Changelog
Semua perubahan penting pada Bosia.
All notable changes to Bosia are documented in this file.
The format is based on Keep a Changelog.
[0.8.8] - 2026-07-11
Fixed
bun run checknow catches un-replaced__BRAND__in every app template.- Inspector AI popover now stays visible when clicking elements near the screen edge.
[0.8.7] - 2026-07-10
Added
- Pages can now set their own response headers, like how long browsers should cache them.
- Pages can now remember what you typed when you go back or forward in the browser.
[0.8.6] - 2026-07-05
Added
- Pressing Back now returns you to where you were on the page, not the top.
Changed
- Dev builds now bundle component styles the same way as production — simpler and consistent.
[0.8.5] - 2026-07-04
Changed
- Styles now load from a fingerprinted file cached for a year — no more stale styles after updates.
- Leftover
public/bosia-tw.cssfiles from older builds are unused now and safe to delete.
Fixed
- Evicting a full cache is now fast — cleanup touches only the evicted page's tags, not every tag.
- Startup notice now warns that custom auth headers must be added to CACHE_KEYS by hand.
[0.8.4] - 2026-07-03
Added
- New
CACHE_MAX_BODY_BYTESsetting stops very large responses from filling up server memory. - A loud warning now fires if a cached page reads a cookie the cache can't tell users apart by.
- Server startup now ends by listing which cookies the cache uses to tell users apart.
- Concurrent cache misses for the same page or API route now build once instead of N times.
Changed
- Prerendered pages are now found instantly at startup instead of checking disk on every visit.
- BREAKING:
(private)no longer switches off dedup — add custom session cookies to CACHE_KEYS. - Request deduplication now tells users apart by CACHE_KEYS, so per-user routes are deduped safely.
Fixed
- Cached pages for logged-in users now use a stronger hash, so one user can never see another's page.
- Brotli compression now actually works for cached pages — it was silently never applied before.
- Files with spaces or special characters in their names now load instead of returning 404.
- Building the cache identity no longer counts as a cookie read (no forced Cache-Control: private).
[0.8.3] - 2026-07-02
Added
- Checks now fail if a block's
__BRAND__placeholder is left un-renamed in an app.
Fixed
- One Ctrl+C now stops the dev and prod servers cleanly; pressing it twice force-quits.
- Stopping the dev server no longer pauses for a couple of seconds before exiting.
[0.8.2] - 2026-07-01
Added
- New opt-in dev mode lets a host trigger builds itself, avoiding mid-edit rebuild errors.
[0.8.1] - 2026-06-30
Fixed
+loading.svelteskeletons now appear instantly — chunks warm on link hover, no stale-page lag.
[0.8.0] - 2026-06-30
Added
- Drop a
+loading.sveltein a route folder to show a skeleton while that page loads during nav.
[0.7.9] - 2026-06-29
Changed
- New apps now prefetch links on hover by default — pages feel instant with no setup.
[0.7.8] - 2026-06-27
Changed
- The inspect comment box no longer shows the component file path on top — cleaner for non-technical users; the AI still receives full file/tree context.
[0.7.7] - 2026-06-23
Added
- A
handlecan set theNO_FRAME_GUARD_HEADERon a response to skip theX-Frame-Optionsguard — lets a proxy hub serve embeddable previews while keeping the guard on its own pages.
[0.7.6] - 2026-06-22
Fixed
- Behind a trusted proxy (
TRUST_PROXY=true),event.urlnow reflects the public origin fromX-Forwarded-Host/-Protoinstead of the proxy's innerlocalhosthop — so absolute redirects, canonical URLs, andurl.originno longer point at localhost (fixes preview "redirect to localhost" / redirect loops behind a host proxy). - The
bun run devproxy now preserves anX-Forwarded-Host/-Protoset by an outer proxy instead of overwriting it with its own loopback hop.
[0.7.5] - 2026-06-21
Added
- New
storetemplate — Postgres database + MinIO/S3 uploads out of the box.
[0.7.4] - 2026-06-17
Fixed
- Client-side navigation now sees correct parent layout data instead of empty values.
[0.7.3] - 2026-06-15
Added
- New login page family: ready-made sign-in, sign-up, forgot, magic-link, OTP and SSO screens.
- Creating a
shopproject is now near-instant via a prebuilt download (falls back to the old way).
[0.7.2] - 2026-06-14
Changed
- New apps now get a brief to-do to swap placeholder content for real database data.
Fixed
- Brief intake no longer installs the theme or asks you to start the app before the approval button shows.
[0.7.1] - 2026-06-13
Changed
- Inspector now sends the AI clear url/page/component fields so it edits the right file.
[0.7.0] - 2026-06-13
Added
- Restored
page.paramsas a deprecated fallback; new code should read params from props.
Changed
- Shop template now uses built-in SQLite instead of PostgreSQL — zero setup, no database server.
Fixed
- Login/register no longer fail after the app sits idle — database connections now refresh automatically.
[0.6.25] - 2026-06-12
Added
- New "pages" you can add in one command — a whole screen made of ready-made sections.
- A full storefront: home, product list, product, and checkout pages, ready to drop in.
- 24 storefront sections: header, footer, product cards, cart drawer, checkout, and more.
- New "Clay" theme — warm paper tones with a terracotta accent and elegant serif headings.
- One store, six looks — switch between fashion, grocery, tech, beauty, garden, or general.
[0.6.24] - 2026-06-12
Removed
- Removed the Todo starter template and its todo feature/components ahead of rebuilding the card blocks.
- Replaced the single "feature (editorial)" card block with a full set of 29 cards.
Added
- 17 ready-to-use hero sections for shops, schools, food, fashion, services, and apps.
- 29 ready-to-use card blocks: dashboards, profiles, products, media, notifications, and more.
- Six new themes: Paper, Carbon, Bloom, Terminal, Sage, and Grape.
- Every theme now ships matching shadows and a monospace font for numbers and code.
- Theme toggle now offers Light, Dark, and System (follows your OS) — System is the default.
- Dev server
POST /__bosia/hold+/__bosia/resumecontrol — a host orchestrator can hold the live-reload broadcast during a batch of edits and flush a single reload on resume.holddoubles as a heartbeat that re-arms a safety timer, so the hold survives arbitrarily long tasks and only auto-resumes if the heartbeats stop (orchestrator died) — never mid-task. Off by default, so plainbosia devreloads exactly as before.
Fixed
bosia add themenow removes the template's default:root/.darktoken block, so app.css no longer keeps two competing:rootrules where the template's overrides the theme's.- The "App server is starting…" page shown during a rebuild now reloads itself once the app is back, so the preview no longer gets stuck on it after a restart race.
Changed
- Card blocks use your theme's brand colour, so they restyle when you switch themes.
- Pinned Svelte to ^5.56.3 across docs, demo, and all templates so everyone gets the latest fixes.
[0.6.23] - 2026-06-11
Fixed
- Block installer now skips blocks already installed this session, so shared block deps no longer rewrite files twice.
Changed
- Shop feature drops unused component declarations (
typography) and auth-overlap (form/input/button) for cleaner installs. - Skills warn against installing the
postgresorpgnpm packages — Bun's built-inBun.SQLcovers Postgres. bosia-bun-runtimegains a Postgres section with theFailedToOpenSocketURL-string gotcha and object-form fix.bosia-drizzle-featureadds R11: registry files count relative imports from theirmeta.jsontarget, not the source.
Fixed
- Shop admin sidebar header now shows the Bosia logo SVG (theme-aware) and a working collapse trigger instead of a Unicode hex glyph and dead button.
- Shop admin sidebar user-menu dropdown is full-width, anchors from the chevron, rotates on open, and Sign out posts to
/logoutcleanly. - Sidebar leaf items render as plain links again —
SidebarMenuItemno longer mistakes whitespace around the icon snippet for nested children. - Shop admin sidebar groups the Orders sub-pages (All / Pending / Refunds) under one collapsible parent for cleaner navigation.
- Theme toggle now actually switches all four templates (default/shop/todo/demo) —
dark:utilities were silently OS-bound; templates now declare the class-baseddarkvariant. - Shop admin sidebar header logo renders at 20px instead of overflowing the rail at its native 200×200.
+server.tshandlers can nowthrow redirect(303, "/")(andthrow error(...)) — Bosia returns a real 303 / typed error response instead of swallowing it as a 500. The/logoutPOST now signs the user out and redirects to/as designed.
Added
- New
bosia-shop-templateskill so agents extending abosia create … --template shopscaffold don't re-install features or replace the wired sidebar/navbar. - Shop dashboard pages now render a path-derived breadcrumb above the main content;
ui/breadcrumbis wired into theshopfeature. - Home, login, and register pages set a
<title>and<meta name="description">so the shop has basic SEO out of the box.
Removed
- Dropped unused
postgresruntime dep fromshoptemplatepackage.json(scaffold usesBun.SQL).
[0.6.22] - 2026-06-10
Added
- New
shoptemplate scaffolds a storefront with auth, RBAC, S3 uploads, and products/orders/cart. - New registry features
auth,rbac,shop— composable in any Bosia app, not only the shop template. - Four new themes: sunset, midnight, mono, amber. Twelve total now ship in the registry.
- Docs: file-upload skill explains MinIO / R2 / DO Spaces setup via
S3_ENDPOINT, plus AWS Jakarta (ap-southeast-3). - Docs: bun-runtime skill now covers
Bun.s3(the zero-dep client behind the S3 adapter). - Docs: both skills warn against inventing a non-standard
S3_URLDSN — stick to Bun's discreteS3_*env names. - Sidebar docs: decision table for leaf vs collapsible vs label-only items, plus a working user-menu footer pattern.
- New
bosia-sidebarskill so AI agents stop wrappingSidebarMenuIteminDropdownMenuand start building the avatar dropdown. DropdownMenugainsfloatingmode, asideprop, and ananchorelement prop — menus inside overflow-clipped parents (like Sidebar) actually appear, and can pop from a specific child (e.g. a chevron) rather than the whole trigger.
Fixed
- Hydration crashed on components spreading
{...restProps}because Svelte 5.55.x emits the exclude list as an Array but the runtime expects a Set; framework now pins svelte to ^5.56.3 which emits the Set form. bosia create --template shopnow scaffolds Postgres tables by default instead of falling back to sqlite.- Drizzle feature: workaround for Bun 1.3.x bug where
new Bun.SQL("postgres://...")erroredFailedToOpenSocket; the URL is now parsed into an object before passing to Bun.SQL. bosia createno longer 404s when a block depends on another block (e.g.image-dialog→upload-area).- Auth feature:
/loginand/registerserver actions now importfeatures/authwith the correct relative path. - Sidebar user-menu dropdown was clipped by
Sidebar's overflow —floating side="top"now lets it open upward into the page. DropdownMenuContentfloating mode: first open was mispositioned because the menu briefly rendered in normal flow before the fixed-position style applied. The class now setsposition: fixedfrom the first paint, and the menu staysvisibility: hiddenuntil the measure resolves — so the first click lands at the same coordinates as subsequent clicks.- Sidebar now lists all themes; bosia-theme-tokens skill no longer claims only two ship.
- Drizzle feature: typecheck failures when a project mixed engine variants —
drizzle/index.tsnow ships per-dialect (pg / mysql / sqlite) sodb.insert / update / delete / select / execute / runall typecheck. bun x bosia create --template shopno longer scatters a straysrc/lib/utils.tsnext to the new project directory; the block installer now writes utils.ts into the project, not intoprocess.cwd().- Registry + framework now use
tabWidth: 2(matching templates and the wider Svelte/TS ecosystem) so scaffolded projects passbun run checkwithout reformatting.
Changed
- Drizzle tables across all registry features are now plural (variable + SQL identifier + filename):
user→users,session→sessions,permission→permissions,file→files,product→products,order→orders,orderItem→orderItems,cartItem→cartItems. Foreign-key columns stay singular (userId,productId). New R10 rule inbosia-drizzle-featureand updates tobosia-database-setup/bosia-clean-architecturecodify the convention.
[0.6.21] - 2026-06-09
Added
- Drawer component — mobile bottom-sheet overlay with slide-up animation and tap-to-close.
- Image dialog block — pick multiple images via upload, URL, or existing library in one modal.
bosia-image-dialogskill — guides AI agents to use the new picker for gallery/replace flows.bosia-image-externalskill — guides AI agents to call bosapi'simage_external_searchtool for real stock photos with attribution.- Reactive
pageexport onbosia/clientso apps can readpage.url.pathnamelike SvelteKit (params still come from$props()on routes). bosia add blocks/<cat>/<name>now works as an alias forbosia add block <cat>/<name>.
Changed
- Image dialog now pre-selects existing images on open so adding a new one no longer wipes them.
bosia addkeeps installing remaining files when one is owned by a different user, then prints a clear chown hint if it still cannot write.
[0.6.20] - 2026-06-08
Fixed
- Client hydration broken when a leaf chunk happened to share the
hydrate-*filename prefix and sort before the actual entry. 0.6.19 hashed the entry filename but kept the manifest detector'sfind(f => f.startsWith("hydrate"))fallback, which returned the first match by array order — sometimes a tiny chunk like aversion.tsimport, exporting only constants. The HTML then loaded that no-op script as the entry, somain()never ran,router.init()never fired, and no page hydrated. Manifest now identifies the entry via Bun'soutput.kind === "entry-point".
[0.6.19] - 2026-06-08
Fixed
.webmanifestfiles inpublic/now serve correctly instead of returning 404.- Apps no longer loop forever after a new deploy when old cached assets are missing on the server.
Changed
- Client entry file is now hashed so each new build gets a fresh URL the browser cannot serve stale.
[0.6.18] - 2026-06-07
Fixed
- Pure-SSR apps (zero prerendered routes) now also mirror
public/→dist/static/at build time, so production containers that droppublic/keep servingbosia-tw.css, favicons, and other public assets. 0.6.17 only ran the mirror when SSG output existed.
Changed
- Clean architecture skill: services may only call their own repository. Cross-feature is service → service, never service → other repository.
- Clean architecture skill: any file type (tables, validators, dtos, repositories, services) with 2+ files should promote into its matching subfolder; barrel still hides deep paths.
- Clean architecture skill: sub-feature folders (
auth/oauth/) only when the sub-domain owns its own tables.login//register/-style sub-domains that share parent tables stay underservices/.
[0.6.17] - 2026-06-07
Changed
- Production runtime no longer needs
src/hooks.server.tsorbosia.config.ts— build bundles them todist/hooks.server.jsanddist/bosia.config.js; runtime loads fromdist/first and falls back to source for dev. - Static assets in
public/are also served fromdist/static/in production, so containers can ship onlydist/(plusnode_modules/).
[0.6.16] - 2026-06-06
Changed
- Production runtime no longer needs
src/app.html— build now writes parsed segments todist/app-html.json, so Docker images can copy onlydist/. - Switched icons to
@lucide/svelte; registry components import lucide directly instead of a custom wrapper.
Removed
- Custom
registry/components/ui/iconcomponent and its hand-curated SVG map.
Added
bosia-iconskill telling AI agents to use@lucide/svelte(not deprecatedlucide-svelte).
[0.6.15] - 2026-06-05
Fixed
parent()now includes cached parent data on client-side navigation even when layout loaders are skipped.
[0.6.14] - 2026-06-02
Added
bosia.jsoninstall manifest at project root. Everyfeat,add, andadd blockrecords what was installed (files, deps, options) so future sessions can list and (eventually) uninstall them.bosia feat list— show installed features with their options.bosia add list— show installed components and blocks.
[0.6.13] - 2026-06-01
Added
inspectorplugin: env varBOSIA_INSPECTOR_AI_ENDPOINToverrides theaiEndpointoption frombosia.config.ts. Lets sandboxed hosts (bosapi running the app in a podman container) point inspector POSTs at an address reachable from inside the sandbox, since the baked URL otherwise resolves to the container's own loopback.
[0.6.12] - 2026-06-01
Added
bosia create --no-installflag: scaffold files only and skip the finalbun installstep. Lets hosts run the install in a sandbox (container, VM) instead of on the scaffolding host — fixes native-module arch mismatches when the host and runtime OS differ.
Fixed
bosia createnow picks the project name from the first non-flag argument, socreate --local --no-install appno longer scaffolds into a folder called--local.
[0.6.11] - 2026-05-30
Changed
feat file-uploadnow ships private-by-default: thefiletable carries a NOT NULLuser_id, the upload/list/delete API routes requirelocals.user, andGET /uploads/<key>checks ownership before streaming the bytes withCache-Control: private, no-store. Apps that previously relied on anonymous public uploads need to add a user backfill and rerun the migration.bosia-file-uploadskill now teaches AI to install [[bosia-auth-flow]] first, never to drop thelocals.usercheck or pointUPLOAD_DIRat./public/uploads.
Fixed
+server.tsAPI routes now win over the static fallthrough, so handlers can serve URLs ending in.webp/.png/.pdf(previously returned 404 becauseisStaticPathmatched the extension and short-circuited into the static-file lookup).
[0.6.10] - 2026-05-30
Added
bosia syncCLI: generates.bosia/routes.ts,$types, env modules without a full build (cheap codegen forcheck).- Default template
bun run checknow runssvelte-check(catches template reference errors like<Navbar {links} />when onlynavLinksexists). - Generated
$types.d.tsnow exportsActions(Record<string, Action>) so+page.server.tsactions type-check under svelte-check. - New skill
bosia-database-setup— on-demand engine swap + table creation, replacingbosia-brief-database. bosia-auth-flowR8: login/register must redirect server-side (throw redirect(303)), neveruse:enhance+ clientgoto()— avoids cookie/nav race that drops the session.
Changed
- Brief intake no longer asks the user about the database engine. Default = sqlite-file; load
bosia-database-setuponly when the user explicitly asks for postgres/mysql or new tables. - Brief intake Quick Start is now five questions (palette + direction merged), with an explicit "infer, don't loop back" inference rule.
- Brief intake now ends with the
brief_request_approvaltool call (host UI renders a Setuju button) instead of a plain-text "Setuju?" question. bosia-page-shellskill triggers now include+page.svelte,+layout.svelte,page shell,root layoutso AI auto-loads it before touching layout/page files.
Removed
- Skill
bosia-brief-database— superseded bybosia-database-setup.
Fixed
$envambient declaration now picked up bytsc/svelte-check(template tsconfigincludeextended with.bosia/types/**/*.d.ts).bosia:routesvirtual module ambient now reachable by consumers (triple-slash reference added tobosia'ssrc/lib/index.ts).- UI components no longer crash on plain http: switched id generation from
crypto.randomUUID/Math.randomto Svelte's built-in$props.id(). bosia feat drizzlenow defaults to a persistent sqlite file instead of in-memory, so data survives restarts out of the box.- Twelve UI components no longer crash with
props_id_invalid_placement—$props.id()is now assigned to its own variable before being interpolated into id strings.
[0.6.9] - 2026-05-29
Fixed
- Anchor links (
href="#section") now scroll to the target heading instead of jumping to the top. - Static assets with query strings (e.g.
/favicon.ico?v=2) now resolve correctly instead of 404'ing.
Changed
- Marked
beforeNavigate/afterNavigatenavigation hooks as done in the roadmap (already shipped). - Static assets now served from a boot-time manifest in production (single Map lookup, no per-request stat).
[0.6.8] - 2026-05-29
Removed
/aboutpage from the default project template — new projects now start with a clean home page only.
Fixed
- Sidebar no longer crashes with
crypto.randomUUID is not a functionin non-HTTPS / sandboxed runtimes.
Added
carticon —<Icon name="cart" />now renders the shopping-cart symbol.- New skill
bosia-data-tableso AI uses the registry data table instead of hand-rolled HTML tables. - New skill
bosia-debug-discipline— after two failed fixes, AI reads framework source before guessing again.
Changed
bosia-crud-flownow mandatesuse:enhance+ the correctexport const actions = { … }shape (silent no-op was the bug).bosia-drizzle-featurenow mandates UUID primary keys (pg + sqlite) andsql\CURRENT_TIMESTAMP`` for timestamps.bosia-file-uploadnow requires unlinking the file on delete so storage doesn't fill with orphans.bosia-navigationnow mandates the registry sidebar with ≥3 menu items + empty states.bosia-page-shellnow explains how child layoutloadmust spread parent data (cart-count bug).
[0.6.7] - 2026-05-28
Fixed
bosia feat file-uploadnow installs the upload-area and crop-image blocks properly (was 404'ing).bosia add block -yskips overwrite prompts so scripted installs no longer hang.- File upload now actually compresses images (was crashing on Bun.Image API mismatch).
- Uploaded image URLs are now relative so they render on any host (preview, prod, localhost).
- Routing/dashboard/CRUD skills now hard-rule authenticated pages into (private), never (public).
Added
FeatureMeta.blocks[]— features can now declare block dependencies separate from components.- New skill
bosia-page-shellso AI agents stop putting navbar/footer inside every page. - New skill
bosia-query-defaultsso every list is paginated and sorted newest-first.
[0.6.6] - 2026-05-27
Fixed
- Build now finds binaries (e.g.
tailwindcss) when deps are hoisted to a monorepo rootnode_modules. - Audit no longer false-flags
<DemoComponent />when bound via sibling{@const DemoComponent = ...}.
Changed
- Docs CI install now uses
--linker=hoistedso registry blocks can resolve docs-declared deps. - Switched docs domain to
bosia.devand moved hosting to Cloudflare Pages. - Docs, READMEs, and templates now lead with the production-ready story (security, performance, reliability).
[0.6.5] - 2026-05-27
Added
- Build now catches
<Card.Root>typos at compile time — names missing from the import file fail clearly.
Fixed
- Cookie
sameSitenow accepts lowercase (lax,strict,none) — matches SvelteKit/Express. - Cookies passed
secure:trueover HTTP get auto-downgraded with a warn — fixes silent login loops in dev/preview.
Changed
Securecookie flag is now decided per-request from the transport protocol, not fromNODE_ENV. SetTRUST_PROXY=trueto honorx-forwarded-protobehind reverse proxies.
[0.6.4] - 2026-05-26
Changed
- Crop and upload blocks now share one combined demo — pick a file, optionally crop, upload.
Fixed
- Crop demo no longer breaks on CORS — uses your picked file (object URL) instead of a remote image.
- Docs pages no longer 404 in dev — content path now resolves from the project root, not the bundle location.
- Crop block's preview area no longer collapses to 0 height — uses inline style as a safe fallback when the host's Tailwind scan doesn't reach the registry source.
- Docs Tailwind now scans
registry/blocks/**so block-defined utility classes get generated.
Added
- Tiny
/api/demo-uploadendpoint in docs so the upload demo completes end-to-end without a 500. - New
file-uploadfeature: a ready backend for the upload block — shrinks images and saves locally or to S3. bun x bosia featnow lets each feature declare its own flags —file-uploadexposes-d sqlite|postgres|mysql;-y(auto-confirm, use defaults) stays a feat-level flag.- New
bosia-file-uploadskill teaches the AI when and how to wire image uploads.
[0.6.3] - 2026-05-25
Added
- New skill teaches the AI how to query the database correctly without breaking.
- Skills API now lists each skill's reference files with URLs so AI agents can fetch them.
- Drizzle skill now covers migrations, dev-server restart, and the common AI failure modes.
- New skill enforces clean controller → service → repository layout so the AI stops putting database calls in pages.
- New file blocks: image cropper with zoom/aspect presets, and drag-and-drop upload area with progress.
- Crop block now resizes and re-compresses output (defaults 1920×1080 @ 0.85, WebP for round crops).
Fixed
- Svelte component libraries (like
svelte-easy-crop) now resolve at build time via thesvelteexport condition. - Fixed page-server crash (
b0 is not defined/bundle_full_exports is not defined) caused by an overly broad resolver — now uses Bun'sconditionsoption instead. - Crop block exposes a
crossOriginprop and removesh-fullfrom the outer wrapper so it lays out correctly inside unsized parents. - Crop demo now uses an image source that returns
Access-Control-Allow-Origin: *(the previous Picsum URL was being blocked bycrossorigin="anonymous"and rendered as a broken image).
Changed
db:migratenow runs bun-native instead of needingbetter-sqlite3/@libsql/client.- Drizzle skills updated so each feature gets its own repository, service, and validator files.
[0.6.2] - 2026-05-24
Fixed
- Response cache no longer breaks SSE endpoints (auto-skips
text/event-stream). - Response cache now respects
Cache-Control: no-store|private|no-cacheheaders.
[0.6.1] - 2026-05-24
Changed
- Updated SvelteKit differences documentation.
[0.6.0] - 2026-05-24
Added
- Database drizzle feature now supports postgres, mysql, and sqlite (choose via URL)
- New database intake skill guides users through engine selection during app setup
- Server response caching with automatic compression (gzip + brotli)
- Invalidate specific cached pages using
invalidate()andinvalidateAll()helpers - Per-route cache opt-out with
export const cache = false - New response-cache guide with setup instructions and examples
Changed
- CSP-enabled apps now skip caching to avoid nonce conflicts
- Server-side invalidate functions moved to bosia/server (browser bundle cleanup)
Fixed
- Safari dev server now works (fixed proxy encoding issue)
- Browser hydration no longer crashes from missing process variable
- Type checking now passes on inspector error reporter
[0.5.13] - 2026-05-23
Added
- New skills: bosia-env (environment variable prefixes) and bosia-cors (cross-origin config)
Changed
- Inspector now shows full component chain (outer page → inner component) so AI edits right file
Added
- HTML comments track component call-sites for inspector overlay reconstruction
- Production now handles uncaught errors (logs and exits cleanly for restart)
- New MAX_INFLIGHT env var limits concurrent requests to prevent OOM under load
[0.5.12] - 2026-05-22
Fixed
- Dev server no longer misses file edits via atomic writes (added 5s mtime poll safety net)
- Dev crash loop no longer hangs (now retries with exponential backoff forever)
- Error pages now auto-reload when source is fixed (instead of stuck on error screen)
[0.5.11] - 2026-05-21
Fixed
- Fixed inspector in dev mode
[0.5.10] - 2026-05-20
Added
- New
goto()function for programmatic page navigation without full reload - New
beforeNavigate()andafterNavigate()hooks to hook into navigation lifecycle - New navigation guide documenting all navigation patterns (link, goto, form redirect)
- New bosia-navigation skill for AI agents building navigation features
Fixed
- Hydration errors now log to console (previously silent with stuck loading spinner)
- Error pages no longer show loading spinner that blocks clicking links
[0.5.9] - 2026-05-20
Added
- New
src/app.htmltemplate support for customizing HTML shell - New
bosia add fontcommand to add Google Fonts to src/app.css - New bosia-app-css skill teaching font import order for Tailwind
[0.5.8] - 2026-05-19
Fixed
- Dev no longer crashes on bind directives in Svelte components (fixed shadow variable)
- Dev no longer fails when multiple routes import same component with styles
[0.5.7] - 2026-05-19
Added
- Inspector now shows runtime error badge in corner; click to see list and send to AI
Changed
- Route params now passed as separate
paramsprop (not nested indata.params) - Starter templates now organize public pages under
(public)/route group
Fixed
- Inspector stack traces now point to correct source line in .svelte files
[0.5.6] - 2026-05-18
Fixed
- Build and dev can now run simultaneously (build no longer deletes dev output)
[0.5.5] - 2026-05-18
Changed
- Dev server now writes to .bosia/dev/ instead of ./dist/ to avoid conflicts with prod builds
Added
- New BOSIA_OUT_DIR env var lets you build to a custom output folder
[0.5.4] - 2026-05-17
Fixed
- Dev no longer crashes on pages with multiple routes but no component styles
Added
- New IDLE_TIMEOUT setting for slow streaming responses (chat, etc)
- Six new brief-intake skills guide users through app design questions (name, audience, colors)
- New bosia-frontend-design skill forces aesthetic consistency (fonts, colors, memorable detail)
- Brief-intake now collects design direction and stores in BRIEF.md for consistency
Changed
- Component installation now batches 1-3 items per call (faster, avoids timeouts)
- All page scaffolds now read BRIEF.md to inherit design direction
- Brief review now checks that design direction was committed and applied
[0.5.3] - 2026-05-16
Added
- API routes can now be prerendered as static .json files at build time
Changed
- Docs API endpoints now use framework prerender instead of hand-rolled JSON generation
- API response field changed from
mdFiletocontentfor consistency
Fixed
- Dev .json URLs now work correctly for dynamic routes with catch-all siblings
- Docs pages no longer crash with syntax highlighter in production builds
[0.5.2] - 2026-05-15
Added
- New chat design skills: message composer and message feed with built-in markdown renderer
bosia addnow accepts multiple components in one call- New
-y/--yesflag onbosia addfor CI/script automation - Docs site now has /api/components and /api/blocks JSON endpoints
[0.5.1] - 2026-05-15
Added
- New DISABLE_X_FRAME_OPTIONS env var lets apps be embedded as iframes
- Docs site now has public /api/skills endpoint for AI agents to read guides
Changed
- New projects ship with Inspector plugin enabled by default (Alt+click to edit)
Fixed
- Dev no longer gets stuck on "App server is starting" after file save
[0.5.0] - 2026-05-14
Changed
- Page data now embedded as JSON in HTML (faster parsing than JavaScript)
Added
- Pages/layouts now skip reloading data when dependencies didn't change
- New
depends()API lets loaders declare custom dependencies - New
invalidate()/invalidateAll()helpers for selective cache invalidation - Loaders now auto-track reads and only re-fetch when inputs change
- New data invalidation guide with examples
Fixed
- Link prefetches now tell server which loaders are cached (no unnecessary re-runs)
[0.4.6] - 2026-05-13
Added
- New CSP_DIRECTIVES env var for strict Content Security Policy with nonces
- New event.locals.nonce field to use nonces on custom inline scripts
Changed
- CSP nonce only generated when CSP is enabled (performance improvement when off)
Fixed
- Redirects now reject javascript:/data:/vbscript: URLs (security)
- CSRF checks no longer trust forwarded headers by default (set TRUST_PROXY to enable)
- CORS responses now always include Vary: Origin header (cache safety)
- Prerender now validates dynamic routes don't escape output folder
- CORS preflight now checks methods and headers against allow-list
- Dev CSRF checks now work correctly behind proxy
[0.4.5] - 2026-05-11
Added
- Two new registry kinds: Blocks (ready-made UI sections) and Themes (color/font packs)
- New
bosia add blockandbosia add themecommands - First theme ships: editorial (serif + warm cream)
- Docs site has Blocks and Themes sections with previews
[0.4.4] - 2026-05-09
Fixed
- Production builds no longer fail with CSS duplication errors on many routes
[0.4.3] - 2026-05-09
Changed
- Page route resolution now happens once per request (not 3-4 times) — slightly faster
Fixed
- Production builds no longer fail with CSS errors from Svelte inline styles
Removed
- Removed redundant API route pre-handler, removed bun-plugin-svelte dependency
[0.4.2] - 2026-05-07
Fixed
- New projects now ship with working .gitignore file
bun run checknow passes on freshly created projects
Added
- New
bun run check:templatesscript validates template integrity
[0.4.1] - 2026-05-06
Added
- New inspector plugin: Alt+click any element to jump to its source code in your editor
[0.4.0] - 2026-05-05
Added
- New plugin system with bosia.config.ts (zero overhead if unused)
- New server-timing plugin shows request timing in browser DevTools
- New defineConfig helper for type-safe configs
Changed
- server-timing metric name changed from
totaltohandler
Fixed
- Plugin imports now resolve correctly from node_modules
[0.3.4] - 2026-05-04
Added
- Error pages can now be nested in any route folder (not just root)
- In-app errors now use nearest error page without full reload
Fixed
- Ctrl+C now cleanly stops dev server (no misleading error code)
[0.3.3] - 2026-05-03
Added
- New testing guide with bun test examples
- Error pages now have type hints via ./$types
Changed
- Build now fails clearly on malformed tsconfig.json
Fixed
- Form submissions without JavaScript now work correctly
[0.3.2] - 2026-05-02
Fixed
- Ctrl+C now stops server on first press (not requiring second press)
- Server now shows proper error page instead of broken partial content
- Build cleanup prevents port conflicts when building multiple times
- Rapid file saves no longer trigger duplicate rebuilds
[0.3.1] - 2026-05-01
Added
- Public pages now share single server request (faster, less load)
- New
(private)folder pattern for per-user pages (dashboards, etc)
Fixed
- Fixed security issue where users could see each other's data
- Fixed crash when creating new projects
- .env deletions now take effect immediately in dev server
[0.3.0] - 2026-04-30
Added
- New
bosia testcommand with auto-configured environment - 167 automated tests for framework utilities and build tools
- Automatic code formatting with Prettier across all templates
- New
trailingSlashoption to control URL format
Fixed
- Fixed trailingSlash setting being silently ignored
Changed
- Route params now have proper TypeScript types (errors on wrong param names)
[0.2.3] - 2026-04-29
Added
- Feature install now merges files instead of replacing them (preserves customizations)
- Forms now submit without full page reload (progressive enhancement)
- New
ssr = falseoption for client-only pages
Security
- Page language tag validation (prevents code injection via lang attribute)
- CORS_MAX_AGE validation at startup
Changed
- Compression threshold raised to 2KB (small responses faster without compression)
Fixed
- Non-English character compression now works correctly
- .env comment parsing now ignores inline comments after value
[0.2.2] - 2026-04-28
Security
- Fixed cookies being sent to third-party APIs (only forwarded to own server now)
Changed
- Link prefetch cache limited to 50 entries (prevent unbounded memory growth)
- Prefetch data expires after 30 seconds (shows fresh content when idle)
Fixed
- Cmd/Ctrl+click and middle-click no longer intercepted by router
[0.2.1] - 2026-04-26
Changed
- Route matching now faster (patterns compiled once at startup)
[0.2.0] - 2026-04-25
Added
- Multiple visitors to same page now share single server call (less load)
Changed
- Builds now 500–1000ms faster (client + server bundles in parallel)
- Tailwind compiles during build (saves another 500–800ms)
- Middleware handlers now loop instead of nesting (prevent call stack issues)
[0.1.26] - 2026-04-24
Added
- Direction, Kbd, ScrollArea, Resizable, Menubar, ContextMenu components
Changed
- Kbd component can now trigger actual keyboard shortcuts
[0.1.25] - 2026-04-23
Added
- AspectRatio and RangeCalendar components
Fixed
- Component previews now display in correct position in docs
- Restored missing previews for sidebar, navbar, chart, data-table, icon
- Floating UI elements no longer cut off in preview containers
[0.1.24] - 2026-04-22
Added
- Popover now supports hover trigger with configurable close delay
- Popovers can now be controlled programmatically
- Sidebar submenus open on hover when collapsed
[0.1.23] - 2026-04-21
Added
- 12 Typography components (H1–H4, P, Blockquote, etc) for consistent text styling
- 6 new icons: terminal, book, package, hash, map, circle
- SidebarTrigger button for programmatic sidebar control
- Sidebar now has collapsed icon-only mode with hover submenus
Changed
- Sidebar demo redesigned with company header and user avatar footer
Fixed
- Sidebar text/labels properly hidden in icon-only mode
- Text no longer overflows during collapse animation
- Icons now properly centered in collapsed sidebar
[0.1.22] - 2026-04-20
Added
- Empty component for no-content states
- Carousel component with autoplay and keyboard navigation
[0.1.21] - 2026-04-19
Added
- Form component with validation state management (Zod/Valibot compatible)
[0.1.20] - 2026-04-18
Added
- Item, Collapsible, DatePicker components
[0.1.19] - 2026-04-17
Added
- Table components (Table, Header, Body, Row, Cell) for data display
- Calendar component with month/year nav and date constraints
Removed
- Removed clsx dependency (functionality moved to cn() utility)
[0.1.18] - 2026-04-16
Added
- NativeSelect component (styled native dropdown for mobile/forms)
- InputOTP component with copy-paste and SMS autofill
[0.1.17] - 2026-04-14
Added
- ButtonGroup component for connected button rows/columns
[0.1.16] - 2026-04-12
Added
- InputGroup component with prefix/suffix text and icons
- Combobox component with searchable filtering
- Command component for keyboard-driven palette search
[0.1.15] - 2026-04-11
Added
- Accordion, Pagination, Breadcrumb, NavigationMenu components
[0.1.14] - 2026-04-10
Added
- Tabs, HoverCard, Popover, Progress, Alert, AlertDialog components
- Sonner toast notification system
- Tooltip, Spinner, Skeleton components
[0.1.13] - 2026-04-09
Added
- Toggle, Textarea, Switch, Field, ToggleGroup, Slider components
[0.1.12] - 2026-04-08
Added
- Select, RadioGroup, Label, Dialog, Checkbox components
[0.1.11] - 2026-04-07
Changed
--template drizzlerenamed to--template todo
[0.1.10] - 2026-04-06
Changed
- Todo components now organized in subfolders like UI components
- Component docs moved to dedicated subfolders
- Docs sidebar shows UI and Todo as separate groups
[0.1.9] - 2026-04-05
Added
- Auto cache headers (private for user content, cacheable for public)
- Metadata documentation page for SEO/social sharing
- Open Graph, Twitter card, canonical tags on all docs
- Automatic sitemap.xml generation with language alternates
[0.1.8] - 2026-04-04
Changed
- Drizzle template now uses registry features (keeps in sync automatically)
- Feature/component install now supports non-interactive mode for scripts
- Missing DATABASE_URL now shows clear warning
[0.1.7] - 2026-04-04
Added
- Cookies now have secure defaults (httpOnly, secure, SameSite: Lax)
Changed
- Todo feature split into cleaner data/logic/handler layers
[0.1.6] - 2026-04-03
Fixed
- Cookie names now follow HTTP standard (work with other servers)
- Invalid .env variable names now show clear error with line number
- .env double-quoted values now support escape sequences (\n, \t, \)
[0.1.5] - 2026-04-01
Added
- Server graceful shutdown (waits up to 10s for in-flight requests)
Fixed
- Rapid file saves no longer trigger multiple builds (queued instead)
[0.1.4] - 2026-03-30
Added
- redirect() now blocks external URLs by default (security)
Fixed
- Page navigation now scrolls to top as expected
- Back/forward buttons no longer force scroll to top
- Stylesheets/scripts no longer duplicated in page head
[0.1.3] - 2026-03-29
Added
bosia addnow installs top-level components to correct pathbosia featauto-installs required dependencies and asks before overwriting- New
--template drizzlewith PostgreSQL + todo demo - New
bosia feat drizzleandbosia feat todofeatures - Component registry now supports features
[0.1.2] - 2026-03-28
Added
- Docs rebuilt using Bosia with Markdown parsing and Shiki syntax highlighting
- Docs now have sidebar, navbar, dark mode, i18n (EN/ID)
- Live component demos in documentation
- Landing page with hero and quick-start
- Dynamic route prerendering with
entries()export generateStaticSite()for static hosting- GitHub Actions deployment workflow for GitHub Pages
Changed
- Data endpoint now uses path-based URLs (for static hosting)
- Prerendered pages include data files for client-side navigation
bosia addnow fetches from GitHub directly
Fixed
- Mobile rendering now works with viewport meta tag
- Syntax highlighter errors now logged with language name
[0.1.1] - 2026-03-27
Added
- Component registry with 12 UI components (avatar, badge, button, card, etc)
- Live, interactive component demos in docs
bosia add --localfor local registry during development- Custom component paths (
bosia add shop/cart) cn()utility auto-created bybosia add- Confirm/skip prompt when component already exists
[0.1.0] - 2026-03-26
Changed
- Renamed framework from bosbun to bosia
- Template picker now uses arrow keys for navigation
[0.0.8] - 2026-03-26
Changed
- Environment import path changed from bosbun:env to $env
Added
- Dev server now auto-restarts on crash (stops after 3 rapid crashes)
- Added docs site with 14 pages
- Full Indonesian documentation translations
- Automated GitHub Pages deployment
Removed
- Removed unused renderSSR and buildHtmlShell functions
- Made internal APIs private (STATIC_EXTS, DEFAULT_CSRF_CONFIG, etc)
Fixed
- PUT/PATCH/DELETE now use full middleware pipeline
- Fixed timer memory leak on request timeout
- Fixed caching bug with old HTML shells
- Client navigation with query strings/fragments now works
[0.0.7] - 2026-03-25
Added
bosbun createnow shows an interactive template picker — choose betweendefault(minimal starter) anddemo(full-featured with blog, API routes, form actions, and more).- Added automated npm publishing — new versions are published automatically when the version in
package.jsonis bumped.
Updated
- Updated the package description and README to better explain what Bosia is and what makes it different.
Changed
- Replaced the rabbit emoji with a new SVG logo across all templates, CLI output, and the favicon.
Fixed
- Fixed
bosbun createto pin the framework to the version used when creating the project instead of always pulling the latest. - Fixed Tailwind CSS not being found in certain install layouts (hoisted vs. nested
node_modules). - Fixed a crash on first page load when Bosia is installed via npm — caused by two separate copies of the Svelte runtime being loaded at the same time.
- Fixed an incorrect path being added for Tailwind CSS resolution in monorepo setups.
[0.0.6] - 2026-03-25
Changed
- Renamed framework from bunia to bosbun
[0.0.5] - 2026-03-24
Added
- Link prefetching on hover and scroll (5s cache)
[0.0.4] - 2026-03-23
Added
- Data loading timeouts (load: 5s, metadata: 3s; configurable)
- Build timeout for static prerendering
Fixed
- System PUBLIC_ env vars no longer leaked to browser
- Streaming errors now return proper status and error page
- JSON serialization no longer crashes on circular references
- Path traversal attacks now blocked on static files
- Invalid cookie percent-encoding now fails gracefully
- Cookie domain/path validation prevents header injection
Changed
- Routes now sorted and matched more efficiently
[0.0.3] - 2026-03-21
Added
- metadata() function for server-side page metadata (SEO-friendly)
- Form actions in +page.server.ts with validation and named actions
[0.0.2] - 2026-03-20
Added
- .env file support with prefix-based access control (PUBLIC*, STATIC*, server-only)
- Graceful shutdown with 10s safety net for in-progress requests
- Configurable request body size limit (default 512KB)
- CSRF protection on form submissions and API mutations
- CORS support via CORS_ALLOWED_ORIGINS env var
- Error responses now hide stack traces in production
Fixed
- XSS vulnerability: special chars in JSON now properly escaped
- SSRF risk: internal data endpoint now validates path parameter
[0.0.1] - 2026-03-19
Added
Core
- SSR with Svelte 5 Runes support
- File-based routing (+page.svelte, +layout.ts, +server.ts)
- Dynamic and catch-all routes with typed parameters
- Route groups for shared layouts
- Error pages with HTTP status codes
Data Loading
- load() function with auto-typed $types codegen
- PageData/PageProps and LayoutData/LayoutProps types
Server
- ElysiaJS server (port 3001 dev, 3000 prod)
- Gzip compression, static file caching
- /_health endpoint for monitoring
- Cookie support with Set-Cookie headers
Client
- Client-side hydration and router (instant page navigation)
- Navigation progress bar and HMR
- CSR opt-out with
export const csr = false
Build
- Bun build pipeline with Svelte plugin
- Client/server bundles with manifest
- Static prerendering with
export const prerender = true - Tailwind CSS v4 built-in
- $lib alias for clean imports
CLI
- bosbun dev/build/start/create commands
Developer Experience
- Project template with Dockerfile
- Full TypeScript support with auto-patched tsconfig
- Hooks middleware system with sequence() helper
[0.0.0] - 2026-03-19
Added
- Initial framework scaffolding and core SSR/client infrastructure
- Dev server with proxy and file watcher
- CLI with dev/build/start/create commands
- Demo application