Releases: FluxStackCore/FluxStack

v1.20.0 — @fluxstack/live 0.8.0 + LLMD docs overhaul

15 Apr 02:36

Changes

  • Bump @fluxstack/live, live-client, live-react dependencies to ^0.8.0
  • All 27 LLMD documentation files updated to v1.20.0
  • Plugin system docs updated for .use() registration pattern
  • Live component docs updated with real examples and framework features

v1.19.0 — Plugin-kit extraction + static registration

12 Apr 01:22

Major Refactor: Plugin System Extracted to @fluxstack/plugin-kit

The plugin system (manager, registry, executor, discovery, dependency
manager, module resolver, types) has been extracted from core/plugins/
into the new standalone package @fluxstack/plugin-kit. This is the
same playbook we used for @fluxstack/live in 1.16.0 — implementation
lives in the lib, core/plugins/ is now a thin re-export shim layer
for backwards compatibility with existing @core/plugins/* imports.

Impact: ~3,300 lines of plugin system implementation deleted from
the app, core/plugins/ went from 9 runtime files (4017 lines) to
2 thin shims (types.ts + index.ts, ~200 lines combined). Single
source of truth for plugin types and runtime is now
@fluxstack/plugin-kit.

Breaking Changes

  • Auto-discovery removed from PluginManager.initialize() (plugin-kit 0.4.0).
    The old code called readdir('node_modules') and readdir('plugins')
    at startup to discover plugins. This silently broke in production
    bundles where those directories don't exist, and prevented bundlers
    from statically including plugin code. Host apps must now register
    plugins explicitly via framework.use(pluginObject). Dev and prod
    are now identical; the bundler can tree-shake.

  • PluginManager constructor requires settings and clientHooks
    explicitly. These used to be read from the full config / imported
    as module-level singletons. Now they're injected:

    new PluginManager<FluxStackConfig>({
      config: fullConfig,
      settings: fullConfig.plugins,
      logger: pluginLogger,
      clientHooks: { register: (...args) => pluginClientHooks.register(...args) },
      app: this.app,
    })

  • FluxStack.Plugin generic over TConfig. The legacy form
    (no generic) still works and defaults to unknown. FluxStack's
    shim specializes to Plugin<FluxStackConfig>.

  • Plugin classes discouraged, object literals are canonical.
    All built-in plugins and @fluxstack/plugin-csrf-protection use
    export const xxxPlugin: Plugin = { name, setup, ... }. The
    class X implements Plugin form is retired from the generators
    but still technically accepted at runtime (it implements the
    same interface).

Added

  • @fluxstack/plugin-kit — new npm package. Types + runtime
    for the plugin system. Published at 0.4.0 as of this release.
    Used by FluxStack app and external plugin packages alike.
  • tests/integration/framework/registered-plugins.test.ts (10 tests)
    — end-to-end verification that the four plugins registered via
    framework.use() in app/server/index.ts actually inject their
    hooks at runtime. Catches the class of bug where plugin objects
    are registered but no hook actually fires (the exact failure
    mode of the old auto-discovery in prod bundles).
  • Static plugin registration everywhere. app/server/index.ts
    now imports csrfProtectionPlugin from @fluxstack/plugin-csrf-protection
    directly and registers via .use(). Same pattern as the built-ins.
  • Startup banner reads from the PluginRegistry. The banner line
    Plugins (N): ... now lists exactly what framework.getPluginRegistry().getAll()
    returns, instead of relying on each plugin manually pushing itself
    to globalThis.__fluxstackPlugins. Backwards compatible — the old
    global is still read as a fallback.
  • @fluxstack/sdk deprecated on npm with a message pointing
    users to @fluxstack/plugin-kit. The SDK was a static copy of
    plugin types + a duplicate of @fluxstack/config; both have
    canonical sources now.
  • make:plugin CLI generates plain object literal plugins
    importing from @fluxstack/plugin-kit. Identifier generation
    fixed: my-plugin → myPlugin (not myPluginPlugin).

Changed

  • @fluxstack/live family bumped from ^0.6.0 to ^0.7.1.
    Ships three follow-up bug fixes: opt-in includeSelf on $room
    proxy emit (#15), deepAssign clones plain objects to break
    external aliasing (#13), fail-loud protocol framing + telemetry (#7).
  • create-fluxstack README template: removed the loggerPlugin
    example (that plugin was deleted), replaced class-based plugin
    example with object literal, added a hook reference table.
  • plugins/README.md template: rewritten to reflect the static
    .use() model. Explicitly calls out that plugins are NOT
    auto-discovered. Points at @fluxstack/plugin-csrf-protection
    as the living reference implementation.
  • Bundle prod size grew from ~2.46 MB to ~3.34 MB because
    @fluxstack/plugin-csrf-protection is now statically included.
    Before, it was dynamically loaded via readdir('node_modules')
    and the bundler couldn't see it.
  • Vite plugin startup banner label fixed. "| Vite: embedded"
    only shows in development now. In production the vite plugin
    runs in static-fallback mode (serving dist/client/) and doesn't
    actually run a Vite dev server, so the label was misleading.

Removed

  • 6934 lines of dead test code across 24 test files. Orphaned
    tests under core/**/__tests__/* never ran (vitest config was
    include: tests/**/*.test.ts) and 14 of 18 were broken on
    import when run directly. Also deleted 5 describe.skip'd test
    suites under tests/ with abandoned TODOs pointing at APIs
    that were refactored away (Eden Treaty, ProjectCreator). Plus
    vitest.config.live.ts, an orphan config pointing at a
    directory that doesn't exist anymore.
  • core/plugins/{manager,registry,executor,discovery,dependency-manager,module-resolver,config}.ts
    deleted from FluxStack app. Implementation lives in
    @fluxstack/plugin-kit now. core/plugins/types.ts and
    core/plugins/index.ts kept as thin shim barrels that re-export
    from the lib and specialize <TConfig> against FluxStackConfig.
  • Deprecated configSchema and defaultConfig fields from the
    Plugin interface. Were marked @deprecated and had no call sites.
    Plugins use @fluxstack/config for declarative config instead.
  • loggerPlugin — old built-in plugin that was already absent
    from the real codebase but still referenced in generated templates.
    Template references removed.

Validation

  • Typecheck (bunx tsc --noEmit -p tsconfig.api-strict.json) holds
    at the 60 pre-existing errors baseline throughout every step —
    zero regression across all four phases of the extraction.
  • Full test suite: 42 test files, 652 passing, 5 skipped (all
    intentional individual it.skip TODOs).
  • Dev and prod both show Plugins (4): swagger, live-components, csrf-protection, vite in the startup banner — identical output.

v1.18.1 — Security Patch

09 Apr 03:01

Security Fixes

  • ChatRoom passwords: now use SHA-256 with random 16-byte salt (was unsalted)
  • Boolean config casting: 'false', '0', 'no', 'off' correctly return false (was returning true)
  • Nonce replay Map: capped at 100k entries to prevent DoS via memory exhaustion
  • Security headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin
  • Health check: returns real data (uptime, memory, version) instead of fake 200
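
The nonce cap above, sketched as an added example (not FluxStack's code). Only the 100k limit comes from these notes; the class name, the TTL, and the choice to reject new nonces when the store is full of unexpired entries are assumptions.

```typescript
// Added illustration. Callers pair this with a timestamp freshness check,
// so a nonce only has to be remembered for the TTL window.
class NonceStore {
  private seen = new Map<string, number>(); // nonce -> expiry time (ms)
  private maxEntries: number;
  private ttlMs: number;

  constructor(maxEntries: number = 100_000, ttlMs: number = 5 * 60_000) {
    this.maxEntries = maxEntries;
    this.ttlMs = ttlMs;
  }

  // Map iterates in insertion order and the TTL is constant, so expired
  // entries form a prefix; stop at the first entry that is still live.
  private sweep(now: number): void {
    for (const [nonce, expiry] of this.seen) {
      if (expiry > now) break;
      this.seen.delete(nonce);
    }
  }

  // "full" fails closed: evicting a live nonce to make room would let
  // that nonce be replayed, which is the thing the store exists to stop.
  check(nonce: string, now: number = Date.now()): "accepted" | "replay" | "full" {
    this.sweep(now);
    if (this.seen.has(nonce)) return "replay";
    if (this.seen.size >= this.maxEntries) return "full";
    this.seen.set(nonce, now + this.ttlMs);
    return "accepted";
  }

  get size(): number {
    return this.seen.size;
  }
}

// Constructed demo: a cap of 2 so the "full" path is visible.
function demoNonceStore(): string[] {
  const s = new NonceStore(2, 60_000);
  return [s.check("n1", 0), s.check("n1", 1), s.check("n2", 2), s.check("n3", 3)];
}
```

Memory stays bounded by the cap regardless of request volume, and a "full" result is worth alerting on because it means the store is saturated with unexpired nonces.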

npm packages updated

  • create-fluxstack@1.18.1
  • @fluxstack/config@1.0.1

Stats

  • 23 new tests (all confirmed failing before fix, passing after)
  • 670 FluxStack tests, 549 live tests, 43 config tests

v1.18.0 — Plugin Client Hooks, Security Fixes, Config Extraction

09 Apr 02:44

🚀 What's New

Plugin Client-Side Hook Injection

Plugins can now inject JavaScript code that runs on the client at specific lifecycle points. The CSRF plugin uses this to auto-inject X-CSRF-Token on every POST/PUT/DELETE — zero manual setup.

// Plugin registers client code in setup()
ctx.clientHooks.register('onEdenInit', `
  eden.onRequest((req) => {
    req.headers['X-CSRF-Token'] = getCsrfToken()
  })
`)

@fluxstack/config — Standalone Config Package

The configuration system is now an independent npm package with extendConfig() for schema inheritance. Plugins and external projects can use it without depending on FluxStack core.

bun add @fluxstack/config

CSRF Protection Built-in

@fluxstack/plugin-csrf-protection is now a default dependency. It automatically:

  1. Sets XSRF-TOKEN cookie on first request
  2. Patches window.fetch to add the token header on state-changing requests
  3. Validates tokens server-side on POST/PUT/DELETE
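
Step 3 above, sketched as an added example (not the plugin's source). It assumes validation is a double-submit comparison of the XSRF-TOKEN cookie against the X-CSRF-Token header; RequestLike, checkCsrf and the sample token values are hypothetical.

```typescript
// Added illustration. Assumes header names arrive lower-cased on the request.
const STATE_CHANGING = new Set(["POST", "PUT", "DELETE"]);

interface RequestLike {
  method: string;
  headers: Record<string, string | undefined>;
}
type CsrfVerdict = "skipped" | "ok" | "missing" | "mismatch";

// Pull one cookie value out of a raw Cookie header.
function readCookie(cookieHeader: string | undefined, name: string): string | undefined {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return undefined;
}

// Compare without an early exit so timing does not reveal a matching prefix.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function checkCsrf(req: RequestLike): CsrfVerdict {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return "skipped";
  const cookieToken = readCookie(req.headers["cookie"], "XSRF-TOKEN");
  const headerToken = req.headers["x-csrf-token"];
  if (!cookieToken || !headerToken) return "missing"; // fail closed
  return constantTimeEqual(cookieToken, headerToken) ? "ok" : "mismatch";
}

// Constructed requests; the token values are placeholders.
function demoCsrf(): CsrfVerdict[] {
  const cookie = "theme=dark; XSRF-TOKEN=tok-constructed-123";
  return [
    checkCsrf({ method: "GET", headers: {} }),
    checkCsrf({ method: "POST", headers: { cookie, "x-csrf-token": "tok-constructed-123" } }),
    checkCsrf({ method: "POST", headers: { cookie } }),
    checkCsrf({ method: "DELETE", headers: { cookie, "x-csrf-token": "tok-other" } }),
  ];
}
```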

Plugins Migrated to npm

All plugins are now independent npm packages instead of embedded copies:

  • @fluxstack/plugin-crypto-auth@1.0.0
  • @fluxstack/plugin-csrf-protection@1.1.0

🔒 Security Fixes

  • ChatRoom: passwords hashed with SHA-256 + timingSafeEqual (was plain-text)
  • TokenGuard: private field properly typed (no more as any)
  • LiveUpload: robust filename validation (null bytes, control chars, Windows reserved names)
  • Console.log: guarded by NODE_ENV in production
  • SESSION_SECURE: auto-detects production environment
  • Auth routes: all as any eliminated via AuthenticatableJSON type

🏗️ Architecture

  • core/utils/config-schema.ts and env.ts removed — replaced by @fluxstack/config
  • plugins/ directory removed — plugins are now external npm packages
  • AuthManager: LRU guard cache (max 100), public getProvider() API
  • Auth error classes: AuthValidationError, AuthServerError, classifyAuthError()
  • dev-link.sh for local development with symlinked packages

📦 Dependencies Updated

  • @fluxstack/live@^0.6.0 (20 bug fixes, async lifecycle)
  • @fluxstack/config@^1.0.0
  • @fluxstack/plugin-crypto-auth@^1.0.0
  • @fluxstack/plugin-csrf-protection@^1.1.0

📊 Stats

  • 661 tests passing
  • 12 npm packages published
  • 50+ bugs fixed across all modules

⚠️ Breaking Changes

  • core/utils/config-schema.ts removed — use @fluxstack/config
  • core/utils/env.ts removed — use env from @fluxstack/config
  • plugins/crypto-auth/ embedded removed — install @fluxstack/plugin-crypto-auth
  • @fluxstack/live 0.6.0: joinRoom(), leaveRoom(), cleanupComponent() are now async

v1.16.0 — Extract Live Components to Monorepo

14 Mar 02:54

Major Refactor: Extract Live Components to Monorepo

Live Components code has been extracted from core/ into standalone npm packages under the @fluxstack/live scope. This reduces the framework core by ~11,000 lines and allows the Live system to be versioned and published independently.

Changed

  • Live Components are now npm packages: @fluxstack/live, @fluxstack/live-client, @fluxstack/live-react, @fluxstack/live-elysia
  • core/server/live/ reduced from full implementation to thin re-exports from @fluxstack/live and @fluxstack/live-elysia
  • core/client/ reduced from full implementation to re-exports from @fluxstack/live-client and @fluxstack/live-react
  • Vite config now includes source aliases for @fluxstack/live, @fluxstack/live-client, and @fluxstack/live-react (frontend dev uses TypeScript source directly)
  • Tests migrated to v0.3.0 API: setLiveComponentContext DI pattern replaces vi.mock, async flush for WsSendBatcher
  • CI Bun version updated to 1.3.2

Added

  • Typed LiveRoom demos: LivePingPong, LiveSharedCounter with dedicated Room classes (ChatRoom, CounterRoom, DirectoryRoom, PingRoom)
  • PingPongDemo.tsx, SharedCounterDemo.tsx — new frontend demo components
  • LLMD/resources/live-binary-delta.md — binary delta codec documentation
  • plugins/*/bun.lock added to .gitignore
  • Bundler now logs stdout/stderr on build failure for CI debugging

Removed

  • core/server/live/ComponentRegistry.ts, WebSocketConnectionManager.ts, StateSignature.ts, LiveRoomManager.ts, RoomEventBus.ts, RoomStateManager.ts, FileUploadManager.ts, LiveComponentPerformanceMonitor.ts, LiveDebugger.ts, LiveLogger.ts — moved to @fluxstack/live
  • core/server/live/auth/ — moved to @fluxstack/live
  • core/server/live/__tests__/ — moved to fluxstack-live monorepo
  • core/client/LiveComponentsProvider.tsx, Live.tsx, LiveDebugger.tsx — moved to @fluxstack/live-react
  • core/client/hooks/useLiveComponent.ts, useRoom.ts, useRoomProxy.ts, useLiveDebugger.ts, useChunkedUpload.ts, useLiveChunkedUpload.ts, AdaptiveChunkSizer.ts, state-validator.ts — moved to @fluxstack/live-client
  • core/build/vite-plugin-live-strip.ts — moved to @fluxstack/live
  • LiveDebugger UI and exports (removed entirely, not extracted)
  • LiveChat and LiveTodoList demo components (replaced by new typed demos)
  • ChatDemo.tsx, TodoListDemo.tsx, LiveDebuggerPanel.tsx — replaced by new demos
  • workspace.json — stale config referencing non-existent ./packages/*

Fixed

  • Bun bundler failing on Linux CI with "Could not resolve: @fluxstack/live" — caused by "bun" export condition in @fluxstack/live@0.3.0 pointing to non-existent src/ (fixed in @fluxstack/live@0.3.1)
  • live-components-generator.ts basename extraction bug
  • Vite aliases made conditional for CI compatibility

npm packages published

Package                   Version
@fluxstack/live           0.3.1
@fluxstack/live-client    0.3.1
@fluxstack/live-react     0.3.1
@fluxstack/live-elysia    0.2.1

1.12.1

10 Feb 02:11

✨ New Features

Live Components v2.0

  • Reactive State Proxy - this.state.count++ auto-syncs with frontend
  • Static defaultState pattern - Define state inside the class, no external exports
  • Client component links - Ctrl+Click navigation from server to client components
  • Type-safe WebSocket - New FluxStackWebSocket interface
  • No constructor needed - Base class handles state merge automatically
  • Static componentName - Required for minification support in production

Room System

  • Multi-room support - $room('sala').join(), $room('sala').emit()
  • Room Event Bus - Server-side pub/sub for real-time features
  • HTTP API for rooms - External integrations via /api/rooms/{id}/messages

Live Upload System

  • Chunked uploads via WebSocket - Stream large files efficiently
  • Adaptive chunk sizing - Auto-optimizes based on network conditions
  • Progress tracking - Real-time upload progress in Live Components

Plugin System

  • Security system - Whitelist + opt-in for NPM plugins (protect against supply chain attacks)
  • Plugin hooks - 5 build pipeline hooks + request/response lifecycle hooks
  • Modular CLI - Plugin commands auto-discovered

Developer Experience

  • LLMD documentation - LLM-optimized docs replacing ai-context
  • --frontend-only / --backend-only - Separate dev modes
  • Build executables - bun run build:exe for standalone apps
  • FluxStack Desktop plugin - Desktop app support

🐛 Bug Fixes

  • Fix duplicate messages in multi-room chat
  • Fix browser data leak in npm package (security)
  • Fix TypeScript strict mode issues
  • Fix Docker build and CI pipeline
  • Fix ESM compatibility (replace require with readFileSync)
  • Fix CORS config after refactoring
  • Fix Vite HMR client script injection
  • Fix plugin dependency installation
  • Fix build paths and tsconfig resolution

🧹 Refactoring

  • Simplified LiveRoomChat (-60% code)
  • Removed typing indicator system (non-essential)
  • Consolidated server entry points
  • Standardized path aliases
  • Modernized config system
  • Cleaner Vite/Swagger plugins

📚 Documentation

  • Complete Live Components rewrite for junior/mid developers
  • Plugin hooks comprehensive guide
  • Router migration guide
  • Eden Treaty type inference details

Full Changelog: v1.8.3...v1.12.1

1.8.3

13 Nov 19:37
cecd408

What's Changed

Full Changelog: v1.5.0...v1.8.3