dalila 1.7.6 → 1.8.0

package/README.md

@@ -81,6 +81,10 @@ bind(document.getElementById('app')!, ctx);
 - [Query](./docs/core/query.md) — Cached queries
 - [Mutations](./docs/core/mutation.md) — Write operations
 
+### HTTP
+
+- [HTTP Client](./docs/http.md) — Native fetch-based client with XSRF protection and interceptors
+
 ### Forms
 
 - [Forms](./docs/forms.md) — DOM-first form management with validation, field arrays, and accessibility
@@ -97,6 +101,7 @@ bind(document.getElementById('app')!, ctx);
 dalila           → signal, computed, effect, batch, ...
 dalila/runtime   → bind() for HTML templates
 dalila/context   → createContext, provide, inject
+dalila/http      → createHttpClient with XSRF protection
 ```
 
 ### Signals
@@ -166,6 +171,28 @@ theme.set('light'); // Saved automatically
 // On reload: theme starts as 'light'
 ```
 
+### HTTP Client
+
+```ts
+import { createHttpClient } from 'dalila/http';
+
+const http = createHttpClient({
+  baseURL: 'https://api.example.com',
+  xsrf: true, // XSRF protection
+  onError: (error) => {
+    if (error.status === 401) window.location.href = '/login';
+    throw error;
+  }
+});
+
+// GET request
+const response = await http.get('/users');
+console.log(response.data);
+
+// POST with auto JSON serialization
+await http.post('/users', { name: 'John', email: 'john@example.com' });
+```
+
 ### File-Based Routing
 
 ```txt

package/dist/http/adapter.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Fetch Adapter
+ *
+ * Native fetch-based HTTP adapter with timeout and abort support.
+ * Uses only browser/Node native APIs (fetch, AbortController, URL).
+ */
+import { type RequestConfig, type HttpResponse } from './types.js';
+/**
+ * Execute an HTTP request using native fetch API.
+ *
+ * Features:
+ * - Timeout support via AbortController
+ * - Manual cancellation via config.signal
+ * - Automatic JSON serialization
+ * - URL params handling
+ * - Response type parsing
+ *
+ * @param config - Request configuration
+ * @returns Promise that resolves to HttpResponse
+ * @throws HttpError on any failure
+ */
+export declare function fetchAdapter<T = any>(config: RequestConfig): Promise<HttpResponse<T>>;

package/dist/http/adapter.js

@@ -0,0 +1,264 @@
+/**
+ * Fetch Adapter
+ *
+ * Native fetch-based HTTP adapter with timeout and abort support.
+ * Uses only browser/Node native APIs (fetch, AbortController, URL).
+ */
+import { HttpError } from './types.js';
+/**
+ * Execute an HTTP request using native fetch API.
+ *
+ * Features:
+ * - Timeout support via AbortController
+ * - Manual cancellation via config.signal
+ * - Automatic JSON serialization
+ * - URL params handling
+ * - Response type parsing
+ *
+ * @param config - Request configuration
+ * @returns Promise that resolves to HttpResponse
+ * @throws HttpError on any failure
+ */
+export async function fetchAdapter(config) {
+    const { url = '', method = 'GET', headers = {}, data, params, timeout, signal: userSignal, responseType = 'json', baseURL = '', } = config;
+    // Build full URL
+    const fullUrl = buildUrl(baseURL, url, params);
+    // Setup abort handling (timeout + manual signal)
+    const controller = new AbortController();
+    const { signal, cleanup } = setupAbort(controller, timeout, userSignal);
+    // Build request headers
+    const requestHeaders = buildHeaders(headers, data);
+    // Build request body
+    const body = buildBody(data);
+    let response;
+    try {
+        // Execute fetch
+        response = await fetch(fullUrl, {
+            method,
+            headers: requestHeaders,
+            body,
+            signal,
+        });
+        cleanup();
+        // Handle non-2xx responses
+        if (!response.ok) {
+            const errorData = await parseResponseSafe(response, responseType);
+            throw new HttpError(`HTTP Error ${response.status}: ${response.statusText}`, 'http', config, {
+                status: response.status,
+                data: errorData,
+                response,
+            });
+        }
+        // Check if response has a body
+        const hasBody = shouldParseResponseBody(response, method);
+        // Parse response (or return null for empty responses)
+        const responseData = hasBody
+            ? await parseResponse(response, responseType)
+            : null;
+        return {
+            data: responseData,
+            status: response.status,
+            statusText: response.statusText,
+            headers: response.headers,
+            config,
+        };
+    }
+    catch (error) {
+        cleanup();
+        // Already an HttpError (from non-2xx response)
+        if (error instanceof HttpError) {
+            throw error;
+        }
+        // AbortError (timeout or manual cancel)
+        if (error instanceof Error && error.name === 'AbortError') {
+            const isTimeout = controller.signal.reason === 'timeout';
+            throw new HttpError(isTimeout ? `Request timeout after ${timeout}ms` : 'Request aborted', isTimeout ? 'timeout' : 'abort', config);
+        }
+        // Parse error (invalid JSON, malformed response body, etc)
+        if (error instanceof Error && error.message.startsWith('Failed to parse response')) {
+            throw new HttpError(error.message, 'parse', config, {
+                status: response?.status,
+                response: response,
+            });
+        }
+        // Network error (DNS, connection refused, etc)
+        if (error instanceof TypeError) {
+            throw new HttpError(`Network error: ${error.message}`, 'network', config);
+        }
+        // Unknown error (treat as network error for backwards compatibility)
+        throw new HttpError(error instanceof Error ? error.message : String(error), 'network', config);
+    }
+}
+/**
+ * Check if a URL is absolute (starts with http://, https://, or //).
+ */
+function isAbsoluteUrl(url) {
+    return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
+}
+/**
+ * Build full URL with baseURL and query params.
+ */
+function buildUrl(baseURL, url, params) {
+    // Only prepend baseURL if url is relative
+    let fullUrl;
+    if (baseURL && !isAbsoluteUrl(url)) {
+        fullUrl = `${baseURL}${url}`;
+    }
+    else {
+        fullUrl = url;
+    }
+    if (params && Object.keys(params).length > 0) {
+        // Build query string
+        const searchParams = new URLSearchParams();
+        Object.entries(params).forEach(([key, value]) => {
+            searchParams.append(key, String(value));
+        });
+        const queryString = searchParams.toString();
+        // Append query string to original URL
+        // Preserve URL format (absolute http://, root-relative /, or path-relative)
+        if (fullUrl.includes('?')) {
+            // URL already has query params, append with &
+            fullUrl = `${fullUrl}&${queryString}`;
+        }
+        else {
+            // Add query params with ?
+            fullUrl = `${fullUrl}?${queryString}`;
+        }
+    }
+    return fullUrl;
+}
+/**
+ * Build request headers with automatic Content-Type for JSON.
+ */
+function buildHeaders(headers, data) {
+    const result = { ...headers };
+    // Auto-add Content-Type for JSON data (but not for FormData/Blob/ArrayBuffer)
+    // Browser automatically sets correct Content-Type for FormData/Blob
+    if (data &&
+        typeof data === 'object' &&
+        !(data instanceof FormData) &&
+        !(data instanceof Blob) &&
+        !(data instanceof ArrayBuffer) &&
+        !result['Content-Type'] &&
+        !result['content-type']) {
+        result['Content-Type'] = 'application/json';
+    }
+    return result;
+}
+/**
+ * Build request body (auto-stringify JSON objects).
+ */
+function buildBody(data) {
+    // Only skip for null/undefined (not other falsy values like 0, false, "")
+    if (data === null || data === undefined) {
+        return undefined;
+    }
+    // Already serialized (string, FormData, Blob, etc)
+    if (typeof data === 'string' || data instanceof FormData || data instanceof Blob || data instanceof ArrayBuffer) {
+        return data;
+    }
+    // Serialize objects to JSON
+    if (typeof data === 'object') {
+        return JSON.stringify(data);
+    }
+    // Serialize primitives (numbers, booleans, etc) to string
+    return String(data);
+}
+/**
+ * Setup abort handling (timeout + manual signal).
+ *
+ * Returns:
+ * - signal: AbortSignal to pass to fetch
+ * - cleanup: Function to clear timeout
+ */
+function setupAbort(controller, timeout, userSignal) {
+    let timeoutId;
+    // Link user signal (manual cancellation)
+    if (userSignal) {
+        if (userSignal.aborted) {
+            controller.abort(userSignal.reason);
+        }
+        else {
+            userSignal.addEventListener('abort', () => {
+                controller.abort(userSignal.reason);
+            }, { once: true });
+        }
+    }
+    // Setup timeout
+    if (timeout && timeout > 0) {
+        timeoutId = setTimeout(() => {
+            controller.abort('timeout');
+        }, timeout);
+    }
+    const cleanup = () => {
+        if (timeoutId !== undefined) {
+            clearTimeout(timeoutId);
+        }
+    };
+    return { signal: controller.signal, cleanup };
+}
+/**
+ * Check if response should be parsed (has a body).
+ *
+ * Responses without body:
+ * - 204 No Content
+ * - 205 Reset Content
+ * - 304 Not Modified
+ * - HEAD requests
+ * - Content-Length: 0
+ */
+function shouldParseResponseBody(response, method) {
+    // Status codes that never have a body
+    if (response.status === 204 || response.status === 205 || response.status === 304) {
+        return false;
+    }
+    // HEAD requests never have a body
+    if (method.toUpperCase() === 'HEAD') {
+        return false;
+    }
+    // Check Content-Length header
+    const contentLength = response.headers.get('Content-Length');
+    if (contentLength === '0') {
+        return false;
+    }
+    return true;
+}
+/**
+ * Parse response based on responseType.
+ */
+async function parseResponse(response, responseType) {
+    try {
+        switch (responseType) {
+            case 'json':
+                return await response.json();
+            case 'text':
+                return await response.text();
+            case 'blob':
+                return await response.blob();
+            case 'arraybuffer':
+                return await response.arrayBuffer();
+            default:
+                return await response.json();
+        }
+    }
+    catch (error) {
+        throw new Error(`Failed to parse response as ${responseType}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+/**
+ * Parse response safely for error handling (never throws).
+ */
+async function parseResponseSafe(response, responseType) {
+    try {
+        return await parseResponse(response, responseType);
+    }
+    catch {
+        // If parsing fails, try text as fallback
+        try {
+            return await response.text();
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/http/client.d.ts

@@ -0,0 +1,48 @@
+/**
+ * HTTP Client
+ *
+ * Main HTTP client factory for Dalila framework.
+ * Provides a simple, Axios-inspired API with native fetch under the hood.
+ */
+import { type HttpClient, type HttpClientConfig } from './types.js';
+/**
+ * Create an HTTP client instance.
+ *
+ * Features:
+ * - Global config (baseURL, headers, timeout)
+ * - Interceptors (onRequest, onResponse, onError)
+ * - Convenient methods (get, post, put, patch, delete)
+ * - Full TypeScript support
+ *
+ * Example:
+ * ```ts
+ * const http = createHttpClient({
+ *   baseURL: 'https://api.example.com',
+ *   headers: { 'Authorization': 'Bearer token' },
+ *   timeout: 5000,
+ *   onRequest: (config) => {
+ *     console.log('Sending request:', config.url);
+ *     return config;
+ *   },
+ *   onResponse: (response) => {
+ *     console.log('Received response:', response.status);
+ *     return response;
+ *   },
+ *   onError: (error) => {
+ *     if (error.status === 401) {
+ *       // Redirect to login
+ *       window.location.href = '/login';
+ *     }
+ *     throw error;
+ *   }
+ * });
+ *
+ * // Usage
+ * const response = await http.get('/users');
+ * await http.post('/login', { email, password });
+ * ```
+ *
+ * @param config - Global client configuration
+ * @returns HTTP client instance
+ */
+export declare function createHttpClient(config?: HttpClientConfig): HttpClient;

package/dist/http/client.js

@@ -0,0 +1,179 @@
+/**
+ * HTTP Client
+ *
+ * Main HTTP client factory for Dalila framework.
+ * Provides a simple, Axios-inspired API with native fetch under the hood.
+ */
+import { fetchAdapter } from './adapter.js';
+import { getXsrfToken, requiresXsrfToken } from './xsrf.js';
+/**
+ * Create an HTTP client instance.
+ *
+ * Features:
+ * - Global config (baseURL, headers, timeout)
+ * - Interceptors (onRequest, onResponse, onError)
+ * - Convenient methods (get, post, put, patch, delete)
+ * - Full TypeScript support
+ *
+ * Example:
+ * ```ts
+ * const http = createHttpClient({
+ *   baseURL: 'https://api.example.com',
+ *   headers: { 'Authorization': 'Bearer token' },
+ *   timeout: 5000,
+ *   onRequest: (config) => {
+ *     console.log('Sending request:', config.url);
+ *     return config;
+ *   },
+ *   onResponse: (response) => {
+ *     console.log('Received response:', response.status);
+ *     return response;
+ *   },
+ *   onError: (error) => {
+ *     if (error.status === 401) {
+ *       // Redirect to login
+ *       window.location.href = '/login';
+ *     }
+ *     throw error;
+ *   }
+ * });
+ *
+ * // Usage
+ * const response = await http.get('/users');
+ * await http.post('/login', { email, password });
+ * ```
+ *
+ * @param config - Global client configuration
+ * @returns HTTP client instance
+ */
+export function createHttpClient(config = {}) {
+    const { baseURL = '', headers: defaultHeaders = {}, timeout: defaultTimeout, responseType: defaultResponseType = 'json', xsrf: xsrfConfig, onRequest, onResponse, onError, } = config;
+    // Parse XSRF config
+    const xsrf = xsrfConfig === true
+        ? { cookieName: 'XSRF-TOKEN', headerName: 'X-XSRF-TOKEN', safeMethods: ['GET', 'HEAD', 'OPTIONS'] }
+        : xsrfConfig === false || !xsrfConfig
+            ? null
+            : { cookieName: 'XSRF-TOKEN', headerName: 'X-XSRF-TOKEN', safeMethods: ['GET', 'HEAD', 'OPTIONS'], ...xsrfConfig };
+    /**
+     * Core request method.
+     * Merges global config with per-request config and executes interceptors.
+     */
+    async function request(requestConfig) {
+        // Merge global config with request config
+        // Spread requestConfig first, then override with merged values
+        let mergedConfig = {
+            ...requestConfig,
+            baseURL: requestConfig.baseURL ?? baseURL,
+            timeout: requestConfig.timeout ?? defaultTimeout,
+            responseType: requestConfig.responseType ?? defaultResponseType,
+            headers: mergeHeaders(defaultHeaders, requestConfig.headers),
+        };
+        // XSRF: Add token to header if configured
+        if (xsrf) {
+            const method = (mergedConfig.method || 'GET');
+            const safeMethods = xsrf.safeMethods || ['GET', 'HEAD', 'OPTIONS'];
+            if (requiresXsrfToken(method, safeMethods)) {
+                const cookieName = xsrf.cookieName || 'XSRF-TOKEN';
+                const token = getXsrfToken(cookieName);
+                if (token) {
+                    const headerName = xsrf.headerName || 'X-XSRF-TOKEN';
+                    mergedConfig.headers = {
+                        ...mergedConfig.headers,
+                        [headerName]: token,
+                    };
+                }
+            }
+        }
+        try {
+            // Run request interceptor
+            if (onRequest) {
+                mergedConfig = await onRequest(mergedConfig);
+            }
+            // Execute request
+            let response = await fetchAdapter(mergedConfig);
+            // Run response interceptor
+            if (onResponse) {
+                response = await onResponse(response);
+            }
+            return response;
+        }
+        catch (error) {
+            // Run error interceptor
+            if (onError) {
+                await onError(error);
+            }
+            // Rethrow error
+            throw error;
+        }
+    }
+    /**
+     * GET request.
+     */
+    function get(url, requestConfig) {
+        return request({
+            ...requestConfig,
+            url,
+            method: 'GET',
+        });
+    }
+    /**
+     * POST request.
+     */
+    function post(url, data, requestConfig) {
+        return request({
+            ...requestConfig,
+            url,
+            method: 'POST',
+            data,
+        });
+    }
+    /**
+     * PUT request.
+     */
+    function put(url, data, requestConfig) {
+        return request({
+            ...requestConfig,
+            url,
+            method: 'PUT',
+            data,
+        });
+    }
+    /**
+     * PATCH request.
+     */
+    function patch(url, data, requestConfig) {
+        return request({
+            ...requestConfig,
+            url,
+            method: 'PATCH',
+            data,
+        });
+    }
+    /**
+     * DELETE request.
+     */
+    function deleteFn(url, requestConfig) {
+        return request({
+            ...requestConfig,
+            url,
+            method: 'DELETE',
+        });
+    }
+    return {
+        request,
+        get,
+        post,
+        put,
+        patch,
+        delete: deleteFn,
+    };
+}
+/**
+ * Merge headers (per-request headers override global headers).
+ */
+function mergeHeaders(globalHeaders, requestHeaders) {
+    return {
+        ...globalHeaders,
+        ...requestHeaders,
+    };
+}

package/dist/http/index.d.ts

@@ -0,0 +1,4 @@
+export { createHttpClient } from './client.js';
+export { fetchAdapter } from './adapter.js';
+export type { HttpClient, HttpClientConfig, HttpMethod, HttpResponse, HttpErrorType, RequestConfig, RequestInterceptor, ResponseInterceptor, ErrorInterceptor, Interceptors, XsrfConfig, } from './types.js';
+export { HttpError } from './types.js';

package/dist/http/index.js

@@ -0,0 +1,3 @@
+export { createHttpClient } from './client.js';
+export { fetchAdapter } from './adapter.js';
+export { HttpError } from './types.js';

package/dist/http/types.d.ts

@@ -0,0 +1,149 @@
+/**
+ * HTTP Client Types
+ *
+ * Type definitions for the Dalila HTTP client.
+ * Designed for simplicity and SPA-first workflows.
+ */
+/**
+ * HTTP methods supported by the client.
+ */
+export type HttpMethod = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'HEAD' | 'OPTIONS';
+/**
+ * Request configuration.
+ */
+export interface RequestConfig {
+    /** Request URL (relative to baseURL if configured). */
+    url?: string;
+    /** HTTP method (defaults to GET). */
+    method?: HttpMethod;
+    /** Request headers. */
+    headers?: Record<string, string>;
+    /** Request body (auto-serialized to JSON if object). */
+    data?: any;
+    /** URL query parameters. */
+    params?: Record<string, string | number | boolean>;
+    /** Request timeout in milliseconds. */
+    timeout?: number;
+    /** AbortSignal for manual cancellation. */
+    signal?: AbortSignal;
+    /** Response type (defaults to 'json'). */
+    responseType?: 'json' | 'text' | 'blob' | 'arraybuffer';
+    /** Base URL for this request (overrides global baseURL). */
+    baseURL?: string;
+}
+/**
+ * HTTP response.
+ */
+export interface HttpResponse<T = any> {
+    /** Response data (parsed). */
+    data: T;
+    /** HTTP status code. */
+    status: number;
+    /** HTTP status text. */
+    statusText: string;
+    /** Response headers. */
+    headers: Headers;
+    /** Original request config. */
+    config: RequestConfig;
+}
+/**
+ * Error types for predictable error handling.
+ */
+export type HttpErrorType = 'network' | 'timeout' | 'abort' | 'http' | 'parse';
+/**
+ * HTTP error with structured information.
+ */
+export declare class HttpError extends Error {
+    /** Error type (network, timeout, http, etc). */
+    type: HttpErrorType;
+    /** HTTP status code (if available). */
+    status?: number;
+    /** Response data (if available). */
+    data?: any;
+    /** Original request config. */
+    config: RequestConfig;
+    /** Native Response object (if available). */
+    response?: Response;
+    constructor(message: string, type: HttpErrorType, config: RequestConfig, options?: {
+        status?: number;
+        data?: any;
+        response?: Response;
+    });
+}
+/**
+ * Request interceptor.
+ * Called before each request is sent.
+ * Can modify config or throw to abort the request.
+ */
+export type RequestInterceptor = (config: RequestConfig) => RequestConfig | Promise<RequestConfig>;
+/**
+ * Response interceptor.
+ * Called after each successful response.
+ * Can transform the response or throw to convert success to error.
+ */
+export type ResponseInterceptor = <T = any>(response: HttpResponse<T>) => HttpResponse<T> | Promise<HttpResponse<T>>;
+/**
+ * Error interceptor.
+ * Called when a request fails.
+ * Can recover from errors or rethrow.
+ */
+export type ErrorInterceptor = (error: HttpError) => never | Promise<never>;
+/**
+ * Interceptor hooks.
+ */
+export interface Interceptors {
+    /** Called before each request. */
+    onRequest?: RequestInterceptor;
+    /** Called after each successful response. */
+    onResponse?: ResponseInterceptor;
+    /** Called when a request fails. */
+    onError?: ErrorInterceptor;
+}
+/**
+ * XSRF (CSRF) protection configuration.
+ */
+export interface XsrfConfig {
+    /** Name of the cookie where the token is stored (default: 'XSRF-TOKEN'). */
+    cookieName?: string;
+    /** Name of the header to send the token in (default: 'X-XSRF-TOKEN'). */
+    headerName?: string;
+    /** HTTP methods that don't require XSRF protection (default: ['GET', 'HEAD', 'OPTIONS']). */
+    safeMethods?: HttpMethod[];
+}
+/**
+ * HTTP client configuration.
+ */
+export interface HttpClientConfig extends Interceptors {
+    /** Base URL for all requests. */
+    baseURL?: string;
+    /** Default headers for all requests. */
+    headers?: Record<string, string>;
+    /** Default timeout in milliseconds. */
+    timeout?: number;
+    /** Default response type. */
+    responseType?: 'json' | 'text' | 'blob' | 'arraybuffer';
+    /**
+     * XSRF (CSRF) protection configuration.
+     * - `true`: Enable with defaults (cookieName: 'XSRF-TOKEN', headerName: 'X-XSRF-TOKEN')
+     * - `false`: Disable XSRF protection
+     * - `XsrfConfig`: Custom configuration
+     */
+    xsrf?: boolean | XsrfConfig;
+}
+/**
+ * HTTP client instance.
+ */
+export interface HttpClient {
+    /** Make a request with full config. */
+    request<T = any>(config: RequestConfig): Promise<HttpResponse<T>>;
+    /** GET request. */
+    get<T = any>(url: string, config?: Omit<RequestConfig, 'url' | 'method'>): Promise<HttpResponse<T>>;
+    /** POST request. */
+    post<T = any>(url: string, data?: any, config?: Omit<RequestConfig, 'url' | 'method' | 'data'>): Promise<HttpResponse<T>>;
+    /** PUT request. */
+    put<T = any>(url: string, data?: any, config?: Omit<RequestConfig, 'url' | 'method' | 'data'>): Promise<HttpResponse<T>>;
+    /** PATCH request. */
+    patch<T = any>(url: string, data?: any, config?: Omit<RequestConfig, 'url' | 'method' | 'data'>): Promise<HttpResponse<T>>;
+    /** DELETE request. */
+    delete<T = any>(url: string, config?: Omit<RequestConfig, 'url' | 'method'>): Promise<HttpResponse<T>>;
+}

package/dist/http/types.js

@@ -0,0 +1,20 @@
+/**
+ * HTTP Client Types
+ *
+ * Type definitions for the Dalila HTTP client.
+ * Designed for simplicity and SPA-first workflows.
+ */
+/**
+ * HTTP error with structured information.
+ */
+export class HttpError extends Error {
+    constructor(message, type, config, options) {
+        super(message);
+        this.name = 'HttpError';
+        this.type = type;
+        this.config = config;
+        this.status = options?.status;
+        this.data = options?.data;
+        this.response = options?.response;
+    }
+}

package/dist/http/xsrf.d.ts

@@ -0,0 +1,24 @@
+/**
+ * XSRF (CSRF) Protection Utilities
+ *
+ * Helpers for reading XSRF tokens from cookies/meta tags and
+ * determining which HTTP methods require protection.
+ */
+import type { HttpMethod } from './types.js';
+/**
+ * Extract value from a cookie by name.
+ */
+export declare function getCookie(name: string): string | null;
+/**
+ * Extract XSRF token from meta tag.
+ */
+export declare function getMetaTag(name: string): string | null;
+/**
+ * Get XSRF token (tries cookie first, then meta tag fallback).
+ */
+export declare function getXsrfToken(cookieName: string): string | null;
+/**
+ * Check if HTTP method requires XSRF token.
+ * Safe methods (GET, HEAD, OPTIONS) don't need tokens.
+ */
+export declare function requiresXsrfToken(method: HttpMethod, safeMethods: HttpMethod[]): boolean;

package/dist/http/xsrf.js

@@ -0,0 +1,45 @@
+/**
+ * XSRF (CSRF) Protection Utilities
+ *
+ * Helpers for reading XSRF tokens from cookies/meta tags and
+ * determining which HTTP methods require protection.
+ */
+/**
+ * Extract value from a cookie by name.
+ */
+export function getCookie(name) {
+    if (typeof document === 'undefined')
+        return null;
+    const value = `; ${document.cookie}`;
+    const parts = value.split(`; ${name}=`);
+    if (parts.length === 2) {
+        return parts.pop()?.split(';').shift() || null;
+    }
+    return null;
+}
+/**
+ * Extract XSRF token from meta tag.
+ */
+export function getMetaTag(name) {
+    if (typeof document === 'undefined')
+        return null;
+    const element = document.querySelector(`meta[name="${name}"]`);
+    return element?.getAttribute('content') || null;
+}
+/**
+ * Get XSRF token (tries cookie first, then meta tag fallback).
+ */
+export function getXsrfToken(cookieName) {
+    const fromCookie = getCookie(cookieName);
+    if (fromCookie)
+        return fromCookie;
+    // Fallback to common meta tag names
+    return getMetaTag('csrf-token') || getMetaTag('xsrf-token');
+}
+/**
+ * Check if HTTP method requires XSRF token.
+ * Safe methods (GET, HEAD, OPTIONS) don't need tokens.
+ */
+export function requiresXsrfToken(method, safeMethods) {
+    return !safeMethods.includes(method);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dalila",
-  "version": "1.7.6",
+  "version": "1.8.0",
   "description": "DOM-first reactive framework based on signals",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -38,6 +38,10 @@
       "types": "./dist/form/index.d.ts",
       "default": "./dist/form/index.js"
     },
+    "./http": {
+      "types": "./dist/http/index.d.ts",
+      "default": "./dist/http/index.js"
+    },
     "./components/ui": {
       "types": "./dist/components/ui/index.d.ts",
       "default": "./dist/components/ui/index.js"