npm - @daloyjs/core - Versions diffs - 0.7.4 → 0.7.5 - Mend

@daloyjs/core 0.7.4 → 0.7.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +15 -56
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -285,62 +285,21 @@ The core only ever sees `Request → Response`. Adapters live at the edge.
 ---
-## Status & roadmap
-Full, versioned plan: [ROADMAP.md](./ROADMAP.md).
-**Implemented (v0.1):**
-- [x] Trie router with static fast path + 405 with `Allow` + traversal guard
-- [x] Contract-first `app.route()`, groups, encapsulated plugins, decorators
-- [x] Standard Schema validation (Zod 4 / Valibot / ArkType / TypeBox)
-- [x] Problem+json error model with prod-mode redaction
-- [x] OpenAPI 3.1 generator (built-in)
-- [x] In-process test client + contract-test runner
-- [x] In-process typed client factory + Hey API codegen integration (`pnpm gen`)
-- [x] Node / Bun / Deno / Cloudflare / Vercel adapters
-- [x] Security: body limits, content-type allowlist, prototype-pollution-safe JSON, path-traversal rejection, request timeout, header injection guards
-- [x] Security middleware: `secureHeaders` / `cors` / `rateLimit` / `requestId` / `bearerAuth` / `timing` / `timingSafeEqual`
-- [x] Pluggable structured logger + request id propagation
-- [x] Graceful shutdown
-- [x] `app.onClose()` lifecycle hook + augmentable `AppState` for plugin-typed context
-- [x] Mock mode
-- [x] Scalar + Swagger UI handlers
-- [x] **pnpm-first distribution with hardened `.npmrc`**
-- [x] **Lockfile source verification for git/non-registry tarball dependencies**
-- [x] **100% line + function coverage** enforced by `pnpm coverage`
-**Current (`0.2.x` follow-up — see [ROADMAP.md](./ROADMAP.md) for the full plan):**
-- [x] `onSend` hook for response transformation
-- [x] GitHub Actions CI for install, typecheck, tests, coverage, build, and audit
-- [x] `SECURITY.md` and vulnerability disclosure process
-- [x] `pnpm create daloy` project scaffolder (Node + Vercel Edge + Cloudflare templates)
-- [x] Docs site discoverability pass: page metadata, sitemap, robots, OpenGraph image, ORM guides
-- [x] Streaming response helpers: SSE + NDJSON with backpressure-safe writers (`sseStream` / `sseResponse` / `ndjsonStream` / `ndjsonResponse`)
-- [x] OpenAPI extras: `securitySchemes` builders (`httpBearerScheme` / `httpBasicScheme` / `apiKeyScheme` / `oauth2Scheme` / `openIdConnectScheme`), top-level `webhooks`, per-operation `callbacks`, and `discriminator` / `discriminatedUnion` helpers
-- [x] OpenTelemetry-compatible tracing hook (`otelTracing`) with HTTP semantic-convention attributes and per-request `SERVER` spans
-- [x] CSRF helper (`csrf`) with double-submit-cookie pattern, timing-safe verification, and `__Host-` cookie defaults
-- [x] Multipart/form-data ergonomics: `fileField` + `multipartObject` (per-file size and MIME caps, OpenAPI-aware emission) and `AppOptions.multipart` defense-in-depth caps
-- [ ] Branch coverage push to `>= 98%`
-- [ ] Release checklist and publishing docs cleanup
-**On deck (`0.3.x` and beyond):**
-WebSockets and HTTP/2 + HTTP/3 adapters.
-**Shipped from the `0.x` extensibility track so far:**
-- [x] Plugin lifecycle events: `app.onPluginInstalled((info) => ...)` fires once per `register()` (sync or async), and `app.onShutdown(({ reason, timeoutMs }) => ...)` fires at the start of `app.shutdown()` before in-flight requests drain. `onClose()` still runs after drain for resource cleanup.
-- [x] Edge-friendly session middleware: `session({ secret, store })` exposes `ctx.state.session` (`get` / `set` / `delete` / `regenerate` / `destroy`) backed by a signed `__Host-` cookie (HMAC-SHA256, key rotation) and a pluggable `SessionStore` (`MemorySessionStore` ships in-process; KV/Redis stores plug in directly). Standalone `signValue` / `verifySignedValue` helpers are exported for ad-hoc cookie/token signing.
-**Shipped from `0.5.x` ("project ops") so far:**
-- [x] Bun and Deno scaffolder templates (`bun-basic`, `deno-basic`)
-- [x] `--minimal` flag that strips the bookstore demo and `/docs` + `/openapi.json` routes from any template
-- [x] `daloy inspect` CLI: route table, schema summary, contract-test gate, OpenAPI dump, tag/method filters
-- [x] Redis-backed `RateLimitStore` at `@daloyjs/core/rate-limit-redis` with `ioredisAdapter` / `nodeRedisAdapter` and a fail-open default for shared counters across replicas
-- [x] AI-agent helper files (`AGENTS.md` + `SKILL.md`) shipped in every `create-daloy` template so Copilot/Claude/Cursor/Codex have project context out of the box
-- [x] Polished `create-daloy` terminal UX: DaloyJS welcome banner, arrow-key pickers, install spinner, and boxed next steps while preserving zero runtime dependencies
+## Status
+DaloyJS is in **public preview** (`0.x`). The public API may still change between minor versions; deprecations will get at least one minor cycle once `1.0.0` ships. The framework is already in use for production trials — every release ships with **100% line + function test coverage**, strict TypeScript, OpenSSF Scorecard, CodeQL, zizmor workflow linting, and npm provenance.
+What works today, at a glance:
+- Contract-first routing, Standard Schema validation (Zod 4 / Valibot / ArkType / TypeBox), and OpenAPI 3.1 from a single source of truth.
+- Adapters for Node, Bun, Deno, Cloudflare Workers, and Vercel Edge.
+- Built-in security primitives (body limits, prototype-pollution-safe JSON, path-traversal guard, request timeouts, header injection guards) plus first-party middleware (`secureHeaders`, `cors`, `rateLimit`, `requestId`, `bearerAuth`, `csrf`, `session`, `timing` / `timingSafeEqual`).
+- Streaming helpers (SSE + NDJSON), multipart ergonomics, OpenTelemetry-compatible tracing, signed-cookie sessions with pluggable stores, and a Redis-backed rate-limit store at `@daloyjs/core/rate-limit-redis`.
+- In-process test client (`app.request()`), contract-test runner, in-process typed client, and Hey API codegen via `pnpm gen`.
+- `pnpm create daloy` scaffolder with Node, Bun, Deno, Cloudflare Worker, and Vercel Edge templates.
+- Plugin encapsulation, decorators, structured logging, request-id propagation, lifecycle events (`onPluginInstalled`, `onShutdown`, `onClose`), and graceful shutdown.
+Roadmap, version-by-version plan, and shipped/in-progress checklists live in [ROADMAP.md](./ROADMAP.md). Release history and rationale lives in [PROJECT_HISTORY.md](./PROJECT_HISTORY.md).
 ## License

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@daloyjs/core",
-  "version": "0.7.4",
+  "version": "0.7.5",
   "description": "DaloyJS is a runtime-portable, contract-first TypeScript web framework with built-in OpenAPI (Hey API), typed client generation, large-scale maintainability, and security-first defaults. Hono-grade portability, Elysia-grade DX, FastAPI-grade docs, Fastify-grade ops — distributed via pnpm.",
   "type": "module",
   "publishConfig": {