Enterprise-Grade Node.js Web Framework

-blue.svg)

Quick Start • Documentation • Examples • API Reference

Beta Version

Overview

XyPriss is an Enterprise-Grade Hybrid Web Framework that combines the raw performance of compiled native binaries with the productivity and flexibility of TypeScript. It is designed for teams that require both operational speed and developer velocity, without compromise.

🛡️ Security Briefing: XyPriss enforces "Secure by Default" architecture. Core variables are protected by a native Environment Security Shield that blocks direct process.env access to prevent leakage, alongside a built-in, zero-dependency storage system (XEMS) and high-speed Go-powered networking (XHSC).

Cross-Platform Foundation

XyPriss ships pre-compiled native binaries for all major platforms. No additional toolchains, compilers, or runtime dependencies are required.

| OS | Architecture | Status | | ----------- | ----------------------- | --------- | | Linux | x86_64 (AMD64) | Supported | | Linux | aarch64 (ARM64) | Supported | | Windows | x86_64 (AMD64) | Supported | | Windows | aarch64 (ARM64) | Supported | | macOS | x86_64 (Intel) | Supported | | macOS | aarch64 (Apple Silicon) | Supported |

Architecture

At the center of XyPriss lies XHSC (XyPriss Hyper-System Core) — the native engine responsible for low-level HTTP networking, high-speed radix routing, filesystem operations, real-time system telemetry, and inter-process communication. XHSC is written in Go for maximum portability and ships as a single statically-linked binary per platform with zero external dependencies.

The framework operates on a layered architecture:

1. XHSC (Native Engine): Handles the HTTP/S stack, advanced radix routing, filesystem I/O, process monitoring, and real-time hardware telemetry. It acts as the high-speed gateway for all incoming traffic and system operations.
2. Node.js Runtime: Provides the enterprise-ready application layer where developers define business logic, security middleware, and data processing pipelines using TypeScript.
3. XFPM (XyPriss Fast Package Manager): A high-performance, Rust-powered package manager optimized for the XyPriss ecosystem. Provides ultra-fast dependency resolution, extraction, and caching. Learn more about XFPM.

This separation allows each layer to operate in its optimal domain: compiled native code for performance-critical paths, TypeScript for rapid application development.

Core Features

• XHSC Native Engine — Statically-linked system core with multi-core clustering, IPC bridge, and high-precision hardware telemetry across all supported platforms.
• XEMS Session Security — AES-256-GCM encrypted in-memory session store powered by a dedicated native Golang sidecar. Provides opaque tokens, per-request atomic rotation, sandboxed namespaces, and optional hardware-bound persistence — with zero external dependencies.
• Security-First Architecture — 12+ built-in security middleware modules including CSRF protection, XSS prevention, and intelligent rate limiting.
• Advanced Radix Routing — Ultra-fast routing system capable of complex path matching with microsecond latency.
• Real-Time System Intelligence — Native access to CPU, memory, disk, network, battery, and process metrics directly from the application layer.
• Filesystem Engine — High-performance file operations including recursive copy, directory sync, content hashing, duplicate detection, and real-time file watching.
• File Upload Management — Production-ready multipart/form-data handling with automatic validation and error handling.
• Environment Security Shield — Military-grade protection for sensitive variables. Direct process.env access is masked via a native Proxy to prevent accidental leakage, forcing the use of secure, typed APIs.
• Built-in DotEnv Loader — Zero-dependency, ultra-fast .env parser with automatic support for .env, .env.local, and .private/.env.
• Extensible Plugin System — Permission-based plugin architecture with lifecycle hooks and security controls.
• Native Production Integration — Built for automated deployments and SSL management via XyNginC.
• Multi-Server Support — Run multiple server instances with isolated configurations and security policies.

We strongly recommend using the XyPriss CLI (xyp) for the fastest and most reliable developer experience.

Refer to the Installation Guide for detailed platform-specific instructions.

Quick Install (Unix)

curl -sL https://xypriss.nehonix.com/install.js | node

Once installed, you can manage your project dependencies with ultra-high performance:

# Install XyPriss in your project
xyp install xypriss

Alternatively, using standard package managers:

xfpm i xypriss
# or
yarn add xypriss

For additional security features:

xfpm install xypriss-security

Quick Start

Using CLI

xfpm init
cd my-app
xfpm dev # or xyp dev (both are the same)

Manual Setup

import { createServer } from "xypriss";

const app = createServer({
    server: { port: 3000 },
    security: { enabled: true },
});

app.get("/", (req, res) => {
    res.json({ message: "Hello from XyPriss" });
});

app.start();

Complete Quick Start Guide

Documentation

Getting Started

• Quick Start Guide - Installation and basic setup
• XFPM Guide - Using the XyPriss Fast Package Manager
• Examples - Practical code examples
• Features Overview - Comprehensive feature list

Security

• Security Overview - Security features and best practices
• XEMS — Secure Sessions & Temporary Storage - AES-256-GCM encrypted sessions, OTP flows, token rotation
• Route-Based Security - Per-route security policies
• Request Signature Auth - API key authentication
• CORS Configuration - Advanced CORS with RegExp patterns

Plugin System

• Plugin Development - Creating plugins
• Plugin Hooks - Available lifecycle hooks
• Plugin Permissions - Security and permissions
• Console Intercept Hook - Console monitoring

Advanced Topics

• XJson API - Advanced JSON serialization
• Clustering - Multi-worker scaling
• Performance Tuning - Optimization strategies

View All Documentation

Security

XyPriss is built with security as a fundamental design principle. The framework implements multiple layers of protection and follows industry best practices for secure web application development.

XEMS — Encrypted Memory Store

XEMS is the built-in session security layer. Unlike cookie-based JWT, XEMS stores all session data server-side inside a native Go sidecar process, encrypted with AES-256-GCM. The client only ever holds a random opaque token.

import { createServer, xems } from "xypriss";

const app = createServer({
    server: {
        xems: {
            enable: true, // Enable the XEMS middleware
            ttl: "15m", // Session lifetime
            autoRotation: true, // Rotate token on every request
            gracePeriod: 1000, // ms the old token stays valid (concurrent requests)
        },
    },
});

// Login — create an encrypted session
app.post("/auth/login", async (req, res) => {
    // ... verify credentials
    await res.xLink({ userId: user.id, role: user.role }); // session created
    res.json({ success: true });
});

// Protected route — session auto-decrypted
app.get("/profile", (req, res) => {
    if (!req.session) return res.status(401).json({ error: "Unauthorized" });
    res.json({ user: req.session }); // { userId, role }
});

Full XEMS Guide →

Environment Security Shield

XyPriss implements a Strict Environment Shield to protect your secrets and enforce coding best practices. By default, XyPriss masks direct access to process.env for non-essential variables to prevent accidental exposure by third-party libraries or logging debugging artifacts.

1. Zero-Dependency Loader

No need for dotenv or other external packages. XyPriss automatically loads variables from:

1. .env
2. .env.local
3. .private/.env (Priority)

2. The Shield in Action

Standard system variables (like PATH, USER, NODE_ENV) are whitelisted for system stability, but your custom application variables are protected.

// ❌ Blocked & Masked (returns undefined + Security Warning)
const secret = process.env.DATABASE_PASSWORD;

// ✅ Official & Secure Way
const secret = __sys__.__env__.get("DATABASE_PASSWORD");

3. Official Configuration

For project configuration, use the XYPRISS_ prefix to bypass the shield for internal framework variables:

• XYPRISS_PORT
• XYPRISS_HOST
• XYPRISS_REDIS_URL

Learn more about Environment Security →

Security Disclosure Policy

While we maintain rigorous security standards, we acknowledge that vulnerabilities may exist. We encourage responsible disclosure of security issues.

If you discover a security vulnerability, please report it via email:

Email: [email protected]

Please do not open public GitHub issues for security vulnerabilities.

We are committed to:

• Acknowledging receipt of your report within 48 hours
• Providing regular updates on our progress
• Crediting researchers who responsibly disclose vulnerabilities

Your assistance in maintaining the security of XyPriss is greatly appreciated.

Multi-Server Security Isolation

In Multi-Server mode, XyPriss enforces strict process and memory isolation. Each server defined in your configuration runs its own dedicated XEMS sidecar. This prevents session leakage between services (e.g., your public API cannot access sessions from your admin dashboard).

To interact with the correct store in a distributed setup:

• Web Auth: Use res.xLink() (automatic).
• Direct Access: Use req.app.xems or xems.forApp(req.app).

Contributing

XyPriss is an open-source project that welcomes contributions from the community. We value all forms of contribution, from bug reports to documentation improvements.

How to Contribute

1. Star the Repository - Show your support and help others discover XyPriss
2. Report Issues - Submit bug reports with detailed reproduction steps
3. Suggest Features - Open discussions for feature proposals
4. Submit Pull Requests - Review our Contributing Guide before submitting code
5. Improve Documentation - Help us maintain clear and accurate documentation

Contribution Guidelines

• Follow the existing code style and conventions
• Include tests for new features
• Update documentation as needed
• Ensure all tests pass before submitting
• Write clear commit messages

Read the Complete Contributing Guide

Community Support

Resources

• Documentation - Complete guides and API reference
• GitHub Discussions - Community Q&A and feature discussions
• Issue Tracker - Bug reports and feature requests
• Security - Report vulnerabilities
• Website - Learn more about Nehonix

Support the Project

If XyPriss has been valuable for your projects, consider:

• Starring the repository on GitHub
• Sharing the project with your network
• Contributing to the codebase or documentation
• Providing feedback and suggestions
• Giving us a star on GitHub

License

XyPriss is licensed under the Nehonix OSL (Nehonix OSL (NOSL)) License.

Acknowledgments

Developed by Nehonix Team

XyPriss is maintained by Nehonix and its contributors.