Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 32 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
- name: Check formatting
run: |
# Collect all .go files across all modules.
unformatted=$(find registry -name '*.go' -type f -exec gofmt -l {} +)
unformatted=$(find cmd internal registry -name '*.go' -type f -exec gofmt -l {} +)
if [ -n "$unformatted" ]; then
echo "::error::The following files are not gofmt-clean:"
echo "$unformatted"
Expand All @@ -54,6 +54,9 @@ jobs:
- name: Run go vet on all modules
run: |
set -e
echo "::group::go vet: root CLI"
go vet ./cmd/... ./internal/...
echo "::endgroup::"
modules=(
middleware
auth
Expand Down Expand Up @@ -90,6 +93,9 @@ jobs:
- name: Run tests for all modules
run: |
set -e
echo "::group::go test: root CLI"
go test -count=1 -timeout 10m ./cmd/... ./internal/...
echo "::endgroup::"
modules=(
middleware
auth
Expand Down Expand Up @@ -134,6 +140,9 @@ jobs:
- name: Verify each module compiles
run: |
set -e
echo "::group::go build: root CLI"
go build ./cmd/scion
echo "::endgroup::"
modules=(
middleware
auth
Expand All @@ -154,21 +163,41 @@ jobs:
done
echo "All modules compile successfully."

# ===========================================================================
# Job 5: Bundle freshness — registry edits must update the embedded bundle
# ===========================================================================
bundle-check:
name: bundle check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-go@v5
with:
go-version: "1.22"

- name: Regenerate embedded registry bundle
run: go run ./internal/cmd/build-bundle

- name: Verify bundle is fresh
run: git diff --exit-code -- internal/bundle

# ===========================================================================
# Summary job — required for branch protection
# ===========================================================================
ci-success:
name: CI Success
runs-on: ubuntu-latest
needs: [gofmt, go-vet, go-test, module-check]
needs: [gofmt, go-vet, go-test, module-check, bundle-check]
if: always()
steps:
- name: Check all jobs
run: |
if [[ "${{ needs.gofmt.result }}" != "success" || \
"${{ needs.go-vet.result }}" != "success" || \
"${{ needs.go-test.result }}" != "success" || \
"${{ needs.module-check.result }}" != "success" ]]; then
"${{ needs.module-check.result }}" != "success" || \
"${{ needs.bundle-check.result }}" != "success" ]]; then
echo "::error::CI failed. One or more checks did not pass."
exit 1
fi
Expand Down
10 changes: 5 additions & 5 deletions AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,12 @@

## Project Description

Scion is a copy-paste code library for Go backend development. It contains 11 self-contained modules in `registry/` — each is a standalone Go package with zero external dependencies (Go standard library only). Modules are meant to be copied into a user's project and adapted, not imported as a dependency.
Scion is a copy-paste code library for Go backend development. It contains 11 self-contained modules in `registry/` — each is a standalone Go package. Modules are standard-library only by default; security-sensitive modules may be declared as `stdlibOnly:false` in `registry/index.json` and copied in standalone mode. Modules are meant to be copied into a user's project and adapted, not imported as a dependency.

## Coding Standards

- Go 1.22+ with generics
- Zero external dependencies — standard library only
- Standard library only by default; declared `stdlibOnly:false` modules may use mature security libraries
- `gofmt` formatting is mandatory
- `go vet` must pass with zero warnings
- Middleware signature: `func(http.Handler) http.Handler`
Expand Down Expand Up @@ -69,7 +69,7 @@ foreach ($m in $modules) { Push-Location "registry/$m/src/go"; go test ./...; Po

## Key Constraints

- Do NOT add external dependencies to any module's `go.mod`
- Do NOT add external dependencies to any module's `go.mod` unless the module is explicitly marked `stdlibOnly:false` in `registry/index.json` and the dependency is justified for security or correctness
- Do NOT use `panic` in HTTP handlers — return errors
- Do NOT trust client headers (`Content-Type`, `X-Forwarded-For`, `X-Real-Ip`)
- Do NOT use `strings.Split` for header parsing — use `strings.SplitN` with a limit
Expand All @@ -89,9 +89,9 @@ You are working on Scion, a copy-paste code library for Go backend development.
Project location: <path-to-scion>

Architecture:
- 11 modules in registry/ — each is a standalone Go package, zero external deps
- 11 modules in registry/ — each is a standalone Go package
- Module path pattern: registry/<module>/src/go/
- Go 1.22+, standard library only, gofmt mandatory
- Go 1.22+, standard library by default, gofmt mandatory

Security rules (non-negotiable):
1. Reject CRLF (\r\n) and null bytes (\x00) in all user inputs
Expand Down
10 changes: 5 additions & 5 deletions AGENTS_zh.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,12 @@

## 项目描述

Scion 是一个面向 Go 后端开发的复制粘贴代码库。`registry/` 目录下有 11 个自包含模块,每个都是独立的 Go 包,零外部依赖(仅使用 Go 标准库)。模块的设计目的是被复制到用户项目中并适配,而非作为依赖导入。
Scion 是一个面向 Go 后端开发的复制粘贴代码库。`registry/` 目录下有 11 个自包含模块,每个都是独立的 Go 包。模块默认仅使用标准库;安全敏感模块可以在 `registry/index.json` 中显式标记为 `stdlibOnly:false`,并以 standalone 模式复制。模块的设计目的是被复制到用户项目中并适配,而非作为依赖导入。

## 编码标准

- Go 1.22+,使用泛型
- 零外部依赖 — 仅使用标准库
- 默认仅使用标准库;显式标记为 `stdlibOnly:false` 的模块可以使用成熟安全库
- `gofmt` 格式化是强制的
- `go vet` 必须零警告通过
- 中间件签名:`func(http.Handler) http.Handler`
Expand Down Expand Up @@ -69,7 +69,7 @@ foreach ($m in $modules) { Push-Location "registry/$m/src/go"; go test ./...; Po

## 关键约束

- 不要给任何模块的 `go.mod` 添加外部依赖
- 不要给任何模块的 `go.mod` 添加外部依赖,除非该模块已在 `registry/index.json` 显式标记为 `stdlibOnly:false`,且依赖对安全或正确性有明确价值
- 不要在 HTTP 处理器中使用 `panic` — 返回错误
- 不要信任客户端 header(`Content-Type`、`X-Forwarded-For`、`X-Real-Ip`)
- 不要用 `strings.Split` 解析 header — 用 `strings.SplitN` 加限制
Expand All @@ -89,9 +89,9 @@ foreach ($m in $modules) { Push-Location "registry/$m/src/go"; go test ./...; Po
项目路径: <scion-项目路径>

架构:
- registry/ 下有 11 个模块 — 每个是独立的 Go 包,零外部依赖
- registry/ 下有 11 个模块 — 每个是独立的 Go 包
- 模块路径模式: registry/<模块名>/src/go/
- Go 1.22+,仅使用标准库,gofmt 强制
- Go 1.22+,默认仅使用标准库,gofmt 强制

安全规则(不可妥协):
1. 拒绝所有用户输入中的 CRLF (\r\n) 和 null 字节 (\x00)
Expand Down
37 changes: 26 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,22 +13,31 @@ Backend modules (auth, CRUD, file upload, rate limiting) share 80% of their skel
- You need to customize business logic deep inside the module
- You want to own the code, not be locked to upstream versions
- Your AI coding assistant works better with code it can read and modify directly
- No dependency hell — zero external dependencies, Go standard library only
- No dependency hell — standard library by default, with declared security exceptions

## Quick Start

```bash
# 1. Copy a module into your project
cp -r registry/auth/src/go/* yourproject/internal/auth/
# 1. Install the source-template copier
go install github.com/DarkInno/scion/cmd/scion@latest

# 2. Copy a zero-dependency module into your project
scion add cache --to internal/cache

# 2. Adapt the configuration
# Edit config.go: set JWT secret, database URL, etc.
# 3. Inspect local changes against the embedded template later
scion diff cache --target internal/cache
```

# 3. Implement the store interface
# type UserStore interface { ... } // your DB layer
Scion's CLI copies source files and writes `.scion-module.json` metadata for later comparison. It never edits your `go.mod` automatically. Modules marked `stdlibOnly=false` must be copied with `--standalone` so their `go.mod`/`go.sum` are explicit.

# 4. Wire up routes
# See registry/auth/examples/gin/main.go
Manual copy still works:

```bash
# 1. Copy a module into your project
cp -r registry/cache/src/go/*.go yourproject/internal/cache/

# 2. Adapt the package to your project
# Rename, trim tests, or wire it into your service as needed.
```

## Available Modules
Expand Down Expand Up @@ -79,7 +88,7 @@ scion/
## Design Principles

1. **Code ownership** — every line is yours after copying. No upstream lock-in.
2. **Self-contained** — each module works independently, zero external dependencies.
2. **Self-contained** — each module works independently; external dependencies are allowed only for declared security exceptions.
3. **Framework-agnostic** — uses Go standard `net/http`, adaptable to Gin/Echo/etc.
4. **Security-first** — input validation, rate limiting, injection prevention built in.
5. **AI-friendly** — `__llms__.md` files let AI assistants understand modules in ~200 tokens.
Expand All @@ -89,9 +98,15 @@ scion/

```bash
# Clone the repository
git clone https://github.com/your-org/scion.git
git clone https://github.com/DarkInno/scion.git
cd scion

# Regenerate the embedded CLI bundle after registry changes
go run ./internal/cmd/build-bundle

# Test the root CLI
go test ./cmd/... ./internal/...

# Run tests for a specific module
cd registry/auth/src/go && go test -v ./...

Expand Down
4 changes: 2 additions & 2 deletions README_zh.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ Scion 是一个面向 Go 后端开发的复制粘贴代码库。你不需要安
- 你需要在模块深处自定义业务逻辑
- 你想拥有代码的所有权,而不是被上游版本锁定
- 你的 AI 编码助手在能直接阅读和修改代码时表现更好
- 没有依赖地狱 — 零外部依赖,仅使用 Go 标准库
- 没有依赖地狱 — 默认仅使用 Go 标准库,安全例外会显式声明

## 快速开始

Expand Down Expand Up @@ -80,7 +80,7 @@ scion/
## 设计原则

1. **代码所有权** — 复制后每一行代码都是你的,没有上游锁定。
2. **自包含** — 每个模块独立工作,零外部依赖
2. **自包含** — 每个模块独立工作;只有显式声明的安全例外才允许外部依赖
3. **框架无关** — 使用 Go 标准 `net/http`,可适配 Gin/Echo 等。
4. **安全优先** — 内置输入验证、限流、注入防护。
5. **AI 友好** — `__llms__.md` 文件让 AI 助手在约 200 token 内理解模块。
Expand Down
22 changes: 22 additions & 0 deletions cmd/scion/main.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
package main

import (
"context"
"fmt"
"os"

"github.com/DarkInno/scion/internal/bundle"
"github.com/DarkInno/scion/internal/cli"
"github.com/DarkInno/scion/internal/registry"
)

func main() {
reg, err := registry.NewBundle(bundle.RegistryZip, bundle.ManifestJSON)
if err != nil {
_, _ = fmt.Fprintf(os.Stderr, "scion: failed to load embedded registry: %v\n", err)
os.Exit(1)
}

app := cli.New(reg)
os.Exit(app.Run(context.Background(), os.Args[1:], os.Stdout, os.Stderr))
}
2 changes: 1 addition & 1 deletion docs/contributing.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ Add your module to `registry/index.json`.
## Code Standards

- Go 1.22+ with generics
- Zero external dependencies — standard library only
- Standard library only by default; external dependencies require an explicit `stdlibOnly:false` registry entry and security/correctness justification
- `gofmt` formatting
- `go vet` must pass
- Middleware signature: `func(http.Handler) http.Handler`
Expand Down
6 changes: 3 additions & 3 deletions docs/guide/why-copy-paste.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ Backend modules (auth, CRUD, file upload, rate limiting) share 80% of their skel
- You need to customize business logic deep inside the module
- You want to own the code, not be locked to upstream versions
- Your AI coding assistant works better with code it can read and modify directly
- No dependency hell — zero external dependencies, Go standard library only
- No dependency hell — standard library by default, with declared security exceptions

## The Solution

Expand All @@ -19,7 +19,7 @@ Scion provides copy-paste code modules. Instead of installing a framework or pul

Every line is yours after copying. No upstream lock-in. No version conflicts. No waiting for maintainers to merge your PR.

### Zero Dependencies
### Explicit Dependencies

Each module uses only the Go standard library. No `go.sum` bloat. No transitive dependency vulnerabilities.

Expand Down Expand Up @@ -53,7 +53,7 @@ Every module includes functional tests and penetration test cases. Run `go test
- You want to own every line of code
- You need deep customization
- You're building with AI coding assistants
- You want zero external dependencies
- You want no hidden transitive dependencies

## When NOT to Use Scion

Expand Down
4 changes: 2 additions & 2 deletions docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ layout: home
hero:
name: Scion
text: Copy-Paste Go Backend Modules
tagline: Zero dependencies, security-first, AI-friendly. Copy production-ready code into your project.
tagline: Explicit dependencies, security-first, AI-friendly. Copy production-ready code into your project.
actions:
- theme: brand
text: Get Started
Expand Down Expand Up @@ -84,6 +84,6 @@ cp -r registry/auth/src/go/* yourproject/internal/auth/
Backend modules share 80% of their skeleton across projects. Instead of installing a framework, copy pre-built, production-ready modules and own every line of code.

- **Code ownership** — every line is yours after copying
- **Zero dependencies** — Go standard library only
- **Explicit dependencies** — standard library by default; security exceptions are declared
- **Security-first** — input validation, rate limiting, injection prevention built in
- **AI-friendly** — `__llms__.md` files let AI assistants understand modules quickly
4 changes: 2 additions & 2 deletions docs/modules/index.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Modules Overview

Scion provides 11 production-ready, copy-paste Go modules. Each module is self-contained with zero external dependencies.
Scion provides 11 production-ready, copy-paste Go modules. Each module is self-contained. Modules are standard-library only by default; declared security exceptions are marked in the registry.

## Available Modules

Expand Down Expand Up @@ -53,4 +53,4 @@ go test -v ./...

## Dependencies

All modules use only the Go standard library. No external dependencies required.
Modules use only the Go standard library by default. Declared exceptions, such as auth, copy their own `go.mod` in standalone mode.
2 changes: 1 addition & 1 deletion docs/zh/contributing.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ go test -v ./...
## 代码标准

- Go 1.22+ 支持泛型
- 零外部依赖 — 仅标准库
- 默认仅使用标准库;外部依赖必须有显式的 `stdlibOnly:false` 注册表声明,并说明安全或正确性理由
- `gofmt` 格式化
- `go vet` 必须通过
- 中间件签名:`func(http.Handler) http.Handler`
Expand Down
10 changes: 5 additions & 5 deletions docs/zh/guide/why-copy-paste.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
- 你需要深入模块内部定制业务逻辑
- 你想拥有代码,而不是被上游版本锁定
- 你的 AI 编程助手能更好地理解和修改直接可见的代码
- 没有依赖地狱 — 零外部依赖,仅使用 Go 标准库
- 没有依赖地狱 — 默认仅使用 Go 标准库,安全例外会显式声明

## 解决方案

Expand All @@ -19,9 +19,9 @@ Scion 提供复制粘贴代码模块。与其安装框架或引入依赖,不

复制后每一行都是你的。没有上游锁定。没有版本冲突。不用等待维护者合并你的 PR。

### 零依赖
### 显式依赖

每个模块仅使用 Go 标准库。没有 `go.sum` 膨胀。没有传递依赖漏洞
模块默认仅使用 Go 标准库;安全敏感模块如认证可以显式声明外部安全库。没有隐藏的 `go.sum` 膨胀,也没有未声明的传递依赖

### 安全优先

Expand All @@ -45,15 +45,15 @@ Scion 提供复制粘贴代码模块。与其安装框架或引入依赖,不
|------|------|------|
| **包管理 (npm/go)** | 安装简单,自动更新 | 版本锁定,依赖地狱,难以定制 |
| **框架 (Gin/Echo)** | 统一API,社区支持 | 锁定,臃肿,学习曲线 |
| **复制粘贴 (Scion)** | 完全拥有,零依赖,可定制 | 手动更新,初始工作量稍大 |
| **复制粘贴 (Scion)** | 完全拥有,依赖显式,可定制 | 手动更新,初始工作量稍大 |

## 何时使用 Scion

- 你需要快速获得生产就绪的模块
- 你想拥有每一行代码
- 你需要深度定制
- 你使用 AI 编程助手
- 你想要零外部依赖
- 你不想要隐藏的传递依赖

## 何时不使用 Scion

Expand Down
4 changes: 2 additions & 2 deletions docs/zh/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ layout: home
hero:
name: Scion
text: 复制粘贴 Go 后端模块
tagline: 零依赖、安全优先、AI友好。复制生产就绪的代码到你的项目中。
tagline: 显式依赖、安全优先、AI友好。复制生产就绪的代码到你的项目中。
actions:
- theme: brand
text: 快速开始
Expand Down Expand Up @@ -84,6 +84,6 @@ cp -r registry/auth/src/go/* yourproject/internal/auth/
后端模块在不同项目间共享 80% 的骨架代码。与其安装框架,不如复制生产就绪的模块,拥有每一行代码。

- **代码所有权** — 复制后每一行都是你的
- **零依赖** — 仅使用 Go 标准库
- **显式依赖** — 默认仅使用标准库;安全例外会声明
- **安全优先** — 内置输入验证、限流、注入防护
- **AI友好** — `__llms__.md` 文件让 AI 快速理解模块
Loading
Loading