bosia 0.2.3 → 0.3.0

package/src/core/env.ts

@@ -4,20 +4,20 @@ import { join } from "path";
 // ─── Framework-reserved vars ─────────────────────────────
 // These are controlled by Bosia itself — users access them via process.env directly.
 const FRAMEWORK_VARS = new Set([
-    "PORT",
-    "NODE_ENV",
-    "BODY_SIZE_LIMIT",
-    "CSRF_ALLOWED_ORIGINS",
-    "INTERNAL_HOSTS",
-    "CORS_ALLOWED_ORIGINS",
-    "CORS_ALLOWED_METHODS",
-    "CORS_ALLOWED_HEADERS",
-    "CORS_EXPOSED_HEADERS",
-    "CORS_CREDENTIALS",
-    "CORS_MAX_AGE",
-    "LOAD_TIMEOUT",
-    "METADATA_TIMEOUT",
-    "PRERENDER_TIMEOUT",
+	"PORT",
+	"NODE_ENV",
+	"BODY_SIZE_LIMIT",
+	"CSRF_ALLOWED_ORIGINS",
+	"INTERNAL_HOSTS",
+	"CORS_ALLOWED_ORIGINS",
+	"CORS_ALLOWED_METHODS",
+	"CORS_ALLOWED_HEADERS",
+	"CORS_EXPOSED_HEADERS",
+	"CORS_CREDENTIALS",
+	"CORS_MAX_AGE",
+	"LOAD_TIMEOUT",
+	"METADATA_TIMEOUT",
+	"PRERENDER_TIMEOUT",
 ]);
 
 // ─── .env File Parser ────────────────────────────────────
@@ -27,71 +27,83 @@ const VALID_ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
 
 /** Process escape sequences in double-quoted values. */
 function processEscapes(raw: string): string {
-    return raw.replace(/\\(.)/g, (_, ch) => {
-        switch (ch) {
-            case "n": return "\n";
-            case "r": return "\r";
-            case "t": return "\t";
-            case "\\": return "\\";
-            case '"': return '"';
-            default: return `\\${ch}`; // preserve unknown escapes
-        }
-    });
+	return raw.replace(/\\(.)/g, (_, ch) => {
+		switch (ch) {
+			case "n":
+				return "\n";
+			case "r":
+				return "\r";
+			case "t":
+				return "\t";
+			case "\\":
+				return "\\";
+			case '"':
+				return '"';
+			default:
+				return `\\${ch}`; // preserve unknown escapes
+		}
+	});
 }
 
 /** Parse a .env file content into key/value pairs. Skips comments and empty lines. */
-function parseEnvFile(content: string, filename?: string): Record<string, string> {
-    const result: Record<string, string> = {};
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-        const trimmed = lines[i].trim();
-        if (!trimmed || trimmed.startsWith("#")) continue;
-        const eqIdx = trimmed.indexOf("=");
-        if (eqIdx === -1) continue;
-        const key = trimmed.slice(0, eqIdx).trim();
-        if (!key) continue;
-
-        // Validate key is a valid identifier (required for codegen)
-        if (!VALID_ENV_NAME.test(key)) {
-            const loc = filename ? ` in ${filename}` : "";
-            throw new Error(
-                `Invalid env variable name "${key}"${loc} (line ${i + 1}). ` +
-                `Names must start with a letter or underscore and contain only [A-Za-z0-9_].`
-            );
-        }
-
-        let value = trimmed.slice(eqIdx + 1).trim();
-        // Strip inline comments before quote-unescaping.
-        // Quoted: find the real closing quote, verify trailing chars are whitespace+comment, truncate.
-        // Unquoted: strip \s+#... (no space before # keeps foo#bar intact).
-        if (value.startsWith('"')) {
-            let end = -1;
-            for (let j = 1; j < value.length; j++) {
-                if (value[j] === "\\") { j++; continue; } // skip escaped char
-                if (value[j] === '"') { end = j; break; }
-            }
-            if (end !== -1 && /^\s*(#.*)?$/.test(value.slice(end + 1))) {
-                value = value.slice(0, end + 1);
-            }
-        } else if (value.startsWith("'")) {
-            const end = value.indexOf("'", 1);
-            if (end !== -1 && /^\s*(#.*)?$/.test(value.slice(end + 1))) {
-                value = value.slice(0, end + 1);
-            }
-        } else {
-            value = value.startsWith("#") ? "" : value.replace(/\s+#.*$/, "");
-        }
-        // Double-quoted: process escape sequences
-        if (value.startsWith('"') && value.endsWith('"')) {
-            value = processEscapes(value.slice(1, -1));
-        }
-        // Single-quoted: literal (no escape processing)
-        else if (value.startsWith("'") && value.endsWith("'")) {
-            value = value.slice(1, -1);
-        }
-        result[key] = value;
-    }
-    return result;
+export function parseEnvFile(content: string, filename?: string): Record<string, string> {
+	const result: Record<string, string> = {};
+	const lines = content.split("\n");
+	for (let i = 0; i < lines.length; i++) {
+		const trimmed = lines[i].trim();
+		if (!trimmed || trimmed.startsWith("#")) continue;
+		const eqIdx = trimmed.indexOf("=");
+		if (eqIdx === -1) continue;
+		const key = trimmed.slice(0, eqIdx).trim();
+		if (!key) continue;
+
+		// Validate key is a valid identifier (required for codegen)
+		if (!VALID_ENV_NAME.test(key)) {
+			const loc = filename ? ` in ${filename}` : "";
+			throw new Error(
+				`Invalid env variable name "${key}"${loc} (line ${i + 1}). ` +
+					`Names must start with a letter or underscore and contain only [A-Za-z0-9_].`,
+			);
+		}
+
+		let value = trimmed.slice(eqIdx + 1).trim();
+		// Strip inline comments before quote-unescaping.
+		// Quoted: find the real closing quote, verify trailing chars are whitespace+comment, truncate.
+		// Unquoted: strip \s+#... (no space before # keeps foo#bar intact).
+		if (value.startsWith('"')) {
+			let end = -1;
+			for (let j = 1; j < value.length; j++) {
+				if (value[j] === "\\") {
+					j++;
+					continue;
+				} // skip escaped char
+				if (value[j] === '"') {
+					end = j;
+					break;
+				}
+			}
+			if (end !== -1 && /^\s*(#.*)?$/.test(value.slice(end + 1))) {
+				value = value.slice(0, end + 1);
+			}
+		} else if (value.startsWith("'")) {
+			const end = value.indexOf("'", 1);
+			if (end !== -1 && /^\s*(#.*)?$/.test(value.slice(end + 1))) {
+				value = value.slice(0, end + 1);
+			}
+		} else {
+			value = value.startsWith("#") ? "" : value.replace(/\s+#.*$/, "");
+		}
+		// Double-quoted: process escape sequences
+		if (value.startsWith('"') && value.endsWith('"')) {
+			value = processEscapes(value.slice(1, -1));
+		}
+		// Single-quoted: literal (no escape processing)
+		else if (value.startsWith("'") && value.endsWith("'")) {
+			value = value.slice(1, -1);
+		}
+		result[key] = value;
+	}
+	return result;
 }
 
 // ─── Env Loader ──────────────────────────────────────────
@@ -111,51 +123,46 @@ function parseEnvFile(content: string, filename?: string): Record<string, string
  * @returns merged env record (only vars from .env files, excluding framework vars)
  */
 export function loadEnv(mode: string, dir?: string): Record<string, string> {
-    const root = dir ?? process.cwd();
-    const files = [
-        ".env",
-        ".env.local",
-        `.env.${mode}`,
-        `.env.${mode}.local`,
-    ];
-
-    let merged: Record<string, string> = {};
-    const loaded: string[] = [];
-
-    for (const filename of files) {
-        const filepath = join(root, filename);
-        if (!existsSync(filepath)) continue;
-        const content = readFileSync(filepath, "utf-8");
-        const parsed = parseEnvFile(content, filename);
-        merged = { ...merged, ...parsed };
-        loaded.push(filename);
-    }
-
-    if (loaded.length > 0) {
-        console.log(`✓ Loaded ${loaded.join(", ")}`);
-    }
-
-    // Track declared keys so html.ts only exposes .env-declared PUBLIC_* vars
-    for (const key of Object.keys(merged)) {
-        _declaredKeys.add(key);
-    }
-
-    // Apply to process.env — system env wins (don't overwrite existing)
-    for (const [key, value] of Object.entries(merged)) {
-        if (!(key in process.env)) {
-            process.env[key] = value;
-        }
-    }
-
-    // Return only non-framework vars
-    const result: Record<string, string> = {};
-    for (const [key, value] of Object.entries(merged)) {
-        if (!FRAMEWORK_VARS.has(key)) {
-            result[key] = process.env[key] ?? value;
-        }
-    }
-
-    return result;
+	const root = dir ?? process.cwd();
+	const files = [".env", ".env.local", `.env.${mode}`, `.env.${mode}.local`];
+
+	let merged: Record<string, string> = {};
+	const loaded: string[] = [];
+
+	for (const filename of files) {
+		const filepath = join(root, filename);
+		if (!existsSync(filepath)) continue;
+		const content = readFileSync(filepath, "utf-8");
+		const parsed = parseEnvFile(content, filename);
+		merged = { ...merged, ...parsed };
+		loaded.push(filename);
+	}
+
+	if (loaded.length > 0) {
+		console.log(`✓ Loaded ${loaded.join(", ")}`);
+	}
+
+	// Track declared keys so html.ts only exposes .env-declared PUBLIC_* vars
+	for (const key of Object.keys(merged)) {
+		_declaredKeys.add(key);
+	}
+
+	// Apply to process.env — system env wins (don't overwrite existing)
+	for (const [key, value] of Object.entries(merged)) {
+		if (!(key in process.env)) {
+			process.env[key] = value;
+		}
+	}
+
+	// Return only non-framework vars
+	const result: Record<string, string> = {};
+	for (const [key, value] of Object.entries(merged)) {
+		if (!FRAMEWORK_VARS.has(key)) {
+			result[key] = process.env[key] ?? value;
+		}
+	}
+
+	return result;
 }
 
 // ─── Declared Key Tracking ───────────────────────────
@@ -165,40 +172,40 @@ const _declaredKeys = new Set<string>();
 
 /** Returns the set of env var keys that were declared in .env files. */
 export function getDeclaredEnvKeys(): ReadonlySet<string> {
-    return _declaredKeys;
+	return _declaredKeys;
 }
 
 // ─── Classifier ──────────────────────────────────────────
 
 export interface ClassifiedEnv {
-    /** PUBLIC_STATIC_* — client+server, build-time inlined */
-    publicStatic: Record<string, string>;
-    /** PUBLIC_* (excluding PUBLIC_STATIC_*) — client+server, runtime */
-    publicDynamic: Record<string, string>;
-    /** STATIC_* — server only, build-time inlined */
-    privateStatic: Record<string, string>;
-    /** everything else — server only, runtime */
-    privateDynamic: Record<string, string>;
+	/** PUBLIC_STATIC_* — client+server, build-time inlined */
+	publicStatic: Record<string, string>;
+	/** PUBLIC_* (excluding PUBLIC_STATIC_*) — client+server, runtime */
+	publicDynamic: Record<string, string>;
+	/** STATIC_* — server only, build-time inlined */
+	privateStatic: Record<string, string>;
+	/** everything else — server only, runtime */
+	privateDynamic: Record<string, string>;
 }
 
 /** Classify env vars by prefix into the four visibility/timing buckets. */
 export function classifyEnvVars(env: Record<string, string>): ClassifiedEnv {
-    const publicStatic: Record<string, string> = {};
-    const publicDynamic: Record<string, string> = {};
-    const privateStatic: Record<string, string> = {};
-    const privateDynamic: Record<string, string> = {};
-
-    for (const [key, value] of Object.entries(env)) {
-        if (key.startsWith("PUBLIC_STATIC_")) {
-            publicStatic[key] = value;
-        } else if (key.startsWith("PUBLIC_")) {
-            publicDynamic[key] = value;
-        } else if (key.startsWith("STATIC_")) {
-            privateStatic[key] = value;
-        } else {
-            privateDynamic[key] = value;
-        }
-    }
-
-    return { publicStatic, publicDynamic, privateStatic, privateDynamic };
+	const publicStatic: Record<string, string> = {};
+	const publicDynamic: Record<string, string> = {};
+	const privateStatic: Record<string, string> = {};
+	const privateDynamic: Record<string, string> = {};
+
+	for (const [key, value] of Object.entries(env)) {
+		if (key.startsWith("PUBLIC_STATIC_")) {
+			publicStatic[key] = value;
+		} else if (key.startsWith("PUBLIC_")) {
+			publicDynamic[key] = value;
+		} else if (key.startsWith("STATIC_")) {
+			privateStatic[key] = value;
+		} else {
+			privateDynamic[key] = value;
+		}
+	}
+
+	return { publicStatic, publicDynamic, privateStatic, privateDynamic };
 }

package/src/core/envCodegen.ts

@@ -9,86 +9,86 @@ import type { ClassifiedEnv } from "./env.ts";
 //   types/env.d.ts — declare module '$env' for IDE autocomplete
 
 export function generateEnvModules(classified: ClassifiedEnv): void {
-    const bosiaDir = join(process.cwd(), ".bosia");
-    const typesDir = join(bosiaDir, "types");
-    mkdirSync(bosiaDir, { recursive: true });
-    mkdirSync(typesDir, { recursive: true });
-
-    writeServerEnv(classified, bosiaDir);
-    writeClientEnv(classified, bosiaDir);
-    writeEnvTypes(classified, typesDir);
+	const bosiaDir = join(process.cwd(), ".bosia");
+	const typesDir = join(bosiaDir, "types");
+	mkdirSync(bosiaDir, { recursive: true });
+	mkdirSync(typesDir, { recursive: true });
+
+	writeServerEnv(classified, bosiaDir);
+	writeClientEnv(classified, bosiaDir);
+	writeEnvTypes(classified, typesDir);
 }
 
 function writeServerEnv(classified: ClassifiedEnv, bosiaDir: string): void {
-    const lines: string[] = [
-        "// Auto-generated by Bosia. Do not edit.",
-        "// $env → server — all vars",
-        "",
-    ];
-
-    // PUBLIC_STATIC_* — inlined literals
-    for (const [key, value] of Object.entries(classified.publicStatic)) {
-        lines.push(`export const ${key} = ${JSON.stringify(value)};`);
-    }
-
-    // PUBLIC_* dynamic — read from process.env at runtime
-    for (const key of Object.keys(classified.publicDynamic)) {
-        lines.push(`export const ${key} = process.env.${key} ?? "";`);
-    }
-
-    // STATIC_* — inlined literals
-    for (const [key, value] of Object.entries(classified.privateStatic)) {
-        lines.push(`export const ${key} = ${JSON.stringify(value)};`);
-    }
-
-    // private dynamic — read from process.env at runtime
-    for (const key of Object.keys(classified.privateDynamic)) {
-        lines.push(`export const ${key} = process.env.${key} ?? "";`);
-    }
-
-    writeFileSync(join(bosiaDir, "env.server.ts"), lines.join("\n") + "\n");
+	const lines: string[] = [
+		"// Auto-generated by Bosia. Do not edit.",
+		"// $env → server — all vars",
+		"",
+	];
+
+	// PUBLIC_STATIC_* — inlined literals
+	for (const [key, value] of Object.entries(classified.publicStatic)) {
+		lines.push(`export const ${key} = ${JSON.stringify(value)};`);
+	}
+
+	// PUBLIC_* dynamic — read from process.env at runtime
+	for (const key of Object.keys(classified.publicDynamic)) {
+		lines.push(`export const ${key} = process.env.${key} ?? "";`);
+	}
+
+	// STATIC_* — inlined literals
+	for (const [key, value] of Object.entries(classified.privateStatic)) {
+		lines.push(`export const ${key} = ${JSON.stringify(value)};`);
+	}
+
+	// private dynamic — read from process.env at runtime
+	for (const key of Object.keys(classified.privateDynamic)) {
+		lines.push(`export const ${key} = process.env.${key} ?? "";`);
+	}
+
+	writeFileSync(join(bosiaDir, "env.server.ts"), lines.join("\n") + "\n");
 }
 
 function writeClientEnv(classified: ClassifiedEnv, bosiaDir: string): void {
-    const lines: string[] = [
-        "// Auto-generated by Bosia. Do not edit.",
-        "// $env → client — PUBLIC_* vars only",
-        "",
-        "const __env: Record<string, string> =",
-        "  typeof window !== 'undefined' && (window as any).__BOSIA_ENV__ || {};",
-        "",
-    ];
-
-    // PUBLIC_STATIC_* — inlined literals
-    for (const [key, value] of Object.entries(classified.publicStatic)) {
-        lines.push(`export const ${key} = ${JSON.stringify(value)};`);
-    }
-
-    // PUBLIC_* dynamic — read from window.__BOSIA_ENV__ at runtime
-    for (const key of Object.keys(classified.publicDynamic)) {
-        lines.push(`export const ${key} = __env.${key} ?? "";`);
-    }
-
-    writeFileSync(join(bosiaDir, "env.client.ts"), lines.join("\n") + "\n");
+	const lines: string[] = [
+		"// Auto-generated by Bosia. Do not edit.",
+		"// $env → client — PUBLIC_* vars only",
+		"",
+		"const __env: Record<string, string> =",
+		"  typeof window !== 'undefined' && (window as any).__BOSIA_ENV__ || {};",
+		"",
+	];
+
+	// PUBLIC_STATIC_* — inlined literals
+	for (const [key, value] of Object.entries(classified.publicStatic)) {
+		lines.push(`export const ${key} = ${JSON.stringify(value)};`);
+	}
+
+	// PUBLIC_* dynamic — read from window.__BOSIA_ENV__ at runtime
+	for (const key of Object.keys(classified.publicDynamic)) {
+		lines.push(`export const ${key} = __env.${key} ?? "";`);
+	}
+
+	writeFileSync(join(bosiaDir, "env.client.ts"), lines.join("\n") + "\n");
 }
 
 function writeEnvTypes(classified: ClassifiedEnv, typesDir: string): void {
-    const allKeys = [
-        ...Object.keys(classified.publicStatic),
-        ...Object.keys(classified.publicDynamic),
-        ...Object.keys(classified.privateStatic),
-        ...Object.keys(classified.privateDynamic),
-    ];
-
-    const declarations = allKeys.map(key => `    export const ${key}: string;`);
-
-    const content = [
-        "// Auto-generated by Bosia. Do not edit.",
-        "declare module '$env' {",
-        ...declarations,
-        "}",
-        "",
-    ].join("\n");
-
-    writeFileSync(join(typesDir, "env.d.ts"), content);
+	const allKeys = [
+		...Object.keys(classified.publicStatic),
+		...Object.keys(classified.publicDynamic),
+		...Object.keys(classified.privateStatic),
+		...Object.keys(classified.privateDynamic),
+	];
+
+	const declarations = allKeys.map((key) => `    export const ${key}: string;`);
+
+	const content = [
+		"// Auto-generated by Bosia. Do not edit.",
+		"declare module '$env' {",
+		...declarations,
+		"}",
+		"",
+	].join("\n");
+
+	writeFileSync(join(typesDir, "env.d.ts"), content);
 }

package/src/core/errors.ts

@@ -2,85 +2,84 @@
 // Throw these from load() functions; the server catches and handles them.
 
 export class HttpError extends Error {
-    constructor(public status: number, message: string) {
-        super(message);
-        this.name = "HttpError";
-    }
+	constructor(
+		public status: number,
+		message: string,
+	) {
+		super(message);
+		this.name = "HttpError";
+	}
 }
 
 export interface RedirectOptions {
-    /** Set to `true` to allow redirects to external origins (e.g. OAuth providers). */
-    allowExternal?: boolean;
+	/** Set to `true` to allow redirects to external origins (e.g. OAuth providers). */
+	allowExternal?: boolean;
 }
 
 export class Redirect {
-    constructor(
-        public status: number,
-        public location: string,
-        options?: RedirectOptions,
-    ) {
-        validateRedirectLocation(location, options);
-    }
+	constructor(
+		public status: number,
+		public location: string,
+		options?: RedirectOptions,
+	) {
+		validateRedirectLocation(location, options);
+	}
 }
 
 const DANGEROUS_SCHEMES = /^(javascript|data|vbscript):/i;
 
-function validateRedirectLocation(
-    location: string,
-    options?: RedirectOptions,
-): void {
-    if (options?.allowExternal) return;
+function validateRedirectLocation(location: string, options?: RedirectOptions): void {
+	if (options?.allowExternal) return;
 
-    const trimmed = location.trim();
+	const trimmed = location.trim();
 
-    // Reject dangerous schemes
-    if (DANGEROUS_SCHEMES.test(trimmed)) {
-        throw new Error(
-            `redirect(): dangerous scheme in URL "${location}". ` +
-                `Only relative paths and same-origin URLs are allowed.`,
-        );
-    }
+	// Reject dangerous schemes
+	if (DANGEROUS_SCHEMES.test(trimmed)) {
+		throw new Error(
+			`redirect(): dangerous scheme in URL "${location}". ` +
+				`Only relative paths and same-origin URLs are allowed.`,
+		);
+	}
 
-    // Reject protocol-relative URLs (//evil.com)
-    if (trimmed.startsWith("//")) {
-        throw new Error(
-            `redirect(): protocol-relative URLs like "${location}" are not allowed. ` +
-                `Use a relative path or pass { allowExternal: true } for external redirects.`,
-        );
-    }
+	// Reject protocol-relative URLs (//evil.com)
+	if (trimmed.startsWith("//")) {
+		throw new Error(
+			`redirect(): protocol-relative URLs like "${location}" are not allowed. ` +
+				`Use a relative path or pass { allowExternal: true } for external redirects.`,
+		);
+	}
 
-    // Allow relative paths (no scheme)
-    if (!/^[a-zA-Z][a-zA-Z0-9+\-.]*:/.test(trimmed)) return;
+	// Allow relative paths (no scheme)
+	if (!/^[a-zA-Z][a-zA-Z0-9+\-.]*:/.test(trimmed)) return;
 
-    // It's an absolute URL — reject external origins
-    throw new Error(
-        `redirect(): external URL "${location}" is not allowed. ` +
-            `Use a relative path or pass { allowExternal: true } for external redirects.`,
-    );
+	// It's an absolute URL — reject external origins
+	throw new Error(
+		`redirect(): external URL "${location}" is not allowed. ` +
+			`Use a relative path or pass { allowExternal: true } for external redirects.`,
+	);
 }
 
 /** Throw an HTTP error from a load() function. */
 export function error(status: number, message: string): never {
-    throw new HttpError(status, message);
+	throw new HttpError(status, message);
 }
 
 /** Redirect the user from a load() function. */
-export function redirect(
-    status: number,
-    location: string,
-    options?: RedirectOptions,
-): never {
-    throw new Redirect(status, location, options);
+export function redirect(status: number, location: string, options?: RedirectOptions): never {
+	throw new Redirect(status, location, options);
 }
 
 // ─── Form Action Helpers ─────────────────────────────────
 // Return from form actions — not thrown, just returned.
 
 export class ActionFailure<T extends Record<string, any> = Record<string, any>> {
-    constructor(public status: number, public data: T) {}
+	constructor(
+		public status: number,
+		public data: T,
+	) {}
 }
 
 /** Return a failure from a form action with a status code and data. */
 export function fail<T extends Record<string, any>>(status: number, data: T): ActionFailure<T> {
-    return new ActionFailure(status, data);
+	return new ActionFailure(status, data);
 }