veko-framework 1.0.0

package/src/runtime/adapters/base.js

@@ -0,0 +1,96 @@
+/**
+ * Veko v1 – DatabaseAdapter interface (SOLID)
+ * All adapters (sqlite, postgres) must implement this contract.
+ */
+
+/**
+ * @typedef {'asc'|'desc'} SortDirection
+ * @typedef {{ field: string, direction: SortDirection }} OrderBy
+ */
+
+/**
+ * Base adapter: defines the interface. Subclasses implement all methods.
+ * @abstract
+ */
+export class DatabaseAdapter {
+  /**
+   * Connect to the database. Must be called before any other method.
+   * @returns {Promise<void>}
+   */
+  async connect() {
+    throw new Error('DatabaseAdapter.connect() must be implemented');
+  }
+
+  /**
+   * Run a raw query (SELECT only in safe sugar context). Returns rows.
+   * @param {string} sql
+   * @param {unknown[]} [params]
+   * @returns {Promise<unknown[]>}
+   */
+  async query(sql, params = []) {
+    throw new Error('DatabaseAdapter.query() must be implemented');
+  }
+
+  /**
+   * Insert a row. Returns { id, changes }.
+   * @param {string} table
+   * @param {Record<string, unknown>} data
+   * @returns {Promise<{ id: number, changes?: number }>}
+   */
+  async insert(table, data) {
+    throw new Error('DatabaseAdapter.insert() must be implemented');
+  }
+
+  /**
+   * Update row by id. Returns { updated: boolean }.
+   * @param {string} table
+   * @param {number} id
+   * @param {Record<string, unknown>} data
+   * @returns {Promise<{ updated: boolean }>}
+   */
+  async update(table, id, data) {
+    throw new Error('DatabaseAdapter.update() must be implemented');
+  }
+
+  /**
+   * Delete row by id. Returns { deleted: boolean }.
+   * @param {string} table
+   * @param {number} id
+   * @returns {Promise<{ deleted: boolean }>}
+   */
+  async delete(table, id) {
+    throw new Error('DatabaseAdapter.delete() must be implemented');
+  }
+
+  /**
+   * Find one row by id. Returns row or null.
+   * @param {string} table
+   * @param {number} id
+   * @returns {Promise<Record<string, unknown> | null>}
+   */
+  async findById(table, id) {
+    throw new Error('DatabaseAdapter.findById() must be implemented');
+  }
+
+  /**
+   * List rows with optional where and orderBy.
+   * @param {string} table
+   * @param {Record<string, unknown>} [where]
+   * @param {OrderBy|null} [orderBy]
+   * @returns {Promise<unknown[]>}
+   */
+  async findAll(table, where = {}, orderBy = null) {
+    throw new Error('DatabaseAdapter.findAll() must be implemented');
+  }
+
+  /**
+   * Run a callback inside a transaction.
+   * @param {(adapter: DatabaseAdapter) => Promise<unknown>} callback
+   * @returns {Promise<unknown>}
+   */
+  async transaction(callback) {
+    throw new Error('DatabaseAdapter.transaction() must be implemented');
+  }
+}
+
+export default DatabaseAdapter;

package/src/runtime/adapters/postgres.js

@@ -0,0 +1,98 @@
+/**
+ * Veko v1 – PostgreSQL adapter (implements DatabaseAdapter)
+ * Requires: pg package
+ */
+
+import { DatabaseAdapter } from './base.js';
+
+export class PostgresAdapter extends DatabaseAdapter {
+  constructor(connectionString) {
+    super();
+    this.connectionString = connectionString;
+    this.pool = null;
+  }
+
+  async connect() {
+    const { default: pg } = await import('pg');
+    this.pool = new pg.Pool({ connectionString: this.connectionString });
+  }
+
+  async _query(sql, params = []) {
+    const client = await this.pool.connect();
+    try {
+      const result = await client.query(sql, params);
+      return result.rows;
+    } finally {
+      client.release();
+    }
+  }
+
+  async query(sql, params = []) {
+    const client = await this.pool.connect();
+    try {
+      const result = await client.query(sql, params);
+      return result.rows;
+    } finally {
+      client.release();
+    }
+  }
+
+  async insert(table, data) {
+    const keys = Object.keys(data);
+    const cols = keys.map((k) => `"${k}"`).join(', ');
+    const placeholders = keys.map((_, i) => `$${i + 1}`).join(', ');
+    const sql = `INSERT INTO "${table}" (${cols}) VALUES (${placeholders}) RETURNING id`;
+    const rows = await this._query(sql, Object.values(data));
+    return { id: rows[0]?.id, changes: 1 };
+  }
+
+  async update(table, id, data) {
+    const keys = Object.keys(data);
+    if (keys.length === 0) return { updated: false };
+    const sets = keys.map((k, i) => `"${k}" = $${i + 1}`).join(', ');
+    const sql = `UPDATE "${table}" SET ${sets} WHERE id = $${keys.length + 1}`;
+    const result = await this.pool.query(sql, [...Object.values(data), id]);
+    return { updated: (result.rowCount ?? 0) > 0 };
+  }
+
+  async delete(table, id) {
+    const result = await this.pool.query(`DELETE FROM "${table}" WHERE id = $1`, [id]);
+    return { deleted: (result.rowCount ?? 0) > 0 };
+  }
+
+  async findById(table, id) {
+    const rows = await this._query(`SELECT * FROM "${table}" WHERE id = $1`, [id]);
+    return rows[0] ?? null;
+  }
+
+  async findAll(table, where = {}, orderBy = null) {
+    let sql = `SELECT * FROM "${table}"`;
+    const params = [];
+    let n = 1;
+    if (Object.keys(where).length > 0) {
+      const conditions = Object.keys(where).map((k) => `"${k}" = $${n++}`);
+      params.push(...Object.values(where));
+      sql += ` WHERE ${conditions.join(' AND ')}`;
+    }
+    if (orderBy) {
+      const dir = orderBy.direction === 'desc' ? 'DESC' : 'ASC';
+      sql += ` ORDER BY "${orderBy.field}" ${dir}`;
+    }
+    return this._query(sql, params);
+  }
+
+  async transaction(callback) {
+    const client = await this.pool.connect();
+    try {
+      await client.query('BEGIN');
+      const result = await callback(this);
+      await client.query('COMMIT');
+      return result;
+    } catch (e) {
+      await client.query('ROLLBACK');
+      throw e;
+    } finally {
+      client.release();
+    }
+  }
+}

package/src/runtime/adapters/sqlite.js

@@ -0,0 +1,87 @@
+/**
+ * Veko v1 – SQLite adapter (implements DatabaseAdapter)
+ */
+
+import Database from 'better-sqlite3';
+import { DatabaseAdapter } from './base.js';
+
+export class SqliteAdapter extends DatabaseAdapter {
+  constructor(path = 'veko.db') {
+    super();
+    this.path = path;
+    this.db = null;
+  }
+
+  async connect() {
+    this.db = new Database(this.path);
+    this.db.pragma('journal_mode = WAL');
+    this.db.pragma('busy_timeout = 5000');
+    this.db.pragma('foreign_keys = ON');
+  }
+
+  async query(sql, params = []) {
+    const stmt = this.db.prepare(sql);
+    return stmt.all(...params);
+  }
+
+  async insert(table, data) {
+    const keys = Object.keys(data);
+    const placeholders = keys.map(() => '?').join(', ');
+    const sql = `INSERT INTO "${table}" (${keys.map((k) => `"${k}"`).join(', ')}) VALUES (${placeholders})`;
+    const stmt = this.db.prepare(sql);
+    const result = stmt.run(...Object.values(data));
+    return { id: result.lastInsertRowid, changes: result.changes };
+  }
+
+  async update(table, id, data) {
+    const keys = Object.keys(data);
+    if (keys.length === 0) return { updated: false };
+    const sets = keys.map((k) => `"${k}" = ?`).join(', ');
+    const sql = `UPDATE "${table}" SET ${sets} WHERE id = ?`;
+    const stmt = this.db.prepare(sql);
+    const result = stmt.run(...Object.values(data), id);
+    return { updated: result.changes > 0 };
+  }
+
+  async delete(table, id) {
+    const sql = `DELETE FROM "${table}" WHERE id = ?`;
+    const stmt = this.db.prepare(sql);
+    const result = stmt.run(id);
+    return { deleted: result.changes > 0 };
+  }
+
+  async findById(table, id) {
+    const sql = `SELECT * FROM "${table}" WHERE id = ?`;
+    const stmt = this.db.prepare(sql);
+    return stmt.get(id) ?? null;
+  }
+
+  /**
+   * Safe list: orderBy must be { field: string, direction: 'asc'|'desc' } and field allowed by schema.
+   * @param {string} table
+   * @param {object} [where]
+   * @param {{ field: string, direction: 'asc'|'desc' }} [orderBy]
+   */
+  async findAll(table, where = {}, orderBy = null) {
+    let sql = `SELECT * FROM "${table}"`;
+    const params = [];
+    if (Object.keys(where).length > 0) {
+      const conditions = Object.keys(where).map((k) => `"${k}" = ?`);
+      params.push(...Object.values(where));
+      sql += ` WHERE ${conditions.join(' AND ')}`;
+    }
+    if (orderBy) {
+      const dir = orderBy.direction === 'desc' ? 'DESC' : 'ASC';
+      sql += ` ORDER BY "${orderBy.field}" ${dir}`;
+    }
+    const stmt = this.db.prepare(sql);
+    return stmt.all(...params);
+  }
+
+  async transaction(callback) {
+    const run = this.db.transaction(() => {
+      return callback(this);
+    });
+    return run();
+  }
+}

package/src/runtime/auth.js

@@ -0,0 +1,64 @@
+/**
+ * Veko v1 – Auth (JWT Bearer middleware + sign helper for login)
+ */
+
+import jwt from 'jsonwebtoken';
+
+const DEV_SECRET = 'changeme-secret';
+
+function getDefaultSecret() {
+  const secret = process.env.JWT_SECRET || DEV_SECRET;
+  if (process.env.NODE_ENV === 'production' && (secret === DEV_SECRET || !process.env.JWT_SECRET)) {
+    throw new Error('JWT_SECRET must be set in production. Do not use the default secret.');
+  }
+  return secret;
+}
+
+/** Lazy so we only enforce in production when auth is actually used. */
+function defaultSecret() {
+  return getDefaultSecret();
+}
+
+/**
+ * Sign a JWT payload (e.g. for login). Uses JWT_SECRET.
+ * @param {object} payload - Claims (e.g. { sub: userId, username })
+ * @param {{ expiresIn?: string }} [opts] - Optional expiresIn (default '1h')
+ */
+export function signToken(payload, opts = {}) {
+  return jwt.sign(
+    payload,
+    defaultSecret(),
+    { algorithm: 'HS256', expiresIn: opts.expiresIn ?? '1h' }
+  );
+}
+
+/**
+ * @param {{ secret?: string }} [options]
+ */
+export function createAuth(options = {}) {
+  const secret = options.secret ?? defaultSecret();
+
+  function authMiddleware(req, res, next) {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'Unauthorized', message: 'Missing or invalid Authorization header' });
+    }
+    const token = header.slice(7);
+    try {
+      const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] });
+      req.user = decoded;
+      next();
+    } catch (err) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: err instanceof Error ? err.message : String(err),
+      });
+    }
+  }
+
+  return { authMiddleware };
+}
+
+// Default export for generated code: single middleware
+const { authMiddleware } = createAuth();
+export { authMiddleware };

package/src/runtime/errors.js

@@ -0,0 +1,63 @@
+/**
+ * Veko v1 – Consistent error type for API and DB errors
+ */
+
+export class VekoError extends Error {
+  /**
+   * @param {string} message
+   * @param {number} [status=500]
+   */
+  constructor(message, status = 500) {
+    super(message);
+    this.name = 'VekoError';
+    this.status = status;
+    if (typeof Error.captureStackTrace === 'function') {
+      Error.captureStackTrace(this, VekoError);
+    }
+  }
+}
+
+/**
+ * Normalize any thrown value to a VekoError. Preserves status if present.
+ * Maps common DB errors to user-friendly messages and status codes.
+ * @param {unknown} err
+ * @returns {VekoError}
+ */
+export function toVekoError(err) {
+  if (err instanceof VekoError) return err;
+  const status = err && typeof err === 'object' && 'status' in err ? Number(err.status) : undefined;
+  const message = err instanceof Error ? err.message : String(err);
+  const code = err && typeof err === 'object' && 'code' in err ? String(err.code) : '';
+
+  let finalStatus = status;
+  let finalMessage = message;
+
+  if (!finalStatus) {
+    if (err && typeof err === 'object' && 'type' in err && err.type === 'entity.parse.failed') {
+      finalStatus = 400;
+      finalMessage = 'Invalid JSON body';
+    } else if (code === 'SQLITE_CONSTRAINT_UNIQUE' || code === 'SQLITE_CONSTRAINT_PRIMARYKEY' || code === '23505') {
+      finalStatus = 409;
+      finalMessage = 'Resource already exists';
+    } else if (code === 'SQLITE_CONSTRAINT_FOREIGNKEY' || code === '23503') {
+      finalStatus = 400;
+      finalMessage = 'Invalid reference';
+    } else if (code === 'SQLITE_CONSTRAINT_NOTNULL' || code === '23502') {
+      finalStatus = 400;
+      finalMessage = message || 'Required value missing';
+    } else if (code === 'SQLITE_BUSY' || code === 'SQLITE_LOCKED') {
+      finalStatus = 503;
+      finalMessage = 'Database busy, please retry';
+    } else if (message && (message.includes('ECONNREFUSED') || message.includes('ENOENT'))) {
+      finalStatus = 503;
+      finalMessage = 'Service temporarily unavailable';
+    } else {
+      finalStatus = 500;
+      finalMessage = message || 'Internal server error';
+    }
+  }
+
+  return new VekoError(finalMessage, finalStatus);
+}
+
+export default VekoError;

package/src/runtime/index.js

@@ -0,0 +1,36 @@
+/**
+ * Veko v1 – Plugin interface (extensible without changing core)
+ */
+
+/**
+ * @typedef {Object} VekoPlugin
+ * @property {function(object): void} [onRouteRegister] – called when a route is registered
+ * @property {function(object): Promise<object>|object} [beforeAction] – run before action; can mutate ctx
+ * @property {function(any): Promise<any>|any} [afterAction] – run after action; can transform result
+ */
+
+/**
+ * Run beforeAction hooks in order
+ * @param {VekoPlugin[]} plugins
+ * @param {object} ctx
+ */
+export async function runBeforeAction(plugins, ctx) {
+  let current = ctx;
+  for (const p of plugins) {
+    if (p.beforeAction) current = await Promise.resolve(p.beforeAction(current)) ?? current;
+  }
+  return current;
+}
+
+/**
+ * Run afterAction hooks in order
+ * @param {VekoPlugin[]} plugins
+ * @param {any} result
+ */
+export async function runAfterAction(plugins, result) {
+  let current = result;
+  for (const p of plugins) {
+    if (p.afterAction) current = await Promise.resolve(p.afterAction(current)) ?? current;
+  }
+  return current;
+}

package/src/runtime/queryBuilder.js

@@ -0,0 +1,86 @@
+/**
+ * Veko v1 – QueryBuilder: SQL preparation logic for AOT-generated server
+ * Single place for INSERT/UPDATE/DELETE/SELECT by id. Generated code calls prepareAll() at startup.
+ */
+
+/**
+ * Build INSERT SQL for a table.
+ * @param {string} table
+ * @param {string[]} columns
+ * @param {'sqlite'|'postgres'} adapter
+ * @returns {string}
+ */
+export function insertSql(table, columns, adapter) {
+  const cols = columns.map((c) => `"${c}"`).join(', ');
+  const params = adapter === 'sqlite' ? columns.map(() => '?').join(', ') : columns.map((_, i) => `$${i + 1}`).join(', ');
+  const returning = adapter === 'postgres' ? ' RETURNING id' : '';
+  return `INSERT INTO "${table}" (${cols}) VALUES (${params})${returning}`;
+}
+
+/**
+ * Build UPDATE SQL for a table.
+ * @param {string} table
+ * @param {string[]} columns
+ * @param {'sqlite'|'postgres'} adapter
+ * @returns {string}
+ */
+export function updateSql(table, columns, adapter) {
+  if (columns.length === 0) return `UPDATE "${table}" SET id = id WHERE id = ?`;
+  const sets = adapter === 'sqlite'
+    ? columns.map((c) => `"${c}" = ?`).join(', ')
+    : columns.map((c, i) => `"${c}" = $${i + 1}`).join(', ');
+  const idParam = adapter === 'sqlite' ? '?' : `$${columns.length + 1}`;
+  return `UPDATE "${table}" SET ${sets} WHERE id = ${idParam}`;
+}
+
+/**
+ * Build DELETE SQL for a table.
+ * @param {string} table
+ * @param {'sqlite'|'postgres'} adapter
+ * @returns {string}
+ */
+export function deleteSql(table, adapter) {
+  return adapter === 'sqlite' ? `DELETE FROM "${table}" WHERE id = ?` : `DELETE FROM "${table}" WHERE id = $1`;
+}
+
+/**
+ * Build SELECT by id SQL for a table.
+ * @param {string} table
+ * @param {'sqlite'|'postgres'} adapter
+ * @returns {string}
+ */
+export function findByIdSql(table, adapter) {
+  return adapter === 'sqlite' ? `SELECT * FROM "${table}" WHERE id = ?` : `SELECT * FROM "${table}" WHERE id = $1`;
+}
+
+/**
+ * Build the PREP object used by AOT db helpers. Called once at server startup.
+ * @param {'sqlite'|'postgres'} adapterKind
+ * @param {import('./adapters/base.js').DatabaseAdapter} db - Connected adapter instance
+ * @param {Record<string, string[]>} tableCols - { TableName: ['col1','col2'], ... }
+ * @returns {Record<string, { insert: unknown, update: unknown, delete: unknown, findById: unknown }>}
+ */
+export function prepareAll(adapterKind, db, tableCols) {
+  const PREP = {};
+  for (const [table, columns] of Object.entries(tableCols)) {
+    if (adapterKind === 'sqlite') {
+      const raw = /** @type {import('./adapters/sqlite.js').SqliteAdapter} */ (db).db;
+      PREP[table] = {
+        insert: raw.prepare(insertSql(table, columns, 'sqlite')),
+        update: raw.prepare(updateSql(table, columns, 'sqlite')),
+        delete: raw.prepare(deleteSql(table, 'sqlite')),
+        findById: raw.prepare(findByIdSql(table, 'sqlite')),
+      };
+    } else {
+      PREP[table] = {
+        insert: { name: `${table}_insert`, text: insertSql(table, columns, 'postgres') },
+        update: { name: `${table}_update`, text: updateSql(table, columns, 'postgres') },
+        delete: { name: `${table}_delete`, text: deleteSql(table, 'postgres') },
+        findById: { name: `${table}_findById`, text: findByIdSql(table, 'postgres') },
+      };
+    }
+  }
+  return PREP;
+}
+
+export default { insertSql, updateSql, deleteSql, findByIdSql, prepareAll };

package/src/runtime/sugar.js

@@ -0,0 +1,76 @@
+/**
+ * Veko v1 – Sugar layer (safe table allowlist + safe orderBy + SELECT-only query)
+ * ORDER BY field must be in table schema (passed from compiler).
+ */
+
+const ALLOWED_DIRECTIONS = new Set(['asc', 'desc']);
+
+/** Allow only SELECT to prevent accidental or malicious writes via sugar.query. */
+function assertSelectOnly(sql) {
+  const trimmed = (typeof sql === 'string' ? sql : '').trim();
+  if (!trimmed.toUpperCase().startsWith('SELECT')) {
+    throw new Error(
+      'sugar.query() is restricted to SELECT statements only. Use sugar.save/update/remove for writes.'
+    );
+  }
+}
+
+/**
+ * @param {import('./adapters/sqlite.js').SqliteAdapter|import('./adapters/postgres.js').PostgresAdapter} db
+ * @param {Set<string>} knownTables
+ * @param {Record<string, string[]>} [tableColumns] - Optional map of table name → allowed column names (e.g. from compiler). Includes 'id'.
+ */
+export function createSugar(db, knownTables, tableColumns = {}) {
+  function assertTable(table) {
+    if (!knownTables.has(table)) {
+      throw new Error(`sugar: unknown table "${table}". Allowed: ${[...knownTables].join(', ')}`);
+    }
+  }
+
+  function assertOrderBy(table, orderBy) {
+    if (!orderBy || typeof orderBy !== 'object') return;
+    const { field, direction } = orderBy;
+    if (!field || typeof field !== 'string') throw new Error('orderBy.field must be a string');
+    if (!ALLOWED_DIRECTIONS.has((direction || '').toLowerCase())) {
+      throw new Error('orderBy.direction must be "asc" or "desc"');
+    }
+    assertTable(table);
+    const allowed = tableColumns[table];
+    if (allowed && !allowed.includes(field)) {
+      throw new Error(
+        `sugar: orderBy.field "${field}" is not a valid column for table "${table}". Allowed: ${allowed.join(', ')}`
+      );
+    }
+  }
+
+  return {
+    async save(table, data) {
+      assertTable(table);
+      return db.insert(table, data);
+    },
+    async all(table, where = {}, orderBy = null) {
+      assertTable(table);
+      assertOrderBy(table, orderBy);
+      return db.findAll(table, where, orderBy ? { field: orderBy.field, direction: (orderBy.direction || 'asc').toLowerCase() } : null);
+    },
+    async find(table, id) {
+      assertTable(table);
+      return db.findById(table, id);
+    },
+    async remove(table, id) {
+      assertTable(table);
+      return db.delete(table, id);
+    },
+    async update(table, id, data) {
+      assertTable(table);
+      return db.update(table, id, data);
+    },
+    async query(sql, ...params) {
+      assertSelectOnly(sql);
+      return db.query(sql, params);
+    },
+    async transaction(callback) {
+      return db.transaction(callback);
+    },
+  };
+}

package/src/runtime/validator.js

@@ -0,0 +1,71 @@
+/**
+ * Veko v1 – Validator (schema def → middleware + validate function)
+ */
+
+/**
+ * @param {string} tableName
+ * @param {Record<string,{ type: string, required?: boolean, min?: number, max?: number, enum?: string[] }>} schema
+ */
+export function createValidator(tableName, schema) {
+  function validate(data) {
+    if (data === null || typeof data !== 'object' || Array.isArray(data)) {
+      const err = new Error(`${tableName}: body must be a plain object`);
+      err.status = 400;
+      throw err;
+    }
+    const result = {};
+    for (const [key, opts] of Object.entries(schema)) {
+      const value = data[key];
+      if (value === undefined || value === null) {
+        if (opts.required !== false) {
+          const err = new Error(`${tableName}: missing required field "${key}"`);
+          err.status = 400;
+          throw err;
+        }
+        result[key] = null;
+        continue;
+      }
+      if (opts.type === 'string' && typeof value !== 'string') {
+        const err = new Error(`${tableName}: "${key}" must be a string`);
+        err.status = 400;
+        throw err;
+      }
+      if (opts.type === 'number') {
+        const n = Number(value);
+        if (!Number.isFinite(n)) {
+          const err = new Error(`${tableName}: "${key}" must be a number`);
+          err.status = 400;
+          throw err;
+        }
+        if (opts.min !== undefined && n < opts.min) throw Object.assign(new Error(`${tableName}: "${key}" must be >= ${opts.min}`), { status: 400 });
+        if (opts.max !== undefined && n > opts.max) throw Object.assign(new Error(`${tableName}: "${key}" must be <= ${opts.max}`), { status: 400 });
+        result[key] = n;
+        continue;
+      }
+      if (opts.type === 'string' || opts.type === 'enum') {
+        if (typeof value !== 'string') throw Object.assign(new Error(`${tableName}: "${key}" must be a string`), { status: 400 });
+        if (opts.min !== undefined && value.length < opts.min) throw Object.assign(new Error(`${tableName}: "${key}" too short`), { status: 400 });
+        if (opts.max !== undefined && value.length > opts.max) throw Object.assign(new Error(`${tableName}: "${key}" too long`), { status: 400 });
+        if (opts.enum && !opts.enum.includes(value)) throw Object.assign(new Error(`${tableName}: "${key}" must be one of ${opts.enum.join(', ')}`), { status: 400 });
+        result[key] = value;
+        continue;
+      }
+      result[key] = value;
+    }
+    return result;
+  }
+
+  /** Express middleware (valid handler, not a factory). */
+  function middleware(req, res, next) {
+    try {
+      req.validated = validate(req.body ?? {});
+      next();
+    } catch (err) {
+      const status = err?.status ?? 400;
+      const message = err instanceof Error ? err.message : String(err);
+      res.status(status).json({ error: message, message });
+    }
+  }
+
+  return { validate, middleware };
+}