@taujs/server 0.2.6 → 0.3.0

package/LICENSE

@@ -1,6 +1,8 @@
 MIT License
 
-Copyright (c) Aoede Ltd 2024
+taujs [ τjs ] Orchestration System
+Author: John Smith
+Copyright (c) Aoede Ltd 2024-present
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,5 +1,7 @@
 # @taujs/server
 
+This package is part of the taujs [ τjs ] orchestration system, authored by John Smith | Aoede, 2024-present. Attribution is appreciated.
+
 `npm install @taujs/server`
 
 `yarn add @taujs/server`

package/dist/SSRServer-CmMH3qwx.d.ts

@@ -0,0 +1,150 @@
+import { ServerResponse } from 'node:http';
+import { FastifyRequest, FastifyReply, HookHandlerDoneFunction, FastifyPluginAsync } from 'fastify';
+import { PluginOption } from 'vite';
+
+type CSPDirectives = Record<string, string[]>;
+interface CSPOptions {
+    directives?: CSPDirectives;
+    exposeNonce?: (req: FastifyRequest, nonce: string) => void;
+    generateCSP?: (directives: CSPDirectives, nonce: string) => string;
+}
+declare const defaultGenerateCSP: (directives: CSPDirectives, nonce: string) => string;
+declare const generateNonce: () => string;
+declare const createCSPHook: (options?: CSPOptions) => (req: FastifyRequest, reply: FastifyReply, done: HookHandlerDoneFunction) => void;
+declare const getRequestNonce: (req: FastifyRequest) => string | undefined;
+declare const applyCSP: (security: SSRServerOptions["security"], reply: FastifyReply) => string | undefined;
+
+declare const TEMPLATE: {
+    readonly defaultEntryClient: "entry-client";
+    readonly defaultEntryServer: "entry-server";
+    readonly defaultHtmlTemplate: "index.html";
+};
+
+/**
+ * taujs [ τjs ] Orchestration System
+ * (c) 2024-present Aoede Ltd
+ * Author: John Smith
+ *
+ * Licensed under the MIT License — attribution appreciated.
+ * Part of the taujs [ τjs ] system for declarative, build-time orchestration of microfrontend applications,
+ * including SSR, streaming, and middleware composition.
+ */
+
+declare const createMaps: () => {
+    bootstrapModules: Map<string, string>;
+    cssLinks: Map<string, string>;
+    manifests: Map<string, Manifest>;
+    preloadLinks: Map<string, string>;
+    renderModules: Map<string, RenderModule>;
+    ssrManifests: Map<string, SSRManifest>;
+    templates: Map<string, string>;
+};
+declare const processConfigs: (configs: Config[], baseClientRoot: string, templateDefaults: typeof TEMPLATE) => ProcessedConfig[];
+declare const SSRServer: FastifyPluginAsync<SSRServerOptions>;
+type Config = {
+    appId: string;
+    entryPoint: string;
+    entryClient?: string;
+    entryServer?: string;
+    htmlTemplate?: string;
+};
+type ProcessedConfig = {
+    appId: string;
+    clientRoot: string;
+    entryClient: string;
+    entryPoint: string;
+    entryServer: string;
+    htmlTemplate: string;
+    plugins?: PluginOption[];
+};
+type SSRServerOptions = {
+    alias?: Record<string, string>;
+    clientRoot: string;
+    configs: Config[];
+    routes: Route<RouteParams>[];
+    serviceRegistry: ServiceRegistry;
+    security?: {
+        csp?: {
+            directives?: CSPDirectives;
+            generateCSP?: (directives: CSPDirectives, nonce: string) => string;
+        };
+    };
+    isDebug?: boolean;
+};
+type ServiceMethod = (params: Record<string, unknown>) => Promise<Record<string, unknown>>;
+type NamedService = Record<string, ServiceMethod>;
+type ServiceRegistry = Record<string, NamedService>;
+type RenderCallbacks = {
+    onHead: (headContent: string) => void;
+    onFinish: (initialDataResolved: unknown) => void;
+    onError: (error: unknown) => void;
+};
+type FetchConfig = {
+    url?: string;
+    options: RequestInit & {
+        params?: Record<string, unknown>;
+    };
+    serviceName?: string;
+    serviceMethod?: string;
+};
+type SSRManifest = {
+    [key: string]: string[];
+};
+type ManifestEntry = {
+    file: string;
+    src?: string;
+    isDynamicEntry?: boolean;
+    imports?: string[];
+    css?: string[];
+    assets?: string[];
+};
+type Manifest = {
+    [key: string]: ManifestEntry;
+};
+type RenderSSR = (initialDataResolved: Record<string, unknown>, location: string, meta?: Record<string, unknown>) => Promise<{
+    headContent: string;
+    appHtml: string;
+}>;
+type RenderStream = (serverResponse: ServerResponse, callbacks: RenderCallbacks, initialDataPromise: Promise<Record<string, unknown>>, location: string, bootstrapModules?: string, meta?: Record<string, unknown>) => void;
+type RenderModule = {
+    renderSSR: RenderSSR;
+    renderStream: RenderStream;
+};
+type BaseMiddleware = {
+    auth?: {
+        required: boolean;
+        redirect?: string;
+        roles?: string[];
+        strategy?: string;
+    };
+};
+type RouteAttributes<Params = {}, Middleware = BaseMiddleware> = {
+    render: 'ssr';
+    hydrate?: boolean;
+    meta?: Record<string, unknown>;
+    middleware?: Middleware;
+    fetch?: (params?: Params, options?: RequestInit & {
+        params?: Record<string, unknown>;
+    }) => Promise<FetchConfig>;
+} | {
+    render: 'streaming';
+    hydrate?: never;
+    meta: Record<string, unknown>;
+    middleware?: Middleware;
+    fetch?: (params?: Params, options?: RequestInit & {
+        params?: Record<string, unknown>;
+    }) => Promise<FetchConfig>;
+};
+type Route<Params = {}> = {
+    attr?: RouteAttributes<Params>;
+    path: string;
+    appId?: string;
+};
+interface InitialRouteParams extends Record<string, unknown> {
+    serviceName?: string;
+    serviceMethod?: string;
+}
+type RouteParams = InitialRouteParams & Record<string, unknown>;
+type RoutePathsAndAttributes<Params = {}> = Omit<Route<Params>, 'element'>;
+
+export { type BaseMiddleware as B, type Config as C, type FetchConfig as F, type InitialRouteParams as I, type ManifestEntry as M, type NamedService as N, type ProcessedConfig as P, type Route as R, SSRServer as S, TEMPLATE as T, type RouteParams as a, type RouteAttributes as b, createMaps as c, type SSRServerOptions as d, type ServiceMethod as e, type ServiceRegistry as f, type RenderCallbacks as g, type SSRManifest as h, type Manifest as i, type RenderSSR as j, type RenderStream as k, type RenderModule as l, type RoutePathsAndAttributes as m, type CSPDirectives as n, type CSPOptions as o, processConfigs as p, defaultGenerateCSP as q, generateNonce as r, createCSPHook as s, getRequestNonce as t, applyCSP as u };

package/dist/build.d.ts

@@ -1,15 +1,24 @@
-import { PluginOption } from 'vite';
+import { AppConfig } from './config.js';
+import 'vite';
+import './SSRServer-CmMH3qwx.js';
+import 'node:http';
+import 'fastify';
+
+/**
+ * taujs [ τjs ] Orchestration System
+ * (c) 2024-present Aoede Ltd
+ * Author: John Smith
+ *
+ * Licensed under the MIT License — attribution appreciated.
+ * Part of the taujs [ τjs ] system for declarative, build-time orchestration of microfrontend applications,
+ * including SSR, streaming, and middleware composition.
+ */
 
-type Config = {
-    appId: string;
-    entryPoint: string;
-    plugins?: PluginOption[];
-};
 declare function taujsBuild({ configs, projectRoot, clientBaseDir, isSSRBuild, }: {
-    configs: Config[];
+    configs: AppConfig[];
     projectRoot: string;
     clientBaseDir: string;
     isSSRBuild?: boolean;
 }): Promise<void>;
 
-export { type Config, taujsBuild };
+export { taujsBuild };

package/dist/build.js

@@ -198,6 +198,26 @@ var import_picocolors = __toESM(require_picocolors(), 1);
 import { readFile } from "fs/promises";
 import path2 from "path";
 
+// src/utils/Logger.ts
+var createLogger = (debug) => ({
+  log: (...args) => {
+    if (debug) console.log(...args);
+  },
+  warn: (...args) => {
+    if (debug) console.warn(...args);
+  },
+  error: (...args) => {
+    if (debug) console.error(...args);
+  }
+});
+var debugLog = (logger, message, req) => {
+  const prefix = "[\u03C4js]";
+  const method = req?.method ?? "";
+  const url = req?.url ?? "";
+  const tag = method && url ? `${method} ${url}` : "";
+  logger.log(`${prefix} ${tag} ${message}`);
+};
+
 // src/constants.ts
 var RENDERTYPE = {
   ssr: "ssr",
@@ -219,6 +239,32 @@ var DEV_CSP_DIRECTIVES = {
   "img-src": ["'self'", "data:"]
 };
 
+// src/security/auth.ts
+function createAuthHook(routes, isDebug) {
+  const logger = createLogger(Boolean(isDebug));
+  return async function authHook(req, reply) {
+    const url = new URL(req.url, `http://${req.headers.host}`).pathname;
+    const matched = routes.find((r) => r.path === url);
+    const authConfig = matched?.attr?.middleware?.auth;
+    if (!authConfig?.required) {
+      debugLog(logger, "Auth not required for route", req);
+      return;
+    }
+    if (typeof req.server.authenticate !== "function") {
+      req.log.warn('Route requires auth but no "authenticate" decorator is defined on Fastify.');
+      return reply.status(500).send("Server misconfiguration: auth decorator missing.");
+    }
+    try {
+      debugLog(logger, "Invoking authenticate(...)", req);
+      await req.server.authenticate(req, reply);
+      debugLog(logger, "Authentication successful", req);
+    } catch (err) {
+      debugLog(logger, "Authentication failed", req);
+      return reply.send(err);
+    }
+  };
+}
+
 // src/security/csp.ts
 import crypto from "crypto";
 var defaultGenerateCSP = (directives, nonce) => {
@@ -237,7 +283,7 @@ var defaultGenerateCSP = (directives, nonce) => {
   return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
 };
 var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var cspHook = (options = {}) => (req, reply, done) => {
+var createCSPHook = (options = {}) => (req, reply, done) => {
   const nonce = generateNonce();
   const directives = options.directives ?? DEV_CSP_DIRECTIVES;
   const generate = options.generateCSP ?? defaultGenerateCSP;
@@ -260,6 +306,26 @@ var applyCSP = (security, reply) => {
   return nonce;
 };
 
+// src/security/verifyMiddleware.ts
+var isAuthRequired = (r) => r.attr?.middleware?.auth?.required === true;
+var hasAuthenticate = (app) => typeof app.authenticate === "function";
+var verifyContracts = (app, routes, contracts, isDebug) => {
+  const logger = createLogger(Boolean(isDebug));
+  for (const contract of contracts) {
+    const isUsed = routes.some(contract.required);
+    if (!isUsed) {
+      debugLog(logger, `Middleware "${contract.key}" not used in any routes`);
+      continue;
+    }
+    if (!contract.verify(app)) {
+      const error = new Error(`[\u03C4js] ${contract.errorMessage}`);
+      logger.error(error.message);
+      throw error;
+    }
+    debugLog(logger, `Middleware "${contract.key}" verified \u2713`);
+  }
+};
+
 // src/utils/Utils.ts
 import { dirname, join } from "path";
 import "path";
@@ -330,16 +396,15 @@ function renderPreloadLink(file) {
       return "";
   }
 }
-var callServiceMethod = async (serviceRegistry, serviceName, serviceMethod, params) => {
-  const service = serviceRegistry[serviceName];
-  if (service && typeof service[serviceMethod] === "function") {
-    const method = service[serviceMethod];
-    const data = await method(params);
-    if (typeof data !== "object" || data === null)
-      throw new Error(`Expected object response from service method ${serviceMethod} on ${serviceName}, but got ${typeof data}`);
-    return data;
-  }
-  throw new Error(`Service method ${serviceMethod} does not exist on ${serviceName}`);
+var callServiceMethod = async (registry, serviceName, methodName, params) => {
+  const service = registry[serviceName];
+  if (!service) throw new Error(`Service ${String(serviceName)} does not exist in the registry`);
+  const method = service[methodName];
+  if (typeof method !== "function") throw new Error(`Service method ${String(methodName)} does not exist on ${String(serviceName)}`);
+  const data = await method(params);
+  if (typeof data !== "object" || data === null)
+    throw new Error(`Expected object response from ${String(serviceName)}.${String(methodName)}, but got ${typeof data}`);
+  return data;
 };
 var fetchData = async ({ url, options }) => {
   if (url) {
@@ -357,10 +422,10 @@ var fetchInitialData = async (attr, params, serviceRegistry) => {
       headers: { "Content-Type": "application/json" },
       params
     }).then(async (data) => {
-      if (data.serviceName && data.serviceMethod) {
+      if (data.serviceName && data.serviceMethod && typeof data.serviceName === "string" && typeof data.serviceMethod === "string")
         return await callServiceMethod(serviceRegistry, data.serviceName, data.serviceMethod, data.options?.params ?? {});
-      }
-      return await fetchData(data);
+      if (data.url && typeof data.url === "string") return await fetchData(data);
+      throw new Error("Invalid fetch configuration: must have either serviceName+serviceMethod or url");
     }).catch((error) => {
       console.error("Error fetching initial data:", error);
       throw error;
@@ -433,6 +498,7 @@ var processConfigs = (configs, baseClientRoot, templateDefaults) => {
 };
 var SSRServer = (0, import_fastify_plugin.default)(
   async (app, opts) => {
+    const logger = createLogger(opts.isDebug ?? false);
     const { alias, configs, routes, serviceRegistry, isDebug, clientRoot: baseClientRoot } = opts;
     const { bootstrapModules, cssLinks, manifests, preloadLinks, renderModules, ssrManifests, templates } = createMaps();
     const processedConfigs = processConfigs(configs, baseClientRoot, TEMPLATE);
@@ -466,6 +532,19 @@ var SSRServer = (0, import_fastify_plugin.default)(
       }
     }
     let viteDevServer;
+    verifyContracts(
+      app,
+      routes,
+      [
+        {
+          key: "auth",
+          required: isAuthRequired,
+          verify: hasAuthenticate,
+          errorMessage: "Routes require auth but Fastify instance is missing `.authenticate` decorator."
+        }
+      ],
+      opts.isDebug
+    );
     await app.register(import("@fastify/static"), {
       index: false,
       prefix: "/",
@@ -474,11 +553,12 @@ var SSRServer = (0, import_fastify_plugin.default)(
     });
     app.addHook(
       "onRequest",
-      cspHook({
+      createCSPHook({
         directives: opts.security?.csp?.directives,
         generateCSP: opts.security?.csp?.generateCSP
       })
     );
+    app.addHook("onRequest", createAuthHook(routes));
     if (isDevelopment) {
       const { createServer } = await import("vite");
       viteDevServer = await createServer({
@@ -496,10 +576,10 @@ var SSRServer = (0, import_fastify_plugin.default)(
             {
               name: "taujs-development-server-debug-logging",
               configureServer(server) {
-                console.log(import_picocolors.default.green("\u03C4js development server debug started."));
+                logger.log(import_picocolors.default.green("\u03C4js development server debug started."));
                 server.middlewares.use((req, res, next) => {
-                  console.log(import_picocolors.default.cyan(`\u2190 rx: ${req.url}`));
-                  res.on("finish", () => console.log(import_picocolors.default.yellow(`\u2192 tx: ${req.url}`)));
+                  logger.log(import_picocolors.default.cyan(`\u2190 rx: ${req.url}`));
+                  res.on("finish", () => logger.log(import_picocolors.default.yellow(`\u2192 tx: ${req.url}`)));
                   next();
                 });
               }
@@ -583,7 +663,9 @@ var SSRServer = (0, import_fastify_plugin.default)(
           let aggregateHeadContent = headContent;
           if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
           if (manifest && cssLink) aggregateHeadContent += cssLink;
-          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>`);
+          const shouldHydrate = attr?.hydrate !== false;
+          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
+          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}${bootstrapScriptTag}`);
           return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
         } else {
           const { renderStream } = renderModule;

package/dist/config.d.ts

@@ -0,0 +1,37 @@
+import { PluginOption } from 'vite';
+import { R as Route, a as RouteParams, b as RouteAttributes } from './SSRServer-CmMH3qwx.js';
+import 'node:http';
+import 'fastify';
+
+/**
+ * taujs [ τjs ] Orchestration System
+ * (c) 2024-present Aoede Ltd
+ * Author: John Smith
+ *
+ * Licensed under the MIT License — attribution appreciated.
+ * Part of the taujs [ τjs ] system for declarative, build-time orchestration of microfrontend applications,
+ * including SSR, streaming, and middleware composition.
+ */
+
+type AppRoute = Omit<Route<RouteParams>, 'appId'> & {
+    attr?: RouteAttributes;
+};
+type AppConfig = {
+    appId: string;
+    entryPoint: string;
+    plugins?: PluginOption[];
+    routes?: AppRoute[];
+};
+type TaujsConfig = {
+    apps: AppConfig[];
+};
+declare const extractBuildConfigs: (config: {
+    apps: {
+        appId: string;
+        entryPoint: string;
+        plugins?: PluginOption[];
+    }[];
+}) => AppConfig[];
+declare function extractRoutes(taujsConfig: TaujsConfig): Route<RouteParams>[];
+
+export { type AppConfig, type AppRoute, type TaujsConfig, extractBuildConfigs, extractRoutes };

package/dist/config.js

@@ -0,0 +1,146 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// node_modules/picocolors/picocolors.js
+var require_picocolors = __commonJS({
+  "node_modules/picocolors/picocolors.js"(exports, module) {
+    "use strict";
+    var p = process || {};
+    var argv = p.argv || [];
+    var env = p.env || {};
+    var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env.TERM !== "dumb" || !!env.CI);
+    var formatter = (open, close, replace = open) => (input) => {
+      let string = "" + input, index = string.indexOf(close, open.length);
+      return ~index ? open + replaceClose(string, close, replace, index) + close : open + string + close;
+    };
+    var replaceClose = (string, close, replace, index) => {
+      let result = "", cursor = 0;
+      do {
+        result += string.substring(cursor, index) + replace;
+        cursor = index + close.length;
+        index = string.indexOf(close, cursor);
+      } while (~index);
+      return result + string.substring(cursor);
+    };
+    var createColors = (enabled = isColorSupported) => {
+      let f = enabled ? formatter : () => String;
+      return {
+        isColorSupported: enabled,
+        reset: f("\x1B[0m", "\x1B[0m"),
+        bold: f("\x1B[1m", "\x1B[22m", "\x1B[22m\x1B[1m"),
+        dim: f("\x1B[2m", "\x1B[22m", "\x1B[22m\x1B[2m"),
+        italic: f("\x1B[3m", "\x1B[23m"),
+        underline: f("\x1B[4m", "\x1B[24m"),
+        inverse: f("\x1B[7m", "\x1B[27m"),
+        hidden: f("\x1B[8m", "\x1B[28m"),
+        strikethrough: f("\x1B[9m", "\x1B[29m"),
+        black: f("\x1B[30m", "\x1B[39m"),
+        red: f("\x1B[31m", "\x1B[39m"),
+        green: f("\x1B[32m", "\x1B[39m"),
+        yellow: f("\x1B[33m", "\x1B[39m"),
+        blue: f("\x1B[34m", "\x1B[39m"),
+        magenta: f("\x1B[35m", "\x1B[39m"),
+        cyan: f("\x1B[36m", "\x1B[39m"),
+        white: f("\x1B[37m", "\x1B[39m"),
+        gray: f("\x1B[90m", "\x1B[39m"),
+        bgBlack: f("\x1B[40m", "\x1B[49m"),
+        bgRed: f("\x1B[41m", "\x1B[49m"),
+        bgGreen: f("\x1B[42m", "\x1B[49m"),
+        bgYellow: f("\x1B[43m", "\x1B[49m"),
+        bgBlue: f("\x1B[44m", "\x1B[49m"),
+        bgMagenta: f("\x1B[45m", "\x1B[49m"),
+        bgCyan: f("\x1B[46m", "\x1B[49m"),
+        bgWhite: f("\x1B[47m", "\x1B[49m"),
+        blackBright: f("\x1B[90m", "\x1B[39m"),
+        redBright: f("\x1B[91m", "\x1B[39m"),
+        greenBright: f("\x1B[92m", "\x1B[39m"),
+        yellowBright: f("\x1B[93m", "\x1B[39m"),
+        blueBright: f("\x1B[94m", "\x1B[39m"),
+        magentaBright: f("\x1B[95m", "\x1B[39m"),
+        cyanBright: f("\x1B[96m", "\x1B[39m"),
+        whiteBright: f("\x1B[97m", "\x1B[39m"),
+        bgBlackBright: f("\x1B[100m", "\x1B[49m"),
+        bgRedBright: f("\x1B[101m", "\x1B[49m"),
+        bgGreenBright: f("\x1B[102m", "\x1B[49m"),
+        bgYellowBright: f("\x1B[103m", "\x1B[49m"),
+        bgBlueBright: f("\x1B[104m", "\x1B[49m"),
+        bgMagentaBright: f("\x1B[105m", "\x1B[49m"),
+        bgCyanBright: f("\x1B[106m", "\x1B[49m"),
+        bgWhiteBright: f("\x1B[107m", "\x1B[49m")
+      };
+    };
+    module.exports = createColors();
+    module.exports.createColors = createColors;
+  }
+});
+
+// src/config.ts
+var import_picocolors = __toESM(require_picocolors(), 1);
+import { performance } from "perf_hooks";
+var extractBuildConfigs = (config) => {
+  return config.apps.map(({ appId, entryPoint, plugins }) => ({
+    appId,
+    entryPoint,
+    plugins
+  }));
+};
+function extractRoutes(taujsConfig) {
+  console.log(import_picocolors.default.bold("Preparing taujs [ \u03C4js ]"));
+  const t0 = performance.now();
+  try {
+    const allRoutes = [];
+    const pathTracker = /* @__PURE__ */ new Map();
+    let totalRoutes = 0;
+    for (const app of taujsConfig.apps) {
+      const appRoutes = (app.routes ?? []).map((route) => {
+        const fullRoute = { ...route, appId: app.appId };
+        if (!pathTracker.has(route.path)) pathTracker.set(route.path, []);
+        pathTracker.get(route.path).push(app.appId);
+        return fullRoute;
+      });
+      console.log(import_picocolors.default.gray(` \u2022 ${app.appId}: ${appRoutes.length} route(s)`));
+      allRoutes.push(...appRoutes);
+      totalRoutes += appRoutes.length;
+    }
+    for (const [path, appIds] of pathTracker.entries()) {
+      if (appIds.length > 1) console.warn(import_picocolors.default.yellow(`\u26A0\uFE0F Route path "${path}" is declared in multiple apps: ${appIds.join(", ")} \u2013 order may affect matching`));
+    }
+    const sortedRoutes = allRoutes.sort((a, b) => computeScore(b.path) - computeScore(a.path));
+    const t1 = performance.now();
+    console.log(import_picocolors.default.green(`Prepared ${totalRoutes} route(s) in ${(t1 - t0).toFixed(1)}ms`));
+    return sortedRoutes;
+  } catch (err) {
+    console.log(import_picocolors.default.red("Failed to prepare routes"));
+    throw err;
+  }
+}
+function computeScore(path) {
+  return path.split("/").filter(Boolean).length;
+}
+export {
+  extractBuildConfigs,
+  extractRoutes
+};

package/dist/index.d.ts

@@ -1,4 +1,24 @@
-export { C as Config, F as FetchConfig, I as InitialRouteParams, f as Manifest, M as ManifestEntry, N as NamedService, P as ProcessedConfig, R as RenderCallbacks, i as RenderModule, g as RenderSSR, h as RenderStream, k as Route, j as RouteAttributes, l as RouteParams, m as RoutePathsAndAttributes, e as SSRManifest, S as SSRServer, a as SSRServerOptions, b as ServiceMethod, d as ServiceRegistry, T as TEMPLATE, c as createMaps, p as processConfigs } from './security/csp.js';
+import { FastifyReply } from 'fastify';
+export { B as BaseMiddleware, C as Config, F as FetchConfig, I as InitialRouteParams, i as Manifest, M as ManifestEntry, N as NamedService, P as ProcessedConfig, g as RenderCallbacks, l as RenderModule, j as RenderSSR, k as RenderStream, R as Route, b as RouteAttributes, a as RouteParams, m as RoutePathsAndAttributes, h as SSRManifest, S as SSRServer, d as SSRServerOptions, e as ServiceMethod, f as ServiceRegistry, T as TEMPLATE, c as createMaps, p as processConfigs } from './SSRServer-CmMH3qwx.js';
 import 'node:http';
-import 'fastify';
 import 'vite';
+
+declare module 'fastify' {
+  interface FastifyRequest {
+    nonce?: string;
+  }
+  interface FastifyInstance {
+    /**
+     * Optional authentication hook to be used by the TauJS SSRServer.
+     * This method must be decorated by the user when using auth middleware in `taujs.config.ts`.
+     *
+     * Example usage:
+     * ```ts
+     * fastify.decorate('authenticate', async function (req, reply) {
+     *   await req.jwtVerify();
+     * });
+     * ```
+     */
+    authenticate: (req: FastifyRequest, reply: FastifyReply) => Promise<void>;
+  }
+}

package/dist/index.js

@@ -187,12 +187,35 @@ var require_picocolors = __commonJS({
   }
 });
 
+// src/types.d.ts
+import "fastify";
+
 // src/SSRServer.ts
 var import_fastify_plugin = __toESM(require_plugin(), 1);
 var import_picocolors = __toESM(require_picocolors(), 1);
 import { readFile } from "fs/promises";
 import path2 from "path";
 
+// src/utils/Logger.ts
+var createLogger = (debug) => ({
+  log: (...args) => {
+    if (debug) console.log(...args);
+  },
+  warn: (...args) => {
+    if (debug) console.warn(...args);
+  },
+  error: (...args) => {
+    if (debug) console.error(...args);
+  }
+});
+var debugLog = (logger, message, req) => {
+  const prefix = "[\u03C4js]";
+  const method = req?.method ?? "";
+  const url = req?.url ?? "";
+  const tag = method && url ? `${method} ${url}` : "";
+  logger.log(`${prefix} ${tag} ${message}`);
+};
+
 // src/constants.ts
 var RENDERTYPE = {
   ssr: "ssr",
@@ -214,6 +237,32 @@ var DEV_CSP_DIRECTIVES = {
   "img-src": ["'self'", "data:"]
 };
 
+// src/security/auth.ts
+function createAuthHook(routes, isDebug) {
+  const logger = createLogger(Boolean(isDebug));
+  return async function authHook(req, reply) {
+    const url = new URL(req.url, `http://${req.headers.host}`).pathname;
+    const matched = routes.find((r) => r.path === url);
+    const authConfig = matched?.attr?.middleware?.auth;
+    if (!authConfig?.required) {
+      debugLog(logger, "Auth not required for route", req);
+      return;
+    }
+    if (typeof req.server.authenticate !== "function") {
+      req.log.warn('Route requires auth but no "authenticate" decorator is defined on Fastify.');
+      return reply.status(500).send("Server misconfiguration: auth decorator missing.");
+    }
+    try {
+      debugLog(logger, "Invoking authenticate(...)", req);
+      await req.server.authenticate(req, reply);
+      debugLog(logger, "Authentication successful", req);
+    } catch (err) {
+      debugLog(logger, "Authentication failed", req);
+      return reply.send(err);
+    }
+  };
+}
+
 // src/security/csp.ts
 import crypto from "crypto";
 var defaultGenerateCSP = (directives, nonce) => {
@@ -232,7 +281,7 @@ var defaultGenerateCSP = (directives, nonce) => {
   return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
 };
 var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var cspHook = (options = {}) => (req, reply, done) => {
+var createCSPHook = (options = {}) => (req, reply, done) => {
   const nonce = generateNonce();
   const directives = options.directives ?? DEV_CSP_DIRECTIVES;
   const generate = options.generateCSP ?? defaultGenerateCSP;
@@ -255,6 +304,26 @@ var applyCSP = (security, reply) => {
   return nonce;
 };
 
+// src/security/verifyMiddleware.ts
+var isAuthRequired = (r) => r.attr?.middleware?.auth?.required === true;
+var hasAuthenticate = (app) => typeof app.authenticate === "function";
+var verifyContracts = (app, routes, contracts, isDebug) => {
+  const logger = createLogger(Boolean(isDebug));
+  for (const contract of contracts) {
+    const isUsed = routes.some(contract.required);
+    if (!isUsed) {
+      debugLog(logger, `Middleware "${contract.key}" not used in any routes`);
+      continue;
+    }
+    if (!contract.verify(app)) {
+      const error = new Error(`[\u03C4js] ${contract.errorMessage}`);
+      logger.error(error.message);
+      throw error;
+    }
+    debugLog(logger, `Middleware "${contract.key}" verified \u2713`);
+  }
+};
+
 // src/utils/Utils.ts
 import { dirname, join } from "path";
 import "path";
@@ -325,16 +394,15 @@ function renderPreloadLink(file) {
       return "";
   }
 }
-var callServiceMethod = async (serviceRegistry, serviceName, serviceMethod, params) => {
-  const service = serviceRegistry[serviceName];
-  if (service && typeof service[serviceMethod] === "function") {
-    const method = service[serviceMethod];
-    const data = await method(params);
-    if (typeof data !== "object" || data === null)
-      throw new Error(`Expected object response from service method ${serviceMethod} on ${serviceName}, but got ${typeof data}`);
-    return data;
-  }
-  throw new Error(`Service method ${serviceMethod} does not exist on ${serviceName}`);
+var callServiceMethod = async (registry, serviceName, methodName, params) => {
+  const service = registry[serviceName];
+  if (!service) throw new Error(`Service ${String(serviceName)} does not exist in the registry`);
+  const method = service[methodName];
+  if (typeof method !== "function") throw new Error(`Service method ${String(methodName)} does not exist on ${String(serviceName)}`);
+  const data = await method(params);
+  if (typeof data !== "object" || data === null)
+    throw new Error(`Expected object response from ${String(serviceName)}.${String(methodName)}, but got ${typeof data}`);
+  return data;
 };
 var fetchData = async ({ url, options }) => {
   if (url) {
@@ -352,10 +420,10 @@ var fetchInitialData = async (attr, params, serviceRegistry) => {
       headers: { "Content-Type": "application/json" },
       params
     }).then(async (data) => {
-      if (data.serviceName && data.serviceMethod) {
+      if (data.serviceName && data.serviceMethod && typeof data.serviceName === "string" && typeof data.serviceMethod === "string")
         return await callServiceMethod(serviceRegistry, data.serviceName, data.serviceMethod, data.options?.params ?? {});
-      }
-      return await fetchData(data);
+      if (data.url && typeof data.url === "string") return await fetchData(data);
+      throw new Error("Invalid fetch configuration: must have either serviceName+serviceMethod or url");
     }).catch((error) => {
       console.error("Error fetching initial data:", error);
       throw error;
@@ -428,6 +496,7 @@ var processConfigs = (configs, baseClientRoot, templateDefaults) => {
 };
 var SSRServer = (0, import_fastify_plugin.default)(
   async (app, opts) => {
+    const logger = createLogger(opts.isDebug ?? false);
     const { alias, configs, routes, serviceRegistry, isDebug, clientRoot: baseClientRoot } = opts;
     const { bootstrapModules, cssLinks, manifests, preloadLinks, renderModules, ssrManifests, templates } = createMaps();
     const processedConfigs = processConfigs(configs, baseClientRoot, TEMPLATE);
@@ -461,6 +530,19 @@ var SSRServer = (0, import_fastify_plugin.default)(
       }
     }
     let viteDevServer;
+    verifyContracts(
+      app,
+      routes,
+      [
+        {
+          key: "auth",
+          required: isAuthRequired,
+          verify: hasAuthenticate,
+          errorMessage: "Routes require auth but Fastify instance is missing `.authenticate` decorator."
+        }
+      ],
+      opts.isDebug
+    );
     await app.register(import("@fastify/static"), {
       index: false,
       prefix: "/",
@@ -469,11 +551,12 @@ var SSRServer = (0, import_fastify_plugin.default)(
     });
     app.addHook(
       "onRequest",
-      cspHook({
+      createCSPHook({
         directives: opts.security?.csp?.directives,
         generateCSP: opts.security?.csp?.generateCSP
       })
     );
+    app.addHook("onRequest", createAuthHook(routes));
     if (isDevelopment) {
       const { createServer } = await import("vite");
       viteDevServer = await createServer({
@@ -491,10 +574,10 @@ var SSRServer = (0, import_fastify_plugin.default)(
             {
               name: "taujs-development-server-debug-logging",
               configureServer(server) {
-                console.log(import_picocolors.default.green("\u03C4js development server debug started."));
+                logger.log(import_picocolors.default.green("\u03C4js development server debug started."));
                 server.middlewares.use((req, res, next) => {
-                  console.log(import_picocolors.default.cyan(`\u2190 rx: ${req.url}`));
-                  res.on("finish", () => console.log(import_picocolors.default.yellow(`\u2192 tx: ${req.url}`)));
+                  logger.log(import_picocolors.default.cyan(`\u2190 rx: ${req.url}`));
+                  res.on("finish", () => logger.log(import_picocolors.default.yellow(`\u2192 tx: ${req.url}`)));
                   next();
                 });
               }
@@ -578,7 +661,9 @@ var SSRServer = (0, import_fastify_plugin.default)(
           let aggregateHeadContent = headContent;
           if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
           if (manifest && cssLink) aggregateHeadContent += cssLink;
-          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>`);
+          const shouldHydrate = attr?.hydrate !== false;
+          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${nonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
+          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}${bootstrapScriptTag}`);
           return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
         } else {
           const { renderStream } = renderModule;

package/dist/security/csp.d.ts

@@ -1,131 +1,4 @@
-import { ServerResponse } from 'node:http';
-import { FastifyRequest, FastifyReply, HookHandlerDoneFunction, FastifyPluginAsync } from 'fastify';
-import { PluginOption } from 'vite';
-
-type CSPDirectives = Record<string, string[]>;
-interface CSPOptions {
-    directives?: CSPDirectives;
-    exposeNonce?: (req: FastifyRequest, nonce: string) => void;
-    generateCSP?: (directives: CSPDirectives, nonce: string) => string;
-}
-declare const defaultGenerateCSP: (directives: CSPDirectives, nonce: string) => string;
-declare const generateNonce: () => string;
-declare const cspHook: (options?: CSPOptions) => (req: FastifyRequest, reply: FastifyReply, done: HookHandlerDoneFunction) => void;
-declare const getRequestNonce: (req: FastifyRequest) => string | undefined;
-declare const applyCSP: (security: SSRServerOptions["security"], reply: FastifyReply) => string | undefined;
-
-declare const RENDERTYPE: {
-    ssr: string;
-    streaming: string;
-};
-declare const TEMPLATE: {
-    defaultEntryClient: string;
-    defaultEntryServer: string;
-    defaultHtmlTemplate: string;
-};
-
-declare const createMaps: () => {
-    bootstrapModules: Map<string, string>;
-    cssLinks: Map<string, string>;
-    manifests: Map<string, Manifest>;
-    preloadLinks: Map<string, string>;
-    renderModules: Map<string, RenderModule>;
-    ssrManifests: Map<string, SSRManifest>;
-    templates: Map<string, string>;
-};
-declare const processConfigs: (configs: Config[], baseClientRoot: string, templateDefaults: typeof TEMPLATE) => ProcessedConfig[];
-declare const SSRServer: FastifyPluginAsync<SSRServerOptions>;
-type Config = {
-    appId: string;
-    entryPoint: string;
-    entryClient?: string;
-    entryServer?: string;
-    htmlTemplate?: string;
-};
-type ProcessedConfig = {
-    appId: string;
-    clientRoot: string;
-    entryClient: string;
-    entryPoint: string;
-    entryServer: string;
-    htmlTemplate: string;
-    plugins?: PluginOption[];
-};
-type SSRServerOptions = {
-    alias?: Record<string, string>;
-    clientRoot: string;
-    configs: Config[];
-    routes: Route<RouteParams>[];
-    serviceRegistry: ServiceRegistry;
-    security?: {
-        csp?: {
-            directives?: CSPDirectives;
-            generateCSP?: (directives: CSPDirectives, nonce: string) => string;
-        };
-    };
-    isDebug?: boolean;
-};
-type ServiceMethod = (params: Record<string, unknown>) => Promise<Record<string, unknown>>;
-type NamedService = Record<string, ServiceMethod>;
-type ServiceRegistry = Record<string, NamedService>;
-type RenderCallbacks = {
-    onHead: (headContent: string) => void;
-    onFinish: (initialDataResolved: unknown) => void;
-    onError: (error: unknown) => void;
-};
-type FetchConfig = {
-    url?: string;
-    options: RequestInit & {
-        params?: Record<string, unknown>;
-    };
-    serviceName?: string;
-    serviceMethod?: string;
-};
-type SSRManifest = {
-    [key: string]: string[];
-};
-type ManifestEntry = {
-    file: string;
-    src?: string;
-    isDynamicEntry?: boolean;
-    imports?: string[];
-    css?: string[];
-    assets?: string[];
-};
-type Manifest = {
-    [key: string]: ManifestEntry;
-};
-type RenderSSR = (initialDataResolved: Record<string, unknown>, location: string, meta?: Record<string, unknown>) => Promise<{
-    headContent: string;
-    appHtml: string;
-    initialDataScript: string;
-}>;
-type RenderStream = (serverResponse: ServerResponse, callbacks: RenderCallbacks, initialDataPromise: Promise<Record<string, unknown>>, location: string, bootstrapModules?: string, meta?: Record<string, unknown>) => void;
-type RenderModule = {
-    renderSSR: RenderSSR;
-    renderStream: RenderStream;
-};
-type RouteAttributes<Params = {}> = {
-    fetch?: (params?: Params, options?: RequestInit & {
-        params?: Record<string, unknown>;
-    }) => Promise<FetchConfig>;
-} & ({
-    render?: typeof RENDERTYPE.ssr;
-    meta?: Record<string, unknown>;
-} | {
-    render: typeof RENDERTYPE.streaming;
-    meta: Record<string, unknown>;
-});
-type Route<Params = {}> = {
-    attr?: RouteAttributes<Params>;
-    path: string;
-    appId?: string;
-};
-interface InitialRouteParams extends Record<string, unknown> {
-    serviceName?: string;
-    serviceMethod?: string;
-}
-type RouteParams = InitialRouteParams & Record<string, unknown>;
-type RoutePathsAndAttributes<Params = {}> = Omit<Route<Params>, 'element'>;
-
-export { type Config as C, type CSPDirectives, type CSPOptions, type FetchConfig as F, type InitialRouteParams as I, type ManifestEntry as M, type NamedService as N, type ProcessedConfig as P, type RenderCallbacks as R, SSRServer as S, TEMPLATE as T, type SSRServerOptions as a, applyCSP, type ServiceMethod as b, createMaps as c, cspHook, type ServiceRegistry as d, defaultGenerateCSP, type SSRManifest as e, type Manifest as f, type RenderSSR as g, generateNonce, getRequestNonce, type RenderStream as h, type RenderModule as i, type RouteAttributes as j, type Route as k, type RouteParams as l, type RoutePathsAndAttributes as m, processConfigs as p };
+import 'fastify';
+export { n as CSPDirectives, o as CSPOptions, u as applyCSP, s as createCSPHook, q as defaultGenerateCSP, r as generateNonce, t as getRequestNonce } from '../SSRServer-CmMH3qwx.js';
+import 'node:http';
+import 'vite';

package/dist/security/csp.js

@@ -26,7 +26,7 @@ var defaultGenerateCSP = (directives, nonce) => {
   return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
 };
 var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var cspHook = (options = {}) => (req, reply, done) => {
+var createCSPHook = (options = {}) => (req, reply, done) => {
   const nonce = generateNonce();
   const directives = options.directives ?? DEV_CSP_DIRECTIVES;
   const generate = options.generateCSP ?? defaultGenerateCSP;
@@ -51,7 +51,7 @@ var applyCSP = (security, reply) => {
 };
 export {
   applyCSP,
-  cspHook,
+  createCSPHook,
   defaultGenerateCSP,
   generateNonce,
   getRequestNonce

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@taujs/server",
-  "version": "0.2.6",
-  "description": "taujs | τjs",
-  "author": "Aoede <taujs@aoede.uk.net> (https://www.aoede.uk.net)",
+  "version": "0.3.0",
+  "description": "taujs [ τjs ]",
+  "author": "John Smith | Aoede <taujs@aoede.uk.net> (https://www.aoede.uk.net)",
   "license": "MIT",
   "homepage": "https://github.com/aoede3/taujs-server",
   "repository": {
@@ -33,6 +33,10 @@
       "import": "./dist/build.js",
       "types": "./dist/build.d.ts"
     },
+    "./config": {
+      "import": "./dist/config.js",
+      "types": "./dist/config.d.ts"
+    },
     "./csp": {
       "import": "./dist/security/csp.js",
       "types": "./dist/security/csp.d.ts"