---

Veko v1

An AOT-optimized DSL engine for Node.js that compiles high-level schemas and actions into lean, JIT-friendly JavaScript. Build production-ready APIs with Go-like performance and the flexibility of Node.js.

• Ahead-of-Time (AOT) Compilation — Your .vk DSL is compiled to static Express route handlers. No runtime interpretation, no eval, no middleware overhead.
• Security Audited — Prototype pollution guards, strict type validation, parameterized SQL, and JWT algorithm enforcement are built in and verified.
• High Concurrency — SQLite WAL mode, prepared statements, and configurable busy_timeout for 13k+ RPS under load.

---

Table of Contents

• Benchmarks
• Key Features
• Installation
• Quick Start
• DSL Overview
• Commands
• Security
• License

---

Benchmarks

Veko v1 is built for throughput. All numbers from autocannon on typical hardware (single process, SQLite WAL).

Scenario	Veko v1 AOT	Typical Express	Advantage
Plain ping (no DB)	~22,000+ RPS	~2,000–3,000 RPS	~4×–5×
DB read (SQLite, 100 conn)	13,143 RPS	~2,500–4,000 RPS	~4×
Avg latency (DB read)	~7 ms	~25–50 ms	Lower tail latency

Run your own: npm run build → node generated/server.js → autocannon -c 100 -d 30 http://localhost:3000/db-test (seed DB first with node test/seed-db.js).

---

Key Features

Feature	Description
AOT Compilation	DSL compiles directly to optimized route handlers. No middleware stack, no runtime schema loops.
Built-in Security	Passed security audit: prototype pollution protection, strict type validation, parameterized AOT queries, JWT algorithm enforcement and secret guards.
Database	Native SQLite and PostgreSQL support. WAL mode, busy_timeout, and retry-friendly design for high concurrency.
Type-Safe DSL	data blocks with String, Number, Boolean, Enum, optional fields, and min/max constraints. Generated TypeScript types.
Pipeline Routing	auth, validate(Schema), and action steps in a single declarative route block.

---

Installation

From source (development):

git clone <your-repo-url>
cd veko
npm install

Prerequisites: Node.js 18+. Uses ESM and optional tsx for dev.

---

Quick Start

1. Build the project (compile .vk → generated/server.js):

npx veko build

2. Run the generated server:

node generated/server.js

3. (Optional) Apply migrations and use dev mode:

npx veko migrate
npx veko dev   # watch + hot restart

---

DSL Overview

Your API lives in .vk files: data (schemas), do (actions), and route (HTTP pipelines).

Data (schemas)

data User {
    username: String(min:3, max:50),
    email: String(max:255),
    role: Enum(admin|editor|viewer),
    age: Number(min:0, max:150)?
}

data Post {
    title: String(min:1, max:200),
    content: String(max:5000),
    status: Enum(draft|published|archived),
    authorId: Number
}

Do blocks (business logic)

Use the sugar API for safe, allowlisted CRUD and SELECT-only raw queries:

do listUsers(data) {
    return sugar.all('User');
}

do createUser(data) {
    return sugar.save('User', data);
}

do getUser(data) {
    const id = parseInt(data.id ?? data.params?.id);
    const user = sugar.find('User', id);
    if (!user) throw Object.assign(new Error('User not found'), { status: 404 });
    return user;
}

do listPosts(data) {
    return sugar.query(
        `SELECT p.*, u.username as authorName
         FROM "Post" p
         LEFT JOIN "User" u ON p.authorId = u.id
         ORDER BY p.id DESC`
    );
}

Routes (pipelines)

Chain auth, validate(Schema), and action names:

route {
    GET    "/ping"       => ping
    GET    "/db-test"    => dbTest

    POST   "/login"      => login
    POST   "/register"   => validate(User), createUser

    GET    "/users"      => listUsers
    GET    "/users/:id"  => getUser
    POST   "/users"      => auth, validate(User), createUser

    GET    "/posts"      => listPosts
    POST   "/posts"      => auth, validate(Post), createPost
    DELETE "/posts/:id"  => auth, deletePost
}

Imports

Compose multiple .vk files from your entry (e.g. api.vk):

import "./models.vk"
import "./handlers.vk"

---

Commands

Command	Description
npx veko build	Compile api.vk → generated/server.js + generated/types.d.ts.
npx veko dev	Watch .vk files, rebuild and restart the server (hot reload).
npx veko check	Static analysis: schema integrity, security scan, circular deps.
npx veko migrate	Apply SQL migrations. Use -t for test DB.

---

Project structure

The framework is organized for clarity and scalability:

Path	Purpose
src/core/	Shared config and constants (e.g. defaults.js).
src/compiler/	Compiler entry (compile.js) and subpackages:
src/compiler/parse/	Lexer, parser, and source utilities.
src/compiler/codegen/	AOT code generation and validation codegen.
src/compiler/resolve/	Module resolution and AST merging for .vk imports.
src/runtime/	Runtime used by generated server (adapters, auth, errors, etc.).
src/cli/	CLI commands: build, dev, check, migrate.

Generated output goes to generated/server.js and generated/types.d.ts.

---

Security

Veko v1 is designed and audited for production use:

• Prototype pollution protection — Request context uses validated/null-prototype data; schema iteration does not rely on user-controlled keys.
• Strict type validation — AOT-generated validators with number coercion guards and enum allowlists.
• SQL injection prevention — All table CRUD uses prepared statements; sugar.query is SELECT-only and parameterized; AOT allowlist protects findAll column names.
• JWT security — Algorithm restricted to HS256; authorization header normalized (array/string); no algorithm confusion.
• Database — SQLite WAL + busy_timeout for predictable behavior under contention; no raw string interpolation in generated SQL.

---

License

MIT License

Copyright (c) 2024–2026 Wai Wai Naing.

See the LICENSE file for full text.