attaform 0.16.4 → 0.17.1

package/dist/shared/attaform.CuE-bS1C.d.mts

@@ -0,0 +1,165 @@
+import { z } from 'zod';
+import { G as GenericForm, s as FlatPath, B as NestedType, U as UseFormConfiguration, b as AbstractSchema, D as DeepPartial, c as DefaultValuesShape, ag as ValidateOnConfig, d as UseFormReturnType } from './attaform.C_5aB6EQ.mjs';
+
+/**
+ * The shape `form.values.<key>` returns at runtime.
+ *
+ * Per leaf:
+ *
+ * 1. `z.preprocess(fn, inner)` — compiles to `ZodPipe<ZodTransform, inner>`.
+ *    The preprocess fn fires at the write boundary (synthesized into
+ *    `setValue`), so storage holds whatever `inner` stores. Recurse
+ *    `StorageShape` on `inner` so a defaulted leaf inside `inner` still
+ *    reads `T` (not `T | undefined`).
+ *
+ * 2. `inner.transform(fn)` — compiles to `ZodPipe<inner, ZodTransform>`.
+ *    Transforms fire at submit / validate, NOT at the write boundary,
+ *    so storage holds whatever `inner` stores. Recurse `StorageShape`
+ *    on `inner` for the same reason.
+ *
+ *    A bare top-level `ZodTransform` (no `in` schema) reads
+ *    `_zod.input` directly — there's no inner to recurse into.
+ *
+ * 3. Codec / generic pipe — neither side is a transform. Read
+ *    `_zod.output`. Codecs aren't write-boundary-synthesized, so the
+ *    post-parse view is the only honest storage type.
+ *
+ * 4. Everything else (defaults, catch, readonly, optional, primitives,
+ *    nested objects) — read `_zod.output`. Defaults and catches fire
+ *    at parse time, so the post-init view is what storage holds.
+ *    Nested objects delegate to Zod's own recursion on `_zod.output`,
+ *    which peels nested defaults inside structural containers.
+ *
+ * Recursion: the alias calls itself on the non-transform side of a
+ * pipe so the inner shape gets the same per-key storage treatment as
+ * the top level. Without it, an inner `.default(...)` inside a
+ * transformed object would peel back to `T | undefined` (the broad
+ * input contract). Recursion only fires for pipe leaves — most leaves
+ * skip it.
+ *
+ * Implementation note: direct `_zod` property access mirrors Zod's
+ * own `$InferObjectOutput` / `$InferObjectInput`, which read
+ * `T[k]['_zod']['output']` / `T[k]['_zod']['input']` directly rather
+ * than wrapping in the top-level `output<T>` / `input<T>` conditional.
+ * Wrapping per key spawns a fresh conditional instantiation for every
+ * key; Volar's web-worker checker collapses that per-key walk to
+ * `any` once the schema is non-trivial. Property access has no
+ * conditional and resolves cleanly under the same budget.
+ *
+ * Shape access also goes through `_zod.def.shape` rather than
+ * `infer Shape from z.ZodObject<Shape>` — the latter collapses to the
+ * `$ZodShape` upper bound in the same worker because of
+ * `z.ZodObject`'s `out Shape` covariance markers.
+ */
+type StorageShape<S> = S extends {
+    _zod: {
+        def: {
+            type: 'object';
+            shape: infer Shape;
+        };
+    };
+} ? {
+    [K in keyof Shape]-?: StorageLeaf<Shape[K]>;
+} : StorageLeaf<S>;
+type StorageLeaf<L> = L extends {
+    _zod: {
+        def: {
+            type: 'pipe';
+            in: infer A;
+            out: infer B;
+        };
+    };
+} ? A extends {
+    _zod: {
+        def: {
+            type: 'transform';
+        };
+    };
+} ? StorageShape<B> : B extends {
+    _zod: {
+        def: {
+            type: 'transform';
+        };
+    };
+} ? StorageShape<A> : L extends {
+    _zod: {
+        output: infer Out;
+    };
+} ? Out : never : L extends {
+    _zod: {
+        def: {
+            type: 'transform';
+        };
+    };
+} ? L extends {
+    _zod: {
+        input: infer In;
+    };
+} ? In : never : L extends {
+    _zod: {
+        output: infer Out;
+    };
+} ? Out : never;
+
+/**
+ * Zod v4 adapter entry point. Re-exports the adapter + the useForm
+ * wrapper that threads zod-v4-specific schema types through
+ * useAbstractForm.
+ */
+
+/**
+ * Type of the value accepted at `Path` for `setValue` / `defaultValues`
+ * — the schema's `z.input<Schema>` shape at that path. Matches what
+ * `form.values.X` returns at runtime (the honest input view storage
+ * holds before transforms run).
+ *
+ * ```ts
+ * const schema = z.object({
+ *   flag: z.string().transform((v) => v.length > 10),
+ * })
+ * type FlagWriteIn = PathInput<typeof schema, 'flag'> // string
+ * ```
+ */
+type PathInput<Schema extends z.ZodType, Path extends string> = z.input<Schema> extends GenericForm ? Path extends FlatPath<z.input<Schema>> ? NestedType<z.input<Schema>, Path> : never : never;
+/**
+ * Type produced at `Path` after the full parse pipeline — the schema's
+ * `z.output<Schema>` shape at that path. Matches the `data` payload of
+ * `form.process()` and the value handed to `handleSubmit`'s callback.
+ *
+ * ```ts
+ * const schema = z.object({
+ *   flag: z.string().transform((v) => v.length > 10),
+ * })
+ * type FlagParsedOut = PathOutput<typeof schema, 'flag'> // boolean
+ * ```
+ */
+type PathOutput<Schema extends z.ZodType, Path extends string> = z.output<Schema> extends GenericForm ? Path extends FlatPath<z.output<Schema>> ? NestedType<z.output<Schema>, Path> : never : never;
+/**
+ * Create a form bound to a Zod v4 schema.
+ *
+ * ```ts
+ * import { useForm } from 'attaform/zod'
+ * import { z } from 'zod'
+ *
+ * const form = useForm({
+ *   schema: z.object({
+ *     email: z.email(),
+ *     password: z.string().min(8),
+ *   }),
+ *   defaultValues: { email: '' },
+ * })
+ * ```
+ *
+ * Returns a form API exposing `register`, `values`, `errors`,
+ * `fields`, `setValue`, `handleSubmit`, `meta`, field-array
+ * helpers, and more. See `UseFormReturnType` for the full
+ * surface.
+ *
+ * For Zod v3, import from `attaform/zod-v3` instead.
+ */
+declare function useForm<Schema extends z.ZodObject>(configuration: Omit<UseFormConfiguration<z.input<Schema> extends GenericForm ? z.input<Schema> : never, z.output<Schema> extends GenericForm ? z.output<Schema> : never, AbstractSchema<z.input<Schema> extends GenericForm ? z.input<Schema> : never, z.output<Schema> extends GenericForm ? z.output<Schema> : never>, DeepPartial<DefaultValuesShape<z.input<Schema> extends GenericForm ? z.input<Schema> : never>>>, 'schema' | 'validateOn' | 'debounceMs'> & {
+    schema: Schema;
+} & ValidateOnConfig): UseFormReturnType<z.input<Schema> extends GenericForm ? z.input<Schema> : never, z.output<Schema> extends GenericForm ? z.output<Schema> : never, StorageShape<Schema> extends GenericForm ? StorageShape<Schema> : never>;
+
+export { useForm as u };
+export type { PathInput as P, StorageShape as S, PathOutput as a };

package/dist/shared/{attaform.rIRYSUI1.cjs → attaform.Dee2rU1P.cjs}

@@ -73,7 +73,7 @@ function formatAnonPersistMessage(opts) {
 }
 
 function detectSSR(options = {}) {
-  if (options.override !== void 0) return options.override;
+  if (options.ssr !== void 0) return options.ssr;
   return typeof window === "undefined" && typeof document === "undefined";
 }
 
@@ -383,91 +383,138 @@ function createPersistOptInRegistry() {
   };
 }
 
-const SENSITIVE_NAME_PATTERNS = [
-  // Passwords and PIN-like
-  /password/i,
-  /passwd/i,
-  /passwords/i,
-  /\bpwd\b/i,
-  /\bpin\b/i,
+const DEFAULT_SENSITIVE_NAMES = Object.freeze([
+  // Passwords + PIN-like
+  "password",
+  "passwd",
+  "pwd",
+  "pin",
   // Card / payment
-  /\bcvv\b/i,
-  /\bcvc\b/i,
-  /card[_\s-]?(?:number|num)/i,
-  /\bcard\b/i,
-  /\biban\b/i,
-  /routing[_\s-]?number/i,
-  /account[_\s-]?number/i,
+  "cvv",
+  "cvc",
+  "card_number",
+  "card_num",
+  "card",
+  "iban",
+  "routing_number",
+  "account_number",
   // Government / identity
-  /\bssn\b/i,
-  /social[_\s-]?security/i,
-  /\bdob\b/i,
-  /date[_\s-]?of[_\s-]?birth/i,
-  /passport/i,
-  /driver[_\s-]?license/i,
-  // Tax IDs (US + international common variants)
-  /\btin\b/i,
-  /\bein\b/i,
-  /\bitin\b/i,
-  /tax[_\s-]?id/i,
-  // Tokens, secrets, API/auth credentials
-  /\btoken\b/i,
-  /\btokens\b/i,
-  /secret/i,
-  /secrets/i,
-  /api[_\s-]?key/i,
-  /api[_\s-]?secret/i,
-  /api[_\s-]?token/i,
-  /private[_\s-]?key/i,
-  /\bbearer\b/i,
-  /\boauth\b/i,
-  /auth[_\s-]?token/i,
-  /access[_\s-]?token/i,
-  /refresh[_\s-]?token/i,
-  /session[_\s-]?(?:id|key|token)/i,
+  "ssn",
+  "social_security",
+  "dob",
+  "date_of_birth",
+  "passport",
+  "driver_license",
+  // Tax IDs
+  "tin",
+  "ein",
+  "itin",
+  "tax_id",
+  // Tokens / secrets / API auth
+  "token",
+  "tokens",
+  "secret",
+  "secrets",
+  "api_key",
+  "api_secret",
+  "api_token",
+  "private_key",
+  "bearer",
+  "oauth",
+  "auth_token",
+  "access_token",
+  "refresh_token",
+  "session_id",
+  "session_key",
+  "session_token",
   // MFA / OTP
-  /\botp\b/i,
-  /one[_\s-]?time[_\s-]?(?:password|code)/i,
-  /mfa[_\s-]?(?:secret|seed|code|token)/i,
-  /two[_\s-]?factor[_\s-]?(?:code|token)/i,
-  /\b2fa[_\s-]?(?:code|token)?\b/i,
-  /recovery[_\s-]?code/i,
-  /backup[_\s-]?code/i
-];
-function segmentMatchesSensitive(segment) {
-  if (typeof segment !== "string") return false;
-  for (const pattern of SENSITIVE_NAME_PATTERNS) {
-    if (pattern.test(segment)) return true;
+  "otp",
+  "one_time_password",
+  "one_time_code",
+  "mfa_secret",
+  "mfa_seed",
+  "mfa_code",
+  "mfa_token",
+  "two_factor_code",
+  "two_factor_token",
+  "2fa",
+  "2fa_code",
+  "2fa_token",
+  "recovery_code",
+  "backup_code"
+]);
+const WORD_BOUNDARY_THRESHOLD = 5;
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function nameToRegex(name) {
+  const parts = name.split(/[_\s-]/).filter((p) => p.length > 0);
+  if (parts.length === 0) {
+    return /(?!)/;
   }
-  return false;
-}
-function isSensitivePath(path) {
-  if (typeof path !== "string") {
-    for (const segment of path) {
-      if (segmentMatchesSensitive(segment)) return true;
+  const escaped = parts.map(escapeRegex).join("[_\\s-]?");
+  const compactLength = parts.reduce((sum, p) => sum + p.length, 0);
+  const useBoundary = compactLength <= WORD_BOUNDARY_THRESHOLD;
+  const source = useBoundary ? `\\b${escaped}\\b` : escaped;
+  return new RegExp(source, "i");
+}
+function namesToPatterns(names) {
+  const patterns = [];
+  for (const name of names) {
+    if (typeof name !== "string" || name.length === 0) continue;
+    patterns.push(nameToRegex(name));
+  }
+  return patterns;
+}
+const DEFAULT_PATTERNS = namesToPatterns(DEFAULT_SENSITIVE_NAMES);
+function createSegmentMatchesSensitive(names = DEFAULT_SENSITIVE_NAMES) {
+  const patterns = names === DEFAULT_SENSITIVE_NAMES ? DEFAULT_PATTERNS : namesToPatterns(names);
+  return (segment) => {
+    if (typeof segment !== "string") return false;
+    for (const p of patterns) {
+      if (p.test(segment)) return true;
     }
     return false;
-  }
-  if (path.startsWith("[")) {
-    try {
-      const parsed = JSON.parse(path);
-      if (Array.isArray(parsed)) {
-        for (const segment of parsed) {
-          if (segmentMatchesSensitive(segment)) return true;
+  };
+}
+function createIsSensitivePath(names = DEFAULT_SENSITIVE_NAMES) {
+  const segmentMatches = createSegmentMatchesSensitive(names);
+  return (path) => {
+    if (typeof path !== "string") {
+      for (const segment of path) {
+        if (segmentMatches(segment)) return true;
+      }
+      return false;
+    }
+    if (path.startsWith("[")) {
+      try {
+        const parsed = JSON.parse(path);
+        if (Array.isArray(parsed)) {
+          for (const segment of parsed) {
+            if (segmentMatches(segment)) return true;
+          }
+          return false;
         }
-        return false;
+      } catch {
       }
-    } catch {
     }
-  }
-  for (const segment of path.split(".")) {
-    if (segmentMatchesSensitive(segment)) return true;
-  }
-  return false;
+    for (const segment of path.split(".")) {
+      if (segmentMatches(segment)) return true;
+    }
+    return false;
+  };
 }
-function enforceSensitiveCheck(path, acknowledged) {
+const defaultSegmentMatches = createSegmentMatchesSensitive();
+const defaultIsSensitivePath = createIsSensitivePath();
+function segmentMatchesSensitive(segment) {
+  return defaultSegmentMatches(segment);
+}
+function isSensitivePath(path) {
+  return defaultIsSensitivePath(path);
+}
+function enforceSensitiveCheck(path, acknowledged, isSensitive = defaultIsSensitivePath) {
   if (acknowledged) return;
-  if (!isSensitivePath(path)) return;
+  if (!isSensitive(path)) return;
   throw new SensitivePersistFieldError(path);
 }
 
@@ -609,10 +656,25 @@ function syncPersistOptIn(el, value, oldValue) {
   }
   if (wantsOptIn) {
     const v = value;
-    enforceSensitiveCheck(v.path, v.acknowledgeSensitive);
+    enforceSensitiveCheck(v.path, v.acknowledgeSensitive, v.isSensitivePath);
     v.persistOptIns.add(elementId, v.path);
   }
 }
+function syncMultiTabOptOut(value, oldValue) {
+  const wasOptedOut = isRegisterValue(oldValue) && oldValue.unmarkNoSync !== void 0;
+  const wantsOptOut = isRegisterValue(value) && value.markNoSync !== void 0;
+  if (!wasOptedOut && !wantsOptOut) return;
+  if (wasOptedOut) {
+    const old = oldValue;
+    const samePath = wantsOptOut && value.path === old.path;
+    if (!samePath) old.unmarkNoSync?.();
+  }
+  if (wantsOptOut) {
+    const v = value;
+    const samePathOld = wasOptedOut && oldValue.path === v.path;
+    if (!samePathOld) v.markNoSync?.();
+  }
+}
 function syncElementRegistration(el, value, oldValue) {
   const wasRegistered = isRegisterValue(oldValue);
   const isRegistered = isRegisterValue(value);
@@ -1061,6 +1123,7 @@ const warnedUnsupportedElements = __DEV__ ? /* @__PURE__ */ new WeakSet() : null
 const vRegisterDynamic = {
   created(el, binding, vnode) {
     syncPersistOptIn(el, binding.value, void 0);
+    syncMultiTabOptOut(binding.value, void 0);
     callModelHook(el, binding, vnode, null, "created");
     if (__DEV__ && warnedUnsupportedElements !== null && !SUPPORTED_TAGS.has(el.tagName) && !warnedUnsupportedElements.has(el)) {
       void vue.nextTick(() => {
@@ -1082,6 +1145,7 @@ const vRegisterDynamic = {
   },
   beforeUpdate(el, binding, vnode, prevVNode) {
     syncPersistOptIn(el, binding.value, binding.oldValue);
+    syncMultiTabOptOut(binding.value, binding.oldValue);
     syncElementRegistration(el, binding.value, binding.oldValue);
     callModelHook(el, binding, vnode, prevVNode, "beforeUpdate");
   },
@@ -1092,6 +1156,7 @@ const vRegisterDynamic = {
     removeTrackedListeners(el);
     if (isRegisterValue(value)) {
       value.persistOptIns.removeAllFor(getOrAssignElementId(el));
+      value.unmarkNoSync?.();
     }
     if (!isRegisterValue(value)) return;
     value.deregisterElement(el);
@@ -1169,6 +1234,7 @@ function createAttaform(options = {}) {
 
 exports.AnonPersistError = AnonPersistError;
 exports.AttaformError = AttaformError;
+exports.DEFAULT_SENSITIVE_NAMES = DEFAULT_SENSITIVE_NAMES;
 exports.InvalidPathError = InvalidPathError;
 exports.InvalidUseFormConfigError = InvalidUseFormConfigError;
 exports.OutsideSetupError = OutsideSetupError;
@@ -1180,8 +1246,10 @@ exports.__DEV__ = __DEV__;
 exports.assignKey = assignKey;
 exports.captureUserCallSite = captureUserCallSite;
 exports.createAttaform = createAttaform;
+exports.createIsSensitivePath = createIsSensitivePath;
 exports.createPersistOptInRegistry = createPersistOptInRegistry;
 exports.createRegistry = createRegistry;
+exports.createSegmentMatchesSensitive = createSegmentMatchesSensitive;
 exports.enforceSensitiveCheck = enforceSensitiveCheck;
 exports.ensureAttaformInstalled = ensureAttaformInstalled;
 exports.getRegistryFromApp = getRegistryFromApp;
@@ -1194,4 +1262,4 @@ exports.segmentMatchesSensitive = segmentMatchesSensitive;
 exports.useRegister = useRegister;
 exports.useRegistry = useRegistry;
 exports.vRegister = vRegister;
-//# sourceMappingURL=attaform.rIRYSUI1.cjs.map
+//# sourceMappingURL=attaform.Dee2rU1P.cjs.map