feat: rework igo-signal into igo-component #46

Open
mickael-coquer-igocreate wants to merge 2 commits into v6 from feat/igo-component
@mickael-coquer-igocreate

Summary

  • Rename @igojs/signal package to @igojs/component to better reflect its purpose
  • Add ComponentLoader for automatic client-side component loading
  • Add ComponentController and ComponentHelper for server-side component rendering
  • Add ComponentSplitter in dust package for single-file component compilation
  • Update skeleton project and all references to use the new package name
  • Update documentation (README) for all packages
  • Fix bug in create.js (recursive replaceInDirectory missing replacements parameter)

Test plan

  • Run npm test to verify all existing tests pass
  • Verify ComponentHelperTest and ComponentSplitterTest pass
  • Test igo create scaffolding works correctly
  • Test SSR rendering with {@component} helper

🤖 Generated with Claude Code

mickael-coquer-igocreate changed the title from "Rename @igojs/signal to @igojs/component" to "feat: rework igo-signal into igo-component" on Mar 10, 2026
mickael-coquer-igocreate force-pushed the feat/igo-component branch 2 times, most recently from 4586b2f to bf02b28, on March 10, 2026 14:12
@mickael-coquer-igocreate
Author

Code review

Found 1 issue:

  1. Path traversal in templates endpoint -- The templates handler reads req.query.file directly without any validation, while the component endpoint right below it uses SAFE_NAME_RE and a .. check. A request like GET /__component/templates?file=../../../../etc/passwd would attempt to read an arbitrary .dust file on disk. The same SAFE_NAME_RE guard should be applied to templates.

const templates = async (req, res) => {
  const file = req.query.file;
  const source = await IgoDust.getSource(`${file}.dust`);
  res.json({ file, source });
};
// Validate component name to prevent path traversal
const SAFE_NAME_RE = /^[a-zA-Z0-9_/-]+$/;
// Serve component data (script + template source) for client hydration
const component = async (req, res) => {
  const name = req.query.name;
  if (!name || !SAFE_NAME_RE.test(name) || name.includes('..')) {
    return res.status(400).json({ error: 'Invalid component name' });
  }

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.
