npm - zero-query - Versions diffs - 1.0.9 → 1.2.0 - Mend

zero-query 1.0.9 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/LICENSE +21 -21
package/README.md +2 -0
package/cli/args.js +33 -33
package/cli/commands/build-api.js +443 -0
package/cli/commands/build.js +254 -216
package/cli/commands/bundle.js +1228 -1183
package/cli/commands/create.js +137 -121
package/cli/commands/dev/devtools/index.js +56 -56
package/cli/commands/dev/devtools/js/components.js +49 -49
package/cli/commands/dev/devtools/js/core.js +423 -423
package/cli/commands/dev/devtools/js/elements.js +421 -421
package/cli/commands/dev/devtools/js/network.js +166 -166
package/cli/commands/dev/devtools/js/performance.js +73 -73
package/cli/commands/dev/devtools/js/router.js +105 -105
package/cli/commands/dev/devtools/js/source.js +132 -132
package/cli/commands/dev/devtools/js/stats.js +35 -35
package/cli/commands/dev/devtools/js/tabs.js +79 -79
package/cli/commands/dev/devtools/panel.html +95 -95
package/cli/commands/dev/devtools/styles.css +244 -244
package/cli/commands/dev/index.js +107 -107
package/cli/commands/dev/logger.js +75 -75
package/cli/commands/dev/overlay.js +858 -858
package/cli/commands/dev/server.js +220 -167
package/cli/commands/dev/validator.js +94 -94
package/cli/commands/dev/watcher.js +172 -172
package/cli/help.js +114 -112
package/cli/index.js +52 -52
package/cli/scaffold/default/LICENSE +21 -21
package/cli/scaffold/default/app/app.js +207 -207
package/cli/scaffold/default/app/components/about.js +201 -201
package/cli/scaffold/default/app/components/api-demo.js +143 -143
package/cli/scaffold/default/app/components/contact-card.js +231 -231
package/cli/scaffold/default/app/components/contacts/contacts.css +706 -706
package/cli/scaffold/default/app/components/contacts/contacts.html +200 -200
package/cli/scaffold/default/app/components/contacts/contacts.js +196 -196
package/cli/scaffold/default/app/components/counter.js +127 -127
package/cli/scaffold/default/app/components/home.js +249 -249
package/cli/scaffold/default/app/components/not-found.js +16 -16
package/cli/scaffold/default/app/components/playground/playground.css +115 -115
package/cli/scaffold/default/app/components/playground/playground.html +161 -161
package/cli/scaffold/default/app/components/playground/playground.js +116 -116
package/cli/scaffold/default/app/components/todos.js +225 -225
package/cli/scaffold/default/app/components/toolkit/toolkit.css +97 -97
package/cli/scaffold/default/app/components/toolkit/toolkit.html +146 -146
package/cli/scaffold/default/app/components/toolkit/toolkit.js +280 -280
package/cli/scaffold/default/app/routes.js +15 -15
package/cli/scaffold/default/app/store.js +101 -101
package/cli/scaffold/default/global.css +552 -552
package/cli/scaffold/default/index.html +99 -99
package/cli/scaffold/minimal/app/app.js +85 -85
package/cli/scaffold/minimal/app/components/about.js +68 -68
package/cli/scaffold/minimal/app/components/counter.js +122 -122
package/cli/scaffold/minimal/app/components/home.js +68 -68
package/cli/scaffold/minimal/app/components/not-found.js +16 -16
package/cli/scaffold/minimal/app/routes.js +9 -9
package/cli/scaffold/minimal/app/store.js +36 -36
package/cli/scaffold/minimal/global.css +300 -300
package/cli/scaffold/minimal/index.html +44 -44
package/cli/scaffold/ssr/app/app.js +41 -41
package/cli/scaffold/ssr/app/components/about.js +55 -55
package/cli/scaffold/ssr/app/components/blog/index.js +65 -65
package/cli/scaffold/ssr/app/components/blog/post.js +86 -86
package/cli/scaffold/ssr/app/components/home.js +37 -37
package/cli/scaffold/ssr/app/components/not-found.js +15 -15
package/cli/scaffold/ssr/app/routes.js +8 -8
package/cli/scaffold/ssr/global.css +228 -228
package/cli/scaffold/ssr/index.html +37 -37
package/cli/scaffold/ssr/package.json +8 -8
package/cli/scaffold/ssr/server/data/posts.js +144 -144
package/cli/scaffold/ssr/server/index.js +213 -213
package/cli/scaffold/webrtc/app/app.js +11 -0
package/cli/scaffold/webrtc/app/components/video-room.js +295 -0
package/cli/scaffold/webrtc/app/lib/room.js +252 -0
package/cli/scaffold/webrtc/assets/.gitkeep +0 -0
package/cli/scaffold/webrtc/global.css +250 -0
package/cli/scaffold/webrtc/index.html +21 -0
package/cli/utils.js +305 -287
package/dist/API.md +7264 -0
package/dist/zquery.dist.zip +0 -0
package/dist/zquery.js +10313 -6252
package/dist/zquery.min.js +8 -601
package/index.d.ts +570 -365
package/index.js +311 -232
package/package.json +76 -69
package/src/component.js +1709 -1454
package/src/core.js +921 -921
package/src/diff.js +497 -497
package/src/errors.js +209 -209
package/src/expression.js +922 -922
package/src/http.js +242 -242
package/src/package.json +1 -1
package/src/reactive.js +255 -254
package/src/router.js +843 -773
package/src/ssr.js +418 -418
package/src/store.js +318 -272
package/src/utils.js +515 -515
package/src/webrtc/e2ee.js +351 -0
package/src/webrtc/errors.js +116 -0
package/src/webrtc/ice.js +301 -0
package/src/webrtc/index.js +131 -0
package/src/webrtc/joinToken.js +119 -0
package/src/webrtc/observe.js +172 -0
package/src/webrtc/peer.js +351 -0
package/src/webrtc/reactive.js +268 -0
package/src/webrtc/room.js +625 -0
package/src/webrtc/sdp.js +302 -0
package/src/webrtc/sfu/index.js +43 -0
package/src/webrtc/sfu/livekit.js +131 -0
package/src/webrtc/sfu/mediasoup.js +150 -0
package/src/webrtc/signaling.js +373 -0
package/src/webrtc/turn.js +237 -0
package/tests/_helpers/webrtcFakes.js +289 -0
package/tests/audit.test.js +4158 -4158
package/tests/cli.test.js +1136 -1023
package/tests/compare.test.js +497 -0
package/tests/component.test.js +3969 -3938
package/tests/core.test.js +1910 -1910
package/tests/dev-server.test.js +489 -0
package/tests/diff.test.js +1416 -1416
package/tests/docs.test.js +1664 -0
package/tests/electron-features.test.js +864 -0
package/tests/errors.test.js +619 -619
package/tests/expression.test.js +1056 -1056
package/tests/http.test.js +648 -648
package/tests/reactive.test.js +819 -819
package/tests/router.test.js +2327 -2327
package/tests/ssr.test.js +870 -870
package/tests/store.test.js +830 -830
package/tests/test-minifier.js +153 -153
package/tests/test-ssr.js +27 -27
package/tests/utils.test.js +1377 -1377
package/tests/webrtc/e2ee.test.js +283 -0
package/tests/webrtc/ice.test.js +202 -0
package/tests/webrtc/joinToken.test.js +89 -0
package/tests/webrtc/observe.test.js +111 -0
package/tests/webrtc/peer.test.js +373 -0
package/tests/webrtc/reactive.test.js +235 -0
package/tests/webrtc/room.test.js +406 -0
package/tests/webrtc/sdp.test.js +151 -0
package/tests/webrtc/sfu-livekit.test.js +119 -0
package/tests/webrtc/sfu.test.js +160 -0
package/tests/webrtc/signaling.test.js +251 -0
package/tests/webrtc/turn.test.js +256 -0
package/types/collection.d.ts +383 -383
package/types/component.d.ts +186 -186
package/types/errors.d.ts +135 -135
package/types/http.d.ts +92 -92
package/types/misc.d.ts +201 -201
package/types/reactive.d.ts +98 -98
package/types/router.d.ts +190 -190
package/types/ssr.d.ts +102 -102
package/types/store.d.ts +146 -145
package/types/utils.d.ts +245 -245
package/types/webrtc.d.ts +653 -0

package/tests/ssr.test.js CHANGED Viewed

@@ -1,870 +1,870 @@
-import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
-import { createSSRApp, renderToString, escapeHtml } from '../src/ssr.js';
-import { ZQueryError, ErrorCode, onError } from '../src/errors.js';
-// ---------------------------------------------------------------------------
-// createSSRApp
-// ---------------------------------------------------------------------------
-describe('createSSRApp', () => {
-  it('returns an SSRApp instance', () => {
-    const app = createSSRApp();
-    expect(app).toBeDefined();
-    expect(typeof app.component).toBe('function');
-    expect(typeof app.renderToString).toBe('function');
-    expect(typeof app.renderPage).toBe('function');
-    expect(typeof app.renderBatch).toBe('function');
-    expect(typeof app.has).toBe('function');
-  });
-  it('each call returns a fresh instance', () => {
-    const a = createSSRApp();
-    const b = createSSRApp();
-    expect(a).not.toBe(b);
-  });
-});
-// ---------------------------------------------------------------------------
-// component registration
-// ---------------------------------------------------------------------------
-describe('SSRApp - component', () => {
-  it('registers a component and returns self for chaining', () => {
-    const app = createSSRApp();
-    const result = app.component('my-comp', {
-      render() { return '<div>hello</div>'; }
-    });
-    expect(result).toBe(app);
-  });
-  it('throws ZQueryError when rendering unregistered component', async () => {
-    const app = createSSRApp();
-    await expect(app.renderToString('nonexistent')).rejects.toThrow(ZQueryError);
-    await expect(app.renderToString('nonexistent')).rejects.toThrow('not registered');
-  });
-  it('throws ZQueryError for invalid component name (empty string)', () => {
-    const app = createSSRApp();
-    expect(() => app.component('', {})).toThrow(ZQueryError);
-  });
-  it('throws ZQueryError for non-string component name', () => {
-    const app = createSSRApp();
-    expect(() => app.component(123, {})).toThrow(ZQueryError);
-  });
-  it('throws ZQueryError for invalid definition (null)', () => {
-    const app = createSSRApp();
-    expect(() => app.component('my-comp', null)).toThrow(ZQueryError);
-  });
-  it('throws ZQueryError for non-object definition', () => {
-    const app = createSSRApp();
-    expect(() => app.component('my-comp', 'not-an-object')).toThrow(ZQueryError);
-  });
-  it('allows re-registering a component (override)', async () => {
-    const app = createSSRApp();
-    app.component('my-comp', { render() { return '<p>v1</p>'; } });
-    app.component('my-comp', { render() { return '<p>v2</p>'; } });
-    const html = await app.renderToString('my-comp');
-    expect(html).toContain('v2');
-    expect(html).not.toContain('v1');
-  });
-});
-// ---------------------------------------------------------------------------
-// SSRApp.has()
-// ---------------------------------------------------------------------------
-describe('SSRApp - has', () => {
-  it('returns false for unregistered', () => {
-    const app = createSSRApp();
-    expect(app.has('nope')).toBe(false);
-  });
-  it('returns true for registered', () => {
-    const app = createSSRApp();
-    app.component('my-comp', { render() { return ''; } });
-    expect(app.has('my-comp')).toBe(true);
-  });
-});
-// ---------------------------------------------------------------------------
-// renderToString (app method)
-// ---------------------------------------------------------------------------
-describe('SSRApp - renderToString', () => {
-  it('renders basic component', async () => {
-    const app = createSSRApp();
-    app.component('my-page', {
-      state: () => ({ title: 'Hello' }),
-      render() { return `<h1>${this.state.title}</h1>`; }
-    });
-    const html = await app.renderToString('my-page');
-    expect(html).toContain('<h1>Hello</h1>');
-  });
-  it('adds hydration marker by default', async () => {
-    const app = createSSRApp();
-    app.component('my-comp', { render() { return '<p>test</p>'; } });
-    const html = await app.renderToString('my-comp');
-    expect(html).toContain('data-zq-ssr');
-  });
-  it('omits hydration marker when hydrate=false', async () => {
-    const app = createSSRApp();
-    app.component('my-comp', { render() { return '<p>test</p>'; } });
-    const html = await app.renderToString('my-comp', {}, { hydrate: false });
-    expect(html).not.toContain('data-zq-ssr');
-  });
-  it('wraps output in component tag', async () => {
-    const app = createSSRApp();
-    app.component('custom-tag', { render() { return '<span>ok</span>'; } });
-    const html = await app.renderToString('custom-tag');
-    expect(html).toMatch(/^<custom-tag[^>]*>.*<\/custom-tag>$/);
-  });
-  it('passes props to component', async () => {
-    const app = createSSRApp();
-    app.component('greet', {
-      render() { return `<span>${this.props.name}</span>`; }
-    });
-    const html = await app.renderToString('greet', { name: 'World' });
-    expect(html).toContain('World');
-  });
-  it('strips z-cloak attributes', async () => {
-    const app = createSSRApp();
-    app.component('my-comp', {
-      render() { return '<div z-cloak>content</div>'; }
-    });
-    const html = await app.renderToString('my-comp');
-    expect(html).not.toContain('z-cloak');
-    expect(html).toContain('content');
-  });
-  it('strips event bindings (@click, z-on:click)', async () => {
-    const app = createSSRApp();
-    app.component('my-comp', {
-      render() { return '<button @click="handle">Click</button>'; }
-    });
-    const html = await app.renderToString('my-comp');
-    expect(html).not.toContain('@click');
-  });
-  it('strips z-on: event bindings', async () => {
-    const app = createSSRApp();
-    app.component('my-comp', {
-      render() { return '<button z-on:click="handle">Click</button>'; }
-    });
-    const html = await app.renderToString('my-comp');
-    expect(html).not.toContain('z-on:');
-  });
-  it('renders empty string when no render function', async () => {
-    const app = createSSRApp();
-    app.component('empty', { state: () => ({}) });
-    const html = await app.renderToString('empty');
-    expect(html).toContain('<empty');
-    expect(html).toContain('</empty>');
-  });
-  it('fragment mode returns inner HTML only', async () => {
-    const app = createSSRApp();
-    app.component('frag', { render() { return '<p>inner</p>'; } });
-    const html = await app.renderToString('frag', {}, { mode: 'fragment' });
-    expect(html).toBe('<p>inner</p>');
-    expect(html).not.toContain('<frag');
-  });
-  it('error in render() produces comment and reports via error system', async () => {
-    const handler = vi.fn();
-    onError(handler);
-    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
-    const app = createSSRApp();
-    app.component('bad', {
-      render() { throw new Error('render boom'); }
-    });
-    const html = await app.renderToString('bad');
-    expect(html).toContain('<!-- SSR render error -->');
-    expect(html).not.toContain('render boom');
-    expect(handler).toHaveBeenCalled();
-    const err = handler.mock.calls[0][0];
-    expect(err.code).toBe(ErrorCode.SSR_RENDER);
-    spy.mockRestore();
-    onError(null);
-  });
-  it('error in init() is reported but does not crash', async () => {
-    const handler = vi.fn();
-    onError(handler);
-    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
-    const app = createSSRApp();
-    app.component('bad-init', {
-      init() { throw new Error('init boom'); },
-      render() { return '<div>ok</div>'; }
-    });
-    const html = await app.renderToString('bad-init');
-    expect(html).toContain('<div>ok</div>');
-    expect(handler).toHaveBeenCalled();
-    spy.mockRestore();
-    onError(null);
-  });
-});
-// ---------------------------------------------------------------------------
-// renderToString (standalone function)
-// ---------------------------------------------------------------------------
-describe('renderToString (standalone)', () => {
-  it('renders a definition directly', () => {
-    const html = renderToString({
-      state: () => ({ msg: 'hi' }),
-      render() { return `<p>${this.state.msg}</p>`; }
-    });
-    expect(html).toContain('<p>hi</p>');
-  });
-  it('returns empty string when no render function', () => {
-    const html = renderToString({ state: {} });
-    expect(html).toBe('');
-  });
-  it('throws ZQueryError for invalid definition', () => {
-    expect(() => renderToString(null)).toThrow(ZQueryError);
-    expect(() => renderToString('string')).toThrow(ZQueryError);
-  });
-  it('works with props', () => {
-    const html = renderToString({
-      render() { return `<span>${this.props.x}</span>`; }
-    }, { x: 42 });
-    expect(html).toContain('42');
-  });
-  it('props are frozen', () => {
-    let frozen = false;
-    renderToString({
-      init() { frozen = Object.isFrozen(this.props); },
-      render() { return ''; }
-    }, { a: 1 });
-    expect(frozen).toBe(true);
-  });
-});
-// ---------------------------------------------------------------------------
-// State factory
-// ---------------------------------------------------------------------------
-describe('SSR - state factory', () => {
-  it('calls state function for initial state', async () => {
-    const app = createSSRApp();
-    let callCount = 0;
-    app.component('comp', {
-      state: () => { callCount++; return { x: 1 }; },
-      render() { return `<div>${this.state.x}</div>`; }
-    });
-    await app.renderToString('comp');
-    expect(callCount).toBe(1);
-  });
-  it('supports state as object (copied)', async () => {
-    const app = createSSRApp();
-    const shared = { x: 1 };
-    app.component('comp', {
-      state: shared,
-      render() { return `<div>${this.state.x}</div>`; }
-    });
-    const html = await app.renderToString('comp');
-    expect(html).toContain('1');
-  });
-  it('each render gets fresh state from factory', async () => {
-    const app = createSSRApp();
-    app.component('comp', {
-      state: () => ({ count: 0 }),
-      init() { this.state.count++; },
-      render() { return `<p>${this.state.count}</p>`; }
-    });
-    const html1 = await app.renderToString('comp');
-    const html2 = await app.renderToString('comp');
-    expect(html1).toContain('<p>1</p>');
-    expect(html2).toContain('<p>1</p>');
-  });
-  it('has __raw property on state', () => {
-    let hasRaw = false;
-    renderToString({
-      init() { hasRaw = this.state.__raw === this.state; },
-      render() { return ''; }
-    });
-    expect(hasRaw).toBe(true);
-  });
-  it('__raw is non-enumerable', () => {
-    let keys = [];
-    renderToString({
-      state: () => ({ a: 1 }),
-      init() { keys = Object.keys(this.state); },
-      render() { return ''; }
-    });
-    expect(keys).not.toContain('__raw');
-  });
-});
-// ---------------------------------------------------------------------------
-// Computed properties
-// ---------------------------------------------------------------------------
-describe('SSR - computed', () => {
-  it('computes derived values', async () => {
-    const app = createSSRApp();
-    app.component('comp', {
-      state: () => ({ first: 'Jane', last: 'Doe' }),
-      computed: {
-        full(state) { return `${state.first} ${state.last}`; }
-      },
-      render() { return `<span>${this.computed.full}</span>`; }
-    });
-    const html = await app.renderToString('comp');
-    expect(html).toContain('Jane Doe');
-  });
-  it('computed has access to this context', async () => {
-    const app = createSSRApp();
-    app.component('comp', {
-      state: () => ({ items: [1, 2, 3] }),
-      computed: {
-        count() { return this.state.items.length; }
-      },
-      render() { return `<p>${this.computed.count}</p>`; }
-    });
-    const html = await app.renderToString('comp');
-    expect(html).toContain('<p>3</p>');
-  });
-  it('error in computed is reported and returns undefined', async () => {
-    const handler = vi.fn();
-    onError(handler);
-    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
-    const app = createSSRApp();
-    app.component('comp', {
-      state: () => ({}),
-      computed: {
-        broken() { throw new Error('computed boom'); }
-      },
-      render() { return `<p>${this.computed.broken}</p>`; }
-    });
-    const html = await app.renderToString('comp');
-    expect(html).toContain('undefined');
-    expect(handler).toHaveBeenCalled();
-    spy.mockRestore();
-    onError(null);
-  });
-});
-// ---------------------------------------------------------------------------
-// User methods
-// ---------------------------------------------------------------------------
-describe('SSR - user methods', () => {
-  it('binds user methods and they can be called in render', async () => {
-    const app = createSSRApp();
-    app.component('comp', {
-      state: () => ({ items: ['a', 'b'] }),
-      getCount() { return this.state.items.length; },
-      render() { return `<p>${this.getCount()}</p>`; }
-    });
-    const html = await app.renderToString('comp');
-    expect(html).toContain('<p>2</p>');
-  });
-  it('does not bind reserved keys', () => {
-    let hasMounted = false;
-    renderToString({
-      mounted() { hasMounted = true; },
-      render() { return ''; }
-    });
-    expect(hasMounted).toBe(false);
-  });
-});
-// ---------------------------------------------------------------------------
-// Init lifecycle
-// ---------------------------------------------------------------------------
-describe('SSR - init lifecycle', () => {
-  it('calls init() during construction', () => {
-    let initCalled = false;
-    renderToString({
-      init() { initCalled = true; },
-      render() { return '<div></div>'; }
-    });
-    expect(initCalled).toBe(true);
-  });
-  it('init can modify state before render', async () => {
-    const app = createSSRApp();
-    app.component('comp', {
-      state: () => ({ msg: 'before' }),
-      init() { this.state.msg = 'after'; },
-      render() { return `<p>${this.state.msg}</p>`; }
-    });
-    const html = await app.renderToString('comp');
-    expect(html).toContain('after');
-  });
-  it('init has access to props', () => {
-    let receivedProps = null;
-    renderToString({
-      init() { receivedProps = this.props; },
-      render() { return ''; }
-    }, { x: 42 });
-    expect(receivedProps.x).toBe(42);
-  });
-});
-// ---------------------------------------------------------------------------
-// {{expression}} interpolation
-// ---------------------------------------------------------------------------
-describe('SSR - expression interpolation', () => {
-  it('interpolates {{state.key}} patterns', () => {
-    const html = renderToString({
-      state: () => ({ name: 'World' }),
-      render() { return '<p>Hello {{name}}</p>'; }
-    });
-    expect(html).toContain('Hello World');
-  });
-  it('escapes HTML in interpolated values', () => {
-    const html = renderToString({
-      state: () => ({ xss: '<script>alert(1)</script>' }),
-      render() { return '<p>{{xss}}</p>'; }
-    });
-    expect(html).not.toContain('<script>');
-    expect(html).toContain('&lt;script&gt;');
-  });
-  it('renders empty string for null/undefined expressions', () => {
-    const html = renderToString({
-      state: () => ({ x: null }),
-      render() { return '<p>{{x}}</p>'; }
-    });
-    expect(html).toContain('<p></p>');
-  });
-  it('expression error is reported and produces empty string', () => {
-    const handler = vi.fn();
-    onError(handler);
-    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
-    const html = renderToString({
-      state: () => ({}),
-      render() { return '<p>{{nonexistent.deep.path}}</p>'; }
-    });
-    // Should still produce valid HTML (empty interpolation)
-    expect(html).toContain('<p>');
-    spy.mockRestore();
-    onError(null);
-  });
-});
-// ---------------------------------------------------------------------------
-// XSS sanitization via _escapeHtml
-// ---------------------------------------------------------------------------
-describe('SSR - XSS sanitization', () => {
-  it('escapes HTML in renderPage title', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ title: '<script>alert("xss")</script>' });
-    expect(html).not.toContain('<script>alert("xss")</script>');
-    expect(html).toContain('&lt;script&gt;');
-  });
-  it('escapes script paths in renderPage', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ scripts: ['"><script>alert(1)</script>'] });
-    expect(html).toContain('&quot;');
-  });
-  it('strips onXxx attributes from bodyAttrs', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ bodyAttrs: 'onclick="alert(1)"' });
-    expect(html).not.toContain('onclick');
-  });
-  it('strips javascript: from bodyAttrs', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ bodyAttrs: 'data-x="javascript:void(0)"' });
-    expect(html).not.toContain('javascript:');
-  });
-  it('escapes description in meta tag', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ description: '"><script>xss</script>' });
-    expect(html).toContain('&quot;');
-    expect(html).not.toContain('"><script>');
-  });
-  it('escapes OG tag values', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ head: { og: { title: '"><script>xss</script>' } } });
-    expect(html).toContain('og:title');
-    expect(html).not.toContain('"><script>');
-  });
-});
-// ---------------------------------------------------------------------------
-// renderPage
-// ---------------------------------------------------------------------------
-describe('SSRApp - renderPage', () => {
-  it('renders a full HTML page', async () => {
-    const app = createSSRApp();
-    app.component('page', { render() { return '<h1>Home</h1>'; } });
-    const html = await app.renderPage({
-      component: 'page',
-      title: 'My App',
-      lang: 'en'
-    });
-    expect(html).toContain('<!DOCTYPE html>');
-    expect(html).toContain('<title>My App</title>');
-    expect(html).toContain('<h1>Home</h1>');
-    expect(html).toContain('lang="en"');
-  });
-  it('renders without component', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ title: 'Empty' });
-    expect(html).toContain('<title>Empty</title>');
-    expect(html).toContain('<div id="app"></div>');
-  });
-  it('includes style links', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ styles: ['style.css', 'theme.css'] });
-    expect(html).toContain('href="style.css"');
-    expect(html).toContain('href="theme.css"');
-  });
-  it('includes script tags', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ scripts: ['app.js'] });
-    expect(html).toContain('src="app.js"');
-  });
-  it('includes meta description when provided', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ description: 'A cool page' });
-    expect(html).toContain('<meta name="description" content="A cool page">');
-  });
-  it('includes canonical URL', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({ head: { canonical: 'https://example.com/' } });
-    expect(html).toContain('<link rel="canonical" href="https://example.com/">');
-  });
-  it('includes Open Graph tags', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({
-      head: { og: { title: 'My Page', image: 'https://example.com/img.png' } }
-    });
-    expect(html).toContain('property="og:title"');
-    expect(html).toContain('content="My Page"');
-    expect(html).toContain('property="og:image"');
-  });
-  it('gracefully handles render failure in renderPage', async () => {
-    const handler = vi.fn();
-    onError(handler);
-    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
-    const app = createSSRApp();
-    app.component('bad-page', { render() { throw new Error('page boom'); } });
-    const html = await app.renderPage({ component: 'bad-page', title: 'Oops' });
-    expect(html).toContain('<!DOCTYPE html>');
-    expect(html).toContain('<!-- SSR render error -->');
-    expect(html).not.toContain('page boom');
-    expect(handler).toHaveBeenCalled();
-    spy.mockRestore();
-    onError(null);
-  });
-  it('has correct structure: doctype, html, head, body', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({});
-    expect(html).toMatch(/^<!DOCTYPE html>/);
-    expect(html).toContain('<html');
-    expect(html).toContain('<head>');
-    expect(html).toContain('</head>');
-    expect(html).toContain('<body');
-    expect(html).toContain('</body>');
-    expect(html).toContain('</html>');
-  });
-  it('defaults lang to "en"', async () => {
-    const app = createSSRApp();
-    const html = await app.renderPage({});
-    expect(html).toContain('lang="en"');
-  });
-});
-// ---------------------------------------------------------------------------
-// renderBatch
-// ---------------------------------------------------------------------------
-describe('SSRApp - renderBatch', () => {
-  it('renders multiple components at once', async () => {
-    const app = createSSRApp();
-    app.component('header-el', { render() { return '<header>Head</header>'; } });
-    app.component('footer-el', { render() { return '<footer>Foot</footer>'; } });
-    const results = await app.renderBatch([
-      { name: 'header-el' },
-      { name: 'footer-el' }
-    ]);
-    expect(results).toHaveLength(2);
-    expect(results[0]).toContain('Head');
-    expect(results[1]).toContain('Foot');
-  });
-  it('passes props per entry', async () => {
-    const app = createSSRApp();
-    app.component('greeting', {
-      render() { return `<span>${this.props.msg}</span>`; }
-    });
-    const results = await app.renderBatch([
-      { name: 'greeting', props: { msg: 'Hello' } },
-      { name: 'greeting', props: { msg: 'Bye' } }
-    ]);
-    expect(results[0]).toContain('Hello');
-    expect(results[1]).toContain('Bye');
-  });
-  it('rejects if any component is unregistered', async () => {
-    const app = createSSRApp();
-    app.component('ok-comp', { render() { return '<p>ok</p>'; } });
-    await expect(
-      app.renderBatch([{ name: 'ok-comp' }, { name: 'missing' }])
-    ).rejects.toThrow('not registered');
-  });
-});
-// ---------------------------------------------------------------------------
-// escapeHtml (exported utility)
-// ---------------------------------------------------------------------------
-describe('escapeHtml (exported)', () => {
-  it('escapes all dangerous characters', () => {
-    expect(escapeHtml('&<>"\'')).toBe('&amp;&lt;&gt;&quot;&#39;');
-  });
-  it('leaves safe strings unchanged', () => {
-    expect(escapeHtml('hello world')).toBe('hello world');
-  });
-  it('coerces numbers to string', () => {
-    expect(escapeHtml(42)).toBe('42');
-  });
-});
-// ---------------------------------------------------------------------------
-// SSRApp - renderShell
-// ---------------------------------------------------------------------------
-describe('SSRApp - renderShell', () => {
-  const shell = `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <title>Default Title</title>
-  <meta name="description" content="default desc">
-  <meta property="og:title" content="Default OG">
-  <meta property="og:description" content="">
-  <meta property="og:type" content="website">
-</head>
-<body>
-  <z-outlet></z-outlet>
-</body>
-</html>`;
-  let app;
-  beforeEach(() => {
-    app = createSSRApp();
-    app.component('test-page', {
-      state: () => ({ greeting: 'Hello' }),
-      render() { return `<h1>${this.state.greeting}</h1>`; }
-    });
-  });
-  it('renders a component into <z-outlet>', async () => {
-    const html = await app.renderShell(shell, { component: 'test-page' });
-    expect(html).toContain('<z-outlet><test-page data-zq-ssr><h1>Hello</h1></test-page></z-outlet>');
-  });
-  it('replaces the <title> tag', async () => {
-    const html = await app.renderShell(shell, { component: 'test-page', title: 'My App — Home' });
-    expect(html).toContain('<title>My App — Home</title>');
-    expect(html).not.toContain('Default Title');
-  });
-  it('replaces the meta description', async () => {
-    const html = await app.renderShell(shell, { component: 'test-page', description: 'A great page' });
-    expect(html).toContain('<meta name="description" content="A great page">');
-    expect(html).not.toContain('default desc');
-  });
-  it('replaces existing Open Graph tags', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      og: { title: 'OG Title', description: 'OG Desc', type: 'article' },
-    });
-    expect(html).toContain('<meta property="og:title" content="OG Title">');
-    expect(html).toContain('<meta property="og:description" content="OG Desc">');
-    expect(html).toContain('<meta property="og:type" content="article">');
-  });
-  it('injects new OG tags when they do not exist in the shell', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      og: { image: 'https://example.com/img.png' },
-    });
-    expect(html).toContain('<meta property="og:image" content="https://example.com/img.png">');
-  });
-  it('injects window.__SSR_DATA__ when ssrData is provided', async () => {
-    const data = { component: 'test-page', params: {}, props: {} };
-    const html = await app.renderShell(shell, { component: 'test-page', ssrData: data });
-    expect(html).toContain('window.__SSR_DATA__=');
-    expect(html).toContain('"component":"test-page"');
-    // Script is injected before </head>
-    expect(html.indexOf('__SSR_DATA__')).toBeLessThan(html.indexOf('</head>'));
-  });
-  it('does not inject ssrData when not provided', async () => {
-    const html = await app.renderShell(shell, { component: 'test-page' });
-    expect(html).not.toContain('__SSR_DATA__');
-  });
-  it('escapes title and description for XSS safety', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      title: '<script>alert("xss")</script>',
-      description: '"injected" & <dangerous>',
-    });
-    expect(html).toContain('&lt;script&gt;');
-    expect(html).toContain('&quot;injected&quot; &amp; &lt;dangerous&gt;');
-    expect(html).not.toContain('<script>alert');
-  });
-  it('leaves title and description alone when not provided', async () => {
-    const html = await app.renderShell(shell, { component: 'test-page' });
-    expect(html).toContain('<title>Default Title</title>');
-    expect(html).toContain('content="default desc"');
-  });
-  it('passes props to the rendered component', async () => {
-    app.component('greeting-page', {
-      render() { return `<p>Hi ${this.props.name}</p>`; }
-    });
-    const html = await app.renderShell(shell, { component: 'greeting-page', props: { name: 'Tony' } });
-    expect(html).toContain('<p>Hi Tony</p>');
-  });
-  it('passes renderOptions through to renderToString', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      renderOptions: { hydrate: false },
-    });
-    expect(html).toContain('<test-page><h1>Hello</h1></test-page>');
-    expect(html).not.toContain('data-zq-ssr');
-  });
-  it('handles a missing component gracefully', async () => {
-    const html = await app.renderShell(shell, { component: 'nonexistent' });
-    expect(html).toContain('<!-- SSR error:');
-  });
-  it('returns the shell untouched when no options are provided', async () => {
-    const html = await app.renderShell(shell);
-    expect(html).toContain('<title>Default Title</title>');
-    expect(html).toContain('<z-outlet></z-outlet>');
-  });
-  it('escapes </script> in ssrData to prevent script injection', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      ssrData: { payload: '</script><script>alert(1)</script>' },
-    });
-    expect(html).not.toContain('</script><script>alert(1)');
-    expect(html).toContain('<\\/script>');
-    // The JSON should still be parseable when unescaped
-    const match = html.match(/window\.__SSR_DATA__=(.+?);/);
-    expect(match).toBeTruthy();
-  });
-  it('escapes <!-- in ssrData to prevent HTML comment injection', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      ssrData: { payload: '<!-- injected -->' },
-    });
-    expect(html).not.toContain('<!-- injected');
-    expect(html).toContain('<\\!--');
-  });
-  it('sanitizes OG keys to prevent ReDoS and attribute injection', async () => {
-    const html = await app.renderShell(shell, {
-      component: 'test-page',
-      og: {
-        'title" onload="alert(1)': 'attack',   // attribute breakout attempt
-        'valid-key': 'safe value',
-        '': 'empty key should be skipped',       // empty after sanitization
-      },
-    });
-    // Attribute injection should be neutralized (quotes stripped from key)
-    expect(html).not.toContain('onload=');
-    expect(html).toContain('og:titleonloadalert1');
-    // Valid key should work fine
-    expect(html).toContain('og:valid-key');
-    expect(html).toContain('safe value');
-    // Empty key should be skipped
-    const emptyOgCount = (html.match(/og:""/g) || []).length;
-    expect(emptyOgCount).toBe(0);
-  });
-  it('handles $ substitution patterns in component output safely', async () => {
-    app.component('dollar-page', {
-      render() { return "<p>Price: $1.00 and $' and $` tricks</p>"; }
-    });
-    const html = await app.renderShell(shell, { component: 'dollar-page' });
-    expect(html).toContain("$1.00");
-    expect(html).toContain("$'");
-    expect(html).toContain("$`");
-  });
-});
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { createSSRApp, renderToString, escapeHtml } from '../src/ssr.js';
+import { ZQueryError, ErrorCode, onError } from '../src/errors.js';
+// ---------------------------------------------------------------------------
+// createSSRApp
+// ---------------------------------------------------------------------------
+describe('createSSRApp', () => {
+  it('returns an SSRApp instance', () => {
+    const app = createSSRApp();
+    expect(app).toBeDefined();
+    expect(typeof app.component).toBe('function');
+    expect(typeof app.renderToString).toBe('function');
+    expect(typeof app.renderPage).toBe('function');
+    expect(typeof app.renderBatch).toBe('function');
+    expect(typeof app.has).toBe('function');
+  });
+  it('each call returns a fresh instance', () => {
+    const a = createSSRApp();
+    const b = createSSRApp();
+    expect(a).not.toBe(b);
+  });
+});
+// ---------------------------------------------------------------------------
+// component registration
+// ---------------------------------------------------------------------------
+describe('SSRApp - component', () => {
+  it('registers a component and returns self for chaining', () => {
+    const app = createSSRApp();
+    const result = app.component('my-comp', {
+      render() { return '<div>hello</div>'; }
+    });
+    expect(result).toBe(app);
+  });
+  it('throws ZQueryError when rendering unregistered component', async () => {
+    const app = createSSRApp();
+    await expect(app.renderToString('nonexistent')).rejects.toThrow(ZQueryError);
+    await expect(app.renderToString('nonexistent')).rejects.toThrow('not registered');
+  });
+  it('throws ZQueryError for invalid component name (empty string)', () => {
+    const app = createSSRApp();
+    expect(() => app.component('', {})).toThrow(ZQueryError);
+  });
+  it('throws ZQueryError for non-string component name', () => {
+    const app = createSSRApp();
+    expect(() => app.component(123, {})).toThrow(ZQueryError);
+  });
+  it('throws ZQueryError for invalid definition (null)', () => {
+    const app = createSSRApp();
+    expect(() => app.component('my-comp', null)).toThrow(ZQueryError);
+  });
+  it('throws ZQueryError for non-object definition', () => {
+    const app = createSSRApp();
+    expect(() => app.component('my-comp', 'not-an-object')).toThrow(ZQueryError);
+  });
+  it('allows re-registering a component (override)', async () => {
+    const app = createSSRApp();
+    app.component('my-comp', { render() { return '<p>v1</p>'; } });
+    app.component('my-comp', { render() { return '<p>v2</p>'; } });
+    const html = await app.renderToString('my-comp');
+    expect(html).toContain('v2');
+    expect(html).not.toContain('v1');
+  });
+});
+// ---------------------------------------------------------------------------
+// SSRApp.has()
+// ---------------------------------------------------------------------------
+describe('SSRApp - has', () => {
+  it('returns false for unregistered', () => {
+    const app = createSSRApp();
+    expect(app.has('nope')).toBe(false);
+  });
+  it('returns true for registered', () => {
+    const app = createSSRApp();
+    app.component('my-comp', { render() { return ''; } });
+    expect(app.has('my-comp')).toBe(true);
+  });
+});
+// ---------------------------------------------------------------------------
+// renderToString (app method)
+// ---------------------------------------------------------------------------
+describe('SSRApp - renderToString', () => {
+  it('renders basic component', async () => {
+    const app = createSSRApp();
+    app.component('my-page', {
+      state: () => ({ title: 'Hello' }),
+      render() { return `<h1>${this.state.title}</h1>`; }
+    });
+    const html = await app.renderToString('my-page');
+    expect(html).toContain('<h1>Hello</h1>');
+  });
+  it('adds hydration marker by default', async () => {
+    const app = createSSRApp();
+    app.component('my-comp', { render() { return '<p>test</p>'; } });
+    const html = await app.renderToString('my-comp');
+    expect(html).toContain('data-zq-ssr');
+  });
+  it('omits hydration marker when hydrate=false', async () => {
+    const app = createSSRApp();
+    app.component('my-comp', { render() { return '<p>test</p>'; } });
+    const html = await app.renderToString('my-comp', {}, { hydrate: false });
+    expect(html).not.toContain('data-zq-ssr');
+  });
+  it('wraps output in component tag', async () => {
+    const app = createSSRApp();
+    app.component('custom-tag', { render() { return '<span>ok</span>'; } });
+    const html = await app.renderToString('custom-tag');
+    expect(html).toMatch(/^<custom-tag[^>]*>.*<\/custom-tag>$/);
+  });
+  it('passes props to component', async () => {
+    const app = createSSRApp();
+    app.component('greet', {
+      render() { return `<span>${this.props.name}</span>`; }
+    });
+    const html = await app.renderToString('greet', { name: 'World' });
+    expect(html).toContain('World');
+  });
+  it('strips z-cloak attributes', async () => {
+    const app = createSSRApp();
+    app.component('my-comp', {
+      render() { return '<div z-cloak>content</div>'; }
+    });
+    const html = await app.renderToString('my-comp');
+    expect(html).not.toContain('z-cloak');
+    expect(html).toContain('content');
+  });
+  it('strips event bindings (@click, z-on:click)', async () => {
+    const app = createSSRApp();
+    app.component('my-comp', {
+      render() { return '<button @click="handle">Click</button>'; }
+    });
+    const html = await app.renderToString('my-comp');
+    expect(html).not.toContain('@click');
+  });
+  it('strips z-on: event bindings', async () => {
+    const app = createSSRApp();
+    app.component('my-comp', {
+      render() { return '<button z-on:click="handle">Click</button>'; }
+    });
+    const html = await app.renderToString('my-comp');
+    expect(html).not.toContain('z-on:');
+  });
+  it('renders empty string when no render function', async () => {
+    const app = createSSRApp();
+    app.component('empty', { state: () => ({}) });
+    const html = await app.renderToString('empty');
+    expect(html).toContain('<empty');
+    expect(html).toContain('</empty>');
+  });
+  it('fragment mode returns inner HTML only', async () => {
+    const app = createSSRApp();
+    app.component('frag', { render() { return '<p>inner</p>'; } });
+    const html = await app.renderToString('frag', {}, { mode: 'fragment' });
+    expect(html).toBe('<p>inner</p>');
+    expect(html).not.toContain('<frag');
+  });
+  it('error in render() produces comment and reports via error system', async () => {
+    const handler = vi.fn();
+    onError(handler);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const app = createSSRApp();
+    app.component('bad', {
+      render() { throw new Error('render boom'); }
+    });
+    const html = await app.renderToString('bad');
+    expect(html).toContain('<!-- SSR render error -->');
+    expect(html).not.toContain('render boom');
+    expect(handler).toHaveBeenCalled();
+    const err = handler.mock.calls[0][0];
+    expect(err.code).toBe(ErrorCode.SSR_RENDER);
+    spy.mockRestore();
+    onError(null);
+  });
+  it('error in init() is reported but does not crash', async () => {
+    const handler = vi.fn();
+    onError(handler);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const app = createSSRApp();
+    app.component('bad-init', {
+      init() { throw new Error('init boom'); },
+      render() { return '<div>ok</div>'; }
+    });
+    const html = await app.renderToString('bad-init');
+    expect(html).toContain('<div>ok</div>');
+    expect(handler).toHaveBeenCalled();
+    spy.mockRestore();
+    onError(null);
+  });
+});
+// ---------------------------------------------------------------------------
+// renderToString (standalone function)
+// ---------------------------------------------------------------------------
+describe('renderToString (standalone)', () => {
+  it('renders a definition directly', () => {
+    const html = renderToString({
+      state: () => ({ msg: 'hi' }),
+      render() { return `<p>${this.state.msg}</p>`; }
+    });
+    expect(html).toContain('<p>hi</p>');
+  });
+  it('returns empty string when no render function', () => {
+    const html = renderToString({ state: {} });
+    expect(html).toBe('');
+  });
+  it('throws ZQueryError for invalid definition', () => {
+    expect(() => renderToString(null)).toThrow(ZQueryError);
+    expect(() => renderToString('string')).toThrow(ZQueryError);
+  });
+  it('works with props', () => {
+    const html = renderToString({
+      render() { return `<span>${this.props.x}</span>`; }
+    }, { x: 42 });
+    expect(html).toContain('42');
+  });
+  it('props are frozen', () => {
+    let frozen = false;
+    renderToString({
+      init() { frozen = Object.isFrozen(this.props); },
+      render() { return ''; }
+    }, { a: 1 });
+    expect(frozen).toBe(true);
+  });
+});
+// ---------------------------------------------------------------------------
+// State factory
+// ---------------------------------------------------------------------------
+describe('SSR - state factory', () => {
+  it('calls state function for initial state', async () => {
+    const app = createSSRApp();
+    let callCount = 0;
+    app.component('comp', {
+      state: () => { callCount++; return { x: 1 }; },
+      render() { return `<div>${this.state.x}</div>`; }
+    });
+    await app.renderToString('comp');
+    expect(callCount).toBe(1);
+  });
+  it('supports state as object (copied)', async () => {
+    const app = createSSRApp();
+    const shared = { x: 1 };
+    app.component('comp', {
+      state: shared,
+      render() { return `<div>${this.state.x}</div>`; }
+    });
+    const html = await app.renderToString('comp');
+    expect(html).toContain('1');
+  });
+  it('each render gets fresh state from factory', async () => {
+    const app = createSSRApp();
+    app.component('comp', {
+      state: () => ({ count: 0 }),
+      init() { this.state.count++; },
+      render() { return `<p>${this.state.count}</p>`; }
+    });
+    const html1 = await app.renderToString('comp');
+    const html2 = await app.renderToString('comp');
+    expect(html1).toContain('<p>1</p>');
+    expect(html2).toContain('<p>1</p>');
+  });
+  it('has __raw property on state', () => {
+    let hasRaw = false;
+    renderToString({
+      init() { hasRaw = this.state.__raw === this.state; },
+      render() { return ''; }
+    });
+    expect(hasRaw).toBe(true);
+  });
+  it('__raw is non-enumerable', () => {
+    let keys = [];
+    renderToString({
+      state: () => ({ a: 1 }),
+      init() { keys = Object.keys(this.state); },
+      render() { return ''; }
+    });
+    expect(keys).not.toContain('__raw');
+  });
+});
+// ---------------------------------------------------------------------------
+// Computed properties
+// ---------------------------------------------------------------------------
+describe('SSR - computed', () => {
+  it('computes derived values', async () => {
+    const app = createSSRApp();
+    app.component('comp', {
+      state: () => ({ first: 'Jane', last: 'Doe' }),
+      computed: {
+        full(state) { return `${state.first} ${state.last}`; }
+      },
+      render() { return `<span>${this.computed.full}</span>`; }
+    });
+    const html = await app.renderToString('comp');
+    expect(html).toContain('Jane Doe');
+  });
+  it('computed has access to this context', async () => {
+    const app = createSSRApp();
+    app.component('comp', {
+      state: () => ({ items: [1, 2, 3] }),
+      computed: {
+        count() { return this.state.items.length; }
+      },
+      render() { return `<p>${this.computed.count}</p>`; }
+    });
+    const html = await app.renderToString('comp');
+    expect(html).toContain('<p>3</p>');
+  });
+  it('error in computed is reported and returns undefined', async () => {
+    const handler = vi.fn();
+    onError(handler);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const app = createSSRApp();
+    app.component('comp', {
+      state: () => ({}),
+      computed: {
+        broken() { throw new Error('computed boom'); }
+      },
+      render() { return `<p>${this.computed.broken}</p>`; }
+    });
+    const html = await app.renderToString('comp');
+    expect(html).toContain('undefined');
+    expect(handler).toHaveBeenCalled();
+    spy.mockRestore();
+    onError(null);
+  });
+});
+// ---------------------------------------------------------------------------
+// User methods
+// ---------------------------------------------------------------------------
+describe('SSR - user methods', () => {
+  it('binds user methods and they can be called in render', async () => {
+    const app = createSSRApp();
+    app.component('comp', {
+      state: () => ({ items: ['a', 'b'] }),
+      getCount() { return this.state.items.length; },
+      render() { return `<p>${this.getCount()}</p>`; }
+    });
+    const html = await app.renderToString('comp');
+    expect(html).toContain('<p>2</p>');
+  });
+  it('does not bind reserved keys', () => {
+    let hasMounted = false;
+    renderToString({
+      mounted() { hasMounted = true; },
+      render() { return ''; }
+    });
+    expect(hasMounted).toBe(false);
+  });
+});
+// ---------------------------------------------------------------------------
+// Init lifecycle
+// ---------------------------------------------------------------------------
+describe('SSR - init lifecycle', () => {
+  it('calls init() during construction', () => {
+    let initCalled = false;
+    renderToString({
+      init() { initCalled = true; },
+      render() { return '<div></div>'; }
+    });
+    expect(initCalled).toBe(true);
+  });
+  it('init can modify state before render', async () => {
+    const app = createSSRApp();
+    app.component('comp', {
+      state: () => ({ msg: 'before' }),
+      init() { this.state.msg = 'after'; },
+      render() { return `<p>${this.state.msg}</p>`; }
+    });
+    const html = await app.renderToString('comp');
+    expect(html).toContain('after');
+  });
+  it('init has access to props', () => {
+    let receivedProps = null;
+    renderToString({
+      init() { receivedProps = this.props; },
+      render() { return ''; }
+    }, { x: 42 });
+    expect(receivedProps.x).toBe(42);
+  });
+});
+// ---------------------------------------------------------------------------
+// {{expression}} interpolation
+// ---------------------------------------------------------------------------
+describe('SSR - expression interpolation', () => {
+  it('interpolates {{state.key}} patterns', () => {
+    const html = renderToString({
+      state: () => ({ name: 'World' }),
+      render() { return '<p>Hello {{name}}</p>'; }
+    });
+    expect(html).toContain('Hello World');
+  });
+  it('escapes HTML in interpolated values', () => {
+    const html = renderToString({
+      state: () => ({ xss: '<script>alert(1)</script>' }),
+      render() { return '<p>{{xss}}</p>'; }
+    });
+    expect(html).not.toContain('<script>');
+    expect(html).toContain('&lt;script&gt;');
+  });
+  it('renders empty string for null/undefined expressions', () => {
+    const html = renderToString({
+      state: () => ({ x: null }),
+      render() { return '<p>{{x}}</p>'; }
+    });
+    expect(html).toContain('<p></p>');
+  });
+  it('expression error is reported and produces empty string', () => {
+    const handler = vi.fn();
+    onError(handler);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const html = renderToString({
+      state: () => ({}),
+      render() { return '<p>{{nonexistent.deep.path}}</p>'; }
+    });
+    // Should still produce valid HTML (empty interpolation)
+    expect(html).toContain('<p>');
+    spy.mockRestore();
+    onError(null);
+  });
+});
+// ---------------------------------------------------------------------------
+// XSS sanitization via _escapeHtml
+// ---------------------------------------------------------------------------
+describe('SSR - XSS sanitization', () => {
+  it('escapes HTML in renderPage title', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ title: '<script>alert("xss")</script>' });
+    expect(html).not.toContain('<script>alert("xss")</script>');
+    expect(html).toContain('&lt;script&gt;');
+  });
+  it('escapes script paths in renderPage', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ scripts: ['"><script>alert(1)</script>'] });
+    expect(html).toContain('&quot;');
+  });
+  it('strips onXxx attributes from bodyAttrs', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ bodyAttrs: 'onclick="alert(1)"' });
+    expect(html).not.toContain('onclick');
+  });
+  it('strips javascript: from bodyAttrs', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ bodyAttrs: 'data-x="javascript:void(0)"' });
+    expect(html).not.toContain('javascript:');
+  });
+  it('escapes description in meta tag', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ description: '"><script>xss</script>' });
+    expect(html).toContain('&quot;');
+    expect(html).not.toContain('"><script>');
+  });
+  it('escapes OG tag values', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ head: { og: { title: '"><script>xss</script>' } } });
+    expect(html).toContain('og:title');
+    expect(html).not.toContain('"><script>');
+  });
+});
+// ---------------------------------------------------------------------------
+// renderPage
+// ---------------------------------------------------------------------------
+describe('SSRApp - renderPage', () => {
+  it('renders a full HTML page', async () => {
+    const app = createSSRApp();
+    app.component('page', { render() { return '<h1>Home</h1>'; } });
+    const html = await app.renderPage({
+      component: 'page',
+      title: 'My App',
+      lang: 'en'
+    });
+    expect(html).toContain('<!DOCTYPE html>');
+    expect(html).toContain('<title>My App</title>');
+    expect(html).toContain('<h1>Home</h1>');
+    expect(html).toContain('lang="en"');
+  });
+  it('renders without component', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ title: 'Empty' });
+    expect(html).toContain('<title>Empty</title>');
+    expect(html).toContain('<div id="app"></div>');
+  });
+  it('includes style links', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ styles: ['style.css', 'theme.css'] });
+    expect(html).toContain('href="style.css"');
+    expect(html).toContain('href="theme.css"');
+  });
+  it('includes script tags', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ scripts: ['app.js'] });
+    expect(html).toContain('src="app.js"');
+  });
+  it('includes meta description when provided', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ description: 'A cool page' });
+    expect(html).toContain('<meta name="description" content="A cool page">');
+  });
+  it('includes canonical URL', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({ head: { canonical: 'https://example.com/' } });
+    expect(html).toContain('<link rel="canonical" href="https://example.com/">');
+  });
+  it('includes Open Graph tags', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({
+      head: { og: { title: 'My Page', image: 'https://example.com/img.png' } }
+    });
+    expect(html).toContain('property="og:title"');
+    expect(html).toContain('content="My Page"');
+    expect(html).toContain('property="og:image"');
+  });
+  it('gracefully handles render failure in renderPage', async () => {
+    const handler = vi.fn();
+    onError(handler);
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const app = createSSRApp();
+    app.component('bad-page', { render() { throw new Error('page boom'); } });
+    const html = await app.renderPage({ component: 'bad-page', title: 'Oops' });
+    expect(html).toContain('<!DOCTYPE html>');
+    expect(html).toContain('<!-- SSR render error -->');
+    expect(html).not.toContain('page boom');
+    expect(handler).toHaveBeenCalled();
+    spy.mockRestore();
+    onError(null);
+  });
+  it('has correct structure: doctype, html, head, body', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({});
+    expect(html).toMatch(/^<!DOCTYPE html>/);
+    expect(html).toContain('<html');
+    expect(html).toContain('<head>');
+    expect(html).toContain('</head>');
+    expect(html).toContain('<body');
+    expect(html).toContain('</body>');
+    expect(html).toContain('</html>');
+  });
+  it('defaults lang to "en"', async () => {
+    const app = createSSRApp();
+    const html = await app.renderPage({});
+    expect(html).toContain('lang="en"');
+  });
+});
+// ---------------------------------------------------------------------------
+// renderBatch
+// ---------------------------------------------------------------------------
+describe('SSRApp - renderBatch', () => {
+  it('renders multiple components at once', async () => {
+    const app = createSSRApp();
+    app.component('header-el', { render() { return '<header>Head</header>'; } });
+    app.component('footer-el', { render() { return '<footer>Foot</footer>'; } });
+    const results = await app.renderBatch([
+      { name: 'header-el' },
+      { name: 'footer-el' }
+    ]);
+    expect(results).toHaveLength(2);
+    expect(results[0]).toContain('Head');
+    expect(results[1]).toContain('Foot');
+  });
+  it('passes props per entry', async () => {
+    const app = createSSRApp();
+    app.component('greeting', {
+      render() { return `<span>${this.props.msg}</span>`; }
+    });
+    const results = await app.renderBatch([
+      { name: 'greeting', props: { msg: 'Hello' } },
+      { name: 'greeting', props: { msg: 'Bye' } }
+    ]);
+    expect(results[0]).toContain('Hello');
+    expect(results[1]).toContain('Bye');
+  });
+  it('rejects if any component is unregistered', async () => {
+    const app = createSSRApp();
+    app.component('ok-comp', { render() { return '<p>ok</p>'; } });
+    await expect(
+      app.renderBatch([{ name: 'ok-comp' }, { name: 'missing' }])
+    ).rejects.toThrow('not registered');
+  });
+});
+// ---------------------------------------------------------------------------
+// escapeHtml (exported utility)
+// ---------------------------------------------------------------------------
+describe('escapeHtml (exported)', () => {
+  it('escapes all dangerous characters', () => {
+    expect(escapeHtml('&<>"\'')).toBe('&amp;&lt;&gt;&quot;&#39;');
+  });
+  it('leaves safe strings unchanged', () => {
+    expect(escapeHtml('hello world')).toBe('hello world');
+  });
+  it('coerces numbers to string', () => {
+    expect(escapeHtml(42)).toBe('42');
+  });
+});
+// ---------------------------------------------------------------------------
+// SSRApp - renderShell
+// ---------------------------------------------------------------------------
+describe('SSRApp - renderShell', () => {
+  const shell = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <title>Default Title</title>
+  <meta name="description" content="default desc">
+  <meta property="og:title" content="Default OG">
+  <meta property="og:description" content="">
+  <meta property="og:type" content="website">
+</head>
+<body>
+  <z-outlet></z-outlet>
+</body>
+</html>`;
+  let app;
+  beforeEach(() => {
+    app = createSSRApp();
+    app.component('test-page', {
+      state: () => ({ greeting: 'Hello' }),
+      render() { return `<h1>${this.state.greeting}</h1>`; }
+    });
+  });
+  it('renders a component into <z-outlet>', async () => {
+    const html = await app.renderShell(shell, { component: 'test-page' });
+    expect(html).toContain('<z-outlet><test-page data-zq-ssr><h1>Hello</h1></test-page></z-outlet>');
+  });
+  it('replaces the <title> tag', async () => {
+    const html = await app.renderShell(shell, { component: 'test-page', title: 'My App — Home' });
+    expect(html).toContain('<title>My App — Home</title>');
+    expect(html).not.toContain('Default Title');
+  });
+  it('replaces the meta description', async () => {
+    const html = await app.renderShell(shell, { component: 'test-page', description: 'A great page' });
+    expect(html).toContain('<meta name="description" content="A great page">');
+    expect(html).not.toContain('default desc');
+  });
+  it('replaces existing Open Graph tags', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      og: { title: 'OG Title', description: 'OG Desc', type: 'article' },
+    });
+    expect(html).toContain('<meta property="og:title" content="OG Title">');
+    expect(html).toContain('<meta property="og:description" content="OG Desc">');
+    expect(html).toContain('<meta property="og:type" content="article">');
+  });
+  it('injects new OG tags when they do not exist in the shell', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      og: { image: 'https://example.com/img.png' },
+    });
+    expect(html).toContain('<meta property="og:image" content="https://example.com/img.png">');
+  });
+  it('injects window.__SSR_DATA__ when ssrData is provided', async () => {
+    const data = { component: 'test-page', params: {}, props: {} };
+    const html = await app.renderShell(shell, { component: 'test-page', ssrData: data });
+    expect(html).toContain('window.__SSR_DATA__=');
+    expect(html).toContain('"component":"test-page"');
+    // Script is injected before </head>
+    expect(html.indexOf('__SSR_DATA__')).toBeLessThan(html.indexOf('</head>'));
+  });
+  it('does not inject ssrData when not provided', async () => {
+    const html = await app.renderShell(shell, { component: 'test-page' });
+    expect(html).not.toContain('__SSR_DATA__');
+  });
+  it('escapes title and description for XSS safety', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      title: '<script>alert("xss")</script>',
+      description: '"injected" & <dangerous>',
+    });
+    expect(html).toContain('&lt;script&gt;');
+    expect(html).toContain('&quot;injected&quot; &amp; &lt;dangerous&gt;');
+    expect(html).not.toContain('<script>alert');
+  });
+  it('leaves title and description alone when not provided', async () => {
+    const html = await app.renderShell(shell, { component: 'test-page' });
+    expect(html).toContain('<title>Default Title</title>');
+    expect(html).toContain('content="default desc"');
+  });
+  it('passes props to the rendered component', async () => {
+    app.component('greeting-page', {
+      render() { return `<p>Hi ${this.props.name}</p>`; }
+    });
+    const html = await app.renderShell(shell, { component: 'greeting-page', props: { name: 'Tony' } });
+    expect(html).toContain('<p>Hi Tony</p>');
+  });
+  it('passes renderOptions through to renderToString', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      renderOptions: { hydrate: false },
+    });
+    expect(html).toContain('<test-page><h1>Hello</h1></test-page>');
+    expect(html).not.toContain('data-zq-ssr');
+  });
+  it('handles a missing component gracefully', async () => {
+    const html = await app.renderShell(shell, { component: 'nonexistent' });
+    expect(html).toContain('<!-- SSR error:');
+  });
+  it('returns the shell untouched when no options are provided', async () => {
+    const html = await app.renderShell(shell);
+    expect(html).toContain('<title>Default Title</title>');
+    expect(html).toContain('<z-outlet></z-outlet>');
+  });
+  it('escapes </script> in ssrData to prevent script injection', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      ssrData: { payload: '</script><script>alert(1)</script>' },
+    });
+    expect(html).not.toContain('</script><script>alert(1)');
+    expect(html).toContain('<\\/script>');
+    // The JSON should still be parseable when unescaped
+    const match = html.match(/window\.__SSR_DATA__=(.+?);/);
+    expect(match).toBeTruthy();
+  });
+  it('escapes <!-- in ssrData to prevent HTML comment injection', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      ssrData: { payload: '<!-- injected -->' },
+    });
+    expect(html).not.toContain('<!-- injected');
+    expect(html).toContain('<\\!--');
+  });
+  it('sanitizes OG keys to prevent ReDoS and attribute injection', async () => {
+    const html = await app.renderShell(shell, {
+      component: 'test-page',
+      og: {
+        'title" onload="alert(1)': 'attack',   // attribute breakout attempt
+        'valid-key': 'safe value',
+        '': 'empty key should be skipped',       // empty after sanitization
+      },
+    });
+    // Attribute injection should be neutralized (quotes stripped from key)
+    expect(html).not.toContain('onload=');
+    expect(html).toContain('og:titleonloadalert1');
+    // Valid key should work fine
+    expect(html).toContain('og:valid-key');
+    expect(html).toContain('safe value');
+    // Empty key should be skipped
+    const emptyOgCount = (html.match(/og:""/g) || []).length;
+    expect(emptyOgCount).toBe(0);
+  });
+  it('handles $ substitution patterns in component output safely', async () => {
+    app.component('dollar-page', {
+      render() { return "<p>Price: $1.00 and $' and $` tricks</p>"; }
+    });
+    const html = await app.renderShell(shell, { component: 'dollar-page' });
+    expect(html).toContain("$1.00");
+    expect(html).toContain("$'");
+    expect(html).toContain("$`");
+  });
+});