gorsee 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (98) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +139 -0
  3. package/package.json +69 -0
  4. package/src/auth/index.ts +147 -0
  5. package/src/build/client.ts +121 -0
  6. package/src/build/css-modules.ts +69 -0
  7. package/src/build/devalue-parse.ts +2 -0
  8. package/src/build/rpc-transform.ts +62 -0
  9. package/src/build/server-strip.ts +87 -0
  10. package/src/build/ssg.ts +100 -0
  11. package/src/cli/bun-plugin.ts +37 -0
  12. package/src/cli/cmd-build.ts +182 -0
  13. package/src/cli/cmd-check.ts +225 -0
  14. package/src/cli/cmd-create.ts +313 -0
  15. package/src/cli/cmd-dev.ts +13 -0
  16. package/src/cli/cmd-generate.ts +147 -0
  17. package/src/cli/cmd-migrate.ts +45 -0
  18. package/src/cli/cmd-routes.ts +29 -0
  19. package/src/cli/cmd-start.ts +21 -0
  20. package/src/cli/cmd-typegen.ts +83 -0
  21. package/src/cli/framework-md.ts +196 -0
  22. package/src/cli/index.ts +84 -0
  23. package/src/db/index.ts +2 -0
  24. package/src/db/migrate.ts +89 -0
  25. package/src/db/sqlite.ts +40 -0
  26. package/src/deploy/dockerfile.ts +38 -0
  27. package/src/dev/error-overlay.ts +54 -0
  28. package/src/dev/hmr.ts +31 -0
  29. package/src/dev/partial-handler.ts +109 -0
  30. package/src/dev/request-handler.ts +158 -0
  31. package/src/dev/watcher.ts +48 -0
  32. package/src/dev.ts +273 -0
  33. package/src/env/index.ts +74 -0
  34. package/src/errors/catalog.ts +48 -0
  35. package/src/errors/formatter.ts +63 -0
  36. package/src/errors/index.ts +2 -0
  37. package/src/i18n/index.ts +72 -0
  38. package/src/index.ts +27 -0
  39. package/src/jsx-runtime-client.ts +13 -0
  40. package/src/jsx-runtime.ts +20 -0
  41. package/src/jsx-types-html.ts +242 -0
  42. package/src/log/index.ts +44 -0
  43. package/src/prod.ts +310 -0
  44. package/src/reactive/computed.ts +7 -0
  45. package/src/reactive/effect.ts +7 -0
  46. package/src/reactive/index.ts +7 -0
  47. package/src/reactive/live.ts +97 -0
  48. package/src/reactive/optimistic.ts +83 -0
  49. package/src/reactive/resource.ts +138 -0
  50. package/src/reactive/signal.ts +20 -0
  51. package/src/reactive/store.ts +36 -0
  52. package/src/router/index.ts +2 -0
  53. package/src/router/matcher.ts +53 -0
  54. package/src/router/scanner.ts +206 -0
  55. package/src/runtime/client.ts +28 -0
  56. package/src/runtime/error-boundary.ts +35 -0
  57. package/src/runtime/event-replay.ts +50 -0
  58. package/src/runtime/form.ts +49 -0
  59. package/src/runtime/head.ts +113 -0
  60. package/src/runtime/html-escape.ts +30 -0
  61. package/src/runtime/hydration.ts +95 -0
  62. package/src/runtime/image.ts +48 -0
  63. package/src/runtime/index.ts +12 -0
  64. package/src/runtime/island-hydrator.ts +84 -0
  65. package/src/runtime/island.ts +88 -0
  66. package/src/runtime/jsx-runtime.ts +167 -0
  67. package/src/runtime/link.ts +45 -0
  68. package/src/runtime/router.ts +224 -0
  69. package/src/runtime/server.ts +102 -0
  70. package/src/runtime/stream.ts +182 -0
  71. package/src/runtime/suspense.ts +37 -0
  72. package/src/runtime/typed-routes.ts +26 -0
  73. package/src/runtime/validated-form.ts +106 -0
  74. package/src/security/cors.ts +80 -0
  75. package/src/security/csrf.ts +85 -0
  76. package/src/security/headers.ts +50 -0
  77. package/src/security/index.ts +4 -0
  78. package/src/security/rate-limit.ts +80 -0
  79. package/src/server/action.ts +48 -0
  80. package/src/server/cache.ts +102 -0
  81. package/src/server/compress.ts +60 -0
  82. package/src/server/etag.ts +23 -0
  83. package/src/server/guard.ts +69 -0
  84. package/src/server/index.ts +19 -0
  85. package/src/server/middleware.ts +143 -0
  86. package/src/server/mime.ts +48 -0
  87. package/src/server/pipe.ts +46 -0
  88. package/src/server/rpc-hash.ts +17 -0
  89. package/src/server/rpc.ts +125 -0
  90. package/src/server/sse.ts +96 -0
  91. package/src/server/ws.ts +56 -0
  92. package/src/testing/index.ts +74 -0
  93. package/src/types/index.ts +4 -0
  94. package/src/types/safe-html.ts +32 -0
  95. package/src/types/safe-sql.ts +28 -0
  96. package/src/types/safe-url.ts +40 -0
  97. package/src/types/user-input.ts +12 -0
  98. package/src/unsafe/index.ts +18 -0
package/src/types/safe-url.ts ADDED
@@ -0,0 +1,40 @@
1
+ declare const __safeURLBrand: unique symbol
2
+
3
+ export type SafeURLValue = string & { readonly [__safeURLBrand]: true }
4
+
5
+ const ALLOWED_PROTOCOLS = ["http:", "https:", "mailto:"]
6
+ const DANGEROUS_PROTOCOLS = ["javascript:", "data:", "vbscript:", "blob:"]
7
+
8
+ export function validateURL(raw: string): SafeURLValue {
9
+ // Check dangerous protocols before URL parsing (handles case-insensitive)
10
+ const lower = raw.trim().toLowerCase()
11
+ for (const proto of DANGEROUS_PROTOCOLS) {
12
+ if (lower.startsWith(proto)) {
13
+ throw new Error(`[GORSEE E005] Dangerous URL protocol: "${proto}" is not allowed`)
14
+ }
15
+ }
16
+
17
+ let url: URL
18
+ try {
19
+ url = new URL(raw)
20
+ } catch {
21
+ // Relative URLs are allowed (they don't parse as absolute URLs)
22
+ return raw as SafeURLValue
23
+ }
24
+
25
+ if (!ALLOWED_PROTOCOLS.includes(url.protocol)) {
26
+ throw new Error(
27
+ `[GORSEE E005] Disallowed URL protocol: "${url.protocol}". Allowed: ${ALLOWED_PROTOCOLS.join(", ")}`
28
+ )
29
+ }
30
+
31
+ return raw as SafeURLValue
32
+ }
33
+
34
+ export function SafeURL(
35
+ strings: TemplateStringsArray,
36
+ ...values: unknown[]
37
+ ): SafeURLValue {
38
+ const raw = String.raw(strings, ...values.map(String))
39
+ return validateURL(raw)
40
+ }
package/src/types/user-input.ts ADDED
@@ -0,0 +1,12 @@
1
+ declare const __userInputBrand: unique symbol
2
+
3
+ export type UserInput<T> = T & { readonly [__userInputBrand]: true }
4
+
5
+ export interface ValidationSchema<T> {
6
+ parse(raw: unknown): T
7
+ }
8
+
9
+ export function validate<T>(schema: ValidationSchema<T>, raw: unknown): UserInput<T> {
10
+ const parsed = schema.parse(raw)
11
+ return parsed as UserInput<T>
12
+ }
package/src/unsafe/index.ts ADDED
@@ -0,0 +1,18 @@
1
+ import type { SafeSQLValue } from "../types/safe-sql.ts"
2
+ import type { SafeHTMLValue } from "../types/safe-html.ts"
3
+
4
+ /**
5
+ * DANGER: Bypasses SQL safety. Only use when you know the string is safe.
6
+ * This function exists as an explicit escape hatch -- its name signals danger.
7
+ */
8
+ export function unsafeSQL(raw: string): SafeSQLValue {
9
+ return { text: raw, params: [] } as unknown as SafeSQLValue
10
+ }
11
+
12
+ /**
13
+ * DANGER: Bypasses HTML sanitization. Only use for trusted content.
14
+ * This function exists as an explicit escape hatch -- its name signals danger.
15
+ */
16
+ export function unsafeHTML(raw: string): SafeHTMLValue {
17
+ return raw as unknown as SafeHTMLValue
18
+ }