@bleedingdev/modern-js-create 3.2.0-ultramodern.40 → 3.2.0-ultramodern.42

package/dist/index.js

@@ -4676,7 +4676,7 @@ function createTemplateManifest(modernVersion, packageSource) {
                 'provenance-present'
             ],
             materializationValidation: [
-                'path-boundary-allowlist',
+                'path-boundary-policy',
                 'path-boundary-denylist',
                 'no-path-traversal',
                 'no-absolute-paths',
@@ -5138,6 +5138,7 @@ async function fetchText(url) {
   return {
     ok: response.ok,
     status: response.status,
+    accessControlAllowOrigin: response.headers.get('access-control-allow-origin'),
     contentType: response.headers.get('content-type'),
     body: await response.text(),
   };
@@ -5246,6 +5247,16 @@ async function validateApp(app, publicUrl) {
     manifest.ok,
     \`\${app.id} MF manifest returned HTTP \${manifest.status}\`,
   );
+  evidence.assertions.push({
+    type: 'mf-manifest-cors',
+    route: manifestRoute,
+    actual: manifest.accessControlAllowOrigin,
+    status: manifest.accessControlAllowOrigin === '*' ? 'pass' : 'fail',
+  });
+  assert(
+    manifest.accessControlAllowOrigin === '*',
+    \`\${app.id} MF manifest is missing Cloudflare CORS headers\`,
+  );
 
   const localeRoute = routes.locale ?? \`/locales/en/\${app.i18n?.namespace}.json\`;
   const locale = await fetchText(joinUrl(publicUrl, localeRoute));
@@ -5263,6 +5274,16 @@ async function validateApp(app, publicUrl) {
     statusCode: locale.status,
   });
   assert(locale.ok, \`\${app.id} locale JSON returned HTTP \${locale.status}\`);
+  evidence.assertions.push({
+    type: 'i18n-cors',
+    route: localeRoute,
+    actual: locale.accessControlAllowOrigin,
+    status: locale.accessControlAllowOrigin === '*' ? 'pass' : 'fail',
+  });
+  assert(
+    locale.accessControlAllowOrigin === '*',
+    \`\${app.id} locale JSON is missing Cloudflare CORS headers\`,
+  );
   assert(
     localeJson && Object.hasOwn(localeJson, app.i18n?.namespace),
     \`\${app.id} locale JSON is missing namespace \${app.i18n?.namespace}\`,
@@ -5377,23 +5398,13 @@ function writeApp(targetDir, scope, app, packageSource, enableTailwind) {
     writeFile(targetDir, `${app.directory}/module-federation.config.ts`, 'shell' === app.kind ? createShellModuleFederationConfig() : createRemoteModuleFederationConfig(app));
     writeFile(targetDir, `${app.directory}/src/routes/layout.tsx`, createLayout(app.id));
     writeFile(targetDir, `${app.directory}/src/routes/[lang]/page.tsx`, 'shell' === app.kind ? createShellPage() : createRemotePage(app));
-    for (const route of createRouteOwnedI18nPaths(app)){
-        if ('/' === route.canonicalPath || 'shell' === app.kind) continue;
-        const routePaths = new Set([
-            route.canonicalPath,
-            ...Object.values(route.localisedPaths)
-        ]);
-        for (const routePath of routePaths)if ('/' !== routePath) writeFile(targetDir, createRoutePageFilePath(app, routePath), createRouteAliasPage(routePath));
-    }
+    for (const route of createRouteOwnedI18nPaths(app))if ('/' !== route.canonicalPath && 'shell' !== app.kind) writeFile(targetDir, createRoutePageFilePath(app, route.canonicalPath), createRouteAliasPage(route.canonicalPath));
     if ('shell' === app.kind) {
         writeFile(targetDir, `${app.directory}/src/routes/remote-components.tsx`, createShellRemoteComponents());
         writeFile(targetDir, `${app.directory}/src/effect/recommendations-client.ts`, createShellEffectClient(scope));
         writeFile(targetDir, `${app.directory}/src/routes/[lang]/tractors/page.tsx`, createShellTractorsPage());
-        writeFile(targetDir, `${app.directory}/src/routes/[lang]/traktory/page.tsx`, createShellTractorsPage());
         writeFile(targetDir, `${app.directory}/src/routes/[lang]/tractors/[slug]/page.tsx`, createShellProductPage());
-        writeFile(targetDir, `${app.directory}/src/routes/[lang]/traktory/[slug]/page.tsx`, createShellProductPage());
         writeFile(targetDir, `${app.directory}/src/routes/[lang]/cart/page.tsx`, createShellCartPage());
-        writeFile(targetDir, `${app.directory}/src/routes/[lang]/kosik/page.tsx`, createShellCartPage());
     }
     if (appHasEffectApi(app)) {
         writeFile(targetDir, `${app.directory}/shared/effect/api.ts`, createEffectSharedApi(app));

package/package.json

@@ -21,7 +21,7 @@
   "engines": {
     "node": ">=20"
   },
-  "version": "3.2.0-ultramodern.40",
+  "version": "3.2.0-ultramodern.42",
   "types": "./dist/types/index.d.ts",
   "main": "./dist/index.js",
   "bin": {
@@ -41,7 +41,7 @@
     "@types/node": "^25.9.1",
     "@typescript/native-preview": "7.0.0-dev.20260527.2",
     "tsx": "^4.22.3",
-    "@modern-js/i18n-utils": "npm:@bleedingdev/modern-js-i18n-utils@3.2.0-ultramodern.40"
+    "@modern-js/i18n-utils": "npm:@bleedingdev/modern-js-i18n-utils@3.2.0-ultramodern.42"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",
@@ -54,6 +54,6 @@
     "start": "node ./dist/index.js"
   },
   "ultramodern": {
-    "frameworkVersion": "3.2.0-ultramodern.40"
+    "frameworkVersion": "3.2.0-ultramodern.42"
   }
 }

package/template-workspace/AGENTS.md

@@ -36,7 +36,7 @@ ScriptedAlchemy/TechsioCZ skills are private and are cloned only when the curren
 pnpm skills:install
 ```
 
-The installer copies only the allowlisted private skills from `.agents/skills-lock.json`: `plan-graph`, `dag`, `subagent-graph`, `helm`, and `debugger-mode`.
+The installer copies only the pinned private skills from `.agents/skills-lock.json`: `plan-graph`, `dag`, `subagent-graph`, `helm`, and `debugger-mode`.
 
 ## Agent Reference Repositories
 
@@ -58,4 +58,4 @@ Agents may read files under `repos/` to understand upstream patterns, APIs, and
 
 ## Skill Provenance
 
-The vendored Rstack skills, public Module Federation skill, and private TechsioCZ skill allowlist are pinned in `.agents/skills-lock.json`. Do not update, remove, or replace them casually. If a skill needs updating, update the lock file and run `pnpm check`.
+The vendored Rstack skills, public Module Federation skill, and private TechsioCZ skill set are pinned in `.agents/skills-lock.json`. Do not update, remove, or replace them casually. If a skill needs updating, update the lock file and run `pnpm check`.

package/template-workspace/pnpm-workspace.yaml

@@ -4,22 +4,7 @@ packages:
   - services/*
   - packages/*
 
-minimumReleaseAge: 1440
-minimumReleaseAgeStrict: true
-minimumReleaseAgeIgnoreMissingTime: false
-minimumReleaseAgeExclude:
-  - '@modern-js/*'
-  - '@bleedingdev/*'
-  - '@effect/tsgo'
-  - '@effect/tsgo-*'
-  - '@typescript/native-preview'
-  - '@typescript/native-preview-*'
-  - '@cloudflare/*'
-  - miniflare
-  - workerd
-  - wrangler
-trustPolicy: no-downgrade
-trustPolicyIgnoreAfter: 1440
+minimumReleaseAge: 0
 blockExoticSubdeps: true
 engineStrict: true
 pmOnFail: error

package/template-workspace/scripts/validate-ultramodern-workspace.mjs.handlebars

@@ -244,30 +244,18 @@ assert(
     JSON.stringify(['apps/*', 'apps/remotes/*', 'services/*', 'packages/*']),
   'pnpm-workspace.yaml must retain workspace package globs',
 );
-assert(readPnpmConfig('minimumReleaseAge') === 1440, 'pnpm minimumReleaseAge must be 1440');
-assert(readPnpmConfig('minimumReleaseAgeStrict') === true, 'pnpm minimumReleaseAgeStrict must be true');
-assert(
-  readPnpmConfig('minimumReleaseAgeIgnoreMissingTime') === false,
-  'pnpm minimumReleaseAgeIgnoreMissingTime must be false',
-);
-assert(
-  JSON.stringify(readPnpmConfig('minimumReleaseAgeExclude')) ===
-    JSON.stringify([
-      '@modern-js/*',
-      '@bleedingdev/*',
-      '@effect/tsgo',
-      '@effect/tsgo-*',
-      '@typescript/native-preview',
-      '@typescript/native-preview-*',
-      '@cloudflare/*',
-      'miniflare',
-      'workerd',
-      'wrangler',
-    ]),
-  'pnpm minimumReleaseAgeExclude must retain framework and Cloudflare exceptions',
-);
-assert(readPnpmConfig('trustPolicy') === 'no-downgrade', 'pnpm trustPolicy must be no-downgrade');
-assert(readPnpmConfig('trustPolicyIgnoreAfter') === 1440, 'pnpm trustPolicyIgnoreAfter must be 1440');
+assert(readPnpmConfig('minimumReleaseAge') === 0, 'pnpm minimumReleaseAge must be 0');
+assert(readPnpmConfig('minimumReleaseAgeStrict') === undefined, 'pnpm minimumReleaseAgeStrict must stay unset');
+assert(
+  readPnpmConfig('minimumReleaseAgeIgnoreMissingTime') === undefined,
+  'pnpm minimumReleaseAgeIgnoreMissingTime must stay unset',
+);
+assert(
+  readPnpmConfig('minimumReleaseAgeExclude') === undefined,
+  'pnpm minimumReleaseAgeExclude must stay unset',
+);
+assert(readPnpmConfig('trustPolicy') === undefined, 'pnpm trustPolicy must stay unset');
+assert(readPnpmConfig('trustPolicyIgnoreAfter') === undefined, 'pnpm trustPolicyIgnoreAfter must stay unset');
 assert(readPnpmConfig('blockExoticSubdeps') === true, 'pnpm blockExoticSubdeps must be true');
 assert(readPnpmConfig('engineStrict') === true, 'pnpm engineStrict must be true');
 assert(readPnpmConfig('pmOnFail') === 'error', 'pnpm pmOnFail must be error');
@@ -492,7 +480,7 @@ assert(
 for (const skillName of privateAgentSkills) {
   assert(
     privateSource.baseline?.some((skill) => skill.name === skillName),
-    `Agent skills lock must allowlist private skill ${skillName}`,
+    `Agent skills lock must pin private skill ${skillName}`,
   );
 }
 
@@ -926,7 +914,7 @@ assert(
   privateAgentSkills.every((skillName) =>
     manifest.agentSkills?.privateSource?.baseline?.includes(skillName),
   ),
-  'Template manifest must list every private agent skill allowlist entry',
+  'Template manifest must list every pinned private agent skill entry',
 );
 assert(
   manifest.validation?.expectedCommands?.includes('mise exec -- pnpm run ultramodern:check'),