bonescript-compiler 0.7.0 → 0.9.0

package/src/emit_notify.ts

@@ -19,11 +19,13 @@ export function emitNotifyService(system: IR.IRSystem): string {
   lines.push(``);
   lines.push(`import { SystemEvent } from "./events";`);
   lines.push(``);
-  lines.push(`export type NotifyProvider = "resend" | "sendgrid" | "log";`);
+  lines.push(`export type NotifyProvider = "resend" | "sendgrid" | "webhook" | "log";`);
   lines.push(``);
   lines.push(`const PROVIDER = (process.env.NOTIFY_PROVIDER || "log") as NotifyProvider;`);
   lines.push(`const API_KEY = process.env.NOTIFY_API_KEY || "";`);
   lines.push(`const FROM_EMAIL = process.env.NOTIFY_FROM_EMAIL || "noreply@example.com";`);
+  lines.push(`const WEBHOOK_URL = process.env.NOTIFY_WEBHOOK_URL || "";`);
+  lines.push(`const WEBHOOK_SECRET = process.env.NOTIFY_WEBHOOK_SECRET || "";`);
   lines.push(``);
   lines.push(`export interface NotifyMessage {`);
   lines.push(`  to: string;`);
@@ -79,6 +81,87 @@ export function emitNotifyService(system: IR.IRSystem): string {
   lines.push(`    if (!res.ok) throw new Error(\`SendGrid error: \${res.status}\`);`);
   lines.push(`    return;`);
   lines.push(`  }`);
+  lines.push(`  if (PROVIDER === "webhook") {`);
+  lines.push(`    // Email-style notifications still flow through the webhook so the receiver sees a uniform shape.`);
+  lines.push(`    await sendWebhook({ kind: "email", to: msg.to, subject: msg.subject, body: msg.body });`);
+  lines.push(`    return;`);
+  lines.push(`  }`);
+  lines.push(`}`);
+  lines.push(``);
+  // Webhook signing. We use HMAC-SHA256 over the raw body for tamper detection.
+  // Receivers verify with the same secret.
+  lines.push(`import { createHmac } from "crypto";`);
+  lines.push(``);
+  lines.push(`function signPayload(body: string): string {`);
+  lines.push(`  if (!WEBHOOK_SECRET) return "";`);
+  lines.push(`  return createHmac("sha256", WEBHOOK_SECRET).update(body).digest("hex");`);
+  lines.push(`}`);
+  lines.push(``);
+  // Private-host detection. Catches loopback (127/8, ::1, 0.0.0.0), RFC1918
+  // (10/8, 172.16/12, 192.168/16), link-local (169.254/16, fe80::/10) and
+  // unique-local IPv6 (fc00::/7). DNS hostnames that resolve to private
+  // addresses are not blocked here — that requires a DNS lookup and a
+  // dual-stack check; we leave that to the deployer's network policy.
+  lines.push(`function isPrivateHost(host: string): boolean {`);
+  lines.push(`  const h = host.toLowerCase();`);
+  lines.push(`  if (h === "localhost" || h === "0.0.0.0" || h === "::" || h === "::1") return true;`);
+  lines.push(`  // IPv4 dotted quad`);
+  lines.push(`  const m4 = h.match(/^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$/);`);
+  lines.push(`  if (m4) {`);
+  lines.push(`    const a = Number(m4[1]), b = Number(m4[2]);`);
+  lines.push(`    if (a === 127) return true;            // loopback`);
+  lines.push(`    if (a === 10) return true;             // RFC1918`);
+  lines.push(`    if (a === 172 && b >= 16 && b <= 31) return true; // RFC1918`);
+  lines.push(`    if (a === 192 && b === 168) return true;          // RFC1918`);
+  lines.push(`    if (a === 169 && b === 254) return true;          // link-local / cloud metadata`);
+  lines.push(`    if (a === 0) return true;`);
+  lines.push(`    return false;`);
+  lines.push(`  }`);
+  lines.push(`  // IPv6 — strip optional brackets and zone suffix.`);
+  lines.push(`  const v6 = h.replace(/^\\[|\\]$/g, "").split("%")[0];`);
+  lines.push(`  if (/^fe[89ab][0-9a-f]?:/i.test(v6)) return true; // link-local fe80::/10`);
+  lines.push(`  if (/^f[cd][0-9a-f]?:/i.test(v6)) return true;     // unique-local fc00::/7`);
+  lines.push(`  return false;`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`/**`);
+  lines.push(` * Send a JSON payload to NOTIFY_WEBHOOK_URL.`);
+  lines.push(` *`);
+  lines.push(` * Headers:`);
+  lines.push(` *   Content-Type: application/json`);
+  lines.push(` *   X-BoneScript-Signature: <hex hmac-sha256(body, WEBHOOK_SECRET)>  (only if secret set)`);
+  lines.push(` *   X-BoneScript-Event: <event type>  (set by event handlers)`);
+  lines.push(` */`);
+  lines.push(`export async function sendWebhook(payload: Record<string, unknown>, eventType?: string): Promise<void> {`);
+  lines.push(`  if (PROVIDER === "log") {`);
+  lines.push(`    console.log(\`[notify:webhook] \${eventType || payload.kind || "event"}\`, JSON.stringify(payload).slice(0, 200));`);
+  lines.push(`    return;`);
+  lines.push(`  }`);
+  lines.push(`  if (!WEBHOOK_URL) {`);
+  lines.push(`    throw new Error("NOTIFY_WEBHOOK_URL is not configured");`);
+  lines.push(`  }`);
+  lines.push(`  // Validate URL — only http(s), and reject loopback / RFC1918 /`);
+  lines.push(`  // link-local hosts to make this server unusable as an SSRF probe.`);
+  lines.push(`  // Set NOTIFY_WEBHOOK_ALLOW_PRIVATE=1 to opt out (e.g. for internal CI`);
+  lines.push(`  // setups where the webhook receiver is on the same network).`);
+  lines.push(`  let url: URL;`);
+  lines.push(`  try { url = new URL(WEBHOOK_URL); }`);
+  lines.push(`  catch { throw new Error("Invalid NOTIFY_WEBHOOK_URL"); }`);
+  lines.push(`  if (url.protocol !== "https:" && url.protocol !== "http:") {`);
+  lines.push(`    throw new Error(\`Webhook URL protocol must be http(s), got \${url.protocol}\`);`);
+  lines.push(`  }`);
+  lines.push(`  if (process.env.NOTIFY_WEBHOOK_ALLOW_PRIVATE !== "1") {`);
+  lines.push(`    if (isPrivateHost(url.hostname)) {`);
+  lines.push(`      throw new Error(\`Webhook URL host is loopback / private / link-local: \${url.hostname}. Set NOTIFY_WEBHOOK_ALLOW_PRIVATE=1 to allow.\`);`);
+  lines.push(`    }`);
+  lines.push(`  }`);
+  lines.push(`  const body = JSON.stringify(payload);`);
+  lines.push(`  const headers: Record<string, string> = { "Content-Type": "application/json" };`);
+  lines.push(`  const sig = signPayload(body);`);
+  lines.push(`  if (sig) headers["X-BoneScript-Signature"] = sig;`);
+  lines.push(`  if (eventType) headers["X-BoneScript-Event"] = eventType;`);
+  lines.push(`  const res = await fetch(WEBHOOK_URL, { method: "POST", headers, body });`);
+  lines.push(`  if (!res.ok) throw new Error(\`Webhook delivery failed: \${res.status}\`);`);
   lines.push(`}`);
   lines.push(``);
 

package/src/emit_prisma.ts

@@ -50,8 +50,13 @@ function toPrismaNativeType(irType: string): string | null {
     case "bytes": return null;
     case "timestamp": return "@db.Timestamptz";
     case "float": return "@db.DoublePrecision";
-    case "uint": return "@db.BigInt";
-    case "int": return "@db.BigInt";
+    // BoneScript `uint` and `int` map to Prisma `Int`. Prisma rejects
+    // `Int @db.BigInt` (BigInt requires the Prisma `BigInt` type), so we use
+    // no native type and let Prisma map to the default Postgres `INTEGER`.
+    // If a caller needs 64-bit ints they should use the `int` IR type with a
+    // future `@db.bigint` annotation — TBD.
+    case "uint": return null;
+    case "int": return null;
     default: return null;
   }
 }
@@ -253,6 +258,9 @@ export class PrismaEmitter {
     } else if (field.name === "created_at" || (field.type === "timestamp" && field.name.includes("created"))) {
       attrs.push("@default(now())");
     } else if (field.name === "updated_at") {
+      // @updatedAt only fires on update — we also need a default for create
+      // or the NOT NULL column has no value at INSERT time.
+      attrs.push("@default(now())");
       attrs.push("@updatedAt");
     } else if (field.default_value) {
       const dv = this.mapDefaultValue(field.default_value, field.type);

package/src/emit_react.ts

@@ -0,0 +1,236 @@
+/**
+ * BoneScript React Hooks Emitter
+ *
+ * Generates a typed React hooks file (sdk/react.ts) on top of the existing
+ * fetch SDK. Hooks are zero-dep — they use React's built-in useState +
+ * useEffect rather than pulling in @tanstack/react-query so consumers can
+ * decide their own data layer.
+ *
+ * For each entity:
+ *   useList<Entity>()      → { data, loading, error, refetch }
+ *   use<Entity>(id)        → { data, loading, error, refetch }
+ *   useCreate<Entity>()    → mutate(input) → Promise<Entity>
+ *   useUpdate<Entity>()    → mutate(id, patch) → Promise<Entity>
+ *   useDelete<Entity>()    → mutate(id) → Promise<void>
+ *
+ * For each capability:
+ *   useCapability<Name>()  → mutate(input) → Promise<unknown>
+ *
+ * Hooks are framework-agnostic in shape (no react-query, no SWR) so they work
+ * with Next.js, Vite, CRA, or any plain React app.
+ */
+
+import * as IR from "./ir";
+import { EmittedFile } from "./emitter";
+
+function toSnakeCase(s: string): string {
+  return s.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
+}
+
+function toPascalCase(s: string): string {
+  return s.replace(/(^|[-_\s])(\w)/g, (_, __, c: string) => c.toUpperCase());
+}
+
+const TS_TYPE_MAP: Record<string, string> = {
+  string: "string", uint: "number", int: "number", float: "number",
+  bool: "boolean", timestamp: "string", uuid: "string", bytes: "string", json: "unknown",
+};
+
+function toTsType(irType: string): string {
+  if (TS_TYPE_MAP[irType]) return TS_TYPE_MAP[irType];
+  const m = irType.match(/^(list|set)<(.+)>$/);
+  if (m) return `${toTsType(m[2])}[]`;
+  const om = irType.match(/^optional<(.+)>$/);
+  if (om) return `${toTsType(om[1])} | null`;
+  return irType;
+}
+
+export function emitReactHooks(system: IR.IRSystem): EmittedFile {
+  const lines: string[] = [];
+
+  lines.push(`// Generated by BoneScript compiler. DO NOT EDIT.`);
+  lines.push(`// React hooks for the ${system.name} API.`);
+  lines.push(`//`);
+  lines.push(`// Pair with sdk/client.ts. Pass an instance of <System>Client to <ApiProvider>.`);
+  lines.push(``);
+  lines.push(`import { useCallback, useEffect, useState, createContext, useContext, ReactNode, createElement } from "react";`);
+  lines.push(``);
+
+  // Entity types (forward-declared so the hooks compile without importing the SDK)
+  // We re-declare them here to keep this file independent — the consumer can
+  // also import these types from sdk/client.ts if they prefer.
+  const apiModules = system.modules.filter(m => m.kind === "api_service" && m.models.length > 0);
+  for (const mod of apiModules) {
+    const model = mod.models[0];
+    lines.push(`export interface ${toPascalCase(model.name)} {`);
+    for (const field of model.fields) {
+      const optional = field.nullable ? "?" : "";
+      lines.push(`  ${field.name}${optional}: ${toTsType(field.type)};`);
+    }
+    lines.push(`}`);
+    lines.push(``);
+  }
+
+  lines.push(`export interface ApiClient {`);
+  lines.push(`  baseUrl: string;`);
+  lines.push(`  getToken: () => string | null;`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`async function apiFetch<T>(client: ApiClient, method: string, path: string, body?: unknown): Promise<T> {`);
+  lines.push(`  const headers: Record<string, string> = { "Content-Type": "application/json" };`);
+  lines.push(`  const token = client.getToken();`);
+  lines.push(`  if (token) headers["Authorization"] = "Bearer " + token;`);
+  lines.push(`  const res = await fetch(client.baseUrl + path, {`);
+  lines.push(`    method,`);
+  lines.push(`    headers,`);
+  lines.push(`    body: body !== undefined ? JSON.stringify(body) : undefined,`);
+  lines.push(`  });`);
+  lines.push(`  if (!res.ok) {`);
+  lines.push(`    let errMsg = "Request failed: " + res.status;`);
+  lines.push(`    try { const j = await res.json() as { error?: { message?: string } }; if (j.error?.message) errMsg = j.error.message; } catch {}`);
+  lines.push(`    throw new Error(errMsg);`);
+  lines.push(`  }`);
+  lines.push(`  if (res.status === 204) return undefined as unknown as T;`);
+  lines.push(`  return await res.json() as T;`);
+  lines.push(`}`);
+  lines.push(``);
+
+  // Provider + context. createElement avoids needing JSX in this generated file.
+  lines.push(`const ApiContext = createContext<ApiClient | null>(null);`);
+  lines.push(``);
+  lines.push(`export interface ApiProviderProps {`);
+  lines.push(`  client: ApiClient;`);
+  lines.push(`  children: ReactNode;`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`export function ApiProvider(props: ApiProviderProps) {`);
+  lines.push(`  return createElement(ApiContext.Provider, { value: props.client }, props.children);`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`function useApi(): ApiClient {`);
+  lines.push(`  const ctx = useContext(ApiContext);`);
+  lines.push(`  if (!ctx) throw new Error("useApi must be used inside <ApiProvider>");`);
+  lines.push(`  return ctx;`);
+  lines.push(`}`);
+  lines.push(``);
+
+  // Generic shape helpers
+  lines.push(`export interface QueryState<T> {`);
+  lines.push(`  data: T | null;`);
+  lines.push(`  loading: boolean;`);
+  lines.push(`  error: Error | null;`);
+  lines.push(`  refetch: () => Promise<void>;`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`export interface MutationState<TInput, TOutput> {`);
+  lines.push(`  mutate: (input: TInput) => Promise<TOutput>;`);
+  lines.push(`  loading: boolean;`);
+  lines.push(`  error: Error | null;`);
+  lines.push(`  reset: () => void;`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`export interface PaginatedResponse<T> {`);
+  lines.push(`  items: T[];`);
+  lines.push(`  total: number;`);
+  lines.push(`  page: number;`);
+  lines.push(`  page_size: number;`);
+  lines.push(`}`);
+  lines.push(``);
+
+  // Generic primitive hooks. Specific entity / capability hooks below wrap these.
+  lines.push(`function useQueryGeneric<T>(method: string, path: string, deps: unknown[]): QueryState<T> {`);
+  lines.push(`  const client = useApi();`);
+  lines.push(`  const [data, setData] = useState<T | null>(null);`);
+  lines.push(`  const [loading, setLoading] = useState(true);`);
+  lines.push(`  const [error, setError] = useState<Error | null>(null);`);
+  lines.push(`  const fetchOnce = useCallback(async () => {`);
+  lines.push(`    setLoading(true); setError(null);`);
+  lines.push(`    try { const result = await apiFetch<T>(client, method, path); setData(result); }`);
+  lines.push(`    catch (e: unknown) { setError(e instanceof Error ? e : new Error(String(e))); }`);
+  lines.push(`    finally { setLoading(false); }`);
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  lines.push(`  }, [client, method, path]);`);
+  lines.push(`  useEffect(() => { void fetchOnce(); /* eslint-disable-next-line react-hooks/exhaustive-deps */ }, deps);`);
+  lines.push(`  return { data, loading, error, refetch: fetchOnce };`);
+  lines.push(`}`);
+  lines.push(``);
+  lines.push(`function useMutationGeneric<TInput, TOutput>(builder: (input: TInput) => { method: string; path: string; body?: unknown }): MutationState<TInput, TOutput> {`);
+  lines.push(`  const client = useApi();`);
+  lines.push(`  const [loading, setLoading] = useState(false);`);
+  lines.push(`  const [error, setError] = useState<Error | null>(null);`);
+  lines.push(`  const mutate = useCallback(async (input: TInput): Promise<TOutput> => {`);
+  lines.push(`    setLoading(true); setError(null);`);
+  lines.push(`    try { const req = builder(input); return await apiFetch<TOutput>(client, req.method, req.path, req.body); }`);
+  lines.push(`    catch (e: unknown) { const err = e instanceof Error ? e : new Error(String(e)); setError(err); throw err; }`);
+  lines.push(`    finally { setLoading(false); }`);
+  lines.push(`  }, [client, builder]);`);
+  lines.push(`  const reset = useCallback(() => setError(null), []);`);
+  lines.push(`  return { mutate, loading, error, reset };`);
+  lines.push(`}`);
+  lines.push(``);
+
+  // Per-entity hooks
+  for (const mod of apiModules) {
+    const model = mod.models[0];
+    const entity = toPascalCase(model.name);
+    const tableName = toSnakeCase(model.name) + "s";
+    const route = `/${tableName}`;
+
+    lines.push(`// ─── ${entity} ───────────────────────────────────────────────────────────`);
+    lines.push(``);
+
+    // List
+    lines.push(`export function useList${entity}(): QueryState<PaginatedResponse<${entity}>> {`);
+    lines.push(`  return useQueryGeneric<PaginatedResponse<${entity}>>("GET", "${route}", []);`);
+    lines.push(`}`);
+    lines.push(``);
+
+    // Read
+    lines.push(`export function use${entity}(id: string | null): QueryState<${entity}> {`);
+    lines.push(`  return useQueryGeneric<${entity}>("GET", id ? \`${route}/\${id}\` : "${route}", [id]);`);
+    lines.push(`}`);
+    lines.push(``);
+
+    // Create
+    const createInputType = `Partial<${entity}>`;
+    lines.push(`export function useCreate${entity}(): MutationState<${createInputType}, ${entity}> {`);
+    lines.push(`  return useMutationGeneric<${createInputType}, ${entity}>((input) => ({ method: "POST", path: "${route}", body: input }));`);
+    lines.push(`}`);
+    lines.push(``);
+
+    // Update
+    lines.push(`export function useUpdate${entity}(): MutationState<{ id: string; patch: Partial<${entity}> }, ${entity}> {`);
+    lines.push(`  return useMutationGeneric<{ id: string; patch: Partial<${entity}> }, ${entity}>(({ id, patch }) => ({ method: "PUT", path: \`${route}/\${id}\`, body: patch }));`);
+    lines.push(`}`);
+    lines.push(``);
+
+    // Delete
+    lines.push(`export function useDelete${entity}(): MutationState<string, void> {`);
+    lines.push(`  return useMutationGeneric<string, void>((id) => ({ method: "DELETE", path: \`${route}/\${id}\` }));`);
+    lines.push(`}`);
+    lines.push(``);
+
+    // Capability hooks
+    for (const iface of mod.interfaces) {
+      for (const method of iface.methods) {
+        if (["create", "read", "update", "delete", "list"].includes(method.name)) continue;
+        const capName = toPascalCase(method.name);
+        const inputType = method.input.length > 0
+          ? `{ ${method.input.map(p => `${p.name}${p.nullable ? "?" : ""}: ${toTsType(p.type)}`).join("; ")} }`
+          : "Record<string, never>";
+        const endpoint = `${route}/${method.name.replace(/_/g, "-")}`;
+        lines.push(`export function useCapability${capName}(): MutationState<${inputType}, unknown> {`);
+        lines.push(`  return useMutationGeneric<${inputType}, unknown>((input) => ({ method: "POST", path: "${endpoint}", body: input }));`);
+        lines.push(`}`);
+        lines.push(``);
+      }
+    }
+  }
+
+  return {
+    path: "sdk/react.ts",
+    content: lines.join("\n"),
+    language: "typescript",
+    source_module: "sdk",
+  };
+}