sibujs 1.2.0 → 1.3.0

package/dist/ssr-Do_SiVoL.d.cts

@@ -0,0 +1,201 @@
+/**
+ * Converts an HTMLElement tree to an HTML string for server-side rendering.
+ *
+ * Security: attribute names are validated, `on*` handlers are dropped,
+ * URL-bearing attributes are routed through `sanitizeUrl`, and attribute
+ * values are escaped against both `"` and `'`. `<script>` and `<style>`
+ * tags are stripped from the serialized output.
+ */
+declare function renderToString(element: HTMLElement | DocumentFragment | Node): string;
+interface HydrateOptions {
+    /**
+     * Enable dev-mode hydration diagnostics. When true, the walker
+     * compares the server-rendered tree against the client tree and
+     * logs the first tag mismatch, attribute difference, or child count
+     * mismatch to the console. Disabled by default.
+     */
+    diagnostics?: boolean;
+    /**
+     * Called for each detected mismatch instead of the default console
+     * warning. Useful for routing diagnostics to a telemetry system.
+     */
+    onMismatch?: (report: HydrationMismatch) => void;
+}
+interface HydrationMismatch {
+    kind: "tag" | "attribute" | "child-count" | "text";
+    path: string;
+    serverValue: string;
+    clientValue: string;
+    message: string;
+}
+/**
+ * Hydrates a server-rendered DOM tree by attaching event listeners
+ * and activating reactive bindings.
+ *
+ * When `options.diagnostics` is true, the walker reports the first
+ * server/client mismatch it finds. This is a dev-mode tool — pass
+ * `diagnostics: false` (or omit it) in production.
+ */
+declare function hydrate(component: () => HTMLElement, container: HTMLElement, options?: HydrateOptions): void;
+/**
+ * Branded type for raw HTML that has been explicitly marked as trusted.
+ * Use `trustHTML()` to create a value of this type. This prevents
+ * accidental injection of unsanitized user input into `headExtra`.
+ */
+type TrustedHTML = string & {
+    readonly __brand: "TrustedHTML";
+};
+/**
+ * Mark an HTML string as trusted for use in contexts that accept raw HTML
+ * (e.g. `renderToDocument({ headExtra })`). Only call this on
+ * developer-controlled strings — never on user input.
+ *
+ * @example
+ * ```ts
+ * const extra = trustHTML('<link rel="preconnect" href="https://fonts.googleapis.com">');
+ * renderToDocument(App, { headExtra: extra });
+ * ```
+ */
+declare function trustHTML(html: string): TrustedHTML;
+/**
+ * Renders a component to a full HTML document string.
+ *
+ * `headExtra` requires a `TrustedHTML` value created via `trustHTML()`.
+ * This prevents accidental injection of unsanitized user input.
+ *
+ * Security: meta/link/bodyAttrs keys are validated against
+ * `SAFE_ATTR_NAME` (rejecting crafted keys that would break out of the
+ * attribute context). URL attributes in meta/link/scripts/bodyAttrs pass
+ * through `sanitizeUrl`. The page `title` is HTML-escaped.
+ */
+declare function renderToDocument(component: () => HTMLElement, options?: {
+    title?: string;
+    meta?: Record<string, string>[];
+    links?: Record<string, string>[];
+    scripts?: string[];
+    bodyAttrs?: Record<string, string>;
+    /**
+     * Raw HTML injected into `<head>`. Must be wrapped in `trustHTML()`
+     * to confirm the content is developer-controlled.
+     */
+    headExtra?: TrustedHTML;
+}): string;
+/**
+ * Renders a component tree to an async iterable of HTML chunks.
+ * Enables progressive server-side rendering — the consumer can write
+ * each chunk to a response stream as it becomes available.
+ *
+ * Same security posture as `renderToString`.
+ */
+declare function renderToStream(element: HTMLElement | DocumentFragment | Node): AsyncGenerator<string>;
+/**
+ * Collects the full output of renderToStream into a string.
+ */
+declare function collectStream(stream: AsyncGenerator<string> | AsyncIterable<string>): Promise<string>;
+/**
+ * Renders a component tree to a Web ReadableStream<string>.
+ * Compatible with Node 18+, Deno, and edge runtimes.
+ * Uses pull-based backpressure — chunks are produced on demand.
+ */
+declare function renderToReadableStream(element: HTMLElement | DocumentFragment | Node): ReadableStream<string>;
+/**
+ * Marks an element as a hydration island. During partial hydration
+ * only elements marked with `data-sibu-island` will be hydrated.
+ */
+declare function island(id: string, component: () => HTMLElement): HTMLElement;
+/**
+ * Hydrate only elements marked as islands (`data-sibu-island`).
+ * Non-island content keeps its server-rendered HTML untouched.
+ *
+ * Security: uses `hasOwnProperty.call` to guard against prototype-pollution
+ * lookups (e.g. an island id of `__proto__` must not resolve to `Object.prototype`).
+ */
+declare function hydrateIslands(container: HTMLElement, islands: Record<string, () => HTMLElement>): void;
+/**
+ * Progressively hydrate islands only when they enter the viewport.
+ * Uses IntersectionObserver to defer hydration of off-screen islands,
+ * reducing initial JavaScript execution cost.
+ *
+ * Returns a cleanup function that disconnects all observers.
+ */
+declare function hydrateProgressively(container: HTMLElement, islands: Record<string, () => HTMLElement>, options?: IntersectionObserverInit): () => void;
+/**
+ * Reset SSR state between requests. Call at the start of each SSR render
+ * to prevent ID drift in long-lived server processes.
+ */
+declare function resetSSRState(): void;
+/**
+ * Create a suspense boundary for SSR streaming.
+ * Renders fallback HTML inline and returns a promise for the resolved content.
+ *
+ * The returned element contains the fallback UI with a `data-sibu-suspense-id`
+ * marker. The promise resolves to `{ id, html }` once async content is ready.
+ */
+declare function ssrSuspense(props: {
+    fallback: () => HTMLElement;
+    content: () => Promise<HTMLElement>;
+}): {
+    element: HTMLElement;
+    promise: Promise<{
+        id: string;
+        html: string;
+    }>;
+};
+/**
+ * Generate an inline script that swaps a suspense fallback with resolved content.
+ *
+ * Security: the `id` is validated against a strict allowlist. Values that
+ * do not match throw, so an attacker-controlled id cannot inject context
+ * breakers into the selector or the JS string. `ssrSuspense()`'s internal
+ * generator always produces allowlist-safe ids.
+ */
+declare function suspenseSwapScript(id: string, nonce?: string): string;
+/**
+ * Renders a component tree with suspense boundaries as a stream.
+ * Yields the main tree HTML first (including fallback content for suspended
+ * boundaries), then flushes resolved content with inline swap scripts.
+ *
+ * Supports an optional `nonce` that is propagated to the resolved-content
+ * swap scripts so the stream works with strict CSP.
+ */
+declare function renderToSuspenseStream(element: HTMLElement | DocumentFragment | Node, pendingBoundaries?: Promise<{
+    id: string;
+    html: string;
+}>[], options?: {
+    nonce?: string;
+}): AsyncGenerator<string>;
+/**
+ * Escape a JSON string for safe embedding inside a `<script>` tag. This
+ * goes beyond the usual `</script>` concern:
+ *
+ *  - `<`, `>`, `&` are unicode-escaped so nothing inside a string literal
+ *    can close the script tag or start a new one.
+ *  - `U+2028` (LINE SEPARATOR) and `U+2029` (PARAGRAPH SEPARATOR) are
+ *    unicode-escaped. Before ES2019 these were illegal inside a JS string
+ *    literal, so including them verbatim would cause a SyntaxError on
+ *    older engines and could break out of string context.
+ */
+declare function escapeScriptJson(json: string): string;
+/**
+ * Serialize application state into an HTML script tag for SSR.
+ * The serialized data is embedded in the document and picked up
+ * on the client with `deserializeState()`.
+ *
+ * Security: the serialized JSON is escaped against `<`/`>`/`&` so nothing
+ * can close the `<script>` tag, plus `U+2028` / `U+2029` which otherwise
+ * break out of string literals on pre-ES2019 engines. Supports a `nonce`
+ * attribute so the script is compatible with strict CSP.
+ */
+declare function serializeState(state: Record<string, unknown>, nonce?: string): string;
+/**
+ * Retrieve state that was embedded by `serializeState()` during SSR.
+ *
+ * When a `validate` function is provided, it acts as a type guard —
+ * only data that passes validation is returned. This prevents
+ * tampered SSR payloads from being trusted by the client.
+ *
+ * @param validate Optional type guard to verify data integrity
+ */
+declare function deserializeState<T = Record<string, unknown>>(validate?: (data: unknown) => data is T): T | undefined;
+
+export { type HydrateOptions as H, type TrustedHTML as T, type HydrationMismatch as a, hydrateIslands as b, collectStream as c, deserializeState as d, escapeScriptJson as e, hydrateProgressively as f, renderToReadableStream as g, hydrate as h, island as i, renderToStream as j, renderToString as k, renderToSuspenseStream as l, resetSSRState as m, ssrSuspense as n, suspenseSwapScript as o, renderToDocument as r, serializeState as s, trustHTML as t };

package/dist/ssr-Do_SiVoL.d.ts

@@ -0,0 +1,201 @@
+/**
+ * Converts an HTMLElement tree to an HTML string for server-side rendering.
+ *
+ * Security: attribute names are validated, `on*` handlers are dropped,
+ * URL-bearing attributes are routed through `sanitizeUrl`, and attribute
+ * values are escaped against both `"` and `'`. `<script>` and `<style>`
+ * tags are stripped from the serialized output.
+ */
+declare function renderToString(element: HTMLElement | DocumentFragment | Node): string;
+interface HydrateOptions {
+    /**
+     * Enable dev-mode hydration diagnostics. When true, the walker
+     * compares the server-rendered tree against the client tree and
+     * logs the first tag mismatch, attribute difference, or child count
+     * mismatch to the console. Disabled by default.
+     */
+    diagnostics?: boolean;
+    /**
+     * Called for each detected mismatch instead of the default console
+     * warning. Useful for routing diagnostics to a telemetry system.
+     */
+    onMismatch?: (report: HydrationMismatch) => void;
+}
+interface HydrationMismatch {
+    kind: "tag" | "attribute" | "child-count" | "text";
+    path: string;
+    serverValue: string;
+    clientValue: string;
+    message: string;
+}
+/**
+ * Hydrates a server-rendered DOM tree by attaching event listeners
+ * and activating reactive bindings.
+ *
+ * When `options.diagnostics` is true, the walker reports the first
+ * server/client mismatch it finds. This is a dev-mode tool — pass
+ * `diagnostics: false` (or omit it) in production.
+ */
+declare function hydrate(component: () => HTMLElement, container: HTMLElement, options?: HydrateOptions): void;
+/**
+ * Branded type for raw HTML that has been explicitly marked as trusted.
+ * Use `trustHTML()` to create a value of this type. This prevents
+ * accidental injection of unsanitized user input into `headExtra`.
+ */
+type TrustedHTML = string & {
+    readonly __brand: "TrustedHTML";
+};
+/**
+ * Mark an HTML string as trusted for use in contexts that accept raw HTML
+ * (e.g. `renderToDocument({ headExtra })`). Only call this on
+ * developer-controlled strings — never on user input.
+ *
+ * @example
+ * ```ts
+ * const extra = trustHTML('<link rel="preconnect" href="https://fonts.googleapis.com">');
+ * renderToDocument(App, { headExtra: extra });
+ * ```
+ */
+declare function trustHTML(html: string): TrustedHTML;
+/**
+ * Renders a component to a full HTML document string.
+ *
+ * `headExtra` requires a `TrustedHTML` value created via `trustHTML()`.
+ * This prevents accidental injection of unsanitized user input.
+ *
+ * Security: meta/link/bodyAttrs keys are validated against
+ * `SAFE_ATTR_NAME` (rejecting crafted keys that would break out of the
+ * attribute context). URL attributes in meta/link/scripts/bodyAttrs pass
+ * through `sanitizeUrl`. The page `title` is HTML-escaped.
+ */
+declare function renderToDocument(component: () => HTMLElement, options?: {
+    title?: string;
+    meta?: Record<string, string>[];
+    links?: Record<string, string>[];
+    scripts?: string[];
+    bodyAttrs?: Record<string, string>;
+    /**
+     * Raw HTML injected into `<head>`. Must be wrapped in `trustHTML()`
+     * to confirm the content is developer-controlled.
+     */
+    headExtra?: TrustedHTML;
+}): string;
+/**
+ * Renders a component tree to an async iterable of HTML chunks.
+ * Enables progressive server-side rendering — the consumer can write
+ * each chunk to a response stream as it becomes available.
+ *
+ * Same security posture as `renderToString`.
+ */
+declare function renderToStream(element: HTMLElement | DocumentFragment | Node): AsyncGenerator<string>;
+/**
+ * Collects the full output of renderToStream into a string.
+ */
+declare function collectStream(stream: AsyncGenerator<string> | AsyncIterable<string>): Promise<string>;
+/**
+ * Renders a component tree to a Web ReadableStream<string>.
+ * Compatible with Node 18+, Deno, and edge runtimes.
+ * Uses pull-based backpressure — chunks are produced on demand.
+ */
+declare function renderToReadableStream(element: HTMLElement | DocumentFragment | Node): ReadableStream<string>;
+/**
+ * Marks an element as a hydration island. During partial hydration
+ * only elements marked with `data-sibu-island` will be hydrated.
+ */
+declare function island(id: string, component: () => HTMLElement): HTMLElement;
+/**
+ * Hydrate only elements marked as islands (`data-sibu-island`).
+ * Non-island content keeps its server-rendered HTML untouched.
+ *
+ * Security: uses `hasOwnProperty.call` to guard against prototype-pollution
+ * lookups (e.g. an island id of `__proto__` must not resolve to `Object.prototype`).
+ */
+declare function hydrateIslands(container: HTMLElement, islands: Record<string, () => HTMLElement>): void;
+/**
+ * Progressively hydrate islands only when they enter the viewport.
+ * Uses IntersectionObserver to defer hydration of off-screen islands,
+ * reducing initial JavaScript execution cost.
+ *
+ * Returns a cleanup function that disconnects all observers.
+ */
+declare function hydrateProgressively(container: HTMLElement, islands: Record<string, () => HTMLElement>, options?: IntersectionObserverInit): () => void;
+/**
+ * Reset SSR state between requests. Call at the start of each SSR render
+ * to prevent ID drift in long-lived server processes.
+ */
+declare function resetSSRState(): void;
+/**
+ * Create a suspense boundary for SSR streaming.
+ * Renders fallback HTML inline and returns a promise for the resolved content.
+ *
+ * The returned element contains the fallback UI with a `data-sibu-suspense-id`
+ * marker. The promise resolves to `{ id, html }` once async content is ready.
+ */
+declare function ssrSuspense(props: {
+    fallback: () => HTMLElement;
+    content: () => Promise<HTMLElement>;
+}): {
+    element: HTMLElement;
+    promise: Promise<{
+        id: string;
+        html: string;
+    }>;
+};
+/**
+ * Generate an inline script that swaps a suspense fallback with resolved content.
+ *
+ * Security: the `id` is validated against a strict allowlist. Values that
+ * do not match throw, so an attacker-controlled id cannot inject context
+ * breakers into the selector or the JS string. `ssrSuspense()`'s internal
+ * generator always produces allowlist-safe ids.
+ */
+declare function suspenseSwapScript(id: string, nonce?: string): string;
+/**
+ * Renders a component tree with suspense boundaries as a stream.
+ * Yields the main tree HTML first (including fallback content for suspended
+ * boundaries), then flushes resolved content with inline swap scripts.
+ *
+ * Supports an optional `nonce` that is propagated to the resolved-content
+ * swap scripts so the stream works with strict CSP.
+ */
+declare function renderToSuspenseStream(element: HTMLElement | DocumentFragment | Node, pendingBoundaries?: Promise<{
+    id: string;
+    html: string;
+}>[], options?: {
+    nonce?: string;
+}): AsyncGenerator<string>;
+/**
+ * Escape a JSON string for safe embedding inside a `<script>` tag. This
+ * goes beyond the usual `</script>` concern:
+ *
+ *  - `<`, `>`, `&` are unicode-escaped so nothing inside a string literal
+ *    can close the script tag or start a new one.
+ *  - `U+2028` (LINE SEPARATOR) and `U+2029` (PARAGRAPH SEPARATOR) are
+ *    unicode-escaped. Before ES2019 these were illegal inside a JS string
+ *    literal, so including them verbatim would cause a SyntaxError on
+ *    older engines and could break out of string context.
+ */
+declare function escapeScriptJson(json: string): string;
+/**
+ * Serialize application state into an HTML script tag for SSR.
+ * The serialized data is embedded in the document and picked up
+ * on the client with `deserializeState()`.
+ *
+ * Security: the serialized JSON is escaped against `<`/`>`/`&` so nothing
+ * can close the `<script>` tag, plus `U+2028` / `U+2029` which otherwise
+ * break out of string literals on pre-ES2019 engines. Supports a `nonce`
+ * attribute so the script is compatible with strict CSP.
+ */
+declare function serializeState(state: Record<string, unknown>, nonce?: string): string;
+/**
+ * Retrieve state that was embedded by `serializeState()` during SSR.
+ *
+ * When a `validate` function is provided, it acts as a type guard —
+ * only data that passes validation is returned. This prevents
+ * tampered SSR payloads from being trusted by the client.
+ *
+ * @param validate Optional type guard to verify data integrity
+ */
+declare function deserializeState<T = Record<string, unknown>>(validate?: (data: unknown) => data is T): T | undefined;
+
+export { type HydrateOptions as H, type TrustedHTML as T, type HydrationMismatch as a, hydrateIslands as b, collectStream as c, deserializeState as d, escapeScriptJson as e, hydrateProgressively as f, renderToReadableStream as g, hydrate as h, island as i, renderToStream as j, renderToString as k, renderToSuspenseStream as l, resetSSRState as m, ssrSuspense as n, suspenseSwapScript as o, renderToDocument as r, serializeState as s, trustHTML as t };