bonescript-compiler 0.6.0 → 0.6.1

package/dist/cli.js

@@ -94,7 +94,7 @@ function main() {
     }
 }
 function showHelp() {
-    console.log("BoneScript compiler v0.6.0");
+    console.log("BoneScript compiler v0.6.1");
     console.log("");
     console.log("Usage:");
     console.log("  bonec compile <file> [--target <target>]  Compile to runnable project");

package/dist/emit_nakama.js

@@ -415,44 +415,44 @@ function emitNakamaReadme(system) {
         }
     }
     const realtimeMods = system.modules.filter(m => m.kind === "realtime_service");
-    return `# ${system.name} — Nakama Backend
-
-Generated by BoneScript compiler (target: nakama). Source hash: ${system.source_hash}
-
-## Quick Start
-
-\`\`\`bash
-# Install deps
-npm install
-
-# Build TypeScript -> JS
-npm run build
-
-# Start Nakama with this module
-docker run --rm -v $(pwd)/build:/nakama/data/modules \\
-  heroiclabs/nakama:latest
-\`\`\`
-
-## RPC Endpoints
-
-Call these from any Nakama client SDK:
-
-${rpcs.join("\n")}
-
-## Match Handlers
-
+    return `# ${system.name} — Nakama Backend
+
+Generated by BoneScript compiler (target: nakama). Source hash: ${system.source_hash}
+
+## Quick Start
+
+\`\`\`bash
+# Install deps
+npm install
+
+# Build TypeScript -> JS
+npm run build
+
+# Start Nakama with this module
+docker run --rm -v $(pwd)/build:/nakama/data/modules \\
+  heroiclabs/nakama:latest
+\`\`\`
+
+## RPC Endpoints
+
+Call these from any Nakama client SDK:
+
+${rpcs.join("\n")}
+
+## Match Handlers
+
 ${realtimeMods.length > 0
         ? realtimeMods.map(m => `- \`${toSnakeCase(m.name)}\` (tick rate: ${m.config["tick_rate"] ?? 10}/s)`).join("\n")
-        : "_No realtime channels declared._"}
-
-## Storage Collections
-
-${system.modules.flatMap(m => m.models).map(m => `- \`${toSnakeCase(m.name)}s\``).join("\n") || "_No entities declared._"}
-
-## Auth
-
-All authenticated RPCs require a valid Nakama session token.
-Use any Nakama client SDK to authenticate before calling RPCs.
+        : "_No realtime channels declared._"}
+
+## Storage Collections
+
+${system.modules.flatMap(m => m.models).map(m => `- \`${toSnakeCase(m.name)}s\``).join("\n") || "_No entities declared._"}
+
+## Auth
+
+All authenticated RPCs require a valid Nakama session token.
+Use any Nakama client SDK to authenticate before calling RPCs.
 `;
 }
 class NakamaEmitter {

package/dist/emit_notify.js

@@ -29,7 +29,32 @@ function emitNotifyService(system) {
     lines.push(`  body: string;`);
     lines.push(`}`);
     lines.push(``);
+    // HTML-escape helper. Used to render arbitrary event payload data inside an
+    // HTML email body without enabling HTML/JS injection in clients that render
+    // it. Subject lines are also escaped for consistency.
+    lines.push(`function escapeHtml(s: string): string {`);
+    lines.push(`  return s`);
+    lines.push(`    .replace(/&/g, "&")`);
+    lines.push(`    .replace(/</g, "&lt;")`);
+    lines.push(`    .replace(/>/g, "&gt;")`);
+    lines.push(`    .replace(/"/g, "&quot;")`);
+    lines.push(`    .replace(/'/g, "&#39;");`);
+    lines.push(`}`);
+    lines.push(``);
+    // Conservative email validation. Rejects empty input, multiple addresses,
+    // and CRLF that would let a caller inject extra headers into the request body
+    // sent to Resend / SendGrid.
+    lines.push(`const __EMAIL_RE = /^[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}$/;`);
+    lines.push(`function isValidEmail(addr: string): boolean {`);
+    lines.push(`  if (!addr || addr.length > 254) return false;`);
+    lines.push(`  if (/[\\r\\n]/.test(addr)) return false;`);
+    lines.push(`  return __EMAIL_RE.test(addr);`);
+    lines.push(`}`);
+    lines.push(``);
     lines.push(`async function sendEmail(msg: NotifyMessage): Promise<void> {`);
+    lines.push(`  if (!isValidEmail(msg.to)) {`);
+    lines.push("    throw new Error(`Invalid recipient address: ${msg.to.slice(0, 64)}`);");
+    lines.push(`  }`);
     lines.push(`  if (PROVIDER === "log") {`);
     lines.push(`    console.log(\`[notify] \${msg.subject} → \${msg.to}\`);`);
     lines.push(`    return;`);
@@ -54,15 +79,18 @@ function emitNotifyService(system) {
     lines.push(`  }`);
     lines.push(`}`);
     lines.push(``);
-    // Per-event handlers
+    // Per-event handlers — payload is JSON-stringified and HTML-escaped before
+    // being placed inside <pre> so payload values like "<script>..." can't break
+    // out of the body.
     for (const event of system.events) {
         const eventName = toPascalCase(event.name);
         lines.push(`// Handler for ${eventName}`);
         lines.push(`export async function notify${eventName}(event: SystemEvent, recipientEmail: string): Promise<void> {`);
+        lines.push(`  const __payload = escapeHtml(JSON.stringify(event.payload, null, 2));`);
         lines.push(`  await sendEmail({`);
         lines.push(`    to: recipientEmail,`);
         lines.push(`    subject: "${eventName} notification",`);
-        lines.push(`    body: \`<p>Event <strong>${eventName}</strong> occurred.</p><pre>\${JSON.stringify(event.payload, null, 2)}</pre>\`,`);
+        lines.push("    body: `<p>Event <strong>${escapeHtml(\"" + eventName + "\")}</strong> occurred.</p><pre>${__payload}</pre>`,");
         lines.push(`  });`);
         lines.push(`}`);
         lines.push(``);

package/dist/emit_notify.js.map

@@ -1 +1 @@
-{"version":3,"file":"emit_notify.js","sourceRoot":"","sources":["../src/emit_notify.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAIH,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,SAAgB,iBAAiB,CAAC,MAAmB;IACnD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IAC9E,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;IAChE,KAAK,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC5E,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC1C,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;IAC7E,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;IAC9G,KAAK,CAAC,IAAI,CAAC,qGAAqG,CAAC,CAAC;IAClH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,wEAAwE,CAAC,CAAC;IACrF,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;IAC9G,KAAK,CAAC,IAAI,CAAC,wLAAwL,CAAC,CAAC;IACrM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACpF,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,qBAAqB;IACrB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,+BAA+B,SAAS,+DAA+D,CAAC,CAAC;QACpH,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAClC,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,iBAAiB,SAAS,iBAAiB,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,gCAAgC,SAAS,iFAAiF,CAAC,CAAC;QACvI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,+BAA+B;IAC/B,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACnE,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,4BAA4B,SAAS,oCAAoC,CAAC,CAAC;QACtF,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;QAC1E,KAAK,CAAC,IAAI,CAAC,sBAAsB,SAAS,0BAA0B,CAAC,CAAC;QACtE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACzB,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AA5ED,8CA4EC"}
+{"version":3,"file":"emit_notify.js","sourceRoot":"","sources":["../src/emit_notify.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAIH,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,SAAgB,iBAAiB,CAAC,MAAmB;IACnD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IAC9E,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;IAChE,KAAK,CAAC,IAAI,CAAC,4EAA4E,CAAC,CAAC;IACzF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,4EAA4E;IAC5E,4EAA4E;IAC5E,sDAAsD;IACtD,KAAK,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC1C,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC3C,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,0EAA0E;IAC1E,8EAA8E;IAC9E,6BAA6B;IAC7B,KAAK,CAAC,IAAI,CAAC,6EAA6E,CAAC,CAAC;IAC1F,KAAK,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAC7D,KAAK,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAC9C,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;IAC5E,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC;IACxF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC1C,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;IAC7E,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;IAC9G,KAAK,CAAC,IAAI,CAAC,qGAAqG,CAAC,CAAC;IAClH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,wEAAwE,CAAC,CAAC;IACrF,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;IAC9G,KAAK,CAAC,IAAI,CAAC,wLAAwL,CAAC,CAAC;IACrM,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACpF,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,2EAA2E;IAC3E,6EAA6E;IAC7E,mBAAmB;IACnB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,EAAE,CAAC,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,+BAA+B,SAAS,+DAA+D,CAAC,CAAC;QACpH,KAAK,CAAC,IAAI,CAAC,yEAAyE,CAAC,CAAC;QACtF,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAClC,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,iBAAiB,SAAS,iBAAiB,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,6CAA6C,GAAG,SAAS,GAAG,sDAAsD,CAAC,CAAC;QAC/H,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,+BAA+B;IAC/B,KAAK,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;IAClF,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACnE,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,4BAA4B,SAAS,oCAAoC,CAAC,CAAC;QACtF,KAAK,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;QAC1E,KAAK,CAAC,IAAI,CAAC,sBAAsB,SAAS,0BAA0B,CAAC,CAAC;QACtE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACzB,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAxGD,8CAwGC"}

package/dist/emit_runtime.js

@@ -140,86 +140,86 @@ function emitDbClient(system) {
 }
 exports.emitDbClient = emitDbClient;
 function emitAuthMiddleware(system) {
-    return `// Generated by BoneScript compiler. DO NOT EDIT.
-import { Request, Response, NextFunction } from "express";
-import jwt from "jsonwebtoken";
-import { v4 as uuid } from "uuid";
-
-// JWT_SECRET must be set in production. The server will refuse to start without it
-// when NODE_ENV is "production" to prevent accidental use of a weak fallback.
-const JWT_SECRET = (() => {
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    if (process.env.NODE_ENV === "production") {
-      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
-      process.exit(1);
-    }
-    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
-    return "bonescript-dev-secret-do-not-use-in-production";
-  }
-  if (secret.length < 32) {
-    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");
-  }
-  return secret;
-})();
-
-export interface AuthContext {
-  authenticated: boolean;
-  actor_id: string | null;
-  trace_id: string;
-}
-
-// Trace IDs are server-generated. We accept a client-supplied X-Trace-Id only
-// if it parses as a UUID, so callers can correlate their own logs without
-// being able to forge correlation IDs in audit / event records.
-const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
-function resolveTraceId(req: Request): string {
-  const supplied = req.headers["x-trace-id"];
-  if (typeof supplied === "string" && UUID_RE.test(supplied)) return supplied;
-  return uuid();
-}
-
-export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  const traceId = resolveTraceId(req);
-  if (!header || !header.startsWith("Bearer ")) {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-    next();
-    return;
-  }
-  try {
-    const token = header.slice(7);
-    // Pin algorithms to HS256 and require an expiration. Without pinning,
-    // jsonwebtoken would accept any algorithm including RS/HS confusion attacks.
-    // maxAge is a safety net even if exp is set far in the future.
-    const decoded = jwt.verify(token, JWT_SECRET, {
-      algorithms: ["HS256"],
-      maxAge: process.env.JWT_MAX_AGE || "1h",
-    }) as { sub?: unknown };
-    if (typeof decoded.sub !== "string" || decoded.sub.length === 0) {
-      (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-      next();
-      return;
-    }
-    (req as any).auth = {
-      authenticated: true,
-      actor_id: decoded.sub,
-      trace_id: traceId,
-    };
-  } catch {
-    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
-  }
-  next();
-}
-
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const auth: AuthContext = (req as any).auth;
-  if (!auth || !auth.authenticated) {
-    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
-    return;
-  }
-  next();
-}
+    return `// Generated by BoneScript compiler. DO NOT EDIT.
+import { Request, Response, NextFunction } from "express";
+import jwt from "jsonwebtoken";
+import { v4 as uuid } from "uuid";
+
+// JWT_SECRET must be set in production. The server will refuse to start without it
+// when NODE_ENV is "production" to prevent accidental use of a weak fallback.
+const JWT_SECRET = (() => {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    if (process.env.NODE_ENV === "production") {
+      console.error("[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.");
+      process.exit(1);
+    }
+    console.warn("[WARN] JWT_SECRET is not set. Using insecure default — do not use in production.");
+    return "bonescript-dev-secret-do-not-use-in-production";
+  }
+  if (secret.length < 32) {
+    console.warn("[WARN] JWT_SECRET is shorter than 32 characters. Use a longer secret in production.");
+  }
+  return secret;
+})();
+
+export interface AuthContext {
+  authenticated: boolean;
+  actor_id: string | null;
+  trace_id: string;
+}
+
+// Trace IDs are server-generated. We accept a client-supplied X-Trace-Id only
+// if it parses as a UUID, so callers can correlate their own logs without
+// being able to forge correlation IDs in audit / event records.
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+function resolveTraceId(req: Request): string {
+  const supplied = req.headers["x-trace-id"];
+  if (typeof supplied === "string" && UUID_RE.test(supplied)) return supplied;
+  return uuid();
+}
+
+export function authMiddleware(req: Request, res: Response, next: NextFunction): void {
+  const header = req.headers.authorization;
+  const traceId = resolveTraceId(req);
+  if (!header || !header.startsWith("Bearer ")) {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+    next();
+    return;
+  }
+  try {
+    const token = header.slice(7);
+    // Pin algorithms to HS256 and require an expiration. Without pinning,
+    // jsonwebtoken would accept any algorithm including RS/HS confusion attacks.
+    // maxAge is a safety net even if exp is set far in the future.
+    const decoded = jwt.verify(token, JWT_SECRET, {
+      algorithms: ["HS256"],
+      maxAge: process.env.JWT_MAX_AGE || "1h",
+    }) as { sub?: unknown };
+    if (typeof decoded.sub !== "string" || decoded.sub.length === 0) {
+      (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+      next();
+      return;
+    }
+    (req as any).auth = {
+      authenticated: true,
+      actor_id: decoded.sub,
+      trace_id: traceId,
+    };
+  } catch {
+    (req as any).auth = { authenticated: false, actor_id: null, trace_id: traceId };
+  }
+  next();
+}
+
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  const auth: AuthContext = (req as any).auth;
+  if (!auth || !auth.authenticated) {
+    res.status(401).json({ error: { code: "UNAUTHORIZED", message: "Authentication required" } });
+    return;
+  }
+  next();
+}
 `;
 }
 exports.emitAuthMiddleware = emitAuthMiddleware;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bonescript-compiler",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "BoneScript compiler — compile .bone system descriptions into complete, runnable Node.js backends",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/cli.ts

@@ -75,7 +75,7 @@ function main() {
 }
 
 function showHelp() {
-  console.log("BoneScript compiler v0.6.0");
+  console.log("BoneScript compiler v0.6.1");
   console.log("");
   console.log("Usage:");
   console.log("  bonec compile <file> [--target <target>]  Compile to runnable project");