@cfbender/cesium 0.5.1 → 0.6.0

package/src/server/http.ts

@@ -1,15 +1,25 @@
 // Bun HTTP server bound to 127.0.0.1 (default), serving the cesium state directory.
+//
+// Routing is owned by a Hono app exposed on the returned ServerHandle. Callers
+// (e.g. lifecycle.ts) mount sub-apps for /api/* and /favicon.ico via
+// `handle.app.route("/", subApp)`. Any path that does not match a registered
+// route falls through to the static file handler installed here via
+// `app.notFound` — this preserves the cesium-specific behavior (custom 404 page,
+// 1MB streaming threshold, MIME table) without forcing callers to think about
+// registration order.
 
 import { resolve, extname } from "node:path";
 import { readFile } from "node:fs/promises";
+import { Hono } from "hono";
 
 export interface ServerHandle {
   port: number;
   url: string; // "http://127.0.0.1:<port>"
+  /** Hono app — register routes via `handle.app.route(...)` before requests arrive. */
+  app: Hono;
   stop(): Promise<void>;
-  onRequest(handler: () => void): void; // for idle-tracking; lifecycle attaches a callback
-  /** Register a pre-static handler. Returns a Response to short-circuit, or undefined to fall through. */
-  addHandler(handler: (req: Request) => Promise<Response | undefined>): void;
+  /** Register an idle-tracker callback fired on every request. */
+  onRequest(handler: () => void): void;
 }
 
 export interface StartServerArgs {
@@ -57,119 +67,106 @@ const FORBIDDEN_HTML = `<!doctype html>
 <body><div class="box"><h1>403</h1><p>forbidden</p></div></body>
 </html>`;
 
+const ONE_MB = 1024 * 1024;
+
 function mimeFor(filePath: string): string {
   const ext = extname(filePath).toLowerCase();
   return MIME_TYPES[ext] ?? "application/octet-stream";
 }
 
+function htmlResponse(body: string, status: number): Response {
+  return new Response(body, {
+    status,
+    headers: { "Content-Type": "text/html; charset=utf-8" },
+  });
+}
+
+// Static file handler: resolves the request path under stateDir, enforces
+// traversal containment, falls back to index.html for directories, streams
+// files >= 1MB, and returns the cesium 404 page on miss.
+async function serveStatic(req: Request, stateDirResolved: string): Promise<Response> {
+  if (req.method !== "GET") {
+    return new Response("Method Not Allowed", { status: 405 });
+  }
+
+  const url = new URL(req.url);
+  let reqPath: string;
+  try {
+    reqPath = decodeURIComponent(url.pathname);
+  } catch {
+    return htmlResponse(NOT_FOUND_HTML, 404);
+  }
+
+  const joined = resolve(stateDirResolved, "." + reqPath);
+
+  // Path traversal defense: resolved path must be rooted at stateDir
+  if (!joined.startsWith(stateDirResolved + "/") && joined !== stateDirResolved) {
+    return htmlResponse(FORBIDDEN_HTML, 403);
+  }
+
+  const filePath = joined;
+  const trailingSlash = reqPath.endsWith("/");
+  const indexPath = filePath.endsWith("/") ? filePath + "index.html" : filePath + "/index.html";
+
+  let fileToServe = filePath;
+  let isDir = false;
+  if (trailingSlash || extname(filePath) === "") {
+    isDir = true;
+    fileToServe = filePath.endsWith("/") ? filePath + "index.html" : filePath + "/index.html";
+  }
+
+  const bunFile = Bun.file(fileToServe);
+  let exists = await bunFile.exists();
+
+  if (!exists && !isDir) {
+    // Try as directory index (e.g. /sub → /sub/index.html)
+    fileToServe = indexPath;
+    exists = await Bun.file(fileToServe).exists();
+    if (!exists) return htmlResponse(NOT_FOUND_HTML, 404);
+  } else if (!exists) {
+    return htmlResponse(NOT_FOUND_HTML, 404);
+  }
+
+  const contentType = mimeFor(fileToServe);
+  const finalFile = Bun.file(fileToServe);
+  const size = finalFile.size;
+
+  // Large files: stream; small files: read fully.
+  if (size >= ONE_MB) {
+    return new Response(finalFile.stream(), {
+      status: 200,
+      headers: { "Content-Type": contentType },
+    });
+  }
+
+  const buf = await readFile(fileToServe);
+  return new Response(buf, { status: 200, headers: { "Content-Type": contentType } });
+}
+
 export async function startServer(args: StartServerArgs): Promise<ServerHandle> {
   const { stateDir, port, hostname = "127.0.0.1" } = args;
   const stateDirResolved = resolve(stateDir);
   const requestHandlers: Array<() => void> = [];
-  const preHandlers: Array<(req: Request) => Promise<Response | undefined>> = [];
+
+  const app = new Hono();
+
+  // Idle-tracker middleware: fires registered callbacks on every request before
+  // dispatching to routes. Used by lifecycle.ts to reset the idle-shutdown timer.
+  app.use("*", async (_c, next) => {
+    for (const h of requestHandlers) {
+      h();
+    }
+    await next();
+  });
+
+  // Anything that doesn't match a registered route falls through to static
+  // file serving rooted at stateDir.
+  app.notFound((c) => serveStatic(c.req.raw, stateDirResolved));
 
   const server = Bun.serve({
     hostname,
     port,
-    async fetch(req) {
-      // Notify idle tracker
-      for (const h of requestHandlers) {
-        h();
-      }
-
-      // Run pre-static handlers (e.g. API routes) before serving static files
-      for (const handler of preHandlers) {
-        const result = await handler(req);
-        if (result !== undefined) {
-          return result;
-        }
-      }
-
-      if (req.method !== "GET") {
-        return new Response("Method Not Allowed", { status: 405 });
-      }
-
-      const url = new URL(req.url);
-      // Decode and normalize the request path
-      let reqPath: string;
-      try {
-        reqPath = decodeURIComponent(url.pathname);
-      } catch {
-        return new Response(NOT_FOUND_HTML, {
-          status: 404,
-          headers: { "Content-Type": "text/html; charset=utf-8" },
-        });
-      }
-
-      // Resolve the absolute path under stateDir
-      // Use resolve with stateDir as root to prevent traversal
-      const joined = resolve(stateDirResolved, "." + reqPath);
-
-      // Path traversal defense: resolved path must be rooted at stateDir
-      if (!joined.startsWith(stateDirResolved + "/") && joined !== stateDirResolved) {
-        return new Response(FORBIDDEN_HTML, {
-          status: 403,
-          headers: { "Content-Type": "text/html; charset=utf-8" },
-        });
-      }
-
-      // Determine final file path: if directory, try index.html
-      let filePath = joined;
-      const trailingSlash = reqPath.endsWith("/");
-
-      // Check if it's a directory by trying index.html
-      const indexPath = filePath.endsWith("/") ? filePath + "index.html" : filePath + "/index.html";
-
-      // Try as-is first, then as directory index
-      let fileToServe = filePath;
-      let isDir = false;
-
-      // If path has no extension or trailing slash, it might be a directory
-      if (trailingSlash || extname(filePath) === "") {
-        isDir = true;
-        fileToServe = filePath.endsWith("/") ? filePath + "index.html" : filePath + "/index.html";
-      }
-
-      const bunFile = Bun.file(fileToServe);
-      let exists = await bunFile.exists();
-
-      if (!exists && !isDir) {
-        // Try as directory index (e.g. /sub → /sub/index.html)
-        fileToServe = indexPath;
-        const bunFileIdx = Bun.file(fileToServe);
-        exists = await bunFileIdx.exists();
-        if (!exists) {
-          return new Response(NOT_FOUND_HTML, {
-            status: 404,
-            headers: { "Content-Type": "text/html; charset=utf-8" },
-          });
-        }
-      } else if (!exists) {
-        return new Response(NOT_FOUND_HTML, {
-          status: 404,
-          headers: { "Content-Type": "text/html; charset=utf-8" },
-        });
-      }
-
-      const contentType = mimeFor(fileToServe);
-      const finalFile = Bun.file(fileToServe);
-      const size = finalFile.size;
-
-      // Large files (>= 1MB): stream; small files: read fully
-      const ONE_MB = 1024 * 1024;
-      if (size >= ONE_MB) {
-        return new Response(finalFile.stream(), {
-          status: 200,
-          headers: { "Content-Type": contentType },
-        });
-      }
-
-      const buf = await readFile(fileToServe);
-      return new Response(buf, {
-        status: 200,
-        headers: { "Content-Type": contentType },
-      });
-    },
+    fetch: app.fetch,
   });
 
   const actualPort = server.port;
@@ -182,14 +179,12 @@ export async function startServer(args: StartServerArgs): Promise<ServerHandle>
   return {
     port: actualPort,
     url: serverUrl,
+    app,
     stop: async () => {
       await server.stop();
     },
     onRequest: (handler: () => void) => {
       requestHandlers.push(handler);
     },
-    addHandler: (handler: (req: Request) => Promise<Response | undefined>) => {
-      preHandlers.push(handler);
-    },
   };
 }

package/src/server/lifecycle.ts

@@ -8,8 +8,8 @@ import { dirname } from "node:path";
 import { spawn } from "node:child_process";
 import { startServer, type ServerHandle } from "./http.ts";
 import { acquireLock } from "../storage/lock.ts";
-import { createApiHandler } from "./api.ts";
-import { createFaviconHandler } from "./favicon.ts";
+import { createApiApp } from "./api.ts";
+import { createFaviconApp } from "./favicon.ts";
 import { ensureThemeCss } from "../storage/assets.ts";
 import { defaultTheme, type ThemeTokens } from "../render/theme.ts";
 
@@ -279,11 +279,11 @@ export async function runServerForeground(cfg: LifecycleConfig): Promise<Running
     // Materialize theme.css before serving — self-heals on plugin upgrade
     await ensureThemeCss(stateDir, theme);
 
-    // Wire API handler before static file fallback
-    handle.addHandler(createApiHandler({ stateDir }));
+    // Mount API routes; unmatched paths fall through to the static handler
+    handle.app.route("/", createApiApp({ stateDir }));
     // /favicon.ico shim — browsers auto-request this even when the page
     // declares an SVG favicon. Serve the SVG bytes inline so we don't 404.
-    handle.addHandler(createFaviconHandler());
+    handle.app.route("/", createFaviconApp());
 
     const startedAt = new Date().toISOString();
 
@@ -379,7 +379,11 @@ export async function ensureServerRunning(cfg: LifecycleConfig): Promise<Running
 
   // Use a spawn-only lock to prevent concurrent spawns. Release it immediately
   // after spawning so the child can acquire its own (.server-start.lock) lock.
-  const spawnLock = await acquireLock({ lockPath: spawnLockPath, timeoutMs: 15_000, staleMs: 30_000 });
+  const spawnLock = await acquireLock({
+    lockPath: spawnLockPath,
+    timeoutMs: 15_000,
+    staleMs: 30_000,
+  });
   try {
     // Re-check after acquiring lock
     const existingAfterLock = readPidFile(pidFilePath);
@@ -448,11 +452,13 @@ export async function ensureServerRunning(cfg: LifecycleConfig): Promise<Running
   while (Date.now() < deadline) {
     const waitMs = POLL_SCHEDULE[scheduleIdx] ?? 1000;
     scheduleIdx = Math.min(scheduleIdx + 1, POLL_SCHEDULE.length - 1);
+    // eslint-disable-next-line no-await-in-loop -- poll-with-backoff requires sequential sleeps
     await sleep(waitMs);
 
     const pidContent = readPidFile(pidFilePath);
     if (pidContent !== null && isAlive(pidContent.pid)) {
       const probeUrl = `http://${pidContent.hostname}:${pidContent.port}/`;
+      // eslint-disable-next-line no-await-in-loop -- probe runs per-iteration after sleep; cannot parallelize
       const alive = await httpProbe(probeUrl);
       if (alive) {
         return {

package/src/storage/assets.ts

@@ -1,14 +1,9 @@
 // Materializes /theme.css in the state directory, atomically and idempotently.
 
 import { createHash } from "node:crypto";
-import { join } from "node:path";
-import {
-  frameworkRulesCss,
-  themeTokensCss,
-  defaultTheme,
-  type ThemeTokens,
-} from "../render/theme.ts";
+import { defaultTheme, type ThemeTokens } from "../render/theme.ts";
 import { atomicWrite } from "./write.ts";
+import { buildThemeCss, themeCssPath } from "./theme-write.ts";
 import { readFile } from "node:fs/promises";
 
 /** Per-theme CSS cache: built CSS string keyed by theme content hash. */
@@ -19,19 +14,22 @@ function themeKey(theme: ThemeTokens): string {
   return createHash("sha256").update(JSON.stringify(theme)).digest("hex");
 }
 
-/** Build the full theme.css string for a given theme (tokens + framework rules). */
+/** Build the full theme.css string for a given theme (tokens + framework rules).
+ *  Delegates to buildThemeCss so cesium-theme-apply and ensureThemeCss agree on
+ *  byte-exact output. Caches by theme identity to avoid re-string-concat on the
+ *  hot publish path. */
 function buildCss(theme: ThemeTokens): string {
   const key = themeKey(theme);
   const cached = cssCache.get(key);
   if (cached !== undefined) return cached;
-  const css = themeTokensCss(theme) + "\n" + frameworkRulesCss();
+  const css = buildThemeCss(theme);
   cssCache.set(key, css);
   return css;
 }
 
 /** Returns the absolute path to theme.css in stateDir. */
 export function themeCssAssetPath(stateDir: string): string {
-  return join(stateDir, "theme.css");
+  return themeCssPath(stateDir);
 }
 
 /**

package/src/storage/index-gen.ts

@@ -236,9 +236,8 @@ function indexJs(): string {
 function renderEntryCard(entry: IndexEntry): string {
   const isSuperseded = entry.supersededBy !== null ? "1" : "0";
   const kindPill = `<span class="pill">${esc(entry.kind)}</span>`;
-  const inputModeBadge = entry.inputMode !== undefined
-    ? ` <span class="tag">${esc(entry.inputMode)}</span>`
-    : "";
+  const inputModeBadge =
+    entry.inputMode !== undefined ? ` <span class="tag">${esc(entry.inputMode)}</span>` : "";
   const dateStr = `<span class="card-date">${esc(formatDate(entry.createdAt))}</span>`;
   const supersededBadge =
     entry.supersedes !== null

package/src/storage/theme-write.ts

@@ -1,7 +1,15 @@
 // Writes theme.css to the state directory for dynamic theme support.
+//
+// Produces the same content as `assets.ts:ensureThemeCss` — tokens + framework
+// rules. The two writers were split during the v1 design (when theme.css held
+// tokens only and framework CSS was inlined into every artifact) and were never
+// re-unified after the phase 1 refactor promoted theme.css to carry the full
+// framework. Keeping them aligned is now an invariant: if they disagree,
+// `cesium theme apply` will clobber the CSS that the server / publish flow
+// just wrote, and artifacts will render unstyled.
 
 import { join } from "node:path";
-import { themeTokensCss } from "../render/theme.ts";
+import { themeTokensCss, frameworkRulesCss } from "../render/theme.ts";
 import type { ThemeTokens } from "../render/theme.ts";
 import { atomicWrite } from "./write.ts";
 
@@ -10,10 +18,16 @@ export function themeCssPath(stateDir: string): string {
   return join(stateDir, "theme.css");
 }
 
-/** Writes <stateDir>/theme.css with token definitions only (no framework rules).
+/** Returns the full theme.css content (tokens + framework rules) for a theme.
+ *  Must stay byte-identical to `assets.ts:buildCss` — see module docstring. */
+export function buildThemeCss(theme: ThemeTokens): string {
+  return themeTokensCss(theme) + "\n" + frameworkRulesCss();
+}
+
+/** Writes <stateDir>/theme.css with the full framework CSS (tokens + rules).
  *  Atomic. Returns the absolute path. */
 export async function writeThemeCss(stateDir: string, theme: ThemeTokens): Promise<string> {
   const path = themeCssPath(stateDir);
-  await atomicWrite(path, themeTokensCss(theme) + "\n");
+  await atomicWrite(path, buildThemeCss(theme));
   return path;
 }

package/src/tools/publish.ts

@@ -117,9 +117,7 @@ export function createPublishTool(
       html: tool.schema
         .string()
         .optional()
-        .describe(
-          "Body HTML — escape valve / legacy mode. Provide exactly one of html or blocks.",
-        ),
+        .describe("Body HTML — escape valve / legacy mode. Provide exactly one of html or blocks."),
       blocks: tool.schema
         .array(tool.schema.any())
         .optional()

package/src/tools/styleguide.ts

@@ -101,21 +101,17 @@ export async function generateStyleguideMarkdown(): Promise<string> {
     "- Inline: `**bold**`, `*italic*`, `` `code` ``, `[text](href)` (relative or anchor only).",
   );
   lines.push(
-    "- HTML safelist: `<kbd>`, `<span class=\"pill\">`, `<span class=\"tag\">`. Anything else is escaped.",
+    '- HTML safelist: `<kbd>`, `<span class="pill">`, `<span class="tag">`. Anything else is escaped.',
   );
   lines.push("");
   lines.push("## When to reach for raw_html / diagram");
   lines.push("");
-  lines.push(
-    "- `diagram` — inline SVG visualizations or bespoke composed HTML diagrams.",
-  );
+  lines.push("- `diagram` — inline SVG visualizations or bespoke composed HTML diagrams.");
   lines.push(
     "- `raw_html` — anything genuinely creative that doesn't fit a known block type." +
       " Include a `purpose` string describing what you're building.",
   );
-  lines.push(
-    "- Critique flags raw_html overuse (>2 blocks or >30% of body characters).",
-  );
+  lines.push("- Critique flags raw_html overuse (>2 blocks or >30% of body characters).");
 
   return lines.join("\n");
 }

package/src/tools/wait.ts

@@ -87,6 +87,7 @@ async function resolveArtifactPath(stateDir: string, id: string): Promise<string
     const indexPath = join(projectsDir, projectSlug, "index.json");
     let entries;
     try {
+      // eslint-disable-next-line no-await-in-loop -- short-circuit on first project containing the id
       entries = await loadIndex(indexPath);
     } catch {
       continue;