toiljs 0.0.39 → 0.0.41

package/build/devserver/host.js

@@ -1,4 +1,5 @@
 import { buildCryptoImports, freshCryptoState } from './crypto.js';
+import { ratelimitCheck } from './ratelimit.js';
 const MAX_TOTAL_HEADERS_BYTES = 64 * 1024;
 const MAX_HEADER_NAME_LEN = 256;
 const MAX_HEADER_VALUE_LEN = 8192;
@@ -12,7 +13,14 @@ export class WasmAbortError extends Error {
     }
 }
 export function freshDispatchState() {
-    return { status: null, headers: [], headerBytes: 0, sendfile: null, crypto: freshCryptoState() };
+    return {
+        status: null,
+        headers: [],
+        headerBytes: 0,
+        sendfile: null,
+        clientIp: '',
+        crypto: freshCryptoState(),
+    };
 }
 function mem(ref) {
     if (!ref.memory)
@@ -66,6 +74,37 @@ export function buildHostImports(ref, state) {
                     throw new Error(`respond_file path too long: ${String(pathLen)} bytes`);
                 state.sendfile = readBytes(ref, pathPtr, pathLen).toString('utf8');
             },
+            client_ip: (outPtr, cap) => {
+                const ip = state.clientIp;
+                if (ip.length === 0)
+                    return 0;
+                const bytes = Buffer.from(ip, 'utf8');
+                if (bytes.length > cap)
+                    return -1;
+                const m = mem(ref);
+                if (outPtr < 0 || outPtr + bytes.length > m.length)
+                    throw new Error('client_ip write out of bounds');
+                bytes.copy(m, outPtr);
+                return bytes.length;
+            },
+            ratelimit_check: (routeId, strategy, limit, window, keyPtr, keyLen) => {
+                const identity = keyLen > 0
+                    ? readBytes(ref, keyPtr, keyLen).toString('utf8')
+                    : state.clientIp || '0';
+                const d = ratelimitCheck(routeId, strategy, limit, window, identity, Date.now());
+                return d.allowed ? 1 : -Math.max(1, d.retryAfterSecs);
+            },
+            email_send: (reqPtr, reqLen) => {
+                const raw = readBytes(ref, reqPtr, reqLen);
+                let to = '<unparsed>';
+                if (raw.length >= 14) {
+                    const toLen = raw.readUInt16LE(0);
+                    if (14 + toLen <= raw.length)
+                        to = raw.toString('utf8', 14, 14 + toLen);
+                }
+                process.stdout.write(`  ✉ dev email_send -> ${to} (not actually sent)\n`);
+                return 0;
+            },
             thread_spawn: (_startArg) => -1,
             'Date.now': () => Date.now(),
             ...buildCryptoImports(ref, state.crypto),

package/build/devserver/index.js

@@ -43,11 +43,14 @@ function resolveSendfile(root, file) {
 async function toEnvelopeRequest(request) {
     const hasBody = request.method !== 'GET' && request.method !== 'HEAD';
     const body = hasBody ? new Uint8Array(await request.buffer()) : new Uint8Array(0);
+    const xff = request.headers['x-forwarded-for'];
+    const clientIp = typeof xff === 'string' && xff.length > 0 ? xff.split(',')[0].trim() : '127.0.0.1';
     return {
         method: request.method,
         path: request.url,
         headers: Object.entries(request.headers),
         body,
+        clientIp,
     };
 }
 function sendWasmResponse(response, root, result) {

package/build/devserver/module.js

@@ -6,6 +6,7 @@ export const UNHANDLED_HEADER = 'x-toil-unhandled';
 const WASM_PAGE = 65536;
 const PROVIDED_IMPORTS = new Set([
     'abort', 'set_status', 'set_header', 'respond_file', 'thread_spawn', 'Date.now',
+    'client_ip', 'ratelimit_check', 'email_send',
     'crypto.fill_random', 'crypto.random_uuid', 'crypto.take_result', 'crypto.digest',
     'crypto.import_key', 'crypto.export_key', 'crypto.encrypt', 'crypto.decrypt',
     'crypto.sign', 'crypto.verify', 'crypto.derive_bits',
@@ -47,6 +48,7 @@ export class WasmServerModule {
         const envelope = encodeRequestEnvelope(req);
         const ref = { memory: null };
         const state = freshDispatchState();
+        state.clientIp = req.clientIp ?? '';
         const instance = new WebAssembly.Instance(this.module, buildHostImports(ref, state));
         const exports = instance.exports;
         ref.memory = exports.memory;
@@ -76,6 +78,7 @@ export class WasmServerModule {
         const envelope = encodeRequestEnvelope(req);
         const ref = { memory: null };
         const state = freshDispatchState();
+        state.clientIp = req.clientIp ?? '';
         const instance = new WebAssembly.Instance(this.module, buildHostImports(ref, state));
         const exports = instance.exports;
         if (typeof exports.render !== 'function')

package/build/devserver/ratelimit.d.ts

@@ -0,0 +1,8 @@
+export declare const STRATEGY_FIXED = 0;
+export declare const STRATEGY_SLIDING = 1;
+export declare const STRATEGY_TOKEN_BUCKET = 2;
+export interface DevDecision {
+    allowed: boolean;
+    retryAfterSecs: number;
+}
+export declare function ratelimitCheck(routeId: number, strategy: number, limit: number, window: number, identity: string, now: number): DevDecision;

package/build/devserver/ratelimit.js

@@ -0,0 +1,64 @@
+export const STRATEGY_FIXED = 0;
+export const STRATEGY_SLIDING = 1;
+export const STRATEGY_TOKEN_BUCKET = 2;
+const registry = new Map();
+export function ratelimitCheck(routeId, strategy, limit, window, identity, now) {
+    let rl = registry.get(routeId);
+    if (rl === undefined) {
+        rl = { strategy, a: Math.max(1, limit), b: Math.max(1, window), keys: new Map() };
+        registry.set(routeId, rl);
+    }
+    if (rl.strategy === STRATEGY_TOKEN_BUCKET)
+        return checkBucket(rl, identity, now);
+    return checkWindow(rl, identity, now, rl.strategy === STRATEGY_SLIDING);
+}
+function checkBucket(rl, key, now) {
+    const capMilli = rl.a * 1000;
+    const refillPerSec = rl.b;
+    let st = rl.keys.get(key);
+    if (st === undefined) {
+        st = { tokensMilli: capMilli, window: 0, cur: 0, prev: 0, lastMs: now };
+        rl.keys.set(key, st);
+    }
+    const elapsed = Math.max(0, now - st.lastMs);
+    st.tokensMilli = Math.min(capMilli, st.tokensMilli + elapsed * refillPerSec);
+    st.lastMs = now;
+    if (st.tokensMilli >= 1000) {
+        st.tokensMilli -= 1000;
+        return { allowed: true, retryAfterSecs: 0 };
+    }
+    const needed = 1000 - st.tokensMilli;
+    const waitMs = Math.ceil(needed / refillPerSec);
+    return { allowed: false, retryAfterSecs: Math.max(1, Math.ceil(waitMs / 1000)) };
+}
+function checkWindow(rl, key, now, sliding) {
+    const limit = rl.a;
+    const windowMs = rl.b * 1000;
+    const curWindow = Math.floor(now / windowMs);
+    let st = rl.keys.get(key);
+    if (st === undefined) {
+        st = { tokensMilli: 0, window: curWindow, cur: 0, prev: 0, lastMs: now };
+        rl.keys.set(key, st);
+    }
+    if (curWindow === st.window + 1) {
+        st.prev = st.cur;
+        st.cur = 0;
+        st.window = curWindow;
+    }
+    else if (curWindow > st.window) {
+        st.prev = 0;
+        st.cur = 0;
+        st.window = curWindow;
+    }
+    st.lastMs = now;
+    const posInWindow = now % windowMs;
+    const effective = sliding
+        ? Math.floor((st.prev * (windowMs - posInWindow)) / windowMs) + st.cur
+        : st.cur;
+    if (effective < limit) {
+        st.cur += 1;
+        return { allowed: true, retryAfterSecs: 0 };
+    }
+    const waitMs = windowMs - posInWindow;
+    return { allowed: false, retryAfterSecs: Math.max(1, Math.ceil(waitMs / 1000)) };
+}

package/docs/README.md

@@ -27,9 +27,15 @@ and as a named export from `toiljs/server/runtime`.
   REST fetch client.
 - [Caching](./caching.md): the `@cache` decorator and `Response.cache(...)`
   (edge vs browser TTL, private scope, auth gating).
+- [Rate limiting](./ratelimit.md): the `@ratelimit` decorator (FixedWindow /
+  SlidingWindow / TokenBucket), keyed on the unspoofable client IP, with
+  `429` + `Retry-After`.
 - [Auth, sessions, and `@user`](./auth.md): `@auth` route guards, the `@user`
   type, `AuthService` (post-quantum login, signed sessions, `getUser()`), and
   the client half.
+- [Email](./email.md): `EmailService`, `EmailTemplate`, the `emails/` React
+  template pipeline, the stateless `TwoFactor` codes, provider config
+  (Resend / Gmail / SMTP), and limits.
 - [Cookies](./cookies.md): the `Cookie` builder, the `Cookies` parser/codec,
   `CookieMap`, `SecureCookies` (HMAC signing and AES-256-GCM encryption), the
   `base64url` helpers, and the `Request` / `Response` integration.

package/docs/email.md

@@ -0,0 +1,273 @@
+# Email
+
+toiljs can send transactional email from a route handler. A handler calls
+`EmailService.send(...)` (or a typed `EmailTemplate` / `Emails.*` from the
+`emails/` folder, or the stateless `TwoFactor` helper); the edge hands the
+message to a single off-core mailer thread that talks to the provider over the
+kernel network (never the worker cores), and **suspends** the wasm call until the
+provider responds — so a slow send never blocks the worker.
+
+Everything here is an ambient **global** (no import), like `crypto` and
+`AuthService`. A tenant that never sends email pulls none of it into its build.
+
+- **`EmailService`** — send one email.
+- **`EmailTemplate`** — a reusable template with `{{placeholder}}` substitution
+  (plain text and/or HTML).
+- **`emails/*.tsx`** — author emails as React components; the build renders them
+  to static HTML and generates a typed `Emails.<Name>.send(...)`.
+- **`TwoFactor`** — stateless email verification codes (2FA / confirm), no DB.
+
+> **The one rule of HTML email:** email clients run **no JavaScript** and strip
+> `<style>`/external CSS. So HTML email is a static, inline-styled string, and
+> any "rendering" (React, CSS files) happens at **build time**, not at send time.
+> See [React email templates](#react-email-templates).
+
+## Configure email
+
+Email is configured **per host on the edge** (it is a deployment capability, not
+app code), in that host's TOML config — `hosts/<host>.toml`:
+
+```toml
+[email]
+enabled = true
+from = "you@example.com"          # validated; single address, no CRLF
+provider = "resend"               # "resend" | "gmail" | "smtp"
+secret_ref = "resend_key"         # a FILENAME, never the secret itself
+max_per_min = 60                  # per-tenant send budget
+max_per_recipient_per_hour = 5    # anti-abuse cap per recipient
+```
+
+When `enabled` is `false` (the default) the host has no email capability and
+`EmailService.send` returns `Disabled`. If `enabled` is `true` but the config is
+invalid or the secret can't be resolved, the **deploy fails** rather than
+shipping a host that can never send.
+
+### Secrets
+
+`secret_ref` is a **bare filename** (no path separators) under the secrets
+directory `$TOIL_SECRETS_DIR` (default `/run/toil/secrets`). The file holds the
+provider API key (Resend) or SMTP password. It is read once at load, zeroized in
+memory, and never written to the config, logs, or `/_admin`.
+
+```
+/run/toil/secrets/resend_key      # contents: re_xxxxxxxxxxxx…
+```
+
+### Providers
+
+**Resend** (`provider = "resend"`) — a JSON API; `secret_ref` holds the API key.
+
+**Gmail** (`provider = "gmail"`) — SMTP with Gmail defaults: `smtp.gmail.com`,
+port `587` (STARTTLS), username = `from`. `secret_ref` holds a Gmail **App
+Password** (create one at <https://myaccount.google.com/apppasswords>; the
+account needs 2-Step Verification). No extra keys needed:
+
+```toml
+[email]
+enabled = true
+from = "you@gmail.com"
+provider = "gmail"
+secret_ref = "gmail_app_password"
+```
+
+**Generic SMTP** (`provider = "smtp"`) — any submission server (Outlook,
+SendGrid/Mailgun SMTP, your own). Requires `smtp_host`; port defaults to `587`
+(STARTTLS), or set `465` for implicit TLS. `smtp_user` defaults to `from`.
+
+```toml
+[email]
+enabled = true
+from = "noreply@example.com"
+provider = "smtp"
+secret_ref = "smtp_password"
+smtp_host = "smtp.example.com"
+smtp_port = 587
+smtp_user = "noreply@example.com"
+```
+
+### In dev
+
+`toiljs dev` has no real provider: `EmailService.send` logs `✉ dev email_send ->
+<recipient> (not actually sent)` and returns `Sent`, so your flow proceeds. The
+ABI is identical to the edge, so code that runs in dev runs on the edge.
+
+## Sending email
+
+```ts
+import { Response, RouteContext } from 'toiljs/server/runtime';
+
+@rest('notify')
+class Notify {
+    @post('/welcome')
+    welcome(ctx: RouteContext): Response {
+        const status = EmailService.send(
+            'alice@example.com',
+            'Welcome!',
+            'Thanks for signing up.',   // plain-text body
+            'welcome',                  // purpose tag (dedup / abuse keying)
+            '<h1>Thanks for signing up.</h1>', // optional HTML body
+        );
+        return status == EmailStatus.Sent
+            ? Response.text('sent\n')
+            : Response.text('could not send\n', 503);
+    }
+}
+```
+
+`send(to, subject, body, purpose = 'tx', html = '')` returns an **`EmailStatus`**:
+
+| Status | Meaning | Retry? |
+| --- | --- | --- |
+| `Sent` | Accepted by the provider | — |
+| `Deduped` | An identical recent `(recipient, purpose)` was collapsed | treat as sent |
+| `Budget` | The host's per-minute budget is exhausted | yes, later |
+| `TryLater` | The mailer was saturated / a queue was full | yes, back off |
+| `RecipientCapped` | The per-recipient hourly cap was hit | no (this window) |
+| `BadRecipient` | The address failed validation (CRLF, multiple addresses) | no |
+| `Disabled` | This host has no `[email]` capability | no |
+| `ProviderError` | The provider rejected it, or transport failed after retries | no |
+
+`purpose` is a short, non-PII tag (`"welcome"`, `"reset"`, …). The mailer folds
+it into the **dedup** key (identical `(host, recipient, purpose)` within ~30s is
+collapsed to one send) and the abuse counters. It is never logged in the clear.
+
+The recipient is validated host-side (exactly one address, no CR/LF/`<>`), so a
+guest can never smuggle a second envelope recipient or a header into the send.
+
+## Templates
+
+`EmailTemplate` is a reusable message with `{{placeholder}}` substitution, for
+when the same email is sent with different values:
+
+```ts
+const welcome = new EmailTemplate(
+    'Welcome, {{name}}!',                                  // subject
+    'Hi {{name}}, your code is {{code}}.',                 // plain-text body
+    '<h1>Welcome, {{name}}</h1><p>Code: <b>{{code}}</b></p>', // html (optional)
+);
+
+const vars = new Map<string, string>();
+vars.set('name', 'Alice');
+vars.set('code', '123456');
+const status = welcome.send('alice@example.com', vars, 'welcome');
+```
+
+- `{{ name }}` (with surrounding spaces) is accepted; an unknown placeholder
+  renders to the empty string.
+- Omit the `html` argument for a plain-text template.
+- `template.render(vars)` returns the rendered `{ subject, body, html }` without
+  sending (useful for preview/testing).
+
+For anything richer than `{{token}}` substitution — real layout, CSS, brand —
+author the email as a React component instead.
+
+## React email templates
+
+Write emails as React components in an **`emails/`** folder. At `toiljs build`
+each one is rendered **once, at build time**, to static inline-CSS HTML (because
+the inbox runs no JS), with the component's props turned into `{{token}}` holes;
+the build then generates a typed `Emails.<Name>.send(...)` your server calls.
+
+```tsx
+// emails/Welcome.tsx
+export const subject = 'Welcome, {{name}}!';
+
+export default function Welcome({ name, code }: { name: string; code: string }) {
+    return (
+        <table width="100%" style={{ fontFamily: 'Arial, sans-serif' }}>
+            <tbody>
+                <tr>
+                    <td style={{ padding: '24px' }}>
+                        <h1 style={{ color: '#111' }}>Welcome, {name}!</h1>
+                        <p>Your code is <b>{code}</b>.</p>
+                    </td>
+                </tr>
+            </tbody>
+        </table>
+    );
+}
+```
+
+The generated `Emails.Welcome.send(...)` takes the recipient, then one argument
+per `{{token}}` **in alphabetical order**, then an optional `purpose`:
+
+```ts
+// emails/Welcome.tsx uses {{code}} and {{name}}  ->  params are (code, name)
+const status = Emails.Welcome.send('alice@example.com', '123456', 'Alice');
+```
+
+Authoring notes:
+
+- **Use inline `style={{ ... }}`.** Email clients strip `<style>`/external CSS;
+  inline styles render everywhere. A CSS file imported into the component is
+  inlined for you at build (via `juice`).
+- **Optional exports:** `export const subject` (a token template; defaults to the
+  email name), `export const text` (a plain-text alternative; otherwise derived
+  from the HTML), `export const purpose`.
+- **Build-time, field substitution only.** Because the component renders once at
+  build, per-send data is `{{token}}` substitution — a runtime `{items.map(...)}`
+  or conditional bakes in at build, it does not re-run per recipient. That covers
+  transactional / 2FA / confirmation email; dynamic lists need a different
+  approach.
+- The generated `server/_emails.ts` is regenerated on `build`/`dev` and should be
+  gitignored.
+
+## Email verification codes (`TwoFactor`)
+
+`TwoFactor` is a **stateless** email-code primitive (2FA, email confirmation,
+magic codes) — no database. It emails a random code and returns a signed
+**token** that commits to the code via HMAC, without putting the code in the
+token (the code is only in the email). Verification recomputes the HMAC from the
+token plus the user-entered code, so a valid `(token, code)` pair can only come
+from someone who both received the email and holds the token.
+
+```ts
+// 1. Issue + email a code; hand `token` to the client (a cookie or hidden field).
+const challenge = TwoFactor.send('alice@example.com', 'login'); // emails the code
+// challenge.token  -> give to the client
+// challenge.status -> the EmailStatus of the send
+
+// 2. Later, verify what the user typed.
+const ok: bool = TwoFactor.verify(challenge.token, 'alice@example.com', userEntered);
+```
+
+- **`send(recipient, purpose, ttlSecs = 600, digits = 6)`** — issues a code,
+  emails it with a built-in template, returns `{ token, status }`.
+- **`issue(recipient, purpose, ttlSecs, digits)`** — returns `{ code, token }`
+  **without** sending, so you can email `code` with your own `EmailTemplate` /
+  `Emails.*` for a branded message.
+- **`verify(token, recipient, code)`** — `true` only for a code issued for that
+  recipient that hasn't expired. Constant-time compare.
+- **`TwoFactor.setSecret(secret)`** — the HMAC secret for the tokens. Call once
+  at startup in `main.ts`; it must be identical on every edge instance and out of
+  any client bundle. (This is separate from the provider `secret_ref`.)
+
+**Limitation:** this gives integrity + expiry but **not single-use** — a valid
+code verifies repeatedly within its TTL, because there is no server state to burn
+it. Keep the TTL short; for true single-use, store a per-recipient
+last-verified-at and reject at or before it.
+
+## Limits and abuse controls
+
+All enforced authoritatively in the single mailer (so the counts are exact across
+all workers):
+
+- **Per-tenant budget** — `max_per_min` (a token bucket). Over it → `Budget`.
+- **Per-recipient cap** — `max_per_recipient_per_hour`. Over it →
+  `RecipientCapped`.
+- **Dedup** — identical `(host, recipient, purpose)` within ~30s → `Deduped`.
+
+Editing these in the host config takes effect on the next send (no restart).
+
+## Observability
+
+`GET /_admin/email` returns process-wide counters by reason (JSON), e.g.
+`submitted`, `sent`, `deduped`, `budget`, `recipient_capped`, `try_later`,
+`bad_recipient`, `provider_error`. It exposes **counts only** — never a
+recipient, code, subject, body, or secret.
+
+## See also
+
+- [Rate limiting](./ratelimit.md) — protect your routes (including any email
+  trigger) with `@ratelimit`.
+- [Web Crypto](./crypto.md) — the `crypto` global `TwoFactor` builds on.

package/docs/ratelimit.md

@@ -0,0 +1,95 @@
+# Rate limiting
+
+The `@ratelimit` decorator throttles **any** `@rest` route — a login, a signup, a
+public API, an email trigger, anything. It is enforced at the edge, before your
+handler runs, and keyed by default on the connecting client's **unspoofable** IP,
+so it works as an abuse / brute-force control out of the box.
+
+It composes with the other route decorators and is independent of email or auth.
+
+## Using `@ratelimit`
+
+Add it to a route alongside the verb decorator:
+
+```ts
+import { Response, RouteContext } from 'toiljs/server/runtime';
+
+@rest('auth')
+class Auth {
+    // At most 5 login attempts per 60 seconds per client IP.
+    @ratelimit(RateLimit.SlidingWindow, 5, 60)
+    @post('/login')
+    login(ctx: RouteContext): Response {
+        // ... only runs if under the limit ...
+        return Response.text('ok\n');
+    }
+}
+```
+
+`@ratelimit(strategy, limit, window)`:
+
+- **`strategy`** — a `RateLimit` value (ambient global, no import):
+  `RateLimit.FixedWindow`, `RateLimit.SlidingWindow`, or `RateLimit.TokenBucket`.
+- **`limit`** and **`window`** — integer literals whose meaning depends on the
+  strategy (see below).
+
+When a request is over the limit the edge returns **`429 Too Many Requests`**
+with a **`Retry-After`** header (whole seconds), and your handler never runs. The
+guard runs **before `@auth`**, so unauthenticated floods are limited too.
+
+> Both arguments must be **integer literals** and the strategy a `RateLimit`
+> member (or a bare integer tag). A malformed decorator emits no guard rather
+> than miscompiling — the same fail-safe rule as `@cache`.
+
+## Strategies
+
+| Strategy | `limit`, `window` mean | Behavior |
+| --- | --- | --- |
+| `FixedWindow` | `limit` events per `window` seconds | Cheapest. Counts in aligned wall-clock buckets; a caller hammering a boundary can briefly get up to ~2× `limit` across two adjacent windows. |
+| `SlidingWindow` | `limit` events per `window` seconds | Smooths the fixed-window boundary by weighting the previous window. Best general choice for "N per period". |
+| `TokenBucket` | `limit` = burst size, `window` = refill **per second** | Allows an initial burst of `limit`, then a steady `window` tokens/sec. Good for bursty-but-bounded APIs. |
+
+Examples:
+
+```ts
+// 100 requests / minute, smoothed:
+@ratelimit(RateLimit.SlidingWindow, 100, 60)
+
+// Burst of 20, then 5 per second sustained:
+@ratelimit(RateLimit.TokenBucket, 20, 5)
+
+// Exactly 3 per hour, cheapest:
+@ratelimit(RateLimit.FixedWindow, 3, 3600)
+```
+
+## How requests are keyed
+
+By default the limiter keys on the **client IP** — specifically the TCP peer
+address the edge observed (`ctx.clientIp()`), **not** a header like
+`X-Forwarded-For`, which a client can forge. That makes it a real abuse control:
+a caller can't reset their bucket by spoofing a header.
+
+The count is **exact across all 14 edge workers** (a given IP always maps to one
+authoritative shard), so the limit is global per route, not per worker. Only
+routes that opt in with `@ratelimit` ever pay anything — the lock-free fast path
+for everything else is untouched.
+
+> Each rate-limited route has its own independent limiter — a limit on `/login`
+> does not consume the budget of `/signup`.
+
+## Notes and limits
+
+- **Route-level only.** Put `@ratelimit` on each route you want limited; there is
+  no controller-wide form yet (unlike `@auth`).
+- **Keyed on IP.** The decorator keys on the peer IP today. (A per-user / custom
+  key — limiting by account instead of IP — exists in the runtime but is not yet
+  exposed through the decorator.)
+- **In dev.** `toiljs dev` runs a single-process mirror of the same three
+  strategies, so a limited route behaves the same locally as on the edge.
+
+## See also
+
+- [Email](./email.md) — `@ratelimit` pairs well with email triggers (verification
+  codes, password resets) to blunt abuse.
+- [Auth, sessions, and `@user`](./auth.md) — `@ratelimit` runs before the `@auth`
+  guard, so it protects the login itself.

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "toiljs",
     "type": "module",
-    "version": "0.0.39",
+    "version": "0.0.41",
     "author": "Dacely",
     "description": "The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.",
     "repository": {
@@ -126,9 +126,10 @@
         "eslint-plugin-react-hooks": "^7.1.1",
         "eslint-plugin-react-refresh": "^0.5.2",
         "hash-wasm": "^4.12.0",
+        "juice": "^12.1.0",
         "picocolors": "^1.1.1",
         "sharp": "^0.35.0",
-        "toilscript": "^0.1.22",
+        "toilscript": "^0.1.23",
         "typescript-eslint": "^8.60.0",
         "vite": "^8.0.14",
         "vite-imagetools": "^10.0.0",