eclipsa 0.1.8 → 0.1.10

package/{action-DqgkV3zb.mjs → action-DCc4fBhy.mjs}

@@ -378,6 +378,96 @@ const resetClientHooks = () => {
 	clientHooks = {};
 };
 //#endregion
+//#region core/action-csrf.ts
+const ACTION_CSRF_COOKIE = "__eclipsa_action_csrf";
+const ACTION_CSRF_FIELD = "__e_csrf";
+const ACTION_CSRF_HEADER = "x-eclipsa-csrf";
+const ACTION_CSRF_INPUT_ATTR = "data-e-action-csrf";
+const ACTION_CSRF_ERROR_MESSAGE = "Invalid CSRF token.";
+const ACTION_CSRF_TOKEN_KEY = Symbol.for("eclipsa.action-csrf-token");
+const ACTION_CSRF_SET_COOKIE_KEY = Symbol.for("eclipsa.action-csrf-set-cookie");
+const getCrypto = () => {
+	if (globalThis.crypto) return globalThis.crypto;
+	const nodeCrypto = typeof process === "undefined" ? void 0 : process.getBuiltinModule?.("node:crypto");
+	if (nodeCrypto?.webcrypto) return nodeCrypto.webcrypto;
+	throw new Error("Web Crypto API is not available in this environment.");
+};
+const toHex = (bytes) => [...bytes].map((value) => value.toString(16).padStart(2, "0")).join("");
+const createActionCsrfToken = () => {
+	const bytes = new Uint8Array(32);
+	getCrypto().getRandomValues(bytes);
+	return toHex(bytes);
+};
+const parseCookie = (cookieHeader, name) => {
+	if (!cookieHeader) return null;
+	for (const entry of cookieHeader.split(";")) {
+		const trimmed = entry.trim();
+		if (!trimmed.startsWith(`${name}=`)) continue;
+		const value = trimmed.slice(name.length + 1);
+		if (value.length === 0) return null;
+		try {
+			return decodeURIComponent(value);
+		} catch {
+			return value;
+		}
+	}
+	return null;
+};
+const shouldUseSecureCookie = (c) => {
+	try {
+		if (new URL(c.req.raw.url).protocol === "https:") return true;
+	} catch {}
+	return c.req.header("x-forwarded-proto")?.split(",")[0]?.trim().toLowerCase() === "https";
+};
+const readActionCsrfTokenFromCookieHeader = (cookieHeader) => parseCookie(cookieHeader, ACTION_CSRF_COOKIE);
+const readActionCsrfTokenFromDocument = (doc) => readActionCsrfTokenFromCookieHeader(doc.cookie);
+const readActionCsrfTokenFromFormData = (value) => {
+	const token = value.get(ACTION_CSRF_FIELD);
+	return typeof token === "string" && token.length > 0 ? token : null;
+};
+const readActionCsrfTokenFromRequest = (c) => readActionCsrfTokenFromCookieHeader(c.req.header("cookie"));
+const ensureActionCsrfToken = (c) => {
+	const record = c;
+	const existing = record[ACTION_CSRF_TOKEN_KEY];
+	if (typeof existing === "string" && existing.length > 0) return existing;
+	const cookieToken = readActionCsrfTokenFromRequest(c);
+	if (cookieToken) {
+		record[ACTION_CSRF_TOKEN_KEY] = cookieToken;
+		record[ACTION_CSRF_SET_COOKIE_KEY] = false;
+		return cookieToken;
+	}
+	const created = createActionCsrfToken();
+	record[ACTION_CSRF_TOKEN_KEY] = created;
+	record[ACTION_CSRF_SET_COOKIE_KEY] = true;
+	return created;
+};
+const getCurrentActionCsrfToken = () => {
+	const context = getCurrentServerRequestContext();
+	return context ? ensureActionCsrfToken(context) : null;
+};
+const serializeActionCsrfCookie = (token, secure) => [
+	`${ACTION_CSRF_COOKIE}=${encodeURIComponent(token)}`,
+	"Path=/",
+	"SameSite=Lax",
+	...secure ? ["Secure"] : []
+].join("; ");
+const applyActionCsrfCookie = (response, c) => {
+	const record = c;
+	if (record[ACTION_CSRF_SET_COOKIE_KEY] !== true) return response;
+	const token = record[ACTION_CSRF_TOKEN_KEY];
+	if (!token) return response;
+	const cookieValue = serializeActionCsrfCookie(token, shouldUseSecureCookie(c));
+	try {
+		response.headers.append("set-cookie", cookieValue);
+	} catch {
+		const next = new Response(response.body, response);
+		next.headers.append("set-cookie", cookieValue);
+		response = next;
+	}
+	record[ACTION_CSRF_SET_COOKIE_KEY] = false;
+	return response;
+};
+//#endregion
 //#region core/suspense.ts
 const PENDING_SIGNAL_ERROR_KEY = Symbol.for("eclipsa.pending-signal-error");
 const SUSPENSE_TYPE_KEY = Symbol.for("eclipsa.suspense-type");
@@ -1399,7 +1489,15 @@ const ROUTE_DOCUMENT_FALLBACK = Object.freeze({
 	document: true,
 	ok: false
 });
-const splitRoutePath = (pathname) => normalizeRoutePath(pathname).split("/").filter(Boolean);
+const decodeRoutePathSegment = (segment) => {
+	try {
+		return decodeURIComponent(segment);
+	} catch {
+		return segment;
+	}
+};
+const splitRawRoutePath = (pathname) => normalizeRoutePath(pathname).split("/").filter(Boolean);
+const splitRoutePath = (pathname) => splitRawRoutePath(pathname).map(decodeRoutePathSegment);
 const matchRouteSegments = (segments, pathnameSegments, routeIndex = 0, pathIndex = 0, params = {}) => {
 	if (routeIndex >= segments.length) return pathIndex >= pathnameSegments.length ? params : null;
 	const segment = segments[routeIndex];
@@ -1464,8 +1562,14 @@ const scoreSpecialManifestEntry = (entry, pathname) => {
 	return score;
 };
 const findSpecialManifestEntry = (manifest, pathname, kind) => {
-	const matched = matchRouteManifest(manifest, pathname);
+	const normalizedPath = normalizeRoutePath(pathname);
+	const matched = matchRouteManifest(manifest, normalizedPath);
 	if (matched?.entry[kind]) return matched;
+	const rawPathSegments = splitRawRoutePath(normalizedPath);
+	for (let length = rawPathSegments.length - 1; length >= 0; length -= 1) {
+		const candidate = matchRouteManifest(manifest, length === 0 ? "/" : `/${rawPathSegments.slice(0, length).join("/")}`);
+		if (candidate?.entry[kind]) return candidate;
+	}
 	let best = null;
 	let bestScore = -1;
 	for (const entry of manifest) {
@@ -1475,7 +1579,7 @@ const findSpecialManifestEntry = (manifest, pathname, kind) => {
 			best = {
 				entry,
 				params: EMPTY_ROUTE_PARAMS,
-				pathname: normalizeRoutePath(pathname)
+				pathname: normalizedPath
 			};
 			bestScore = score;
 		}
@@ -1766,7 +1870,7 @@ const parseInsertMarker = (value) => {
 };
 //#endregion
 //#region core/runtime/serialization.ts
-const createRuntimeSerialization = ({ createProjectionSlot, ensureRouterState, ensureRuntimeElementId, evaluateProps, findRuntimeElement, getResolvedRuntimeSymbols, isPlainObject, isProjectionSlot, isRenderObject, isRouteSlot, loadSymbol, materializeScope, materializeSymbolReference, registerScope, registerSerializedScope, resolveRenderable }) => {
+const createRuntimeSerialization = ({ createProjectionSlot, ensureRouterState, ensureRuntimeElementId, evaluateProps, findRuntimeElement, getResolvedRuntimeSymbols, isPlainObject, isProjectionSlot, isRenderObject, isRouteSlot, loadSymbol, materializeComputedSignalReference, materializeScope, materializeSymbolReference, registerScope, registerSerializedScope, resolveRenderable }) => {
 	const getRenderComponentTypeRef = (value) => {
 		if (typeof value !== "function") return null;
 		return value[RENDER_COMPONENT_TYPE_KEY] ?? null;
@@ -1890,7 +1994,7 @@ const createRuntimeSerialization = ({ createProjectionSlot, ensureRouterState, e
 		const signalMeta = getSignalMeta(candidate);
 		if (signalMeta) return {
 			__eclipsa_type: "ref",
-			kind: "signal",
+			kind: signalMeta.kind === "computed-signal" ? "computed-signal" : "signal",
 			token: signalMeta.id
 		};
 		if (getNavigateMeta(candidate)) return {
@@ -2024,6 +2128,7 @@ const createRuntimeSerialization = ({ createProjectionSlot, ensureRouterState, e
 			if (!record) throw new Error(`Missing signal ${reference.token}.`);
 			return record.handle;
 		}
+		if (reference.kind === "computed-signal") return materializeComputedSignalReference(container, reference.token);
 		if (reference.kind === "symbol") {
 			if (!reference.data || !Array.isArray(reference.data)) throw new TypeError("Symbol references require an encoded scope array.");
 			const scopeId = registerSerializedScope(container, reference.data);
@@ -2133,6 +2238,16 @@ const renderScopedStyleNode = (container, scopeId, style) => {
 };
 const renderFrameScopedStylesToString = (frame) => frame.scopedStyles.map((style) => renderScopedStyleString(frame.component.scopeId, style)).join("");
 const renderFrameScopedStylesToNodes = (frame, container) => frame.scopedStyles.map((style) => renderScopedStyleNode(container, frame.component.scopeId, style));
+const createActionCsrfInputString = (token) => `<input ${ACTION_CSRF_INPUT_ATTR}="" name="${escapeAttr(ACTION_CSRF_FIELD)}" type="hidden" value="${escapeAttr(token)}">`;
+const createActionCsrfInputNode = (doc, token) => {
+	const input = createElementNode(doc, "input");
+	input.setAttribute(ACTION_CSRF_INPUT_ATTR, "");
+	input.setAttribute("name", ACTION_CSRF_FIELD);
+	input.setAttribute("type", "hidden");
+	input.setAttribute("value", token);
+	return input;
+};
+const readActionCsrfTokenFromRuntimeDocument = (doc) => doc && "cookie" in doc && typeof doc.cookie === "string" ? readActionCsrfTokenFromDocument(doc) : null;
 const registerRuntimeScopedStyle = (cssText, attributes = {}) => {
 	const frame = getCurrentFrame();
 	if (!frame || frame.component.id === "$root") throw new Error("useStyleScoped() can only be used while rendering a component.");
@@ -2259,6 +2374,7 @@ const getRuntimeSerialization = () => {
 		isRenderObject,
 		isRouteSlot,
 		loadSymbol,
+		materializeComputedSignalReference,
 		materializeScope,
 		materializeSymbolReference,
 		registerScope,
@@ -2280,8 +2396,15 @@ const findNextNumericId = (ids, prefix) => {
 	}
 	return nextId;
 };
-const getRefSignalId = (value) => getSignalMeta(value)?.id ?? null;
-const getBindableSignalId = (value) => getSignalMeta(value)?.id ?? null;
+const isWritableSignalMeta = (meta) => !!meta && meta.kind !== "computed-signal";
+const getRefSignalId = (value) => {
+	const signalMeta = getSignalMeta(value);
+	return isWritableSignalMeta(signalMeta) ? signalMeta.id : null;
+};
+const getBindableSignalId = (value) => {
+	const signalMeta = getSignalMeta(value);
+	return isWritableSignalMeta(signalMeta) ? signalMeta.id : null;
+};
 const syncRuntimeRefMarker = (element, value) => {
 	const signalId = getRefSignalId(value);
 	if (signalId) {
@@ -2298,7 +2421,7 @@ const readBindableSignalValue = (value) => {
 };
 const assignRuntimeRef = (value, element, container = getCurrentContainer()) => {
 	const signalMeta = getSignalMeta(value);
-	if (!signalMeta) return false;
+	if (!isWritableSignalMeta(signalMeta)) return false;
 	const record = container?.signals.get(signalMeta.id);
 	if (record) {
 		writeSignalValue(container, record, element);
@@ -2453,12 +2576,41 @@ const createSignalHandle = (record, container) => {
 	setSignalMeta(handle, {
 		get: () => record.value,
 		id: record.id,
+		kind: "signal",
 		set: (value) => {
 			writeSignalValue(container, record, value);
 		}
 	});
 	return handle;
 };
+const isComputedSignalSnapshot = (value) => !!value && typeof value === "object" && value.__e_async_computed === true;
+const readComputedSignalValue = (record) => {
+	recordSignalRead(record);
+	const snapshot = record.value;
+	if (!isComputedSignalSnapshot(snapshot)) return snapshot;
+	if (snapshot.status === "pending") throw createPendingSignalError(snapshot.promise ?? Promise.resolve(void 0));
+	if (snapshot.status === "rejected") throw snapshot.error;
+	return snapshot.value;
+};
+const createComputedSignalHandle = (record, _container) => {
+	const handle = {};
+	Object.defineProperty(handle, "value", {
+		configurable: true,
+		enumerable: true,
+		get() {
+			return readComputedSignalValue(record);
+		}
+	});
+	setSignalMeta(handle, {
+		get: () => readComputedSignalValue(record),
+		id: record.id,
+		kind: "computed-signal",
+		set: () => {
+			throw new TypeError("Computed signals are read-only.");
+		}
+	});
+	return handle;
+};
 const isPrimitiveSignalValue = (value) => value === null || typeof value !== "object" && typeof value !== "function";
 const didSignalValueChange = (previous, next) => {
 	if (isPrimitiveSignalValue(previous) && isPrimitiveSignalValue(next)) return !Object.is(previous, next);
@@ -2683,6 +2835,11 @@ const materializeSymbolReference = (container, symbolId, scopeId) => {
 	});
 	return fn;
 };
+const materializeComputedSignalReference = (container, signalId) => {
+	const record = container.signals.get(signalId);
+	if (!record) throw new Error(`Missing signal ${signalId}.`);
+	return createComputedSignalHandle(record, container);
+};
 const materializeScope = (container, scopeId) => {
 	const slots = container.scopes.get(scopeId);
 	if (!slots) throw new Error(`Missing scope ${scopeId}.`);
@@ -3990,6 +4147,7 @@ const renderStringNode = (inputElementLike) => {
 	const frame = getCurrentFrame();
 	let hasInnerHTML = false;
 	let innerHTML = null;
+	let isActionForm = false;
 	if (frame && hasScopedStyles(frame) && resolved.type !== "style") attrParts.push(`${SCOPED_STYLE_ATTR}="${escapeAttr(frame.component.scopeId)}"`);
 	for (const name in resolved.props) {
 		if (!Object.hasOwn(resolved.props, name)) continue;
@@ -4033,13 +4191,21 @@ const renderStringNode = (inputElementLike) => {
 		if (resolved.type === "body" && name === "data-e-resume") continue;
 		if (value === true) {
 			attrParts.push(name);
+			if (name === "data-e-action-form") isActionForm = true;
 			continue;
 		}
+		if (name === "data-e-action-form") isActionForm = true;
 		attrParts.push(`${name}="${escapeAttr(String(value))}"`);
 	}
 	if (resolved.type === "body" && container) attrParts.push("data-e-resume=\"paused\"");
 	let childrenText = innerHTML ?? "";
-	if (!hasInnerHTML) childrenText += renderStringNode(resolved.props.children);
+	if (!hasInnerHTML) {
+		if (resolved.type === "form" && isActionForm) {
+			const csrfToken = getCurrentActionCsrfToken();
+			if (csrfToken) childrenText += createActionCsrfInputString(csrfToken);
+		}
+		childrenText += renderStringNode(resolved.props.children);
+	}
 	const rendered = resolved.type === "__ECLIPSA_FRAGMENT" ? childrenText : `<${resolved.type}${attrParts.length > 0 ? ` ${attrParts.join(" ")}` : ""}>${childrenText}</${resolved.type}>`;
 	return resolved.key === null || resolved.key === void 0 ? rendered : wrapStringWithKeyedRange(rendered, resolveKeyedRangeScope(), resolved.key);
 };
@@ -4271,6 +4437,10 @@ const renderClientNodes = (inputElementLike, container) => {
 			rememberManagedAttributesForNode(element);
 			nodes = [element];
 		} else {
+			if (resolved.type === "form" && element.getAttribute("data-e-action-form") !== null) {
+				const csrfToken = readActionCsrfTokenFromRuntimeDocument(container.doc);
+				if (csrfToken) element.appendChild(createActionCsrfInputNode(container.doc, csrfToken));
+			}
 			const childNodes = renderClientNodes(resolved.props.children, container);
 			for (const child of childNodes) element.appendChild(child);
 			rememberManagedAttributesForNode(element);
@@ -5350,6 +5520,32 @@ const collectResumeHmrBoundaryIds = (container, symbolIds) => {
 	}
 	return result;
 };
+const rewriteSerializedSymbolReferenceToken = (value, affectedIds, nextSymbolId) => {
+	if (Array.isArray(value)) {
+		for (const entry of value) rewriteSerializedSymbolReferenceToken(entry, affectedIds, nextSymbolId);
+		return;
+	}
+	if (!value || typeof value !== "object" || !("__eclipsa_type" in value)) return;
+	switch (value.__eclipsa_type) {
+		case "object":
+			for (const [, entry] of value.entries) rewriteSerializedSymbolReferenceToken(entry, affectedIds, nextSymbolId);
+			return;
+		case "map":
+			for (const [key, entry] of value.entries) {
+				rewriteSerializedSymbolReferenceToken(key, affectedIds, nextSymbolId);
+				rewriteSerializedSymbolReferenceToken(entry, affectedIds, nextSymbolId);
+			}
+			return;
+		case "set":
+			for (const entry of value.entries) rewriteSerializedSymbolReferenceToken(entry, affectedIds, nextSymbolId);
+			return;
+		case "ref":
+			if (value.kind === "symbol" && affectedIds.has(value.token)) value.token = nextSymbolId;
+			if (value.data !== void 0) rewriteSerializedSymbolReferenceToken(value.data, affectedIds, nextSymbolId);
+			return;
+		default: return;
+	}
+};
 const applyResumeHmrSymbolReplacements = (container, replacements) => {
 	for (const [oldSymbolId, url] of Object.entries(replacements)) {
 		const currentUrl = container.symbols.get(oldSymbolId);
@@ -5364,6 +5560,7 @@ const applyResumeHmrSymbolReplacements = (container, replacements) => {
 		for (const component of container.components.values()) if (affectedIds.has(component.symbol)) component.symbol = nextSymbolId;
 		for (const watch of container.watches.values()) if (affectedIds.has(watch.symbol)) watch.symbol = nextSymbolId;
 		for (const visible of container.visibles.values()) if (affectedIds.has(visible.symbol)) visible.symbol = nextSymbolId;
+		for (const slots of container.scopes.values()) for (const slot of slots) rewriteSerializedSymbolReferenceToken(slot, affectedIds, nextSymbolId);
 		container.symbols.set(nextSymbolId, url);
 		invalidateRuntimeSymbolCaches(container, [nextSymbolId]);
 	}
@@ -6111,7 +6308,10 @@ const useRuntimeSignal = (fallback) => {
 };
 const createDetachedRuntimeSignal = (container, id, fallback) => ensureSignalRecord(container, id, fallback).handle;
 const getRuntimeComponentId = () => getCurrentFrame()?.component.id ?? null;
-const getRuntimeSignalId = (value) => getSignalMeta(value)?.id ?? null;
+const getRuntimeSignalId = (value) => {
+	const signalMeta = getSignalMeta(value);
+	return isWritableSignalMeta(signalMeta) ? signalMeta.id : null;
+};
 const useRuntimeNavigate = () => {
 	const container = getCurrentContainer();
 	if (!container) return createStandaloneNavigate();
@@ -6233,6 +6433,14 @@ const ACTION_STREAM_CONTENT_TYPE = "application/eclipsa-action-stream+json";
 const ACTION_FORM_ATTR = "data-e-action-form";
 const ACTION_FORM_FIELD = "__e_action";
 const ACTION_INPUT_CACHE_KEY = Symbol.for("eclipsa.action-input-cache");
+const ACTION_CSRF_ERROR_CODE = Symbol.for("eclipsa.action-csrf-error");
+var ActionCsrfError = class extends Error {
+	[ACTION_CSRF_ERROR_CODE] = true;
+	constructor() {
+		super(ACTION_CSRF_ERROR_MESSAGE);
+		this.name = "ActionCsrfError";
+	}
+};
 const getActionRegistry = () => {
 	const globalRecord = globalThis;
 	const existing = globalRecord[ACTION_REGISTRY_KEY];
@@ -6258,7 +6466,7 @@ const normalizeFormSubmissionInput = (value) => {
 	if (!isFormDataValue(value)) return value;
 	const normalized = formDataToInputObject(value);
 	return Object.fromEntries(Object.entries(normalized).flatMap(([key, entry]) => {
-		if (key === "__e_action") return [];
+		if (key === "__e_action" || key === "__e_csrf") return [];
 		if (Array.isArray(entry)) {
 			const values = entry.filter((candidate) => typeof candidate === "string").map((candidate) => candidate);
 			return values.length > 0 ? [[key, values.length === 1 ? values[0] : values]] : [];
@@ -6322,6 +6530,17 @@ const deserializeActionServerValue = (value) => deserializePublicValue(value, {
 	};
 	throw new TypeError(`Unsupported action input reference kind "${reference.kind}".`);
 } });
+const isActionCsrfValid = async (c) => {
+	const cookieToken = readActionCsrfTokenFromRequest(c);
+	if (!cookieToken) return false;
+	const contentType = c.req.header("content-type") ?? "";
+	if (contentType.startsWith("application/eclipsa-action+json")) return c.req.header(ACTION_CSRF_HEADER) === cookieToken;
+	if (contentType.startsWith("application/x-www-form-urlencoded") || contentType.startsWith("multipart/form-data")) {
+		const input = await getActionInputCache(c);
+		return isFormDataValue(input) && readActionCsrfTokenFromFormData(input) === cookieToken;
+	}
+	return false;
+};
 const deserializeActionClientValue = (container, value) => deserializePublicValue(value, { deserializeReference(reference) {
 	if (!container) throw new TypeError("Action references require an active runtime container.");
 	if (readActionRefContainerId(reference) !== container.id) throw new TypeError("Action reference does not belong to the active runtime container.");
@@ -6471,12 +6690,22 @@ const invokeAction = async (id, input, container) => {
 	const isFormSubmission = isFormDataValue(input);
 	const actionPath = `/__eclipsa/action/${encodeURIComponent(id)}`;
 	const requestContext = typeof window === "undefined" ? getCurrentServerRequestContext() : null;
+	const csrfToken = typeof document !== "undefined" ? readActionCsrfTokenFromDocument(document) : requestContext ? ensureActionCsrfToken(requestContext) : null;
 	const currentRouteUrl = typeof window !== "undefined" ? window.location.href : requestContext?.req.header("x-eclipsa-route-url") ?? requestContext?.req.raw.url ?? null;
 	const requestUrl = requestContext ? new URL(actionPath, requestContext.req.raw.url).href : actionPath;
-	const response = await (requestContext && typeof requestContext.var.fetch === "function" ? requestContext.var.fetch : fetch)(requestUrl, {
-		body: isFormSubmission ? input : JSON.stringify({ input: serializeActionClientValue(container, input) }),
+	const fetchImpl = requestContext && typeof requestContext.var.fetch === "function" ? requestContext.var.fetch : fetch;
+	const csrfCookie = requestContext && csrfToken ? [requestContext.req.header("cookie"), `${ACTION_CSRF_COOKIE}=${encodeURIComponent(csrfToken)}`].filter(Boolean).join("; ") : null;
+	const response = await fetchImpl(requestUrl, {
+		body: isFormSubmission && csrfToken ? (() => {
+			const next = new FormData();
+			for (const [name, value] of input.entries()) next.append(name, value);
+			next.set(ACTION_CSRF_FIELD, csrfToken);
+			return next;
+		})() : isFormSubmission ? input : JSON.stringify({ input: serializeActionClientValue(container, input) }),
 		headers: {
 			accept: `${ACTION_STREAM_CONTENT_TYPE}, ${ACTION_CONTENT_TYPE}`,
+			...csrfCookie ? { cookie: csrfCookie } : {},
+			...csrfToken ? { [ACTION_CSRF_HEADER]: csrfToken } : {},
 			...currentRouteUrl ? { [ROUTE_RPC_URL_HEADER]: currentRouteUrl } : {},
 			...isFormSubmission ? {} : { "content-type": ACTION_CONTENT_TYPE }
 		},
@@ -6540,6 +6769,7 @@ const getActionFormSubmissionId = async (c) => {
 const executeActionSubmission = async (id, c) => {
 	const action = getActionRegistry().get(id);
 	if (!action) throw new Error(`Unknown action ${id}.`);
+	if (!await isActionCsrfValid(c)) throw new ActionCsrfError();
 	const input = await readActionSubmissionInput(c);
 	const result = await composeMiddlewares(c, action.middlewares, action.handler);
 	if (result instanceof Response) return {
@@ -6583,6 +6813,15 @@ const createActionFormNode = (id, props) => {
 	hiddenInput.type = "hidden";
 	hiddenInput.value = id;
 	form.appendChild(hiddenInput);
+	const csrfToken = readActionCsrfTokenFromDocument(document);
+	if (csrfToken) {
+		const csrfInput = document.createElement("input");
+		csrfInput.name = ACTION_CSRF_FIELD;
+		csrfInput.type = "hidden";
+		csrfInput.value = csrfToken;
+		csrfInput.setAttribute(ACTION_CSRF_INPUT_ATTR, "");
+		form.appendChild(csrfInput);
+	}
 	for (const [name, value] of Object.entries(props)) {
 		if (name === "children" || name === "action" || name === "method" || value === false || value === void 0 || value === null) continue;
 		if (name === "class") {
@@ -6639,16 +6878,16 @@ const hasAction = (id) => getActionRegistry().has(id);
 const executeAction = async (id, c) => {
 	try {
 		const result = await executeActionSubmission(id, c);
-		return result.kind === "response" ? result.response : toActionResponse(result.value);
+		return applyActionCsrfCookie(result.kind === "response" ? result.response : toActionResponse(result.value), c);
 	} catch (error) {
 		const publicError = await transformCurrentPublicError(error, "action");
-		return new Response(JSON.stringify({
+		return applyActionCsrfCookie(new Response(JSON.stringify({
 			error: toSerializedActionError(publicError),
 			ok: false
 		}), {
 			headers: { "content-type": ACTION_CONTENT_TYPE },
-			status: 500
-		});
+			status: error instanceof ActionCsrfError ? 403 : 500
+		}), c);
 	}
 };
 const __eclipsaAction = (id, middlewares, handler) => {
@@ -6795,6 +7034,6 @@ const __eclipsaAction = (id, middlewares, handler) => {
 	}, id));
 };
 //#endregion
-export { shouldReconnectDetachedInsertMarkers as $, IS_BROWSER as $n, consumePendingSsrLoaderIds as $t, getRuntimeComponentId as A, isPendingSignalError as An, getComponentMeta as At, refreshRegisteredRouteContainers as B, resetClientHooks as Bn, getRegisteredLoaderHookIds as Bt, createOnCleanup as C, getContextProviderMeta as Cn, RESUME_STATE_ELEMENT_ID as Ct, createStandaloneRuntimeSignal as D, useContext as Dn, __eclipsaWatch as Dt, createResumeContainer as E, materializeRuntimeContextProvider as En, __eclipsaLazy as Et, notFound as F, deserializePublicValue as Fn, getLoaderHookMeta as Ft, renderSSRAttr as G, transformCurrentPublicError as Gn, setActionHandleMeta as Gt, registerRuntimeScopedStyle as H, runHandleError as Hn, getWatchMeta as Ht, preserveReusableContentInRoots as I, getClientHooks as In, getNavigateMeta as It, renderString as J, escapeInlineScriptText as Jn, setLoaderHandleMeta as Jt, renderSSRMap as K, withServerRequestContext as Kn, setActionHookMeta as Kt, primeLocationState as L, getCurrentServerRequestContext as Ln, getRegisteredActionHook as Lt, getRuntimeSignalId as M, APP_HOOKS_ELEMENT_ID as Mn, getExternalComponentMeta as Mt, getStreamingResumeBootstrapScriptContent as N, attachRequestFetch as Nn, getLazyMeta as Nt, createWatch as O, Suspense as On, getActionHandleMeta as Ot, installResumeListeners as P, createRequestFetch as Pn, getLoaderHandleMeta as Pt, restoreSignalRefs as Q, serializeValue as Qn, __eclipsaLoader as Qt, primeRouteModules as R, markPublicError as Rn, getRegisteredActionHookIds as Rt, createEffect as S, createContext as Sn, RESUME_FINAL_STATE_ELEMENT_ID as St, createOnVisible as T, materializeRuntimeContext as Tn, __eclipsaEvent as Tt, renderClientInsertable as U, serializePublicValue as Un, registerActionHook as Ut, registerResumeContainer as V, resolveReroute as Vn, getSignalMeta as Vt, renderClientInsertableForOwner as W, toPublicError as Wn, registerLoaderHook as Wt, restoreResumedExternalComponents as X, parseSerializedJSON as Xn, setNavigateMeta as Xt, restoreRegisteredRpcHandles as Y, escapeJSONScriptText as Yn, setLoaderHookMeta as Yt, restoreResumedLocalSignalEffects as Z, serializeJSONScriptContent as Zn, setSignalMeta as Zt, beginSSRContainer as _, ROUTE_RPC_URL_HEADER as _n, getRememberedInsertMarkerNodeCount as _t, action as a, markPendingSsrLoader as an, useRuntimeLocation as at, collectPendingSuspenseBoundaryIds as b, renderRouteMetadataHead as bn, rememberManagedAttributesForNodes as bt, getActionFormSubmissionId as c, resolvePendingLoaders as cn, useRuntimeRouteParams as ct, primeActionState as d, ROUTE_LINK_ATTR as dn, writeAsyncSignalSnapshot as dt, executeLoader as en, IS_SSR as er, syncRuntimeRefMarker as et, registerAction as f, ROUTE_MANIFEST_ELEMENT_ID as fn, INSERT_MARKER_PREFIX as ft, beginAsyncSSRContainer as g, ROUTE_REPLACE_ATTR as gn, parseInsertMarker as gt, assignRuntimeRef as h, ROUTE_PREFLIGHT_REQUEST_HEADER as hn, parseComponentBoundaryMarker as ht, __eclipsaAction as i, loader_exports as in, tryPatchNodeSequenceInPlace as it, getRuntimeContainer as j, isSuspenseType as jn, getEventMeta as jt, getResumePayloadScriptContent as k, createPendingSignalError as kn, getActionHookMeta as kt, getNormalizedActionInput as l, ROUTE_DATA_ENDPOINT as ln, useRuntimeSignal as lt, applyResumeHmrUpdateToRegisteredContainers as m, ROUTE_PREFLIGHT_ENDPOINT as mn, createInsertMarker as mt, ACTION_FORM_ATTR as n, isPendingSsrLoaderError as nn, noSerialize as nr, toResumePayloadSubset as nt, executeAction as o, primeLoaderState as on, useRuntimeNavigate as ot, validator as p, ROUTE_PREFETCH_ATTR as pn, createComponentBoundaryHtmlComment as pt, renderSSRValue as q, deserializeValue as qn, setExternalComponentMeta as qt, ACTION_FORM_FIELD as r, loader as rn, tryPatchElementShellInPlace as rt, executeActionSubmission as s, registerLoader as sn, useRuntimeRouteError as st, ACTION_CONTENT_TYPE as t, hasLoader as tn, isNoSerialize as tr, toResumePayload as tt, hasAction as u, ROUTE_DATA_REQUEST_HEADER as un, withRuntimeContainer as ut, bindRuntimeEvent as v, ROUTE_METADATA_HEAD_ATTR as vn, rememberInsertMarkerRange as vt, createOnMount as w, getRuntimeContextReference as wn, __eclipsaComponent as wt, createDetachedClientInsertOwner as x, resolveRouteMetadata as xn, syncManagedAttributeSnapshot as xt, captureClientInsertOwner as y, composeRouteMetadata as yn, rememberManagedAttributesForNode as yt, readAsyncSignalSnapshot as z, registerClientHooks as zn, getRegisteredLoaderHook as zt };
+export { shouldReconnectDetachedInsertMarkers as $, deserializeValue as $n, __eclipsaLoader as $t, getRuntimeComponentId as A, createPendingSignalError as An, getActionHookMeta as At, refreshRegisteredRouteContainers as B, createRequestFetch as Bn, getRegisteredLoaderHook as Bt, createOnCleanup as C, createContext as Cn, RESUME_FINAL_STATE_ELEMENT_ID as Ct, createStandaloneRuntimeSignal as D, materializeRuntimeContextProvider as Dn, __eclipsaLazy as Dt, createResumeContainer as E, materializeRuntimeContext as En, __eclipsaEvent as Et, notFound as F, applyActionCsrfCookie as Fn, getLoaderHandleMeta as Ft, renderSSRAttr as G, registerClientHooks as Gn, registerLoaderHook as Gt, registerRuntimeScopedStyle as H, getClientHooks as Hn, getSignalMeta as Ht, preserveReusableContentInRoots as I, ensureActionCsrfToken as In, getLoaderHookMeta as It, renderString as J, runHandleError as Jn, setExternalComponentMeta as Jt, renderSSRMap as K, resetClientHooks as Kn, setActionHandleMeta as Kt, primeLocationState as L, readActionCsrfTokenFromDocument as Ln, getNavigateMeta as Lt, getRuntimeSignalId as M, isSuspenseType as Mn, getEventMeta as Mt, getStreamingResumeBootstrapScriptContent as N, ACTION_CSRF_FIELD as Nn, getExternalComponentMeta as Nt, createWatch as O, useContext as On, __eclipsaWatch as Ot, installResumeListeners as P, ACTION_CSRF_INPUT_ATTR as Pn, getLazyMeta as Pt, restoreSignalRefs as Q, withServerRequestContext as Qn, setSignalMeta as Qt, primeRouteModules as R, APP_HOOKS_ELEMENT_ID as Rn, getRegisteredActionHook as Rt, createEffect as S, resolveRouteMetadata as Sn, ACTION_FORM_ATTR$1 as St, createOnVisible as T, getRuntimeContextReference as Tn, __eclipsaComponent as Tt, renderClientInsertable as U, getCurrentServerRequestContext as Un, getWatchMeta as Ut, registerResumeContainer as V, deserializePublicValue as Vn, getRegisteredLoaderHookIds as Vt, renderClientInsertableForOwner as W, markPublicError as Wn, registerActionHook as Wt, restoreResumedExternalComponents as X, toPublicError as Xn, setLoaderHookMeta as Xt, restoreRegisteredRpcHandles as Y, serializePublicValue as Yn, setLoaderHandleMeta as Yt, restoreResumedLocalSignalEffects as Z, transformCurrentPublicError as Zn, setNavigateMeta as Zt, beginSSRContainer as _, ROUTE_REPLACE_ATTR as _n, getRememberedInsertMarkerNodeCount as _t, action as a, loader_exports as an, IS_BROWSER as ar, useRuntimeLocation as at, collectPendingSuspenseBoundaryIds as b, composeRouteMetadata as bn, rememberManagedAttributesForNodes as bt, getActionFormSubmissionId as c, registerLoader as cn, noSerialize as cr, useRuntimeRouteParams as ct, primeActionState as d, ROUTE_DATA_REQUEST_HEADER as dn, writeAsyncSignalSnapshot as dt, consumePendingSsrLoaderIds as en, escapeInlineScriptText as er, syncRuntimeRefMarker as et, registerAction as f, ROUTE_LINK_ATTR as fn, INSERT_MARKER_PREFIX as ft, beginAsyncSSRContainer as g, ROUTE_PREFLIGHT_REQUEST_HEADER as gn, parseInsertMarker as gt, assignRuntimeRef as h, ROUTE_PREFLIGHT_ENDPOINT as hn, parseComponentBoundaryMarker as ht, __eclipsaAction as i, loader as in, serializeValue as ir, tryPatchNodeSequenceInPlace as it, getRuntimeContainer as j, isPendingSignalError as jn, getComponentMeta as jt, getResumePayloadScriptContent as k, Suspense as kn, getActionHandleMeta as kt, getNormalizedActionInput as l, resolvePendingLoaders as ln, useRuntimeSignal as lt, applyResumeHmrUpdateToRegisteredContainers as m, ROUTE_PREFETCH_ATTR as mn, createInsertMarker as mt, ACTION_FORM_ATTR as n, hasLoader as nn, parseSerializedJSON as nr, toResumePayloadSubset as nt, executeAction as o, markPendingSsrLoader as on, IS_SSR as or, useRuntimeNavigate as ot, validator as p, ROUTE_MANIFEST_ELEMENT_ID as pn, createComponentBoundaryHtmlComment as pt, renderSSRValue as q, resolveReroute as qn, setActionHookMeta as qt, ACTION_FORM_FIELD as r, isPendingSsrLoaderError as rn, serializeJSONScriptContent as rr, tryPatchElementShellInPlace as rt, executeActionSubmission as s, primeLoaderState as sn, isNoSerialize as sr, useRuntimeRouteError as st, ACTION_CONTENT_TYPE as t, executeLoader as tn, escapeJSONScriptText as tr, toResumePayload as tt, hasAction as u, ROUTE_DATA_ENDPOINT as un, withRuntimeContainer as ut, bindRuntimeEvent as v, ROUTE_RPC_URL_HEADER as vn, rememberInsertMarkerRange as vt, createOnMount as w, getContextProviderMeta as wn, RESUME_STATE_ELEMENT_ID as wt, createDetachedClientInsertOwner as x, renderRouteMetadataHead as xn, syncManagedAttributeSnapshot as xt, captureClientInsertOwner as y, ROUTE_METADATA_HEAD_ATTR as yn, rememberManagedAttributesForNode as yt, readAsyncSignalSnapshot as z, attachRequestFetch as zn, getRegisteredActionHookIds as zt };
 
-//# sourceMappingURL=action-DqgkV3zb.mjs.map
+//# sourceMappingURL=action-DCc4fBhy.mjs.map