feat: enterprise hardening - request bodies, radix router, and error …#1

Merged
Nadhila-dot merged 1 commit into Http-native:dev/uno from layer78:feature/enterprise-hardening
Mar 27, 2026

@layer78 layer78 commented Mar 27, 2026

feat!: architecture hardening and enterprise feature suite

CORE & PERFORMANCE:

  • Implement zero-allocation request body parsing in Rust core
  • Upgrade router from O(N) linear scan to O(M) Radix Tree
  • Optimize binary bridge to support high-throughput body transfers
  • Implement buffer pooling for body reads to minimize GC pressure

FEATURES & MIDDLEWARE:

  • Add centralized error handling middleware support (app.onError)
  • Implement built-in CORS middleware with preflight handling
  • Add schema-agnostic validation middleware (Zod/TypeBox compatible)
  • Add native support for req.json(), req.text(), and req.body

DEVELOPER EXPERIENCE:

  • Provide full TypeScript definitions (index.d.ts)
  • Implement self-referencing package exports in package.json
  • Add comprehensive examples (REST API, CORS, Validation, Middleware)

SECURITY:

  • Add CRLF injection prevention in static response headers
  • Implement strict max body size limits (1MB) to prevent DoS
  • Fix Rust borrow checker conflicts for safe concurrent body handling

Summary by CodeRabbit

Release Notes

  • New Features

    • Added CORS middleware with configurable origin allowlisting and preflight support
    • Added validation middleware for request params, query, and body validation
    • Added global error handler registration via app.onError()
    • Added TypeScript type definitions covering the complete API surface
  • Documentation

    • Added comprehensive examples with setup instructions and usage demonstrations
  • Security

    • Enhanced request/response handling with prototype pollution protection
    • Added header validation to prevent CRLF injection
  • Chores

    • Updated package exports for new middleware modules
    • Improved native performance optimizations

coderabbitai Bot commented Mar 27, 2026

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

This PR introduces a comprehensive framework enhancement with new middleware support (CORS, validation), security hardening (prototype pollution prevention, CRLF injection mitigation), object pooling for performance, error handler registration, radix-tree-based dynamic routing, and refactored HTTP parsing. It removes legacy "old" engine benchmarks and adds six example applications demonstrating core features.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Benchmark & Package Configuration: bench/run.js, package.json | Removed "old" engine support; refactored process spawn options with explicit cwd and stdio configuration. Updated package exports to include conditional types and new subpath entries for cors and validate modules; eliminated legacy build/bench scripts. |
| Example Applications: examples/README.md, examples/basic/server.js, examples/cors/server.js, examples/error-handling/server.js, examples/middleware/server.js, examples/rest-api/server.js, examples/validation/server.js | Added documentation and six self-contained example servers demonstrating HTTP routing, query/param parsing, custom headers, CORS preflight, middleware composition, error handling, CRUD operations, and request validation. |
| TypeScript Declarations & Type Definitions: src/index.d.ts | New declaration file establishing public API surface for core types (Request, Response, Application), middleware abstractions, server lifecycle, and CORS/validation integration; exports createApp, cors, validate functions. |
| JavaScript Core Framework: src/index.js, src/bridge.js, src/cors.js, src/validate.js | Added error handler registration (onError()), request/response object pooling, hardened security (prototype-pollution mitigation, dangerous-key filtering, CRLF header validation), introduced cors and validate middleware factories, and optimized middleware execution classification. |
| Rust Native Layer: rust-native/src/lib.rs, rust-native/src/router.rs, rust-native/Cargo.toml | Major rewrite: replaced N-API server handle with simplified worker-thread-based ServerHandle; migrated request parsing to httparse-based ParsedRequest with body buffering; implemented radix-tree dynamic routing in place of linear segment-based matching; added thread-local buffer pooling; refactored dispatcher envelope format and direct TCP response writing. Added httparse and itoa dependencies; enabled opt-level = 3 in release profile. |

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Parser as HTTP Parser<br/>(httparse)
    participant Router as Radix Tree<br/>Router
    participant MiddleWare as Middleware<br/>Chain
    participant Handler as Route<br/>Handler
    participant ErrHandler as Error<br/>Handler
    participant ResponseWriter as Response<br/>Writer

    Client->>Parser: TCP Stream Buffer
    Parser->>Parser: Parse headers/body<br/>→ ParsedRequest
    Parser->>Router: Match parsed route
    Router->>Router: Traverse radix tree<br/>→ Matched route + params
    Router->>MiddleWare: Execute middleware stack
    alt Middleware Success
        MiddleWare->>Handler: Call route handler
        alt Handler Success
            Handler->>ResponseWriter: Serialize response
            ResponseWriter->>Client: Write Buffer to TCP
        else Handler Throws
            Handler->>ErrHandler: Dispatch error
            ErrHandler->>ResponseWriter: Serialize error response
            ResponseWriter->>Client: Write error Buffer to TCP
        end
    else Middleware Throws
        MiddleWare->>ErrHandler: Dispatch error
        ErrHandler->>ResponseWriter: Serialize error response
        ResponseWriter->>Client: Write error Buffer to TCP
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Poem

🐰 Hops through the code with glee,
CORS and validation—now all set free!
Radix trees dance, no more linear scans,
Pooled objects gleam through buffering plans,
With examples bright, this framework's divine!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.61% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly aligns with the PR's core objectives: it explicitly mentions 'enterprise hardening,' 'request bodies,' and 'radix router'—three of the main technical achievements detailed in the PR objectives. |

@Nadhila-dot

We will push this to the uno branch to check benchmarks

@Nadhila-dot Nadhila-dot changed the base branch from main to dev/uno March 27, 2026 14:55
@Nadhila-dot Nadhila-dot merged commit a4c4391 into Http-native:dev/uno Mar 27, 2026
1 check was pending
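
The CRLF header validation, dangerous-key filtering and 1MB body cap listed in the PR description can be sketched as follows. This is an added example, not code from the http-native repository; every function and constant name in it is hypothetical, and the sample inputs are constructed.

```javascript
// Added example: hypothetical helpers, not the project's implementation.
const MAX_BODY_BYTES = 1024 * 1024; // the 1MB limit named in the PR description
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const HEADER_NAME = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 9110 "token"
const HEADER_VALUE_BAD = /[\r\n\0]/; // CR, LF or NUL would split the response

// Validate a response header before it is serialized onto the wire.
// Throws instead of stripping, so a tainted value never reaches the socket.
function assertSafeHeader(name, value) {
  if (typeof name !== 'string' || !HEADER_NAME.test(name)) {
    throw new TypeError('invalid header name');
  }
  const text = String(value);
  if (HEADER_VALUE_BAD.test(text)) {
    throw new TypeError(`invalid characters in value of header ${name}`);
  }
  return [name, text];
}

// Parse a JSON body: enforce the size cap first, then drop keys that a later
// merge or deep copy could turn into prototype pollution. Returning undefined
// from the reviver deletes the property at every nesting level.
function parseJsonBody(buf, limit = MAX_BODY_BYTES) {
  if (buf.length > limit) {
    const err = new Error('payload too large');
    err.status = 413;
    throw err;
  }
  return JSON.parse(buf.toString('utf8'), (key, value) =>
    DANGEROUS_KEYS.has(key) ? undefined : value);
}

// Collect query parameters into an object with no prototype, so a key such as
// "__proto__" can neither reach Object.prototype nor shadow inherited members.
function parseQuery(search) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(search)) {
    if (!DANGEROUS_KEYS.has(key)) out[key] = value;
  }
  return out;
}
```

The cap here is checked on an already-buffered body; a streaming reader should apply the same limit while reading, before the whole payload is in memory.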