@timber-js/app 0.2.0-alpha.87 → 0.2.0-alpha.88

package/dist/plugins/entries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"entries.d.ts","sourceRoot":"","sources":["../../src/plugins/entries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAInC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAqH1D;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAUrE;AAED;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,mBAAmB,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAwBxF;AAiDD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAkFxD"}
+{"version":3,"file":"entries.d.ts","sourceRoot":"","sources":["../../src/plugins/entries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAInC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AA0J1D;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAUrE;AAED;;;;;;;;GAQG;AACH,wBAAgB,6BAA6B,CAAC,mBAAmB,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,CAwBxF;AAiDD;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAkFxD"}

package/dist/plugins/fonts.d.ts

@@ -1,94 +1,27 @@
 /**
- * timber-fonts — Vite sub-plugin for build-time font processing.
+ * timber-fonts — Vite sub-plugin shell for build-time font processing.
  *
- * Handles:
- * - Virtual module resolution for `@timber/fonts/google` and `@timber/fonts/local`
- * - Static analysis of font function calls during `transform`
- * - @font-face CSS generation and scoped class output
- * - Size-adjusted fallback font generation
+ * This file is intentionally thin: it wires the Vite plugin hooks to the
+ * pipeline + per-concern modules under `../fonts/`. All real logic lives
+ * in:
  *
- * Does NOT handle (separate tasks):
- * - Google Fonts downloading/caching (timber-nk5)
- * - Build manifest / Early Hints integration (timber-qnx)
+ * - `../fonts/pipeline.ts`        — `FontPipeline` (state, mutators)
+ * - `../fonts/transform.ts`       — transform-hook logic, parsing helpers
+ * - `../fonts/dev-middleware.ts`  — dev font binary server
+ * - `../fonts/virtual-modules.ts` — virtual module ID constants + source
+ *
+ * The public exports below are the stable API that the test suite and
+ * other parts of the framework import. Anything new should be added to
+ * one of the per-concern modules and re-exported here only if external
+ * consumers need it.
  *
  * Design doc: 24-fonts.md
  */
 import type { Plugin } from 'vite';
 import type { PluginContext } from '../plugin-context.js';
-import type { ExtractedFont, GoogleFontConfig } from '../fonts/types.js';
-import type { FontFaceDescriptor } from '../fonts/types.js';
-/**
- * Registry of fonts extracted during transform.
- * Keyed by a unique font ID derived from family + config.
- */
-export type FontRegistry = Map<string, ExtractedFont>;
-/**
- * Generate a unique font ID from family + config hash.
- */
-export declare function generateFontId(family: string, config: GoogleFontConfig): string;
-/**
- * Extract static font config from a font function call in source code.
- *
- * Parses patterns like:
- *   const inter = Inter({ subsets: ['latin'], weight: '400', display: 'swap', variable: '--font-sans' })
- *
- * Returns null if the call cannot be statically analyzed.
- *
- * Uses acorn AST parsing for robust handling of comments, trailing commas,
- * and multi-line configs.
- */
-export declare function extractFontConfig(callSource: string): GoogleFontConfig | null;
-/**
- * Detect if a source file contains dynamic/computed font function calls
- * that cannot be statically analyzed.
- *
- * Returns the offending expression if found, null if all calls are static.
- *
- * Uses acorn AST parsing for accurate detection.
- */
-export declare function detectDynamicFontCall(source: string, importedNames: string[]): string | null;
-/**
- * Parse import specifiers from a source file that imports from
- * `@timber/fonts/google` or `next/font/google`.
- *
- * Returns the list of imported font names (e.g. ['Inter', 'JetBrains_Mono']).
- */
-export declare function parseGoogleFontImports(source: string): string[];
-/**
- * Parse the original (remote) font family names from imports.
- *
- * Returns a map of local name → family name.
- * e.g. { Inter: 'Inter', JetBrains_Mono: 'JetBrains Mono' }
- */
-export declare function parseGoogleFontFamilies(source: string): Map<string, string>;
-/**
- * Generate CSS for a single extracted font.
- *
- * Includes @font-face rules (for local and Google fonts), fallback @font-face,
- * and the scoped class rule.
- *
- * For Google fonts, pass the resolved FontFaceDescriptor[] from either
- * `generateProductionFontFaces()` (production) or `resolveDevFontFaces()` (dev).
- */
-export declare function generateFontCss(font: ExtractedFont, googleFaces?: FontFaceDescriptor[]): string;
-/**
- * Generate the CSS output for all extracted fonts.
- *
- * Includes @font-face rules for local and Google fonts, fallback @font-face
- * rules, and scoped classes.
- *
- * `googleFontFacesMap` provides pre-resolved FontFaceDescriptor[] for each
- * Google font ID (keyed by ExtractedFont.id).
- */
-export declare function generateAllFontCss(registry: FontRegistry, googleFontFacesMap?: Map<string, FontFaceDescriptor[]>): string;
-/**
- * Parse the local name used for the default import of `@timber/fonts/local`.
- *
- * Handles:
- *   import localFont from '@timber/fonts/local'
- *   import myLoader from '@timber/fonts/local'
- */
-export declare function parseLocalFontImportName(source: string): string | null;
+export { FontPipeline, pruneRegistryEntries, type FontRegistry } from '../fonts/pipeline.js';
+export { generateFontId, extractFontConfig, detectDynamicFontCall, parseGoogleFontImports, parseGoogleFontFamilies, parseLocalFontImportName, } from '../fonts/transform.js';
+export { generateFontCss, generateAllFontCss } from '../fonts/virtual-modules.js';
 /**
  * Create the timber-fonts Vite plugin.
  */

package/dist/plugins/fonts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fonts.d.ts","sourceRoot":"","sources":["../../src/plugins/fonts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAiB,MAAM,MAAM,CAAC;AAGlD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAYzE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AA6B5D;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;AAkBtD;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAM/E;AAkBD;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI,CAE7E;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAE5F;AAUD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAkB/D;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAqB3E;AAwED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAwB/F;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,YAAY,EACtB,kBAAkB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,EAAE,CAAC,GACrD,MAAM,CAOR;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKtE;AAqED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAsYtD"}
+{"version":3,"file":"fonts.d.ts","sourceRoot":"","sources":["../../src/plugins/fonts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAiB,MAAM,MAAM,CAAC;AAClD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AA4B1D,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAC7F,OAAO,EACL,cAAc,EACd,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,GACzB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAElF;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,aAAa,GAAG,MAAM,CAuItD"}

package/dist/server/action-client.d.ts

@@ -116,6 +116,13 @@ interface ActionClientConfig<TCtx> {
     middleware?: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[];
     /** Max file size in bytes. Files exceeding this are rejected with validation errors. */
     fileSizeLimit?: number;
+    /**
+     * Override the sensitive-field deny-list for this action client.
+     * See `SensitiveFieldsOption` in `./sensitive-fields.ts`. Per-action config
+     * takes precedence over the global `forms.stripSensitiveFields` option in
+     * `timber.config.ts`. See design/08-forms-and-actions.md and TIM-816.
+     */
+    stripSensitiveFields?: SensitiveFieldsOption;
 }
 /** Intermediate builder returned by createActionClient(). */
 export interface ActionBuilder<TCtx> {
@@ -165,6 +172,7 @@ export type ActionFn<TData = unknown, TInput = unknown> = {
     /** React useActionState: action(prevState, formData) */
     (prevState: ActionResult<TData> | null, formData: FormData): Promise<ActionResult<TData>>;
 };
+import { type SensitiveFieldsOption } from './sensitive-fields.js';
 /**
  * Wrap unexpected errors into a safe server error result.
  * ActionError → typed result. Other errors → INTERNAL_ERROR (no leak).

package/dist/server/action-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action-client.d.ts","sourceRoot":"","sources":["../../src/server/action-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;;;;;;GAOG;AACH,qBAAa,WAAW,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,CAAE,SAAQ,KAAK;IACnE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;gBAEvC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAMxD;AAID;;;;;;;GAOG;AACH,UAAU,gBAAgB,CAAC,MAAM,GAAG,OAAO;IACzC,WAAW,EAAE;QACX,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC;KAChG,CAAC;CACH;AAED,KAAK,oBAAoB,CAAC,MAAM,IAC5B;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,SAAS,CAAA;CAAE,GACrC;IAAE,KAAK,CAAC,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAA;CAAE,CAAC;AAEtE,UAAU,mBAAmB;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,GAAG;QAAE,GAAG,EAAE,WAAW,CAAA;KAAE,CAAC,CAAC;CAC1D;AAcD;;;;;;;;;GASG;AACH,MAAM,MAAM,YAAY,CAAC,CAAC,GAAG,OAAO,IAAI,gBAAgB,CAAC,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;AAEpF,4DAA4D;AAC5D,UAAU,kBAAkB,CAAC,CAAC,GAAG,OAAO;IACtC,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC;IAC1B,WAAW,CAAC,CAAC,IAAI,EAAE,OAAO,GAAG;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,WAAW,CAAA;KAAE,CAAC;IAEjG,WAAW,CAAC,EAAE,KAAK,CAAC;CACrB;AAED,kFAAkF;AAClF,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnE,OAAO,CAAC,IAAI;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;KAAE,CAAC;CACvD;AAED,uDAAuD;AACvD,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;AAExD,gFAAgF;AAChF,MAAM,MAAM,gBAAgB,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAE1F,8CAA8C;AAC9C,MAAM,MAAM,YAAY,CAAC,KAAK,GAAG,OAAO,IACpC;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC;IAAC,WAAW,CAAC,EAAE,KAAK,CAAC;IAAC,eAAe,CAAC,EAAE,KAAK,CAAA;CAAE,GACvF;IACE,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,CAAC,EAAE,KAAK,CAAC;IACpB,6EAA6E;IAC7E,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C,GACD;IACE,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,gBAAgB,CAAC,EAAE,KAAK,CAAC;IACzB,WAAW,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IAC9D,eAAe,CAAC,EAAE,KAAK,CAAC;CACzB,CAAC;AAEN,yCAAyC;AACzC,MAAM,WAAW,aAAa,CAAC,IAAI,EAAE,MAAM;IACzC,GAAG,EAAE,IAAI,CAAC;IACV,KAAK,EAAE,MAAM,CAAC;CACf;AAID,UAAU,kBAAkB,CAAC,IAAI;IAC/B,UAAU,CAAC,EAAE,gBAAgB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;IAClF,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa,CAAC,IAAI;IACjC,sEAAsE;IACtE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,GAAG,uBAAuB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpF,uDAAuD;IACvD,MAAM,CAAC,KAAK,EACV,EAAE,EAAE,CAAC,GAAG,EAAE,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,OAAO,CAAC,KAAK,CAAC,GAC1D,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;CAC/B;AAED,+CAA+C;AAC/C,MAAM,WAAW,uBAAuB,CAAC,IAAI,EAAE,MAAM;IACnD,mDAAmD;IACnD,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,OAAO,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;CAClG;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,MAAM,MAAM,SAAS,CAAC,CAAC,IACrB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;KAAG,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,GAAG,SAAS;CAAE,GAAG,CAAC,CAAC;AAEjF;;;;;;;GAOG;AACH,MAAM,MAAM,QAAQ,CAAC,KAAK,GAAG,OAAO,EAAE,MAAM,GAAG,OAAO,IAAI;IACxD,0EAA0E;IAC1E,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC3B,kGAAkG;IAClG,CACE,GAAG,IAAI,EAAE,SAAS,SAAS,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,GACrE,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;IAChC,wDAAwD;IACxD,CAAC,SAAS,EAAE,YAAY,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;CAC3F,CAAC;AA4EF;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,CAqBrE;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAC7D,MAAM,GAAE,kBAAkB,CAAC,IAAI,CAAM,GACpC,aAAa,CAAC,IAAI,CAAC,CAkHrB;AAID;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,SAAS,CAAC,MAAM,EAAE,KAAK,EACrC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,EAC5B,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,CAAC,GACzC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAIzB"}
+{"version":3,"file":"action-client.d.ts","sourceRoot":"","sources":["../../src/server/action-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;;;;;;GAOG;AACH,qBAAa,WAAW,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,CAAE,SAAQ,KAAK;IACnE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC;gBAEvC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAMxD;AAID;;;;;;;GAOG;AACH,UAAU,gBAAgB,CAAC,MAAM,GAAG,OAAO;IACzC,WAAW,EAAE;QACX,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,oBAAoB,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC;KAChG,CAAC;CACH;AAED,KAAK,oBAAoB,CAAC,MAAM,IAC5B;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,SAAS,CAAA;CAAE,GACrC;IAAE,KAAK,CAAC,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAA;CAAE,CAAC;AAEtE,UAAU,mBAAmB;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,aAAa,CAAC,WAAW,GAAG;QAAE,GAAG,EAAE,WAAW,CAAA;KAAE,CAAC,CAAC;CAC1D;AAcD;;;;;;;;;GASG;AACH,MAAM,MAAM,YAAY,CAAC,CAAC,GAAG,OAAO,IAAI,gBAAgB,CAAC,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;AAEpF,4DAA4D;AAC5D,UAAU,kBAAkB,CAAC,CAAC,GAAG,OAAO;IACtC,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC;IAC1B,WAAW,CAAC,CAAC,IAAI,EAAE,OAAO,GAAG;QAAE,OAAO,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,CAAC,CAAA;KAAE,GAAG;QAAE,OAAO,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,WAAW,CAAA;KAAE,CAAC;IAEjG,WAAW,CAAC,EAAE,KAAK,CAAC;CACrB;AAED,kFAAkF;AAClF,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnE,OAAO,CAAC,IAAI;QAAE,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;KAAE,CAAC;CACvD;AAED,uDAAuD;AACvD,MAAM,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;AAExD,gFAAgF;AAChF,MAAM,MAAM,gBAAgB,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAE1F,8CAA8C;AAC9C,MAAM,MAAM,YAAY,CAAC,KAAK,GAAG,OAAO,IACpC;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,gBAAgB,CAAC,EAAE,KAAK,CAAC;IAAC,WAAW,CAAC,EAAE,KAAK,CAAC;IAAC,eAAe,CAAC,EAAE,KAAK,CAAA;CAAE,GACvF;IACE,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,CAAC,EAAE,KAAK,CAAC;IACpB,6EAA6E;IAC7E,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C,GACD;IACE,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,gBAAgB,CAAC,EAAE,KAAK,CAAC;IACzB,WAAW,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IAC9D,eAAe,CAAC,EAAE,KAAK,CAAC;CACzB,CAAC;AAEN,yCAAyC;AACzC,MAAM,WAAW,aAAa,CAAC,IAAI,EAAE,MAAM;IACzC,GAAG,EAAE,IAAI,CAAC;IACV,KAAK,EAAE,MAAM,CAAC;CACf;AAID,UAAU,kBAAkB,CAAC,IAAI;IAC/B,UAAU,CAAC,EAAE,gBAAgB,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC;IAClF,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,qBAAqB,CAAC;CAC9C;AAED,6DAA6D;AAC7D,MAAM,WAAW,aAAa,CAAC,IAAI;IACjC,sEAAsE;IACtE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,GAAG,uBAAuB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACpF,uDAAuD;IACvD,MAAM,CAAC,KAAK,EACV,EAAE,EAAE,CAAC,GAAG,EAAE,aAAa,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,OAAO,CAAC,KAAK,CAAC,GAC1D,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;CAC/B;AAED,+CAA+C;AAC/C,MAAM,WAAW,uBAAuB,CAAC,IAAI,EAAE,MAAM;IACnD,mDAAmD;IACnD,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,OAAO,CAAC,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;CAClG;AAED;;;;;;;;;;;GAWG;AACH;;;;GAIG;AACH,MAAM,MAAM,SAAS,CAAC,CAAC,IACrB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;KAAG,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,GAAG,SAAS;CAAE,GAAG,CAAC,CAAC;AAEjF;;;;;;;GAOG;AACH,MAAM,MAAM,QAAQ,CAAC,KAAK,GAAG,OAAO,EAAE,MAAM,GAAG,OAAO,IAAI;IACxD,0EAA0E;IAC1E,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC3B,kGAAkG;IAClG,CACE,GAAG,IAAI,EAAE,SAAS,SAAS,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,GACrE,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;IAChC,wDAAwD;IACxD,CAAC,SAAS,EAAE,YAAY,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;CAC3F,CAAC;AA+BF,OAAO,EAIL,KAAK,qBAAqB,EAC3B,MAAM,uBAAuB,CAAC;AA8C/B;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,CAqBrE;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAC7D,MAAM,GAAE,kBAAkB,CAAC,IAAI,CAAM,GACpC,aAAa,CAAC,IAAI,CAAC,CAmIrB;AAID;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,SAAS,CAAC,MAAM,EAAE,KAAK,EACrC,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC,EAC5B,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,KAAK,CAAC,GACzC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAIzB"}

package/dist/server/action-handler.d.ts

@@ -15,6 +15,7 @@
 import { type CsrfConfig } from './csrf.js';
 import { type RevalidateRenderer } from './actions.js';
 import { type BodyLimitsConfig } from './body-limits.js';
+import { type SensitiveFieldsOption } from './sensitive-fields.js';
 import type { FormFlashData } from './form-flash.js';
 /** Configuration for the action handler. */
 export interface ActionDispatchConfig {
@@ -24,6 +25,12 @@ export interface ActionDispatchConfig {
     revalidateRenderer?: RevalidateRenderer;
     /** Body size limits (from timber.config.ts). */
     bodyLimits?: BodyLimitsConfig;
+    /**
+     * Override the sensitive-field deny-list for the no-JS form POST path.
+     * Defaults to the global `forms.stripSensitiveFields` from `timber.config.ts`.
+     * See `SensitiveFieldsOption` in `./sensitive-fields.ts` and TIM-816.
+     */
+    sensitiveFields?: SensitiveFieldsOption;
 }
 /**
  * Check if a request is a server action invocation.

package/dist/server/action-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action-handler.d.ts","sourceRoot":"","sources":["../../src/server/action-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH,OAAO,EAAgB,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAC1D,OAAO,EAAiB,KAAK,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOtE,OAAO,EAAwC,KAAK,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAE/F,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAMrD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACnC,0BAA0B;IAC1B,IAAI,EAAE,UAAU,CAAC;IACjB,kEAAkE;IAClE,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,gDAAgD;IAChD,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAQD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAarD;AAID,iGAAiG;AACjG,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,aAAa,CAAC;CACzB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,QAAQ,GAAG,YAAY,GAAG,IAAI,CAAC,CAuDzC"}
+{"version":3,"file":"action-handler.d.ts","sourceRoot":"","sources":["../../src/server/action-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH,OAAO,EAAgB,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAC1D,OAAO,EAAiB,KAAK,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAOtE,OAAO,EAAwC,KAAK,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAE/F,OAAO,EAIL,KAAK,qBAAqB,EAC3B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAMrD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACnC,0BAA0B;IAC1B,IAAI,EAAE,UAAU,CAAC;IACjB,kEAAkE;IAClE,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,gDAAgD;IAChD,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAC9B;;;;OAIG;IACH,eAAe,CAAC,EAAE,qBAAqB,CAAC;CACzC;AAQD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAarD;AAID,iGAAiG;AACjG,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,aAAa,CAAC;CACzB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,OAAO,EACZ,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,QAAQ,GAAG,YAAY,GAAG,IAAI,CAAC,CAuDzC"}

package/dist/server/index.js

@@ -146,6 +146,156 @@ var coerce = {
 	}
 };
 //#endregion
+//#region src/server/sensitive-fields.ts
+/**
+* Sensitive field stripping — removes password/token/CVV-style fields
+* from form values before they are echoed back to the client as
+* `submittedValues` for form repopulation.
+*
+* Applied to both action paths:
+*  - With-JS action path: `createActionClient()` in `action-client.ts`
+*  - No-JS form POST path: `handleFormAction()` in `action-handler.ts`
+*
+* Why: on a validation failure, timber echoes submitted form values back so
+* the user doesn't have to re-type everything. Without filtering, plaintext
+* passwords / credit-card numbers / TOTP codes would travel through the RSC
+* stream (with-JS) or land in the HTML as `defaultValue` attributes (no-JS)
+* — ending up in browser history, proxy logs, disk caches, and the
+* back-forward cache.
+*
+* Safe by default: the built-in deny-list is applied unconditionally unless
+* the user explicitly opts out via `forms.stripSensitiveFields: false` in
+* `timber.config.ts` or per-action via `createActionClient({ stripSensitiveFields: false })`.
+*
+* See design/08-forms-and-actions.md §"Validation errors"
+* See design/13-security.md §"Sensitive field stripping"
+* See TIM-816
+*/
+/**
+* Substring patterns matched against the normalized field name.
+* Normalization = lowercase + strip `_` and `-`.
+*
+* Any field whose normalized name *contains* one of these strings is
+* considered sensitive. Entries like `currentPassword`, `passwordConfirmation`,
+* and `user.password` all match via the `password` substring.
+*/
+var BUILTIN_SUBSTRING_PATTERNS = [
+	"password",
+	"passwd",
+	"pwd",
+	"secret",
+	"apikey",
+	"accesstoken",
+	"refreshtoken",
+	"cvv",
+	"cvc",
+	"cardnumber",
+	"cardcvc",
+	"ssn",
+	"socialsecuritynumber",
+	"otp",
+	"totp",
+	"mfacode",
+	"twofactorcode",
+	"privatekey"
+];
+/**
+* Exact matches against the normalized field name. These are field names that
+* are too short or too common to substring-match safely. e.g. `token` alone
+* would match `csrfToken`, which is not sensitive — so `token` is exact-only,
+* while legitimate token fields are covered by `accesstoken` / `refreshtoken`.
+*/
+var BUILTIN_EXACT_PATTERNS = ["token"];
+/**
+* Normalize a field name for deny-list comparison.
+* Lowercases the string and strips `_` and `-` so camelCase, snake_case, and
+* kebab-case variants all compare equal (`api_key` / `apiKey` / `api-key` →
+* `apikey`).
+*/
+function normalize(name) {
+	let out = "";
+	for (let i = 0; i < name.length; i++) {
+		const ch = name.charCodeAt(i);
+		if (ch === 95 || ch === 45) continue;
+		if (ch >= 65 && ch <= 90) out += String.fromCharCode(ch + 32);
+		else out += name[i];
+	}
+	return out;
+}
+/**
+* Check whether a name matches the built-in deny-list (with optional extras).
+* Extras are merged into the substring pattern list after normalization.
+*/
+function isBuiltinSensitive(name, extras) {
+	const normalized = normalize(name);
+	if (BUILTIN_EXACT_PATTERNS.includes(normalized)) return true;
+	for (const pattern of BUILTIN_SUBSTRING_PATTERNS) if (normalized.includes(pattern)) return true;
+	if (extras && extras.length > 0) for (const extra of extras) {
+		const normExtra = normalize(extra);
+		if (normExtra.length === 0) continue;
+		if (normalized.includes(normExtra)) return true;
+	}
+	return false;
+}
+/**
+* Resolve a `SensitiveFieldsOption` into a concrete predicate.
+* Precedence: per-action > global > built-in default.
+*
+* - Per-action `undefined` → fall back to global.
+* - Global `undefined` → use built-in list.
+* - Either level set to `false` → disable stripping entirely (returns `null`).
+* - `true` → built-in list.
+* - `string[]` → built-in ∪ extras.
+* - function → custom, replaces the built-in list entirely.
+*/
+function resolveSensitivePredicate(perAction, global) {
+	const chosen = perAction !== void 0 ? perAction : global;
+	if (chosen === false) return null;
+	if (chosen === void 0 || chosen === true) return (name) => isBuiltinSensitive(name);
+	if (typeof chosen === "function") return chosen;
+	const extras = chosen;
+	return (name) => isBuiltinSensitive(name, extras);
+}
+var globalConfig;
+/** Read the global `forms.stripSensitiveFields` config. */
+function getGlobalSensitiveFieldsConfig() {
+	return globalConfig;
+}
+var warnedFields = /* @__PURE__ */ new Set();
+function warnStripped(name) {
+	if (!isDebug()) return;
+	if (warnedFields.has(name)) return;
+	warnedFields.add(name);
+	console.warn(`[timber] stripped sensitive field "${name}" from submittedValues. Override via forms.stripSensitiveFields in timber.config.ts.`);
+}
+/**
+* Walk an object (recursively) and return a copy with every key matching
+* `predicate` removed. Nested objects like `{ user: { password: '...' } }`
+* are handled — `user.password` is stripped while other `user.*` fields remain.
+*
+* - Arrays are walked element-wise (object entries inside arrays are cleaned).
+* - Non-plain values (strings, numbers, Files, Dates, etc.) are returned as-is.
+* - When a stripped key is encountered, it is omitted from the result entirely
+*   — we do NOT set it to an empty string, because that would overwrite a
+*   valid `defaultValue` the form author might have set.
+*/
+function stripSensitiveFields(value, predicate) {
+	if (predicate === null) return value;
+	if (value === null || value === void 0) return value;
+	if (typeof value !== "object") return value;
+	if (value instanceof File || value instanceof Date) return value;
+	if (Array.isArray(value)) return value.map((item) => stripSensitiveFields(item, predicate));
+	const result = {};
+	for (const [key, nested] of Object.entries(value)) {
+		if (predicate(key)) {
+			warnStripped(key);
+			continue;
+		}
+		result[key] = stripSensitiveFields(nested, predicate);
+	}
+	return result;
+}
+//#endregion
 //#region src/server/action-client.ts
 /**
 * createActionClient — typed middleware and schema validation for server actions.
@@ -277,14 +427,20 @@ function createActionClient(config = {}) {
 				if (args.length === 2 && args[1] instanceof FormData) rawInput = schema ? parseFormData(args[1]) : args[1];
 				else if (args.length === 1 && args[0] instanceof FormData) rawInput = schema ? parseFormData(args[0]) : args[0];
 				else rawInput = args[0];
+				const sensitivePredicate = resolveSensitivePredicate(config.stripSensitiveFields, getGlobalSensitiveFieldsConfig());
+				const buildSubmittedValues = () => {
+					const withoutFiles = stripFiles(rawInput);
+					if (withoutFiles === void 0) return void 0;
+					return stripSensitiveFields(withoutFiles, sensitivePredicate);
+				};
 				if (config.fileSizeLimit !== void 0 && rawInput && typeof rawInput === "object") {
 					const fileSizeErrors = validateFileSizes(rawInput, config.fileSizeLimit);
 					if (fileSizeErrors) return {
 						validationErrors: fileSizeErrors,
-						submittedValues: stripFiles(rawInput)
+						submittedValues: buildSubmittedValues()
 					};
 				}
-				const submittedValues = schema ? stripFiles(rawInput) : void 0;
+				const submittedValues = schema ? buildSubmittedValues() : void 0;
 				let input;
 				if (schema) if (isStandardSchema(schema)) {
 					const result = schema["~standard"].validate(rawInput);

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/server/form-data.ts","../../src/server/action-client.ts","../../src/server/form-flash.ts"],"sourcesContent":["/**\n * FormData preprocessing — schema-agnostic conversion of FormData to typed objects.\n *\n * FormData is all strings. Schema validation expects typed values. This module\n * bridges the gap with intelligent coercion that runs *before* schema validation.\n *\n * Inspired by zod-form-data, but schema-agnostic — works with any Standard Schema\n * library (Zod, Valibot, ArkType).\n *\n * See design/08-forms-and-actions.md §\"parseFormData() and coerce helpers\"\n */\n\n// ─── parseFormData ───────────────────────────────────────────────────────\n\n/**\n * Convert FormData into a plain object with intelligent coercion.\n *\n * Handles:\n * - **Duplicate keys → arrays**: `tags=js&tags=ts` → `{ tags: [\"js\", \"ts\"] }`\n * - **Nested dot-paths**: `user.name=Alice` → `{ user: { name: \"Alice\" } }`\n * - **Empty strings → undefined**: Enables `.optional()` semantics in schemas\n * - **Empty Files → undefined**: File inputs with no selection become `undefined`\n * - **Strips `$ACTION_*` fields**: React's internal hidden fields are excluded\n */\nexport function parseFormData(formData: FormData): Record<string, unknown> {\n  const flat: Record<string, unknown> = {};\n\n  for (const key of new Set(formData.keys())) {\n    // Skip React internal fields\n    if (key.startsWith('$ACTION_')) continue;\n\n    const values = formData.getAll(key);\n    const processed = values.map(normalizeValue);\n\n    if (processed.length === 1) {\n      flat[key] = processed[0];\n    } else {\n      // Filter out undefined entries from multi-value fields\n      flat[key] = processed.filter((v) => v !== undefined);\n    }\n  }\n\n  // Expand dot-notation paths into nested objects\n  return expandDotPaths(flat);\n}\n\n/**\n * Normalize a single FormData entry value.\n * - Empty strings → undefined (enables .optional() semantics)\n * - Empty File objects (no selection) → undefined\n * - Everything else passes through as-is\n */\nfunction normalizeValue(value: FormDataEntryValue): unknown {\n  if (typeof value === 'string') {\n    return value === '' ? undefined : value;\n  }\n\n  // File input with no selection: browsers submit a File with name=\"\" and size=0\n  if (value instanceof File && value.size === 0 && value.name === '') {\n    return undefined;\n  }\n\n  return value;\n}\n\n/**\n * Expand dot-notation keys into nested objects.\n * `{ \"user.name\": \"Alice\", \"user.age\": \"30\" }` → `{ user: { name: \"Alice\", age: \"30\" } }`\n *\n * Keys without dots are left as-is. Bracket notation (e.g. `items[0]`) is NOT\n * supported — use dot notation (`items.0`) instead.\n */\nfunction expandDotPaths(flat: Record<string, unknown>): Record<string, unknown> {\n  const result: Record<string, unknown> = {};\n  let hasDotPaths = false;\n\n  // First pass: check if any keys have dots\n  for (const key of Object.keys(flat)) {\n    if (key.includes('.')) {\n      hasDotPaths = true;\n      break;\n    }\n  }\n\n  // Fast path: no dot-notation keys, return as-is\n  if (!hasDotPaths) return flat;\n\n  for (const [key, value] of Object.entries(flat)) {\n    if (!key.includes('.')) {\n      result[key] = value;\n      continue;\n    }\n\n    const parts = key.split('.');\n    let current: Record<string, unknown> = result;\n\n    for (let i = 0; i < parts.length - 1; i++) {\n      const part = parts[i];\n      if (current[part] === undefined || current[part] === null) {\n        current[part] = {};\n      }\n      // If current[part] is not an object (e.g., a string from a non-dotted key),\n      // the dot-path takes precedence\n      if (typeof current[part] !== 'object' || current[part] instanceof File) {\n        current[part] = {};\n      }\n      current = current[part] as Record<string, unknown>;\n    }\n\n    current[parts[parts.length - 1]] = value;\n  }\n\n  return result;\n}\n\n// ─── Coercion Helpers ────────────────────────────────────────────────────\n\n/**\n * Schema-agnostic coercion primitives for common FormData patterns.\n *\n * These are plain transform functions — they compose with any schema library's\n * `transform`/`preprocess` pipeline:\n *\n * ```ts\n * // Zod\n * z.preprocess(coerce.number, z.number())\n * // Valibot\n * v.pipe(v.unknown(), v.transform(coerce.number), v.number())\n * ```\n */\nexport const coerce = {\n  /**\n   * Coerce a string to a number.\n   * - `\"42\"` → `42`\n   * - `\"3.14\"` → `3.14`\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Non-numeric strings → `undefined` (schema validation will catch this)\n   */\n  number(value: unknown): number | undefined {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (typeof value === 'number') return value;\n    if (typeof value !== 'string') return undefined;\n    const num = Number(value);\n    if (Number.isNaN(num)) return undefined;\n    return num;\n  },\n\n  /**\n   * Coerce a checkbox value to a boolean.\n   * HTML checkboxes submit \"on\" when checked and are absent when unchecked.\n   * - `\"on\"` / any truthy string → `true`\n   * - `undefined` / `null` / `\"\"` → `false`\n   */\n  checkbox(value: unknown): boolean {\n    if (value === undefined || value === null || value === '') return false;\n    if (typeof value === 'boolean') return value;\n    // Any non-empty string (typically \"on\") is true\n    return typeof value === 'string' && value.length > 0;\n  },\n\n  /**\n   * Parse a JSON string into an object.\n   * - Valid JSON string → parsed object\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Invalid JSON → `undefined` (schema validation will catch this)\n   */\n  json(value: unknown): unknown {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (typeof value !== 'string') return value;\n    try {\n      return JSON.parse(value);\n    } catch {\n      return undefined;\n    }\n  },\n\n  /**\n   * Coerce a date string to a Date object.\n   * Handles `<input type=\"date\">` (`\"2024-01-15\"`), `<input type=\"datetime-local\">`\n   * (`\"2024-01-15T10:30\"`), and full ISO 8601 strings.\n   * - Valid date string → `Date`\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Invalid date strings → `undefined` (schema validation will catch this)\n   * - Impossible dates that `new Date()` silently normalizes (e.g. Feb 31) → `undefined`\n   */\n  date(value: unknown): Date | undefined {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (value instanceof Date) return value;\n    if (typeof value !== 'string') return undefined;\n    const date = new Date(value);\n    if (Number.isNaN(date.getTime())) return undefined;\n\n    // Overflow detection: extract Y/M/D from the input string and verify\n    // they match the parsed Date components. new Date('2024-02-31') silently\n    // normalizes to March 2nd — we reject such inputs.\n    const ymdMatch = value.match(/^(\\d{4})-(\\d{2})-(\\d{2})/);\n    if (ymdMatch) {\n      const inputYear = Number(ymdMatch[1]);\n      const inputMonth = Number(ymdMatch[2]);\n      const inputDay = Number(ymdMatch[3]);\n\n      // Use UTC methods for date-only and Z-suffixed strings to avoid\n      // timezone offset shifting the day. For datetime-local (no Z suffix),\n      // the Date constructor parses in local time, so use local methods.\n      const isUTC = value.length === 10 || value.endsWith('Z');\n      const parsedYear = isUTC ? date.getUTCFullYear() : date.getFullYear();\n      const parsedMonth = isUTC ? date.getUTCMonth() + 1 : date.getMonth() + 1;\n      const parsedDay = isUTC ? date.getUTCDate() : date.getDate();\n\n      if (inputYear !== parsedYear || inputMonth !== parsedMonth || inputDay !== parsedDay) {\n        return undefined;\n      }\n    }\n\n    return date;\n  },\n\n  /**\n   * Create a File coercion function with optional size and mime type validation.\n   * Returns the File if valid, `undefined` otherwise.\n   *\n   * ```ts\n   * // Basic — just checks it's a real File\n   * z.preprocess(coerce.file(), z.instanceof(File))\n   *\n   * // With constraints\n   * z.preprocess(\n   *   coerce.file({ maxSize: 5 * 1024 * 1024, accept: ['image/png', 'image/jpeg'] }),\n   *   z.instanceof(File)\n   * )\n   * ```\n   */\n  file(options?: { maxSize?: number; accept?: string[] }): (value: unknown) => File | undefined {\n    return (value: unknown): File | undefined => {\n      if (value === undefined || value === null || value === '') return undefined;\n      if (!(value instanceof File)) return undefined;\n\n      // Empty file input (no selection): browsers submit File with name=\"\" and size=0\n      if (value.size === 0 && value.name === '') return undefined;\n\n      if (options?.maxSize !== undefined && value.size > options.maxSize) {\n        return undefined;\n      }\n\n      if (options?.accept !== undefined && !options.accept.includes(value.type)) {\n        return undefined;\n      }\n\n      return value;\n    };\n  },\n};\n","/**\n * createActionClient — typed middleware and schema validation for server actions.\n *\n * Inspired by next-safe-action. Provides a builder API:\n *   createActionClient({ middleware }) → .schema(z.object(...)) → .action(fn)\n *\n * The resulting action function satisfies both:\n *   1. Direct call: action(input) → Promise<ActionResult>\n *   2. React useActionState: (prevState, formData) => Promise<ActionResult>\n *\n * See design/08-forms-and-actions.md §\"Middleware for Server Actions\"\n */\n\n// ─── ActionError ─────────────────────────────────────────────────────────\n\n/**\n * Typed error class for server actions. Carries a string code and optional data.\n * When thrown from middleware or the action body, the action short-circuits and\n * the client receives `result.serverError`.\n *\n * In production, unexpected errors (non-ActionError) return `{ code: 'INTERNAL_ERROR' }`\n * with no message. In dev, `data.message` is included.\n */\nexport class ActionError<TCode extends string = string> extends Error {\n  readonly code: TCode;\n  readonly data: Record<string, unknown> | undefined;\n\n  constructor(code: TCode, data?: Record<string, unknown>) {\n    super(`ActionError: ${code}`);\n    this.name = 'ActionError';\n    this.code = code;\n    this.data = data;\n  }\n}\n\n// ─── Standard Schema ──────────────────────────────────────────────────────\n\n/**\n * Standard Schema v1 interface (subset).\n * Zod ≥3.24, Valibot ≥1.0, and ArkType all implement this.\n * See https://github.com/standard-schema/standard-schema\n *\n * We use permissive types here to accept all compliant libraries without\n * requiring exact structural matches on issues/path shapes.\n */\ninterface StandardSchemaV1<Output = unknown> {\n  '~standard': {\n    validate(value: unknown): StandardSchemaResult<Output> | Promise<StandardSchemaResult<Output>>;\n  };\n}\n\ntype StandardSchemaResult<Output> =\n  | { value: Output; issues?: undefined }\n  | { value?: undefined; issues: ReadonlyArray<StandardSchemaIssue> };\n\ninterface StandardSchemaIssue {\n  message: string;\n  path?: ReadonlyArray<PropertyKey | { key: PropertyKey }>;\n}\n\n/** Check if a schema implements the Standard Schema protocol. */\nfunction isStandardSchema(schema: unknown): schema is StandardSchemaV1 {\n  return (\n    typeof schema === 'object' &&\n    schema !== null &&\n    '~standard' in schema &&\n    typeof (schema as StandardSchemaV1)['~standard'].validate === 'function'\n  );\n}\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Minimal schema interface — compatible with Zod, Valibot, ArkType, etc.\n *\n * Accepts either:\n * - Standard Schema (preferred): any object with `~standard.validate()`\n * - Legacy parse interface: objects with `.parse()` / `.safeParse()`\n *\n * At runtime, Standard Schema is detected via `~standard` property and\n * takes priority over the legacy interface.\n */\nexport type ActionSchema<T = unknown> = StandardSchemaV1<T> | LegacyActionSchema<T>;\n\n/** Legacy schema interface with .parse() / .safeParse(). */\ninterface LegacyActionSchema<T = unknown> {\n  'parse'(data: unknown): T;\n  'safeParse'?(data: unknown): { success: true; data: T } | { success: false; error: SchemaError };\n  // Exclude Standard Schema objects from matching this interface\n  '~standard'?: never;\n}\n\n/** Schema validation error shape (for legacy .safeParse()/.parse() interface). */\nexport interface SchemaError {\n  issues?: Array<{ path?: Array<string | number>; message: string }>;\n  flatten?(): { fieldErrors: Record<string, string[]> };\n}\n\n/** Flattened validation errors keyed by field name. */\nexport type ValidationErrors = Record<string, string[]>;\n\n/** Middleware function: returns context to merge into the action body's ctx. */\nexport type ActionMiddleware<TCtx = Record<string, unknown>> = () => Promise<TCtx> | TCtx;\n\n/** The result type returned to the client. */\nexport type ActionResult<TData = unknown> =\n  | { data: TData; validationErrors?: never; serverError?: never; submittedValues?: never }\n  | {\n      data?: never;\n      validationErrors: ValidationErrors;\n      serverError?: never;\n      /** Raw input values on validation failure — for repopulating form fields. */\n      submittedValues?: Record<string, unknown>;\n    }\n  | {\n      data?: never;\n      validationErrors?: never;\n      serverError: { code: string; data?: Record<string, unknown> };\n      submittedValues?: never;\n    };\n\n/** Context passed to the action body. */\nexport interface ActionContext<TCtx, TInput> {\n  ctx: TCtx;\n  input: TInput;\n}\n\n// ─── Builder ─────────────────────────────────────────────────────────────\n\ninterface ActionClientConfig<TCtx> {\n  middleware?: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[];\n  /** Max file size in bytes. Files exceeding this are rejected with validation errors. */\n  fileSizeLimit?: number;\n}\n\n/** Intermediate builder returned by createActionClient(). */\nexport interface ActionBuilder<TCtx> {\n  /** Declare the input schema. Validation errors are returned typed. */\n  schema<TInput>(schema: ActionSchema<TInput>): ActionBuilderWithSchema<TCtx, TInput>;\n  /** Define the action body without input validation. */\n  action<TData>(\n    fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n  ): ActionFn<TData, undefined>;\n}\n\n/** Builder after .schema() has been called. */\nexport interface ActionBuilderWithSchema<TCtx, TInput> {\n  /** Define the action body with validated input. */\n  action<TData>(fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>): ActionFn<TData, TInput>;\n}\n\n/**\n * The final action function. Callable three ways:\n * - Direct: action(input) → Promise<ActionResult<TData>>\n * - React useActionState: action(prevState, formData) → Promise<ActionResult<TData>>\n * - React <form action={fn}>: action(formData) → void  (return value ignored by React)\n *\n * The third overload exists purely for type compatibility with React's\n * `<form action>` prop, which expects `(formData: FormData) => void`.\n * At runtime the function still returns Promise<ActionResult>, but React\n * discards it. This lets validated actions be passed directly to forms\n * without casts.\n */\n/**\n * Map schema output keys to `string | undefined` for form-facing APIs.\n * HTML form values are always strings, and fields can be absent.\n * Gives autocomplete for field names without lying about value types.\n */\nexport type InputHint<T> =\n  T extends Record<string, unknown> ? { [K in keyof T]: string | undefined } : T;\n\n/**\n * ActionFn — the callable returned by `createActionClient().action()`.\n *\n * Generic order: `<TData, TInput>` — TData first for backward compatibility.\n * Previously ActionFn had a single `<TData>` generic, so existing code like\n * `ActionFn<MyResult>` must still work with TData in the first position.\n * See TIM-797.\n */\nexport type ActionFn<TData = unknown, TInput = unknown> = {\n  /** <form action={fn}> compatibility — React discards the return value. */\n  (formData: FormData): void;\n  /** Direct call: action(input) — optional when TInput is undefined/unknown (no-schema actions). */\n  (\n    ...args: undefined extends TInput ? [input?: TInput] : [input: TInput]\n  ): Promise<ActionResult<TData>>;\n  /** React useActionState: action(prevState, formData) */\n  (prevState: ActionResult<TData> | null, formData: FormData): Promise<ActionResult<TData>>;\n};\n\n// ─── Implementation ──────────────────────────────────────────────────────\n\n/**\n * Run middleware array or single function. Returns merged context.\n */\nasync function runActionMiddleware<TCtx>(\n  middleware: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[] | undefined\n): Promise<TCtx> {\n  if (!middleware) {\n    return {} as TCtx;\n  }\n\n  if (Array.isArray(middleware)) {\n    let merged = {} as Record<string, unknown>;\n    for (const mw of middleware) {\n      const result = await mw();\n      merged = { ...merged, ...result };\n    }\n    return merged as TCtx;\n  }\n\n  return await middleware();\n}\n\n// Re-export parseFormData for use throughout the framework\nimport { parseFormData } from './form-data.js';\nimport { formatSize } from '../utils/format.js';\nimport { isDebug, isDevMode } from './debug.js';\nimport { RedirectSignal, DenySignal } from './primitives.js';\n\n/**\n * Extract validation errors from a schema error.\n * Supports Zod's flatten() and generic issues array.\n */\nfunction extractValidationErrors(error: SchemaError): ValidationErrors {\n  // Zod-style flatten\n  if (typeof error.flatten === 'function') {\n    return error.flatten().fieldErrors;\n  }\n\n  // Generic issues array\n  if (error.issues) {\n    const errors: ValidationErrors = {};\n    for (const issue of error.issues) {\n      const path = issue.path?.join('.') ?? '_root';\n      if (!errors[path]) errors[path] = [];\n      errors[path].push(issue.message);\n    }\n    return errors;\n  }\n\n  return { _root: ['Validation failed'] };\n}\n\n/**\n * Extract validation errors from Standard Schema issues.\n */\nfunction extractStandardSchemaErrors(issues: ReadonlyArray<StandardSchemaIssue>): ValidationErrors {\n  const errors: ValidationErrors = {};\n  for (const issue of issues) {\n    const path =\n      issue.path\n        ?.map((p) => {\n          // Standard Schema path items can be { key: ... } objects or bare PropertyKey values\n          if (typeof p === 'object' && p !== null && 'key' in p) return String(p.key);\n          return String(p);\n        })\n        .join('.') ?? '_root';\n    if (!errors[path]) errors[path] = [];\n    errors[path].push(issue.message);\n  }\n  return Object.keys(errors).length > 0 ? errors : { _root: ['Validation failed'] };\n}\n\n/**\n * Wrap unexpected errors into a safe server error result.\n * ActionError → typed result. Other errors → INTERNAL_ERROR (no leak).\n *\n * Exported for use by action-handler.ts to catch errors from raw 'use server'\n * functions that don't use createActionClient.\n */\nexport function handleActionError(error: unknown): ActionResult<never> {\n  if (error instanceof ActionError) {\n    return {\n      serverError: {\n        code: error.code,\n        ...(error.data ? { data: error.data } : {}),\n      },\n    };\n  }\n\n  // In dev, include the message for debugging.\n  // Uses isDevMode() — NOT isDebug() — because this data is sent to the\n  // browser. TIMBER_DEBUG must never cause error messages to leak to clients.\n  // See design/13-security.md principle 4: \"Errors don't leak.\"\n  const devMode = isDevMode();\n  return {\n    serverError: {\n      code: 'INTERNAL_ERROR',\n      ...(devMode && error instanceof Error ? { data: { message: error.message } } : {}),\n    },\n  };\n}\n\n/**\n * Create a typed action client with middleware and schema validation.\n *\n * @example\n * ```ts\n * const action = createActionClient({\n *   middleware: async () => {\n *     const user = await getUser()\n *     if (!user) throw new ActionError('UNAUTHORIZED')\n *     return { user }\n *   },\n * })\n *\n * export const createTodo = action\n *   .schema(z.object({ title: z.string().min(1) }))\n *   .action(async ({ input, ctx }) => {\n *     await db.todos.create({ ...input, userId: ctx.user.id })\n *   })\n * ```\n */\nexport function createActionClient<TCtx = Record<string, never>>(\n  config: ActionClientConfig<TCtx> = {}\n): ActionBuilder<TCtx> {\n  function buildAction<TInput, TData>(\n    schema: ActionSchema<TInput> | undefined,\n    fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n  ): ActionFn<TData, TInput> {\n    async function actionHandler(...args: unknown[]): Promise<ActionResult<TData>> {\n      try {\n        // Run middleware\n        const ctx = await runActionMiddleware(config.middleware);\n\n        // Determine input — either FormData (from useActionState) or direct arg\n        let rawInput: unknown;\n        if (args.length === 2 && args[1] instanceof FormData) {\n          // Called as (prevState, formData) by React useActionState (with-JS path)\n          rawInput = schema ? parseFormData(args[1]) : args[1];\n        } else if (args.length === 1 && args[0] instanceof FormData) {\n          // No-JS path: React's decodeAction binds FormData as the sole argument.\n          // The form POSTs without JavaScript, decodeAction resolves the server\n          // reference and binds the FormData, then executeAction calls fn() with\n          // no additional args — so the bound FormData arrives as args[0].\n          rawInput = schema ? parseFormData(args[0]) : args[0];\n        } else {\n          // Direct call: action(input)\n          rawInput = args[0];\n        }\n\n        // Validate file sizes before schema validation.\n        if (config.fileSizeLimit !== undefined && rawInput && typeof rawInput === 'object') {\n          const fileSizeErrors = validateFileSizes(\n            rawInput as Record<string, unknown>,\n            config.fileSizeLimit\n          );\n          if (fileSizeErrors) {\n            const submittedValues = stripFiles(rawInput);\n            return { validationErrors: fileSizeErrors, submittedValues };\n          }\n        }\n\n        // Capture submitted values for repopulation on validation failure.\n        // Exclude File objects (can't serialize, shouldn't echo back).\n        const submittedValues = schema ? stripFiles(rawInput) : undefined;\n\n        // Validate with schema if provided\n        let input: TInput;\n        if (schema) {\n          if (isStandardSchema(schema)) {\n            // Standard Schema protocol (Zod ≥3.24, Valibot ≥1.0, ArkType)\n            const result = schema['~standard'].validate(rawInput);\n            if (result instanceof Promise) {\n              throw new Error(\n                '[timber] createActionClient: schema returned a Promise — only sync schemas are supported.'\n              );\n            }\n            if (result.issues) {\n              const validationErrors = extractStandardSchemaErrors(result.issues);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.value;\n          } else if (typeof schema.safeParse === 'function') {\n            const result = schema.safeParse(rawInput);\n            if (!result.success) {\n              const validationErrors = extractValidationErrors(result.error);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.data;\n          } else {\n            try {\n              input = schema.parse(rawInput);\n            } catch (parseError) {\n              const validationErrors = extractValidationErrors(parseError as SchemaError);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n          }\n        } else {\n          input = rawInput as TInput;\n        }\n\n        // Execute the action body\n        const data = await fn({ ctx, input });\n        return { data };\n      } catch (error) {\n        // Re-throw redirect/deny signals — these are control flow, not errors.\n        // They must propagate to executeAction() which converts them to proper\n        // HTTP responses (302 redirect, 4xx deny). Catching them here would\n        // wrap them as INTERNAL_ERROR and break redirect()/redirectExternal()/deny().\n        if (error instanceof RedirectSignal || error instanceof DenySignal) {\n          throw error;\n        }\n        return handleActionError(error);\n      }\n    }\n\n    return actionHandler as ActionFn<TData, TInput>;\n  }\n\n  return {\n    schema<TInput>(schema: ActionSchema<TInput>) {\n      return {\n        action<TData>(\n          fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n        ): ActionFn<TData, TInput> {\n          return buildAction(schema, fn);\n        },\n      };\n    },\n    action<TData>(\n      fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n    ): ActionFn<TData, undefined> {\n      return buildAction(undefined, fn as (ctx: ActionContext<TCtx, unknown>) => Promise<TData>);\n    },\n  };\n}\n\n// ─── validated() ────────────────────────────────────────────────────────\n\n/**\n * Convenience wrapper for the common case: validate input, run handler.\n * No middleware needed.\n *\n * @example\n * ```ts\n * 'use server'\n * import { validated } from '@timber-js/app/server'\n * import { z } from 'zod'\n *\n * export const createTodo = validated(\n *   z.object({ title: z.string().min(1) }),\n *   async (input) => {\n *     await db.todos.create(input)\n *   }\n * )\n * ```\n */\nexport function validated<TInput, TData>(\n  schema: ActionSchema<TInput>,\n  handler: (input: TInput) => Promise<TData>\n): ActionFn<TData, TInput> {\n  return createActionClient()\n    .schema(schema)\n    .action(async ({ input }) => handler(input));\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\n/**\n * Log validation failures in dev mode so developers can see what went wrong.\n * In production, validation errors are only returned to the client.\n */\nfunction logValidationFailure(errors: ValidationErrors): void {\n  const isDev = isDebug();\n  if (!isDev) return;\n\n  const fields = Object.entries(errors)\n    .map(([field, messages]) => `  ${field}: ${messages.join(', ')}`)\n    .join('\\n');\n  console.warn(`[timber] action schema validation failed:\\n${fields}`);\n}\n\n/**\n * Validate that all File objects in the input are within the size limit.\n * Returns validation errors keyed by field name, or null if all files are ok.\n */\nfunction validateFileSizes(input: Record<string, unknown>, limit: number): ValidationErrors | null {\n  const errors: ValidationErrors = {};\n  const limitKb = Math.round(limit / 1024);\n  const limitLabel =\n    limit >= 1024 * 1024 ? `${Math.round(limit / (1024 * 1024))}MB` : `${limitKb}KB`;\n\n  for (const [key, value] of Object.entries(input)) {\n    if (value instanceof File && value.size > limit) {\n      errors[key] = [\n        `File \"${value.name}\" (${formatSize(value.size)}) exceeds the ${limitLabel} limit`,\n      ];\n    } else if (Array.isArray(value)) {\n      const oversized = value.filter((item) => item instanceof File && item.size > limit);\n      if (oversized.length > 0) {\n        errors[key] = oversized.map(\n          (f: File) => `File \"${f.name}\" (${formatSize(f.size)}) exceeds the ${limitLabel} limit`\n        );\n      }\n    }\n  }\n\n  return Object.keys(errors).length > 0 ? errors : null;\n}\n\n/**\n * Strip File objects from a value, returning a plain object safe for\n * serialization. File objects can't be serialized and shouldn't be echoed back.\n */\nfunction stripFiles(value: unknown): Record<string, unknown> | undefined {\n  if (value === null || value === undefined) return undefined;\n  if (typeof value !== 'object') return undefined;\n\n  const result: Record<string, unknown> = {};\n  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {\n    if (v instanceof File) continue;\n    if (Array.isArray(v)) {\n      result[k] = v.filter((item) => !(item instanceof File));\n    } else if (typeof v === 'object' && v !== null && !(v instanceof File)) {\n      result[k] = stripFiles(v) ?? {};\n    } else {\n      result[k] = v;\n    }\n  }\n  return result;\n}\n","/**\n * Form Flash — ALS-based store for no-JS form action results.\n *\n * When a no-JS form action completes, the server re-renders the page with\n * the action result injected via AsyncLocalStorage instead of redirecting\n * (which would discard the result). Server components read the flash and\n * pass it to client form components as the initial `useActionState` value.\n *\n * This follows the Remix/Rails pattern — the form component becomes the\n * single source of truth for both with-JS (React state) and no-JS (flash).\n *\n * The flash data is server-side only — never serialized to cookies or headers.\n *\n * See design/08-forms-and-actions.md §\"No-JS Error Round-Trip\"\n */\n\nimport type { ValidationErrors } from './action-client.js';\nimport { formFlashAls } from './als-registry.js';\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Flash data injected into the re-render after a no-JS form submission.\n *\n * This is the action result from the server action, stored in ALS so server\n * components can read it and pass it to client form components as the initial\n * state for `useActionState`. This makes the form component a single source\n * of truth for both with-JS and no-JS paths.\n *\n * The shape matches `ActionResult<unknown>` — it's one of:\n * - `{ data: ... }` — success\n * - `{ validationErrors, submittedValues }` — validation failure\n * - `{ serverError }` — server error\n */\nexport interface FormFlashData {\n  /** Success data from the action. */\n  data?: unknown;\n  /** Validation errors keyed by field name. `_root` for form-level errors. */\n  validationErrors?: ValidationErrors;\n  /** Raw submitted values for repopulating form fields. File objects are excluded. */\n  submittedValues?: Record<string, unknown>;\n  /** Server error if the action threw an ActionError. */\n  serverError?: { code: string; data?: Record<string, unknown> };\n}\n\n// ─── Public API ──────────────────────────────────────────────────────────\n\n/**\n * Read the form flash data for the current request.\n *\n * Returns `null` if no flash data is present (i.e., this is a normal page\n * render, not a re-render after a no-JS form submission).\n *\n * Pass the flash as the initial state to `useActionState` so the form\n * component has a single source of truth for both with-JS and no-JS paths:\n *\n * ```tsx\n * // app/contact/page.tsx (server component)\n * import { getFormFlash } from '@timber-js/app/server'\n *\n * export default function ContactPage() {\n *   const flash = getFormFlash()\n *   return <ContactForm flash={flash} />\n * }\n *\n * // app/contact/form.tsx (client component)\n * export function ContactForm({ flash }) {\n *   const [result, action, isPending] = useActionState(submitContact, flash)\n *   // result is the single source of truth — flash seeds it on no-JS\n * }\n * ```\n */\nexport function getFormFlash(): FormFlashData | null {\n  return formFlashAls.getStore() ?? null;\n}\n\n// ─── Framework-Internal ──────────────────────────────────────────────────\n\n/**\n * Run a callback with form flash data in scope.\n *\n * Used by the action handler to re-render the page with validation errors\n * available via `getFormFlash()`. Not part of the public API.\n *\n * @internal\n */\nexport function runWithFormFlash<T>(data: FormFlashData, fn: () => T): T {\n  return formFlashAls.run(data, fn);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,SAAgB,cAAc,UAA6C;CACzE,MAAM,OAAgC,EAAE;AAExC,MAAK,MAAM,OAAO,IAAI,IAAI,SAAS,MAAM,CAAC,EAAE;AAE1C,MAAI,IAAI,WAAW,WAAW,CAAE;EAGhC,MAAM,YADS,SAAS,OAAO,IAAI,CACV,IAAI,eAAe;AAE5C,MAAI,UAAU,WAAW,EACvB,MAAK,OAAO,UAAU;MAGtB,MAAK,OAAO,UAAU,QAAQ,MAAM,MAAM,KAAA,EAAU;;AAKxD,QAAO,eAAe,KAAK;;;;;;;;AAS7B,SAAS,eAAe,OAAoC;AAC1D,KAAI,OAAO,UAAU,SACnB,QAAO,UAAU,KAAK,KAAA,IAAY;AAIpC,KAAI,iBAAiB,QAAQ,MAAM,SAAS,KAAK,MAAM,SAAS,GAC9D;AAGF,QAAO;;;;;;;;;AAUT,SAAS,eAAe,MAAwD;CAC9E,MAAM,SAAkC,EAAE;CAC1C,IAAI,cAAc;AAGlB,MAAK,MAAM,OAAO,OAAO,KAAK,KAAK,CACjC,KAAI,IAAI,SAAS,IAAI,EAAE;AACrB,gBAAc;AACd;;AAKJ,KAAI,CAAC,YAAa,QAAO;AAEzB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,EAAE;AAC/C,MAAI,CAAC,IAAI,SAAS,IAAI,EAAE;AACtB,UAAO,OAAO;AACd;;EAGF,MAAM,QAAQ,IAAI,MAAM,IAAI;EAC5B,IAAI,UAAmC;AAEvC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,SAAS,GAAG,KAAK;GACzC,MAAM,OAAO,MAAM;AACnB,OAAI,QAAQ,UAAU,KAAA,KAAa,QAAQ,UAAU,KACnD,SAAQ,QAAQ,EAAE;AAIpB,OAAI,OAAO,QAAQ,UAAU,YAAY,QAAQ,iBAAiB,KAChE,SAAQ,QAAQ,EAAE;AAEpB,aAAU,QAAQ;;AAGpB,UAAQ,MAAM,MAAM,SAAS,MAAM;;AAGrC,QAAO;;;;;;;;;;;;;;;AAkBT,IAAa,SAAS;CAQpB,OAAO,OAAoC;AACzC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,SAAU,QAAO,KAAA;EACtC,MAAM,MAAM,OAAO,MAAM;AACzB,MAAI,OAAO,MAAM,IAAI,CAAE,QAAO,KAAA;AAC9B,SAAO;;CAST,SAAS,OAAyB;AAChC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO;AAClE,MAAI,OAAO,UAAU,UAAW,QAAO;AAEvC,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS;;CASrD,KAAK,OAAyB;AAC5B,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,MAAM;UAClB;AACN;;;CAaJ,KAAK,OAAkC;AACrC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,iBAAiB,KAAM,QAAO;AAClC,MAAI,OAAO,UAAU,SAAU,QAAO,KAAA;EACtC,MAAM,OAAO,IAAI,KAAK,MAAM;AAC5B,MAAI,OAAO,MAAM,KAAK,SAAS,CAAC,CAAE,QAAO,KAAA;EAKzC,MAAM,WAAW,MAAM,MAAM,2BAA2B;AACxD,MAAI,UAAU;GACZ,MAAM,YAAY,OAAO,SAAS,GAAG;GACrC,MAAM,aAAa,OAAO,SAAS,GAAG;GACtC,MAAM,WAAW,OAAO,SAAS,GAAG;GAKpC,MAAM,QAAQ,MAAM,WAAW,MAAM,MAAM,SAAS,IAAI;GACxD,MAAM,aAAa,QAAQ,KAAK,gBAAgB,GAAG,KAAK,aAAa;GACrE,MAAM,cAAc,QAAQ,KAAK,aAAa,GAAG,IAAI,KAAK,UAAU,GAAG;GACvE,MAAM,YAAY,QAAQ,KAAK,YAAY,GAAG,KAAK,SAAS;AAE5D,OAAI,cAAc,cAAc,eAAe,eAAe,aAAa,UACzE;;AAIJ,SAAO;;CAkBT,KAAK,SAAyF;AAC5F,UAAQ,UAAqC;AAC3C,OAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,OAAI,EAAE,iBAAiB,MAAO,QAAO,KAAA;AAGrC,OAAI,MAAM,SAAS,KAAK,MAAM,SAAS,GAAI,QAAO,KAAA;AAElD,OAAI,SAAS,YAAY,KAAA,KAAa,MAAM,OAAO,QAAQ,QACzD;AAGF,OAAI,SAAS,WAAW,KAAA,KAAa,CAAC,QAAQ,OAAO,SAAS,MAAM,KAAK,CACvE;AAGF,UAAO;;;CAGZ;;;;;;;;;;;;;;;;;;;;;;;ACpOD,IAAa,cAAb,cAAgE,MAAM;CACpE;CACA;CAEA,YAAY,MAAa,MAAgC;AACvD,QAAM,gBAAgB,OAAO;AAC7B,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,OAAK,OAAO;;;;AA8BhB,SAAS,iBAAiB,QAA6C;AACrE,QACE,OAAO,WAAW,YAClB,WAAW,QACX,eAAe,UACf,OAAQ,OAA4B,aAAa,aAAa;;;;;AAiIlE,eAAe,oBACb,YACe;AACf,KAAI,CAAC,WACH,QAAO,EAAE;AAGX,KAAI,MAAM,QAAQ,WAAW,EAAE;EAC7B,IAAI,SAAS,EAAE;AACf,OAAK,MAAM,MAAM,YAAY;GAC3B,MAAM,SAAS,MAAM,IAAI;AACzB,YAAS;IAAE,GAAG;IAAQ,GAAG;IAAQ;;AAEnC,SAAO;;AAGT,QAAO,MAAM,YAAY;;;;;;AAa3B,SAAS,wBAAwB,OAAsC;AAErE,KAAI,OAAO,MAAM,YAAY,WAC3B,QAAO,MAAM,SAAS,CAAC;AAIzB,KAAI,MAAM,QAAQ;EAChB,MAAM,SAA2B,EAAE;AACnC,OAAK,MAAM,SAAS,MAAM,QAAQ;GAChC,MAAM,OAAO,MAAM,MAAM,KAAK,IAAI,IAAI;AACtC,OAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,UAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,SAAO;;AAGT,QAAO,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;AAMzC,SAAS,4BAA4B,QAA8D;CACjG,MAAM,SAA2B,EAAE;AACnC,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,OACJ,MAAM,MACF,KAAK,MAAM;AAEX,OAAI,OAAO,MAAM,YAAY,MAAM,QAAQ,SAAS,EAAG,QAAO,OAAO,EAAE,IAAI;AAC3E,UAAO,OAAO,EAAE;IAChB,CACD,KAAK,IAAI,IAAI;AAClB,MAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,SAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;;;;;AAUnF,SAAgB,kBAAkB,OAAqC;AACrE,KAAI,iBAAiB,YACnB,QAAO,EACL,aAAa;EACX,MAAM,MAAM;EACZ,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,MAAM,GAAG,EAAE;EAC3C,EACF;AAQH,QAAO,EACL,aAAa;EACX,MAAM;EACN,GAJY,WAAW,IAIR,iBAAiB,QAAQ,EAAE,MAAM,EAAE,SAAS,MAAM,SAAS,EAAE,GAAG,EAAE;EAClF,EACF;;;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,mBACd,SAAmC,EAAE,EAChB;CACrB,SAAS,YACP,QACA,IACyB;EACzB,eAAe,cAAc,GAAG,MAA+C;AAC7E,OAAI;IAEF,MAAM,MAAM,MAAM,oBAAoB,OAAO,WAAW;IAGxD,IAAI;AACJ,QAAI,KAAK,WAAW,KAAK,KAAK,cAAc,SAE1C,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;aACzC,KAAK,WAAW,KAAK,KAAK,cAAc,SAKjD,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;QAGlD,YAAW,KAAK;AAIlB,QAAI,OAAO,kBAAkB,KAAA,KAAa,YAAY,OAAO,aAAa,UAAU;KAClF,MAAM,iBAAiB,kBACrB,UACA,OAAO,cACR;AACD,SAAI,eAEF,QAAO;MAAE,kBAAkB;MAAgB,iBADnB,WAAW,SAAS;MACgB;;IAMhE,MAAM,kBAAkB,SAAS,WAAW,SAAS,GAAG,KAAA;IAGxD,IAAI;AACJ,QAAI,OACF,KAAI,iBAAiB,OAAO,EAAE;KAE5B,MAAM,SAAS,OAAO,aAAa,SAAS,SAAS;AACrD,SAAI,kBAAkB,QACpB,OAAM,IAAI,MACR,4FACD;AAEH,SAAI,OAAO,QAAQ;MACjB,MAAM,mBAAmB,4BAA4B,OAAO,OAAO;AACnE,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;eACN,OAAO,OAAO,cAAc,YAAY;KACjD,MAAM,SAAS,OAAO,UAAU,SAAS;AACzC,SAAI,CAAC,OAAO,SAAS;MACnB,MAAM,mBAAmB,wBAAwB,OAAO,MAAM;AAC9D,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;UAEf,KAAI;AACF,aAAQ,OAAO,MAAM,SAAS;aACvB,YAAY;KACnB,MAAM,mBAAmB,wBAAwB,WAA0B;AAC3E,0BAAqB,iBAAiB;AACtC,YAAO;MAAE;MAAkB;MAAiB;;QAIhD,SAAQ;AAKV,WAAO,EAAE,MADI,MAAM,GAAG;KAAE;KAAK;KAAO,CAAC,EACtB;YACR,OAAO;AAKd,QAAI,iBAAiB,kBAAkB,iBAAiB,WACtD,OAAM;AAER,WAAO,kBAAkB,MAAM;;;AAInC,SAAO;;AAGT,QAAO;EACL,OAAe,QAA8B;AAC3C,UAAO,EACL,OACE,IACyB;AACzB,WAAO,YAAY,QAAQ,GAAG;MAEjC;;EAEH,OACE,IAC4B;AAC5B,UAAO,YAAY,KAAA,GAAW,GAA4D;;EAE7F;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,UACd,QACA,SACyB;AACzB,QAAO,oBAAoB,CACxB,OAAO,OAAO,CACd,OAAO,OAAO,EAAE,YAAY,QAAQ,MAAM,CAAC;;;;;;AAShD,SAAS,qBAAqB,QAAgC;AAE5D,KAAI,CADU,SAAS,CACX;CAEZ,MAAM,SAAS,OAAO,QAAQ,OAAO,CAClC,KAAK,CAAC,OAAO,cAAc,KAAK,MAAM,IAAI,SAAS,KAAK,KAAK,GAAG,CAChE,KAAK,KAAK;AACb,SAAQ,KAAK,8CAA8C,SAAS;;;;;;AAOtE,SAAS,kBAAkB,OAAgC,OAAwC;CACjG,MAAM,SAA2B,EAAE;CACnC,MAAM,UAAU,KAAK,MAAM,QAAQ,KAAK;CACxC,MAAM,aACJ,SAAS,OAAO,OAAO,GAAG,KAAK,MAAM,SAAS,OAAO,MAAM,CAAC,MAAM,GAAG,QAAQ;AAE/E,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,iBAAiB,QAAQ,MAAM,OAAO,MACxC,QAAO,OAAO,CACZ,SAAS,MAAM,KAAK,KAAK,WAAW,MAAM,KAAK,CAAC,gBAAgB,WAAW,QAC5E;UACQ,MAAM,QAAQ,MAAM,EAAE;EAC/B,MAAM,YAAY,MAAM,QAAQ,SAAS,gBAAgB,QAAQ,KAAK,OAAO,MAAM;AACnF,MAAI,UAAU,SAAS,EACrB,QAAO,OAAO,UAAU,KACrB,MAAY,SAAS,EAAE,KAAK,KAAK,WAAW,EAAE,KAAK,CAAC,gBAAgB,WAAW,QACjF;;AAKP,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS;;;;;;AAOnD,SAAS,WAAW,OAAqD;AACvE,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO,KAAA;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO,KAAA;CAEtC,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,MAAiC,EAAE;AACrE,MAAI,aAAa,KAAM;AACvB,MAAI,MAAM,QAAQ,EAAE,CAClB,QAAO,KAAK,EAAE,QAAQ,SAAS,EAAE,gBAAgB,MAAM;WAC9C,OAAO,MAAM,YAAY,MAAM,QAAQ,EAAE,aAAa,MAC/D,QAAO,KAAK,WAAW,EAAE,IAAI,EAAE;MAE/B,QAAO,KAAK;;AAGhB,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACpcT,SAAgB,eAAqC;AACnD,QAAO,aAAa,UAAU,IAAI"}
+{"version":3,"file":"index.js","names":[],"sources":["../../src/server/form-data.ts","../../src/server/sensitive-fields.ts","../../src/server/action-client.ts","../../src/server/form-flash.ts"],"sourcesContent":["/**\n * FormData preprocessing — schema-agnostic conversion of FormData to typed objects.\n *\n * FormData is all strings. Schema validation expects typed values. This module\n * bridges the gap with intelligent coercion that runs *before* schema validation.\n *\n * Inspired by zod-form-data, but schema-agnostic — works with any Standard Schema\n * library (Zod, Valibot, ArkType).\n *\n * See design/08-forms-and-actions.md §\"parseFormData() and coerce helpers\"\n */\n\n// ─── parseFormData ───────────────────────────────────────────────────────\n\n/**\n * Convert FormData into a plain object with intelligent coercion.\n *\n * Handles:\n * - **Duplicate keys → arrays**: `tags=js&tags=ts` → `{ tags: [\"js\", \"ts\"] }`\n * - **Nested dot-paths**: `user.name=Alice` → `{ user: { name: \"Alice\" } }`\n * - **Empty strings → undefined**: Enables `.optional()` semantics in schemas\n * - **Empty Files → undefined**: File inputs with no selection become `undefined`\n * - **Strips `$ACTION_*` fields**: React's internal hidden fields are excluded\n */\nexport function parseFormData(formData: FormData): Record<string, unknown> {\n  const flat: Record<string, unknown> = {};\n\n  for (const key of new Set(formData.keys())) {\n    // Skip React internal fields\n    if (key.startsWith('$ACTION_')) continue;\n\n    const values = formData.getAll(key);\n    const processed = values.map(normalizeValue);\n\n    if (processed.length === 1) {\n      flat[key] = processed[0];\n    } else {\n      // Filter out undefined entries from multi-value fields\n      flat[key] = processed.filter((v) => v !== undefined);\n    }\n  }\n\n  // Expand dot-notation paths into nested objects\n  return expandDotPaths(flat);\n}\n\n/**\n * Normalize a single FormData entry value.\n * - Empty strings → undefined (enables .optional() semantics)\n * - Empty File objects (no selection) → undefined\n * - Everything else passes through as-is\n */\nfunction normalizeValue(value: FormDataEntryValue): unknown {\n  if (typeof value === 'string') {\n    return value === '' ? undefined : value;\n  }\n\n  // File input with no selection: browsers submit a File with name=\"\" and size=0\n  if (value instanceof File && value.size === 0 && value.name === '') {\n    return undefined;\n  }\n\n  return value;\n}\n\n/**\n * Expand dot-notation keys into nested objects.\n * `{ \"user.name\": \"Alice\", \"user.age\": \"30\" }` → `{ user: { name: \"Alice\", age: \"30\" } }`\n *\n * Keys without dots are left as-is. Bracket notation (e.g. `items[0]`) is NOT\n * supported — use dot notation (`items.0`) instead.\n */\nfunction expandDotPaths(flat: Record<string, unknown>): Record<string, unknown> {\n  const result: Record<string, unknown> = {};\n  let hasDotPaths = false;\n\n  // First pass: check if any keys have dots\n  for (const key of Object.keys(flat)) {\n    if (key.includes('.')) {\n      hasDotPaths = true;\n      break;\n    }\n  }\n\n  // Fast path: no dot-notation keys, return as-is\n  if (!hasDotPaths) return flat;\n\n  for (const [key, value] of Object.entries(flat)) {\n    if (!key.includes('.')) {\n      result[key] = value;\n      continue;\n    }\n\n    const parts = key.split('.');\n    let current: Record<string, unknown> = result;\n\n    for (let i = 0; i < parts.length - 1; i++) {\n      const part = parts[i];\n      if (current[part] === undefined || current[part] === null) {\n        current[part] = {};\n      }\n      // If current[part] is not an object (e.g., a string from a non-dotted key),\n      // the dot-path takes precedence\n      if (typeof current[part] !== 'object' || current[part] instanceof File) {\n        current[part] = {};\n      }\n      current = current[part] as Record<string, unknown>;\n    }\n\n    current[parts[parts.length - 1]] = value;\n  }\n\n  return result;\n}\n\n// ─── Coercion Helpers ────────────────────────────────────────────────────\n\n/**\n * Schema-agnostic coercion primitives for common FormData patterns.\n *\n * These are plain transform functions — they compose with any schema library's\n * `transform`/`preprocess` pipeline:\n *\n * ```ts\n * // Zod\n * z.preprocess(coerce.number, z.number())\n * // Valibot\n * v.pipe(v.unknown(), v.transform(coerce.number), v.number())\n * ```\n */\nexport const coerce = {\n  /**\n   * Coerce a string to a number.\n   * - `\"42\"` → `42`\n   * - `\"3.14\"` → `3.14`\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Non-numeric strings → `undefined` (schema validation will catch this)\n   */\n  number(value: unknown): number | undefined {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (typeof value === 'number') return value;\n    if (typeof value !== 'string') return undefined;\n    const num = Number(value);\n    if (Number.isNaN(num)) return undefined;\n    return num;\n  },\n\n  /**\n   * Coerce a checkbox value to a boolean.\n   * HTML checkboxes submit \"on\" when checked and are absent when unchecked.\n   * - `\"on\"` / any truthy string → `true`\n   * - `undefined` / `null` / `\"\"` → `false`\n   */\n  checkbox(value: unknown): boolean {\n    if (value === undefined || value === null || value === '') return false;\n    if (typeof value === 'boolean') return value;\n    // Any non-empty string (typically \"on\") is true\n    return typeof value === 'string' && value.length > 0;\n  },\n\n  /**\n   * Parse a JSON string into an object.\n   * - Valid JSON string → parsed object\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Invalid JSON → `undefined` (schema validation will catch this)\n   */\n  json(value: unknown): unknown {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (typeof value !== 'string') return value;\n    try {\n      return JSON.parse(value);\n    } catch {\n      return undefined;\n    }\n  },\n\n  /**\n   * Coerce a date string to a Date object.\n   * Handles `<input type=\"date\">` (`\"2024-01-15\"`), `<input type=\"datetime-local\">`\n   * (`\"2024-01-15T10:30\"`), and full ISO 8601 strings.\n   * - Valid date string → `Date`\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Invalid date strings → `undefined` (schema validation will catch this)\n   * - Impossible dates that `new Date()` silently normalizes (e.g. Feb 31) → `undefined`\n   */\n  date(value: unknown): Date | undefined {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (value instanceof Date) return value;\n    if (typeof value !== 'string') return undefined;\n    const date = new Date(value);\n    if (Number.isNaN(date.getTime())) return undefined;\n\n    // Overflow detection: extract Y/M/D from the input string and verify\n    // they match the parsed Date components. new Date('2024-02-31') silently\n    // normalizes to March 2nd — we reject such inputs.\n    const ymdMatch = value.match(/^(\\d{4})-(\\d{2})-(\\d{2})/);\n    if (ymdMatch) {\n      const inputYear = Number(ymdMatch[1]);\n      const inputMonth = Number(ymdMatch[2]);\n      const inputDay = Number(ymdMatch[3]);\n\n      // Use UTC methods for date-only and Z-suffixed strings to avoid\n      // timezone offset shifting the day. For datetime-local (no Z suffix),\n      // the Date constructor parses in local time, so use local methods.\n      const isUTC = value.length === 10 || value.endsWith('Z');\n      const parsedYear = isUTC ? date.getUTCFullYear() : date.getFullYear();\n      const parsedMonth = isUTC ? date.getUTCMonth() + 1 : date.getMonth() + 1;\n      const parsedDay = isUTC ? date.getUTCDate() : date.getDate();\n\n      if (inputYear !== parsedYear || inputMonth !== parsedMonth || inputDay !== parsedDay) {\n        return undefined;\n      }\n    }\n\n    return date;\n  },\n\n  /**\n   * Create a File coercion function with optional size and mime type validation.\n   * Returns the File if valid, `undefined` otherwise.\n   *\n   * ```ts\n   * // Basic — just checks it's a real File\n   * z.preprocess(coerce.file(), z.instanceof(File))\n   *\n   * // With constraints\n   * z.preprocess(\n   *   coerce.file({ maxSize: 5 * 1024 * 1024, accept: ['image/png', 'image/jpeg'] }),\n   *   z.instanceof(File)\n   * )\n   * ```\n   */\n  file(options?: { maxSize?: number; accept?: string[] }): (value: unknown) => File | undefined {\n    return (value: unknown): File | undefined => {\n      if (value === undefined || value === null || value === '') return undefined;\n      if (!(value instanceof File)) return undefined;\n\n      // Empty file input (no selection): browsers submit File with name=\"\" and size=0\n      if (value.size === 0 && value.name === '') return undefined;\n\n      if (options?.maxSize !== undefined && value.size > options.maxSize) {\n        return undefined;\n      }\n\n      if (options?.accept !== undefined && !options.accept.includes(value.type)) {\n        return undefined;\n      }\n\n      return value;\n    };\n  },\n};\n","/**\n * Sensitive field stripping — removes password/token/CVV-style fields\n * from form values before they are echoed back to the client as\n * `submittedValues` for form repopulation.\n *\n * Applied to both action paths:\n *  - With-JS action path: `createActionClient()` in `action-client.ts`\n *  - No-JS form POST path: `handleFormAction()` in `action-handler.ts`\n *\n * Why: on a validation failure, timber echoes submitted form values back so\n * the user doesn't have to re-type everything. Without filtering, plaintext\n * passwords / credit-card numbers / TOTP codes would travel through the RSC\n * stream (with-JS) or land in the HTML as `defaultValue` attributes (no-JS)\n * — ending up in browser history, proxy logs, disk caches, and the\n * back-forward cache.\n *\n * Safe by default: the built-in deny-list is applied unconditionally unless\n * the user explicitly opts out via `forms.stripSensitiveFields: false` in\n * `timber.config.ts` or per-action via `createActionClient({ stripSensitiveFields: false })`.\n *\n * See design/08-forms-and-actions.md §\"Validation errors\"\n * See design/13-security.md §\"Sensitive field stripping\"\n * See TIM-816\n */\n\nimport { isDebug } from './debug.js';\n\n// ─── Public types ────────────────────────────────────────────────────────\n\n/**\n * How to strip sensitive fields from `submittedValues`.\n *\n * - `true` / `undefined` — use the built-in deny-list (default, safe).\n * - `false` — do not strip anything (dev convenience; never do this in prod).\n * - `string[]` — additional field names to strip, merged with the built-in list.\n * - `(name) => boolean` — custom predicate, fully replaces the built-in list.\n *   Return `true` to strip, `false` to keep. The `name` argument is the raw\n *   (un-normalized) field name as it appeared in the submitted form.\n */\nexport type SensitiveFieldsOption = boolean | readonly string[] | ((name: string) => boolean);\n\n// ─── Built-in deny-list ──────────────────────────────────────────────────\n\n/**\n * Substring patterns matched against the normalized field name.\n * Normalization = lowercase + strip `_` and `-`.\n *\n * Any field whose normalized name *contains* one of these strings is\n * considered sensitive. Entries like `currentPassword`, `passwordConfirmation`,\n * and `user.password` all match via the `password` substring.\n */\nconst BUILTIN_SUBSTRING_PATTERNS: readonly string[] = [\n  'password',\n  'passwd',\n  'pwd',\n  'secret',\n  'apikey',\n  'accesstoken',\n  'refreshtoken',\n  'cvv',\n  'cvc',\n  'cardnumber',\n  'cardcvc',\n  'ssn',\n  'socialsecuritynumber',\n  'otp',\n  'totp',\n  'mfacode',\n  'twofactorcode',\n  'privatekey',\n];\n\n/**\n * Exact matches against the normalized field name. These are field names that\n * are too short or too common to substring-match safely. e.g. `token` alone\n * would match `csrfToken`, which is not sensitive — so `token` is exact-only,\n * while legitimate token fields are covered by `accesstoken` / `refreshtoken`.\n */\nconst BUILTIN_EXACT_PATTERNS: readonly string[] = ['token'];\n\n/**\n * Normalize a field name for deny-list comparison.\n * Lowercases the string and strips `_` and `-` so camelCase, snake_case, and\n * kebab-case variants all compare equal (`api_key` / `apiKey` / `api-key` →\n * `apikey`).\n */\nfunction normalize(name: string): string {\n  let out = '';\n  for (let i = 0; i < name.length; i++) {\n    const ch = name.charCodeAt(i);\n    if (ch === 0x5f /* _ */ || ch === 0x2d /* - */) continue;\n    // A-Z → a-z\n    if (ch >= 0x41 && ch <= 0x5a) {\n      out += String.fromCharCode(ch + 32);\n    } else {\n      out += name[i];\n    }\n  }\n  return out;\n}\n\n/**\n * Check whether a name matches the built-in deny-list (with optional extras).\n * Extras are merged into the substring pattern list after normalization.\n */\nfunction isBuiltinSensitive(name: string, extras?: readonly string[]): boolean {\n  const normalized = normalize(name);\n  if (BUILTIN_EXACT_PATTERNS.includes(normalized)) return true;\n  for (const pattern of BUILTIN_SUBSTRING_PATTERNS) {\n    if (normalized.includes(pattern)) return true;\n  }\n  if (extras && extras.length > 0) {\n    for (const extra of extras) {\n      const normExtra = normalize(extra);\n      if (normExtra.length === 0) continue;\n      if (normalized.includes(normExtra)) return true;\n    }\n  }\n  return false;\n}\n\n// ─── Predicate resolution ────────────────────────────────────────────────\n\n/**\n * A resolved predicate: `null` means \"don't strip anything\" (the option was\n * explicitly `false`). Otherwise a function from raw field name → boolean.\n */\nexport type ResolvedSensitivePredicate = ((name: string) => boolean) | null;\n\n/**\n * Resolve a `SensitiveFieldsOption` into a concrete predicate.\n * Precedence: per-action > global > built-in default.\n *\n * - Per-action `undefined` → fall back to global.\n * - Global `undefined` → use built-in list.\n * - Either level set to `false` → disable stripping entirely (returns `null`).\n * - `true` → built-in list.\n * - `string[]` → built-in ∪ extras.\n * - function → custom, replaces the built-in list entirely.\n */\nexport function resolveSensitivePredicate(\n  perAction: SensitiveFieldsOption | undefined,\n  global: SensitiveFieldsOption | undefined\n): ResolvedSensitivePredicate {\n  const chosen = perAction !== undefined ? perAction : global;\n\n  if (chosen === false) return null;\n  if (chosen === undefined || chosen === true) {\n    return (name) => isBuiltinSensitive(name);\n  }\n  if (typeof chosen === 'function') {\n    return chosen;\n  }\n  // Array of extra names merged with the built-in list.\n  const extras = chosen;\n  return (name) => isBuiltinSensitive(name, extras);\n}\n\n// ─── Module-level global config ──────────────────────────────────────────\n\nlet globalConfig: SensitiveFieldsOption | undefined;\n\n/**\n * Set the global `forms.stripSensitiveFields` config from `timber.config.ts`.\n * Called once at startup from `rsc-entry`.\n */\nexport function setGlobalSensitiveFieldsConfig(option: SensitiveFieldsOption | undefined): void {\n  globalConfig = option;\n}\n\n/** Read the global `forms.stripSensitiveFields` config. */\nexport function getGlobalSensitiveFieldsConfig(): SensitiveFieldsOption | undefined {\n  return globalConfig;\n}\n\n// ─── Stripping ───────────────────────────────────────────────────────────\n\n// One warning per field name per process — prevents log spam when a form is\n// submitted many times in dev mode.\nconst warnedFields = new Set<string>();\n\nfunction warnStripped(name: string): void {\n  if (!isDebug()) return;\n  if (warnedFields.has(name)) return;\n  warnedFields.add(name);\n  console.warn(\n    `[timber] stripped sensitive field \"${name}\" from submittedValues. ` +\n      `Override via forms.stripSensitiveFields in timber.config.ts.`\n  );\n}\n\n/**\n * Walk an object (recursively) and return a copy with every key matching\n * `predicate` removed. Nested objects like `{ user: { password: '...' } }`\n * are handled — `user.password` is stripped while other `user.*` fields remain.\n *\n * - Arrays are walked element-wise (object entries inside arrays are cleaned).\n * - Non-plain values (strings, numbers, Files, Dates, etc.) are returned as-is.\n * - When a stripped key is encountered, it is omitted from the result entirely\n *   — we do NOT set it to an empty string, because that would overwrite a\n *   valid `defaultValue` the form author might have set.\n */\nexport function stripSensitiveFields<T>(value: T, predicate: ResolvedSensitivePredicate): T {\n  // Null predicate = stripping disabled entirely.\n  if (predicate === null) return value;\n  if (value === null || value === undefined) return value;\n  if (typeof value !== 'object') return value;\n  if (value instanceof File || value instanceof Date) return value;\n\n  if (Array.isArray(value)) {\n    return value.map((item) => stripSensitiveFields(item, predicate)) as unknown as T;\n  }\n\n  const result: Record<string, unknown> = {};\n  for (const [key, nested] of Object.entries(value as Record<string, unknown>)) {\n    if (predicate(key)) {\n      warnStripped(key);\n      continue;\n    }\n    result[key] = stripSensitiveFields(nested, predicate);\n  }\n  return result as unknown as T;\n}\n\n// ─── Test helpers ────────────────────────────────────────────────────────\n\n/** Reset the \"warned once\" cache. Exposed for tests. */\nexport function __resetSensitiveFieldsWarnings(): void {\n  warnedFields.clear();\n}\n","/**\n * createActionClient — typed middleware and schema validation for server actions.\n *\n * Inspired by next-safe-action. Provides a builder API:\n *   createActionClient({ middleware }) → .schema(z.object(...)) → .action(fn)\n *\n * The resulting action function satisfies both:\n *   1. Direct call: action(input) → Promise<ActionResult>\n *   2. React useActionState: (prevState, formData) => Promise<ActionResult>\n *\n * See design/08-forms-and-actions.md §\"Middleware for Server Actions\"\n */\n\n// ─── ActionError ─────────────────────────────────────────────────────────\n\n/**\n * Typed error class for server actions. Carries a string code and optional data.\n * When thrown from middleware or the action body, the action short-circuits and\n * the client receives `result.serverError`.\n *\n * In production, unexpected errors (non-ActionError) return `{ code: 'INTERNAL_ERROR' }`\n * with no message. In dev, `data.message` is included.\n */\nexport class ActionError<TCode extends string = string> extends Error {\n  readonly code: TCode;\n  readonly data: Record<string, unknown> | undefined;\n\n  constructor(code: TCode, data?: Record<string, unknown>) {\n    super(`ActionError: ${code}`);\n    this.name = 'ActionError';\n    this.code = code;\n    this.data = data;\n  }\n}\n\n// ─── Standard Schema ──────────────────────────────────────────────────────\n\n/**\n * Standard Schema v1 interface (subset).\n * Zod ≥3.24, Valibot ≥1.0, and ArkType all implement this.\n * See https://github.com/standard-schema/standard-schema\n *\n * We use permissive types here to accept all compliant libraries without\n * requiring exact structural matches on issues/path shapes.\n */\ninterface StandardSchemaV1<Output = unknown> {\n  '~standard': {\n    validate(value: unknown): StandardSchemaResult<Output> | Promise<StandardSchemaResult<Output>>;\n  };\n}\n\ntype StandardSchemaResult<Output> =\n  | { value: Output; issues?: undefined }\n  | { value?: undefined; issues: ReadonlyArray<StandardSchemaIssue> };\n\ninterface StandardSchemaIssue {\n  message: string;\n  path?: ReadonlyArray<PropertyKey | { key: PropertyKey }>;\n}\n\n/** Check if a schema implements the Standard Schema protocol. */\nfunction isStandardSchema(schema: unknown): schema is StandardSchemaV1 {\n  return (\n    typeof schema === 'object' &&\n    schema !== null &&\n    '~standard' in schema &&\n    typeof (schema as StandardSchemaV1)['~standard'].validate === 'function'\n  );\n}\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Minimal schema interface — compatible with Zod, Valibot, ArkType, etc.\n *\n * Accepts either:\n * - Standard Schema (preferred): any object with `~standard.validate()`\n * - Legacy parse interface: objects with `.parse()` / `.safeParse()`\n *\n * At runtime, Standard Schema is detected via `~standard` property and\n * takes priority over the legacy interface.\n */\nexport type ActionSchema<T = unknown> = StandardSchemaV1<T> | LegacyActionSchema<T>;\n\n/** Legacy schema interface with .parse() / .safeParse(). */\ninterface LegacyActionSchema<T = unknown> {\n  'parse'(data: unknown): T;\n  'safeParse'?(data: unknown): { success: true; data: T } | { success: false; error: SchemaError };\n  // Exclude Standard Schema objects from matching this interface\n  '~standard'?: never;\n}\n\n/** Schema validation error shape (for legacy .safeParse()/.parse() interface). */\nexport interface SchemaError {\n  issues?: Array<{ path?: Array<string | number>; message: string }>;\n  flatten?(): { fieldErrors: Record<string, string[]> };\n}\n\n/** Flattened validation errors keyed by field name. */\nexport type ValidationErrors = Record<string, string[]>;\n\n/** Middleware function: returns context to merge into the action body's ctx. */\nexport type ActionMiddleware<TCtx = Record<string, unknown>> = () => Promise<TCtx> | TCtx;\n\n/** The result type returned to the client. */\nexport type ActionResult<TData = unknown> =\n  | { data: TData; validationErrors?: never; serverError?: never; submittedValues?: never }\n  | {\n      data?: never;\n      validationErrors: ValidationErrors;\n      serverError?: never;\n      /** Raw input values on validation failure — for repopulating form fields. */\n      submittedValues?: Record<string, unknown>;\n    }\n  | {\n      data?: never;\n      validationErrors?: never;\n      serverError: { code: string; data?: Record<string, unknown> };\n      submittedValues?: never;\n    };\n\n/** Context passed to the action body. */\nexport interface ActionContext<TCtx, TInput> {\n  ctx: TCtx;\n  input: TInput;\n}\n\n// ─── Builder ─────────────────────────────────────────────────────────────\n\ninterface ActionClientConfig<TCtx> {\n  middleware?: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[];\n  /** Max file size in bytes. Files exceeding this are rejected with validation errors. */\n  fileSizeLimit?: number;\n  /**\n   * Override the sensitive-field deny-list for this action client.\n   * See `SensitiveFieldsOption` in `./sensitive-fields.ts`. Per-action config\n   * takes precedence over the global `forms.stripSensitiveFields` option in\n   * `timber.config.ts`. See design/08-forms-and-actions.md and TIM-816.\n   */\n  stripSensitiveFields?: SensitiveFieldsOption;\n}\n\n/** Intermediate builder returned by createActionClient(). */\nexport interface ActionBuilder<TCtx> {\n  /** Declare the input schema. Validation errors are returned typed. */\n  schema<TInput>(schema: ActionSchema<TInput>): ActionBuilderWithSchema<TCtx, TInput>;\n  /** Define the action body without input validation. */\n  action<TData>(\n    fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n  ): ActionFn<TData, undefined>;\n}\n\n/** Builder after .schema() has been called. */\nexport interface ActionBuilderWithSchema<TCtx, TInput> {\n  /** Define the action body with validated input. */\n  action<TData>(fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>): ActionFn<TData, TInput>;\n}\n\n/**\n * The final action function. Callable three ways:\n * - Direct: action(input) → Promise<ActionResult<TData>>\n * - React useActionState: action(prevState, formData) → Promise<ActionResult<TData>>\n * - React <form action={fn}>: action(formData) → void  (return value ignored by React)\n *\n * The third overload exists purely for type compatibility with React's\n * `<form action>` prop, which expects `(formData: FormData) => void`.\n * At runtime the function still returns Promise<ActionResult>, but React\n * discards it. This lets validated actions be passed directly to forms\n * without casts.\n */\n/**\n * Map schema output keys to `string | undefined` for form-facing APIs.\n * HTML form values are always strings, and fields can be absent.\n * Gives autocomplete for field names without lying about value types.\n */\nexport type InputHint<T> =\n  T extends Record<string, unknown> ? { [K in keyof T]: string | undefined } : T;\n\n/**\n * ActionFn — the callable returned by `createActionClient().action()`.\n *\n * Generic order: `<TData, TInput>` — TData first for backward compatibility.\n * Previously ActionFn had a single `<TData>` generic, so existing code like\n * `ActionFn<MyResult>` must still work with TData in the first position.\n * See TIM-797.\n */\nexport type ActionFn<TData = unknown, TInput = unknown> = {\n  /** <form action={fn}> compatibility — React discards the return value. */\n  (formData: FormData): void;\n  /** Direct call: action(input) — optional when TInput is undefined/unknown (no-schema actions). */\n  (\n    ...args: undefined extends TInput ? [input?: TInput] : [input: TInput]\n  ): Promise<ActionResult<TData>>;\n  /** React useActionState: action(prevState, formData) */\n  (prevState: ActionResult<TData> | null, formData: FormData): Promise<ActionResult<TData>>;\n};\n\n// ─── Implementation ──────────────────────────────────────────────────────\n\n/**\n * Run middleware array or single function. Returns merged context.\n */\nasync function runActionMiddleware<TCtx>(\n  middleware: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[] | undefined\n): Promise<TCtx> {\n  if (!middleware) {\n    return {} as TCtx;\n  }\n\n  if (Array.isArray(middleware)) {\n    let merged = {} as Record<string, unknown>;\n    for (const mw of middleware) {\n      const result = await mw();\n      merged = { ...merged, ...result };\n    }\n    return merged as TCtx;\n  }\n\n  return await middleware();\n}\n\n// Re-export parseFormData for use throughout the framework\nimport { parseFormData } from './form-data.js';\nimport { formatSize } from '../utils/format.js';\nimport { isDebug, isDevMode } from './debug.js';\nimport { RedirectSignal, DenySignal } from './primitives.js';\nimport {\n  stripSensitiveFields,\n  resolveSensitivePredicate,\n  getGlobalSensitiveFieldsConfig,\n  type SensitiveFieldsOption,\n} from './sensitive-fields.js';\n\n/**\n * Extract validation errors from a schema error.\n * Supports Zod's flatten() and generic issues array.\n */\nfunction extractValidationErrors(error: SchemaError): ValidationErrors {\n  // Zod-style flatten\n  if (typeof error.flatten === 'function') {\n    return error.flatten().fieldErrors;\n  }\n\n  // Generic issues array\n  if (error.issues) {\n    const errors: ValidationErrors = {};\n    for (const issue of error.issues) {\n      const path = issue.path?.join('.') ?? '_root';\n      if (!errors[path]) errors[path] = [];\n      errors[path].push(issue.message);\n    }\n    return errors;\n  }\n\n  return { _root: ['Validation failed'] };\n}\n\n/**\n * Extract validation errors from Standard Schema issues.\n */\nfunction extractStandardSchemaErrors(issues: ReadonlyArray<StandardSchemaIssue>): ValidationErrors {\n  const errors: ValidationErrors = {};\n  for (const issue of issues) {\n    const path =\n      issue.path\n        ?.map((p) => {\n          // Standard Schema path items can be { key: ... } objects or bare PropertyKey values\n          if (typeof p === 'object' && p !== null && 'key' in p) return String(p.key);\n          return String(p);\n        })\n        .join('.') ?? '_root';\n    if (!errors[path]) errors[path] = [];\n    errors[path].push(issue.message);\n  }\n  return Object.keys(errors).length > 0 ? errors : { _root: ['Validation failed'] };\n}\n\n/**\n * Wrap unexpected errors into a safe server error result.\n * ActionError → typed result. Other errors → INTERNAL_ERROR (no leak).\n *\n * Exported for use by action-handler.ts to catch errors from raw 'use server'\n * functions that don't use createActionClient.\n */\nexport function handleActionError(error: unknown): ActionResult<never> {\n  if (error instanceof ActionError) {\n    return {\n      serverError: {\n        code: error.code,\n        ...(error.data ? { data: error.data } : {}),\n      },\n    };\n  }\n\n  // In dev, include the message for debugging.\n  // Uses isDevMode() — NOT isDebug() — because this data is sent to the\n  // browser. TIMBER_DEBUG must never cause error messages to leak to clients.\n  // See design/13-security.md principle 4: \"Errors don't leak.\"\n  const devMode = isDevMode();\n  return {\n    serverError: {\n      code: 'INTERNAL_ERROR',\n      ...(devMode && error instanceof Error ? { data: { message: error.message } } : {}),\n    },\n  };\n}\n\n/**\n * Create a typed action client with middleware and schema validation.\n *\n * @example\n * ```ts\n * const action = createActionClient({\n *   middleware: async () => {\n *     const user = await getUser()\n *     if (!user) throw new ActionError('UNAUTHORIZED')\n *     return { user }\n *   },\n * })\n *\n * export const createTodo = action\n *   .schema(z.object({ title: z.string().min(1) }))\n *   .action(async ({ input, ctx }) => {\n *     await db.todos.create({ ...input, userId: ctx.user.id })\n *   })\n * ```\n */\nexport function createActionClient<TCtx = Record<string, never>>(\n  config: ActionClientConfig<TCtx> = {}\n): ActionBuilder<TCtx> {\n  function buildAction<TInput, TData>(\n    schema: ActionSchema<TInput> | undefined,\n    fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n  ): ActionFn<TData, TInput> {\n    async function actionHandler(...args: unknown[]): Promise<ActionResult<TData>> {\n      try {\n        // Run middleware\n        const ctx = await runActionMiddleware(config.middleware);\n\n        // Determine input — either FormData (from useActionState) or direct arg\n        let rawInput: unknown;\n        if (args.length === 2 && args[1] instanceof FormData) {\n          // Called as (prevState, formData) by React useActionState (with-JS path)\n          rawInput = schema ? parseFormData(args[1]) : args[1];\n        } else if (args.length === 1 && args[0] instanceof FormData) {\n          // No-JS path: React's decodeAction binds FormData as the sole argument.\n          // The form POSTs without JavaScript, decodeAction resolves the server\n          // reference and binds the FormData, then executeAction calls fn() with\n          // no additional args — so the bound FormData arrives as args[0].\n          rawInput = schema ? parseFormData(args[0]) : args[0];\n        } else {\n          // Direct call: action(input)\n          rawInput = args[0];\n        }\n\n        // Resolve the sensitive-field stripping predicate once per invocation.\n        // Precedence: per-action (config.stripSensitiveFields) > global\n        // (forms.stripSensitiveFields from timber.config.ts) > built-in deny-list.\n        // See TIM-816.\n        const sensitivePredicate = resolveSensitivePredicate(\n          config.stripSensitiveFields,\n          getGlobalSensitiveFieldsConfig()\n        );\n\n        // Capture a \"safe-to-echo\" snapshot of the raw input once. Files are\n        // stripped (can't serialize, shouldn't echo back) and sensitive fields\n        // (passwords, tokens, CVV, etc.) are removed before they would land\n        // in the RSC payload → client form `defaultValue` → DOM.\n        const buildSubmittedValues = (): Record<string, unknown> | undefined => {\n          const withoutFiles = stripFiles(rawInput);\n          if (withoutFiles === undefined) return undefined;\n          return stripSensitiveFields(withoutFiles, sensitivePredicate);\n        };\n\n        // Validate file sizes before schema validation.\n        if (config.fileSizeLimit !== undefined && rawInput && typeof rawInput === 'object') {\n          const fileSizeErrors = validateFileSizes(\n            rawInput as Record<string, unknown>,\n            config.fileSizeLimit\n          );\n          if (fileSizeErrors) {\n            return { validationErrors: fileSizeErrors, submittedValues: buildSubmittedValues() };\n          }\n        }\n\n        // Capture submitted values for repopulation on validation failure.\n        const submittedValues = schema ? buildSubmittedValues() : undefined;\n\n        // Validate with schema if provided\n        let input: TInput;\n        if (schema) {\n          if (isStandardSchema(schema)) {\n            // Standard Schema protocol (Zod ≥3.24, Valibot ≥1.0, ArkType)\n            const result = schema['~standard'].validate(rawInput);\n            if (result instanceof Promise) {\n              throw new Error(\n                '[timber] createActionClient: schema returned a Promise — only sync schemas are supported.'\n              );\n            }\n            if (result.issues) {\n              const validationErrors = extractStandardSchemaErrors(result.issues);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.value;\n          } else if (typeof schema.safeParse === 'function') {\n            const result = schema.safeParse(rawInput);\n            if (!result.success) {\n              const validationErrors = extractValidationErrors(result.error);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.data;\n          } else {\n            try {\n              input = schema.parse(rawInput);\n            } catch (parseError) {\n              const validationErrors = extractValidationErrors(parseError as SchemaError);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n          }\n        } else {\n          input = rawInput as TInput;\n        }\n\n        // Execute the action body\n        const data = await fn({ ctx, input });\n        return { data };\n      } catch (error) {\n        // Re-throw redirect/deny signals — these are control flow, not errors.\n        // They must propagate to executeAction() which converts them to proper\n        // HTTP responses (302 redirect, 4xx deny). Catching them here would\n        // wrap them as INTERNAL_ERROR and break redirect()/redirectExternal()/deny().\n        if (error instanceof RedirectSignal || error instanceof DenySignal) {\n          throw error;\n        }\n        return handleActionError(error);\n      }\n    }\n\n    return actionHandler as ActionFn<TData, TInput>;\n  }\n\n  return {\n    schema<TInput>(schema: ActionSchema<TInput>) {\n      return {\n        action<TData>(\n          fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n        ): ActionFn<TData, TInput> {\n          return buildAction(schema, fn);\n        },\n      };\n    },\n    action<TData>(\n      fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n    ): ActionFn<TData, undefined> {\n      return buildAction(undefined, fn as (ctx: ActionContext<TCtx, unknown>) => Promise<TData>);\n    },\n  };\n}\n\n// ─── validated() ────────────────────────────────────────────────────────\n\n/**\n * Convenience wrapper for the common case: validate input, run handler.\n * No middleware needed.\n *\n * @example\n * ```ts\n * 'use server'\n * import { validated } from '@timber-js/app/server'\n * import { z } from 'zod'\n *\n * export const createTodo = validated(\n *   z.object({ title: z.string().min(1) }),\n *   async (input) => {\n *     await db.todos.create(input)\n *   }\n * )\n * ```\n */\nexport function validated<TInput, TData>(\n  schema: ActionSchema<TInput>,\n  handler: (input: TInput) => Promise<TData>\n): ActionFn<TData, TInput> {\n  return createActionClient()\n    .schema(schema)\n    .action(async ({ input }) => handler(input));\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\n/**\n * Log validation failures in dev mode so developers can see what went wrong.\n * In production, validation errors are only returned to the client.\n */\nfunction logValidationFailure(errors: ValidationErrors): void {\n  const isDev = isDebug();\n  if (!isDev) return;\n\n  const fields = Object.entries(errors)\n    .map(([field, messages]) => `  ${field}: ${messages.join(', ')}`)\n    .join('\\n');\n  console.warn(`[timber] action schema validation failed:\\n${fields}`);\n}\n\n/**\n * Validate that all File objects in the input are within the size limit.\n * Returns validation errors keyed by field name, or null if all files are ok.\n */\nfunction validateFileSizes(input: Record<string, unknown>, limit: number): ValidationErrors | null {\n  const errors: ValidationErrors = {};\n  const limitKb = Math.round(limit / 1024);\n  const limitLabel =\n    limit >= 1024 * 1024 ? `${Math.round(limit / (1024 * 1024))}MB` : `${limitKb}KB`;\n\n  for (const [key, value] of Object.entries(input)) {\n    if (value instanceof File && value.size > limit) {\n      errors[key] = [\n        `File \"${value.name}\" (${formatSize(value.size)}) exceeds the ${limitLabel} limit`,\n      ];\n    } else if (Array.isArray(value)) {\n      const oversized = value.filter((item) => item instanceof File && item.size > limit);\n      if (oversized.length > 0) {\n        errors[key] = oversized.map(\n          (f: File) => `File \"${f.name}\" (${formatSize(f.size)}) exceeds the ${limitLabel} limit`\n        );\n      }\n    }\n  }\n\n  return Object.keys(errors).length > 0 ? errors : null;\n}\n\n/**\n * Strip File objects from a value, returning a plain object safe for\n * serialization. File objects can't be serialized and shouldn't be echoed back.\n */\nfunction stripFiles(value: unknown): Record<string, unknown> | undefined {\n  if (value === null || value === undefined) return undefined;\n  if (typeof value !== 'object') return undefined;\n\n  const result: Record<string, unknown> = {};\n  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {\n    if (v instanceof File) continue;\n    if (Array.isArray(v)) {\n      result[k] = v.filter((item) => !(item instanceof File));\n    } else if (typeof v === 'object' && v !== null && !(v instanceof File)) {\n      result[k] = stripFiles(v) ?? {};\n    } else {\n      result[k] = v;\n    }\n  }\n  return result;\n}\n","/**\n * Form Flash — ALS-based store for no-JS form action results.\n *\n * When a no-JS form action completes, the server re-renders the page with\n * the action result injected via AsyncLocalStorage instead of redirecting\n * (which would discard the result). Server components read the flash and\n * pass it to client form components as the initial `useActionState` value.\n *\n * This follows the Remix/Rails pattern — the form component becomes the\n * single source of truth for both with-JS (React state) and no-JS (flash).\n *\n * The flash data is server-side only — never serialized to cookies or headers.\n *\n * See design/08-forms-and-actions.md §\"No-JS Error Round-Trip\"\n */\n\nimport type { ValidationErrors } from './action-client.js';\nimport { formFlashAls } from './als-registry.js';\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Flash data injected into the re-render after a no-JS form submission.\n *\n * This is the action result from the server action, stored in ALS so server\n * components can read it and pass it to client form components as the initial\n * state for `useActionState`. This makes the form component a single source\n * of truth for both with-JS and no-JS paths.\n *\n * The shape matches `ActionResult<unknown>` — it's one of:\n * - `{ data: ... }` — success\n * - `{ validationErrors, submittedValues }` — validation failure\n * - `{ serverError }` — server error\n */\nexport interface FormFlashData {\n  /** Success data from the action. */\n  data?: unknown;\n  /** Validation errors keyed by field name. `_root` for form-level errors. */\n  validationErrors?: ValidationErrors;\n  /** Raw submitted values for repopulating form fields. File objects are excluded. */\n  submittedValues?: Record<string, unknown>;\n  /** Server error if the action threw an ActionError. */\n  serverError?: { code: string; data?: Record<string, unknown> };\n}\n\n// ─── Public API ──────────────────────────────────────────────────────────\n\n/**\n * Read the form flash data for the current request.\n *\n * Returns `null` if no flash data is present (i.e., this is a normal page\n * render, not a re-render after a no-JS form submission).\n *\n * Pass the flash as the initial state to `useActionState` so the form\n * component has a single source of truth for both with-JS and no-JS paths:\n *\n * ```tsx\n * // app/contact/page.tsx (server component)\n * import { getFormFlash } from '@timber-js/app/server'\n *\n * export default function ContactPage() {\n *   const flash = getFormFlash()\n *   return <ContactForm flash={flash} />\n * }\n *\n * // app/contact/form.tsx (client component)\n * export function ContactForm({ flash }) {\n *   const [result, action, isPending] = useActionState(submitContact, flash)\n *   // result is the single source of truth — flash seeds it on no-JS\n * }\n * ```\n */\nexport function getFormFlash(): FormFlashData | null {\n  return formFlashAls.getStore() ?? null;\n}\n\n// ─── Framework-Internal ──────────────────────────────────────────────────\n\n/**\n * Run a callback with form flash data in scope.\n *\n * Used by the action handler to re-render the page with validation errors\n * available via `getFormFlash()`. Not part of the public API.\n *\n * @internal\n */\nexport function runWithFormFlash<T>(data: FormFlashData, fn: () => T): T {\n  return formFlashAls.run(data, fn);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,SAAgB,cAAc,UAA6C;CACzE,MAAM,OAAgC,EAAE;AAExC,MAAK,MAAM,OAAO,IAAI,IAAI,SAAS,MAAM,CAAC,EAAE;AAE1C,MAAI,IAAI,WAAW,WAAW,CAAE;EAGhC,MAAM,YADS,SAAS,OAAO,IAAI,CACV,IAAI,eAAe;AAE5C,MAAI,UAAU,WAAW,EACvB,MAAK,OAAO,UAAU;MAGtB,MAAK,OAAO,UAAU,QAAQ,MAAM,MAAM,KAAA,EAAU;;AAKxD,QAAO,eAAe,KAAK;;;;;;;;AAS7B,SAAS,eAAe,OAAoC;AAC1D,KAAI,OAAO,UAAU,SACnB,QAAO,UAAU,KAAK,KAAA,IAAY;AAIpC,KAAI,iBAAiB,QAAQ,MAAM,SAAS,KAAK,MAAM,SAAS,GAC9D;AAGF,QAAO;;;;;;;;;AAUT,SAAS,eAAe,MAAwD;CAC9E,MAAM,SAAkC,EAAE;CAC1C,IAAI,cAAc;AAGlB,MAAK,MAAM,OAAO,OAAO,KAAK,KAAK,CACjC,KAAI,IAAI,SAAS,IAAI,EAAE;AACrB,gBAAc;AACd;;AAKJ,KAAI,CAAC,YAAa,QAAO;AAEzB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,EAAE;AAC/C,MAAI,CAAC,IAAI,SAAS,IAAI,EAAE;AACtB,UAAO,OAAO;AACd;;EAGF,MAAM,QAAQ,IAAI,MAAM,IAAI;EAC5B,IAAI,UAAmC;AAEvC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,SAAS,GAAG,KAAK;GACzC,MAAM,OAAO,MAAM;AACnB,OAAI,QAAQ,UAAU,KAAA,KAAa,QAAQ,UAAU,KACnD,SAAQ,QAAQ,EAAE;AAIpB,OAAI,OAAO,QAAQ,UAAU,YAAY,QAAQ,iBAAiB,KAChE,SAAQ,QAAQ,EAAE;AAEpB,aAAU,QAAQ;;AAGpB,UAAQ,MAAM,MAAM,SAAS,MAAM;;AAGrC,QAAO;;;;;;;;;;;;;;;AAkBT,IAAa,SAAS;CAQpB,OAAO,OAAoC;AACzC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,SAAU,QAAO,KAAA;EACtC,MAAM,MAAM,OAAO,MAAM;AACzB,MAAI,OAAO,MAAM,IAAI,CAAE,QAAO,KAAA;AAC9B,SAAO;;CAST,SAAS,OAAyB;AAChC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO;AAClE,MAAI,OAAO,UAAU,UAAW,QAAO;AAEvC,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS;;CASrD,KAAK,OAAyB;AAC5B,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,MAAM;UAClB;AACN;;;CAaJ,KAAK,OAAkC;AACrC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,iBAAiB,KAAM,QAAO;AAClC,MAAI,OAAO,UAAU,SAAU,QAAO,KAAA;EACtC,MAAM,OAAO,IAAI,KAAK,MAAM;AAC5B,MAAI,OAAO,MAAM,KAAK,SAAS,CAAC,CAAE,QAAO,KAAA;EAKzC,MAAM,WAAW,MAAM,MAAM,2BAA2B;AACxD,MAAI,UAAU;GACZ,MAAM,YAAY,OAAO,SAAS,GAAG;GACrC,MAAM,aAAa,OAAO,SAAS,GAAG;GACtC,MAAM,WAAW,OAAO,SAAS,GAAG;GAKpC,MAAM,QAAQ,MAAM,WAAW,MAAM,MAAM,SAAS,IAAI;GACxD,MAAM,aAAa,QAAQ,KAAK,gBAAgB,GAAG,KAAK,aAAa;GACrE,MAAM,cAAc,QAAQ,KAAK,aAAa,GAAG,IAAI,KAAK,UAAU,GAAG;GACvE,MAAM,YAAY,QAAQ,KAAK,YAAY,GAAG,KAAK,SAAS;AAE5D,OAAI,cAAc,cAAc,eAAe,eAAe,aAAa,UACzE;;AAIJ,SAAO;;CAkBT,KAAK,SAAyF;AAC5F,UAAQ,UAAqC;AAC3C,OAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,OAAI,EAAE,iBAAiB,MAAO,QAAO,KAAA;AAGrC,OAAI,MAAM,SAAS,KAAK,MAAM,SAAS,GAAI,QAAO,KAAA;AAElD,OAAI,SAAS,YAAY,KAAA,KAAa,MAAM,OAAO,QAAQ,QACzD;AAGF,OAAI,SAAS,WAAW,KAAA,KAAa,CAAC,QAAQ,OAAO,SAAS,MAAM,KAAK,CACvE;AAGF,UAAO;;;CAGZ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACxMD,IAAM,6BAAgD;CACpD;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;;;;;;;AAQD,IAAM,yBAA4C,CAAC,QAAQ;;;;;;;AAQ3D,SAAS,UAAU,MAAsB;CACvC,IAAI,MAAM;AACV,MAAK,IAAI,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;EACpC,MAAM,KAAK,KAAK,WAAW,EAAE;AAC7B,MAAI,OAAO,MAAgB,OAAO,GAAc;AAEhD,MAAI,MAAM,MAAQ,MAAM,GACtB,QAAO,OAAO,aAAa,KAAK,GAAG;MAEnC,QAAO,KAAK;;AAGhB,QAAO;;;;;;AAOT,SAAS,mBAAmB,MAAc,QAAqC;CAC7E,MAAM,aAAa,UAAU,KAAK;AAClC,KAAI,uBAAuB,SAAS,WAAW,CAAE,QAAO;AACxD,MAAK,MAAM,WAAW,2BACpB,KAAI,WAAW,SAAS,QAAQ,CAAE,QAAO;AAE3C,KAAI,UAAU,OAAO,SAAS,EAC5B,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,YAAY,UAAU,MAAM;AAClC,MAAI,UAAU,WAAW,EAAG;AAC5B,MAAI,WAAW,SAAS,UAAU,CAAE,QAAO;;AAG/C,QAAO;;;;;;;;;;;;;AAsBT,SAAgB,0BACd,WACA,QAC4B;CAC5B,MAAM,SAAS,cAAc,KAAA,IAAY,YAAY;AAErD,KAAI,WAAW,MAAO,QAAO;AAC7B,KAAI,WAAW,KAAA,KAAa,WAAW,KACrC,SAAQ,SAAS,mBAAmB,KAAK;AAE3C,KAAI,OAAO,WAAW,WACpB,QAAO;CAGT,MAAM,SAAS;AACf,SAAQ,SAAS,mBAAmB,MAAM,OAAO;;AAKnD,IAAI;;AAWJ,SAAgB,iCAAoE;AAClF,QAAO;;AAOT,IAAM,+BAAe,IAAI,KAAa;AAEtC,SAAS,aAAa,MAAoB;AACxC,KAAI,CAAC,SAAS,CAAE;AAChB,KAAI,aAAa,IAAI,KAAK,CAAE;AAC5B,cAAa,IAAI,KAAK;AACtB,SAAQ,KACN,sCAAsC,KAAK,sFAE5C;;;;;;;;;;;;;AAcH,SAAgB,qBAAwB,OAAU,WAA0C;AAE1F,KAAI,cAAc,KAAM,QAAO;AAC/B,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO;AACtC,KAAI,iBAAiB,QAAQ,iBAAiB,KAAM,QAAO;AAE3D,KAAI,MAAM,QAAQ,MAAM,CACtB,QAAO,MAAM,KAAK,SAAS,qBAAqB,MAAM,UAAU,CAAC;CAGnE,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,KAAK,WAAW,OAAO,QAAQ,MAAiC,EAAE;AAC5E,MAAI,UAAU,IAAI,EAAE;AAClB,gBAAa,IAAI;AACjB;;AAEF,SAAO,OAAO,qBAAqB,QAAQ,UAAU;;AAEvD,QAAO;;;;;;;;;;;;;;;;;;;;;;;;ACtMT,IAAa,cAAb,cAAgE,MAAM;CACpE;CACA;CAEA,YAAY,MAAa,MAAgC;AACvD,QAAM,gBAAgB,OAAO;AAC7B,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,OAAK,OAAO;;;;AA8BhB,SAAS,iBAAiB,QAA6C;AACrE,QACE,OAAO,WAAW,YAClB,WAAW,QACX,eAAe,UACf,OAAQ,OAA4B,aAAa,aAAa;;;;;AAwIlE,eAAe,oBACb,YACe;AACf,KAAI,CAAC,WACH,QAAO,EAAE;AAGX,KAAI,MAAM,QAAQ,WAAW,EAAE;EAC7B,IAAI,SAAS,EAAE;AACf,OAAK,MAAM,MAAM,YAAY;GAC3B,MAAM,SAAS,MAAM,IAAI;AACzB,YAAS;IAAE,GAAG;IAAQ,GAAG;IAAQ;;AAEnC,SAAO;;AAGT,QAAO,MAAM,YAAY;;;;;;AAmB3B,SAAS,wBAAwB,OAAsC;AAErE,KAAI,OAAO,MAAM,YAAY,WAC3B,QAAO,MAAM,SAAS,CAAC;AAIzB,KAAI,MAAM,QAAQ;EAChB,MAAM,SAA2B,EAAE;AACnC,OAAK,MAAM,SAAS,MAAM,QAAQ;GAChC,MAAM,OAAO,MAAM,MAAM,KAAK,IAAI,IAAI;AACtC,OAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,UAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,SAAO;;AAGT,QAAO,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;AAMzC,SAAS,4BAA4B,QAA8D;CACjG,MAAM,SAA2B,EAAE;AACnC,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,OACJ,MAAM,MACF,KAAK,MAAM;AAEX,OAAI,OAAO,MAAM,YAAY,MAAM,QAAQ,SAAS,EAAG,QAAO,OAAO,EAAE,IAAI;AAC3E,UAAO,OAAO,EAAE;IAChB,CACD,KAAK,IAAI,IAAI;AAClB,MAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,SAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;;;;;AAUnF,SAAgB,kBAAkB,OAAqC;AACrE,KAAI,iBAAiB,YACnB,QAAO,EACL,aAAa;EACX,MAAM,MAAM;EACZ,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,MAAM,GAAG,EAAE;EAC3C,EACF;AAQH,QAAO,EACL,aAAa;EACX,MAAM;EACN,GAJY,WAAW,IAIR,iBAAiB,QAAQ,EAAE,MAAM,EAAE,SAAS,MAAM,SAAS,EAAE,GAAG,EAAE;EAClF,EACF;;;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,mBACd,SAAmC,EAAE,EAChB;CACrB,SAAS,YACP,QACA,IACyB;EACzB,eAAe,cAAc,GAAG,MAA+C;AAC7E,OAAI;IAEF,MAAM,MAAM,MAAM,oBAAoB,OAAO,WAAW;IAGxD,IAAI;AACJ,QAAI,KAAK,WAAW,KAAK,KAAK,cAAc,SAE1C,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;aACzC,KAAK,WAAW,KAAK,KAAK,cAAc,SAKjD,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;QAGlD,YAAW,KAAK;IAOlB,MAAM,qBAAqB,0BACzB,OAAO,sBACP,gCAAgC,CACjC;IAMD,MAAM,6BAAkE;KACtE,MAAM,eAAe,WAAW,SAAS;AACzC,SAAI,iBAAiB,KAAA,EAAW,QAAO,KAAA;AACvC,YAAO,qBAAqB,cAAc,mBAAmB;;AAI/D,QAAI,OAAO,kBAAkB,KAAA,KAAa,YAAY,OAAO,aAAa,UAAU;KAClF,MAAM,iBAAiB,kBACrB,UACA,OAAO,cACR;AACD,SAAI,eACF,QAAO;MAAE,kBAAkB;MAAgB,iBAAiB,sBAAsB;MAAE;;IAKxF,MAAM,kBAAkB,SAAS,sBAAsB,GAAG,KAAA;IAG1D,IAAI;AACJ,QAAI,OACF,KAAI,iBAAiB,OAAO,EAAE;KAE5B,MAAM,SAAS,OAAO,aAAa,SAAS,SAAS;AACrD,SAAI,kBAAkB,QACpB,OAAM,IAAI,MACR,4FACD;AAEH,SAAI,OAAO,QAAQ;MACjB,MAAM,mBAAmB,4BAA4B,OAAO,OAAO;AACnE,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;eACN,OAAO,OAAO,cAAc,YAAY;KACjD,MAAM,SAAS,OAAO,UAAU,SAAS;AACzC,SAAI,CAAC,OAAO,SAAS;MACnB,MAAM,mBAAmB,wBAAwB,OAAO,MAAM;AAC9D,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;UAEf,KAAI;AACF,aAAQ,OAAO,MAAM,SAAS;aACvB,YAAY;KACnB,MAAM,mBAAmB,wBAAwB,WAA0B;AAC3E,0BAAqB,iBAAiB;AACtC,YAAO;MAAE;MAAkB;MAAiB;;QAIhD,SAAQ;AAKV,WAAO,EAAE,MADI,MAAM,GAAG;KAAE;KAAK;KAAO,CAAC,EACtB;YACR,OAAO;AAKd,QAAI,iBAAiB,kBAAkB,iBAAiB,WACtD,OAAM;AAER,WAAO,kBAAkB,MAAM;;;AAInC,SAAO;;AAGT,QAAO;EACL,OAAe,QAA8B;AAC3C,UAAO,EACL,OACE,IACyB;AACzB,WAAO,YAAY,QAAQ,GAAG;MAEjC;;EAEH,OACE,IAC4B;AAC5B,UAAO,YAAY,KAAA,GAAW,GAA4D;;EAE7F;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,UACd,QACA,SACyB;AACzB,QAAO,oBAAoB,CACxB,OAAO,OAAO,CACd,OAAO,OAAO,EAAE,YAAY,QAAQ,MAAM,CAAC;;;;;;AAShD,SAAS,qBAAqB,QAAgC;AAE5D,KAAI,CADU,SAAS,CACX;CAEZ,MAAM,SAAS,OAAO,QAAQ,OAAO,CAClC,KAAK,CAAC,OAAO,cAAc,KAAK,MAAM,IAAI,SAAS,KAAK,KAAK,GAAG,CAChE,KAAK,KAAK;AACb,SAAQ,KAAK,8CAA8C,SAAS;;;;;;AAOtE,SAAS,kBAAkB,OAAgC,OAAwC;CACjG,MAAM,SAA2B,EAAE;CACnC,MAAM,UAAU,KAAK,MAAM,QAAQ,KAAK;CACxC,MAAM,aACJ,SAAS,OAAO,OAAO,GAAG,KAAK,MAAM,SAAS,OAAO,MAAM,CAAC,MAAM,GAAG,QAAQ;AAE/E,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,iBAAiB,QAAQ,MAAM,OAAO,MACxC,QAAO,OAAO,CACZ,SAAS,MAAM,KAAK,KAAK,WAAW,MAAM,KAAK,CAAC,gBAAgB,WAAW,QAC5E;UACQ,MAAM,QAAQ,MAAM,EAAE;EAC/B,MAAM,YAAY,MAAM,QAAQ,SAAS,gBAAgB,QAAQ,KAAK,OAAO,MAAM;AACnF,MAAI,UAAU,SAAS,EACrB,QAAO,OAAO,UAAU,KACrB,MAAY,SAAS,EAAE,KAAK,KAAK,WAAW,EAAE,KAAK,CAAC,gBAAgB,WAAW,QACjF;;AAKP,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS;;;;;;AAOnD,SAAS,WAAW,OAAqD;AACvE,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO,KAAA;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO,KAAA;CAEtC,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,MAAiC,EAAE;AACrE,MAAI,aAAa,KAAM;AACvB,MAAI,MAAM,QAAQ,EAAE,CAClB,QAAO,KAAK,EAAE,QAAQ,SAAS,EAAE,gBAAgB,MAAM;WAC9C,OAAO,MAAM,YAAY,MAAM,QAAQ,EAAE,aAAa,MAC/D,QAAO,KAAK,WAAW,EAAE,IAAI,EAAE;MAE/B,QAAO,KAAK;;AAGhB,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACleT,SAAgB,eAAqC;AACnD,QAAO,aAAa,UAAU,IAAI"}

package/dist/server/route-matcher.d.ts

@@ -45,6 +45,13 @@ export interface ManifestSegmentNode {
 /** The manifest shape from virtual:timber-route-manifest. */
 export interface ManifestRoot {
     root: ManifestSegmentNode;
+    /**
+     * Absolute path to the Vite project root, captured at build/load time.
+     * Used by dev-only features (e.g., dev error page frame classification)
+     * that need a correct project root even when CWD differs (e.g., monorepo
+     * custom root). See TIM-807 / TIM-808.
+     */
+    viteRoot: string;
     proxy?: ManifestFile;
     /**
      * Global error page: app/global-error.{tsx,ts,jsx,js}