v0.6.0
@damatjs/create-damat-app
Full note ↗Git and shell commands run through
execFilewith argument arrays instead of interpolated shell strings, and the scaffolder reports its build-time version.@damatjs/damat-cli
Full note ↗damat module addbecomes safe by default: non-registry sources and lifecycle scripts require explicit opt-in flags, module ids and paths are validated before anything is written, and the CLI reports its real version.@damatjs/framework
Full note ↗Auth middleware fails closed: a route that declares an auth type with no registered handler now rejects the request with a structured 401 instead of warning and letting it through.
@damatjs/link
Full note ↗Links resolve against real tables and real primary keys: junction naming uses table names (not model keys), endpoint PKs come from the registry, pivot columns can be named explicitly, link creation is a race-safe upsert, and the graph API only serves entities that participate in registered links.
@damatjs/mcp
Full note ↗The
add_moduletool exposes the CLI's new security gates:allowUnverifiedandallowScriptsinputs map to--allow-unverified/--allow-scripts, and the tool description explains the registry verification gate.@damatjs/orm-cli
Full note ↗migrate:statuspasses the full module descriptor to the migration layer — status is tracked by modulename, discovery by itsresolvepath.@damatjs/orm-migration
Full note ↗Concurrent deploys serialize on a Postgres advisory lock, statements that can't run in a transaction (
CREATE INDEX CONCURRENTLY,ALTER TYPE … ADD VALUE, …) execute outside one, and the status API is keyed by module name.@damatjs/orm-model
Full note ↗Timestamp columns become real timestamps:
created_at/updated_atare nowtimestamp with time zone(they weredate, silently dropping the time), andupdated_atis non-nullable with anow()default.@damatjs/orm-pg
Full note ↗ORDER BYinputs are validated against whitelists before they reach SQL — direction and nulls placement can no longer carry arbitrary strings into the query text.@damatjs/redis
Full note ↗Every hot path becomes atomic or non-blocking:
SCAN-based pattern deletion, Lua-scripted rate limiting and dequeue, TTL applied only on a counter's first increment, and capped completed/failed queue sets.@damatjs/services
Full note ↗Request-derived query options are sanitized end to end: only safe find options pass through,
orderByis whitelist-validated, pagination is bounded, reads filter soft-deleted rows by default, andupdate/updateOnestampupdated_atautomatically.@damatjs/workflow-engine
Full note ↗Safer defaults for retries and locking: steps are presumed idempotent (and non-idempotent steps are never retried), locks auto-extend by default, and lock-backend failures surface as structured results instead of throws.