@bleedingdev/modern-js-create 3.2.0-ultramodern.101 → 3.2.0-ultramodern.103

package/dist/index.js

@@ -566,6 +566,7 @@ const MODULE_FEDERATION_VERSION = '2.5.0';
 const ZEPHYR_RSPACK_PLUGIN_VERSION = '1.1.1';
 const ZEPHYR_AGENT_VERSION = '1.1.1';
 const WRANGLER_VERSION = '4.95.0';
+const CLOUDFLARE_COMPATIBILITY_DATE = '2026-06-02';
 const TAILWIND_VERSION = '4.3.0';
 const TAILWIND_POSTCSS_VERSION = '4.3.0';
 const EFFECT_TSGO_VERSION = '0.13.0';
@@ -900,6 +901,12 @@ function toCamelCase(value) {
 function toEnvSegment(value) {
     return toKebabCase(value).replace(/-/g, '_').toUpperCase();
 }
+function createRspackUniqueName(app) {
+    return app.mfName;
+}
+function createRspackChunkLoadingGlobal(app) {
+    return `__ULTRAMODERN_${toEnvSegment(app.mfName)}_LOADED_CHUNKS__`;
+}
 function ultramodern_workspace_packageName(scope, suffix) {
     return `@${scope}/${suffix}`;
 }
@@ -1095,17 +1102,105 @@ function createCloudflareProofRoute(app) {
         } : {}
     };
 }
+function createCloudflareSecurityContract() {
+    return {
+        enabled: true,
+        headers: {
+            referrerPolicy: 'strict-origin-when-cross-origin',
+            contentTypeOptions: 'nosniff',
+            permissionsPolicy: 'camera=(), geolocation=(), microphone=(), payment=(), usb=()'
+        },
+        contentSecurityPolicy: {
+            mode: 'report-only',
+            directives: {
+                'base-uri': [
+                    "'self'"
+                ],
+                'connect-src': [
+                    "'self'",
+                    'https:',
+                    'http:',
+                    'wss:',
+                    'ws:'
+                ],
+                'default-src': [
+                    "'self'"
+                ],
+                'font-src': [
+                    "'self'",
+                    'data:',
+                    'https:',
+                    'http:'
+                ],
+                'form-action': [
+                    "'self'"
+                ],
+                'frame-ancestors': [
+                    "'self'"
+                ],
+                'img-src': [
+                    "'self'",
+                    'data:',
+                    'blob:',
+                    'https:',
+                    'http:'
+                ],
+                'manifest-src': [
+                    "'self'",
+                    'https:',
+                    'http:'
+                ],
+                'object-src': [
+                    "'none'"
+                ],
+                "script-src": [
+                    "'self'",
+                    "'unsafe-inline'",
+                    "'unsafe-eval'",
+                    'https:',
+                    'http:',
+                    'blob:'
+                ],
+                'style-src': [
+                    "'self'",
+                    "'unsafe-inline'",
+                    'https:',
+                    'http:'
+                ],
+                'worker-src': [
+                    "'self'",
+                    'blob:'
+                ]
+            },
+            reason: "Report-only by default so Cloudflare Module Federation SSR can prove remote script, style, and connect compatibility before enforcement."
+        },
+        noindex: {
+            workersDev: true,
+            localhost: true,
+            previewHostnames: []
+        },
+        cookies: {
+            mutateSetCookie: false,
+            reason: 'Generated Cloudflare worker does not own application Set-Cookie headers.'
+        }
+    };
+}
+function formatTsJsonValue(value, indent) {
+    return JSON.stringify(value, null, 2).replaceAll('\n', `\n${' '.repeat(indent)}`);
+}
 function createCloudflareDeployContract(scope, app) {
     return {
         target: 'cloudflare',
         workerName: createCloudflareWorkerName(scope, app),
         publicUrlEnv: createCloudflarePublicUrlEnv(app),
+        compatibilityDate: CLOUDFLARE_COMPATIBILITY_DATE,
         compatibilityFlags: [
             'nodejs_compat',
             'global_fetch_strictly_public'
         ],
         assetsBinding: 'ASSETS',
         routes: createCloudflareProofRoute(app),
+        security: createCloudflareSecurityContract(),
         evidence: {
             proofScript: "scripts/proof-cloudflare-version.mjs",
             reportDefault: '.codex/reports/cloudflare-version-proof/public-url-proof.json'
@@ -1379,6 +1474,9 @@ ${bffPluginEntry}        moduleFederationPlugin(),
           overrideBrowserslist: ['defaults'],
         },
         bundlerChain: chain => {
+          chain.output
+            .uniqueName('${createRspackUniqueName(app)}')
+            .chunkLoadingGlobal('${createRspackChunkLoadingGlobal(app)}');
           chain.ignoreWarnings([
             {
               message: /the request of a dependency is an expression/u,
@@ -1391,6 +1489,8 @@ ${bffPluginEntry}        moduleFederationPlugin(),
         ? {
             deploy: {
               worker: {
+                compatibilityDate: '${CLOUDFLARE_COMPATIBILITY_DATE}',
+                security: ${formatTsJsonValue(createCloudflareSecurityContract(), 16)},
                 ssr: true,
               },
             },
@@ -1629,12 +1729,18 @@ ${createModuleFederationRemotesConfig(scope, app, remotes)}${createSharedModuleF
 function appI18nNamespace(app) {
     return 'shell' === app.kind ? 'shell' : app.domain ?? app.id;
 }
+const privateAppRoutePublicness = {
+    indexable: false,
+    public: false,
+    publicSurface: 'private-app-screen'
+};
 function createRouteOwnedI18nPaths(app) {
     const namespace = appI18nNamespace(app);
     const base = {
         mfBoundaryId: app.mfName,
         namespace,
-        ownerAppId: app.id
+        ownerAppId: app.id,
+        ...privateAppRoutePublicness
     };
     if ('shell' === app.kind) return [
         {
@@ -1807,8 +1913,11 @@ function createRouteOwnedI18nPaths(app) {
         }
     ];
 }
-function createLocalisedUrlsMap(app) {
-    return Object.fromEntries(createRouteOwnedI18nPaths(app).flatMap((route)=>{
+function isPublicIndexableRoute(route) {
+    return route.public && route.indexable;
+}
+function createLocalisedUrlsMapFromRoutes(routes) {
+    return Object.fromEntries(routes.flatMap((route)=>{
         if ('/' === route.canonicalPath) return [];
         return Array.from(new Set([
             route.canonicalPath,
@@ -1819,9 +1928,23 @@ function createLocalisedUrlsMap(app) {
             ]);
     }));
 }
+function createLocalisedUrlsMap(app) {
+    return createLocalisedUrlsMapFromRoutes(createRouteOwnedI18nPaths(app));
+}
+function createPublicRouteMetadata(app) {
+    return createRouteOwnedI18nPaths(app).filter(isPublicIndexableRoute).map((route)=>({
+            canonicalPath: route.canonicalPath,
+            id: route.id,
+            localisedPaths: route.localisedPaths,
+            namespace: route.namespace,
+            ownerAppId: route.ownerAppId,
+            titleKey: route.titleKey
+        }));
+}
 function createRouteMetadataModule(app) {
     const routes = sortJsonValue(createRouteOwnedI18nPaths(app));
     const localisedUrls = sortJsonValue(createLocalisedUrlsMap(app));
+    const publicRoutes = sortJsonValue(createPublicRouteMetadata(app));
     const namespace = appI18nNamespace(app);
     return `export const ultramodernRouteNamespace = '${namespace}' as const;
 
@@ -1829,9 +1952,12 @@ export const ultramodernRouteMetadata = ${JSON.stringify(routes, null, 2)} as co
 
 export const ultramodernLocalisedUrls = ${JSON.stringify(localisedUrls, null, 2)} as const;
 
+export const ultramodernPublicRoutes = ${JSON.stringify(publicRoutes, null, 2)} as const;
+
 export const ultramodernRouteConfig = {
   localisedUrls: ultramodernLocalisedUrls,
   namespace: ultramodernRouteNamespace,
+  publicRoutes: ultramodernPublicRoutes,
   routes: ultramodernRouteMetadata,
   source: 'route-owned',
 } as const;
@@ -4051,6 +4177,12 @@ function createAppConfigContract(app) {
                 disableClientServer: true
             }
         },
+        rspack: {
+            output: {
+                uniqueName: createRspackUniqueName(app),
+                chunkLoadingGlobal: createRspackChunkLoadingGlobal(app)
+            }
+        },
         html: {
             outputStructure: 'flat'
         },
@@ -4233,7 +4365,9 @@ function createAppGeneratedContract(scope, app, apps, enableTailwind) {
             target: 'cloudflare',
             cloudflare: createCloudflareDeployContract(scope, app),
             worker: {
+                compatibilityDate: CLOUDFLARE_COMPATIBILITY_DATE,
                 name: createCloudflareWorkerName(scope, app),
+                security: createCloudflareSecurityContract(),
                 ssr: true
             },
             output: {
@@ -4278,6 +4412,9 @@ function createAppGeneratedContract(scope, app, apps, enableTailwind) {
             metadataExport: './src/routes/ultramodern-route-metadata',
             localisedUrls: createLocalisedUrlsMap(app),
             owned: createRouteOwnedI18nPaths(app),
+            publicRoutes: createPublicRouteMetadata(app),
+            privateByDefault: true,
+            publicnessDefault: 'private-app-screen',
             generatedRouteMap: true,
             manualOverrides: []
         },
@@ -4755,6 +4892,7 @@ function createWorkspaceValidationScript(scope, enableTailwind, remotes = []) {
     const expectedBuildScript = remotes.length > 0 ? 'ULTRAMODERN_ZEPHYR=false pnpm -r --filter "./verticals/*" run build && ULTRAMODERN_ZEPHYR=false pnpm --filter "./apps/shell-super-app" run build && pnpm ultramodern:assert-mf-types' : 'ULTRAMODERN_ZEPHYR=false pnpm --filter "./apps/shell-super-app" run build && pnpm ultramodern:assert-mf-types';
     const expectedCloudflareBuildScript = remotes.length > 0 ? 'pnpm -r --filter "./verticals/*" run cloudflare:build && pnpm --filter "./apps/shell-super-app" run cloudflare:build && pnpm ultramodern:assert-mf-types' : 'pnpm --filter "./apps/shell-super-app" run cloudflare:build && pnpm ultramodern:assert-mf-types';
     const expectedCloudflareDeployScript = remotes.length > 0 ? 'pnpm -r --filter "./verticals/*" run cloudflare:deploy && pnpm --filter "./apps/shell-super-app" run cloudflare:deploy' : 'pnpm --filter "./apps/shell-super-app" run cloudflare:deploy';
+    const expectedCloudflareSecurity = createCloudflareSecurityContract();
     return `import { execFileSync } from 'node:child_process';
 import fs from 'node:fs';
 import path from 'node:path';
@@ -4769,6 +4907,7 @@ const oldRemotePaths = ${JSON.stringify(oldRemotePaths, null, 2)};
 const expectedBuildScript = ${JSON.stringify(expectedBuildScript)};
 const expectedCloudflareBuildScript = ${JSON.stringify(expectedCloudflareBuildScript)};
 const expectedCloudflareDeployScript = ${JSON.stringify(expectedCloudflareDeployScript)};
+const expectedCloudflareSecurity = ${JSON.stringify(expectedCloudflareSecurity, null, 2)};
 
 const readText = relativePath => fs.readFileSync(path.join(root, relativePath), 'utf-8');
 const readJson = relativePath => JSON.parse(readText(relativePath));
@@ -4784,6 +4923,12 @@ const assertNotExists = relativePath => {
   assert(!fs.existsSync(path.join(root, relativePath)), \`Unexpected \${relativePath}\`);
 };
 const expectedWorkerName = packageSuffix => \`\${packageScope}-\${packageSuffix}\`.slice(0, 63);
+const expectedChunkLoadingGlobal = mfName =>
+  \`__ULTRAMODERN_\${mfName
+    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')
+    .replace(/[^a-zA-Z0-9]+/g, '_')
+    .replace(/^_+|_+$/g, '')
+    .toUpperCase()}_LOADED_CHUNKS__\`;
 const parseSemver = version => {
   const match = /^(\\d+)\\.(\\d+)\\.(\\d+)/u.exec(version);
   assert(match, \`Unable to parse pnpm version: \${version}\`);
@@ -4929,6 +5074,7 @@ assert(rootPackage.scripts?.['skills:check'] === 'node ./scripts/bootstrap-agent
 assert(rootPackage.scripts?.postinstall === "oxfmt . '!repos/**' && node ./scripts/bootstrap-agent-skills.mjs && node ./scripts/setup-agent-reference-repos.mjs", 'Root postinstall must format, bootstrap agent skills, initialize git/hooks, and install reference repositories');
 
 const expectedAppIds = ['shell-super-app', ...fullStackVerticals.map(vertical => vertical.id)];
+const expectedCloudflareCompatibilityDate = '${CLOUDFLARE_COMPATIBILITY_DATE}';
 const expectedCloudflareCompatibilityFlags = ['nodejs_compat', 'global_fetch_strictly_public'];
 assert(
   JSON.stringify(generatedContract.apps?.map(app => app.id)) === JSON.stringify(expectedAppIds),
@@ -4959,7 +5105,12 @@ assert(
 const shellContract = generatedContract.apps?.find(app => app.id === 'shell-super-app');
 assert(shellContract?.deploy?.cloudflare?.workerName === expectedWorkerName('shell-super-app'), 'Shell Cloudflare workerName is incorrect');
 assert(shellContract?.deploy?.cloudflare?.publicUrlEnv === 'ULTRAMODERN_PUBLIC_URL_SHELL_SUPER_APP', 'Shell Cloudflare public URL env is incorrect');
+assert(shellContract?.deploy?.cloudflare?.compatibilityDate === expectedCloudflareCompatibilityDate, 'Shell Cloudflare compatibilityDate is incorrect');
 assert(JSON.stringify(shellContract?.deploy?.cloudflare?.compatibilityFlags) === JSON.stringify(expectedCloudflareCompatibilityFlags), 'Shell Cloudflare compatibility flags are incorrect');
+assert(JSON.stringify(shellContract?.deploy?.cloudflare?.security) === JSON.stringify(expectedCloudflareSecurity), 'Shell Cloudflare security contract is incorrect');
+assert(shellContract?.deploy?.worker?.compatibilityDate === expectedCloudflareCompatibilityDate, 'Shell worker compatibilityDate is incorrect');
+assert(shellContract?.config?.rspack?.output?.uniqueName === 'shellSuperApp', 'Shell Rspack uniqueName is incorrect');
+assert(shellContract?.config?.rspack?.output?.chunkLoadingGlobal === expectedChunkLoadingGlobal('shellSuperApp'), 'Shell Rspack chunkLoadingGlobal is incorrect');
 assert(topology.shell?.cloudflare?.workerName === expectedWorkerName('shell-super-app'), 'Shell topology Cloudflare workerName is incorrect');
 assert(shellContract?.styling?.federation?.owner?.id === 'shell-super-app', 'Shell CSS federation owner is missing');
 assert(shellContract?.styling?.federation?.role === 'shell-base-overlay', 'Shell must own base and overlay CSS');
@@ -4971,6 +5122,13 @@ assert(shellContract?.styling?.federation?.entrypoints?.css?.includes('src/route
 assert(shellContract?.styling?.federation?.assets?.shared?.some(asset => asset.endsWith('/shared-design-tokens/tokens.css')), 'Shell must import the shared design token CSS asset');
 assert(shellContract?.styling?.federation?.dedupe?.duplicateBaseStylesAllowed === false, 'Shell CSS contract must forbid duplicated base styles');
 assert(shellContract?.styling?.federation?.ssr?.firstPaintRequired === true, 'Shell CSS must be required for SSR first paint');
+assert(shellContract?.routes?.privateByDefault === true, 'Shell routes must be private by default');
+assert(shellContract?.routes?.publicnessDefault === 'private-app-screen', 'Shell route publicness default is incorrect');
+assert(JSON.stringify(shellContract?.routes?.publicRoutes ?? []) === '[]', 'Shell must not expose generated public routes by default');
+assert(
+  (shellContract?.routes?.owned ?? []).every(route => route.public === false && route.indexable === false && route.publicSurface === 'private-app-screen'),
+  'Shell owned routes must be non-indexable private app screens by default',
+);
 assert(
   topology.shell?.verticalRefs?.join(',') === fullStackVerticals.map(vertical => vertical.id).join(','),
   'Topology shell verticalRefs must match generated verticals',
@@ -5006,8 +5164,13 @@ for (const vertical of fullStackVerticals) {
   assert(contractEntry?.kind === 'vertical', \`\${vertical.id} generated contract kind is incorrect\`);
   assert(contractEntry?.deploy?.cloudflare?.workerName === expectedWorkerName(vertical.id), \`\${vertical.id} Cloudflare workerName is incorrect\`);
   assert(contractEntry?.deploy?.cloudflare?.publicUrlEnv === \`ULTRAMODERN_PUBLIC_URL_\${vertical.id.replace(/-/g, '_').toUpperCase()}\`, \`\${vertical.id} Cloudflare public URL env is incorrect\`);
+  assert(contractEntry?.deploy?.cloudflare?.compatibilityDate === expectedCloudflareCompatibilityDate, \`\${vertical.id} Cloudflare compatibilityDate is incorrect\`);
   assert(JSON.stringify(contractEntry?.deploy?.cloudflare?.compatibilityFlags) === JSON.stringify(expectedCloudflareCompatibilityFlags), \`\${vertical.id} Cloudflare compatibility flags are incorrect\`);
+  assert(JSON.stringify(contractEntry?.deploy?.cloudflare?.security) === JSON.stringify(expectedCloudflareSecurity), \`\${vertical.id} Cloudflare security contract is incorrect\`);
+  assert(contractEntry?.deploy?.worker?.compatibilityDate === expectedCloudflareCompatibilityDate, \`\${vertical.id} worker compatibilityDate is incorrect\`);
   assert(contractEntry?.deploy?.cloudflare?.routes?.effectReadiness === \`\${vertical.apiPrefix}/effect/\${vertical.stem}/readiness\`, \`\${vertical.id} Cloudflare proof readiness route is incorrect\`);
+  assert(contractEntry?.config?.rspack?.output?.uniqueName === vertical.mfName, \`\${vertical.id} Rspack uniqueName is incorrect\`);
+  assert(contractEntry?.config?.rspack?.output?.chunkLoadingGlobal === expectedChunkLoadingGlobal(vertical.mfName), \`\${vertical.id} Rspack chunkLoadingGlobal is incorrect\`);
   assert(contractEntry?.moduleFederation?.name === vertical.mfName, \`\${vertical.id} MF name is incorrect\`);
   assert(JSON.stringify(contractEntry?.moduleFederation?.exposes) === JSON.stringify(vertical.exposes), \`\${vertical.id} MF exposes are incorrect\`);
   assert(contractEntry?.moduleFederation?.dts?.compilerInstance === '--package typescript -- tsc', \`\${vertical.id} must keep mandatory DTS compiler\`);
@@ -5031,6 +5194,13 @@ for (const vertical of fullStackVerticals) {
   );
   assert(contractEntry?.routes?.source === 'route-owned', \`\${vertical.id} routes must be route-owned\`);
   assert(contractEntry?.routes?.metadataExport === './src/routes/ultramodern-route-metadata', \`\${vertical.id} route metadata export is incorrect\`);
+  assert(contractEntry?.routes?.privateByDefault === true, \`\${vertical.id} routes must be private by default\`);
+  assert(contractEntry?.routes?.publicnessDefault === 'private-app-screen', \`\${vertical.id} route publicness default is incorrect\`);
+  assert(JSON.stringify(contractEntry?.routes?.publicRoutes ?? []) === '[]', \`\${vertical.id} must not expose generated public routes by default\`);
+  assert(
+    (contractEntry?.routes?.owned ?? []).every(route => route.public === false && route.indexable === false && route.publicSurface === 'private-app-screen'),
+    \`\${vertical.id} owned routes must be non-indexable private app screens by default\`,
+  );
   assert(contractEntry?.styling?.federation?.owner?.id === vertical.id, \`\${vertical.id} CSS federation owner is missing\`);
   assert(contractEntry?.styling?.federation?.role === 'vertical-css', \`\${vertical.id} must own only vertical CSS\`);
   assert(contractEntry?.styling?.federation?.rootSelector === \`[data-app-id="\${vertical.id}"]\`, \`\${vertical.id} CSS root selector is incorrect\`);
@@ -5136,8 +5306,14 @@ async function fetchText(url) {
     ok: response.ok,
     status: response.status,
     accessControlAllowOrigin: response.headers.get('access-control-allow-origin'),
+    contentSecurityPolicy: response.headers.get('content-security-policy'),
+    contentSecurityPolicyReportOnly: response.headers.get('content-security-policy-report-only'),
     contentType: response.headers.get('content-type'),
     link: response.headers.get('link'),
+    permissionsPolicy: response.headers.get('permissions-policy'),
+    referrerPolicy: response.headers.get('referrer-policy'),
+    xContentTypeOptions: response.headers.get('x-content-type-options'),
+    xRobotsTag: response.headers.get('x-robots-tag'),
     body: await response.text(),
   };
 }
@@ -5188,6 +5364,139 @@ function assert(condition, message) {
   }
 }
 
+function matchesPreviewHostname(hostname, pattern) {
+  const normalizedHostname = hostname.toLowerCase();
+  const normalizedPattern = String(pattern || '').toLowerCase();
+
+  if (!normalizedPattern) {
+    return false;
+  }
+
+  if (normalizedPattern.startsWith('*.')) {
+    return normalizedHostname.endsWith(normalizedPattern.slice(1));
+  }
+
+  return normalizedHostname === normalizedPattern;
+}
+
+function shouldNoindexUrl(publicUrl, noindex) {
+  if (!noindex || noindex === false) {
+    return false;
+  }
+
+  const { hostname } = new URL(publicUrl);
+  const normalizedHostname = hostname.toLowerCase();
+
+  if (
+    noindex.localhost !== false &&
+    (normalizedHostname === 'localhost' ||
+      normalizedHostname === '127.0.0.1' ||
+      normalizedHostname === '[::1]')
+  ) {
+    return true;
+  }
+
+  if (
+    noindex.workersDev !== false &&
+    normalizedHostname.endsWith('.workers.dev')
+  ) {
+    return true;
+  }
+
+  return (noindex.previewHostnames || []).some(pattern =>
+    matchesPreviewHostname(normalizedHostname, pattern),
+  );
+}
+
+function assertHeader(evidence, response, expected, options) {
+  if (expected === false || expected === undefined) {
+    return;
+  }
+
+  const actual = response[options.field];
+  evidence.assertions.push({
+    type: 'security-header',
+    header: options.header,
+    route: options.route,
+    expected,
+    actual,
+    status: actual === expected ? 'pass' : 'fail',
+  });
+  assert(actual === expected, \`\${options.appId} \${options.route} is missing \${options.header}\`);
+}
+
+function assertCloudflareSecurity(evidence, app, response, route, publicUrl, options = {}) {
+  const security = app.deploy?.cloudflare?.security;
+
+  if (!security || security.enabled === false) {
+    return;
+  }
+
+  const headers = security.headers || {};
+  assertHeader(evidence, response, headers.referrerPolicy, {
+    appId: app.id,
+    field: 'referrerPolicy',
+    header: 'referrer-policy',
+    route,
+  });
+  assertHeader(evidence, response, headers.contentTypeOptions, {
+    appId: app.id,
+    field: 'xContentTypeOptions',
+    header: 'x-content-type-options',
+    route,
+  });
+  assertHeader(evidence, response, headers.permissionsPolicy, {
+    appId: app.id,
+    field: 'permissionsPolicy',
+    header: 'permissions-policy',
+    route,
+  });
+
+  const csp = security.contentSecurityPolicy;
+  if (options.html && csp?.mode !== 'off') {
+    const header =
+      csp?.mode === 'enforce'
+        ? 'content-security-policy'
+        : 'content-security-policy-report-only';
+    const actual =
+      csp?.mode === 'enforce'
+        ? response.contentSecurityPolicy
+        : response.contentSecurityPolicyReportOnly;
+    const expectedDirectives = ['script-src', 'style-src', 'connect-src'];
+    const missingDirectives = expectedDirectives.filter(
+      directive => !actual?.includes(directive),
+    );
+
+    evidence.assertions.push({
+      type: 'security-csp',
+      header,
+      route,
+      mode: csp?.mode ?? 'report-only',
+      actual,
+      missingDirectives,
+      status: actual && missingDirectives.length === 0 ? 'pass' : 'fail',
+    });
+    assert(actual, \`\${app.id} \${route} is missing \${header}\`);
+    assert(
+      missingDirectives.length === 0,
+      \`\${app.id} \${route} CSP is missing \${missingDirectives.join(', ')}\`,
+    );
+  }
+
+  if (shouldNoindexUrl(publicUrl, security.noindex)) {
+    evidence.assertions.push({
+      type: 'security-noindex',
+      route,
+      actual: response.xRobotsTag,
+      status: response.xRobotsTag === 'noindex, nofollow' ? 'pass' : 'fail',
+    });
+    assert(
+      response.xRobotsTag === 'noindex, nofollow',
+      \`\${app.id} \${route} is missing noindex X-Robots-Tag\`,
+    );
+  }
+}
+
 async function validateApp(app, publicUrl) {
   const cloudflare = app.deploy?.cloudflare;
   const routes = cloudflare?.routes ?? {};
@@ -5208,6 +5517,9 @@ async function validateApp(app, publicUrl) {
     statusCode: ssr.status,
   });
   assert(ssr.ok, \`\${app.id} SSR route returned HTTP \${ssr.status}\`);
+  assertCloudflareSecurity(evidence, app, ssr, ssrRoute, publicUrl, {
+    html: true,
+  });
 
   const uiMarker = extractUiMarker(ssr.body);
   evidence.assertions.push({
@@ -5261,6 +5573,7 @@ async function validateApp(app, publicUrl) {
     manifest.ok,
     \`\${app.id} MF manifest returned HTTP \${manifest.status}\`,
   );
+  assertCloudflareSecurity(evidence, app, manifest, manifestRoute, publicUrl);
   evidence.assertions.push({
     type: 'mf-manifest-cors',
     route: manifestRoute,
@@ -5300,6 +5613,7 @@ async function validateApp(app, publicUrl) {
     statusCode: locale.status,
   });
   assert(locale.ok, \`\${app.id} locale JSON returned HTTP \${locale.status}\`);
+  assertCloudflareSecurity(evidence, app, locale, localeRoute, publicUrl);
   evidence.assertions.push({
     type: 'i18n-cors',
     route: localeRoute,

package/dist/types/locale/index.d.ts

@@ -1,3 +1,118 @@
-declare const i18n: any;
-declare const localeKeys: any;
+import { I18n } from '@modern-js/i18n-utils';
+declare const i18n: I18n;
+declare const localeKeys: {
+    prompt: {
+        projectName: string;
+    };
+    error: {
+        projectNameEmpty: string;
+        directoryExists: string;
+        invalidRouter: string;
+        invalidBffRuntime: string;
+        createFailed: string;
+    };
+    message: {
+        welcome: string;
+        success: string;
+        nextSteps: string;
+        step1: string;
+        step2: string;
+        step3: string;
+    };
+    help: {
+        title: string;
+        description: string;
+        usage: string;
+        usageExample: string;
+        options: string;
+        optionHelp: string;
+        optionVersion: string;
+        optionLang: string;
+        optionRouter: string;
+        optionBff: string;
+        optionBffRuntime: string;
+        optionTailwind: string;
+        optionWorkspace: string;
+        optionUltramodernWorkspace: string;
+        optionUltramodernPackageSource: string;
+        optionUltramodernPackageScope: string;
+        optionUltramodernPackageNamePrefix: string;
+        optionVertical: string;
+        optionSub: string;
+        examples: string;
+        example1: string;
+        example2: string;
+        example3: string;
+        example4: string;
+        example5: string;
+        example6: string;
+        example7: string;
+        example8: string;
+        example9: string;
+        example10: string;
+        example11: string;
+        example12: string;
+        moreInfo: string;
+    };
+    version: {
+        message: string;
+    };
+} | {
+    prompt: {
+        projectName: string;
+    };
+    error: {
+        projectNameEmpty: string;
+        directoryExists: string;
+        invalidRouter: string;
+        invalidBffRuntime: string;
+        createFailed: string;
+    };
+    message: {
+        welcome: string;
+        success: string;
+        nextSteps: string;
+        step1: string;
+        step2: string;
+        step3: string;
+    };
+    help: {
+        title: string;
+        description: string;
+        usage: string;
+        usageExample: string;
+        options: string;
+        optionHelp: string;
+        optionVersion: string;
+        optionLang: string;
+        optionRouter: string;
+        optionBff: string;
+        optionBffRuntime: string;
+        optionTailwind: string;
+        optionWorkspace: string;
+        optionUltramodernWorkspace: string;
+        optionUltramodernPackageSource: string;
+        optionUltramodernPackageScope: string;
+        optionUltramodernPackageNamePrefix: string;
+        optionVertical: string;
+        optionSub: string;
+        examples: string;
+        example1: string;
+        example2: string;
+        example3: string;
+        example4: string;
+        example5: string;
+        example6: string;
+        example7: string;
+        example8: string;
+        example9: string;
+        example10: string;
+        example11: string;
+        example12: string;
+        moreInfo: string;
+    };
+    version: {
+        message: string;
+    };
+};
 export { i18n, localeKeys };

package/package.json

@@ -21,7 +21,7 @@
   "engines": {
     "node": ">=20"
   },
-  "version": "3.2.0-ultramodern.101",
+  "version": "3.2.0-ultramodern.103",
   "types": "./dist/types/index.d.ts",
   "main": "./dist/index.js",
   "bin": {
@@ -41,7 +41,7 @@
     "@types/node": "^25.9.1",
     "@typescript/native-preview": "7.0.0-dev.20260527.2",
     "tsx": "^4.22.3",
-    "@modern-js/i18n-utils": "npm:@bleedingdev/modern-js-i18n-utils@3.2.0-ultramodern.101"
+    "@modern-js/i18n-utils": "npm:@bleedingdev/modern-js-i18n-utils@3.2.0-ultramodern.103"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",
@@ -54,6 +54,6 @@
     "start": "node ./dist/index.js"
   },
   "ultramodern": {
-    "frameworkVersion": "3.2.0-ultramodern.101"
+    "frameworkVersion": "3.2.0-ultramodern.103"
   }
 }

package/template/README.md

@@ -49,6 +49,7 @@ The default app is intentionally monolith-friendly:
 | --- | --- |
 | App routes | Locale-prefixed pages under `src/routes/[lang]` |
 | Copy | English and Czech resources in `config/public/locales` |
+| Web defaults | Local favicon/logo assets, localized metadata, semantic starter markup |
 | Styling | App-local CSS, with Tailwind files only when selected |
 | Server logic | Optional BFF entrypoints under `api/` |
 | Tests | Rstest smoke coverage in `tests/` |
@@ -66,6 +67,11 @@ real routes, actions, and API calls. Put user-visible text in
 `config/public/locales/<lang>/translation.json`, then render it through
 `react-i18next` or `@modern-js/plugin-i18n/runtime`.
 
+The starter keeps favicon and logo assets local in `config/favicon.svg` and
+`config/public/assets/ultramodern-logo.svg`. Replace those files when your app
+has product branding. The localized page title and description live in the same
+translation resources as the visible UI copy.
+
 Tune the preset in `modern.config.ts`. Production builds require
 `MODERN_PUBLIC_SITE_URL` so canonical and `hreflang` URLs use your deployed
 origin. The local fallback is `http://localhost:8080`.