bosia 0.6.5 → 0.6.7

package/README.md

@@ -1,9 +1,11 @@
 # Bosia
 
-> Full documentation: [bosia.bosapi.com](https://bosia.bosapi.com)
+> Full documentation: [bosia.dev](https://bosia.dev)
 
 A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS.
 
+**Production-ready out of the box** — built-in security (CSRF, XSS escaping, secure cookies, security headers), performance (response cache, gzip, static asset caching, prerendering), and reliability (graceful shutdown drain, request backpressure, crash backoff).
+
 File-based routing inspired by SvelteKit, built on top of the Bun runtime and ElysiaJS HTTP server. No Node.js, no Vite, no adapters.
 
 ## Features

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "bosia",
-	"version": "0.6.5",
+	"version": "0.6.7",
 	"type": "module",
 	"description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
 	"keywords": [

package/src/cli/block.ts

@@ -2,9 +2,11 @@ import { join, dirname } from "path";
 import { mkdirSync, writeFileSync, existsSync } from "fs";
 import * as p from "@clack/prompts";
 import {
+	type InstallOptions,
 	resolveLocalRegistryOrExit,
 	readRegistryJSON,
 	readRegistryFile,
+	mergePkgJson,
 	bunAdd,
 } from "./registry.ts";
 import { addComponent, initAddRegistry, ensureUtils } from "./add.ts";
@@ -26,18 +28,28 @@ interface BlockMeta {
 	npmDeps: Record<string, string>;
 }
 
-export async function runAddBlock(name: string | undefined, flags: string[] = []) {
+export async function runAddBlock(
+	name: string | undefined,
+	flags: string[] = [],
+	options?: InstallOptions,
+) {
 	if (!name || !name.includes("/")) {
 		console.error(
-			"❌ Please provide a block path.\n   Usage: bun x bosia@latest add block <category>/<name> [--local]",
+			"❌ Please provide a block path.\n   Usage: bun x bosia@latest add block <category>/<name> [-y] [--local]",
 		);
 		process.exit(1);
 	}
 
 	const local = flags.includes("--local");
+	const flagYes = flags.includes("-y") || flags.includes("--yes");
 	const registryRoot = local ? resolveLocalRegistryOrExit() : null;
 	if (local) console.log(`⬡ Using local registry: ${registryRoot}\n`);
 
+	const resolvedOptions: InstallOptions = {
+		...(options ?? {}),
+		skipPrompts: options?.skipPrompts ?? flagYes,
+	};
+
 	await initAddRegistry(registryRoot);
 	ensureUtils();
 
@@ -47,14 +59,14 @@ export async function runAddBlock(name: string | undefined, flags: string[] = []
 
 	// 1. Install primitive dependencies first
 	for (const dep of meta.dependencies ?? []) {
-		await addComponent(dep, false);
+		await addComponent(dep, false, resolvedOptions);
 	}
 
 	// 2. Copy block files to src/lib/blocks/<path>/
-	const cwd = process.cwd();
+	const cwd = resolvedOptions.cwd ?? process.cwd();
 	const destDir = join(cwd, "src", "lib", "blocks", name);
 
-	if (existsSync(destDir)) {
+	if (!resolvedOptions.skipPrompts && existsSync(destDir)) {
 		const replace = await p.confirm({
 			message: `Block "${name}" already exists at src/lib/blocks/${name}/. Replace it?`,
 		});
@@ -87,7 +99,13 @@ export async function runAddBlock(name: string | undefined, flags: string[] = []
 
 	// 4. npm deps
 	if (meta.npmDeps && Object.keys(meta.npmDeps).length > 0) {
-		await bunAdd(cwd, meta.npmDeps);
+		if (resolvedOptions.skipInstall) {
+			const { addedDeps } = mergePkgJson(cwd, { deps: meta.npmDeps });
+			if (addedDeps.length > 0)
+				console.log(`   📥 Added to package.json: ${addedDeps.join(", ")}`);
+		} else {
+			await bunAdd(cwd, meta.npmDeps);
+		}
 	}
 
 	console.log(`\n✅ ${name} installed at src/lib/blocks/${name}/`);

package/src/cli/feat.ts

@@ -2,6 +2,7 @@ import { join, dirname, extname } from "path";
 import { mkdirSync, writeFileSync, readFileSync, existsSync } from "fs";
 import * as p from "@clack/prompts";
 import { addComponent, initAddRegistry } from "./add.ts";
+import { runAddBlock } from "./block.ts";
 import {
 	type InstallOptions,
 	resolveLocalRegistryOrExit,
@@ -46,6 +47,7 @@ interface FeatureMeta {
 	description: string;
 	features?: string[]; // other bosia features required
 	components: string[]; // bosia components to install via `bun x bosia@latest add`
+	blocks?: string[]; // bosia blocks to install via `bun x bosia@latest add block`
 	files: FileEntry[]; // file entries with per-file strategy
 	npmDeps: Record<string, string>;
 	npmDevDeps?: Record<string, string>;
@@ -255,6 +257,15 @@ export async function installFeature(name: string, isRoot: boolean, options?: In
 		console.log("");
 	}
 
+	// Install required blocks
+	if (meta.blocks && meta.blocks.length > 0) {
+		console.log("🧱 Installing required blocks...");
+		for (const blockName of meta.blocks) {
+			await runAddBlock(blockName, [], options);
+		}
+		console.log("");
+	}
+
 	// Apply each file entry per its strategy. Skip entries whose `when` clause doesn't match.
 	const createdDirs = new Set<string>();
 	for (const entry of meta.files) {

package/src/cli/index.ts

@@ -41,7 +41,7 @@ async function main() {
 			const flags = args.filter((a) => a.startsWith("-"));
 			const sub = positional[0];
 			if (sub === "block") {
-				const blockFlags = args.filter((a) => a.startsWith("--"));
+				const blockFlags = flags;
 				const { runAddBlock } = await import("./block.ts");
 				await runAddBlock(positional[1], blockFlags);
 			} else if (sub === "theme") {

package/src/core/paths.ts

@@ -4,19 +4,29 @@ import { existsSync } from "fs";
 // This file lives at src/core/paths.ts → package root is ../..
 const BOSIA_PKG_DIR = join(import.meta.dir, "..", "..");
 
-// Bun hoists dependencies flat, so bosia's deps may live in the parent
-// node_modules rather than a nested node_modules/bosia/node_modules.
 const NESTED_NM = join(BOSIA_PKG_DIR, "node_modules");
 
-// When installed as a dep (node_modules/bosia/), parent is node_modules/ itself.
-// Only include it if the package is actually inside a node_modules directory
-// AND the parent node_modules contains real (resolvable) packages.
-const parentDir = dirname(BOSIA_PKG_DIR); // node_modules/ when installed, packages/ in workspace
-const isInstalledAsDep = parentDir.endsWith("node_modules");
-const HOISTED_NM = isInstalledAsDep ? parentDir : null;
+// Walk up from bosia's package dir collecting every ancestor `node_modules/`.
+// Covers all install layouts: nested per-workspace, parent-of-node_modules (installed as dep),
+// monorepo root (--linker=hoisted), and any intermediate hoist target.
+function collectAncestorNodeModules(start: string): string[] {
+	const out: string[] = [];
+	let dir = start;
+	while (true) {
+		const nm = join(dir, "node_modules");
+		if (existsSync(nm)) out.push(nm);
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return out;
+}
+
+const ANCESTOR_NM = collectAncestorNodeModules(dirname(BOSIA_PKG_DIR));
+const ALL_NM = [NESTED_NM, ...ANCESTOR_NM];
 
-/** NODE_PATH value covering both nested and hoisted dependency locations */
-export const BOSIA_NODE_PATH = HOISTED_NM ? [NESTED_NM, HOISTED_NM].join(":") : NESTED_NM;
+/** NODE_PATH value covering nested and every ancestor node_modules */
+export const BOSIA_NODE_PATH = ALL_NM.join(":");
 
 // On-disk output directory. URL namespace (/dist/client/...) stays stable;
 // only the on-disk location moves so dev (.bosia/dev) and a parallel
@@ -25,11 +35,9 @@ export const OUT_DIR = process.env.BOSIA_OUT_DIR ?? "./dist";
 
 /** Find a binary from bosia's dependencies (handles hoisting) */
 export function resolveBosiaBin(name: string): string {
-	const nested = join(NESTED_NM, ".bin", name);
-	if (existsSync(nested)) return nested;
-	if (HOISTED_NM) {
-		const hoisted = join(HOISTED_NM, ".bin", name);
-		if (existsSync(hoisted)) return hoisted;
+	for (const nm of ALL_NM) {
+		const bin = join(nm, ".bin", name);
+		if (existsSync(bin)) return bin;
 	}
-	return nested; // fallback — will produce a clear ENOENT
+	return join(NESTED_NM, ".bin", name); // fallback — will produce a clear ENOENT
 }

package/src/core/plugin.ts

@@ -1,5 +1,6 @@
 import { join, dirname } from "path";
-import { existsSync } from "fs";
+
+import { resolveImportPath } from "./resolveImport.ts";
 
 // ─── Bun Build Plugin ─────────────────────────────────────
 // Resolves:
@@ -7,25 +8,6 @@ import { existsSync } from "fs";
 //   $env           → .bosia/env.server.ts (bun) or .bosia/env.client.ts (browser)
 //   $*             → resolved dynamically via tsconfig.json compilerOptions.paths
 
-let cachedTsconfigPaths: Record<string, string[]> | null = null;
-async function getTsconfigPaths() {
-	if (cachedTsconfigPaths !== null) return cachedTsconfigPaths;
-	const tsconfigPath = join(process.cwd(), "tsconfig.json");
-	if (!existsSync(tsconfigPath)) {
-		cachedTsconfigPaths = {};
-		return cachedTsconfigPaths;
-	}
-	try {
-		const tsconfig = await Bun.file(tsconfigPath).json();
-		cachedTsconfigPaths = tsconfig?.compilerOptions?.paths || {};
-	} catch (err) {
-		throw new Error(
-			`tsconfig.json at ${tsconfigPath} is invalid JSON: ${(err as Error).message}. Fix the file and re-run.`,
-		);
-	}
-	return cachedTsconfigPaths!;
-}
-
 export function makeBosiaPlugin(target: "browser" | "bun" = "bun") {
 	return {
 		name: "bosia-resolver",
@@ -54,32 +36,14 @@ export function makeBosiaPlugin(target: "browser" | "bun" = "bun") {
 			build.onResolve({ filter: /^\$/ }, async (args) => {
 				if (args.path === "$env") return undefined; // Handled above
 
-				const paths = await getTsconfigPaths();
-				let longestMatch = "";
-				let targetPattern = "";
-
-				for (const [pattern, targets] of Object.entries(paths)) {
-					const prefix = pattern.replace(/\*$/, "");
-					if (args.path.startsWith(prefix) && prefix.length > longestMatch.length) {
-						longestMatch = prefix;
-						targetPattern = (targets as string[])[0];
-					}
-				}
-
-				if (longestMatch && targetPattern) {
-					const suffix = args.path.slice(longestMatch.length);
-					const targetDir = targetPattern.replace(/\*$/, "");
-					const resolved = join(process.cwd(), targetDir, suffix);
-					return { path: await resolveWithExts(resolved) };
-				}
-
-				// Fallback for $lib/* if not in tsconfig
-				if (args.path.startsWith("$lib/")) {
-					const rel = args.path.slice(5);
-					const base = join(process.cwd(), "src", "lib", rel);
-					return { path: await resolveWithExts(base) };
+				const resolved = await resolveImportPath(
+					args.path,
+					join(process.cwd(), "_"),
+					process.cwd(),
+				);
+				if (resolved.kind === "alias" && resolved.path) {
+					return { path: resolved.path };
 				}
-
 				return undefined;
 			});
 
@@ -146,15 +110,3 @@ export function makeBosiaPlugin(target: "browser" | "bun" = "bun") {
 		},
 	};
 }
-
-async function resolveWithExts(base: string): Promise<string> {
-	if (await Bun.file(base).exists()) return base;
-	for (const ext of [".ts", ".svelte", ".js"]) {
-		if (await Bun.file(base + ext).exists()) return base + ext;
-	}
-	for (const idx of ["index.ts", "index.svelte", "index.js"]) {
-		const p = join(base, idx);
-		if (await Bun.file(p).exists()) return p;
-	}
-	return base;
-}

package/src/core/plugins/inspector/bun-plugin.ts

@@ -3,6 +3,7 @@ import MagicString from "magic-string";
 import { basename, relative } from "node:path";
 import type { BunPlugin } from "bun";
 import { svelteMapCache } from "../../svelteCompiler.ts";
+import { lineColFromOffset } from "../../sourceLoc.ts";
 
 const VIRTUAL_NS = "bosia-inspector-css";
 
@@ -42,20 +43,6 @@ function walk(node: unknown, visit: (n: AnyNode) => void) {
 	}
 }
 
-function lineColFromOffset(source: string, offset: number): { line: number; col: number } {
-	let line = 1;
-	let col = 1;
-	for (let i = 0; i < offset && i < source.length; i++) {
-		if (source[i] === "\n") {
-			line++;
-			col = 1;
-		} else {
-			col++;
-		}
-	}
-	return { line, col };
-}
-
 function injectLocs(source: string, relPath: string): string {
 	let ast: { fragment?: AnyNode };
 	try {

package/src/core/resolveImport.ts

@@ -0,0 +1,114 @@
+import { existsSync } from "fs";
+import { join, dirname, resolve as pathResolve } from "path";
+
+// ─── Shared $alias / tsconfig-paths / relative resolver ──
+// Mirrors the resolution `plugin.ts` does inside Bun's `onResolve`, but as a
+// plain async function callable from contexts without a Bun PluginBuilder
+// (e.g. the svelte component-import audit).
+
+let cachedTsconfigPaths: Record<string, string[]> | null = null;
+let cachedTsconfigCwd: string | null = null;
+
+async function getTsconfigPaths(cwd: string): Promise<Record<string, string[]>> {
+	if (cachedTsconfigPaths !== null && cachedTsconfigCwd === cwd) return cachedTsconfigPaths;
+	const tsconfigPath = join(cwd, "tsconfig.json");
+	if (!existsSync(tsconfigPath)) {
+		cachedTsconfigPaths = {};
+		cachedTsconfigCwd = cwd;
+		return cachedTsconfigPaths;
+	}
+	try {
+		const tsconfig = await Bun.file(tsconfigPath).json();
+		cachedTsconfigPaths = tsconfig?.compilerOptions?.paths || {};
+	} catch (err) {
+		throw new Error(
+			`tsconfig.json at ${tsconfigPath} is invalid JSON: ${(err as Error).message}. Fix the file and re-run.`,
+		);
+	}
+	cachedTsconfigCwd = cwd;
+	return cachedTsconfigPaths!;
+}
+
+async function resolveWithExts(base: string): Promise<string> {
+	if (await Bun.file(base).exists()) return base;
+	for (const ext of [".ts", ".svelte", ".js"]) {
+		if (await Bun.file(base + ext).exists()) return base + ext;
+	}
+	for (const idx of ["index.ts", "index.svelte", "index.js"]) {
+		const p = join(base, idx);
+		if (await Bun.file(p).exists()) return p;
+	}
+	return base;
+}
+
+/**
+ * Kind classifies why the spec resolved (or did not):
+ *  - "alias"    — `$lib/...` / `$registry/...` (tsconfig paths or $lib fallback)
+ *  - "relative" — `./` or `../` from `fromFile`
+ *  - "absolute" — `/abs/path`
+ *  - "bare"     — bare package specifier; not introspectable from disk
+ *  - "virtual"  — bosia-special (`$env`, `bosia:routes`); skip
+ */
+export type ResolvedKind = "alias" | "relative" | "absolute" | "bare" | "virtual";
+
+export interface ResolvedImport {
+	kind: ResolvedKind;
+	/** Absolute path on disk for alias/relative/absolute kinds; otherwise null. */
+	path: string | null;
+}
+
+export async function resolveImportPath(
+	spec: string,
+	fromFile: string,
+	cwd: string,
+): Promise<ResolvedImport> {
+	if (spec === "$env" || spec === "bosia:routes") {
+		return { kind: "virtual", path: null };
+	}
+
+	if (spec.startsWith("./") || spec.startsWith("../")) {
+		const abs = pathResolve(dirname(fromFile), spec);
+		return { kind: "relative", path: await resolveWithExts(abs) };
+	}
+
+	if (spec.startsWith("/")) {
+		return { kind: "absolute", path: await resolveWithExts(spec) };
+	}
+
+	if (spec.startsWith("$")) {
+		const paths = await getTsconfigPaths(cwd);
+		let longestMatch = "";
+		let targetPattern = "";
+
+		for (const [pattern, targets] of Object.entries(paths)) {
+			const prefix = pattern.replace(/\*$/, "");
+			if (spec.startsWith(prefix) && prefix.length > longestMatch.length) {
+				longestMatch = prefix;
+				targetPattern = (targets as string[])[0];
+			}
+		}
+
+		if (longestMatch && targetPattern) {
+			const suffix = spec.slice(longestMatch.length);
+			const targetDir = targetPattern.replace(/\*$/, "");
+			const resolved = join(cwd, targetDir, suffix);
+			return { kind: "alias", path: await resolveWithExts(resolved) };
+		}
+
+		if (spec.startsWith("$lib/")) {
+			const rel = spec.slice(5);
+			const base = join(cwd, "src", "lib", rel);
+			return { kind: "alias", path: await resolveWithExts(base) };
+		}
+
+		return { kind: "alias", path: null };
+	}
+
+	return { kind: "bare", path: null };
+}
+
+/** Test-only — drop the tsconfig cache so fixtures with fresh tsconfig.json reload. */
+export function resetResolveImportCache(): void {
+	cachedTsconfigPaths = null;
+	cachedTsconfigCwd = null;
+}

package/src/core/sourceLoc.ts

@@ -0,0 +1,13 @@
+export function lineColFromOffset(source: string, offset: number): { line: number; col: number } {
+	let line = 1;
+	let col = 1;
+	for (let i = 0; i < offset && i < source.length; i++) {
+		if (source[i] === "\n") {
+			line++;
+			col = 1;
+		} else {
+			col++;
+		}
+	}
+	return { line, col };
+}

package/src/core/svelteAudit.ts

@@ -0,0 +1,563 @@
+import { resolveImportPath } from "./resolveImport.ts";
+import { lineColFromOffset } from "./sourceLoc.ts";
+import type { StrictImportsOption } from "./types/plugin.ts";
+
+// ─── Compile-time component-import audit ─────────────────
+// `bosia build` used to silently produce bundles that crashed on first SSR
+// render when a `.svelte` template did `<Card.Root>` while `card/index.ts`
+// exported `Card`/`CardContent` (not `Root`). Bun's bundler + svelte/compiler
+// validate JS, but neither cross-checks template component identifiers
+// against their imported source — the failure only surfaces at runtime as
+// `undefined is not a function`.
+//
+// This module walks the template fragment for `<Component>` / `<X.Y>` refs,
+// extracts top-level bindings from `<script>` / `<script module>`, and reports
+// unbound identifiers or missing namespace members as aggregated errors —
+// thrown from `onLoad`, captured into the Bun build's `result.logs`.
+
+type AnyNode = {
+	type?: string;
+	name?: string;
+	start?: number;
+	end?: number;
+	[k: string]: unknown;
+};
+
+// Same set the inspector plugin walks — `key` deliberately omitted because
+// KeyBlock uses `fragment`, which is already covered.
+const CHILD_KEYS = [
+	"nodes",
+	"fragment",
+	"consequent",
+	"alternate",
+	"body",
+	"fallback",
+	"pending",
+	"then",
+	"catch",
+];
+
+type BindingKind = "namespace-import" | "named-import" | "default-import" | "local";
+
+interface Binding {
+	name: string;
+	kind: BindingKind;
+	/** Source string from the `from` clause (only for `*-import` kinds). */
+	source?: string;
+}
+
+interface AuditError {
+	kind: "unbound-identifier" | "missing-namespace-export" | "dotted-on-non-namespace" | "warning";
+	line: number;
+	col: number;
+	message: string;
+}
+
+export interface SvelteAuditOptions {
+	source: string;
+	filename: string;
+	ast: unknown;
+	warnings: Array<{
+		code?: string;
+		message?: string;
+		start?: { line?: number; column?: number };
+	}>;
+	cwd: string;
+	exportCache: Map<string, Set<string> | null>;
+	strict: StrictImportsOption;
+}
+
+function resolveStrict(opt: StrictImportsOption): {
+	unbound: boolean;
+	namespaceMember: boolean;
+	warnings: boolean;
+} {
+	if (opt === false) return { unbound: false, namespaceMember: false, warnings: false };
+	if (opt === true || opt === undefined) {
+		return { unbound: true, namespaceMember: true, warnings: true };
+	}
+	return {
+		unbound: opt.unbound !== false,
+		namespaceMember: opt.namespaceMember !== false,
+		warnings: opt.warnings !== false,
+	};
+}
+
+function walk(node: unknown, visit: (n: AnyNode, parent: AnyNode | null) => boolean | void) {
+	const stack: Array<{ node: unknown; parent: AnyNode | null }> = [{ node, parent: null }];
+	while (stack.length) {
+		const { node: cur, parent } = stack.pop()!;
+		if (!cur) continue;
+		if (Array.isArray(cur)) {
+			for (const c of cur) stack.push({ node: c, parent });
+			continue;
+		}
+		if (typeof cur !== "object") continue;
+		const n = cur as AnyNode;
+		let descend = true;
+		if (typeof n.type === "string") {
+			const result = visit(n, parent);
+			if (result === false) descend = false;
+		}
+		if (!descend) continue;
+		for (const key of CHILD_KEYS) {
+			const child = n[key];
+			if (child) stack.push({ node: child, parent: n });
+		}
+	}
+}
+
+function extractBindings(ast: AnyNode): Binding[] {
+	const out: Binding[] = [];
+	const collectFromScript = (script: AnyNode | undefined | null) => {
+		if (!script || typeof script !== "object") return;
+		const content = script.content as AnyNode | undefined;
+		if (!content) return;
+		const body = content.body;
+		if (!Array.isArray(body)) return;
+		for (const stmt of body as AnyNode[]) {
+			if (!stmt || typeof stmt !== "object") continue;
+			switch (stmt.type) {
+				case "ImportDeclaration": {
+					const sourceNode = stmt.source as AnyNode | undefined;
+					const source =
+						sourceNode && typeof sourceNode.value === "string"
+							? (sourceNode.value as string)
+							: "";
+					const specs = stmt.specifiers as AnyNode[] | undefined;
+					if (!Array.isArray(specs)) break;
+					for (const spec of specs) {
+						const local = spec.local as AnyNode | undefined;
+						const name = local && typeof local.name === "string" ? local.name : null;
+						if (!name) continue;
+						if (spec.type === "ImportNamespaceSpecifier") {
+							out.push({ name, kind: "namespace-import", source });
+						} else if (spec.type === "ImportDefaultSpecifier") {
+							out.push({ name, kind: "default-import", source });
+						} else if (spec.type === "ImportSpecifier") {
+							out.push({ name, kind: "named-import", source });
+						}
+					}
+					break;
+				}
+				case "VariableDeclaration": {
+					const declarations = stmt.declarations as AnyNode[] | undefined;
+					if (!Array.isArray(declarations)) break;
+					for (const d of declarations) {
+						const id = d.id as AnyNode | undefined;
+						if (id && id.type === "Identifier" && typeof id.name === "string") {
+							out.push({ name: id.name as string, kind: "local" });
+						}
+					}
+					break;
+				}
+				case "FunctionDeclaration":
+				case "ClassDeclaration": {
+					const id = stmt.id as AnyNode | undefined;
+					if (id && typeof id.name === "string") {
+						out.push({ name: id.name as string, kind: "local" });
+					}
+					break;
+				}
+			}
+		}
+	};
+	collectFromScript(ast.instance as AnyNode | undefined);
+	collectFromScript(ast.module as AnyNode | undefined);
+	return out;
+}
+
+function collectShadowedNames(pattern: AnyNode | null | undefined, into: Set<string>): void {
+	if (!pattern || typeof pattern !== "object") return;
+	if (pattern.type === "Identifier" && typeof pattern.name === "string") {
+		into.add(pattern.name as string);
+		return;
+	}
+	if (pattern.type === "ArrayPattern") {
+		const elements = pattern.elements as AnyNode[] | undefined;
+		if (Array.isArray(elements)) {
+			for (const el of elements) collectShadowedNames(el, into);
+		}
+		return;
+	}
+	if (pattern.type === "ObjectPattern") {
+		const properties = pattern.properties as AnyNode[] | undefined;
+		if (Array.isArray(properties)) {
+			for (const prop of properties) {
+				if (prop.type === "Property") {
+					collectShadowedNames(prop.value as AnyNode | undefined, into);
+				} else if (prop.type === "RestElement") {
+					collectShadowedNames(prop.argument as AnyNode | undefined, into);
+				}
+			}
+		}
+		return;
+	}
+	if (pattern.type === "RestElement") {
+		collectShadowedNames(pattern.argument as AnyNode | undefined, into);
+		return;
+	}
+	if (pattern.type === "AssignmentPattern") {
+		collectShadowedNames(pattern.left as AnyNode | undefined, into);
+		return;
+	}
+}
+
+async function loadExports(
+	absPath: string,
+	cache: Map<string, Set<string> | null>,
+): Promise<Set<string> | null> {
+	const cached = cache.get(absPath);
+	if (cached !== undefined) return cached;
+	if (!(await Bun.file(absPath).exists())) {
+		cache.set(absPath, null);
+		return null;
+	}
+	const text = await Bun.file(absPath).text();
+	const ext = absPath.toLowerCase();
+	if (ext.endsWith(".svelte")) {
+		const set = new Set(["default"]);
+		cache.set(absPath, set);
+		return set;
+	}
+	// `export * from "..."` is opaque to a static scan — Bun.Transpiler.scan
+	// returns names declared locally, not re-exported star members. Treat such
+	// modules as un-introspectable so we don't false-positive on, e.g.,
+	// barrel files. The regex tolerates `export *`, `export * as Foo`, and
+	// preceding whitespace.
+	if (/(^|\n)\s*export\s+\*/.test(text)) {
+		cache.set(absPath, null);
+		return null;
+	}
+	try {
+		const loader: "ts" | "tsx" | "js" | "jsx" = ext.endsWith(".tsx")
+			? "tsx"
+			: ext.endsWith(".jsx")
+				? "jsx"
+				: ext.endsWith(".js") || ext.endsWith(".mjs")
+					? "js"
+					: "ts";
+		const scan = new Bun.Transpiler({ loader }).scan(text);
+		const exports = new Set<string>(scan.exports ?? []);
+		cache.set(absPath, exports);
+		return exports;
+	} catch {
+		cache.set(absPath, null);
+		return null;
+	}
+}
+
+function levenshtein1(a: string, b: string): boolean {
+	if (a === b) return false;
+	const la = a.length;
+	const lb = b.length;
+	if (Math.abs(la - lb) > 1) return false;
+	if (la === lb) {
+		let diffs = 0;
+		for (let i = 0; i < la; i++) {
+			if (a[i] !== b[i] && ++diffs > 1) return false;
+		}
+		return diffs === 1;
+	}
+	const [s, l] = la < lb ? [a, b] : [b, a];
+	let i = 0;
+	let j = 0;
+	let edits = 0;
+	while (i < s.length && j < l.length) {
+		if (s[i] !== l[j]) {
+			if (++edits > 1) return false;
+			j++;
+		} else {
+			i++;
+			j++;
+		}
+	}
+	return true;
+}
+
+function bestSuggestion(target: string, available: Set<string>): string | null {
+	for (const name of available) {
+		if (levenshtein1(target.toLowerCase(), name.toLowerCase())) return name;
+	}
+	return null;
+}
+
+const PROMOTABLE_WARNING_CODES = new Set([
+	"component_name_lowercase",
+	"bind_invalid_value",
+	"invalid_html_attribute",
+]);
+
+// Skip these template node types — they're not user-defined components and
+// reference no JS binding.
+const SKIP_TEMPLATE_TYPES = new Set([
+	"SvelteSelf",
+	"SvelteElement",
+	"SvelteFragment",
+	"SvelteHead",
+	"SvelteBody",
+	"SvelteWindow",
+	"SvelteDocument",
+	"SvelteOptions",
+	"SvelteBoundary",
+	"RegularElement",
+	"TitleElement",
+	"SlotElement",
+]);
+
+interface TemplateRef {
+	name: string;
+	line: number;
+	col: number;
+	shadow: Set<string>;
+}
+
+function collectTemplateRefs(source: string, fragment: AnyNode): TemplateRef[] {
+	const refs: TemplateRef[] = [];
+	const scopeStack: Array<Set<string>> = [];
+
+	const visit = (n: AnyNode, _parent: AnyNode | null): boolean | void => {
+		if (n.type === "ConstTag") {
+			// Handled by the Fragment pre-pass in walkWithScope — siblings need
+			// the binding visible across the fragment, not just for ConstTag's
+			// own children.
+			return;
+		}
+		if (n.type === "EachBlock") {
+			const ctx = n.context as AnyNode | null | undefined;
+			const indexName = typeof n.index === "string" ? (n.index as string) : null;
+			const names = new Set<string>();
+			collectShadowedNames(ctx ?? null, names);
+			if (indexName) names.add(indexName);
+			scopeStack.push(names);
+			return; // continue walking children
+		}
+		if (n.type === "SnippetBlock") {
+			const params = n.parameters as AnyNode[] | undefined;
+			const names = new Set<string>();
+			if (Array.isArray(params)) {
+				for (const p of params) collectShadowedNames(p, names);
+			}
+			// Snippet identifier itself is a local in the surrounding scope; the
+			// outer binding extractor already records top-level `{#snippet}`
+			// declarations? No — `{#snippet}` is template-level. Add the snippet
+			// name into the surrounding scope so `<MySnippet/>` doesn't false-
+			// positive. The expression's name is the snippet's identifier.
+			const expr = n.expression as AnyNode | undefined;
+			const snippetName =
+				expr && typeof expr.name === "string" ? (expr.name as string) : null;
+			if (snippetName && scopeStack.length > 0) {
+				scopeStack[scopeStack.length - 1].add(snippetName);
+			} else if (snippetName) {
+				// Top-level snippet — push into a synthetic root scope.
+				if (scopeStack.length === 0) scopeStack.push(new Set());
+				scopeStack[0].add(snippetName);
+			}
+			scopeStack.push(names);
+			return;
+		}
+		if (n.type === "Component") {
+			const name = typeof n.name === "string" ? (n.name as string) : "";
+			if (name) {
+				const start = typeof n.start === "number" ? (n.start as number) : 0;
+				const { line, col } = lineColFromOffset(source, start);
+				const shadow = new Set<string>();
+				for (const s of scopeStack) for (const v of s) shadow.add(v);
+				refs.push({ name, line, col, shadow });
+			}
+			return;
+		}
+		if (n.type === "SvelteComponent") {
+			const expr = n.expression as AnyNode | undefined;
+			if (expr && expr.type === "Identifier" && typeof expr.name === "string") {
+				const start = typeof n.start === "number" ? (n.start as number) : 0;
+				const { line, col } = lineColFromOffset(source, start);
+				const shadow = new Set<string>();
+				for (const s of scopeStack) for (const v of s) shadow.add(v);
+				refs.push({ name: expr.name as string, line, col, shadow });
+			}
+			return;
+		}
+		if (SKIP_TEMPLATE_TYPES.has(n.type ?? "")) {
+			return;
+		}
+	};
+
+	// Custom DFS that pops scopes when leaving Each/Snippet/Fragment nodes.
+	const walkWithScope = (node: unknown, parent: AnyNode | null) => {
+		if (!node) return;
+		if (Array.isArray(node)) {
+			for (const c of node) walkWithScope(c, parent);
+			return;
+		}
+		if (typeof node !== "object") return;
+		const n = node as AnyNode;
+		let pushed = false;
+		if (typeof n.type === "string") {
+			const before = scopeStack.length;
+			visit(n, parent);
+			if (scopeStack.length > before) pushed = true;
+		}
+		// Fragment pre-pass: `{@const}` bindings live across all siblings in the
+		// surrounding fragment, so collect them before descending. Without this,
+		// `<ComponentPreview>{@const X = ...}<X /></ComponentPreview>` would
+		// false-positive on `<X />`.
+		let fragmentScopePushed = false;
+		if (n.type === "Fragment" && Array.isArray(n.nodes)) {
+			const fragmentScope = new Set<string>();
+			for (const child of n.nodes as AnyNode[]) {
+				if (child && child.type === "ConstTag") {
+					const decl = child.declaration as AnyNode | undefined;
+					const decls = (decl?.declarations as AnyNode[] | undefined) ?? [];
+					for (const d of decls) {
+						collectShadowedNames(d.id as AnyNode | undefined, fragmentScope);
+					}
+				}
+			}
+			if (fragmentScope.size > 0) {
+				scopeStack.push(fragmentScope);
+				fragmentScopePushed = true;
+			}
+		}
+		for (const key of CHILD_KEYS) {
+			const child = n[key];
+			if (child) walkWithScope(child, n);
+		}
+		if (fragmentScopePushed) scopeStack.pop();
+		if (pushed) scopeStack.pop();
+	};
+
+	walkWithScope(fragment, null);
+	return refs;
+}
+
+export async function auditSvelteSource(opts: SvelteAuditOptions): Promise<string | null> {
+	const { source, filename, ast, warnings, cwd, exportCache, strict } = opts;
+	const flags = resolveStrict(strict);
+	const envOverride = process.env.BOSIA_STRICT_IMPORTS === "0";
+
+	const root = ast as AnyNode | undefined;
+	if (!root || !root.fragment) return null;
+
+	const errors: AuditError[] = [];
+
+	if (flags.unbound || flags.namespaceMember) {
+		const bindings = extractBindings(root);
+		const bindingByName = new Map<string, Binding>();
+		for (const b of bindings) bindingByName.set(b.name, b);
+
+		const refs = collectTemplateRefs(source, root.fragment as AnyNode);
+
+		for (const ref of refs) {
+			// Builtin / svelte special tags (already filtered as separate AST types).
+			if (ref.name.includes(":")) continue;
+			const dotIdx = ref.name.indexOf(".");
+			const head = dotIdx === -1 ? ref.name : ref.name.slice(0, dotIdx);
+			const member = dotIdx === -1 ? null : ref.name.slice(dotIdx + 1);
+
+			// Heuristic: lowercase head with no member is an HTML element that
+			// somehow landed in Component (rare — usually svelte/compiler rejects).
+			// Bail to avoid false positives.
+			if (!head || head.length === 0) continue;
+
+			if (ref.shadow.has(head)) continue;
+
+			const binding = bindingByName.get(head);
+			if (!binding) {
+				if (flags.unbound) {
+					errors.push({
+						kind: "unbound-identifier",
+						line: ref.line,
+						col: ref.col,
+						message: `<${ref.name}> — identifier \`${head}\` is not imported or declared in this component.`,
+					});
+				}
+				continue;
+			}
+
+			if (!member) continue;
+
+			if (binding.kind !== "namespace-import") {
+				if (flags.namespaceMember) {
+					errors.push({
+						kind: "dotted-on-non-namespace",
+						line: ref.line,
+						col: ref.col,
+						message:
+							`<${ref.name}> — \`${head}\` is a ` +
+							(binding.kind === "named-import"
+								? "named import"
+								: binding.kind === "default-import"
+									? "default import"
+									: "local declaration") +
+							`; only namespace imports (\`import * as ${head} from ...\`) support \`${head}.${member}\` usage.`,
+					});
+				}
+				continue;
+			}
+
+			if (!flags.namespaceMember) continue;
+
+			const spec = binding.source ?? "";
+			const resolved = await resolveImportPath(spec, filename, cwd);
+			if (resolved.kind === "bare" || resolved.kind === "virtual" || !resolved.path) {
+				// Bare-package / virtual sources are out of scope — too easy to
+				// false-positive on tree-shaken barrels (e.g. `lucide-svelte`).
+				continue;
+			}
+
+			const exportsSet = await loadExports(resolved.path, exportCache);
+			if (!exportsSet) continue; // un-introspectable source
+			if (exportsSet.has(member)) continue;
+
+			const available = Array.from(exportsSet).filter((e) => e !== "default");
+			const hint = bestSuggestion(member, exportsSet);
+			const availableStr = available.length
+				? `Available exports: ${available.join(", ")}.`
+				: `Module has no named exports.`;
+			const hintStr = hint ? ` Did you mean \`<${head}.${hint}>\`?` : "";
+			errors.push({
+				kind: "missing-namespace-export",
+				line: ref.line,
+				col: ref.col,
+				message: `<${ref.name}> — namespace import \`${head}\` (from "${spec}") has no export \`${member}\`. ${availableStr}${hintStr}`,
+			});
+		}
+	}
+
+	if (flags.warnings && Array.isArray(warnings)) {
+		for (const w of warnings) {
+			if (!w || !w.code) continue;
+			if (!PROMOTABLE_WARNING_CODES.has(w.code)) continue;
+			const line = w.start?.line ?? 1;
+			const col = (w.start?.column ?? 0) + 1;
+			errors.push({
+				kind: "warning",
+				line,
+				col,
+				message: `[${w.code}] ${w.message ?? "(no message)"}`,
+			});
+		}
+	}
+
+	if (errors.length === 0) return null;
+
+	errors.sort((a, b) => a.line - b.line || a.col - b.col);
+	const header = `Svelte component-import audit failed: ${filename}`;
+	const body = errors
+		.map((e) => {
+			const loc = `  ${e.line}:${e.col}`;
+			return `${loc}  ${e.message}`;
+		})
+		.join("\n");
+	const footer =
+		"\n\nSet BOSIA_STRICT_IMPORTS=0 to downgrade these to warnings, or configure \`strictImports\` in bosia.config.ts.";
+
+	const formatted = `${header}\n\n${body}${footer}`;
+
+	if (envOverride) {
+		console.warn(`[bosia] ${formatted}`);
+		return null;
+	}
+	return formatted;
+}

package/src/core/svelteCompiler.ts

@@ -1,6 +1,10 @@
 import { compile, compileModule } from "svelte/compiler";
 import type { BunPlugin } from "bun";
 
+import { auditSvelteSource } from "./svelteAudit.ts";
+import { loadBosiaConfig } from "./config.ts";
+import type { StrictImportsOption } from "./types/plugin.ts";
+
 const svelteHash = (s: string) => Bun.hash(s, 5381).toString(36);
 
 // Bun's bundler does not chain sourcemaps from `onLoad` results, so the final
@@ -11,6 +15,37 @@ const svelteHash = (s: string) => Bun.hash(s, 5381).toString(36);
 // the output `.map` files to chain back to original source positions.
 export const svelteMapCache = new Map<string, unknown>();
 
+// Module-scoped so both the `browser` and `bun` plugin instances share state.
+// Bosia spawns both per build (client + server in parallel) and each calls
+// `onLoad` on the same `.svelte` file. Without sharing, the audit would run
+// twice per file (wasteful) and the export cache wouldn't amortize across
+// targets. Keyed by absolute path. Cleared between builds is not needed —
+// stale entries are scoped to the (path, build-process) tuple.
+const auditInflight = new Map<string, Promise<void>>();
+const auditExportCache = new Map<string, Set<string> | null>();
+let auditStrictPromise: Promise<StrictImportsOption> | null = null;
+
+function getStrictImportsOption(): Promise<StrictImportsOption> {
+	if (!auditStrictPromise) {
+		auditStrictPromise = (async () => {
+			try {
+				const config = await loadBosiaConfig(process.cwd());
+				return config.strictImports ?? true;
+			} catch {
+				return true;
+			}
+		})();
+	}
+	return auditStrictPromise;
+}
+
+/** Test-only — drop cached audit state so fixtures with fresh configs reload. */
+export function resetSvelteAuditCache(): void {
+	auditInflight.clear();
+	auditExportCache.clear();
+	auditStrictPromise = null;
+}
+
 // Svelte 5 dev compile emits named `function get()` / `function set($$value)`
 // expressions inside `$.bind_*` calls (for nicer `$inspect` stack traces). Bun's
 // bundler destructures `import * as $ from "svelte/internal/client"` into named
@@ -47,7 +82,32 @@ export function makeBosiaSvelteCompiler(target: "browser" | "bun"): BunPlugin {
 					hmr: false,
 					cssHash: ({ css }) => `svelte-${svelteHash(css)}`,
 					filename: args.path,
+					// Modern AST shape (Svelte 5.x) — `fragment`, `instance`, `module`
+					// rather than the legacy `html`. The audit walker assumes modern.
+					modernAst: true,
 				});
+				const existing = auditInflight.get(args.path);
+				if (existing) {
+					await existing;
+				} else {
+					const promise = (async () => {
+						const strict = await getStrictImportsOption();
+						const failure = await auditSvelteSource({
+							source,
+							filename: args.path,
+							ast: (result as unknown as { ast?: unknown }).ast,
+							warnings: (result.warnings ?? []) as unknown as Parameters<
+								typeof auditSvelteSource
+							>[0]["warnings"],
+							cwd: process.cwd(),
+							exportCache: auditExportCache,
+							strict,
+						});
+						if (failure) throw new Error(failure);
+					})();
+					auditInflight.set(args.path, promise);
+					await promise;
+				}
 				// Only the client target's map is useful to the inspector's runtime
 				// resolver — browser-side stack frames are what we need to translate.
 				// Server (Bun) compile output has different line numbers and would

package/src/core/types/plugin.ts

@@ -71,8 +71,27 @@ export interface BosiaPlugin {
 	};
 }
 
+/**
+ * Compile-time audit of component imports in `.svelte` templates. When enabled
+ * (the default), `<Card.Root>` style usages are validated against the
+ * referenced module's actual exports so missing names fail the build instead
+ * of crashing on first SSR render. `BOSIA_STRICT_IMPORTS=0` downgrades to
+ * warnings at runtime.
+ */
+export type StrictImportsOption =
+	| boolean
+	| {
+			/** Catch `<Mystery />` where `Mystery` has no binding. Default: true. */
+			unbound?: boolean;
+			/** Catch `<Card.Root>` where the namespace has no `Root` export. Default: true. */
+			namespaceMember?: boolean;
+			/** Promote selected `svelte/compiler` warnings to errors. Default: true. */
+			warnings?: boolean;
+	  };
+
 export interface BosiaConfig {
 	plugins?: (BosiaPlugin | false | null | undefined)[];
+	strictImports?: StrictImportsOption;
 }
 
 /** Identity helper for type inference in `bosia.config.ts`. */

package/templates/default/README.md

@@ -2,6 +2,8 @@
 
 A [Bosia](https://github.com/bosapi/bosia) project — SSR · Svelte 5 · Bun · ElysiaJS.
 
+Bosia is **production-ready out of the box** — security (CSRF, XSS, secure cookies, headers), performance (response cache, gzip, prerendering), and reliability (graceful shutdown, request backpressure, crash backoff) are all built in.
+
 ## Getting Started
 
 ```bash
@@ -101,6 +103,6 @@ cn("px-4 py-2", isActive && "bg-primary");
 
 ## Learn More
 
-- [Bosia documentation](https://bosia.bosapi.com)
+- [Bosia documentation](https://bosia.dev)
 - [Svelte 5 docs](https://svelte.dev)
 - [Tailwind CSS v4](https://tailwindcss.com)

package/templates/demo/README.md

@@ -2,6 +2,8 @@
 
 A [Bosia](https://github.com/nicholascostadev/bosia) project with demo routes, hooks, API endpoints, and form actions.
 
+Bosia is **production-ready out of the box** — security (CSRF, XSS, secure cookies, headers), performance (response cache, gzip, prerendering), and reliability (graceful shutdown, request backpressure, crash backoff) are all built in.
+
 ## Running
 
 ```bash
@@ -24,6 +26,6 @@ bun x bosia start   # run production server
 
 ## Learn More
 
-- [Bosia documentation](https://bosia.bosapi.com)
+- [Bosia documentation](https://bosia.dev)
 - [Svelte 5 docs](https://svelte.dev)
 - [Tailwind CSS v4](https://tailwindcss.com)