Commit Graph

9 Commits

Author SHA1 Message Date
hykocx 4ddf834990 refactor(api): refactor API module with route definitions and response utilities
Restructure the core API module to improve clarity, consistency, and
maintainability:

- Introduce `defineApiRoutes()` helper for declarative route definitions
  with built-in config validation at startup
- Add `apiSuccess()` / `apiError()` response utilities; enforce their
  use across all handlers (core and modules)
- Move auth enforcement to route definitions (`auth: 'public' | 'user' |
  'admin'`), removing manual auth checks from handlers
- Extract core routes into `core-routes.js`; router now has no knowledge
  of specific features
- Rename `nx-route.js` to `route-handler.js` and update package.json
  export accordingly
- Update ARCHITECTURE.md to reflect new API conventions and point to
  `src/core/api/README.md` for details
2026-04-13 15:13:03 -04:00
hykocx e87bd05fa4 refactor: replace console.log with structured logger calls
Replace raw `console.log`/`console.error` calls across CLI, API
handlers, and module files with structured logger functions (`step`,
`done`, `warn`, `fail`) from the shared logger library.

This improves log consistency, readability, and makes it easier to
control output formatting and log levels from a single place.
2026-04-12 21:44:00 -04:00
hykocx 3e633e981a docs/refactor: rename getModuleMetadata and update route auth format
- Rename `getModuleMetadata` to `getModuleMetadataGenerator` in registry,
  index, and client exports to clarify its purpose (returns a generator
  function, not a metadata object)
- Add new `getModuleMetadata` and `getMetadataGenerator` exports from
  `modules.metadata.js` for server-side metadata object retrieval
- Update route auth format in docs from `requireAuth`/`requireAdmin`
  flags to a single `auth` field with values: `'admin'`, `'user'`,
  or `'public'`
- Fix `isModuleEnabledInEnv` to replace hyphens with underscores in
  env var names (e.g. `my-module` → `ZEN_MODULE_MY_MODULE`)
- Replace `useState` initializer in `ZenProvider` with `useRef` guard
  to avoid React strict mode double-invocation issues
2026-04-12 18:58:01 -04:00
hykocx 98f1cd9688 fix: harden API security against info leakage and MIME sniffing
- Sanitize route handler errors: only surface known auth messages
  ('Unauthorized', 'Admin access required'); log all other exceptions
  server-side and return a generic 'Internal Server Error' to clients
- Derive profile picture content-type from validated file extension
  instead of attacker-controlled file.type to prevent MIME spoofing
- Always emit explicit Content-Disposition headers on file responses;
  serve known image types as 'inline', force download for all others
  to prevent in-browser rendering of potentially dangerous content
- Add X-Content-Type-Options: nosniff and X-Frame-Options: DENY to
  file response headers
2026-04-12 18:26:33 -04:00
hykocx 81172bda94 chore: rename package from @hykocx/zen to @zen/core
Update all references across source files, documentation, and
configuration to reflect the new package scope and name. This includes
updating `.npmrc` registry config, install instructions, module
examples, and all import path comments throughout the codebase.
2026-04-12 15:09:26 -04:00
hykocx 1b53ba8d58 refactor: remove setup feature from build exports and config
Removes the `./setup` export entry from `package.json` and the
corresponding `src/features/setup/index.js` entry point from
`tsup.config.js`, eliminating the standalone setup feature module
from the public API and build output.
2026-04-12 14:40:34 -04:00
hykocx 390133808b refactor: consolidate CLI entry points into dedicated cli/ directory
Move `database` and `setup` CLI scripts from their respective feature
directories into a unified `src/cli/` directory. Update `tsup.config.js`
build entries and `package.json` bin paths to reflect the new locations.
2026-04-12 14:39:17 -04:00
hykocx 99a56d2c39 feat(modules): add external module registration and defineModule support
- Add `./modules/define` export path pointing to `defineModule.js`
- Implement `registerExternalModules()` to handle modules passed via `zen.config.js`, with env var gating (`ZEN_MODULE_<NAME>=true`)
- Extract `buildAdminConfig()` helper to consolidate admin navigation/page config building
- Refactor `loadModuleConfig()` to use `buildAdminConfig()` and simplify public routes check
- Improve `initializeModuleTables()` to gracefully skip modules without `db.js` instead of erroring
- Update module discovery JSDoc to reflect external module registration support
2026-04-12 13:39:56 -04:00
hykocx 65ae3c6788 chore: import codes 2026-04-12 12:50:14 -04:00