nyte 1.0.0 → 1.0.1

package/dist/hotReload.js

@@ -213,6 +213,7 @@ class HotReloadManager {
             });
             try {
                 this.frontendChangeCallback?.();
+                this.backendApiChangeCallback?.();
                 await Promise.race([buildPromise, timeoutPromise]);
                 dm.end(`Build complete for ${path.basename(filePath)}, reloading frontend.`);
                 this.frontendChangeCallback?.();
@@ -230,13 +231,13 @@ class HotReloadManager {
         }
         // Se for arquivo de backend, recarrega o módulo e notifica
         if (isBackendFile) {
-            console_1.default.logWithout(console_1.Levels.INFO, console_1.Colors.BgRed, `Reloading backend...`);
+            console_1.default.logWithout(console_1.Levels.INFO, undefined, `Reloading backend...`);
             this.backendApiChangeCallback?.();
             this.notifyClients('backend-api-reload', { file: filePath, event: 'change' });
         }
         // Fallback: se não for nem frontend nem backend detectado, recarrega tudo
         if (!isFrontendFile && !isBackendFile) {
-            console_1.default.logWithout(console_1.Levels.INFO, console_1.Colors.BgRed, `Reloading application...`);
+            console_1.default.logWithout(console_1.Levels.INFO, undefined, `Reloading application...`);
             this.frontendChangeCallback?.();
             this.backendApiChangeCallback?.();
             this.notifyClients('src-reload', { file: filePath, event: 'change' });

package/dist/rpc/annotations.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Símbolo único para marcar funções expostas.
+ * Usamos Symbol para garantir que não possa ser falsificado via JSON no payload.
+ */
+export declare const RPC_EXPOSED_KEY: unique symbol;
+type AnyFn = (...args: any[]) => any;
+/**
+ * Marca uma ou mais funções como seguras para RPC.
+ */
+export default function Expose<T extends AnyFn>(fn: T): T;
+export default function Expose<T extends AnyFn[]>(fns: [...T]): T;
+export default function Expose<T extends AnyFn[]>(...fns: T): T;
+export {};

package/dist/rpc/annotations.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RPC_EXPOSED_KEY = void 0;
+exports.default = Expose;
+/**
+ * Símbolo único para marcar funções expostas.
+ * Usamos Symbol para garantir que não possa ser falsificado via JSON no payload.
+ */
+exports.RPC_EXPOSED_KEY = Symbol('__rpc_exposed__');
+function Expose(...input) {
+    const fns = Array.isArray(input[0]) ? input[0] : input;
+    for (const fn of fns) {
+        if (typeof fn !== 'function') {
+            throw new TypeError('Expose aceita apenas funções');
+        }
+        fn[exports.RPC_EXPOSED_KEY] = true;
+    }
+    // Retorno:
+    // - se veio uma função → retorna ela
+    // - se veio lista → retorna a lista
+    return input.length === 1 ? input[0] : input;
+}

package/dist/rpc/server.js

@@ -7,7 +7,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -23,6 +23,8 @@ exports.executeRpc = executeRpc;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const http_1 = require("../api/http");
+// Importamos a chave para verificar a anotação de segurança
+const annotations_1 = require("./annotations");
 const DEFAULT_ALLOWED_SERVER_DIRS = ['src/backend'];
 function normalizeToPosix(p) {
     return p.replace(/\\/g, '/');
@@ -52,7 +54,7 @@ function tryResolveWithinAllowedDirs(projectDir, allowedDirs, requestedFile) {
         const baseAbs = path_1.default.resolve(projectDir, d);
         // Interpret client path as relative to src/web (where it's typically authored)
         const fromWebAbs = path_1.default.resolve(projectDir, 'src/web', req);
-        // Map: <project>/src/backend/*  (coming from ../../backend/* from web code)
+        // Map: <project>/src/backend/* (coming from ../../backend/* from web code)
         const mappedFromWebAbs = fromWebAbs.replace(path_1.default.resolve(projectDir, 'backend') + path_1.default.sep, path_1.default.resolve(projectDir, 'src', 'backend') + path_1.default.sep);
         // Also accept callers passing a backend-relative path like "./auth" or "auth"
         const fromBackendAbs = path_1.default.resolve(baseAbs, req);
@@ -155,6 +157,20 @@ async function executeRpc(ctx, payload) {
         if (typeof fnValue !== 'function') {
             return { success: false, error: `RPC function not found: ${fnName}` };
         }
+        // --- SECURITY CHECK (Expose Annotation or Allowlist) ---
+        // 1. Verifica se a função possui o Symbol definido em annotations.ts (Via wrapper Expose())
+        const isAnnotated = fnValue[annotations_1.RPC_EXPOSED_KEY];
+        // 2. Verifica se o módulo exporta uma lista explícita chamada 'exposed' ou 'rpcMethods'
+        //    Isso permite o uso de "export function" sem wrapper, listando os nomes no final do arquivo.
+        const allowList = mod.exposed || mod.rpcMethods;
+        const isListed = Array.isArray(allowList) && allowList.includes(fnName);
+        if (!isAnnotated && !isListed) {
+            return {
+                success: false,
+                error: `Function '${fnName}' is not exposed via RPC. Mark it with Expose() or add it to an exported 'exposed' array.`
+            };
+        }
+        // ------------------------------------------
         const rpcRequest = ctx.request ? new http_1.NyteRequest(ctx.request) : buildRpcRequestFromPayload(payload);
         const result = await fnValue(rpcRequest, ...payload.args);
         return { success: true, return: result };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nyte",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Nyte.js is a high-level framework for building web applications with ease and speed. It provides a robust set of tools and features to streamline development and enhance productivity.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -47,6 +47,11 @@
       "types": "./dist/eslint/index.d.ts",
       "import": "./dist/eslint/index.js",
       "require": "./dist/eslint/index.js"
+    },
+    "./rpc": {
+      "types": "./dist/rpc/annotations.d.ts",
+      "import": "./dist/rpc/annotations.js",
+      "require": "./dist/rpc/annotations.js"
     }
   },
   "peerDependencies": {

package/src/hotReload.ts

@@ -219,6 +219,7 @@ export class HotReloadManager {
 
             try {
                 this.frontendChangeCallback?.();
+                this.backendApiChangeCallback?.();
                 await Promise.race([buildPromise, timeoutPromise]);
                 dm.end(`Build complete for ${path.basename(filePath)}, reloading frontend.`);
                 this.frontendChangeCallback?.();
@@ -235,14 +236,14 @@ export class HotReloadManager {
 
         // Se for arquivo de backend, recarrega o módulo e notifica
         if (isBackendFile) {
-            Console.logWithout(Levels.INFO, Colors.BgRed,`Reloading backend...`);
+            Console.logWithout(Levels.INFO, undefined,`Reloading backend...`);
             this.backendApiChangeCallback?.();
             this.notifyClients('backend-api-reload', { file: filePath, event: 'change' });
         }
 
         // Fallback: se não for nem frontend nem backend detectado, recarrega tudo
         if (!isFrontendFile && !isBackendFile) {
-            Console.logWithout(Levels.INFO, Colors.BgRed,`Reloading application...`);
+            Console.logWithout(Levels.INFO, undefined,`Reloading application...`);
             this.frontendChangeCallback?.();
             this.backendApiChangeCallback?.();
             this.notifyClients('src-reload', { file: filePath, event: 'change' });

package/src/rpc/annotations.ts

@@ -0,0 +1,30 @@
+/**
+ * Símbolo único para marcar funções expostas.
+ * Usamos Symbol para garantir que não possa ser falsificado via JSON no payload.
+ */
+export const RPC_EXPOSED_KEY = Symbol('__rpc_exposed__');
+
+type AnyFn = (...args: any[]) => any;
+
+/**
+ * Marca uma ou mais funções como seguras para RPC.
+ */
+export default function Expose<T extends AnyFn>(fn: T): T;
+export default function Expose<T extends AnyFn[]>(fns: [...T]): T;
+export default function Expose<T extends AnyFn[]>(...fns: T): T;
+export default function Expose(...input: any[]): any {
+    const fns: AnyFn[] =
+        Array.isArray(input[0]) ? input[0] : input;
+
+    for (const fn of fns) {
+        if (typeof fn !== 'function') {
+            throw new TypeError('Expose aceita apenas funções');
+        }
+        (fn as any)[RPC_EXPOSED_KEY] = true;
+    }
+
+    // Retorno:
+    // - se veio uma função → retorna ela
+    // - se veio lista → retorna a lista
+    return input.length === 1 ? input[0] : input;
+}

package/src/rpc/server.ts

@@ -6,7 +6,7 @@
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
- *     http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
@@ -20,6 +20,8 @@ import path from 'path';
 import { RpcRequestPayload, RpcResponsePayload } from './types';
 import { NyteRequest } from '../api/http';
 import type { GenericRequest } from '../types/framework';
+// Importamos a chave para verificar a anotação de segurança
+import { RPC_EXPOSED_KEY } from './annotations';
 
 const DEFAULT_ALLOWED_SERVER_DIRS = ['src/backend'] as const;
 
@@ -64,7 +66,7 @@ function tryResolveWithinAllowedDirs(projectDir: string, allowedDirs: string[],
         // Interpret client path as relative to src/web (where it's typically authored)
         const fromWebAbs = path.resolve(projectDir, 'src/web', req);
 
-        // Map: <project>/src/backend/*  (coming from ../../backend/* from web code)
+        // Map: <project>/src/backend/* (coming from ../../backend/* from web code)
         const mappedFromWebAbs = fromWebAbs.replace(
             path.resolve(projectDir, 'backend') + path.sep,
             path.resolve(projectDir, 'src', 'backend') + path.sep
@@ -180,6 +182,23 @@ export async function executeRpc(ctx: RpcExecutionContext, payload: any): Promis
             return { success: false, error: `RPC function not found: ${fnName}` };
         }
 
+        // --- SECURITY CHECK (Expose Annotation or Allowlist) ---
+        // 1. Verifica se a função possui o Symbol definido em annotations.ts (Via wrapper Expose())
+        const isAnnotated = (fnValue as any)[RPC_EXPOSED_KEY];
+
+        // 2. Verifica se o módulo exporta uma lista explícita chamada 'exposed' ou 'rpcMethods'
+        //    Isso permite o uso de "export function" sem wrapper, listando os nomes no final do arquivo.
+        const allowList = mod.exposed || mod.rpcMethods;
+        const isListed = Array.isArray(allowList) && allowList.includes(fnName);
+
+        if (!isAnnotated && !isListed) {
+            return {
+                success: false,
+                error: `Function '${fnName}' is not exposed via RPC. Mark it with Expose() or add it to an exported 'exposed' array.`
+            };
+        }
+        // ------------------------------------------
+
         const rpcRequest = ctx.request ? new NyteRequest(ctx.request) : buildRpcRequestFromPayload(payload);
         const result = await fnValue(rpcRequest, ...payload.args);
         return { success: true, return: result };
@@ -187,4 +206,4 @@ export async function executeRpc(ctx: RpcExecutionContext, payload: any): Promis
         const message = typeof err?.message === 'string' ? err.message : 'Unknown RPC error';
         return { success: false, error: message };
     }
-}
+}