Changelog

All notable changes to Bosia are documented in this file.

The format is based on Keep a Changelog.


[0.6.6] - 2026-05-27

Fixed

  • Build now finds binaries (e.g. tailwindcss) when deps are hoisted to a monorepo root node_modules.
  • Audit no longer false-flags <DemoComponent /> when bound via sibling {@const DemoComponent = ...}.

Changed

  • Docs CI install now uses --linker=hoisted so registry blocks can resolve docs-declared deps.
  • Switched docs domain to bosia.dev and moved hosting to Cloudflare Pages.
  • Docs, READMEs, and templates now lead with the production-ready story (security, performance, reliability).

[0.6.5] - 2026-05-27

Added

  • Build now catches <Card.Root> typos at compile time — names missing from the import file fail clearly.

Fixed

  • Cookie sameSite now accepts lowercase (lax, strict, none) — matches SvelteKit/Express.
  • Cookies passed secure:true over HTTP get auto-downgraded with a warning — fixes silent login loops in dev/preview.

Changed

  • Secure cookie flag is now decided per-request from the transport protocol, not from NODE_ENV. Set TRUST_PROXY=true to honor x-forwarded-proto behind reverse proxies.

[0.6.4] - 2026-05-26

Changed

  • Crop and upload blocks now share one combined demo — pick a file, optionally crop, upload.

Fixed

  • Crop demo no longer breaks on CORS — uses your picked file (object URL) instead of a remote image.
  • Docs pages no longer 404 in dev — content path now resolves from the project root, not the bundle location.
  • Crop block's preview area no longer collapses to 0 height — uses inline style as a safe fallback when the host's Tailwind scan doesn't reach the registry source.
  • Docs Tailwind now scans registry/blocks/** so block-defined utility classes get generated.

Added

  • Tiny /api/demo-upload endpoint in docs so the upload demo completes end-to-end without a 500.
  • New file-upload feature: a ready backend for the upload block — shrinks images and saves locally or to S3.
  • bun x bosia feat now lets each feature declare its own flags — file-upload exposes -d sqlite|postgres|mysql; -y (auto-confirm, use defaults) stays a feat-level flag.
  • New bosia-file-upload skill teaches the AI when and how to wire image uploads.

[0.6.3] - 2026-05-25

Added

  • New skill teaches the AI how to query the database correctly without breaking.
  • Skills API now lists each skill's reference files with URLs so AI agents can fetch them.
  • Drizzle skill now covers migrations, dev-server restart, and the common AI failure modes.
  • New skill enforces clean controller → service → repository layout so the AI stops putting database calls in pages.
  • New file blocks: image cropper with zoom/aspect presets, and drag-and-drop upload area with progress.
  • Crop block now resizes and re-compresses output (defaults 1920×1080 @ 0.85, WebP for round crops).

Fixed

  • Svelte component libraries (like svelte-easy-crop) now resolve at build time via the svelte export condition.
  • Fixed page-server crash (b0 is not defined / bundle_full_exports is not defined) caused by an overly broad resolver — now uses Bun's conditions option instead.
  • Crop block exposes a crossOrigin prop and removes h-full from the outer wrapper so it lays out correctly inside unsized parents.
  • Crop demo now uses an image source that returns Access-Control-Allow-Origin: * (the previous Picsum URL was being blocked by crossorigin="anonymous" and rendered as a broken image).

Changed

  • db:migrate now runs bun-native instead of needing better-sqlite3/@libsql/client.
  • Drizzle skills updated so each feature gets its own repository, service, and validator files.

[0.6.2] - 2026-05-24

Fixed

  • Response cache no longer breaks SSE endpoints (auto-skips text/event-stream).
  • Response cache now respects Cache-Control: no-store|private|no-cache headers.

[0.6.1] - 2026-05-24

Changed

  • Updated SvelteKit differences documentation.

[0.6.0] - 2026-05-24

Added

  • Database drizzle feature now supports postgres, mysql, and sqlite (choose via URL)
  • New database intake skill guides users through engine selection during app setup
  • Server response caching with automatic compression (gzip + brotli)
  • Invalidate specific cached pages using invalidate() and invalidateAll() helpers
  • Per-route cache opt-out with export const cache = false
  • New response-cache guide with setup instructions and examples

Changed

  • CSP-enabled apps now skip caching to avoid nonce conflicts
  • Server-side invalidate functions moved to bosia/server (browser bundle cleanup)

Fixed

  • Safari dev server now works (fixed proxy encoding issue)
  • Browser hydration no longer crashes from missing process variable
  • Type checking now passes on inspector error reporter

[0.5.13] - 2026-05-23

Added

  • New skills: bosia-env (environment variable prefixes) and bosia-cors (cross-origin config)

Changed

  • Inspector now shows the full component chain (outer page → inner component) so the AI edits the right file

Added

  • HTML comments track component call-sites for inspector overlay reconstruction
  • Production now handles uncaught errors (logs and exits cleanly for restart)
  • New MAX_INFLIGHT env var limits concurrent requests to prevent OOM under load

[0.5.12] - 2026-05-22

Fixed

  • Dev server no longer misses file edits via atomic writes (added 5s mtime poll safety net)
  • Dev crash loop no longer hangs (now retries with exponential backoff forever)
  • Error pages now auto-reload when source is fixed (instead of stuck on error screen)

[0.5.11] - 2026-05-21

Fixed

  • Fixed inspector in dev mode

[0.5.10] - 2026-05-20

Added

  • New goto() function for programmatic page navigation without full reload
  • New beforeNavigate() and afterNavigate() hooks to hook into navigation lifecycle
  • New navigation guide documenting all navigation patterns (link, goto, form redirect)
  • New bosia-navigation skill for AI agents building navigation features

Fixed

  • Hydration errors now log to console (previously silent with stuck loading spinner)
  • Error pages no longer show loading spinner that blocks clicking links

[0.5.9] - 2026-05-20

Added

  • New src/app.html template support for customizing HTML shell
  • New bosia add font command to add Google Fonts to src/app.css
  • New bosia-app-css skill teaching font import order for Tailwind

[0.5.8] - 2026-05-19

Fixed

  • Dev no longer crashes on bind directives in Svelte components (fixed shadow variable)
  • Dev no longer fails when multiple routes import same component with styles

[0.5.7] - 2026-05-19

Added

  • Inspector now shows runtime error badge in corner; click to see list and send to AI

Changed

  • Route params now passed as separate params prop (not nested in data.params)
  • Starter templates now organize public pages under (public)/ route group

Fixed

  • Inspector stack traces now point to correct source line in .svelte files

[0.5.6] - 2026-05-18

Fixed

  • Build and dev can now run simultaneously (build no longer deletes dev output)

[0.5.5] - 2026-05-18

Changed

  • Dev server now writes to .bosia/dev/ instead of ./dist/ to avoid conflicts with prod builds

Added

  • New BOSIA_OUT_DIR env var lets you build to a custom output folder

[0.5.4] - 2026-05-17

Fixed

  • Dev no longer crashes on pages with multiple routes but no component styles

Added

  • New IDLE_TIMEOUT setting for slow streaming responses (chat, etc)
  • Six new brief-intake skills guide users through app design questions (name, audience, colors)
  • New bosia-frontend-design skill forces aesthetic consistency (fonts, colors, memorable detail)
  • Brief-intake now collects design direction and stores in BRIEF.md for consistency

Changed

  • Component installation now batches 1-3 items per call (faster, avoids timeouts)
  • All page scaffolds now read BRIEF.md to inherit design direction
  • Brief review now checks that design direction was committed and applied

[0.5.3] - 2026-05-16

Added

  • API routes can now be prerendered as static .json files at build time

Changed

  • Docs API endpoints now use framework prerender instead of hand-rolled JSON generation
  • API response field changed from mdFile to content for consistency

Fixed

  • Dev .json URLs now work correctly for dynamic routes with catch-all siblings
  • Docs pages no longer crash with syntax highlighter in production builds

[0.5.2] - 2026-05-15

Added

  • New chat design skills: message composer and message feed with built-in markdown renderer
  • bosia add now accepts multiple components in one call
  • New -y / --yes flag on bosia add for CI/script automation
  • Docs site now has /api/components and /api/blocks JSON endpoints

[0.5.1] - 2026-05-15

Added

  • New DISABLE_X_FRAME_OPTIONS env var lets apps be embedded as iframes
  • Docs site now has public /api/skills endpoint for AI agents to read guides

Changed

  • New projects ship with Inspector plugin enabled by default (Alt+click to edit)

Fixed

  • Dev no longer gets stuck on "App server is starting" after file save

[0.5.0] - 2026-05-14

Changed

  • Page data now embedded as JSON in HTML (faster parsing than JavaScript)

Added

  • Pages/layouts now skip reloading data when dependencies didn't change
  • New depends() API lets loaders declare custom dependencies
  • New invalidate() / invalidateAll() helpers for selective cache invalidation
  • Loaders now auto-track reads and only re-fetch when inputs change
  • New data invalidation guide with examples

Fixed

  • Link prefetches now tell server which loaders are cached (no unnecessary re-runs)

[0.4.6] - 2026-05-13

Added

  • New CSP_DIRECTIVES env var for strict Content Security Policy with nonces
  • New event.locals.nonce field to use nonces on custom inline scripts

Changed

  • CSP nonce only generated when CSP is enabled (performance improvement when off)

Fixed

  • Redirects now reject javascript:/data:/vbscript: URLs (security)
  • CSRF checks no longer trust forwarded headers by default (set TRUST_PROXY to enable)
  • CORS responses now always include Vary: Origin header (cache safety)
  • Prerender now validates that dynamic routes don't escape the output folder
  • CORS preflight now checks methods and headers against allow-list
  • Dev CSRF checks now work correctly behind proxy

[0.4.5] - 2026-05-11

Added

  • Two new registry kinds: Blocks (ready-made UI sections) and Themes (color/font packs)
  • New bosia add block and bosia add theme commands
  • First theme ships: editorial (serif + warm cream)
  • Docs site has Blocks and Themes sections with previews

[0.4.4] - 2026-05-09

Fixed

  • Production builds no longer fail with CSS duplication errors on many routes

[0.4.3] - 2026-05-09

Changed

  • Page route resolution now happens once per request (not 3-4 times) — slightly faster

Fixed

  • Production builds no longer fail with CSS errors from Svelte inline styles

Removed

  • Removed redundant API route pre-handler, removed bun-plugin-svelte dependency

[0.4.2] - 2026-05-07

Fixed

  • New projects now ship with working .gitignore file
  • bun run check now passes on freshly created projects

Added

  • New bun run check:templates script validates template integrity

[0.4.1] - 2026-05-06

Added

  • New inspector plugin: Alt+click any element to jump to its source code in your editor

[0.4.0] - 2026-05-05

Added

  • New plugin system with bosia.config.ts (zero overhead if unused)
  • New server-timing plugin shows request timing in browser DevTools
  • New defineConfig helper for type-safe configs

Changed

  • server-timing metric name changed from total to handler

Fixed

  • Plugin imports now resolve correctly from node_modules

[0.3.4] - 2026-05-04

Added

  • Error pages can now be nested in any route folder (not just root)
  • In-app errors now use nearest error page without full reload

Fixed

  • Ctrl+C now cleanly stops dev server (no misleading error code)

[0.3.3] - 2026-05-03

Added

  • New testing guide with bun test examples
  • Error pages now have type hints via ./$types

Changed

  • Build now fails clearly on malformed tsconfig.json

Fixed

  • Form submissions without JavaScript now work correctly

[0.3.2] - 2026-05-02

Fixed

  • Ctrl+C now stops server on first press (not requiring second press)
  • Server now shows proper error page instead of broken partial content
  • Build cleanup prevents port conflicts when building multiple times
  • Rapid file saves no longer trigger duplicate rebuilds

[0.3.1] - 2026-05-01

Added

  • Public pages now share single server request (faster, less load)
  • New (private) folder pattern for per-user pages (dashboards, etc)

Fixed

  • Fixed security issue where users could see each other's data
  • Fixed crash when creating new projects
  • .env deletions now take effect immediately in dev server

[0.3.0] - 2026-04-30

Added

  • New bosia test command with auto-configured environment
  • 167 automated tests for framework utilities and build tools
  • Automatic code formatting with Prettier across all templates
  • New trailingSlash option to control URL format

Fixed

  • Fixed trailingSlash setting being silently ignored

Changed

  • Route params now have proper TypeScript types (errors on wrong param names)

[0.2.3] - 2026-04-29

Added

  • Feature install now merges files instead of replacing them (preserves customizations)
  • Forms now submit without full page reload (progressive enhancement)
  • New ssr = false option for client-only pages

Security

  • Page language tag validation (prevents code injection via lang attribute)
  • CORS_MAX_AGE validation at startup

Changed

  • Compression threshold raised to 2KB (small responses faster without compression)

Fixed

  • Non-English character compression now works correctly
  • .env comment parsing now ignores inline comments after value

[0.2.2] - 2026-04-28

Security

  • Fixed cookies being sent to third-party APIs (only forwarded to own server now)

Changed

  • Link prefetch cache limited to 50 entries (prevent unbounded memory growth)
  • Prefetch data expires after 30 seconds (shows fresh content when idle)

Fixed

  • Cmd/Ctrl+click and middle-click no longer intercepted by router

[0.2.1] - 2026-04-26

Changed

  • Route matching now faster (patterns compiled once at startup)

[0.2.0] - 2026-04-25

Added

  • Multiple visitors to same page now share single server call (less load)

Changed

  • Builds now 500–1000ms faster (client + server bundles in parallel)
  • Tailwind compiles during build (saves another 500–800ms)
  • Middleware handlers now loop instead of nesting (prevent call stack issues)

[0.1.26] - 2026-04-24

Added

  • Direction, Kbd, ScrollArea, Resizable, Menubar, ContextMenu components

Changed

  • Kbd component can now trigger actual keyboard shortcuts

[0.1.25] - 2026-04-23

Added

  • AspectRatio and RangeCalendar components

Fixed

  • Component previews now display in correct position in docs
  • Restored missing previews for sidebar, navbar, chart, data-table, icon
  • Floating UI elements no longer cut off in preview containers

[0.1.24] - 2026-04-22

Added

  • Popover now supports hover trigger with configurable close delay
  • Popovers can now be controlled programmatically
  • Sidebar submenus open on hover when collapsed

[0.1.23] - 2026-04-21

Added

  • 12 Typography components (H1–H4, P, Blockquote, etc) for consistent text styling
  • 6 new icons: terminal, book, package, hash, map, circle
  • SidebarTrigger button for programmatic sidebar control
  • Sidebar now has collapsed icon-only mode with hover submenus

Changed

  • Sidebar demo redesigned with company header and user avatar footer

Fixed

  • Sidebar text/labels properly hidden in icon-only mode
  • Text no longer overflows during collapse animation
  • Icons now properly centered in collapsed sidebar

[0.1.22] - 2026-04-20

Added

  • Empty component for no-content states
  • Carousel component with autoplay and keyboard navigation

[0.1.21] - 2026-04-19

Added

  • Form component with validation state management (Zod/Valibot compatible)

[0.1.20] - 2026-04-18

Added

  • Item, Collapsible, DatePicker components

[0.1.19] - 2026-04-17

Added

  • Table components (Table, Header, Body, Row, Cell) for data display
  • Calendar component with month/year nav and date constraints

Removed

  • Removed clsx dependency (functionality moved to cn() utility)

[0.1.18] - 2026-04-16

Added

  • NativeSelect component (styled native dropdown for mobile/forms)
  • InputOTP component with copy-paste and SMS autofill

[0.1.17] - 2026-04-14

Added

  • ButtonGroup component for connected button rows/columns

[0.1.16] - 2026-04-12

Added

  • InputGroup component with prefix/suffix text and icons
  • Combobox component with searchable filtering
  • Command component for keyboard-driven palette search

[0.1.15] - 2026-04-11

Added

  • Accordion, Pagination, Breadcrumb, NavigationMenu components

[0.1.14] - 2026-04-10

Added

  • Tabs, HoverCard, Popover, Progress, Alert, AlertDialog components
  • Sonner toast notification system
  • Tooltip, Spinner, Skeleton components

[0.1.13] - 2026-04-09

Added

  • Toggle, Textarea, Switch, Field, ToggleGroup, Slider components

[0.1.12] - 2026-04-08

Added

  • Select, RadioGroup, Label, Dialog, Checkbox components

[0.1.11] - 2026-04-07

Changed

  • --template drizzle renamed to --template todo

[0.1.10] - 2026-04-06

Changed

  • Todo components now organized in subfolders like UI components
  • Component docs moved to dedicated subfolders
  • Docs sidebar shows UI and Todo as separate groups

[0.1.9] - 2026-04-05

Added

  • Auto cache headers (private for user content, cacheable for public)
  • Metadata documentation page for SEO/social sharing
  • Open Graph, Twitter card, canonical tags on all docs
  • Automatic sitemap.xml generation with language alternates

[0.1.8] - 2026-04-04

Changed

  • Drizzle template now uses registry features (keeps in sync automatically)
  • Feature/component install now supports non-interactive mode for scripts
  • Missing DATABASE_URL now shows clear warning

[0.1.7] - 2026-04-04

Added

  • Cookies now have secure defaults (httpOnly, secure, SameSite: Lax)

Changed

  • Todo feature split into cleaner data/logic/handler layers

[0.1.6] - 2026-04-03

Fixed

  • Cookie names now follow HTTP standard (work with other servers)
  • Invalid .env variable names now show clear error with line number
  • .env double-quoted values now support escape sequences (\n, \t, \)

[0.1.5] - 2026-04-01

Added

  • Server graceful shutdown (waits up to 10s for in-flight requests)

Fixed

  • Rapid file saves no longer trigger multiple builds (queued instead)

[0.1.4] - 2026-03-30

Added

  • redirect() now blocks external URLs by default (security)

Fixed

  • Page navigation now scrolls to top as expected
  • Back/forward buttons no longer force scroll to top
  • Stylesheets/scripts no longer duplicated in page head

[0.1.3] - 2026-03-29

Added

  • bosia add now installs top-level components to correct path
  • bosia feat auto-installs required dependencies and asks before overwriting
  • New --template drizzle with PostgreSQL + todo demo
  • New bosia feat drizzle and bosia feat todo features
  • Component registry now supports features

[0.1.2] - 2026-03-28

Added

  • Docs rebuilt using Bosia with Markdown parsing and Shiki syntax highlighting
  • Docs now have sidebar, navbar, dark mode, i18n (EN/ID)
  • Live component demos in documentation
  • Landing page with hero and quick-start
  • Dynamic route prerendering with entries() export
  • generateStaticSite() for static hosting
  • GitHub Actions deployment workflow for GitHub Pages

Changed

  • Data endpoint now uses path-based URLs (for static hosting)
  • Prerendered pages include data files for client-side navigation
  • bosia add now fetches from GitHub directly

Fixed

  • Mobile rendering now works with viewport meta tag
  • Syntax highlighter errors now logged with language name

[0.1.1] - 2026-03-27

Added

  • Component registry with 12 UI components (avatar, badge, button, card, etc)
  • Live, interactive component demos in docs
  • bosia add --local for local registry during development
  • Custom component paths (bosia add shop/cart)
  • cn() utility auto-created by bosia add
  • Confirm/skip prompt when component already exists

[0.1.0] - 2026-03-26

Changed

  • Renamed framework from bosbun to bosia
  • Template picker now uses arrow keys for navigation

[0.0.8] - 2026-03-26

Changed

  • Environment import path changed from bosbun:env to $env

Added

  • Dev server now auto-restarts on crash (stops after 3 rapid crashes)
  • Added docs site with 14 pages
  • Full Indonesian documentation translations
  • Automated GitHub Pages deployment

Removed

  • Removed unused renderSSR and buildHtmlShell functions
  • Made internal APIs private (STATIC_EXTS, DEFAULT_CSRF_CONFIG, etc)

Fixed

  • PUT/PATCH/DELETE now use full middleware pipeline
  • Fixed timer memory leak on request timeout
  • Fixed caching bug with old HTML shells
  • Client navigation with query strings/fragments now works

[0.0.7] - 2026-03-25

Added

  • bosbun create now shows an interactive template picker — choose between default (minimal starter) and demo (full-featured with blog, API routes, form actions, and more).
  • Added automated npm publishing — new versions are published automatically when the version in package.json is bumped.

Updated

  • Updated the package description and README to better explain what Bosia is and what makes it different.

Changed

  • Replaced the rabbit emoji with a new SVG logo across all templates, CLI output, and the favicon.

Fixed

  • Fixed bosbun create to pin the framework to the version used when creating the project instead of always pulling the latest.
  • Fixed Tailwind CSS not being found in certain install layouts (hoisted vs. nested node_modules).
  • Fixed a crash on first page load when Bosia is installed via npm — caused by two separate copies of the Svelte runtime being loaded at the same time.
  • Fixed an incorrect path being added for Tailwind CSS resolution in monorepo setups.

[0.0.6] - 2026-03-25

Changed

  • Renamed framework from bunia to bosbun

[0.0.5] - 2026-03-24

Added

  • Link prefetching on hover and scroll (5s cache)

[0.0.4] - 2026-03-23

Added

  • Data loading timeouts (load: 5s, metadata: 3s; configurable)
  • Build timeout for static prerendering

Fixed

  • System PUBLIC_ env vars no longer leaked to browser
  • Streaming errors now return proper status and error page
  • JSON serialization no longer crashes on circular references
  • Path traversal attacks now blocked on static files
  • Invalid cookie percent-encoding now fails gracefully
  • Cookie domain/path validation prevents header injection

Changed

  • Routes now sorted and matched more efficiently

[0.0.3] - 2026-03-21

Added

  • metadata() function for server-side page metadata (SEO-friendly)
  • Form actions in +page.server.ts with validation and named actions

[0.0.2] - 2026-03-20

Added

  • .env file support with prefix-based access control (PUBLIC_*, STATIC_*, server-only)
  • Graceful shutdown with 10s safety net for in-progress requests
  • Configurable request body size limit (default 512KB)
  • CSRF protection on form submissions and API mutations
  • CORS support via CORS_ALLOWED_ORIGINS env var
  • Error responses now hide stack traces in production

Fixed

  • XSS vulnerability: special chars in JSON now properly escaped
  • SSRF risk: internal data endpoint now validates path parameter

[0.0.1] - 2026-03-19

Added

Core

  • SSR with Svelte 5 Runes support
  • File-based routing (+page.svelte, +layout.ts, +server.ts)
  • Dynamic and catch-all routes with typed parameters
  • Route groups for shared layouts
  • Error pages with HTTP status codes

Data Loading

  • load() function with auto-typed $types codegen
  • PageData/PageProps and LayoutData/LayoutProps types

Server

  • ElysiaJS server (port 3001 dev, 3000 prod)
  • Gzip compression, static file caching
  • /_health endpoint for monitoring
  • Cookie support with Set-Cookie headers

Client

  • Client-side hydration and router (instant page navigation)
  • Navigation progress bar and HMR
  • CSR opt-out with export const csr = false

Build

  • Bun build pipeline with Svelte plugin
  • Client/server bundles with manifest
  • Static prerendering with export const prerender = true
  • Tailwind CSS v4 built-in
  • $lib alias for clean imports

CLI

  • bosbun dev/build/start/create commands

Developer Experience

  • Project template with Dockerfile
  • Full TypeScript support with auto-patched tsconfig
  • Hooks middleware system with sequence() helper

[0.0.0] - 2026-03-19

Added

  • Initial framework scaffolding and core SSR/client infrastructure
  • Dev server with proxy and file watcher
  • CLI with dev/build/start/create commands
  • Demo application