@daloyjs/core 0.7.2 → 0.7.5

package/README.md

@@ -285,62 +285,21 @@ The core only ever sees `Request → Response`. Adapters live at the edge.
 
 ---
 
-## Status & roadmap
-
-Full, versioned plan: [ROADMAP.md](./ROADMAP.md).
-
-**Implemented (v0.1):**
-
-- [x] Trie router with static fast path + 405 with `Allow` + traversal guard
-- [x] Contract-first `app.route()`, groups, encapsulated plugins, decorators
-- [x] Standard Schema validation (Zod 4 / Valibot / ArkType / TypeBox)
-- [x] Problem+json error model with prod-mode redaction
-- [x] OpenAPI 3.1 generator (built-in)
-- [x] In-process test client + contract-test runner
-- [x] In-process typed client factory + Hey API codegen integration (`pnpm gen`)
-- [x] Node / Bun / Deno / Cloudflare / Vercel adapters
-- [x] Security: body limits, content-type allowlist, prototype-pollution-safe JSON, path-traversal rejection, request timeout, header injection guards
-- [x] Security middleware: `secureHeaders` / `cors` / `rateLimit` / `requestId` / `bearerAuth` / `timing` / `timingSafeEqual`
-- [x] Pluggable structured logger + request id propagation
-- [x] Graceful shutdown
-- [x] `app.onClose()` lifecycle hook + augmentable `AppState` for plugin-typed context
-- [x] Mock mode
-- [x] Scalar + Swagger UI handlers
-- [x] **pnpm-first distribution with hardened `.npmrc`**
-- [x] **Lockfile source verification for git/non-registry tarball dependencies**
-- [x] **100% line + function coverage** enforced by `pnpm coverage`
-
-**Current (`0.2.x` follow-up — see [ROADMAP.md](./ROADMAP.md) for the full plan):**
-
-- [x] `onSend` hook for response transformation
-- [x] GitHub Actions CI for install, typecheck, tests, coverage, build, and audit
-- [x] `SECURITY.md` and vulnerability disclosure process
-- [x] `pnpm create daloy` project scaffolder (Node + Vercel Edge + Cloudflare templates)
-- [x] Docs site discoverability pass: page metadata, sitemap, robots, OpenGraph image, ORM guides
-- [x] Streaming response helpers: SSE + NDJSON with backpressure-safe writers (`sseStream` / `sseResponse` / `ndjsonStream` / `ndjsonResponse`)
-- [x] OpenAPI extras: `securitySchemes` builders (`httpBearerScheme` / `httpBasicScheme` / `apiKeyScheme` / `oauth2Scheme` / `openIdConnectScheme`), top-level `webhooks`, per-operation `callbacks`, and `discriminator` / `discriminatedUnion` helpers
-- [x] OpenTelemetry-compatible tracing hook (`otelTracing`) with HTTP semantic-convention attributes and per-request `SERVER` spans
-- [x] CSRF helper (`csrf`) with double-submit-cookie pattern, timing-safe verification, and `__Host-` cookie defaults
-- [x] Multipart/form-data ergonomics: `fileField` + `multipartObject` (per-file size and MIME caps, OpenAPI-aware emission) and `AppOptions.multipart` defense-in-depth caps
-- [ ] Branch coverage push to `>= 98%`
-- [ ] Release checklist and publishing docs cleanup
-
-**On deck (`0.3.x` and beyond):**
-WebSockets and HTTP/2 + HTTP/3 adapters.
-
-**Shipped from the `0.x` extensibility track so far:**
-
-- [x] Plugin lifecycle events: `app.onPluginInstalled((info) => ...)` fires once per `register()` (sync or async), and `app.onShutdown(({ reason, timeoutMs }) => ...)` fires at the start of `app.shutdown()` before in-flight requests drain. `onClose()` still runs after drain for resource cleanup.
-- [x] Edge-friendly session middleware: `session({ secret, store })` exposes `ctx.state.session` (`get` / `set` / `delete` / `regenerate` / `destroy`) backed by a signed `__Host-` cookie (HMAC-SHA256, key rotation) and a pluggable `SessionStore` (`MemorySessionStore` ships in-process; KV/Redis stores plug in directly). Standalone `signValue` / `verifySignedValue` helpers are exported for ad-hoc cookie/token signing.
-
-**Shipped from `0.5.x` ("project ops") so far:**
-
-- [x] Bun and Deno scaffolder templates (`bun-basic`, `deno-basic`)
-- [x] `--minimal` flag that strips the bookstore demo and `/docs` + `/openapi.json` routes from any template
-- [x] `daloy inspect` CLI: route table, schema summary, contract-test gate, OpenAPI dump, tag/method filters
-- [x] Redis-backed `RateLimitStore` at `@daloyjs/core/rate-limit-redis` with `ioredisAdapter` / `nodeRedisAdapter` and a fail-open default for shared counters across replicas
-- [x] AI-agent helper files (`AGENTS.md` + `SKILL.md`) shipped in every `create-daloy` template so Copilot/Claude/Cursor/Codex have project context out of the box
-- [x] Polished `create-daloy` terminal UX: DaloyJS welcome banner, arrow-key pickers, install spinner, and boxed next steps while preserving zero runtime dependencies
+## Status
+
+DaloyJS is in **public preview** (`0.x`). The public API may still change between minor versions; deprecations will get at least one minor cycle once `1.0.0` ships. The framework is already in use for production trials — every release ships with **100% line + function test coverage**, strict TypeScript, OpenSSF Scorecard, CodeQL, zizmor workflow linting, and npm provenance.
+
+What works today, at a glance:
+
+- Contract-first routing, Standard Schema validation (Zod 4 / Valibot / ArkType / TypeBox), and OpenAPI 3.1 from a single source of truth.
+- Adapters for Node, Bun, Deno, Cloudflare Workers, and Vercel Edge.
+- Built-in security primitives (body limits, prototype-pollution-safe JSON, path-traversal guard, request timeouts, header injection guards) plus first-party middleware (`secureHeaders`, `cors`, `rateLimit`, `requestId`, `bearerAuth`, `csrf`, `session`, `timing` / `timingSafeEqual`).
+- Streaming helpers (SSE + NDJSON), multipart ergonomics, OpenTelemetry-compatible tracing, signed-cookie sessions with pluggable stores, and a Redis-backed rate-limit store at `@daloyjs/core/rate-limit-redis`.
+- In-process test client (`app.request()`), contract-test runner, in-process typed client, and Hey API codegen via `pnpm gen`.
+- `pnpm create daloy` scaffolder with Node, Bun, Deno, Cloudflare Worker, and Vercel Edge templates.
+- Plugin encapsulation, decorators, structured logging, request-id propagation, lifecycle events (`onPluginInstalled`, `onShutdown`, `onClose`), and graceful shutdown.
+
+Roadmap, version-by-version plan, and shipped/in-progress checklists live in [ROADMAP.md](./ROADMAP.md). Release history and rationale lives in [PROJECT_HISTORY.md](./PROJECT_HISTORY.md).
 
 ## License
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@daloyjs/core",
-  "version": "0.7.2",
+  "version": "0.7.5",
   "description": "DaloyJS is a runtime-portable, contract-first TypeScript web framework with built-in OpenAPI (Hey API), typed client generation, large-scale maintainability, and security-first defaults. Hono-grade portability, Elysia-grade DX, FastAPI-grade docs, Fastify-grade ops — distributed via pnpm.",
   "type": "module",
   "publishConfig": {
@@ -15,6 +15,22 @@
     "url": "https://github.com/daloyjs/daloy/issues"
   },
   "author": "DaloyJS",
+  "license": "MIT",
+  "keywords": [
+    "framework",
+    "http",
+    "openapi",
+    "hey-api",
+    "contract-first",
+    "typescript",
+    "hono",
+    "elysia",
+    "fastify",
+    "fastapi",
+    "standard-schema",
+    "security",
+    "pnpm"
+  ],
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "bin": {
@@ -90,27 +106,6 @@
       "import": "./dist/session.js"
     }
   },
-  "files": [
-    "dist",
-    "bin",
-    "README.md"
-  ],
-  "keywords": [
-    "framework",
-    "http",
-    "openapi",
-    "hey-api",
-    "contract-first",
-    "typescript",
-    "hono",
-    "elysia",
-    "fastify",
-    "fastapi",
-    "standard-schema",
-    "security",
-    "pnpm"
-  ],
-  "license": "MIT",
   "devDependencies": {
     "@hey-api/openapi-ts": "^0.97.1",
     "@types/node": "^25.7.0",
@@ -119,6 +114,12 @@
     "typescript": "^6.0.3",
     "zod": "^4.4.3"
   },
+  "files": [
+    "dist",
+    "bin",
+    "README.md"
+  ],
+  "dependencies": {},
   "scripts": {
     "build": "tsc -p tsconfig.json",
     "dev": "tsc -w -p tsconfig.json",