bonescript-compiler 0.5.8 → 0.6.0

package/src/emit_maintenance.ts

@@ -220,9 +220,29 @@ export function emitHealthChecks(system: IR.IRSystem): string {
   lines.push(`});`);
   lines.push(``);
 
-  // Metrics endpoint
-  lines.push(`// Prometheus-style metrics`);
-  lines.push(`healthRouter.get("/metrics", (_req: Request, res: Response) => {`);
+  // Metrics endpoint — restricted to internal callers.
+  // Accepted: shared bearer in METRICS_TOKEN, or loopback / RFC1918 source IPs.
+  // External scrapers must inject the bearer; otherwise 403.
+  lines.push(`// Prometheus-style metrics — restricted to internal callers`);
+  lines.push(`function isInternalMetricsRequest(req: Request): boolean {`);
+  lines.push(`  const expected = process.env.METRICS_TOKEN || "";`);
+  lines.push(`  if (expected) {`);
+  lines.push(`    const header = req.headers.authorization || "";`);
+  lines.push(`    if (header.startsWith("Bearer ") && header.slice(7) === expected) return true;`);
+  lines.push(`  }`);
+  lines.push(`  const ip = (req.ip || "").replace(/^::ffff:/, "");`);
+  lines.push(`  if (ip === "127.0.0.1" || ip === "::1") return true;`);
+  lines.push(`  if (ip.startsWith("10.") || ip.startsWith("192.168.")) return true;`);
+  lines.push(`  // RFC1918 172.16.0.0/12`);
+  lines.push(`  const m = ip.match(/^172\\.(\\d{1,3})\\./);`);
+  lines.push(`  if (m && +m[1] >= 16 && +m[1] <= 31) return true;`);
+  lines.push(`  return false;`);
+  lines.push(`}`);
+  lines.push(`healthRouter.get("/metrics", (req: Request, res: Response) => {`);
+  lines.push(`  if (!isInternalMetricsRequest(req)) {`);
+  lines.push(`    res.status(403).json({ error: { code: "FORBIDDEN", message: "Metrics restricted to internal callers" } });`);
+  lines.push(`    return;`);
+  lines.push(`  }`);
   lines.push(`  res.type("text/plain").send(dumpMetrics());`);
   lines.push(`});`);
   lines.push(``);
@@ -356,6 +376,7 @@ interface Field {
   name: string;
   type: string;
   nullable: boolean;
+  renamed_from?: string | null;
 }
 
 interface Model {
@@ -395,8 +416,18 @@ export function diffModels(oldModels: Model[], newModels: Model[]): string[] {
     const oldFields = new Map(oldModel.fields.map(f => [f.name, f]));
     const newFields = new Map(newModel.fields.map(f => [f.name, f]));
 
+    // Renames first — avoid double-counting as add+drop.
+    const renamedOld = new Set<string>();
+    for (const [fname, field] of newFields) {
+      if (field.renamed_from && oldFields.has(field.renamed_from) && !oldFields.has(fname)) {
+        statements.push(\`ALTER TABLE \${tableName} RENAME COLUMN \${field.renamed_from} TO \${fname};\`);
+        renamedOld.add(field.renamed_from);
+      }
+    }
+
     // New columns (backward-compatible)
     for (const [fname, field] of newFields) {
+      if (field.renamed_from && renamedOld.has(field.renamed_from)) continue;
       if (!oldFields.has(fname)) {
         const sqlType = mapType(field.type);
         const nullability = field.nullable ? "" : " NOT NULL DEFAULT (CASE WHEN false THEN NULL ELSE NULL END)";
@@ -406,6 +437,7 @@ export function diffModels(oldModels: Model[], newModels: Model[]): string[] {
 
     // Removed columns (NOT auto-dropped — backward compat)
     for (const [fname] of oldFields) {
+      if (renamedOld.has(fname)) continue;
       if (!newFields.has(fname)) {
         statements.push(\`-- WARNING: Column \${tableName}.\${fname} removed from schema. Run manually: ALTER TABLE \${tableName} DROP COLUMN \${fname};\`);
       }

package/src/emit_runtime.ts

@@ -4,6 +4,7 @@
  */
 
 import * as IR from "./ir";
+import { createHash } from "crypto";
 import { emitCapabilityBody } from "./emit_capability";
 
 function toSnakeCase(s: string): string {
@@ -47,28 +48,31 @@ export function emitPackageJson(system: IR.IRSystem): string {
       migrate: "ts-node src/migrate.ts",
     },
     dependencies: {
-      express: "4.18.2",
-      pg: "8.11.3",
-      ioredis: "5.3.2",
-      ws: "8.16.0",
-      uuid: "9.0.0",
+      // Pinned to specific patch versions. Update consciously — a bump should
+      // be paired with a quick read of the release notes / advisories.
+      express: "4.22.2",          // 4.22.x patches qs / path-to-regexp DoS
+      pg: "8.13.1",
+      ioredis: "5.4.1",
+      ws: "8.18.0",               // 8.17.1 patched CVE-2024-37890 (DoS)
+      uuid: "10.0.0",
       cors: "2.8.5",
-      helmet: "7.1.0",
-      "express-rate-limit": "7.1.5",
+      helmet: "8.0.0",
+      "express-rate-limit": "7.5.0",
       jsonwebtoken: "9.0.2",
-      dotenv: "16.3.1",
+      dotenv: "16.4.7",
       "node-cron": "3.0.3",
+      zod: "3.23.8",
     },
     devDependencies: {
       "@types/express": "4.17.21",
-      "@types/node": "18.19.0",
-      "@types/pg": "8.10.9",
-      "@types/ws": "8.5.10",
+      "@types/node": "20.14.0",
+      "@types/pg": "8.11.10",
+      "@types/ws": "8.5.13",
       "@types/cors": "2.8.17",
-      "@types/jsonwebtoken": "9.0.5",
-      "@types/uuid": "9.0.7",
+      "@types/jsonwebtoken": "9.0.7",
+      "@types/uuid": "10.0.0",
       "@types/node-cron": "3.0.11",
-      typescript: "5.3.3",
+      typescript: "5.6.3",
       "ts-node": "10.9.2",
     },
   };
@@ -145,6 +149,7 @@ export function emitAuthMiddleware(system: IR.IRSystem): string {
   return `// Generated by BoneScript compiler. DO NOT EDIT.
 import { Request, Response, NextFunction } from "express";
 import jwt from "jsonwebtoken";
+import { v4 as uuid } from "uuid";
 
 // JWT_SECRET must be set in production. The server will refuse to start without it
 // when NODE_ENV is "production" to prevent accidental use of a weak fallback.
@@ -170,23 +175,45 @@ export interface AuthContext {
   trace_id: string;
 }
 
+// Trace IDs are server-generated. We accept a client-supplied X-Trace-Id only
+// if it parses as a UUID, so callers can correlate their own logs without
+// being able to forge correlation IDs in audit / event records.
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+function resolveTraceId(req: Request): string {
+  const supplied = req.headers["x-trace-id"];
+  if (typeof supplied === "string" && UUID_RE.test(supplied)) return supplied;
+  return uuid();
+}
+
 export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
   const header = req.headers.authorization;
+  const traceId = resolveTraceId(req);
   if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
     next();
     return;
   }
   try {
     const token = header.slice(7);
-    const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };
+    // Pin algorithms to HS256 and require an expiration. Without pinning,
+    // jsonwebtoken would accept any algorithm including RS/HS confusion attacks.
+    // maxAge is a safety net even if exp is set far in the future.
+    const decoded = jwt.verify(token, JWT_SECRET, {
+      algorithms: ["HS256"],
+      maxAge: process.env.JWT_MAX_AGE || "1h",
+    }) as { sub?: unknown };
+    if (typeof decoded.sub !== "string" || decoded.sub.length === 0) {
+      (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+      next();
+      return;
+    }
     (req as any).auth = {
       authenticated: true,
       actor_id: decoded.sub,
-      trace_id: req.headers["x-trace-id"] as string || "",
+      trace_id: traceId,
     };
   } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: req.headers["x-trace-id"] as string || "" };
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
   }
   next();
 }
@@ -226,6 +253,9 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
   }
   lines.push(`import { logger } from "../logger";`);
   lines.push(`import { counter } from "../metrics";`);
+  // Zod schemas for input validation. The Create / Update derivatives are
+  // generated alongside the full model schema in src/schemas.ts.
+  lines.push(`import { ${toPascalCase(entityModel.name)}CreateSchema, ${toPascalCase(entityModel.name)}UpdateSchema } from "../schemas";`);
   lines.push(`import * as __algorithms from "../algorithms";`);
   lines.push(`const { shortestPath, topologicalSort, binarySearch, bipartiteMatching, roundRobin, weightedAverage, percentile, rankBy, consistentHash } = __algorithms as any;`);
   lines.push(``);
@@ -265,9 +295,15 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
   lines.push(`// CREATE`);
   const __crudMiddlewares = modRateLimit > 0 ? "__routeRateLimit, requireAuth" : "requireAuth";
   lines.push(`${toCamelCase(routeBase)}Router.post("/", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
+  lines.push(`  // Validate the request body against the generated Zod schema.`);
+  lines.push(`  const __parsed = ${toPascalCase(entityModel.name)}CreateSchema.safeParse(req.body);`);
+  lines.push(`  if (!__parsed.success) {`);
+  lines.push(`    return res.status(400).json({ error: { code: "VALIDATION_FAILED", message: "Invalid request body", issues: __parsed.error.flatten() } });`);
+  lines.push(`  }`);
+  lines.push(`  const __body = __parsed.data;`);
   lines.push(`  try {`);
   lines.push(`    const id = uuid();`);
-  lines.push(`    const { ${insertFields.map(f => f.name).join(", ")} } = req.body;`);
+  lines.push(`    const { ${insertFields.map(f => f.name).join(", ")} } = __body as any;`);
   if (mod.state_machines.length > 0) {
     lines.push(`    const state = ${mod.state_machines[0].entity.toUpperCase()}_INITIAL;`);
   }
@@ -331,10 +367,35 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
   lines.push(`});`);
   lines.push(``);
 
-  // UPDATE — with state machine enforcement
+  // UPDATE — with state machine enforcement and column allow-list
+  // The allow-list is derived from the IR model so generated SQL never
+  // interpolates user-supplied keys as identifiers.
+  const updatableColumns = entityModel.fields
+    .filter(f => !["id", "created_at", "updated_at"].includes(f.name))
+    .map(f => f.name);
+  // Entities with a state machine carry a `state` column not present in the
+  // IR field list. Include it so PUT can drive transitions.
+  if (mod.state_machines.length > 0 && !updatableColumns.includes("state")) {
+    updatableColumns.push("state");
+  }
   lines.push(`// UPDATE`);
+  lines.push(`const __${toCamelCase(routeBase)}Updatable = new Set<string>(${JSON.stringify(updatableColumns)});`);
   lines.push(`${toCamelCase(routeBase)}Router.put("/:id", ${__crudMiddlewares}, async (req: Request, res: Response) => {`);
-  lines.push(`  const fields = { ...req.body };`);
+  lines.push(`  // 1. Validate body shape and types via Zod (UpdateSchema is partial).`);
+  lines.push(`  const __parsed = ${toPascalCase(entityModel.name)}UpdateSchema.safeParse(req.body);`);
+  lines.push(`  if (!__parsed.success) {`);
+  lines.push(`    return res.status(400).json({ error: { code: "VALIDATION_FAILED", message: "Invalid request body", issues: __parsed.error.flatten() } });`);
+  lines.push(`  }`);
+  lines.push(`  // 2. Reject unknown columns (defense in depth — Zod would already strip them).`);
+  lines.push(`  const __unknown = Object.keys(req.body || {}).filter(k => !__${toCamelCase(routeBase)}Updatable.has(k));`);
+  lines.push(`  if (__unknown.length > 0) {`);
+  lines.push(`    return res.status(400).json({ error: { code: "UNKNOWN_FIELDS", message: \`Unknown fields: \${__unknown.join(", ")}\`, fields: __unknown } });`);
+  lines.push(`  }`);
+  lines.push(`  // 3. Use the Zod-parsed object as the update set.`);
+  lines.push(`  const fields: Record<string, unknown> = __parsed.data as Record<string, unknown>;`);
+  lines.push(`  if (Object.keys(fields).length === 0) {`);
+  lines.push(`    return res.status(400).json({ error: { code: "NO_FIELDS", message: "No updatable fields supplied" } });`);
+  lines.push(`  }`);
   if (mod.state_machines.length > 0) {
     const sm = mod.state_machines[0];
     lines.push(`  // State machine enforcement`);
@@ -347,8 +408,9 @@ export function emitEntityRouter(mod: IR.IRModule, system: IR.IRSystem): string
     lines.push(`    if (!tr.ok) return res.status(422).json({ error: { code: "INVALID_TRANSITION", message: \`Cannot transition from \${current.state} to \${fields.state}\` } });`);
     lines.push(`  }`);
   }
-  lines.push(`  const sets = Object.keys(fields).map((k, i) => \`\${k} = $\${i + 2}\`).join(", ");`);
-  lines.push(`  const values = Object.values(fields);`);
+  lines.push(`  const keys = Object.keys(fields);`);
+  lines.push(`  const sets = keys.map((k, i) => \`\${k} = $\${i + 2}\`).join(", ");`);
+  lines.push(`  const values = keys.map(k => fields[k]);`);
   lines.push(`  const sql = \`UPDATE ${tableName} SET \${sets}, updated_at = NOW() WHERE id = $1 RETURNING *\`;`);
   lines.push(`  const rows = await query(sql, [req.params.id, ...values]);`);
   lines.push(`  if (rows.length === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });`);
@@ -597,6 +659,14 @@ export function emitIndex(system: IR.IRSystem): string {
   lines.push(`const httpServer = createServer(app);`);
   lines.push(`const PORT = parseInt(process.env.PORT || "3000");`);
   lines.push(``);
+  lines.push(`// Trust the immediate hop's X-Forwarded-* headers when running behind a`);
+  lines.push(`// load balancer / k8s ingress. Override with TRUST_PROXY=<n> for multi-hop`);
+  lines.push(`// (e.g. "2" for ingress + service mesh). Set to "false" to disable.`);
+  lines.push(`const __trust = process.env.TRUST_PROXY ?? "loopback, linklocal, uniquelocal";`);
+  lines.push(`if (__trust === "false") app.set("trust proxy", false);`);
+  lines.push(`else if (/^\\d+$/.test(__trust)) app.set("trust proxy", Number(__trust));`);
+  lines.push(`else app.set("trust proxy", __trust);`);
+  lines.push(``);
   lines.push(`// Middleware`);
   lines.push(`app.use(helmet());`);
   lines.push(`// CORS: restrict to ALLOWED_ORIGINS env var (comma-separated). Defaults to same-origin only.`);
@@ -699,23 +769,145 @@ export function emitIndex(system: IR.IRSystem): string {
 
 // ─── Migration Script ─────────────────────────────────────────────────────────
 
-export function emitMigration(system: IR.IRSystem, schemas: string[]): string {
+/**
+ * A migration block paired with a stable identifier and content checksum.
+ * - `id` is a human-readable, ordered name (e.g. "0001_create_sellers").
+ * - `checksum` is a sha256 of the SQL body — used by the ledger to detect
+ *   tampering with already-applied migrations.
+ */
+export interface MigrationBlock {
+  id: string;
+  checksum: string;
+  sql: string;
+}
+
+/**
+ * Build deterministic migration blocks from raw schema strings.
+ * The order of `schemas` is preserved; each block gets a zero-padded prefix
+ * so lexicographic sort matches insertion order.
+ */
+export function buildMigrationBlocks(schemas: string[]): MigrationBlock[] {
+  const blocks: MigrationBlock[] = [];
+  schemas.forEach((sql, i) => {
+    const checksum = createHash("sha256").update(sql).digest("hex");
+    // Try to extract the module name from the schema header for a friendlier id.
+    const moduleMatch = sql.match(/^--\s*Module:\s*(\S+)/m);
+    const tableMatch = sql.match(/CREATE TABLE IF NOT EXISTS\s+(\w+)/i);
+    const slug = (tableMatch?.[1] || moduleMatch?.[1] || `block_${i}`)
+      .replace(/[^a-zA-Z0-9_]/g, "_")
+      .toLowerCase();
+    const id = `${String(i).padStart(4, "0")}_${slug}`;
+    blocks.push({ id, checksum, sql });
+  });
+  return blocks;
+}
+
+export function emitMigration(_system: IR.IRSystem, schemas: string[]): string {
+  const blocks = buildMigrationBlocks(schemas);
+
   const lines: string[] = [];
   lines.push(`// Generated by BoneScript compiler. DO NOT EDIT.`);
+  lines.push(`// Migration runner with a schema_migrations ledger.`);
+  lines.push(`// Each block is hashed at compile time; runs are skipped if the same`);
+  lines.push(`// (id, checksum) pair has already been recorded as applied.`);
   lines.push(`require("dotenv").config();`);
+  lines.push(`import * as fs from "fs";`);
+  lines.push(`import * as path from "path";`);
+  lines.push(`import { createHash } from "crypto";`);
   lines.push(`import { pool } from "./db";`);
   lines.push(``);
+  lines.push(`interface Block { id: string; checksum: string; sql: string; }`);
+  lines.push(``);
+  lines.push(`const GENERATED_BLOCKS: Block[] = [`);
+  for (const b of blocks) {
+    const escaped = b.sql.replace(/\\/g, "\\\\").replace(/`/g, "\\`").replace(/\$/g, "\\$");
+    lines.push(`  {`);
+    lines.push(`    id: ${JSON.stringify(b.id)},`);
+    lines.push(`    checksum: ${JSON.stringify(b.checksum)},`);
+    lines.push(`    sql: \`${escaped}\`,`);
+    lines.push(`  },`);
+  }
+  lines.push(`];`);
+  lines.push(``);
+  lines.push(`/**`);
+  lines.push(` * Pick up any hand-authored migrations dropped into migrations/_manual/.`);
+  lines.push(` * Files are picked up in lexicographic order; \`bonec diff --write\` writes`);
+  lines.push(` * them with a numeric prefix so insertion order is stable.`);
+  lines.push(` */`);
+  lines.push(`function loadManualBlocks(): Block[] {`);
+  lines.push(`  const dir = path.resolve(__dirname, "..", "migrations", "_manual");`);
+  lines.push(`  if (!fs.existsSync(dir)) return [];`);
+  lines.push(`  return fs.readdirSync(dir)`);
+  lines.push(`    .filter(f => f.endsWith(".sql"))`);
+  lines.push(`    .sort()`);
+  lines.push(`    .map(f => {`);
+  lines.push(`      const sql = fs.readFileSync(path.join(dir, f), "utf-8");`);
+  lines.push(`      return {`);
+  lines.push(`        id: "manual_" + f.replace(/\\.sql$/, ""),`);
+  lines.push(`        checksum: createHash("sha256").update(sql).digest("hex"),`);
+  lines.push(`        sql,`);
+  lines.push(`      };`);
+  lines.push(`    });`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`const LEDGER_DDL = \`CREATE TABLE IF NOT EXISTS schema_migrations (`);
+  lines.push(`  id           VARCHAR PRIMARY KEY,`);
+  lines.push(`  checksum     VARCHAR NOT NULL,`);
+  lines.push(`  applied_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),`);
+  lines.push(`  applied_by   VARCHAR NOT NULL DEFAULT current_user,`);
+  lines.push(`  duration_ms  INTEGER NOT NULL DEFAULT 0`);
+  lines.push(`);\`;`);
+  lines.push(``);
   lines.push(`async function migrate() {`);
-  lines.push(`  console.log("Running migrations...");`);
   lines.push(`  const client = await pool.connect();`);
+  lines.push(`  let applied = 0, skipped = 0;`);
   lines.push(`  try {`);
-
-  for (const schema of schemas) {
-    const escaped = schema.replace(/`/g, "\\`").replace(/\$/g, "\\$");
-    lines.push(`    await client.query(\`${escaped}\`);`);
-  }
-
-  lines.push(`    console.log("Migrations complete.");`);
+  lines.push(`    await client.query(LEDGER_DDL);`);
+  lines.push(``);
+  lines.push(`    // Generated blocks come first (compile-time schema), then manual diffs.`);
+  lines.push(`    const allBlocks: Block[] = [...GENERATED_BLOCKS, ...loadManualBlocks()];`);
+  lines.push(``);
+  lines.push(`    // Load already-applied entries.`);
+  lines.push(`    const existing = await client.query(`);
+  lines.push(`      "SELECT id, checksum FROM schema_migrations"`);
+  lines.push(`    );`);
+  lines.push(`    const rows = existing.rows as Array<{ id: string; checksum: string }>;`);
+  lines.push(`    const appliedById = new Map(rows.map(r => [r.id, r.checksum]));`);
+  lines.push(``);
+  lines.push(`    for (const block of allBlocks) {`);
+  lines.push(`      const prior = appliedById.get(block.id);`);
+  lines.push(`      if (prior === block.checksum) {`);
+  lines.push(`        skipped++;`);
+  lines.push(`        continue;`);
+  lines.push(`      }`);
+  lines.push(`      if (prior && prior !== block.checksum) {`);
+  lines.push(`        // Someone changed an already-applied migration. Refuse to proceed —`);
+  lines.push(`        // an explicit migration file should be authored instead.`);
+  lines.push(`        throw new Error(`);
+  lines.push("          `Migration ${block.id} was previously applied with a different ` +");
+  lines.push("          `checksum. Generate a new migration via 'bonec diff --write' ` +");
+  lines.push("          `instead of editing existing schemas.`");
+  lines.push(`        );`);
+  lines.push(`      }`);
+  lines.push(``);
+  lines.push(`      const start = Date.now();`);
+  lines.push(`      try {`);
+  lines.push(`        await client.query("BEGIN");`);
+  lines.push(`        await client.query(block.sql);`);
+  lines.push(`        await client.query(`);
+  lines.push(`          "INSERT INTO schema_migrations (id, checksum, duration_ms) VALUES ($1, $2, $3)",`);
+  lines.push(`          [block.id, block.checksum, Date.now() - start]`);
+  lines.push(`        );`);
+  lines.push(`        await client.query("COMMIT");`);
+  lines.push("        console.log(`  applied  ${block.id}  (${Date.now() - start}ms)`);");
+  lines.push(`        applied++;`);
+  lines.push(`      } catch (e) {`);
+  lines.push(`        await client.query("ROLLBACK").catch(() => {});`);
+  lines.push(`        throw e;`);
+  lines.push(`      }`);
+  lines.push(`    }`);
+  lines.push(``);
+  lines.push("    console.log(`Migrations complete: ${applied} applied, ${skipped} already up to date.`);");
   lines.push(`  } finally {`);
   lines.push(`    client.release();`);
   lines.push(`    await pool.end();`);

package/src/emit_websocket.ts

@@ -29,7 +29,23 @@ export function emitWebSocketServer(system: IR.IRSystem): string {
   lines.push(`import { eventBus } from "./events";`);
   lines.push(`import { logger } from "./logger";`);
   lines.push(``);
-  lines.push(`const JWT_SECRET = process.env.JWT_SECRET || "bonescript-dev-secret-change-in-production";`);
+  // Use the same secret-loading rules as the HTTP middleware.
+  // Refuse to boot in production without JWT_SECRET; warn in dev.
+  lines.push(`const JWT_SECRET = (() => {`);
+  lines.push(`  const secret = process.env.JWT_SECRET;`);
+  lines.push(`  if (!secret) {`);
+  lines.push(`    if (process.env.NODE_ENV === "production") {`);
+  lines.push(`      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");`);
+  lines.push(`      process.exit(1);`);
+  lines.push(`    }`);
+  lines.push(`    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");`);
+  lines.push(`    return "bonescript-dev-secret-do-not-use-in-production";`);
+  lines.push(`  }`);
+  lines.push(`  if (secret.length < 32) {`);
+  lines.push(`    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");`);
+  lines.push(`  }`);
+  lines.push(`  return secret;`);
+  lines.push(`})();`);
   lines.push(``);
   // Redis pub/sub for multi-instance support
   lines.push(`// Redis pub/sub for multi-instance WebSocket broadcasting`);
@@ -117,7 +133,11 @@ export function emitWebSocketServer(system: IR.IRSystem): string {
   lines.push(``);
   lines.push(`    let userId: string;`);
   lines.push(`    try {`);
-  lines.push(`      const decoded = jwt.verify(token, JWT_SECRET) as { sub: string };`);
+  lines.push(`      const decoded = jwt.verify(token, JWT_SECRET, {`);
+  lines.push(`        algorithms: ["HS256"],`);
+  lines.push(`        maxAge: process.env.JWT_MAX_AGE || "1h",`);
+  lines.push(`      }) as { sub?: unknown };`);
+  lines.push(`      if (typeof decoded.sub !== "string" || decoded.sub.length === 0) throw new Error("invalid sub");`);
   lines.push(`      userId = decoded.sub;`);
   lines.push(`    } catch {`);
   lines.push(`      socket.send(JSON.stringify({ type: "error", message: "Authentication failed" }));`);

package/src/emit_zod.ts

@@ -62,9 +62,13 @@ export function emitZodSchemas(system: IR.IRSystem): string {
   lines.push(`import { z } from "zod";`);
   lines.push("");
 
-  // Model schemas
+  // Model schemas — dedupe by name since the same entity can appear in both
+  // an api_service module and its backing data_store module.
+  const seenModels = new Set<string>();
   for (const mod of system.modules) {
     for (const model of mod.models) {
+      if (seenModels.has(model.name)) continue;
+      seenModels.add(model.name);
       const schemaName = toPascalCase(model.name) + "Schema";
       const typeName = toPascalCase(model.name);
 
@@ -79,6 +83,12 @@ export function emitZodSchemas(system: IR.IRSystem): string {
       }
       lines.push(`});`);
       lines.push(`export type ${typeName} = z.infer<typeof ${schemaName}>;`);
+      // Derived schemas for CRUD validation. `omit` drops server-managed fields
+      // and `partial` makes every key optional for PUT.
+      const hasState = model.fields.some(f => f.name === "state");
+      const createPartial = hasState ? ".partial({ state: true })" : "";
+      lines.push(`export const ${toPascalCase(model.name)}CreateSchema = ${schemaName}.omit({ id: true, created_at: true, updated_at: true })${createPartial};`);
+      lines.push(`export const ${toPascalCase(model.name)}UpdateSchema = ${schemaName}.omit({ id: true, created_at: true, updated_at: true }).partial();`);
       lines.push("");
     }
   }

package/src/formatter.ts

@@ -76,7 +76,7 @@ export class Formatter {
 
     if (e.owns.length > 0) {
       if (e.owns.length <= 2) {
-        const fields = e.owns.map(f => `${f.name}: ${this.formatType(f.type)}`).join(", ");
+        const fields = e.owns.map(f => this.formatField(f)).join(", ");
         this.line(`owns: [${fields}]`);
       } else {
         this.line(`owns: [`);
@@ -84,7 +84,7 @@ export class Formatter {
         for (let i = 0; i < e.owns.length; i++) {
           const f = e.owns[i];
           const comma = i < e.owns.length - 1 ? "," : "";
-          this.line(`${f.name}: ${this.formatType(f.type)}${comma}`);
+          this.line(`${this.formatField(f)}${comma}`);
         }
         this.indent--;
         this.line(`]`);
@@ -264,6 +264,13 @@ export class Formatter {
     }
   }
 
+  private formatField(f: AST.FieldNode): string {
+    let s = `${f.name}: ${this.formatType(f.type)}`;
+    if (f.renamedFrom) s += ` @renamed_from(${f.renamedFrom})`;
+    if (f.sensitive) s += ` @sensitive`;
+    return s;
+  }
+
   private formatExpr(e: AST.ExprNode): string {
     switch (e.kind) {
       case "Literal":

package/src/ir.ts

@@ -17,6 +17,8 @@ export interface IRField {
   unique: boolean;
   indexed: boolean;
   default_value: string | null;
+  renamed_from?: string | null;
+  sensitive?: boolean;
 }
 
 // ─── Models ──────────────────────────────────────────────────────────────────

package/src/lexer.ts

@@ -25,6 +25,7 @@ export enum TokenKind {
   Arrow = "Arrow",
   Pipe = "Pipe",
   Semicolon = "Semicolon",
+  At = "At",
 
   // Operators
   Equals = "Equals",
@@ -519,6 +520,7 @@ export class Lexer {
       case "?": this.advance(); return { kind: TokenKind.Question, value: "?", loc };
       case "!": this.advance(); return { kind: TokenKind.Bang, value: "!", loc };
       case ";": this.advance(); return { kind: TokenKind.Semicolon, value: ";", loc };
+      case "@": this.advance(); return { kind: TokenKind.At, value: "@", loc };
     }
 
     // String literal

package/src/lowering.ts

@@ -380,9 +380,9 @@ export class Lowering {
       config: {
         authenticated: entity.auth !== null && entity.auth !== "none",
         auth_method: entity.auth || "none",
-        audit: policies.some(p => p.audit === true),
-        rate_limit: policies.length > 0 && policies[0].rateLimit ? policies[0].rateLimit.count : 0,
-        rate_limit_window_ms: policies.length > 0 && policies[0].rateLimit ? (parseDurationMs(String(policies[0].rateLimit.per)) || 60000) : 60000,
+        audit: policies.some(p => p.audit === true),
+        rate_limit: policies.length > 0 && policies[0].rateLimit ? policies[0].rateLimit.count : 0,
+        rate_limit_window_ms: policies.length > 0 && policies[0].rateLimit ? (parseDurationMs(String(policies[0].rateLimit.per)) || 60000) : 60000,
       },
     };
   }
@@ -554,6 +554,8 @@ export class Lowering {
       unique: false,
       indexed: false,
       default_value: f.defaultValue ? serializeExpr(f.defaultValue) : null,
+      renamed_from: f.renamedFrom ?? null,
+      sensitive: f.sensitive ?? false,
     };
   }
 }

package/src/parse_decls.ts

@@ -33,7 +33,37 @@ export function parseField(s: TokenStream): AST.FieldNode {
   const type = parseTypeExpr(s);
   let defaultValue: AST.ExprNode | null = null;
   if (s.match(TokenKind.Equals)) { defaultValue = parseExpr(s); }
-  return { kind: "Field", loc, name, type, defaultValue };
+  // Optional annotations: @renamed_from(old_name), @sensitive
+  let renamedFrom: string | null = null;
+  let sensitive = false;
+  while (s.check(TokenKind.At)) {
+    s.advance();
+    const annoName = parseIdentOrKeyword(s);
+    if (annoName === "renamed_from") {
+      s.expect(TokenKind.LParen, "renamed_from(old_name)");
+      renamedFrom = parseIdentOrKeyword(s);
+      s.expect(TokenKind.RParen, "renamed_from close");
+    } else if (annoName === "sensitive") {
+      // Bare flag annotation. Optional empty parens for forward compat.
+      sensitive = true;
+      if (s.match(TokenKind.LParen)) {
+        s.expect(TokenKind.RParen, "sensitive close");
+      }
+    } else {
+      // Unknown annotation — accept and ignore for forward compat; consume
+      // an optional (...) payload so it parses cleanly.
+      if (s.match(TokenKind.LParen)) {
+        let depth = 1;
+        while (depth > 0 && !s.check(TokenKind.EOF)) {
+          if (s.check(TokenKind.LParen)) depth++;
+          else if (s.check(TokenKind.RParen)) depth--;
+          if (depth > 0) s.advance();
+        }
+        s.expect(TokenKind.RParen, "annotation close");
+      }
+    }
+  }
+  return { kind: "Field", loc, name, type, defaultValue, renamedFrom, sensitive };
 }
 
 export function parseIdentList(s: TokenStream): string[] {

package/src/typechecker.ts

@@ -404,6 +404,16 @@ export class TypeChecker {
     const path = expr.path;
     if (path.length === 0) return null;
 
+    // Built-in: `caller` resolves to the authenticated actor's identity.
+    // `caller.id` is a uuid; bare `caller` is a record { id: uuid } for now.
+    if (path[0] === "caller") {
+      const callerType = record("Caller", new Map([
+        ["id", prim("uuid")],
+        ["actor_id", prim("uuid")],
+      ]));
+      return this.resolveFieldPath(callerType, path.slice(1), expr);
+    }
+
     // First segment: look up in context
     let currentType = ctx.lookup(path[0]);