tova 0.4.7 → 0.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tova",
-  "version": "0.4.7",
+  "version": "0.5.0",
   "description": "Tova — a modern programming language that transpiles to JavaScript, unifying frontend and backend",
   "type": "module",
   "main": "src/index.js",

package/src/analyzer/analyzer.js

@@ -338,6 +338,9 @@ export class Analyzer {
 
     this.visitProgram(this.ast);
 
+    // Cross-block security validation (after all blocks are visited)
+    this._validateSecurityCrossBlock();
+
     // Check for unused variables/imports (#9)
     this._collectAllScopes(this.globalScope);
     this._checkUnusedSymbols();
@@ -788,6 +791,16 @@ export class Analyzer {
       case 'GuardStatement': return this.visitGuardStatement(node);
       case 'InterfaceDeclaration': return this.visitInterfaceDeclaration(node);
       case 'DataBlock': return this.visitDataBlock(node);
+      case 'SecurityBlock': return this.visitSecurityBlock(node);
+      case 'SecurityAuthDeclaration': return;
+      case 'SecurityRoleDeclaration': return;
+      case 'SecurityProtectDeclaration': return;
+      case 'SecuritySensitiveDeclaration': return;
+      case 'SecurityCorsDeclaration': return;
+      case 'SecurityCspDeclaration': return;
+      case 'SecurityRateLimitDeclaration': return;
+      case 'SecurityCsrfDeclaration': return;
+      case 'SecurityAuditDeclaration': return;
       case 'SourceDeclaration': return;
       case 'PipelineDeclaration': return;
       case 'ValidateBlock': return;
@@ -991,6 +1004,261 @@ export class Analyzer {
     }
   }
 
+  visitSecurityBlock(node) {
+    // Per-block: only check for duplicate role names within this block
+    const localRoles = new Set();
+    for (const stmt of node.body) {
+      if (stmt.type === 'SecurityRoleDeclaration') {
+        if (localRoles.has(stmt.name)) {
+          this.warnings.push({
+            message: `Duplicate role definition: '${stmt.name}'`,
+            loc: stmt.loc,
+            code: 'W_DUPLICATE_ROLE',
+          });
+        }
+        localRoles.add(stmt.name);
+      }
+    }
+  }
+
+  _validateSecurityCrossBlock() {
+    // Collect ALL security declarations across ALL security blocks in the AST
+    const allRoles = new Set();
+    const allProtects = [];
+    const allSensitives = [];
+    let hasAuth = false;
+    let hasProtect = false;
+    let authDecl = null;
+    let corsDecl = null;
+    let rateLimitDecl = null;
+    let csrfDecl = null;
+
+    const roleDecls = []; // track all role declarations for cross-block duplicate detection
+    for (const node of this.ast.body) {
+      if (node.type !== 'SecurityBlock') continue;
+      for (const stmt of node.body) {
+        if (stmt.type === 'SecurityRoleDeclaration') {
+          roleDecls.push(stmt);
+          allRoles.add(stmt.name);
+        } else if (stmt.type === 'SecurityProtectDeclaration') {
+          allProtects.push(stmt);
+          hasProtect = true;
+        } else if (stmt.type === 'SecuritySensitiveDeclaration') {
+          allSensitives.push(stmt);
+        } else if (stmt.type === 'SecurityAuthDeclaration') {
+          hasAuth = true;
+          authDecl = stmt;
+        } else if (stmt.type === 'SecurityCorsDeclaration') {
+          corsDecl = stmt;
+        } else if (stmt.type === 'SecurityRateLimitDeclaration') {
+          rateLimitDecl = stmt;
+        } else if (stmt.type === 'SecurityCsrfDeclaration') {
+          csrfDecl = stmt;
+        }
+      }
+    }
+
+    // W_DUPLICATE_ROLE across blocks: detect roles with same name in different security blocks
+    const seenRoleNames = new Map(); // name -> first declaration
+    for (const decl of roleDecls) {
+      const prev = seenRoleNames.get(decl.name);
+      if (prev && prev.loc !== decl.loc) {
+        // Only warn if this is from a different block (same-block dupes handled by visitSecurityBlock)
+        const prevInSameBlock = this.ast.body.some(b =>
+          b.type === 'SecurityBlock' && b.body.includes(prev) && b.body.includes(decl)
+        );
+        if (!prevInSameBlock) {
+          this.warnings.push({
+            message: `Role '${decl.name}' is defined in multiple security blocks — later definition overwrites earlier one`,
+            loc: decl.loc,
+            code: 'W_DUPLICATE_ROLE',
+          });
+        }
+      }
+      seenRoleNames.set(decl.name, decl);
+    }
+
+    // W_UNKNOWN_AUTH_TYPE — validate auth type is a known value
+    if (authDecl && authDecl.authType) {
+      const validAuthTypes = ['jwt', 'api_key'];
+      if (!validAuthTypes.includes(authDecl.authType)) {
+        this.warnings.push({
+          message: `Unknown auth type '${authDecl.authType}' — supported types are: ${validAuthTypes.join(', ')}`,
+          loc: authDecl.loc,
+          code: 'W_UNKNOWN_AUTH_TYPE',
+        });
+      }
+    }
+
+    // Fix 2: W_HARDCODED_SECRET — warn if auth secret is a string literal
+    if (authDecl && authDecl.config.secret) {
+      const secretNode = authDecl.config.secret;
+      if (secretNode.type === 'StringLiteral') {
+        this.warnings.push({
+          message: 'Auth secret is hardcoded as a string literal — use env("SECRET_NAME") instead',
+          loc: authDecl.loc,
+          code: 'W_HARDCODED_SECRET',
+        });
+      }
+    }
+
+    // Fix 7: W_CORS_WILDCARD — warn if cors origins contains "*"
+    if (corsDecl && corsDecl.config.origins) {
+      const originsNode = corsDecl.config.origins;
+      if (originsNode.elements) {
+        for (const elem of originsNode.elements) {
+          if (elem.type === 'StringLiteral' && elem.value === '*') {
+            this.warnings.push({
+              message: 'CORS origins contains wildcard "*" — consider restricting to specific origins',
+              loc: corsDecl.loc,
+              code: 'W_CORS_WILDCARD',
+            });
+            break;
+          }
+        }
+      }
+    }
+
+    // W_INVALID_RATE_LIMIT — validate rate limit max/window are positive numbers
+    const _rlNumericValue = (node) => {
+      if (!node) return null;
+      if (node.type === 'NumberLiteral') return node.value;
+      if (node.type === 'UnaryExpression' && node.operator === '-' && node.operand && node.operand.type === 'NumberLiteral') return -node.operand.value;
+      return null;
+    };
+    if (rateLimitDecl && rateLimitDecl.config) {
+      const rlMaxVal = _rlNumericValue(rateLimitDecl.config.max);
+      const rlWindowVal = _rlNumericValue(rateLimitDecl.config.window);
+      if (rlMaxVal !== null && rlMaxVal <= 0) {
+        this.warnings.push({
+          message: `Rate limit max must be a positive number, got ${rlMaxVal}`,
+          loc: rateLimitDecl.loc,
+          code: 'W_INVALID_RATE_LIMIT',
+        });
+      }
+      if (rlWindowVal !== null && rlWindowVal <= 0) {
+        this.warnings.push({
+          message: `Rate limit window must be a positive number, got ${rlWindowVal}`,
+          loc: rateLimitDecl.loc,
+          code: 'W_INVALID_RATE_LIMIT',
+        });
+      }
+    }
+
+    // W_CSRF_DISABLED — warn when CSRF is explicitly disabled
+    if (csrfDecl && csrfDecl.config && csrfDecl.config.enabled) {
+      const enabledNode = csrfDecl.config.enabled;
+      if ((enabledNode.type === 'BooleanLiteral' && enabledNode.value === false) ||
+          (enabledNode.type === 'Identifier' && enabledNode.name === 'false')) {
+        this.warnings.push({
+          message: 'CSRF protection is explicitly disabled — this increases vulnerability to cross-site request forgery attacks',
+          loc: csrfDecl.loc,
+          code: 'W_CSRF_DISABLED',
+        });
+      }
+    }
+
+    // W_LOCALSTORAGE_TOKEN — warn when auth uses default localStorage storage (XSS-vulnerable)
+    if (authDecl && authDecl.authType === 'jwt') {
+      const storageNode = authDecl.config.storage;
+      const isCookieAuth = storageNode && storageNode.type === 'StringLiteral' && storageNode.value === 'cookie';
+      if (!isCookieAuth) {
+        this.warnings.push({
+          message: 'Auth tokens stored in localStorage are vulnerable to XSS attacks — consider using storage: "cookie" for HttpOnly cookie storage',
+          loc: authDecl.loc,
+          code: 'W_LOCALSTORAGE_TOKEN',
+        });
+      }
+    }
+
+    // Fix 5: W_INMEMORY_RATELIMIT — warn that rate limiting is in-memory only
+    if (rateLimitDecl) {
+      this.warnings.push({
+        message: 'Rate limiting uses in-memory storage — not shared across server instances. Consider an external store for production multi-instance deployments',
+        loc: rateLimitDecl.loc,
+        code: 'W_INMEMORY_RATELIMIT',
+      });
+    }
+
+    // Fix 6: W_NO_AUTH_RATELIMIT — warn when auth exists but no rate limiting protects against brute-force
+    if (hasAuth && !rateLimitDecl) {
+      const hasAuthRateLimit = allProtects.some(p => p.config && p.config.rate_limit);
+      if (!hasAuthRateLimit) {
+        this.warnings.push({
+          message: 'Auth is configured without rate limiting — consider adding rate_limit to protect against brute-force attacks',
+          loc: authDecl.loc,
+          code: 'W_NO_AUTH_RATELIMIT',
+        });
+      }
+    }
+
+    // Fix 7: W_HASH_NOT_ENFORCED — warn when sensitive declares hash but it's not auto-enforced
+    for (const s of allSensitives) {
+      if (s.config && s.config.hash) {
+        const hashVal = s.config.hash.value || s.config.hash;
+        this.warnings.push({
+          message: `sensitive ${s.typeName}.${s.fieldName} declares hash: "${hashVal}" but hashing is not automatically enforced — use hash_password() in your write handlers`,
+          loc: s.loc,
+          code: 'W_HASH_NOT_ENFORCED',
+        });
+      }
+    }
+
+    // No security blocks → nothing to validate (but allow auth/cors checks above)
+    if (!hasProtect && allSensitives.length === 0) return;
+
+    // W_PROTECT_WITHOUT_AUTH: protect rules exist but no auth configured
+    if (hasProtect && !hasAuth) {
+      // Find first protect for location
+      this.warnings.push({
+        message: 'Route protection rules exist but no auth is configured — all protected routes will be inaccessible',
+        loc: allProtects[0].loc,
+        code: 'W_PROTECT_WITHOUT_AUTH',
+      });
+    }
+
+    // W_UNDEFINED_ROLE: protect rules reference roles not defined anywhere
+    for (const protect of allProtects) {
+      const requireExpr = protect.config.require;
+      if (!requireExpr) {
+        // W_PROTECT_NO_REQUIRE: protect rule has no require key
+        this.warnings.push({
+          message: `Protect rule for "${protect.pattern}" has no 'require' — route is unprotected`,
+          loc: protect.loc,
+          code: 'W_PROTECT_NO_REQUIRE',
+        });
+        continue;
+      }
+      if (requireExpr.type === 'Identifier' && requireExpr.name !== 'authenticated') {
+        if (!allRoles.has(requireExpr.name)) {
+          this.warnings.push({
+            message: `Protect rule references undefined role '${requireExpr.name}'`,
+            loc: protect.loc,
+            code: 'W_UNDEFINED_ROLE',
+          });
+        }
+      }
+    }
+
+    // W_UNDEFINED_ROLE: sensitive visible_to references roles not defined anywhere
+    for (const sensitive of allSensitives) {
+      const visibleTo = sensitive.config.visible_to;
+      if (visibleTo && (visibleTo.type === 'ArrayExpression' || visibleTo.type === 'ArrayLiteral')) {
+        for (const elem of visibleTo.elements) {
+          if (elem.type === 'Identifier' && elem.name !== 'self') {
+            if (!allRoles.has(elem.name)) {
+              this.warnings.push({
+                message: `Sensitive field '${sensitive.typeName}.${sensitive.fieldName}' visible_to references undefined role '${elem.name}'`,
+                loc: sensitive.loc,
+                code: 'W_UNDEFINED_ROLE',
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
   // visitClientBlock and other client visitors are in client-analyzer.js (lazy-loaded)
 
   visitSharedBlock(node) {

package/src/codegen/client-codegen.js

@@ -1,5 +1,6 @@
 import { BaseCodegen } from './base-codegen.js';
 import { getClientStdlib, buildSelectiveStdlib, RESULT_OPTION, PROPAGATE } from '../stdlib/inline.js';
+import { SecurityCodegen } from './security-codegen.js';
 
 export class ClientCodegen extends BaseCodegen {
   constructor() {
@@ -184,7 +185,7 @@ export class ClientCodegen extends BaseCodegen {
     return `${asyncPrefix}(${params}) => ${this.genExpression(node.body)}`;
   }
 
-  generate(clientBlocks, sharedCode, sharedBuiltins = null) {
+  generate(clientBlocks, sharedCode, sharedBuiltins = null, securityConfig = null) {
     this._sharedBuiltins = sharedBuiltins || new Set();
     const lines = [];
 
@@ -238,6 +239,16 @@ export class ClientCodegen extends BaseCodegen {
     lines.push('});');
     lines.push('');
 
+    // Security block: auth token injection and role helpers
+    if (securityConfig) {
+      const secGen = new SecurityCodegen();
+      const clientSecurity = secGen.generateClientSecurity(securityConfig);
+      if (clientSecurity.trim()) {
+        lines.push(clientSecurity);
+        lines.push('');
+      }
+    }
+
     const states = [];
     const computeds = [];
     const effects = [];

package/src/codegen/codegen.js

@@ -6,6 +6,7 @@ import { SharedCodegen } from './shared-codegen.js';
 import { BUILTIN_NAMES } from '../stdlib/inline.js';
 import { ServerCodegen } from './server-codegen.js';
 import { ClientCodegen } from './client-codegen.js';
+import { SecurityCodegen } from './security-codegen.js';
 
 function getServerCodegen() {
   return ServerCodegen;
@@ -42,6 +43,7 @@ export class CodeGenerator {
     const testBlocks = [];
     const benchBlocks = [];
     const dataBlocks = [];
+    const securityBlocks = [];
 
     for (const node of this.ast.body) {
       switch (node.type) {
@@ -51,6 +53,7 @@ export class CodeGenerator {
         case 'TestBlock': testBlocks.push(node); break;
         case 'BenchBlock': benchBlocks.push(node); break;
         case 'DataBlock': dataBlocks.push(node); break;
+        case 'SecurityBlock': securityBlocks.push(node); break;
         default: topLevel.push(node); break;
       }
     }
@@ -59,6 +62,7 @@ export class CodeGenerator {
     const isModule = sharedBlocks.length === 0 && serverBlocks.length === 0
       && clientBlocks.length === 0 && testBlocks.length === 0
       && benchBlocks.length === 0 && dataBlocks.length === 0
+      && securityBlocks.length === 0
       && topLevel.length > 0;
 
     if (isModule) {
@@ -127,6 +131,11 @@ export class CodeGenerator {
       }
     }
 
+    // Merge security blocks into a single config
+    const securityConfig = securityBlocks.length > 0
+      ? SecurityCodegen.mergeSecurityBlocks(securityBlocks)
+      : null;
+
     // Generate server outputs (one per named group)
     const servers = {};
     for (const [name, blocks] of serverGroups) {
@@ -143,7 +152,7 @@ export class CodeGenerator {
           }
         }
       }
-      servers[key] = gen.generate(blocks, combinedShared, name, peerBlocks, sharedBlocks);
+      servers[key] = gen.generate(blocks, combinedShared, name, peerBlocks, sharedBlocks, securityConfig);
     }
 
     // Generate client outputs (one per named group)
@@ -152,7 +161,7 @@ export class CodeGenerator {
       const gen = new (getClientCodegen())();
       gen._sourceMapsEnabled = this._sourceMaps;
       const key = name || 'default';
-      clients[key] = gen.generate(blocks, combinedShared, sharedGen._usedBuiltins);
+      clients[key] = gen.generate(blocks, combinedShared, sharedGen._usedBuiltins, securityConfig);
     }
 
     // Generate tests if test blocks exist