rhales 0.5.4 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba52e82c80de6bba26167aaf61b424d72a03fc195ec69be7e38dbd17422cf064
-  data.tar.gz: d87dc62997bf10cfde421bb93e7d1025b2374e9cd53a2280acd37c157d553227
+  metadata.gz: 249890f733fb9b88bbabe22bcc327aa5d0422c00ea595e4b67751e335e790feb
+  data.tar.gz: 69259f0ab5cc091cc2c4fab33e3eee13859e28ef789e522119e6702f695155ab
 SHA512:
-  metadata.gz: 8368580c220c662432ede3e323b9460b6edba4ff5012c57fbbe0b4760572d063aed07225a4e9b29d542d00f169c7ccdab9ddf7c1aa742b67d0a80c438ad91b18
-  data.tar.gz: 2ff74a6825fda46507e849dfc19139c7084be205024a03d2b0fd5f8d930d71366ce5c3407fbeeb77acf133bdd5486b17dbc5b068780ec169a1ee29c15669f1e2
+  metadata.gz: c424d4d348c48686ddb60fe068d2839627c552d94a03a507b9cf54f1d39d11dc4d18aaefccc8731ec0aa8fb79d72ef18ea838460d0e36f5d69b5575d7d15ac3d
+  data.tar.gz: 65139df9054a39981ca7f6fd51818544aca039847d4a1d60521e879c2d542f3ca1f2ca9bbeb030154cc735404882d5ca0ede2fcabe64ef55a8194c622518c963

data/.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        ruby: ['3.4', '3.5']
+        ruby: ['3.2', '3.3', '3.4', '3.5']
 
     steps:
       - uses: actions/checkout@v4
@@ -50,7 +50,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        ruby: ['3.4', '3.5']
+        ruby: ['3.2', '3.3', '3.4', '3.5']
 
     steps:
       - uses: actions/checkout@v4
@@ -77,7 +77,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: ['3.4', '3.5']
+        ruby: ['3.2', '3.3', '3.4', '3.5']
 
     steps:
       - uses: actions/checkout@v4
@@ -99,7 +99,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: ['3.4', '3.5']
+        ruby: ['3.2', '3.3', '3.4', '3.5']
 
     steps:
       - uses: actions/checkout@v4

data/.github/workflows/release-gem.yml

@@ -0,0 +1,158 @@
+# Release Gem Workflow
+#
+# Automatically builds and publishes the rhales gem to RubyGems.org when a
+# GitHub release is published with a semantic version tag (vMAJOR.MINOR.PATCH,
+# e.g. v0.6.1, v1.2.3).
+#
+# Follows the canonical RubyGems Trusted Publishing workflow:
+#   https://guides.rubygems.org/trusted-publishing/
+#
+# ============================================================================
+# SETUP INSTRUCTIONS (one-time)
+# ============================================================================
+#
+# This workflow uses RubyGems Trusted Publishing (OIDC). No long-lived API
+# key needs to be stored in GitHub.
+#
+# ----------------------------------------------------------------------------
+# 1. Configure the trusted publisher on RubyGems.org
+# ----------------------------------------------------------------------------
+#
+#   a. Sign in to https://rubygems.org and enable MFA on your account
+#      (required for trusted publishing).
+#
+#   b. Open the gem's trusted publisher page (works for both existing gems
+#      and the first-ever publish):
+#        Existing gem: https://rubygems.org/gems/rhales/trusted_publishers
+#        First publish: https://rubygems.org/profile/oidc/pending_trusted_publishers/new
+#
+#   c. Click "Create" and fill in:
+#        Publisher type:    GitHub Actions
+#        Repository owner:  onetimesecret
+#        Repository name:   rhales
+#        Workflow filename: release-gem.yml
+#        Environment:       rubygems.org   (must match `environment.name` below)
+#
+#   d. Save. RubyGems will now accept short-lived OIDC tokens issued by this
+#      workflow running in this repository.
+#
+# ----------------------------------------------------------------------------
+# 2. Configure the GitHub environment
+# ----------------------------------------------------------------------------
+#
+#   a. In GitHub: Settings -> Environments -> New environment
+#      Name: `rubygems.org`   (must match `environment.name` below)
+#
+#   b. Under "Deployment branches and tags", restrict to tags matching:
+#        v*.*.*
+#      This prevents the environment (and its OIDC token) from being used
+#      from any branch or non-release tag.
+#
+#   c. Optional but recommended: add required reviewers to gate publishes
+#      behind manual approval.
+#
+#   No GitHub secrets are required - OIDC handles authentication.
+#
+# ----------------------------------------------------------------------------
+# 3. Cutting a release
+# ----------------------------------------------------------------------------
+#
+#   a. Bump Rhales::VERSION in lib/rhales/version.rb (semver: MAJOR.MINOR.PATCH).
+#   b. Update CHANGELOG.md and commit on main.
+#   c. On GitHub, draft a Release with tag `vX.Y.Z` (matching the constant)
+#      and publish it. This workflow runs automatically: it verifies the tag
+#      matches the gemspec version, builds the gem, and pushes it.
+#
+# ----------------------------------------------------------------------------
+# Fallback: API key (only if Trusted Publishing isn't an option)
+# ----------------------------------------------------------------------------
+#
+#   1. Create an API key at https://rubygems.org/profile/api_keys with scope
+#      "Push rubygem" restricted to the `rhales` gem.
+#   2. Store it as a repo secret named `RUBYGEMS_API_KEY`.
+#   3. Drop the `id-token: write` permission and `environment:` block, and
+#      replace the `rubygems/release-gem` step with:
+#
+#        - name: Publish to RubyGems
+#          env:
+#            GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}
+#          run: gem push rhales-*.gem
+#
+# ----------------------------------------------------------------------------
+# Action provenance (SHA pins)
+# ----------------------------------------------------------------------------
+#
+# All third-party actions below are pinned to a full commit SHA, per GitHub's
+# secure-use guidance for release-critical workflows. The accompanying
+# comment records the tag the SHA was resolved from so renovate/dependabot
+# can keep them current.
+#
+#   actions/checkout      - official GitHub action
+#   ruby/setup-ruby       - official Ruby org action (GitHub-verified creator)
+#   rubygems/release-gem  - official RubyGems action for trusted publishing
+#
+# ============================================================================
+
+name: Release Gem
+
+on:
+  release:
+    types: [published]
+
+# Coarse default. Each job re-declares the narrowest permissions it needs.
+permissions:
+  contents: read
+
+# Don't allow two release runs to race - one published tag, one publish.
+concurrency:
+  group: release-gem-${{ github.event.release.tag_name }}
+  cancel-in-progress: false
+
+jobs:
+  release:
+    name: Build and push gem
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    environment:
+      name: rubygems.org
+      url: https://rubygems.org/gems/rhales
+
+    permissions:
+      contents: write   # rubygems/release-gem attaches built .gem to the GitHub release
+      id-token: write   # OIDC token for RubyGems Trusted Publishing
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
+        with:
+          bundler-cache: true
+          ruby-version: ruby   # latest stable Ruby installed by setup-ruby
+
+      - name: Verify release tag matches Rhales::VERSION
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          set -euo pipefail
+          case "${RELEASE_TAG}" in
+            v[0-9]*.[0-9]*.[0-9]*) ;;
+            *)
+              echo "Release tag '${RELEASE_TAG}' is not a vMAJOR.MINOR.PATCH semver tag." >&2
+              exit 1
+              ;;
+          esac
+          tag_version="${RELEASE_TAG#v}"
+          gem_version="$(ruby -r ./lib/rhales/version.rb -e 'print Rhales::VERSION')"
+          if [ "${tag_version}" != "${gem_version}" ]; then
+            echo "Release tag ${RELEASE_TAG} (${tag_version}) != Rhales::VERSION (${gem_version})." >&2
+            exit 1
+          fi
+          echo "Releasing rhales ${gem_version} from tag ${RELEASE_TAG}"
+
+      - name: Build and push gem to RubyGems
+        uses: rubygems/release-gem@6317d8d1f7e28c24d28f6eff169ea854948bd9f7 # v1.2.0

data/.github/workflows/ruby-lint.yml

@@ -48,7 +48,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        ruby: ['3.4', '3.5']
+        ruby: ['3.2', '3.3', '3.4', '3.5']
         continue-on-error: [true]
 
     steps:

data/.rubocop.yml

@@ -17,7 +17,7 @@ AllCops:
   DisabledByDefault: false # flip to true for a good autocorrect time
   UseCache: true
   MaxFilesInCache: 1000
-  TargetRubyVersion: 3.4
+  TargetRubyVersion: 3.2
   Exclude:
     - 'bin/bundle'
     - 'node_modules/**/*'

data/CHANGELOG.md

@@ -7,7 +7,60 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.2] - 2026-05-25
+
 ### Added
+- **Automated gem release workflow** (`.github/workflows/release-gem.yml`):
+  builds and publishes the gem to RubyGems.org via Trusted Publishing
+  (OIDC) whenever a GitHub Release is published with a `vMAJOR.MINOR.PATCH`
+  tag. Verifies the tag matches `Rhales::VERSION` before pushing.
+
+### Changed
+- **Dependencies**: bumped `unicode-emoji` from 4.0.4 to 4.2.0 and
+  `unicode-display_width` from 3.1.4 to 3.2.0. The previous
+  `unicode-emoji` cap of `< Ruby 4.0` broke `bundle install` on Ruby 4.x;
+  4.2.0 lifts that cap.
+- **Gemfile.lock**: platform list normalized via
+  `bundle lock --normalize-platforms` so platform-specific gems no longer
+  trigger setup-ruby warnings on CI.
+
+## [0.6.1] - 2026-05-25
+
+### Added
+- **Server-rendered random tokens example** (`examples/token-loader.rue`):
+  pattern-teaching example showing how to generate per-request data with
+  `SecureRandom.hex` in a Ruby view model, validate a nested
+  `z.array(z.object(...))` shape, and walk it with nested `{{#each}}` blocks
+  that fall through to the current outer item without explicit bindings. The
+  original loader-animation use case is documented as a CSS-only follow-on in
+  the `<logic>` block. (#49)
+
+### Changed
+- **Minimum Ruby version lowered from 3.4 to 3.2** - broader compatibility with stable Ruby releases; CI now exercises 3.2, 3.3, 3.4, and 3.5
+
+### Fixed
+- `{{#each}}` block variable `@last` now correctly returns `true` for the final
+  iteration instead of always `false`. Enables comma-separated output via
+  `{{#unless @last}},{{/unless}}` and similar patterns. `EachContext` now
+  accepts and stores the collection's total length.
+
+## [0.6.0] - 2026-03-21
+
+### Added
+- **External Schema References**: Schema definitions can now reference external TypeScript/JavaScript files via the `src` attribute
+  - Enables single-source-of-truth patterns where TypeScript schemas drive both frontend types and Rhales validation
+  - Path resolution relative to template file with security checks to prevent path traversal
+  - Rake task output now shows inline vs external schema sources
+  - Example: `<schema src="schemas/user.schema.ts" lang="js-zod" window="__USER__">`
+- **Multi-directory Schema Search**: New `schema_search_paths` configuration option
+  - Allows searching multiple directories for external schema files
+  - Resolution order: template-relative first, then search paths in order
+  - Security checks apply to all configured paths
+- **tsx Import Mode**: New bundling mode for external schemas with imports
+  - `schema_use_tsx_import = true` enables esbuild bundling
+  - `schema_tsconfig_path` allows custom TypeScript configuration
+  - Externalizes zod to prevent dual-instance issues
+  - Cross-platform file:// URL support for Windows ESM compatibility
 - **Production Logging**: Structured logging via `Rhales.logger=` for security auditing and debugging
   - View rendering events with template details, timing, and hydration size
   - Schema validation warnings for production debugging (missing/extra keys)
@@ -23,16 +76,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Comprehensive test coverage for collision detection and merge strategies
 
 ### Changed
+- **Ruby 3.4+ required** (was 3.3.4) - aligns with current LTS ecosystem; no Ruby 3.3 features relied upon, but 3.4 is recommended for YJIT improvements and json_schemer performance
+- Updated zod to 4.3.6
+- Relaxed json_schemer dependency from ~> 2.3 to ~> 2
 - Replaced `json-schema` gem with `json_schemer` for better JSON Schema Draft 2020-12 support
 - Improved validation error messages with more structured output from json_schemer
 - Validation performance improved to <0.05ms average (was ~2ms with json-schema)
 
+### Removed
+- Unused `HydrationRegistry.clear!` method
+
 ### Security
 - Window collision detection prevents accidental data exposure by making overwrites explicit
 - All merge operations happen client-side after server-side interpolation and JSON serialization
 - Request-scoped registry prevents cross-request data leakage
 
-## [0.1.0] - 2024-01-XX
+## [0.1.0] - 2025-07-21
 
 ### Added
 - Initial release of Rhales

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    rhales (0.5.3)
-      json_schemer (~> 2.3)
+    rhales (0.6.2)
+      json_schemer (~> 2)
       logger
       tilt (~> 2)
 
@@ -153,14 +153,14 @@ GEM
       prettier_print (>= 1.2.0)
     tilt (2.6.1)
     tsort (0.2.0)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
     yard (0.9.37)
     zeitwerk (2.7.3)
 
 PLATFORMS
-  arm64-darwin-24
+  arm64-darwin
   ruby
 
 DEPENDENCIES
@@ -186,4 +186,4 @@ DEPENDENCIES
   yard (~> 0.9)
 
 BUNDLED WITH
-   2.6.6
+   2.7.2

data/README.md

@@ -1,20 +1,20 @@
 # Rhales - Ruby Single File Components
 
 > [!CAUTION]
-> **Early Development Release** - Rhales is in active development (v0.5). The API underwent breaking changes from v0.4. While functional and tested, it's recommended for experimental use and contributions. Please report issues and provide feedback through GitHub.
+> **Early Development Release** - Rhales is in active development (v0.6). The API underwent breaking changes from v0.4. While functional and tested, it's recommended for experimental use and contributions. Please report issues and provide feedback through GitHub.
 
 Rhales is a **type-safe contract enforcement framework** for server-rendered pages with client-side data hydration. It uses `.rue` files (Ruby Single File Components) that combine Zod v4 schemas, Handlebars templates, and documentation into a single contract-first format.
 
 **About the name:** It all started with a simple mustache template many years ago. Mustache's successor, "Handlebars," is a visual analog for a mustache. "Two Whales Kissing" is another visual analog for a mustache, and since we're working with Ruby, we call it "Rhales" (Ruby + Whales). It's a perfect name with absolutely no ambiguity or risk of confusion.
 
-## What's New in v0.5
+## What's New in v0.6
 
-- ✅ **Schema-First Design**: Replaced `<data>` sections with Zod v4 `<schema>` sections
-- ✅ **Type Safety**: Contract enforcement between backend and frontend
-- ✅ **Simplified API**: Removed deprecated parameters (`sess`, `cust`, `props:`, `app_data:`)
-- ✅ **Clear Context Layers**: Renamed `app` → `request` for clarity
-- ✅ **Schema Tooling**: Rake tasks for schema generation and validation
-- ✅ **100% Migration**: All demo templates use schemas
+- ✅ **External Schema References**: Reference TypeScript schema files via `src` attribute for single-source-of-truth patterns
+- ✅ **Multi-directory Search**: Configure `schema_search_paths` to search multiple directories for shared schemas
+- ✅ **tsx Import Mode**: Bundle external schemas with imports via esbuild (`schema_use_tsx_import`)
+- ✅ **Ruby 3.2+ Supported**: Minimum Ruby version
+
+**v0.5 features:** Schema-first design, type safety, simplified API, clear context layers, schema tooling.
 
 **Breaking changes from v0.4:** See [Migration Guide](#migration-from-v04-to-v05) below.
 
@@ -134,6 +134,65 @@ const schema = z.object({
 | `version` | No | Schema version | `"2"` |
 | `envelope` | No | Response wrapper type | `"SuccessEnvelope"` |
 | `layout` | No | Layout template reference | `"layouts/main"` |
+| `src` | No | External schema file path | `"schemas/user.schema.ts"` |
+
+### External Schema References
+
+Instead of defining schemas inline, you can reference external TypeScript/JavaScript files. This enables single-source-of-truth patterns where the same schema file drives both frontend TypeScript types (via `z.infer<>`) and Rhales validation.
+
+```xml
+<!-- templates/dashboard.rue -->
+<schema src="schemas/dashboard.schema.ts" lang="js-zod" window="__DASHBOARD__">
+</schema>
+
+<template>
+  <div>{{user.name}}</div>
+</template>
+```
+
+```typescript
+// templates/schemas/dashboard.schema.ts
+import { z } from 'zod';
+
+const schema = z.object({
+  user: z.object({
+    name: z.string(),
+    email: z.string().email()
+  }),
+  items: z.array(z.string())
+});
+
+export default schema;
+
+// TypeScript frontend can import and use: z.infer<typeof schema>
+```
+
+The `src` path is resolved relative to the template file. Security checks prevent path traversal outside the templates directory.
+
+#### Multi-directory Search
+
+Configure additional directories to search for shared schema files:
+
+```ruby
+Rhales.configure do |config|
+  config.schema_search_paths = ['./shared/schemas', './lib/schemas']
+end
+```
+
+Resolution order: template-relative first, then search paths in order.
+
+#### tsx Import Mode
+
+For external schemas that import other modules, enable esbuild bundling:
+
+```ruby
+Rhales.configure do |config|
+  config.schema_use_tsx_import = true
+  config.schema_tsconfig_path = './tsconfig.json'  # optional
+end
+```
+
+This bundles the schema with all its imports while externalizing zod to prevent dual-instance issues.
 
 ### Zod Schema Examples
 

data/examples/token-loader.rue

@@ -0,0 +1,119 @@
+<!-- examples/token-loader.rue -->
+
+<!--
+  Example: Server-Rendered Random Tokens with Nested Iteration
+
+  Demonstrates four rhales patterns in one small template:
+
+  1. Generating per-request random data on the server (SecureRandom.hex)
+     and passing it to the template via the client: context, instead of
+     relying on client JavaScript to fill the page in.
+
+  2. Validating a nested-array-of-objects shape with
+     z.array(z.object(...)) in the <schema> block.
+
+  3. Iterating with {{#each}} over a top-level array.
+
+  4. Iterating again inside the outer block to walk a nested array.
+     The inner {{#each}} resolves its variable name against the current
+     outer item first, so no explicit binding (`as |cell|`) or path
+     prefix (`this.glyphs`) is needed.
+
+  Each render produces a different output. The most common use case is
+  a pre-boot loader animated with CSS (see the "Use as a loader" note
+  below), but the same shape applies anywhere you want server-generated
+  per-request decorative data: identicons, correlation IDs displayed on
+  error pages, example IDs in onboarding flows, etc.
+-->
+
+<schema lang="js-zod" window="loaderTokens">
+const schema = z.object({
+  cells: z.array(z.object({
+    glyphs: z.array(z.string().length(1)).length(17)
+  })).length(5)
+});
+</schema>
+
+<template>
+<style nonce="{{nonce}}">
+  .tokens {
+    display: inline-flex;
+    gap: .3rem;
+    font-family: ui-monospace, "SF Mono", Menlo, monospace;
+    letter-spacing: 0.05em;
+  }
+</style>
+
+<div class="tokens">
+  {{#each cells}}<span class="cell">{{#each glyphs}}{{.}}{{/each}}</span>{{/each}}
+</div>
+</template>
+
+<logic>
+# Server-Rendered Random Tokens
+#
+# Backend Usage (Ruby):
+#
+# require 'securerandom'
+#
+# cells = Array.new(5) {
+#   { glyphs: Array.new(17) { SecureRandom.hex(1)[0] } }
+# }
+#
+# view = Rhales::View.new(
+#   request,
+#   client: { cells: cells },
+#   server: { pageTitle: 'Loading...' }
+# )
+#
+# html = view.render('token-loader')
+#
+# Why these patterns:
+#
+# 1. Randomness lives in the view model, not the template. Rhales
+#    templates don't expose Random.new or SecureRandom directly --
+#    generate the data in Ruby and hand it to the template via the
+#    client: context. Templates stay pure-render and the data flow
+#    is explicit.
+#
+# 2. CSPRNG over Kernel#rand. Even for decorative output, SecureRandom
+#    signals intent and avoids questions later about why a templating
+#    layer is pulling from a seeded RNG.
+#
+# 3. Fresh data per cell, not a shared pool. Generating 5 x 17 = 85
+#    fresh glyphs (vs. 17 glyphs shuffled five ways) avoids visible
+#    rhyming between adjacent columns.
+#
+# 4. Nested {{#each}} resolves against the current outer item. Inside
+#    {{#each cells}}, the inner {{#each glyphs}} looks up "glyphs" on
+#    each cell hash automatically -- no need to write {{#each
+#    this.glyphs}} or pass an explicit binding. See
+#    lib/rhales/core/template_engine.rb EachContext#get for the
+#    fallthrough order (current item -> parent context).
+#
+# 5. Cache layer caveat. If a fragment cache wraps the response, the
+#    "fresh on every render" guarantee becomes "fresh per cache miss."
+#    Worst case is the same tokens until the cache TTL expires, which
+#    matches the behavior of a fully static template. For anything
+#    where per-request uniqueness actually matters, exclude this block
+#    from the cache.
+#
+# Use as a loader:
+#
+# The original motivation for this template was a pre-boot SPA loader
+# that "looks like" something is being computed. To wire that up, wrap
+# the output in role="status" with a visually-hidden label so screen
+# readers announce it correctly, and add CSS that scrolls each cell's
+# glyphs vertically before locking onto a final character. The 17
+# glyphs per cell are sized for a 16-step CSS animation with one
+# resting frame:
+#
+#   <div class="tokens" role="status" aria-label="Loading">
+#     ... iteration ...
+#     <span class="visually-hidden">Loading</span>
+#   </div>
+#
+# The animation itself is just CSS keyframes on the iterated spans and
+# is independent of rhales -- the rhales-specific work ends at
+# rendering the markup with fresh random characters per request.
+</logic>

data/lib/rhales/configuration.rb

@@ -157,6 +157,9 @@ module Rhales
     # Hydration mismatch reporting settings
     attr_accessor :hydration_mismatch_format, :hydration_authority
 
+    # External schema settings
+    attr_accessor :schema_search_paths, :schema_tsconfig_path, :schema_use_tsx_import
+
     def initialize
       # Set sensible defaults
       @default_locale         = 'en'
@@ -191,6 +194,11 @@ module Rhales
       @hydration_mismatch_format        = :compact  # :compact, :multiline, :sidebyside, :json
       @hydration_authority              = :schema   # :schema or :data
 
+      # External schema defaults
+      @schema_search_paths              = []        # Additional paths to search for external schemas
+      @schema_tsconfig_path             = nil       # Path to tsconfig.json for tsx import execution
+      @schema_use_tsx_import            = false     # Use tsx import (runs through project tsconfig)
+
       # Yield to block for configuration if provided
       yield(self) if block_given?
     end
@@ -257,6 +265,13 @@ module Rhales
         end
       end
 
+      # Validate schema search paths exist if specified
+      @schema_search_paths.each do |path|
+        unless Dir.exist?(path)
+          errors << "Schema search path does not exist: #{path}"
+        end
+      end
+
       # Validate cache TTL
       if @cache_ttl && @cache_ttl <= 0
         errors << 'cache_ttl must be positive'
@@ -269,6 +284,7 @@ module Rhales
     def freeze!
       @features.freeze
       @template_paths.freeze
+      @schema_search_paths.freeze
       freeze
     end
 

data/lib/rhales/core/rue_document.rb

@@ -39,7 +39,7 @@ module Rhales
     ALL_SECTIONS = KNOWN_SECTIONS.freeze
 
     # Known schema section attributes
-    KNOWN_SCHEMA_ATTRIBUTES = %w[lang version envelope window merge layout extends].freeze
+    KNOWN_SCHEMA_ATTRIBUTES = %w[lang version envelope window merge layout extends src].freeze
 
     attr_reader :content, :file_path, :grammar, :ast
 
@@ -151,6 +151,12 @@ module Rhales
       schema_attributes['extends']
     end
 
+    # External schema file reference (optional)
+    # When present, schema code is loaded from this path instead of inline content
+    def schema_src
+      schema_attributes['src']
+    end
+
     def section?(name)
       @grammar.sections.key?(name)
     end

data/lib/rhales/core/template_engine.rb

@@ -202,9 +202,11 @@ module Rhales
       items = get_variable_value(items_var)
 
       if items.respond_to?(:each)
-        items.map.with_index do |item, index|
+        items_array = items.to_a
+        total       = items_array.size
+        items_array.map.with_index do |item, index|
           # Create context for each iteration
-          item_context = create_each_context(item, index, items_var)
+          item_context = create_each_context(item, index, items_var, total)
           engine       = self.class.new('', item_context, partial_resolver: @partial_resolver)
           engine.send(:render_content_nodes, block_content)
         end.join
@@ -312,8 +314,8 @@ module Rhales
     end
 
     # Create context for each iteration
-    def create_each_context(item, index, items_var)
-      EachContext.new(@context, item, index, items_var)
+    def create_each_context(item, index, items_var, total = nil)
+      EachContext.new(@context, item, index, items_var, total)
     end
 
     # HTML escape for XSS protection
@@ -323,13 +325,14 @@ module Rhales
 
     # Context wrapper for {{#each}} iterations
     class EachContext
-      attr_reader :parent_context, :current_item, :current_index, :items_var
+      attr_reader :parent_context, :current_item, :current_index, :items_var, :total
 
-      def initialize(parent_context, current_item, current_index, items_var)
+      def initialize(parent_context, current_item, current_index, items_var, total = nil)
         @parent_context = parent_context
         @current_item   = current_item
         @current_index  = current_index
         @items_var      = items_var
+        @total          = total
       end
 
       def get(variable_name)
@@ -342,8 +345,7 @@ module Rhales
         when '@first'
           return @current_index == 0
         when '@last'
-          # We'd need to know the total length for this
-          return false
+          return @total ? @current_index == @total - 1 : false
         end
 
         # Check if it's a property of the current item

data/lib/rhales/hydration/hydration_registry.rb

@@ -27,10 +27,6 @@ module Rhales
         }
       end
 
-      def clear!
-        Thread.current[:rhales_hydration_registry] = {}
-      end
-
       # Expose registry for testing purposes
       def registry
         thread_local_registry

data/lib/rhales/parsers/rue_format_parser.rb

@@ -343,7 +343,7 @@ module Rhales
     end
 
     # Preprocess content to strip XML/HTML comments outside of sections
-    # Uses Ruby 3.4+ pattern matching for robust, secure parsing
+    # Uses Ruby 3.2+ pattern matching for robust, secure parsing
     def preprocess_content(content)
       tokens = tokenize_content(content)
 

data/lib/rhales/utils/schema_extractor.rb

@@ -71,7 +71,18 @@ module Rhales
       return nil unless doc.section?('schema')
 
       template_name = derive_template_name(file_path)
-      schema_code = doc.section('schema')
+      src = doc.schema_src
+      resolved_path = nil
+      schema_code = nil
+
+      if src
+        # External schema: resolve path and read content
+        resolved_path = resolve_schema_src_path(file_path, src)
+        schema_code = read_schema_from_src(resolved_path, src, template_name)
+      else
+        # Inline schema: use content from the schema section
+        schema_code = doc.section('schema')
+      end
 
       {
         template_name: template_name,
@@ -83,7 +94,9 @@ module Rhales
         window: doc.schema_window,
         merge: doc.schema_merge_strategy,
         layout: doc.schema_layout,
-        extends: doc.schema_extends
+        extends: doc.schema_extends,
+        src: src,
+        resolved_path: resolved_path
       }
     end
 
@@ -97,15 +110,20 @@ module Rhales
 
     # Count how many .rue files have schema sections
     #
-    # @return [Hash] Count information
+    # @return [Hash] Count information including external vs inline breakdown
     def schema_stats
       all_files = find_rue_files
       schemas = extract_all
 
+      external_count = schemas.count { |s| s[:src] }
+      inline_count = schemas.count { |s| s[:src].nil? }
+
       {
         total_files: all_files.count,
         files_with_schemas: schemas.count,
         files_without_schemas: all_files.count - schemas.count,
+        external_schemas: external_count,
+        inline_schemas: inline_count,
         schemas_by_lang: schemas.group_by { |s| s[:lang] }.transform_values(&:count)
       }
     end
@@ -128,5 +146,105 @@ module Rhales
       relative_path = file_pathname.relative_path_from(templates_pathname)
       relative_path.to_s.sub(/\.rue$/, '')
     end
+
+    # Resolve external schema src path
+    #
+    # Resolution order:
+    # 1. Relative to template file directory
+    # 2. Search through configured schema_search_paths
+    #
+    # @param template_path [String] Absolute path to the .rue template
+    # @param src [String] The src attribute value from the schema tag
+    # @return [String] Absolute path to the external schema file
+    # @raise [ExtractionError] If path traversal is detected or file not found
+    def resolve_schema_src_path(template_path, src)
+      template_dir = File.dirname(template_path)
+      resolved = File.expand_path(src, template_dir)
+      searched_paths = [resolved]
+
+      # First, check if the path exists relative to template
+      if File.exist?(resolved) && path_within_allowed_directories?(resolved)
+        return resolved
+      end
+
+      # If the relative path does not exist or is not allowed,
+      # search through configured schema_search_paths
+      search_paths = Rhales.configuration.schema_search_paths || []
+      search_paths.each do |search_path|
+        expanded_search_path = File.expand_path(search_path)
+        candidate = File.join(expanded_search_path, src)
+        searched_paths << candidate
+
+        if File.exist?(candidate) && path_within_allowed_directories?(candidate)
+          return candidate
+        end
+      end
+
+      # Security check on the template-relative path
+      unless path_within_allowed_directories?(resolved)
+        raise ExtractionError,
+              "Schema src path traversal not allowed: '#{src}' resolves outside allowed directories"
+      end
+
+      # File not found in any location - raise helpful error listing all searched paths
+      raise ExtractionError,
+            "Schema file not found: '#{src}'. Searched:\n  - #{searched_paths.join("\n  - ")}"
+    end
+
+    # Check if a path is within any allowed directory
+    #
+    # Allowed directories include:
+    # - The templates directory
+    # - Any configured schema_search_paths
+    #
+    # @param path [String] Path to check
+    # @return [Boolean] True if path is within an allowed directory
+    def path_within_allowed_directories?(path)
+      return true if path_within_directory?(path, @templates_dir)
+
+      search_paths = Rhales.configuration.schema_search_paths || []
+      search_paths.any? do |search_path|
+        expanded_search_path = File.expand_path(search_path)
+        path_within_directory?(path, expanded_search_path)
+      end
+    end
+
+    # Read schema content from external file
+    #
+    # @param resolved_path [String] Absolute path to the schema file
+    # @param src [String] Original src attribute value (for error messages)
+    # @param template_name [String] Template name (for error messages)
+    # @return [String] Schema file content
+    # @raise [ExtractionError] If file cannot be read
+    def read_schema_from_src(resolved_path, src, template_name)
+      unless File.exist?(resolved_path)
+        raise ExtractionError,
+              "External schema file not found: '#{src}' (resolved to: #{resolved_path}) " \
+              "referenced by template '#{template_name}'"
+      end
+
+      File.read(resolved_path)
+    rescue Errno::EACCES => e
+      raise ExtractionError,
+            "Permission denied reading external schema '#{src}': #{e.message}"
+    rescue Errno::EISDIR
+      raise ExtractionError,
+            "External schema path '#{src}' is a directory, not a file"
+    end
+
+    # Check if a path is within a given directory (security check)
+    #
+    # @param path [String] Path to check
+    # @param directory [String] Directory that should contain the path
+    # @return [Boolean] True if path is within directory
+    def path_within_directory?(path, directory)
+      expanded_path = File.expand_path(path)
+      expanded_dir = File.expand_path(directory)
+
+      # Ensure directory ends with separator for accurate prefix matching
+      expanded_dir_with_sep = expanded_dir.end_with?(File::SEPARATOR) ? expanded_dir : "#{expanded_dir}#{File::SEPARATOR}"
+
+      expanded_path.start_with?(expanded_dir_with_sep) || expanded_path == expanded_dir
+    end
   end
 end

data/lib/rhales/utils/schema_generator.rb

@@ -3,6 +3,7 @@
 # frozen_string_literal: true
 
 require 'open3'
+require 'securerandom'
 require 'tempfile'
 require 'fileutils'
 require_relative 'schema_extractor'
@@ -76,7 +77,8 @@ module Rhales
         rescue => e
           results[:failed] += 1
           results[:success] = false
-          error_msg = "Failed to generate schema for #{schema_info[:template_name]}: #{e.message}"
+          source_info = schema_info[:src] ? " (from #{schema_info[:src]})" : ""
+          error_msg = "Failed to generate schema for #{schema_info[:template_name]}#{source_info}: #{e.message}"
           results[:errors] << error_msg
           warn error_msg
         end
@@ -95,14 +97,20 @@ module Rhales
       FileUtils.mkdir_p(temp_dir) unless Dir.exist?(temp_dir)
 
       temp_file = Tempfile.new(['schema', '.mts'], temp_dir)
+      bundled_file = nil
 
       begin
-        # Write TypeScript script
-        temp_file.write(build_typescript_script(schema_info))
+        # Write TypeScript script - use import mode for external schemas when configured
+        if use_tsx_import_mode?(schema_info)
+          script, bundled_file = build_typescript_import_script(schema_info)
+        else
+          script = build_typescript_script(schema_info)
+        end
+        temp_file.write(script)
         temp_file.close
 
-        # Execute with tsx via pnpm
-        stdout, stderr, status = Open3.capture3('pnpm', 'exec', 'tsx', temp_file.path)
+        # Execute with tsx via pnpm, optionally with tsconfig
+        stdout, stderr, status = execute_tsx(temp_file.path)
 
         unless status.success?
           raise GenerationError, "TypeScript execution failed: #{stderr}"
@@ -117,17 +125,132 @@ module Rhales
         json_schema
       ensure
         temp_file.unlink if temp_file
+        File.unlink(bundled_file) if bundled_file && File.exist?(bundled_file)
       end
     end
 
     private
 
+    # Determine if we should use tsx import mode for this schema
+    #
+    # Import mode is used when:
+    # 1. schema_use_tsx_import is enabled in configuration
+    # 2. The schema has an external src (not inline)
+    # 3. The resolved_path exists
+    #
+    # @param schema_info [Hash] Schema information
+    # @return [Boolean]
+    def use_tsx_import_mode?(schema_info)
+      return false unless Rhales.configuration.schema_use_tsx_import
+      return false unless schema_info[:src]
+      return false unless schema_info[:resolved_path]
+
+      File.exist?(schema_info[:resolved_path])
+    end
+
+    # Execute tsx with optional tsconfig
+    #
+    # @param script_path [String] Path to the TypeScript script to execute
+    # @return [Array] stdout, stderr, status from Open3.capture3
+    def execute_tsx(script_path)
+      tsconfig_path = Rhales.configuration.schema_tsconfig_path
+
+      if tsconfig_path
+        if File.exist?(tsconfig_path)
+          Open3.capture3('pnpm', 'exec', 'tsx', '--tsconfig', tsconfig_path, script_path)
+        else
+          warn "[Rhales] Warning: schema_tsconfig_path '#{tsconfig_path}' does not exist, ignoring"
+          Open3.capture3('pnpm', 'exec', 'tsx', script_path)
+        end
+      else
+        Open3.capture3('pnpm', 'exec', 'tsx', script_path)
+      end
+    end
+
+    # Build TypeScript script from bundled external schema
+    #
+    # Uses esbuild to bundle the external schema with all imports resolved,
+    # writes to a temp file, then imports via default export. This allows
+    # external files to name their schema variable anything they want.
+    #
+    # External schema files must use default export:
+    #   const mySchema = z.object({ ... });
+    #   export default mySchema;
+    #
+    # @param schema_info [Hash] Schema information with resolved_path
+    # @return [Array<String, String>] [script content, bundled_file_path] - caller must clean up bundled file
+    def build_typescript_import_script(schema_info)
+      safe_name = schema_info[:template_name].gsub("'", "\\'")
+      schema_path = schema_info[:resolved_path]
+
+      # Bundle external schema with esbuild to temp file - resolves all imports
+      # Use SecureRandom for uniqueness across concurrent invocations
+      temp_dir = File.join(Dir.pwd, 'tmp')
+      FileUtils.mkdir_p(temp_dir) unless Dir.exist?(temp_dir)
+      unique_suffix = "#{Process.pid}_#{SecureRandom.hex(4)}"
+      bundled_file = File.join(temp_dir, "bundled_#{File.basename(schema_path, '.*')}_#{unique_suffix}.mjs")
+
+      stdout, stderr, status = Open3.capture3(
+        'pnpm', 'exec', 'esbuild', schema_path,
+        '--bundle', '--format=esm', '--platform=node',
+        '--external:zod',
+        "--outfile=#{bundled_file}"
+      )
+
+      unless status.success?
+        raise GenerationError, "esbuild bundling failed for #{schema_path}: #{stderr}"
+      end
+
+      # Convert to file:// URL for cross-platform ESM import compatibility
+      bundled_file_url = path_to_file_url(bundled_file)
+
+      script = <<~TYPESCRIPT
+        // Auto-generated schema generator for #{safe_name}
+        // Source: #{schema_info[:src]} (bundled via esbuild)
+        import { z } from 'zod/v4';
+        import schema from '#{bundled_file_url}';
+
+        // Generate JSON Schema
+        try {
+          const jsonSchema = z.toJSONSchema(schema, {
+            target: 'draft-2020-12',
+            unrepresentable: 'any',
+            cycles: 'ref',
+            reused: 'inline',
+          });
+
+          // Add metadata
+          const schemaWithMeta = {
+            $schema: 'https://json-schema.org/draft/2020-12/schema',
+            $id: `https://rhales.dev/schemas/#{safe_name}.json`,
+            title: '#{safe_name}',
+            description: 'Schema for #{safe_name} template',
+            ...jsonSchema,
+          };
+
+          // Output JSON to stdout
+          console.log(JSON.stringify(schemaWithMeta, null, 2));
+        } catch (error) {
+          console.error('Schema generation error:', error.message);
+          process.exit(1);
+        }
+      TYPESCRIPT
+
+      [script, bundled_file]
+    end
+
     def build_typescript_script(schema_info)
       # Escape single quotes in template name for TypeScript string
       safe_name = schema_info[:template_name].gsub("'", "\\'")
+      source_comment = if schema_info[:src]
+        "// Source: #{schema_info[:src]} (external)"
+      else
+        "// Source: inline schema"
+      end
 
       <<~TYPESCRIPT
         // Auto-generated schema generator for #{safe_name}
+        #{source_comment}
         import { z } from 'zod/v4';
 
         // Schema code from .rue template
@@ -185,10 +308,34 @@ module Rhales
       unless status.success?
         raise GenerationError, "tsx not found. Run: pnpm install tsx --save-dev"
       end
+
+      # Check esbuild is available when tsx import mode is enabled
+      if Rhales.configuration.schema_use_tsx_import
+        stdout, stderr, status = Open3.capture3('pnpm', 'exec', 'esbuild', '--version')
+        unless status.success?
+          raise GenerationError, "esbuild not found (required for external schema bundling). Run: pnpm install esbuild --save-dev"
+        end
+      end
     end
 
     def ensure_output_directory!
       FileUtils.mkdir_p(@output_dir) unless File.directory?(@output_dir)
     end
+
+    # Convert absolute path to file:// URL for cross-platform ESM imports
+    #
+    # On Windows, paths like C:\foo\bar need to become file:///C:/foo/bar
+    # On Unix, paths like /foo/bar become file:///foo/bar
+    #
+    # @param path [String] Absolute file path
+    # @return [String] file:// URL
+    def path_to_file_url(path)
+      normalized = path.tr('\\', '/')
+      if normalized.match?(%r{^[A-Za-z]:}) # Windows drive letter
+        "file:///#{normalized}"
+      else
+        "file://#{normalized}"
+      end
+    end
   end
 end

data/lib/rhales/version.rb

@@ -5,6 +5,6 @@
 module Rhales
   # Version information for the RSFC gem
   unless defined?(Rhales::VERSION)
-    VERSION = '0.5.4'
+    VERSION = '0.6.2'
   end
 end

data/lib/tasks/rhales_schema.rake

@@ -45,7 +45,8 @@ namespace :rhales do
 
       puts "Found #{schemas.size} schema section(s):"
       schemas.each do |schema|
-        puts "  - #{schema[:template_name]} (#{schema[:lang]})"
+        source_type = schema[:src] ? "external: #{schema[:src]}" : "inline"
+        puts "  - #{schema[:template_name]} (#{schema[:lang]}, #{source_type})"
       end
       puts
 
@@ -186,6 +187,13 @@ namespace :rhales do
       puts "Files without <schema>: #{stats[:files_without_schemas]}"
       puts
 
+      if stats[:files_with_schemas] > 0
+        puts "Schema sources:"
+        puts "  External (src attribute): #{stats[:external_schemas]}"
+        puts "  Inline: #{stats[:inline_schemas]}"
+        puts
+      end
+
       if stats[:schemas_by_lang].any?
         puts "By language:"
         stats[:schemas_by_lang].each do |lang, count|

data/package.json

@@ -1,7 +1,7 @@
 {
   "type": "module",
   "dependencies": {
-    "zod": "^4.1.12"
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@prettier/plugin-ruby": "^4.0.4",

data/pnpm-lock.yaml

@@ -9,8 +9,8 @@ importers:
   .:
     dependencies:
       zod:
-        specifier: ^4.1.12
-        version: 4.1.12
+        specifier: ^4.3.6
+        version: 4.3.6
     devDependencies:
       '@prettier/plugin-ruby':
         specifier: ^4.0.4
@@ -208,8 +208,8 @@ packages:
     engines: {node: '>=18.0.0'}
     hasBin: true
 
-  zod@4.1.12:
-    resolution: {integrity: sha512-JInaHOamG8pt5+Ey8kGmdcAcg3OL9reK8ltczgHTAwNhMys/6ThXHityHxVV2p3fkw/c+MAvBHFVYHFZDmjMCQ==}
+  zod@4.3.6:
+    resolution: {integrity: sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==}
 
 snapshots:
 
@@ -342,4 +342,4 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.3
 
-  zod@4.1.12: {}
+  zod@4.3.6: {}

data/rhales.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
 
   spec.homepage              = 'https://github.com/onetimesecret/rhales'
   spec.license               = 'MIT'
-  spec.required_ruby_version = '>= 3.3.4'
+  spec.required_ruby_version = '>= 3.2'
 
   spec.metadata['source_code_uri']       = 'https://github.com/onetimesecret/rhales'
   spec.metadata['changelog_uri']         = 'https://github.com/onetimesecret/rhales/blob/main/CHANGELOG.md'
@@ -41,14 +41,11 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   # Runtime dependencies
-  spec.add_dependency 'json_schemer', '~> 2.3'  # JSON Schema validation in middleware
+
+  spec.add_dependency 'json_schemer', '~> 2'    # JSON Schema validation in middleware
   spec.add_dependency 'logger'                  # Standard library logger for logging support
   spec.add_dependency 'tilt', '~> 2'            # Templating engine for rendering RSFCs
 
-  # Optional dependencies for performance optimization
-  # Install oj for 10-20x faster JSON parsing and 5-10x faster generation
-  # spec.add_dependency 'oj', '~> 3.13'
-
   # Development dependencies should be specified in Gemfile instead of gemspec
   # See: https://bundler.io/guides/creating_gem.html#testing-our-gem
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rhales
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.6.2
 platform: ruby
 authors:
 - delano
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: logger
   requirement: !ruby/object:Gem::Requirement
@@ -70,6 +70,7 @@ files:
 - ".github/workflows/claude-code-review.yml"
 - ".github/workflows/claude.yml"
 - ".github/workflows/code-smells.yml"
+- ".github/workflows/release-gem.yml"
 - ".github/workflows/ruby-lint.yml"
 - ".github/workflows/yardoc.yml"
 - ".gitignore"
@@ -120,6 +121,7 @@ files:
 - examples/dashboard-with-charts.rue
 - examples/form-with-validation.rue
 - examples/simple-page.rue
+- examples/token-loader.rue
 - examples/vue.rue
 - generate-json-schemas.ts
 - json_schemer_migration_summary.md
@@ -189,14 +191,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.3.4
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Rhales - Server-rendered components with client-side hydration (RSFCs)
 test_files: []