webspresso 0.0.74 → 0.0.75

package/core/kernel/plugin.js

@@ -0,0 +1,23 @@
+/**
+ * @module core/kernel/plugin
+ */
+
+/**
+ * Plugin descriptor consumed by {@link createApp}.
+ *
+ * @param {{
+ *   name: string,
+ *   events?: (app: Record<string, unknown>) => void,
+ *   views?: () => {
+ *     namespace: string,
+ *     layouts?: Record<string, string>,
+ *     pages?: Record<string, string>,
+ *     partials?: Record<string, string>,
+ *   },
+ * }} definition
+ */
+function definePlugin(definition) {
+  return definition;
+}
+
+module.exports = { definePlugin };

package/core/kernel/plugins/sample-seo.js

@@ -0,0 +1,26 @@
+const { definePlugin } = require('../plugin');
+
+module.exports = definePlugin({
+  name: 'seo-plugin',
+
+  events(app) {
+    app.events.on('orm.post.afterCreate', async () => {
+      console.log('[plugin] SEO update triggered');
+    });
+  },
+
+  views() {
+    return {
+      namespace: 'seo',
+      layouts: {
+        main: '<html><body><div class="wrap">{{ content }}</div></body></html>',
+      },
+      pages: {
+        home: '<h1>{{ title }}</h1><p>Welcome</p>',
+      },
+      partials: {
+        badge: '<span class="badge">{{ label }}</span>',
+      },
+    };
+  },
+});

package/core/kernel/run-demo.js

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+/**
+ * Demo: PostRepository + plugin + flow. Run: node core/kernel/run-demo.js
+ */
+
+const { createApp, defineFlow, BaseRepository } = require('./app');
+const sampleSeo = require('./plugins/sample-seo');
+
+class PostRepository extends BaseRepository {
+  constructor(events) {
+    super(events, { resource: 'post', source: 'orm' });
+  }
+}
+
+async function main() {
+  const app = createApp();
+
+  app.events.on('orm.post.beforeCreate', async () => {
+    console.log('[beforeCreate]');
+  });
+  app.events.on('orm.post.afterCreate', async () => {
+    console.log('[afterCreate]');
+  });
+
+  app.registerPlugin(sampleSeo);
+
+  app.registerFlow(
+    defineFlow({
+      id: 'sitemap-on-publish',
+      trigger: 'orm.post.afterCreate',
+      when: (ctx) => ctx.payload.record?.status === 'published',
+      actions: [
+        async () => {
+          console.log('[flow] Run sitemap update');
+        },
+      ],
+    }),
+  );
+
+  const posts = new PostRepository(app.events);
+
+  console.log('--- create post (published) ---');
+  await posts.create({ title: 'Hello', status: 'published' });
+
+  console.log('\n--- view render (inline plugin template) ---');
+  const html = app.view.renderView('seo::home', { title: 'Kernel' }, {
+    layout: 'seo::main',
+  });
+  console.log(html.slice(0, 120).replace(/\s+/g, ' ') + '...');
+
+  console.log('\n--- partial ---');
+  console.log(app.view.renderPartial('seo::badge', { label: 'new' }));
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/core/kernel/view.js

@@ -0,0 +1,167 @@
+/**
+ * Namespaced view resolution and minimal {{ var }} rendering.
+ * @module core/kernel/view
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * @param {string} template
+ * @param {Record<string, any>} data
+ */
+function renderTemplate(template, data) {
+  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, keyPath) => {
+    const parts = keyPath.split('.');
+    let v = data;
+    for (const p of parts) {
+      v = v == null ? undefined : v[p];
+    }
+    if (v == null || v === false) return '';
+    return String(v);
+  });
+}
+
+/**
+ * Parse "namespace::name" → { namespace, name }
+ * @param {string} qualified
+ */
+function parseQualified(qualified) {
+  const sep = '::';
+  const i = qualified.indexOf(sep);
+  if (i === -1) {
+    throw new Error(`View name must be namespaced ("ns::page"), got: ${qualified}`);
+  }
+  return {
+    namespace: qualified.slice(0, i),
+    name: qualified.slice(i + sep.length),
+  };
+}
+
+/**
+ * @param {{
+ *   appViews?: string,
+ *   themeViews?: string,
+ * }} paths
+ */
+function createViewEngine(paths = {}) {
+  const appPluginsRoot = paths.appViews || '';
+  const themeRoot = paths.themeViews || '';
+
+  /** @type {Map<string, { pluginName: string, layouts: Record<string,string>, pages: Record<string,string>, partials: Record<string,string> }>} */
+  const registry = new Map();
+
+  /**
+   * @param {string} pluginName
+   * @param {{ namespace: string, layouts?: Record<string,string>, pages?: Record<string,string>, partials?: Record<string,string> }} bundle
+   */
+  function registerPluginViews(pluginName, bundle) {
+    const { namespace } = bundle;
+    registry.set(namespace, {
+      pluginName,
+      layouts: bundle.layouts || {},
+      pages: bundle.pages || {},
+      partials: bundle.partials || {},
+    });
+  }
+
+  /**
+   * Resolve template body: app override → theme → plugin in-memory bundle.
+   * @param {'page'|'layout'|'partial'} kind
+   * @param {string} namespace
+   * @param {string} id
+   * @returns {string|null}
+   */
+  function resolveTemplate(kind, namespace, id) {
+    const entry = registry.get(namespace);
+    const pluginSlug = entry ? entry.pluginName : namespace;
+
+    const sub =
+      kind === 'layout'
+        ? 'layouts'
+        : kind === 'partial'
+          ? 'partials'
+          : 'pages';
+    const file = `${id}.html`;
+
+    if (appPluginsRoot) {
+      const appPath = path.join(appPluginsRoot, 'plugins', pluginSlug, sub, file);
+      if (fs.existsSync(appPath)) {
+        return fs.readFileSync(appPath, 'utf8');
+      }
+    }
+
+    if (themeRoot) {
+      const themePath = path.join(themeRoot, pluginSlug, sub, file);
+      if (fs.existsSync(themePath)) {
+        return fs.readFileSync(themePath, 'utf8');
+      }
+    }
+
+    if (entry) {
+      const dict =
+        kind === 'layout'
+          ? entry.layouts
+          : kind === 'partial'
+            ? entry.partials
+            : entry.pages;
+      const inline = dict[id];
+      if (inline != null) return inline;
+    }
+
+    return null;
+  }
+
+  /**
+   * @param {string} qualified
+   * @param {Record<string, any>} data
+   * @param {{ layout?: string }} [options]
+   */
+  function renderView(qualified, data, options = {}) {
+    const { namespace, name } = parseQualified(qualified);
+    let body = resolveTemplate('page', namespace, name);
+    if (body == null) {
+      throw new Error(`View not found: ${qualified}`);
+    }
+    body = renderTemplate(body, data);
+
+    if (options.layout) {
+      const lq = parseQualified(options.layout);
+      const layoutBody = resolveTemplate('layout', lq.namespace, lq.name);
+      if (layoutBody == null) {
+        throw new Error(`Layout not found: ${options.layout}`);
+      }
+      const merged = { ...data, content: body };
+      return renderTemplate(layoutBody, merged);
+    }
+
+    return body;
+  }
+
+  /**
+   * @param {string} qualified
+   * @param {Record<string, any>} data
+   */
+  function renderPartial(qualified, data) {
+    const { namespace, name } = parseQualified(qualified);
+    const raw = resolveTemplate('partial', namespace, name);
+    if (raw == null) {
+      throw new Error(`Partial not found: ${qualified}`);
+    }
+    return renderTemplate(raw, data);
+  }
+
+  return {
+    registerPluginViews,
+    renderView,
+    renderPartial,
+    renderTemplate,
+    parseQualified,
+  };
+}
+
+module.exports = {
+  createViewEngine,
+  renderTemplate,
+  parseQualified,
+};

package/core/openapi/build-from-api-routes.js

@@ -8,6 +8,8 @@ const { zodToJsonSchema } = require('zod-to-json-schema');
 const { compileSchema } = require('../compileSchema');
 const { generateOrmOpenApiSchemas } = require('./orm-components');
 
+const OPENAPI_METHODS = new Set(['get', 'post', 'put', 'patch', 'delete', 'head', 'options']);
+
 /**
  * Express route pattern → OpenAPI path (e.g. /users/:id → /users/{id})
  * @param {string} expressPath
@@ -115,7 +117,7 @@ function buildOpenApiDocument(opts) {
     throw new Error('buildOpenApiDocument: pagesDir is required');
   }
 
-  const paths = {};
+  const paths = Object.create(null);
   const apiRoutes = routes.filter((r) => r.type === 'api');
   const absPages = path.resolve(pagesDir);
 
@@ -142,8 +144,12 @@ function buildOpenApiDocument(opts) {
     const openApiPath = expressPathToOpenApi(route.pattern);
     const method = route.method.toLowerCase();
 
+    if (!OPENAPI_METHODS.has(method)) {
+      continue;
+    }
+
     if (!paths[openApiPath]) {
-      paths[openApiPath] = {};
+      paths[openApiPath] = Object.create(null);
     }
 
     paths[openApiPath][method] = buildOperation(route, compiled);

package/core/orm/model.js

@@ -4,6 +4,7 @@
  * @module core/orm/model
  */
 
+const { trimUrlPathSlashes } = require('../url-path-normalize');
 const { extractColumnsFromSchema } = require('./schema-helpers');
 const { ModelEvents, Hooks } = require('./events');
 
@@ -93,7 +94,8 @@ function defineModel(options) {
     },
     rest: {
       enabled: rest.enabled === true,
-      path: typeof rest.path === 'string' && rest.path.length > 0 ? rest.path.replace(/^\/+|\/+$/g, '') : null,
+      path:
+        typeof rest.path === 'string' && rest.path.length > 0 ? trimUrlPathSlashes(rest.path) : null,
       allowInclude: Array.isArray(rest.allowInclude) ? rest.allowInclude.filter((x) => typeof x === 'string') : null,
     },
     hidden: Array.isArray(hidden) ? hidden : [],

package/core/url-path-normalize.js

@@ -0,0 +1,30 @@
+/**
+ * Linear-time URL path trimming (avoid polynomial regex on long slash runs).
+ */
+
+const DEFAULT_MAX_CHARS = 4096;
+
+/**
+ * Trim leading and optional trailing ASCII '/' from a logical URL path fragment.
+ * @param {unknown} raw
+ * @param {{ maxChars?: number }} [opts]
+ * @returns {string}
+ */
+function trimUrlPathSlashes(raw, opts = {}) {
+  const maxChars = opts.maxChars ?? DEFAULT_MAX_CHARS;
+  let s = raw == null ? '' : String(raw);
+  if (s.length > maxChars) {
+    s = s.slice(0, maxChars);
+  }
+  let start = 0;
+  while (start < s.length && s.charCodeAt(start) === 47 /* / */) {
+    start++;
+  }
+  let end = s.length;
+  while (end > start && s.charCodeAt(end - 1) === 47) {
+    end--;
+  }
+  return s.slice(start, end);
+}
+
+module.exports = { trimUrlPathSlashes };

package/index.d.ts

@@ -34,7 +34,10 @@ export interface CreateAppOptions {
     version?: string;
     manifestPath?: string;
     prefix?: string;
-  };
+  };  /**
+   * Custom 404 / 500 / 503 handlers. File-based route errors are forwarded with `next(err)` and hit `serverError` / `timeout`.
+   * When `serverError` / `timeout` is a template path, it is not used for paths under `/api` (default JSON instead).
+   */
   errorPages?: {
     notFound?: string | ((req: Request, res: Response, ctx: ErrorPageContext) => unknown);
     serverError?:
@@ -120,6 +123,29 @@ export function detectLocale(
   defaultLocale: string
 ): string;
 
+export function parseNjkFrontmatter(content: string): {
+  body: string;
+  fm: Record<string, unknown> | null;
+  hasDelimiter: boolean;
+};
+
+export function frontmatterToPatches(fm: unknown): {
+  metaPatch: Record<string, unknown>;
+  dataPatch: Record<string, unknown>;
+};
+
+export function loadNjkRouteTemplate(
+  absPath: string,
+  isDev: boolean
+): {
+  useStringRender: boolean;
+  templateBody: string | null;
+  metaPatch: Record<string, unknown>;
+  dataPatch: Record<string, unknown>;
+};
+
+export function clearNjkFrontmatterCaches(): void;
+
 // --- Helpers / assets ---
 
 export function createHelpers(context: Record<string, unknown>): Record<string, unknown>;
@@ -144,6 +170,8 @@ export interface RoutesReadyContext {
   app: Application;
   nunjucksEnv: unknown;
   options: CreateAppOptions;
+  /** Same object as `createApp({ middlewares })` — plugins may register named handlers before or after routes. */
+  middlewares: Record<string, WebspressoRegisteredMiddleware>;
   db: DatabaseInstance | null;
   routes: unknown;
   usePlugin(name: string): unknown;
@@ -157,6 +185,8 @@ export interface PluginRegisterContext {
   app: Application;
   nunjucksEnv: unknown;
   options: Record<string, unknown>;
+  /** Same object as `createApp({ middlewares })` for registering named route middleware. */
+  middlewares: Record<string, WebspressoRegisteredMiddleware>;
   db: DatabaseInstance | null;
   usePlugin(name: string): unknown;
   addHelper(name: string, fn: (...args: unknown[]) => unknown): void;
@@ -528,6 +558,43 @@ export function swaggerPlugin(options?: Record<string, unknown>): WebspressoPlug
 
 export function healthCheckPlugin(options?: Record<string, unknown>): WebspressoPlugin;
 
+export interface RedirectRule {
+  from: string | RegExp;
+  to: string;
+  status?: number;
+  /** Use `'*'` to match any HTTP method; default follows `defaultMethods` on the plugin. */
+  methods?: string[] | '*';
+}
+
+export interface RedirectPluginOptions {
+  rules?: RedirectRule[];
+  /** Default when a rule omits `status`. Must be 301, 302, 303, 307, or 308. Default 302. */
+  defaultStatus?: number;
+  /** Append request query string to `to` when `to` has no `?`. Default true. */
+  preserveQuery?: boolean;
+  /** Allow `to` starting with http(s): or //. Default false. */
+  allowExternal?: boolean;
+  /** Normalize path before matching: strip/add trailing slash. Default false (still allows /old vs /old/ match for string rules). */
+  trailingSlash?: 'strip' | 'add' | false;
+  /** Methods matched when a rule has no `methods`. Default GET and HEAD. */
+  defaultMethods?: string[];
+}
+
+export function redirectPlugin(options?: RedirectPluginOptions): WebspressoPlugin;
+
+/** Options for `rateLimitPlugin`: `express-rate-limit` fields plus plugin-only keys. */
+export interface RateLimitPluginOptions {
+  /** Mount a global limiter on the Express app (named route middleware is always registered). */
+  global?: boolean;
+  /** Shallow merge applied only to the global limiter. */
+  globalOverrides?: Record<string, unknown>;
+  /** Extra path prefixes skipped by the global limiter (builtin skips dev routes, favicon, robots, health). */
+  globalSkipPaths?: string[];
+  [key: string]: unknown;
+}
+
+export function rateLimitPlugin(options?: RateLimitPluginOptions): WebspressoPlugin;
+
 export interface RestResourcePluginOptions {
   path?: string;
   middleware?: RequestHandler[];
@@ -569,3 +636,103 @@ export function createLocalFileProvider(options?: {
   destDir?: string;
   publicBasePath?: string;
 }): UploadStorageProvider;
+
+// --- Application kernel (use `kernel.createApp`; not the SSR `createApp`) ---
+
+export type KernelEventSource = 'orm' | 'auth' | 'route' | 'plugin' | 'system';
+
+export interface KernelEventMeta {
+  requestId?: string;
+  userId?: string;
+  source: KernelEventSource;
+  createdAt: Date;
+}
+
+export interface KernelEventContext {
+  payload: unknown;
+  meta: KernelEventMeta;
+}
+
+export interface KernelEventBus {
+  dispatch(eventName: string, ctx: KernelEventContext): Promise<unknown>;
+  publish(eventName: string, ctx: KernelEventContext): Promise<void>;
+  on(eventName: string, handler: (ctx: KernelEventContext) => unknown): void;
+  off(eventName: string, handler: (ctx: KernelEventContext) => unknown): void;
+  buildContext(
+    payload: unknown,
+    meta: Partial<Omit<KernelEventMeta, 'createdAt'>> & Pick<KernelEventMeta, 'source'>
+  ): KernelEventContext;
+}
+
+export interface KernelViewEngine {
+  registerPluginViews(
+    pluginName: string,
+    bundle: {
+      namespace: string;
+      layouts?: Record<string, string>;
+      pages?: Record<string, string>;
+      partials?: Record<string, string>;
+    }
+  ): void;
+  renderView(
+    qualifiedName: string,
+    data: Record<string, unknown>,
+    options?: { layout?: string }
+  ): string;
+  renderPartial(qualifiedName: string, data: Record<string, unknown>): string;
+}
+
+export interface KernelPluginDescriptor {
+  name: string;
+  events?: (app: KernelAppShell) => void | Promise<void>;
+  views?: () => {
+    namespace: string;
+    layouts?: Record<string, string>;
+    pages?: Record<string, string>;
+    partials?: Record<string, string>;
+  };
+}
+
+export interface KernelFlowDefinition {
+  id?: string;
+  trigger: string;
+  when?: (ctx: KernelEventContext) => boolean;
+  actions?: Array<(ctx: KernelEventContext, app: KernelAppShell) => void | Promise<void>>;
+}
+
+export interface KernelAppShell {
+  events: KernelEventBus;
+  view: KernelViewEngine;
+  flows: Array<{ id?: string; trigger: string }>;
+  registerPlugin(plugin: KernelPluginDescriptor): void;
+  registerFlow(flow: KernelFlowDefinition): () => void;
+  paths: Record<string, string | undefined>;
+  options?: Record<string, unknown>;
+}
+
+export interface KernelBaseRepository {
+  events: KernelEventBus;
+  resource: string;
+  create(data: Record<string, unknown>): Promise<Record<string, unknown>>;
+  update(id: string, data: Partial<Record<string, unknown>>): Promise<Record<string, unknown>>;
+  delete(id: string): Promise<void>;
+}
+
+export interface KernelBaseRepositoryConstructor {
+  new (events: KernelEventBus, options: { resource: string; source?: KernelEventSource }): KernelBaseRepository;
+}
+
+export interface WebspressoKernel {
+  createApp(options?: { paths?: { appViews?: string; themeViews?: string } }): KernelAppShell;
+  definePlugin(plugin: KernelPluginDescriptor): KernelPluginDescriptor;
+  defineFlow(flow: KernelFlowDefinition): KernelFlowDefinition;
+  BaseRepository: KernelBaseRepositoryConstructor;
+  createEventBus(): KernelEventBus;
+  buildContext: KernelEventBus['buildContext'];
+  randomUUID(): string;
+  createViewEngine(paths?: { appViews?: string; themeViews?: string }): KernelViewEngine;
+  renderTemplate(template: string, data: Record<string, unknown>): string;
+  parseQualified(qualified: string): { namespace: string; name: string };
+}
+
+export const kernel: WebspressoKernel;

package/index.js

@@ -20,7 +20,11 @@ const {
   scanDirectory,
   loadI18n,
   createTranslator,
-  detectLocale
+  detectLocale,
+  parseNjkFrontmatter,
+  frontmatterToPatches,
+  loadNjkRouteTemplate,
+  clearNjkFrontmatterCaches,
 } = require('./src/file-router');
 const { 
   createHelpers, 
@@ -39,6 +43,9 @@ const {
 // ORM exports (lazy loaded)
 const orm = require('./core/orm');
 
+/** Application kernel (event bus, plugin shell, view resolver, flows). Use `kernel.createApp`; not the framework SSR `createApp`. */
+const kernel = require('./core/kernel');
+
 // Built-in plugins
 const {
   schemaExplorerPlugin,
@@ -53,6 +60,8 @@ const {
   uploadPlugin,
   createLocalFileProvider,
   dataExchangePlugin,
+  redirectPlugin,
+  rateLimitPlugin,
 } = require('./plugins');
 
 module.exports = {
@@ -76,6 +85,10 @@ module.exports = {
   loadI18n,
   createTranslator,
   detectLocale,
+  parseNjkFrontmatter,
+  frontmatterToPatches,
+  loadNjkRouteTemplate,
+  clearNjkFrontmatterCaches,
   
   // Template helpers
   createHelpers,
@@ -94,7 +107,10 @@ module.exports = {
   
   // ORM
   ...orm,
-  
+
+  /** Event bus / plugin shell / view resolver / flows (`kernel.createApp` is distinct from SSR `createApp`) */
+  kernel,
+
   // Direct zdb export (for convenience)
   zdb: orm.zdb,
 
@@ -111,4 +127,6 @@ module.exports = {
   uploadPlugin,
   createLocalFileProvider,
   dataExchangePlugin,
+  redirectPlugin,
+  rateLimitPlugin,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "webspresso",
-  "version": "0.0.74",
+  "version": "0.0.75",
   "description": "Minimal, production-ready SSR framework for Node.js with file-based routing, Nunjucks templating, built-in i18n, and CLI tooling",
   "main": "index.js",
   "types": "index.d.ts",
@@ -17,6 +17,9 @@
     "test:e2e:headed": "playwright test --headed",
     "bench": "vitest bench --run",
     "bench:compare": "vitest bench --run --compare benchmark-results.json",
+    "bench:baseline": "vitest bench --run --outputJson benchmarks/ci-baseline.json",
+    "bench:ci": "vitest bench --run --outputJson benchmarks/current-benchmark.json && node scripts/check-bench-regression.mjs benchmarks/ci-baseline.json benchmarks/current-benchmark.json",
+    "bench:ci:local": "npm run bench:baseline && npm run bench:ci",
     "check:types": "tsc --project tests/ts-smoke/tsconfig.json",
     "rebuild:native": "npm rebuild better-sqlite3 bcrypt sharp",
     "release": "release-it"
@@ -66,8 +69,10 @@
     "knex": "^3.1.0",
     "multer": "^2.1.1",
     "nunjucks": "^3.2.4",
+    "sanitize-html": "^2.17.3",
     "sharp": "^0.33.5",
     "swup": "^4.8.3",
+    "yaml": "^2.8.3",
     "zod": "^3.23.0",
     "zod-to-json-schema": "^3.25.2"
   },
@@ -75,10 +80,14 @@
     "@faker-js/faker": ">=8.0.0",
     "better-sqlite3": ">=9.0.0",
     "dotenv": ">=16.0.0",
+    "express-rate-limit": ">=8.0.0",
     "mysql2": ">=3.0.0",
     "pg": ">=8.0.0"
   },
   "peerDependenciesMeta": {
+    "express-rate-limit": {
+      "optional": true
+    },
     "dotenv": {
       "optional": true
     },
@@ -104,6 +113,7 @@
     "better-sqlite3": "^11.10.0",
     "chokidar": "^3.5.3",
     "dotenv": "^16.3.1",
+    "express-rate-limit": "^8.4.1",
     "release-it": "^19.0.0",
     "supertest": "^6.3.4",
     "typescript": "~5.6.3",