evaleval 0.2.3__tar.gz

evaleval-0.2.3/.github/workflows/publish.yml

@@ -0,0 +1,23 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: pypi
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: astral-sh/setup-uv@v4
+
+      - name: Build
+        run: uv build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

evaleval-0.2.3/.gitignore

@@ -0,0 +1,2 @@
+__pycache__/
+.venv/

evaleval-0.2.3/PKG-INFO

@@ -0,0 +1,128 @@
+Metadata-Version: 2.4
+Name: evaleval
+Version: 0.2.3
+Summary: Signed snippets, hiccup, and a dual-eval loop. The web that should have been.
+Project-URL: Homepage, https://github.com/tommy-mor/evaleval
+Project-URL: Repository, https://github.com/tommy-mor/evaleval
+Author: Tommy Morris
+License-Expression: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Internet :: WWW/HTTP
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+
+# evaleval
+
+`evaleval` is a tiny server-driven web pattern: signed Python expressions in forms, eval on submit, and UI patching over SSE.
+
+The entire client.
+
+```js
+import { Idiomorph } from 'idiomorph';
+window.Idiomorph = Idiomorph;
+const es = new EventSource('/sse');
+es.addEventListener('exec', e => eval(e.data));
+document.addEventListener('submit', async e => {
+  e.preventDefault();
+  const r = await fetch(e.target.action, { method: 'POST', body: new FormData(e.target) });
+  const t = await r.text();
+  if (t) eval(t);
+});
+```
+
+Three endpoints. No framework.
+
+```
+GET  /       — serve the shell
+GET  /sse    — push what you see
+POST /     — verify, eval
+```
+
+## Example: [evaleval-todo](https://github.com/tommy-mor/evaleval-todo)
+
+A todo list in ~170 lines.
+
+Forms are data. They carry their own signed handlers.
+
+```python
+from evaleval import Signer, Three, Two, Selector, MORPH, APPEND, REMOVE
+
+signer = Signer()
+
+def add_form():
+    return ["form", {"action": "/", "method": "post"},
+        *signer.snippet_hidden("add($text)"),
+        ["input", {"type": "text", "name": "text", "placeholder": "what needs doing?"}],
+        ["button", {"type": "submit"}, "add"],
+    ]
+```
+
+Sandbox functions return JS patch chains. The chains say how many parts they have, then become strings and disappear.
+
+```python
+def add(text):
+    t = {"id": uuid.uuid4().hex[:8], "text": text, "done": False}
+    TODOS.append(t)
+    return PlainTextResponse(";".join([
+        Three[Selector("#add-form")][MORPH][add_form()],
+        Three[Selector("#todo-list")][APPEND][todo_item(t)],
+        Three[Selector("p.count")][MORPH][remaining_count()],
+    ]))
+
+def delete(todo_id):
+    TODOS.remove(_find(todo_id))
+    return PlainTextResponse(";".join([
+        Two[Selector(f"#todo-{todo_id}")][REMOVE],
+        Three[Selector("p.count")][MORPH][remaining_count()],
+    ]))
+```
+
+The `POST /` route verifies the signature and evals the snippet. `verify_snippet` raises `SnippetExecutionError` with a status code.
+
+```python
+from evaleval import SnippetExecutionError
+
+@app.post("/")
+async def do(request):
+    form = await request.form()
+    try:
+        snippet = signer.verify_snippet(form)
+        return eval(snippet)
+    except SnippetExecutionError as e:
+        return PlainTextResponse(e.message, status_code=e.status_code)
+    except Exception as e:
+        return PlainTextResponse(str(e), status_code=500)
+```
+
+`eval` only accepts a single expression. Multi-line snippets and `return ...` statements will fail with `SyntaxError`.
+
+If you want side effects plus a return value, use an expression pattern like:
+
+```python
+(print("form callback for add todo", $text), add($text))[1]
+```
+
+SSE pushes the initial page as JS the browser evals.
+
+```python
+from evaleval import exec_event, shell_html, One, Eval
+
+@app.get("/")
+async def index():
+    return HTMLResponse(shell_html())
+
+@app.get("/sse")
+async def sse(request):
+    async def generate():
+        yield exec_event([
+            One[Eval("document.title = 'todos'")],
+            Three[Selector("body")][MORPH][["body", page()]],
+        ])
+    return StreamingResponse(generate(), media_type="text/event-stream")
+```
+
+`pip install evaleval`

evaleval-0.2.3/README.md

@@ -0,0 +1,111 @@
+# evaleval
+
+`evaleval` is a tiny server-driven web pattern: signed Python expressions in forms, eval on submit, and UI patching over SSE.
+
+The entire client.
+
+```js
+import { Idiomorph } from 'idiomorph';
+window.Idiomorph = Idiomorph;
+const es = new EventSource('/sse');
+es.addEventListener('exec', e => eval(e.data));
+document.addEventListener('submit', async e => {
+  e.preventDefault();
+  const r = await fetch(e.target.action, { method: 'POST', body: new FormData(e.target) });
+  const t = await r.text();
+  if (t) eval(t);
+});
+```
+
+Three endpoints. No framework.
+
+```
+GET  /       — serve the shell
+GET  /sse    — push what you see
+POST /     — verify, eval
+```
+
+## Example: [evaleval-todo](https://github.com/tommy-mor/evaleval-todo)
+
+A todo list in ~170 lines.
+
+Forms are data. They carry their own signed handlers.
+
+```python
+from evaleval import Signer, Three, Two, Selector, MORPH, APPEND, REMOVE
+
+signer = Signer()
+
+def add_form():
+    return ["form", {"action": "/", "method": "post"},
+        *signer.snippet_hidden("add($text)"),
+        ["input", {"type": "text", "name": "text", "placeholder": "what needs doing?"}],
+        ["button", {"type": "submit"}, "add"],
+    ]
+```
+
+Sandbox functions return JS patch chains. The chains say how many parts they have, then become strings and disappear.
+
+```python
+def add(text):
+    t = {"id": uuid.uuid4().hex[:8], "text": text, "done": False}
+    TODOS.append(t)
+    return PlainTextResponse(";".join([
+        Three[Selector("#add-form")][MORPH][add_form()],
+        Three[Selector("#todo-list")][APPEND][todo_item(t)],
+        Three[Selector("p.count")][MORPH][remaining_count()],
+    ]))
+
+def delete(todo_id):
+    TODOS.remove(_find(todo_id))
+    return PlainTextResponse(";".join([
+        Two[Selector(f"#todo-{todo_id}")][REMOVE],
+        Three[Selector("p.count")][MORPH][remaining_count()],
+    ]))
+```
+
+The `POST /` route verifies the signature and evals the snippet. `verify_snippet` raises `SnippetExecutionError` with a status code.
+
+```python
+from evaleval import SnippetExecutionError
+
+@app.post("/")
+async def do(request):
+    form = await request.form()
+    try:
+        snippet = signer.verify_snippet(form)
+        return eval(snippet)
+    except SnippetExecutionError as e:
+        return PlainTextResponse(e.message, status_code=e.status_code)
+    except Exception as e:
+        return PlainTextResponse(str(e), status_code=500)
+```
+
+`eval` only accepts a single expression. Multi-line snippets and `return ...` statements will fail with `SyntaxError`.
+
+If you want side effects plus a return value, use an expression pattern like:
+
+```python
+(print("form callback for add todo", $text), add($text))[1]
+```
+
+SSE pushes the initial page as JS the browser evals.
+
+```python
+from evaleval import exec_event, shell_html, One, Eval
+
+@app.get("/")
+async def index():
+    return HTMLResponse(shell_html())
+
+@app.get("/sse")
+async def sse(request):
+    async def generate():
+        yield exec_event([
+            One[Eval("document.title = 'todos'")],
+            Three[Selector("body")][MORPH][["body", page()]],
+        ])
+    return StreamingResponse(generate(), media_type="text/event-stream")
+```
+
+`pip install evaleval`

evaleval-0.2.3/pyproject.toml

@@ -0,0 +1,33 @@
+[project]
+name = "evaleval"
+version = "0.2.3"
+description = "Signed snippets, hiccup, and a dual-eval loop. The web that should have been."
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.10"
+authors = [
+    {name = "Tommy Morris"}
+]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Framework :: FastAPI",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Topic :: Internet :: WWW/HTTP",
+]
+
+[project.urls]
+Homepage = "https://github.com/tommy-mor/evaleval"
+Repository = "https://github.com/tommy-mor/evaleval"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/evaleval"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "-v"

evaleval-0.2.3/scripts/release.clj

@@ -0,0 +1,81 @@
+(ns scripts.release
+  (:require [babashka.process :as p]
+            [clojure.string :as str]))
+
+(defn bump-version [version bump-type]
+  (let [[major minor patch] (map #(Integer/parseInt %) (str/split version #"\."))
+        [new-major new-minor new-patch]
+        (case bump-type
+          "major" [(inc major) 0 0]
+          "minor" [major (inc minor) 0]
+          "patch" [major minor (inc patch)]
+          [major minor (inc patch)])]
+    (str new-major "." new-minor "." new-patch)))
+
+(defn update-pyproject-version [version]
+  (let [path "pyproject.toml"
+        content (slurp path)
+        updated (str/replace content
+                             #"(?m)^version\s*=\s*\"[^\"]*\""
+                             (str "version = \"" version "\""))]
+    (spit path updated)))
+
+(defn release [& args]
+  (let [bump-type-or-version (first args)
+        explicit-version (when (and bump-type-or-version
+                                    (re-matches #"^\d+\.\d+\.\d+$" bump-type-or-version))
+                           bump-type-or-version)
+        bump-type (if explicit-version "patch" (or bump-type-or-version "patch"))
+
+        latest-tag (-> (p/process ["git" "tag" "--sort=-version:refname"] {:out :string})
+                       deref
+                       :out
+                       str/trim
+                       (str/split-lines)
+                       first
+                       (or ""))
+        latest-version (if (empty? latest-tag)
+                         "0.0.0"
+                         (str/replace latest-tag #"^v" ""))
+
+        version (if explicit-version
+                  (str/replace explicit-version #"^v" "")
+                  (bump-version latest-version bump-type))
+        tag (str "v" version)]
+
+    ;; Check for clean working tree
+    (let [result @(p/process ["git" "diff" "--quiet"] {:continue true})]
+      (when (not= 0 (:exit result))
+        (println "error: working tree has uncommitted changes — commit or stash first")
+        (System/exit 1)))
+    (let [result @(p/process ["git" "diff" "--cached" "--quiet"] {:continue true})]
+      (when (not= 0 (:exit result))
+        (println "error: working tree has staged uncommitted changes — commit or stash first")
+        (System/exit 1)))
+
+    (when (not explicit-version)
+      (println (str "Latest version: " latest-version))
+      (println (str "Bumping " bump-type " version to: " version)))
+
+    ;; Update version in pyproject.toml, commit, tag, push
+    (update-pyproject-version version)
+    @(p/process ["git" "add" "pyproject.toml"] {:inherit true})
+    @(p/process ["git" "commit" "-m" (str "Release " tag)] {:inherit true})
+
+    (println (str "Tagging " tag " and pushing to origin..."))
+    @(p/process ["git" "tag" "-a" tag "-m" (str "Release " tag)] {:inherit true})
+    @(p/process ["git" "push" "origin" "main" tag] {:inherit true})
+
+    ;; Create GitHub release (triggers the publish workflow)
+    (println (str "Creating GitHub release " tag "..."))
+    @(p/process ["gh" "release" "create" tag
+                 "--title" tag
+                 "--notes" (str "Release " tag)]
+                {:inherit true})
+
+    (println "")
+    (println (str "Done. " tag " released."))
+    (println "Watch the publish workflow at:")
+    (println "  https://github.com/tommy-mor/evaleval/actions")))
+
+(apply release *command-line-args*)

evaleval-0.2.3/src/evaleval/__init__.py

@@ -0,0 +1,26 @@
+from evaleval.hiccup import render, RawContent, parse_tag
+from evaleval.patch import (
+    Selector, Eval, Action,
+    MORPH, PREPEND, APPEND, REMOVE, OUTER, CLASSES, ADD, TOGGLE,
+    DepthChain, One, Two, Three, Four, Five, Six, Seven, Eight, Nine, Ten,
+)
+from evaleval.signing import (
+    Signer,
+    SnippetExecutionError,
+    scrub,
+    apply_snippet_substitutions,
+)
+from evaleval.sse import exec_event, shell_html
+
+__all__ = [
+    # hiccup
+    "render", "RawContent", "parse_tag",
+    # patch
+    "Selector", "Eval", "Action",
+    "MORPH", "PREPEND", "APPEND", "REMOVE", "OUTER", "CLASSES", "ADD", "TOGGLE",
+    "DepthChain", "One", "Two", "Three", "Four", "Five", "Six", "Seven", "Eight", "Nine", "Ten",
+    # signing
+    "Signer", "SnippetExecutionError", "scrub", "apply_snippet_substitutions",
+    # sse
+    "exec_event", "shell_html",
+]

evaleval-0.2.3/src/evaleval/hiccup.py

@@ -0,0 +1,96 @@
+from html import escape
+
+
+VOID_ELEMENTS = {
+    'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
+    'link', 'meta', 'param', 'source', 'track', 'wbr'
+}
+
+
+class RawContent:
+    """Wrapper for content that should not be HTML-escaped.
+    Use with caution - only for trusted content like inline scripts/styles."""
+    def __init__(self, content):
+        self.content = content
+
+
+def parse_tag(tag_str):
+    """Parse 'div.class1.class2#id' into tag, id, classes."""
+    parts = tag_str.split('#')
+    tag_and_classes = parts[0]
+    id_val = parts[1].split('.')[0] if len(parts) > 1 else None
+
+    class_parts = tag_and_classes.split('.')
+    tag = class_parts[0] or 'div'
+    classes = class_parts[1:] + (parts[1].split('.')[1:] if len(parts) > 1 else [])
+
+    return tag, id_val, classes
+
+
+def render_attrs(attrs, id_val, classes):
+    """Render HTML attributes."""
+    parts = []
+
+    if id_val:
+        parts.append(f'id="{escape(id_val)}"')
+    elif 'id' in attrs:
+        parts.append(f'id="{escape(str(attrs["id"]))}"')
+
+    all_classes = classes[:]
+    if 'class' in attrs:
+        all_classes.append(attrs['class'])
+    if all_classes:
+        parts.append(f'class="{escape(" ".join(all_classes))}"')
+
+    for key, val in attrs.items():
+        if key not in ('id', 'class'):
+            parts.append(f'{escape(key)}="{escape(str(val))}"')
+
+    return ' ' + ' '.join(parts) if parts else ''
+
+
+def render(data, parent_tag=None):
+    """Render hiccup data structure to HTML string."""
+    if isinstance(data, RawContent):
+        return data.content
+
+    if isinstance(data, str):
+        return escape(data)
+
+    if not isinstance(data, (list, tuple)):
+        return ''
+
+    if len(data) == 0:
+        return ''
+
+    tag_str = data[0]
+
+    if not isinstance(tag_str, str):
+        return ''
+
+    tag, id_val, classes = parse_tag(tag_str)
+
+    attrs = {}
+    children_start = 1
+
+    if len(data) > 1 and isinstance(data[1], dict):
+        attrs = data[1]
+        children_start = 2
+
+    children = data[children_start:]
+
+    flattened = []
+    for child in children:
+        if isinstance(child, list) and len(child) > 0 and isinstance(child[0], list):
+            flattened.extend(child)
+        else:
+            flattened.append(child)
+
+    children_html = ''.join(render(child, tag) for child in flattened)
+
+    attrs_str = render_attrs(attrs, id_val, classes)
+
+    if tag in VOID_ELEMENTS:
+        return f'<{tag}{attrs_str} />'
+    else:
+        return f'<{tag}{attrs_str}>{children_html}</{tag}>'

evaleval-0.2.3/src/evaleval/patch.py

@@ -0,0 +1,126 @@
+from evaleval.hiccup import render
+
+
+class Selector:
+    def __init__(self, query): self.query = query
+
+class Eval:
+    def __init__(self, code): self.code = code
+
+class Action:
+    def __init__(self, name, requires=None):
+        self.name = name
+        self.requires = requires  # Selector or Action that must precede this
+
+MORPH   = Action("MORPH", requires=Selector)
+PREPEND = Action("PREPEND", requires=Selector)
+APPEND  = Action("APPEND", requires=Selector)
+REMOVE  = Action("REMOVE")
+OUTER   = Action("OUTER", requires=Selector)
+CLASSES = Action("CLASSES", requires=Selector)
+ADD     = Action("ADD", requires=CLASSES)
+TOGGLE  = Action("TOGGLE", requires=CLASSES)
+
+
+def _validate_step(items):
+    item = items[-1]
+    prior = items[:-1]
+
+    prior_actions = [x for x in prior if isinstance(x, Action)]
+    has_selector = any(isinstance(x, Selector) for x in prior)
+    prior_data = [x for x in prior if not isinstance(x, (Selector, Action, Eval))]
+
+    if prior_data:
+        raise ValueError(f"Data must be the last item in the chain")
+
+    if isinstance(item, Selector) and prior_actions:
+        raise ValueError(f"Selector must come before actions, not after {prior_actions[-1].name}")
+
+    if isinstance(item, Action) and item.requires is not None:
+        if item.requires is Selector:
+            if not has_selector:
+                raise ValueError(f"{item.name} requires a Selector before it")
+        elif isinstance(item.requires, Action):
+            if item.requires not in prior_actions:
+                raise ValueError(f"{item.name} requires {item.requires.name} before it")
+
+
+def _resolve(items):
+    selector = None
+    actions  = []
+    code     = None
+    data     = None
+
+    for item in items:
+        if isinstance(item, Selector): selector = item.query
+        elif isinstance(item, Action): actions.append(item)
+        elif isinstance(item, Eval):   code     = item.code
+        else:                          data     = item
+
+    if selector:
+        safe = selector.replace("\\", "\\\\").replace('"', '\\"')
+        sel_js = f'document.querySelector("{safe}")'
+    else:
+        sel_js = "null"
+
+    if code:
+        if code.startswith("=>"):
+            body = code.replace("=>", "", 1).strip()
+            return f"(($) => {{ {body} }})({sel_js})"
+        return code
+
+    html = ""
+    if data is not None:
+        raw = render(data) if not isinstance(data, str) else data
+        html = raw.replace("`", "\\`").replace("${", "\\${")
+
+    if CLASSES in actions:
+        if REMOVE in actions:
+            return f"{sel_js}?.classList.remove('{data}')"
+        if ADD in actions:
+            return f"{sel_js}?.classList.add('{data}')"
+        if TOGGLE in actions:
+            return f"{sel_js}?.classList.toggle('{data}')"
+
+    action = actions[0] if actions else None
+
+    if action == MORPH:
+        return f"Idiomorph.morph({sel_js}, `{html}`)"
+    if action == PREPEND:
+        return f"{sel_js}.insertAdjacentHTML('afterbegin', `{html}`)"
+    if action == APPEND:
+        return f"{sel_js}.insertAdjacentHTML('beforeend', `{html}`)"
+    if action == REMOVE:
+        return f"{sel_js}?.remove()"
+    if action == OUTER:
+        return f"{sel_js}.outerHTML = `{html}`"
+
+    return "console.warn('unresolved patch chain')"
+
+
+class DepthChain:
+    def __init__(self, depth, items=None):
+        self.depth = depth
+        self.items = items or []
+
+    def __getitem__(self, item):
+        items = self.items + [item]
+        _validate_step(items)
+        if len(items) >= self.depth:
+            return _resolve(items)
+        return DepthChain(self.depth, items)
+
+    def __str__(self):
+        return _resolve(self.items)
+
+
+One   = DepthChain(1)
+Two   = DepthChain(2)
+Three = DepthChain(3)
+Four  = DepthChain(4)
+Five  = DepthChain(5)
+Six   = DepthChain(6)
+Seven = DepthChain(7)
+Eight = DepthChain(8)
+Nine  = DepthChain(9)
+Ten   = DepthChain(10)

evaleval-0.2.3/src/evaleval/signing.py

@@ -0,0 +1,105 @@
+import hashlib
+import hmac
+import uuid
+import time
+import base64
+from collections.abc import Mapping
+from typing import Any
+
+def scrub(value: str) -> str:
+    """Escape a form value so it can't break out of an eval context."""
+    return repr(value)
+
+
+def apply_snippet_substitutions(snippet: str, form_data: dict[str, str]) -> str:
+    """Replace $key placeholders; longest keys first so $idx is not broken by $id."""
+    for key, value in sorted(form_data.items(), key=lambda x: len(x[0]), reverse=True):
+        snippet = snippet.replace(f"${key}", scrub(value))
+    return snippet
+
+
+class Signer:
+    """HMAC-SHA256 snippet signing with one-time nonces.
+
+    Usage:
+        signer = Signer()
+
+        # At render time — embed in the form
+        code = "go('whale', $message)"
+        hidden_fields = signer.snippet_hidden(code)
+
+        # At /do time — verify and consume
+        if not signer.verify(snippet, nonce, sig):
+            return 403
+        if not signer.consume_nonce(nonce):
+            return 403
+    """
+
+    def __init__(self, secret: bytes | None = None, nonce_ttl: int = 3600):
+        self.secret = secret or hashlib.sha256(f"snippets-{uuid.uuid4()}".encode()).digest()
+        self.nonce_ttl = nonce_ttl
+        self._nonces: dict[str, float] = {}
+        self._last_nonce_clean: float = 0.0
+
+    def _clean_nonces(self):
+        now = time.time()
+        if now - self._last_nonce_clean < 60:
+            return
+        self._last_nonce_clean = now
+        for n in [n for n, exp in self._nonces.items() if exp < now]:
+            del self._nonces[n]
+
+    def generate_nonce(self) -> str:
+        self._clean_nonces()
+        nonce = uuid.uuid4().hex
+        self._nonces[nonce] = time.time() + self.nonce_ttl
+        return nonce
+
+    def consume_nonce(self, nonce: str) -> bool:
+        self._clean_nonces()
+        if nonce in self._nonces:
+            del self._nonces[nonce]
+            return True
+        return False
+
+    def sign(self, code: str, nonce: str) -> str:
+        msg = f"{code}|{nonce}".encode()
+        return base64.urlsafe_b64encode(
+            hmac.new(self.secret, msg, hashlib.sha256).digest()
+        ).decode()
+
+    def verify(self, code: str, nonce: str, sig: str) -> bool:
+        return hmac.compare_digest(self.sign(code, nonce), sig)
+
+    def snippet_hidden(self, code: str) -> list:
+        """Generate hiccup hidden input fields for a signed snippet."""
+        nonce = self.generate_nonce()
+        sig = self.sign(code, nonce)
+        return [
+            ["input", {"type": "hidden", "name": "__snippet__", "value": code}],
+            ["input", {"type": "hidden", "name": "__sig__", "value": sig}],
+            ["input", {"type": "hidden", "name": "__nonce__", "value": nonce}],
+        ]
+
+    def verify_snippet(self, form: Mapping[str, Any]) -> str:
+        """Verify signed form payload and return substituted snippet."""
+        snippet = str(form.get("__snippet__", ""))
+        sig = str(form.get("__sig__", ""))
+        nonce = str(form.get("__nonce__", ""))
+
+        if not all([snippet, sig, nonce]):
+            raise SnippetExecutionError("Missing fields", status_code=400)
+        if not self.verify(snippet, nonce, sig):
+            raise SnippetExecutionError("Invalid signature", status_code=403)
+        if not self.consume_nonce(nonce):
+            raise SnippetExecutionError("Invalid nonce", status_code=403)
+
+        form_data = {k: str(v) for k, v in form.items() if not k.startswith("__")}
+        return apply_snippet_substitutions(snippet, form_data)
+
+
+class SnippetExecutionError(Exception):
+    def __init__(self, message: str, status_code: int):
+        super().__init__(message)
+        self.message = message
+        self.status_code = status_code

evaleval-0.2.3/src/evaleval/sse.py

@@ -0,0 +1,51 @@
+"""SSE helpers for the dual-eval loop."""
+
+
+def exec_event(js: str | list[str] | tuple[str, ...]) -> str:
+    """Wrap JavaScript code as an SSE 'exec' event."""
+    if isinstance(js, (list, tuple)):
+        js = ";".join(js)
+    lines = ["event: exec"]
+    for line in js.split('\n'):
+        lines.append(f"data: {line}")
+    lines += ["", ""]
+    return "\n".join(lines)
+
+
+SHELL_HTML_TEMPLATE = """<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"></head>
+<body>
+<script type="module">
+import { Idiomorph } from '__IDIOMORPH_URL__';
+window.Idiomorph = Idiomorph;
+const es = new EventSource(__SSE_PATH__);
+es.addEventListener('exec', e => {
+  eval(e.data);
+});
+document.addEventListener('submit', async e => {
+  e.preventDefault();
+  const f = e.target;
+  try {
+    const r = await fetch(f.action, { method: 'POST', body: new FormData(f) });
+    const t = await r.text();
+    if (t) eval(t);
+  } catch (err) {
+    console.error(err);
+  }
+  if (f.dataset.reset !== 'false') f.reset();
+});
+</script>
+</body>
+</html>"""
+
+
+def shell_html(sse_path: str | None = None, idiomorph_url: str | None = None) -> str:
+    """Generate the shell HTML with optional custom SSE path and Idiomorph URL."""
+    idi = idiomorph_url or "https://unpkg.com/idiomorph@0.3.0/dist/idiomorph.esm.js"
+    sse = f"'{sse_path}'" if sse_path else "'/sse'"
+    return (
+        SHELL_HTML_TEMPLATE
+        .replace("__IDIOMORPH_URL__", idi)
+        .replace("__SSE_PATH__", sse)
+    )

evaleval-0.2.3/uv.lock

@@ -0,0 +1,8 @@
+version = 1
+revision = 3
+requires-python = ">=3.10"
+
+[[package]]
+name = "evaleval"
+version = "0.2.2"
+source = { editable = "." }