@bractjs/bractjs 0.1.0 → 0.1.6

package/src/image/cache.ts

@@ -1,5 +1,5 @@
 import { join } from "node:path";
-import { mkdir } from "node:fs/promises";
+import { mkdir, rename, unlink } from "node:fs/promises";
 import type { ImageTransformParams, TransformResult, ImageFormat } from "./types.ts";
 
 const MAX_MEM = 200;
@@ -50,10 +50,14 @@ export async function getFromDisk(
   const key = await cacheKey(src, params);
   const metaFile = Bun.file(join(dir, `${key}.json`));
   const dataFile = Bun.file(join(dir, `${key}.bin`));
-  if (!(await metaFile.exists()) || !(await dataFile.exists())) return null;
+  // No existence pre-check: it would create a TOCTOU race where the file is
+  // deleted between exists() and read(). Just attempt the reads and let either
+  // a missing file or invalid JSON fall through to MISS.
   try {
-    const meta = await metaFile.json() as { contentType: string; format: ImageFormat };
-    const data = await dataFile.arrayBuffer();
+    const [meta, data] = await Promise.all([
+      metaFile.json() as Promise<{ contentType: string; format: ImageFormat }>,
+      dataFile.arrayBuffer(),
+    ]);
     return { data, contentType: meta.contentType, format: meta.format };
   } catch {
     return null;
@@ -68,8 +72,24 @@ export async function setOnDisk(
 ): Promise<void> {
   await mkdir(dir, { recursive: true });
   const key = await cacheKey(src, params);
-  await Promise.all([
-    Bun.write(join(dir, `${key}.json`), JSON.stringify({ contentType: result.contentType, format: result.format })),
-    Bun.write(join(dir, `${key}.bin`), result.data),
-  ]);
+  const jsonFinal = join(dir, `${key}.json`);
+  const binFinal = join(dir, `${key}.bin`);
+  const jsonTmp = `${jsonFinal}.tmp`;
+  const binTmp = `${binFinal}.tmp`;
+  // Write both temp files, then atomically rename. Readers see either both
+  // files present or neither — never a half-written pair.
+  try {
+    await Promise.all([
+      Bun.write(jsonTmp, JSON.stringify({ contentType: result.contentType, format: result.format })),
+      Bun.write(binTmp, result.data),
+    ]);
+    await Promise.all([rename(jsonTmp, jsonFinal), rename(binTmp, binFinal)]);
+  } catch (err) {
+    // Best-effort cleanup so failed writes don't leak .tmp files indefinitely.
+    await Promise.all([
+      unlink(jsonTmp).catch(() => {}),
+      unlink(binTmp).catch(() => {}),
+    ]);
+    throw err;
+  }
 }

package/src/image/handler.ts

@@ -1,36 +1,51 @@
-import { join, resolve } from "node:path";
+import { join, resolve, sep } from "node:path";
+import { realpath } from "node:fs/promises";
 import type { ImageTransformParams, ImageFormat, ImageFit } from "./types.ts";
-import { QUALITY_DEFAULT, FORMAT_DEFAULT, FIT_DEFAULT, MIME } from "./types.ts";
+import { QUALITY_DEFAULT, FORMAT_DEFAULT, FIT_DEFAULT, MIME, ALLOWED_FITS } from "./types.ts";
 import { transformImage } from "./optimizer.ts";
 import { getFromMemory, setInMemory, getFromDisk, setOnDisk } from "./cache.ts";
 
-const MAX_DIM = 4096;
+const ALLOWED_DIMS = new Set([320, 640, 768, 1024, 1280, 1536, 1920, 3840]);
+const MAX_AREA = 4_000_000;
 const CACHE_CTRL = "public, max-age=31536000, immutable";
 
-function parseParams(
+async function parseParams(
   sp: URLSearchParams,
   publicDir: string,
-): { src: string; filePath: string; params: ImageTransformParams } | null {
+): Promise<{ src: string; filePath: string; params: ImageTransformParams } | null> {
   const src = sp.get("src");
   // src must be a /public/ path with no traversal sequences
   if (!src || !src.startsWith("/public/") || src.includes("..")) return null;
 
   const rel = src.slice("/public/".length);
   const root = resolve(publicDir);
-  const filePath = resolve(join(root, rel));
-  if (!filePath.startsWith(root + "/") && filePath !== root) return null;
+  const candidate = resolve(join(root, rel));
+  if (!candidate.startsWith(root + sep) && candidate !== root) return null;
+  // Re-check after symlink resolution. If the file doesn't exist yet, realpath
+  // throws — fall through and let the existence check below handle it.
+  let filePath = candidate;
+  try {
+    const real = await realpath(candidate);
+    if (!real.startsWith(root + sep) && real !== root) return null;
+    filePath = real;
+  } catch {
+    // missing file: defer to Bun.file(...).exists() below
+  }
 
   const wRaw = sp.get("w");
   const hRaw = sp.get("h");
   const w = wRaw ? parseInt(wRaw, 10) : undefined;
   const h = hRaw ? parseInt(hRaw, 10) : undefined;
-  if (w !== undefined && (isNaN(w) || w < 1 || w > MAX_DIM)) return null;
-  if (h !== undefined && (isNaN(h) || h < 1 || h > MAX_DIM)) return null;
+  if (w !== undefined && (isNaN(w) || !ALLOWED_DIMS.has(w))) return null;
+  if (h !== undefined && (isNaN(h) || !ALLOWED_DIMS.has(h))) return null;
+  if (w !== undefined && h !== undefined && w * h > MAX_AREA) return null;
 
   const q = Math.min(100, Math.max(1, parseInt(sp.get("q") ?? String(QUALITY_DEFAULT), 10)));
   const fmt = (sp.get("format") ?? FORMAT_DEFAULT) as ImageFormat;
-  const fit = (sp.get("fit") ?? FIT_DEFAULT) as ImageFit;
+  const fitRaw = sp.get("fit") ?? FIT_DEFAULT;
   if (!MIME[fmt]) return null;
+  if (!ALLOWED_FITS.has(fitRaw as ImageFit)) return null;
+  const fit = fitRaw as ImageFit;
 
   return { src, filePath, params: { w, h, q, format: fmt, fit } };
 }
@@ -53,7 +68,7 @@ export async function handleImageRequest(
   const url = new URL(request.url);
   if (url.pathname !== "/_image") return null;
 
-  const parsed = parseParams(url.searchParams, publicDir);
+  const parsed = await parseParams(url.searchParams, publicDir);
   if (!parsed) return new Response("Bad Request", { status: 400 });
 
   const { src, filePath, params } = parsed;

package/src/image/optimizer.ts

@@ -1,6 +1,30 @@
 import type { ImageTransformParams, TransformResult, ImageFormat } from "./types.ts";
 import { MIME } from "./types.ts";
 
+// In-process semaphore (DoS guard): cap concurrent ImageMagick spawns so a
+// burst of /_image requests can't fork-bomb the server.
+const MAX_CONCURRENT = 4;
+// Per-spawn timeout (ms). A pathological input must not hold a slot forever;
+// without this, four hung spawns wedge the whole image pipeline.
+const SPAWN_TIMEOUT_MS = 15_000;
+let inFlight = 0;
+const waiters: Array<() => void> = [];
+
+async function acquireSlot(): Promise<void> {
+  if (inFlight < MAX_CONCURRENT) {
+    inFlight++;
+    return;
+  }
+  await new Promise<void>((resolve) => waiters.push(resolve));
+  inFlight++;
+}
+
+function releaseSlot(): void {
+  inFlight--;
+  const next = waiters.shift();
+  if (next) next();
+}
+
 // Probe for an available ImageMagick binary once, then cache the result.
 let _binary: string | null | undefined;
 
@@ -57,20 +81,28 @@ export async function transformImage(
     return { data, contentType: MIME[fmt] ?? "image/jpeg", format: fmt };
   }
 
-  const proc = Bun.spawn(buildArgs(binary, filePath, params), {
-    stdout: "pipe",
-    stderr: "pipe",
-  });
+  await acquireSlot();
+  try {
+    const proc = Bun.spawn(buildArgs(binary, filePath, params), {
+      stdout: "pipe",
+      stderr: "ignore",
+      timeout: SPAWN_TIMEOUT_MS,
+      killSignal: "SIGKILL",
+    });
 
-  const [data, , exitCode] = await Promise.all([
-    new Response(proc.stdout!).arrayBuffer(),
-    new Response(proc.stderr!).arrayBuffer(),
-    proc.exited,
-  ]);
+    const [data, exitCode] = await Promise.all([
+      new Response(proc.stdout!).arrayBuffer(),
+      proc.exited,
+    ]);
 
-  if (exitCode !== 0) {
-    throw new Error(`[bractjs] ImageMagick exited ${exitCode} for ${filePath}`);
-  }
+    if (exitCode !== 0) {
+      // Non-zero exit covers normal failures AND timeout-induced SIGKILL,
+      // since Bun reports the signal as a non-zero exit code.
+      throw new Error(`[bractjs] ImageMagick exited ${exitCode} for ${filePath}`);
+    }
 
-  return { data, contentType: MIME[params.format], format: params.format };
+    return { data, contentType: MIME[params.format], format: params.format };
+  } finally {
+    releaseSlot();
+  }
 }

package/src/image/types.ts

@@ -25,3 +25,4 @@ export const MIME: Record<ImageFormat, string> = {
   jpeg: "image/jpeg",
   png:  "image/png",
 };
+export const ALLOWED_FITS: ReadonlySet<ImageFit> = new Set(["cover", "contain", "fill"]);

package/src/middleware/cors.ts

@@ -3,25 +3,39 @@ import type { MiddlewareFn } from "../server/middleware.ts";
 export interface CorsOptions {
   origin: string | string[];
   methods?: string[];
+  credentials?: boolean;
 }
 
 /**
  * Sets CORS headers. Handles OPTIONS preflight with 204.
+ *
+ * Never reflects the Origin header when "*" is configured — emits literal "*".
+ * Refuses to combine credentials:true with "*" (browsers reject it anyway).
+ * Always sets `Vary: Origin` so caches don't serve a cross-origin response to
+ * the wrong site.
  */
 export function cors(options: CorsOptions): MiddlewareFn {
-  const allowedOrigins = Array.isArray(options.origin)
-    ? options.origin
-    : [options.origin];
+  const allowedOrigins = Array.isArray(options.origin) ? options.origin : [options.origin];
   const allowedMethods = options.methods?.join(", ") ?? "GET, POST, PUT, DELETE, PATCH, OPTIONS";
+  const wildcard = allowedOrigins.includes("*");
+  const credentials = options.credentials === true;
+  if (wildcard && credentials) {
+    throw new Error("cors: credentials=true cannot be combined with origin='*'");
+  }
 
   return async (ctx, next) => {
     const origin = ctx.request.headers.get("Origin") ?? "";
-    const allowed = allowedOrigins.includes("*") || allowedOrigins.includes(origin);
     const corsHeaders: Record<string, string> = {
       "Access-Control-Allow-Methods": allowedMethods,
       "Access-Control-Allow-Headers": "Content-Type, Authorization",
+      "Vary": "Origin",
     };
-    if (allowed) corsHeaders["Access-Control-Allow-Origin"] = origin || "*";
+    if (wildcard) {
+      corsHeaders["Access-Control-Allow-Origin"] = "*";
+    } else if (origin && allowedOrigins.includes(origin)) {
+      corsHeaders["Access-Control-Allow-Origin"] = origin;
+    }
+    if (credentials) corsHeaders["Access-Control-Allow-Credentials"] = "true";
 
     // Preflight
     if (ctx.request.method === "OPTIONS") {
@@ -29,8 +43,10 @@ export function cors(options: CorsOptions): MiddlewareFn {
     }
 
     const response = await next();
-    const patched = new Response(response.body, response);
-    for (const [k, v] of Object.entries(corsHeaders)) patched.headers.set(k, v);
-    return patched;
+    // Mutate headers in place rather than wrapping body. Wrapping with
+    // `new Response(response.body, response)` makes the original Response
+    // unusable to anyone holding a reference (single-shot stream).
+    for (const [k, v] of Object.entries(corsHeaders)) response.headers.set(k, v);
+    return response;
   };
 }

package/src/server/action-handler.ts

@@ -1,10 +1,25 @@
 import { resolveAction } from "./action-registry.ts";
 import { json } from "./response.ts";
+import { isAllowedMutation } from "./csrf.ts";
+
+const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+// Cap action JSON bodies. Anything over this looks like an abuse attempt;
+// FormData uploads (large files) take the multipart branch and bypass this.
+const MAX_JSON_BODY_BYTES = 1_048_576; // 1 MiB
+
+function hasForbiddenKey(value: unknown): boolean {
+  if (!value || typeof value !== "object") return false;
+  for (const key of Object.keys(value as Record<string, unknown>)) {
+    if (FORBIDDEN_KEYS.has(key)) return true;
+  }
+  return false;
+}
 
 export async function handleActionRequest(request: Request): Promise<Response | null> {
   const url = new URL(request.url);
   if (!url.pathname.startsWith("/_action")) return null;
   if (request.method !== "POST") return new Response("Method Not Allowed", { status: 405 });
+  if (!isAllowedMutation(request)) return new Response("Forbidden", { status: 403 });
 
   const id = url.searchParams.get("id");
   if (!id) return new Response("Bad Request: missing action id", { status: 400 });
@@ -18,8 +33,32 @@ export async function handleActionRequest(request: Request): Promise<Response |
     if (ct.includes("multipart/form-data") || ct.includes("application/x-www-form-urlencoded")) {
       args = [await request.formData()];
     } else {
+      // Cheap pre-check: trust Content-Length if the client sent one.
+      const clRaw = request.headers.get("Content-Length");
+      if (clRaw) {
+        const cl = Number(clRaw);
+        if (Number.isFinite(cl) && cl > MAX_JSON_BODY_BYTES) {
+          return new Response("Payload Too Large", { status: 413 });
+        }
+      }
       const text = await request.text();
-      args = text ? JSON.parse(text) as unknown[] : [];
+      // Defense in depth: clients can lie about Content-Length, so verify the
+      // actual decoded text length too.
+      if (text.length > MAX_JSON_BODY_BYTES) {
+        return new Response("Payload Too Large", { status: 413 });
+      }
+      if (!text) {
+        args = [];
+      } else {
+        const parsed: unknown = JSON.parse(text);
+        if (!Array.isArray(parsed)) {
+          return new Response("Bad Request: args must be array", { status: 400 });
+        }
+        if (parsed.some(hasForbiddenKey)) {
+          return new Response("Bad Request: forbidden keys", { status: 400 });
+        }
+        args = parsed;
+      }
     }
   } catch {
     return new Response("Bad Request: invalid body", { status: 400 });

package/src/server/action-registry.ts

@@ -1,6 +1,9 @@
 import { join } from "node:path";
 
-const SERVER_RE = /^["']use server["']/m;
+// Anchored at start-of-file. Allow whitespace and line/block comments before
+// the "use server" string literal. This prevents false matches from a "use
+// server" found inside template literals or runtime strings.
+const SERVER_RE = /^(?:\s|\/\/[^\n]*\n|\/\*[\s\S]*?\*\/)*["']use server["']/;
 const registry = new Map<string, (...args: unknown[]) => Promise<unknown>>();
 
 async function computeId(filePath: string, name: string): Promise<string> {
@@ -16,9 +19,19 @@ export function resolveAction(id: string): ((...args: unknown[]) => Promise<unkn
   return registry.get(id) ?? null;
 }
 
+function isEligible(rel: string): boolean {
+  return (
+    rel.endsWith(".server.ts") ||
+    rel.endsWith(".server.tsx") ||
+    rel.startsWith("routes/") ||
+    rel.startsWith("routes\\")
+  );
+}
+
 export async function loadServerActions(appDir: string): Promise<void> {
   const glob = new Bun.Glob("**/*.{ts,tsx}");
   for await (const rel of glob.scan(appDir)) {
+    if (!isEligible(rel)) continue;
     const filePath = join(appDir, rel);
     let src: string;
     try { src = await Bun.file(filePath).text(); } catch { continue; }

package/src/server/csrf.ts

@@ -0,0 +1,16 @@
+/**
+ * Cross-origin POST/PUT/DELETE/PATCH protection.
+ * Allow when: request carries X-BractJS-Action header (client-issued, blocked
+ * cross-origin by CORS for non-simple requests), OR the Origin header matches
+ * the request URL's origin.
+ */
+export function isAllowedMutation(request: Request): boolean {
+  if (request.headers.get("X-BractJS-Action")) return true;
+  const origin = request.headers.get("Origin");
+  if (!origin) return false;
+  try {
+    return new URL(origin).origin === new URL(request.url).origin;
+  } catch {
+    return false;
+  }
+}

package/src/server/env.ts

@@ -10,6 +10,11 @@ export function requireEnv(key: string): string {
   return value;
 }
 
+// Build LS/PS at runtime so the source contains no raw U+2028/U+2029
+// (which would break JS parsing as LineTerminators).
+const LS = String.fromCharCode(0x2028);
+const PS = String.fromCharCode(0x2029);
+
 export function safeStringify(data: unknown): string {
   const seen = new WeakSet();
   const json = JSON.stringify(data, (_key, value) => {
@@ -19,11 +24,12 @@ export function safeStringify(data: unknown): string {
     }
     return value;
   });
-  // Escape HTML-sensitive characters so this JSON is safe to embed inside a
-  // <script> tag.  \u003c / \u003e / \u0026 are valid JSON unicode escapes —
-  // JSON.parse on the client decodes them transparently.
+  // Escape HTML-sensitive chars + JS LineTerminators (U+2028 / U+2029) so this
+  // JSON is safe to embed inside a <script> tag.
   return json
     .replace(/</g, "\\u003c")
     .replace(/>/g, "\\u003e")
-    .replace(/&/g, "\\u0026");
+    .replace(/&/g, "\\u0026")
+    .replaceAll(LS, "\\u2028")
+    .replaceAll(PS, "\\u2029");
 }

package/src/server/middleware.ts

@@ -30,16 +30,20 @@ export class MiddlewarePipeline {
     ctx: MiddlewareContext,
     handler: () => Promise<Response>,
   ): Promise<Response> {
-    let index = 0;
     const fns = this.fns;
-
-    const dispatch = (): Promise<Response> => {
-      if (index >= fns.length) return handler();
-      const fn = fns[index++];
-      return fn(ctx, dispatch);
+    let lastCalled = -1;
+
+    const dispatch = (i: number): Promise<Response> => {
+      if (i <= lastCalled) {
+        return Promise.reject(new Error("middleware: next() called more than once"));
+      }
+      lastCalled = i;
+      if (i >= fns.length) return handler();
+      const fn = fns[i];
+      return fn(ctx, () => dispatch(i + 1));
     };
 
-    return dispatch();
+    return dispatch(0);
   }
 }
 

package/src/server/render.ts

@@ -35,12 +35,14 @@ export async function renderRoute(options: RenderOptions): Promise<Response> {
     status = 200,
   } = options;
 
-  const devOverlay = isDev() ? errorOverlayScript + "\n" : "";
-  const metaHtml = renderMetaTags(mergeMeta(options.meta ?? []));
-  // Include manifest + routeFile so the client can pre-import the route module
-  // before hydrateRoot(), preventing the SSR/client tree mismatch.
+  const devFlag = isDev() ? "window.__BRACT_DEV__=true;" : "";
+  const devOverlay = isDev() ? devFlag + errorOverlayScript + "\n" : "";
+  const mergedMeta = mergeMeta(options.meta ?? []);
+  // metaHtml is injected into <head> via React (the renderToReadableStream tree
+  // is expected to use it). The merged descriptor array is what the client
+  // reads — keep it shaped, not stringified HTML.
   const bootstrapScriptContent =
-    devOverlay + `window.__BRACTJS_DATA__=${safeStringify({ loaderData, actionData, params, pathname, manifest, routeFile: options.routeFile, meta: metaHtml })};`;
+    devOverlay + `window.__BRACTJS_DATA__=${safeStringify({ loaderData, actionData, params, pathname, manifest, routeFile: options.routeFile, meta: mergedMeta })};`;
 
   let renderError: unknown;
 

package/src/server/request-handler.ts

@@ -1,4 +1,3 @@
-import { join } from "node:path";
 import { createElement } from "react";
 import type { TrieNode } from "./matcher.ts";
 import { matchRoute } from "./matcher.ts";
@@ -7,9 +6,11 @@ import { runLoaders, runAction, buildLoaderArgs } from "./loader.ts";
 import { renderRoute, type ServerManifest } from "./render.ts";
 import { resolveMeta } from "./meta.ts";
 import { json, error } from "./response.ts";
-import { isRedirect } from "../shared/errors.ts";
+import { isRedirect, isHttpError } from "../shared/errors.ts";
+import { isDev } from "./env.ts";
 import { pipeline, type MiddlewareContext } from "./middleware.ts";
 import { BractJSProvider } from "../shared/context.ts";
+import { isAllowedMutation } from "./csrf.ts";
 
 export interface HandlerConfig {
   appDir: string;
@@ -39,17 +40,10 @@ async function route(
   config: HandlerConfig,
   context: Record<string, unknown>,
 ): Promise<Response> {
-  const { appDir, publicDir, manifest } = config;
+  const { appDir, manifest } = config;
   const url = new URL(request.url);
   const { pathname, searchParams } = url;
 
-  // ── Static public assets ──────────────────────────────────────────────
-  if (pathname.startsWith("/public/")) {
-    const file = Bun.file(join(publicDir, pathname.slice("/public/".length)));
-    if (await file.exists()) return new Response(file);
-    return error("Not Found", 404);
-  }
-
   // ── /_data soft-nav JSON endpoint ─────────────────────────────────────
   if (pathname.startsWith("/_data")) {
     const targetPath = searchParams.get("path") ?? "/";
@@ -77,12 +71,17 @@ async function route(
   // ── Action (mutating methods) ─────────────────────────────────────────
   let actionData: unknown = null;
   if (MUTATING_METHODS.has(request.method)) {
+    if (!isAllowedMutation(request)) return error("Forbidden", 403);
     try {
-      const formData = await request.formData();
+      const ct = request.headers.get("Content-Type") ?? "";
+      const isFormLike = ct.includes("multipart/form-data") || ct.includes("application/x-www-form-urlencoded");
+      const formData = isFormLike ? await request.formData() : new FormData();
       actionData = await runAction(chain.route, { ...args, formData });
     } catch (err) {
       if (isRedirect(err)) return err as Response;
-      throw err;
+      if (isHttpError(err)) return error(err.message, err.status);
+      if (isDev()) return error(err instanceof Error ? err.message : String(err), 500);
+      return error("Internal Server Error", 500);
     }
 
     // Client-side Form submits with this header — return JSON, not HTML.
@@ -97,7 +96,9 @@ async function route(
     loaderResults = await runLoaders(chain, args);
   } catch (err) {
     if (isRedirect(err)) return err as Response;
-    throw err;
+    if (isHttpError(err)) return error(err.message, err.status);
+    if (isDev()) return error(err instanceof Error ? err.message : String(err), 500);
+    return error("Internal Server Error", 500);
   }
 
   const loaderData = {

package/src/server/response.ts

@@ -1,8 +1,32 @@
-export function redirect(url: string, status: number = 302): Response {
-  return new Response(null, {
-    status,
-    headers: { Location: url },
-  });
+export interface RedirectOptions {
+  /** Allow absolute URLs to other origins. Default false. */
+  allowExternal?: boolean;
+}
+
+function isSafeInternalRedirect(url: string): boolean {
+  // Must be path-only: single leading "/" not followed by "/" or "\".
+  // Rejects: "//evil.com", "/\\evil.com", "https://...", "javascript:...", "".
+  if (url.length === 0) return false;
+  if (url[0] !== "/") return false;
+  if (url[1] === "/" || url[1] === "\\") return false;
+  return true;
+}
+
+export function redirect(
+  url: string,
+  status: number = 302,
+  headers?: HeadersInit,
+  options?: RedirectOptions,
+): Response {
+  if (!options?.allowExternal && !isSafeInternalRedirect(url)) {
+    throw new Error(
+      `[bractjs] redirect: unsafe Location "${url}". ` +
+        `Pass { allowExternal: true } to redirect off-origin.`,
+    );
+  }
+  const h = new Headers(headers);
+  h.set("Location", url);
+  return new Response(null, { status, headers: h });
 }
 
 export function json<T>(data: T, init?: ResponseInit): Response {

package/src/server/scanner.ts

@@ -1,3 +1,5 @@
+import { basename } from "node:path";
+
 // ── Types ──────────────────────────────────────────────────────────────────
 
 export type Segment = string | { param: string } | { catchAll: string };
@@ -54,8 +56,10 @@ export async function scanRoutes(appDir: string): Promise<RouteFile[]> {
   const routes: RouteFile[] = [];
 
   for await (const filePath of glob.scan(appDir)) {
-    // Skip layout files — handled separately
-    if (filePath.endsWith("/layout.tsx") || filePath.endsWith("/layout.ts")) {
+    // Skip layout files — handled separately. Use basename so this also
+    // skips top-level "routes/layout.tsx" on any OS.
+    const base = basename(filePath);
+    if (base === "layout.tsx" || base === "layout.ts") {
       continue;
     }
 

package/src/server/session.ts

@@ -52,15 +52,20 @@ async function sign(data: string, secret: string): Promise<string> {
 }
 
 async function verify(data: string, sig: string, secrets: string[]): Promise<boolean> {
+  // Iterate ALL secrets without short-circuit, and do full-length constant-time
+  // compare against every candidate to avoid leaking which secret matched (or
+  // whether a length mismatch occurred) via timing.
+  let ok = false;
   for (const secret of secrets) {
     const expected = await sign(data, secret);
-    if (expected.length === sig.length) {
-      let diff = 0;
-      for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ sig.charCodeAt(i);
-      if (diff === 0) return true;
+    const len = Math.max(expected.length, sig.length);
+    let diff = expected.length ^ sig.length;
+    for (let i = 0; i < len; i++) {
+      diff |= (expected.charCodeAt(i) || 0) ^ (sig.charCodeAt(i) || 0);
     }
+    if (diff === 0) ok = true;
   }
-  return false;
+  return ok;
 }
 
 function makeSession(data: SessionData): InternalSession {
@@ -77,6 +82,12 @@ function makeSession(data: SessionData): InternalSession {
 
 export function createCookieSession(options: CookieSessionOptions): SessionStorage {
   const { name, secrets, maxAge, secure = true, sameSite = "Lax" } = options;
+  if (!Array.isArray(secrets) || secrets.length === 0) {
+    throw new Error("createCookieSession: secrets must be a non-empty array");
+  }
+  if (!secrets.every((s) => typeof s === "string" && s.length >= 16)) {
+    throw new Error("createCookieSession: each secret must be a string of length >= 16");
+  }
 
   return {
     async getSession(cookie?: string | null): Promise<Session> {