bonescript-compiler 0.5.3 → 0.5.5

package/dist/commands/watch.js

@@ -1,50 +0,0 @@
-"use strict";
-/**
- * bonec watch <file>
- * Recompile on every save.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.runWatch = void 0;
-const fs = __importStar(require("fs"));
-const compile_1 = require("./compile");
-function runWatch(_source, resolved) {
-    console.log(`Watching ${resolved}...`);
-    const compile = () => {
-        fs.promises.readFile(resolved, "utf-8")
-            .then(fresh => {
-            console.log(`\n[${new Date().toLocaleTimeString()}] Compiling...`);
-            return (0, compile_1.runCompile)(fresh, resolved);
-        })
-            .catch((e) => console.error(`x ${e.message}`));
-    };
-    compile();
-    fs.watchFile(resolved, { interval: 500 }, (curr, prev) => {
-        if (curr.mtimeMs !== prev.mtimeMs)
-            compile();
-    });
-}
-exports.runWatch = runWatch;
-//# sourceMappingURL=watch.js.map

package/dist/commands/watch.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"watch.js","sourceRoot":"","sources":["../../src/commands/watch.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,uCAAuC;AAEvC,SAAgB,QAAQ,CAAC,OAAe,EAAE,QAAgB;IACxD,OAAO,CAAC,GAAG,CAAC,YAAY,QAAQ,KAAK,CAAC,CAAC;IAEvC,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;aACpC,IAAI,CAAC,KAAK,CAAC,EAAE;YACZ,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;YACnE,OAAO,IAAA,oBAAU,EAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC,CAAC;aACD,KAAK,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC;IAEF,OAAO,EAAE,CAAC;IACV,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE;QACvD,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC;AAhBD,4BAgBC"}

package/dist/emit_auth.d.ts

@@ -1,18 +0,0 @@
-/**
- * BoneScript Auth Emitter
- * Generates auth.ts — JWT, OAuth2, or API key middleware depending on the
- * resolved auth_method in the system's constraint resolution map.
- *
- * Auth method selection (in priority order):
- *   1. system.resolution["implied.auth_method"] — set by constraint solver
- *   2. Any api_service module's config.auth_method
- *   3. Fallback: jwt
- *
- * Generated strategies:
- *   jwt     — Bearer token verification via jsonwebtoken
- *   oauth2  — Authorization Code flow: /auth/login redirect + /auth/callback
- *             token exchange + refresh token rotation
- *   apikey  — X-API-Key header lookup against hashed keys in the database
- */
-import * as IR from "./ir";
-export declare function emitAuthMiddleware(system: IR.IRSystem): string;

package/dist/emit_auth.js

@@ -1,507 +0,0 @@
-"use strict";
-/**
- * BoneScript Auth Emitter
- * Generates auth.ts — JWT, OAuth2, or API key middleware depending on the
- * resolved auth_method in the system's constraint resolution map.
- *
- * Auth method selection (in priority order):
- *   1. system.resolution["implied.auth_method"] — set by constraint solver
- *   2. Any api_service module's config.auth_method
- *   3. Fallback: jwt
- *
- * Generated strategies:
- *   jwt     — Bearer token verification via jsonwebtoken
- *   oauth2  — Authorization Code flow: /auth/login redirect + /auth/callback
- *             token exchange + refresh token rotation
- *   apikey  — X-API-Key header lookup against hashed keys in the database
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.emitAuthMiddleware = void 0;
-/** Resolve the auth method for the system. */
-function resolveAuthMethod(system) {
-    // Check resolution map first (set by constraint solver)
-    // The solver writes keys like "UserService.auth_method" for each api_service module.
-    // Also check the implied.auth_method key (set by domain defaults propagation).
-    const resolved = system.resolution["implied.auth_method"]
-        || system.resolution["system.auth_method"];
-    if (resolved === "oauth2" || resolved === "apikey" || resolved === "jwt") {
-        return resolved;
-    }
-    // Check per-module resolution keys written by the solver
-    for (const [key, val] of Object.entries(system.resolution)) {
-        if (key.endsWith(".auth_method") && (val === "oauth2" || val === "apikey" || val === "jwt")) {
-            return val;
-        }
-    }
-    // Fall back to any api_service module config
-    for (const mod of system.modules) {
-        const m = mod.config["auth_method"];
-        if (m === "oauth2" || m === "apikey" || m === "jwt")
-            return m;
-    }
-    return "jwt";
-}
-function emitAuthMiddleware(system) {
-    const method = resolveAuthMethod(system);
-    switch (method) {
-        case "oauth2": return emitOAuth2Auth();
-        case "apikey": return emitApiKeyAuth();
-        default: return emitJwtAuth();
-    }
-}
-exports.emitAuthMiddleware = emitAuthMiddleware;
-// ─── JWT ──────────────────────────────────────────────────────────────────────
-function emitJwtAuth() {
-    return `// Generated by BoneScript compiler. DO NOT EDIT.
-// Auth strategy: JWT (Bearer token)
-import { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
-
-// JWT_SECRET must be set in production. The server will refuse to start without it
-// when NODE_ENV is "production" to prevent accidental use of a weak fallback.
-const JWT_SECRET = (() => {
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    if (process.env.NODE_ENV === "production") {
-      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
-      process.exit(1);
-    }
-    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
-    return "bonescript-dev-secret-do-not-use-in-production";
-  }
-  if (secret.length < 32) {
-    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");
-  }
-  return secret;
-})();
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-    next();
-    return;
-  }
-  try {
-    const token = header.slice(7);
-    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
-    (req as any).auth = {
-      authenticated: true,
-      actor_id: decoded.sub,
-      trace_id: req.headers["x-trace-id"] as string || "",
-    };
-  } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
-    return;
-  }
-  next();
-}
-
-/** Issue a signed JWT for a given actor. Used by login/register routes. */
-export function issueToken(actorId: string, expiresIn: string = "24h"): string {
-  return jwt.sign({ sub: actorId }, JWT_SECRET, { expiresIn } as any);
-}
-`;
-}
-// ─── OAuth2 ───────────────────────────────────────────────────────────────────
-function emitOAuth2Auth() {
-    return `// Generated by BoneScript compiler. DO NOT EDIT.
-// Auth strategy: OAuth2 Authorization Code Flow with PKCE + refresh token rotation
-import { Request, Response, NextFunction, Router } from "express";
-import crypto from "crypto";
-import jwt from "jsonwebtoken";
-
-// ─── Configuration ────────────────────────────────────────────────────────────
-
-const OAUTH2_CLIENT_ID     = process.env.OAUTH2_CLIENT_ID     || "";
-const OAUTH2_CLIENT_SECRET = process.env.OAUTH2_CLIENT_SECRET || "";
-const OAUTH2_AUTH_URL      = process.env.OAUTH2_AUTH_URL      || "";
-const OAUTH2_TOKEN_URL     = process.env.OAUTH2_TOKEN_URL     || "";
-const OAUTH2_REDIRECT_URI  = process.env.OAUTH2_REDIRECT_URI  || "http://localhost:3000/auth/callback";
-const OAUTH2_SCOPES        = (process.env.OAUTH2_SCOPES       || "openid profile email").split(" ");
-
-const JWT_SECRET = (() => {
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    if (process.env.NODE_ENV === "production") {
-      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
-      process.exit(1);
-    }
-    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
-    return "bonescript-dev-secret-do-not-use-in-production";
-  }
-  return secret;
-})();
-
-if (process.env.NODE_ENV === "production") {
-  if (!OAUTH2_CLIENT_ID || !OAUTH2_CLIENT_SECRET || !OAUTH2_AUTH_URL || !OAUTH2_TOKEN_URL) {
-    console.error("[FATAL] OAuth2 configuration incomplete. Set OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET, OAUTH2_AUTH_URL, OAUTH2_TOKEN_URL.");
-    process.exit(1);
-  }
-}
-
-// ─── PKCE helpers ─────────────────────────────────────────────────────────────
-
-function generateCodeVerifier(): string {
-  return crypto.randomBytes(32).toString("base64url");
-}
-
-function generateCodeChallenge(verifier: string): string {
-  return crypto.createHash("sha256").update(verifier).digest("base64url");
-}
-
-// ─── In-memory state store (replace with Redis in production) ─────────────────
-
-const pendingStates = new Map<string, { verifier: string; createdAt: number }>();
-
-// Clean up stale states every 5 minutes
-setInterval(() => {
-  const cutoff = Date.now() - 10 * 60 * 1000; // 10 min TTL
-  for (const [k, v] of pendingStates) {
-    if (v.createdAt < cutoff) pendingStates.delete(k);
-  }
-}, 5 * 60 * 1000);
-
-// ─── Auth context ─────────────────────────────────────────────────────────────
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-// ─── Middleware ───────────────────────────────────────────────────────────────
-
-export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-    next();
-    return;
-  }
-  try {
-    const token = header.slice(7);
-    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
-    (req as any).auth = {
-      authenticated: true,
-      actor_id: decoded.sub,
-      trace_id: req.headers["x-trace-id"] as string || "",
-    };
-  } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
-    return;
-  }
-  next();
-}
-
-// ─── OAuth2 Routes ────────────────────────────────────────────────────────────
-
-export const authRouter = Router();
-
-/** GET /auth/login — redirect to OAuth2 provider */
-authRouter.get("/login", (_req: Request, res: Response) => {
-  const state = crypto.randomBytes(16).toString("hex");
-  const verifier = generateCodeVerifier();
-  const challenge = generateCodeChallenge(verifier);
-  pendingStates.set(state, { verifier, createdAt: Date.now() });
-
-  const params = new URLSearchParams({
-    response_type: "code",
-    client_id: OAUTH2_CLIENT_ID,
-    redirect_uri: OAUTH2_REDIRECT_URI,
-    scope: OAUTH2_SCOPES.join(" "),
-    state,
-    code_challenge: challenge,
-    code_challenge_method: "S256",
-  });
-  res.redirect(\`\${OAUTH2_AUTH_URL}?\${params}\`);
-});
-
-/** GET /auth/callback — exchange code for tokens, issue internal JWT */
-authRouter.get("/callback", async (req: Request, res: Response) => {
-  const { code, state, error } = req.query as Record<string, string>;
-
-  if (error) {
-    return res.status(400).json({ error: { code: "OAUTH2_ERROR", message: error } });
-  }
-  if (!code || !state) {
-    return res.status(400).json({ error: { code: "MISSING_PARAMS", message: "code and state are required" } });
-  }
-
-  const pending = pendingStates.get(state);
-  if (!pending) {
-    return res.status(400).json({ error: { code: "INVALID_STATE", message: "Unknown or expired state parameter" } });
-  }
-  pendingStates.delete(state);
-
-  try {
-    // Exchange authorization code for tokens
-    const tokenRes = await fetch(OAUTH2_TOKEN_URL, {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: OAUTH2_REDIRECT_URI,
-        client_id: OAUTH2_CLIENT_ID,
-        client_secret: OAUTH2_CLIENT_SECRET,
-        code_verifier: pending.verifier,
-      }),
-    });
-
-    if (!tokenRes.ok) {
-      const body = await tokenRes.text();
-      console.error("[OAuth2] Token exchange failed:", body);
-      return res.status(502).json({ error: { code: "TOKEN_EXCHANGE_FAILED", message: "Failed to exchange authorization code" } });
-    }
-
-    const tokens = await tokenRes.json() as {
-      access_token: string;
-      id_token?: string;
-      refresh_token?: string;
-      expires_in?: number;
-    };
-
-    // Extract subject from id_token or access_token
-    let actorId: string;
-    try {
-      const payload = JSON.parse(Buffer.from((tokens.id_token || tokens.access_token).split(".")[1], "base64url").toString());
-      actorId = payload.sub || payload.email || payload.preferred_username || "unknown";
-    } catch {
-      actorId = "unknown";
-    }
-
-    // Issue internal JWT (short-lived)
-    const internalToken = jwt.sign({ sub: actorId }, JWT_SECRET, { expiresIn: "1h" } as any);
-
-    res.json({
-      token: internalToken,
-      actor_id: actorId,
-      expires_in: 3600,
-    });
-  } catch (err: any) {
-    console.error("[OAuth2] Callback error:", err.message);
-    res.status(500).json({ error: { code: "INTERNAL_ERROR", message: "OAuth2 callback failed" } });
-  }
-});
-
-/** POST /auth/refresh — refresh an expired internal JWT */
-authRouter.post("/refresh", (req: Request, res: Response) => {
-  const { token } = req.body as { token?: string };
-  if (!token) {
-    return res.status(400).json({ error: { code: "MISSING_TOKEN", message: "token is required" } });
-  }
-  try {
-    // Allow expired tokens for refresh (ignoreExpiration)
-    const decoded = jwt.verify(token, JWT_SECRET, { ignoreExpiration: true }) as { sub: string };
-    const newToken = jwt.sign({ sub: decoded.sub }, JWT_SECRET, { expiresIn: "1h" } as any);
-    res.json({ token: newToken, expires_in: 3600 });
-  } catch {
-    res.status(401).json({ error: { code: "INVALID_TOKEN", message: "Cannot refresh: token is invalid" } });
-  }
-});
-
-/** POST /auth/logout — client-side only (stateless JWT); invalidation requires a denylist */
-authRouter.post("/logout", (_req: Request, res: Response) => {
-  res.json({ ok: true, message: "Logged out. Discard the token on the client." });
-});
-`;
-}
-// ─── API Key ──────────────────────────────────────────────────────────────────
-function emitApiKeyAuth() {
-    return `// Generated by BoneScript compiler. DO NOT EDIT.
-// Auth strategy: API Key (X-API-Key header, hashed keys stored in database)
-import { Request, Response, NextFunction, Router } from "express";
-import crypto from "crypto";
-import { query } from "./db";
-
-// ─── Auth context ─────────────────────────────────────────────────────────────
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-// ─── Key hashing ──────────────────────────────────────────────────────────────
-
-/** Hash an API key with SHA-256 for safe storage. Never store raw keys. */
-function hashApiKey(key: string): string {
-  return crypto.createHash("sha256").update(key).digest("hex");
-}
-
-/** Generate a new API key. Returns the raw key (shown once) and its hash. */
-export function generateApiKey(): { key: string; hash: string; prefix: string } {
-  const raw = "bsk_" + crypto.randomBytes(32).toString("base64url");
-  return { key: raw, hash: hashApiKey(raw), prefix: raw.slice(0, 12) };
-}
-
-// ─── In-memory LRU cache (avoids a DB hit on every request) ──────────────────
-
-const KEY_CACHE_TTL_MS = 60_000; // 1 minute
-const keyCache = new Map<string, { actorId: string; expiresAt: number }>();
-
-function getCached(hash: string): string | null {
-  const entry = keyCache.get(hash);
-  if (!entry) return null;
-  if (Date.now() > entry.expiresAt) { keyCache.delete(hash); return null; }
-  return entry.actorId;
-}
-
-function setCached(hash: string, actorId: string): void {
-  // Evict oldest entry if cache is too large
-  if (keyCache.size >= 1000) {
-    const oldest = [...keyCache.entries()].sort((a, b) => a[1].expiresAt - b[1].expiresAt)[0];
-    if (oldest) keyCache.delete(oldest[0]);
-  }
-  keyCache.set(hash, { actorId, expiresAt: Date.now() + KEY_CACHE_TTL_MS });
-}
-
-// ─── Middleware ───────────────────────────────────────────────────────────────
-
-export async function authMiddleware(req: Request, res: Response, next: NextFunction): Promise<void> {
-  const rawKey = req.headers["x-api-key"] as string | undefined;
-  const traceId = req.headers["x-trace-id"] as string || "";
-
-  if (!rawKey) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-    next();
-    return;
-  }
-
-  const hash = hashApiKey(rawKey);
-
-  // Check cache first
-  const cached = getCached(hash);
-  if (cached) {
-    (req as any).auth = { authenticated: true, actor_id: cached, trace_id: traceId };
-    next();
-    return;
-  }
-
-  try {
-    // Look up in database — api_keys table (see migration below)
-    const rows = await query<{ actor_id: string; revoked: boolean }>(
-      \`SELECT actor_id, revoked FROM api_keys WHERE key_hash = $1 AND expires_at > NOW()\`,
-      [hash]
-    );
-    if (rows.length === 0 || rows[0].revoked) {
-      (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-      next();
-      return;
-    }
-    const actorId = rows[0].actor_id;
-    setCached(hash, actorId);
-    (req as any).auth = { authenticated: true, actor_id: actorId, trace_id: traceId };
-  } catch (err: any) {
-    console.error("[ApiKey] Auth lookup failed:", err.message);
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Valid API key required (X-API-Key header)" } });
-    return;
-  }
-  next();
-}
-
-// ─── Key Management Routes ────────────────────────────────────────────────────
-
-export const authRouter = Router();
-
-/** POST /auth/keys — create a new API key for the authenticated actor */
-authRouter.post("/keys", requireAuth, async (req: Request, res: Response) => {
-  const auth: AuthContext = (req as any).auth;
-  const { name, expires_in_days = 365 } = req.body as { name?: string; expires_in_days?: number };
-
-  const { key, hash, prefix } = generateApiKey();
-  const expiresAt = new Date(Date.now() + expires_in_days * 86_400_000);
-
-  try {
-    await query(
-      \`INSERT INTO api_keys (actor_id, key_hash, key_prefix, name, expires_at) VALUES ($1, $2, $3, $4, $5)\`,
-      [auth.actor_id, hash, prefix, name || "default", expiresAt]
-    );
-    // Return the raw key ONCE — it cannot be retrieved again
-    res.status(201).json({ key, prefix, expires_at: expiresAt });
-  } catch (err: any) {
-    res.status(500).json({ error: { code: "KEY_CREATE_FAILED", message: err.message } });
-  }
-});
-
-/** GET /auth/keys — list API keys for the authenticated actor (no raw keys) */
-authRouter.get("/keys", requireAuth, async (req: Request, res: Response) => {
-  const auth: AuthContext = (req as any).auth;
-  try {
-    const rows = await query(
-      \`SELECT id, key_prefix, name, created_at, expires_at, revoked FROM api_keys WHERE actor_id = $1 ORDER BY created_at DESC\`,
-      [auth.actor_id]
-    );
-    res.json({ keys: rows });
-  } catch (err: any) {
-    res.status(500).json({ error: { code: "KEY_LIST_FAILED", message: err.message } });
-  }
-});
-
-/** DELETE /auth/keys/:id — revoke an API key */
-authRouter.delete("/keys/:id", requireAuth, async (req: Request, res: Response) => {
-  const auth: AuthContext = (req as any).auth;
-  try {
-    const result = await query(
-      \`UPDATE api_keys SET revoked = true WHERE id = $1 AND actor_id = $2 RETURNING id\`,
-      [req.params.id, auth.actor_id]
-    );
-    if (result.length === 0) {
-      return res.status(404).json({ error: { code: "NOT_FOUND", message: "API key not found" } });
-    }
-    res.json({ ok: true });
-  } catch (err: any) {
-    res.status(500).json({ error: { code: "KEY_REVOKE_FAILED", message: err.message } });
-  }
-});
-
-/*
- * Required migration — add to your migrations directory:
- *
- * CREATE TABLE IF NOT EXISTS api_keys (
- *   id         UUID PRIMARY KEY DEFAULT gen_random_uuid(),
- *   actor_id   UUID NOT NULL,
- *   key_hash   VARCHAR(64) NOT NULL UNIQUE,
- *   key_prefix VARCHAR(16) NOT NULL,
- *   name       VARCHAR(255) NOT NULL DEFAULT 'default',
- *   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
- *   expires_at TIMESTAMPTZ NOT NULL,
- *   revoked    BOOLEAN NOT NULL DEFAULT false
- * );
- * CREATE INDEX IF NOT EXISTS idx_api_keys_actor ON api_keys (actor_id);
- * CREATE INDEX IF NOT EXISTS idx_api_keys_hash  ON api_keys (key_hash);
- */
-`;
-}
-//# sourceMappingURL=emit_auth.js.map

package/dist/emit_auth.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"emit_auth.js","sourceRoot":"","sources":["../src/emit_auth.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAIH,8CAA8C;AAC9C,SAAS,iBAAiB,CAAC,MAAmB;IAC5C,wDAAwD;IACxD,qFAAqF;IACrF,+EAA+E;IAC/E,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC;WACpD,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAC7C,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,KAAK,EAAE,CAAC;QACzE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,yDAAyD;IACzD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3D,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK,CAAC,EAAE,CAAC;YAC5F,OAAO,GAAkC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,CAAuB,CAAC;QAC1D,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,KAAK;YAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAAmB;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACzC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ,CAAC,CAAE,OAAO,cAAc,EAAE,CAAC;QACxC,KAAK,QAAQ,CAAC,CAAE,OAAO,cAAc,EAAE,CAAC;QACxC,OAAO,CAAC,CAAQ,OAAO,WAAW,EAAE,CAAC;IACvC,CAAC;AACH,CAAC;AAPD,gDAOC;AAED,iFAAiF;AAEjF,SAAS,WAAW;IAClB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+DR,CAAC;AACF,CAAC;AAED,iFAAiF;AAEjF,SAAS,cAAc;IACrB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgNR,CAAC;AACF,CAAC;AAED,iFAAiF;AAEjF,SAAS,cAAc;IACrB,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2KR,CAAC;AACF,CAAC"}

package/dist/emit_database.d.ts

@@ -1,7 +0,0 @@
-/**
- * BoneScript Database Emitter
- * Generates db.ts (connection pool) and migrate.ts (migration runner).
- */
-import * as IR from "./ir";
-export declare function emitDbClient(system: IR.IRSystem): string;
-export declare function emitMigration(system: IR.IRSystem, schemas: string[]): string;

package/dist/emit_database.js

@@ -1,72 +0,0 @@
-"use strict";
-/**
- * BoneScript Database Emitter
- * Generates db.ts (connection pool) and migrate.ts (migration runner).
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.emitMigration = exports.emitDbClient = void 0;
-const lowering_helpers_1 = require("./lowering_helpers");
-function emitDbClient(system) {
-    const name = (0, lowering_helpers_1.toSnakeCase)(system.name);
-    return [
-        "// Generated by BoneScript compiler. DO NOT EDIT.",
-        `import { Pool, PoolClient } from "pg";`,
-        "",
-        "// Lazy pool — created on first use so DATABASE_URL is read after dotenv loads",
-        "let _pool: Pool | null = null;",
-        "function getPool(): Pool {",
-        "  if (!_pool) {",
-        `    _pool = new Pool({ connectionString: process.env.DATABASE_URL || "postgresql://localhost:5432/${name}", max: 20 });`,
-        `    _pool.on("error", (err: Error) => console.error("[DB] Pool error (non-fatal):", err.message));`,
-        "  }",
-        "  return _pool;",
-        "}",
-        "export const pool = new Proxy({} as Pool, { get(_t: any, p: any) { return (getPool() as any)[p]; } });",
-        "",
-        "export async function query<T = any>(text: string, params?: any[]): Promise<T[]> {",
-        "  try { const result = await pool.query(text, params); return result.rows as T[]; }",
-        "  catch (e: any) { throw new Error(`DB query failed: ${e.message}`); }",
-        "}",
-        "export async function queryOne<T = any>(text: string, params?: any[]): Promise<T | null> {",
-        "  try { const rows = await query<T>(text, params); return rows[0] || null; }",
-        "  catch (e: any) { throw new Error(`DB query failed: ${e.message}`); }",
-        "}",
-        "export async function execute(text: string, params?: any[]): Promise<number> {",
-        "  try { const result = await pool.query(text, params); return result.rowCount || 0; }",
-        "  catch (e: any) { throw new Error(`DB execute failed: ${e.message}`); }",
-        "}",
-        "export async function transaction<T>(fn: (client: PoolClient) => Promise<T>): Promise<T> {",
-        "  const client = await pool.connect();",
-        `  try { await client.query("BEGIN"); const result = await fn(client); await client.query("COMMIT"); return result; }`,
-        `  catch (e) { await client.query("ROLLBACK"); throw e; }`,
-        "  finally { client.release(); }",
-        "}",
-    ].join("\n");
-}
-exports.emitDbClient = emitDbClient;
-function emitMigration(system, schemas) {
-    const lines = [];
-    lines.push(`// Generated by BoneScript compiler. DO NOT EDIT.`);
-    lines.push(`require("dotenv").config();`);
-    lines.push(`import { pool } from "./db";`);
-    lines.push(``);
-    lines.push(`async function migrate() {`);
-    lines.push(`  console.log("Running migrations...");`);
-    lines.push(`  const client = await pool.connect();`);
-    lines.push(`  try {`);
-    for (const schema of schemas) {
-        const escaped = schema.replace(/`/g, "\\`").replace(/\$/g, "\\$");
-        lines.push(`    await client.query(\`${escaped}\`);`);
-    }
-    lines.push(`    console.log("Migrations complete.");`);
-    lines.push(`  } finally {`);
-    lines.push(`    client.release();`);
-    lines.push(`    await pool.end();`);
-    lines.push(`  }`);
-    lines.push(`}`);
-    lines.push(``);
-    lines.push(`migrate().catch(e => { console.error(e); process.exit(1); });`);
-    return lines.join("\n");
-}
-exports.emitMigration = emitMigration;
-//# sourceMappingURL=emit_database.js.map

package/dist/emit_database.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"emit_database.js","sourceRoot":"","sources":["../src/emit_database.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAGH,yDAAiD;AAEjD,SAAgB,YAAY,CAAC,MAAmB;IAC9C,MAAM,IAAI,GAAG,IAAA,8BAAW,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACtC,OAAO;QACL,mDAAmD;QACnD,wCAAwC;QACxC,EAAE;QACF,gFAAgF;QAChF,gCAAgC;QAChC,4BAA4B;QAC5B,iBAAiB;QACjB,qGAAqG,IAAI,gBAAgB;QACzH,oGAAoG;QACpG,KAAK;QACL,iBAAiB;QACjB,GAAG;QACH,wGAAwG;QACxG,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,wEAAwE;QACxE,GAAG;QACH,4FAA4F;QAC5F,8EAA8E;QAC9E,wEAAwE;QACxE,GAAG;QACH,gFAAgF;QAChF,uFAAuF;QACvF,0EAA0E;QAC1E,GAAG;QACH,4FAA4F;QAC5F,wCAAwC;QACxC,sHAAsH;QACtH,0DAA0D;QAC1D,iCAAiC;QACjC,GAAG;KACJ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AApCD,oCAoCC;AAED,SAAgB,aAAa,CAAC,MAAmB,EAAE,OAAiB;IAClE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;IAChE,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC1C,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAEtB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,4BAA4B,OAAO,MAAM,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC5E,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAzBD,sCAyBC"}