@ereo/server 0.2.3 → 0.2.6

package/dist/auth-enforcement.d.ts

@@ -0,0 +1,25 @@
+/**
+ * @ereo/server - Auth Config Enforcement
+ *
+ * Runtime enforcement of route-level AuthConfig.
+ * Evaluates static checks (required, roles) and custom check functions
+ * before loaders/actions execute.
+ */
+import type { AuthConfig, AuthCheckResult, AppContext } from '@ereo/core';
+/**
+ * Resolve an auth denial using the static AuthConfig fallbacks.
+ * Checks redirect → unauthorized → default 403.
+ */
+export declare function resolveAuthDenial(auth: AuthConfig, request: Request): Response;
+/**
+ * Resolve a rich AuthCheckResult denial into a Response.
+ */
+export declare function resolveCheckResult(result: AuthCheckResult & {
+    allowed: false;
+}): Response;
+/**
+ * Enforce route-level auth config before running loaders/actions.
+ * Returns a Response if access is denied, or null if access is allowed.
+ */
+export declare function enforceAuthConfig(authConfig: AuthConfig, request: Request, context: AppContext, params: Record<string, string | string[] | undefined>): Promise<Response | null>;
+//# sourceMappingURL=auth-enforcement.d.ts.map

package/dist/auth-enforcement.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-enforcement.d.ts","sourceRoot":"","sources":["../src/auth-enforcement.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE1E;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,QAAQ,CAgB9E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,eAAe,GAAG;IAAE,OAAO,EAAE,KAAK,CAAA;CAAE,GAAG,QAAQ,CAezF;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACpD,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA4B1B"}

package/dist/bun-server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bun-server.d.ts","sourceRoot":"","sources":["../src/bun-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC;AAClC,OAAO,KAAK,EAAmE,iBAAiB,EAA0C,MAAM,YAAY,CAAC;AAC7J,OAAO,EAAiC,OAAO,EAAiB,MAAM,YAAY,CAAC;AACnF,OAAO,EAAE,UAAU,EAAwD,MAAM,cAAc,CAAC;AAChG,OAAO,EAIL,IAAI,EACJ,eAAe,EAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAe,KAAK,aAAa,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAA+C,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAwD9F;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,WAAW,GAAG,QAAQ,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,0BAA0B;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,qBAAqB;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,kBAAkB;IAClB,IAAI,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,8BAA8B;IAC9B,QAAQ,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,6BAA6B;IAC7B,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7D,wBAAwB;IACxB,SAAS,CAAC,EAAE,UAAU,CAAC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IACzD,kBAAkB;IAClB,GAAG,CAAC,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,wFAAwF;IACxF,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,kCAAkC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,2FAA2F;IAC3F,KAAK,CAAC,EAAE,OAAO,GAAG;QAAE,MAAM,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,iBAAiB,CAAC;QAAC,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,QAAQ,CAAC;QAAC,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,QAAQ,CAAA;KAAE,CAAC;CACjK;AAED;;GAEG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAAgC;IAC9C,OAAO,CAAC,GAAG,CAAwB;IACnC,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,UAAU,CAAkB;IACpC,OAAO,CAAC,aAAa,CAAiE;IACtF,OAAO,CAAC,OAAO,CAAgB;gBAEnB,OAAO,GAAE,aAAkB;IAoBvC;;OAEG;IACH,OAAO,CAAC,eAAe;IAwBvB;;OAEG;IACH,MAAM,CAAC,GAAG,EAAE,OAAO,GAAG,IAAI;IAI1B;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI;IAOnC;;OAEG;IACH,GAAG,CAAC,OAAO,EAAE,iBAAiB,GAAG,IAAI;IACrC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,IAAI;IASnD;;OAEG;YACW,aAAa;IAqG3B;;OAEG;YACW,sBAAsB;IA2BpC;;OAEG;YACW,WAAW;IAuBzB;;OAEG;YACW,uBAAuB;IAoBrC;;OAEG;YACW,gBAAgB;IAkL9B;;OAEG;YACW,UAAU;IA2FxB;;;;;;;OAOG;YACW,mBAAmB;IA2FjC;;OAEG;YACW,gBAAgB;IAmC9B;;;;;;OAMG;YACW,yBAAyB;IA4EvC;;OAEG;YACW,sBAAsB;IAyCpC;;OAEG;YACW,iBAAiB;IAqC/B;;OAEG;IACH,OAAO,CAAC,eAAe;IA+BvB;;OAEG;IACH,OAAO,CAAC,SAAS;IA0BjB;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;OAEG;IACH,OAAO,CAAC,eAAe;IAcvB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IA8BxB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IA4CzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;OAEG;IACH,OAAO,CAAC,UAAU;IASlB;;OAEG;IACH,OAAO,CAAC,WAAW;IA0CnB;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAmCvC;;OAEG;IACH,IAAI,IAAI,IAAI;IAOZ;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ7B;;OAEG;IACH,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI;IAInC;;OAEG;IACH,OAAO,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAA;KAAE;CAOpE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,SAAS,CAE/D;AAED;;GAEG;AACH,wBAAsB,KAAK,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,CAIvE"}
+{"version":3,"file":"bun-server.d.ts","sourceRoot":"","sources":["../src/bun-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC;AAClC,OAAO,KAAK,EAAmE,iBAAiB,EAA0C,MAAM,YAAY,CAAC;AAC7J,OAAO,EAAiC,OAAO,EAAiB,MAAM,YAAY,CAAC;AACnF,OAAO,EAAE,UAAU,EAAwD,MAAM,cAAc,CAAC;AAChG,OAAO,EAIL,IAAI,EACJ,eAAe,EAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAe,KAAK,aAAa,EAAE,MAAM,UAAU,CAAC;AAC3D,OAAO,EAA+C,KAAK,aAAa,EAAE,MAAM,aAAa,CAAC;AAgE9F;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,WAAW,GAAG,QAAQ,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,0BAA0B;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,qBAAqB;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,kBAAkB;IAClB,IAAI,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,8BAA8B;IAC9B,QAAQ,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,6BAA6B;IAC7B,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7D,wBAAwB;IACxB,SAAS,CAAC,EAAE,UAAU,CAAC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IACzD,kBAAkB;IAClB,GAAG,CAAC,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,wFAAwF;IACxF,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B,kCAAkC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,2FAA2F;IAC3F,KAAK,CAAC,EAAE,OAAO,GAAG;QAAE,MAAM,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,iBAAiB,CAAC;QAAC,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,QAAQ,CAAC;QAAC,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,QAAQ,CAAA;KAAE,CAAC;CACjK;AAED;;GAEG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAAgC;IAC9C,OAAO,CAAC,GAAG,CAAwB;IACnC,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,UAAU,CAAkB;IACpC,OAAO,CAAC,aAAa,CAAiE;IACtF,OAAO,CAAC,OAAO,CAAgB;gBAEnB,OAAO,GAAE,aAAkB;IAoBvC;;OAEG;IACH,OAAO,CAAC,eAAe;IAwBvB;;OAEG;IACH,MAAM,CAAC,GAAG,EAAE,OAAO,GAAG,IAAI;IAI1B;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI;IAOnC;;OAEG;IACH,GAAG,CAAC,OAAO,EAAE,iBAAiB,GAAG,IAAI;IACrC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,IAAI;IASnD;;OAEG;YACW,aAAa;IAqG3B;;OAEG;YACW,sBAAsB;IA2BpC;;OAEG;YACW,WAAW;IAuBzB;;OAEG;YACW,uBAAuB;IAoBrC;;OAEG;YACW,gBAAgB;IAyL9B;;OAEG;YACW,UAAU;IA2FxB;;;;;;;OAOG;YACW,mBAAmB;IAgHjC;;OAEG;YACW,gBAAgB;IAmC9B;;;;;;OAMG;YACW,yBAAyB;IAiGvC;;OAEG;YACW,sBAAsB;IAyCpC;;OAEG;YACW,iBAAiB;IAqC/B;;OAEG;IACH,OAAO,CAAC,eAAe;IA+BvB;;OAEG;IACH,OAAO,CAAC,SAAS;IA0BjB;;OAEG;IACH,OAAO,CAAC,YAAY;IASpB;;OAEG;IACH,OAAO,CAAC,eAAe;IAcvB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IA8BxB;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IA4CzB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqBzB;;OAEG;IACH,OAAO,CAAC,UAAU;IASlB;;OAEG;IACH,OAAO,CAAC,WAAW;IA0CnB;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAmCvC;;OAEG;IACH,IAAI,IAAI,IAAI;IAOZ;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ7B;;OAEG;IACH,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI;IAInC;;OAEG;IACH,OAAO,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,OAAO,CAAA;KAAE;CAOpE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,SAAS,CAE/D;AAED;;GAEG;AACH,wBAAsB,KAAK,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,SAAS,CAAC,CAIvE"}

package/dist/index.d.ts

@@ -8,8 +8,9 @@ export type { ServerOptions, ServerRenderMode } from './bun-server';
 export { MiddlewareChain, createMiddlewareChain, logger, cors, securityHeaders, compress, rateLimit, } from './middleware';
 export type { MiddlewareDefinition, CorsOptions, SecurityHeadersOptions, RateLimitOptions, } from './middleware';
 export type { MiddlewareHandler, NextFunction, Middleware, AppContext, } from '@ereo/core';
+export { enforceAuthConfig, resolveAuthDenial, resolveCheckResult, } from './auth-enforcement';
 export { serveStatic, staticMiddleware, getMimeType, } from './static';
 export type { StaticOptions } from './static';
-export { createShell, renderToStream, renderToString, createResponse, createSuspenseStream, } from './streaming';
+export { createShell, renderToStream, renderToString, createResponse, } from './streaming';
 export type { RenderOptions, ShellTemplate, RenderResult, } from './streaming';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,KAAK,GACN,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGpE,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,MAAM,EACN,IAAI,EACJ,eAAe,EACf,QAAQ,EACR,SAAS,GACV,MAAM,cAAc,CAAC;AAEtB,YAAY,EACV,oBAAoB,EACpB,WAAW,EACX,sBAAsB,EACtB,gBAAgB,GACjB,MAAM,cAAc,CAAC;AAItB,YAAY,EACV,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,UAAU,GACX,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,WAAW,GACZ,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAG9C,OAAO,EACL,WAAW,EACX,cAAc,EACd,cAAc,EACd,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB,YAAY,EACV,aAAa,EACb,aAAa,EACb,YAAY,GACb,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,SAAS,EACT,YAAY,EACZ,KAAK,GACN,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGpE,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,MAAM,EACN,IAAI,EACJ,eAAe,EACf,QAAQ,EACR,SAAS,GACV,MAAM,cAAc,CAAC;AAEtB,YAAY,EACV,oBAAoB,EACpB,WAAW,EACX,sBAAsB,EACtB,gBAAgB,GACjB,MAAM,cAAc,CAAC;AAItB,YAAY,EACV,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,UAAU,GACX,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,WAAW,EACX,gBAAgB,EAChB,WAAW,GACZ,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAG9C,OAAO,EACL,WAAW,EACX,cAAc,EACd,cAAc,EACd,cAAc,GACf,MAAM,aAAa,CAAC;AAErB,YAAY,EACV,aAAa,EACb,aAAa,EACb,YAAY,GACb,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -484,40 +484,85 @@ async function renderToStream(element, options) {
       context: options.context
     });
   }
-  if (hasDeferredData(loaderData)) {
-    loaderData = await resolveAllDeferred(loaderData);
-  }
-  const { head, tail } = createShell({ shell, scripts, styles, loaderData });
+  const hasDeferred = hasDeferredData(loaderData);
+  const { head, tail } = createShell({
+    shell,
+    scripts: [],
+    styles,
+    loaderData: hasDeferred ? null : loaderData
+  });
   return new Promise((resolve2, reject) => {
     const { PassThrough } = __require("stream");
+    const DEFERRED_TIMEOUT_MS = 1e4;
+    const RENDER_TIMEOUT_MS = 1e4;
+    const timeoutId = setTimeout(() => {
+      abort();
+    }, RENDER_TIMEOUT_MS);
     const { pipe, abort } = renderToPipeableStream(element, {
-      bootstrapScripts: scripts,
+      bootstrapModules: scripts,
       onShellReady() {
         const passThrough = new PassThrough;
-        const chunks = [];
-        chunks.push(Buffer.from(head));
-        passThrough.on("data", (chunk) => {
-          chunks.push(chunk);
-        });
-        passThrough.on("end", () => {
-          chunks.push(Buffer.from(tail));
-          const fullHtml = Buffer.concat(chunks).toString("utf-8");
-          resolve2({
-            body: fullHtml,
-            headers: new Headers({
-              "Content-Type": "text/html; charset=utf-8",
-              "Content-Length": Buffer.byteLength(fullHtml).toString()
-            }),
-            status: 200
-          });
+        const encoder = new TextEncoder;
+        const stream = new ReadableStream({
+          start(controller) {
+            controller.enqueue(encoder.encode(head));
+            passThrough.on("data", (chunk) => {
+              controller.enqueue(new Uint8Array(chunk));
+            });
+            passThrough.on("end", () => {
+              (async () => {
+                if (hasDeferred) {
+                  let resolvedData;
+                  try {
+                    resolvedData = await Promise.race([
+                      resolveAllDeferred(loaderData),
+                      new Promise((_, rejectTimeout) => setTimeout(() => rejectTimeout(new Error("Deferred data resolution timed out")), DEFERRED_TIMEOUT_MS))
+                    ]);
+                  } catch (error) {
+                    console.error("Deferred data resolution failed:", error);
+                    resolvedData = null;
+                  }
+                  const loaderScript = `<script>window.__EREO_DATA__=${serializeLoaderData(resolvedData)}</script>`;
+                  const resolvedTail = `</div>
+    ${loaderScript}
+</body>
+</html>`;
+                  controller.enqueue(encoder.encode(resolvedTail));
+                } else {
+                  controller.enqueue(encoder.encode(tail));
+                }
+                controller.close();
+              })().catch((error) => {
+                console.error("Stream finalization error:", error);
+                try {
+                  controller.error(error);
+                } catch {}
+              }).finally(() => {
+                clearTimeout(timeoutId);
+              });
+            });
+            passThrough.on("error", (error) => {
+              clearTimeout(timeoutId);
+              console.error("Stream error:", error);
+              controller.error(error);
+            });
+          },
+          cancel() {
+            clearTimeout(timeoutId);
+            passThrough.destroy();
+          }
         });
-        passThrough.on("error", (error) => {
-          console.error("Stream error:", error);
-          reject(error);
+        resolve2({
+          body: stream,
+          headers: new Headers({
+            "Content-Type": "text/html; charset=utf-8"
+          }),
+          status: 200
         });
         pipe(passThrough);
       },
       onShellError(error) {
+        clearTimeout(timeoutId);
         console.error("Shell render error:", error);
         reject(error);
       },
@@ -525,9 +570,6 @@ async function renderToStream(element, options) {
         console.error("Render error:", error);
       }
     });
-    setTimeout(() => {
-      abort();
-    }, 1e4);
   });
 }
 async function renderToString(element, options) {
@@ -562,29 +604,67 @@ function createResponse(result) {
     headers: result.headers
   });
 }
-function createSuspenseStream() {
-  const encoder = new TextEncoder;
-  let controller;
-  const stream = new ReadableStream({
-    start(c) {
-      controller = c;
-    }
-  });
-  return {
-    stream,
-    push: (chunk) => {
-      controller.enqueue(encoder.encode(chunk));
-    },
-    close: () => {
-      controller.close();
-    }
-  };
-}
 
 // src/bun-server.ts
 import { serializeLoaderData as serializeLoaderData2, hasDeferredData as hasDeferredData2, resolveAllDeferred as resolveAllDeferred2 } from "@ereo/data";
 import { createElement } from "react";
 import { OutletProvider } from "@ereo/client";
+
+// src/auth-enforcement.ts
+function resolveAuthDenial(auth, request) {
+  if (auth.redirect) {
+    const pathname = new URL(request.url).pathname;
+    const url = auth.redirect.replace("{pathname}", encodeURIComponent(pathname));
+    return new Response(null, {
+      status: 302,
+      headers: { Location: url }
+    });
+  }
+  if (auth.unauthorized) {
+    return new Response(JSON.stringify(auth.unauthorized.body), {
+      status: auth.unauthorized.status,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return new Response("Forbidden", { status: 403 });
+}
+function resolveCheckResult(result) {
+  if ("response" in result)
+    return result.response;
+  if ("redirect" in result) {
+    return new Response(null, {
+      status: 302,
+      headers: { Location: result.redirect }
+    });
+  }
+  return new Response(result.body !== undefined ? JSON.stringify(result.body) : "Forbidden", {
+    status: result.status,
+    headers: result.body !== undefined ? { "Content-Type": "application/json" } : {}
+  });
+}
+async function enforceAuthConfig(authConfig, request, context, params) {
+  const authCtx = context.get("auth");
+  if (authConfig.required && !authCtx?.isAuthenticated()) {
+    return resolveAuthDenial(authConfig, request);
+  }
+  if (authConfig.roles?.length) {
+    if (!authCtx?.isAuthenticated() || !authCtx.hasAnyRole(authConfig.roles)) {
+      return resolveAuthDenial(authConfig, request);
+    }
+  }
+  if (authConfig.check) {
+    const result = await authConfig.check({ request, context, params });
+    if (result === false) {
+      return resolveAuthDenial(authConfig, request);
+    }
+    if (result !== true && typeof result === "object" && "allowed" in result && !result.allowed) {
+      return resolveCheckResult(result);
+    }
+  }
+  return null;
+}
+
+// src/bun-server.ts
 async function getStreamingRenderer() {
   try {
     const browserServer = await import("react-dom/server.browser");
@@ -766,6 +846,12 @@ class BunServer {
   }
   async handleRouteInner(request, match, context) {
     const module = match.route.module;
+    const routeAuthConfig = match.route.config?.auth || module.config?.auth;
+    if (routeAuthConfig) {
+      const denied = await enforceAuthConfig(routeAuthConfig, request, context, match.params);
+      if (denied)
+        return denied;
+    }
     const httpMethod = request.method.toUpperCase();
     const HTTP_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"];
     if (HTTP_METHODS.includes(httpMethod)) {
@@ -938,27 +1024,31 @@ class BunServer {
     }
   }
   async renderStreamingPage(element, shell, loaderData) {
+    let timeoutId;
     try {
       const { renderToReadableStream } = await getStreamingRenderer();
       if (!renderToReadableStream) {
         return this.renderStringPage(element, shell, loaderData);
       }
       const hasDeferred = hasDeferredData2(loaderData);
-      const scripts = [this.options.clientEntry];
+      const clientEntry = this.options.clientEntry;
       const { head, tail } = createShell({
         shell,
-        scripts,
+        scripts: [],
         loaderData: hasDeferred ? null : loaderData
       });
       const encoder = new TextEncoder;
       const headBytes = encoder.encode(head);
       const tailBytes = hasDeferred ? null : encoder.encode(tail);
+      const abortController = new AbortController;
+      timeoutId = setTimeout(() => abortController.abort(), 1e4);
       const reactStream = await renderToReadableStream(element, {
+        bootstrapModules: [clientEntry],
+        signal: abortController.signal,
         onError(error) {
           console.error("Streaming render error:", error);
         }
       });
-      const clientEntry = this.options.clientEntry;
       const reader = reactStream.getReader();
       let phase = "head";
       const stream = new ReadableStream({
@@ -972,18 +1062,26 @@ class BunServer {
               const { done, value } = await reader.read();
               if (done) {
                 if (hasDeferred) {
-                  const resolved = await resolveAllDeferred2(loaderData);
-                  const loaderScript = `<script>window.__EREO_DATA__=${serializeLoaderData2(resolved)}</script>`;
-                  const scriptTag = `<script type="module" src="${clientEntry}"></script>`;
+                  let resolvedData;
+                  try {
+                    resolvedData = await Promise.race([
+                      resolveAllDeferred2(loaderData),
+                      new Promise((_, reject) => setTimeout(() => reject(new Error("Deferred data resolution timed out")), 1e4))
+                    ]);
+                  } catch (error) {
+                    console.error("Deferred data resolution failed:", error);
+                    resolvedData = null;
+                  }
+                  const loaderScript = `<script>window.__EREO_DATA__=${serializeLoaderData2(resolvedData)}</script>`;
                   const resolvedTail = `</div>
     ${loaderScript}
-    ${scriptTag}
 </body>
 </html>`;
                   controller.enqueue(encoder.encode(resolvedTail));
                 } else {
                   controller.enqueue(tailBytes);
                 }
+                clearTimeout(timeoutId);
                 controller.close();
                 phase = "done";
               } else {
@@ -995,6 +1093,7 @@ class BunServer {
         },
         cancel() {
           reader.cancel();
+          clearTimeout(timeoutId);
         }
       });
       return new Response(stream, {
@@ -1004,6 +1103,7 @@ class BunServer {
         }
       });
     } catch (error) {
+      clearTimeout(timeoutId);
       console.error("Streaming render failed:", error);
       return this.renderStringPage(element, shell, loaderData);
     }
@@ -1031,20 +1131,25 @@ class BunServer {
     }
   }
   async renderStreamingPageDirect(element, loaderData) {
+    let timeoutId;
     try {
       const { renderToReadableStream } = await getStreamingRenderer();
       if (!renderToReadableStream) {
         return this.renderStringPageDirect(element, loaderData);
       }
+      const hasDeferred = hasDeferredData2(loaderData);
+      const clientEntry = this.options.clientEntry;
+      const encoder = new TextEncoder;
+      const abortController = new AbortController;
+      timeoutId = setTimeout(() => abortController.abort(), 1e4);
       const reactStream = await renderToReadableStream(element, {
+        bootstrapModules: [clientEntry],
+        signal: abortController.signal,
         onError(error) {
           console.error("Streaming render error:", error);
         }
       });
-      const encoder = new TextEncoder;
-      const hasDeferred = hasDeferredData2(loaderData);
-      const clientEntry = this.options.clientEntry;
-      const injectedScripts = hasDeferred ? null : encoder.encode((loaderData ? `<script>window.__EREO_DATA__=${serializeLoaderData2(loaderData)}</script>` : "") + `<script type="module" src="${clientEntry}"></script>`);
+      const loaderScript = !hasDeferred && loaderData ? encoder.encode(`<script>window.__EREO_DATA__=${serializeLoaderData2(loaderData)}</script>`) : null;
       const reader = reactStream.getReader();
       let done = false;
       const stream = new ReadableStream({
@@ -1054,13 +1159,21 @@ class BunServer {
           const result = await reader.read();
           if (result.done) {
             if (hasDeferred) {
-              const resolved = await resolveAllDeferred2(loaderData);
-              const loaderScript = resolved ? `<script>window.__EREO_DATA__=${serializeLoaderData2(resolved)}</script>` : "";
-              const clientScript = `<script type="module" src="${clientEntry}"></script>`;
-              controller.enqueue(encoder.encode(loaderScript + clientScript));
-            } else {
-              controller.enqueue(injectedScripts);
+              let resolvedData;
+              try {
+                resolvedData = await Promise.race([
+                  resolveAllDeferred2(loaderData),
+                  new Promise((_, reject) => setTimeout(() => reject(new Error("Deferred data resolution timed out")), 1e4))
+                ]);
+              } catch (error) {
+                console.error("Deferred data resolution failed:", error);
+                resolvedData = null;
+              }
+              controller.enqueue(encoder.encode(`<script>window.__EREO_DATA__=${serializeLoaderData2(resolvedData)}</script>`));
+            } else if (loaderScript) {
+              controller.enqueue(loaderScript);
             }
+            clearTimeout(timeoutId);
             controller.close();
             done = true;
           } else {
@@ -1069,6 +1182,7 @@ class BunServer {
         },
         cancel() {
           reader.cancel();
+          clearTimeout(timeoutId);
         }
       });
       return new Response(stream, {
@@ -1078,6 +1192,7 @@ class BunServer {
         }
       });
     } catch (error) {
+      clearTimeout(timeoutId);
       console.error("Streaming render failed:", error);
       return this.renderStringPageDirect(element, loaderData);
     }
@@ -1373,12 +1488,14 @@ export {
   serveStatic,
   serve,
   securityHeaders,
+  resolveCheckResult,
+  resolveAuthDenial,
   renderToString,
   renderToStream,
   rateLimit,
   logger,
   getMimeType,
-  createSuspenseStream,
+  enforceAuthConfig,
   createShell,
   createServer,
   createResponse,

package/dist/streaming.d.ts

@@ -69,6 +69,13 @@ export declare function createShell(options: {
 /**
  * Render a route to a streaming response.
  * Uses renderToPipeableStream for Node.js/Bun environments.
+ *
+ * Returns a ReadableStream body that progressively sends:
+ *   shell head → React content (with $RC scripts for Suspense) → tail
+ *
+ * Deferred data is NOT resolved upfront — React streams Suspense fallbacks
+ * and resolves them out-of-order via inline $RC scripts. Loader data is
+ * serialized into the tail only after all Suspense boundaries resolve.
  */
 export declare function renderToStream(element: ReactElement, options: RenderOptions): Promise<RenderResult>;
 /**
@@ -79,12 +86,4 @@ export declare function renderToString(element: ReactElement, options: RenderOpt
  * Create a Response from render result.
  */
 export declare function createResponse(result: RenderResult): Response;
-/**
- * Stream helper for sending chunks with delays (Suspense boundaries).
- */
-export declare function createSuspenseStream(): {
-    stream: ReadableStream<Uint8Array>;
-    push: (chunk: string) => void;
-    close: () => void;
-};
 //# sourceMappingURL=streaming.d.ts.map

package/dist/streaming.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"streaming.d.ts","sourceRoot":"","sources":["../src/streaming.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,OAAO,CAAC;AAC1C,OAAO,KAAK,EAAS,UAAU,EAAE,UAAU,EAAkB,cAAc,EAAE,MAAM,YAAY,CAAC;AAGhG;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,kBAAkB;IAClB,KAAK,EAAE,UAAU,CAAC;IAClB,sBAAsB;IACtB,OAAO,EAAE,UAAU,CAAC;IACpB,qBAAqB;IACrB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,uBAAuB;IACvB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,wBAAwB;IACxB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,kBAAkB;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB;IAChB,IAAI,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpE,uDAAuD;IACvD,KAAK,CAAC,EAAE,cAAc,EAAE,CAAC;IACzB,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sBAAsB;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,sBAAsB;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,IAAI,EAAE,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAC1C,uBAAuB;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,kBAAkB;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE;IACnC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CA8DjC;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,YAAY,CAAC,CAwEvB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,YAAY,CAAC,CAgCvB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,QAAQ,CAK7D;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI;IACtC,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,CAAC;IACnC,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC9B,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB,CAmBA"}
+{"version":3,"file":"streaming.d.ts","sourceRoot":"","sources":["../src/streaming.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,OAAO,CAAC;AAC1C,OAAO,KAAK,EAAS,UAAU,EAAE,UAAU,EAAkB,cAAc,EAAE,MAAM,YAAY,CAAC;AAGhG;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,kBAAkB;IAClB,KAAK,EAAE,UAAU,CAAC;IAClB,sBAAsB;IACtB,OAAO,EAAE,UAAU,CAAC;IACpB,qBAAqB;IACrB,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,uBAAuB;IACvB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,wBAAwB;IACxB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,kBAAkB;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB;IAChB,IAAI,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpE,uDAAuD;IACvD,KAAK,CAAC,EAAE,cAAc,EAAE,CAAC;IACzB,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sBAAsB;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,sBAAsB;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,IAAI,EAAE,MAAM,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAC1C,uBAAuB;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,kBAAkB;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE;IACnC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CA8DjC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,YAAY,CAAC,CAuHvB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,YAAY,EACrB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,YAAY,CAAC,CAgCvB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,QAAQ,CAK7D"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ereo/server",
-  "version": "0.2.3",
+  "version": "0.2.6",
   "license": "MIT",
   "author": "Ereo Team",
   "homepage": "https://ereojs.github.io/ereoJS",
@@ -32,10 +32,10 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@ereo/core": "^0.2.3",
-    "@ereo/client": "^0.2.3",
-    "@ereo/router": "^0.2.3",
-    "@ereo/data": "^0.2.3"
+    "@ereo/core": "^0.2.6",
+    "@ereo/client": "^0.2.6",
+    "@ereo/router": "^0.2.6",
+    "@ereo/data": "^0.2.6"
   },
   "devDependencies": {
     "@types/bun": "^1.1.0",