@vertz/core 0.2.0 → 0.2.3

package/README.md

@@ -629,6 +629,50 @@ router.post('/send', {
 });
 ```
 
+### Environment Validation
+
+`createEnv` validates environment variables against a schema at startup, returning a frozen, typed configuration object.
+
+```typescript
+import { createEnv } from '@vertz/core';
+import { s } from '@vertz/schema';
+
+const env = createEnv({
+  schema: s.object({
+    DATABASE_URL: s.string(),
+    PORT: s.coerce.number().default(3000),
+    NODE_ENV: s.enum(['development', 'production', 'test']),
+  }),
+});
+
+// env.DATABASE_URL — fully typed, validated, immutable
+```
+
+By default, `createEnv` reads from `process.env`. You can pass an explicit `env` record instead — useful for edge runtimes (Cloudflare Workers, Deno Deploy) or testing:
+
+```typescript
+// Edge runtime — pass env explicitly
+const env = createEnv({
+  schema: s.object({
+    DATABASE_URL: s.string(),
+    API_KEY: s.string(),
+  }),
+  env: context.env, // Cloudflare Workers env bindings
+});
+
+// Testing — inject controlled values
+const env = createEnv({
+  schema: s.object({ PORT: s.coerce.number() }),
+  env: { PORT: '4000' },
+});
+```
+
+| Option | Type | Description |
+|--------|------|-------------|
+| `schema` | `Schema<T>` | A `@vertz/schema` schema to validate against |
+| `env` | `Record<string, string \| undefined>` | Explicit env record. Defaults to `process.env` with a `typeof process` guard for non-Node runtimes |
+| `load` | `string[]` | Dotenv file paths to load before validation |
+
 ### Custom Server Adapters
 
 Use the `.handler` property to integrate with custom servers:

package/dist/index.d.ts

@@ -39,172 +39,6 @@ declare function createMiddleware<
 	TRequires extends Record<string, unknown> = Record<string, unknown>,
 	TProvides extends Record<string, unknown> = Record<string, unknown>
 >(def: NamedMiddlewareDef<TRequires, TProvides>): NamedMiddlewareDef<TRequires, TProvides>;
-import { Schema as Schema2 } from "@vertz/schema";
-interface ModuleDef<
-	TImports extends Record<string, unknown> = Record<string, unknown>,
-	TOptions extends Record<string, unknown> = Record<string, unknown>
-> {
-	name: string;
-	imports?: TImports;
-	options?: Schema2<TOptions>;
-}
-interface ServiceDef<
-	TDeps = unknown,
-	TState = unknown,
-	TMethods = unknown,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TEnv extends Record<string, unknown> = Record<string, unknown>
-> {
-	inject?: Record<string, unknown>;
-	options?: Schema2<TOptions>;
-	env?: Schema2<TEnv>;
-	onInit?: (deps: TDeps, opts: TOptions, env: TEnv) => Promise<TState> | TState;
-	methods: (deps: TDeps, state: TState, opts: TOptions, env: TEnv) => TMethods;
-	onDestroy?: (deps: TDeps, state: TState) => Promise<void> | void;
-}
-interface RouterDef<TInject extends Record<string, unknown> = Record<string, unknown>> {
-	prefix: string;
-	inject?: TInject;
-}
-interface Module<TDef extends ModuleDef = ModuleDef> {
-	definition: TDef;
-	services: ServiceDef[];
-	routers: RouterDef[];
-	exports: ServiceDef[];
-}
-type Primitive = string | number | boolean | bigint | symbol | undefined | null;
-type BuiltinObject = Date | RegExp | Error | Map<unknown, unknown> | Set<unknown> | WeakMap<object, unknown> | WeakSet<object> | Promise<unknown> | Request | Response | Headers | ReadableStream | WritableStream;
-type DeepReadonly<T> = unknown extends T ? T : T extends Primitive ? T : T extends BuiltinObject ? T : T extends (...args: infer A) => infer R ? (...args: A) => R : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepReadonly<U>> : T extends Array<infer U> ? ReadonlyArray<DeepReadonly<U>> : { readonly [K in keyof T] : DeepReadonly<T[K]> };
-interface RawRequest {
-	readonly request: Request;
-	readonly method: string;
-	readonly url: string;
-	readonly headers: Headers;
-}
-interface HandlerCtx {
-	params: Record<string, unknown>;
-	body: unknown;
-	query: Record<string, string>;
-	headers: Record<string, unknown>;
-	raw: RawRequest;
-	options: Record<string, unknown>;
-	env: Record<string, unknown>;
-	[key: string]: unknown;
-}
-type Deps<T extends Record<string, unknown>> = DeepReadonly<T>;
-type Ctx<T extends Record<string, unknown>> = DeepReadonly<T>;
-interface NamedServiceDef<
-	TDeps = unknown,
-	TState = unknown,
-	TMethods = unknown,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TEnv extends Record<string, unknown> = Record<string, unknown>
-> extends ServiceDef<TDeps, TState, TMethods, TOptions, TEnv> {
-	moduleName: string;
-}
-type InferOutput<
-	T,
-	TDefault = unknown
-> = T extends {
-	_output: infer O;
-} ? O : T extends {
-	parse(v: unknown): infer P;
-} ? P : TDefault;
-type TypedHandlerCtx<
-	TParams = unknown,
-	TQuery = unknown,
-	THeaders = unknown,
-	TBody = unknown,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
-> = Omit<HandlerCtx, "params" | "query" | "headers" | "body"> & {
-	params: TParams;
-	query: TQuery;
-	headers: THeaders;
-	body: TBody;
-} & TMiddleware;
-interface RouteConfig<
-	TParams = unknown,
-	TQuery = unknown,
-	THeaders = unknown,
-	TBody = unknown,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
-> {
-	params?: TParams;
-	body?: TBody;
-	query?: TQuery;
-	response?: unknown;
-	/** Error schemas for errors-as-values pattern. Keys are HTTP status codes. */
-	errors?: Record<number, unknown>;
-	headers?: THeaders;
-	middlewares?: unknown[];
-	handler: (ctx: TypedHandlerCtx<InferOutput<TParams>, InferOutput<TQuery, Record<string, string>>, InferOutput<THeaders>, InferOutput<TBody>, TMiddleware>) => unknown;
-}
-interface Route {
-	method: string;
-	path: string;
-	config: RouteConfig<unknown, unknown, unknown, unknown, Record<string, unknown>>;
-}
-/**
-* Extracts the TMethods type from a NamedServiceDef or ServiceDef.
-* Returns `unknown` for non-service types.
-*/
-type ExtractMethods<T> = T extends NamedServiceDef<any, any, infer M> ? M : T extends ServiceDef<any, any, infer M> ? M : unknown;
-/**
-* Resolves an inject map by extracting TMethods from each NamedServiceDef value.
-* Given `{ userService: NamedServiceDef<..., ..., UserMethods> }`,
-* produces `{ userService: UserMethods }`.
-*/
-type ResolveInjectMap<T extends Record<string, unknown>> = { [K in keyof T] : ExtractMethods<T[K]> };
-type HttpMethodFn<
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>,
-	TInject extends Record<string, unknown> = Record<string, unknown>
-> = <
-	TParams,
-	TQuery,
-	THeaders,
-	TBody
->(path: `/${string}`, config: RouteConfig<TParams, TQuery, THeaders, TBody, TMiddleware & ResolveInjectMap<TInject>>) => NamedRouterDef<TMiddleware, TInject>;
-interface NamedRouterDef<
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>,
-	TInject extends Record<string, unknown> = Record<string, unknown>
-> extends RouterDef<TInject> {
-	moduleName: string;
-	routes: Route[];
-	get: HttpMethodFn<TMiddleware, TInject>;
-	post: HttpMethodFn<TMiddleware, TInject>;
-	put: HttpMethodFn<TMiddleware, TInject>;
-	patch: HttpMethodFn<TMiddleware, TInject>;
-	delete: HttpMethodFn<TMiddleware, TInject>;
-	head: HttpMethodFn<TMiddleware, TInject>;
-}
-interface NamedModuleDef<
-	TImports extends Record<string, unknown> = Record<string, unknown>,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
-> extends ModuleDef<TImports, TOptions> {
-	service: <
-		TDeps,
-		TState,
-		TMethods
-	>(config: ServiceDef<TDeps, TState, TMethods>) => NamedServiceDef<TDeps, TState, TMethods>;
-	router: <TInject extends Record<string, unknown> = Record<string, unknown>>(config: RouterDef<TInject>) => NamedRouterDef<TMiddleware, TInject>;
-}
-declare function createModuleDef<
-	TImports extends Record<string, unknown> = Record<string, unknown>,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TMiddleware extends Record<string, unknown> = Record<string, unknown>
->(config: ModuleDef<TImports, TOptions>): NamedModuleDef<TImports, TOptions, TMiddleware>;
-interface NamedModule {
-	definition: NamedModuleDef;
-	services: NamedServiceDef[];
-	routers: NamedRouterDef<any, any>[];
-	exports: NamedServiceDef[];
-}
-declare function createModule(definition: NamedModuleDef, config: {
-	services: NamedServiceDef[];
-	routers: NamedRouterDef<any, any>[];
-	exports: NamedServiceDef[];
-}): NamedModule;
 interface CorsConfig {
 	origins?: string | string[] | boolean;
 	methods?: string[];
@@ -213,25 +47,52 @@ interface CorsConfig {
 	maxAge?: number;
 	exposedHeaders?: string[];
 }
-interface DomainDefinition {
+interface EntityDefinition {
+	readonly kind?: string;
 	readonly name: string;
-	readonly type: string;
-	readonly table: unknown;
-	readonly exposedRelations: Record<string, unknown>;
+	readonly model: unknown;
 	readonly access: Record<string, unknown>;
-	readonly handlers: Record<string, unknown>;
+	readonly before: Record<string, unknown>;
+	readonly after: Record<string, unknown>;
 	readonly actions: Record<string, unknown>;
+	readonly relations: Record<string, unknown>;
+}
+type SchemaLike = {
+	parse(value: unknown): {
+		ok: boolean;
+		data?: unknown;
+		error?: unknown;
+	};
+};
+/**
+* An entity route entry generated by @vertz/server's route generator.
+* Core doesn't know about entity internals — it just registers these as handlers.
+*/
+interface EntityRouteEntry {
+	method: string;
+	path: string;
+	handler: (ctx: Record<string, unknown>) => unknown;
+	paramsSchema?: SchemaLike;
+	bodySchema?: SchemaLike;
+	querySchema?: SchemaLike;
+	headersSchema?: SchemaLike;
+	responseSchema?: SchemaLike;
+	errorsSchema?: Record<number, SchemaLike>;
 }
 interface AppConfig {
 	basePath?: string;
 	version?: string;
 	cors?: CorsConfig;
-	/** Domain definitions for auto-CRUD route generation */
-	domains?: DomainDefinition[];
-	/** API prefix for domain routes (default: '/api/') */
+	/** Entity definitions for auto-CRUD route generation */
+	entities?: EntityDefinition[];
+	/** API prefix for entity routes (default: '/api/') */
 	apiPrefix?: string;
 	/** Enable response schema validation in dev mode (logs warnings but doesn't break response) */
 	validateResponses?: boolean;
+	/** Internal: pre-built entity route handlers injected by @vertz/server */
+	_entityRoutes?: EntityRouteEntry[];
+	/** Internal: factory for creating DB adapters per entity (used by @vertz/server) */
+	_entityDbFactory?: (entityDef: EntityDefinition) => unknown;
 }
 interface ListenOptions {
 	hostname?: string;
@@ -249,8 +110,7 @@ interface RouteInfo {
 	method: string;
 	path: string;
 }
-interface AppBuilder<TMiddlewareCtx extends Record<string, unknown> = Record<string, unknown>> {
-	register(module: NamedModule, options?: Record<string, unknown>): AppBuilder<TMiddlewareCtx>;
+interface AppBuilder<_TMiddlewareCtx extends Record<string, unknown> = Record<string, unknown>> {
 	middlewares<const M extends readonly NamedMiddlewareDef<any, any>[]>(list: M): AppBuilder<AccumulateProvides<M>>;
 	readonly handler: (request: Request) => Promise<Response>;
 	listen(port?: number, options?: ListenOptions): Promise<ServerHandle>;
@@ -260,36 +120,32 @@ interface AppBuilder<TMiddlewareCtx extends Record<string, unknown> = Record<str
 	};
 }
 declare function createApp(config: AppConfig): AppBuilder;
-type ServiceFactory<
-	TDeps = unknown,
-	TState = unknown,
-	TMethods = unknown,
-	TOptions extends Record<string, unknown> = Record<string, unknown>,
-	TEnv extends Record<string, unknown> = Record<string, unknown>
-> = ServiceDef<TDeps, TState, TMethods, TOptions, TEnv>;
-interface ServiceBootInstruction {
-	type: "service";
-	id: string;
-	deps: string[];
-	factory: ServiceFactory;
-	options?: Record<string, unknown>;
-	env?: Record<string, unknown>;
-}
-interface ModuleBootInstruction {
-	type: "module";
-	id: string;
-	services: string[];
-	options?: Record<string, unknown>;
+type Primitive = string | number | boolean | bigint | symbol | undefined | null;
+type BuiltinObject = Date | RegExp | Error | Map<unknown, unknown> | Set<unknown> | WeakMap<object, unknown> | WeakSet<object> | Promise<unknown> | Request | Response | Headers | ReadableStream | WritableStream;
+type DeepReadonly<T> = unknown extends T ? T : T extends Primitive ? T : T extends BuiltinObject ? T : T extends (...args: infer A) => infer R ? (...args: A) => R : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepReadonly<U>> : T extends Array<infer U> ? ReadonlyArray<DeepReadonly<U>> : { readonly [K in keyof T] : DeepReadonly<T[K]> };
+interface RawRequest {
+	readonly request: Request;
+	readonly method: string;
+	readonly url: string;
+	readonly headers: Headers;
 }
-type BootInstruction = ServiceBootInstruction | ModuleBootInstruction;
-interface BootSequence {
-	instructions: BootInstruction[];
-	shutdownOrder: string[];
+interface HandlerCtx {
+	params: Record<string, unknown>;
+	body: unknown;
+	query: Record<string, string>;
+	headers: Record<string, unknown>;
+	raw: RawRequest;
+	options: Record<string, unknown>;
+	env: Record<string, unknown>;
+	[key: string]: unknown;
 }
-import { Schema as Schema3 } from "@vertz/schema";
+type Deps<T extends Record<string, unknown>> = DeepReadonly<T>;
+type Ctx<T extends Record<string, unknown>> = DeepReadonly<T>;
+import { Schema as Schema2 } from "@vertz/schema";
 interface EnvConfig<T = unknown> {
 	load?: string[];
-	schema: Schema3<T>;
+	schema: Schema2<T>;
+	env?: Record<string, string | undefined>;
 }
 type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE" | "HEAD" | "OPTIONS";
 type HttpStatusCode = 200 | 201 | 204 | 301 | 302 | 304 | 400 | 401 | 403 | 404 | 405 | 409 | 422 | 429 | 500 | 502 | 503 | 504;
@@ -300,7 +156,13 @@ declare class VertzException extends Error {
 	readonly code: string;
 	readonly details?: unknown;
 	constructor(message: string, statusCode?: number, code?: string, details?: unknown);
-	toJSON(): Record<string, unknown>;
+	toJSON(): {
+		error: {
+			code: string;
+			message: string;
+			details?: unknown;
+		};
+	};
 }
 declare class BadRequestException extends VertzException {
 	constructor(message: string, details?: unknown);
@@ -326,7 +188,16 @@ declare class ValidationException extends VertzException {
 		path: string;
 		message: string;
 	}>);
-	toJSON(): Record<string, unknown>;
+	toJSON(): {
+		error: {
+			code: string;
+			message: string;
+			details?: ReadonlyArray<{
+				path: string;
+				message: string;
+			}>;
+		};
+	};
 }
 declare class InternalServerErrorException extends VertzException {
 	constructor(message: string, details?: unknown);
@@ -340,128 +211,11 @@ declare function makeImmutable<T extends object>(obj: T, contextName: string): D
 declare const vertz: {
 	readonly env: typeof createEnv;
 	readonly middleware: typeof createMiddleware;
-	readonly moduleDef: typeof createModuleDef;
-	readonly module: typeof createModule;
 	readonly app: typeof createApp;
 	/** @since 0.2.0 — preferred alias for `app` */
 	readonly server: typeof createApp;
 };
 /**
-* Symbol used to brand Result objects to prevent accidental matches with user data.
-* Using a Symbol makes it impossible for user objects to accidentally match isResult().
-*/
-declare const RESULT_BRAND: unique symbol;
-/**
-* Result type for explicit error handling in route handlers.
-*
-* This provides an alternative to exception-based error handling,
-* making error cases visible in type signatures.
-*
-* @example
-* ```typescript
-* router.get('/:id', {
-*   handler: async (ctx) => {
-*     const user = await ctx.userService.find(ctx.params.id);
-*     if (!user) {
-*       return err(404, { message: 'User not found' });
-*     }
-*     return ok({ id: user.id, name: user.name });
-*   }
-* });
-* ```
-*/
-/**
-* Represents a successful result containing data.
-*/
-interface Ok<T> {
-	readonly ok: true;
-	readonly data: T;
-	readonly [RESULT_BRAND]: true;
-}
-/**
-* Represents an error result containing status code and error body.
-*/
-interface Err<E> {
-	readonly ok: false;
-	readonly status: number;
-	readonly body: E;
-	readonly [RESULT_BRAND]: true;
-}
-/**
-* A discriminated union type representing either a success (Ok) or failure (Err).
-*
-* @typeParam T - The type of the success data
-* @typeParam E - The type of the error body
-*
-* @example
-* ```typescript
-* type UserResult = Result<{ id: number; name: string }, { message: string }>;
-* ```
-*/
-type Result<
-	T,
-	E = unknown
-> = Ok<T> | Err<E>;
-/**
-* Creates a successful Result containing the given data.
-*
-* @param data - The success data
-* @returns An Ok result with the data
-*
-* @example
-* ```typescript
-* return ok({ id: 1, name: 'John' });
-* ```
-*/
-declare function ok<T>(data: T): Ok<T>;
-/**
-* Creates an error Result with the given status code and body.
-*
-* @param status - HTTP status code for the error
-* @param body - Error body/response
-* @returns An Err result with status and body
-*
-* @example
-* ```typescript
-* return err(404, { message: 'Not found' });
-* ```
-*/
-declare function err<E>(status: number, body: E): Err<E>;
-/**
-* Type guard to check if a Result is Ok.
-*
-* @param result - The result to check
-* @returns True if the result is Ok
-*
-* @example
-* ```typescript
-* if (isOk(result)) {
-*   console.log(result.data);
-* }
-* ```
-*/
-declare function isOk<
-	T,
-	E
->(result: Result<T, E>): result is Ok<T>;
-/**
-* Type guard to check if a Result is Err.
-*
-* @param result - The result to check
-* @returns True if the result is Err
-*
-* @example
-* ```typescript
-* if (isErr(result)) {
-*   console.log(result.status, result.body);
-* }
-* ```
-*/
-declare function isErr<
-	T,
-	E
->(result: Result<T, E>): result is Err<E>;
-/**
 * Creates an HTTP server. Preferred entry point for building Vertz services.
 * @since 0.2.0
 */
@@ -470,4 +224,4 @@ declare const createServer: (config: AppConfig) => AppBuilder;
 * @deprecated Use `createServer` instead. `createApp` will be removed in v0.3.0.
 */
 declare const createApp2: (config: AppConfig) => AppBuilder;
-export { vertz, ok, makeImmutable, isOk, isErr, err, deepFreeze, createServer, createModuleDef, createModule, createMiddleware, createImmutableProxy, createEnv, createApp2 as createApp, VertzException, ValidationException, UnauthorizedException, ServiceUnavailableException, ServiceFactory, ServiceDef, ServiceBootInstruction, ServerHandle, ServerAdapter, RouterDef, RouteInfo, Result, ResolveInjectMap, RawRequest, Ok, NotFoundException, NamedServiceDef, NamedRouterDef, NamedModuleDef, NamedModule, NamedMiddlewareDef, ModuleDef, ModuleBootInstruction, Module, MiddlewareDef, ListenOptions, InternalServerErrorException, Infer2 as InferSchema, Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, ExtractMethods, Err, EnvConfig, Deps, DeepReadonly, Ctx, CorsConfig, ConflictException, BootSequence, BootInstruction, BadRequestException, AppConfig, AppBuilder, AccumulateProvides };
+export { vertz, makeImmutable, deepFreeze, createServer, createMiddleware, createImmutableProxy, createEnv, createApp2 as createApp, VertzException, ValidationException, UnauthorizedException, ServiceUnavailableException, ServerHandle, ServerAdapter, RouteInfo, RawRequest, NotFoundException, NamedMiddlewareDef, MiddlewareDef, ListenOptions, InternalServerErrorException, Infer2 as InferSchema, Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, EnvConfig, EntityRouteEntry, Deps, DeepReadonly, Ctx, CorsConfig, ConflictException, BadRequestException, AppConfig, AppBuilder, AccumulateProvides };

package/dist/index.js

@@ -18,7 +18,19 @@ import {
   parseBody,
   parseRequest,
   runMiddlewareChain
-} from "./shared/chunk-c77pg5gx.js";
+} from "./shared/chunk-m3w3ytn5.js";
+
+// src/result.ts
+var RESULT_BRAND = Symbol.for("vertz.result");
+function isOk(result) {
+  return result.ok === true;
+}
+function isResult(value) {
+  if (value === null || typeof value !== "object")
+    return false;
+  const obj = value;
+  return obj[RESULT_BRAND] === true;
+}
 
 // src/server/cors.ts
 var DEFAULT_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
@@ -37,27 +49,34 @@ function resolveOrigin(config, requestOrigin) {
   return null;
 }
 function handleCors(config, request) {
+  if (config.credentials && (config.origins === true || config.origins === "*")) {
+    throw new Error("CORS misconfiguration: credentials cannot be used with wildcard origins. " + "Browsers will reject the response. Use an explicit origin allowlist instead.");
+  }
   const requestOrigin = request.headers.get("origin");
   const origin = resolveOrigin(config, requestOrigin);
   if (request.method === "OPTIONS") {
     const headers = {};
-    if (origin)
+    if (origin) {
       headers["access-control-allow-origin"] = origin;
-    const methods = config.methods ?? DEFAULT_METHODS;
-    headers["access-control-allow-methods"] = methods.join(", ");
-    const allowHeaders = config.headers ?? DEFAULT_HEADERS;
-    headers["access-control-allow-headers"] = allowHeaders.join(", ");
-    if (config.maxAge !== undefined) {
-      headers["access-control-max-age"] = String(config.maxAge);
-    }
-    if (config.credentials) {
-      headers["access-control-allow-credentials"] = "true";
+      const methods = config.methods ?? DEFAULT_METHODS;
+      headers["access-control-allow-methods"] = methods.join(", ");
+      const allowHeaders = config.headers ?? DEFAULT_HEADERS;
+      headers["access-control-allow-headers"] = allowHeaders.join(", ");
+      if (config.maxAge !== undefined) {
+        headers["access-control-max-age"] = String(config.maxAge);
+      }
+      if (config.credentials) {
+        headers["access-control-allow-credentials"] = "true";
+      }
     }
     return new Response(null, { status: 204, headers });
   }
   return null;
 }
 function applyCorsHeaders(config, request, response) {
+  if (config.credentials && (config.origins === true || config.origins === "*")) {
+    throw new Error("CORS misconfiguration: credentials cannot be used with wildcard origins. " + "Browsers will reject the response. Use an explicit origin allowlist instead.");
+  }
   const requestOrigin = request.headers.get("origin");
   const origin = resolveOrigin(config, requestOrigin);
   if (!origin)
@@ -77,27 +96,6 @@ function applyCorsHeaders(config, request, response) {
   });
 }
 
-// src/result.ts
-var RESULT_BRAND = Symbol.for("vertz.result");
-function ok(data) {
-  return { ok: true, data, [RESULT_BRAND]: true };
-}
-function err(status, body) {
-  return { ok: false, status, body, [RESULT_BRAND]: true };
-}
-function isOk(result) {
-  return result.ok === true;
-}
-function isErr(result) {
-  return result.ok === false;
-}
-function isResult(value) {
-  if (value === null || typeof value !== "object")
-    return false;
-  const obj = value;
-  return obj[RESULT_BRAND] === true;
-}
-
 // src/app/app-runner.ts
 function createResponseWithCors(data, status, config, request) {
   const response = createJsonResponse(data, status);
@@ -106,36 +104,40 @@ function createResponseWithCors(data, status, config, request) {
   }
   return response;
 }
-function validateSchema(schema, value, label) {
-  try {
-    return schema.parse(value);
-  } catch (error) {
-    if (error instanceof BadRequestException)
-      throw error;
-    const message = error instanceof Error ? error.message : `Invalid ${label}`;
-    throw new BadRequestException(message);
+var INTERNAL_DETAIL_PATTERNS = [
+  /(?:^|[\s:])\/[\w./-]+/,
+  /[A-Z]:\\[\w\\.-]+/,
+  /node_modules/,
+  /at\s+\w+\s+\(/,
+  /\.ts:\d+:\d+/,
+  /\.js:\d+:\d+/
+];
+function sanitizeValidationMessage(error, label) {
+  if (error != null && typeof error === "object" && "issues" in error && Array.isArray(error.issues)) {
+    const issues = error.issues;
+    const messages = issues.map((issue) => typeof issue.message === "string" ? issue.message : "").filter(Boolean);
+    if (messages.length > 0) {
+      return messages.join(", ");
+    }
   }
-}
-function resolveServices(registrations) {
-  const serviceMap = new Map;
-  for (const { module, options } of registrations) {
-    for (const service of module.services) {
-      if (!serviceMap.has(service)) {
-        let parsedOptions = {};
-        if (service.options && options) {
-          const parsed = service.options.safeParse(options);
-          if (parsed.success) {
-            parsedOptions = parsed.data;
-          } else {
-            throw new Error(`Invalid options for service ${service.moduleName}: ${parsed.error.issues.map((i) => i.message).join(", ")}`);
-          }
-        }
-        const env = {};
-        serviceMap.set(service, service.methods({}, undefined, parsedOptions, env));
-      }
+  const message = error instanceof Error ? error.message : "";
+  if (!message) {
+    return `Invalid ${label}`;
+  }
+  for (const pattern of INTERNAL_DETAIL_PATTERNS) {
+    if (pattern.test(message)) {
+      return `Invalid ${label}`;
     }
   }
-  return serviceMap;
+  return message;
+}
+function validateSchema(schema, value, label) {
+  const result = schema.parse(value);
+  if (!result.ok) {
+    const message = sanitizeValidationMessage(result.error, label);
+    throw new BadRequestException(message);
+  }
+  return result.data;
 }
 function resolveMiddlewares(globalMiddlewares) {
   return globalMiddlewares.map((mw) => ({
@@ -144,51 +146,26 @@ function resolveMiddlewares(globalMiddlewares) {
     resolvedInject: {}
   }));
 }
-function resolveRouterServices(inject, serviceMap) {
-  if (!inject)
-    return {};
-  const resolved = {};
-  for (const [name, serviceDef] of Object.entries(inject)) {
-    const methods = serviceMap.get(serviceDef);
-    if (methods)
-      resolved[name] = methods;
-  }
-  return resolved;
-}
-function registerRoutes(trie, basePath, registrations, serviceMap) {
-  for (const { module, options } of registrations) {
-    for (const router of module.routers) {
-      const resolvedServices = resolveRouterServices(router.inject, serviceMap);
-      for (const route of router.routes) {
-        const fullPath = basePath + router.prefix + route.path;
-        const routeMiddlewares = (route.config.middlewares ?? []).map((mw) => ({
-          name: mw.name,
-          handler: mw.handler,
-          resolvedInject: {}
-        }));
-        const entry = {
-          handler: route.config.handler,
-          options: options ?? {},
-          services: resolvedServices,
-          middlewares: routeMiddlewares,
-          paramsSchema: route.config.params,
-          bodySchema: route.config.body,
-          querySchema: route.config.query,
-          headersSchema: route.config.headers,
-          responseSchema: route.config.response,
-          errorsSchema: route.config.errors
-        };
-        trie.add(route.method, fullPath, entry);
-      }
-    }
-  }
-}
-function buildHandler(config, registrations, globalMiddlewares) {
+function buildHandler(config, globalMiddlewares) {
   const trie = new Trie;
-  const basePath = config.basePath ?? "";
   const resolvedMiddlewares = resolveMiddlewares(globalMiddlewares);
-  const serviceMap = resolveServices(registrations);
-  registerRoutes(trie, basePath, registrations, serviceMap);
+  if (config._entityRoutes) {
+    for (const route of config._entityRoutes) {
+      const entry = {
+        handler: route.handler,
+        options: {},
+        services: {},
+        middlewares: [],
+        paramsSchema: route.paramsSchema,
+        bodySchema: route.bodySchema,
+        querySchema: route.querySchema,
+        headersSchema: route.headersSchema,
+        responseSchema: route.responseSchema,
+        errorsSchema: route.errorsSchema
+      };
+      trie.add(route.method, route.path, entry);
+    }
+  }
   return async (request) => {
     try {
       if (config.cors) {
@@ -201,9 +178,9 @@ function buildHandler(config, registrations, globalMiddlewares) {
       if (!match) {
         const allowed = trie.getAllowedMethods(parsed.path);
         if (allowed.length > 0) {
-          return createJsonResponse({ error: "MethodNotAllowed", message: "Method Not Allowed", statusCode: 405 }, 405, { allow: allowed.join(", ") });
+          return createJsonResponse({ error: { code: "MethodNotAllowed", message: "Method Not Allowed" } }, 405, { allow: allowed.join(", ") });
         }
-        return createJsonResponse({ error: "NotFound", message: "Not Found", statusCode: 404 }, 404);
+        return createJsonResponse({ error: { code: "NotFound", message: "Not Found" } }, 404);
       }
       const body = await parseBody(request);
       const raw = {
@@ -224,7 +201,11 @@ function buildHandler(config, registrations, globalMiddlewares) {
       if (entry.middlewares.length > 0) {
         const routeCtx = { ...requestCtx, ...middlewareState };
         const routeState = await runMiddlewareChain(entry.middlewares, routeCtx);
-        Object.assign(middlewareState, routeState);
+        for (const key of Object.keys(routeState)) {
+          if (key !== "__proto__" && key !== "constructor" && key !== "prototype") {
+            middlewareState[key] = routeState[key];
+          }
+        }
       }
       const validatedParams = entry.paramsSchema ? validateSchema(entry.paramsSchema, match.params, "params") : match.params;
       const validatedBody = entry.bodySchema ? validateSchema(entry.bodySchema, body, "body") : body;
@@ -246,10 +227,9 @@ function buildHandler(config, registrations, globalMiddlewares) {
         if (isOk(result)) {
           const data = result.data;
           if (config.validateResponses && entry.responseSchema) {
-            try {
-              entry.responseSchema.parse(data);
-            } catch (error) {
-              const message = error instanceof Error ? error.message : "Response schema validation failed";
+            const validation = entry.responseSchema.parse(data);
+            if (!validation.ok) {
+              const message = validation.error instanceof Error ? validation.error.message : "Response schema validation failed";
               console.warn(`[vertz] Response validation warning: ${message}`);
             }
           }
@@ -260,10 +240,9 @@ function buildHandler(config, registrations, globalMiddlewares) {
           if (config.validateResponses && entry.errorsSchema) {
             const errorSchema = entry.errorsSchema[errorStatus];
             if (errorSchema) {
-              try {
-                errorSchema.parse(errorBody);
-              } catch (error) {
-                const message = error instanceof Error ? `Error schema validation failed for status ${errorStatus}: ${error.message}` : `Error schema validation failed for status ${errorStatus}`;
+              const validation = errorSchema.parse(errorBody);
+              if (!validation.ok) {
+                const message = validation.error instanceof Error ? `Error schema validation failed for status ${errorStatus}: ${validation.error.message}` : `Error schema validation failed for status ${errorStatus}`;
                 console.warn(`[vertz] Response validation warning: ${message}`);
               }
             }
@@ -272,14 +251,13 @@ function buildHandler(config, registrations, globalMiddlewares) {
         }
       }
       if (config.validateResponses && entry.responseSchema) {
-        try {
-          entry.responseSchema.parse(result);
-        } catch (error) {
-          const message = error instanceof Error ? error.message : "Response schema validation failed";
+        const validation = entry.responseSchema.parse(result);
+        if (!validation.ok) {
+          const message = validation.error instanceof Error ? validation.error.message : "Response schema validation failed";
           console.warn(`[vertz] Response validation warning: ${message}`);
         }
       }
-      const response = result === undefined ? new Response(null, { status: 204 }) : createJsonResponse(result);
+      const response = result === undefined ? new Response(null, { status: 204 }) : result instanceof Response ? result : createJsonResponse(result);
       if (config.cors) {
         return applyCorsHeaders(config.cors, request, response);
       }
@@ -323,27 +301,6 @@ function detectAdapter(hints) {
 }
 
 // src/app/route-log.ts
-function normalizePath(path) {
-  let normalized = path.replace(/\/+/g, "/");
-  if (normalized.length > 1 && normalized.endsWith("/")) {
-    normalized = normalized.slice(0, -1);
-  }
-  return normalized || "/";
-}
-function collectRoutes(basePath, registrations) {
-  const routes = [];
-  for (const { module } of registrations) {
-    for (const router of module.routers) {
-      for (const route of router.routes) {
-        routes.push({
-          method: route.method,
-          path: normalizePath(basePath + router.prefix + route.path)
-        });
-      }
-    }
-  }
-  return routes;
-}
 function formatRouteLog(listenUrl, routes) {
   const header = `vertz server listening on ${listenUrl}`;
   if (routes.length === 0) {
@@ -363,28 +320,18 @@ function formatRouteLog(listenUrl, routes) {
 // src/app/app-builder.ts
 var DEFAULT_PORT = 3000;
 function createApp(config) {
-  const registrations = [];
   let globalMiddlewares = [];
   let cachedHandler = null;
   const registeredRoutes = [];
+  const entityRoutes = [];
   const builder = {
-    register(module, options) {
-      registrations.push({ module, options });
-      for (const router of module.routers) {
-        for (const route of router.routes) {
-          registeredRoutes.push({ method: route.method, path: router.prefix + route.path });
-        }
-      }
-      cachedHandler = null;
-      return builder;
-    },
     middlewares(list) {
       globalMiddlewares = [...list];
       return builder;
     },
     get handler() {
       if (!cachedHandler) {
-        cachedHandler = buildHandler(config, registrations, globalMiddlewares);
+        cachedHandler = buildHandler(config, globalMiddlewares);
       }
       return cachedHandler;
     },
@@ -395,35 +342,45 @@ function createApp(config) {
       const adapter = detectAdapter();
       const serverHandle = await adapter.listen(port ?? DEFAULT_PORT, builder.handler, options);
       if (options?.logRoutes !== false) {
-        const routes = collectRoutes(config.basePath ?? "", registrations);
         const url = `http://${serverHandle.hostname}:${serverHandle.port}`;
-        console.log(formatRouteLog(url, routes));
+        console.log(formatRouteLog(url, entityRoutes));
       }
       return serverHandle;
     }
   };
-  if (config.domains && config.domains.length > 0) {
+  if (config._entityRoutes) {
+    for (const route of config._entityRoutes) {
+      const info = { method: route.method, path: route.path };
+      registeredRoutes.push(info);
+      entityRoutes.push(info);
+    }
+  } else if (config.entities && config.entities.length > 0) {
     const rawPrefix = config.apiPrefix === undefined ? "/api/" : config.apiPrefix;
-    for (const domain of config.domains) {
-      const domainPath = rawPrefix === "" ? "/" + domain.name : (rawPrefix.endsWith("/") ? rawPrefix : rawPrefix + "/") + domain.name;
-      registeredRoutes.push({ method: "GET", path: domainPath });
-      registeredRoutes.push({ method: "GET", path: `${domainPath}/:id` });
-      registeredRoutes.push({ method: "POST", path: domainPath });
-      registeredRoutes.push({ method: "PUT", path: `${domainPath}/:id` });
-      registeredRoutes.push({ method: "DELETE", path: `${domainPath}/:id` });
-      if (domain.actions) {
-        for (const actionName of Object.keys(domain.actions)) {
-          registeredRoutes.push({ method: "POST", path: `${domainPath}/:id/${actionName}` });
+    for (const entity of config.entities) {
+      const entityPath = rawPrefix === "" ? `/${entity.name}` : (rawPrefix.endsWith("/") ? rawPrefix : `${rawPrefix}/`) + entity.name;
+      const routes = [
+        { method: "GET", path: entityPath },
+        { method: "GET", path: `${entityPath}/:id` },
+        { method: "POST", path: entityPath },
+        { method: "PATCH", path: `${entityPath}/:id` },
+        { method: "DELETE", path: `${entityPath}/:id` }
+      ];
+      if (entity.actions) {
+        for (const actionName of Object.keys(entity.actions)) {
+          routes.push({ method: "POST", path: `${entityPath}/:id/${actionName}` });
         }
       }
+      registeredRoutes.push(...routes);
+      entityRoutes.push(...routes);
     }
   }
   return builder;
 }
 // src/env/env-validator.ts
 function createEnv(config) {
-  const result = config.schema.safeParse(process.env);
-  if (!result.success) {
+  const envRecord = config.env ?? (typeof process !== "undefined" ? process.env : {});
+  const result = config.schema.safeParse(envRecord);
+  if (!result.ok) {
     throw new Error(`Environment validation failed:
 ${result.error.message}`);
   }
@@ -433,72 +390,10 @@ ${result.error.message}`);
 function createMiddleware(def) {
   return deepFreeze(def);
 }
-// src/module/module.ts
-function validateOwnership(items, kind, expectedModule) {
-  for (const item of items) {
-    if (item.moduleName !== expectedModule) {
-      throw new Error(`${kind} belongs to module "${item.moduleName}", cannot add to module "${expectedModule}"`);
-    }
-  }
-}
-function createModule(definition, config) {
-  validateOwnership(config.services, "Service", definition.name);
-  validateOwnership(config.routers, "Router", definition.name);
-  for (const exp of config.exports) {
-    if (!config.services.includes(exp)) {
-      throw new Error("exports must be a subset of services");
-    }
-  }
-  return deepFreeze({
-    definition,
-    ...config
-  });
-}
-// src/module/router-def.ts
-var HTTP_METHODS = ["get", "post", "put", "patch", "delete", "head"];
-function createRouterDef(moduleName, config) {
-  const routes = [];
-  function addRoute(method, path, routeConfig) {
-    if (!path.startsWith("/")) {
-      throw new Error(`Route path must start with '/', got '${path}'`);
-    }
-    routes.push({ method, path, config: routeConfig });
-    return router;
-  }
-  const router = {
-    ...config,
-    moduleName,
-    routes
-  };
-  for (const method of HTTP_METHODS) {
-    router[method] = (path, cfg) => addRoute(method.toUpperCase(), path, cfg);
-  }
-  return router;
-}
-
-// src/module/service.ts
-function createServiceDef(moduleName, config) {
-  return deepFreeze({
-    ...config,
-    moduleName
-  });
-}
-
-// src/module/module-def.ts
-function createModuleDef(config) {
-  const def = {
-    ...config,
-    service: (serviceConfig) => createServiceDef(config.name, serviceConfig),
-    router: (routerConfig) => createRouterDef(config.name, routerConfig)
-  };
-  return deepFreeze(def);
-}
 // src/vertz.ts
 var vertz = /* @__PURE__ */ deepFreeze({
   env: createEnv,
   middleware: createMiddleware,
-  moduleDef: createModuleDef,
-  module: createModule,
   app: createApp,
   server: createApp
 });
@@ -511,15 +406,9 @@ var createApp2 = (...args) => {
 };
 export {
   vertz,
-  ok,
   makeImmutable,
-  isOk,
-  isErr,
-  err,
   deepFreeze,
   createServer,
-  createModuleDef,
-  createModule,
   createMiddleware,
   createImmutableProxy,
   createEnv,

package/dist/internals.d.ts

@@ -53,7 +53,7 @@ interface ParsedRequest {
 	raw: Request;
 }
 declare function parseRequest(request: Request): ParsedRequest;
-declare function parseBody(request: Request): Promise<unknown>;
+declare function parseBody(request: Request, maxBodySize?: number): Promise<unknown>;
 declare function createJsonResponse(data: unknown, status?: number, headers?: Record<string, string>): Response;
 declare function createErrorResponse(error: unknown): Response;
 export { runMiddlewareChain, parseRequest, parseBody, createJsonResponse, createErrorResponse, buildCtx, Trie, ResolvedMiddleware };

package/dist/internals.js

@@ -6,7 +6,7 @@ import {
   parseBody,
   parseRequest,
   runMiddlewareChain
-} from "./shared/chunk-c77pg5gx.js";
+} from "./shared/chunk-m3w3ytn5.js";
 export {
   runMiddlewareChain,
   parseRequest,

package/dist/shared/{chunk-c77pg5gx.js → chunk-m3w3ytn5.js}

@@ -41,7 +41,7 @@ function deepFreeze(obj, visited = new WeakSet) {
 
 // src/immutability/make-immutable.ts
 function makeImmutable(obj, contextName) {
-  if (true) {
+  if (typeof process !== "undefined" && true) {
     return createImmutableProxy(obj, contextName);
   }
   return obj;
@@ -65,7 +65,7 @@ function validateCollisions(config) {
   }
 }
 function buildCtx(config) {
-  if (true) {
+  if (typeof process !== "undefined" && true) {
     validateCollisions(config);
   }
   return makeImmutable({
@@ -98,11 +98,11 @@ class VertzException extends Error {
   }
   toJSON() {
     return {
-      error: this.name,
-      message: this.message,
-      statusCode: this.statusCode,
-      code: this.code,
-      ...this.details !== undefined && { details: this.details }
+      error: {
+        code: this.code,
+        message: this.message,
+        ...this.details !== undefined && { details: this.details }
+      }
     };
   }
 }
@@ -110,70 +110,81 @@ class VertzException extends Error {
 // src/exceptions/http-exceptions.ts
 class BadRequestException extends VertzException {
   constructor(message, details) {
-    super(message, 400, undefined, details);
+    super(message, 400, "BadRequest", details);
   }
 }
 
 class UnauthorizedException extends VertzException {
   constructor(message, details) {
-    super(message, 401, undefined, details);
+    super(message, 401, "Unauthorized", details);
   }
 }
 
 class ForbiddenException extends VertzException {
   constructor(message, details) {
-    super(message, 403, undefined, details);
+    super(message, 403, "Forbidden", details);
   }
 }
 
 class NotFoundException extends VertzException {
   constructor(message, details) {
-    super(message, 404, undefined, details);
+    super(message, 404, "NotFound", details);
   }
 }
 
 class ConflictException extends VertzException {
   constructor(message, details) {
-    super(message, 409, undefined, details);
+    super(message, 409, "Conflict", details);
   }
 }
 
 class ValidationException extends VertzException {
   errors;
   constructor(errors) {
-    super("Validation failed", 422, undefined, undefined);
+    super("Validation failed", 422, "ValidationError", undefined);
     this.errors = errors;
   }
   toJSON() {
     return {
-      ...super.toJSON(),
-      errors: this.errors
+      error: {
+        code: this.code,
+        message: this.message,
+        details: this.errors
+      }
     };
   }
 }
 
 class InternalServerErrorException extends VertzException {
   constructor(message, details) {
-    super(message, 500, undefined, details);
+    super(message, 500, "InternalError", details);
   }
 }
 
 class ServiceUnavailableException extends VertzException {
   constructor(message, details) {
-    super(message, 503, undefined, details);
+    super(message, 503, "ServiceUnavailable", details);
   }
 }
 // src/middleware/middleware-runner.ts
+var DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 function isPlainObject(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
+function safeAssign(target, source) {
+  for (const key of Object.keys(source)) {
+    if (!DANGEROUS_KEYS.has(key)) {
+      target[key] = source[key];
+    }
+  }
+}
 async function runMiddlewareChain(middlewares, requestCtx) {
-  const accumulated = {};
+  const accumulated = Object.create(null);
   for (const mw of middlewares) {
     const ctx = { ...requestCtx, ...mw.resolvedInject, ...accumulated };
     const contribution = await mw.handler(ctx);
     if (isPlainObject(contribution)) {
-      Object.assign(accumulated, contribution);
+      safeAssign(accumulated, contribution);
     }
   }
   return accumulated;
@@ -297,11 +308,16 @@ function parseRequest(request) {
     method: request.method,
     path: url.pathname,
     query: Object.fromEntries(url.searchParams),
-    headers: Object.fromEntries(request.headers),
+    headers: Object.fromEntries([...request.headers].map(([k, v]) => [k.toLowerCase(), v])),
     raw: request
   };
 }
-async function parseBody(request) {
+var DEFAULT_MAX_BODY_SIZE = 10 * 1024 * 1024;
+async function parseBody(request, maxBodySize = DEFAULT_MAX_BODY_SIZE) {
+  const contentLength = parseInt(request.headers.get("content-length") ?? "0", 10);
+  if (maxBodySize && contentLength > maxBodySize) {
+    throw new BadRequestException("Request body too large");
+  }
   const contentType = request.headers.get("content-type") ?? "";
   if (contentType.includes("application/json")) {
     try {
@@ -325,7 +341,7 @@ function createJsonResponse(data, status = 200, headers) {
   return new Response(JSON.stringify(data), {
     status,
     headers: {
-      "content-type": "application/json",
+      "content-type": "application/json; charset=utf-8",
       ...headers
     }
   });
@@ -334,7 +350,7 @@ function createErrorResponse(error) {
   if (error instanceof VertzException) {
     return createJsonResponse(error.toJSON(), error.statusCode);
   }
-  return createJsonResponse({ error: "InternalServerError", message: "Internal Server Error", statusCode: 500 }, 500);
+  return createJsonResponse({ error: { code: "InternalServerError", message: "Internal Server Error" } }, 500);
 }
 
 export { createImmutableProxy, deepFreeze, makeImmutable, buildCtx, VertzException, BadRequestException, UnauthorizedException, ForbiddenException, NotFoundException, ConflictException, ValidationException, InternalServerErrorException, ServiceUnavailableException, runMiddlewareChain, Trie, parseRequest, parseBody, createJsonResponse, createErrorResponse };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vertz/core",
-  "version": "0.2.0",
+  "version": "0.2.3",
   "type": "module",
   "license": "MIT",
   "description": "Vertz core framework primitives",
@@ -30,17 +30,18 @@
   ],
   "scripts": {
     "build": "bunup",
-    "test": "vitest run",
+    "test": "bun test",
+    "test:coverage": "vitest run --coverage",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@vertz/schema": "workspace:*"
+    "@vertz/schema": "0.2.2"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
+    "@types/node": "^25.3.1",
     "@vitest/coverage-v8": "^4.0.18",
-    "bunup": "latest",
+    "bunup": "^0.16.31",
     "typescript": "^5.7.0",
     "vitest": "^4.0.18"
   },