bosia 0.1.4 → 0.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bosia",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "type": "module",
   "description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
   "keywords": [

package/src/core/client/App.svelte

@@ -86,6 +86,9 @@
       layoutData = result?.layoutData ?? [];
       routeParams = result?.pageData?.params ?? match.params;
 
+      // Scroll to top on forward navigation (not on popstate/back-forward)
+      if (router.isPush) window.scrollTo(0, 0);
+
       // Update document title and meta description from server metadata
       if (result?.metadata) {
         if (result.metadata.title) document.title = result.metadata.title;

package/src/core/client/router.svelte.ts

@@ -8,6 +8,8 @@ import { clientRoutes } from "bosia:routes";
 export const router = new class Router {
     currentRoute = $state(typeof window !== "undefined" ? window.location.pathname + window.location.search + window.location.hash : "/");
     params = $state<Record<string, string>>({});
+    /** True when navigation was triggered by a link click / navigate() call, false on popstate (back/forward). */
+    isPush = $state(true);
 
     navigate(path: string) {
         if (this.currentRoute === path) return;
@@ -17,6 +19,7 @@ export const router = new class Router {
             window.location.href = path;
             return;
         }
+        this.isPush = true;
         this.currentRoute = path;
         if (typeof history !== "undefined") {
             history.pushState({}, "", path);
@@ -41,6 +44,7 @@ export const router = new class Router {
 
         // Browser back/forward
         window.addEventListener("popstate", () => {
+            this.isPush = false;
             this.currentRoute = window.location.pathname + window.location.search + window.location.hash;
         });
     }

package/src/core/cookies.ts

@@ -1,10 +1,16 @@
 import type { Cookies, CookieOptions } from "./hooks.ts";
 
-// ─── Cookie Validation ───────────────────────────────────
+// ─── Cookie Validation (RFC 6265) ────────────────────────
 /** Rejects characters that could inject into Set-Cookie headers. */
 const UNSAFE_COOKIE_VALUE = /[;\r\n]/;
 const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);
 
+/**
+ * RFC 6265 §4.1.1: cookie-name is an HTTP token (RFC 2616 §2.2).
+ * Must be 1+ chars of ASCII 33-126, excluding separators: ( ) < > @ , ; : \ " / [ ] ? = { }
+ */
+const VALID_COOKIE_NAME = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;
+
 // ─── Cookie Helpers ──────────────────────────────────────
 
 function parseCookies(header: string): Record<string, string> {
@@ -39,7 +45,8 @@ export class CookieJar implements Cookies {
     }
 
     set(name: string, value: string, options?: CookieOptions): void {
-        let header = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
+        if (!VALID_COOKIE_NAME.test(name)) throw new Error(`Invalid cookie name: ${name}`);
+        let header = `${name}=${encodeURIComponent(value)}`;
         const path = options?.path ?? "/";
         if (UNSAFE_COOKIE_VALUE.test(path)) throw new Error(`Invalid cookie path: ${path}`);
         header += `; Path=${path}`;

package/src/core/dev.ts

@@ -108,17 +108,32 @@ async function startAppServer() {
 // ─── Build & Restart ──────────────────────────────────────
 
 let buildTimer: ReturnType<typeof setTimeout> | null = null;
+let building = false;
+let buildPending = false;
 
 async function buildAndRestart() {
-    const ok = await runBuild();
-    if (!ok) {
-        console.error("❌ Build failed — fix errors and save again");
+    if (building) {
+        buildPending = true;
         return;
     }
-    await startAppServer();
-    // Give the app server a moment to bind its port
-    await Bun.sleep(200);
-    broadcastReload();
+    building = true;
+    try {
+        const ok = await runBuild();
+        if (!ok) {
+            console.error("❌ Build failed — fix errors and save again");
+            return;
+        }
+        await startAppServer();
+        // Give the app server a moment to bind its port
+        await Bun.sleep(200);
+        broadcastReload();
+    } finally {
+        building = false;
+    }
+    if (buildPending) {
+        buildPending = false;
+        buildAndRestart();
+    }
 }
 
 function scheduleBuild() {

package/src/core/env.ts

@@ -21,24 +21,54 @@ const FRAMEWORK_VARS = new Set([
 
 // ─── .env File Parser ────────────────────────────────────
 
+/** Valid JS/TS identifier: starts with letter/underscore, then alphanumeric/underscore. */
+const VALID_ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+/** Process escape sequences in double-quoted values. */
+function processEscapes(raw: string): string {
+    return raw.replace(/\\(.)/g, (_, ch) => {
+        switch (ch) {
+            case "n": return "\n";
+            case "r": return "\r";
+            case "t": return "\t";
+            case "\\": return "\\";
+            case '"': return '"';
+            default: return `\\${ch}`; // preserve unknown escapes
+        }
+    });
+}
+
 /** Parse a .env file content into key/value pairs. Skips comments and empty lines. */
-function parseEnvFile(content: string): Record<string, string> {
+function parseEnvFile(content: string, filename?: string): Record<string, string> {
     const result: Record<string, string> = {};
-    for (const line of content.split("\n")) {
-        const trimmed = line.trim();
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const trimmed = lines[i].trim();
         if (!trimmed || trimmed.startsWith("#")) continue;
         const eqIdx = trimmed.indexOf("=");
         if (eqIdx === -1) continue;
         const key = trimmed.slice(0, eqIdx).trim();
+        if (!key) continue;
+
+        // Validate key is a valid identifier (required for codegen)
+        if (!VALID_ENV_NAME.test(key)) {
+            const loc = filename ? ` in ${filename}` : "";
+            throw new Error(
+                `Invalid env variable name "${key}"${loc} (line ${i + 1}). ` +
+                `Names must start with a letter or underscore and contain only [A-Za-z0-9_].`
+            );
+        }
+
         let value = trimmed.slice(eqIdx + 1).trim();
-        // Strip surrounding quotes (single or double)
-        if (
-            (value.startsWith('"') && value.endsWith('"')) ||
-            (value.startsWith("'") && value.endsWith("'"))
-        ) {
+        // Double-quoted: process escape sequences
+        if (value.startsWith('"') && value.endsWith('"')) {
+            value = processEscapes(value.slice(1, -1));
+        }
+        // Single-quoted: literal (no escape processing)
+        else if (value.startsWith("'") && value.endsWith("'")) {
             value = value.slice(1, -1);
         }
-        if (key) result[key] = value;
+        result[key] = value;
     }
     return result;
 }
@@ -75,7 +105,7 @@ export function loadEnv(mode: string, dir?: string): Record<string, string> {
         const filepath = join(root, filename);
         if (!existsSync(filepath)) continue;
         const content = readFileSync(filepath, "utf-8");
-        const parsed = parseEnvFile(content);
+        const parsed = parseEnvFile(content, filename);
         merged = { ...merged, ...parsed };
         loaded.push(filename);
     }

package/src/core/html.ts

@@ -173,7 +173,7 @@ export function buildHtmlTail(
 ): string {
     let out = `<script>document.getElementById('__bs__').remove()</script>`;
     out += `\n<div id="app">${body}</div>`;
-    if (head) out += `\n<script>document.head.innerHTML+=${safeJsonStringify(head)}</script>`;
+    if (head) out += `\n<script>document.head.insertAdjacentHTML('beforeend',${safeJsonStringify(head)})</script>`;
     if (csr) {
         const publicEnv = getPublicDynamicEnv();
         if (Object.keys(publicEnv).length > 0) {

package/src/core/server.ts

@@ -108,6 +108,9 @@ async function resolve(event: RequestEvent): Promise<Response> {
 
     // Health check endpoint — for load balancers and orchestrators
     if (path === "/_health") {
+        if (shuttingDown) {
+            return Response.json({ status: "shutting_down" }, { status: 503 });
+        }
         const { timestamp, timezone } = getServerTime();
         return Response.json({ status: "ok", timestamp, timezone });
     }
@@ -303,6 +306,15 @@ const SECURITY_HEADERS: Record<string, string> = {
 };
 
 async function handleRequest(request: Request, url: URL): Promise<Response> {
+    // Reject new non-health requests during shutdown
+    if (shuttingDown && url.pathname !== "/_health") {
+        return new Response("Service Unavailable", {
+            status: 503,
+            headers: { "Retry-After": "5" },
+        });
+    }
+
+    inFlight++;
     try {
         // Handle CORS preflight before CSRF check (OPTIONS is CSRF-exempt)
         if (CORS_CONFIG && request.method === "OPTIONS") {
@@ -338,6 +350,11 @@ async function handleRequest(request: Request, url: URL): Promise<Response> {
         if (isDev) console.error("Unhandled request error:", err);
         else console.error("Unhandled request error:", (err as Error).message ?? err);
         return Response.json({ error: "Internal Server Error" }, { status: 500 });
+    } finally {
+        inFlight--;
+        if (shuttingDown && inFlight === 0 && drainResolve) {
+            drainResolve();
+        }
     }
 }
 
@@ -367,6 +384,12 @@ if (BODY_SIZE_LIMIT === 0) {
     console.log(`📦 Body size limit: ${BODY_SIZE_LIMIT} bytes`);
 }
 
+// ─── Graceful Shutdown State ──────────────────────────────
+
+let shuttingDown = false;
+let inFlight = 0;
+let drainResolve: (() => void) | null = null;
+
 // ─── Elysia App ───────────────────────────────────────────
 
 const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : (isDev ? 9001 : 9000);
@@ -416,11 +439,26 @@ app.listen(PORT, () => {
     if (!isDev) console.log(`⬡ Bosia server running at http://localhost:${PORT}`);
 });
 
-function shutdown() {
-    console.log("Shutting down...");
+async function shutdown() {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    console.log("⏳ Shutting down — draining in-flight requests...");
+
+    if (inFlight > 0) {
+        await Promise.race([
+            new Promise<void>(r => { drainResolve = r; }),
+            Bun.sleep(10_000),
+        ]);
+    }
+
+    if (inFlight > 0) {
+        console.warn(`⚠️  Force shutdown with ${inFlight} request(s) still in flight`);
+    } else {
+        console.log("✅ All requests drained");
+    }
+
     app.stop().then(() => process.exit(0));
-    // Force exit if stop hangs
-    setTimeout(() => process.exit(1), 10_000);
+    setTimeout(() => process.exit(1), 5_000);
 }
 
 process.on("SIGTERM", shutdown);