tova 0.4.6 → 0.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tova",
-  "version": "0.4.6",
+  "version": "0.5.0",
   "description": "Tova — a modern programming language that transpiles to JavaScript, unifying frontend and backend",
   "type": "module",
   "main": "src/index.js",
@@ -37,5 +37,17 @@
   },
   "author": "Enoch Kujem Abassey",
   "keywords": ["language", "transpiler", "fullstack", "javascript"],
-  "license": "MIT"
+  "license": "MIT",
+  "devDependencies": {
+    "@codemirror/autocomplete": "^6.20.0",
+    "@codemirror/commands": "^6.10.2",
+    "@codemirror/language": "^6.12.1",
+    "@codemirror/lint": "^6.9.4",
+    "@codemirror/search": "^6.6.0",
+    "@codemirror/state": "^6.5.4",
+    "@codemirror/theme-one-dark": "^6.1.3",
+    "@codemirror/view": "^6.39.15",
+    "@lezer/highlight": "^1.2.3",
+    "codemirror": "^6.0.2"
+  }
 }

package/src/analyzer/analyzer.js

@@ -338,6 +338,9 @@ export class Analyzer {
 
     this.visitProgram(this.ast);
 
+    // Cross-block security validation (after all blocks are visited)
+    this._validateSecurityCrossBlock();
+
     // Check for unused variables/imports (#9)
     this._collectAllScopes(this.globalScope);
     this._checkUnusedSymbols();
@@ -788,6 +791,16 @@ export class Analyzer {
       case 'GuardStatement': return this.visitGuardStatement(node);
       case 'InterfaceDeclaration': return this.visitInterfaceDeclaration(node);
       case 'DataBlock': return this.visitDataBlock(node);
+      case 'SecurityBlock': return this.visitSecurityBlock(node);
+      case 'SecurityAuthDeclaration': return;
+      case 'SecurityRoleDeclaration': return;
+      case 'SecurityProtectDeclaration': return;
+      case 'SecuritySensitiveDeclaration': return;
+      case 'SecurityCorsDeclaration': return;
+      case 'SecurityCspDeclaration': return;
+      case 'SecurityRateLimitDeclaration': return;
+      case 'SecurityCsrfDeclaration': return;
+      case 'SecurityAuditDeclaration': return;
       case 'SourceDeclaration': return;
       case 'PipelineDeclaration': return;
       case 'ValidateBlock': return;
@@ -991,6 +1004,261 @@ export class Analyzer {
     }
   }
 
+  visitSecurityBlock(node) {
+    // Per-block: only check for duplicate role names within this block
+    const localRoles = new Set();
+    for (const stmt of node.body) {
+      if (stmt.type === 'SecurityRoleDeclaration') {
+        if (localRoles.has(stmt.name)) {
+          this.warnings.push({
+            message: `Duplicate role definition: '${stmt.name}'`,
+            loc: stmt.loc,
+            code: 'W_DUPLICATE_ROLE',
+          });
+        }
+        localRoles.add(stmt.name);
+      }
+    }
+  }
+
+  _validateSecurityCrossBlock() {
+    // Collect ALL security declarations across ALL security blocks in the AST
+    const allRoles = new Set();
+    const allProtects = [];
+    const allSensitives = [];
+    let hasAuth = false;
+    let hasProtect = false;
+    let authDecl = null;
+    let corsDecl = null;
+    let rateLimitDecl = null;
+    let csrfDecl = null;
+
+    const roleDecls = []; // track all role declarations for cross-block duplicate detection
+    for (const node of this.ast.body) {
+      if (node.type !== 'SecurityBlock') continue;
+      for (const stmt of node.body) {
+        if (stmt.type === 'SecurityRoleDeclaration') {
+          roleDecls.push(stmt);
+          allRoles.add(stmt.name);
+        } else if (stmt.type === 'SecurityProtectDeclaration') {
+          allProtects.push(stmt);
+          hasProtect = true;
+        } else if (stmt.type === 'SecuritySensitiveDeclaration') {
+          allSensitives.push(stmt);
+        } else if (stmt.type === 'SecurityAuthDeclaration') {
+          hasAuth = true;
+          authDecl = stmt;
+        } else if (stmt.type === 'SecurityCorsDeclaration') {
+          corsDecl = stmt;
+        } else if (stmt.type === 'SecurityRateLimitDeclaration') {
+          rateLimitDecl = stmt;
+        } else if (stmt.type === 'SecurityCsrfDeclaration') {
+          csrfDecl = stmt;
+        }
+      }
+    }
+
+    // W_DUPLICATE_ROLE across blocks: detect roles with same name in different security blocks
+    const seenRoleNames = new Map(); // name -> first declaration
+    for (const decl of roleDecls) {
+      const prev = seenRoleNames.get(decl.name);
+      if (prev && prev.loc !== decl.loc) {
+        // Only warn if this is from a different block (same-block dupes handled by visitSecurityBlock)
+        const prevInSameBlock = this.ast.body.some(b =>
+          b.type === 'SecurityBlock' && b.body.includes(prev) && b.body.includes(decl)
+        );
+        if (!prevInSameBlock) {
+          this.warnings.push({
+            message: `Role '${decl.name}' is defined in multiple security blocks — later definition overwrites earlier one`,
+            loc: decl.loc,
+            code: 'W_DUPLICATE_ROLE',
+          });
+        }
+      }
+      seenRoleNames.set(decl.name, decl);
+    }
+
+    // W_UNKNOWN_AUTH_TYPE — validate auth type is a known value
+    if (authDecl && authDecl.authType) {
+      const validAuthTypes = ['jwt', 'api_key'];
+      if (!validAuthTypes.includes(authDecl.authType)) {
+        this.warnings.push({
+          message: `Unknown auth type '${authDecl.authType}' — supported types are: ${validAuthTypes.join(', ')}`,
+          loc: authDecl.loc,
+          code: 'W_UNKNOWN_AUTH_TYPE',
+        });
+      }
+    }
+
+    // Fix 2: W_HARDCODED_SECRET — warn if auth secret is a string literal
+    if (authDecl && authDecl.config.secret) {
+      const secretNode = authDecl.config.secret;
+      if (secretNode.type === 'StringLiteral') {
+        this.warnings.push({
+          message: 'Auth secret is hardcoded as a string literal — use env("SECRET_NAME") instead',
+          loc: authDecl.loc,
+          code: 'W_HARDCODED_SECRET',
+        });
+      }
+    }
+
+    // Fix 7: W_CORS_WILDCARD — warn if cors origins contains "*"
+    if (corsDecl && corsDecl.config.origins) {
+      const originsNode = corsDecl.config.origins;
+      if (originsNode.elements) {
+        for (const elem of originsNode.elements) {
+          if (elem.type === 'StringLiteral' && elem.value === '*') {
+            this.warnings.push({
+              message: 'CORS origins contains wildcard "*" — consider restricting to specific origins',
+              loc: corsDecl.loc,
+              code: 'W_CORS_WILDCARD',
+            });
+            break;
+          }
+        }
+      }
+    }
+
+    // W_INVALID_RATE_LIMIT — validate rate limit max/window are positive numbers
+    const _rlNumericValue = (node) => {
+      if (!node) return null;
+      if (node.type === 'NumberLiteral') return node.value;
+      if (node.type === 'UnaryExpression' && node.operator === '-' && node.operand && node.operand.type === 'NumberLiteral') return -node.operand.value;
+      return null;
+    };
+    if (rateLimitDecl && rateLimitDecl.config) {
+      const rlMaxVal = _rlNumericValue(rateLimitDecl.config.max);
+      const rlWindowVal = _rlNumericValue(rateLimitDecl.config.window);
+      if (rlMaxVal !== null && rlMaxVal <= 0) {
+        this.warnings.push({
+          message: `Rate limit max must be a positive number, got ${rlMaxVal}`,
+          loc: rateLimitDecl.loc,
+          code: 'W_INVALID_RATE_LIMIT',
+        });
+      }
+      if (rlWindowVal !== null && rlWindowVal <= 0) {
+        this.warnings.push({
+          message: `Rate limit window must be a positive number, got ${rlWindowVal}`,
+          loc: rateLimitDecl.loc,
+          code: 'W_INVALID_RATE_LIMIT',
+        });
+      }
+    }
+
+    // W_CSRF_DISABLED — warn when CSRF is explicitly disabled
+    if (csrfDecl && csrfDecl.config && csrfDecl.config.enabled) {
+      const enabledNode = csrfDecl.config.enabled;
+      if ((enabledNode.type === 'BooleanLiteral' && enabledNode.value === false) ||
+          (enabledNode.type === 'Identifier' && enabledNode.name === 'false')) {
+        this.warnings.push({
+          message: 'CSRF protection is explicitly disabled — this increases vulnerability to cross-site request forgery attacks',
+          loc: csrfDecl.loc,
+          code: 'W_CSRF_DISABLED',
+        });
+      }
+    }
+
+    // W_LOCALSTORAGE_TOKEN — warn when auth uses default localStorage storage (XSS-vulnerable)
+    if (authDecl && authDecl.authType === 'jwt') {
+      const storageNode = authDecl.config.storage;
+      const isCookieAuth = storageNode && storageNode.type === 'StringLiteral' && storageNode.value === 'cookie';
+      if (!isCookieAuth) {
+        this.warnings.push({
+          message: 'Auth tokens stored in localStorage are vulnerable to XSS attacks — consider using storage: "cookie" for HttpOnly cookie storage',
+          loc: authDecl.loc,
+          code: 'W_LOCALSTORAGE_TOKEN',
+        });
+      }
+    }
+
+    // Fix 5: W_INMEMORY_RATELIMIT — warn that rate limiting is in-memory only
+    if (rateLimitDecl) {
+      this.warnings.push({
+        message: 'Rate limiting uses in-memory storage — not shared across server instances. Consider an external store for production multi-instance deployments',
+        loc: rateLimitDecl.loc,
+        code: 'W_INMEMORY_RATELIMIT',
+      });
+    }
+
+    // Fix 6: W_NO_AUTH_RATELIMIT — warn when auth exists but no rate limiting protects against brute-force
+    if (hasAuth && !rateLimitDecl) {
+      const hasAuthRateLimit = allProtects.some(p => p.config && p.config.rate_limit);
+      if (!hasAuthRateLimit) {
+        this.warnings.push({
+          message: 'Auth is configured without rate limiting — consider adding rate_limit to protect against brute-force attacks',
+          loc: authDecl.loc,
+          code: 'W_NO_AUTH_RATELIMIT',
+        });
+      }
+    }
+
+    // Fix 7: W_HASH_NOT_ENFORCED — warn when sensitive declares hash but it's not auto-enforced
+    for (const s of allSensitives) {
+      if (s.config && s.config.hash) {
+        const hashVal = s.config.hash.value || s.config.hash;
+        this.warnings.push({
+          message: `sensitive ${s.typeName}.${s.fieldName} declares hash: "${hashVal}" but hashing is not automatically enforced — use hash_password() in your write handlers`,
+          loc: s.loc,
+          code: 'W_HASH_NOT_ENFORCED',
+        });
+      }
+    }
+
+    // No security blocks → nothing to validate (but allow auth/cors checks above)
+    if (!hasProtect && allSensitives.length === 0) return;
+
+    // W_PROTECT_WITHOUT_AUTH: protect rules exist but no auth configured
+    if (hasProtect && !hasAuth) {
+      // Find first protect for location
+      this.warnings.push({
+        message: 'Route protection rules exist but no auth is configured — all protected routes will be inaccessible',
+        loc: allProtects[0].loc,
+        code: 'W_PROTECT_WITHOUT_AUTH',
+      });
+    }
+
+    // W_UNDEFINED_ROLE: protect rules reference roles not defined anywhere
+    for (const protect of allProtects) {
+      const requireExpr = protect.config.require;
+      if (!requireExpr) {
+        // W_PROTECT_NO_REQUIRE: protect rule has no require key
+        this.warnings.push({
+          message: `Protect rule for "${protect.pattern}" has no 'require' — route is unprotected`,
+          loc: protect.loc,
+          code: 'W_PROTECT_NO_REQUIRE',
+        });
+        continue;
+      }
+      if (requireExpr.type === 'Identifier' && requireExpr.name !== 'authenticated') {
+        if (!allRoles.has(requireExpr.name)) {
+          this.warnings.push({
+            message: `Protect rule references undefined role '${requireExpr.name}'`,
+            loc: protect.loc,
+            code: 'W_UNDEFINED_ROLE',
+          });
+        }
+      }
+    }
+
+    // W_UNDEFINED_ROLE: sensitive visible_to references roles not defined anywhere
+    for (const sensitive of allSensitives) {
+      const visibleTo = sensitive.config.visible_to;
+      if (visibleTo && (visibleTo.type === 'ArrayExpression' || visibleTo.type === 'ArrayLiteral')) {
+        for (const elem of visibleTo.elements) {
+          if (elem.type === 'Identifier' && elem.name !== 'self') {
+            if (!allRoles.has(elem.name)) {
+              this.warnings.push({
+                message: `Sensitive field '${sensitive.typeName}.${sensitive.fieldName}' visible_to references undefined role '${elem.name}'`,
+                loc: sensitive.loc,
+                code: 'W_UNDEFINED_ROLE',
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
   // visitClientBlock and other client visitors are in client-analyzer.js (lazy-loaded)
 
   visitSharedBlock(node) {
@@ -2547,11 +2815,13 @@ export class Analyzer {
     if (typeName) {
       const existingImpls = this.typeRegistry.impls.get(typeName) || [];
       for (const method of node.methods) {
+        const hasSelf = (method.params || []).some(p => p.name === 'self');
         existingImpls.push({
           name: method.name,
           params: (method.params || []).map(p => p.name),
           paramTypes: (method.params || []).map(p => typeAnnotationToType(p.typeAnnotation)),
           returnType: typeAnnotationToType(method.returnType),
+          isAssociated: !hasSelf,
         });
       }
       this.typeRegistry.impls.set(typeName, existingImpls);
@@ -2583,13 +2853,16 @@ export class Analyzer {
 
     // Validate that methods reference the type
     for (const method of node.methods) {
+      const hasSelf = (method.params || []).some(p => p.name === 'self');
       this.pushScope('function');
       try {
-        // self is implicitly available
-        try {
-          this.currentScope.define('self',
-            new Symbol('self', 'variable', null, true, method.loc));
-        } catch (e) { /* ignore */ }
+        // self is only available for instance methods (not associated functions)
+        if (hasSelf) {
+          try {
+            this.currentScope.define('self',
+              new Symbol('self', 'variable', null, true, method.loc));
+          } catch (e) { /* ignore */ }
+        }
         for (const p of method.params) {
           if (p.name && p.name !== 'self') {
             try {

package/src/analyzer/type-registry.js

@@ -25,7 +25,7 @@ export class TypeRegistry {
 
   /**
    * Get all members (fields + impl methods) for a type name.
-   * Used for dot-completion.
+   * Used for dot-completion on instances.
    */
   getMembers(typeName) {
     const fields = new Map();
@@ -48,17 +48,36 @@ export class TypeRegistry {
       }
     }
 
-    // Get impl methods
+    // Get instance methods (methods with self)
     const implMethods = this.impls.get(typeName);
     if (implMethods) {
       for (const method of implMethods) {
-        methods.push(method);
+        if (!method.isAssociated) {
+          methods.push(method);
+        }
       }
     }
 
     return { fields, methods };
   }
 
+  /**
+   * Get associated functions for a type name (functions without self).
+   * Used for dot-completion on the type itself (e.g., Point.origin()).
+   */
+  getAssociatedFunctions(typeName) {
+    const functions = [];
+    const implMethods = this.impls.get(typeName);
+    if (implMethods) {
+      for (const method of implMethods) {
+        if (method.isAssociated) {
+          functions.push(method);
+        }
+      }
+    }
+    return functions;
+  }
+
   /**
    * Get variant names for a type (for match completion).
    */

package/src/codegen/base-codegen.js

@@ -2898,11 +2898,22 @@ export class BaseCodegen {
       }
       const body = this.genBlockBody(method.body);
       this.popScope();
-      const selfBinding = hasSelf ? `\n${this.i()}  const self = this;` : '';
-      if (hasPropagate) {
-        lines.push(`${this.i()}${node.typeName}.prototype.${method.name} = ${asyncPrefix}function(${paramStr}) {${selfBinding}\n${this.i()}  try {\n${body}\n${this.i()}  } catch (__e) {\n${this.i()}    if (__e && __e.__tova_propagate) return __e.value;\n${this.i()}    throw __e;\n${this.i()}  }\n${this.i()}};`);
+
+      if (hasSelf) {
+        // Instance method → prototype
+        const selfBinding = `\n${this.i()}  const self = this;`;
+        if (hasPropagate) {
+          lines.push(`${this.i()}${node.typeName}.prototype.${method.name} = ${asyncPrefix}function(${paramStr}) {${selfBinding}\n${this.i()}  try {\n${body}\n${this.i()}  } catch (__e) {\n${this.i()}    if (__e && __e.__tova_propagate) return __e.value;\n${this.i()}    throw __e;\n${this.i()}  }\n${this.i()}};`);
+        } else {
+          lines.push(`${this.i()}${node.typeName}.prototype.${method.name} = ${asyncPrefix}function(${paramStr}) {${selfBinding}\n${body}\n${this.i()}};`);
+        }
       } else {
-        lines.push(`${this.i()}${node.typeName}.prototype.${method.name} = ${asyncPrefix}function(${paramStr}) {${selfBinding}\n${body}\n${this.i()}};`);
+        // Associated function → constructor namespace (callable as Type.method())
+        if (hasPropagate) {
+          lines.push(`${this.i()}${node.typeName}.${method.name} = ${asyncPrefix}function(${paramStr}) {\n${this.i()}  try {\n${body}\n${this.i()}  } catch (__e) {\n${this.i()}    if (__e && __e.__tova_propagate) return __e.value;\n${this.i()}    throw __e;\n${this.i()}  }\n${this.i()}};`);
+        } else {
+          lines.push(`${this.i()}${node.typeName}.${method.name} = ${asyncPrefix}function(${paramStr}) {\n${body}\n${this.i()}};`);
+        }
       }
     }
     return lines.join('\n');

package/src/codegen/client-codegen.js

@@ -1,5 +1,6 @@
 import { BaseCodegen } from './base-codegen.js';
 import { getClientStdlib, buildSelectiveStdlib, RESULT_OPTION, PROPAGATE } from '../stdlib/inline.js';
+import { SecurityCodegen } from './security-codegen.js';
 
 export class ClientCodegen extends BaseCodegen {
   constructor() {
@@ -184,13 +185,14 @@ export class ClientCodegen extends BaseCodegen {
     return `${asyncPrefix}(${params}) => ${this.genExpression(node.body)}`;
   }
 
-  generate(clientBlocks, sharedCode, sharedBuiltins = null) {
+  generate(clientBlocks, sharedCode, sharedBuiltins = null, securityConfig = null) {
     this._sharedBuiltins = sharedBuiltins || new Set();
     const lines = [];
 
     // Runtime imports
-    lines.push(`import { createSignal, createEffect, createComputed, mount, hydrate, tova_el, tova_fragment, tova_keyed, tova_transition, tova_inject_css, batch, onMount, onUnmount, onCleanup, onBeforeUpdate, createRef, createContext, provide, inject, createErrorBoundary, ErrorBoundary, ErrorInfo, createRoot, watch, untrack, Dynamic, Portal, lazy, Suspense, __tova_action } from './runtime/reactivity.js';`);
-    lines.push(`import { rpc } from './runtime/rpc.js';`);
+    lines.push(`import { createSignal, createEffect, createComputed, mount, hydrate, tova_el, tova_fragment, tova_keyed, tova_transition, tova_inject_css, batch, onMount, onUnmount, onCleanup, onBeforeUpdate, createRef, createContext, provide, inject, createErrorBoundary, ErrorBoundary, ErrorInfo, createRoot, watch, untrack, Dynamic, Portal, lazy, Suspense, Head, createResource, __tova_action, TransitionGroup, createForm, configureCSP } from './runtime/reactivity.js';`);
+    lines.push(`import { rpc, configureRPC, addRPCInterceptor, setCSRFToken } from './runtime/rpc.js';`);
+    lines.push(`import { navigate, getCurrentRoute, getParams, getPath, getQuery, defineRoutes, onRouteChange, beforeNavigate, afterNavigate, Router, Outlet, Link, Redirect } from './runtime/router.js';`);
 
     // Hoist import lines from shared code to the top of the module
     let sharedRest = sharedCode;
@@ -237,6 +239,16 @@ export class ClientCodegen extends BaseCodegen {
     lines.push('});');
     lines.push('');
 
+    // Security block: auth token injection and role helpers
+    if (securityConfig) {
+      const secGen = new SecurityCodegen();
+      const clientSecurity = secGen.generateClientSecurity(securityConfig);
+      if (clientSecurity.trim()) {
+        lines.push(clientSecurity);
+        lines.push('');
+      }
+    }
+
     const states = [];
     const computeds = [];
     const effects = [];
@@ -394,14 +406,16 @@ export class ClientCodegen extends BaseCodegen {
     return p.join('');
   }
 
-  // Generate a short hash from component name + CSS content (for CSS scoping)
+  // Generate a scope hash from component name + CSS content (for CSS scoping)
+  // Uses FNV-1a for better distribution and 8-char output to reduce collision risk.
   _genScopeId(name, css) {
     const str = name + ':' + (css || '');
-    let h = 0;
+    let h = 0x811c9dc5; // FNV offset basis
     for (let i = 0; i < str.length; i++) {
-      h = ((h << 5) - h + str.charCodeAt(i)) | 0;
+      h ^= str.charCodeAt(i);
+      h = Math.imul(h, 0x01000193); // FNV prime
     }
-    return Math.abs(h).toString(36).slice(0, 6);
+    return (h >>> 0).toString(36).padStart(8, '0').slice(0, 8);
   }
 
   // Scope CSS selectors by appending [data-tova-HASH] to each selector

package/src/codegen/codegen.js

@@ -6,6 +6,7 @@ import { SharedCodegen } from './shared-codegen.js';
 import { BUILTIN_NAMES } from '../stdlib/inline.js';
 import { ServerCodegen } from './server-codegen.js';
 import { ClientCodegen } from './client-codegen.js';
+import { SecurityCodegen } from './security-codegen.js';
 
 function getServerCodegen() {
   return ServerCodegen;
@@ -42,6 +43,7 @@ export class CodeGenerator {
     const testBlocks = [];
     const benchBlocks = [];
     const dataBlocks = [];
+    const securityBlocks = [];
 
     for (const node of this.ast.body) {
       switch (node.type) {
@@ -51,6 +53,7 @@ export class CodeGenerator {
         case 'TestBlock': testBlocks.push(node); break;
         case 'BenchBlock': benchBlocks.push(node); break;
         case 'DataBlock': dataBlocks.push(node); break;
+        case 'SecurityBlock': securityBlocks.push(node); break;
         default: topLevel.push(node); break;
       }
     }
@@ -59,6 +62,7 @@ export class CodeGenerator {
     const isModule = sharedBlocks.length === 0 && serverBlocks.length === 0
       && clientBlocks.length === 0 && testBlocks.length === 0
       && benchBlocks.length === 0 && dataBlocks.length === 0
+      && securityBlocks.length === 0
       && topLevel.length > 0;
 
     if (isModule) {
@@ -127,6 +131,11 @@ export class CodeGenerator {
       }
     }
 
+    // Merge security blocks into a single config
+    const securityConfig = securityBlocks.length > 0
+      ? SecurityCodegen.mergeSecurityBlocks(securityBlocks)
+      : null;
+
     // Generate server outputs (one per named group)
     const servers = {};
     for (const [name, blocks] of serverGroups) {
@@ -143,7 +152,7 @@ export class CodeGenerator {
           }
         }
       }
-      servers[key] = gen.generate(blocks, combinedShared, name, peerBlocks, sharedBlocks);
+      servers[key] = gen.generate(blocks, combinedShared, name, peerBlocks, sharedBlocks, securityConfig);
     }
 
     // Generate client outputs (one per named group)
@@ -152,7 +161,7 @@ export class CodeGenerator {
       const gen = new (getClientCodegen())();
       gen._sourceMapsEnabled = this._sourceMaps;
       const key = name || 'default';
-      clients[key] = gen.generate(blocks, combinedShared, sharedGen._usedBuiltins);
+      clients[key] = gen.generate(blocks, combinedShared, sharedGen._usedBuiltins, securityConfig);
     }
 
     // Generate tests if test blocks exist
@@ -279,12 +288,13 @@ export class CodeGenerator {
           break;
         }
         case 'ValidateBlock': {
-          // Validate: validator function
+          // Validate: validator function — include rule expression in error for debuggability
           const rules = stmt.rules.map(r => gen.genExpression(r));
           lines.push(`function __validate_${stmt.typeName}(it) {`);
           lines.push(`  const errors = [];`);
           for (let i = 0; i < rules.length; i++) {
-            lines.push(`  if (!(${rules[i]})) errors.push("Validation rule ${i + 1} failed for ${stmt.typeName}");`);
+            const escapedRule = rules[i].replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+            lines.push(`  if (!(${rules[i]})) errors.push("Validation failed for ${stmt.typeName}: expected \`${escapedRule}\`");`);
           }
           lines.push(`  return errors.length === 0 ? { valid: true, errors: [] } : { valid: false, errors };`);
           lines.push(`}`);