bonescript-compiler 0.5.2 → 0.5.4

package/src/emit_auth.ts

@@ -1,513 +0,0 @@
-/**
- * BoneScript Auth Emitter
- * Generates auth.ts — JWT, OAuth2, or API key middleware depending on the
- * resolved auth_method in the system's constraint resolution map.
- *
- * Auth method selection (in priority order):
- *   1. system.resolution["implied.auth_method"] — set by constraint solver
- *   2. Any api_service module's config.auth_method
- *   3. Fallback: jwt
- *
- * Generated strategies:
- *   jwt     — Bearer token verification via jsonwebtoken
- *   oauth2  — Authorization Code flow: /auth/login redirect + /auth/callback
- *             token exchange + refresh token rotation
- *   apikey  — X-API-Key header lookup against hashed keys in the database
- */
-
-import * as IR from "./ir";
-
-/** Resolve the auth method for the system. */
-function resolveAuthMethod(system: IR.IRSystem): "jwt" | "oauth2" | "apikey" {
-  // Check resolution map first (set by constraint solver)
-  // The solver writes keys like "UserService.auth_method" for each api_service module.
-  // Also check the implied.auth_method key (set by domain defaults propagation).
-  const resolved = system.resolution["implied.auth_method"]
-    || system.resolution["system.auth_method"];
-  if (resolved === "oauth2" || resolved === "apikey" || resolved === "jwt") {
-    return resolved;
-  }
-
-  // Check per-module resolution keys written by the solver
-  for (const [key, val] of Object.entries(system.resolution)) {
-    if (key.endsWith(".auth_method") && (val === "oauth2" || val === "apikey" || val === "jwt")) {
-      return val as "jwt" | "oauth2" | "apikey";
-    }
-  }
-
-  // Fall back to any api_service module config
-  for (const mod of system.modules) {
-    const m = mod.config["auth_method"] as string | undefined;
-    if (m === "oauth2" || m === "apikey" || m === "jwt") return m;
-  }
-  return "jwt";
-}
-
-export function emitAuthMiddleware(system: IR.IRSystem): string {
-  const method = resolveAuthMethod(system);
-  switch (method) {
-    case "oauth2":  return emitOAuth2Auth();
-    case "apikey":  return emitApiKeyAuth();
-    default:        return emitJwtAuth();
-  }
-}
-
-// ─── JWT ──────────────────────────────────────────────────────────────────────
-
-function emitJwtAuth(): string {
-  return `// Generated by BoneScript compiler. DO NOT EDIT.
-// Auth strategy: JWT (Bearer token)
-import { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
-
-// JWT_SECRET must be set in production. The server will refuse to start without it
-// when NODE_ENV is "production" to prevent accidental use of a weak fallback.
-const JWT_SECRET = (() => {
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    if (process.env.NODE_ENV === "production") {
-      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
-      process.exit(1);
-    }
-    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
-    return "bonescript-dev-secret-do-not-use-in-production";
-  }
-  if (secret.length < 32) {
-    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");
-  }
-  return secret;
-})();
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-    next();
-    return;
-  }
-  try {
-    const token = header.slice(7);
-    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
-    (req as any).auth = {
-      authenticated: true,
-      actor_id: decoded.sub,
-      trace_id: req.headers["x-trace-id"] as string || "",
-    };
-  } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
-    return;
-  }
-  next();
-}
-
-/** Issue a signed JWT for a given actor. Used by login/register routes. */
-export function issueToken(actorId: string, expiresIn: string = "24h"): string {
-  return jwt.sign({ sub: actorId }, JWT_SECRET, { expiresIn } as any);
-}
-`;
-}
-
-// ─── OAuth2 ───────────────────────────────────────────────────────────────────
-
-function emitOAuth2Auth(): string {
-  return `// Generated by BoneScript compiler. DO NOT EDIT.
-// Auth strategy: OAuth2 Authorization Code Flow with PKCE + refresh token rotation
-import { Request, Response, NextFunction, Router } from "express";
-import crypto from "crypto";
-import jwt from "jsonwebtoken";
-
-// ─── Configuration ────────────────────────────────────────────────────────────
-
-const OAUTH2_CLIENT_ID     = process.env.OAUTH2_CLIENT_ID     || "";
-const OAUTH2_CLIENT_SECRET = process.env.OAUTH2_CLIENT_SECRET || "";
-const OAUTH2_AUTH_URL      = process.env.OAUTH2_AUTH_URL      || "";
-const OAUTH2_TOKEN_URL     = process.env.OAUTH2_TOKEN_URL     || "";
-const OAUTH2_REDIRECT_URI  = process.env.OAUTH2_REDIRECT_URI  || "http://localhost:3000/auth/callback";
-const OAUTH2_SCOPES        = (process.env.OAUTH2_SCOPES       || "openid profile email").split(" ");
-
-const JWT_SECRET = (() => {
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    if (process.env.NODE_ENV === "production") {
-      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
-      process.exit(1);
-    }
-    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
-    return "bonescript-dev-secret-do-not-use-in-production";
-  }
-  return secret;
-})();
-
-if (process.env.NODE_ENV === "production") {
-  if (!OAUTH2_CLIENT_ID || !OAUTH2_CLIENT_SECRET || !OAUTH2_AUTH_URL || !OAUTH2_TOKEN_URL) {
-    console.error("[FATAL] OAuth2 configuration incomplete. Set OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET, OAUTH2_AUTH_URL, OAUTH2_TOKEN_URL.");
-    process.exit(1);
-  }
-}
-
-// ─── PKCE helpers ─────────────────────────────────────────────────────────────
-
-function generateCodeVerifier(): string {
-  return crypto.randomBytes(32).toString("base64url");
-}
-
-function generateCodeChallenge(verifier: string): string {
-  return crypto.createHash("sha256").update(verifier).digest("base64url");
-}
-
-// ─── In-memory state store (replace with Redis in production) ─────────────────
-
-const pendingStates = new Map<string, { verifier: string; createdAt: number }>();
-
-// Clean up stale states every 5 minutes
-setInterval(() => {
-  const cutoff = Date.now() - 10 * 60 * 1000; // 10 min TTL
-  for (const [k, v] of pendingStates) {
-    if (v.createdAt < cutoff) pendingStates.delete(k);
-  }
-}, 5 * 60 * 1000);
-
-// ─── Auth context ─────────────────────────────────────────────────────────────
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-// ─── Middleware ───────────────────────────────────────────────────────────────
-
-export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-    next();
-    return;
-  }
-  try {
-    const token = header.slice(7);
-    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
-    (req as any).auth = {
-      authenticated: true,
-      actor_id: decoded.sub,
-      trace_id: req.headers["x-trace-id"] as string || "",
-    };
-  } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
-    return;
-  }
-  next();
-}
-
-// ─── OAuth2 Routes ────────────────────────────────────────────────────────────
-
-export const authRouter = Router();
-
-/** GET /auth/login — redirect to OAuth2 provider */
-authRouter.get("/login", (_req: Request, res: Response) => {
-  const state = crypto.randomBytes(16).toString("hex");
-  const verifier = generateCodeVerifier();
-  const challenge = generateCodeChallenge(verifier);
-  pendingStates.set(state, { verifier, createdAt: Date.now() });
-
-  const params = new URLSearchParams({
-    response_type: "code",
-    client_id: OAUTH2_CLIENT_ID,
-    redirect_uri: OAUTH2_REDIRECT_URI,
-    scope: OAUTH2_SCOPES.join(" "),
-    state,
-    code_challenge: challenge,
-    code_challenge_method: "S256",
-  });
-  res.redirect(\`\${OAUTH2_AUTH_URL}?\${params}\`);
-});
-
-/** GET /auth/callback — exchange code for tokens, issue internal JWT */
-authRouter.get("/callback", async (req: Request, res: Response) => {
-  const { code, state, error } = req.query as Record<string, string>;
-
-  if (error) {
-    return res.status(400).json({ error: { code: "OAUTH2_ERROR", message: error } });
-  }
-  if (!code || !state) {
-    return res.status(400).json({ error: { code: "MISSING_PARAMS", message: "code and state are required" } });
-  }
-
-  const pending = pendingStates.get(state);
-  if (!pending) {
-    return res.status(400).json({ error: { code: "INVALID_STATE", message: "Unknown or expired state parameter" } });
-  }
-  pendingStates.delete(state);
-
-  try {
-    // Exchange authorization code for tokens
-    const tokenRes = await fetch(OAUTH2_TOKEN_URL, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: OAUTH2_REDIRECT_URI,
-        client_id: OAUTH2_CLIENT_ID,
-        client_secret: OAUTH2_CLIENT_SECRET,
-        code_verifier: pending.verifier,
-      }),
-    });
-
-    if (!tokenRes.ok) {
-      const body = await tokenRes.text();
-      console.error("[OAuth2] Token exchange failed:", body);
-      return res.status(502).json({ error: { code: "TOKEN_EXCHANGE_FAILED", message: "Failed to exchange authorization code" } });
-    }
-
-    const tokens = await tokenRes.json() as {
-      access_token: string;
-      id_token?: string;
-      refresh_token?: string;
-      expires_in?: number;
-    };
-
-    // Extract subject from id_token or access_token
-    let actorId: string;
-    try {
-      const payload = JSON.parse(Buffer.from((tokens.id_token || tokens.access_token).split(".")[1], "base64url").toString());
-      actorId = payload.sub || payload.email || payload.preferred_username || "unknown";
-    } catch {
-      actorId = "unknown";
-    }
-
-    // Issue internal JWT (short-lived)
-    const internalToken = jwt.sign({ sub: actorId }, JWT_SECRET, { expiresIn: "1h" } as any);
-
-    res.json({
-      token: internalToken,
-      actor_id: actorId,
-      expires_in: 3600,
-    });
-  } catch (err: any) {
-    console.error("[OAuth2] Callback error:", err.message);
-    res.status(500).json({ error: { code: "INTERNAL_ERROR", message: "OAuth2 callback failed" } });
-  }
-});
-
-/** POST /auth/refresh — refresh an expired internal JWT */
-authRouter.post("/refresh", (req: Request, res: Response) => {
-  const { token } = req.body as { token?: string };
-  if (!token) {
-    return res.status(400).json({ error: { code: "MISSING_TOKEN", message: "token is required" } });
-  }
-  try {
-    // Allow expired tokens for refresh (ignoreExpiration)
-    const decoded = jwt.verify(token, JWT_SECRET, { ignoreExpiration: true }) as { sub: string };
-    const newToken = jwt.sign({ sub: decoded.sub }, JWT_SECRET, { expiresIn: "1h" } as any);
-    res.json({ token: newToken, expires_in: 3600 });
-  } catch {
-    res.status(401).json({ error: { code: "INVALID_TOKEN", message: "Cannot refresh: token is invalid" } });
-  }
-});
-
-/** POST /auth/logout — client-side only (stateless JWT); invalidation requires a denylist */
-authRouter.post("/logout", (_req: Request, res: Response) => {
-  res.json({ ok: true, message: "Logged out. Discard the token on the client." });
-});
-`;
-}
-
-// ─── API Key ──────────────────────────────────────────────────────────────────
-
-function emitApiKeyAuth(): string {
-  return `// Generated by BoneScript compiler. DO NOT EDIT.
-// Auth strategy: API Key (X-API-Key header, hashed keys stored in database)
-import { Request, Response, NextFunction, Router } from "express";
-import crypto from "crypto";
-import { query } from "./db";
-
-// ─── Auth context ─────────────────────────────────────────────────────────────
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-// ─── Key hashing ──────────────────────────────────────────────────────────────
-
-/** Hash an API key with SHA-256 for safe storage. Never store raw keys. */
-function hashApiKey(key: string): string {
-  return crypto.createHash("sha256").update(key).digest("hex");
-}
-
-/** Generate a new API key. Returns the raw key (shown once) and its hash. */
-export function generateApiKey(): { key: string; hash: string; prefix: string } {
-  const raw = "bsk_" + crypto.randomBytes(32).toString("base64url");
-  return { key: raw, hash: hashApiKey(raw), prefix: raw.slice(0, 12) };
-}
-
-// ─── In-memory LRU cache (avoids a DB hit on every request) ──────────────────
-
-const KEY_CACHE_TTL_MS = 60_000; // 1 minute
-const keyCache = new Map<string, { actorId: string; expiresAt: number }>();
-
-function getCached(hash: string): string | null {
-  const entry = keyCache.get(hash);
-  if (!entry) return null;
-  if (Date.now() > entry.expiresAt) { keyCache.delete(hash); return null; }
-  return entry.actorId;
-}
-
-function setCached(hash: string, actorId: string): void {
-  // Evict oldest entry if cache is too large
-  if (keyCache.size >= 1000) {
-    const oldest = [...keyCache.entries()].sort((a, b) => a[1].expiresAt - b[1].expiresAt)[0];
-    if (oldest) keyCache.delete(oldest[0]);
-  }
-  keyCache.set(hash, { actorId, expiresAt: Date.now() + KEY_CACHE_TTL_MS });
-}
-
-// ─── Middleware ───────────────────────────────────────────────────────────────
-
-export async function authMiddleware(req: Request, res: Response, next: NextFunction): Promise<void> {
-  const rawKey = req.headers["x-api-key"] as string | undefined;
-  const traceId = req.headers["x-trace-id"] as string || "";
-
-  if (!rawKey) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-    next();
-    return;
-  }
-
-  const hash = hashApiKey(rawKey);
-
-  // Check cache first
-  const cached = getCached(hash);
-  if (cached) {
-    (req as any).auth = { authenticated: true, actor_id: cached, trace_id: traceId };
-    next();
-    return;
-  }
-
-  try {
-    // Look up in database — api_keys table (see migration below)
-    const rows = await query<{ actor_id: string; revoked: boolean }>(
-      \`SELECT actor_id, revoked FROM api_keys WHERE key_hash = $1 AND expires_at > NOW()\`,
-      [hash]
-    );
-    if (rows.length === 0 || rows[0].revoked) {
-      (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-      next();
-      return;
-    }
-    const actorId = rows[0].actor_id;
-    setCached(hash, actorId);
-    (req as any).auth = { authenticated: true, actor_id: actorId, trace_id: traceId };
-  } catch (err: any) {
-    console.error("[ApiKey] Auth lookup failed:", err.message);
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Valid API key required (X-API-Key header)" } });
-    return;
-  }
-  next();
-}
-
-// ─── Key Management Routes ────────────────────────────────────────────────────
-
-export const authRouter = Router();
-
-/** POST /auth/keys — create a new API key for the authenticated actor */
-authRouter.post("/keys", requireAuth, async (req: Request, res: Response) => {
-  const auth: AuthContext = (req as any).auth;
-  const { name, expires_in_days = 365 } = req.body as { name?: string; expires_in_days?: number };
-
-  const { key, hash, prefix } = generateApiKey();
-  const expiresAt = new Date(Date.now() + expires_in_days * 86_400_000);
-
-  try {
-    await query(
-      \`INSERT INTO api_keys (actor_id, key_hash, key_prefix, name, expires_at) VALUES ($1, $2, $3, $4, $5)\`,
-      [auth.actor_id, hash, prefix, name || "default", expiresAt]
-    );
-    // Return the raw key ONCE — it cannot be retrieved again
-    res.status(201).json({ key, prefix, expires_at: expiresAt });
-  } catch (err: any) {
-    res.status(500).json({ error: { code: "KEY_CREATE_FAILED", message: err.message } });
-  }
-});
-
-/** GET /auth/keys — list API keys for the authenticated actor (no raw keys) */
-authRouter.get("/keys", requireAuth, async (req: Request, res: Response) => {
-  const auth: AuthContext = (req as any).auth;
-  try {
-    const rows = await query(
-      \`SELECT id, key_prefix, name, created_at, expires_at, revoked FROM api_keys WHERE actor_id = $1 ORDER BY created_at DESC\`,
-      [auth.actor_id]
-    );
-    res.json({ keys: rows });
-  } catch (err: any) {
-    res.status(500).json({ error: { code: "KEY_LIST_FAILED", message: err.message } });
-  }
-});
-
-/** DELETE /auth/keys/:id — revoke an API key */
-authRouter.delete("/keys/:id", requireAuth, async (req: Request, res: Response) => {
-  const auth: AuthContext = (req as any).auth;
-  try {
-    const result = await query(
-      \`UPDATE api_keys SET revoked = true WHERE id = $1 AND actor_id = $2 RETURNING id\`,
-      [req.params.id, auth.actor_id]
-    );
-    if (result.length === 0) {
-      return res.status(404).json({ error: { code: "NOT_FOUND", message: "API key not found" } });
-    }
-    res.json({ ok: true });
-  } catch (err: any) {
-    res.status(500).json({ error: { code: "KEY_REVOKE_FAILED", message: err.message } });
-  }
-});
-
-/*
- * Required migration — add to your migrations directory:
- *
- * CREATE TABLE IF NOT EXISTS api_keys (
- *   id         UUID PRIMARY KEY DEFAULT gen_random_uuid(),
- *   actor_id   UUID NOT NULL,
- *   key_hash   VARCHAR(64) NOT NULL UNIQUE,
- *   key_prefix VARCHAR(16) NOT NULL,
- *   name       VARCHAR(255) NOT NULL DEFAULT 'default',
- *   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
- *   expires_at TIMESTAMPTZ NOT NULL,
- *   revoked    BOOLEAN NOT NULL DEFAULT false
- * );
- * CREATE INDEX IF NOT EXISTS idx_api_keys_actor ON api_keys (actor_id);
- * CREATE INDEX IF NOT EXISTS idx_api_keys_hash  ON api_keys (key_hash);
- */
-`;
-}

package/src/emit_database.ts

@@ -1,75 +0,0 @@
-/**
- * BoneScript Database Emitter
- * Generates db.ts (connection pool) and migrate.ts (migration runner).
- */
-
-import * as IR from "./ir";
-
-function toSnakeCase(s: string): string {
-  return s.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
-}
-
-export function emitDbClient(system: IR.IRSystem): string {
-  const name = toSnakeCase(system.name);
-  return [
-    "// Generated by BoneScript compiler. DO NOT EDIT.",
-    `import { Pool, PoolClient } from "pg";`,
-    "",
-    "// Lazy pool — created on first use so DATABASE_URL is read after dotenv loads",
-    "let _pool: Pool | null = null;",
-    "function getPool(): Pool {",
-    "  if (!_pool) {",
-    `    _pool = new Pool({ connectionString: process.env.DATABASE_URL || "postgresql://localhost:5432/${name}", max: 20 });`,
-    `    _pool.on("error", (err: Error) => console.error("[DB] Pool error (non-fatal):", err.message));`,
-    "  }",
-    "  return _pool;",
-    "}",
-    "export const pool = new Proxy({} as Pool, { get(_t: any, p: any) { return (getPool() as any)[p]; } });",
-    "",
-    "export async function query<T = any>(text: string, params?: any[]): Promise<T[]> {",
-    "  try { const result = await pool.query(text, params); return result.rows as T[]; }",
-    "  catch (e: any) { throw new Error(`DB query failed: ${e.message}`); }",
-    "}",
-    "export async function queryOne<T = any>(text: string, params?: any[]): Promise<T | null> {",
-    "  try { const rows = await query<T>(text, params); return rows[0] || null; }",
-    "  catch (e: any) { throw new Error(`DB query failed: ${e.message}`); }",
-    "}",
-    "export async function execute(text: string, params?: any[]): Promise<number> {",
-    "  try { const result = await pool.query(text, params); return result.rowCount || 0; }",
-    "  catch (e: any) { throw new Error(`DB execute failed: ${e.message}`); }",
-    "}",
-    "export async function transaction<T>(fn: (client: PoolClient) => Promise<T>): Promise<T> {",
-    "  const client = await pool.connect();",
-    `  try { await client.query("BEGIN"); const result = await fn(client); await client.query("COMMIT"); return result; }`,
-    `  catch (e) { await client.query("ROLLBACK"); throw e; }`,
-    "  finally { client.release(); }",
-    "}",
-  ].join("\n");
-}
-
-export function emitMigration(system: IR.IRSystem, schemas: string[]): string {
-  const lines: string[] = [];
-  lines.push(`// Generated by BoneScript compiler. DO NOT EDIT.`);
-  lines.push(`require("dotenv").config();`);
-  lines.push(`import { pool } from "./db";`);
-  lines.push(``);
-  lines.push(`async function migrate() {`);
-  lines.push(`  console.log("Running migrations...");`);
-  lines.push(`  const client = await pool.connect();`);
-  lines.push(`  try {`);
-
-  for (const schema of schemas) {
-    const escaped = schema.replace(/`/g, "\\`").replace(/\$/g, "\\$");
-    lines.push(`    await client.query(\`${escaped}\`);`);
-  }
-
-  lines.push(`    console.log("Migrations complete.");`);
-  lines.push(`  } finally {`);
-  lines.push(`    client.release();`);
-  lines.push(`    await pool.end();`);
-  lines.push(`  }`);
-  lines.push(`}`);
-  lines.push(``);
-  lines.push(`migrate().catch(e => { console.error(e); process.exit(1); });`);
-  return lines.join("\n");
-}