sibujs 1.5.0 → 2.1.0

package/dist/ssr.cjs

@@ -70,33 +70,105 @@ function isDev() {
 var _isDev = isDev();
 function devAssert(condition, message) {
   if (_isDev && !condition) {
-    throw new Error(`[Sibu] ${message}`);
+    throw new Error(`[SibuJS] ${message}`);
   }
 }
 function devWarn(message) {
   if (_isDev) {
-    console.warn(`[Sibu] ${message}`);
+    console.warn(`[SibuJS] ${message}`);
   }
 }
 
+// src/core/ssr-context.ts
+var als = null;
+try {
+  if (typeof process !== "undefined" && process.versions && process.versions.node) {
+    const req = Function("return typeof require==='function'?require:null")();
+    if (req) {
+      const mod = req("node:async_hooks");
+      als = new mod.AsyncLocalStorage();
+    }
+  }
+} catch {
+  als = null;
+}
+var fallbackStore = { ssr: false, suspenseIdCounter: 0 };
+function getSSRStore() {
+  if (als) {
+    const s2 = als.getStore();
+    if (s2) return s2;
+  }
+  return fallbackStore;
+}
+function isSSR() {
+  return getSSRStore().ssr;
+}
+
 // src/utils/sanitize.ts
+var SAFE_URL_PROTOCOLS = ["http:", "https:", "mailto:", "tel:", "ftp:"];
 function sanitizeUrl(url) {
   const trimmed = url.replace(/[\x00-\x20\x7f-\x9f]+/g, "").trim();
   if (!trimmed) return "";
   const lower = trimmed.toLowerCase();
-  if (lower.startsWith("javascript:") || lower.startsWith("data:") || lower.startsWith("vbscript:") || lower.startsWith("blob:")) {
-    return "";
+  let schemeEnd = -1;
+  for (let i2 = 0; i2 < lower.length; i2++) {
+    const ch = lower.charCodeAt(i2);
+    if (ch === 58) {
+      schemeEnd = i2;
+      break;
+    }
+    if (ch === 47 || ch === 63 || ch === 35) break;
   }
+  if (schemeEnd === -1) return trimmed;
+  const scheme = lower.slice(0, schemeEnd + 1);
+  if (!/^[a-z][a-z0-9+.-]*:$/.test(scheme)) return trimmed;
+  if (SAFE_URL_PROTOCOLS.indexOf(scheme) === -1) return "";
   return trimmed;
 }
+function sanitizeSrcset(value) {
+  const parts = value.split(",");
+  const out = [];
+  for (let i2 = 0; i2 < parts.length; i2++) {
+    const part = parts[i2].trim();
+    if (!part) continue;
+    const m = part.match(/^(\S+)(\s+.+)?$/);
+    if (!m) continue;
+    const safe = sanitizeUrl(m[1]);
+    if (!safe) continue;
+    out.push(m[2] ? `${safe}${m[2]}` : safe);
+  }
+  return out.join(", ");
+}
 function sanitizeCSSValue(value) {
-  const lower = value.toLowerCase().replace(/\s+/g, "");
-  if (lower.includes("url(") || lower.includes("expression(") || lower.includes("javascript:") || lower.includes("-moz-binding")) {
+  const decoded = value.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_m, hex) => {
+    const code2 = Number.parseInt(hex, 16);
+    if (!Number.isFinite(code2) || code2 < 0 || code2 > 1114111) return "";
+    try {
+      return String.fromCodePoint(code2);
+    } catch {
+      return "";
+    }
+  });
+  const lower = decoded.toLowerCase().replace(/\s+/g, "");
+  if (lower.includes("url(") || lower.includes("expression(") || lower.includes("javascript:") || lower.includes("vbscript:") || lower.includes("-moz-binding") || lower.includes("behavior:") || lower.includes("@import") || lower.includes("image-set(") || lower.includes("filter:progid")) {
     return "";
   }
   return value;
 }
-var URL_ATTRIBUTES = /* @__PURE__ */ new Set(["href", "src", "action", "formaction", "cite", "poster", "background", "srcset"]);
+var URL_ATTRIBUTES = /* @__PURE__ */ new Set([
+  "href",
+  "xlink:href",
+  "src",
+  "action",
+  "formaction",
+  "formtarget",
+  "cite",
+  "poster",
+  "background",
+  "srcset",
+  "ping",
+  "data"
+]);
 function isUrlAttribute(attr) {
   return URL_ATTRIBUTES.has(attr);
 }
@@ -219,7 +291,7 @@ function hydrate(component, container, options = {}) {
         options.onMismatch(first);
       } else if (_isDev2) {
         console.warn(
-          `[Sibu hydration] ${first.message}
+          `[SibuJS hydration] ${first.message}
   at ${first.path}
   server: ${first.serverValue}
   client: ${first.clientValue}`
@@ -227,17 +299,9 @@ function hydrate(component, container, options = {}) {
       }
     }
   }
-  hydrateNode(container.firstElementChild, clientTree);
+  container.replaceChildren(clientTree);
   container.setAttribute("data-sibu-hydrated", "true");
 }
-function hydrateNode(serverNode, clientNode) {
-  if (!serverNode) return;
-  const serverChildren = Array.from(serverNode.children);
-  const clientChildren = Array.from(clientNode.children);
-  for (let i2 = 0; i2 < Math.min(serverChildren.length, clientChildren.length); i2++) {
-    hydrateNode(serverChildren[i2], clientChildren[i2]);
-  }
-}
 function collectMismatches(serverNode, clientNode, path2, out, max = 5) {
   if (out.length >= max) return;
   const nodePath = path2 || clientNode?.tagName?.toLowerCase() || "(root)";
@@ -467,12 +531,16 @@ function renderToReadableStream(element) {
         controller.enqueue(value);
       }
     },
-    cancel() {
-      generator.return(void 0);
+    async cancel() {
+      await generator.return(void 0);
     }
   });
 }
+var SAFE_ID = /^[A-Za-z0-9_-]+$/;
 function island(id, component) {
+  if (!SAFE_ID.test(id)) {
+    throw new Error(`[SibuJS SSR] island: id must match [A-Za-z0-9_-]+ (got: ${JSON.stringify(id.slice(0, 32))})`);
+  }
   const el = component();
   el.setAttribute("data-sibu-island", id);
   return el;
@@ -485,8 +553,9 @@ function hydrateIslands(container, islands) {
     const factory = islands[id];
     if (typeof factory !== "function") continue;
     const clientTree = factory();
-    hydrateNode(marker2, clientTree);
-    marker2.setAttribute("data-sibu-hydrated", "true");
+    clientTree.setAttribute("data-sibu-island", id);
+    clientTree.setAttribute("data-sibu-hydrated", "true");
+    marker2.replaceWith(clientTree);
   }
   container.setAttribute("data-sibu-hydrated", "partial");
 }
@@ -503,8 +572,9 @@ function hydrateProgressively(container, islands, options) {
         for (const entry of entries) {
           if (entry.isIntersecting) {
             const clientTree = factory();
-            hydrateNode(marker2, clientTree);
-            marker2.setAttribute("data-sibu-hydrated", "true");
+            clientTree.setAttribute("data-sibu-island", id);
+            clientTree.setAttribute("data-sibu-hydrated", "true");
+            marker2.replaceWith(clientTree);
             observer.disconnect();
             break;
           }
@@ -520,20 +590,37 @@ function hydrateProgressively(container, islands, options) {
     for (const cleanup2 of cleanups) cleanup2();
   };
 }
-var suspenseIdCounter = 0;
 function resetSSRState() {
-  suspenseIdCounter = 0;
+  getSSRStore().suspenseIdCounter = 0;
+}
+function noop() {
 }
 function ssrSuspense(props) {
-  const id = `sibu-sus-${suspenseIdCounter++}`;
+  const store = getSSRStore();
+  const id = `sibu-sus-${store.suspenseIdCounter++}`;
+  const timeoutMs = props.timeoutMs ?? 3e4;
   const fallbackEl = props.fallback();
   const wrapper = document.createElement("div");
   wrapper.setAttribute("data-sibu-suspense-id", id);
   wrapper.appendChild(fallbackEl);
-  const promise = props.content().then((resolvedEl) => ({
-    id,
-    html: renderToString(resolvedEl)
-  }));
+  const fallbackHtml = renderToString(fallbackEl);
+  let timer;
+  const timeoutPromise = new Promise((_, reject) => {
+    timer = setTimeout(() => reject(new Error(`[SibuJS SSR] ssrSuspense timed out after ${timeoutMs}ms`)), timeoutMs);
+  });
+  const raced = Promise.race([props.content(), timeoutPromise]);
+  const promise = raced.then(
+    (resolvedEl) => {
+      if (timer) clearTimeout(timer);
+      return { id, html: renderToString(resolvedEl) };
+    },
+    (err) => {
+      if (timer) clearTimeout(timer);
+      if (_isDev2) console.warn("[SibuJS SSR] ssrSuspense rejected:", err);
+      return { id, html: fallbackHtml };
+    }
+  );
+  promise.catch(noop);
   return { element: wrapper, promise };
 }
 var SAFE_SUSPENSE_ID = /^[A-Za-z0-9_-]+$/;
@@ -561,14 +648,27 @@ var SSR_DATA_ATTR = "__SIBU_SSR_DATA__";
 function escapeScriptJson(json) {
   return json.replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/&/g, "\\u0026").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
 }
-function serializeState(state, nonce) {
-  const json = escapeScriptJson(JSON.stringify(state));
+var DEFAULT_MAX_SSR_BYTES = 1024 * 1024;
+function serializeState(state, nonce, options) {
+  const rawJson = JSON.stringify(state);
+  const maxBytes = options?.maxBytes ?? DEFAULT_MAX_SSR_BYTES;
+  const byteLen = typeof TextEncoder !== "undefined" ? new TextEncoder().encode(rawJson).byteLength : Buffer.byteLength(rawJson, "utf8");
+  if (byteLen > maxBytes) {
+    throw new Error(`[SibuJS SSR] serializeState: payload (${byteLen} bytes) exceeds maxBytes (${maxBytes})`);
+  }
+  const json = escapeScriptJson(rawJson);
   const nonceAttr = nonce ? ` nonce="${escapeAttr(nonce)}"` : "";
   return `<script${nonceAttr}>window.${SSR_DATA_ATTR}=${json}</script>`;
 }
 function deserializeState(validate) {
   if (typeof window === "undefined") return void 0;
-  const raw = window[SSR_DATA_ATTR];
+  if (_isDev2 && !validate) {
+    console.warn(
+      "[SibuJS SSR] deserializeState() called without a validate guard \u2014 tampered SSR payloads will not be detected."
+    );
+  }
+  const w = window;
+  const raw = w[SSR_DATA_ATTR];
   if (raw === void 0) return void 0;
   if (validate && !validate(raw)) return void 0;
   return raw;
@@ -582,15 +682,28 @@ function escapeAttr(str) {
 
 // src/reactivity/track.ts
 var _isDev3 = isDev();
-var subscriberStack = new Array(32);
-var stackCapacity = 32;
+var STACK_INITIAL = 32;
+var STACK_SHRINK_THRESHOLD = 128;
+var subscriberStack = new Array(STACK_INITIAL);
+var stackCapacity = STACK_INITIAL;
 var stackTop = -1;
 var currentSubscriber = null;
-var signalSubscribers = /* @__PURE__ */ new WeakMap();
 var SUBS = "__s";
+function syncFastPath(signal2, subs) {
+  const size = subs.size;
+  if (size === 0) {
+    signal2.__f = void 0;
+    delete signal2[SUBS];
+  } else if (size === 1) {
+    signal2.__f = subs.values().next().value;
+  } else {
+    signal2.__f = void 0;
+  }
+}
 var notifyDepth = 0;
 var pendingQueue = [];
 var pendingSet = /* @__PURE__ */ new Set();
+var propagateStack = [];
 function safeInvoke(sub2) {
   try {
     sub2();
@@ -613,37 +726,49 @@ function track(effectFn, subscriber) {
   } finally {
     stackTop--;
     currentSubscriber = stackTop >= 0 ? subscriberStack[stackTop] : null;
+    if (stackTop < 0 && stackCapacity > STACK_SHRINK_THRESHOLD) {
+      stackCapacity = Math.max(STACK_INITIAL, stackCapacity >>> 1);
+      subscriberStack.length = stackCapacity;
+    }
   }
   return () => cleanup(subscriber);
 }
 function recordDependency(signal2) {
   if (!currentSubscriber) return;
   const sub2 = currentSubscriber;
-  if (sub2._dep === signal2) return;
+  const epoch = sub2._epoch;
+  if (sub2._dep === signal2) {
+    sub2._depEpoch = epoch;
+    return;
+  }
   const deps = sub2._deps;
   if (deps) {
-    if (deps.has(signal2)) return;
-    deps.add(signal2);
+    deps.set(signal2, epoch);
   } else if (sub2._dep !== void 0) {
-    const set = /* @__PURE__ */ new Set();
-    set.add(sub2._dep);
-    set.add(signal2);
-    sub2._deps = set;
+    const map2 = /* @__PURE__ */ new Map();
+    map2.set(sub2._dep, sub2._depEpoch);
+    map2.set(signal2, epoch);
+    sub2._deps = map2;
     sub2._dep = void 0;
+    sub2._depEpoch = void 0;
   } else {
     sub2._dep = signal2;
+    sub2._depEpoch = epoch;
   }
-  let subs = signal2[SUBS];
+  const sig = signal2;
+  let subs = sig[SUBS];
   if (!subs) {
     subs = /* @__PURE__ */ new Set();
-    signalSubscribers.set(signal2, subs);
-    signal2[SUBS] = subs;
+    sig[SUBS] = subs;
   }
+  const prevSize = subs.size;
   subs.add(currentSubscriber);
-  if (subs.size === 1) {
-    signal2.__f = currentSubscriber;
-  } else if (signal2.__f !== void 0) {
-    signal2.__f = void 0;
+  if (subs.size !== prevSize) {
+    if (subs.size === 1) {
+      sig.__f = currentSubscriber;
+    } else if (sig.__f !== void 0) {
+      sig.__f = void 0;
+    }
   }
 }
 function queueSignalNotification(signal2) {
@@ -658,66 +783,102 @@ function queueSignalNotification(signal2) {
     }
   }
 }
-var MAX_DRAIN_ITERATIONS = 1e3;
+var maxSubscriberRepeats = 50;
+var maxDrainIterations = 1e6;
+var drainEpoch = 0;
+function tickRepeat(sub2) {
+  const s2 = sub2;
+  if (s2._runEpoch !== drainEpoch) {
+    s2._runEpoch = drainEpoch;
+    s2._runs = 1;
+    return false;
+  }
+  return ++s2._runs > maxSubscriberRepeats;
+}
+function cycleError(sub2) {
+  if (typeof console !== "undefined") {
+    const name = sub2.__name ?? "<unnamed>";
+    console.error(
+      `[SibuJS] subscriber "${name}" fired more than ${maxSubscriberRepeats} times \u2014 likely a write-reads-self cycle between effects/signals. Breaking to prevent infinite loop.`
+    );
+  }
+}
+function absoluteDrainError() {
+  if (typeof console !== "undefined") {
+    console.error(
+      `[SibuJS] Notification drain exceeded ${maxDrainIterations} iterations \u2014 absolute safety net tripped. Breaking to prevent infinite loop.`
+    );
+  }
+}
+function drainQueue() {
+  let i2 = 0;
+  while (i2 < pendingQueue.length) {
+    if (i2 >= maxDrainIterations) {
+      absoluteDrainError();
+      break;
+    }
+    const sub2 = pendingQueue[i2++];
+    if (tickRepeat(sub2)) {
+      cycleError(sub2);
+      break;
+    }
+    pendingSet.delete(sub2);
+    safeInvoke(sub2);
+  }
+}
 function drainNotificationQueue() {
   if (notifyDepth > 0) return;
   notifyDepth++;
+  drainEpoch++;
   try {
-    let i2 = 0;
-    while (i2 < pendingQueue.length) {
-      if (i2 >= MAX_DRAIN_ITERATIONS) {
-        if (typeof console !== "undefined") {
-          console.error(
-            `[SibuJS] Notification queue exceeded ${MAX_DRAIN_ITERATIONS} iterations \u2014 likely an effect that writes to a signal it reads. Breaking to prevent infinite loop.`
-          );
-        }
-        break;
-      }
-      safeInvoke(pendingQueue[i2]);
-      i2++;
-    }
+    drainQueue();
   } finally {
-    pendingQueue.length = 0;
-    pendingSet.clear();
     notifyDepth--;
+    if (notifyDepth === 0) {
+      pendingQueue.length = 0;
+      pendingSet.clear();
+    }
   }
 }
 function propagateDirty(sub2) {
   sub2();
-  let sig = sub2._sig;
-  while (sig) {
+  const rootSig = sub2._sig;
+  if (!rootSig) return;
+  const stack = propagateStack;
+  const baseLen = stack.length;
+  stack.push(rootSig);
+  while (stack.length > baseLen) {
+    const sig = stack.pop();
     const first = sig.__f;
     if (first) {
       if (first._c) {
         const nSig = first._sig;
-        nSig._d = true;
-        sig = nSig;
-        continue;
-      }
-      if (!pendingSet.has(first)) {
+        if (!nSig._d) {
+          nSig._d = true;
+          stack.push(nSig);
+        }
+      } else if (!pendingSet.has(first)) {
         pendingSet.add(first);
         pendingQueue.push(first);
       }
-      break;
+      continue;
     }
     const subs = sig[SUBS];
-    if (!subs) break;
-    let nextSig;
+    if (!subs) continue;
     for (const s2 of subs) {
       if (s2._c) {
-        s2();
         const nSig = s2._sig;
-        if (nSig && !nextSig) {
-          nextSig = nSig;
-        } else if (nSig) {
-          propagateDirty(s2);
+        if (nSig && !nSig._d) {
+          nSig._d = true;
+          stack.push(nSig);
+        } else if (!nSig) {
+          s2();
         }
       } else if (!pendingSet.has(s2)) {
         pendingSet.add(s2);
         pendingQueue.push(s2);
       }
     }
-    sig = nextSig;
   }
 }
 function notifySubscribers(signal2) {
@@ -733,21 +894,22 @@ function notifySubscribers(signal2) {
       return;
     }
     notifyDepth++;
+    drainEpoch++;
     try {
       if (first._c) {
         propagateDirty(first);
+      } else if (tickRepeat(first)) {
+        cycleError(first);
       } else {
         safeInvoke(first);
       }
-      let i2 = 0;
-      while (i2 < pendingQueue.length) {
-        safeInvoke(pendingQueue[i2]);
-        i2++;
-      }
+      drainQueue();
     } finally {
-      pendingQueue.length = 0;
-      pendingSet.clear();
       notifyDepth--;
+      if (notifyDepth === 0) {
+        pendingQueue.length = 0;
+        pendingSet.clear();
+      }
     }
     return;
   }
@@ -765,68 +927,50 @@ function notifySubscribers(signal2) {
     return;
   }
   notifyDepth++;
+  drainEpoch++;
   try {
-    let directCount = 0;
     for (const sub2 of subs) {
-      pendingQueue[directCount++] = sub2;
-    }
-    for (let i3 = 0; i3 < directCount; i3++) {
-      if (pendingQueue[i3]._c) {
-        propagateDirty(pendingQueue[i3]);
-      }
-    }
-    for (let i3 = 0; i3 < directCount; i3++) {
-      if (!pendingQueue[i3]._c) {
-        if (!pendingSet.has(pendingQueue[i3])) {
-          safeInvoke(pendingQueue[i3]);
-        }
+      if (sub2._c) {
+        propagateDirty(sub2);
+      } else if (!pendingSet.has(sub2)) {
+        pendingSet.add(sub2);
+        pendingQueue.push(sub2);
       }
     }
-    let i2 = directCount;
-    while (i2 < pendingQueue.length) {
-      safeInvoke(pendingQueue[i2]);
-      i2++;
-    }
+    drainQueue();
   } finally {
-    pendingQueue.length = 0;
-    pendingSet.clear();
     notifyDepth--;
+    if (notifyDepth === 0) {
+      pendingQueue.length = 0;
+      pendingSet.clear();
+    }
   }
 }
 function cleanup(subscriber) {
   const sub2 = subscriber;
   const singleDep = sub2._dep;
   if (singleDep !== void 0) {
-    const subs = singleDep[SUBS];
-    if (subs) {
-      subs.delete(subscriber);
-      if (singleDep.__f === subscriber) {
-        singleDep.__f = void 0;
-      }
+    const sig = singleDep;
+    const subs = sig[SUBS];
+    if (subs?.delete(subscriber)) {
+      syncFastPath(sig, subs);
     }
     sub2._dep = void 0;
+    sub2._depEpoch = void 0;
     return;
   }
   const deps = sub2._deps;
   if (!deps || deps.size === 0) return;
-  for (const signal2 of deps) {
-    const subs = signal2[SUBS];
-    if (subs) {
-      subs.delete(subscriber);
-      if (signal2.__f === subscriber) {
-        signal2.__f = void 0;
-      }
+  for (const signal2 of deps.keys()) {
+    const sig = signal2;
+    const subs = sig[SUBS];
+    if (subs?.delete(subscriber)) {
+      syncFastPath(sig, subs);
     }
   }
   deps.clear();
 }
 
-// src/core/ssr-context.ts
-var ssrMode = false;
-function isSSR() {
-  return ssrMode;
-}
-
 // src/core/signals/effect.ts
 var _g = globalThis;
 function effect(effectFn, options) {
@@ -834,26 +978,114 @@ function effect(effectFn, options) {
   if (isSSR()) return () => {
   };
   const onError = options?.onError;
+  let userCleanups = [];
+  const onCleanup = (fn) => {
+    userCleanups.push(fn);
+  };
+  const runUserCleanups = () => {
+    if (userCleanups.length === 0) return;
+    const list = userCleanups;
+    userCleanups = [];
+    for (let i2 = list.length - 1; i2 >= 0; i2--) {
+      try {
+        list[i2]();
+      } catch (err) {
+        if (typeof console !== "undefined") {
+          console.warn("[SibuJS effect] onCleanup threw:", err);
+        }
+      }
+    }
+  };
+  const invokeBody = () => effectFn(onCleanup);
   const wrappedFn = onError ? () => {
     try {
-      effectFn();
+      invokeBody();
     } catch (err) {
       onError(err);
     }
-  } : effectFn;
+  } : invokeBody;
   let cleanupHandle = () => {
   };
+  let running = false;
+  let rerunPending = false;
+  const MAX_RERUNS = 100;
   const subscriber = () => {
-    cleanupHandle();
-    cleanupHandle = track(wrappedFn, subscriber);
+    if (running) {
+      rerunPending = true;
+      return;
+    }
+    running = true;
+    try {
+      let reruns = 0;
+      do {
+        rerunPending = false;
+        runUserCleanups();
+        cleanupHandle();
+        cleanupHandle = track(wrappedFn, subscriber);
+        if (++reruns > MAX_RERUNS) {
+          if (_g.__SIBU_DEV_WARN__ !== false && typeof console !== "undefined") {
+            console.error(
+              `[SibuJS] effect re-requested itself ${MAX_RERUNS}+ times \u2014 likely a write-reads-self cycle. Breaking to prevent infinite loop.`
+            );
+          }
+          rerunPending = false;
+          break;
+        }
+      } while (rerunPending);
+    } finally {
+      running = false;
+      rerunPending = false;
+    }
   };
-  cleanupHandle = track(wrappedFn, subscriber);
+  running = true;
+  try {
+    let reruns = 0;
+    do {
+      rerunPending = false;
+      runUserCleanups();
+      cleanupHandle();
+      cleanupHandle = track(wrappedFn, subscriber);
+      if (++reruns > MAX_RERUNS) {
+        if (_g.__SIBU_DEV_WARN__ !== false && typeof console !== "undefined") {
+          console.error(
+            `[SibuJS] effect re-requested itself ${MAX_RERUNS}+ times on initial run \u2014 likely a write-reads-self cycle. Breaking to prevent infinite loop.`
+          );
+        }
+        rerunPending = false;
+        break;
+      }
+    } while (rerunPending);
+  } finally {
+    running = false;
+    rerunPending = false;
+  }
   const hook = _g.__SIBU_DEVTOOLS_GLOBAL_HOOK__;
   if (hook) hook.emit("effect:create", { effectFn });
+  let disposed = false;
   return () => {
+    if (disposed) return;
+    disposed = true;
     const h = _g.__SIBU_DEVTOOLS_GLOBAL_HOOK__;
-    if (h) h.emit("effect:destroy", { effectFn });
-    cleanupHandle();
+    if (h) {
+      try {
+        h.emit("effect:destroy", { effectFn });
+      } catch {
+      }
+    }
+    try {
+      runUserCleanups();
+    } catch (err) {
+      if (typeof console !== "undefined") {
+        console.warn("[SibuJS effect] onCleanup threw during dispose:", err);
+      }
+    }
+    try {
+      cleanupHandle();
+    } catch (err) {
+      if (typeof console !== "undefined") {
+        console.warn("[SibuJS effect] dispose threw:", err);
+      }
+    }
   };
 }
 
@@ -1025,10 +1257,13 @@ function enqueueBatchedSignal(signal2) {
   return true;
 }
 function flushBatch() {
-  for (const signal2 of pendingSignals) {
-    queueSignalNotification(signal2);
+  try {
+    for (const signal2 of pendingSignals) {
+      queueSignalNotification(signal2);
+    }
+  } finally {
+    pendingSignals.clear();
   }
-  pendingSignals.clear();
   drainNotificationQueue();
 }
 
@@ -1075,24 +1310,42 @@ function createISR(options) {
   const { revalidateAfter, fetcher, initialData } = options;
   const [data2, setData] = signal(initialData);
   const [timestamp, setTimestamp] = signal(initialData !== void 0 ? Date.now() : 0);
+  const controller = new AbortController();
+  let inFlight = false;
+  let disposed = false;
   const isStale = () => {
     const ts = timestamp();
     if (ts === 0) return true;
     return Date.now() - ts >= revalidateAfter;
   };
   const revalidate = async () => {
-    const result = await fetcher();
-    setData(result);
-    setTimestamp(Date.now());
+    if (disposed || inFlight) return;
+    if (controller.signal.aborted) return;
+    inFlight = true;
+    try {
+      const result = await fetcher({ signal: controller.signal });
+      if (disposed || controller.signal.aborted) return;
+      setData(result);
+      setTimestamp(Date.now());
+    } finally {
+      inFlight = false;
+    }
   };
   if (initialData === void 0) {
-    revalidate();
+    revalidate().catch((err) => {
+      if (typeof console !== "undefined") console.warn("[SibuJS ISR] initial fetch failed", err);
+    });
   }
   const intervalId = setInterval(() => {
-    revalidate();
+    revalidate().catch((err) => {
+      if (typeof console !== "undefined") console.warn("[SibuJS ISR] revalidate failed", err);
+    });
   }, revalidateAfter);
   const dispose = () => {
+    if (disposed) return;
+    disposed = true;
     clearInterval(intervalId);
+    controller.abort();
   };
   return { data: data2, isStale, revalidate, dispose };
 }
@@ -1200,6 +1453,9 @@ function createMiddlewareChain() {
 
 // src/reactivity/bindAttribute.ts
 var _isDev5 = isDev();
+function setProp(el, key, val) {
+  el[key] = val;
+}
 function isEventHandlerAttr3(name) {
   if (name.length < 3) return false;
   const lower = name.toLowerCase();
@@ -1225,7 +1481,7 @@ function bindAttribute(el, attr, getter) {
     }
     if (typeof value === "boolean") {
       if (attr in el && (attr === "checked" || attr === "disabled" || attr === "selected")) {
-        el[attr] = value;
+        setProp(el, attr, value);
       } else if (value) {
         el.setAttribute(attr, "");
       } else {
@@ -1235,7 +1491,7 @@ function bindAttribute(el, attr, getter) {
     }
     const str = String(value);
     if ((attr === "value" || attr === "checked") && attr in el) {
-      el[attr] = attr === "checked" ? Boolean(value) : str;
+      setProp(el, attr, attr === "checked" ? Boolean(value) : str);
     } else {
       el.setAttribute(attr, isUrlAttribute(attr) ? sanitizeUrl(str) : str);
     }
@@ -1272,24 +1528,29 @@ function bindChildNode(placeholder, getter) {
     let newNodes;
     if (Array.isArray(result)) {
       newNodes = [];
+      const seen = /* @__PURE__ */ new Set();
       for (let i2 = 0; i2 < result.length; i2++) {
         const item = result[i2];
         if (item == null || typeof item === "boolean") continue;
-        newNodes.push(item instanceof Node ? item : document.createTextNode(String(item)));
+        const node = item instanceof Node ? item : document.createTextNode(String(item));
+        if (seen.has(node)) {
+          if (_isDev6)
+            devWarn("bindChildNode: duplicate node reference in array \u2014 only the first occurrence is rendered.");
+          continue;
+        }
+        seen.add(node);
+        newNodes.push(node);
       }
     } else {
       const node = result instanceof Node ? result : document.createTextNode(String(result));
       newNodes = [node];
     }
-    const reused = lastNodes.length > 0 && newNodes.length > 0 ? /* @__PURE__ */ new Set() : void 0;
-    if (reused) {
+    let reused;
+    if (lastNodes.length > 0 && newNodes.length > 0) {
+      const lastSet = new Set(lastNodes);
+      reused = /* @__PURE__ */ new Set();
       for (let i2 = 0; i2 < newNodes.length; i2++) {
-        for (let j = 0; j < lastNodes.length; j++) {
-          if (newNodes[i2] === lastNodes[j]) {
-            reused.add(newNodes[i2]);
-            break;
-          }
-        }
+        if (lastSet.has(newNodes[i2])) reused.add(newNodes[i2]);
       }
     }
     for (let i2 = 0; i2 < lastNodes.length; i2++) {
@@ -1329,6 +1590,30 @@ function registerDisposer(node, teardown) {
 
 // src/core/rendering/tagFactory.ts
 var SVG_NS = "http://www.w3.org/2000/svg";
+var _isDev8 = isDev();
+var BLOCKED_TAGS = /* @__PURE__ */ new Set(["script", "iframe", "object", "embed", "frame", "frameset"]);
+function validateTagName(tag) {
+  const lower = tag.toLowerCase();
+  if (BLOCKED_TAGS.has(lower)) {
+    throw new Error(`tagFactory: refusing to create <${tag}> \u2014 tag is blocked for security reasons.`);
+  }
+}
+var CLOBBER_RISKY_IDS = /* @__PURE__ */ new Set([
+  "config",
+  "location",
+  "history",
+  "document",
+  "window",
+  "navigator",
+  "name",
+  "top",
+  "parent",
+  "self",
+  "frames"
+]);
+function setProp2(el, key, val) {
+  el[key] = val;
+}
 var kebabCache = /* @__PURE__ */ new Map();
 function toKebab(prop) {
   let cached = kebabCache.get(prop);
@@ -1453,79 +1738,103 @@ function appendChildren(el, nodes) {
     }
   }
 }
-var tagFactory = (tag, ns) => (first, second) => {
-  const el = ns ? document.createElementNS(ns, tag) : document.createElement(tag);
-  if (first === void 0) return el;
-  if (typeof first === "string") {
-    if (second !== void 0) {
-      el.setAttribute("class", first);
-      appendChildren(el, second);
+var tagFactory = (tag, ns) => {
+  return (first, second) => {
+    validateTagName(tag);
+    const el = ns ? document.createElementNS(ns, tag) : document.createElement(tag);
+    if (first === void 0) return el;
+    if (typeof first === "string") {
+      if (second !== void 0) {
+        el.setAttribute("class", first);
+        appendChildren(el, second);
+        return el;
+      }
+      el.textContent = first;
       return el;
     }
-    el.textContent = first;
-    return el;
-  }
-  if (typeof first === "number") {
-    el.textContent = String(first);
-    return el;
-  }
-  if (Array.isArray(first) || first instanceof Node || typeof first === "function") {
-    appendChildren(el, first);
-    return el;
-  }
-  const props = first;
-  const pClass = props.class;
-  if (pClass != null) applyClass(el, pClass);
-  const pId = props.id;
-  if (pId != null) el.id = pId;
-  const pNodes = second !== void 0 ? second : props.nodes;
-  if (pNodes != null) appendChildren(el, pNodes);
-  const pOn = props.on;
-  if (pOn) {
-    for (const ev in pOn) {
-      el.addEventListener(ev, pOn[ev]);
-    }
-  }
-  const pStyle = props.style;
-  if (pStyle != null) applyStyle(el, pStyle);
-  const pRef = props.ref;
-  if (pRef) pRef.current = el;
-  for (const key in props) {
-    switch (key) {
-      case "class":
-      case "id":
-      case "nodes":
-      case "on":
-      case "style":
-      case "ref":
-      case "onElement":
-        continue;
-      // already handled above / below
-      default: {
-        const value = props[key];
-        if (value == null) continue;
-        if (key[0] === "o" && key[1] === "n") continue;
-        if (typeof value === "function") {
-          registerDisposer(el, bindAttribute(el, key, value));
-        } else if (typeof value === "boolean") {
-          if (key in el && (key === "checked" || key === "disabled" || key === "selected")) {
-            el[key] = value;
-          } else if (value) {
-            el.setAttribute(key, "");
+    if (typeof first === "number") {
+      el.textContent = String(first);
+      return el;
+    }
+    if (Array.isArray(first) || first instanceof Node || typeof first === "function") {
+      appendChildren(el, first);
+      return el;
+    }
+    const props = first;
+    const pClass = props.class;
+    if (pClass != null) applyClass(el, pClass);
+    const pId = props.id;
+    if (pId != null) {
+      if (_isDev8 && typeof pId === "string" && CLOBBER_RISKY_IDS.has(pId.toLowerCase())) {
+        devWarn(
+          `tagFactory: element id="${pId}" matches a common global and may cause DOM clobbering. Avoid setting ids from untrusted input.`
+        );
+      }
+      el.id = pId;
+    }
+    const pNodes = second !== void 0 ? second : props.nodes;
+    if (pNodes != null) appendChildren(el, pNodes);
+    const pOn = props.on;
+    if (pOn) {
+      for (const ev in pOn) {
+        const handler = pOn[ev];
+        if (typeof handler === "function") {
+          el.addEventListener(ev, handler);
+        } else if (_isDev8) {
+          devWarn(
+            `tagFactory: on.${ev} handler is not a function (got ${typeof handler}). Event listener was not attached.`
+          );
+        }
+      }
+    }
+    const pStyle = props.style;
+    if (pStyle != null) applyStyle(el, pStyle);
+    const pRef = props.ref;
+    if (pRef) pRef.current = el;
+    for (const key in props) {
+      switch (key) {
+        case "class":
+        case "id":
+        case "nodes":
+        case "on":
+        case "style":
+        case "ref":
+        case "onElement":
+          continue;
+        // already handled above / below
+        default: {
+          const value = props[key];
+          if (value == null) continue;
+          const lkey = key.toLowerCase();
+          if (lkey[0] === "o" && lkey[1] === "n") continue;
+          if (typeof value === "function") {
+            registerDisposer(el, bindAttribute(el, key, value));
+          } else if (typeof value === "boolean") {
+            if (key in el && (key === "checked" || key === "disabled" || key === "selected")) {
+              setProp2(el, key, value);
+            } else if (value) {
+              el.setAttribute(key, "");
+            } else {
+              el.removeAttribute(key);
+            }
           } else {
-            el.removeAttribute(key);
+            const str = String(value);
+            if (lkey === "srcset") {
+              el.setAttribute(key, sanitizeSrcset(str));
+            } else if (isUrlAttribute(lkey)) {
+              el.setAttribute(key, sanitizeUrl(str));
+            } else {
+              el.setAttribute(key, str);
+            }
           }
-        } else {
-          const str = String(value);
-          el.setAttribute(key, isUrlAttribute(key) ? sanitizeUrl(str) : str);
         }
       }
     }
-  }
-  if (props.onElement && typeof props.onElement === "function") {
-    props.onElement(el);
-  }
-  return el;
+    if (props.onElement && typeof props.onElement === "function") {
+      props.onElement(el);
+    }
+    return el;
+  };
 };
 
 // src/core/rendering/html.ts
@@ -1679,31 +1988,38 @@ function createMicroApp(config) {
   }
   let mounted = false;
   function mount(component) {
-    if (root instanceof ShadowRoot) {
-      root.innerHTML = "";
-    } else {
-      while (root.firstChild) {
-        root.removeChild(root.firstChild);
-      }
-    }
+    root.replaceChildren();
     const el = component();
     root.appendChild(el);
     mounted = true;
   }
   function unmount() {
     if (!mounted) return;
-    if (root instanceof ShadowRoot) {
-      root.innerHTML = "";
-    } else {
-      while (root.firstChild) {
-        root.removeChild(root.firstChild);
-      }
-    }
+    root.replaceChildren();
     mounted = false;
   }
   return { mount, unmount, element: host };
 }
-function loadRemoteModule(url) {
+function loadRemoteModule(url, optionsOrAllowedOrigins = []) {
+  const opts = Array.isArray(optionsOrAllowedOrigins) ? { allowedOrigins: optionsOrAllowedOrigins } : optionsOrAllowedOrigins;
+  const allowedOrigins = opts.allowedOrigins ?? [];
+  if (allowedOrigins.length > 0) {
+    let parsed;
+    try {
+      parsed = new URL(url, typeof location !== "undefined" ? location.href : void 0);
+    } catch {
+      return Promise.reject(new Error(`loadRemoteModule: invalid URL "${url}"`));
+    }
+    if (!allowedOrigins.includes(parsed.origin)) {
+      return Promise.reject(new Error(`loadRemoteModule: origin "${parsed.origin}" is not in the allowlist`));
+    }
+  } else if (!opts.unsafelyAllowAnyOrigin) {
+    return Promise.reject(
+      new Error(
+        `loadRemoteModule: refused to import "${url}" with no allowedOrigins. Pass { allowedOrigins: [...] } to restrict the origin, or { unsafelyAllowAnyOrigin: true } to opt in to unrestricted imports (CWE-829).`
+      )
+    );
+  }
   const cached = moduleCache.get(url);
   if (cached) return cached;
   const promise = import(
@@ -1793,21 +2109,49 @@ function serviceWorker(scriptUrl, options) {
   const [isReady, setIsReady] = signal(false);
   const [isUpdateAvailable, setIsUpdateAvailable] = signal(false);
   const [error, setError] = signal(null);
+  let disposed = false;
+  let updateFoundHandler = null;
+  let stateChangeHandler = null;
+  let trackedWorker = null;
+  let trackedReg = null;
+  function detachListeners() {
+    if (trackedReg && updateFoundHandler) {
+      trackedReg.removeEventListener("updatefound", updateFoundHandler);
+    }
+    if (trackedWorker && stateChangeHandler) {
+      trackedWorker.removeEventListener("statechange", stateChangeHandler);
+    }
+    updateFoundHandler = null;
+    stateChangeHandler = null;
+    trackedWorker = null;
+    trackedReg = null;
+  }
   if ("serviceWorker" in navigator) {
     navigator.serviceWorker.register(scriptUrl, options).then((reg) => {
+      if (disposed) return;
       setRegistration(reg);
       setIsReady(true);
-      reg.addEventListener("updatefound", () => {
+      trackedReg = reg;
+      updateFoundHandler = () => {
+        if (disposed) return;
         const newWorker = reg.installing;
         if (newWorker) {
-          newWorker.addEventListener("statechange", () => {
+          if (trackedWorker && stateChangeHandler) {
+            trackedWorker.removeEventListener("statechange", stateChangeHandler);
+          }
+          trackedWorker = newWorker;
+          stateChangeHandler = () => {
+            if (disposed) return;
             if (newWorker.state === "installed" && navigator.serviceWorker.controller) {
               setIsUpdateAvailable(true);
             }
-          });
+          };
+          newWorker.addEventListener("statechange", stateChangeHandler);
         }
-      });
+      };
+      reg.addEventListener("updatefound", updateFoundHandler);
     }).catch((err) => {
+      if (disposed) return;
       setError(err instanceof Error ? err : new Error(String(err)));
     });
   }
@@ -1818,6 +2162,8 @@ function serviceWorker(scriptUrl, options) {
     }
   }
   async function unregister() {
+    disposed = true;
+    detachListeners();
     const reg = registration();
     if (reg) {
       const result = await reg.unregister();
@@ -1838,24 +2184,37 @@ function worker(workerFn2) {
   const [error, setError] = signal(null);
   const [loading, setLoading] = signal(false);
   let worker2 = null;
+  let blobUrl = null;
+  const revokeBlobUrl = () => {
+    if (blobUrl) {
+      URL.revokeObjectURL(blobUrl);
+      blobUrl = null;
+    }
+  };
   try {
     if (typeof Worker === "undefined") {
       throw new Error("Web Workers are not supported in this environment");
     }
     const fnBody = workerFn2.toString();
     const blob = new Blob([`self.onmessage = ${fnBody};`], { type: "application/javascript" });
-    const url = URL.createObjectURL(blob);
-    worker2 = new Worker(url);
-    URL.revokeObjectURL(url);
-    worker2.onmessage = (e) => {
+    blobUrl = URL.createObjectURL(blob);
+    worker2 = new Worker(blobUrl);
+    worker2.addEventListener("message", (e) => {
+      revokeBlobUrl();
       setResult(e.data);
       setLoading(false);
-    };
-    worker2.onerror = (e) => {
+    });
+    worker2.addEventListener("error", (e) => {
+      revokeBlobUrl();
       setError(new Error(e.message || "Worker error"));
       setLoading(false);
-    };
+      if (worker2) {
+        worker2.terminate();
+        worker2 = null;
+      }
+    });
   } catch (err) {
+    revokeBlobUrl();
     setError(err instanceof Error ? err : new Error(String(err)));
   }
   function post(data2) {
@@ -1869,6 +2228,7 @@ function worker(workerFn2) {
     if (!worker2) return;
     worker2.terminate();
     worker2 = null;
+    revokeBlobUrl();
     setLoading(false);
   }
   return { post, result, error, loading, terminate };
@@ -1876,6 +2236,14 @@ function worker(workerFn2) {
 function workerFn(fn) {
   const [loading, setLoading] = signal(false);
   let worker2 = null;
+  let blobUrl = null;
+  const revokeBlobUrl = () => {
+    if (blobUrl) {
+      URL.revokeObjectURL(blobUrl);
+      blobUrl = null;
+    }
+  };
+  const queue = [];
   try {
     if (typeof Worker === "undefined") {
       throw new Error("Web Workers are not supported in this environment");
@@ -1891,10 +2259,26 @@ function workerFn(fn) {
       ],
       { type: "application/javascript" }
     );
-    const url = URL.createObjectURL(blob);
-    worker2 = new Worker(url);
-    URL.revokeObjectURL(url);
+    blobUrl = URL.createObjectURL(blob);
+    worker2 = new Worker(blobUrl);
+    worker2.addEventListener("message", (e) => {
+      revokeBlobUrl();
+      const head2 = queue.shift();
+      if (queue.length === 0) setLoading(false);
+      if (head2) head2.resolve(e.data);
+    });
+    worker2.addEventListener("error", (e) => {
+      revokeBlobUrl();
+      const err = new Error(e.message || "Worker error");
+      while (queue.length > 0) queue.shift().reject(err);
+      setLoading(false);
+      if (worker2) {
+        worker2.terminate();
+        worker2 = null;
+      }
+    });
   } catch {
+    revokeBlobUrl();
   }
   function run(...args) {
     return new Promise((resolve, reject) => {
@@ -1903,14 +2287,7 @@ function workerFn(fn) {
         return;
       }
       setLoading(true);
-      worker2.onmessage = (e) => {
-        setLoading(false);
-        resolve(e.data);
-      };
-      worker2.onerror = (e) => {
-        setLoading(false);
-        reject(new Error(e.message || "Worker error"));
-      };
+      queue.push({ resolve, reject });
       worker2.postMessage(args);
     });
   }
@@ -1918,6 +2295,9 @@ function workerFn(fn) {
     if (!worker2) return;
     worker2.terminate();
     worker2 = null;
+    const err = new Error("Worker terminated");
+    while (queue.length > 0) queue.shift().reject(err);
+    revokeBlobUrl();
     setLoading(false);
   }
   return { run, loading, terminate };
@@ -1925,20 +2305,63 @@ function workerFn(fn) {
 function createWorkerPool(workerFn2, poolSize) {
   const size = poolSize || typeof navigator !== "undefined" && navigator.hardwareConcurrency || 4;
   const workers = [];
+  const queues = [];
+  const inflight = [];
   let currentIndex = 0;
   let alive = true;
+  let blobUrl = null;
+  let firedOnce = false;
+  const revokeBlobUrl = () => {
+    if (blobUrl) {
+      URL.revokeObjectURL(blobUrl);
+      blobUrl = null;
+    }
+  };
+  function dispatchNext(idx) {
+    if (!alive || inflight[idx] || queues[idx].length === 0) return;
+    const w = workers[idx];
+    const slot2 = queues[idx].shift();
+    const onMsg = (e) => {
+      if (!firedOnce) {
+        firedOnce = true;
+        revokeBlobUrl();
+      }
+      w.removeEventListener("message", onMsg);
+      w.removeEventListener("error", onErr);
+      inflight[idx] = null;
+      slot2.resolve(e.data);
+      dispatchNext(idx);
+    };
+    const onErr = (e) => {
+      if (!firedOnce) {
+        firedOnce = true;
+        revokeBlobUrl();
+      }
+      w.removeEventListener("message", onMsg);
+      w.removeEventListener("error", onErr);
+      inflight[idx] = null;
+      slot2.reject(new Error(e.message || "Worker error"));
+      dispatchNext(idx);
+    };
+    inflight[idx] = { ...slot2, onMsg, onErr };
+    w.addEventListener("message", onMsg);
+    w.addEventListener("error", onErr);
+    w.postMessage(slot2.data);
+  }
   try {
     if (typeof Worker === "undefined") {
       throw new Error("Web Workers are not supported in this environment");
     }
     const fnBody = workerFn2.toString();
     const blob = new Blob([`self.onmessage = ${fnBody};`], { type: "application/javascript" });
-    const url = URL.createObjectURL(blob);
+    blobUrl = URL.createObjectURL(blob);
     for (let i2 = 0; i2 < size; i2++) {
-      workers.push(new Worker(url));
+      workers.push(new Worker(blobUrl));
+      queues.push([]);
+      inflight.push(null);
     }
-    URL.revokeObjectURL(url);
   } catch {
+    revokeBlobUrl();
   }
   function execute(data2) {
     return new Promise((resolve, reject) => {
@@ -1946,23 +2369,25 @@ function createWorkerPool(workerFn2, poolSize) {
         reject(new Error("Worker pool is not available"));
         return;
       }
-      const worker2 = workers[currentIndex % workers.length];
+      const idx = currentIndex % workers.length;
       currentIndex++;
-      worker2.onmessage = (e) => {
-        resolve(e.data);
-      };
-      worker2.onerror = (e) => {
-        reject(new Error(e.message || "Worker error"));
-      };
-      worker2.postMessage(data2);
+      queues[idx].push({ data: data2, resolve, reject });
+      dispatchNext(idx);
     });
   }
   function terminate() {
     alive = false;
-    for (const w of workers) {
-      w.terminate();
+    for (const w of workers) w.terminate();
+    const err = new Error("Worker pool terminated");
+    for (let i2 = 0; i2 < queues.length; i2++) {
+      const inf = inflight[i2];
+      if (inf) inf.reject(err);
+      for (const s2 of queues[i2]) s2.reject(err);
+      queues[i2] = [];
+      inflight[i2] = null;
     }
     workers.length = 0;
+    revokeBlobUrl();
   }
   return { execute, terminate };
 }
@@ -1998,7 +2423,28 @@ function wasm(source2, config = {}) {
   };
 }
 async function loadWasmModule(source2, imports, cacheKey) {
-  const key = cacheKey || (typeof source2 === "string" ? source2 : void 0);
+  const isOptionsBag = !!(imports && ("allowedOrigins" in imports || "unsafelyAllowAnyOrigin" in imports));
+  const opts = isOptionsBag ? imports : { imports, cacheKey };
+  const wasmImports = opts.imports;
+  const key = opts.cacheKey || (typeof source2 === "string" ? source2 : void 0);
+  if (typeof source2 === "string") {
+    const allowed = opts.allowedOrigins ?? [];
+    if (allowed.length > 0) {
+      let parsed;
+      try {
+        parsed = new URL(source2, typeof location !== "undefined" ? location.href : void 0);
+      } catch {
+        throw new Error(`loadWasmModule: invalid URL "${source2}"`);
+      }
+      if (!allowed.includes(parsed.origin)) {
+        throw new Error(`loadWasmModule: origin "${parsed.origin}" is not in the allowlist`);
+      }
+    } else if (!opts.unsafelyAllowAnyOrigin) {
+      throw new Error(
+        `loadWasmModule: refused to fetch "${source2}" with no allowedOrigins. Pass { allowedOrigins: [...] } to restrict the origin, or { unsafelyAllowAnyOrigin: true } to opt in (CWE-829).`
+      );
+    }
+  }
   if (key) {
     const cachedInstance = instanceCache.get(key);
     if (cachedInstance) {
@@ -2014,7 +2460,7 @@ async function loadWasmModule(source2, imports, cacheKey) {
     if (typeof source2 === "string") {
       if (typeof WebAssembly.instantiateStreaming === "function") {
         const response2 = fetch(source2);
-        const result = await WebAssembly.instantiateStreaming(response2, imports || {});
+        const result = await WebAssembly.instantiateStreaming(response2, wasmImports || {});
         if (key) {
           moduleCache2.set(key, result.module);
           instanceCache.set(key, result.instance);
@@ -2031,12 +2477,28 @@ async function loadWasmModule(source2, imports, cacheKey) {
     module2 = await WebAssembly.compile(bytes);
     if (key) moduleCache2.set(key, module2);
   }
-  const instance = await WebAssembly.instantiate(module2, imports || {});
+  const instance = await WebAssembly.instantiate(module2, wasmImports || {});
   if (key) instanceCache.set(key, instance);
   return instance;
 }
-async function preloadWasm(url) {
+async function preloadWasm(url, options = {}) {
   if (moduleCache2.has(url)) return;
+  const allowed = options.allowedOrigins ?? [];
+  if (allowed.length > 0) {
+    let parsed;
+    try {
+      parsed = new URL(url, typeof location !== "undefined" ? location.href : void 0);
+    } catch {
+      throw new Error(`preloadWasm: invalid URL "${url}"`);
+    }
+    if (!allowed.includes(parsed.origin)) {
+      throw new Error(`preloadWasm: origin "${parsed.origin}" is not in the allowlist`);
+    }
+  } else if (!options.unsafelyAllowAnyOrigin) {
+    throw new Error(
+      `preloadWasm: refused to fetch "${url}" with no allowedOrigins. Pass { allowedOrigins: [...] } or { unsafelyAllowAnyOrigin: true } (CWE-829).`
+    );
+  }
   let module2;
   if (typeof WebAssembly.compileStreaming === "function") {
     module2 = await WebAssembly.compileStreaming(fetch(url));