HBForge/The Moat
Competitive Position · v4.4.0
50

features no other framework ships in one package.

A moat isn't a feature list — it's the gap between what you get and what your competitors must assemble. Below are 50 capabilities that ship inside @hyperbridge/forge with zero npm dependencies, organised into ten categories. Each card names the competing packages you'd otherwise need.

0 npm deps 77 modules 111K+ lines authored 1,399+ APIs 5 runtimes
v4.4.0 · NEW forge/moat is now a real shipped module — 50 primitives, 1,580 lines, 49/49 smoke tests passing. view source →
Category 01

Zero-Dep Engineering

5 features
01
Truly zero transitive dependencies
The whole framework imports nothing from npm except itself. No lodash, no express, no ws, no argon2 native binary. Your node_modules contains one folder.
all 77 modulesvs 300–2,000+ deps
02
Single audit surface for the whole stack
One repository. One SBOM. One security review. CVE scanning, license audit, and supply-chain attestation cover the entire framework in a single pass.
@hyperbridge/forgevs 15+ vendors
03
Lazy-loaded root barrel — sub-ms cold start
require('@hyperbridge/forge') defines 76 getters and loads zero modules. Each module's source is read on first access only. Importing forge/server directly skips the barrel entirely.
framework/index.jsvs eager top-level barrels
04
Validated dual CJS + ESM at publish time
prepublishOnly hook verifies all 153 declared exports resolve and parse on Node 18+ before any tarball ships. No "broken in production" regressions from a missing .mjs.
scripts/validate-exports.jsvs hand-rolled publish
05
76 tree-shakeable subpath exports
Explicit subpath exports per module — bundlers ship only what you import. forge/server doesn't pull in forge/3d. Auto-generated browser stubs strip Node-only paths from server modules.
package.json exportsvs monolithic barrels
Category 02

Runtime Portability

5 features
06
Fetch-API native + Node listener built in
Same WebApp instance runs as app.listen(3000) on Node, export default app on CF Workers / Bun, and Deno.serve(app.fetch) on Deno. No second adapter package.
forge/servervs Hono + adapter
07
WebSocket (RFC 6455) without ws
Full RFC-6455 server and client in forge/server — frame masking, ping/pong, close codes, permessage-deflate. GraphQL Subscriptions ride on the same socket layer.
forge/servervs ws, socket.io
08
HTTP/2 with Server Push + ALPN negotiation
createHttp2Server() gives you ALPN, stream multiplexing, server push, and per-stream priority. Same handler signature as HTTP/1.1.
forge/servervs manual node:http2 plumbing
09
Cluster mode with sticky IP-hash sessions
Multi-worker process model with deterministic per-IP worker routing — WebSockets and sessions land on the same worker every time. No external sticky-session proxy.
forge/servervs pm2 + sticky proxy
10
ACME / Let's Encrypt cert provisioning
Built-in ACME client requests, renews, and rotates Let's Encrypt certs. HTTP-01 and TLS-ALPN-01 challenges. No greenlock or certbot in your stack.
forge/servervs greenlock, certbot
Category 03

Routing & HTTP

5 features
11
Radix-trie router with :param and named *
O(path-depth) lookups, supports :id params, * unnamed catch-all, and *name named catch-all. Same trie used by Hono, written from scratch with zero deps.
forge/servervs find-my-way, trek-router
12
Sub-app composition with handler inheritance
app.route('/api', subApp) remounts routes and middleware, optionally adopts parent's onError/notFound. Zero runtime cost — the trie is copied at mount time.
forge/servervs Express Router
13
tRPC-style type-safe RPC built in
RPCRouter, procedure(), mergeRouters — full tRPC-style end-to-end typed RPC without adding @trpc/server, @trpc/client, and the link plugins.
forge/servervs @trpc/* (5 packages)
14
GraphQL Engine + DataLoader (N+1 fix)
Complete GraphQL implementation — schema parser, validator, executor, batching, subscriptions over WebSocket. DataLoader exported alongside.
forge/servervs apollo-server, dataloader
15
html`` tagged template — XSS-safe by default
All ${value} interpolation is HTML-escaped automatically. raw() opts out for pre-trusted markup. No JSX runtime needed.
forge/servervs react-dom/server + escape-html
Category 04

Performance & Safety

5 features
16
Circuit breaker — three-state state machine
Closed / open / half-open transitions with configurable thresholds, exponential backoff, and per-key isolation. Wraps any async function.
forge/servervs opossum
17
Four rate-limit algorithms in one module
Token-bucket, sliding-window, fixed-window, leaky-bucket — chosen via one option. Per-IP, per-user, per-route, or custom key extractors.
forge/servervs express-rate-limit + plugins
18
Body cache — multiple parses without re-streaming
Call c.req.json() and c.req.text() on the same request — both read from a memoized ArrayBuffer. No "body already consumed" errors.
forge/servervs manual stream caching
19
LRU cache with TTL + size eviction
LRUCache class + cacheMiddleware() for response caching. TTL, max-size, weak-ref, and per-key tags built in.
forge/servervs lru-cache
20
Backpressure / request queue with auto-shed
backpressure() middleware sheds load via 503 + Retry-After when the in-flight request queue saturates. Prevents cascading failure under burst load.
forge/servervs custom semaphore code
Category 05

Auth & Identity

5 features
21
34 auth primitives, zero dependencies
Password, JWT, OAuth2Provider, OAuth2PKCE, TOTP, WebAuthn, RBAC, ApiKeyAuth, MagicLink, BackupCodes, AdaptiveMFA, SAMLProvider, AccountLinker, DeviceManager, PasswordHistory.
forge/authvs passport + 20 strategies
22
Argon2id via WASM — runs on every runtime
Password hashing uses argon2id with a WASM fallback so it works identically on CF Workers, Deno Deploy, Vercel Edge — places where native argon2 binaries can't load.
forge/auth + forge/wasmvs native argon2 (won't load on edge)
23
WebAuthn / Passkeys with full FIDO2 ceremony
Registration and authentication ceremonies, attestation verification, transport hints, resident-key flow. CBOR + COSE parsing built in.
forge/authvs @simplewebauthn/server
24
Adaptive MFA with risk scoring
AdaptiveMFA scores login attempts on device, geo, velocity, and history; gates step-up based on threshold. Pluggable risk providers.
forge/authvs Auth0 ASR
25
Session encryption + signed cookies
SessionEncryption uses AES-256-GCM with rotating keys. signedCookies(secret) middleware verifies HMAC on every read. No vendor SDK.
forge/authvs iron-session
Category 06

Data & Persistence

5 features
26
Connection pool + Model + Migration in one
Pool, Model, Migration — covers ~80% of Prisma/Drizzle/TypeORM. SQL migrations live next to code; Migration.run() applies in order, tracks state.
forge/datavs prisma + codegen
27
Schema-as-code → validator + OpenAPI source
One ObjectSchema definition validates requests, normalises responses, and emits OpenAPI 3.1 components. No duplicate type declarations.
forge/schemavs zod + zod-to-openapi
28
Cron scheduler with full cron syntax
CronScheduler + the convenience cron(schedule, fn) helper — minute/hour/day/month/weekday, timezone support, exponential retry on failure.
forge/cron + forge/servervs node-cron
29
Persistent file-backed job queue
Queue jobs survive process restart, write-ahead log on disk, configurable retry policy, dead-letter handling, concurrent workers.
forge/queue + forge/servervs bullmq + Redis
30
Full-text + fuzzy search in 2,508 lines
Inverted index, BM25 ranking, prefix matching, fuzzy with edit distance, snippet generation, stemming.
forge/searchvs flexsearch, lunr
Category 07

Observability

5 features
31
W3C Trace Context spans → OTLP
OpenTelemetry-compatible spans with W3C traceparent propagation. Export to Jaeger, Tempo, Honeycomb, Datadog, or any OTLP collector.
forge/tracevs @opentelemetry/* (8+ packages)
32
OPA-like policy engine in JSON
Decision-as-data policy engine. Compile policies once, evaluate millions of decisions per second. Allow/deny with structured reasons.
forge/policyvs opa sidecar
33
Deterministic request replay for debugging
Capture request + response + side-effects; replay the exact sequence locally to debug production incidents. Effect mocks are captured automatically.
forge/replayno off-the-shelf equivalent
34
Built-in load + chaos simulator
forge/simulator generates synthetic load, injects latency/errors, runs failure scenarios. No external k6, vegeta, or chaos-mesh.
forge/simulatorvs k6, vegeta
35
Prometheus metrics endpoint
createMetrics() registers HTTP histogram, request counter, error counter, in-flight gauge — exposed at /metrics, scrape-ready.
forge/server + forge/monitorvs prom-client
Category 08

Web7 / Agentic

5 features
36
Agent Mesh Protocol (forge/amp)
Standardised agent-to-agent message protocol over HTTP. Capability discovery, signed messages, replay protection, payment hints.
forge/ampno equivalent
37
W3C DIDs + Verifiable Credentials
Decentralised identifiers (did:key, did:web) and W3C Verifiable Credentials issuance + verification.
forge/identityvs did-jwt + vc-js + plugins
38
Consent ledger with granular grants
Append-only ledger of user consents — purpose, scope, expiry, withdrawal. GDPR / DPDPA Article 7 receipt format.
forge/consentvs cookiebot, onetrust
39
Content provenance (C2PA-style)
Sign and verify content origin with embedded provenance manifests. Detect AI-generated content, track edit history.
forge/provenancevs C2PA SDK (300+ deps)
40
Web7-L6 AAA conformance suite — 30/30 in 8 ms
Full Web7-L6 specification test suite runs in-process. 30 tests across 12 spec categories, AAA grade certification.
forge/conformanceno equivalent
Category 09

Governance

5 features
41
Codified governance charter
forge/charter ratifies the framework's behavioural envelope. Changes require versioned charter amendments, traceable in code.
forge/charterno equivalent
42
Risk-tiered execution envelope
forge/risktier classifies operations by impact (T0–T3) and gates execution with tier-appropriate approvals and audit trails.
forge/risktierno equivalent
43
Jurisdiction-aware compliance routing
forge/jurisdiction resolves the applicable legal jurisdiction per request (GDPR / DPDPA / CCPA / Brazil LGPD) and routes data flows accordingly.
forge/jurisdictionno equivalent
44
Behavioural drift detection
forge/drift baselines normal behaviour and flags statistically significant deviations — for ML models, agents, and human operators alike.
forge/driftvs custom ML pipelines
45
Chaos engineering hooks built in
forge/chaos injects controlled failures (latency, drops, partitions) into your own request handlers — game-day rehearsals without separate tooling.
forge/chaosvs chaos-mesh, gremlin
Category 10

UI & Graphics

5 features
46
WebGL2 3D engine with PBR materials
Scene graph, PBR shaders, instanced rendering, bloom + SSAO post-processing, GLTF loader, physics-ready controls. 368 APIs.
forge/3dvs three.js + postprocessing
47
Barnes-Hut O(n log n) N-body physics
QuadTree + OctTree spatial partitioning, SoA Float64 layout for cache efficiency, XPBD constraint solver, SPH fluid kernels, inline Web Worker via Blob URL.
forge/physicsno zero-dep equivalent
48
165-API animation library
Spring physics, Tween, Timeline, ScrollTrigger, ViewTransitions, DrawSVG, MagneticEffect, DecayPhysics, CSSVariableAnimator. Framer Motion + GSAP combined.
forge/animatevs framer-motion + gsap
49
Canvas chart library — Chart.js parity
Line, bar, pie, area, scatter, candlestick — high-performance Canvas2D rendering with animations and interaction.
forge/chartvs chart.js, recharts
50
Quantum — React-alternative UI runtime
Fiber-style reconciler, hooks (state, effect, memo, layoutEffect, transition), lanes, Suspense, Router, Portals — 180 APIs in forge/client.
forge/clientvs react + react-dom + react-router
50
moat features
0
npm dependencies
77
modules
1
install

Hard to copy. Easier to install.

Every feature above lives in @hyperbridge/forge with zero npm dependencies. You'd need 15+ vendors and 300–2,000 transitive packages to assemble the same surface from the ecosystem.

npm i @hyperbridge/forge Detailed comparison 25 working examples