Roadmap

Track what’s done, what’s next, and where we’re headed. Current version: 0.1.0


Completed items:
  • SSR with Svelte 5 Runes ($props, $state)
  • File-based routing (+page.svelte, +layout.svelte, +server.ts)
  • Dynamic routes ([param]) and catch-all routes ([...rest])
  • Route groups ((group)) for layout grouping
  • API routes — +server.ts with HTTP verb exports
  • Error pages — +error.svelte
  • Plain export async function load() pattern (no wrapper)
  • $types codegen — auto-generated PageData, PageProps, LayoutData, LayoutProps
  • parent() data threading in layouts
  • Streaming SSR for metadata (non-blocking load())
  • Form actions (SvelteKit-style)
  • ElysiaJS HTTP server
  • Gzip compression
  • Static file caching (Cache-Control headers)
  • /_health endpoint
  • Cookie support (cookies.get, cookies.set, cookies.delete)
  • Security headers (X-Content-Type-Options, X-Frame-Options, etc.)
  • Graceful shutdown handler (SIGTERM/SIGINT)
  • .env file support with $env virtual module
  • CORS configuration (framework-level)
  • Session-aware fetch (cookies forwarded in internal API calls)
  • Request timeouts on load() and metadata() functions
  • Route PUT/PATCH/DELETE through handleRequest() — consistent CSRF, CORS, security headers, and cookie handling
  • XSS escaping in HTML templates — sanitize JSON.stringify() output in <script> tags
  • SSRF validation on /__bosia/data — validate path query param
  • CSRF protection — Origin/Referer header validation for state-changing requests
  • Strip stack traces from error responses in production
  • Request body size limits
  • Path traversal protection — validate static/prerendered file paths stay within allowed directories
  • Cookie parsing error recovery — wrap decodeURIComponent() in try-catch
  • Cookie option validation — whitelist/validate domain, path, sameSite values
  • PUBLIC_ env scoping — only expose vars declared in .env files
  • Streaming error safety — validate route match before creating stream
  • safeJsonStringify crash guard — try-catch for circular reference protection
  • Client-side hydration
  • SPA router (client-side navigation)
  • Navigation progress bar
  • HMR via SSE in dev mode
  • Per-page CSR opt-out (export const csr = false)
  • Link prefetching — data-bosia-preload attribute for hover/viewport prefetch
  • Fix client-side navigation with query strings/hashes
  • Bun build pipeline (client + server bundles)
  • Manifest generation (dist/manifest.json)
  • Static route prerendering (export const prerender = true)
  • Tailwind CSS v4 integration
  • $lib alias → src/lib/*
  • bosia:routes virtual module
  • Validate Tailwind CSS binary exists before build
  • Prerender fetch timeout
  • Fix withTimeout timer leak
  • Remove duplicate static file serving
  • bosia dev — dev server with file watching
  • bosia build — production build
  • bosia start — production server
  • bosia create — scaffold new project (with --template flag and interactive picker)
  • bosia add — registry-based UI component installation
  • bosia feat — registry-based feature scaffolding
  • hooks.server.ts with Handle interface
  • sequence() helper for composing middleware
  • RequestEvent: request, params, url, cookies, locals
  • Documentation site (Astro Starlight) — 14 pages
  • Indonesian (Bahasa Indonesia) translation with Starlight i18n
  • Deployment guides (Docker, Railway, Fly.io)
  • GitHub Actions for auto-publishing to npm and deploying docs
  • Dev server auto-restart on crash
  • Components documentation page with usage examples and prop tables
  • Rename framework from bosbun to bosia
  • Dead code cleanup (renderSSR, buildHtmlShell, unexported internals)
  • splitCsvEnv helper for CSRF/CORS origin parsing

v0.1.1 — Production Hardening & Security

Stability, reliability, and security improvements for production workloads.

  • Trusted proxy configuration — TRUST_PROXY env to control when X-Forwarded-* headers are trusted in CSRF checks
  • Cookie RFC 6265 validation — also review encodeURIComponent on cookie names (interop concern)
  • Open redirect validation on redirect()
  • CORS preflight validation — validate requested method/headers against allowed config
  • Graceful shutdown drain — drain in-flight requests before stopping; return 503 from health check during shutdown
  • Stream backpressure handling — check controller.desiredSize to prevent memory buildup on slow/disconnected clients
  • Prerender process cleanup — proper signal handling, verified termination, use random port instead of hardcoded 13572
  • Concurrent build guard in dev — prevent overlapping builds when rapid file changes trigger buildAndRestart() while a build is already running
  • Use insertAdjacentHTML for head injection — current innerHTML+= re-parses entire <head>, risking duplicate stylesheets and script re-execution
  • Bound prefetch cache size — prefetchCache grows unbounded between navigations
  • Validate .env variable names — reject invalid identifiers that break codegen
  • Fail build on tsconfig.json corruption — don’t silently continue with degraded config
  • .env parser escape sequence support — handle \n, \", etc. in quoted values
  • Tune gzip compression threshold — current 1024-byte threshold is low; consider raising to ~2KB
  • Stale env cleanup in dev — reset removed .env vars on hot-reload

New capabilities and developer experience improvements.

  • depends() and invalidate() — selective data reloading
  • setHeaders() in load functions — set response headers from loaders
  • beforeNavigate / afterNavigate lifecycle hooks
  • Scroll restoration and snapshot support (export const snapshot)
  • Dynamic route prerendering with entries() export
  • Page option: ssr toggle (export const ssr = false)
  • Page option: trailingSlash configuration
  • Layout reset (+layout@.svelte or +page@.svelte)
  • Structured logging with request correlation IDs
  • Error page types in generated $types.d.ts

Nice-to-haves for a growing framework.

  • Production sourcemaps — external source maps for debuggable production errors
  • Testing guide (Vitest + Playwright)

Intentional omissions — out of scope for the framework:

  • +page.ts / +layout.ts universal load (decided against)
  • Image optimization (infrastructure concern)
  • i18n (user’s responsibility)
  • Rate limiting (reverse proxy concern)
  • Plugin/extension system (premature)
  • Adapter system (intentionally tied to Bun + Elysia)
  • Service worker tooling (out of scope)