@kuratchi/js 0.0.16 → 0.0.17

package/dist/compiler/route-pipeline.js

@@ -1,5 +1,4 @@
 import { stripTopLevelImports } from './parser.js';
-import { transpileTypeScript } from './transpile.js';
 import { buildDevAliasDeclarations, buildSegmentedScriptBody, rewriteImportedFunctionCalls, rewriteWorkerEnvAliases, } from './script-transform.js';
 function dedupe(items) {
     return Array.from(new Set(items));
@@ -151,15 +150,7 @@ export function analyzeRouteBuild(opts) {
     if (explicitLoadFunction && scriptUsesAwait) {
         throw new Error(`[kuratchi compiler] ${pattern}\nTop-level await cannot be mixed with export async function load(). Move async server work into load().`);
     }
-    if (scriptBody) {
-        scriptBody = transpileTypeScript(scriptBody, `route-script:${pattern}.ts`);
-    }
-    if (renderPreludeSource) {
-        renderPreludeSource = transpileTypeScript(renderPreludeSource, `route-render:${pattern}.ts`);
-    }
-    if (explicitLoadFunction) {
-        explicitLoadFunction = transpileTypeScript(explicitLoadFunction, `route-load:${pattern}.ts`);
-    }
+    // TypeScript is preserved — wrangler's esbuild handles transpilation
     const scriptReturnVars = parsed.script
         ? parsed.dataVars.filter((name) => !queryVars.includes(name) &&
             !importedBindingNames.has(name) &&
@@ -251,46 +242,50 @@ export function emitRouteObject(plan) {
             .map((rpc) => `'${rpc.rpcId}': ${rpc.expression}`)
             .join(', ');
         parts.push(`    rpc: { ${rpcEntries} }`);
+        // Also emit allowedQueries for query override validation
+        const allowedQueryNames = plan.rpc.map((rpc) => `'${rpc.rpcId}'`).join(', ');
+        parts.push(`    allowedQueries: [${allowedQueryNames}]`);
     }
     const destructure = `const { ${plan.render.dataVars.join(', ')} } = data;\n      `;
     let finalHeadRenderBody = plan.render.headBody;
     if (plan.render.componentStyles.length > 0) {
         const lines = plan.render.headBody.split('\n');
-        const styleLines = plan.render.componentStyles.map((css) => `__html += \`${css}\\n\`;`);
+        const styleLines = plan.render.componentStyles.map((css) => `__parts.push(\`${css}\\n\`);`);
         finalHeadRenderBody = [lines[0], ...styleLines, ...lines.slice(1)].join('\n');
     }
     if (plan.render.clientModuleHref) {
-        finalHeadRenderBody += `\n__html += \`<script type="module" src="${plan.render.clientModuleHref}"></script>\\n\`;`;
+        finalHeadRenderBody += `\n__parts.push(\`<script type="module" src="${plan.render.clientModuleHref}"></script>\\n\`);`;
     }
-    parts.push(`    render(data) {
-      ${destructure}${plan.render.prelude ? plan.render.prelude + '\n      ' : ''}const __head = (() => {
-        ${finalHeadRenderBody}
-        return __html;
-      })();
-      const __rendered = (() => {
-        const __fragments = Object.create(null);
-        const __fragmentStack = [];
-        const __emit = (chunk) => {
-          const __value = chunk == null ? '' : String(chunk);
-          __html += __value;
-          for (const __fragmentId of __fragmentStack) {
-            __fragments[__fragmentId] = (__fragments[__fragmentId] || '') + __value;
-          }
-        };
-        const __pushFragment = (id) => {
-          const __key = String(id);
-          if (!Object.prototype.hasOwnProperty.call(__fragments, __key)) {
-            __fragments[__key] = '';
-          }
-          __fragmentStack.push(__key);
-        };
-        const __popFragment = () => {
-          __fragmentStack.pop();
-        };
-        ${plan.render.body}
-        return { html: __html, fragments: __fragments };
-      })();
-      return { html: __rendered.html, head: __head, fragments: __rendered.fragments };
+    parts.push(`    render(data) {
+      ${destructure}${plan.render.prelude ? plan.render.prelude + '\n      ' : ''}const __head = (() => {
+        ${finalHeadRenderBody}
+        return __html;
+      })();
+      const __rendered = (() => {
+        const __fragments = Object.create(null);
+        const __fragmentStack = [];
+        const __parts = [];
+        const __emit = (chunk) => {
+          const __value = chunk == null ? '' : String(chunk);
+          __parts.push(__value);
+          for (const __fragmentId of __fragmentStack) {
+            __fragments[__fragmentId] = (__fragments[__fragmentId] || '') + __value;
+          }
+        };
+        const __pushFragment = (id) => {
+          const __key = String(id);
+          if (!Object.prototype.hasOwnProperty.call(__fragments, __key)) {
+            __fragments[__key] = '';
+          }
+          __fragmentStack.push(__key);
+        };
+        const __popFragment = () => {
+          __fragmentStack.pop();
+        };
+        ${plan.render.body}
+        return { html: __parts.join(''), fragments: __fragments };
+      })();
+      return { html: __rendered.html, head: __head, fragments: __rendered.fragments };
     }`);
     return `  {\n${parts.join(',\n')}\n  }`;
 }

package/dist/compiler/route-state-pipeline.d.ts

@@ -22,4 +22,5 @@ export declare function assembleRouteState(opts: {
     fullPath: string;
     routesDir: string;
     layoutRelativePaths: string[];
+    fileContents?: Map<string, string>;
 }): RouteStatePlan;

package/dist/compiler/route-state-pipeline.js

@@ -9,7 +9,7 @@ function isSharedImport(line) {
     return /\bfrom\s+['"]\$shared\//.test(line);
 }
 export function assembleRouteState(opts) {
-    const { parsed, fullPath, routesDir, layoutRelativePaths } = opts;
+    const { parsed, fullPath, routesDir, layoutRelativePaths, fileContents } = opts;
     let effectiveTemplate = parsed.template;
     const routeScriptParts = [];
     const routeScriptSegments = [];
@@ -44,9 +44,9 @@ export function assembleRouteState(opts) {
         if (layoutRelPath === 'layout.html')
             continue;
         const layoutPath = path.join(routesDir, layoutRelPath);
-        if (!fs.existsSync(layoutPath))
+        const layoutSource = fileContents?.get(layoutPath) ?? (fs.existsSync(layoutPath) ? fs.readFileSync(layoutPath, 'utf-8') : null);
+        if (!layoutSource)
             continue;
-        const layoutSource = fs.readFileSync(layoutPath, 'utf-8');
         const layoutParsed = parseFile(layoutSource, { kind: 'layout', filePath: layoutPath });
         if (layoutParsed.loadFunction) {
             throw new Error(`${layoutRelPath} cannot export load(); nested layouts currently share the child route load lifecycle.`);

package/dist/compiler/routes-module-feature-blocks.js

@@ -2,7 +2,7 @@ import * as path from 'node:path';
 import { toSafeIdentifier } from './compiler-shared.js';
 export function buildRoutesModuleFeatureBlocks(opts) {
     const workerImport = `import { env as __env } from 'cloudflare:workers';`;
-    const contextImport = `import { __setRequestContext, __esc, __rawHtml, __sanitizeHtml, __setLocal, __getLocals, buildDefaultBreadcrumbs as __buildDefaultBreadcrumbs } from '${opts.runtimeContextImport}';`;
+    const contextImport = `import { __setRequestContext, __esc, __rawHtml, __sanitizeHtml, __setLocal, __getLocals, __getCsrfToken, __signFragment, buildDefaultBreadcrumbs as __buildDefaultBreadcrumbs } from '${opts.runtimeContextImport}';`;
     const runtimeImport = opts.hasRuntime && opts.runtimeImportPath
         ? `import __kuratchiRuntime from '${opts.runtimeImportPath}';`
         : '';
@@ -30,30 +30,30 @@ function buildAuthSessionInit(opts) {
     if (!opts.authConfig?.sessionEnabled)
         return '';
     const cookieName = opts.authConfig.cookieName;
-    return `
-// Auth Session Init
-
-function __parseCookies(header) {
-  const map = {};
-  if (!header) return map;
-  for (const pair of header.split(';')) {
-    const eq = pair.indexOf('=');
-    if (eq === -1) continue;
-    map[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
-  }
-  return map;
-}
-
-function __initAuth(request) {
-  const cookies = __parseCookies(request.headers.get('cookie'));
-  __setLocal('session', null);
-  __setLocal('user', null);
-  __setLocal('auth', {
-    cookies,
-    sessionCookie: cookies['${cookieName}'] || null,
-    cookieName: '${cookieName}',
-  });
-}
+    return `
+// Auth Session Init
+
+function __parseCookies(header) {
+  const map = {};
+  if (!header) return map;
+  for (const pair of header.split(';')) {
+    const eq = pair.indexOf('=');
+    if (eq === -1) continue;
+    map[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
+  }
+  return map;
+}
+
+function __initAuth(request) {
+  const cookies = __parseCookies(request.headers.get('cookie'));
+  __setLocal('session', null);
+  __setLocal('user', null);
+  __setLocal('auth', {
+    cookies,
+    sessionCookie: cookies['${cookieName}'] || null,
+    cookieName: '${cookieName}',
+  });
+}
 `;
 }
 function buildOrmMigrationBlock(opts) {
@@ -78,38 +78,38 @@ function buildOrmMigrationBlock(opts) {
             `import { kuratchiORM } from '@kuratchi/orm';`,
             ...schemaImports,
         ].join('\n'),
-        migrationInit: `
-// ORM Auto-Migration
-
-let __migrated = false;
-const __ormDatabases = [
-${migrateEntries.join(',\n')}
-];
-
-async function __runMigrations() {
-  if (__migrated) return;
-  __migrated = true;
-  for (const db of __ormDatabases) {
-    const binding = __env[db.binding];
-    if (!binding) continue;
-    try {
-      const executor = (sql, params) => {
-        let stmt = binding.prepare(sql);
-        if (params?.length) stmt = stmt.bind(...params);
-        return stmt.all().then(r => ({ success: r.success ?? true, data: r.results, results: r.results }));
-      };
-      const result = await runMigrations({ execute: executor, schema: db.schema });
-      if (result.applied) {
-        console.log('[kuratchi] ' + db.binding + ': migrated (' + result.statementsRun + ' statements)');
-      }
-      if (result.warnings.length) {
-        result.warnings.forEach(w => console.warn('[kuratchi] ' + db.binding + ': ' + w));
-      }
-    } catch (err) {
-      console.error('[kuratchi] ' + db.binding + ' migration failed:', err.message);
-    }
-  }
-}
+        migrationInit: `
+// ORM Auto-Migration
+
+let __migrated = false;
+const __ormDatabases = [
+${migrateEntries.join(',\n')}
+];
+
+async function __runMigrations() {
+  if (__migrated) return;
+  __migrated = true;
+  for (const db of __ormDatabases) {
+    const binding = __env[db.binding];
+    if (!binding) continue;
+    try {
+      const executor = (sql, params) => {
+        let stmt = binding.prepare(sql);
+        if (params?.length) stmt = stmt.bind(...params);
+        return stmt.all().then(r => ({ success: r.success ?? true, data: r.results, results: r.results }));
+      };
+      const result = await runMigrations({ execute: executor, schema: db.schema });
+      if (result.applied) {
+        console.log('[kuratchi] ' + db.binding + ': migrated (' + result.statementsRun + ' statements)');
+      }
+      if (result.warnings.length) {
+        result.warnings.forEach(w => console.warn('[kuratchi] ' + db.binding + ': ' + w));
+      }
+    } catch (err) {
+      console.error('[kuratchi] ' + db.binding + ' migration failed:', err.message);
+    }
+  }
+}
 `,
     };
 }
@@ -163,12 +163,12 @@ function buildAuthPluginBlock(opts) {
     }
     return {
         authPluginImports: imports.join('\n'),
-        authPluginInit: `
-// Auth Plugin Init
-
-function __initAuthPlugins() {
-${initLines.join('\n')}
-}
+        authPluginInit: `
+// Auth Plugin Init
+
+function __initAuthPlugins() {
+${initLines.join('\n')}
+}
 `,
     };
 }

package/dist/compiler/routes-module-runtime-shell.js

@@ -22,60 +22,70 @@ export function buildRoutesModuleRuntimeShell(opts, blocks) {
         opts.authConfig?.hasGuards ? `    { const __gRes = __checkGuard(); if (__gRes) return __gRes; }` : '',
         '    return null;',
     ].filter(Boolean).join('\n');
-    return `// Generated by KuratchiJS compiler - do not edit.
-${opts.isDev ? '\nglobalThis.__kuratchi_DEV__ = true;\n' : ''}
-${blocks.workerImport}
-import { createGeneratedWorker } from '${opts.runtimeWorkerImport}';
-${blocks.contextImport}
-${blocks.runtimeImport ? blocks.runtimeImport + '\n' : ''}${blocks.migrationImports ? blocks.migrationImports + '\n' : ''}${blocks.authPluginImports ? blocks.authPluginImports + '\n' : ''}${blocks.doImports ? blocks.doImports + '\n' : ''}${opts.serverImports.join('\n')}
-${blocks.workflowStatusRpc}
-
-// Assets
-
-const __assets = {
-${opts.compiledAssets.map((asset) => `  ${JSON.stringify(asset.name)}: { content: ${JSON.stringify(asset.content)}, mime: ${JSON.stringify(asset.mime)}, etag: ${JSON.stringify(asset.etag)} }`).join(',\n')}
-};
-
-// Layout
-
-${layoutBlock}
-
-${layoutActionsBlock}
-
-// Error pages
-
-${customErrorFunctions ? '// Custom error page overrides (user-created NNN.html)\n' + customErrorFunctions + '\n' : ''}const __customErrors = {
-${customErrorEntries}
-};
-
-${componentBlock}${blocks.migrationInit}${blocks.authInit}${blocks.authPluginInit}${blocks.doResolverInit}${blocks.doClassCode}
-// Route definitions
-
-const routes = [
-${opts.compiledRoutes.join(',\n')}
-];
-
-const __runtimeDef = (typeof __kuratchiRuntime !== 'undefined' && __kuratchiRuntime && typeof __kuratchiRuntime === 'object') ? __kuratchiRuntime : {};
-
-async function __initializeRequest(ctx) {
-${initializeRequestBody || '    return;'}
-}
-
-async function __preRouteChecks() {
-${preRouteChecksBody}
-}
-
-export default createGeneratedWorker({
-  routes,
-  layout: __layout,
-  layoutActions: __layoutActions,
-  assetsPrefix: ${JSON.stringify(opts.assetsPrefix)},
-  assets: __assets,
-  errorPages: __customErrors,
-  runtimeDefinition: __runtimeDef,
-  workflowStatusRpc: typeof __workflowStatusRpc !== 'undefined' ? __workflowStatusRpc : {},
-  initializeRequest: __initializeRequest,
-  preRouteChecks: __preRouteChecks,
-});
+    return `// Generated by KuratchiJS compiler - do not edit.
+${opts.isDev ? '\nglobalThis.__kuratchi_DEV__ = true;\n' : ''}
+${blocks.workerImport}
+import { createGeneratedWorker } from '${opts.runtimeWorkerImport}';
+${blocks.contextImport}
+${blocks.runtimeImport ? blocks.runtimeImport + '\n' : ''}${blocks.migrationImports ? blocks.migrationImports + '\n' : ''}${blocks.authPluginImports ? blocks.authPluginImports + '\n' : ''}${blocks.doImports ? blocks.doImports + '\n' : ''}${opts.serverImports.join('\n')}
+${blocks.workflowStatusRpc}
+
+// Assets
+
+const __assets = {
+${opts.compiledAssets.map((asset) => `  ${JSON.stringify(asset.name)}: { content: ${JSON.stringify(asset.content)}, mime: ${JSON.stringify(asset.mime)}, etag: ${JSON.stringify(asset.etag)} }`).join(',\n')}
+};
+
+// Layout
+
+${layoutBlock}
+
+${layoutActionsBlock}
+
+// Error pages
+
+${customErrorFunctions ? '// Custom error page overrides (user-created NNN.html)\n' + customErrorFunctions + '\n' : ''}const __customErrors = {
+${customErrorEntries}
+};
+
+${componentBlock}${blocks.migrationInit}${blocks.authInit}${blocks.authPluginInit}${blocks.doResolverInit}${blocks.doClassCode}
+// Route definitions
+
+const routes = [
+${opts.compiledRoutes.join(',\n')}
+];
+
+const __runtimeDef = (typeof __kuratchiRuntime !== 'undefined' && __kuratchiRuntime && typeof __kuratchiRuntime === 'object') ? __kuratchiRuntime : {};
+
+async function __initializeRequest(ctx) {
+${initializeRequestBody || '    return;'}
+}
+
+async function __preRouteChecks() {
+${preRouteChecksBody}
+}
+
+export default createGeneratedWorker({
+  routes,
+  layout: __layout,
+  layoutActions: __layoutActions,
+  assetsPrefix: ${JSON.stringify(opts.assetsPrefix)},
+  assets: __assets,
+  errorPages: __customErrors,
+  runtimeDefinition: __runtimeDef,
+  workflowStatusRpc: typeof __workflowStatusRpc !== 'undefined' ? __workflowStatusRpc : {},
+  initializeRequest: __initializeRequest,
+  preRouteChecks: __preRouteChecks,
+  security: {
+    csrfEnabled: ${opts.securityConfig.csrfEnabled},
+    csrfCookieName: ${JSON.stringify(opts.securityConfig.csrfCookieName)},
+    csrfHeaderName: ${JSON.stringify(opts.securityConfig.csrfHeaderName)},
+    rpcRequireAuth: ${opts.securityConfig.rpcRequireAuth},
+    actionRequireAuth: ${opts.securityConfig.actionRequireAuth},
+    contentSecurityPolicy: ${JSON.stringify(opts.securityConfig.contentSecurityPolicy)},
+    strictTransportSecurity: ${JSON.stringify(opts.securityConfig.strictTransportSecurity)},
+    permissionsPolicy: ${JSON.stringify(opts.securityConfig.permissionsPolicy)},
+  },
+});
 `;
 }

package/dist/compiler/routes-module-types.d.ts

@@ -1,4 +1,4 @@
-import type { AuthConfigEntry, DoConfigEntry, DoHandlerEntry, OrmDatabaseEntry, WorkerClassConfigEntry } from './compiler-shared.js';
+import type { AuthConfigEntry, DoConfigEntry, DoHandlerEntry, OrmDatabaseEntry, SecurityConfigEntry, WorkerClassConfigEntry } from './compiler-shared.js';
 export interface CompiledAssetEntry {
     name: string;
     content: string;
@@ -16,6 +16,7 @@ export interface GenerateRoutesModuleOptions {
     compiledErrorPages: Map<number, string>;
     ormDatabases: OrmDatabaseEntry[];
     authConfig: AuthConfigEntry | null;
+    securityConfig: SecurityConfigEntry;
     doConfig: DoConfigEntry[];
     doHandlers: DoHandlerEntry[];
     workflowConfig: WorkerClassConfigEntry[];

package/dist/compiler/server-module-pipeline.js

@@ -34,7 +34,7 @@ export function createServerModuleCompiler(options) {
         const proxyNoExt = doHandlerProxyPaths.get(normalizedNoExt);
         if (!proxyNoExt)
             return null;
-        return resolveExistingModuleFile(proxyNoExt) ?? (fs.existsSync(proxyNoExt + '.js') ? proxyNoExt + '.js' : null);
+        return resolveExistingModuleFile(proxyNoExt) ?? (fs.existsSync(proxyNoExt + '.ts') ? proxyNoExt + '.ts' : null);
     }
     function resolveImportTarget(importerAbs, spec) {
         if (spec.startsWith('$')) {

package/dist/compiler/template.js

@@ -148,7 +148,9 @@ export function splitTemplateRenderSections(template) {
     };
 }
 function buildAppendStatement(expression, emitCall) {
-    return emitCall ? `${emitCall}(${expression});` : `__html += ${expression};`;
+    // When emitCall is provided, use it (e.g., __emit(expr))
+    // Otherwise, use array push for O(n) performance
+    return emitCall ? `${emitCall}(${expression});` : `__parts.push(${expression});`;
 }
 function extractPollFragmentExpr(tagText, rpcNameMap) {
     const pollMatch = tagText.match(/\bdata-poll=\{([\s\S]*?)\}/);
@@ -275,7 +277,9 @@ export function compileTemplate(template, componentNames, actionNames, rpcNameMa
     if (options.enableFragmentManifest) {
         template = instrumentPollFragments(template, rpcNameMap);
     }
-    const out = ['let __html = "";'];
+    // Use array accumulation for O(n) performance instead of O(n²) string concatenation
+    const useArrayAccum = !emitCall;
+    const out = useArrayAccum ? ['const __parts = [];'] : ['let __html = "";'];
     const lines = template.split('\n');
     let inStyle = false;
     let inScript = false;
@@ -422,6 +426,10 @@ export function compileTemplate(template, componentNames, actionNames, rpcNameMa
         }
         out.push(...compileHtmlLineStatements(htmlLine, actionNames, rpcNameMap, options));
     }
+    // For non-emit mode, add final join to produce __html
+    if (!emitCall) {
+        out.push('let __html = __parts.join(\'\');');
+    }
     return out.join('\n');
 }
 /**
@@ -495,9 +503,9 @@ function transformClientScriptBlock(block) {
     const openTag = match[1];
     const body = match[2];
     const closeTag = match[3];
+    // TypeScript is preserved — wrangler's esbuild handles transpilation
     if (!/\$\s*:/.test(body)) {
-        const transpiled = transpileTypeScript(body, 'client-script.ts');
-        return `${openTag}${transpiled}${closeTag}`;
+        return `${openTag}${body}${closeTag}`;
     }
     const out = [];
     const lines = body.split('\n');
@@ -593,8 +601,8 @@ function transformClientScriptBlock(block) {
         break;
     }
     out.splice(insertAt, 0, 'const __k$ = window.__kuratchiReactive;');
-    const transpiled = transpileTypeScript(out.join('\n'), 'client-script.ts');
-    return `${openTag}${transpiled}${closeTag}`;
+    // TypeScript is preserved — wrangler's esbuild handles transpilation
+    return `${openTag}${out.join('\n')}${closeTag}`;
 }
 function braceDelta(line) {
     let delta = 0;
@@ -1021,7 +1029,7 @@ function compileHtmlSegment(line, actionNames, rpcNameMap, options = {}) {
                     continue;
                 }
                 else if (attrName === 'data-poll') {
-                    // data-poll={fn(args)} → data-poll="fnName" data-poll-args="[serialized]" data-poll-id="stable-id"
+                    // data-poll={fn(args)} → data-poll="fnName" data-poll-args="[serialized]" data-poll-id="signed-id"
                     const pollCallMatch = inner.match(/^(\w+)\((.*)\)$/);
                     if (pollCallMatch) {
                         const fnName = pollCallMatch[1];
@@ -1029,16 +1037,16 @@ function compileHtmlSegment(line, actionNames, rpcNameMap, options = {}) {
                         const argsExpr = pollCallMatch[2].trim();
                         // Remove the trailing "data-poll=" we already appended
                         result = result.replace(/\s*data-poll=$/, '');
-                        // Emit data-poll, data-poll-args, and stable data-poll-id (based on fn + args expression)
+                        // Emit data-poll, data-poll-args, and signed data-poll-id (signed at runtime for security)
                         result += ` data-poll="${rpcName}"`;
                         if (argsExpr) {
                             result += ` data-poll-args="\${__esc(JSON.stringify([${argsExpr}]))}"`;
-                            // Stable ID based on args so same data produces same ID across renders
-                            result += ` data-poll-id="\${__esc('__poll_' + String(${argsExpr}).replace(/[^a-zA-Z0-9]/g, '_'))}"`;
+                            // Sign the fragment ID at runtime with __signFragment(fragmentId, routePath)
+                            result += ` data-poll-id="\${__signFragment('__poll_' + String(${argsExpr}).replace(/[^a-zA-Z0-9]/g, '_'))}"`;
                         }
                         else {
-                            // No args - use function name as ID
-                            result += ` data-poll-id="__poll_${rpcName}"`;
+                            // No args - sign with function name as base ID
+                            result += ` data-poll-id="\${__signFragment('__poll_${rpcName}')}"`;
                         }
                     }
                     pos = closeIdx + 1;
@@ -1054,12 +1062,13 @@ function compileHtmlSegment(line, actionNames, rpcNameMap, options = {}) {
                     if (!isServerAction) {
                         throw new Error(`Invalid action expression: "${inner}". Use action={myActionFn} for server actions.`);
                     }
-                    // Remove trailing `action=` from output and inject _action hidden field.
+                    // Remove trailing `action=` from output and inject _action hidden field + CSRF token.
                     result = result.replace(/\s*action=$/, '');
                     const actionValue = actionNames === undefined
                         ? `\${__esc(${inner})}`
                         : inner;
-                    pendingActionHiddenInput = `\\n<input type="hidden" name="_action" value="${actionValue}">`;
+                    // Inject both _action and _csrf hidden fields for server action forms
+                    pendingActionHiddenInput = `\\n<input type="hidden" name="_action" value="${actionValue}">\\n<input type="hidden" name="_csrf" value="\${__getCsrfToken()}">`;
                     pos = closeIdx + 1;
                     continue;
                 }
@@ -1199,4 +1208,4 @@ export function generateRenderFunction(template) {
   ${body}
 }`;
 }
-import { transpileTypeScript } from './transpile.js';
+// TypeScript transpilation removed — wrangler's esbuild handles it

package/dist/compiler/worker-output-pipeline.js

@@ -29,8 +29,8 @@ export function buildWorkerEntrypointSource(opts) {
     });
     return [
         '// Auto-generated by kuratchi — do not edit.',
-        "export { default } from './routes.js';",
-        ...opts.doClassNames.map((className) => `export { ${className} } from './routes.js';`),
+        "export { default } from './routes.ts';",
+        ...opts.doClassNames.map((className) => `export { ${className} } from './routes.ts';`),
         ...workerClassExports,
         '',
     ].join('\n');

package/dist/runtime/context.d.ts

@@ -57,3 +57,7 @@ export declare function __esc(v: any): string;
 export declare function __rawHtml(v: any): string;
 /** Best-effort HTML sanitizer for {@html ...} template output. */
 export declare function __sanitizeHtml(v: any): string;
+/** Get CSRF token for form injection (used by template compiler) */
+export declare function __getCsrfToken(): string;
+/** Sign a fragment ID for secure polling (used by template compiler) */
+export declare function __signFragment(fragmentId: string): string;

package/dist/runtime/context.js

@@ -161,13 +161,51 @@ export function __rawHtml(v) {
 /** Best-effort HTML sanitizer for {@html ...} template output. */
 export function __sanitizeHtml(v) {
     let html = __rawHtml(v);
+    // Remove dangerous elements entirely
     html = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
     html = html.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe>/gi, '');
     html = html.replace(/<object\b[^>]*>[\s\S]*?<\/object>/gi, '');
     html = html.replace(/<embed\b[^>]*>/gi, '');
+    html = html.replace(/<base\b[^>]*>/gi, '');
+    html = html.replace(/<meta\b[^>]*>/gi, '');
+    html = html.replace(/<link\b[^>]*>/gi, '');
+    html = html.replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, '');
+    html = html.replace(/<template\b[^>]*>[\s\S]*?<\/template>/gi, '');
+    html = html.replace(/<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi, '');
+    // Remove all event handlers (on*)
     html = html.replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
-    html = html.replace(/\s(href|src|xlink:href)\s*=\s*(["'])\s*javascript:[\s\S]*?\2/gi, ' $1="#"');
-    html = html.replace(/\s(href|src|xlink:href)\s*=\s*javascript:[^\s>]+/gi, ' $1="#"');
+    // Remove javascript: URLs in href, src, xlink:href, action, formaction, data
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*(["'])\s*javascript:[\s\S]*?\2/gi, ' $1="#"');
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*javascript:[^\s>]+/gi, ' $1="#"');
+    // Remove vbscript: URLs
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*(["'])\s*vbscript:[\s\S]*?\2/gi, ' $1="#"');
+    html = html.replace(/\s(href|src|xlink:href|action|formaction|data)\s*=\s*vbscript:[^\s>]+/gi, ' $1="#"');
+    // Remove data: URLs in src (can contain scripts)
+    html = html.replace(/\ssrc\s*=\s*(["'])\s*data:[\s\S]*?\1/gi, ' src="#"');
+    html = html.replace(/\ssrc\s*=\s*data:[^\s>]+/gi, ' src="#"');
+    // Remove srcdoc (can contain arbitrary HTML)
     html = html.replace(/\ssrcdoc\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    // Remove form-related dangerous attributes
+    html = html.replace(/\sformaction\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    // Remove SVG-specific dangerous elements
+    html = html.replace(/<foreignObject\b[^>]*>[\s\S]*?<\/foreignObject>/gi, '');
+    html = html.replace(/<use\b[^>]*>/gi, '');
     return html;
 }
+/** Get CSRF token for form injection (used by template compiler) */
+export function __getCsrfToken() {
+    return __locals.__csrfToken || '';
+}
+/** Sign a fragment ID for secure polling (used by template compiler) */
+export function __signFragment(fragmentId) {
+    const token = __locals.__csrfToken || '';
+    const routePath = __locals.__currentRoutePath || '/';
+    const payload = `${fragmentId}:${routePath}:${token}`;
+    // FNV-1a hash for fast, consistent signing
+    let hash = 2166136261;
+    for (let i = 0; i < payload.length; i++) {
+        hash ^= payload.charCodeAt(i);
+        hash = (hash * 16777619) >>> 0;
+    }
+    return `${fragmentId}:${hash.toString(36)}`;
+}