title{font-size:clamp(1.75rem,4vw,3rem);font-weight:800;letter-spacing:-.04em;margin-bottom:1.5rem;text-align:center}
 .fx-sect-body{font-size:1rem;line-height:1.75;text-align:center;max-width:48rem;margin:0 auto}
-.aiplang-theme-dark .fx-sect-body{color:#64748b}
+.aip-theme-dark .fx-sect-body{color:#64748b}
 .fx-form-wrap{padding:3rem 2.5rem;display:flex;justify-content:center}
 .fx-form{width:100%;max-width:28rem;border-radius:1.25rem;padding:2.5rem}
-.aiplang-theme-dark .fx-form{background:#0f172a;border:1px solid #1e293b}
-.aiplang-theme-light .fx-form{background:#f8fafc;border:1px solid #e2e8f0}
+.aip-theme-dark .fx-form{background:#0f172a;border:1px solid #1e293b}
+.aip-theme-light .fx-form{background:#f8fafc;border:1px solid #e2e8f0}
 .fx-field{margin-bottom:1.25rem}
 .fx-label{display:block;font-size:.8125rem;font-weight:600;margin-bottom:.5rem}
-.aiplang-theme-dark .fx-label{color:#94a3b8}
-.aiplang-theme-light .fx-label{color:#475569}
+.aip-theme-dark .fx-label{color:#94a3b8}
+.aip-theme-light .fx-label{color:#475569}
 .fx-input{width:100%;padding:.75rem 1rem;border-radius:.625rem;font-size:.9375rem;outline:none;transition:box-shadow .15s;background:transparent}
 .fx-input:focus{box-shadow:0 0 0 3px rgba(37,99,235,.35)}
-.aiplang-theme-dark .fx-input{background:#020617;border:1px solid #1e293b;color:#f1f5f9}
-.aiplang-theme-dark .fx-input::placeholder{color:#334155}
-.aiplang-theme-light .fx-input{background:#fff;border:1px solid #cbd5e1;color:#0f172a}
-.aiplang-theme-acid .fx-input{background:#000;border:1px solid #1a2e05;color:#a3e635}
+.aip-theme-dark .fx-input{background:#020617;border:1px solid #1e293b;color:#f1f5f9}
+.aip-theme-dark .fx-input::placeholder{color:#334155}
+.aip-theme-light .fx-input{background:#fff;border:1px solid #cbd5e1;color:#0f172a}
+.aip-theme-acid .fx-input{background:#000;border:1px solid #1a2e05;color:#a3e635}
 .fx-btn{width:100%;padding:.875rem 1.5rem;border:none;border-radius:.625rem;font-size:.9375rem;font-weight:700;cursor:pointer;margin-top:.5rem;transition:transform .15s,opacity .15s;letter-spacing:-.01em}
 .fx-btn:hover{transform:translateY(-1px)}
 .fx-btn:disabled{opacity:.5;cursor:not-allowed;transform:none}
-.aiplang-theme-dark .fx-btn{background:#2563eb;color:#fff;box-shadow:0 4px 14px rgba(37,99,235,.4)}
-.aiplang-theme-light .fx-btn{background:#2563eb;color:#fff}
-.aiplang-theme-acid .fx-btn{background:#a3e635;color:#000;font-weight:800}
+.aip-theme-dark .fx-btn{background:#2563eb;color:#fff;box-shadow:0 4px 14px rgba(37,99,235,.4)}
+.aip-theme-light .fx-btn{background:#2563eb;color:#fff}
+.aip-theme-acid .fx-btn{background:#a3e635;color:#000;font-weight:800}
 .fx-form-msg{font-size:.8125rem;padding:.5rem 0;min-height:1.5rem;text-align:center}
 .fx-form-err{color:#f87171}
 .fx-form-ok{color:#4ade80}
 .fx-table-wrap{overflow-x:auto;padding:0 2.5rem 4rem}
 .fx-table{width:100%;border-collapse:collapse;font-size:.875rem}
 .fx-th{text-align:left;padding:.875rem 1.25rem;font-size:.75rem;font-weight:700;text-transform:uppercase;letter-spacing:.06em}
-.aiplang-theme-dark .fx-th{color:#475569;border-bottom:1px solid #1e293b}
-.aiplang-theme-light .fx-th{color:#94a3b8;border-bottom:1px solid #e2e8f0}
+.aip-theme-dark .fx-th{color:#475569;border-bottom:1px solid #1e293b}
+.aip-theme-light .fx-th{color:#94a3b8;border-bottom:1px solid #e2e8f0}
 .fx-tr{transition:background .1s}
 .fx-td{padding:.875rem 1.25rem}
-.aiplang-theme-dark .fx-tr:hover{background:#0f172a}
-.aiplang-theme-light .fx-tr:hover{background:#f8fafc}
-.aiplang-theme-dark .fx-td{border-bottom:1px solid #0f172a}
-.aiplang-theme-light .fx-td{border-bottom:1px solid #f1f5f9}
+.aip-theme-dark .fx-tr:hover{background:#0f172a}
+.aip-theme-light .fx-tr:hover{background:#f8fafc}
+.aip-theme-dark .fx-td{border-bottom:1px solid #0f172a}
+.aip-theme-light .fx-td{border-bottom:1px solid #f1f5f9}
 .fx-td-empty{padding:2rem 1.25rem;text-align:center;opacity:.4}
 .fx-list-wrap{padding:1rem 2.5rem 4rem;display:flex;flex-direction:column;gap:.75rem}
 .fx-list-item{border-radius:.75rem;padding:1.25rem 1.5rem}
-.aiplang-theme-dark .fx-list-item{background:#0f172a;border:1px solid #1e293b}
+.aip-theme-dark .fx-list-item{background:#0f172a;border:1px solid #1e293b}
 .fx-list-field{font-size:.9375rem;line-height:1.5}
 .fx-list-link{font-size:.8125rem;font-weight:600;opacity:.6;transition:opacity .15s}
 .fx-list-link:hover{opacity:1}
 .fx-alert{padding:1rem 2.5rem;font-size:.9375rem;font-weight:500;border-radius:.75rem;margin:1rem 2.5rem}
-.aiplang-theme-dark .fx-alert{background:rgba(239,68,68,.1);border:1px solid rgba(239,68,68,.3);color:#fca5a5}
+.aip-theme-dark .fx-alert{background:rgba(239,68,68,.1);border:1px solid rgba(239,68,68,.3);color:#fca5a5}
 .fx-if-wrap{display:contents}
 .fx-footer{padding:3rem 2.5rem;text-align:center}
-.aiplang-theme-dark .fx-footer{border-top:1px solid #1e293b}
-.aiplang-theme-light .fx-footer{border-top:1px solid #e2e8f0}
+.aip-theme-dark .fx-footer{border-top:1px solid #1e293b}
+.aip-theme-light .fx-footer{border-top:1px solid #e2e8f0}
 .fx-footer-text{font-size:.8125rem}
-.aiplang-theme-dark .fx-footer-text{color:#334155}
+.aip-theme-dark .fx-footer-text{color:#334155}
 .fx-footer-link{font-size:.8125rem;margin:0 .75rem;opacity:.5;transition:opacity .15s}
 .fx-footer-link:hover{opacity:1}
 `

package/server/server.js

@@ -752,13 +752,14 @@ td{padding:.875rem 1.25rem;border-bottom:1px solid rgba(255,255,255,.04);color:#
 </div>
 <script>
 const prefix = '${prefix}'
-// Token from cookie (set by login) or fallback to localStorage for compat
-function getAdminToken() {
-  const cookie = document.cookie.split(';').map(c=>c.trim()).find(c=>c.startsWith('aiplang_admin='))
-  return cookie ? cookie.split('=')[1] : (localStorage.getItem('admin_token') || '')
-}
+// API calls use credentials:include — HttpOnly cookie is sent automatically
 async function api(method, path, body) {
-  const r = await fetch(prefix + '/api' + path, {method, headers:{'Content-Type':'application/json','Authorization':'Bearer '+getAdminToken()},body:body?JSON.stringify(body):undefined})
+  const r = await fetch(prefix + '/api' + path, {
+    method,
+    headers: {'Content-Type':'application/json'},
+    credentials: 'same-origin',
+    body: body ? JSON.stringify(body) : undefined
+  })
   return r.json()
 }
 async function loadModel(name, page=1) {
@@ -794,13 +795,9 @@ function renderAdminLogin(prefix) {
 <button onclick="login()">Sign in</button></div>
 <script>
 async function login(){
-  const r=await fetch('/api/auth/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value})})
+  const r=await fetch('${prefix}/login',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({email:document.getElementById('email').value,password:document.getElementById('pass').value}),credentials:'same-origin'})
   const d=await r.json()
-  if(d.token){
-    localStorage.setItem('admin_token',d.token);
-    document.cookie='aiplang_admin='+d.token+';path=/;SameSite=Strict;max-age=86400';
-    location.href='${prefix}'
-  }
+  if(d.ok){location.href='${prefix}'}
   else document.getElementById('err').textContent=d.error||'Invalid credentials'
 }
 document.addEventListener('keydown',e=>{if(e.key==='Enter')login()})
@@ -891,7 +888,16 @@ function matchRoute(pattern, reqPath) {
   for(let i=0;i<pp.length;i++){if(pp[i].startsWith(':'))params[pp[i].slice(1)]=rp[i];else if(pp[i]!==rp[i])return null}
   return params
 }
-function extractToken(req) { const a=req.headers.authorization; return a?.startsWith('Bearer ')?a.slice(7):null }
+function extractToken(req) {
+  // 1. Bearer token from Authorization header
+  const a = req.headers.authorization
+  if (a?.startsWith('Bearer ')) return a.slice(7)
+  // 2. HttpOnly cookie (admin panel)
+  const cookies = req.headers['cookie'] || ''
+  const adminCookie = cookies.split(';').map(s=>s.trim()).find(s=>s.startsWith('aiplang_admin='))
+  if (adminCookie) return adminCookie.slice('aiplang_admin='.length)
+  return null
+}
 const MAX_BODY_BYTES = parseInt(process.env.MAX_BODY_BYTES || '1048576') // 1MB default
 async function parseBody(req) {
   return new Promise((resolve) => {
@@ -1206,7 +1212,7 @@ function getMime(filename) {
 //     name: 'my-plugin',
 //     setup(server, app, utils) {
 //       // server  = AiplangServer instance (.addRoute, .models)
-//       // app     = parsed .aiplang app definition
+//       // app     = parsed .aip app definition
 //       // utils   = { uuid, now, emit, on, dispatch, resolveEnv, dbRun, dbAll, dbGet }
 //     }
 //   }
@@ -1429,7 +1435,7 @@ async function startServer(aipFile, port = 3000) {
 
   // Health
   srv.addRoute('GET', '/health', (req, res) => res.json(200, {
-    status:'ok', version:'2.6.0',
+    status:'ok', version:'2.6.2',
     models: app.models.map(m=>m.name),
     routes: app.apis.length, pages: app.pages.length,
     admin: app.admin?.prefix || null,
@@ -1456,7 +1462,7 @@ async function startServer(aipFile, port = 3000) {
 module.exports = { startServer, parseApp, Model, getDB, dispatch, on, emit, sendMail, setupStripe, registerStripeRoutes, setupS3, registerS3Routes, s3Upload, s3Delete, s3PresignedUrl, PLUGIN_UTILS }
 if (require.main === module) {
   const f=process.argv[2], p=parseInt(process.argv[3]||process.env.PORT||'3000')
-  if (!f) { console.error('Usage: node server.js <app.aiplang> [port]'); process.exit(1) }
+  if (!f) { console.error('Usage: node server.js <app.aip> [port]'); process.exit(1) }
   startServer(f, p).catch(e=>{console.error(e);process.exit(1)})
 }