tjs-lang 0.7.7 → 0.7.8

package/src/rbac/index.ts

@@ -46,7 +46,7 @@ export {
   interpretRuleResult,
   hasRoleLevel,
   buildRuleContext,
-} from './rules.js'
+} from './rules.tjs'
 
 /**
  * Security rule definition
@@ -125,7 +125,7 @@ import {
   validateSchema,
   buildRuleContext,
   interpretRuleResult,
-} from './rules.js'
+} from './rules.tjs'
 
 /**
  * Create an RBAC instance with a store backend

package/src/rbac/rules.tjs.d.ts

@@ -0,0 +1,9 @@
+// Ambient declarations for rules.tjs. The bun plugin (bunfig.toml)
+// transpiles .tjs at runtime; tsc needs explicit names to resolve the
+// `from './rules.tjs'` imports in index.ts.
+export function evaluateAccessShortcut(accessRule: any, context: any): any
+export function selectAccessRule(rule: any, context: any): any
+export function validateSchema(schema: any, data: any): any
+export function interpretRuleResult(result: any): any
+export function hasRoleLevel(userRoles: any, requiredRole: any): any
+export function buildRuleContext(options: any): any

package/src/vm/atoms/batteries.ts

@@ -25,7 +25,7 @@ interface StoreBattery {
 interface LLMBattery {
   predict(
     system: string,
-    user: string,
+    user: string | any[], // string for single-turn, message array for multi-turn
     tools?: any[],
     responseFormat?: any
   ): Promise<any>
@@ -140,7 +140,7 @@ export const llmPredictBattery = defineAtom(
   'llmPredictBattery',
   s.object({
     system: s.string.optional,
-    user: s.string,
+    user: s.union([s.string, s.array(s.any)]), // string or message array for multi-turn
     tools: s.array(s.any).optional,
     responseFormat: s.any.optional,
   }),

package/src/vm/runtime.ts

@@ -451,7 +451,9 @@ export type ExprNode =
   | {
       $expr: 'member'
       object: ExprNode
-      property: string
+      // string for static `obj.foo` and literal-indexed `arr[0]`;
+      // ExprNode for variable-indexed `arr[i]` (evaluated at runtime).
+      property: string | ExprNode
       computed?: boolean
       optional?: boolean
     }
@@ -1132,8 +1134,12 @@ export function evaluateExpr(node: ExprNode, ctx: RuntimeContext): any {
         return undefined
       }
 
-      const prop = node.property
-      assertSafeProperty(prop)
+      // Property is either a static string or a computed expression node (e.g. arr[i])
+      const prop =
+        typeof node.property === 'object' && node.property !== null
+          ? evaluateExpr(node.property, ctx)
+          : node.property
+      assertSafeProperty(String(prop))
 
       return obj?.[prop]
     }
@@ -1524,6 +1530,7 @@ export const whileLoop = defineAtom(
       if ((ctx.fuel.current -= 0.1) <= 0) throw new Error('Out of Fuel')
       await seq.exec({ op: 'seq', steps: step.body } as any, ctx)
       if (ctx.output !== undefined) return
+      if (ctx.error) return // Propagate monadic errors out of the loop
     }
   },
   { docs: 'While Loop', timeoutMs: 0, cost: 0.1 }

package/dist/src/rbac/rules.d.ts

@@ -1,184 +0,0 @@
-export function evaluateAccessShortcut(accessRule: any, context: any): {
-    allowed: boolean;
-    reason: string;
-} | {
-    allowed: boolean;
-    reason?: undefined;
-} | null;
-export namespace evaluateAccessShortcut {
-    namespace __tjs {
-        namespace params {
-            namespace accessRule {
-                namespace type {
-                    let kind: string;
-                }
-                let required: boolean;
-            }
-            namespace context {
-                export namespace type_1 {
-                    let kind_1: string;
-                    export { kind_1 as kind };
-                }
-                export { type_1 as type };
-                let required_1: boolean;
-                export { required_1 as required };
-            }
-        }
-        let unsafe: boolean;
-        let source: string;
-    }
-}
-export function selectAccessRule(rule: any, context: any): any;
-export namespace selectAccessRule {
-    export namespace __tjs_1 {
-        export namespace params_1 {
-            export namespace rule {
-                export namespace type_2 {
-                    let kind_2: string;
-                    export { kind_2 as kind };
-                }
-                export { type_2 as type };
-                let required_2: boolean;
-                export { required_2 as required };
-            }
-            export namespace context_1 {
-                export namespace type_3 {
-                    let kind_3: string;
-                    export { kind_3 as kind };
-                }
-                export { type_3 as type };
-                let required_3: boolean;
-                export { required_3 as required };
-            }
-            export { context_1 as context };
-        }
-        export { params_1 as params };
-        let unsafe_1: boolean;
-        export { unsafe_1 as unsafe };
-        let source_1: string;
-        export { source_1 as source };
-    }
-    export { __tjs_1 as __tjs };
-}
-export function validateSchema(schema: any, data: any): {
-    valid: boolean;
-    errors: string[];
-};
-export namespace validateSchema {
-    export namespace __tjs_2 {
-        export namespace params_2 {
-            namespace schema {
-                export namespace type_4 {
-                    let kind_4: string;
-                    export { kind_4 as kind };
-                }
-                export { type_4 as type };
-                let required_4: boolean;
-                export { required_4 as required };
-            }
-            namespace data {
-                export namespace type_5 {
-                    let kind_5: string;
-                    export { kind_5 as kind };
-                }
-                export { type_5 as type };
-                let required_5: boolean;
-                export { required_5 as required };
-            }
-        }
-        export { params_2 as params };
-        let unsafe_2: boolean;
-        export { unsafe_2 as unsafe };
-        let source_2: string;
-        export { source_2 as source };
-    }
-    export { __tjs_2 as __tjs };
-}
-export function interpretRuleResult(result: any): {
-    allowed: boolean;
-    reason: any;
-};
-export namespace interpretRuleResult {
-    export namespace __tjs_3 {
-        export namespace params_3 {
-            namespace result {
-                export namespace type_6 {
-                    let kind_6: string;
-                    export { kind_6 as kind };
-                }
-                export { type_6 as type };
-                let required_6: boolean;
-                export { required_6 as required };
-            }
-        }
-        export { params_3 as params };
-        let unsafe_3: boolean;
-        export { unsafe_3 as unsafe };
-        let source_3: string;
-        export { source_3 as source };
-    }
-    export { __tjs_3 as __tjs };
-}
-export function hasRoleLevel(userRoles: any, requiredRole: any): boolean;
-export namespace hasRoleLevel {
-    export namespace __tjs_4 {
-        export namespace params_4 {
-            namespace userRoles {
-                export namespace type_7 {
-                    let kind_7: string;
-                    export { kind_7 as kind };
-                }
-                export { type_7 as type };
-                let required_7: boolean;
-                export { required_7 as required };
-            }
-            namespace requiredRole {
-                export namespace type_8 {
-                    let kind_8: string;
-                    export { kind_8 as kind };
-                }
-                export { type_8 as type };
-                let required_8: boolean;
-                export { required_8 as required };
-            }
-        }
-        export { params_4 as params };
-        let unsafe_4: boolean;
-        export { unsafe_4 as unsafe };
-        let source_4: string;
-        export { source_4 as source };
-    }
-    export { __tjs_4 as __tjs };
-}
-export function buildRuleContext(options: any): {
-    _uid: any;
-    _roles: any;
-    _isAdmin: any;
-    _isAuthor: any;
-    _method: any;
-    _collection: any;
-    _docId: any;
-    doc: any;
-    newData: any;
-};
-export namespace buildRuleContext {
-    export namespace __tjs_5 {
-        export namespace params_5 {
-            namespace options {
-                export namespace type_9 {
-                    let kind_9: string;
-                    export { kind_9 as kind };
-                }
-                export { type_9 as type };
-                let required_9: boolean;
-                export { required_9 as required };
-            }
-        }
-        export { params_5 as params };
-        let unsafe_5: boolean;
-        export { unsafe_5 as unsafe };
-        let source_5: string;
-        export { source_5 as source };
-    }
-    export { __tjs_5 as __tjs };
-}

package/src/rbac/rules.js

@@ -1,338 +0,0 @@
-/*#
-# RBAC Security Rules (Pure Logic)
-
-Pure security rule evaluation logic, independent of storage backend.
-This module contains no I/O - it only evaluates rules against contexts.
-
-## Rule Context
-- `_uid` - authenticated user ID (null if public)
-- `_roles` - array of user roles
-- `_method` - 'read' | 'write' | 'delete'
-- `_collection` - collection name
-- `_docId` - document ID
-- `doc` - existing document data (for read/write/delete)
-- `newData` - incoming data (for write only)
-
-## Rule Response
-- Return `true` to allow
-- Return `false` to deny
-- Return `{ allow: true/false, reason: string }` for detailed response
-*/
-
-/*#
-## Access Rule Shortcuts
-
-Evaluates simple access rule strings without AJS overhead.
-Returns { allowed: boolean, reason?: string } or null if not a shortcut.
-
-Shortcuts:
-- 'none' - deny all
-- 'all' - allow all
-- 'authenticated' - must be logged in
-- 'admin' - must have admin role
-- 'author' - must have author role
-- 'owner:fieldName' - doc[fieldName] === _uid
-- 'role:roleName' - _roles.includes(roleName)
-*/
-export function evaluateAccessShortcut(accessRule, context) {
-  if (typeof accessRule !== 'string') return null
-
-  const { _uid, _roles, doc, newData } = context
-
-  switch (accessRule) {
-    case 'none':
-      return { allowed: false, reason: 'Access denied' }
-
-    case 'all':
-      return { allowed: true }
-
-    case 'authenticated':
-      return _uid
-        ? { allowed: true }
-        : { allowed: false, reason: 'Authentication required' }
-
-    case 'admin':
-      return _roles?.includes('admin')
-        ? { allowed: true }
-        : { allowed: false, reason: 'Admin role required' }
-
-    case 'author':
-      return _roles?.includes('author')
-        ? { allowed: true }
-        : { allowed: false, reason: 'Author role required' }
-
-    default:
-      // owner:fieldName pattern
-      if (accessRule.startsWith('owner:')) {
-        const field = accessRule.slice(6)
-        const checkDoc = doc || newData
-        if (!_uid) {
-          return { allowed: false, reason: 'Authentication required' }
-        }
-        if (checkDoc && checkDoc[field] === _uid) {
-          return { allowed: true }
-        }
-        if (!doc && newData && newData[field] === _uid) {
-          return { allowed: true }
-        }
-        return { allowed: false, reason: `Must be owner (${field})` }
-      }
-
-      // role:roleName pattern
-      if (accessRule.startsWith('role:')) {
-        const role = accessRule.slice(5)
-        return _roles?.includes(role)
-          ? { allowed: true }
-          : { allowed: false, reason: `Role '${role}' required` }
-      }
-
-      return null // Not a recognized shortcut
-  }
-}
-evaluateAccessShortcut.__tjs = {
-  params: {
-    accessRule: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-    context: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-  },
-  unsafe: true,
-  source: 'rules.tjs:37',
-}
-
-/*#
-## Select Access Rule
-
-Determines which access rule to use based on the operation method.
-Supports granular rules (read/create/update/delete) with fallbacks.
-*/
-export function selectAccessRule(rule, context) {
-  const { _method, doc } = context
-
-  // Method-specific rules with fallbacks
-  if (_method === 'read' && rule.read !== undefined) {
-    return rule.read
-  }
-
-  if (_method === 'write') {
-    // Distinguish create vs update
-    if (!doc && rule.create !== undefined) {
-      return rule.create
-    }
-    if (doc && rule.update !== undefined) {
-      return rule.update
-    }
-    if (rule.write !== undefined) {
-      return rule.write
-    }
-  }
-
-  if (_method === 'delete' && rule.delete !== undefined) {
-    return rule.delete
-  }
-
-  // Fall back to code for backwards compatibility
-  return rule.code
-}
-selectAccessRule.__tjs = {
-  params: {
-    rule: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-    context: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-  },
-  unsafe: true,
-  source: 'rules.tjs:99',
-}
-
-/*#
-## Validate Schema
-
-Simple schema validation for write operations.
-Checks required fields and basic types.
-*/
-export function validateSchema(schema, data) {
-  const errors = []
-
-  if (!schema || typeof schema !== 'object') {
-    return { valid: true, errors: [] }
-  }
-
-  // Check required fields
-  if (schema.required && Array.isArray(schema.required)) {
-    for (const field of schema.required) {
-      if (data[field] === undefined || data[field] === null) {
-        errors.push(`Missing required field: ${field}`)
-      }
-    }
-  }
-
-  // Check field types
-  if (schema.properties && typeof schema.properties === 'object') {
-    for (const [field, spec] of Object.entries(schema.properties)) {
-      const value = data[field]
-      if (value === undefined) continue // Skip missing optional fields
-
-      const expectedType = spec.type
-      if (expectedType) {
-        const actualType = Array.isArray(value) ? 'array' : typeof value
-        if (actualType !== expectedType) {
-          errors.push(
-            `Field '${field}' expected ${expectedType}, got ${actualType}`
-          )
-        }
-      }
-    }
-  }
-
-  return {
-    valid: errors.length === 0,
-    errors,
-  }
-}
-validateSchema.__tjs = {
-  params: {
-    schema: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-    data: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-  },
-  unsafe: true,
-  source: 'rules.tjs:134',
-}
-
-/*#
-## Evaluate Rule Result
-
-Interprets the result of a rule evaluation (boolean, object, etc.)
-into a standardized { allowed, reason } format.
-*/
-export function interpretRuleResult(result) {
-  if (typeof result === 'boolean') {
-    return { allowed: result, reason: result ? null : 'Access denied' }
-  }
-
-  if (typeof result === 'object' && result !== null) {
-    return {
-      allowed: !!result.allow,
-      reason: result.reason || (result.allow ? null : 'Access denied'),
-    }
-  }
-
-  // Truthy/falsy fallback
-  return { allowed: !!result, reason: result ? null : 'Access denied' }
-}
-interpretRuleResult.__tjs = {
-  params: {
-    result: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-  },
-  unsafe: true,
-  source: 'rules.tjs:178',
-}
-
-/*#
-## Check Role Hierarchy
-
-Evaluates if a user has sufficient role level.
-Role hierarchy: admin > author > user > guest
-*/
-const ROLE_LEVELS = {
-  admin: 100,
-  author: 50,
-  editor: 40,
-  user: 10,
-  guest: 0,
-}
-
-export function hasRoleLevel(userRoles, requiredRole) {
-  const requiredLevel = ROLE_LEVELS[requiredRole] ?? 0
-
-  for (const role of userRoles || []) {
-    const level = ROLE_LEVELS[role] ?? 0
-    if (level >= requiredLevel) {
-      return true
-    }
-  }
-
-  return false
-}
-hasRoleLevel.__tjs = {
-  params: {
-    userRoles: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-    requiredRole: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-  },
-  unsafe: true,
-  source: 'rules.tjs:208',
-}
-
-/*#
-## Build Rule Context
-
-Creates the evaluation context for a security rule.
-*/
-export function buildRuleContext(options) {
-  const { uid, roles, method, collection, docId, doc, newData } = options
-
-  return {
-    _uid: uid || null,
-    _roles: roles || [],
-    _isAdmin: roles?.includes('admin') || false,
-    _isAuthor: roles?.includes('author') || false,
-    _method: method,
-    _collection: collection,
-    _docId: docId,
-    doc: doc || null,
-    newData: newData || null,
-  }
-}
-buildRuleContext.__tjs = {
-  params: {
-    options: {
-      type: {
-        kind: 'any',
-      },
-      required: false,
-    },
-  },
-  unsafe: true,
-  source: 'rules.tjs:226',
-}