@zintrust/core 0.1.20 → 0.1.21

package/src/runtime/StartupConfigFileRegistry.d.ts

@@ -0,0 +1,20 @@
+export declare enum StartupConfigFile {
+    Broadcast = "config/broadcast.ts",
+    Cache = "config/cache.ts",
+    Database = "config/database.ts",
+    Mail = "config/mail.ts",
+    Middleware = "config/middleware.ts",
+    Notification = "config/notification.ts",
+    Queue = "config/queue.ts",
+    Storage = "config/storage.ts"
+}
+export declare const StartupConfigFileRegistry: Readonly<{
+    preload(files: readonly StartupConfigFile[]): Promise<void>;
+    isPreloaded(): boolean;
+    get<T>(file: StartupConfigFile): T | undefined;
+    has(file: StartupConfigFile): boolean;
+    /** Intended for tests only. */
+    clear(): void;
+}>;
+export default StartupConfigFileRegistry;
+//# sourceMappingURL=StartupConfigFileRegistry.d.ts.map

package/src/runtime/StartupConfigFileRegistry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StartupConfigFileRegistry.d.ts","sourceRoot":"","sources":["../../../src/runtime/StartupConfigFileRegistry.ts"],"names":[],"mappings":"AAEA,oBAAY,iBAAiB;IAC3B,SAAS,wBAAwB;IACjC,KAAK,oBAAoB;IACzB,QAAQ,uBAAuB;IAC/B,IAAI,mBAAmB;IACvB,UAAU,yBAAyB;IACnC,YAAY,2BAA2B;IACvC,KAAK,oBAAoB;IACzB,OAAO,sBAAsB;CAC9B;AAKD,eAAO,MAAM,yBAAyB;mBACf,SAAS,iBAAiB,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;mBAelD,OAAO;QAIlB,CAAC,QAAQ,iBAAiB,GAAG,CAAC,GAAG,SAAS;cAIpC,iBAAiB,GAAG,OAAO;IAIrC,+BAA+B;aACtB,IAAI;EAIb,CAAC;AAEH,eAAe,yBAAyB,CAAC"}

package/src/runtime/StartupConfigFileRegistry.js

@@ -0,0 +1,44 @@
+import useFileLoader from '../runtime/useFileLoader.js';
+export var StartupConfigFile;
+(function (StartupConfigFile) {
+    StartupConfigFile["Broadcast"] = "config/broadcast.ts";
+    StartupConfigFile["Cache"] = "config/cache.ts";
+    StartupConfigFile["Database"] = "config/database.ts";
+    StartupConfigFile["Mail"] = "config/mail.ts";
+    StartupConfigFile["Middleware"] = "config/middleware.ts";
+    StartupConfigFile["Notification"] = "config/notification.ts";
+    StartupConfigFile["Queue"] = "config/queue.ts";
+    StartupConfigFile["Storage"] = "config/storage.ts";
+})(StartupConfigFile || (StartupConfigFile = {}));
+const cache = new Map();
+let preloaded = false;
+export const StartupConfigFileRegistry = Object.freeze({
+    async preload(files) {
+        const tasks = files.map(async (file) => {
+            const loader = useFileLoader(file);
+            if (!loader.exists()) {
+                cache.delete(file);
+                return;
+            }
+            const value = await loader.get();
+            cache.set(file, value);
+        });
+        await Promise.all(tasks);
+        preloaded = true;
+    },
+    isPreloaded() {
+        return preloaded;
+    },
+    get(file) {
+        return cache.get(file);
+    },
+    has(file) {
+        return cache.has(file);
+    },
+    /** Intended for tests only. */
+    clear() {
+        cache.clear();
+        preloaded = false;
+    },
+});
+export default StartupConfigFileRegistry;

package/src/runtime/useFileLoader.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Project file loader
+ *
+ * Loads project-owned files (typically config modules) from the project root.
+ *
+ * Usage:
+ *  - useFileLoader('config/mail.ts').get<TypeMail>()
+ *  - useFileLoader('config', 'mail.ts').get<TypeMail>()
+ */
+export type FileLoader = Readonly<{
+    /** Absolute filesystem candidates (in resolution order). */
+    candidates: () => readonly string[];
+    /** Returns the first existing candidate path (or the first candidate if none exist). */
+    path: () => string;
+    /** Whether any candidate exists on disk. */
+    exists: () => boolean;
+    /**
+     * Loads the file via ESM dynamic import and returns:
+     * - `default` export when present
+     * - otherwise the full module namespace object
+     */
+    get: <T = unknown>() => Promise<T>;
+}>;
+export declare const useFileLoader: (...args: [string] | [string, ...string[]]) => FileLoader;
+export default useFileLoader;
+//# sourceMappingURL=useFileLoader.d.ts.map

package/src/runtime/useFileLoader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useFileLoader.d.ts","sourceRoot":"","sources":["../../../src/runtime/useFileLoader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAUH,MAAM,MAAM,UAAU,GAAG,QAAQ,CAAC;IAChC,4DAA4D;IAC5D,UAAU,EAAE,MAAM,SAAS,MAAM,EAAE,CAAC;IACpC,wFAAwF;IACxF,IAAI,EAAE,MAAM,MAAM,CAAC;IACnB,4CAA4C;IAC5C,MAAM,EAAE,MAAM,OAAO,CAAC;IACtB;;;;OAIG;IACH,GAAG,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;CACpC,CAAC,CAAC;AAyIH,eAAO,MAAM,aAAa,GAAI,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,KAAG,UA+DzE,CAAC;AAEF,eAAe,aAAa,CAAC"}

package/src/runtime/useFileLoader.js

@@ -0,0 +1,188 @@
+/**
+ * Project file loader
+ *
+ * Loads project-owned files (typically config modules) from the project root.
+ *
+ * Usage:
+ *  - useFileLoader('config/mail.ts').get<TypeMail>()
+ *  - useFileLoader('config', 'mail.ts').get<TypeMail>()
+ */
+import { ErrorFactory } from '../exceptions/ZintrustError.js';
+import { existsSync } from '../node-singletons/fs.js';
+import pathModule, { extname, join, resolve, sep } from '../node-singletons/path.js';
+import processModule from '../node-singletons/process.js';
+import { pathToFileURL } from '../node-singletons/url.js';
+const resolveProjectRoot = () => {
+    const isTestRuntime = () => {
+        const nodeEnv = processModule.env?.['NODE_ENV'];
+        const isVitest = processModule.env?.['VITEST'] !== undefined ||
+            processModule.env?.['VITEST_WORKER_ID'] !== undefined ||
+            processModule.env?.['VITEST_POOL_ID'] !== undefined;
+        return nodeEnv === 'testing' || isVitest;
+    };
+    const isCoreRepo = (cwdPath) => {
+        const fromNpm = processModule.env?.['npm_package_name'];
+        if (fromNpm === '@zintrust/core')
+            return true;
+        // Vitest suites (notably CoverageBoost) may mock `@node-singletons/fs` to return
+        // `existsSync() === true` for everything and `readFileSync() === '{}'`, which makes
+        // any package.json-based detection unreliable. Instead, detect a core repo checkout
+        // by checking whether this module is being executed from within the current cwd.
+        // - core repo tests: import.meta.url points into `<cwd>/src/...`
+        // - consumer apps: import.meta.url points into `node_modules/@zintrust/core/...`
+        try {
+            const cwdAbs = resolve(cwdPath);
+            const selfUrl = new URL(import.meta.url);
+            const selfPath = decodeURIComponent(selfUrl.pathname);
+            const selfAbs = resolve(selfPath);
+            return selfAbs === cwdAbs || selfAbs.startsWith(cwdAbs + sep);
+        }
+        catch {
+            return false;
+        }
+    };
+    const fromEnv = processModule.env?.['ZINTRUST_PROJECT_ROOT'];
+    if (typeof fromEnv === 'string' && fromEnv.trim().length > 0)
+        return fromEnv.trim();
+    const cwd = processModule.cwd();
+    // In the ZinTrust core repo, `config/*.ts` are templates (not consumer app config).
+    // During core test runs, we avoid auto-loading them to prevent unexpected overrides.
+    // In normal runs, keep the historical behavior (projectRoot = cwd).
+    if (isCoreRepo(cwd) && isTestRuntime()) {
+        return resolve(cwd, '.zintrust-internal-project-root');
+    }
+    return cwd;
+};
+const isInternalProjectRoot = (projectRoot) => pathModule.basename(projectRoot) === '.zintrust-internal-project-root';
+const normalizeProjectRelativePath = (raw) => {
+    const value = String(raw ?? '').trim();
+    if (value.length === 0) {
+        throw ErrorFactory.createConfigError('useFileLoader() requires a non-empty path');
+    }
+    if (value.includes('\u0000')) {
+        throw ErrorFactory.createSecurityError('Invalid file path (null byte)');
+    }
+    const normalized = value.replaceAll('\\', '/').replace(/^\.\/+/, '');
+    if (pathModule.isAbsolute(normalized)) {
+        throw ErrorFactory.createSecurityError('Absolute paths are not allowed', { requested: value });
+    }
+    return normalized;
+};
+const resolveWithinProjectRoot = (projectRoot, relativePath) => {
+    const rootAbs = resolve(projectRoot);
+    const candidateAbs = resolve(projectRoot, relativePath);
+    if (candidateAbs === rootAbs)
+        return candidateAbs;
+    if (!candidateAbs.startsWith(rootAbs + sep)) {
+        throw ErrorFactory.createSecurityError('Invalid file path (path traversal detected)', {
+            projectRoot: rootAbs,
+            requested: relativePath,
+            resolved: candidateAbs,
+        });
+    }
+    return candidateAbs;
+};
+const replaceExtension = (filePath, nextExt) => {
+    const current = extname(filePath);
+    if (current.length === 0)
+        return `${filePath}${nextExt}`;
+    return filePath.slice(0, -current.length) + nextExt;
+};
+const unique = (items) => {
+    const seen = new Set();
+    const out = [];
+    for (const item of items) {
+        if (seen.has(item))
+            continue;
+        seen.add(item);
+        out.push(item);
+    }
+    return out;
+};
+const buildCandidateAbsolutePaths = (projectRoot, relativePath) => {
+    const ext = extname(relativePath);
+    const baseRelCandidates = unique([
+        relativePath,
+        ...(ext.length === 0
+            ? [`${relativePath}.ts`, `${relativePath}.js`, `${relativePath}.mjs`]
+            : []),
+        ...(ext === '.ts'
+            ? [replaceExtension(relativePath, '.js'), replaceExtension(relativePath, '.mjs')]
+            : []),
+        ...(ext === '.js'
+            ? [replaceExtension(relativePath, '.mjs'), replaceExtension(relativePath, '.ts')]
+            : []),
+        ...(ext === '.mjs'
+            ? [replaceExtension(relativePath, '.js'), replaceExtension(relativePath, '.ts')]
+            : []),
+    ]);
+    const absCandidates = baseRelCandidates.flatMap((rel) => [
+        resolveWithinProjectRoot(projectRoot, rel),
+        resolveWithinProjectRoot(projectRoot, join('dist', rel)),
+    ]);
+    return unique(absCandidates);
+};
+const importModule = async (filePath) => {
+    const url = pathToFileURL(filePath).href;
+    return (await import(url));
+};
+export const useFileLoader = (...args) => {
+    const relativePath = args.length === 1
+        ? normalizeProjectRelativePath(args[0])
+        : normalizeProjectRelativePath(args.join('/'));
+    const projectRoot = resolveProjectRoot();
+    const isInternalRoot = isInternalProjectRoot(projectRoot);
+    const candidates = buildCandidateAbsolutePaths(projectRoot, relativePath);
+    // The core repo uses `.zintrust-internal-project-root` as a sentinel during core test runs.
+    // In this mode, we must *never* import project config templates.
+    // This also avoids test suites that mock `existsSync()` globally (e.g. CoverageBoost).
+    const exists = () => (isInternalRoot ? false : candidates.some((c) => existsSync(c)));
+    const resolveFirstExistingPath = () => {
+        if (isInternalRoot)
+            return candidates[0] ?? resolveWithinProjectRoot(projectRoot, relativePath);
+        for (const candidate of candidates) {
+            if (existsSync(candidate))
+                return candidate;
+        }
+        return candidates[0] ?? resolveWithinProjectRoot(projectRoot, relativePath);
+    };
+    const get = async () => {
+        if (isInternalRoot) {
+            throw ErrorFactory.createNotFoundError('Project file not found', {
+                projectRoot,
+                relativePath,
+                candidates,
+            });
+        }
+        const candidate = candidates.find((c) => existsSync(c));
+        if (candidate === undefined) {
+            throw ErrorFactory.createNotFoundError('Project file not found', {
+                projectRoot,
+                relativePath,
+                candidates,
+            });
+        }
+        try {
+            const mod = await importModule(candidate);
+            if (Object.hasOwn(mod, 'default') && mod.default !== undefined) {
+                return mod.default;
+            }
+            return mod;
+        }
+        catch (error) {
+            throw ErrorFactory.createTryCatchError('Failed to import project file', {
+                candidate,
+                projectRoot,
+                relativePath,
+                error,
+            });
+        }
+    };
+    return Object.freeze({
+        candidates: () => candidates,
+        path: resolveFirstExistingPath,
+        exists,
+        get,
+    });
+};
+export default useFileLoader;

package/src/scripts/TemplateSync.js

@@ -140,10 +140,10 @@ const rewriteStarterTemplateImports = (relPath, content) => {
         .replaceAll('"@common/uuid"', '"@zintrust/core"')
         // Starter templates should not rely on local config/env wrappers.
         // Normalize Env imports to come from the public package surface.
-        .replaceAll("from '../env';", "from '@zintrust/core';")
-        .replaceAll('from "../env";', 'from "@zintrust/core";')
-        .replaceAll("from './env';", "from '@zintrust/core';")
-        .replaceAll('from "./env";', 'from "@zintrust/core";')
+        .replaceAll("from '../env';", "from '../index.js';")
+        .replaceAll('from "../env";', 'from "../index.js";')
+        .replaceAll("from './env';", "from '../index.js';")
+        .replaceAll('from "./env";', 'from "../index.js";')
         // Node-singletons are internal to this repo; starter templates should use Node built-ins.
         .replaceAll("'@node-singletons/fs'", "'node:fs'")
         .replaceAll('"@node-singletons/fs"', '"node:fs"')

package/src/security/XssProtection.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"XssProtection.d.ts","sourceRoot":"","sources":["../../../src/security/XssProtection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA6SH;;GAEG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,OAAO,KAAG,MAGzC,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAChC,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,cAO1B,CAAC"}
+{"version":3,"file":"XssProtection.d.ts","sourceRoot":"","sources":["../../../src/security/XssProtection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA0WH;;GAEG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,OAAO,KAAG,MAGzC,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAChC,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,cAO1B,CAAC"}

package/src/security/XssProtection.js

@@ -27,30 +27,51 @@ const escapeHtml = (text) => {
 /**
  * Sanitize HTML by removing dangerous tags and attributes
  */
-const sanitizeHtml = (html) => {
-    if (typeof html !== 'string') {
-        return '';
-    }
+const MAX_SANITIZE_LOOPS = 50;
+function removeScripts(input) {
     // Remove script tags and content (loop until stable to avoid incomplete multi-character sanitization)
-    let sanitized = html;
-    let prevScriptSanitized;
+    let sanitized = input;
+    let prevSanitized;
+    let loopCount = 0;
     do {
-        prevScriptSanitized = sanitized;
+        prevSanitized = sanitized;
         sanitized = sanitized.replaceAll(/<script\b[\s\S]*?<\/script[^<]*?>/gi, '');
-    } while (sanitized !== prevScriptSanitized);
+        loopCount++;
+    } while (sanitized !== prevSanitized && loopCount < MAX_SANITIZE_LOOPS);
+    if (loopCount >= MAX_SANITIZE_LOOPS) {
+        Logger.warn('[XSS] Sanitization loop limit reached (script removal)');
+        return ''; // Fail safe: return empty string if attack detected
+    }
+    return sanitized;
+}
+function removeDangerousTags(input) {
     // Remove iframe, object, embed, and base tags
+    let sanitized = input;
     sanitized = sanitized.replaceAll(/<(?:iframe|object|embed|base)\b[\s\S]*?>/gi, '');
     sanitized = sanitized.replaceAll(/<\/(?:iframe|object|embed|base)>/gi, '');
+    return sanitized;
+}
+function removeEventHandlers(input) {
     // Remove event handlers (on*). Re-apply until stable to avoid incomplete multi-character sanitization.
-    let previousSanitized;
+    let sanitized = input;
+    let prevSanitized;
+    let loopCount = 0;
     do {
-        previousSanitized = sanitized;
+        prevSanitized = sanitized;
         sanitized = sanitized.replaceAll(/\bon\w+\s*=\s*(?:'[^']*'|"[^"]*"|`[^`]*`|[^\s>]*)/gi, '');
-    } while (sanitized !== previousSanitized);
+        loopCount++;
+    } while (sanitized !== prevSanitized && loopCount < MAX_SANITIZE_LOOPS);
+    if (loopCount >= MAX_SANITIZE_LOOPS) {
+        Logger.warn('[XSS] Sanitization loop limit reached (event handler removal)');
+        return '';
+    }
+    return sanitized;
+}
+function stripDangerousUrlAttributes(input) {
     // Remove dangerous protocols in URL-bearing attributes.
     // This uses the same protocol normalization logic as encodeHref to prevent obfuscations like:
     //   href="jav&#x61;script:..." or href="java\nscript:..." or href="%6a%61..."
-    sanitized = sanitized.replaceAll(/(\s)(href|src|action|formaction|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi, (match, _leadingWhitespace, _attributeName, doubleQuotedValue, singleQuotedValue, unquotedValue) => {
+    return input.replaceAll(/(\s)(href|src|action|formaction|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi, (match, _leadingWhitespace, _attributeName, doubleQuotedValue, singleQuotedValue, unquotedValue) => {
         const rawValue = doubleQuotedValue ?? singleQuotedValue ?? unquotedValue ?? '';
         const protocolCheck = normalizeHrefForProtocolCheck(rawValue);
         // Allow relative URLs and fragments.
@@ -92,19 +113,46 @@ const sanitizeHtml = (html) => {
         // Otherwise, keep the attribute (e.g. relative-like values without a scheme).
         return match;
     });
+}
+function removeStyles(input) {
     // Remove style tags and style attributes with potentially dangerous content
+    let sanitized = input;
     let prevSanitized;
+    let loopCount = 0;
     do {
         prevSanitized = sanitized;
         sanitized = sanitized.replaceAll(/<style\b[\s\S]*?<\/style>/gi, '');
-    } while (sanitized !== prevSanitized);
+        loopCount++;
+    } while (sanitized !== prevSanitized && loopCount < MAX_SANITIZE_LOOPS);
+    if (loopCount >= MAX_SANITIZE_LOOPS) {
+        Logger.warn('[XSS] Sanitization loop limit reached (style removal)');
+        return '';
+    }
     sanitized = sanitized.replaceAll(/\bstyle\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]*)/gi, '');
+    return sanitized;
+}
+function sanitizeHtml(html) {
+    if (typeof html !== 'string') {
+        return '';
+    }
+    let sanitized = html;
+    sanitized = removeScripts(sanitized);
+    if (!sanitized)
+        return '';
+    sanitized = removeDangerousTags(sanitized);
+    sanitized = removeEventHandlers(sanitized);
+    if (!sanitized)
+        return '';
+    sanitized = stripDangerousUrlAttributes(sanitized);
+    sanitized = removeStyles(sanitized);
+    if (!sanitized)
+        return '';
     // Remove form elements
     sanitized = sanitized.replaceAll(/<form\b[\s\S]*?<\/form>/gi, '');
     // Remove object and embed tags
     sanitized = sanitized.replaceAll(/<(?:object|embed|applet|meta|link|base)\b[\s\S]*?>/gi, '');
     return sanitized.trim();
-};
+}
 /**
  * Encode URI component to prevent injection in URLs
  */

package/src/templates/project/basic/config/broadcast.ts.tpl

@@ -1,23 +1,39 @@
+import { Env, type BroadcastConfigOverrides } from '@zintrust/core';
+
 /**
- * Broadcast Configuration (template)
+ * Broadcast Configuration (default override)
  *
  * Keep this file declarative:
  * - Core owns env parsing/default logic.
- * - Projects can override values by editing `drivers` and `broadcastConfigObj`.
+ * - Projects can override config by editing values below.
  */
 
-import { broadcastConfig as coreBroadcastConfig } from '@zintrust/core';
-
-type BroadcastConfigShape = typeof coreBroadcastConfig;
-
-export const drivers = {
-  ...coreBroadcastConfig.drivers,
-} satisfies BroadcastConfigShape['drivers'];
-
-export const broadcastConfigObj = {
-  ...coreBroadcastConfig,
-  drivers,
-} satisfies BroadcastConfigShape;
-
-const broadcastConfig = broadcastConfigObj;
-export default broadcastConfig;
+export default {
+  default: Env.get('BROADCAST_CONNECTION', Env.get('BROADCAST_DRIVER', 'inmemory')),
+  drivers: {
+    inmemory: {
+      driver: 'inmemory' as const,
+    },
+    pusher: {
+      driver: 'pusher' as const,
+      appId: Env.get('PUSHER_APP_ID', ''),
+      key: Env.get('PUSHER_APP_KEY', ''),
+      secret: Env.get('PUSHER_APP_SECRET', ''),
+      cluster: Env.get('PUSHER_APP_CLUSTER', ''),
+      useTLS: Env.getBool('PUSHER_USE_TLS', true),
+    },
+    redis: {
+      driver: 'redis' as const,
+      host: Env.get('BROADCAST_REDIS_HOST', Env.get('REDIS_HOST', 'localhost')),
+      port: Env.getInt('BROADCAST_REDIS_PORT', Env.getInt('REDIS_PORT', 6379)),
+      password: Env.get('BROADCAST_REDIS_PASSWORD', Env.get('REDIS_PASSWORD', '')),
+      channelPrefix: Env.get('BROADCAST_CHANNEL_PREFIX', 'broadcast:'),
+    },
+    redishttps: {
+      driver: 'redishttps' as const,
+      endpoint: Env.get('REDIS_HTTPS_ENDPOINT', ''),
+      token: Env.get('REDIS_HTTPS_TOKEN', ''),
+      channelPrefix: Env.get('BROADCAST_CHANNEL_PREFIX', 'broadcast:'),
+    },
+  },
+} satisfies BroadcastConfigOverrides;

package/src/templates/project/basic/config/cache.ts.tpl

@@ -1,23 +1,41 @@
+import { Env, type CacheConfigOverrides } from '@zintrust/core';
+
 /**
- * Cache Configuration (template)
+ * Cache Configuration (default override)
  *
  * Keep this file declarative:
  * - Core owns env parsing/default logic.
- * - Projects can override values by editing `drivers` and `cacheConfigObj`.
+ * - Projects can override config by editing values below.
  */
 
-import { cacheConfig as coreCacheConfig } from '@zintrust/core';
-
-type CacheConfigShape = typeof coreCacheConfig;
-
-export const drivers = {
-  ...coreCacheConfig.drivers,
-} satisfies CacheConfigShape['drivers'];
-
-export const cacheConfigObj = {
-  ...coreCacheConfig,
-  drivers,
-} satisfies CacheConfigShape;
-
-export const cacheConfig = cacheConfigObj;
-export type CacheConfig = typeof cacheConfig;
+export default {
+  default: Env.get('CACHE_CONNECTION', Env.get('CACHE_DRIVER', 'memory')).trim().toLowerCase(),
+  drivers: {
+    memory: {
+      driver: 'memory' as const,
+      ttl: Env.getInt('CACHE_MEMORY_TTL', 3600),
+    },
+    redis: {
+      driver: 'redis' as const,
+      host: Env.get('REDIS_HOST', 'localhost'),
+      port: Env.getInt('REDIS_PORT', 6379),
+      ttl: Env.getInt('CACHE_REDIS_TTL', 3600),
+    },
+    mongodb: {
+      driver: 'mongodb' as const,
+      uri: Env.get('MONGO_URI', ''),
+      db: Env.get('MONGO_DB', 'zintrust_cache'),
+      ttl: Env.getInt('CACHE_MONGO_TTL', 3600),
+    },
+    kv: {
+      driver: 'kv' as const,
+      ttl: Env.getInt('CACHE_KV_TTL', 3600),
+    },
+    'kv-remote': {
+      driver: 'kv-remote' as const,
+      ttl: Env.getInt('CACHE_KV_TTL', 3600),
+    },
+  },
+  keyPrefix: Env.get('CACHE_KEY_PREFIX', 'zintrust:'),
+  ttl: Env.getInt('CACHE_TTL', 3600),
+} satisfies CacheConfigOverrides;

package/src/templates/project/basic/config/database.ts.tpl

@@ -1,38 +1,74 @@
-/**
- * Database Configuration (template)
- *
- * This file is intentionally kept simple and editable:
- * - Developers can add/remove connections in `connections`.
- * - Developers can edit `databaseConfigObj` to customize behavior.
- *
- * Core owns the default logic (sqlite path/name resolution, env handling, etc.).
- */
-
-import { databaseConfig as coreDatabaseConfig } from '@zintrust/core';
-import type { DatabaseConfigShape, DatabaseConnections } from '@zintrust/core';
+import { Env, type DatabaseConfigOverrides } from '@zintrust/core';
 
 /**
- * Editable connections map.
+ * Database Configuration (default override)
  *
- * Defaults are sourced from core so you inherit framework-safe behavior.
+ * Keep this file declarative:
+ * - Core owns driver setup and env parsing/default logic.
+ * - Projects can override config by editing values below.
  */
-export const connections = {
-  sqlite: coreDatabaseConfig.connections.sqlite,
-  d1: coreDatabaseConfig.connections.d1,
-  'd1-remote': coreDatabaseConfig.connections['d1-remote'],
-  postgresql: coreDatabaseConfig.connections.postgresql,
-  mysql: coreDatabaseConfig.connections.mysql,
-} satisfies DatabaseConnections;
 
-/**
- * Editable database config object.
- *
- * You can override any top-level keys from core, while keeping core defaults.
- */
-export const databaseConfigObj = {
-  ...coreDatabaseConfig,
-  connections,
-} satisfies DatabaseConfigShape;
+const parseReadHosts = (raw: string): string[] | undefined => {
+  const list = String(raw ?? '')
+    .split(',')
+    .map((v) => v.trim())
+    .filter((v) => v.length > 0);
+  return list.length > 0 ? list : undefined;
+};
 
-export const databaseConfig = databaseConfigObj;
-export type DatabaseConfig = typeof databaseConfig;
+export default {
+  default: Env.get('DB_CONNECTION', 'mysql'),
+  connections: {
+    sqlite: {
+      driver: 'sqlite' as const,
+      database: 'database/sqlite.db',
+      migrations: 'database/migrations',
+    },
+    postgresql: {
+      driver: 'postgresql' as const,
+      host: Env.get('DB_HOST', 'localhost'),
+      port: Env.getInt('DB_PORT_POSTGRESQL', 5432),
+      database: Env.get('DB_DATABASE_POSTGRESQL', 'postgres'),
+      username: Env.get('DB_USERNAME_POSTGRESQL', 'postgres'),
+      password: Env.get('DB_PASSWORD_POSTGRESQL', 'pass'),
+      ssl: Env.getBool('DB_SSL', false),
+      readHosts: parseReadHosts(Env.get('DB_READ_HOSTS_POSTGRESQL', '127.0.0.1')),
+      pooling: {
+        enabled: Env.getBool('DB_POOLING', true),
+        min: Env.getInt('DB_POOL_MIN', 5),
+        max: Env.getInt('DB_POOL_MAX', 20),
+        idleTimeout: Env.getInt('DB_IDLE_TIMEOUT', 30000),
+        connectionTimeout: Env.getInt('DB_CONNECTION_TIMEOUT', 10000),
+      },
+    },
+    mysql: {
+      driver: 'mysql' as const,
+      host: Env.get('DB_HOST', 'localhost'),
+      port: Env.getInt('DB_PORT', 3306),
+      database: Env.get('DB_DATABASE', 'zintrust'),
+      username: Env.get('DB_USERNAME', 'root'),
+      password: Env.get('DB_PASSWORD', 'pass'),
+      readHosts: parseReadHosts(Env.get('DB_READ_HOSTS', '127.0.0.1')),
+      pooling: {
+        enabled: Env.getBool('DB_POOLING', true),
+        min: Env.getInt('DB_POOL_MIN', 5),
+        max: Env.getInt('DB_POOL_MAX', 20),
+      },
+    },
+    sqlserver: {
+      driver: 'sqlserver' as const,
+      host: Env.get('DB_HOST_MSSQL', Env.get('DB_HOST', 'localhost')),
+      port: Env.getInt('DB_PORT_MSSQL', 1433),
+      database: Env.get('DB_DATABASE_MSSQL', 'zintrust'),
+      username: Env.get('DB_USERNAME_MSSQL', 'sa'),
+      password: Env.get('DB_PASSWORD_MSSQL', 'pass'),
+      readHosts: parseReadHosts(Env.get('DB_READ_HOSTS_MSSQL', '127.0.0.1')),
+    },
+    d1: {
+      driver: 'd1' as const,
+    },
+    'd1-remote': {
+      driver: 'd1-remote' as const,
+    },
+  },
+} satisfies DatabaseConfigOverrides;