wu-framework 1.1.16 → 1.1.17

package/integrations/astro/types.d.ts

@@ -1,53 +1,53 @@
-import type { AstroIntegration } from 'astro';
-
-/** Configuration for a single wu micro-app. */
-export interface WuAppConfig {
-  /** Unique name used to reference this micro-app. */
-  name: string;
-  /** URL or path from which the micro-app is loaded. */
-  url: string;
-  /** Loading strategy. Defaults to the framework default. */
-  strategy?: 'eager' | 'lazy' | 'manual';
-}
-
-/** Options accepted by the wu Astro integration. */
-export interface WuIntegrationOptions {
-  /** Micro-apps to auto-register via wu.init(). */
-  apps?: WuAppConfig[];
-  /** Global sandbox isolation mode. */
-  sandbox?: 'module' | 'strict' | 'eval';
-  /** CDN URL for the wu-framework UMD bundle. When omitted the local package is used. */
-  cdn?: string;
-  /** Enable debug logging. */
-  debug?: boolean;
-}
-
-/**
- * Astro integration factory for wu-framework.
- *
- * @example
- * import wu from '@wu-framework/astro';
- * export default defineConfig({ integrations: [wu({ apps: [...] })] });
- */
-export default function wuIntegration(
-  options?: WuIntegrationOptions
-): AstroIntegration;
-
-/** Props for the WuShell.astro layout component. */
-export interface WuShellProps {
-  apps: WuAppConfig[];
-  sandbox?: 'module' | 'strict' | 'eval';
-  debug?: boolean;
-}
-
-/** Props for the WuApp.astro mount component. */
-export interface WuAppProps {
-  /** Name of the registered wu micro-app. */
-  name: string;
-  /** Defer mounting until the element is visible (IntersectionObserver). */
-  lazy?: boolean;
-  /** CSS class(es) for the container div. */
-  class?: string;
-  /** Inline styles for the container div. */
-  style?: string;
-}
+import type { AstroIntegration } from 'astro';
+
+/** Configuration for a single wu micro-app. */
+export interface WuAppConfig {
+  /** Unique name used to reference this micro-app. */
+  name: string;
+  /** URL or path from which the micro-app is loaded. */
+  url: string;
+  /** Loading strategy. Defaults to the framework default. */
+  strategy?: 'eager' | 'lazy' | 'manual';
+}
+
+/** Options accepted by the wu Astro integration. */
+export interface WuIntegrationOptions {
+  /** Micro-apps to auto-register via wu.init(). */
+  apps?: WuAppConfig[];
+  /** Global sandbox isolation mode. */
+  sandbox?: 'module' | 'strict' | 'eval';
+  /** CDN URL for the wu-framework UMD bundle. When omitted the local package is used. */
+  cdn?: string;
+  /** Enable debug logging. */
+  debug?: boolean;
+}
+
+/**
+ * Astro integration factory for wu-framework.
+ *
+ * @example
+ * import wu from '@wu-framework/astro';
+ * export default defineConfig({ integrations: [wu({ apps: [...] })] });
+ */
+export default function wuIntegration(
+  options?: WuIntegrationOptions
+): AstroIntegration;
+
+/** Props for the WuShell.astro layout component. */
+export interface WuShellProps {
+  apps: WuAppConfig[];
+  sandbox?: 'module' | 'strict' | 'eval';
+  debug?: boolean;
+}
+
+/** Props for the WuApp.astro mount component. */
+export interface WuAppProps {
+  /** Name of the registered wu micro-app. */
+  name: string;
+  /** Defer mounting until the element is visible (IntersectionObserver). */
+  lazy?: boolean;
+  /** CSS class(es) for the container div. */
+  class?: string;
+  /** Inline styles for the container div. */
+  style?: string;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wu-framework",
-  "version": "1.1.16",
+  "version": "1.1.17",
   "description": "Universal Microfrontends Framework - 8 frameworks, zero config, Shadow DOM isolation",
   "main": "dist/wu-framework.cjs.js",
   "module": "src/index.js",
@@ -35,7 +35,10 @@
     "clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\"",
     "test": "vitest run",
     "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage"
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src/",
+    "format": "prettier --write src/",
+    "format:check": "prettier --check src/"
   },
   "keywords": [
     "microfrontends",
@@ -118,7 +121,9 @@
     "@rollup/plugin-replace": "^5.0.5",
     "@rollup/plugin-terser": "^0.4.4",
     "@vitest/coverage-v8": "^4.0.18",
+    "eslint": "^10.0.2",
     "jsdom": "^28.0.0",
+    "prettier": "^3.8.1",
     "rollup": "^4.9.0",
     "vitest": "^4.0.18"
   },

package/src/adapters/svelte/index.js

@@ -695,7 +695,7 @@ function createWuSlotConfig() {
 
     // Implementación JavaScript pura para usar sin .svelte
     createInstance: (target, props) => {
-      let container = document.createElement('div');
+      const container = document.createElement('div');
       container.className = 'wu-slot';
       container.style.minHeight = '100px';
       container.style.position = 'relative';

package/src/adapters/vanilla/index.js

@@ -146,7 +146,7 @@ async function register(appName, config, options = {}) {
   }
 
   // Estado local de la app
-  let appState = { ...state };
+  const appState = { ...state };
 
   // Función de mount
   const mountApp = (container) => {

package/src/core/wu-cache.js

@@ -32,6 +32,9 @@ export class WuCache {
       cooldownUntil: 0
     };
 
+    // Rate limit notification flag (log only once per cooldown)
+    this._rateLimitNotified = false;
+
     // Memory cache
     this.memoryCache = new Map();
 
@@ -66,6 +69,7 @@ export class WuCache {
       }
       // Cooldown terminado
       this.rateLimiting.inCooldown = false;
+      this._rateLimitNotified = false;
       this.rateLimiting.operations = [];
     }
 
@@ -91,7 +95,22 @@ export class WuCache {
   }
 
   /**
-   * 🔐 GET RATE LIMIT STATUS
+   * Handle rate-limited operations: log once per cooldown, return diagnostic object
+   * @param {string} operation - The operation that was rate limited ('get' or 'set')
+   * @param {string} key - The cache key that was rejected
+   * @returns {{ rateLimited: true, operation: string, key: string }}
+   */
+  _onRateLimited(operation, key) {
+    if (!this._rateLimitNotified) {
+      const cooldownRemaining = Math.max(0, this.rateLimiting.cooldownUntil - Date.now());
+      logger.warn(`[WuCache] Rate limited: ${operation} for key "${key}" rejected. ${cooldownRemaining}ms remaining in cooldown.`);
+      this._rateLimitNotified = true;
+    }
+    return { rateLimited: true, operation, key };
+  }
+
+  /**
+   * GET RATE LIMIT STATUS
    */
   getRateLimitStatus() {
     const now = Date.now();
@@ -115,7 +134,8 @@ export class WuCache {
   get(key) {
     // 🔐 Check rate limit
     if (!this._checkRateLimit()) {
-      return null; // Silently fail on rate limit
+      this._onRateLimited('get', key);
+      return null;
     }
 
     // 1. Buscar en memoria
@@ -162,7 +182,8 @@ export class WuCache {
   set(key, value, ttl) {
     // 🔐 Check rate limit
     if (!this._checkRateLimit()) {
-      return false; // Reject on rate limit
+      this._onRateLimited('set', key);
+      return false;
     }
 
     try {

package/src/core/wu-core.js

@@ -333,6 +333,20 @@ export class WuCore {
     } catch (error) {
       logger.wuError(`Mount attempt ${attempt + 1} failed for ${appName}:`, error);
 
+      // Cleanup sandbox to prevent orphaned shadow DOMs
+      try {
+        if (this.sandbox && this.sandbox.sandboxes && this.sandbox.sandboxes.has(appName)) {
+          const sb = this.sandbox.sandboxes.get(appName);
+          if (sb && sb.proxySandbox) {
+            sb.proxySandbox.deactivate();
+          }
+          this.sandbox.sandboxes.delete(appName);
+          logger.wuDebug(`Sandbox cleaned up after mount failure for ${appName}`);
+        }
+      } catch (cleanupError) {
+        logger.wuWarn(`Sandbox cleanup failed for ${appName}:`, cleanupError);
+      }
+
       // Use error boundary for intelligent error handling
       const errorResult = await this.errorBoundary.handle(error, {
         appName,
@@ -671,7 +685,7 @@ export class WuCore {
    * Intelligently resolves module paths with real-time validation
    */
   async resolveModulePath(app) {
-    let entryFile = app.manifest?.entry || 'main.js';
+    const entryFile = app.manifest?.entry || 'main.js';
     const baseUrl = app.url.replace(/\/$/, ''); // Remove trailing slash
 
     // Normalize path: Remove duplicated directories

package/src/core/wu-error-boundary.js

@@ -314,19 +314,33 @@ export class WuErrorBoundary {
    * @param {Object} context - Contexto
    */
   logError(error, context) {
+    // Truncate stack to first 5 lines to prevent retaining large object references
+    const stack = error.stack ? error.stack.split('\n').slice(0, 5).join('\n') : '';
+
+    // Shallow-copy context to avoid retaining references to live objects
+    const safeContext = {};
+    for (const key of Object.keys(context)) {
+      const val = context[key];
+      if (typeof val === 'string' || typeof val === 'number' || typeof val === 'boolean' || val === null) {
+        safeContext[key] = val;
+      } else {
+        safeContext[key] = String(val);
+      }
+    }
+
     const errorEntry = {
       error: {
         name: error.name,
         message: error.message,
-        stack: error.stack
+        stack
       },
-      context,
+      context: safeContext,
       timestamp: Date.now()
     };
 
     this.errorLog.push(errorEntry);
 
-    // Mantener límite de log
+    // Maintain log limit
     if (this.errorLog.length > this.maxErrorLog) {
       this.errorLog.shift();
     }

package/src/core/wu-event-bus.js

@@ -10,6 +10,25 @@
  */
 import { logger } from './wu-logger.js';
 
+/**
+ * @typedef {Object} WuEvent
+ * @property {string} name - Event name
+ * @property {*} data - Event payload
+ * @property {number} timestamp - Event timestamp
+ * @property {string} appName - Source app name
+ * @property {Object} meta - Additional metadata
+ * @property {boolean} verified - Whether origin was verified
+ */
+
+/**
+ * @typedef {Object} WuEventBusConfig
+ * @property {number} [maxHistory=100] - Maximum events in history
+ * @property {boolean} [enableReplay=true] - Enable event replay
+ * @property {boolean} [enableWildcards=true] - Enable wildcard matching
+ * @property {boolean} [logEvents=false] - Log all events
+ * @property {boolean} [strictMode=false] - Reject unauthorized events
+ * @property {boolean} [validateOrigin=true] - Validate event origins
+ */
 
 export class WuEventBus {
   constructor() {
@@ -20,16 +39,21 @@ export class WuEventBus {
     this.authorizedApps = new Map(); // appName -> { token, permissions }
     this.trustedEvents = new Set(['wu:*', 'system:*']); // Eventos del sistema
 
+    // Auto-detect production environment for strictMode default
+    const isProduction = typeof process !== 'undefined' && process.env?.NODE_ENV === 'production';
+
     this.config = {
       maxHistory: 100,
       enableReplay: true,
       enableWildcards: true,
       logEvents: false,
       // 🔐 Opciones de seguridad
-      strictMode: false, // Si true, rechaza eventos de apps no autorizadas
+      strictMode: isProduction, // Auto-enabled in production, permissive in development
       validateOrigin: true // Valida que appName sea una app registrada
     };
 
+    this._permissiveWarned = false;
+
     this.stats = {
       emitted: 0,
       subscriptions: 0,
@@ -127,6 +151,19 @@ export class WuEventBus {
     return `wu_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
   }
 
+  /**
+   * WARN PERMISSIVE MODE: Log a one-time warning when strictMode is off
+   * Alerts developers that events are flowing without authorization checks
+   */
+  _warnPermissiveMode() {
+    if (this._permissiveWarned) return;
+    this._permissiveWarned = true;
+    logger.warn(
+      '[WuEventBus] strictMode is disabled. Events are emitted without authorization checks. ' +
+      'Enable strictMode for production by calling enableStrictMode() or setting NODE_ENV=production.'
+    );
+  }
+
   /**
    * 📢 EMIT: Emitir evento con validación de origen
    * @param {string} eventName - Nombre del evento
@@ -136,6 +173,11 @@ export class WuEventBus {
   emit(eventName, data, options = {}) {
     const appName = options.appName || 'unknown';
 
+    // Warn once if running in permissive mode (strictMode off)
+    if (!this.config.strictMode) {
+      this._warnPermissiveMode();
+    }
+
     // 🔐 Validar origen si está habilitado
     if (this.config.validateOrigin && this.config.strictMode) {
       if (!this._validateOrigin(eventName, appName, options.token)) {

package/src/core/wu-html-parser.js

@@ -62,19 +62,28 @@ export class WuHtmlParser {
       return this._cache.get(cacheKey);
     }
 
-    const temp = document.createElement('div');
-    temp.innerHTML = html;
+    const parser = new DOMParser();
+    const doc = parser.parseFromString(html, 'text/html');
 
     const inlineScripts = [];
     const externalScripts = [];
     const inlineStyles = [];
     const externalStyles = [];
 
-    this._extractResources(temp, {
+    const ctx = {
       inlineScripts, externalScripts,
       inlineStyles, externalStyles,
       baseUrl
-    });
+    };
+
+    // DOMParser moves <style>, <link>, and some <script> tags to <head>.
+    // Extract resources from both head and body to capture everything.
+    if (doc.head) {
+      this._extractResources(doc.head, ctx);
+    }
+
+    const temp = doc.body || doc.documentElement;
+    this._extractResources(temp, ctx);
 
     const result = {
       dom: temp.innerHTML,