Removes all module-related logic from the admin dashboard, CLI database
initialization, and AdminPages component:
- Drop `initModules` call from `db init` CLI command and simplify the
completion message to only reflect core feature tables
- Remove `getModuleDashboardStats` and module page routing from admin
stats actions and update usage documentation accordingly
- Simplify `AdminPagesClient` to remove module page loading, lazy
components, and module-specific props (`moduleStats`, `modulePageInfo`,
`routeInfo`, `enabledModules`)
Introduce a dedicated `storage-config.js` for registering public
prefixes and access policies via `configureStorageApi()`, replacing the
previous `getAllStoragePublicPrefixes` / `getAllStorageAccessPolicies`
imports from the module registry.
Remove `getAllApiRoutes()` from the router so module-level routes are no
longer auto-collected; feature routes must now be registered explicitly
via `registerFeatureRoutes()` during `initializeZen()`.
Update `.env.example` to document separate `ZEN_STORAGE_PROVIDER`,
`ZEN_STORAGE_B2_*` variables for Backblaze B2 alongside the existing
Cloudflare R2 variables, making provider selection explicit.
Clean up admin navigation and page components to drop module-injected
nav entries, keeping only core and system sections.
- Remove all module-related entry points from package.json exports
- Remove module source files from tsup build configuration
- Clean up external dependencies related to modules
- Update DEV.md to reflect modules removal from architecture
- Clarify package description to specify Next.js CMS
- Add `storagePublicPrefixes` and `storageAccessPolicies` fields to
both internal and external module config loading in discovery.js
- Add a module-level `MIME_TYPES` constant in storage/utils.js to
avoid recreating the object on every `getMimeType` call
- Remove unused `validateImageDimensions` export from storage/index.js
- Remove dead `isFinite` check after `Math.min/max` in `getPresignedUrl`
(result is always finite at that point)
- Remove unused `warn` import from storage/utils.js
- Add documentation rule in DEV.md: comments must always reflect the
actual behavior of the code they describe
Replace hardcoded `users/` path-based access control with a
declarative `storageAccessPolicies` system defined per module via
`defineModule()`.
- Add `storageAccessPolicies` field to `defineModule()` defaults with
support for `owner` and `admin` policy types
- Expose `getAllStorageAccessPolicies()` from the modules/storage layer
- Refactor `handleGetFile` in `storage/api.js` to resolve access
control dynamically from registered policies instead of hardcoded
path checks
- Add `ZEN_STORAGE_ENDPOINT` env var and update `.env.example` to
support S3-compatible backends (Cloudflare R2, Backblaze B2)
- Document the env/doc sync convention in `DEV.md`
Remove helper functions (cmToPoints, inchesToPoints, mmToPoints,
createElement, PAGE_SIZES) and consolidate re-exports from
@react-pdf/renderer into a single export statement. Retain only
the getFilename utility and streamline the module to reduce
unnecessary abstraction over the underlying library.
- Replace dynamic `import('stripe')` with static import for clarity
- Introduce singleton pattern for Stripe instance to avoid re-initialization
- Convert `getStripe()` from async to sync function
- Remove redundant JSDoc comments to reduce verbosity
- Remove `paymentMethodTypes` option from `createCheckoutSession`
- Remove default export of `stripe` instance from payments index
- Add webhook signature verification and idempotency key helpers
- Add customer and subscription management utilities
- Simplify `sendEmail` by extracting `resolveFrom` and `buildPayload` helpers
- Remove `sendAuthEmail` and `sendAppEmail` exports, keeping only `sendEmail` and `sendBatchEmails`
- Replace hardcoded fallback sender with env-based validation (throws if missing)
- Update `BaseLayout` to resolve `supportEmail` from `ZEN_SUPPORT_EMAIL` env var instead of hardcoded default
- Conditionally render support section only when a support email is available
- Remove verbose JSDoc comments and reduce overall code verbosity
Restructure the core API to separate infrastructure routes from feature
routes. Key changes:
- Add `runtime.js` for global state: session resolver and feature route
registry
- Add `file-response.js` for streaming file responses (storage endpoint)
- Remove feature routes (auth/users) from `core-routes.js`, keeping only
true infrastructure routes (health, storage)
- Introduce `registerFeatureRoutes()` so features self-register during
`initializeZen()` instead of being hardcoded in `core-routes.js`
- Add `UserFacingError` class to safely surface client-facing errors
without leaking internal details
- Fix import path for `rateLimit.js` to use shared lib location
- Update README to reflect new two-step registration flow and clarify
the role of `core-routes.js`
- Add `ZEN_DB_SSL_DISABLED` env variable to allow disabling SSL for database connections
- Refactor database CLI to split init logic into `initFeatures` and `initModules` for modular table initialization, with graceful fallback when modules are absent
- Extract `printHelp` and `askConfirmation` helpers for cleaner CLI structure
- Ensure `closePool` is called on both success and error paths in CLI
- Add `filterAllowedColumns` utility in `crud.js` to enforce column whitelists, preventing mass-assignment of privileged fields (e.g. `role`, `email_verified`)
- Update drop command description from "auth tables" to "all tables"
- Add input validation for name, schedule expression, and handler
- Store full CronEntry metadata (handler, schedule, timezone, registeredAt)
instead of raw job instance to support introspection
- Add JSDoc typedefs for CronEntry and improve all function docs
- Use globalThis symbol store to survive Next.js hot-reload
- Remove verbose per-run info logs to reduce noise
- Replace `||` with `??` for runOnInit default to handle falsy correctly
- Fix stop/stopAll to access `entry.job` from new storage structure
Restructure the core API module to improve clarity, consistency, and
maintainability:
- Introduce `defineApiRoutes()` helper for declarative route definitions
with built-in config validation at startup
- Add `apiSuccess()` / `apiError()` response utilities; enforce their
use across all handlers (core and modules)
- Move auth enforcement to route definitions (`auth: 'public' | 'user' |
'admin'`), removing manual auth checks from handlers
- Extract core routes into `core-routes.js`; router now has no knowledge
of specific features
- Rename `nx-route.js` to `route-handler.js` and update package.json
export accordingly
- Update ARCHITECTURE.md to reflect new API conventions and point to
`src/core/api/README.md` for details
Replace raw `console.log`/`console.error` calls across CLI, API
handlers, and module files with structured logger functions (`step`,
`done`, `warn`, `fail`) from the shared logger library.
This improves log consistency, readability, and makes it easier to
control output formatting and log levels from a single place.
- Add `./modules/storage` package export pointing to `modules.storage.js`
- Add `modules/*/config.js` to tsup build entries for server-only configs
- Add `@zen/core/modules/storage` to external dependencies in tsup config
- Add `src/modules/modules.storage.js` to the second tsup build target
- Update storage handler to import via `@zen/core/modules/storage` alias
- Rename unused `request` param to `_request` in `handleGetFile`
Refactor storage access control to use dynamic public prefixes
sourced from `getAllStoragePublicPrefixes()` instead of a hardcoded
`blog` check. Each module can now declare its own public storage
prefixes via `defineModule()` storagePublicPrefixes, making the
system extensible without modifying the core handler.
Also adds a `posts` path handler requiring admin access for private
post types, removes the deprecated `version` API endpoint and its
rate-limit exemption, and minor whitespace/comment cleanup.
Replace the single `ZEN_APP_URL` environment variable with the
existing `NEXT_PUBLIC_URL` and `NEXT_PUBLIC_URL_DEV` variables for
CSRF origin resolution.
- Add `resolveAppUrl()` helper that prefers `NEXT_PUBLIC_URL_DEV`
in development and falls back to `NEXT_PUBLIC_URL` in production
- Update `passesCsrfCheck()` to use the new helper
- Update error log messages to reference the new variable names
- Rename `getModuleMetadata` to `getModuleMetadataGenerator` in registry,
index, and client exports to clarify its purpose (returns a generator
function, not a metadata object)
- Add new `getModuleMetadata` and `getMetadataGenerator` exports from
`modules.metadata.js` for server-side metadata object retrieval
- Update route auth format in docs from `requireAuth`/`requireAdmin`
flags to a single `auth` field with values: `'admin'`, `'user'`,
or `'public'`
- Fix `isModuleEnabledInEnv` to replace hyphens with underscores in
env var names (e.g. `my-module` → `ZEN_MODULE_MY_MODULE`)
- Replace `useState` initializer in `ZenProvider` with `useRef` guard
to avoid React strict mode double-invocation issues
- Remove `react-email`, `react-grid-layout` from dependencies
- Remove `tailwindcss`, `@tailwindcss/cli`, `@tailwindcss/postcss`,
`autoprefixer`, `postcss`, and `typescript` from devDependencies
- Update package-lock.json to reflect dependency removals
- Bump package version from 1.3.5 to 1.3.6
- Sanitize route handler errors: only surface known auth messages
('Unauthorized', 'Admin access required'); log all other exceptions
server-side and return a generic 'Internal Server Error' to clients
- Derive profile picture content-type from validated file extension
instead of attacker-controlled file.type to prevent MIME spoofing
- Always emit explicit Content-Disposition headers on file responses;
serve known image types as 'inline', force download for all others
to prevent in-browser rendering of potentially dangerous content
- Add X-Content-Type-Options: nosniff and X-Frame-Options: DENY to
file response headers
- **CSRF**: Change missing `ZEN_APP_URL` behavior from bypass (return
`true`) to enforced deny (return `false`) with an error-level log,
preventing unauthenticated access when the env var is misconfigured
- **Version endpoint**: Require authentication on the `/version` route
by passing `request` to `handleVersion`; add session/token validation
inside the handler so version info is no longer publicly accessible
- **Storage handler**: Enforce a minimum path depth of 3 segments for
public blog file access to prevent unintentional root-prefix exposure;
strip raw storage error messages (bucket names, keys) from all client
responses, logging full details server-side only
- **SQL injection hardening**: Wrap the whitelisted `sortColumn`
identifier in double-quotes in the `handleListUsers` query to enforce
identifier boundaries and prevent any edge case from being interpreted
as SQL syntax
- **Misc**: Improve log clarity for orphaned profile picture deletion
failures; add inline comments explaining security rationale throughout
- Add `passesCsrfCheck()` to both `router.js` and `dynamic-router.js`
to block cross-site request forgery on state-mutating methods
(POST/PUT/PATCH/DELETE) by validating Origin/Referer headers against
`ZEN_APP_URL`
- Apply global IP-based rate limiting in `dynamic-router.js` mirroring
the policy already present in `router.js`; exempt health and version
GET endpoints from throttling
- Sanitize 404 response in `dynamic-router.js` to prevent route
structure enumeration
- Strip internal error details from user-facing error messages (e.g.
profile picture deletion) to avoid information leakage
- Remove `zen-setup` binary from package.json and package-lock.json
- Replace manual setup steps with `npx @zen/start` CLI command
- Simplify INSTALL.md by reducing steps from 6 to 4
- Update DEV.md to reflect removal of zen-setup from CLI scripts
- Fix relative path to `.env.example` in documentation
Remove the `ZEN_DESCRIPTION` environment variable from `.env.example`
and its usage in `generateMetadata`. The description field is no longer
needed in the default metadata configuration.
Add three documentation files for the posts module:
- `api.md`: public API reference (list, slug, categories, images)
- `admin-api.md`: admin API reference with all CRUD endpoints
- `integration.md`: Next.js integration examples with code snippets
Update all references across source files, documentation, and
configuration to reflect the new package scope and name. This includes
updating `.npmrc` registry config, install instructions, module
examples, and all import path comments throughout the codebase.
Removes the `./setup` export entry from `package.json` and the
corresponding `src/features/setup/index.js` entry point from
`tsup.config.js`, eliminating the standalone setup feature module
from the public API and build output.
Move `database` and `setup` CLI scripts from their respective feature
directories into a unified `src/cli/` directory. Update `tsup.config.js`
build entries and `package.json` bin paths to reflect the new locations.
- Add `./modules/define` export path pointing to `defineModule.js`
- Implement `registerExternalModules()` to handle modules passed via `zen.config.js`, with env var gating (`ZEN_MODULE_<NAME>=true`)
- Extract `buildAdminConfig()` helper to consolidate admin navigation/page config building
- Refactor `loadModuleConfig()` to use `buildAdminConfig()` and simplify public routes check
- Improve `initializeModuleTables()` to gracefully skip modules without `db.js` instead of erroring
- Update module discovery JSDoc to reflect external module registration support
Strips out built-in clients, invoice, and nuage modules from core
handlers, module initializers, and action registries. This cleans up
hardcoded module dependencies, leaving only the posts module as a
reference implementation for the modular architecture.
hykocx