feat: add middleware, route groups, and codebase cleanup

* feat: add middleware example demonstrating route groups

Self-contained example covering v.Use(), v.Group(), nested groups,
Group.Use(), and middleware chaining with role-based access control.

* feat: add per-action middleware via WithMiddleware ActionOption

Reuses the existing Middleware type so the same auth/logging functions
work at both page and action level. Middleware runs after CSRF and
rate-limit checks, with full access to session and signals.

* feat: add RedirectView helper and refactor session example to use middleware

RedirectView lets middleware abort and redirect in one step. The session
example now uses an authRequired middleware on a route group instead of
an inline check inside the view.

* fix: remove dead code, fix double Load and extractParams mismatch

- Remove componentRegistry (written, never read)
- Remove unused signal methods: Bytes, Int64, Float
- Remove unreachable nil check in registerCtx
- Simplify injectRouteParams (extractParams already returns fresh map)
- Fix double sync.Map.Load in injectSignals
- Merge Shutdown/shutdown into single method
- Inline currSessionNum
- Fix extractParams: mismatched literal segment now returns nil
- Minor: new(bytes.Buffer), go c.Sync(), genRandID reads 4 bytes

README.md

@@ -1,30 +1,33 @@
-# ⚡Via
+# Via
+
 Real-time engine for building reactive web applications in pure Go.
 
-
 ## Why Via?
-Somewhere along the way, the web became tangled in layers of JavaScript, build chains, and frameworks stacked on frameworks.
 
-Via takes a radical stance:
+The web became tangled in layers of JavaScript, build chains, and frameworks stacked on frameworks. Via takes a different path.
 
-- No templates.
+**Philosophy**
-- No JavaScript.
+- No templates. No JavaScript. No transpilation. No hydration.
-- No transpilation.
+- Views are pure Go functions. HTML is composed with a type-safe DSL.
-- No hydration.
+- A single SSE stream carries all reactivity — no WebSocket juggling, no polling.
-- No front-end fatigue.
-- Single SSE stream.
-- Full reactivity.
-- Built-in Brotli compression.
-- Pure Go.
 
+**Batteries included**
+- Automatic CSRF protection on every action call
+- Token-bucket rate limiting (global defaults + per-action overrides)
+- Cookie-based sessions backed by SQLite
+- Pub/sub messaging with an embedded NATS backend
+- Structured logging via zerolog
+- Graceful shutdown with context draining
+- Brotli compression out of the box
 
 ## Example
+
 ```go
 package main
 
 import (
-	"github.com/go-via/via"
+	"github.com/ryanhamamura/via"
-	"github.com/go-via/via/h"
+	"github.com/ryanhamamura/via/h"
 )
 
 type Counter struct{ Count int }
@@ -57,25 +60,43 @@ func main() {
 }
 ```
 
+## What's built in
 
-## 🚧 Experimental
+- **Reactive views + signals** — bind state to the DOM; changes push over SSE automatically
-<s>Via is still a newborn.</s> Via is taking its first steps!
+- **Components** — self-contained subcontexts with their own data, actions, and signals
-- Version `0.1.0` released.
+- **Sessions** — cookie-based, backed by SQLite via `scs`
-- Expect a little less chaos.
+- **Pub/sub** — embedded NATS server with JetStream; generic `Publish[T]` / `Subscribe[T]` helpers
+- **CSRF protection** — automatic token generation and validation on every action
+- **Rate limiting** — token-bucket algorithm, configurable globally and per-action
+- **Event handling** — `OnClick`, `OnChange`, `OnSubmit`, `OnInput`, `OnFocus`, `OnBlur`, `OnMouseEnter`, `OnMouseLeave`, `OnScroll`, `OnDblClick`, `OnKeyDown`, and `OnKeyDownMap` for multi-key bindings
+- **Timed routines** — `OnInterval` with start/stop/update controls, tied to context lifecycle
+- **Redirects** — `Redirect`, `ReplaceURL`, and format-string variants
+- **Plugin system** — `func(v *V)` hooks for integrating CSS/JS libraries
+- **Structured logging** — zerolog with configurable levels; console output in dev, JSON in production
+- **Graceful shutdown** — listens for SIGINT/SIGTERM, drains contexts, closes pub/sub
+- **Context lifecycle** — background reaper cleans up disconnected contexts; configurable TTL
+- **HTML DSL** — the `h` package provides type-safe Go-native HTML composition
+
+## Examples
+
+The `internal/examples/` directory contains 14 runnable examples:
+
+`chatroom` · `counter` · `countercomp` · `greeter` · `keyboard` · `livereload` · `nats-chatroom` · `pathparams` · `picocss` · `plugins` · `pubsub-crud` · `realtimechart` · `session` · `shakespeare`
+
+## Experimental
+
+Via is maturing — sessions, CSRF, rate limiting, pub/sub, and graceful shutdown are in place — but the API is still evolving. Expect breaking changes before `v1`.
 
 ## Contributing
+
 - Via is intentionally minimal and opinionated — and so is contributing.
-- If you love Go, simplicity, and meaningful abstractions — Come along for the ride!
+- Fork, branch, build, tinker, submit a pull request.
-- Fork, branch, build, tinker with things, submit a pull request.
 - Keep every line purposeful.
 - Share feedback: open an issue or start a discussion.
 
-
 ## Credits
 
-Via builds upon the work of these amazing projects:
+Via builds upon the work of these projects:
 
-- 🚀 [Datastar](https://data-star.dev) - The hypermedia powerhouse at the core of Via. It powers browser reactivity through Signals and enables real-time HTML/Signal patches over an always-on SSE event stream.
+- [Datastar](https://data-star.dev) — the hypermedia framework powering browser reactivity through signals and real-time HTML patches over SSE.
-- 🧩 [Gomponents](https://maragu.dev/gomponents) - The awesome project that gifts Via with Go-native HTML composition superpowers through the `via/h` package.
+- [Gomponents](https://maragu.dev/gomponents) — Go-native HTML composition that powers the `via/h` package.
-
-> Thank you for building something that doesn’t just function — it inspires. 🫶

configuration.go

@@ -61,4 +61,9 @@ type Options struct {
 	// connection before the background reaper disposes it.
 	// Default: 30s. Negative value disables the reaper.
 	ContextTTL time.Duration
+
+	// ActionRateLimit configures the default token-bucket rate limiter for
+	// action endpoints. Zero values use built-in defaults (10 req/s, burst 20).
+	// Set Rate to -1 to disable rate limiting entirely.
+	ActionRateLimit RateLimitConfig
 }

context.go

@@ -5,13 +5,13 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"maps"
 	"reflect"
 	"sync"
 	"sync/atomic"
 	"time"
 
 	"github.com/ryanhamamura/via/h"
+	"golang.org/x/time/rate"
 )
 
 // Context is the living bridge between Go and the browser.
@@ -20,13 +20,14 @@ import (
 type Context struct {
 	id                string
 	route             string
+	csrfToken         string
 	app               *V
 	view              func() h.H
 	routeParams       map[string]string
-	componentRegistry map[string]*Context
 	parentPageCtx *Context
 	patchChan         chan patch
-	actionRegistry    map[string]func()
+	actionLimiter     *rate.Limiter
+	actionRegistry    map[string]actionEntry
 	signals           *sync.Map
 	mu                sync.RWMutex
 	ctxDisposedChan   chan struct{}
@@ -78,7 +79,6 @@ func (c *Context) Component(initCtx func(c *Context)) func() h.H {
 		compCtx.parentPageCtx = c
 	}
 	initCtx(compCtx)
-	c.componentRegistry[id] = compCtx
 	return compCtx.view
 }
 
@@ -103,26 +103,31 @@ func (c *Context) isComponent() bool {
 //		 	 	h.Button(h.Text("Increment n"), increment.OnClick()),
 //		 )
 //	})
-func (c *Context) Action(f func()) *actionTrigger {
+func (c *Context) Action(f func(), opts ...ActionOption) *actionTrigger {
 	id := genRandID()
 	if f == nil {
 		c.app.logErr(c, "failed to bind action '%s' to context: nil func", id)
 		return nil
 	}
 
+	entry := actionEntry{fn: f}
+	for _, opt := range opts {
+		opt(&entry)
+	}
+
 	if c.isComponent() {
-		c.parentPageCtx.actionRegistry[id] = f
+		c.parentPageCtx.actionRegistry[id] = entry
 	} else {
-		c.actionRegistry[id] = f
+		c.actionRegistry[id] = entry
 	}
 	return &actionTrigger{id}
 }
 
-func (c *Context) getActionFn(id string) (func(), error) {
+func (c *Context) getAction(id string) (actionEntry, error) {
-	if f, ok := c.actionRegistry[id]; ok {
+	if e, ok := c.actionRegistry[id]; ok {
-		return f, nil
+		return e, nil
 	}
-	return nil, fmt.Errorf("action '%s' not found", id)
+	return actionEntry{}, fmt.Errorf("action '%s' not found", id)
 }
 
 // OnInterval starts a go routine that sets a time.Ticker with the given duration and executes
@@ -200,14 +205,14 @@ func (c *Context) injectSignals(sigs map[string]any) {
 	defer c.mu.Unlock()
 
 	for sigID, val := range sigs {
-		if _, ok := c.signals.Load(sigID); !ok {
+		item, ok := c.signals.Load(sigID)
+		if !ok {
 			c.signals.Store(sigID, &signal{
 				id:  sigID,
 				val: val,
 			})
 			continue
 		}
-		item, _ := c.signals.Load(sigID)
 		if sig, ok := item.(*signal); ok {
 			sig.val = val
 			sig.changed = false
@@ -258,7 +263,7 @@ func (c *Context) sendPatch(p patch) {
 // Sync pushes the current view state and signal changes to the browser immediately
 // over the live SSE event stream.
 func (c *Context) Sync() {
-	elemsPatch := bytes.NewBuffer(make([]byte, 0))
+	elemsPatch := new(bytes.Buffer)
 	if err := c.view().Render(elemsPatch); err != nil {
 		c.app.logErr(c, "sync view failed: %v", err)
 		return
@@ -323,6 +328,15 @@ func (c *Context) ExecScript(s string) {
 	c.sendPatch(patch{patchTypeScript, s})
 }
 
+// RedirectView sets a view that redirects the browser to the given URL.
+// Use this in middleware to abort the chain and redirect in one step.
+func (c *Context) RedirectView(url string) {
+	c.View(func() h.H {
+		c.Redirect(url)
+		return h.Div()
+	})
+}
+
 // Redirect navigates the browser to the given URL.
 // This triggers a full page navigation - the current context will be disposed
 // and a new context created at the destination URL.
@@ -378,12 +392,9 @@ func (c *Context) injectRouteParams(params map[string]string) {
 	if params == nil {
 		return
 	}
-	m := make(map[string]string)
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	maps.Copy(m, params)
+	c.routeParams = params
-	c.routeParams = m
-
 }
 
 // GetPathParam retrieves the value from the page request URL for the given parameter name
@@ -477,10 +488,11 @@ func newContext(id string, route string, v *V) *Context {
 	return &Context{
 		id:                id,
 		route:             route,
+		csrfToken:         genCSRFToken(),
 		routeParams:       make(map[string]string),
 		app:               v,
-		componentRegistry: make(map[string]*Context),
+		actionLimiter: newLimiter(v.actionRateLimit, defaultActionRate, defaultActionBurst),
-		actionRegistry:    make(map[string]func()),
+		actionRegistry:    make(map[string]actionEntry),
 		signals:           new(sync.Map),
 		patchChan:         make(chan patch, 1),
 		ctxDisposedChan:   make(chan struct{}, 1),

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/starfederation/datastar-go v1.0.3
 	github.com/stretchr/testify v1.11.1
+	golang.org/x/time v0.14.0
 )
 
 require (
@@ -37,6 +38,6 @@ require (
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
+	golang.org/x/time v0.14.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

internal/examples/middleware/main.go

@@ -0,0 +1,151 @@
+package main
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/ryanhamamura/via"
+	"github.com/ryanhamamura/via/h"
+)
+
+func main() {
+	v := via.New()
+	v.Config(via.Options{
+		ServerAddress: ":8080",
+		DocumentTitle: "Middleware Example",
+	})
+
+	// --- Middleware definitions ---
+
+	// requestLogger logs every page request to stdout.
+	requestLogger := func(c *via.Context, next func()) {
+		fmt.Printf("[%s] request\n", time.Now().Format("15:04:05"))
+		next()
+	}
+
+	// authRequired redirects unauthenticated users to /login.
+	authRequired := func(c *via.Context, next func()) {
+		if c.Session().GetString("role") == "" {
+			c.RedirectView("/login")
+			return
+		}
+		next()
+	}
+
+	// auditLog prints the authenticated username to stdout.
+	auditLog := func(c *via.Context, next func()) {
+		fmt.Printf("[audit] user=%s\n", c.Session().GetString("username"))
+		next()
+	}
+
+	// superAdminOnly rejects non-superadmin users with a forbidden view.
+	superAdminOnly := func(c *via.Context, next func()) {
+		if c.Session().GetString("role") != "superadmin" {
+			c.View(func() h.H {
+				return h.Div(
+					h.H1(h.Text("Forbidden")),
+					h.P(h.Text("Super-admin access required.")),
+					h.A(h.Href("/admin/dashboard"), h.Text("Back to dashboard")),
+				)
+			})
+			return
+		}
+		next()
+	}
+
+	// --- Route registration ---
+
+	v.Use(requestLogger) // global middleware
+
+	admin := v.Group("/admin", authRequired)            // prefixed group
+	admin.Use(auditLog)                                 // Group.Use()
+	superAdmin := admin.Group("/super", superAdminOnly) // nested group
+
+	// Public: redirect root to login
+	v.Page("/", func(c *via.Context) {
+		c.View(func() h.H {
+			c.Redirect("/login")
+			return h.Div()
+		})
+	})
+
+	// Public: login page with role-selection buttons
+	v.Page("/login", func(c *via.Context) {
+		loginAdmin := c.Action(func() {
+			c.Session().Set("role", "admin")
+			c.Session().Set("username", "alice")
+			c.Session().RenewToken()
+			c.Redirect("/admin/dashboard")
+		})
+
+		loginSuper := c.Action(func() {
+			c.Session().Set("role", "superadmin")
+			c.Session().Set("username", "bob")
+			c.Session().RenewToken()
+			c.Redirect("/admin/dashboard")
+		})
+
+		c.View(func() h.H {
+			return h.Div(
+				h.H1(h.Text("Login")),
+				h.P(h.Text("Choose a role:")),
+				h.Button(h.Text("Login as Admin"), loginAdmin.OnClick()),
+				h.Raw(" "),
+				h.Button(h.Text("Login as Super Admin"), loginSuper.OnClick()),
+			)
+		})
+	})
+
+	// Per-action middleware: only superadmins can invoke this action.
+	requireSuperAdmin := func(c *via.Context, next func()) {
+		if c.Session().GetString("role") != "superadmin" {
+			return
+		}
+		next()
+	}
+
+	// Admin: dashboard (requires authRequired + auditLog)
+	admin.Page("/dashboard", func(c *via.Context) {
+		logout := c.Action(func() {
+			c.Session().Delete("role")
+			c.Session().Delete("username")
+			c.Redirect("/login")
+		})
+
+		dangerAction := c.Action(func() {
+			fmt.Printf("[danger] executed by %s\n", c.Session().GetString("username"))
+			c.Sync()
+		}, via.WithMiddleware(requireSuperAdmin))
+
+		c.View(func() h.H {
+			username := c.Session().GetString("username")
+			role := c.Session().GetString("role")
+			return h.Div(
+				h.H1(h.Textf("Dashboard — %s (%s)", username, role)),
+				h.Ul(
+					h.Li(h.A(h.Href("/admin/super/settings"), h.Text("Super Admin Settings"))),
+				),
+				h.H2(h.Text("Danger Zone")),
+				h.P(h.Text("This action is protected by per-action middleware (superadmin only):")),
+				h.Button(h.Text("Delete Everything"), dangerAction.OnClick()),
+				h.Br(),
+				h.Br(),
+				h.Button(h.Text("Logout"), logout.OnClick()),
+			)
+		})
+	})
+
+	// Super-admin: settings (requires authRequired + auditLog + superAdminOnly)
+	superAdmin.Page("/settings", func(c *via.Context) {
+		c.View(func() h.H {
+			username := c.Session().GetString("username")
+			return h.Div(
+				h.H1(h.Textf("Super Admin Settings — %s", username)),
+				h.P(h.Text("Only super-admins can see this page.")),
+				h.A(h.Href("/admin/dashboard"), h.Text("Back to dashboard")),
+			)
+		})
+	})
+
+	v.Start()
+}

internal/examples/session/main.go

@@ -29,7 +29,17 @@ func main() {
 		SessionManager: sm,
 	})
 
-	// Login page
+	// Auth middleware — redirects unauthenticated users to /login
+	authRequired := func(c *via.Context, next func()) {
+		if c.Session().GetString("username") == "" {
+			c.Session().Set("flash", "Please log in first")
+			c.RedirectView("/login")
+			return
+		}
+		next()
+	}
+
+	// Login page (public)
 	v.Page("/login", func(c *via.Context) {
 		flash := c.Session().PopString("flash")
 		usernameInput := c.Signal("")
@@ -64,8 +74,10 @@ func main() {
 		})
 	})
 
-	// Dashboard page (protected)
+	// Protected pages
-	v.Page("/dashboard", func(c *via.Context) {
+	protected := v.Group("", authRequired)
+
+	protected.Page("/dashboard", func(c *via.Context) {
 		logout := c.Action(func() {
 			c.Session().Set("flash", "Goodbye!")
 			c.Session().Delete("username")
@@ -74,14 +86,6 @@ func main() {
 
 		c.View(func() h.H {
 			username := c.Session().GetString("username")
-
-			// Not logged in? Redirect to login
-			if username == "" {
-				c.Session().Set("flash", "Please log in first")
-				c.Redirect("/login")
-				return h.Div()
-			}
-
 			flash := c.Session().PopString("flash")
 			var flashMsg h.H
 			if flash != "" {

middleware.go

@@ -0,0 +1,82 @@
+package via
+
+// Middleware wraps a page init function. Call next to continue the chain;
+// return without calling next to abort (set a view first, e.g. RedirectView).
+type Middleware func(c *Context, next func())
+
+// Group is a route group with a shared prefix and middleware stack.
+type Group struct {
+	v          *V
+	prefix     string
+	middleware []Middleware
+}
+
+// Use appends middleware to the global stack.
+// Global middleware runs before every page handler.
+func (v *V) Use(mw ...Middleware) {
+	v.middleware = append(v.middleware, mw...)
+}
+
+// Group creates a route group with the given path prefix and middleware.
+// Routes registered on the group are prefixed and run the group's middleware
+// after any global middleware.
+func (v *V) Group(prefix string, mw ...Middleware) *Group {
+	return &Group{
+		v:          v,
+		prefix:     prefix,
+		middleware: mw,
+	}
+}
+
+// Page registers a route on this group. The full route is the group prefix
+// concatenated with route.
+func (g *Group) Page(route string, initContextFn func(c *Context)) {
+	fullRoute := g.prefix + route
+	allMw := make([]Middleware, 0, len(g.v.middleware)+len(g.middleware))
+	allMw = append(allMw, g.v.middleware...)
+	allMw = append(allMw, g.middleware...)
+	wrapped := chainMiddleware(allMw, initContextFn)
+	g.v.page(fullRoute, initContextFn, wrapped)
+}
+
+// Group creates a nested sub-group that inherits this group's prefix and
+// middleware, then adds its own.
+func (g *Group) Group(prefix string, mw ...Middleware) *Group {
+	combined := make([]Middleware, len(g.middleware), len(g.middleware)+len(mw))
+	copy(combined, g.middleware)
+	combined = append(combined, mw...)
+	return &Group{
+		v:          g.v,
+		prefix:     g.prefix + prefix,
+		middleware: combined,
+	}
+}
+
+// Use appends middleware to this group's stack.
+func (g *Group) Use(mw ...Middleware) {
+	g.middleware = append(g.middleware, mw...)
+}
+
+// WithMiddleware returns an ActionOption that attaches middleware to an action.
+// Action middleware runs after CSRF/rate-limit checks and signal injection.
+func WithMiddleware(mw ...Middleware) ActionOption {
+	return func(e *actionEntry) {
+		e.middleware = append(e.middleware, mw...)
+	}
+}
+
+// chainMiddleware wraps handler with the given middleware, outer-first.
+func chainMiddleware(mws []Middleware, handler func(*Context)) func(*Context) {
+	if len(mws) == 0 {
+		return handler
+	}
+	chained := handler
+	for i := len(mws) - 1; i >= 0; i-- {
+		mw := mws[i]
+		next := chained
+		chained = func(c *Context) {
+			mw(c, func() { next(c) })
+		}
+	}
+	return chained
+}

middleware_test.go

@@ -0,0 +1,340 @@
+package via
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/ryanhamamura/via/h"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMiddlewareRunsBeforeHandler(t *testing.T) {
+	var order []string
+
+	v := New()
+	v.Use(func(c *Context, next func()) {
+		order = append(order, "mw")
+		next()
+	})
+	v.Page("/", func(c *Context) {
+		order = append(order, "handler")
+		c.View(func() h.H { return h.Div() })
+	})
+
+	// Reset after registration (panic-check runs the raw handler)
+	order = nil
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/", nil))
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, []string{"mw", "handler"}, order)
+}
+
+func TestMiddlewareAbortSkipsHandler(t *testing.T) {
+	handlerCalled := false
+
+	v := New()
+	v.Use(func(c *Context, next func()) {
+		c.RedirectView("/other")
+	})
+	v.Page("/", func(c *Context) {
+		handlerCalled = true
+		c.View(func() h.H { return h.Div() })
+	})
+
+	handlerCalled = false
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/", nil))
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.False(t, handlerCalled)
+}
+
+func TestMiddlewareChainOrder(t *testing.T) {
+	var order []string
+
+	v := New()
+	for _, label := range []string{"A", "B", "C"} {
+		l := label
+		v.Use(func(c *Context, next func()) {
+			order = append(order, l)
+			next()
+		})
+	}
+	v.Page("/", func(c *Context) {
+		order = append(order, "handler")
+		c.View(func() h.H { return h.Div() })
+	})
+
+	order = nil
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/", nil))
+
+	assert.Equal(t, []string{"A", "B", "C", "handler"}, order)
+}
+
+func TestGroupPrefixRouting(t *testing.T) {
+	v := New()
+	g := v.Group("/admin")
+	g.Page("/dashboard", func(c *Context) {
+		c.View(func() h.H { return h.Div(h.Text("admin dashboard")) })
+	})
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/admin/dashboard", nil))
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Contains(t, w.Body.String(), "admin dashboard")
+}
+
+func TestGroupMiddlewareAppliesToGroupOnly(t *testing.T) {
+	var groupMwCalled bool
+
+	v := New()
+	g := v.Group("/admin", func(c *Context, next func()) {
+		groupMwCalled = true
+		next()
+	})
+	g.Page("/panel", func(c *Context) {
+		c.View(func() h.H { return h.Div(h.Text("panel")) })
+	})
+	v.Page("/public", func(c *Context) {
+		c.View(func() h.H { return h.Div(h.Text("public")) })
+	})
+
+	// Hit public page — group middleware should NOT run
+	groupMwCalled = false
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/public", nil))
+	assert.False(t, groupMwCalled)
+	assert.Contains(t, w.Body.String(), "public")
+
+	// Hit group page — group middleware should run
+	groupMwCalled = false
+	w = httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/admin/panel", nil))
+	assert.True(t, groupMwCalled)
+	assert.Contains(t, w.Body.String(), "panel")
+}
+
+func TestGlobalMiddlewareAppliesToGroupPages(t *testing.T) {
+	var globalCalled bool
+
+	v := New()
+	v.Use(func(c *Context, next func()) {
+		globalCalled = true
+		next()
+	})
+	g := v.Group("/admin")
+	g.Page("/dash", func(c *Context) {
+		c.View(func() h.H { return h.Div(h.Text("dash")) })
+	})
+
+	globalCalled = false
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/admin/dash", nil))
+
+	assert.True(t, globalCalled)
+	assert.Contains(t, w.Body.String(), "dash")
+}
+
+func TestNestedGroupInheritsPrefixAndMiddleware(t *testing.T) {
+	var order []string
+
+	v := New()
+	admin := v.Group("/admin", func(c *Context, next func()) {
+		order = append(order, "admin")
+		next()
+	})
+	superAdmin := admin.Group("/super", func(c *Context, next func()) {
+		order = append(order, "super")
+		next()
+	})
+	superAdmin.Page("/secret", func(c *Context) {
+		order = append(order, "handler")
+		c.View(func() h.H { return h.Div(h.Text("secret")) })
+	})
+
+	order = nil
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/admin/super/secret", nil))
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, []string{"admin", "super", "handler"}, order)
+	assert.Contains(t, w.Body.String(), "secret")
+}
+
+func TestGroupUse(t *testing.T) {
+	var order []string
+
+	v := New()
+	g := v.Group("/api")
+	g.Use(func(c *Context, next func()) {
+		order = append(order, "added-later")
+		next()
+	})
+	g.Page("/items", func(c *Context) {
+		order = append(order, "handler")
+		c.View(func() h.H { return h.Div() })
+	})
+
+	order = nil
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/api/items", nil))
+
+	assert.Equal(t, []string{"added-later", "handler"}, order)
+}
+
+func TestRedirectViewSetsValidView(t *testing.T) {
+	v := New()
+	v.Page("/test", func(c *Context) {
+		c.RedirectView("/somewhere")
+	})
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/test", nil))
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Contains(t, w.Body.String(), "<!doctype html>")
+}
+
+func TestGlobalAndGroupMiddlewareOrder(t *testing.T) {
+	var order []string
+
+	v := New()
+	v.Use(func(c *Context, next func()) {
+		order = append(order, "global")
+		next()
+	})
+	g := v.Group("/g", func(c *Context, next func()) {
+		order = append(order, "group")
+		next()
+	})
+	g.Page("/page", func(c *Context) {
+		order = append(order, "handler")
+		c.View(func() h.H { return h.Div() })
+	})
+
+	order = nil
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/g/page", nil))
+
+	assert.Equal(t, []string{"global", "group", "handler"}, order)
+}
+
+// --- Action middleware tests ---
+
+func TestActionMiddlewareRunsBeforeAction(t *testing.T) {
+	var order []string
+
+	v := New()
+	c := newContext("test", "/", v)
+
+	mw := func(_ *Context, next func()) {
+		order = append(order, "mw")
+		next()
+	}
+
+	trigger := c.Action(func() {
+		order = append(order, "action")
+	}, WithMiddleware(mw))
+
+	entry, err := c.getAction(trigger.id)
+	assert.NoError(t, err)
+
+	chainMiddleware(entry.middleware, func(_ *Context) { entry.fn() })(c)
+
+	assert.Equal(t, []string{"mw", "action"}, order)
+}
+
+func TestActionMiddlewareAbortSkipsAction(t *testing.T) {
+	actionCalled := false
+
+	v := New()
+	c := newContext("test", "/", v)
+
+	mw := func(_ *Context, next func()) {
+		// don't call next — action should not run
+	}
+
+	trigger := c.Action(func() {
+		actionCalled = true
+	}, WithMiddleware(mw))
+
+	entry, err := c.getAction(trigger.id)
+	assert.NoError(t, err)
+
+	chainMiddleware(entry.middleware, func(_ *Context) { entry.fn() })(c)
+
+	assert.False(t, actionCalled)
+}
+
+func TestActionMiddlewareChainOrder(t *testing.T) {
+	var order []string
+
+	v := New()
+	c := newContext("test", "/", v)
+
+	var mws []Middleware
+	for _, label := range []string{"A", "B", "C"} {
+		l := label
+		mws = append(mws, func(_ *Context, next func()) {
+			order = append(order, l)
+			next()
+		})
+	}
+
+	trigger := c.Action(func() {
+		order = append(order, "action")
+	}, WithMiddleware(mws...))
+
+	entry, err := c.getAction(trigger.id)
+	assert.NoError(t, err)
+
+	chainMiddleware(entry.middleware, func(_ *Context) { entry.fn() })(c)
+
+	assert.Equal(t, []string{"A", "B", "C", "action"}, order)
+}
+
+func TestActionMiddlewareCombinedWithRateLimit(t *testing.T) {
+	v := New()
+	c := newContext("test", "/", v)
+
+	mw := func(_ *Context, next func()) { next() }
+
+	trigger := c.Action(func() {}, WithRateLimit(5, 10), WithMiddleware(mw))
+
+	entry, err := c.getAction(trigger.id)
+	assert.NoError(t, err)
+	assert.NotNil(t, entry.limiter)
+	assert.Len(t, entry.middleware, 1)
+}
+
+func TestGroupWithEmptyPrefix(t *testing.T) {
+	var mwCalled bool
+
+	v := New()
+	g := v.Group("", func(c *Context, next func()) {
+		mwCalled = true
+		next()
+	})
+	g.Page("/dashboard", func(c *Context) {
+		c.View(func() h.H { return h.Div(h.Text("dash")) })
+	})
+
+	mwCalled = false
+
+	w := httptest.NewRecorder()
+	v.mux.ServeHTTP(w, httptest.NewRequest("GET", "/dashboard", nil))
+
+	assert.True(t, mwCalled)
+	assert.Contains(t, w.Body.String(), "dash")
+}

ratelimit.go

@@ -0,0 +1,49 @@
+package via
+
+import "golang.org/x/time/rate"
+
+const (
+	defaultActionRate  float64 = 10.0
+	defaultActionBurst int     = 20
+)
+
+// RateLimitConfig configures token-bucket rate limiting for actions.
+// Zero values fall back to defaults. Rate of -1 disables limiting entirely.
+type RateLimitConfig struct {
+	Rate  float64
+	Burst int
+}
+
+// ActionOption configures per-action behaviour when passed to Context.Action.
+type ActionOption func(*actionEntry)
+
+type actionEntry struct {
+	fn         func()
+	limiter    *rate.Limiter // nil = use context default
+	middleware []Middleware
+}
+
+// WithRateLimit returns an ActionOption that gives this action its own
+// token-bucket limiter, overriding the context-level default.
+func WithRateLimit(r float64, burst int) ActionOption {
+	return func(e *actionEntry) {
+		e.limiter = newLimiter(RateLimitConfig{Rate: r, Burst: burst}, defaultActionRate, defaultActionBurst)
+	}
+}
+
+// newLimiter creates a *rate.Limiter from cfg, substituting defaults for zero
+// values. A Rate of -1 disables limiting (returns nil).
+func newLimiter(cfg RateLimitConfig, defaultRate float64, defaultBurst int) *rate.Limiter {
+	r := cfg.Rate
+	b := cfg.Burst
+	if r == -1 {
+		return nil
+	}
+	if r == 0 {
+		r = defaultRate
+	}
+	if b == 0 {
+		b = defaultBurst
+	}
+	return rate.NewLimiter(rate.Limit(r), b)
+}

ratelimit_test.go

@@ -0,0 +1,101 @@
+package via
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewLimiter_Defaults(t *testing.T) {
+	l := newLimiter(RateLimitConfig{}, defaultActionRate, defaultActionBurst)
+	require.NotNil(t, l)
+	assert.InDelta(t, defaultActionRate, float64(l.Limit()), 0.001)
+	assert.Equal(t, defaultActionBurst, l.Burst())
+}
+
+func TestNewLimiter_CustomValues(t *testing.T) {
+	l := newLimiter(RateLimitConfig{Rate: 5, Burst: 10}, defaultActionRate, defaultActionBurst)
+	require.NotNil(t, l)
+	assert.InDelta(t, 5.0, float64(l.Limit()), 0.001)
+	assert.Equal(t, 10, l.Burst())
+}
+
+func TestNewLimiter_DisabledWithNegativeRate(t *testing.T) {
+	l := newLimiter(RateLimitConfig{Rate: -1}, defaultActionRate, defaultActionBurst)
+	assert.Nil(t, l)
+}
+
+func TestTokenBucket_AllowsBurstThenRejects(t *testing.T) {
+	l := newLimiter(RateLimitConfig{Rate: 1, Burst: 3}, 1, 3)
+	require.NotNil(t, l)
+
+	for i := 0; i < 3; i++ {
+		assert.True(t, l.Allow(), "request %d should be allowed within burst", i)
+	}
+	assert.False(t, l.Allow(), "request beyond burst should be rejected")
+}
+
+func TestWithRateLimit_CreatesLimiter(t *testing.T) {
+	entry := actionEntry{fn: func() {}}
+	opt := WithRateLimit(2, 4)
+	opt(&entry)
+
+	require.NotNil(t, entry.limiter)
+	assert.InDelta(t, 2.0, float64(entry.limiter.Limit()), 0.001)
+	assert.Equal(t, 4, entry.limiter.Burst())
+}
+
+func TestContextAction_WithRateLimit(t *testing.T) {
+	v := New()
+	c := newContext("test-rl", "/", v)
+
+	called := false
+	c.Action(func() { called = true }, WithRateLimit(1, 2))
+
+	// Verify the entry has its own limiter
+	for _, entry := range c.actionRegistry {
+		require.NotNil(t, entry.limiter)
+		assert.InDelta(t, 1.0, float64(entry.limiter.Limit()), 0.001)
+		assert.Equal(t, 2, entry.limiter.Burst())
+	}
+	assert.False(t, called)
+}
+
+func TestContextAction_DefaultNoPerActionLimiter(t *testing.T) {
+	v := New()
+	c := newContext("test-no-rl", "/", v)
+
+	c.Action(func() {})
+
+	for _, entry := range c.actionRegistry {
+		assert.Nil(t, entry.limiter, "entry without WithRateLimit should have nil limiter")
+	}
+}
+
+func TestContextLimiter_DefaultsApplied(t *testing.T) {
+	v := New()
+	c := newContext("test-ctx-limiter", "/", v)
+
+	require.NotNil(t, c.actionLimiter)
+	assert.InDelta(t, defaultActionRate, float64(c.actionLimiter.Limit()), 0.001)
+	assert.Equal(t, defaultActionBurst, c.actionLimiter.Burst())
+}
+
+func TestContextLimiter_DisabledViaConfig(t *testing.T) {
+	v := New()
+	v.actionRateLimit = RateLimitConfig{Rate: -1}
+	c := newContext("test-disabled", "/", v)
+
+	assert.Nil(t, c.actionLimiter)
+}
+
+func TestContextLimiter_CustomConfig(t *testing.T) {
+	v := New()
+	v.Config(Options{ActionRateLimit: RateLimitConfig{Rate: 50, Burst: 100}})
+	c := newContext("test-custom", "/", v)
+
+	require.NotNil(t, c.actionLimiter)
+	assert.InDelta(t, 50.0, float64(c.actionLimiter.Limit()), 0.001)
+	assert.Equal(t, 100, c.actionLimiter.Burst())
+}

signal.go

@@ -81,26 +81,3 @@ func (s *signal) Int() int {
 	return 0
 }
 
-// Int64 tries to read the signal value as an int64.
-// Returns the value or 0 on failure.
-func (s *signal) Int64() int64 {
-	if n, err := strconv.ParseInt(s.String(), 10, 64); err == nil {
-		return n
-	}
-	return 0
-}
-
-// Float64 tries to read the signal value as a float64.
-// Returns the value or 0.0 on failure.
-func (s *signal) Float() float64 {
-	if n, err := strconv.ParseFloat(s.String(), 64); err == nil {
-		return n
-	}
-	return 0.0
-}
-
-// Bytes tries to read the signal value as a []byte
-// Returns the value or an empty []byte on failure.
-func (s *signal) Bytes() []byte {
-	return []byte(s.String())
-}

static_test.go

@@ -0,0 +1,143 @@
+package via
+
+import (
+	"io/fs"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+	"testing/fstest"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestStatic(t *testing.T) {
+	dir := t.TempDir()
+	os.MkdirAll(filepath.Join(dir, "sub"), 0755)
+	os.WriteFile(filepath.Join(dir, "hello.txt"), []byte("hello world"), 0644)
+	os.WriteFile(filepath.Join(dir, "sub", "nested.txt"), []byte("nested"), 0644)
+
+	v := New()
+	v.Static("/assets/", dir)
+
+	t.Run("serves file", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/assets/hello.txt", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Equal(t, "hello world", w.Body.String())
+	})
+
+	t.Run("serves nested file", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/assets/sub/nested.txt", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Equal(t, "nested", w.Body.String())
+	})
+
+	t.Run("directory listing returns 404", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/assets/", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+	})
+
+	t.Run("subdirectory listing returns 404", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/assets/sub/", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+	})
+
+	t.Run("missing file returns 404", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/assets/nope.txt", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+	})
+}
+
+func TestStaticAutoSlash(t *testing.T) {
+	dir := t.TempDir()
+	os.WriteFile(filepath.Join(dir, "ok.txt"), []byte("ok"), 0644)
+
+	v := New()
+	v.Static("/files", dir) // no trailing slash
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest("GET", "/files/ok.txt", nil)
+	v.mux.ServeHTTP(w, r)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, "ok", w.Body.String())
+}
+
+func TestStaticFS(t *testing.T) {
+	fsys := fstest.MapFS{
+		"style.css":        {Data: []byte("body{}")},
+		"js/app.js":        {Data: []byte("console.log('hi')")},
+	}
+
+	v := New()
+	v.StaticFS("/static/", fsys)
+
+	t.Run("serves file", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/static/style.css", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Equal(t, "body{}", w.Body.String())
+	})
+
+	t.Run("serves nested file", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/static/js/app.js", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Equal(t, "console.log('hi')", w.Body.String())
+	})
+
+	t.Run("directory listing returns 404", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/static/", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+	})
+
+	t.Run("missing file returns 404", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/static/nope.css", nil)
+		v.mux.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+	})
+}
+
+func TestStaticFSAutoSlash(t *testing.T) {
+	fsys := fstest.MapFS{
+		"ok.txt": {Data: []byte("ok")},
+	}
+
+	v := New()
+	v.StaticFS("/embed", fsys) // no trailing slash
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest("GET", "/embed/ok.txt", nil)
+	v.mux.ServeHTTP(w, r)
+
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, "ok", w.Body.String())
+}
+
+// Verify StaticFS accepts the fs.FS interface (compile-time check).
+var _ fs.FS = fstest.MapFS{}

via.go

@@ -9,11 +9,13 @@ package via
 import (
 	"context"
 	"crypto/rand"
+	"crypto/subtle"
 	_ "embed"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/fs"
 	"net/http"
 	"net/url"
 	"os"
@@ -47,10 +49,12 @@ type V struct {
 	devModePageInitFnMap map[string]func(*Context)
 	sessionManager       *scs.SessionManager
 	pubsub               PubSub
+	actionRateLimit      RateLimitConfig
 	datastarPath         string
 	datastarContent      []byte
 	datastarOnce         sync.Once
 	reaperStop           chan struct{}
+	middleware           []Middleware
 }
 
 func (v *V) logEvent(evt *zerolog.Event, c *Context) *zerolog.Event {
@@ -131,6 +135,9 @@ func (v *V) Config(cfg Options) {
 	if cfg.ContextTTL != 0 {
 		v.cfg.ContextTTL = cfg.ContextTTL
 	}
+	if cfg.ActionRateLimit.Rate != 0 || cfg.ActionRateLimit.Burst != 0 {
+		v.actionRateLimit = cfg.ActionRateLimit
+	}
 }
 
 // AppendToHead appends the given h.H nodes to the head of the base HTML document.
@@ -164,8 +171,16 @@ func (v *V) AppendToFoot(elements ...h.H) {
 //		})
 //	})
 func (v *V) Page(route string, initContextFn func(c *Context)) {
+	wrapped := chainMiddleware(v.middleware, initContextFn)
+	v.page(route, initContextFn, wrapped)
+}
+
+// page registers a route with separate raw and wrapped init functions.
+// raw is used for the panic-check at registration time; wrapped includes
+// any middleware and is used as the live handler.
+func (v *V) page(route string, raw, wrapped func(*Context)) {
 	v.ensureDatastarHandler()
-	// check for panics
+	// check for panics using the raw handler (no middleware)
 	func() {
 		defer func() {
 			if err := recover(); err != nil {
@@ -174,14 +189,13 @@ func (v *V) Page(route string, initContextFn func(c *Context)) {
 			}
 		}()
 		c := newContext("", "", v)
-		initContextFn(c)
+		raw(c)
 		c.view()
 		c.stopAllRoutines()
 	}()
 
-	// save page init function allows devmode to restore persisted ctx later
 	if v.cfg.DevMode {
-		v.devModePageInitFnMap[route] = initContextFn
+		v.devModePageInitFnMap[route] = wrapped
 	}
 	v.mux.HandleFunc("GET "+route, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		v.logDebug(nil, "GET %s", r.URL.String())
@@ -195,7 +209,7 @@ func (v *V) Page(route string, initContextFn func(c *Context)) {
 		c.reqCtx = r.Context()
 		routeParams := extractParams(route, r.URL.Path)
 		c.injectRouteParams(routeParams)
-		initContextFn(c)
+		wrapped(c)
 		v.registerCtx(c)
 		if v.cfg.DevMode {
 			v.devModePersist(c)
@@ -203,7 +217,7 @@ func (v *V) Page(route string, initContextFn func(c *Context)) {
 		headElements := []h.H{h.Script(h.Type("module"), h.Src(v.datastarPath))}
 		headElements = append(headElements, v.documentHeadIncludes...)
 		headElements = append(headElements,
-			h.Meta(h.Data("signals", fmt.Sprintf("{'via-ctx':'%s'}", id))),
+			h.Meta(h.Data("signals", fmt.Sprintf("{'via-ctx':'%s','via-csrf':'%s'}", id, c.csrfToken))),
 			h.Meta(h.Data("init", "@get('/_sse')")),
 			h.Meta(h.Data("init", fmt.Sprintf(`window.addEventListener('beforeunload', (evt) => {
 			navigator.sendBeacon('/_session/close', '%s');});`, c.id))),
@@ -220,7 +234,6 @@ func (v *V) Page(route string, initContextFn func(c *Context)) {
 			Title:     v.cfg.DocumentTitle,
 			Head:      headElements,
 			Body:      bodyElements,
-			HTMLAttrs: []h.H{},
 			})
 		_ = view.Render(w)
 	}))
@@ -229,17 +242,9 @@ func (v *V) Page(route string, initContextFn func(c *Context)) {
 func (v *V) registerCtx(c *Context) {
 	v.contextRegistryMutex.Lock()
 	defer v.contextRegistryMutex.Unlock()
-	if c == nil {
-		v.logErr(c, "failed to add nil context to registry")
-		return
-	}
 	v.contextRegistry[c.id] = c
 	v.logDebug(c, "new context added to registry")
-	v.logDebug(nil, "number of sessions in registry: %d", v.currSessionNum())
+	v.logDebug(nil, "number of sessions in registry: %d", len(v.contextRegistry))
-}
-
-func (v *V) currSessionNum() int {
-	return len(v.contextRegistry)
 }
 
 func (v *V) cleanupCtx(c *Context) {
@@ -259,7 +264,7 @@ func (v *V) unregisterCtx(c *Context) {
 	defer v.contextRegistryMutex.Unlock()
 	v.logDebug(c, "ctx removed from registry")
 	delete(v.contextRegistry, c.id)
-	v.logDebug(nil, "number of sessions in registry: %d", v.currSessionNum())
+	v.logDebug(nil, "number of sessions in registry: %d", len(v.contextRegistry))
 }
 
 func (v *V) getCtx(id string) (*Context, error) {
@@ -349,16 +354,12 @@ func (v *V) Start() {
 		return
 	}
 
-	v.shutdown()
+	v.Shutdown()
 }
 
 // Shutdown gracefully shuts down the server and all contexts.
 // Safe for programmatic or test use.
 func (v *V) Shutdown() {
-	v.shutdown()
-}
-
-func (v *V) shutdown() {
 	if v.reaperStop != nil {
 		close(v.reaperStop)
 	}
@@ -407,6 +408,46 @@ func (v *V) HTTPServeMux() *http.ServeMux {
 	return v.mux
 }
 
+// Static serves files from a filesystem directory at the given URL prefix.
+//
+// Example:
+//
+//	v.Static("/assets/", "./public")
+func (v *V) Static(urlPrefix, dir string) {
+	if !strings.HasSuffix(urlPrefix, "/") {
+		urlPrefix += "/"
+	}
+	fileServer := http.StripPrefix(urlPrefix, http.FileServer(http.Dir(dir)))
+	v.mux.Handle("GET "+urlPrefix, noDirListing(fileServer))
+}
+
+// StaticFS serves files from an [fs.FS] at the given URL prefix.
+// This is useful with //go:embed filesystems.
+//
+// Example:
+//
+//	//go:embed static
+//	var staticFiles embed.FS
+//	v.StaticFS("/assets/", staticFiles)
+func (v *V) StaticFS(urlPrefix string, fsys fs.FS) {
+	if !strings.HasSuffix(urlPrefix, "/") {
+		urlPrefix += "/"
+	}
+	fileServer := http.StripPrefix(urlPrefix, http.FileServerFS(fsys))
+	v.mux.Handle("GET "+urlPrefix, noDirListing(fileServer))
+}
+
+// noDirListing wraps a file server handler to return 404 for directory requests.
+func noDirListing(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasSuffix(r.URL.Path, "/") {
+			http.NotFound(w, r)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
 func (v *V) ensureDatastarHandler() {
 	v.datastarOnce.Do(func() {
 		v.mux.HandleFunc("GET "+v.datastarPath, func(w http.ResponseWriter, r *http.Request) {
@@ -568,9 +609,7 @@ func New() *V {
 		c.sseConnected.Store(true)
 		v.logDebug(c, "SSE connection established")
 
-		go func() {
+		go c.Sync()
-			c.Sync()
-		}()
 
 		for {
 			select {
@@ -632,13 +671,29 @@ func New() *V {
 			v.logErr(nil, "action '%s' failed: %v", actionID, err)
 			return
 		}
+		csrfToken, _ := sigs["via-csrf"].(string)
+		if subtle.ConstantTimeCompare([]byte(csrfToken), []byte(c.csrfToken)) != 1 {
+			v.logWarn(c, "action '%s' rejected: invalid CSRF token", actionID)
+			http.Error(w, "invalid CSRF token", http.StatusForbidden)
+			return
+		}
+		if c.actionLimiter != nil && !c.actionLimiter.Allow() {
+			v.logWarn(c, "action '%s' rate limited", actionID)
+			http.Error(w, "rate limited", http.StatusTooManyRequests)
+			return
+		}
 		c.reqCtx = r.Context()
-		actionFn, err := c.getActionFn(actionID)
+		entry, err := c.getAction(actionID)
 		if err != nil {
 			v.logDebug(c, "action '%s' failed: %v", actionID, err)
 			return
 		}
-		// log err if actionFn panics
+		if entry.limiter != nil && !entry.limiter.Allow() {
+			v.logWarn(c, "action '%s' rate limited (per-action)", actionID)
+			http.Error(w, "rate limited", http.StatusTooManyRequests)
+			return
+		}
+		// log err if action panics
 		defer func() {
 			if r := recover(); r != nil {
 				v.logErr(c, "action '%s' failed: %v", actionID, r)
@@ -646,7 +701,11 @@ func New() *V {
 		}()
 
 		c.injectSignals(sigs)
-		actionFn()
+		if len(entry.middleware) > 0 {
+			chainMiddleware(entry.middleware, func(_ *Context) { entry.fn() })(c)
+		} else {
+			entry.fn()
+		}
 	})
 
 	v.mux.HandleFunc("POST /_session/close", func(w http.ResponseWriter, r *http.Request) {
@@ -670,9 +729,15 @@ func New() *V {
 }
 
 func genRandID() string {
+	b := make([]byte, 4)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+func genCSRFToken() string {
 	b := make([]byte, 16)
 	rand.Read(b)
-	return hex.EncodeToString(b)[:8]
+	return hex.EncodeToString(b)
 }
 
 func extractParams(pattern, path string) map[string]string {
@@ -687,7 +752,7 @@ func extractParams(pattern, path string) map[string]string {
 			key := p[i][1 : len(p[i])-1] // remove {}
 			params[key] = u[i]
 		} else if p[i] != u[i] {
-			continue
+			return nil
 		}
 	}
 	return params