tova 0.7.0 → 0.9.4

package/src/deploy/provision.js

@@ -0,0 +1,315 @@
+// Provisioning Script Generator for the Tova language
+// Generates idempotent bash scripts from an infrastructure manifest.
+
+/**
+ * Generate a complete provisioning shell script from an infrastructure manifest.
+ *
+ * The script is idempotent — it checks before installing (command -v, dpkg, etc.)
+ * and is organized in layers:
+ *   Layer 1: System (Bun, Caddy, UFW, tova user)
+ *   Layer 2: Databases (PostgreSQL, Redis — conditional)
+ *   Layer 3: App directories
+ *   Layer 5: Caddy config
+ *   Layer 6: systemd services
+ *
+ * @param {Object} manifest - Infrastructure manifest from inferInfrastructure()
+ * @returns {string} Complete provisioning bash script
+ */
+export function generateProvisionScript(manifest) {
+  const appName = manifest.name || 'tova-app';
+  const lines = [];
+
+  lines.push('#!/bin/bash');
+  lines.push('set -euo pipefail');
+  lines.push('');
+  lines.push(`# Provisioning script for ${appName}`);
+  lines.push(`# Generated by Tova deploy — idempotent, safe to re-run`);
+  lines.push('');
+
+  // ── Layer 1: System ────────────────────────────────────────
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('# Layer 1: System dependencies');
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('');
+
+  if (manifest.requires && manifest.requires.bun) {
+    lines.push('# Install Bun runtime');
+    lines.push('if ! command -v bun &>/dev/null; then');
+    lines.push('  echo "Installing Bun..."');
+    lines.push('  curl -fsSL https://bun.sh/install | bash');
+    lines.push('  export PATH="$HOME/.bun/bin:$PATH"');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  if (manifest.requires && manifest.requires.caddy) {
+    lines.push('# Install Caddy web server');
+    lines.push('if ! command -v caddy &>/dev/null; then');
+    lines.push('  echo "Installing Caddy..."');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq debian-keyring debian-archive-keyring apt-transport-https curl');
+    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/gpg.key" | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg');
+    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt" | tee /etc/apt/sources.list.d/caddy-stable.list');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq caddy');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  if (manifest.requires && manifest.requires.ufw) {
+    lines.push('# Configure UFW firewall');
+    lines.push('if command -v ufw &>/dev/null; then');
+    lines.push('  ufw allow 22/tcp');
+    lines.push('  ufw allow 80/tcp');
+    lines.push('  ufw allow 443/tcp');
+    lines.push('  echo "y" | ufw enable || true');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  // Create tova system user
+  lines.push('# Create tova system user');
+  lines.push('if ! id "tova" &>/dev/null; then');
+  lines.push('  useradd --system --create-home --shell /bin/bash tova');
+  lines.push('fi');
+  lines.push('');
+
+  // ── Layer 2: Databases ─────────────────────────────────────
+  const databases = manifest.databases || [];
+  const hasPostgres = databases.some(d => d.engine === 'postgres');
+  const hasRedis = databases.some(d => d.engine === 'redis');
+
+  if (hasPostgres || hasRedis) {
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('# Layer 2: Databases');
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('');
+  }
+
+  if (hasPostgres) {
+    const pgDb = databases.find(d => d.engine === 'postgres');
+    const dbName = (pgDb && pgDb.config && pgDb.config.name) || `${appName}_db`;
+    lines.push('# Install PostgreSQL');
+    lines.push('if ! command -v psql &>/dev/null; then');
+    lines.push('  echo "Installing PostgreSQL..."');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq postgresql postgresql-contrib');
+    lines.push('  systemctl enable postgresql');
+    lines.push('  systemctl start postgresql');
+    lines.push('fi');
+    lines.push('');
+    lines.push(`# Create database: ${dbName}`);
+    lines.push(`sudo -u postgres psql -tc "SELECT 1 FROM pg_database WHERE datname = '${dbName}'" | grep -q 1 || sudo -u postgres createdb "${dbName}"`);
+    lines.push('');
+  }
+
+  if (hasRedis) {
+    lines.push('# Install Redis');
+    lines.push('if ! command -v redis-server &>/dev/null; then');
+    lines.push('  echo "Installing Redis..."');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq redis-server');
+    lines.push('  systemctl enable redis-server');
+    lines.push('  systemctl start redis-server');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  // ── Layer 3: App directories ───────────────────────────────
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('# Layer 3: App directories');
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('');
+  lines.push('mkdir -p /opt/tova/apps');
+  lines.push(`APP_DIR="/opt/tova/apps/${appName}"`);
+  lines.push('mkdir -p "$APP_DIR/releases"');
+  lines.push('mkdir -p "$APP_DIR/shared/logs"');
+  lines.push('mkdir -p "$APP_DIR/shared/data"');
+  lines.push('chown -R tova:tova /opt/tova');
+  lines.push('');
+
+  // ── Layer 5: Caddy config ──────────────────────────────────
+  if (manifest.requires && manifest.requires.caddy && manifest.domain) {
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('# Layer 5: Caddy config');
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('');
+    const caddyConfig = generateCaddyConfig(appName, {
+      domain: manifest.domain,
+      instances: manifest.instances || 1,
+      health: manifest.health,
+      health_interval: manifest.health_interval,
+      health_timeout: manifest.health_timeout,
+      hasWebSocket: manifest.hasWebSocket,
+    });
+    lines.push(`cat > /etc/caddy/Caddyfile <<'CADDY_EOF'`);
+    lines.push(caddyConfig);
+    lines.push('CADDY_EOF');
+    lines.push('');
+    lines.push('systemctl reload caddy || systemctl restart caddy');
+    lines.push('');
+  }
+
+  // ── Layer 6: systemd services ──────────────────────────────
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('# Layer 6: systemd services');
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('');
+  const serviceUnit = generateSystemdService(appName, {
+    memory: manifest.memory || '512mb',
+    restart_on_failure: manifest.restart_on_failure !== false,
+    env: manifest.env || {},
+  });
+  lines.push(`cat > /etc/systemd/system/${appName}@.service <<'SYSTEMD_EOF'`);
+  lines.push(serviceUnit);
+  lines.push('SYSTEMD_EOF');
+  lines.push('');
+  lines.push('systemctl daemon-reload');
+
+  // Enable and start instances
+  const instances = manifest.instances || 1;
+  for (let i = 0; i < instances; i++) {
+    const port = 3000 + i;
+    lines.push(`systemctl enable ${appName}@${port}`);
+  }
+  lines.push('');
+
+  lines.push(`echo "Provisioning complete for ${appName}"`);
+  return lines.join('\n');
+}
+
+/**
+ * Parse a memory string like "512mb", "1gb" into bytes for systemd MemoryMax.
+ */
+function parseMemory(mem) {
+  if (typeof mem === 'number') return mem;
+  const str = String(mem).toLowerCase().trim();
+  const match = str.match(/^(\d+(?:\.\d+)?)\s*(mb|gb|m|g|kb|k)?$/);
+  if (!match) return str;
+  const num = parseFloat(match[1]);
+  const unit = match[2] || 'mb';
+  switch (unit) {
+    case 'kb': case 'k': return `${Math.round(num)}K`;
+    case 'mb': case 'm': return `${Math.round(num)}M`;
+    case 'gb': case 'g': return `${Math.round(num * 1024)}M`;
+    default: return str;
+  }
+}
+
+/**
+ * Generate a systemd unit template for the application.
+ *
+ * Uses %i for the instance port (template unit: appName@.service).
+ *
+ * @param {string} appName - Application name
+ * @param {Object} config - { memory, restart_on_failure, env }
+ * @returns {string} systemd unit file content
+ */
+export function generateSystemdService(appName, config = {}) {
+  const memLimit = parseMemory(config.memory || '512mb');
+  const restart = config.restart_on_failure !== false ? 'on-failure' : 'no';
+  const env = config.env || {};
+
+  const lines = [];
+  lines.push('[Unit]');
+  lines.push(`Description=${appName} instance on port %i`);
+  lines.push('After=network.target');
+  lines.push('');
+  lines.push('[Service]');
+  lines.push('Type=simple');
+  lines.push('User=tova');
+  lines.push('Group=tova');
+  lines.push(`WorkingDirectory=/opt/tova/apps/${appName}/current`);
+  lines.push(`ExecStart=/home/tova/.bun/bin/bun run server.js --port %i`);
+  lines.push(`Restart=${restart}`);
+  lines.push('RestartSec=5');
+  lines.push(`MemoryMax=${memLimit}`);
+  lines.push('');
+
+  // Environment — load secrets from .env.production, then set inline defaults
+  lines.push(`EnvironmentFile=-/opt/tova/apps/${appName}/.env.production`);
+  lines.push('Environment=NODE_ENV=production');
+  lines.push('Environment=PORT=%i');
+  for (const [key, value] of Object.entries(env)) {
+    if (key !== 'NODE_ENV' && key !== 'PORT') {
+      lines.push(`Environment=${key}=${value}`);
+    }
+  }
+  lines.push('');
+
+  // Logging
+  lines.push('StandardOutput=journal');
+  lines.push('StandardError=journal');
+  lines.push(`SyslogIdentifier=${appName}-%i`);
+  lines.push('');
+  lines.push('[Install]');
+  lines.push('WantedBy=multi-user.target');
+
+  return lines.join('\n');
+}
+
+/**
+ * Generate a Caddy site block configuration.
+ *
+ * @param {string} appName - Application name
+ * @param {Object} opts - { domain, instances, health, hasWebSocket }
+ * @returns {string} Caddy config block
+ */
+export function generateCaddyConfig(appName, opts = {}) {
+  const domain = opts.domain || 'localhost';
+  const instances = opts.instances || 1;
+  const health = opts.health || '/healthz';
+  const healthInterval = opts.health_interval || 30;
+  const healthTimeout = opts.health_timeout || 5;
+  const hasWebSocket = opts.hasWebSocket || false;
+
+  const lines = [];
+  lines.push(`${domain} {`);
+
+  // Upstream / reverse proxy
+  if (instances === 1) {
+    lines.push('  reverse_proxy localhost:3000 {');
+  } else {
+    // Multiple instances with round-robin load balancing
+    const upstreams = [];
+    for (let i = 0; i < instances; i++) {
+      upstreams.push(`localhost:${3000 + i}`);
+    }
+    lines.push(`  reverse_proxy ${upstreams.join(' ')} {`);
+    lines.push('    lb_policy round_robin');
+  }
+
+  // Health check
+  lines.push(`    health_uri ${health}`);
+  lines.push(`    health_interval ${healthInterval}s`);
+  lines.push(`    health_timeout ${healthTimeout}s`);
+
+  lines.push('  }');
+
+  // WebSocket support
+  if (hasWebSocket) {
+    lines.push('');
+    lines.push('  @websocket {');
+    lines.push('    header Connection *Upgrade*');
+    lines.push('    header Upgrade websocket');
+    lines.push('  }');
+    if (instances === 1) {
+      lines.push('  reverse_proxy @websocket localhost:3000');
+    } else {
+      const upstreams = [];
+      for (let i = 0; i < instances; i++) {
+        upstreams.push(`localhost:${3000 + i}`);
+      }
+      lines.push(`  reverse_proxy @websocket ${upstreams.join(' ')}`);
+    }
+  }
+
+  // Logging
+  lines.push('');
+  lines.push('  log {');
+  lines.push(`    output file /var/log/caddy/${appName}.log`);
+  lines.push('  }');
+
+  lines.push('}');
+  return lines.join('\n');
+}

package/src/diagnostics/security-scorecard.js

@@ -0,0 +1,111 @@
+/**
+ * Security Scorecard — post-compilation security posture summary.
+ */
+
+export function generateSecurityScorecard(securityConfig, warnings, hasServer, hasEdge) {
+  if (!hasServer && !hasEdge) return null;
+
+  const items = [];
+  let score = 10;
+
+  const warningCodes = new Set((warnings || []).map(w => w.code).filter(Boolean));
+
+  if (!securityConfig) {
+    items.push({ pass: false, label: 'No security block configured', deduction: 3 });
+    score -= 3;
+    items.push({ pass: false, label: 'No auth configured', deduction: 2 });
+    score -= 2;
+    items.push({ pass: false, label: 'No CSRF protection', deduction: 1 });
+    score -= 1;
+    items.push({ pass: false, label: 'No rate limiting', deduction: 1 });
+    score -= 1;
+    items.push({ pass: false, label: 'No CSP configured', deduction: 1 });
+    score -= 1;
+    items.push({ pass: false, label: 'No audit logging', deduction: 1 });
+    score -= 1;
+    return { score: Math.max(0, score), items, format: () => formatScorecard(Math.max(0, score), items) };
+  }
+
+  // Auth
+  if (securityConfig.auth) {
+    const isCookie = securityConfig.auth.storage === 'cookie';
+    const authType = securityConfig.auth.authType || 'JWT';
+    if (isCookie) {
+      items.push({ pass: true, label: `${authType} auth with HttpOnly cookies` });
+    } else {
+      items.push({ pass: true, label: `${authType} auth configured` });
+    }
+    if (warningCodes.has('W_LOCALSTORAGE_TOKEN')) {
+      items.push({ pass: false, label: 'Auth tokens in localStorage (XSS vulnerable)', deduction: 1 });
+      score -= 1;
+    }
+  } else {
+    items.push({ pass: false, label: 'No auth configured', deduction: 2 });
+    score -= 2;
+  }
+
+  // CSRF
+  if (securityConfig.csrf && securityConfig.csrf.enabled === false) {
+    items.push({ pass: false, label: 'CSRF protection disabled', deduction: 1 });
+    score -= 1;
+  } else if (securityConfig.auth) {
+    items.push({ pass: true, label: 'CSRF enabled with session binding' });
+  } else {
+    items.push({ pass: false, label: 'No CSRF protection', deduction: 1 });
+    score -= 1;
+  }
+
+  // Rate limiting
+  if (securityConfig.rateLimit) {
+    items.push({ pass: true, label: 'Rate limiting configured' });
+  } else if (securityConfig.auth) {
+    items.push({ pass: false, label: 'No rate limiting (auth without brute-force protection)', deduction: 1 });
+    score -= 1;
+  }
+
+  // CSP
+  if (securityConfig.csp) {
+    items.push({ pass: true, label: 'Content Security Policy configured' });
+  } else {
+    items.push({ pass: false, label: 'No CSP configured', deduction: 1 });
+    score -= 1;
+  }
+
+  // CORS wildcard
+  if (warningCodes.has('W_CORS_WILDCARD')) {
+    items.push({ pass: false, label: 'CORS allows wildcard origins', deduction: 1 });
+    score -= 1;
+  } else if (securityConfig.cors) {
+    items.push({ pass: true, label: 'CORS restricted to specific origins' });
+  }
+
+  // Hardcoded secret
+  if (warningCodes.has('W_HARDCODED_SECRET')) {
+    items.push({ pass: false, label: 'Auth secret hardcoded in source', deduction: 1 });
+    score -= 1;
+  }
+
+  // Audit logging
+  if (securityConfig.audit) {
+    items.push({ pass: true, label: 'Audit logging configured' });
+  } else {
+    items.push({ pass: false, label: 'No audit logging', deduction: 1 });
+    score -= 1;
+  }
+
+  score = Math.max(0, score);
+  return { score, items, format: () => formatScorecard(score, items) };
+}
+
+function formatScorecard(score, items) {
+  const lines = [];
+  lines.push(`\x1b[1mSecurity: ${score}/10\x1b[0m`);
+  for (const item of items) {
+    if (item.pass) {
+      lines.push(`  \x1b[32m[pass]\x1b[0m ${item.label}`);
+    } else {
+      lines.push(`  \x1b[33m[warn]\x1b[0m ${item.label} (-${item.deduction})`);
+    }
+  }
+  return lines.join('\n');
+}

package/src/lexer/lexer.js

@@ -899,15 +899,30 @@ export class Lexer {
       return;
     }
 
-    // Special case: "style {" → read raw CSS block
+    // Special case: "style {" or "style(...) {" → read raw CSS block
     if (value === 'style') {
       const savedPos = this.pos;
       const savedLine = this.line;
       const savedCol = this.column;
-      // Skip whitespace (including newlines) to check for {
+      // Skip whitespace (including newlines) to check for ( or {
       while (this.pos < this.length && (this.isWhitespace(this.peek()) || this.peek() === '\n')) {
         this.advance();
       }
+      // Check for style(...) config
+      let configPrefix = '';
+      if (this.peek() === '(') {
+        this.advance(); // skip (
+        let configStr = '';
+        while (this.pos < this.length && this.peek() !== ')') {
+          configStr += this.advance();
+        }
+        if (this.pos < this.length) this.advance(); // skip )
+        configPrefix = '__CONFIG:' + configStr.trim() + '__';
+        // Skip whitespace after )
+        while (this.pos < this.length && (this.isWhitespace(this.peek()) || this.peek() === '\n')) {
+          this.advance();
+        }
+      }
       if (this.peek() === '{') {
         this.advance(); // skip {
         let depth = 1;
@@ -924,7 +939,7 @@ export class Lexer {
         if (depth > 0) {
           this.error('Unterminated style block');
         }
-        this.tokens.push(new Token(TokenType.STYLE_BLOCK, css.trim(), startLine, startCol));
+        this.tokens.push(new Token(TokenType.STYLE_BLOCK, configPrefix + css.trim(), startLine, startCol));
         return;
       }
       // Not a style block — restore position