@timber-js/app 0.2.0-alpha.98 → 0.2.0-alpha.99

package/dist/server/cookie-parsing.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Cookie parsing and serialization helpers — pure string ↔ structure
+ * functions with no ALS dependency. Split out of `cookie-context.ts`
+ * (TIM-853) so the API surface and the wire-format codecs can each be
+ * read on their own.
+ *
+ * The functions in this module are total over arbitrary input. They
+ * never throw and never call `assertValid*` (the security validators
+ * live in the API surface — `cookie-context.ts` invokes them at every
+ * jar entry point so the smuggling-primitive invariant from TIM-868
+ * is enforced regardless of which path produced the bytes).
+ */
+import type { CookieEntry } from './als-registry.js';
+import type { CookieOptions } from './cookie-context.js';
+/**
+ * Parse a Cookie header string into a Map of name → value pairs.
+ * Follows RFC 6265 §4.2.1: cookies are semicolon-separated key=value pairs.
+ *
+ * Values are auto-decoded with `decodeURIComponent` so they round-trip
+ * losslessly with `getCookies().set()` (which auto-encodes). Malformed
+ * `%`-escapes from third-party cookies fall back to the raw byte sequence
+ * — the parser must be total over arbitrary inbound headers, including
+ * non-conforming values from other servers, browser extensions, etc.
+ */
+export declare function parseCookieHeader(header: string): Map<string, string>;
+/**
+ * Decode a single cookie value with `decodeURIComponent`, falling back to
+ * the raw byte sequence if the input contains a malformed `%`-escape.
+ *
+ * Used by both `parseCookieHeader` (incoming Cookie: header) and the
+ * `setRaw` forwarding path (outgoing Set-Cookie from upstream services).
+ * Total — never throws.
+ */
+export declare function safeDecodeCookieValue(raw: string): string;
+/** Serialize a CookieEntry into a Set-Cookie header value. */
+export declare function serializeCookieEntry(entry: CookieEntry): string;
+/**
+ * Parse a raw `Set-Cookie` header string into name, value, and options.
+ * Handles all standard attributes: Path, Domain, Max-Age, Expires,
+ * SameSite, Secure, HttpOnly, Partitioned.
+ *
+ * Does NOT apply DEFAULT_COOKIE_OPTIONS — the caller decides whether
+ * to merge defaults (e.g. `set()` does, but `setRaw()` should preserve
+ * the original header's intent).
+ */
+export declare function parseSetCookie(header: string): {
+    name: string;
+    value: string;
+    options: CookieOptions;
+} | null;
+//# sourceMappingURL=cookie-parsing.d.ts.map

package/dist/server/cookie-parsing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-parsing.d.ts","sourceRoot":"","sources":["../../src/server/cookie-parsing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEzD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAerE;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAMzD;AAED,8DAA8D;AAC9D,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAgB/D;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,GACb;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,aAAa,CAAA;CAAE,GAAG,IAAI,CA6ChE"}

package/dist/server/deny-boundary.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Deny boundary subsystem — the in-tree DenySignal flow.
+ *
+ * Three things live together here because they form a single flow:
+ *
+ * 1. **Chain construction** (`buildDenyPageChain`) — walks the matched
+ *    segment chain at element-tree build time and produces a list of
+ *    `DenyPageEntry` records ordered by specificity (specific status →
+ *    category catch-all → `error.tsx`).
+ *
+ * 2. **Runtime matching** (`renderMatchingDenyPage`) — picks the first
+ *    chain entry whose status filter matches the thrown DenySignal and
+ *    returns a React element for the matching component. Used by
+ *    `AccessGate` and `PageDenyBoundary` when they catch a deny.
+ *
+ * 3. **The page boundary itself** (`PageDenyBoundary`) — the async server
+ *    component that wraps a server-component page, calls it, and catches
+ *    `DenySignal` so the deny page renders in-tree (no throw reaches
+ *    React Flight, single render pass).
+ *
+ * Plus the ALS helpers (`setDenyStatus` / `getDenyStatus`) the boundary
+ * uses to thread the matched status code back to the pipeline so the
+ * HTTP status reflects the deny.
+ *
+ * Folded into one module from the former `deny-page-resolver.ts` and
+ * `page-deny-boundary.tsx` (TIM-853) — the names were misleading and the
+ * three pieces only made sense together.
+ *
+ * See design/04-authorization.md, design/10-error-handling.md, TIM-666.
+ */
+import type { ManifestSegmentNode } from './route-matcher.js';
+/** A single entry in the deny page fallback chain. */
+export interface DenyPageEntry {
+    /** Status code filter: specific (403), category (400 = any 4xx), or null (catch-all). */
+    status: number | null;
+    /** The component to render (server or client — both work). */
+    component: (...args: unknown[]) => unknown;
+}
+/**
+ * Build the deny page fallback chain from the segment chain.
+ *
+ * Walks segments from `startIndex` outward (toward root) and collects
+ * status-code file components in fallback order:
+ * 1. Specific status files (403.tsx, 404.tsx) — exact match
+ * 2. Category catch-alls (4xx.tsx) — matches any 4xx
+ * 3. error.tsx — catches everything
+ *
+ * Each segment is checked in this order. The chain is ordered so the
+ * FIRST match wins at catch time.
+ */
+export declare function buildDenyPageChain(segments: ManifestSegmentNode[], startIndex: number): Promise<DenyPageEntry[]>;
+/**
+ * Find the first deny page in the chain that matches the given status code.
+ * Returns a React element for the matching component, or null if no match.
+ */
+export declare function renderMatchingDenyPage(chain: DenyPageEntry[], status: number, data: unknown): React.ReactElement | null;
+/**
+ * Async server component that wraps a page call with DenySignal catching.
+ *
+ * Calls the page component as an async function (the same thing React
+ * Flight does internally), awaits it, and catches DenySignal. On catch,
+ * renders the matching deny page in-tree. On success, returns the page's
+ * rendered output normally.
+ *
+ * Client component pages ('use client') are NOT wrapped — they can't call
+ * deny() (server-only API) and must go through createElement normally.
+ *
+ * No error reaches React Flight — the Flight stream is clean, SSR succeeds,
+ * and the entire request uses a single renderToReadableStream call.
+ */
+export declare function PageDenyBoundary({ Page, route, denyPages, }: {
+    /** The page server component function. */
+    Page: (...args: unknown[]) => unknown;
+    /** Route path for OTEL tracing. */
+    route: string;
+    /** Deny page fallback chain from the segment chain. */
+    denyPages: DenyPageEntry[];
+}): Promise<React.ReactElement>;
+/**
+ * Set the deny status in the request context ALS.
+ * Called from AccessGate / PageDenyBoundary when a DenySignal is caught.
+ * The pipeline reads this after render to set the HTTP status code.
+ */
+export declare function setDenyStatus(status: number): void;
+/**
+ * Read the deny status from the request context ALS.
+ * Returns undefined if no deny was caught during render.
+ */
+export declare function getDenyStatus(): number | undefined;
+//# sourceMappingURL=deny-boundary.d.ts.map

package/dist/server/deny-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deny-boundary.d.ts","sourceRoot":"","sources":["../../src/server/deny-boundary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAQH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI9D,sDAAsD;AACtD,MAAM,WAAW,aAAa;IAC5B,yFAAyF;IACzF,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,8DAA8D;IAC9D,SAAS,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;CAC5C;AAID;;;;;;;;;;;GAWG;AACH,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,EAAE,CAAC,CAqD1B;AAID;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,aAAa,EAAE,EACtB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,OAAO,GACZ,KAAK,CAAC,YAAY,GAAG,IAAI,CAkB3B;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CAAC,EACrC,IAAI,EACJ,KAAK,EACL,SAAS,GACV,EAAE;IACD,0CAA0C;IAC1C,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;IACtC,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,uDAAuD;IACvD,SAAS,EAAE,aAAa,EAAE,CAAC;CAC5B,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAiB9B;AAID;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAKlD;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,GAAG,SAAS,CAElD"}

package/dist/server/deny-renderer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deny-renderer.d.ts","sourceRoot":"","sources":["../../src/server/deny-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAM7C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAOjE,qDAAqD;AACrD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;IAC3C,OAAO,EAAE,mBAAmB,CAAC;CAC9B;AAED,iEAAiE;AACjE,MAAM,MAAM,mBAAmB,GAAG,MAAM;IACtC,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,cAAc,CAAC;CAC1B,CAAC;AAEF,6DAA6D;AAC7D,MAAM,MAAM,SAAS,GAAG,CACtB,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,EACrC,UAAU,EAAE,UAAU,KACnB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAUvB;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,EACtC,sBAAsB,EAAE,mBAAmB,EAC3C,OAAO,EAAE,SAAS,GACjB,OAAO,CAAC,QAAQ,CAAC,CAiGnB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,eAAe,EAAE,OAAO,EACxB,sBAAsB,EAAE,mBAAmB,GAC1C,OAAO,CAAC,QAAQ,CAAC,CA2CnB"}
+{"version":3,"file":"deny-renderer.d.ts","sourceRoot":"","sources":["../../src/server/deny-renderer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAO7C,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAEjD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAOjE,qDAAqD;AACrD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC;IAC3C,OAAO,EAAE,mBAAmB,CAAC;CAC9B;AAED,iEAAiE;AACjE,MAAM,MAAM,mBAAmB,GAAG,MAAM;IACtC,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,cAAc,CAAC;CAC1B,CAAC;AAEF,6DAA6D;AAC7D,MAAM,MAAM,SAAS,GAAG,CACtB,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,EACrC,UAAU,EAAE,UAAU,KACnB,OAAO,CAAC,QAAQ,CAAC,CAAC;AAUvB;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,GAAG,EAAE,OAAO,EACZ,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,OAAO,EACxB,eAAe,EAAE,qBAAqB,EACtC,sBAAsB,EAAE,mBAAmB,EAC3C,OAAO,EAAE,SAAS,GACjB,OAAO,CAAC,QAAQ,CAAC,CAiGnB;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,mBAAmB,EAAE,EAC/B,gBAAgB,EAAE,WAAW,EAAE,EAC/B,eAAe,EAAE,OAAO,EACxB,sBAAsB,EAAE,mBAAmB,GAC1C,OAAO,CAAC,QAAQ,CAAC,CA2CnB"}

package/dist/server/early-hints-sender.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"early-hints-sender.d.ts","sourceRoot":"","sources":["../../src/server/early-hints-sender.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,4EAA4E;AAC5E,MAAM,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,CAAC;AAE3D;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAErF;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CASvD"}
+{"version":3,"file":"early-hints-sender.d.ts","sourceRoot":"","sources":["../../src/server/early-hints-sender.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAKH,4EAA4E;AAC5E,MAAM,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,CAAC;AAE3D;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,CAAC,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAErF;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CASvD"}

package/dist/server/index.d.ts

@@ -1,14 +1,15 @@
 export type { AccessContext } from './types';
 export type { MiddlewareContext } from './types';
 export type { RouteContext } from './types';
-export type { Metadata, MetadataRoute } from './types';
-export { getHeaders, getHeader, getCookies, getCookie, getSearchParams, getSegmentParams, } from './request-context';
-export type { ReadonlyHeaders, RequestCookies, CookieOptions } from './request-context';
+export type { Metadata, MetadataRoute, MetadataHandler, MetadataResult } from './types';
+export { getHeaders, getSegmentParams } from './request-context';
+export type { ReadonlyHeaders } from './request-context';
+export { getCookieJar } from './cookie-context';
+export type { RequestCookies, CookieOptions, SetCookieOptions } from './cookie-context';
 export { deny, redirect, redirectExternal, RedirectType, waitUntil, type DenyOptions, type RedirectOptions, } from './primitives';
 export type { RenderErrorDigest, WaitUntilAdapter } from './primitives';
 export { createActionClient, ActionError, validated } from './action-client';
 export type { ActionResult, ActionFn, ActionBuilder, ActionBuilderWithSchema, ActionContext, ActionMiddleware, ActionSchema, ValidationErrors, } from './action-client';
-export { parseFormData, coerce } from './form-data';
 export { getFormFlash } from './form-flash';
 export type { FormFlashData } from './form-flash';
 export { revalidatePath, revalidateTag } from './actions';

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAMA,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7C,YAAY,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AACjD,YAAY,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,YAAY,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAKvD,OAAO,EACL,UAAU,EACV,SAAS,EACT,UAAU,EACV,SAAS,EACT,eAAe,EACf,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGxF,OAAO,EACL,IAAI,EACJ,QAAQ,EACR,gBAAgB,EAChB,YAAY,EACZ,SAAS,EACT,KAAK,WAAW,EAChB,KAAK,eAAe,GACrB,MAAM,cAAc,CAAC;AAItB,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAKxE,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC7E,YAAY,EACV,YAAY,EACZ,QAAQ,EACR,aAAa,EACb,uBAAuB,EACvB,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAGpD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAI1D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAI1E,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAMA,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7C,YAAY,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AACjD,YAAY,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,YAAY,EAAE,QAAQ,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAKxF,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACjE,YAAY,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAIzD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAChD,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAGxF,OAAO,EACL,IAAI,EACJ,QAAQ,EACR,gBAAgB,EAChB,YAAY,EACZ,SAAS,EACT,KAAK,WAAW,EAChB,KAAK,eAAe,GACrB,MAAM,cAAc,CAAC;AAItB,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAKxE,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC7E,YAAY,EACV,YAAY,EACZ,QAAQ,EACR,aAAa,EACb,uBAAuB,EACvB,aAAa,EACb,gBAAgB,EAChB,YAAY,EACZ,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,YAAY,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAI1D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAI1E,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/server/index.js

@@ -1,151 +1,6 @@
-import { n as isDevMode, t as isDebug } from "../_chunks/debug-ECi_61pb.js";
-import { t as formatSize } from "../_chunks/format-CYBGxKtc.js";
-import { n as formFlashAls } from "../_chunks/als-registry-HS0LGUl2.js";
-import { a as getHeaders, c as getSegmentParams, i as getHeader, n as getCookie, r as getCookies, s as getSearchParams } from "../_chunks/request-context-CK5tZqIP.js";
-import { a as revalidateTag, c as RedirectType, d as redirect, f as redirectExternal, i as revalidatePath, o as DenySignal, p as waitUntil, s as RedirectSignal, u as deny } from "../_chunks/actions-DLnUaR65.js";
-import { a as getSpanId, d as withSpan, o as getTraceId, t as addSpanEvent } from "../_chunks/tracing-CCYbKn5n.js";
-//#region src/server/form-data.ts
-/**
-* FormData preprocessing — schema-agnostic conversion of FormData to typed objects.
-*
-* FormData is all strings. Schema validation expects typed values. This module
-* bridges the gap with intelligent coercion that runs *before* schema validation.
-*
-* Inspired by zod-form-data, but schema-agnostic — works with any Standard Schema
-* library (Zod, Valibot, ArkType).
-*
-* See design/08-forms-and-actions.md §"parseFormData() and coerce helpers"
-*/
-/**
-* Convert FormData into a plain object with intelligent coercion.
-*
-* Handles:
-* - **Duplicate keys → arrays**: `tags=js&tags=ts` → `{ tags: ["js", "ts"] }`
-* - **Nested dot-paths**: `user.name=Alice` → `{ user: { name: "Alice" } }`
-* - **Empty strings → undefined**: Enables `.optional()` semantics in schemas
-* - **Empty Files → undefined**: File inputs with no selection become `undefined`
-* - **Strips `$ACTION_*` fields**: React's internal hidden fields are excluded
-*/
-function parseFormData(formData) {
-	const flat = {};
-	for (const key of new Set(formData.keys())) {
-		if (key.startsWith("$ACTION_")) continue;
-		const processed = formData.getAll(key).map(normalizeValue);
-		if (processed.length === 1) flat[key] = processed[0];
-		else flat[key] = processed.filter((v) => v !== void 0);
-	}
-	return expandDotPaths(flat);
-}
-/**
-* Normalize a single FormData entry value.
-* - Empty strings → undefined (enables .optional() semantics)
-* - Empty File objects (no selection) → undefined
-* - Everything else passes through as-is
-*/
-function normalizeValue(value) {
-	if (typeof value === "string") return value === "" ? void 0 : value;
-	if (value instanceof File && value.size === 0 && value.name === "") return;
-	return value;
-}
-/**
-* Expand dot-notation keys into nested objects.
-* `{ "user.name": "Alice", "user.age": "30" }` → `{ user: { name: "Alice", age: "30" } }`
-*
-* Keys without dots are left as-is. Bracket notation (e.g. `items[0]`) is NOT
-* supported — use dot notation (`items.0`) instead.
-*/
-function expandDotPaths(flat) {
-	const result = {};
-	let hasDotPaths = false;
-	for (const key of Object.keys(flat)) if (key.includes(".")) {
-		hasDotPaths = true;
-		break;
-	}
-	if (!hasDotPaths) return flat;
-	for (const [key, value] of Object.entries(flat)) {
-		if (!key.includes(".")) {
-			result[key] = value;
-			continue;
-		}
-		const parts = key.split(".");
-		let current = result;
-		for (let i = 0; i < parts.length - 1; i++) {
-			const part = parts[i];
-			if (current[part] === void 0 || current[part] === null) current[part] = {};
-			if (typeof current[part] !== "object" || current[part] instanceof File) current[part] = {};
-			current = current[part];
-		}
-		current[parts[parts.length - 1]] = value;
-	}
-	return result;
-}
-/**
-* Schema-agnostic coercion primitives for common FormData patterns.
-*
-* These are plain transform functions — they compose with any schema library's
-* `transform`/`preprocess` pipeline:
-*
-* ```ts
-* // Zod
-* z.preprocess(coerce.number, z.number())
-* // Valibot
-* v.pipe(v.unknown(), v.transform(coerce.number), v.number())
-* ```
-*/
-var coerce = {
-	number(value) {
-		if (value === void 0 || value === null || value === "") return void 0;
-		if (typeof value === "number") return value;
-		if (typeof value !== "string") return void 0;
-		const num = Number(value);
-		if (Number.isNaN(num)) return void 0;
-		return num;
-	},
-	checkbox(value) {
-		if (value === void 0 || value === null || value === "") return false;
-		if (typeof value === "boolean") return value;
-		return typeof value === "string" && value.length > 0;
-	},
-	json(value) {
-		if (value === void 0 || value === null || value === "") return void 0;
-		if (typeof value !== "string") return value;
-		try {
-			return JSON.parse(value);
-		} catch {
-			return;
-		}
-	},
-	date(value) {
-		if (value === void 0 || value === null || value === "") return void 0;
-		if (value instanceof Date) return value;
-		if (typeof value !== "string") return void 0;
-		const date = new Date(value);
-		if (Number.isNaN(date.getTime())) return void 0;
-		const ymdMatch = value.match(/^(\d{4})-(\d{2})-(\d{2})/);
-		if (ymdMatch) {
-			const inputYear = Number(ymdMatch[1]);
-			const inputMonth = Number(ymdMatch[2]);
-			const inputDay = Number(ymdMatch[3]);
-			const isUTC = value.length === 10 || value.endsWith("Z");
-			const parsedYear = isUTC ? date.getUTCFullYear() : date.getFullYear();
-			const parsedMonth = isUTC ? date.getUTCMonth() + 1 : date.getMonth() + 1;
-			const parsedDay = isUTC ? date.getUTCDate() : date.getDate();
-			if (inputYear !== parsedYear || inputMonth !== parsedMonth || inputDay !== parsedDay) return;
-		}
-		return date;
-	},
-	file(options) {
-		return (value) => {
-			if (value === void 0 || value === null || value === "") return void 0;
-			if (!(value instanceof File)) return void 0;
-			if (value.size === 0 && value.name === "") return void 0;
-			if (options?.maxSize !== void 0 && value.size > options.maxSize) return;
-			if (options?.accept !== void 0 && !options.accept.includes(value.type)) return;
-			return value;
-		};
-	}
-};
-//#endregion
+import { a as getSpanId, d as withSpan, o as getTraceId, p as formFlashAls, t as addSpanEvent, v as isDebug, y as isDevMode } from "../_chunks/tracing-C8V-YGsP.js";
+import { t as formatSize } from "../_chunks/format-Bcn-Iv1x.js";
+import { E as getCookieJar, a as revalidateTag, b as getSegmentParams, c as DenySignal, f as deny, h as waitUntil, i as revalidatePath, l as RedirectSignal, m as redirectExternal, p as redirect, s as parseFormData, u as RedirectType, v as getHeaders } from "../_chunks/actions-CQ8Z8VGL.js";
 //#region src/server/sensitive-fields.ts
 /**
 * Sensitive field stripping — removes password/token/CVV-style fields
@@ -590,6 +445,6 @@ function getFormFlash() {
 	return formFlashAls.getStore() ?? null;
 }
 //#endregion
-export { ActionError, RedirectType, addSpanEvent, coerce, createActionClient, deny, getCookie, getCookies, getFormFlash, getHeader, getHeaders, getSearchParams, getSegmentParams, getSpanId, getTraceId, parseFormData, redirect, redirectExternal, revalidatePath, revalidateTag, validated, waitUntil, withSpan };
+export { ActionError, RedirectType, addSpanEvent, createActionClient, deny, getCookieJar, getFormFlash, getHeaders, getSegmentParams, getSpanId, getTraceId, redirect, redirectExternal, revalidatePath, revalidateTag, validated, waitUntil, withSpan };
 
 //# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/server/form-data.ts","../../src/server/sensitive-fields.ts","../../src/server/action-client.ts","../../src/server/form-flash.ts"],"sourcesContent":["/**\n * FormData preprocessing — schema-agnostic conversion of FormData to typed objects.\n *\n * FormData is all strings. Schema validation expects typed values. This module\n * bridges the gap with intelligent coercion that runs *before* schema validation.\n *\n * Inspired by zod-form-data, but schema-agnostic — works with any Standard Schema\n * library (Zod, Valibot, ArkType).\n *\n * See design/08-forms-and-actions.md §\"parseFormData() and coerce helpers\"\n */\n\n// ─── parseFormData ───────────────────────────────────────────────────────\n\n/**\n * Convert FormData into a plain object with intelligent coercion.\n *\n * Handles:\n * - **Duplicate keys → arrays**: `tags=js&tags=ts` → `{ tags: [\"js\", \"ts\"] }`\n * - **Nested dot-paths**: `user.name=Alice` → `{ user: { name: \"Alice\" } }`\n * - **Empty strings → undefined**: Enables `.optional()` semantics in schemas\n * - **Empty Files → undefined**: File inputs with no selection become `undefined`\n * - **Strips `$ACTION_*` fields**: React's internal hidden fields are excluded\n */\nexport function parseFormData(formData: FormData): Record<string, unknown> {\n  const flat: Record<string, unknown> = {};\n\n  for (const key of new Set(formData.keys())) {\n    // Skip React internal fields\n    if (key.startsWith('$ACTION_')) continue;\n\n    const values = formData.getAll(key);\n    const processed = values.map(normalizeValue);\n\n    if (processed.length === 1) {\n      flat[key] = processed[0];\n    } else {\n      // Filter out undefined entries from multi-value fields\n      flat[key] = processed.filter((v) => v !== undefined);\n    }\n  }\n\n  // Expand dot-notation paths into nested objects\n  return expandDotPaths(flat);\n}\n\n/**\n * Normalize a single FormData entry value.\n * - Empty strings → undefined (enables .optional() semantics)\n * - Empty File objects (no selection) → undefined\n * - Everything else passes through as-is\n */\nfunction normalizeValue(value: FormDataEntryValue): unknown {\n  if (typeof value === 'string') {\n    return value === '' ? undefined : value;\n  }\n\n  // File input with no selection: browsers submit a File with name=\"\" and size=0\n  if (value instanceof File && value.size === 0 && value.name === '') {\n    return undefined;\n  }\n\n  return value;\n}\n\n/**\n * Expand dot-notation keys into nested objects.\n * `{ \"user.name\": \"Alice\", \"user.age\": \"30\" }` → `{ user: { name: \"Alice\", age: \"30\" } }`\n *\n * Keys without dots are left as-is. Bracket notation (e.g. `items[0]`) is NOT\n * supported — use dot notation (`items.0`) instead.\n */\nfunction expandDotPaths(flat: Record<string, unknown>): Record<string, unknown> {\n  const result: Record<string, unknown> = {};\n  let hasDotPaths = false;\n\n  // First pass: check if any keys have dots\n  for (const key of Object.keys(flat)) {\n    if (key.includes('.')) {\n      hasDotPaths = true;\n      break;\n    }\n  }\n\n  // Fast path: no dot-notation keys, return as-is\n  if (!hasDotPaths) return flat;\n\n  for (const [key, value] of Object.entries(flat)) {\n    if (!key.includes('.')) {\n      result[key] = value;\n      continue;\n    }\n\n    const parts = key.split('.');\n    let current: Record<string, unknown> = result;\n\n    for (let i = 0; i < parts.length - 1; i++) {\n      const part = parts[i];\n      if (current[part] === undefined || current[part] === null) {\n        current[part] = {};\n      }\n      // If current[part] is not an object (e.g., a string from a non-dotted key),\n      // the dot-path takes precedence\n      if (typeof current[part] !== 'object' || current[part] instanceof File) {\n        current[part] = {};\n      }\n      current = current[part] as Record<string, unknown>;\n    }\n\n    current[parts[parts.length - 1]] = value;\n  }\n\n  return result;\n}\n\n// ─── Coercion Helpers ────────────────────────────────────────────────────\n\n/**\n * Schema-agnostic coercion primitives for common FormData patterns.\n *\n * These are plain transform functions — they compose with any schema library's\n * `transform`/`preprocess` pipeline:\n *\n * ```ts\n * // Zod\n * z.preprocess(coerce.number, z.number())\n * // Valibot\n * v.pipe(v.unknown(), v.transform(coerce.number), v.number())\n * ```\n */\nexport const coerce = {\n  /**\n   * Coerce a string to a number.\n   * - `\"42\"` → `42`\n   * - `\"3.14\"` → `3.14`\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Non-numeric strings → `undefined` (schema validation will catch this)\n   */\n  number(value: unknown): number | undefined {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (typeof value === 'number') return value;\n    if (typeof value !== 'string') return undefined;\n    const num = Number(value);\n    if (Number.isNaN(num)) return undefined;\n    return num;\n  },\n\n  /**\n   * Coerce a checkbox value to a boolean.\n   * HTML checkboxes submit \"on\" when checked and are absent when unchecked.\n   * - `\"on\"` / any truthy string → `true`\n   * - `undefined` / `null` / `\"\"` → `false`\n   */\n  checkbox(value: unknown): boolean {\n    if (value === undefined || value === null || value === '') return false;\n    if (typeof value === 'boolean') return value;\n    // Any non-empty string (typically \"on\") is true\n    return typeof value === 'string' && value.length > 0;\n  },\n\n  /**\n   * Parse a JSON string into an object.\n   * - Valid JSON string → parsed object\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Invalid JSON → `undefined` (schema validation will catch this)\n   */\n  json(value: unknown): unknown {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (typeof value !== 'string') return value;\n    try {\n      return JSON.parse(value);\n    } catch {\n      return undefined;\n    }\n  },\n\n  /**\n   * Coerce a date string to a Date object.\n   * Handles `<input type=\"date\">` (`\"2024-01-15\"`), `<input type=\"datetime-local\">`\n   * (`\"2024-01-15T10:30\"`), and full ISO 8601 strings.\n   * - Valid date string → `Date`\n   * - `\"\"` / `undefined` / `null` → `undefined`\n   * - Invalid date strings → `undefined` (schema validation will catch this)\n   * - Impossible dates that `new Date()` silently normalizes (e.g. Feb 31) → `undefined`\n   */\n  date(value: unknown): Date | undefined {\n    if (value === undefined || value === null || value === '') return undefined;\n    if (value instanceof Date) return value;\n    if (typeof value !== 'string') return undefined;\n    const date = new Date(value);\n    if (Number.isNaN(date.getTime())) return undefined;\n\n    // Overflow detection: extract Y/M/D from the input string and verify\n    // they match the parsed Date components. new Date('2024-02-31') silently\n    // normalizes to March 2nd — we reject such inputs.\n    const ymdMatch = value.match(/^(\\d{4})-(\\d{2})-(\\d{2})/);\n    if (ymdMatch) {\n      const inputYear = Number(ymdMatch[1]);\n      const inputMonth = Number(ymdMatch[2]);\n      const inputDay = Number(ymdMatch[3]);\n\n      // Use UTC methods for date-only and Z-suffixed strings to avoid\n      // timezone offset shifting the day. For datetime-local (no Z suffix),\n      // the Date constructor parses in local time, so use local methods.\n      const isUTC = value.length === 10 || value.endsWith('Z');\n      const parsedYear = isUTC ? date.getUTCFullYear() : date.getFullYear();\n      const parsedMonth = isUTC ? date.getUTCMonth() + 1 : date.getMonth() + 1;\n      const parsedDay = isUTC ? date.getUTCDate() : date.getDate();\n\n      if (inputYear !== parsedYear || inputMonth !== parsedMonth || inputDay !== parsedDay) {\n        return undefined;\n      }\n    }\n\n    return date;\n  },\n\n  /**\n   * Create a File coercion function with optional size and mime type validation.\n   * Returns the File if valid, `undefined` otherwise.\n   *\n   * ```ts\n   * // Basic — just checks it's a real File\n   * z.preprocess(coerce.file(), z.instanceof(File))\n   *\n   * // With constraints\n   * z.preprocess(\n   *   coerce.file({ maxSize: 5 * 1024 * 1024, accept: ['image/png', 'image/jpeg'] }),\n   *   z.instanceof(File)\n   * )\n   * ```\n   */\n  file(options?: { maxSize?: number; accept?: string[] }): (value: unknown) => File | undefined {\n    return (value: unknown): File | undefined => {\n      if (value === undefined || value === null || value === '') return undefined;\n      if (!(value instanceof File)) return undefined;\n\n      // Empty file input (no selection): browsers submit File with name=\"\" and size=0\n      if (value.size === 0 && value.name === '') return undefined;\n\n      if (options?.maxSize !== undefined && value.size > options.maxSize) {\n        return undefined;\n      }\n\n      if (options?.accept !== undefined && !options.accept.includes(value.type)) {\n        return undefined;\n      }\n\n      return value;\n    };\n  },\n};\n","/**\n * Sensitive field stripping — removes password/token/CVV-style fields\n * from form values before they are echoed back to the client as\n * `submittedValues` for form repopulation.\n *\n * Applied to both action paths:\n *  - With-JS action path: `createActionClient()` in `action-client.ts`\n *  - No-JS form POST path: `handleFormAction()` in `action-handler.ts`\n *\n * Why: on a validation failure, timber echoes submitted form values back so\n * the user doesn't have to re-type everything. Without filtering, plaintext\n * passwords / credit-card numbers / TOTP codes would travel through the RSC\n * stream (with-JS) or land in the HTML as `defaultValue` attributes (no-JS)\n * — ending up in browser history, proxy logs, disk caches, and the\n * back-forward cache.\n *\n * Safe by default: the built-in deny-list is applied unconditionally unless\n * the user explicitly opts out via `forms.stripSensitiveFields: false` in\n * `timber.config.ts` or per-action via `createActionClient({ stripSensitiveFields: false })`.\n *\n * See design/08-forms-and-actions.md §\"Validation errors\"\n * See design/13-security.md §\"Sensitive field stripping\"\n * See TIM-816\n */\n\nimport { isDebug } from './debug.js';\n\n// ─── Public types ────────────────────────────────────────────────────────\n\n/**\n * How to strip sensitive fields from `submittedValues`.\n *\n * - `true` / `undefined` — use the built-in deny-list (default, safe).\n * - `false` — do not strip anything (dev convenience; never do this in prod).\n * - `string[]` — additional field names to strip, merged with the built-in list.\n * - `(name) => boolean` — custom predicate, fully replaces the built-in list.\n *   Return `true` to strip, `false` to keep. The `name` argument is the raw\n *   (un-normalized) field name as it appeared in the submitted form.\n */\nexport type SensitiveFieldsOption = boolean | readonly string[] | ((name: string) => boolean);\n\n// ─── Built-in deny-list ──────────────────────────────────────────────────\n\n/**\n * Substring patterns matched against the normalized field name.\n * Normalization = lowercase + strip `_` and `-`.\n *\n * Any field whose normalized name *contains* one of these strings is\n * considered sensitive. Entries like `currentPassword`, `passwordConfirmation`,\n * and `user.password` all match via the `password` substring.\n */\nconst BUILTIN_SUBSTRING_PATTERNS: readonly string[] = [\n  'password',\n  'passwd',\n  'pwd',\n  'secret',\n  'apikey',\n  'accesstoken',\n  'refreshtoken',\n  'cvv',\n  'cvc',\n  'cardnumber',\n  'cardcvc',\n  'ssn',\n  'socialsecuritynumber',\n  'otp',\n  'totp',\n  'mfacode',\n  'twofactorcode',\n  'privatekey',\n];\n\n/**\n * Exact matches against the normalized field name. These are field names that\n * are too short or too common to substring-match safely. e.g. `token` alone\n * would match `csrfToken`, which is not sensitive — so `token` is exact-only,\n * while legitimate token fields are covered by `accesstoken` / `refreshtoken`.\n */\nconst BUILTIN_EXACT_PATTERNS: readonly string[] = ['token'];\n\n/**\n * Normalize a field name for deny-list comparison.\n * Lowercases the string and strips `_` and `-` so camelCase, snake_case, and\n * kebab-case variants all compare equal (`api_key` / `apiKey` / `api-key` →\n * `apikey`).\n */\nfunction normalize(name: string): string {\n  let out = '';\n  for (let i = 0; i < name.length; i++) {\n    const ch = name.charCodeAt(i);\n    if (ch === 0x5f /* _ */ || ch === 0x2d /* - */) continue;\n    // A-Z → a-z\n    if (ch >= 0x41 && ch <= 0x5a) {\n      out += String.fromCharCode(ch + 32);\n    } else {\n      out += name[i];\n    }\n  }\n  return out;\n}\n\n/**\n * Check whether a name matches the built-in deny-list (with optional extras).\n * Extras are merged into the substring pattern list after normalization.\n */\nfunction isBuiltinSensitive(name: string, extras?: readonly string[]): boolean {\n  const normalized = normalize(name);\n  if (BUILTIN_EXACT_PATTERNS.includes(normalized)) return true;\n  for (const pattern of BUILTIN_SUBSTRING_PATTERNS) {\n    if (normalized.includes(pattern)) return true;\n  }\n  if (extras && extras.length > 0) {\n    for (const extra of extras) {\n      const normExtra = normalize(extra);\n      if (normExtra.length === 0) continue;\n      if (normalized.includes(normExtra)) return true;\n    }\n  }\n  return false;\n}\n\n// ─── Predicate resolution ────────────────────────────────────────────────\n\n/**\n * A resolved predicate: `null` means \"don't strip anything\" (the option was\n * explicitly `false`). Otherwise a function from raw field name → boolean.\n */\nexport type ResolvedSensitivePredicate = ((name: string) => boolean) | null;\n\n/**\n * Resolve a `SensitiveFieldsOption` into a concrete predicate.\n * Precedence: per-action > global > built-in default.\n *\n * - Per-action `undefined` → fall back to global.\n * - Global `undefined` → use built-in list.\n * - Either level set to `false` → disable stripping entirely (returns `null`).\n * - `true` → built-in list.\n * - `string[]` → built-in ∪ extras.\n * - function → custom, replaces the built-in list entirely.\n */\nexport function resolveSensitivePredicate(\n  perAction: SensitiveFieldsOption | undefined,\n  global: SensitiveFieldsOption | undefined\n): ResolvedSensitivePredicate {\n  const chosen = perAction !== undefined ? perAction : global;\n\n  if (chosen === false) return null;\n  if (chosen === undefined || chosen === true) {\n    return (name) => isBuiltinSensitive(name);\n  }\n  if (typeof chosen === 'function') {\n    return chosen;\n  }\n  // Array of extra names merged with the built-in list.\n  const extras = chosen;\n  return (name) => isBuiltinSensitive(name, extras);\n}\n\n// ─── Module-level global config ──────────────────────────────────────────\n\nlet globalConfig: SensitiveFieldsOption | undefined;\n\n/**\n * Set the global `forms.stripSensitiveFields` config from `timber.config.ts`.\n * Called once at startup from `rsc-entry`.\n */\nexport function setGlobalSensitiveFieldsConfig(option: SensitiveFieldsOption | undefined): void {\n  globalConfig = option;\n}\n\n/** Read the global `forms.stripSensitiveFields` config. */\nexport function getGlobalSensitiveFieldsConfig(): SensitiveFieldsOption | undefined {\n  return globalConfig;\n}\n\n// ─── Stripping ───────────────────────────────────────────────────────────\n\n// One warning per field name per process — prevents log spam when a form is\n// submitted many times in dev mode.\nconst warnedFields = new Set<string>();\n\nfunction warnStripped(name: string): void {\n  if (!isDebug()) return;\n  if (warnedFields.has(name)) return;\n  warnedFields.add(name);\n  console.warn(\n    `[timber] stripped sensitive field \"${name}\" from submittedValues. ` +\n      `Override via forms.stripSensitiveFields in timber.config.ts.`\n  );\n}\n\n/**\n * Walk an object (recursively) and return a copy with every key matching\n * `predicate` removed. Nested objects like `{ user: { password: '...' } }`\n * are handled — `user.password` is stripped while other `user.*` fields remain.\n *\n * - Arrays are walked element-wise (object entries inside arrays are cleaned).\n * - Non-plain values (strings, numbers, Files, Dates, etc.) are returned as-is.\n * - When a stripped key is encountered, it is omitted from the result entirely\n *   — we do NOT set it to an empty string, because that would overwrite a\n *   valid `defaultValue` the form author might have set.\n */\nexport function stripSensitiveFields<T>(value: T, predicate: ResolvedSensitivePredicate): T {\n  // Null predicate = stripping disabled entirely.\n  if (predicate === null) return value;\n  if (value === null || value === undefined) return value;\n  if (typeof value !== 'object') return value;\n  if (value instanceof File || value instanceof Date) return value;\n\n  if (Array.isArray(value)) {\n    return value.map((item) => stripSensitiveFields(item, predicate)) as unknown as T;\n  }\n\n  const result: Record<string, unknown> = {};\n  for (const [key, nested] of Object.entries(value as Record<string, unknown>)) {\n    if (predicate(key)) {\n      warnStripped(key);\n      continue;\n    }\n    result[key] = stripSensitiveFields(nested, predicate);\n  }\n  return result as unknown as T;\n}\n\n// ─── Test helpers ────────────────────────────────────────────────────────\n\n/** Reset the \"warned once\" cache. Exposed for tests. */\nexport function __resetSensitiveFieldsWarnings(): void {\n  warnedFields.clear();\n}\n","/**\n * createActionClient — typed middleware and schema validation for server actions.\n *\n * Inspired by next-safe-action. Provides a builder API:\n *   createActionClient({ middleware }) → .schema(z.object(...)) → .action(fn)\n *\n * The resulting action function satisfies both:\n *   1. Direct call: action(input) → Promise<ActionResult>\n *   2. React useActionState: (prevState, formData) => Promise<ActionResult>\n *\n * See design/08-forms-and-actions.md §\"Middleware for Server Actions\"\n */\n\n// ─── ActionError ─────────────────────────────────────────────────────────\n\n/**\n * Typed error class for server actions. Carries a string code and optional data.\n * When thrown from middleware or the action body, the action short-circuits and\n * the client receives `result.serverError`.\n *\n * In production, unexpected errors (non-ActionError) return `{ code: 'INTERNAL_ERROR' }`\n * with no message. In dev, `data.message` is included.\n */\nexport class ActionError<TCode extends string = string> extends Error {\n  readonly code: TCode;\n  readonly data: Record<string, unknown> | undefined;\n\n  constructor(code: TCode, data?: Record<string, unknown>) {\n    super(`ActionError: ${code}`);\n    this.name = 'ActionError';\n    this.code = code;\n    this.data = data;\n  }\n}\n\n// ─── Standard Schema ──────────────────────────────────────────────────────\n\n/**\n * Standard Schema v1 interface (subset).\n * Zod ≥3.24, Valibot ≥1.0, and ArkType all implement this.\n * See https://github.com/standard-schema/standard-schema\n *\n * We use permissive types here to accept all compliant libraries without\n * requiring exact structural matches on issues/path shapes.\n */\ninterface StandardSchemaV1<Output = unknown> {\n  '~standard': {\n    validate(value: unknown): StandardSchemaResult<Output> | Promise<StandardSchemaResult<Output>>;\n  };\n}\n\ntype StandardSchemaResult<Output> =\n  | { value: Output; issues?: undefined }\n  | { value?: undefined; issues: ReadonlyArray<StandardSchemaIssue> };\n\ninterface StandardSchemaIssue {\n  message: string;\n  path?: ReadonlyArray<PropertyKey | { key: PropertyKey }>;\n}\n\n/** Check if a schema implements the Standard Schema protocol. */\nfunction isStandardSchema(schema: unknown): schema is StandardSchemaV1 {\n  return (\n    typeof schema === 'object' &&\n    schema !== null &&\n    '~standard' in schema &&\n    typeof (schema as StandardSchemaV1)['~standard'].validate === 'function'\n  );\n}\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Minimal schema interface — compatible with Zod, Valibot, ArkType, etc.\n *\n * Accepts either:\n * - Standard Schema (preferred): any object with `~standard.validate()`\n * - Legacy parse interface: objects with `.parse()` / `.safeParse()`\n *\n * At runtime, Standard Schema is detected via `~standard` property and\n * takes priority over the legacy interface.\n */\nexport type ActionSchema<T = unknown> = StandardSchemaV1<T> | LegacyActionSchema<T>;\n\n/** Legacy schema interface with .parse() / .safeParse(). */\ninterface LegacyActionSchema<T = unknown> {\n  'parse'(data: unknown): T;\n  'safeParse'?(data: unknown): { success: true; data: T } | { success: false; error: SchemaError };\n  // Exclude Standard Schema objects from matching this interface\n  '~standard'?: never;\n}\n\n/** Schema validation error shape (for legacy .safeParse()/.parse() interface). */\nexport interface SchemaError {\n  issues?: Array<{ path?: Array<string | number>; message: string }>;\n  flatten?(): { fieldErrors: Record<string, string[]> };\n}\n\n/** Flattened validation errors keyed by field name. */\nexport type ValidationErrors = Record<string, string[]>;\n\n/** Middleware function: returns context to merge into the action body's ctx. */\nexport type ActionMiddleware<TCtx = Record<string, unknown>> = () => Promise<TCtx> | TCtx;\n\n/** The result type returned to the client. */\nexport type ActionResult<TData = unknown> =\n  | { data: TData; validationErrors?: never; serverError?: never; submittedValues?: never }\n  | {\n      data?: never;\n      validationErrors: ValidationErrors;\n      serverError?: never;\n      /** Raw input values on validation failure — for repopulating form fields. */\n      submittedValues?: Record<string, unknown>;\n    }\n  | {\n      data?: never;\n      validationErrors?: never;\n      serverError: { code: string; data?: Record<string, unknown> };\n      submittedValues?: never;\n    };\n\n/** Context passed to the action body. */\nexport interface ActionContext<TCtx, TInput> {\n  ctx: TCtx;\n  input: TInput;\n}\n\n// ─── Builder ─────────────────────────────────────────────────────────────\n\ninterface ActionClientConfig<TCtx> {\n  middleware?: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[];\n  /** Max file size in bytes. Files exceeding this are rejected with validation errors. */\n  fileSizeLimit?: number;\n  /**\n   * Override the sensitive-field deny-list for this action client.\n   * See `SensitiveFieldsOption` in `./sensitive-fields.ts`. Per-action config\n   * takes precedence over the global `forms.stripSensitiveFields` option in\n   * `timber.config.ts`. See design/08-forms-and-actions.md and TIM-816.\n   */\n  stripSensitiveFields?: SensitiveFieldsOption;\n}\n\n/** Intermediate builder returned by createActionClient(). */\nexport interface ActionBuilder<TCtx> {\n  /** Declare the input schema. Validation errors are returned typed. */\n  schema<TInput>(schema: ActionSchema<TInput>): ActionBuilderWithSchema<TCtx, TInput>;\n  /** Define the action body without input validation. */\n  action<TData>(\n    fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n  ): ActionFn<TData, undefined>;\n}\n\n/** Builder after .schema() has been called. */\nexport interface ActionBuilderWithSchema<TCtx, TInput> {\n  /** Define the action body with validated input. */\n  action<TData>(fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>): ActionFn<TData, TInput>;\n}\n\n/**\n * The final action function. Callable three ways:\n * - Direct: action(input) → Promise<ActionResult<TData>>\n * - React useActionState: action(prevState, formData) → Promise<ActionResult<TData>>\n * - React <form action={fn}>: action(formData) → void  (return value ignored by React)\n *\n * The third overload exists purely for type compatibility with React's\n * `<form action>` prop, which expects `(formData: FormData) => void`.\n * At runtime the function still returns Promise<ActionResult>, but React\n * discards it. This lets validated actions be passed directly to forms\n * without casts.\n */\n/**\n * Map schema output keys to `string | undefined` for form-facing APIs.\n * HTML form values are always strings, and fields can be absent.\n * Gives autocomplete for field names without lying about value types.\n */\nexport type InputHint<T> =\n  T extends Record<string, unknown> ? { [K in keyof T]: string | undefined } : T;\n\n/**\n * ActionFn — the callable returned by `createActionClient().action()`.\n *\n * Generic order: `<TData, TInput>` — TData first for backward compatibility.\n * Previously ActionFn had a single `<TData>` generic, so existing code like\n * `ActionFn<MyResult>` must still work with TData in the first position.\n * See TIM-797.\n */\nexport type ActionFn<TData = unknown, TInput = unknown> = {\n  /** <form action={fn}> compatibility — React discards the return value. */\n  (formData: FormData): void;\n  /** Direct call: action(input) — optional when TInput is undefined/unknown (no-schema actions). */\n  (\n    ...args: undefined extends TInput ? [input?: TInput] : [input: TInput]\n  ): Promise<ActionResult<TData>>;\n  /** React useActionState: action(prevState, formData) */\n  (prevState: ActionResult<TData> | null, formData: FormData): Promise<ActionResult<TData>>;\n};\n\n// ─── Implementation ──────────────────────────────────────────────────────\n\n/**\n * Run middleware array or single function. Returns merged context.\n */\nasync function runActionMiddleware<TCtx>(\n  middleware: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[] | undefined\n): Promise<TCtx> {\n  if (!middleware) {\n    return {} as TCtx;\n  }\n\n  if (Array.isArray(middleware)) {\n    let merged = {} as Record<string, unknown>;\n    for (const mw of middleware) {\n      const result = await mw();\n      merged = { ...merged, ...result };\n    }\n    return merged as TCtx;\n  }\n\n  return await middleware();\n}\n\n// Re-export parseFormData for use throughout the framework\nimport { parseFormData } from './form-data.js';\nimport { formatSize } from '../utils/format.js';\nimport { isDebug, isDevMode } from './debug.js';\nimport { RedirectSignal, DenySignal } from './primitives.js';\nimport {\n  stripSensitiveFields,\n  resolveSensitivePredicate,\n  getGlobalSensitiveFieldsConfig,\n  type SensitiveFieldsOption,\n} from './sensitive-fields.js';\n\n/**\n * Extract validation errors from a schema error.\n * Supports Zod's flatten() and generic issues array.\n */\nfunction extractValidationErrors(error: SchemaError): ValidationErrors {\n  // Zod-style flatten\n  if (typeof error.flatten === 'function') {\n    return error.flatten().fieldErrors;\n  }\n\n  // Generic issues array\n  if (error.issues) {\n    const errors: ValidationErrors = {};\n    for (const issue of error.issues) {\n      const path = issue.path?.join('.') ?? '_root';\n      if (!errors[path]) errors[path] = [];\n      errors[path].push(issue.message);\n    }\n    return errors;\n  }\n\n  return { _root: ['Validation failed'] };\n}\n\n/**\n * Extract validation errors from Standard Schema issues.\n */\nfunction extractStandardSchemaErrors(issues: ReadonlyArray<StandardSchemaIssue>): ValidationErrors {\n  const errors: ValidationErrors = {};\n  for (const issue of issues) {\n    const path =\n      issue.path\n        ?.map((p) => {\n          // Standard Schema path items can be { key: ... } objects or bare PropertyKey values\n          if (typeof p === 'object' && p !== null && 'key' in p) return String(p.key);\n          return String(p);\n        })\n        .join('.') ?? '_root';\n    if (!errors[path]) errors[path] = [];\n    errors[path].push(issue.message);\n  }\n  return Object.keys(errors).length > 0 ? errors : { _root: ['Validation failed'] };\n}\n\n/**\n * Wrap unexpected errors into a safe server error result.\n * ActionError → typed result. Other errors → INTERNAL_ERROR (no leak).\n *\n * Exported for use by action-handler.ts to catch errors from raw 'use server'\n * functions that don't use createActionClient.\n */\nexport function handleActionError(error: unknown): ActionResult<never> {\n  if (error instanceof ActionError) {\n    return {\n      serverError: {\n        code: error.code,\n        ...(error.data ? { data: error.data } : {}),\n      },\n    };\n  }\n\n  // In dev, include the message for debugging.\n  // Uses isDevMode() — NOT isDebug() — because this data is sent to the\n  // browser. TIMBER_DEBUG must never cause error messages to leak to clients.\n  // See design/13-security.md principle 4: \"Errors don't leak.\"\n  const devMode = isDevMode();\n  return {\n    serverError: {\n      code: 'INTERNAL_ERROR',\n      ...(devMode && error instanceof Error ? { data: { message: error.message } } : {}),\n    },\n  };\n}\n\n/**\n * Create a typed action client with middleware and schema validation.\n *\n * @example\n * ```ts\n * const action = createActionClient({\n *   middleware: async () => {\n *     const user = await getUser()\n *     if (!user) throw new ActionError('UNAUTHORIZED')\n *     return { user }\n *   },\n * })\n *\n * export const createTodo = action\n *   .schema(z.object({ title: z.string().min(1) }))\n *   .action(async ({ input, ctx }) => {\n *     await db.todos.create({ ...input, userId: ctx.user.id })\n *   })\n * ```\n */\nexport function createActionClient<TCtx = Record<string, never>>(\n  config: ActionClientConfig<TCtx> = {}\n): ActionBuilder<TCtx> {\n  function buildAction<TInput, TData>(\n    schema: ActionSchema<TInput> | undefined,\n    fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n  ): ActionFn<TData, TInput> {\n    async function actionHandler(...args: unknown[]): Promise<ActionResult<TData>> {\n      try {\n        // Run middleware\n        const ctx = await runActionMiddleware(config.middleware);\n\n        // Determine input — either FormData (from useActionState) or direct arg\n        let rawInput: unknown;\n        if (args.length === 2 && args[1] instanceof FormData) {\n          // Called as (prevState, formData) by React useActionState (with-JS path)\n          rawInput = schema ? parseFormData(args[1]) : args[1];\n        } else if (args.length === 1 && args[0] instanceof FormData) {\n          // No-JS path: React's decodeAction binds FormData as the sole argument.\n          // The form POSTs without JavaScript, decodeAction resolves the server\n          // reference and binds the FormData, then executeAction calls fn() with\n          // no additional args — so the bound FormData arrives as args[0].\n          rawInput = schema ? parseFormData(args[0]) : args[0];\n        } else {\n          // Direct call: action(input)\n          rawInput = args[0];\n        }\n\n        // Resolve the sensitive-field stripping predicate once per invocation.\n        // Precedence: per-action (config.stripSensitiveFields) > global\n        // (forms.stripSensitiveFields from timber.config.ts) > built-in deny-list.\n        // See TIM-816.\n        const sensitivePredicate = resolveSensitivePredicate(\n          config.stripSensitiveFields,\n          getGlobalSensitiveFieldsConfig()\n        );\n\n        // Capture a \"safe-to-echo\" snapshot of the raw input once. Files are\n        // stripped (can't serialize, shouldn't echo back) and sensitive fields\n        // (passwords, tokens, CVV, etc.) are removed before they would land\n        // in the RSC payload → client form `defaultValue` → DOM.\n        const buildSubmittedValues = (): Record<string, unknown> | undefined => {\n          const withoutFiles = stripFiles(rawInput);\n          if (withoutFiles === undefined) return undefined;\n          return stripSensitiveFields(withoutFiles, sensitivePredicate);\n        };\n\n        // Validate file sizes before schema validation.\n        if (config.fileSizeLimit !== undefined && rawInput && typeof rawInput === 'object') {\n          const fileSizeErrors = validateFileSizes(\n            rawInput as Record<string, unknown>,\n            config.fileSizeLimit\n          );\n          if (fileSizeErrors) {\n            return { validationErrors: fileSizeErrors, submittedValues: buildSubmittedValues() };\n          }\n        }\n\n        // Capture submitted values for repopulation on validation failure.\n        const submittedValues = schema ? buildSubmittedValues() : undefined;\n\n        // Validate with schema if provided\n        let input: TInput;\n        if (schema) {\n          if (isStandardSchema(schema)) {\n            // Standard Schema protocol (Zod ≥3.24, Valibot ≥1.0, ArkType)\n            const result = schema['~standard'].validate(rawInput);\n            if (result instanceof Promise) {\n              throw new Error(\n                '[timber] createActionClient: schema returned a Promise — only sync schemas are supported.'\n              );\n            }\n            if (result.issues) {\n              const validationErrors = extractStandardSchemaErrors(result.issues);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.value;\n          } else if (typeof schema.safeParse === 'function') {\n            const result = schema.safeParse(rawInput);\n            if (!result.success) {\n              const validationErrors = extractValidationErrors(result.error);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.data;\n          } else {\n            try {\n              input = schema.parse(rawInput);\n            } catch (parseError) {\n              const validationErrors = extractValidationErrors(parseError as SchemaError);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n          }\n        } else {\n          input = rawInput as TInput;\n        }\n\n        // Execute the action body\n        const data = await fn({ ctx, input });\n        return { data };\n      } catch (error) {\n        // Re-throw redirect/deny signals — these are control flow, not errors.\n        // They must propagate to executeAction() which converts them to proper\n        // HTTP responses (302 redirect, 4xx deny). Catching them here would\n        // wrap them as INTERNAL_ERROR and break redirect()/redirectExternal()/deny().\n        if (error instanceof RedirectSignal || error instanceof DenySignal) {\n          throw error;\n        }\n        return handleActionError(error);\n      }\n    }\n\n    return actionHandler as ActionFn<TData, TInput>;\n  }\n\n  return {\n    schema<TInput>(schema: ActionSchema<TInput>) {\n      return {\n        action<TData>(\n          fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n        ): ActionFn<TData, TInput> {\n          return buildAction(schema, fn);\n        },\n      };\n    },\n    action<TData>(\n      fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n    ): ActionFn<TData, undefined> {\n      return buildAction(undefined, fn as (ctx: ActionContext<TCtx, unknown>) => Promise<TData>);\n    },\n  };\n}\n\n// ─── validated() ────────────────────────────────────────────────────────\n\n/**\n * Convenience wrapper for the common case: validate input, run handler.\n * No middleware needed.\n *\n * @example\n * ```ts\n * 'use server'\n * import { validated } from '@timber-js/app/server'\n * import { z } from 'zod'\n *\n * export const createTodo = validated(\n *   z.object({ title: z.string().min(1) }),\n *   async (input) => {\n *     await db.todos.create(input)\n *   }\n * )\n * ```\n */\nexport function validated<TInput, TData>(\n  schema: ActionSchema<TInput>,\n  handler: (input: TInput) => Promise<TData>\n): ActionFn<TData, TInput> {\n  return createActionClient()\n    .schema(schema)\n    .action(async ({ input }) => handler(input));\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\n/**\n * Log validation failures in dev mode so developers can see what went wrong.\n * In production, validation errors are only returned to the client.\n */\nfunction logValidationFailure(errors: ValidationErrors): void {\n  const isDev = isDebug();\n  if (!isDev) return;\n\n  const fields = Object.entries(errors)\n    .map(([field, messages]) => `  ${field}: ${messages.join(', ')}`)\n    .join('\\n');\n  console.warn(`[timber] action schema validation failed:\\n${fields}`);\n}\n\n/**\n * Validate that all File objects in the input are within the size limit.\n * Returns validation errors keyed by field name, or null if all files are ok.\n */\nfunction validateFileSizes(input: Record<string, unknown>, limit: number): ValidationErrors | null {\n  const errors: ValidationErrors = {};\n  const limitKb = Math.round(limit / 1024);\n  const limitLabel =\n    limit >= 1024 * 1024 ? `${Math.round(limit / (1024 * 1024))}MB` : `${limitKb}KB`;\n\n  for (const [key, value] of Object.entries(input)) {\n    if (value instanceof File && value.size > limit) {\n      errors[key] = [\n        `File \"${value.name}\" (${formatSize(value.size)}) exceeds the ${limitLabel} limit`,\n      ];\n    } else if (Array.isArray(value)) {\n      const oversized = value.filter((item) => item instanceof File && item.size > limit);\n      if (oversized.length > 0) {\n        errors[key] = oversized.map(\n          (f: File) => `File \"${f.name}\" (${formatSize(f.size)}) exceeds the ${limitLabel} limit`\n        );\n      }\n    }\n  }\n\n  return Object.keys(errors).length > 0 ? errors : null;\n}\n\n/**\n * Strip File objects from a value, returning a plain object safe for\n * serialization. File objects can't be serialized and shouldn't be echoed back.\n */\nfunction stripFiles(value: unknown): Record<string, unknown> | undefined {\n  if (value === null || value === undefined) return undefined;\n  if (typeof value !== 'object') return undefined;\n\n  const result: Record<string, unknown> = {};\n  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {\n    if (v instanceof File) continue;\n    if (Array.isArray(v)) {\n      result[k] = v.filter((item) => !(item instanceof File));\n    } else if (typeof v === 'object' && v !== null && !(v instanceof File)) {\n      result[k] = stripFiles(v) ?? {};\n    } else {\n      result[k] = v;\n    }\n  }\n  return result;\n}\n","/**\n * Form Flash — ALS-based store for no-JS form action results.\n *\n * When a no-JS form action completes, the server re-renders the page with\n * the action result injected via AsyncLocalStorage instead of redirecting\n * (which would discard the result). Server components read the flash and\n * pass it to client form components as the initial `useActionState` value.\n *\n * This follows the Remix/Rails pattern — the form component becomes the\n * single source of truth for both with-JS (React state) and no-JS (flash).\n *\n * The flash data is server-side only — never serialized to cookies or headers.\n *\n * See design/08-forms-and-actions.md §\"No-JS Error Round-Trip\"\n */\n\nimport type { ValidationErrors } from './action-client.js';\nimport { formFlashAls } from './als-registry.js';\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Flash data injected into the re-render after a no-JS form submission.\n *\n * This is the action result from the server action, stored in ALS so server\n * components can read it and pass it to client form components as the initial\n * state for `useActionState`. This makes the form component a single source\n * of truth for both with-JS and no-JS paths.\n *\n * The shape matches `ActionResult<unknown>` — it's one of:\n * - `{ data: ... }` — success\n * - `{ validationErrors, submittedValues }` — validation failure\n * - `{ serverError }` — server error\n */\nexport interface FormFlashData {\n  /** Success data from the action. */\n  data?: unknown;\n  /** Validation errors keyed by field name. `_root` for form-level errors. */\n  validationErrors?: ValidationErrors;\n  /** Raw submitted values for repopulating form fields. File objects are excluded. */\n  submittedValues?: Record<string, unknown>;\n  /** Server error if the action threw an ActionError. */\n  serverError?: { code: string; data?: Record<string, unknown> };\n}\n\n// ─── Public API ──────────────────────────────────────────────────────────\n\n/**\n * Read the form flash data for the current request.\n *\n * Returns `null` if no flash data is present (i.e., this is a normal page\n * render, not a re-render after a no-JS form submission).\n *\n * Pass the flash as the initial state to `useActionState` so the form\n * component has a single source of truth for both with-JS and no-JS paths:\n *\n * ```tsx\n * // app/contact/page.tsx (server component)\n * import { getFormFlash } from '@timber-js/app/server'\n *\n * export default function ContactPage() {\n *   const flash = getFormFlash()\n *   return <ContactForm flash={flash} />\n * }\n *\n * // app/contact/form.tsx (client component)\n * export function ContactForm({ flash }) {\n *   const [result, action, isPending] = useActionState(submitContact, flash)\n *   // result is the single source of truth — flash seeds it on no-JS\n * }\n * ```\n */\nexport function getFormFlash(): FormFlashData | null {\n  return formFlashAls.getStore() ?? null;\n}\n\n// ─── Framework-Internal ──────────────────────────────────────────────────\n\n/**\n * Run a callback with form flash data in scope.\n *\n * Used by the action handler to re-render the page with validation errors\n * available via `getFormFlash()`. Not part of the public API.\n *\n * @internal\n */\nexport function runWithFormFlash<T>(data: FormFlashData, fn: () => T): T {\n  return formFlashAls.run(data, fn);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,SAAgB,cAAc,UAA6C;CACzE,MAAM,OAAgC,EAAE;AAExC,MAAK,MAAM,OAAO,IAAI,IAAI,SAAS,MAAM,CAAC,EAAE;AAE1C,MAAI,IAAI,WAAW,WAAW,CAAE;EAGhC,MAAM,YADS,SAAS,OAAO,IAAI,CACV,IAAI,eAAe;AAE5C,MAAI,UAAU,WAAW,EACvB,MAAK,OAAO,UAAU;MAGtB,MAAK,OAAO,UAAU,QAAQ,MAAM,MAAM,KAAA,EAAU;;AAKxD,QAAO,eAAe,KAAK;;;;;;;;AAS7B,SAAS,eAAe,OAAoC;AAC1D,KAAI,OAAO,UAAU,SACnB,QAAO,UAAU,KAAK,KAAA,IAAY;AAIpC,KAAI,iBAAiB,QAAQ,MAAM,SAAS,KAAK,MAAM,SAAS,GAC9D;AAGF,QAAO;;;;;;;;;AAUT,SAAS,eAAe,MAAwD;CAC9E,MAAM,SAAkC,EAAE;CAC1C,IAAI,cAAc;AAGlB,MAAK,MAAM,OAAO,OAAO,KAAK,KAAK,CACjC,KAAI,IAAI,SAAS,IAAI,EAAE;AACrB,gBAAc;AACd;;AAKJ,KAAI,CAAC,YAAa,QAAO;AAEzB,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,KAAK,EAAE;AAC/C,MAAI,CAAC,IAAI,SAAS,IAAI,EAAE;AACtB,UAAO,OAAO;AACd;;EAGF,MAAM,QAAQ,IAAI,MAAM,IAAI;EAC5B,IAAI,UAAmC;AAEvC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,SAAS,GAAG,KAAK;GACzC,MAAM,OAAO,MAAM;AACnB,OAAI,QAAQ,UAAU,KAAA,KAAa,QAAQ,UAAU,KACnD,SAAQ,QAAQ,EAAE;AAIpB,OAAI,OAAO,QAAQ,UAAU,YAAY,QAAQ,iBAAiB,KAChE,SAAQ,QAAQ,EAAE;AAEpB,aAAU,QAAQ;;AAGpB,UAAQ,MAAM,MAAM,SAAS,MAAM;;AAGrC,QAAO;;;;;;;;;;;;;;;AAkBT,IAAa,SAAS;CAQpB,OAAO,OAAoC;AACzC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,SAAU,QAAO,KAAA;EACtC,MAAM,MAAM,OAAO,MAAM;AACzB,MAAI,OAAO,MAAM,IAAI,CAAE,QAAO,KAAA;AAC9B,SAAO;;CAST,SAAS,OAAyB;AAChC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO;AAClE,MAAI,OAAO,UAAU,UAAW,QAAO;AAEvC,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS;;CASrD,KAAK,OAAyB;AAC5B,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI;AACF,UAAO,KAAK,MAAM,MAAM;UAClB;AACN;;;CAaJ,KAAK,OAAkC;AACrC,MAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,MAAI,iBAAiB,KAAM,QAAO;AAClC,MAAI,OAAO,UAAU,SAAU,QAAO,KAAA;EACtC,MAAM,OAAO,IAAI,KAAK,MAAM;AAC5B,MAAI,OAAO,MAAM,KAAK,SAAS,CAAC,CAAE,QAAO,KAAA;EAKzC,MAAM,WAAW,MAAM,MAAM,2BAA2B;AACxD,MAAI,UAAU;GACZ,MAAM,YAAY,OAAO,SAAS,GAAG;GACrC,MAAM,aAAa,OAAO,SAAS,GAAG;GACtC,MAAM,WAAW,OAAO,SAAS,GAAG;GAKpC,MAAM,QAAQ,MAAM,WAAW,MAAM,MAAM,SAAS,IAAI;GACxD,MAAM,aAAa,QAAQ,KAAK,gBAAgB,GAAG,KAAK,aAAa;GACrE,MAAM,cAAc,QAAQ,KAAK,aAAa,GAAG,IAAI,KAAK,UAAU,GAAG;GACvE,MAAM,YAAY,QAAQ,KAAK,YAAY,GAAG,KAAK,SAAS;AAE5D,OAAI,cAAc,cAAc,eAAe,eAAe,aAAa,UACzE;;AAIJ,SAAO;;CAkBT,KAAK,SAAyF;AAC5F,UAAQ,UAAqC;AAC3C,OAAI,UAAU,KAAA,KAAa,UAAU,QAAQ,UAAU,GAAI,QAAO,KAAA;AAClE,OAAI,EAAE,iBAAiB,MAAO,QAAO,KAAA;AAGrC,OAAI,MAAM,SAAS,KAAK,MAAM,SAAS,GAAI,QAAO,KAAA;AAElD,OAAI,SAAS,YAAY,KAAA,KAAa,MAAM,OAAO,QAAQ,QACzD;AAGF,OAAI,SAAS,WAAW,KAAA,KAAa,CAAC,QAAQ,OAAO,SAAS,MAAM,KAAK,CACvE;AAGF,UAAO;;;CAGZ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACxMD,IAAM,6BAAgD;CACpD;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;;;;;;;AAQD,IAAM,yBAA4C,CAAC,QAAQ;;;;;;;AAQ3D,SAAS,UAAU,MAAsB;CACvC,IAAI,MAAM;AACV,MAAK,IAAI,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;EACpC,MAAM,KAAK,KAAK,WAAW,EAAE;AAC7B,MAAI,OAAO,MAAgB,OAAO,GAAc;AAEhD,MAAI,MAAM,MAAQ,MAAM,GACtB,QAAO,OAAO,aAAa,KAAK,GAAG;MAEnC,QAAO,KAAK;;AAGhB,QAAO;;;;;;AAOT,SAAS,mBAAmB,MAAc,QAAqC;CAC7E,MAAM,aAAa,UAAU,KAAK;AAClC,KAAI,uBAAuB,SAAS,WAAW,CAAE,QAAO;AACxD,MAAK,MAAM,WAAW,2BACpB,KAAI,WAAW,SAAS,QAAQ,CAAE,QAAO;AAE3C,KAAI,UAAU,OAAO,SAAS,EAC5B,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,YAAY,UAAU,MAAM;AAClC,MAAI,UAAU,WAAW,EAAG;AAC5B,MAAI,WAAW,SAAS,UAAU,CAAE,QAAO;;AAG/C,QAAO;;;;;;;;;;;;;AAsBT,SAAgB,0BACd,WACA,QAC4B;CAC5B,MAAM,SAAS,cAAc,KAAA,IAAY,YAAY;AAErD,KAAI,WAAW,MAAO,QAAO;AAC7B,KAAI,WAAW,KAAA,KAAa,WAAW,KACrC,SAAQ,SAAS,mBAAmB,KAAK;AAE3C,KAAI,OAAO,WAAW,WACpB,QAAO;CAGT,MAAM,SAAS;AACf,SAAQ,SAAS,mBAAmB,MAAM,OAAO;;AAKnD,IAAI;;AAWJ,SAAgB,iCAAoE;AAClF,QAAO;;AAOT,IAAM,+BAAe,IAAI,KAAa;AAEtC,SAAS,aAAa,MAAoB;AACxC,KAAI,CAAC,SAAS,CAAE;AAChB,KAAI,aAAa,IAAI,KAAK,CAAE;AAC5B,cAAa,IAAI,KAAK;AACtB,SAAQ,KACN,sCAAsC,KAAK,sFAE5C;;;;;;;;;;;;;AAcH,SAAgB,qBAAwB,OAAU,WAA0C;AAE1F,KAAI,cAAc,KAAM,QAAO;AAC/B,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO;AACtC,KAAI,iBAAiB,QAAQ,iBAAiB,KAAM,QAAO;AAE3D,KAAI,MAAM,QAAQ,MAAM,CACtB,QAAO,MAAM,KAAK,SAAS,qBAAqB,MAAM,UAAU,CAAC;CAGnE,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,KAAK,WAAW,OAAO,QAAQ,MAAiC,EAAE;AAC5E,MAAI,UAAU,IAAI,EAAE;AAClB,gBAAa,IAAI;AACjB;;AAEF,SAAO,OAAO,qBAAqB,QAAQ,UAAU;;AAEvD,QAAO;;;;;;;;;;;;;;;;;;;;;;;;ACtMT,IAAa,cAAb,cAAgE,MAAM;CACpE;CACA;CAEA,YAAY,MAAa,MAAgC;AACvD,QAAM,gBAAgB,OAAO;AAC7B,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,OAAK,OAAO;;;;AA8BhB,SAAS,iBAAiB,QAA6C;AACrE,QACE,OAAO,WAAW,YAClB,WAAW,QACX,eAAe,UACf,OAAQ,OAA4B,aAAa,aAAa;;;;;AAwIlE,eAAe,oBACb,YACe;AACf,KAAI,CAAC,WACH,QAAO,EAAE;AAGX,KAAI,MAAM,QAAQ,WAAW,EAAE;EAC7B,IAAI,SAAS,EAAE;AACf,OAAK,MAAM,MAAM,YAAY;GAC3B,MAAM,SAAS,MAAM,IAAI;AACzB,YAAS;IAAE,GAAG;IAAQ,GAAG;IAAQ;;AAEnC,SAAO;;AAGT,QAAO,MAAM,YAAY;;;;;;AAmB3B,SAAS,wBAAwB,OAAsC;AAErE,KAAI,OAAO,MAAM,YAAY,WAC3B,QAAO,MAAM,SAAS,CAAC;AAIzB,KAAI,MAAM,QAAQ;EAChB,MAAM,SAA2B,EAAE;AACnC,OAAK,MAAM,SAAS,MAAM,QAAQ;GAChC,MAAM,OAAO,MAAM,MAAM,KAAK,IAAI,IAAI;AACtC,OAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,UAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,SAAO;;AAGT,QAAO,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;AAMzC,SAAS,4BAA4B,QAA8D;CACjG,MAAM,SAA2B,EAAE;AACnC,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,OACJ,MAAM,MACF,KAAK,MAAM;AAEX,OAAI,OAAO,MAAM,YAAY,MAAM,QAAQ,SAAS,EAAG,QAAO,OAAO,EAAE,IAAI;AAC3E,UAAO,OAAO,EAAE;IAChB,CACD,KAAK,IAAI,IAAI;AAClB,MAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,SAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;;;;;AAUnF,SAAgB,kBAAkB,OAAqC;AACrE,KAAI,iBAAiB,YACnB,QAAO,EACL,aAAa;EACX,MAAM,MAAM;EACZ,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,MAAM,GAAG,EAAE;EAC3C,EACF;AAQH,QAAO,EACL,aAAa;EACX,MAAM;EACN,GAJY,WAAW,IAIR,iBAAiB,QAAQ,EAAE,MAAM,EAAE,SAAS,MAAM,SAAS,EAAE,GAAG,EAAE;EAClF,EACF;;;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,mBACd,SAAmC,EAAE,EAChB;CACrB,SAAS,YACP,QACA,IACyB;EACzB,eAAe,cAAc,GAAG,MAA+C;AAC7E,OAAI;IAEF,MAAM,MAAM,MAAM,oBAAoB,OAAO,WAAW;IAGxD,IAAI;AACJ,QAAI,KAAK,WAAW,KAAK,KAAK,cAAc,SAE1C,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;aACzC,KAAK,WAAW,KAAK,KAAK,cAAc,SAKjD,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;QAGlD,YAAW,KAAK;IAOlB,MAAM,qBAAqB,0BACzB,OAAO,sBACP,gCAAgC,CACjC;IAMD,MAAM,6BAAkE;KACtE,MAAM,eAAe,WAAW,SAAS;AACzC,SAAI,iBAAiB,KAAA,EAAW,QAAO,KAAA;AACvC,YAAO,qBAAqB,cAAc,mBAAmB;;AAI/D,QAAI,OAAO,kBAAkB,KAAA,KAAa,YAAY,OAAO,aAAa,UAAU;KAClF,MAAM,iBAAiB,kBACrB,UACA,OAAO,cACR;AACD,SAAI,eACF,QAAO;MAAE,kBAAkB;MAAgB,iBAAiB,sBAAsB;MAAE;;IAKxF,MAAM,kBAAkB,SAAS,sBAAsB,GAAG,KAAA;IAG1D,IAAI;AACJ,QAAI,OACF,KAAI,iBAAiB,OAAO,EAAE;KAE5B,MAAM,SAAS,OAAO,aAAa,SAAS,SAAS;AACrD,SAAI,kBAAkB,QACpB,OAAM,IAAI,MACR,4FACD;AAEH,SAAI,OAAO,QAAQ;MACjB,MAAM,mBAAmB,4BAA4B,OAAO,OAAO;AACnE,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;eACN,OAAO,OAAO,cAAc,YAAY;KACjD,MAAM,SAAS,OAAO,UAAU,SAAS;AACzC,SAAI,CAAC,OAAO,SAAS;MACnB,MAAM,mBAAmB,wBAAwB,OAAO,MAAM;AAC9D,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;UAEf,KAAI;AACF,aAAQ,OAAO,MAAM,SAAS;aACvB,YAAY;KACnB,MAAM,mBAAmB,wBAAwB,WAA0B;AAC3E,0BAAqB,iBAAiB;AACtC,YAAO;MAAE;MAAkB;MAAiB;;QAIhD,SAAQ;AAKV,WAAO,EAAE,MADI,MAAM,GAAG;KAAE;KAAK;KAAO,CAAC,EACtB;YACR,OAAO;AAKd,QAAI,iBAAiB,kBAAkB,iBAAiB,WACtD,OAAM;AAER,WAAO,kBAAkB,MAAM;;;AAInC,SAAO;;AAGT,QAAO;EACL,OAAe,QAA8B;AAC3C,UAAO,EACL,OACE,IACyB;AACzB,WAAO,YAAY,QAAQ,GAAG;MAEjC;;EAEH,OACE,IAC4B;AAC5B,UAAO,YAAY,KAAA,GAAW,GAA4D;;EAE7F;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,UACd,QACA,SACyB;AACzB,QAAO,oBAAoB,CACxB,OAAO,OAAO,CACd,OAAO,OAAO,EAAE,YAAY,QAAQ,MAAM,CAAC;;;;;;AAShD,SAAS,qBAAqB,QAAgC;AAE5D,KAAI,CADU,SAAS,CACX;CAEZ,MAAM,SAAS,OAAO,QAAQ,OAAO,CAClC,KAAK,CAAC,OAAO,cAAc,KAAK,MAAM,IAAI,SAAS,KAAK,KAAK,GAAG,CAChE,KAAK,KAAK;AACb,SAAQ,KAAK,8CAA8C,SAAS;;;;;;AAOtE,SAAS,kBAAkB,OAAgC,OAAwC;CACjG,MAAM,SAA2B,EAAE;CACnC,MAAM,UAAU,KAAK,MAAM,QAAQ,KAAK;CACxC,MAAM,aACJ,SAAS,OAAO,OAAO,GAAG,KAAK,MAAM,SAAS,OAAO,MAAM,CAAC,MAAM,GAAG,QAAQ;AAE/E,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,iBAAiB,QAAQ,MAAM,OAAO,MACxC,QAAO,OAAO,CACZ,SAAS,MAAM,KAAK,KAAK,WAAW,MAAM,KAAK,CAAC,gBAAgB,WAAW,QAC5E;UACQ,MAAM,QAAQ,MAAM,EAAE;EAC/B,MAAM,YAAY,MAAM,QAAQ,SAAS,gBAAgB,QAAQ,KAAK,OAAO,MAAM;AACnF,MAAI,UAAU,SAAS,EACrB,QAAO,OAAO,UAAU,KACrB,MAAY,SAAS,EAAE,KAAK,KAAK,WAAW,EAAE,KAAK,CAAC,gBAAgB,WAAW,QACjF;;AAKP,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS;;;;;;AAOnD,SAAS,WAAW,OAAqD;AACvE,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO,KAAA;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO,KAAA;CAEtC,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,MAAiC,EAAE;AACrE,MAAI,aAAa,KAAM;AACvB,MAAI,MAAM,QAAQ,EAAE,CAClB,QAAO,KAAK,EAAE,QAAQ,SAAS,EAAE,gBAAgB,MAAM;WAC9C,OAAO,MAAM,YAAY,MAAM,QAAQ,EAAE,aAAa,MAC/D,QAAO,KAAK,WAAW,EAAE,IAAI,EAAE;MAE/B,QAAO,KAAK;;AAGhB,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACleT,SAAgB,eAAqC;AACnD,QAAO,aAAa,UAAU,IAAI"}
+{"version":3,"file":"index.js","names":[],"sources":["../../src/server/sensitive-fields.ts","../../src/server/action-client.ts","../../src/server/form-flash.ts"],"sourcesContent":["/**\n * Sensitive field stripping — removes password/token/CVV-style fields\n * from form values before they are echoed back to the client as\n * `submittedValues` for form repopulation.\n *\n * Applied to both action paths:\n *  - With-JS action path: `createActionClient()` in `action-client.ts`\n *  - No-JS form POST path: `handleFormAction()` in `action-handler.ts`\n *\n * Why: on a validation failure, timber echoes submitted form values back so\n * the user doesn't have to re-type everything. Without filtering, plaintext\n * passwords / credit-card numbers / TOTP codes would travel through the RSC\n * stream (with-JS) or land in the HTML as `defaultValue` attributes (no-JS)\n * — ending up in browser history, proxy logs, disk caches, and the\n * back-forward cache.\n *\n * Safe by default: the built-in deny-list is applied unconditionally unless\n * the user explicitly opts out via `forms.stripSensitiveFields: false` in\n * `timber.config.ts` or per-action via `createActionClient({ stripSensitiveFields: false })`.\n *\n * See design/08-forms-and-actions.md §\"Validation errors\"\n * See design/13-security.md §\"Sensitive field stripping\"\n * See TIM-816\n */\n\nimport { isDebug } from './debug.js';\n\n// ─── Public types ────────────────────────────────────────────────────────\n\n/**\n * How to strip sensitive fields from `submittedValues`.\n *\n * - `true` / `undefined` — use the built-in deny-list (default, safe).\n * - `false` — do not strip anything (dev convenience; never do this in prod).\n * - `string[]` — additional field names to strip, merged with the built-in list.\n * - `(name) => boolean` — custom predicate, fully replaces the built-in list.\n *   Return `true` to strip, `false` to keep. The `name` argument is the raw\n *   (un-normalized) field name as it appeared in the submitted form.\n */\nexport type SensitiveFieldsOption = boolean | readonly string[] | ((name: string) => boolean);\n\n// ─── Built-in deny-list ──────────────────────────────────────────────────\n\n/**\n * Substring patterns matched against the normalized field name.\n * Normalization = lowercase + strip `_` and `-`.\n *\n * Any field whose normalized name *contains* one of these strings is\n * considered sensitive. Entries like `currentPassword`, `passwordConfirmation`,\n * and `user.password` all match via the `password` substring.\n */\nconst BUILTIN_SUBSTRING_PATTERNS: readonly string[] = [\n  'password',\n  'passwd',\n  'pwd',\n  'secret',\n  'apikey',\n  'accesstoken',\n  'refreshtoken',\n  'cvv',\n  'cvc',\n  'cardnumber',\n  'cardcvc',\n  'ssn',\n  'socialsecuritynumber',\n  'otp',\n  'totp',\n  'mfacode',\n  'twofactorcode',\n  'privatekey',\n];\n\n/**\n * Exact matches against the normalized field name. These are field names that\n * are too short or too common to substring-match safely. e.g. `token` alone\n * would match `csrfToken`, which is not sensitive — so `token` is exact-only,\n * while legitimate token fields are covered by `accesstoken` / `refreshtoken`.\n */\nconst BUILTIN_EXACT_PATTERNS: readonly string[] = ['token'];\n\n/**\n * Normalize a field name for deny-list comparison.\n * Lowercases the string and strips `_` and `-` so camelCase, snake_case, and\n * kebab-case variants all compare equal (`api_key` / `apiKey` / `api-key` →\n * `apikey`).\n */\nfunction normalize(name: string): string {\n  let out = '';\n  for (let i = 0; i < name.length; i++) {\n    const ch = name.charCodeAt(i);\n    if (ch === 0x5f /* _ */ || ch === 0x2d /* - */) continue;\n    // A-Z → a-z\n    if (ch >= 0x41 && ch <= 0x5a) {\n      out += String.fromCharCode(ch + 32);\n    } else {\n      out += name[i];\n    }\n  }\n  return out;\n}\n\n/**\n * Check whether a name matches the built-in deny-list (with optional extras).\n * Extras are merged into the substring pattern list after normalization.\n */\nfunction isBuiltinSensitive(name: string, extras?: readonly string[]): boolean {\n  const normalized = normalize(name);\n  if (BUILTIN_EXACT_PATTERNS.includes(normalized)) return true;\n  for (const pattern of BUILTIN_SUBSTRING_PATTERNS) {\n    if (normalized.includes(pattern)) return true;\n  }\n  if (extras && extras.length > 0) {\n    for (const extra of extras) {\n      const normExtra = normalize(extra);\n      if (normExtra.length === 0) continue;\n      if (normalized.includes(normExtra)) return true;\n    }\n  }\n  return false;\n}\n\n// ─── Predicate resolution ────────────────────────────────────────────────\n\n/**\n * A resolved predicate: `null` means \"don't strip anything\" (the option was\n * explicitly `false`). Otherwise a function from raw field name → boolean.\n */\nexport type ResolvedSensitivePredicate = ((name: string) => boolean) | null;\n\n/**\n * Resolve a `SensitiveFieldsOption` into a concrete predicate.\n * Precedence: per-action > global > built-in default.\n *\n * - Per-action `undefined` → fall back to global.\n * - Global `undefined` → use built-in list.\n * - Either level set to `false` → disable stripping entirely (returns `null`).\n * - `true` → built-in list.\n * - `string[]` → built-in ∪ extras.\n * - function → custom, replaces the built-in list entirely.\n */\nexport function resolveSensitivePredicate(\n  perAction: SensitiveFieldsOption | undefined,\n  global: SensitiveFieldsOption | undefined\n): ResolvedSensitivePredicate {\n  const chosen = perAction !== undefined ? perAction : global;\n\n  if (chosen === false) return null;\n  if (chosen === undefined || chosen === true) {\n    return (name) => isBuiltinSensitive(name);\n  }\n  if (typeof chosen === 'function') {\n    return chosen;\n  }\n  // Array of extra names merged with the built-in list.\n  const extras = chosen;\n  return (name) => isBuiltinSensitive(name, extras);\n}\n\n// ─── Module-level global config ──────────────────────────────────────────\n\nlet globalConfig: SensitiveFieldsOption | undefined;\n\n/**\n * Set the global `forms.stripSensitiveFields` config from `timber.config.ts`.\n * Called once at startup from `rsc-entry`.\n */\nexport function setGlobalSensitiveFieldsConfig(option: SensitiveFieldsOption | undefined): void {\n  globalConfig = option;\n}\n\n/** Read the global `forms.stripSensitiveFields` config. */\nexport function getGlobalSensitiveFieldsConfig(): SensitiveFieldsOption | undefined {\n  return globalConfig;\n}\n\n// ─── Stripping ───────────────────────────────────────────────────────────\n\n// One warning per field name per process — prevents log spam when a form is\n// submitted many times in dev mode.\nconst warnedFields = new Set<string>();\n\nfunction warnStripped(name: string): void {\n  if (!isDebug()) return;\n  if (warnedFields.has(name)) return;\n  warnedFields.add(name);\n  console.warn(\n    `[timber] stripped sensitive field \"${name}\" from submittedValues. ` +\n      `Override via forms.stripSensitiveFields in timber.config.ts.`\n  );\n}\n\n/**\n * Walk an object (recursively) and return a copy with every key matching\n * `predicate` removed. Nested objects like `{ user: { password: '...' } }`\n * are handled — `user.password` is stripped while other `user.*` fields remain.\n *\n * - Arrays are walked element-wise (object entries inside arrays are cleaned).\n * - Non-plain values (strings, numbers, Files, Dates, etc.) are returned as-is.\n * - When a stripped key is encountered, it is omitted from the result entirely\n *   — we do NOT set it to an empty string, because that would overwrite a\n *   valid `defaultValue` the form author might have set.\n */\nexport function stripSensitiveFields<T>(value: T, predicate: ResolvedSensitivePredicate): T {\n  // Null predicate = stripping disabled entirely.\n  if (predicate === null) return value;\n  if (value === null || value === undefined) return value;\n  if (typeof value !== 'object') return value;\n  if (value instanceof File || value instanceof Date) return value;\n\n  if (Array.isArray(value)) {\n    return value.map((item) => stripSensitiveFields(item, predicate)) as unknown as T;\n  }\n\n  const result: Record<string, unknown> = {};\n  for (const [key, nested] of Object.entries(value as Record<string, unknown>)) {\n    if (predicate(key)) {\n      warnStripped(key);\n      continue;\n    }\n    result[key] = stripSensitiveFields(nested, predicate);\n  }\n  return result as unknown as T;\n}\n\n// ─── Test helpers ────────────────────────────────────────────────────────\n\n/** Reset the \"warned once\" cache. Exposed for tests. */\nexport function __resetSensitiveFieldsWarnings(): void {\n  warnedFields.clear();\n}\n","/**\n * createActionClient — typed middleware and schema validation for server actions.\n *\n * Inspired by next-safe-action. Provides a builder API:\n *   createActionClient({ middleware }) → .schema(z.object(...)) → .action(fn)\n *\n * The resulting action function satisfies both:\n *   1. Direct call: action(input) → Promise<ActionResult>\n *   2. React useActionState: (prevState, formData) => Promise<ActionResult>\n *\n * See design/08-forms-and-actions.md §\"Middleware for Server Actions\"\n */\n\n// ─── ActionError ─────────────────────────────────────────────────────────\n\n/**\n * Typed error class for server actions. Carries a string code and optional data.\n * When thrown from middleware or the action body, the action short-circuits and\n * the client receives `result.serverError`.\n *\n * In production, unexpected errors (non-ActionError) return `{ code: 'INTERNAL_ERROR' }`\n * with no message. In dev, `data.message` is included.\n */\nexport class ActionError<TCode extends string = string> extends Error {\n  readonly code: TCode;\n  readonly data: Record<string, unknown> | undefined;\n\n  constructor(code: TCode, data?: Record<string, unknown>) {\n    super(`ActionError: ${code}`);\n    this.name = 'ActionError';\n    this.code = code;\n    this.data = data;\n  }\n}\n\n// ─── Standard Schema ──────────────────────────────────────────────────────\n\n/**\n * Standard Schema v1 interface (subset).\n * Zod ≥3.24, Valibot ≥1.0, and ArkType all implement this.\n * See https://github.com/standard-schema/standard-schema\n *\n * We use permissive types here to accept all compliant libraries without\n * requiring exact structural matches on issues/path shapes.\n */\ninterface StandardSchemaV1<Output = unknown> {\n  '~standard': {\n    validate(value: unknown): StandardSchemaResult<Output> | Promise<StandardSchemaResult<Output>>;\n  };\n}\n\ntype StandardSchemaResult<Output> =\n  | { value: Output; issues?: undefined }\n  | { value?: undefined; issues: ReadonlyArray<StandardSchemaIssue> };\n\ninterface StandardSchemaIssue {\n  message: string;\n  path?: ReadonlyArray<PropertyKey | { key: PropertyKey }>;\n}\n\n/** Check if a schema implements the Standard Schema protocol. */\nfunction isStandardSchema(schema: unknown): schema is StandardSchemaV1 {\n  return (\n    typeof schema === 'object' &&\n    schema !== null &&\n    '~standard' in schema &&\n    typeof (schema as StandardSchemaV1)['~standard'].validate === 'function'\n  );\n}\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Minimal schema interface — compatible with Zod, Valibot, ArkType, etc.\n *\n * Accepts either:\n * - Standard Schema (preferred): any object with `~standard.validate()`\n * - Legacy parse interface: objects with `.parse()` / `.safeParse()`\n *\n * At runtime, Standard Schema is detected via `~standard` property and\n * takes priority over the legacy interface.\n */\nexport type ActionSchema<T = unknown> = StandardSchemaV1<T> | LegacyActionSchema<T>;\n\n/** Legacy schema interface with .parse() / .safeParse(). */\ninterface LegacyActionSchema<T = unknown> {\n  'parse'(data: unknown): T;\n  'safeParse'?(data: unknown): { success: true; data: T } | { success: false; error: SchemaError };\n  // Exclude Standard Schema objects from matching this interface\n  '~standard'?: never;\n}\n\n/** Schema validation error shape (for legacy .safeParse()/.parse() interface). */\nexport interface SchemaError {\n  issues?: Array<{ path?: Array<string | number>; message: string }>;\n  flatten?(): { fieldErrors: Record<string, string[]> };\n}\n\n/** Flattened validation errors keyed by field name. */\nexport type ValidationErrors = Record<string, string[]>;\n\n/** Middleware function: returns context to merge into the action body's ctx. */\nexport type ActionMiddleware<TCtx = Record<string, unknown>> = () => Promise<TCtx> | TCtx;\n\n/** The result type returned to the client. */\nexport type ActionResult<TData = unknown> =\n  | { data: TData; validationErrors?: never; serverError?: never; submittedValues?: never }\n  | {\n      data?: never;\n      validationErrors: ValidationErrors;\n      serverError?: never;\n      /** Raw input values on validation failure — for repopulating form fields. */\n      submittedValues?: Record<string, unknown>;\n    }\n  | {\n      data?: never;\n      validationErrors?: never;\n      serverError: { code: string; data?: Record<string, unknown> };\n      submittedValues?: never;\n    };\n\n/** Context passed to the action body. */\nexport interface ActionContext<TCtx, TInput> {\n  ctx: TCtx;\n  input: TInput;\n}\n\n// ─── Builder ─────────────────────────────────────────────────────────────\n\ninterface ActionClientConfig<TCtx> {\n  middleware?: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[];\n  /** Max file size in bytes. Files exceeding this are rejected with validation errors. */\n  fileSizeLimit?: number;\n  /**\n   * Override the sensitive-field deny-list for this action client.\n   * See `SensitiveFieldsOption` in `./sensitive-fields.ts`. Per-action config\n   * takes precedence over the global `forms.stripSensitiveFields` option in\n   * `timber.config.ts`. See design/08-forms-and-actions.md and TIM-816.\n   */\n  stripSensitiveFields?: SensitiveFieldsOption;\n}\n\n/** Intermediate builder returned by createActionClient(). */\nexport interface ActionBuilder<TCtx> {\n  /** Declare the input schema. Validation errors are returned typed. */\n  schema<TInput>(schema: ActionSchema<TInput>): ActionBuilderWithSchema<TCtx, TInput>;\n  /** Define the action body without input validation. */\n  action<TData>(\n    fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n  ): ActionFn<TData, undefined>;\n}\n\n/** Builder after .schema() has been called. */\nexport interface ActionBuilderWithSchema<TCtx, TInput> {\n  /** Define the action body with validated input. */\n  action<TData>(fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>): ActionFn<TData, TInput>;\n}\n\n/**\n * The final action function. Callable three ways:\n * - Direct: action(input) → Promise<ActionResult<TData>>\n * - React useActionState: action(prevState, formData) → Promise<ActionResult<TData>>\n * - React <form action={fn}>: action(formData) → void  (return value ignored by React)\n *\n * The third overload exists purely for type compatibility with React's\n * `<form action>` prop, which expects `(formData: FormData) => void`.\n * At runtime the function still returns Promise<ActionResult>, but React\n * discards it. This lets validated actions be passed directly to forms\n * without casts.\n */\n/**\n * Map schema output keys to `string | undefined` for form-facing APIs.\n * HTML form values are always strings, and fields can be absent.\n * Gives autocomplete for field names without lying about value types.\n */\nexport type InputHint<T> =\n  T extends Record<string, unknown> ? { [K in keyof T]: string | undefined } : T;\n\n/**\n * ActionFn — the callable returned by `createActionClient().action()`.\n *\n * Generic order: `<TData, TInput>` — TData first for backward compatibility.\n * Previously ActionFn had a single `<TData>` generic, so existing code like\n * `ActionFn<MyResult>` must still work with TData in the first position.\n * See TIM-797.\n */\nexport type ActionFn<TData = unknown, TInput = unknown> = {\n  /** <form action={fn}> compatibility — React discards the return value. */\n  (formData: FormData): void;\n  /** Direct call: action(input) — optional when TInput is undefined/unknown (no-schema actions). */\n  (\n    ...args: undefined extends TInput ? [input?: TInput] : [input: TInput]\n  ): Promise<ActionResult<TData>>;\n  /** React useActionState: action(prevState, formData) */\n  (prevState: ActionResult<TData> | null, formData: FormData): Promise<ActionResult<TData>>;\n};\n\n// ─── Implementation ──────────────────────────────────────────────────────\n\n/**\n * Run middleware array or single function. Returns merged context.\n */\nasync function runActionMiddleware<TCtx>(\n  middleware: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[] | undefined\n): Promise<TCtx> {\n  if (!middleware) {\n    return {} as TCtx;\n  }\n\n  if (Array.isArray(middleware)) {\n    let merged = {} as Record<string, unknown>;\n    for (const mw of middleware) {\n      const result = await mw();\n      merged = { ...merged, ...result };\n    }\n    return merged as TCtx;\n  }\n\n  return await middleware();\n}\n\n// Re-export parseFormData for use throughout the framework\nimport { parseFormData } from './form-data.js';\nimport { formatSize } from '../utils/format.js';\nimport { isDebug, isDevMode } from './debug.js';\nimport { RedirectSignal, DenySignal } from './primitives.js';\nimport {\n  stripSensitiveFields,\n  resolveSensitivePredicate,\n  getGlobalSensitiveFieldsConfig,\n  type SensitiveFieldsOption,\n} from './sensitive-fields.js';\n\n/**\n * Extract validation errors from a schema error.\n * Supports Zod's flatten() and generic issues array.\n */\nfunction extractValidationErrors(error: SchemaError): ValidationErrors {\n  // Zod-style flatten\n  if (typeof error.flatten === 'function') {\n    return error.flatten().fieldErrors;\n  }\n\n  // Generic issues array\n  if (error.issues) {\n    const errors: ValidationErrors = {};\n    for (const issue of error.issues) {\n      const path = issue.path?.join('.') ?? '_root';\n      if (!errors[path]) errors[path] = [];\n      errors[path].push(issue.message);\n    }\n    return errors;\n  }\n\n  return { _root: ['Validation failed'] };\n}\n\n/**\n * Extract validation errors from Standard Schema issues.\n */\nfunction extractStandardSchemaErrors(issues: ReadonlyArray<StandardSchemaIssue>): ValidationErrors {\n  const errors: ValidationErrors = {};\n  for (const issue of issues) {\n    const path =\n      issue.path\n        ?.map((p) => {\n          // Standard Schema path items can be { key: ... } objects or bare PropertyKey values\n          if (typeof p === 'object' && p !== null && 'key' in p) return String(p.key);\n          return String(p);\n        })\n        .join('.') ?? '_root';\n    if (!errors[path]) errors[path] = [];\n    errors[path].push(issue.message);\n  }\n  return Object.keys(errors).length > 0 ? errors : { _root: ['Validation failed'] };\n}\n\n/**\n * Wrap unexpected errors into a safe server error result.\n * ActionError → typed result. Other errors → INTERNAL_ERROR (no leak).\n *\n * Exported for use by action-handler.ts to catch errors from raw 'use server'\n * functions that don't use createActionClient.\n */\nexport function handleActionError(error: unknown): ActionResult<never> {\n  if (error instanceof ActionError) {\n    return {\n      serverError: {\n        code: error.code,\n        ...(error.data ? { data: error.data } : {}),\n      },\n    };\n  }\n\n  // In dev, include the message for debugging.\n  // Uses isDevMode() — NOT isDebug() — because this data is sent to the\n  // browser. TIMBER_DEBUG must never cause error messages to leak to clients.\n  // See design/13-security.md principle 4: \"Errors don't leak.\"\n  const devMode = isDevMode();\n  return {\n    serverError: {\n      code: 'INTERNAL_ERROR',\n      ...(devMode && error instanceof Error ? { data: { message: error.message } } : {}),\n    },\n  };\n}\n\n/**\n * Create a typed action client with middleware and schema validation.\n *\n * @example\n * ```ts\n * const action = createActionClient({\n *   middleware: async () => {\n *     const user = await getUser()\n *     if (!user) throw new ActionError('UNAUTHORIZED')\n *     return { user }\n *   },\n * })\n *\n * export const createTodo = action\n *   .schema(z.object({ title: z.string().min(1) }))\n *   .action(async ({ input, ctx }) => {\n *     await db.todos.create({ ...input, userId: ctx.user.id })\n *   })\n * ```\n */\nexport function createActionClient<TCtx = Record<string, never>>(\n  config: ActionClientConfig<TCtx> = {}\n): ActionBuilder<TCtx> {\n  function buildAction<TInput, TData>(\n    schema: ActionSchema<TInput> | undefined,\n    fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n  ): ActionFn<TData, TInput> {\n    async function actionHandler(...args: unknown[]): Promise<ActionResult<TData>> {\n      try {\n        // Run middleware\n        const ctx = await runActionMiddleware(config.middleware);\n\n        // Determine input — either FormData (from useActionState) or direct arg\n        let rawInput: unknown;\n        if (args.length === 2 && args[1] instanceof FormData) {\n          // Called as (prevState, formData) by React useActionState (with-JS path)\n          rawInput = schema ? parseFormData(args[1]) : args[1];\n        } else if (args.length === 1 && args[0] instanceof FormData) {\n          // No-JS path: React's decodeAction binds FormData as the sole argument.\n          // The form POSTs without JavaScript, decodeAction resolves the server\n          // reference and binds the FormData, then executeAction calls fn() with\n          // no additional args — so the bound FormData arrives as args[0].\n          rawInput = schema ? parseFormData(args[0]) : args[0];\n        } else {\n          // Direct call: action(input)\n          rawInput = args[0];\n        }\n\n        // Resolve the sensitive-field stripping predicate once per invocation.\n        // Precedence: per-action (config.stripSensitiveFields) > global\n        // (forms.stripSensitiveFields from timber.config.ts) > built-in deny-list.\n        // See TIM-816.\n        const sensitivePredicate = resolveSensitivePredicate(\n          config.stripSensitiveFields,\n          getGlobalSensitiveFieldsConfig()\n        );\n\n        // Capture a \"safe-to-echo\" snapshot of the raw input once. Files are\n        // stripped (can't serialize, shouldn't echo back) and sensitive fields\n        // (passwords, tokens, CVV, etc.) are removed before they would land\n        // in the RSC payload → client form `defaultValue` → DOM.\n        const buildSubmittedValues = (): Record<string, unknown> | undefined => {\n          const withoutFiles = stripFiles(rawInput);\n          if (withoutFiles === undefined) return undefined;\n          return stripSensitiveFields(withoutFiles, sensitivePredicate);\n        };\n\n        // Validate file sizes before schema validation.\n        if (config.fileSizeLimit !== undefined && rawInput && typeof rawInput === 'object') {\n          const fileSizeErrors = validateFileSizes(\n            rawInput as Record<string, unknown>,\n            config.fileSizeLimit\n          );\n          if (fileSizeErrors) {\n            return { validationErrors: fileSizeErrors, submittedValues: buildSubmittedValues() };\n          }\n        }\n\n        // Capture submitted values for repopulation on validation failure.\n        const submittedValues = schema ? buildSubmittedValues() : undefined;\n\n        // Validate with schema if provided\n        let input: TInput;\n        if (schema) {\n          if (isStandardSchema(schema)) {\n            // Standard Schema protocol (Zod ≥3.24, Valibot ≥1.0, ArkType)\n            const result = schema['~standard'].validate(rawInput);\n            if (result instanceof Promise) {\n              throw new Error(\n                '[timber] createActionClient: schema returned a Promise — only sync schemas are supported.'\n              );\n            }\n            if (result.issues) {\n              const validationErrors = extractStandardSchemaErrors(result.issues);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.value;\n          } else if (typeof schema.safeParse === 'function') {\n            const result = schema.safeParse(rawInput);\n            if (!result.success) {\n              const validationErrors = extractValidationErrors(result.error);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n            input = result.data;\n          } else {\n            try {\n              input = schema.parse(rawInput);\n            } catch (parseError) {\n              const validationErrors = extractValidationErrors(parseError as SchemaError);\n              logValidationFailure(validationErrors);\n              return { validationErrors, submittedValues };\n            }\n          }\n        } else {\n          input = rawInput as TInput;\n        }\n\n        // Execute the action body\n        const data = await fn({ ctx, input });\n        return { data };\n      } catch (error) {\n        // Re-throw redirect/deny signals — these are control flow, not errors.\n        // They must propagate to executeAction() which converts them to proper\n        // HTTP responses (302 redirect, 4xx deny). Catching them here would\n        // wrap them as INTERNAL_ERROR and break redirect()/redirectExternal()/deny().\n        if (error instanceof RedirectSignal || error instanceof DenySignal) {\n          throw error;\n        }\n        return handleActionError(error);\n      }\n    }\n\n    return actionHandler as ActionFn<TData, TInput>;\n  }\n\n  return {\n    schema<TInput>(schema: ActionSchema<TInput>) {\n      return {\n        action<TData>(\n          fn: (ctx: ActionContext<TCtx, TInput>) => Promise<TData>\n        ): ActionFn<TData, TInput> {\n          return buildAction(schema, fn);\n        },\n      };\n    },\n    action<TData>(\n      fn: (ctx: ActionContext<TCtx, undefined>) => Promise<TData>\n    ): ActionFn<TData, undefined> {\n      return buildAction(undefined, fn as (ctx: ActionContext<TCtx, unknown>) => Promise<TData>);\n    },\n  };\n}\n\n// ─── validated() ────────────────────────────────────────────────────────\n\n/**\n * Convenience wrapper for the common case: validate input, run handler.\n * No middleware needed.\n *\n * @example\n * ```ts\n * 'use server'\n * import { validated } from '@timber-js/app/server'\n * import { z } from 'zod'\n *\n * export const createTodo = validated(\n *   z.object({ title: z.string().min(1) }),\n *   async (input) => {\n *     await db.todos.create(input)\n *   }\n * )\n * ```\n */\nexport function validated<TInput, TData>(\n  schema: ActionSchema<TInput>,\n  handler: (input: TInput) => Promise<TData>\n): ActionFn<TData, TInput> {\n  return createActionClient()\n    .schema(schema)\n    .action(async ({ input }) => handler(input));\n}\n\n// ─── Helpers ────────────────────────────────────────────────────────────\n\n/**\n * Log validation failures in dev mode so developers can see what went wrong.\n * In production, validation errors are only returned to the client.\n */\nfunction logValidationFailure(errors: ValidationErrors): void {\n  const isDev = isDebug();\n  if (!isDev) return;\n\n  const fields = Object.entries(errors)\n    .map(([field, messages]) => `  ${field}: ${messages.join(', ')}`)\n    .join('\\n');\n  console.warn(`[timber] action schema validation failed:\\n${fields}`);\n}\n\n/**\n * Validate that all File objects in the input are within the size limit.\n * Returns validation errors keyed by field name, or null if all files are ok.\n */\nfunction validateFileSizes(input: Record<string, unknown>, limit: number): ValidationErrors | null {\n  const errors: ValidationErrors = {};\n  const limitKb = Math.round(limit / 1024);\n  const limitLabel =\n    limit >= 1024 * 1024 ? `${Math.round(limit / (1024 * 1024))}MB` : `${limitKb}KB`;\n\n  for (const [key, value] of Object.entries(input)) {\n    if (value instanceof File && value.size > limit) {\n      errors[key] = [\n        `File \"${value.name}\" (${formatSize(value.size)}) exceeds the ${limitLabel} limit`,\n      ];\n    } else if (Array.isArray(value)) {\n      const oversized = value.filter((item) => item instanceof File && item.size > limit);\n      if (oversized.length > 0) {\n        errors[key] = oversized.map(\n          (f: File) => `File \"${f.name}\" (${formatSize(f.size)}) exceeds the ${limitLabel} limit`\n        );\n      }\n    }\n  }\n\n  return Object.keys(errors).length > 0 ? errors : null;\n}\n\n/**\n * Strip File objects from a value, returning a plain object safe for\n * serialization. File objects can't be serialized and shouldn't be echoed back.\n */\nfunction stripFiles(value: unknown): Record<string, unknown> | undefined {\n  if (value === null || value === undefined) return undefined;\n  if (typeof value !== 'object') return undefined;\n\n  const result: Record<string, unknown> = {};\n  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {\n    if (v instanceof File) continue;\n    if (Array.isArray(v)) {\n      result[k] = v.filter((item) => !(item instanceof File));\n    } else if (typeof v === 'object' && v !== null && !(v instanceof File)) {\n      result[k] = stripFiles(v) ?? {};\n    } else {\n      result[k] = v;\n    }\n  }\n  return result;\n}\n","/**\n * Form Flash — ALS-based store for no-JS form action results.\n *\n * When a no-JS form action completes, the server re-renders the page with\n * the action result injected via AsyncLocalStorage instead of redirecting\n * (which would discard the result). Server components read the flash and\n * pass it to client form components as the initial `useActionState` value.\n *\n * This follows the Remix/Rails pattern — the form component becomes the\n * single source of truth for both with-JS (React state) and no-JS (flash).\n *\n * The flash data is server-side only — never serialized to cookies or headers.\n *\n * See design/08-forms-and-actions.md §\"No-JS Error Round-Trip\"\n */\n\nimport type { ValidationErrors } from './action-client.js';\nimport { formFlashAls } from './als-registry.js';\n\n// ─── Types ───────────────────────────────────────────────────────────────\n\n/**\n * Flash data injected into the re-render after a no-JS form submission.\n *\n * This is the action result from the server action, stored in ALS so server\n * components can read it and pass it to client form components as the initial\n * state for `useActionState`. This makes the form component a single source\n * of truth for both with-JS and no-JS paths.\n *\n * The shape matches `ActionResult<unknown>` — it's one of:\n * - `{ data: ... }` — success\n * - `{ validationErrors, submittedValues }` — validation failure\n * - `{ serverError }` — server error\n */\nexport interface FormFlashData {\n  /** Success data from the action. */\n  data?: unknown;\n  /** Validation errors keyed by field name. `_root` for form-level errors. */\n  validationErrors?: ValidationErrors;\n  /** Raw submitted values for repopulating form fields. File objects are excluded. */\n  submittedValues?: Record<string, unknown>;\n  /** Server error if the action threw an ActionError. */\n  serverError?: { code: string; data?: Record<string, unknown> };\n}\n\n// ─── Public API ──────────────────────────────────────────────────────────\n\n/**\n * Read the form flash data for the current request.\n *\n * Returns `null` if no flash data is present (i.e., this is a normal page\n * render, not a re-render after a no-JS form submission).\n *\n * Pass the flash as the initial state to `useActionState` so the form\n * component has a single source of truth for both with-JS and no-JS paths:\n *\n * ```tsx\n * // app/contact/page.tsx (server component)\n * import { getFormFlash } from '@timber-js/app/server'\n *\n * export default function ContactPage() {\n *   const flash = getFormFlash()\n *   return <ContactForm flash={flash} />\n * }\n *\n * // app/contact/form.tsx (client component)\n * export function ContactForm({ flash }) {\n *   const [result, action, isPending] = useActionState(submitContact, flash)\n *   // result is the single source of truth — flash seeds it on no-JS\n * }\n * ```\n */\nexport function getFormFlash(): FormFlashData | null {\n  return formFlashAls.getStore() ?? null;\n}\n\n// ─── Framework-Internal ──────────────────────────────────────────────────\n\n/**\n * Run a callback with form flash data in scope.\n *\n * Used by the action handler to re-render the page with validation errors\n * available via `getFormFlash()`. Not part of the public API.\n *\n * @internal\n */\nexport function runWithFormFlash<T>(data: FormFlashData, fn: () => T): T {\n  return formFlashAls.run(data, fn);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmDA,IAAM,6BAAgD;CACpD;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;;;;;;;AAQD,IAAM,yBAA4C,CAAC,QAAQ;;;;;;;AAQ3D,SAAS,UAAU,MAAsB;CACvC,IAAI,MAAM;AACV,MAAK,IAAI,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;EACpC,MAAM,KAAK,KAAK,WAAW,EAAE;AAC7B,MAAI,OAAO,MAAgB,OAAO,GAAc;AAEhD,MAAI,MAAM,MAAQ,MAAM,GACtB,QAAO,OAAO,aAAa,KAAK,GAAG;MAEnC,QAAO,KAAK;;AAGhB,QAAO;;;;;;AAOT,SAAS,mBAAmB,MAAc,QAAqC;CAC7E,MAAM,aAAa,UAAU,KAAK;AAClC,KAAI,uBAAuB,SAAS,WAAW,CAAE,QAAO;AACxD,MAAK,MAAM,WAAW,2BACpB,KAAI,WAAW,SAAS,QAAQ,CAAE,QAAO;AAE3C,KAAI,UAAU,OAAO,SAAS,EAC5B,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,YAAY,UAAU,MAAM;AAClC,MAAI,UAAU,WAAW,EAAG;AAC5B,MAAI,WAAW,SAAS,UAAU,CAAE,QAAO;;AAG/C,QAAO;;;;;;;;;;;;;AAsBT,SAAgB,0BACd,WACA,QAC4B;CAC5B,MAAM,SAAS,cAAc,KAAA,IAAY,YAAY;AAErD,KAAI,WAAW,MAAO,QAAO;AAC7B,KAAI,WAAW,KAAA,KAAa,WAAW,KACrC,SAAQ,SAAS,mBAAmB,KAAK;AAE3C,KAAI,OAAO,WAAW,WACpB,QAAO;CAGT,MAAM,SAAS;AACf,SAAQ,SAAS,mBAAmB,MAAM,OAAO;;AAKnD,IAAI;;AAWJ,SAAgB,iCAAoE;AAClF,QAAO;;AAOT,IAAM,+BAAe,IAAI,KAAa;AAEtC,SAAS,aAAa,MAAoB;AACxC,KAAI,CAAC,SAAS,CAAE;AAChB,KAAI,aAAa,IAAI,KAAK,CAAE;AAC5B,cAAa,IAAI,KAAK;AACtB,SAAQ,KACN,sCAAsC,KAAK,sFAE5C;;;;;;;;;;;;;AAcH,SAAgB,qBAAwB,OAAU,WAA0C;AAE1F,KAAI,cAAc,KAAM,QAAO;AAC/B,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO;AACtC,KAAI,iBAAiB,QAAQ,iBAAiB,KAAM,QAAO;AAE3D,KAAI,MAAM,QAAQ,MAAM,CACtB,QAAO,MAAM,KAAK,SAAS,qBAAqB,MAAM,UAAU,CAAC;CAGnE,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,KAAK,WAAW,OAAO,QAAQ,MAAiC,EAAE;AAC5E,MAAI,UAAU,IAAI,EAAE;AAClB,gBAAa,IAAI;AACjB;;AAEF,SAAO,OAAO,qBAAqB,QAAQ,UAAU;;AAEvD,QAAO;;;;;;;;;;;;;;;;;;;;;;;;ACtMT,IAAa,cAAb,cAAgE,MAAM;CACpE;CACA;CAEA,YAAY,MAAa,MAAgC;AACvD,QAAM,gBAAgB,OAAO;AAC7B,OAAK,OAAO;AACZ,OAAK,OAAO;AACZ,OAAK,OAAO;;;;AA8BhB,SAAS,iBAAiB,QAA6C;AACrE,QACE,OAAO,WAAW,YAClB,WAAW,QACX,eAAe,UACf,OAAQ,OAA4B,aAAa,aAAa;;;;;AAwIlE,eAAe,oBACb,YACe;AACf,KAAI,CAAC,WACH,QAAO,EAAE;AAGX,KAAI,MAAM,QAAQ,WAAW,EAAE;EAC7B,IAAI,SAAS,EAAE;AACf,OAAK,MAAM,MAAM,YAAY;GAC3B,MAAM,SAAS,MAAM,IAAI;AACzB,YAAS;IAAE,GAAG;IAAQ,GAAG;IAAQ;;AAEnC,SAAO;;AAGT,QAAO,MAAM,YAAY;;;;;;AAmB3B,SAAS,wBAAwB,OAAsC;AAErE,KAAI,OAAO,MAAM,YAAY,WAC3B,QAAO,MAAM,SAAS,CAAC;AAIzB,KAAI,MAAM,QAAQ;EAChB,MAAM,SAA2B,EAAE;AACnC,OAAK,MAAM,SAAS,MAAM,QAAQ;GAChC,MAAM,OAAO,MAAM,MAAM,KAAK,IAAI,IAAI;AACtC,OAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,UAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,SAAO;;AAGT,QAAO,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;AAMzC,SAAS,4BAA4B,QAA8D;CACjG,MAAM,SAA2B,EAAE;AACnC,MAAK,MAAM,SAAS,QAAQ;EAC1B,MAAM,OACJ,MAAM,MACF,KAAK,MAAM;AAEX,OAAI,OAAO,MAAM,YAAY,MAAM,QAAQ,SAAS,EAAG,QAAO,OAAO,EAAE,IAAI;AAC3E,UAAO,OAAO,EAAE;IAChB,CACD,KAAK,IAAI,IAAI;AAClB,MAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,SAAO,MAAM,KAAK,MAAM,QAAQ;;AAElC,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS,EAAE,OAAO,CAAC,oBAAoB,EAAE;;;;;;;;;AAUnF,SAAgB,kBAAkB,OAAqC;AACrE,KAAI,iBAAiB,YACnB,QAAO,EACL,aAAa;EACX,MAAM,MAAM;EACZ,GAAI,MAAM,OAAO,EAAE,MAAM,MAAM,MAAM,GAAG,EAAE;EAC3C,EACF;AAQH,QAAO,EACL,aAAa;EACX,MAAM;EACN,GAJY,WAAW,IAIR,iBAAiB,QAAQ,EAAE,MAAM,EAAE,SAAS,MAAM,SAAS,EAAE,GAAG,EAAE;EAClF,EACF;;;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,mBACd,SAAmC,EAAE,EAChB;CACrB,SAAS,YACP,QACA,IACyB;EACzB,eAAe,cAAc,GAAG,MAA+C;AAC7E,OAAI;IAEF,MAAM,MAAM,MAAM,oBAAoB,OAAO,WAAW;IAGxD,IAAI;AACJ,QAAI,KAAK,WAAW,KAAK,KAAK,cAAc,SAE1C,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;aACzC,KAAK,WAAW,KAAK,KAAK,cAAc,SAKjD,YAAW,SAAS,cAAc,KAAK,GAAG,GAAG,KAAK;QAGlD,YAAW,KAAK;IAOlB,MAAM,qBAAqB,0BACzB,OAAO,sBACP,gCAAgC,CACjC;IAMD,MAAM,6BAAkE;KACtE,MAAM,eAAe,WAAW,SAAS;AACzC,SAAI,iBAAiB,KAAA,EAAW,QAAO,KAAA;AACvC,YAAO,qBAAqB,cAAc,mBAAmB;;AAI/D,QAAI,OAAO,kBAAkB,KAAA,KAAa,YAAY,OAAO,aAAa,UAAU;KAClF,MAAM,iBAAiB,kBACrB,UACA,OAAO,cACR;AACD,SAAI,eACF,QAAO;MAAE,kBAAkB;MAAgB,iBAAiB,sBAAsB;MAAE;;IAKxF,MAAM,kBAAkB,SAAS,sBAAsB,GAAG,KAAA;IAG1D,IAAI;AACJ,QAAI,OACF,KAAI,iBAAiB,OAAO,EAAE;KAE5B,MAAM,SAAS,OAAO,aAAa,SAAS,SAAS;AACrD,SAAI,kBAAkB,QACpB,OAAM,IAAI,MACR,4FACD;AAEH,SAAI,OAAO,QAAQ;MACjB,MAAM,mBAAmB,4BAA4B,OAAO,OAAO;AACnE,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;eACN,OAAO,OAAO,cAAc,YAAY;KACjD,MAAM,SAAS,OAAO,UAAU,SAAS;AACzC,SAAI,CAAC,OAAO,SAAS;MACnB,MAAM,mBAAmB,wBAAwB,OAAO,MAAM;AAC9D,2BAAqB,iBAAiB;AACtC,aAAO;OAAE;OAAkB;OAAiB;;AAE9C,aAAQ,OAAO;UAEf,KAAI;AACF,aAAQ,OAAO,MAAM,SAAS;aACvB,YAAY;KACnB,MAAM,mBAAmB,wBAAwB,WAA0B;AAC3E,0BAAqB,iBAAiB;AACtC,YAAO;MAAE;MAAkB;MAAiB;;QAIhD,SAAQ;AAKV,WAAO,EAAE,MADI,MAAM,GAAG;KAAE;KAAK;KAAO,CAAC,EACtB;YACR,OAAO;AAKd,QAAI,iBAAiB,kBAAkB,iBAAiB,WACtD,OAAM;AAER,WAAO,kBAAkB,MAAM;;;AAInC,SAAO;;AAGT,QAAO;EACL,OAAe,QAA8B;AAC3C,UAAO,EACL,OACE,IACyB;AACzB,WAAO,YAAY,QAAQ,GAAG;MAEjC;;EAEH,OACE,IAC4B;AAC5B,UAAO,YAAY,KAAA,GAAW,GAA4D;;EAE7F;;;;;;;;;;;;;;;;;;;;AAuBH,SAAgB,UACd,QACA,SACyB;AACzB,QAAO,oBAAoB,CACxB,OAAO,OAAO,CACd,OAAO,OAAO,EAAE,YAAY,QAAQ,MAAM,CAAC;;;;;;AAShD,SAAS,qBAAqB,QAAgC;AAE5D,KAAI,CADU,SAAS,CACX;CAEZ,MAAM,SAAS,OAAO,QAAQ,OAAO,CAClC,KAAK,CAAC,OAAO,cAAc,KAAK,MAAM,IAAI,SAAS,KAAK,KAAK,GAAG,CAChE,KAAK,KAAK;AACb,SAAQ,KAAK,8CAA8C,SAAS;;;;;;AAOtE,SAAS,kBAAkB,OAAgC,OAAwC;CACjG,MAAM,SAA2B,EAAE;CACnC,MAAM,UAAU,KAAK,MAAM,QAAQ,KAAK;CACxC,MAAM,aACJ,SAAS,OAAO,OAAO,GAAG,KAAK,MAAM,SAAS,OAAO,MAAM,CAAC,MAAM,GAAG,QAAQ;AAE/E,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,CAC9C,KAAI,iBAAiB,QAAQ,MAAM,OAAO,MACxC,QAAO,OAAO,CACZ,SAAS,MAAM,KAAK,KAAK,WAAW,MAAM,KAAK,CAAC,gBAAgB,WAAW,QAC5E;UACQ,MAAM,QAAQ,MAAM,EAAE;EAC/B,MAAM,YAAY,MAAM,QAAQ,SAAS,gBAAgB,QAAQ,KAAK,OAAO,MAAM;AACnF,MAAI,UAAU,SAAS,EACrB,QAAO,OAAO,UAAU,KACrB,MAAY,SAAS,EAAE,KAAK,KAAK,WAAW,EAAE,KAAK,CAAC,gBAAgB,WAAW,QACjF;;AAKP,QAAO,OAAO,KAAK,OAAO,CAAC,SAAS,IAAI,SAAS;;;;;;AAOnD,SAAS,WAAW,OAAqD;AACvE,KAAI,UAAU,QAAQ,UAAU,KAAA,EAAW,QAAO,KAAA;AAClD,KAAI,OAAO,UAAU,SAAU,QAAO,KAAA;CAEtC,MAAM,SAAkC,EAAE;AAC1C,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,MAAiC,EAAE;AACrE,MAAI,aAAa,KAAM;AACvB,MAAI,MAAM,QAAQ,EAAE,CAClB,QAAO,KAAK,EAAE,QAAQ,SAAS,EAAE,gBAAgB,MAAM;WAC9C,OAAO,MAAM,YAAY,MAAM,QAAQ,EAAE,aAAa,MAC/D,QAAO,KAAK,WAAW,EAAE,IAAI,EAAE;MAE/B,QAAO,KAAK;;AAGhB,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACleT,SAAgB,eAAqC;AACnD,QAAO,aAAa,UAAU,IAAI"}

package/dist/server/internal.d.ts

@@ -1,4 +1,6 @@
-export { setSegmentParams, runWithRequestContext, setMutableCookieContext, markResponseFlushed, getSetCookieHeaders, } from './request-context.js';
+export { getSearchParams, getSegmentParams, getHeader, setSegmentParams, runWithRequestContext, setMutableCookieContext, markResponseFlushed, } from './request-context.js';
+export { getCookie, getSetCookieHeaders } from './cookie-context.js';
+export { coerce } from './form-data.js';
 export { DenySignal, RedirectSignal, RenderError } from './primitives.js';
 export type { RenderErrorDigest } from './primitives.js';
 export { createPipeline } from './pipeline.js';
@@ -14,7 +16,7 @@ export type { ProxyFn, ProxyExport } from './proxy.js';
 export { runMiddleware } from './middleware-runner.js';
 export type { MiddlewareFn } from './middleware-runner.js';
 export { buildElementTree } from './tree-builder.js';
-export type { TreeBuilderConfig, TreeBuildResult, LoadedModule, ModuleLoader, AccessGateProps, SlotAccessGateProps, ErrorBoundaryProps, } from './tree-builder.js';
+export type { TreeBuilderConfig, TreeBuildResult, LoadedModule, LoadedComponent, ModuleLoader, AccessGateProps, SlotAccessGateProps, ErrorBoundaryProps, } from './tree-builder.js';
 export { AccessGate, SlotAccessGate } from './access-gate.js';
 export { resolveStatusFile, resolveSlotDenied } from './status-code-resolver.js';
 export type { StatusFileResolution, StatusFileKind, StatusFileFormat, SlotDeniedResolution, SlotDeniedKind, } from './status-code-resolver.js';
@@ -37,8 +39,8 @@ export { logRequestCompleted, logRequestReceived, logSlowRequest, logMiddlewareS
 export type { TimberLogger } from './logger.js';
 export { loadInstrumentation, callOnRequestError, hasOnRequestError } from './instrumentation.js';
 export type { InstrumentationOnRequestError, InstrumentationRequestInfo, InstrumentationErrorContext, } from './instrumentation.js';
-export { warnSuspenseWrappingChildren, warnDenyInSuspense, warnRedirectInSuspense, warnRedirectInAccess, warnStaticRequestApi, warnSlowSlotWithoutSuspense, setViteServer, WarningId, } from './dev-warnings.js';
-export type { DevWarningConfig } from './dev-warnings.js';
+export { warnSuspenseWrappingChildren, warnDenyInSuspense, warnRedirectInSuspense, warnRedirectInAccess, warnStaticRequestApi, warnSlowSlotWithoutSuspense, setViteServer, WarningId, } from '../dev-tools/warnings.js';
+export type { DevWarningConfig } from '../dev-tools/warnings.js';
 export { handleRouteRequest, resolveAllowedMethods } from './route-handler.js';
 export type { RouteModule, RouteHandler, HttpMethod } from './route-handler.js';
 export { RenderTimeoutError } from './render-timeout.js';