@kuratchi/js 0.0.15 → 0.0.17

package/dist/compiler/worker-output-pipeline.js

@@ -0,0 +1,37 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+export function resolveRuntimeImportPath(projectDir) {
+    const candidates = [
+        { file: 'src/server/runtime.hook.ts', importPath: '../src/server/runtime.hook' },
+    ];
+    for (const candidate of candidates) {
+        if (fs.existsSync(path.join(projectDir, candidate.file))) {
+            return candidate.importPath;
+        }
+    }
+    return null;
+}
+export function toWorkerImportPath(projectDir, outDir, filePath) {
+    const absPath = path.isAbsolute(filePath) ? filePath : path.join(projectDir, filePath);
+    let rel = path.relative(outDir, absPath).replace(/\\/g, '/');
+    if (!rel.startsWith('.'))
+        rel = `./${rel}`;
+    return rel.replace(/\.(ts|js|mjs|cjs)$/, '');
+}
+export function buildWorkerEntrypointSource(opts) {
+    const workerClassExports = opts.workerClassEntries
+        .map((entry) => {
+        const importPath = toWorkerImportPath(opts.projectDir, opts.outDir, entry.file);
+        if (entry.exportKind === 'default') {
+            return `export { default as ${entry.className} } from '${importPath}';`;
+        }
+        return `export { ${entry.className} } from '${importPath}';`;
+    });
+    return [
+        '// Auto-generated by kuratchi — do not edit.',
+        "export { default } from './routes.ts';",
+        ...opts.doClassNames.map((className) => `export { ${className} } from './routes.ts';`),
+        ...workerClassExports,
+        '',
+    ].join('\n');
+}

package/dist/compiler/wrangler-sync.d.ts

@@ -0,0 +1,14 @@
+export interface WranglerSyncEntry {
+    binding: string;
+    className: string;
+}
+export interface WranglerSyncConfig {
+    workflows: WranglerSyncEntry[];
+    containers: WranglerSyncEntry[];
+    durableObjects: WranglerSyncEntry[];
+}
+export declare function syncWranglerConfig(opts: {
+    projectDir: string;
+    config: WranglerSyncConfig;
+    writeFile: (filePath: string, content: string) => void;
+}): void;

package/dist/compiler/wrangler-sync.js

@@ -0,0 +1,185 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+function stripJsonComments(content) {
+    let result = '';
+    let i = 0;
+    let inString = false;
+    let stringChar = '';
+    while (i < content.length) {
+        const ch = content[i];
+        const next = content[i + 1];
+        if (inString) {
+            result += ch;
+            if (ch === '\\' && i + 1 < content.length) {
+                result += next;
+                i += 2;
+                continue;
+            }
+            if (ch === stringChar) {
+                inString = false;
+            }
+            i++;
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            inString = true;
+            stringChar = ch;
+            result += ch;
+            i++;
+            continue;
+        }
+        if (ch === '/' && next === '/') {
+            while (i < content.length && content[i] !== '\n')
+                i++;
+            continue;
+        }
+        if (ch === '/' && next === '*') {
+            i += 2;
+            while (i < content.length - 1 && !(content[i] === '*' && content[i + 1] === '/'))
+                i++;
+            i += 2;
+            continue;
+        }
+        result += ch;
+        i++;
+    }
+    return result;
+}
+export function syncWranglerConfig(opts) {
+    const jsoncPath = path.join(opts.projectDir, 'wrangler.jsonc');
+    const jsonPath = path.join(opts.projectDir, 'wrangler.json');
+    const tomlPath = path.join(opts.projectDir, 'wrangler.toml');
+    let configPath;
+    let isJsonc = false;
+    if (fs.existsSync(jsoncPath)) {
+        configPath = jsoncPath;
+        isJsonc = true;
+    }
+    else if (fs.existsSync(jsonPath)) {
+        configPath = jsonPath;
+    }
+    else if (fs.existsSync(tomlPath)) {
+        console.log('[kuratchi] wrangler.toml detected. Auto-sync requires wrangler.jsonc. Skipping wrangler sync.');
+        return;
+    }
+    else {
+        console.log('[kuratchi] Creating wrangler.jsonc with workflow config...');
+        configPath = jsoncPath;
+        isJsonc = true;
+    }
+    let rawContent = '';
+    let wranglerConfig = {};
+    if (fs.existsSync(configPath)) {
+        rawContent = fs.readFileSync(configPath, 'utf-8');
+        try {
+            const jsonContent = stripJsonComments(rawContent);
+            wranglerConfig = JSON.parse(jsonContent);
+        }
+        catch (err) {
+            console.error(`[kuratchi] Failed to parse ${path.basename(configPath)}: ${err.message}`);
+            console.error('[kuratchi] Skipping wrangler sync. Please fix the JSON syntax.');
+            return;
+        }
+    }
+    let changed = false;
+    if (opts.config.workflows.length > 0) {
+        const existingWorkflows = wranglerConfig.workflows || [];
+        const existingByBinding = new Map(existingWorkflows.map((workflow) => [workflow.binding, workflow]));
+        for (const workflow of opts.config.workflows) {
+            const name = workflow.binding.toLowerCase().replace(/_/g, '-');
+            const entry = {
+                name,
+                binding: workflow.binding,
+                class_name: workflow.className,
+            };
+            const existing = existingByBinding.get(workflow.binding);
+            if (!existing) {
+                existingWorkflows.push(entry);
+                changed = true;
+                console.log(`[kuratchi] Added workflow "${workflow.binding}" to wrangler config`);
+            }
+            else if (existing.class_name !== workflow.className) {
+                existing.class_name = workflow.className;
+                changed = true;
+                console.log(`[kuratchi] Updated workflow "${workflow.binding}" class_name to "${workflow.className}"`);
+            }
+        }
+        const configBindings = new Set(opts.config.workflows.map((workflow) => workflow.binding));
+        const filtered = existingWorkflows.filter((workflow) => {
+            if (!configBindings.has(workflow.binding)) {
+                const expectedName = workflow.binding.toLowerCase().replace(/_/g, '-');
+                if (workflow.name === expectedName) {
+                    console.log(`[kuratchi] Removed workflow "${workflow.binding}" from wrangler config`);
+                    changed = true;
+                    return false;
+                }
+            }
+            return true;
+        });
+        if (filtered.length !== existingWorkflows.length) {
+            wranglerConfig.workflows = filtered;
+        }
+        else {
+            wranglerConfig.workflows = existingWorkflows;
+        }
+        if (wranglerConfig.workflows.length === 0) {
+            delete wranglerConfig.workflows;
+        }
+    }
+    if (opts.config.containers.length > 0) {
+        const existingContainers = wranglerConfig.containers || [];
+        const existingByBinding = new Map(existingContainers.map((container) => [container.binding, container]));
+        for (const container of opts.config.containers) {
+            const name = container.binding.toLowerCase().replace(/_/g, '-');
+            const entry = {
+                name,
+                binding: container.binding,
+                class_name: container.className,
+            };
+            const existing = existingByBinding.get(container.binding);
+            if (!existing) {
+                existingContainers.push(entry);
+                changed = true;
+                console.log(`[kuratchi] Added container "${container.binding}" to wrangler config`);
+            }
+            else if (existing.class_name !== container.className) {
+                existing.class_name = container.className;
+                changed = true;
+                console.log(`[kuratchi] Updated container "${container.binding}" class_name to "${container.className}"`);
+            }
+        }
+        wranglerConfig.containers = existingContainers;
+        if (wranglerConfig.containers.length === 0) {
+            delete wranglerConfig.containers;
+        }
+    }
+    if (opts.config.durableObjects.length > 0) {
+        if (!wranglerConfig.durable_objects) {
+            wranglerConfig.durable_objects = { bindings: [] };
+        }
+        const existingBindings = wranglerConfig.durable_objects.bindings || [];
+        const existingByName = new Map(existingBindings.map((binding) => [binding.name, binding]));
+        for (const durableObject of opts.config.durableObjects) {
+            const entry = {
+                name: durableObject.binding,
+                class_name: durableObject.className,
+            };
+            const existing = existingByName.get(durableObject.binding);
+            if (!existing) {
+                existingBindings.push(entry);
+                changed = true;
+                console.log(`[kuratchi] Added durable_object "${durableObject.binding}" to wrangler config`);
+            }
+            else if (existing.class_name !== durableObject.className) {
+                existing.class_name = durableObject.className;
+                changed = true;
+                console.log(`[kuratchi] Updated durable_object "${durableObject.binding}" class_name to "${durableObject.className}"`);
+            }
+        }
+        wranglerConfig.durable_objects.bindings = existingBindings;
+    }
+    if (!changed)
+        return;
+    const newContent = JSON.stringify(wranglerConfig, null, isJsonc ? '\t' : '\t');
+    opts.writeFile(configPath, newContent + '\n');
+}

package/dist/runtime/app.js

@@ -133,13 +133,25 @@ export function createApp(config) {
 }
 /** Render a page through its layout */
 function renderPage(route, data, layouts) {
-    const content = route.render(data);
+    const rendered = normalizeRenderOutput(route.render(data));
     const layoutName = route.layout ?? 'default';
     const layout = layouts[layoutName];
     const html = layout
-        ? layout.render({ content, data })
-        : content;
+        ? layout.render({ content: rendered.html, data, head: rendered.head })
+        : rendered.html;
     return new Response(html, {
         headers: { 'content-type': 'text/html; charset=utf-8' },
     });
 }
+function normalizeRenderOutput(output) {
+    if (typeof output === 'string') {
+        return { html: output, head: '' };
+    }
+    return {
+        html: typeof output?.html === 'string' ? output.html : '',
+        head: typeof output?.head === 'string' ? output.head : '',
+        fragments: output && typeof output === 'object' && !Array.isArray(output) && typeof output.fragments === 'object'
+            ? (output.fragments ?? {})
+            : {},
+    };
+}

package/dist/runtime/context.d.ts

@@ -57,3 +57,7 @@ export declare function __esc(v: any): string;
 export declare function __rawHtml(v: any): string;
 /** Best-effort HTML sanitizer for {@html ...} template output. */
 export declare function __sanitizeHtml(v: any): string;
+/** Get CSRF token for form injection (used by template compiler) */
+export declare function __getCsrfToken(): string;
+/** Sign a fragment ID for secure polling (used by template compiler) */
+export declare function __signFragment(fragmentId: string): string;

package/dist/runtime/context.js

@@ -161,13 +161,51 @@ export function __rawHtml(v) {
 /** Best-effort HTML sanitizer for {@html ...} template output. */
 export function __sanitizeHtml(v) {
     let html = __rawHtml(v);
+    // Remove dangerous elements entirely
     html = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
     html = html.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe>/gi, '');
     html = html.replace(/<object\b[^>]*>[\s\S]*?<\/object>/gi, '');
     html = html.replace(/<embed\b[^>]*>/gi, '');
+    html = html.replace(/<base\b[^>]*>/gi, '');
+    html = html.replace(/<meta\b[^>]*>/gi, '');
+    html = html.replace(/<link\b[^>]*>/gi, '');
+    html = html.replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, '');
+    html = html.replace(/<template\b[^>]*>[\s\S]*?<\/template>/gi, '');
+    html = html.replace(/<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi, '');
+    // Remove all event handlers (on*)
     html = html.replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
-    html = html.replace(/\s(href|src|xlink:href)\s*=\s*(["'])\s*javascript:[\s\S]*?\2/gi, ' $1="#"');
-    html = html.replace(/\s(href|src|xlink:href)\s*=\s*javascript:[^\s>]+/gi, ' $1="#"');
+    // Remove javascript: URLs in href, src, xlink:href, action, formaction, data
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*(["'])\s*javascript:[\s\S]*?\2/gi, ' $1="#"');
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*javascript:[^\s>]+/gi, ' $1="#"');
+    // Remove vbscript: URLs
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*(["'])\s*vbscript:[\s\S]*?\2/gi, ' $1="#"');
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*vbscript:[^\s>]+/gi, ' $1="#"');
+    // Remove data: URLs in src (can contain scripts)
+    html = html.replace(/\ssrc\s*=\s*(["'])\s*data:[\s\S]*?\1/gi, ' src="#"');
+    html = html.replace(/\ssrc\s*=\s*data:[^\s>]+/gi, ' src="#"');
+    // Remove srcdoc (can contain arbitrary HTML)
     html = html.replace(/\ssrcdoc\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    // Remove form-related dangerous attributes
+    html = html.replace(/\sformaction\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    // Remove SVG-specific dangerous elements
+    html = html.replace(/<foreignObject\b[^>]*>[\s\S]*?<\/foreignObject>/gi, '');
+    html = html.replace(/<use\b[^>]*>/gi, '');
     return html;
 }
+/** Get CSRF token for form injection (used by template compiler) */
+export function __getCsrfToken() {
+    return __locals.__csrfToken || '';
+}
+/** Sign a fragment ID for secure polling (used by template compiler) */
+export function __signFragment(fragmentId) {
+    const token = __locals.__csrfToken || '';
+    const routePath = __locals.__currentRoutePath || '/';
+    const payload = `${fragmentId}:${routePath}:${token}`;
+    // FNV-1a hash for fast, consistent signing
+    let hash = 2166136261;
+    for (let i = 0; i < payload.length; i++) {
+        hash ^= payload.charCodeAt(i);
+        hash = (hash * 16777619) >>> 0;
+    }
+    return `${fragmentId}:${hash.toString(36)}`;
+}

package/dist/runtime/do.js

@@ -30,6 +30,10 @@ export function __getDoSelf() {
 }
 const _resolvers = new Map();
 const _classBindings = new WeakMap();
+const _rpcProxyCache = new WeakMap();
+function __isDevMode() {
+    return !!globalThis.__kuratchi_DEV__;
+}
 /** @internal — called by compiler-generated init code */
 export function __registerDoResolver(binding, resolver) {
     _resolvers.set(binding, resolver);
@@ -94,36 +98,47 @@ export class kuratchiDO {
      */
     static rpc() {
         const klass = this;
-        return new Proxy({}, {
+        // Cache proxy per class to avoid repeated Proxy creation
+        let cached = _rpcProxyCache.get(klass);
+        if (cached)
+            return cached;
+        const proxy = new Proxy({}, {
             get(_, method) {
                 return async (...args) => {
                     const binding = this.binding || _classBindings.get(klass);
                     if (!binding) {
                         throw new Error(`[KuratchiJS] Missing DO binding for class '${this?.name || 'UnknownDO'}'. Add static binding or ensure compiler binding registration is active.`);
                     }
-                    console.log(`[rpc] ${binding}.${method}() — resolving stub...`);
+                    if (__isDevMode())
+                        console.log(`[rpc] ${binding}.${method}() — resolving stub...`);
                     const stub = await __getDoStub(binding);
                     if (!stub) {
                         throw new Error(`[KuratchiJS] Not authenticated — cannot call '${method}' on ${binding}`);
                     }
-                    console.log(`[rpc] ${binding}.${method}() — stub type: ${stub?.constructor?.name ?? typeof stub}`);
-                    console.log(`[rpc] ${binding}.${method}() — calling with ${args.length} arg(s)...`);
+                    if (__isDevMode()) {
+                        console.log(`[rpc] ${binding}.${method}() — stub type: ${stub?.constructor?.name ?? typeof stub}`);
+                        console.log(`[rpc] ${binding}.${method}() — calling with ${args.length} arg(s)...`);
+                    }
                     try {
                         // Call method directly on the stub — DO NOT detach with stub[method]
                         // then .apply(). Workers RPC stubs are Proxy-based; detaching breaks
                         // the runtime's interception and causes DataCloneError trying to
                         // serialize the DurableObject as `this`.
                         const result = await stub[method](...args);
-                        console.log(`[rpc] ${binding}.${method}() — returned, result type: ${typeof result}`);
+                        if (__isDevMode())
+                            console.log(`[rpc] ${binding}.${method}() — returned, result type: ${typeof result}`);
                         return result;
                     }
                     catch (err) {
-                        console.error(`[rpc] ${binding}.${method}() — THREW: ${err.message}`);
+                        if (__isDevMode())
+                            console.error(`[rpc] ${binding}.${method}() — THREW: ${err.message}`);
                         throw err;
                     }
                 };
             },
         });
+        _rpcProxyCache.set(klass, proxy);
+        return proxy;
     }
 }
 /**

package/dist/runtime/generated-worker.d.ts

@@ -0,0 +1,55 @@
+import type { PageRenderOutput, RuntimeContext, RuntimeDefinition } from './types.js';
+export interface GeneratedAssetEntry {
+    content: string;
+    mime: string;
+    etag: string;
+}
+export interface GeneratedApiRoute {
+    pattern: string;
+    __api: true;
+    [method: string]: unknown;
+}
+export interface GeneratedPageRoute {
+    pattern: string;
+    load?: (params: Record<string, string>) => Promise<unknown> | unknown;
+    actions?: Record<string, (...args: any[]) => Promise<unknown> | unknown>;
+    rpc?: Record<string, (...args: any[]) => Promise<unknown> | unknown>;
+    /** Allowed query function names for this route (for query override validation) */
+    allowedQueries?: string[];
+    render: (data: Record<string, any>) => PageRenderOutput;
+}
+export interface SecurityOptions {
+    /** Enable CSRF protection (default: true) */
+    csrfEnabled?: boolean;
+    /** CSRF cookie name (default: '__kuratchi_csrf') */
+    csrfCookieName?: string;
+    /** CSRF header name (default: 'x-kuratchi-csrf') */
+    csrfHeaderName?: string;
+    /** Require authentication for RPC (default: false) */
+    rpcRequireAuth?: boolean;
+    /** Require authentication for form actions (default: false) */
+    actionRequireAuth?: boolean;
+    /** Content Security Policy directive string */
+    contentSecurityPolicy?: string | null;
+    /** Strict-Transport-Security header value */
+    strictTransportSecurity?: string | null;
+    /** Permissions-Policy header value */
+    permissionsPolicy?: string | null;
+}
+export interface GeneratedWorkerOptions {
+    routes: Array<GeneratedPageRoute | GeneratedApiRoute>;
+    layout: (content: string, head?: string) => Promise<string> | string;
+    layoutActions: Record<string, (...args: any[]) => Promise<unknown> | unknown>;
+    assetsPrefix: string;
+    assets: Record<string, GeneratedAssetEntry>;
+    errorPages: Record<number, (detail?: string) => string>;
+    runtimeDefinition?: RuntimeDefinition;
+    workflowStatusRpc?: Record<string, (instanceId: string) => Promise<unknown>>;
+    initializeRequest?: (ctx: RuntimeContext) => Promise<void> | void;
+    preRouteChecks?: (ctx: RuntimeContext) => Promise<Response | null | undefined> | Response | null | undefined;
+    /** Security configuration */
+    security?: SecurityOptions;
+}
+export declare function createGeneratedWorker(opts: GeneratedWorkerOptions): {
+    fetch(request: Request, env: Record<string, any>, ctx: ExecutionContext): Promise<Response>;
+};