@bractjs/bractjs 0.1.0 → 0.1.6

package/src/__tests__/security.test.ts

@@ -0,0 +1,348 @@
+import { test, expect, describe, beforeAll, afterAll } from "bun:test";
+import { mkdir, rm, writeFile, symlink } from "node:fs/promises";
+import { resolve, join } from "node:path";
+import { tmpdir } from "node:os";
+import { createServer } from "../server/serve.ts";
+import { handleActionRequest } from "../server/action-handler.ts";
+import { loadServerActions } from "../server/action-registry.ts";
+import { safeStringify } from "../server/env.ts";
+import { cors } from "../middleware/cors.ts";
+import { createCookieSession } from "../server/session.ts";
+import { MiddlewarePipeline, type MiddlewareContext } from "../server/middleware.ts";
+import { serveStatic } from "../server/static.ts";
+import { handleImageRequest } from "../image/handler.ts";
+
+const ACTION_TMP = resolve(import.meta.dir, ".tmp-security-action");
+let registeredActionId = "";
+
+async function computeId(filePath: string, name: string): Promise<string> {
+  const raw = new TextEncoder().encode(filePath + "#" + name);
+  const buf = await crypto.subtle.digest("SHA-256", raw);
+  return Array.from(new Uint8Array(buf))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("")
+    .slice(0, 16);
+}
+
+const PORT = 3998;
+const BASE = `http://localhost:${PORT}`;
+const FIXTURE_APP = resolve(import.meta.dir, "fixtures/app");
+
+let handle: ReturnType<typeof createServer>;
+
+beforeAll(async () => {
+  handle = createServer({
+    port: PORT,
+    appDir: FIXTURE_APP,
+    manifest: { clientEntry: "/build/client/client.js", routes: {} },
+  });
+
+  await rm(ACTION_TMP, { recursive: true, force: true });
+  await mkdir(join(ACTION_TMP, "routes"), { recursive: true });
+  const actionFile = join(ACTION_TMP, "routes", "_index.tsx");
+  await writeFile(actionFile, `"use server";\nexport async function ping(...args) { return args; }\n`);
+  await loadServerActions(ACTION_TMP);
+  registeredActionId = await computeId(actionFile, "ping");
+});
+
+afterAll(async () => {
+  handle.stop();
+  await rm(ACTION_TMP, { recursive: true, force: true });
+});
+
+// ── Item 1 — path traversal ───────────────────────────────────────────────
+
+describe("path traversal", () => {
+  test("GET /public/../package.json returns 404, not file contents", async () => {
+    const res = await fetch(`${BASE}/public/../package.json`);
+    expect(res.status).toBe(404);
+    const body = await res.text();
+    expect(body).not.toContain("@bractjs/bractjs");
+  });
+});
+
+// ── Item 2 — action arg validation ────────────────────────────────────────
+
+describe("action-handler — arg validation", () => {
+  test("non-array JSON body → 400", async () => {
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-BractJS-Action": "1" },
+      body: JSON.stringify({ foo: "bar" }),
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(400);
+  });
+
+  test("array with __proto__ key → 400", async () => {
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-BractJS-Action": "1" },
+      // Use JSON.parse to actually inject __proto__ as an own key
+      body: '[{"__proto__":{"polluted":true}}]',
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(400);
+  });
+
+  test("array with constructor key → 400", async () => {
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", "X-BractJS-Action": "1" },
+      body: '[{"constructor":1}]',
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(400);
+  });
+
+  test("JSON body > 1 MiB rejected with 413 (advertised via Content-Length)", async () => {
+    const huge = "a".repeat(2 * 1024 * 1024);
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-BractJS-Action": "1",
+        "Content-Length": String(2 * 1024 * 1024 + 2),
+      },
+      body: `["${huge}"]`,
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(413);
+  });
+
+  test("JSON body > 1 MiB rejected with 413 even when Content-Length lies", async () => {
+    const huge = "a".repeat(2 * 1024 * 1024);
+    const req = new Request(`http://x/_action?id=${registeredActionId}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-BractJS-Action": "1",
+        "Content-Length": "10",
+      },
+      body: `["${huge}"]`,
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(413);
+  });
+});
+
+// ── Item 3 — CSRF ─────────────────────────────────────────────────────────
+
+describe("CSRF — cross-origin mutation", () => {
+  test("/_action without X-BractJS-Action and with cross-origin Origin → 403", async () => {
+    const req = new Request("http://localhost/_action?id=abc", {
+      method: "POST",
+      headers: { Origin: "https://evil.example" },
+      body: "[]",
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).toBe(403);
+  });
+
+  test("/_action with same-origin Origin → not 403 (404 unknown id)", async () => {
+    const req = new Request("http://localhost/_action?id=abc", {
+      method: "POST",
+      headers: { Origin: "http://localhost", "Content-Type": "application/json" },
+      body: "[]",
+    });
+    const res = await handleActionRequest(req);
+    expect(res?.status).not.toBe(403);
+  });
+
+  test("route POST with mismatched Origin → 403", async () => {
+    const res = await fetch(`${BASE}/`, {
+      method: "POST",
+      body: new FormData(),
+      headers: { Origin: "https://evil.example" },
+    });
+    expect(res.status).toBe(403);
+  });
+});
+
+// ── Item 5 — safeStringify ───────────────────────────────────────────────
+
+describe("safeStringify", () => {
+  test("escapes U+2028 / U+2029", () => {
+    const ls = String.fromCharCode(0x2028);
+    const ps = String.fromCharCode(0x2029);
+    const out = safeStringify({ a: `x${ls}y${ps}z` });
+    expect(out).not.toContain(ls);
+    expect(out).not.toContain(ps);
+    expect(out).toContain("\\u2028");
+    expect(out).toContain("\\u2029");
+  });
+
+  test("escapes < > &", () => {
+    const out = safeStringify({ x: "<script>&" });
+    expect(out).toContain("\\u003c");
+    expect(out).toContain("\\u003e");
+    expect(out).toContain("\\u0026");
+  });
+});
+
+// ── Item 6 — session ─────────────────────────────────────────────────────
+
+describe("session — secret validation", () => {
+  test("empty secrets throws", () => {
+    expect(() => createCookieSession({ name: "s", secrets: [] })).toThrow();
+  });
+
+  test("short secret throws", () => {
+    expect(() => createCookieSession({ name: "s", secrets: ["short"] })).toThrow();
+  });
+
+  test("valid secret roundtrips", async () => {
+    const s = createCookieSession({ name: "s", secrets: ["a-secret-that-is-long-enough-1"] });
+    const sess = await s.getSession(null);
+    sess.set("k", "v");
+    const cookie = await s.commitSession(sess);
+    const rt = await s.getSession(cookie.split(";")[0]);
+    expect(rt.get("k")).toBe("v");
+  });
+
+  test("tampered signature rejected", async () => {
+    const s = createCookieSession({ name: "s", secrets: ["a-secret-that-is-long-enough-1"] });
+    const sess = await s.getSession(null);
+    sess.set("k", "v");
+    const cookie = await s.commitSession(sess);
+    const tampered = cookie.replace(/=([^;]+)/, (_, val) => `=${val.slice(0, -1)}X`);
+    const rt = await s.getSession(tampered.split(";")[0]);
+    expect(rt.has("k")).toBe(false);
+  });
+});
+
+// ── Item 7 — CORS ────────────────────────────────────────────────────────
+
+describe("cors middleware", () => {
+  async function runOnce(mw: ReturnType<typeof cors>, req: Request): Promise<Response> {
+    const ctx: MiddlewareContext = { request: req, params: {}, context: {} };
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    return pipeline.run(ctx, () => Promise.resolve(new Response("ok")));
+  }
+
+  test("wildcard never reflects Origin", async () => {
+    const mw = cors({ origin: "*" });
+    const res = await runOnce(mw, new Request("http://x/", { headers: { Origin: "https://evil.example" } }));
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+  });
+
+  test("always emits Vary: Origin", async () => {
+    const mw = cors({ origin: "https://ok.example" });
+    const res = await runOnce(mw, new Request("http://x/", { headers: { Origin: "https://ok.example" } }));
+    expect(res.headers.get("Vary")).toContain("Origin");
+  });
+
+  test("credentials + wildcard throws at setup", () => {
+    expect(() => cors({ origin: "*", credentials: true })).toThrow();
+  });
+});
+
+// ── Item 8 — image dim validation ────────────────────────────────────────
+
+describe("image handler — dim allowlist", () => {
+  test("w=999 (not in allowlist) → 400", async () => {
+    const res = await fetch(`${BASE}/_image?src=/public/a.jpg&w=999`);
+    expect(res.status).toBe(400);
+  });
+
+  test("w=320 (in allowlist) → not 400 (404 because file missing)", async () => {
+    const res = await fetch(`${BASE}/_image?src=/public/missing.jpg&w=320`);
+    expect(res.status).toBe(404);
+  });
+
+  test("w=3840&h=3840 (area too large) → 400", async () => {
+    const res = await fetch(`${BASE}/_image?src=/public/a.jpg&w=3840&h=3840`);
+    expect(res.status).toBe(400);
+  });
+});
+
+// ── Item 11 — HttpError → response ───────────────────────────────────────
+// (Implicitly covered: integration.test.ts hits a route; this test exercises
+// the conversion via a direct loader throw is awkward without fixtures. Skip
+// here — the request-handler change is type-checked + reachable via redirect.)
+
+// ── Item 12 — Content-Type branching for action ──────────────────────────
+
+describe("action Content-Type branching", () => {
+  test("JSON content-type does not require multipart formData", async () => {
+    const res = await fetch(`${BASE}/`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Origin: BASE },
+      body: JSON.stringify({ name: "bract" }),
+    });
+    // The fixture's action accepts FormData; with JSON CT, request-handler
+    // passes an empty FormData and the action returns. Should not 500 from
+    // formData() throwing.
+    expect([200, 302, 400, 404]).toContain(res.status);
+  });
+});
+
+// ── Item 14 — meta is array in __BRACTJS_DATA__ ─────────────────────────
+
+describe("render meta shape", () => {
+  test("__BRACTJS_DATA__.meta is an array", async () => {
+    const res = await fetch(`${BASE}/`);
+    const html = await res.text();
+    const match = html.match(/window\.__BRACTJS_DATA__=({[\s\S]*?});/);
+    expect(match).not.toBeNull();
+    const data = JSON.parse(match![1]) as { meta: unknown };
+    expect(Array.isArray(data.meta)).toBe(true);
+  });
+});
+
+// ── Item 20 — middleware double-next ─────────────────────────────────────
+
+describe("middleware — double next()", () => {
+  test("calling next() twice rejects", async () => {
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(async (_ctx, next) => {
+      await next();
+      return next(); // illegal
+    });
+    const ctx: MiddlewareContext = { request: new Request("http://x/"), params: {}, context: {} };
+    await expect(pipeline.run(ctx, () => Promise.resolve(new Response("ok")))).rejects.toThrow(/more than once/);
+  });
+});
+
+// ── Symlink escape (static + image) ─────────────────────────────────────
+
+describe("symlink escape — static", () => {
+  let pub: string;
+  let outside: string;
+  let buildDir: string;
+
+  beforeAll(async () => {
+    const root = await Bun.file(tmpdir()).exists() ? tmpdir() : ".";
+    pub = join(root, `bract-sym-pub-${Date.now()}`);
+    outside = join(root, `bract-sym-out-${Date.now()}`);
+    buildDir = join(root, `bract-sym-build-${Date.now()}`);
+    await mkdir(pub, { recursive: true });
+    await mkdir(outside, { recursive: true });
+    await mkdir(join(buildDir, "client"), { recursive: true });
+    await writeFile(join(outside, "secret.txt"), "PWNED");
+    // Symlink inside /public/ that points outside the root.
+    await symlink(join(outside, "secret.txt"), join(pub, "escape.txt"));
+  });
+
+  afterAll(async () => {
+    await rm(pub, { recursive: true, force: true });
+    await rm(outside, { recursive: true, force: true });
+    await rm(buildDir, { recursive: true, force: true });
+  });
+
+  test("static refuses to serve a symlink whose target is outside publicDir", async () => {
+    const res = await serveStatic("/public/escape.txt", buildDir, pub);
+    expect(res).toBeNull();
+  });
+
+  test("image /_image refuses src that symlinks outside publicDir", async () => {
+    const cacheDir = join(tmpdir(), `bract-sym-cache-${Date.now()}`);
+    await mkdir(cacheDir, { recursive: true });
+    const req = new Request(`http://x/_image?src=/public/escape.txt&w=320`);
+    const res = await handleImageRequest(req, pub, cacheDir);
+    expect(res?.status === 400 || res?.status === 404).toBe(true);
+    await rm(cacheDir, { recursive: true, force: true });
+  });
+});
+

package/src/__tests__/session.test.ts

@@ -3,7 +3,7 @@ import { createCookieSession } from "../server/session.ts";
 
 const sessionStorage = createCookieSession({
   name: "__test",
-  secrets: ["secret-one", "secret-two"],
+  secrets: ["secret-one-1234567890", "secret-two-1234567890"],
   secure: false,
   sameSite: "Lax",
 });
@@ -71,7 +71,7 @@ describe("createCookieSession — commitSession + roundtrip", () => {
   test("secret rotation: old secret still verifies", async () => {
     const oldStorage = createCookieSession({
       name: "__test",
-      secrets: ["secret-two"], // only the old secret
+      secrets: ["secret-two-1234567890"], // only the old secret
       secure: false,
     });
     const s1 = await oldStorage.getSession(null);
@@ -81,7 +81,7 @@ describe("createCookieSession — commitSession + roundtrip", () => {
     // New storage has new secret first, old secret second (rotation)
     const newStorage = createCookieSession({
       name: "__test",
-      secrets: ["secret-one", "secret-two"],
+      secrets: ["secret-one-1234567890", "secret-two-1234567890"],
       secure: false,
     });
     const cookieValue = cookie.split(";")[0];

package/src/build/bundler.ts

@@ -1,4 +1,4 @@
-import { join } from "node:path";
+import { join, basename, extname, resolve } from "node:path";
 import { rename } from "node:fs/promises";
 import type { BractJSConfig } from "../server/serve.ts";
 import { scanRoutes } from "../server/scanner.ts";
@@ -47,6 +47,10 @@ export async function runBuild(config: BractJSConfig): Promise<void> {
   const routeChunks = new Map<string, string>();
   let clientEntry = "";
   let rootChunk: string | undefined;
+  const outdirAbs = resolve("build/client");
+  const appDirClean = appDir.replace(/^\.\//, "");
+  const entryBase = basename("src/client/entry.tsx", extname("src/client/entry.tsx")); // "entry"
+  const rootBase = basename(rootFilePath, extname(rootFilePath)); // "root"
 
   for (const artifact of clientResult.outputs) {
     if (artifact.kind !== "chunk" && artifact.kind !== "entry-point") continue;
@@ -57,13 +61,19 @@ export async function runBuild(config: BractJSConfig): Promise<void> {
     await rename(artifact.path, hashedPath);
 
     const publicPath = "/" + hashedPath.replace(/^build\//, "build/");
-    if (artifact.kind === "entry-point" && artifact.path.includes("entry")) {
+    const absPath = resolve(artifact.path);
+    const rel = absPath.startsWith(outdirAbs + "/") ? absPath.slice(outdirAbs.length + 1) : basename(artifact.path);
+    const outBase = basename(artifact.path, extname(artifact.path));
+
+    if (artifact.kind === "entry-point" && outBase === entryBase) {
       clientEntry = publicPath;
-    } else if (artifact.kind === "entry-point" && artifact.path.includes("root")) {
+    } else if (artifact.kind === "entry-point" && outBase === rootBase) {
       rootChunk = publicPath;
     } else {
-      // Map route file path back to URL pattern
-      const matched = routes.find((r) => artifact.path.includes(r.filePath.replace("./", "")));
+      const matched = routes.find((r) => {
+        const expected = join(appDirClean, r.filePath).replace(/\.[^.]+$/, ".js");
+        return rel === expected;
+      });
       if (matched) routeChunks.set(matched.urlPattern, publicPath);
     }
   }

package/src/build/directives.ts

@@ -3,10 +3,37 @@ import type { BunPlugin } from "bun";
 const CLIENT_RE = /^["']use client["']/m;
 const SERVER_RE = /^["']use server["']/m;
 
+// Strip a UTF-8 BOM and any leading ASCII whitespace before testing the
+// directive regex. Editors that save files with BOM otherwise let "use server"
+// fall through and ship server code to the client bundle.
+function normalizeForDirectiveCheck(src: string): string {
+  return src.replace(/^/, "").replace(/^\s+/, "");
+}
+function hasClientDirective(src: string): boolean {
+  return CLIENT_RE.test(normalizeForDirectiveCheck(src));
+}
+function hasServerDirective(src: string): boolean {
+  return SERVER_RE.test(normalizeForDirectiveCheck(src));
+}
+
 function extractExports(src: string): string[] {
   const names: string[] = [];
   for (const m of src.matchAll(/^export\s+(?:async\s+)?function\s+(\w+)/gm)) names.push(m[1]);
-  for (const m of src.matchAll(/^export\s+(?:let|const)\s+(\w+)\s*=/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s+(?:let|const|var)\s+(\w+)\s*=/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s+default\s+(?:async\s+)?function\s+(\w+)/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s+class\s+(\w+)/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s*\{([^}]+)\}/gm)) {
+    for (const part of m[1].split(",")) {
+      const trimmed = part.trim();
+      if (!trimmed) continue;
+      const asMatch = trimmed.match(/\bas\s+(\w+)$/);
+      if (asMatch) names.push(asMatch[1]);
+      else {
+        const idMatch = trimmed.match(/^(\w+)/);
+        if (idMatch) names.push(idMatch[1]);
+      }
+    }
+  }
   return names;
 }
 
@@ -25,7 +52,7 @@ export const useClientStubPlugin: BunPlugin = {
   setup(build) {
     build.onLoad({ filter: /\.(tsx?|jsx?)$/ }, async ({ path }) => {
       const src = await Bun.file(path).text();
-      if (!CLIENT_RE.test(src)) return undefined;
+      if (!hasClientDirective(src)) return undefined;
       const stubs = extractExports(src).map((n) => `export const ${n} = () => null;`).join("\n");
       return { contents: stubs || "export {};", loader: "ts" };
     });
@@ -52,7 +79,7 @@ export const useServerProxyPlugin: BunPlugin = {
   setup(build) {
     build.onLoad({ filter: /\.(tsx?|jsx?)$/ }, async ({ path }) => {
       const src = await Bun.file(path).text();
-      if (!SERVER_RE.test(src)) return undefined;
+      if (!hasServerDirective(src)) return undefined;
       const names = extractExports(src);
       if (names.length === 0) return { contents: "export {};", loader: "ts" };
       const proxies = await Promise.all(

package/src/build/env-plugin.ts

@@ -41,6 +41,7 @@ export function clientEnvPlugin(
     name: "bractjs-client-env",
     setup(build) {
       build.onLoad({ filter: /\.(ts|tsx|js|jsx)$/ }, async (args) => {
+        if (args.path.includes("/node_modules/")) return undefined;
         const src = await Bun.file(args.path).text();
         const contents = src.replace(
           /process\.env\.([A-Z_][A-Z0-9_]*)/g,

package/src/build/hash.ts

@@ -1,5 +1,4 @@
 import { extname, basename, dirname, join } from "node:path";
-import { test, expect } from "bun:test";
 
 // ── Helpers ────────────────────────────────────────────────────────────────
 
@@ -35,22 +34,3 @@ export async function renameWithHash(filePath: string): Promise<string> {
   const base = basename(filePath, ext);
   return join(dirname(filePath), `${base}.${hash}${ext}`);
 }
-
-// ── Tests ──────────────────────────────────────────────────────────────────
-
-test("same content → same hash", async () => {
-  const a = await hashString("hello world");
-  const b = await hashString("hello world");
-  expect(a).toBe(b);
-});
-
-test("different content → different hash", async () => {
-  const a = await hashString("foo");
-  const b = await hashString("bar");
-  expect(a).not.toBe(b);
-});
-
-test("hash is 8 hex chars", async () => {
-  const h = await hashString("bractjs");
-  expect(h).toMatch(/^[0-9a-f]{8}$/);
-});

package/src/client/ClientRouter.tsx

@@ -68,8 +68,10 @@ export function ClientRouter({ children, initialData, initialModule = null }: Cl
         setPathname(to);
         setCurrentModule(routeModule);
       });
-      if ((data.meta as { title?: string })?.title) {
-        document.title = (data.meta as { title: string }).title;
+      const metaList = data.meta as Array<Record<string, unknown>> | undefined;
+      const titleEntry = metaList?.find((m) => "title" in m);
+      if (titleEntry && typeof titleEntry.title === "string") {
+        document.title = titleEntry.title;
       }
     } catch (err) {
       console.error("[bractjs] loadRoute error:", err);
@@ -93,9 +95,11 @@ export function ClientRouter({ children, initialData, initialModule = null }: Cl
   // Module-level HMR: swap the current route module without a full reload.
   // The injected HMR client script calls window.__BRACTJS_HMR_ACCEPT__(pattern, mod)
   // after importing the freshly-built chunk from /_hmr/module.
+  // Dev gate: prod builds inject __BRACT_DEV__ = false; absence in browser also
+  // counts as prod since we never reference `process` here.
   useEffect(() => {
-    if (process.env.NODE_ENV === "production") return;
-    const w = window as unknown as { __BRACTJS_HMR_ACCEPT__?: unknown };
+    const w = window as unknown as { __BRACT_DEV__?: boolean; __BRACTJS_HMR_ACCEPT__?: unknown };
+    if (w.__BRACT_DEV__ !== true) return;
     w.__BRACTJS_HMR_ACCEPT__ = (pattern: string, mod: RouteModuleClient) => {
       const current = matchPatternForPath(pathname, manifest);
       if (current === pattern) startTransition(() => setCurrentModule(mod));

package/src/codegen/route-codegen.ts

@@ -29,23 +29,44 @@ function substituteParams(pattern: string, params: string[]): string {
   ).join("/");
 }
 
+// Allowed pattern: "/" + (segment | ":ident") (segments are filename-derived).
+// Restricting upfront removes any chance that a hostile filename injects a
+// backtick, ${ }, or quote into the generated TS source.
+const SAFE_PATTERN_RE = /^\/(?:[A-Za-z0-9_\-]+|:[A-Za-z_][A-Za-z0-9_]*)(?:\/(?:[A-Za-z0-9_\-]+|:[A-Za-z_][A-Za-z0-9_]*))*$|^\/$/;
+const SAFE_IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+function assertSafePattern(pattern: string): void {
+  if (!SAFE_PATTERN_RE.test(pattern)) {
+    throw new Error(`[bractjs] codegen: refusing to emit unsafe route pattern: ${JSON.stringify(pattern)}`);
+  }
+}
+function assertSafeParam(name: string): void {
+  if (!SAFE_IDENT_RE.test(name)) {
+    throw new Error(`[bractjs] codegen: refusing to emit unsafe param name: ${JSON.stringify(name)}`);
+  }
+}
+
 function builderEntry(pattern: string, params: string[]): string {
-  if (params.length === 0)
-    return "  \"" + pattern + "\": () => \"" + pattern + "\" as const,";
+  assertSafePattern(pattern);
+  params.forEach(assertSafeParam);
+  const key = JSON.stringify(pattern);
+  if (params.length === 0) return "  " + key + ": () => " + key + " as const,";
   const paramType = params.map((p) => p + ": string").join("; ");
   const body = substituteParams(pattern, params);
-  return "  \"" + pattern + "\": (params: { " + paramType + " }) => `" + body + "` as const,";
+  return "  " + key + ": (params: { " + paramType + " }) => `" + body + "` as const,";
 }
 
 function paramsTypeLines(routes: Array<{ pattern: string; params: string[] }>): string {
   const dynamic = routes.filter((r) => r.params.length > 0);
   if (dynamic.length === 0) return "export type RouteParams<_T extends AppRoutes> = Record<never, never>;";
   const branches = dynamic
-    .map((r) =>
-      "  T extends \"" + r.pattern + "\" ? { "
-      + r.params.map((p) => p + ": string").join("; ")
-      + " } :",
-    )
+    .map((r) => {
+      assertSafePattern(r.pattern);
+      r.params.forEach(assertSafeParam);
+      return "  T extends " + JSON.stringify(r.pattern) + " ? { "
+        + r.params.map((p) => p + ": string").join("; ")
+        + " } :";
+    })
     .join("\n");
   return "export type RouteParams<T extends AppRoutes> =\n" + branches + "\n  Record<never, never>;";
 }
@@ -65,7 +86,10 @@ export async function generateRouteTypes(appDir: string): Promise<string> {
   }));
 
   const union = routes.length > 0
-    ? routes.map((r) => "  | \"" + r.pattern + "\"").join("\n")
+    ? routes.map((r) => {
+        assertSafePattern(r.pattern);
+        return "  | " + JSON.stringify(r.pattern);
+      }).join("\n")
     : "  never";
 
   const builderEntries = routes.map((r) => builderEntry(r.pattern, r.params)).join("\n");

package/src/dev/hmr-module-handler.ts

@@ -1,4 +1,5 @@
-import { resolve, join } from "node:path";
+import { resolve, join, sep } from "node:path";
+import { realpath } from "node:fs/promises";
 
 /**
  * Dev-only HTTP handler for /_hmr/module?file=routes/about.tsx
@@ -17,10 +18,19 @@ export async function handleHmrModuleRequest(
     return new Response("Missing file param", { status: 400 });
   }
 
-  // Resolve and guard against path traversal
+  // Resolve and guard against path traversal AND symlink escape.
   const rootDir = resolve(appDir);
-  const fullPath = resolve(join(rootDir, file));
-  if (!fullPath.startsWith(rootDir + "/") && fullPath !== rootDir) {
+  const candidate = resolve(join(rootDir, file));
+  if (!candidate.startsWith(rootDir + sep) && candidate !== rootDir) {
+    return new Response("Forbidden", { status: 403 });
+  }
+  let fullPath: string;
+  try {
+    fullPath = await realpath(candidate);
+  } catch {
+    return new Response("Not Found", { status: 404 });
+  }
+  if (!fullPath.startsWith(rootDir + sep) && fullPath !== rootDir) {
     return new Response("Forbidden", { status: 403 });
   }