@zolomedia/bifrost-client 1.7.74

package/docs/ARCHITECTURE.md

@@ -0,0 +1,111 @@
+# Architecture
+
+The client is split into a tiny **bootstrap** and a lazily-loaded **core**, layered
+`L1 → L4` with a cross-cutting `zSys` utility layer. Nothing here knows about your
+application — it only knows how to open a socket, decode events, and build DOM.
+
+## Bootstrap / core split
+
+```
+page <head>
+  └─ bifrost_client.js  (BifrostClient, ~190 LOC, hardcoded & pinned in HTML)
+        1. read  #zui-config  (server-injected JSON)
+        2. open  WebSocket    (ws[s]://host:port from config)
+        3. recv  connection_info { bifrost_core_url, nav_html, session, ... }
+        4. import(bifrost_core_url)            ← server picks the core version
+        5. new BifrostCore(url, opts)          → window.bifrostClient
+        6. replay any hooks queued before the core was ready
+```
+
+Why two files:
+
+- **`bifrost_client.js`** is small, stable, and pinned in the page. It almost never
+  changes, so it can be cached hard and rarely needs a redeploy of the host page.
+- **`bifrost_core.js`** holds all the logic and is selected **by the server** at
+  connect time (`connection_info.bifrost_core_url`). The server therefore controls
+  exactly which renderer build every client runs — no page edit required to ship a
+  new client.
+
+The bootstrap origin-pins that import; see
+[SECURITY.md](SECURITY.md#core-import-origin-pinning).
+
+> `bifrost_core.js` is intentionally written **without top-level `import`** so it can
+> also be consumed as a plain `<script>` (UMD-style). Its lazily-loaded submodules
+> (everything under `L1`–`L4`/`zSys`) are standard ES modules pulled in via dynamic
+> `import()`.
+
+## Layers
+
+| Layer | Path | Responsibility |
+|-------|------|----------------|
+| **L1 — Foundation** | `L1_Foundation/` | WebSocket connection, constants (incl. the protocol vocabulary), config parsing, bootstrap, module registry, CDN/Prism loaders |
+| **L2 — Handling** | `L2_Handling/` | Message handling & correlation, the renderer set, cache, navigation, zVaF mounting, hooks |
+| **L3 — Abstraction** | `L3_Abstraction/` | Orchestrators that compose handlers (navbar, wizard gate, session) |
+| **L4 — Orchestration** | `L4_Orchestration/` | The public client facade, renderer/manager **registries**, lifecycle |
+| **zSys** | `zSys/` | Cross-cutting utilities: DOM, theme, accessibility, validation, encoding (HTML escape SSOT) |
+
+Imports flow **downward** (`L4 → L1 → zSys`); lower layers never import higher ones.
+
+## Registries & lazy loading
+
+The core does not eagerly load 40+ renderer modules. Two registries map a logical
+name to a module path + class and load on first use:
+
+- **`L4_Orchestration/facade/renderer_registry.js`** — `RENDERER_REGISTRY` maps a
+  renderer key (`text`, `header`, `card`, `table`, `zMenu`, `zTerminal`, …) to its
+  module path and class. `ensureRenderer(key)` dynamic-imports and caches it.
+- **`L4_Orchestration/facade/manager_registry.js`** — same pattern for managers
+  (cache, zVaF, navigation, hooks).
+
+This keeps time-to-first-paint cheap: only the renderers a page actually uses are
+fetched. (A `critical`/`deferred` preload tiering is sketched as a TODO in the
+registry for further first-paint tuning.)
+
+## Module map (high level)
+
+```
+L1_Foundation/
+  bootstrap/        bootstrap.js, cdn_loader.js, prism_loader.js, module_registry.js
+  config/           client_config.js, config.js     (parse #zui-config)
+  connection/       websocket_connection.js          (open/reconnect lifecycle)
+  constants/        bifrost_constants.js             (TIMEOUTS, EVENT_TYPES,
+                                                       PROTOCOL_EVENTS, CSS_CLASSES…)
+  logger/
+
+L2_Handling/
+  message/          message_handler.js               (parse → decode opcodes → dispatch)
+  display/
+    outputs/        text, typography, header, card, code, list, table, alert, icon,
+                    image, dl …
+    inputs/         button, form, input, input_request
+    feedback/       progressbar, spinner
+    composite/      dashboard, swiper, terminal, wizard_conditional
+    navigation/     menu, navigation
+    primitives/     low-level DOM builders shared by renderers (links, typography,
+                    tables, media, lists, semantic elements)
+    orchestration/  zdisplay_orchestrator.js
+  cache/  navigation/  zvaf/  hooks/
+
+L3_Abstraction/     orchestrator/  renderer/  session/
+
+L4_Orchestration/
+  facade/           facade.js, renderer_registry.js, manager_registry.js
+  rendering/        rendering facade
+  client/  lifecycle/
+
+zSys/
+  dom/              dom_utils.js, style_utils.js, encoding_utils.js  (escapeHtml/safeHref SSOT)
+  theme/            ztheme_utils.js
+  accessibility/    emoji_accessibility.js
+  errors/  validation/
+```
+
+## Lifecycle (one connection)
+
+1. Page instantiates `BifrostClient` → bootstrap connects, gets `connection_info`.
+2. `BifrostCore` connects its own socket and sends the first `execute_walker`.
+3. Server streams `render_chunk` messages (opcode-encoded display trees).
+4. `message_handler` decodes opcodes → display events and dispatches to renderers
+   via hooks (`onRenderChunk`, `onDisplay`, `onMenu`, …).
+5. Renderers build DOM into the `zVaF` mount; navigation/menus drive subsequent
+   walker calls. See [PROTOCOL.md](PROTOCOL.md).

package/docs/PROTOCOL.md

@@ -0,0 +1,106 @@
+# Wire Protocol (client side)
+
+This describes the protocol **as the browser sees it**. The authoritative,
+server-side encoding (how display trees become opcodes, auth, chunking) lives in
+the zOS/zGuard repos and is deliberately not duplicated here. The client only
+needs to: connect, decode, and dispatch.
+
+All messages are JSON. The discriminator is the `event` field (a few legacy paths
+also look at `display_event` / `type`).
+
+## 1. Handshake — `connection_info`
+
+After the socket opens, the server sends exactly one `connection_info`:
+
+```jsonc
+{
+  "event": "connection_info",
+  "data": {
+    "server_version": "…",
+    "bifrost_core_url": "https://cdn.jsdelivr.net/gh/ZoloAi/zbifrost-client@v1.7.52/bifrost_core.js",
+    "nav_html": "<nav>…</nav>",        // pre-built, RBAC-filtered navbar
+    "session": { "authenticated": false, "username": null, "role": null, … },
+    "features": [ … ],
+    "available_models": [ … ]
+  }
+}
+```
+
+- The **bootstrap** uses `bifrost_core_url` to `import()` the core (origin-pinned —
+  see [SECURITY.md](SECURITY.md#core-import-origin-pinning)).
+- `nav_html` is consumed as-is; the client does not build navigation itself.
+- `session` is display state only (navbar, RBAC-driven visibility). It is **not**
+  proof of identity — the server re-validates every request.
+
+## 2. Render stream — `render_chunk` + opcodes
+
+The server streams the page as a sequence of `render_chunk` messages. To keep the
+zOS display vocabulary off the wire, each render node's event name is encoded to a
+short **opcode** on `node.e`. The client decodes it back before dispatching.
+
+```jsonc
+// on the wire (encoded)            // after _decodeRenderNode()
+{ "e": "tx", "content": "Hi" }  →   { "event": "text", "content": "Hi" }
+{ "e": "hd", "label": "Title" } →   { "event": "header", "label": "Title" }
+```
+
+The decode table `_ZRENDER_OPS` in `L2_Handling/message/message_handler.js` is a
+**hand-maintained mirror** of the server SSOT
+(`render_opcodes.py` → `EVENT_TO_OP`, 35 entries). The decoder:
+
+- recurses into arrays and child nodes,
+- decodes any node carrying a known opcode (`node.e`),
+- **warns once** (`_warnUnknownOpcode`) on an unknown opcode instead of silently
+  dropping it — this surfaces client/server drift loudly. If you see
+  `[zRender] Unknown render opcode "…"`, the client mirror is behind the server.
+
+> Opcodes are an obfuscation/compactness layer, **not** a security boundary. They
+> carry no routes, field names, or wizard flow — only the display-event vocabulary.
+
+## 3. Control & display events — `PROTOCOL_EVENTS`
+
+Top-level `message.event` values are the protocol vocabulary. They are the SSOT in
+`L1_Foundation/constants/bifrost_constants.js` as **`PROTOCOL_EVENTS`** /
+**`PROTOCOL_REASONS`** — `message_handler` dispatch references these constants, not
+raw string literals.
+
+| Group | Events |
+|-------|--------|
+| Transport / connection | `render_chunk`, `connection_info`, `navigate_back`, `error` |
+| Display / output | `display`, `output`, `zTable`, `zDash`, `zMenu`, `zDialog`, `swiper_init` |
+| Progress / spinner | `progress_bar`, `progress_update`, `progress_complete`, `spinner_start`, `spinner_stop` |
+| Input req/res | `request_input`, `input_request`, `input_response` |
+| Execution / wizard / RBAC | `execute_walker`, `execute_zfunc_response`, `execute_code_response`, `zfunc_exec`, `wizard_gate_result`, `rbac_denied` |
+| Logging | `app_log` |
+
+`navigate_back` carries a `reason` (`PROTOCOL_REASONS`):
+`bounce_back_block_completed` (post-login/logout bounce) and `rbac_denied`
+(access-denied redirect).
+
+> `EVENT_TYPES` in the same file is a **separate** map — browser-native DOM event
+> names (`click`, `change`, …) used with `addEventListener`. Do not confuse it with
+> the wire `PROTOCOL_EVENTS`.
+
+## 4. Dispatch flow
+
+```
+WebSocket message
+  → JSON.parse
+  → message.event === render_chunk ?  decode opcodes → hooks.call('onRenderChunk')
+  → connection_info ?                 hooks.call('onConnectionInfo' / 'onConnected')
+  → error ?                           show alert + hooks.call('onError')
+  → navigate_back ?                   history.back() / client-side route by reason
+  → zDash / zMenu / rbac_denied ?     dedicated hooks
+  → _requestId correlated ?           resolve the pending request promise
+  → display / progress / spinner / input / swiper / app_log / zfunc_exec → hooks
+  → else                              broadcast
+```
+
+Renderers subscribe to these hooks and build DOM. See [RENDERERS.md](RENDERERS.md).
+
+## 5. Outgoing
+
+The client sends `execute_walker` (and friends) back to the server. When a session
+cookie is readable it is attached to walker requests as a best-effort sync hint
+(see [SECURITY.md](SECURITY.md#session-cookie-handling)); the server remains the
+authority.

package/docs/RENDERERS.md

@@ -0,0 +1,101 @@
+# Renderers
+
+A renderer turns one decoded display event into DOM. Renderers are **pure**: no
+WebSocket, no app state, no side effects beyond producing/returning elements. They
+consume Layer-2 *primitives* and `zSys` utilities rather than hand-rolling DOM or
+escaping.
+
+## The model
+
+- Each renderer is an ES-module class under `L2_Handling/display/<group>/`.
+- It exposes render method(s) that accept a decoded event object (`eventData`) and
+  return an `HTMLElement` (or append into a container).
+- It is registered in `L4_Orchestration/facade/renderer_registry.js` so it is
+  lazy-loaded on first use.
+
+```js
+// L2_Handling/display/outputs/typography_renderer.js
+export class TypographyRenderer {
+  constructor(logger) { this.logger = logger; }
+  renderText(eventData) {
+    // build & return an HTMLElement from eventData
+  }
+}
+```
+
+## The registry
+
+`RENDERER_REGISTRY` maps a logical renderer key to its module path + class:
+
+```js
+export const RENDERER_REGISTRY = {
+  text:       { path: 'L2_Handling/display/outputs/text_renderer.js',       className: 'TextRenderer',       isDefault: true,  passClient: false },
+  header:     { path: 'L2_Handling/display/outputs/header_renderer.js',     className: 'HeaderRenderer',     isDefault: true,  passClient: false },
+  table:      { path: 'L2_Handling/display/outputs/table_renderer.js',      className: 'TableRenderer',      isDefault: true,  passClient: false },
+  zMenu:      { path: 'L2_Handling/display/navigation/menu_renderer.js',    className: 'MenuRenderer',       isDefault: true,  passClient: true  },
+  // …
+};
+```
+
+- `className` — the exported class name to instantiate.
+- `passClient` — `true` if the renderer needs a reference to the live client (e.g.
+  navigation/menu renderers that trigger walker calls); `false` for pure output
+  renderers.
+- `ensureRenderer(key)` dynamic-imports and caches the instance on first use.
+
+The renderer **key** corresponds to the decoded `event` name from the wire
+(`text`, `header`, `zTable`, `zMenu`, …) — see [PROTOCOL.md](PROTOCOL.md).
+
+## Renderer set (by group)
+
+| Group | Renderers |
+|-------|-----------|
+| `outputs/` | text, typography, header, code, card, list, dl, table, alert, icon, image |
+| `inputs/` | button, form, input, input_request |
+| `feedback/` | progressbar, spinner |
+| `composite/` | dashboard, swiper, terminal, wizard_conditional |
+| `navigation/` | menu, navigation |
+| `specialized/` | input_request |
+
+Shared low-level DOM builders live in `L2_Handling/display/primitives/`
+(`link_primitives`, `typography_primitives`, `table_primitives`, `media_primitives`,
+`lists_primitives`, `semantic_element_primitive`, …). Prefer composing these over
+writing raw element code in a renderer.
+
+## HTML escaping is centralized (SSOT)
+
+Renderers must **never** hand-roll escape chains (`.replace(/&/g, …)`) or build
+attribute strings by hand. Use the single source of truth in
+`zSys/dom/encoding_utils.js`:
+
+```js
+import { escapeHtml, safeHref } from '../../../zSys/dom/encoding_utils.js';
+
+// element text or attribute value (escapes & < > " ')
+el.innerHTML = `<span title="${escapeHtml(label)}">${escapeHtml(text)}</span>`;
+
+// href/src values — blocks javascript:/data:/vbscript: then attr-escapes
+a.innerHTML = `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
+```
+
+- `escapeHtml(value)` — escapes the five HTML-significant characters; safe for both
+  text and quoted-attribute contexts; deterministic, no DOM dependency.
+- `safeHref(url)` — sanitizes a URL for an `href`/`src` attribute: blocks dangerous
+  schemes (including whitespace/control-char obfuscation), returns `#` for blocked
+  or empty input, otherwise attribute-escapes. Run resolved/zPath URLs through it.
+
+Rationale and the broader trust boundary are in [SECURITY.md](SECURITY.md).
+
+## Adding a renderer
+
+1. Create `L2_Handling/display/<group>/<name>_renderer.js` exporting a class with a
+   `render…(eventData)` method that returns an `HTMLElement`.
+2. Build DOM via `display/primitives/*` and `zSys/dom/*`; escape every dynamic value
+   through `escapeHtml` / `safeHref`.
+3. Add an entry to `RENDERER_REGISTRY` keyed by the decoded event name; set
+   `passClient: true` only if you need the live client.
+4. If the event is a **new** wire event, add it to `PROTOCOL_EVENTS` in
+   `bifrost_constants.js` and (if it is a render-node op) confirm the server added
+   the opcode — the client mirror `_ZRENDER_OPS` and `render_opcodes.py` must agree
+   (an unknown opcode logs a drift warning; see [PROTOCOL.md](PROTOCOL.md#2-render-stream--render_chunk--opcodes)).
+5. Syntax-check (ESM): `node --input-type=module --check < path/to/renderer.js`.

package/docs/SECURITY.md

@@ -0,0 +1,92 @@
+# Security & Trust Boundary
+
+This client is a **thin renderer**. Keeping it thin is the security model: the less
+it knows and decides, the smaller its attack surface. This document records the
+boundary and the client-side hardening.
+
+## The boundary: what stays server-side
+
+The client holds **none** of the following — they live in the zOS/zGuard server:
+
+- routing / route resolution
+- `.zolo` parsing or any application grammar
+- RBAC decisions (the client only *displays* RBAC-filtered output the server sends)
+- business logic, schemas, secrets, tokens, signing keys
+- the render-event vocabulary (sent as opaque opcodes; see
+  [PROTOCOL.md](PROTOCOL.md#2-render-stream--render_chunk--opcodes))
+
+The client's job is: open a socket, decode JSON events, build DOM. Anything that
+would leak mechanism or grant trust is the server's responsibility. Render opcodes
+are an obfuscation/compactness layer, **not** an authorization boundary.
+
+## DOM-XSS: centralized escaping (SSOT)
+
+Renderers use `innerHTML` for speed, so any dynamic value interpolated into markup
+must be escaped through the single source of truth in
+`zSys/dom/encoding_utils.js`:
+
+- **`escapeHtml(value)`** — escapes `& < > " '`. Safe for text and quoted-attribute
+  contexts. No `.replace()` chains anywhere else in the codebase.
+- **`safeHref(url)`** — blocks `javascript:` / `data:` / `vbscript:` schemes
+  (including whitespace/control-char obfuscation), returns `#` for blocked/empty,
+  otherwise attribute-escapes. All `href`/`src` values go through it.
+
+Notably, markdown link assembly in `text_renderer.js` escapes the link label and
+runs the resolved href through `safeHref`, so a `[label](javascript:…)` payload can
+never produce an executable link. See [RENDERERS.md](RENDERERS.md#html-escaping-is-centralized-ssot).
+
+> The client escapes its own output, but it cannot vouch for what a zApp echoes. zApps
+> that display untrusted user input are responsible for not defeating these guards.
+
+## Core-import origin pinning
+
+The bootstrap dynamically `import()`s `bifrost_core.js` from
+`connection_info.bifrost_core_url`. Because `connection_info` arrives over the
+socket, a spoofed payload could otherwise point the import at attacker-hosted code.
+`bifrost_client._loadCore` therefore:
+
+1. resolves the URL with `new URL(rawUrl, location.origin)` (rejects malformed),
+2. allows the import **only** from an allowlisted origin:
+   - the page origin (`window.location.origin`),
+   - the official jsDelivr CDN (`https://cdn.jsdelivr.net`, where the canonical
+     client ships),
+   - any origin you opt into via `opts.coreOriginAllowlist`.
+
+Anything else is refused with a logged error and the core is not loaded.
+
+```js
+// permit a custom/self-hosted CDN origin:
+new BifrostClient(null, {
+  autoConnect: true,
+  coreOriginAllowlist: ['https://cdn.example.com'],
+});
+```
+
+> Loading from `https://cdn.jsdelivr.net` is allowed by default because that is the
+> canonical distribution channel and the version is still chosen by *your* server.
+> Self-hosting the core? Serve it from the page origin (no config needed) or add its
+> origin to `coreOriginAllowlist`.
+
+## Session-cookie handling
+
+`message_handler._getSessionIdFromCookie` reads `session`/`sessionid` from
+`document.cookie` and attaches it to `execute_walker` requests as a best-effort
+session-sync hint for the WebSocket/HTTP bridge.
+
+- This only works when the cookie is **not** `HttpOnly`.
+- It is **not** proof of identity — the server re-validates every request.
+- `HttpOnly` deployments (recommended) simply get `null` here and rely on the
+  browser attaching the cookie to the WS handshake — the safer path.
+
+## Opcode-mirror drift
+
+`_ZRENDER_OPS` mirrors the server `render_opcodes.py`. An unknown opcode is **not**
+silently dropped — `_warnUnknownOpcode` logs once so a server change the client
+hasn't mirrored is visible. Treat `[zRender] Unknown render opcode "…"` as "update
+the client mirror / bump the client version."
+
+## Reporting
+
+This is the public, open-source renderer. Report client-side issues against the
+`zbifrost-client` repo. Server-side concerns (auth, RBAC, `execute_code`, the
+sealed network runtime) belong to the zOS/zGuard projects.

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@zolomedia/bifrost-client",
+  "version": "1.7.74",
+  "description": "Browser client for zBifrost — the WebSocket bridge that turns JSON events from a zOS server into live DOM. Thin bootstrap + server-controlled core.",
+  "homepage": "https://github.com/ZoloAi/zbifrost-client#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ZoloAi/zbifrost-client.git"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "keywords": [
+    "zos",
+    "zbifrost",
+    "websocket",
+    "ssr",
+    "declarative-ui"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "release:patch": "npm version patch && npm publish"
+  }
+}

package/syntax/prism-zconfig.js

@@ -0,0 +1,41 @@
+/**
+ * Prism.js language definition for zconfig
+ * zConfig.*.zolo - System configuration files
+ *
+ * Extends base 'zolo' language with file-type-specific patterns.
+ *
+ * Generated by zlsp/zlsp/generators/generate_prism_zolo.py
+ * DO NOT EDIT MANUALLY - regenerate with: python3 -m zlsp.generators.generate_prism_zolo
+ */
+
+Prism.languages.zconfig = Prism.languages.extend('zolo', {
+    'zconfig-special-root': {
+        pattern: /((?:^|\n)[ \t]*)(?:zMachine|Z[A-Z0-9_]+)(?=\s*:)/m,
+        alias: 'function',
+        lookbehind: true,
+    },
+    'root-key': {
+        pattern: /(^|\n)([A-Z][a-zA-Z0-9_]*)(?=\s*(?:\([^)]+\))?[*!^~]?:)/m,
+        alias: 'class-name',
+        lookbehind: true,
+    },
+    'zmachine-locked-section': {
+        pattern: /(?<=\n)[ \t]{1}(?:storage|python_runtime|launch_commands|network|display|memory|machine_identity|user_paths|gpu|cpu)(?=\s*:)/m,
+        alias: 'constant',
+        lookbehind: true,
+    },
+    'zmachine-editable-section': {
+        pattern: /(?<=\n)[ \t]{1}(?:user_preferences|time_date_formatting|custom)(?=\s*:)/m,
+        alias: 'variable',
+        lookbehind: true,
+    },
+    'zconfig-property': {
+        pattern: /(?<=\n)[ \t]{2,}[a-zA-Z][a-zA-Z0-9_]*(?=\s*:)/m,
+        alias: 'variable',
+        lookbehind: true,
+    },
+    'property': null
+});
+
+// Support both ```zconfig and ```zConfig code fences
+Prism.languages.zConfig = Prism.languages.zconfig;

package/syntax/prism-zenv.js

@@ -0,0 +1,69 @@
+/**
+ * Prism.js language definition for zenv
+ * zEnv.*.zolo - Environment configuration files
+ *
+ * Extends base 'zolo' language with file-type-specific patterns.
+ *
+ * Generated by zlsp/zlsp/generators/generate_prism_zolo.py
+ * DO NOT EDIT MANUALLY - regenerate with: python3 -m zlsp.generators.generate_prism_zolo
+ */
+
+Prism.languages.zenv = Prism.languages.extend('zolo', {
+    'zenv-config-root': {
+        pattern: /((?:^|\n)[ \t]*)(?:LOG_LEVEL|DEBUG|DEPLOYMENT)(?=\s*:)/m,
+        alias: 'keyword',
+        lookbehind: true,
+    },
+    'zenv-z-uppercase-root': {
+        pattern: /((?:^|\n)[ \t]*)Z[A-Z0-9_]+(?=\s*:)/m,
+        alias: 'function',
+        lookbehind: true,
+    },
+    'root-key': {
+        pattern: /(^|\n)([A-Z][a-zA-Z0-9_]*)(?=\s*(?:\([^)]+\))?[*!^~]?:)/m,
+        alias: 'class-name',
+        lookbehind: true,
+    },
+    'znavbar-nested': {
+        pattern: /(?<=\n)[ \t]{1}[a-zA-Z][a-zA-Z0-9_]*(?=\s*:)/m,
+        alias: 'type',
+        lookbehind: true,
+    },
+    'zsub-key': {
+        pattern: /(?<=\n)[ \t]{2,}zSub(?=\s*:)/m,
+        alias: 'keyword',
+        lookbehind: true,
+    },
+    'zrbac-key': {
+        pattern: /\bzRBAC(?=\s*:)/,
+        alias: 'constant',
+    },
+    'property': {
+        pattern: /\b[a-zA-Z][a-zA-Z0-9_]*(?=\s*(?:\([^)]+\))?[*!]?:)/,
+    },
+    'prefix-modifier': {
+        pattern: /[\^~](?=[a-zA-Z][a-zA-Z0-9_]*\s*:)/,
+        alias: 'variable',
+    },
+    'suffix-modifier': {
+        pattern: /[*!](?=:)/,
+        alias: 'operator',
+    }
+});
+
+// Insert value patterns BEFORE string-unquoted for priority
+Prism.languages.insertBefore('zenv', 'string-unquoted', {
+        'zpath-value': {
+            pattern: /[@~]\.[a-zA-Z0-9_./]+/,
+            alias: 'string',
+        }
+});
+Prism.languages.insertBefore('zenv', 'string-unquoted', {
+        'env-constant-value': {
+            pattern: /\b(?:DEBUG|PROD|INFO|WARNING|ERROR|CRITICAL|SESSION|Development|Production)\b/,
+            alias: 'number',
+        }
+});
+
+// Support both ```zenv and ```zEnv code fences
+Prism.languages.zEnv = Prism.languages.zenv;