@jasonshimmy/vite-plugin-cer-app 0.23.1 → 0.23.2

package/src/__tests__/plugin/html-post-process.test.ts

@@ -0,0 +1,146 @@
+import { describe, it, expect } from 'vitest'
+import {
+  injectFaviconLink,
+  injectCanonicalLink,
+  addNoopenerToExternalLinks,
+  generateRobotsTxt,
+} from '../../plugin/html-post-process.js'
+
+// ---------------------------------------------------------------------------
+// injectFaviconLink
+// ---------------------------------------------------------------------------
+
+describe('injectFaviconLink', () => {
+  it('injects link before </head> when none exists', () => {
+    const html = '<html><head><title>Test</title></head><body></body></html>'
+    const result = injectFaviconLink(html, '/favicon.ico')
+    expect(result).toContain('<link rel="icon" href="/favicon.ico">')
+    expect(result.indexOf('<link rel="icon"')).toBeLessThan(result.indexOf('</head>'))
+  })
+
+  it('does not inject when rel="icon" already present', () => {
+    const html = '<html><head><link rel="icon" href="/custom.ico"></head></html>'
+    expect(injectFaviconLink(html, '/favicon.ico')).toBe(html)
+  })
+
+  it('does not inject when rel="shortcut icon" already present', () => {
+    const html = '<html><head><link rel="shortcut icon" href="/old.ico"></head></html>'
+    expect(injectFaviconLink(html, '/favicon.ico')).toBe(html)
+  })
+
+  it('prepends tag when no </head> is found', () => {
+    const html = '<html><body></body></html>'
+    const result = injectFaviconLink(html, '/favicon.svg')
+    expect(result).toContain('<link rel="icon" href="/favicon.svg">')
+  })
+
+  it('supports svg favicon href', () => {
+    const html = '<html><head></head></html>'
+    expect(injectFaviconLink(html, '/favicon.svg')).toContain('href="/favicon.svg"')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// injectCanonicalLink
+// ---------------------------------------------------------------------------
+
+describe('injectCanonicalLink', () => {
+  it('injects canonical before </head>', () => {
+    const html = '<html><head><title>T</title></head><body></body></html>'
+    const result = injectCanonicalLink(html, 'https://example.com/about')
+    expect(result).toContain('<link rel="canonical" href="https://example.com/about">')
+    expect(result.indexOf('<link rel="canonical"')).toBeLessThan(result.indexOf('</head>'))
+  })
+
+  it('does not inject when canonical already present', () => {
+    const html = '<head><link rel="canonical" href="https://example.com/"></head>'
+    expect(injectCanonicalLink(html, 'https://example.com/')).toBe(html)
+  })
+
+  it('escapes & in the URL', () => {
+    const html = '<html><head></head></html>'
+    const result = injectCanonicalLink(html, 'https://example.com/?a=1&b=2')
+    expect(result).toContain('href="https://example.com/?a=1&amp;b=2"')
+  })
+
+  it('prepends tag when no </head> is found', () => {
+    const html = '<html><body></body></html>'
+    const result = injectCanonicalLink(html, 'https://example.com/')
+    expect(result).toContain('<link rel="canonical"')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// addNoopenerToExternalLinks
+// ---------------------------------------------------------------------------
+
+describe('addNoopenerToExternalLinks', () => {
+  it('adds rel to target="_blank" link with no rel', () => {
+    const html = '<a href="https://example.com" target="_blank">Link</a>'
+    const result = addNoopenerToExternalLinks(html)
+    expect(result).toContain('rel="noopener noreferrer"')
+  })
+
+  it('does not modify links without target="_blank"', () => {
+    const html = '<a href="https://example.com">Link</a>'
+    expect(addNoopenerToExternalLinks(html)).toBe(html)
+  })
+
+  it('does not duplicate when both values already present', () => {
+    const html = '<a href="https://x.com" target="_blank" rel="noopener noreferrer">X</a>'
+    const result = addNoopenerToExternalLinks(html)
+    expect(result).toBe(html)
+  })
+
+  it('appends missing noopener to existing rel', () => {
+    const html = '<a href="https://x.com" target="_blank" rel="noreferrer">X</a>'
+    const result = addNoopenerToExternalLinks(html)
+    expect(result).toContain('noopener')
+    expect(result).toContain('noreferrer')
+  })
+
+  it('appends missing noreferrer to existing rel', () => {
+    const html = '<a href="https://x.com" target="_blank" rel="noopener">X</a>'
+    const result = addNoopenerToExternalLinks(html)
+    expect(result).toContain('noreferrer')
+  })
+
+  it('handles target="_blank" after href in attributes', () => {
+    const html = '<a href="https://x.com" class="btn" target="_blank">X</a>'
+    const result = addNoopenerToExternalLinks(html)
+    expect(result).toContain('rel="noopener noreferrer"')
+  })
+
+  it('handles multiple links in the same document', () => {
+    const html = [
+      '<a href="https://a.com" target="_blank">A</a>',
+      '<a href="/internal">Internal</a>',
+      '<a href="https://b.com" target="_blank">B</a>',
+    ].join('')
+    const result = addNoopenerToExternalLinks(html)
+    expect(result.match(/rel="noopener noreferrer"/g)?.length).toBe(2)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// generateRobotsTxt
+// ---------------------------------------------------------------------------
+
+describe('generateRobotsTxt', () => {
+  it('generates allow-all rules without siteUrl', () => {
+    const txt = generateRobotsTxt(null)
+    expect(txt).toContain('User-agent: *')
+    expect(txt).toContain('Allow: /')
+    expect(txt).not.toContain('Sitemap:')
+  })
+
+  it('includes Sitemap directive when siteUrl is provided', () => {
+    const txt = generateRobotsTxt('https://example.com')
+    expect(txt).toContain('Sitemap: https://example.com/sitemap.xml')
+  })
+
+  it('ends with a newline', () => {
+    expect(generateRobotsTxt(null).endsWith('\n')).toBe(true)
+    expect(generateRobotsTxt('https://example.com').endsWith('\n')).toBe(true)
+  })
+})

package/src/__tests__/plugin/resolve-config.test.ts

@@ -197,4 +197,37 @@ describe('resolveConfig', () => {
     expect(cfg.runtimeConfig.public).toEqual({ apiBase: '/api' })
     expect(cfg.runtimeConfig.private).toEqual({ token: '' })
   })
+
+  it('defaults siteUrl to null when not set', () => {
+    const cfg = resolveConfig({}, ROOT)
+    expect(cfg.siteUrl).toBeNull()
+  })
+
+  it('stores siteUrl with trailing slash stripped', () => {
+    const cfg = resolveConfig({ siteUrl: 'https://example.com/' }, ROOT)
+    expect(cfg.siteUrl).toBe('https://example.com')
+  })
+
+  it('stores siteUrl unchanged when no trailing slash', () => {
+    const cfg = resolveConfig({ siteUrl: 'https://example.com' }, ROOT)
+    expect(cfg.siteUrl).toBe('https://example.com')
+  })
+
+  it('exposes siteUrl in runtimeConfig.public', () => {
+    const cfg = resolveConfig({ siteUrl: 'https://example.com' }, ROOT)
+    expect(cfg.runtimeConfig.public['siteUrl']).toBe('https://example.com')
+  })
+
+  it('does not add siteUrl to runtimeConfig.public when not set', () => {
+    const cfg = resolveConfig({}, ROOT)
+    expect(Object.prototype.hasOwnProperty.call(cfg.runtimeConfig.public, 'siteUrl')).toBe(false)
+  })
+
+  it('user-supplied runtimeConfig.public.siteUrl overrides the siteUrl shorthand', () => {
+    const cfg = resolveConfig({
+      siteUrl: 'https://example.com',
+      runtimeConfig: { public: { siteUrl: 'https://override.com' } },
+    }, ROOT)
+    expect(cfg.runtimeConfig.public['siteUrl']).toBe('https://override.com')
+  })
 })

package/src/__tests__/runtime/app-template.test.ts

@@ -91,6 +91,16 @@ describe('APP_ENTRY_TEMPLATE — meta.hydrate', () => {
     expect(APP_ENTRY_TEMPLATE).toContain('return')
   })
 
+  it('keeps the SSR slot during the initRouter startup microtask navigation (before page chunk loads)', () => {
+    // initRouter() queues queueMicrotask(() => navigate(...)) to run guards on
+    // the entry URL. That microtask fires during await route.load() — before
+    // _currentPageTag is set. Without this guard, _cerHydrating would be set to
+    // false prematurely, dropping the SSR slot and showing an empty router-view.
+    expect(APP_ENTRY_TEMPLATE).toContain(
+      'if (_cerHydrating.value && _currentPageTag !== null) _cerHydrating.value = false',
+    )
+  })
+
   it('exposes router globally as __cerRouter', () => {
     expect(APP_ENTRY_TEMPLATE).toContain('__cerRouter')
   })

package/src/__tests__/runtime/use-head.test.ts

@@ -215,6 +215,29 @@ describe('useHead — client-side DOM updates', () => {
     expect(links.length).toBe(1)
   })
 
+  it('updates canonical href in-place when URL changes (no duplicate)', () => {
+    useHead({ link: [{ rel: 'canonical', href: 'https://example.com/page-a' }] })
+    useHead({ link: [{ rel: 'canonical', href: 'https://example.com/page-b' }] })
+    const links = document.querySelectorAll('link[rel="canonical"]')
+    expect(links.length).toBe(1)
+    expect(links[0].getAttribute('href')).toBe('https://example.com/page-b')
+  })
+
+  it('updates icon link in-place when href changes (no duplicate)', () => {
+    useHead({ link: [{ rel: 'icon', href: '/favicon.ico' }] })
+    useHead({ link: [{ rel: 'icon', href: '/favicon.svg' }] })
+    const links = document.querySelectorAll('link[rel="icon"]')
+    expect(links.length).toBe(1)
+    expect(links[0].getAttribute('href')).toBe('/favicon.svg')
+  })
+
+  it('does NOT deduplicate stylesheet links by rel alone (multiple hrefs allowed)', () => {
+    useHead({ link: [{ rel: 'stylesheet', href: '/a.css' }] })
+    useHead({ link: [{ rel: 'stylesheet', href: '/b.css' }] })
+    const links = document.querySelectorAll('link[rel="stylesheet"]')
+    expect(links.length).toBe(2)
+  })
+
   it('adds a script tag with src', () => {
     useHead({ script: [{ src: '/analytics.js' }] })
     const script = document.querySelector('script[src="/analytics.js"]')
@@ -263,4 +286,26 @@ describe('useHead — client-side DOM updates', () => {
     expect(scripts.length).toBe(1)
     expect(scripts[0].textContent).toBe('window.x = 2')
   })
+
+  it('updates existing application/ld+json content in-place (no duplicate)', () => {
+    useHead({ script: [{ type: 'application/ld+json', innerHTML: '{"@type":"WebPage","name":"A"}' }] })
+    useHead({ script: [{ type: 'application/ld+json', innerHTML: '{"@type":"WebPage","name":"B"}' }] })
+    const scripts = document.querySelectorAll('script[type="application/ld+json"]')
+    expect(scripts.length).toBe(1)
+    expect(scripts[0].textContent).toBe('{"@type":"WebPage","name":"B"}')
+  })
+
+  it('creates application/ld+json script when none exists', () => {
+    useHead({ script: [{ type: 'application/ld+json', innerHTML: '{"@type":"WebPage"}' }] })
+    const scripts = document.querySelectorAll('script[type="application/ld+json"]')
+    expect(scripts.length).toBe(1)
+    expect(scripts[0].textContent).toBe('{"@type":"WebPage"}')
+  })
+
+  it('does NOT deduplicate non-ld+json inline scripts', () => {
+    useHead({ script: [{ innerHTML: 'window.a = 1' }] })
+    useHead({ script: [{ innerHTML: 'window.b = 2' }] })
+    const scripts = document.querySelectorAll('script:not([src]):not([type])')
+    expect(scripts.length).toBe(2)
+  })
 })

package/src/cli/commands/preview.ts

@@ -1,6 +1,7 @@
 import { Command } from 'commander'
 import { createServer as createHttpServer, type IncomingMessage, type ServerResponse } from 'node:http'
 import { createReadStream, existsSync, statSync } from 'node:fs'
+import { createGzip } from 'node:zlib'
 import { resolve, join, extname } from 'pathe'
 import { pathToFileURL } from 'node:url'
 import {
@@ -108,6 +109,22 @@ function getMimeType(filePath: string): string {
   return MIME_TYPES[ext] ?? 'application/octet-stream'
 }
 
+// MIME types that benefit from gzip compression. Binary formats (woff2, images)
+// are already compressed and should not be re-compressed.
+const GZIP_TYPES = new Set([
+  'text/html; charset=utf-8',
+  'application/javascript; charset=utf-8',
+  'text/css; charset=utf-8',
+  'application/json; charset=utf-8',
+  'image/svg+xml',
+  'application/json',
+])
+
+function acceptsGzip(req: IncomingMessage): boolean {
+  const ae = req.headers['accept-encoding'] ?? ''
+  return ae.includes('gzip')
+}
+
 /**
  * Returns the appropriate Cache-Control header value for a file.
  * Vite content-hashes assets placed in the /assets/ directory, so they
@@ -129,6 +146,8 @@ function setSecurityHeaders(res: ServerResponse): void {
 
 /**
  * Serves a static file from the dist directory.
+ * Applies gzip compression for compressible text types when the client
+ * signals support via the Accept-Encoding request header.
  * Returns true if the file was served, false otherwise.
  */
 function serveStaticFile(
@@ -161,10 +180,18 @@ function serveStaticFile(
     }
   }
 
-  res.setHeader('Content-Type', getMimeType(filePath))
+  const mimeType = getMimeType(filePath)
+  res.setHeader('Content-Type', mimeType)
   res.setHeader('Cache-Control', getCacheControl(filePath))
   setSecurityHeaders(res)
-  createReadStream(filePath).pipe(res)
+
+  const stream = createReadStream(filePath)
+  if (GZIP_TYPES.has(mimeType) && acceptsGzip(req)) {
+    res.setHeader('Content-Encoding', 'gzip')
+    stream.pipe(createGzip()).pipe(res)
+  } else {
+    stream.pipe(res)
+  }
   return true
 }
 
@@ -463,9 +490,16 @@ export function previewCommand(): Command {
               isPathBounded(clientDist, urlPath) &&
               existsSync(assetPath) && !statSync(assetPath).isDirectory()
             ) {
-              res.setHeader('Content-Type', getMimeType(assetPath))
+              const mimeType = getMimeType(assetPath)
+              res.setHeader('Content-Type', mimeType)
               res.setHeader('Cache-Control', getCacheControl(assetPath))
-              createReadStream(assetPath).pipe(res)
+              const stream = createReadStream(assetPath)
+              if (GZIP_TYPES.has(mimeType) && acceptsGzip(req)) {
+                res.setHeader('Content-Encoding', 'gzip')
+                stream.pipe(createGzip()).pipe(res)
+              } else {
+                stream.pipe(res)
+              }
               return
             }
           }

package/src/plugin/build-ssg.ts

@@ -1,6 +1,12 @@
 import { writeFile, mkdir, readFile } from 'node:fs/promises'
 import { existsSync } from 'node:fs'
 import { join } from 'pathe'
+import {
+  injectFaviconLink,
+  injectCanonicalLink,
+  addNoopenerToExternalLinks,
+  generateRobotsTxt,
+} from './html-post-process.js'
 import { createServer, type UserConfig } from 'vite'
 import type { ResolvedCerConfig } from './dev-server.js'
 import type { ContentItem } from '../types/content.js'
@@ -255,13 +261,59 @@ export async function writeRenderedPath(
   await writeFile(outputPath, html, 'utf-8')
 }
 
+/**
+ * Detects which favicon href to use from the project's public directory.
+ * Prefers .svg > .ico > .png. Returns null when none is found.
+ */
+function detectFaviconHref(root: string): string | null {
+  const candidates = ['/favicon.svg', '/favicon.ico', '/favicon.png']
+  for (const href of candidates) {
+    if (existsSync(join(root, 'public', href.slice(1)))) return href
+  }
+  return null
+}
+
+/**
+ * Applies all HTML post-processing transforms to a rendered page.
+ *
+ * - Injects `<link rel="icon">` when a favicon exists in public/ and none
+ *   is already declared in the HTML.
+ * - Injects `<link rel="canonical">` when `config.siteUrl` is set and none
+ *   is already declared.
+ * - Adds `rel="noopener noreferrer"` to every `<a target="_blank">` link
+ *   that is missing it.
+ */
+function postProcessHtml(
+  html: string,
+  path: string,
+  config: ResolvedCerConfig,
+  faviconHref: string | null,
+): string {
+  let out = html
+
+  if (faviconHref) {
+    out = injectFaviconLink(out, faviconHref)
+  }
+
+  if (config.siteUrl) {
+    const canonicalUrl = config.siteUrl + (path === '/' ? '' : path)
+    out = injectCanonicalLink(out, canonicalUrl)
+  }
+
+  out = addNoopenerToExternalLinks(out)
+
+  return out
+}
+
 /**
  * Full SSG build pipeline:
  * 1. Run the SSR dual-build (client + server bundles)
  * 2. Enumerate all paths to generate
  * 3. Render each path using the server bundle
- * 4. Write HTML files to dist/
- * 5. Write ssg-manifest.json
+ * 4. Post-process HTML (favicon, canonical, noopener)
+ * 5. Write HTML files to dist/
+ * 6. Write robots.txt (when not already present in public/)
+ * 7. Write ssg-manifest.json
  */
 export async function buildSSG(
   config: ResolvedCerConfig,
@@ -281,7 +333,10 @@ export async function buildSSG(
   const paths = await collectSsgPaths(config, viteUserConfig)
   console.log(`[cer-app] Found ${paths.length} path(s) to generate:`, paths)
 
-  // Step 3+4: Render and write paths with bounded concurrency.
+  // Detect favicon once for use in every page's post-processing pass.
+  const faviconHref = detectFaviconHref(config.root)
+
+  // Step 3+4+5: Render, post-process, and write paths with bounded concurrency.
   // The server bundle uses per-request router instances (initRouter returns the
   // router; the factory passes it to createStreamingSSRHandler as { vnode, router })
   // so concurrent renders are safe — each request carries its own router with its
@@ -299,7 +354,8 @@ export async function buildSSG(
     const results = await Promise.allSettled(
       chunk.map(async (path) => {
         console.log(`[cer-app] Generating: ${path}`)
-        const html = await renderPath(path, serverBundlePath)
+        const raw = await renderPath(path, serverBundlePath)
+        const html = postProcessHtml(raw, path, config, faviconHref)
         await writeRenderedPath(path, html, distDir)
         return path
       }),
@@ -316,7 +372,18 @@ export async function buildSSG(
     }
   }
 
-  // Step 5: Write SSG manifest
+  // Step 6: Write robots.txt unless the project supplies its own via public/robots.txt,
+  // which Vite copies to dist/ as-is. Always overwrite any previously generated file so
+  // that siteUrl changes (e.g. adding the Sitemap directive) take effect on rebuild.
+  const publicRobots = join(config.root, 'public', 'robots.txt')
+  if (!existsSync(publicRobots)) {
+    const distRobots = join(distDir, 'robots.txt')
+    await mkdir(distDir, { recursive: true })
+    await writeFile(distRobots, generateRobotsTxt(config.siteUrl), 'utf-8')
+    console.log('[cer-app] Generated robots.txt')
+  }
+
+  // Step 7: Write SSG manifest
   const manifest: SsgManifest = {
     generatedAt: new Date().toISOString(),
     paths: generatedPaths,

package/src/plugin/dev-server.ts

@@ -9,6 +9,8 @@ export interface ResolvedCerConfig {
   mode: 'spa' | 'ssr' | 'ssg'
   srcDir: string
   root: string
+  /** Canonical site origin (no trailing slash). Null when not configured. */
+  siteUrl: string | null
   contentDir: string
   pagesDir: string
   layoutsDir: string

package/src/plugin/generated-dir.ts

@@ -107,7 +107,7 @@ export function writeGeneratedDir(config: ResolvedCerConfig): void {
   // Always write the generated app.ts — this is the framework entry point and
   // is never user-owned. Regenerating it on every dev/build ensures consumers
   // automatically get the latest bootstrap code on plugin update (Nuxt-style).
-  writeFileSync(join(dir, 'app.ts'), generateAppEntryTemplate(config.jitCss.customColors), 'utf-8')
+  writeFileSync(join(dir, 'app.ts'), generateAppEntryTemplate(), 'utf-8')
 
   // Always write the SSR entry — used by the dev server's ssrLoadModule call.
   // The production build injects this as a virtual module, but the dev server

package/src/plugin/html-post-process.ts

@@ -0,0 +1,96 @@
+/**
+ * HTML post-processing transforms applied to every SSG-rendered page.
+ *
+ * Each function is a pure string → string transform. They are composed in
+ * build-ssg.ts after the server bundle renders each path.
+ */
+
+// ---------------------------------------------------------------------------
+// Favicon injection
+// ---------------------------------------------------------------------------
+
+/**
+ * Injects `<link rel="icon" href="${faviconHref}">` before `</head>` when no
+ * `<link rel="icon">` or `<link rel="shortcut icon">` is already present.
+ */
+export function injectFaviconLink(html: string, faviconHref: string): string {
+  if (/<link[^>]+rel=["'](?:shortcut )?icon["']/i.test(html)) return html
+  const tag = `<link rel="icon" href="${faviconHref}">`
+  return insertBeforeHead(html, tag)
+}
+
+// ---------------------------------------------------------------------------
+// Canonical link injection
+// ---------------------------------------------------------------------------
+
+/**
+ * Injects `<link rel="canonical" href="${url}">` before `</head>` when no
+ * `<link rel="canonical">` is already present.
+ */
+export function injectCanonicalLink(html: string, url: string): string {
+  if (/<link[^>]+rel=["']canonical["']/i.test(html)) return html
+  const tag = `<link rel="canonical" href="${escapeAttr(url)}">`
+  return insertBeforeHead(html, tag)
+}
+
+// ---------------------------------------------------------------------------
+// noopener / noreferrer on external target="_blank" links
+// ---------------------------------------------------------------------------
+
+/**
+ * Adds `rel="noopener noreferrer"` to every `<a target="_blank">` element
+ * that does not already have a `rel` attribute containing both values.
+ *
+ * Only touches anchor tags — not `<form>` or other elements with `target`.
+ */
+export function addNoopenerToExternalLinks(html: string): string {
+  return html.replace(
+    /(<a\b[^>]*\btarget\s*=\s*["']_blank["'][^>]*)(>)/gi,
+    (match, attrs: string, close: string) => {
+      const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i)
+      if (relMatch) {
+        const existing = relMatch[1]
+        const hasNoopener = /\bnoopener\b/i.test(existing)
+        const hasNoreferrer = /\bnoreferrer\b/i.test(existing)
+        if (hasNoopener && hasNoreferrer) return match
+        const parts = existing.trim().split(/\s+/).filter(Boolean)
+        if (!hasNoopener) parts.push('noopener')
+        if (!hasNoreferrer) parts.push('noreferrer')
+        return attrs.replace(relMatch[0], `rel="${parts.join(' ')}"`) + close
+      }
+      return `${attrs} rel="noopener noreferrer"${close}`
+    },
+  )
+}
+
+// ---------------------------------------------------------------------------
+// robots.txt generation
+// ---------------------------------------------------------------------------
+
+/**
+ * Generates the content of a `robots.txt` file.
+ * When `siteUrl` is provided a `Sitemap:` directive is included.
+ */
+export function generateRobotsTxt(siteUrl: string | null): string {
+  const lines = ['User-agent: *', 'Allow: /']
+  if (siteUrl) {
+    lines.push('', `Sitemap: ${siteUrl}/sitemap.xml`)
+  }
+  return lines.join('\n') + '\n'
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function insertBeforeHead(html: string, tag: string): string {
+  const idx = html.indexOf('</head>')
+  if (idx !== -1) {
+    return html.slice(0, idx) + tag + '\n' + html.slice(idx)
+  }
+  return tag + '\n' + html
+}
+
+function escapeAttr(value: string): string {
+  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
+}

package/src/plugin/index.ts

@@ -36,6 +36,7 @@ const VIRTUAL_IDS = {
   error: 'virtual:cer-error',
   contentComponents: 'virtual:cer-content-components',
   i18n: 'virtual:cer-i18n',
+  jitInit: 'virtual:cer-jit-init',
 } as const
 
 // Resolved virtual module IDs (prefixed with \0)
@@ -62,6 +63,7 @@ export function resolveConfig(userConfig: CerAppConfig, root: string = process.c
     mode,
     srcDir,
     root,
+    siteUrl: userConfig.siteUrl ? userConfig.siteUrl.replace(/\/$/, '') : null,
     contentDir: resolve(root, userConfig.content?.dir ?? 'content'),
     pagesDir: join(srcDir, 'pages'),
     layoutsDir: join(srcDir, 'layouts'),
@@ -97,7 +99,10 @@ export function resolveConfig(userConfig: CerAppConfig, root: string = process.c
       runtime: userConfig.autoImports?.runtime ?? true,
     },
     runtimeConfig: {
-      public: userConfig.runtimeConfig?.public ?? {},
+      public: {
+        ...(userConfig.siteUrl ? { siteUrl: userConfig.siteUrl.replace(/\/$/, '') } : {}),
+        ...userConfig.runtimeConfig?.public,
+      },
       private: userConfig.runtimeConfig?.private ?? {},
     },
     auth: userConfig.auth ?? null,
@@ -144,6 +149,8 @@ async function generateVirtualModule(
       return generateContentComponentsCode(config.componentsDir, config.contentDir)
     case RESOLVED_IDS.i18n:
       return generateI18nModule(config.i18n)
+    case RESOLVED_IDS.jitInit:
+      return generateJitInitModule(config.jitCss)
     default:
       return null
   }
@@ -167,6 +174,30 @@ function generateI18nModule(
   )
 }
 
+/**
+ * Generates the virtual:cer-jit-init module that calls enableJITCSS() with the
+ * project's jitCss options. Imported as the first side-effect import in app.ts
+ * so JIT CSS is active before virtual:cer-layouts and virtual:cer-plugins run
+ * their static imports — which upgrade custom elements synchronously via
+ * customElements.define(). Without this, applyStyle() runs with _jitCSSEnabled=false
+ * and produces unstyled renders that replace the DSD pre-rendered content.
+ */
+export function generateJitInitModule(jitCss: ResolvedCerConfig['jitCss']): string {
+  const args: string[] = []
+  if (jitCss.extendedColors) {
+    args.push(`extendedColors: ${JSON.stringify(jitCss.extendedColors)}`)
+  }
+  if (jitCss.customColors && Object.keys(jitCss.customColors).length > 0) {
+    args.push(`customColors: ${JSON.stringify(jitCss.customColors)}`)
+  }
+  const callArgs = args.length > 0 ? `{ ${args.join(', ')} }` : ''
+  return (
+    `// AUTO-GENERATED by @jasonshimmy/vite-plugin-cer-app\n` +
+    `import { enableJITCSS } from '@jasonshimmy/custom-elements-runtime/jit-css'\n` +
+    `enableJITCSS(${callArgs})\n`
+  )
+}
+
 /**
  * Generates a virtual module that exports the resolved app config.
  * When `ssr` is true, also exports `_runtimePrivateDefaults` (server-only).
@@ -313,7 +344,7 @@ export function cerApp(userConfig: CerAppConfig = {}): Plugin[] {
     },
 
     async load(id: string, options?: { ssr?: boolean }) {
-      if (id === RESOLVED_APP_ENTRY) return generateAppEntryTemplate(config.jitCss.customColors)
+      if (id === RESOLVED_APP_ENTRY) return generateAppEntryTemplate()
 
       const allResolved = Object.values(RESOLVED_IDS) as string[]
       if (!allResolved.includes(id)) return null