bosbun 0.0.2 → 0.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bosbun",
-  "version": "0.0.2",
+  "version": "0.0.4",
   "type": "module",
   "description": "A minimalist fullstack framework — SSR + Svelte 5 Runes + Bun + ElysiaJS",
   "keywords": [

package/src/core/client/App.svelte

@@ -9,12 +9,14 @@
     ssrLayoutComponents = [],
     ssrPageData = {},
     ssrLayoutData = [],
+    ssrFormData = null,
   }: {
     ssrMode?: boolean;
     ssrPageComponent?: any;
     ssrLayoutComponents?: any[];
     ssrPageData?: Record<string, any>;
     ssrLayoutData?: Record<string, any>[];
+    ssrFormData?: any;
   } = $props();
 
   let PageComponent = $state<any>(ssrPageComponent);
@@ -23,6 +25,7 @@
   let layoutData = $state<Record<string, any>[]>(ssrLayoutData ?? []);
   // Kept separate to avoid a read→write cycle inside the $effect below
   let routeParams = $state<Record<string, string>>(ssrPageData?.params ?? {});
+  let formData = $state<any>(ssrFormData);
   let navigating = $state(false);
   let navDone = $state(false);
   // Skip bar on the very first effect run (initial hydration — data already present)
@@ -41,6 +44,7 @@
     const isFirst = firstNav;
     firstNav = false;
     if (!isFirst) {
+      formData = null;
       if (navDoneTimer) { clearTimeout(navDoneTimer); navDoneTimer = null; }
       navDone = false;
       navigating = true;
@@ -94,7 +98,7 @@
 {#if layoutComponents.length > 0}
   {@render renderLayout(0)}
 {:else if PageComponent}
-  <PageComponent data={{ ...pageData, params: routeParams }} />
+  <PageComponent data={{ ...pageData, params: routeParams }} form={formData} />
 {:else}
   <p>Loading...</p>
 {/if}
@@ -110,7 +114,7 @@
   {:else}
     <Layout {data}>
       {#if PageComponent}
-        <PageComponent data={{ ...pageData, params: routeParams }} />
+        <PageComponent data={{ ...pageData, params: routeParams }} form={formData} />
       {:else}
         <p>Loading...</p>
       {/if}

package/src/core/client/hydrate.ts

@@ -37,6 +37,7 @@ async function main() {
             ssrLayoutComponents,
             ssrPageData: (window as any).__BUNIA_PAGE_DATA__ ?? {},
             ssrLayoutData: (window as any).__BUNIA_LAYOUT_DATA__ ?? [],
+            ssrFormData: (window as any).__BUNIA_FORM_DATA__ ?? null,
         },
     });
 }

package/src/core/cookies.ts

@@ -1,5 +1,10 @@
 import type { Cookies, CookieOptions } from "./hooks.ts";
 
+// ─── Cookie Validation ───────────────────────────────────
+/** Rejects characters that could inject into Set-Cookie headers. */
+const UNSAFE_COOKIE_VALUE = /[;\r\n]/;
+const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);
+
 // ─── Cookie Helpers ──────────────────────────────────────
 
 function parseCookies(header: string): Record<string, string> {
@@ -9,7 +14,10 @@ function parseCookies(header: string): Record<string, string> {
         if (idx === -1) continue;
         const name = pair.slice(0, idx).trim();
         const value = pair.slice(idx + 1).trim();
-        if (name) result[name] = decodeURIComponent(value);
+        if (name) {
+            try { result[name] = decodeURIComponent(value); }
+            catch { result[name] = value; }
+        }
     }
     return result;
 }
@@ -32,13 +40,21 @@ export class CookieJar implements Cookies {
 
     set(name: string, value: string, options?: CookieOptions): void {
         let header = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
-        header += `; Path=${options?.path ?? "/"}`;
-        if (options?.domain) header += `; Domain=${options.domain}`;
+        const path = options?.path ?? "/";
+        if (UNSAFE_COOKIE_VALUE.test(path)) throw new Error(`Invalid cookie path: ${path}`);
+        header += `; Path=${path}`;
+        if (options?.domain) {
+            if (UNSAFE_COOKIE_VALUE.test(options.domain)) throw new Error(`Invalid cookie domain: ${options.domain}`);
+            header += `; Domain=${options.domain}`;
+        }
         if (options?.maxAge != null) header += `; Max-Age=${options.maxAge}`;
         if (options?.expires) header += `; Expires=${options.expires.toUTCString()}`;
         if (options?.httpOnly) header += "; HttpOnly";
         if (options?.secure) header += "; Secure";
-        if (options?.sameSite) header += `; SameSite=${options.sameSite}`;
+        if (options?.sameSite) {
+            if (!VALID_SAMESITE.has(options.sameSite)) throw new Error(`Invalid cookie sameSite: ${options.sameSite}`);
+            header += `; SameSite=${options.sameSite}`;
+        }
         this._outgoing.push(header);
     }
 

package/src/core/env.ts

@@ -14,6 +14,9 @@ const FRAMEWORK_VARS = new Set([
     "CORS_EXPOSED_HEADERS",
     "CORS_CREDENTIALS",
     "CORS_MAX_AGE",
+    "LOAD_TIMEOUT",
+    "METADATA_TIMEOUT",
+    "PRERENDER_TIMEOUT",
 ]);
 
 // ─── .env File Parser ────────────────────────────────────
@@ -81,6 +84,11 @@ export function loadEnv(mode: string, dir?: string): Record<string, string> {
         console.log(`✓ Loaded ${loaded.join(", ")}`);
     }
 
+    // Track declared keys so html.ts only exposes .env-declared PUBLIC_* vars
+    for (const key of Object.keys(merged)) {
+        _declaredKeys.add(key);
+    }
+
     // Apply to process.env — system env wins (don't overwrite existing)
     for (const [key, value] of Object.entries(merged)) {
         if (!(key in process.env)) {
@@ -99,6 +107,16 @@ export function loadEnv(mode: string, dir?: string): Record<string, string> {
     return result;
 }
 
+// ─── Declared Key Tracking ───────────────────────────
+// Track which keys were declared in .env files so html.ts only exposes those to the client.
+
+const _declaredKeys = new Set<string>();
+
+/** Returns the set of env var keys that were declared in .env files. */
+export function getDeclaredEnvKeys(): ReadonlySet<string> {
+    return _declaredKeys;
+}
+
 // ─── Classifier ──────────────────────────────────────────
 
 export interface ClassifiedEnv {

package/src/core/errors.ts

@@ -21,3 +21,15 @@ export function error(status: number, message: string): never {
 export function redirect(status: number, location: string): never {
     throw new Redirect(status, location);
 }
+
+// ─── Form Action Helpers ─────────────────────────────────
+// Return from form actions — not thrown, just returned.
+
+export class ActionFailure<T extends Record<string, any> = Record<string, any>> {
+    constructor(public status: number, public data: T) {}
+}
+
+/** Return a failure from a form action with a status code and data. */
+export function fail<T extends Record<string, any>>(status: number, data: T): ActionFailure<T> {
+    return new ActionFailure(status, data);
+}

package/src/core/hooks.ts

@@ -46,6 +46,7 @@ export type LoadEvent = {
     cookies: Cookies;
     fetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
     parent: () => Promise<Record<string, any>>;
+    metadata: Record<string, any> | null;
 };
 
 export type ResolveFunction = (event: RequestEvent) => MaybePromise<Response>;
@@ -55,6 +56,23 @@ export type Handle = (input: {
     resolve: ResolveFunction;
 }) => MaybePromise<Response>;
 
+// ─── Metadata Types ──────────────────────────────────────
+
+export type MetadataEvent = {
+    params: Record<string, string>;
+    url: URL;
+    locals: Record<string, any>;
+    cookies: Cookies;
+    fetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+};
+
+export type Metadata = {
+    title?: string;
+    description?: string;
+    meta?: Array<{ name?: string; property?: string; content: string }>;
+    data?: Record<string, any>;
+};
+
 type MaybePromise<T> = T | Promise<T>;
 
 // ─── Middleware Composition ────────────────────────────────

package/src/core/html.ts

@@ -1,4 +1,5 @@
 import { existsSync, readFileSync } from "fs";
+import { getDeclaredEnvKeys } from "./env.ts";
 
 // ─── Dist Manifest ───────────────────────────────────────
 // Maps hashed filenames → script/link tags.
@@ -24,25 +25,30 @@ export function safeJsonStringify(data: unknown): string {
         "\u2028": "\\u2028",
         "\u2029": "\\u2029",
     };
-    return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, c => map[c]);
+    let json: string;
+    try {
+        json = JSON.stringify(data);
+    } catch {
+        console.error("safeJsonStringify: failed to serialize data (circular reference?)");
+        json = "null";
+    }
+    return json.replace(/[<>&\u2028\u2029]/g, c => map[c]);
 }
 
 // ─── Public Env Injection ─────────────────────────────────
 
 /**
- * Collect PUBLIC_* (non-static) vars from process.env that were declared in .bunia/env.server.ts.
- * We read the generated server env module to know which keys to expose.
- * Falls back to an empty object if the module hasn't been generated yet (e.g., dev before first build).
+ * Collect PUBLIC_* (non-static) vars that were declared in .env files.
+ * Only exposes keys tracked by loadEnv() — never leaks system env vars
+ * that happen to start with PUBLIC_.
  */
 function getPublicDynamicEnv(): Record<string, string> {
-    // Read keys from .bunia/env.server.ts declarations of PUBLIC_* (non-static) vars
-    // by inspecting process.env keys that start with PUBLIC_ but not PUBLIC_STATIC_.
-    // We only expose keys that came from .env files — tracked in process.env via loadEnv.
-    // At runtime the server module exports are inlined; we collect from process.env here.
+    const declared = getDeclaredEnvKeys();
     const result: Record<string, string> = {};
-    for (const [key, value] of Object.entries(process.env)) {
-        if (key.startsWith("PUBLIC_") && !key.startsWith("PUBLIC_STATIC_") && value !== undefined) {
-            result[key] = value;
+    for (const key of declared) {
+        if (key.startsWith("PUBLIC_") && !key.startsWith("PUBLIC_STATIC_")) {
+            const value = process.env[key];
+            if (value !== undefined) result[key] = value;
         }
     }
     return result;
@@ -56,6 +62,7 @@ export function buildHtml(
     pageData: any,
     layoutData: any[],
     csr = true,
+    formData: any = null,
 ): string {
     const cacheBust = isDev ? `?v=${Date.now()}` : "";
 
@@ -70,8 +77,12 @@ export function buildHtml(
         ? `\n  <script>window.__BUNIA_ENV__=${safeJsonStringify(publicEnv)};</script>`
         : "";
 
+    const formScript = formData != null
+        ? `window.__BUNIA_FORM_DATA__=${safeJsonStringify(formData)};`
+        : "";
+
     const scripts = csr
-        ? `${envScript}\n  <script>window.__BUNIA_PAGE_DATA__=${safeJsonStringify(pageData)};window.__BUNIA_LAYOUT_DATA__=${safeJsonStringify(layoutData)};</script>\n  <script type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`
+        ? `${envScript}\n  <script>window.__BUNIA_PAGE_DATA__=${safeJsonStringify(pageData)};window.__BUNIA_LAYOUT_DATA__=${safeJsonStringify(layoutData)};${formScript}</script>\n  <script type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`
         : isDev
             ? `\n  <script>!function r(){var e=new EventSource("/__bunia/sse");e.addEventListener("reload",()=>location.reload());e.onopen=()=>r._ok||(r._ok=1);e.onerror=()=>{e.close();setTimeout(r,2000)}}()</script>`
             : "";
@@ -95,29 +106,69 @@ export function buildHtml(
 
 // ─── Streaming HTML Helpers ──────────────────────────────
 
+import type { Metadata } from "./hooks.ts";
+
 let _shell: string | null = null;
 
 export function buildHtmlShell(): string {
     if (_shell) return _shell;
+    _shell = buildHtmlShellOpen() + buildMetadataChunk(null);
+    return _shell;
+}
+
+let _shellOpen: string | null = null;
+
+/** Chunk 1: everything from <!DOCTYPE> through CSS/modulepreload links (head still open) */
+export function buildHtmlShellOpen(): string {
+    if (_shellOpen) return _shellOpen;
     const cacheBust = isDev ? `?v=${Date.now()}` : "";
     const cssLinks = (distManifest.css ?? [])
         .map((f: string) => `<link rel="stylesheet" href="/dist/client/${f}">`)
         .join("\n  ");
-    _shell = `<!DOCTYPE html>\n<html lang="en">\n<head>\n` +
+    _shellOpen = `<!DOCTYPE html>\n<html lang="en">\n<head>\n` +
         `  <meta charset="UTF-8">\n` +
         `  <meta name="viewport" content="width=device-width, initial-scale=1.0">\n` +
         `  <link rel="icon" href="data:,">\n` +
         `  ${cssLinks}\n` +
         `  <link rel="stylesheet" href="/bunia-tw.css${cacheBust}">\n` +
-        `  <link rel="modulepreload" href="/dist/client/${distManifest.entry}${cacheBust}">\n` +
-        `</head>\n<body>\n` +
-        `<div id="__bs__"><style>` +
-        `:root{--bunia-loading-color:#f73b27}` +
-        `#__bs__{position:fixed;inset:0;display:flex;align-items:center;justify-content:center}` +
-        `#__bs__ i{width:32px;height:32px;border:3px solid #e5e7eb;border-top-color:var(--bunia-loading-color);` +
-        `border-radius:50%;animation:__bs__ .8s linear infinite}` +
-        `@keyframes __bs__{to{transform:rotate(360deg)}}</style><i></i></div>`;
-    return _shell;
+        `  <link rel="modulepreload" href="/dist/client/${distManifest.entry}${cacheBust}">`;
+    return _shellOpen;
+}
+
+const SPINNER = `<div id="__bs__"><style>` +
+    `:root{--bunia-loading-color:#f73b27}` +
+    `#__bs__{position:fixed;inset:0;display:flex;align-items:center;justify-content:center}` +
+    `#__bs__ i{width:32px;height:32px;border:3px solid #e5e7eb;border-top-color:var(--bunia-loading-color);` +
+    `border-radius:50%;animation:__bs__ .8s linear infinite}` +
+    `@keyframes __bs__{to{transform:rotate(360deg)}}</style><i></i></div>`;
+
+/** Chunk 2: metadata tags + close </head> + open <body> + spinner */
+export function buildMetadataChunk(metadata: Metadata | null): string {
+    let out = "\n";
+    if (metadata) {
+        if (metadata.title) out += `  <title>${escapeHtml(metadata.title)}</title>\n`;
+        if (metadata.description) {
+            out += `  <meta name="description" content="${escapeAttr(metadata.description)}">\n`;
+        }
+        if (metadata.meta) {
+            for (const m of metadata.meta) {
+                const attrs = m.name ? `name="${escapeAttr(m.name)}"` : `property="${escapeAttr(m.property ?? "")}"`;
+                out += `  <meta ${attrs} content="${escapeAttr(m.content)}">\n`;
+            }
+        }
+    } else {
+        out += `  <title>Bunia App</title>\n`;
+    }
+    out += `</head>\n<body>\n${SPINNER}`;
+    return out;
+}
+
+function escapeHtml(s: string): string {
+    return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+
+function escapeAttr(s: string): string {
+    return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 
 export function buildHtmlTail(
@@ -126,6 +177,7 @@ export function buildHtmlTail(
     pageData: any,
     layoutData: any[],
     csr: boolean,
+    formData: any = null,
 ): string {
     const cacheBust = isDev ? `?v=${Date.now()}` : "";
     let out = `<script>document.getElementById('__bs__').remove()</script>`;
@@ -136,8 +188,9 @@ export function buildHtmlTail(
         if (Object.keys(publicEnv).length > 0) {
             out += `\n<script>window.__BUNIA_ENV__=${safeJsonStringify(publicEnv)};</script>`;
         }
+        const formInject = formData != null ? `window.__BUNIA_FORM_DATA__=${safeJsonStringify(formData)};` : "";
         out += `\n<script>window.__BUNIA_PAGE_DATA__=${safeJsonStringify(pageData)};` +
-               `window.__BUNIA_LAYOUT_DATA__=${safeJsonStringify(layoutData)};</script>`;
+               `window.__BUNIA_LAYOUT_DATA__=${safeJsonStringify(layoutData)};${formInject}</script>`;
         out += `\n<script type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`;
     } else if (isDev) {
         out += `\n<script>!function r(){var e=new EventSource("/__bunia/sse");e.addEventListener("reload",()=>location.reload());e.onopen=()=>r._ok||(r._ok=1);e.onerror=()=>{e.close();setTimeout(r,2000)}}()</script>`;

package/src/core/matcher.ts

@@ -17,6 +17,11 @@ export function matchPattern(
     pattern: string,
     pathname: string,
 ): Record<string, string> | null {
+    // Strip trailing slash (but keep "/" as-is)
+    if (pathname.length > 1 && pathname.endsWith("/")) {
+        pathname = pathname.slice(0, -1);
+    }
+
     // Exact match
     if (pattern === pathname) return {};
 
@@ -54,29 +59,19 @@ export function matchPattern(
 
 /**
  * Find the first matching route from a list.
- * Uses 3-pass priority: exact → dynamic → catch-all.
+ * Routes must be pre-sorted by priority (exact → dynamic → catch-all).
+ * Single pass — first match wins.
  */
 export function findMatch<T extends { pattern: string }>(
     routes: T[],
     pathname: string,
 ): RouteMatch<T> | null {
-    // Pass 1 — exact
-    for (const route of routes) {
-        if (route.pattern === pathname) {
-            return { route, params: {} };
-        }
-    }
-
-    // Pass 2 — dynamic segments (no catch-all)
-    for (const route of routes) {
-        if (!route.pattern.includes("[") || route.pattern.includes("[...")) continue;
-        const params = matchPattern(route.pattern, pathname);
-        if (params !== null) return { route, params };
+    // Strip trailing slash (but keep "/" as-is)
+    if (pathname.length > 1 && pathname.endsWith("/")) {
+        pathname = pathname.slice(0, -1);
     }
 
-    // Pass 3 — catch-all
     for (const route of routes) {
-        if (!route.pattern.includes("[...")) continue;
         const params = matchPattern(route.pattern, pathname);
         if (params !== null) return { route, params };
     }

package/src/core/prerender.ts

@@ -5,6 +5,8 @@ import type { RouteManifest } from "./types.ts";
 const CORE_DIR = import.meta.dir;
 const BUNIA_NODE_MODULES = join(CORE_DIR, "..", "..", "node_modules");
 
+const PRERENDER_TIMEOUT = Number(process.env.PRERENDER_TIMEOUT) || 5_000; // 5s default
+
 // ─── Prerendering ─────────────────────────────────────────
 
 async function detectPrerenderRoutes(manifest: RouteManifest): Promise<string[]> {
@@ -61,7 +63,7 @@ export async function prerenderStaticRoutes(manifest: RouteManifest): Promise<vo
 
     for (const routePath of paths) {
         try {
-            const res = await fetch(`${base}${routePath}`);
+            const res = await fetch(`${base}${routePath}`, { signal: AbortSignal.timeout(PRERENDER_TIMEOUT) });
             const html = await res.text();
             const outPath = routePath === "/"
                 ? "./dist/prerendered/index.html"
@@ -70,7 +72,11 @@ export async function prerenderStaticRoutes(manifest: RouteManifest): Promise<vo
             writeFileSync(outPath, html);
             console.log(`   ✅ ${routePath} → ${outPath}`);
         } catch (err) {
-            console.error(`   ❌ Failed to prerender ${routePath}:`, err);
+            if (err instanceof DOMException && err.name === "TimeoutError") {
+                console.error(`   ❌ Prerender timed out for ${routePath} after ${PRERENDER_TIMEOUT / 1000}s — increase PRERENDER_TIMEOUT to raise the limit`);
+            } else {
+                console.error(`   ❌ Failed to prerender ${routePath}:`, err);
+            }
         }
     }
 

package/src/core/renderer.ts

@@ -5,7 +5,36 @@ import { serverRoutes, errorPage } from "bunia:routes";
 import type { Cookies } from "./hooks.ts";
 import { HttpError, Redirect } from "./errors.ts";
 import App from "./client/App.svelte";
-import { buildHtml, buildHtmlShell, buildHtmlTail, compress, safeJsonStringify, isDev } from "./html.ts";
+import { buildHtml, buildHtmlShell, buildHtmlShellOpen, buildMetadataChunk, buildHtmlTail, compress, safeJsonStringify, isDev } from "./html.ts";
+import type { Metadata } from "./hooks.ts";
+
+// ─── Timeout Helpers ─────────────────────────────────────
+
+class LoadTimeoutError extends Error {
+    constructor(label: string, ms: number) {
+        super(`${label} timed out after ${ms}ms`);
+        this.name = "LoadTimeoutError";
+    }
+}
+
+function parseTimeout(raw: string | undefined, fallback: number): number {
+    if (!raw || raw === "Infinity") return 0;
+    const n = parseInt(raw, 10);
+    return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+
+const LOAD_TIMEOUT = parseTimeout(process.env.LOAD_TIMEOUT, 5000);
+const METADATA_TIMEOUT = parseTimeout(process.env.METADATA_TIMEOUT, 3000);
+
+function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T> {
+    if (ms <= 0) return promise;
+    return Promise.race([
+        promise,
+        new Promise<never>((_, reject) =>
+            setTimeout(() => reject(new LoadTimeoutError(label, ms)), ms)
+        ),
+    ]);
+}
 
 // ─── Session-Aware Fetch ─────────────────────────────────
 // Passed to load() functions so they can call internal APIs
@@ -37,6 +66,7 @@ export async function loadRouteData(
     locals: Record<string, any>,
     req: Request,
     cookies: Cookies,
+    metadataData: Record<string, any> | null = null,
 ) {
     const match = findMatch(serverRoutes, url.pathname);
     if (!match) return null;
@@ -55,7 +85,7 @@ export async function loadRouteData(
                     for (let d = 0; d < ls.depth; d++) Object.assign(merged, layoutData[d] ?? {});
                     return merged;
                 };
-                layoutData[ls.depth] = (await mod.load({ params, url, locals, cookies, parent, fetch })) ?? {};
+                layoutData[ls.depth] = (await withTimeout(mod.load({ params, url, locals, cookies, parent, fetch, metadata: null }), LOAD_TIMEOUT, `layout load (depth=${ls.depth}, ${url.pathname})`)) ?? {};
             }
         } catch (err) {
             if (err instanceof HttpError || err instanceof Redirect) throw err;
@@ -77,7 +107,7 @@ export async function loadRouteData(
                     for (const d of layoutData) if (d) Object.assign(merged, d);
                     return merged;
                 };
-                pageData = (await mod.load({ params, url, locals, cookies, parent, fetch })) ?? {};
+                pageData = (await withTimeout(mod.load({ params, url, locals, cookies, parent, fetch, metadata: metadataData }), LOAD_TIMEOUT, `page load (${url.pathname})`)) ?? {};
             }
         } catch (err) {
             if (err instanceof HttpError || err instanceof Redirect) throw err;
@@ -119,32 +149,81 @@ export async function renderSSR(url: URL, locals: Record<string, any>, req: Requ
     return { body, head, pageData: data.pageData, layoutData: data.layoutData, csr: data.csr };
 }
 
+// ─── Metadata Loader ─────────────────────────────────────
+
+async function loadMetadata(
+    route: any,
+    params: Record<string, string>,
+    url: URL,
+    locals: Record<string, any>,
+    cookies: Cookies,
+    req: Request,
+): Promise<Metadata | null> {
+    if (!route.pageServer) return null;
+    try {
+        const mod = await route.pageServer();
+        if (typeof mod.metadata === "function") {
+            const fetch = makeFetch(req, url);
+            return (await withTimeout(mod.metadata({ params, url, locals, cookies, fetch }), METADATA_TIMEOUT, `metadata (${url.pathname})`)) ?? null;
+        }
+    } catch (err) {
+        if (isDev) console.error("Metadata load error:", err);
+        else console.error("Metadata load error:", (err as Error).message ?? err);
+    }
+    return null;
+}
+
 // ─── Streaming SSR Renderer ──────────────────────────────
 
-export function renderSSRStream(
+export async function renderSSRStream(
     url: URL,
     locals: Record<string, any>,
     req: Request,
     cookies: Cookies,
-): Response | null {
+): Promise<Response | null> {
     const match = findMatch(serverRoutes, url.pathname);
     if (!match) return null;
 
-    const { route } = match;
-    const enc = new TextEncoder();
+    const { route, params } = match;
+
+    // ── Pre-stream phase: resolve metadata before committing to a 200 ──
+    // Errors here return a proper error response with correct status code.
+    let metadata: Metadata | null = null;
+    try {
+        metadata = await loadMetadata(route, params, url, locals, cookies, req);
+    } catch (err) {
+        if (err instanceof Redirect) {
+            return Response.redirect(err.location, err.status);
+        }
+        if (err instanceof HttpError) {
+            return renderErrorPage(err.status, err.message, url, req);
+        }
+        if (isDev) console.error("Metadata load error:", err);
+        else console.error("Metadata load error:", (err as Error).message ?? err);
+        // Continue with null metadata — don't break the page for a metadata failure
+    }
 
     // Kick off imports immediately (parallel with data loading)
     const pageModPromise = route.pageModule();
     const layoutModsPromise = Promise.all(route.layoutModules.map((l: () => Promise<any>) => l()));
 
+    const enc = new TextEncoder();
+
     const stream = new ReadableStream<Uint8Array>({
         async start(controller) {
-            // Chunk 1: shell (cached at startup)
-            controller.enqueue(enc.encode(buildHtmlShell()));
+            // Chunk 1: head opening (CSS, modulepreload — cached)
+            controller.enqueue(enc.encode(buildHtmlShellOpen()));
+
+            // Chunk 2: metadata tags, close </head>, open <body> + spinner
+            controller.enqueue(enc.encode(buildMetadataChunk(metadata)));
 
             try {
+                // Pass metadata.data to load() so it can reuse fetched data
+                const metadataData = metadata?.data ?? null;
+
+                // Wait for data + component imports
                 const [data, pageMod, layoutMods] = await Promise.all([
-                    loadRouteData(url, locals, req, cookies),
+                    loadRouteData(url, locals, req, cookies, metadataData),
                     pageModPromise,
                     layoutModsPromise,
                 ]);
@@ -165,10 +244,11 @@ export function renderSSRStream(
                     },
                 });
 
-                // Chunk 2: content
+                // Chunk 3: rendered content
                 controller.enqueue(enc.encode(buildHtmlTail(body, head, data.pageData, data.layoutData, data.csr)));
                 controller.close();
             } catch (err) {
+                // Head is closed and body is open at this point — HTML structure is valid
                 if (err instanceof Redirect) {
                     controller.enqueue(enc.encode(
                         `<script>location.replace(${safeJsonStringify(err.location)})</script></body></html>`
@@ -178,7 +258,7 @@ export function renderSSRStream(
                 }
                 if (err instanceof HttpError) {
                     controller.enqueue(enc.encode(
-                        `<script>location.replace("/__bunia/error?status=${err.status}&message=${encodeURIComponent(err.message)}")</script></body></html>`
+                        `<script>location.replace("/__bunia/error?status=${err.status}&message="+encodeURIComponent(${safeJsonStringify(err.message)}))</script></body></html>`
                     ));
                     controller.close();
                     return;
@@ -196,6 +276,47 @@ export function renderSSRStream(
     });
 }
 
+// ─── Form Action Page Renderer ───────────────────────────
+// Re-runs load functions after a form action, renders with form data.
+// Uses non-streaming buildHtml so we can control the status code.
+
+export async function renderPageWithFormData(
+    url: URL,
+    locals: Record<string, any>,
+    req: Request,
+    cookies: Cookies,
+    formData: any,
+    status: number,
+): Promise<Response> {
+    const match = findMatch(serverRoutes, url.pathname);
+    if (!match) return renderErrorPage(404, "Not Found", url, req);
+
+    const { route } = match;
+
+    // Load components + data in parallel
+    const [data, pageMod, layoutMods] = await Promise.all([
+        loadRouteData(url, locals, req, cookies),
+        route.pageModule(),
+        Promise.all(route.layoutModules.map((l: () => Promise<any>) => l())),
+    ]);
+
+    if (!data) return renderErrorPage(404, "Not Found", url, req);
+
+    const { body, head } = render(App, {
+        props: {
+            ssrMode: true,
+            ssrPageComponent: pageMod.default,
+            ssrLayoutComponents: layoutMods.map((m: any) => m.default),
+            ssrPageData: data.pageData,
+            ssrLayoutData: data.layoutData,
+            ssrFormData: formData,
+        },
+    });
+
+    const html = buildHtml(body, head, data.pageData, data.layoutData, data.csr, formData);
+    return compress(html, "text/html; charset=utf-8", req, status);
+}
+
 // ─── Error Page Renderer ──────────────────────────────────
 
 export async function renderErrorPage(status: number, message: string, url: URL, req: Request): Promise<Response> {

package/src/core/routeFile.ts

@@ -7,11 +7,33 @@ import type { RouteManifest } from "./types.ts";
 //   serverRoutes  — used by SSR renderer (+ pageServer + layoutServers)
 //   apiRoutes     — used by API handler
 
+function routePriority(pattern: string): number {
+    if (!pattern.includes("[")) return 0;       // exact
+    if (!pattern.includes("[...")) return 1;    // dynamic
+    return 2;                                   // catch-all
+}
+
+function sortRoutes<T extends { pattern: string }>(routes: T[]): T[] {
+    return [...routes].sort((a, b) => {
+        const pa = routePriority(a.pattern);
+        const pb = routePriority(b.pattern);
+        if (pa !== pb) return pa - pb;
+        // same tier: more segments first, then alphabetical
+        const sa = a.pattern.split("/").length;
+        const sb = b.pattern.split("/").length;
+        if (sa !== sb) return sb - sa;
+        return a.pattern.localeCompare(b.pattern);
+    });
+}
+
 export function generateRoutesFile(manifest: RouteManifest): void {
     const lines: string[] = [
         "// AUTO-GENERATED by bunia build — do not edit\n",
     ];
 
+    const pages = sortRoutes(manifest.pages);
+    const apis = sortRoutes(manifest.apis);
+
     // clientRoutes
     lines.push("export const clientRoutes: Array<{");
     lines.push("  pattern: string;");
@@ -19,7 +41,7 @@ export function generateRoutesFile(manifest: RouteManifest): void {
     lines.push("  layouts: (() => Promise<any>)[];");
     lines.push("  hasServerData: boolean;");
     lines.push("}> = [");
-    for (const r of manifest.pages) {
+    for (const r of pages) {
         const layoutImports = r.layouts
             .map(l => `() => import(${JSON.stringify(toImportPath(l))})`)
             .join(", ");
@@ -41,7 +63,7 @@ export function generateRoutesFile(manifest: RouteManifest): void {
     lines.push("  pageServer: (() => Promise<any>) | null;");
     lines.push("  layoutServers: { loader: () => Promise<any>; depth: number }[];");
     lines.push("}> = [");
-    for (const r of manifest.pages) {
+    for (const r of pages) {
         const layoutImports = r.layouts
             .map(l => `() => import(${JSON.stringify(toImportPath(l))})`)
             .join(", ");
@@ -63,7 +85,7 @@ export function generateRoutesFile(manifest: RouteManifest): void {
     lines.push("  pattern: string;");
     lines.push("  module: () => Promise<any>;");
     lines.push("}> = [");
-    for (const r of manifest.apis) {
+    for (const r of apis) {
         lines.push("  {");
         lines.push(`    pattern: ${JSON.stringify(r.pattern)},`);
         lines.push(`    module: () => import(${JSON.stringify(toImportPath(r.server))}),`);

package/src/core/routeTypes.ts

@@ -51,6 +51,17 @@ export function generateRouteTypes(manifest: RouteManifest): void {
         }
         lines.push(`export type PageProps = { data: PageData };`);
 
+        // ActionData — union of all action return types, unwrapping ActionFailure
+        if (info.pageServer) {
+            lines.push(``);
+            lines.push(`import type { actions as _actions } from '${srcBase}+page.server.ts';`);
+            lines.push(`type _ActionReturn<T> = T extends (...args: any[]) => infer R ? Awaited<R> : never;`);
+            lines.push(`type _UnwrapFailure<T> = T extends { status: number; data: infer D } ? D : T;`);
+            lines.push(`export type ActionData = _actions extends Record<string, (...args: any[]) => any>`);
+            lines.push(`  ? _UnwrapFailure<_ActionReturn<_actions[keyof _actions]>> | null`);
+            lines.push(`  : null;`);
+        }
+
         if (info.layoutServer) {
             lines.push(`\nimport type { load as _layoutLoad } from '${srcBase}+layout.server.ts';`);
             lines.push(`export type LayoutData = Awaited<ReturnType<typeof _layoutLoad>> & { params: Record<string, string> };`);

package/src/core/server.ts

@@ -1,19 +1,19 @@
 import { Elysia } from "elysia";
 import { staticPlugin } from "@elysiajs/static";
 import { existsSync } from "fs";
-import { join } from "path";
+import { join, resolve as resolvePath } from "path";
 
 import { findMatch } from "./matcher.ts";
-import { apiRoutes } from "bunia:routes";
+import { apiRoutes, serverRoutes } from "bunia:routes";
 import type { Handle, RequestEvent } from "./hooks.ts";
-import { HttpError, Redirect } from "./errors.ts";
+import { HttpError, Redirect, ActionFailure } from "./errors.ts";
 import { CookieJar } from "./cookies.ts";
 import { checkCsrf } from "./csrf.ts";
 import type { CsrfConfig } from "./csrf.ts";
 import { getCorsHeaders, handlePreflight } from "./cors.ts";
 import type { CorsConfig } from "./cors.ts";
 import { isDev, compress, isStaticPath } from "./html.ts";
-import { loadRouteData, renderSSRStream, renderErrorPage } from "./renderer.ts";
+import { loadRouteData, renderSSRStream, renderErrorPage, renderPageWithFormData } from "./renderer.ts";
 import { getServerTime } from "../lib/utils.ts";
 
 // ─── User Hooks ──────────────────────────────────────────
@@ -94,6 +94,21 @@ function isValidRoutePath(path: string, origin: string): boolean {
     }
 }
 
+/** Resolve a file path and verify it stays within the allowed base directory. Returns null if traversal detected. */
+function safePath(base: string, untrusted: string): string | null {
+    const root = resolvePath(base);
+    const full = resolvePath(join(base, untrusted));
+    return full.startsWith(root + "/") || full === root ? full : null;
+}
+
+/** Extract action name from URL searchParams — `?/login` → "login", no slash key → "default". */
+function parseActionName(url: URL): string {
+    for (const key of url.searchParams.keys()) {
+        if (key.startsWith("/")) return key.slice(1) || "default";
+    }
+    return "default";
+}
+
 async function resolve(event: RequestEvent): Promise<Response> {
     const { request, url, locals, cookies } = event;
     const path = url.pathname;
@@ -135,35 +150,48 @@ async function resolve(event: RequestEvent): Promise<Response> {
     if (isStaticPath(path)) {
         // dist/client: serve with cache headers based on whether filename is hashed
         if (path.startsWith("/dist/client/")) {
-            const file = Bun.file(`.${path.split("?")[0]}`);
-            if (await file.exists()) {
-                const filename = path.split("/").pop() ?? "";
-                const isHashed = /\-[a-z0-9]{8,}\.[a-z]+$/.test(filename);
-                const cacheControl = !isDev && isHashed
-                    ? "public, max-age=31536000, immutable"
-                    : "no-cache";
-                return new Response(file, { headers: { "Cache-Control": cacheControl } });
+            const resolved = safePath("./dist/client", path.split("?")[0].slice("/dist/client".length));
+            if (resolved) {
+                const file = Bun.file(resolved);
+                if (await file.exists()) {
+                    const filename = path.split("/").pop() ?? "";
+                    const isHashed = /\-[a-z0-9]{8,}\.[a-z]+$/.test(filename);
+                    const cacheControl = !isDev && isHashed
+                        ? "public, max-age=31536000, immutable"
+                        : "no-cache";
+                    return new Response(file, { headers: { "Cache-Control": cacheControl } });
+                }
             }
             return new Response("Not Found", { status: 404 });
         }
-        const pub = Bun.file(`./public${path}`);
-        if (await pub.exists()) return new Response(pub);
-        const dist = Bun.file(`.${path}`);
-        if (await dist.exists()) return new Response(dist);
+        const pubPath = safePath("./public", path);
+        if (pubPath) {
+            const pub = Bun.file(pubPath);
+            if (await pub.exists()) return new Response(pub);
+        }
+        const distPath = safePath("./dist", path);
+        if (distPath) {
+            const dist = Bun.file(distPath);
+            if (await dist.exists()) return new Response(dist);
+        }
         return new Response("Not Found", { status: 404 });
     }
 
     // Prerendered pages — serve static HTML built at build time
-    const prerenderFile = Bun.file(
-        path === "/" ? "./dist/prerendered/index.html" : `./dist/prerendered${path}/index.html`
+    const prerenderPath = safePath(
+        "./dist/prerendered",
+        path === "/" ? "index.html" : `${path}/index.html`,
     );
-    if (await prerenderFile.exists()) {
-        return new Response(prerenderFile, {
-            headers: {
-                "Content-Type": "text/html; charset=utf-8",
-                "Cache-Control": "public, max-age=3600",
-            },
-        });
+    if (prerenderPath) {
+        const prerenderFile = Bun.file(prerenderPath);
+        if (await prerenderFile.exists()) {
+            return new Response(prerenderFile, {
+                headers: {
+                    "Content-Type": "text/html; charset=utf-8",
+                    "Cache-Control": "public, max-age=3600",
+                },
+            });
+        }
     }
 
     // API routes (+server.ts)
@@ -190,8 +218,71 @@ async function resolve(event: RequestEvent): Promise<Response> {
         }
     }
 
+    // Form actions — POST to page routes with `actions` export
+    if (method === "POST") {
+        const pageMatch = findMatch(serverRoutes, path);
+        if (pageMatch?.route.pageServer) {
+            try {
+                const mod = await pageMatch.route.pageServer();
+                if (mod.actions && typeof mod.actions === "object") {
+                    const actionName = parseActionName(url);
+                    const action = mod.actions[actionName];
+                    if (!action) {
+                        return renderErrorPage(404, `Action "${actionName}" not found`, url, request);
+                    }
+
+                    event.params = pageMatch.params;
+                    let result: any;
+                    try {
+                        result = await action(event);
+                    } catch (err) {
+                        if (err instanceof Redirect) {
+                            return new Response(null, {
+                                status: 303,
+                                headers: { Location: err.location },
+                            });
+                        }
+                        if (err instanceof HttpError) {
+                            return renderErrorPage(err.status, err.message, url, request);
+                        }
+                        throw err;
+                    }
+
+                    // Redirect returned (not thrown)
+                    if (result instanceof Redirect) {
+                        return new Response(null, {
+                            status: 303,
+                            headers: { Location: result.location },
+                        });
+                    }
+
+                    // ActionFailure — re-render with failure status
+                    if (result instanceof ActionFailure) {
+                        return renderPageWithFormData(url, locals, request, cookies, result.data, result.status);
+                    }
+
+                    // Success — re-render page with action return data
+                    return renderPageWithFormData(url, locals, request, cookies, result ?? null, 200);
+                }
+            } catch (err) {
+                if (err instanceof Redirect) {
+                    return new Response(null, {
+                        status: 303,
+                        headers: { Location: err.location },
+                    });
+                }
+                if (err instanceof HttpError) {
+                    return renderErrorPage(err.status, err.message, url, request);
+                }
+                if (isDev) console.error("Form action error:", err);
+                else console.error("Form action error:", (err as Error).message ?? err);
+                return Response.json({ error: "Internal Server Error" }, { status: 500 });
+            }
+        }
+    }
+
     // SSR pages (+page.svelte) — streaming by default
-    const streamResponse = renderSSRStream(url, locals, request, cookies);
+    const streamResponse = await renderSSRStream(url, locals, request, cookies);
     if (!streamResponse) return renderErrorPage(404, "Not Found", url, request);
     return streamResponse;
 }
@@ -293,7 +384,10 @@ const app = new Elysia({ serve: { maxRequestBodySize: BODY_SIZE_LIMIT } })
         return handleRequest(request, url);
     })
     // Non-GET catch-alls so onBeforeHandle fires for API routes on other methods
-    .post("*", () => new Response("Not Found", { status: 404 }))
+    .post("*", ({ request }) => {
+        const url = new URL(request.url);
+        return handleRequest(request, url);
+    })
     .put("*", () => new Response("Not Found", { status: 404 }))
     .patch("*", () => new Response("Not Found", { status: 404 }))
     .delete("*", () => new Response("Not Found", { status: 404 }))

package/src/lib/index.ts

@@ -5,11 +5,13 @@
 
 export { cn, getServerTime } from "./utils.ts";
 export { sequence } from "../core/hooks.ts";
-export { error, redirect } from "../core/errors.ts";
-export type { HttpError, Redirect } from "../core/errors.ts";
+export { error, redirect, fail } from "../core/errors.ts";
+export type { HttpError, Redirect, ActionFailure } from "../core/errors.ts";
 export type {
     RequestEvent,
     LoadEvent,
+    MetadataEvent,
+    Metadata,
     Handle,
     ResolveFunction,
     Cookies,

package/templates/default/.env.example

@@ -14,16 +14,57 @@
 # Import in your code:
 #   import { PUBLIC_STATIC_APP_NAME, DB_PASSWORD } from 'bunia:env';
 #
-# Framework vars (PORT, NODE_ENV, BODY_SIZE_LIMIT, CSRF_ALLOWED_ORIGINS) are
-# NOT exposed via bunia:env — access them via process.env directly.
+# Framework vars (PORT, NODE_ENV, BODY_SIZE_LIMIT, CSRF_ALLOWED_ORIGINS,
+# CORS_*, LOAD_TIMEOUT, METADATA_TIMEOUT, PRERENDER_TIMEOUT) are NOT exposed via bunia:env —
+# access them via process.env directly.
 # ────────────────────────────────────────────────────────────────────────────────
 
 # Public build-time constant (safe to expose to client)
 PUBLIC_STATIC_APP_NAME=My Bunia App
 
-# Framework vars — access via process.env directly (not via bunia:env)
+# ─── Framework vars — access via process.env (not via bunia:env) ─────────────
+
+# Server port. Defaults to 9000 in production, 9001 in dev (proxied via :9000).
 # PORT=9000
 
+# Maximum request body size. Supports K/M/G suffixes or "Infinity". Defaults to 512K.
+# BODY_SIZE_LIMIT=512K
+
+# Timeout for load() functions (layout + page) in milliseconds. Defaults to 5000 (5s).
+# Set to 0 or Infinity to disable.
+# LOAD_TIMEOUT=5000
+
+# Timeout for metadata() functions in milliseconds. Defaults to 3000 (3s).
+# Set to 0 or Infinity to disable.
+# METADATA_TIMEOUT=3000
+
+# Timeout for prerender fetches during build in milliseconds. Defaults to 5000 (5s).
+# Set to 0 or Infinity to disable.
+# PRERENDER_TIMEOUT=5000
+
+# Comma-separated list of allowed origins for CSRF validation.
+# Leave unset to allow same-origin requests only.
+# CSRF_ALLOWED_ORIGINS=
+
+# Comma-separated list of origins allowed to make cross-origin requests.
+# Leave unset to disable CORS.
+# CORS_ALLOWED_ORIGINS=
+
+# Comma-separated HTTP methods to allow in CORS requests. Default: GET, HEAD, PUT, PATCH, POST, DELETE
+# CORS_ALLOWED_METHODS=GET, POST
+
+# Comma-separated request headers to allow in CORS requests. Default: Content-Type, Authorization
+# CORS_ALLOWED_HEADERS=Content-Type, Authorization
+
+# Comma-separated response headers to expose to the browser. Default: none
+# CORS_EXPOSED_HEADERS=
+
+# Allow cookies and auth credentials in cross-origin requests. Default: false
+# CORS_CREDENTIALS=true
+
+# Preflight response cache duration in seconds. Default: 86400 (24 hours)
+# CORS_MAX_AGE=86400
+
 # Public runtime var (safe to expose to client, can change without rebuild)
 # PUBLIC_API_URL=https://api.example.com