theokit 0.5.4 → 0.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{actions-virtual-module-DL74V6SR.js → actions-virtual-module-4WVKHQ2X.js} +5 -2
- package/dist/actions-virtual-module-4WVKHQ2X.js.map +1 -0
- package/dist/{actions-virtual-module-ZDD54ZZE.js → actions-virtual-module-LTOXBSCF.js} +16 -2
- package/dist/actions-virtual-module-LTOXBSCF.js.map +1 -0
- package/dist/{app-typed-client-4M4NVSK3.js → app-typed-client-4N5OGNOQ.js} +15 -4
- package/dist/app-typed-client-4N5OGNOQ.js.map +1 -0
- package/dist/{app-typed-client-4GIKUKRT.js → app-typed-client-SAETWZT5.js} +5 -4
- package/dist/app-typed-client-SAETWZT5.js.map +1 -0
- package/dist/{aws-lambda-SCRGTGF5.js → aws-lambda-WT4HRBNL.js} +3 -3
- package/dist/{build-R74EU6BP.js → build-KQD2EDU4.js} +10 -11
- package/dist/build-KQD2EDU4.js.map +1 -0
- package/dist/{bun-FURRCQMS.js → bun-UTDVN6R4.js} +3 -3
- package/dist/{check-NXYPLM6M.js → check-F3UDYSZ4.js} +2 -2
- package/dist/chunk-223EFY5X.js +469 -0
- package/dist/chunk-223EFY5X.js.map +1 -0
- package/dist/{chunk-KJLECZWQ.js → chunk-3FYJ7R7N.js} +57 -14
- package/dist/chunk-3FYJ7R7N.js.map +1 -0
- package/dist/{chunk-HDA6M7P4.js → chunk-3LVRAGAZ.js} +3 -5
- package/dist/{chunk-JD7AQNJS.js → chunk-4I47JW5O.js} +38 -425
- package/dist/chunk-4I47JW5O.js.map +1 -0
- package/dist/{chunk-H4J2LECY.js → chunk-6BUUZ2PK.js} +9 -9
- package/dist/chunk-6BUUZ2PK.js.map +1 -0
- package/dist/{chunk-P2RS3WWY.js → chunk-6FYD34NX.js} +194 -22
- package/dist/chunk-6FYD34NX.js.map +1 -0
- package/dist/{chunk-X3VNROZ7.js → chunk-6VSKLYT6.js} +78 -21
- package/dist/chunk-6VSKLYT6.js.map +1 -0
- package/dist/{chunk-FGOX37NB.js → chunk-BNGBG2SQ.js} +21 -2
- package/dist/chunk-BNGBG2SQ.js.map +1 -0
- package/dist/chunk-CBGRFVF5.js +421 -0
- package/dist/chunk-CBGRFVF5.js.map +1 -0
- package/dist/{chunk-X32KQH5C.js → chunk-CCVC6P6B.js} +3 -3
- package/dist/chunk-CCVC6P6B.js.map +1 -0
- package/dist/{chunk-DNMSV3R3.js → chunk-D7ZH7DTG.js} +3 -3
- package/dist/chunk-D7ZH7DTG.js.map +1 -0
- package/dist/{chunk-MWYSRZI4.js → chunk-EQV67HZL.js} +2 -2
- package/dist/{chunk-CG563V5M.js → chunk-IEES3CHD.js} +39 -5
- package/dist/chunk-IEES3CHD.js.map +1 -0
- package/dist/{chunk-DUKXQNM7.js → chunk-IHMJV2OK.js} +2 -2
- package/dist/{chunk-WGHJD6I7.js → chunk-JAIKGP3Q.js} +76 -21
- package/dist/chunk-JAIKGP3Q.js.map +1 -0
- package/dist/{chunk-B3L3TJVF.js → chunk-JBCHWRKF.js} +50 -50
- package/dist/chunk-JBCHWRKF.js.map +1 -0
- package/dist/{chunk-XMS5VRIK.js → chunk-JQSFBJR5.js} +3 -3
- package/dist/chunk-JQSFBJR5.js.map +1 -0
- package/dist/{chunk-S74FECKW.js → chunk-MV4LKTW6.js} +119 -153
- package/dist/chunk-MV4LKTW6.js.map +1 -0
- package/dist/chunk-PBEH6NXR.js +44 -0
- package/dist/chunk-PBEH6NXR.js.map +1 -0
- package/dist/chunk-PPPR5DGR.js +1 -0
- package/dist/{chunk-NZXH2LQQ.js → chunk-SJIRP73B.js} +18 -1
- package/dist/chunk-SJIRP73B.js.map +1 -0
- package/dist/cli/index.js +25 -10
- package/dist/cli/index.js.map +1 -1
- package/dist/client/index.d.ts +4 -4
- package/dist/{cloudflare-IZ6VJ2OU.js → cloudflare-U5GYYI47.js} +3 -3
- package/dist/db-ZPDW3UCU.js +78 -0
- package/dist/db-ZPDW3UCU.js.map +1 -0
- package/dist/{deno-deploy-O73NBXIW.js → deno-deploy-3QHJ3AJQ.js} +3 -3
- package/dist/{dev-ZU46C5AZ.js → dev-NDEZA2MP.js} +21 -11
- package/dist/dev-NDEZA2MP.js.map +1 -0
- package/dist/{dev-emit-JBVINGHU.js → dev-emit-O4EGOSNV.js} +77 -24
- package/dist/dev-emit-O4EGOSNV.js.map +1 -0
- package/dist/{dev-emit-66FCOS7V.js → dev-emit-OUPI7NAQ.js} +4 -5
- package/dist/{dev-emit-66FCOS7V.js.map → dev-emit-OUPI7NAQ.js.map} +1 -1
- package/dist/devtools/entry.js +1 -0
- package/dist/devtools/entry.js.map +1 -1
- package/dist/{dist-KRW6OVD4.js → dist-6GPD6WCU.js} +10231 -8164
- package/dist/dist-6GPD6WCU.js.map +1 -0
- package/dist/generate-ODDAYXNR.js +494 -0
- package/dist/generate-ODDAYXNR.js.map +1 -0
- package/dist/{index-CuHICqb9.d.ts → index-DWZF8uQD.d.ts} +132 -132
- package/dist/index.d.ts +32 -3
- package/dist/index.js +8 -9
- package/dist/index.js.map +1 -1
- package/dist/{info-CORLCPEJ.js → info-CSGWIAXA.js} +5 -5
- package/dist/{lib-NST3PNZX.js → lib-JBI3XXH3.js} +27 -27
- package/dist/{lib-NST3PNZX.js.map → lib-JBI3XXH3.js.map} +1 -1
- package/dist/{netlify-O7G3RLK4.js → netlify-DUB7BZ4E.js} +3 -3
- package/dist/{node-LXPQLMVB.js → node-ELE236WK.js} +3 -3
- package/dist/{openapi-TEOUOIJ2.js → openapi-NXGRXABL.js} +7 -8
- package/dist/{openapi-TEOUOIJ2.js.map → openapi-NXGRXABL.js.map} +1 -1
- package/dist/registry-B7FA6KMI.js +25 -0
- package/dist/{routes-GAXVWJUK.js → routes-6A5XFGF7.js} +7 -9
- package/dist/routes-6A5XFGF7.js.map +1 -0
- package/dist/{scan-NQFI5S7P.js → scan-I5PT6TUX.js} +2 -2
- package/dist/{schema-D3v8VB7o.d.ts → schema-BpH6ivDY.d.ts} +2 -4
- package/dist/{schema-Z5VJ2I76.js → schema-NPI4NJEF.js} +3 -3
- package/dist/server/auth/index.d.ts +20 -20
- package/dist/server/auth/index.js +3 -5
- package/dist/server/define/index.d.ts +7 -0
- package/dist/server/define/index.js +1 -1
- package/dist/server/http/index.d.ts +2 -2
- package/dist/server/http/index.js +1 -2
- package/dist/server/index.d.ts +36 -3
- package/dist/server/index.js +66 -61
- package/dist/server/index.js.map +1 -1
- package/dist/server/scan/index.d.ts +13 -13
- package/dist/server/scan/index.js +8 -12
- package/dist/server/security/index.d.ts +69 -69
- package/dist/server/security/index.js +1 -1
- package/dist/{services-typed-client-ASZL7FQV.js → services-typed-client-24VBMDOF.js} +2 -2
- package/dist/{services-typed-client-KK6RHRDG.js → services-typed-client-IETY2SAK.js} +2 -2
- package/dist/{start-HGUNNF5X.js → start-SPFWOGHL.js} +95 -80
- package/dist/start-SPFWOGHL.js.map +1 -0
- package/dist/{static-EO73I4C7.js → static-YWF2M6YT.js} +4 -4
- package/dist/{theo-cloud-HBCYEODQ.js → theo-cloud-EUK56I7O.js} +2 -2
- package/dist/{vercel-GSFDMF7K.js → vercel-LGDQWYZD.js} +3 -3
- package/dist/vite-plugin/index.d.ts +1 -1
- package/dist/vite-plugin/index.js +6 -7
- package/dist/{vite-plugin-TX5H4MB6.js → vite-plugin-43KQU5S7.js} +11 -9
- package/dist/vite-plugin-43KQU5S7.js.map +1 -0
- package/package.json +22 -19
- package/dist/actions-virtual-module-DL74V6SR.js.map +0 -1
- package/dist/actions-virtual-module-ZDD54ZZE.js.map +0 -1
- package/dist/app-typed-client-4GIKUKRT.js.map +0 -1
- package/dist/app-typed-client-4M4NVSK3.js.map +0 -1
- package/dist/build-R74EU6BP.js.map +0 -1
- package/dist/chunk-4HBI7DHP.js +0 -20
- package/dist/chunk-4HBI7DHP.js.map +0 -1
- package/dist/chunk-B3L3TJVF.js.map +0 -1
- package/dist/chunk-CG563V5M.js.map +0 -1
- package/dist/chunk-DNMSV3R3.js.map +0 -1
- package/dist/chunk-FGOX37NB.js.map +0 -1
- package/dist/chunk-GPF64ENM.js +0 -73
- package/dist/chunk-H4J2LECY.js.map +0 -1
- package/dist/chunk-HDA6M7P4.js.map +0 -1
- package/dist/chunk-JD7AQNJS.js.map +0 -1
- package/dist/chunk-KJLECZWQ.js.map +0 -1
- package/dist/chunk-NZXH2LQQ.js.map +0 -1
- package/dist/chunk-OLPB36O2.js +0 -259
- package/dist/chunk-OLPB36O2.js.map +0 -1
- package/dist/chunk-P2RS3WWY.js.map +0 -1
- package/dist/chunk-P3SGM4NR.js +0 -156
- package/dist/chunk-P3SGM4NR.js.map +0 -1
- package/dist/chunk-S74FECKW.js.map +0 -1
- package/dist/chunk-UVHRD33F.js +0 -181
- package/dist/chunk-UVHRD33F.js.map +0 -1
- package/dist/chunk-WGHJD6I7.js.map +0 -1
- package/dist/chunk-X32KQH5C.js.map +0 -1
- package/dist/chunk-X3VNROZ7.js.map +0 -1
- package/dist/chunk-XMS5VRIK.js.map +0 -1
- package/dist/dev-ZU46C5AZ.js.map +0 -1
- package/dist/dev-emit-JBVINGHU.js.map +0 -1
- package/dist/dist-KRW6OVD4.js.map +0 -1
- package/dist/generate-AZ2K6Z2Z.js +0 -281
- package/dist/generate-AZ2K6Z2Z.js.map +0 -1
- package/dist/registry-KW4F4D2L.js +0 -25
- package/dist/routes-GAXVWJUK.js.map +0 -1
- package/dist/start-HGUNNF5X.js.map +0 -1
- package/dist/{aws-lambda-SCRGTGF5.js.map → aws-lambda-WT4HRBNL.js.map} +0 -0
- package/dist/{bun-FURRCQMS.js.map → bun-UTDVN6R4.js.map} +0 -0
- package/dist/{check-NXYPLM6M.js.map → check-F3UDYSZ4.js.map} +0 -0
- package/dist/{chunk-GPF64ENM.js.map → chunk-3LVRAGAZ.js.map} +0 -0
- package/dist/{chunk-MWYSRZI4.js.map → chunk-EQV67HZL.js.map} +0 -0
- package/dist/{chunk-DUKXQNM7.js.map → chunk-IHMJV2OK.js.map} +0 -0
- package/dist/{node-LXPQLMVB.js.map → chunk-PPPR5DGR.js.map} +0 -0
- package/dist/{cloudflare-IZ6VJ2OU.js.map → cloudflare-U5GYYI47.js.map} +0 -0
- package/dist/{deno-deploy-O73NBXIW.js.map → deno-deploy-3QHJ3AJQ.js.map} +0 -0
- package/dist/{info-CORLCPEJ.js.map → info-CSGWIAXA.js.map} +0 -0
- package/dist/{module-loader-Cfz7dgCP.d.ts → match-CfbEFRG4.d.ts} +4 -4
- /package/dist/{netlify-O7G3RLK4.js.map → netlify-DUB7BZ4E.js.map} +0 -0
- /package/dist/{scan-NQFI5S7P.js.map → node-ELE236WK.js.map} +0 -0
- /package/dist/{registry-KW4F4D2L.js.map → registry-B7FA6KMI.js.map} +0 -0
- /package/dist/{schema-Z5VJ2I76.js.map → scan-I5PT6TUX.js.map} +0 -0
- /package/dist/{vite-plugin-TX5H4MB6.js.map → schema-NPI4NJEF.js.map} +0 -0
- /package/dist/{services-typed-client-ASZL7FQV.js.map → services-typed-client-24VBMDOF.js.map} +0 -0
- /package/dist/{services-typed-client-KK6RHRDG.js.map → services-typed-client-IETY2SAK.js.map} +0 -0
- /package/dist/{static-EO73I4C7.js.map → static-YWF2M6YT.js.map} +0 -0
- /package/dist/{theo-cloud-HBCYEODQ.js.map → theo-cloud-EUK56I7O.js.map} +0 -0
- /package/dist/{vercel-GSFDMF7K.js.map → vercel-LGDQWYZD.js.map} +0 -0
|
@@ -1,9 +1,7 @@
|
|
|
1
|
-
import { S as ServerRouteNode } from '../../
|
|
2
|
-
export { L as LoadModule, c as compilePattern, a as createProductionLoader, b as createViteLoader, m as matchRoute } from '../../
|
|
1
|
+
import { S as ServerRouteNode } from '../../match-CfbEFRG4.js';
|
|
2
|
+
export { L as LoadModule, c as compilePattern, a as createProductionLoader, b as createViteLoader, m as matchRoute } from '../../match-CfbEFRG4.js';
|
|
3
3
|
import 'vite';
|
|
4
4
|
|
|
5
|
-
declare function scanServerRoutes(serverDir: string): ServerRouteNode[];
|
|
6
|
-
|
|
7
5
|
interface ActionNode {
|
|
8
6
|
filePath: string;
|
|
9
7
|
actionPath: string;
|
|
@@ -56,21 +54,14 @@ declare function scanServerActions(serverDir: string): ActionNode[];
|
|
|
56
54
|
*/
|
|
57
55
|
declare function scanServerActionsEnriched(serverDir: string): ActionManifestEntry[];
|
|
58
56
|
|
|
57
|
+
declare function scanServerRoutes(serverDir: string): ServerRouteNode[];
|
|
58
|
+
|
|
59
59
|
interface WebSocketRouteNode {
|
|
60
60
|
filePath: string;
|
|
61
61
|
wsPath: string;
|
|
62
62
|
}
|
|
63
63
|
declare function scanWebSocketRoutes(serverDir: string): WebSocketRouteNode[];
|
|
64
64
|
|
|
65
|
-
/**
|
|
66
|
-
* Scan the server/middleware/ directory for middleware files.
|
|
67
|
-
* Files are returned sorted alphabetically — use numeric prefixes
|
|
68
|
-
* (e.g. 01-cors.ts, 02-auth.ts) to control execution order.
|
|
69
|
-
*
|
|
70
|
-
* Files starting with '_' or '.' are ignored (helpers, hidden files).
|
|
71
|
-
*/
|
|
72
|
-
declare function scanMiddlewares(serverDir: string): string[];
|
|
73
|
-
|
|
74
65
|
interface ManifestRoute {
|
|
75
66
|
filePath: string;
|
|
76
67
|
routePath: string;
|
|
@@ -103,4 +94,13 @@ declare function generateManifest(serverDir: string): TheoManifest;
|
|
|
103
94
|
declare function writeManifest(manifest: TheoManifest, outputDir: string): void;
|
|
104
95
|
declare function loadManifest(distDir: string, serverDir: string): LoadedManifest;
|
|
105
96
|
|
|
97
|
+
/**
|
|
98
|
+
* Scan the server/middleware/ directory for middleware files.
|
|
99
|
+
* Files are returned sorted alphabetically — use numeric prefixes
|
|
100
|
+
* (e.g. 01-cors.ts, 02-auth.ts) to control execution order.
|
|
101
|
+
*
|
|
102
|
+
* Files starting with '_' or '.' are ignored (helpers, hidden files).
|
|
103
|
+
*/
|
|
104
|
+
declare function scanMiddlewares(serverDir: string): string[];
|
|
105
|
+
|
|
106
106
|
export { type ActionManifestEntry, type ActionNode, ActionScanError, type LoadedManifest, type ManifestAction, type ManifestRoute, type ManifestWebSocket, ServerRouteNode, type TheoManifest, type WebSocketRouteNode, generateManifest, loadManifest, scanMiddlewares, scanServerActions, scanServerActionsEnriched, scanServerRoutes, scanWebSocketRoutes, writeManifest };
|
|
@@ -1,24 +1,20 @@
|
|
|
1
1
|
import "../../chunk-E3JH6YUM.js";
|
|
2
|
-
import {
|
|
3
|
-
generateManifest,
|
|
4
|
-
loadManifest,
|
|
5
|
-
writeManifest
|
|
6
|
-
} from "../../chunk-GPF64ENM.js";
|
|
7
2
|
import {
|
|
8
3
|
createProductionLoader,
|
|
9
4
|
createViteLoader
|
|
10
5
|
} from "../../chunk-JQSKBMXP.js";
|
|
11
6
|
import {
|
|
7
|
+
ActionScanError,
|
|
12
8
|
compilePattern,
|
|
9
|
+
generateManifest,
|
|
10
|
+
loadManifest,
|
|
13
11
|
matchRoute,
|
|
14
|
-
scanServerRoutes,
|
|
15
|
-
scanWebSocketRoutes
|
|
16
|
-
} from "../../chunk-OLPB36O2.js";
|
|
17
|
-
import {
|
|
18
|
-
ActionScanError,
|
|
19
12
|
scanServerActions,
|
|
20
|
-
scanServerActionsEnriched
|
|
21
|
-
|
|
13
|
+
scanServerActionsEnriched,
|
|
14
|
+
scanServerRoutes,
|
|
15
|
+
scanWebSocketRoutes,
|
|
16
|
+
writeManifest
|
|
17
|
+
} from "../../chunk-223EFY5X.js";
|
|
22
18
|
import "../../chunk-WSJKACWB.js";
|
|
23
19
|
import "../../chunk-X2VVCJ4V.js";
|
|
24
20
|
import {
|
|
@@ -1,9 +1,77 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { IncomingMessage, ServerResponse } from 'node:http';
|
|
2
2
|
import { A as AuditLogger } from '../../audit-log-BQWM5YLG.js';
|
|
3
3
|
export { C as CSRF_WARN_CODE, a as CSRF_WARN_DOCS_URL, b as CsrfLogger, c as CsrfMode, d as CsrfWarnPayload, D as DisallowedConfig, e as enforceCsrf, m as matchDisallowed, v as validateCsrf, f as validateCsrfRequest } from '../../csrf-BBrEZSBW.js';
|
|
4
4
|
import { C as CsrfReadinessStore } from '../../csrf-readiness-store-CjIoub3U.js';
|
|
5
5
|
export { a as CsrfReadinessRouteSummary, b as CsrfReadinessSummary, c as CsrfWarnRecord } from '../../csrf-readiness-store-CjIoub3U.js';
|
|
6
6
|
|
|
7
|
+
/**
|
|
8
|
+
* T5.1 — Built-in CSP report endpoint.
|
|
9
|
+
*
|
|
10
|
+
* Browsers POST violation reports to `report-uri` (legacy `application/csp-report`)
|
|
11
|
+
* or `Reporting API` (`application/reports+json`). Framework auto-registers this
|
|
12
|
+
* endpoint so `cspMode: 'report-only'` is actually useful out of the box.
|
|
13
|
+
*
|
|
14
|
+
* Forwards normalized violations to:
|
|
15
|
+
* - audit logger (`csp.violation`)
|
|
16
|
+
* - devtools dispatcher (dev only, for Errors tab)
|
|
17
|
+
* - optional user hook (Sentry, etc.)
|
|
18
|
+
*
|
|
19
|
+
* EC-2: browser MAY send `{"csp-report": null}`, empty `{}`, or
|
|
20
|
+
* reports+json entries lacking `body`. Handler MUST short-circuit to
|
|
21
|
+
* 204 (valid format, no violation), NEVER crash via null deref.
|
|
22
|
+
*/
|
|
23
|
+
declare const CSP_REPORT_PATH = "/__theo/csp-report";
|
|
24
|
+
interface CspViolation {
|
|
25
|
+
blockedUrl: string;
|
|
26
|
+
documentUrl: string;
|
|
27
|
+
violatedDirective: string;
|
|
28
|
+
effectiveDirective?: string;
|
|
29
|
+
originalPolicy?: string;
|
|
30
|
+
disposition?: 'enforce' | 'report';
|
|
31
|
+
statusCode?: number;
|
|
32
|
+
sourceFile?: string;
|
|
33
|
+
lineNumber?: number;
|
|
34
|
+
columnNumber?: number;
|
|
35
|
+
}
|
|
36
|
+
interface CspReportHandlerOptions {
|
|
37
|
+
auditLogger?: AuditLogger;
|
|
38
|
+
devtoolsDispatcher?: {
|
|
39
|
+
onCspViolation?: (v: CspViolation) => void;
|
|
40
|
+
};
|
|
41
|
+
/** Optional user-provided sink (Sentry, custom log router). Errors here are swallowed. */
|
|
42
|
+
onViolation?: (v: CspViolation) => void;
|
|
43
|
+
}
|
|
44
|
+
declare function normalizeLegacy(raw: Record<string, unknown>): CspViolation;
|
|
45
|
+
/**
|
|
46
|
+
* Map a `reports+json` entry to the internal shape. Returns `null` if
|
|
47
|
+
* the entry lacks a usable `body` object (EC-2).
|
|
48
|
+
*/
|
|
49
|
+
declare function normalizeNew(entry: unknown): CspViolation | null;
|
|
50
|
+
declare function handleCspReport(req: IncomingMessage, res: ServerResponse, opts: CspReportHandlerOptions): Promise<void>;
|
|
51
|
+
declare function handleCspReportRequest(request: Request, opts: CspReportHandlerOptions): Promise<Response>;
|
|
52
|
+
|
|
53
|
+
/**
|
|
54
|
+
* T2.2 — `/__theo/csrf-readiness` endpoint.
|
|
55
|
+
*
|
|
56
|
+
* GET /__theo/csrf-readiness → 200 + JSON summary
|
|
57
|
+
* POST /__theo/csrf-readiness/reset → 204; clears the store
|
|
58
|
+
*
|
|
59
|
+
* The reset endpoint enforces CSRF (own dog food) — requires
|
|
60
|
+
* `X-Theo-Action: 1` AND a matching Origin header (EC-15). This avoids
|
|
61
|
+
* the endpoint being weaponizable from a cross-origin page when the
|
|
62
|
+
* endpoint is opt-in exposed in production.
|
|
63
|
+
*
|
|
64
|
+
* Mount opt-in: in dev mode, the host wires this in unconditionally. In
|
|
65
|
+
* production, only mount when `config.security.csrfTelemetry.exposeReadinessEndpoint === true`.
|
|
66
|
+
* EC-10 parallel: returns 404 (via boolean false return) when the URL
|
|
67
|
+
* does not match — the caller continues normal request handling.
|
|
68
|
+
*/
|
|
69
|
+
|
|
70
|
+
declare const CSRF_READINESS_PATH = "/__theo/csrf-readiness";
|
|
71
|
+
declare const CSRF_READINESS_RESET_PATH = "/__theo/csrf-readiness/reset";
|
|
72
|
+
declare function handleCsrfReadiness(req: IncomingMessage, res: ServerResponse, store: CsrfReadinessStore): Promise<boolean>;
|
|
73
|
+
declare function handleCsrfReadinessRequest(request: Request, store: CsrfReadinessStore): Promise<Response | null>;
|
|
74
|
+
|
|
7
75
|
/**
|
|
8
76
|
* Phase 6 — Default Security Headers (D4 / EC-2).
|
|
9
77
|
*
|
|
@@ -122,72 +190,4 @@ declare function buildSecurityHeaders(config: SecurityHeadersConfig, env: Securi
|
|
|
122
190
|
*/
|
|
123
191
|
declare function applySecurityHeaders(res: ServerResponse, config: SecurityHeadersConfig, env: SecurityEnv, options?: SecurityHeadersOptions): void;
|
|
124
192
|
|
|
125
|
-
/**
|
|
126
|
-
* T5.1 — Built-in CSP report endpoint.
|
|
127
|
-
*
|
|
128
|
-
* Browsers POST violation reports to `report-uri` (legacy `application/csp-report`)
|
|
129
|
-
* or `Reporting API` (`application/reports+json`). Framework auto-registers this
|
|
130
|
-
* endpoint so `cspMode: 'report-only'` is actually useful out of the box.
|
|
131
|
-
*
|
|
132
|
-
* Forwards normalized violations to:
|
|
133
|
-
* - audit logger (`csp.violation`)
|
|
134
|
-
* - devtools dispatcher (dev only, for Errors tab)
|
|
135
|
-
* - optional user hook (Sentry, etc.)
|
|
136
|
-
*
|
|
137
|
-
* EC-2: browser MAY send `{"csp-report": null}`, empty `{}`, or
|
|
138
|
-
* reports+json entries lacking `body`. Handler MUST short-circuit to
|
|
139
|
-
* 204 (valid format, no violation), NEVER crash via null deref.
|
|
140
|
-
*/
|
|
141
|
-
declare const CSP_REPORT_PATH = "/__theo/csp-report";
|
|
142
|
-
interface CspViolation {
|
|
143
|
-
blockedUrl: string;
|
|
144
|
-
documentUrl: string;
|
|
145
|
-
violatedDirective: string;
|
|
146
|
-
effectiveDirective?: string;
|
|
147
|
-
originalPolicy?: string;
|
|
148
|
-
disposition?: 'enforce' | 'report';
|
|
149
|
-
statusCode?: number;
|
|
150
|
-
sourceFile?: string;
|
|
151
|
-
lineNumber?: number;
|
|
152
|
-
columnNumber?: number;
|
|
153
|
-
}
|
|
154
|
-
interface CspReportHandlerOptions {
|
|
155
|
-
auditLogger?: AuditLogger;
|
|
156
|
-
devtoolsDispatcher?: {
|
|
157
|
-
onCspViolation?: (v: CspViolation) => void;
|
|
158
|
-
};
|
|
159
|
-
/** Optional user-provided sink (Sentry, custom log router). Errors here are swallowed. */
|
|
160
|
-
onViolation?: (v: CspViolation) => void;
|
|
161
|
-
}
|
|
162
|
-
declare function normalizeLegacy(raw: Record<string, unknown>): CspViolation;
|
|
163
|
-
/**
|
|
164
|
-
* Map a `reports+json` entry to the internal shape. Returns `null` if
|
|
165
|
-
* the entry lacks a usable `body` object (EC-2).
|
|
166
|
-
*/
|
|
167
|
-
declare function normalizeNew(entry: unknown): CspViolation | null;
|
|
168
|
-
declare function handleCspReport(req: IncomingMessage, res: ServerResponse, opts: CspReportHandlerOptions): Promise<void>;
|
|
169
|
-
declare function handleCspReportRequest(request: Request, opts: CspReportHandlerOptions): Promise<Response>;
|
|
170
|
-
|
|
171
|
-
/**
|
|
172
|
-
* T2.2 — `/__theo/csrf-readiness` endpoint.
|
|
173
|
-
*
|
|
174
|
-
* GET /__theo/csrf-readiness → 200 + JSON summary
|
|
175
|
-
* POST /__theo/csrf-readiness/reset → 204; clears the store
|
|
176
|
-
*
|
|
177
|
-
* The reset endpoint enforces CSRF (own dog food) — requires
|
|
178
|
-
* `X-Theo-Action: 1` AND a matching Origin header (EC-15). This avoids
|
|
179
|
-
* the endpoint being weaponizable from a cross-origin page when the
|
|
180
|
-
* endpoint is opt-in exposed in production.
|
|
181
|
-
*
|
|
182
|
-
* Mount opt-in: in dev mode, the host wires this in unconditionally. In
|
|
183
|
-
* production, only mount when `config.security.csrfTelemetry.exposeReadinessEndpoint === true`.
|
|
184
|
-
* EC-10 parallel: returns 404 (via boolean false return) when the URL
|
|
185
|
-
* does not match — the caller continues normal request handling.
|
|
186
|
-
*/
|
|
187
|
-
|
|
188
|
-
declare const CSRF_READINESS_PATH = "/__theo/csrf-readiness";
|
|
189
|
-
declare const CSRF_READINESS_RESET_PATH = "/__theo/csrf-readiness/reset";
|
|
190
|
-
declare function handleCsrfReadiness(req: IncomingMessage, res: ServerResponse, store: CsrfReadinessStore): Promise<boolean>;
|
|
191
|
-
declare function handleCsrfReadinessRequest(request: Request, store: CsrfReadinessStore): Promise<Response | null>;
|
|
192
|
-
|
|
193
193
|
export { CSP_REPORT_PATH, CSRF_READINESS_PATH, CSRF_READINESS_RESET_PATH, type CspMode, type CspReportHandlerOptions, type CspViolation, CsrfReadinessStore, DEFAULT_CSP, DEFAULT_PERMISSIONS_POLICY, type SecurityEnv, type SecurityHeadersConfig, type SecurityHeadersOptions, applySecurityHeaders, buildSecurityHeaders, handleCspReport, handleCspReportRequest, handleCsrfReadiness, handleCsrfReadinessRequest, normalizeLegacy, normalizeNew };
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
import "tsx/esm";
|
|
3
3
|
import {
|
|
4
4
|
generateTypedClient
|
|
5
|
-
} from "./chunk-
|
|
5
|
+
} from "./chunk-CCVC6P6B.js";
|
|
6
6
|
import "./chunk-KT3MWNZG.js";
|
|
7
7
|
|
|
8
8
|
// src/vite-plugin/services-typed-client.ts
|
|
@@ -45,4 +45,4 @@ function servicesTypedClientPlugin(opts) {
|
|
|
45
45
|
export {
|
|
46
46
|
servicesTypedClientPlugin
|
|
47
47
|
};
|
|
48
|
-
//# sourceMappingURL=services-typed-client-
|
|
48
|
+
//# sourceMappingURL=services-typed-client-24VBMDOF.js.map
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import {
|
|
2
2
|
generateTypedClient
|
|
3
|
-
} from "./chunk-
|
|
3
|
+
} from "./chunk-D7ZH7DTG.js";
|
|
4
4
|
import "./chunk-DGUM43GV.js";
|
|
5
5
|
|
|
6
6
|
// src/vite-plugin/services-typed-client.ts
|
|
@@ -43,4 +43,4 @@ function servicesTypedClientPlugin(opts) {
|
|
|
43
43
|
export {
|
|
44
44
|
servicesTypedClientPlugin
|
|
45
45
|
};
|
|
46
|
-
//# sourceMappingURL=services-typed-client-
|
|
46
|
+
//# sourceMappingURL=services-typed-client-IETY2SAK.js.map
|
|
@@ -3,6 +3,13 @@ import "tsx/esm";
|
|
|
3
3
|
import {
|
|
4
4
|
preflightNodeAndBindings
|
|
5
5
|
} from "./chunk-HNBWZKIQ.js";
|
|
6
|
+
import {
|
|
7
|
+
resolveTransformer
|
|
8
|
+
} from "./chunk-PBEH6NXR.js";
|
|
9
|
+
import {
|
|
10
|
+
loadConfig,
|
|
11
|
+
loadEnv
|
|
12
|
+
} from "./chunk-IHMJV2OK.js";
|
|
6
13
|
import {
|
|
7
14
|
buildSecurityHeaders,
|
|
8
15
|
createPluginRunnerFromConfig,
|
|
@@ -13,27 +20,20 @@ import {
|
|
|
13
20
|
findSuggestion,
|
|
14
21
|
generateNonce,
|
|
15
22
|
logRequest,
|
|
16
|
-
resolveTransformer,
|
|
17
23
|
sendError,
|
|
18
24
|
warnOnce
|
|
19
|
-
} from "./chunk-
|
|
20
|
-
import
|
|
21
|
-
|
|
22
|
-
loadEnv
|
|
23
|
-
} from "./chunk-DUKXQNM7.js";
|
|
24
|
-
import "./chunk-FGOX37NB.js";
|
|
25
|
-
import "./chunk-X32KQH5C.js";
|
|
25
|
+
} from "./chunk-MV4LKTW6.js";
|
|
26
|
+
import "./chunk-BNGBG2SQ.js";
|
|
27
|
+
import "./chunk-CCVC6P6B.js";
|
|
26
28
|
import {
|
|
27
29
|
loadManifest
|
|
28
|
-
} from "./chunk-
|
|
30
|
+
} from "./chunk-3LVRAGAZ.js";
|
|
29
31
|
import {
|
|
30
32
|
matchRoute,
|
|
33
|
+
scanServerActions,
|
|
31
34
|
scanServerRoutes,
|
|
32
35
|
scanWebSocketRoutes
|
|
33
|
-
} from "./chunk-
|
|
34
|
-
import {
|
|
35
|
-
scanServerActions
|
|
36
|
-
} from "./chunk-UVHRD33F.js";
|
|
36
|
+
} from "./chunk-6FYD34NX.js";
|
|
37
37
|
import "./chunk-KT3MWNZG.js";
|
|
38
38
|
|
|
39
39
|
// src/cli/commands/start/index.ts
|
|
@@ -47,7 +47,7 @@ import { resolve } from "path";
|
|
|
47
47
|
async function configureAgentRegistryFromConfig(registryConfig) {
|
|
48
48
|
if (registryConfig === void 0) return;
|
|
49
49
|
try {
|
|
50
|
-
const sdk = await import("./dist-
|
|
50
|
+
const sdk = await import("./dist-6GPD6WCU.js").catch(() => null);
|
|
51
51
|
const sdkConfigure = sdk?.Agent?.registry?.configure;
|
|
52
52
|
if (sdkConfigure === void 0) return;
|
|
53
53
|
const { configureAgentRegistryOnce } = await import("./configure-agent-registry-6YGTJYBC.js");
|
|
@@ -71,7 +71,7 @@ async function configureStorageManagerFromConfig(storageConfig) {
|
|
|
71
71
|
if (storageConfig === void 0 || storageConfig === null) return;
|
|
72
72
|
try {
|
|
73
73
|
const { getStorageManager } = await import("./storage-manager-D5KBXXKB.js");
|
|
74
|
-
const { storageSchema } = await import("./schema-
|
|
74
|
+
const { storageSchema } = await import("./schema-NPI4NJEF.js");
|
|
75
75
|
const parsed = storageSchema.parse(storageConfig);
|
|
76
76
|
getStorageManager().configure(parsed);
|
|
77
77
|
} catch (err) {
|
|
@@ -101,7 +101,7 @@ function installGracefulShutdown(server) {
|
|
|
101
101
|
[theokit] ${signal} received \u2014 evicting agents`);
|
|
102
102
|
void (async () => {
|
|
103
103
|
try {
|
|
104
|
-
const sdk = await import("./dist-
|
|
104
|
+
const sdk = await import("./dist-6GPD6WCU.js").catch(() => null);
|
|
105
105
|
if (sdk?.Agent?.registry?.evictAll !== void 0) {
|
|
106
106
|
await sdk.Agent.registry.evictAll();
|
|
107
107
|
}
|
|
@@ -395,6 +395,81 @@ async function setupSsr(opts) {
|
|
|
395
395
|
function asSsrRenderResult(value) {
|
|
396
396
|
return value;
|
|
397
397
|
}
|
|
398
|
+
function isRedirectResult(result) {
|
|
399
|
+
return result !== null && typeof result === "object" && "redirect" in result;
|
|
400
|
+
}
|
|
401
|
+
function sendRedirect(res, result) {
|
|
402
|
+
res.writeHead(302, { Location: result.redirect.headers.get("location") ?? "/" });
|
|
403
|
+
res.end();
|
|
404
|
+
}
|
|
405
|
+
function send500(res, custom500Html) {
|
|
406
|
+
if (!res.headersSent) {
|
|
407
|
+
res.writeHead(500, { "Content-Type": "text/html" });
|
|
408
|
+
}
|
|
409
|
+
if (!res.writableEnded) {
|
|
410
|
+
res.end(custom500Html ?? "<h1>500 \u2014 Server Error</h1>");
|
|
411
|
+
}
|
|
412
|
+
}
|
|
413
|
+
function buildSsrHtml(ctx, result, nonce) {
|
|
414
|
+
if (typeof result === "string") {
|
|
415
|
+
return ctx.htmlHead + result + ctx.htmlTail;
|
|
416
|
+
}
|
|
417
|
+
if (isSsrRenderResult(result)) {
|
|
418
|
+
const rendered = asSsrRenderResult(result);
|
|
419
|
+
const dataJson = JSON.stringify(rendered.hydrationData).replace(/</g, "\\u003c");
|
|
420
|
+
const hydrationScript = `<script${nonce ? ` nonce="${nonce}"` : ""}>window.__staticRouterHydrationData=${dataJson}</script>`;
|
|
421
|
+
return ctx.htmlHead + rendered.html + hydrationScript + ctx.htmlTail;
|
|
422
|
+
}
|
|
423
|
+
return ctx.htmlHead + ctx.htmlTail;
|
|
424
|
+
}
|
|
425
|
+
async function handleSsrStreaming(ctx, req, res, url, nonce) {
|
|
426
|
+
if (!ctx.ssrStreamingEnabled || !ctx.ssrRenderStreaming) return false;
|
|
427
|
+
const controller = new AbortController();
|
|
428
|
+
const onClose = () => {
|
|
429
|
+
controller.abort();
|
|
430
|
+
};
|
|
431
|
+
req.on("close", onClose);
|
|
432
|
+
try {
|
|
433
|
+
const result = await ctx.ssrRenderStreaming(url, res, {
|
|
434
|
+
signal: controller.signal,
|
|
435
|
+
nonce
|
|
436
|
+
});
|
|
437
|
+
if (isRedirectResult(result)) sendRedirect(res, result);
|
|
438
|
+
return true;
|
|
439
|
+
} catch (streamErr) {
|
|
440
|
+
console.error("[SSR Stream Error]", streamErr.message);
|
|
441
|
+
send500(res, ctx.custom500Html);
|
|
442
|
+
return true;
|
|
443
|
+
} finally {
|
|
444
|
+
req.removeListener("close", onClose);
|
|
445
|
+
}
|
|
446
|
+
}
|
|
447
|
+
async function handleSsrSync(ctx, res, url, nonce) {
|
|
448
|
+
if (!ctx.ssrRender) return false;
|
|
449
|
+
try {
|
|
450
|
+
const result = await ctx.ssrRender(url, { nonce });
|
|
451
|
+
if (isRedirectResult(result)) {
|
|
452
|
+
sendRedirect(res, result);
|
|
453
|
+
return true;
|
|
454
|
+
}
|
|
455
|
+
res.writeHead(200, { "Content-Type": "text/html" });
|
|
456
|
+
res.end(buildSsrHtml(ctx, result, nonce));
|
|
457
|
+
return true;
|
|
458
|
+
} catch (ssrErr) {
|
|
459
|
+
console.error("[SSR Error] Falling back to CSR:", ssrErr.message);
|
|
460
|
+
return false;
|
|
461
|
+
}
|
|
462
|
+
}
|
|
463
|
+
function handleFatalError(ctx, res, err) {
|
|
464
|
+
if (ctx.custom500Html && !res.headersSent) {
|
|
465
|
+
res.writeHead(500, { "Content-Type": "text/html" });
|
|
466
|
+
res.end(ctx.custom500Html);
|
|
467
|
+
} else if (!res.headersSent) {
|
|
468
|
+
sendError(res, "INTERNAL_ERROR", err.message, 500);
|
|
469
|
+
} else {
|
|
470
|
+
res.end();
|
|
471
|
+
}
|
|
472
|
+
}
|
|
398
473
|
function createRequestHandler(ctx) {
|
|
399
474
|
return (req, res) => {
|
|
400
475
|
void (async () => {
|
|
@@ -416,72 +491,12 @@ function createRequestHandler(ctx) {
|
|
|
416
491
|
if (await tryServeApiRoute(handlerCtx)) return;
|
|
417
492
|
if (tryServeStatic(handlerCtx)) return;
|
|
418
493
|
if (tryServeCustom404(handlerCtx)) return;
|
|
419
|
-
if (ctx
|
|
420
|
-
|
|
421
|
-
const onClose = () => {
|
|
422
|
-
controller.abort();
|
|
423
|
-
};
|
|
424
|
-
req.on("close", onClose);
|
|
425
|
-
try {
|
|
426
|
-
const result = await ctx.ssrRenderStreaming(url, res, {
|
|
427
|
-
signal: controller.signal,
|
|
428
|
-
nonce
|
|
429
|
-
});
|
|
430
|
-
if (result && typeof result === "object" && "redirect" in result) {
|
|
431
|
-
res.writeHead(302, { Location: result.redirect.headers.get("location") ?? "/" });
|
|
432
|
-
res.end();
|
|
433
|
-
return;
|
|
434
|
-
}
|
|
435
|
-
return;
|
|
436
|
-
} catch (streamErr) {
|
|
437
|
-
console.error("[SSR Stream Error]", streamErr.message);
|
|
438
|
-
if (!res.headersSent) {
|
|
439
|
-
res.writeHead(500, { "Content-Type": "text/html" });
|
|
440
|
-
}
|
|
441
|
-
if (!res.writableEnded) {
|
|
442
|
-
res.end(ctx.custom500Html ?? "<h1>500 \u2014 Server Error</h1>");
|
|
443
|
-
}
|
|
444
|
-
return;
|
|
445
|
-
} finally {
|
|
446
|
-
req.removeListener("close", onClose);
|
|
447
|
-
}
|
|
448
|
-
}
|
|
449
|
-
if (ctx.ssrRender) {
|
|
450
|
-
try {
|
|
451
|
-
const result = await ctx.ssrRender(url, { nonce });
|
|
452
|
-
if (result && typeof result === "object" && "redirect" in result) {
|
|
453
|
-
res.writeHead(302, { Location: result.redirect.headers.get("location") ?? "/" });
|
|
454
|
-
res.end();
|
|
455
|
-
return;
|
|
456
|
-
}
|
|
457
|
-
let ssrHtml = "";
|
|
458
|
-
let hydrationScript = "";
|
|
459
|
-
if (typeof result === "string") {
|
|
460
|
-
ssrHtml = result;
|
|
461
|
-
} else if (isSsrRenderResult(result)) {
|
|
462
|
-
const rendered = asSsrRenderResult(result);
|
|
463
|
-
ssrHtml = rendered.html;
|
|
464
|
-
const dataJson = JSON.stringify(rendered.hydrationData).replace(/</g, "\\u003c");
|
|
465
|
-
hydrationScript = `<script${nonce ? ` nonce="${nonce}"` : ""}>window.__staticRouterHydrationData=${dataJson}</script>`;
|
|
466
|
-
}
|
|
467
|
-
res.writeHead(200, { "Content-Type": "text/html" });
|
|
468
|
-
res.end(ctx.htmlHead + ssrHtml + hydrationScript + ctx.htmlTail);
|
|
469
|
-
return;
|
|
470
|
-
} catch (ssrErr) {
|
|
471
|
-
console.error("[SSR Error] Falling back to CSR:", ssrErr.message);
|
|
472
|
-
}
|
|
473
|
-
}
|
|
494
|
+
if (await handleSsrStreaming(ctx, req, res, url, nonce)) return;
|
|
495
|
+
if (await handleSsrSync(ctx, res, url, nonce)) return;
|
|
474
496
|
res.writeHead(200, { "Content-Type": "text/html" });
|
|
475
497
|
res.end(ctx.indexHtml);
|
|
476
498
|
} catch (err) {
|
|
477
|
-
|
|
478
|
-
res.writeHead(500, { "Content-Type": "text/html" });
|
|
479
|
-
res.end(ctx.custom500Html);
|
|
480
|
-
} else if (!res.headersSent) {
|
|
481
|
-
sendError(res, "INTERNAL_ERROR", err.message, 500);
|
|
482
|
-
} else {
|
|
483
|
-
res.end();
|
|
484
|
-
}
|
|
499
|
+
handleFatalError(ctx, res, err);
|
|
485
500
|
}
|
|
486
501
|
})();
|
|
487
502
|
};
|
|
@@ -612,4 +627,4 @@ export {
|
|
|
612
627
|
resolveSsrEntry,
|
|
613
628
|
startCommand
|
|
614
629
|
};
|
|
615
|
-
//# sourceMappingURL=start-
|
|
630
|
+
//# sourceMappingURL=start-SPFWOGHL.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/cli/commands/start/index.ts","../src/cli/commands/start/bootstrap-stages.ts","../src/cli/commands/start/graceful-shutdown.ts","../src/cli/commands/start/manifest-loader.ts","../src/cli/commands/start/request-handler.ts","../src/cli/commands/start/handlers.ts","../src/server/http/static.ts","../src/cli/commands/start/ssr-setup.ts","../src/cli/commands/start/websocket-handler.ts"],"sourcesContent":["/**\n * theokit start — production server orchestration spine.\n *\n * T4.2 (architecture-cleanup, ADR-0017): stages extracted to sibling modules.\n * - start-bootstrap-stages.ts — config/registry/storage bootstrap + resolveSsrEntry\n * - start-manifest-loader.ts — manifest.json or scan fallback\n * - start-ssr-setup.ts — SSR entry-server + HTML template split\n * - start-handlers.ts — branch handlers (action/route/static/404)\n * - start-request-handler.ts — request lifecycle wiring\n * - start-websocket-handler.ts — WS upgrade (opt-in)\n * - start-graceful-shutdown.ts — SIGTERM/SIGINT drain\n */\n\nimport { existsSync, readFileSync } from 'node:fs'\nimport { createServer } from 'node:http'\nimport { join, resolve } from 'node:path'\n\nimport { loadConfig } from '../../../config/load-config.js'\nimport { loadEnv } from '../../../config/load-env.js'\nimport { createPluginRunnerFromConfig } from '../../../server/plugins/load-plugins.js'\nimport { createRateLimiter } from '../../../server/rate-limit/rate-limit.js'\nimport { createProductionLoader } from '../../../server/scan/module-loader.js'\nimport { resolveTransformer } from '../../../server/transformer.js'\nimport { preflightNodeAndBindings } from '../../preflight-node-version.js'\n\nimport {\n configureAgentRegistryFromConfig,\n configureStorageManagerFromConfig,\n} from './bootstrap-stages.js'\nimport { installGracefulShutdown } from './graceful-shutdown.js'\nimport type { RequestHandlerCtx } from './handlers.js'\nimport { loadRoutesAndActions } from './manifest-loader.js'\nimport { createRequestHandler } from './request-handler.js'\nimport { setupSsr } from './ssr-setup.js'\nimport { attachWebSocketHandler } from './websocket-handler.js'\n\n// Backwards-compat: external test fixtures may import resolveSsrEntry from here.\nexport { resolveSsrEntry } from './bootstrap-stages.js'\n\ninterface StartOptions {\n port?: number\n}\n\nexport async function startCommand(options: StartOptions): Promise<void> {\n const cwd = process.cwd()\n // Preflight (FIRST — BEFORE anything that touches native bindings).\n preflightNodeAndBindings(cwd)\n loadEnv({ cwd, mode: 'production' })\n const config = await loadConfig(cwd)\n\n await configureAgentRegistryFromConfig(config.agents?.registry)\n await configureStorageManagerFromConfig(config.storage)\n\n const distDir = resolve(cwd, '.theokit')\n const clientDir = resolve(distDir, 'client')\n const serverDir = resolve(cwd, 'server')\n\n if (!existsSync(clientDir)) {\n throw new Error('No build found. Run `theo build` first.')\n }\n\n const indexHtml = readFileSync(join(clientDir, 'index.html'), 'utf-8')\n const loadModule = createProductionLoader()\n const port = options.port ?? config.port\n const pluginRunner = await createPluginRunnerFromConfig(config.plugins)\n const transformer = resolveTransformer(config.serialization)\n\n const custom404Path = join(clientDir, '404.html')\n const custom500Path = join(clientDir, '500.html')\n const custom404Html = existsSync(custom404Path) ? readFileSync(custom404Path, 'utf-8') : null\n const custom500Html = existsSync(custom500Path) ? readFileSync(custom500Path, 'utf-8') : null\n\n const {\n routes: cachedRoutes,\n actions: cachedActions,\n wsRoutes: cachedWsRoutes,\n } = loadRoutesAndActions(distDir, serverDir)\n\n // Rate limiter (legacy flat form only — per-route variant is handled in\n // api-middleware integration path, not this fallback).\n const flatRateLimit =\n config.rateLimit && 'windowMs' in config.rateLimit && 'max' in config.rateLimit\n ? config.rateLimit\n : undefined\n const rateLimiter = flatRateLimit ? createRateLimiter(flatRateLimit) : null\n\n const ssr = await setupSsr({\n distDir,\n indexHtml,\n ssrConfigEnabled: config.ssr,\n ssrStreamingConfig: config.ssrStreaming,\n })\n\n const server = createServer(\n createRequestHandler({\n buildCtx: (req, res, requestId, startTime): RequestHandlerCtx => ({\n req,\n res,\n url: req.url ?? '/',\n requestId,\n startTime,\n clientDir,\n custom404Html,\n cachedRoutes,\n cachedActions,\n loadModule,\n serverDir,\n pluginRunner,\n transformer,\n csrfMode: config.security?.csrf ?? 'strict',\n disallowed: config.security?.disallowed,\n rateLimiter,\n }),\n securityHeadersConfig: config.security?.headers ?? {},\n ssrRender: ssr.render,\n ssrRenderStreaming: ssr.renderStreaming,\n ssrStreamingEnabled: ssr.streamingEnabled,\n htmlHead: ssr.htmlHead,\n htmlTail: ssr.htmlTail,\n indexHtml,\n custom500Html,\n }),\n )\n\n await attachWebSocketHandler(server, cachedWsRoutes, loadModule)\n\n server.listen(port, () => {\n console.log(`\\n Theo production server`)\n console.log(` → http://localhost:${String(port)}\\n`)\n })\n\n installGracefulShutdown(server)\n}\n","/**\n * Bootstrap stages extracted from `start.ts` per T4.2 (architecture-cleanup, ADR-0017).\n *\n * The full goal of T4.2 is a ≤30-LOC `startCommand` spine + 6-8 stage files. This\n * file ships the first batch: the configure-from-config bootstrap helpers + the\n * SSR entry resolver. They are stand-alone, side-effect-free at module load, and\n * already individually testable.\n *\n * Remaining stages (request-handler extraction, graceful-shutdown extraction,\n * signal-handlers extraction) are deferred to a follow-up sprint — see plan\n * `docs/plans/architecture-cleanup-plan.md` T4.2 Deferred sub-tasks.\n */\n\nimport { existsSync } from 'node:fs'\nimport { resolve } from 'node:path'\n\nimport { warnOnce } from '../../../server/observability/logger.js'\n\ninterface SdkAgentRegistry {\n configure?: (opts: { maxAgents?: number; idleTimeoutMs?: number }) => void\n}\ninterface SdkModule {\n Agent?: { registry?: SdkAgentRegistry }\n}\n\n/**\n * Configure SDK's Agent.registry from `theo.config.ts > agents.registry`.\n * Lazy at boot; EC-3 sync flag flip prevents race under concurrent boot.\n * Silent no-op when registry config is absent or SDK is uninstalled.\n */\nexport async function configureAgentRegistryFromConfig(\n registryConfig: { maxAgents: number; idleTimeoutMs: number } | undefined,\n): Promise<void> {\n if (registryConfig === undefined) return\n try {\n const sdk = (await import('@theokit/sdk').catch(() => null)) as SdkModule | null\n const sdkConfigure = sdk?.Agent?.registry?.configure\n if (sdkConfigure === undefined) return\n const { configureAgentRegistryOnce } =\n await import('../../../server/agent/configure-agent-registry.js')\n configureAgentRegistryOnce(\n {\n configure: (opts) => {\n sdkConfigure(opts)\n },\n },\n registryConfig,\n )\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err)\n warnOnce('bootstrap.agent_registry_skip', {\n event: 'bootstrap.agent_registry_skip',\n message: msg,\n })\n }\n}\n\n/**\n * Configure the StorageManager from `theo.config.ts > storage` (ADR-0007).\n * Manager enforces configure-once internally (D3); this helper bridges the\n * config to the singleton with actionable error handling.\n */\nexport async function configureStorageManagerFromConfig(storageConfig: unknown): Promise<void> {\n if (storageConfig === undefined || storageConfig === null) return\n try {\n const { getStorageManager } = await import('../../../server/storage/storage-manager.js')\n const { storageSchema } = await import('../../../config/schema.js')\n // Re-validate at boot so a malformed config from a non-Zod source\n // (test fixtures, dynamic configs) surfaces a clear error early.\n const parsed = storageSchema.parse(storageConfig)\n getStorageManager().configure(parsed)\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err)\n warnOnce('bootstrap.storage_skip', {\n event: 'bootstrap.storage_skip',\n message: msg,\n })\n }\n}\n\nconst SSR_EXTENSIONS = ['.mjs', '.js'] as const\n\n/**\n * Resolve the SSR entry-server module path. tsup may emit `.mjs` or `.js`\n * depending on output format. Try `.mjs` first (modern default) then fall\n * back to `.js`. Returns null when neither exists — SSR stays disabled.\n *\n * Exported so unit tests can pin the resolution order without booting the\n * full CLI.\n */\nexport function resolveSsrEntry(distDir: string): string | null {\n for (const ext of SSR_EXTENSIONS) {\n const path = resolve(distDir, `server/entry-server${ext}`)\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- distDir is from `theokit start`'s own caller-controlled config; the suffix is from a const literal array\n if (existsSync(path)) return path\n }\n return null\n}\n","/**\n * Graceful shutdown stage for `theokit start` (T4.2 architecture-cleanup,\n * ADR-0007 D6 — SIGTERM evicts agents + drains StorageManager).\n *\n * EC-13: SIGTERM evicts agents IMMEDIATELY (no per-request drain). In-flight\n * requests get aborted mid-stream — acceptable because the platform LB\n * removed this pod from rotation BEFORE sending SIGTERM (K8s preStop hook +\n * terminationGracePeriodSeconds; same on Vercel/CF/Render).\n *\n * Re-entry guard: multiple SIGTERMs in quick succession run shutdown ONCE.\n */\n\nimport type { Server as HttpServer } from 'node:http'\n\nimport { warnOnce } from '../../../server/observability/logger.js'\n\nexport function installGracefulShutdown(server: HttpServer): void {\n let shuttingDown = false\n const shutdown = (signal: NodeJS.Signals): void => {\n if (shuttingDown) return\n shuttingDown = true\n console.log(`\\n [theokit] ${signal} received — evicting agents`)\n void (async () => {\n // Lazy-import SDK only at shutdown time to avoid forcing the dep on\n // apps that don't use agents at all.\n try {\n const sdk = (await import('@theokit/sdk').catch(() => null)) as {\n Agent?: { registry?: { evictAll?: () => Promise<void> } }\n } | null\n if (sdk?.Agent?.registry?.evictAll !== undefined) {\n await sdk.Agent.registry.evictAll()\n }\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err)\n warnOnce('shutdown.evict_error', {\n event: 'shutdown.evict_error',\n message: msg,\n })\n }\n // T3.1 — drain the StorageManager AFTER agent eviction. Order matters:\n // agents may still hold open pool refs while evicting; closing pools\n // first would break in-flight queries.\n try {\n const { getStorageManager } = await import('../../../server/storage/storage-manager.js')\n const manager = getStorageManager()\n await manager.dispose()\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err)\n warnOnce('shutdown.dispose_error', {\n event: 'shutdown.dispose_error',\n message: msg,\n })\n }\n console.log(` [theokit] shutdown complete`)\n server.close(() => {\n process.exit(0)\n })\n setTimeout(() => {\n warnOnce('shutdown.forced_exit', {\n event: 'shutdown.forced_exit',\n message: 'forced exit after 25s timeout',\n })\n process.exit(0)\n }, 25_000).unref()\n })()\n }\n process.on('SIGTERM', () => {\n shutdown('SIGTERM')\n })\n process.on('SIGINT', () => {\n shutdown('SIGINT')\n })\n}\n","/**\n * Manifest loading stage for `theokit start` (T4.2 architecture-cleanup).\n *\n * Loads pre-built manifest from `.theokit/manifest.json` if present; otherwise\n * scans server/ for routes/actions/ws at startup with a structured warn.\n */\n\nimport { existsSync } from 'node:fs'\nimport { join } from 'node:path'\n\nimport { warnOnce } from '../../../server/observability/logger.js'\nimport type { ActionNode } from '../../../server/scan/action-scan.js'\nimport { scanServerActions } from '../../../server/scan/action-scan.js'\nimport { loadManifest } from '../../../server/scan/manifest.js'\nimport type { ServerRouteNode } from '../../../server/scan/match.js'\nimport { scanServerRoutes } from '../../../server/scan/scan.js'\nimport type { WebSocketRouteNode } from '../../../server/scan/ws-scan.js'\nimport { scanWebSocketRoutes } from '../../../server/scan/ws-scan.js'\n\nexport interface LoadedRoutes {\n routes: ServerRouteNode[]\n actions: ActionNode[]\n wsRoutes: WebSocketRouteNode[]\n}\n\nexport function loadRoutesAndActions(distDir: string, serverDir: string): LoadedRoutes {\n const manifestPath = join(distDir, 'manifest.json')\n\n if (existsSync(manifestPath)) {\n const manifest = loadManifest(distDir, serverDir)\n return {\n routes: manifest.routes,\n actions: manifest.actions,\n wsRoutes: manifest.websockets,\n }\n }\n warnOnce('bootstrap.manifest_not_found', {\n event: 'bootstrap.manifest_not_found',\n message:\n 'No manifest found, scanning routes at startup. Run \"theo build\" to generate manifest.',\n serverDir,\n })\n return {\n routes: scanServerRoutes(serverDir),\n actions: scanServerActions(serverDir),\n wsRoutes: scanWebSocketRoutes(serverDir),\n }\n}\n","/**\n * Inline request handler for `theokit start` (T4.2 architecture-cleanup).\n *\n * Wires the per-request flow: security headers → action/route/static branches\n * → SSR fallback → CSR fallback → 500 page.\n *\n * Refactored: CC reduced from 33 to ≤10 per function\n * (architecture-remediation T2.1, 2026-06-12).\n */\n\nimport { randomUUID } from 'node:crypto'\nimport type { IncomingMessage, ServerResponse } from 'node:http'\n\nimport { generateNonce } from '../../../server/auth/nonce.js'\nimport { sendError } from '../../../server/http/send-response.js'\nimport { buildSecurityHeaders } from '../../../server/security/security-headers.js'\n\nimport {\n tryServeAction,\n tryServeApiRoute,\n tryServeCustom404,\n tryServeStatic,\n type RequestHandlerCtx,\n} from './handlers.js'\nimport {\n isSsrRenderResult,\n type SsrRender,\n type SsrRenderResult,\n type SsrRenderStreaming,\n} from './ssr-setup.js'\n\nexport interface RequestHandlerContext {\n buildCtx: (\n req: IncomingMessage,\n res: ServerResponse,\n requestId: string,\n startTime: number,\n ) => RequestHandlerCtx\n securityHeadersConfig: Parameters<typeof buildSecurityHeaders>[0]\n ssrRender: SsrRender | null\n ssrRenderStreaming: SsrRenderStreaming | null\n ssrStreamingEnabled: boolean\n htmlHead: string\n htmlTail: string\n indexHtml: string\n custom500Html: string | null\n}\n\nfunction asSsrRenderResult(value: SsrRenderResult): SsrRenderResult {\n return value\n}\n\nfunction isRedirectResult(result: unknown): result is { redirect: Response } {\n return result !== null && typeof result === 'object' && 'redirect' in result\n}\n\nfunction sendRedirect(res: ServerResponse, result: { redirect: Response }): void {\n res.writeHead(302, { Location: result.redirect.headers.get('location') ?? '/' })\n res.end()\n}\n\nfunction send500(res: ServerResponse, custom500Html: string | null): void {\n if (!res.headersSent) {\n res.writeHead(500, { 'Content-Type': 'text/html' })\n }\n if (!res.writableEnded) {\n res.end(custom500Html ?? '<h1>500 — Server Error</h1>')\n }\n}\n\nfunction buildSsrHtml(\n ctx: RequestHandlerContext,\n result: string | SsrRenderResult,\n nonce: string,\n): string {\n if (typeof result === 'string') {\n return ctx.htmlHead + result + ctx.htmlTail\n }\n if (isSsrRenderResult(result)) {\n const rendered = asSsrRenderResult(result)\n const dataJson = JSON.stringify(rendered.hydrationData).replace(/</g, '\\\\u003c')\n const hydrationScript = `<script${\n nonce ? ` nonce=\"${nonce}\"` : ''\n }>window.__staticRouterHydrationData=${dataJson}</script>`\n return ctx.htmlHead + rendered.html + hydrationScript + ctx.htmlTail\n }\n return ctx.htmlHead + ctx.htmlTail\n}\n\nasync function handleSsrStreaming(\n ctx: RequestHandlerContext,\n req: IncomingMessage,\n res: ServerResponse,\n url: string,\n nonce: string,\n): Promise<boolean> {\n if (!ctx.ssrStreamingEnabled || !ctx.ssrRenderStreaming) return false\n\n const controller = new AbortController()\n const onClose = (): void => {\n controller.abort()\n }\n req.on('close', onClose)\n try {\n const result = await ctx.ssrRenderStreaming(url, res, {\n signal: controller.signal,\n nonce,\n })\n if (isRedirectResult(result)) sendRedirect(res, result)\n return true\n } catch (streamErr) {\n console.error('[SSR Stream Error]', (streamErr as Error).message)\n send500(res, ctx.custom500Html)\n return true\n } finally {\n req.removeListener('close', onClose)\n }\n}\n\nasync function handleSsrSync(\n ctx: RequestHandlerContext,\n res: ServerResponse,\n url: string,\n nonce: string,\n): Promise<boolean> {\n if (!ctx.ssrRender) return false\n\n try {\n const result = await ctx.ssrRender(url, { nonce })\n if (isRedirectResult(result)) {\n sendRedirect(res, result)\n return true\n }\n res.writeHead(200, { 'Content-Type': 'text/html' })\n res.end(buildSsrHtml(ctx, result, nonce))\n return true\n } catch (ssrErr) {\n console.error('[SSR Error] Falling back to CSR:', (ssrErr as Error).message)\n return false\n }\n}\n\nfunction handleFatalError(ctx: RequestHandlerContext, res: ServerResponse, err: unknown): void {\n if (ctx.custom500Html && !res.headersSent) {\n res.writeHead(500, { 'Content-Type': 'text/html' })\n res.end(ctx.custom500Html)\n } else if (!res.headersSent) {\n sendError(res, 'INTERNAL_ERROR', (err as Error).message, 500)\n } else {\n res.end()\n }\n}\n\nexport function createRequestHandler(\n ctx: RequestHandlerContext,\n): (req: IncomingMessage, res: ServerResponse) => void {\n return (req: IncomingMessage, res: ServerResponse) => {\n void (async () => {\n const url = req.url ?? '/'\n const requestId = randomUUID()\n const start = Date.now()\n\n const nonce = generateNonce()\n const securityHeaders = buildSecurityHeaders(\n ctx.securityHeadersConfig,\n { production: true },\n { nonce },\n )\n for (const [k, v] of Object.entries(securityHeaders)) {\n res.setHeader(k, v)\n }\n\n const handlerCtx = ctx.buildCtx(req, res, requestId, start)\n\n try {\n if (await tryServeAction(handlerCtx)) return\n if (await tryServeApiRoute(handlerCtx)) return\n if (tryServeStatic(handlerCtx)) return\n if (tryServeCustom404(handlerCtx)) return\n\n if (await handleSsrStreaming(ctx, req, res, url, nonce)) return\n if (await handleSsrSync(ctx, res, url, nonce)) return\n\n // CSR fallback\n res.writeHead(200, { 'Content-Type': 'text/html' })\n res.end(ctx.indexHtml)\n } catch (err) {\n handleFatalError(ctx, res, err)\n }\n })()\n }\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { extname } from 'node:path'\n\nimport { executeAction } from '../../../server/http/action-execute.js'\nimport { executeRoute } from '../../../server/http/execute.js'\nimport { sendError } from '../../../server/http/send-response.js'\nimport { serveStaticFile } from '../../../server/http/static.js'\nimport { logRequest } from '../../../server/observability/logger.js'\nimport { findSuggestion } from '../../../server/observability/suggest.js'\nimport type { PluginRunner } from '../../../server/plugins/plugin-runner.js'\nimport type { ActionNode } from '../../../server/scan/action-scan.js'\nimport { matchRoute } from '../../../server/scan/match.js'\nimport type { ServerRouteNode } from '../../../server/scan/match.js'\nimport type { LoadModule } from '../../../server/scan/module-loader.js'\nimport type { CsrfMode, DisallowedConfig } from '../../../server/security/csrf.js'\nimport type { TheoTransformer } from '../../../server/transformer.js'\n\n/**\n * T6.1 (PV-7 SRP): start.ts request orchestrator decomposed into 5 focused\n * per-branch handlers. Each handler returns `true` if it handled the\n * request (response sent) so the orchestrator can stop iterating.\n *\n * The original 455-LOC monolith closed over 14+ locals; the shared shape\n * `RequestHandlerCtx` makes the dependencies explicit + reviewable.\n */\nexport interface RequestHandlerCtx {\n req: IncomingMessage\n res: ServerResponse\n url: string\n requestId: string\n startTime: number\n // Pre-loaded build artifacts\n clientDir: string\n custom404Html: string | null\n // Manifest-resolved tables\n cachedRoutes: ServerRouteNode[]\n cachedActions: ActionNode[]\n // Runtime infra\n loadModule: LoadModule\n serverDir: string\n pluginRunner: PluginRunner | undefined\n transformer: TheoTransformer | undefined\n csrfMode: CsrfMode\n disallowed: DisallowedConfig | undefined\n rateLimiter:\n | ((req: IncomingMessage) => { limited: boolean; headers: Record<string, string> })\n | null\n}\n\n/** Apply rate limit; return true if request was limited (response sent). */\nfunction applyRateLimit(c: RequestHandlerCtx, method: string): boolean {\n if (!c.rateLimiter) return false\n const check = c.rateLimiter(c.req)\n for (const [k, v] of Object.entries(check.headers)) c.res.setHeader(k, v)\n if (check.limited) {\n sendError(c.res, 'RATE_LIMITED', 'Too many requests', 429, undefined, c.requestId)\n logRequest({\n method,\n url: c.url,\n status: 429,\n duration: Date.now() - c.startTime,\n requestId: c.requestId,\n })\n return true\n }\n return false\n}\n\n/** Branch 1: action routes (`/api/__actions/{file}/{exportName}`). */\nexport async function tryServeAction(c: RequestHandlerCtx): Promise<boolean> {\n if (!c.url.startsWith('/api/__actions/')) return false\n c.res.setHeader('x-request-id', c.requestId)\n\n if (applyRateLimit(c, c.req.method ?? 'POST')) return true\n\n const pathAfterPrefix = c.url.slice('/api/__actions/'.length).split('?')[0]\n const segments = pathAfterPrefix.split('/').filter(Boolean)\n if (segments.length < 2) {\n sendError(\n c.res,\n 'BAD_REQUEST',\n 'Action URL must be /api/__actions/{file}/{exportName}',\n 400,\n undefined,\n c.requestId,\n )\n logRequest({\n method: c.req.method ?? 'POST',\n url: c.url,\n status: 400,\n duration: Date.now() - c.startTime,\n requestId: c.requestId,\n })\n return true\n }\n const exportName = segments[segments.length - 1]\n const actionPath = segments.slice(0, -1).join('/')\n const action = c.cachedActions.find((a) => a.actionPath === actionPath)\n if (!action) {\n const actionPaths = c.cachedActions.map((a) => a.actionPath)\n const suggestion = findSuggestion(actionPath, actionPaths)\n const msg = suggestion\n ? `Action \"${actionPath}\" not found. Did you mean: ${suggestion}?`\n : `Action \"${actionPath}\" not found`\n sendError(c.res, 'NOT_FOUND', msg, 404, undefined, c.requestId)\n logRequest({\n method: c.req.method ?? 'POST',\n url: c.url,\n status: 404,\n duration: Date.now() - c.startTime,\n requestId: c.requestId,\n })\n return true\n }\n await executeAction(\n action.filePath,\n exportName,\n c.req,\n c.res,\n c.loadModule,\n c.serverDir,\n c.requestId,\n c.pluginRunner,\n c.csrfMode,\n c.disallowed,\n )\n logRequest({\n method: c.req.method ?? 'POST',\n url: c.url,\n status: c.res.statusCode,\n duration: Date.now() - c.startTime,\n requestId: c.requestId,\n })\n return true\n}\n\n/** Branch 2: API routes (`/api/*` excluding actions). */\nexport async function tryServeApiRoute(c: RequestHandlerCtx): Promise<boolean> {\n if (!c.url.startsWith('/api/')) return false\n c.res.setHeader('x-request-id', c.requestId)\n\n if (applyRateLimit(c, c.req.method ?? 'GET')) return true\n\n const match = matchRoute(c.url, c.cachedRoutes)\n if (!match) {\n const urlPath = c.url.split('?')[0]\n const routePaths = c.cachedRoutes.map((r) => r.routePath)\n const suggestion = findSuggestion(urlPath, routePaths)\n const msg = suggestion\n ? `API route not found: ${urlPath}. Did you mean: ${suggestion}?`\n : 'API route not found'\n sendError(c.res, 'NOT_FOUND', msg, 404, undefined, c.requestId)\n logRequest({\n method: c.req.method ?? 'GET',\n url: c.url,\n status: 404,\n duration: Date.now() - c.startTime,\n requestId: c.requestId,\n })\n return true\n }\n const method = (c.req.method ?? 'GET').toUpperCase()\n // T3.1 (ADR-0016) — context object replaces 12 positional args\n await executeRoute({\n route: match.route,\n method,\n params: match.params,\n req: c.req,\n res: c.res,\n loadModule: c.loadModule,\n serverDir: c.serverDir,\n requestId: c.requestId,\n pluginRunner: c.pluginRunner,\n transformer: c.transformer,\n csrfMode: c.csrfMode,\n disallowed: c.disallowed,\n })\n logRequest({\n method,\n url: c.url,\n status: c.res.statusCode,\n duration: Date.now() - c.startTime,\n requestId: c.requestId,\n })\n return true\n}\n\n/** Branch 3: static files (returns true if a static asset was served). */\nexport function tryServeStatic(c: RequestHandlerCtx): boolean {\n return serveStaticFile(c.req, c.res, c.clientDir)\n}\n\n/** Branch 4: custom 404 for URLs that look like missing assets. */\nexport function tryServeCustom404(c: RequestHandlerCtx): boolean {\n const urlPath = c.url.split('?')[0]\n if (c.custom404Html && extname(urlPath)) {\n c.res.writeHead(404, { 'Content-Type': 'text/html' })\n c.res.end(c.custom404Html)\n return true\n }\n return false\n}\n","/* eslint-disable security/detect-non-literal-fs-filename --\n * Static-file server. The URL path IS user-controlled, BUT before any fs\n * call we resolve to absolute and reject with 403 if the resolved path\n * escapes `clientDir` (see EC-1 guard at line below). The guard is\n * authoritative; the rule cannot see it.\n */\nimport { existsSync, readFileSync, statSync } from 'node:fs'\nimport type { IncomingMessage, ServerResponse } from 'node:http'\nimport { resolve, extname } from 'node:path'\n\nconst MIME_TYPES: Record<string, string> = {\n '.html': 'text/html',\n '.js': 'application/javascript',\n '.mjs': 'application/javascript',\n '.css': 'text/css',\n '.json': 'application/json',\n '.png': 'image/png',\n '.jpg': 'image/jpeg',\n '.jpeg': 'image/jpeg',\n '.gif': 'image/gif',\n '.svg': 'image/svg+xml',\n '.ico': 'image/x-icon',\n '.woff': 'font/woff',\n '.woff2': 'font/woff2',\n '.ttf': 'font/ttf',\n '.txt': 'text/plain',\n '.map': 'application/json',\n}\n\nexport function serveStaticFile(\n req: IncomingMessage,\n res: ServerResponse,\n clientDir: string,\n): boolean {\n const urlPath = (req.url ?? '/').split('?')[0]\n\n // Path traversal prevention (EC-1)\n const filePath = resolve(clientDir, '.' + urlPath)\n if (!filePath.startsWith(clientDir)) {\n res.writeHead(403)\n res.end('Forbidden')\n return true\n }\n\n if (!existsSync(filePath)) return false\n\n const stat = statSync(filePath)\n if (!stat.isFile()) return false\n\n const ext = extname(filePath)\n const contentType = MIME_TYPES[ext] ?? 'application/octet-stream'\n const content = readFileSync(filePath)\n\n res.writeHead(200, {\n 'Content-Type': contentType,\n 'Content-Length': content.length,\n })\n res.end(content)\n return true\n}\n","/**\n * SSR setup stage for `theokit start` (T4.2 architecture-cleanup).\n *\n * Loads the SSR entry-server module if configured + builds template split\n * around the React root div. Returns null renderers when SSR is disabled.\n */\n\nimport type { ServerResponse } from 'node:http'\n\nimport { resolveSsrEntry } from './bootstrap-stages.js'\n\nexport interface SsrRenderResult {\n html: string\n hydrationData: {\n loaderData?: unknown\n actionData?: unknown\n errors?: unknown\n }\n}\n\nexport type RenderStreamingResult = { redirect: Response } | { streaming: true } | undefined\n\nexport type SsrRender = (\n url: string,\n options?: { nonce?: string },\n) => Promise<SsrRenderResult | { redirect: Response } | string>\n\nexport type SsrRenderStreaming = (\n url: string,\n response: ServerResponse,\n options?: { signal?: AbortSignal; nonce?: string },\n) => Promise<RenderStreamingResult>\n\nexport interface SsrSetupResult {\n enabled: boolean\n streamingEnabled: boolean\n render: SsrRender | null\n renderStreaming: SsrRenderStreaming | null\n htmlHead: string\n htmlTail: string\n}\n\nexport function isSsrRenderResult(value: unknown): value is SsrRenderResult {\n if (typeof value !== 'object' || value === null) return false\n if (!('html' in value)) return false\n const html = (value as Record<string, unknown>).html\n if (typeof html !== 'string') return false\n return true\n}\n\ninterface SsrEntryServer {\n render: SsrRender\n renderStreaming?: SsrRenderStreaming\n}\n\nexport async function setupSsr(opts: {\n distDir: string\n indexHtml: string\n ssrConfigEnabled: boolean\n ssrStreamingConfig: boolean | undefined\n}): Promise<SsrSetupResult> {\n const ssrServerPath: string | null = opts.ssrConfigEnabled ? resolveSsrEntry(opts.distDir) : null\n const enabled = ssrServerPath !== null\n const streamingEnabled = enabled && Boolean(opts.ssrStreamingConfig)\n\n if (ssrServerPath === null) {\n return {\n enabled: false,\n streamingEnabled: false,\n render: null,\n renderStreaming: null,\n htmlHead: '',\n htmlTail: '',\n }\n }\n\n const mod = (await import(ssrServerPath)) as SsrEntryServer\n const render = mod.render\n const renderStreaming = typeof mod.renderStreaming === 'function' ? mod.renderStreaming : null\n\n // Split HTML template on root div\n let htmlHead = ''\n let htmlTail = ''\n const rootDivMatch = /<div id=[\"']root[\"'][^>]*>/.exec(opts.indexHtml)\n if (rootDivMatch) {\n const splitIdx = opts.indexHtml.indexOf(rootDivMatch[0]) + rootDivMatch[0].length\n htmlHead = opts.indexHtml.slice(0, splitIdx)\n htmlTail = opts.indexHtml.slice(splitIdx)\n }\n\n return { enabled, streamingEnabled, render, renderStreaming, htmlHead, htmlTail }\n}\n","/**\n * WebSocket upgrade handler for `theokit start` (T4.2 architecture-cleanup).\n *\n * Wires `server.on('upgrade')` for declared WS routes. Opt-in: only attached\n * when `wsRoutes.length > 0`. Lazy-imports `ws` package — throws an actionable\n * error when wsRoutes declared but `ws` not installed.\n */\n\nimport type { Server as HttpServer } from 'node:http'\n\nimport type * as WsLib from 'ws'\n\nimport type { WebSocketHandler } from '../../../server/define/define-websocket.js'\nimport type { LoadModule } from '../../../server/scan/module-loader.js'\nimport type { WebSocketRouteNode } from '../../../server/scan/ws-scan.js'\n\nexport async function attachWebSocketHandler(\n server: HttpServer,\n wsRoutes: WebSocketRouteNode[],\n loadModule: LoadModule,\n): Promise<void> {\n if (wsRoutes.length === 0) return\n\n let WebSocketServerCtor: typeof WsLib.WebSocketServer\n try {\n const wsModule = await import('ws')\n WebSocketServerCtor = wsModule.WebSocketServer\n } catch {\n throw new Error('WebSocket routes found but \"ws\" package is not installed. Run: npm install ws')\n }\n\n const wss = new WebSocketServerCtor({ noServer: true })\n\n server.on('upgrade', (request, socket, head) => {\n void (async () => {\n const url = request.url ?? '/'\n if (!url.startsWith('/ws/')) {\n socket.destroy()\n return\n }\n\n const wsPath = url.split('?')[0]\n const match = wsRoutes.find((r) => r.wsPath === wsPath)\n if (!match) {\n socket.destroy()\n return\n }\n\n try {\n const mod = await loadModule(match.filePath)\n const handler = ((mod as { default?: unknown }).default ?? mod) as WebSocketHandler\n\n wss.handleUpgrade(request, socket, head, (ws) => {\n handler.onOpen?.(ws, request)\n ws.on('message', (data: Buffer) => {\n handler.onMessage?.(ws, data.toString())\n })\n ws.on('close', (code: number, reason: Buffer) => {\n handler.onClose?.(ws, code, reason)\n })\n ws.on('error', (err: Error) => {\n handler.onError?.(ws, err)\n })\n })\n } catch {\n socket.destroy()\n }\n })()\n })\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,SAAS,cAAAA,aAAY,gBAAAC,qBAAoB;AACzC,SAAS,oBAAoB;AAC7B,SAAS,QAAAC,OAAM,WAAAC,gBAAe;;;ACF9B,SAAS,kBAAkB;AAC3B,SAAS,eAAe;AAgBxB,eAAsB,iCACpB,gBACe;AACf,MAAI,mBAAmB,OAAW;AAClC,MAAI;AACF,UAAM,MAAO,MAAM,OAAO,oBAAc,EAAE,MAAM,MAAM,IAAI;AAC1D,UAAM,eAAe,KAAK,OAAO,UAAU;AAC3C,QAAI,iBAAiB,OAAW;AAChC,UAAM,EAAE,2BAA2B,IACjC,MAAM,OAAO,wCAAmD;AAClE;AAAA,MACE;AAAA,QACE,WAAW,CAAC,SAAS;AACnB,uBAAa,IAAI;AAAA,QACnB;AAAA,MACF;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,aAAS,iCAAiC;AAAA,MACxC,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AACF;AAOA,eAAsB,kCAAkC,eAAuC;AAC7F,MAAI,kBAAkB,UAAa,kBAAkB,KAAM;AAC3D,MAAI;AACF,UAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,+BAA4C;AACvF,UAAM,EAAE,cAAc,IAAI,MAAM,OAAO,sBAA2B;AAGlE,UAAM,SAAS,cAAc,MAAM,aAAa;AAChD,sBAAkB,EAAE,UAAU,MAAM;AAAA,EACtC,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,aAAS,0BAA0B;AAAA,MACjC,OAAO;AAAA,MACP,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AACF;AAEA,IAAM,iBAAiB,CAAC,QAAQ,KAAK;AAU9B,SAAS,gBAAgB,SAAgC;AAC9D,aAAW,OAAO,gBAAgB;AAChC,UAAM,OAAO,QAAQ,SAAS,sBAAsB,GAAG,EAAE;AAEzD,QAAI,WAAW,IAAI,EAAG,QAAO;AAAA,EAC/B;AACA,SAAO;AACT;;;ACjFO,SAAS,wBAAwB,QAA0B;AAChE,MAAI,eAAe;AACnB,QAAM,WAAW,CAAC,WAAiC;AACjD,QAAI,aAAc;AAClB,mBAAe;AACf,YAAQ,IAAI;AAAA,cAAiB,MAAM,kCAA6B;AAChE,UAAM,YAAY;AAGhB,UAAI;AACF,cAAM,MAAO,MAAM,OAAO,oBAAc,EAAE,MAAM,MAAM,IAAI;AAG1D,YAAI,KAAK,OAAO,UAAU,aAAa,QAAW;AAChD,gBAAM,IAAI,MAAM,SAAS,SAAS;AAAA,QACpC;AAAA,MACF,SAAS,KAAK;AACZ,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,iBAAS,wBAAwB;AAAA,UAC/B,OAAO;AAAA,UACP,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AAIA,UAAI;AACF,cAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,+BAA4C;AACvF,cAAM,UAAU,kBAAkB;AAClC,cAAM,QAAQ,QAAQ;AAAA,MACxB,SAAS,KAAK;AACZ,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,iBAAS,0BAA0B;AAAA,UACjC,OAAO;AAAA,UACP,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,cAAQ,IAAI,+BAA+B;AAC3C,aAAO,MAAM,MAAM;AACjB,gBAAQ,KAAK,CAAC;AAAA,MAChB,CAAC;AACD,iBAAW,MAAM;AACf,iBAAS,wBAAwB;AAAA,UAC/B,OAAO;AAAA,UACP,SAAS;AAAA,QACX,CAAC;AACD,gBAAQ,KAAK,CAAC;AAAA,MAChB,GAAG,IAAM,EAAE,MAAM;AAAA,IACnB,GAAG;AAAA,EACL;AACA,UAAQ,GAAG,WAAW,MAAM;AAC1B,aAAS,SAAS;AAAA,EACpB,CAAC;AACD,UAAQ,GAAG,UAAU,MAAM;AACzB,aAAS,QAAQ;AAAA,EACnB,CAAC;AACH;;;ACjEA,SAAS,cAAAC,mBAAkB;AAC3B,SAAS,YAAY;AAiBd,SAAS,qBAAqB,SAAiB,WAAiC;AACrF,QAAM,eAAe,KAAK,SAAS,eAAe;AAElD,MAAIC,YAAW,YAAY,GAAG;AAC5B,UAAM,WAAW,aAAa,SAAS,SAAS;AAChD,WAAO;AAAA,MACL,QAAQ,SAAS;AAAA,MACjB,SAAS,SAAS;AAAA,MAClB,UAAU,SAAS;AAAA,IACrB;AAAA,EACF;AACA,WAAS,gCAAgC;AAAA,IACvC,OAAO;AAAA,IACP,SACE;AAAA,IACF;AAAA,EACF,CAAC;AACD,SAAO;AAAA,IACL,QAAQ,iBAAiB,SAAS;AAAA,IAClC,SAAS,kBAAkB,SAAS;AAAA,IACpC,UAAU,oBAAoB,SAAS;AAAA,EACzC;AACF;;;ACrCA,SAAS,kBAAkB;;;ACT3B,SAAS,WAAAC,gBAAe;;;ACKxB,SAAS,cAAAC,aAAY,cAAc,gBAAgB;AAEnD,SAAS,WAAAC,UAAS,eAAe;AAEjC,IAAM,aAAqC;AAAA,EACzC,SAAS;AAAA,EACT,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,QAAQ;AACV;AAEO,SAAS,gBACd,KACA,KACA,WACS;AACT,QAAM,WAAW,IAAI,OAAO,KAAK,MAAM,GAAG,EAAE,CAAC;AAG7C,QAAM,WAAWA,SAAQ,WAAW,MAAM,OAAO;AACjD,MAAI,CAAC,SAAS,WAAW,SAAS,GAAG;AACnC,QAAI,UAAU,GAAG;AACjB,QAAI,IAAI,WAAW;AACnB,WAAO;AAAA,EACT;AAEA,MAAI,CAACD,YAAW,QAAQ,EAAG,QAAO;AAElC,QAAM,OAAO,SAAS,QAAQ;AAC9B,MAAI,CAAC,KAAK,OAAO,EAAG,QAAO;AAE3B,QAAM,MAAM,QAAQ,QAAQ;AAC5B,QAAM,cAAc,WAAW,GAAG,KAAK;AACvC,QAAM,UAAU,aAAa,QAAQ;AAErC,MAAI,UAAU,KAAK;AAAA,IACjB,gBAAgB;AAAA,IAChB,kBAAkB,QAAQ;AAAA,EAC5B,CAAC;AACD,MAAI,IAAI,OAAO;AACf,SAAO;AACT;;;ADTA,SAAS,eAAe,GAAsB,QAAyB;AACrE,MAAI,CAAC,EAAE,YAAa,QAAO;AAC3B,QAAM,QAAQ,EAAE,YAAY,EAAE,GAAG;AACjC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,OAAO,EAAG,GAAE,IAAI,UAAU,GAAG,CAAC;AACxE,MAAI,MAAM,SAAS;AACjB,cAAU,EAAE,KAAK,gBAAgB,qBAAqB,KAAK,QAAW,EAAE,SAAS;AACjF,eAAW;AAAA,MACT;AAAA,MACA,KAAK,EAAE;AAAA,MACP,QAAQ;AAAA,MACR,UAAU,KAAK,IAAI,IAAI,EAAE;AAAA,MACzB,WAAW,EAAE;AAAA,IACf,CAAC;AACD,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAGA,eAAsB,eAAe,GAAwC;AAC3E,MAAI,CAAC,EAAE,IAAI,WAAW,iBAAiB,EAAG,QAAO;AACjD,IAAE,IAAI,UAAU,gBAAgB,EAAE,SAAS;AAE3C,MAAI,eAAe,GAAG,EAAE,IAAI,UAAU,MAAM,EAAG,QAAO;AAEtD,QAAM,kBAAkB,EAAE,IAAI,MAAM,kBAAkB,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC;AAC1E,QAAM,WAAW,gBAAgB,MAAM,GAAG,EAAE,OAAO,OAAO;AAC1D,MAAI,SAAS,SAAS,GAAG;AACvB;AAAA,MACE,EAAE;AAAA,MACF;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,EAAE;AAAA,IACJ;AACA,eAAW;AAAA,MACT,QAAQ,EAAE,IAAI,UAAU;AAAA,MACxB,KAAK,EAAE;AAAA,MACP,QAAQ;AAAA,MACR,UAAU,KAAK,IAAI,IAAI,EAAE;AAAA,MACzB,WAAW,EAAE;AAAA,IACf,CAAC;AACD,WAAO;AAAA,EACT;AACA,QAAM,aAAa,SAAS,SAAS,SAAS,CAAC;AAC/C,QAAM,aAAa,SAAS,MAAM,GAAG,EAAE,EAAE,KAAK,GAAG;AACjD,QAAM,SAAS,EAAE,cAAc,KAAK,CAAC,MAAM,EAAE,eAAe,UAAU;AACtE,MAAI,CAAC,QAAQ;AACX,UAAM,cAAc,EAAE,cAAc,IAAI,CAAC,MAAM,EAAE,UAAU;AAC3D,UAAM,aAAa,eAAe,YAAY,WAAW;AACzD,UAAM,MAAM,aACR,WAAW,UAAU,8BAA8B,UAAU,MAC7D,WAAW,UAAU;AACzB,cAAU,EAAE,KAAK,aAAa,KAAK,KAAK,QAAW,EAAE,SAAS;AAC9D,eAAW;AAAA,MACT,QAAQ,EAAE,IAAI,UAAU;AAAA,MACxB,KAAK,EAAE;AAAA,MACP,QAAQ;AAAA,MACR,UAAU,KAAK,IAAI,IAAI,EAAE;AAAA,MACzB,WAAW,EAAE;AAAA,IACf,CAAC;AACD,WAAO;AAAA,EACT;AACA,QAAM;AAAA,IACJ,OAAO;AAAA,IACP;AAAA,IACA,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,IACF,EAAE;AAAA,EACJ;AACA,aAAW;AAAA,IACT,QAAQ,EAAE,IAAI,UAAU;AAAA,IACxB,KAAK,EAAE;AAAA,IACP,QAAQ,EAAE,IAAI;AAAA,IACd,UAAU,KAAK,IAAI,IAAI,EAAE;AAAA,IACzB,WAAW,EAAE;AAAA,EACf,CAAC;AACD,SAAO;AACT;AAGA,eAAsB,iBAAiB,GAAwC;AAC7E,MAAI,CAAC,EAAE,IAAI,WAAW,OAAO,EAAG,QAAO;AACvC,IAAE,IAAI,UAAU,gBAAgB,EAAE,SAAS;AAE3C,MAAI,eAAe,GAAG,EAAE,IAAI,UAAU,KAAK,EAAG,QAAO;AAErD,QAAM,QAAQ,WAAW,EAAE,KAAK,EAAE,YAAY;AAC9C,MAAI,CAAC,OAAO;AACV,UAAM,UAAU,EAAE,IAAI,MAAM,GAAG,EAAE,CAAC;AAClC,UAAM,aAAa,EAAE,aAAa,IAAI,CAAC,MAAM,EAAE,SAAS;AACxD,UAAM,aAAa,eAAe,SAAS,UAAU;AACrD,UAAM,MAAM,aACR,wBAAwB,OAAO,mBAAmB,UAAU,MAC5D;AACJ,cAAU,EAAE,KAAK,aAAa,KAAK,KAAK,QAAW,EAAE,SAAS;AAC9D,eAAW;AAAA,MACT,QAAQ,EAAE,IAAI,UAAU;AAAA,MACxB,KAAK,EAAE;AAAA,MACP,QAAQ;AAAA,MACR,UAAU,KAAK,IAAI,IAAI,EAAE;AAAA,MACzB,WAAW,EAAE;AAAA,IACf,CAAC;AACD,WAAO;AAAA,EACT;AACA,QAAM,UAAU,EAAE,IAAI,UAAU,OAAO,YAAY;AAEnD,QAAM,aAAa;AAAA,IACjB,OAAO,MAAM;AAAA,IACb;AAAA,IACA,QAAQ,MAAM;AAAA,IACd,KAAK,EAAE;AAAA,IACP,KAAK,EAAE;AAAA,IACP,YAAY,EAAE;AAAA,IACd,WAAW,EAAE;AAAA,IACb,WAAW,EAAE;AAAA,IACb,cAAc,EAAE;AAAA,IAChB,aAAa,EAAE;AAAA,IACf,UAAU,EAAE;AAAA,IACZ,YAAY,EAAE;AAAA,EAChB,CAAC;AACD,aAAW;AAAA,IACT;AAAA,IACA,KAAK,EAAE;AAAA,IACP,QAAQ,EAAE,IAAI;AAAA,IACd,UAAU,KAAK,IAAI,IAAI,EAAE;AAAA,IACzB,WAAW,EAAE;AAAA,EACf,CAAC;AACD,SAAO;AACT;AAGO,SAAS,eAAe,GAA+B;AAC5D,SAAO,gBAAgB,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS;AAClD;AAGO,SAAS,kBAAkB,GAA+B;AAC/D,QAAM,UAAU,EAAE,IAAI,MAAM,GAAG,EAAE,CAAC;AAClC,MAAI,EAAE,iBAAiBE,SAAQ,OAAO,GAAG;AACvC,MAAE,IAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AACpD,MAAE,IAAI,IAAI,EAAE,aAAa;AACzB,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;AE/JO,SAAS,kBAAkB,OAA0C;AAC1E,MAAI,OAAO,UAAU,YAAY,UAAU,KAAM,QAAO;AACxD,MAAI,EAAE,UAAU,OAAQ,QAAO;AAC/B,QAAM,OAAQ,MAAkC;AAChD,MAAI,OAAO,SAAS,SAAU,QAAO;AACrC,SAAO;AACT;AAOA,eAAsB,SAAS,MAKH;AAC1B,QAAM,gBAA+B,KAAK,mBAAmB,gBAAgB,KAAK,OAAO,IAAI;AAC7F,QAAM,UAAU,kBAAkB;AAClC,QAAM,mBAAmB,WAAW,QAAQ,KAAK,kBAAkB;AAEnE,MAAI,kBAAkB,MAAM;AAC1B,WAAO;AAAA,MACL,SAAS;AAAA,MACT,kBAAkB;AAAA,MAClB,QAAQ;AAAA,MACR,iBAAiB;AAAA,MACjB,UAAU;AAAA,MACV,UAAU;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,MAAO,MAAM,OAAO;AAC1B,QAAM,SAAS,IAAI;AACnB,QAAM,kBAAkB,OAAO,IAAI,oBAAoB,aAAa,IAAI,kBAAkB;AAG1F,MAAI,WAAW;AACf,MAAI,WAAW;AACf,QAAM,eAAe,6BAA6B,KAAK,KAAK,SAAS;AACrE,MAAI,cAAc;AAChB,UAAM,WAAW,KAAK,UAAU,QAAQ,aAAa,CAAC,CAAC,IAAI,aAAa,CAAC,EAAE;AAC3E,eAAW,KAAK,UAAU,MAAM,GAAG,QAAQ;AAC3C,eAAW,KAAK,UAAU,MAAM,QAAQ;AAAA,EAC1C;AAEA,SAAO,EAAE,SAAS,kBAAkB,QAAQ,iBAAiB,UAAU,SAAS;AAClF;;;AH3CA,SAAS,kBAAkB,OAAyC;AAClE,SAAO;AACT;AAEA,SAAS,iBAAiB,QAAmD;AAC3E,SAAO,WAAW,QAAQ,OAAO,WAAW,YAAY,cAAc;AACxE;AAEA,SAAS,aAAa,KAAqB,QAAsC;AAC/E,MAAI,UAAU,KAAK,EAAE,UAAU,OAAO,SAAS,QAAQ,IAAI,UAAU,KAAK,IAAI,CAAC;AAC/E,MAAI,IAAI;AACV;AAEA,SAAS,QAAQ,KAAqB,eAAoC;AACxE,MAAI,CAAC,IAAI,aAAa;AACpB,QAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAAA,EACpD;AACA,MAAI,CAAC,IAAI,eAAe;AACtB,QAAI,IAAI,iBAAiB,kCAA6B;AAAA,EACxD;AACF;AAEA,SAAS,aACP,KACA,QACA,OACQ;AACR,MAAI,OAAO,WAAW,UAAU;AAC9B,WAAO,IAAI,WAAW,SAAS,IAAI;AAAA,EACrC;AACA,MAAI,kBAAkB,MAAM,GAAG;AAC7B,UAAM,WAAW,kBAAkB,MAAM;AACzC,UAAM,WAAW,KAAK,UAAU,SAAS,aAAa,EAAE,QAAQ,MAAM,SAAS;AAC/E,UAAM,kBAAkB,UACtB,QAAQ,WAAW,KAAK,MAAM,EAChC,uCAAuC,QAAQ;AAC/C,WAAO,IAAI,WAAW,SAAS,OAAO,kBAAkB,IAAI;AAAA,EAC9D;AACA,SAAO,IAAI,WAAW,IAAI;AAC5B;AAEA,eAAe,mBACb,KACA,KACA,KACA,KACA,OACkB;AAClB,MAAI,CAAC,IAAI,uBAAuB,CAAC,IAAI,mBAAoB,QAAO;AAEhE,QAAM,aAAa,IAAI,gBAAgB;AACvC,QAAM,UAAU,MAAY;AAC1B,eAAW,MAAM;AAAA,EACnB;AACA,MAAI,GAAG,SAAS,OAAO;AACvB,MAAI;AACF,UAAM,SAAS,MAAM,IAAI,mBAAmB,KAAK,KAAK;AAAA,MACpD,QAAQ,WAAW;AAAA,MACnB;AAAA,IACF,CAAC;AACD,QAAI,iBAAiB,MAAM,EAAG,cAAa,KAAK,MAAM;AACtD,WAAO;AAAA,EACT,SAAS,WAAW;AAClB,YAAQ,MAAM,sBAAuB,UAAoB,OAAO;AAChE,YAAQ,KAAK,IAAI,aAAa;AAC9B,WAAO;AAAA,EACT,UAAE;AACA,QAAI,eAAe,SAAS,OAAO;AAAA,EACrC;AACF;AAEA,eAAe,cACb,KACA,KACA,KACA,OACkB;AAClB,MAAI,CAAC,IAAI,UAAW,QAAO;AAE3B,MAAI;AACF,UAAM,SAAS,MAAM,IAAI,UAAU,KAAK,EAAE,MAAM,CAAC;AACjD,QAAI,iBAAiB,MAAM,GAAG;AAC5B,mBAAa,KAAK,MAAM;AACxB,aAAO;AAAA,IACT;AACA,QAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,QAAI,IAAI,aAAa,KAAK,QAAQ,KAAK,CAAC;AACxC,WAAO;AAAA,EACT,SAAS,QAAQ;AACf,YAAQ,MAAM,oCAAqC,OAAiB,OAAO;AAC3E,WAAO;AAAA,EACT;AACF;AAEA,SAAS,iBAAiB,KAA4B,KAAqB,KAAoB;AAC7F,MAAI,IAAI,iBAAiB,CAAC,IAAI,aAAa;AACzC,QAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,QAAI,IAAI,IAAI,aAAa;AAAA,EAC3B,WAAW,CAAC,IAAI,aAAa;AAC3B,cAAU,KAAK,kBAAmB,IAAc,SAAS,GAAG;AAAA,EAC9D,OAAO;AACL,QAAI,IAAI;AAAA,EACV;AACF;AAEO,SAAS,qBACd,KACqD;AACrD,SAAO,CAAC,KAAsB,QAAwB;AACpD,UAAM,YAAY;AAChB,YAAM,MAAM,IAAI,OAAO;AACvB,YAAM,YAAY,WAAW;AAC7B,YAAM,QAAQ,KAAK,IAAI;AAEvB,YAAM,QAAQ,cAAc;AAC5B,YAAM,kBAAkB;AAAA,QACtB,IAAI;AAAA,QACJ,EAAE,YAAY,KAAK;AAAA,QACnB,EAAE,MAAM;AAAA,MACV;AACA,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,eAAe,GAAG;AACpD,YAAI,UAAU,GAAG,CAAC;AAAA,MACpB;AAEA,YAAM,aAAa,IAAI,SAAS,KAAK,KAAK,WAAW,KAAK;AAE1D,UAAI;AACF,YAAI,MAAM,eAAe,UAAU,EAAG;AACtC,YAAI,MAAM,iBAAiB,UAAU,EAAG;AACxC,YAAI,eAAe,UAAU,EAAG;AAChC,YAAI,kBAAkB,UAAU,EAAG;AAEnC,YAAI,MAAM,mBAAmB,KAAK,KAAK,KAAK,KAAK,KAAK,EAAG;AACzD,YAAI,MAAM,cAAc,KAAK,KAAK,KAAK,KAAK,EAAG;AAG/C,YAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,YAAI,IAAI,IAAI,SAAS;AAAA,MACvB,SAAS,KAAK;AACZ,yBAAiB,KAAK,KAAK,GAAG;AAAA,MAChC;AAAA,IACF,GAAG;AAAA,EACL;AACF;;;AI/KA,eAAsB,uBACpB,QACA,UACA,YACe;AACf,MAAI,SAAS,WAAW,EAAG;AAE3B,MAAI;AACJ,MAAI;AACF,UAAM,WAAW,MAAM,OAAO,IAAI;AAClC,0BAAsB,SAAS;AAAA,EACjC,QAAQ;AACN,UAAM,IAAI,MAAM,+EAA+E;AAAA,EACjG;AAEA,QAAM,MAAM,IAAI,oBAAoB,EAAE,UAAU,KAAK,CAAC;AAEtD,SAAO,GAAG,WAAW,CAAC,SAAS,QAAQ,SAAS;AAC9C,UAAM,YAAY;AAChB,YAAM,MAAM,QAAQ,OAAO;AAC3B,UAAI,CAAC,IAAI,WAAW,MAAM,GAAG;AAC3B,eAAO,QAAQ;AACf;AAAA,MACF;AAEA,YAAM,SAAS,IAAI,MAAM,GAAG,EAAE,CAAC;AAC/B,YAAM,QAAQ,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,MAAM;AACtD,UAAI,CAAC,OAAO;AACV,eAAO,QAAQ;AACf;AAAA,MACF;AAEA,UAAI;AACF,cAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC3C,cAAM,UAAY,IAA8B,WAAW;AAE3D,YAAI,cAAc,SAAS,QAAQ,MAAM,CAAC,OAAO;AAC/C,kBAAQ,SAAS,IAAI,OAAO;AAC5B,aAAG,GAAG,WAAW,CAAC,SAAiB;AACjC,oBAAQ,YAAY,IAAI,KAAK,SAAS,CAAC;AAAA,UACzC,CAAC;AACD,aAAG,GAAG,SAAS,CAAC,MAAc,WAAmB;AAC/C,oBAAQ,UAAU,IAAI,MAAM,MAAM;AAAA,UACpC,CAAC;AACD,aAAG,GAAG,SAAS,CAAC,QAAe;AAC7B,oBAAQ,UAAU,IAAI,GAAG;AAAA,UAC3B,CAAC;AAAA,QACH,CAAC;AAAA,MACH,QAAQ;AACN,eAAO,QAAQ;AAAA,MACjB;AAAA,IACF,GAAG;AAAA,EACL,CAAC;AACH;;;AR1BA,eAAsB,aAAa,SAAsC;AACvE,QAAM,MAAM,QAAQ,IAAI;AAExB,2BAAyB,GAAG;AAC5B,UAAQ,EAAE,KAAK,MAAM,aAAa,CAAC;AACnC,QAAM,SAAS,MAAM,WAAW,GAAG;AAEnC,QAAM,iCAAiC,OAAO,QAAQ,QAAQ;AAC9D,QAAM,kCAAkC,OAAO,OAAO;AAEtD,QAAM,UAAUC,SAAQ,KAAK,UAAU;AACvC,QAAM,YAAYA,SAAQ,SAAS,QAAQ;AAC3C,QAAM,YAAYA,SAAQ,KAAK,QAAQ;AAEvC,MAAI,CAACC,YAAW,SAAS,GAAG;AAC1B,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AAEA,QAAM,YAAYC,cAAaC,MAAK,WAAW,YAAY,GAAG,OAAO;AACrE,QAAM,aAAa,uBAAuB;AAC1C,QAAM,OAAO,QAAQ,QAAQ,OAAO;AACpC,QAAM,eAAe,MAAM,6BAA6B,OAAO,OAAO;AACtE,QAAM,cAAc,mBAAmB,OAAO,aAAa;AAE3D,QAAM,gBAAgBA,MAAK,WAAW,UAAU;AAChD,QAAM,gBAAgBA,MAAK,WAAW,UAAU;AAChD,QAAM,gBAAgBF,YAAW,aAAa,IAAIC,cAAa,eAAe,OAAO,IAAI;AACzF,QAAM,gBAAgBD,YAAW,aAAa,IAAIC,cAAa,eAAe,OAAO,IAAI;AAEzF,QAAM;AAAA,IACJ,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,UAAU;AAAA,EACZ,IAAI,qBAAqB,SAAS,SAAS;AAI3C,QAAM,gBACJ,OAAO,aAAa,cAAc,OAAO,aAAa,SAAS,OAAO,YAClE,OAAO,YACP;AACN,QAAM,cAAc,gBAAgB,kBAAkB,aAAa,IAAI;AAEvE,QAAM,MAAM,MAAM,SAAS;AAAA,IACzB;AAAA,IACA;AAAA,IACA,kBAAkB,OAAO;AAAA,IACzB,oBAAoB,OAAO;AAAA,EAC7B,CAAC;AAED,QAAM,SAAS;AAAA,IACb,qBAAqB;AAAA,MACnB,UAAU,CAAC,KAAK,KAAK,WAAW,eAAkC;AAAA,QAChE;AAAA,QACA;AAAA,QACA,KAAK,IAAI,OAAO;AAAA,QAChB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,UAAU,OAAO,UAAU,QAAQ;AAAA,QACnC,YAAY,OAAO,UAAU;AAAA,QAC7B;AAAA,MACF;AAAA,MACA,uBAAuB,OAAO,UAAU,WAAW,CAAC;AAAA,MACpD,WAAW,IAAI;AAAA,MACf,oBAAoB,IAAI;AAAA,MACxB,qBAAqB,IAAI;AAAA,MACzB,UAAU,IAAI;AAAA,MACd,UAAU,IAAI;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,QAAM,uBAAuB,QAAQ,gBAAgB,UAAU;AAE/D,SAAO,OAAO,MAAM,MAAM;AACxB,YAAQ,IAAI;AAAA,yBAA4B;AACxC,YAAQ,IAAI,6BAAwB,OAAO,IAAI,CAAC;AAAA,CAAI;AAAA,EACtD,CAAC;AAED,0BAAwB,MAAM;AAChC;","names":["existsSync","readFileSync","join","resolve","existsSync","existsSync","extname","existsSync","resolve","extname","resolve","existsSync","readFileSync","join"]}
|
|
@@ -2,14 +2,14 @@
|
|
|
2
2
|
import "tsx/esm";
|
|
3
3
|
import {
|
|
4
4
|
nodeAdapter
|
|
5
|
-
} from "./chunk-
|
|
5
|
+
} from "./chunk-EQV67HZL.js";
|
|
6
6
|
import {
|
|
7
7
|
assertServicesUnsupported,
|
|
8
8
|
readManifest
|
|
9
|
-
} from "./chunk-
|
|
9
|
+
} from "./chunk-CCVC6P6B.js";
|
|
10
10
|
import {
|
|
11
11
|
scanRoutes
|
|
12
|
-
} from "./chunk-
|
|
12
|
+
} from "./chunk-IEES3CHD.js";
|
|
13
13
|
import "./chunk-KT3MWNZG.js";
|
|
14
14
|
|
|
15
15
|
// src/adapters/static.ts
|
|
@@ -226,4 +226,4 @@ export {
|
|
|
226
226
|
detectApiRoutes,
|
|
227
227
|
staticAdapter
|
|
228
228
|
};
|
|
229
|
-
//# sourceMappingURL=static-
|
|
229
|
+
//# sourceMappingURL=static-YWF2M6YT.js.map
|