millas 0.2.13 → 0.2.14

package/src/encryption/Encrypter.js

@@ -0,0 +1,381 @@
+'use strict';
+
+const crypto = require('crypto');
+
+// ── Supported ciphers ─────────────────────────────────────────────────────────
+
+const CIPHER_CONFIG = {
+  'AES-128-CBC': { keyBytes: 16, ivBytes: 16 },
+  'AES-256-CBC': { keyBytes: 32, ivBytes: 16 },
+  'AES-128-GCM': { keyBytes: 16, ivBytes: 12, gcm: true },
+  'AES-256-GCM': { keyBytes: 32, ivBytes: 12, gcm: true },
+};
+
+// ── EncryptionError ───────────────────────────────────────────────────────────
+
+class EncryptionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'EncryptionError';
+  }
+}
+
+class DecryptionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'DecryptionError';
+  }
+}
+
+// ── Encrypter ─────────────────────────────────────────────────────────────────
+
+/**
+ * Encrypter
+ *
+ * Laravel-style AES encryption service.
+ * Registered in the container as 'encrypter'.
+ * Access via the Encrypt facade — never instantiate directly.
+ *
+ * ── How it works ─────────────────────────────────────────────────────────────
+ *
+ * Every encrypted payload is a base64-encoded JSON object:
+ *
+ *   {
+ *     iv:  "<base64 iv>",
+ *     val: "<base64 ciphertext>",
+ *     mac: "<hex HMAC-SHA256>",       // CBC only
+ *     tag: "<base64 auth tag>",       // GCM only
+ *     ser: true                       // if value was JSON-serialised
+ *   }
+ *
+ * The MAC (CBC) or auth tag (GCM) prevents tampered payloads from decrypting.
+ *
+ * ── Usage ─────────────────────────────────────────────────────────────────────
+ *
+ *   const { Encrypt } = require('millas/facades/Encrypt');
+ *
+ *   // Encrypt any JS value (objects, arrays, strings, numbers)
+ *   const token = Encrypt.encrypt({ userId: 1, role: 'admin' });
+ *
+ *   // Decrypt back
+ *   const payload = Encrypt.decrypt(token);
+ *   // → { userId: 1, role: 'admin' }
+ *
+ *   // Encrypt a raw string — skips JSON serialisation
+ *   const raw = Encrypt.encryptString('hello');
+ *   const str = Encrypt.decryptString(raw);  // → 'hello'
+ *
+ *   // Key introspection
+ *   Encrypt.supported('my-key', 'AES-256-CBC');   // → true / false
+ *   Encrypt.getKey();     // → Buffer
+ *   Encrypt.getCipher();  // → 'AES-256-CBC'
+ */
+class Encrypter {
+  /**
+   * @param {string|Buffer} key    — raw key (use generateKey() to create one)
+   * @param {string}        cipher — 'AES-128-CBC' | 'AES-256-CBC' | 'AES-128-GCM' | 'AES-256-GCM'
+   */
+  constructor(key, cipher = 'AES-256-CBC') {
+    const cipherUpper = cipher.toUpperCase();
+    const config      = CIPHER_CONFIG[cipherUpper];
+
+    if (!config) {
+      throw new EncryptionError(
+        `[Encrypt] Unsupported cipher "${cipher}". ` +
+        `Supported: ${Object.keys(CIPHER_CONFIG).join(', ')}.`
+      );
+    }
+
+    const keyBuf = typeof key === 'string' ? Buffer.from(key, 'base64') : key;
+
+    if (keyBuf.length !== config.keyBytes) {
+      throw new EncryptionError(
+        `[Encrypt] Invalid key length for ${cipherUpper}. ` +
+        `Expected ${config.keyBytes} bytes, got ${keyBuf.length}. ` +
+        `Use Encrypter.generateKey('${cipherUpper}') to create a valid key.`
+      );
+    }
+
+    this._key    = keyBuf;
+    this._cipher = cipherUpper;
+    this._config = config;
+  }
+
+  // ── Core ───────────────────────────────────────────────────────────────────
+
+  /**
+   * Encrypt a value (any JSON-serialisable type).
+   * Returns a base64-encoded payload string.
+   *
+   *   Encrypt.encrypt({ userId: 1 })
+   *   Encrypt.encrypt([1, 2, 3])
+   *   Encrypt.encrypt('hello')
+   *   Encrypt.encrypt(42)
+   */
+  encrypt(value) {
+    return this._encrypt(JSON.stringify(value), true);
+  }
+
+  /**
+   * Encrypt a raw string without JSON serialisation.
+   * Use when you need deterministic round-tripping of plain strings.
+   *
+   *   Encrypt.encryptString('secret-token')
+   */
+  encryptString(value) {
+    return this._encrypt(String(value), false);
+  }
+
+  /**
+   * Decrypt a payload produced by encrypt().
+   * Deserialises the JSON value back to the original type.
+   *
+   *   const obj = Encrypt.decrypt(token);  // → original object / array / primitive
+   */
+  decrypt(payload) {
+    const raw = this._decrypt(payload);
+    try {
+      return JSON.parse(raw);
+    } catch {
+      throw new DecryptionError('[Encrypt] Failed to deserialise decrypted value.');
+    }
+  }
+
+  /**
+   * Decrypt a payload produced by encryptString().
+   * Returns a plain string.
+   *
+   *   const str = Encrypt.decryptString(token);
+   */
+  decryptString(payload) {
+    return this._decrypt(payload);
+  }
+
+  // ── Key / cipher info ──────────────────────────────────────────────────────
+
+  /**
+   * Return the raw key as a Buffer.
+   */
+  getKey() {
+    return Buffer.from(this._key);
+  }
+
+  /**
+   * Return the cipher name (e.g. 'AES-256-CBC').
+   */
+  getCipher() {
+    return this._cipher;
+  }
+
+  /**
+   * Check whether a given key + cipher combination is supported and valid.
+   *
+   *   Encrypter.supported(myKey, 'AES-256-CBC')  → true / false
+   *
+   * @param {string|Buffer} key
+   * @param {string}        cipher
+   * @returns {boolean}
+   */
+  static supported(key, cipher) {
+    try {
+      const config = CIPHER_CONFIG[(cipher || '').toUpperCase()];
+      if (!config) return false;
+      const keyBuf = typeof key === 'string' ? Buffer.from(key, 'base64') : key;
+      return keyBuf.length === config.keyBytes;
+    } catch {
+      return false;
+    }
+  }
+
+  // ── Key generation ─────────────────────────────────────────────────────────
+
+  /**
+   * Generate a cryptographically random key for the given cipher.
+   * Returns a base64-encoded string — store this in your APP_KEY env var.
+   *
+   *   const key = Encrypter.generateKey('AES-256-CBC');
+   *   // → 'base64:...'
+   *
+   * @param {string} cipher
+   * @returns {string}
+   */
+  static generateKey(cipher = 'AES-256-CBC') {
+    const config = CIPHER_CONFIG[cipher.toUpperCase()];
+    if (!config) {
+      throw new EncryptionError(`[Encrypt] Unknown cipher "${cipher}".`);
+    }
+    return 'base64:' + crypto.randomBytes(config.keyBytes).toString('base64');
+  }
+
+  // ── Internal ───────────────────────────────────────────────────────────────
+
+  _encrypt(plaintext, serialised) {
+    const iv = crypto.randomBytes(this._config.ivBytes);
+
+    if (this._config.gcm) {
+      return this._encryptGcm(plaintext, iv, serialised);
+    }
+    return this._encryptCbc(plaintext, iv, serialised);
+  }
+
+  _encryptCbc(plaintext, iv, serialised) {
+    const cipher     = crypto.createCipheriv(this._cipher, this._key, iv);
+    const encrypted  = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const ivB64      = iv.toString('base64');
+    const valB64     = encrypted.toString('base64');
+    const mac        = this._computeMac(ivB64, valB64);
+
+    const payload = JSON.stringify({ iv: ivB64, val: valB64, mac, ser: serialised });
+    return Buffer.from(payload).toString('base64');
+  }
+
+  _encryptGcm(plaintext, iv, serialised) {
+    const cipher    = crypto.createCipheriv(this._cipher, this._key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag       = cipher.getAuthTag();
+    const ivB64     = iv.toString('base64');
+    const valB64    = encrypted.toString('base64');
+    const tagB64    = tag.toString('base64');
+
+    const payload = JSON.stringify({ iv: ivB64, val: valB64, tag: tagB64, ser: serialised });
+    return Buffer.from(payload).toString('base64');
+  }
+
+  _decrypt(token) {
+    // Decode and parse the envelope
+    let envelope;
+    try {
+      const json = Buffer.from(token, 'base64').toString('utf8');
+      envelope   = JSON.parse(json);
+    } catch {
+      throw new DecryptionError('[Encrypt] The payload is invalid — could not decode.');
+    }
+
+    if (!envelope || typeof envelope !== 'object') {
+      throw new DecryptionError('[Encrypt] The payload is invalid — unexpected structure.');
+    }
+
+    if (this._config.gcm) {
+      return this._decryptGcm(envelope);
+    }
+    return this._decryptCbc(envelope);
+  }
+
+  _decryptCbc(envelope) {
+    const { iv: ivB64, val: valB64, mac } = envelope;
+
+    if (!ivB64 || !valB64 || !mac) {
+      throw new DecryptionError('[Encrypt] The payload is missing required CBC fields (iv, val, mac).');
+    }
+
+    // Verify MAC before decrypting — prevents padding oracle attacks
+    const expectedMac = this._computeMac(ivB64, valB64);
+    if (!crypto.timingSafeEqual(Buffer.from(mac, 'hex'), Buffer.from(expectedMac, 'hex'))) {
+      throw new DecryptionError('[Encrypt] The MAC is invalid. The payload may have been tampered with.');
+    }
+
+    try {
+      const iv        = Buffer.from(ivB64, 'base64');
+      const encrypted = Buffer.from(valB64, 'base64');
+      const decipher  = crypto.createDecipheriv(this._cipher, this._key, iv);
+      return decipher.update(encrypted) + decipher.final('utf8');
+    } catch (err) {
+      throw new DecryptionError(`[Encrypt] Decryption failed: ${err.message}`);
+    }
+  }
+
+  _decryptGcm(envelope) {
+    const { iv: ivB64, val: valB64, tag: tagB64 } = envelope;
+
+    if (!ivB64 || !valB64 || !tagB64) {
+      throw new DecryptionError('[Encrypt] The payload is missing required GCM fields (iv, val, tag).');
+    }
+
+    try {
+      const iv        = Buffer.from(ivB64, 'base64');
+      const encrypted = Buffer.from(valB64, 'base64');
+      const tag       = Buffer.from(tagB64, 'base64');
+      const decipher  = crypto.createDecipheriv(this._cipher, this._key, iv);
+      decipher.setAuthTag(tag);
+      return decipher.update(encrypted) + decipher.final('utf8');
+    } catch (err) {
+      throw new DecryptionError(`[Encrypt] Decryption failed — GCM auth tag mismatch or corrupted payload.`);
+    }
+  }
+
+  _computeMac(iv, val) {
+    return crypto
+      .createHmac('sha256', this._key)
+      .update(iv + val)
+      .digest('hex');
+  }
+}
+
+// ── EncrypterManager ──────────────────────────────────────────────────────────
+
+/**
+ * EncrypterManager
+ *
+ * Container-registered service (bound as 'encrypter').
+ * Reads APP_KEY and MILLAS_CIPHER from the environment and
+ * delegates everything to the underlying Encrypter.
+ *
+ * ── Service provider registration ─────────────────────────────────────────────
+ *
+ *   container.singleton('encrypter', () => new EncrypterManager());
+ */
+class EncrypterManager {
+  constructor(config = {}) {
+    this._config   = config;
+    this._instance = null;
+  }
+
+  /**
+   * Resolve (and cache) the underlying Encrypter.
+   * Lazily created so APP_KEY can be set after the manager is instantiated.
+   */
+  _driver() {
+    if (this._instance) return this._instance;
+
+    let key    = this._config.key    || process.env.APP_KEY    || '';
+    const cipher = this._config.cipher || process.env.MILLAS_CIPHER || 'AES-256-CBC';
+
+    // Strip the 'base64:' prefix Laravel / Millas uses for generated keys
+    if (key.startsWith('base64:')) {
+      key = key.slice(7);
+    }
+
+    if (!key) {
+      throw new EncryptionError(
+        '[Encrypt] No application key set. ' +
+        'Set APP_KEY in your .env file. ' +
+        'Generate one with: Encrypter.generateKey(\'AES-256-CBC\')'
+      );
+    }
+
+    this._instance = new Encrypter(key, cipher);
+    return this._instance;
+  }
+
+  // ── Delegated API ──────────────────────────────────────────────────────────
+
+  encrypt(value)             { return this._driver().encrypt(value); }
+  encryptString(value)       { return this._driver().encryptString(value); }
+  decrypt(payload)           { return this._driver().decrypt(payload); }
+  decryptString(payload)     { return this._driver().decryptString(payload); }
+  getKey()                   { return this._driver().getKey(); }
+  getCipher()                { return this._driver().getCipher(); }
+
+  // ── Static passthroughs ───────────────────────────────────────────────────
+
+  static supported(key, cipher) { return Encrypter.supported(key, cipher); }
+  static generateKey(cipher)    { return Encrypter.generateKey(cipher); }
+}
+
+// ── Exports ───────────────────────────────────────────────────────────────────
+
+module.exports               = new EncrypterManager();
+module.exports.Encrypter     = Encrypter;
+module.exports.EncrypterManager = EncrypterManager;
+module.exports.EncryptionError  = EncryptionError;
+module.exports.DecryptionError  = DecryptionError;

package/src/facades/Auth.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const { createFacade } = require('./Facade');
-const { AuthUser, Hasher, JwtDriver, AuthMiddleware, RoleMiddleware, AuthController, AuthServiceProvider } = require('../core');
+// const { AuthUser, Hasher, JwtDriver, AuthMiddleware, RoleMiddleware, AuthController, AuthServiceProvider } = require('../core');
 
 /**
  * Auth facade.
@@ -9,9 +9,12 @@ const { AuthUser, Hasher, JwtDriver, AuthMiddleware, RoleMiddleware, AuthControl
  * @class
  * @property {function(object): Promise<object>}                             register
  * @property {function(string, string): Promise<{user, token, refreshToken}>} login
+ * @property {function(string, string): Promise<object|null>}                attempt
  * @property {function(string): object}                                      verify
  * @property {function(object): Promise<object|null>}                        user
  * @property {function(object): Promise<object>}                             userOrFail
+ * @property {function(object, string): Promise<void>}                       revokeToken
+ * @property {function(string): boolean}                                     isRevoked
  * @property {function(string, string): Promise<boolean>}                    checkPassword
  * @property {function(string): Promise<string>}                             hashPassword
  * @property {function(object, object=): string}                             issueToken
@@ -26,4 +29,4 @@ const { AuthUser, Hasher, JwtDriver, AuthMiddleware, RoleMiddleware, AuthControl
  */
 class Auth extends createFacade('auth') {}
 
-module.exports = { Auth, AuthUser, Hasher, JwtDriver, AuthMiddleware, RoleMiddleware, AuthController, AuthServiceProvider };
+module.exports = Auth

package/src/facades/Crypt.js

@@ -0,0 +1,166 @@
+'use strict';
+
+const { createFacade }                              = require('./Facade');
+const { Encrypter, EncrypterManager,
+        EncryptionError, DecryptionError }          = require('../encryption/Encrypter');
+
+/**
+ * Crypt facade — Laravel-style AES encryption.
+ *
+ * Resolved from the DI container as 'encrypter'.
+ * Identical in behaviour to the Encrypt facade — exists so that developers
+ * familiar with Laravel can use the name they already know.
+ *
+ * @class
+ *
+ * ── Core ──────────────────────────────────────────────────────────────────────
+ * @property {function(*): string}           encrypt
+ *   Encrypt any JSON-serialisable value (object, array, string, number, boolean).
+ *   Returns a base64-encoded ciphertext payload.
+ *
+ *     const token = Crypt.encrypt({ userId: 1, role: 'admin' });
+ *     const token = Crypt.encrypt('hello');
+ *     const token = Crypt.encrypt(42);
+ *
+ * @property {function(string): string}      encryptString
+ *   Encrypt a raw string without JSON serialisation.
+ *   Use for tokens, IDs, or any value you know is a string.
+ *
+ *     const token = Crypt.encryptString('reset-token-abc');
+ *
+ * @property {function(string): *}           decrypt
+ *   Decrypt a payload produced by encrypt().
+ *   Automatically deserialises JSON back to the original type.
+ *   Throws DecryptionError if the payload is invalid or tampered.
+ *
+ *     const payload = Crypt.decrypt(token);  // → original object / value
+ *
+ * @property {function(string): string}      decryptString
+ *   Decrypt a payload produced by encryptString().
+ *   Returns a plain string.
+ *   Throws DecryptionError if the payload is invalid or tampered.
+ *
+ *     const str = Crypt.decryptString(token);
+ *
+ * ── Key / cipher introspection ────────────────────────────────────────────────
+ * @property {function(): Buffer}            getKey
+ *   Return the raw key Buffer currently in use.
+ *
+ *     const key = Crypt.getKey();  // → Buffer
+ *
+ * @property {function(): string}            getCipher
+ *   Return the cipher name in use (e.g. 'AES-256-CBC').
+ *
+ *     const cipher = Crypt.getCipher();  // → 'AES-256-CBC'
+ *
+ * ── Static helpers (do not go through the container) ─────────────────────────
+ * @property {function(string|Buffer, string): boolean}  supported
+ *   Check whether a key + cipher pair is valid before constructing an Encrypter.
+ *
+ *     Crypt.supported(myKey, 'AES-256-CBC');  // → true / false
+ *
+ * @property {function(string=): string}                 generateKey
+ *   Generate a cryptographically random base64 key for a given cipher.
+ *   The returned string includes the 'base64:' prefix — paste it into .env as APP_KEY.
+ *
+ *     const key = Crypt.generateKey();              // → 'base64:...' (AES-256-CBC)
+ *     const key = Crypt.generateKey('AES-128-CBC'); // → 'base64:...'
+ *
+ * ── How encryption works ──────────────────────────────────────────────────────
+ *
+ * Every payload is a base64-encoded JSON envelope:
+ *
+ *   {
+ *     iv:  "<base64 IV>",
+ *     val: "<base64 ciphertext>",
+ *     mac: "<hex HMAC-SHA256>",   // CBC only — prevents tampering
+ *     tag: "<base64 auth tag>",   // GCM only — built-in authentication
+ *     ser: true                   // present when value was JSON-serialised
+ *   }
+ *
+ * CBC mode uses a separate HMAC-SHA256 MAC over (iv + ciphertext) and verifies
+ * it with crypto.timingSafeEqual() before decrypting — guards against padding
+ * oracle attacks.
+ *
+ * GCM mode uses the built-in auth tag; decryption throws if the tag is invalid.
+ *
+ * ── Configuration ─────────────────────────────────────────────────────────────
+ *
+ * APP_KEY and (optionally) MILLAS_CIPHER are read from the environment:
+ *
+ *   APP_KEY=base64:A3k9...        # required
+ *   MILLAS_CIPHER=AES-256-CBC     # optional, default AES-256-CBC
+ *
+ * Supported ciphers: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM
+ *
+ * ── Usage ─────────────────────────────────────────────────────────────────────
+ *
+ *   const { Crypt } = require('millas/facades/Crypt');
+ *
+ *   // Encrypt / decrypt any value
+ *   const token   = Crypt.encrypt({ userId: 1, plan: 'pro' });
+ *   const payload = Crypt.decrypt(token);   // → { userId: 1, plan: 'pro' }
+ *
+ *   // Encrypt / decrypt raw strings
+ *   const raw = Crypt.encryptString('api-secret-xyz');
+ *   const str = Crypt.decryptString(raw);   // → 'api-secret-xyz'
+ *
+ *   // Generate a key (e.g. in a setup script)
+ *   console.log(Crypt.generateKey());       // → 'base64:...'
+ *
+ *   // Check a key is valid before use
+ *   if (!Crypt.supported(myKey, 'AES-256-CBC')) {
+ *     throw new Error('Invalid key');
+ *   }
+ *
+ * ── Testing ───────────────────────────────────────────────────────────────────
+ * @property {function(object): void}   swap
+ *   Swap the underlying instance for a fake in tests:
+ *     Crypt.swap({ encrypt: (v) => 'fake', decrypt: (v) => original });
+ *
+ * @property {function(): void}         restore
+ *   Restore the real implementation after a swap.
+ *
+ * @see src/encryption/Encrypter.js
+ * @see src/facades/Encrypt.js
+ */
+class Crypt extends createFacade('encrypter') {
+  static AES_128_CBC = 'AES-128-CBC';
+  static AES_256_CBC = 'AES-256-CBC';
+  static AES_128_GCM = 'AES-128-GCM';
+  static AES_256_GCM = 'AES-256-GCM';
+
+  /**
+   * Check whether a key + cipher pair is valid.
+   * Static helper — does not go through the container.
+   *
+   * @param {string|Buffer} key
+   * @param {string}        cipher
+   * @returns {boolean}
+   */
+  static supported(key, cipher) {
+    return Encrypter.supported(key, cipher);
+  }
+
+  /**
+   * Generate a cryptographically random base64 key for the given cipher.
+   * Static helper — does not go through the container.
+   *
+   * The returned string includes the 'base64:' prefix so it can be pasted
+   * directly into your .env file as APP_KEY.
+   *
+   *   const key = Crypt.generateKey();              // AES-256-CBC (default)
+   *   const key = Crypt.generateKey('AES-128-CBC');
+   *   const key = Crypt.generateKey('AES-256-GCM');
+   *
+   * @param {string} [cipher='AES-256-CBC']
+   * @returns {string}  e.g. 'base64:A3k9...'
+   */
+  static generateKey(cipher = 'AES-256-CBC') {
+    return Encrypter.generateKey(cipher);
+  }
+
+
+}
+
+module.exports = Crypt;

package/src/facades/Docs.js

@@ -0,0 +1,43 @@
+'use strict';
+
+/**
+ * millas/facades/Docs
+ *
+ *   const { Docs, ApiResource, ApiEndpoint, ApiField } = require('millas/facades/Docs');
+ *
+ *   class UserApiResource extends ApiResource {
+ *     static controller = UserController;
+ *     static label      = 'Users';
+ *     static group      = 'Auth & Users';
+ *     static prefix     = '/api/v1';
+ *
+ *     static endpoints() {
+ *       return [
+ *         ApiEndpoint.post('/auth/register')
+ *           .label('Register')
+ *           .body({
+ *             name:  ApiField.text().required().example('Jane Doe'),
+ *             email: ApiField.email().required().example('jane@example.com'),
+ *           })
+ *           .response(201, { id: 1, token: 'eyJ...' }),
+ *
+ *         ApiEndpoint.get('/users/me').label('Get current user').auth(),
+ *       ];
+ *     }
+ *   }
+ *
+ *   // In AppServiceProvider.boot():
+ *   Docs.register(UserApiResource);
+ */
+
+const Docs                = require('../docs/Docs');
+const { ApiResource, ApiEndpoint, ApiField } = require('../docs/resources/ApiResource');
+const DocsServiceProvider = require('../docs/DocsServiceProvider');
+
+module.exports = {
+  Docs,
+  ApiResource,
+  ApiEndpoint,
+  ApiField,
+  DocsServiceProvider,
+};

package/src/facades/Mail.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const { createFacade } = require('./Facade');
-const { MailMessage, TemplateEngine, SmtpDriver, SendGridDriver, MailgunDriver, LogDriver, MailServiceProvider } = require('../core');
+// const { MailMessage, TemplateEngine, SmtpDriver, SendGridDriver, MailgunDriver, LogDriver, MailServiceProvider } = require('../core');
 
 /**
  * Mail facade.

package/src/http/MillasRequest.js

@@ -222,29 +222,17 @@ class MillasRequest {
     return this._req.secure || false;
   }
 
-  // ─── Validation ─────────────────────────────────────────────────────────────
+  // ─── Validation (escape hatch) ───────────────────────────────────────────────
 
   /**
-   * Validate request input against rules.
-   * Throws a 422 ValidationError on failure.
-   * Returns the validated + type-coerced data subset on success.
+   * Validate input against a typed schema.
+   * Prefer using body.validate() in handlers, or .shape() on routes.
    *
-   *   const data = await req.validate({
-   *     name:     'required|string|min:2|max:100',
-   *     email:    'required|email',
-   *     password: 'required|string|min:8',
-   *     age:      'optional|number|min:13',
-   *   });
-   *
-   * For route-level validation (runs before the handler, result in req.validated):
+   *   const { string, email } = require('millas/core/validation');
    *
-   *   Route.post('/register', {
-   *     validate: {
-   *       email:    'required|email',
-   *       password: 'required|string|min:8',
-   *     },
-   *   }, async (req) => {
-   *     const { email, password } = req.validated;
+   *   const data = await req.validate({
+   *     name:  string().required().max(100),
+   *     email: email().required(),
    *   });
    */
   async validate(rules) {
@@ -252,18 +240,6 @@ class MillasRequest {
     return Validator.validate(this.all(), rules);
   }
 
-  /**
-   * The validated + coerced input — populated by route-level validation middleware.
-   * Null if no route-level validation was declared for this route.
-   *
-   *   Route.post('/login', { validate: { email: 'required|email' } }, async (req) => {
-   *     req.validated.email  // guaranteed valid email string
-   *   });
-   */
-  get validated() {
-    return this._req.validated ?? null;
-  }
-
   // ─── CSRF ────────────────────────────────────────────────────────────────────
 
   /**