bosbun 0.0.1

package/src/core/build.ts

@@ -0,0 +1,157 @@
+import { SveltePlugin } from "bun-plugin-svelte";
+import { writeFileSync, rmSync, mkdirSync } from "fs";
+import { join, relative } from "path";
+import { spawnSync } from "bun";
+
+import { scanRoutes } from "./scanner.ts";
+import { generateRoutesFile } from "./routeFile.ts";
+import { generateRouteTypes, ensureRootDirs } from "./routeTypes.ts";
+import { makeBuniaPlugin } from "./plugin.ts";
+import { prerenderStaticRoutes } from "./prerender.ts";
+import { loadEnv, classifyEnvVars } from "./env.ts";
+import { generateEnvModules } from "./envCodegen.ts";
+
+// Resolved from this file's location inside the bunia package
+const CORE_DIR = import.meta.dir;
+const BUNIA_NODE_MODULES = join(CORE_DIR, "..", "..", "node_modules");
+
+// ─── Entry Point ─────────────────────────────────────────
+
+const isProduction = process.env.NODE_ENV === "production";
+
+console.log("🏗️  Starting Bunia build...\n");
+
+// 0. Load .env files (before cleaning .bunia so loadEnv can set process.env early)
+const envMode = isProduction ? "production" : "development";
+const envVars = loadEnv(envMode);
+const classifiedEnv = classifyEnvVars(envVars);
+
+// 0b. Clean all generated output first
+try { rmSync("./dist",   { recursive: true, force: true }); } catch { }
+try { rmSync("./.bunia", { recursive: true, force: true }); } catch { }
+
+// 1. Scan routes
+const manifest = scanRoutes();
+console.log(`📂 Found ${manifest.pages.length} page route(s):`);
+for (const r of manifest.pages) {
+    console.log(`   ${r.pattern} → ${r.page}${r.pageServer ? " (server)" : ""}`);
+}
+if (manifest.apis.length > 0) {
+    console.log(`📡 Found ${manifest.apis.length} API route(s):`);
+    for (const r of manifest.apis) {
+        console.log(`   ${r.pattern} → ${r.server}`);
+    }
+}
+
+// 2. Generate .bunia/routes.ts (single file replaces all old code generators)
+generateRoutesFile(manifest);
+
+// 2b. Generate .bunia/types/src/routes/**/$types.d.ts for IDE type inference
+generateRouteTypes(manifest);
+
+// 2c. Ensure tsconfig.json has rootDirs pointing at .bunia/types
+ensureRootDirs();
+
+// 2d. Generate .bunia/env.server.ts, .bunia/env.client.ts, .bunia/types/env.d.ts
+generateEnvModules(classifiedEnv);
+
+// 3. Build Tailwind CSS
+console.log("\n🎨 Building Tailwind CSS...");
+const tailwindBin = join(BUNIA_NODE_MODULES, ".bin", "tailwindcss");
+const tailwindResult = spawnSync(
+    [tailwindBin, "-i", "./src/app.css", "-o", "./public/bunia-tw.css", ...(isProduction ? ["--minify"] : [])],
+    {
+        cwd: process.cwd(),
+        env: { ...process.env, NODE_PATH: BUNIA_NODE_MODULES },
+    },
+);
+if (tailwindResult.exitCode !== 0) {
+    console.error("❌ Tailwind CSS build failed:\n" + tailwindResult.stderr.toString());
+    process.exit(1);
+}
+console.log("✅ Tailwind CSS built: public/bunia-tw.css");
+
+// Separate plugin instances per build target (bunia:env resolves differently)
+const clientPlugin = makeBuniaPlugin("browser");
+const serverPlugin = makeBuniaPlugin("bun");
+
+// Build-time defines: inline PUBLIC_STATIC_* and STATIC_* vars
+const staticDefines: Record<string, string> = {};
+for (const [key, value] of Object.entries(classifiedEnv.publicStatic)) {
+    staticDefines[`import.meta.env.${key}`] = JSON.stringify(value);
+}
+for (const [key, value] of Object.entries(classifiedEnv.privateStatic)) {
+    staticDefines[`import.meta.env.${key}`] = JSON.stringify(value);
+}
+
+// 5. Build client bundle
+console.log("\n📦 Building client bundle...");
+const clientResult = await Bun.build({
+    entrypoints: [join(CORE_DIR, "client", "hydrate.ts")],
+    outdir: "./dist/client",
+    target: "browser",
+    splitting: true,
+    naming: { chunk: "[name]-[hash].[ext]" },
+    minify: isProduction,
+    define: {
+        "process.env.NODE_ENV": JSON.stringify(process.env.NODE_ENV ?? "development"),
+        ...staticDefines,
+    },
+    plugins: [clientPlugin, SveltePlugin()],
+});
+
+if (!clientResult.success) {
+    console.error("❌ Client build failed:");
+    for (const msg of clientResult.logs) console.error(msg);
+    process.exit(1);
+}
+
+// 6. Collect output files for dist/manifest.json
+const jsFiles: string[] = [];
+const cssFiles: string[] = [];
+for (const output of clientResult.outputs) {
+    const rel = relative("./dist/client", output.path);
+    if (output.path.endsWith(".js")) jsFiles.push(rel);
+    if (output.path.endsWith(".css")) cssFiles.push(rel);
+}
+
+// 7. Build server bundle (before writing manifest so we can record the entry)
+console.log("\n📦 Building server bundle...");
+const serverResult = await Bun.build({
+    entrypoints: [join(CORE_DIR, "server.ts")],
+    outdir: "./dist/server",
+    target: "bun",
+    splitting: true,
+    naming: { entry: "index.[ext]", chunk: "[name]-[hash].[ext]" },
+    minify: isProduction,
+    external: ["elysia", "@elysiajs/static"],
+    plugins: [serverPlugin, SveltePlugin()],
+});
+
+if (!serverResult.success) {
+    console.error("❌ Server build failed:");
+    for (const msg of serverResult.logs) console.error(msg);
+    process.exit(1);
+}
+
+// Entry is always "index.js" due to naming: { entry: "index.[ext]" }
+const serverEntry = serverResult.outputs
+    .find(o => o.path.endsWith("index.js"))
+    ?.path.split("/").pop() ?? "index.js";
+
+// 8. Write dist/manifest.json
+mkdirSync("./dist", { recursive: true });
+const distManifest = {
+    js: jsFiles,
+    css: cssFiles,
+    entry: jsFiles.find(f => f.startsWith("hydrate")) ?? jsFiles[0] ?? "hydrate.js",
+    serverEntry,
+};
+writeFileSync("./dist/manifest.json", JSON.stringify(distManifest, null, 2));
+console.log(`✅ Client bundle: ${jsFiles.join(", ")}`);
+console.log(`✅ Server entry:  dist/server/${serverEntry}`);
+
+// 9. Prerender static routes
+await prerenderStaticRoutes(manifest);
+
+console.log("\n🎉 Build complete!");

package/src/core/client/App.svelte

@@ -0,0 +1,147 @@
+<script lang="ts">
+  import { router } from "./router.svelte.ts";
+  import { findMatch } from "../matcher.ts";
+  import { clientRoutes } from "bunia:routes";
+
+  let {
+    ssrMode = false,
+    ssrPageComponent = null,
+    ssrLayoutComponents = [],
+    ssrPageData = {},
+    ssrLayoutData = [],
+  }: {
+    ssrMode?: boolean;
+    ssrPageComponent?: any;
+    ssrLayoutComponents?: any[];
+    ssrPageData?: Record<string, any>;
+    ssrLayoutData?: Record<string, any>[];
+  } = $props();
+
+  let PageComponent = $state<any>(ssrPageComponent);
+  let layoutComponents = $state<any[]>(ssrLayoutComponents ?? []);
+  let pageData = $state<Record<string, any>>(ssrPageData ?? {});
+  let layoutData = $state<Record<string, any>[]>(ssrLayoutData ?? []);
+  // Kept separate to avoid a read→write cycle inside the $effect below
+  let routeParams = $state<Record<string, string>>(ssrPageData?.params ?? {});
+  let navigating = $state(false);
+  let navDone = $state(false);
+  // Skip bar on the very first effect run (initial hydration — data already present)
+  let firstNav = true;
+  let navDoneTimer: ReturnType<typeof setTimeout> | null = null;
+
+  $effect(() => {
+    if (ssrMode) return;
+
+    const path = router.currentRoute;
+    const match = findMatch(clientRoutes, path);
+    if (!match) return;
+
+    let cancelled = false;
+
+    const isFirst = firstNav;
+    firstNav = false;
+    if (!isFirst) {
+      if (navDoneTimer) { clearTimeout(navDoneTimer); navDoneTimer = null; }
+      navDone = false;
+      navigating = true;
+    }
+
+    // Load components + data in parallel, then update state atomically
+    // to avoid a flash of stale/empty data before the fetch completes.
+    const dataFetch = match.route.hasServerData
+      ? fetch(`/__bunia/data?path=${encodeURIComponent(path)}`).then(r => r.json()).catch(() => null)
+      : Promise.resolve(null);
+
+    Promise.all([
+      match.route.page(),
+      Promise.all(match.route.layouts.map((l: any) => l())),
+      dataFetch,
+    ]).then(([pageMod, layoutMods, result]: [any, any[], any]) => {
+      if (cancelled) return;
+      navigating = false;
+      navDone = true;
+      navDoneTimer = setTimeout(() => { navDone = false; }, 400);
+      if (result?.redirect) {
+        router.navigate(result.redirect);
+        return;
+      }
+      if (result?.error) {
+        window.location.href = path;
+        return;
+      }
+      PageComponent = pageMod.default;
+      layoutComponents = layoutMods.map((m: any) => m.default);
+      pageData = result?.pageData ?? {};
+      layoutData = result?.layoutData ?? [];
+      routeParams = result?.pageData?.params ?? match.params;
+    });
+
+    return () => { cancelled = true; };
+  });
+</script>
+
+<!--
+  Nested layout rendering:
+  layouts[0] wraps layouts[1] wraps ... wraps PageComponent
+-->
+
+{#if navigating}
+  <div class="bunia-bar loading"></div>
+{:else if navDone}
+  <div class="bunia-bar done"></div>
+{/if}
+
+{#if layoutComponents.length > 0}
+  {@render renderLayout(0)}
+{:else if PageComponent}
+  <PageComponent data={{ ...pageData, params: routeParams }} />
+{:else}
+  <p>Loading...</p>
+{/if}
+
+{#snippet renderLayout(index: number)}
+  {@const Layout = layoutComponents[index]}
+  {@const data = layoutData[index] ?? {}}
+
+  {#if index < layoutComponents.length - 1}
+    <Layout {data}>
+      {@render renderLayout(index + 1)}
+    </Layout>
+  {:else}
+    <Layout {data}>
+      {#if PageComponent}
+        <PageComponent data={{ ...pageData, params: routeParams }} />
+      {:else}
+        <p>Loading...</p>
+      {/if}
+    </Layout>
+  {/if}
+{/snippet}
+
+<style>
+  .bunia-bar {
+    position: fixed;
+    top: 0;
+    left: 0;
+    height: 2px;
+    width: 100%;
+    background: var(--bunia-loading-color, #f73b27);
+    z-index: 9999;
+    pointer-events: none;
+    transform-origin: left center;
+  }
+  .bunia-bar.loading {
+    animation: bunia-load 8s cubic-bezier(0.02, 0.5, 0.5, 1) forwards;
+  }
+  .bunia-bar.done {
+    animation: bunia-done 0.35s ease forwards;
+  }
+  @keyframes bunia-load {
+    from { transform: scaleX(0); }
+    to   { transform: scaleX(0.85); }
+  }
+  @keyframes bunia-done {
+    from { transform: scaleX(1); opacity: 1; }
+    to   { transform: scaleX(1); opacity: 0; }
+  }
+</style>

package/src/core/client/hydrate.ts

@@ -0,0 +1,78 @@
+import { hydrate } from "svelte";
+import App from "./App.svelte";
+import { router } from "./router.svelte.ts";
+import { findMatch } from "../matcher.ts";
+import { clientRoutes } from "bunia:routes";
+
+// ─── Hydration ────────────────────────────────────────────
+
+async function main() {
+    const path = window.location.pathname;
+
+    router.init();
+    router.currentRoute = path;
+
+    // Resolve the current route so we can pre-load the components
+    // before handing off to App.svelte (avoids a flash of "Loading...")
+    const match = findMatch(clientRoutes, path);
+
+    let ssrPageComponent = null;
+    let ssrLayoutComponents: any[] = [];
+
+    if (match) {
+        const [pageMod, ...layoutMods] = await Promise.all([
+            match.route.page(),
+            ...match.route.layouts.map(l => l()),
+        ]);
+        ssrPageComponent = pageMod.default;
+        ssrLayoutComponents = layoutMods.map(m => m.default);
+        router.params = match.params;
+    }
+
+    hydrate(App, {
+        target: document.getElementById("app")!,
+        props: {
+            ssrMode: false,
+            ssrPageComponent,
+            ssrLayoutComponents,
+            ssrPageData: (window as any).__BUNIA_PAGE_DATA__ ?? {},
+            ssrLayoutData: (window as any).__BUNIA_LAYOUT_DATA__ ?? [],
+        },
+    });
+}
+
+main();
+
+// ─── Hot Reload (dev only) ────────────────────────────────
+
+if (process.env.NODE_ENV !== "production") {
+    let connectedOnce = false;
+    let retryDelay = 1000;
+
+    function connectSSE() {
+        const es = new EventSource("/__bunia/sse");
+
+        es.addEventListener("reload", () => {
+            console.log("[Bunia] Reloading...");
+            window.location.reload();
+        });
+
+        es.onopen = () => {
+            retryDelay = 1000;
+            if (connectedOnce) {
+                // Server came back up after a restart — reload immediately
+                window.location.reload();
+            }
+            connectedOnce = true;
+        };
+
+        es.onerror = () => {
+            es.close();
+            console.log(`[Bunia] SSE disconnected. Retrying in ${retryDelay / 1000}s...`);
+            setTimeout(connectSSE, retryDelay);
+            retryDelay = Math.min(retryDelay + 1000, 5000);
+        };
+    }
+
+    connectSSE();
+}

package/src/core/client/router.svelte.ts

@@ -0,0 +1,46 @@
+// ─── Client Router ────────────────────────────────────────
+// Svelte 5 rune-based reactive router.
+// Singleton used by App.svelte and hydrate.ts.
+
+import { findMatch } from "../matcher.ts";
+import { clientRoutes } from "bunia:routes";
+
+export const router = new class Router {
+    currentRoute = $state(typeof window !== "undefined" ? window.location.pathname : "/");
+    params = $state<Record<string, string>>({});
+
+    navigate(path: string) {
+        if (this.currentRoute === path) return;
+        // Unknown route — let the server handle it (renders +error.svelte with 404)
+        if (!findMatch(clientRoutes, path)) {
+            window.location.href = path;
+            return;
+        }
+        this.currentRoute = path;
+        if (typeof history !== "undefined") {
+            history.pushState({}, "", path);
+        }
+    }
+
+    init() {
+        if (typeof window === "undefined") return;
+
+        // Intercept <a> clicks for client-side navigation
+        window.addEventListener("click", (e) => {
+            const anchor = (e.target as HTMLElement).closest("a");
+            if (!anchor) return;
+            if (anchor.origin !== window.location.origin) return;
+            if (anchor.target) return;
+            if (anchor.hasAttribute("download")) return;
+            if (anchor.protocol !== "https:" && anchor.protocol !== "http:") return;
+
+            e.preventDefault();
+            this.navigate(anchor.pathname + anchor.search + anchor.hash);
+        });
+
+        // Browser back/forward
+        window.addEventListener("popstate", () => {
+            this.currentRoute = window.location.pathname + window.location.search + window.location.hash;
+        });
+    }
+}();

package/src/core/cookies.ts

@@ -0,0 +1,52 @@
+import type { Cookies, CookieOptions } from "./hooks.ts";
+
+// ─── Cookie Helpers ──────────────────────────────────────
+
+function parseCookies(header: string): Record<string, string> {
+    const result: Record<string, string> = {};
+    for (const pair of header.split(";")) {
+        const idx = pair.indexOf("=");
+        if (idx === -1) continue;
+        const name = pair.slice(0, idx).trim();
+        const value = pair.slice(idx + 1).trim();
+        if (name) result[name] = decodeURIComponent(value);
+    }
+    return result;
+}
+
+export class CookieJar implements Cookies {
+    private _incoming: Record<string, string>;
+    private _outgoing: string[] = [];
+
+    constructor(cookieHeader: string) {
+        this._incoming = parseCookies(cookieHeader);
+    }
+
+    get(name: string): string | undefined {
+        return this._incoming[name];
+    }
+
+    getAll(): Record<string, string> {
+        return { ...this._incoming };
+    }
+
+    set(name: string, value: string, options?: CookieOptions): void {
+        let header = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
+        header += `; Path=${options?.path ?? "/"}`;
+        if (options?.domain) header += `; Domain=${options.domain}`;
+        if (options?.maxAge != null) header += `; Max-Age=${options.maxAge}`;
+        if (options?.expires) header += `; Expires=${options.expires.toUTCString()}`;
+        if (options?.httpOnly) header += "; HttpOnly";
+        if (options?.secure) header += "; Secure";
+        if (options?.sameSite) header += `; SameSite=${options.sameSite}`;
+        this._outgoing.push(header);
+    }
+
+    delete(name: string, options?: Pick<CookieOptions, "path" | "domain">): void {
+        this.set(name, "", { path: options?.path, domain: options?.domain, maxAge: 0 });
+    }
+
+    get outgoing(): readonly string[] {
+        return this._outgoing;
+    }
+}

package/src/core/cors.ts

@@ -0,0 +1,60 @@
+export interface CorsConfig {
+    /** Origins allowed to make cross-origin requests (e.g. ["https://app.example.com"]) */
+    allowedOrigins: string[];
+    /** HTTP methods to allow. Default: GET, HEAD, PUT, PATCH, POST, DELETE */
+    allowedMethods?: string[];
+    /** Request headers to allow. Default: Content-Type, Authorization */
+    allowedHeaders?: string[];
+    /** Response headers to expose to the browser. Default: none */
+    exposedHeaders?: string[];
+    /** Whether to allow cookies/auth credentials. Default: false */
+    credentials?: boolean;
+    /** Preflight cache duration in seconds. Default: 86400 (24h) */
+    maxAge?: number;
+}
+
+const DEFAULT_METHODS = "GET, HEAD, PUT, PATCH, POST, DELETE";
+const DEFAULT_HEADERS = "Content-Type, Authorization";
+
+/**
+ * Returns CORS response headers if the request Origin is in the allowed list.
+ * Returns null if Origin is absent or not allowed.
+ */
+export function getCorsHeaders(request: Request, config: CorsConfig): Record<string, string> | null {
+    const origin = request.headers.get("origin");
+    if (!origin) return null;
+
+    const allowed = config.allowedOrigins.includes(origin);
+    if (!allowed) return null;
+
+    const headers: Record<string, string> = {
+        "Access-Control-Allow-Origin": origin,
+        "Vary": "Origin",
+    };
+
+    if (config.credentials) {
+        headers["Access-Control-Allow-Credentials"] = "true";
+    }
+
+    if (config.exposedHeaders?.length) {
+        headers["Access-Control-Expose-Headers"] = config.exposedHeaders.join(", ");
+    }
+
+    return headers;
+}
+
+/**
+ * Handles OPTIONS preflight requests.
+ * Returns a 204 response with CORS headers, or null if the origin is not allowed.
+ */
+export function handlePreflight(request: Request, config: CorsConfig): Response | null {
+    const base = getCorsHeaders(request, config);
+    if (!base) return null;
+
+    const headers = new Headers(base as HeadersInit);
+    headers.set("Access-Control-Allow-Methods", config.allowedMethods?.join(", ") ?? DEFAULT_METHODS);
+    headers.set("Access-Control-Allow-Headers", config.allowedHeaders?.join(", ") ?? DEFAULT_HEADERS);
+    headers.set("Access-Control-Max-Age", String(config.maxAge ?? 86400));
+
+    return new Response(null, { status: 204, headers });
+}

package/src/core/csrf.ts

@@ -0,0 +1,65 @@
+// ─── CSRF Protection ──────────────────────────────────────
+// Origin-based CSRF validation — same approach as SvelteKit.
+// All non-safe (state-changing) requests must originate from
+// the same origin as the server. Browsers always send `Origin`
+// on cross-origin requests, so a missing or mismatched header
+// is treated as a cross-origin attack.
+
+export interface CsrfConfig {
+    /** Whether to enforce origin checks. Default: true. */
+    checkOrigin: boolean;
+    /** Additional origins to allow (e.g. CDN or mobile app origin). */
+    allowedOrigins?: string[];
+}
+
+export const DEFAULT_CSRF_CONFIG: CsrfConfig = {
+    checkOrigin: true,
+};
+
+const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
+
+/**
+ * Check whether a request passes CSRF validation.
+ * Returns `null` on success, or an error message string to reject with 403.
+ */
+export function checkCsrf(
+    request: Request,
+    url: URL,
+    config: CsrfConfig = DEFAULT_CSRF_CONFIG,
+): string | null {
+    if (!config.checkOrigin) return null;
+    if (SAFE_METHODS.has(request.method.toUpperCase())) return null;
+
+    // Derive the expected origin.
+    // In dev, the browser hits the proxy on DEV_PORT (e.g. localhost:9000)
+    // while the Elysia server sees url.origin as localhost:9001.
+    // X-Forwarded-Host / Host headers reflect the actual host the client used.
+    const forwardedHost = request.headers.get("x-forwarded-host");
+    const host = forwardedHost ?? request.headers.get("host");
+    const protocol = request.headers.get("x-forwarded-proto") ?? url.protocol.replace(":", "");
+    const expectedOrigin = host ? `${protocol}://${host}` : url.origin;
+
+    const allowedOrigins = new Set([expectedOrigin, ...(config.allowedOrigins ?? [])]);
+
+    // Check Origin header first (sent by all modern browsers on cross-origin requests)
+    const originHeader = request.headers.get("origin");
+    if (originHeader) {
+        if (allowedOrigins.has(originHeader)) return null;
+        return `Cross-origin request blocked: Origin "${originHeader}" is not allowed`;
+    }
+
+    // Fall back to Referer (older browsers, some same-origin form posts)
+    const refererHeader = request.headers.get("referer");
+    if (refererHeader) {
+        try {
+            const refererOrigin = new URL(refererHeader).origin;
+            if (allowedOrigins.has(refererOrigin)) return null;
+            return `Cross-origin request blocked: Referer "${refererHeader}" is not allowed`;
+        } catch {
+            return `Cross-origin request blocked: Referer header is malformed`;
+        }
+    }
+
+    // Neither Origin nor Referer present — reject
+    return "Forbidden: missing Origin or Referer header on non-safe request";
+}