feat: add config option to prevent import into client code

[Dudek-AMS]

Closes #12477

Added serverProtectedPaths serverOnlyPaths to add additional rules to prevent import into client code

---

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

• Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 82f1df2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Dudek-AMS]

Ive dropped the changeset so far to be added by maintainers.

[Dudek-AMS]

After reconsidering the naming, I would suggest naming the attribute serverOnlyPaths

[dominikg]

loading the config again could be a breaking change in case a config contains one time setup code that is then executed twice.

[Dudek-AMS]

Yeah mentioned it above, didnt saw another way to get the config on this part of code

[dominikg]

that would have to be found then. using top-level-await here is also not great.

[dominikg]

early return should only happen on true, otherwise a return false could give access to an id that would be denied by a later check

[Dudek-AMS]

that would be a design decision. If I want to make a exception and allow a file import, no matter what other rules say, the early return is needed. but depends on execution order then. If a rule dont care, it returns undefined/nothing

[dominikg]

this would allow for conflicting rules and a "first one wins" scenario, more complex, even harder to understand and not currently documented in the jsdoc in this PR.

[Dudek-AMS]

if really reducing to only one rule and not allowing exceptions i'd drop anything but regex, should be flexible enough IMO

[dominikg]

3 different ways to define user-supplied rules seems a bit much, esp. if there is ()=>boolean already, users can just use regex or string compare themselves. But before continuing on this PR please see my comment in #12477

[Dudek-AMS]

3 different ways to define user-supplied rules seems a bit much, esp. if there is ()=>boolean already, users can just use regex or string compare themselves. But before continuing on this PR please see my comment in #12477

the idea was to make the function method for more complicated rules, while string is prefered. ofc function only does work out