npm - hono-preact - Versions diffs - 0.1.0 → 0.2.0 - Mend

hono-preact 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/README.md +2 -1
package/dist/adapter-cloudflare.d.ts +1 -0
package/dist/adapter-cloudflare.d.ts.map +1 -0
package/dist/adapter-cloudflare.js +2 -0
package/dist/adapter-node.d.ts +1 -0
package/dist/adapter-node.d.ts.map +1 -0
package/dist/adapter-node.js +2 -0
package/dist/internal.d.ts +1 -1
package/dist/internal.js +1 -1
package/dist/iso/action.d.ts +10 -14
package/dist/iso/action.js +57 -21
package/dist/iso/define-app.d.ts +7 -0
package/dist/iso/define-app.js +3 -0
package/dist/iso/define-loader.d.ts +19 -0
package/dist/iso/define-loader.js +4 -0
package/dist/iso/define-middleware.d.ts +43 -0
package/dist/iso/define-middleware.js +6 -0
package/dist/iso/define-page.d.ts +7 -2
package/dist/iso/define-page.js +1 -1
package/dist/iso/define-routes.d.ts +24 -1
package/dist/iso/define-routes.js +34 -0
package/dist/iso/define-stream-observer.d.ts +20 -0
package/dist/iso/define-stream-observer.js +3 -0
package/dist/iso/index.d.ts +10 -5
package/dist/iso/index.js +5 -3
package/dist/iso/internal/contexts.d.ts +0 -2
package/dist/iso/internal/contexts.js +0 -1
package/dist/iso/internal/loader-fetch.js +37 -7
package/dist/iso/internal/loader-runner.js +105 -8
package/dist/iso/internal/middleware-runner.d.ts +22 -0
package/dist/iso/internal/middleware-runner.js +79 -0
package/dist/iso/internal/page-middleware-host.d.ts +13 -0
package/dist/iso/internal/page-middleware-host.js +119 -0
package/dist/iso/internal/route-boundary.d.ts +1 -0
package/dist/iso/internal/route-boundary.js +16 -0
package/dist/iso/internal/stream-observer-runner.d.ts +13 -0
package/dist/iso/internal/stream-observer-runner.js +48 -0
package/dist/iso/internal/use-partitioner.d.ts +9 -0
package/dist/iso/internal/use-partitioner.js +11 -0
package/dist/iso/internal/use-types.d.ts +7 -0
package/dist/iso/internal/use-types.js +1 -0
package/dist/iso/internal.d.ts +5 -4
package/dist/iso/internal.js +8 -6
package/dist/iso/outcomes.d.ts +38 -0
package/dist/iso/outcomes.js +56 -0
package/dist/iso/page-only.d.ts +5 -0
package/dist/iso/page-only.js +20 -0
package/dist/iso/page.d.ts +3 -3
package/dist/iso/page.js +3 -3
package/dist/page.d.ts +1 -0
package/dist/page.d.ts.map +1 -0
package/dist/page.js +8 -0
package/dist/server/actions-handler.d.ts +20 -6
package/dist/server/actions-handler.js +83 -47
package/dist/server/context.js +1 -1
package/dist/server/index.d.ts +1 -1
package/dist/server/index.js +1 -1
package/dist/server/loaders-handler.d.ts +16 -0
package/dist/server/loaders-handler.js +94 -17
package/dist/server/render.d.ts +2 -0
package/dist/server/render.js +104 -33
package/dist/server/route-server-modules.d.ts +42 -1
package/dist/server/route-server-modules.js +184 -0
package/dist/server/sse.d.ts +24 -1
package/dist/server/sse.js +56 -4
package/dist/vite/adapter-cloudflare.d.ts +2 -0
package/dist/vite/adapter-cloudflare.js +25 -0
package/dist/vite/adapter-node.d.ts +2 -0
package/dist/vite/adapter-node.js +49 -0
package/dist/vite/adapter.d.ts +29 -0
package/dist/vite/adapter.js +1 -0
package/dist/vite/client-shim.js +5 -4
package/dist/vite/guard-strip.js +52 -27
package/dist/vite/hono-preact.d.ts +6 -6
package/dist/vite/hono-preact.js +48 -77
package/dist/vite/index.d.ts +2 -1
package/dist/vite/index.js +1 -1
package/dist/vite/node-dev-server.d.ts +4 -0
package/dist/vite/node-dev-server.js +121 -0
package/dist/vite/server-entry.d.ts +30 -7
package/dist/vite/server-entry.js +161 -78
package/dist/vite/server-exports-contract.d.ts +6 -0
package/dist/vite/server-exports-contract.js +43 -0
package/dist/vite/server-loader-validation.js +36 -9
package/dist/vite/server-loaders-parser.d.ts +17 -1
package/dist/vite/server-loaders-parser.js +41 -0
package/dist/vite/server-only.js +20 -2
package/package.json +32 -4

package/README.md CHANGED Viewed

@@ -37,7 +37,8 @@ Full walkthrough: https://framework.sbesh.com/docs/quick-start
 ## Subpaths
-- `hono-preact`: iso runtime exports (routes, pages, loaders, actions, forms, guards).
+- `hono-preact`: iso runtime exports (routes, pages, loaders, actions, forms, middleware, outcomes).
+- `hono-preact/page`: page-scope outcome kitchen sink (`redirect`, `deny`, `render`, predicates).
 - `hono-preact/server`: server entry, `renderPage`, SSR streaming helpers.
 - `hono-preact/vite`: `honoPreact()` plugin for Vite.
 - `hono-preact/internal`: advanced exports for tooling authors. No stability guarantee.

package/dist/adapter-cloudflare.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './vite/adapter-cloudflare';

package/dist/adapter-cloudflare.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"adapter-cloudflare.d.ts","sourceRoot":"","sources":["../src/adapter-cloudflare.ts"],"names":[],"mappings":"AACA,cAAc,sCAAsC,CAAC"}

package/dist/adapter-cloudflare.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // packages/hono-preact/src/adapter-cloudflare.ts
2	+ export * from './vite/adapter-cloudflare.js';

package/dist/adapter-node.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './vite/adapter-node';

package/dist/adapter-node.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"adapter-node.d.ts","sourceRoot":"","sources":["../src/adapter-node.ts"],"names":[],"mappings":"AACA,cAAc,gCAAgC,CAAC"}

package/dist/adapter-node.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // packages/hono-preact/src/adapter-node.ts
2	+ export * from './vite/adapter-node.js';

package/dist/internal.d.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export * from './iso/internal~~/index~~';
1	+ export * from './iso/internal';

package/dist/internal.js CHANGED Viewed

	@@ -1 +1 @@
1	- export * from './iso/internal~~/index~~.js';
1	+ export * from './iso/internal.js';

package/dist/iso/action.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import type { Context } from 'hono';
-import type { ContentfulStatusCode } from 'hono/utils/http-status';
 import type { LoaderRef } from './define-loader.js';
+import type { ActionUse } from './internal/use-types.js';
 export type ActionStub<TPayload, TResult, TChunk = never> = {
     readonly __module: string;
     readonly __action: string;
@@ -12,7 +12,15 @@ export type ActionCtx = {
     signal: AbortSignal;
 };
 export type ActionFn<TPayload, TResult, TChunk = never> = ((ctx: ActionCtx, payload: TPayload) => Promise<TResult>) | ((ctx: ActionCtx, payload: TPayload) => Promise<ReadableStream<TChunk>>) | ((ctx: ActionCtx, payload: TPayload) => AsyncGenerator<TChunk, TResult, unknown>);
-export declare function defineAction<TPayload, TResult, TChunk = never>(fn: ActionFn<TPayload, TResult, TChunk>): ActionStub<TPayload, TResult, TChunk>;
+export type DefineActionOpts<TChunk = never, TResult = unknown> = {
+    /**
+     * Per-action middleware and (for streaming actions) stream observers.
+     * Attached to the function as a non-enumerable-feeling property; the
+     * actions-handler reads it via the dispatcher (Task 18).
+     */
+    use?: ActionUse<TChunk, TResult, boolean>;
+};
+export declare function defineAction<TPayload, TResult, TChunk = never>(fn: ActionFn<TPayload, TResult, TChunk>, opts?: DefineActionOpts<TChunk, TResult>): ActionStub<TPayload, TResult, TChunk>;
 export type UseActionOptions<TPayload, TResult, TChunk = never, TSnapshot = unknown> = {
     /**
      * How to update loader caches after the action commits. Three modes:
@@ -64,15 +72,3 @@ export type UseActionResult<TPayload, TResult> = {
     data: TResult | null;
 };
 export declare function useAction<TPayload, TResult, TChunk = never, TSnapshot = unknown>(stub: ActionStub<TPayload, TResult, TChunk>, options?: UseActionOptions<TPayload, TResult, TChunk, TSnapshot>): UseActionResult<TPayload, TResult>;
-export type ActionGuardContext = {
-    c: Context;
-    module: string;
-    action: string;
-    payload: unknown;
-};
-export type ActionGuardFn = (ctx: ActionGuardContext, next: () => Promise<void>) => Promise<void>;
-export declare class ActionGuardError extends Error {
-    readonly status: ContentfulStatusCode;
-    constructor(message: string, status?: ContentfulStatusCode);
-}
-export declare const defineActionGuard: (fn: ActionGuardFn) => ActionGuardFn;

package/dist/iso/action.js CHANGED Viewed

@@ -1,9 +1,23 @@
 import { useCallback, useContext, useRef, useState } from 'preact/hooks';
 import { ReloadContext } from './reload-context.js';
 import { ActiveLoaderIdContext } from './internal/contexts.js';
-export function defineAction(fn) {
-    // Runtime no-op: returns fn as-is. actionsHandler casts it back to a function.
-    // The ActionStub type is enforced only by TypeScript and the Vite plugin.
+export function defineAction(fn, opts) {
+    // Runtime no-op for the call itself: returns fn as-is. The ActionStub type
+    // is enforced only by TypeScript and the Vite plugin. The dispatcher reads
+    // `use` off the function-as-stub when running the chain.
+    //
+    // Use `Object.defineProperty` instead of direct assignment so a frozen
+    // module export (strict ESM, HMR-frozen modules) doesn't throw. The
+    // actions-handler reads via `(fn as { use?: ReadonlyArray<unknown> }).use`,
+    // which works whether the property was set by assignment or defineProperty.
+    if (opts?.use) {
+        Object.defineProperty(fn, 'use', {
+            value: opts.use,
+            configurable: true,
+            writable: true,
+            enumerable: false,
+        });
+    }
     return fn;
 }
 function hasFileValues(payload) {
@@ -67,13 +81,44 @@ export function useAction(stub, options) {
                 });
             }
             if (!response.ok) {
-                const body = (await response.json());
-                throw new Error(body.error ?? `Action failed with status ${response.status}`);
+                const body = (await response.json().catch(() => ({})));
+                // Deny outcomes carry `message` instead of the legacy `error`
+                // field; prefer the descriptive message when present. The deny()
+                // constructor defaults the message for first-party callers, but a
+                // hand-rolled envelope from custom server middleware might still
+                // ship without one; fall back to a deny-aware label so the user
+                // sees a hint that the status came from an explicit deny rather
+                // than a generic transport failure.
+                let msg;
+                if (body.__outcome === 'deny') {
+                    msg =
+                        typeof body.message === 'string'
+                            ? body.message
+                            : `Request denied (${response.status})`;
+                }
+                else {
+                    msg = body.error ?? `Action failed with status ${response.status}`;
+                }
+                throw new Error(msg);
             }
             const contentType = response.headers.get('Content-Type') ?? '';
-            // Server-side `GuardRedirect` thrown from an action (or its guards) comes
-            // back as `{ __redirect }`. Hand off to the browser; the rest of this
-            // promise will never settle, but the page is navigating away anyway.
+            // Server-side middleware that throws `redirect(...)` comes back as
+            // a redirect outcome envelope. Hand off to the browser; the rest of
+            // this promise will never settle, but the page is navigating away
+            // anyway.
+            //
+            // Trust boundary: `to` is taken straight from the JSON body and
+            // passed to `window.location.assign`. The framework's own handlers
+            // emit safe (typically same-origin) values, but a compromised or
+            // misconfigured server (or a proxy injecting JSON) could push the
+            // client anywhere. We don't validate origin here for v0.1; treat
+            // your own server as part of the trusted boundary. A same-origin
+            // check is a deferred enhancement (see C4 in the middleware review).
+            //
+            // We use `response.clone().json()` to peek at the body without
+            // consuming it: if the response is NOT a redirect outcome the
+            // downstream `await response.json()` still needs to read it. Clone
+            // is cheap on a small JSON payload.
             if (!contentType.includes('text/event-stream')) {
                 const peek = (await response
                     .clone()
@@ -81,11 +126,11 @@ export function useAction(stub, options) {
                     .catch(() => undefined));
                 if (peek !== null &&
                     typeof peek === 'object' &&
-                    peek !== undefined &&
-                    '__redirect' in peek &&
-                    typeof peek.__redirect === 'string') {
+                    peek.__outcome === 'redirect' &&
+                    typeof peek.to === 'string') {
+                    const to = peek.to;
                     if (typeof window !== 'undefined') {
-                        window.location.assign(peek.__redirect);
+                        window.location.assign(to);
                     }
                     // Cast through `as` because TS can't see this promise never settles.
                     return await new Promise(() => { });
@@ -178,12 +223,3 @@ export function useAction(stub, options) {
     }, []);
     return { mutate, pending, error, data };
 }
-export class ActionGuardError extends Error {
-    status;
-    constructor(message, status = 403) {
-        super(message);
-        this.status = status;
-        this.name = 'ActionGuardError';
-    }
-}
-export const defineActionGuard = (fn) => fn;

package/dist/iso/define-app.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { ServerMiddleware, ClientMiddleware } from './define-middleware.js';
+import type { StreamObserver } from './define-stream-observer.js';
+export type AppUseElement = ServerMiddleware<'page'> | ClientMiddleware | StreamObserver<unknown, never>;
+export type AppConfig = {
+    use?: ReadonlyArray<AppUseElement>;
+};
+export declare function defineApp(config: AppConfig): AppConfig;

package/dist/iso/define-app.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function defineApp(config) {
+    return config;
+}

package/dist/iso/define-loader.d.ts CHANGED Viewed

@@ -2,6 +2,9 @@ import type { ComponentChildren, ComponentType, FunctionComponent } from 'preact
 import type { Context } from 'hono';
 import type { RouteHook } from 'preact-iso';
 import { type LoaderCache } from './cache.js';
+import type { LoaderUse } from './internal/use-types.js';
+import type { Middleware } from './define-middleware.js';
+import type { StreamObserver } from './define-stream-observer.js';
 export type LoaderCtx = {
     c: Context;
     location: RouteHook;
@@ -15,6 +18,15 @@ export interface LoaderRef<T> {
     readonly fn: Loader<T>;
     readonly cache: LoaderCache<T>;
     readonly params: string[] | '*';
+    /**
+     * Per-loader middleware and (for streaming loaders) stream observers,
+     * exactly as authored on `defineLoader({ use })`. The handler-side
+     * dispatcher calls `partitionUse(ref.use)` to split middleware from
+     * observers; both partitions flow through the SSR/RPC streaming pump.
+     * Typed as the union the partitioner accepts so the contract is
+     * advertised at the consumer rather than hidden behind `unknown`.
+     */
+    readonly use: ReadonlyArray<Middleware | StreamObserver<unknown, never>>;
     useData(): T;
     useError(): Error | null;
     invalidate(): void;
@@ -43,5 +55,12 @@ export type DefineLoaderOpts<T> = {
     __loaderName?: string;
     cache?: LoaderCache<T>;
     params?: string[] | '*';
+    /**
+     * Per-loader middleware and (for streaming loaders) stream observers.
+     * The element type LoaderUse<T, Streaming> structurally gates stream
+     * observers off non-streaming loaders, but a tighter compile-time gate
+     * via defineLoader overloads can be added in a follow-up if needed.
+     */
+    use?: LoaderUse<T, boolean>;
 };
 export declare function defineLoader<T>(fn: Loader<T>, opts?: DefineLoaderOpts<T>): LoaderRef<T>;

package/dist/iso/define-loader.js CHANGED Viewed

@@ -80,6 +80,10 @@ export function defineLoader(fn, opts) {
         fn,
         cache: cache,
         params: opts?.params ?? [],
+        // LoaderUse<T, boolean> structurally collapses to the same shape the
+        // partitioner accepts; the cast hides only the generic narrowing on
+        // StreamObserver's TChunk/TResult which is invariant. Identity-preserving.
+        use: (opts?.use ?? []),
         useData() {
             const ctx = useContext(LoaderDataContext);
             if (!ctx) {

package/dist/iso/define-middleware.d.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import type { Context } from 'hono';
+import type { RouteHook } from 'preact-iso';
+import type { Outcome } from './outcomes.js';
+export type Scope = 'page' | 'loader' | 'action';
+export type ServerBaseCtx = {
+    c: Context;
+    signal: AbortSignal;
+};
+export type ServerPageCtx = ServerBaseCtx & {
+    scope: 'page';
+    location: RouteHook;
+};
+export type ServerLoaderCtx = ServerBaseCtx & {
+    scope: 'loader';
+    location: RouteHook;
+    module: string;
+    loader: string;
+};
+export type ServerActionCtx = ServerBaseCtx & {
+    scope: 'action';
+    module: string;
+    action: string;
+    payload: unknown;
+};
+export type ServerCtx<S extends Scope = Scope> = S extends 'page' ? ServerPageCtx : S extends 'loader' ? ServerLoaderCtx : S extends 'action' ? ServerActionCtx : ServerPageCtx | ServerLoaderCtx | ServerActionCtx;
+export type ClientPageCtx = {
+    scope: 'page';
+    location: RouteHook;
+};
+export type Next = () => Promise<unknown>;
+export type ServerMiddleware<S extends Scope = Scope> = {
+    __kind: 'middleware';
+    runs: 'server';
+    fn: (ctx: ServerCtx<S>, next: Next) => Promise<void | Outcome>;
+};
+export type ClientMiddleware = {
+    __kind: 'middleware';
+    runs: 'client';
+    fn: (ctx: ClientPageCtx, next: Next) => Promise<void | Outcome>;
+};
+export type Middleware = ServerMiddleware | ClientMiddleware;
+export declare function defineServerMiddleware<S extends Scope = Scope>(fn: ServerMiddleware<S>['fn']): ServerMiddleware<S>;
+export declare function defineClientMiddleware(fn: ClientMiddleware['fn']): ClientMiddleware;

package/dist/iso/define-middleware.js ADDED Viewed

@@ -0,0 +1,6 @@
+export function defineServerMiddleware(fn) {
+    return { __kind: 'middleware', runs: 'server', fn };
+}
+export function defineClientMiddleware(fn) {
+    return { __kind: 'middleware', runs: 'client', fn };
+}

package/dist/iso/define-page.d.ts CHANGED Viewed

@@ -1,10 +1,15 @@
 import type { ComponentType, FunctionComponent, JSX } from 'preact';
 import type { RouteHook } from 'preact-iso';
-import type { GuardFn } from './guard.js';
+import type { PageUse } from './internal/use-types.js';
 import { type WrapperProps } from './page.js';
 export type PageBindings = {
     Wrapper?: ComponentType<WrapperProps>;
     errorFallback?: JSX.Element | ((error: Error, reset: () => void) => JSX.Element);
-    guards?: GuardFn[];
+    /**
+     * Page-scope middleware and stream observers. The dispatcher partitions
+     * server vs client members by their `runs` tag, so mixed arrays of
+     * defineServerMiddleware + defineClientMiddleware work as one list.
+     */
+    use?: PageUse;
 };
 export declare function definePage(Component: ComponentType, bindings?: PageBindings): FunctionComponent<RouteHook>;

package/dist/iso/define-page.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { jsx as _jsx } from "preact/jsx-runtime";
 import { Page } from './page.js';
 export function definePage(Component, bindings) {
-    const PageRoute = (location) => (_jsx(Page, { Wrapper: bindings?.Wrapper, errorFallback: bindings?.errorFallback, guards: bindings?.guards, location: location, children: _jsx(Component, {}) }));
+    const PageRoute = (location) => (_jsx(Page, { Wrapper: bindings?.Wrapper, errorFallback: bindings?.errorFallback, use: bindings?.use, location: location, children: _jsx(Component, {}) }));
     PageRoute.displayName = `definePage(${Component.displayName ?? Component.name ?? 'Anonymous'})`;
     return PageRoute;
 }

package/dist/iso/define-routes.d.ts CHANGED Viewed

@@ -7,7 +7,7 @@ export type ViewProps = RouteHook;
 type LazyImport<T> = () => Promise<{
     default: T;
 }>;
-type LazyServerImport = () => Promise<unknown>;
+export type LazyServerImport = () => Promise<unknown>;
 export type RouteDef = {
     path: string;
     view?: LazyImport<ComponentType<ViewProps>>;
@@ -20,10 +20,33 @@ export type FlatRoute = {
     component: ComponentType<ViewProps>;
     key: string;
 };
+export type ServerRoute = {
+    /** Absolute route path the server module belongs to. */
+    path: string;
+    /** Lazy `.server.*` module loader. */
+    server: LazyServerImport;
+    /**
+     * Lazy server-module loaders for every server-bearing ancestor in the
+     * route tree, outermost first, NOT including this route's own server.
+     * Used by the server-side pageUse resolver to compose page-layer
+     * middleware along the actual tree of layouts rather than relying on
+     * URL-prefix matching (which conflates siblings that share a path
+     * prefix, e.g. `/demo/projects` and `/demo/projects/:projectId/...`).
+     */
+    ancestors: ReadonlyArray<LazyServerImport>;
+};
 export type RoutesManifest = {
     tree: ReadonlyArray<RouteDef>;
     flat: ReadonlyArray<FlatRoute>;
     serverImports: ReadonlyArray<LazyServerImport>;
+    /**
+     * Path-keyed view of every server module in the tree. Lets server-side
+     * consumers (e.g. the page-layer `use` resolver) load a per-page module
+     * by the route path that matched, without re-walking the tree. The order
+     * mirrors `serverImports`; the two arrays exist side-by-side because most
+     * existing call sites only need the lazy thunks.
+     */
+    serverRoutes: ReadonlyArray<ServerRoute>;
 };
 export declare function defineRoutes(tree: RouteDef[]): RoutesManifest;
 export type RoutesProps = {

package/dist/iso/define-routes.js CHANGED Viewed

@@ -67,6 +67,39 @@ function collectServerImports(routes) {
     walk(routes);
     return out;
 }
+function collectServerRoutes(routes, parentPath = '') {
+    const out = [];
+    // `serverStack` tracks the lazy server-thunks for every server-bearing
+    // route on the path from the tree root down to (but not including) the
+    // node being emitted. Pushing on the way in / popping on the way out
+    // means each emitted ServerRoute captures its TRUE tree-walk ancestry,
+    // not whichever other patterns happen to share a URL prefix.
+    const walk = (rs, pp, serverStack) => {
+        for (const r of rs) {
+            const here = pp === '' ? r.path : pp + (r.path === '' ? '' : '/' + r.path);
+            if (r.server) {
+                // Capture the stack BEFORE pushing self -- ancestors exclude self.
+                out.push({
+                    path: here,
+                    server: r.server,
+                    ancestors: serverStack.slice(),
+                });
+            }
+            if (r.children) {
+                if (r.server) {
+                    serverStack.push(r.server);
+                    walk(r.children, here, serverStack);
+                    serverStack.pop();
+                }
+                else {
+                    walk(r.children, here, serverStack);
+                }
+            }
+        }
+    };
+    walk(routes, parentPath, []);
+    return out;
+}
 /**
  * Memoize `lazy(view)` per view-thunk identity. When the same `view` thunk is
  * referenced by multiple route registrations (e.g. `/docs` and `/docs/*`),
@@ -240,6 +273,7 @@ export function defineRoutes(tree) {
         tree,
         flat: flattenTree(tree, viewCache, keyCache),
         serverImports: collectServerImports(tree),
+        serverRoutes: collectServerRoutes(tree),
     };
 }
 export const Routes = ({ routes, onRouteChange, }) => {

package/dist/iso/define-stream-observer.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { ServerLoaderCtx, ServerActionCtx } from './define-middleware.js';
+export type ServerStreamCtx = ServerLoaderCtx | ServerActionCtx;
+export type StreamObserver<TChunk = unknown, TResult = void> = {
+    __kind: 'observer';
+    onStart?: (ctx: ServerStreamCtx) => void;
+    onChunk?: (ctx: ServerStreamCtx, chunk: TChunk, index: number) => void;
+    onEnd?: (ctx: ServerStreamCtx, info: {
+        chunks: number;
+        result: TResult;
+    }) => void;
+    onError?: (ctx: ServerStreamCtx, err: unknown, info: {
+        chunks: number;
+    }) => void;
+    onAbort?: (ctx: ServerStreamCtx, info: {
+        chunks: number;
+    }) => void;
+};
+type Spec<TChunk, TResult> = Omit<StreamObserver<TChunk, TResult>, '__kind'>;
+export declare function defineStreamObserver<TChunk = unknown, TResult = void>(spec: Spec<TChunk, TResult>): StreamObserver<TChunk, TResult>;
+export {};

package/dist/iso/define-stream-observer.js ADDED Viewed

@@ -0,0 +1,3 @@
+export function defineStreamObserver(spec) {
+    return { __kind: 'observer', ...spec };
+}

package/dist/iso/index.d.ts CHANGED Viewed

@@ -4,12 +4,11 @@ export { definePage } from './define-page.js';
 export type { PageBindings } from './define-page.js';
 export { Route, Router, lazy, useLocation, useRoute } from 'preact-iso';
 export { defineRoutes, Routes } from './define-routes.js';
-export type { RouteDef, RoutesManifest, FlatRoute, LayoutProps, ViewProps, } from './define-routes.js';
+export type { RouteDef, RoutesManifest, FlatRoute, ServerRoute, LayoutProps, ViewProps, } from './define-routes.js';
 export { defineLoader } from './define-loader.js';
 export type { LoaderRef, LoaderCtx, Loader as LoaderFn, } from './define-loader.js';
 export { defineAction, useAction } from './action.js';
-export type { ActionStub, UseActionOptions, UseActionResult, MutateResult, ActionGuardContext, ActionGuardFn, } from './action.js';
-export { ActionGuardError, defineActionGuard } from './action.js';
+export type { ActionStub, UseActionOptions, UseActionResult, MutateResult, } from './action.js';
 export type { ContentfulStatusCode } from 'hono/utils/http-status';
 export { useReload } from './reload-context.js';
 export { useOptimistic } from './optimistic.js';
@@ -19,8 +18,14 @@ export type { UseOptimisticActionOptions, UseOptimisticActionResult, } from './o
 export { Form } from './form.js';
 export { createCache } from './cache.js';
 export type { LoaderCache } from './cache.js';
-export { defineServerGuard, defineClientGuard, GuardRedirect, runServerGuards, runClientGuards, } from './guard.js';
-export type { GuardFn, ServerGuardFn, ClientGuardFn, GuardResult, ServerGuardContext, ClientGuardContext, GuardRunsOn, } from './guard.js';
+export { defineServerMiddleware, defineClientMiddleware, } from './define-middleware.js';
+export type { ServerMiddleware, ClientMiddleware, Middleware, ServerBaseCtx, ServerPageCtx, ServerLoaderCtx, ServerActionCtx, ServerCtx, ClientPageCtx, Scope, Next, } from './define-middleware.js';
+export { defineStreamObserver } from './define-stream-observer.js';
+export type { StreamObserver, ServerStreamCtx, } from './define-stream-observer.js';
+export { defineApp } from './define-app.js';
+export type { AppConfig, AppUseElement } from './define-app.js';
+export { redirect, deny, isOutcome, isRedirect, isDeny, isRender, } from './outcomes.js';
+export type { Outcome, RedirectOutcome, DenyOutcome, RenderOutcome, RedirectStatusCode, ErrorStatusCode, } from './outcomes.js';
 export { prefetch } from './prefetch.js';
 export { isBrowser, env } from './is-browser.js';
 export { useRouteChange } from './route-change.js';

package/dist/iso/index.js CHANGED Viewed

@@ -9,7 +9,6 @@ export { defineRoutes, Routes } from './define-routes.js';
 // Server bindings.
 export { defineLoader } from './define-loader.js';
 export { defineAction, useAction } from './action.js';
-export { ActionGuardError, defineActionGuard } from './action.js';
 // Hooks.
 export { useReload } from './reload-context.js';
 export { useOptimistic } from './optimistic.js';
@@ -18,8 +17,11 @@ export { useOptimisticAction } from './optimistic-action.js';
 export { Form } from './form.js';
 // Cache + invalidation.
 export { createCache } from './cache.js';
-// Guards.
-export { defineServerGuard, defineClientGuard, GuardRedirect, runServerGuards, runClientGuards, } from './guard.js';
+// Middleware + outcomes (the new system).
+export { defineServerMiddleware, defineClientMiddleware, } from './define-middleware.js';
+export { defineStreamObserver } from './define-stream-observer.js';
+export { defineApp } from './define-app.js';
+export { redirect, deny, isOutcome, isRedirect, isDeny, isRender, } from './outcomes.js';
 // Utilities.
 export { prefetch } from './prefetch.js';
 export { isBrowser, env } from './is-browser.js';

package/dist/iso/internal/contexts.d.ts CHANGED Viewed

@@ -1,5 +1,4 @@
 import type { Context } from 'hono';
-import type { GuardResult } from '../guard.js';
 export declare const HonoRequestContext: import("preact").Context<{
     context?: Context;
 }>;
@@ -7,6 +6,5 @@ export declare const LoaderIdContext: import("preact").Context<string | null>;
 export declare const LoaderDataContext: import("preact").Context<{
     data: unknown;
 } | null>;
-export declare const GuardResultContext: import("preact").Context<GuardResult | null>;
 export declare const ActiveLoaderIdContext: import("preact").Context<symbol | null>;
 export declare const LoaderErrorContext: import("preact").Context<Error | null>;

package/dist/iso/internal/contexts.js CHANGED Viewed

@@ -2,6 +2,5 @@ import { createContext } from 'preact';
 export const HonoRequestContext = createContext({});
 export const LoaderIdContext = createContext(null);
 export const LoaderDataContext = createContext(null);
-export const GuardResultContext = createContext(null);
 export const ActiveLoaderIdContext = createContext(null);
 export const LoaderErrorContext = createContext(null);

package/dist/iso/internal/loader-fetch.js CHANGED Viewed

@@ -15,22 +15,52 @@ export async function fetchLoaderData(moduleKey, loaderName, location, signal, c
         signal,
     });
     if (!res.ok) {
+        // Try to parse a deny outcome envelope first; it carries `message`
+        // rather than `error`. Fall back to the legacy `{ error }` shape.
         const body = (await res.json().catch(() => ({})));
+        if (body.__outcome === 'deny') {
+            // The `deny()` constructor defaults `message` for first-party
+            // callers, but a hand-rolled envelope from custom server middleware
+            // might still arrive without one. Surface a deny-aware fallback
+            // instead of the generic "Loader failed" so the user sees a hint
+            // that the status came from an explicit deny.
+            const msg = typeof body.message === 'string'
+                ? body.message
+                : `Request denied (${res.status})`;
+            throw new Error(msg);
+        }
         throw new Error(body.error ?? `Loader failed with status ${res.status}`);
     }
     const contentType = res.headers.get('Content-Type') ?? '';
     if (!contentType.includes('text/event-stream')) {
         const json = (await res.json());
-        // Server-side `GuardRedirect` thrown from a loader (or a guard that runs
-        // inside it) comes back as a `{ __redirect }` envelope. Hand off to the
-        // browser via `location.assign` and return a promise that never settles:
-        // the current document is being replaced, no caller will see a value.
+        // Collision risk note (deferred from middleware review C6): a loader
+        // that legitimately returns data shaped `{ __outcome: 'redirect', to:
+        // <string> }` would be misinterpreted here and navigate the browser.
+        // The probability is low (the magic key is namespaced and unusual) and
+        // a wire-version sentinel like `__envelope: 'hono-preact/redirect'` or
+        // a `X-Hono-Preact-Outcome: redirect` response header would close the
+        // gap. Deferred for v0.2: body-key sniffing is the documented contract
+        // for v0.1.
+        // Server-side middleware that throws `redirect(...)` comes back as a
+        // redirect outcome envelope. Hand off to the browser via
+        // `location.assign` and return a promise that never settles: the
+        // current document is being replaced, no caller will see a value.
+        //
+        // Trust boundary: `to` is taken straight from the JSON body and passed
+        // to `window.location.assign`. The framework's own handlers emit safe
+        // (typically same-origin) values, but a compromised or misconfigured
+        // server (or a proxy injecting JSON) could push the client anywhere.
+        // We don't validate origin here for v0.1; treat your own server as
+        // part of the trusted boundary. A same-origin check is a deferred
+        // enhancement (see C4 in the middleware review).
         if (json !== null &&
             typeof json === 'object' &&
-            '__redirect' in json &&
-            typeof json.__redirect === 'string') {
+            json.__outcome === 'redirect' &&
+            typeof json.to === 'string') {
+            const to = json.to;
             if (typeof window !== 'undefined') {
-                window.location.assign(json.__redirect);
+                window.location.assign(to);
             }
             return new Promise(() => {
                 /* never resolves; page is navigating */