Security improvement: default dev handler to disabled

Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>

Author: Copilot

examples/integrations/dev-playground/README.md

@@ -166,7 +166,7 @@ interface DevHandlerOptions {
     /** Base directory for file operations (defaults to process.cwd()) */
     baseDir?: string;
 
-    /** Enable dev mode (must be explicitly enabled) */
+    /** Enable dev mode (must be explicitly enabled, defaults to false) */
     enabled?: boolean;
 
     /** Allowed file extensions for editing */

examples/integrations/dev-playground/src/objects/project.object.yml

@@ -0,0 +1,46 @@
+name: project
+label: Project
+icon: briefcase
+fields:
+  name:
+    type: text
+    required: true
+    label: Project Name
+    searchable: true
+  
+  status:
+    type: select
+    options:
+      - planning
+      - in_progress
+      - completed
+      - on_hold
+    defaultValue: planning
+    label: Status
+  
+  priority:
+    type: select
+    options:
+      - low
+      - medium
+      - high
+      - urgent
+    defaultValue: medium
+    label: Priority
+  
+  description:
+    type: textarea
+    label: Description
+  
+  start_date:
+    type: date
+    label: Start Date
+  
+  end_date:
+    type: date
+    label: End Date
+  
+  budget:
+    type: currency
+    label: Budget
+    scale: 2

examples/integrations/dev-playground/src/objects/task.object.yml

@@ -0,0 +1,43 @@
+name: task
+label: Task
+icon: check-square
+fields:
+  title:
+    type: text
+    required: true
+    label: Task Title
+  
+  status:
+    type: select
+    options:
+      - todo
+      - in_progress
+      - done
+    defaultValue: todo
+    label: Status
+  
+  priority:
+    type: select
+    options:
+      - low
+      - medium
+      - high
+    defaultValue: medium
+    label: Priority
+  
+  description:
+    type: textarea
+    label: Description
+  
+  assignee:
+    type: text
+    label: Assigned To
+  
+  due_date:
+    type: datetime
+    label: Due Date
+  
+  completed:
+    type: boolean
+    defaultValue: false
+    label: Completed

examples/integrations/dev-playground/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "extends": "../../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": ".",
+    "module": "ESNext",
+    "target": "ES2020",
+    "moduleResolution": "node"
+  },
+  "include": ["*.ts", "src/**/*"]
+}

packages/runtime/server/src/dev-handler.ts

@@ -72,7 +72,7 @@ interface FileNode {
  */
 export function createDevHandler(options?: DevHandlerOptions) {
     const baseDir = options?.baseDir || process.cwd();
-    const enabled = options?.enabled ?? (process.env.NODE_ENV !== 'production');
+    const enabled = options?.enabled ?? false; // Default to false for security
     const allowedExtensions = options?.allowedExtensions || [
         '.yml', '.yaml', '.ts', '.js', '.json', '.md', 
         '.txt', '.object.yml', '.validation.yml', '.permission.yml', 

packages/runtime/server/test/dev-handler.test.ts

@@ -290,6 +290,24 @@ describe('DevHandler', () => {
     });
 
     describe('Security', () => {
+        it('should be disabled by default', async () => {
+            const defaultHandler = createDevHandler({
+                baseDir: testDir
+                // enabled not specified - should default to false
+            });
+
+            const defaultServer = createServer(defaultHandler);
+
+            const response = await request(defaultServer)
+                .get('/api/dev/files')
+                .expect(403);
+
+            expect(response.body).toHaveProperty('error');
+            expect(response.body.error.message).toContain('development mode');
+
+            defaultServer.close();
+        });
+
         it('should be disabled in production mode', async () => {
             const prodHandler = createDevHandler({
                 baseDir: testDir,