docs(site): .js examples, separate the two paths, trim copy

Thanga-Ganapathy · Thanga-Ganapathy · commit a5a42e54a8f8 · 2026-06-14T12:26:27.000+05:30
- use .js (not .mjs) in all examples (run commands, runtime:process, imports)
- clearly separate ES Runtime's two paths: the embeddable library is
  deny-by-default; the esrun CLI grants all capabilities. Never attribute
  deny-by-default to esrun. Reworded security page (two-path list), comparison
  bullet, docs/api overviews
- trim: drop the Capabilities section + redundant cards from the API overview,
  the CLI "Capabilities" note, and the runtime:process preamble paragraph
diff --git a/site/app/api/cli/page.jsx b/site/app/api/cli/page.jsx
@@ -8,16 +8,16 @@ esrun -h, --help         Show this help
 esrun -v, --version      Show the version`;
 
 const RUN = `# Run a module file
-esrun app.mjs
+esrun app.js
 
 # Inline snippet (top-level await works)
 esrun -e "console.log(await Promise.resolve(42))"
 
 # Pass arguments through to the script (read via runtime:process)
-esrun app.mjs build --watch
+esrun app.js build --watch
 
 # Stop a runaway script after 500ms
-esrun -t 500 app.mjs`;
+esrun -t 500 app.js`;
 
 const options = [
   {
@@ -90,17 +90,6 @@ export default function CliDoc() {
         </a>
         . The runtime binary and the script path are excluded.
       </div>
-
-      <div className="mt-4 rounded-xl border border-zinc-200 bg-zinc-50 p-5 text-sm leading-relaxed text-zinc-600">
-        <strong className="text-zinc-900">Capabilities.</strong> The standalone
-        CLI grants the host capabilities its features need so scripts “just run.”
-        The deny-by-default model is what an <em>embedder</em> of the library
-        controls — see the{" "}
-        <a href="/api" className="font-medium text-brand-600 hover:text-brand-700">
-          API overview
-        </a>
-        .
-      </div>
     </ApiShell>
   );
 }
diff --git a/site/app/api/page.jsx b/site/app/api/page.jsx
@@ -3,14 +3,6 @@ import CodeBlock from "../../components/CodeBlock.jsx";
 
 const IMPORT = `import { env, args } from "runtime:process";`;
 
-const capabilities = [
-  { cap: "Env", grants: "Environment, arguments, cwd, platform — backs runtime:process." },
-  { cap: "FileRead", grants: "Read files within the configured root jail." },
-  { cap: "FileWrite", grants: "Write files within the configured root jail." },
-  { cap: "Net", grants: "Open outbound network connections." },
-  { cap: "HrTime", grants: "Access high-resolution timing." },
-];
-
 const modules = [
   { name: "runtime:process", status: "Available", cap: "Env", href: "/api/process" },
   { name: "runtime:path", status: "Planned", cap: "—", href: null },
@@ -27,8 +19,9 @@ export default function ApiOverview() {
         Overview
       </h1>
       <p className="mt-4 text-lg leading-relaxed text-zinc-600">
-        ES Runtime is ESM-only, and its embeddable library is deny-by-default.
-        Host functionality is exposed as ES modules under the{" "}
+        ES Runtime is ESM-only; the embeddable library is deny-by-default (the
+        esrun CLI grants all capabilities). Host functionality is exposed as ES
+        modules under the{" "}
         <code className="rounded bg-zinc-100 px-1.5 py-0.5 font-mono text-[0.9em]">
           runtime:
         </code>{" "}
@@ -92,58 +85,6 @@ export default function ApiOverview() {
           </tbody>
         </table>
       </div>
-
-      <h2 className="mt-12 text-xl font-semibold text-zinc-900">Capabilities</h2>
-      <p className="mt-3 text-zinc-600">
-        A fresh runtime can compute but cannot reach the host until the embedder
-        grants the relevant capability. The check lives on the native op, so it
-        cannot be bypassed by reaching a different module path.
-      </p>
-      <div className="mt-5 overflow-hidden rounded-xl border border-zinc-200">
-        <table className="w-full text-left text-sm">
-          <thead className="bg-zinc-50 text-xs uppercase tracking-wider text-zinc-500">
-            <tr>
-              <th className="px-4 py-3 font-semibold">Capability</th>
-              <th className="px-4 py-3 font-semibold">Grants</th>
-            </tr>
-          </thead>
-          <tbody className="divide-y divide-zinc-100">
-            {capabilities.map((c) => (
-              <tr>
-                <td className="px-4 py-3 font-mono font-medium text-zinc-900">
-                  {c.cap}
-                </td>
-                <td className="px-4 py-3 text-zinc-600">{c.grants}</td>
-              </tr>
-            ))}
-          </tbody>
-        </table>
-      </div>
-
-      <div className="mt-10 grid gap-4 sm:grid-cols-2">
-        <a
-          href="/api/cli"
-          className="flex flex-col rounded-xl border border-zinc-200 p-5 transition-shadow hover:shadow-sm"
-        >
-          <span className="font-mono font-semibold text-zinc-900">
-            esrun CLI →
-          </span>
-          <span className="mt-1 text-sm text-zinc-600">
-            Command-line options: run a file, -e, --timeout, --help, --version.
-          </span>
-        </a>
-        <a
-          href="/api/process"
-          className="flex flex-col rounded-xl border border-zinc-200 p-5 transition-shadow hover:shadow-sm"
-        >
-          <span className="font-mono font-semibold text-zinc-900">
-            runtime:process →
-          </span>
-          <span className="mt-1 text-sm text-zinc-600">
-            Environment, arguments, working directory, platform, and exit.
-          </span>
-        </a>
-      </div>
     </ApiShell>
   );
 }
diff --git a/site/app/api/process/page.jsx b/site/app/api/process/page.jsx
@@ -12,7 +12,7 @@ console.log(env.HOME);      // read
 env.FEATURE_FLAG = "on";    // write (in-process only)
 delete env.SECRET;          // delete (in-process only)`;
 
-const ARGS_EX = `// esrun app.mjs build --watch
+const ARGS_EX = `// esrun app.js build --watch
 import { args } from "runtime:process";
 
 console.log(args); // ["build", "--watch"]`;
@@ -79,13 +79,6 @@ export default function ProcessDoc() {
         </span>
       </div>
 
-      <p className="mt-8 text-zinc-600">
-        Every member requires the <strong>Env</strong> capability; the check
-        lives on the host op. Values are snapshotted when the module is
-        evaluated, and the module is loaded on demand — importing it adds no cost
-        to startup if you never use it.
-      </p>
-
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">Import</h2>
       <div className="mt-4">
         <CodeBlock code={IMPORT} title="runtime:process" lang="js" />
@@ -114,21 +107,21 @@ export default function ProcessDoc() {
         env — reading and writing
       </h2>
       <div className="mt-4">
-        <CodeBlock code={ENV_EX} title="env.mjs" lang="js" />
+        <CodeBlock code={ENV_EX} title="env.js" lang="js" />
       </div>
 
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">
         args — program arguments
       </h2>
       <div className="mt-4">
-        <CodeBlock code={ARGS_EX} title="args.mjs" lang="js" />
+        <CodeBlock code={ARGS_EX} title="args.js" lang="js" />
       </div>
 
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">
         exit — stopping the run
       </h2>
       <div className="mt-4">
-        <CodeBlock code={EXIT_EX} title="exit.mjs" lang="js" />
+        <CodeBlock code={EXIT_EX} title="exit.js" lang="js" />
       </div>
 
       <div className="mt-12 rounded-xl border border-zinc-200 bg-zinc-50 p-5 text-sm text-zinc-600">
diff --git a/site/app/docs/comparison/page.jsx b/site/app/docs/comparison/page.jsx
@@ -116,8 +116,8 @@ export default function ComparisonDoc() {
             File access — including module resolution — is confined to a project
             root that can't be escaped, even via symlink, in both the library and
             the CLI. Deno gates host access with CLI permission flags and Node.js
-            has an experimental permission model; esrun's CLI grants all
-            capabilities, while its embeddable library is deny-by-default.
+            has an experimental permission model; the esrun CLI grants all
+            capabilities, while the embeddable library is deny-by-default.
           </span>
         </li>
         <li className="flex gap-3">
diff --git a/site/app/docs/modules/page.jsx b/site/app/docs/modules/page.jsx
@@ -2,13 +2,13 @@ import DocsShell from "../../../components/DocsShell.jsx";
 import CodeBlock from "../../../components/CodeBlock.jsx";
 
 const STATIC = `// Relative and bare specifiers both work.
-import { greet } from "./greet.mjs";
+import { greet } from "./greet.js";
 import greeter from "greeter";           // from node_modules (ESM)
 
 export const message = greet("world");`;
 
 const DYNAMIC = `// Dynamic import() is fully supported, including top-level await.
-const { default: plugin } = await import("./plugins/auth.mjs");
+const { default: plugin } = await import("./plugins/auth.js");
 await plugin.init();`;
 
 const BUILTIN = `// Host functionality is imported under the runtime: scheme.
@@ -45,12 +45,12 @@ export default function ModulesDoc() {
 
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">Static imports</h2>
       <div className="mt-4">
-        <CodeBlock code={STATIC} title="app.mjs" lang="js" />
+        <CodeBlock code={STATIC} title="app.js" lang="js" />
       </div>
 
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">Dynamic import</h2>
       <div className="mt-4">
-        <CodeBlock code={DYNAMIC} title="app.mjs" lang="js" />
+        <CodeBlock code={DYNAMIC} title="app.js" lang="js" />
       </div>
 
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">
@@ -79,7 +79,7 @@ export default function ModulesDoc() {
         host dependency explicit and statically visible in the source.
       </p>
       <div className="mt-4">
-        <CodeBlock code={BUILTIN} title="app.mjs" lang="js" />
+        <CodeBlock code={BUILTIN} title="app.js" lang="js" />
       </div>
       <p className="mt-4 text-zinc-600">
         Each built-in module is backed by host ops that carry the capability
diff --git a/site/app/docs/page.jsx b/site/app/docs/page.jsx
@@ -5,13 +5,13 @@ import InstallBox from "../../components/InstallBox.jsx";
 const GITHUB = "https://github.com/Open-Tech-Foundation/ES-Runtime";
 
 const RUN = `# Run a module file
-esrun app.mjs
+esrun app.js
 
 # Evaluate an inline snippet (top-level await is supported)
 esrun -e "console.log(await Promise.resolve(42))"
 
 # Pass arguments through to the script
-esrun app.mjs --name Ada`;
+esrun app.js --name Ada`;
 
 export default function DocsOverview() {
   return (
@@ -21,18 +21,17 @@ export default function DocsOverview() {
         Overview
       </h1>
       <p className="mt-4 text-lg leading-relaxed text-zinc-600">
-        esrun is a secure, standards-based JavaScript runtime for the server,
-        built on V8 in Rust. It runs standard ES Modules with a sandboxed module
-        system; its embeddable library is deny-by-default, granting host
-        capabilities only when the host asks.
+        ES Runtime is a secure, standards-based JavaScript runtime for the
+        server, built on V8 in Rust. It runs standard ES Modules with a
+        sandboxed module system.
       </p>
 
       <div className="mt-6 rounded-xl border border-brand-200 bg-brand-50 p-5 leading-relaxed text-brand-900">
         Ships in two shapes from one core: an{" "}
-        <strong>embeddable library</strong> and a{" "}
+        <strong>embeddable library</strong>, which is deny-by-default, and the{" "}
         <strong>standalone CLI</strong> (
         <code className="rounded bg-white/70 px-1.5 py-0.5 text-[13px]">esrun</code>
-        ).
+        ), which grants all capabilities.
       </div>
 
       <p className="mt-4 text-zinc-600">
diff --git a/site/app/docs/security/page.jsx b/site/app/docs/security/page.jsx
@@ -16,12 +16,28 @@ export default function SecurityDoc() {
         Security model
       </h1>
       <p className="mt-4 text-lg leading-relaxed text-zinc-600">
-        esrun's <strong>embeddable library</strong> is deny-by-default: a runtime
-        the host creates can compute, but cannot reach the host environment, the
-        filesystem, or the network until the host grants a capability for it. The
-        standalone <code className="font-mono">esrun</code> CLI grants all
-        capabilities, so scripts run unrestricted.
+        ES Runtime ships in two forms, and they differ on what code can reach by
+        default:
       </p>
+      <ul className="mt-4 space-y-2 text-zinc-600">
+        <li className="flex gap-3">
+          <span className="mt-2 h-1.5 w-1.5 shrink-0 rounded-full bg-brand-500" />
+          <span>
+            <strong className="text-zinc-900">Embeddable library — deny-by-default.</strong>{" "}
+            A runtime the host creates can compute, but cannot reach the host
+            environment, filesystem, or network until the host grants a
+            capability for it.
+          </span>
+        </li>
+        <li className="flex gap-3">
+          <span className="mt-2 h-1.5 w-1.5 shrink-0 rounded-full bg-brand-500" />
+          <span>
+            <strong className="text-zinc-900">The <code className="font-mono">esrun</code> CLI — unrestricted.</strong>{" "}
+            The standalone binary grants all capabilities so scripts run without
+            setup. It is not deny-by-default.
+          </span>
+        </li>
+      </ul>
 
       <h2 className="mt-12 text-xl font-semibold text-zinc-900">Capabilities</h2>
       <p className="mt-3 text-zinc-600">
