glashjs 0.12.0 → 0.13.0

package/README.md

@@ -1,228 +1,225 @@
 # glashjs
 
-The glashdb-native web framework — **a Next.js alternative** with the file-based routing, SSR, API routes, layouts, and JSX component model you know from Next, made **fast, offline-capable, and secure by default**. It ships real features instead of promises.
+**The Postgres-native full-stack framework for builders who want to ship without DevOps.**
 
-> **Status:** `0.6.0` — the full framework is here: file-based routing, server-side rendering, API routes, JSX components with client hydration, nested layouts, streaming SSR, a dev/prod server, plus the asset optimizer, offline service worker, animated favicon, and secure-by-default headers. Core installs with zero mandatory dependencies.
+glashjs is the GlashDB-native framework layer: **Framework + Hosting + Database + Auth + Deploy**. It gives you file-based routing, typed routes, server functions, API routes, Postgres helpers, glashAuth helpers, SQL runner support, AI deployment prompts, zero-config hosting, automatic env management, and one-command deployment.
 
-## What it does today
+## Create a Glash project
 
 ```bash
-glash build            # optimize assets, emit offline SW + PWA + security manifests
-glash optimize public  # just run the asset optimizer over a directory
+npx glashjs create my-app
+cd my-app
+npm run dev
 ```
 
-Run against the real glashdb SVG logos (zero optional deps installed):
+The create CLI asks for:
 
-```
-assets        6
-original      33.2 KB
-optimized     10.1 KB
-saved         69.7%   ← real Brotli, browser-transparent
-offline       10 files precached (works offline after first visit)
-security      strict CSP + 11 headers
-```
+- Project name and folder.
+- CSS setup: Tailwind, plain CSS, or none.
+- Postgres by default.
+- glashAuth route helpers.
+- SQL runner support.
+- AI deployment prompts.
+- Package manager and dependency install.
+
+For non-interactive use:
 
-## The three pillars
+```bash
+npx glashjs create my-app --yes --css tailwind --pm npm
+npx glashjs create my-app --yes --css plain --no-install
+```
 
-### 1. Asset optimizer — the smallest payload a browser can decode
-At build time glashjs re-encodes every asset to the leanest format the client supports, then serves the best variant per request — no config, no runtime image server, originals never touched. How each asset type is handled:
-- **Text / SVG / JS / CSS / HTML** → **Brotli + Gzip** (`zlib`, built in). Real 4–8× on text/SVG. The browser decompresses transparently via `Content-Encoding` — compress on build, decompress in the browser.
-- **jpg / png / webp** → **AVIF + WebP** variants (needs optional `sharp`). Typically 3–10× vs unoptimized originals.
-- **mp4 / mov / webm** → **AV1** + poster frame (needs optional `ffmpeg`).
-- Emits `glash-assets.manifest.json` so the glashdb edge (or any server) serves the best variant per client. Originals are never mutated.
+The generated app includes:
 
-> **glashjs installs with zero dependencies.** Brotli/Gzip works out of the box.
-> To enable image/video transcoding, add the optional enhancers yourself:
-> `npm i sharp` (AVIF/WebP) and install `ffmpeg` on your PATH (AV1). They're
-> declared as **optional peers**, so a plain `npm i glashjs` pulls nothing else.
+```text
+routes/
+  index.jsx
+  _layout.jsx
+  api/health.mjs
+  api/auth/signin.mjs
+  api/auth/signup.mjs
+  api/auth/me.mjs
+  api/functions/contact.mjs
+  api/sql/run.mjs
+db/schema.sql
+.glash/prompts/deploy.md
+glash.config.mjs
+.env.example
+.env.local
+```
+
+## First-class features
+
+- **File-based routing**: every file in `routes/` becomes a page or API route.
+- **Typed routes**: `glashjs typegen` writes `glash-routes.d.ts` with literal page/API route unions.
+- **Server functions**: wrap trusted server code with `serverFunction()` and call it from the browser.
+- **API routes**: method exports such as `GET`, `POST`, `PUT`, and `DELETE`.
+- **Postgres by default**: `glashjs/postgres` reads `DATABASE_URL` and exposes `sql`, `query`, and transactions.
+- **glashAuth built in**: `glashjs/auth` calls the real GlashDB auth API under `/api/auth/v1/:projectId`.
+- **SQL runner support**: `glashjs sql db/schema.sql` runs checked-in SQL against `DATABASE_URL`.
+- **AI deployment prompts**: starters include `.glash/prompts/deploy.md` for agents and deployment review.
+- **Zero-config hosting**: `glashjs deploy` builds and hands off to the GlashDB deploy CLI.
+- **Automatic env management**: `.env`, `.env.local`, and mode-specific env files load automatically; hosted deploys use GlashDB project env vars.
+- **One-command deployment**: `npm run deploy`.
+
+## Commands
 
-### 2. Offline layer — usable with no internet after first visit
-Generates a **Service Worker** (`glash-sw.js`) + PWA manifest that precache the app shell and hashed assets into small cached files. Strategies:
-- **assets** → cache-first (immutable, hash-busted on deploy)
-- **HTML** → stale-while-revalidate (instant, self-healing)
-- **`/api` `/rest` `/auth` `/live` `/stream`** → **network-first**, so offline mode degrades *exactly* at live/updated data and streaming — the site keeps working, just without fresh data. (Configurable via `dataPrefixes`.)
+```bash
+glashjs create [name]          # scaffold a new Glash project
+glashjs dev [--port 3000]     # dev server with live reload and LAN URL
+glashjs build                 # optimize assets, precompile routes, emit PWA/security manifests
+glashjs serve                 # serve the production build
+glashjs typegen               # generate typed route declarations
+glashjs sql <file.sql>        # run SQL against DATABASE_URL
+glashjs deploy                # build, then deploy to GlashDB
+glashjs optimize public       # optimize public assets only
+glashjs migrate               # scaffold routes from an existing Next app
+glashjs update                # update glashjs
+```
 
-### 3. Security — secure by default
-glashjs ships strong, opinionated defaults so you're secure unless you loosen them:
-- **Strict CSP** with no `'unsafe-inline'` scripts (XSS-via-injection blocked by default)
-- HSTS, `X-Content-Type-Options`, `X-Frame-Options: DENY`, COOP/COEP/CORP isolation, tight `Permissions-Policy` & `Referrer-Policy`
-- **Subresource Integrity** helper (`sri()`) for build assets
-- Emitted to `glash-headers.json` for the edge, plus a `glashSecurity()` Express middleware
+`glashjs` installs two bins: `glashjs` and `glash`. In projects that also install the GlashDB deploy CLI, prefer `glashjs <cmd>` so the package names stay clear.
 
-## Routing, SSR & API (new in 0.1)
-glashjs now has a real server runtime — **file-based routing**, **server-side rendering**, and **API routes** — on Node built-ins, zero deps.
+## Routing
 
-```
+```text
 routes/
-  index.mjs          ->  /                 (SSR page)
-  about.mjs          ->  /about
-  blog/[slug].mjs    ->  /blog/:slug       (dynamic segment -> ctx.params.slug)
-  docs/[...path].mjs ->  /docs/*           (catch-all)
-  api/hello.mjs      ->  /api/hello        (API: export GET/POST/…)
-  404.jsx            ->  custom not-found page (any unmatched path -> 404)
-  500.jsx            ->  custom error page (rendered in production on a throw)
+  index.mjs          -> /
+  about.jsx          -> /about
+  blog/[slug].jsx    -> /blog/:slug
+  docs/[...path].mjs -> /docs/*
+  api/hello.mjs      -> /api/hello
+  404.jsx            -> custom not-found page
+  500.jsx            -> custom error page
 ```
 
 ```js
-// routes/index.mjs  — a server-rendered page (XSS-safe `html` template)
-import { html } from 'glashjs';
-export default (ctx) => ({ title: 'Home', body: html`<h1>Hello ${ctx.query.name}</h1>` });
-
-// routes/api/hello.mjs — an API route
+// routes/api/hello.mjs
 import { json } from 'glashjs';
-export const GET  = (ctx) => ({ ok: true, name: ctx.query.name });
-export const POST = (ctx) => json({ created: ctx.body }, { status: 201 });
-```
 
-```bash
-glashjs dev      # dev server (live reload) — prints a Local + Network (LAN IP) URL
-                 #   ➜ Local:    http://localhost:3000
-                 #   ➜ Network:  http://192.168.1.57:3000   (open from your phone/other devices)
-glashjs serve    # production server over routes/ + built assets (Brotli-negotiated)
-glashjs update   # update glashjs to the latest published version
-glashjs build    # optimize assets + precompile routes
-glashjs deploy   # build, then deploy to glashdb
+export const GET = (ctx) => json({
+  ok: true,
+  name: ctx.query.name ?? 'builder',
+});
 ```
 
-> glashjs installs **two** bins — `glashjs` and `glash` — both run the same CLI.
-> Use **`glashjs <cmd>`** in projects that also have the `@glash/cli`/`glashdb`
-> deploy CLI installed, since that package owns the `glash` name there.
-
-**`<Image>`** (better than `next/image` — no runtime image server, uses the build's AVIF/WebP):
 ```jsx
-import { Image } from 'glashjs/image';
-<Image src="/hero.png" alt="Hero" width={1200} height={630} />
-// -> <picture><source …avif><source …webp><img loading=lazy decoding=async></picture>
-```
+// routes/index.jsx
+export const metadata = { title: 'Home' };
 
-**File-based middleware** (`_middleware.mjs`, runs root→leaf before the route):
-```js
-import { redirect } from 'glashjs';
-export default (ctx) => { if (!ctx.headers.authorization) return redirect('/login'); };
+export default function Home() {
+  return <main>Ship without DevOps.</main>;
+}
 ```
 
-**SEO metadata** + **client-side navigation**:
-```jsx
-import { Link } from 'glashjs/link';
-export const metadata = { title: 'About', description: '…', openGraph: { image: '/og.png' } };
-export default () => <Link href="/">Home</Link>;   // SPA swap, no full reload; crawlable <a>
-```
+## Postgres
 
-Every response carries the secure-by-default headers; static files are served from the build with Brotli negotiation.
+```js
+import { sql, transaction } from 'glashjs/postgres';
 
-### JSX components + client hydration (new in 0.2)
-Author pages as **JSX components**, server-render them, and **hydrate** in the browser so hooks work — real interactivity, the Next-style model. Built on **Preact** (React-compatible) + **esbuild**, added as *optional peers* (`npm i preact preact-render-to-string esbuild`); glashjs core stays zero-dep.
+const users = await sql`
+  select id, email
+  from users
+  order by created_at desc
+  limit ${20}
+`;
 
-```jsx
-// routes/counter.jsx  — SSR + hydrated, the button is interactive
-import { useState } from 'preact/hooks';
-export function getServerData(ctx) { return { start: Number(ctx.query.start || 0) }; }  // server props
-export default function Counter({ start = 0 }) {
-  const [n, setN] = useState(start);
-  return <button onClick={() => setN(n + 1)}>count is {n}</button>;
-}
+await transaction(async (db) => {
+  await db.query('insert into events(name) values ($1)', ['signup']);
+});
 ```
 
-Hydration is **CSP-safe**: server props ride in a non-executed `<script type="application/json">` and the hydration bundle is an external `'self'` module with a per-request **nonce** — so the strict CSP stays intact (no `'unsafe-inline'`).
+## glashAuth
 
-**Nested layouts** (`_layout.jsx` in any routes dir wrap pages root→leaf, server + hydration), **streaming SSR** (the shell flushes before the component renders — `Transfer-Encoding: chunked`), and **instant HMR** (`glash dev` does an in-place soft re-render on save over SSE — no full reload, no flash, and scroll/focus/form-input are preserved across the swap) are all in. **Suspense streaming** is in too — wrap a data-dependent subtree in `<Suspense fallback={…}>` (from `preact/compat`) and the shell + fallback flush immediately, then each boundary streams in as its data resolves (`renderToPipeableStream`), with preact's inline swap scripts nonce-injected so the strict CSP holds. **Honest scope:** uses Preact (React-compatible via `preact/compat`), not React; HMR preserves DOM/scroll/input state but **not** component `useState` (that's React-Fast-Refresh via `@prefresh`, still ahead).
+```js
+import { glashAuth } from 'glashjs/auth';
 
-## Migrating from Next.js
+const auth = glashAuth();
+const session = await auth.signin({ email, password });
+const user = await auth.me(session.accessToken);
+```
 
-glashjs is a Next.js alternative with the same conventions, so an existing Next app can be moved over with one command:
+Required env:
 
 ```bash
-npx glashjs migrate          # scaffold routes/ from your app/ or pages/ + a report
-npx glashjs migrate --dry-run  # preview the mapping first, write nothing
+GLASHDB_API_URL="https://api.glashdb.com/api"
+GLASHDB_PROJECT_ID="..."
+GLASHDB_ANON_KEY="..."
+DATABASE_URL="postgresql://..."
 ```
 
-`glashjs migrate` does the **mechanical** migration and writes a `MIGRATION.md` punch-list — it never deletes your Next code:
-
-| Next.js | → | glashjs |
-|---|---|---|
-| `app/page.tsx` | → | `routes/index.tsx` |
-| `app/blog/[slug]/page.tsx` | → | `routes/blog/[slug].tsx` |
-| `app/layout.tsx` | → | `routes/_layout.tsx` |
-| `app/api/x/route.ts` (`GET`/`POST`) | → | `routes/api/x.ts` (same `GET`/`POST` exports) |
-| `pages/index.tsx`, `pages/api/x.ts` | → | `routes/index.tsx`, `routes/api/x.ts` |
-| `middleware.ts` | → | `routes/_middleware.mjs` |
-| `getServerSideProps` | → | `getServerData(ctx)` (auto-renamed) |
-| `next/link`, `next/image` | → | `glashjs/link`, `glashjs/image` (auto-rewritten) |
+## Server Functions
 
-Your **React/Next components run as-is**: glashjs aliases `react`/`react-dom` → `preact/compat` in its build, and runs **TypeScript** routes/API/middleware directly (esbuild). `'use client'` is stripped (glashjs hydrates by default).
+```js
+// routes/api/functions/contact.mjs
+import { serverFunction } from 'glashjs/server-functions';
+import { sql } from 'glashjs/postgres';
 
-```bash
-npm i glashjs preact preact-render-to-string esbuild
-npx glashjs dev      # then work the TODOs the report flagged
+export const POST = serverFunction(async ({ email }) => {
+  await sql`insert into contacts(email) values (${email}) on conflict do nothing`;
+  return { saved: true };
+});
 ```
 
-**Honest scope:** the mechanical 80% is automatic. **React Server Components**, **Server Actions**, `getStaticProps` (SSG), and `next/navigation`/`next/headers`/Supabase-server-auth are **flagged in `MIGRATION.md` for hands-on porting** — they don't map 1:1 and glashjs won't pretend they do.
+```js
+import { callServerFunction } from 'glashjs/server-functions';
+
+await callServerFunction('/api/functions/contact', { email: 'you@example.com' });
+```
 
-## Usage
+## Configuration
 
 ```js
 // glash.config.mjs
 import { defineConfig } from 'glashjs/config';
 
 export default defineConfig({
-  name: 'My Site',
+  name: 'My Glash App',
+  routesDir: 'routes',
   publicDir: 'public',
   outDir: '.glash/out',
+  stylesheets: ['/app.css'],
   offline: true,
-  dataPrefixes: ['/api/', '/rest/', '/live'], // network-first (no stale live data offline)
-  // favicon defaults to the official glashdb logo bundled with glashjs
+  animatedFavicon: true,
+  dataPrefixes: ['/api/', '/auth/', '/rest/', '/live', '/stream'],
 });
 ```
 
-```js
-import { build, optimizeAssets, securityHeaders, sri } from 'glashjs';
+## Deploy
+
+```bash
+npm run build
+npm run deploy
 ```
 
-The preview favicon defaults to the **official glashdb logo** (`templates/favicon.svg`).
+`glashjs deploy`:
 
-### Animated favicon (on by default)
-Every build also emits an **animated favicon** — the bundled glash mark, your own
-animated SVG/GIF, or a set of frames that cycle in the tab. The build writes a tiny
-runtime; call it once and it animates the tab icon, pausing while the tab is hidden:
+1. Loads env files.
+2. Builds the app.
+3. Optimizes public assets.
+4. Precompiles JSX routes and client bundles.
+5. Emits PWA, offline, security, and asset manifests.
+6. Hands off to the GlashDB CLI for upload, env sync, build logs, live URL, and hosting.
 
-```js
-import { startGlashFavicon } from '/glash-favicon.mjs';
-startGlashFavicon(); // config is baked in at build time
-```
+## Asset Optimization
 
-```js
-// glash.config.mjs
-animatedFavicon: true,                         // bundled animated glash mark (default)
-// animatedFavicon: '/brand/logo-animated.svg' // your own animated SVG/GIF
-// animatedFavicon: { frames: ['/f0.svg','/f1.svg'], fps: 10 }
+glashjs optimizes assets at build time:
+
+- Text, SVG, JS, CSS, and HTML -> Brotli + Gzip.
+- Images -> AVIF/WebP when optional `sharp` is installed.
+- Video -> AV1/WebM with ffmpeg available.
+- Emits `glash-assets.manifest.json` for edge/runtime negotiation.
+
+Core remains light. Optional image/video enhancers are installed only when you choose them.
+
+## Migrating an Existing App
+
+```bash
+npx glashjs migrate
+npx glashjs migrate --dry-run
 ```
 
-## What's built (a Next.js alternative)
-- [x] Asset optimizer (Brotli/Gzip real; AVIF/WebP/AV1 via optional sharp/ffmpeg)
-- [x] Offline Service Worker + PWA manifest
-- [x] Secure-by-default headers + CSP + SRI
-- [x] File-based routing (pages + `api/`, dynamic `[param]` & catch-all `[...path]`)
-- [x] Server-side rendering (XSS-safe `html` templates) + full-document runtime
-- [x] API routes (per-method handlers, JSON body parsing, typed `json()` responses)
-- [x] Dev/prod server with live route reload + Brotli-negotiated static serving
-- [x] JSX components + client-side hydration (Preact + esbuild) — CSP-safe with nonces
-- [x] Client-JS bundling (esbuild) per route
-- [x] Nested layouts (`_layout.jsx` composing root→leaf, server + hydration)
-- [x] Streaming SSR (shell flushed before the component renders)
-- [x] Instant HMR — in-place soft re-render on save (no full reload, no flash; preserves scroll, focus, and form input)
-- [x] `<Image>` — zero-config `<picture>` with AVIF/WebP from the optimizer (beats next/image: no runtime image server)
-- [x] `<Video>` — `<video>` with AV1/WebM + mp4 fallback + auto poster
-- [x] File-based middleware (`_middleware.mjs`, root→leaf) — auth, redirects, headers
-- [x] Production route precompile (`glash build` bakes server modules + minified client bundles → no runtime esbuild on `glash serve`)
-- [x] SEO metadata API (`export const metadata` → title, description, Open Graph, Twitter cards)
-- [x] `<Link>` client-side navigation (SPA swap of `#glash-root` + re-hydrate; progressive-enhancement `<a>`)
-- [x] `glash deploy` → glashdb (builds, then hands off to the `glashdb` CLI)
-- [x] Production-grade runtime — custom `404`/`500` routes, dev error overlay, HEAD support, Range requests + streamed static (video seeking), graceful mid-stream error handling
-- [x] Suspense streaming (`renderToPipeableStream` — fallback in the shell, each boundary streams in as its data resolves; CSP-safe via per-request nonce injection)
-- [ ] React-Fast-Refresh (`useState` preservation via `@prefresh`; browser-verified), edge adapter
-- [ ] `<Image>` / `<Video>` components that emit `<picture>`/`<source>` from the manifest
-- [ ] Edge adapter for the glashdb Worker (serve `.br`/`.avif` by `Accept`)
-- [ ] `glash deploy` → glashdb hosting in one command
-
-## Design stance
-glashjs is **a Next.js alternative** — it keeps the conventions you know from Next (file-based routing, SSR, layouts, the component model) and composes proven primitives rather than reinventing them. The value is in the **defaults**: every glashjs site is optimized, offline-capable, and secure out of the box.
+The migration command scaffolds `routes/` beside your existing app and writes a report. It handles mechanical route mapping and flags framework-specific code that needs hands-on porting.
+
+## Design Stance
+
+glashjs is built for builders who want the product surface and the production platform to work together. Your app code, Postgres database, auth system, environment variables, deploy logs, domains, and live URL all belong to one GlashDB project.

package/bin/glash.mjs

@@ -8,6 +8,8 @@ import { createGlashServer } from '../src/server/server.mjs';
 import { deploy } from '../src/deploy.mjs';
 import { update } from '../src/update.mjs';
 import { migrate } from '../src/migrate.mjs';
+import { createProject } from '../src/create.mjs';
+import { generateTypedRoutes } from '../src/typed-routes.mjs';
 
 const VERSION = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
 const [, , cmd, ...rest] = process.argv;
@@ -17,6 +19,26 @@ function arg(name, fallback) {
   return i >= 0 && rest[i + 1] ? rest[i + 1] : fallback;
 }
 
+function flag(name) {
+  return rest.includes(name);
+}
+
+function optionBool(disableFlag, fallback = true) {
+  return rest.includes(disableFlag) ? false : fallback;
+}
+
+function firstPositional(args = rest) {
+  for (let i = 0; i < args.length; i += 1) {
+    const item = args[i];
+    if (item.startsWith('--')) {
+      if (!item.includes('=') && args[i + 1] && !args[i + 1].startsWith('--')) i += 1;
+      continue;
+    }
+    return item;
+  }
+  return undefined;
+}
+
 // LAN IPv4 addresses, so the dev server prints a Network URL you can open from
 // your phone or another device on the same network.
 function lanAddresses() {
@@ -49,10 +71,43 @@ async function serve(dev) {
 
 async function main() {
   switch (cmd) {
+    case 'create':
+    case 'init':
+    case 'new': {
+      await createProject({
+        name: firstPositional(),
+        css: arg('--css', undefined),
+        packageManager: arg('--pm', arg('--package-manager', undefined)),
+        yes: flag('--yes') || flag('-y'),
+        force: flag('--force'),
+        install: optionBool('--no-install', undefined),
+        git: optionBool('--no-git', undefined),
+        postgres: optionBool('--no-postgres', undefined),
+        auth: optionBool('--no-auth', undefined),
+        sqlRunner: optionBool('--no-sql-runner', undefined),
+        aiPrompts: optionBool('--no-ai-prompts', undefined),
+      });
+      break;
+    }
     case 'build': {
       await build({ root: arg('--root', process.cwd()) });
       break;
     }
+    case 'typegen':
+    case 'routes': {
+      await generateTypedRoutes({ root: arg('--root', process.cwd()), outFile: arg('--out', 'glash-routes.d.ts') });
+      break;
+    }
+    case 'sql': {
+      const files = rest.filter((item, i) => !item.startsWith('--') && rest[i - 1] !== '--root');
+      if (!files.length) throw new Error('usage: glashjs sql <file.sql> [...more.sql]');
+      const { runSqlFiles } = await import('../src/sql-runner.mjs');
+      const results = await runSqlFiles(files, { root: arg('--root', process.cwd()) });
+      for (const result of results) {
+        console.log(`sql ${result.file} -> ${result.rowCount} row(s), ${result.ms}ms`);
+      }
+      break;
+    }
     case 'deploy': {
       const passthrough = rest.filter((a, i) => a !== '--dry-run' && a !== '--root' && rest[i - 1] !== '--root');
       await deploy({ root: arg('--root', process.cwd()), dryRun: rest.includes('--dry-run'), args: passthrough });
@@ -89,9 +144,12 @@ async function main() {
       console.log(`glashjs — fast, offline-capable, hard-to-hack sites
 
 Usage: (run as "glashjs <cmd>"; "glash <cmd>" also works unless the glashdb deploy CLI owns that name)
+  glashjs create [name]          Create a new Glash project (interactive)
   glashjs dev [--port 3000]     Run the dev server (routing, SSR, API, live reload) + Network preview URL
   glashjs serve [--port 3000]   Run the production server over routes/ + built assets
   glashjs build [--root <dir>]  Optimize assets, precompile routes, generate offline SW + PWA + security
+  glashjs typegen               Generate typed route declarations from routes/
+  glashjs sql <file.sql>        Run a SQL file against DATABASE_URL
   glashjs migrate [--dry-run]   Migrate a Next.js project to glashjs (scaffold routes/ + report)
   glashjs update                Update glashjs to the latest published version
   glashjs deploy [--dry-run]    Build, then deploy to glashdb (hands off to the glashdb CLI)

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "glashjs",
-  "version": "0.12.0",
-  "description": "glashjs — a web framework built on top of Next.js: file-based routing, SSR, API routes, JSX components with client hydration, nested layouts, streaming SSR, a best-in-class build-time asset optimizer, offline PWA layer, animated favicon, and secure-by-default headers. Zero mandatory dependencies.",
+  "version": "0.13.0",
+  "description": "glashjs — The Postgres-native full-stack framework for builders who want to ship without DevOps. Framework, hosting, database, auth, and deploy in one GlashDB-native runtime.",
   "type": "module",
   "bin": {
     "glashjs": "bin/glash.mjs",
@@ -11,6 +11,13 @@
     ".": "./src/index.mjs",
     "./config": "./src/config.mjs",
     "./security": "./src/security/headers.mjs",
+    "./env": "./src/env.mjs",
+    "./postgres": "./src/postgres.mjs",
+    "./auth": "./src/auth.mjs",
+    "./server-functions": "./src/server-functions.mjs",
+    "./sql": "./src/sql-runner.mjs",
+    "./typed-routes": "./src/typed-routes.mjs",
+    "./routes": "./src/routes.mjs",
     "./image": "./src/components/image.mjs",
     "./video": "./src/components/video.mjs",
     "./link": "./src/components/link.mjs",
@@ -28,9 +35,13 @@
     "esbuild": ">=0.20.0",
     "preact": "^10.25.0",
     "preact-render-to-string": "^6.5.0",
+    "pg": "^8.16.0",
     "sharp": "^0.34.5"
   },
   "peerDependenciesMeta": {
+    "pg": {
+      "optional": true
+    },
     "sharp": {
       "optional": true
     },

package/src/auth.mjs

@@ -0,0 +1,96 @@
+// glashAuth helpers for glashjs
+// ---------------------------------------------------------------------------
+// Thin client/server wrapper for the GlashDB auth API:
+//   /api/auth/v1/:projectId/signup
+//   /api/auth/v1/:projectId/signin
+//   /api/auth/v1/:projectId/me
+
+export function glashAuth(options = {}) {
+  const apiUrl = trimSlash(options.apiUrl ?? process.env.GLASHDB_API_URL ?? 'https://api.glashdb.com/api');
+  const projectId = options.projectId
+    ?? process.env.GLASHDB_PROJECT_ID
+    ?? process.env.GLASHAUTH_PROJECT_ID
+    ?? process.env.NEXT_PUBLIC_GLASHDB_PROJECT_ID;
+  const anonKey = options.anonKey
+    ?? process.env.GLASHDB_ANON_KEY
+    ?? process.env.GLASHAUTH_ANON_KEY
+    ?? process.env.NEXT_PUBLIC_GLASHAUTH_ANON_KEY;
+
+  if (!projectId) throw new Error('GLASHDB_PROJECT_ID is required for glashAuth');
+  if (!anonKey) throw new Error('GLASHDB_ANON_KEY is required for glashAuth');
+
+  async function request(path, { body, accessToken, method = 'POST', headers = {} } = {}) {
+    const res = await fetch(`${apiUrl}/auth/v1/${encodeURIComponent(projectId)}/${path.replace(/^\/+/, '')}`, {
+      method,
+      headers: {
+        apikey: anonKey,
+        'content-type': 'application/json',
+        ...(accessToken ? { authorization: `Bearer ${accessToken}` } : {}),
+        ...headers,
+      },
+      body: body === undefined ? undefined : JSON.stringify(body),
+    });
+    const data = await readJson(res);
+    if (!res.ok) {
+      const message = data?.message || data?.error || `glashAuth ${path} failed with HTTP ${res.status}`;
+      throw new Error(message);
+    }
+    return data;
+  }
+
+  return {
+    projectId,
+    apiUrl,
+    signup: ({ email, password, fullName }) => request('signup', { body: { email, password, fullName } }),
+    signin: ({ email, password }) => request('signin', { body: { email, password } }),
+    signout: (refreshToken) => request('signout', { body: { refreshToken } }),
+    refresh: (refreshToken) => request('refresh', { body: { refreshToken } }),
+    magicLink: ({ email, redirectTo }) => request('magic-link/request', { body: { email, redirectTo } }),
+    me: (accessToken) => request('me', { method: 'GET', accessToken }),
+    googleAuthorizeUrl: (redirectTo) => {
+      const url = new URL(`${apiUrl}/auth/v1/${encodeURIComponent(projectId)}/google/authorize`);
+      if (redirectTo) url.searchParams.set('redirect_to', redirectTo);
+      return url.toString();
+    },
+  };
+}
+
+export function readSessionCookie(ctx, name = 'glash_session') {
+  const cookie = ctx?.headers?.cookie || ctx?.req?.headers?.cookie || '';
+  const found = cookie.split(';').map((part) => part.trim()).find((part) => part.startsWith(`${name}=`));
+  if (!found) return null;
+  try {
+    return JSON.parse(Buffer.from(decodeURIComponent(found.slice(name.length + 1)), 'base64url').toString('utf8'));
+  } catch {
+    return null;
+  }
+}
+
+export function sessionCookie(session, options = {}) {
+  const name = options.name ?? 'glash_session';
+  const maxAge = options.maxAge ?? 60 * 60 * 24 * 30;
+  const encoded = Buffer.from(JSON.stringify(session), 'utf8').toString('base64url');
+  const parts = [
+    `${name}=${encodeURIComponent(encoded)}`,
+    'Path=/',
+    `Max-Age=${maxAge}`,
+    'HttpOnly',
+    'SameSite=Lax',
+  ];
+  if (options.secure ?? process.env.NODE_ENV === 'production') parts.push('Secure');
+  return parts.join('; ');
+}
+
+export function clearSessionCookie(name = 'glash_session') {
+  return `${name}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`;
+}
+
+async function readJson(res) {
+  const text = await res.text();
+  if (!text) return null;
+  try { return JSON.parse(text); } catch { return { message: text }; }
+}
+
+function trimSlash(value) {
+  return String(value || '').replace(/\/+$/, '');
+}

package/src/build.mjs

@@ -13,6 +13,7 @@ import { securityHeaders } from './security/headers.mjs';
 import { discoverRoutes } from './server/router.mjs';
 import { isComponentRoute, findLayouts, loadComponentRoute, clientBundle, routeId } from './server/jsx.mjs';
 import { loadConfig } from './config.mjs';
+import { loadEnvFiles } from './env.mjs';
 
 // Precompile JSX routes: server modules (-> .glash/server) + minified client
 // hydration bundles (-> outDir/_glash/<id>.js). Production `glash serve` then
@@ -56,6 +57,7 @@ function pwaManifest(cfg, version) {
 }
 
 export async function build({ root = process.cwd(), log = console.log } = {}) {
+  loadEnvFiles(root, { mode: process.env.NODE_ENV || 'production' });
   const cfg = await loadConfig(root);
   const publicDir = path.resolve(root, cfg.publicDir);
   const outDir = path.resolve(root, cfg.outDir);
@@ -77,6 +79,9 @@ export async function build({ root = process.cwd(), log = console.log } = {}) {
   manifest.generatedAt = new Date().toISOString();
 
   await fs.mkdir(outDir, { recursive: true });
+  if (existsSync(publicDir)) {
+    await fs.cp(publicDir, outDir, { recursive: true, force: true });
+  }
 
   // Precompile JSX routes (server modules + client bundles) for production.
   let routesBuilt = { compiled: 0 };