bosia 0.4.4 → 0.5.0

package/src/core/renderer.ts

@@ -3,7 +3,8 @@ import { render } from "svelte/server";
 import { findMatch } from "./matcher.ts";
 import { serverRoutes, errorPage } from "bosia:routes";
 import type { RouteMatch } from "./types.ts";
-import type { Cookies } from "./hooks.ts";
+import type { Cookies, LoaderDeps } from "./hooks.ts";
+import { CSP_ENABLED } from "./csp.ts";
 import { HttpError, Redirect } from "./errors.ts";
 import { pickErrorPage, type ErrorOrigin } from "./errorMatch.ts";
 import App from "./client/App.svelte";
@@ -157,9 +158,134 @@ function stampErrorContext(
 	e.partialLayoutData ??= [...partialLayoutData];
 }
 
+// ─── Per-Loader Dependency Tracking ──────────────────────
+// Wraps `params`, `url`, `cookies`, and `fetch` with proxies/closures
+// that record every key read during a single loader run. The client
+// cache uses these records to skip re-runs on subsequent navigations
+// when none of the tracked inputs changed.
+
+function emptyDeps(): LoaderDeps {
+	return {
+		keys: [],
+		urls: [],
+		params: [],
+		searchParams: [],
+		cookies: [],
+		uses_url: false,
+	};
+}
+
+function trackedParams(params: Record<string, string>, deps: LoaderDeps): Record<string, string> {
+	return new Proxy(params, {
+		get(target, prop) {
+			if (typeof prop === "string") {
+				if (!deps.params.includes(prop)) deps.params.push(prop);
+			}
+			return Reflect.get(target, prop);
+		},
+	});
+}
+
+const URL_TRACKED_PROPS = new Set(["pathname", "origin", "hash", "href", "host", "hostname"]);
+
+function trackedUrl(url: URL, deps: LoaderDeps): URL {
+	const trackedSearch = new Proxy(url.searchParams, {
+		get(target, prop) {
+			if (prop === "get" || prop === "has" || prop === "getAll") {
+				return (key: string) => {
+					if (typeof key === "string" && !deps.searchParams.includes(key)) {
+						deps.searchParams.push(key);
+					}
+					return (target as any)[prop](key);
+				};
+			}
+			const value = Reflect.get(target, prop);
+			return typeof value === "function" ? value.bind(target) : value;
+		},
+	});
+	return new Proxy(url, {
+		get(target, prop) {
+			if (prop === "searchParams") return trackedSearch;
+			if (prop === "search") {
+				// Whole search string read → treat as broad searchParams dep
+				deps.uses_url = true;
+				return target.search;
+			}
+			if (typeof prop === "string" && URL_TRACKED_PROPS.has(prop)) {
+				deps.uses_url = true;
+			}
+			const value = Reflect.get(target, prop);
+			return typeof value === "function" ? value.bind(target) : value;
+		},
+	});
+}
+
+function trackedCookies(cookies: Cookies, deps: LoaderDeps): Cookies {
+	return {
+		get(name: string) {
+			if (!deps.cookies.includes(name)) deps.cookies.push(name);
+			return cookies.get(name);
+		},
+		getAll() {
+			// Broad read — treat as wildcard; record empty marker so any cookie
+			// invalidation triggers re-run. Use a sentinel "*" to mean "all".
+			if (!deps.cookies.includes("*")) deps.cookies.push("*");
+			return cookies.getAll();
+		},
+		set(name, value, options) {
+			cookies.set(name, value, options);
+		},
+		delete(name, options) {
+			cookies.delete(name, options);
+		},
+	};
+}
+
+function trackedFetch(
+	fetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>,
+	origin: string,
+	deps: LoaderDeps,
+): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response> {
+	return (input, init) => {
+		let href: string | null = null;
+		try {
+			if (typeof input === "string") href = new URL(input, origin).href;
+			else if (input instanceof URL) href = input.href;
+			else href = new URL(input.url, origin).href;
+		} catch {
+			href = null;
+		}
+		if (href && !deps.urls.includes(href)) deps.urls.push(href);
+		return fetch(input, init);
+	};
+}
+
+function makeDepends(deps: LoaderDeps): (...keys: string[]) => void {
+	return (...keys: string[]) => {
+		for (const k of keys) {
+			if (typeof k === "string" && !deps.keys.includes(k)) deps.keys.push(k);
+		}
+	};
+}
+
 // ─── Route Data Loader ───────────────────────────────────
 // Runs layout + page server loaders for a given URL.
 // Used by both SSR and the /__bosia/data JSON endpoint.
+//
+// `mask` controls selective re-runs from the client data endpoint:
+//   - undefined → run everything (SSR, first nav)
+//   - layouts[i] === true → run that layout; false → skip, emit null
+//   - page === true → run page; false → skip, emit null
+// When skipped, the parent() chain still receives the *combined parent
+// data* contributed by previously-cached layers, which the client
+// reconstructs and forwards in the request body. For now (initial
+// implementation), skipped loaders contribute `{}` to parent and the
+// response slot is `null`; the client merges with its cached data.
+
+export type LoaderMask = {
+	page: boolean;
+	layouts: boolean[];
+};
 
 export async function loadRouteData(
 	url: URL,
@@ -168,89 +294,155 @@ export async function loadRouteData(
 	cookies: Cookies,
 	metadataData: Record<string, any> | null = null,
 	match?: RouteMatch<(typeof serverRoutes)[number]> | null,
+	mask?: LoaderMask,
 ) {
 	match ??= findMatch(serverRoutes, url.pathname);
 	if (!match) return null;
 
 	const { route, params } = match;
 	const fetch = makeFetch(req, url);
-	const layoutData: Record<string, any>[] = [];
+	const origin = url.origin;
+	const layoutData: (Record<string, any> | null)[] = [];
+	const layoutDeps: (LoaderDeps | null)[] = [];
 	let parentData: Record<string, any> = {};
 
 	// Run layout server loaders root → leaf, each gets parent() data
 	for (const ls of route.layoutServers) {
+		const skip = mask && mask.layouts[ls.depth] === false;
 		try {
+			if (skip) {
+				layoutData[ls.depth] = null;
+				layoutDeps[ls.depth] = null;
+				// Skipped layers contribute {} to the parent chain. The client
+				// already has their data and renders it from cache, so dependent
+				// loaders that DO re-run will see stale parent() data here. This
+				// is the same trade-off SvelteKit makes; loaders that need fresh
+				// upstream data should call `depends()` on a shared key.
+				continue;
+			}
 			const mod = await ls.loader();
 			if (typeof mod.load === "function") {
 				// Snapshot per layer so loaders cannot mutate the shared accumulator,
 				// preserving the same isolation semantics as the previous merge-on-call code.
 				const snapshot = { ...parentData };
 				const parent = async () => snapshot;
+				const deps = emptyDeps();
 				const result =
 					(await withTimeout(
-						mod.load({ params, url, locals, cookies, parent, fetch, metadata: null }),
+						mod.load({
+							params: trackedParams(params, deps),
+							url: trackedUrl(url, deps),
+							locals,
+							cookies: trackedCookies(cookies, deps),
+							parent,
+							fetch: trackedFetch(fetch, origin, deps),
+							metadata: null,
+							depends: makeDepends(deps),
+						}),
 						LOAD_TIMEOUT,
 						`layout load (depth=${ls.depth}, ${url.pathname})`,
 					)) ?? {};
 				layoutData[ls.depth] = result;
+				layoutDeps[ls.depth] = deps;
 				parentData = { ...parentData, ...result };
+			} else {
+				layoutData[ls.depth] = {};
+				layoutDeps[ls.depth] = emptyDeps();
 			}
 		} catch (err) {
 			if (err instanceof Redirect) throw err;
 			if (err instanceof HttpError) {
-				stampErrorContext(err, ls.depth, "layout", layoutData);
+				stampErrorContext(
+					err,
+					ls.depth,
+					"layout",
+					layoutData.map((d) => d ?? {}),
+				);
 				throw err;
 			}
 			if (isDev) console.error("Layout server load error:", err);
 			else console.error("Layout server load error:", (err as Error).message ?? err);
 			const wrapped = new HttpError(500, "Internal Server Error");
-			stampErrorContext(wrapped, ls.depth, "layout", layoutData);
+			stampErrorContext(
+				wrapped,
+				ls.depth,
+				"layout",
+				layoutData.map((d) => d ?? {}),
+			);
 			throw wrapped;
 		}
 	}
 
 	// Run page server loader
-	let pageData: Record<string, any> = {};
+	let pageData: Record<string, any> | null = null;
+	let pageDeps: LoaderDeps | null = null;
 	let csr = true;
 	let ssr = true;
+	const skipPage = mask && mask.page === false;
 	if (route.pageServer) {
 		try {
 			const mod = await route.pageServer();
 			if (mod.csr === false) csr = false;
 			if (mod.ssr === false) ssr = false;
-			if (typeof mod.load === "function") {
+			if (skipPage) {
+				pageData = null;
+				pageDeps = null;
+			} else if (typeof mod.load === "function") {
 				const snapshot = { ...parentData };
 				const parent = async () => snapshot;
+				const deps = emptyDeps();
 				pageData =
 					(await withTimeout(
 						mod.load({
-							params,
-							url,
+							params: trackedParams(params, deps),
+							url: trackedUrl(url, deps),
 							locals,
-							cookies,
+							cookies: trackedCookies(cookies, deps),
 							parent,
-							fetch,
+							fetch: trackedFetch(fetch, origin, deps),
 							metadata: metadataData,
+							depends: makeDepends(deps),
 						}),
 						LOAD_TIMEOUT,
 						`page load (${url.pathname})`,
 					)) ?? {};
+				pageDeps = deps;
+			} else {
+				pageData = {};
+				pageDeps = emptyDeps();
 			}
 		} catch (err) {
 			if (err instanceof Redirect) throw err;
 			if (err instanceof HttpError) {
-				stampErrorContext(err, route.layoutModules.length, "page", layoutData);
+				stampErrorContext(
+					err,
+					route.layoutModules.length,
+					"page",
+					layoutData.map((d) => d ?? {}),
+				);
 				throw err;
 			}
 			if (isDev) console.error("Page server load error:", err);
 			else console.error("Page server load error:", (err as Error).message ?? err);
 			const wrapped = new HttpError(500, "Internal Server Error");
-			stampErrorContext(wrapped, route.layoutModules.length, "page", layoutData);
+			stampErrorContext(
+				wrapped,
+				route.layoutModules.length,
+				"page",
+				layoutData.map((d) => d ?? {}),
+			);
 			throw wrapped;
 		}
+	} else {
+		pageData = {};
+		pageDeps = emptyDeps();
 	}
 
-	return { pageData: { ...pageData, params }, layoutData, csr, ssr };
+	// `params` are always attached to pageData for client-side router consumption.
+	// When pageData is skipped, the client merges its cached pageData with current
+	// route params separately, so we keep the `null` sentinel here.
+	const pageOut = pageData === null ? null : { ...pageData, params };
+	return { pageData: pageOut, layoutData, csr, ssr, pageDeps, layoutDeps };
 }
 
 // ─── Metadata Loader ─────────────────────────────────────
@@ -296,6 +488,7 @@ export async function renderSSRStream(
 	if (!match) return null;
 
 	const { route, params } = match;
+	const nonce = CSP_ENABLED && typeof locals.nonce === "string" ? locals.nonce : undefined;
 
 	// ── Pre-stream phase: resolve metadata before committing to a 200 ──
 	// Errors here return a proper error response with correct status code.
@@ -307,7 +500,17 @@ export async function renderSSRStream(
 			return Response.redirect(err.location, err.status);
 		}
 		if (err instanceof HttpError) {
-			return renderErrorPage(err.status, err.message, url, req, route);
+			return renderErrorPage(
+				err.status,
+				err.message,
+				url,
+				req,
+				route,
+				undefined,
+				undefined,
+				undefined,
+				nonce,
+			);
 		}
 		if (isDev) console.error("Metadata load error:", err);
 		else console.error("Metadata load error:", (err as Error).message ?? err);
@@ -344,14 +547,36 @@ export async function renderSSRStream(
 				e.errorDepth,
 				e.errorOrigin,
 				e.partialLayoutData,
+				nonce,
 			);
 		}
 		if (isDev) console.error("SSR load error:", err);
 		else console.error("SSR load error:", (err as Error).message ?? err);
-		return renderErrorPage(500, "Internal Server Error", url, req, route);
+		return renderErrorPage(
+			500,
+			"Internal Server Error",
+			url,
+			req,
+			route,
+			undefined,
+			undefined,
+			undefined,
+			nonce,
+		);
 	}
 
-	if (!data) return renderErrorPage(404, "Not Found", url, req);
+	if (!data)
+		return renderErrorPage(
+			404,
+			"Not Found",
+			url,
+			req,
+			undefined,
+			undefined,
+			undefined,
+			undefined,
+			nonce,
+		);
 
 	const enc = new TextEncoder();
 	const renderCtx: RenderContext = {
@@ -365,6 +590,10 @@ export async function renderSSRStream(
 		pluginRenderFragments("bodyEnd", renderCtx),
 	]);
 
+	// SSR always runs every loader, so coerce types from the optional sparse shape.
+	const layoutDataFull = (data.layoutData as Record<string, any>[]).map((d) => d ?? {});
+	const pageDataFull = data.pageData ?? {};
+
 	// ssr=false → no render() needed; ship shell + hydration as a single response.
 	// ssr=false && csr=false is meaningless (nothing renders) — force csr=true.
 	if (!data.ssr) {
@@ -374,9 +603,21 @@ export async function renderSSRStream(
 			);
 		}
 		const html =
-			buildHtmlShellOpen(metadata?.lang) +
+			buildHtmlShellOpen(metadata?.lang, nonce) +
 			buildMetadataChunk(metadata, headExtras) +
-			buildHtmlTail("", "", data.pageData, data.layoutData, true, null, false, bodyEndExtras);
+			buildHtmlTail(
+				"",
+				"",
+				pageDataFull,
+				layoutDataFull,
+				true,
+				null,
+				false,
+				bodyEndExtras,
+				nonce,
+				data.pageDeps,
+				data.layoutDeps,
+			);
 		return new Response(html, {
 			headers: { "Content-Type": "text/html; charset=utf-8" },
 		});
@@ -391,8 +632,8 @@ export async function renderSSRStream(
 				ssrMode: true,
 				ssrPageComponent: pageMod.default,
 				ssrLayoutComponents: layoutMods.map((m: any) => m.default),
-				ssrPageData: data.pageData,
-				ssrLayoutData: data.layoutData,
+				ssrPageData: pageDataFull,
+				ssrLayoutData: layoutDataFull,
 			},
 		}));
 	} catch (err) {
@@ -407,24 +648,28 @@ export async function renderSSRStream(
 			route,
 			route.layoutModules.length,
 			"page",
-			data.layoutData,
+			layoutDataFull,
+			nonce,
 		);
 	}
 
 	// Pre-compute all chunks; pull-based stream gives Bun native backpressure.
 	const chunks: Uint8Array[] = [
-		enc.encode(buildHtmlShellOpen(metadata?.lang)),
+		enc.encode(buildHtmlShellOpen(metadata?.lang, nonce)),
 		enc.encode(buildMetadataChunk(metadata, headExtras)),
 		enc.encode(
 			buildHtmlTail(
 				body,
 				head,
-				data.pageData,
-				data.layoutData,
+				pageDataFull,
+				layoutDataFull,
 				data.csr,
 				null,
 				true,
 				bodyEndExtras,
+				nonce,
+				data.pageDeps,
+				data.layoutDeps,
 			),
 		),
 	];
@@ -473,8 +718,20 @@ export async function renderPageWithFormData(
 	status: number,
 	match?: RouteMatch<(typeof serverRoutes)[number]> | null,
 ): Promise<Response> {
+	const nonce = CSP_ENABLED && typeof locals.nonce === "string" ? locals.nonce : undefined;
 	match ??= findMatch(serverRoutes, url.pathname);
-	if (!match) return renderErrorPage(404, "Not Found", url, req);
+	if (!match)
+		return renderErrorPage(
+			404,
+			"Not Found",
+			url,
+			req,
+			undefined,
+			undefined,
+			undefined,
+			undefined,
+			nonce,
+		);
 
 	const { route } = match;
 
@@ -485,7 +742,22 @@ export async function renderPageWithFormData(
 		Promise.all(route.layoutModules.map((l: () => Promise<any>) => l())),
 	]);
 
-	if (!data) return renderErrorPage(404, "Not Found", url, req);
+	if (!data)
+		return renderErrorPage(
+			404,
+			"Not Found",
+			url,
+			req,
+			undefined,
+			undefined,
+			undefined,
+			undefined,
+			nonce,
+		);
+
+	// Form-action re-render always runs every loader (no client mask).
+	const layoutDataFull = (data.layoutData as Record<string, any>[]).map((d) => d ?? {});
+	const pageDataFull = data.pageData ?? {};
 
 	if (!data.ssr) {
 		if (!data.csr && isDev) {
@@ -496,12 +768,15 @@ export async function renderPageWithFormData(
 		const html = buildHtml(
 			"",
 			"",
-			data.pageData,
-			data.layoutData,
+			pageDataFull,
+			layoutDataFull,
 			true,
 			formData,
 			undefined,
 			false,
+			nonce,
+			data.pageDeps,
+			data.layoutDeps,
 		);
 		return compress(html, "text/html; charset=utf-8", req, status);
 	}
@@ -511,13 +786,25 @@ export async function renderPageWithFormData(
 			ssrMode: true,
 			ssrPageComponent: pageMod.default,
 			ssrLayoutComponents: layoutMods.map((m: any) => m.default),
-			ssrPageData: data.pageData,
-			ssrLayoutData: data.layoutData,
+			ssrPageData: pageDataFull,
+			ssrLayoutData: layoutDataFull,
 			ssrFormData: formData,
 		},
 	});
 
-	const html = buildHtml(body, head, data.pageData, data.layoutData, data.csr, formData);
+	const html = buildHtml(
+		body,
+		head,
+		pageDataFull,
+		layoutDataFull,
+		data.csr,
+		formData,
+		undefined,
+		true,
+		nonce,
+		data.pageDeps,
+		data.layoutDeps,
+	);
 	return compress(html, "text/html; charset=utf-8", req, status);
 }
 
@@ -535,8 +822,12 @@ export async function renderErrorPage(
 	route?: any,
 	errorDepth?: number,
 	errorOrigin?: ErrorOrigin,
-	partialLayoutData?: Record<string, any>[],
+	partialLayoutData?: (Record<string, any> | null)[],
+	nonce?: string,
 ): Promise<Response> {
+	// Strip the nonce from emitted scripts when CSP is off — the attribute
+	// is dead bytes without a matching policy header.
+	if (!CSP_ENABLED) nonce = undefined;
 	// 1. Nested boundary
 	if (route && errorDepth !== undefined && route.errorPages?.length) {
 		const origin = errorOrigin ?? "page";
@@ -567,7 +858,17 @@ export async function renderErrorPage(
 					},
 				});
 				// csr=false: no client hydration on the error page itself.
-				const html = buildHtml(body, head, { status, message }, layoutData, false);
+				const html = buildHtml(
+					body,
+					head,
+					{ status, message },
+					layoutData,
+					false,
+					null,
+					undefined,
+					true,
+					nonce,
+				);
 				return compress(html, "text/html; charset=utf-8", req, status);
 			} catch (err) {
 				if (isDev) console.error("Nested error page render failed:", err);
@@ -591,7 +892,17 @@ export async function renderErrorPage(
 			const { body, head } = render(mod.default, {
 				props: { error: { status, message } },
 			});
-			const html = buildHtml(body, head, { status, message }, [], false);
+			const html = buildHtml(
+				body,
+				head,
+				{ status, message },
+				[],
+				false,
+				null,
+				undefined,
+				true,
+				nonce,
+			);
 			return compress(html, "text/html; charset=utf-8", req, status);
 		} catch (err) {
 			if (isDev) console.error("Error page render failed:", err);

package/src/core/routeFile.ts

@@ -40,6 +40,11 @@ export function generateRoutesFile(manifest: RouteManifest): void {
 	lines.push("  errorPages: { loader: () => Promise<any>; depth: number }[];");
 	lines.push("  hasServerData: boolean;");
 	lines.push('  trailingSlash: "never" | "always" | "ignore";');
+	// Stable ids per node, used by the client loader cache to detect whether
+	// a layout/page at a given depth is the same as last nav's (skip) or new
+	// (re-run). One id per layout in order, plus an optional page id.
+	lines.push("  pageId: string | null;");
+	lines.push("  layoutIds: (string | null)[];");
 	lines.push("}> = [");
 	for (const r of pages) {
 		const layoutImports = r.layouts
@@ -52,6 +57,15 @@ export function generateRoutesFile(manifest: RouteManifest): void {
 			)
 			.join(", ");
 		const hasServerData = !!(r.pageServer || r.layoutServers.length > 0);
+		const pageId = r.pageServer ? JSON.stringify(r.pageServer) : "null";
+		// Map +layout.server.ts paths to their layout depth, leaving nulls for
+		// layouts that have no server loader. Length matches layouts.length so
+		// client cache can index by depth.
+		const layoutIdByDepth: (string | null)[] = new Array(r.layouts.length).fill(null);
+		for (const ls of r.layoutServers) layoutIdByDepth[ls.depth] = ls.path;
+		const layoutIds = layoutIdByDepth
+			.map((id) => (id === null ? "null" : JSON.stringify(id)))
+			.join(", ");
 		lines.push("  {");
 		lines.push(`    pattern: ${JSON.stringify(r.pattern)},`);
 		lines.push(`    page: () => import(${JSON.stringify(toImportPath(r.page))}),`);
@@ -59,6 +73,8 @@ export function generateRoutesFile(manifest: RouteManifest): void {
 		lines.push(`    errorPages: [${errorPageImports}],`);
 		lines.push(`    hasServerData: ${hasServerData},`);
 		lines.push(`    trailingSlash: ${JSON.stringify(r.trailingSlash)},`);
+		lines.push(`    pageId: ${pageId},`);
+		lines.push(`    layoutIds: [${layoutIds}],`);
 		lines.push("  },");
 	}
 	lines.push("];\n");
@@ -157,6 +173,8 @@ function generateClientRoutesFile(
 	lines.push("  errorPages: { loader: () => Promise<any>; depth: number }[];");
 	lines.push("  hasServerData: boolean;");
 	lines.push('  trailingSlash: "never" | "always" | "ignore";');
+	lines.push("  pageId: string | null;");
+	lines.push("  layoutIds: (string | null)[];");
 	lines.push("}> = [");
 	for (const r of pages) {
 		const layoutImports = r.layouts
@@ -169,6 +187,12 @@ function generateClientRoutesFile(
 			)
 			.join(", ");
 		const hasServerData = !!(r.pageServer || r.layoutServers.length > 0);
+		const pageId = r.pageServer ? JSON.stringify(r.pageServer) : "null";
+		const layoutIdByDepth: (string | null)[] = new Array(r.layouts.length).fill(null);
+		for (const ls of r.layoutServers) layoutIdByDepth[ls.depth] = ls.path;
+		const layoutIds = layoutIdByDepth
+			.map((id) => (id === null ? "null" : JSON.stringify(id)))
+			.join(", ");
 		lines.push("  {");
 		lines.push(`    pattern: ${JSON.stringify(r.pattern)},`);
 		lines.push(`    page: () => import(${JSON.stringify(toImportPath(r.page))}),`);
@@ -176,6 +200,8 @@ function generateClientRoutesFile(
 		lines.push(`    errorPages: [${errorPageImports}],`);
 		lines.push(`    hasServerData: ${hasServerData},`);
 		lines.push(`    trailingSlash: ${JSON.stringify(r.trailingSlash)},`);
+		lines.push(`    pageId: ${pageId},`);
+		lines.push(`    layoutIds: [${layoutIds}],`);
 		lines.push("  },");
 	}
 	lines.push("];\n");

package/src/core/safePath.ts

@@ -0,0 +1,14 @@
+import { join, resolve as resolvePath } from "path";
+
+/**
+ * Resolve `untrusted` relative to `base` and verify the result stays inside
+ * `base`. Returns the absolute resolved path on success, or `null` when the
+ * resolved location escapes the base directory (traversal, absolute path
+ * pointing elsewhere, etc.). Use this on every untrusted path segment before
+ * touching the filesystem.
+ */
+export function safePath(base: string, untrusted: string): string | null {
+	const root = resolvePath(base);
+	const full = resolvePath(join(base, untrusted));
+	return full.startsWith(root + "/") || full === root ? full : null;
+}