@zenithbuild/cli 0.7.4 → 0.7.5

package/dist/auth/route-auth.js

@@ -0,0 +1,236 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+import { assertJsonSerializable } from '../server-contract.js';
+export const SESSION_COOKIE_NAME = 'zenith_session';
+export const SESSION_SECRET_ENV = 'ZENITH_SESSION_SECRET';
+export const STAGED_SET_COOKIES_KEY = '__zenith_staged_set_cookies';
+export const AUTH_CONTROL_FLOW_FLAG = '__zenith_auth_control_flow';
+const SESSION_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 7;
+const SESSION_COOKIE_MAX_BYTES = 3800;
+const SESSION_SCHEMA_VERSION = 1;
+function createAuthError(message) {
+    return new Error(`[Zenith] ${message}`);
+}
+function base64urlEncode(input) {
+    return Buffer.from(input)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/g, '');
+}
+function base64urlDecode(input) {
+    const normalized = String(input || '')
+        .replace(/-/g, '+')
+        .replace(/_/g, '/');
+    const padded = normalized + '='.repeat((4 - (normalized.length % 4 || 4)) % 4);
+    return Buffer.from(padded, 'base64').toString('utf8');
+}
+function isPlainObject(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return false;
+    }
+    const proto = Object.getPrototypeOf(value);
+    return proto === null || proto === Object.prototype || proto?.constructor?.name === 'Object';
+}
+function readSessionSecret() {
+    const secret = typeof process?.env?.[SESSION_SECRET_ENV] === 'string'
+        ? process.env[SESSION_SECRET_ENV].trim()
+        : '';
+    if (!secret) {
+        throw createAuthError(`ctx.auth requires ${SESSION_SECRET_ENV} to be set`);
+    }
+    return secret;
+}
+function signPayload(payload, secret) {
+    return createHmac('sha256', secret).update(payload).digest('base64url');
+}
+function createSignedSessionValue(session, secret) {
+    if (!isPlainObject(session)) {
+        throw createAuthError('ctx.auth.signIn(sessionObject) requires a JSON-safe plain object');
+    }
+    assertJsonSerializable(session, 'ctx.auth.signIn(sessionObject)');
+    const envelope = {
+        v: SESSION_SCHEMA_VERSION,
+        exp: Date.now() + SESSION_COOKIE_MAX_AGE_SECONDS * 1000,
+        session
+    };
+    const json = JSON.stringify(envelope);
+    const encodedPayload = base64urlEncode(json);
+    const signature = signPayload(encodedPayload, secret);
+    const token = `${encodedPayload}.${signature}`;
+    if (Buffer.byteLength(token, 'utf8') > SESSION_COOKIE_MAX_BYTES) {
+        throw createAuthError('ctx.auth.signIn(sessionObject) produced an oversized session cookie');
+    }
+    return token;
+}
+function parseSessionValue(rawValue, secret) {
+    if (typeof rawValue !== 'string' || rawValue.length === 0) {
+        return null;
+    }
+    const dot = rawValue.lastIndexOf('.');
+    if (dot <= 0 || dot === rawValue.length - 1) {
+        return null;
+    }
+    const encodedPayload = rawValue.slice(0, dot);
+    const receivedSignature = rawValue.slice(dot + 1);
+    const expectedSignature = signPayload(encodedPayload, secret);
+    const received = Buffer.from(receivedSignature);
+    const expected = Buffer.from(expectedSignature);
+    if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
+        return null;
+    }
+    try {
+        const envelope = JSON.parse(base64urlDecode(encodedPayload));
+        if (!envelope || typeof envelope !== 'object' || envelope.v !== SESSION_SCHEMA_VERSION) {
+            return null;
+        }
+        if (!Number.isFinite(envelope.exp) || envelope.exp <= Date.now()) {
+            return null;
+        }
+        if (!isPlainObject(envelope.session)) {
+            return null;
+        }
+        assertJsonSerializable(envelope.session, 'ctx.auth session payload');
+        return envelope.session;
+    }
+    catch {
+        return null;
+    }
+}
+function shouldUseSecureCookies(requestUrl) {
+    try {
+        const url = requestUrl instanceof URL ? requestUrl : new URL(String(requestUrl || 'http://localhost/'));
+        return url.protocol === 'https:';
+    }
+    catch {
+        return false;
+    }
+}
+function buildCookieAttributes(requestUrl) {
+    const attributes = ['Path=/', 'HttpOnly', 'SameSite=Lax'];
+    if (shouldUseSecureCookies(requestUrl)) {
+        attributes.push('Secure');
+    }
+    return attributes;
+}
+function buildSessionSetCookie(value, requestUrl) {
+    const attributes = buildCookieAttributes(requestUrl);
+    attributes.push(`Max-Age=${SESSION_COOKIE_MAX_AGE_SECONDS}`);
+    attributes.push(`Expires=${new Date(Date.now() + SESSION_COOKIE_MAX_AGE_SECONDS * 1000).toUTCString()}`);
+    return `${SESSION_COOKIE_NAME}=${encodeURIComponent(value)}; ${attributes.join('; ')}`;
+}
+function buildSessionClearCookie(requestUrl) {
+    const attributes = buildCookieAttributes(requestUrl);
+    attributes.push('Max-Age=0');
+    attributes.push('Expires=Thu, 01 Jan 1970 00:00:00 GMT');
+    return `${SESSION_COOKIE_NAME}=; ${attributes.join('; ')}`;
+}
+function stageSetCookie(ctx, value) {
+    if (!Array.isArray(ctx[STAGED_SET_COOKIES_KEY])) {
+        Object.defineProperty(ctx, STAGED_SET_COOKIES_KEY, {
+            value: [],
+            enumerable: false,
+            configurable: true
+        });
+    }
+    ctx[STAGED_SET_COOKIES_KEY].push(value);
+}
+function toAuthControlFlow(result) {
+    const error = new Error('auth control flow');
+    error[AUTH_CONTROL_FLOW_FLAG] = true;
+    error.result = result;
+    return error;
+}
+function normalizeRequirePolicy(options, redirect, deny) {
+    if (!options || typeof options !== 'object' || Array.isArray(options)) {
+        throw createAuthError('ctx.auth.requireSession(...) requires an explicit redirect or deny policy object');
+    }
+    const hasRedirect = typeof options.redirectTo === 'string' && options.redirectTo.trim().length > 0;
+    const hasDeny = Number.isInteger(options.deny);
+    if (hasRedirect === hasDeny) {
+        throw createAuthError('ctx.auth.requireSession(...) requires exactly one of redirectTo or deny');
+    }
+    if (hasRedirect) {
+        const status = options.status === undefined ? 302 : options.status;
+        if (status !== 302 && status !== 303 && status !== 307) {
+            throw createAuthError('ctx.auth.requireSession({ redirectTo, status }) only supports 302, 303, or 307');
+        }
+        return redirect(options.redirectTo, status);
+    }
+    if (options.deny !== 401 && options.deny !== 403 && options.deny !== 404) {
+        throw createAuthError('ctx.auth.requireSession({ deny, message }) only supports 401, 403, or 404');
+    }
+    if (options.message !== undefined && typeof options.message !== 'string') {
+        throw createAuthError('ctx.auth.requireSession({ deny, message }) requires message to be a string when provided');
+    }
+    return deny(options.deny, options.message);
+}
+export function consumeStagedSetCookies(ctx) {
+    if (!ctx || typeof ctx !== 'object' || !Array.isArray(ctx[STAGED_SET_COOKIES_KEY])) {
+        return [];
+    }
+    return ctx[STAGED_SET_COOKIES_KEY].slice();
+}
+export function attachRouteAuth(ctx, options = {}) {
+    if (!ctx || typeof ctx !== 'object') {
+        throw createAuthError('attachRouteAuth(ctx) requires a route context object');
+    }
+    const requestUrl = options.requestUrl instanceof URL
+        ? options.requestUrl
+        : new URL(String(options.requestUrl || ctx.url || 'http://localhost/'));
+    const guardOnly = options.guardOnly === true;
+    const redirect = options.redirect;
+    const deny = options.deny;
+    if (typeof redirect !== 'function' || typeof deny !== 'function') {
+        throw createAuthError('attachRouteAuth(ctx) requires redirect() and deny() constructors');
+    }
+    let activeSession;
+    let activeSessionInitialized = false;
+    function readActiveSession() {
+        if (activeSessionInitialized) {
+            return activeSession;
+        }
+        const secret = readSessionSecret();
+        const rawCookieValue = typeof ctx.cookies?.[SESSION_COOKIE_NAME] === 'string'
+            ? ctx.cookies[SESSION_COOKIE_NAME]
+            : '';
+        activeSession = parseSessionValue(rawCookieValue, secret);
+        activeSessionInitialized = true;
+        return activeSession;
+    }
+    Object.defineProperty(ctx, STAGED_SET_COOKIES_KEY, {
+        value: [],
+        enumerable: false,
+        configurable: true
+    });
+    ctx.auth = {
+        async getSession() {
+            return readActiveSession();
+        },
+        async requireSession(policy) {
+            const session = await this.getSession();
+            if (session) {
+                return session;
+            }
+            throw toAuthControlFlow(normalizeRequirePolicy(policy, redirect, deny));
+        },
+        async signIn(sessionObject) {
+            if (guardOnly) {
+                throw createAuthError('ctx.auth.signIn(...) is unavailable during advisory route-check execution');
+            }
+            const secret = readSessionSecret();
+            const cookieValue = createSignedSessionValue(sessionObject, secret);
+            stageSetCookie(ctx, buildSessionSetCookie(cookieValue, requestUrl));
+            activeSession = sessionObject;
+            activeSessionInitialized = true;
+        },
+        async signOut() {
+            if (guardOnly) {
+                throw createAuthError('ctx.auth.signOut() is unavailable during advisory route-check execution');
+            }
+            stageSetCookie(ctx, buildSessionClearCookie(requestUrl));
+            activeSession = null;
+            activeSessionInitialized = true;
+        }
+    };
+    return ctx.auth;
+}

package/dist/build/compiler-runtime.d.ts

@@ -42,7 +42,7 @@ export function createTimedCompilerRunner(startupProfile: ReturnType<typeof impo
  * @param {object | null} [logger]
  * @param {boolean} [showInfo]
  * @param {string|object} [bundlerBin]
- * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string, routeCheck?: boolean }} [bundlerOptions]
+ * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string, routeCheck?: boolean, imageRuntimePayload?: object }} [bundlerOptions]
  * @returns {Promise<void>}
  */
 /**

package/dist/build/compiler-runtime.js

@@ -171,7 +171,7 @@ export function createTimedCompilerRunner(startupProfile, compilerTotals) {
  * @param {object | null} [logger]
  * @param {boolean} [showInfo]
  * @param {string|object} [bundlerBin]
- * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string, routeCheck?: boolean }} [bundlerOptions]
+ * @param {{ devStableAssets?: boolean, rebuildStrategy?: 'full'|'bundle-only'|'page-only', changedRoutes?: string[], fastPath?: boolean, globalGraphHash?: string, basePath?: string, routeCheck?: boolean, imageRuntimePayload?: object }} [bundlerOptions]
  * @returns {Promise<void>}
  */
 /**
@@ -284,7 +284,13 @@ export function runBundler(envelope, outDir, projectRoot, logger = null, showInf
             }
             rejectPromise(new Error(`Bundler failed with exit code ${code}`));
         });
-        child.stdin.write(JSON.stringify(envelope));
+        const bundlerPayload = bundlerOptions.imageRuntimePayload
+            ? {
+                inputs: Array.isArray(envelope) ? envelope : [envelope],
+                image_runtime_payload: bundlerOptions.imageRuntimePayload
+            }
+            : envelope;
+        child.stdin.write(JSON.stringify(bundlerPayload));
         child.stdin.end();
     });
 }

package/dist/build/page-loop-state.js

@@ -48,7 +48,7 @@ export function preparePageIrForMerge(pageIr) {
 }
 export function applyServerEnvelopeToPageIr({ pageIr, composedServer, hasGuard, hasLoad, hasAction, entry, srcDir, sourceFile }) {
     if (composedServer.serverScript) {
-        const { has_action: _unusedHasAction, ...serverScript } = composedServer.serverScript;
+        const { has_action: _unusedHasAction, export_paths: _unusedExportPaths, ...serverScript } = composedServer.serverScript;
         pageIr.server_script = serverScript;
         pageIr.prerender = composedServer.serverScript.prerender === true;
         if (pageIr.ssr_data === undefined) {

package/dist/build/server-script.d.ts

@@ -2,7 +2,7 @@
  * @param {string} source
  * @param {string} sourceFile
  * @param {object} [compilerOpts]
- * @returns {{ source: string, serverScript: { source: string, prerender: boolean, has_guard: boolean, has_load: boolean, has_action: boolean, source_path: string } | null }}
+ * @returns {{ source: string, serverScript: { source: string, prerender: boolean, has_guard: boolean, has_load: boolean, has_action: boolean, source_path: string, export_paths?: string[] } | null }}
  */
 export function extractServerScript(source: string, sourceFile: string, compilerOpts?: object): {
     source: string;
@@ -13,6 +13,7 @@ export function extractServerScript(source: string, sourceFile: string, compiler
         has_load: boolean;
         has_action: boolean;
         source_path: string;
+        export_paths?: string[];
     } | null;
 };
 /**

package/dist/build/server-script.js

@@ -1,10 +1,11 @@
 import { readFileSync } from 'node:fs';
 import { findNextKnownComponentTag } from '../component-tag-parser.js';
+import { extractStaticExportPaths } from '../static-export-paths.js';
 /**
  * @param {string} source
  * @param {string} sourceFile
  * @param {object} [compilerOpts]
- * @returns {{ source: string, serverScript: { source: string, prerender: boolean, has_guard: boolean, has_load: boolean, has_action: boolean, source_path: string } | null }}
+ * @returns {{ source: string, serverScript: { source: string, prerender: boolean, has_guard: boolean, has_load: boolean, has_action: boolean, source_path: string, export_paths?: string[] } | null }}
  */
 export function extractServerScript(source, sourceFile, compilerOpts = {}) {
     const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
@@ -155,6 +156,7 @@ export function extractServerScript(source, sourceFile, compilerOpts = {}) {
         }
         prerender = rawValue.startsWith('true');
     }
+    const exportPaths = extractStaticExportPaths(serverSource, sourceFile) || [];
     const start = match.index ?? -1;
     if (start < 0) {
         return {
@@ -165,7 +167,8 @@ export function extractServerScript(source, sourceFile, compilerOpts = {}) {
                 has_guard: hasGuard,
                 has_load: hasLoad,
                 has_action: hasAction,
-                source_path: sourceFile
+                source_path: sourceFile,
+                export_paths: exportPaths
             }
         };
     }
@@ -179,7 +182,8 @@ export function extractServerScript(source, sourceFile, compilerOpts = {}) {
             has_guard: hasGuard,
             has_load: hasLoad,
             has_action: hasAction,
-            source_path: sourceFile
+            source_path: sourceFile,
+            export_paths: exportPaths
         }
     };
 }

package/dist/build-output-manifest.d.ts

@@ -11,14 +11,15 @@ export function writeBuildOutputManifest({ coreOutputDir, staticDir, target, rou
     base_path: string;
     content_hash: any;
     routes: {
+        html: any;
+        assets: any[];
+        export_paths?: any[] | undefined;
         path: any;
         file: any;
         path_kind: any;
         render_mode: any;
         requires_hydration: boolean;
         params: any[];
-        html: any;
-        assets: any[];
     }[];
     assets: {
         js: any[];

package/dist/build-output-manifest.js

@@ -67,6 +67,9 @@ export async function writeBuildOutputManifest({ coreOutputDir, staticDir, targe
             render_mode: entry.render_mode,
             requires_hydration: /<script\b[^>]*type="module"/i.test(html),
             params: [...entry.params],
+            ...(Array.isArray(entry.export_paths) && entry.export_paths.length > 0
+                ? { export_paths: [...entry.export_paths] }
+                : {}),
             html: htmlPath,
             assets
         });

package/dist/build.js

@@ -1,15 +1,15 @@
-import { mkdir, rm } from 'node:fs/promises';
+import { cp, mkdir, rm } from 'node:fs/promises';
 import { join, resolve } from 'node:path';
 import { resolveBuildAdapter } from './adapters/resolve-adapter.js';
 import { normalizeBasePath } from './base-path.js';
 import { rewriteSoftNavigationHrefBasePathInHtmlFiles } from './base-path-html.js';
 import { writeBuildOutputManifest } from './build-output-manifest.js';
 import { generateManifest } from './manifest.js';
+import { writeResourceRouteManifest } from './resource-manifest.js';
 import { buildComponentRegistry } from './resolve-components.js';
 import { collectAssets, createCompilerWarningEmitter, runBundler } from './build/compiler-runtime.js';
 import { buildPageEnvelopes } from './build/page-loop.js';
 import { deriveProjectRootFromPagesDir, ensureZenithTypeDeclarations } from './build/type-declarations.js';
-import { materializeImageMarkupInHtmlFiles } from './images/materialize.js';
 import { buildImageArtifacts } from './images/service.js';
 import { injectImageMaterializationIntoRouterManifest } from './images/router-manifest.js';
 import { createImageRuntimePayload, injectImageRuntimePayloadIntoHtmlFiles } from './images/payload.js';
@@ -50,6 +50,7 @@ export async function build(options) {
     const projectRoot = deriveProjectRootFromPagesDir(pagesDir);
     const coreOutputDir = join(projectRoot, '.zenith-output');
     const staticOutputDir = join(coreOutputDir, 'static');
+    const imageStageDir = join(coreOutputDir, 'image-materialization-stage');
     const srcDir = resolve(pagesDir, '..');
     const compilerBin = createCompilerToolchain({ projectRoot, logger });
     const bundlerBin = createBundlerToolchain({ projectRoot, logger });
@@ -75,11 +76,12 @@ export async function build(options) {
     }
     const registry = startupProfile.measureSync('build_component_registry', () => buildComponentRegistry(srcDir));
     const manifest = await startupProfile.measureAsync('generate_manifest', () => generateManifest(pagesDir, '.zen', { compilerOpts }));
+    const pageManifest = manifest.filter((entry) => entry?.route_kind !== 'resource');
     if (mode !== 'legacy') {
         adapter.validateRoutes(manifest);
     }
     await startupProfile.measureAsync('ensure_zenith_type_declarations', () => ensureZenithTypeDeclarations({
-        manifest,
+        manifest: pageManifest,
         pagesDir
     }));
     await startupProfile.measureAsync('reset_core_output', () => rm(coreOutputDir, { recursive: true, force: true }));
@@ -92,7 +94,7 @@ export async function build(options) {
         console.warn(line);
     });
     const { envelopes, expressionRewriteMetrics } = await buildPageEnvelopes({
-        manifest,
+        manifest: pageManifest,
         pagesDir,
         srcDir,
         registry,
@@ -103,27 +105,37 @@ export async function build(options) {
         compilerTotals,
         emitCompilerWarning
     });
-    if (envelopes.length > 0) {
-        await startupProfile.measureAsync('run_bundler', () => runBundler(envelopes, staticOutputDir, projectRoot, logger, showBundlerInfo, bundlerBin, { basePath, routeCheck: routeCheckEnabled }), { envelopes: envelopes.length });
-        await startupProfile.measureAsync('inject_image_materialization_manifest', () => injectImageMaterializationIntoRouterManifest(staticOutputDir, envelopes), { envelopes: envelopes.length });
-    }
-    await startupProfile.measureAsync('rewrite_soft_navigation_base_path', () => rewriteSoftNavigationHrefBasePathInHtmlFiles(staticOutputDir, basePath));
     const { manifest: imageManifest } = await startupProfile.measureAsync('build_image_artifacts', () => buildImageArtifacts({
         projectRoot,
-        outDir: staticOutputDir,
+        outDir: imageStageDir,
         config: config.images
     }));
     const imageRuntimePayload = createImageRuntimePayload(config.images, imageManifest, 'passthrough', basePath);
-    await startupProfile.measureAsync('materialize_image_markup', () => materializeImageMarkupInHtmlFiles({
-        distDir: staticOutputDir,
-        payload: imageRuntimePayload
-    }));
+    if (envelopes.length > 0) {
+        await startupProfile.measureAsync('run_bundler', () => runBundler(envelopes, staticOutputDir, projectRoot, logger, showBundlerInfo, bundlerBin, {
+            basePath,
+            routeCheck: routeCheckEnabled,
+            imageRuntimePayload
+        }), { envelopes: envelopes.length });
+        await startupProfile.measureAsync('inject_image_materialization_manifest', () => injectImageMaterializationIntoRouterManifest(staticOutputDir, envelopes), { envelopes: envelopes.length });
+    }
+    await startupProfile.measureAsync('write_resource_manifest', () => writeResourceRouteManifest(staticOutputDir, manifest, basePath));
+    await startupProfile.measureAsync('rewrite_soft_navigation_base_path', () => rewriteSoftNavigationHrefBasePathInHtmlFiles(staticOutputDir, basePath));
+    await startupProfile.measureAsync('stage_image_artifacts_into_static_output', async () => {
+        if (Object.keys(imageManifest).length === 0) {
+            return;
+        }
+        await cp(join(imageStageDir, '_zenith'), join(staticOutputDir, '_zenith'), {
+            recursive: true,
+            force: true
+        });
+    });
     await startupProfile.measureAsync('inject_image_runtime_payload', () => injectImageRuntimePayloadIntoHtmlFiles(staticOutputDir, imageRuntimePayload));
     const buildManifest = await startupProfile.measureAsync('write_core_manifest', () => writeBuildOutputManifest({
         coreOutputDir,
         staticDir: staticOutputDir,
         target,
-        routeManifest: manifest,
+        routeManifest: pageManifest,
         basePath
     }));
     await startupProfile.measureAsync('write_server_output', () => writeServerOutput({
@@ -136,11 +148,11 @@ export async function build(options) {
     await startupProfile.measureAsync('adapt_output', () => adapter.adapt({ coreOutput: coreOutputDir, outDir, manifest: buildManifest, config }));
     const assets = await startupProfile.measureAsync('collect_assets', () => collectAssets(outDir));
     startupProfile.emit('build_complete', {
-        pages: manifest.length,
+        pages: pageManifest.length,
         assets: assets.length,
         target,
         compilerTotals,
         expressionRewriteMetrics
     });
-    return { pages: manifest.length, assets };
+    return { pages: pageManifest.length, assets };
 }