GCR deployment testing in progress - content type issue still remaining.

2026-05-05 14:42:03 +05:00
parent 40fe69ed65
commit f8112f897e
22 changed files with 348 additions and 2431 deletions
@@ -0,0 +1,5 @@
 **/obj/
 **/bin/
 **/.git/
 **/.vs/
 **/node_modules/
@@ -1,98 +1,70 @@
 # ─────────────────────────────────────────────────────────────────────────────
 # Stage 1 — npm install (Tailwind CLI)
-# The .NET SDK stage needs node_modules present before running dotnet publish
+# Uses node:24-alpine for a small image. npm ci is used for reproducible,
-# because the MSBuild Tailwind target calls `npx @tailwindcss/cli` during build.
+# fast installs from the lockfile.
 #
 # We use the official node:24-slim image here.  This means the npm that ships
 # with Node 24 (npm 10.x) is used as-is — we deliberately do NOT run
 # `npm install -g npm@latest` anywhere.  Running a global npm self-upgrade
 # inside a Debian container is a known reliability hazard: npm replaces its
 # own running binaries mid-flight, which can cause EBUSY / ENOENT failures
 # that corrupt the install.  The bundled npm is current enough.
 # ─────────────────────────────────────────────────────────────────────────────
-FROM node:24-slim AS npm-install
+FROM node:24-alpine AS npm-install
 WORKDIR /npm
-COPY Htmx.ApiDemo/package.json .
+COPY Htmx.ApiDemo/package.json Htmx.ApiDemo/package-lock.json* ./
 # npm ci requires package-lock.json; if it doesn't exist yet, run
 # `npm install` locally first to generate it, then commit it to the repo.
 COPY Htmx.ApiDemo/package-lock.json* ./
 # ci is preferred over install in CI/Docker contexts: respects package-lock,
 # clean installs, and is faster.
 RUN npm ci
 # ─────────────────────────────────────────────────────────────────────────────
 # Stage 2 — AOT publish
-# Uses the full .NET 10 SDK image.  Node/npx must also be present here so the
+# Uses the Alpine SDK image so the binary is linked against musl libc,
-# Tailwind MSBuild target can run.  We install Node 24 from NodeSource using
+# making it compatible with the Alpine runtime image in Stage 3.
-# the official setup script and then immediately install nodejs via apt — no
+#
-# subsequent `npm install -g npm` step, for the same reason as above.
+# Alpine packages are cached via BuildKit mount cache — after the first build
 # `apk add` is near-instant because the package index and downloads are
 # reused from the local cache rather than re-fetched from the network.
 # ─────────────────────────────────────────────────────────────────────────────
-FROM mcr.microsoft.com/dotnet/sdk:10.0 AS publish
+FROM mcr.microsoft.com/dotnet/sdk:10.0-alpine AS publish
-# Install Node.js 24 (required by the Tailwind MSBuild target at publish time).
+# Install AOT linker tools and Node.js (for the Tailwind MSBuild target).
-# We download the NodeSource setup script to a file first so we can inspect it
+# --mount=type=cache keeps the apk package cache between builds on this machine.
-# if needed, then run it.  Using `| bash -` directly is convenient but hides
+RUN --mount=type=cache,target=/var/cache/apk \
-# the script from audit — the two-step form is safer in CI/CD contexts.
+    apk add --no-cache clang lld musl-dev build-base nodejs npm
 RUN apt-get update && \
    apt-get install -y --no-install-recommends curl ca-certificates && \
    curl -fsSL https://deb.nodesource.com/setup_24.x -o /tmp/nodesource_setup.sh && \
    bash /tmp/nodesource_setup.sh && \
    apt-get install -y --no-install-recommends nodejs && \
    rm /tmp/nodesource_setup.sh && \
    rm -rf /var/lib/apt/lists/*
 # Intentionally no `npm install -g npm` — see Stage 1 note above.
 WORKDIR /src
-# Copy solution and project files first so NuGet restore is cached separately
+# Copy project files first — NuGet restore layer is cached until these change.
 COPY Htmx.slnx .
 COPY Htmx.ApiDemo/Htmx.ApiDemo.csproj          Htmx.ApiDemo/
 COPY Htmx.SourceGenerator/Htmx.SourceGenerator.csproj Htmx.SourceGenerator/
-RUN dotnet restore Htmx.ApiDemo/Htmx.ApiDemo.csproj
+RUN dotnet restore Htmx.ApiDemo/Htmx.ApiDemo.csproj -r linux-musl-x64
-# Bring in the pre-installed node_modules from Stage 1.
+# Bring in pre-installed node_modules from Stage 1.
 # These were installed with `npm ci` on Node 24 — no npm upgrade was performed.
 COPY --from=npm-install /npm/node_modules Htmx.ApiDemo/node_modules
 # Copy the rest of the source
 COPY . .
-# AOT publish — output goes to /publish
+# AOT publish targeting musl so the binary runs on Alpine.
 RUN dotnet publish Htmx.ApiDemo/Htmx.ApiDemo.csproj \
        -c Release \
        -r linux-musl-x64 \
        --no-restore \
        --self-contained true \
        -o /publish
 # ─────────────────────────────────────────────────────────────────────────────
-# Stage 3 — Runtime image
+# Stage 3 — Runtime image (~12 MB base vs ~100 MB on Debian)
-# runtime-deps provides the native library dependencies (libc, libssl, libicu)
+# runtime-deps:alpine provides only the native libs the AOT binary needs.
-# that the AOT binary links against at runtime — no .NET runtime needed.
+# No .NET runtime is included — the binary is fully self-contained.
 # ─────────────────────────────────────────────────────────────────────────────
-FROM mcr.microsoft.com/dotnet/runtime-deps:10.0 AS runtime
+FROM mcr.microsoft.com/dotnet/runtime-deps:10.0-alpine AS runtime
 # Run as non-root for security hardening (recommended by Cloud Run docs)
 RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
 WORKDIR /app
 COPY --from=publish /publish .
 # Ensure the binary is executable
 RUN chmod +x ./Htmx.ApiDemo
 # Cloud Run injects PORT (default 8080).
-# ASP.NET Core reads ASPNETCORE_HTTP_PORTS, not PORT directly, so we set it.
+# ASP.NET Core reads ASPNETCORE_HTTP_PORTS directly — no entrypoint script needed.
-# The entrypoint script below maps $PORT → ASPNETCORE_HTTP_PORTS at startup.
+ENV ASPNETCORE_HTTP_PORTS=8080
 COPY GCR/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-# Transfer ownership so the app can write temp files if needed
+# Use the built-in non-root user provided by the official .NET Alpine image.
-RUN chown -R appuser:appgroup /app
+USER $APP_UID
 USER appuser
 EXPOSE 8080
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["./Htmx.ApiDemo"]
@@ -1,11 +1,12 @@
 #Requires -Version 5.1
 Set-StrictMode -Version Latest
 $ErrorActionPreference = 'Stop'
 param(
    [switch]$Yes
 )
 Set-StrictMode -Version Latest
 $ErrorActionPreference = 'Stop'
 $RootDir = Split-Path -Parent $MyInvocation.MyCommand.Path
 $EnvFile = Join-Path $RootDir ".env"
@@ -63,7 +64,8 @@ function Test-Login {
    $dockerCfg = if ($env:DOCKER_CONFIG) { Join-Path $env:DOCKER_CONFIG "config.json" } else { Join-Path $HOME ".docker\config.json" }
    $dockerOk = $false
    if (Test-Path $dockerCfg) {
-        $dockerOk = (Select-String -Path $dockerCfg -Pattern "\"$($Cfg['GCP_REGION'])-docker.pkg.dev\"" -SimpleMatch -Quiet)
+        $dockerPattern = "`"$($Cfg['GCP_REGION'])-docker.pkg.dev`""
        $dockerOk = (Select-String -Path $dockerCfg -Pattern $dockerPattern -SimpleMatch -Quiet)
    }
    return (-not [string]::IsNullOrWhiteSpace($activeAccount)) -and
@@ -75,7 +77,7 @@ function Test-Login {
 function Test-ProjectSetup {
    param([hashtable]$Cfg)
-    $billingEnabled = (gcloud billing projects describe $Cfg['GCP_PROJECT_ID'] --format="value(billingEnabled)" 2>$null)
+    $billingEnabled = (gcloud billing projects describe $Cfg['GCP_PROJECT_ID'] --format='value(billingEnabled)' 2>$null)
    if ($billingEnabled -ne 'True') { return $false }
    try {
@@ -85,7 +87,7 @@ function Test-ProjectSetup {
    }
    foreach ($api in @('run.googleapis.com', 'artifactregistry.googleapis.com', 'secretmanager.googleapis.com', 'cloudresourcemanager.googleapis.com')) {
-        $enabled = gcloud services list --enabled --project=$Cfg['GCP_PROJECT_ID'] --format="value(config.name)" 2>$null | Select-String -Pattern "^$([regex]::Escape($api))$"
+        $enabled = gcloud services list --enabled --project=$Cfg['GCP_PROJECT_ID'] --format='value(config.name)' 2>$null | Select-String -Pattern "^$([regex]::Escape($api))$"
        if (-not $enabled) { return $false }
    }
@@ -101,14 +103,14 @@ function Test-SecretsSetup {
        return $false
    }
-    $serviceAccount = "serviceAccount:$($Cfg['GCP_PROJECT_ID'])@appspot.gserviceaccount.com"
+    # Check if any service account has secretAccessor access (not just @appspot)
-    $binding = gcloud secrets get-iam-policy mongodb-connection-string `
+    $bindings = gcloud secrets get-iam-policy mongodb-connection-string `
        --project=$Cfg['GCP_PROJECT_ID'] `
-        --flatten="bindings[].members" `
+        --flatten='bindings[].members' `
-        --filter="bindings.role=roles/secretmanager.secretAccessor AND bindings.members=$serviceAccount" `
+        --filter='bindings.role=roles/secretmanager.secretAccessor' `
-        --format="value(bindings.members)" 2>$null
+        --format='value(bindings.members)' 2>$null
-    return ($binding -match [regex]::Escape($serviceAccount))
+    return (-not [string]::IsNullOrWhiteSpace($bindings))
 }
 function Test-DeployDone {
@@ -28,8 +28,8 @@ foreach ($line in Get-Content $EnvFile) {
    }
 }
-$GCP_PROJECT_ID = $config['GCP_PROJECT_ID'] ?? ''
+$GCP_PROJECT_ID = if ($config['GCP_PROJECT_ID']) { $config['GCP_PROJECT_ID'] } else { '' }
-$GCP_REGION     = $config['GCP_REGION']     ?? ''
+$GCP_REGION     = if ($config['GCP_REGION'])     { $config['GCP_REGION'] }     else { '' }
 if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env"; exit 1 }
 if (-not $GCP_REGION)     { Write-Error "GCP_REGION is not set in .env";     exit 1 }
@@ -57,6 +57,6 @@ gcloud auth configure-docker "$GCP_REGION-docker.pkg.dev" --quiet
 Write-Host ""
 Write-Host ">>> Login complete. You are now authenticated as:"
-gcloud auth list --filter=status:ACTIVE --format="value(account)"
+gcloud auth list --filter=status:ACTIVE --format='value(account)'
 Write-Host ""
 Write-Host ">>> Next step: run GCR\scripts\02-setup-project.ps1"
@@ -1,126 +1,71 @@
-# =============================================================================
+#Requires -Version 5.1
-# 02-setup-project.ps1  (Windows)
+param()
 # One-time GCP project setup:
 #   - Links a billing account to the project
 #   - Enables required APIs (Cloud Run, Artifact Registry, Secret Manager)
 #   - Creates an Artifact Registry Docker repository
 #   - Grants the current user the minimum required IAM roles
 #
 # Safe to re-run — most operations are idempotent.
 # Linux users: run GCR/scripts/02-setup-project.sh instead.
 # =============================================================================
 #Requires -Version 5.1
 Set-StrictMode -Version Latest
-$ErrorActionPreference = 'Stop'
+$ErrorActionPreference = 'Continue'
 $ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
 $EnvFile   = Join-Path $ScriptDir "..\\.env"
-
+if (-not (Test-Path $EnvFile)) { Write-Error "ERROR: $EnvFile not found."; exit 1 }
 # ── Load .env ─────────────────────────────────────────────────────────────────
 if (-not (Test-Path $EnvFile)) {
    Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
    exit 1
 }
 $config = @{}
 foreach ($line in Get-Content $EnvFile) {
    if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
-    if ($line -match '^([^=]+)=(.*)$') {
+    if ($line -match '^([^=]+)=(.*)$') { $config[$Matches[1].Trim()] = $Matches[2].Trim() }
        $config[$Matches[1].Trim()] = $Matches[2].Trim()
    }
 }
-$GCP_PROJECT_ID  = $config['GCP_PROJECT_ID']  ?? ''
+$GCP_PROJECT_ID = if ($config['GCP_PROJECT_ID']) { $config['GCP_PROJECT_ID'] } else { '' }
-$GCP_REGION      = $config['GCP_REGION']      ?? ''
+$GCP_REGION     = if ($config['GCP_REGION'])     { $config['GCP_REGION'] }     else { '' }
-$GCP_REPOSITORY  = $config['GCP_REPOSITORY']  ?? ''
+$GCP_REPOSITORY = if ($config['GCP_REPOSITORY']) { $config['GCP_REPOSITORY'] } else { '' }
-
+if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID not set"; exit 1 }
-if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env";  exit 1 }
+if (-not $GCP_REGION)     { Write-Error "GCP_REGION not set";     exit 1 }
-if (-not $GCP_REGION)     { Write-Error "GCP_REGION is not set in .env";      exit 1 }
+if (-not $GCP_REPOSITORY) { Write-Error "GCP_REPOSITORY not set"; exit 1 }
 if (-not $GCP_REPOSITORY) { Write-Error "GCP_REPOSITORY is not set in .env";  exit 1 }
 Write-Host ">>> Active project: $GCP_PROJECT_ID"
 Write-Host ">>> Region:         $GCP_REGION"
 Write-Host ">>> AR repository:  $GCP_REPOSITORY"
 Write-Host ""
-
+Write-Host ">>> Checking billing..."
-# ── Step 1: Link billing account ──────────────────────────────────────────────
+$billing = gcloud billing projects describe $GCP_PROJECT_ID --format='value(billingEnabled)' 2>$null
-Write-Host ">>> Checking billing status..."
+if ($billing -eq 'True') {
-$billingOutput = gcloud billing projects describe $GCP_PROJECT_ID --format="value(billingEnabled)" 2>$null
+    Write-Host "    Billing already enabled."
 $billingEnabled = ($billingOutput -eq "True")
 if ($billingEnabled) {
    Write-Host "    Billing is already enabled — skipping."
 } else {
-    Write-Host ""
+    Write-Host "    Billing NOT enabled. Listing accounts..."
-    Write-Host "    Billing is NOT enabled on this project."
+    gcloud billing accounts list --format='table(name,displayName,open)' 2>$null
-    Write-Host "    Listing available billing accounts..."
+    $BILLING_ACCOUNT_ID = Read-Host "    Enter BILLING_ACCOUNT_ID"
-    Write-Host ""
+    gcloud billing projects link $GCP_PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID 2>$null
-    gcloud billing accounts list --format="table(name,displayName,open)"
+    if ($LASTEXITCODE -ne 0) { Write-Error "Failed to link billing."; exit 1 }
    Write-Host ""
    $BILLING_ACCOUNT_ID = Read-Host "    Enter the BILLING_ACCOUNT_ID from the list above (format: XXXXXX-XXXXXX-XXXXXX)"
    gcloud billing projects link $GCP_PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID
    Write-Host "    Billing linked."
 }
 # ── Step 2: Enable required APIs ─────────────────────────────────────────────
 Write-Host ""
-Write-Host ">>> Enabling required Google Cloud APIs (this may take a minute)..."
+Write-Host ">>> Enabling required APIs..."
-gcloud services enable `
+gcloud services enable run.googleapis.com artifactregistry.googleapis.com secretmanager.googleapis.com cloudresourcemanager.googleapis.com --project=$GCP_PROJECT_ID 2>$null
-    run.googleapis.com `
+if ($LASTEXITCODE -ne 0) { Write-Error "Failed to enable APIs."; exit 1 }
    artifactregistry.googleapis.com `
    secretmanager.googleapis.com `
    cloudresourcemanager.googleapis.com `
    --project=$GCP_PROJECT_ID
 Write-Host "    APIs enabled."
 # ── Step 3: Create Artifact Registry Docker repository ───────────────────────
 Write-Host ""
-Write-Host ">>> Creating Artifact Registry repository: $GCP_REPOSITORY ..."
+Write-Host ">>> Checking Artifact Registry repository: $GCP_REPOSITORY ..."
-$repoExists = $false
+gcloud artifacts repositories describe $GCP_REPOSITORY --location=$GCP_REGION --project=$GCP_PROJECT_ID 2>$null | Out-Null
-try {
+if ($LASTEXITCODE -eq 0) {
-    gcloud artifacts repositories describe $GCP_REPOSITORY `
+    Write-Host "    Repository already exists."
        --location=$GCP_REGION `
        --project=$GCP_PROJECT_ID 2>$null | Out-Null
    $repoExists = $true
 } catch { }
 if ($repoExists) {
    Write-Host "    Repository already exists — skipping."
 } else {
-    gcloud artifacts repositories create $GCP_REPOSITORY `
+    Write-Host "    Creating repository..."
-        --repository-format=docker `
+    gcloud artifacts repositories create $GCP_REPOSITORY --repository-format=docker --location=$GCP_REGION --description="Container images for Htmx app" --project=$GCP_PROJECT_ID 2>$null
-        --location=$GCP_REGION `
+    if ($LASTEXITCODE -ne 0) { Write-Error "Failed to create repository."; exit 1 }
        --description="Container images for Htmx app" `
        --project=$GCP_PROJECT_ID
    Write-Host "    Repository created."
 }
-# ── Step 4: Grant current user the minimum required IAM roles ─────────────────
+$CURRENT_USER = (gcloud config get-value account 2>$null).Trim()
 $CURRENT_USER = (gcloud config get-value account).Trim()
 Write-Host ""
 Write-Host ">>> Granting IAM roles to $CURRENT_USER ..."
-
+foreach ($role in @("roles/run.developer","roles/artifactregistry.writer","roles/iam.serviceAccountUser","roles/secretmanager.admin","roles/secretmanager.secretAccessor","roles/secretmanager.secretVersionAdder")) {
-foreach ($role in @(
+    Write-Host "    $role"
-    "roles/run.developer",
+    gcloud projects add-iam-policy-binding $GCP_PROJECT_ID --member="user:$CURRENT_USER" --role=$role --quiet 2>$null | Out-Null
    "roles/artifactregistry.writer",
    "roles/iam.serviceAccountUser",
    "roles/secretmanager.admin",
    "roles/secretmanager.secretAccessor",
    "roles/secretmanager.secretVersionAdder"
 )) {
    Write-Host "    Adding role: $role"
    gcloud projects add-iam-policy-binding $GCP_PROJECT_ID `
        --member="user:$CURRENT_USER" `
        --role=$role `
        --quiet
 }
 Write-Host ""
 Write-Host ">>> Project setup complete."
 Write-Host ""
 Write-Host ">>> Summary:"
 Write-Host "    Project ID:          $GCP_PROJECT_ID"
 Write-Host "    Region:              $GCP_REGION"
 Write-Host "    Artifact Registry:   $GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_REPOSITORY"
 Write-Host ""
 Write-Host ">>> Next step: run GCR\scripts\03-create-secrets.ps1"
@@ -1,122 +1,57 @@
-# =============================================================================
+#Requires -Version 5.1
-# 03-create-secrets.ps1  (Windows)
+param()
 # Creates and configures secrets in Google Cloud Secret Manager.
 #
 # Run this after 02-setup-project.ps1 to set up sensitive configuration
 # values (e.g., MongoDB connection string).
 #
 # Linux users: run GCR/scripts/03-create-secrets.sh instead.
 # =============================================================================
 #Requires -Version 5.1
 Set-StrictMode -Version Latest
-$ErrorActionPreference = 'Stop'
+$ErrorActionPreference = 'Continue'
 $ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
 $EnvFile   = Join-Path $ScriptDir "..\\.env"
-
+if (-not (Test-Path $EnvFile)) { Write-Error "ERROR: $EnvFile not found."; exit 1 }
 # ── Load .env ─────────────────────────────────────────────────────────────────
 if (-not (Test-Path $EnvFile)) {
    Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
    exit 1
 }
 $config = @{}
 foreach ($line in Get-Content $EnvFile) {
    if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
-    if ($line -match '^([^=]+)=(.*)$') {
+    if ($line -match '^([^=]+)=(.*)$') { $config[$Matches[1].Trim()] = $Matches[2].Trim() }
        $config[$Matches[1].Trim()] = $Matches[2].Trim()
    }
 }
-$GCP_PROJECT_ID = $config['GCP_PROJECT_ID'] ?? ''
+$GCP_PROJECT_ID = if ($config['GCP_PROJECT_ID']) { $config['GCP_PROJECT_ID'] } else { '' }
-if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID is not set in .env"; exit 1 }
+if (-not $GCP_PROJECT_ID) { Write-Error "GCP_PROJECT_ID not set"; exit 1 }
 Write-Host "================================================================"
-Write-Host "  Google Cloud Secret Manager setup"
+Write-Host "  Google Cloud Secret Manager setup - Project: $GCP_PROJECT_ID"
 Write-Host "================================================================"
 Write-Host "  Project: $GCP_PROJECT_ID"
 Write-Host ""
-# ── Helper function to create or update a secret ──────────────────────────────
+$SecretName = "mongodb-connection-string"
-function New-OrUpdateSecret {
+Write-Host ">>> Secret: $SecretName"
-    param(
+Write-Host "    MongoDB connection URI (e.g. mongodb+srv://user:pass@cluster.mongodb.net)"
-        [string]$SecretName,
+$val = Read-Host "    Enter value" -AsSecureString
-        [string]$SecretPrompt
+$plain = [System.Net.NetworkCredential]::new("", $val).Password
-    )
+$tmp = [System.IO.Path]::GetTempFileName()
-
+try {
-    Write-Host ">>> Setting up secret: $SecretName"
+    [System.IO.File]::WriteAllText($tmp, $plain, [System.Text.Encoding]::UTF8)
    Write-Host "    $SecretPrompt"
    # Read secret without echo
    $SecretValue = Read-Host "    Enter value (will not be echoed)" -AsSecureString
    $PlainValue = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto(
        [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUni($SecretValue)
    )
    # Write to temp file without trailing newline to avoid contaminating the secret
    $TempFile = [System.IO.Path]::GetTempFileName()
    try {
        [System.IO.File]::WriteAllText($TempFile, $PlainValue, [System.Text.Encoding]::UTF8)
        $secretExists = $false
        try {
    gcloud secrets describe $SecretName --project=$GCP_PROJECT_ID 2>$null | Out-Null
-            $secretExists = $true
+    if ($LASTEXITCODE -eq 0) {
-        } catch { }
+        gcloud secrets versions add $SecretName --data-file=$tmp --project=$GCP_PROJECT_ID 2>$null | Out-Null
        if ($secretExists) {
            Write-Host "    Secret already exists — creating new version..."
            gcloud secrets versions add $SecretName `
                --data-file=$TempFile `
                --project=$GCP_PROJECT_ID
    } else {
-            Write-Host "    Creating new secret..."
+        gcloud secrets create $SecretName --data-file=$tmp --replication-policy=automatic --project=$GCP_PROJECT_ID 2>$null | Out-Null
            gcloud secrets create $SecretName `
                --data-file=$TempFile `
                --replication-policy="automatic" `
                --project=$GCP_PROJECT_ID
    }
-    } finally {
+    if ($LASTEXITCODE -ne 0) { Write-Error "Failed to save secret."; exit 1 }
-        Remove-Item $TempFile -Force -ErrorAction SilentlyContinue
+} finally {
-    }
+    Remove-Item $tmp -Force -ErrorAction SilentlyContinue
    Write-Host "    ✓ Secret '$SecretName' ready."
    Write-Host ""
 }
 Write-Host "    Secret saved."
 Write-Host ""
 # ── Step 1: Create MongoDB connection string secret ──────────────────────────
 New-OrUpdateSecret `
    "mongodb-connection-string" `
    "MongoDB Atlas or self-hosted connection URI (e.g., mongodb+srv://user:pass@cluster.mongodb.net)"
 # ── Step 2: Grant Cloud Run service account access to secrets ─────────────────
 Write-Host ">>> Granting Cloud Run service account access to secrets..."
-Write-Host ""
+$PROJECT_NUMBER = (gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)' 2>$null).Trim()
-
+$APPENGINE_SA = "$GCP_PROJECT_ID@appspot.gserviceaccount.com"
-# Get the default Cloud Run service account for this project
+$COMPUTE_SA = "$PROJECT_NUMBER-compute@developer.gserviceaccount.com"
-$SERVICE_ACCOUNT = "$GCP_PROJECT_ID@appspot.gserviceaccount.com"
+gcloud iam service-accounts describe $APPENGINE_SA --project=$GCP_PROJECT_ID 2>$null | Out-Null
-
+$SA = if ($LASTEXITCODE -eq 0) { $APPENGINE_SA } else { $COMPUTE_SA }
-foreach ($SECRET_NAME in @("mongodb-connection-string")) {
+Write-Host "    Granting secretAccessor on '$SecretName' to: $SA"
-    Write-Host "    Granting Secret Accessor role for '$SECRET_NAME' to $SERVICE_ACCOUNT"
+gcloud secrets add-iam-policy-binding $SecretName --member="serviceAccount:$SA" --role=roles/secretmanager.secretAccessor --project=$GCP_PROJECT_ID --quiet 2>$null | Out-Null
-    gcloud secrets add-iam-policy-binding $SECRET_NAME `
+if ($LASTEXITCODE -ne 0) { Write-Error "Failed to grant access."; exit 1 }
        --member="serviceAccount:$SERVICE_ACCOUNT" `
        --role="roles/secretmanager.secretAccessor" `
        --project=$GCP_PROJECT_ID `
        --quiet
 }
 Write-Host ""
-Write-Host "================================================================"
+Write-Host ">>> Secrets setup complete."
 Write-Host "  Secret Manager setup complete!"
 Write-Host "================================================================"
 Write-Host ""
 Write-Host ">>> Summary:"
 Write-Host "    Secrets created:"
 Write-Host "      • mongodb-connection-string"
 Write-Host ""
 Write-Host "    Service account granted access:"
 Write-Host "      • $SERVICE_ACCOUNT"
 Write-Host ""
 Write-Host ">>> Next step: run GCR\scripts\04-deploy.ps1"
 Write-Host "    (The deploy script will automatically inject secrets into"
 Write-Host "     the running container.)"
@@ -1,112 +1,54 @@
-# =============================================================================
+#Requires -Version 5.1
-# 04-deploy.ps1  (Windows)
+param([string]$Tag)
 # Builds the Docker image, pushes it to Artifact Registry, and deploys it
 # to Cloud Run — all in one command.
 #
 # Usage:
 #   .\GCR\scripts\04-deploy.ps1              # deploy with tag = git short SHA
 #   .\GCR\scripts\04-deploy.ps1 -Tag my-tag  # deploy with a custom tag
 #
 # Prerequisites:
 #   1. GCR\.env exists and is filled in  (copy from GCR\.env.example)
 #   2. 01-login.ps1 has been run (gcloud auth + Docker configured)
 #   3. 02-setup-project.ps1 has been run (APIs enabled, repo created)
 #   4. 03-create-secrets.ps1 has been run (MongoDB secret created)
 #   5. Docker Desktop is running
 #
 # Linux users: run GCR/scripts/04-deploy.sh instead.
 # =============================================================================
 #Requires -Version 5.1
 [CmdletBinding()]
 param(
    [string]$Tag = ""
 )
 Set-StrictMode -Version Latest
-$ErrorActionPreference = 'Stop'
+$ErrorActionPreference = 'Continue'
 $ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
 $RepoRoot  = (Resolve-Path (Join-Path $ScriptDir "..\..")).Path
 $EnvFile   = Join-Path $ScriptDir "..\\.env"
-
+if (-not (Test-Path $EnvFile)) { Write-Error "ERROR: $EnvFile not found."; exit 1 }
 # ── Load .env ─────────────────────────────────────────────────────────────────
 if (-not (Test-Path $EnvFile)) {
    Write-Error "ERROR: $EnvFile not found.`nCopy GCR\.env.example to GCR\.env and fill in your values first."
    exit 1
 }
 $config = @{}
 foreach ($line in Get-Content $EnvFile) {
    if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
-    if ($line -match '^([^=]+)=(.*)$') {
+    if ($line -match '^([^=]+)=(.*)$') { $config[$Matches[1].Trim()] = $Matches[2].Trim() }
        $config[$Matches[1].Trim()] = $Matches[2].Trim()
    }
 }
-$GCP_PROJECT_ID        = $config['GCP_PROJECT_ID']        ?? ''
+$GCP_PROJECT_ID        = if ($config['GCP_PROJECT_ID'])        { $config['GCP_PROJECT_ID'] }        else { '' }
-$GCP_REGION            = $config['GCP_REGION']            ?? ''
+$GCP_REGION            = if ($config['GCP_REGION'])            { $config['GCP_REGION'] }            else { '' }
-$GCP_REPOSITORY        = $config['GCP_REPOSITORY']        ?? ''
+$GCP_REPOSITORY        = if ($config['GCP_REPOSITORY'])        { $config['GCP_REPOSITORY'] }        else { '' }
-$SERVICE_NAME          = $config['SERVICE_NAME']          ?? ''
+$SERVICE_NAME          = if ($config['SERVICE_NAME'])          { $config['SERVICE_NAME'] }          else { '' }
-$MONGODB_DATABASE_NAME = $config['MONGODB_DATABASE_NAME'] ?? 'HtmxAppDb'
+$MONGODB_DATABASE_NAME = if ($config['MONGODB_DATABASE_NAME']) { $config['MONGODB_DATABASE_NAME'] } else { 'HtmxAppDb' }
-# Note: MONGODB_CONNECTION_STRING is stored in Secret Manager (mongodb-connection-string)
+if (-not $GCP_PROJECT_ID)   { Write-Error "GCP_PROJECT_ID not set";   exit 1 }
 if (-not $GCP_REGION)       { Write-Error "GCP_REGION not set";       exit 1 }
 if (-not $GCP_REPOSITORY)   { Write-Error "GCP_REPOSITORY not set";   exit 1 }
 if (-not $SERVICE_NAME)     { Write-Error "SERVICE_NAME not set";     exit 1 }
-if (-not $GCP_PROJECT_ID)   { Write-Error "GCP_PROJECT_ID is not set in .env";   exit 1 }
+gcloud secrets describe mongodb-connection-string --project=$GCP_PROJECT_ID 2>$null | Out-Null
-if (-not $GCP_REGION)       { Write-Error "GCP_REGION is not set in .env";       exit 1 }
+if ($LASTEXITCODE -ne 0) {
-if (-not $GCP_REPOSITORY)   { Write-Error "GCP_REPOSITORY is not set in .env";   exit 1 }
+    Write-Host ">>> Required secrets not configured."
-if (-not $SERVICE_NAME)     { Write-Error "SERVICE_NAME is not set in .env";     exit 1 }
+    $ans = Read-Host "    Run 03-create-secrets.ps1 now? [y/N]"
-
+    if ($ans -match '^[Yy]$') {
 # Note: MONGODB_CONNECTION_STRING is stored in Secret Manager
 function Test-SecretsReady {
    $serviceAccount = "serviceAccount:$GCP_PROJECT_ID@appspot.gserviceaccount.com"
    try {
        gcloud secrets describe mongodb-connection-string --project=$GCP_PROJECT_ID 2>$null | Out-Null
    } catch {
        return $false
    }
    $binding = gcloud secrets get-iam-policy mongodb-connection-string `
        --project=$GCP_PROJECT_ID `
        --flatten="bindings[].members" `
        --filter="bindings.role=roles/secretmanager.secretAccessor AND bindings.members=$serviceAccount" `
        --format="value(bindings.members)" 2>$null
    return ($binding -match [regex]::Escape($serviceAccount))
 }
 if (-not (Test-SecretsReady)) {
    Write-Host ""
    Write-Host ">>> Required secrets are not fully configured yet."
    $runSecretSetup = Read-Host "    Run GCR\scripts\03-create-secrets.ps1 now? [y/N]"
    if ($runSecretSetup -match '^[Yy]$') {
        & (Join-Path $ScriptDir "03-create-secrets.ps1")
        gcloud secrets describe mongodb-connection-string --project=$GCP_PROJECT_ID 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Error "Secret setup failed."; exit 1 }
    } else {
-        Write-Host ""
+        Write-Error "Run 03-create-secrets.ps1 first."; exit 1
        Write-Error "Deployment requires secret setup first. Run: .\GCR\scripts\03-create-secrets.ps1"
        exit 1
    }
    if (-not (Test-SecretsReady)) {
        Write-Host ""
        Write-Error "Secret setup check still failing after running 03-create-secrets.ps1."
        exit 1
    }
 }
 $bindings = gcloud secrets get-iam-policy mongodb-connection-string --project=$GCP_PROJECT_ID --flatten='bindings[].members' --filter='bindings.role=roles/secretmanager.secretAccessor' --format='value(bindings.members)' 2>$null
 if ([string]::IsNullOrWhiteSpace($bindings)) {
    Write-Error "No service account has secretAccessor access. Run 03-create-secrets.ps1 first."
    exit 1
 }
 # ── Determine image tag ────────────────────────────────────────────────────────
 if (-not $Tag) {
-    # Default to git short SHA if inside a git repo; otherwise use timestamp
+    try { $Tag = (git rev-parse --short HEAD 2>$null).Trim() } catch { }
-    try {
+    if ([string]::IsNullOrWhiteSpace($Tag)) { $Tag = (Get-Date -Format "yyyyMMdd-HHmmss") }
        $Tag = (git -C $RepoRoot rev-parse --short HEAD 2>$null).Trim()
    } catch { }
    if (-not $Tag) {
        $Tag = (Get-Date -Format "yyyyMMddHHmmss")
    }
 }
-$REGISTRY  = "$GCP_REGION-docker.pkg.dev"
+$IMAGE = "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_REPOSITORY/htmx-demo-app:$Tag"
-$IMAGE_URI = "$REGISTRY/$GCP_PROJECT_ID/$GCP_REPOSITORY/${SERVICE_NAME}:$Tag"
+$contextDir = Split-Path -Parent (Split-Path -Parent $ScriptDir)
 Write-Host "================================================================"
 Write-Host "  Htmx -> Cloud Run deployment"
@@ -114,81 +56,40 @@ Write-Host "================================================================"
 Write-Host "  Project:   $GCP_PROJECT_ID"
 Write-Host "  Region:    $GCP_REGION"
 Write-Host "  Service:   $SERVICE_NAME"
-Write-Host "  Image:     $IMAGE_URI"
+Write-Host "  Image:     $IMAGE"
 Write-Host "================================================================"
 Write-Host ""
-# ── Step 1: Ensure package-lock.json exists (required for `npm ci`) ───────────
+docker info 2>$null | Out-Null
-$LockFile = Join-Path $RepoRoot "Htmx.ApiDemo\package-lock.json"
+if ($LASTEXITCODE -ne 0) {
-if (-not (Test-Path $LockFile)) {
+    Write-Error "Docker is not running. Start Docker Desktop first."
-    Write-Host ">>> package-lock.json not found. Generating it now..."
+    exit 1
    Write-Host "    (This requires node + npm to be installed locally)"
    Push-Location (Join-Path $RepoRoot "Htmx.ApiDemo")
    npm install --package-lock-only
    Pop-Location
    Write-Host "    package-lock.json generated. Commit it to the repository."
    Write-Host ""
 }
 # ── Step 2: Build the Docker image ────────────────────────────────────────────
 Write-Host ">>> Building Docker image..."
-Write-Host "    Context:    $RepoRoot"
+$env:DOCKER_BUILDKIT = "1"
-Write-Host "    Dockerfile: GCR\Dockerfile"
+docker build -t $IMAGE -f "$contextDir\GCR\Dockerfile" $contextDir
-Write-Host ""
+if ($LASTEXITCODE -ne 0) { Write-Error "Docker build failed."; exit 1 }
-
+Write-Host ">>> Image built: $IMAGE"
 # Build from repo root so COPY instructions can reach both project directories.
 # Docker on Windows accepts forward slashes in --file.
 $DockerFile = Join-Path $RepoRoot "GCR\Dockerfile"
 docker build --file $DockerFile --tag $IMAGE_URI $RepoRoot
 Write-Host ""
-Write-Host ">>> Image built: $IMAGE_URI"
+Write-Host ">>> Pushing to Artifact Registry..."
-
+docker push $IMAGE
-# ── Step 3: Push image to Artifact Registry ───────────────────────────────────
+if ($LASTEXITCODE -ne 0) { Write-Error "Docker push failed."; exit 1 }
 Write-Host ""
 Write-Host ">>> Pushing image to Artifact Registry..."
 docker push $IMAGE_URI
 Write-Host ">>> Push complete."
 # ── Step 4: Deploy to Cloud Run via docker-compose.yml ───────────────────────
 Write-Host ""
 Write-Host ">>> Deploying to Cloud Run..."
 gcloud run services update $SERVICE_NAME --project=$GCP_PROJECT_ID --region=$GCP_REGION --image=$IMAGE --set-env-vars=MONGODB_DATABASE_NAME=$MONGODB_DATABASE_NAME --set-secrets=ConnectionStrings__DefaultConnection=mongodb-connection-string:latest --allow-unauthenticated 2>$null
 if ($LASTEXITCODE -ne 0) {
    Write-Host "    Service not found, creating..."
    gcloud run deploy $SERVICE_NAME --project=$GCP_PROJECT_ID --region=$GCP_REGION --image=$IMAGE --set-env-vars=MONGODB_DATABASE_NAME=$MONGODB_DATABASE_NAME --set-secrets=ConnectionStrings__DefaultConnection=mongodb-connection-string:latest --allow-unauthenticated 2>$null
    if ($LASTEXITCODE -ne 0) { Write-Error "Deployment failed."; exit 1 }
 }
 Write-Host ">>> Deployment complete."
-# Set env vars consumed by docker-compose.yml variable substitution
+$SERVICE_URL = (gcloud run services describe $SERVICE_NAME --region=$GCP_REGION --project=$GCP_PROJECT_ID --format='value(status.url)' 2>$null).Trim()
 $env:IMAGE_URI             = $IMAGE_URI
 $env:MONGODB_DATABASE_NAME = $MONGODB_DATABASE_NAME
 $ComposeFile = Join-Path $RepoRoot "GCR\docker-compose.yml"
 gcloud run services replace $ComposeFile `
    --region=$GCP_REGION `
    --project=$GCP_PROJECT_ID
 # ── Step 4b: Inject MongoDB connection string from Secret Manager ────────────
 Write-Host ""
 Write-Host ">>> Injecting MongoDB connection string from Secret Manager..."
 gcloud run services update $SERVICE_NAME `
    --region=$GCP_REGION `
    --project=$GCP_PROJECT_ID `
    --set-secrets="ConnectionStrings__DefaultConnection=mongodb-connection-string:latest"
 # ── Step 5: Make the service publicly accessible ──────────────────────────────
 # Remove this block if you want the service to require authentication.
 Write-Host ""
 Write-Host ">>> Allowing public (unauthenticated) access to the service..."
 gcloud run services add-iam-policy-binding $SERVICE_NAME `
    --region=$GCP_REGION `
    --project=$GCP_PROJECT_ID `
    --member="allUsers" `
    --role="roles/run.invoker"
 # ── Print service URL ─────────────────────────────────────────────────────────
 Write-Host ""
 $SERVICE_URL = (gcloud run services describe $SERVICE_NAME `
    --region=$GCP_REGION `
    --project=$GCP_PROJECT_ID `
    --format="value(status.url)").Trim()
 Write-Host "================================================================"
-Write-Host "  Deployment complete!"
+Write-Host "  Done! Service URL: $SERVICE_URL"
 Write-Host "  Service URL: $SERVICE_URL"
 Write-Host "================================================================"
@@ -1,13 +1,18 @@
 using System.Text.Json.Serialization;
 using Htmx.ApiDemo.Templates;
 using Microsoft.AspNetCore.Http;
 namespace Htmx.ApiDemo;
 [JsonSerializable(typeof(string))]
 [JsonSerializable(typeof(Task),                  GenerationMode = JsonSourceGenerationMode.Metadata)]
 [JsonSerializable(typeof(ValueTask),             GenerationMode = JsonSourceGenerationMode.Metadata)]
 [JsonSerializable(typeof(IResult),               GenerationMode = JsonSourceGenerationMode.Metadata)]
 [JsonSerializable(typeof(Task<IResult>),         GenerationMode = JsonSourceGenerationMode.Metadata)]
 [JsonSerializable(typeof(ValueTask<IResult>),    GenerationMode = JsonSourceGenerationMode.Metadata)]
 [JsonSerializable(typeof(PostLoginHandler.Command),    TypeInfoPropertyName = "LoginCommand")]
 [JsonSerializable(typeof(PostRegisterHandler.Command), TypeInfoPropertyName = "RegisterCommand")]
 [JsonSerializable(typeof(PostLogoutHandler.Command),   TypeInfoPropertyName = "LogoutCommand")]
 internal partial class AppJsonSerializerContext : JsonSerializerContext
 {
 }
@@ -13,8 +13,19 @@
    <EnableRequestDelegateGenerator>true</EnableRequestDelegateGenerator>
    <PublishAot>true</PublishAot>
    <InterceptorsPreviewNamespaces>$(InterceptorsPreviewNamespaces);Immediate.Apis.Generators</InterceptorsPreviewNamespaces>
    <!--
      IL2026 warnings come from STJ-generated serializers for Task → AggregateException → Exception.TargetSite.
      We register Task/ValueTask in AppJsonSerializerContext only so RequestDelegateFactory.GetTypeInfo()
      doesn't throw at startup — we never actually serialize a Task. TargetSite is unsupported in
      NativeAOT anyway, so suppressing this warning here is safe.
    -->
    <NoWarn>$(NoWarn);IL2026</NoWarn>
  </PropertyGroup>
  <ItemGroup>
    <RdXmlFile Include="rd.xml" />
  </ItemGroup>
  <ItemGroup>
    <CompilerVisibleProperty Include="RootNamespace" />
    <CompilerVisibleProperty Include="MSBuildProjectDirectory" />
@@ -12,7 +12,7 @@ namespace Htmx.ApiDemo;
 /// </summary>
 public static class HtmxPageExtensions
 {
-    public static void WriteHtmxPage(
+    public static HtmxResult WriteHtmxPage(
        this HttpContext ctx,
        IHtmxComponent body,
        string title     = "App",
@@ -21,24 +21,20 @@ public static class HtmxPageExtensions
    {
        if (ctx.Request.Headers.ContainsKey("HX-Request"))
        {
            // Partial swap: tell HTMX to update the browser <title> tag
            ctx.Response.Headers["HX-Title"] = title;
-            ctx.WriteHtmxBody(body);
+            return ctx.WriteHtmxBody(body);
        }
        else
        {
            // Resolve display name: prefer DisplayName claim, fall back to email/name
            string? userName = ctx.User.Identity?.IsAuthenticated == true
                ? (ctx.User.FindFirst("DisplayName")?.Value
                   ?? ctx.User.FindFirst(System.Security.Claims.ClaimTypes.Name)?.Value)
                : null;
            // Resolve antiforgery token for the logout form in the layout
            var antiforgery = ctx.RequestServices.GetRequiredService<IAntiforgery>();
            var afTokens    = antiforgery.GetAndStoreTokens(ctx);
-            // Full page load: wrap in the shell layout
+            return ctx.WriteHtmxBody(new Templates.MainLayout(body, title, appName, pageTitle, userName, afTokens.RequestToken));
            ctx.WriteHtmxBody(new Templates.MainLayout(body, title, appName, pageTitle, userName, afTokens.RequestToken));
        }
    }
 }
@@ -0,0 +1,31 @@
 using Microsoft.AspNetCore.Http;
 namespace Htmx.ApiDemo;
 /// <summary>
 /// IResult implementation for rendering Htmx components as HTML or issuing redirects.
 /// Defined as user code (not source-generated) so that RequestDelegateGenerator can
 /// see it and emit NativeAOT-safe endpoint interceptors for lambdas returning this type.
 /// </summary>
 public readonly struct HtmxResult : IResult
 {
    private readonly IHtmxComponent? _component;
    private readonly string? _redirectUrl;
    public HtmxResult(IHtmxComponent component) { _component = component; _redirectUrl = null; }
    public HtmxResult(string redirectUrl)        { _component = null; _redirectUrl = redirectUrl; }
    public Task ExecuteAsync(HttpContext context)
    {
        if (_redirectUrl is not null)
        {
            context.Response.Redirect(_redirectUrl);
            return Task.CompletedTask;
        }
        context.Response.ContentType = "text/html; charset=utf-8";
        var writerContext = new HtmxRenderContext(context.Response.BodyWriter);
        _component!.Render(writerContext);
        return Task.CompletedTask;
    }
 }
@@ -9,9 +9,16 @@ using MongoDB.Bson.Serialization;
 using MongoDB.Bson.Serialization.Serializers;
 using MongoDB.Driver;
 // ── Explicit serializer registrations — force AOT to preserve constructors ─
 BsonSerializer.RegisterSerializer(new ObjectIdSerializer());
 BsonSerializer.RegisterSerializer(new StringSerializer());
 BsonSerializer.RegisterSerializer(new DateTimeSerializer());
 BsonSerializer.RegisterSerializer(new BooleanSerializer());
 BsonSerializer.RegisterSerializer(new NullableSerializer<DateTime>(new DateTimeSerializer()));
 // ── Explicit BsonClassMap — no AutoMap() reflection, fully AOT-safe ───────
 BsonClassMap.RegisterClassMap<AppUser>(cm =>
 {
    cm.AutoMap();
    cm.MapIdProperty(u => u.Id).SetSerializer(new ObjectIdSerializer());
    cm.MapProperty(u => u.Email).SetElementName("email");
    cm.MapProperty(u => u.NormalizedEmail).SetElementName("normalizedEmail");
@@ -95,6 +102,47 @@ app.Use(async (context, next) =>
    await next();
 });
-app.MapHtmxApiDemoEndpoints();
+// Explicit MapGet/MapPost so RequestDelegateGenerator can intercept and emit
 // NativeAOT-safe endpoint code. Handlers return ValueTask<IResult> which the
 // generator knows how to handle: it emits `await result.ExecuteAsync(httpContext)`.
 app.MapGet("/", static (
    [AsParameters] Htmx.ApiDemo.Templates.GetIndexHandler.Command cmd,
    Htmx.ApiDemo.Templates.GetIndexHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(cmd, token));
 app.MapGet("/greet/{username}/{count?}/{id?}", static (
    [AsParameters] Htmx.ApiDemo.Templates.GetGreetingHandler.Query query,
    Htmx.ApiDemo.Templates.GetGreetingHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(query, token));
 app.MapGet("/login", static (
    [AsParameters] Htmx.ApiDemo.Templates.GetLoginHandler.Query query,
    Htmx.ApiDemo.Templates.GetLoginHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(query, token));
 app.MapPost("/login", static (
    [AsParameters] Htmx.ApiDemo.Templates.PostLoginHandler.Command cmd,
    Htmx.ApiDemo.Templates.PostLoginHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(cmd, token));
 app.MapGet("/register", static (
    [AsParameters] Htmx.ApiDemo.Templates.GetRegisterHandler.Query query,
    Htmx.ApiDemo.Templates.GetRegisterHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(query, token));
 app.MapPost("/register", static (
    [AsParameters] Htmx.ApiDemo.Templates.PostRegisterHandler.Command cmd,
    Htmx.ApiDemo.Templates.PostRegisterHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(cmd, token));
 app.MapPost("/logout", static (
    [AsParameters] Htmx.ApiDemo.Templates.PostLogoutHandler.Command cmd,
    Htmx.ApiDemo.Templates.PostLogoutHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(cmd, token));
 app.MapGet("/ui-demo", static (
    [AsParameters] Htmx.ApiDemo.Templates.GetUiDemoHandler.Query query,
    Htmx.ApiDemo.Templates.GetUiDemoHandler.Handler handler,
    CancellationToken token) => handler.HandleAsync(query, token));
 app.Run();
@@ -1,5 +1,7 @@
 using Immediate.Apis.Shared;
 using Immediate.Handlers.Shared;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 namespace Htmx.ApiDemo.Templates;
@@ -21,9 +23,14 @@ public sealed class Greeting : GreetingBase
 [MapGet("/greet/{username}/{count?}/{id?}")]
 public static partial class GetGreetingHandler
 {
-    public record Query(string Username, int? Count, Guid? Id);
+    public class Query
    {
        [FromRoute] public string  Username { get; set; } = default!;
        [FromRoute] public string? Count    { get; set; }
        [FromRoute] public string? Id       { get; set; }
    }
-    private static ValueTask HandleAsync(
+    private static ValueTask<IResult> HandleAsync(
        Query query,
        IHttpContextAccessor httpContextAccessor,
        CancellationToken token)
@@ -31,8 +38,9 @@ public static partial class GetGreetingHandler
        var context = httpContextAccessor.HttpContext
            ?? throw new InvalidOperationException("HttpContext is not available.");
-        var template = new Greeting { Username = query.Username, Count = query.Count + 1 ?? 0, GreetingId = query.Id ?? Guid.NewGuid() };
+        var count = int.TryParse(query.Count, out var parsedCount) ? parsedCount + 1 : 0;
-        context.WriteHtmxBody(template);
+        var greetingId = Guid.TryParse(query.Id, out var parsedId) ? parsedId : Guid.NewGuid();
-        return ValueTask.CompletedTask;
+        var template = new Greeting { Username = query.Username, Count = count, GreetingId = greetingId };
        return ValueTask.FromResult<IResult>(context.WriteHtmxBody(template));
    }
 }
@@ -2,6 +2,7 @@ using Htmx.ApiDemo.Data;
 using Immediate.Apis.Shared;
 using Immediate.Handlers.Shared;
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 namespace Htmx.ApiDemo.Templates;
@@ -31,9 +32,9 @@ public sealed class Login : LoginBase
 [MapGet("/login")]
 public static partial class GetLoginHandler
 {
-    public record Query;
+    public class Query;
-    private static ValueTask HandleAsync(
+    private static ValueTask<IResult> HandleAsync(
        Query _,
        IHttpContextAccessor httpContextAccessor,
        IAntiforgery antiforgery,
@@ -43,14 +44,10 @@ public static partial class GetLoginHandler
            ?? throw new InvalidOperationException("HttpContext is not available.");
        if (ctx.User.Identity?.IsAuthenticated == true)
-        {
+            return ValueTask.FromResult<IResult>(new HtmxResult("/"));
            ctx.Response.Redirect("/");
            return ValueTask.CompletedTask;
        }
        var afTokens = antiforgery.GetAndStoreTokens(ctx);
-        ctx.WriteHtmxPage(new Login(afToken: afTokens.RequestToken), title: "Sign in", appName: "HtmxApp", pageTitle: "Sign in");
+        return ValueTask.FromResult<IResult>(ctx.WriteHtmxPage(new Login(afToken: afTokens.RequestToken), title: "Sign in", appName: "HtmxApp", pageTitle: "Sign in"));
        return ValueTask.CompletedTask;
    }
 }
@@ -59,12 +56,13 @@ public static partial class GetLoginHandler
 [MapPost("/login")]
 public static partial class PostLoginHandler
 {
-    public record Command(
+    public class Command
-        [property: FromForm] string Email,
+    {
-        [property: FromForm] string Password
+        [FromForm] public string Email { get; set; } = default!;
-    );
+        [FromForm] public string Password { get; set; } = default!;
    }
-    private static async ValueTask HandleAsync(
+    private static async ValueTask<IResult> HandleAsync(
        [AsParameters] Command command,
        IHttpContextAccessor httpContextAccessor,
        IAntiforgery antiforgery,
@@ -77,12 +75,9 @@ public static partial class PostLoginHandler
        var (success, error) = await authService.LoginAsync(command.Email, command.Password);
        if (success)
-        {
+            return new HtmxResult("/");
            ctx.Response.Redirect("/");
            return;
        }
        var afTokens = antiforgery.GetAndStoreTokens(ctx);
-        ctx.WriteHtmxPage(new Login(error, afToken: afTokens.RequestToken), title: "Sign in", appName: "HtmxApp", pageTitle: "Sign in");
+        return ctx.WriteHtmxPage(new Login(error, afToken: afTokens.RequestToken), title: "Sign in", appName: "HtmxApp", pageTitle: "Sign in");
    }
 }
@@ -11,7 +11,7 @@ public static partial class PostLogoutHandler
 {
    // Empty command — [AsParameters] ensures form content-type is accepted
    // and antiforgery token in the form is validated by the middleware.
-    public record Command;
+    public class Command;
    private static async ValueTask HandleAsync(
        [AsParameters] Command _,
@@ -2,6 +2,7 @@ using Htmx.ApiDemo;
 using Htmx.ApiDemo.Templates.Components;
 using Immediate.Apis.Shared;
 using Immediate.Handlers.Shared;
 using Microsoft.AspNetCore.Http;
 namespace Htmx.ApiDemo.Templates;
@@ -73,9 +74,9 @@ public sealed class MainLayout : MainLayoutBase
 [MapGet("/")]
 public static partial class GetIndexHandler
 {
-    public record Command;
+    public class Command;
-    private static ValueTask HandleAsync(
+    private static ValueTask<IResult> HandleAsync(
        Command command,
        IHttpContextAccessor httpContextAccessor,
        CancellationToken token)
@@ -84,8 +85,6 @@ public static partial class GetIndexHandler
            ?? throw new InvalidOperationException("HttpContext is not available.");
        var greet  = new Greeting { Username = "Enciphered", Count = 0, GreetingId = Guid.NewGuid() };
-        context.WriteHtmxPage(greet, title: "Home", appName: "HtmxApp", pageTitle: "Home");
+        return ValueTask.FromResult<IResult>(context.WriteHtmxPage(greet, title: "Home", appName: "HtmxApp", pageTitle: "Home"));
        return ValueTask.CompletedTask;
    }
 }
@@ -2,6 +2,7 @@ using Htmx.ApiDemo.Data;
 using Immediate.Apis.Shared;
 using Immediate.Handlers.Shared;
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 namespace Htmx.ApiDemo.Templates;
@@ -31,9 +32,9 @@ public sealed class Register : RegisterBase
 [MapGet("/register")]
 public static partial class GetRegisterHandler
 {
-    public record Query;
+    public class Query;
-    private static ValueTask HandleAsync(
+    private static ValueTask<IResult> HandleAsync(
        Query _,
        IHttpContextAccessor httpContextAccessor,
        IAntiforgery antiforgery,
@@ -43,14 +44,10 @@ public static partial class GetRegisterHandler
            ?? throw new InvalidOperationException("HttpContext is not available.");
        if (ctx.User.Identity?.IsAuthenticated == true)
-        {
+            return ValueTask.FromResult<IResult>(new HtmxResult("/"));
            ctx.Response.Redirect("/");
            return ValueTask.CompletedTask;
        }
        var afTokens = antiforgery.GetAndStoreTokens(ctx);
-        ctx.WriteHtmxPage(new Register(afToken: afTokens.RequestToken), title: "Register", appName: "HtmxApp", pageTitle: "Create account");
+        return ValueTask.FromResult<IResult>(ctx.WriteHtmxPage(new Register(afToken: afTokens.RequestToken), title: "Register", appName: "HtmxApp", pageTitle: "Create account"));
        return ValueTask.CompletedTask;
    }
 }
@@ -59,14 +56,15 @@ public static partial class GetRegisterHandler
 [MapPost("/register")]
 public static partial class PostRegisterHandler
 {
-    public record Command(
+    public class Command
-        [property: FromForm] string Email,
+    {
-        [property: FromForm] string Password,
+        [FromForm] public string Email { get; set; } = default!;
-        [property: FromForm] string ConfirmPassword,
+        [FromForm] public string Password { get; set; } = default!;
-        [property: FromForm] string? DisplayName
+        [FromForm] public string ConfirmPassword { get; set; } = default!;
-    );
+        [FromForm] public string? DisplayName { get; set; }
    }
-    private static async ValueTask HandleAsync(
+    private static async ValueTask<IResult> HandleAsync(
        [AsParameters] Command command,
        IHttpContextAccessor httpContextAccessor,
        IAntiforgery antiforgery,
@@ -79,21 +77,17 @@ public static partial class PostRegisterHandler
        if (command.Password != command.ConfirmPassword)
        {
            var afTokens1 = antiforgery.GetAndStoreTokens(ctx);
-            ctx.WriteHtmxPage(new Register("Passwords do not match.", afToken: afTokens1.RequestToken),
+            return ctx.WriteHtmxPage(new Register("Passwords do not match.", afToken: afTokens1.RequestToken),
                title: "Register", appName: "HtmxApp", pageTitle: "Create account");
            return;
        }
        var (success, error) = await authService.RegisterAsync(command.Email, command.Password, command.DisplayName);
        if (success)
-        {
+            return new HtmxResult("/");
            ctx.Response.Redirect("/");
            return;
        }
        var afTokens2 = antiforgery.GetAndStoreTokens(ctx);
-        ctx.WriteHtmxPage(new Register(error, afToken: afTokens2.RequestToken),
+        return ctx.WriteHtmxPage(new Register(error, afToken: afTokens2.RequestToken),
            title: "Register", appName: "HtmxApp", pageTitle: "Create account");
    }
 }
@@ -1,6 +1,7 @@
 using Htmx.ApiDemo.Templates.Components;
 using Immediate.Apis.Shared;
 using Immediate.Handlers.Shared;
 using Microsoft.AspNetCore.Http;
 namespace Htmx.ApiDemo.Templates;
@@ -370,9 +371,9 @@ public sealed class UiDemo : UiDemoBase
 [MapGet("/ui-demo")]
 public static partial class GetUiDemoHandler
 {
-    public record Query;
+    public class Query;
-    private static ValueTask HandleAsync(
+    private static ValueTask<IResult> HandleAsync(
        Query query,
        IHttpContextAccessor httpContextAccessor,
        CancellationToken token)
@@ -381,8 +382,6 @@ public static partial class GetUiDemoHandler
            ?? throw new InvalidOperationException("HttpContext is not available.");
        var page = new UiDemo();
-        context.WriteHtmxPage(page, title: "UI Demo", appName: "HtmxApp", pageTitle: "UI Components");
+        return ValueTask.FromResult<IResult>(context.WriteHtmxPage(page, title: "UI Demo", appName: "HtmxApp", pageTitle: "UI Components"));
        return ValueTask.CompletedTask;
    }
 }
@@ -0,0 +1,17 @@
 <Directives xmlns="http://schemas.microsoft.com/netfx/2013/01/metadata">
  <!--
    NativeAOT runtime directives.
    1. MongoDB.Bson: preserve all serializer constructors used via reflection.
    2. Htmx.ApiDemo: preserve constructors of Query/Command types so that
       the runtime RequestDelegateFactory can bind [AsParameters] parameters.
    3. Microsoft.Extensions.Primitives: preserve StringValues coercion operators
       used by RequestDelegateFactory expression trees (StringValues → string).
    4. System.Private.CoreLib primitive types: preserve TryParse methods used
       by RequestDelegateFactory to bind route/query values.
  -->
  <Application>
    <Assembly Name="MongoDB.Bson"                    Dynamic="Required All" />
    <Assembly Name="Htmx.ApiDemo"                    Dynamic="Required All" />
    <Assembly Name="Microsoft.Extensions.Primitives" Dynamic="Required All" />
  </Application>
 </Directives>
@@ -25,6 +25,8 @@ namespace Htmx.SourceGenerator
 using System;
 using System.Buffers;
 using System.Runtime.CompilerServices;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 namespace {opt.RootNamespace};
@@ -67,12 +69,8 @@ public static class HtmxGeneratedExtensions
        writer.Advance(data.Length);
    }}
-    public static void WriteHtmxBody(this HttpContext context, IHtmxComponent component)
+    public static HtmxResult WriteHtmxBody(this HttpContext context, IHtmxComponent component)
-    {{
+        => new HtmxResult(component);
        context.Response.ContentType = ""text/html; charset=utf-8"";
        var writerContext = new HtmxRenderContext(context.Response.BodyWriter);
        component.Render(writerContext);
    }}
 }}";
                spc.AddSource("HtmxInfrastructure.g.cs", SourceText.From(infrastructureSource, Encoding.UTF8));
            });