Blog
Field notes from people who actually use this thing in anger. Short, honest, and occasionally funny.
- 8 min read · Devlin Duldulao
The Ghost CMS / ClickFix Campaign, Mapped to DaloyJS — Plus the One Default We Just Tightened
A pre-auth SQL injection in Ghost CMS (CVE-2026-26980) is being exploited at scale to hijack 700+ sites — including Harvard, Oxford, and DuckDuckGo — and serve a fake Cloudflare "verify you are human" prompt that silently stuffs a PowerShell one-liner into the visitor's clipboard. Most of the chain was already blocked by DaloyJS defaults; the last mile (the clipboard write) wasn't. Here's the stage-by-stage mapping and the one-line default we changed in response.
- 9 min read · Devlin Duldulao
When the Security Scanner Is the Attacker: The LiteLLM / TeamPCP Compromise, Mapped to DaloyJS
On March 24, 2026 the litellm Python package was backdoored after a poisoned Trivy GitHub Action stole the maintainer's PyPI token. The same attack pattern — compromised scanner action → exfiltrated publish token → malicious release with a startup-time payload — would have to clear nine of DaloyJS's existing CI gates before it could ship. Here's the stage-by-stage mapping.
- 10 min read · Devlin Duldulao
Aikido's Top 10 App Security Problems, Mapped to DaloyJS (and the One Gap We Just Closed)
Aikido's 'Top 10 App Security Problems' is the short, blunt version of the OWASP list — SQLi, XSS, SSRF, path traversal, XXE, deserialization, shell injection, LFI, prototype pollution, open redirects. Here's the honest per-item mapping of what a DaloyJS app already blocks by default, what one opt-in line adds, and the single gap we shipped a new helper for in 0.35.0: safeRedirect().
- 12 min read · Devlin Duldulao
The International AI Safety Report 2026, Translated Into a Minimum Safety Baseline for AI Backends
Aikido's read of the International AI Safety Report 2026 lands on a short list of deployment-time requirements for any backend an autonomous AI system can call — layered defense, independent verification, prompt-injection-resistant guardrails, network scope control, inference/execution separation, full observability and emergency controls. Here's the honest per-requirement mapping to what a DaloyJS app already enforces by default, what one opt-in line adds, and what still lives above the HTTP layer.
- 11 min read · Devlin Duldulao
The 5 Pillars of a Secure SDLC, Mapped to DaloyJS
Aikido's 'Secure SDLC Explained' lists the five pillars every engineering team needs — Visibility, Early Feedback, Developer Adoption, Consistency, Actionability. Here's the honest per-pillar mapping of what a DaloyJS app and its create-daloy scaffold already give you on day one, what you still configure, and the few items no framework can own.
- 12 min read · Devlin Duldulao
OWASP Top 10 for Agentic Applications (2026), Mapped to the DaloyJS Tool Surface
Aikido's write-up of the OWASP Top 10 for Agentic Applications 2026 — ASI01 Agent Behavior Hijacking through ASI10 Over-reliance — is the new threat model for AI agents and the MCP-style HTTP tools they call. Here's the honest per-risk mapping of what a DaloyJS-exposed tool already blocks by default, what one opt-in line adds, and which risks live above the HTTP layer where no framework can save you.
- 10 min read · Devlin Duldulao
Vibe Coding Security: What DaloyJS Already Blocks Before Your AI Even Ships
Aikido's 'WTF is Vibe Coding Security' post lists the usual suspects: SQL injection, path traversal, hardcoded secrets, unlocked admin routes, missing input sanitization, dependency rot. Here's the honest mapping of which of those a DaloyJS app already blocks by default — even when the code is written by a sales rep at 1am with Claude — and the small list of things you still have to opt into.
- 11 min read · Devlin Duldulao
Cloud Security Architecture, Mapped to the DaloyJS App Layer
Aikido's 'Cloud Security Architecture' guide is a fine high-level checklist — Zero Trust, defense-in-depth, IAM, segmentation, IaC scanning, continuous monitoring. Here's the honest, per-principle mapping of what DaloyJS already ships for the application-layer half of that checklist, what the cloud platform still owns, and the opt-ins worth turning on today.
- 11 min read · Devlin Duldulao
AI-Friendly Route Metadata: Machine-Readable Examples for Codegen Agents
DaloyJS 0.14.x adds an optional meta field on every route() — structured examples, extra description copy, and free-form x-* extensions — validated against your Standard Schema at build time and surfaced into OpenAPI 3.1 plus sibling routes.json or routes.yaml dumps via daloy inspect --ai. Additive, non-breaking, and built so Hey API, Claude, GPT, and home-grown codegen agents can write correct call sites on the first try.
- 10 min read · Devlin Duldulao
Branded API Docs Without Losing the Contract: Customizing Scalar in DaloyJS
DaloyJS 0.14 adds docs.scalar — a JSON-only knob that lets you theme the Scalar API reference, hide the Try-it button, drop in a brand stylesheet, and pick a layout, without forking the docs route. And because Daloy locks the spec URL to your live OpenAPI path at serialize time, the prettiest docs page in the company can't drift away from the contract.
- 11 min read · Devlin Duldulao
Designing for Coding Agents: Why DaloyJS Scaffolds AGENTS.md and Skills
Every project created by create-daloy ships with a short AGENTS.md and a focused .agents/skills/daloyjs-best-practices/SKILL.md. Here's why those two files matter, why they're intentionally small, and how they let Copilot, Claude Code, Cursor, Codex, and friends make safer edits in your scaffolded DaloyJS app from the first prompt.
- 12 min read · Devlin Duldulao
The DaloyJS CLI: Inspecting Routes, Schemas, OpenAPI, and Contract Health
daloy inspect is the CLI you point at your App before a PR merges. It prints the full route table, schema presence, contract issues, and the live OpenAPI 3.1 document — loaded straight from your TypeScript entry through tsx with zero build step. This is the API-surface review tool platform teams keep wishing they had.
- 13 min read · Devlin Duldulao
Plugin Lifecycle Events for Large-Team Framework Code
Why DaloyJS exposes onPluginInstalled() and onShutdown() as first-class events, and how a platform team uses them to ship observability, service registration, graceful drain, metrics flushing, and policy plugins that every route inherits — without a single import in the route files themselves.
- 13 min read · Devlin Duldulao
Observability Without Lock-In: Structured Logs and OpenTelemetry-Compatible Tracing
How DaloyJS gives you per-request structured logs, correlated request IDs, Server-Timing, and OpenTelemetry-shaped spans — without taking a hard dependency on @opentelemetry/api. The result is a single observability story that runs identically on Node, Bun, Workers, and Vercel Edge, with any tracer you bring.
- 12 min read · Devlin Duldulao
Rate Limiting That Survives Multiple Instances
Why the default in-memory rateLimit() is a one-instance lie behind a load balancer, how @daloyjs/core/rate-limit-redis fixes it with an atomic Lua INCR+PEXPIRE script, and the three operational levers that matter in production: fail-open vs fail-closed, Retry-After accuracy, and where to host the counter on serverless, edge, and traditional Node deploys.
- 12 min read · Devlin Duldulao
File Uploads Without Framework Lock-In: Multipart in DaloyJS
The fileField() and multipartObject() helpers: per-file size caps, MIME allowlists with wildcards, filename predicates, strict field validation, and OpenAPI binary schema emission — all while keeping the file as a Web standard File/Blob you can stream straight to S3, R2, or disk on any runtime.
- 13 min read · Devlin Duldulao
OpenAPI 3.1 Extras: Webhooks, Callbacks, and Discriminators
A practical tour of the OpenAPI 3.1 features your generated clients are quietly waiting for: top-level webhooks for event-driven APIs, route-level callbacks for payment-style async flows, and the discriminator()/discriminatedUnion() pair that turns polymorphic payloads into tagged TypeScript unions you can switch on with confidence.
- 13 min read · Devlin Duldulao
Middleware Without Mystery: Hooks, Ordering, and Response Transformation
The DaloyJS request lifecycle, end to end: onRequest → beforeHandle → handler → afterHandle → onSend → onResponse, plus onError on the error path. Where each hook fires, what it can change, how scopes compose (global → group → route), and what to put in which slot — with real short-circuit, header-stamping, and logging recipes.
- 14 min read · Devlin Duldulao
Building a Bookstore API with DaloyJS From Scratch
A route-by-route walkthrough: create the project with create-daloy, model a Book with Zod, add list / create / fetch-by-id endpoints, watch validation errors arrive as RFC 9457 problem+json automatically, emit OpenAPI, generate a typed client, and write the whole test suite with app.request() — no HTTP server required.
- 12 min read · Devlin Duldulao
Problem Details Done Right: RFC 9457 Errors in DaloyJS
Why every framework needs a predictable error contract — and how DaloyJS uses RFC 9457 application/problem+json for HttpError, ValidationError, UnauthorizedError, TooManyRequestsError, and the rest, with automatic 5xx redaction in production and a Retry-After story that just works.
- 11 min read · Devlin Duldulao
Scaffolding a Production-Ready DaloyJS App in 60 Seconds with create-daloy
A tour of pnpm create daloy@latest — the interactive template + package-manager pickers, --minimal, --with-ci, the five runtime templates (Node, Bun, Deno, Workers, Vercel Edge), the AGENTS.md + .agents/skills/daloyjs-best-practices/SKILL.md drop-in for coding agents, and the printStartupBanner() polish that ships with every scaffold.
- 16 min read · Devlin Duldulao
Supply-Chain Hardening for TypeScript Libraries: Everything We Did and Why
A maintainer's field guide to the supply-chain posture we shipped for DaloyJS — .npmrc that says no by default, pnpm 11 workspace keys (blockExoticSubdeps / strictDepBuilds / verifyDepsBeforeRun), SHA-pinned actions, permissions: {}, no Actions cache on installs, zizmor + Scorecard + CodeQL, npm trusted publishing with provenance, and the create-daloy --with-ci bundle that drops the app-safe parts into your project.
- 13 min read · Devlin Duldulao
Sessions on the Edge: Signed Cookies, Rotating Secrets, and a Pluggable Store
Tour of the new session() middleware — __Host- cookie defaults, secret: [current, ...previous] rotation, regenerate() to kill session fixation, MemorySessionStore for tests, and how to plug in Redis or Workers KV via the SessionStore contract. Pairs naturally with the rate-limit Redis post.
- 12 min read · Devlin Duldulao
CSP Nonces and Trusted Types Without Tears
A practical tour of secureHeaders({ contentSecurityPolicy: { nonce: true, trustedTypes: { policies: [...] } } }) — how ctx.state.cspNonce flows into a server-rendered template, why the nonce now lands on all four script/style directives, and how to roll out Trusted Types in report-only mode first without setting your weekend on fire.
- 13 min read · Devlin Duldulao
CSRF in 2026: Why DaloyJS Ships Both Double-Submit and Fetch-Metadata
A short history of the double-submit cookie, the case for tokenless protection via Sec-Fetch-Site, when each one fails, and why strategy: "both" is the realistic default for apps that still have to serve a 2018 mobile browser somewhere.
- 14 min read · Devlin Duldulao
The Same App on Node, Bun, Deno, Cloudflare Workers, and Vercel Edge — Verified
One Bookstore app, five entry files, five deployments — Node serve(), Bun handle.url, Deno onListen, Workers ctx.waitUntil, and Vercel's three handler shapes. With receipts.
- 12 min read · Devlin Duldulao
Contract-First Without the Codegen Dance: OpenAPI, Typed Client, and Contract Tests From One Definition
One app.route({...}) projects into generateOpenAPI(app), createClient(app), and runContractTests(app) — plus pnpm gen for a Hey API typed fetch SDK your frontend can import.
- 13 min read · Devlin Duldulao
Secure by Default: The Defaults DaloyJS Ships So You Don't Have To Remember Them
A tour of the always-on defenses in the DaloyJS request path, plus the opt-in upgrades worth turning on today.
- 11 min read · Devlin Duldulao
Introducing DaloyJS: One Route, Many Runtimes, Zero Ceremony
The launch post. One app.route({...}) becomes your validation, types, OpenAPI, typed client, and contract tests — and the same app runs on Node, Bun, Deno, Workers, and Vercel Edge.
- 9 min read · Devlin Duldulao
The flow I wished I had: why we built DaloyJS
Ten years of shipping fullstack apps, one Filipino dev in Norway, and the framework I kept wishing existed at 2am.