@daloyjs/core 0.7.0 → 0.7.1

package/README.md

@@ -1,10 +1,10 @@
 # DaloyJS
 
-> A **runtime-portable TypeScript web framework** with built-in **contract-first routing**, **validation**, **OpenAPI (Hey API)**, **typed client generation**, **large-scale maintainability**, and **secure-by-default runtime and supply-chain posture**.
+> A **runtime-portable TypeScript web framework** with built-in **contract-first routing**, **validation**, **OpenAPI (Hey API)**, **typed client generation**, **large-scale maintainability**, and **security-focused runtime plus supply-chain posture**.
 
 DaloyJS is maintained in the GitHub organization at <https://github.com/daloyjs>; the canonical framework repository is <https://github.com/daloyjs/daloy>.
 
-📚 **Documentation site:** [`./website`](./website) — a Next.js 16 + shadcn/ui + Tailwind v4 site with the landing page, getting-started guide, ORM integration guides, tutorials, security docs, and full API reference. Run it with:
+📚 **Documentation site:** <https://daloyjs.dev> — a Next.js 16 + shadcn/ui + Tailwind v4 site with the landing page, getting-started guide, ORM integration guides, tutorials, security docs, and full API reference. Run it with:
 
 ```zsh
 cd website
@@ -50,13 +50,27 @@ DaloyJS combines the wins:
 1. **Explicit contracts, minimal ceremony.** One `app.route({...})` is the source of truth for validation, types, OpenAPI, the typed client, and contract tests.
 2. **One source of truth for validation, typing, and docs** via [Standard Schema](https://github.com/standard-schema/standard-schema) — Zod 4 / Valibot / ArkType / TypeBox all work, no lock-in.
 3. **Portable core, optional runtime optimizations** — the only thing the core knows is `Request → Response`. Adapters live at the edge.
-4. **Secure by default — bad defaults are bugs.** Body limits, prototype-pollution-safe JSON, path-traversal rejection, request timeouts, Helmet-grade headers, RFC 9457 problem+json errors with prod-mode redaction.
+4. **Security guardrails by default — bad defaults are bugs.** The core enforces body limits, prototype-pollution-safe JSON, path-traversal rejection, request timeouts, content-type checks, and RFC 9457 problem+json errors with prod-mode redaction. First-party middleware covers Helmet-grade headers, CORS, CSRF, rate limits, request ids, and signed-cookie sessions.
 5. **Tooling and inspectability over magic.** `app.introspect()` is a public API; contract-test runner is built in.
 6. **Optimize for large-team maintenance**, not only solo-dev speed. Encapsulated plugins, decorators, request ids, structured logger.
 
 ---
 
-## Install
+## Get started
+
+For a new DaloyJS project, the recommended path is the official scaffolder:
+
+```bash
+pnpm create daloy@latest my-api
+# or
+npm  create daloy@latest my-api
+```
+
+`create-daloy` gives you a working project structure, runtime template selection, docs routes, OpenAPI wiring, and production-oriented defaults without copying code out of the README.
+
+See [Scaffold a project](https://daloyjs.dev/docs/scaffolder) for templates and flags.
+
+## Install core manually
 
 DaloyJS is distributed via **pnpm** for [supply-chain hygiene](https://pnpm.io/motivation) and backed by a hardened release pipeline — strict isolation, content-addressable store, deterministic lockfile, no phantom dependencies, SHA-pinned CI actions, and provenance publishing.
 
@@ -83,16 +97,6 @@ Run `pnpm audit --prod` regularly (or `pnpm run audit` in this repo) — and `pn
 
 ---
 
-## Quick start
-
-```bash
-pnpm create daloy@latest my-api
-# or
-npm  create daloy@latest my-api
-```
-
-See [Scaffold a project](https://daloyjs.dev/docs/scaffolder) for templates and flags.
-
 ## Hello world
 
 ```ts
@@ -102,7 +106,7 @@ import { serve } from "@daloyjs/core/node";
 
 const app = new App({ bodyLimitBytes: 1024 * 1024, requestTimeoutMs: 5_000 });
 
-// Security defaults — usually three plugins in other frameworks.
+// First-party security middleware — usually three plugins in other frameworks.
 app.use(requestId());
 app.use(secureHeaders());
 app.use(rateLimit({ windowMs: 60_000, max: 120 }));
@@ -177,29 +181,34 @@ import { swaggerUiHtml, htmlResponse } from "@daloyjs/core/docs";
 ```
 
 Mount at `/docs` and the UI is always contract-accurate — never stale.
-`create-daloy@0.1.14` mounts Swagger UI at `/docs` and the live spec at `/openapi.json` by default.
+`create-daloy@0.1.20` mounts Swagger UI at `/docs` and the live spec at `/openapi.json` by default.
 
 ---
 
-## Security defaults (no plugins required)
+## Security guardrails
+
+Some protections are enforced by the `App` core whenever the relevant request
+path is used. Others are first-party middleware so applications can choose the
+right CORS policy, rate-limit key, CSP, session secret, or CSRF rollout for their
+deployment.
 
-| Threat | Default behavior |
+| Threat | Built-in behavior |
 |---|---|
-| **Body-size DoS** | Streamed read, hard cap (default 1 MiB), `Content-Length` checked first. |
-| **Prototype pollution** | `safeJsonParse` strips `__proto__` / `constructor` / `prototype` via reviver. |
-| **Header / response splitting** | `sanitizeHeaderName` / `sanitizeHeaderValue` reject CRLF + NUL. |
-| **Path traversal** | Router rejects `..` segments and `//` before walking. |
-| **Slow-loris / hung handlers** | `requestTimeoutMs` aborts handlers (default 30 s); Node adapter sets `requestTimeout` + `headersTimeout` + `maxHeaderSize`. |
-| **MIME sniffing** | `secureHeaders()` sets `X-Content-Type-Options: nosniff`. |
-| **Clickjacking** | `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'`. |
-| **XSS via injected scripts** | Strict CSP `default-src 'self'` baseline. |
-| **Cross-origin leakage** | `cross-origin-opener-policy` + `cross-origin-resource-policy` set to `same-origin`. |
+| **Body-size DoS** | Core-enforced streamed read with a hard cap (default 1 MiB); `Content-Length` checked first. |
+| **Prototype pollution** | Core JSON parser strips `__proto__` / `constructor` / `prototype` via reviver. |
+| **Header / response splitting** | Core header sanitizers reject CRLF + NUL. |
+| **Path traversal** | Core router rejects `..` segments and `//` before walking. |
+| **Slow-loris / hung handlers** | Core `requestTimeoutMs` aborts handlers (default 30 s); Node adapter sets `requestTimeout` + `headersTimeout` + `maxHeaderSize`. |
+| **MIME sniffing** | First-party `secureHeaders()` sets `X-Content-Type-Options: nosniff`; scaffolded apps enable it. |
+| **Clickjacking** | First-party `secureHeaders()` sets `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'`; scaffolded apps enable it. |
+| **XSS via injected scripts** | First-party `secureHeaders()` provides a strict CSP `default-src 'self'` baseline; scaffolded apps enable it. |
+| **Cross-origin leakage** | First-party `secureHeaders()` sets `cross-origin-opener-policy` + `cross-origin-resource-policy` to `same-origin`; scaffolded apps enable it. |
 | **Information disclosure (5xx)** | Production mode strips `detail` from 5xx problem+json automatically. |
-| **Credential timing attacks** | `timingSafeEqual()` for tokens & signatures. |
-| **Brute-force / scraping** | `rateLimit()` with token-bucket + `Retry-After`. |
+| **Credential timing attacks** | First-party `timingSafeEqual()` helper for tokens & signatures. |
+| **Brute-force / scraping** | First-party `rateLimit()` with token-bucket + `Retry-After`; Node/Bun/Deno scaffolded apps enable it. |
 | **Method confusion** | Real **405** with `Allow` header, not a misleading 404. |
-| **CORS misconfig** | Explicit allowlist; never `*` with credentials. |
-| **Request correlation** | Cryptographic `randomId()` request ids on every response. |
+| **CORS misconfig** | First-party `cors()` requires an explicit allowlist and throws for `*` with credentials. |
+| **Request correlation** | First-party `requestId()` uses cryptographic ids; scaffolded apps enable it. |
 | **Supply chain** | pnpm `ignore-scripts=true`, `minimum-release-age=1440`, verified store, reproducible lockfile, lockfile source verification, provenance publishing, and CI/CD hardening against cache poisoning and OIDC token abuse. |
 
 The publish pipeline is also hardened: no `pull_request_target`, no GitHub Actions cache in CI, top-level `permissions: {}`, `step-security/harden-runner`, a separate protected `release.yml` workflow, npm trusted publishing with `--provenance`, CodeQL, OpenSSF Scorecard, zizmor workflow linting, Dependabot, and CODEOWNERS on workflow/package files. See [SECURITY.md](SECURITY.md) and the [supply-chain security docs](https://daloyjs.dev/docs/security/supply-chain).
@@ -333,6 +342,8 @@ WebSockets and HTTP/2 + HTTP/3 adapters.
 - [x] `--minimal` flag that strips the bookstore demo and `/docs` + `/openapi.json` routes from any template
 - [x] `daloy inspect` CLI: route table, schema summary, contract-test gate, OpenAPI dump, tag/method filters
 - [x] Redis-backed `RateLimitStore` at `@daloyjs/core/rate-limit-redis` with `ioredisAdapter` / `nodeRedisAdapter` and a fail-open default for shared counters across replicas
+- [x] AI-agent helper files (`AGENTS.md` + `SKILL.md`) shipped in every `create-daloy` template so Copilot/Claude/Cursor/Codex have project context out of the box
+- [x] Polished `create-daloy` terminal UX: DaloyJS welcome banner, arrow-key pickers, install spinner, and boxed next steps while preserving zero runtime dependencies
 
 ## License
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daloyjs/core",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "description": "DaloyJS is a runtime-portable, contract-first TypeScript web framework with built-in OpenAPI (Hey API), typed client generation, large-scale maintainability, and security-first defaults. Hono-grade portability, Elysia-grade DX, FastAPI-grade docs, Fastify-grade ops — distributed via pnpm.",
   "type": "module",
   "publishConfig": {
@@ -10,7 +10,7 @@
     "type": "git",
     "url": "git+https://github.com/daloyjs/daloy.git"
   },
-  "homepage": "https://github.com/daloyjs/daloy#readme",
+  "homepage": "https://daloyjs.dev",
   "bugs": {
     "url": "https://github.com/daloyjs/daloy/issues"
   },