@pyreon/zero 0.24.5 → 0.24.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pyreon/zero",
-  "version": "0.24.5",
+  "version": "0.24.6",
   "description": "Pyreon Zero — zero-config full-stack framework powered by Pyreon and Vite",
   "license": "MIT",
   "author": "Vit Bokisch",
@@ -13,7 +13,6 @@
     "lib",
     "!lib/**/*.map",
     "!lib/analysis",
-    "src",
     "!src/tests",
     "LICENSE",
     "README.md"
@@ -25,142 +24,114 @@
   "types": "./lib/types/index.d.ts",
   "exports": {
     ".": {
-      "bun": "./src/index.ts",
       "import": "./lib/index.js",
       "types": "./lib/types/index.d.ts"
     },
     "./server": {
-      "bun": "./src/server.ts",
       "import": "./lib/server.js",
       "types": "./lib/types/server.d.ts"
     },
     "./client": {
-      "bun": "./src/client.ts",
       "import": "./lib/client.js",
       "types": "./lib/types/client.d.ts"
     },
     "./config": {
-      "bun": "./src/config.ts",
       "import": "./lib/config.js",
       "types": "./lib/types/config.d.ts"
     },
     "./image": {
-      "bun": "./src/image.tsx",
       "import": "./lib/image.js",
       "types": "./lib/types/image.d.ts"
     },
     "./link": {
-      "bun": "./src/link.tsx",
       "import": "./lib/link.js",
       "types": "./lib/types/link.d.ts"
     },
     "./script": {
-      "bun": "./src/script.tsx",
       "import": "./lib/script.js",
       "types": "./lib/types/script.d.ts"
     },
     "./font": {
-      "bun": "./src/font.ts",
       "import": "./lib/font.js",
       "types": "./lib/types/font.d.ts"
     },
     "./cache": {
-      "bun": "./src/cache.ts",
       "import": "./lib/cache.js",
       "types": "./lib/types/cache.d.ts"
     },
     "./seo": {
-      "bun": "./src/seo.ts",
       "import": "./lib/seo.js",
       "types": "./lib/types/seo.d.ts"
     },
     "./theme": {
-      "bun": "./src/theme.tsx",
       "import": "./lib/theme.js",
       "types": "./lib/types/theme.d.ts"
     },
     "./image-plugin": {
-      "bun": "./src/image-plugin.ts",
       "import": "./lib/image-plugin.js",
       "types": "./lib/types/image-plugin.d.ts"
     },
     "./image-types": {
-      "bun": "./src/image-types.ts",
       "import": "./lib/image-types.js",
       "types": "./lib/types/image-types.d.ts"
     },
     "./actions": {
-      "bun": "./src/actions.ts",
       "import": "./lib/actions.js",
       "types": "./lib/types/actions.d.ts"
     },
     "./api-routes": {
-      "bun": "./src/api-routes.ts",
       "import": "./lib/api-routes.js",
       "types": "./lib/types/api-routes.d.ts"
     },
     "./cors": {
-      "bun": "./src/cors.ts",
       "import": "./lib/cors.js",
       "types": "./lib/types/cors.d.ts"
     },
     "./rate-limit": {
-      "bun": "./src/rate-limit.ts",
       "import": "./lib/rate-limit.js",
       "types": "./lib/types/rate-limit.d.ts"
     },
     "./compression": {
-      "bun": "./src/compression.ts",
       "import": "./lib/compression.js",
       "types": "./lib/types/compression.d.ts"
     },
     "./testing": {
-      "bun": "./src/testing.ts",
       "import": "./lib/testing.js",
       "types": "./lib/types/testing.d.ts"
     },
     "./meta": {
-      "bun": "./src/meta.tsx",
       "import": "./lib/meta.js",
       "types": "./lib/types/meta.d.ts"
     },
     "./favicon": {
-      "bun": "./src/favicon.ts",
       "import": "./lib/favicon.js",
       "types": "./lib/types/favicon.d.ts"
     },
     "./og-image": {
-      "bun": "./src/og-image.ts",
       "import": "./lib/og-image.js",
       "types": "./lib/types/og-image.d.ts"
     },
     "./i18n-routing": {
-      "bun": "./src/i18n-routing.ts",
       "import": "./lib/i18n-routing.js",
       "types": "./lib/types/i18n-routing.d.ts"
     },
     "./ai": {
-      "bun": "./src/ai.ts",
       "import": "./lib/ai.js",
       "types": "./lib/types/ai.d.ts"
     },
     "./middleware": {
-      "bun": "./src/middleware.ts",
       "import": "./lib/middleware.js",
       "types": "./lib/types/middleware.d.ts"
     },
     "./csp": {
-      "bun": "./src/csp.ts",
       "import": "./lib/csp.js",
       "types": "./lib/types/csp.d.ts"
     },
     "./env": {
-      "bun": "./src/env.ts",
       "import": "./lib/env.js",
       "types": "./lib/types/env.d.ts"
     },
     "./logger": {
-      "bun": "./src/logger.ts",
       "import": "./lib/logger.js",
       "types": "./lib/types/logger.d.ts"
     }
@@ -173,15 +144,15 @@
     "lint": "oxlint ."
   },
   "dependencies": {
-    "@pyreon/core": "^0.24.5",
-    "@pyreon/head": "^0.24.5",
-    "@pyreon/meta": "^0.24.5",
-    "@pyreon/reactivity": "^0.24.5",
-    "@pyreon/router": "^0.24.5",
-    "@pyreon/runtime-dom": "^0.24.5",
-    "@pyreon/runtime-server": "^0.24.5",
-    "@pyreon/server": "^0.24.5",
-    "@pyreon/vite-plugin": "^0.24.5",
+    "@pyreon/core": "^0.24.6",
+    "@pyreon/head": "^0.24.6",
+    "@pyreon/meta": "^0.24.6",
+    "@pyreon/reactivity": "^0.24.6",
+    "@pyreon/router": "^0.24.6",
+    "@pyreon/runtime-dom": "^0.24.6",
+    "@pyreon/runtime-server": "^0.24.6",
+    "@pyreon/server": "^0.24.6",
+    "@pyreon/vite-plugin": "^0.24.6",
     "vite": "^8.0.0"
   },
   "devDependencies": {

package/src/actions.ts

@@ -1,196 +0,0 @@
-import type { MiddlewareContext } from '@pyreon/server'
-
-// ─── Types ───────────────────────────────────────────────────────────────────
-
-/** Context passed to server action handlers. */
-export interface ActionContext {
-  /** The original request. */
-  request: Request
-  /** Parsed form data (for form submissions). */
-  formData: FormData | null
-  /** Parsed JSON body (for JSON submissions). */
-  json: unknown
-  /** Request headers. */
-  headers: Headers
-}
-
-/** A server action handler function. */
-export type ActionHandler<T = unknown> = (ctx: ActionContext) => T | Promise<T>
-
-/** A registered action with its ID and handler. */
-interface RegisteredAction {
-  id: string
-  handler: ActionHandler
-}
-
-/** Client-side callable action returned by defineAction. */
-export interface Action<T = unknown> {
-  /** Call the action with JSON data. */
-  (data?: unknown): Promise<T>
-  /** The action's unique ID. */
-  actionId: string
-}
-
-// ─── Registry ────────────────────────────────────────────────────────────────
-
-/**
- * Module-level registry of every `defineAction()` call. Lookup is by the
- * `action_<uuid>` string the client sends in `POST /_zero/actions/<id>`.
- *
- * **HMR caveat (dev-only):** the registry uses fresh `crypto.randomUUID()`
- * per `defineAction()` invocation. When Vite hot-replaces a module that
- * calls `defineAction()`, the module re-runs and a NEW entry is inserted
- * — the OLD entry stays in the Map until the dev process exits. Each
- * entry holds `{ id, handler }` (~80 bytes). Bounded by the count of
- * distinct UUIDs minted in the session; a realistic dev session sees
- * <50 entries, so total dev-memory cost stays under ~5KB. Production
- * registers each module exactly once at startup — no leak. A
- * FinalizationRegistry-based purge is tracked as a follow-up; the
- * current cost is too small to justify the WeakRef/finalizer complexity.
- */
-const actionRegistry = new Map<string, RegisteredAction>()
-
-/**
- * Define a server action. Returns a callable function that:
- * - On the **client**: sends a POST request to `/_zero/actions/<id>`
- * - On the **server** (SSR): executes the handler directly (no fetch)
- *
- * @example
- * // In a route file or module:
- * export const createPost = defineAction(async (ctx) => {
- *   const data = ctx.json as { title: string; body: string }
- *   // ... save to database
- *   return { success: true, id: 123 }
- * })
- *
- * // In a component:
- * const result = await createPost({ title: 'Hello', body: '...' })
- */
-export function defineAction<T = unknown>(handler: ActionHandler<T>): Action<T> {
-  const id = `action_${crypto.randomUUID().slice(0, 8)}`
-
-  actionRegistry.set(id, { id, handler: handler as ActionHandler })
-
-  const callable = async (data?: unknown): Promise<T> => {
-    // Server-side: execute handler directly (no network round-trip)
-    if (typeof globalThis.window === 'undefined') {
-      return handler({
-        request: new Request(`http://localhost/_zero/actions/${id}`, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify(data ?? null),
-        }),
-        formData: null,
-        json: data ?? null,
-        headers: new Headers({ 'Content-Type': 'application/json' }),
-      })
-    }
-
-    // Client-side: POST to the action endpoint
-    const response = await fetch(`/_zero/actions/${id}`, {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify(data ?? null),
-    })
-    if (!response.ok) {
-      const body = await response.json().catch(() => ({}))
-      throw new Error((body as { error?: string }).error ?? `Action failed: ${response.statusText}`)
-    }
-    return response.json()
-  }
-
-  callable.actionId = id
-  return callable as Action<T>
-}
-
-/** Get all registered actions. Useful for testing. */
-export function getRegisteredActions(): Map<string, RegisteredAction> {
-  return actionRegistry
-}
-
-/**
- * Reset the action registry. Useful for testing.
- * @internal
- */
-export function _resetActions(): void {
-  actionRegistry.clear()
-}
-
-// ─── Server handler ──────────────────────────────────────────────────────────
-
-/**
- * Create a middleware that handles action requests at `/_zero/actions/*`.
- * Mount this before the SSR handler in the server entry.
- */
-export function createActionMiddleware(): (
-  ctx: MiddlewareContext,
-) => Response | undefined | Promise<Response | undefined> {
-  return async (ctx: MiddlewareContext) => {
-    if (!ctx.path.startsWith('/_zero/actions/')) return
-
-    const actionId = ctx.path.slice('/_zero/actions/'.length)
-    const action = actionRegistry.get(actionId)
-
-    if (!action) {
-      return Response.json({ error: 'Action not found' }, { status: 404 })
-    }
-
-    if (ctx.req.method !== 'POST') {
-      return Response.json({ error: 'Method not allowed' }, { status: 405 })
-    }
-
-    return executeAction(action, ctx.req)
-  }
-}
-
-async function executeAction(action: RegisteredAction, req: Request): Promise<Response> {
-  // Parse the request payload separately so a malformed body returns
-  // 400 (Bad Request) instead of being conflated with a runtime 500.
-  // `req.json()` / `req.formData()` throw on syntactically invalid
-  // payloads (truncated JSON, malformed multipart, invalid UTF-8, etc.)
-  // — that's a client problem, not a server problem, and the HTTP
-  // status code should reflect that.
-  const contentType = req.headers.get('content-type') ?? ''
-  let formData: FormData | null = null
-  let json: unknown = null
-  try {
-    if (contentType.includes('application/json')) {
-      json = await req.json()
-    } else if (
-      contentType.includes('multipart/form-data') ||
-      contentType.includes('application/x-www-form-urlencoded')
-    ) {
-      formData = await req.formData()
-    }
-  } catch (err) {
-    // Malformed request body — log for ops diagnostics but return 400
-    // (not 500) so the client sees the right status code. Don't leak
-    // the parser's internal error message; surface only the shape.
-    console.error('[Pyreon Action] failed to parse request body:', err)
-    return Response.json(
-      { error: 'Invalid request body' },
-      { status: 400 },
-    )
-  }
-
-  // Execute the user-supplied action handler. Surface errors to server
-  // logs via `console.error` — the cloud adapter audit (PR #755) found
-  // this same swallow-error pattern hiding production crashes from
-  // operators. Without it, a CMS-triggered action that crashed inside
-  // the user's handler returned a generic 500 to the client AND
-  // logged nothing on the server side, so the operator couldn't
-  // diagnose the failure.
-  try {
-    const result = await action.handler({
-      request: req,
-      formData,
-      json,
-      headers: req.headers,
-    })
-    return Response.json(result ?? null)
-  } catch (err) {
-    console.error('[Pyreon Action] handler failed:', err)
-    const message = err instanceof Error ? err.message : 'Internal server error'
-    return Response.json({ error: message }, { status: 500 })
-  }
-}

package/src/adapters/bun.ts

@@ -1,114 +0,0 @@
-import type { Adapter, AdapterBuildOptions, AdapterRevalidateResult } from '../types'
-import { validateBuildInputs } from './validate'
-
-/**
- * Bun adapter — generates a standalone Bun.serve() entry.
- *
- * **SSG mode (PR J)**: no-op. Bun adapter exists for serving the SSR
- * runtime; SSG output is already complete static HTML — serve it with
- * any static-file server (`bun preview` / `bunx serve` / nginx / Caddy).
- * Use `staticAdapter()` if you want explicit SSG semantics.
- */
-export function bunAdapter(): Adapter {
-  return {
-    name: 'bun',
-    async build(options: AdapterBuildOptions) {
-      if (options.kind === 'ssg') {
-        // Bun runner has nothing to add for prerendered SSG dist.
-        return
-      }
-      await validateBuildInputs(options)
-      const { writeFile, cp, mkdir } = await import('node:fs/promises')
-      const { join } = await import('node:path')
-
-      const outDir = options.outDir
-      await mkdir(outDir, { recursive: true })
-
-      // Copy server and client builds
-      await cp(options.clientOutDir, join(outDir, 'client'), {
-        recursive: true,
-      })
-      await cp(join(options.serverEntry, '..'), join(outDir, 'server'), {
-        recursive: true,
-      })
-
-      const port = options.config.port ?? 3000
-      const serverEntry = `
-import { normalize } from "node:path"
-
-const handler = (await import("./server/entry-server.js")).default
-const clientDir = new URL("./client/", import.meta.url).pathname
-
-Bun.serve({
-  port: ${port},
-  async fetch(req) {
-    const url = new URL(req.url)
-
-    // Try static files first (GET only).
-    //
-    // Path safety: decode percent-encoding, normalize \`..\` segments,
-    // then assert the resulting path doesn't escape the clientDir
-    // prefix. The previous implementation used \`Bun.resolveSync\`,
-    // which is MODULE resolution — it throws on any non-existent
-    // path, so it crashed every SSR route (URLs without a matching
-    // static file) with a 500 before the SSR handler ran.
-    // \`node:path.normalize\` is pure-string path arithmetic and
-    // doesn't touch the filesystem — safe for arbitrary input.
-    if (req.method === "GET") {
-      let decoded
-      try {
-        decoded = decodeURIComponent(url.pathname)
-      } catch {
-        // Malformed %-encoding → reject (don't fall through to SSR
-        // with a corrupt URL).
-        return new Response("Bad Request", { status: 400 })
-      }
-      // Reject null bytes outright — no legitimate use in a URL,
-      // and they can confuse downstream filesystem code.
-      if (decoded.includes("\\0")) {
-        return new Response("Forbidden", { status: 403 })
-      }
-      const reqPath = decoded === "/" ? "/index.html" : decoded
-      // Prepend clientDir then normalize. If the normalized result
-      // no longer starts with clientDir, a \`..\` segment escaped —
-      // reject. Using string-startsWith with clientDir (which ends
-      // in "/") prevents the "/clientdir-evil/" sibling-prefix
-      // bypass.
-      const candidate = normalize(clientDir + reqPath)
-      if (!candidate.startsWith(clientDir)) {
-        return new Response("Forbidden", { status: 403 })
-      }
-      const file = Bun.file(candidate)
-      if (await file.exists()) {
-        return new Response(file, {
-          headers: {
-            "cache-control": candidate.endsWith(".js") || candidate.endsWith(".css")
-              ? "public, max-age=31536000, immutable"
-              : "public, max-age=3600",
-          },
-        })
-      }
-    }
-
-    // Fall through to SSR handler
-    return handler(req)
-  },
-})
-
-console.log("\\n  ⚡ Zero production server running on http://localhost:${port}\\n")
-`.trimStart()
-
-      await writeFile(join(outDir, 'index.ts'), serverEntry)
-    },
-    async revalidate(_path: string): Promise<AdapterRevalidateResult> {
-      // Self-hosted Bun has no platform-driven ISR — same shape as
-      // nodeAdapter. See nodeAdapter.revalidate for full rationale.
-      if (process.env.NODE_ENV !== 'production') {
-        console.warn(
-          '[Pyreon] bunAdapter.revalidate() is a no-op — self-hosted Bun has no platform-driven ISR. Use mode: "isr" for runtime LRU caching, or vercelAdapter / cloudflareAdapter / netlifyAdapter for platform-driven build-time ISR.',
-        )
-      }
-      return { regenerated: false }
-    },
-  }
-}

package/src/adapters/cloudflare.ts

@@ -1,166 +0,0 @@
-import type { Adapter, AdapterBuildOptions, AdapterRevalidateResult } from '../types'
-import { validateBuildInputs } from './validate'
-import { warnMissingEnv } from './warn-missing-env'
-
-/**
- * Cloudflare Pages adapter — generates output for Cloudflare Pages with Functions.
- *
- * Produces:
- * - Client assets in the output directory root (served as static)
- * - `_worker.js` — Cloudflare Pages Function for SSR
- *
- * Note: Cloudflare Pages Functions have a ~1MB module size limit.
- * For large apps, configure Vite's SSR build to bundle server code:
- * `ssr: { noExternal: true }` in vite.config.ts.
- *
- * Deploy with: `npx wrangler pages deploy ./dist`
- *
- * @example
- * ```ts
- * // zero.config.ts
- * import { defineConfig } from "@pyreon/zero"
- *
- * export default defineConfig({
- *   adapter: "cloudflare",
- * })
- * ```
- */
-export function cloudflareAdapter(): Adapter {
-  return {
-    name: 'cloudflare',
-    async build(options: AdapterBuildOptions) {
-      if (options.kind === 'ssg') {
-        // PR J — SSG branch. Emit Cloudflare Pages `_routes.json` with
-        // `include: []` + `exclude: ['/*']` — i.e. "every URL is a
-        // static asset, never invoke a Pages Function". Without this
-        // file, Pages defaults to running the worker on every request,
-        // which is wasteful for prerendered SSG output (and incurs
-        // function-invocation costs on paid plans).
-        //
-        // Reference: https://developers.cloudflare.com/pages/functions/routing/
-        // — `version: 1`, `include` lists URL globs that DO invoke the
-        // function, `exclude` lists globs that bypass it. Setting
-        // `include: []` makes the function unreachable; the result is
-        // a pure-static deploy.
-        //
-        // Deploy with: `npx wrangler pages deploy ./dist`
-        const { writeFile } = await import('node:fs/promises')
-        const { join } = await import('node:path')
-        const routesConfig = {
-          version: 1,
-          include: [] as string[],
-          exclude: ['/*'],
-        }
-        await writeFile(
-          join(options.outDir, '_routes.json'),
-          JSON.stringify(routesConfig, null, 2),
-        )
-        return
-      }
-      await validateBuildInputs(options)
-      const { writeFile, cp, mkdir } = await import('node:fs/promises')
-      const { join } = await import('node:path')
-
-      const outDir = options.outDir
-      await mkdir(outDir, { recursive: true })
-
-      // Copy client assets to root (Cloudflare serves static files from root)
-      await cp(options.clientOutDir, outDir, { recursive: true })
-
-      // Copy server build
-      await cp(join(options.serverEntry, '..'), join(outDir, '_server'), {
-        recursive: true,
-      })
-
-      // Generate Cloudflare Pages _worker.js (ES module format).
-      //
-      // Static assets are handled by Cloudflare Pages itself via the
-      // asset binding (Cloudflare's CDN serves files from the dist
-      // root before invoking the worker). The pre-fix harness had an
-      // \`if (ext && ...) { /* comment */ }\` block here computing an
-      // \`ext\` variable and checking a condition with an EMPTY body —
-      // pure dead code that did nothing at runtime. Removed for
-      // clarity.
-      const workerEntry = `
-import handler from "./_server/entry-server.js"
-
-export default {
-  async fetch(request, env, ctx) {
-    try {
-      return await handler(request)
-    } catch (err) {
-      // Surface the error to Cloudflare Tail logs so production
-      // crashes give real diagnostic info — pre-fix the catch
-      // swallowed \`err\` entirely and the operator saw only a
-      // bare "Internal Server Error" with no stack, no message,
-      // no path. Logging via \`console.error\` is the standard
-      // Workers logging surface (lands in \`wrangler tail\` + the
-      // Cloudflare dashboard log stream).
-      console.error("[Pyreon SSR] handler failed:", err)
-      return new Response("Internal Server Error", { status: 500 })
-    }
-  },
-}
-`.trimStart()
-
-      await writeFile(join(outDir, '_worker.js'), workerEntry)
-
-      // Cloudflare Pages config — _routes.json for routing
-      const routesConfig = {
-        version: 1,
-        include: ['/*'],
-        exclude: ['/assets/*', '/favicon.*', '/site.webmanifest', '/robots.txt', '/sitemap.xml'],
-      }
-
-      await writeFile(join(outDir, '_routes.json'), JSON.stringify(routesConfig, null, 2))
-    },
-    async revalidate(path: string): Promise<AdapterRevalidateResult> {
-      // Cloudflare Pages ISR via Cache API delete + zone purge.
-      // Reads `CLOUDFLARE_ZONE_ID` and `CLOUDFLARE_API_TOKEN` from env
-      // (set in Workers / Pages dashboard → Variables). The zone
-      // purge endpoint accepts a list of URLs and removes them from
-      // every PoP's edge cache; the next visitor triggers a fresh
-      // origin fetch which rebuilds the prerendered page.
-      //
-      // Reference: https://developers.cloudflare.com/api/operations/zone-purge
-      const zoneId = process.env.CLOUDFLARE_ZONE_ID
-      const apiToken = process.env.CLOUDFLARE_API_TOKEN
-      const siteUrl = process.env.CLOUDFLARE_SITE_URL
-      if (!zoneId || !apiToken || !siteUrl) {
-        // M2.4 — warn even in production (dedupe per process). See vercel.ts
-        // for the rationale.
-        const missing: string[] = []
-        if (!zoneId) missing.push('CLOUDFLARE_ZONE_ID')
-        if (!apiToken) missing.push('CLOUDFLARE_API_TOKEN')
-        if (!siteUrl) missing.push('CLOUDFLARE_SITE_URL')
-        return warnMissingEnv(
-          'cloudflare',
-          missing,
-          'Set them in Cloudflare Pages dashboard → Settings → Environment Variables. Note: Cloudflare imposes a 1000-purge-per-24h rate limit per zone — high-frequency revalidation will hit it.',
-        )
-      }
-      const fullUrl = `${siteUrl.replace(/\/$/, '')}${path.startsWith('/') ? path : `/${path}`}`
-      try {
-        const res = await fetch(
-          `https://api.cloudflare.com/client/v4/zones/${zoneId}/purge_cache`,
-          {
-            method: 'POST',
-            headers: {
-              'Authorization': `Bearer ${apiToken}`,
-              'Content-Type': 'application/json',
-            },
-            body: JSON.stringify({ files: [fullUrl] }),
-          },
-        )
-        return { regenerated: res.ok }
-      } catch (err) {
-        if (process.env.NODE_ENV !== 'production') {
-          console.warn(
-            `[Pyreon] cloudflareAdapter.revalidate(${path}) failed: ${err instanceof Error ? err.message : String(err)}`,
-          )
-        }
-        return { regenerated: false }
-      }
-    },
-  }
-}