turtle.config.ts
Small, validated, explicit.
Configuration is loaded once for builds and rebuilds. Unknown fields and unsafe paths fail before any graph is emitted.
import { defineConfig } from "turtle";
export default defineConfig({
appDirectory: "app",
outputDirectory: "dist",
publicDirectory: "public",
assets: { "assets/*.wasm": "file", "content/*.txt": "text" },
diagnostics: false,
publicEnvironment: ["PUBLIC_SITE_NAME"],
redirects: [{ source: "/old", destination: "/new", permanent: true }],
stylesheets: ["/styles.css"],
});Options
| Option | Default | Contract |
|---|---|---|
appDirectory | app | Relative directory inside the application. |
outputDirectory | dist | Relative generated server/build output. |
publicDirectory | public | Relative application-owned static directory. |
assets | {} | Glob-to-loader map. Loaders: file, text, wasm. |
diagnostics | false | Explicitly exposes /__runtime and /__assets. |
publicEnvironment | [] | Required uppercase environment names allowed into build definitions. |
redirects | [] | Exact same-origin path redirects. Status is 307 or 308. |
stylesheets | [] | Same-origin stylesheet paths emitted as document links. |
Environment boundary
Only allowlisted public variables are read and substituted into graphs; every listed value is required. Application server and shared environment values should be declared in one package-owned env module with runtime validation. Do not access raw process.env throughout application code.
Static files and assets
Files in the configured public directory are served for GET and HEAD with MIME types, nosniff, and no-store caching. Traversal and malformed encoding are rejected. Configured build assets are emitted with deterministic names and a SHA-256 manifest. Turtle never creates application branding or fixtures in public/.
Redirect safety
Sources cannot contain query strings or fragments. Sources and destinations must begin with one slash, remain same-origin, and contain no backslashes. Runtime redirect() applies the same destination rules.