npm - bonescript-compiler - Versions diffs - 0.8.0 → 0.11.0 - Mend

bonescript-compiler 0.8.0 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/src/emit_graphql.ts CHANGED Viewed

@@ -142,20 +142,31 @@ export function emitGraphQLSchema(system: IR.IRSystem): string {
   }
   // ─── type Query ───
+  // GraphQL spec requires every schema to define a non-empty Query type.
+  // For systems with no API modules (event-only or channel-only), emit a
+  // placeholder _service field so the schema parses.
   lines.push(`type Query {`);
-  for (const f of queryFields) {
-    lines.push(f);
+  if (queryFields.length === 0) {
+    lines.push(`  _service: String!`);
+  } else {
+    for (const f of queryFields) {
+      lines.push(f);
+    }
   }
   lines.push(`}`);
   lines.push(``);
   // ─── type Mutation ───
-  lines.push(`type Mutation {`);
-  for (const f of mutationFields) {
-    lines.push(f);
+  // Mutation is technically optional in GraphQL, but emitting an empty body
+  // is a syntax error. Skip the type entirely if there's nothing to mutate.
+  if (mutationFields.length > 0) {
+    lines.push(`type Mutation {`);
+    for (const f of mutationFields) {
+      lines.push(f);
+    }
+    lines.push(`}`);
+    lines.push(``);
   }
-  lines.push(`}`);
-  lines.push(``);
   return lines.join("\n");
 }

package/src/emit_notify.ts CHANGED Viewed

@@ -97,6 +97,33 @@ export function emitNotifyService(system: IR.IRSystem): string {
   lines.push(`  return createHmac("sha256", WEBHOOK_SECRET).update(body).digest("hex");`);
   lines.push(`}`);
   lines.push(``);
+  // Private-host detection. Catches loopback (127/8, ::1, 0.0.0.0), RFC1918
+  // (10/8, 172.16/12, 192.168/16), link-local (169.254/16, fe80::/10) and
+  // unique-local IPv6 (fc00::/7). DNS hostnames that resolve to private
+  // addresses are not blocked here — that requires a DNS lookup and a
+  // dual-stack check; we leave that to the deployer's network policy.
+  lines.push(`function isPrivateHost(host: string): boolean {`);
+  lines.push(`  const h = host.toLowerCase();`);
+  lines.push(`  if (h === "localhost" || h === "0.0.0.0" || h === "::" || h === "::1") return true;`);
+  lines.push(`  // IPv4 dotted quad`);
+  lines.push(`  const m4 = h.match(/^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$/);`);
+  lines.push(`  if (m4) {`);
+  lines.push(`    const a = Number(m4[1]), b = Number(m4[2]);`);
+  lines.push(`    if (a === 127) return true;            // loopback`);
+  lines.push(`    if (a === 10) return true;             // RFC1918`);
+  lines.push(`    if (a === 172 && b >= 16 && b <= 31) return true; // RFC1918`);
+  lines.push(`    if (a === 192 && b === 168) return true;          // RFC1918`);
+  lines.push(`    if (a === 169 && b === 254) return true;          // link-local / cloud metadata`);
+  lines.push(`    if (a === 0) return true;`);
+  lines.push(`    return false;`);
+  lines.push(`  }`);
+  lines.push(`  // IPv6 — strip optional brackets and zone suffix.`);
+  lines.push(`  const v6 = h.replace(/^\\[|\\]$/g, "").split("%")[0];`);
+  lines.push(`  if (/^fe[89ab][0-9a-f]?:/i.test(v6)) return true; // link-local fe80::/10`);
+  lines.push(`  if (/^f[cd][0-9a-f]?:/i.test(v6)) return true;     // unique-local fc00::/7`);
+  lines.push(`  return false;`);
+  lines.push(`}`);
+  lines.push(``);
   lines.push(`/**`);
   lines.push(` * Send a JSON payload to NOTIFY_WEBHOOK_URL.`);
   lines.push(` *`);
@@ -113,13 +140,21 @@ export function emitNotifyService(system: IR.IRSystem): string {
   lines.push(`  if (!WEBHOOK_URL) {`);
   lines.push(`    throw new Error("NOTIFY_WEBHOOK_URL is not configured");`);
   lines.push(`  }`);
-  lines.push(`  // Validate URL — only http(s) and reject obvious attempts at SSRF (loopback / RFC1918).`);
+  lines.push(`  // Validate URL — only http(s), and reject loopback / RFC1918 /`);
+  lines.push(`  // link-local hosts to make this server unusable as an SSRF probe.`);
+  lines.push(`  // Set NOTIFY_WEBHOOK_ALLOW_PRIVATE=1 to opt out (e.g. for internal CI`);
+  lines.push(`  // setups where the webhook receiver is on the same network).`);
   lines.push(`  let url: URL;`);
   lines.push(`  try { url = new URL(WEBHOOK_URL); }`);
   lines.push(`  catch { throw new Error("Invalid NOTIFY_WEBHOOK_URL"); }`);
   lines.push(`  if (url.protocol !== "https:" && url.protocol !== "http:") {`);
   lines.push(`    throw new Error(\`Webhook URL protocol must be http(s), got \${url.protocol}\`);`);
   lines.push(`  }`);
+  lines.push(`  if (process.env.NOTIFY_WEBHOOK_ALLOW_PRIVATE !== "1") {`);
+  lines.push(`    if (isPrivateHost(url.hostname)) {`);
+  lines.push(`      throw new Error(\`Webhook URL host is loopback / private / link-local: \${url.hostname}. Set NOTIFY_WEBHOOK_ALLOW_PRIVATE=1 to allow.\`);`);
+  lines.push(`    }`);
+  lines.push(`  }`);
   lines.push(`  const body = JSON.stringify(payload);`);
   lines.push(`  const headers: Record<string, string> = { "Content-Type": "application/json" };`);
   lines.push(`  const sig = signPayload(body);`);

package/src/emit_prisma.ts CHANGED Viewed

@@ -50,8 +50,13 @@ function toPrismaNativeType(irType: string): string | null {
     case "bytes": return null;
     case "timestamp": return "@db.Timestamptz";
     case "float": return "@db.DoublePrecision";
-    case "uint": return "@db.BigInt";
-    case "int": return "@db.BigInt";
+    // BoneScript `uint` and `int` map to Prisma `Int`. Prisma rejects
+    // `Int @db.BigInt` (BigInt requires the Prisma `BigInt` type), so we use
+    // no native type and let Prisma map to the default Postgres `INTEGER`.
+    // If a caller needs 64-bit ints they should use the `int` IR type with a
+    // future `@db.bigint` annotation — TBD.
+    case "uint": return null;
+    case "int": return null;
     default: return null;
   }
 }
@@ -253,6 +258,9 @@ export class PrismaEmitter {
     } else if (field.name === "created_at" || (field.type === "timestamp" && field.name.includes("created"))) {
       attrs.push("@default(now())");
     } else if (field.name === "updated_at") {
+      // @updatedAt only fires on update — we also need a default for create
+      // or the NOT NULL column has no value at INSERT time.
+      attrs.push("@default(now())");
       attrs.push("@updatedAt");
     } else if (field.default_value) {
       const dv = this.mapDefaultValue(field.default_value, field.type);