blumenjs 0.2.1 → 0.2.3

package/dist/templates/app/shared/RouterContext.tsx

@@ -14,6 +14,7 @@ import React, {
 	useCallback,
 	useEffect,
 	useRef,
+	Suspense,
 } from "react";
 import { matchRoute, type RouteDef } from "./router";
 import { BlumenErrorBoundary } from "./ErrorBoundary";
@@ -230,7 +231,9 @@ export function RouterProvider({
 					className={`page-transition ${transitioning ? "page-transition-exit" : "page-transition-active"}`}
 				>
 					<BlumenErrorBoundary>
-						<App Component={PageComponent} pageProps={pageProps} />
+						<Suspense fallback={LoadingComp ? <LoadingComp /> : <DefaultLoading />}>
+							<App Component={PageComponent} pageProps={pageProps} />
+						</Suspense>
 					</BlumenErrorBoundary>
 				</div>
 			)}

package/dist/templates/go-server/actions.go

@@ -0,0 +1,147 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// ─── Server Actions Handler ────────────────────────────────────
+// Handles POST /_blumen/action requests from client components.
+// Validates CSRF tokens, then forwards to the Node SSR server
+// for execution.
+
+// actionRequest is the JSON body from the client.
+type actionRequest struct {
+	Action string      `json:"action"`
+	Input  interface{} `json:"input"`
+}
+
+// actionResponse is the response from the Node SSR server.
+type actionResponse struct {
+	Success bool        `json:"success"`
+	Data    interface{} `json:"data,omitempty"`
+	Error   string      `json:"error,omitempty"`
+}
+
+// ActionHandler creates the HTTP handler for server actions.
+func ActionHandler() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Only POST is allowed
+		if r.Method != http.MethodPost {
+			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		// ── CSRF Validation (double-submit cookie pattern) ────
+		// The client sends a token in the X-CSRF-Token header
+		// and also sets it as a _blumen_csrf cookie.
+		// We validate that they match.
+		headerToken := r.Header.Get("X-CSRF-Token")
+		if headerToken == "" {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusForbidden)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Missing CSRF token",
+			})
+			return
+		}
+
+		// Get CSRF cookie
+		cookieToken := ""
+		if cookie, err := r.Cookie("_blumen_csrf"); err == nil {
+			cookieToken = cookie.Value
+		}
+
+		// Validate: header token must match cookie token
+		if cookieToken == "" || headerToken != cookieToken {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusForbidden)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Invalid CSRF token",
+			})
+			return
+		}
+
+		// ── Parse request body ────────────────────────────────
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusBadRequest)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Failed to read request body",
+			})
+			return
+		}
+		defer r.Body.Close()
+
+		var actionReq actionRequest
+		if err := json.Unmarshal(body, &actionReq); err != nil {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusBadRequest)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Invalid request body",
+			})
+			return
+		}
+
+		if actionReq.Action == "" {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusBadRequest)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Action name is required",
+			})
+			return
+		}
+
+		// ── Forward to Node SSR server ────────────────────────
+		nodeURL := fmt.Sprintf("http://localhost:4000/action")
+
+		nodeBody, _ := json.Marshal(map[string]interface{}{
+			"action": actionReq.Action,
+			"input":  actionReq.Input,
+		})
+
+		nodeReq, err := http.NewRequest("POST", nodeURL, strings.NewReader(string(nodeBody)))
+		if err != nil {
+			log.Printf("Action proxy error: %v", err)
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Failed to create action request",
+			})
+			return
+		}
+		nodeReq.Header.Set("Content-Type", "application/json")
+
+		client := &http.Client{Timeout: 30 * time.Second}
+		resp, err := client.Do(nodeReq)
+		if err != nil {
+			log.Printf("Action execution error: %v", err)
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusServiceUnavailable)
+			json.NewEncoder(w).Encode(actionResponse{
+				Success: false,
+				Error:   "Action server unavailable",
+			})
+			return
+		}
+		defer resp.Body.Close()
+
+		// Forward the response from Node
+		respBody, _ := io.ReadAll(resp.Body)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(resp.StatusCode)
+		w.Write(respBody)
+	}
+}

package/dist/templates/go-server/main.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"io"
 	"log"
 	"net"
 	"net/http"
@@ -11,9 +12,10 @@ import (
 )
 
 const (
-	nodeSSRURL  = "http://localhost:4000/render"
-	nodeDataURL = "http://localhost:4000/data"
-	nodeAPIURL  = "http://localhost:4000/api"
+	nodeSSRURL       = "http://localhost:4000/render"
+	nodeStreamURL    = "http://localhost:4000/stream-render"
+	nodeDataURL      = "http://localhost:4000/data"
+	nodeAPIURL       = "http://localhost:4000/api"
 )
 
 // Global page cache — stores rendered HTML in Go memory for near-instant responses.
@@ -234,7 +236,23 @@ func PageHandler(loader DataLoader) http.HandlerFunc {
 			return
 		}
 
-		// CACHE MISS: render the page and cache the result
+		// CACHE MISS: try streaming SSR first for instant TTFB
+		// Streaming bypasses the cache — the HTML is sent directly to the browser.
+		// The next request will use renderPage and populate the cache.
+		if r.Header.Get("X-Blumen-Data") != "1" {
+			if streamRenderPage(w, r, loader) {
+				// Successfully streamed — also trigger a background cache fill
+				go func() {
+					html, revalidate := renderPage(r, loader)
+					if html != "" {
+						pageCache.Set(cacheKey, html, revalidate)
+					}
+				}()
+				return
+			}
+		}
+
+		// Streaming unavailable or SPA data request — fall back to renderPage
 		html, revalidate := renderPage(r, loader)
 		if html == "" {
 			// renderPage already wrote the error response
@@ -330,6 +348,91 @@ func renderPage(r *http.Request, loader DataLoader) (string, int) {
 	return ssrResp.HTML, revalidate
 }
 
+// streamRenderPage streams HTML from Node SSR directly to the client.
+// Uses chunked transfer encoding for instant TTFB.
+// Returns true if streaming succeeded, false if caller should fall back.
+func streamRenderPage(w http.ResponseWriter, r *http.Request, loader DataLoader) bool {
+	// Check if ResponseWriter supports flushing (required for streaming)
+	flusher, ok := w.(http.Flusher)
+	if !ok {
+		return false
+	}
+
+	var props map[string]interface{}
+	var err error
+
+	if loader != nil {
+		props, err = loader(r)
+		if err != nil {
+			log.Printf("Streaming: loader error: %v", err)
+			return false
+		}
+	} else {
+		tsProps, _, tsErr := fetchServerProps(r)
+		if tsErr != nil {
+			log.Printf("Streaming: getServerProps error: %v", tsErr)
+		} else if tsProps != nil {
+			props = tsProps
+		}
+	}
+
+	ssrReq := SSRRequest{
+		Path:  r.URL.Path,
+		Query: r.URL.Query(),
+		Params: map[string]interface{}{
+			"url":     r.URL.String(),
+			"headers": r.Header,
+		},
+		Data: props,
+	}
+
+	reqBody, err := json.Marshal(ssrReq)
+	if err != nil {
+		log.Printf("Streaming: marshal error: %v", err)
+		return false
+	}
+
+	resp, err := httpClient.Post(nodeStreamURL, "application/json", bytes.NewReader(reqBody))
+	if err != nil {
+		log.Printf("Streaming: node request error: %v", err)
+		return false
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		log.Printf("Streaming: node returned %d", resp.StatusCode)
+		return false
+	}
+
+	// Set response headers for streaming
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Transfer-Encoding", "chunked")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+	w.Header().Set("X-Blumen-Cache", "STREAM")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.WriteHeader(http.StatusOK)
+
+	// Stream chunks from Node to the browser
+	buf := make([]byte, 4096)
+	for {
+		n, readErr := resp.Body.Read(buf)
+		if n > 0 {
+			w.Write(buf[:n])
+			flusher.Flush()
+		}
+		if readErr != nil {
+			if readErr != io.EOF {
+				log.Printf("Streaming: read error: %v", readErr)
+			}
+			break
+		}
+	}
+
+	return true
+}
+
 // fetchServerProps calls the Node SSR /data endpoint to run getServerProps.
 // Returns nil if the page doesn't export getServerProps.
 // Also returns the revalidate TTL (0 = no caching from getServerProps).

package/dist/templates/go-server/middleware.go

@@ -423,7 +423,7 @@ type SecurityConfig struct {
 // DefaultSecurityConfig returns production-ready security header defaults.
 func DefaultSecurityConfig() SecurityConfig {
 	return SecurityConfig{
-		CSP:                   "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' ws: wss:;",
+		CSP:                   "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:3100; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; connect-src 'self' ws: wss: http://localhost:3100 ws://localhost:3100;",
 		HSTSMaxAge:            31536000, // 1 year
 		HSTSIncludeSubdomains: true,
 		FrameOptions:          "DENY",

package/dist/templates/go-server/redirects.go

@@ -0,0 +1,203 @@
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+	"regexp"
+	"strings"
+)
+
+// ─── Redirects & Rewrites Engine ───────────────────────────────
+// Declarative URL routing configured via blumen.routes.json.
+// Processed at the Go layer for zero-overhead URL manipulation.
+
+// RedirectRule defines a URL redirect.
+type RedirectRule struct {
+	Source      string `json:"source"`      // Source path pattern (e.g. "/old", "/blog/:slug")
+	Destination string `json:"destination"` // Destination URL
+	Permanent   bool   `json:"permanent"`   // 301 (permanent) or 307 (temporary)
+}
+
+// RewriteRule defines a URL rewrite (internal, transparent to browser).
+type RewriteRule struct {
+	Source      string `json:"source"`      // Source path pattern
+	Destination string `json:"destination"` // Internal destination path
+}
+
+// RoutesConfig holds all redirect and rewrite rules.
+type RoutesConfig struct {
+	Redirects []RedirectRule `json:"redirects"`
+	Rewrites  []RewriteRule  `json:"rewrites"`
+}
+
+// compiledRedirect is a pre-compiled redirect rule for fast matching.
+type compiledRedirect struct {
+	pattern     *regexp.Regexp
+	paramNames  []string
+	destination string
+	permanent   bool
+}
+
+// compiledRewrite is a pre-compiled rewrite rule for fast matching.
+type compiledRewrite struct {
+	pattern     *regexp.Regexp
+	paramNames  []string
+	destination string
+}
+
+// RoutesEngine processes redirects and rewrites.
+type RoutesEngine struct {
+	redirects []compiledRedirect
+	rewrites  []compiledRewrite
+}
+
+// LoadRoutesConfig reads the routes config from blumen.routes.json.
+func LoadRoutesConfig(path string) (*RoutesConfig, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var config RoutesConfig
+	if err := json.Unmarshal(data, &config); err != nil {
+		return nil, err
+	}
+
+	return &config, nil
+}
+
+// NewRoutesEngine compiles redirect and rewrite rules for fast matching.
+func NewRoutesEngine(config *RoutesConfig) *RoutesEngine {
+	engine := &RoutesEngine{}
+
+	for _, r := range config.Redirects {
+		pattern, params := compileRoutePattern(r.Source)
+		engine.redirects = append(engine.redirects, compiledRedirect{
+			pattern:     pattern,
+			paramNames:  params,
+			destination: r.Destination,
+			permanent:   r.Permanent,
+		})
+	}
+
+	for _, r := range config.Rewrites {
+		pattern, params := compileRoutePattern(r.Source)
+		engine.rewrites = append(engine.rewrites, compiledRewrite{
+			pattern:     pattern,
+			paramNames:  params,
+			destination: r.Destination,
+		})
+	}
+
+	return engine
+}
+
+// compileRoutePattern converts a route pattern like "/blog/:slug" or "/old/*"
+// into a compiled regex and extracts parameter names.
+func compileRoutePattern(source string) (*regexp.Regexp, []string) {
+	var paramNames []string
+	regexStr := "^"
+
+	parts := strings.Split(source, "/")
+	for _, part := range parts {
+		if part == "" {
+			continue
+		}
+
+		regexStr += "/"
+
+		if part == "*" {
+			// Wildcard: match everything
+			regexStr += "(.*)"
+			paramNames = append(paramNames, "*")
+		} else if strings.HasPrefix(part, ":") {
+			// Named parameter: match path segment
+			paramName := strings.TrimPrefix(part, ":")
+			paramNames = append(paramNames, paramName)
+			regexStr += "([^/]+)"
+		} else {
+			// Literal match
+			regexStr += regexp.QuoteMeta(part)
+		}
+	}
+
+	regexStr += "$"
+	return regexp.MustCompile(regexStr), paramNames
+}
+
+// interpolateDestination replaces :param placeholders in the destination
+// with matched values from the source pattern.
+func interpolateDestination(destination string, paramNames []string, matches []string) string {
+	result := destination
+	for i, name := range paramNames {
+		if i+1 < len(matches) {
+			if name == "*" {
+				result = strings.ReplaceAll(result, ":splat", matches[i+1])
+			} else {
+				result = strings.ReplaceAll(result, ":"+name, matches[i+1])
+			}
+		}
+	}
+	return result
+}
+
+// RedirectsMiddleware creates a middleware that processes redirects and rewrites.
+func RedirectsMiddleware(engine *RoutesEngine) MiddlewareFunc {
+	return func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+		path := r.URL.Path
+
+		// Check redirects first (external, browser follows)
+		for _, redirect := range engine.redirects {
+			matches := redirect.pattern.FindStringSubmatch(path)
+			if matches != nil {
+				dest := interpolateDestination(redirect.destination, redirect.paramNames, matches)
+				status := http.StatusTemporaryRedirect // 307
+				if redirect.permanent {
+					status = http.StatusMovedPermanently // 301
+				}
+				http.Redirect(w, r, dest, status)
+				return
+			}
+		}
+
+		// Check rewrites (internal, transparent to browser)
+		for _, rewrite := range engine.rewrites {
+			matches := rewrite.pattern.FindStringSubmatch(path)
+			if matches != nil {
+				dest := interpolateDestination(rewrite.destination, rewrite.paramNames, matches)
+				r.URL.Path = dest
+				next(w, r)
+				return
+			}
+		}
+
+		// No match — continue to handler
+		next(w, r)
+	}
+}
+
+// SetupRedirects loads the routes config and registers the middleware.
+// Returns the number of rules loaded, or -1 if no config file exists.
+func SetupRedirects(chain *MiddlewareChain, configPath string) int {
+	config, err := LoadRoutesConfig(configPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return -1 // No config file — not an error
+		}
+		log.Printf("⚠ Failed to load routes config: %v", err)
+		return 0
+	}
+
+	total := len(config.Redirects) + len(config.Rewrites)
+	if total == 0 {
+		return 0
+	}
+
+	engine := NewRoutesEngine(config)
+	chain.Use(RedirectsMiddleware(engine))
+
+	log.Printf("🔀 Loaded %d redirect(s) and %d rewrite(s)", len(config.Redirects), len(config.Rewrites))
+	return total
+}