Set `options.outbase = 'src'` in the esbuildOptions callback to ensure
output files preserve the correct directory structure relative to the
`src` folder, preventing path flattening during the build process.
- Increment package version from 1.3.13 to 1.3.14
- Update `zen-db` binary path from `dist/cli/database.js`
to `dist/core/database/cli.js` to reflect new file structure
Update BaseLayout imports in auth email templates to use the
`@zen/core/email/templates` module alias instead of relative paths,
improving maintainability and consistency across the codebase.
- Fix BaseLayout import paths in auth email templates from
`../../core/...` to `../../../core/...` to match correct
directory depth
- Remove unused `DatabaseError` from db.js exports
Move the database CLI entry point from `src/cli/database.js` to
`src/core/database/cli.js` to better reflect its location within
the core database module. Update both the `package.json` bin path
and `tsup.config.js` build entry accordingly.
Move the database CLI from `src/cli/database.js` to
`src/core/database/cli.js` to better reflect its association
with the database module. Update both the `package.json` bin
path and `tsup.config.js` entry points accordingly.
Removes all module-related logic from the admin dashboard, CLI database
initialization, and AdminPages component:
- Drop `initModules` call from `db init` CLI command and simplify the
completion message to only reflect core feature tables
- Remove `getModuleDashboardStats` and module page routing from admin
stats actions and update usage documentation accordingly
- Simplify `AdminPagesClient` to remove module page loading, lazy
components, and module-specific props (`moduleStats`, `modulePageInfo`,
`routeInfo`, `enabledModules`)
Introduce a dedicated `storage-config.js` for registering public
prefixes and access policies via `configureStorageApi()`, replacing the
previous `getAllStoragePublicPrefixes` / `getAllStorageAccessPolicies`
imports from the module registry.
Remove `getAllApiRoutes()` from the router so module-level routes are no
longer auto-collected; feature routes must now be registered explicitly
via `registerFeatureRoutes()` during `initializeZen()`.
Update `.env.example` to document separate `ZEN_STORAGE_PROVIDER`,
`ZEN_STORAGE_B2_*` variables for Backblaze B2 alongside the existing
Cloudflare R2 variables, making provider selection explicit.
Clean up admin navigation and page components to drop module-injected
nav entries, keeping only core and system sections.
- Remove all module-related entry points from package.json exports
- Remove module source files from tsup build configuration
- Clean up external dependencies related to modules
- Update DEV.md to reflect modules removal from architecture
- Clarify package description to specify Next.js CMS
- Add `storagePublicPrefixes` and `storageAccessPolicies` fields to
both internal and external module config loading in discovery.js
- Add a module-level `MIME_TYPES` constant in storage/utils.js to
avoid recreating the object on every `getMimeType` call
- Remove unused `validateImageDimensions` export from storage/index.js
- Remove dead `isFinite` check after `Math.min/max` in `getPresignedUrl`
(result is always finite at that point)
- Remove unused `warn` import from storage/utils.js
- Add documentation rule in DEV.md: comments must always reflect the
actual behavior of the code they describe
Replace hardcoded `users/` path-based access control with a
declarative `storageAccessPolicies` system defined per module via
`defineModule()`.
- Add `storageAccessPolicies` field to `defineModule()` defaults with
support for `owner` and `admin` policy types
- Expose `getAllStorageAccessPolicies()` from the modules/storage layer
- Refactor `handleGetFile` in `storage/api.js` to resolve access
control dynamically from registered policies instead of hardcoded
path checks
- Add `ZEN_STORAGE_ENDPOINT` env var and update `.env.example` to
support S3-compatible backends (Cloudflare R2, Backblaze B2)
- Document the env/doc sync convention in `DEV.md`
Remove helper functions (cmToPoints, inchesToPoints, mmToPoints,
createElement, PAGE_SIZES) and consolidate re-exports from
@react-pdf/renderer into a single export statement. Retain only
the getFilename utility and streamline the module to reduce
unnecessary abstraction over the underlying library.
- Replace dynamic `import('stripe')` with static import for clarity
- Introduce singleton pattern for Stripe instance to avoid re-initialization
- Convert `getStripe()` from async to sync function
- Remove redundant JSDoc comments to reduce verbosity
- Remove `paymentMethodTypes` option from `createCheckoutSession`
- Remove default export of `stripe` instance from payments index
- Add webhook signature verification and idempotency key helpers
- Add customer and subscription management utilities
- Simplify `sendEmail` by extracting `resolveFrom` and `buildPayload` helpers
- Remove `sendAuthEmail` and `sendAppEmail` exports, keeping only `sendEmail` and `sendBatchEmails`
- Replace hardcoded fallback sender with env-based validation (throws if missing)
- Update `BaseLayout` to resolve `supportEmail` from `ZEN_SUPPORT_EMAIL` env var instead of hardcoded default
- Conditionally render support section only when a support email is available
- Remove verbose JSDoc comments and reduce overall code verbosity
Restructure the core API to separate infrastructure routes from feature
routes. Key changes:
- Add `runtime.js` for global state: session resolver and feature route
registry
- Add `file-response.js` for streaming file responses (storage endpoint)
- Remove feature routes (auth/users) from `core-routes.js`, keeping only
true infrastructure routes (health, storage)
- Introduce `registerFeatureRoutes()` so features self-register during
`initializeZen()` instead of being hardcoded in `core-routes.js`
- Add `UserFacingError` class to safely surface client-facing errors
without leaking internal details
- Fix import path for `rateLimit.js` to use shared lib location
- Update README to reflect new two-step registration flow and clarify
the role of `core-routes.js`
- Add `ZEN_DB_SSL_DISABLED` env variable to allow disabling SSL for database connections
- Refactor database CLI to split init logic into `initFeatures` and `initModules` for modular table initialization, with graceful fallback when modules are absent
- Extract `printHelp` and `askConfirmation` helpers for cleaner CLI structure
- Ensure `closePool` is called on both success and error paths in CLI
- Add `filterAllowedColumns` utility in `crud.js` to enforce column whitelists, preventing mass-assignment of privileged fields (e.g. `role`, `email_verified`)
- Update drop command description from "auth tables" to "all tables"
- Add input validation for name, schedule expression, and handler
- Store full CronEntry metadata (handler, schedule, timezone, registeredAt)
instead of raw job instance to support introspection
- Add JSDoc typedefs for CronEntry and improve all function docs
- Use globalThis symbol store to survive Next.js hot-reload
- Remove verbose per-run info logs to reduce noise
- Replace `||` with `??` for runOnInit default to handle falsy correctly
- Fix stop/stopAll to access `entry.job` from new storage structure
hykocx