fix(server): hard guardrail — never serve server-file source to the client

The dev HTTP layer used to look up .server.* / 'use server' files via
the action index built at boot; on index miss it fell through to
tsResponse() and returned the RAW SOURCE. That's a serious leak
vector: DB credentials, scrypt routines, privileged business logic
all live in these files.

Replace the index lookup with an independent per-request check via
isServerFile(abs), which inspects the actual file on disk. If the
file qualifies (suffix OR directive), we lazily populate the action
index (so stub minting still has a hash) and serve the RPC stub.
The source is unreachable regardless of index state, file creation
timing, or dev-reload races.

Six regression tests cover: .server.ts, .server.js, 'use server'
.ts, 'use server' .js, ordinary .ts negative control, and files
created after boot (index race).

Document this as a framework invariant in AGENTS.md.

Author: vivek7405

AGENTS.md

@@ -181,6 +181,13 @@ inspired by NextJs, Lit, and Rails.
   calls directly — the import is rewritten into an RPC stub. The RPC wire uses
   **superjson**, so `Date`, `Map`, `Set`, `BigInt`, `undefined`, `URL`, `RegExp`
   round-trip as their real types.
+- **Server-file source is unreachable from the browser (framework invariant).**
+  The HTTP layer independently re-verifies every JS/TS request against the
+  server-file predicate (filename suffix OR `'use server'` directive) before
+  serving bytes. A server file always responds with a generated RPC stub,
+  never its source — this holds regardless of index state, file-system
+  race conditions, or developer error. Enforced in `dev.js`; regression
+  tests in `test/server-file-guardrail.test.js`.
 
 ---
 

packages/server/src/dev.js

@@ -12,14 +12,15 @@ import { ssrPage, ssrNotFound } from './ssr.js';
 import { handleApi } from './api.js';
 import {
   buildActionIndex,
-  resolveServerModule,
   serveActionStub,
   invokeAction,
   matchExposedAction,
   matchAllAtPath,
   invokeExposedAction,
   buildPreflightResponse,
   withCors,
+  isServerFile,
+  hashFile,
 } from './actions.js';
 import { defaultLogger } from './logger.js';
 import { withRequest } from './context.js';
@@ -385,11 +386,26 @@ async function handleCore(req, ctx) {
       }
     }
     if (abs.startsWith(appDir) && (await exists(abs))) {
-      const serverFile = resolveServerModule(state.actionIndex, path) ||
-        // Also recognise stub requests for the .ts form.
-        (abs !== join(appDir, path) ? resolveServerModule(state.actionIndex, '/' + relative(appDir, abs).split(sep).join('/')) : null);
-      if (serverFile) {
-        const stub = await serveActionStub(state.actionIndex, serverFile);
+      // Server-file guardrail: a file is server-only if its name matches
+      // `.server.{js,ts,mjs,mts}` OR the source starts with `'use server'`.
+      // Such files MUST NEVER be served as source to the browser — they
+      // contain secrets, DB queries, and privileged logic. Always return a
+      // generated RPC stub instead.
+      //
+      // We re-verify via `isServerFile(abs)` on every request (not just the
+      // action-index snapshot taken at boot). This catches files created
+      // after boot, files that flipped their `'use server'` status, or any
+      // race between scan completion and request — the guardrail is an
+      // independent check, not a cache lookup.
+      if (await isServerFile(abs)) {
+        // Lazily ensure the index knows about this file so serveActionStub
+        // can mint a stable hash and function list.
+        if (!state.actionIndex.fileToHash.has(abs)) {
+          const h = hashFile(abs);
+          state.actionIndex.fileToHash.set(abs, h);
+          state.actionIndex.hashToFile.set(h, abs);
+        }
+        const stub = await serveActionStub(state.actionIndex, abs);
         return new Response(stub, {
           headers: { 'content-type': 'application/javascript; charset=utf-8', 'cache-control': 'no-store' },
         });

test/server-file-guardrail.test.js

@@ -0,0 +1,162 @@
+/**
+ * Server-file guardrail: the dev/prod HTTP layer MUST never serve the
+ * source of a server-only file to the browser. A file is considered
+ * server-only if either:
+ *   • its filename matches `.server.{js,ts,mjs,mts}`, OR
+ *   • its source begins with a literal `'use server'` directive.
+ *
+ * For such files, every response body must be a generated RPC stub —
+ * never the real module source. This guardrail is the last line of
+ * defense against an accidental source leak (DB credentials, privileged
+ * business logic, scrypt routines, etc.).
+ */
+import { test, before, after } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync, writeFileSync, mkdirSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { createRequestHandler } from '../packages/server/src/dev.js';
+
+let tmpDir;
+
+before(() => {
+  tmpDir = mkdtempSync(join(tmpdir(), 'webjs-guard-'));
+});
+
+after(() => {
+  rmSync(tmpDir, { recursive: true, force: true });
+});
+
+function makeApp(files) {
+  const appDir = mkdtempSync(join(tmpDir, 'app-'));
+  for (const [rel, body] of Object.entries(files)) {
+    const abs = join(appDir, rel);
+    mkdirSync(join(abs, '..'), { recursive: true });
+    writeFileSync(abs, body);
+  }
+  return appDir;
+}
+
+function assertIsStub(text) {
+  assert.ok(
+    text.startsWith('// webjs: generated server-action stub'),
+    `expected RPC stub, got body starting with: ${text.slice(0, 80)}`
+  );
+  // Confirm the real source is NOT present by checking secrets markers
+  // that only show up in the scaffolded fixture source.
+  assert.ok(!/SECRET_DB_PASSWORD/.test(text),
+    `stub leaked the source — found SECRET_DB_PASSWORD:\n${text.slice(0, 400)}`);
+  assert.ok(!/fakePrismaClient/.test(text),
+    `stub leaked the source — found fakePrismaClient reference`);
+}
+
+test('guardrail: .server.ts request returns RPC stub, never source', async () => {
+  const appDir = makeApp({
+    'app/page.ts': `export default function P() { return 'ok'; }`,
+    'modules/posts/queries/list-posts.server.ts':
+      `const SECRET_DB_PASSWORD = 'hunter2';\n` +
+      `const fakePrismaClient = () => ({ findMany: () => [] });\n` +
+      `export async function listPosts() { return []; }\n`,
+  });
+  const app = await createRequestHandler({ appDir, dev: true });
+  const resp = await app.handle(new Request(
+    'http://localhost/modules/posts/queries/list-posts.server.ts'
+  ));
+  assert.equal(resp.status, 200);
+  assert.equal(
+    resp.headers.get('content-type'),
+    'application/javascript; charset=utf-8'
+  );
+  assertIsStub(await resp.text());
+});
+
+test(`guardrail: 'use server' plain .ts never leaks source`, async () => {
+  const appDir = makeApp({
+    'app/page.ts': `export default function P() { return 'ok'; }`,
+    'lib/prisma.ts':
+      `'use server';\n` +
+      `const SECRET_DB_PASSWORD = 'hunter2';\n` +
+      `const fakePrismaClient = () => ({ findMany: () => [] });\n` +
+      `export const prisma = fakePrismaClient();\n`,
+  });
+  const app = await createRequestHandler({ appDir, dev: true });
+  const resp = await app.handle(new Request(
+    'http://localhost/lib/prisma.ts'
+  ));
+  assert.equal(resp.status, 200);
+  assertIsStub(await resp.text());
+});
+
+test(`guardrail: 'use server' plain .js never leaks source`, async () => {
+  const appDir = makeApp({
+    'app/page.ts': `export default function P() { return 'ok'; }`,
+    'lib/secret.js':
+      `"use server";\n` +
+      `const SECRET_DB_PASSWORD = 'hunter2';\n` +
+      `export const secret = 'nope';\n`,
+  });
+  const app = await createRequestHandler({ appDir, dev: true });
+  const resp = await app.handle(new Request(
+    'http://localhost/lib/secret.js'
+  ));
+  assert.equal(resp.status, 200);
+  assertIsStub(await resp.text());
+});
+
+test('guardrail: .server.js request returns RPC stub, never source', async () => {
+  const appDir = makeApp({
+    'app/page.ts': `export default function P() { return 'ok'; }`,
+    'lib/action.server.js':
+      `const SECRET_DB_PASSWORD = 'hunter2';\n` +
+      `export async function doWork() { return 1; }\n`,
+  });
+  const app = await createRequestHandler({ appDir, dev: true });
+  const resp = await app.handle(new Request(
+    'http://localhost/lib/action.server.js'
+  ));
+  assert.equal(resp.status, 200);
+  assertIsStub(await resp.text());
+});
+
+test('guardrail: ordinary .ts files still serve source (negative control)', async () => {
+  const appDir = makeApp({
+    'app/page.ts': `export default function P() { return 'ok'; }`,
+    'components/widget.ts':
+      `export function hello() { return 'hi'; }\n`,
+  });
+  const app = await createRequestHandler({ appDir, dev: true });
+  const resp = await app.handle(new Request(
+    'http://localhost/components/widget.ts'
+  ));
+  assert.equal(resp.status, 200);
+  const text = await resp.text();
+  // Non-server .ts files are compiled (TS stripped) and served as JS.
+  assert.ok(!text.startsWith('// webjs: generated server-action stub'),
+    'ordinary .ts should NOT be stubbed');
+  assert.ok(/function hello/.test(text),
+    'ordinary .ts source should be present');
+});
+
+test('guardrail: file created AFTER boot is still caught (index race)', async () => {
+  // Simulates the race window: the action index is built at boot, but a
+  // developer adds a new .server.ts during dev. The guardrail must catch
+  // it on first request regardless of index state.
+  const appDir = makeApp({
+    'app/page.ts': `export default function P() { return 'ok'; }`,
+  });
+  const app = await createRequestHandler({ appDir, dev: true });
+
+  // Write the server file AFTER createRequestHandler returned.
+  const lateFile = join(appDir, 'modules/late.server.ts');
+  mkdirSync(join(lateFile, '..'), { recursive: true });
+  writeFileSync(lateFile,
+    `const SECRET_DB_PASSWORD = 'hunter2';\n` +
+    `export async function late() { return 42; }\n`);
+
+  const resp = await app.handle(new Request(
+    'http://localhost/modules/late.server.ts'
+  ));
+  assert.equal(resp.status, 200);
+  assertIsStub(await resp.text());
+});