bosia 0.6.3 → 0.6.5

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "bosia",
-	"version": "0.6.3",
+	"version": "0.6.5",
 	"type": "module",
 	"description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
 	"keywords": [

package/src/cli/feat.ts

@@ -28,6 +28,17 @@ interface FileEntry {
 	target: string;
 	strategy?: FileStrategy;
 	marker?: string; // unique id within target (default = feature name)
+	when?: Record<string, string>; // install only if every option value matches
+}
+
+interface FeatureOption {
+	name: string; // option key, also used in FileEntry.when
+	flag?: string; // short flag, e.g. "-d"
+	long?: string; // long flag, e.g. "--dialect"
+	prompt?: string; // interactive prompt label
+	choices?: { value: string; label?: string; hint?: string }[]; // enum picker
+	default?: string; // fallback when -y is set or user accepts default
+	required?: boolean; // when true, missing value with no default errors out
 }
 
 interface FeatureMeta {
@@ -40,6 +51,7 @@ interface FeatureMeta {
 	npmDevDeps?: Record<string, string>;
 	scripts?: Record<string, string>; // package.json scripts to add
 	envVars?: Record<string, string>; // env vars to append to .env if missing
+	options?: FeatureOption[]; // feature-specific CLI flags (e.g. file-upload's -d)
 }
 
 let registryRoot: string | null = null;
@@ -47,15 +59,18 @@ let registryRoot: string | null = null;
 // Track installed features to prevent circular dependencies
 const installedFeats = new Set<string>();
 
-export async function runFeat(name: string | undefined, flags: string[] = []) {
+export async function runFeat(name: string | undefined, args: string[] = []) {
+	// Strip global flags (-y/--yes, --local); everything else is feature args.
+	const { autoYes, local, featureArgs } = splitGlobalFlags(args);
+
 	if (!name) {
 		console.error(
-			"❌ Please provide a feature name.\n   Usage: bun x bosia@latest feat <feature> [--local]",
+			"❌ Please provide a feature name.\n   Usage: bun x bosia@latest feat [-y] [--local] <feature> [feature options...]",
 		);
 		process.exit(1);
 	}
 
-	if (flags.includes("--local")) {
+	if (local) {
 		registryRoot = resolveLocalRegistryOrExit();
 		console.log(`⬡ Using local registry: ${registryRoot}\n`);
 	}
@@ -63,7 +78,119 @@ export async function runFeat(name: string | undefined, flags: string[] = []) {
 	// Initialize add.ts registry context so addComponent resolves paths correctly
 	await initAddRegistry(registryRoot);
 
-	await installFeature(name, true);
+	await installFeature(name, true, { skipPrompts: autoYes, featureArgs });
+}
+
+function splitGlobalFlags(args: string[]): {
+	autoYes: boolean;
+	local: boolean;
+	featureArgs: string[];
+} {
+	let autoYes = false;
+	let local = false;
+	const featureArgs: string[] = [];
+	for (const a of args) {
+		if (a === "-y" || a === "--yes") autoYes = true;
+		else if (a === "--local") local = true;
+		else featureArgs.push(a);
+	}
+	return { autoYes, local, featureArgs };
+}
+
+/**
+ * Parse `args` against `options` (the feature's declared schema). Unknown flags abort.
+ * Returns a `{name: value}` map; missing entries are filled by prompt or `default`.
+ */
+async function resolveFeatureOptions(
+	featName: string,
+	options: FeatureOption[],
+	args: string[],
+	skipPrompts: boolean,
+): Promise<Record<string, string>> {
+	const values: Record<string, string> = {};
+	const byFlag = new Map<string, FeatureOption>();
+	for (const opt of options) {
+		if (opt.flag) byFlag.set(opt.flag, opt);
+		if (opt.long) byFlag.set(opt.long, opt);
+	}
+
+	for (let i = 0; i < args.length; i++) {
+		const tok = args[i];
+		const opt = byFlag.get(tok);
+		if (!opt) {
+			console.error(`❌ Unknown option "${tok}" for feature "${featName}".`);
+			if (options.length > 0) {
+				const valid = options
+					.map((o) => [o.flag, o.long].filter(Boolean).join("/"))
+					.filter(Boolean)
+					.join(", ");
+				console.error(`   Valid options: ${valid}`);
+			}
+			process.exit(1);
+		}
+		const val = args[++i];
+		if (val === undefined) {
+			console.error(`❌ Option "${tok}" requires a value.`);
+			process.exit(1);
+		}
+		if (opt.choices && !opt.choices.some((c) => c.value === val)) {
+			console.error(
+				`❌ Invalid value "${val}" for "${tok}". Expected: ${opt.choices.map((c) => c.value).join(", ")}`,
+			);
+			process.exit(1);
+		}
+		values[opt.name] = val;
+	}
+
+	for (const opt of options) {
+		if (opt.name in values) continue;
+		if (skipPrompts) {
+			if (opt.default !== undefined) {
+				values[opt.name] = opt.default;
+				continue;
+			}
+			if (opt.required) {
+				console.error(
+					`❌ Feature "${featName}" requires "${opt.flag ?? opt.long ?? opt.name}".`,
+				);
+				process.exit(1);
+			}
+			continue;
+		}
+		values[opt.name] = await promptOption(featName, opt);
+	}
+
+	return values;
+}
+
+async function promptOption(featName: string, opt: FeatureOption): Promise<string> {
+	const message = opt.prompt ?? `Choose "${opt.name}" for "${featName}"`;
+	if (opt.choices && opt.choices.length > 0) {
+		const selected = await p.select({
+			message,
+			options: opt.choices.map((c) => ({
+				value: c.value,
+				label: c.label ?? c.value,
+				hint: c.hint,
+			})),
+			initialValue: opt.default ?? opt.choices[0].value,
+		});
+		if (p.isCancel(selected)) {
+			p.cancel("Operation cancelled.");
+			process.exit(0);
+		}
+		return selected as string;
+	}
+	const typed = await p.text({
+		message,
+		initialValue: opt.default,
+		validate: (v) => (opt.required && !v ? "Required" : undefined),
+	});
+	if (p.isCancel(typed)) {
+		p.cancel("Operation cancelled.");
+		process.exit(0);
+	}
+	return (typed as string) ?? "";
 }
 
 /** Set the registry root for feature resolution. Called by create.ts for template features. */
@@ -83,10 +210,39 @@ export async function installFeature(name: string, isRoot: boolean, options?: In
 
 	const meta = await readRegistryJSON<FeatureMeta>(registryRoot, "features", name, "meta.json");
 
+	// Resolve this feature's own options (from `featureArgs` if root, else from `featureOptions`).
+	const inheritedOptions = options?.featureOptions ?? {};
+	let myOptions: Record<string, string> = {};
+	if (meta.options && meta.options.length > 0) {
+		myOptions = isRoot
+			? await resolveFeatureOptions(
+					name,
+					meta.options,
+					options?.featureArgs ?? [],
+					options?.skipPrompts ?? false,
+				)
+			: // Dependency features inherit any caller-provided values; prompt only for unresolved required opts.
+				await resolveFeatureOptions(name, meta.options, [], options?.skipPrompts ?? false);
+		for (const [k, v] of Object.entries(inheritedOptions)) {
+			const [feat, optName] = k.split(".");
+			if (feat === name && !(optName in myOptions)) myOptions[optName] = v;
+		}
+	}
+
+	// Merge into the namespaced map for downstream dependency features.
+	const featureOptions = { ...inheritedOptions };
+	for (const [k, v] of Object.entries(myOptions)) featureOptions[`${name}.${k}`] = v;
+
+	const nextOptions: InstallOptions = {
+		...options,
+		featureOptions,
+		featureArgs: undefined, // already consumed by the root feature
+	};
+
 	// Install required feature dependencies first (recursive)
 	if (meta.features && meta.features.length > 0) {
 		for (const feat of meta.features) {
-			await installFeature(feat, false, options);
+			await installFeature(feat, false, nextOptions);
 		}
 	}
 
@@ -99,9 +255,10 @@ export async function installFeature(name: string, isRoot: boolean, options?: In
 		console.log("");
 	}
 
-	// Apply each file entry per its strategy
+	// Apply each file entry per its strategy. Skip entries whose `when` clause doesn't match.
 	const createdDirs = new Set<string>();
 	for (const entry of meta.files) {
+		if (entry.when && !whenMatches(entry.when, myOptions)) continue;
 		const dest = join(cwd, entry.target);
 		const strategy: FileStrategy = entry.strategy ?? "write";
 		const dir = dirname(dest);
@@ -117,7 +274,7 @@ export async function installFeature(name: string, isRoot: boolean, options?: In
 			strategy,
 			feat: name,
 			marker: entry.marker ?? name,
-			skipPrompts: options?.skipPrompts ?? false,
+			skipPrompts: nextOptions.skipPrompts ?? false,
 		});
 	}
 
@@ -285,6 +442,13 @@ async function applyStrategy(args: StrategyArgs): Promise<void> {
 	}
 }
 
+function whenMatches(when: Record<string, string>, values: Record<string, string>): boolean {
+	for (const [k, expected] of Object.entries(when)) {
+		if (values[k] !== expected) return false;
+	}
+	return true;
+}
+
 function blockDelim(ext: string): { start: string; end: string } {
 	if (ext === ".html" || ext === ".svelte") return { start: "<!--", end: "-->" };
 	if (ext === ".css") return { start: "/*", end: "*/" };

package/src/cli/index.ts

@@ -59,9 +59,14 @@ async function main() {
 		}
 		case "feat": {
 			const { runFeat } = await import("./feat.ts");
-			const featName = args.find((a) => !a.startsWith("--"));
-			const featFlags = args.filter((a) => a.startsWith("--"));
-			await runFeat(featName, featFlags);
+			// First non-flag token is the feature name; everything else flows through to the
+			// feature's own option parser. Global flags (-y, --local) are also accepted here
+			// and get split out inside runFeat.
+			const nameIdx = args.findIndex((a) => !a.startsWith("-"));
+			const featName = nameIdx === -1 ? undefined : args[nameIdx];
+			const rest =
+				nameIdx === -1 ? args : [...args.slice(0, nameIdx), ...args.slice(nameIdx + 1)];
+			await runFeat(featName, rest);
 			break;
 		}
 		default: {
@@ -81,7 +86,9 @@ Commands:
   add block <cat>/<name>    Add a composed block from the registry
   add theme <name>          Add a theme (tokens.css) from the registry
   add font <family> <url>   Prepend an @import url(...) for a font family to src/app.css
-  feat <feature>            Add a feature scaffold from the registry [--local]
+  feat [-y] <feature> [feature options...]   Add a feature scaffold from the registry [--local]
+                            -y / --yes auto-confirms prompts and uses each feature's default option values
+                            Feature-specific options (e.g. file-upload's -d) follow the feature name
 
 Examples:
   bun x bosia@latest create my-app

package/src/cli/registry.ts

@@ -10,6 +10,10 @@ export interface InstallOptions {
 	skipInstall?: boolean; // write deps to package.json instead of `bun add`
 	skipPrompts?: boolean; // auto-overwrite, no interactive prompts
 	cwd?: string; // override process.cwd() for file operations
+	/** Pre-resolved feature-specific option values, keyed by `featureName.optionName`. */
+	featureOptions?: Record<string, string>;
+	/** Remaining argv tokens to be parsed as the root feature's own options. */
+	featureArgs?: string[];
 }
 
 // ─── Local registry resolution ────────────────────────────

package/src/core/build.ts

@@ -154,6 +154,7 @@ const clientPromise = Bun.build({
 	entrypoints: [join(CORE_DIR, "client", "hydrate.ts")],
 	outdir: `${OUT_DIR}/client`,
 	target: "browser",
+	conditions: ["svelte"],
 	splitting: true,
 	naming: { chunk: "[name]-[hash].[ext]" },
 	minify: isProduction,
@@ -169,6 +170,7 @@ const serverPromise = Bun.build({
 	entrypoints: [join(CORE_DIR, "server.ts")],
 	outdir: `${OUT_DIR}/server`,
 	target: "bun",
+	conditions: ["svelte"],
 	splitting: true,
 	naming: { entry: "index.[ext]", chunk: "[name]-[hash].[ext]" },
 	minify: isProduction,

package/src/core/cookies.ts

@@ -3,7 +3,18 @@ import type { Cookies, CookieOptions } from "./hooks.ts";
 // ─── Cookie Validation (RFC 6265) ────────────────────────
 /** Rejects characters that could inject into Set-Cookie headers. */
 const UNSAFE_COOKIE_VALUE = /[;\r\n]/;
-const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);
+/**
+ * Accept both casings (matches SvelteKit/Express convention) and write the
+ * canonical capitalized form into the Set-Cookie header.
+ */
+const SAMESITE_NORMALIZE: Record<string, "Strict" | "Lax" | "None"> = {
+	strict: "Strict",
+	lax: "Lax",
+	none: "None",
+	Strict: "Strict",
+	Lax: "Lax",
+	None: "None",
+};
 
 /**
  * RFC 6265 §4.1.1: cookie-name is an HTTP token (RFC 2616 §2.2).
@@ -41,15 +52,20 @@ function parseCookies(header: string): Record<string, string> {
 }
 
 export class CookieJar implements Cookies {
+	private static _warnedSecureOverHttp = false;
+
 	private _incoming: Record<string, string>;
 	private _outgoing: string[] = [];
 	private _defaults: CookieOptions;
 	private _accessed = false;
+	private _isHttps: boolean;
 
-	constructor(cookieHeader: string, dev = false) {
+	constructor(cookieHeader: string, isHttps = false) {
 		this._incoming = parseCookies(cookieHeader);
-		// In dev mode, omit Secure — browsers reject Secure cookies over http://localhost
-		this._defaults = dev ? { ...COOKIE_DEFAULTS, secure: false } : COOKIE_DEFAULTS;
+		this._isHttps = isHttps;
+		// Browsers drop Secure cookies sent over HTTP — only default `secure` on
+		// when the current request actually arrived over HTTPS.
+		this._defaults = isHttps ? COOKIE_DEFAULTS : { ...COOKIE_DEFAULTS, secure: false };
 	}
 
 	get(name: string): string | undefined {
@@ -69,6 +85,17 @@ export class CookieJar implements Cookies {
 	set(name: string, value: string, options?: CookieOptions): void {
 		if (!VALID_COOKIE_NAME.test(name)) throw new Error(`Invalid cookie name: ${name}`);
 		const opts = { ...this._defaults, ...options };
+		if (!this._isHttps && opts.secure) {
+			opts.secure = false;
+			if (!CookieJar._warnedSecureOverHttp) {
+				console.warn(
+					"[bosia] cookies.set passed secure:true over HTTP — downgrading. " +
+						"Browsers drop Secure cookies on non-HTTPS. " +
+						"Remove the `secure` option; Bosia auto-applies it when the request is HTTPS.",
+				);
+				CookieJar._warnedSecureOverHttp = true;
+			}
+		}
 		let header = `${name}=${encodeURIComponent(value)}`;
 		if (opts.path) {
 			if (UNSAFE_COOKIE_VALUE.test(opts.path))
@@ -85,9 +112,9 @@ export class CookieJar implements Cookies {
 		if (opts.httpOnly) header += "; HttpOnly";
 		if (opts.secure) header += "; Secure";
 		if (opts.sameSite) {
-			if (!VALID_SAMESITE.has(opts.sameSite))
-				throw new Error(`Invalid cookie sameSite: ${opts.sameSite}`);
-			header += `; SameSite=${opts.sameSite}`;
+			const canonical = SAMESITE_NORMALIZE[opts.sameSite as string];
+			if (!canonical) throw new Error(`Invalid cookie sameSite: ${opts.sameSite}`);
+			header += `; SameSite=${canonical}`;
 		}
 		this._outgoing.push(header);
 	}

package/src/core/hooks.ts

@@ -15,7 +15,7 @@ export interface CookieOptions {
 	expires?: Date;
 	httpOnly?: boolean;
 	secure?: boolean;
-	sameSite?: "Strict" | "Lax" | "None";
+	sameSite?: "Strict" | "Lax" | "None" | "strict" | "lax" | "none";
 }
 
 export interface Cookies {

package/src/core/server.ts

@@ -711,6 +711,11 @@ async function resolve(event: RequestEvent): Promise<Response> {
 // (preview/proxy hubs, design tools, etc.). Other security headers stay on.
 const _xfoDisabled = process.env.DISABLE_X_FRAME_OPTIONS === "true";
 
+// Trust `x-forwarded-proto` header behind a TLS-terminating proxy when computing
+// per-request HTTPS-ness (drives `Secure` cookie flag). Off by default — the
+// header is spoofable from any client that talks directly to the app.
+const TRUST_PROXY = process.env.TRUST_PROXY === "true";
+
 const SECURITY_HEADERS: Record<string, string> = {
 	"X-Content-Type-Options": "nosniff",
 	...(_xfoDisabled ? {} : { "X-Frame-Options": "SAMEORIGIN" }),
@@ -754,7 +759,10 @@ async function handleRequest(request: Request, url: URL): Promise<Response> {
 			return Response.json({ error: "Forbidden", message: csrfError }, { status: 403 });
 		}
 
-		const cookieJar = new CookieJar(request.headers.get("cookie") ?? "", isDev);
+		const isHttps =
+			(TRUST_PROXY && request.headers.get("x-forwarded-proto") === "https") ||
+			url.protocol === "https:";
+		const cookieJar = new CookieJar(request.headers.get("cookie") ?? "", isHttps);
 		const nonce = CSP_ENABLED ? generateNonce() : "";
 		const event: RequestEvent = {
 			request,