@bractjs/bractjs 0.1.28 → 0.1.29

package/README.md

@@ -1,1331 +0,0 @@
-# BractJS
-
-[![npm version](https://img.shields.io/npm/v/@bractjs/bractjs)](https://www.npmjs.com/package/@bractjs/bractjs)
-[![license](https://img.shields.io/npm/l/@bractjs/bractjs)](LICENSE)
-
-> Production-grade SSR framework for **Bun + React 19**.
-> File-based routing · Parallel loaders · Streaming SSR · Built-in HMR · Server Actions · Typed routes · Single-binary deploy.
-
-## Requirements
-
-- [Bun](https://bun.sh) ≥ 1.1 — no Node.js support
-- React 19 (peer dependency)
-
-This README is a **step-by-step guide to every function and feature** BractJS exports. Each section is self-contained and ordered from "first app" to "advanced". Every symbol shown here is a real export from `@bractjs/bractjs` (see [src/index.ts](src/index.ts)).
-
----
-
-## Table of Contents
-
-1. [Install & create an app](#1-install--create-an-app)
-2. [Project structure](#2-project-structure)
-3. [The root layout (`app/root.tsx`)](#3-the-root-layout-approotsx)
-4. [File-based routing](#4-file-based-routing)
-5. [Route module API: `loader`, `action`, `meta`, `beforeLoad`, `ErrorBoundary`, `default`](#5-route-module-api)
-6. [Response helpers: `json`, `redirect`, `error`, `HttpError`](#6-response-helpers)
-7. [Per-route context: `defineContext`](#7-per-route-context-definecontext)
-8. [Streaming data: `defer`, `Deferred`, `isDeferred`, `<Await>`](#8-streaming-data)
-9. [Client hooks](#9-client-hooks)
-10. [Client components: `<Outlet>`, `<Link>`, `<Form>`, `<Scripts>`, `<LiveReload>`, `<Image>`](#10-client-components)
-11. [Server Actions (`"use server"`) & client-only (`"use client"`)](#11-server-actions--client-components)
-12. [Typed API routes: `route` + `createClient`](#12-typed-api-routes)
-13. [Input validation: `validate`](#13-input-validation-validate)
-14. [Middleware: `pipeline`, `requestLogger`, `cors`, `authGuard`, `csp`](#14-middleware)
-15. [Sessions: `createCookieSession`](#15-sessions)
-16. [Lifecycle hooks: `defineLifecycle`](#16-lifecycle-hooks)
-17. [Environment variables & `*.server.ts`](#17-environment-variables)
-18. [Typed routes](#18-typed-routes)
-19. [Internationalization (i18n) utilities](#19-internationalization-utilities)
-20. [Image optimization (`<Image>` + `/_image`)](#20-image-optimization)
-21. [Build & run: CLI + programmatic API (`createDevServer`, `runBuild`, `loadUserConfig`)](#21-build--run)
-22. [Single-binary deployment (`bun build --compile`)](#22-single-binary-deployment)
-23. [Custom adapters (`BunAdapter`, Cloudflare)](#23-custom-adapters)
-24. [Build plugins (for custom `Bun.build`)](#24-build-plugins)
-25. [Configuration reference](#25-configuration-reference)
-26. [Full export index](#26-full-export-index)
-
----
-
-## 1. Install & create an app
-
-BractJS requires [Bun](https://bun.sh). There is no Node.js runtime path.
-
-```sh
-# Scaffold a new app
-bunx bractjs new my-app
-cd my-app
-
-# Start the dev server (HMR on http://localhost:3000)
-bun run dev
-```
-
-`bractjs new <name>` copies the scaffold template, runs `bun install`, and seeds `app/_generated/` so the single-binary entry typechecks before your first build.
-
-Add it to an existing project instead:
-
-```sh
-bun add @bractjs/bractjs react react-dom
-```
-
-`react` and `react-dom` v19 are **peer dependencies** — BractJS ships zero other runtime deps.
-
----
-
-## 2. Project structure
-
-```
-my-app/
-├── app/
-│   ├── root.tsx              # required — the <html> document shell
-│   ├── server.ts             # single-binary entry (bun build --compile)
-│   ├── lifecycle.ts          # optional — onStart / onShutdown / onError
-│   ├── route-types.gen.ts    # generated by `bractjs codegen`
-│   ├── _generated/           # generated by `bractjs codegen:registry` / `:manifest`
-│   ├── actions.ts            # "use server" actions (optional)
-│   └── routes/
-│       ├── _index.tsx        # → /
-│       ├── about.tsx         # → /about
-│       ├── blog/
-│       │   ├── layout.tsx    # wraps /blog/*
-│       │   ├── _index.tsx    # → /blog
-│       │   └── [id].tsx      # → /blog/:id
-│       └── docs/
-│           └── [...slug].tsx # → /docs/*  (catch-all)
-├── public/                   # static assets, served at /public/*
-├── bractjs.config.ts         # optional config (see §25)
-└── build/                    # generated — do not edit
-```
-
-Defaults: `appDir="./app"`, `publicDir="./public"`, `buildDir="./build"`, `port=3000`. All overridable (§25).
-
----
-
-## 3. The root layout (`app/root.tsx`)
-
-**Required.** It provides the `<html>` document shell and is always rendered. Use the `<Outlet>`, `<Scripts>`, and `<LiveReload>` components from the package.
-
-```tsx
-// app/root.tsx
-import { Outlet, Scripts, LiveReload } from "@bractjs/bractjs";
-
-export function meta() {
-  return [
-    { title: "My App" },
-    { name: "viewport", content: "width=device-width, initial-scale=1" },
-  ];
-}
-
-export default function Root() {
-  return (
-    <html lang="en">
-      <head>
-        <meta charSet="utf-8" />
-        {/* BractJS hoists <title>/<meta> from every route's meta() into <head> */}
-      </head>
-      <body>
-        <Outlet />     {/* renders the matched route tree */}
-        <Scripts />    {/* injects the client bundle + bootstrap data */}
-        <LiveReload /> {/* dev-only HMR client; no-op in production */}
-      </body>
-    </html>
-  );
-}
-```
-
-**Step by step:**
-
-1. `export default function Root()` returns the full `<html>` document.
-2. Put `<Outlet />` where the page content should render.
-3. Put `<Scripts />` at the end of `<body>` — it's a marker the SSR pipeline replaces with the hashed client entry + `window.__BRACTJS_DATA__`.
-4. `<LiveReload />` renders an HMR client script in dev and `null` in production.
-5. Optionally `export function meta()` for site-wide defaults (route `meta()` overrides per descriptor).
-
-> `<title>`/`<meta>` tags from any route's `meta()` are rendered into `<head>` via React 19 document-metadata hoisting — you do not place them manually.
-
----
-
-## 4. File-based routing
-
-Drop a file in `app/routes/`; it becomes a route. BractJS scans at startup and builds a trie.
-
-| File | URL |
-|------|-----|
-| `routes/_index.tsx` | `/` |
-| `routes/about.tsx` | `/about` |
-| `routes/blog/_index.tsx` | `/blog` |
-| `routes/blog/[id].tsx` | `/blog/:id` |
-| `routes/docs/[...slug].tsx` | `/docs/*` (catch-all) |
-| `routes/blog/layout.tsx` | wraps all `/blog/*` routes |
-
-- `[param]` → a dynamic segment, read via `useParams()` / `params` arg.
-- `[...name]` → a catch-all; the rest of the path lands in `params.name`.
-- `layout.tsx` in any directory wraps every route under it (layouts nest: `root → blog/layout → blog/[id]`).
-- Match priority per segment: **static > dynamic > catch-all**.
-
-No registration step — the file IS the route.
-
----
-
-## 5. Route module API
-
-Every file in `app/routes/` (and `root.tsx`/`layout.tsx`) may export any combination of these. Import the arg types from the package.
-
-```tsx
-import type { LoaderArgs, ActionArgs, MetaArgs } from "@bractjs/bractjs";
-import { redirect, json, HttpError } from "@bractjs/bractjs";
-
-// 1) loader — runs on every GET. Return value → useLoaderData().
-//    `search` is the validated output of searchSchema (below), or the raw
-//    string record when the route has no schema.
-export async function loader({ request, params, context, search }: LoaderArgs) {
-  const post = await db.post.findById(params.id);
-  if (!post) throw new HttpError(404, "Not found"); // → 404 page
-  return { post };
-}
-export type LoaderData = Awaited<ReturnType<typeof loader>>;
-
-// 2) action — runs on POST / PUT / DELETE / PATCH. For one route handling
-//    several buttons, compose it from `defineActions` (§5a) instead of a
-//    hand-rolled `intent` switch.
-export async function action({ request, params, context, formData }: ActionArgs) {
-  await db.post.update(params.id, { title: formData.get("title") as string });
-  return redirect("/blog");
-}
-
-// 3) meta — SSR <title> / <meta>. Receives this route's loaderData slice.
-export function meta({ loaderData, params }: MetaArgs<LoaderData>) {
-  return [
-    { title: loaderData.post.title },
-    { name: "description", content: loaderData.post.excerpt },
-    { property: "og:title", content: loaderData.post.title },
-  ];
-}
-
-// 4) beforeLoad — auth/redirect gate. Runs BEFORE loaders, on full-page GET
-//    AND the /_data soft-nav endpoint. Return a Response to short-circuit.
-export function beforeLoad({ context, params, location }) {
-  if (!context.user) {
-    return redirect(`/login?next=${encodeURIComponent(location.pathname)}`);
-  }
-}
-
-// 5) ErrorBoundary — renders when this segment's loader/component throws.
-export function ErrorBoundary({ error }: { error: unknown }) {
-  return <p>Something broke: {error instanceof Error ? error.message : String(error)}</p>;
-}
-
-// 6) searchSchema — validate/coerce search params BEFORE loaders run (Zod,
-//    Valibot, or anything with parse/safeParse). Failure → 400; use
-//    .catch()/.default() per field for URLs that must tolerate junk.
-//    Loaders receive the OUTPUT via `search`; the client reads it with
-//    useSearch() — numbers stay numbers. (Typed end-to-end after codegen, §18.)
-export const searchSchema = z.object({
-  page: z.coerce.number().int().positive().catch(1),
-  q: z.string().optional(),
-});
-
-// 7) shouldRevalidate — veto automatic data refetches (the SWR background
-//    refetch, and the revalidation after <Form>/fetcher mutations).
-export function shouldRevalidate({ currentUrl, nextUrl, formMethod, defaultShouldRevalidate }) {
-  if (formMethod === "DELETE") return true;     // always refetch after deletes
-  return defaultShouldRevalidate;
-}
-
-// 8) ssr + Fallback — selective SSR (see also §21 for app-wide SPA mode):
-//    true (default)  full document SSR
-//    "data-only"     loaders run on the server; component renders client-only
-//    false           loader + component skipped during document SSR; the
-//                    client fetches /_data after hydration.
-//    beforeLoad ALWAYS runs on the server — ssr:false is not an auth bypass.
-export const ssr = "data-only";
-export function Fallback() {
-  return <p>Loading dashboard…</p>;             // SSR'd in the component's place
-}
-
-// 9) default — the page component (required for a renderable route).
-export default function BlogPost() {
-  const { post } = useLoaderData<LoaderData>();
-  return <article><h1>{post.title}</h1></article>;
-}
-```
-
-**Execution order for a request:**
-
-```
-searchSchema → beforeLoad → (action, if mutating method) → loaders (root + layouts + route, in parallel) → render
-```
-
-- **Loaders run concurrently** (root, every layout, and the route loader all in one `Promise.all`).
-- A loader that throws an `HttpError`/redirect `Response` is intentional control flow. Any *other* thrown error is caught, sanitized (generic message in production, full message+stack only when `NODE_ENV=development`), and rendered via the nearest `ErrorBoundary`.
-
-> **Security:** put auth checks in `beforeLoad` (per route) or middleware (cross-cutting) — never in a component. `/_data` (used by `<Link>` soft-nav) runs `beforeLoad` and the loader, so a component-only check would still leak loader JSON. See §14.
-
-### Less boilerplate
-
-**Infer loader data — `useLoaderData<typeof loader>()`.** Pass the loader function type and the data type is inferred from its return (no `LoaderData` alias to maintain). The `Response` redirect branch is excluded; `Deferred` fields (from `defer()`, §8) are preserved for `<Await>`. Same for `useActionData<typeof action>()`.
-```tsx
-export async function loader() { return { post: await db.post.find() }; }
-export default function Post() {
-  const { post } = useLoaderData<typeof loader>();   // typed — no hand-written type
-}
-```
-
-**Type search params on the args — `LoaderArgs<T>`.** Parameterize to drop the cast (the schema's output type):
-```tsx
-export async function loader({ search }: LoaderArgs<{ page: number }>) {
-  return db.posts({ page: search.page });            // search.page is a number
-}
-// After codegen (§18), `LoaderArgsFor<"/posts">` types params + context + search from the route.
-```
-
-### `defineActions` — multi-button forms without an `intent` switch
-
-A route action that handles several buttons usually devolves into `if (intent === …)`. `defineActions` composes it from one handler per intent, and `<Form intent="…">` (§10) renders the matching hidden input. An unknown/missing intent returns a 400 automatically (dev lists the known intents).
-```tsx
-import { defineActions, safeValidate, formText } from "@bractjs/bractjs";
-
-export const action = defineActions({
-  add:    async ({ formData }) => {
-    const r = await safeValidate(TitleSchema, formData);   // §13
-    if (!r.ok) return { error: r.firstError };
-    addTodo(r.data.title); return {};
-  },
-  toggle: ({ formData }) => { toggleTodo(formText(formData, "id")); return {}; },
-  delete: ({ formData }) => { deleteTodo(formText(formData, "id")); return {}; },
-});
-```
-```tsx
-<Form method="post" intent="toggle"><input type="hidden" name="id" value={id} /><button>Toggle</button></Form>
-```
-
----
-
-## 6. Response helpers
-
-Imported from `@bractjs/bractjs`.
-
-```ts
-import { json, redirect, error, HttpError, isRedirect, isHttpError } from "@bractjs/bractjs";
-```
-
-### `json(data, init?)`
-Serialize a value as `application/json`.
-```ts
-return json({ ok: true }, { status: 201 });
-```
-
-### `redirect(url, status?, headers?, options?)`
-Throw or return a redirect. **Open-redirect safe by default** — rejects `//evil.com`, `/\evil`, `https://…`, `javascript:` unless you pass `{ allowExternal: true }`.
-```ts
-return redirect("/dashboard");                                   // 302
-return redirect("/login", 303);                                  // custom status
-return redirect("/x", 302, { "Set-Cookie": cookie });            // with headers
-return redirect("https://other.com", 302, undefined, { allowExternal: true });
-```
-
-### `error(message, status?)`
-Convenience JSON error: `{ "error": message }` with the given status (default 500).
-```ts
-return error("Bad Request", 400);
-```
-
-### `HttpError` & `BractJSError`
-Throw a typed HTTP error from a loader/action. The framework converts it to a response with that status (and a default status text if you omit the message).
-```ts
-throw new HttpError(403);                 // → 403 Forbidden
-throw new HttpError(404, "No such post"); // → 404 with custom message
-```
-`isRedirect(value)` / `isHttpError(value)` / `isBractJSError(value)` are type guards if you handle errors manually.
-
----
-
-## 7. Per-route context: `defineContext`
-
-A route can compute request-scoped data once and share it with all its loaders/actions via the `context` argument. Middleware can also populate `context` (§14) — `defineContext` is the per-route version.
-
-```ts
-// app/routes/dashboard.tsx
-import { defineContext } from "@bractjs/bractjs";
-import { getUser } from "../auth.server.ts";
-
-export const context = defineContext(async ({ request, params }) => ({
-  user: await getUser(request),
-}));
-
-export function beforeLoad({ context }) {
-  if (!context.user) return redirect("/login");
-}
-
-export async function loader({ context }) {
-  return { name: context.user.name };
-}
-```
-
-The factory runs before `beforeLoad` and its result is merged into `context` for `beforeLoad`, `loader`, and `action` on that route.
-
----
-
-## 8. Streaming data
-
-Stream slow data without blocking the initial HTML.
-
-```ts
-import { defer, Deferred, isDeferred } from "@bractjs/bractjs";
-import { Await } from "@bractjs/bractjs";
-import { Suspense } from "react";
-```
-
-### `defer(data)`
-Wraps each `Promise` field in a `Deferred`; non-promise fields pass through. Awaited fields are in the initial HTML; promises stream after.
-
-```tsx
-export async function loader({ params }: LoaderArgs) {
-  return defer({
-    post: await db.post.findById(params.id),  // awaited → initial HTML
-    comments: db.comments.forPost(params.id), // Promise → streamed
-  });
-}
-
-export default function BlogPost() {
-  // useLoaderData<typeof loader>() infers the shape — `comments` stays a
-  // Deferred<Comment[]>, which <Await> accepts directly.
-  const { post, comments } = useLoaderData<typeof loader>();
-  return (
-    <article>
-      <h1>{post.title}</h1>
-      <Await resolve={comments} fallback={<p>Loading comments…</p>}>
-        {(c) => <CommentList comments={c} />}
-      </Await>
-    </article>
-  );
-}
-```
-
-### `<Await resolve={promise | Deferred} fallback={…}>{(data) => …}</Await>`
-Unwraps a promise (or a `Deferred` field from a `defer()` loader) with React 19's `use()` inside its own `<Suspense>`. `isDeferred(value)` and the `Deferred` class are exported if you need to detect/construct deferred values manually.
-
----
-
-## 9. Client hooks
-
-All hooks are SSR-safe (they return sensible values during SSR) and imported from `@bractjs/bractjs`.
-
-### `useLoaderData<T>()` → `T`
-The current route's loader return value. **Pass the loader function type** to infer it (`Response` branch excluded, `Deferred` fields preserved) — no hand-written type to keep in sync. An explicit object type still works.
-```ts
-const { post } = useLoaderData<typeof loader>();   // inferred from loader()
-const { post } = useLoaderData<LoaderData>();       // or an explicit type
-```
-
-### `useActionData<T>()` → `T | null`
-The most recent action return value (null until an action runs). Like `useLoaderData`, accepts the action function type.
-```ts
-const result = useActionData<typeof action>();
-```
-
-### `useParams<T>()` → `T`
-URL dynamic params. Pass the **route pattern** as a generic to type the result against your codegen'd routes (see §18); an object shape also works.
-```ts
-const { id } = useParams<"/blog/:id">();        // { id: string } — typed from routes
-const { id } = useParams<{ id: string }>();     // or a hand-written shape
-```
-> The pattern is supplied by the caller because the framework can't infer the active route at the type level (React Router's `useParams` works the same way).
-
-### `useLocation()` → `{ pathname, search, hash, state, key }`
-The current location — reactive on the client, request-derived during SSR (`hash` is always `""` there). `key` is the history entry's identity (what scroll restoration uses); `state` is whatever you passed via `navigate(to, { state })`.
-```ts
-const location = useLocation();
-const isActive = location.pathname.startsWith("/blog");
-```
-
-### `useNavigation()` → `{ state }`
-`"idle" | "loading" | "submitting"`. Form/`submit()` mutations walk `"submitting"` → `"loading"` (revalidation) → `"idle"`.
-```ts
-const { state } = useNavigation();
-if (state === "loading") return <Spinner />;
-```
-
-### `useNavigate()` → `(to, { params?, search?, replace?, state? }) => Promise<void>`
-Imperative soft navigation — the counterpart to `<Link>`. `to` autocompletes your routes (after codegen, §18); `params` and `search` are typed per route; any string is still accepted.
-```ts
-const navigate = useNavigate();
-await navigate("/blog/:id", { params: { id: "42" } });     // typed
-await navigate("/posts", { search: { page: 2 } });          // typed search → /posts?page=2
-await navigate("/login", { replace: true });                // replaceState, no history entry
-await navigate("/wizard/2", { state: { from: "step1" } });  // read via useLocation().state
-```
-
-### `useRevalidator()` → `{ revalidate, state }`
-Manually re-run the current route's loaders — for "Refresh" buttons, polling, or after out-of-band changes (e.g. a WebSocket event). Respects the route's `shouldRevalidate`. `state` is `"idle" | "loading"` and tracks only revalidation (navigations are `useNavigation()`).
-```ts
-const { revalidate, state } = useRevalidator();
-<button onClick={() => void revalidate()} disabled={state === "loading"}>Refresh</button>
-```
-
-### `useSearch()` / `useSetSearch()` — typed, validated search params
-`useSearch` returns the route's **validated** search object (the `searchSchema` output — numbers are numbers, defaults applied). Validation runs once on the server; the client never re-runs the schema. `useSetSearch` merges a patch, writes the URL, and soft-navigates so loaders re-run. Set a key to `undefined` to delete it.
-```ts
-const search = useSearch<"/posts">();              // { page: number; q?: string }
-const setSearch = useSetSearch<"/posts">();
-setSearch({ page: search.page + 1 });              // patch → /posts?page=2&q=…
-setSearch((prev) => ({ q: undefined }), { replace: true });  // delete + replaceState
-```
-
-### `useSearchParams<T>()` → `{ searchParams, getParam, setSearchParams }`
-The low-level escape hatch: raw string `URLSearchParams` read/write; writing triggers a soft-nav loader re-run. Prefer `useSearch`/`useSetSearch` (above) when the route has a `searchSchema`.
-```ts
-const { searchParams, getParam, setSearchParams } = useSearchParams<"/blog/:id">();
-const q = getParam("q");                        // string | null
-setSearchParams({ q: "bun" });                  // replace all params
-setSearchParams((prev) => { prev.set("page", "2"); return prev; }); // update
-```
-
-### `useFetcher({ key? })` → `{ data, state, formData, formMethod, load, submit, Form, key }`
-Background fetch/mutation without navigating. After a `submit`, the active route's loaders revalidate automatically (gated by `shouldRevalidate`). `formData`/`formMethod` are set from the moment `submit` is called — render them for **optimistic UI**. A `key` gives the fetcher a stable identity shared across components and surviving remounts; unkeyed fetchers are component-bound.
-```ts
-const fetcher = useFetcher({ key: `delete-${id}` });
-await fetcher.load("/products?q=bun");                       // GET loader data
-await fetcher.submit("/cart", { method: "post", body: { id: "1" } });
-const optimisticTitle = fetcher.formData?.get("title");      // while submitting
-<fetcher.Form method="post" action="/cart">…</fetcher.Form>  {/* scoped form, no navigation */}
-```
-
-### `useFetchers()` → `FetcherEntry[]`
-Every active fetcher — the cross-component view for optimistic UI (e.g. dim each table row whose keyed delete fetcher is in flight elsewhere in the tree).
-```ts
-const deleting = new Set(
-  useFetchers()
-    .filter((f) => f.state === "submitting" && f.key.startsWith("delete-"))
-    .map((f) => f.key.slice("delete-".length)),
-);
-```
-
-### `useFetcher<T>({ stream: true })` → `{ connect }`
-Consume an async-generator server action as an SSE stream.
-```ts
-const { connect } = useFetcher<string>({ stream: true });
-for await (const chunk of connect(actionId)) { /* … */ }
-```
-
-### `useBlocker(shouldBlock)` 
-Prompt before leaving when there are unsaved changes (intercepts back/forward and `<Link>` navigations).
-```ts
-useBlocker(() => formIsDirty);
-```
-
-### `useLocale(defaultLocale?)` → `string` and `useLocalizedLink(defaultLocale?)` → `(path) => string`
-For i18n prefix routing (§19).
-```ts
-const locale = useLocale("en");                 // reads params.locale
-const localized = useLocalizedLink("en");
-<Link to={localized("/about")} />               // → /en/about
-```
-
----
-
-## 10. Client components
-
-### `<Outlet />`
-Renders the matched child route inside a layout (or the route tree inside `root.tsx`).
-```tsx
-export default function BlogLayout() {
-  return <div><nav>Blog</nav><Outlet /></div>;
-}
-```
-
-### `<Link to params? search? prefetch? replace? viewTransition?>`
-Soft-navigates without a full reload. After codegen (§18), `to` autocompletes your routes; for a dynamic route pass typed `params`, and `search` is typed by the target's `searchSchema`. Building the URL yourself still works, so existing links need no changes.
-```tsx
-<Link to="/blog/:id" params={{ id: "42" }}>Read</Link>  {/* typed route + params */}
-<Link to={`/blog/${id}`}>Read</Link>                    {/* built string — also fine */}
-<Link to="/posts" search={{ page: 2 }}>Page 2</Link>    {/* typed search params */}
-<Link to="/about" prefetch="intent">About</Link>        {/* preload on hover/focus intent */}
-<Link to="/gallery" viewTransition>Gallery</Link>       {/* use View Transitions API */}
-```
-Modifier-clicks (ctrl/cmd/shift/alt) fall back to native browser navigation.
-
-**Prefetch modes** — prefetching warms the route chunk (`modulepreload`) *and* the loader cache, so the click commits instantly (prefetched data stays fresh ≥ 30s; concurrent data prefetches are capped at 6 so long lists can't stampede the server):
-
-| mode | when |
-|---|---|
-| `"none"` (default) | never |
-| `"intent"` | hover **or focus**, after a 100 ms delay (canceled on fly-by) — best default |
-| `"hover"` | immediately on mouseenter (legacy alias) |
-| `"viewport"` | when the link scrolls into view (one shared IntersectionObserver) — for lists |
-| `"render"` | as soon as the link mounts |
-
-### `<ScrollRestoration getKey? storageKey?>`
-Restores the window scroll position on back/forward (and reload), scrolls to top — or to the `#hash` element — on new navigations. Render it **once** in `app/root.tsx`, next to `<Scripts />`. Positions persist in `sessionStorage`. Pass `getKey={(location) => location.pathname}` to share one position across every visit to the same path.
-```tsx
-<body>
-  <Outlet />
-  <ScrollRestoration />
-  <Scripts />
-</body>
-```
-
-### `<Form method action?>`
-Fetch-based submission that re-runs the current route's loader after the action.
-```tsx
-<Form method="post">
-  <input name="title" />
-  <button type="submit">Create</button>
-</Form>
-<Form method="post" action="/blog/new">…</Form>
-```
-Submits as `multipart/form-data` with the `X-BractJS-Action` header (CSRF gate). If the action returns a redirect, the form follows it.
-
-### `<Scripts />` and `<LiveReload />`
-Markers used inside `root.tsx` (§3). `<Scripts />` is where the client bundle + bootstrap data go; `<LiveReload />` is the dev-only HMR client.
-
-### `<Image />`
-Responsive, format-converted images via the built-in `/_image` endpoint — see §20.
-
----
-
-## 11. Server Actions & Client Components
-
-### `"use server"` — Server Actions
-
-Mark a file's exports as server actions by making `"use server"` the first line. On the **client**, imports become `fetch("/_action?id=<hash>")` proxies; on the **server**, the real function runs. Action IDs are `SHA-256(appDir-relative-path + "#" + name)`.
-
-```ts
-// app/actions.ts
-"use server";
-
-export async function createPost(formData: FormData) {
-  const title = formData.get("title") as string;
-  await db.insert(posts).values({ title });
-  return { ok: true };
-}
-
-export async function deletePost(id: string) {
-  await db.delete(posts).where(eq(posts.id, id));
-}
-```
-
-```tsx
-// app/routes/new.tsx — import as normal; the client bundle gets a fetch proxy
-import { createPost } from "../actions.ts";
-
-export default function NewPost() {
-  return (
-    <form action={createPost}>
-      <input name="title" />
-      <button type="submit">Create</button>
-    </form>
-  );
-}
-```
-
-- Accepts a single `FormData` (sent as `multipart/form-data`) **or** a JSON-serializable argument array.
-- Unknown action IDs return 404 — only functions registered at startup are callable.
-- Bodies are size-capped (1 MiB JSON) and prototype-pollution scanned.
-
-**Streaming server actions** (async generators) are consumed with `useFetcher({ stream: true })` (§9) over `/_stream`. The endpoint requires the `X-BractJS-Action` header (set automatically by the client).
-
-### `"use client"` — Client-Only Components
-
-Mark a component browser-only. During server builds the module is stubbed to `null` to prevent `window`/`document`/`localStorage` crashes during SSR.
-
-```tsx
-// app/components/Counter.tsx
-"use client";
-import { useState } from "react";
-
-export function Counter() {
-  const [n, setN] = useState(0);
-  return <button onClick={() => setN(n + 1)}>Count: {n}</button>;
-}
-```
-
----
-
-## 12. Typed API routes
-
-Define type-safe JSON endpoints under `/api/*` with `route`, and call them with a fully-typed `createClient`.
-
-### Define routes with `route(method, path, handler)`
-
-```ts
-// app/api/users.ts
-import { route } from "@bractjs/bractjs";
-import { db } from "../db.server.ts";
-
-export const listUsers = route("GET", "/api/users", async () => {
-  return db.users.findAll();
-});
-
-export const createUser = route("POST", "/api/users", async (input: { name: string }) => {
-  return db.users.create(input);
-});
-```
-
-- `GET`/`DELETE`: no body parsed. `POST`/`PUT`/`PATCH`: JSON or form body parsed into `input`.
-- Bodies are capped at 1 MiB. Errors return a generic 500 in production (full message in dev).
-- Handlers also receive the raw `Request` as the 2nd arg.
-- `:param` segments match any non-empty value; **read and validate params from `request.url` yourself** (they aren't injected into `input`).
-
-### Call them with `createClient<AppApiRoutes>()`
-
-```ts
-import { createClient } from "@bractjs/bractjs";
-import type { AppApiRoutes } from "@bractjs/bractjs"; // union of your route defs
-
-const client = createClient<AppApiRoutes>();          // optional baseUrl arg
-const users = await client["/api/users"].GET();        // typed output
-await client["/api/users"].POST({ name: "Alice" });    // typed input
-```
-
-The proxy builds `METHOD path` from the property chain. Non-2xx responses throw an `Error` with `.status` and `.response` attached.
-
----
-
-## 13. Input validation: `validate`
-
-Validate `FormData` or a plain object against any **Zod- or Valibot-compatible** schema (anything with `.safeParse()` or `.parse()`).
-
-```ts
-import { validate } from "@bractjs/bractjs";
-import { z } from "zod";
-
-const Schema = z.object({ title: z.string().min(1), tags: z.array(z.string()) });
-
-export async function action({ formData }: ActionArgs) {
-  // Throws a 400 Response with { errors: { field: [msgs] } } on failure.
-  const data = await validate(Schema, formData);
-  await db.post.create(data); // data is fully typed + coerced
-}
-```
-
-- Repeated `FormData` keys become arrays automatically.
-- On failure it throws a `Response.json({ errors }, { status: 400 })`. The exported `ValidationError` type and `FieldErrors` shape describe the structure.
-
-### `safeValidate` — validate without try/catch (recommended for inline form errors)
-
-Returns a result instead of throwing — the clean idiom when you want to render field errors rather than a 400 page. `firstError` is the first field message.
-```ts
-import { safeValidate } from "@bractjs/bractjs";
-
-export const action = defineActions({
-  create: async ({ formData }) => {
-    const r = await safeValidate(Schema, formData);
-    if (!r.ok) return { error: r.firstError, fieldErrors: r.fieldErrors };
-    await db.post.create(r.data);   // r.data is typed + coerced
-    return redirect("/blog");
-  },
-});
-```
-If you prefer to keep calling `validate()` and catching: `isValidationResponse(err)` narrows the thrown 400, and `readValidationError(res)` parses it into `{ fieldErrors, firstError }`.
-
-### FormData helpers
-
-`formText(formData, key)` returns a string (`""` for missing or File values) — no more `String(formData.get(k) ?? "")`. `formValues(formData, keys?)` collects string fields into an object (all, or a named subset).
-
----
-
-## 14. Middleware
-
-Middleware runs **before routing** on the module-level `pipeline` singleton. Each middleware gets `(ctx, next)` and returns a `Response`. `ctx.context` is threaded into every loader/action.
-
-```ts
-import { pipeline, requestLogger, cors, authGuard, csp } from "@bractjs/bractjs";
-import type { MiddlewareFn } from "@bractjs/bractjs";
-
-pipeline
-  .use(requestLogger())
-  .use(cors({ origin: "https://myapp.com" }))
-  .use(csp())
-  .use(authGuard({ session }));
-```
-
-### Built-in middleware
-
-| Middleware | What it does |
-|---|---|
-| `requestLogger()` | Logs `[METHOD] /path → status in Xms`. Never logs the query string or headers (token-leak safe). |
-| `cors(options)` | Sets CORS headers, handles `OPTIONS` preflight (204), always sets `Vary: Origin`, refuses `credentials:true` + `origin:"*"`. |
-| `authGuard(options)` | Reads the session, sets `ctx.context.user`; with `required:true` returns 401 when unauthenticated. |
-| `csp(options?)` | Opt-in nonce-based Content-Security-Policy (see below). |
-
-**`cors(options)`** — `{ origin: string | string[]; methods?: string[]; credentials?: boolean }`:
-```ts
-pipeline.use(cors({ origin: ["https://a.com", "https://b.com"], credentials: true }));
-```
-
-**`authGuard(options)`** — `{ session: SessionStorageLike; required?: boolean }`:
-```ts
-pipeline.use(authGuard({ session, required: true })); // 401 if no session.user
-```
-
-**`csp(options?)`** — generates a per-request nonce, applies it to the scripts BractJS injects (via `renderToReadableStream`'s `nonce`), and sets the CSP header:
-```ts
-pipeline.use(csp({
-  directives: { "img-src": "'self' data: https://cdn.example", "frame-ancestors": "'none'" },
-  reportOnly: false, // true → Content-Security-Policy-Report-Only
-  strict: false,     // true → drop 'unsafe-inline' from style-src (see below)
-}));
-```
-Read the nonce inside a component/middleware with `getCspNonce(context)` (key: `CSP_NONCE_KEY`) to nonce your own inline scripts.
-
-`script-src` is always nonce-based (`'nonce-…' 'strict-dynamic'`), so injected `<script>` cannot execute. The default `style-src` allows `'unsafe-inline'` for ergonomics (React inline styles, CSS-in-JS); this leaves inline-style injection possible. Pass `strict: true` (or override `style-src` with a nonce/hash) if your app serves all styles from same-origin stylesheets.
-
-### Custom middleware
-
-```ts
-import type { MiddlewareFn } from "@bractjs/bractjs";
-
-const trace: MiddlewareFn = async (ctx, next) => {
-  ctx.context.requestId = crypto.randomUUID();
-  const res = await next();
-  res.headers.set("X-Request-Id", ctx.context.requestId as string);
-  return res;
-};
-pipeline.use(trace);
-```
-
-You can also construct an isolated `new MiddlewarePipeline()` and `.run(ctx, handler)` it yourself (used internally and in tests).
-
----
-
-## 15. Sessions
-
-Signed, tamper-proof cookie sessions (HMAC-SHA256, constant-time verify, secret rotation).
-
-```ts
-import { createCookieSession } from "@bractjs/bractjs";
-
-const session = createCookieSession({
-  name: "__session",
-  secrets: [Bun.env.SESSION_SECRET!], // first signs; all verify (rotate by prepending)
-  maxAge: 60 * 60 * 24 * 7,           // seconds; 1 week
-  secure: true,                        // false only for local HTTP dev
-  sameSite: "Lax",                     // "Strict" | "Lax" | "None"
-});
-```
-
-Read in a loader, write in an action:
-
-```ts
-export async function loader({ request }: LoaderArgs) {
-  const s = await session.getSession(request.headers.get("Cookie"));
-  return { user: s.get("user") };
-}
-
-export async function action({ request }: ActionArgs) {
-  const s = await session.getSession(request.headers.get("Cookie"));
-  s.set("user", { id: 1, name: "Alice" }); // also: s.get, s.has, s.delete
-  return redirect("/dashboard", {
-    headers: { "Set-Cookie": await session.commitSession(s) }, // opt: { maxAge }
-  });
-}
-```
-
-- Each secret must be ≥16 chars; `secrets` must be non-empty (throws otherwise).
-- Tampered cookies are silently rejected → empty session.
-- Generate a secret: `openssl rand -base64 32`.
-
----
-
-## 16. Lifecycle hooks: `defineLifecycle`
-
-Run code on server start, shutdown, and unexpected errors. Shutdown fires on **any** exit signal (`SIGTERM`, `SIGINT`, `SIGUSR2`, `beforeExit`, uncaught exceptions).
-
-```ts
-// app/lifecycle.ts
-import { defineLifecycle } from "@bractjs/bractjs";
-import { db } from "./db.server.ts";
-
-export default defineLifecycle({
-  async onStart()   { await db.connect();    },
-  async onShutdown(){ await db.disconnect(); },
-  onError(err, request) {
-    Sentry.captureException(err, { extra: { url: request?.url } });
-  },
-});
-```
-
-| Hook | When |
-|------|------|
-| `onStart` | Once, after the server starts listening. |
-| `onShutdown` | Before exit — any signal, programmatic `stop()`, or uncaught exception. |
-| `onError` | Every unexpected error (loader/action throws, uncaught exceptions). Redirects and `HttpError`s are intentional control flow and are **not** reported. `request` is `undefined` for process-level exceptions. |
-
-- **Dev** picks up `app/lifecycle.ts` automatically.
-- **Production**: spread into `createServer()`:
-  ```ts
-  import { createServer } from "@bractjs/bractjs";
-  import lifecycle from "./app/lifecycle.ts";
-  createServer({ port: 3000, ...lifecycle });
-  ```
-
-`createServer()` returns `{ stop }`. `stop()` runs `onShutdown` and closes the listener but does **not** call `process.exit()` (good for tests/supervisors). Signals do exit.
-
----
-
-## 17. Environment variables
-
-| Convention | Behavior |
-|---|---|
-| `*.server.ts` / `*.server.tsx` | **Stubbed out of the client bundle.** Import it freely from a route's `loader`/`action`; every export is replaced by an inert stub in the browser build, so the real source (DB drivers, secrets, `bun:sqlite`) never ships. The stub throws if you accidentally call it on the client. |
-| Keys listed in `clientEnv` | Replaced with string literals in the client bundle. |
-| Any other `process.env.*` | Becomes the literal `"undefined"` in the client bundle. |
-
-```ts
-// db.server.ts — never reaches the browser
-import { Database } from "bun:sqlite";
-export const db = new Database(Bun.env.DATABASE_URL!);
-```
-
-```ts
-// app/routes/posts.tsx — import the server module inside the loader
-import { db } from "../db.server.ts"; // stubbed in the client bundle
-
-export async function loader() {
-  return { posts: db.query("SELECT * FROM posts").all() };
-}
-```
-
-> BractJS ships the whole route module — `loader` and `action` included — to the client, so a server import is reachable from the client graph. The `serverModuleStubPlugin` (applied automatically by `bractjs dev`/`build`) replaces every `*.server.ts` export with a throwing stub: the import resolves, the loader/action are dead code on the client, and **zero** server source is emitted. The stricter, hard-failing `serverOnlyPlugin` is still exported if you'd rather a server import be a build error.
-
-```ts
-// bractjs.config.ts
-export default { clientEnv: ["PUBLIC_API_URL"] };
-```
-
-```ts
-// in a client component — only allow-listed keys survive
-fetch(`${process.env.PUBLIC_API_URL}/items`);
-```
-
-On the server, read env via `Bun.env.*` directly.
-
----
-
-## 18. Typed routes
-
-Generate type-safe routing from your route files — one command wires `<Link>`, `useNavigate`, `useParams`, and `useSearchParams` to your actual routes.
-
-```sh
-bractjs codegen                       # ./app → ./app/route-types.gen.ts
-bractjs codegen ./app ./app/types.ts  # explicit paths
-```
-
-**You rarely run this by hand.** `bractjs new` generates it on scaffold, `bractjs dev` regenerates it on boot and whenever you add/remove/rename a route file, and `bractjs build` runs it too. The output is deterministic (route-sorted) and carries a `// bractjs:routes <hash>` fingerprint, so re-runs that change nothing don't rewrite the file (no editor reload loops); on boot the dev server prints precisely what drifted. Make sure the generated file is part of your TypeScript program (it is, if your `tsconfig.json` `include`s `app/`). It augments BractJS's `Register` interface, after which the runtime components and hooks become type-safe — **no per-route imports needed**:
-
-```tsx
-<Link to="/blog/:id" params={{ id }} />     // ✅ "/blog/:id" autocompletes; params typed
-<Link to="/blgo/:id" params={{ id }} />     // ❌ typo'd route — compile error
-<Link to="/blog/:id" params={{ x: id }} />  // ❌ wrong param key — compile error
-
-const navigate = useNavigate();
-navigate("/blog/:id", { params: { id } });  // ✅ same typing as <Link>
-
-const { id } = useParams<"/blog/:id">();     // id: string
-```
-
-Building the URL yourself (`<Link to={`/blog/${id}`}>`) still type-checks, so adopting codegen never breaks existing links.
-
-The generated file also exports types/helpers for typed loaders and explicit URL building:
-
-```ts
-import type { TypedLoaderArgs } from "../route-types.gen.ts";
-import { routes } from "../route-types.gen.ts";
-
-export async function loader({ params }: TypedLoaderArgs<"/blog/:id">) {
-  return db.post.findById(params.id);          // params.id: string
-}
-routes["/blog/:id"]({ id: "123" });            // → "/blog/123"  (typo'd routes won't compile)
-```
-
-**Type a route's search params or context** by augmenting the package interfaces — `SearchParams<T>` / `Context<T>` and `useSearchParams<T>()` pick it up:
-
-```ts
-declare module "@bractjs/bractjs" {
-  interface RouteSearchParamsMap { "/blog": { page: string; sort: string } }
-  interface RouteContextMap { "/admin": { user: { id: string; role: "admin" } } }
-}
-```
-
-You can also call `writeRouteTypes(appDir, outPath?)` / `generateRouteTypes(appDir)` programmatically.
-
-> **Heads up:** earlier versions documented `useParams<RouteParams<"/blog/:id">>()` and untyped `<Link to={string}>`. The route-literal form (`useParams<"/blog/:id">()`) and typed `<Link>`/`useNavigate` are the current API; the old forms still compile.
-
----
-
-## 19. Internationalization utilities
-
-BractJS exports **utilities** for locale-prefixed routing. These are helpers you wire up yourself (there is no fully-automatic locale router yet) plus the `useLocale` / `useLocalizedLink` client hooks (§9).
-
-```ts
-import { wrapRoutesWithLocale, stripLocale, localizedDataPath } from "@bractjs/bractjs";
-import type { I18nConfig } from "@bractjs/bractjs";
-
-const i18n: I18nConfig = { locales: ["en", "fr"], defaultLocale: "en" };
-
-// Add /:locale-prefixed variants alongside the originals.
-const localized = wrapRoutesWithLocale(routeFiles, i18n);
-
-// Split a locale off a pathname.
-const { locale, strippedPathname } = stripLocale("/fr/about", i18n.locales);
-// → { locale: "fr", strippedPathname: "/about" }
-
-// Build a locale-aware data path.
-localizedDataPath("/about", "fr"); // → "/fr/about"
-```
-
-On the client, read the active locale and build localized links:
-
-```tsx
-const locale = useLocale("en");
-const to = useLocalizedLink("en");
-<Link to={to("/about")} />; // → /en/about
-```
-
----
-
-## 20. Image optimization
-
-`<Image>` serves responsive, format-converted images through the built-in `/_image` endpoint. Requires [ImageMagick](https://imagemagick.org) (`magick` or `convert`) — without it, originals are served as-is.
-
-```tsx
-import { Image } from "@bractjs/bractjs";
-
-<Image src="/public/hero.jpg" alt="Hero" width={1200} height={600} />
-
-{/* above-the-fold: eager + fetchpriority=high */}
-<Image src="/public/hero.jpg" alt="Hero" width={1200} priority />
-
-<Image
-  src="/public/photo.jpg" alt="Photo" width={800}
-  format="avif" quality={70} fit="contain"
-  sizes="(max-width: 640px) 100vw, 50vw"
-/>
-```
-
-| Prop | Type | Default | Notes |
-|------|------|---------|-------|
-| `src` | `string` | — | Path under `/public/` (required) |
-| `alt` | `string` | — | Required |
-| `width` / `height` | `number` | — | Intrinsic size |
-| `quality` | `number` | `80` | 1–100 |
-| `format` | `"webp" \| "avif" \| "jpeg" \| "png"` | `"webp"` | `ImageFormat` |
-| `fit` | `"cover" \| "contain" \| "fill"` | `"cover"` | `ImageFit` |
-| `priority` | `boolean` | `false` | Disable lazy load, set `fetchpriority=high` |
-| `sizes` | `string` | `"100vw"` | HTML `sizes` |
-
-Generates a `srcset` across breakpoints (320→1920px). Optimized images are cached in memory (LRU, 200 slots) and on disk (`.bract-image-cache/`, survives restarts), both served `Cache-Control: immutable`. The endpoint validates widths against an allowlist, caps total pixel area, limits concurrency, and kills runaway transforms (DoS hardening).
-
-`ImageProps`, `ImageFormat`, and `ImageFit` are exported types.
-
----
-
-## 21. Build & run
-
-### CLI
-
-| Command | Description |
-|---------|-------------|
-| `bractjs new <name>` | Scaffold a new app into `<name>/`. |
-| `bractjs dev` | Dev server with HMR (port 3000, HMR ws 3001). |
-| `bractjs build` | Dual server + client build with content-hashed output. |
-| `bractjs start` | Serve the production build. |
-| `bractjs codegen [app] [out]` | Generate `route-types.gen.ts`. |
-| `bractjs codegen:registry [app]` | Generate `app/_generated/{routes,actions}.ts`. |
-| `bractjs codegen:manifest [app] [build]` | Snapshot manifest → `app/_generated/manifest.ts`. |
-| `bractjs compile [outfile] [entry]` | Full single-binary pipeline. |
-
-The CLI is a thin wrapper — every command delegates to a public function, so you can script the same thing.
-
-### Programmatic API
-
-**`createDevServer(options?)`** — dev server with HMR.
-```ts
-import { createDevServer } from "@bractjs/bractjs";
-
-const dev = await createDevServer({
-  port: 3000,            // default: config.port ?? 3000
-  hmrPort: 3001,         // HMR websocket
-  config: { appDir: "./app", clientEnv: ["PUBLIC_API_URL"] },
-  skipUserConfig: false, // true → don't read bractjs.config.ts
-});
-dev.stop();
-```
-
-**`runBuild(config?)`** — production build (accepts only build-relevant fields).
-```ts
-import { runBuild } from "@bractjs/bractjs";
-
-await runBuild({
-  appDir: "./app",
-  buildDir: "./build",
-  minify: true,
-  sourcemap: "external",   // "none" | "linked" | "inline" | "external"
-  clientEnv: ["PUBLIC_API_URL"],
-  plugins: [],             // extra Bun plugins
-});
-```
-
-**`loadUserConfig()`** — read `bractjs.config.ts` (or `.js`) from cwd, validated.
-```ts
-import { loadUserConfig } from "@bractjs/bractjs";
-const cfg = await loadUserConfig(); // {} if no file; throws on a malformed shape
-```
-
-**`createServer(config?)`** — production HTTP server. Returns `{ stop }`.
-```ts
-import { createServer } from "@bractjs/bractjs";
-import lifecycle from "./app/lifecycle.ts";
-const srv = createServer({ port: 3000, buildDir: "./build", ...lifecycle });
-```
-
-**`buildFetchHandler(config)`** — the adapter-agnostic `(Request) => Promise<Response>` core, if you want to mount BractJS inside another server.
-```ts
-import { buildFetchHandler } from "@bractjs/bractjs";
-const handler = buildFetchHandler({ appDir: "./app", manifest });
-Bun.serve({ port: 3000, fetch: handler });
-```
-
-`renderRoute(options)` (low-level SSR render) and the `RenderOptions`/`ServerManifest`/`BractJSConfig` types are also exported for advanced embedding.
-
-### Rendering modes
-
-Three levels of SSR control, all opt-in:
-
-**Per-route selective SSR** — `export const ssr = false | "data-only"` plus a `Fallback` component on any route (§5 item 8). The document SSRs the Fallback; the client swaps in the real component after hydration. `beforeLoad` always runs server-side.
-
-**App-wide SPA mode** — `ssr: false` in `bractjs.config.ts`:
-
-```ts
-// bractjs.config.ts
-export default {
-  ssr: false,   // every document GET serves one static shell
-};
-```
-
-SPA mode means **"no document SSR", not "no server"**: the Bun server keeps serving `/_data` (loaders), `/_action`/mutations (CSRF gate intact), `/_image`, API routes, and static assets. `bractjs build` emits the shell at `build/client/__spa.html`; in dev it renders on the fly so `root.tsx` edits show up. Constraints: the root component renders without loader data and with a `/` location, so keep location/loader-dependent markup out of `root.tsx`; route-level `meta()` only applies after hydration (no SEO for route content).
-
-**Build-time prerendering (SSG)** — `prerender` in `bractjs.config.ts`:
-
-```ts
-// bractjs.config.ts
-export default {
-  prerender: ["/", "/about", "/blog/intro"],
-  // or resolve dynamically: prerender: async () => (await db.posts()).map(p => `/blog/${p.slug}`),
-};
-```
-
-`bractjs build` runs the real loaders in-process (anything they need — DB, env — must be available at build time), writing each path's HTML **and** its `/_data` payload (used by client navigations *into* a prerendered page) under `build/client/_prerender/`. In production, clean URLs are served from these files before dynamic SSR; **a query string opts the request back into SSR** (the file was rendered without one). Paths must be concrete — expand `"/blog/:slug"` yourself; the build fails on patterns. `runPrerender(options)` is exported for custom pipelines.
-
-Deployment notes: with `bun build --compile`, ship `build/client/` (including `_prerender/`) alongside the binary — or pass it via `--asset`. On Cloudflare, upload `build/client/` as static assets so the platform serves prerendered files before the worker runs.
-
----
-
-## 22. Single-binary deployment (`bun build --compile`)
-
-BractJS compiles to a single executable. Because `bun build --compile` can't trace runtime fs scans or dynamic `import(absPath)`, a codegen step materializes routes, layouts, actions, and the manifest into static imports so the binary boots with **zero filesystem reads of `appDir`**.
-
-### One-shot
-
-```sh
-bractjs compile ./myapp
-# = codegen:registry → build → codegen:manifest → bun build --compile app/server.ts
-```
-
-### The `app/server.ts` entry
-
-The scaffold includes:
-
-```ts
-import { createServer } from "@bractjs/bractjs";
-import { routeFiles, moduleRegistry } from "./_generated/routes.ts";
-import { actionModules } from "./_generated/actions.ts";
-import { manifest } from "./_generated/manifest.ts";
-
-createServer({
-  port: Number(process.env.PORT ?? 3000),
-  appDir: "./app",
-  publicDir: "./public",
-  manifest,        // no manifest read from disk
-  routeFiles,      // no Bun.Glob route scan
-  moduleRegistry,  // no dynamic import(absPath)
-  actionModules,   // no scan/import for "use server" files
-});
-```
-
-When all four are present, the server uses the pre-imported modules for routing, layouts, actions, and assets.
-
-### Manual pipeline
-
-```sh
-bractjs codegen:registry                          # A — scan routes/actions → static imports
-bractjs build                                     # B — client + server bundles + manifest
-bractjs codegen:manifest                          # C — embed manifest as a TS constant
-bun build --compile app/server.ts \               # D — single binary
-  --asset build/client/ --outfile ./myapp
-```
-
-`--asset build/client/` embeds JS/CSS into the binary (true single file); omit it to ship `myapp` + `build/client/` side by side.
-
-The codegen functions are exported: `writeModuleRegistries(appDir)`, `writeManifestModule(appDir, buildDir)`, and the lower-level `generateRouteRegistry` / `generateActionRegistry` / `generateManifestModule`.
-
-> **Contributor note — keep the binary working:** anything on the server request/startup path must avoid runtime `Bun.Glob`/computed-path `import()`, must fall back from `realpath()` to `Bun.file().exists()` for embedded assets, and must preserve every consumed export when projecting route modules. Two tests enforce this: `src/__tests__/compile-safety.test.ts` (fast static scan) and `src/__tests__/compile-smoke.test.ts` (compiles and boots a real binary).
-
----
-
-## 23. Custom adapters
-
-The server core is adapter-agnostic. The default is `BunAdapter` (wraps `Bun.serve`); supply your own via `createServer({ adapter })`.
-
-```ts
-import type { BractAdapter } from "@bractjs/bractjs";
-import { BunAdapter } from "@bractjs/bractjs";
-
-// BractAdapter: { fetch(req): Promise<Response>; listen?(port): void }
-```
-
-**Cloudflare Workers:**
-```ts
-import { buildFetchHandler, makeCloudflareHandler } from "@bractjs/bractjs";
-const handler = buildFetchHandler({ appDir: "./app", manifest });
-export default makeCloudflareHandler(handler);
-// or createCloudflareAdapter(handler) for the BractAdapter-compatible form
-```
-
----
-
-## 24. Build plugins
-
-If you write your own `Bun.build()` (instead of `bractjs build`), you **must** apply these or face crashes / secret leaks. All are exported.
-
-| Bundle | Plugin | Without it |
-|---|---|---|
-| Server | `useClientStubPlugin` | Server crashes calling browser-only hooks from `"use client"` modules. |
-| Client | `createUseServerProxyPlugin(appDir)` | Server-action bodies (DB code, secrets) ship in the browser JS. |
-| Client | `serverModuleStubPlugin` | `*.server.ts` source (DB drivers, secrets) leaks into the client bundle. |
-| Client | `clientEnvPlugin(allowedKeys, env)` | Server env vars leak into the browser bundle. |
-| Client | `cssModulesPlugin` | `*.module.css` imports don't resolve. |
-
-```ts
-import {
-  useClientStubPlugin, createUseServerProxyPlugin,
-  serverModuleStubPlugin, clientEnvPlugin, cssModulesPlugin,
-} from "@bractjs/bractjs";
-
-// Server bundle (target: "bun"):
-plugins: [useClientStubPlugin];
-
-// Client bundle (target: "browser"):
-plugins: [
-  serverModuleStubPlugin,
-  createUseServerProxyPlugin("./app"),               // same appDir as createServer!
-  clientEnvPlugin(["PUBLIC_API_URL"], Bun.env as Record<string, string>),
-  cssModulesPlugin,
-];
-```
-
-> Always pass the **same `appDir`** to `createUseServerProxyPlugin` that you pass to `createServer` — action IDs hash the appDir-relative path, so a mismatch makes every `/_action` return 404. `transformCssModule(filePath)` is exported for custom CSS pipelines; `useServerProxyPlugin` is the legacy absolute-path variant. `serverModuleStubPlugin` stubs `*.server.ts` exports so a route can import a server module inside its loader/action without leaking source; `serverOnlyPlugin` is the stricter predecessor that hard-fails such imports instead (still exported for opt-in use).
-
----
-
-## 25. Configuration reference
-
-All fields optional. Wrap the default export in `defineConfig()` for autocomplete + type-checking (it's a no-op identity helper), or pass these to `createServer` / `createDevServer` / `runBuild`.
-
-```ts
-import { defineConfig } from "@bractjs/bractjs";
-export default defineConfig({ port: 3000, clientEnv: ["PUBLIC_API_URL"] });
-```
-
-| Field | Type | Default | Description |
-|-------|------|---------|-------------|
-| `port` | `number` | `3000` | TCP port |
-| `hmrPort` | `number` | `3001` | Dev HMR WebSocket port (`bractjs dev` only) |
-| `appDir` | `string` | `"./app"` | Contains `routes/` and `root.tsx` |
-| `publicDir` | `string` | `"./public"` | Static assets (served no-cache) |
-| `buildDir` | `string` | `"./build"` | Build output |
-| `imageCacheDir` | `string` | `".bract-image-cache"` | Optimized-image disk cache |
-| `sourcemap` | `string` | `"external"` | `"none" \| "linked" \| "inline" \| "external"` |
-| `minify` | `boolean` | `true` | Minify client bundles |
-| `clientEnv` | `string[]` | `[]` | `process.env` keys exposed to the client |
-| `plugins` | `BunPlugin[]` | `[]` | Extra client-build plugins |
-| `adapter` | `BractAdapter` | `BunAdapter` | Custom server adapter |
-| `i18n` | `I18nConfig` | — | Locale config consumed by the i18n utilities |
-| `ssr` | `boolean` | `true` | `false` → SPA mode: static shell for every document GET (§21) |
-| `prerender` | `string[] \| () => paths` | — | Paths to prerender at build time (§21) |
-| `onStart` / `onShutdown` / `onError` | hooks | — | Lifecycle (§16) |
-
-`loadUserConfig()` validates these shapes and throws a clear error on an obvious mistake (e.g. a string `port`).
-
----
-
-## 26. Full export index
-
-Everything importable from `@bractjs/bractjs` ([src/index.ts](src/index.ts)):
-
-**Server / runtime:** `createServer`, `buildFetchHandler`, `renderRoute`, `redirect`, `json`, `error`, `defineContext`, `route`, `validate`, `safeValidate`, `isValidationResponse`, `readValidationError`, `validateSearch`, `searchParamsToObject`, `formText`, `formValues`, `defineActions`, `BunAdapter`, `defineLifecycle`, `renderSpaShell`
-
-**Errors:** `BractJSError`, `HttpError`, `isRedirect`, `isHttpError`, `isBractJSError`
-
-**Streaming:** `defer`, `Deferred`, `isDeferred`, `Await`
-
-**Context:** `BractJSContext`, `BractJSProvider`, `useBractJSContext`
-
-**Middleware:** `pipeline`, `MiddlewarePipeline`, `requestLogger`, `cors`, `authGuard`, `csp`, `getCspNonce`, `CSP_NONCE_KEY`
-
-**Sessions:** `createCookieSession`
-
-**Components:** `Outlet`, `Link`, `Form`, `Scripts`, `LiveReload`, `Await`, `Image`, `ScrollRestoration`
-
-**Hooks:** `useLoaderData`, `useActionData`, `useLocation`, `useParams`, `useNavigation`, `useNavigate`, `useFetcher`, `useFetchers`, `useRevalidator`, `useSearch`, `useSetSearch`, `useSearchParams`, `useBlocker`, `useLocale`, `useLocalizedLink`
-
-**Search serialization:** `serializeSearch`
-
-**i18n:** `wrapRoutesWithLocale`, `stripLocale`, `localizedDataPath`
-
-**Client RPC:** `createClient`
-
-**Build / programmatic:** `createDevServer`, `runBuild`, `loadUserConfig`, `defineConfig`, `runPrerender`
-
-**Codegen:** `writeModuleRegistries`, `writeManifestModule`, `generateRouteRegistry`, `generateActionRegistry`, `generateManifestModule`
-
-**Build plugins:** `useClientStubPlugin`, `createUseServerProxyPlugin`, `useServerProxyPlugin`, `serverModuleStubPlugin`, `serverOnlyPlugin`, `clientEnvPlugin`, `cssModulesPlugin`, `transformCssModule`
-
-**Adapters:** `createCloudflareAdapter`, `makeCloudflareHandler`
-
-**Types:** `LoaderArgs`, `ActionArgs`, `MetaArgs`, `MetaDescriptor`, `LoaderFunction`, `ActionFunction`, `MetaFunction`, `RouteModule`, `RouteDefinition`, `RouteFile`, `Segment`, `RouterLocation`, `ShouldRevalidateArgs`, `ShouldRevalidateFunction`, `BractJSConfig`, `RenderOptions`, `ServerManifest`, `ContextFactory`, `ApiRouteDefinition`, `AppApiRoutes`, `FieldErrors`, `ValidationError`, `BractAdapter`, `LifecycleHooks`, `MiddlewareFn`, `MiddlewareContext`, `CorsOptions`, `AuthGuardOptions`, `CspOptions`, `SessionStorageLike`, `SessionLike`, `Session`, `SessionStorage`, `SessionData`, `CookieSessionOptions`, `CommitOptions`, `ImageProps`, `ImageFormat`, `ImageFit`, `SearchParamsResult`, `SetSearchFn`, `SetSearchOptions`, `SearchOutputFor`, `InferSchemaOutput`, `LoaderData`, `ActionData`, `SafeValidateResult`, `FetcherResult`, `FetcherEntry`, `FetcherState`, `FetcherFormProps`, `UseFetcherOptions`, `Revalidator`, `ScrollRestorationProps`, `PrerenderOptions`, `PrerenderResult`, `I18nConfig`, `DevServerOptions`, `DevServer`, `BuildConfig`, `CodegenResult`, `ModuleRegistry`, `BractJSContextValue`, `RouteManifest`
-
----
-
-## 27. Security model
-
-BractJS ships secure defaults, but a few behaviors are worth understanding so you don't accidentally widen your attack surface.
-
-- **What `"use server"` publishes.** Every exported **function** of a `"use server"` module becomes an unauthenticated RPC endpoint reachable via `POST /_action` and `GET /_stream`. In files under `routes/`, framework exports (`loader`, `action`, `default`, `meta`, `beforeLoad`, `context`, `ErrorBoundary`, `Fallback`, `config`, `searchSchema`, `ssr`) are **not** registered as actions — but any *other* exported function is. Treat each exported action as a public endpoint: **do your own authorization inside the function body** (read the session, check the user). The CSRF gate only proves the call is same-origin; it does not authenticate the user.
-- **`/_stream` calls actions with no arguments.** A streaming action invoked over `GET /_stream` receives no caller input. It must be safe to call with none and must authorize itself.
-- **CORS + credentials.** Listing an origin in `cors({ origin: [...], credentials: true })` fully trusts that origin for credentialed cross-origin reads. Only list origins you control. `credentials:true` with `origin:"*"` is refused at setup. Never add `X-BractJS-Action` to `Access-Control-Allow-Headers` — it is the CSRF gate.
-- **Error messages.** In production, loader/action errors are surfaced to the client as a generic message; the real message + stack appear only in dev (`NODE_ENV=development`). For user-facing structured errors throw an `HttpError` (its message *is* shown) — never put secrets in a raw `Error.message`.
-- **CSP `style-src`.** The opt-in `csp()` middleware nonces all scripts, but its default `style-src` includes `'unsafe-inline'` for ergonomics. Pass `csp({ strict: true })` (or override `style-src` with a nonce/hash) if you want to block inline-style injection.
-- **Already handled for you:** path traversal + symlink escape on `/public` and `/_image`, open-redirect neutralization (`redirect()` requires `{ allowExternal: true }` to go off-origin), XSS-safe SSR data island (`safeStringify`), prototype-pollution rejection on action JSON bodies, request body-size caps, signed/constant-time-verified cookie sessions, and CSRF via layered `Sec-Fetch-Site` + custom-header + `Origin` checks.
-
----
-
-## Changelog
-
-See [CHANGELOG.md](CHANGELOG.md) for release history.
-
----
-
-## Why BractJS
-
-- **Bun-native** — `Bun.serve`, `Bun.build`, `Bun.file`, `Bun.Glob`, `Bun.watch`. No Node.js.
-- **Zero framework deps** — only peers are `react` and `react-dom`.
-- **Streaming SSR** — `renderToReadableStream()` with `defer()` and `<Await>`.
-- **File-based routing** — drop a file in `app/routes/`.
-- **Full-stack** — loaders, actions, sessions, server actions, typed API routes, middleware.
-- **Typed routes** — codegen wires `<Link>`, `useNavigate`, and `useParams` to your routes (autocompleted paths, typed params), plus a type-safe URL builder.
-- **Single-binary** — `bun build --compile` to one executable.
-
-## License
-
-MIT