@nexus_js/server 0.6.0

package/dist/context.js

@@ -0,0 +1,68 @@
+/**
+ * Nexus Request Context — passed to every page, layout and server action.
+ * Inspired by SvelteKit's RequestEvent and Next.js's Request/Response pattern.
+ */
+/** Internal redirect signal */
+export class RedirectSignal {
+    location;
+    status;
+    constructor(location, status) {
+        this.location = location;
+        this.status = status;
+    }
+}
+/** Internal not-found signal */
+export class NotFoundSignal {
+}
+export function createContext(request, params = {}) {
+    const url = new URL(request.url);
+    const responseHeaders = new Headers();
+    const cookies = parseCookies(request.headers.get('cookie') ?? '');
+    return {
+        request,
+        params,
+        url,
+        headers: request.headers,
+        locals: {},
+        setHeader(key, value) {
+            responseHeaders.set(key, value);
+        },
+        setCookie(name, value, opts = {}) {
+            const parts = [`${name}=${encodeURIComponent(value)}`];
+            if (opts.path)
+                parts.push(`Path=${opts.path}`);
+            if (opts.domain)
+                parts.push(`Domain=${opts.domain}`);
+            if (opts.maxAge !== undefined)
+                parts.push(`Max-Age=${opts.maxAge}`);
+            if (opts.expires)
+                parts.push(`Expires=${opts.expires.toUTCString()}`);
+            if (opts.httpOnly)
+                parts.push('HttpOnly');
+            if (opts.secure)
+                parts.push('Secure');
+            if (opts.sameSite)
+                parts.push(`SameSite=${opts.sameSite}`);
+            responseHeaders.append('Set-Cookie', parts.join('; '));
+        },
+        getCookie(name) {
+            return cookies[name];
+        },
+        redirect(location, status = 302) {
+            throw new RedirectSignal(location, status);
+        },
+        notFound() {
+            throw new NotFoundSignal();
+        },
+    };
+}
+function parseCookies(header) {
+    const result = {};
+    for (const part of header.split(';')) {
+        const [key, ...vals] = part.trim().split('=');
+        if (key)
+            result[key.trim()] = decodeURIComponent(vals.join('=').trim());
+    }
+    return result;
+}
+//# sourceMappingURL=context.js.map

package/dist/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA8BH,+BAA+B;AAC/B,MAAM,OAAO,cAAc;IAEP;IACA;IAFlB,YACkB,QAAgB,EAChB,MAAc;QADd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,WAAM,GAAN,MAAM,CAAQ;IAC7B,CAAC;CACL;AAED,gCAAgC;AAChC,MAAM,OAAO,cAAc;CAAG;AAE9B,MAAM,UAAU,aAAa,CAC3B,OAAgB,EAChB,SAAiC,EAAE;IAEnC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,eAAe,GAAG,IAAI,OAAO,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAElE,OAAO;QACL,OAAO;QACP,MAAM;QACN,GAAG;QACH,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,EAAE;QAEV,SAAS,CAAC,GAAG,EAAE,KAAK;YAClB,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAClC,CAAC;QAED,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE;YAC9B,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACvD,IAAI,IAAI,CAAC,IAAI;gBAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/C,IAAI,IAAI,CAAC,MAAM;gBAAE,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACrD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;gBAAE,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACpE,IAAI,IAAI,CAAC,OAAO;gBAAE,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;YACtE,IAAI,IAAI,CAAC,QAAQ;gBAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC1C,IAAI,IAAI,CAAC,MAAM;gBAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,IAAI,CAAC,QAAQ;gBAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3D,eAAe,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACzD,CAAC;QAED,SAAS,CAAC,IAAI;YACZ,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QAED,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG;YAC7B,MAAM,IAAI,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,CAAC;QAED,QAAQ;YACN,MAAM,IAAI,cAAc,EAAE,CAAC;QAC7B,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAc;IAClC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,GAAG;YAAE,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/csrf.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Nexus Action Integrity — Anti-CSRF & Anti-Replay Protection.
+ *
+ * Every Server Action invocation is protected by an ephemeral, HMAC-signed,
+ * single-use token. The flow:
+ *
+ *   1. Server renders an island → calls generateActionToken(sessionId, action)
+ *   2. Token is embedded in the HTML as a data attribute on the island
+ *   3. Client POSTs the action with the token in x-nexus-action-token header
+ *   4. Server calls validateActionToken() — verifies HMAC, session, expiry, and
+ *      "burns" the token (single-use). A replay of the same token → blocked.
+ *
+ * Properties:
+ *  - HMAC-SHA256 signed with the app secret (tamper-proof)
+ *  - Bound to sessionId + actionName (no cross-action reuse)
+ *  - Expires after ACTION_TOKEN_TTL (default 15 min)
+ *  - Single-use: consumed on first valid use (replay attack prevention)
+ *  - Constant-time comparison to prevent timing attacks
+ */
+/** Request header name for the action token. */
+export declare const ACTION_TOKEN_HEADER = "x-nexus-action-token";
+export interface TokenValidationResult {
+    valid: boolean;
+    reason?: string;
+    /** True if the token was valid but has been consumed (replay attempt). */
+    replayed?: boolean;
+}
+/**
+ * Generates a signed, single-use action token.
+ *
+ * @param sessionId   Unique identifier for the current user session (cookie, JWT sub, etc.)
+ * @param actionName  The action being authorized (e.g. 'capture', 'update-favorites')
+ * @param secret      App-level secret — should come from process.env.NEXUS_SECRET
+ * @returns           base64url-encoded token safe to embed in HTML
+ */
+export declare function generateActionToken(sessionId: string, actionName: string, secret: string): string;
+/**
+ * Validates and consumes an action token. Calling this twice with the same
+ * token will return `{ valid: false, replayed: true }` on the second call.
+ *
+ * @param token       Token from x-nexus-action-token header
+ * @param sessionId   Current user's session ID
+ * @param actionName  The action being invoked
+ * @param secret      Same secret used during generation
+ */
+export declare function validateActionToken(token: string, sessionId: string, actionName: string, secret: string): TokenValidationResult;
+/**
+ * Extracts session ID from a request using common patterns.
+ * Override with your own session logic in production.
+ */
+export declare function extractSessionId(request: Request): string;
+/**
+ * Generates a session ID that is safe to store in a cookie.
+ */
+export declare function generateSessionId(): string;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../src/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAcH,gDAAgD;AAChD,eAAO,MAAM,mBAAmB,yBAAyB,CAAC;AAE1D,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAK,OAAO,CAAC;IAClB,MAAM,CAAC,EAAG,MAAM,CAAC;IACjB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAID;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAG,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAM,MAAM,GACjB,MAAM,CAMR;AAID;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAO,MAAM,EAClB,SAAS,EAAG,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAM,MAAM,GACjB,qBAAqB,CAiDvB;AAkCD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAczD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}

package/dist/csrf.js

@@ -0,0 +1,153 @@
+/**
+ * Nexus Action Integrity — Anti-CSRF & Anti-Replay Protection.
+ *
+ * Every Server Action invocation is protected by an ephemeral, HMAC-signed,
+ * single-use token. The flow:
+ *
+ *   1. Server renders an island → calls generateActionToken(sessionId, action)
+ *   2. Token is embedded in the HTML as a data attribute on the island
+ *   3. Client POSTs the action with the token in x-nexus-action-token header
+ *   4. Server calls validateActionToken() — verifies HMAC, session, expiry, and
+ *      "burns" the token (single-use). A replay of the same token → blocked.
+ *
+ * Properties:
+ *  - HMAC-SHA256 signed with the app secret (tamper-proof)
+ *  - Bound to sessionId + actionName (no cross-action reuse)
+ *  - Expires after ACTION_TOKEN_TTL (default 15 min)
+ *  - Single-use: consumed on first valid use (replay attack prevention)
+ *  - Constant-time comparison to prevent timing attacks
+ */
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+/** Token lifetime — 15 minutes. Matches typical form interaction time. */
+const ACTION_TOKEN_TTL_MS = 15 * 60 * 1_000;
+/**
+ * In-memory set of consumed tokens. In a multi-process / serverless deployment
+ * this should be backed by Redis or a distributed cache. For single-process
+ * (Node.js server) this is sufficient.
+ */
+const USED_TOKENS = new Set();
+/** Request header name for the action token. */
+export const ACTION_TOKEN_HEADER = 'x-nexus-action-token';
+// ── Token generation ──────────────────────────────────────────────────────────
+/**
+ * Generates a signed, single-use action token.
+ *
+ * @param sessionId   Unique identifier for the current user session (cookie, JWT sub, etc.)
+ * @param actionName  The action being authorized (e.g. 'capture', 'update-favorites')
+ * @param secret      App-level secret — should come from process.env.NEXUS_SECRET
+ * @returns           base64url-encoded token safe to embed in HTML
+ */
+export function generateActionToken(sessionId, actionName, secret) {
+    const ts = Date.now().toString(36); // compact timestamp
+    const nonce = randomBytes(8).toString('hex'); // 8 bytes = 64 bits of entropy
+    const payload = `${sessionId}\x00${actionName}\x00${ts}\x00${nonce}`;
+    const sig = sign(payload, secret);
+    return Buffer.from(`${payload}\x00${sig}`).toString('base64url');
+}
+// ── Token validation ──────────────────────────────────────────────────────────
+/**
+ * Validates and consumes an action token. Calling this twice with the same
+ * token will return `{ valid: false, replayed: true }` on the second call.
+ *
+ * @param token       Token from x-nexus-action-token header
+ * @param sessionId   Current user's session ID
+ * @param actionName  The action being invoked
+ * @param secret      Same secret used during generation
+ */
+export function validateActionToken(token, sessionId, actionName, secret) {
+    // 1. Replay check (fast path before expensive HMAC)
+    if (USED_TOKENS.has(token)) {
+        return { valid: false, replayed: true, reason: 'Token already used — replay attack prevented' };
+    }
+    // 2. Decode
+    let raw;
+    try {
+        raw = Buffer.from(token, 'base64url').toString('utf-8');
+    }
+    catch {
+        return { valid: false, reason: 'Malformed token (invalid base64url)' };
+    }
+    const parts = raw.split('\x00');
+    if (parts.length !== 5) {
+        return { valid: false, reason: 'Malformed token (wrong structure)' };
+    }
+    const [tokenSession, tokenAction, tsBase36, , sig] = parts;
+    const payloadWithoutSig = parts.slice(0, 4).join('\x00');
+    // 3. Verify HMAC in constant time (prevents timing side-channel)
+    const expectedSig = sign(payloadWithoutSig, secret);
+    if (!safeEqual(sig, expectedSig)) {
+        return { valid: false, reason: 'Invalid signature — possible CSRF attack' };
+    }
+    // 4. Verify session binding
+    if (tokenSession !== sessionId) {
+        return { valid: false, reason: 'Session mismatch — token not issued for this user' };
+    }
+    // 5. Verify action binding
+    if (tokenAction !== actionName) {
+        return { valid: false, reason: `Action mismatch — expected "${actionName}", got "${tokenAction}"` };
+    }
+    // 6. Check expiry
+    const issuedAt = parseInt(tsBase36, 36);
+    if (Date.now() - issuedAt > ACTION_TOKEN_TTL_MS) {
+        return { valid: false, reason: `Token expired (issued ${Math.round((Date.now() - issuedAt) / 60_000)}m ago)` };
+    }
+    // 7. Consume (burn) the token — prevents replay
+    USED_TOKENS.add(token);
+    pruneUsedTokens();
+    return { valid: true };
+}
+// ── Helpers ───────────────────────────────────────────────────────────────────
+function sign(payload, secret) {
+    return createHmac('sha256', secret).update(payload).digest('hex');
+}
+function safeEqual(a, b) {
+    try {
+        return timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Prune the used-token set to prevent unbounded memory growth.
+ * Tokens older than TTL are safe to forget — they'd fail the expiry check.
+ */
+function pruneUsedTokens() {
+    if (USED_TOKENS.size < 50_000)
+        return;
+    // Tokens are not stored with timestamps — simplest safe eviction is to
+    // clear the oldest ~10% (insertion-order Set).
+    const deleteCount = Math.floor(USED_TOKENS.size * 0.1);
+    const iter = USED_TOKENS.values();
+    for (let i = 0; i < deleteCount; i++) {
+        const v = iter.next().value;
+        if (v !== undefined)
+            USED_TOKENS.delete(v);
+    }
+}
+// ── Middleware helper ─────────────────────────────────────────────────────────
+/**
+ * Extracts session ID from a request using common patterns.
+ * Override with your own session logic in production.
+ */
+export function extractSessionId(request) {
+    // Try standard session cookie patterns
+    const cookie = request.headers.get('cookie') ?? '';
+    const sessionMatch = cookie.match(/(?:nexus-session|__session|session)=([^;]+)/) ??
+        cookie.match(/([a-f0-9]{32,})/);
+    if (sessionMatch?.[1])
+        return sessionMatch[1];
+    // Fall back to IP + User-Agent fingerprint (not ideal, but workable for anonymous sessions)
+    const ip = request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+        ?? request.headers.get('x-real-ip')
+        ?? 'unknown';
+    const ua = request.headers.get('user-agent') ?? '';
+    return `anon:${sign(`${ip}:${ua}`, 'nexus-anon-fp').slice(0, 16)}`;
+}
+/**
+ * Generates a session ID that is safe to store in a cookie.
+ */
+export function generateSessionId() {
+    return randomBytes(24).toString('base64url');
+}
+//# sourceMappingURL=csrf.js.map

package/dist/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../src/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEvE,0EAA0E;AAC1E,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC;AAE5C;;;;GAIG;AACH,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;AAEtC,gDAAgD;AAChD,MAAM,CAAC,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;AAS1D,iFAAiF;AAEjF;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,SAAkB,EAClB,UAAkB,EAClB,MAAkB;IAElB,MAAM,EAAE,GAAM,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAW,oBAAoB;IACrE,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAI,+BAA+B;IAChF,MAAM,OAAO,GAAG,GAAG,SAAS,OAAO,UAAU,OAAO,EAAE,OAAO,KAAK,EAAE,CAAC;IACrE,MAAM,GAAG,GAAK,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,OAAO,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACnE,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAkB,EAClB,SAAkB,EAClB,UAAkB,EAClB,MAAkB;IAElB,oDAAoD;IACpD,IAAI,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,8CAA8C,EAAE,CAAC;IAClG,CAAC;IAED,YAAY;IACZ,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IACzE,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACvE,CAAC;IAED,MAAM,CAAC,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,AAAD,EAAG,GAAG,CAAC,GAAG,KAAiD,CAAC;IACvG,MAAM,iBAAiB,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEzD,iEAAiE;IACjE,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,0CAA0C,EAAE,CAAC;IAC9E,CAAC;IAED,4BAA4B;IAC5B,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mDAAmD,EAAE,CAAC;IACvF,CAAC;IAED,2BAA2B;IAC3B,IAAI,WAAW,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,UAAU,WAAW,WAAW,GAAG,EAAE,CAAC;IACtG,CAAC;IAED,kBAAkB;IAClB,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,GAAG,mBAAmB,EAAE,CAAC;QAChD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACjH,CAAC;IAED,gDAAgD;IAChD,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACvB,eAAe,EAAE,CAAC;IAElB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,iFAAiF;AAEjF,SAAS,IAAI,CAAC,OAAe,EAAE,MAAc;IAC3C,OAAO,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,SAAS,CAAC,CAAS,EAAE,CAAS;IACrC,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe;IACtB,IAAI,WAAW,CAAC,IAAI,GAAG,MAAM;QAAE,OAAO;IACtC,uEAAuE;IACvE,+CAA+C;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,EAAE,CAAC;IAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QAC5B,IAAI,CAAC,KAAK,SAAS;YAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAgB;IAC/C,uCAAuC;IACvC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnD,MAAM,YAAY,GAChB,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC;QAC3D,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAClC,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC;QAAE,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;IAE9C,4FAA4F;IAC5F,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;WACnE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;WAChC,SAAS,CAAC;IACf,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IACnD,OAAO,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,eAAe,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC"}

package/dist/dev-assets.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Dev / Node server assets: /@nexus_js/runtime ESM mirror + aggregated scoped CSS from .nx files.
+ */
+export declare function bustAggregatedStylesCache(): void;
+/**
+ * Locate `@nexus_js/runtime/dist` without `require.resolve` (pnpm "exports" blocks package.json / bare resolve from apps).
+ */
+export declare function resolveRuntimeDistDir(appRoot: string): string | null;
+/**
+ * Locate `@nexus_js/serialize/dist` — served to the browser at `/_nexus/rt/serialize.js`.
+ */
+export declare function resolveSerializeDistFile(appRoot: string): string | null;
+/** Safe basename-only files under runtime dist (no ..). */
+export declare function runtimeModulePath(runtimeDist: string, pathname: string): string | null;
+/**
+ * Concatenate scoped CSS from every .nx under src/ (routes + components).
+ */
+export declare function buildAggregatedNxStylesheet(appRoot: string): Promise<string>;
+/**
+ * Compiles a .nx file's client island bundle for dynamic import() during hydration.
+ */
+export declare function compileIslandClientBundle(appRoot: string, url: URL): Promise<{
+    body: string;
+    status: number;
+}>;
+export declare function isIslandClientRequest(pathname: string): boolean;
+export declare function tryServeRuntimeAsset(pathname: string, appRoot: string): Promise<{
+    body: Buffer;
+    contentType: string;
+} | null>;
+//# sourceMappingURL=dev-assets.d.ts.map

package/dist/dev-assets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dev-assets.d.ts","sourceRoot":"","sources":["../src/dev-assets.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASvE;AAED,2DAA2D;AAC3D,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKtF;AAyBD;;GAEG;AACH,wBAAsB,2BAA2B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBlF;AAID;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,GAAG,GACP,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA0D3C;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CA2BvD"}

package/dist/dev-assets.js

@@ -0,0 +1,198 @@
+/**
+ * Dev / Node server assets: /@nexus_js/runtime ESM mirror + aggregated scoped CSS from .nx files.
+ */
+import { compile } from '@nexus_js/compiler';
+import { existsSync } from 'node:fs';
+import { readdir, readFile, stat } from 'node:fs/promises';
+import { join, relative, resolve, normalize, sep } from 'node:path';
+const RT_PREFIX = '/_nexus/rt/';
+const LAYER_DECL = '@layer nexus.scoped, nexus.global;\n';
+let aggregatedCssCache = null;
+export function bustAggregatedStylesCache() {
+    aggregatedCssCache = null;
+}
+/**
+ * Locate `@nexus_js/runtime/dist` without `require.resolve` (pnpm "exports" blocks package.json / bare resolve from apps).
+ */
+export function resolveRuntimeDistDir(appRoot) {
+    const candidates = [
+        join(appRoot, 'node_modules', '@nexus_js', 'runtime', 'dist'),
+        join(appRoot, '..', '..', 'packages', 'runtime', 'dist'),
+    ];
+    for (const d of candidates) {
+        if (existsSync(join(d, 'index.js')))
+            return d;
+    }
+    return null;
+}
+/**
+ * Locate `@nexus_js/serialize/dist` — served to the browser at `/_nexus/rt/serialize.js`.
+ */
+export function resolveSerializeDistFile(appRoot) {
+    const candidates = [
+        join(appRoot, 'node_modules', '@nexus_js', 'serialize', 'dist', 'index.js'),
+        join(appRoot, '..', '..', 'packages', 'serialize', 'dist', 'index.js'),
+    ];
+    for (const f of candidates) {
+        if (existsSync(f))
+            return f;
+    }
+    return null;
+}
+/** Safe basename-only files under runtime dist (no ..). */
+export function runtimeModulePath(runtimeDist, pathname) {
+    if (!pathname.startsWith(RT_PREFIX))
+        return null;
+    const name = pathname.slice(RT_PREFIX.length);
+    if (!/^[\w.-]+\.js$/.test(name) || name.includes('..'))
+        return null;
+    return join(runtimeDist, name);
+}
+async function collectNxFiles(dir) {
+    const out = [];
+    async function walk(d) {
+        let entries;
+        try {
+            entries = await readdir(d, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            const p = join(d, e.name);
+            if (e.isDirectory()) {
+                if (e.name === 'node_modules')
+                    continue;
+                await walk(p);
+            }
+            else if (e.name.endsWith('.nx')) {
+                out.push(p);
+            }
+        }
+    }
+    await walk(dir);
+    return out;
+}
+/**
+ * Concatenate scoped CSS from every .nx under src/ (routes + components).
+ */
+export async function buildAggregatedNxStylesheet(appRoot) {
+    if (aggregatedCssCache !== null)
+        return aggregatedCssCache;
+    const srcDir = join(appRoot, 'src');
+    const files = await collectNxFiles(srcDir);
+    const parts = [LAYER_DECL];
+    for (const filepath of files) {
+        const source = await readFile(filepath, 'utf-8');
+        const result = compile(source, filepath, {
+            mode: 'server',
+            dev: true,
+            ssr: true,
+            emitIslandManifest: false,
+            target: 'node',
+        });
+        if (result.css)
+            parts.push(`/* ${relative(appRoot, filepath)} */\n${result.css}`);
+    }
+    aggregatedCssCache = parts.join('\n');
+    return aggregatedCssCache;
+}
+const ISLAND_CLIENT_PATH = '/_nexus/islands/client.mjs';
+/**
+ * Compiles a .nx file's client island bundle for dynamic import() during hydration.
+ */
+export async function compileIslandClientBundle(appRoot, url) {
+    const pathParam = url.searchParams.get('path');
+    const absParam = url.searchParams.get('abs');
+    const rootReal = resolve(appRoot);
+    function isUnderRoot(file) {
+        const rel = relative(rootReal, resolve(file));
+        if (rel === '..')
+            return false;
+        if (rel.startsWith(`..${sep}`))
+            return false;
+        return true;
+    }
+    let nxPath = null;
+    if (pathParam) {
+        if (pathParam.includes('..') || pathParam.startsWith('/')) {
+            return { body: 'Invalid path', status: 400 };
+        }
+        const joined = resolve(join(rootReal, normalize(pathParam)));
+        if (!isUnderRoot(joined)) {
+            return { body: 'Path escapes app root', status: 400 };
+        }
+        nxPath = joined;
+    }
+    else if (absParam) {
+        const decoded = decodeURIComponent(absParam);
+        const abs = resolve(decoded);
+        if (!isUnderRoot(abs)) {
+            return { body: 'Invalid abs path', status: 400 };
+        }
+        nxPath = abs;
+    }
+    else {
+        return { body: 'Missing path or abs query', status: 400 };
+    }
+    if (!nxPath.endsWith('.nx')) {
+        return { body: 'Not an .nx source', status: 400 };
+    }
+    try {
+        await stat(nxPath);
+    }
+    catch {
+        return { body: 'Source not found', status: 404 };
+    }
+    const source = await readFile(nxPath, 'utf-8');
+    const result = compile(source, nxPath, {
+        mode: 'server',
+        dev: true,
+        ssr: true,
+        emitIslandManifest: false,
+        target: 'node',
+        appRoot: rootReal,
+    });
+    if (!result.clientCode) {
+        return { body: 'No client island for this module', status: 404 };
+    }
+    return { body: result.clientCode, status: 200 };
+}
+export function isIslandClientRequest(pathname) {
+    return pathname === ISLAND_CLIENT_PATH;
+}
+export async function tryServeRuntimeAsset(pathname, appRoot) {
+    // Special alias: /_nexus/rt/serialize.js → @nexus_js/serialize/dist/index.js
+    if (pathname === '/_nexus/rt/serialize.js') {
+        const serializeFile = resolveSerializeDistFile(appRoot);
+        if (!serializeFile)
+            return null;
+        try {
+            const s = await stat(serializeFile);
+            if (!s.isFile())
+                return null;
+            const body = await readFile(serializeFile);
+            return { body, contentType: 'application/javascript; charset=utf-8' };
+        }
+        catch {
+            return null;
+        }
+    }
+    const dist = resolveRuntimeDistDir(appRoot);
+    if (!dist)
+        return null;
+    const file = runtimeModulePath(dist, pathname);
+    if (!file)
+        return null;
+    try {
+        const s = await stat(file);
+        if (!s.isFile())
+            return null;
+        const body = await readFile(file);
+        return { body, contentType: 'application/javascript; charset=utf-8' };
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=dev-assets.js.map

package/dist/dev-assets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dev-assets.js","sourceRoot":"","sources":["../src/dev-assets.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAEpE,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,sCAAsC,CAAC;AAE1D,IAAI,kBAAkB,GAAkB,IAAI,CAAC;AAE7C,MAAM,UAAU,yBAAyB;IACvC,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC;QAC7D,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC;KACzD,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACtD,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,CAAC;QAC3E,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,CAAC;KACvE,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,IAAI,UAAU,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,iBAAiB,CAAC,WAAmB,EAAE,QAAgB;IACrE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAW;IACvC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,UAAU,IAAI,CAAC,CAAS;QAC3B,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,CAAC,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;YAC1B,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;gBACpB,IAAI,CAAC,CAAC,IAAI,KAAK,cAAc;oBAAE,SAAS;gBACxC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;iBAAM,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,OAAe;IAC/D,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,KAAK,GAAa,CAAC,UAAU,CAAC,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE;YACvC,IAAI,EAAE,QAAQ;YACd,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,IAAI;YACT,kBAAkB,EAAE,KAAK;YACzB,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,GAAG;YAAE,KAAK,CAAC,IAAI,CAAC,MAAM,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,QAAQ,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,MAAM,kBAAkB,GAAG,4BAA4B,CAAC;AAExD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,OAAe,EACf,GAAQ;IAER,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAElC,SAAS,WAAW,CAAC,IAAY;QAC/B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9C,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAC/B,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,GAAG,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QAC/C,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,IAAI,EAAE,uBAAuB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACxD,CAAC;QACD,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,QAAQ,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC7B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACnD,CAAC;QACD,MAAM,GAAG,GAAG,CAAC;IACf,CAAC;SAAM,CAAC;QACN,OAAO,EAAE,IAAI,EAAE,2BAA2B,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAC5D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACpD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,MAAM,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACnD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE;QACrC,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,IAAI;QACT,kBAAkB,EAAE,KAAK;QACzB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,QAAQ;KAClB,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,kCAAkC,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACnE,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,QAAQ,KAAK,kBAAkB,CAAC;AACzC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,QAAgB,EAChB,OAAe;IAEf,6EAA6E;IAC7E,IAAI,QAAQ,KAAK,yBAAyB,EAAE,CAAC;QAC3C,MAAM,aAAa,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;QACxD,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,CAAC;YACpC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;gBAAE,OAAO,IAAI,CAAC;YAC7B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC3C,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,uCAAuC,EAAE,CAAC;QACxE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YAAE,OAAO,IAAI,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,CAAC;QAClC,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,uCAAuC,EAAE,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/error-boundary.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Nexus Error Boundaries — file-based resilience system.
+ *
+ * Convention (mirrors Next.js App Router):
+ *
+ *   routes/
+ *   ├── error.nx              ← catches errors in the root layout
+ *   ├── dashboard/
+ *   │   ├── error.nx          ← catches errors in /dashboard/**
+ *   │   ├── +layout.nx
+ *   │   └── +page.nx
+ *   └── blog/
+ *       ├── [slug]/
+ *       │   ├── error.nx      ← catches errors ONLY in /blog/:slug
+ *       │   └── +page.nx
+ *       └── not-found.nx      ← custom 404 for /blog/**
+ *
+ * The error.nx component receives:
+ *   - error: { message, name, digest? }
+ *   - reset: () => void  (client-side — triggers re-render)
+ *
+ * Island hydration for error.nx:
+ *   The "reset" button must be an island (client:load) to be interactive.
+ *   The error info is server-rendered (no JS needed to display it).
+ *
+ * Usage in error.nx:
+ *   ---
+ *   const { error } = ctx.errorBoundary;
+ *   ---
+ *   <script>
+ *     const { reset } = $props();
+ *   </script>
+ *   <div class="error-boundary" client:load>
+ *     <h2>Something went wrong</h2>
+ *     <p>{error.message}</p>
+ *     <button onclick={reset}>Try again</button>
+ *   </div>
+ */
+import type { NexusContext } from './context.js';
+export interface BoundaryError {
+    message: string;
+    name: string;
+    /** Opaque server-side error digest (safe to show in prod) */
+    digest?: string;
+    /** Full stack trace (dev only) */
+    stack?: string;
+}
+export interface ErrorBoundaryContext {
+    error: BoundaryError;
+    pathname: string;
+}
+/**
+ * Finds the nearest `error.nx` file to a given route filepath.
+ * Walks up the directory tree until it finds one or reaches the routes root.
+ */
+export declare function findErrorBoundary(routeFilepath: string, routesRoot: string): Promise<string | null>;
+/**
+ * Finds the nearest `not-found.nx` for a given route directory.
+ */
+export declare function findNotFoundBoundary(routeFilepath: string, routesRoot: string): Promise<string | null>;
+/**
+ * Renders an error boundary file to HTML.
+ * Sanitizes error info for production (hides stack, generates digest).
+ */
+export declare function renderErrorBoundary(boundaryFile: string, originalError: unknown, ctx: NexusContext, opts: {
+    dev: boolean;
+}): Promise<string>;
+/**
+ * Default error page when no error.nx is found.
+ * Shows full details in dev, sanitized message in production.
+ */
+export declare function buildDefaultErrorHTML(error: BoundaryError, dev: boolean): string;
+/**
+ * Wraps a render function with error boundary protection.
+ * If the render throws, catches it and renders the nearest error.nx.
+ */
+export declare function withErrorBoundary<T>(fn: () => Promise<T>, opts: {
+    routeFilepath: string;
+    routesRoot: string;
+    ctx: NexusContext;
+    dev: boolean;
+    fallback?: string;
+}): Promise<T | {
+    html: string;
+    status: number;
+}>;
+//# sourceMappingURL=error-boundary.d.ts.map

package/dist/error-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-boundary.d.ts","sourceRoot":"","sources":["../src/error-boundary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEjD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAiBxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAgBxB;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,OAAO,EACtB,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE;IAAE,GAAG,EAAE,OAAO,CAAA;CAAE,GACrB,OAAO,CAAC,MAAM,CAAC,CAejB;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,EAAE,OAAO,GAAG,MAAM,CAuBhF;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,CAAC,EACvC,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,EACpB,IAAI,EAAE;IACJ,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,YAAY,CAAC;IAClB,GAAG,EAAE,OAAO,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,CAAC,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAe/C"}