What's Changed

• feat: release v3.6.9 with new blockFiles config, SSRF protection, and… by @natthp49 in #17

Full Changelog: v3.6.8...v3.6.9

[3.6.9] - 2026-06-12

Added

• blockFiles config for dev and preview - dev.blockFiles and preview.blockFiles accept glob patterns to block sensitive files from being served over HTTP
  • Default patterns block .env, .env.*, *.pem, *.key, *.p12, *.pfx, .git/**, .htaccess, docker-compose.yml, docker-compose.yaml, and Dockerfile
  • Requests matching a blocked pattern receive a 403 Forbidden response
  • Set to an empty array to disable blocking; override with custom patterns to change the default list
• elit/config subpath export - added missing ./config entry to the package exports map so import { defineConfig } from 'elit/config' resolves correctly

Changed

• Version metadata refresh - release-facing version references across package.json, Cargo.toml, docs, examples, and create-elit templates now track v3.6.9

Fixed

• SSRF protection for PM proxy controller (#88) - the PM proxy now validates all upstream targets to prevent server-side request forgery attacks
  • Blocked IP ranges: loopback (127.x, ::1), private (10.x, 172.16–31.x, 192.168.x), link-local (169.254.x), carrier-grade NAT (100.64–127.x), multicast, and reserved addresses
  • DNS resolution validation prevents rebinding attacks by verifying the resolved IP is not a blocked address
  • Only http: and https: protocols are permitted as proxy targets
  • Request URL paths are sanitized to prevent @-based host smuggling and credential injection
  • Target URLs are validated on both setTarget/setTargets calls and at request time for continuous enforcement

What's Changed

• Feature/v3.6.8 by @natthp49 in #16

Full Changelog: v3.6.7...v3.6.8

[3.6.8] - 2026-06-12

Added

• Multi-instance process groups - elit pm start now accepts --instances <count> to launch and manage multiple copies of the same app as a single group
  • elit pm scale <name> <count> dynamically adjusts the number of running instances
  • elit pm reset <name|all> and elit pm send-signal <signal> <name|all> operate across all instances in a group
• Readiness checks - --wait-ready keeps processes in a starting state until their health endpoint responds; --listen-timeout <ms> caps the startup window
• Memory management - --max-memory <bytes|size> monitors process RSS and triggers a configurable --memory-action restart|stop when the threshold is exceeded
• Scheduled restarts - --cron-restart <expr> supports 5-field cron expressions and @every syntax for periodic restarts
• Exponential backoff for unstable restarts - --exp-backoff-restart-delay <ms> doubles the restart delay on repeated crashes; --exp-backoff-restart-max-delay <ms> caps the ceiling
• Restart window - --restart-window <ms> resets stale restart counters before they accumulate toward maxRestarts
• Kill timeout - --kill-timeout <ms> gives managed processes a configurable grace period between SIGTERM and SIGKILL
• Proxy management - --proxy-port, --proxy-strategy proxy|inherit, --proxy-host, --proxy-target-host, and --proxy-env let PM own the public port and forward traffic to child processes
  • proxy strategy routes HTTP and WebSocket upgrades through an in-process proxy (supports multi-instance groups)
  • inherit strategy shares the public listener file descriptor directly with a single Node child via IPC bootstrap
• PM JSON output and live metrics - elit pm list --json and elit pm describe <name> --json return machine-readable records with live cpu, memory, and uptime fields for running processes
  • elit pm list now includes live CPU, memory, and uptime columns in the table output
• Rolling reload - elit pm reload <name|all> performs a stop/start cycle across instances, waiting for each replacement to become online before continuing
  • When proxy is enabled, reload can hand off a single-instance HTTP app without dropping the public endpoint
• Agent skills and project documentation - added .agents/skills/ and .github/skills/ directories with structured checklists, architecture references, and command cheatsheets for server/CLI, mobile/WAPK, and native-renderer workflows
• blockFiles config for dev and preview - dev.blockFiles and preview.blockFiles accept glob patterns to block sensitive files from being served over HTTP
  • Default patterns block .env, .env.*, *.pem, *.key, *.p12, *.pfx, .git/**, .htaccess, docker-compose.yml, docker-compose.yaml, and Dockerfile
  • Requests matching a blocked pattern receive a 403 Forbidden response
  • Set to an empty array to disable blocking; override with custom patterns to change the default list

Changed

• Version metadata refresh - release-facing version references across package.json, Cargo.toml, docs, examples, and create-elit templates now track v3.6.8

Tests

• PM regression coverage - expanded test suite with coverage for multi-instance scaling, readiness monitors, memory thresholds, cron restarts, exponential backoff, kill timeout, proxy configuration, shared listener inheritance, and JSON output format

What's Changed

• Feature/v3.6.7 by @natthp49 in #15

Full Changelog: v3.6.6...v3.6.7

[3.6.7] - 2026-04-17

Added

• Standalone dev/preview server build flow - production builds can now emit runnable Node server bundles for dev and preview workflows without depending on the source tree at runtime
  • Added elit build-dev and elit build-preview convenience commands
  • Added --standalone-dev, --standalone-preview, --dev-out-file, and --preview-out-file build flags
  • Added typed programmatic elit/dev-build and elit/preview-build subpath exports for standalone server generation
• Public process-manager subpath - elit/pm is now exposed as a first-class package entry for typed process-manager helpers and programmatic access

Changed

• Standalone build pipeline integration - the normal build flow can now emit standalone dev/preview bundles from CLI flags or config-driven dev.standalone / preview.standalone settings
  • Standalone server generation reuses the regular build pipeline and emits runnable Node index.js outputs into the target build roots
  • Build, dev-build, preview-build, desktop, and shared type ownership is now split into dedicated modules while compatibility barrels remain in place for existing imports
• Release metadata refresh - release-facing Cargo, docs, and example version references now track v3.6.7

Fixed

• WAPK archive config-artifact filtering - elit wapk pack no longer leaks transient .elit-config-* bundles created while loading TypeScript/MTS config files, and legacy wapk.config.json stays excluded from packaged archives
  • Prevents temporary config-loader output from being shipped when projects use elit.config.ts or elit.config.mts
  • Keeps package metadata resolution anchored to current wapk config fields and package.json, not legacy wapk.config.json

Tests

• WAPK regression coverage refresh - updated WAPK coverage for temp config-bundle exclusion, legacy config ignore behavior, and online shared-session shutdown flows under the in-repo test runner
  • Simplified assertions to match the custom runner's spy and matcher API while preserving the same runtime expectations

What's Changed

• Feature/v3.6.6 by @natthp49 in #14

Full Changelog: v3.6.5...v3.6.6

[3.6.6] - 2026-04-16

Added

• WAPK archive patch workflow - elit wapk patch can now overlay selected files from one archive into another through a manifest-driven patch archive
  • Added elit wapk patch <target.wapk> --from <patch.wapk> plus --use as an alias for --from
  • Added --from-password so a locked patch archive can be applied to a target archive with different credentials
  • Patch selection now reads archive-relative rules from .wapkpatch, including ordered excludes like !database/*
  • Folder selectors like src/* now apply to the whole subtree so patch archives can target directories more naturally
• elit/smtp-server subpath package - new built-in SMTP server module for receiving inbound email inside an elit project
  • createSmtpServer(options) and startSmtpServer(options) provide a zero-dependency embedded SMTP listener
  • dev.smtp and preview.smtp config keys wire the server lifecycle to the elit dev/preview process automatically
  • clients[].smtp supports per-client SMTP configuration in multi-tenant setups
• Webmail example - new examples/webmail-example/ showing a full in-browser webmail client built with elit
  • Includes elit.config.ts with SMTP sandbox wired to dev.smtp / preview.smtp on 127.0.0.1:2525
  • REST API via ServerRouter: GET/POST /api/accounts, GET /api/messages, GET /api/messages/:id, POST /api/messages/send, POST /api/messages/draft, POST /api/demo/inbound
  • Browser UI renders inbox list, message preview, compose form, reply flow, and save-draft — all using reactive states + bindValue for form field binding
  • Register email account panel lets users add named accounts; the From field in compose reflects registered accounts
  • SSR shell (client.ts) delivers the initial HTML frame; styles live in a dedicated styles.ts module

Documentation

• WAPK patch guide refresh - README, CLI docs, and the WAPK guide now document the elit wapk patch flow, the .wapkpatch manifest name, and patch archive password handling

Tests

• WAPK patch regression coverage - added focused coverage for manifest-driven patching, subtree selector behavior, locked target archives, locked patch archives, and missing .wapkpatch validation

What's Changed

• Feature/v3.6.5 by @n-devs in #13

Full Changelog: v3.6.4...v3.6.5

[3.6.5] - 2026-04-13

Changed

• Release metadata and version reference refresh - release-facing versioned inputs now track v3.6.5 across the desktop runtime, docs UI, and example package references
  • Desktop Cargo metadata now tracks v3.6.5
  • Docs UI version badges and example release references now point at v3.6.5
  • Example package references and lockfiles now track v3.6.5

Fixed

• .wapkignore now supports ordered gitignore-style exceptions and glob rules - WAPK packaging can now exclude and re-include paths more predictably when archives need to keep selected build artifacts while dropping generated noise
  • Added ordered negate support such as !dist to re-include a later match
  • Added directory-only rules like dist/, globstar patterns like **/*.map, and escaped leading \!literal / \#literal entries
  • WAPK archive collection now evaluates ignore rules in order so later matches can override earlier ones
• Test runtime module loading no longer rewrites imports with whole-source regex passes - elit test now handles fixtures that contain import-looking strings without corrupting the transformed source
  • Test files now transpile and execute as full CommonJS modules instead of stripping named imports before transform
  • Relative test dependencies now resolve recursively through the test loader, avoiding unterminated-string failures from string literals such as import { value } from "linked-lib";

Documentation

• WAPK ignore guide refresh - CLI and WAPK docs now document negate rules, directory rules, globstar patterns, and escaped leading literals for .wapkignore

Tests

• WAPK ignore regression coverage - added focused coverage for negate rules, directory rules, globstar rules, and escaped leading ! literals, and validated the new matcher behavior through the rebuilt CLI test path

Full Changelog: v3.6.3...v3.6.4

[3.6.4] - 2026-04-13

Changed

• Release metadata and desktop packaging refresh - versioned release collateral for v3.6.4 has been synced across the desktop runtime and published package inputs
  • Desktop Cargo metadata now tracks v3.6.4
  • Published package files now include Cargo.lock alongside Cargo.toml so desktop runtime builds can reuse the pinned Rust dependency graph

Documentation

• Version reference refresh - README, docs UI version badges, and example project release references now point at v3.6.4

Full Changelog: v3.6.2...v3.6.3

[3.6.3] - 2026-04-13

Changed

• MIT license notice refresh - updated the bundled MIT license file to keep the project copyright notice current
  • Refreshed the copyright line to 2024-2026 Elit
  • No runtime or API behavior changes were introduced in this release

Full Changelog: v3.6.1...v3.6.2

[3.6.2] - 2026-04-13

Fixed

• Packaged desktop bootstrap helper resolution - elit desktop run and elit desktop build no longer bundle packaged desktop-auto-render / render-context helpers through ESM artifacts that inject import { createRequire } from 'module' into non-Node desktop bundle targets
  • Desktop bootstrap helper resolution now prefers source files when available and otherwise falls back to packaged CommonJS helpers for bundle-based desktop compilers
  • Desktop bundle self-reference resolution now prefers built CommonJS elit/* artifacts when the package source tree is not shipped with the installed package

Tests

• Desktop helper resolution coverage - updated desktop CLI coverage to assert that packaged desktop bootstrap helpers can prefer CommonJS helper artifacts while still preserving the existing source-first / ESM fallback behavior

Full Changelog: v3.6.0...v3.6.1

[3.6.1] - 2026-04-13

Fixed

• Browser import maps now expose only browser-safe Elit entries - dev/preview HTML and standalone build-dev / build-preview outputs no longer publish server-only or build-only elit/* specifiers to the browser runtime
  • Browser import maps are now limited to elit, elit/dom, elit/el, elit/native, elit/universal, elit/router, elit/state, elit/style, elit/hmr, and elit/types
  • Prevents browser clients from resolving non-browser subpaths such as elit/server, elit/build, and elit/
• Standalone dev fallback asset resolution - standalone build-dev servers no longer return 404 Not Found for built assets like /main.js when SSR and public assets are still served from the primary source root
  • Dev server static file resolution now falls back to fallbackRoot before returning 404
  • Keeps SSR output and primary-root public assets intact while serving built client bundles and sourcemaps from the generated output when needed

Tests

• Browser-safe import map regression coverage - updated server import-map tests to assert that only the browser-safe Elit subset is emitted for both workspace and installed-package browser flows
• Standalone dev mixed-root fallback coverage - added regression coverage for the case where SSR/public assets come from the source root while built client assets are resolved from fallbackRoot

Full Changelog: v3.5.9...v3.6.0

[3.6.0] - 2026-04-13

Fixed

• Dev-mode workspace Elit import maps now use built JavaScript output - the dev server no longer emits workspace-local elit/* browser imports that point at /src/*.ts
  • Workspace-root Elit imports now resolve through /dist/*.js in both dev and preview modes
  • Keeps browser import maps aligned with the published package surface and avoids exposing TypeScript source paths to the browser runtime

Tests

• Server import map regression coverage - updated the server import map tests to assert that workspace-local Elit imports resolve to /dist/*.js and no longer include /src/ or .ts entries in dev mode