Changelog
Release notes for create-volt. New app: npm create volt@latest · update an app: npx create-volt@latest update. Source on GitHub.
Changelog
All notable changes to create-volt are documented here. The format follows
Keep a Changelog, and this project adheres to
Semantic Versioning.
0.63.1 - 2026-07-06
Added
- MIR emission is opt-in. Being a registered MIR partner no longer means events flow:
submitEventis a no-op until the owner opts in — a new Emit participation events checkbox in the config (MIR_EMIT=on). Sending data about your users to the registry is now a deliberate, separate consent step;resolveUser(a read) is unaffected. The startup log states whether events are emitting.
0.63.0 - 2026-07-06
Added
volt-addon-mir— Memory Infrastructure Registry participation. Make an app a MIR partner; its users become participants who build portable, cross-partner reputation. The add-on serves the domain-verification challenge at/.well-known/mir-challengeand exposesapp.locals.mir { submitEvent, resolveUser }to your routes (200 found / 202 provisional / 404 unknown, surfaced distinctly). Onboarding is driven from the config: register a sandbox partner (email-gated), deploy, then promote to a production key once MIR verifies your domain. Only offered whenSITE_URLis a public, DNS-resolving domain — a localhost site can't be domain-verified. New/docs/mir.SITE_URLDNS affirmation. The config now checks that the domain actually resolves (on blur), catching typos before canonical / OG / RSS — and MIR — rely on it. Existence, not ownership:✓ resolves/✗ doesn't/ a local-private note. Server-side lookup via a new/setup/dns-check.
0.62.0 - 2026-07-05
Added
- SPA / Normal navigation (
SITE_SPA). Off = normal full-reload navigation. On = a tiny turbo script intercepts internal link clicks and fetch-swaps the body (no reload) — while every URL stays fully server-rendered (content, title, meta, canonical, OG), so SEO is unaffected. It's the Turbolinks/htmx model, not a client-rendered SPA: crawlers get complete HTML and ignore the script. Delegated ondocument(survives swaps), re-runs inline scripts (hero re-inits), falls back to a real navigation on any error. - Admin IP allowlist (
ADMIN_ALLOW_IPS). A comma-separated list gates the whole admin path before any route — a non-listed IP gets a plain 404 (can't even reach the login form or/request). PrefersX-Real-IPfor reverse-proxy setups; config field in the Web-admin section; blank = any IP (the magic link is still required). - Themed 404 page. An unknown path now renders a real 404 in the active theme
(with nav) instead of Express's bare "Cannot GET". Override the copy with
pages/404.md.
0.61.0 - 2026-07-05
Added
- Media roles. In the config's Media library, assign a file as Logo /
Favicon / OG image / Hero. Logo (
SITE_LOGO) swaps the brand text for the image across every theme; Favicon (SITE_FAVICON) sets the<head>icon + apple-touch on every page; Hero (SITE_HERO) fills any.volt-heroslot — one image, or several → a fading vanilla-JS carousel (the business template's hero is pre-marked). OG image (OG_IMAGE) was already wired.
Fixed
- Auto-canonical + og:url. Every page and post now emits
<link rel="canonical">andog:urlfromSITE_URL+ the request path, unless the front-matter overrides — closing an SEO gap where they only appeared if added by hand.
0.60.0 - 2026-07-05
Added
- Configured header menus + responsive nav.
pages/_nav.md— a Markdown link list — defines the header menu (reorder, rename, external links). Every theme (default, paper, midnight, classic, business) renders it with active-link marking and a CSS-only hamburger under 640px.loadNav+ shared nav classes/CSS live in the pages add-on; templates ship a starter_nav.md.
Fixed
- Blog/post pages now get the color scheme + mode + nav.
posts.jsrendered through the theme but skippedinjectSchemeand passed no nav — so blog pages ignoredSITE_SCHEME/SITE_MODEand had no menu. Now consistent with pages. - Config buttons invisible in light mode. The
.envcard's "Manage content →" and "Media →" werebtn-outline-light(white-on-white in light mode) → nowbtn-outline-secondary, readable in both.
0.59.0 - 2026-07-05
Added
- Guided first-run wizard. First run (no
.env) now walks through setup one step at a time — Name → Features → Appearance → Database → Email → Web admin → AI → Review & launch — with a progress bar, per-step validation (e.g. the web-admin email is required before you can continue), a live.envpreview, and steps that appear only for the features you turned on.--editkeeps the dense all-at-once form. - Light / Dark / Auto mode. A
SITE_MODEtoggle beside the color scheme: Auto follows the visitor's device, Light/Dark force it (data-themestamped server-side, no flash). Works with any scheme; the default theme honors forced dark. - Full-bleed content. A theme-side
.full-bleedutility (appended to every theme's/_theme.css) breaks a flagged block out of the readable column to full viewport width — a hero image or video — with no editor change.
0.58.1 - 2026-07-05
Added
- Web admin: "View site →" and "Restart" in the header. After an edit, one click opens the live site to check it (content + media changes are live instantly — no restart needed); Restart is there only for theme/settings changes.
- Config: a "Copy" button on the admin URL (just before Regenerate) that copies
the full admin URL (
SITE_URL+ path) to the clipboard.
0.58.0 - 2026-07-05
Added
- Scoped server actions in the web admin. The admin gains Update / Pull /
Restart buttons — a fixed whitelist of commands (
npx create-volt@latest update,git pull --ff-only, and a process restart), with output streamed live to the page. It is explicitly not a shell: the button name is a key lookup, no user string ever reaches a command. Lets an owner who can't SSH run the common server operations (update, pull content, restart under pm2/docker/systemd) without exposing arbitrary command execution.
0.57.0 - 2026-07-05
Added
- Color schemes. Eight curated palettes (Slate, Ocean, Indigo, Rose, Forest,
Amber, Mono, High-contrast), each with a light + dark set, chosen from a swatch
picker in the config (
SITE_SCHEME) and stamped on<html>server-side (no flash). A scheme swaps only the palette: every bundled theme (default, paper, midnight, classic) and thebusinesstemplate now share one token contract (--bg/--surface/--ink/--muted/--line/--brand/--brand-ink), so one theme × eight schemes = eight looks. The bare default keeps its automatic OS light/dark. volt-addon-admin— secure web admin. Manage content + media on the live site without shell access, at a secretADMIN_PATHbehind a hardened magic link: a one-time nonce, a same-browser challenge cookie (a secret planted in the browser that requested the link, which the click must present), and a device fingerprint — a link opened in a different browser/device is rejected. Signed stateless sessions, gated toADMIN_EMAIL, rate-limited, no account enumeration. Enable it in the config and it generates an unguessableADMIN_PATH+ a 256-bitADMIN_SECRETautomatically.
0.56.1 - 2026-07-05
Fixed
- Media library thumbnails / editor image previews showed as broken inside the
config. The config server served a fixed asset allowlist and had no
/media/route, so uploaded files 404'd in the config UI — even though they uploaded fine and render on the live site (the running app serves them viaexpress.static). The config now servespublic/media/<name>with a path-traversal guard.
0.56.0 - 2026-07-05
Added
- Full site templates.
--template businessscaffolds a complete multi-page site (Home, About, Products, Contact) with a sticky-nav theme, hero, product grid, CTA, and swap-your-own media slots — the "install a theme with demo content, then make it yours" experience. - Media library in the config. A new Media view uploads / browses / deletes
images and video (stored in
public/media/, served at/media/<name>) — a Bootstrap card grid with thumbnails, copy-URL, and delete. - Editor media, de-base64'd on save. RTEPro's built-in picker inlines "Choose
File" uploads as base64; on save they're extracted to
public/media/<hash>.<ext>(content-hash deduped) and thesrcrewritten to a/mediaURL, so pages stay lean and editor uploads land in the library.
Fixed
- Boolean attributes.
readonly=${false}(andrequired/multiple/hidden/…) now correctly turn the attribute OFF — any value, including the string"false", previously left it on.readonlyalso maps to thereadOnlyDOM property. - Hosted-token button. "Generate a free hosted token" shows its result inline next to the button, with a clear message when the gateway isn't reachable (was a silent failure buried in the status line).
default/server.jsnow importsnode:crypto— it had relied on the global Web Crypto, which has nocreateHash.
0.55.1 - 2026-07-05
Security
- Bump the scaffold's nodemailer pin
^6.10.1→^9.0.3. nodemailer <= 9.0.0 carries several high-severity advisories (email to an unintended domain, SMTP/CRLF command injection, addressparser DoS, improper TLS validation, file-read/SSRF). Apps that enable the mailer add-on now install the fixed 9.x — same createTransport/sendMail/verify API, no code change.
0.55.0 - 2026-07-05
Added
- Inline "Test" buttons for SMTP + AI in the config wizard — the result shows
right next to each button.
/setup/test-smtpverifies connection/auth (nodemailer, or a TCP reachability fallback);/setup/test-aidoes a 1-token live call to the provider key or the hosted gateway. The DB test result is inline now too.
0.54.0 - 2026-07-05
Added
- Config editor renders themed. The in-config WYSIWYG loads the active theme's
CSS (new
/setup/theme-css→ RTEProexportCSS), so pages look like the published site as you edit — new pages included.
Fixed
- Log analytics bot/attack counts were always 0 — they read
.bot/.attack, but mir-sentinel's parseLine returns.isBot/.isAttack. Fixed in--logs.
0.53.0 - 2026-07-04
Added
create-volt env— writes a documented.env.examplefor a deploying admin to fill in: every var grouped and commented, structural values (PORT, SITE_NAME, VOLT_ADDONS…) seeded from an existing.env, secrets left blank.--printto stdout,--forceto overwrite.
0.52.0 - 2026-07-04
Added
- Mailer accepts discrete SMTP vars. The mailer add-on builds its transport
from
SMTP_HOST/SMTP_PORT/SMTP_SECURE/SMTP_USER/SMTP_PASSwhenSMTP_URLis not set (secure defaults on for port 465), and resolves the From address asMAIL_FROM→SMTP_FROM→SMTP_USER. So a plain host/port/user/pass config works without composing a URL.
0.51.0 - 2026-06-30
Added
- Generate a hosted-AI token from the config. The wizard's AI section has a
Generate a free hosted token button: it self-registers with the voltjs.com
gateway (new public, rate-limited
POST /api/register) and writesVOLT_AI_TOKENto.envon Apply. One click to the free-capped/pay-as-you-go hosted tier when you have no key of your own.
0.50.0 - 2026-06-30
Added
- Config editor AI falls back to the hosted gateway. With no local provider
key,
/setup/airoutes through the voltjs.com gateway viaVOLT_AI_TOKEN(free-capped, then pay-as-you-go on the host's key); a local key still wins (BYO). Clear error when neither is set. The gateway now honors the client's stream preference, so the editor gets a normal JSON response.
0.49.0 - 2026-06-30
Added
- AI in the config editor. The embedded RTEPro editor's AI button now works:
a new
/setup/aiproxy injects the.envprovider key server-side (Anthropic / OpenAI / Gemini, BYO) and RTEPro is wired to it via aiProxy. The key never reaches the browser. (Set ANTHROPIC_API_KEY etc. in the app's .env.)
0.48.3 - 2026-06-29
Fixed
- Unreadable text in the dark config. The wizard never set Bootstrap's
data-bs-theme, so muted/secondary text (feature descriptions, hints) was colored for a light background and vanished on the dark cards. It now tracks the light/dark toggle, so all Bootstrap text is readable in both modes.
0.48.2 - 2026-06-29
Changed
- Config is desktop-only, so the editor view is now much wider (up to
min(1200px, 95vw)) while settings stay a readable 720px — view-responsive.
0.48.1 - 2026-06-29
Changed
- Config WYSIWYG loads RTEPro at a major-version float (
@1) instead of a pinned patch, so RTEPro 1.x updates flow without a create-volt release. Dropped the marked dependency entirely — RTEPro takes markdown directly via setMarkdown().
0.48.0 - 2026-06-29
Added
- WYSIWYG editor in the config. Manage content embeds the RTEPro rich editor (loaded from CDN) instead of a raw textarea — visual editing, shell-gated, no public route or auth. Opens markdown rendered to HTML, saves markdown (or HTML for complex layouts), with a title field beside the slug.
0.47.0 - 2026-06-29
Added
- Config shows the create-volt version at the top, always; with
(X available)- an Upgrade button when behind,
(up to date)otherwise.
- an Upgrade button when behind,
- Light-mode switcher in the config wizard (top-right; persists; defaults to dark).
Fixed
- Content-editor textarea showed a template placeholder instead of the page body — now binds the body via the value property.
0.46.0 - 2026-06-29
Added
updateself-healsserver.jsstartup-log encoding. Older scaffolds had byte-corrupted bolt/arrow/ellipsis/dash characters in their console logs;create-volt update(and the config wizard Upgrade button, which runs it) now surgically repairs them — rewriting the brand log lines to plain ASCII and swapping the corrupted byte-runs — with no change to your logic.
0.45.1 - 2026-06-29
Fixed
- .env inline comments.
KEY=value # notenow parses tovalue(trailing comment stripped); quoted values stay literal. Previously the comment became part of the value.
0.45.0 - 2026-06-29
Added
- Buy AI credits from the config wizard. When an app uses the hosted gateway
(
VOLT_AI_TOKENset), the--editwizard shows an AI credits card — live balance + tier, and top-up buttons that open Stripe Checkout. The purchase flow lives in the (shell-gated) config only; the running app never exposes it. Proxied via/setup/ai-credits+/setup/ai-credits/checkoutto the gateway.
0.44.0 - 2026-06-29
Added
--logs— a built-in log viewer on its own localhost port (like--studio):npm run logs. Tails pm2 stdout/stderr out of the box; an Analytics tab parses Apache/nginx access logs viamir-sentinel(optional dep) → top paths/status/IPs + bot/attack counts. Add more sources (other apps, servers, mounted/tunneled paths) right in the viewer — saved to.volt/logs.json. Localhost-only; SSH-tunnel the port for a remote box.
0.43.0 - 2026-06-29
Added
- Upgrade from the wizard. Scaffolds record their version in
.volt/version; the--editwizard checks npm and shows an "create-volt X available" notice with a one-click Upgrade button (runsnpx create-volt@latest update). updaterefreshes everything framework-owned — vendored runtime (volt.js,volt-ssr.js), the setup wizard, and bundled add-ons + themes (was justvolt.js). Yourserver.js+ content are left untouched.- Simpler AI setup. The wizard AI section is clearly optional with a per-provider Get a key → link (Anthropic / OpenAI / Gemini); leave it blank and the editor works without AI.
0.42.0 - 2026-06-29
Added
- Content manager in the config wizard.
npm run dev -- --edithas a Manage content → view: list, create, edit (raw markdown), and delete pages- posts, via new slug-validated
/setup/content*endpoints. The config page is a content dashboard now, not just settings.
- posts, via new slug-validated
Fixed
- Garbled characters in startup logs. The
⚡/→/…/—in server logs and source comments had been byte-corrupted (mojibake) by an earlier tooling pass. Console output is now clean ASCII ("Volt at http://…", "Volt setup at …").
0.41.0 - 2026-06-29
Added
- PM2 support. Scaffolds ship
ecosystem.config.cjs+ scripts:npm run pm2(start under pm2 — fetched via npx if not installed, or uses your global pm2),pm2:restart(clean reload, no port clash),pm2:logs,pm2:stop. npm run devon an already-running app reloads it instead of crashing. A second start detects the in-use port, pings the running instance's new/__volt/reloadroute to refresh browsers, prints a note, and exits 0 — no moreEADDRINUSEstack trace.
0.40.0 - 2026-06-29
Added
- Themed front page.
pages/index.mdnow takes over/(rendered in your theme), so a content site's home matches the rest of the site instead of showing the demoviews/index.html. With nopages/index.md,/stays the app's index.html. (Answers: "I chose a theme but the home page was unchanged" — the theme styles pages/posts; the home needs to be a page.)
0.39.1 - 2026-06-29
Fixed
- Scaffolding was broken in 0.37.0–0.39.0. The bundled
themes/dir is copied into new apps, but it was never added to the packagefiles, so it was missing from the npm tarball andnpm create voltcrashed withENOENT … create-volt/themes. Addedthemestofiles, and guarded the bundled-dir copy (addons/themes) so a missing dir is skipped, never fatal. Verified by scaffolding from the packed tarball.
0.39.0 - 2026-06-29
Fixed
- Hot reload now reaches content pages. Pages/posts are server-rendered HTML
that dont load
volt.js, so the 0.38 morph client never ran on them. In dev, thepages/postsadd-ons now inject the hot-reload client (socket.io +volt.js) into every served page. Verified with Chromium: editing a post morphs the DOM in place — scroll position and page state preserved, no full reload. Nothing is injected in production.
0.38.0 - 2026-06-29
Added
- Smart hot reload (live DOM morph). Editing markdown / HTML / templates now
patches only the changed DOM nodes instead of a full page reload — focus, caret,
scroll, and untouched subtrees survive. CSS edits swap the stylesheet in place;
JS edits (and client-rendered
#apppages) still do a full reload, and any morph error falls back to one. The watcher tells the client which file changed. - Themes hot-reload in dev. Editing
_theme.js/_theme.css/ a bundled theme now reflects immediately — theme imports are mtime cache-busted in dev (previously a restart was needed). Pages + posts share the live resolver (themeResolver).
0.37.0 - 2026-06-29
Added
- Bundled themes + a wizard theme picker. create-volt ships paper/midnight/
classic under
.volt/themes; the setup wizard has a Theme dropdown (no npm needed) with a Customize button that copies the chosen theme topages/_theme.jsfor editing.THEMEnow also resolves bundled themes. - More wizard settings:
SITE_NAME,SITE_URL,CONFIG_PORT, and optional AI keys (AI_PROVIDER+ Anthropic/OpenAI/Gemini key — written to.env, kept server-side). CONFIG_PORTdefaults to 5050 for the--edit/--studioconfig UI, so it never collides with a running app.- Inject
<script>tags for third-party libs: per-page front-matterscripts:(comma-separated URLs) and/or a site-wideSITE_SCRIPTSenv, loaded deferred (works on pages + posts).
0.36.0 - 2026-06-29
Added
--port <n>andCONFIG_PORT.--portoverrides the listen port for any run;CONFIG_PORTin.envgives the--edit/--studioconfig UI its own port, so it never collides with a running app. An in-use config port now prints a clear hint instead of a rawEADDRINUSEstack.- Hot reload watches
pages/andposts/. Editing markdown content now reloads the browser (content is read per request, so the edit shows). Theme files (_theme.js) still need a restart — ES modules cache.
Fixed
- The
blog+docstemplates had drifted fromdefaultsserver.js/wizard and silently missed recent fixes (including the hot-reload watcher). Re-synced, with a test that fails if they drift again.
0.35.0 - 2026-06-29
Fixed
- Setup wizard: dependency add-ons now show as checked. Enabling
authpulls indb+mailer(its dependencies), which were added toVOLT_ADDONSbut whose checkboxes stayed unchecked — so the generated.envlooked like it had add-ons you never picked. Pulled-in dependencies now render checked + disabled with a "required by" note, so the checkboxes always match VOLT_ADDONS.
0.34.0 - 2026-06-29
Added
- Timezone detection. The setup wizard detects the admin's timezone from
their browser (
Intl) and writesSITE_TZto.env. Thepostsadd-on then renders full timestamps inSITE_TZrather than the server's zone (usually UTC on a host); date-only values render as that calendar day either way.
0.33.0 - 2026-06-29
Added
- Two content templates showcasing the pages/posts/theme system:
--template blog(markdown posts → /blog, categories, tags, RSS, an /about page, per-post SEO, a serif theme) and--template docs(markdown pages in a sidebar layout). Both ship a pre-configured.envand boot straight into the app — no wizard.
Fixed
- Dark-on-dark text in the default + starter apps:
.text-mutedis overridden to a readable color on the dark background (the demo footer caption was dropped). posts:YYYY-MM-DDdates render on the correct day (parsed as local, not UTC).
0.32.0 - 2026-06-29
Changed
- Brand refresh: the ⚡ glyph is replaced with the Volt logo across the demo
app, the setup wizard, and Studio; scaffolded apps now ship
logo.webp+favicon.webpand link a favicon (so apps get a real tab icon). README titles keep the ⚡.
0.31.0 - 2026-06-29
Added
postsadd-on — a blog (the WordPress content model). Markdown inposts/becomes a paginated index at/blog, single posts at/blog/<slug>, plus/category/<name>,/tag/<name>, and an RSS feed at/feed.xml. Posts carry date/author/category/tags front-matter (date can also come from aYYYY-MM-DD-filename prefix); drafts (draft: true) are skipped. Renders in the site theme and reuses pages' SEO — single posts get an auto Article JSON-LD +og:type=article. Depends on thepagesadd-on. New/docs/posts.
0.30.0 - 2026-06-29
Fixed
- Setup wizard: typing in a settings field no longer drops focus. The
conditional sections (DB-driver fields, S3 fields) read the whole
state()signal, so every keystroke re-rendered the section and recreated the<input>, losing focus. They now key on memoized primitive derivations (dbDriver,mediaDriver,hasDb/hasMailer/hasMedia) so a section re-renders only when its discriminant changes. volt.js: reactivevaluebindings skip redundant DOM writes.setAttrno longer reassignsnode.valuewhen it already equals the new value — those writes were resetting the caret to the end while typing. Benefits every Volt app, not just the wizard.
0.29.0 - 2026-06-29
Fixed
- Date-derived default port is now valid year-round. For Oct–Dec the
readable YY+M+DD form is 6 digits (e.g.
261010) and exceeds the max TCP port 65535, so create-volt previously refused to scaffold without--port. It now falls back to a deterministic in-range port1024 + (YYYYMMDD % 64512)when the readable form overflows; Jan–Sep keep the readable port unchanged. Extracted tolib/date-port.jsand unit-tested.
0.28.0 - 2026-06-29
Fixed
- Wizard Test connection now installs the selected DB driver on demand
(mongodb / mysql2 / pg, at the pinned version) before testing — it used to fail
with "
isn't installed" because the package is only added on Apply. Also adds the missing spawnSyncimport.
0.27.0 - 2026-06-29
Fixed
- Reactive crash on conditional re-render (
volt.js) — a signal write notified a snapshot of subscribers, so a parent reactive block that disposed a nested one mid-update would still run the stale nested effect on detached DOM ("Cannot read properties of null (reading 'insertBefore')"). Disposed effects now skip their queued run, andrenderRangeguards against a detached range. Fixes the setup wizard crashing when toggling add-ons or changing the DB driver. Regression-tested in the headless-browser suite.
0.26.0 - 2026-06-29
Added
- Themes / shared layout for the
pagesadd-on — pages render into a layout: (1)pages/_header.html+_footer.htmlpartials (no code); (2) a localpages/_theme.jsexportinglayout({ title, head, content, meta })(+ optionalcss); (3) a third-partyvolt-theme-<name>package selected withTHEME=<name>.create-volt create-theme <name>scaffolds one. Resolution: THEME → local_theme.js→ built-in default. - One stylesheet for page + editor — the active theme's CSS is served at
/_theme.css(a theme'sexport const css, orpages/_theme.css, or the default). Pages link it, and the WYSIWYG editor loads it into RTEPro'sexportCSS, so the preview matches the published page — CSS authored once. - Site-wide OG image default —
OG_IMAGEin.envis theog:imagefor pages without a per-pageimage.
0.25.0 - 2026-06-29
Added
- Per-page SEO on the
pagesadd-on — front-matter now drives the page head:description(meta description + og:description),image(og:image),type(og:type),canonical, andjsonld(a one-line JSON string rendered into a validated<script type="application/ld+json">block, with<escaped to prevent breakout). Open Graph + Twitter + JSON-LD per page — the Yoast-style SEO a migrated WordPress site expects.volt-addon-editor0.4.0 adds a SEO panel to set these from the editor.
0.24.0 - 2026-06-29
Added
- The
pagesadd-on now supportsformat: htmlin front-matter — those pages are served verbatim (no markdown processing), so rich/complex layouts (e.g. from the WYSIWYG editor) are preserved losslessly. Plain markdown pages are unchanged. (volt-addon-editor0.2.0 now storesgetHTML()withformat: htmlso editor layouts round-trip exactly.)
0.23.0 - 2026-06-29
Added
- Plugin context now includes
requireAuthandsessionFromReq(when the auth add-on is on) so third-party add-ons can gate routes by login. Purely additive — no change to defaults or security posture.
Note
- New companion package
volt-addon-editor(separate npm package): a standing, role-gated RTEPro WYSIWYG editor that writes markdown pages. Mounts only ifADMIN_PATHis set (fail-closed), behind magic-link auth + anADMIN_EMAILSallowlist; the secret path is obscurity on top of auth, never instead. The AI key stays server-side via a key-injecting proxy. The core stays no-standing-admin by default — install only where you want it (npx create-volt add editor). See/docs/editor.
0.22.0 - 2026-06-29
Added
- Third-party add-ons (plugins) — the WordPress-plugin equivalent. Any
VOLT_ADDONSentry that is not built-in is loaded from a local.volt/addons/<name>/index.jsor an installed npm packagevolt-addon-<name>, and wired via a singleregister(ctx)export (ctx = app, express, io, store, mailer, env, log). Install functionality as small, owned packages instead of dashboard plugins.create-volt add <name>— installvolt-addon-<name>and enable it.create-volt create-addon <name>— scaffold a publishable add-on package.- New
/docs/plugins.
Fixed
availableAddons()tolerates add-on directories withoutmeta.json(so local third-party add-ons do not break the wizard).
0.21.0 - 2026-06-29
Added
import-wp-db— import WordPress content by reading its MySQL/MariaDB database directly, for when the REST API is disabled but you have DB access (on the server or via an SSH tunnel).--prefixfor non-default table prefixes (validated against SQL injection); creds viaWP_DB_URLto keep them out of shell history;mysql2loaded lazily. Reuses the WXR converter; unit tested with an injected connection. Third migration path alongsideimport-wp(REST) andimport-wxr(file).
0.20.0 - 2026-06-29
Added
import-wp— fully-automated WordPress import over the REST API.npx create-volt import-wp <https://site>pulls published posts + pages directly (paginated) into markdownpages/— no export file, and no credentials for public content. Drafts/private need an Application Password viaWP_USER+WP_APP_PASSWORD(Basic auth, sent only over HTTPS, never logged). Falls back toimport-wxrif the REST API is disabled. Reuses the WXR→markdown converter; unit-tested with a mocked fetch./docs/migrateupdated to lead with the automated path.
0.19.0 - 2026-06-29
Added
import-wxr— WordPress importer.npx create-volt import-wxr <export.xml>converts a WordPress WXR export into markdown pages: published pages + posts →pages/<slug>.mdwith front-matter (title, date, tags), Gutenberg block comments stripped, body kept as HTML/markdown; drafts + attachments skipped; slugs sanitized + de-duplicated. Flags:--out <dir>,--drafts,--force. Zero-dep parser (WXR is a consistent format); unit-tested. Lowers the cost of moving off WordPress. New/docs/migrate.
0.18.0 - 2026-06-29
Added
- Volt SSR —
volt-ssr.js, a tiny server-side renderer: render the samehtml/h()markup and signal values to an HTML string in Node (${values}escaped by default,raw()for trusted HTML) viarenderToString. Ships in every template, so a scaffolded app can be server-rendered for SEO + fast first paint and hydrate withvolt.json the client. The Volt site itself is now built with it — marketing pages as Volt components, docs as markdown rendered withraw(), the whole page composed byrenderToString.
0.17.0 - 2026-06-29
Added
- PaaS deploy targets — every scaffold now ships a
Dockerfile,.dockerignore,render.yaml,fly.toml, andProcfile, so a Volt app deploys to Render / Fly.io / Railway / DO App Platform (which handle the server, DNS, and TLS) with config supplied as platform env vars. New/docs/deployguide covering the PaaS and PM2+nginx paths.
Changed
- The server boots straight into app mode (no setup wizard) when
NODE_ENV=productionorVOLT_ADDONSis set via env — so a container/PaaS runs the app from platform env vars without a committed.env.
0.16.0 - 2026-06-29
Added
mediaadd-on — file uploads with a swappable storage driver:local(disk, served at/media) ors3(any S3-compatible store: AWS S3, DigitalOcean Spaces, …).POST /api/mediais auth-gated (depends on the auth add-on); uploads are size-capped (MEDIA_MAX_MB, default 10), restricted to raster images + PDF (SVG rejected), stored under a random key, and returned as a public URL. Driver + S3 settings are configured in the setup wizard. Pulls inbusboy(and@aws-sdk/client-s3whenMEDIA_DRIVER=s3), both tracked by the dependency auto-updater and exercised by the smoke gate.
0.15.1 - 2026-06-29
Fixed
volt.jsno longer toucheswindowat import time — the hot-reload client is guarded withtypeof window, so the library is safe to import in Node (SSR, tests), not just the browser.
Changed
- The
pagesadd-on importsexpress/markedlazily (only when mounted), so its pure helpers load without those packages present.
Added (repo tooling — not shipped in scaffolded apps)
- A
node --testunit suite (reactive core, memory store, pages helpers), asmokescript (scaffold → install → boot → hit endpoints), a CI workflow, and a smoke-test gate on the dependency auto-updater: a version bump is committed only if unit tests + smoke pass on the bumped versions.
0.15.0 - 2026-06-28
Added
pagesadd-on — markdown pages, no database and no admin. Drop.mdfiles inpages/and each is served as HTML at/<slug>; front-mattertitle:sets the page title. Author them in your editor or with AI. Pulls inmarked(added on enable, tracked by the dependency auto-updater); thepages/directory is auto-created with a sample on first run. Mounted last, so your own app routes always win.
0.14.0 - 2026-06-28
Changed
- Adopted the most-secure admin model: ephemeral, shell-only. Removed the
persistent role-gated
adminadd-on (from 0.13.0). There is now no web admin anywhere — the data browser is the ephemeral, localhost-only--studio, and config is--edit; both are shell/SSH-gated. SECURITY.md updated to state this as a core property.
Added
- Dependency auto-update:
scripts/update-deps.mjs+ a weekly GitHub Action bump create-volt's pinned dependency floors to the latest within the current major (never a breaking major). Repo-only — scaffolded apps are untouched. - Refreshed floors: express ^4.22.2, socket.io ^4.8.3, mongodb ^6.21.0, mysql2 ^3.22.5, pg ^8.22.0, nodemailer ^6.10.1.
0.13.0 - 2026-06-28
Added
- Opt-in
adminadd-on: a persistent, role-gated web admin (data browser) for browser-only admins. Gated by auth and anADMIN_EMAILSallowlist; the panel is hidden for non-admins and/admin/api/*returns 403. Internal collections (auth tokens/sessions) hidden. Wired into the default + starter templates and the setup wizard (ADMIN_EMAILS field). SECURITY.mddocumenting the ephemeral-admin model and secure defaults.
Note
- Prefer the ephemeral
--studio(shell-gated) for admins with server access; theadminadd-on is the explicit standing-surface opt-in for non-shell admins.
0.12.0 - 2026-06-28
Added
--template starter— a complete, no-build app shell, fully wired and on out of the box: top nav over Home, magic-link Account, per-user Notes (auth-gated CRUD, db-backed), and Chat (realtime rooms + presence- typing). Ships a default
.envenabling db+mailer+auth+realtime; includes the setup wizard (--edit) and Studio (--studio). The SaaS-style starting point.
- typing). Ships a default
- Templates can now ship a default
.env(asenv, renamed on scaffold).
0.11.0 - 2026-06-28
Added
create-volt studio(andnpm run dev -- --studio) — an ephemeral, localhost-only data browser, à la Prisma Studio. Browse collections and documents across any driver (memory / MongoDB / MySQL / Postgres) and delete docs. It's never a route in the running app — it exists only while you run it, binds127.0.0.1, and disappears on Ctrl-C (shell/SSH access is the auth). Internal collections (auth tokens/sessions) are hidden.- Stores gained
collections()(enumerate collection names) on every adapter.
Security
- Admin/data surfaces are ephemeral by design — no standing
/adminroute in the running app to attack (verified: the app 404s admin routes). Same model as the config editor: on-demand, loopback-only, gone when the app runs.
0.10.0 - 2026-06-28
Added
- Frontend UI for the user-facing add-ons, auto-mounted when enabled:
- auth → a magic-link sign-in panel (email → link → signed-in state)
- realtime → a live chat panel (rooms, presence, typing, messages)
Each add-on serves its own
/<name>-ui.js(only when enabled);public/app.jsmounts them alongside the demo. The server exposesGET /__volt/addons.
Security
- Security headers on every response:
X-Content-Type-Options: nosniff,X-Frame-Options: SAMEORIGIN,Referrer-Policy: same-origin,X-Powered-Byoff. - Hardened forms: typed / length-capped / autocompleted inputs; all user content
renders through Volt holes (text nodes — HTML-escaped, no innerHTML); server
validation + caps (email ≤ 320, chat ≤ 500);
.envvalues stripped of newlines; session cookiesHttpOnly+SameSite=Lax.
0.9.0 - 2026-06-28
Changed
- The setup wizard is now the single place to configure an app, and it shows
all add-ons: tick db/auth/realtime/mailer + fill their settings. Enabling
is pure config — Apply writes
.env(aVOLT_ADDONSlist + settings) and adds any needed packages topackage.json+ runsnpm install, then starts the app, which auto-wires whatever.envenables (auth routes, realtime sockets, db). Add-on code ships bundled under.volt/addons; nothing is copied into yourlib/. create-volt confignow just opens that in-app wizard (server.js --edit) — one implementation, localhost-only (shell/SSH access is the auth).
Removed
- The standalone create-volt config page and its
--host/key flags (superseded by the in-app wizard, which is localhost-only + SSH-tunnel for remote).
Note
- Backend of an enabled add-on is wired automatically; the frontend UI (login
form, chat) is yours to build — or start from
--template guestbook.
0.8.0 - 2026-06-28
Added
- First-run setup wizard baked into the app: on first run (no
.env) or withnpm run dev -- --edit(-e),server.jsserves a disposable local config page; click Apply and it writes.env, loads it, and starts the app in-process — the setup page then disappears. It self-detects which add-ons are present and only asks for their settings. - Auto-open browser on first run (and prints the link); skips opening on
headless/remote boxes (no
DISPLAY). Opt out with--no-open/VOLT_NO_OPEN. --startflag forcreate-volt: scaffold, then launch the dev server (which opens the setup page) in one go..envauto-loader in templates — nonode --env-fileneeded; reads the file directly, so it behaves identically on Windows/PowerShell.- Test connection button in the wizard: actually connects with the entered DB credentials before you save.
Changed
create-volt configis localhost-only by default (shell/SSH access is the auth — no key). Expose on a LAN with--host 0.0.0.0, which then mints a key.
0.7.0 - 2026-06-28
Added
create-volt config— a disposable, key-gated local page (built with Volt) for add-ons. Tick the add-ons (or All), fill settings (DB driver/URL, SMTP, port), then Apply: it copies the add-on files into the app and writes.env, and shows copy-able install + wiring. Prints localhost and LAN links plus an SSH-tunnel hint for remote/headless boxes; a random key gates the page and the apply endpoint. Dependency-free (node:http). Run apps withnode --env-file=.env.
Removed
- The
create-volt addcommand (from 0.6.0) — applying add-ons now happens throughcreate-volt config, which both copies files and writes.env.
0.6.0 - 2026-06-28
Added
create-volt add <integration>— layer composable add-ons into an existing app instead of cloning whole templates. Copies self-contained files and prints the wiring (never edits your code); supports--dry-runand--force, andcreate-volt addwith no name lists what's available. Integrations:db— document store over memory / MongoDB / MySQL / Postgresmailer— console (dev) / SMTP (prod) emailauth— magic-link login + sessions (builds on db + mailer)realtime— Socket.io chat with rooms, presence, and typing
0.5.0 - 2026-06-28
Added
- Multiple starter templates via
--template <name>. The default stays the Counter + Todos demo;--template guestbookscaffolds a full real-world app: magic-link auth, Socket.io real-time, and pluggable MongoDB / MySQL / Postgres storage (with an in-memory dev fallback so it runs with no setup).
Changed
- Templates now live under
templates/<name>/(was a singletemplate/). - The "files created" summary is derived from the chosen template.
0.4.0 - 2026-06-28
Added
create-volt updatecommand: refreshpublic/volt.jsin an existing app to the library version bundled with create-volt. Runnpx create-volt@latest updateinside an app. Only touches the library file — never yourapp.js,server.js, or chosen port. Supports--dry-runto check without writing.
0.3.2 - 2026-06-28
Changed
- Scaffolded apps'
README.mdnow has a Dev port section explaining the date-derived port and how to override it (PORTenv /--port). - Package README shows
--portdirectly in the Usage block.
0.3.1 - 2026-06-28
Changed
- Internal: releases now publish from GitHub Actions via npm Trusted Publishing (OIDC, with provenance) — no functional changes to scaffolded apps.
0.3.0 - 2026-06-28
Added
--port <number>flag to set the new app's dev port.- The dev port now defaults to the creation date (two-digit year + month +
two-digit day, e.g.
2026-06-28→26628), so apps scaffolded on different days don't collide. The chosen port is stamped into the generatedserver.js.
0.2.0 - 2026-06-28
Added
- Git auto-init: scaffolded apps start as a git repository with an initial
commit (
--no-gitto skip). --dry-runflag: preview the files and actions without writing anything.
0.1.0 - 2026-06-28
Added
- Initial release. Scaffolds a no-build, signals-based Volt app: the
volt.jslibrary, a Counter + Todos demo, an Express + Socket.io dev server with file watching and full-page hot reload. Supports--skip-installand--force, and auto-detects npm / pnpm / yarn / bun for the install step.