Runtime apps that compose, verify, and evolve without rebuilding — built on Module Federation, every-plugin, and NEAR Protocol.
A published bos.config.json defines how host, UI, and API load together. Changing the config changes the composition. No rebuild needed. The configuration lives on-chain — inspectable, verifiable, and extendable by anyone.
Built with Tanstack Start, Hono.js, oRPC, better-auth, and rsbuild.
bun install # Install dependencies
bos dev --host remote # Start development (typical workflow)This will start serving the UI, the API, and mounting it on a universally shared (remote) HOST application's build.
- Host: http://localhost:3000
- API: http://localhost:3000/api
This maintains a flexible, well-typed architecture that connects the entirity of the application, it's operating system, and a cli to interact with it. It is a perpetually in-development model for the Blockchain Operating System (BOS)
Agents can now build software. But 45% of AI-generated code fails security tests — a rate flat for two years across 150+ models. The JavaScript supply chain saw a 15.3x increase in malicious packages. $1.46B was stolen via runtime JavaScript injection at Bybit. Only 2.8% of scripts on the median web page have integrity protection.
Build-time bundles have no compositional integrity. You cannot verify what is running matches what was published. You cannot swap a component without redeploying everything. You cannot prove provenance.
everything.dev is a composition protocol, not a framework. The bos.config.json is a verifiable manifest. every-plugin provides typed contracts for composable APIs. The registry discovers published runtimes on-chain. extends and bos:// let any app compose from any other. better-near-auth gives cryptographic identity and verifiable on-chain actions. Integrity hashes prove what loads matches what was published.
Runtime apps that compose, verify, and evolve without rebuilding.
For the full argument, see A New Renaissance: Why Software Must Compose or Collapse.
everything-dev is the canonical runtime package and CLI. bos is a command alias for the same tool. See AGENTS.md for the quick reference and LLM.txt for the full technical guide.
everything-dev dev --host remote # Remote host, local UI + API (typical)
everything-dev dev --ui remote # Isolate API work
everything-dev dev --api remote # Isolate UI work
|/ --proxy # Use a proxy
everything-dev dev # Full local, client shell by default
# `bos` is an alias for the same commands
bos dev --ssr # Opt into local SSReverything-dev start --no-interactive # All remotes, production URLsbos build # Build all packages (updates bos.config.json)
bos publish # Publish config to the temporary dev.everything.near registry
bos publish --deploy # Build/deploy all workspaces, then publish
bun run publish # Same publish command via root script
bos sync # Sync from production (every.near/everything.dev)bos create project <name> # Scaffold new project
bos info # Show configuration
bos status # Check remote health
bos clean # Clean build artifacts- UI Changes: Edit
ui/src/→ hot reload automatically → publish withbos publish --deploy - API Changes: Edit
api/src/→ hot reload automatically → publish withbos publish --deploy - Host Changes: Edit
host/src/orbos.config.json→ publish withbos publish --deploy
Always run these commands before committing:
bun test # Run all tests
bun typecheck # Type check all packages
bun lint # Run linting (see lint setup below)We use Changesets for versioning:
When to add a changeset:
- Any user-facing change (features, fixes, deprecations)
- Breaking changes
- Skip for: docs-only changes, internal refactors, test-only changes
Create a changeset:
bun run changeset
# Follow prompts to select packages and describe changesThe release workflow (.github/workflows/release.yml) handles versioning and GitHub releases automatically on merge to main.
See CONTRIBUTING.md for detailed contribution guidelines including:
- Branch naming conventions
- Semantic commit format
- Pull request process
- AGENTS.md - Quick operational guide for AI agents
- CONTRIBUTING.md - Contribution guidelines and git workflow
- LLM.txt - Deep technical reference for implementation
- API README - API plugin documentation
- UI README - Frontend documentation
- Host README - Server host documentation
- Auth Plugin README - Auth plugin documentation
Documentation Purpose:
README.md(this file) - Human quick start and overviewAGENTS.md- Agent operational shortcutsCONTRIBUTING.md- How to contribute (branch, commit, PR workflow)LLM.txt- Technical deep-dive for implementation details- Package READMEs (api/, ui/, host/, plugins/auth/) - Package-specific details
Module Federation monorepo with runtime-loaded configuration:
┌─────────────────────────────────────────────────────────┐
│ host (Server) │
│ Hono.js + oRPC + bos.config.json loader │
│ ┌──────────────────┐ ┌──────────────────┐ │
│ │ Module Federation│ │ every-plugin │ │
│ │ Runtime │ │ Runtime │ │
│ └────────┬─────────┘ └────────┬─────────┘ │
│ ↓ ↓ │
│ Loads UI Runtime Loads API + Auth Plugins │
└───────────┬─────────────────────────┬───────────────────┘
↓ ↓
┌───────────────────────┐ ┌───────────────────────┐
│ ui/ (Runtime) │ │ api/ + plugins/ │
│ React + TanStack │ │ oRPC + Effect │
│ ui/src/app.ts │ │ remoteEntry.js │
└───────────────────────┘ └───────────────────────┘
Key Features:
- ✅ Runtime Configuration - All URLs from
bos.config.json(no rebuild needed) - ✅ Independent Deployment - UI, API, and Host deploy separately
- ✅ Type Safety - End-to-end with oRPC contracts
- ✅ UI Runtime Boundary -
everything-dev/ui/clientand/serverown router/runtime glue - ✅ CDN-Ready - Module Federation with Zephyr Cloud
All runtime configuration lives in bos.config.json:
{
"account": "dev.everything.near",
"domain": "everything.dev",
"staging": { "domain": "staging.dev.yourapp.dev" },
"repository": "https://github.com/nearbuilders/everything-dev",
"testnet": "dev.allthethings.testnet",
"plugins": {
"template": {
"development": "local:plugins/_template"
}
},
"app": {
"host": {
"name": "host",
"development": "local:host",
"production": "https://..."
},
"ui": {
"name": "ui",
"development": "local:ui",
"production": "https://...",
"ssr": "https://..."
},
"api": {
"name": "api",
"development": "local:api",
"production": "https://...",
"variables": {},
"secrets": []
},
"auth": {
"name": "everything-dev_auth-plugin",
"development": "local:plugins/auth",
"production": "https://...",
"variables": {
"account": "dev.everything.near",
"hostUrl": "http://localhost:3000",
"uiUrl": "http://localhost:3003"
},
"secrets": ["AUTH_DATABASE_URL", "BETTER_AUTH_SECRET"]
}
}
}The temporary publish registry currently points at dev.everything.near, and bos publish --deploy is the release path when you want Zephyr URLs refreshed first.
Use the repo Dockerfile for the service, and treat the GHCR image as the deployable artifact.
- Image source:
ghcr.io/<lowercased github.repository>:latest - Staging:
ghcr.io/<lowercased github.repository>:staging - Preview:
ghcr.io/<lowercased github.repository>:pr-<number>
All configuration derives from bos.config.json (baked into the image). Only secrets need to be set as environment variables.
Required runtime vars:
APP_ENV-productionorstaging(derives domain frombos.config.json)BETTER_AUTH_SECRET- Session encryption keyBETTER_AUTH_URL- Auth callback URL (defaults to host URL from config)HOST_DATABASE_URL- Database connection stringHOST_DATABASE_AUTH_TOKEN- Database auth tokenCORS_ORIGIN- Comma-separated allowed origins (defaults to host + UI URLs from config)
See LLM.txt for the complete schema and configuration reference.
This project uses Biome for linting and formatting:
# Check linting
bun lint
# Fix auto-fixable issues
bun lint:fix
# Format code
bun formatBiome is configured in biome.json at the project root. Generated files (like routeTree.gen.ts) are automatically excluded.
Frontend:
- React 19 + TanStack Router (file-based) + TanStack Query
- Tailwind CSS v4 + shadcn/ui components
- Module Federation for microfrontend architecture
Backend:
- Hono.js server + oRPC (type-safe RPC + OpenAPI)
- every-plugin architecture for modular APIs
- Effect-TS for service composition
Database & Auth:
- PostgreSQL + Drizzle ORM
- Better-Auth with NEAR Protocol support
- every-plugin - Plugin framework for modular APIs with typed contracts and runtime composition
- near-kit - Unified NEAR Protocol SDK
- better-near-auth - NEAR SIWN + gasless relay for Better-Auth (cryptographic identity, verifiable on-chain actions)
- TanStack Intent - Agent skills shipped as npm package artifacts (compositional knowledge versioned with code)
everything.dev sits within a broader ecosystem building a verifiable internet on NEAR:
- BOS — Composable on-chain frontend components
- web4 — Web apps as verifiable on-chain smart contracts
- near-dns — Blockchain-backed DNS resolution
- NameSky — Named accounts as tradeable on-chain assets
- OutLayer — TEE-attested verifiable off-chain computation
- NEAR Intents — Intent-based cross-chain settlement ($15B+ volume)
- Trezu — Multi-chain treasury management ($72M AUM)
- NEAR AI Cloud — Confidential inference with hardware attestation
MIT