tova 0.4.7 → 0.5.1

package/bin/tova.js

@@ -36,9 +36,9 @@ const color = {
 };
 
 const HELP = `
-  ╦  ╦ ╦═╗ ╦
-  ║  ║ ║ ║ ╠╣
-  ╩═╝╚═╝╩═╝╩  v${VERSION}
+  ╔╦╗╔═╗╦  ╦╔═╗
+   ║ ║ ║╚╗╔╝╠═╣
+   ╩ ╚═╝ ╚╝ ╩ ╩  v${VERSION}
 
   Created by Enoch Kujem Abassey
   A modern full-stack language that transpiles to JavaScript
@@ -601,6 +601,18 @@ async function runFile(filePath, options = {}) {
     const AsyncFunction = Object.getPrototypeOf(async function(){}).constructor;
     const stdlib = getRunStdlib();
 
+    // CLI mode: execute the cli code directly
+    if (output.isCli) {
+      let code = stdlib + '\n' + output.cli;
+      code = code.replace(/^export /gm, '');
+      // Override process.argv for cli dispatch
+      const scriptArgs = options.scriptArgs || [];
+      code = `process.argv = ["node", ${JSON.stringify(resolved)}, ...${JSON.stringify(scriptArgs)}];\n` + code;
+      const fn = new AsyncFunction('__tova_args', '__tova_filename', '__tova_dirname', code);
+      await fn(scriptArgs, resolved, dirname(resolved));
+      return;
+    }
+
     // Compile .tova dependencies and inline them
     let depCode = '';
     if (hasTovaImports) {
@@ -766,8 +778,29 @@ async function buildProject(args) {
       const outSubDir = dirname(join(outDir, outBaseName));
       if (outSubDir !== outDir) mkdirSync(outSubDir, { recursive: true });
 
+      // CLI files: write single executable <name>.js with shebang
+      if (output.isCli) {
+        if (output.cli && output.cli.trim()) {
+          const cliPath = join(outDir, `${outBaseName}.js`);
+          const shebang = '#!/usr/bin/env node\n';
+          writeFileSync(cliPath, shebang + output.cli);
+          try { chmodSync(cliPath, 0o755); } catch (e) { /* ignore on Windows */ }
+          if (!isQuiet) console.log(`  ✓ ${relLabel} → ${relative('.', cliPath)} [cli]${timing}`);
+        }
+        if (!noCache) {
+          const outputPaths = {};
+          if (output.cli && output.cli.trim()) outputPaths.cli = join(outDir, `${outBaseName}.js`);
+          if (single) {
+            const absFile = files[0];
+            const sourceContent = readFileSync(absFile, 'utf-8');
+            buildCache.set(absFile, sourceContent, outputPaths);
+          } else {
+            buildCache.setGroup(`dir:${dir}`, files, outputPaths);
+          }
+        }
+      }
       // Module files: write single <name>.js (not .shared.js)
-      if (output.isModule) {
+      else if (output.isModule) {
         if (output.shared && output.shared.trim()) {
           const modulePath = join(outDir, `${outBaseName}.js`);
           writeFileSync(modulePath, generateSourceMap(output.shared, modulePath));
@@ -4655,9 +4688,9 @@ async function infoCommand() {
   const config = resolveConfig(process.cwd());
   const hasTOML = config._source === 'tova.toml';
 
-  console.log(`\n  ╦  ╦ ╦═╗ ╦`);
-  console.log(`  ║  ║ ║ ║ ╠╣`);
-  console.log(`  ╩═╝╚═╝╩═╝╩  v${VERSION}\n`);
+  console.log(`\n  ╔╦╗╔═╗╦  ╦╔═╗`);
+  console.log(`   ║ ║ ║╚╗╔╝╠═╣`);
+  console.log(`   ╩ ╚═╝ ╚╝ ╩ ╩  v${VERSION}\n`);
 
   // Bun version
   let bunVersion = 'not found';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tova",
-  "version": "0.4.7",
+  "version": "0.5.1",
   "description": "Tova — a modern programming language that transpiles to JavaScript, unifying frontend and backend",
   "type": "module",
   "main": "src/index.js",

package/src/analyzer/analyzer.js

@@ -1,8 +1,7 @@
 import { Scope, Symbol } from './scope.js';
 import { PIPE_TARGET } from '../parser/ast.js';
 import { BUILTIN_NAMES } from '../stdlib/inline.js';
-import { collectServerBlockFunctions, installServerAnalyzer } from './server-analyzer.js';
-import { installClientAnalyzer } from './client-analyzer.js';
+import { BlockRegistry } from '../registry/register-all.js';
 import {
   Type, PrimitiveType, NilType, AnyType, UnknownType,
   ArrayType, TupleType, FunctionType, RecordType, ADTType,
@@ -327,17 +326,18 @@ export class Analyzer {
   }
 
   analyze() {
-    // Pre-pass: collect named server block functions for inter-server RPC validation
-    const hasServerBlocks = this.ast.body.some(n => n.type === 'ServerBlock');
-    if (hasServerBlocks) {
-      installServerAnalyzer(Analyzer);
-      this.serverBlockFunctions = collectServerBlockFunctions(this.ast);
-    } else {
-      this.serverBlockFunctions = new Map();
+    // Pre-pass hooks (e.g., server block function collection for RPC validation)
+    for (const plugin of BlockRegistry.all()) {
+      if (plugin.analyzer?.prePass) plugin.analyzer.prePass(this);
     }
 
     this.visitProgram(this.ast);
 
+    // Post-visit cross-block validation
+    for (const plugin of BlockRegistry.all()) {
+      if (plugin.analyzer?.crossBlockValidate) plugin.analyzer.crossBlockValidate(this);
+    }
+
     // Check for unused variables/imports (#9)
     this._collectAllScopes(this.globalScope);
     this._checkUnusedSymbols();
@@ -729,43 +729,14 @@ export class Analyzer {
   visitNode(node) {
     if (!node) return;
 
+    // Single registry lookup: returns plugin, NOOP sentinel, or null
+    const entry = BlockRegistry.getByAstType(node.type);
+    if (entry) {
+      if (entry === BlockRegistry.NOOP) return;
+      if (entry.analyzer?.visit) return entry.analyzer.visit(this, node);
+    }
+
     switch (node.type) {
-      case 'ServerBlock':
-      case 'RouteDeclaration':
-      case 'MiddlewareDeclaration':
-      case 'HealthCheckDeclaration':
-      case 'CorsDeclaration':
-      case 'ErrorHandlerDeclaration':
-      case 'WebSocketDeclaration':
-      case 'StaticDeclaration':
-      case 'DiscoverDeclaration':
-      case 'AuthDeclaration':
-      case 'MaxBodyDeclaration':
-      case 'RouteGroupDeclaration':
-      case 'RateLimitDeclaration':
-      case 'LifecycleHookDeclaration':
-      case 'SubscribeDeclaration':
-      case 'EnvDeclaration':
-      case 'ScheduleDeclaration':
-      case 'UploadDeclaration':
-      case 'SessionDeclaration':
-      case 'DbDeclaration':
-      case 'TlsDeclaration':
-      case 'CompressionDeclaration':
-      case 'BackgroundJobDeclaration':
-      case 'CacheDeclaration':
-      case 'SseDeclaration':
-      case 'ModelDeclaration':
-        return this._visitServerNode(node);
-      case 'AiConfigDeclaration': return; // handled at block level
-      case 'ClientBlock':
-      case 'StateDeclaration':
-      case 'ComputedDeclaration':
-      case 'EffectDeclaration':
-      case 'ComponentDeclaration':
-      case 'StoreDeclaration':
-        return this._visitClientNode(node);
-      case 'SharedBlock': return this.visitSharedBlock(node);
       case 'Assignment': return this.visitAssignment(node);
       case 'VarDeclaration': return this.visitVarDeclaration(node);
       case 'LetDestructure': return this.visitLetDestructure(node);
@@ -787,14 +758,7 @@ export class Analyzer {
       case 'ContinueStatement': return this.visitContinueStatement(node);
       case 'GuardStatement': return this.visitGuardStatement(node);
       case 'InterfaceDeclaration': return this.visitInterfaceDeclaration(node);
-      case 'DataBlock': return this.visitDataBlock(node);
-      case 'SourceDeclaration': return;
-      case 'PipelineDeclaration': return;
-      case 'ValidateBlock': return;
-      case 'RefreshPolicy': return;
       case 'RefinementType': return;
-      case 'TestBlock': return this.visitTestBlock(node);
-      case 'BenchBlock': return this.visitTestBlock(node);
       case 'ComponentStyleBlock': return; // raw CSS — no analysis needed
       case 'ImplDeclaration': return this.visitImplDeclaration(node);
       case 'TraitDeclaration': return this.visitTraitDeclaration(node);
@@ -808,19 +772,14 @@ export class Analyzer {
   }
 
   _visitServerNode(node) {
-    if (!Analyzer.prototype._serverAnalyzerInstalled) {
-      installServerAnalyzer(Analyzer);
-    }
     const methodName = 'visit' + node.type;
     return this[methodName](node);
   }
 
   _visitClientNode(node) {
-    if (!Analyzer.prototype._clientAnalyzerInstalled) {
-      installClientAnalyzer(Analyzer);
-    }
-    const methodName = 'visit' + node.type;
-    return this[methodName](node);
+    // Ensure client analyzer is installed (may be called from visitExpression for JSX)
+    const plugin = BlockRegistry.get('client');
+    return plugin.analyzer.visit(this, node);
   }
 
   visitExpression(node) {
@@ -991,6 +950,343 @@ export class Analyzer {
     }
   }
 
+  visitSecurityBlock(node) {
+    // Per-block: only check for duplicate role names within this block
+    const localRoles = new Set();
+    for (const stmt of node.body) {
+      if (stmt.type === 'SecurityRoleDeclaration') {
+        if (localRoles.has(stmt.name)) {
+          this.warnings.push({
+            message: `Duplicate role definition: '${stmt.name}'`,
+            loc: stmt.loc,
+            code: 'W_DUPLICATE_ROLE',
+          });
+        }
+        localRoles.add(stmt.name);
+      }
+    }
+  }
+
+  visitCliBlock(node) {
+    const validKeys = new Set(['name', 'version', 'description']);
+
+    // Validate config keys
+    for (const field of node.config) {
+      if (!validKeys.has(field.key)) {
+        this.warnings.push({
+          message: `Unknown cli config key '${field.key}' — valid keys are: ${[...validKeys].join(', ')}`,
+          loc: field.loc,
+          code: 'W_UNKNOWN_CLI_CONFIG',
+        });
+      }
+    }
+
+    // Validate commands
+    const commandNames = new Set();
+    for (const cmd of node.commands) {
+      // Duplicate command names
+      if (commandNames.has(cmd.name)) {
+        this.warnings.push({
+          message: `Duplicate cli command '${cmd.name}'`,
+          loc: cmd.loc,
+          code: 'W_DUPLICATE_CLI_COMMAND',
+        });
+      }
+      commandNames.add(cmd.name);
+
+      // Check for positional args after flags
+      let seenFlag = false;
+      for (const param of cmd.params) {
+        if (param.isFlag) {
+          seenFlag = true;
+        } else if (seenFlag) {
+          this.warnings.push({
+            message: `Positional argument '${param.name}' after flag in command '${cmd.name}' — positionals should come before flags`,
+            loc: param.loc,
+            code: 'W_POSITIONAL_AFTER_FLAG',
+          });
+        }
+      }
+
+      // Visit command body with params in scope
+      this.pushScope('function');
+      for (const param of cmd.params) {
+        this.currentScope.define(param.name,
+          new Symbol(param.name, 'parameter', null, false, param.loc));
+      }
+      this.visitNode(cmd.body);
+      this.popScope();
+    }
+  }
+
+  _validateCliCrossBlock() {
+    const cliBlocks = this.ast.body.filter(n => n.type === 'CliBlock');
+    if (cliBlocks.length === 0) return;
+
+    // Warn if cli + server coexist
+    const hasServer = this.ast.body.some(n => n.type === 'ServerBlock');
+    if (hasServer) {
+      this.warnings.push({
+        message: 'cli {} and server {} blocks in the same file — cli produces a standalone executable, not a web server',
+        loc: cliBlocks[0].loc,
+        code: 'W_CLI_WITH_SERVER',
+      });
+    }
+
+    // Check for missing name across all cli blocks
+    let hasName = false;
+    for (const block of cliBlocks) {
+      for (const field of block.config) {
+        if (field.key === 'name') hasName = true;
+      }
+    }
+    if (!hasName) {
+      this.warnings.push({
+        message: 'cli block has no name: field — consider adding name: "your-tool"',
+        loc: cliBlocks[0].loc,
+        code: 'W_CLI_MISSING_NAME',
+      });
+    }
+  }
+
+  _validateSecurityCrossBlock() {
+    // Collect ALL security declarations across ALL security blocks in the AST
+    const allRoles = new Set();
+    const allProtects = [];
+    const allSensitives = [];
+    let hasAuth = false;
+    let hasProtect = false;
+    let authDecl = null;
+    let corsDecl = null;
+    let rateLimitDecl = null;
+    let csrfDecl = null;
+
+    const roleDecls = []; // track all role declarations for cross-block duplicate detection
+    for (const node of this.ast.body) {
+      if (node.type !== 'SecurityBlock') continue;
+      for (const stmt of node.body) {
+        if (stmt.type === 'SecurityRoleDeclaration') {
+          roleDecls.push(stmt);
+          allRoles.add(stmt.name);
+        } else if (stmt.type === 'SecurityProtectDeclaration') {
+          allProtects.push(stmt);
+          hasProtect = true;
+        } else if (stmt.type === 'SecuritySensitiveDeclaration') {
+          allSensitives.push(stmt);
+        } else if (stmt.type === 'SecurityAuthDeclaration') {
+          hasAuth = true;
+          authDecl = stmt;
+        } else if (stmt.type === 'SecurityCorsDeclaration') {
+          corsDecl = stmt;
+        } else if (stmt.type === 'SecurityRateLimitDeclaration') {
+          rateLimitDecl = stmt;
+        } else if (stmt.type === 'SecurityCsrfDeclaration') {
+          csrfDecl = stmt;
+        }
+      }
+    }
+
+    // W_DUPLICATE_ROLE across blocks: detect roles with same name in different security blocks
+    const seenRoleNames = new Map(); // name -> first declaration
+    for (const decl of roleDecls) {
+      const prev = seenRoleNames.get(decl.name);
+      if (prev && prev.loc !== decl.loc) {
+        // Only warn if this is from a different block (same-block dupes handled by visitSecurityBlock)
+        const prevInSameBlock = this.ast.body.some(b =>
+          b.type === 'SecurityBlock' && b.body.includes(prev) && b.body.includes(decl)
+        );
+        if (!prevInSameBlock) {
+          this.warnings.push({
+            message: `Role '${decl.name}' is defined in multiple security blocks — later definition overwrites earlier one`,
+            loc: decl.loc,
+            code: 'W_DUPLICATE_ROLE',
+          });
+        }
+      }
+      seenRoleNames.set(decl.name, decl);
+    }
+
+    // W_UNKNOWN_AUTH_TYPE — validate auth type is a known value
+    if (authDecl && authDecl.authType) {
+      const validAuthTypes = ['jwt', 'api_key'];
+      if (!validAuthTypes.includes(authDecl.authType)) {
+        this.warnings.push({
+          message: `Unknown auth type '${authDecl.authType}' — supported types are: ${validAuthTypes.join(', ')}`,
+          loc: authDecl.loc,
+          code: 'W_UNKNOWN_AUTH_TYPE',
+        });
+      }
+    }
+
+    // Fix 2: W_HARDCODED_SECRET — warn if auth secret is a string literal
+    if (authDecl && authDecl.config.secret) {
+      const secretNode = authDecl.config.secret;
+      if (secretNode.type === 'StringLiteral') {
+        this.warnings.push({
+          message: 'Auth secret is hardcoded as a string literal — use env("SECRET_NAME") instead',
+          loc: authDecl.loc,
+          code: 'W_HARDCODED_SECRET',
+        });
+      }
+    }
+
+    // Fix 7: W_CORS_WILDCARD — warn if cors origins contains "*"
+    if (corsDecl && corsDecl.config.origins) {
+      const originsNode = corsDecl.config.origins;
+      if (originsNode.elements) {
+        for (const elem of originsNode.elements) {
+          if (elem.type === 'StringLiteral' && elem.value === '*') {
+            this.warnings.push({
+              message: 'CORS origins contains wildcard "*" — consider restricting to specific origins',
+              loc: corsDecl.loc,
+              code: 'W_CORS_WILDCARD',
+            });
+            break;
+          }
+        }
+      }
+    }
+
+    // W_INVALID_RATE_LIMIT — validate rate limit max/window are positive numbers
+    const _rlNumericValue = (node) => {
+      if (!node) return null;
+      if (node.type === 'NumberLiteral') return node.value;
+      if (node.type === 'UnaryExpression' && node.operator === '-' && node.operand && node.operand.type === 'NumberLiteral') return -node.operand.value;
+      return null;
+    };
+    if (rateLimitDecl && rateLimitDecl.config) {
+      const rlMaxVal = _rlNumericValue(rateLimitDecl.config.max);
+      const rlWindowVal = _rlNumericValue(rateLimitDecl.config.window);
+      if (rlMaxVal !== null && rlMaxVal <= 0) {
+        this.warnings.push({
+          message: `Rate limit max must be a positive number, got ${rlMaxVal}`,
+          loc: rateLimitDecl.loc,
+          code: 'W_INVALID_RATE_LIMIT',
+        });
+      }
+      if (rlWindowVal !== null && rlWindowVal <= 0) {
+        this.warnings.push({
+          message: `Rate limit window must be a positive number, got ${rlWindowVal}`,
+          loc: rateLimitDecl.loc,
+          code: 'W_INVALID_RATE_LIMIT',
+        });
+      }
+    }
+
+    // W_CSRF_DISABLED — warn when CSRF is explicitly disabled
+    if (csrfDecl && csrfDecl.config && csrfDecl.config.enabled) {
+      const enabledNode = csrfDecl.config.enabled;
+      if ((enabledNode.type === 'BooleanLiteral' && enabledNode.value === false) ||
+          (enabledNode.type === 'Identifier' && enabledNode.name === 'false')) {
+        this.warnings.push({
+          message: 'CSRF protection is explicitly disabled — this increases vulnerability to cross-site request forgery attacks',
+          loc: csrfDecl.loc,
+          code: 'W_CSRF_DISABLED',
+        });
+      }
+    }
+
+    // W_LOCALSTORAGE_TOKEN — warn when auth uses default localStorage storage (XSS-vulnerable)
+    if (authDecl && authDecl.authType === 'jwt') {
+      const storageNode = authDecl.config.storage;
+      const isCookieAuth = storageNode && storageNode.type === 'StringLiteral' && storageNode.value === 'cookie';
+      if (!isCookieAuth) {
+        this.warnings.push({
+          message: 'Auth tokens stored in localStorage are vulnerable to XSS attacks — consider using storage: "cookie" for HttpOnly cookie storage',
+          loc: authDecl.loc,
+          code: 'W_LOCALSTORAGE_TOKEN',
+        });
+      }
+    }
+
+    // Fix 5: W_INMEMORY_RATELIMIT — warn that rate limiting is in-memory only
+    if (rateLimitDecl) {
+      this.warnings.push({
+        message: 'Rate limiting uses in-memory storage — not shared across server instances. Consider an external store for production multi-instance deployments',
+        loc: rateLimitDecl.loc,
+        code: 'W_INMEMORY_RATELIMIT',
+      });
+    }
+
+    // Fix 6: W_NO_AUTH_RATELIMIT — warn when auth exists but no rate limiting protects against brute-force
+    if (hasAuth && !rateLimitDecl) {
+      const hasAuthRateLimit = allProtects.some(p => p.config && p.config.rate_limit);
+      if (!hasAuthRateLimit) {
+        this.warnings.push({
+          message: 'Auth is configured without rate limiting — consider adding rate_limit to protect against brute-force attacks',
+          loc: authDecl.loc,
+          code: 'W_NO_AUTH_RATELIMIT',
+        });
+      }
+    }
+
+    // Fix 7: W_HASH_NOT_ENFORCED — warn when sensitive declares hash but it's not auto-enforced
+    for (const s of allSensitives) {
+      if (s.config && s.config.hash) {
+        const hashVal = s.config.hash.value || s.config.hash;
+        this.warnings.push({
+          message: `sensitive ${s.typeName}.${s.fieldName} declares hash: "${hashVal}" but hashing is not automatically enforced — use hash_password() in your write handlers`,
+          loc: s.loc,
+          code: 'W_HASH_NOT_ENFORCED',
+        });
+      }
+    }
+
+    // No security blocks → nothing to validate (but allow auth/cors checks above)
+    if (!hasProtect && allSensitives.length === 0) return;
+
+    // W_PROTECT_WITHOUT_AUTH: protect rules exist but no auth configured
+    if (hasProtect && !hasAuth) {
+      // Find first protect for location
+      this.warnings.push({
+        message: 'Route protection rules exist but no auth is configured — all protected routes will be inaccessible',
+        loc: allProtects[0].loc,
+        code: 'W_PROTECT_WITHOUT_AUTH',
+      });
+    }
+
+    // W_UNDEFINED_ROLE: protect rules reference roles not defined anywhere
+    for (const protect of allProtects) {
+      const requireExpr = protect.config.require;
+      if (!requireExpr) {
+        // W_PROTECT_NO_REQUIRE: protect rule has no require key
+        this.warnings.push({
+          message: `Protect rule for "${protect.pattern}" has no 'require' — route is unprotected`,
+          loc: protect.loc,
+          code: 'W_PROTECT_NO_REQUIRE',
+        });
+        continue;
+      }
+      if (requireExpr.type === 'Identifier' && requireExpr.name !== 'authenticated') {
+        if (!allRoles.has(requireExpr.name)) {
+          this.warnings.push({
+            message: `Protect rule references undefined role '${requireExpr.name}'`,
+            loc: protect.loc,
+            code: 'W_UNDEFINED_ROLE',
+          });
+        }
+      }
+    }
+
+    // W_UNDEFINED_ROLE: sensitive visible_to references roles not defined anywhere
+    for (const sensitive of allSensitives) {
+      const visibleTo = sensitive.config.visible_to;
+      if (visibleTo && (visibleTo.type === 'ArrayExpression' || visibleTo.type === 'ArrayLiteral')) {
+        for (const elem of visibleTo.elements) {
+          if (elem.type === 'Identifier' && elem.name !== 'self') {
+            if (!allRoles.has(elem.name)) {
+              this.warnings.push({
+                message: `Sensitive field '${sensitive.typeName}.${sensitive.fieldName}' visible_to references undefined role '${elem.name}'`,
+                loc: sensitive.loc,
+                code: 'W_UNDEFINED_ROLE',
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+
   // visitClientBlock and other client visitors are in client-analyzer.js (lazy-loaded)
 
   visitSharedBlock(node) {