bosbun 0.0.1

package/src/core/routeFile.ts

@@ -0,0 +1,88 @@
+import { writeFileSync, mkdirSync } from "fs";
+import type { RouteManifest } from "./types.ts";
+
+// ─── Route File Generator ─────────────────────────────────
+// Generates .bunia/routes.ts — ONE file with three exports:
+//   clientRoutes  — used by client hydrator (page + layout lazy imports)
+//   serverRoutes  — used by SSR renderer (+ pageServer + layoutServers)
+//   apiRoutes     — used by API handler
+
+export function generateRoutesFile(manifest: RouteManifest): void {
+    const lines: string[] = [
+        "// AUTO-GENERATED by bunia build — do not edit\n",
+    ];
+
+    // clientRoutes
+    lines.push("export const clientRoutes: Array<{");
+    lines.push("  pattern: string;");
+    lines.push("  page: () => Promise<any>;");
+    lines.push("  layouts: (() => Promise<any>)[];");
+    lines.push("  hasServerData: boolean;");
+    lines.push("}> = [");
+    for (const r of manifest.pages) {
+        const layoutImports = r.layouts
+            .map(l => `() => import(${JSON.stringify(toImportPath(l))})`)
+            .join(", ");
+        const hasServerData = !!(r.pageServer || r.layoutServers.length > 0);
+        lines.push("  {");
+        lines.push(`    pattern: ${JSON.stringify(r.pattern)},`);
+        lines.push(`    page: () => import(${JSON.stringify(toImportPath(r.page))}),`);
+        lines.push(`    layouts: [${layoutImports}],`);
+        lines.push(`    hasServerData: ${hasServerData},`);
+        lines.push("  },");
+    }
+    lines.push("];\n");
+
+    // serverRoutes
+    lines.push("export const serverRoutes: Array<{");
+    lines.push("  pattern: string;");
+    lines.push("  pageModule: () => Promise<any>;");
+    lines.push("  layoutModules: (() => Promise<any>)[];");
+    lines.push("  pageServer: (() => Promise<any>) | null;");
+    lines.push("  layoutServers: { loader: () => Promise<any>; depth: number }[];");
+    lines.push("}> = [");
+    for (const r of manifest.pages) {
+        const layoutImports = r.layouts
+            .map(l => `() => import(${JSON.stringify(toImportPath(l))})`)
+            .join(", ");
+        const layoutServerImports = r.layoutServers
+            .map(ls => `{ loader: () => import(${JSON.stringify(toImportPath(ls.path))}), depth: ${ls.depth} }`)
+            .join(", ");
+        lines.push("  {");
+        lines.push(`    pattern: ${JSON.stringify(r.pattern)},`);
+        lines.push(`    pageModule: () => import(${JSON.stringify(toImportPath(r.page))}),`);
+        lines.push(`    layoutModules: [${layoutImports}],`);
+        lines.push(`    pageServer: ${r.pageServer ? `() => import(${JSON.stringify(toImportPath(r.pageServer))})` : "null"},`);
+        lines.push(`    layoutServers: [${layoutServerImports}],`);
+        lines.push("  },");
+    }
+    lines.push("];\n");
+
+    // apiRoutes
+    lines.push("export const apiRoutes: Array<{");
+    lines.push("  pattern: string;");
+    lines.push("  module: () => Promise<any>;");
+    lines.push("}> = [");
+    for (const r of manifest.apis) {
+        lines.push("  {");
+        lines.push(`    pattern: ${JSON.stringify(r.pattern)},`);
+        lines.push(`    module: () => import(${JSON.stringify(toImportPath(r.server))}),`);
+        lines.push("  },");
+    }
+    lines.push("];\n");
+
+    // errorPage
+    const ep = manifest.errorPage;
+    lines.push(`export const errorPage: (() => Promise<any>) | null = ${
+        ep ? `() => import(${JSON.stringify(toImportPath(ep))})` : "null"
+    };\n`);
+
+    mkdirSync(".bunia", { recursive: true });
+    writeFileSync(".bunia/routes.ts", lines.join("\n"));
+    console.log("✅ Routes generated: .bunia/routes.ts");
+}
+
+// Import path from .bunia/routes.ts to src/routes/<routePath>
+function toImportPath(routePath: string): string {
+    return "../src/routes/" + routePath.replace(/\\/g, "/");
+}

package/src/core/routeTypes.ts

@@ -0,0 +1,95 @@
+import { writeFileSync, readFileSync, existsSync, mkdirSync } from "fs";
+import { join } from "path";
+import type { RouteManifest } from "./types.ts";
+
+// ─── Route Types Generator ────────────────────────────────
+// Generates .bunia/types/src/routes/**/$types.d.ts for each
+// route directory. Combined with rootDirs in tsconfig.json,
+// this allows `import type { PageData } from './$types'` to
+// work in +page.svelte files — identical to SvelteKit's API.
+
+function routeDirOf(filePath: string): string {
+    const parts = filePath.replace(/\\/g, "/").split("/");
+    parts.pop();
+    return parts.join("/") || ".";
+}
+
+export function generateRouteTypes(manifest: RouteManifest): void {
+    // Collect { dir → { pageServer?, layoutServer? } }
+    const dirs = new Map<string, { pageServer?: string; layoutServer?: string }>();
+
+    for (const route of manifest.pages) {
+        const pageDir = routeDirOf(route.page);
+        if (!dirs.has(pageDir)) dirs.set(pageDir, {});
+        if (route.pageServer) {
+            dirs.get(pageDir)!.pageServer = route.pageServer;
+        }
+        for (const ls of route.layoutServers) {
+            const lsDir = routeDirOf(ls.path);
+            if (!dirs.has(lsDir)) dirs.set(lsDir, {});
+            dirs.get(lsDir)!.layoutServer = ls.path;
+        }
+    }
+
+    for (const [dir, info] of dirs) {
+        // Path segments of the route dir (empty array for root ".")
+        const segments = dir === "." ? [] : dir.split("/").filter(Boolean);
+
+        // Depth of the generated file from project root:
+        // .bunia/ + types/ + src/ + routes/ + ...segments
+        const depth = 4 + segments.length;
+        const up = "../".repeat(depth);
+        const srcBase = `${up}src/routes/${segments.length ? segments.join("/") + "/" : ""}`;
+
+        const lines: string[] = ["// AUTO-GENERATED by bunia — do not edit\n"];
+
+        if (info.pageServer) {
+            lines.push(`import type { load as _pageLoad } from '${srcBase}+page.server.ts';`);
+            lines.push(`export type PageData = Awaited<ReturnType<typeof _pageLoad>> & { params: Record<string, string> };`);
+        } else {
+            lines.push(`export type PageData = { params: Record<string, string> };`);
+        }
+        lines.push(`export type PageProps = { data: PageData };`);
+
+        if (info.layoutServer) {
+            lines.push(`\nimport type { load as _layoutLoad } from '${srcBase}+layout.server.ts';`);
+            lines.push(`export type LayoutData = Awaited<ReturnType<typeof _layoutLoad>> & { params: Record<string, string> };`);
+            lines.push(`export type LayoutProps = { data: LayoutData; children: any };`);
+        }
+
+        const outDir = join(process.cwd(), ".bunia", "types", "src", "routes", ...segments);
+        mkdirSync(outDir, { recursive: true });
+        writeFileSync(join(outDir, "$types.d.ts"), lines.join("\n") + "\n");
+    }
+
+    console.log(`✅ Route types generated: .bunia/types/ (${dirs.size} route director${dirs.size === 1 ? "y" : "ies"})`);
+}
+
+// ─── Ensure tsconfig rootDirs ─────────────────────────────
+// Adds ".bunia/types" to rootDirs so TypeScript resolves
+// `./$types` imports via the generated declaration files.
+// Only patches the file if rootDirs is not already set.
+
+export function ensureRootDirs(): void {
+    const tsconfigPath = join(process.cwd(), "tsconfig.json");
+    if (!existsSync(tsconfigPath)) return;
+
+    let tsconfig: any;
+    try {
+        tsconfig = JSON.parse(readFileSync(tsconfigPath, "utf-8"));
+    } catch {
+        console.warn("⚠️  Could not parse tsconfig.json — add rootDirs manually:\n" +
+            '   "rootDirs": [".", ".bunia/types"]');
+        return;
+    }
+
+    const rootDirs: string[] = tsconfig.compilerOptions?.rootDirs ?? [];
+    if (rootDirs.includes(".bunia/types")) return;
+
+    tsconfig.compilerOptions ??= {};
+    tsconfig.compilerOptions.rootDirs = [".", ".bunia/types",
+        ...rootDirs.filter((d: string) => d !== ".")];
+
+    writeFileSync(tsconfigPath, JSON.stringify(tsconfig, null, 2) + "\n");
+    console.log("✅ tsconfig.json: added .bunia/types to rootDirs");
+}

package/src/core/scanner.ts

@@ -0,0 +1,99 @@
+import { readdirSync, existsSync } from "fs";
+import { join } from "path";
+import type { PageRoute, ApiRoute, RouteManifest } from "./types.ts";
+
+// ─── Route Scanner ───────────────────────────────────────
+// Walks src/routes/ and produces a RouteManifest.
+//
+// Conventions (SvelteKit-compatible):
+//   +page.svelte         — page component
+//   +page.server.ts      — server loader for the page
+//   +layout.svelte       — layout component (wraps all children)
+//   +layout.server.ts    — server loader for the layout
+//   +server.ts           — API route (GET, POST, etc.)
+//   (group)/             — route group: invisible in URL, shares layouts
+//   [param]/             — dynamic segment
+//   [...rest]/           — catch-all segment
+
+const ROUTES_DIR = "./src/routes";
+
+export function scanRoutes(): RouteManifest {
+    const pages: PageRoute[] = [];
+    const apis: ApiRoute[] = [];
+
+    function walk(
+        dir: string,
+        urlSegments: string[],
+        layoutChain: string[],
+        layoutServerChain: { path: string; depth: number }[],
+    ) {
+        const fullDir = join(ROUTES_DIR, dir);
+        if (!existsSync(fullDir)) return;
+
+        const items = readdirSync(fullDir, { withFileTypes: true });
+
+        // Accumulate layouts for this level
+        const currentLayouts = [...layoutChain];
+        const currentLayoutServers = [...layoutServerChain];
+
+        if (items.some(i => i.isFile() && i.name === "+layout.svelte")) {
+            currentLayouts.push(join(dir, "+layout.svelte"));
+        }
+        if (items.some(i => i.isFile() && i.name === "+layout.server.ts")) {
+            currentLayoutServers.push({
+                path: join(dir, "+layout.server.ts"),
+                depth: currentLayouts.length - 1,
+            });
+        }
+
+        // API route (+server.ts)
+        if (items.some(i => i.isFile() && i.name === "+server.ts")) {
+            apis.push({
+                pattern: toUrlPath(urlSegments),
+                server: join(dir, "+server.ts"),
+            });
+        }
+
+        // Page route (+page.svelte)
+        if (items.some(i => i.isFile() && i.name === "+page.svelte")) {
+            const pageServerFile = items.some(i => i.isFile() && i.name === "+page.server.ts")
+                ? join(dir, "+page.server.ts")
+                : null;
+
+            pages.push({
+                pattern: toUrlPath(urlSegments),
+                page: join(dir, "+page.svelte"),
+                layouts: [...currentLayouts],
+                pageServer: pageServerFile,
+                layoutServers: [...currentLayoutServers],
+            });
+        }
+
+        // Recurse into subdirectories
+        for (const entry of items) {
+            if (!entry.isDirectory() || entry.name.startsWith(".") || entry.name === "node_modules") continue;
+
+            const dirName = entry.name;
+            // Route groups like (public), (auth) are invisible in URLs
+            const isGroup = /^\(.*\)$/.test(dirName);
+
+            walk(
+                dir ? join(dir, dirName) : dirName,
+                isGroup ? [...urlSegments] : [...urlSegments, dirName],
+                currentLayouts,
+                currentLayoutServers,
+            );
+        }
+    }
+
+    walk("", [], [], []);
+
+    const errorPage = existsSync(join(ROUTES_DIR, "+error.svelte")) ? "+error.svelte" : null;
+
+    return { pages, apis, errorPage };
+}
+
+function toUrlPath(segments: string[]): string {
+    if (segments.length === 0) return "/";
+    return "/" + segments.join("/");
+}

package/src/core/server.ts

@@ -0,0 +1,320 @@
+import { Elysia } from "elysia";
+import { staticPlugin } from "@elysiajs/static";
+import { existsSync } from "fs";
+import { join } from "path";
+
+import { findMatch } from "./matcher.ts";
+import { apiRoutes } from "bunia:routes";
+import type { Handle, RequestEvent } from "./hooks.ts";
+import { HttpError, Redirect } from "./errors.ts";
+import { CookieJar } from "./cookies.ts";
+import { checkCsrf } from "./csrf.ts";
+import type { CsrfConfig } from "./csrf.ts";
+import { getCorsHeaders, handlePreflight } from "./cors.ts";
+import type { CorsConfig } from "./cors.ts";
+import { isDev, compress, isStaticPath } from "./html.ts";
+import { loadRouteData, renderSSRStream, renderErrorPage } from "./renderer.ts";
+import { getServerTime } from "../lib/utils.ts";
+
+// ─── User Hooks ──────────────────────────────────────────
+// Load src/hooks.server.ts if present. Uses process.cwd() so
+// Bun can resolve it at runtime without bundling user code.
+
+let userHandle: Handle | null = null;
+
+const hooksPath = join(process.cwd(), "src", "hooks.server.ts");
+if (existsSync(hooksPath)) {
+    try {
+        const mod = await import(hooksPath);
+        if (typeof mod.handle === "function") {
+            userHandle = mod.handle as Handle;
+            console.log("🪝 Loaded hooks.server.ts");
+        }
+    } catch (err) {
+        console.warn("⚠️  Failed to load hooks.server.ts:", err);
+    }
+}
+
+// ─── CSRF Config ─────────────────────────────────────────
+// Parsed once at startup from CSRF_ALLOWED_ORIGINS env var.
+// Format: "https://x.com, https://y.com" — commas with or without spaces.
+
+const _csrfAllowedOrigins = process.env.CSRF_ALLOWED_ORIGINS
+    ?.split(",")
+    .map(s => s.trim())
+    .filter(Boolean);
+
+const CSRF_CONFIG: CsrfConfig = {
+    checkOrigin: true,
+    allowedOrigins: _csrfAllowedOrigins,
+};
+
+if (_csrfAllowedOrigins?.length) {
+    console.log(`🛡️  CSRF allowed origins: ${_csrfAllowedOrigins.join(", ")}`);
+} else {
+    console.log("🛡️  CSRF: same-origin only");
+}
+
+// ─── CORS Config ──────────────────────────────────────────
+// Parsed once at startup from CORS_ALLOWED_ORIGINS env var.
+// Format: "https://x.com, https://y.com" — commas with or without spaces.
+
+const _corsAllowedOrigins = process.env.CORS_ALLOWED_ORIGINS
+    ?.split(",")
+    .map(s => s.trim())
+    .filter(Boolean);
+
+function splitCsvEnv(key: string): string[] | undefined {
+    return process.env[key]?.split(",").map(s => s.trim()).filter(Boolean) || undefined;
+}
+
+const CORS_CONFIG: CorsConfig | null = _corsAllowedOrigins?.length
+    ? {
+        allowedOrigins: _corsAllowedOrigins,
+        allowedMethods: splitCsvEnv("CORS_ALLOWED_METHODS"),
+        allowedHeaders: splitCsvEnv("CORS_ALLOWED_HEADERS"),
+        exposedHeaders: splitCsvEnv("CORS_EXPOSED_HEADERS"),
+        credentials: process.env.CORS_CREDENTIALS === "true" || undefined,
+        maxAge: process.env.CORS_MAX_AGE ? parseInt(process.env.CORS_MAX_AGE, 10) : undefined,
+    }
+    : null;
+
+if (_corsAllowedOrigins?.length) {
+    console.log(`🌐 CORS allowed origins: ${_corsAllowedOrigins.join(", ")}`);
+}
+
+// ─── Core Request Resolver ────────────────────────────────
+// This is the inner handler that hooks wrap around.
+
+function isValidRoutePath(path: string, origin: string): boolean {
+    try {
+        return new URL(path, origin).origin === origin;
+    } catch {
+        return false;
+    }
+}
+
+async function resolve(event: RequestEvent): Promise<Response> {
+    const { request, url, locals, cookies } = event;
+    const path = url.pathname;
+    const method = request.method.toUpperCase();
+
+    // Health check endpoint — for load balancers and orchestrators
+    if (path === "/_health") {
+        const { timestamp, timezone } = getServerTime();
+        return Response.json({ status: "ok", timestamp, timezone });
+    }
+
+    // Data endpoint — returns server loader data as JSON for client-side navigation
+    if (path === "/__bunia/data") {
+        const routePath = url.searchParams.get("path") ?? "/";
+        if (!isValidRoutePath(routePath, url.origin)) {
+            return Response.json({ error: "Invalid path", status: 400 }, { status: 400 });
+        }
+        const routeUrl = new URL(routePath, url.origin);
+        // Rewrite event.url so logging middleware sees the real page path, not /__bunia/data
+        event.url = routeUrl;
+        try {
+            const data = await loadRouteData(routeUrl, locals, request, cookies);
+            if (!data) return compress(JSON.stringify({ pageData: {}, layoutData: [] }), "application/json", request);
+            return compress(JSON.stringify(data), "application/json", request);
+        } catch (err) {
+            if (err instanceof Redirect) {
+                return compress(JSON.stringify({ redirect: err.location, status: err.status }), "application/json", request);
+            }
+            if (err instanceof HttpError) {
+                return compress(JSON.stringify({ error: err.message, status: err.status }), "application/json", request, err.status);
+            }
+            if (isDev) console.error("Data endpoint error:", err);
+            else console.error("Data endpoint error:", (err as Error).message ?? err);
+            return Response.json({ error: "Internal Server Error" }, { status: 500 });
+        }
+    }
+
+    // Static files
+    if (isStaticPath(path)) {
+        // dist/client: serve with cache headers based on whether filename is hashed
+        if (path.startsWith("/dist/client/")) {
+            const file = Bun.file(`.${path.split("?")[0]}`);
+            if (await file.exists()) {
+                const filename = path.split("/").pop() ?? "";
+                const isHashed = /\-[a-z0-9]{8,}\.[a-z]+$/.test(filename);
+                const cacheControl = !isDev && isHashed
+                    ? "public, max-age=31536000, immutable"
+                    : "no-cache";
+                return new Response(file, { headers: { "Cache-Control": cacheControl } });
+            }
+            return new Response("Not Found", { status: 404 });
+        }
+        const pub = Bun.file(`./public${path}`);
+        if (await pub.exists()) return new Response(pub);
+        const dist = Bun.file(`.${path}`);
+        if (await dist.exists()) return new Response(dist);
+        return new Response("Not Found", { status: 404 });
+    }
+
+    // Prerendered pages — serve static HTML built at build time
+    const prerenderFile = Bun.file(
+        path === "/" ? "./dist/prerendered/index.html" : `./dist/prerendered${path}/index.html`
+    );
+    if (await prerenderFile.exists()) {
+        return new Response(prerenderFile, {
+            headers: {
+                "Content-Type": "text/html; charset=utf-8",
+                "Cache-Control": "public, max-age=3600",
+            },
+        });
+    }
+
+    // API routes (+server.ts)
+    const apiMatch = findMatch(apiRoutes, path);
+    if (apiMatch) {
+        try {
+            const mod = await apiMatch.route.module();
+            const handler = mod[method];
+
+            if (!handler) {
+                const allowed = Object.keys(mod).filter(k => /^[A-Z]+$/.test(k)).join(", ");
+                return Response.json(
+                    { error: `Method ${method} not allowed` },
+                    { status: 405, headers: { Allow: allowed } },
+                );
+            }
+
+            event.params = apiMatch.params;
+            return await handler({ request, params: apiMatch.params, url, locals, cookies });
+        } catch (err) {
+            if (isDev) console.error("API route error:", err);
+            else console.error("API route error:", (err as Error).message ?? err);
+            return Response.json({ error: "Internal Server Error" }, { status: 500 });
+        }
+    }
+
+    // SSR pages (+page.svelte) — streaming by default
+    const streamResponse = renderSSRStream(url, locals, request, cookies);
+    if (!streamResponse) return renderErrorPage(404, "Not Found", url, request);
+    return streamResponse;
+}
+
+// ─── Request Entry ────────────────────────────────────────
+
+const SECURITY_HEADERS: Record<string, string> = {
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "SAMEORIGIN",
+    "Referrer-Policy": "strict-origin-when-cross-origin",
+};
+
+async function handleRequest(request: Request, url: URL): Promise<Response> {
+    try {
+        // Handle CORS preflight before CSRF check (OPTIONS is CSRF-exempt)
+        if (CORS_CONFIG && request.method === "OPTIONS") {
+            const preflight = handlePreflight(request, CORS_CONFIG);
+            if (preflight) return preflight;
+        }
+
+        const csrfError = checkCsrf(request, url, CSRF_CONFIG);
+        if (csrfError) {
+            console.warn(`[CSRF] Blocked request: ${csrfError}`);
+            return Response.json({ error: "Forbidden", message: csrfError }, { status: 403 });
+        }
+
+        const cookieJar = new CookieJar(request.headers.get("cookie") ?? "");
+        const event: RequestEvent = { request, url, locals: {}, params: {}, cookies: cookieJar };
+        const response = userHandle
+            ? await userHandle({ event, resolve })
+            : await resolve(event);
+
+        const headers = new Headers(response.headers);
+        for (const [k, v] of Object.entries(SECURITY_HEADERS)) headers.set(k, v);
+        // Apply CORS headers for allowed origins
+        if (CORS_CONFIG) {
+            const corsHeaders = getCorsHeaders(request, CORS_CONFIG);
+            if (corsHeaders) {
+                for (const [k, v] of Object.entries(corsHeaders)) headers.set(k, v);
+            }
+        }
+        // Apply any Set-Cookie headers accumulated during the request
+        for (const cookie of cookieJar.outgoing) headers.append("Set-Cookie", cookie);
+        return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
+    } catch (err) {
+        if (isDev) console.error("Unhandled request error:", err);
+        else console.error("Unhandled request error:", (err as Error).message ?? err);
+        return Response.json({ error: "Internal Server Error" }, { status: 500 });
+    }
+}
+
+// ─── Body Size Limit ──────────────────────────────────────
+// Parsed once at startup from BODY_SIZE_LIMIT env var.
+// Format: "512K", "1M", "1G", plain bytes, or "Infinity".
+// Default: 512K (matches SvelteKit).
+
+function parseBodySizeLimit(value?: string): number {
+    if (!value) return 512 * 1024;
+    if (value === "Infinity") return 0; // Bun: 0 = no limit
+    const match = value.match(/^(\d+(?:\.\d+)?)\s*([KMG]?)$/i);
+    if (!match) throw new Error(`Invalid BODY_SIZE_LIMIT: "${value}"`);
+    const num = parseFloat(match[1]);
+    const unit = match[2].toUpperCase();
+    if (unit === "K") return Math.floor(num * 1024);
+    if (unit === "M") return Math.floor(num * 1024 * 1024);
+    if (unit === "G") return Math.floor(num * 1024 * 1024 * 1024);
+    return Math.floor(num);
+}
+
+const BODY_SIZE_LIMIT = parseBodySizeLimit(process.env.BODY_SIZE_LIMIT);
+
+if (BODY_SIZE_LIMIT === 0) {
+    console.log("📦 Body size limit: none");
+} else {
+    console.log(`📦 Body size limit: ${BODY_SIZE_LIMIT} bytes`);
+}
+
+// ─── Elysia App ───────────────────────────────────────────
+
+const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : (isDev ? 9001 : 9000);
+
+const app = new Elysia({ serve: { maxRequestBodySize: BODY_SIZE_LIMIT } })
+    .onError(({ error }) => {
+        if (isDev) console.error("Uncaught server error:", error);
+        else console.error("Uncaught server error:", (error as Error)?.message ?? error);
+        return Response.json({ error: "Internal Server Error" }, { status: 500 });
+    })
+    .use(staticPlugin({ assets: "public", prefix: "/" }))
+    // dist/client is served by our resolve() handler with proper cache headers
+    // API routes must intercept all HTTP methods before the GET catch-all
+    .onBeforeHandle(async ({ request }) => {
+        const url = new URL(request.url);
+        if (!findMatch(apiRoutes, url.pathname)) return; // not an API route
+        return handleRequest(request, url);
+    })
+    // SSR pages
+    .get("*", ({ request }) => {
+        const url = new URL(request.url);
+        return handleRequest(request, url);
+    })
+    // Non-GET catch-alls so onBeforeHandle fires for API routes on other methods
+    .post("*", () => new Response("Not Found", { status: 404 }))
+    .put("*", () => new Response("Not Found", { status: 404 }))
+    .patch("*", () => new Response("Not Found", { status: 404 }))
+    .delete("*", () => new Response("Not Found", { status: 404 }))
+    .options("*", ({ request }) => {
+        const url = new URL(request.url);
+        return handleRequest(request, url);
+    });
+
+app.listen(PORT, () => {
+    // In dev mode the proxy owns the user-facing port — don't print the internal port
+    if (!isDev) console.log(`🐰 Bunia server running at http://localhost:${PORT}`);
+});
+
+function shutdown() {
+    console.log("Shutting down...");
+    app.stop().then(() => process.exit(0));
+    // Force exit if stop hangs
+    setTimeout(() => process.exit(1), 10_000);
+}
+
+process.on("SIGTERM", shutdown);
+process.on("SIGINT", shutdown);
+
+export { app };

package/src/core/types.ts

@@ -0,0 +1,37 @@
+// ─── Bunia Core Types ────────────────────────────────────
+
+/** A page route discovered from the file system */
+export interface PageRoute {
+    /** URL pattern, e.g. "/" or "/blog/[slug]" or "/[...rest]" */
+    pattern: string;
+    /** Path to +page.svelte, relative to src/routes/ */
+    page: string;
+    /** Chain of +layout.svelte paths root → leaf, relative to src/routes/ */
+    layouts: string[];
+    /** Path to +page.server.ts if exists, relative to src/routes/ */
+    pageServer: string | null;
+    /** Chain of +layout.server.ts files root → leaf, with their layout depth */
+    layoutServers: { path: string; depth: number }[];
+}
+
+/** An API route discovered from the file system */
+export interface ApiRoute {
+    /** URL pattern, e.g. "/api/hello" or "/api/users/[id]" */
+    pattern: string;
+    /** Path to +server.ts, relative to src/routes/ */
+    server: string;
+}
+
+/** The full route manifest produced by the scanner */
+export interface RouteManifest {
+    pages: PageRoute[];
+    apis: ApiRoute[];
+    /** Path to root +error.svelte if it exists, relative to src/routes/ */
+    errorPage: string | null;
+}
+
+/** Result of matching a URL against a route */
+export interface RouteMatch<T> {
+    route: T;
+    params: Record<string, string>;
+}

package/src/lib/index.ts

@@ -0,0 +1,19 @@
+// ─── Bunia Public API ─────────────────────────────────────
+// Usage in user apps:
+//   import { cn, sequence } from "bunia"
+//   import type { RequestEvent, LoadEvent, Handle, Cookies } from "bunia"
+
+export { cn, getServerTime } from "./utils.ts";
+export { sequence } from "../core/hooks.ts";
+export { error, redirect } from "../core/errors.ts";
+export type { HttpError, Redirect } from "../core/errors.ts";
+export type {
+    RequestEvent,
+    LoadEvent,
+    Handle,
+    ResolveFunction,
+    Cookies,
+    CookieOptions,
+} from "../core/hooks.ts";
+export type { CsrfConfig } from "../core/csrf.ts";
+export type { CorsConfig } from "../core/cors.ts";