frappebun 0.0.0

package/README.md

@@ -0,0 +1,72 @@
+# frappebun 🍞⚡
+
+[![CI](https://github.com/netchampfaris/frappebun/actions/workflows/ci.yml/badge.svg)](https://github.com/netchampfaris/frappebun/actions/workflows/ci.yml)
+[![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/netchampfaris/7e5a601fde8a6df937135068d2195e70/raw/frappebun-coverage.json)](https://github.com/netchampfaris/frappebun/actions/workflows/ci.yml)
+
+## Quick Start
+
+```bash
+bun install frappebun
+
+frappe init todo
+```
+
+
+## Motivation
+
+I've been working with Frappe Framework for a long time. There is a lot I love about it — DocType-driven development, multi-tenancy, the idea that defining your data should give you most of what you need. But there's also a lot of baggage: Python, Redis, MariaDB, a hook system held together by strings, and an API surface that grew organically over many years without much care.
+
+This is my imagination of Frappe Framework if we designed it fresh today, with TypeScript and Bun, and design each API with taste and care.
+
+## The Core Idea
+
+**Define your data, get everything for free.**
+
+A single DocType definition should be enough to generate the database schema, REST API, forms, list views, permissions, and search — with little to no glue code. The framework should feel inevitable to read. Controllers should be pure logic. Imports should be minimal. There should be one obvious way to do each common thing.
+
+A Frappe developer should feel at home immediately. A non-Frappe developer should understand most files without reading docs.
+
+## Progress
+
+| Area | Status | Notes |
+|------|--------|-------|
+| Runtime & globals | ✅ Done | Bun HTTP server, `AsyncLocalStorage` context, ambient `frappe` global |
+| DocType definition | ✅ Done | `doctype()`, full field library, layout helpers |
+| Query builder | ✅ Done | Fluent `frappe.query()`, link-field dot-notation, filters |
+| Database | ✅ Done | `frappe.db.*` API, SQLite adapter |
+| Auth | ✅ Done | Session auth, `User` / `Session` DocTypes, API key auth |
+| Document CRUD | ✅ Done | Lifecycle hooks, validation, naming strategies |
+| REST API | ✅ Done | Opt-in `rest: true`, explicit `route()` registration |
+| Permissions | ✅ Done | Role-based, `scope()`, per-action checks |
+| App loading | ✅ Done | Auto-discovery, multi-site |
+| CLI | ✅ Done | `frappe init`, `frappe dev`, `frappe new-site`, `frappe migrate` |
+| Migrations | ✅ Done | Schema sync, data migrations, patch runner |
+| Frontend SSR (minimal) | 🔄 In progress | Basic Vue SSR, `<script context>`, hydration |
+| Hooks & extensions |  | App extension system, doc event listeners |
+| Background jobs |  | Job queue, scheduled tasks |
+| Frontend SSR (full) |  | File-based routing, full SSR pipeline |
+| Admin desk |  | Auto-generated forms and list views |
+| Frontend composables |  | `useDoc`, `useDocList`, realtime bindings |
+| Realtime |  | WebSocket pub/sub, document subscriptions |
+| Visual builder |  | Two-way `.ts` sync with a GUI DocType editor |
+| Email |  | Sending, templates, incoming email |
+| Files |  | Upload handling, S3/local adapters |
+
+## Why frappebun
+
+- **Fast** — Bun startup is near-instant, SQLite has no network hop, no Redis in the critical path
+- **One process** — HTTP, WebSocket, background jobs, and asset bundling in one `bun` process, no daemons
+- **Two file types** — `.ts` for server code and schema, `.vue` for UI; no Python, no Jinja, no `requirements.txt`
+- **SQLite by default** — no setup to start; switch to Postgres when you need it
+- **Single app per project** — one project, one app, one namespace; no multi-app overhead
+- **Auto-migration in dev** — add a field, save, it's in the database; no `bench migrate` in dev
+- **Ambient globals** — `frappe`, `doctype`, `controller`, `field` are global; controllers have zero imports
+- **Schema and logic are separate** — `doctype()` files are restricted to literals and field helpers; no logic leaks in
+- **Typed hooks** — hooks are typed function references, not strings; your editor can navigate and refactor them
+- **TypeScript end-to-end** — one language across server, schema, and frontend
+
+## Start Here
+
+- **[spec/goals.md](./spec/goals.md)** — Product direction, philosophy, and design taste
+- **[spec/api-reference.md](./spec/api-reference.md)** — The intended `frappe` API surface
+- **[spec/spec-plan.md](./spec/spec-plan.md)** — Spec index, layered plan, and build order

package/package.json

@@ -0,0 +1,59 @@
+{
+  "name": "frappebun",
+  "version": "0.0.0",
+  "description": "A clean, TypeScript-native Frappe-style framework for Bun",
+  "keywords": [
+    "frappe",
+    "bun",
+    "framework",
+    "typescript",
+    "sqlite"
+  ],
+  "homepage": "https://github.com/netchampfaris/frappebun",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/netchampfaris/frappebun.git"
+  },
+  "license": "MIT",
+  "engines": {
+    "bun": ">=1.0.0"
+  },
+  "bin": {
+    "frappe": "src/cli/bin.ts"
+  },
+  "main": "src/index.ts",
+  "types": "src/frappe.d.ts",
+  "exports": {
+    ".": "./src/index.ts",
+    "./cli": "./src/cli/index.ts"
+  },
+  "files": [
+    "src/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "prepare": "git config core.hooksPath .githooks",
+    "prepublishOnly": "bun run check && bun test",
+    "test": "bun test",
+    "test:coverage": "bun test --coverage",
+    "lint": "oxlint src tests",
+    "lint:fix": "oxlint src tests --fix",
+    "format": "oxfmt src tests",
+    "format:check": "oxfmt src tests --check",
+    "check": "bun run lint && bun run format:check"
+  },
+  "dependencies": {
+    "@vue/compiler-sfc": "^3.5.32",
+    "@vue/server-renderer": "^3.5.32",
+    "vue": "^3.5.32"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "oxfmt": "^0.43.0",
+    "oxlint": "^1.58.0"
+  },
+  "peerDependencies": {
+    "typescript": "^5.0.0"
+  }
+}

package/src/api/auth.ts

@@ -0,0 +1,76 @@
+/**
+ * /api/auth — login, logout, and CSRF token endpoints.
+ */
+
+import { contextStore } from "../context"
+import { response } from "../response"
+import { route } from "./route"
+
+// POST /api/auth/login
+export const login = route({
+  path: "/api/auth/login",
+  auth: "public",
+  method: "POST",
+  async handler({ email, password }: { email?: unknown; password?: unknown }) {
+    if (!email || !password) return response.error("email and password are required", 400)
+
+    const ctx = contextStore.getStore()!
+    const { login: loginFn } = await import("../auth/auth")
+    const result = await loginFn(String(email), String(password), ctx.db, ctx.request)
+
+    if (!result) return response.unauthorized("Invalid email or password")
+
+    // Return Response directly to control the Set-Cookie header
+    return new Response(
+      JSON.stringify({ user: result.user, fullName: result.fullName, csrfToken: result.csrfToken }),
+      { status: 200, headers: { "Content-Type": "application/json", "Set-Cookie": result.cookie } },
+    )
+  },
+})
+
+// POST /api/auth/logout
+export const logout = route({
+  path: "/api/auth/logout",
+  auth: "public",
+  method: "POST",
+  async handler() {
+    const ctx = contextStore.getStore()!
+    const req = ctx.request
+
+    if (req) {
+      const sid = parseCookie(req.headers.get("Cookie") ?? "", "sid")
+      if (sid) {
+        const { logout: logoutFn } = await import("../auth/auth")
+        const clearCookie = await logoutFn(sid, ctx.db)
+        // Return Response directly to control the Set-Cookie header
+        return new Response(JSON.stringify({ message: "Logged out" }), {
+          status: 200,
+          headers: { "Content-Type": "application/json", "Set-Cookie": clearCookie },
+        })
+      }
+    }
+
+    return response.ok({ message: "Logged out" })
+  },
+})
+
+// GET /api/auth/csrf
+export const csrf = route({
+  path: "/api/auth/csrf",
+  auth: "public",
+  method: "GET",
+  async handler() {
+    const ctx = contextStore.getStore()
+    return response.ok({ csrfToken: ctx?.session.csrfToken ?? null })
+  },
+})
+
+// ─── helpers ──────────────────────────────────────────────
+
+function parseCookie(header: string, name: string): string | undefined {
+  for (const part of header.split(";")) {
+    const eq = part.indexOf("=")
+    if (eq === -1) continue
+    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim()
+  }
+}

package/src/api/index.ts

@@ -0,0 +1,10 @@
+export {
+  route,
+  isRouteDefinition,
+  inferMethod,
+  camelToKebab,
+  resolveRoutePath,
+  invokeRoute,
+  routeRegistry,
+} from "./route"
+export type { RouteConfig, RouteDefinition, AuthMode, HttpMethod, RouteHandler } from "./route"

package/src/api/resource.ts

@@ -0,0 +1,177 @@
+/**
+ * /api/resource — auto-generated DocType REST CRUD.
+ *
+ * One route() export per operation.  The server dispatcher selects the right
+ * one based on HTTP method and URL shape, then calls invokeRoute() with the
+ * extracted path params ({ doctype, name }).
+ *
+ * All resource endpoints require authentication (auth: "required").
+ * For public/guest access to a DocType, write an explicit route() endpoint
+ * with auth: "public" in your app's api/ directory.
+ */
+
+import { contextStore } from "../context"
+import { getDocTypeMeta } from "../doctype/registry"
+import type { Dict, FilterInput, RestConfig } from "../doctype/types"
+import { hasRolePermission } from "../permissions"
+import { response } from "../response"
+import { route } from "./route"
+
+// ─── REST flag ────────────────────────────────────────────
+
+type RestOp = "list" | "read" | "create" | "update" | "delete" | "submit" | "cancel"
+
+function isRestEnabled(doctype: string, op: RestOp): boolean {
+  const rest = getDocTypeMeta(doctype)?.schema.rest
+  if (!rest) return false
+  if (rest === true) return true
+  return (rest as RestConfig)[op] === true
+}
+
+// ─── Shared access guard ──────────────────────────────────
+
+function deny(doctype: string, op: RestOp): Response | null {
+  if (!isRestEnabled(doctype, op))
+    return response.forbidden(`REST ${op} not enabled for ${doctype}`)
+  const ctx = contextStore.getStore()!
+  const permAction = op === "list" || op === "read" ? "read" : op === "update" ? "write" : op
+  if (!hasRolePermission(doctype, permAction, ctx.user, ctx.db, ctx)) return response.forbidden()
+  return null
+}
+
+// ─── GET /api/resource/:doctype ───────────────────────────
+
+export const list = route({
+  path: "/api/resource/:doctype",
+  auth: "required",
+  method: "GET",
+  async handler({
+    doctype,
+    filters,
+    fields,
+    order_by,
+    limit,
+    offset,
+  }: {
+    doctype: string
+    filters?: string
+    fields?: string
+    order_by?: string
+    limit?: string
+    offset?: string
+  }) {
+    const err = deny(doctype, "list")
+    if (err) return err
+
+    const ctx = contextStore.getStore()!
+    const rows = await ctx.getList(doctype, {
+      filters: filters ? (JSON.parse(filters) as FilterInput) : undefined,
+      fields: fields ? (JSON.parse(fields) as string[]) : ["name"],
+      orderBy: order_by,
+      limit: limit ? parseInt(limit) : 20,
+      offset: offset ? parseInt(offset) : 0,
+    })
+    return response.ok(rows)
+  },
+})
+
+// ─── GET /api/resource/:doctype/:name ─────────────────────
+
+export const read = route({
+  path: "/api/resource/:doctype/:name",
+  auth: "required",
+  method: "GET",
+  async handler({ doctype, name }: { doctype: string; name: string }) {
+    const err = deny(doctype, "read")
+    if (err) return err
+
+    const doc = await contextStore.getStore()!.getDoc(doctype, name)
+    return response.ok(doc.asDict())
+  },
+})
+
+// ─── POST /api/resource/:doctype ──────────────────────────
+
+export const create = route({
+  path: "/api/resource/:doctype",
+  auth: "required",
+  method: "POST",
+  async handler({ doctype, ...body }: { doctype: string } & Dict) {
+    const err = deny(doctype, "create")
+    if (err) return err
+
+    const doc = contextStore.getStore()!.newDoc(doctype, body as Dict)
+    await doc.insert()
+    return response.created(doc.asDict())
+  },
+})
+
+// ─── PUT /api/resource/:doctype/:name ─────────────────────
+
+export const update = route({
+  path: "/api/resource/:doctype/:name",
+  auth: "required",
+  method: "PUT",
+  async handler({ doctype, name, ...body }: { doctype: string; name: string } & Dict) {
+    const err = deny(doctype, "update")
+    if (err) return err
+
+    const ctx = contextStore.getStore()!
+    const doc = await ctx.getDoc(doctype, name)
+    for (const [k, v] of Object.entries(body)) {
+      if (k !== "doctype") doc.set(k, v)
+    }
+    await doc.save()
+    return response.ok(doc.asDict())
+  },
+})
+
+// ─── DELETE /api/resource/:doctype/:name ──────────────────
+
+export const remove = route({
+  path: "/api/resource/:doctype/:name",
+  auth: "required",
+  method: "DELETE",
+  async handler({ doctype, name }: { doctype: string; name: string }) {
+    const err = deny(doctype, "delete")
+    if (err) return err
+
+    await contextStore.getStore()!.deleteDoc(doctype, name)
+    return response.ok({ message: "ok" })
+  },
+})
+
+// ─── POST /api/resource/:doctype/:name/submit ─────────────
+
+export const submit = route({
+  path: "/api/resource/:doctype/:name/submit",
+  auth: "required",
+  method: "POST",
+  async handler({ doctype, name }: { doctype: string; name: string }) {
+    const err = deny(doctype, "submit")
+    if (err) return err
+
+    const doc = await contextStore.getStore()!.getDoc(doctype, name)
+    await doc.submit()
+    return response.ok(doc.asDict())
+  },
+})
+
+// ─── POST /api/resource/:doctype/:name/cancel ─────────────
+
+export const cancel = route({
+  path: "/api/resource/:doctype/:name/cancel",
+  auth: "required",
+  method: "POST",
+  async handler({ doctype, name }: { doctype: string; name: string }) {
+    const err = deny(doctype, "cancel")
+    if (err) return err
+
+    const doc = await contextStore.getStore()!.getDoc(doctype, name)
+    await doc.cancel()
+    return response.ok(doc.asDict())
+  },
+})
+
+// ─── helpers ──────────────────────────────────────────────
+// resource.ts has no local helpers — all response construction uses frappe.response