@axiomify/cli 5.0.0 → 6.0.0

package/README.md

@@ -1,89 +1,158 @@
 # @axiomify/cli
 
-The Axiomify command-line interface — scaffold projects, run the dev server, and inspect routes.
+
+[![npm version](https://img.shields.io/npm/v/@axiomify/cli.svg)](https://npmjs.com/package//@axiomify/cli)
+[![codecov](https://codecov.io/github/otopman/axiomify/graph/badge.svg)](https://codecov.io/github/otopman/axiomify)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/OTopman/axiomify/badge)](https://securityscorecards.dev/viewer/?uri=github.com/OTopman/axiomify)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+The official CLI for the Axiomify framework — scaffold projects, run the
+dev server, build production bundles, inspect routes, generate OpenAPI
+specs, and audit production readiness.
 
 ## Install
 
 ```bash
-npm install -g @axiomify/cli
-# or use without installing:
+npm install -D @axiomify/cli
+# or invoke without installing:
 npx @axiomify/cli init my-api
 ```
 
-## Commands
+Per-project install is recommended so the CLI version stays pinned to
+the same major as your `@axiomify/*` runtime packages.
+
+## Commands at a glance
 
-### `axiomify init <name>`
+| Command | Purpose |
+|---|---|
+| `axiomify init [directory]` | Bootstrap a new project |
+| `axiomify dev [entry]` | Hot-reload dev server (esbuild watch) |
+| `axiomify build [entry]` | Compile a production bundle to `dist/` |
+| `axiomify routes [entry]` | Inspect every HTTP + WebSocket route |
+| `axiomify openapi [entry]` | Generate the OpenAPI 3.0.3 spec |
+| `axiomify check [entry]` | Static production-readiness audit |
+| `axiomify doctor` | Diagnose the host environment |
 
-Scaffolds a new Axiomify project with your chosen adapter.
+`[entry]` defaults to `src/index.ts` everywhere it's accepted.
+
+For the full reference (flags, exit codes, CI examples), see
+[`[./docs/packages/cli.md](./docs/packages/cli.md)`](https://github.com/OTopman/axiomify/blob/main/docs/packages/cli.md).
+
+## `axiomify init`
 
 ```bash
 axiomify init my-api
 ```
 
-Prompts:
+Interactive scaffolder. Prompts for project name (when no directory
+argument is given), description, package manager (npm / pnpm / yarn),
+optional ESLint + Prettier + EditorConfig, git initialisation, and
+whether to run install automatically.
+
+The generated `src/index.ts` registers `helmet`, `cors`, `security`,
+`rate-limit`, `fingerprint`, and `logger` with sane defaults. Pass
+`-f, --force` to overwrite existing files.
 
-1. **Adapter** — Native (uWS, fastest) *(default)*, Fastify, Express, Hapi, or Node HTTP
-2. **Plugins** — Auth, CORS, Helmet, Rate Limit, Metrics, Logger, OpenAPI (multi-select)
-3. **Language** — TypeScript *(default)* or JavaScript
+## `axiomify dev` / `axiomify build`
 
-Generates:
+```bash
+axiomify dev               # watches src/, restarts on change
+axiomify build             # bundles to dist/index.js
 ```
-my-api/
-├── src/
-│   ├── index.ts          # Entry point with chosen adapter
-│   ├── routes/           # Example routes
-│   └── plugins/          # Plugin configuration
-├── package.json
-├── tsconfig.json
-└── README.md
+
+Both use esbuild. `dev` sends SIGTERM first so your `gracefulShutdown`
+hooks can drain, with a SIGKILL fallback after 3 seconds.
+
+## `axiomify routes`
+
+Inspects the app *without* booting a listener. Prints a
+Unicode-bordered table with colour-coded HTTP methods, validation
+badges, OpenAPI tags + `operationId`, plugin count, timeout, and
+deprecation marker.
+
 ```
+  🧭 Axiomify routes
+
+┌─────────┬──────────────────────┬───────────────┬───────────────────────────────────────┐
+│ METHOD  │ PATH                 │ VALIDATION    │ META                                  │
+├─────────┼──────────────────────┼───────────────┼───────────────────────────────────────┤
+│ WS      │ /chat                │ Message       │ —                                     │
+│ GET     │ /health              │ —             │ —                                     │
+│ POST    │ /users ⊘ DEPRECATED  │ Body,Response │ op:createUser #Users 5000ms +1 plugin │
+│ GET     │ /users/:id           │ Params        │ op:getUser #Users                     │
+│ DELETE  │ /users/:id           │ Params        │ —                                     │
+└─────────┴──────────────────────┴───────────────┴───────────────────────────────────────┘
+
+  ✓ 5 routes   DELETE 1 · GET 2 · POST 1 · WS 1
+    └ 1 WebSocket route included
+```
+
+Flags: `--json`, `--method GET,POST,WS`, `--filter "/api/v1/*"`,
+`--sort path|method`.
 
-### `axiomify dev`
+WebSocket routes (`app.ws(...)`) appear under the `WS` pseudo-method
+alongside HTTP routes — earlier CLI versions silently omitted them.
 
-Starts the development server with hot-reload powered by esbuild.
+## `axiomify openapi`
 
 ```bash
-axiomify dev                 # watches src/, rebuilds on change
-axiomify dev --port 4000     # custom port
-axiomify dev --debug         # verbose logging
+axiomify openapi                          # stdout, pretty JSON
+axiomify openapi -o openapi.json
+axiomify openapi --format yaml -o api.yml
+axiomify openapi --minify > spec.min.json
+axiomify openapi --title "My API" --spec-version "$(git describe)"
 ```
 
-### `axiomify build`
+Generates the OpenAPI 3.0.3 spec from the app's registered routes.
+Useful in CI for client codegen pipelines (`openapi-typescript`,
+`openapi-generator`, `oazapfts`) without booting an HTTP listener.
+
+Requires `@axiomify/openapi` to be installed; dynamic-imports it at
+runtime and prints a clean error if missing.
 
-Compiles the application for production.
+## `axiomify check`
 
 ```bash
-axiomify build               # outputs to dist/
-axiomify build --minify      # minified output
-axiomify build --sourcemap   # include source maps
+axiomify check
 ```
 
-### `axiomify routes`
+Static production-readiness audit. Loads the app (no listener) and
+flags:
+
+- ✓ pass — configuration is correct
+- ⚠ warn — non-fatal smell
+- ✗ fail — real defect that blocks ship
+
+Checks include: `enableRequestId()` called, env vars referenced in
+source actually set, routes with body schemas declare response schemas,
+no deprecated `meta:` field usage, health check registered, OpenAPI docs
+protected, security plugins active.
 
-Visualises all registered routes in a table.
+Exit code 1 on any fail — wire into CI to gate deploys.
+
+## `axiomify doctor`
 
 ```bash
-axiomify routes
-
-┌─────────────────────────────────────┬────────┬───────────────────────────────┐
-│ Path                                │ Method │ Plugins                       │
-├─────────────────────────────────────┼────────┼───────────────────────────────┤
-│ /users                              │ GET    │ requireAuth, rateLimiter       │
-│ /users                              │ POST   │ requireAuth                   │
-│ /users/:id                          │ GET    │ requireAuth                   │
-│ /auth/login                         │ POST   │ loginRateLimit                │
-│ /auth/refresh                       │ POST   │ refreshRateLimit              │
-│ /health                             │ GET    │ —                             │
-│ /metrics                            │ GET    │ —                             │
-└─────────────────────────────────────┴────────┴───────────────────────────────┘
+axiomify doctor
 ```
 
-## Adapter choices in `axiomify init`
+Diagnoses the host environment: Node version vs uWS prebuilt support,
+platform (Linux ✓ for `SO_REUSEPORT` clustering), `@axiomify/*` package
+alignment, uWS bindings load successfully, recent build artefact, port
+3000 (or `$PORT`) availability.
+
+Run on a fresh clone or new CI runner before chasing test failures that
+turn out to be Node-version mismatches.
+
+## CI example
+
+```yaml
+- run: npx axiomify doctor    # environment sanity
+- run: npx axiomify check     # static readiness audit
+- run: npx axiomify build
+- run: npx axiomify openapi -o ./openapi.json --spec-version "$GITHUB_SHA"
+- run: npx axiomify routes --json > routes.json   # surface snapshot
+```
 
-| Adapter | Req/s (1 core) | Use case |
-|---|---:|---|
-| **Native (uWS)** | ~50k | Maximum throughput, production APIs |
-| **Fastify** | ~10k | Recommended default — best ecosystem balance |
-| **Express** | ~5k | Legacy migration, Express middleware ecosystem |
-| **Hapi** | ~5k | Enterprise Hapi plugin ecosystem |
-| **Node HTTP** | ~10k | Zero dependencies, edge/serverless |
+Diff `routes.json` between commits to detect accidental API changes
+before they reach production.

package/dist/chunk-YZPZCUKZ.mjs

@@ -0,0 +1,41 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __glob = (map) => (path) => {
+  var fn = map[path];
+  if (fn) return fn();
+  throw new Error("Module not found in bundle: " + path);
+};
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+export { __commonJS, __esm, __glob, __require, __toESM };

package/dist/dist-SYWHGZLI.mjs

@@ -0,0 +1,344 @@
+import { __require } from './chunk-YZPZCUKZ.mjs';
+
+// ../openapi/dist/index.mjs
+var __require2 = /* @__PURE__ */ ((x) => typeof __require !== "undefined" ? __require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof __require !== "undefined" ? __require : a)[b]
+}) : x)(function(x) {
+  if (typeof __require !== "undefined") return __require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+function zodSchemaToOpenApi(schema) {
+  const s = schema;
+  if (typeof s.toJSONSchema === "function") {
+    const full = s.toJSONSchema({ target: "openApi3_1" });
+    const { $schema: _dropped, ...rest } = full;
+    return rest;
+  }
+  try {
+    const { zodToJsonSchema } = __require2("zod-to-json-schema");
+    return zodToJsonSchema(schema, { target: "openApi3" });
+  } catch {
+    return { type: "object" };
+  }
+}
+function isZodSchema(value) {
+  return typeof value === "object" && value !== null && typeof value.safeParse === "function";
+}
+var OpenApiGenerator = class {
+  constructor(app, options) {
+    this.app = app;
+    this.options = options;
+  }
+  app;
+  options;
+  generate() {
+    const spec = {
+      openapi: "3.1.0",
+      info: this.options.info,
+      paths: {}
+    };
+    if (this.options.components) spec.components = this.options.components;
+    if (this.options.security) spec.security = this.options.security;
+    for (const route of this.app.registeredRoutes) {
+      const openApiPath = this.formatPath(route.path);
+      const method = route.method.toLowerCase();
+      const paths = spec.paths;
+      if (!paths[openApiPath]) paths[openApiPath] = {};
+      const s = route.schema ?? {};
+      const operation = {
+        // OAS §4.8.10.2 — summary. Defaults to `${method} ${path}`.
+        summary: s.summary ?? `${route.method} ${route.path}`,
+        // OAS §4.8.10.5 — operationId for client codegen tools.
+        // Auto-synthesised from method+path when omitted:
+        //   GET /users/:id → "getUsersById"   POST /users → "postUsers"
+        operationId: s.operationId ?? this.synthesiseOperationId(route.method, route.path),
+        parameters: this.extractParameters(route),
+        responses: this.extractResponses(route)
+      };
+      if (s.description) operation.description = s.description;
+      if (s.tags) operation.tags = s.tags;
+      if (s.security !== void 0) operation.security = s.security;
+      if (s.deprecated) operation.deprecated = true;
+      if (s.externalDocs) operation.externalDocs = s.externalDocs;
+      if (s.servers) operation.servers = s.servers;
+      if (s.callbacks) operation.callbacks = s.callbacks;
+      const body = this.extractBody(route);
+      if (body) {
+        if (s.requestBodyDescription) body.description = s.requestBodyDescription;
+        operation.requestBody = body;
+      }
+      paths[openApiPath][method] = operation;
+    }
+    return spec;
+  }
+  /** Translates Axiomify path syntax to OpenAPI: `/users/:id` → `/users/{id}` */
+  formatPath(path) {
+    return path.replace(/:([a-zA-Z0-9_]+)/g, "{$1}");
+  }
+  extractParameters(route) {
+    const parameters = [];
+    if (route.schema?.params) {
+      const paramSchema = zodSchemaToOpenApi(route.schema.params);
+      const properties = paramSchema.properties ?? {};
+      for (const [key, prop] of Object.entries(properties)) {
+        parameters.push({ name: key, in: "path", required: true, schema: prop });
+      }
+    }
+    if (route.schema?.query) {
+      const querySchema = zodSchemaToOpenApi(route.schema.query);
+      const properties = querySchema.properties ?? {};
+      const required = querySchema.required ?? [];
+      for (const [key, prop] of Object.entries(properties)) {
+        parameters.push({
+          name: key,
+          in: "query",
+          required: required.includes(key),
+          schema: prop
+        });
+      }
+    }
+    return parameters;
+  }
+  /**
+   * Synthesise a stable, codegen-friendly operationId from method+path
+   * when the route definition doesn't supply one. Example outputs:
+   *   GET  /users/:id            → getUsersById
+   *   POST /users                → postUsers
+   *   GET  /users/:id/posts/:pid → getUsersByIdPostsByPid
+   *
+   * Determinism matters here — client codegen produces the same function
+   * names on every run as long as method+path are stable.
+   */
+  synthesiseOperationId(method, path) {
+    const verb = method.toLowerCase();
+    const parts = [];
+    for (const seg of path.split("/")) {
+      if (!seg) continue;
+      if (seg.startsWith(":")) {
+        const name = seg.slice(1);
+        parts.push("By", name.charAt(0).toUpperCase() + name.slice(1));
+      } else if (seg === "*") {
+        parts.push("All");
+      } else {
+        parts.push(seg.charAt(0).toUpperCase() + seg.slice(1));
+      }
+    }
+    return verb + parts.join("");
+  }
+  extractBody(route) {
+    if (!route.schema?.body && !route.schema?.files) return void 0;
+    const hasFiles = !!route.schema.files;
+    const contentType = hasFiles ? "multipart/form-data" : "application/json";
+    let finalSchema = { type: "object", properties: {} };
+    if (route.schema.body) {
+      const bodySchema = zodSchemaToOpenApi(route.schema.body);
+      if (bodySchema.type === "object") {
+        finalSchema.properties = { ...bodySchema.properties };
+        if (bodySchema.required) finalSchema.required = bodySchema.required;
+        if (bodySchema.additionalProperties !== void 0) {
+          finalSchema.additionalProperties = bodySchema.additionalProperties;
+        }
+      } else {
+        finalSchema = hasFiles ? { type: "object", properties: { payload: bodySchema } } : bodySchema;
+      }
+    }
+    if (hasFiles) {
+      const files = route.schema.files;
+      const props = finalSchema.properties ?? {};
+      for (const [fieldName, config] of Object.entries(files)) {
+        props[fieldName] = {
+          type: "string",
+          format: "binary",
+          ...config.description ? { description: config.description } : {},
+          ...config.maxSize ? { description: `Max size: ${config.maxSize} bytes` } : {}
+        };
+      }
+      finalSchema.properties = props;
+    }
+    return { required: true, content: { [contentType]: { schema: finalSchema } } };
+  }
+  extractResponses(route) {
+    const descriptions = route.schema?.responseDescriptions ?? {};
+    const defaultResponse = {
+      "200": {
+        description: descriptions["200"] ?? "Successful response",
+        content: { "application/json": { schema: { type: "object" } } }
+      }
+    };
+    if (!route.schema?.response) return defaultResponse;
+    const responseSchema = route.schema.response;
+    const responses = {};
+    if (isZodSchema(responseSchema)) {
+      responses["200"] = {
+        description: descriptions["200"] ?? "Successful response",
+        content: {
+          "application/json": { schema: zodSchemaToOpenApi(responseSchema) }
+        }
+      };
+    } else if (typeof responseSchema === "object" && responseSchema !== null) {
+      for (const [code, schema] of Object.entries(
+        responseSchema
+      )) {
+        responses[code] = {
+          description: descriptions[code] ?? `Response ${code}`,
+          content: {
+            "application/json": { schema: zodSchemaToOpenApi(schema) }
+          }
+        };
+      }
+    }
+    return Object.keys(responses).length > 0 ? responses : defaultResponse;
+  }
+};
+var DOCS_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: https://validator.swagger.io; worker-src 'self' blob:;";
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function escapeJsString(s) {
+  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
+}
+function defineSecuritySchemes(schemes) {
+  return {
+    schemes,
+    require: (name, scopes = []) => [{ [name]: scopes }],
+    requireMultiple: (requirements) => {
+      const combined = {};
+      requirements.forEach((req) => {
+        combined[req] = [];
+      });
+      return [combined];
+    }
+  };
+}
+var Security = defineSecuritySchemes({
+  bearerAuth: { type: "http", scheme: "bearer" },
+  apiKey: { type: "apiKey", in: "header", name: "X-API-KEY" },
+  basicAuth: { type: "http", scheme: "basic" }
+});
+function inferSchemaFromPayload(data, depth = 0) {
+  if (depth > 32) return { type: "object" };
+  if (data === null) return { type: "null" };
+  if (Array.isArray(data)) {
+    return {
+      type: "array",
+      items: data.length > 0 ? inferSchemaFromPayload(data[0], depth + 1) : { type: "object" }
+    };
+  }
+  if (typeof data === "object") {
+    const properties = {};
+    for (const [key, value] of Object.entries(data)) {
+      properties[key] = inferSchemaFromPayload(value, depth + 1);
+    }
+    return { type: "object", properties };
+  }
+  return { type: typeof data };
+}
+function useOpenAPI(app, options) {
+  const rawPrefix = options.prefix ?? "/docs";
+  const normalizedPrefix = rawPrefix.startsWith("/") ? rawPrefix : `/${rawPrefix}`;
+  const prefix = normalizedPrefix === "/" ? "/" : normalizedPrefix.endsWith("/") ? normalizedPrefix.slice(0, -1) : normalizedPrefix;
+  const docsPaths = prefix === "/" ? ["/"] : [prefix, `${prefix}/`];
+  const docsPathSet = new Set(docsPaths);
+  const specPath = prefix === "/" ? "/openapi.json" : `${prefix}/openapi.json`;
+  const generator = new OpenApiGenerator(app, options);
+  let cachedSpec = null;
+  let cachedSpecJson = null;
+  let emittedPublicDocsWarning = false;
+  if (options.autoInferResponses) {
+    app.addHook("onPostHandler", (req, res, match) => {
+      if (!match?.route) return;
+      if (req.path === specPath || docsPathSet.has(req.path)) {
+        return;
+      }
+      const payload = res.payload;
+      if (payload === void 0) return;
+      if (!cachedSpec) cachedSpec = generator.generate();
+      const path = generator.formatPath(match.route.path);
+      const method = match.route.method.toLowerCase();
+      const statusCode = String(res.statusCode);
+      const existingResponse = cachedSpec.paths[path]?.[method]?.responses?.[statusCode];
+      const isDefault = existingResponse?.description === "Successful response" && existingResponse?.content?.["application/json"]?.schema?.type === "object";
+      if (existingResponse && !isDefault) return;
+      let parsedData = payload;
+      if (typeof payload === "string") {
+        try {
+          parsedData = JSON.parse(payload);
+        } catch {
+        }
+      }
+      if (cachedSpec.paths[path]?.[method]) {
+        cachedSpec.paths[path][method].responses[statusCode] = {
+          description: "Auto-inferred response",
+          content: {
+            "application/json": { schema: inferSchemaFromPayload(parsedData) }
+          }
+        };
+        cachedSpecJson = null;
+      }
+    });
+  }
+  const guard = async (req) => {
+    if (!options.protect) {
+      if (process.env.NODE_ENV === "production") {
+        if (!emittedPublicDocsWarning) {
+          emittedPublicDocsWarning = true;
+          console.warn(
+            "[axiomify/openapi] OpenAPI endpoints are not protected. Production access is denied by default. Provide a `protect` function or set `allowPublicInProduction: true` explicitly."
+          );
+        }
+        return options.allowPublicInProduction === true;
+      }
+      return true;
+    }
+    return Boolean(await options.protect(req));
+  };
+  app.route({
+    method: "GET",
+    path: specPath,
+    handler: async (req, res) => {
+      if (!await guard(req)) return res.status(403).send(null, "Forbidden");
+      if (!cachedSpec) cachedSpec = generator.generate();
+      if (!cachedSpecJson) cachedSpecJson = JSON.stringify(cachedSpec);
+      res.status(200).sendRaw(cachedSpecJson, "application/json");
+    }
+  });
+  const docsHandler = async (req, res) => {
+    if (!await guard(req)) return res.status(403).send(null, "Forbidden");
+    if (typeof res.setHeader === "function") {
+      res.setHeader("Content-Security-Policy", DOCS_CSP);
+    } else if (typeof res.header === "function") {
+      res.header("Content-Security-Policy", DOCS_CSP);
+    }
+    const isDev = process.env.NODE_ENV !== "production";
+    const specUrl = isDev ? `${specPath}?t=${Date.now()}` : specPath;
+    const html = `<!DOCTYPE html>
+        <html lang="en">
+        <head>
+          <meta charset="utf-8" />
+          <meta name="viewport" content="width=device-width, initial-scale=1" />
+          <title>${escapeHtml(options.info.title)} - API Docs</title> 
+          <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.11.0/swagger-ui.min.css" integrity="sha384-bIuUyBV7i6P7z/kPAs1oeBIf8PMIqVkPVDzzaOL+QH7kWmvCT9HDTWwGVs0L4/9Q" crossorigin="anonymous" referrerpolicy="no-referrer" />
+        </head>
+        <body style="margin: 0; padding: 0;">
+          <div id="swagger-ui"></div>
+          <script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/5.11.0/swagger-ui-bundle.min.js" integrity="sha384-XHDYRdiHvBq7oL4CtkiJKfdVVA5PydxYtssHVtRrvPlha1m+zz8kboiyx/MAsyl3" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+          <script>
+            window.onload = () => {
+              window.ui = SwaggerUIBundle({
+                url: '${escapeJsString(specUrl)}',
+                dom_id: '#swagger-ui',
+              });
+            };
+          </script>
+        </body>
+        </html>`;
+    res.status(200).sendRaw(html, "text/html");
+  };
+  app.route({
+    method: "GET",
+    path: prefix,
+    handler: docsHandler
+  });
+}
+
+export { OpenApiGenerator, Security, defineSecuritySchemes, useOpenAPI };