Production readiness testing

[spellsaif]

Summary by CodeRabbit

• New Features

  • HTTP 405 Method Not Allowed responses now include proper Allow headers for route methods.
  • Relic grouping now supports nested composition via unite().

• Bug Fixes

  • Fixed Set-Cookie header handling in Node.js adapter.
  • Fixed Retry-After calculation in rate limiting.

• Documentation

  • Added comprehensive deployment, production-readiness, and release guidance.
  • Added security policy and contribution guidelines.
  • Clarified release candidate status in README.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

TomoeJS RC2 release establishes governance infrastructure via issue templates, security policy, and deployment guides; standardizes type inference using Record<never, never>; improves HTTP routing with 405 method-not-allowed responses; enhances the relic system with nested group flattening; fixes Node adapter Set-Cookie handling; and adds comprehensive test coverage and benchmarking infrastructure including Fastify comparison.

Changes

RC2 Infrastructure & Core Framework

Layer / File(s)	Summary
Release RC2 Governance & Documentation .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/feature_request.yml, .github/pull_request_template.md, .github/workflows/ci.yml, .github/workflows/security.yml, CHANGELOG.md, README.md, SECURITY.md, CONTRIBUTING.md, docs/deployment.md, docs/production-readiness.md, docs/release-checklist.md	GitHub issue/PR templates collect structured bug/feature/compatibility metadata. CI workflow tests across Node 20/22/24 and includes Bun and soak jobs. Security workflow audits dependencies and runs CodeQL. CHANGELOG reframes RC2 as production-readiness candidate. README adds prominent RC callout and links to governance docs. SECURITY.md documents vulnerability reporting and pre-1.0 scope. CONTRIBUTING.md defines dev setup, compatibility rules, and test expectations. Deployment guide covers Bun/Node/Workers/Deno setup with reverse-proxy guidance. Production-readiness doc lists release gates and operational checklist. Release-checklist enumerates versioning and verification steps.
Benchmarking Infrastructure & Fastify Addition benchmarks/src/fastify.ts, benchmarks/src/index.ts, benchmarks/BENCHMARK.md, benchmarks/package.json, packages/tomoe/package.json	Fastify server benchmark added with /json, /user/:id/posts/:postId, and /protected endpoints and header-based middleware hooks. Benchmark runner checks Bun availability via synchronous spawnSync, adds Fastify to benchmark targets, and regenerates findings summary. Report reflects new Fastify comparison and caveat-driven performance narrative. Benchmark and tomoe package dependencies reorganized and version-pinned for reproducibility.
Type System Standardization to Record<never, never> packages/tomoe/src/context.ts, packages/tomoe/src/client.ts, packages/tomoe/src/router/router.ts, packages/tomoe/src/tomoe.ts, packages/tomoe/src/types/inference.ts, packages/tomoe/src/types/utils.ts	Context generic defaults (E/P/R), Client inference fallback, Router and ScopedRouter defaults, Tomoe Routes default, ParamsObject no-params branch, and Prettify intersection all migrate from {} to Record<never, never> for stricter inference and clearer intent.
HTTP Method Dispatch & 405 Responses packages/tomoe/src/router/router.ts, packages/tomoe/test/unit/router/router.test.ts	Router dispatch normalizes request method to uppercase, computes allowed methods per pathname (including automatic OPTIONS), returns 405 with Allow header when methods match the route but not the request, and otherwise returns 404. HEAD requests still fall back to GET with body-dropping. Tests updated to expect 405 with Allow header instead of 404 for method mismatches, and new test confirms HEAD to GET route returns 200 with empty body.
Relic System Nested Group Flattening packages/tomoe/src/relic/unite.ts, packages/tomoe/test/unit/relic/relic.test.ts, packages/tomoe/test/unit/types/inference.test.ts	unite() now accepts individual relics and nested RelicGroup instances, flattens groups at runtime, and computes merged context types via new helpers (RelicInput, FlattenRelicInputs, UniteContext). Tests verify flattening behavior and nested group composition with router scoping and type inference.
Node Adapter & Middleware Robustness packages/tomoe/src/node.ts, packages/tomoe/src/middleware/rate-limit.ts	Node adapter's response header handling now detects getSetCookie, extracts cookie values, filters duplicates, and explicitly sets Node's Set-Cookie array. Rate-limiter's Retry-After calculation guards against undefined oldest timestamp, defaulting to 1 second.
Test Suite & Script Infrastructure packages/tomoe/test/unit/node-adapter.test.ts, packages/tomoe/test/unit/production-edge.test.ts, packages/tomoe/test/unit/relic/relic.test.ts, packages/tomoe/test/unit/router/radix.test.ts, packages/tomoe/test/unit/router/router.test.ts, packages/tomoe/test/unit/types/inference.test.ts, scripts/bun-smoke.ts, scripts/soak.ts, package.json, apps/examples/package.json	Node adapter unit tests validate streaming, body forwarding, Set-Cookie preservation, HEAD fallback, abort recovery, and forwarded headers. Production-edge tests verify 405/method-not-allowed, URL-decoding, body-validation, cookie accumulation, double-next() error handling, and end-to-end server lifecycle. Relic, router, and type inference tests extended for nested groups and 405 behavior. RadixTree performance thresholds relaxed. Bun smoke test exercises relic composition and guard authorization on a running Bun server. Soak test measures latency percentiles across concurrent load with CORS, rate limiting, and admin/member authorization paths. Root and examples package.json scripts/dependencies updated.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Project-Tomoe/tomoe#6: The main PR updates relic-system code—especially packages/tomoe/src/relic/unite.ts—to add runtime flattening and expanded typing for nested relic groups, which directly builds on the Relic system introduced in the retrieved PR.

Poem

🐰 A framework hops toward its stable release,

With governance, tests, and type-system peace,

Methods now answer with 405's might,

Relics stack nested—the compose feels right,

From RC to production, the path becomes clear! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.53% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Production readiness testing' accurately reflects the main focus of the PR, which adds comprehensive production readiness documentation, testing infrastructure (CI/security workflows), and new test suites covering edge cases and adapter behavior.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch production-readiness-testing

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.