The runtime-portable TypeScript framework with supply-chain-aware defaults

Secure-by-default runtime. Blocked install scripts. Source-verified lockfiles. Typed end-to-end. Optional hardened GitHub Actions bundle for teams on GitHub.

[Illustration: contract flow, Request -> Response. 01 route: GET /books/:id; 02 schema: z.object(...); 03 OpenAPI 3.1 spec; 04 client: typed fetch]

Contract-first routing, Standard Schema validation, OpenAPI 3.1 with Hey API typed client codegen, streaming and OpenTelemetry tracing, edge-friendly sessions, a security-focused runtime by default, and a supply-chain-hardened release pipeline for the framework itself. One option on the App constructor, docs: true, auto-mounts a Scalar API reference at /docs and the live OpenAPI 3.1 spec at /openapi.json, the same DX as FastAPI.

ᜇᜎᜓᜌ᜔ Daloy means flow in Tagalog, pronounced da-loy.

$ pnpm create daloy@latest my-api
1,870/1,870 tests passing · ≥90% line, function, and branch coverage gates · Node 24+, Bun, Deno, Cloudflare, Vercel

Why developers pick DaloyJS

The pitch is simple: keep the delightful parts of the modern web framework ecosystem, then move security and supply-chain posture from "later" to "already handled." That is the difference.

Security is the product
Most frameworks leave supply-chain posture as a company checklist. DaloyJS puts runtime guardrails, pnpm hardening, CI hygiene, ownership files, and release discipline on the happy path from the first scaffold.
One contract, fewer moving parts
Define the route once and get validation, types, OpenAPI 3.1, Scalar docs, Hey API clients, and contract tests from the same source. Less glue code, fewer stale specs, fewer places for an agent or teammate to drift.
Portable without giving up ops
You get a web-standard core that runs on Node, Bun, Deno, Workers, and Edge, plus the production pieces teams expect: request ids, structured logs, plugin encapsulation, graceful shutdown, and first-party middleware.
Built for AI-assisted teams
LLMs make teams faster, and they also make attackers faster at finding dependency mistakes. DaloyJS assumes coding agents are in the loop and ships scaffolds with security defaults, agent guidance, and source-verified installs.

Hello, contract

One route, types, validation, OpenAPI, and the typed client all generated from it.

```ts
import { z } from "zod";
import { App, secureHeaders, rateLimit, requestId } from "@daloyjs/core";
import { serve } from "@daloyjs/core/node";

// Runtime guardrails are constructor options: cap request bodies at 1 MiB and time out slow requests.
const app = new App({ bodyLimitBytes: 1 << 20, requestTimeoutMs: 5_000 });

app.use(requestId());
app.use(secureHeaders());
app.use(rateLimit({ windowMs: 60_000, max: 120 })); // global unless you configure keyGenerator or trustProxyHeaders

// One route definition drives validation, types, the OpenAPI 3.1 spec, and the typed client.
app.route({
  method: "GET",
  path: "/books/:id",
  operationId: "getBookById",
  request: { params: z.object({ id: z.string() }) },
  responses: {
    200: { description: "Found", body: z.object({ id: z.string(), title: z.string() }) },
    404: { description: "Not found" },
  },
  handler: async ({ params }) => ({
    status: 200,
    body: { id: params.id, title: `Book ${params.id}` },
  }),
});

serve(app, { port: 3000 });
```

Why DaloyJS

DaloyJS is the JS framework that is secure by default at the runtime layer and ships create-daloy with pnpm install-time hardening and an optional hardened GitHub Actions bundle, so the app-safe pieces of LLM-era supply-chain defense sit on the happy path without giving up OpenAPI ergonomics, runtime portability, typed clients, or Node ops.

Supply-chain-hardened pnpm scaffolds
Pick pnpm in create-daloy and you get a hardened .npmrc out of the box: ignore-scripts=true blocks malicious post-install payloads, minimum-release-age=1440 (1,440 minutes, a full day) waits out fresh-package attacks, and verify-store-integrity keeps installs honest. The optional GitHub Actions bundle adds lockfile source checks so git deps and non-registry tarballs cannot quietly sneak in.
Secure-by-default runtime
Unlike frameworks that leave basic protections to plugins or manual error routing, the DaloyJS core starts with guardrails on: prototype-pollution-safe JSON, built-in load shedding, proper 405 Method Not Allowed responses, automatic 5xx info-disclosure stripping in production, and a rate-limited CSP violation receiver.
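Two of the guardrails above, the body-size cap (bodyLimitBytes in the hello-contract snippet) and prototype-pollution-safe JSON, are illustrated by the following body-parse guard. It is an added example written for this page, not DaloyJS code; the BodyError type, the parseJsonBody and bodyStatus functions, and the choice of forbidden keys are assumptions of the example.

```typescript
// Keys a prototype-pollution payload needs in order to reach Object.prototype through a later merge.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical error type carrying the HTTP status the guard would answer with.
class BodyError extends Error {
  readonly status: number;
  constructor(message: string, status: number) {
    super(message);
    this.status = status;
    Object.setPrototypeOf(this, BodyError.prototype);
  }
}

// Recursive walk over the parsed value. JSON.parse stores "__proto__" as an own
// property, so Object.keys sees it and the guard can refuse it before any merge runs.
function assertNoPollutingKeys(value: unknown, path: string): void {
  if (value === null || typeof value !== "object") return;
  if (Array.isArray(value)) {
    value.forEach((item, i) => assertNoPollutingKeys(item, `${path}[${i}]`));
    return;
  }
  const obj = value as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.has(key)) throw new BodyError(`forbidden key "${key}" at ${path}`, 400);
    assertNoPollutingKeys(obj[key], `${path}.${key}`);
  }
}

// Enforce the byte limit first (cheap, before parsing), then parse, then walk.
function parseJsonBody(raw: string, bodyLimitBytes: number): unknown {
  if (new TextEncoder().encode(raw).byteLength > bodyLimitBytes) {
    throw new BodyError("payload too large", 413);
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    throw new BodyError("malformed JSON", 400);
  }
  assertNoPollutingKeys(parsed, "$");
  return parsed;
}

// HTTP status the guard would answer with; 200 means the body reached the handler.
function bodyStatus(raw: string, bodyLimitBytes = 1 << 20): number {
  try {
    parseJsonBody(raw, bodyLimitBytes);
    return 200;
  } catch (e) {
    return e instanceof BodyError ? e.status : 500;
  }
}
```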
Hardened against LLM-era attacks
Attackers can use LLMs to scale package impersonation, slopsquatting, dependency reconnaissance, and vulnerability hunting. DaloyJS answers with boring but sharp defaults: blocked lifecycle scripts, delayed fresh-package resolution, source-verified lockfiles, and a zero-runtime-dependency core.
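The lockfile source check mentioned in the two cards above (blocking git deps and non-registry tarballs) can be written as a small line-oriented scan of pnpm-lock.yaml. The code below is an added example for this page, not the create-daloy bundle's own check; it assumes the v9 lockfile layout in which every entry under packages: carries a resolution: line (integrity: for registry packages, type: git for git deps, tarball: for explicit tarball URLs), treats registry.npmjs.org as the only trusted tarball host, and runs over a constructed lockfile fragment with a placeholder integrity value.

```typescript
type Finding = { pkg: string; reason: string };

// Assumption of this example: the only tarball host trusted as "the registry".
const REGISTRY_HOSTS = ["https://registry.npmjs.org/"];

// Walks the `packages:` section of a pnpm-lock.yaml (v9 layout assumed) and reports
// entries whose resolution is not a plain, integrity-pinned registry fetch.
function verifyLockfileSources(lock: string, allowedHosts = REGISTRY_HOSTS): Finding[] {
  const findings: Finding[] = [];
  let inPackages = false;
  let current = "";
  for (const line of lock.split("\n")) {
    if (/^\S/.test(line)) {                       // top-level key: packages:, snapshots:, ...
      inPackages = line.trim() === "packages:";
      continue;
    }
    if (!inPackages) continue;
    const entry = /^  (\S.*):\s*$/.exec(line);    // two-space indent: a package key
    if (entry) { current = entry[1] ?? ""; continue; }
    const res = /^\s+resolution:\s*\{(.*)\}\s*$/.exec(line);
    if (!res) continue;
    const fields = res[1] ?? "";
    const url = /\btarball:\s*(\S+)/.exec(fields)?.[1];
    if (/\btype:\s*git\b/.test(fields)) {
      findings.push({ pkg: current, reason: "git dependency" });
    } else if (url && !allowedHosts.some((h) => url.startsWith(h))) {
      findings.push({ pkg: current, reason: `non-registry tarball ${url}` });
    } else if (!/\bintegrity:\s*sha\d+-/.test(fields)) {
      findings.push({ pkg: current, reason: "missing integrity hash" });
    }
  }
  return findings;
}

// Constructed lockfile fragment: one clean registry package, one off-registry tarball,
// one git dependency. The integrity value is a placeholder, not a real hash.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
packages:
  zod@3.23.8:
    resolution: {integrity: sha512-PLACEHOLDER}
  left-pad@1.3.0:
    resolution: {tarball: https://mirror.example/left-pad-1.3.0.tgz}
  some-lib@git+https://github.com/example-org/some-lib.git#abc123:
    resolution: {type: git, repo: https://github.com/example-org/some-lib.git, commit: abc123}
snapshots:
  zod@3.23.8: {}
`;

console.log(verifyLockfileSources(SAMPLE_LOCK));
```

A CI step would fail the job when the returned list is non-empty, which is the behaviour the page attributes to the GitHub Actions bundle.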
AI-native scaffolding
Every project scaffolded by create-daloy includes an AGENTS.md and context skills. Copilot, Claude, and Cursor automatically understand your framework's conventions, routing rules, and security primitives without a prompt-engineering ritual.
Contract-first by design
One route definition is the source of truth for validation, types, OpenAPI 3.1, the typed client, and built-in contract tests, so drift has fewer places to hide.
Runtime-portable
The core only sees Request → Response. Adapters live at the edge: Node, Bun, Deno, Cloudflare Workers, and Vercel Edge. Same app, same tests, five runtimes.
Hey API typed clients
Run pnpm gen and get a fully typed fetch SDK, for any consumer, in any TS project, generated from your real spec. Or skip codegen with the in-process typed client.
Faster than you'd expect
Static routes resolve via a single Map.get (~12.3M ops/sec). Dynamic routes walk a trie in O(segments) regardless of route count.
Streaming & observability
Backpressure-safe SSE and NDJSON helpers, plus an OpenTelemetry tracing hook that emits HTTP server spans with semantic-convention attributes.
Hardened scaffolds, batteries included
create-daloy's security bundle ships hardened GitHub Actions (top-level permissions:{}, persist-credentials:false, pinned actions, harden-runner), Dependabot, CODEOWNERS, SECURITY.md, lockfile verification, container templates with non-root + tini PID 1, and a daloy doctor production-posture validator.

Competitor strengths, fewer tradeoffs

DaloyJS is not trying to win one checkbox. It is trying to remove the glue work between the best ideas developers already like.

You want | Today's best-of | What DaloyJS gives you
Best OpenAPI ergonomics | FastAPI | Built-in OpenAPI 3.1 from one route definition
Vercel / serverless / edge fit | Hono | Web-standard core, multi-runtime adapters
Mature Node ops & docs | Fastify | Encapsulated plugins, structured logs, graceful shutdown
Modern TS-first DX, Bun OK | Elysia | End-to-end typed handlers, typed context, typed client
Best typed client codegen | Hey API | pnpm gen → fully typed fetch SDK
Portable supply-chain hardening for the apps you build | pnpm defaults + zero-runtime-dep core | Hardened .npmrc, source-verified lockfiles, SBOM + npm provenance

Ready to ship, secure by default?

Scaffold a project in seconds with pnpm hardening when you choose pnpm, generated CI that blocks install scripts, pinned GitHub Actions, Dependabot, CODEOWNERS, and lockfile source verification. Then keep the contract as the app grows; the same app runs on Node, Bun, Deno, Cloudflare Workers, and Vercel Edge.