Set `options.outbase = 'src'` in the esbuildOptions callback to ensure
output files preserve the correct directory structure relative to the
`src` folder, preventing path flattening during the build process.
- Increment package version from 1.3.13 to 1.3.14
- Update `zen-db` binary path from `dist/cli/database.js`
to `dist/core/database/cli.js` to reflect new file structure
Update BaseLayout imports in auth email templates to use the
`@zen/core/email/templates` module alias instead of relative paths,
improving maintainability and consistency across the codebase.
- Fix BaseLayout import paths in auth email templates from
`../../core/...` to `../../../core/...` to match correct
directory depth
- Remove unused `DatabaseError` from db.js exports
Move the database CLI entry point from `src/cli/database.js` to
`src/core/database/cli.js` to better reflect its location within
the core database module. Update both the `package.json` bin path
and `tsup.config.js` build entry accordingly.
Move the database CLI from `src/cli/database.js` to
`src/core/database/cli.js` to better reflect its association
with the database module. Update both the `package.json` bin
path and `tsup.config.js` entry points accordingly.
Removes all module-related logic from the admin dashboard, CLI database
initialization, and AdminPages component:
- Drop `initModules` call from `db init` CLI command and simplify the
completion message to only reflect core feature tables
- Remove `getModuleDashboardStats` and module page routing from admin
stats actions and update usage documentation accordingly
- Simplify `AdminPagesClient` to remove module page loading, lazy
components, and module-specific props (`moduleStats`, `modulePageInfo`,
`routeInfo`, `enabledModules`)
Introduce a dedicated `storage-config.js` for registering public
prefixes and access policies via `configureStorageApi()`, replacing the
previous `getAllStoragePublicPrefixes` / `getAllStorageAccessPolicies`
imports from the module registry.
Remove `getAllApiRoutes()` from the router so module-level routes are no
longer auto-collected; feature routes must now be registered explicitly
via `registerFeatureRoutes()` during `initializeZen()`.
Update `.env.example` to document separate `ZEN_STORAGE_PROVIDER`,
`ZEN_STORAGE_B2_*` variables for Backblaze B2 alongside the existing
Cloudflare R2 variables, making provider selection explicit.
Clean up admin navigation and page components to drop module-injected
nav entries, keeping only core and system sections.
- Remove all module-related entry points from package.json exports
- Remove module source files from tsup build configuration
- Clean up external dependencies related to modules
- Update DEV.md to reflect modules removal from architecture
- Clarify package description to specify Next.js CMS
- Add `storagePublicPrefixes` and `storageAccessPolicies` fields to
both internal and external module config loading in discovery.js
- Add a module-level `MIME_TYPES` constant in storage/utils.js to
avoid recreating the object on every `getMimeType` call
- Remove unused `validateImageDimensions` export from storage/index.js
- Remove dead `isFinite` check after `Math.min/max` in `getPresignedUrl`
(result is always finite at that point)
- Remove unused `warn` import from storage/utils.js
- Add documentation rule in DEV.md: comments must always reflect the
actual behavior of the code they describe
Replace hardcoded `users/` path-based access control with a
declarative `storageAccessPolicies` system defined per module via
`defineModule()`.
- Add `storageAccessPolicies` field to `defineModule()` defaults with
support for `owner` and `admin` policy types
- Expose `getAllStorageAccessPolicies()` from the modules/storage layer
- Refactor `handleGetFile` in `storage/api.js` to resolve access
control dynamically from registered policies instead of hardcoded
path checks
- Add `ZEN_STORAGE_ENDPOINT` env var and update `.env.example` to
support S3-compatible backends (Cloudflare R2, Backblaze B2)
- Document the env/doc sync convention in `DEV.md`
Remove helper functions (cmToPoints, inchesToPoints, mmToPoints,
createElement, PAGE_SIZES) and consolidate re-exports from
@react-pdf/renderer into a single export statement. Retain only
the getFilename utility and streamline the module to reduce
unnecessary abstraction over the underlying library.
- Replace dynamic `import('stripe')` with static import for clarity
- Introduce singleton pattern for Stripe instance to avoid re-initialization
- Convert `getStripe()` from async to sync function
- Remove redundant JSDoc comments to reduce verbosity
- Remove `paymentMethodTypes` option from `createCheckoutSession`
- Remove default export of `stripe` instance from payments index
- Add webhook signature verification and idempotency key helpers
- Add customer and subscription management utilities
- Simplify `sendEmail` by extracting `resolveFrom` and `buildPayload` helpers
- Remove `sendAuthEmail` and `sendAppEmail` exports, keeping only `sendEmail` and `sendBatchEmails`
- Replace hardcoded fallback sender with env-based validation (throws if missing)
- Update `BaseLayout` to resolve `supportEmail` from `ZEN_SUPPORT_EMAIL` env var instead of hardcoded default
- Conditionally render support section only when a support email is available
- Remove verbose JSDoc comments and reduce overall code verbosity
Restructure the core API to separate infrastructure routes from feature
routes. Key changes:
- Add `runtime.js` for global state: session resolver and feature route
registry
- Add `file-response.js` for streaming file responses (storage endpoint)
- Remove feature routes (auth/users) from `core-routes.js`, keeping only
true infrastructure routes (health, storage)
- Introduce `registerFeatureRoutes()` so features self-register during
`initializeZen()` instead of being hardcoded in `core-routes.js`
- Add `UserFacingError` class to safely surface client-facing errors
without leaking internal details
- Fix import path for `rateLimit.js` to use shared lib location
- Update README to reflect new two-step registration flow and clarify
the role of `core-routes.js`
- Add `ZEN_DB_SSL_DISABLED` env variable to allow disabling SSL for database connections
- Refactor database CLI to split init logic into `initFeatures` and `initModules` for modular table initialization, with graceful fallback when modules are absent
- Extract `printHelp` and `askConfirmation` helpers for cleaner CLI structure
- Ensure `closePool` is called on both success and error paths in CLI
- Add `filterAllowedColumns` utility in `crud.js` to enforce column whitelists, preventing mass-assignment of privileged fields (e.g. `role`, `email_verified`)
- Update drop command description from "auth tables" to "all tables"
- Add input validation for name, schedule expression, and handler
- Store full CronEntry metadata (handler, schedule, timezone, registeredAt)
instead of raw job instance to support introspection
- Add JSDoc typedefs for CronEntry and improve all function docs
- Use globalThis symbol store to survive Next.js hot-reload
- Remove verbose per-run info logs to reduce noise
- Replace `||` with `??` for runOnInit default to handle falsy correctly
- Fix stop/stopAll to access `entry.job` from new storage structure
- Add `@zen/core/api` to the `external` array in `tsup.config.js` to
prevent build failures caused by unresolved `dist/` imports at build time
- Document the externals rule in `docs/DEV.md`: any `@zen/core/*` import
used in bundled module files must be declared as external, with an
explanation of why and a code example to follow
Restructure the core API module to improve clarity, consistency, and
maintainability:
- Introduce `defineApiRoutes()` helper for declarative route definitions
with built-in config validation at startup
- Add `apiSuccess()` / `apiError()` response utilities; enforce their
use across all handlers (core and modules)
- Move auth enforcement to route definitions (`auth: 'public' | 'user' |
'admin'`), removing manual auth checks from handlers
- Extract core routes into `core-routes.js`; router now has no knowledge
of specific features
- Rename `nx-route.js` to `route-handler.js` and update package.json
export accordingly
- Update ARCHITECTURE.md to reflect new API conventions and point to
`src/core/api/README.md` for details
Move the "Publier le package" section from DEV.md to a new
PUBLICATION.md file, and add references to ARCHITECTURE.md and
PUBLICATION.md in the main DEV.md index. This reduces the size of
DEV.md and improves discoverability by grouping related content
into focused documents.
Replace the terse DEV.md with a comprehensive French-language guide
covering code standards, security rules, and the npm publish workflow.
Key changes:
- Expand code principles into readable prose (single responsibility,
control flow, input validation, promise handling, minimal scope)
- Add concrete security sections: parameterized queries, secret
management via env vars, dependency auditing, and opaque error
messages
- Document the full publish procedure (version bump, build, audit,
npm publish with provenance, git tag)
- Remove the NASA Power of Ten bullet list in favor of actionable,
project-specific guidelines
- Bump package version from 1.3.11 to 1.3.12
- Add `src/shared/lib/logger.js` to tsup build entry points to expose the logger module as a public export
Replace raw `console.log`/`console.error` calls across CLI, API
handlers, and module files with structured logger functions (`step`,
`done`, `warn`, `fail`) from the shared logger library.
This improves log consistency, readability, and makes it easier to
control output formatting and log levels from a single place.
- Add `./modules/storage` package export pointing to `modules.storage.js`
- Add `modules/*/config.js` to tsup build entries for server-only configs
- Add `@zen/core/modules/storage` to external dependencies in tsup config
- Add `src/modules/modules.storage.js` to the second tsup build target
- Update storage handler to import via `@zen/core/modules/storage` alias
- Rename unused `request` param to `_request` in `handleGetFile`
Refactor storage access control to use dynamic public prefixes
sourced from `getAllStoragePublicPrefixes()` instead of a hardcoded
`blog` check. Each module can now declare its own public storage
prefixes via `defineModule()` storagePublicPrefixes, making the
system extensible without modifying the core handler.
Also adds a `posts` path handler requiring admin access for private
post types, removes the deprecated `version` API endpoint and its
rate-limit exemption, and minor whitespace/comment cleanup.
Replace the single `ZEN_APP_URL` environment variable with the
existing `NEXT_PUBLIC_URL` and `NEXT_PUBLIC_URL_DEV` variables for
CSRF origin resolution.
- Add `resolveAppUrl()` helper that prefers `NEXT_PUBLIC_URL_DEV`
in development and falls back to `NEXT_PUBLIC_URL` in production
- Update `passesCsrfCheck()` to use the new helper
- Update error log messages to reference the new variable names
- Rename `getModuleMetadata` to `getModuleMetadataGenerator` in registry,
index, and client exports to clarify its purpose (returns a generator
function, not a metadata object)
- Add new `getModuleMetadata` and `getMetadataGenerator` exports from
`modules.metadata.js` for server-side metadata object retrieval
- Update route auth format in docs from `requireAuth`/`requireAdmin`
flags to a single `auth` field with values: `'admin'`, `'user'`,
or `'public'`
- Fix `isModuleEnabledInEnv` to replace hyphens with underscores in
env var names (e.g. `my-module` → `ZEN_MODULE_MY_MODULE`)
- Replace `useState` initializer in `ZenProvider` with `useRef` guard
to avoid React strict mode double-invocation issues
hykocx