@timber-js/app 0.2.0-alpha.87 → 0.2.0-alpha.89

package/dist/server/route-matcher.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route-matcher.d.ts","sourceRoot":"","sources":["../../src/server/route-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,sBAAsB,CAAC;AAM9B,6DAA6D;AAC7D,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,gFAAgF;AAChF,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EACP,QAAQ,GACR,SAAS,GACT,WAAW,GACX,oBAAoB,GACpB,OAAO,GACP,MAAM,GACN,cAAc,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;IAC3D,8EAA8E;IAC9E,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,2FAA2F;IAC3F,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC3C,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC/C,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACjD,sFAAsF;IACtF,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAE9C,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CAC5C;AAED,6DAA6D;AAC7D,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,mBAAmB,CAAC;IAC1B,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,YAAY,CAAC;CAC5B;AAID;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,YAAY,GACrB,CAAC,QAAQ,EAAE,MAAM,KAAK,UAAU,GAAG,IAAI,CAEzC;AAyMD,2CAA2C;AAC3C,MAAM,WAAW,kBAAkB;IACjC,4DAA4D;IAC5D,IAAI,EAAE,iBAAiB,CAAC;IACxB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,IAAI,EAAE,YAAY,CAAC;IACnB,0DAA0D;IAC1D,OAAO,EAAE,mBAAmB,CAAC;IAC7B;;;OAGG;IACH,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,YAAY,GACrB,CAAC,QAAQ,EAAE,MAAM,KAAK,kBAAkB,GAAG,IAAI,CAMjD"}
+{"version":3,"file":"route-matcher.d.ts","sourceRoot":"","sources":["../../src/server/route-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAEhD,OAAO,EAIL,KAAK,iBAAiB,EACvB,MAAM,sBAAsB,CAAC;AAM9B,6DAA6D;AAC7D,UAAU,YAAY;IACpB,IAAI,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,gFAAgF;AAChF,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EACP,QAAQ,GACR,SAAS,GACT,WAAW,GACX,oBAAoB,GACpB,OAAO,GACP,MAAM,GACN,cAAc,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,kBAAkB,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;IAC3D,8EAA8E;IAC9E,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,2FAA2F;IAC3F,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC3C,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC/C,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACjD,sFAAsF;IACtF,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAE9C,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CAC5C;AAED,6DAA6D;AAC7D,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,mBAAmB,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,YAAY,CAAC;CAC5B;AAID;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,YAAY,GACrB,CAAC,QAAQ,EAAE,MAAM,KAAK,UAAU,GAAG,IAAI,CAEzC;AAyMD,2CAA2C;AAC3C,MAAM,WAAW,kBAAkB;IACjC,4DAA4D;IAC5D,IAAI,EAAE,iBAAiB,CAAC;IACxB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,IAAI,EAAE,YAAY,CAAC;IACnB,0DAA0D;IAC1D,OAAO,EAAE,mBAAmB,CAAC;IAC7B;;;OAGG;IACH,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,YAAY,GACrB,CAAC,QAAQ,EAAE,MAAM,KAAK,kBAAkB,GAAG,IAAI,CAMjD"}

package/dist/server/rsc-entry/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/rsc-entry/index.ts"],"names":[],"mappings":"AA4DA,OAAO,EAKL,KAAK,mBAAmB,EACzB,MAAM,cAAc,CAAC;AAoCtB;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,mBAAmB,EAAE,KAAK,IAAI,GACtF,IAAI,CAEN;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,GAAG,IAAI,CAE5E;AAqiBD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAInE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;8BA3SrC,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC;AA6ShD,wBAAiE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/rsc-entry/index.ts"],"names":[],"mappings":"AA4DA,OAAO,EAKL,KAAK,mBAAmB,EACzB,MAAM,cAAc,CAAC;AAoCtB;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,mBAAmB,EAAE,KAAK,IAAI,GACtF,IAAI,CAEN;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,GAAG,IAAI,CAE5E;AAqjBD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAInE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;8BA5SrC,OAAO,KAAG,OAAO,CAAC,QAAQ,CAAC;AA8ShD,wBAAiE"}

package/dist/server/sensitive-fields.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Sensitive field stripping — removes password/token/CVV-style fields
+ * from form values before they are echoed back to the client as
+ * `submittedValues` for form repopulation.
+ *
+ * Applied to both action paths:
+ *  - With-JS action path: `createActionClient()` in `action-client.ts`
+ *  - No-JS form POST path: `handleFormAction()` in `action-handler.ts`
+ *
+ * Why: on a validation failure, timber echoes submitted form values back so
+ * the user doesn't have to re-type everything. Without filtering, plaintext
+ * passwords / credit-card numbers / TOTP codes would travel through the RSC
+ * stream (with-JS) or land in the HTML as `defaultValue` attributes (no-JS)
+ * — ending up in browser history, proxy logs, disk caches, and the
+ * back-forward cache.
+ *
+ * Safe by default: the built-in deny-list is applied unconditionally unless
+ * the user explicitly opts out via `forms.stripSensitiveFields: false` in
+ * `timber.config.ts` or per-action via `createActionClient({ stripSensitiveFields: false })`.
+ *
+ * See design/08-forms-and-actions.md §"Validation errors"
+ * See design/13-security.md §"Sensitive field stripping"
+ * See TIM-816
+ */
+/**
+ * How to strip sensitive fields from `submittedValues`.
+ *
+ * - `true` / `undefined` — use the built-in deny-list (default, safe).
+ * - `false` — do not strip anything (dev convenience; never do this in prod).
+ * - `string[]` — additional field names to strip, merged with the built-in list.
+ * - `(name) => boolean` — custom predicate, fully replaces the built-in list.
+ *   Return `true` to strip, `false` to keep. The `name` argument is the raw
+ *   (un-normalized) field name as it appeared in the submitted form.
+ */
+export type SensitiveFieldsOption = boolean | readonly string[] | ((name: string) => boolean);
+/**
+ * A resolved predicate: `null` means "don't strip anything" (the option was
+ * explicitly `false`). Otherwise a function from raw field name → boolean.
+ */
+export type ResolvedSensitivePredicate = ((name: string) => boolean) | null;
+/**
+ * Resolve a `SensitiveFieldsOption` into a concrete predicate.
+ * Precedence: per-action > global > built-in default.
+ *
+ * - Per-action `undefined` → fall back to global.
+ * - Global `undefined` → use built-in list.
+ * - Either level set to `false` → disable stripping entirely (returns `null`).
+ * - `true` → built-in list.
+ * - `string[]` → built-in ∪ extras.
+ * - function → custom, replaces the built-in list entirely.
+ */
+export declare function resolveSensitivePredicate(perAction: SensitiveFieldsOption | undefined, global: SensitiveFieldsOption | undefined): ResolvedSensitivePredicate;
+/**
+ * Set the global `forms.stripSensitiveFields` config from `timber.config.ts`.
+ * Called once at startup from `rsc-entry`.
+ */
+export declare function setGlobalSensitiveFieldsConfig(option: SensitiveFieldsOption | undefined): void;
+/** Read the global `forms.stripSensitiveFields` config. */
+export declare function getGlobalSensitiveFieldsConfig(): SensitiveFieldsOption | undefined;
+/**
+ * Walk an object (recursively) and return a copy with every key matching
+ * `predicate` removed. Nested objects like `{ user: { password: '...' } }`
+ * are handled — `user.password` is stripped while other `user.*` fields remain.
+ *
+ * - Arrays are walked element-wise (object entries inside arrays are cleaned).
+ * - Non-plain values (strings, numbers, Files, Dates, etc.) are returned as-is.
+ * - When a stripped key is encountered, it is omitted from the result entirely
+ *   — we do NOT set it to an empty string, because that would overwrite a
+ *   valid `defaultValue` the form author might have set.
+ */
+export declare function stripSensitiveFields<T>(value: T, predicate: ResolvedSensitivePredicate): T;
+/** Reset the "warned once" cache. Exposed for tests. */
+export declare function __resetSensitiveFieldsWarnings(): void;
+//# sourceMappingURL=sensitive-fields.d.ts.map

package/dist/server/sensitive-fields.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-fields.d.ts","sourceRoot":"","sources":["../../src/server/sensitive-fields.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAMH;;;;;;;;;GASG;AACH,MAAM,MAAM,qBAAqB,GAAG,OAAO,GAAG,SAAS,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;AAoF9F;;;GAGG;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,GAAG,IAAI,CAAC;AAE5E;;;;;;;;;;GAUG;AACH,wBAAgB,yBAAyB,CACvC,SAAS,EAAE,qBAAqB,GAAG,SAAS,EAC5C,MAAM,EAAE,qBAAqB,GAAG,SAAS,GACxC,0BAA0B,CAa5B;AAMD;;;GAGG;AACH,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,qBAAqB,GAAG,SAAS,GAAG,IAAI,CAE9F;AAED,2DAA2D;AAC3D,wBAAgB,8BAA8B,IAAI,qBAAqB,GAAG,SAAS,CAElF;AAkBD;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,0BAA0B,GAAG,CAAC,CAoB1F;AAID,wDAAwD;AACxD,wBAAgB,8BAA8B,IAAI,IAAI,CAErD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@timber-js/app",
-  "version": "0.2.0-alpha.87",
+  "version": "0.2.0-alpha.89",
   "description": "Vite-native React framework built for Servers and Serverless Platforms — correct HTTP semantics, real status codes, pages that work without JavaScript",
   "keywords": [
     "cloudflare-workers",
@@ -110,11 +110,6 @@
   "publishConfig": {
     "access": "public"
   },
-  "scripts": {
-    "build": "vite build --config vite.lib.config.ts && tsc --emitDeclarationOnly --project tsconfig.json --outDir dist",
-    "typecheck": "tsgo --noEmit",
-    "prepublishOnly": "pnpm run build"
-  },
   "dependencies": {
     "@opentelemetry/api": "^1.9.1",
     "@opentelemetry/context-async-hooks": "^2.6.1",
@@ -157,5 +152,9 @@
   },
   "engines": {
     "node": ">=22.12.0"
+  },
+  "scripts": {
+    "build": "vite build --config vite.lib.config.ts && tsc --emitDeclarationOnly --project tsconfig.json --outDir dist",
+    "typecheck": "tsgo --noEmit"
   }
-}
+}

package/src/client/index.ts

@@ -10,10 +10,86 @@
 export type { RenderErrorDigest } from './types';
 
 // Navigation
+import type { JSX } from 'react';
+import type { SearchParamsDefinition } from '../search-params/define.js';
+import type { LinkBaseProps } from './link';
 export { Link, interpolateParams, resolveHref, validateLinkHref, buildLinkProps } from './link';
 export { mergePreservedSearchParams } from '../shared/merge-search-params.js';
-export type { LinkFunction, LinkProps, LinkPropsWithHref, LinkPropsWithParams } from './link';
+export type { LinkProps, LinkPropsWithHref, LinkPropsWithParams, LinkBaseProps } from './link';
 export type { LinkSegmentParams, OnNavigateHandler, OnNavigateEvent } from './link';
+
+// ─── LinkFunction (originally declared here for module augmentation) ───
+//
+// The codegen emits `declare module '@timber-js/app/client' { interface
+// LinkFunction { ... } }` to add per-route call signatures. TypeScript
+// interface merging via module augmentation only merges with interfaces
+// that are ORIGINALLY DECLARED in the augmented module — a re-exported
+// type binding (`export type { LinkFunction } from './link'`) creates a
+// distinct, unmergeable name. So `LinkFunction` and its supporting
+// `ExternalHref` type must live here, not in `./link.tsx`. The `Link`
+// const in `./link.tsx` imports this interface as a type-only import.
+// See TIM-624.
+
+/**
+ * Href types accepted by the catch-all (non-route) call signature.
+ *
+ * - External protocols: https://, http://, mailto:, tel:, ftp://
+ * - Hash-only and query-only links: #section, ?param=value
+ * - Computed `string` variables (non-literal)
+ *
+ * Internal path literals like "/typo-route" do NOT match — they must
+ * be a known route (from codegen) or stored in a `string` variable.
+ * This catches wrong hrefs at the type level.
+ */
+type ExternalHref =
+  | `http://${string}`
+  | `https://${string}`
+  | `mailto:${string}`
+  | `tel:${string}`
+  | `ftp://${string}`
+  | `//${string}`
+  | `#${string}`
+  | `?${string}`;
+
+/**
+ * Callable interface for the Link component.
+ *
+ * Two kinds of call signatures:
+ * 1. Per-route (added by codegen via interface merging): DIRECT types
+ *    for segmentParams — preserves TypeScript excess property checking.
+ * 2. Catch-all (below): accepts external hrefs and computed `string`
+ *    variables. Does NOT accept internal path literals — those must
+ *    match a known route from the codegen.
+ */
+export interface LinkFunction {
+  // External links (literal protocol hrefs)
+  (
+    props: LinkBaseProps & {
+      href: ExternalHref;
+      segmentParams?: never;
+      searchParams?: {
+        definition: SearchParamsDefinition<Record<string, unknown>>;
+        values: Record<string, unknown>;
+      };
+    }
+  ): JSX.Element;
+  // Computed/variable href (non-literal string) — e.g. href={myVar}
+  // `string extends H` is true only when H is the wide `string` type,
+  // not a specific literal. Template literal hrefs like `/blog/${slug}`
+  // are handled by resolved-pattern signatures in the codegen.
+  <H extends string>(
+    props: string extends H
+      ? LinkBaseProps & {
+          href: H;
+          segmentParams?: Record<string, string | number | string[]>;
+          searchParams?: {
+            definition: SearchParamsDefinition<Record<string, unknown>>;
+            values: Record<string, unknown>;
+          };
+        }
+      : never
+  ): JSX.Element;
+}
 export { usePendingNavigation } from './use-pending-navigation';
 export { useLinkStatus, LinkStatusContext } from './use-link-status';
 export type { LinkStatus } from './use-link-status';

package/src/client/link.tsx

@@ -23,11 +23,11 @@ import {
   useEffect,
   useRef,
   type AnchorHTMLAttributes,
-  type JSX,
   type ReactNode,
   type MouseEvent as ReactMouseEvent,
 } from 'react';
 import type { SearchParamsDefinition } from '../search-params/define.js';
+import type { LinkFunction } from './index.js';
 import { classifyUrlSegment, type UrlSegment } from '../routing/segment-classify.js';
 import { LinkStatusContext } from './use-link-status.js';
 import { getRouterOrNull } from './router-ref.js';
@@ -68,8 +68,12 @@ export type OnNavigateHandler = (e: OnNavigateEvent) => void;
 
 /**
  * Base props shared by all Link variants.
+ *
+ * Exported so the public `LinkFunction` interface (declared in
+ * `./index.ts`, where module augmentation can merge into it) can
+ * compose this without duplication.
  */
-interface LinkBaseProps extends Omit<AnchorHTMLAttributes<HTMLAnchorElement>, 'href'> {
+export interface LinkBaseProps extends Omit<AnchorHTMLAttributes<HTMLAnchorElement>, 'href'> {
   /** Prefetch the RSC payload on hover */
   prefetch?: boolean;
   /**
@@ -114,69 +118,15 @@ export type LinkSegmentParams<T> = {
 };
 
 // ─── External Href Types ─────────────────────────────────────────
-
-/**
- * Href types accepted by the catch-all (non-route) call signature.
- *
- * - External protocols: https://, http://, mailto:, tel:, ftp://
- * - Hash-only and query-only links: #section, ?param=value
- * - Computed `string` variables (non-literal)
- *
- * Internal path literals like "/typo-route" do NOT match — they must
- * be a known route (from codegen) or stored in a `string` variable.
- * This catches wrong hrefs at the type level. See TIM-624.
- */
-type ExternalHref =
-  | `http://${string}`
-  | `https://${string}`
-  | `mailto:${string}`
-  | `tel:${string}`
-  | `ftp://${string}`
-  | `//${string}`
-  | `#${string}`
-  | `?${string}`;
-
-/**
- * Callable interface for the Link component.
- *
- * Two kinds of call signatures:
- * 1. Per-route (added by codegen via interface merging): DIRECT types
- *    for segmentParams — preserves TypeScript excess property checking.
- * 2. Catch-all (below): accepts external hrefs and computed `string`
- *    variables. Does NOT accept internal path literals — those must
- *    match a known route from the codegen.
- *
- * See TIM-624.
- */
-export interface LinkFunction {
-  // External links (literal protocol hrefs)
-  (
-    props: LinkBaseProps & {
-      href: ExternalHref;
-      segmentParams?: never;
-      searchParams?: {
-        definition: SearchParamsDefinition<Record<string, unknown>>;
-        values: Record<string, unknown>;
-      };
-    }
-  ): JSX.Element;
-  // Computed/variable href (non-literal string) — e.g. href={myVar}
-  // `string extends H` is true only when H is the wide `string` type,
-  // not a specific literal. Template literal hrefs like `/blog/${slug}`
-  // are handled by resolved-pattern signatures in the codegen.
-  <H extends string>(
-    props: string extends H
-      ? LinkBaseProps & {
-          href: H;
-          segmentParams?: Record<string, string | number | string[]>;
-          searchParams?: {
-            definition: SearchParamsDefinition<Record<string, unknown>>;
-            values: Record<string, unknown>;
-          };
-        }
-      : never
-  ): JSX.Element;
-}
+//
+// `ExternalHref` and the public `LinkFunction` interface live in
+// `./index.ts` rather than this file. They MUST be originally declared
+// in the same module that the codegen augments (`@timber-js/app/client`)
+// so that codegen-generated per-route call signatures merge with the
+// same interface that types the `Link` constant. Re-exporting an
+// interface via `export type {}` does NOT participate in module
+// augmentation merging — only originally-declared interfaces do.
+// See TIM-624.
 
 /**
  * Runtime-only loose props used internally by the Link implementation.

package/src/config-types.ts

@@ -54,6 +54,45 @@ export interface TimberUserConfig {
     uploadBodySize?: string;
     maxFields?: number;
   };
+  /**
+   * Server-action form handling.
+   *
+   * See design/08-forms-and-actions.md §"Validation errors" and
+   * design/13-security.md §"Sensitive field stripping".
+   */
+  forms?: {
+    /**
+     * Strip sensitive fields (passwords, tokens, CVV, SSN, etc.) from the
+     * `submittedValues` echoed back on validation failure.
+     *
+     * Applied to both the with-JS (`createActionClient`) and no-JS (form POST
+     * re-render) paths. Safe-by-default: the built-in deny-list is active
+     * unless you explicitly opt out.
+     *
+     * - `true` / omitted — use the built-in deny-list (default, recommended).
+     * - `false` — do not strip anything. Dev convenience only; never do this
+     *   in production — plaintext passwords end up in `defaultValue` attributes,
+     *   browser history, proxy logs, and the back-forward cache.
+     * - `string[]` — additional field names to strip, merged with the built-in list.
+     *
+     * The built-in list matches (case-insensitive, substring match on
+     * normalized names) the following patterns: password / passwd / pwd,
+     * secret, apiKey, accessToken, refreshToken, cvv, cvc, cardNumber,
+     * cardCvc, ssn, socialSecurityNumber, otp, totp, mfaCode, twoFactorCode,
+     * privateKey — plus exact match on `token` (exact-only to avoid
+     * false positives on `csrfToken`).
+     *
+     * **Function predicates are not supported at the global level** because
+     * `timber.config.ts` is JSON-serialized into the runtime config and
+     * functions cannot cross that boundary. For custom predicates, use
+     * the per-action override: `createActionClient({ stripSensitiveFields:
+     * (name) => ... })` (functions are supported at the per-action level
+     * since `createActionClient` runs in the same module graph as user code).
+     *
+     * See TIM-816.
+     */
+    stripSensitiveFields?: boolean | readonly string[];
+  };
   pageExtensions?: string[];
   /**
    * Slow request threshold in milliseconds. Requests exceeding this emit

package/src/config-validation.ts

@@ -8,6 +8,7 @@
  * Design doc: 18-build-system.md
  */
 
+import { createRequire } from 'node:module';
 import type { TimberUserConfig } from './config-types.js';
 
 // ─── Types ──────────────────────────────────────────────────────────────────
@@ -262,11 +263,14 @@ const REQUIRED_PEERS = ['react', 'react-dom', '@vitejs/plugin-react', '@vitejs/p
 export function checkPeerDependencies(projectRoot: string): PeerDepResult[] {
   const results: PeerDepResult[] = [];
 
+  // Use createRequire from the project root to resolve as the user would.
+  // `createRequire` MUST be a top-level ESM import — inline `require('node:module')`
+  // throws "Dynamic require not supported" in ESM and the catch below would
+  // mark every peer as missing. Same class of bug as TIM-796.
+  const userRequire = createRequire(`${projectRoot}/package.json`);
+
   for (const name of REQUIRED_PEERS) {
     try {
-      // Use createRequire from the project root to resolve as the user would
-      const { createRequire } = require('node:module');
-      const userRequire = createRequire(`${projectRoot}/package.json`);
       userRequire.resolve(name);
       results.push({ name, status: 'ok' });
     } catch {

package/src/fonts/bundle.ts

@@ -0,0 +1,142 @@
+/**
+ * Build-output emission for the timber-fonts plugin.
+ *
+ * Splits the `generateBundle` hook into pure helpers so the plugin shell
+ * can stay focused on Vite wiring. The functions here are deliberately
+ * Rollup-agnostic — they take an `EmitFile` callback so the plugin can
+ * pass `this.emitFile` from the `generateBundle` context.
+ *
+ * Design doc: 24-fonts.md
+ */
+
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve, normalize } from 'node:path';
+import type { ManifestFontEntry, BuildManifest } from '../server/build-manifest.js';
+
+/**
+ * Minimal shape of the asset descriptor accepted by Rollup's `emitFile`.
+ * Declared inline rather than importing from `rollup` to keep `bundle.ts`
+ * Rollup-agnostic and avoid pulling the type into the build graph.
+ */
+interface EmittedAsset {
+  type: 'asset';
+  fileName: string;
+  source: string | Uint8Array;
+}
+import type { FontPipeline } from './pipeline.js';
+import type { CachedFont } from './google.js';
+import { inferFontFormat } from './local.js';
+
+type EmitFile = (asset: EmittedAsset) => string;
+type EmitWarning = (msg: string) => void;
+
+/** Group cached Google Font binaries by lowercase family name. */
+export function groupCachedFontsByFamily(
+  cachedFonts: readonly CachedFont[]
+): Map<string, CachedFont[]> {
+  const cachedByFamily = new Map<string, CachedFont[]>();
+  for (const cf of cachedFonts) {
+    const key = cf.face.family.toLowerCase();
+    const arr = cachedByFamily.get(key) ?? [];
+    arr.push(cf);
+    cachedByFamily.set(key, arr);
+  }
+  return cachedByFamily;
+}
+
+/**
+ * Emit cached Google Font binaries and local font files into the build
+ * output under `_timber/fonts/`. Local files missing on disk produce a
+ * warning rather than an error so the build still succeeds.
+ *
+ * Cached Google Font binaries are deduplicated by `hashedFilename` so
+ * each unique file is written exactly once even when multiple font
+ * entries share a family (and therefore share `CachedFont` references).
+ */
+export function emitFontAssets(
+  pipeline: FontPipeline,
+  emitFile: EmitFile,
+  warn: EmitWarning
+): void {
+  // Cached Google Font binaries (content-hashed, deduped by filename)
+  for (const cf of pipeline.uniqueCachedFiles()) {
+    emitFile({
+      type: 'asset',
+      fileName: `_timber/fonts/${cf.hashedFilename}`,
+      source: cf.data,
+    });
+  }
+
+  // Local font files (emitted by basename)
+  for (const font of pipeline.fonts()) {
+    if (font.provider !== 'local' || !font.localSources) continue;
+    for (const src of font.localSources) {
+      const absolutePath = normalize(resolve(src.path));
+      if (!existsSync(absolutePath)) {
+        warn(`Local font file not found: ${absolutePath}`);
+        continue;
+      }
+      const basename = src.path.split('/').pop() ?? src.path;
+      const data = readFileSync(absolutePath);
+      emitFile({
+        type: 'asset',
+        fileName: `_timber/fonts/${basename}`,
+        source: data,
+      });
+    }
+  }
+}
+
+/**
+ * Populate `buildManifest.fonts` with `ManifestFontEntry[]` keyed by the
+ * importer module path (relative to the project root, matching how Vite's
+ * `manifest.json` keys css/js).
+ *
+ * Google fonts use the content-hashed filenames produced during
+ * `buildStart`. Local fonts use the source basename.
+ */
+export function writeFontManifest(
+  pipeline: FontPipeline,
+  buildManifest: BuildManifest,
+  rootDir: string
+): void {
+  const fontsByImporter = new Map<string, ManifestFontEntry[]>();
+
+  for (const entry of pipeline.entries()) {
+    const manifestEntries = fontsByImporter.get(entry.importer) ?? [];
+
+    if (entry.provider === 'local' && entry.localSources) {
+      for (const src of entry.localSources) {
+        const filename = src.path.split('/').pop() ?? src.path;
+        const format = inferFontFormat(src.path);
+        manifestEntries.push({
+          href: `/_timber/fonts/${filename}`,
+          format,
+          crossOrigin: 'anonymous',
+        });
+      }
+    } else if (entry.cachedFiles) {
+      // Google fonts: use the per-entry cached files attached during
+      // buildStart. Each entry owns its own cached binaries (TIM-829),
+      // so we no longer need a family-grouped lookup.
+      for (const cf of entry.cachedFiles) {
+        manifestEntries.push({
+          href: `/_timber/fonts/${cf.hashedFilename}`,
+          format: 'woff2',
+          crossOrigin: 'anonymous',
+        });
+      }
+    }
+
+    fontsByImporter.set(entry.importer, manifestEntries);
+  }
+
+  // Normalize importer paths to be relative to project root (matching how
+  // Vite's manifest.json keys work for css/js).
+  for (const [importer, entries] of fontsByImporter) {
+    const relativePath = importer.startsWith(rootDir)
+      ? importer.slice(rootDir.length + 1)
+      : importer;
+    buildManifest.fonts[relativePath] = entries;
+  }
+}

package/src/fonts/dev-middleware.ts

@@ -0,0 +1,74 @@
+/**
+ * Dev-mode middleware that serves local font binaries under
+ * `/_timber/fonts/<basename>`.
+ *
+ * Only files registered in the FontPipeline are served, and only by
+ * basename — directory traversal and path separators in the requested
+ * filename are rejected up front. Font CSS is no longer served here; it
+ * goes through Vite's CSS pipeline via virtual modules.
+ *
+ * Design doc: 24-fonts.md
+ */
+
+import type { ViteDevServer } from 'vite';
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve, normalize } from 'node:path';
+import type { FontPipeline } from './pipeline.js';
+
+const FONT_MIME_TYPES: Record<string, string> = {
+  woff2: 'font/woff2',
+  woff: 'font/woff',
+  ttf: 'font/ttf',
+  otf: 'font/otf',
+  eot: 'application/vnd.ms-fontopen',
+};
+
+/**
+ * Wire the timber-fonts dev middleware onto a Vite dev server.
+ *
+ * Returns synchronously after registering the middleware. The pipeline is
+ * captured by reference so that fonts registered after `configureServer`
+ * runs (during transform) are still resolvable.
+ */
+export function installFontDevMiddleware(server: ViteDevServer, pipeline: FontPipeline): void {
+  server.middlewares.use((req, res, next) => {
+    const url = req.url;
+    if (!url || !url.startsWith('/_timber/fonts/')) return next();
+
+    const requestedFilename = url.slice('/_timber/fonts/'.length);
+    // Reject path traversal attempts and any subdirectory access. We only
+    // serve flat basenames out of the registry.
+    if (requestedFilename.includes('..') || requestedFilename.includes('/')) {
+      res.statusCode = 400;
+      res.end('Bad request');
+      return;
+    }
+
+    // Find the matching font file in the registry. We iterate every local
+    // font's source list and match by basename. The set is small (one per
+    // localFont() call) so this is cheap.
+    for (const font of pipeline.fonts()) {
+      if (font.provider !== 'local' || !font.localSources) continue;
+      for (const src of font.localSources) {
+        const basename = src.path.split('/').pop() ?? '';
+        if (basename !== requestedFilename) continue;
+
+        const absolutePath = normalize(resolve(src.path));
+        if (!existsSync(absolutePath)) {
+          res.statusCode = 404;
+          res.end('Not found');
+          return;
+        }
+        const data = readFileSync(absolutePath);
+        const ext = absolutePath.split('.').pop()?.toLowerCase();
+        res.setHeader('Content-Type', FONT_MIME_TYPES[ext ?? ''] ?? 'application/octet-stream');
+        res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+        res.setHeader('Access-Control-Allow-Origin', '*');
+        res.end(data);
+        return;
+      }
+    }
+
+    next();
+  });
+}