create-volt 0.22.0 → 0.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -4,6 +4,22 @@ All notable changes to `create-volt` are documented here. The format follows
4
4
  [Keep a Changelog](https://keepachangelog.com/), and this project adheres to
5
5
  [Semantic Versioning](https://semver.org/).
6
6
 
7
+ ## [0.23.0] - 2026-06-29
8
+
9
+ ### Added
10
+ - Plugin context now includes **`requireAuth`** and **`sessionFromReq`** (when the
11
+ auth add-on is on) so third-party add-ons can gate routes by login. Purely
12
+ additive — no change to defaults or security posture.
13
+
14
+ ### Note
15
+ - New companion package **`volt-addon-editor`** (separate npm package): a
16
+ standing, role-gated RTEPro WYSIWYG editor that writes markdown pages. Mounts
17
+ only if `ADMIN_PATH` is set (**fail-closed**), behind magic-link auth + an
18
+ `ADMIN_EMAILS` allowlist; the secret path is obscurity *on top of* auth, never
19
+ instead. The AI key stays server-side via a key-injecting proxy. The core stays
20
+ no-standing-admin by default — install only where you want it
21
+ (`npx create-volt add editor`). See `/docs/editor`.
22
+
7
23
  ## [0.22.0] - 2026-06-29
8
24
 
9
25
  ### Added
@@ -318,6 +334,7 @@ All notable changes to `create-volt` are documented here. The format follows
318
334
  watching and full-page hot reload. Supports `--skip-install` and `--force`,
319
335
  and auto-detects npm / pnpm / yarn / bun for the install step.
320
336
 
337
+ [0.23.0]: https://github.com/MIR-2025/volt/releases/tag/v0.23.0
321
338
  [0.22.0]: https://github.com/MIR-2025/volt/releases/tag/v0.22.0
322
339
  [0.21.0]: https://github.com/MIR-2025/volt/releases/tag/v0.21.0
323
340
  [0.20.0]: https://github.com/MIR-2025/volt/releases/tag/v0.20.0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-volt",
3
- "version": "0.22.0",
3
+ "version": "0.23.0",
4
4
  "description": "Scaffold a new Volt app — no-build, signals-based UI with Socket.io hot reload.",
5
5
  "type": "module",
6
6
  "bin": {
@@ -141,13 +141,21 @@ async function startApp() {
141
141
  const io = new SocketServer(server);
142
142
  if (enabled.has("realtime") && store) (await addonMod("realtime")).attachRealtime(io, { store });
143
143
 
144
- // third-party add-ons — register(ctx) gets the app, io, store, mailer, and env
144
+ // third-party add-ons — register(ctx). When auth is on, requireAuth/sessionFromReq
145
+ // are provided so add-ons can gate routes by login.
146
+ let requireAuth = null;
147
+ let sessionFromReq = null;
148
+ if (enabled.has("auth") && store) {
149
+ const a = await addonMod("auth");
150
+ requireAuth = a.requireAuth(store);
151
+ sessionFromReq = (req) => a.sessionFromReq(store, req);
152
+ }
145
153
  for (const name of enabled) {
146
154
  if (BUILTINS.has(name)) continue;
147
155
  const mod = await loadAddon(name);
148
156
  const register = mod && (mod.register || mod.default);
149
157
  if (typeof register === "function") {
150
- await register({ app, express, io, store, mailer, env: process.env, log: (...a) => console.log(`[${name}]`, ...a) });
158
+ await register({ app, express, io, store, mailer, env: process.env, requireAuth, sessionFromReq, log: (...a) => console.log(`[${name}]`, ...a) });
151
159
  } else {
152
160
  console.warn(`[volt] add-on "${name}" not found or missing a register() export — skipped`);
153
161
  }
@@ -167,13 +167,21 @@ async function startApp() {
167
167
  const io = new SocketServer(server);
168
168
  if (enabled.has("realtime") && store) (await addonMod("realtime")).attachRealtime(io, { store });
169
169
 
170
- // third-party add-ons — register(ctx) gets the app, io, store, mailer, and env
170
+ // third-party add-ons — register(ctx). When auth is on, requireAuth/sessionFromReq
171
+ // are provided so add-ons can gate routes by login.
172
+ let requireAuth = null;
173
+ let sessionFromReq = null;
174
+ if (enabled.has("auth") && store) {
175
+ const a = await addonMod("auth");
176
+ requireAuth = a.requireAuth(store);
177
+ sessionFromReq = (req) => a.sessionFromReq(store, req);
178
+ }
171
179
  for (const name of enabled) {
172
180
  if (BUILTINS.has(name)) continue;
173
181
  const mod = await loadAddon(name);
174
182
  const register = mod && (mod.register || mod.default);
175
183
  if (typeof register === "function") {
176
- await register({ app, express, io, store, mailer, env: process.env, log: (...a) => console.log(`[${name}]`, ...a) });
184
+ await register({ app, express, io, store, mailer, env: process.env, requireAuth, sessionFromReq, log: (...a) => console.log(`[${name}]`, ...a) });
177
185
  } else {
178
186
  console.warn(`[volt] add-on "${name}" not found or missing a register() export — skipped`);
179
187
  }