Refactor/simplify and secure

.eslintrc.js

@@ -17,7 +17,7 @@ module.exports = {
     'no-console': 'off', // Allow console for CLI tool
     'prefer-const': 'error',
     'no-var': 'error',
-    'no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+    'no-unused-vars': ['error', { argsIgnorePattern: '^_', caughtErrors: 'none' }],
 
     // SomonScript specific rules
     'no-irregular-whitespace': 'off', // Allow Cyrillic characters
@@ -26,7 +26,10 @@ module.exports = {
     '@typescript-eslint/no-explicit-any': ['error', { ignoreRestArgs: false }],
 
     // TypeScript unused vars rule with underscore ignore pattern
-    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+    '@typescript-eslint/no-unused-vars': [
+      'error',
+      { argsIgnorePattern: '^_', caughtErrors: 'none' },
+    ],
 
     // Code quality rules
     complexity: ['warn', 15],

.github/workflows/pr-tests.yml

@@ -12,12 +12,22 @@ permissions:
 
 jobs:
   test:
-    name: Test on Node.js ${{ matrix.node-version }}
-    runs-on: ubuntu-latest
-
+    # Keep the canonical ubuntu run as "Test on Node.js 24.x" so that the required
+    # status check configured in branch protection (which was set before the OS
+    # matrix was added) still matches by name. Non-ubuntu runs carry the OS suffix.
+    name: Test on Node.js ${{ matrix.node-version }}${{ matrix.os != 'ubuntu-latest' && format(' / {0}', matrix.os) || '' }}
+    runs-on: ${{ matrix.os }}
+
+    env:
+      # husky git-hooks install is dev-only; turn it off in CI so that
+      # `npm ci` does not hit the sporadic "Exit handler never called"
+      # npm bug triggered by the `prepare` script.
+      HUSKY: 0
+
     strategy:
       fail-fast: false
       matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
         node-version: [20.x, 22.x, 23.x, 24.x]
 
     steps:
@@ -46,7 +56,7 @@ jobs:
       run: npm run test:ci
 
     - name: Upload coverage reports to Codecov
-      if: matrix.node-version == '20.x'
+      if: matrix.node-version == '20.x' && matrix.os == 'ubuntu-latest'
       uses: codecov/codecov-action@v5
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
@@ -57,7 +67,7 @@ jobs:
         verbose: true
 
     - name: Comment PR with test results
-      if: always() && matrix.node-version == '20.x'
+      if: always() && matrix.node-version == '20.x' && matrix.os == 'ubuntu-latest'
       continue-on-error: true
       uses: actions/github-script@v7
       with:
@@ -77,6 +87,8 @@ jobs:
     name: Audit Examples
     runs-on: ubuntu-latest
     needs: test
+    env:
+      HUSKY: 0
 
     steps:
     - name: Checkout

.gitignore

@@ -89,4 +89,7 @@ temp/
 # CI/CD artifacts
 codecov/
 codecov.SHA256SUM*
-example-audit-report.json
+example-audit-report.json
+
+# Gitnexus
+.gitnexus/

CLAUDE.md

@@ -16,7 +16,7 @@ type system, module system, and bundling capabilities.
 ```bash
 npm run build          # TypeScript compilation (required before running)
 npm run dev            # Watch mode for development (npm run build:watch)
-npm test               # Run full Jest test suite (326+ tests)
+npm test               # Run full Jest test suite (~840 tests)
 npm run lint           # ESLint validation
 npm run lint:fix       # Auto-fix linting issues
 npm run format         # Format code with Prettier
@@ -41,12 +41,7 @@ somon compile app.som                    # Compile to JavaScript
 somon run app.som                        # Compile and execute
 somon bundle src/main.som -o dist/app.js # Bundle modules
 somon module-info src/main.som --graph   # Analyze dependencies
-somon serve --port 8080                  # Start management server
 somon resolve "./utils" --from src/main.som # Resolve module paths
-
-# Production mode with all safety features
-somon compile app.som --production
-NODE_ENV=production somon run app.som
 ```
 
 ## Architecture
@@ -106,40 +101,22 @@ projects:
 modules internally, enabling seamless interop between compiled output and source
 modules.
 
-### Production Systems (`src/module-system/`)
-
-The module system includes comprehensive production features:
-
-- **CircuitBreakerManager** (`circuit-breaker.ts`) - Fault isolation
-  - Automatic failure detection and recovery
-  - Configurable thresholds and timeouts
-  - State tracking: closed → open → half-open
-
-- **PrometheusExporter** (`prometheus-metrics.ts`) - Metrics collection
-  - Standard Prometheus text format
-  - Module compilation metrics
-  - Cache hit/miss ratios
-  - Circuit breaker states
-  - Memory and CPU usage
-
-- **ManagementServer** (`runtime-config.ts`) - HTTP endpoints
-  - `/health` - Health status with detailed checks
-  - `/metrics` - Prometheus metrics endpoint
-  - `/ready` - Kubernetes readiness probe
-  - `/config` - Runtime configuration (GET/POST)
-  - Graceful shutdown with connection draining
-
-- **ResourceLimiter** (`resource-limiter.ts`) - Resource management
-  - Memory limits with automatic cleanup
-  - Module count limits
-  - Compilation timeouts
-  - Cache size management
-
-- **StructuredLogger** (`structured-logger.ts`) - Production logging
-  - JSON-formatted logs for aggregation
-  - Log levels: debug, info, warn, error
-  - Context preservation across operations
-  - Integration with monitoring systems
+### Minimal runtime Logger
+
+`src/module-system/logger.ts` is a small internal logger used by `ModuleLoader`
+and `ModuleSystem`. Warnings and errors go to stderr; `info`/`debug`/`trace` are
+suppressed unless `SOMON_DEBUG=1`. Pre-built singletons exist
+(`moduleSystemLogger`, `moduleLoaderLogger`, etc.) so call sites do not have to
+pick a component name.
+
+> **Historical note:** earlier revisions of this project carried a
+> production-ops surface under `src/module-system/` (circuit breakers,
+> Prometheus exporter, management HTTP server with `/health` `/ready` `/metrics`
+> `/config`, resource limiter, structured logger, a `somon serve` subcommand).
+> That ~2,300 LOC had no user story outside the test fixtures and shipped
+> several real security issues (unauthenticated `/config`, wide-open CORS). It
+> was deleted in commit `refactor(module-system): remove production subsystems`.
+> Do not reintroduce this pattern into a CLI transpiler.
 
 ### Configuration System
 
@@ -150,18 +127,7 @@ The module system includes comprehensive production features:
   "compilerOptions": { "target": "es2020", "sourceMap": true },
   "moduleSystem": {
     "resolution": { "baseUrl": ".", "extensions": [".som", ".js"] },
-    "loading": { "circularDependencyStrategy": "warn" },
-    "metrics": true,
-    "circuitBreakers": true,
-    "logger": true,
-    "managementServer": true,
-    "managementPort": 8080,
-    "resourceLimits": {
-      "maxMemory": 512,
-      "maxModules": 1000,
-      "maxCacheSize": 100,
-      "compilationTimeout": 5000
-    }
+    "loading": { "circularDependencyStrategy": "warn" }
   },
   "bundle": { "format": "commonjs", "minify": false }
 }

README.md

@@ -398,7 +398,6 @@ somon init my-project
 somon bundle src/main.som
 somon module-info src/main.som
 somon resolve "./utils"
-somon serve --port 8080
 ```
 
 </td>
@@ -486,9 +485,6 @@ somon run app.som
 # Initialize new project
 somon init my-project
 
-# Start management server for monitoring
-somon serve --port 8080
-
 # Get help
 somon --help
 somon compile --help
@@ -534,178 +530,8 @@ Source Code (.som)
 - **Type Checker**: Advanced static analysis with inference
 - **Code Generator**: Produces clean, optimized JavaScript
 - **CLI**: Developer-friendly command-line interface
-- **Module System**: Production-grade module resolution and bundling
-- **Production Systems**: Circuit breakers, metrics, health checks
-
----
-
-## 🔒 Production Features
-
-### **Enterprise-Grade Reliability**
-
-SomonScript includes comprehensive production features for enterprise
-deployment:
-
-#### **Operational Visibility**
-
-```bash
-# Start management server with health checks and metrics
-somon serve --port 8080
-
-# Access endpoints:
-curl http://localhost:8080/health  # Health status
-curl http://localhost:8080/metrics # Prometheus metrics
-curl http://localhost:8080/ready   # Readiness probe
-```
-
-#### **Production Mode**
-
-```bash
-# Enable all production features
-somon compile app.som --production
-somon bundle app.som --production
-
-# Or via environment
-NODE_ENV=production somon run app.som
-```
-
-Production mode enforces:
-
-- ✅ Circuit breakers for fault tolerance
-- ✅ Structured logging with levels
-- ✅ Resource limits and timeout protection
-- ✅ Prometheus metrics collection
-- ✅ Graceful shutdown handling
-- ✅ Memory and CPU monitoring
-
-#### **Circuit Breakers**
-
-Automatic fault isolation for resilient operations:
-
-```json
-{
-  "moduleSystem": {
-    "circuitBreakers": true,
-    "failureThreshold": 5,
-    "recoveryTimeout": 30000
-  }
-}
-```
-
-#### **Resource Management**
-
-```json
-{
-  "moduleSystem": {
-    "resourceLimits": {
-      "maxMemory": 512, // MB
-      "maxModules": 1000,
-      "maxCacheSize": 100, // MB
-      "compilationTimeout": 5000 // ms
-    }
-  }
-}
-```
-
-#### **Metrics & Monitoring**
-
-Built-in Prometheus metrics exporter:
-
-- Module compilation times
-- Cache hit/miss ratios
-- Circuit breaker states
-- Memory usage patterns
-- Error rates and types
-
-#### **Health Checks**
-
-```json
-// GET /health response
-{
-  "status": "healthy",
-  "version": "0.3.36",
-  "uptime": 3600,
-  "checks": [
-    { "name": "memory", "status": "pass" },
-    { "name": "cache", "status": "pass" },
-    { "name": "circuitBreakers", "status": "pass" }
-  ]
-}
-```
-
----
-
-## 🚀 Production Deployment
-
-### **Production Mode**
-
-SomonScript includes comprehensive production features activated with the
-`--production` flag:
-
-```bash
-# Compile with production mode
-somon compile app.som --production
-
-# Run with production mode
-somon run app.som --production
-
-# Bundle with production mode
-somon bundle app.som --production
-
-# Or use environment variable
-NODE_ENV=production somon compile app.som
-```
-
-**Production mode automatically enables:**
-
-- ✅ Environment validation (Node version, permissions)
-- ✅ Circuit breakers for fault tolerance
-- ✅ Resource limits (memory, file handles)
-- ✅ Structured JSON logging
-- ✅ Metrics collection
-- ✅ Graceful shutdown handling
-
-### **Deployment Options**
-
-#### **Docker**
-
-```bash
-docker run -d \
-  --name somon \
-  -p 8080:8080 \
-  -e NODE_ENV=production \
-  somon-script:latest
-```
-
-#### **Kubernetes**
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: somon-script
-spec:
-  replicas: 3
-  template:
-    spec:
-      containers:
-        - name: somon
-          image: somon-script:latest
-          env:
-            - name: NODE_ENV
-              value: production
-```
-
-#### **Systemd**
-
-```bash
-# Install service
-sudo cp somon-script.service /etc/systemd/system/
-sudo systemctl enable somon-script
-sudo systemctl start somon-script
-```
-
-📖 **Full deployment guide**: [DEPLOYMENT.md](DEPLOYMENT.md)
+- **Module System**: Module resolution, cyclic-dependency detection, and a
+  CommonJS bundler
 
 ---