novac 2.2.2 → 2.4.0

package/bin/nvml

@@ -15,11 +15,21 @@
  *   nvml --version                    Show version
  */
 
-const fs   = require('fs');
+const fs = require('fs');
 const path = require('path');
 const http = require('http');
-const os   = require('os');
-const url  = require('url');
+const os = require('os');
+const url = require('url');
+const crypto = require('crypto');
+
+// ── CSRF token — one per server process, embedded in every compiled page ──
+const CSRF_TOKEN = crypto.randomBytes(32).toString('hex');
+
+// ── Named action registry — populated by parsing the NVML file ────────────
+// { actionName → { code, type: 'nova'|'nodejs' } }
+// Actions are registered when the file is first compiled (or re-compiled).
+// The browser calls /_nvml/action/:name — no code ever travels over the wire.
+const _actions = new Map();
 
 const chalk = (() => {
   try { return require('chalk').default ?? require('chalk'); } catch { return null; }
@@ -29,11 +39,11 @@ const VERSION = '1.0.0';
 
 // ── colour helpers (graceful fallback if chalk absent) ────────
 const c = {
-  green:  s => chalk ? chalk.green(s)  : s,
-  red:    s => chalk ? chalk.red(s)    : s,
-  cyan:   s => chalk ? chalk.cyan(s)   : s,
-  bold:   s => chalk ? chalk.bold(s)   : s,
-  dim:    s => chalk ? chalk.dim(s)    : s,
+  green: s => chalk ? chalk.green(s) : s,
+  red: s => chalk ? chalk.red(s) : s,
+  cyan: s => chalk ? chalk.cyan(s) : s,
+  bold: s => chalk ? chalk.bold(s) : s,
+  dim: s => chalk ? chalk.dim(s) : s,
   yellow: s => chalk ? chalk.yellow(s) : s,
 };
 
@@ -112,11 +122,11 @@ function findElementById(elements, id) {
 
 function makeDocumentProxy(doc) {
   return {
-    setConfig: (k, v)    => { doc.config[k] = v; },
-    getConfig: (k)       => doc.config[k],
-    setTitle:  (t)       => { doc.config.title = t; },
-    setMeta:   (k, v)    => { doc.config[k] = v; },
-    set: (id, content)   => {
+    setConfig: (k, v) => { doc.config[k] = v; },
+    getConfig: (k) => doc.config[k],
+    setTitle: (t) => { doc.config.title = t; },
+    setMeta: (k, v) => { doc.config[k] = v; },
+    set: (id, content) => {
       const el = findElementById(doc.visual, id);
       if (el) el.textValue = String(content);
     },
@@ -155,15 +165,15 @@ function makeDocumentProxy(doc) {
       const el = findElementById(doc.visual, id);
       if (el) el.ss = (el.ss ? el.ss + '\n' : '') + `display: ${display || 'block'};`;
     },
-    alert: (_msg) => {},
+    alert: (_msg) => { },
     config: doc.config,
-    _doc:   doc,
+    _doc: doc,
   };
 }
 
 // ── error page (served when compile fails during --serve) ─────
 function errorPage(file, err) {
-  const esc = s => String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
+  const esc = s => String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
   return `<!DOCTYPE html>
 <html><head><meta charset="UTF-8"><title>NVML Error</title>
 <style>
@@ -184,7 +194,7 @@ function errorPage(file, err) {
 
 // ── serve ─────────────────────────────────────────────────────
 function cmdServe(port, nvmlFile, route) {
-  const nvml    = loadKit();
+  const nvml = loadKit();
   const absFile = path.resolve(process.cwd(), nvmlFile);
 
   if (!fs.existsSync(absFile)) die(`File not found: ${absFile}`);
@@ -199,233 +209,266 @@ function cmdServe(port, nvmlFile, route) {
     );
   }
 
-  // Build a novaRunner for a given NvmlDocument + request context
-  function makeNovaRunner(reqCtx) {
-    if (!novaRun) return null;
-    return (code, doc) => {
-      const scope = {
-        document: makeDocumentProxy(doc),
-        request:  reqCtx || {},
-      };
-      novaRun(code, scope);
-    };
+  // ── registerAction — called by renderer at compile time ─────────────────
+  // Stores the action's server code by name so the browser can call it by name only.
+  function registerAction(name, code, type) {
+    _actions.set(name, { code, type: type || 'nova' });
   }
 
-  // Build a mutation-capturing proxy for /_nvml/run
-  const _sseClients = new Set(); // Server-Sent Events connections
-
-  function makeMutationProxy(mutations, live) {
-    return {
-      // config
-      setConfig:      (k, v)       => mutations.push({ type: 'setConfig',    key: String(k), value: v }),
-      setTitle:       (t)          => mutations.push({ type: 'setConfig',    key: 'title', value: t }),
-      setMeta:        (k, v)       => mutations.push({ type: 'setConfig',    key: String(k), value: v }),
-      // text / html
-      set:            (id, val)    => mutations.push({ type: 'setText',      id: String(id), value: String(val) }),
-      setHTML:        (id, val)    => mutations.push({ type: 'setHTML',      id: String(id), value: String(val) }),
-      // props / attrs
-      setProp:        (id, k, v)   => mutations.push({ type: 'setProp',      id: String(id), key: String(k), value: String(v) }),
-      setAttr:        (id, k, v)   => mutations.push({ type: 'setAttr',      id: String(id), key: String(k), value: String(v) }),
-      removeAttr:     (id, k)      => mutations.push({ type: 'removeAttr',   id: String(id), key: String(k) }),
-      // classes
-      addClass:       (id, cls)    => mutations.push({ type: 'addClass',     id: String(id), value: String(cls) }),
-      removeClass:    (id, cls)    => mutations.push({ type: 'removeClass',  id: String(id), value: String(cls) }),
-      toggleClass:    (id, cls, f) => mutations.push({ type: 'toggleClass',  id: String(id), value: String(cls), force: f }),
-      setClass:       (id, cls)    => mutations.push({ type: 'setClass',     id: String(id), value: String(cls) }),
-      // style
-      addStyle:       (css)        => mutations.push({ type: 'addStyle',     value: String(css) }),
-      addElementStyle:(id, css)    => mutations.push({ type: 'addStyle',     id: String(id), value: String(css) }),
-      setStyle:       (id, k, v)   => mutations.push({ type: 'setStyle',     id: String(id), key: String(k), value: String(v) }),
-      setCSSVar:      (name, val)  => mutations.push({ type: 'setCSSVar',    name: String(name), value: String(val) }),
-      // visibility
-      hide:           (id, t)      => mutations.push({ type: 'hide',         id: String(id), transition: t || null }),
-      show:           (id, d, t)   => mutations.push({ type: 'show',         id: String(id), value: d || 'block', transition: t || null }),
-      // DOM manipulation
-      remove:         (id, t)      => mutations.push({ type: 'remove',       id: String(id), transition: t || null }),
-      appendChild:    (id, html)   => mutations.push({ type: 'appendChild',  id: String(id), html: String(html) }),
-      insertBefore:   (id, html)   => mutations.push({ type: 'insertBefore', id: String(id), html: String(html) }),
-      insertAfter:    (id, html)   => mutations.push({ type: 'insertAfter',  id: String(id), html: String(html) }),
-      // focus / scroll
-      focus:          (id)         => mutations.push({ type: 'focus',        id: String(id) }),
-      blur:           (id)         => mutations.push({ type: 'blur',         id: String(id) }),
-      scroll:         (id, beh)    => mutations.push({ type: 'scroll',       id: String(id), behavior: beh || 'smooth' }),
-      // signals
-      setSignal:      (name, val)  => mutations.push({ type: 'setSignal',    name: String(name), value: val }),
-      // list patch
-      patchList:      (id, items, tpl, key) => mutations.push({ type: 'patchList', id: String(id), items, template: String(tpl), key: key || null }),
-      // navigation
-      navigate:       (path)       => mutations.push({ type: 'navigate',     path: String(path) }),
-      reload:         ()           => mutations.push({ type: 'reload' }),
-      redirect:       (url)        => mutations.push({ type: 'redirect',     url: String(url) }),
-      // feedback
-      alert:          (msg)        => mutations.push({ type: 'alert',        value: String(msg) }),
-      toast:          (msg, d, t)  => mutations.push({ type: 'toast',        value: String(msg), duration: d || 3000, type: t || 'info' }),
-      console:        (msg, lvl)   => mutations.push({ type: 'console',      value: String(msg), level: lvl || 'log' }),
-      // reads from live snapshot
-      get:            (id)         => (live.elements && live.elements[id]) ? live.elements[id].text : null,
-      getValue:       (id)         => (live.elements && live.elements[id]) ? live.elements[id].value : null,
-      getClass:       (id)         => (live.elements && live.elements[id]) ? live.elements[id].class : null,
-      getConfig:      (k)          => live[k] ?? null,
-      getSignal:      (n)          => (live.state && live.state[n]) ?? null,
-      config:         live,
-      // SSE push (server → all connected clients)
-      push:           (name, val)  => {
-        const msg = `event: signal\ndata: ${JSON.stringify({ name, value: val })}\n\n`;
-        _sseClients.forEach(c => { try { c.write(msg); } catch(_) {} });
-      },
-      pushMutations:  (muts)       => {
-        const msg = `event: mutations\ndata: ${JSON.stringify(muts)}\n\n`;
-        _sseClients.forEach(c => { try { c.write(msg); } catch(_) {} });
-      },
-    };
+  // ── Compile the NVML file (re-reads + re-registers actions on every request) ──
+  function compileFile(reqCtx) {
+    const source = fs.readFileSync(absFile, 'utf8');
+    return nvml.compile(source, {
+      novaRunner: makeNovaRunner(reqCtx),
+      novaEmitter: null,
+      registerAction: registerAction,
+      csrfToken: CSRF_TOKEN,
+    });
   }
+  if (!novaRun) return null;
+  return (code, doc) => {
+    const scope = {
+      document: makeDocumentProxy(doc),
+      request: reqCtx || {},
+    };
+    novaRun(code, scope);
+  };
+}
 
-  const server = http.createServer((req, res) => {
-    const parsed  = url.parse(req.url || '/');
-    const urlPath = parsed.pathname || '/';
+// Build a mutation-capturing proxy for /_nvml/run
+const _sseClients = new Set(); // Server-Sent Events connections
 
-    // CORS
-    res.setHeader('Access-Control-Allow-Origin', '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
-    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
-
-    // ── /_nvml/sse — Server-Sent Events for server-push signal updates ──
-    if (urlPath === '/_nvml/sse' && req.method === 'GET') {
-      res.writeHead(200, {
-        'Content-Type': 'text/event-stream',
-        'Cache-Control': 'no-cache',
-        'Connection': 'keep-alive',
-        'X-Accel-Buffering': 'no',
-      });
-      res.write('retry: 3000\n\n'); // tell client to reconnect after 3s if disconnected
-      _sseClients.add(res);
-      req.on('close', () => _sseClients.delete(res));
+function makeMutationProxy(mutations, live) {
+  return {
+    // config
+    setConfig: (k, v) => mutations.push({ type: 'setConfig', key: String(k), value: v }),
+    setTitle: (t) => mutations.push({ type: 'setConfig', key: 'title', value: t }),
+    setMeta: (k, v) => mutations.push({ type: 'setConfig', key: String(k), value: v }),
+    // text / html
+    set: (id, val) => mutations.push({ type: 'setText', id: String(id), value: String(val) }),
+    setHTML: (id, val) => mutations.push({ type: 'setHTML', id: String(id), value: String(val) }),
+    // props / attrs
+    setProp: (id, k, v) => mutations.push({ type: 'setProp', id: String(id), key: String(k), value: String(v) }),
+    setAttr: (id, k, v) => mutations.push({ type: 'setAttr', id: String(id), key: String(k), value: String(v) }),
+    removeAttr: (id, k) => mutations.push({ type: 'removeAttr', id: String(id), key: String(k) }),
+    // classes
+    addClass: (id, cls) => mutations.push({ type: 'addClass', id: String(id), value: String(cls) }),
+    removeClass: (id, cls) => mutations.push({ type: 'removeClass', id: String(id), value: String(cls) }),
+    toggleClass: (id, cls, f) => mutations.push({ type: 'toggleClass', id: String(id), value: String(cls), force: f }),
+    setClass: (id, cls) => mutations.push({ type: 'setClass', id: String(id), value: String(cls) }),
+    // style
+    addStyle: (css) => mutations.push({ type: 'addStyle', value: String(css) }),
+    addElementStyle: (id, css) => mutations.push({ type: 'addStyle', id: String(id), value: String(css) }),
+    setStyle: (id, k, v) => mutations.push({ type: 'setStyle', id: String(id), key: String(k), value: String(v) }),
+    setCSSVar: (name, val) => mutations.push({ type: 'setCSSVar', name: String(name), value: String(val) }),
+    // visibility
+    hide: (id, t) => mutations.push({ type: 'hide', id: String(id), transition: t || null }),
+    show: (id, d, t) => mutations.push({ type: 'show', id: String(id), value: d || 'block', transition: t || null }),
+    // DOM manipulation
+    remove: (id, t) => mutations.push({ type: 'remove', id: String(id), transition: t || null }),
+    appendChild: (id, html) => mutations.push({ type: 'appendChild', id: String(id), html: String(html) }),
+    insertBefore: (id, html) => mutations.push({ type: 'insertBefore', id: String(id), html: String(html) }),
+    insertAfter: (id, html) => mutations.push({ type: 'insertAfter', id: String(id), html: String(html) }),
+    // focus / scroll
+    focus: (id) => mutations.push({ type: 'focus', id: String(id) }),
+    blur: (id) => mutations.push({ type: 'blur', id: String(id) }),
+    scroll: (id, beh) => mutations.push({ type: 'scroll', id: String(id), behavior: beh || 'smooth' }),
+    // signals
+    setSignal: (name, val) => mutations.push({ type: 'setSignal', name: String(name), value: val }),
+    // list patch
+    patchList: (id, items, tpl, key) => mutations.push({ type: 'patchList', id: String(id), items, template: String(tpl), key: key || null }),
+    // navigation
+    navigate: (path) => mutations.push({ type: 'navigate', path: String(path) }),
+    reload: () => mutations.push({ type: 'reload' }),
+    redirect: (url) => mutations.push({ type: 'redirect', url: String(url) }),
+    // feedback
+    alert: (msg) => mutations.push({ type: 'alert', value: String(msg) }),
+    toast: (msg, d, t) => mutations.push({ type: 'toast', value: String(msg), duration: d || 3000, type: t || 'info' }),
+    console: (msg, lvl) => mutations.push({ type: 'console', value: String(msg), level: lvl || 'log' }),
+    // reads from live snapshot
+    get: (id) => (live.elements && live.elements[id]) ? live.elements[id].text : null,
+    getValue: (id) => (live.elements && live.elements[id]) ? live.elements[id].value : null,
+    getClass: (id) => (live.elements && live.elements[id]) ? live.elements[id].class : null,
+    getConfig: (k) => live[k] ?? null,
+    getSignal: (n) => (live.state && live.state[n]) ?? null,
+    config: live,
+    // SSE push (server → all connected clients)
+    push: (name, val) => {
+      const msg = `event: signal\ndata: ${JSON.stringify({ name, value: val })}\n\n`;
+      _sseClients.forEach(c => { try { c.write(msg); } catch (_) { } });
+    },
+    pushMutations: (muts) => {
+      const msg = `event: mutations\ndata: ${JSON.stringify(muts)}\n\n`;
+      _sseClients.forEach(c => { try { c.write(msg); } catch (_) { } });
+    },
+  };
+}
+
+const server = http.createServer((req, res) => {
+  const parsed = url.parse(req.url || '/');
+  const urlPath = parsed.pathname || '/';
+
+  // ── Localhost-only guard for all internal /_nvml/* endpoints ─────────
+  if (urlPath.startsWith('/_nvml/')) {
+    const ip = req.socket.remoteAddress;
+    if (ip !== '127.0.0.1' && ip !== '::1' && ip !== '::ffff:127.0.0.1') {
+      res.writeHead(403, { 'Content-Type': 'text/plain' });
+      res.end('403 Forbidden');
       return;
     }
+  }
 
-    // ── /_nvml/run — triggered server-side Nova scripts ──────
-    if (urlPath === '/_nvml/run' && req.method === 'POST') {
-      let rawBody = '';
-      req.on('data', chunk => { rawBody += chunk; });
-      req.on('end', () => {
-        let code, live;
-        try {
-          const body = JSON.parse(rawBody);
-          code = String(body.code || '');
-          live = body.live || {};
-        } catch (e) {
-          return sendJSON(res, 400, { error: 'Invalid JSON body' });
-        }
+  // CORS — open for the main page, locked for internal endpoints
+  if (urlPath.startsWith('/_nvml/')) {
+    res.setHeader('Access-Control-Allow-Origin', `http://localhost:${port}`);
+  } else {
+    res.setHeader('Access-Control-Allow-Origin', '*');
+  }
+  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, X-CSRF-Token');
+  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
 
-        if (!code.trim()) return sendJSON(res, 200, { mutations: [] });
+  // ── CSRF validation helper ────────────────────────────────────────────
+  function validCSRF() {
+    return (req.headers['x-csrf-token'] || '') === CSRF_TOKEN;
+  }
 
-        if (!novaRun) {
-          return sendJSON(res, 503, { error: 'Nova runtime not available' });
-        }
+  // ── /_nvml/sse — Server-Sent Events ──────────────────────────────────
+  if (urlPath === '/_nvml/sse' && req.method === 'GET') {
+    res.writeHead(200, {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection': 'keep-alive',
+      'X-Accel-Buffering': 'no',
+    });
+    res.write('retry: 3000\n\n');
+    _sseClients.add(res);
+    req.on('close', () => _sseClients.delete(res));
+    return;
+  }
 
-        const mutations = [];
-        const docProxy  = makeMutationProxy(mutations, live);
-        try {
-          novaRun(code, { document: docProxy, request: live });
-          return sendJSON(res, 200, { mutations });
-        } catch (e) {
-          process.stderr.write(c.red(`[nvml] /_nvml/run error: ${e.message}`) + '\n');
-          return sendJSON(res, 500, { error: e.message, mutations });
-        }
-      });
-      return;
-    }
+  // ── /_nvml/action/:name — named server action dispatcher ─────────────
+  // This is the only server-execution endpoint. The browser calls it by
+  // action name (declared in NVML source), never sends executable code.
+  const actionMatch = urlPath.match(/^\/_nvml\/action\/([a-zA-Z0-9_-]+)$/);
+  if (actionMatch && req.method === 'POST') {
+    if (!validCSRF()) return sendJSON(res, 403, { error: 'Invalid CSRF token' });
 
-    // ── main route ───────────────────────────────────────────
-    if (urlPath !== route) {
-      res.writeHead(404, { 'Content-Type': 'text/plain' });
-      res.end(`404 — this server only handles: ${route}`);
-      return;
-    }
+    const actionName = actionMatch[1];
+    const action = _actions.get(actionName);
+    if (!action) return sendJSON(res, 404, { error: `Unknown action: ${actionName}` });
 
-    let source;
-    try { source = fs.readFileSync(absFile, 'utf8'); }
-    catch (e) { res.writeHead(500); res.end(e.message); return; }
-
-    // Build request context
-    const reqContext = {
-      method:  req.method,
-      url:     req.url,
-      path:    urlPath,
-      query:   Object.fromEntries(new URLSearchParams(parsed.query || '')),
-      headers: req.headers,
-      params:  {},
-      body:    null,
-    };
+    let rawBody = '';
+    req.on('data', chunk => { rawBody += chunk; });
+    req.on('end', () => {
+      let live = {};
+      try { live = JSON.parse(rawBody).live || {}; } catch (_) { }
+
+      const mutations = [];
+      const docProxy = makeMutationProxy(mutations, live);
 
-    const compileAndSend = () => {
-      let html;
       try {
-        html = nvml.compile(source, {
-          novaRunner:  makeNovaRunner(reqContext),
-          novaEmitter: null,
-        });
+        if (action.type === 'nova') {
+          if (!novaRun) return sendJSON(res, 503, { error: 'Nova runtime not available' });
+          novaRun(action.code, { document: docProxy, request: live });
+        } else if (action.type === 'nodejs') {
+          const vm = require('vm');
+          vm.runInNewContext(action.code, {
+            document: docProxy, request: live,
+            require, console, process,
+          }, { timeout: 5000 });
+        }
+        return sendJSON(res, 200, { mutations });
       } catch (e) {
-        process.stderr.write(c.red(`[nvml] compile error: ${e.message}`) + '\n');
-        const errHtml = errorPage(nvmlFile, e);
-        res.writeHead(500, {
-          'Content-Type':   'text/html; charset=UTF-8',
-          'Content-Length': Buffer.byteLength(errHtml),
-        });
-        res.end(errHtml);
-        return;
+        process.stderr.write(c.red(`[nvml] action "${actionName}" error: ${e.message}`) + '\n');
+        return sendJSON(res, 500, { error: e.message, mutations });
       }
+    });
+    return;
+  }
 
-      res.writeHead(200, {
-        'Content-Type':   'text/html; charset=UTF-8',
-        'Content-Length': Buffer.byteLength(html),
-        'Cache-Control':  'no-store',
-        'X-Powered-By':   `nvml/${VERSION}`,
-      });
-      res.end(html);
-      process.stdout.write(c.dim(`  ${req.method} ${urlPath} → 200`) + '\n');
-    };
+  // ── main route ───────────────────────────────────────────
+  if (urlPath !== route) {
+    res.writeHead(404, { 'Content-Type': 'text/plain' });
+    res.end(`404 — this server only handles: ${route}`);
+    return;
+  }
 
-    // Collect body for POST/PUT/PATCH before compiling
-    if (['POST', 'PUT', 'PATCH'].includes(req.method)) {
-      let rawBody = '';
-      req.on('data', chunk => { rawBody += chunk; });
-      req.on('end', () => {
-        try { reqContext.body = JSON.parse(rawBody); } catch { reqContext.body = rawBody; }
-        compileAndSend();
+  // Build request context
+  const reqContext = {
+    method: req.method,
+    url: req.url,
+    path: urlPath,
+    query: Object.fromEntries(new URLSearchParams(parsed.query || '')),
+    headers: req.headers,
+    params: {},
+    body: null,
+  };
+
+  const compileAndSend = () => {
+    let html;
+    try {
+      html = compileFile(reqContext);
+    } catch (e) {
+      process.stderr.write(c.red(`[nvml] compile error: ${e.message}`) + '\n');
+      const errHtml = errorPage(nvmlFile, e);
+      res.writeHead(500, {
+        'Content-Type': 'text/html; charset=UTF-8',
+        'Content-Length': Buffer.byteLength(errHtml),
       });
-    } else {
-      compileAndSend();
+      res.end(errHtml);
+      return;
     }
-  });
 
-  server.on('error', e => {
-    if (e.code === 'EADDRINUSE') die(`Port ${port} is already in use.`);
-    die(`Server error: ${e.message}`);
-  });
+    res.writeHead(200, {
+      'Content-Type': 'text/html; charset=UTF-8',
+      'Content-Length': Buffer.byteLength(html),
+      'Cache-Control': 'no-store',
+      'X-Powered-By': `nvml/${VERSION}`,
+    });
+    res.end(html);
+    process.stdout.write(c.dim(`  ${req.method} ${urlPath} → 200`) + '\n');
+  };
 
-  server.listen(port, '127.0.0.1', () => {
-    process.stdout.write(
-      c.green('\n  nvml server running') + '\n' +
-      c.cyan(`  http://localhost:${port}${route}`) + '\n\n' +
-      c.dim(`  file   : ${absFile}`) + '\n' +
-      c.dim(`  route  : ${route}`) + '\n' +
-      c.dim(`  reload : automatic (re-reads file on every request)`) + '\n\n' +
-      `  Press ${c.bold('Ctrl+C')} to stop.\n\n`
-    );
-  });
+  // Collect body for POST/PUT/PATCH before compiling
+  if (['POST', 'PUT', 'PATCH'].includes(req.method)) {
+    let rawBody = '';
+    req.on('data', chunk => { rawBody += chunk; });
+    req.on('end', () => {
+      try { reqContext.body = JSON.parse(rawBody); } catch { reqContext.body = rawBody; }
+      compileAndSend();
+    });
+  } else {
+    compileAndSend();
+  }
+});
+
+server.on('error', e => {
+  if (e.code === 'EADDRINUSE') die(`Port ${port} is already in use.`);
+  die(`Server error: ${e.message}`);
+});
+
+server.listen(port, '127.0.0.1', () => {
+  process.stdout.write(
+    c.green('\n  nvml server running') + '\n' +
+    c.cyan(`  http://localhost:${port}${route}`) + '\n\n' +
+    c.dim(`  file   : ${absFile}`) + '\n' +
+    c.dim(`  route  : ${route}`) + '\n' +
+    c.dim(`  reload : automatic (re-reads file on every request)`) + '\n\n' +
+    `  Press ${c.bold('Ctrl+C')} to stop.\n\n`
+  );
+});
+
+process.on('SIGINT', () => { process.stdout.write('\n'); process.exit(0); });
+process.on('SIGTERM', () => process.exit(0));
 
-  process.on('SIGINT',  () => { process.stdout.write('\n'); process.exit(0); });
-  process.on('SIGTERM', () => process.exit(0));
-}
 
 // ── helpers ───────────────────────────────────────────────────
 function sendJSON(res, code, obj) {
   const body = JSON.stringify(obj);
   res.writeHead(code, {
-    'Content-Type':                'application/json; charset=UTF-8',
-    'Content-Length':              Buffer.byteLength(body),
+    'Content-Type': 'application/json; charset=UTF-8',
+    'Content-Length': Buffer.byteLength(body),
     'Access-Control-Allow-Origin': '*',
   });
   res.end(body);
@@ -433,7 +476,7 @@ function sendJSON(res, code, obj) {
 
 // ── compile ───────────────────────────────────────────────────
 function cmdCompile(nvmlFile) {
-  const nvml    = loadKit();
+  const nvml = loadKit();
   const absFile = path.resolve(process.cwd(), nvmlFile);
   if (!fs.existsSync(absFile)) die(`File not found: ${absFile}`);
   const novaRun = resolveNovaRun();
@@ -449,7 +492,7 @@ function cmdCompile(nvmlFile) {
 
 // ── ast ───────────────────────────────────────────────────────
 function cmdAst(nvmlFile) {
-  const nvml    = loadKit();
+  const nvml = loadKit();
   const absFile = path.resolve(process.cwd(), nvmlFile);
   if (!fs.existsSync(absFile)) die(`File not found: ${absFile}`);
   try {
@@ -462,7 +505,7 @@ function cmdAst(nvmlFile) {
 // ── tokens ────────────────────────────────────────────────────
 function cmdTokens(nvmlFile) {
   const { Lexer } = loadLexer();
-  const absFile   = path.resolve(process.cwd(), nvmlFile);
+  const absFile = path.resolve(process.cwd(), nvmlFile);
   if (!fs.existsSync(absFile)) die(`File not found: ${absFile}`);
   try {
     process.stdout.write(JSON.stringify(new Lexer(fs.readFileSync(absFile, 'utf8')).tokenize(), null, 2) + '\n');
@@ -473,7 +516,7 @@ function cmdTokens(nvmlFile) {
 
 // ── check ─────────────────────────────────────────────────────
 function cmdCheck(nvmlFile) {
-  const nvml    = loadKit();
+  const nvml = loadKit();
   const absFile = path.resolve(process.cwd(), nvmlFile);
   if (!fs.existsSync(absFile)) die(`File not found: ${absFile}`);
   try {
@@ -527,13 +570,13 @@ if (args[0] === '--version' || args[0] === '-v') {
 // subcommands
 switch (args[0]) {
   case 'compile': if (!args[1]) die('Usage: nvml compile <file.nvml>'); cmdCompile(args[1]); break;
-  case 'ast':     if (!args[1]) die('Usage: nvml ast <file.nvml>');     cmdAst(args[1]);     break;
-  case 'tokens':  if (!args[1]) die('Usage: nvml tokens <file.nvml>');  cmdTokens(args[1]);  break;
-  case 'check':   if (!args[1]) die('Usage: nvml check <file.nvml>');   cmdCheck(args[1]);   break;
+  case 'ast': if (!args[1]) die('Usage: nvml ast <file.nvml>'); cmdAst(args[1]); break;
+  case 'tokens': if (!args[1]) die('Usage: nvml tokens <file.nvml>'); cmdTokens(args[1]); break;
+  case 'check': if (!args[1]) die('Usage: nvml check <file.nvml>'); cmdCheck(args[1]); break;
   default: {
     // nvml <port> <file> [route]
-    const port  = parseInt(args[0], 10);
-    const file  = args[1];
+    const port = parseInt(args[0], 10);
+    const file = args[1];
     const route = args[2] || '/';
     if (!port || port < 1 || port > 65535) die(`Invalid port: "${args[0]}"\nUsage: nvml <port> <file.nvml>`);
     if (!file) die('Usage: nvml <port> <file.nvml> [route]');

package/bin/nvml.cmd

@@ -0,0 +1,2 @@
+@echo off
+node "%~dp0nvml" %*