@vyckr/tachyon 1.3.0 → 1.3.2

package/.env.example

@@ -1,13 +1,19 @@
 # Tachyon environment variables
 PORT=8000
 TIMEOUT=70
+# Maximum ms a handler process may run before it is killed (default: 30000)
+HANDLER_TIMEOUT_MS=30000
 DEV=
 VALIDATE=
 HOSTNAME=127.0.0.1
 ALLOW_HEADERS=*
-ALLOW_ORIGINS=*
+# Restrict to explicit origins in production — never use * with credentials enabled
+ALLOW_ORIGINS=https://yourdomain.com
 ALLOW_CREDENTIALS=
-ALLOW_EXPOSE_HEADERS=*
+ALLOW_EXPOSE_HEADERS=
 ALLOW_MAX_AGE=3600
 ALLOW_METHODS=GET,POST,PUT,DELETE,PATCH,OPTIONS
-BASIC_AUTH=username:password
+# Generate strong credentials at deployment time — never commit real credentials
+BASIC_AUTH=
+# Override default CSP if your app loads scripts/styles from external origins
+CONTENT_SECURITY_POLICY=default-src 'self'

package/README.md

@@ -13,7 +13,8 @@ Tachyon is a **polyglot, file-system-routed full-stack framework for [Bun](https
 - **Custom 404 page** — drop a `404.html` in your project root to override the default
 - **Schema validation** — per-route request/response validation via `OPTIONS` files
 - **Status code routing** — map response schemas to HTTP status codes; the framework picks the code automatically
-- **Auth** — built-in Basic Auth and JWT decoding
+- **Auth** — built-in Basic Auth (timing-safe) and JWT decoding with expiry enforcement
+- **Security headers** — X-Frame-Options, X-Content-Type-Options, HSTS, CSP, and Referrer-Policy sent on every response
 - **Streaming** — SSE responses via `Accept: text/event-stream`
 
 ## Installation
@@ -53,20 +54,28 @@ HOSTNAME=127.0.0.1
 TIMEOUT=70
 DEV=true
 
-# CORS
-ALLOW_HEADERS=*
-ALLOW_ORIGINS=*
+# CORS — restrict to explicit origins in production; never combine * with credentials
+ALLOW_HEADERS=Content-Type,Authorization
+ALLOW_ORIGINS=https://yourdomain.com
 ALLOW_CREDENTIALS=false
-ALLOW_EXPOSE_HEADERS=*
+ALLOW_EXPOSE_HEADERS=
 ALLOW_MAX_AGE=3600
 ALLOW_METHODS=GET,POST,PUT,DELETE,PATCH,OPTIONS
 
-# Auth
-BASIC_AUTH=username:password
+# Auth — generate strong credentials; never commit real values
+BASIC_AUTH=
 
 # Validation (set to any value to enable)
 VALIDATE=true
 
+# Security
+# Override the default CSP if your app loads scripts/styles from external origins
+CONTENT_SECURITY_POLICY=default-src 'self'
+# Maximum ms a handler process may run before it is killed (default: 30000)
+HANDLER_TIMEOUT_MS=30000
+# Maximum length of any single route or query parameter value (default: 1000)
+MAX_PARAM_LENGTH=1000
+
 # Custom route/asset paths (defaults to <cwd>/routes, <cwd>/components, <cwd>/assets)
 ROUTES_PATH=
 COMPONENTS_PATH=
@@ -111,11 +120,18 @@ Every handler receives the full request context on `stdin` as a JSON object:
   "paths":   { "version": "v2" },
   "context": {
     "ipAddress": "127.0.0.1",
-    "bearer":    { "header": {}, "payload": {}, "signature": "..." }
+    "bearer": {
+      "header":   { "alg": "HS256", "typ": "JWT" },
+      "payload":  { "sub": "42", "exp": 1999999999 },
+      "signature": "...",
+      "verified": false
+    }
   }
 }
 ```
 
+> **Note:** `context.bearer` is decoded but the signature is **not** verified. `verified` is always `false`. Do not trust claims in `bearer.payload` without out-of-band verification (e.g. via middleware that calls a trusted auth service). Tokens with an expired `exp` claim are rejected before reaching your handler. Use the [`jose`](https://github.com/panva/jose) library for full JWT verification.
+
 ### Route Handler Examples
 
 **Bun (TypeScript)**
@@ -292,6 +308,25 @@ tach.bundle
 
 Outputs compiled assets to `dist/`.
 
+## Security
+
+Tachyon applies the following protections by default:
+
+| Area | Protection |
+|------|-----------|
+| **Response headers** | `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Strict-Transport-Security`, `Content-Security-Policy`, `Referrer-Policy` on every response |
+| **Basic Auth** | Credential comparison uses `timingSafeEqual` to prevent timing oracle attacks |
+| **JWT** | Tokens with an expired `exp` claim are rejected; signature is decoded but not verified (see note above) |
+| **Process timeout** | Handler processes that exceed `HANDLER_TIMEOUT_MS` are killed automatically |
+| **Parameter limits** | Query and path parameters exceeding `MAX_PARAM_LENGTH` characters return HTTP 400 |
+| **Error responses** | Unhandled server errors return a generic message; internal details are logged server-side only |
+| **CORS** | Wildcard `ALLOW_ORIGINS=*` combined with `ALLOW_CREDENTIALS=true` is not recommended — set explicit origins in production |
+
+For production deployments:
+- Set `BASIC_AUTH` to a strong credential — never use a default value
+- Set `ALLOW_ORIGINS` to your application's domain instead of `*`
+- Consider adding a reverse proxy (nginx, Caddy) to enforce HTTPS and add rate limiting
+
 ## License
 
 MIT

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@vyckr/tachyon",
-    "version": "1.3.0",
+    "version": "1.3.2",
     "description": "A polyglot, file-system-routed full-stack framework for Bun",
     "author": "Chidelma",
     "license": "MIT",

package/src/cli/serve.ts

@@ -23,7 +23,13 @@ async function loadMiddleware() {
         const filePath = `${Router.middlewarePath}${ext}`
         if (await pathExists(filePath)) {
             const mod = await import(filePath)
-            Router.middleware = (mod.default ?? mod) as Middleware
+            const loaded = mod.default ?? mod
+            if (typeof loaded !== 'object' || loaded === null ||
+                (loaded.before !== undefined && typeof loaded.before !== 'function') ||
+                (loaded.after  !== undefined && typeof loaded.after  !== 'function')) {
+                throw new Error(`Middleware at '${filePath}' must export an object with optional before/after functions`)
+            }
+            Router.middleware = loaded as Middleware
             return
         }
     }

package/src/compiler/render-template.js

@@ -4,7 +4,15 @@ export default async function(props) {
 
     // script
 
-    if(props) props.split(';').map(prop => eval(prop))
+    if(props) {
+        const __p__ = typeof props === 'string' ? JSON.parse(decodeURIComponent(props)) : props
+        for(const __k__ of Object.keys(__p__)) {
+            if(/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(__k__)) {
+                const __v__ = __p__[__k__]
+                eval(`${__k__} = __v__`)
+            }
+        }
+    }
 
     const compRenders = new Map()
 
@@ -28,24 +36,21 @@ export default async function(props) {
         }
 
         const ty_invokeEvent = (hash, action) => {
-            
             if(elemId === ty_generateId(hash, 'ev')) {
-                
-                if(event && !action.endsWith(')')) {
-                    return action + "('" + event + "')"
-                }
-                return action
+                const toCall = (event && !action.endsWith(')')) ? action + "('" + event + "')" : action
+                eval(toCall)
             }
-            return "''"
+            return ''
         }
 
         const ty_assignValue = (hash, variable) => {
-
             if(elemId === ty_generateId(hash, 'bind') && event) {
-                return variable + " = '" + event.value + "'"
+                if(/^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(variable)) {
+                    const __val__ = event.value
+                    eval(`${variable} = __val__`)
+                }
             }
-
-            return variable
+            return ''
         }
 
         let elements = '';

package/src/compiler/template-compiler.ts

@@ -119,9 +119,9 @@ export default class Yon {
 
             const formatAttr = (name: string, value: string, hash: string): string => {
                 if (name.startsWith('@'))
-                    return `${name}="\${eval(ty_invokeEvent('${hash}', '${value}'))}"`;
+                    return `${name}="\${ty_invokeEvent('${hash}', '${value}')}"`;
                 if (name === ':value')
-                    return `value="\${eval(ty_assignValue('${hash}', '${value}'))}"`;
+                    return `value="\${ty_assignValue('${hash}', '${value}')}"`;
                 return `${name}="${value}"`;
             };
 
@@ -266,24 +266,28 @@ export default class Yon {
                 if (key.startsWith('@')) {
                     events.push(`${key}="${value.replace(/(ty_invokeEvent\(')([^"]+)(',[^)]+\))/g, `$1${hash}$3`)}"`);
                 } else {
-                    props.push(`${key}=${value}`);
+                    // Convert template-literal expr "${foo()}" → foo(), static value → JSON literal
+                    const expr = value.startsWith('${') && value.endsWith('}')
+                        ? value.slice(2, -1)
+                        : JSON.stringify(value);
+                    props.push(`"${key}": ${expr}`);
                 }
             }
 
             const genId = "${ty_generateId('" + hash + "', 'id')}";
+            const propsObj = props.length ? `{${props.join(', ')}}` : 'null';
 
             if (isLazy) {
                 const filepath = Yon.compMapping.get(component);
-                const propsEncoded = props.length ? props.join(';') : '';
                 return `
-                elements += \`<div id="${genId}" data-lazy-component="${component}" data-lazy-path="/components/${filepath}" data-lazy-props="${propsEncoded}" ${events.join(' ')}></div>\`
+                elements += \`<div id="${genId}" data-lazy-component="${component}" data-lazy-path="/components/${filepath}" data-lazy-props="\${${props.length ? `encodeURIComponent(JSON.stringify(${propsObj}))` : "''"}}\" ${events.join(' ')}></div>\`
                 `;
             }
 
             return `
                 elements += \`<div id="${genId}" ${events.join(' ')}>\`
                 if(!compRenders.has('${hash}')) {
-                    render = await ${component}(\`${props.join(';')}\`)
+                    render = await ${component}(${propsObj})
                     elements += await render(elemId, event, '${hash}')
                     compRenders.set('${hash}', render)
                 } else {

package/src/runtime/spa-renderer.ts

@@ -200,7 +200,8 @@ const lazyObserver = new IntersectionObserver((entries) => {
 async function loadLazyComponent(el: HTMLElement) {
   const path = el.dataset.lazyComponent!;
   const modulePath = el.dataset.lazyPath!;
-  const props = el.dataset.lazyProps || '';
+  const propsRaw = el.dataset.lazyProps || '';
+  const props = propsRaw ? JSON.parse(decodeURIComponent(propsRaw)) : null;
 
   try {
     const mod = await import(modulePath);

package/src/server/process-executor.ts

@@ -1,4 +1,5 @@
 import { BunRequest, Server } from "bun";
+import { timingSafeEqual } from "node:crypto";
 import Router, { RequestContext, RouteOptions, RequestPayload, RouteResponse } from "./route-handler.js";
 import Pool from "./process-pool.js";
 import Validate from "./schema-validator.js";
@@ -118,11 +119,15 @@ export default class Tach {
     }
 
     private static isAuthorizedClient(authorization: string | undefined, basicAuth: string): boolean {
-        if (authorization) {
-            const [, hash] = authorization.split(' ')
-            return hash === btoa(basicAuth)
-        }
-        return false
+        if (!authorization) return false
+        const [, provided] = authorization.split(' ')
+        if (!provided) return false
+        const expected = btoa(basicAuth)
+        // Timing-safe comparison prevents brute-force timing oracle attacks
+        const a = Buffer.from(expected)
+        const b = Buffer.from(provided)
+        if (a.length !== b.length) return false
+        return timingSafeEqual(a, b)
     }
 
     private static async serveRequest(
@@ -187,7 +192,9 @@ export default class Tach {
 
     /**
      * Decodes a Bearer JWT from an Authorization header.
-     * Returns `undefined` if absent, not Bearer, or the payload is malformed.
+     * WARNING: The signature is NOT verified. Route handlers must not trust claims
+     * without out-of-band verification (e.g. via a middleware that calls a trusted
+     * auth service). Rejects tokens whose `exp` claim is in the past.
      * @param authorization - The raw `Authorization` header value
      */
     private static decodeJWT(authorization: string | undefined) {
@@ -200,10 +207,19 @@ export default class Tach {
         const [header, payload, signature] = token.split('.')
 
         try {
+            const decodedPayload: Record<string, unknown> = JSON.parse(atob(payload))
+
+            // Reject expired tokens even without full signature verification
+            if (typeof decodedPayload.exp === 'number' && decodedPayload.exp < Math.floor(Date.now() / 1000)) {
+                console.warn(`Rejected expired JWT (exp=${decodedPayload.exp})`, process.pid)
+                return undefined
+            }
+
             return {
-                header:    JSON.parse(atob(header)),
-                payload:   JSON.parse(atob(payload)),
+                header:     JSON.parse(atob(header)),
+                payload:    decodedPayload,
                 signature,
+                verified:   false as const, // Signature NOT verified — do not trust claims without separate verification
             }
         } catch {
             console.warn(`Failed to decode JWT — malformed base64 or JSON payload`, process.pid)
@@ -263,9 +279,12 @@ export default class Tach {
                     }
 
                 } catch (err) {
-                    res = err instanceof Response
-                        ? err
-                        : Response.json({ detail: (err as Error).message }, { status: 400, headers: Router.headers })
+                    if (err instanceof Response) {
+                        res = err
+                    } else {
+                        console.error('[process-executor] Unhandled error:', err, process.pid)
+                        res = Response.json({ error: 'Internal server error' }, { status: 500, headers: Router.headers })
+                    }
                 }
 
                 console.info(`${path} - ${request!.method} - ${res.status} - ${Date.now() - start}ms`, process.pid)

package/src/server/process-pool.ts

@@ -3,6 +3,11 @@ import Router from "./route-handler.js"
 /** A Bun subprocess with all three stdio channels opened as pipes. */
 export type PipedProcess = ReturnType<typeof Bun.spawn<"pipe", "pipe", "pipe">>
 
+/** Maximum time (ms) a handler process may run before it is killed. Default: 30 s. */
+const HANDLER_TIMEOUT_MS = process.env.HANDLER_TIMEOUT_MS
+    ? Number(process.env.HANDLER_TIMEOUT_MS)
+    : 30_000
+
 export default class Pool {
 
     /**
@@ -58,6 +63,9 @@ export default class Pool {
      * Returns the pre-warmed process for `handler` if one exists and is still
      * running, otherwise spawns a fresh process. Immediately schedules a
      * replacement warm process for the next request.
+     *
+     * A kill-on-timeout timer is armed: if the process has not exited within
+     * HANDLER_TIMEOUT_MS it is killed and the event is logged.
      */
     static acquireHandler(handler: string): PipedProcess {
         const warmed = Pool.warmedProcesses.get(handler)
@@ -67,14 +75,27 @@ export default class Pool {
         setImmediate(() => Pool.prewarmHandler(handler))
 
         // If the warmed process exited early (e.g. handler syntax error), spawn fresh
-        if (warmed && warmed.exitCode === null) return warmed
+        const proc: PipedProcess = (warmed && warmed.exitCode === null)
+            ? warmed
+            : Bun.spawn<"pipe", "pipe", "pipe">({
+                cmd:    [handler],
+                stdin:  "pipe",
+                stdout: "pipe",
+                stderr: "pipe",
+                env:    process.env,
+            })
 
-        return Bun.spawn<"pipe", "pipe", "pipe">({
-            cmd:    [handler],
-            stdin:  "pipe",
-            stdout: "pipe",
-            stderr: "pipe",
-            env:    process.env,
-        })
+        // Kill hung processes to prevent resource exhaustion
+        const timeout = setTimeout(() => {
+            if (proc.exitCode === null) {
+                console.error(`[pool] Handler timed out after ${HANDLER_TIMEOUT_MS}ms — killing process`, proc.pid)
+                try { proc.kill() } catch { /* already exited */ }
+            }
+        }, HANDLER_TIMEOUT_MS)
+
+        // Clear the timer once the process exits naturally
+        proc.exited.then(() => clearTimeout(timeout)).catch(() => clearTimeout(timeout))
+
+        return proc
     }
 }

package/src/server/route-handler.ts

@@ -7,6 +7,8 @@ export interface RequestContext {
         header: Record<string, unknown>
         payload: Record<string, unknown>
         signature: string
+        /** Always false — signature is decoded but NOT cryptographically verified */
+        verified: false
     }
 }
 
@@ -64,7 +66,13 @@ export default class Router {
         "Access-Control-Allow-Credential": process.env.ALLOW_CREDENTIALS || "false",
         "Access-Control-Expose-Headers":   process.env.ALLOW_EXPOSE_HEADERS || "",
         "Access-Control-Max-Age":          process.env.ALLOW_MAX_AGE     || "",
-        "Access-Control-Allow-Methods":    process.env.ALLOW_METHODS     || ""
+        "Access-Control-Allow-Methods":    process.env.ALLOW_METHODS     || "",
+        // Security headers
+        "X-Frame-Options":                 "DENY",
+        "X-Content-Type-Options":          "nosniff",
+        "Strict-Transport-Security":       "max-age=31536000; includeSubDomains",
+        "Content-Security-Policy":         process.env.CONTENT_SECURITY_POLICY || "default-src 'self'",
+        "Referrer-Policy":                 "strict-origin-when-cross-origin",
     }
 
     /**
@@ -153,17 +161,24 @@ export default class Router {
         return { handler: `${Router.routesPath}${route}/${request.method}`, stdin, config: requestConfig }
     }
 
+    /** Maximum allowed length for any single route or query parameter value. */
+    static readonly MAX_PARAM_LENGTH = Number(process.env.MAX_PARAM_LENGTH) || 1000
+
     /**
      * Coerces an array of string path segments into their native types
      * (number, boolean, null, undefined, or string).
      * @param input - Raw string segments from the URL path
      * @returns Typed parameter values
+     * @throws Response with status 400 if any segment exceeds MAX_PARAM_LENGTH
      */
     static parseParams(input: string[]): (string | boolean | number | null | undefined)[] {
 
         const params: (string | boolean | number | null | undefined)[] = []
 
         for (const param of input) {
+            if (param.length > Router.MAX_PARAM_LENGTH) {
+                throw Response.json({ error: 'Parameter too long' }, { status: 400 })
+            }
 
             const num = Number(param)
 
@@ -190,6 +205,10 @@ export default class Router {
 
         for (const [key, val] of input) {
 
+            if (typeof val === "string" && val.length > Router.MAX_PARAM_LENGTH) {
+                throw Response.json({ error: 'Parameter too long' }, { status: 400 })
+            }
+
             if (typeof val === "string") {
 
                 try {