@zenithbuild/cli 0.7.3 → 0.7.4

package/dist/preview.js

@@ -14,10 +14,15 @@ import { access, readFile } from 'node:fs/promises';
 import { extname, join, normalize, resolve, sep, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { appLocalRedirectLocation, imageEndpointPath, normalizeBasePath, routeCheckPath, stripBasePath } from './base-path.js';
-import { isConfigKeyExplicit, loadConfig, validateConfig } from './config.js';
+import { resolveBuildAdapter } from './adapters/resolve-adapter.js';
+import { isConfigKeyExplicit, isLoadedConfig, loadConfig, validateConfig } from './config.js';
 import { materializeImageMarkup } from './images/materialize.js';
 import { createImageRuntimePayload, injectImageRuntimePayload } from './images/payload.js';
 import { handleImageRequest } from './images/service.js';
+import { encodeRequestBodyBase64, readRequestBodyBuffer } from './request-body.js';
+import { createTrustedOriginResolver } from './request-origin.js';
+import { supportsTargetRouteCheck } from './route-check-support.js';
+import { clientFacingRouteMessage, defaultRouteDenyMessage, logServerException, sanitizeRouteResult } from './server-error.js';
 import { createSilentLogger } from './ui/logger.js';
 import { compareRouteSpecificity, matchRoute as matchManifestRoute, resolveRequestRoute } from './server/resolve-request-route.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -34,6 +39,7 @@ const MIME_TYPES = {
     '.avif': 'image/avif',
     '.gif': 'image/gif'
 };
+const IMAGE_RUNTIME_TAG_RE = /<script\b[^>]*\bid=(["'])zenith-image-runtime\1[^>]*>[\s\S]*?<\/script>/i;
 const SERVER_SCRIPT_RUNNER = String.raw `
 import vm from 'node:vm';
 import fs from 'node:fs/promises';
@@ -203,6 +209,13 @@ function ctxDeny(status = 403, message = undefined) {
     message: typeof message === 'string' ? message : undefined
   };
 }
+function ctxInvalid(payload, status = 400) {
+  return {
+    kind: 'invalid',
+    data: payload,
+    status: Number.isInteger(status) ? status : 400
+  };
+}
 function ctxData(payload) {
   return {
     kind: 'data',
@@ -210,10 +223,16 @@ function ctxData(payload) {
   };
 }
 
-const requestSnapshot = new Request(requestUrl, {
+const requestInit = {
   method: requestMethod,
   headers: new Headers(safeRequestHeaders)
-});
+};
+const requestBodyBase64 = String(process.env.ZENITH_SERVER_REQUEST_BODY_BASE64 || '');
+if (requestMethod !== 'GET' && requestMethod !== 'HEAD' && requestBodyBase64.length > 0) {
+  requestInit.body = Buffer.from(requestBodyBase64, 'base64');
+  requestInit.duplex = 'half';
+}
+const requestSnapshot = new Request(requestUrl, requestInit);
 const routeParams = { ...params };
 const routeMeta = {
   id: routeId,
@@ -229,6 +248,7 @@ const routeContext = {
   method: requestMethod,
   route: routeMeta,
   env: {},
+  action: null,
   auth: {
     async getSession(_ctx) {
       return null;
@@ -240,6 +260,7 @@ const routeContext = {
   allow: ctxAllow,
   redirect: ctxRedirect,
   deny: ctxDeny,
+  invalid: ctxInvalid,
   data: ctxData
 };
 
@@ -320,7 +341,7 @@ async function linkModule(specifier, parentIdentifier) {
   return loadFileModule(resolvedUrl);
 }
 
-const allowed = new Set(['data', 'load', 'guard', 'ssr_data', 'props', 'ssr', 'prerender']);
+const allowed = new Set(['data', 'load', 'guard', 'action', 'ssr_data', 'props', 'ssr', 'prerender']);
 const prelude = "const params = globalThis.params;\n" +
   "const ctx = globalThis.ctx;\n" +
   "import { resolveRouteResult } from 'zenith:server-contract';\n" +
@@ -372,13 +393,15 @@ try {
 
   process.stdout.write(JSON.stringify(resolved || null));
 } catch (error) {
-  const message = error instanceof Error ? error.message : String(error);
+  const message = error instanceof Error
+    ? (typeof error.stack === 'string' && error.stack.length > 0 ? error.stack : error.message)
+    : String(error);
+  process.stderr.write('[Zenith:Server] preview route execution failed\\n' + message + '\\n');
   process.stdout.write(
     JSON.stringify({
       __zenith_error: {
         status: 500,
-        code: 'LOAD_FAILED',
-        message
+        code: 'LOAD_FAILED'
       }
     })
   );
@@ -395,7 +418,9 @@ export async function createPreviewServer(options) {
     const loadedConfig = await loadConfig(resolvedProjectRoot);
     const resolvedConfig = options?.config && typeof options.config === 'object'
         ? (() => {
-            const overrideConfig = validateConfig(options.config);
+            const overrideConfig = isLoadedConfig(options.config)
+                ? options.config
+                : validateConfig(options.config);
             const mergedConfig = { ...loadedConfig };
             for (const key of Object.keys(overrideConfig)) {
                 if (isConfigKeyExplicit(overrideConfig, key)) {
@@ -411,7 +436,13 @@ export async function createPreviewServer(options) {
     const logger = providedLogger || createSilentLogger();
     const verboseLogging = logger.mode?.logLevel === 'verbose';
     const configuredBasePath = normalizeBasePath(config.basePath || '/');
+    const routeCheckEnabled = supportsTargetRouteCheck(resolveBuildAdapter(config).target);
     let actualPort = port;
+    const resolveServerOrigin = createTrustedOriginResolver({
+        host,
+        getPort: () => actualPort,
+        label: 'preview server'
+    });
     async function loadImageManifest() {
         try {
             const manifestRaw = await readFile(join(distDir, '_zenith', 'image', 'manifest.json'), 'utf8');
@@ -422,24 +453,17 @@ export async function createPreviewServer(options) {
             return {};
         }
     }
-    function publicHost() {
-        if (host === '0.0.0.0' || host === '::') {
-            return '127.0.0.1';
-        }
-        return host;
-    }
-    function serverOrigin() {
-        return `http://${publicHost()}:${actualPort}`;
-    }
     const server = createServer(async (req, res) => {
-        const requestBase = typeof req.headers.host === 'string' && req.headers.host.length > 0
-            ? `http://${req.headers.host}`
-            : serverOrigin();
-        const url = new URL(req.url, requestBase);
+        const url = new URL(req.url, resolveServerOrigin());
         const { basePath, routes } = await loadRouteManifestState(distDir, configuredBasePath);
         const canonicalPath = stripBasePath(url.pathname, basePath);
         try {
             if (url.pathname === routeCheckPath(basePath)) {
+                if (!routeCheckEnabled) {
+                    res.writeHead(501, { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' });
+                    res.end(JSON.stringify({ error: 'route_check_unsupported' }));
+                    return;
+                }
                 // Security: Require explicitly designated header to prevent public oracle probing
                 if (req.headers['x-zenith-route-check'] !== '1') {
                     res.writeHead(403, { 'Content-Type': 'application/json' });
@@ -509,7 +533,7 @@ export async function createPreviewServer(options) {
                     'Vary': 'Cookie'
                 });
                 res.end(JSON.stringify({
-                    result: checkResult?.result || checkResult,
+                    result: sanitizeRouteResult(checkResult?.result || checkResult),
                     routeId: resolvedCheck.route.route_id || '',
                     to: targetUrl.toString()
                 }));
@@ -557,33 +581,40 @@ export async function createPreviewServer(options) {
                 throw new Error('not found');
             }
             let ssrPayload = null;
+            let routeExecution = null;
             if (resolved.matched && resolved.route?.server_script && resolved.route.prerender !== true) {
-                let routeExecution = null;
                 try {
+                    const requestMethod = req.method || 'GET';
+                    const requestBodyBuffer = requestMethod === 'GET' || requestMethod === 'HEAD'
+                        ? null
+                        : await readRequestBodyBuffer(req);
                     routeExecution = await executeServerRoute({
                         source: resolved.route.server_script,
                         sourcePath: resolved.route.server_script_path || '',
                         params: resolved.params,
                         requestUrl: url.toString(),
-                        requestMethod: req.method || 'GET',
+                        requestMethod,
                         requestHeaders: req.headers,
+                        requestBodyBase64: encodeRequestBodyBase64(requestBodyBuffer),
                         routePattern: resolved.route.path,
                         routeFile: resolved.route.server_script_path || '',
                         routeId: resolved.route.route_id || routeIdFromSourcePath(resolved.route.server_script_path || '')
                     });
                 }
                 catch (error) {
+                    logServerException('preview server route execution failed', error);
                     ssrPayload = {
                         __zenith_error: {
+                            status: 500,
                             code: 'LOAD_FAILED',
-                            message: error instanceof Error ? error.message : String(error)
+                            message: error instanceof Error ? error.message : String(error || '')
                         }
                     };
                 }
-                const trace = routeExecution?.trace || { guard: 'none', load: 'none' };
+                const trace = routeExecution?.trace || { guard: 'none', action: 'none', load: 'none' };
                 const routeId = resolved.route.route_id || routeIdFromSourcePath(resolved.route.server_script_path || '');
                 if (verboseLogging) {
-                    logger.router(`${routeId} guard=${trace.guard} load=${trace.load}`);
+                    logger.router(`${routeId} guard=${trace.guard} action=${trace.action} load=${trace.load}`);
                 }
                 const result = routeExecution?.result;
                 if (result && result.kind === 'redirect') {
@@ -598,7 +629,7 @@ export async function createPreviewServer(options) {
                 if (result && result.kind === 'deny') {
                     const status = Number.isInteger(result.status) ? result.status : 403;
                     res.writeHead(status, { 'Content-Type': 'text/plain; charset=utf-8' });
-                    res.end(result.message || defaultRouteDenyMessage(status));
+                    res.end(clientFacingRouteMessage(status, result.message));
                     return;
                 }
                 if (result && result.kind === 'data' && result.data && typeof result.data === 'object' && !Array.isArray(result.data)) {
@@ -606,21 +637,24 @@ export async function createPreviewServer(options) {
                 }
             }
             let html = await readFile(htmlPath, 'utf8');
-            if (resolved.matched && resolved.route?.page_asset) {
-                const pageAssetPath = resolveWithinDist(distDir, resolved.route.page_asset);
+            if (resolved.matched) {
                 html = await materializeImageMarkup({
                     html,
-                    pageAssetPath,
                     payload: createImageRuntimePayload(config.images, await loadImageManifest(), 'endpoint', basePath),
-                    ssrData: ssrPayload,
-                    routePathname: url.pathname
+                    imageMaterialization: Array.isArray(resolved.route?.image_materialization)
+                        ? resolved.route.image_materialization
+                        : []
                 });
             }
             if (ssrPayload) {
                 html = injectSsrPayload(html, ssrPayload);
             }
-            html = injectImageRuntimePayload(html, createImageRuntimePayload(config.images, await loadImageManifest(), 'endpoint', basePath));
-            res.writeHead(200, { 'Content-Type': 'text/html' });
+            if (!IMAGE_RUNTIME_TAG_RE.test(html)) {
+                html = injectImageRuntimePayload(html, createImageRuntimePayload(config.images, await loadImageManifest(), 'endpoint', basePath));
+            }
+            res.writeHead(Number.isInteger(routeExecution?.status) ? routeExecution.status : 200, {
+                'Content-Type': 'text/html'
+            });
             res.end(html);
         }
         catch {
@@ -691,13 +725,13 @@ async function loadRouteManifestState(distDir, fallbackBasePath = '/') {
 export const matchRoute = matchManifestRoute;
 /**
  * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl?: string, requestMethod?: string, requestHeaders?: Record<string, string | string[] | undefined>, routePattern?: string, routeFile?: string, routeId?: string }} input
- * @returns {Promise<{ result: { kind: string, [key: string]: unknown }, trace: { guard: string, load: string } }>}
+ * @returns {Promise<{ result: { kind: string, [key: string]: unknown }, trace: { guard: string, action: string, load: string }, status?: number }>}
  */
-export async function executeServerRoute({ source, sourcePath, params, requestUrl, requestMethod, requestHeaders, routePattern, routeFile, routeId, guardOnly = false }) {
+export async function executeServerRoute({ source, sourcePath, params, requestUrl, requestMethod, requestHeaders, requestBodyBase64, routePattern, routeFile, routeId, guardOnly = false }) {
     if (!source || !String(source).trim()) {
         return {
             result: { kind: 'data', data: {} },
-            trace: { guard: 'none', load: 'none' }
+            trace: { guard: 'none', action: 'none', load: 'none' }
         };
     }
     const payload = await spawnNodeServerRunner({
@@ -707,6 +741,7 @@ export async function executeServerRoute({ source, sourcePath, params, requestUr
         requestUrl: requestUrl || 'http://localhost/',
         requestMethod: requestMethod || 'GET',
         requestHeaders: sanitizeRequestHeaders(requestHeaders || {}),
+        requestBodyBase64: requestBodyBase64 || '',
         routePattern: routePattern || '',
         routeFile: routeFile || sourcePath || '',
         routeId: routeId || routeIdFromSourcePath(sourcePath || ''),
@@ -715,7 +750,7 @@ export async function executeServerRoute({ source, sourcePath, params, requestUr
     if (payload === null || payload === undefined) {
         return {
             result: { kind: 'data', data: {} },
-            trace: { guard: 'none', load: 'none' }
+            trace: { guard: 'none', action: 'none', load: 'none' }
         };
     }
     if (typeof payload !== 'object' || Array.isArray(payload)) {
@@ -727,9 +762,9 @@ export async function executeServerRoute({ source, sourcePath, params, requestUr
             result: {
                 kind: 'deny',
                 status: 500,
-                message: String(errorEnvelope.message || 'Server route execution failed')
+                message: defaultRouteDenyMessage(500)
             },
-            trace: { guard: 'none', load: 'deny' }
+            trace: { guard: 'none', action: 'none', load: 'deny' }
         };
     }
     const result = payload.result;
@@ -740,9 +775,11 @@ export async function executeServerRoute({ source, sourcePath, params, requestUr
             trace: trace && typeof trace === 'object'
                 ? {
                     guard: String(trace.guard || 'none'),
+                    action: String(trace.action || 'none'),
                     load: String(trace.load || 'none')
                 }
-                : { guard: 'none', load: 'none' }
+                : { guard: 'none', action: 'none', load: 'none' },
+            status: Number.isInteger(payload.status) ? payload.status : undefined
         };
     }
     return {
@@ -750,18 +787,9 @@ export async function executeServerRoute({ source, sourcePath, params, requestUr
             kind: 'data',
             data: payload
         },
-        trace: { guard: 'none', load: 'data' }
+        trace: { guard: 'none', action: 'none', load: 'data' }
     };
 }
-export function defaultRouteDenyMessage(status) {
-    if (status === 401)
-        return 'Unauthorized';
-    if (status === 403)
-        return 'Forbidden';
-    if (status === 404)
-        return 'Not Found';
-    return 'Internal Server Error';
-}
 /**
  * @param {{ source: string, sourcePath: string, params: Record<string, string>, requestUrl?: string, requestMethod?: string, requestHeaders?: Record<string, string | string[] | undefined>, routePattern?: string, routeFile?: string, routeId?: string }} input
  * @returns {Promise<Record<string, unknown> | null>}
@@ -790,7 +818,7 @@ export async function executeServerScript(input) {
             __zenith_error: {
                 status,
                 code: status >= 500 ? 'LOAD_FAILED' : (status === 404 ? 'NOT_FOUND' : 'ACCESS_DENIED'),
-                message: String(result.message || defaultRouteDenyMessage(status))
+                message: clientFacingRouteMessage(status, result.message)
             }
         };
     }
@@ -811,6 +839,7 @@ function spawnNodeServerRunner(input) {
                 ZENITH_SERVER_REQUEST_URL: input.requestUrl || 'http://localhost/',
                 ZENITH_SERVER_REQUEST_METHOD: input.requestMethod || 'GET',
                 ZENITH_SERVER_REQUEST_HEADERS: JSON.stringify(input.requestHeaders || {}),
+                ZENITH_SERVER_REQUEST_BODY_BASE64: input.requestBodyBase64 || '',
                 ZENITH_SERVER_ROUTE_PATTERN: input.routePattern || '',
                 ZENITH_SERVER_ROUTE_FILE: input.routeFile || input.sourcePath || '',
                 ZENITH_SERVER_ROUTE_ID: input.routeId || '',
@@ -835,6 +864,11 @@ function spawnNodeServerRunner(input) {
                 rejectPromise(new Error(`[zenith-preview] server script execution failed (${code}): ${stderr.trim() || stdout.trim()}`));
                 return;
             }
+            const stderrOutput = stderr.trim();
+            const internalErrorIndex = stderrOutput.indexOf('[Zenith:Server]');
+            if (internalErrorIndex >= 0) {
+                console.error(stderrOutput.slice(internalErrorIndex).trim());
+            }
             const raw = stdout.trim();
             if (!raw || raw === 'null') {
                 resolvePromise(null);

package/dist/request-body.d.ts

@@ -0,0 +1,2 @@
+export function readRequestBodyBuffer(req: any): Promise<Buffer<ArrayBuffer>>;
+export function encodeRequestBodyBase64(bodyBuffer: any): string;

package/dist/request-body.js

@@ -0,0 +1,13 @@
+export async function readRequestBodyBuffer(req) {
+    const chunks = [];
+    for await (const chunk of req) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    return Buffer.concat(chunks);
+}
+export function encodeRequestBodyBase64(bodyBuffer) {
+    if (!Buffer.isBuffer(bodyBuffer) || bodyBuffer.length === 0) {
+        return '';
+    }
+    return bodyBuffer.toString('base64');
+}

package/dist/request-origin.d.ts

@@ -0,0 +1,2 @@
+export function publicHost(host: any): string;
+export function createTrustedOriginResolver(options?: {}): () => string;

package/dist/request-origin.js

@@ -0,0 +1,45 @@
+const DEFAULT_HOST = '127.0.0.1';
+export function publicHost(host) {
+    const normalized = String(host || DEFAULT_HOST).trim() || DEFAULT_HOST;
+    if (normalized === '0.0.0.0' || normalized === '::') {
+        return DEFAULT_HOST;
+    }
+    return normalized;
+}
+function normalizePublicOrigin(value, label) {
+    const raw = String(value || '').trim();
+    if (!raw) {
+        throw new Error(`[Zenith:Server] ${label} must be a non-empty absolute origin`);
+    }
+    let parsed;
+    try {
+        parsed = new URL(raw);
+    }
+    catch {
+        throw new Error(`[Zenith:Server] ${label} must be an absolute origin`);
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        throw new Error(`[Zenith:Server] ${label} must use http or https`);
+    }
+    if (parsed.username || parsed.password) {
+        throw new Error(`[Zenith:Server] ${label} must not include credentials`);
+    }
+    if (parsed.pathname !== '/' || parsed.search || parsed.hash) {
+        throw new Error(`[Zenith:Server] ${label} must not include a path, query, or hash`);
+    }
+    return parsed.origin;
+}
+export function createTrustedOriginResolver(options = {}) {
+    const { publicOrigin = undefined, host = DEFAULT_HOST, port = undefined, getPort = undefined, label = 'server' } = options;
+    if (publicOrigin !== undefined && publicOrigin !== null && String(publicOrigin).trim().length > 0) {
+        const origin = normalizePublicOrigin(publicOrigin, `${label} publicOrigin`);
+        return () => origin;
+    }
+    return () => {
+        const resolvedPort = typeof getPort === 'function' ? getPort() : port;
+        if (!Number.isInteger(resolvedPort) || resolvedPort <= 0) {
+            throw new Error(`[Zenith:Server] ${label} requires "publicOrigin" when a trusted port is unavailable; raw Host headers are not trusted`);
+        }
+        return `http://${publicHost(host)}:${resolvedPort}`;
+    };
+}

package/dist/route-check-support.d.ts

@@ -0,0 +1 @@
+export function supportsTargetRouteCheck(target: any): boolean;

package/dist/route-check-support.js

@@ -0,0 +1,4 @@
+const ROUTE_CHECK_UNSUPPORTED_TARGETS = new Set(['vercel', 'netlify']);
+export function supportsTargetRouteCheck(target) {
+    return !ROUTE_CHECK_UNSUPPORTED_TARGETS.has(String(target || '').trim());
+}

package/dist/server-contract.d.ts

@@ -15,6 +15,11 @@ export function data(payload: any): {
     kind: string;
     data: any;
 };
+export function invalid(payload: any, status?: number): {
+    kind: string;
+    data: any;
+    status: number;
+};
 export function validateServerExports({ exports, filePath }: {
     exports: any;
     filePath: any;
@@ -29,8 +34,18 @@ export function resolveRouteResult({ exports, ctx, filePath, guardOnly }: {
     result: any;
     trace: {
         guard: string;
+        action: string;
+        load: string;
+    };
+    status?: undefined;
+} | {
+    result: any;
+    trace: {
+        guard: string;
+        action: string;
         load: string;
     };
+    status: number | undefined;
 }>;
 export function resolveServerPayload({ exports, ctx, filePath }: {
     exports: any;