Enterprise readiness

Zoijs @zoijs/core 1.x is ready to depend on: a stable, frozen, fully-typed, secure-by-default core with a sharp optional ecosystem around it. This page is the sign-off. Every criterion is met, and each one points to where it is enforced: a CI gate, a test, an RFC, or a published policy, not just a promise.

"Enterprise-ready" here means disciplined completion — a small surface you can fully understand, defended by automated checks, with the maturity (versioning, security, support) a team needs. What Zoijs deliberately doesn't build is part of the guarantee.

Everything marked enforced in CI runs on every push and pull request (npm test, npm run test:types, npm run test:browser).

Stable, versioned API

  • Nine functions, frozen for 1.x — the whole core, learnable in one sitting. See Core API and API Reference.
  • Semantic Versioning with a published deprecation policy — within 1.x, upgrades are always additive and safe.
  • Every change is RFC-gated: effect, boundary, devtools, and SSR each shipped through an accepted RFC. Nothing is added by accident.
  • Type-checks pass for every package in CI.

Security

  • Secure by default — dynamic text is inert, URL attributes use a scheme allowlist, handlers must be functions, and there is no raw-HTML rendering API. See Security.
  • Tested, not assumed — an XSS corpus plus a real-browser CSP / Trusted-Types gate run in CI.
  • One escaping implementation — server rendering reuses the exact client predicates, so output is identical. See Server Rendering.
  • No eval / new Function anywhere; a private disclosure policy with a 72-hour acknowledgement target.

Testing

  • 150 core unit/DOM tests, plus real cross-browser tests (Chromium, Firefox, WebKit) on every push.
  • Type tests and a first-party testing package that drives the real DOM — no custom renderer, zero dependencies.

Performance

  • No Virtual DOM — one value changes, one DOM node updates; setup runs once. See Performance.
  • Minimal DOM moves on reorder (a longest-increasing-subsequence pass), proven by move-count tests.
  • A gzipped-size budget (≤ 16 KB for the client core) is enforced in CI — a careless dependency or a big feature fails the build.

Supply chain

  • Zero runtime dependencies, enforced by a CI gate, across every package.
  • Star topology — each optional package depends only on @zoijs/core, never sideways.
  • No build step — the published package is its source; it runs from a single <script type="module">.
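A sketch of what a gate for the first two items can check, as an added example that is not the project's own CI code. It assumes optional packages reference the core through `dependencies` or `peerDependencies`; the function name `checkManifests` and the `@zoijs/example-*` package names are hypothetical, and the manifests are constructed sample data.

```javascript
// Added example: supply-chain gate over package.json manifests.
// Rule 1 (zero runtime dependencies): the core lists none at all.
// Rule 2 (star topology): any other package may list only @zoijs/core.
// devDependencies are ignored because they are not installed by consumers.
const CORE = "@zoijs/core";
const RUNTIME_FIELDS = [
  "dependencies",
  "peerDependencies",
  "optionalDependencies",
  "bundledDependencies", // npm accepts both spellings; the value is an array
  "bundleDependencies",
];

function checkManifests(manifests) {
  const violations = [];
  for (const m of manifests) {
    for (const field of RUNTIME_FIELDS) {
      const value = m[field];
      if (value == null) continue;
      const names = Array.isArray(value) ? value : Object.keys(value);
      for (const dep of names) {
        if (m.name === CORE) {
          violations.push(`${m.name}: core must have no runtime deps, found ${dep} in ${field}`);
        } else if (dep !== CORE) {
          const kind = dep.startsWith("@zoijs/") ? "sideways" : "third-party";
          violations.push(`${m.name}: ${kind} dependency ${dep} in ${field}`);
        }
      }
    }
  }
  return violations;
}

// Constructed sample manifests (hypothetical package names).
const sample = [
  { name: CORE, devDependencies: { typescript: "^5.0.0" } },
  { name: "@zoijs/example-a", peerDependencies: { [CORE]: "^1.0.0" } },
  { name: "@zoijs/example-b", dependencies: { [CORE]: "^1.0.0", "@zoijs/example-a": "^1.0.0" } },
  { name: "@zoijs/example-c", dependencies: { "left-pad": "1.3.0" } },
];

// A CI job would fail the build when this list is non-empty.
for (const v of checkManifests(sample)) console.log(v);
```
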

Documentation

Platform & operability

  • Modern browser support, verified in CI.
  • TypeScript definitions with generics, including the /server and /devtools subpaths.
  • Optional server rendering and a dev-only reactive-graph inspector.
  • Production-scale reference apps — a task board, an admin dashboard, and a contacts CRM, each built from plain files.

Governance & support

  • A published support & LTS policy: the current major is actively maintained, and a future major would keep the previous line on security fixes for at least six months.
  • A contribution process (with the RFC workflow), a code of conduct, changelog discipline, and an explicit roadmap and scope.

What Zoijs deliberately does not build

Maturity is also what a framework refuses to add. Each of these is a recorded decision that keeps the surface small and the security model intact:

  • No Virtual DOM, no build step, no JSX, no global store, no providers/context.
  • No @zoijs/auth, @zoijs/query, @zoijs/ui, @zoijs/charts, @zoijs/http, or @zoijs/cli — these are recipes or the platform, not packages.
  • No plugin system, no runtime template compilation, no eval.

The discipline to say no is why the list above can stay short and fully green.

The full, link-by-link evidence map lives in docs/enterprise-readiness.md in the repository, where each item links to the exact gate, test, or policy that enforces it.

Next: Roadmap.