TypeScript backends, without the bloat
Production-grade and memory-safe, built straight from Node.js core. Every feature implemented in-house — no Express, no pg, no Prisma.
Everything you need. Nothing you don't.
Every feature is implemented directly from Node.js core modules, with explicit memory bounds on every component.
TypeScript first
Strict mode, NodeNext ESM, decorator metadata, and full type inference. Zero any in the framework source.
Memory-safe by design
Bounded body limits, connection pools, ring-buffer telemetry, LRU eviction and WebSocket caps. Every component has a ceiling.
Native PostgreSQL driver
Wire protocol v3 over node:net with SCRAM-SHA-256 auth and socket-level streaming backpressure. No pg.
Dependency injection
IoC container with constructor injection, a singleton registry and circular-dependency detection via reflect-metadata.
Security built in
JWT, AES-256-GCM sessions, scrypt vault, sliding-window rate limiting, XSS sanitiser, CSRF, CORS and CSP — all included.
Real-time ready
A bounded WebSocket server with heartbeat, a typed event emitter, and SSE with keep-alive. Auth hook runs on upgrade.
OpenAPI 3.1 auto-gen
The spec is generated from @ApiOperation decorators, always in sync, and served at /openapi.json.
Clustering & telemetry
A node:cluster coordinator with IPC heartbeat, auto-restart, graceful shutdown and P50/P99 latency tracking.
CLI tooling
create, dev, generate and migrate — the full project lifecycle from a single binary.
A complete production API. One file.
PostgreSQL, JWT auth, rate limiting and auto-generated OpenAPI — every import comes from streetjs.

import 'reflect-metadata';
import {
  streetApp, Injectable, Controller, Get, Post,
  PgPool, securityHeaders, corsMiddleware,
  RateLimiter, authMiddleware, JwtService, ApiOperation,
} from 'streetjs';
import type { StreetContext } from 'streetjs';

@Injectable()
class ItemService {
  constructor(private readonly pool: PgPool) {}

  async findAll() {
    const { rows } = await this.pool.query(
      'SELECT id, name, created_at FROM items ORDER BY created_at DESC'
    );
    return rows;
  }

  // The name is passed as a bound parameter ($1), never concatenated into the SQL text.
  async create(name: string) {
    const { rows } = await this.pool.query(
      'INSERT INTO items (name) VALUES ($1) RETURNING *', [name]
    );
    return rows[0];
  }
}

@Controller('/api/items')
class ItemController {
  constructor(private readonly svc: ItemService) {}

  @Get('/')
  @ApiOperation({ summary: 'List items', tags: ['items'] })
  async list(ctx: StreetContext): Promise<void> {
    ctx.json({ items: await this.svc.findAll() });
  }

  @Post('/')
  @ApiOperation({ summary: 'Create item', tags: ['items'] })
  async create(ctx: StreetContext): Promise<void> {
    // The cast is a compile-time assertion only; it does not check the body at runtime.
    const { name } = ctx.body as { name: string };
    ctx.json(await this.svc.create(name), 201);
  }
}

// The non-null assertion (!) only satisfies the type checker; JWT_SECRET must be set in the environment.
const jwt = new JwtService(process.env.JWT_SECRET!);
// At most 100 requests per 60-second window.
const limiter = new RateLimiter({ windowMs: 60_000, maxRequests: 100 });

const app = streetApp({ port: 3000 });
app.use(securityHeaders);
// CORS is restricted to a single allowed origin.
app.use(corsMiddleware(['https://app.example.com']));
app.use(limiter.middleware());
app.use(authMiddleware(jwt));
app.registerController(ItemController);

await app.listen();

Everything you need to ship.
Comprehensive guides, API references and real-world examples for every part of the framework.
Install, scaffold, configure and run in 60 seconds.
HTTP handlers, routing, the context API and validation.
IoC container, constructor injection and singletons.
Wire driver, connection pool, repositories, migrations.
JWT, sessions, rate limiting, XSS, vault and CSRF.
WebSocket server, SSE, typed events and heartbeat.
Docker, production config and environment variables.
REST API, WebSocket chat, file upload and auth flow.
16 industry verticals — fintech, IoT, AI and gaming.
All street commands, flags and options.
Integration tests, the test runner and real PostgreSQL.
Token-gated, read-only Playground, Route Explorer, dependency graph and API Inspector.
Common questions, migration guides and troubleshooting.
Built in the open. Improved together.
StreetJS is MIT-licensed and actively developed. Bug reports, feature requests and contributions are all welcome.