- Add `passesCsrfCheck()` to both `router.js` and `dynamic-router.js`
to block cross-site request forgery on state-mutating methods
(POST/PUT/PATCH/DELETE) by validating Origin/Referer headers against
`ZEN_APP_URL`
- Apply global IP-based rate limiting in `dynamic-router.js` mirroring
the policy already present in `router.js`; exempt health and version
GET endpoints from throttling
- Sanitize 404 response in `dynamic-router.js` to prevent route
structure enumeration
- Strip internal error details from user-facing error messages (e.g.
profile picture deletion) to avoid information leakage
- Remove `zen-setup` binary from package.json and package-lock.json
- Replace manual setup steps with `npx @zen/start` CLI command
- Simplify INSTALL.md by reducing steps from 6 to 4
- Update DEV.md to reflect removal of zen-setup from CLI scripts
- Fix relative path to `.env.example` in documentation
Remove the `ZEN_DESCRIPTION` environment variable from `.env.example`
and its usage in `generateMetadata`. The description field is no longer
needed in the default metadata configuration.
Add three documentation files for the posts module:
- `api.md`: public API reference (list, slug, categories, images)
- `admin-api.md`: admin API reference with all CRUD endpoints
- `integration.md`: Next.js integration examples with code snippets
Update all references across source files, documentation, and
configuration to reflect the new package scope and name. This includes
updating `.npmrc` registry config, install instructions, module
examples, and all import path comments throughout the codebase.
Removes the `./setup` export entry from `package.json` and the
corresponding `src/features/setup/index.js` entry point from
`tsup.config.js`, eliminating the standalone setup feature module
from the public API and build output.
Move `database` and `setup` CLI scripts from their respective feature
directories into a unified `src/cli/` directory. Update `tsup.config.js`
build entries and `package.json` bin paths to reflect the new locations.
- Translate all installation instructions from English to French
- Add new step to configure the npm registry with a `.npmrc` file
- Renumber steps accordingly (now 6 steps instead of 5)
- Add `./modules/define` export path pointing to `defineModule.js`
- Implement `registerExternalModules()` to handle modules passed via `zen.config.js`, with env var gating (`ZEN_MODULE_<NAME>=true`)
- Extract `buildAdminConfig()` helper to consolidate admin navigation/page config building
- Refactor `loadModuleConfig()` to use `buildAdminConfig()` and simplify public routes check
- Improve `initializeModuleTables()` to gracefully skip modules without `db.js` instead of erroring
- Update module discovery JSDoc to reflect external module registration support
Strips out built-in clients, invoice, and nuage modules from core
handlers, module initializers, and action registries. This cleans up
hardcoded module dependencies, leaving only the posts module as a
reference implementation for the modular architecture.
hykocx