bosia 0.5.0 → 0.5.2

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "bosia",
-	"version": "0.5.0",
+	"version": "0.5.2",
 	"type": "module",
 	"description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
 	"keywords": [

package/src/cli/add.ts

@@ -47,10 +47,10 @@ export async function initAddRegistry(root: string | null) {
 	registryIndex = await loadIndex();
 }
 
-export async function runAdd(name: string | undefined, flags: string[] = []) {
-	if (!name) {
+export async function runAdd(names: string[], flags: string[] = []) {
+	if (names.length === 0) {
 		console.error(
-			"❌ Please provide a component name.\n   Usage: bun x bosia@latest add <component> [--local]",
+			"❌ Please provide a component name.\n   Usage: bun x bosia@latest add <component...> [-y] [--local]",
 		);
 		process.exit(1);
 	}
@@ -60,11 +60,15 @@ export async function runAdd(name: string | undefined, flags: string[] = []) {
 		console.log(`⬡ Using local registry: ${registryRoot}\n`);
 	}
 
+	const skipPrompts = flags.includes("-y") || flags.includes("--yes");
+
 	// Load index once to resolve component paths
 	registryIndex = await loadIndex();
 
 	ensureUtils();
-	await addComponent(name, true);
+	for (const name of names) {
+		await addComponent(name, true, { skipPrompts });
+	}
 }
 
 /**

package/src/cli/index.ts

@@ -37,18 +37,20 @@ async function main() {
 			break;
 		}
 		case "add": {
-			const positional = args.filter((a) => !a.startsWith("--"));
-			const flags = args.filter((a) => a.startsWith("--"));
+			const positional = args.filter((a) => !a.startsWith("-"));
+			const flags = args.filter((a) => a.startsWith("-"));
 			const sub = positional[0];
 			if (sub === "block") {
+				const blockFlags = args.filter((a) => a.startsWith("--"));
 				const { runAddBlock } = await import("./block.ts");
-				await runAddBlock(positional[1], flags);
+				await runAddBlock(positional[1], blockFlags);
 			} else if (sub === "theme") {
+				const themeFlags = args.filter((a) => a.startsWith("--"));
 				const { runAddTheme } = await import("./theme.ts");
-				await runAddTheme(positional[1], flags);
+				await runAddTheme(positional[1], themeFlags);
 			} else {
 				const { runAdd } = await import("./add.ts");
-				await runAdd(sub, flags);
+				await runAdd(positional, flags);
 			}
 			break;
 		}
@@ -72,7 +74,7 @@ Commands:
   build               Build for production
   start               Run the production server
   test [args]         Run tests with bun test (auto-loads .env.test, sets BOSIA_ENV=test)
-  add <component>           Add a UI component from the registry
+  add <component...> [-y]   Add one or more UI components from the registry
   add block <cat>/<name>    Add a composed block from the registry
   add theme <name>          Add a theme (tokens.css) from the registry
   feat <feature>            Add a feature scaffold from the registry [--local]
@@ -87,6 +89,8 @@ Examples:
   bun x bosia test --watch
   bun x bosia test --coverage
   bun x bosia@latest add button              → src/lib/components/ui/button/
+  bun x bosia@latest add button card input   → install multiple at once
+  bun x bosia@latest add -y button card      → auto-confirm overwrites (CI / scripts)
   bun x bosia@latest add shop/cart           → src/lib/components/shop/cart/
   bun x bosia@latest add block cards/feature-editorial
   bun x bosia@latest add theme editorial

package/src/core/dev.ts

@@ -212,29 +212,43 @@ const devServer = Bun.serve({
 		// the app's CSRF origin check (gated behind TRUST_PROXY=true, also set in the
 		// app env above) reconstructs the public-facing origin from the dev proxy
 		// rather than the inner-app's host (localhost:APP_PORT).
-		try {
-			const reqUrl = new URL(req.url);
-			const target = new URL(req.url);
-			target.hostname = "localhost";
-			target.port = String(APP_PORT);
-
-			const forwardedHeaders = new Headers(req.headers);
-			forwardedHeaders.set("x-forwarded-host", reqUrl.host);
-			forwardedHeaders.set("x-forwarded-proto", reqUrl.protocol.replace(":", ""));
-
-			return await fetch(
-				new Request(target.toString(), {
-					method: req.method,
-					headers: forwardedHeaders,
-					body: req.body,
-					redirect: "manual",
-				}),
-			);
-		} catch {
-			return new Response("App server is starting...", {
-				status: 503,
-				headers: { "Content-Type": "text/plain", "Retry-After": "1" },
-			});
+		const reqUrl = new URL(req.url);
+		const target = new URL(req.url);
+		target.hostname = "localhost";
+		target.port = String(APP_PORT);
+
+		const forwardedHeaders = new Headers(req.headers);
+		forwardedHeaders.set("x-forwarded-host", reqUrl.host);
+		forwardedHeaders.set("x-forwarded-proto", reqUrl.protocol.replace(":", ""));
+
+		// HMR-driven reloads can land on the proxy before the freshly-respawned
+		// inner has bound APP_PORT. Retry for a few seconds on idempotent HTML
+		// navigations so the browser doesn't get stuck rendering the 503 body.
+		const accept = req.headers.get("accept") ?? "";
+		const retryable =
+			(req.method === "GET" || req.method === "HEAD") && accept.includes("text/html");
+		const deadline = Date.now() + (retryable ? 10_000 : 0);
+
+		while (true) {
+			try {
+				return await fetch(
+					new Request(target.toString(), {
+						method: req.method,
+						headers: forwardedHeaders,
+						body: req.body,
+						redirect: "manual",
+					}),
+				);
+			} catch {
+				if (retryable && Date.now() < deadline) {
+					await Bun.sleep(250);
+					continue;
+				}
+				return new Response("App server is starting...", {
+					status: 503,
+					headers: { "Content-Type": "text/plain", "Retry-After": "1" },
+				});
+			}
 		}
 	},
 });

package/src/core/server.ts

@@ -563,12 +563,21 @@ async function resolve(event: RequestEvent): Promise<Response> {
 
 // ─── Request Entry ────────────────────────────────────────
 
+// Set DISABLE_X_FRAME_OPTIONS=true to omit `X-Frame-Options: SAMEORIGIN`.
+// Useful when the app is intentionally embedded as an iframe by a different origin
+// (preview/proxy hubs, design tools, etc.). Other security headers stay on.
+const _xfoDisabled = process.env.DISABLE_X_FRAME_OPTIONS === "true";
+
 const SECURITY_HEADERS: Record<string, string> = {
 	"X-Content-Type-Options": "nosniff",
-	"X-Frame-Options": "SAMEORIGIN",
+	...(_xfoDisabled ? {} : { "X-Frame-Options": "SAMEORIGIN" }),
 	"Referrer-Policy": "strict-origin-when-cross-origin",
 };
 
+if (_xfoDisabled) {
+	console.log("🪟  X-Frame-Options disabled (DISABLE_X_FRAME_OPTIONS=true)");
+}
+
 async function handleRequest(request: Request, url: URL): Promise<Response> {
 	// Reject new non-health requests during shutdown
 	if (shuttingDown && url.pathname !== "/_health") {

package/templates/default/bosia.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "bosia";
+import { inspector } from "bosia/plugins/inspector";
+
+export default defineConfig({
+	plugins: [
+		// Dev-only: Alt+click any element on the page to open its source in your editor.
+		// Change `editor` to "cursor" or "zed" if you don't use VS Code.
+		inspector({ editor: "code" }),
+	],
+});

package/templates/demo/bosia.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "bosia";
+import { inspector } from "bosia/plugins/inspector";
+
+export default defineConfig({
+	plugins: [
+		// Dev-only: Alt+click any element on the page to open its source in your editor.
+		// Change `editor` to "cursor" or "zed" if you don't use VS Code.
+		inspector({ editor: "code" }),
+	],
+});

package/templates/todo/bosia.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "bosia";
+import { inspector } from "bosia/plugins/inspector";
+
+export default defineConfig({
+	plugins: [
+		// Dev-only: Alt+click any element on the page to open its source in your editor.
+		// Change `editor` to "cursor" or "zed" if you don't use VS Code.
+		inspector({ editor: "code" }),
+	],
+});