Designing a theme system that stays safe

A theme decides how your site looks. In Ghostlite a theme is just a module — a bundle of components with a default export. That is powerful, and power applied to untrusted code is a problem waiting to happen.

The contract

Every theme receives a fixed, typed set of props and nothing else. It cannot read environment variables, it cannot reach the database, and it cannot call internal APIs.

  1. The platform loads the data and assembles a ThemeContext.

  2. The theme renders that context into HTML.

  3. The platform sends the result to the reader.

A theme is a pure function of its props. The moment it tries to be anything more, the type system stops it at the boundary.
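A sketch of this contract, as an added example rather than Ghostlite's own code: the shape of ThemeContext, the PostRow fields and the function names are assumptions. Because TypeScript types are erased at runtime, the sketch also copies only allowlisted fields into the context and freezes it before the theme runs.

```typescript
// Added example; every name here is hypothetical, not Ghostlite's API.

// The only data a theme ever sees: plain, read-only values.
interface ThemeContext {
  readonly site: { readonly title: string };
  readonly posts: ReadonlyArray<{ readonly title: string; readonly html: string }>;
}

// A theme module's default export: a pure function from context to HTML.
type Theme = (ctx: ThemeContext) => string;

// Internal record as the platform holds it (constructed shape). It carries
// fields that must never cross the boundary.
interface PostRow { title: string; html: string; authorEmail: string; draftToken: string }

// Types vanish at runtime, so the context is also frozen recursively.
function deepFreeze<T>(value: T): T {
  const v: unknown = value;
  if (typeof v === "object" && v !== null && !Object.isFrozen(v)) {
    Object.freeze(v);
    for (const k of Object.keys(v)) deepFreeze((v as Record<string, unknown>)[k]);
  }
  return value;
}

// Step 1: the platform assembles the context by explicit projection, so a
// field added to PostRow later does not leak into themes by default.
function assembleContext(siteTitle: string, rows: PostRow[]): ThemeContext {
  return deepFreeze({
    site: { title: siteTitle },
    posts: rows.map((r) => ({ title: r.title, html: r.html })),
  });
}

// Steps 2 and 3: the theme renders; the platform accepts only a string back.
function renderWithTheme(theme: Theme, ctx: ThemeContext): string {
  const html: unknown = theme(ctx);
  if (typeof html !== "string") throw new TypeError("theme must return an HTML string");
  return html;
}

// Sample theme. It escapes text fields; post.html is assumed to be rendered
// and sanitized by the platform before it reaches the context.
const esc = (s: string): string => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
const plainTheme: Theme = (ctx) =>
  `<h1>${esc(ctx.site.title)}</h1>` +
  ctx.posts.map((p) => `<article><h2>${esc(p.title)}</h2>${p.html}</article>`).join("");
```
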

Why isolation matters later

Today every theme ships inside the codebase and is fully trusted. But the contract is written for the day that stops being true — when themes are uploaded by users and pulled from storage at runtime.

Design the boundary before you need it. Retrofitting a sandbox is far harder than respecting one from the start.

The result is a system where a careless theme can produce an ugly page, but never an unsafe one.