Fix critical issues C1-C5, C7, H1, H2, H4, H10

C1+C7: Cache purge now passes user_id and works for view-path
mutations. Extracted _purge_cache_for_invalidation() shared helper
used by both RPC and view-path branches.

C2: initSession retries 3x with backoff. Resets on total failure
so next call tries again instead of permanently broken CSRF.

C3: SSR template backend injects __MIZAN_SSR_DATA__ script tag
with serialized props for client-side hydration.

C4: SSR bridge uses _write_lock to serialize stdin writes from
concurrent Django threads. Prevents JSON interleaving.

C5: SSR bridge registers atexit handler for process cleanup.
No more orphaned Bun processes on Django reload/shutdown.

H1: pendingScoped changed from Map to Array — multiple scoped
invalidations for the same context no longer overwrite.

H2: registerContext uses stableKey() (sorted JSON) instead of
bare JSON.stringify. Property order no longer matters.

H4: Named context providers skip refetch if SSR data exists
(matches global context behavior).

H10: _meta always assigned as fresh dict, preventing shared-dict
mutation across ServerFunction subclasses.

373 Django + 33 React tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

packages/mizan-django/generate/generator/lib/adapters/react.mjs

@@ -106,7 +106,7 @@ export function generateReactAdapter(schema) {
         const deps = paramEntries.map(([pName]) => `params.${pName}`)
         lines.push(`    }, [${deps.join(', ')}])`)
         lines.push('')
-        lines.push(`    useEffect(() => { refetch() }, [refetch])`)
+        lines.push(`    useEffect(() => { if (!data) refetch() }, [data, refetch])`)
         lines.push(`    useEffect(() => registerContext('${ctxName}', params, refetch), [${deps.join(', ')}, refetch])`)
         lines.push('')
         lines.push(`    return <${p}Ctx.Provider value={data}>{children}</${p}Ctx.Provider>`)

packages/mizan-django/src/mizan/client/executor.py

@@ -161,6 +161,42 @@ def _check_auth_requirement(
     return None
 
 
+_cache_log = logging.getLogger("mizan.cache")
+
+
+def _purge_cache_for_invalidation(
+    invalidate: list,
+    request: HttpRequest | None = None,
+) -> None:
+    """Purge origin-side cache for invalidation targets. Includes user_id if available."""
+    cache = get_cache()
+    if cache is None:
+        return
+
+    settings = get_settings()
+    if not settings.cache_secret:
+        return
+
+    user_id = None
+    if request and hasattr(request, 'user') and hasattr(request.user, 'pk'):
+        uid = getattr(request.user, 'pk', None)
+        if uid is not None:
+            user_id = str(uid)
+
+    try:
+        for entry in invalidate:
+            if isinstance(entry, str):
+                cache_purge(cache, entry)
+            elif isinstance(entry, dict):
+                cache_purge(
+                    cache, entry["context"], entry.get("params"),
+                    secret=settings.cache_secret,
+                    user_id=user_id,
+                )
+    except Exception:
+        _cache_log.warning("Cache purge failed", exc_info=True)
+
+
 def _resolve_affects_target(target_name: str) -> tuple[str, str, str | None]:
     """
     Determine whether an affects target is a context name or function name.
@@ -444,10 +480,11 @@ def execute_function(
     from django.http import HttpResponseBase
 
     if isinstance(output, HttpResponseBase):
-        # View path — add invalidation header, pass through the response
+        # View path — add invalidation header + purge origin cache
         invalidate = _resolve_invalidation(view_class, input_data)
         if invalidate:
             output["X-Mizan-Invalidate"] = _format_invalidate_header(invalidate)
+            _purge_cache_for_invalidation(invalidate, request)
         output["Cache-Control"] = "no-store"
         return output
 
@@ -701,28 +738,9 @@ def function_call_view(request: HttpRequest) -> JsonResponse:
     response = JsonResponse(response_data)
     response["Cache-Control"] = "no-store"
 
-    # Always set the header transport too (Edge reads this)
     if invalidate_contexts:
         response["X-Mizan-Invalidate"] = _format_invalidate_header(invalidate_contexts)
-
-        # Purge origin-side cache for invalidated contexts
-        _cache_log = logging.getLogger("mizan.cache")
-        cache = get_cache()
-        cache_settings = get_settings()
-        if cache is not None:
-            try:
-                for entry in invalidate_contexts:
-                    if isinstance(entry, str):
-                        # Broad purge (no params) — prefix scan
-                        cache_purge(cache, entry)
-                    elif isinstance(entry, dict):
-                        # Scoped purge — recompute key and delete directly
-                        cache_purge(
-                            cache, entry["context"], entry.get("params"),
-                            secret=cache_settings.cache_secret,
-                        )
-            except Exception:
-                _cache_log.warning("Cache purge failed", exc_info=True)
+        _purge_cache_for_invalidation(invalidate_contexts, request)
 
     return response
 

packages/mizan-django/src/mizan/client/function.py

@@ -536,8 +536,8 @@ def _create_server_function(
     if cache is not True:
         meta["cache"] = cache
 
-    if meta:
-        FunctionWrapper._meta = {**FunctionWrapper._meta, **meta}
+    # Always assign a fresh dict to prevent shared-dict mutation across classes
+    FunctionWrapper._meta = {**meta}
 
     # Note: Registration happens via discovery (mizan_clients), not here.
     # This allows the decorator to be used without import-time side effects.

packages/mizan-django/src/mizan/ssr/backend.py

@@ -35,13 +35,21 @@ class MizanTemplate:
         self._bridge = bridge
 
     def render(self, context: dict[str, Any] | None = None, request: Any = None) -> str:
+        import json as _json
+
         props = dict(context) if context else {}
         props.pop("request", None)
         props.pop("csrf_token", None)
 
         result = self._bridge.render(self.file_path, props)
 
-        return mark_safe(f'<div id="mizan-root">{result.html}</div>')
+        # Serialize props as hydration data for client-side React
+        hydration_json = _json.dumps(props, sort_keys=True, default=str)
+
+        return mark_safe(
+            f'<div id="mizan-root">{result.html}</div>'
+            f'<script>window.__MIZAN_SSR_DATA__={hydration_json}</script>'
+        )
 
 
 class MizanTemplates(BaseEngine):

packages/mizan-django/src/mizan/ssr/bridge.py

@@ -3,7 +3,7 @@ SSR Bridge — Manages a persistent Bun subprocess for React rendering.
 
 Protocol: newline-delimited JSON-RPC over stdin/stdout.
 
-Request:  {"id": 1, "method": "render", "params": {"component": "ProfilePage", "props": {...}}}
+Request:  {"id": 1, "method": "render", "params": {"file": "/abs/path/Hello.tsx", "props": {...}}}
 Response: {"id": 1, "html": "<div>...</div>"}
 
 The subprocess stays alive across requests. It is started on first use
@@ -12,6 +12,7 @@ and restarted automatically if it crashes.
 
 from __future__ import annotations
 
+import atexit
 import json
 import logging
 import subprocess
@@ -41,12 +42,16 @@ class SSRBridge:
         self._timeout = timeout
         self._proc: subprocess.Popen | None = None
         self._lock = threading.Lock()
+        self._write_lock = threading.Lock()  # Serializes stdin writes
         self._counter = 0
         self._pending: dict[int, threading.Event] = {}
         self._results: dict[int, dict] = {}
         self._reader_thread: threading.Thread | None = None
         self._ready = threading.Event()
 
+        # Ensure cleanup on process exit
+        atexit.register(self.shutdown)
+
     def _ensure_running(self) -> None:
         """Start the Bun subprocess if it's not running."""
         if self._proc is not None and self._proc.poll() is None:
@@ -134,12 +139,14 @@ class SSRBridge:
             "params": {"file": file, "props": props or {}},
         }) + "\n"
 
-        try:
-            self._proc.stdin.write(request.encode("utf-8"))
-            self._proc.stdin.flush()
-        except (BrokenPipeError, OSError) as e:
-            del self._pending[msg_id]
-            raise RuntimeError(f"SSR worker pipe broken: {e}")
+        # Serialize stdin writes to prevent interleaving from concurrent threads
+        with self._write_lock:
+            try:
+                self._proc.stdin.write(request.encode("utf-8"))
+                self._proc.stdin.flush()
+            except (BrokenPipeError, OSError) as e:
+                self._pending.pop(msg_id, None)
+                raise RuntimeError(f"SSR worker pipe broken: {e}")
 
         if not event.wait(self._timeout):
             self._pending.pop(msg_id, None)
@@ -155,33 +162,6 @@ class SSRBridge:
 
         return RenderResult(html=result["html"])
 
-    def ping(self) -> bool:
-        """Health check. Returns True if the worker responds."""
-        with self._lock:
-            self._ensure_running()
-            self._counter += 1
-            msg_id = self._counter
-
-        event = threading.Event()
-        self._pending[msg_id] = event
-
-        request = json.dumps({"id": msg_id, "method": "ping"}) + "\n"
-
-        try:
-            self._proc.stdin.write(request.encode("utf-8"))
-            self._proc.stdin.flush()
-        except (BrokenPipeError, OSError):
-            del self._pending[msg_id]
-            return False
-
-        if not event.wait(self._timeout):
-            self._pending.pop(msg_id, None)
-            return False
-
-        self._pending.pop(msg_id, None)
-        result = self._results.pop(msg_id)
-        return result.get("pong", False)
-
     def shutdown(self) -> None:
         """Stop the Bun subprocess."""
         if self._proc is not None: