bonescript-compiler 0.5.5 → 0.5.7

package/src/emit_openapi.ts

@@ -0,0 +1,344 @@
+/**
+ * BoneScript OpenAPI Emitter
+ * Generates OpenAPI 3.0.3 YAML and JSON specs from an IRSystem.
+ */
+
+import * as IR from "./ir";
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function toSnakeCase(s: string): string {
+  return s.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
+}
+
+function toDashCase(s: string): string {
+  return toSnakeCase(s).replace(/_/g, "-");
+}
+
+function toPascalCase(s: string): string {
+  return s.replace(/(^|_)([a-z])/g, (_: string, _p: string, c: string) => c.toUpperCase());
+}
+
+function irTypeToOpenApi(irType: string): Record<string, unknown> {
+  if (irType === "string") return { type: "string" };
+  if (irType === "uint" || irType === "int") return { type: "integer" };
+  if (irType === "float") return { type: "number" };
+  if (irType === "bool") return { type: "boolean" };
+  if (irType === "timestamp") return { type: "string", format: "date-time" };
+  if (irType === "uuid") return { type: "string", format: "uuid" };
+  if (irType === "bytes") return { type: "string", format: "byte" };
+  if (irType === "json") return { type: "object" };
+  const listMatch = irType.match(/^list<(.+)>$/);
+  if (listMatch) return { type: "array", items: irTypeToOpenApi(listMatch[1]) };
+  const setMatch = irType.match(/^set<(.+)>$/);
+  if (setMatch) return { type: "array", items: irTypeToOpenApi(setMatch[1]) };
+  const optMatch = irType.match(/^optional<(.+)>$/);
+  if (optMatch) return { ...irTypeToOpenApi(optMatch[1]), nullable: true };
+  return { type: "string" };
+}
+
+function ind(n: number): string {
+  return "  ".repeat(n);
+}
+
+function yamlValue(v: unknown, depth: number): string {
+  if (v === null || v === undefined) return "null";
+  if (typeof v === "boolean") return String(v);
+  if (typeof v === "number") return String(v);
+  if (typeof v === "string") {
+    if (
+      v.includes(":") ||
+      v.includes("#") ||
+      v.includes("'") ||
+      v.startsWith("{") ||
+      v.startsWith("[")
+    ) {
+      return JSON.stringify(v);
+    }
+    return v;
+  }
+  if (Array.isArray(v)) {
+    if (v.length === 0) return "[]";
+    return (
+      "\n" +
+      v
+        .map((item) => ind(depth) + "- " + yamlValue(item, depth + 1))
+        .join("\n")
+    );
+  }
+  if (typeof v === "object") {
+    const entries = Object.entries(v as Record<string, unknown>);
+    if (entries.length === 0) return "{}";
+    return (
+      "\n" +
+      entries
+        .map(([k, val]) => {
+          const valStr = yamlValue(val, depth + 1);
+          if (valStr.startsWith("\n")) {
+            return ind(depth) + k + ":" + valStr;
+          }
+          return ind(depth) + k + ": " + valStr;
+        })
+        .join("\n")
+    );
+  }
+  return String(v);
+}
+
+function objToYaml(obj: Record<string, unknown>, depth = 0): string {
+  const lines: string[] = [];
+  for (const [k, v] of Object.entries(obj)) {
+    const valStr = yamlValue(v, depth + 1);
+    if (valStr.startsWith("\n")) {
+      lines.push(ind(depth) + k + ":" + valStr);
+    } else {
+      lines.push(ind(depth) + k + ": " + valStr);
+    }
+  }
+  return lines.join("\n");
+}
+
+// ─── Spec builder ─────────────────────────────────────────────────────────────
+
+function buildSpec(system: IR.IRSystem): Record<string, unknown> {
+  const paths: Record<string, unknown> = {};
+  const schemas: Record<string, unknown> = {};
+
+  for (const mod of system.modules) {
+    if (mod.kind !== "api_service" || mod.models.length === 0) continue;
+
+    const model = mod.models[0];
+    const tableName = toSnakeCase(model.name);
+    const modelName = toPascalCase(model.name);
+    const collectionPath = "/" + tableName + "s";
+    const itemPath = "/" + tableName + "s/{id}";
+
+    const allMethods: IR.IRMethod[] = mod.interfaces.flatMap((i) => i.methods);
+    const crudNames = new Set(["create", "read", "update", "delete", "list"]);
+    const capabilityMethods = allMethods.filter(
+      (m) => !crudNames.has(m.name.toLowerCase())
+    );
+
+    const securityRef = [{ BearerAuth: [] }];
+
+    const listOp: Record<string, unknown> = {
+      summary: "List " + modelName,
+      operationId: "list" + modelName,
+      tags: [modelName],
+      parameters: [
+        { name: "page", in: "query", schema: { type: "integer", default: 1 } },
+        {
+          name: "page_size",
+          in: "query",
+          schema: { type: "integer", default: 50 },
+        },
+      ],
+      responses: {
+        "200": {
+          description: "List of " + modelName,
+          content: {
+            "application/json": {
+              schema: {
+                type: "object",
+                properties: {
+                  items: {
+                    type: "array",
+                    items: { $ref: "#/components/schemas/" + modelName },
+                  },
+                  total: { type: "integer" },
+                  page: { type: "integer" },
+                  page_size: { type: "integer" },
+                },
+              },
+            },
+          },
+        },
+        "401": { description: "Unauthorized" },
+      },
+    };
+
+    const createOp: Record<string, unknown> = {
+      summary: "Create " + modelName,
+      operationId: "create" + modelName,
+      tags: [modelName],
+      security: securityRef,
+      requestBody: {
+        required: true,
+        content: {
+          "application/json": {
+            schema: { $ref: "#/components/schemas/" + modelName },
+          },
+        },
+      },
+      responses: {
+        "200": {
+          description: "Created",
+          content: {
+            "application/json": {
+              schema: { $ref: "#/components/schemas/" + modelName },
+            },
+          },
+        },
+        "401": { description: "Unauthorized" },
+        "422": { description: "Precondition failed" },
+        "400": { description: "Bad request" },
+      },
+    };
+
+    paths[collectionPath] = { get: listOp, post: createOp };
+
+    const idParam = [
+      {
+        name: "id",
+        in: "path",
+        required: true,
+        schema: { type: "string", format: "uuid" },
+      },
+    ];
+
+    paths[itemPath] = {
+      get: {
+        summary: "Get " + modelName,
+        operationId: "get" + modelName,
+        tags: [modelName],
+        parameters: idParam,
+        security: securityRef,
+        responses: {
+          "200": {
+            description: "Found",
+            content: {
+              "application/json": {
+                schema: { $ref: "#/components/schemas/" + modelName },
+              },
+            },
+          },
+          "401": { description: "Unauthorized" },
+          "400": { description: "Not found" },
+        },
+      },
+      put: {
+        summary: "Update " + modelName,
+        operationId: "update" + modelName,
+        tags: [modelName],
+        parameters: idParam,
+        security: securityRef,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: "#/components/schemas/" + modelName },
+            },
+          },
+        },
+        responses: {
+          "200": {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: "#/components/schemas/" + modelName },
+              },
+            },
+          },
+          "401": { description: "Unauthorized" },
+          "422": { description: "Precondition failed" },
+          "400": { description: "Bad request" },
+        },
+      },
+      delete: {
+        summary: "Delete " + modelName,
+        operationId: "delete" + modelName,
+        tags: [modelName],
+        parameters: idParam,
+        security: securityRef,
+        responses: {
+          "200": { description: "Deleted" },
+          "401": { description: "Unauthorized" },
+          "400": { description: "Not found" },
+        },
+      },
+    };
+
+    for (const method of capabilityMethods) {
+      const capPath = collectionPath + "/" + toDashCase(method.name);
+      const capOp: Record<string, unknown> = {
+        summary: method.name + " on " + modelName,
+        operationId: method.name + modelName,
+        tags: [modelName],
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: "#/components/schemas/" + modelName },
+            },
+          },
+        },
+        responses: {
+          "200": {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    ok: { type: "boolean" },
+                    action: { type: "string" },
+                  },
+                },
+              },
+            },
+          },
+          "401": { description: "Unauthorized" },
+          "422": { description: "Precondition failed" },
+          "400": { description: "Bad request" },
+        },
+      };
+      if (method.authenticated) {
+        capOp.security = securityRef;
+      }
+      paths[capPath] = { post: capOp };
+    }
+
+    const properties: Record<string, unknown> = {};
+    for (const field of model.fields) {
+      properties[field.name] = irTypeToOpenApi(field.type);
+    }
+    schemas[modelName] = {
+      type: "object",
+      properties,
+    };
+  }
+
+  return {
+    openapi: "3.0.3",
+    info: {
+      title: system.name,
+      version: system.version,
+      description: "Generated by BoneScript compiler",
+    },
+    servers: [{ url: "http://localhost:3000" }],
+    paths,
+    components: {
+      securitySchemes: {
+        BearerAuth: {
+          type: "http",
+          scheme: "bearer",
+          bearerFormat: "JWT",
+        },
+      },
+      schemas,
+    },
+  };
+}
+
+// ─── Public API ───────────────────────────────────────────────────────────────
+
+export function emitOpenApiSpec(system: IR.IRSystem): string {
+  const spec = buildSpec(system);
+  const lines: string[] = ["# Generated by BoneScript compiler"];
+  lines.push(objToYaml(spec));
+  return lines.join("\n") + "\n";
+}
+
+export function emitOpenApiJson(system: IR.IRSystem): string {
+  return JSON.stringify(buildSpec(system), null, 2);
+}

package/src/emit_postman.ts

@@ -0,0 +1,145 @@
+/**
+ * BoneScript Postman Collection Emitter
+ * Generates a Postman Collection v2.1 JSON from an IRSystem.
+ */
+
+import * as IR from "./ir";
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function toSnakeCase(s: string): string {
+  return s.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
+}
+
+function toDashCase(s: string): string {
+  return toSnakeCase(s).replace(/_/g, "-");
+}
+
+function sampleValue(irType: string): unknown {
+  if (irType === "string") return "example";
+  if (irType === "uint" || irType === "int") return 1;
+  if (irType === "float") return 1.0;
+  if (irType === "bool") return true;
+  if (irType === "uuid") return "00000000-0000-0000-0000-000000000001";
+  if (irType === "timestamp") return "2024-01-01T00:00:00.000Z";
+  if (irType === "bytes") return "";
+  if (irType === "json") return {};
+  const listMatch = irType.match(/^list<(.+)>$/);
+  if (listMatch) return [];
+  const setMatch = irType.match(/^set<(.+)>$/);
+  if (setMatch) return [];
+  const optMatch = irType.match(/^optional<(.+)>$/);
+  if (optMatch) return null;
+  return "example";
+}
+
+function buildSampleBody(model: IR.IRModel): Record<string, unknown> {
+  const body: Record<string, unknown> = {};
+  for (const field of model.fields) {
+    body[field.name] = sampleValue(field.type);
+  }
+  return body;
+}
+
+function makeRequest(
+  name: string,
+  method: string,
+  url: string,
+  body?: Record<string, unknown>
+): Record<string, unknown> {
+  const headers = [
+    { key: "Content-Type", value: "application/json" },
+    { key: "Authorization", value: "Bearer {{token}}" },
+  ];
+
+  const req: Record<string, unknown> = {
+    name,
+    request: {
+      method,
+      header: headers,
+      url: {
+        raw: url,
+        host: ["{{baseUrl}}"],
+        path: url
+          .replace("{{baseUrl}}/", "")
+          .split("/")
+          .filter(Boolean),
+      },
+    },
+  };
+
+  if (body !== undefined) {
+    (req.request as Record<string, unknown>).body = {
+      mode: "raw",
+      raw: JSON.stringify(body, null, 2),
+      options: { raw: { language: "json" } },
+    };
+  }
+
+  return req;
+}
+
+// ─── Public API ───────────────────────────────────────────────────────────────
+
+export function emitPostmanCollection(system: IR.IRSystem): string {
+  const folders: unknown[] = [];
+
+  for (const mod of system.modules) {
+    if (mod.kind !== "api_service" || mod.models.length === 0) continue;
+
+    const model = mod.models[0];
+    const tableName = toSnakeCase(model.name);
+    const baseUrl = `{{baseUrl}}/${tableName}s`;
+    const sampleBody = buildSampleBody(model);
+
+    const items: unknown[] = [
+      makeRequest(`List ${model.name}s`, "GET", baseUrl),
+      makeRequest(`Create ${model.name}`, "POST", baseUrl, sampleBody),
+      makeRequest(`Get ${model.name}`, "GET", `${baseUrl}/:id`),
+      makeRequest(`Update ${model.name}`, "PUT", `${baseUrl}/:id`, sampleBody),
+      makeRequest(`Delete ${model.name}`, "DELETE", `${baseUrl}/:id`),
+    ];
+
+    const crudNames = new Set(["create", "read", "update", "delete", "list"]);
+    const allMethods: IR.IRMethod[] = mod.interfaces.flatMap((i) => i.methods);
+    const capabilityMethods = allMethods.filter(
+      (m) => !crudNames.has(m.name.toLowerCase())
+    );
+
+    for (const method of capabilityMethods) {
+      const dashName = toDashCase(method.name);
+      items.push(
+        makeRequest(
+          method.name + " " + model.name,
+          "POST",
+          `${baseUrl}/${dashName}`,
+          sampleBody
+        )
+      );
+    }
+
+    folders.push({
+      name: mod.name,
+      item: items,
+    });
+  }
+
+  const collection = {
+    info: {
+      name: system.name,
+      schema:
+        "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+    },
+    auth: {
+      type: "bearer",
+      bearer: [{ key: "token", value: "{{token}}", type: "string" }],
+    },
+    variable: [
+      { key: "baseUrl", value: "http://localhost:3000" },
+      { key: "token", value: "" },
+    ],
+    item: folders,
+  };
+
+  return JSON.stringify(collection, null, 2);
+}

package/src/emit_runtime.ts

@@ -217,6 +217,11 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
   lines.push(`import { query, queryOne, execute, pool } from "../db";`);
   lines.push(`import { eventBus } from "../events";`);
   lines.push(`import { requireAuth, AuthContext } from "../auth";`);
+  lines.push(`import rateLimit from "express-rate-limit";`);
+  // Only import audit if module has audit: true
+  if (mod.config["audit"]) {
+    lines.push(`import { auditLog } from "../audit";`);
+  }
   lines.push(`import { logger } from "../logger";`);
   lines.push(`import { counter } from "../metrics";`);
   lines.push(`import * as __algorithms from "../algorithms";`);
@@ -242,10 +247,22 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
   lines.push(`export const ${toCamelCase(routeBase)}Router = Router();`);
   lines.push(``);
 
+  // Per-module rate limiter (from policy declaration)
+  const modRateLimit = typeof mod.config["rate_limit"] === "number" && (mod.config["rate_limit"] as number) > 0
+    ? mod.config["rate_limit"] as number : 0;
+  const modRateLimitWindowMs = typeof mod.config["rate_limit_window_ms"] === "number"
+    ? mod.config["rate_limit_window_ms"] as number : 60000;
+  if (modRateLimit > 0) {
+    lines.push(`// Rate limiter from policy declaration`);
+    lines.push(`const __routeRateLimit = rateLimit({ windowMs: ${modRateLimitWindowMs}, max: ${modRateLimit}, standardHeaders: true, legacyHeaders: false });`);
+    lines.push(``);
+  }
+
   // CREATE
   const insertFields = entityModel.fields.filter(f => f.name !== "id" && f.name !== "created_at" && f.name !== "updated_at");
   lines.push(`// CREATE`);
-  lines.push(`${toCamelCase(routeBase)}Router.post("/", requireAuth, async (req: Request, res: Response) => {`);
+  const __crudMiddlewares = modRateLimit > 0 ? "__routeRateLimit, requireAuth" : "requireAuth";
+  lines.push(`${toCamelCase(routeBase)}Router.post("/", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
   lines.push(`  try {`);
   lines.push(`    const id = uuid();`);
   lines.push(`    const { ${insertFields.map(f => f.name).join(", ")} } = req.body;`);
@@ -270,7 +287,7 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
 
   // READ
   lines.push(`// READ`);
-  lines.push(`${toCamelCase(routeBase)}Router.get("/:id", requireAuth, async (req: Request, res: Response) => {`);
+  lines.push(`${toCamelCase(routeBase)}Router.get("/:id", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
   lines.push(`  try {`);
   lines.push(`    const row = await queryOne(\`SELECT * FROM ${tableName} WHERE id = $1\`, [req.params.id]);`);
   lines.push(`    if (!row) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });`);
@@ -284,7 +301,7 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
   // LIST — with optional JOINs for has_one/belongs_to relations
   const joinRelations = mod.relations.filter(r => r.kind === "has_one" || r.kind === "belongs_to");
   lines.push(`// LIST`);
-  lines.push(`${toCamelCase(routeBase)}Router.get("/", requireAuth, async (req: Request, res: Response) => {`);
+  lines.push(`${toCamelCase(routeBase)}Router.get("/", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
   lines.push(`  try {`);
   lines.push(`    const page = parseInt(req.query.page as string) || 1;`);
   lines.push(`    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);`);
@@ -314,7 +331,7 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
 
   // UPDATE — with state machine enforcement
   lines.push(`// UPDATE`);
-  lines.push(`${toCamelCase(routeBase)}Router.put("/:id", requireAuth, async (req: Request, res: Response) => {`);
+  lines.push(`${toCamelCase(routeBase)}Router.put("/:id", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
   lines.push(`  const fields = { ...req.body };`);
   if (mod.state_machines.length > 0) {
     const sm = mod.state_machines[0];
@@ -339,7 +356,7 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
 
   // DELETE
   lines.push(`// DELETE`);
-  lines.push(`${toCamelCase(routeBase)}Router.delete("/:id", requireAuth, async (req: Request, res: Response) => {`);
+  lines.push(`${toCamelCase(routeBase)}Router.delete("/:id", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
   lines.push(`  try {`);
   lines.push(`    const count = await execute(\`DELETE FROM ${tableName} WHERE id = $1\`, [req.params.id]);`);
   lines.push(`    if (count === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });`);
@@ -400,7 +417,15 @@ function emitCapabilityEndpoint(method: IR.IRMethod, mod: IR.IRModule, tableName
   const isTransactional = method.sync === "transactional";
 
   lines.push(`// CAPABILITY: ${method.name}${isTransactional ? " [transactional]" : ""}${method.retry ? ` [retry: ${method.retry.max_attempts}x ${method.retry.backoff}]` : ""}`);
-  lines.push(`${routerName}.post("${endpoint}", requireAuth, async (req: Request, res: Response) => {`);
+  // Build middleware chain: optional rate limiter + requireAuth + optional audit
+  const capMiddlewares: string[] = ["requireAuth"];
+  if (typeof mod.config["rate_limit"] === "number" && (mod.config["rate_limit"] as number) > 0) {
+    capMiddlewares.unshift("__routeRateLimit");
+  }
+  if (mod.config["audit"]) {
+    capMiddlewares.push(`auditLog("${method.name}", "${mod.models[0]?.name ?? ""}")`);
+  }
+  lines.push(`${routerName}.post("${endpoint}", ${capMiddlewares.join(", ")}, async (req: Request, res: Response) => {`);
   lines.push(`  const auth: AuthContext = (req as any).auth;`);
 
   // Wrap in retry logic if declared