toiljs 0.0.55 → 0.0.57

package/examples/basic/server/routes/Auth.ts

@@ -1,6 +1,5 @@
 import { Response, RouteContext } from 'toiljs/server/runtime';
 import { DataReader, DataWriter } from 'data';
-import { Record } from 'toildb';
 
 import { encodeSessionUser } from './Session';
 
@@ -64,11 +63,6 @@ function deriveSalt(username: string): Uint8Array {
     return crypto.sha256Text('toil-demo-salt-v1:' + username).slice(0, 16);
 }
 
-
-// ToilDB collections (the `kv.*` dev placeholder is gone). The key + value are
-// `@data` types: the binary codec is generated, the host marshals it, and the
-// challenge is consumed exactly once with `getDelete`.
-
 @data
 class Username {
     name: string = '';
@@ -106,8 +100,8 @@ class Challenge {
 
 @database
 class AuthDb {
-    @collection accounts!: Record<AuthAccount, Username>;
-    @collection challenges!: Record<Challenge, ChallengeId>;
+    @collection static accounts: Documents<Username, AuthAccount>;
+    @collection static challenges: Documents<ChallengeId, Challenge>;
 }
 
 @rest('auth')
@@ -237,8 +231,17 @@ class Auth {
         const acct = AuthDb.accounts.get(new Username(ch.username));
         if (acct == null) return fail();
         const message = AuthService.buildLoginMessage(
-            ch.username, AUD, cid, ch.nonce, ch.iat, ch.exp,
-            ct, DEMO_MEM_KIB, DEMO_ITERS, DEMO_PAR, AuthService.serverKemKeyId(),
+            ch.username,
+            AUD,
+            cid,
+            ch.nonce,
+            ch.iat,
+            ch.exp,
+            ct,
+            DEMO_MEM_KIB,
+            DEMO_ITERS,
+            DEMO_PAR,
+            AuthService.serverKemKeyId()
         );
         if (!AuthService.verifyLogin(acct.publicKey, message, sig)) return fail();
 

package/examples/basic/server/routes/EnvDemo.ts

@@ -34,9 +34,15 @@ class EnvDemo {
         const apiKeySet = Environment.getSecure('DEMO_API_KEY') != null;
 
         const body =
-            'PUBLIC_GREETING=' + greeting + '\n' +
-            'REGION=' + region + '\n' +
-            'DEMO_API_KEY set=' + (apiKeySet ? 'yes' : 'no') + '\n';
+            'PUBLIC_GREETING=' +
+            greeting +
+            '\n' +
+            'REGION=' +
+            region +
+            '\n' +
+            'DEMO_API_KEY set=' +
+            (apiKeySet ? 'yes' : 'no') +
+            '\n';
         return Response.text(body, 200);
     }
 }

package/examples/basic/server/routes/Guestbook.ts

@@ -1,5 +1,3 @@
-import { Counter, Events } from 'toildb';
-
 import { GuestEntry } from '../models/GuestEntry';
 import { GuestbookView } from '../models/GuestbookView';
 import { NewMessage } from '../models/NewMessage';
@@ -28,8 +26,8 @@ class GuestKey {
 
 @database
 class GuestbookDb {
-    @collection entries!: Events<GuestEntry, GuestKey>;
-    @collection totals!: Counter<GuestKey>;
+    @collection static entries: Events<GuestKey, GuestEntry>;
+    @collection static totals: Counter<GuestKey>;
 }
 
 /** The current total + the 10 newest entries. */

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "toiljs",
     "type": "module",
-    "version": "0.0.55",
+    "version": "0.0.57",
     "author": "Dacely",
     "description": "The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.",
     "repository": {
@@ -120,21 +120,21 @@
         "@dacely/noble-post-quantum": "^0.6.1",
         "@noble/curves": "^2.2.0",
         "@dacely/toilscript-loader": "^0.1.0",
-        "@eslint-react/eslint-plugin": "^5.8.8",
+        "@eslint-react/eslint-plugin": "^5.9.0",
         "@eslint/js": "^10.0.1",
-        "@typescript-eslint/utils": "^8.60.0",
+        "@typescript-eslint/utils": "^8.61.1",
         "@vitejs/plugin-react": "^6.0.2",
         "eslint-plugin-react-hooks": "^7.1.1",
-        "eslint-plugin-react-refresh": "^0.5.2",
+        "eslint-plugin-react-refresh": "^0.5.3",
         "hash-wasm": "^4.12.0",
-        "juice": "^12.1.0",
-        "nodemailer": "^9.0.0",
+        "juice": "^12.1.1",
+        "nodemailer": "^9.0.1",
         "picocolors": "^1.1.1",
-        "sharp": "^0.35.0",
-        "toilscript": "^0.1.28",
-        "typescript-eslint": "^8.60.0",
-        "vite": "^8.0.14",
-        "vite-imagetools": "^10.0.0",
+        "sharp": "^0.35.1",
+        "toilscript": "^0.1.29",
+        "typescript-eslint": "^8.61.1",
+        "vite": "^8.0.16",
+        "vite-imagetools": "^10.0.1",
         "vite-plugin-node-polyfills": "^0.28.0"
     },
     "peerDependencies": {
@@ -145,34 +145,34 @@
         "typescript": ">=6.0.0"
     },
     "devDependencies": {
-        "@babel/core": "^7.29.7",
-        "@babel/preset-env": "^7.29.7",
-        "@babel/preset-typescript": "^7.29.7",
+        "@babel/core": "^8.0.1",
+        "@babel/preset-env": "^8.0.1",
+        "@babel/preset-typescript": "^8.0.1",
         "@btc-vision/as-covers-assembly": "^0.4.5",
         "@btc-vision/as-covers-transform": "^0.4.5",
         "@btc-vision/as-pect-assembly": "^8.3.0",
         "@btc-vision/as-pect-cli": "^8.3.0",
         "@btc-vision/as-pect-transform": "^8.3.0",
-        "@clack/prompts": "^1.5.0",
+        "@clack/prompts": "^1.5.1",
         "@microsoft/api-extractor": "7.58.9",
         "@testing-library/dom": "^10.4.1",
         "@testing-library/react": "^16.3.2",
-        "@types/node": "^25.9.1",
+        "@types/node": "^26.0.0",
         "@types/nodemailer": "^8.0.1",
-        "@types/react": "^19.2.15",
+        "@types/react": "^19.2.17",
         "@types/react-dom": "^19.2.3",
-        "@vitest/coverage-v8": "^4.1.7",
-        "@vitest/ui": "^4.1.7",
-        "esbuild": "^0.28.0",
-        "eslint": "^10.4.1",
+        "@vitest/coverage-v8": "^4.1.9",
+        "@vitest/ui": "^4.1.9",
+        "esbuild": "^0.28.1",
+        "eslint": "^10.5.0",
         "jsdom": "^29.1.1",
         "micromatch": "^4.0.8",
-        "playwright": "^1.60.0",
-        "prettier": "^3.8.3",
-        "react": "^19.2.6",
-        "react-dom": "^19.2.6",
+        "playwright": "^1.61.0",
+        "prettier": "^3.8.4",
+        "react": "^19.2.7",
+        "react-dom": "^19.2.7",
         "typedoc": "^0.28.19",
         "typescript": "^6.0.3",
-        "vitest": "^4.1.7"
+        "vitest": "^4.1.9"
     }
 }

package/src/backend/index.ts

@@ -10,10 +10,10 @@ import fs from 'node:fs';
 import path from 'node:path';
 
 import {
-    Server,
     type MiddlewareNext,
     type Request,
     type Response,
+    Server,
     type Websocket,
 } from '@dacely/hyper-express';
 
@@ -172,7 +172,9 @@ export async function startBackend(options: BackendOptions): Promise<RunningBack
     // default upgrade handler (hyper-express links it to the companion ws route). Same-origin and
     // non-browser clients pass; others get 403.
     app.upgrade(wsPath, (request: Request, response: Response) => {
-        if (!isWsOriginAllowed(request.headers.origin, request.headers.host, options.allowedOrigins)) {
+        if (
+            !isWsOriginAllowed(request.headers.origin, request.headers.host, options.allowedOrigins)
+        ) {
             response.status(403).send();
             return;
         }

package/src/cli/create.ts

@@ -114,7 +114,7 @@ function scaffold(
         '@types/react-dom': '^19.2.3',
         eslint: '^10.2.0',
         prettier: '^3.8.1',
-        toilscript: '^0.1.27',
+        toilscript: '^0.1.35',
         typescript: '^6.0.3',
     };
     for (const dep of requiredPackages(features).sort()) {
@@ -165,10 +165,19 @@ function scaffold(
         '.prettierignore':
             'node_modules\nbuild\n.toil\nshared/server.ts\ntoil-env.d.ts\ntoil-routes.d.ts\nserver/_emails.ts\nserver/toil-server-env.d.ts\n',
         '.gitignore':
-            'node_modules\nbuild\n.toil\nshared/server.ts\ntoil-env.d.ts\ntoil-routes.d.ts\n# Local dev env vars/secrets (never commit)\n.env\n.env.secrets\n',
-        // Use the project's pinned TypeScript (node_modules) instead of VS Code's bundled version.
+            'node_modules\nbuild\n.toil\nshared/server.ts\ntoil-env.d.ts\ntoil-routes.d.ts\nhosts/*/_tmpl/\n# Local dev env vars/secrets (never commit)\n.env\n.env.secrets\n',
+        // Use the project's pinned TypeScript (node_modules) instead of VS Code's bundled
+        // version, and prompt to switch, so the editor loads the toilscript LS plugin wired
+        // in server/tsconfig.json (which clears the @database / @data editor false positives).
         '.vscode/settings.json':
-            JSON.stringify({ 'typescript.tsdk': 'node_modules/typescript/lib' }, null, 4) + '\n',
+            JSON.stringify(
+                {
+                    'typescript.tsdk': 'node_modules/typescript/lib',
+                    'typescript.enablePromptUseWorkspaceTsdk': true,
+                },
+                null,
+                4,
+            ) + '\n',
         'toil-env.d.ts': TOIL_ENV_DTS,
         // Stub typed-routes augmentation (RoutePath = string until the first dev/build regenerates it).
         'toil-routes.d.ts': '// AUTO-GENERATED by toil, do not edit.\nexport {};\n',
@@ -220,10 +229,16 @@ function scaffold(
                 null,
                 4,
             ) + '\n',
+        // The toilscript LS plugin teaches the editor about compiler-injected members
+        // (`@database` static collections like `Db.users`, the `@data` codec, `@user`), so
+        // stock TypeScript stops false-flagging them as TS2339. Editor-only; ignored by tsc.
         'server/tsconfig.json':
             JSON.stringify(
                 {
                     extends: 'toilscript/std/assembly.json',
+                    compilerOptions: {
+                        plugins: [{ name: 'toilscript/std/ts-plugin.cjs' }],
+                    },
                     include: ['./**/*.ts'],
                 },
                 null,

package/src/cli/diagnostics.ts

@@ -503,6 +503,54 @@ export function checkRestDispatch(f: RestFacts): Check {
     };
 }
 
+/**
+ * Whether the server's tsconfig wires the toilscript language-service plugin. The compiler turns
+ * each `@collection` field into a STATIC handle (`GuestbookDb.totals`) and injects the `@data`
+ * codec / `@user` members, none of which stock TypeScript can see, so without the plugin the editor
+ * false-flags them as TS2339. The plugin (editor-only; never runs under `tsc`) clears them.
+ */
+export function checkServerTsPlugin(present: boolean): Check {
+    return present
+        ? { id: 'server-ts-plugin', label: 'toilscript editor plugin', status: 'pass' }
+        : {
+              id: 'server-ts-plugin',
+              label: 'toilscript editor plugin',
+              status: 'warn',
+              detail: 'server tsconfig is missing the toilscript LS plugin, so the editor wrongly flags @database static collections (e.g. GuestbookDb.totals) and @data members as TS2339',
+              fix: 'Run `toiljs doctor --fix` to add { "plugins": [{ "name": "toilscript/std/ts-plugin.cjs" }] } to your server tsconfig, then pick the workspace TypeScript version and restart the TS server.',
+          };
+}
+
+// --- Security -------------------------------------------------------------------------------------
+
+/** Whether the project uses the auth primitive, and whether its session secret is configured. */
+export interface AuthFacts {
+    /** A server source references the auth primitive (`AuthService` / `@user` / `@auth`). */
+    readonly usesAuth: boolean;
+    /** `AUTH_SESSION_SECRET` is assigned a non-empty value in the local secrets source. */
+    readonly sessionSecretSet: boolean;
+}
+
+/**
+ * Flags the silent insecure default behind the auth primitive. When a project uses sessions but
+ * never sets `AUTH_SESSION_SECRET`, the server falls back to a PUBLISHED dev key (see
+ * `server/globals/auth.ts`), so anyone can forge a session cookie and skip login. doctor can only
+ * see the local secrets source, so it WARNS (the real secret may live on the deploy target) rather
+ * than failing CI on a false positive.
+ */
+export function checkAuthSecrets(f: AuthFacts): Check {
+    if (!f.usesAuth || f.sessionSecretSet) {
+        return { id: 'auth-secrets', label: 'Session secret', status: 'pass' };
+    }
+    return {
+        id: 'auth-secrets',
+        label: 'Session secret',
+        status: 'warn',
+        detail: 'auth is used but AUTH_SESSION_SECRET is unset: sessions fall back to a PUBLISHED key, so anyone can forge a session cookie and skip login',
+        fix: 'Set AUTH_SESSION_SECRET to a long random value in .env.secrets (local) and on your deploy target (also AUTH_OPRF_SEED / AUTH_KEM_SK if you use password login). Generate one: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))".',
+    };
+}
+
 // --- Summary --------------------------------------------------------------------------------------
 
 export function summarize(groups: readonly CheckGroup[]): DoctorSummary {

package/src/cli/doctor.ts

@@ -10,10 +10,17 @@ import { createRequire } from 'node:module';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 
-import { loadConfig, type ResolvedToilConfig, scanRoutes, TOIL_SERVER_ENV_DTS } from 'toiljs/compiler';
+import {
+    loadConfig,
+    type ResolvedToilConfig,
+    scanRoutes,
+    TOIL_SERVER_ENV_DTS,
+} from 'toiljs/compiler';
 
 import {
+    type AuthFacts,
     type Check,
+    checkAuthSecrets,
     checkBasePath,
     checkConfigLoads,
     checkDevScripts,
@@ -32,6 +39,7 @@ import {
     checkRpcWiring,
     checkSeoUrl,
     checkServerEntry,
+    checkServerTsPlugin,
     type CheckStatus,
     checkStyling,
     checkToilconfig,
@@ -41,8 +49,8 @@ import {
     findRelativeAssets,
     hasFailures,
     type RestFacts,
-    type RpcFacts,
     RPC_TOILSCRIPT_MIN,
+    type RpcFacts,
     satisfiesMin,
     type SourceFile,
     summarize,
@@ -226,6 +234,61 @@ function gatherRestFacts(root: string, toilconfig: Record<string, unknown> | nul
     return { hasControllers, dispatched };
 }
 
+/** Whether `.env.secrets` assigns `key` a non-empty value (a bare `KEY=` counts as unset). */
+function secretDefined(root: string, key: string): boolean {
+    const raw = readFile(path.join(root, '.env.secrets'));
+    if (raw === null) return false;
+    return new RegExp(`^\\s*(?:export\\s+)?${key}\\s*=\\s*\\S`, 'm').test(raw);
+}
+
+/**
+ * Whether the server uses the auth primitive (so a missing session secret matters) and whether
+ * `AUTH_SESSION_SECRET` is set locally. `getSecure` reads ONLY the `.env.secrets` bucket, so that
+ * is the source we check; on a deploy target the secret lives on the dashboard instead.
+ */
+function gatherAuthFacts(root: string, toilconfig: Record<string, unknown> | null): AuthFacts {
+    let usesAuth = false;
+    for (const src of serverSources(root, toilconfig)) {
+        if (/\bAuthService\b/.test(src) || /@user\b/.test(src) || /@auth\b/.test(src)) {
+            usesAuth = true;
+            break;
+        }
+    }
+    return { usesAuth, sessionSecretSet: secretDefined(root, 'AUTH_SESSION_SECRET') };
+}
+
+/** The toilscript language-service plugin id wired into a server tsconfig. */
+const TS_PLUGIN_NAME = 'toilscript/std/ts-plugin.cjs';
+
+/**
+ * The server's tsconfig.json (the one beside a toilconfig entry, conventionally
+ * `server/tsconfig.json`), or null if none exists. That is the project the editor uses for server
+ * files, so it is where the toilscript LS plugin must live.
+ */
+function serverTsconfigPath(root: string, toilconfig: Record<string, unknown> | null): string | null {
+    const dirs = new Set<string>();
+    const entries = Array.isArray(toilconfig?.entries)
+        ? (toilconfig.entries as unknown[]).filter((e): e is string => typeof e === 'string')
+        : [];
+    for (const e of entries) dirs.add(path.dirname(path.resolve(root, e)));
+    if (dirs.size === 0) dirs.add(path.join(root, 'server'));
+    for (const dir of dirs) {
+        const p = path.join(dir, 'tsconfig.json');
+        if (fs.existsSync(p)) return p;
+    }
+    return null;
+}
+
+/** Whether a parsed tsconfig's `compilerOptions.plugins` references the toilscript LS plugin. */
+function tsconfigHasToilPlugin(tsconfig: Record<string, unknown> | null): boolean {
+    const plugins = asRecord(tsconfig?.compilerOptions)?.plugins;
+    if (!Array.isArray(plugins)) return false;
+    return plugins.some((p) => {
+        const name = asRecord(p)?.name;
+        return typeof name === 'string' && name.includes('ts-plugin');
+    });
+}
+
 interface RpcFixResult {
     /** Files written. */
     readonly changed: string[];
@@ -353,7 +416,9 @@ function applyRpcFix(root: string): RpcFixResult {
     const serverToilconfig = readJsonObject(path.join(root, 'toilconfig.json'));
     if (serverToilconfig !== null) {
         const entries = Array.isArray(serverToilconfig.entries)
-            ? (serverToilconfig.entries as unknown[]).filter((e): e is string => typeof e === 'string')
+            ? (serverToilconfig.entries as unknown[]).filter(
+                  (e): e is string => typeof e === 'string',
+              )
             : [];
         const dirs = new Set<string>();
         for (const e of entries) dirs.add(path.dirname(path.resolve(root, e)));
@@ -464,6 +529,64 @@ function applyPrettierFix(root: string, pkg: Record<string, unknown> | null): Rp
     return { changed, skipped };
 }
 
+/**
+ * Wires the editor side of the toilscript server: adds the LS plugin to the server tsconfig (so the
+ * editor stops false-flagging `@database` static collections / `@data` members), and points VS Code
+ * at the workspace TypeScript (so it actually loads that plugin). Idempotent; only writes real
+ * changes, and skips (with a note) configs it can't safely edit (a tsconfig with comments).
+ */
+function applyServerEditorFix(root: string, toilconfig: Record<string, unknown> | null): RpcFixResult {
+    const changed: string[] = [];
+    const skipped: string[] = [];
+
+    // 1. The LS plugin in the server tsconfig.
+    const tsPath = serverTsconfigPath(root, toilconfig);
+    if (tsPath === null) {
+        skipped.push('server/tsconfig.json (not found; add the toilscript ts-plugin by hand)');
+    } else {
+        const rel = path.relative(root, tsPath);
+        const raw = readFile(tsPath);
+        const parsed = raw !== null ? readJsonObject(tsPath) : null;
+        if (parsed === null) {
+            skipped.push(`${rel} (JSON with comments; add the "${TS_PLUGIN_NAME}" plugin by hand)`);
+        } else if (!tsconfigHasToilPlugin(parsed)) {
+            const co = asRecord(parsed.compilerOptions) ?? {};
+            const existingPlugins: unknown[] = Array.isArray(co.plugins)
+                ? (co.plugins as unknown[])
+                : [];
+            co.plugins = [...existingPlugins, { name: TS_PLUGIN_NAME }];
+            parsed.compilerOptions = co;
+            writeFile(tsPath, JSON.stringify(parsed, null, 4) + '\n');
+            changed.push(rel);
+        }
+    }
+
+    // 2. Make VS Code use the workspace TypeScript, so it loads the plugin above.
+    const vsPath = path.join(root, '.vscode', 'settings.json');
+    const vsRaw = readFile(vsPath);
+    const vs = vsRaw !== null ? readJsonObject(vsPath) : {};
+    if (vs === null) {
+        skipped.push('.vscode/settings.json (unparseable; set typescript.tsdk by hand)');
+    } else {
+        let touched = false;
+        if (vs['typescript.tsdk'] !== 'node_modules/typescript/lib') {
+            vs['typescript.tsdk'] = 'node_modules/typescript/lib';
+            touched = true;
+        }
+        if (vs['typescript.enablePromptUseWorkspaceTsdk'] !== true) {
+            vs['typescript.enablePromptUseWorkspaceTsdk'] = true;
+            touched = true;
+        }
+        if (touched) {
+            fs.mkdirSync(path.dirname(vsPath), { recursive: true });
+            writeFile(vsPath, JSON.stringify(vs, null, 4) + '\n');
+            changed.push('.vscode/settings.json');
+        }
+    }
+
+    return { changed, skipped };
+}
+
 /** Reads the framework's own package.json (engines + peerDependencies) for the requirements. */
 function frameworkMeta(): { node: string; peers: Record<string, string> } {
     const pkgPath = path.resolve(
@@ -624,20 +747,37 @@ export async function runDoctor(opts: DoctorOptions): Promise<void> {
     const peerName = (n: string): Check => checkPeer(n, deps[n] ?? null, meta.peers[n] ?? '*');
     const peerChecks = Object.keys(meta.peers).map(peerName);
 
-    // Server tooling (RPC wiring + the prettier plugin): optionally fix in place, then re-read.
+    // Server tooling (RPC wiring + the prettier plugin + the editor LS plugin): optionally fix in
+    // place, then re-read.
     const rpcFix = serverPresent && opts.fix ? applyRpcFix(root) : null;
     const prettierFix = serverPresent && opts.fix ? applyPrettierFix(root, projectPkg) : null;
+    const editorFix = serverPresent && opts.fix ? applyServerEditorFix(root, toilconfig) : null;
     const rpcFacts = gatherRpcFacts(root);
     const restFacts = gatherRestFacts(root, toilconfig);
+    const authFacts = gatherAuthFacts(root, toilconfig);
     const prettierPresent = prettierPluginPresent(
         root,
         readJsonObject(path.join(root, 'package.json')),
     );
+    // Only assess the LS plugin when a server tsconfig exists and parses; an absent or
+    // commented one is left to the user rather than warned on.
+    const serverTsPath = serverPresent ? serverTsconfigPath(root, toilconfig) : null;
+    const serverTsParsed = serverTsPath ? readJsonObject(serverTsPath) : null;
+    const serverTsPluginPresent =
+        serverTsPath === null || serverTsParsed === null ? true : tsconfigHasToilPlugin(serverTsParsed);
     const serverFix =
-        rpcFix || prettierFix
+        rpcFix || prettierFix || editorFix
             ? {
-                  changed: [...(rpcFix?.changed ?? []), ...(prettierFix?.changed ?? [])],
-                  skipped: [...(rpcFix?.skipped ?? []), ...(prettierFix?.skipped ?? [])],
+                  changed: [
+                      ...(rpcFix?.changed ?? []),
+                      ...(prettierFix?.changed ?? []),
+                      ...(editorFix?.changed ?? []),
+                  ],
+                  skipped: [
+                      ...(rpcFix?.skipped ?? []),
+                      ...(prettierFix?.skipped ?? []),
+                      ...(editorFix?.skipped ?? []),
+                  ],
               }
             : null;
 
@@ -699,11 +839,17 @@ export async function runDoctor(opts: DoctorOptions): Promise<void> {
                       checkRpcWiring(rpcFacts),
                       checkRestDispatch(restFacts),
                       checkPrettierPlugin(prettierPresent),
+                      checkServerTsPlugin(serverTsPluginPresent),
                   ]
                 : [checkToilconfig(false)],
         },
     ];
 
+    // Security checks only apply to a server (no server, no sessions to forge).
+    if (serverPresent) {
+        groups.push({ title: 'Security', checks: [checkAuthSecrets(authFacts)] });
+    }
+
     const summary = summarize(groups);
     if (opts.json) {
         process.stdout.write(JSON.stringify({ groups, summary, fixed: serverFix }, null, 2) + '\n');
@@ -724,14 +870,14 @@ export async function runDoctor(opts: DoctorOptions): Promise<void> {
 function renderRpcFix(result: RpcFixResult): void {
     const out: string[] = [];
     if (result.changed.length > 0) {
-        out.push('  ' + success('fixed RPC wiring') + dim(`  ${result.changed.join(', ')}`));
+        out.push('  ' + success('fixed server wiring') + dim(`  ${result.changed.join(', ')}`));
         if (result.changed.includes('package.json')) {
             out.push(
                 '  ' + dim('run your installer (npm/pnpm/yarn) if the toilscript version changed.'),
             );
         }
     } else {
-        out.push('  ' + dim('RPC wiring already in place, nothing to fix.'));
+        out.push('  ' + dim('server wiring already in place, nothing to fix.'));
     }
     for (const item of result.skipped) out.push('  ' + warn('skipped') + dim(`  ${item}`));
     process.stdout.write(out.join('\n') + '\n\n');

package/src/cli/notify.ts

@@ -13,12 +13,7 @@ import { fileURLToPath } from 'node:url';
 
 import { detectPackageManager } from './update.js';
 import { accent, bold, box, dim, version as cliVersion, warn } from './ui.js';
-import {
-    findOutdated,
-    isCacheFresh,
-    type OutdatedRow,
-    parseCheckCache,
-} from './version-check.js';
+import { findOutdated, isCacheFresh, type OutdatedRow, parseCheckCache } from './version-check.js';
 
 const REGISTRY_URL = 'https://registry.npmjs.org/toiljs/latest';
 const FETCH_TIMEOUT_MS = 2000;

package/src/cli/ui.ts

@@ -118,9 +118,7 @@ function visibleWidth(s: string): number {
 export function box(lines: readonly string[], paint: (s: string) => string = (s) => s): string {
     const width = lines.reduce((w, l) => Math.max(w, visibleWidth(l)), 0);
     const side = paint('│');
-    const body = lines.map(
-        (l) => `  ${side}  ${l}${' '.repeat(width - visibleWidth(l))}  ${side}`,
-    );
+    const body = lines.map((l) => `  ${side}  ${l}${' '.repeat(width - visibleWidth(l))}  ${side}`);
     return [
         '  ' + paint(`╭${'─'.repeat(width + 4)}╮`),
         ...body,
@@ -167,3 +165,5 @@ export function banner(): void {
     const ver = `${dim('  v')}${brand(version())}`;
     process.stdout.write('\n' + lines.join('\n') + '\n\n  ' + tagline() + '   ' + ver + '\n\n');
 }
+
+

package/src/cli/version-check.ts

@@ -29,7 +29,11 @@ export function parseCheckCache(raw: string): CheckCache | null {
 }
 
 /** True when the cached answer is still trustworthy (also stale if the clock went backwards). */
-export function isCacheFresh(cache: CheckCache, now: number, ttlMs: number = CHECK_TTL_MS): boolean {
+export function isCacheFresh(
+    cache: CheckCache,
+    now: number,
+    ttlMs: number = CHECK_TTL_MS,
+): boolean {
     return cache.checkedAt <= now && now - cache.checkedAt < ttlMs;
 }