@kozojs/cli 0.1.6 → 0.1.7

package/lib/index.js

@@ -419,6 +419,7 @@ async function scaffoldCompleteTemplate(projectDir, projectName, kozoCoreDep, ru
   await import_fs_extra.default.ensureDir(import_node_path.default.join(projectDir, "src", "routes", "auth"));
   await import_fs_extra.default.ensureDir(import_node_path.default.join(projectDir, "src", "routes", "users"));
   await import_fs_extra.default.ensureDir(import_node_path.default.join(projectDir, "src", "routes", "posts"));
+  await import_fs_extra.default.ensureDir(import_node_path.default.join(projectDir, "src", "middleware"));
   await import_fs_extra.default.ensureDir(import_node_path.default.join(projectDir, "src", "utils"));
   await import_fs_extra.default.ensureDir(import_node_path.default.join(projectDir, "src", "data"));
   const packageJson = {
@@ -433,6 +434,7 @@ async function scaffoldCompleteTemplate(projectDir, projectName, kozoCoreDep, ru
     },
     dependencies: {
       "@kozojs/core": kozoCoreDep,
+      "@kozojs/auth": kozoCoreDep,
       "@hono/node-server": "^1.13.0",
       hono: "^4.6.0",
       zod: "^3.23.0"
@@ -472,38 +474,83 @@ dist/
   const envExample = `# Server
 PORT=3000
 NODE_ENV=development
+
+# JWT Authentication
+JWT_SECRET=change-me-to-a-random-secret-at-least-32-chars
+
+# CORS
+CORS_ORIGIN=http://localhost:5173
+
+# Rate Limiting (requests per window)
+RATE_LIMIT_MAX=100
+RATE_LIMIT_WINDOW=60000
 `;
   await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, ".env.example"), envExample);
-  const indexTs = `import { createKozo } from '@kozojs/core';
+  await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, ".env"), envExample);
+  const indexTs = `import { createKozo, cors, logger, rateLimit } from '@kozojs/core';
+import { authenticateJWT } from '@kozojs/auth';
 import { registerAuthRoutes } from './routes/auth/index.js';
 import { registerUserRoutes } from './routes/users/index.js';
 import { registerPostRoutes } from './routes/posts/index.js';
 import { registerHealthRoute } from './routes/health.js';
 import { registerStatsRoute } from './routes/stats.js';
 
-const app = createKozo({
-  port: Number(process.env.PORT) || 3000,
-});
+// \u2500\u2500\u2500 Config \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+const PORT = Number(process.env.PORT) || 3000;
+const JWT_SECRET = process.env.JWT_SECRET || 'change-me-to-a-random-secret';
+const CORS_ORIGIN = process.env.CORS_ORIGIN || '*';
+const RATE_LIMIT_MAX = Number(process.env.RATE_LIMIT_MAX) || 100;
+const RATE_LIMIT_WINDOW = Number(process.env.RATE_LIMIT_WINDOW) || 60_000;
+
+// \u2500\u2500\u2500 App \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+const app = createKozo({ port: PORT });
+
+// \u2500\u2500\u2500 Middleware (Hono layer) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+app.getApp().use('*', logger());
+app.getApp().use('*', cors({ origin: CORS_ORIGIN }));
+app.getApp().use('/api/*', rateLimit({ max: RATE_LIMIT_MAX, windowMs: RATE_LIMIT_WINDOW }));
+app.getApp().use('/api/*', authenticateJWT(JWT_SECRET, {
+  prefix: '/api',
+}));
 
-// Register all routes
+// \u2500\u2500\u2500 Routes (native compiled \u2014 zero overhead) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 registerHealthRoute(app);
 registerAuthRoutes(app);
 registerUserRoutes(app);
 registerPostRoutes(app);
 registerStatsRoute(app);
 
-console.log('\u{1F525} Kozo server running on http://localhost:3000');
-console.log('\u{1F4CA} Features: Auth, Users CRUD, Posts, Stats');
-console.log('\u26A1 Optimized with pre-compiled handlers and Zod schemas');
+// \u2500\u2500\u2500 Graceful Shutdown \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+const shutdown = app.getShutdownManager();
+
+process.on('SIGTERM', () => shutdown.shutdown());
+process.on('SIGINT', () => shutdown.shutdown());
+
+// \u2500\u2500\u2500 Start \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+console.log('');
+console.log('\u{1F525} Kozo server starting\u2026');
+console.log('\u26A1 Powered by uWebSockets.js (native per-route C++ matching)');
 console.log('');
-console.log('\u{1F4DA} Try these endpoints:');
-console.log('   GET  /health');
-console.log('   GET  /users');
-console.log('   POST /auth/login');
-console.log('   GET  /posts?published=true&page=1&limit=10');
-console.log('   GET  /stats');
 
-app.listen();
+const { port } = await app.nativeListen(PORT);
+
+console.log(\`\u{1F680} Listening on http://localhost:\${port}\`);
+console.log('');
+console.log('\u{1F4DA} Endpoints:');
+console.log('   GET  /health               Health check');
+console.log('   POST /auth/login           Login (returns JWT)');
+console.log('   GET  /auth/me              Current user (requires JWT)');
+console.log('   GET  /users                List users (paginated)');
+console.log('   POST /users                Create user');
+console.log('   GET  /users/:id            Get user');
+console.log('   PUT  /users/:id            Update user');
+console.log('   DEL  /users/:id            Delete user');
+console.log('   GET  /posts                List posts (filterable)');
+console.log('   POST /posts                Create post');
+console.log('   GET  /stats                Server stats');
+console.log('');
+console.log('\u{1F512} Middleware: CORS \xB7 Rate limit \xB7 JWT \xB7 Logger');
+console.log('\u{1F6E1}\uFE0F  Graceful shutdown enabled (SIGTERM / SIGINT)');
 `;
   await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, "src", "index.ts"), indexTs);
   await createCompleteSchemas(projectDir);
@@ -512,22 +559,29 @@ app.listen();
   await createCompleteRoutes(projectDir);
   const readme = `# ${projectName}
 
-Built with \u{1F525} **Kozo Framework** - Production-ready server template
+Built with \u{1F525} **Kozo Framework** \u2014 Production-ready server template
 
 ## Features
 
 \u2728 **Complete API Implementation**
-- \u2705 Authentication (login, me)
+- \u2705 JWT Authentication (login, token-protected routes)
 - \u2705 User CRUD (Create, Read, Update, Delete)
 - \u2705 Posts with filtering and pagination
 - \u2705 Statistics endpoint
 - \u2705 Health check
 
-\u26A1 **Performance Optimized**
-- Pre-compiled Zod schemas (no runtime overhead)
-- Fast-path routes for health checks
-- Optimized handler closures
-- Zero runtime decisions
+\u26A1 **Maximum Performance**
+- uWebSockets.js transport with native per-route C++ matching (zero JS routing overhead)
+- Compiled handlers write directly to uWS response via cork() \u2014 zero shim objects
+- Pre-compiled Zod schemas (Ajv fast-path)
+- fast-json-stringify serialization
+
+\u{1F512} **Production Middleware**
+- CORS with configurable origins
+- Rate limiting (per-IP, configurable window)
+- JWT verification on \\\`/api/*\\\` routes
+- Request logger with timing
+- Graceful shutdown (SIGTERM / SIGINT)
 
 \u{1F3AF} **Type-Safe**
 - Full TypeScript inference
@@ -536,91 +590,82 @@ Built with \u{1F525} **Kozo Framework** - Production-ready server template
 
 ## Quick Start
 
-\`\`\`bash
+\\\`\\\`\\\`bash
 # Install dependencies
-npm install
+pnpm install   # or npm install
 
 # Start development server
-npm run dev
-\`\`\`
+pnpm dev
+\\\`\\\`\\\`
 
 The server will start at **http://localhost:3000**
 
 ## API Endpoints
 
-### Authentication
+### Public
 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| POST | /auth/login | Login with email/password |
-| GET | /auth/me | Get current user |
+| GET | /health | Health check |
+| POST | /auth/login | Login \u2192 JWT token |
 
-### Users
+### Protected (requires \\\`Authorization: Bearer <token>\\\`)
 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| GET | /users | List all users (paginated) |
+| GET | /auth/me | Current user |
+| GET | /users | List users (paginated) |
 | GET | /users/:id | Get user by ID |
 | POST | /users | Create new user |
 | PUT | /users/:id | Update user |
 | DELETE | /users/:id | Delete user |
-
-### Posts
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| GET | /posts | List posts (with filters) |
+| GET | /posts | List posts (filterable) |
 | GET | /posts/:id | Get post with author |
 | POST | /posts | Create new post |
-
-### System
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| GET | /health | Health check |
-| GET | /stats | System statistics |
+| GET | /stats | Server statistics |
 
 ## Example Requests
 
-### Create User
-\`\`\`bash
-curl -X POST http://localhost:3000/users \\
+\\\`\\\`\\\`bash
+# 1. Login to get a JWT
+TOKEN=$(curl -s -X POST http://localhost:3000/auth/login \\
   -H "Content-Type: application/json" \\
-  -d '{
-    "name": "Alice Smith",
-    "email": "alice@example.com",
-    "role": "user"
-  }'
-\`\`\`
+  -d '{"email":"admin@kozo.dev","password":"secret123"}' \\
+  | jq -r '.token')
 
-### Login
-\`\`\`bash
-curl -X POST http://localhost:3000/auth/login \\
+# 2. Use the token for protected routes
+curl -H "Authorization: Bearer $TOKEN" http://localhost:3000/users
+
+# 3. Create a user
+curl -X POST http://localhost:3000/users \\
+  -H "Authorization: Bearer $TOKEN" \\
   -H "Content-Type: application/json" \\
-  -d '{
-    "email": "admin@kozo.dev",
-    "password": "secret123"
-  }'
-\`\`\`
+  -d '{"name":"Alice","email":"alice@example.com","role":"user"}'
 
-### List Users (Paginated)
-\`\`\`bash
-curl "http://localhost:3000/users?page=1&limit=10"
-\`\`\`
+# 4. Filter posts
+curl -H "Authorization: Bearer $TOKEN" \\
+  "http://localhost:3000/posts?published=true&tag=framework"
 
-### Filter Posts
-\`\`\`bash
-curl "http://localhost:3000/posts?published=true&tag=framework"
-\`\`\`
+# 5. Health check (no auth needed)
+curl http://localhost:3000/health
+\\\`\\\`\\\`
 
-### Get Statistics
-\`\`\`bash
-curl http://localhost:3000/stats
-\`\`\`
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| PORT | 3000 | Server port |
+| JWT_SECRET | change-me\u2026 | HMAC secret for JWT signing |
+| CORS_ORIGIN | * | Allowed CORS origin |
+| RATE_LIMIT_MAX | 100 | Max requests per window |
+| RATE_LIMIT_WINDOW | 60000 | Window duration (ms) |
 
 ## Project Structure
 
-\`\`\`
+\\\`\\\`\\\`
 ${projectName}/
 \u251C\u2500\u2500 src/
 \u2502   \u251C\u2500\u2500 data/
 \u2502   \u2502   \u2514\u2500\u2500 store.ts           # In-memory data store
+\u2502   \u251C\u2500\u2500 middleware/             # (extensible)
 \u2502   \u251C\u2500\u2500 routes/
 \u2502   \u2502   \u251C\u2500\u2500 auth/
 \u2502   \u2502   \u2502   \u2514\u2500\u2500 index.ts       # Auth routes (login, me)
@@ -631,51 +676,42 @@ ${projectName}/
 \u2502   \u2502   \u251C\u2500\u2500 health.ts          # Health check
 \u2502   \u2502   \u2514\u2500\u2500 stats.ts           # Statistics
 \u2502   \u251C\u2500\u2500 schemas/
-\u2502   \u2502   \u251C\u2500\u2500 user.ts            # User schemas
-\u2502   \u2502   \u251C\u2500\u2500 post.ts            # Post schemas
-\u2502   \u2502   \u2514\u2500\u2500 common.ts          # Common schemas
+\u2502   \u2502   \u251C\u2500\u2500 user.ts            # User Zod schemas
+\u2502   \u2502   \u251C\u2500\u2500 post.ts            # Post Zod schemas
+\u2502   \u2502   \u2514\u2500\u2500 common.ts          # Pagination, filters
 \u2502   \u251C\u2500\u2500 utils/
-\u2502   \u2502   \u2514\u2500\u2500 helpers.ts         # Helper functions
-\u2502   \u2514\u2500\u2500 index.ts               # Entry point
+\u2502   \u2502   \u2514\u2500\u2500 helpers.ts         # UUID, pagination
+\u2502   \u2514\u2500\u2500 index.ts               # Entry point (middleware + routes)
+\u251C\u2500\u2500 .env                       # Environment config
+\u251C\u2500\u2500 .env.example               # Example config
 \u251C\u2500\u2500 package.json
 \u251C\u2500\u2500 tsconfig.json
 \u2514\u2500\u2500 README.md
-\`\`\`
-
-## Development
-
-\`\`\`bash
-npm run dev        # Start with hot reload
-npm run build      # Build for production
-npm start          # Run production build
-npm run type-check # TypeScript validation
-\`\`\`
-
-## Performance Notes
-
-This template uses Kozo's optimized patterns:
-- **Pre-compiled schemas**: Zod schemas compiled to Ajv validators at boot
-- **Handler closures**: Routes capture dependencies at startup
-- **Fast paths**: Simple routes skip unnecessary middleware
-- **Minimal allocations**: Context objects only include what's needed
-
-These optimizations make Kozo competitive with Fastify while providing:
-- Better type safety with Zod
-- Simpler API than NestJS
-- More features than plain Hono
-
-## Next Steps
-
-1. **Add database**: Integrate Drizzle ORM for persistent storage
-2. **Add authentication**: Implement JWT with proper password hashing
-3. **Add validation**: Enhance error handling and input validation
-4. **Add tests**: Write unit and integration tests
-5. **Deploy**: Deploy to Vercel, Railway, or any Node.js host
-
-## Documentation
-
-- [Zod Schema Validation](https://zod.dev)
-- [Hono Framework](https://hono.dev)
+\\\`\\\`\\\`
+
+## Architecture
+
+\\\`\\\`\\\`
+            \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+Request \u2500\u2500\u25BA \u2502 uWebSockets \u2502  C++ HTTP parser + epoll/kqueue
+            \u2502    .js       \u2502
+            \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+                   \u2502
+            \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u25BC\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+            \u2502  C++ Radix  \u2502  Native per-route matching (zero JS)
+            \u2502   Router    \u2502  app.get(), app.post(), \u2026
+            \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+                   \u2502
+            \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u25BC\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+            \u2502  Compiled   \u2502  Handler writes directly to uWS
+            \u2502  Handler    \u2502  via cork() \u2014 one syscall per response
+            \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252C\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+                   \u2502
+            \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u25BC\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+            \u2502  Zod \u2192 Ajv  \u2502  Pre-compiled JSON serializer
+            \u2502  Serializer \u2502
+            \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+\\\`\\\`\\\`
 
 ---
 
@@ -892,11 +928,14 @@ export function registerStatsRoute(app: Kozo) {
   await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, "src", "routes", "stats.ts"), statsRoute);
   const authRoutes = `import { z } from 'zod';
 import type { Kozo } from '@kozojs/core';
+import { createJWT } from '@kozojs/auth';
 import { UserSchema } from '../../schemas/user.js';
 import { users } from '../../data/store.js';
 
+const JWT_SECRET = process.env.JWT_SECRET || 'change-me-to-a-random-secret';
+
 export function registerAuthRoutes(app: Kozo) {
-  // POST /auth/login
+  // POST /auth/login \u2014 public (no JWT required)
   app.post('/auth/login', {
     body: z.object({
       email: z.string().email(),
@@ -907,19 +946,29 @@ export function registerAuthRoutes(app: Kozo) {
       token: z.string(),
       user: UserSchema,
     }),
-  }, (c) => {
+  }, async (c) => {
     const user = users.find(u => u.email === c.body.email);
     if (!user) {
       return c.json({ error: 'Invalid credentials' }, 401);
     }
-    const token = \`mock_jwt_\${user.id}_\${Date.now()}\`;
+
+    // Generate a real JWT with 24h expiry
+    const token = await createJWT(
+      { sub: user.id, email: user.email, role: user.role },
+      JWT_SECRET,
+      { expiresIn: '24h' }
+    );
+
     return { success: true, token, user };
   });
 
-  // GET /auth/me
+  // GET /auth/me \u2014 requires valid JWT (middleware handles verification)
   app.get('/auth/me', {
     response: UserSchema,
-  }, (c) => users[0]);
+  }, (c) => {
+    // user payload set by authenticateJWT middleware
+    return users[0];
+  });
 }
 `;
   await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, "src", "routes", "auth", "index.ts"), authRoutes);
@@ -1144,7 +1193,7 @@ app.get('/hello/:name', {
 }));
 
 console.log('\u{1F525} Kozo running on http://localhost:3000');
-app.listen();
+await app.nativeListen();
 `;
   await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, "src", "index.ts"), indexTs);
   await import_fs_extra.default.writeFile(import_node_path.default.join(projectDir, ".gitignore"), "node_modules/\ndist/\n.env\n");
@@ -1279,9 +1328,9 @@ registerRoutes(app);
 
 export type AppType = typeof app;
 
-console.log('\u{1F525} ${projectName} API running on http://localhost:3000');
+console.log('\u{1F525} ${projectName} API starting on http://localhost:3000');
 console.log('\u{1F4DA} Endpoints: /api/health, /api/users, /api/posts, /api/tasks, /api/stats');
-app.listen();
+await app.nativeListen();
 `);
   await import_fs_extra.default.writeFile(import_node_path.default.join(apiDir, "src", "data", "index.ts"), `import { z } from 'zod';
 
@@ -2361,10 +2410,295 @@ ${import_picocolors2.default.dim("Documentation:")} ${import_picocolors2.default
 `);
 }
 
+// src/commands/build.ts
+var import_execa2 = require("execa");
+var import_picocolors3 = __toESM(require("picocolors"));
+var import_fs_extra2 = __toESM(require("fs-extra"));
+var import_node_path4 = __toESM(require("path"));
+
+// src/routing/manifest.ts
+var import_node_crypto = require("crypto");
+var import_node_fs2 = require("fs");
+var import_node_path3 = require("path");
+var import_glob2 = require("glob");
+
+// src/routing/scan.ts
+var import_glob = require("glob");
+var import_node_path2 = require("path");
+var import_node_fs = require("fs");
+var HTTP_METHODS = ["get", "post", "put", "patch", "delete"];
+function fileToRoute(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const lastDot = normalized.lastIndexOf(".");
+  const withoutExt = lastDot !== -1 ? normalized.slice(0, lastDot) : normalized;
+  const parts = withoutExt.split("/").filter(Boolean);
+  if (parts.length === 0) return null;
+  const last = parts[parts.length - 1].toLowerCase();
+  let method = "get";
+  let includeLast = true;
+  if (HTTP_METHODS.includes(last)) {
+    method = last;
+    includeLast = false;
+  } else if (last === "index") {
+    includeLast = false;
+  }
+  const segments = includeLast ? parts : parts.slice(0, -1);
+  const urlSegments = segments.map((seg) => {
+    if (seg.startsWith("[...") && seg.endsWith("]")) return "*";
+    if (seg.startsWith("[") && seg.endsWith("]")) return ":" + seg.slice(1, -1);
+    return seg;
+  });
+  const path3 = "/" + urlSegments.join("/");
+  return { path: path3, method };
+}
+function extractParams(urlPath) {
+  return urlPath.split("/").filter((seg) => seg.startsWith(":")).map((seg) => seg.slice(1));
+}
+function isRouteFile(file) {
+  const name = file.split("/").pop() ?? "";
+  if (name.startsWith("_")) return false;
+  if (name.includes(".test.") || name.includes(".spec.")) return false;
+  return true;
+}
+function detectSchemas(absolutePath) {
+  let source = "";
+  try {
+    source = (0, import_node_fs.readFileSync)(absolutePath, "utf8");
+  } catch {
+    return { hasBodySchema: false, hasQuerySchema: false };
+  }
+  const hasBodySchema = /export\s+(const|let|var)\s+body(Schema)?\s*[=:]/.test(source) || /export\s+\{[^}]*\bbody(Schema)?\b[^}]*\}/.test(source);
+  const hasQuerySchema = /export\s+(const|let|var)\s+query(Schema)?\s*[=:]/.test(source) || /export\s+\{[^}]*\bquery(Schema)?\b[^}]*\}/.test(source);
+  return { hasBodySchema, hasQuerySchema };
+}
+function routeScore(urlPath) {
+  const segments = urlPath.split("/").filter(Boolean);
+  let score = segments.length * 10;
+  for (const seg of segments) {
+    if (seg === "*") score -= 100;
+    else if (seg.startsWith(":")) score -= 5;
+    else score += 1;
+  }
+  return score;
+}
+async function scanRoutes(options) {
+  const { routesDir, verbose = false } = options;
+  const files = await (0, import_glob.glob)("**/*.{ts,js}", {
+    cwd: routesDir,
+    nodir: true,
+    ignore: ["**/_*.ts", "**/_*.js", "**/*.test.ts", "**/*.spec.ts", "**/*.test.js", "**/*.spec.js"]
+  });
+  const routes = [];
+  for (const file of files) {
+    if (!isRouteFile(file)) continue;
+    const parsed = fileToRoute(file);
+    if (!parsed) continue;
+    const absolutePath = (0, import_node_path2.join)(routesDir, file);
+    const { hasBodySchema, hasQuerySchema } = detectSchemas(absolutePath);
+    const params = extractParams(parsed.path);
+    routes.push({
+      path: parsed.path,
+      method: parsed.method,
+      handler: absolutePath,
+      relativePath: file,
+      params,
+      hasBodySchema,
+      hasQuerySchema
+    });
+  }
+  routes.sort((a, b) => routeScore(b.path) - routeScore(a.path));
+  if (verbose) {
+    for (const r of routes) {
+      const method = r.method.toUpperCase().padEnd(6);
+      console.log(`  ${method} ${r.path}  (${r.relativePath})`);
+    }
+  }
+  return routes;
+}
+
+// src/routing/manifest.ts
+async function hashRouteFiles(routesDir) {
+  const files = await (0, import_glob2.glob)("**/*.{ts,js}", {
+    cwd: routesDir,
+    nodir: true,
+    ignore: ["**/_*.ts", "**/_*.js", "**/*.test.ts", "**/*.spec.ts", "**/*.test.js", "**/*.spec.js"]
+  });
+  files.sort();
+  const hash = (0, import_node_crypto.createHash)("sha256");
+  for (const file of files) {
+    hash.update(file);
+    try {
+      const content = (0, import_node_fs2.readFileSync)((0, import_node_path3.join)(routesDir, file));
+      hash.update(content);
+    } catch {
+    }
+  }
+  return hash.digest("hex");
+}
+function readExistingManifest(manifestPath) {
+  if (!(0, import_node_fs2.existsSync)(manifestPath)) return null;
+  try {
+    const raw = (0, import_node_fs2.readFileSync)(manifestPath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function generateManifest(options) {
+  const {
+    routesDir,
+    projectRoot,
+    outputPath = (0, import_node_path3.join)(projectRoot, "routes-manifest.json"),
+    cache = true,
+    verbose = false
+  } = options;
+  const contentHash = await hashRouteFiles(routesDir);
+  if (cache) {
+    const existing = readExistingManifest(outputPath);
+    if (existing && existing.contentHash === contentHash && existing.version === MANIFEST_VERSION) {
+      if (verbose) {
+        console.log(`  \u2713 routes-manifest.json up-to-date (hash: ${contentHash.slice(0, 8)}\u2026)`);
+      }
+      return existing;
+    }
+  }
+  if (verbose) {
+    console.log(`  Scanning routes in: ${routesDir}`);
+  }
+  const scanned = await scanRoutes({ routesDir, verbose: false });
+  const entries = scanned.map((r) => ({
+    path: r.path,
+    method: r.method,
+    handler: r.relativePath,
+    // relative to routesDir; callers can join with projectRoot
+    params: r.params,
+    hasBodySchema: r.hasBodySchema,
+    hasQuerySchema: r.hasQuerySchema
+  }));
+  const manifest = {
+    version: MANIFEST_VERSION,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    contentHash,
+    routes: entries
+  };
+  const dir = (0, import_node_path3.dirname)(outputPath);
+  if (!(0, import_node_fs2.existsSync)(dir)) {
+    (0, import_node_fs2.mkdirSync)(dir, { recursive: true });
+  }
+  (0, import_node_fs2.writeFileSync)(outputPath, JSON.stringify(manifest, null, 2) + "\n", "utf8");
+  if (verbose) {
+    console.log(`  \u2713 Generated routes-manifest.json (${entries.length} routes, hash: ${contentHash.slice(0, 8)}\u2026)`);
+  }
+  return manifest;
+}
+var MANIFEST_VERSION = 1;
+
+// src/commands/build.ts
+function printBox(title) {
+  const width = 50;
+  const pad = Math.max(0, Math.floor((width - title.length) / 2));
+  const line = "\u2500".repeat(width);
+  console.log(import_picocolors3.default.cyan(`\u250C${line}\u2510`));
+  console.log(import_picocolors3.default.cyan("\u2502") + " ".repeat(pad) + import_picocolors3.default.bold(title) + " ".repeat(width - pad - title.length) + import_picocolors3.default.cyan("\u2502"));
+  console.log(import_picocolors3.default.cyan(`\u2514${line}\u2518`));
+  console.log();
+}
+function step(n, total, label) {
+  console.log(import_picocolors3.default.dim(`[${n}/${total}]`) + " " + import_picocolors3.default.cyan("\u2192") + " " + label);
+}
+function ok(label) {
+  console.log(import_picocolors3.default.green("  \u2713") + " " + label);
+}
+function fail(label, err) {
+  console.log(import_picocolors3.default.red("  \u2717") + " " + label);
+  if (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.log(import_picocolors3.default.dim("    " + msg));
+  }
+}
+async function buildCommand(options = {}) {
+  console.clear();
+  printBox("Kozo Build");
+  const cwd = process.cwd();
+  const TOTAL_STEPS = options.noManifest ? 3 : 4;
+  let currentStep = 0;
+  currentStep++;
+  step(currentStep, TOTAL_STEPS, "Checking project structure\u2026");
+  if (!import_fs_extra2.default.existsSync(import_node_path4.default.join(cwd, "package.json"))) {
+    fail("No package.json found. Run this command inside a Kozo project.");
+    process.exit(1);
+  }
+  if (!import_fs_extra2.default.existsSync(import_node_path4.default.join(cwd, "node_modules"))) {
+    fail("Dependencies not installed. Run `npm install` first.");
+    process.exit(1);
+  }
+  ok("Project structure OK");
+  currentStep++;
+  step(currentStep, TOTAL_STEPS, "Cleaning previous build\u2026");
+  try {
+    await import_fs_extra2.default.remove(import_node_path4.default.join(cwd, "dist"));
+    ok("dist/ cleaned");
+  } catch (err) {
+    fail("Failed to clean dist/", err);
+    process.exit(1);
+  }
+  if (!options.noManifest) {
+    currentStep++;
+    step(currentStep, TOTAL_STEPS, "Generating routes manifest\u2026");
+    const routesDirRel = options.routesDir ?? "src/routes";
+    const routesDirAbs = import_node_path4.default.join(cwd, routesDirRel);
+    if (!import_fs_extra2.default.existsSync(routesDirAbs)) {
+      console.log(import_picocolors3.default.dim(`  \u26A0  Routes directory not found (${routesDirRel}), skipping manifest.`));
+    } else {
+      try {
+        const manifestOutAbs = options.manifestOut ? import_node_path4.default.join(cwd, options.manifestOut) : import_node_path4.default.join(cwd, "routes-manifest.json");
+        const manifest = await generateManifest({
+          routesDir: routesDirAbs,
+          projectRoot: cwd,
+          outputPath: manifestOutAbs,
+          cache: !options.forceManifest,
+          verbose: true
+        });
+        ok(`Manifest ready \u2014 ${manifest.routes.length} route(s)`);
+      } catch (err) {
+        fail("Manifest generation failed", err);
+        console.log(import_picocolors3.default.dim("  Continuing build without manifest\u2026"));
+      }
+    }
+  }
+  currentStep++;
+  step(currentStep, TOTAL_STEPS, "Compiling with tsup\u2026");
+  try {
+    const tsupArgs = ["tsup", ...options.tsupArgs ?? []];
+    await (0, import_execa2.execa)("npx", tsupArgs, {
+      cwd,
+      stdio: "inherit",
+      env: { ...process.env, NODE_ENV: "production" }
+    });
+    ok("Compilation complete");
+  } catch (err) {
+    fail("tsup compilation failed", err);
+    process.exit(1);
+  }
+  console.log();
+  console.log(import_picocolors3.default.green("\u2705  Build successful"));
+  console.log();
+}
+
 // src/index.ts
 var program = new import_commander.Command();
 program.name("kozo").description("CLI to scaffold new Kozo Framework projects").version("0.2.6");
 program.argument("[project-name]", "Name of the project").action(async (projectName) => {
   await newCommand(projectName);
 });
+program.command("build").description("Build the project (generates routes manifest then compiles with tsup)").option("--no-manifest", "Skip routes-manifest.json generation").option("--force-manifest", "Force manifest regeneration even if routes are unchanged").option("--routes-dir <dir>", "Routes directory relative to project root", "src/routes").option("--manifest-out <path>", "Output path for routes-manifest.json relative to project root").allowUnknownOption().action(async (opts, cmd) => {
+  const tsupArgs = cmd.args.length > 0 ? cmd.args : void 0;
+  await buildCommand({
+    noManifest: opts.noManifest === false || opts.manifest === false,
+    forceManifest: opts.forceManifest ?? false,
+    routesDir: opts.routesDir,
+    manifestOut: opts.manifestOut,
+    tsupArgs
+  });
+});
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kozojs/cli",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "CLI to scaffold new Kozo Framework projects - The next-gen TypeScript Backend Framework",
   "bin": {
     "create-kozo": "./lib/index.js",
@@ -39,7 +39,8 @@
     "picocolors": "^1.1.0",
     "ora": "^8.1.0",
     "execa": "^9.5.0",
-    "fs-extra": "^11.2.0"
+    "fs-extra": "^11.2.0",
+    "glob": "^11.0.0"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",