Restructure the core API module to improve clarity, consistency, and
maintainability:
- Introduce `defineApiRoutes()` helper for declarative route definitions
with built-in config validation at startup
- Add `apiSuccess()` / `apiError()` response utilities; enforce their
use across all handlers (core and modules)
- Move auth enforcement to route definitions (`auth: 'public' | 'user' |
'admin'`), removing manual auth checks from handlers
- Extract core routes into `core-routes.js`; router now has no knowledge
of specific features
- Rename `nx-route.js` to `route-handler.js` and update package.json
export accordingly
- Update ARCHITECTURE.md to reflect new API conventions and point to
`src/core/api/README.md` for details
Replace raw `console.log`/`console.error` calls across CLI, API
handlers, and module files with structured logger functions (`step`,
`done`, `warn`, `fail`) from the shared logger library.
This improves log consistency, readability, and makes it easier to
control output formatting and log levels from a single place.
- Rename `getModuleMetadata` to `getModuleMetadataGenerator` in registry,
index, and client exports to clarify its purpose (returns a generator
function, not a metadata object)
- Add new `getModuleMetadata` and `getMetadataGenerator` exports from
`modules.metadata.js` for server-side metadata object retrieval
- Update route auth format in docs from `requireAuth`/`requireAdmin`
flags to a single `auth` field with values: `'admin'`, `'user'`,
or `'public'`
- Fix `isModuleEnabledInEnv` to replace hyphens with underscores in
env var names (e.g. `my-module` → `ZEN_MODULE_MY_MODULE`)
- Replace `useState` initializer in `ZenProvider` with `useRef` guard
to avoid React strict mode double-invocation issues
- Sanitize route handler errors: only surface known auth messages
('Unauthorized', 'Admin access required'); log all other exceptions
server-side and return a generic 'Internal Server Error' to clients
- Derive profile picture content-type from validated file extension
instead of attacker-controlled file.type to prevent MIME spoofing
- Always emit explicit Content-Disposition headers on file responses;
serve known image types as 'inline', force download for all others
to prevent in-browser rendering of potentially dangerous content
- Add X-Content-Type-Options: nosniff and X-Frame-Options: DENY to
file response headers
Update all references across source files, documentation, and
configuration to reflect the new package scope and name. This includes
updating `.npmrc` registry config, install instructions, module
examples, and all import path comments throughout the codebase.
Removes the `./setup` export entry from `package.json` and the
corresponding `src/features/setup/index.js` entry point from
`tsup.config.js`, eliminating the standalone setup feature module
from the public API and build output.
Move `database` and `setup` CLI scripts from their respective feature
directories into a unified `src/cli/` directory. Update `tsup.config.js`
build entries and `package.json` bin paths to reflect the new locations.
- Add `./modules/define` export path pointing to `defineModule.js`
- Implement `registerExternalModules()` to handle modules passed via `zen.config.js`, with env var gating (`ZEN_MODULE_<NAME>=true`)
- Extract `buildAdminConfig()` helper to consolidate admin navigation/page config building
- Refactor `loadModuleConfig()` to use `buildAdminConfig()` and simplify public routes check
- Improve `initializeModuleTables()` to gracefully skip modules without `db.js` instead of erroring
- Update module discovery JSDoc to reflect external module registration support
hykocx