vibe-gx 2.0.0 → 3.1.0

package/README.md

@@ -223,9 +223,17 @@ Extend app, request, or response with custom properties:
 // App decorator - shared config
 app.decorate("config", { env: "production", version: "1.0.0" });
 
-// Access via app.decorators.config
+// Access via app.decorators in main app
 app.get("/version", () => ({ version: app.decorators.config.version }));
 
+// In plugins, decorators are spread directly (no .decorators)
+app.register(
+  async (api) => {
+    api.get("/env", () => ({ env: api.config.env })); // Direct access
+  },
+  { prefix: "/api" },
+);
+
 // Request decorator - add to all requests
 app.decorateRequest("timestamp", () => Date.now());
 
@@ -241,19 +249,19 @@ app.decorateReply("sendSuccess", function (data) {
 
 ## 📂 File Uploads
 
-Vibe supports multipart file uploads with built-in validation.
+Vibe supports multipart file uploads with built-in validation and security.
+
+> **🔒 Security**: File uploads are **disabled by default**. You must explicitly configure `media` options to accept uploads.
 
 ### Basic Upload
 
 ```javascript
 app.post("/upload", { media: { dest: "uploads" } }, (req) => {
->>>>>>> cpp-optimization
   return { files: req.files, body: req.body };
 });
 ```
 
 ### Media Options
->>>>>>> cpp-optimization
 
 ```javascript
 app.post(
@@ -261,7 +269,7 @@ app.post(
   {
     media: {
       dest: "uploads", // Subfolder destination
-      public: true, // Save inside public folder (default: true)
+      public: true, // Save in public folder (default: true)
       maxSize: 5 * 1024 * 1024, // Max file size: 5MB
       allowedTypes: ["image/jpeg", "image/png", "image/*"], // Wildcards supported
     },
@@ -270,6 +278,42 @@ app.post(
 );
 ```
 
+### Public vs Private Uploads
+
+**Public uploads** (web-accessible):
+
+```javascript
+app.post(
+  "/upload/avatar",
+  {
+    media: {
+      public: true, // ✅ Files accessible via HTTP
+      dest: "avatars", // Saved to: public/avatars/
+    },
+  },
+  handler,
+);
+
+// Files accessible at: http://yourapp.com/avatars/filename.jpg
+```
+
+**Private uploads** (server-only access):
+
+```javascript
+app.post(
+  "/upload/documents",
+  {
+    media: {
+      public: false, // 🔒 Files NOT web-accessible
+      dest: "documents", // Saved to: private/documents/
+    },
+  },
+  handler,
+);
+
+// Files only accessible via your backend code (e.g., sendAbsoluteFile)
+```
+
 ### Uploaded File Object
 
 ```javascript
@@ -408,61 +452,77 @@ app.plugin(adapt(compression()));
 
 Built-in protections:
 
-| Feature                                 | Status |
-| :-------------------------------------- | :----: |
-| Path traversal protection               |   ✅   |
-| File type validation                    |   ✅   |
-| Body size limits (1MB JSON, 10MB files) |   ✅   |
-| Error sanitization (production mode)    |   ✅   |
-| Safe filename generation                |   ✅   |
-| Port validation                         |   ✅   |
+| Feature                                  | Status |
+| :--------------------------------------- | :----: |
+| **File upload protection** (opt-in only) |   ✅   |
+| Path traversal protection                |   ✅   |
+| File type validation                     |   ✅   |
+| Body size limits (1MB JSON, 10MB files)  |   ✅   |
+| Error sanitization (production mode)     |   ✅   |
+| Safe filename generation                 |   ✅   |
+| Port validation                          |   ✅   |
 
-Set `NODE_ENV=production` for secure error handling (stack traces hidden).
+### File Upload Security
 
->>>>>>> cpp-optimization
----
+Routes **reject multipart uploads by default** unless `media` is explicitly configured:
 
-### Interceptors (Middleware)
+```javascript
+// ❌ This will reject file uploads with 400 Bad Request
+app.post("/api/data", (req) => ({ data: req.body }));
 
-Interceptors run before your handler. Return `false` to stop execution.
+// ✅ This accepts file uploads (explicit opt-in)
+app.post(
+  "/upload",
+  {
+    media: {
+      dest: "uploads",
+      maxSize: 5 * 1024 * 1024,
+      allowedTypes: ["image/*", "application/pdf"],
+    },
+  },
+  handler,
+);
+```
 
-#### Single Interceptor
+This prevents attackers from uploading malicious files to unintended routes.
 
-```javascript
-const authCheck = (req, res) => {
-  if (!req.headers.authorization) {
-    res.unauthorized("Token required");
-    return false;
-  }
-  req.user = { id: 1 };
-  return true;
-};
+Set `NODE_ENV=production` for secure error handling (stack traces hidden).
 
-app.get("/protected", { intercept: authCheck }, (req) => {
-  return { user: req.user };
-});
-```
+---
 
-#### Multiple Interceptors
+## ⚡ Schema-Based Serialization
+
+**Optional** performance boost: Pre-compile JSON serializers for 2-3x faster responses.
 
 ```javascript
 app.get(
-  "/admin",
+  "/users/:id",
   {
-    intercept: [authCheck, adminCheck, rateLimiter],
+    schema: {
+      response: {
+        type: "object",
+        properties: {
+          id: { type: "number" },
+          name: { type: "string" },
+          email: { type: "string" },
+          active: { type: "boolean" },
+        },
+      },
+    },
+  },
+  async (req) => {
+    const user = await db.getUser(req.params.id);
+    return user; // Uses pre-compiled serializer (2-3x faster than JSON.stringify)
   },
-  handler,
 );
 ```
 
-#### Global Interceptors
+**Benefits:**
 
-```javascript
-// Applies to ALL routes
-app.plugin((req, res) => {
-  console.log(`${req.method} ${req.url}`);
-});
-```
+- ✅ 2-3x faster JSON serialization
+- ✅ No `Object.keys()` enumeration
+- ✅ Zero runtime type checking
+- ✅ Completely optional (routes work without schemas)
 
 ---
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "vibe-gx",
-  "version": "2.0.0",
-  "description": "A lightweight, high-performance Node.js web framework with optional C++ optimizations.",
+  "version": "3.1.0",
+  "description": "A lightweight, high-performance Node.js web framework.",
   "type": "module",
   "main": "vibe.js",
   "types": "vibe.d.ts",
@@ -14,18 +14,13 @@
   "files": [
     "vibe.js",
     "vibe.d.ts",
-    "utils/",
-    "native/",
-    "binding.gyp"
+    "utils/"
   ],
   "scripts": {
     "test": "node tests/unit.test.js && node tests/live.test.js",
     "test:all": "node tests/unit.test.js && node tests/live.test.js && node tests/scalability.test.js",
     "benchmark": "node tests/full-benchmark.js",
-    "start": "node server.js",
-    "build:native": "node-gyp rebuild",
-    "install": "node-gyp rebuild || echo 'Native build failed, using JS fallback'",
-    "clean": "node-gyp clean"
+    "start": "node server.js"
   },
   "keywords": [
     "node",
@@ -36,21 +31,15 @@
     "web",
     "backend",
     "fast",
-    "native",
     "performance",
     "express-alternative"
   ],
   "author": "Nnamdi \"Joe\" Amaga",
   "license": "MIT",
   "dependencies": {
-    "busboy": "^1.6.0",
-    "node-addon-api": "^7.1.1"
-  },
-  "optionalDependencies": {
-    "node-gyp": "^10.3.1"
+    "busboy": "^1.6.0"
   },
   "engines": {
     "node": ">=18"
-  },
-  "gypfile": true
-}
+  }
+}

package/utils/core/compile-serializer.js

@@ -0,0 +1,171 @@
+/**
+ * Schema-based JSON serializer compiler.
+ *
+ * Pre-compiles a specialized stringify function from a JSON schema
+ * at route registration time. The generated function knows the exact
+ * object shape, avoiding Object.keys() enumeration and type-checking
+ * at request time.
+ *
+ * @module compile-serializer
+ */
+
+/**
+ * Compiles a JSON schema into a specialized serializer function.
+ *
+ * @param {Object} schema - JSON schema (subset)
+ * @returns {(data: any) => string} Compiled serializer
+ */
+export function compileSerializer(schema) {
+  if (!schema || !schema.type) {
+    return JSON.stringify;
+  }
+
+  const fn = compileType(schema);
+  return fn;
+}
+
+/**
+ * Escapes a string for JSON output.
+ * Handles: " \ \b \f \n \r \t and control chars
+ */
+const escapeChar = {
+  '"': '\\"',
+  "\\": "\\\\",
+  "\b": "\\b",
+  "\f": "\\f",
+  "\n": "\\n",
+  "\r": "\\r",
+  "\t": "\\t",
+};
+
+function escapeString(str) {
+  let result = '"';
+  let last = 0;
+
+  for (let i = 0; i < str.length; i++) {
+    const code = str.charCodeAt(i);
+    // Check for characters that need escaping
+    if (code === 34 || code === 92 || code < 32) {
+      const char = str[i];
+      if (i > last) result += str.slice(last, i);
+      result += escapeChar[char] || "\\u" + code.toString(16).padStart(4, "0");
+      last = i + 1;
+    }
+  }
+
+  if (last === 0) return '"' + str + '"';
+  if (last < str.length) result += str.slice(last);
+  return result + '"';
+}
+
+/**
+ * Compiles a type-specific serializer from schema.
+ * Returns a function (value) => string.
+ */
+function compileType(schema) {
+  switch (schema.type) {
+    case "object":
+      return compileObject(schema);
+    case "array":
+      return compileArray(schema);
+    case "string":
+      return escapeString;
+    case "number":
+    case "integer":
+      return serializeNumber;
+    case "boolean":
+      return serializeBoolean;
+    case "null":
+      return () => "null";
+    default:
+      return JSON.stringify;
+  }
+}
+
+function serializeNumber(v) {
+  if (v !== v || v === Infinity || v === -Infinity) return "null"; // NaN, Inf
+  return "" + v;
+}
+
+function serializeBoolean(v) {
+  return v ? "true" : "false";
+}
+
+/**
+ * Compiles an object serializer from schema.properties.
+ *
+ * Generates a function that directly accesses known properties
+ * by name, avoiding Object.keys() enumeration entirely.
+ */
+function compileObject(schema) {
+  const props = schema.properties;
+  if (!props) return JSON.stringify;
+
+  const keys = Object.keys(props);
+  if (keys.length === 0) return () => "{}";
+
+  // Pre-compute property serializers and JSON key prefixes
+  const entries = keys.map((key, i) => {
+    const serializer = compileType(props[key]);
+    // Pre-stringify the key + colon (and comma for non-first)
+    const prefix = (i > 0 ? "," : "") + '"' + key + '":';
+    return { key, serializer, prefix };
+  });
+
+  // Check if all properties are simple strings — ultra-fast path
+  const allStrings = keys.every((k) => props[k].type === "string");
+
+  if (allStrings && keys.length <= 8) {
+    // Ultra-fast path for small all-string objects (most common API response)
+    return function serializeStringObject(obj) {
+      if (obj === null || obj === undefined) return "null";
+      let result = "{";
+      for (let i = 0; i < entries.length; i++) {
+        const e = entries[i];
+        const v = obj[e.key];
+        result += e.prefix;
+        result += v === undefined || v === null ? "null" : escapeString("" + v);
+      }
+      return result + "}";
+    };
+  }
+
+  // General path for mixed-type objects
+  return function serializeObject(obj) {
+    if (obj === null || obj === undefined) return "null";
+    let result = "{";
+    for (let i = 0; i < entries.length; i++) {
+      const e = entries[i];
+      const v = obj[e.key];
+      result += e.prefix;
+      if (v === undefined || v === null) {
+        result += "null";
+      } else {
+        result += e.serializer(v);
+      }
+    }
+    return result + "}";
+  };
+}
+
+/**
+ * Compiles an array serializer from schema.items.
+ */
+function compileArray(schema) {
+  const itemSerializer = schema.items
+    ? compileType(schema.items)
+    : JSON.stringify;
+
+  return function serializeArray(arr) {
+    if (!Array.isArray(arr)) return "null";
+    if (arr.length === 0) return "[]";
+
+    let result = "[" + itemSerializer(arr[0]);
+    for (let i = 1; i < arr.length; i++) {
+      result += "," + itemSerializer(arr[i]);
+    }
+    return result + "]";
+  };
+}
+
+export default compileSerializer;

package/utils/core/parser.js

@@ -32,6 +32,20 @@ export default function bodyParser(req, res, media = {}, options = {}) {
 
     /* ---------- Multipart / File Uploads ---------- */
     if (contentType.includes("multipart/form-data")) {
+      // SECURITY: Only allow file uploads if media config is explicitly set
+      // This prevents attackers from uploading files to routes that don't expect them
+      if (!media || Object.keys(media).length === 0) {
+        res.writeHead(400, { "content-type": "application/json" });
+        res.end(
+          JSON.stringify({
+            error: "Bad Request",
+            message: "File uploads not allowed on this route",
+          }),
+        );
+        return reject(
+          new Error("File upload attempted without media configuration"),
+        );
+      }
       parseMultipart(req, res, media, options, resolve, reject);
       return;
     }
@@ -235,11 +249,11 @@ function parseMultipart(req, res, media, options, resolve, reject) {
  */
 function parseJson(req, res, media, options, resolve, reject) {
   const limit = options.maxJsonSize || 1e6;
-  const streamThreshold = media.streamThreshold || DEFAULT_STREAM_THRESHOLD;
+  const streamThreshold = media?.streamThreshold || DEFAULT_STREAM_THRESHOLD;
   const contentLength = parseInt(req.headers["content-length"] || "0", 10);
 
   // STREAMING MODE: For very large JSON, let handler process incrementally
-  if (media.streaming && contentLength > streamThreshold) {
+  if (media?.streaming && contentLength > streamThreshold) {
     req.body = null; // Signal that body should be consumed via stream
     req.emit("jsonStream", req);
     resolve();