Forms + mutations

Real form state, schema validation, server-side actions, automatic loader revalidation, and a no-JS path that works without the framework ever loading on the client.

The mental model

Forms in rogue are a marriage of two things you'd otherwise wire by hand: a client-side form-state library (think react-hook-form / Formik) and a server-side mutation endpoint (a POST route). The framework provides both sides + the wire between them.

On the page module, you export an actions map. Each action is a pair: a schema (validation rules used on both client and server) and a run function (the mutation itself, server-only). The schema lets the client do instant feedback as the user types, and the server enforces the same rules before it touches data — so you write the rules once.

In the component, useForm(actions.signup) returns an API you spread onto a regular

and its inputs. Submitting goes through fetch() when JS is loaded, and through a normal HTML form POST when it isn't — the server-side path is the same code either way, so the no-JS path keeps working without extra effort from you.

The shape

Putting both halves together looks like this:

// src/pages/signup.tsx
import type { ActionArgs } from './signup.types'
import { useForm, defineActions, redirect, invalid, formError } from '@jjordy/rogue/forms'

export const actions = defineActions({
  signup: {
    schema: {
      email: { type: 'email', required: 'Email is required' },
      password: { type: 'password', required: true, minLength: 8 },
      confirm: {
        required: true,
        validate: (v, all) => v === all.password ? null : 'must match',
      },
    },
    async run({ data, request }: ActionArgs<'signup'>) {
      if (await isTaken(data.email)) return invalid({ email: 'already registered' })
      await createUser(data)
      return redirect('/welcome')
    },
  },
})

export default function SignupPage() {
  const form = useForm(actions.signup)
  return (
    <form {...form.props}>
      {form.formError() && <div class="alert">{form.formError()}div>}

      <input {...form.field('email')} />
      <span class="err">{form.errors().email}span>

      <input {...form.field('password')} />
      <span class="err">{form.errors().password}span>

      <input {...form.field('confirm')} />
      <span class="err">{form.errors().confirm}span>

      <button disabled={form.submitting()}>
        {form.submitting() ? 'Creating…' : 'Sign up'}
      button>
    form>
  )
}

What's automatic

Form attributes: form.props sets method="POST", action="?_action=signup", and encType="multipart/form-data". The form submits natively if JS hasn't loaded.
Input bindings: form.field('email') returns name, value, onInput, onBlur, and aria-invalid — spread onto an , , or </code>. </li> <li> Submit lock: a second submit while one is in flight is rejected. Latest-wins for programmatic <code>form.submit()</code> calls. </li> <li> Validation cadence: errors hide until first submit. After that, each field validates on every keystroke so the user gets live feedback as they fix things. (Configurable: pass <code>{ mode: 'change' | 'blur' | 'submit' | 'submit-then-live' | 'touched' }</code> to <code>useForm()</code>.) </li> <li> Auto-revalidation: after a successful <code>run()</code> that doesn't redirect, the server re-runs the page's <code>loader()</code> and pushes the fresh data back. The page re-renders with new content. No navigation, no flash. </li> </ul> <h2>Validation</h2> A <code>schema</code> describes the rules for each field. The framework accepts two shapes and detects which you're using automatically — there's no setup or configuration switch. <h3>Built-in field map (zero deps)</h3> The simplest schema is a plain object: one entry per field, listing its constraints. It covers the common cases (required, length, pattern, type) and gives you an escape hatch via a custom <code>validate</code> function for everything else. <pre class="shiki" data-lang="jsx"><code>{ field: { type?: 'text' | 'email' | 'url' | 'number' | 'tel' | 'password' | 'file' required?: boolean | string // string is a custom error message minLength?: number; maxLength?: number min?: number; max?: number pattern?: RegExp | { value: RegExp; message: string } validate?(value, allValues): string | null | Promise<string | null> } }</code></pre> The <code>validate</code> escape hatch handles cross-field rules (password confirmation, mutually exclusive inputs) and anything else the built-in constraints don't cover. Returns the error message, or <code>null</code> for success. <h3>Any Standard Schema library</h3> Zod, Valibot, ArkType — anything that conforms to <a href="https://standardschema.dev" target="_blank" rel="noopener noreferrer"> standardschema.dev </a> works without configuration: <pre class="shiki" data-lang="jsx"><code>import { z } from 'zod' export const actions = defineActions({ signup: { schema: z.object({ email: z.string().email(), password: z.string().min(8).regex(/[A-Z]/, 'needs uppercase'), }), async run({ data }) { /* data: { email: string, password: string } */ }, }, })</code></pre> Neither library is bundled or required. The framework's adapter is ~50 lines and detects schema flavor via <code>safeParseAsync</code>. <h2>Action returns — telling the framework what happened</h2> <code>run()</code> isn't expected to set status codes or send responses. Instead, it communicates outcome by what it returns, and the framework translates that into the right HTTP response (and client-side behavior) for you. The four shapes: <ul> <li> <code>return</code> (undefined) — success. Loader re-runs, page re-renders with fresh data. </li> <li> <code>return redirect(path)</code> — success, navigate. The current page's loader doesn't re-run (you're leaving). With JS: SPA navigate. Without JS: 303 redirect. </li> <li> <code>return invalid({ field: message })</code> — business-logic error mapped to <code>form.errors().field</code>. Schema couldn't catch it (e.g., uniqueness constraints, server-side state). </li> <li> <code>return formError('message')</code> — error not tied to a field (session expired, rate limited). Shown via <code>form.formError()</code>. </li> <li> <code>throw err</code> — unrecoverable, routes to <code>_error.jsx</code>. </li> </ul> <h2>Progressive enhancement</h2> A <code><form></code> with a <code>method="POST"</code> and an <code>action</code> attribute is one of the few platform features that work whether JavaScript loaded or not — the browser submits natively, the server returns a response, the browser navigates to it. rogue's form helpers preserve that property. The framework chooses the JS vs no-JS path by inspecting the <code>Accept</code> header on the action POST. Either path runs the same server-side <code>run()</code>; only the response encoding differs. <div class="row"> <div class="card"> <h3>With JS</h3> <code>useForm()</code> intercepts submit, posts via <code>fetch()</code>, gets JSON, patches reactive state in place. No navigation, no scroll. Optimistic UI is a follow-up. </div> <div class="card"> <h3>Without JS</h3> Native form POST. Server runs the same action, re-renders the page with errors embedded in <code>__JSX_WC_DATA__.form</code>. User sees errors immediately; if JS loads later, useForm seamlessly picks up the embedded state. </div> </div> <h2>Types</h2> The <code>rogueRouter</code> plugin emits a typed <code>./<basename>.types</code> module alongside each page. Each export — <code>Params</code>, <code>LoaderArgs</code>, <code>ActionArgs<K></code> — is derived from the file path and the action's schema: <pre class="shiki" data-lang="jsx"><code>// src/pages/post/[id].tsx import type { LoaderArgs, ActionArgs } from './[id].types' export const loader = async ({ params }: LoaderArgs) => { // params.id autocompletes — typed from the file path's [id] bracket } export const actions = defineActions({ reply: { schema: { text: { required: true, maxLength: 5000 } }, async run({ data, params }: ActionArgs<'reply'>) { // data: { text: string } // params: { id: string } }, }, })</code></pre> Add this to <code>tsconfig.json</code> so the generated types resolve: <pre class="shiki" data-lang="jsx"><code>{ "compilerOptions": { "rootDirs": [".", "./.rogue/types"] } }</code></pre> The plugin auto-adds <code>.rogue/</code> to <code>.gitignore</code> on first run. The types regenerate on every page-file change. <h2>useForm() return value</h2> <pre class="shiki" data-lang="jsx"><code>interface FormApi<T> { props // spread on <form> field(name) // spread on <input>/<select>/<textarea> errors() // reactive: { fieldName: errorMessage } formError() // reactive: form-level error message or null submitting() // reactive: true while POST in flight values() // reactive: current field values touched() // reactive: which fields have been blurred validating() // reactive: per-field async validators in flight submit() // imperative submit (same path as form.props.onSubmit) reset() // back to initial values; clears errors + touched }</code></pre> <h2>Server wiring</h2> In dev mode, <code>rogueSsr()</code> (the Vite plugin) already handles action POSTs — you don't need to write any wiring code. For production deployment you call <code>handleAction()</code> yourself alongside <code>render()</code>. The decision is just "does the URL have a <code>?_action=…</code> query and a POST method? then it's an action": <pre class="shiki" data-lang="jsx"><code>import { render, handleAction } from '@jjordy/rogue/server' if (req.method === 'POST' && new URL(req.url, 'http://x').searchParams.has('_action')) { const out = await handleAction(req.url, vite, request) res.statusCode = out.status for (const [k, v] of Object.entries(out.headers ?? {})) res.setHeader(k, v) res.end(out.body ?? '') } else { const { html, status } = await render(req.url, vite, { request }) res.statusCode = status res.setHeader('Content-Type', 'text/html; charset=utf-8') res.end(html) }</code></pre> <a href="/rogue/api">→ Full API reference</a> </div></main> </div></div> <script>window.__JSX_WC_DATA__ = {"data":null,"params":{},"url":"/forms","form":null};</script> <script type="module" src="/rogue/src/main.js"></script> </body> </html>