npm - @daloyjs/core - Versions diffs - 0.7.0 → 0.7.2 - Mend

@daloyjs/core 0.7.0 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +47 -39
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -1,17 +1,14 @@
 # DaloyJS
-> A **runtime-portable TypeScript web framework** with built-in **contract-first routing**, **validation**, **OpenAPI (Hey API)**, **typed client generation**, **large-scale maintainability**, and **secure-by-default runtime and supply-chain posture**.
+[![CI](https://github.com/daloyjs/daloy/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/daloyjs/daloy/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/daloyjs/daloy/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/daloyjs/daloy/actions/workflows/codeql.yml)
+[![Publish](https://github.com/daloyjs/daloy/actions/workflows/release.yml/badge.svg)](https://github.com/daloyjs/daloy/actions/workflows/release.yml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/daloyjs/daloy/badge)](https://securityscorecards.dev/viewer/?uri=github.com/daloyjs/daloy)
+[![Zizmor](https://github.com/daloyjs/daloy/actions/workflows/zizmor.yml/badge.svg?branch=main)](https://github.com/daloyjs/daloy/actions/workflows/zizmor.yml)
-DaloyJS is maintained in the GitHub organization at <https://github.com/daloyjs>; the canonical framework repository is <https://github.com/daloyjs/daloy>.
-📚 **Documentation site:** [`./website`](./website) — a Next.js 16 + shadcn/ui + Tailwind v4 site with the landing page, getting-started guide, ORM integration guides, tutorials, security docs, and full API reference. Run it with:
+> A **runtime-portable TypeScript web framework** with built-in **contract-first routing**, **validation**, **OpenAPI (Hey API)**, **typed client generation**, **large-scale maintainability**, and **security-focused runtime plus supply-chain posture**.
-```zsh
-cd website
-pnpm install
-pnpm dev      # http://localhost:3000
-pnpm build    # static prerender of every docs route
-```
+DaloyJS is maintained in the GitHub organization at <https://github.com/daloyjs>; the canonical framework repository is <https://github.com/daloyjs/daloy>.
 ---
@@ -50,13 +47,27 @@ DaloyJS combines the wins:
 1. **Explicit contracts, minimal ceremony.** One `app.route({...})` is the source of truth for validation, types, OpenAPI, the typed client, and contract tests.
 2. **One source of truth for validation, typing, and docs** via [Standard Schema](https://github.com/standard-schema/standard-schema) — Zod 4 / Valibot / ArkType / TypeBox all work, no lock-in.
 3. **Portable core, optional runtime optimizations** — the only thing the core knows is `Request → Response`. Adapters live at the edge.
-4. **Secure by default — bad defaults are bugs.** Body limits, prototype-pollution-safe JSON, path-traversal rejection, request timeouts, Helmet-grade headers, RFC 9457 problem+json errors with prod-mode redaction.
+4. **Security guardrails by default — bad defaults are bugs.** The core enforces body limits, prototype-pollution-safe JSON, path-traversal rejection, request timeouts, content-type checks, and RFC 9457 problem+json errors with prod-mode redaction. First-party middleware covers Helmet-grade headers, CORS, CSRF, rate limits, request ids, and signed-cookie sessions.
 5. **Tooling and inspectability over magic.** `app.introspect()` is a public API; contract-test runner is built in.
 6. **Optimize for large-team maintenance**, not only solo-dev speed. Encapsulated plugins, decorators, request ids, structured logger.
 ---
-## Install
+## Get started
+For a new DaloyJS project, the recommended path is the official scaffolder:
+```bash
+pnpm create daloy@latest my-api
+# or
+npm  create daloy@latest my-api
+```
+`create-daloy` gives you a working project structure, runtime template selection, docs routes, OpenAPI wiring, and production-oriented defaults without copying code out of the README.
+See [Scaffold a project](https://daloyjs.dev/docs/scaffolder) for templates and flags.
+## Install core manually
 DaloyJS is distributed via **pnpm** for [supply-chain hygiene](https://pnpm.io/motivation) and backed by a hardened release pipeline — strict isolation, content-addressable store, deterministic lockfile, no phantom dependencies, SHA-pinned CI actions, and provenance publishing.
@@ -83,16 +94,6 @@ Run `pnpm audit --prod` regularly (or `pnpm run audit` in this repo) — and `pn
 ---
-## Quick start
-```bash
-pnpm create daloy@latest my-api
-# or
-npm  create daloy@latest my-api
-```
-See [Scaffold a project](https://daloyjs.dev/docs/scaffolder) for templates and flags.
 ## Hello world
 ```ts
@@ -102,7 +103,7 @@ import { serve } from "@daloyjs/core/node";
 const app = new App({ bodyLimitBytes: 1024 * 1024, requestTimeoutMs: 5_000 });
-// Security defaults — usually three plugins in other frameworks.
+// First-party security middleware — usually three plugins in other frameworks.
 app.use(requestId());
 app.use(secureHeaders());
 app.use(rateLimit({ windowMs: 60_000, max: 120 }));
@@ -177,29 +178,34 @@ import { swaggerUiHtml, htmlResponse } from "@daloyjs/core/docs";
 ```
 Mount at `/docs` and the UI is always contract-accurate — never stale.
-`create-daloy@0.1.14` mounts Swagger UI at `/docs` and the live spec at `/openapi.json` by default.
+`create-daloy@0.1.20` mounts Swagger UI at `/docs` and the live spec at `/openapi.json` by default.
 ---
-## Security defaults (no plugins required)
+## Security guardrails
+Some protections are enforced by the `App` core whenever the relevant request
+path is used. Others are first-party middleware so applications can choose the
+right CORS policy, rate-limit key, CSP, session secret, or CSRF rollout for their
+deployment.
-| Threat | Default behavior |
+| Threat | Built-in behavior |
 |---|---|
-| **Body-size DoS** | Streamed read, hard cap (default 1 MiB), `Content-Length` checked first. |
-| **Prototype pollution** | `safeJsonParse` strips `__proto__` / `constructor` / `prototype` via reviver. |
-| **Header / response splitting** | `sanitizeHeaderName` / `sanitizeHeaderValue` reject CRLF + NUL. |
-| **Path traversal** | Router rejects `..` segments and `//` before walking. |
-| **Slow-loris / hung handlers** | `requestTimeoutMs` aborts handlers (default 30 s); Node adapter sets `requestTimeout` + `headersTimeout` + `maxHeaderSize`. |
-| **MIME sniffing** | `secureHeaders()` sets `X-Content-Type-Options: nosniff`. |
-| **Clickjacking** | `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'`. |
-| **XSS via injected scripts** | Strict CSP `default-src 'self'` baseline. |
-| **Cross-origin leakage** | `cross-origin-opener-policy` + `cross-origin-resource-policy` set to `same-origin`. |
+| **Body-size DoS** | Core-enforced streamed read with a hard cap (default 1 MiB); `Content-Length` checked first. |
+| **Prototype pollution** | Core JSON parser strips `__proto__` / `constructor` / `prototype` via reviver. |
+| **Header / response splitting** | Core header sanitizers reject CRLF + NUL. |
+| **Path traversal** | Core router rejects `..` segments and `//` before walking. |
+| **Slow-loris / hung handlers** | Core `requestTimeoutMs` aborts handlers (default 30 s); Node adapter sets `requestTimeout` + `headersTimeout` + `maxHeaderSize`. |
+| **MIME sniffing** | First-party `secureHeaders()` sets `X-Content-Type-Options: nosniff`; scaffolded apps enable it. |
+| **Clickjacking** | First-party `secureHeaders()` sets `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'`; scaffolded apps enable it. |
+| **XSS via injected scripts** | First-party `secureHeaders()` provides a strict CSP `default-src 'self'` baseline; scaffolded apps enable it. |
+| **Cross-origin leakage** | First-party `secureHeaders()` sets `cross-origin-opener-policy` + `cross-origin-resource-policy` to `same-origin`; scaffolded apps enable it. |
 | **Information disclosure (5xx)** | Production mode strips `detail` from 5xx problem+json automatically. |
-| **Credential timing attacks** | `timingSafeEqual()` for tokens & signatures. |
-| **Brute-force / scraping** | `rateLimit()` with token-bucket + `Retry-After`. |
+| **Credential timing attacks** | First-party `timingSafeEqual()` helper for tokens & signatures. |
+| **Brute-force / scraping** | First-party `rateLimit()` with token-bucket + `Retry-After`; Node/Bun/Deno scaffolded apps enable it. |
 | **Method confusion** | Real **405** with `Allow` header, not a misleading 404. |
-| **CORS misconfig** | Explicit allowlist; never `*` with credentials. |
-| **Request correlation** | Cryptographic `randomId()` request ids on every response. |
+| **CORS misconfig** | First-party `cors()` requires an explicit allowlist and throws for `*` with credentials. |
+| **Request correlation** | First-party `requestId()` uses cryptographic ids; scaffolded apps enable it. |
 | **Supply chain** | pnpm `ignore-scripts=true`, `minimum-release-age=1440`, verified store, reproducible lockfile, lockfile source verification, provenance publishing, and CI/CD hardening against cache poisoning and OIDC token abuse. |
 The publish pipeline is also hardened: no `pull_request_target`, no GitHub Actions cache in CI, top-level `permissions: {}`, `step-security/harden-runner`, a separate protected `release.yml` workflow, npm trusted publishing with `--provenance`, CodeQL, OpenSSF Scorecard, zizmor workflow linting, Dependabot, and CODEOWNERS on workflow/package files. See [SECURITY.md](SECURITY.md) and the [supply-chain security docs](https://daloyjs.dev/docs/security/supply-chain).
@@ -333,6 +339,8 @@ WebSockets and HTTP/2 + HTTP/3 adapters.
 - [x] `--minimal` flag that strips the bookstore demo and `/docs` + `/openapi.json` routes from any template
 - [x] `daloy inspect` CLI: route table, schema summary, contract-test gate, OpenAPI dump, tag/method filters
 - [x] Redis-backed `RateLimitStore` at `@daloyjs/core/rate-limit-redis` with `ioredisAdapter` / `nodeRedisAdapter` and a fail-open default for shared counters across replicas
+- [x] AI-agent helper files (`AGENTS.md` + `SKILL.md`) shipped in every `create-daloy` template so Copilot/Claude/Cursor/Codex have project context out of the box
+- [x] Polished `create-daloy` terminal UX: DaloyJS welcome banner, arrow-key pickers, install spinner, and boxed next steps while preserving zero runtime dependencies
 ## License

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@daloyjs/core",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "DaloyJS is a runtime-portable, contract-first TypeScript web framework with built-in OpenAPI (Hey API), typed client generation, large-scale maintainability, and security-first defaults. Hono-grade portability, Elysia-grade DX, FastAPI-grade docs, Fastify-grade ops — distributed via pnpm.",
   "type": "module",
   "publishConfig": {
@@ -10,7 +10,7 @@
     "type": "git",
     "url": "git+https://github.com/daloyjs/daloy.git"
   },
-  "homepage": "https://github.com/daloyjs/daloy#readme",
+  "homepage": "https://daloyjs.dev",
   "bugs": {
     "url": "https://github.com/daloyjs/daloy/issues"
   },