fastscript 1.0.0 → 3.0.0

package/src/migration-wizard.mjs

@@ -0,0 +1,42 @@
+import { existsSync } from "node:fs";
+import { resolve } from "node:path";
+import { createStrictConversionPlan } from "./migrate.mjs";
+
+export async function runMigrationWizard(args = []) {
+  const target = args[0] || "app";
+  const abs = resolve(target);
+  if (!existsSync(abs)) throw new Error(`migration wizard: path not found (${abs})`);
+
+  const prepared = createStrictConversionPlan([abs, "--dry-run"]);
+  const { plan } = prepared;
+
+  console.log("=== strict conversion preview ===");
+  console.log(`target: ${abs}`);
+  console.log(`rename files: ${plan.renames.length}`);
+  console.log(`rewrite files: ${plan.writes.filter((item) => item.kind === "rewrite").length}`);
+  console.log(`import rewrites: ${plan.importRewrites.reduce((sum, item) => sum + item.count, 0)}`);
+  console.log(`blocked files: ${plan.blockedFiles.length}`);
+
+  if (plan.renames.length) {
+    console.log("--- renames ---");
+    for (const item of plan.renames.slice(0, 200)) {
+      console.log(`${item.fromRel} -> ${item.toRel}`);
+    }
+  }
+
+  if (plan.importRewrites.length) {
+    console.log("--- import rewrites ---");
+    for (const item of plan.importRewrites.slice(0, 100)) {
+      console.log(`${item.file} (${item.count})`);
+    }
+  }
+
+  if (plan.blockedFiles.length) {
+    console.log("--- blocked ---");
+    for (const item of plan.blockedFiles.slice(0, 200)) {
+      console.log(`${item.path}: ${item.reason}`);
+    }
+  }
+
+  console.log("=== end preview ===");
+}

package/src/module-loader.mjs

@@ -1,24 +1,31 @@
-import { extname } from "node:path";
+import { extname } from "node:path";
 import { pathToFileURL } from "node:url";
 import esbuild from "esbuild";
-import {
-  createFastScriptDiagnosticError,
-  normalizeFastScriptWithTelemetry,
-} from "./fs-normalize.mjs";
+import { normalizeFastScript } from "./fs-normalize.mjs";
+import { assertFastScript } from "./fs-diagnostics.mjs";
+import { createPermissionRuntime } from "./runtime-permissions.mjs";
+
+let cachedPermissionRuntime = null;
+
+function getPermissionRuntime() {
+  if (process.env.FASTSCRIPT_RUNTIME_PERMISSIONS === "0") return null;
+  if (!cachedPermissionRuntime) cachedPermissionRuntime = createPermissionRuntime();
+  return cachedPermissionRuntime;
+}
 
 function fsLoaderPlugin() {
+  const compilerMode = (process.env.FASTSCRIPT_COMPILER_MODE || "strict").toLowerCase() === "lenient" ? "lenient" : "strict";
   return {
     name: "fastscript-fs-loader",
     setup(build) {
       build.onLoad({ filter: /\.fs$/ }, async (args) => {
         const { readFile } = await import("node:fs/promises");
         const raw = await readFile(args.path, "utf8");
-        const result = normalizeFastScriptWithTelemetry(raw, { filename: args.path, strict: false });
-        const hardErrors = result.diagnostics.filter((diag) => diag.severity === "error");
-        if (hardErrors.length > 0) {
-          throw createFastScriptDiagnosticError(hardErrors, { filename: args.path });
-        }
-        return { contents: result.code, loader: "js" };
+        assertFastScript(raw, { file: args.path, mode: compilerMode });
+        return {
+          contents: normalizeFastScript(raw, { file: args.path, mode: compilerMode, sourceMap: "inline" }),
+          loader: "js",
+        };
       });
     },
   };
@@ -26,6 +33,8 @@ function fsLoaderPlugin() {
 
 export async function importSourceModule(filePath, { platform = "node" } = {}) {
   const ext = extname(filePath).toLowerCase();
+  const permissionRuntime = getPermissionRuntime();
+  permissionRuntime?.assert({ kind: "dynamicImportAccess", resource: filePath, details: { platform } });
   if (ext !== ".fs") {
     return import(`${pathToFileURL(filePath).href}?t=${Date.now()}`);
   }
@@ -41,7 +50,9 @@ export async function importSourceModule(filePath, { platform = "node" } = {}) {
     plugins: [fsLoaderPlugin()],
     loader: { ".fs": "js" },
   });
+
   const code = result.outputFiles[0].text;
   const dataUrl = `data:text/javascript;base64,${Buffer.from(code).toString("base64")}`;
+  permissionRuntime?.assert({ kind: "dynamicImportAccess", resource: dataUrl, details: { platform, source: filePath } });
   return import(dataUrl);
 }

package/src/oauth-providers.mjs

@@ -0,0 +1,103 @@
+import { buildOAuthAuthorizeUrl, createOAuthState } from "./auth-flows.mjs";
+
+const PROVIDERS = {
+  github: {
+    name: "GitHub",
+    authorizeUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    userUrl: "https://api.github.com/user",
+    scope: "read:user user:email",
+  },
+  google: {
+    name: "Google",
+    authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    userUrl: "https://www.googleapis.com/oauth2/v3/userinfo",
+    scope: "openid email profile",
+  },
+  microsoft: {
+    name: "Microsoft",
+    authorizeUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+    tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+    userUrl: "https://graph.microsoft.com/v1.0/me",
+    scope: "openid profile email User.Read",
+  },
+};
+
+export function listAuthProviders() {
+  return Object.keys(PROVIDERS);
+}
+
+export function getAuthProvider(name) {
+  const key = String(name || "").toLowerCase();
+  const provider = PROVIDERS[key];
+  if (!provider) {
+    const error = new Error(`Unknown OAuth provider: ${name}`);
+    error.status = 400;
+    throw error;
+  }
+  return { id: key, ...provider };
+}
+
+export function createOAuthAdapter(name, {
+  clientId = process.env[`${String(name || "").toUpperCase()}_CLIENT_ID`],
+  clientSecret = process.env[`${String(name || "").toUpperCase()}_CLIENT_SECRET`],
+  redirectUri = process.env[`${String(name || "").toUpperCase()}_REDIRECT_URI`],
+} = {}) {
+  const provider = getAuthProvider(name);
+  return {
+    ...provider,
+    clientId,
+    clientSecret,
+    redirectUri,
+    authorizeUrl({ state = createOAuthState(), scope = provider.scope } = {}) {
+      return {
+        state,
+        url: buildOAuthAuthorizeUrl({
+          authorizeUrl: provider.authorizeUrl,
+          clientId,
+          redirectUri,
+          scope,
+          state,
+        }),
+      };
+    },
+    async exchangeCode(code) {
+      const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        client_id: clientId,
+        client_secret: clientSecret,
+        redirect_uri: redirectUri,
+      });
+      const response = await fetch(provider.tokenUrl, {
+        method: "POST",
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          accept: "application/json",
+        },
+        body,
+      });
+      if (!response.ok) {
+        const error = new Error(`OAuth token exchange failed (${response.status})`);
+        error.status = 502;
+        throw error;
+      }
+      return response.json();
+    },
+    async fetchUser(accessToken) {
+      const response = await fetch(provider.userUrl, {
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          accept: "application/json",
+        },
+      });
+      if (!response.ok) {
+        const error = new Error(`OAuth user fetch failed (${response.status})`);
+        error.status = 502;
+        throw error;
+      }
+      return response.json();
+    },
+  };
+}

package/src/permissions-cli.mjs

@@ -0,0 +1,112 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { dirname, relative, resolve } from "node:path";
+import { createPermissionRuntime } from "./runtime-permissions.mjs";
+
+function normalize(path) {
+  return String(path || "").replace(/\\/g, "/");
+}
+
+function parseArgs(args = []) {
+  const options = {
+    policy: process.env.FASTSCRIPT_PERMISSION_POLICY_PATH || "fastscript.permissions.json",
+    mode: "report",
+    kind: "",
+    resource: "",
+    out: "",
+    json: false,
+  };
+
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = args[i];
+    if (arg === "--policy") {
+      options.policy = args[i + 1] || options.policy;
+      i += 1;
+      continue;
+    }
+    if (arg === "--mode") {
+      const next = String(args[i + 1] || "report").toLowerCase();
+      options.mode = next === "assert" ? "assert" : "report";
+      i += 1;
+      continue;
+    }
+    if (arg === "--kind") {
+      options.kind = String(args[i + 1] || "");
+      i += 1;
+      continue;
+    }
+    if (arg === "--resource") {
+      options.resource = String(args[i + 1] || "");
+      i += 1;
+      continue;
+    }
+    if (arg === "--out") {
+      options.out = resolve(args[i + 1] || "");
+      i += 1;
+      continue;
+    }
+    if (arg === "--json") {
+      options.json = true;
+      continue;
+    }
+  }
+
+  return options;
+}
+
+function summarizePolicy(policyRuntime) {
+  const policy = policyRuntime.policy;
+  return {
+    policyPath: normalize(relative(resolve("."), policyRuntime.policyPath)),
+    preset: policy.preset,
+    boundaries: {
+      fileAccess: policy.fileAccess.mode,
+      envAccess: policy.envAccess.mode,
+      networkAccess: policy.networkAccess.mode,
+      subprocessExecution: policy.subprocessExecution.mode,
+      dynamicImports: policy.dynamicImports.mode,
+      pluginAccess: policy.pluginAccess.mode,
+    },
+  };
+}
+
+export async function runPermissions(args = []) {
+  const options = parseArgs(args);
+  const runtime = createPermissionRuntime({ policyPath: options.policy });
+
+  const summary = summarizePolicy(runtime);
+  let decision = null;
+
+  if (options.kind && options.resource) {
+    if (options.mode === "assert") {
+      decision = runtime.assert({ kind: options.kind, resource: options.resource });
+    } else {
+      decision = runtime.check({ kind: options.kind, resource: options.resource });
+    }
+  }
+
+  const report = {
+    generatedAt: new Date().toISOString(),
+    summary,
+    decision,
+  };
+
+  if (options.out) {
+    mkdirSync(dirname(options.out), { recursive: true });
+    writeFileSync(options.out, `${JSON.stringify(report, null, 2)}\n`, "utf8");
+  }
+
+  if (options.json) {
+    console.log(JSON.stringify(report, null, 2));
+    return;
+  }
+
+  console.log(`permissions policy: ${summary.policyPath}`);
+  console.log(`preset: ${summary.preset}`);
+  for (const [boundary, mode] of Object.entries(summary.boundaries)) {
+    console.log(`${boundary}: ${mode}`);
+  }
+  if (decision) {
+    console.log(`decision: ${decision.allowed ? "allow" : "deny"} (${decision.boundary})`);
+    console.log(`reason: ${decision.reason}`);
+  }
+}

package/src/plugins.mjs

@@ -0,0 +1,194 @@
+import { existsSync } from "node:fs";
+import { extname, join, resolve } from "node:path";
+import { pathToFileURL } from "node:url";
+import { importSourceModule } from "./module-loader.mjs";
+
+export const PLUGIN_API_VERSION = 1;
+const DEFAULT_PLUGIN_TIMEOUT_MS = Number(process.env.PLUGIN_TIMEOUT_MS || 2500);
+
+const CONFIG_CANDIDATES = [
+  "fastscript.plugins.fs",
+  "fastscript.plugins.js",
+  "fastscript.plugins.mjs",
+  "fastscript.plugins.cjs",
+  "app/plugins.fs",
+  "app/plugins.js",
+  "app/plugins.mjs",
+  "app/plugins.cjs",
+];
+
+function asArray(value) {
+  if (!value) return [];
+  return Array.isArray(value) ? value : [value];
+}
+
+function createNullLogger() {
+  return {
+    info() {},
+    warn() {},
+    error() {},
+  };
+}
+
+function withTimeout(task, ms, label) {
+  if (!Number.isFinite(ms) || ms <= 0) return task;
+  let timer = null;
+  const timeout = new Promise((_, reject) => {
+    timer = setTimeout(() => {
+      const error = new Error(`Plugin hook timeout (${ms}ms): ${label}`);
+      error.code = "PLUGIN_HOOK_TIMEOUT";
+      reject(error);
+    }, ms);
+  });
+  return Promise.race([task.finally(() => clearTimeout(timer)), timeout]);
+}
+
+async function importPluginModule(file) {
+  const abs = resolve(file);
+  const ext = extname(abs).toLowerCase();
+  if (ext === ".fs") return importSourceModule(abs, { platform: "node" });
+  return import(`${pathToFileURL(abs).href}?t=${Date.now()}`);
+}
+
+function normalizePluginEntries(mod) {
+  const entries = [];
+  entries.push(...asArray(mod?.plugins));
+  entries.push(...asArray(mod?.default));
+  return entries;
+}
+
+function normalizePlugin(raw, fallbackName) {
+  if (!raw) return null;
+  if (typeof raw === "function") {
+    return { name: fallbackName, apiVersion: PLUGIN_API_VERSION, setup: raw };
+  }
+  if (typeof raw !== "object") return null;
+  const setup = typeof raw.setup === "function" ? raw.setup : null;
+  const plugin = {
+    name: raw.name || fallbackName,
+    apiVersion: Number.isInteger(raw.apiVersion) ? raw.apiVersion : PLUGIN_API_VERSION,
+    setup,
+  };
+  if (typeof raw.middleware === "function") plugin.middleware = raw.middleware;
+  if (typeof raw.onBuildStart === "function") plugin.onBuildStart = raw.onBuildStart;
+  if (typeof raw.onBuildEnd === "function") plugin.onBuildEnd = raw.onBuildEnd;
+  if (typeof raw.onRequestStart === "function") plugin.onRequestStart = raw.onRequestStart;
+  if (typeof raw.onRequestEnd === "function") plugin.onRequestEnd = raw.onRequestEnd;
+  return plugin;
+}
+
+function createRegistry() {
+  return {
+    middleware: [],
+    onBuildStart: [],
+    onBuildEnd: [],
+    onRequestStart: [],
+    onRequestEnd: [],
+  };
+}
+
+async function runHookList(hooks, ctx, logger, stage) {
+  for (const hook of hooks) {
+    const label = `${hook.plugin}:${stage}`;
+    try {
+      await withTimeout(Promise.resolve(hook.fn(ctx)), hook.timeoutMs ?? DEFAULT_PLUGIN_TIMEOUT_MS, label);
+    } catch (error) {
+      logger.warn("plugin_hook_failed", {
+        plugin: hook.plugin,
+        stage,
+        error: error?.message || String(error),
+      });
+    }
+  }
+}
+
+function createHookApi(registry, pluginName) {
+  return {
+    middleware(fn, opts = {}) {
+      if (typeof fn !== "function") return;
+      registry.middleware.push({ plugin: pluginName, fn, timeoutMs: opts.timeoutMs });
+    },
+    onBuildStart(fn, opts = {}) {
+      if (typeof fn !== "function") return;
+      registry.onBuildStart.push({ plugin: pluginName, fn, timeoutMs: opts.timeoutMs });
+    },
+    onBuildEnd(fn, opts = {}) {
+      if (typeof fn !== "function") return;
+      registry.onBuildEnd.push({ plugin: pluginName, fn, timeoutMs: opts.timeoutMs });
+    },
+    onRequestStart(fn, opts = {}) {
+      if (typeof fn !== "function") return;
+      registry.onRequestStart.push({ plugin: pluginName, fn, timeoutMs: opts.timeoutMs });
+    },
+    onRequestEnd(fn, opts = {}) {
+      if (typeof fn !== "function") return;
+      registry.onRequestEnd.push({ plugin: pluginName, fn, timeoutMs: opts.timeoutMs });
+    },
+  };
+}
+
+function configFiles(root) {
+  return CONFIG_CANDIDATES.map((file) => join(root, file)).filter((p) => existsSync(p));
+}
+
+export async function createPluginRuntime({ root = process.cwd(), logger = createNullLogger() } = {}) {
+  const files = configFiles(root);
+  const registry = createRegistry();
+  const loaded = [];
+
+  for (const file of files) {
+    let mod;
+    try {
+      mod = await importPluginModule(file);
+    } catch (error) {
+      logger.warn("plugin_module_load_failed", { file, error: error?.message || String(error) });
+      continue;
+    }
+    const rawEntries = normalizePluginEntries(mod);
+    rawEntries.forEach((raw, idx) => {
+      const plugin = normalizePlugin(raw, `${file}#${idx + 1}`);
+      if (!plugin) return;
+      if (plugin.apiVersion !== PLUGIN_API_VERSION) {
+        logger.warn("plugin_api_version_mismatch", {
+          plugin: plugin.name,
+          expected: PLUGIN_API_VERSION,
+          received: plugin.apiVersion,
+        });
+        return;
+      }
+
+      const hooks = createHookApi(registry, plugin.name);
+      try {
+        if (plugin.middleware) hooks.middleware(plugin.middleware);
+        if (plugin.onBuildStart) hooks.onBuildStart(plugin.onBuildStart);
+        if (plugin.onBuildEnd) hooks.onBuildEnd(plugin.onBuildEnd);
+        if (plugin.onRequestStart) hooks.onRequestStart(plugin.onRequestStart);
+        if (plugin.onRequestEnd) hooks.onRequestEnd(plugin.onRequestEnd);
+        if (plugin.setup) plugin.setup({ hooks, apiVersion: PLUGIN_API_VERSION });
+        loaded.push({ name: plugin.name, file });
+      } catch (error) {
+        logger.warn("plugin_setup_failed", { plugin: plugin.name, file, error: error?.message || String(error) });
+      }
+    });
+  }
+
+  return {
+    apiVersion: PLUGIN_API_VERSION,
+    loaded,
+    middleware() {
+      return registry.middleware.map((row) => row.fn);
+    },
+    async onBuildStart(ctx = {}) {
+      await runHookList(registry.onBuildStart, ctx, logger, "onBuildStart");
+    },
+    async onBuildEnd(ctx = {}) {
+      await runHookList(registry.onBuildEnd, ctx, logger, "onBuildEnd");
+    },
+    async onRequestStart(ctx = {}) {
+      await runHookList(registry.onRequestStart, ctx, logger, "onRequestStart");
+    },
+    async onRequestEnd(ctx = {}) {
+      await runHookList(registry.onRequestEnd, ctx, logger, "onRequestEnd");
+    },
+  };
+}

package/src/profile.mjs

@@ -0,0 +1,95 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { dirname, relative, resolve } from "node:path";
+import { performance } from "node:perf_hooks";
+import { runBuild } from "./build.mjs";
+import { runTypeCheck } from "./typecheck.mjs";
+import { runBench } from "./bench.mjs";
+import { runCompat } from "./compat.mjs";
+
+function parseArgs(args = []) {
+  const options = {
+    command: "build",
+    runs: Math.max(1, Number(process.env.FASTSCRIPT_PROFILE_RUNS || 1)),
+    out: resolve(".fastscript", "profile-latest.json"),
+  };
+
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = args[i];
+    if (arg === "--command") {
+      options.command = String(args[i + 1] || options.command).toLowerCase();
+      i += 1;
+      continue;
+    }
+    if (arg === "--runs") {
+      options.runs = Math.max(1, Number(args[i + 1] || options.runs));
+      i += 1;
+      continue;
+    }
+    if (arg === "--out") {
+      options.out = resolve(args[i + 1] || options.out);
+      i += 1;
+      continue;
+    }
+  }
+
+  return options;
+}
+
+function createRunner(command) {
+  switch (command) {
+    case "build":
+      return () => runBuild({ mode: "build" });
+    case "typecheck":
+      return () => runTypeCheck(["--mode", "pass"]);
+    case "bench":
+      return () => runBench();
+    case "compat":
+      return () => runCompat();
+    default:
+      throw new Error(`profile: unsupported command '${command}'`);
+  }
+}
+
+export async function runProfile(args = []) {
+  const options = parseArgs(args);
+  const runner = createRunner(options.command);
+  const runs = [];
+
+  for (let i = 0; i < options.runs; i += 1) {
+    const rssBefore = process.memoryUsage().rss;
+    const t0 = performance.now();
+    await runner();
+    const t1 = performance.now();
+    const rssAfter = process.memoryUsage().rss;
+
+    runs.push({
+      run: i + 1,
+      ms: Number((t1 - t0).toFixed(2)),
+      rssBeforeMb: Number((rssBefore / (1024 * 1024)).toFixed(2)),
+      rssAfterMb: Number((rssAfter / (1024 * 1024)).toFixed(2)),
+      rssDeltaMb: Number(((rssAfter - rssBefore) / (1024 * 1024)).toFixed(2)),
+    });
+  }
+
+  const times = runs.map((row) => row.ms).sort((a, b) => a - b);
+  const mean = times.reduce((sum, value) => sum + value, 0) / Math.max(1, times.length);
+
+  const report = {
+    generatedAt: new Date().toISOString(),
+    command: options.command,
+    runs,
+    summary: {
+      count: runs.length,
+      minMs: times[0] || 0,
+      medianMs: times[Math.floor(times.length / 2)] || 0,
+      maxMs: times[times.length - 1] || 0,
+      meanMs: Number(mean.toFixed(2)),
+    },
+  };
+
+  mkdirSync(dirname(options.out), { recursive: true });
+  writeFileSync(options.out, `${JSON.stringify(report, null, 2)}\n`, "utf8");
+
+  console.log(`profile complete: command=${options.command}, runs=${runs.length}, mean=${report.summary.meanMs}ms`);
+  console.log(`profile report: ${String(relative(resolve("."), options.out)).replace(/\\/g, "/")}`);
+}