StreetJS — Full Project Report
Consolidated, evidence-based status. Tags: VERIFIED (executed proof this cycle), IMPLEMENTED (in repo, not re-run here), PARTIAL, GAP. No marketing. Generated 2026-06-15 against
main.
1. Executive summary
StreetJS is a TypeScript backend framework built on Node.js core with a tiny dependency footprint. It is published, signed, provenance-attested, and CI-green, with a broad feature set, an 18-plugin ecosystem, a new first-party ORM, and a full governance/enterprise/compliance documentation suite.
Verdict: technical production-readiness is achieved. The binding remaining constraints are adoption, community, and production proof — not engineering. Ready today for solo devs, internal services, and early adopters; not yet a default for risk-averse enterprises needing a large ecosystem, hiring pool, and proven longevity.
2. Published artifacts (VERIFIED on npm)
| Package | Version | Provenance |
|---|---|---|
streetjs (core) |
1.0.9 (latest) |
✅ |
@streetjs/core (compat shim) |
1.0.9 | ✅ |
@streetjs/cli |
1.0.9 | ✅ |
@streetjs/plugin-* (×18) |
1.0.1 | ✅ + official Ed25519 signature |
@streetjs/orm |
0.1.0 (published) | ✅ |
@streetjs/{client,react,next,vue,nuxt} |
0.1.0 (published) | ✅ |
@streetjs/{auth-ui,ai-ui,admin-ui} |
0.1.0 (published) | ✅ |
Repo: 47 packages, 31 CI workflows. Latest full ci-cd run on main:
success (VERIFIED). Frontend packages additionally gated by frontend-ci.yml
(Node 20/22) and published via publish-frontend.yml. Workspace build is
reproducible: import-smoke reports 47/47 packages load, 0 fail, 0 skip;
circular-dependency scan 0 cycles repo-wide (after fixing barrel cycles in
storage and search); the former publish-only @streetjs/core shim is now
workspace-buildable and its dependents were migrated to streetjs. 47/47
includes the new @streetjs/plugin-africastalking.
3. Architecture & core (IMPLEMENTED; exercised by green CI)
Native PostgreSQL wire driver (SCRAM-SHA-256, no pg), MySQL + SQLite drivers;
HTTP/router/DI with decorators; WebSocket + SSE + channel hub + GraphQL
subscriptions; jobs; webhooks; microservices (circuit breaker, saga, event bus);
Kafka + RabbitMQ transports; observability (Prometheus + OTel); AI subsystem
(RAG, tool-calling agent); multi-tenancy. Security: JWT, AES-256-GCM sessions,
RBAC, MFA, rate limiting, validation, XSS sanitization, field-level encryption,
vault mode, mTLS, abuse prevention, moderation, secret-provider adapters, audit
logging.
4. Data layer (PARTIAL → relations SHIPPED)
@streetjs/orm 0.1.0 (published to npm with provenance) adds entity/relation
decorators, a safe parameterized query planner, eager loading (1:1/1:N/N:M,
batched + N+1-safe), relation filtering, lazy loading, and model-driven
migration generation (Orm.makeMigration diffs metadata vs the live schema →
up/down SQL). VERIFIED: 29 offline unit tests + 5 live-PostgreSQL integration
tests (incl. a migration generate→apply→idempotent round-trip), CI
orm-integration.yml green. RFC 0001 fully implemented.
4a. Full-stack expansion (IMPLEMENTED; RFC 0002 Accepted)
Additive, backend-first expansion — no frontend dependency entered core and
no core subsystem was rewritten (RFC 0002 hard constraints honored). Nine new
packages, each consuming @streetjs/client or public HTTP/WS APIs only, never
core internals:
| Package | Role | Verification |
|---|---|---|
@streetjs/client |
Universal, zero-dep typed SDK (requests, REST, auth, search, uploads, realtime, AI streaming) | 12 unit tests; client-ci.yml Node 20/22 |
@streetjs/react |
Hooks over the client (auth/query/mutation/realtime/search/AI) | build + 2 tests |
@streetjs/next |
Server/edge clients + auth/session/cookie helpers | build + 4 tests |
@streetjs/vue |
Vue 3 composables | build + 1 test |
@streetjs/nuxt |
Nuxt plugin factory + composable re-exports | build + 3 tests |
@streetjs/auth-ui |
Login/Register/Forgot/MFA/Profile React components | build + 4 tests |
@streetjs/ai-ui |
Chat/Streaming/RAG search/Tool viewer | build + 5 tests |
@streetjs/admin-ui |
RBAC/Audit/User management/Multi-tenancy | build + 4 tests |
street create --frontend |
Scaffolds a web/ React (Vite) or Next app + ci.yml |
build + 4 tests |
All exercised by .github/workflows/frontend-ci.yml (build + tsc --noEmit +
tests on Node 20 & 22). Honest scope note: UI/adapter packages are verified by
TypeScript build, type-check, and export-shape + pure-function tests — not full
DOM render tests (which would add jsdom/testing-library dev deps the project
avoids). This is a stated tradeoff, not a silent skip. The framework adapters
declare React/Vue/Next as peer deps; a root .npmrc (legacy-peer-deps=true)
keeps monorepo dev installs deterministic and has no effect on published packages.
Published (VERIFIED): all nine packages are live on npm at 0.1.0 with provenance attestations, published in dependency order via
.github/workflows/publish-frontend.yml(build → test → publish → attestation check, all green).street create --frontend <react|next>therefore resolves its@streetjs/*dependencies for end users.
5. Ecosystem (VERIFIED)
18 official, dependency-free, Ed25519-signed plugins, all 1.0.1 with
provenance, verified against the official key (verify-official-signatures.mjs,
18/18): databases (postgres, mysql, mongodb), messaging (nats, kafka,
rabbitmq), payments (stripe, paypal), identity (auth0, clerk, firebase,
supabase), AI (openai), storage (s3, r2), email/SMS (sendgrid, twilio). A 19th
plugin, @streetjs/plugin-africastalking (Africa’s Talking: SMS/Bulk SMS/Voice/
USSD/Airtime/Mobile Money, sandbox+production, zero third-party deps), is built,
33/33 tests green, and passes the certification structure suite (229/229) — added
to publish-plugins.yml, pending its first npm publish (CI signs it with the
official key at publish). Search backends covered by @streetjs/search.
Certification levels (Official/Verified/Community) + review checklists +
Plugin Author Guide documented (docs/ecosystem/).
6. Testing & runtime certification (VERIFIED)
Full ci-cd pipeline green on main: core integration (Node 20+22 vs live PG),
CLI + migration, memory-leak, 6 system-test suites, MySQL, certification + DB
E2E, package-integrity clean-install smoke, benchmark regression gate. CLI
148/148; plugin-structure 217/217; ORM 23 offline + 4 live-PG; MongoDB live SCRAM
path in CI (mongodb-integration.yml). All 0 skips except documented
conditional integration tests.
Runtime certification (this session, reusable): npm run verify:runtime
(scripts/audit/verify-runtime.mjs, zero added dependencies) ran 9/9 PASS →
CERTIFIED: import smoke (46/46), circular scan (0), live HTTP pipeline, plugin
config validation, 18/18 signatures, PG/MySQL/SQLite lifecycle + clean socket
teardown, and a 20× start/stop memory check (0 MB drift). Output:
docs/runtime-certification.md. A new runtime-certification.yml workflow runs
this in CI with live PG+MySQL and asserts a clean tree after a strict full
--workspaces build (Phase-1 signing gate). Scaled reliability harnesses added
(soak.mjs, ws-scale.mjs, chaos.mjs) with a nightly soak-scale-chaos.yml:
soak (event-loop/RSS/handle leak gate), WS scale (1k/5k/10k), and DB-restart chaos
(recovery VERIFIED ~1s). See docs/RUNTIME-STABILITY-VERIFICATION.md and
docs/PRODUCTION-HARDENING-PROGRAM.md.
7. Security & supply chain (VERIFIED)
Gitleaks + TruffleHog secret scanning, dependency review + high-sev audit, CodeQL,
zizmor workflow lint, npm provenance + CI provenance gate, per-release CycloneDX
SBOM, Ed25519 plugin signing with an embedded official trust key, Actions pinned
to SHAs. Resolved CodeQL alerts: polynomial-ReDoS in client/realtime.ts (×2) and
client/http.ts (×1) — all confirmed fixed via the code-scanning API, 0
open polynomial-ReDoS alerts repo-wide; earlier ReDoS (#110), cat subprocess
(#107), admin ReDoS, stack-trace exposures. Plugin-signing hardened: build
never signs; sign requires STREET_PLUGIN_SIGNING_KEY and fails without it;
prepublishOnly runs build && sign; a CI gate asserts build leaves the tree
clean — closing an earlier footgun where a keyless build re-signed manifests with
an ephemeral key. 18/18 published signatures still verify.
8. Deployment & docs (IMPLEMENTED)
Distroless Docker + health endpoints; Cloud Run/ECS/Vercel/Cloudflare manifests;
5 verified reference apps. 130 doc pages (Jekyll/just-the-docs, Pages build
green) including a new tutorials track (6 published; beginner path complete),
framework comparison pages (vs Express/Fastify/NestJS/Laravel/Django, each
with FAQPage JSON-LD), an example-app catalog, and a
Tutorials & Examples Program with
90/180/365-day content targets. Migration guides (Express/Nest/Fastify), SEO
(sitemap, JSON-LD), enterprise trust package, compliance mappings.
Low-cost deployment (this session): a StreetJS on a Budget guide with measured footprint — bare HTTP server ~64 MB RSS, +SQLite ~94 MB, ~5.7k req/s single-process, ~30 KB/WebSocket — and concrete under-$10 / under-$25 / under-$50 monthly stacks (SQLite→Postgres, self-hosted, Caddy TLS, R2 zero-egress storage) with a managed-vs-self-hosted cost comparison.
9. Governance, community & sustainability (IMPLEMENTED this program)
- Governance:
GOVERNANCE.mdextended with Steering Committee (odd seats, election, voting, conflict resolution), maintainer responsibilities, and an RFC lifecycle diagram. RFC process live (rfcs/) with the first Accepted RFC (0001). - Community: Discussions structure + moderation/escalation, contributor path (first→reviewer→maintainer→SC), labels manifest, mentored-task template.
- Enterprise: architecture overview, risk assessment, security whitepaper,
procurement FAQ (
docs/enterprise/). - Compliance: SOC2/HIPAA/GDPR/PCI control mappings distinguishing framework
capability vs operator responsibility (
docs/compliance/). - Sustainability: funding strategy, maintainer-health, bus-factor mitigation.
- Adoption: measurable KPI scorecard with quarterly targets and honest
baselines (
docs/adoption/).
10. Honest gaps (GAP)
- Community ≈ zero — no verifiable Discord/Discussions activity or external contributors yet (the #1 adoption blocker).
- Single-maintainer / bus-factor — mitigation documented; needs ≥2 real maintainers.
- No third-party production proof — reference apps are first-party; case-study framework is in place, awaiting real submissions.
- Compliance is documentation-only — mappings drafted; no certification/audit.
- Frontend packages are 0.1.0 previews — published with provenance and CI-green, but pre-1.0 and without full DOM render tests (verified by build + type-check + export-shape/pure-function tests); APIs may change before 1.0.
- Tutorial/example coverage is early — 6 tutorials + 5 comparisons + 4 example pages published against 90/180/365-day targets of 20/50/100 tutorials.
- Performance is unbenchmarked head-to-head — single-box numbers measured (~5.7k req/s, ~64 MB idle), but no comparative benchmark vs Fastify/Express exists; treat perf as architecturally-favorable-but-unproven.
- Hiring pool for “StreetJS developers” does not exist.
A brutally honest, evidence-tiered competitive audit (vs Express/Fastify/NestJS/ Laravel/Django/Spring/ASP.NET) lives in
docs/STREETJS-GAP-ANALYSIS.md. Its realistic composite score is ~62/100 — engineering ~80s, dragged down by adoption (30), market competitiveness (48), and enterprise readiness (55). The remaining gap to incumbents is ~80% social/market (community, ecosystem, proof, hiring), ~20% technical.
11. Readiness by audience
| Profile | Verdict |
|---|---|
| Solo devs / internal tools / supply-chain minimalists | Ready |
| Small teams comfortable as early adopters | Ready, eyes open |
| Mid-size teams needing deep ecosystem + hiring pool | Not yet |
| Risk-averse / regulated enterprises | Not yet |
12. Bottom line
Engineering and process maturity are done and verified: published with
provenance, signed ecosystem, green CI across 31 workflows, runtime certification
(9/9), reproducible 46/46 workspace build, governance + RFC + enterprise +
compliance docs in place. What remains is social adoption — community,
contributors, and real-world production usage — which is people-and-time work,
tracked with measurable targets in docs/adoption/adoption-scorecard.md. Nothing
material is blocked on code.