swallowkit 1.0.0-beta.15 → 1.0.0-beta.16

package/src/cli/commands/dev.ts

@@ -458,10 +458,28 @@ async function startDevEnvironment(options: DevOptions) {
   const processes: ChildProcess[] = [];
   let functionsEnv: NodeJS.ProcessEnv = process.env;
   let mockServer: ConnectorMockServer | null = null;
+  let envLocalPath = '';
+  let envLocalDefaultUrl = ''; // default Functions URL to restore on shutdown
 
   // Cleanup processes on Ctrl+C
   process.on('SIGINT', async () => {
     console.log('\n🛑 Stopping development servers...');
+    // Restore .env.local to default Functions port on shutdown
+    if (envLocalPath && envLocalDefaultUrl) {
+      try {
+        if (fs.existsSync(envLocalPath)) {
+          const content = fs.readFileSync(envLocalPath, 'utf-8');
+          if (content.includes('BACKEND_FUNCTIONS_BASE_URL=') &&
+              !content.includes(`BACKEND_FUNCTIONS_BASE_URL=${envLocalDefaultUrl}`)) {
+            const restored = content.replace(
+              /^BACKEND_FUNCTIONS_BASE_URL=.*/m,
+              `BACKEND_FUNCTIONS_BASE_URL=${envLocalDefaultUrl}`
+            );
+            fs.writeFileSync(envLocalPath, restored, 'utf-8');
+          }
+        }
+      } catch { /* ignore */ }
+    }
     if (mockServer) {
       await mockServer.stop();
     }
@@ -604,28 +622,34 @@ async function startDevEnvironment(options: DevOptions) {
     if (hasFunctions && !options.noFunctions) {
       // Build shared package before starting Functions
       const sharedDir = path.join(process.cwd(), 'shared');
-      if (fs.existsSync(sharedDir) && fs.existsSync(path.join(sharedDir, 'package.json'))) {
-        console.log('📦 Building shared package...');
-        const filterArgs = pm === 'pnpm'
-          ? ['run', '--filter', 'shared', 'build']
-          : ['run', '--workspace=shared', 'build'];
-        const sharedBuild = spawn(pm, filterArgs, {
-          cwd: process.cwd(),
-          shell: true,
-          stdio: 'inherit',
-        });
+      const sharedPkgPath = path.join(sharedDir, 'package.json');
+      if (fs.existsSync(sharedDir) && fs.existsSync(sharedPkgPath)) {
+        const sharedPkg = JSON.parse(fs.readFileSync(sharedPkgPath, 'utf-8'));
+        if (sharedPkg.scripts?.build) {
+          console.log('📦 Building shared package...');
+          const filterArgs = pm === 'pnpm'
+            ? ['run', '--filter', 'shared', 'build']
+            : ['run', '--workspace=shared', 'build'];
+          const sharedBuild = spawn(pm, filterArgs, {
+            cwd: process.cwd(),
+            shell: true,
+            stdio: 'inherit',
+          });
 
-        await new Promise<void>((resolve, reject) => {
-          sharedBuild.on('close', (code) => {
-            if (code === 0) {
-              console.log('✅ Shared package built successfully');
-              resolve();
-            } else {
-              reject(new Error(`Shared package build failed with code ${code}`));
-            }
+          await new Promise<void>((resolve, reject) => {
+            sharedBuild.on('close', (code) => {
+              if (code === 0) {
+                console.log('✅ Shared package built successfully');
+                resolve();
+              } else {
+                reject(new Error(`Shared package build failed with code ${code}`));
+              }
+            });
+            sharedBuild.on('error', reject);
           });
-          sharedBuild.on('error', reject);
-        });
+        } else {
+          console.log('⚠️  Shared package has no build script — skipping build. Run "swallowkit add-auth" to fix.');
+        }
       }
 
       // Azure Functions を起動
@@ -783,6 +807,26 @@ async function startDevEnvironment(options: DevOptions) {
       }, 3000);
     }
 
+    // Ensure .env.local points to bffTargetPort so Next.js reads the correct backend URL.
+    // When --mock-connectors is active, bffTargetPort = mock port (7072); otherwise = Functions port (7071).
+    // Next.js may load .env.local values that override spawn env vars, so we must keep them in sync.
+    envLocalPath = path.join(process.cwd(), '.env.local');
+    envLocalDefaultUrl = `http://${options.host || 'localhost'}:${functionsPort}`;
+    const bffTargetUrl = `http://${options.host || 'localhost'}:${bffTargetPort}`;
+    try {
+      if (fs.existsSync(envLocalPath)) {
+        const envContent = fs.readFileSync(envLocalPath, 'utf-8');
+        if (envContent.includes('BACKEND_FUNCTIONS_BASE_URL=') &&
+            !envContent.includes(`BACKEND_FUNCTIONS_BASE_URL=${bffTargetUrl}`)) {
+          const updated = envContent.replace(
+            /^BACKEND_FUNCTIONS_BASE_URL=.*/m,
+            `BACKEND_FUNCTIONS_BASE_URL=${bffTargetUrl}`
+          );
+          fs.writeFileSync(envLocalPath, updated, 'utf-8');
+        }
+      }
+    } catch { /* ignore */ }
+
     const nextEnv: NodeJS.ProcessEnv = {
       ...process.env,
       BACKEND_FUNCTIONS_BASE_URL: `http://${options.host || 'localhost'}:${bffTargetPort}`,

package/src/cli/commands/scaffold.ts

@@ -328,14 +328,18 @@ async function generateFunctionsCode(
   }
 
   if (backendLanguage === "csharp") {
-    const functionFilePath = path.join(
-      process.cwd(),
-      functionsDir,
-      "Crud",
-      `${modelInfo.name}Functions.cs`
-    );
-    fs.mkdirSync(path.dirname(functionFilePath), { recursive: true });
-    fs.writeFileSync(functionFilePath, generateCSharpAzureFunctionsCRUD(modelInfo), "utf-8");
+    const crudDir = path.join(process.cwd(), functionsDir, "Crud");
+    const functionFilePath = path.join(crudDir, `${modelInfo.name}Functions.cs`);
+    fs.mkdirSync(crudDir, { recursive: true });
+
+    // Remove init-generated template (singular) to avoid route conflicts
+    const templatePath = path.join(crudDir, `${modelInfo.name}Function.cs`);
+    if (fs.existsSync(templatePath)) {
+      fs.unlinkSync(templatePath);
+      console.log(`🗑️  Removed template: ${templatePath}`);
+    }
+
+    fs.writeFileSync(functionFilePath, generateCSharpAzureFunctionsCRUD(modelInfo, authPolicy), "utf-8");
     console.log(`✅ Created: ${functionFilePath}`);
     return;
   }
@@ -344,7 +348,7 @@ async function generateFunctionsCode(
   const blueprintPath = path.join(blueprintsDir, `${modelKebab.replace(/-/g, "_")}.py`);
   fs.mkdirSync(blueprintsDir, { recursive: true });
 
-  const { blueprint, registration } = generatePythonAzureFunctionsCRUD(modelInfo);
+  const { blueprint, registration } = generatePythonAzureFunctionsCRUD(modelInfo, authPolicy);
   fs.writeFileSync(blueprintPath, blueprint, "utf-8");
   updatePythonFunctionRegistrations(path.join(process.cwd(), functionsDir, "function_app.py"), registration);
   console.log(`✅ Created: ${blueprintPath}`);
@@ -767,6 +771,14 @@ function pruneGeneratedCSharpArtifacts(outputDir: string): void {
 
   const clientDir = path.join(outputDir, "src", "SwallowKitBackendModels", "Client");
   if (!fs.existsSync(clientDir)) {
+    // --global-property models ではClient/が生成されないため、
+    // モデルが依存する最小限の Option<T> を自前で作成する
+    fs.mkdirSync(clientDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(clientDir, "Option.cs"),
+      generateMinimalOptionCs(),
+      "utf-8"
+    );
     return;
   }
 
@@ -779,12 +791,59 @@ function pruneGeneratedCSharpArtifacts(outputDir: string): void {
   }
 }
 
+/**
+ * OpenAPI Generator の csharp テンプレートが生成するモデルは Option<T> に依存するが、
+ * supportingFiles を除外しているため Client/Option.cs が生成されない。
+ * Polly 等の不要な依存を避けつつモデルをコンパイル可能にするため、最小限の Option<T> を提供する。
+ */
+function generateMinimalOptionCs(): string {
+  return `// <auto-generated>
+// Minimal Option<T> for OpenAPI Generator model compatibility.
+// Full client supporting files are excluded to avoid Polly version conflicts.
+// </auto-generated>
+
+#nullable enable
+
+namespace SwallowKitBackendModels.Client
+{
+    /// <summary>
+    /// A wrapper for nullable/optional properties generated by OpenAPI Generator.
+    /// Tracks whether a value has been explicitly set (distinguishing null from absent).
+    /// </summary>
+    public readonly struct Option<TValue>
+    {
+        /// <summary>Whether this option has been explicitly set.</summary>
+        public bool IsSet { get; }
+
+        /// <summary>The contained value (may be default if not set).</summary>
+        public TValue Value { get; }
+
+        /// <summary>Create an Option with an explicit value.</summary>
+        public Option(TValue value)
+        {
+            IsSet = true;
+            Value = value;
+        }
+
+        /// <summary>Implicit conversion from Option to its inner value.</summary>
+        public static implicit operator TValue(Option<TValue> option) => option.Value;
+    }
+}
+`;
+}
+
 function updatePythonFunctionRegistrations(functionAppPath: string, registration: string): void {
   if (!fs.existsSync(functionAppPath)) {
     throw new Error(`Python Functions entrypoint not found: ${functionAppPath}`);
   }
 
   const content = fs.readFileSync(functionAppPath, "utf-8");
+
+  // Check if import line already exists (handles init-generated layout)
+  const importLine = registration.split("\n").find((l) => l.startsWith("from ") || l.startsWith("import "));
+  if (importLine && content.includes(importLine)) {
+    return;
+  }
   if (content.includes(registration)) {
     return;
   }

package/src/core/scaffold/auth-generator.ts

@@ -373,7 +373,7 @@ namespace Functions.Auth
         public async Task<HttpResponseData> Me(
             [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "auth/me")] HttpRequestData request)
         {
-            var (principal, errorResponse) = JwtHelper.Authorize(request);
+            var (principal, errorResponse) = await JwtHelper.Authorize(request);
             if (errorResponse != null) return errorResponse;
 
             var response = request.CreateResponse(System.Net.HttpStatusCode.OK);
@@ -400,7 +400,9 @@ namespace Functions.Auth
 
     public class LoginRequest
     {
+        [System.Text.Json.Serialization.JsonPropertyName("loginId")]
         public string LoginId { get; set; } = "";
+        [System.Text.Json.Serialization.JsonPropertyName("password")]
         public string Password { get; set; } = "";
     }
 }
@@ -417,6 +419,7 @@ using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
 using System.Text;
 using System.Text.Json;
+using System.Threading.Tasks;
 using Microsoft.Azure.Functions.Worker.Http;
 using Microsoft.IdentityModel.Tokens;
 
@@ -498,21 +501,21 @@ namespace Functions.Auth
             }
         }
 
-        public static (JwtPayload?, HttpResponseData?) Authorize(
+        public static async Task<(JwtPayload?, HttpResponseData?)> Authorize(
             HttpRequestData request, params string[] requiredRoles)
         {
             var payload = ValidateToken(request);
             if (payload == null)
             {
                 var unauthorized = request.CreateResponse(System.Net.HttpStatusCode.Unauthorized);
-                unauthorized.WriteAsJsonAsync(new { error = "Unauthorized" }).Wait();
+                await unauthorized.WriteAsJsonAsync(new { error = "Unauthorized" });
                 return (null, unauthorized);
             }
 
             if (requiredRoles.Length > 0 && !requiredRoles.Any(r => payload.Roles.Contains(r)))
             {
                 var forbidden = request.CreateResponse(System.Net.HttpStatusCode.Forbidden);
-                forbidden.WriteAsJsonAsync(new { error = "Forbidden" }).Wait();
+                await forbidden.WriteAsJsonAsync(new { error = "Forbidden" });
                 return (null, forbidden);
             }
 
@@ -765,9 +768,8 @@ export function generateBFFAuthLoginRoute(projectName: string, sharedPackageName
   return `import { NextRequest, NextResponse } from 'next/server';
 import { LoginRequest, LoginResponse } from '${sharedPackageName}';
 
-const FUNCTIONS_BASE_URL = process.env.BACKEND_FUNCTIONS_BASE_URL || process.env.FUNCTIONS_BASE_URL || 'http://localhost:7071';
-
 export async function POST(request: NextRequest) {
+  const FUNCTIONS_BASE_URL = process.env.BACKEND_FUNCTIONS_BASE_URL || process.env.FUNCTIONS_BASE_URL || 'http://localhost:7071';
   try {
     const body = await request.json();
     const validated = LoginRequest.parse(body);
@@ -818,9 +820,8 @@ export function generateBFFAuthMeRoute(sharedPackageName: string): string {
   return `import { NextResponse } from 'next/server';
 import { headers } from 'next/headers';
 
-const FUNCTIONS_BASE_URL = process.env.BACKEND_FUNCTIONS_BASE_URL || process.env.FUNCTIONS_BASE_URL || 'http://localhost:7071';
-
 export async function GET() {
+  const FUNCTIONS_BASE_URL = process.env.BACKEND_FUNCTIONS_BASE_URL || process.env.FUNCTIONS_BASE_URL || 'http://localhost:7071';
   try {
     const reqHeaders = await headers();
     const authorization = reqHeaders.get('authorization');
@@ -848,10 +849,10 @@ export async function GET() {
 }
 
 // ============================================================
-// 9. Next.js Middleware
+// 9. Next.js Proxy (formerly Middleware)
 // ============================================================
 
-export function generateMiddleware(projectName: string): string {
+export function generateProxy(projectName: string): string {
   const cookieName = projectName.replace(/^@[^/]+\//, '').replace(/[^a-z0-9-]/g, '-') + '-auth-token';
   return `import { NextResponse } from 'next/server';
 import type { NextRequest } from 'next/server';
@@ -859,7 +860,7 @@ import type { NextRequest } from 'next/server';
 const AUTH_COOKIE_NAME = '${cookieName}';
 const PUBLIC_PATHS = ['/login', '/api/auth/login', '/api/auth/logout'];
 
-export function middleware(request: NextRequest) {
+export function proxy(request: NextRequest) {
   const { pathname } = request.nextUrl;
 
   // 公開パス・静的アセットはスキップ
@@ -877,7 +878,7 @@ export function middleware(request: NextRequest) {
     return NextResponse.redirect(new URL('/login', request.url));
   }
 
-  // JWT 有効期限の簡易チェック（署名検証なし = Edge Runtime 互換）
+  // JWT 有効期限の簡易チェック（署名検証なし）
   try {
     const payload = JSON.parse(atob(token.split('.')[1]));
     if (payload.exp && payload.exp * 1000 < Date.now()) {
@@ -902,10 +903,6 @@ export function middleware(request: NextRequest) {
     request: { headers: requestHeaders },
   });
 }
-
-export const config = {
-  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
-};
 `;
 }
 
@@ -1164,7 +1161,7 @@ export async function callFunction<TInput = any, TOutput = any>(
     const url = functionsBaseUrl + path;
     console.log(\`[BFF] \${method} \${url}\`);
 
-    // Authorization ヘッダーの転送（Middleware が cookie → Authorization に変換済み）
+    // Authorization ヘッダーの転送（Proxy が cookie → Authorization に変換済み）
     const fetchHeaders: Record<string, string> = {
       'Content-Type': 'application/json',
     };
@@ -1262,10 +1259,10 @@ export function generateAuthGuardCSharp(policy: ModelAuthPolicy, operation: 'rea
 
   if (roles.length > 0) {
     const rolesStr = roles.map(r => `"${r}"`).join(', ');
-    return `            var (principal, errorResponse) = JwtHelper.Authorize(request, ${rolesStr});
+    return `            var (principal, errorResponse) = await JwtHelper.Authorize(request, ${rolesStr});
             if (errorResponse != null) return errorResponse;`;
   }
-  return `            var (principal, errorResponse) = JwtHelper.Authorize(request);
+  return `            var (principal, errorResponse) = await JwtHelper.Authorize(request);
             if (errorResponse != null) return errorResponse;`;
 }
 

package/src/core/scaffold/functions-generator.ts

@@ -6,7 +6,7 @@
 
 import { ModelInfo, toCamelCase, toKebabCase } from "./model-parser";
 import { ModelAuthPolicy } from "../../types";
-import { generateAuthImportTS, generateAuthGuardTS } from "./auth-generator";
+import { generateAuthImportTS, generateAuthGuardTS, generateAuthGuardCSharp, generateAuthGuardPython } from "./auth-generator";
 
 /**
  * Azure Functions エンティティファイルを生成（インラインハンドラー方式）
@@ -32,7 +32,7 @@ import { z } from 'zod/v4';
 import crypto from 'crypto';
 import { ${schemaName} } from '${sharedPackageName}';${authImport}
 
-const containerName = '${modelName}s';
+const containerName = '${modelName.endsWith('s') ? modelName : modelName + 's'}';
 
 // GET /api/${modelCamel} - 全件取得
 app.http('${modelCamel}-get-all', {
@@ -248,11 +248,16 @@ ${authCatchBlock}      context.error(\`Error deleting item from \${containerName
 `;
 }
 
-export function generateCSharpAzureFunctionsCRUD(model: ModelInfo): string {
+export function generateCSharpAzureFunctionsCRUD(model: ModelInfo, authPolicy?: ModelAuthPolicy): string {
   const modelName = model.name;
   const modelCamel = toCamelCase(modelName);
   const className = `${modelName}Functions`;
-  const containerName = `${modelName}s`;
+  const containerName = modelName.endsWith('s') ? modelName : `${modelName}s`;
+
+  const hasAuth = !!authPolicy;
+  const authUsing = hasAuth ? 'using Functions.Auth;\n' : '';
+  const readGuard = hasAuth ? `\n${generateAuthGuardCSharp(authPolicy!, 'read')}\n` : '';
+  const writeGuard = hasAuth ? `\n${generateAuthGuardCSharp(authPolicy!, 'write')}\n` : '';
 
   return `using System.Net;
 using System.Text;
@@ -263,7 +268,7 @@ using Microsoft.Azure.Cosmos;
 using Microsoft.Azure.Functions.Worker;
 using Microsoft.Azure.Functions.Worker.Http;
 using Microsoft.Extensions.Logging;
-
+${authUsing}
 namespace SwallowKit.Functions;
 
 public sealed class ${className}
@@ -376,7 +381,7 @@ public sealed class ${className}
         [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "${modelCamel}")] HttpRequestData request)
     {
         try
-        {
+        {${readGuard}
             using var client = CreateCosmosClient();
             var container = GetContainer(client);
             using var iterator = container.GetItemQueryStreamIterator("SELECT * FROM c");
@@ -418,7 +423,7 @@ public sealed class ${className}
         string id)
     {
         try
-        {
+        {${readGuard}
             using var client = CreateCosmosClient();
             var container = GetContainer(client);
             var item = await ReadCosmosItemAsync(container, id);
@@ -440,7 +445,7 @@ public sealed class ${className}
         [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "${modelCamel}")] HttpRequestData request)
     {
         try
-        {
+        {${writeGuard}
             var body = await ReadRequestBodyAsync(request);
             var now = DateTimeOffset.UtcNow.ToString("O");
             var id = body["id"]?.GetValue<string>() ?? Guid.NewGuid().ToString();
@@ -475,7 +480,7 @@ public sealed class ${className}
         string id)
     {
         try
-        {
+        {${writeGuard}
             using var client = CreateCosmosClient();
             var container = GetContainer(client);
 
@@ -520,7 +525,7 @@ public sealed class ${className}
         string id)
     {
         try
-        {
+        {${writeGuard}
             using var client = CreateCosmosClient();
             var container = GetContainer(client);
             await container.DeleteItemAsync<JsonObject>(id, new PartitionKey(id));
@@ -541,14 +546,23 @@ public sealed class ${className}
 `;
 }
 
-export function generatePythonAzureFunctionsCRUD(model: ModelInfo): {
+export function generatePythonAzureFunctionsCRUD(model: ModelInfo, authPolicy?: ModelAuthPolicy): {
   blueprint: string;
   registration: string;
 } {
   const modelName = model.name;
   const modelCamel = toCamelCase(modelName);
   const modelSnake = toKebabCase(modelName).replace(/-/g, "_");
-  const containerName = `${modelName}s`;
+  const containerName = modelName.endsWith('s') ? modelName : `${modelName}s`;
+
+  const hasAuth = !!authPolicy;
+  const authImport = hasAuth ? '\nfrom auth.jwt_helper import require_auth, require_roles, handle_auth_error\n' : '';
+  // generateAuthGuardPython outputs at 4-space indent; inside try: we need 8-space
+  const readGuardRaw = hasAuth ? generateAuthGuardPython(authPolicy!, 'read') : '';
+  const writeGuardRaw = hasAuth ? generateAuthGuardPython(authPolicy!, 'write') : '';
+  const readGuard = hasAuth ? '\n' + readGuardRaw.split('\n').map(l => '    ' + l).join('\n') : '';
+  const writeGuard = hasAuth ? '\n' + writeGuardRaw.split('\n').map(l => '    ' + l).join('\n') : '';
+  const authCatch = hasAuth ? `\n        auth_err = handle_auth_error(exc)\n        if auth_err:\n            return auth_err` : '';
 
   return {
     registration: `from blueprints.${modelSnake} import bp as ${modelSnake}_bp\napp.register_blueprint(${modelSnake}_bp)`,
@@ -561,7 +575,7 @@ import os
 import azure.functions as func
 from azure.cosmos import CosmosClient, exceptions
 from azure.identity import DefaultAzureCredential
-
+${authImport}
 bp = func.Blueprint()
 CONTAINER_NAME = "${containerName}"
 DATABASE_NAME = os.environ.get("COSMOS_DB_DATABASE_NAME", "AppDatabase")
@@ -603,7 +617,7 @@ def _build_managed_document(source: dict[str, Any], item_id: str, created_at: st
 
 @bp.route(route="${modelCamel}", methods=["GET"])
 def ${modelSnake}_get_all(req: func.HttpRequest) -> func.HttpResponse:
-    try:
+    try:${readGuard}
         container = _get_container()
         items = list(
             container.query_items(
@@ -612,26 +626,26 @@ def ${modelSnake}_get_all(req: func.HttpRequest) -> func.HttpResponse:
             )
         )
         return _json_response(items, 200)
-    except Exception as exc:
+    except Exception as exc:${authCatch}
         return _json_response({"error": "Failed to fetch items", "details": str(exc)}, 500)
 
 
 @bp.route(route="${modelCamel}/{id}", methods=["GET"])
 def ${modelSnake}_get_by_id(req: func.HttpRequest) -> func.HttpResponse:
     item_id = req.route_params.get("id")
-    try:
+    try:${readGuard}
         container = _get_container()
         item = container.read_item(item=item_id, partition_key=item_id)
         return _json_response(item, 200)
     except exceptions.CosmosResourceNotFoundError:
         return _json_response({"error": "${modelName} not found", "id": item_id}, 404)
-    except Exception as exc:
+    except Exception as exc:${authCatch}
         return _json_response({"error": "Failed to fetch item", "id": item_id, "details": str(exc)}, 500)
 
 
 @bp.route(route="${modelCamel}", methods=["POST"])
 def ${modelSnake}_create(req: func.HttpRequest) -> func.HttpResponse:
-    try:
+    try:${writeGuard}
         body = req.get_json()
         now = datetime.now(timezone.utc).isoformat()
         item_id = body.get("id") or str(uuid4())
@@ -642,14 +656,14 @@ def ${modelSnake}_create(req: func.HttpRequest) -> func.HttpResponse:
         return _json_response(payload, 201)
     except ValueError:
         return _json_response({"error": "Request body must be a JSON object."}, 400)
-    except Exception as exc:
+    except Exception as exc:${authCatch}
         return _json_response({"error": "Failed to create item", "details": str(exc)}, 500)
 
 
 @bp.route(route="${modelCamel}/{id}", methods=["PUT"])
 def ${modelSnake}_update(req: func.HttpRequest) -> func.HttpResponse:
     item_id = req.route_params.get("id")
-    try:
+    try:${writeGuard}
         container = _get_container()
         existing = container.read_item(item=item_id, partition_key=item_id)
         body = req.get_json()
@@ -665,20 +679,20 @@ def ${modelSnake}_update(req: func.HttpRequest) -> func.HttpResponse:
         return _json_response({"error": "${modelName} not found", "id": item_id}, 404)
     except ValueError:
         return _json_response({"error": "Request body must be a JSON object.", "id": item_id}, 400)
-    except Exception as exc:
+    except Exception as exc:${authCatch}
         return _json_response({"error": "Failed to update item", "id": item_id, "details": str(exc)}, 500)
 
 
 @bp.route(route="${modelCamel}/{id}", methods=["DELETE"])
 def ${modelSnake}_delete(req: func.HttpRequest) -> func.HttpResponse:
     item_id = req.route_params.get("id")
-    try:
+    try:${writeGuard}
         container = _get_container()
         container.delete_item(item=item_id, partition_key=item_id)
         return func.HttpResponse(status_code=204)
     except exceptions.CosmosResourceNotFoundError:
         return _json_response({"error": "${modelName} not found", "id": item_id}, 404)
-    except Exception as exc:
+    except Exception as exc:${authCatch}
         return _json_response({"error": "Failed to delete item", "id": item_id, "details": str(exc)}, 500)
 `,
   };

package/src/core/scaffold/model-parser.ts

@@ -410,6 +410,8 @@ async function extractFieldsFromSchema(modelPath: string, schemaName: string): P
     // コメントを削除
     modelContent = modelContent.replace(/\/\*[\s\S]*?\*\//g, '');
     modelContent = modelContent.replace(/\/\/.*/g, '');
+    // TypeScript の `as const` アサーションを削除（.mjs では構文エラーになる）
+    modelContent = modelContent.replace(/\s+as\s+const\b/g, '');
     
     // インライン化したローカルインポートを先頭に追加
     const inlinedDeps = localImports.length > 0 ? localImports.join('\n\n') + '\n\n' : '';