@mandujs/core 0.12.2 → 0.13.0

package/src/runtime/router.ts

@@ -81,14 +81,14 @@ export class RouterError extends Error {
 /**
  * Wildcard 설정
  */
-interface WildcardConfig {
-  /** 파라미터 이름 (예: "path" for :path*) */
-  name: string;
-  /** optional 여부 (예: :path*? 는 optional) */
-  optional: boolean;
-  /** 라우트 정보 */
-  route: RouteSpec;
-}
+interface WildcardConfig {
+  /** 파라미터 이름 (예: "path" for :path*) */
+  name: string;
+  /** optional 여부 (예: :path*? 는 optional) */
+  optional: boolean;
+  /** 라우트 정보 */
+  route: RouteSpec;
+}
 
 /**
  * Trie node for dynamic route matching
@@ -133,7 +133,7 @@ class TrieNode {
  *
  * @returns Decoded string or null if security violation
  */
-function safeDecodeURIComponent(str: string): string | null {
+function safeDecodeURIComponent(str: string): string | null {
   // 1. Pre-decode %2F check
   if (ENCODED_SLASH_PATTERN.test(str)) {
     return null;
@@ -158,26 +158,26 @@ function safeDecodeURIComponent(str: string): string | null {
     return null;
   }
 
-  return decoded;
-}
-
-/**
- * Decode wildcard segments safely (per-segment)
- */
-function decodeWildcardSegments(segments: string[]): string | null {
-  if (segments.length === 0) return "";
-
-  const decodedSegments: string[] = [];
-  for (const segment of segments) {
-    const decoded = safeDecodeURIComponent(segment);
-    if (decoded === null) {
-      return null;
-    }
-    decodedSegments.push(decoded);
-  }
-
-  return decodedSegments.join("/");
-}
+  return decoded;
+}
+
+/**
+ * Decode wildcard segments safely (per-segment)
+ */
+function decodeWildcardSegments(segments: string[]): string | null {
+  if (segments.length === 0) return "";
+
+  const decodedSegments: string[] = [];
+  for (const segment of segments) {
+    const decoded = safeDecodeURIComponent(segment);
+    if (decoded === null) {
+      return null;
+    }
+    decodedSegments.push(decoded);
+  }
+
+  return decodedSegments.join("/");
+}
 
 // ═══════════════════════════════════════════════════════════════════════════
 // Router Class
@@ -371,47 +371,47 @@ export class Router {
   private insertTrie(pattern: string, segments: string[], route: RouteSpec): void {
     let node = this.trie;
 
-    for (let i = 0; i < segments.length; i++) {
-      const seg = segments[i];
-
-      // Legacy wildcard: *
-      if (seg === "*") {
-        if (node.wildcardConfig) {
-          throw new RouterError(
-            `Wildcard conflict in pattern "${pattern}"`,
-            "ROUTE_CONFLICT",
-            route.id,
-            node.wildcardConfig.route.id
-          );
-        }
-        node.wildcardConfig = {
-          name: WILDCARD_PARAM_KEY,
-          optional: false,
-          route,
-        };
-        return;
-      }
+    for (let i = 0; i < segments.length; i++) {
+      const seg = segments[i];
+
+      // Legacy wildcard: *
+      if (seg === "*") {
+        if (node.wildcardConfig) {
+          throw new RouterError(
+            `Wildcard conflict in pattern "${pattern}"`,
+            "ROUTE_CONFLICT",
+            route.id,
+            node.wildcardConfig.route.id
+          );
+        }
+        node.wildcardConfig = {
+          name: WILDCARD_PARAM_KEY,
+          optional: false,
+          route,
+        };
+        return;
+      }
 
       // Parameter handling (including wildcards)
       if (seg.startsWith(":")) {
         // Check for wildcard pattern: :param* or :param*?
         const wildcardMatch = seg.match(/^:([^*?]+)\*(\?)?$/);
-        if (wildcardMatch) {
-          const paramName = wildcardMatch[1];
-          const isOptional = wildcardMatch[2] === "?";
-
-          if (node.wildcardConfig) {
-            throw new RouterError(
-              `Wildcard conflict in pattern "${pattern}"`,
-              "ROUTE_CONFLICT",
-              route.id,
-              node.wildcardConfig.route.id
-            );
-          }
-
-          node.wildcardConfig = {
-            name: paramName,
-            optional: isOptional,
+        if (wildcardMatch) {
+          const paramName = wildcardMatch[1];
+          const isOptional = wildcardMatch[2] === "?";
+
+          if (node.wildcardConfig) {
+            throw new RouterError(
+              `Wildcard conflict in pattern "${pattern}"`,
+              "ROUTE_CONFLICT",
+              route.id,
+              node.wildcardConfig.route.id
+            );
+          }
+
+          node.wildcardConfig = {
+            name: paramName,
+            optional: isOptional,
             route,
           };
 
@@ -494,18 +494,18 @@ export class Router {
         continue;
       }
 
-      // 3. No match - try wildcard fallback
-      if (wildcardMatch) {
-        const remainingSegments = segments.slice(wildcardMatch.consumed);
-        const remaining = decodeWildcardSegments(remainingSegments);
-        if (remaining === null) {
-          return null;
-        }
-        if (this.debug) {
-          console.log(`[Router] Wildcard match: ${wildcardMatch.config.route.id} with ${remaining}`);
-        }
-        return {
-          route: wildcardMatch.config.route,
+      // 3. No match - try wildcard fallback
+      if (wildcardMatch) {
+        const remainingSegments = segments.slice(wildcardMatch.consumed);
+        const remaining = decodeWildcardSegments(remainingSegments);
+        if (remaining === null) {
+          return null;
+        }
+        if (this.debug) {
+          console.log(`[Router] Wildcard match: ${wildcardMatch.config.route.id} with ${remaining}`);
+        }
+        return {
+          route: wildcardMatch.config.route,
           params: { ...params, [wildcardMatch.config.name]: remaining },
         };
       }
@@ -522,36 +522,36 @@ export class Router {
       return { route: node.route, params };
     }
 
-    // Check for wildcard at current node (but with no remaining segments)
-    if (node.wildcardConfig) {
-      // Optional wildcard: /files/:path*? matches /files (with empty path param)
-      if (node.wildcardConfig.optional) {
-        if (this.debug) {
-          console.log(`[Router] Optional wildcard match: ${node.wildcardConfig.route.id} with empty path`);
-        }
-        return {
-          route: node.wildcardConfig.route,
-          params,
-        };
-      }
-      // Non-optional wildcard: /files/:path* does NOT match /files
-      if (this.debug) {
-        console.log(`[Router] Wildcard policy: ${pathname} does not match non-optional wildcard`);
-      }
+    // Check for wildcard at current node (but with no remaining segments)
+    if (node.wildcardConfig) {
+      // Optional wildcard: /files/:path*? matches /files (with empty path param)
+      if (node.wildcardConfig.optional) {
+        if (this.debug) {
+          console.log(`[Router] Optional wildcard match: ${node.wildcardConfig.route.id} with empty path`);
+        }
+        return {
+          route: node.wildcardConfig.route,
+          params,
+        };
+      }
+      // Non-optional wildcard: /files/:path* does NOT match /files
+      if (this.debug) {
+        console.log(`[Router] Wildcard policy: ${pathname} does not match non-optional wildcard`);
+      }
     }
 
-    // Try wildcard fallback from earlier in the path
-    if (wildcardMatch) {
-      const remainingSegments = segments.slice(wildcardMatch.consumed);
-      const remaining = decodeWildcardSegments(remainingSegments);
-      if (remaining === null) {
-        return null;
-      }
-      return {
-        route: wildcardMatch.config.route,
-        params: { ...params, [wildcardMatch.config.name]: remaining },
-      };
-    }
+    // Try wildcard fallback from earlier in the path
+    if (wildcardMatch) {
+      const remainingSegments = segments.slice(wildcardMatch.consumed);
+      const remaining = decodeWildcardSegments(remainingSegments);
+      if (remaining === null) {
+        return null;
+      }
+      return {
+        route: wildcardMatch.config.route,
+        params: { ...params, [wildcardMatch.config.name]: remaining },
+      };
+    }
 
     return null;
   }

package/src/runtime/security.ts

@@ -1,155 +1,155 @@
-/**
- * Runtime Security
- *
- * 동적 import 및 경로 접근 보안 검증
- */
-
-import path from "path";
-import type { Result } from "../error/result";
-import { ok, err } from "../error/result";
-import { SecurityError } from "../error/domains";
-
-/**
- * 허용된 import 경로 패턴
- */
-const ALLOWED_IMPORT_PATTERNS = [
-  /^app\//,           // app/ 디렉토리 (FS Routes)
-  /^src\/client\//,   // 클라이언트 코드
-  /^src\/server\//,   // 서버 코드
-  /^src\/shared\//,   // 공유 코드
-  /^spec\//,          // Spec 디렉토리 (레거시)
-];
-
-/**
- * 허용된 파일 확장자
- */
-const ALLOWED_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx", ".mjs"];
-
-/**
- * 차단된 경로 패턴
- */
-const BLOCKED_PATTERNS = [
-  /node_modules/,     // node_modules 직접 접근 차단
-  /\.env/,            // 환경 변수 파일
-  /\.git/,            // Git 디렉토리
-  /\.mandu\/.*\.json$/, // 설정 파일
-];
-
-/**
- * 동적 import 경로 검증
- *
- * @param rootDir 프로젝트 루트 디렉토리
- * @param modulePath 상대 모듈 경로 (예: "app/layout.tsx")
- * @returns 검증된 전체 경로 또는 에러
- */
-export function validateImportPath(
-  rootDir: string,
-  modulePath: string
-): Result<string> {
-  // 1. 경로 정규화
-  const normalized = path.posix.normalize(modulePath).replace(/\\/g, "/");
-
-  // 2. Path traversal 체크
-  if (normalized.includes("..")) {
-    return err(
-      new SecurityError(
-        "path_traversal",
-        `경로 탐색 공격 감지: ${modulePath}`,
-        modulePath
-      ).toManduError()
-    );
-  }
-
-  // 3. 차단된 패턴 체크
-  for (const pattern of BLOCKED_PATTERNS) {
-    if (pattern.test(normalized)) {
-      return err(
-        new SecurityError(
-          "import_violation",
-          `차단된 경로 접근: ${modulePath}`,
-          modulePath
-        ).toManduError()
-      );
-    }
-  }
-
-  // 4. 화이트리스트 검증
-  const isAllowed = ALLOWED_IMPORT_PATTERNS.some((pattern) =>
-    pattern.test(normalized)
-  );
-
-  if (!isAllowed) {
-    return err(
-      new SecurityError(
-        "import_violation",
-        `허용되지 않은 import 경로: ${modulePath}. 허용된 경로: app/, src/client/, src/server/, src/shared/, spec/`,
-        modulePath
-      ).toManduError()
-    );
-  }
-
-  // 5. 확장자 검증 (있는 경우만)
-  const ext = path.extname(normalized);
-  if (ext && !ALLOWED_EXTENSIONS.includes(ext)) {
-    return err(
-      new SecurityError(
-        "import_violation",
-        `허용되지 않은 파일 확장자: ${ext}`,
-        modulePath
-      ).toManduError()
-    );
-  }
-
-  // 6. 전체 경로 생성
-  const fullPath = path.join(rootDir, normalized);
-
-  // 7. 최종 경로가 rootDir 내에 있는지 확인
-  const resolvedPath = path.resolve(fullPath);
-  const resolvedRoot = path.resolve(rootDir);
-
-  if (!resolvedPath.startsWith(resolvedRoot + path.sep)) {
-    return err(
-      new SecurityError(
-        "path_traversal",
-        `루트 디렉토리 외부 접근 시도: ${modulePath}`,
-        modulePath
-      ).toManduError()
-    );
-  }
-
-  return ok(fullPath);
-}
-
-/**
- * 안전한 동적 import
- *
- * @param rootDir 프로젝트 루트 디렉토리
- * @param modulePath 상대 모듈 경로
- * @returns 로드된 모듈 또는 null
- */
-export async function safeImport<T = unknown>(
-  rootDir: string,
-  modulePath: string
-): Promise<T | null> {
-  const validation = validateImportPath(rootDir, modulePath);
-
-  if (!validation.ok) {
-    console.error(`[Mandu Security] ${validation.error.message}`);
-    return null;
-  }
-
-  try {
-    const module = await import(validation.value);
-    return module as T;
-  } catch (error) {
-    console.error(`[Mandu] Failed to import: ${modulePath}`, error);
-    return null;
-  }
-}
-
-/**
- * 모듈 경로 검증 (boolean 반환)
- */
-export function isValidImportPath(rootDir: string, modulePath: string): boolean {
-  return validateImportPath(rootDir, modulePath).ok;
-}
+/**
+ * Runtime Security
+ *
+ * 동적 import 및 경로 접근 보안 검증
+ */
+
+import path from "path";
+import type { Result } from "../error/result";
+import { ok, err } from "../error/result";
+import { SecurityError } from "../error/domains";
+
+/**
+ * 허용된 import 경로 패턴
+ */
+const ALLOWED_IMPORT_PATTERNS = [
+  /^app\//,           // app/ 디렉토리 (FS Routes)
+  /^src\/client\//,   // 클라이언트 코드
+  /^src\/server\//,   // 서버 코드
+  /^src\/shared\//,   // 공유 코드
+  /^spec\//,          // Spec 디렉토리 (레거시)
+];
+
+/**
+ * 허용된 파일 확장자
+ */
+const ALLOWED_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx", ".mjs"];
+
+/**
+ * 차단된 경로 패턴
+ */
+const BLOCKED_PATTERNS = [
+  /node_modules/,     // node_modules 직접 접근 차단
+  /\.env/,            // 환경 변수 파일
+  /\.git/,            // Git 디렉토리
+  /\.mandu\/.*\.json$/, // 설정 파일
+];
+
+/**
+ * 동적 import 경로 검증
+ *
+ * @param rootDir 프로젝트 루트 디렉토리
+ * @param modulePath 상대 모듈 경로 (예: "app/layout.tsx")
+ * @returns 검증된 전체 경로 또는 에러
+ */
+export function validateImportPath(
+  rootDir: string,
+  modulePath: string
+): Result<string> {
+  // 1. 경로 정규화
+  const normalized = path.posix.normalize(modulePath).replace(/\\/g, "/");
+
+  // 2. Path traversal 체크
+  if (normalized.includes("..")) {
+    return err(
+      new SecurityError(
+        "path_traversal",
+        `경로 탐색 공격 감지: ${modulePath}`,
+        modulePath
+      ).toManduError()
+    );
+  }
+
+  // 3. 차단된 패턴 체크
+  for (const pattern of BLOCKED_PATTERNS) {
+    if (pattern.test(normalized)) {
+      return err(
+        new SecurityError(
+          "import_violation",
+          `차단된 경로 접근: ${modulePath}`,
+          modulePath
+        ).toManduError()
+      );
+    }
+  }
+
+  // 4. 화이트리스트 검증
+  const isAllowed = ALLOWED_IMPORT_PATTERNS.some((pattern) =>
+    pattern.test(normalized)
+  );
+
+  if (!isAllowed) {
+    return err(
+      new SecurityError(
+        "import_violation",
+        `허용되지 않은 import 경로: ${modulePath}. 허용된 경로: app/, src/client/, src/server/, src/shared/, spec/`,
+        modulePath
+      ).toManduError()
+    );
+  }
+
+  // 5. 확장자 검증 (있는 경우만)
+  const ext = path.extname(normalized);
+  if (ext && !ALLOWED_EXTENSIONS.includes(ext)) {
+    return err(
+      new SecurityError(
+        "import_violation",
+        `허용되지 않은 파일 확장자: ${ext}`,
+        modulePath
+      ).toManduError()
+    );
+  }
+
+  // 6. 전체 경로 생성
+  const fullPath = path.join(rootDir, normalized);
+
+  // 7. 최종 경로가 rootDir 내에 있는지 확인
+  const resolvedPath = path.resolve(fullPath);
+  const resolvedRoot = path.resolve(rootDir);
+
+  if (!resolvedPath.startsWith(resolvedRoot + path.sep)) {
+    return err(
+      new SecurityError(
+        "path_traversal",
+        `루트 디렉토리 외부 접근 시도: ${modulePath}`,
+        modulePath
+      ).toManduError()
+    );
+  }
+
+  return ok(fullPath);
+}
+
+/**
+ * 안전한 동적 import
+ *
+ * @param rootDir 프로젝트 루트 디렉토리
+ * @param modulePath 상대 모듈 경로
+ * @returns 로드된 모듈 또는 null
+ */
+export async function safeImport<T = unknown>(
+  rootDir: string,
+  modulePath: string
+): Promise<T | null> {
+  const validation = validateImportPath(rootDir, modulePath);
+
+  if (!validation.ok) {
+    console.error(`[Mandu Security] ${validation.error.message}`);
+    return null;
+  }
+
+  try {
+    const module = await import(validation.value);
+    return module as T;
+  } catch (error) {
+    console.error(`[Mandu] Failed to import: ${modulePath}`, error);
+    return null;
+  }
+}
+
+/**
+ * 모듈 경로 검증 (boolean 반환)
+ */
+export function isValidImportPath(rootDir: string, modulePath: string): boolean {
+  return validateImportPath(rootDir, modulePath).ok;
+}

package/src/runtime/server.ts

@@ -938,7 +938,7 @@ async function handleRequestInternal(
     message: `Unknown route kind: ${route.kind}`,
     summary: "알 수 없는 라우트 종류 - 프레임워크 버그",
     fix: {
-      file: "spec/routes.manifest.json",
+      file: ".mandu/routes.manifest.json",
       suggestion: "라우트의 kind는 'api' 또는 'page'여야 합니다",
     },
     route: { id: route.id, pattern: route.pattern },
@@ -957,29 +957,29 @@ function isPortInUseError(error: unknown): boolean {
   return code === "EADDRINUSE" || message.includes("EADDRINUSE") || message.includes("address already in use");
 }
 
-function startBunServerWithFallback(options: {
-  port: number;
-  hostname?: string;
-  fetch: (req: Request) => Promise<Response>;
-}): { server: Server; port: number; attempts: number } {
-  const { port: startPort, hostname, fetch } = options;
-  let lastError: unknown = null;
-
-  // Port 0: let Bun/OS pick an available ephemeral port.
-  if (startPort === 0) {
-    const server = Bun.serve({
-      port: 0,
-      hostname,
-      fetch,
-    });
-    return { server, port: server.port ?? 0, attempts: 0 };
-  }
-
-  for (let attempt = 0; attempt < MAX_PORT_ATTEMPTS; attempt++) {
-    const candidate = startPort + attempt;
-    if (candidate < 1 || candidate > 65535) {
-      continue;
-    }
+function startBunServerWithFallback(options: {
+  port: number;
+  hostname?: string;
+  fetch: (req: Request) => Promise<Response>;
+}): { server: Server; port: number; attempts: number } {
+  const { port: startPort, hostname, fetch } = options;
+  let lastError: unknown = null;
+
+  // Port 0: let Bun/OS pick an available ephemeral port.
+  if (startPort === 0) {
+    const server = Bun.serve({
+      port: 0,
+      hostname,
+      fetch,
+    });
+    return { server, port: server.port ?? 0, attempts: 0 };
+  }
+
+  for (let attempt = 0; attempt < MAX_PORT_ATTEMPTS; attempt++) {
+    const candidate = startPort + attempt;
+    if (candidate < 1 || candidate > 65535) {
+      continue;
+    }
     try {
       const server = Bun.serve({
         port: candidate,