bosia 0.7.3 → 0.7.6

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "bosia",
-	"version": "0.7.3",
+	"version": "0.7.6",
 	"type": "module",
 	"description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
 	"keywords": [

package/src/cli/create.ts

@@ -16,6 +16,7 @@ const TEMPLATE_DESCRIPTIONS: Record<string, string> = {
 	default: "Minimal starter with routing and Tailwind",
 	demo: "Full-featured demo with hooks, API routes, form actions, and more",
 	shop: "Online store starter with auth, RBAC, S3 uploads, products/orders/cart",
+	store: "Online store starter (Postgres + MinIO/S3) with auth, RBAC, products/orders/cart",
 };
 
 export async function runCreate(name: string | undefined, args: string[] = []) {

package/src/core/client/App.svelte

@@ -3,7 +3,7 @@
 	import { router, scrollToHash } from "./router.svelte.ts";
 	import { findMatch } from "../matcher.ts";
 	import { clientRoutes } from "bosia:routes";
-	import { consumePrefetch, prefetchCache, dataUrl } from "./prefetch.ts";
+	import { consumePrefetch, prefetchCache, dataUrl, buildParentSnapshots } from "./prefetch.ts";
 	import { appState, clearDirty } from "./appState.svelte.ts";
 	import { captureSnapshot, liveContext, shouldRerun, type CacheEntry } from "./loaderCache.ts";
 	import { pickErrorPage } from "../errorMatch.ts";
@@ -123,10 +123,22 @@
 		// to avoid a flash of stale/empty data before the fetch completes.
 		const cached = match.route.hasServerData ? consumePrefetch(path) : null;
 		prefetchCache.clear(); // clear remaining entries on navigation — matches SvelteKit behavior
+		// Forward cached parent data for skipped layers so downstream loaders see
+		// real parent() data, not {}. POST only when there's something to carry —
+		// keeps the no-skip case a cacheable/dedupable GET.
+		const snapshots = buildParentSnapshots(path, maskBits);
+		const dataInit: RequestInit =
+			Object.keys(snapshots).length > 0
+				? {
+						method: "POST",
+						headers: { "Content-Type": "application/json" },
+						body: JSON.stringify({ parentSnapshots: snapshots }),
+					}
+				: {};
 		const dataFetch = cached
 			? Promise.resolve(cached)
 			: match.route.hasServerData
-				? fetch(dataUrl(path, maskBits))
+				? fetch(dataUrl(path, maskBits), dataInit)
 						.then((r) => r.json())
 						.catch(() => null)
 				: Promise.resolve(null);

package/src/core/client/prefetch.ts

@@ -38,6 +38,36 @@ export function buildMaskBits(path: string): string | null {
 	return (pageRun ? "1" : "0") + layoutRunFlags.map((b) => (b ? "1" : "0")).join("");
 }
 
+/**
+ * Build `parentSnapshots` (layout depth → cached data) for a target path from
+ * the current loader cache, given the mask bits from `buildMaskBits`. For each
+ * layout depth whose mask bit is '0' (skipped) and whose cached entry exists,
+ * forward that layer's data so server-side downstream loaders see real
+ * `parent()` data instead of `{}`. Returns `{}` when nothing to carry.
+ *
+ * Client-supplied perf hint only — the server never trusts it for authz.
+ */
+export function buildParentSnapshots(
+	path: string,
+	maskBits: string,
+): Record<number, Record<string, any>> {
+	const snapshots: Record<number, Record<string, any>> = {};
+	const url = new URL(path, window.location.origin);
+	const match = findMatch(clientRoutes, url.pathname);
+	if (!match) return snapshots;
+	const layoutIds = (match.route as any).layoutIds as (string | null)[];
+
+	layoutIds.forEach((id, depth) => {
+		// maskBits char 0 = page, char depth+1 = layout depth. '0' = skipped.
+		if (maskBits[depth + 1] !== "0") return;
+		if (id === null) return;
+		const entry = appState.loaderCache.layouts[id];
+		if (entry) snapshots[depth] = entry.data;
+	});
+
+	return snapshots;
+}
+
 /** Builds the `/__bosia/data/…` URL for a given client path. */
 export function dataUrl(path: string, invalidatedBits?: string): string {
 	const url = new URL(path, window.location.origin);
@@ -78,7 +108,19 @@ export async function prefetchPath(path: string): Promise<void> {
 		// loaders whose tracked inputs haven't changed. Falls back to running
 		// everything when the route can't be matched (e.g. external/unknown URL).
 		const maskBits = buildMaskBits(path) ?? undefined;
-		const res = await fetch(dataUrl(path, maskBits));
+		// Forward cached parent data for skipped layers so a prefetched response
+		// is computed with real parent() data, not {}. POST only when there's
+		// something to carry — keeps the no-skip case a cacheable/dedupable GET.
+		const snapshots = maskBits ? buildParentSnapshots(path, maskBits) : {};
+		const init: RequestInit =
+			Object.keys(snapshots).length > 0
+				? {
+						method: "POST",
+						headers: { "Content-Type": "application/json" },
+						body: JSON.stringify({ parentSnapshots: snapshots }),
+					}
+				: {};
+		const res = await fetch(dataUrl(path, maskBits), init);
 		if (res.ok) {
 			if (prefetchCache.size >= MAX_PREFETCH_ENTRIES) {
 				const oldest = prefetchCache.keys().next().value;

package/src/core/dev.ts

@@ -346,9 +346,17 @@ const devServer = Bun.serve({
 		target.hostname = "127.0.0.1";
 		target.port = String(APP_PORT);
 
+		// Preserve an X-Forwarded-* set by an OUTER proxy (e.g. a multi-tenant host
+		// fronting `bun run dev` behind TLS). Overwriting it with this dev proxy's
+		// own loopback host/scheme would strip the real public origin, so the app's
+		// redirects and `event.url` would point at localhost. Fall back to this
+		// proxy's request only when the outer hop didn't set them.
 		const forwardedHeaders = new Headers(req.headers);
-		forwardedHeaders.set("x-forwarded-host", reqUrl.host);
-		forwardedHeaders.set("x-forwarded-proto", reqUrl.protocol.replace(":", ""));
+		forwardedHeaders.set("x-forwarded-host", req.headers.get("x-forwarded-host") ?? reqUrl.host);
+		forwardedHeaders.set(
+			"x-forwarded-proto",
+			req.headers.get("x-forwarded-proto") ?? reqUrl.protocol.replace(":", ""),
+		);
 		// Force inner app to respond uncompressed. Bun's `fetch()` auto-decodes
 		// gzip/br bodies but leaves the original `Content-Encoding` header on
 		// the Response, so passing it through made Safari throw -1015 ("cannot

package/src/core/renderer.ts

@@ -296,10 +296,15 @@ function makeDepends(deps: LoaderDeps): (...keys: string[]) => void {
 //   - layouts[i] === true → run that layout; false → skip, emit null
 //   - page === true → run page; false → skip, emit null
 // When skipped, the parent() chain still receives the *combined parent
-// data* contributed by previously-cached layers, which the client
-// reconstructs and forwards in the request body. For now (initial
-// implementation), skipped loaders contribute `{}` to parent and the
-// response slot is `null`; the client merges with its cached data.
+// data* contributed by previously-cached layers. The client already holds
+// each skipped layer's data in its loader cache and forwards it as
+// `parentSnapshots` (depth → data) in the request body, so downstream
+// loaders that DO re-run see real parent() data, not `{}`. The response
+// slot stays `null` (client renders that layer from its cache).
+//
+// Trust boundary: parentSnapshots are a client-supplied perf hint, never
+// authoritative. Anything authz-related must read `event.locals` (populated
+// in hooks.server.ts), never `parent()`.
 
 export type LoaderMask = {
 	page: boolean;
@@ -314,6 +319,7 @@ export async function loadRouteData(
 	metadataData: Record<string, any> | null = null,
 	match?: RouteMatch<(typeof serverRoutes)[number]> | null,
 	mask?: LoaderMask,
+	parentSnapshots?: Record<number, Record<string, any>>,
 ) {
 	match ??= findMatch(serverRoutes, url.pathname);
 	if (!match) return null;
@@ -332,11 +338,11 @@ export async function loadRouteData(
 			if (skip) {
 				layoutData[ls.depth] = null;
 				layoutDeps[ls.depth] = null;
-				// Skipped layers contribute {} to the parent chain. The client
-				// already has their data and renders it from cache, so dependent
-				// loaders that DO re-run will see stale parent() data here. This
-				// is the same trade-off SvelteKit makes; loaders that need fresh
-				// upstream data should call `depends()` on a shared key.
+				// Skipped layers contribute their client-cached data (forwarded as
+				// parentSnapshots) to the parent chain, so downstream loaders that DO
+				// re-run see real parent() data. Falls back to {} when no snapshot was
+				// sent. Perf hint only — never authoritative for authz (use locals).
+				parentData = { ...parentData, ...(parentSnapshots?.[ls.depth] ?? {}) };
 				continue;
 			}
 			const mod = await ls.loader();

package/src/core/server.ts

@@ -237,8 +237,32 @@ async function resolve(event: RequestEvent): Promise<Response> {
 						pageMatch?.route ? ((pageMatch.route as any).layoutModules?.length ?? 0) : 0,
 					)
 				: undefined;
+			// Client forwards each skipped layout layer's cached data as
+			// parentSnapshots (depth → data) so downstream loaders see real
+			// parent() data instead of {}. Perf hint only — never authoritative;
+			// authz must read locals. Guarded: undefined for GET / malformed body.
+			let parentSnapshots: Record<number, Record<string, any>> | undefined;
+			if (method !== "GET") {
+				try {
+					const body = await request.json();
+					if (body && typeof body === "object" && body.parentSnapshots) {
+						parentSnapshots = body.parentSnapshots as Record<number, Record<string, any>>;
+					}
+				} catch {
+					parentSnapshots = undefined;
+				}
+			}
 			const runLoad = async () => {
-				const data = await loadRouteData(routeUrl, locals, request, cookies, null, pageMatch, mask);
+				const data = await loadRouteData(
+					routeUrl,
+					locals,
+					request,
+					cookies,
+					null,
+					pageMatch,
+					mask,
+					parentSnapshots,
+				);
 
 				let metadata = null;
 				if (pageMatch) {
@@ -757,6 +781,20 @@ if (_xfoDisabled) {
 }
 
 async function handleRequest(request: Request, url: URL): Promise<Response> {
+	// Behind a trusted proxy the inbound `Host`/scheme is the proxy's inner hop
+	// (e.g. `localhost:PORT` over plain HTTP), so `url` built from `request.url`
+	// misreports the public origin. Rebuild it from `X-Forwarded-Host`/`-Proto`
+	// so `event.url` — and every absolute redirect, canonical URL, and
+	// `url.origin` the app derives — points at the public-facing origin instead
+	// of localhost. Gated on TRUST_PROXY since these headers are client-spoofable
+	// when no proxy strips them.
+	if (TRUST_PROXY) {
+		const fwdHost = request.headers.get("x-forwarded-host");
+		if (fwdHost) url.host = fwdHost;
+		const fwdProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
+		if (fwdProto) url.protocol = `${fwdProto}:`;
+	}
+
 	// Reject new non-health requests during shutdown
 	if (shuttingDown && url.pathname !== "/_health") {
 		return new Response("Service Unavailable", {

package/templates/store/.env.example

@@ -0,0 +1,12 @@
+DATABASE_URL=postgres://postgres:postgres@localhost:5432/store
+
+SESSION_SECRET=change-me-in-production
+
+STORAGE_DRIVER=s3
+S3_BUCKET=uploads
+S3_REGION=auto
+S3_ACCESS_KEY_ID=minioadmin
+S3_SECRET_ACCESS_KEY=minioadmin
+S3_ENDPOINT=http://localhost:9000
+
+PUBLIC_BASE_URL=

package/templates/store/.prettierignore

@@ -0,0 +1,7 @@
+node_modules
+dist
+build
+.bosia
+bun.lock
+public/bosia-tw.css
+bosia.json

package/templates/store/.prettierrc.json

@@ -0,0 +1,9 @@
+{
+	"useTabs": true,
+	"tabWidth": 2,
+	"singleQuote": false,
+	"trailingComma": "all",
+	"printWidth": 100,
+	"plugins": ["prettier-plugin-svelte"],
+	"overrides": [{ "files": "*.svelte", "options": { "parser": "svelte" } }]
+}

package/templates/store/README.md

@@ -0,0 +1,62 @@
+# {{PROJECT_NAME}}
+
+An online-store starter built with [Bosia](https://github.com/bosapi/bosia) — Postgres database, MinIO (S3) uploads, auth, RBAC, and the shop domain (products / orders / cart).
+
+## Prerequisites
+
+- [Bun](https://bun.sh/) v1.1+
+- PostgreSQL running locally or remotely
+- An S3-compatible bucket (AWS S3, Cloudflare R2, MinIO, ...)
+
+## Getting Started
+
+```bash
+cp .env.example .env
+# fill DATABASE_URL, SESSION_SECRET, and S3_* in .env
+
+bun run db:generate
+bun run db:migrate
+bun run db:seed
+
+bun x bosia dev
+```
+
+Visit [http://localhost:9000](http://localhost:9000). The **first account you register becomes the admin** (gets `('*','*')` via the RBAC bootstrap seed).
+
+## What ships
+
+| Feature       | Path                                                                   |
+| ------------- | ---------------------------------------------------------------------- |
+| `auth`        | `src/features/auth/`, `(public)/login`, `(public)/register`, `/logout` |
+| `rbac`        | `src/features/rbac/`, `locals.can(r,a,scope?)`                         |
+| `file-upload` | `src/features/file-upload/`, `POST /api/files` (S3 via `Bun.s3`)       |
+| `shop`        | `src/features/shop/` (products / orders / cart services)               |
+
+## Routes
+
+- `/` — public landing
+- `/login`, `/register`, `POST /logout`
+- `/dashboard` — gated; redirects to `/login` if unauthenticated
+
+## Scripts
+
+| Command               | Description                                   |
+| --------------------- | --------------------------------------------- |
+| `bun x bosia dev`     | Dev server with HMR                           |
+| `bun x bosia build`   | Production build                              |
+| `bun run db:generate` | Generate migration from schema changes        |
+| `bun run db:migrate`  | Apply pending migrations                      |
+| `bun run db:seed`     | Run pending seed files (incl. RBAC bootstrap) |
+
+## S3 storage
+
+Uses native `Bun.s3` (no `@aws-sdk/*` dependency). Defaults target a local MinIO; point `S3_ENDPOINT` at any S3-compatible store (AWS S3, Cloudflare R2, ...):
+
+```
+STORAGE_DRIVER=s3
+S3_BUCKET=uploads
+S3_REGION=auto
+S3_ACCESS_KEY_ID=minioadmin
+S3_SECRET_ACCESS_KEY=minioadmin
+S3_ENDPOINT=http://localhost:9000   # MinIO; omit for AWS S3
+```

package/templates/store/_gitignore

@@ -0,0 +1,15 @@
+node_modules/
+dist/
+.bosia/
+.DS_Store
+*.log
+
+# Generated Tailwind output
+public/bosia-tw.css
+
+# Local env overrides — never commit secrets
+.env*.local
+.env
+
+# SQLite database artifacts
+data/*.db*

package/templates/store/bosia.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from "bosia";
+import { inspector } from "bosia/plugins/inspector";
+
+export default defineConfig({
+	plugins: [
+		// Dev-only: Alt+click any element on the page to open its source in your editor.
+		// Change `editor` to "cursor" or "zed" if you don't use VS Code.
+		inspector({ editor: "code" }),
+	],
+});

package/templates/store/instructions.txt

@@ -0,0 +1,8 @@
+Update .env with your DATABASE_URL (Postgres, e.g. postgres://user:pass@localhost:5432/store) and S3_* credentials (MinIO or any S3-compatible store).
+Pick a strong SESSION_SECRET.
+
+bun run db:generate
+bun run db:migrate
+bun run db:seed
+
+The first account you register becomes the admin.

package/templates/store/package.json

@@ -0,0 +1,26 @@
+{
+	"name": "{{PROJECT_NAME}}",
+	"private": true,
+	"type": "module",
+	"scripts": {
+		"dev": "bosia dev",
+		"build": "bosia build",
+		"start": "bosia start",
+		"check": "tsc --noEmit && prettier --check .",
+		"format": "prettier --write .",
+		"format:check": "prettier --check ."
+	},
+	"dependencies": {
+		"bosia": "^{{BOSIA_VERSION}}",
+		"svelte": "^5.56.3",
+		"tailwind-merge": "^3.5.0",
+		"drizzle-orm": "^0.44.0"
+	},
+	"devDependencies": {
+		"@types/bun": "latest",
+		"prettier": "^3.3.0",
+		"prettier-plugin-svelte": "^3.2.0",
+		"typescript": "^5",
+		"drizzle-kit": "^0.31.0"
+	}
+}

package/templates/store/public/favicon.svg

@@ -0,0 +1,14 @@
+<svg width="200" height="200" viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">
+  <!-- Top block -->
+  <rect fill="currentColor" x="50" y="50" width="28" height="28" rx="6"/>
+  <rect fill="currentColor" x="86" y="50" width="60" height="28" rx="6"/>
+
+  <!-- Middle block -->
+  <rect fill="currentColor" x="86" y="86" width="72" height="28" rx="6"/>
+
+  <!-- Bottom block -->
+  <rect fill="currentColor" x="86" y="122" width="60" height="28" rx="6"/>
+
+  <!-- Connector bar on left -->
+  <rect fill="currentColor" x="50" y="50" width="28" height="100" rx="6"/>
+</svg>

package/templates/store/public/logo-dark.svg

@@ -0,0 +1,14 @@
+<svg width="200" height="200" viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">
+  <!-- Top block -->
+  <rect fill="#f0f0f0" x="50" y="50" width="28" height="28" rx="6"/>
+  <rect fill="#f0f0f0" x="86" y="50" width="60" height="28" rx="6"/>
+
+  <!-- Middle block -->
+  <rect fill="#f0f0f0" x="86" y="86" width="72" height="28" rx="6"/>
+
+  <!-- Bottom block -->
+  <rect fill="#f0f0f0" x="86" y="122" width="60" height="28" rx="6"/>
+
+  <!-- Connector bar on left -->
+  <rect fill="#f0f0f0" x="50" y="50" width="28" height="100" rx="6"/>
+</svg>

package/templates/store/public/logo-light.svg

@@ -0,0 +1,14 @@
+<svg width="200" height="200" viewBox="0 0 200 200" xmlns="http://www.w3.org/2000/svg">
+  <!-- Top block -->
+  <rect fill="#1a1a1a" x="50" y="50" width="28" height="28" rx="6"/>
+  <rect fill="#1a1a1a" x="86" y="50" width="60" height="28" rx="6"/>
+
+  <!-- Middle block -->
+  <rect fill="#1a1a1a" x="86" y="86" width="72" height="28" rx="6"/>
+
+  <!-- Bottom block -->
+  <rect fill="#1a1a1a" x="86" y="122" width="60" height="28" rx="6"/>
+
+  <!-- Connector bar on left -->
+  <rect fill="#1a1a1a" x="50" y="50" width="28" height="100" rx="6"/>
+</svg>

package/templates/store/src/app.css

@@ -0,0 +1,140 @@
+@import "tailwindcss";
+@source "../src";
+
+@custom-variant dark (&:where(.dark, .dark *));
+
+/*
+ * ─── shadcn-inspired Design Tokens ──────────────────────
+ * CSS custom properties for light & dark themes.
+ * Uses HSL values so Tailwind can apply opacity modifiers.
+ */
+
+@theme {
+	--color-background: hsl(var(--background));
+	--color-foreground: hsl(var(--foreground));
+
+	--color-card: hsl(var(--card));
+	--color-card-foreground: hsl(var(--card-foreground));
+
+	--color-popover: hsl(var(--popover));
+	--color-popover-foreground: hsl(var(--popover-foreground));
+
+	--color-primary: hsl(var(--primary));
+	--color-primary-foreground: hsl(var(--primary-foreground));
+
+	--color-secondary: hsl(var(--secondary));
+	--color-secondary-foreground: hsl(var(--secondary-foreground));
+
+	--color-muted: hsl(var(--muted));
+	--color-muted-foreground: hsl(var(--muted-foreground));
+
+	--color-accent: hsl(var(--accent));
+	--color-accent-foreground: hsl(var(--accent-foreground));
+
+	--color-destructive: hsl(var(--destructive));
+	--color-destructive-foreground: hsl(var(--destructive-foreground));
+
+	--color-border: hsl(var(--border));
+	--color-input: hsl(var(--input));
+	--color-ring: hsl(var(--ring));
+
+	--radius-sm: calc(var(--radius) - 4px);
+	--radius-md: calc(var(--radius) - 2px);
+	--radius-lg: var(--radius);
+	--radius-xl: calc(var(--radius) + 4px);
+}
+
+/* bosia-theme-vars: template default tokens. `bosia add theme` strips everything
+   between these markers (the installed theme owns these tokens). Do NOT add your
+   own :root rules inside the markers — put custom overrides after the close tag. */
+
+/* ─── Light Theme (Default) ─────────────────────────────── */
+
+:root {
+	--background: 0 0% 100%;
+	--foreground: 222.2 84% 4.9%;
+
+	--card: 0 0% 100%;
+	--card-foreground: 222.2 84% 4.9%;
+
+	--popover: 0 0% 100%;
+	--popover-foreground: 222.2 84% 4.9%;
+
+	--primary: 222.2 47.4% 11.2%;
+	--primary-foreground: 210 40% 98%;
+
+	--secondary: 210 40% 96.1%;
+	--secondary-foreground: 222.2 47.4% 11.2%;
+
+	--muted: 210 40% 96.1%;
+	--muted-foreground: 215.4 16.3% 46.9%;
+
+	--accent: 210 40% 96.1%;
+	--accent-foreground: 222.2 47.4% 11.2%;
+
+	--destructive: 0 84.2% 60.2%;
+	--destructive-foreground: 210 40% 98%;
+
+	--border: 214.3 31.8% 91.4%;
+	--input: 214.3 31.8% 91.4%;
+	--ring: 222.2 84% 4.9%;
+
+	--radius: 0.5rem;
+}
+
+/* ─── Dark Theme ─────────────────────────────────────────── */
+
+.dark {
+	--background: 222.2 84% 4.9%;
+	--foreground: 210 40% 98%;
+
+	--card: 222.2 84% 4.9%;
+	--card-foreground: 210 40% 98%;
+
+	--popover: 222.2 84% 4.9%;
+	--popover-foreground: 210 40% 98%;
+
+	--primary: 210 40% 98%;
+	--primary-foreground: 222.2 47.4% 11.2%;
+
+	--secondary: 217.2 32.6% 17.5%;
+	--secondary-foreground: 210 40% 98%;
+
+	--muted: 217.2 32.6% 17.5%;
+	--muted-foreground: 215 20.2% 65.1%;
+
+	--accent: 217.2 32.6% 17.5%;
+	--accent-foreground: 210 40% 98%;
+
+	--destructive: 0 62.8% 30.6%;
+	--destructive-foreground: 210 40% 98%;
+
+	--border: 217.2 32.6% 17.5%;
+	--input: 217.2 32.6% 17.5%;
+	--ring: 212.7 26.8% 83.9%;
+}
+
+/* /bosia-theme-vars */
+
+/* ─── Base Styles ────────────────────────────────────────── */
+
+@layer base {
+	* {
+		border-color: theme(--color-border);
+	}
+
+	body {
+		background-color: theme(--color-background);
+		color: theme(--color-foreground);
+		font-family:
+			"Inter",
+			system-ui,
+			-apple-system,
+			BlinkMacSystemFont,
+			"Segoe UI",
+			Roboto,
+			"Helvetica Neue",
+			Arial,
+			sans-serif;
+	}
+}

package/templates/store/src/app.d.ts

@@ -0,0 +1,14 @@
+/// <reference types="svelte" />
+
+declare module "*.svelte" {
+	import type { Component } from "svelte";
+	const component: Component<Record<string, any>, Record<string, any>, any>;
+	export default component;
+}
+
+declare namespace App {
+	interface Locals {
+		db: import("./features/drizzle").Database;
+		requestTime: number;
+	}
+}

package/templates/store/src/app.html

@@ -0,0 +1,11 @@
+<!doctype html>
+<html lang="%bosia.lang%">
+	<head>
+		<meta charset="UTF-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+		%bosia.head%
+	</head>
+	<body>
+		%bosia.body%
+	</body>
+</html>

package/templates/store/src/hooks.server.ts

@@ -0,0 +1,21 @@
+import { sequence } from "bosia";
+import type { Handle } from "bosia";
+import { db } from "./features/drizzle";
+import { authHandle } from "./features/auth";
+
+const dbHandle: Handle = async ({ event, resolve }) => {
+	event.locals.db = db;
+	return resolve(event);
+};
+
+const loggingHandle: Handle = async ({ event, resolve }) => {
+	const start = Date.now();
+	event.locals.requestTime = start;
+	const res = await resolve(event);
+	const ms = Date.now() - start;
+	console.log(`[${event.request.method}] ${event.url.pathname} ${res.status} (${ms}ms)`);
+	res.headers.set("X-Response-Time", `${ms}ms`);
+	return res;
+};
+
+export const handle = sequence(dbHandle, authHandle, loggingHandle);

package/templates/store/src/lib/utils.ts

@@ -0,0 +1 @@
+export { cn } from "bosia";

package/templates/store/src/routes/(private)/+layout.server.ts

@@ -0,0 +1,10 @@
+import { redirect } from "bosia";
+import type { LoadEvent } from "bosia";
+
+export async function load({ locals, url }: LoadEvent) {
+	if (!locals.user) {
+		const next = encodeURIComponent(url.pathname + url.search);
+		throw redirect(303, `/login?next=${next}`);
+	}
+	return { user: locals.user };
+}

package/templates/store/src/routes/(private)/+layout.svelte

@@ -0,0 +1,44 @@
+<script lang="ts">
+	import { page } from "bosia/client";
+	import AdminSidebar from "$lib/components/AdminSidebar.svelte";
+	import {
+		Breadcrumb,
+		BreadcrumbList,
+		BreadcrumbItem,
+		BreadcrumbLink,
+		BreadcrumbPage,
+		BreadcrumbSeparator,
+	} from "$lib/components/ui/breadcrumb";
+
+	let { data, children }: { data: { user: { id: string; email: string } }; children: any } =
+		$props();
+
+	const segments = $derived(page.url.pathname.split("/").filter(Boolean));
+	const label = (s: string) => s[0].toUpperCase() + s.slice(1);
+	const hrefAt = (i: number) => "/" + segments.slice(0, i + 1).join("/");
+</script>
+
+<div class="flex min-h-screen">
+	<AdminSidebar currentPath={page.url.pathname} user={data.user} />
+	<main class="flex-1 overflow-x-hidden p-6">
+		{#if segments.length > 0}
+			<Breadcrumb class="mb-4">
+				<BreadcrumbList>
+					{#each segments as segment, i}
+						<BreadcrumbItem>
+							{#if i === segments.length - 1}
+								<BreadcrumbPage>{label(segment)}</BreadcrumbPage>
+							{:else}
+								<BreadcrumbLink href={hrefAt(i)}>{label(segment)}</BreadcrumbLink>
+							{/if}
+						</BreadcrumbItem>
+						{#if i < segments.length - 1}
+							<BreadcrumbSeparator />
+						{/if}
+					{/each}
+				</BreadcrumbList>
+			</Breadcrumb>
+		{/if}
+		{@render children()}
+	</main>
+</div>

package/templates/store/src/routes/(private)/dashboard/+page.svelte

@@ -0,0 +1,11 @@
+<!-- EDIT THIS FILE: add cards, KPIs, recent orders, sales charts, etc. -->
+<svelte:head>
+	<title>Dashboard</title>
+</svelte:head>
+
+<div class="flex flex-col gap-4">
+	<h1 class="text-2xl font-bold tracking-tight">Dashboard</h1>
+	<p class="text-muted-foreground text-sm">
+		This is your admin home. Add widgets, KPI cards, and recent activity here.
+	</p>
+</div>

package/templates/store/src/routes/(public)/+layout.svelte

@@ -0,0 +1,13 @@
+<script lang="ts">
+	import { page } from "bosia/client";
+	import PublicNavbar from "$lib/components/PublicNavbar.svelte";
+
+	let { data, children }: { data: { user: any }; children: any } = $props();
+</script>
+
+<div class="flex min-h-screen flex-col">
+	<PublicNavbar currentPath={page.url.pathname} user={data.user} />
+	<div class="flex-1">
+		{@render children()}
+	</div>
+</div>

package/templates/store/src/routes/(public)/+page.svelte

@@ -0,0 +1,38 @@
+<svelte:head>
+	<title>Welcome to your shop</title>
+	<meta
+		name="description"
+		content="A Bosia shop starter — auth, RBAC, S3 uploads, products & cart."
+	/>
+</svelte:head>
+
+<main class="flex min-h-[80vh] flex-col items-center justify-center gap-6 p-8">
+	<div class="flex flex-col items-center gap-3 text-center">
+		<img src="/favicon.svg" alt="" class="size-16" />
+		<h1 class="text-4xl font-bold tracking-tight">Welcome to your shop</h1>
+		<p class="text-muted-foreground text-lg">
+			A Bosia shop starter — auth, RBAC, S3 uploads, products & cart.
+		</p>
+	</div>
+
+	<div class="mt-4 flex gap-3">
+		<a
+			href="/products"
+			class="bg-primary text-primary-foreground hover:bg-primary/90 rounded-md px-4 py-2 text-sm font-medium transition-colors"
+		>
+			Browse products
+		</a>
+		<a
+			href="/login"
+			class="border-border bg-secondary text-secondary-foreground hover:bg-secondary/80 rounded-md border px-4 py-2 text-sm font-medium transition-colors"
+		>
+			Sign in
+		</a>
+	</div>
+
+	<p class="text-muted-foreground mt-6 text-sm">
+		Edit <code class="bg-muted rounded px-1 py-0.5 font-mono text-xs"
+			>src/routes/(public)/+page.svelte</code
+		> to get started
+	</p>
+</main>

package/templates/store/src/routes/+error.svelte

@@ -0,0 +1,19 @@
+<script lang="ts">
+	import type { ErrorProps } from "./$types";
+	let { error }: ErrorProps = $props();
+</script>
+
+<svelte:head>
+	<title>{error.status} — {error.message}</title>
+</svelte:head>
+
+<div class="min-h-screen flex flex-col items-center justify-center gap-4 text-center px-4">
+	<p class="text-8xl font-bold text-gray-200">{error.status}</p>
+	<p class="text-2xl font-semibold text-gray-700">{error.message}</p>
+	<a
+		href="/"
+		class="mt-4 px-5 py-2 rounded-lg bg-gray-900 text-white text-sm hover:bg-gray-700 transition-colors"
+	>
+		Go home
+	</a>
+</div>

package/templates/store/src/routes/+layout.server.ts

@@ -0,0 +1,9 @@
+import type { LoadEvent } from "bosia";
+
+export async function load({ locals }: LoadEvent) {
+	return {
+		appName: "Bosia Shop",
+		requestTime: (locals.requestTime as number | null) ?? null,
+		user: locals.user ?? null,
+	};
+}

package/templates/store/src/routes/+layout.svelte

@@ -0,0 +1,6 @@
+<script lang="ts">
+	import "../app.css";
+	let { children }: { children: any } = $props();
+</script>
+
+{@render children()}

package/templates/store/template.json

@@ -0,0 +1,11 @@
+{
+	"prebuilt": true,
+	"features": ["auth", "rbac", "file-upload", "shop"],
+	"featureOptions": {
+		"drizzle.dialect": "postgres",
+		"auth.dialect": "postgres",
+		"rbac.dialect": "postgres",
+		"file-upload.dialect": "postgres",
+		"shop.dialect": "postgres"
+	}
+}

package/templates/store/tsconfig.json

@@ -0,0 +1,22 @@
+{
+	"compilerOptions": {
+		"target": "ESNext",
+		"module": "ESNext",
+		"moduleResolution": "bundler",
+		"strict": true,
+		"allowJs": true,
+		"skipLibCheck": true,
+		"allowImportingTsExtensions": true,
+		"noEmit": true,
+		"verbatimModuleSyntax": true,
+		"types": ["bun-types"],
+		"lib": ["dom", "dom.iterable", "esnext"],
+		"rootDirs": [".", ".bosia/types"],
+		"paths": {
+			"$lib": ["./src/lib"],
+			"$lib/*": ["./src/lib/*"]
+		}
+	},
+	"include": ["src/**/*", ".bosia/types/**/*.d.ts"],
+	"exclude": ["node_modules", "dist"]
+}