npm - @bractjs/bractjs - Versions diffs - 0.1.29 → 0.2.1 - Mend

@bractjs/bractjs 0.1.29 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +1449 -0
package/package.json +1 -1
package/src/__tests__/fixtures/app/routes/redirect-loader.tsx +13 -0
package/src/__tests__/integration.test.ts +18 -0
package/src/client/components/Form.tsx +5 -1
package/src/client/components/Image.tsx +4 -2
package/src/client/components/Toaster.tsx +117 -0
package/src/client/hooks/useToast.ts +12 -0
package/src/client/toast-store.ts +132 -0
package/src/index.ts +5 -0
package/src/server/adapter.ts +7 -1
package/src/server/request-handler.ts +6 -1
package/src/server/serve.ts +17 -1
package/types/index.d.ts +62 -2

package/README.md ADDED Viewed

@@ -0,0 +1,1449 @@
+# BractJS
+[![npm version](https://img.shields.io/npm/v/@bractjs/bractjs)](https://www.npmjs.com/package/@bractjs/bractjs)
+[![license](https://img.shields.io/npm/l/@bractjs/bractjs)](LICENSE)
+> Production-grade SSR framework for **Bun + React 19**.
+> File-based routing · Parallel loaders · Streaming SSR · Built-in HMR · Server Actions · Typed routes · Single-binary deploy.
+## Requirements
+- [Bun](https://bun.sh) ≥ 1.1 — no Node.js support
+- React 19 (peer dependency)
+This README is a **step-by-step guide to every function and feature** BractJS exports. Each section is self-contained and ordered from "first app" to "advanced". Every symbol shown here is a real export from `@bractjs/bractjs` (see [packages/core/src/index.ts](packages/core/src/index.ts)).
+---
+## Table of Contents
+1. [Install & create an app](#1-install--create-an-app)
+2. [Project structure](#2-project-structure)
+3. [The root layout (`app/root.tsx`)](#3-the-root-layout-approotsx)
+4. [File-based routing](#4-file-based-routing)
+5. [Route module API: `loader`, `action`, `meta`, `beforeLoad`, `ErrorBoundary`, `default`](#5-route-module-api)
+6. [Response helpers: `json`, `redirect`, `error`, `HttpError`](#6-response-helpers)
+7. [Per-route context: `defineContext`](#7-per-route-context-definecontext)
+8. [Streaming data: `defer`, `Deferred`, `isDeferred`, `<Await>`](#8-streaming-data)
+9. [Client hooks](#9-client-hooks)
+10. [Client components: `<Outlet>`, `<Link>`, `<Form>`, `<Scripts>`, `<LiveReload>`, `<Image>`, `<Toaster>`](#10-client-components)
+11. [Server Actions (`"use server"`) & client-only (`"use client"`)](#11-server-actions--client-components)
+12. [Typed API routes: `route` + `createClient`](#12-typed-api-routes)
+13. [Input validation: `validate`](#13-input-validation-validate)
+14. [Middleware: `pipeline`, `requestLogger`, `cors`, `authGuard`, `csp`](#14-middleware)
+15. [Sessions: `createCookieSession`](#15-sessions)
+16. [Lifecycle hooks: `defineLifecycle`](#16-lifecycle-hooks)
+17. [Environment variables & `*.server.ts`](#17-environment-variables)
+18. [Typed routes](#18-typed-routes)
+19. [Internationalization (i18n) utilities](#19-internationalization-utilities)
+20. [Image optimization (`<Image>` + `/_image`)](#20-image-optimization)
+21. [Build & run: CLI + programmatic API (`createDevServer`, `runBuild`, `loadUserConfig`)](#21-build--run)
+22. [Single-binary deployment (`bun build --compile`)](#22-single-binary-deployment)
+23. [Custom adapters (`BunAdapter`, Cloudflare)](#23-custom-adapters)
+24. [Build plugins (for custom `Bun.build`)](#24-build-plugins)
+25. [Configuration reference](#25-configuration-reference)
+26. [Full export index](#26-full-export-index)
+---
+## 1. Install & create an app
+BractJS requires [Bun](https://bun.sh). There is no Node.js runtime path.
+```sh
+# Scaffold a new app
+bunx bractjs new my-app
+cd my-app
+# Start the dev server (HMR on http://localhost:3000)
+bun run dev
+```
+`bractjs new <name>` copies the scaffold template, runs `bun install`, and seeds `app/_generated/` so the single-binary entry typechecks before your first build.
+Add it to an existing project instead:
+```sh
+bun add @bractjs/bractjs react react-dom
+```
+`react` and `react-dom` v19 are **peer dependencies** — BractJS ships zero other runtime deps.
+---
+## 2. Project structure
+```
+my-app/
+├── app/
+│   ├── root.tsx              # required — the <html> document shell
+│   ├── server.ts             # single-binary entry (bun build --compile)
+│   ├── lifecycle.ts          # optional — onStart / onShutdown / onError
+│   ├── route-types.gen.ts    # generated by `bractjs codegen`
+│   ├── _generated/           # generated by `bractjs codegen:registry` / `:manifest`
+│   ├── actions.ts            # "use server" actions (optional)
+│   └── routes/
+│       ├── _index.tsx        # → /
+│       ├── about.tsx         # → /about
+│       ├── blog/
+│       │   ├── layout.tsx    # wraps /blog/*
+│       │   ├── _index.tsx    # → /blog
+│       │   └── [id].tsx      # → /blog/:id
+│       └── docs/
+│           └── [...slug].tsx # → /docs/*  (catch-all)
+├── public/                   # static assets, served at /public/*
+├── bractjs.config.ts         # optional config (see §25)
+└── build/                    # generated — do not edit
+```
+Defaults: `appDir="./app"`, `publicDir="./public"`, `buildDir="./build"`, `port=3000`. All overridable (§25).
+---
+## 3. The root layout (`app/root.tsx`)
+**Required.** It provides the `<html>` document shell and is always rendered. Use the `<Outlet>`, `<Scripts>`, and `<LiveReload>` components from the package.
+```tsx
+// app/root.tsx
+import { Outlet, Scripts, LiveReload } from "@bractjs/bractjs";
+export function meta() {
+  return [
+    { title: "My App" },
+    { name: "viewport", content: "width=device-width, initial-scale=1" },
+  ];
+}
+export default function Root() {
+  return (
+    <html lang="en">
+      <head>
+        <meta charSet="utf-8" />
+        {/* BractJS hoists <title>/<meta> from every route's meta() into <head> */}
+      </head>
+      <body>
+        <Outlet />     {/* renders the matched route tree */}
+        <Scripts />    {/* injects the client bundle + bootstrap data */}
+        <LiveReload /> {/* dev-only HMR client; no-op in production */}
+      </body>
+    </html>
+  );
+}
+```
+**Step by step:**
+1. `export default function Root()` returns the full `<html>` document.
+2. Put `<Outlet />` where the page content should render.
+3. Put `<Scripts />` at the end of `<body>` — it's a marker the SSR pipeline replaces with the hashed client entry + `window.__BRACTJS_DATA__`.
+4. `<LiveReload />` renders an HMR client script in dev and `null` in production.
+5. Optionally `export function meta()` for site-wide defaults (route `meta()` overrides per descriptor).
+> `<title>`/`<meta>` tags from any route's `meta()` are rendered into `<head>` via React 19 document-metadata hoisting — you do not place them manually.
+---
+## 4. File-based routing
+Drop a file in `app/routes/`; it becomes a route. BractJS scans at startup and builds a trie.
+| File | URL |
+|------|-----|
+| `routes/_index.tsx` | `/` |
+| `routes/about.tsx` | `/about` |
+| `routes/blog/_index.tsx` | `/blog` |
+| `routes/blog/[id].tsx` | `/blog/:id` |
+| `routes/users/[[id]].tsx` | `/users` **and** `/users/:id` (optional) |
+| `routes/docs/[...slug].tsx` | `/docs/*` (catch-all) |
+| `routes/blog/layout.tsx` | wraps all `/blog/*` routes |
+| `routes/(marketing)/about.tsx` | `/about` (group adds no URL segment) |
+- `[param]` → a dynamic segment, read via `useParams()` / `params` arg.
+- `[[param]]` → an **optional** dynamic segment: the route matches whether the segment is present or not (when absent, `params.param` is simply unset).
+- `[...name]` → a catch-all; the rest of the path lands in `params.name`.
+- `layout.tsx` in any directory wraps every route under it (layouts nest: `root → blog/layout → blog/[id]`).
+- `(group)/` → a **route group**: the folder organizes files and contributes its `layout.tsx`, but adds **no** URL segment. Use it to give a set of routes a shared layout without a shared path prefix.
+- Match priority per segment: **static > dynamic > optional > catch-all**.
+No registration step — the file IS the route.
+---
+## 5. Route module API
+Every file in `app/routes/` (and `root.tsx`/`layout.tsx`) may export any combination of these. Import the arg types from the package.
+```tsx
+import type { LoaderArgs, ActionArgs, MetaArgs, HeadersArgs } from "@bractjs/bractjs";
+import { redirect, json, HttpError } from "@bractjs/bractjs";
+// 1) loader — runs on every GET. Return value → useLoaderData().
+//    `search` is the validated output of searchSchema (below), or the raw
+//    string record when the route has no schema.
+export async function loader({ request, params, context, search }: LoaderArgs) {
+  const post = await db.post.findById(params.id);
+  if (!post) throw new HttpError(404, "Not found"); // → 404 page
+  return { post };
+}
+export type LoaderData = Awaited<ReturnType<typeof loader>>;
+// 2) action — runs on POST / PUT / DELETE / PATCH. For one route handling
+//    several buttons, compose it from `defineActions` (§5a) instead of a
+//    hand-rolled `intent` switch.
+export async function action({ request, params, context, formData }: ActionArgs) {
+  await db.post.update(params.id, { title: formData.get("title") as string });
+  return redirect("/blog");
+}
+// 3) meta — SSR <title> / <meta>. Receives this route's loaderData slice.
+export function meta({ loaderData, params }: MetaArgs<LoaderData>) {
+  return [
+    { title: loaderData.post.title },
+    { name: "description", content: loaderData.post.excerpt },
+    { property: "og:title", content: loaderData.post.title },
+  ];
+}
+// 4) beforeLoad — auth/redirect gate. Runs BEFORE loaders, on full-page GET
+//    AND the /_data soft-nav endpoint. Return a Response to short-circuit.
+export function beforeLoad({ context, params, location }) {
+  if (!context.user) {
+    return redirect(`/login?next=${encodeURIComponent(location.pathname)}`);
+  }
+}
+// 5) ErrorBoundary — renders when this segment's loader/component throws.
+export function ErrorBoundary({ error }: { error: unknown }) {
+  return <p>Something broke: {error instanceof Error ? error.message : String(error)}</p>;
+}
+// 6) searchSchema — validate/coerce search params BEFORE loaders run (Zod,
+//    Valibot, or anything with parse/safeParse). Failure → 400; use
+//    .catch()/.default() per field for URLs that must tolerate junk.
+//    Loaders receive the OUTPUT via `search`; the client reads it with
+//    useSearch() — numbers stay numbers. (Typed end-to-end after codegen, §18.)
+export const searchSchema = z.object({
+  page: z.coerce.number().int().positive().catch(1),
+  q: z.string().optional(),
+});
+// 7) shouldRevalidate — veto automatic data refetches (the SWR background
+//    refetch, and the revalidation after <Form>/fetcher mutations).
+export function shouldRevalidate({ currentUrl, nextUrl, formMethod, defaultShouldRevalidate }) {
+  if (formMethod === "DELETE") return true;     // always refetch after deletes
+  return defaultShouldRevalidate;
+}
+// 8) ssr + Fallback — selective SSR (see also §21 for app-wide SPA mode):
+//    true (default)  full document SSR
+//    "data-only"     loaders run on the server; component renders client-only
+//    false           loader + component skipped during document SSR; the
+//                    client fetches /_data after hydration.
+//    beforeLoad ALWAYS runs on the server — ssr:false is not an auth bypass.
+export const ssr = "data-only";
+export function Fallback() {
+  return <p>Loading dashboard…</p>;             // SSR'd in the component's place
+}
+// 9) headers — set response headers (Cache-Control / ETag / Vary / CDN hints)
+//    for this route's document AND /_data responses. Runs root → layout →
+//    route; innermost wins per key, and you receive the merged parentHeaders.
+export function headers({ loaderData, parentHeaders }: HeadersArgs<LoaderData>) {
+  return { "Cache-Control": "public, max-age=300, s-maxage=3600" };
+}
+// 10) middleware — nested, server-side. Runs root → layout → route BEFORE
+//     beforeLoad/action/loaders, with a shared mutable `context`. Return a
+//     Response to short-circuit (a cleaner per-route alternative to beforeLoad,
+//     and to a single global pipeline). Protects the document and /_data.
+export const middleware = [
+  async (ctx, next) => {
+    if (!ctx.context.user) return redirect("/login");
+    ctx.context.startedAt = Date.now();         // visible to loaders
+    return next();
+  },
+];
+// 11) clientLoader / clientAction — RR7-style browser-side data. clientLoader
+//     runs on navigation and its result becomes useLoaderData(); call
+//     serverLoader() for this route's server data. Set clientLoader.hydrate =
+//     true to also run on the first hydration of an SSR'd document.
+export async function clientLoader({ serverLoader }) {
+  const server = await serverLoader();          // the normal /_data route slice
+  return { ...server, fetchedAt: Date.now() };
+}
+// clientLoader.hydrate = true;                  // opt into running on hydration
+export async function clientAction({ formData, serverAction }) {
+  // optimistic local work, then defer to the server action:
+  return serverAction();
+}
+// 12) default — the page component (required for a renderable route).
+export default function BlogPost() {
+  const { post } = useLoaderData<LoaderData>();
+  return <article><h1>{post.title}</h1></article>;
+}
+```
+**Execution order for a request:**
+```
+global pipeline → searchSchema → route middleware (root → layout → route) → beforeLoad → (action, if mutating method) → loaders (root + layouts + route, in parallel) → render
+```
+- **Route middleware** wraps everything after search validation: it runs in chain order with a shared `context`, can short-circuit with a `Response`, and (being outermost-first) can also post-process the final response. It runs inside the app-wide `pipeline` (§14).
+- **Loaders run concurrently** (root, every layout, and the route loader all in one `Promise.all`).
+- A loader that throws an `HttpError`/redirect `Response` is intentional control flow. Any *other* thrown error is caught, sanitized (generic message in production, full message+stack only when `NODE_ENV=development`), and rendered via the nearest `ErrorBoundary`.
+> **Security:** put auth checks in `beforeLoad` (per route) or middleware (cross-cutting) — never in a component. `/_data` (used by `<Link>` soft-nav) runs `beforeLoad` and the loader, so a component-only check would still leak loader JSON. See §14.
+### Less boilerplate
+**Infer loader data — `useLoaderData<typeof loader>()`.** Pass the loader function type and the data type is inferred from its return (no `LoaderData` alias to maintain). The `Response` redirect branch is excluded; `Deferred` fields (from `defer()`, §8) are preserved for `<Await>`. Same for `useActionData<typeof action>()`.
+```tsx
+export async function loader() { return { post: await db.post.find() }; }
+export default function Post() {
+  const { post } = useLoaderData<typeof loader>();   // typed — no hand-written type
+}
+```
+**Type search params on the args — `LoaderArgs<T>`.** Parameterize to drop the cast (the schema's output type):
+```tsx
+export async function loader({ search }: LoaderArgs<{ page: number }>) {
+  return db.posts({ page: search.page });            // search.page is a number
+}
+// After codegen (§18), `LoaderArgsFor<"/posts">` types params + context + search from the route.
+```
+### `defineActions` — multi-button forms without an `intent` switch
+A route action that handles several buttons usually devolves into `if (intent === …)`. `defineActions` composes it from one handler per intent, and `<Form intent="…">` (§10) renders the matching hidden input. An unknown/missing intent returns a 400 automatically (dev lists the known intents).
+```tsx
+import { defineActions, safeValidate, formText } from "@bractjs/bractjs";
+export const action = defineActions({
+  add:    async ({ formData }) => {
+    const r = await safeValidate(TitleSchema, formData);   // §13
+    if (!r.ok) return { error: r.firstError };
+    addTodo(r.data.title); return {};
+  },
+  toggle: ({ formData }) => { toggleTodo(formText(formData, "id")); return {}; },
+  delete: ({ formData }) => { deleteTodo(formText(formData, "id")); return {}; },
+});
+```
+```tsx
+<Form method="post" intent="toggle"><input type="hidden" name="id" value={id} /><button>Toggle</button></Form>
+```
+---
+## 6. Response helpers
+Imported from `@bractjs/bractjs`.
+```ts
+import { json, redirect, error, HttpError, isRedirect, isHttpError } from "@bractjs/bractjs";
+```
+### `json(data, init?)`
+Serialize a value as `application/json`.
+```ts
+return json({ ok: true }, { status: 201 });
+```
+### `redirect(url, status?, headers?, options?)`
+Throw or return a redirect. **Open-redirect safe by default** — rejects `//evil.com`, `/\evil`, `https://…`, `javascript:` unless you pass `{ allowExternal: true }`.
+```ts
+return redirect("/dashboard");                                   // 302
+return redirect("/login", 303);                                  // custom status
+return redirect("/x", 302, { "Set-Cookie": cookie });            // with headers
+return redirect("https://other.com", 302, undefined, { allowExternal: true });
+```
+### `error(message, status?)`
+Convenience JSON error: `{ "error": message }` with the given status (default 500).
+```ts
+return error("Bad Request", 400);
+```
+### `HttpError` & `BractJSError`
+Throw a typed HTTP error from a loader/action. The framework converts it to a response with that status (and a default status text if you omit the message).
+```ts
+throw new HttpError(403);                 // → 403 Forbidden
+throw new HttpError(404, "No such post"); // → 404 with custom message
+```
+`isRedirect(value)` / `isHttpError(value)` / `isBractJSError(value)` are type guards if you handle errors manually.
+---
+## 7. Per-route context: `defineContext`
+A route can compute request-scoped data once and share it with all its loaders/actions via the `context` argument. Middleware can also populate `context` (§14) — `defineContext` is the per-route version.
+```ts
+// app/routes/dashboard.tsx
+import { defineContext } from "@bractjs/bractjs";
+import { getUser } from "../auth.server.ts";
+export const context = defineContext(async ({ request, params }) => ({
+  user: await getUser(request),
+}));
+export function beforeLoad({ context }) {
+  if (!context.user) return redirect("/login");
+}
+export async function loader({ context }) {
+  return { name: context.user.name };
+}
+```
+The factory runs before `beforeLoad` and its result is merged into `context` for `beforeLoad`, `loader`, and `action` on that route.
+---
+## 8. Streaming data
+Stream slow data without blocking the initial HTML.
+```ts
+import { defer, Deferred, isDeferred } from "@bractjs/bractjs";
+import { Await } from "@bractjs/bractjs";
+import { Suspense } from "react";
+```
+### `defer(data)`
+Wraps each `Promise` field in a `Deferred`; non-promise fields pass through. Awaited fields are in the initial HTML; promises stream after.
+```tsx
+export async function loader({ params }: LoaderArgs) {
+  return defer({
+    post: await db.post.findById(params.id),  // awaited → initial HTML
+    comments: db.comments.forPost(params.id), // Promise → streamed
+  });
+}
+export default function BlogPost() {
+  // useLoaderData<typeof loader>() infers the shape — `comments` stays a
+  // Deferred<Comment[]>, which <Await> accepts directly.
+  const { post, comments } = useLoaderData<typeof loader>();
+  return (
+    <article>
+      <h1>{post.title}</h1>
+      <Await resolve={comments} fallback={<p>Loading comments…</p>}>
+        {(c) => <CommentList comments={c} />}
+      </Await>
+    </article>
+  );
+}
+```
+### `<Await resolve={promise | Deferred} fallback={…}>{(data) => …}</Await>`
+Unwraps a promise (or a `Deferred` field from a `defer()` loader) with React 19's `use()` inside its own `<Suspense>`. `isDeferred(value)` and the `Deferred` class are exported if you need to detect/construct deferred values manually.
+---
+## 9. Client hooks
+All hooks are SSR-safe (they return sensible values during SSR) and imported from `@bractjs/bractjs`.
+### `useLoaderData<T>()` → `T`
+The current route's loader return value. **Pass the loader function type** to infer it (`Response` branch excluded, `Deferred` fields preserved) — no hand-written type to keep in sync. An explicit object type still works.
+```ts
+const { post } = useLoaderData<typeof loader>();   // inferred from loader()
+const { post } = useLoaderData<LoaderData>();       // or an explicit type
+```
+### `useActionData<T>()` → `T | null`
+The most recent action return value (null until an action runs). Like `useLoaderData`, accepts the action function type.
+```ts
+const result = useActionData<typeof action>();
+```
+### `useParams<T>()` → `T`
+URL dynamic params. Pass the **route pattern** as a generic to type the result against your codegen'd routes (see §18); an object shape also works.
+```ts
+const { id } = useParams<"/blog/:id">();        // { id: string } — typed from routes
+const { id } = useParams<{ id: string }>();     // or a hand-written shape
+```
+> The pattern is supplied by the caller because the framework can't infer the active route at the type level (React Router's `useParams` works the same way).
+### `useMatches()` → `RouteMatch[]`
+The matched route chain, **outermost → innermost** (root, layouts, then the leaf route). Each entry is `{ id, pathname, params, data, handle }`, where `handle` is that module's static `handle` export. Ideal for breadcrumbs and conditional chrome without threading props through every layout. SSR-safe; updates on soft navigation and revalidation.
+```tsx
+// routes/blog/[id].tsx
+export const handle = { breadcrumb: "Post" };
+// a layout
+const crumbs = useMatches()
+  .filter((m) => m.handle?.breadcrumb)
+  .map((m) => m.handle!.breadcrumb as string);
+```
+> `handle` travels in the SSR bootstrap and the `/_data` payload, so it must be JSON-serializable (same constraint as loader data).
+### `useLocation()` → `{ pathname, search, hash, state, key }`
+The current location — reactive on the client, request-derived during SSR (`hash` is always `""` there). `key` is the history entry's identity (what scroll restoration uses); `state` is whatever you passed via `navigate(to, { state })`.
+```ts
+const location = useLocation();
+const isActive = location.pathname.startsWith("/blog");
+```
+### `useNavigation()` → `{ state }`
+`"idle" | "loading" | "submitting"`. Form/`submit()` mutations walk `"submitting"` → `"loading"` (revalidation) → `"idle"`.
+```ts
+const { state } = useNavigation();
+if (state === "loading") return <Spinner />;
+```
+### `useNavigate()` → `(to, { params?, search?, replace?, state? }) => Promise<void>`
+Imperative soft navigation — the counterpart to `<Link>`. `to` autocompletes your routes (after codegen, §18); `params` and `search` are typed per route; any string is still accepted.
+```ts
+const navigate = useNavigate();
+await navigate("/blog/:id", { params: { id: "42" } });     // typed
+await navigate("/posts", { search: { page: 2 } });          // typed search → /posts?page=2
+await navigate("/login", { replace: true });                // replaceState, no history entry
+await navigate("/wizard/2", { state: { from: "step1" } });  // read via useLocation().state
+```
+### `useRevalidator()` → `{ revalidate, state }`
+Manually re-run the current route's loaders — for "Refresh" buttons, polling, or after out-of-band changes (e.g. a WebSocket event). Respects the route's `shouldRevalidate`. `state` is `"idle" | "loading"` and tracks only revalidation (navigations are `useNavigation()`).
+```ts
+const { revalidate, state } = useRevalidator();
+<button onClick={() => void revalidate()} disabled={state === "loading"}>Refresh</button>
+```
+### `useSearch()` / `useSetSearch()` — typed, validated search params
+`useSearch` returns the route's **validated** search object (the `searchSchema` output — numbers are numbers, defaults applied). Validation runs once on the server; the client never re-runs the schema. `useSetSearch` merges a patch, writes the URL, and soft-navigates so loaders re-run. Set a key to `undefined` to delete it.
+```ts
+const search = useSearch<"/posts">();              // { page: number; q?: string }
+const setSearch = useSetSearch<"/posts">();
+setSearch({ page: search.page + 1 });              // patch → /posts?page=2&q=…
+setSearch((prev) => ({ q: undefined }), { replace: true });  // delete + replaceState
+```
+### `useSearchParams<T>()` → `{ searchParams, getParam, setSearchParams }`
+The low-level escape hatch: raw string `URLSearchParams` read/write; writing triggers a soft-nav loader re-run. Prefer `useSearch`/`useSetSearch` (above) when the route has a `searchSchema`.
+```ts
+const { searchParams, getParam, setSearchParams } = useSearchParams<"/blog/:id">();
+const q = getParam("q");                        // string | null
+setSearchParams({ q: "bun" });                  // replace all params
+setSearchParams((prev) => { prev.set("page", "2"); return prev; }); // update
+```
+### `useFetcher({ key? })` → `{ data, state, formData, formMethod, load, submit, Form, key }`
+Background fetch/mutation without navigating. After a `submit`, the active route's loaders revalidate automatically (gated by `shouldRevalidate`). `formData`/`formMethod` are set from the moment `submit` is called — render them for **optimistic UI**. A `key` gives the fetcher a stable identity shared across components and surviving remounts; unkeyed fetchers are component-bound.
+```ts
+const fetcher = useFetcher({ key: `delete-${id}` });
+await fetcher.load("/products?q=bun");                       // GET loader data
+await fetcher.submit("/cart", { method: "post", body: { id: "1" } });
+const optimisticTitle = fetcher.formData?.get("title");      // while submitting
+<fetcher.Form method="post" action="/cart">…</fetcher.Form>  {/* scoped form, no navigation */}
+```
+### `useFetchers()` → `FetcherEntry[]`
+Every active fetcher — the cross-component view for optimistic UI (e.g. dim each table row whose keyed delete fetcher is in flight elsewhere in the tree).
+```ts
+const deleting = new Set(
+  useFetchers()
+    .filter((f) => f.state === "submitting" && f.key.startsWith("delete-"))
+    .map((f) => f.key.slice("delete-".length)),
+);
+```
+### `useFetcher<T>({ stream: true })` → `{ connect }`
+Consume an async-generator server action as an SSE stream.
+```ts
+const { connect } = useFetcher<string>({ stream: true });
+for await (const chunk of connect(actionId)) { /* … */ }
+```
+### `useBlocker(shouldBlock)`
+Prompt before leaving when there are unsaved changes (intercepts back/forward and `<Link>` navigations).
+```ts
+useBlocker(() => formIsDirty);
+```
+### `useToast()` → `toast` and `useToasts()` → `ToastEntry[]`
+Flash status feedback ("Saved", "Delete completed", …) from anywhere. `useToast()` returns the stable `toast` API; you can also import `toast` directly to fire from non-React code (event handlers, fetcher callbacks). Render a single [`<Toaster />`](#10-client-components) in `root.tsx`. `useToasts()` exposes the live queue if you want to build a custom renderer.
+```ts
+import { toast, useToast } from "@bractjs/bractjs";
+toast.success("Saved successfully");
+toast.error("Delete failed", { description: "Try again." });
+toast.info("Heads up");           // also: .warning, .loading
+toast.dismiss(id);                // or toast.dismiss() to clear all
+// Wrap an async action: loading → success / error
+await toast.promise(savePost(data), {
+  loading: "Saving…",
+  success: "Saved successfully",
+  error: (e) => `Save failed: ${e}`,
+});
+// Optional action button (e.g. undo) + custom auto-dismiss
+toast.success("Delete completed", {
+  duration: 6000,                 // ms; Infinity/0 = sticky
+  action: { label: "Undo", onClick: () => restore(id) },
+});
+```
+### `useLocale(defaultLocale?)` → `string` and `useLocalizedLink(defaultLocale?)` → `(path) => string`
+For i18n prefix routing (§19).
+```ts
+const locale = useLocale("en");                 // reads params.locale
+const localized = useLocalizedLink("en");
+<Link to={localized("/about")} />               // → /en/about
+```
+---
+## 10. Client components
+### `<Outlet />`
+Renders the matched child route inside a layout (or the route tree inside `root.tsx`).
+```tsx
+export default function BlogLayout() {
+  return <div><nav>Blog</nav><Outlet /></div>;
+}
+```
+### `<Link to params? search? prefetch? replace? viewTransition?>`
+Soft-navigates without a full reload. After codegen (§18), `to` autocompletes your routes; for a dynamic route pass typed `params`, and `search` is typed by the target's `searchSchema`. Building the URL yourself still works, so existing links need no changes.
+```tsx
+<Link to="/blog/:id" params={{ id: "42" }}>Read</Link>  {/* typed route + params */}
+<Link to={`/blog/${id}`}>Read</Link>                    {/* built string — also fine */}
+<Link to="/posts" search={{ page: 2 }}>Page 2</Link>    {/* typed search params */}
+<Link to="/about" prefetch="intent">About</Link>        {/* preload on hover/focus intent */}
+<Link to="/gallery" viewTransition>Gallery</Link>       {/* use View Transitions API */}
+```
+Modifier-clicks (ctrl/cmd/shift/alt) fall back to native browser navigation.
+**Prefetch modes** — prefetching warms the route chunk (`modulepreload`) *and* the loader cache, so the click commits instantly (prefetched data stays fresh ≥ 30s; concurrent data prefetches are capped at 6 so long lists can't stampede the server):
+| mode | when |
+|---|---|
+| `"none"` (default) | never |
+| `"intent"` | hover **or focus**, after a 100 ms delay (canceled on fly-by) — best default |
+| `"hover"` | immediately on mouseenter (legacy alias) |
+| `"viewport"` | when the link scrolls into view (one shared IntersectionObserver) — for lists |
+| `"render"` | as soon as the link mounts |
+### `<ScrollRestoration getKey? storageKey?>`
+Restores the window scroll position on back/forward (and reload), scrolls to top — or to the `#hash` element — on new navigations. Render it **once** in `app/root.tsx`, next to `<Scripts />`. Positions persist in `sessionStorage`. Pass `getKey={(location) => location.pathname}` to share one position across every visit to the same path.
+```tsx
+<body>
+  <Outlet />
+  <ScrollRestoration />
+  <Scripts />
+</body>
+```
+### `<Form method action?>`
+Fetch-based submission that re-runs the current route's loader after the action.
+```tsx
+<Form method="post">
+  <input name="title" />
+  <button type="submit">Create</button>
+</Form>
+<Form method="post" action="/blog/new">…</Form>
+```
+Submits as `multipart/form-data` with the `X-BractJS-Action` header (CSRF gate). If the action returns a redirect, the form follows it.
+### `<Scripts />` and `<LiveReload />`
+Markers used inside `root.tsx` (§3). `<Scripts />` is where the client bundle + bootstrap data go; `<LiveReload />` is the dev-only HMR client.
+### `<Image />`
+Responsive, format-converted images via the built-in `/_image` endpoint — see §20.
+### `<Toaster position? gap? renderToast?>`
+Renders the toast queue fired by [`toast` / `useToast()`](#9-client-hooks). Mount it **once** in `app/root.tsx`, next to `<Scripts />`. Self-contained inline styles (no CSS import, CSP-safe — no injected `<style>`/nonce).
+```tsx
+<body>
+  <Outlet />
+  <Toaster position="top-right" />   {/* top|bottom + left|center|right */}
+  <Scripts />
+</body>
+```
+Style hooks: target `[data-bract-toaster]` / `[data-bract-toast="success|error|…"]` with your own CSS, or pass `renderToast={(t, dismiss) => <YourCard …/>}` to fully replace the card.
+---
+## 11. Server Actions & Client Components
+### `"use server"` — Server Actions
+Mark a file's exports as server actions by making `"use server"` the first line. On the **client**, imports become `fetch("/_action?id=<hash>")` proxies; on the **server**, the real function runs. Action IDs are `SHA-256(appDir-relative-path + "#" + name)`.
+```ts
+// app/actions.ts
+"use server";
+export async function createPost(formData: FormData) {
+  const title = formData.get("title") as string;
+  await db.insert(posts).values({ title });
+  return { ok: true };
+}
+export async function deletePost(id: string) {
+  await db.delete(posts).where(eq(posts.id, id));
+}
+```
+```tsx
+// app/routes/new.tsx — import as normal; the client bundle gets a fetch proxy
+import { createPost } from "../actions.ts";
+export default function NewPost() {
+  return (
+    <form action={createPost}>
+      <input name="title" />
+      <button type="submit">Create</button>
+    </form>
+  );
+}
+```
+- Accepts a single `FormData` (sent as `multipart/form-data`) **or** a JSON-serializable argument array.
+- Unknown action IDs return 404 — only functions registered at startup are callable.
+- Bodies are size-capped (1 MiB JSON) and prototype-pollution scanned.
+**Streaming server actions** (async generators) are consumed with `useFetcher({ stream: true })` (§9) over `/_stream`. The endpoint requires the `X-BractJS-Action` header (set automatically by the client).
+### `"use client"` — Client-Only Components
+Mark a component browser-only. During server builds the module is stubbed to `null` to prevent `window`/`document`/`localStorage` crashes during SSR.
+```tsx
+// app/components/Counter.tsx
+"use client";
+import { useState } from "react";
+export function Counter() {
+  const [n, setN] = useState(0);
+  return <button onClick={() => setN(n + 1)}>Count: {n}</button>;
+}
+```
+---
+## 12. Typed API routes
+Define type-safe JSON endpoints under `/api/*` with `route`, and call them with a fully-typed `createClient`.
+### Define routes with `route(method, path, handler)`
+```ts
+// app/api/users.ts
+import { route } from "@bractjs/bractjs";
+import { db } from "../db.server.ts";
+export const listUsers = route("GET", "/api/users", async () => {
+  return db.users.findAll();
+});
+export const createUser = route("POST", "/api/users", async (input: { name: string }) => {
+  return db.users.create(input);
+});
+// Public, credential-free endpoint (e.g. a webhook): opt out of CSRF.
+export const webhook = route("POST", "/api/webhook", handleWebhook, { csrf: false });
+```
+- `GET`/`DELETE`: no body parsed. `POST`/`PUT`/`PATCH`: JSON or form body parsed into `input`.
+- Bodies are capped at 1 MiB. JSON bodies carrying prototype-pollution keys (`__proto__`/`constructor`/`prototype`) are rejected (400). Errors return a generic 500 in production (full message in dev).
+- Handlers also receive the raw `Request` as the 2nd arg.
+- `:param` segments match any non-empty value; **read and validate params from `request.url` yourself** (they aren't injected into `input`).
+- **CSRF — on by default for mutating methods** (`POST`/`PUT`/`PATCH`/`DELETE`): the request must prove same-origin (via `Sec-Fetch-Site`, the `X-BractJS-Action` header `createClient` sends automatically, or a matching `Origin`), exactly like server actions. Cross-site requests get `403`. Pass `{ csrf: false }` **only** for endpoints that don't trust ambient credentials (session cookies / Basic auth) and are meant to be called cross-site (webhooks, token-authenticated or public APIs).
+- Global `pipeline` middleware (`cors`, `csp`, `authGuard`, custom) applies to `/api` responses too — see §14.
+### Call them with `createClient<AppApiRoutes>()`
+```ts
+import { createClient } from "@bractjs/bractjs";
+import type { AppApiRoutes } from "@bractjs/bractjs"; // union of your route defs
+const client = createClient<AppApiRoutes>();          // optional baseUrl arg
+const users = await client["/api/users"].GET();        // typed output
+await client["/api/users"].POST({ name: "Alice" });    // typed input
+```
+The proxy builds `METHOD path` from the property chain. Non-2xx responses throw an `Error` with `.status` and `.response` attached.
+---
+## 13. Input validation: `validate`
+Validate `FormData` or a plain object against any **Zod- or Valibot-compatible** schema (anything with `.safeParse()` or `.parse()`).
+```ts
+import { validate } from "@bractjs/bractjs";
+import { z } from "zod";
+const Schema = z.object({ title: z.string().min(1), tags: z.array(z.string()) });
+export async function action({ formData }: ActionArgs) {
+  // Throws a 400 Response with { errors: { field: [msgs] } } on failure.
+  const data = await validate(Schema, formData);
+  await db.post.create(data); // data is fully typed + coerced
+}
+```
+- Repeated `FormData` keys become arrays automatically.
+- On failure it throws a `Response.json({ errors }, { status: 400 })`. The exported `ValidationError` type and `FieldErrors` shape describe the structure.
+### `safeValidate` — validate without try/catch (recommended for inline form errors)
+Returns a result instead of throwing — the clean idiom when you want to render field errors rather than a 400 page. `firstError` is the first field message.
+```ts
+import { safeValidate } from "@bractjs/bractjs";
+export const action = defineActions({
+  create: async ({ formData }) => {
+    const r = await safeValidate(Schema, formData);
+    if (!r.ok) return { error: r.firstError, fieldErrors: r.fieldErrors };
+    await db.post.create(r.data);   // r.data is typed + coerced
+    return redirect("/blog");
+  },
+});
+```
+If you prefer to keep calling `validate()` and catching: `isValidationResponse(err)` narrows the thrown 400, and `readValidationError(res)` parses it into `{ fieldErrors, firstError }`.
+### FormData helpers
+`formText(formData, key)` returns a string (`""` for missing or File values) — no more `String(formData.get(k) ?? "")`. `formValues(formData, keys?)` collects string fields into an object (all, or a named subset).
+---
+## 14. Middleware
+The module-level `pipeline` singleton wraps the **entire** request — every response flows through it, including typed `/api` routes, server actions (`/_action`, `/_stream`), the image endpoint (`/_image`), static assets, and SSR documents. So `cors()`, `csp()`, `authGuard()`, a rate limiter, or your own logging applies uniformly, not just to page renders. Each middleware gets `(ctx, next)` and returns a `Response`; `ctx.context` is threaded into every loader/action and into nested route middleware.
+```ts
+import { pipeline, requestLogger, cors, authGuard, csp } from "@bractjs/bractjs";
+import type { MiddlewareFn } from "@bractjs/bractjs";
+pipeline
+  .use(requestLogger())
+  .use(cors({ origin: "https://myapp.com" }))
+  .use(csp())
+  .use(authGuard({ session }));
+```
+### Built-in middleware
+| Middleware | What it does |
+|---|---|
+| `requestLogger()` | Logs `[METHOD] /path → status in Xms`. Never logs the query string or headers (token-leak safe). |
+| `cors(options)` | Sets CORS headers, handles `OPTIONS` preflight (204), always sets `Vary: Origin`, refuses `credentials:true` + `origin:"*"`. |
+| `authGuard(options)` | Reads the session, sets `ctx.context.user`; with `required:true` returns 401 when unauthenticated. |
+| `csp(options?)` | Opt-in nonce-based Content-Security-Policy (see below). |
+**`cors(options)`** — `{ origin: string | string[]; methods?: string[]; credentials?: boolean }`:
+```ts
+pipeline.use(cors({ origin: ["https://a.com", "https://b.com"], credentials: true }));
+```
+**`authGuard(options)`** — `{ session: SessionStorageLike; required?: boolean }`:
+```ts
+pipeline.use(authGuard({ session, required: true })); // 401 if no session.user
+```
+**`csp(options?)`** — generates a per-request nonce, applies it to the scripts BractJS injects (via `renderToReadableStream`'s `nonce`), and sets the CSP header:
+```ts
+pipeline.use(csp({
+  directives: { "img-src": "'self' data: https://cdn.example", "frame-ancestors": "'none'" },
+  reportOnly: false, // true → Content-Security-Policy-Report-Only
+  strict: false,     // true → drop 'unsafe-inline' from style-src (see below)
+}));
+```
+Read the nonce inside a component/middleware with `getCspNonce(context)` (key: `CSP_NONCE_KEY`) to nonce your own inline scripts.
+`script-src` is always nonce-based (`'nonce-…' 'strict-dynamic'`), so injected `<script>` cannot execute. Note that with `'strict-dynamic'`, supporting browsers **ignore** the `'self'`/host expressions in `script-src` — trust flows solely through the nonce and the scripts it loads (the `'self'` is kept only as a fallback for older browsers). The default policy also sets `form-action 'self'` (a `<form>` can only submit same-origin), `base-uri 'self'`, `frame-ancestors 'self'`, and `object-src 'none'`. The default `style-src` allows `'unsafe-inline'` for ergonomics (React inline styles, CSS-in-JS); this leaves inline-style injection possible. Pass `strict: true` (or override `style-src` with a nonce/hash) if your app serves all styles from same-origin stylesheets.
+### Custom middleware
+```ts
+import type { MiddlewareFn } from "@bractjs/bractjs";
+const trace: MiddlewareFn = async (ctx, next) => {
+  ctx.context.requestId = crypto.randomUUID();
+  const res = await next();
+  res.headers.set("X-Request-Id", ctx.context.requestId as string);
+  return res;
+};
+pipeline.use(trace);
+```
+You can also construct an isolated `new MiddlewarePipeline()` and `.run(ctx, handler)` it yourself (used internally and in tests).
+### Nested route middleware
+The global `pipeline` is app-wide. For middleware scoped to a branch of the route tree, export `middleware` from a route, `layout.tsx`, or `root.tsx` — a single function or an array. It runs **inside** the global pipeline, in chain order (root → layout → route), before `beforeLoad`/action/loaders, sharing the same mutable `context`. Return a `Response` to short-circuit; because the chain is outermost-first, an ancestor can also post-process the response.
+```ts
+// routes/admin/layout.tsx — gates every /admin/* route
+import type { RouteMiddlewareFunction } from "@bractjs/bractjs";
+import { redirect } from "@bractjs/bractjs";
+const requireAdmin: RouteMiddlewareFunction = async (ctx, next) => {
+  if (!(ctx.context.user as { admin?: boolean } | undefined)?.admin) {
+    return redirect("/login");
+  }
+  return next();                 // continue to child layouts/route + loaders
+};
+export const middleware = [requireAdmin];
+```
+It protects the **document and the `/_data` soft-nav endpoint** alike, so it's a safe place for auth — same guarantee as `beforeLoad`. Prefer route middleware over `beforeLoad` when you want composition (multiple concerns, shared across a folder) or response post-processing; `beforeLoad` remains the lighter single-gate option.
+---
+## 15. Sessions
+Signed, tamper-proof cookie sessions (HMAC-SHA256, constant-time verify, secret rotation).
+```ts
+import { createCookieSession } from "@bractjs/bractjs";
+const session = createCookieSession({
+  name: "__session",
+  secrets: [Bun.env.SESSION_SECRET!], // first signs; all verify (rotate by prepending)
+  maxAge: 60 * 60 * 24 * 7,           // seconds; 1 week
+  secure: true,                        // false only for local HTTP dev
+  sameSite: "Lax",                     // "Strict" | "Lax" | "None"
+});
+```
+Read in a loader, write in an action:
+```ts
+export async function loader({ request }: LoaderArgs) {
+  const s = await session.getSession(request.headers.get("Cookie"));
+  return { user: s.get("user") };
+}
+export async function action({ request }: ActionArgs) {
+  const s = await session.getSession(request.headers.get("Cookie"));
+  s.set("user", { id: 1, name: "Alice" }); // also: s.get, s.has, s.delete
+  return redirect("/dashboard", {
+    headers: { "Set-Cookie": await session.commitSession(s) }, // opt: { maxAge }
+  });
+}
+```
+- Each secret must be ≥16 chars; `secrets` must be non-empty (throws otherwise).
+- Tampered cookies are silently rejected → empty session.
+- Generate a secret: `openssl rand -base64 32`.
+---
+## 16. Lifecycle hooks: `defineLifecycle`
+Run code on server start, shutdown, and unexpected errors. Shutdown fires on **any** exit signal (`SIGTERM`, `SIGINT`, `SIGUSR2`, `beforeExit`, uncaught exceptions).
+```ts
+// app/lifecycle.ts
+import { defineLifecycle } from "@bractjs/bractjs";
+import { db } from "./db.server.ts";
+export default defineLifecycle({
+  async onStart()   { await db.connect();    },
+  async onShutdown(){ await db.disconnect(); },
+  onError(err, request) {
+    Sentry.captureException(err, { extra: { url: request?.url } });
+  },
+});
+```
+| Hook | When |
+|------|------|
+| `onStart` | Once, after the server starts listening. |
+| `onShutdown` | Before exit — any signal, programmatic `stop()`, or uncaught exception. |
+| `onError` | Every unexpected error (loader/action throws, uncaught exceptions). Redirects and `HttpError`s are intentional control flow and are **not** reported. `request` is `undefined` for process-level exceptions. |
+- **Dev** picks up `app/lifecycle.ts` automatically.
+- **Production**: spread into `createServer()`:
+  ```ts
+  import { createServer } from "@bractjs/bractjs";
+  import lifecycle from "./app/lifecycle.ts";
+  createServer({ port: 3000, ...lifecycle });
+  ```
+`createServer()` returns `{ stop }`. `stop()` runs `onShutdown` and closes the listener but does **not** call `process.exit()` (good for tests/supervisors). Signals do exit.
+---
+## 17. Environment variables
+| Convention | Behavior |
+|---|---|
+| `*.server.ts` / `*.server.tsx` | **Stubbed out of the client bundle.** Import it freely from a route's `loader`/`action`; every export is replaced by an inert stub in the browser build, so the real source (DB drivers, secrets, `bun:sqlite`) never ships. The stub throws if you accidentally call it on the client. |
+| Keys listed in `clientEnv` | Replaced with string literals in the client bundle. |
+| Any other `process.env.*` | Becomes the literal `"undefined"` in the client bundle. |
+```ts
+// db.server.ts — never reaches the browser
+import { Database } from "bun:sqlite";
+export const db = new Database(Bun.env.DATABASE_URL!);
+```
+```ts
+// app/routes/posts.tsx — import the server module inside the loader
+import { db } from "../db.server.ts"; // stubbed in the client bundle
+export async function loader() {
+  return { posts: db.query("SELECT * FROM posts").all() };
+}
+```
+> BractJS ships the whole route module — `loader` and `action` included — to the client, so a server import is reachable from the client graph. The `serverModuleStubPlugin` (applied automatically by `bractjs dev`/`build`) replaces every `*.server.ts` export with a throwing stub: the import resolves, the loader/action are dead code on the client, and **zero** server source is emitted. The stricter, hard-failing `serverOnlyPlugin` is still exported if you'd rather a server import be a build error.
+```ts
+// bractjs.config.ts
+export default { clientEnv: ["PUBLIC_API_URL"] };
+```
+```ts
+// in a client component — only allow-listed keys survive
+fetch(`${process.env.PUBLIC_API_URL}/items`);
+```
+On the server, read env via `Bun.env.*` directly.
+---
+## 18. Typed routes
+Generate type-safe routing from your route files — one command wires `<Link>`, `useNavigate`, `useParams`, and `useSearchParams` to your actual routes.
+```sh
+bractjs codegen                       # ./app → ./app/route-types.gen.ts
+bractjs codegen ./app ./app/types.ts  # explicit paths
+```
+**You rarely run this by hand.** `bractjs new` generates it on scaffold, `bractjs dev` regenerates it on boot and whenever you add/remove/rename a route file, and `bractjs build` runs it too. The output is deterministic (route-sorted) and carries a `// bractjs:routes <hash>` fingerprint, so re-runs that change nothing don't rewrite the file (no editor reload loops); on boot the dev server prints precisely what drifted. Make sure the generated file is part of your TypeScript program (it is, if your `tsconfig.json` `include`s `app/`). It augments BractJS's `Register` interface, after which the runtime components and hooks become type-safe — **no per-route imports needed**:
+```tsx
+<Link to="/blog/:id" params={{ id }} />     // ✅ "/blog/:id" autocompletes; params typed
+<Link to="/blgo/:id" params={{ id }} />     // ❌ typo'd route — compile error
+<Link to="/blog/:id" params={{ x: id }} />  // ❌ wrong param key — compile error
+const navigate = useNavigate();
+navigate("/blog/:id", { params: { id } });  // ✅ same typing as <Link>
+const { id } = useParams<"/blog/:id">();     // id: string
+```
+Building the URL yourself (`<Link to={`/blog/${id}`}>`) still type-checks, so adopting codegen never breaks existing links.
+The generated file also exports types/helpers for typed loaders and explicit URL building:
+```ts
+import type { TypedLoaderArgs } from "../route-types.gen.ts";
+import { routes } from "../route-types.gen.ts";
+export async function loader({ params }: TypedLoaderArgs<"/blog/:id">) {
+  return db.post.findById(params.id);          // params.id: string
+}
+routes["/blog/:id"]({ id: "123" });            // → "/blog/123"  (typo'd routes won't compile)
+```
+**Type a route's search params or context** by augmenting the package interfaces — `SearchParams<T>` / `Context<T>` and `useSearchParams<T>()` pick it up:
+```ts
+declare module "@bractjs/bractjs" {
+  interface RouteSearchParamsMap { "/blog": { page: string; sort: string } }
+  interface RouteContextMap { "/admin": { user: { id: string; role: "admin" } } }
+}
+```
+You can also call `writeRouteTypes(appDir, outPath?)` / `generateRouteTypes(appDir)` programmatically.
+> **Heads up:** earlier versions documented `useParams<RouteParams<"/blog/:id">>()` and untyped `<Link to={string}>`. The route-literal form (`useParams<"/blog/:id">()`) and typed `<Link>`/`useNavigate` are the current API; the old forms still compile.
+---
+## 19. Internationalization utilities
+BractJS exports **utilities** for locale-prefixed routing. These are helpers you wire up yourself (there is no fully-automatic locale router yet) plus the `useLocale` / `useLocalizedLink` client hooks (§9).
+```ts
+import { wrapRoutesWithLocale, stripLocale, localizedDataPath } from "@bractjs/bractjs";
+import type { I18nConfig } from "@bractjs/bractjs";
+const i18n: I18nConfig = { locales: ["en", "fr"], defaultLocale: "en" };
+// Add /:locale-prefixed variants alongside the originals.
+const localized = wrapRoutesWithLocale(routeFiles, i18n);
+// Split a locale off a pathname.
+const { locale, strippedPathname } = stripLocale("/fr/about", i18n.locales);
+// → { locale: "fr", strippedPathname: "/about" }
+// Build a locale-aware data path.
+localizedDataPath("/about", "fr"); // → "/fr/about"
+```
+On the client, read the active locale and build localized links:
+```tsx
+const locale = useLocale("en");
+const to = useLocalizedLink("en");
+<Link to={to("/about")} />; // → /en/about
+```
+---
+## 20. Image optimization
+`<Image>` serves responsive, format-converted images through the built-in `/_image` endpoint. Requires [ImageMagick](https://imagemagick.org) (`magick` or `convert`) — without it, originals are served as-is.
+```tsx
+import { Image } from "@bractjs/bractjs";
+<Image src="/public/hero.jpg" alt="Hero" width={1200} height={600} />
+{/* above-the-fold: eager + fetchpriority=high */}
+<Image src="/public/hero.jpg" alt="Hero" width={1200} priority />
+<Image
+  src="/public/photo.jpg" alt="Photo" width={800}
+  format="avif" quality={70} fit="contain"
+  sizes="(max-width: 640px) 100vw, 50vw"
+/>
+```
+| Prop | Type | Default | Notes |
+|------|------|---------|-------|
+| `src` | `string` | — | Path under `/public/` (required) |
+| `alt` | `string` | — | Required |
+| `width` / `height` | `number` | — | Intrinsic size |
+| `quality` | `number` | `80` | 1–100 |
+| `format` | `"webp" \| "avif" \| "jpeg" \| "png"` | `"webp"` | `ImageFormat` |
+| `fit` | `"cover" \| "contain" \| "fill"` | `"cover"` | `ImageFit` |
+| `priority` | `boolean` | `false` | Disable lazy load, set `fetchpriority=high` |
+| `sizes` | `string` | `"100vw"` | HTML `sizes` |
+Generates a `srcset` across breakpoints (320→1920px). Optimized images are cached in memory (LRU, 200 slots) and on disk (`.bract-image-cache/`, survives restarts), both served `Cache-Control: immutable`. The endpoint validates widths against an allowlist, caps total pixel area, limits concurrency, and kills runaway transforms (DoS hardening).
+`ImageProps`, `ImageFormat`, and `ImageFit` are exported types.
+---
+## 21. Build & run
+### CLI
+| Command | Description |
+|---------|-------------|
+| `bractjs new <name>` | Scaffold a new app into `<name>/`. |
+| `bractjs dev` | Dev server with HMR (port 3000, HMR ws 3001). |
+| `bractjs build` | Dual server + client build with content-hashed output. |
+| `bractjs start` | Serve the production build. |
+| `bractjs codegen [app] [out]` | Generate `route-types.gen.ts`. |
+| `bractjs codegen:registry [app]` | Generate `app/_generated/{routes,actions}.ts`. |
+| `bractjs codegen:manifest [app] [build]` | Snapshot manifest → `app/_generated/manifest.ts`. |
+| `bractjs compile [outfile] [entry]` | Full single-binary pipeline. |
+The CLI is a thin wrapper — every command delegates to a public function, so you can script the same thing.
+### Programmatic API
+**`createDevServer(options?)`** — dev server with HMR.
+```ts
+import { createDevServer } from "@bractjs/bractjs";
+const dev = await createDevServer({
+  port: 3000,            // default: config.port ?? 3000
+  hmrPort: 3001,         // HMR websocket
+  config: { appDir: "./app", clientEnv: ["PUBLIC_API_URL"] },
+  skipUserConfig: false, // true → don't read bractjs.config.ts
+});
+dev.stop();
+```
+**`runBuild(config?)`** — production build (accepts only build-relevant fields).
+```ts
+import { runBuild } from "@bractjs/bractjs";
+await runBuild({
+  appDir: "./app",
+  buildDir: "./build",
+  minify: true,
+  sourcemap: "external",   // "none" | "linked" | "inline" | "external"
+  clientEnv: ["PUBLIC_API_URL"],
+  plugins: [],             // extra Bun plugins
+});
+```
+**`loadUserConfig()`** — read `bractjs.config.ts` (or `.js`) from cwd, validated.
+```ts
+import { loadUserConfig } from "@bractjs/bractjs";
+const cfg = await loadUserConfig(); // {} if no file; throws on a malformed shape
+```
+**`createServer(config?)`** — production HTTP server. Returns `{ stop }`.
+```ts
+import { createServer } from "@bractjs/bractjs";
+import lifecycle from "./app/lifecycle.ts";
+const srv = createServer({ port: 3000, buildDir: "./build", ...lifecycle });
+```
+**`buildFetchHandler(config)`** — the adapter-agnostic `(Request) => Promise<Response>` core, if you want to mount BractJS inside another server.
+```ts
+import { buildFetchHandler } from "@bractjs/bractjs";
+const handler = buildFetchHandler({ appDir: "./app", manifest });
+Bun.serve({ port: 3000, fetch: handler });
+```
+`renderRoute(options)` (low-level SSR render) and the `RenderOptions`/`ServerManifest`/`BractJSConfig` types are also exported for advanced embedding.
+### Rendering modes
+Three levels of SSR control, all opt-in:
+**Per-route selective SSR** — `export const ssr = false | "data-only"` plus a `Fallback` component on any route (§5 item 8). The document SSRs the Fallback; the client swaps in the real component after hydration. `beforeLoad` always runs server-side.
+**App-wide SPA mode** — `ssr: false` in `bractjs.config.ts`:
+```ts
+// bractjs.config.ts
+export default {
+  ssr: false,   // every document GET serves one static shell
+};
+```
+SPA mode means **"no document SSR", not "no server"**: the Bun server keeps serving `/_data` (loaders), `/_action`/mutations (CSRF gate intact), `/_image`, API routes, and static assets. `bractjs build` emits the shell at `build/client/__spa.html`; in dev it renders on the fly so `root.tsx` edits show up. Constraints: the root component renders without loader data and with a `/` location, so keep location/loader-dependent markup out of `root.tsx`; route-level `meta()` only applies after hydration (no SEO for route content).
+**Build-time prerendering (SSG)** — `prerender` in `bractjs.config.ts`:
+```ts
+// bractjs.config.ts
+export default {
+  prerender: ["/", "/about", "/blog/intro"],
+  // or resolve dynamically: prerender: async () => (await db.posts()).map(p => `/blog/${p.slug}`),
+};
+```
+`bractjs build` runs the real loaders in-process (anything they need — DB, env — must be available at build time), writing each path's HTML **and** its `/_data` payload (used by client navigations *into* a prerendered page) under `build/client/_prerender/`. In production, clean URLs are served from these files before dynamic SSR; **a query string opts the request back into SSR** (the file was rendered without one). Paths must be concrete — expand `"/blog/:slug"` yourself; the build fails on patterns. `runPrerender(options)` is exported for custom pipelines.
+Deployment notes: with `bun build --compile`, ship `build/client/` (including `_prerender/`) alongside the binary — or pass it via `--asset`. On Cloudflare, upload `build/client/` as static assets so the platform serves prerendered files before the worker runs.
+---
+## 22. Single-binary deployment (`bun build --compile`)
+BractJS compiles to a single executable. Because `bun build --compile` can't trace runtime fs scans or dynamic `import(absPath)`, a codegen step materializes routes, layouts, actions, and the manifest into static imports so the binary boots with **zero filesystem reads of `appDir`**.
+### One-shot
+```sh
+bractjs compile ./myapp
+# = codegen:registry → build → codegen:manifest → bun build --compile app/server.ts
+```
+### The `app/server.ts` entry
+The scaffold includes:
+```ts
+import { createServer } from "@bractjs/bractjs";
+import { routeFiles, moduleRegistry } from "./_generated/routes.ts";
+import { actionModules } from "./_generated/actions.ts";
+import { manifest } from "./_generated/manifest.ts";
+createServer({
+  port: Number(process.env.PORT ?? 3000),
+  appDir: "./app",
+  publicDir: "./public",
+  manifest,        // no manifest read from disk
+  routeFiles,      // no Bun.Glob route scan
+  moduleRegistry,  // no dynamic import(absPath)
+  actionModules,   // no scan/import for "use server" files
+});
+```
+When all four are present, the server uses the pre-imported modules for routing, layouts, actions, and assets.
+### Manual pipeline
+```sh
+bractjs codegen:registry                          # A — scan routes/actions → static imports
+bractjs build                                     # B — client + server bundles + manifest
+bractjs codegen:manifest                          # C — embed manifest as a TS constant
+bun build --compile app/server.ts \               # D — single binary
+  --asset build/client/ --outfile ./myapp
+```
+`--asset build/client/` embeds JS/CSS into the binary (true single file); omit it to ship `myapp` + `build/client/` side by side.
+The codegen functions are exported: `writeModuleRegistries(appDir)`, `writeManifestModule(appDir, buildDir)`, and the lower-level `generateRouteRegistry` / `generateActionRegistry` / `generateManifestModule`.
+> **Contributor note — keep the binary working:** anything on the server request/startup path must avoid runtime `Bun.Glob`/computed-path `import()`, must fall back from `realpath()` to `Bun.file().exists()` for embedded assets, and must preserve every consumed export when projecting route modules. Two tests enforce this: `packages/core/src/__tests__/compile-safety.test.ts` (fast static scan) and `packages/core/src/__tests__/compile-smoke.test.ts` (compiles and boots a real binary).
+---
+## 23. Custom adapters
+The server core is adapter-agnostic. The default is `BunAdapter` (wraps `Bun.serve`); supply your own via `createServer({ adapter })`.
+```ts
+import type { BractAdapter } from "@bractjs/bractjs";
+import { BunAdapter } from "@bractjs/bractjs";
+// BractAdapter: { fetch(req): Promise<Response>; listen?(port): void }
+```
+**Cloudflare Workers:**
+```ts
+import { buildFetchHandler, makeCloudflareHandler } from "@bractjs/bractjs";
+const handler = buildFetchHandler({ appDir: "./app", manifest });
+export default makeCloudflareHandler(handler);
+// or createCloudflareAdapter(handler) for the BractAdapter-compatible form
+```
+---
+## 24. Build plugins
+If you write your own `Bun.build()` (instead of `bractjs build`), you **must** apply these or face crashes / secret leaks. All are exported.
+| Bundle | Plugin | Without it |
+|---|---|---|
+| Server | `useClientStubPlugin` | Server crashes calling browser-only hooks from `"use client"` modules. |
+| Client | `createUseServerProxyPlugin(appDir)` | Server-action bodies (DB code, secrets) ship in the browser JS. |
+| Client | `serverModuleStubPlugin` | `*.server.ts` source (DB drivers, secrets) leaks into the client bundle. |
+| Client | `clientEnvPlugin(allowedKeys, env)` | Server env vars leak into the browser bundle. |
+| Client | `cssModulesPlugin` | `*.module.css` imports don't resolve. |
+```ts
+import {
+  useClientStubPlugin, createUseServerProxyPlugin,
+  serverModuleStubPlugin, clientEnvPlugin, cssModulesPlugin,
+} from "@bractjs/bractjs";
+// Server bundle (target: "bun"):
+plugins: [useClientStubPlugin];
+// Client bundle (target: "browser"):
+plugins: [
+  serverModuleStubPlugin,
+  createUseServerProxyPlugin("./app"),               // same appDir as createServer!
+  clientEnvPlugin(["PUBLIC_API_URL"], Bun.env as Record<string, string>),
+  cssModulesPlugin,
+];
+```
+> Always pass the **same `appDir`** to `createUseServerProxyPlugin` that you pass to `createServer` — action IDs hash the appDir-relative path, so a mismatch makes every `/_action` return 404. `transformCssModule(filePath)` is exported for custom CSS pipelines; `useServerProxyPlugin` is the legacy absolute-path variant. `serverModuleStubPlugin` stubs `*.server.ts` exports so a route can import a server module inside its loader/action without leaking source; `serverOnlyPlugin` is the stricter predecessor that hard-fails such imports instead (still exported for opt-in use).
+---
+## 25. Configuration reference
+All fields optional. Wrap the default export in `defineConfig()` for autocomplete + type-checking (it's a no-op identity helper), or pass these to `createServer` / `createDevServer` / `runBuild`.
+```ts
+import { defineConfig } from "@bractjs/bractjs";
+export default defineConfig({ port: 3000, clientEnv: ["PUBLIC_API_URL"] });
+```
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `port` | `number` | `3000` | TCP port |
+| `hmrPort` | `number` | `3001` | Dev HMR WebSocket port (`bractjs dev` only) |
+| `appDir` | `string` | `"./app"` | Contains `routes/` and `root.tsx` |
+| `publicDir` | `string` | `"./public"` | Static assets (served no-cache) |
+| `buildDir` | `string` | `"./build"` | Build output |
+| `imageCacheDir` | `string` | `".bract-image-cache"` | Optimized-image disk cache |
+| `maxRequestBodySize` | `number` | `16777216` (16 MiB) | Hard ceiling on any request body, enforced by the Bun adapter (§27) |
+| `sourcemap` | `string` | `"external"` | `"none" \| "linked" \| "inline" \| "external"` |
+| `minify` | `boolean` | `true` | Minify client bundles |
+| `clientEnv` | `string[]` | `[]` | `process.env` keys exposed to the client |
+| `plugins` | `BunPlugin[]` | `[]` | Extra client-build plugins |
+| `adapter` | `BractAdapter` | `BunAdapter` | Custom server adapter |
+| `i18n` | `I18nConfig` | — | Locale config consumed by the i18n utilities |
+| `ssr` | `boolean` | `true` | `false` → SPA mode: static shell for every document GET (§21) |
+| `prerender` | `string[] \| () => paths` | — | Paths to prerender at build time (§21) |
+| `onStart` / `onShutdown` / `onError` | hooks | — | Lifecycle (§16) |
+`loadUserConfig()` validates these shapes and throws a clear error on an obvious mistake (e.g. a string `port`).
+---
+## 26. Full export index
+Everything importable from `@bractjs/bractjs` ([packages/core/src/index.ts](packages/core/src/index.ts)):
+**Server / runtime:** `createServer`, `buildFetchHandler`, `renderRoute`, `redirect`, `json`, `error`, `defineContext`, `route`, `validate`, `safeValidate`, `isValidationResponse`, `readValidationError`, `validateSearch`, `searchParamsToObject`, `hasForbiddenKey`, `nullProtoFromEntries`, `formText`, `formValues`, `defineActions`, `BunAdapter`, `defineLifecycle`, `renderSpaShell`
+**Errors:** `BractJSError`, `HttpError`, `isRedirect`, `isHttpError`, `isBractJSError`
+**Streaming:** `defer`, `Deferred`, `isDeferred`, `Await`
+**Context:** `BractJSContext`, `BractJSProvider`, `useBractJSContext`
+**Middleware:** `pipeline`, `MiddlewarePipeline`, `runRouteMiddleware`, `collectRouteMiddleware`, `requestLogger`, `cors`, `authGuard`, `csp`, `getCspNonce`, `CSP_NONCE_KEY`
+**Sessions:** `createCookieSession`
+**Components:** `Outlet`, `Link`, `Form`, `Scripts`, `LiveReload`, `Await`, `Image`, `ScrollRestoration`, `Toaster`
+**Hooks:** `useLoaderData`, `useActionData`, `useLocation`, `useParams`, `useMatches`, `useNavigation`, `useNavigate`, `useFetcher`, `useFetchers`, `useRevalidator`, `useSearch`, `useSetSearch`, `useSearchParams`, `useBlocker`, `useToast`, `useToasts`, `useLocale`, `useLocalizedLink`
+**Toasts:** `toast`, `toastStore`
+**Search serialization:** `serializeSearch`
+**i18n:** `wrapRoutesWithLocale`, `stripLocale`, `localizedDataPath`
+**Client RPC:** `createClient`
+**Build / programmatic:** `createDevServer`, `runBuild`, `loadUserConfig`, `defineConfig`, `runPrerender`
+**Codegen:** `writeModuleRegistries`, `writeManifestModule`, `generateRouteRegistry`, `generateActionRegistry`, `generateManifestModule`
+**Build plugins:** `useClientStubPlugin`, `createUseServerProxyPlugin`, `useServerProxyPlugin`, `serverModuleStubPlugin`, `serverOnlyPlugin`, `clientEnvPlugin`, `cssModulesPlugin`, `transformCssModule`
+**Adapters:** `createCloudflareAdapter`, `makeCloudflareHandler`
+**Types:** `LoaderArgs`, `ActionArgs`, `MetaArgs`, `MetaDescriptor`, `LoaderFunction`, `ActionFunction`, `MetaFunction`, `RouteModule`, `RouteDefinition`, `RouteFile`, `Segment`, `RouterLocation`, `ShouldRevalidateArgs`, `ShouldRevalidateFunction`, `BractJSConfig`, `RenderOptions`, `ServerManifest`, `ContextFactory`, `ApiRouteDefinition`, `ApiRouteOptions`, `AppApiRoutes`, `FieldErrors`, `ValidationError`, `BractAdapter`, `LifecycleHooks`, `MiddlewareFn`, `MiddlewareContext`, `CorsOptions`, `AuthGuardOptions`, `CspOptions`, `SessionStorageLike`, `SessionLike`, `Session`, `SessionStorage`, `SessionData`, `CookieSessionOptions`, `CommitOptions`, `ImageProps`, `ImageFormat`, `ImageFit`, `SearchParamsResult`, `SetSearchFn`, `SetSearchOptions`, `SearchOutputFor`, `InferSchemaOutput`, `LoaderData`, `ActionData`, `SafeValidateResult`, `FetcherResult`, `FetcherEntry`, `FetcherState`, `FetcherFormProps`, `UseFetcherOptions`, `Revalidator`, `ScrollRestorationProps`, `ToasterProps`, `ToastPosition`, `Toast`, `ToastEntry`, `ToastOptions`, `ToastType`, `ToastAction`, `PrerenderOptions`, `PrerenderResult`, `I18nConfig`, `DevServerOptions`, `DevServer`, `BuildConfig`, `CodegenResult`, `ModuleRegistry`, `BractJSContextValue`, `RouteManifest`
+---
+## 27. Security model
+BractJS ships secure defaults, but a few behaviors are worth understanding so you don't accidentally widen your attack surface.
+- **What `"use server"` publishes.** Every exported **function** of a `"use server"` module becomes an unauthenticated RPC endpoint reachable via `POST /_action` and `GET /_stream`. In files under `routes/`, framework exports (`loader`, `action`, `default`, `meta`, `beforeLoad`, `context`, `ErrorBoundary`, `Fallback`, `config`, `searchSchema`, `ssr`) are **not** registered as actions — but any *other* exported function is. Treat each exported action as a public endpoint: **do your own authorization inside the function body** (read the session, check the user). The CSRF gate only proves the call is same-origin; it does not authenticate the user.
+- **`/_stream` calls actions with no arguments.** A streaming action invoked over `GET /_stream` receives no caller input. It must be safe to call with none and must authorize itself.
+- **Typed `/api` routes are CSRF-protected by default.** Mutating routes (`POST`/`PUT`/`PATCH`/`DELETE`) require a same-origin proof just like server actions; cross-site requests get `403`. Opt out with `route(..., { csrf: false })` **only** for endpoints that don't trust ambient credentials (webhooks, token-authenticated/public APIs). As with actions, the CSRF gate is not authentication — authorize inside the handler.
+- **Global middleware covers every endpoint.** Anything attached to `pipeline.use(...)` — `cors()`, `csp()`, `authGuard()`, a rate limiter, custom logging — runs for typed `/api` routes, `/_action`, `/_stream`, `/_image`, static assets, and SSR documents alike. (This was previously SSR-only; a cross-cutting guard you register globally now actually applies to your API surface.)
+- **CORS + credentials.** Listing an origin in `cors({ origin: [...], credentials: true })` fully trusts that origin for credentialed cross-origin reads. Only list origins you control. `credentials:true` with `origin:"*"` is refused at setup. **Never add `X-BractJS-Action` to `Access-Control-Allow-Headers`** — it is part of the CSRF gate; the built-in `cors()` deliberately omits it. If you write your own CORS layer and expose that header cross-origin, you defeat CSRF on both actions and `/api`; add a cryptographic double-submit token if you must. The header-based gate also assumes browsers send `Sec-Fetch-Site` — behind a proxy that strips it, rely on same-origin `Origin` (which `cors()` does not weaken).
+- **Error messages.** In production, loader/action/api errors are surfaced to the client as a generic message; the real message + stack appear only in dev (`NODE_ENV=development`). For user-facing structured errors throw an `HttpError` (its message *is* shown) — never put secrets in a raw `Error.message`.
+- **CSP `style-src`.** The opt-in `csp()` middleware nonces all scripts, but its default `style-src` includes `'unsafe-inline'` for ergonomics. Pass `csp({ strict: true })` (or override `style-src` with a nonce/hash) if you want to block inline-style injection.
+- **Request body size.** Beyond the per-handler caps (1 MiB JSON for actions/api, 10 MiB route forms), the Bun adapter enforces a hard `maxRequestBodySize` ceiling (default 16 MiB) so no path can stream an unbounded body into memory. Raise it via the `maxRequestBodySize` config for a dedicated large-upload endpoint.
+- **Already handled for you:** path traversal + symlink escape on `/public` and `/_image`, open-redirect neutralization (`redirect()` requires `{ allowExternal: true }` to go off-origin), XSS-safe SSR data island (`safeStringify`), prototype-pollution rejection on action **and** `/api` JSON bodies plus null-prototype objects for form/search inputs, request body-size caps + global backstop, signed/constant-time-verified cookie sessions, CSP defaults (`script-src` nonce + `strict-dynamic`, `form-action`/`base-uri`/`frame-ancestors` `'self'`, `object-src 'none'`), and CSRF via layered `Sec-Fetch-Site` + custom-header + `Origin` checks across actions, `/_stream`, route mutations, and `/api`.
+---
+## Changelog
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+---
+## Why BractJS
+- **Bun-native** — `Bun.serve`, `Bun.build`, `Bun.file`, `Bun.Glob`, `Bun.watch`. No Node.js.
+- **Zero framework deps** — only peers are `react` and `react-dom`.
+- **Streaming SSR** — `renderToReadableStream()` with `defer()` and `<Await>`.
+- **File-based routing** — drop a file in `app/routes/`.
+- **Full-stack** — loaders, actions, sessions, server actions, typed API routes, middleware.
+- **Typed routes** — codegen wires `<Link>`, `useNavigate`, and `useParams` to your routes (autocompleted paths, typed params), plus a type-safe URL builder.
+- **Single-binary** — `bun build --compile` to one executable.
+## License
+MIT