@zenithbuild/cli 0.7.3 → 0.7.5

package/dist/adapters/validate-hosted-resource-routes.js

@@ -0,0 +1,13 @@
+const HOSTED_RESOURCE_DOWNLOAD_RE = /\b(?:ctx\.)?download\s*\(/;
+export function validateHostedResourceRoutes(manifest, targetName) {
+    for (const route of Array.isArray(manifest) ? manifest : []) {
+        if (route?.route_kind !== 'resource') {
+            continue;
+        }
+        const source = typeof route.server_script === 'string' ? route.server_script : '';
+        if (HOSTED_RESOURCE_DOWNLOAD_RE.test(source)) {
+            throw new Error(`[Zenith:Build] target "${targetName}" does not support resource downloads in this milestone. ` +
+                `Route "${route.path}" (${route.file}) must run on dev, preview, or target "node".`);
+        }
+    }
+}

package/dist/auth/route-auth.d.ts

@@ -0,0 +1,6 @@
+export function consumeStagedSetCookies(ctx: any): any[];
+export function attachRouteAuth(ctx: any, options?: {}): any;
+export const SESSION_COOKIE_NAME: "zenith_session";
+export const SESSION_SECRET_ENV: "ZENITH_SESSION_SECRET";
+export const STAGED_SET_COOKIES_KEY: "__zenith_staged_set_cookies";
+export const AUTH_CONTROL_FLOW_FLAG: "__zenith_auth_control_flow";

package/dist/auth/route-auth.js

@@ -0,0 +1,236 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+import { assertJsonSerializable } from '../server-contract.js';
+export const SESSION_COOKIE_NAME = 'zenith_session';
+export const SESSION_SECRET_ENV = 'ZENITH_SESSION_SECRET';
+export const STAGED_SET_COOKIES_KEY = '__zenith_staged_set_cookies';
+export const AUTH_CONTROL_FLOW_FLAG = '__zenith_auth_control_flow';
+const SESSION_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 7;
+const SESSION_COOKIE_MAX_BYTES = 3800;
+const SESSION_SCHEMA_VERSION = 1;
+function createAuthError(message) {
+    return new Error(`[Zenith] ${message}`);
+}
+function base64urlEncode(input) {
+    return Buffer.from(input)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+function base64urlDecode(input) {
+    const normalized = String(input || '')
+        .replace(/-/g, '+')
+        .replace(/_/g, '/');
+    const padded = normalized + '='.repeat((4 - (normalized.length % 4 || 4)) % 4);
+    return Buffer.from(padded, 'base64').toString('utf8');
+}
+function isPlainObject(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return false;
+    }
+    const proto = Object.getPrototypeOf(value);
+    return proto === null || proto === Object.prototype || proto?.constructor?.name === 'Object';
+}
+function readSessionSecret() {
+    const secret = typeof process?.env?.[SESSION_SECRET_ENV] === 'string'
+        ? process.env[SESSION_SECRET_ENV].trim()
+        : '';
+    if (!secret) {
+        throw createAuthError(`ctx.auth requires ${SESSION_SECRET_ENV} to be set`);
+    }
+    return secret;
+}
+function signPayload(payload, secret) {
+    return createHmac('sha256', secret).update(payload).digest('base64url');
+}
+function createSignedSessionValue(session, secret) {
+    if (!isPlainObject(session)) {
+        throw createAuthError('ctx.auth.signIn(sessionObject) requires a JSON-safe plain object');
+    }
+    assertJsonSerializable(session, 'ctx.auth.signIn(sessionObject)');
+    const envelope = {
+        v: SESSION_SCHEMA_VERSION,
+        exp: Date.now() + SESSION_COOKIE_MAX_AGE_SECONDS * 1000,
+        session
+    };
+    const json = JSON.stringify(envelope);
+    const encodedPayload = base64urlEncode(json);
+    const signature = signPayload(encodedPayload, secret);
+    const token = `${encodedPayload}.${signature}`;
+    if (Buffer.byteLength(token, 'utf8') > SESSION_COOKIE_MAX_BYTES) {
+        throw createAuthError('ctx.auth.signIn(sessionObject) produced an oversized session cookie');
+    }
+    return token;
+}
+function parseSessionValue(rawValue, secret) {
+    if (typeof rawValue !== 'string' || rawValue.length === 0) {
+        return null;
+    }
+    const dot = rawValue.lastIndexOf('.');
+    if (dot <= 0 || dot === rawValue.length - 1) {
+        return null;
+    }
+    const encodedPayload = rawValue.slice(0, dot);
+    const receivedSignature = rawValue.slice(dot + 1);
+    const expectedSignature = signPayload(encodedPayload, secret);
+    const received = Buffer.from(receivedSignature);
+    const expected = Buffer.from(expectedSignature);
+    if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
+        return null;
+    }
+    try {
+        const envelope = JSON.parse(base64urlDecode(encodedPayload));
+        if (!envelope || typeof envelope !== 'object' || envelope.v !== SESSION_SCHEMA_VERSION) {
+            return null;
+        }
+        if (!Number.isFinite(envelope.exp) || envelope.exp <= Date.now()) {
+            return null;
+        }
+        if (!isPlainObject(envelope.session)) {
+            return null;
+        }
+        assertJsonSerializable(envelope.session, 'ctx.auth session payload');
+        return envelope.session;
+    }
+    catch {
+        return null;
+    }
+}
+function shouldUseSecureCookies(requestUrl) {
+    try {
+        const url = requestUrl instanceof URL ? requestUrl : new URL(String(requestUrl || 'http://localhost/'));
+        return url.protocol === 'https:';
+    }
+    catch {
+        return false;
+    }
+}
+function buildCookieAttributes(requestUrl) {
+    const attributes = ['Path=/', 'HttpOnly', 'SameSite=Lax'];
+    if (shouldUseSecureCookies(requestUrl)) {
+        attributes.push('Secure');
+    }
+    return attributes;
+}
+function buildSessionSetCookie(value, requestUrl) {
+    const attributes = buildCookieAttributes(requestUrl);
+    attributes.push(`Max-Age=${SESSION_COOKIE_MAX_AGE_SECONDS}`);
+    attributes.push(`Expires=${new Date(Date.now() + SESSION_COOKIE_MAX_AGE_SECONDS * 1000).toUTCString()}`);
+    return `${SESSION_COOKIE_NAME}=${encodeURIComponent(value)}; ${attributes.join('; ')}`;
+}
+function buildSessionClearCookie(requestUrl) {
+    const attributes = buildCookieAttributes(requestUrl);
+    attributes.push('Max-Age=0');
+    attributes.push('Expires=Thu, 01 Jan 1970 00:00:00 GMT');
+    return `${SESSION_COOKIE_NAME}=; ${attributes.join('; ')}`;
+}
+function stageSetCookie(ctx, value) {
+    if (!Array.isArray(ctx[STAGED_SET_COOKIES_KEY])) {
+        Object.defineProperty(ctx, STAGED_SET_COOKIES_KEY, {
+            value: [],
+            enumerable: false,
+            configurable: true
+        });
+    }
+    ctx[STAGED_SET_COOKIES_KEY].push(value);
+}
+function toAuthControlFlow(result) {
+    const error = new Error('auth control flow');
+    error[AUTH_CONTROL_FLOW_FLAG] = true;
+    error.result = result;
+    return error;
+}
+function normalizeRequirePolicy(options, redirect, deny) {
+    if (!options || typeof options !== 'object' || Array.isArray(options)) {
+        throw createAuthError('ctx.auth.requireSession(...) requires an explicit redirect or deny policy object');
+    }
+    const hasRedirect = typeof options.redirectTo === 'string' && options.redirectTo.trim().length > 0;
+    const hasDeny = Number.isInteger(options.deny);
+    if (hasRedirect === hasDeny) {
+        throw createAuthError('ctx.auth.requireSession(...) requires exactly one of redirectTo or deny');
+    }
+    if (hasRedirect) {
+        const status = options.status === undefined ? 302 : options.status;
+        if (status !== 302 && status !== 303 && status !== 307) {
+            throw createAuthError('ctx.auth.requireSession({ redirectTo, status }) only supports 302, 303, or 307');
+        }
+        return redirect(options.redirectTo, status);
+    }
+    if (options.deny !== 401 && options.deny !== 403 && options.deny !== 404) {
+        throw createAuthError('ctx.auth.requireSession({ deny, message }) only supports 401, 403, or 404');
+    }
+    if (options.message !== undefined && typeof options.message !== 'string') {
+        throw createAuthError('ctx.auth.requireSession({ deny, message }) requires message to be a string when provided');
+    }
+    return deny(options.deny, options.message);
+}
+export function consumeStagedSetCookies(ctx) {
+    if (!ctx || typeof ctx !== 'object' || !Array.isArray(ctx[STAGED_SET_COOKIES_KEY])) {
+        return [];
+    }
+    return ctx[STAGED_SET_COOKIES_KEY].slice();
+}
+export function attachRouteAuth(ctx, options = {}) {
+    if (!ctx || typeof ctx !== 'object') {
+        throw createAuthError('attachRouteAuth(ctx) requires a route context object');
+    }
+    const requestUrl = options.requestUrl instanceof URL
+        ? options.requestUrl
+        : new URL(String(options.requestUrl || ctx.url || 'http://localhost/'));
+    const guardOnly = options.guardOnly === true;
+    const redirect = options.redirect;
+    const deny = options.deny;
+    if (typeof redirect !== 'function' || typeof deny !== 'function') {
+        throw createAuthError('attachRouteAuth(ctx) requires redirect() and deny() constructors');
+    }
+    let activeSession;
+    let activeSessionInitialized = false;
+    function readActiveSession() {
+        if (activeSessionInitialized) {
+            return activeSession;
+        }
+        const secret = readSessionSecret();
+        const rawCookieValue = typeof ctx.cookies?.[SESSION_COOKIE_NAME] === 'string'
+            ? ctx.cookies[SESSION_COOKIE_NAME]
+            : '';
+        activeSession = parseSessionValue(rawCookieValue, secret);
+        activeSessionInitialized = true;
+        return activeSession;
+    }
+    Object.defineProperty(ctx, STAGED_SET_COOKIES_KEY, {
+        value: [],
+        enumerable: false,
+        configurable: true
+    });
+    ctx.auth = {
+        async getSession() {
+            return readActiveSession();
+        },
+        async requireSession(policy) {
+            const session = await this.getSession();
+            if (session) {
+                return session;
+            }
+            throw toAuthControlFlow(normalizeRequirePolicy(policy, redirect, deny));
+        },
+        async signIn(sessionObject) {
+            if (guardOnly) {
+                throw createAuthError('ctx.auth.signIn(...) is unavailable during advisory route-check execution');
+            }
+            const secret = readSessionSecret();
+            const cookieValue = createSignedSessionValue(sessionObject, secret);
+            stageSetCookie(ctx, buildSessionSetCookie(cookieValue, requestUrl));
+            activeSession = sessionObject;
+            activeSessionInitialized = true;
+        },
+        async signOut() {
+            if (guardOnly) {
+                throw createAuthError('ctx.auth.signOut() is unavailable during advisory route-check execution');
+            }
+            stageSetCookie(ctx, buildSessionClearCookie(requestUrl));
+            activeSession = null;
+            activeSessionInitialized = true;
+        }
+    };
+    return ctx.auth;
+}

package/dist/build/compiler-runtime.d.ts

@@ -42,17 +42,18 @@ export function createTimedCompilerRunner(startupProfile: ReturnType<typeof impo
  * @param {object | null} [logger]
  * @param {boolean} [showInfo]
  * @param {string|object} [bundlerBin]
- * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string }} [bundlerOptions]
+ * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string, routeCheck?: boolean, imageRuntimePayload?: object }} [bundlerOptions]
  * @returns {Promise<void>}
  */
-export function runBundler(envelope: object | object[], outDir: string, projectRoot: string, logger?: object | null, showInfo?: boolean, bundlerBin?: string | object, bundlerOptions?: {
-    devStableAssets?: boolean;
-    rebuildStrategy?: "full" | "bundle-only" | "page-only";
-    changedRoutes?: string[];
-    fastPath?: boolean;
-    globalGraphHash?: string;
-    basePath?: string;
-}): Promise<void>;
+/**
+ * Merge compiler-owned static image materialization rows from marker bindings + rewritten props literals.
+ * @param {object} pageIr
+ * @param {string[]} literals
+ * @param {object} [compilerRunOptions]
+ * @returns {object}
+ */
+export function mergePageImageMaterialization(pageIr: object, literals: string[], compilerRunOptions?: object): object;
+export function runBundler(envelope: any, outDir: any, projectRoot: any, logger?: null, showInfo?: boolean, bundlerBin?: string, bundlerOptions?: {}): Promise<any>;
 /**
  * @param {string} rootDir
  * @returns {Promise<string[]>}

package/dist/build/compiler-runtime.js

@@ -171,9 +171,56 @@ export function createTimedCompilerRunner(startupProfile, compilerTotals) {
  * @param {object | null} [logger]
  * @param {boolean} [showInfo]
  * @param {string|object} [bundlerBin]
- * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string }} [bundlerOptions]
+ * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string, routeCheck?: boolean, imageRuntimePayload?: object }} [bundlerOptions]
  * @returns {Promise<void>}
  */
+/**
+ * Merge compiler-owned static image materialization rows from marker bindings + rewritten props literals.
+ * @param {object} pageIr
+ * @param {string[]} literals
+ * @param {object} [compilerRunOptions]
+ * @returns {object}
+ */
+export function mergePageImageMaterialization(pageIr, literals, compilerRunOptions = {}) {
+    if (!Array.isArray(literals) || literals.length === 0) {
+        return pageIr;
+    }
+    const compilerToolchain = compilerRunOptions.compilerToolchain
+        || (compilerRunOptions.compilerBin && typeof compilerRunOptions.compilerBin === 'object'
+            ? compilerRunOptions.compilerBin
+            : null);
+    const compilerBin = !compilerToolchain && typeof compilerRunOptions.compilerBin === 'string'
+        ? compilerRunOptions.compilerBin
+        : null;
+    const payload = JSON.stringify({
+        marker_bindings: pageIr.marker_bindings,
+        literals
+    });
+    const args = ['--merge-image-materialization'];
+    const opts = {
+        encoding: 'utf8',
+        maxBuffer: COMPILER_SPAWN_MAX_BUFFER,
+        input: payload
+    };
+    const result = compilerToolchain
+        ? runToolchainSync(compilerToolchain, args, opts).result
+        : (compilerBin
+            ? spawnSync(compilerBin, args, opts)
+            : runToolchainSync(createCompilerToolchain({
+                logger: compilerRunOptions.logger || null
+            }), args, opts).result);
+    if (result.error) {
+        throw new Error(`merge image materialization spawn failed: ${result.error.message}`);
+    }
+    if (result.status !== 0) {
+        throw new Error(`merge image materialization failed with exit code ${result.status}\n${result.stderr || ''}`);
+    }
+    const parsed = JSON.parse(result.stdout);
+    return {
+        ...pageIr,
+        image_materialization: parsed.image_materialization
+    };
+}
 export function runBundler(envelope, outDir, projectRoot, logger = null, showInfo = true, bundlerBin = resolveBundlerBin(projectRoot), bundlerOptions = {}) {
     return new Promise((resolvePromise, rejectPromise) => {
         const useStructuredLogger = Boolean(logger && typeof logger.childLine === 'function');
@@ -192,6 +239,9 @@ export function runBundler(envelope, outDir, projectRoot, logger = null, showInf
         if (typeof bundlerOptions.basePath === 'string' && bundlerOptions.basePath.length > 0) {
             bundlerArgs.push('--base-path', bundlerOptions.basePath);
         }
+        if (bundlerOptions.routeCheck === true) {
+            bundlerArgs.push('--route-check');
+        }
         if (bundlerOptions.devStableAssets === true) {
             bundlerArgs.push('--dev-stable-assets');
         }
@@ -234,7 +284,13 @@ export function runBundler(envelope, outDir, projectRoot, logger = null, showInf
             }
             rejectPromise(new Error(`Bundler failed with exit code ${code}`));
         });
-        child.stdin.write(JSON.stringify(envelope));
+        const bundlerPayload = bundlerOptions.imageRuntimePayload
+            ? {
+                inputs: Array.isArray(envelope) ? envelope : [envelope],
+                image_runtime_payload: bundlerOptions.imageRuntimePayload
+            }
+            : envelope;
+        child.stdin.write(JSON.stringify(bundlerPayload));
         child.stdin.end();
     });
 }

package/dist/build/compiler-signal-expression.d.ts

@@ -0,0 +1 @@
+export function rewriteCompilerSignalMapReferences(compiledExpr: any, buildReplacement: any): string | null;

package/dist/build/compiler-signal-expression.js

@@ -0,0 +1,155 @@
+import { loadTypeScriptApi } from './compiler-runtime.js';
+import { normalizeTypeScriptExpression } from './typescript-expression-utils.js';
+function collectBindingNames(ts, name, target) {
+    if (ts.isIdentifier(name)) {
+        target.add(name.text);
+        return;
+    }
+    if (ts.isObjectBindingPattern(name) || ts.isArrayBindingPattern(name)) {
+        for (const element of name.elements) {
+            if (ts.isBindingElement(element)) {
+                collectBindingNames(ts, element.name, target);
+            }
+        }
+    }
+}
+function collectDirectBlockBindings(ts, block, target) {
+    const statements = Array.isArray(block?.statements) ? block.statements : [];
+    for (const statement of statements) {
+        if (ts.isVariableStatement(statement)) {
+            for (const declaration of statement.declarationList.declarations) {
+                collectBindingNames(ts, declaration.name, target);
+            }
+            continue;
+        }
+        if ((ts.isFunctionDeclaration(statement) || ts.isClassDeclaration(statement)) && statement.name) {
+            target.add(statement.name.text);
+        }
+    }
+}
+function isNestedBlockScope(ts, node) {
+    return (ts.isBlock(node) || ts.isModuleBlock(node)) && !ts.isSourceFile(node.parent);
+}
+function resolveCompilerSignalIndex(ts, node, localBindings) {
+    if (!ts.isCallExpression(node)) {
+        return null;
+    }
+    if (node.arguments.length !== 1) {
+        return null;
+    }
+    const expression = node.expression;
+    if (!ts.isPropertyAccessExpression(expression) || expression.name.text !== 'get') {
+        return null;
+    }
+    if (!ts.isIdentifier(expression.expression) || expression.expression.text !== 'signalMap') {
+        return null;
+    }
+    if (localBindings.has('signalMap')) {
+        return null;
+    }
+    const [indexArg] = node.arguments;
+    if (!ts.isNumericLiteral(indexArg)) {
+        return null;
+    }
+    const signalIndex = Number.parseInt(indexArg.text, 10);
+    return Number.isInteger(signalIndex) ? signalIndex : null;
+}
+export function rewriteCompilerSignalMapReferences(compiledExpr, buildReplacement) {
+    const source = typeof compiledExpr === 'string' ? compiledExpr.trim() : '';
+    if (!source) {
+        return null;
+    }
+    if (!source.includes('signalMap.get(') || typeof buildReplacement !== 'function') {
+        return normalizeTypeScriptExpression(source);
+    }
+    const ts = loadTypeScriptApi();
+    if (!ts) {
+        return normalizeTypeScriptExpression(source);
+    }
+    let sourceFile;
+    try {
+        sourceFile = ts.createSourceFile('zenith-compiled-expression.ts', `const __zenith_expr__ = (${source});`, ts.ScriptTarget.Latest, true, ts.ScriptKind.TS);
+    }
+    catch {
+        return normalizeTypeScriptExpression(source);
+    }
+    const nextScopeBindings = (node, localBindings) => {
+        if (ts.isSourceFile(node)) {
+            return localBindings;
+        }
+        if (ts.isFunctionLike(node)) {
+            const next = new Set(localBindings);
+            if (node.name && ts.isIdentifier(node.name) && !ts.isSourceFile(node.parent)) {
+                next.add(node.name.text);
+            }
+            for (const param of node.parameters) {
+                collectBindingNames(ts, param.name, next);
+            }
+            return next;
+        }
+        if (isNestedBlockScope(ts, node)) {
+            const next = new Set(localBindings);
+            collectDirectBlockBindings(ts, node, next);
+            return next;
+        }
+        if (ts.isCatchClause(node) && node.variableDeclaration) {
+            const next = new Set(localBindings);
+            collectBindingNames(ts, node.variableDeclaration.name, next);
+            return next;
+        }
+        if ((ts.isForStatement(node) || ts.isForInStatement(node) || ts.isForOfStatement(node))
+            && node.initializer
+            && ts.isVariableDeclarationList(node.initializer)) {
+            const next = new Set(localBindings);
+            for (const declaration of node.initializer.declarations) {
+                collectBindingNames(ts, declaration.name, next);
+            }
+            return next;
+        }
+        return localBindings;
+    };
+    const transformer = (context) => {
+        const visit = (node, localBindings) => {
+            const scopeBindings = nextScopeBindings(node, localBindings);
+            if (ts.isCallExpression(node) && node.arguments.length === 0) {
+                const expression = node.expression;
+                if (ts.isPropertyAccessExpression(expression) && expression.name.text === 'get') {
+                    const signalIndex = resolveCompilerSignalIndex(ts, expression.expression, scopeBindings);
+                    if (Number.isInteger(signalIndex)) {
+                        const replacement = buildReplacement({ ts, signalIndex, valueRead: true });
+                        if (replacement) {
+                            return replacement;
+                        }
+                    }
+                }
+            }
+            const signalIndex = resolveCompilerSignalIndex(ts, node, scopeBindings);
+            if (Number.isInteger(signalIndex)) {
+                const replacement = buildReplacement({ ts, signalIndex, valueRead: false });
+                if (replacement) {
+                    return replacement;
+                }
+            }
+            return ts.visitEachChild(node, (child) => visit(child, scopeBindings), context);
+        };
+        return (node) => ts.visitNode(node, (child) => visit(child, new Set()));
+    };
+    const result = ts.transform(sourceFile, [transformer]);
+    try {
+        const printed = ts.createPrinter({ newLine: ts.NewLineKind.LineFeed })
+            .printFile(result.transformed[0])
+            .trimEnd();
+        const prefix = 'const __zenith_expr__ = (';
+        const suffix = ');';
+        if (!printed.startsWith(prefix) || !printed.endsWith(suffix)) {
+            return normalizeTypeScriptExpression(source);
+        }
+        return normalizeTypeScriptExpression(printed.slice(prefix.length, printed.length - suffix.length));
+    }
+    catch {
+        return normalizeTypeScriptExpression(source);
+    }
+    finally {
+        result.dispose();
+    }
+}

package/dist/build/expression-rewrites.d.ts

@@ -1,10 +1,5 @@
 /**
- * @param {string} compPath
- * @param {string} componentSource
  * @param {object} compIr
- * @param {object} compilerOpts
- * @param {string|object} compilerBin
- * @param {Map<string, string[]> | null} [templateExpressionCache]
  * @param {Record<string, number> | null} [rewriteMetrics]
  * @returns {{
  *   map: Map<string, string>,
@@ -22,7 +17,7 @@
  *   sequence: Array<{ raw: string, rewritten: string, binding: object | null }>
  * }}
  */
-export function buildComponentExpressionRewrite(compPath: string, componentSource: string, compIr: object, compilerOpts: object, compilerBin: string | object, templateExpressionCache?: Map<string, string[]> | null, rewriteMetrics?: Record<string, number> | null): {
+export function buildComponentExpressionRewrite(compIr: object, rewriteMetrics?: Record<string, number> | null): {
     map: Map<string, string>;
     bindings: Map<string, {
         compiled_expr: string | null;