feat: add experimental bridge-compiler package — compiles bridge files into JavaScript

.changeset/rename-parser-and-compiler.md

@@ -0,0 +1,8 @@
+---
+"@stackables/bridge-parser": minor
+"@stackables/bridge-compiler": major
+---
+
+Rename `@stackables/bridge-compiler` to `@stackables/bridge-parser` (parser, serializer, language service). The new `@stackables/bridge-compiler` package compiles BridgeDocument into optimized JavaScript code with abort signal support, tool timeout, and full language feature parity.
+
+bridge-parser first release will continue from current bridge-compiler version 1.0.6. New version of bridge-compiler will jump to 2.0.0 to mark a breaking change in the package purpose

.github/codeql/codeql-config.yml

@@ -0,0 +1,15 @@
+# CodeQL Configuration
+#
+# The bridge-compiler package IS an AOT compiler — its codegen.ts file
+# generates JavaScript source strings from a fully-parsed, validated
+# Bridge AST. This is the core purpose of the package, not a security flaw.
+#
+# CodeQL's js/code-injection query correctly flags dynamic code construction
+# as a pattern worth reviewing; after review the usage in these files is
+# intentional and safe. No raw external / user input is ever spliced into
+# the generated output — all interpolated values originate from deterministic
+# AST walks over a Chevrotain-parsed, type-checked document.
+
+paths-ignore:
+  - packages/bridge-compiler/src/codegen.ts
+  - packages/bridge-compiler/build/**

.github/workflows/codeql.yml

@@ -0,0 +1,42 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "27 2 * * 3"
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.gitignore

@@ -10,3 +10,8 @@ coverage
 packages/*/lcov.info
 profiles/
 isolate-*.log
+
+# Build artifacts that may land in src/ during cross-package compilation
+packages/*/src/**/*.js
+packages/*/src/**/*.d.ts
+packages/*/src/**/*.d.ts.map

README.md

@@ -12,7 +12,8 @@ The Bridge engine parses your wiring diagram, builds a dependency graph, and exe
 
 - [See our roadmap](https://github.com/stackables/bridge/milestones)
 - [Feedback in the discussions](https://github.com/stackables/bridge/discussions/1)
-- [Performance report](./docs/performance.md)
+- [Performance report - interpreter](./packages/bridge-core/performance.md)
+- [Performance report - compiler](./packages/bridge-compiler/performance.md)
 
 ### How it looks
 

SECURITY.md

@@ -1,16 +1,21 @@
 # Security Policy
 
-Security is a top priority for us, especially since it functions as an egress gateway handling sensitive context (like API keys) and routing HTTP traffic.
+Security is a top priority for us, especially since The Bridge functions as an egress gateway handling sensitive context (like API keys) and routing HTTP traffic.
 
 ## Supported Versions
 
-Please note that The Bridge is currently in **Developer Preview (v1.x)**.
+| Package                       | Version | Supported          | Notes                                                |
+| ----------------------------- | ------- | ------------------ | ---------------------------------------------------- |
+| `@stackables/bridge`          | 2.x.x   | :white_check_mark: | Umbrella package — recommended for most users        |
+| `@stackables/bridge-core`     | 1.x.x   | :white_check_mark: | Execution engine                                     |
+| `@stackables/bridge-parser`   | 1.x.x   | :white_check_mark: | Parser & language service                            |
+| `@stackables/bridge-compiler` | 2.x.x   | :warning:          | AOT compiler — pre-stable, API may change            |
+| `@stackables/bridge-stdlib`   | 1.x.x   | :white_check_mark: | Standard library tools (`httpCall`, strings, arrays) |
+| `@stackables/bridge-graphql`  | 1.x.x   | :white_check_mark: | GraphQL schema adapter                               |
+| `@stackables/bridge-types`    | 1.x.x   | :white_check_mark: | Shared type definitions                              |
+| `bridge-syntax-highlight`     | 1.x.x   | :white_check_mark: | VS Code extension                                    |
 
-While we take security seriously and patch vulnerabilities as quickly as possible, v1.x is a public preview and is **not recommended for production use**. We will introduce strict security patch backporting starting with our stable v2.0.0 release.
-
-| Version | Supported | Notes |
-| --- | --- | --- |
-| 1.x.x | :white_check_mark: | Active Developer Preview. Patches applied to latest minor/patch. |
+Security patches are applied to the latest minor/patch of each supported major version.
 
 ## Reporting a Vulnerability
 
@@ -20,21 +25,27 @@ If you discover a security vulnerability within The Bridge, please report it at
 
 Please include the following in your report:
 
-* A description of the vulnerability and its impact.
-* Steps to reproduce the issue (a minimal `.bridge` file and GraphQL query is highly appreciated).
-* Any potential mitigation or fix you might suggest.
+- A description of the vulnerability and its impact.
+- Steps to reproduce the issue (a minimal `.bridge` file and GraphQL query is highly appreciated).
+- Any potential mitigation or fix you might suggest.
 
 We will acknowledge receipt of your vulnerability report within 48 hours and strive to send you regular updates about our progress.
 
 ## Scope & Threat Model
 
+For a comprehensive analysis of trust boundaries, attack surfaces, and mitigations across all packages, see our full [Security Threat Model](docs/threat-model.md).
+
 Because The Bridge evaluates `.bridge` files and executes HTTP requests, we are particularly interested in reports concerning:
 
-* **Credential Leakage:** Bugs that could cause secrets injected via `context` to be exposed in unauthorized logs, traces, or unmapped GraphQL responses.
-* **Engine Escapes / RCE:** Vulnerabilities where a malicious `.bridge` file or dynamic input could break out of the engine sandbox and execute arbitrary code on the host.
-* **SSRF (Server-Side Request Forgery):** Unexpected ways dynamic input could manipulate the `httpCall` tool to query internal network addresses not explicitly defined in the `.bridge` topology.
+- **Credential Leakage:** Bugs that could cause secrets injected via `context` to be exposed in unauthorized logs, traces, or unmapped GraphQL responses.
+- **Engine Escapes / RCE:** Vulnerabilities where a malicious `.bridge` file or dynamic input could break out of the engine sandbox and execute arbitrary code on the host. This includes the AOT compiler (`bridge-compiler`) which uses `new AsyncFunction()` for code generation.
+- **SSRF (Server-Side Request Forgery):** Unexpected ways dynamic input could manipulate the `httpCall` tool to query internal network addresses not explicitly defined in the `.bridge` topology.
+- **Prototype Pollution:** Bypasses of the `UNSAFE_KEYS` blocklist (`__proto__`, `constructor`, `prototype`) in `setNested`, `applyPath`, or `lookupToolFn`.
+- **Cache Poisoning:** Cross-tenant data leakage through the `httpCall` response cache.
+- **Playground Abuse:** Vulnerabilities in the browser-based playground or share API that could lead to data exfiltration or resource exhaustion.
 
 **Out of Scope:**
 
-* Hardcoding API keys directly into `.bridge` files or GraphQL schemas and committing them to version control. (This is a user configuration error, not an engine vulnerability).
-* Writing bridge files that send sensitive info from the context to malicious server deliberately (Writing insecure instructions is not a crime)
+- Hardcoding API keys directly into `.bridge` files or GraphQL schemas and committing them to version control. (This is a user configuration error, not an engine vulnerability.)
+- Writing bridge files that send sensitive info from the context to a malicious server deliberately. (Writing insecure instructions is not a framework vulnerability.)
+- GraphQL query depth / complexity attacks — these must be mitigated at the GraphQL server layer (Yoga/Apollo), not within The Bridge engine.