@nuraly/lumenjs 0.1.4 → 0.3.0

package/README.md

@@ -68,6 +68,8 @@ export class PageIndex extends LitElement {
 
 Export a `loader()` to fetch data server-side. It runs on SSR and via `/__nk_loader/<path>` during client-side navigation. Automatically stripped from client bundles.
 
+Declare each returned key as its own property — the framework spreads loader data onto the element automatically.
+
 ```typescript
 // pages/blog/[slug].ts
 export async function loader({ params }) {
@@ -77,11 +79,11 @@ export async function loader({ params }) {
 }
 
 export class BlogPost extends LitElement {
-  static properties = { loaderData: { type: Object } };
-  loaderData: any = {};
+  static properties = { post: { type: Object } };
+  post: any = null;
 
   render() {
-    return html`<h1>${this.loaderData.post?.title}</h1>`;
+    return html`<h1>${this.post?.title}</h1>`;
   }
 }
 ```
@@ -110,16 +112,20 @@ export function subscribe({ push }) {
 }
 
 export class PageDashboard extends LitElement {
-  static properties = { liveData: { type: Object } };
-  liveData: any = null;
+  static properties = {
+    time: { type: String },
+    count: { type: Number },
+  };
+  time = '';
+  count = 0;
 
   render() {
-    return html`<p>Server time: ${this.liveData?.time}</p>`;
+    return html`<p>Server time: ${this.time}</p>`;
   }
 }
 ```
 
-Return a cleanup function — it runs when the client disconnects.
+Each key from `push()` is spread as an individual property on the component — same as loader data. Return a cleanup function — it runs when the client disconnects.
 
 ## Layouts
 
@@ -186,6 +192,41 @@ npx lumenjs add tailwind    # Tailwind CSS via @tailwindcss/vite
 export default { integrations: ['nuralyui'] };
 ```
 
+## Visual Editor
+
+Start the dev server with `--editor-mode` to edit pages visually in the browser:
+
+```bash
+npx lumenjs dev --editor-mode
+```
+
+Click elements to select them, edit properties and styles in the side panel, double-click text to edit inline, or ask the AI assistant to make changes for you. Everything saves directly to your source files.
+
+### AI Backend
+
+The editor includes an AI assistant that can modify your components. It supports three backends:
+
+**Claude Code** (recommended) — uses your Pro/Max subscription, no API key needed:
+
+```bash
+npm install -g @anthropic-ai/claude-code
+claude login
+npm install @anthropic-ai/claude-agent-sdk
+npx lumenjs dev --editor-mode
+```
+
+**OpenCode** — coding agent server, configure it with DeepSeek or any LLM provider:
+
+```bash
+npm install -g opencode
+opencode serve                        # terminal 1
+npx lumenjs dev --editor-mode         # terminal 2
+```
+
+Configure the connection: `OPENCODE_URL` (default `http://localhost:4096`) and `OPENCODE_SERVER_PASSWORD` if auth is required.
+
+Set `AI_BACKEND` to force a specific backend (`claude-code` or `opencode`). Without it, the editor auto-detects: Claude Code (if CLI logged in) → OpenCode (fallback).
+
 ## CLI
 
 ```

package/dist/auth/native-auth.d.ts

@@ -66,6 +66,15 @@ export declare function decodeResetTokenUserId(token: string): string | null;
 export declare function updatePassword(db: Db, userId: string, newPassword: string, minLength?: number): Promise<void>;
 /** Find a user by email. Returns { id, email, name } or null. */
 export declare function findUserIdByEmail(db: Db, email: string): Promise<string | null>;
+export declare function encryptTotpSecret(secret: string, sessionSecret: string): Promise<string>;
+export declare function decryptTotpSecret(encrypted: string, sessionSecret: string): Promise<string>;
+export declare function saveTotpSecret(db: Db, userId: string, encryptedSecret: string): Promise<void>;
+export declare function enableTotp(db: Db, userId: string): Promise<void>;
+export declare function disableTotp(db: Db, userId: string): Promise<void>;
+export declare function getTotpState(db: Db, userId: string): Promise<{
+    totpEnabled: boolean;
+    encryptedSecret: string | null;
+}>;
 /** Set sessions_revoked_at to now, invalidating all sessions created before this moment. */
 export declare function revokeAllSessions(db: Db, userId: string): Promise<void>;
 /** Get the epoch-seconds timestamp of the last logout-all, or null if never revoked. */

package/dist/auth/native-auth.js

@@ -44,8 +44,8 @@ export async function ensureUsersTable(db) {
     password_hash TEXT NOT NULL,
     email_verified INTEGER NOT NULL DEFAULT 0,
     roles TEXT NOT NULL DEFAULT '[]',
-    created_at TEXT NOT NULL DEFAULT (datetime('now')),
-    updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    created_at TEXT NOT NULL DEFAULT NOW(),
+    updated_at TEXT NOT NULL DEFAULT NOW()
   )`);
     // Add email_verified column if table already exists without it
     try {
@@ -59,6 +59,17 @@ export async function ensureUsersTable(db) {
     }
     catch { }
     ;
+    // Add TOTP columns
+    try {
+        await db.exec('ALTER TABLE _nk_auth_users ADD COLUMN totp_secret TEXT');
+    }
+    catch { }
+    ;
+    try {
+        await db.exec('ALTER TABLE _nk_auth_users ADD COLUMN totp_enabled INTEGER NOT NULL DEFAULT 0');
+    }
+    catch { }
+    ;
 }
 /**
  * Register a new user with email/password.
@@ -279,6 +290,42 @@ export async function findUserIdByEmail(db, email) {
     const row = await db.get('SELECT id FROM _nk_auth_users WHERE email = ?', email);
     return row?.id || null;
 }
+// ── TOTP helpers ─────────────────────────────────────────────────
+const TOTP_IV_LEN = 12;
+const TOTP_ALGO = 'aes-256-gcm';
+function deriveTotpKey(sessionSecret) {
+    return Buffer.from(crypto.hkdfSync('sha256', sessionSecret, 'totp-key', '', 32));
+}
+export async function encryptTotpSecret(secret, sessionSecret) {
+    const key = deriveTotpKey(sessionSecret);
+    const iv = crypto.randomBytes(TOTP_IV_LEN);
+    const cipher = crypto.createCipheriv(TOTP_ALGO, key, iv);
+    const enc = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `${iv.toString('base64url')}.${enc.toString('base64url')}.${tag.toString('base64url')}`;
+}
+export async function decryptTotpSecret(encrypted, sessionSecret) {
+    const [ivB64, encB64, tagB64] = encrypted.split('.');
+    if (!ivB64 || !encB64 || !tagB64)
+        throw new Error('Invalid TOTP secret format');
+    const key = deriveTotpKey(sessionSecret);
+    const decipher = crypto.createDecipheriv(TOTP_ALGO, key, Buffer.from(ivB64, 'base64url'));
+    decipher.setAuthTag(Buffer.from(tagB64, 'base64url'));
+    return decipher.update(Buffer.from(encB64, 'base64url')).toString('utf8') + decipher.final('utf8');
+}
+export async function saveTotpSecret(db, userId, encryptedSecret) {
+    await db.run('UPDATE _nk_auth_users SET totp_secret = ?, totp_enabled = 0 WHERE id = ?', encryptedSecret, userId);
+}
+export async function enableTotp(db, userId) {
+    await db.run('UPDATE _nk_auth_users SET totp_enabled = 1 WHERE id = ?', userId);
+}
+export async function disableTotp(db, userId) {
+    await db.run('UPDATE _nk_auth_users SET totp_secret = NULL, totp_enabled = 0 WHERE id = ?', userId);
+}
+export async function getTotpState(db, userId) {
+    const row = await db.get('SELECT totp_enabled, totp_secret FROM _nk_auth_users WHERE id = ?', userId);
+    return { totpEnabled: !!row?.totp_enabled, encryptedSecret: row?.totp_secret || null };
+}
 // ── Session Revocation (Logout All) ─────────────────────────────
 /** Set sessions_revoked_at to now, invalidating all sessions created before this moment. */
 export async function revokeAllSessions(db, userId) {

package/dist/auth/routes/login.js

@@ -53,7 +53,7 @@ export async function handleNativeLogin(config, req, res, url, db) {
         sendJson(res, 400, { error: 'Email and password required' });
         return true;
     }
-    const { authenticateUser, isEmailVerified } = await import('../native-auth.js');
+    const { authenticateUser, isEmailVerified, getTotpState } = await import('../native-auth.js');
     const user = await authenticateUser(db, email, password);
     if (!user) {
         sendJson(res, 401, { error: 'Invalid credentials' });
@@ -64,6 +64,29 @@ export async function handleNativeLogin(config, req, res, url, db) {
         sendJson(res, 403, { error: 'Please verify your email before signing in', code: 'EMAIL_NOT_VERIFIED' });
         return true;
     }
+    // Check TOTP — if enabled, issue a short-lived pending cookie instead of a full session
+    const totpState = await getTotpState(db, user.sub);
+    if (totpState.totpEnabled) {
+        const pendingData = {
+            accessToken: `totp-pending:${user.sub}`,
+            expiresAt: Math.floor(Date.now() / 1000) + 300,
+            user: { sub: user.sub, roles: [] },
+            provider: 'native',
+            createdAt: Math.floor(Date.now() / 1000),
+        };
+        const pendingEncrypted = await encryptSession(pendingData, config.session.secret);
+        const pendingCookie = createSessionCookie('nk-totp-pending', pendingEncrypted, 300, config.session.secure);
+        const returnTo = safeReturnTo(url.searchParams.get('returnTo'), config.routes.postLogin);
+        if (req.headers.accept?.includes('application/json')) {
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Set-Cookie': pendingCookie });
+            res.end(JSON.stringify({ requires2fa: true, returnTo }));
+        }
+        else {
+            res.writeHead(302, { Location: `/auth/totp-challenge?returnTo=${encodeURIComponent(returnTo)}`, 'Set-Cookie': pendingCookie });
+            res.end();
+        }
+        return true;
+    }
     // Create session — same as OIDC callback
     const sessionData = {
         accessToken: `native:${user.sub}`,

package/dist/auth/routes/totp.d.ts

@@ -0,0 +1,22 @@
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { ResolvedAuthConfig } from '../types.js';
+/**
+ * POST /__nk_auth/totp/setup
+ * Generates a new TOTP secret for the authenticated user and returns a QR code.
+ */
+export declare function handleTotpSetup(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;
+/**
+ * POST /__nk_auth/totp/verify-setup
+ * Confirms setup by verifying the first 6-digit code and enables TOTP.
+ */
+export declare function handleTotpVerifySetup(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;
+/**
+ * POST /__nk_auth/totp/disable
+ * Disables TOTP after verifying a valid code.
+ */
+export declare function handleTotpDisable(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;
+/**
+ * POST /__nk_auth/totp/challenge
+ * Exchanges a pending-2FA cookie + valid TOTP code for a full session cookie.
+ */
+export declare function handleTotpChallenge(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;

package/dist/auth/routes/totp.js

@@ -0,0 +1,232 @@
+import { sendJson, readBody } from './utils.js';
+import { encryptSession, createSessionCookie, decryptSession } from '../session.js';
+import { encryptTotpSecret, decryptTotpSecret, saveTotpSecret, enableTotp, disableTotp, getTotpState, } from '../native-auth.js';
+function parseCookies(req) {
+    const cookies = {};
+    const header = req.headers.cookie || '';
+    for (const part of header.split(';')) {
+        const [k, ...v] = part.trim().split('=');
+        if (k)
+            cookies[k.trim()] = decodeURIComponent(v.join('='));
+    }
+    return cookies;
+}
+/**
+ * POST /__nk_auth/totp/setup
+ * Generates a new TOTP secret for the authenticated user and returns a QR code.
+ */
+export async function handleTotpSetup(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const QRCode = await import('qrcode');
+        const secret = authenticator.generateSecret();
+        const appName = config.totp?.appName || 'Nuraly';
+        const otpauthUri = authenticator.keyuri(user.email || user.sub, appName, secret);
+        const qrDataUrl = await QRCode.default.toDataURL(otpauthUri);
+        const encrypted = await encryptTotpSecret(secret, config.session.secret);
+        await saveTotpSecret(db, user.sub, encrypted);
+        sendJson(res, 200, { qrDataUrl, otpauthUri });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Setup failed' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/verify-setup
+ * Confirms setup by verifying the first 6-digit code and enables TOTP.
+ */
+export async function handleTotpVerifySetup(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const state = await getTotpState(db, user.sub);
+        if (!state.encryptedSecret) {
+            sendJson(res, 400, { error: 'No pending TOTP setup' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(state.encryptedSecret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code — check your authenticator app and try again' });
+            return true;
+        }
+        await enableTotp(db, user.sub);
+        sendJson(res, 200, { ok: true });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Verification failed' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/disable
+ * Disables TOTP after verifying a valid code.
+ */
+export async function handleTotpDisable(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const state = await getTotpState(db, user.sub);
+        if (!state.totpEnabled || !state.encryptedSecret) {
+            sendJson(res, 400, { error: '2FA is not enabled' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(state.encryptedSecret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code' });
+            return true;
+        }
+        await disableTotp(db, user.sub);
+        sendJson(res, 200, { ok: true });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Failed to disable 2FA' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/challenge
+ * Exchanges a pending-2FA cookie + valid TOTP code for a full session cookie.
+ */
+export async function handleTotpChallenge(config, req, res, db) {
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    const cookies = parseCookies(req);
+    const pendingEncrypted = cookies['nk-totp-pending'];
+    if (!pendingEncrypted) {
+        sendJson(res, 401, { error: 'No pending 2FA session' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        // Decrypt and validate the pending session
+        const pending = await decryptSession(pendingEncrypted, config.session.secret);
+        if (!pending || !pending.accessToken.startsWith('totp-pending:')) {
+            sendJson(res, 401, { error: 'Invalid pending session' });
+            return true;
+        }
+        if (pending.expiresAt < Math.floor(Date.now() / 1000)) {
+            sendJson(res, 401, { error: '2FA session expired — please log in again' });
+            return true;
+        }
+        const userId = pending.accessToken.slice('totp-pending:'.length);
+        // Fetch full user row
+        const row = await db.get('SELECT * FROM _nk_auth_users WHERE id = ?', userId);
+        if (!row) {
+            sendJson(res, 401, { error: 'User not found' });
+            return true;
+        }
+        // Verify TOTP code
+        const { authenticator } = await import('otplib');
+        if (!row.totp_enabled || !row.totp_secret) {
+            sendJson(res, 400, { error: '2FA not enabled for this account' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(row.totp_secret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code — check your authenticator app and try again' });
+            return true;
+        }
+        // Build full user object
+        let roles = [];
+        try {
+            roles = JSON.parse(row.roles);
+        }
+        catch { }
+        const user = { sub: row.id, email: row.email, name: row.name, roles, provider: 'native' };
+        // Issue full session cookie
+        const sessionData = {
+            accessToken: `native:${user.sub}`,
+            expiresAt: Math.floor(Date.now() / 1000) + config.session.maxAge,
+            user,
+            provider: 'native',
+            createdAt: Math.floor(Date.now() / 1000),
+        };
+        const encrypted = await encryptSession(sessionData, config.session.secret);
+        const sessionCookie = createSessionCookie(config.session.cookieName, encrypted, config.session.maxAge, config.session.secure);
+        // Clear the pending cookie
+        const clearPending = `nk-totp-pending=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax${config.session.secure ? '; Secure' : ''}`;
+        const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+        const returnTo = url.searchParams.get('returnTo') || config.routes.postLogin;
+        if (req.headers.accept?.includes('application/json')) {
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Set-Cookie': [sessionCookie, clearPending] });
+            res.end(JSON.stringify({ user, returnTo }));
+        }
+        else {
+            res.writeHead(302, { Location: returnTo, 'Set-Cookie': [sessionCookie, clearPending] });
+            res.end();
+        }
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Challenge failed' });
+    }
+    return true;
+}

package/dist/auth/routes.js

@@ -6,6 +6,7 @@ import { handleLogout, handleLogoutAll } from './routes/logout.js';
 import { handleVerifyEmail } from './routes/verify.js';
 import { handleForgotPassword, handleResetPassword, handleChangePassword } from './routes/password.js';
 import { handleTokenRefresh, handleTokenRevoke } from './routes/token.js';
+import { handleTotpSetup, handleTotpVerifySetup, handleTotpDisable, handleTotpChallenge } from './routes/totp.js';
 /**
  * Validate Origin header on POST requests to prevent CSRF.
  * Returns true if the request is safe to proceed.
@@ -106,5 +107,18 @@ export async function handleAuthRoutes(config, req, res, db) {
     if (pathname === '/__nk_auth/revoke' && req.method === 'POST') {
         return handleTokenRevoke(req, res, db);
     }
+    // ── TOTP 2FA ──────────────────────────────────────────────────
+    if (pathname === '/__nk_auth/totp/setup' && req.method === 'POST') {
+        return handleTotpSetup(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/verify-setup' && req.method === 'POST') {
+        return handleTotpVerifySetup(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/disable' && req.method === 'POST') {
+        return handleTotpDisable(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/challenge' && req.method === 'POST') {
+        return handleTotpChallenge(config, req, res, db);
+    }
     return false;
 }

package/dist/auth/token.js

@@ -58,11 +58,11 @@ export function hashRefreshToken(token) {
 }
 export async function ensureRefreshTokenTable(db) {
     await db.exec(`CREATE TABLE IF NOT EXISTS _nk_auth_refresh_tokens (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    id SERIAL PRIMARY KEY,
     token_hash TEXT NOT NULL UNIQUE,
     user_id TEXT NOT NULL,
     expires_at TEXT NOT NULL,
-    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    created_at TEXT NOT NULL DEFAULT NOW()
   )`);
 }
 export async function storeRefreshToken(db, token, userId, ttlSeconds) {

package/dist/build/build-markdown.d.ts

@@ -0,0 +1,15 @@
+import type { BuildManifest } from '../shared/types.js';
+import type { PageEntry } from './scan.js';
+export interface MarkdownOptions {
+    serverDir: string;
+    clientDir: string;
+    pagesDir: string;
+    pageEntries: PageEntry[];
+    manifest: BuildManifest;
+}
+/**
+ * Generate static .md files for each page by SSR-rendering the component
+ * and converting the HTML to markdown. Written to clientDir so the
+ * production static file server picks them up (e.g., /docs/routing.md).
+ */
+export declare function generateMarkdownPages(opts: MarkdownOptions): Promise<void>;

package/dist/build/build-markdown.js

@@ -0,0 +1,90 @@
+import path from 'path';
+import fs from 'fs';
+import { pathToFileURL } from 'url';
+import { stripOuterLitMarkers, patchLoaderDataSpread } from '../shared/utils.js';
+import { installDomShims } from '../shared/dom-shims.js';
+import { htmlToMarkdown } from '../shared/html-to-markdown.js';
+/**
+ * Generate static .md files for each page by SSR-rendering the component
+ * and converting the HTML to markdown. Written to clientDir so the
+ * production static file server picks them up (e.g., /docs/routing.md).
+ */
+export async function generateMarkdownPages(opts) {
+    const { serverDir, clientDir, pagesDir, pageEntries, manifest } = opts;
+    // Skip if no pages
+    if (pageEntries.length === 0)
+        return;
+    // Load SSR runtime
+    const ssrRuntimePath = pathToFileURL(path.join(serverDir, 'ssr-runtime.js')).href;
+    let ssrRuntime;
+    try {
+        ssrRuntime = await import(ssrRuntimePath);
+    }
+    catch {
+        // No SSR runtime — skip markdown generation
+        return;
+    }
+    const { render, html, unsafeStatic } = ssrRuntime;
+    installDomShims();
+    let count = 0;
+    for (const page of pageEntries) {
+        // Skip dynamic routes (e.g., /blog/:slug)
+        if (page.routePath.includes(':'))
+            continue;
+        const moduleName = `pages/${page.name.replace(/\[(\w+)\]/g, '_$1_')}.js`;
+        let modulePath = path.join(serverDir, moduleName);
+        if (!fs.existsSync(modulePath)) {
+            modulePath = path.join(serverDir, moduleName.replace(/\[/g, '_').replace(/\]/g, '_'));
+        }
+        if (!fs.existsSync(modulePath))
+            continue;
+        try {
+            const mod = await import(pathToFileURL(modulePath).href);
+            // Run loader if present
+            let loaderData = undefined;
+            if (mod.loader && typeof mod.loader === 'function') {
+                loaderData = await mod.loader({ params: {}, query: {}, url: page.routePath, headers: {} });
+                if (loaderData?.__nk_redirect)
+                    continue;
+            }
+            // Get tag name from manifest
+            const route = manifest.routes.find(r => r.path === page.routePath);
+            const tagName = route?.tagName;
+            if (!tagName)
+                continue;
+            patchLoaderDataSpread(tagName);
+            const tag = unsafeStatic(tagName);
+            const template = loaderData !== undefined
+                ? html `<${tag} .loaderData=${loaderData}></${tag}>`
+                : html `<${tag}></${tag}>`;
+            let rendered = '';
+            for (const chunk of render(template)) {
+                rendered += typeof chunk === 'string' ? chunk : String(chunk);
+            }
+            rendered = stripOuterLitMarkers(rendered);
+            const markdown = htmlToMarkdown(rendered);
+            if (!markdown.trim())
+                continue;
+            // Write to clientDir so static serving picks it up
+            // /docs/routing → clientDir/docs/routing.md
+            const mdPath = page.routePath === '/'
+                ? path.join(clientDir, 'index.md')
+                : path.join(clientDir, page.routePath + '.md');
+            // Skip if user provided their own .md file (copied from public/ during client build)
+            if (fs.existsSync(mdPath))
+                continue;
+            const mdDir = path.dirname(mdPath);
+            if (!fs.existsSync(mdDir))
+                fs.mkdirSync(mdDir, { recursive: true });
+            fs.writeFileSync(mdPath, markdown);
+            count++;
+        }
+        catch (err) {
+            // Skip pages that fail to render
+            console.warn(`[LumenJS] Markdown generation skipped for ${page.routePath}: ${err?.message}`);
+        }
+    }
+    if (count > 0) {
+        console.log(`[LumenJS] Generated ${count} markdown page(s) for /llms.txt`);
+    }
+}

package/dist/build/build-server.d.ts

@@ -1,11 +1,12 @@
 import { type UserConfig, type Plugin } from 'vite';
-import type { PageEntry, LayoutEntry, ApiEntry } from './scan.js';
+import type { PageEntry, LayoutEntry, ApiEntry, MiddlewareEntry } from './scan.js';
 export interface BuildServerOptions {
     projectDir: string;
     serverDir: string;
     pageEntries: PageEntry[];
     layoutEntries: LayoutEntry[];
     apiEntries: ApiEntry[];
+    middlewareEntries: MiddlewareEntry[];
     hasAuthConfig: boolean;
     authConfigPath: string;
     shared: {