@objectstack/runtime 4.0.4 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/README.md +62 -0
  2. package/dist/index.cjs +40646 -2294
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.cts +1588 -6
  5. package/dist/index.d.ts +1588 -6
  6. package/dist/index.js +40671 -2328
  7. package/dist/index.js.map +1 -1
  8. package/package.json +45 -9
  9. package/.turbo/turbo-build.log +0 -22
  10. package/CHANGELOG.md +0 -763
  11. package/src/app-plugin.test.ts +0 -274
  12. package/src/app-plugin.ts +0 -285
  13. package/src/dispatcher-plugin.ts +0 -503
  14. package/src/driver-plugin.ts +0 -76
  15. package/src/http-dispatcher.root.test.ts +0 -73
  16. package/src/http-dispatcher.test.ts +0 -1317
  17. package/src/http-dispatcher.ts +0 -1483
  18. package/src/http-server.ts +0 -142
  19. package/src/index.ts +0 -39
  20. package/src/middleware.ts +0 -222
  21. package/src/runtime.test.ts +0 -65
  22. package/src/runtime.ts +0 -69
  23. package/src/seed-loader.test.ts +0 -1123
  24. package/src/seed-loader.ts +0 -713
  25. package/tsconfig.json +0 -10
  26. package/vitest.config.ts +0 -26
package/README.md CHANGED
@@ -574,6 +574,68 @@ export class HealthCheckPlugin implements Plugin {
574
574
  }
575
575
  ```
576
576
 
577
+ ## Production Hardening
578
+
579
+ The runtime ships zero-dependency primitives for production HTTP deployments.
580
+ All defaults are safe / no-op so opting in is gradual.
581
+
582
+ ### Security headers (on by default)
583
+
584
+ `createDispatcherPlugin` adds CSP / X-Content-Type-Options / X-Frame-Options /
585
+ Referrer-Policy / Permissions-Policy / Cross-Origin-Resource-Policy to every
586
+ response. HSTS is opt-in (only enable once TLS is confirmed). See
587
+ [`docs/HARDENING.md`](../../docs/HARDENING.md).
588
+
589
+ ```ts
590
+ createDispatcherPlugin({
591
+ securityHeaders: {
592
+ hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
593
+ csp: "default-src 'self'",
594
+ },
595
+ });
596
+ ```
597
+
598
+ ### Rate limiting (primitive — wire per-adapter)
599
+
600
+ Token-bucket `RateLimiter` with pluggable `RateLimitStore` (in-memory default,
601
+ Redis-friendly contract). Curated `DEFAULT_RATE_LIMITS` for auth / write / read
602
+ buckets. Fastify / Hono / Express recipes in
603
+ [`docs/HARDENING.md`](../../docs/HARDENING.md#rate-limiting).
604
+
605
+ ```ts
606
+ import { RateLimiter, DEFAULT_RATE_LIMITS } from '@objectstack/runtime';
607
+
608
+ const limiter = new RateLimiter(DEFAULT_RATE_LIMITS.auth);
609
+ const decision = limiter.consume(`ip:${ip}`);
610
+ if (!decision.allowed) reply.code(429).send({ retryAfterMs: decision.retryAfterMs });
611
+ ```
612
+
613
+ ### Observability (opt-in adapters)
614
+
615
+ `createDispatcherPlugin` instruments every route with request-id propagation,
616
+ `http_requests_total{method,route,status}`, `http_request_duration_ms`,
617
+ `http_request_errors_total`, and 5xx error reporting. Plug your own
618
+ `MetricsRegistry` (Prometheus / OTel) and `ErrorReporter` (Sentry / Datadog).
619
+ Adapter recipes + go-live checklist in
620
+ [`docs/OBSERVABILITY.md`](../../docs/OBSERVABILITY.md).
621
+
622
+ ```ts
623
+ import {
624
+ createDispatcherPlugin,
625
+ type MetricsRegistry,
626
+ type ErrorReporter,
627
+ } from '@objectstack/runtime';
628
+
629
+ createDispatcherPlugin({
630
+ observability: {
631
+ metrics: promMetrics, // your MetricsRegistry adapter
632
+ errorReporter: sentryReporter, // your ErrorReporter adapter
633
+ },
634
+ });
635
+ ```
636
+
637
+ Defaults are noop — zero overhead until you plug an adapter.
638
+
577
639
  ## Documentation
578
640
 
579
641
  - [MiniKernel Guide](../../MINI_KERNEL_GUIDE.md) - Complete API documentation and patterns