create-daloy 0.38.0 → 0.38.1

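--- a/package/README.md
+++ b/package/README.md
@@ -120,6 +120,20 @@ A [Deno](https://deno.com) runtime starter using `@daloyjs/core/deno` with:
  - A health route and contract-first `/books/:id` route with Zod validation.
  - The CLI skips Node-style installs for this template (no `package.json`).
 
+ ## Authentication (OAuth2 / OpenID Connect)
+
+ Scaffolded apps are **resource servers**: DaloyJS verifies and enforces access
+ tokens, it does **not** issue them. There is no built-in login UI, user
+ database, or OAuth2 authorization server (it is not an identity provider like
+ Keycloak, Auth0, or Duende IdentityServer). To add login, bring an OpenID
+ Connect provider — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS
+ Cognito) or self-hosted open source (Keycloak, Zitadel, Ory, Logto) — and have
+ DaloyJS verify its JWTs with the first-party `jwk()`, `bearerAuth()`, and
+ `requireScopes()` helpers. Don't build your own authorization server.
+
+ See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the full
+ picture and the two recommended designs (API resource server and browser BFF).
+
  ## Minimal scaffolds
 
  Pass `--minimal` to drop the bookstore demo route and the built-in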
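--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "create-daloy",
- "version": "0.38.0",
+ "version": "0.38.1",
  "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
  "type": "module",
  "license": "MIT",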
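--- a/package/sbom.cdx.json
+++ b/package/sbom.cdx.json
@@ -1,25 +1,25 @@
  {
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
- "serialNumber": "urn:uuid:b1a2eb69-121b-5cae-87a9-5d036a3e1a7a",
+ "serialNumber": "urn:uuid:5874d6d1-4f7c-5889-b1dc-59abaf86bc40",
  "version": 1,
  "metadata": {
- "timestamp": "2026-06-10T11:58:38.391Z",
+ "timestamp": "2026-06-11T09:54:26.989Z",
  "tools": [
  {
  "vendor": "DaloyJS",
  "name": "daloy-generate-sbom",
- "version": "0.38.0"
+ "version": "0.38.1"
  }
  ],
  "authors": [],
  "component": {
  "type": "library",
- "bom-ref": "pkg:npm/create-daloy@0.38.0",
+ "bom-ref": "pkg:npm/create-daloy@0.38.1",
  "name": "create-daloy",
- "version": "0.38.0",
+ "version": "0.38.1",
  "description": "Scaffold a new DaloyJS project. Run with `pnpm create daloy`, `npm create daloy@latest`, `yarn create daloy`, or `bun create daloy`.",
- "purl": "pkg:npm/create-daloy@0.38.0",
+ "purl": "pkg:npm/create-daloy@0.38.1",
  "licenses": [
  {
  "license": {
@@ -42,9 +42,9 @@
  }
  ],
  "swid": {
- "tagId": "swidtag-create-daloy-0.38.0",
+ "tagId": "swidtag-create-daloy-0.38.1",
  "name": "create-daloy",
- "version": "0.38.0",
+ "version": "0.38.1",
  "tagVersion": 0,
  "patch": false
  }
@@ -53,7 +53,7 @@
  "components": [],
  "dependencies": [
  {
- "ref": "pkg:npm/create-daloy@0.38.0",
+ "ref": "pkg:npm/create-daloy@0.38.1",
  "dependsOn": []
  }
  ]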
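--- a/package/sbom.spdx.json
+++ b/package/sbom.spdx.json
@@ -2,10 +2,10 @@
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
- "name": "create-daloy-0.38.0",
- "documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.38.0-b1a2eb69-121b-5cae-87a9-5d036a3e1a7a",
+ "name": "create-daloy-0.38.1",
+ "documentNamespace": "https://github.com/daloyjs/daloy/sbom/create-daloy-0.38.1-5874d6d1-4f7c-5889-b1dc-59abaf86bc40",
  "creationInfo": {
- "created": "2026-06-10T11:58:38.391Z",
+ "created": "2026-06-11T09:54:26.989Z",
  "creators": [
  "Tool: daloy-generate-sbom",
  "Organization: DaloyJS"
@@ -16,7 +16,7 @@
  {
  "SPDXID": "SPDXRef-Package-create-daloy",
  "name": "create-daloy",
- "versionInfo": "0.38.0",
+ "versionInfo": "0.38.1",
  "downloadLocation": "https://github.com/daloyjs/daloy",
  "filesAnalyzed": false,
  "licenseConcluded": "MIT",
@@ -27,7 +27,7 @@
  {
  "referenceCategory": "PACKAGE-MANAGER",
  "referenceType": "purl",
- "referenceLocator": "pkg:npm/create-daloy@0.38.0"
+ "referenceLocator": "pkg:npm/create-daloy@0.38.1"
  }
  ]
  }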
@@ -44,13 +44,13 @@ jobs:
44
44
  show-progress: false
45
45
 
46
46
  - name: Initialize CodeQL
47
- uses: github/codeql-action/init@52485aec7be33610227643b0fe83936b8b5f061a # v3
47
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
48
48
  with:
49
49
  languages: ${{ matrix.language }}
50
50
  build-mode: ${{ matrix.build-mode }}
51
51
  queries: security-extended,security-and-quality
52
52
 
53
53
  - name: Perform CodeQL Analysis
54
- uses: github/codeql-action/analyze@52485aec7be33610227643b0fe83936b8b5f061a # v3
54
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
55
55
  with:
56
56
  category: "/language:${{ matrix.language }}"
@@ -139,7 +139,7 @@ jobs:
139
139
 
140
140
  - name: Upload hadolint SARIF
141
141
  if: steps.detect.outputs.present == 'true'
142
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
142
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
143
143
  with:
144
144
  sarif_file: hadolint.sarif
145
145
  category: hadolint
@@ -162,7 +162,7 @@ jobs:
162
162
  exit-code: "0"
163
163
 
164
164
  - name: Upload Trivy filesystem SARIF
165
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
165
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
166
166
  with:
167
167
  sarif_file: trivy-fs.sarif
168
168
  category: trivy-fs
@@ -186,7 +186,7 @@ jobs:
186
186
 
187
187
  - name: Upload Trivy image SARIF
188
188
  if: always() && steps.detect.outputs.present == 'true'
189
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
189
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
190
190
  with:
191
191
  sarif_file: trivy-image.sarif
192
192
  category: trivy-image
@@ -131,7 +131,7 @@ jobs:
131
131
 
132
132
  - name: Upload SARIF to GitHub code scanning
133
133
  if: always()
134
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
134
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
135
135
  with:
136
136
  sarif_file: opengrep.sarif
137
137
  category: opengrep
@@ -41,6 +41,6 @@ jobs:
41
41
  publish_results: true
42
42
 
43
43
  - name: Upload to code-scanning
44
- uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
44
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
45
45
  with:
46
46
  sarif_file: results.sarif
@@ -44,13 +44,13 @@ jobs:
44
44
  show-progress: false
45
45
 
46
46
  - name: Initialize CodeQL
47
- uses: github/codeql-action/init@52485aec7be33610227643b0fe83936b8b5f061a # v3
47
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
48
48
  with:
49
49
  languages: ${{ matrix.language }}
50
50
  build-mode: ${{ matrix.build-mode }}
51
51
  queries: security-extended,security-and-quality
52
52
 
53
53
  - name: Perform CodeQL Analysis
54
- uses: github/codeql-action/analyze@52485aec7be33610227643b0fe83936b8b5f061a # v3
54
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
55
55
  with:
56
56
  category: "/language:${{ matrix.language }}"
@@ -157,7 +157,7 @@ jobs:
157
157
 
158
158
  - name: Upload hadolint SARIF
159
159
  if: steps.detect.outputs.present == 'true'
160
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
160
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
161
161
  with:
162
162
  sarif_file: hadolint.sarif
163
163
  category: hadolint
@@ -180,7 +180,7 @@ jobs:
180
180
  exit-code: "0"
181
181
 
182
182
  - name: Upload Trivy filesystem SARIF
183
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
183
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
184
184
  with:
185
185
  sarif_file: trivy-fs.sarif
186
186
  category: trivy-fs
@@ -207,7 +207,7 @@ jobs:
207
207
 
208
208
  - name: Upload Trivy image SARIF
209
209
  if: always() && steps.detect.outputs.present == 'true'
210
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
210
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
211
211
  with:
212
212
  sarif_file: trivy-image.sarif
213
213
  category: trivy-image
@@ -163,7 +163,7 @@ jobs:
163
163
 
164
164
  - name: Upload SARIF to GitHub code scanning
165
165
  if: always()
166
- uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
166
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
167
167
  with:
168
168
  sarif_file: opengrep.sarif
169
169
  category: opengrep
@@ -41,6 +41,6 @@ jobs:
41
41
  publish_results: true
42
42
 
43
43
  - name: Upload to code-scanning
44
- uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
44
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
45
45
  with:
46
46
  sarif_file: results.sarif
@@ -63,4 +63,18 @@ Do not use `.js` here — that's the Node NodeNext convention and will not resol
63
63
  - Hot reload via `bun --hot`.
64
64
  - Hey API codegen wired to `bun run gen:openapi` + `bun run gen:client`.
65
65
 
66
+ ## Authentication (OAuth2 / OpenID Connect)
67
+
68
+ This app is a **resource server**: DaloyJS verifies and enforces access tokens,
69
+ it does **not** issue them. There is no built-in login UI, user database, or
70
+ OAuth2 authorization server (it is not an identity provider like Keycloak,
71
+ Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
72
+ — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
73
+ open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
74
+ first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
75
+ your own authorization server.
76
+
77
+ See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
78
+ recommended designs (API resource server and browser BFF).
79
+
66
80
  Read the docs at <https://daloyjs.dev/docs>.
@@ -17,7 +17,7 @@
17
17
  "audit": "pnpm audit --prod"
18
18
  },
19
19
  "dependencies": {
20
- "@daloyjs/core": "^0.38.0",
20
+ "@daloyjs/core": "^0.38.1",
21
21
  "zod": "^4.4.3"
22
22
  },
23
23
  "devDependencies": {
@@ -22,3 +22,19 @@ pnpm deploy
22
22
  - `@daloyjs/core/cloudflare` with starter security middleware: `secureHeaders` and `requestId`.
23
23
  - Smaller edge-friendly body and timeout limits in the generated app.
24
24
  - `wrangler.toml` ready for local development and deploys.
25
+
26
+ ## Authentication (OAuth2 / OpenID Connect)
27
+
28
+ This app is a **resource server**: DaloyJS verifies and enforces access tokens,
29
+ it does **not** issue them. There is no built-in login UI, user database, or
30
+ OAuth2 authorization server (it is not an identity provider like Keycloak,
31
+ Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
32
+ — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
33
+ open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
34
+ first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
35
+ your own authorization server.
36
+
37
+ See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
38
+ recommended designs (API resource server and browser BFF).
39
+
40
+ Read the docs at <https://daloyjs.dev/docs>.
@@ -11,7 +11,7 @@
11
11
  "audit": "pnpm audit --prod"
12
12
  },
13
13
  "dependencies": {
14
- "@daloyjs/core": "^0.38.0",
14
+ "@daloyjs/core": "^0.38.1",
15
15
  "zod": "^4.4.3"
16
16
  },
17
17
  "devDependencies": {
@@ -56,4 +56,18 @@ deno task test
56
56
  <!-- daloy-minimal:strip-end books -->
57
57
  - Minimal permissions: `--allow-net --allow-env --allow-read` for `dev`.
58
58
 
59
+ ## Authentication (OAuth2 / OpenID Connect)
60
+
61
+ This app is a **resource server**: DaloyJS verifies and enforces access tokens,
62
+ it does **not** issue them. There is no built-in login UI, user database, or
63
+ OAuth2 authorization server (it is not an identity provider like Keycloak,
64
+ Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
65
+ — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
66
+ open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
67
+ first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
68
+ your own authorization server.
69
+
70
+ See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
71
+ recommended designs (API resource server and browser BFF).
72
+
59
73
  Read the docs at <https://daloyjs.dev/docs>.
@@ -8,10 +8,10 @@
8
8
  "gen:openapi": "deno run --allow-net --allow-env --allow-read --allow-write scripts/dump-openapi.ts"
9
9
  },
10
10
  "imports": {
11
- "@daloyjs/core": "jsr:@daloyjs/daloy@^0.38.0",
12
- "@daloyjs/core/banner": "jsr:@daloyjs/daloy@^0.38.0/banner",
13
- "@daloyjs/core/deno": "jsr:@daloyjs/daloy@^0.38.0/deno",
14
- "@daloyjs/core/openapi": "jsr:@daloyjs/daloy@^0.38.0/openapi",
11
+ "@daloyjs/core": "jsr:@daloyjs/daloy@^0.38.1",
12
+ "@daloyjs/core/banner": "jsr:@daloyjs/daloy@^0.38.1/banner",
13
+ "@daloyjs/core/deno": "jsr:@daloyjs/daloy@^0.38.1/deno",
14
+ "@daloyjs/core/openapi": "jsr:@daloyjs/daloy@^0.38.1/openapi",
15
15
  "zod": "npm:zod@^4.4.3"
16
16
  },
17
17
  "compilerOptions": {
@@ -65,4 +65,18 @@ On `pnpm build`, TypeScript rewrites the `.ts` specifier to `.js` in the compile
65
65
  - Hardened `.npmrc` for safer installs.
66
66
  - Hey API codegen wired to `pnpm gen`.
67
67
 
68
+ ## Authentication (OAuth2 / OpenID Connect)
69
+
70
+ This app is a **resource server**: DaloyJS verifies and enforces access tokens,
71
+ it does **not** issue them. There is no built-in login UI, user database, or
72
+ OAuth2 authorization server (it is not an identity provider like Keycloak,
73
+ Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
74
+ — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
75
+ open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
76
+ first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
77
+ your own authorization server.
78
+
79
+ See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
80
+ recommended designs (API resource server and browser BFF).
81
+
68
82
  Read the docs at <https://daloyjs.dev/docs>.
@@ -18,7 +18,7 @@
18
18
  "audit": "pnpm audit --prod"
19
19
  },
20
20
  "dependencies": {
21
- "@daloyjs/core": "^0.38.0",
21
+ "@daloyjs/core": "^0.38.1",
22
22
  "zod": "^4.4.3"
23
23
  },
24
24
  "devDependencies": {
@@ -77,3 +77,17 @@ Vercel bundles the `api/` functions at deploy time and resolves `.ts` directly,
77
77
  <!-- daloy-minimal:strip-start docs -->
78
78
  - A Scalar API reference UI at `/docs`, plus live OpenAPI 3.1 specs at `/openapi.json` and `/openapi.yaml`.
79
79
  <!-- daloy-minimal:strip-end docs -->
80
+
81
+ ## Authentication (OAuth2 / OpenID Connect)
82
+
83
+ This app is a **resource server**: DaloyJS verifies and enforces access tokens,
84
+ it does **not** issue them. There is no built-in login UI, user database, or
85
+ OAuth2 authorization server (it is not an identity provider like Keycloak,
86
+ Auth0, or Duende IdentityServer). To add login, bring an OpenID Connect provider
87
+ — managed (Auth0, Okta, Clerk, Microsoft Entra ID, AWS Cognito) or self-hosted
88
+ open source (Keycloak, Zitadel, Ory, Logto) — and verify its JWTs with the
89
+ first-party `jwk()`, `bearerAuth()`, and `requireScopes()` helpers. Don't build
90
+ your own authorization server.
91
+
92
+ See [Auth architecture](https://daloyjs.dev/docs/auth/architecture) for the
93
+ recommended designs (API resource server and browser BFF).
@@ -11,7 +11,7 @@
11
11
  "audit": "pnpm audit --prod"
12
12
  },
13
13
  "dependencies": {
14
- "@daloyjs/core": "^0.38.0",
14
+ "@daloyjs/core": "^0.38.1",
15
15
  "zod": "^4.4.3"
16
16
  },
17
17
  "devDependencies": {