@benqoder/beam 0.1.1 → 0.1.3

package/README.md

@@ -1310,6 +1310,135 @@ ctx.session.set('cart')  → adapter.set()
 
 ---
 
+## Security: WebSocket Authentication
+
+Beam uses **in-band authentication** to prevent Cross-Site WebSocket Hijacking (CSWSH) attacks. This is the pattern recommended by [capnweb](https://github.com/nickelsworth/capnweb).
+
+### The Problem
+
+WebSocket connections in browsers:
+- **Always permit cross-site connections** (no CORS for WebSocket)
+- **Automatically send cookies** with the upgrade request
+- **Cannot use custom headers** for authentication
+
+This means a malicious site could open a WebSocket to your server, and the browser would send your cookies, authenticating the attacker.
+
+### The Solution: In-Band Authentication
+
+Instead of relying on cookies, Beam requires clients to authenticate explicitly:
+
+1. **Server generates a short-lived token** (embedded in same-origin page)
+2. **WebSocket connects unauthenticated** (gets `PublicApi`)
+3. **Client calls `authenticate(token)`** to get the full API
+4. **Malicious sites can't get the token** (CORS blocks page requests)
+
+### Setup
+
+#### 1. Enable Sessions (Required)
+
+The auth token is tied to sessions:
+
+```typescript
+// vite.config.ts
+beamPlugin({
+  actions: '/app/actions/*.tsx',
+  modals: '/app/modals/*.tsx',
+  session: true, // Uses env.SESSION_SECRET
+})
+```
+
+#### 2. Use authMiddleware
+
+```typescript
+// app/server.ts
+import { createApp } from 'honox/server'
+import { beam } from 'virtual:beam'
+
+const app = createApp({
+  init(app) {
+    app.use('*', beam.authMiddleware()) // Generates token
+    beam.init(app)
+  }
+})
+
+export default app
+```
+
+#### 3. Inject Token in Layout
+
+```tsx
+// app/routes/_renderer.tsx
+import { jsxRenderer } from 'hono/jsx-renderer'
+
+export default jsxRenderer((c, { children }) => {
+  const token = c.get('beamAuthToken')
+
+  return (
+    <html>
+      <head>
+        <meta name="beam-token" content={token} />
+        <script type="module" src="/app/client.ts"></script>
+      </head>
+      <body>{children}</body>
+    </html>
+  )
+})
+```
+
+Or use the helper:
+
+```tsx
+import { beamTokenMeta } from '@benqoder/beam'
+import { Raw } from 'hono/html'
+
+<head>
+  <Raw html={beamTokenMeta(c.get('beamAuthToken'))} />
+</head>
+```
+
+#### 4. Set Environment Variable
+
+```bash
+# .dev.vars (local) or Cloudflare dashboard (production)
+SESSION_SECRET=your-secret-key-at-least-32-chars
+```
+
+### How It Works
+
+| Step | What Happens |
+|------|--------------|
+| 1. Page Load | Server generates 5-minute token, embeds in HTML |
+| 2. Client Connects | WebSocket opens, gets `PublicApi` (unauthenticated) |
+| 3. Client Authenticates | Calls `publicApi.authenticate(token)` |
+| 4. Server Validates | Verifies signature, expiration, session match |
+| 5. Server Returns | Full `BeamServer` API (authenticated) |
+
+### Security Properties
+
+| Attack | Result |
+|--------|--------|
+| Cross-site WebSocket | Can connect, but `authenticate()` fails (no token) |
+| Stolen token | Expires in 5 minutes, tied to session ID |
+| Replay attack | Token is single-use per session |
+| Token tampering | HMAC-SHA256 signature verification fails |
+
+### Token Details
+
+- **Algorithm**: HMAC-SHA256
+- **Lifetime**: 5 minutes (configurable)
+- **Payload**: `{ sid: sessionId, uid: userId, exp: timestamp }`
+- **Format**: `base64(payload).base64(signature)`
+
+### Generating Tokens Manually
+
+If you need to generate tokens outside the middleware:
+
+```typescript
+const token = await beam.generateAuthToken(ctx)
+```
+
+---
+
 ## Programmatic API
 
 Call actions directly from JavaScript using `window.beam`:

package/dist/client.d.ts

@@ -3,6 +3,8 @@ interface ActionResponse {
     html?: string;
     script?: string;
     redirect?: string;
+    target?: string;
+    swap?: string;
 }
 interface BeamServer {
     call(action: string, data?: Record<string, unknown>): Promise<ActionResponse>;

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AACA,OAAO,EAA0B,KAAK,OAAO,EAAE,MAAM,SAAS,CAAA;AAkB9D,UAAU,cAAc;IACtB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAGD,UAAU,UAAU;IAClB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,cAAc,CAAC,CAAA;IAC7E,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACvE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACzE,gBAAgB,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClF;AAGD,KAAK,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,CAAA;AAiuBzC,iBAAS,UAAU,IAAI,IAAI,CAU1B;AA2CD,iBAAS,WAAW,IAAI,IAAI,CAU3B;AAID,iBAAS,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,SAAS,GAAG,OAAmB,GAAG,IAAI,CAsB/E;AAwqBD,iBAAS,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAUzC;AAogBD,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAMD,iBAAS,gBAAgB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CA0B9D;AAGD,QAAA,MAAM,SAAS;;;;;;;sBAr7DO,OAAO,CAAC,cAAc,CAAC;CA67D5C,CAAA;AAGD,KAAK,YAAY,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,WAAW,KAAK,OAAO,CAAC,cAAc,CAAC,CAAA;AAE/G,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,IAAI,EAAE,OAAO,SAAS,GAAG;YACvB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAAA;SAC/B,CAAA;KACF;CACF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AACA,OAAO,EAA0B,KAAK,OAAO,EAAE,MAAM,SAAS,CAAA;AA8B9D,UAAU,cAAc;IACtB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAGD,UAAU,UAAU;IAClB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,cAAc,CAAC,CAAA;IAC7E,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACvE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACzE,gBAAgB,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClF;AAQD,KAAK,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,CAAA;AAivBzC,iBAAS,UAAU,IAAI,IAAI,CAU1B;AA2CD,iBAAS,WAAW,IAAI,IAAI,CAU3B;AAID,iBAAS,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,SAAS,GAAG,OAAmB,GAAG,IAAI,CAsB/E;AAwqBD,iBAAS,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAUzC;AAogBD,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAMD,iBAAS,gBAAgB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CA0B9D;AAGD,QAAA,MAAM,SAAS;;;;;;;sBAz7DO,OAAO,CAAC,cAAc,CAAC;CAi8D5C,CAAA;AAGD,KAAK,YAAY,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,WAAW,KAAK,OAAO,CAAC,cAAc,CAAC,CAAA;AAE/G,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,IAAI,EAAE,OAAO,SAAS,GAAG;YACvB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAAA;SAC/B,CAAA;KACF;CACF"}

package/dist/client.js

@@ -7,12 +7,23 @@ import { newWebSocketRpcSession } from 'capnweb';
 // - Bidirectional RPC (server can call client callbacks)
 // - Automatic reconnection
 // - Type-safe method calls
+//
+// SECURITY: Implements in-band authentication pattern
+// - WebSocket connections start unauthenticated (PublicApi)
+// - Client must call authenticate(token) to get AuthenticatedApi
+// - Token is obtained from same-origin page (prevents CSWSH attacks)
 // Get endpoint from meta tag or default to /beam
 // Usage: <meta name="beam-endpoint" content="/custom-endpoint">
 function getEndpoint() {
     const meta = document.querySelector('meta[name="beam-endpoint"]');
     return meta?.getAttribute('content') ?? '/beam';
 }
+// Get auth token from meta tag
+// Usage: <meta name="beam-token" content="...">
+function getAuthToken() {
+    const meta = document.querySelector('meta[name="beam-token"]');
+    return meta?.getAttribute('content') ?? '';
+}
 let isOnline = navigator.onLine;
 let rpcSession = null;
 let connectingPromise = null;
@@ -38,27 +49,36 @@ function connect() {
     if (rpcSession) {
         return Promise.resolve(rpcSession);
     }
-    connectingPromise = new Promise((resolve, reject) => {
+    connectingPromise = (async () => {
         try {
             const protocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
             const endpoint = getEndpoint();
             const url = `${protocol}//${location.host}${endpoint}`;
-            // Create capnweb RPC session with BeamServer type
-            const session = newWebSocketRpcSession(url);
+            // Get auth token from page (proves same-origin access)
+            const token = getAuthToken();
+            if (!token) {
+                throw new Error('No auth token found. Ensure <meta name="beam-token" content="..."> is set.');
+            }
+            // Create capnweb RPC session - starts with PublicBeamServer
+            const publicSession = newWebSocketRpcSession(url);
+            // Authenticate to get the full BeamServer API
+            // This is the capnweb in-band authentication pattern
+            // @ts-ignore - capnweb stub methods are dynamically typed
+            const authenticatedSession = await publicSession.authenticate(token);
             // Register client callback for bidirectional communication
             // @ts-ignore - capnweb stub methods are dynamically typed
-            session.registerCallback?.(handleServerEvent)?.catch?.(() => {
+            authenticatedSession.registerCallback?.(handleServerEvent)?.catch?.(() => {
                 // Server may not support callbacks, that's ok
             });
-            rpcSession = session;
+            rpcSession = authenticatedSession;
             connectingPromise = null;
-            resolve(session);
+            return authenticatedSession;
         }
         catch (err) {
             connectingPromise = null;
-            reject(err);
+            throw err;
         }
-    });
+    })();
     return connectingPromise;
 }
 async function ensureConnected() {
@@ -452,8 +472,8 @@ function parseOobSwaps(html) {
 }
 // ============ RPC WRAPPER ============
 async function rpc(action, data, el) {
-    const targetSelector = el.getAttribute('beam-target');
-    const swapMode = el.getAttribute('beam-swap') || 'morph';
+    const frontendTarget = el.getAttribute('beam-target');
+    const frontendSwap = el.getAttribute('beam-swap') || 'morph';
     const opt = optimistic(el);
     const placeholder = showPlaceholder(el);
     setLoading(el, true, action, data);
@@ -464,6 +484,9 @@ async function rpc(action, data, el) {
             location.href = response.redirect;
             return;
         }
+        // Server target/swap override frontend values
+        const targetSelector = response.target || frontendTarget;
+        const swapMode = response.swap || frontendSwap;
         // Handle HTML (if present)
         if (response.html && targetSelector) {
             const target = $(targetSelector);
@@ -1826,11 +1849,14 @@ window.beam = new Proxy(beamUtils, {
             const opts = typeof options === 'string'
                 ? { target: options }
                 : (options || {});
+            // Server target/swap override frontend options
+            const targetSelector = response.target || opts.target;
+            const swapMode = response.swap || opts.swap || 'morph';
             // Handle HTML swap if target provided
-            if (response.html && opts.target) {
-                const targetEl = document.querySelector(opts.target);
+            if (response.html && targetSelector) {
+                const targetEl = document.querySelector(targetSelector);
                 if (targetEl) {
-                    swap(targetEl, response.html, opts.swap || 'morph');
+                    swap(targetEl, response.html, swapMode);
                 }
             }
             // Execute script if present

package/dist/createBeam.d.ts

@@ -1,5 +1,5 @@
 import { RpcTarget } from 'capnweb';
-import type { ActionHandler, ActionResponse, ModalHandler, DrawerHandler, BeamConfig, BeamInstance, BeamContext, BeamSession } from './types';
+import type { ActionHandler, ActionResponse, ModalHandler, DrawerHandler, BeamConfig, BeamInstance, BeamContext, BeamSession, SessionConfig } from './types';
 /**
  * Session implementation using KV storage.
  * Exported for users who need custom storage adapter.
@@ -100,5 +100,52 @@ declare class BeamServer<TEnv extends object> extends RpcTarget {
  * ```
  */
 export declare function createBeam<TEnv extends object = object>(config: BeamConfig<TEnv>): BeamInstance<TEnv>;
-export { BeamServer };
+/**
+ * Public Beam RPC Server - initial unauthenticated API
+ *
+ * This follows the capnweb in-band authentication pattern:
+ * - WebSocket connections start with this unauthenticated API
+ * - Client calls authenticate(token) to get the authenticated BeamServer
+ * - This prevents Cross-Site WebSocket Hijacking (CSWSH) attacks
+ */
+declare class PublicBeamServer<TEnv extends object> extends RpcTarget {
+    private secret;
+    private sessionConfig;
+    private env;
+    private request;
+    private actions;
+    private modals;
+    private drawers;
+    private auth;
+    constructor(secret: string, sessionConfig: SessionConfig<TEnv> | undefined, env: TEnv, request: Request, actions: Record<string, ActionHandler<TEnv>>, modals: Record<string, ModalHandler<TEnv>>, drawers: Record<string, DrawerHandler<TEnv>>, auth: ((request: Request, env: TEnv) => Promise<import('./types').BeamUser | null>) | undefined);
+    /**
+     * Authenticate with a token and return the authenticated API
+     * This is the only method available on the public API
+     */
+    authenticate(token: string): Promise<BeamServer<TEnv>>;
+}
+/**
+ * Generate the auth token meta tag HTML for in-band WebSocket authentication.
+ * Call this in your layout/page to inject the token.
+ *
+ * @example
+ * ```tsx
+ * // app/routes/_renderer.tsx
+ * import { beamTokenMeta } from '@benqoder/beam'
+ *
+ * export default defineRenderer((c, { Layout, children }) => {
+ *   const token = c.get('beamAuthToken')
+ *   return (
+ *     <html>
+ *       <head>
+ *         <RawHTML>{beamTokenMeta(token)}</RawHTML>
+ *       </head>
+ *       <body>{children}</body>
+ *     </html>
+ *   )
+ * })
+ * ```
+ */
+export declare function beamTokenMeta(token: string): string;
+export { BeamServer, PublicBeamServer };
 //# sourceMappingURL=createBeam.d.ts.map

package/dist/createBeam.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createBeam.d.ts","sourceRoot":"","sources":["../src/createBeam.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAyB,MAAM,SAAS,CAAA;AAC1D,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,WAAW,EAEX,WAAW,EAIZ,MAAM,SAAS,CAAA;AAEhB;;;;;;;;;;GAUG;AACH,qBAAa,SAAU,YAAW,WAAW;IAC3C,OAAO,CAAC,SAAS,CAAQ;IACzB,OAAO,CAAC,EAAE,CAAa;gBAEX,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW;IAK9C,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAMhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC;AAED;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,WAAW;IAC/C,OAAO,CAAC,IAAI,CAAyB;IACrC,OAAO,CAAC,MAAM,CAAiB;gBAEnB,WAAW,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM;IAI/C,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAIhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKxC,8CAA8C;IAC9C,OAAO,IAAI,OAAO;IAIlB,uDAAuD;IACvD,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAGnC;AA4ED;;;;;;;;GAQG;AACH,cAAM,UAAU,CAAC,IAAI,SAAS,MAAM,CAAE,SAAQ,SAAS;IACrD,OAAO,CAAC,GAAG,CAAmB;IAC9B,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,MAAM,CAAoC;IAClD,OAAO,CAAC,OAAO,CAAqC;gBAGlD,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,EAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,EAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;IAS9C;;OAEG;IACG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAavF;;OAEG;IACG,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQjF;;OAEG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQnF;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,IAAI,GAAG,IAAI;IAKxE;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAM1D;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,UAAU,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM,EACrD,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,GACvB,YAAY,CAAC,IAAI,CAAC,CA8MpB;AAGD,OAAO,EAAE,UAAU,EAAE,CAAA"}
+{"version":3,"file":"createBeam.d.ts","sourceRoot":"","sources":["../src/createBeam.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAyB,MAAM,SAAS,CAAA;AAC1D,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EACd,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,WAAW,EAEX,WAAW,EACX,aAAa,EAId,MAAM,SAAS,CAAA;AAwDhB;;;;;;;;;;GAUG;AACH,qBAAa,SAAU,YAAW,WAAW;IAC3C,OAAO,CAAC,SAAS,CAAQ;IACzB,OAAO,CAAC,EAAE,CAAa;gBAEX,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW;IAK9C,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAMhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC;AAED;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,WAAW;IAC/C,OAAO,CAAC,IAAI,CAAyB;IACrC,OAAO,CAAC,MAAM,CAAiB;gBAEnB,WAAW,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM;IAI/C,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAIhD,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAKtD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKxC,8CAA8C;IAC9C,OAAO,IAAI,OAAO;IAIlB,uDAAuD;IACvD,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAGnC;AAsFD;;;;;;;;GAQG;AACH,cAAM,UAAU,CAAC,IAAI,SAAS,MAAM,CAAE,SAAQ,SAAS;IACrD,OAAO,CAAC,GAAG,CAAmB;IAC9B,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,MAAM,CAAoC;IAClD,OAAO,CAAC,OAAO,CAAqC;gBAGlD,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,EAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,EAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;IAS9C;;OAEG;IACG,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAavF;;OAEG;IACG,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQjF;;OAEG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQnF;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,KAAK,IAAI,GAAG,IAAI;IAKxE;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAM1D;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,UAAU,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM,EACrD,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,GACvB,YAAY,CAAC,IAAI,CAAC,CAsOpB;AAED;;;;;;;GAOG;AACH,cAAM,gBAAgB,CAAC,IAAI,SAAS,MAAM,CAAE,SAAQ,SAAS;IAC3D,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,aAAa,CAAiC;IACtD,OAAO,CAAC,GAAG,CAAM;IACjB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,MAAM,CAAoC;IAClD,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,IAAI,CAA2F;gBAGrG,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,aAAa,CAAC,IAAI,CAAC,GAAG,SAAS,EAC9C,GAAG,EAAE,IAAI,EACT,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,EAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,EAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,EAC5C,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,KAAK,OAAO,CAAC,OAAO,SAAS,EAAE,QAAQ,GAAG,IAAI,CAAC,CAAC,GAAG,SAAS;IAajG;;;OAGG;IACG,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;CA4C7D;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAInD;AAGD,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,CAAA"}

package/dist/createBeam.js

@@ -1,5 +1,43 @@
 import { getSignedCookie, setSignedCookie } from 'hono/cookie';
 import { RpcTarget, newWorkersRpcResponse } from 'capnweb';
+/** Default token lifetime: 5 minutes */
+const DEFAULT_TOKEN_LIFETIME = 5 * 60 * 1000;
+/**
+ * Sign an auth token payload using HMAC-SHA256
+ */
+async function signToken(payload, secret) {
+    const encoder = new TextEncoder();
+    const data = JSON.stringify(payload);
+    const key = await crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+    const sigBase64 = btoa(String.fromCharCode(...new Uint8Array(signature)));
+    return `${btoa(data)}.${sigBase64}`;
+}
+/**
+ * Verify and decode an auth token
+ */
+async function verifyToken(token, secret) {
+    try {
+        const [dataBase64, sigBase64] = token.split('.');
+        if (!dataBase64 || !sigBase64)
+            return null;
+        const data = atob(dataBase64);
+        const encoder = new TextEncoder();
+        const key = await crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
+        const signature = Uint8Array.from(atob(sigBase64), c => c.charCodeAt(0));
+        const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+        if (!valid)
+            return null;
+        const payload = JSON.parse(data);
+        // Check expiration
+        if (payload.exp < Date.now())
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
 /**
  * Session implementation using KV storage.
  * Exported for users who need custom storage adapter.
@@ -122,9 +160,19 @@ function createBeamContext(base) {
         script: (code) => ({ script: code }),
         render: (html, options) => {
             if (html instanceof Promise) {
-                return html.then((resolved) => ({ html: resolved, script: options?.script }));
+                return html.then((resolved) => ({
+                    html: resolved,
+                    script: options?.script,
+                    target: options?.target,
+                    swap: options?.swap,
+                }));
             }
-            return { html, script: options?.script };
+            return {
+                html,
+                script: options?.script,
+                target: options?.target,
+                swap: options?.swap,
+            };
         },
         redirect: (url) => ({ redirect: url }),
     };
@@ -323,8 +371,22 @@ export function createBeam(config) {
                     request: c.req.raw,
                     session,
                 });
+                // Generate auth token for in-band WebSocket authentication
+                const secret = sessionConfig?.secretEnvKey
+                    ? c.env[sessionConfig.secretEnvKey]
+                    : sessionConfig?.secret;
+                let authToken = '';
+                if (secret && sessionId) {
+                    const tokenPayload = {
+                        sid: sessionId,
+                        uid: user?.id ?? null,
+                        exp: Date.now() + DEFAULT_TOKEN_LIFETIME,
+                    };
+                    authToken = await signToken(tokenPayload, secret);
+                }
                 // Set in Hono context for use by routes
                 c.set('beam', ctx);
+                c.set('beamAuthToken', authToken);
                 await next();
                 // If using cookie session and data was modified, save it back to cookie
                 if (cookieSession && cookieSession.isDirty() && sessionConfig) {
@@ -341,10 +403,46 @@ export function createBeam(config) {
                 }
             };
         },
+        /**
+         * Generate a short-lived auth token for in-band WebSocket authentication.
+         * Use this when you need to generate a token outside of the authMiddleware.
+         *
+         * @example
+         * ```typescript
+         * const token = await beam.generateAuthToken(ctx)
+         * // Embed in page: <meta name="beam-token" content="${token}">
+         * ```
+         */
+        async generateAuthToken(ctx) {
+            if (!sessionConfig) {
+                throw new Error('Session config is required for auth token generation');
+            }
+            const secret = sessionConfig.secretEnvKey
+                ? ctx.env[sessionConfig.secretEnvKey]
+                : sessionConfig.secret;
+            if (!secret) {
+                throw new Error('Session secret is required for auth token generation');
+            }
+            // Get session ID from request cookies
+            const sessionId = parseSessionFromRequest(ctx.request, cookieName);
+            if (!sessionId) {
+                throw new Error('No session found - ensure authMiddleware is used');
+            }
+            const tokenPayload = {
+                sid: sessionId,
+                uid: ctx.user?.id ?? null,
+                exp: Date.now() + DEFAULT_TOKEN_LIFETIME,
+            };
+            return signToken(tokenPayload, secret);
+        },
         /**
          * Init function for HonoX createApp().
          * Registers the WebSocket RPC endpoint using capnweb.
          *
+         * SECURITY: Uses in-band authentication pattern to prevent CSWSH attacks.
+         * WebSocket connections start unauthenticated, client must call authenticate(token)
+         * with a valid token obtained from a same-origin page request.
+         *
          * @example
          * ```typescript
          * const app = createApp({
@@ -362,60 +460,121 @@ export function createBeam(config) {
                 if (upgradeHeader !== 'websocket') {
                     return c.text('Expected WebSocket', 426);
                 }
-                // Try to get context from middleware, otherwise resolve fresh
-                let ctx;
-                const existingCtx = c.var.beam;
-                if (existingCtx) {
-                    ctx = existingCtx;
+                // Get the session secret for token verification
+                const secret = sessionConfig?.secretEnvKey
+                    ? c.env[sessionConfig.secretEnvKey]
+                    : sessionConfig?.secret;
+                if (!secret) {
+                    return c.text('Session secret is required for secure WebSocket connections', 500);
                 }
-                else {
-                    // Resolve auth
-                    const user = auth ? await auth(c.req.raw, c.env) : null;
-                    // Resolve session for WebSocket (cookie storage is read-only in WebSocket context)
-                    let session;
-                    if (sessionConfig) {
-                        const sessionId = parseSessionFromRequest(c.req.raw, cookieName);
-                        if (sessionId) {
-                            // Use custom storage factory if provided
-                            if (sessionConfig.storageFactory) {
-                                session = sessionConfig.storageFactory(sessionId, c.env);
-                            }
-                            else {
-                                // Default: cookie-based session (read-only - can't set cookies in WebSocket)
-                                const existingData = parseSessionDataFromRequest(c.req.raw);
-                                session = new CookieSession(existingData);
-                            }
-                        }
-                        else {
-                            // No session cookie - provide noop (rare edge case)
-                            session = {
-                                get: async () => null,
-                                set: async () => { },
-                                delete: async () => { },
-                            };
-                        }
-                    }
-                    else {
-                        session = {
-                            get: async () => null,
-                            set: async () => { },
-                            delete: async () => { },
-                        };
-                    }
-                    ctx = createBeamContext({
-                        env: c.env,
-                        user,
-                        request: c.req.raw,
-                        session,
-                    });
-                }
-                // Create BeamServer instance with capnweb RpcTarget
-                const server = new BeamServer(ctx, actions, modals, drawers);
+                // Create PublicBeamServer - client must authenticate to get full API
+                const server = new PublicBeamServer(secret, sessionConfig, c.env, c.req.raw, actions, modals, drawers, auth);
                 // Use capnweb to handle the RPC connection
                 return newWorkersRpcResponse(c.req.raw, server);
             });
         },
     };
 }
+/**
+ * Public Beam RPC Server - initial unauthenticated API
+ *
+ * This follows the capnweb in-band authentication pattern:
+ * - WebSocket connections start with this unauthenticated API
+ * - Client calls authenticate(token) to get the authenticated BeamServer
+ * - This prevents Cross-Site WebSocket Hijacking (CSWSH) attacks
+ */
+class PublicBeamServer extends RpcTarget {
+    secret;
+    sessionConfig;
+    env;
+    request;
+    actions;
+    modals;
+    drawers;
+    auth;
+    constructor(secret, sessionConfig, env, request, actions, modals, drawers, auth) {
+        super();
+        this.secret = secret;
+        this.sessionConfig = sessionConfig;
+        this.env = env;
+        this.request = request;
+        this.actions = actions;
+        this.modals = modals;
+        this.drawers = drawers;
+        this.auth = auth;
+    }
+    /**
+     * Authenticate with a token and return the authenticated API
+     * This is the only method available on the public API
+     */
+    async authenticate(token) {
+        // Verify the token
+        const payload = await verifyToken(token, this.secret);
+        if (!payload) {
+            throw new Error('Invalid or expired auth token');
+        }
+        // Resolve auth (user info is embedded in token, but we re-resolve for fresh data)
+        const user = this.auth ? await this.auth(this.request, this.env) : null;
+        // Resolve session
+        let session;
+        if (this.sessionConfig) {
+            const cookieName = this.sessionConfig.cookieName ?? 'beam_sid';
+            const sessionId = parseSessionFromRequest(this.request, cookieName);
+            // Verify session ID matches token
+            if (sessionId !== payload.sid) {
+                throw new Error('Session mismatch');
+            }
+            if (sessionId && this.sessionConfig.storageFactory) {
+                session = this.sessionConfig.storageFactory(sessionId, this.env);
+            }
+            else if (sessionId) {
+                const existingData = parseSessionDataFromRequest(this.request);
+                session = new CookieSession(existingData);
+            }
+            else {
+                session = { get: async () => null, set: async () => { }, delete: async () => { } };
+            }
+        }
+        else {
+            session = { get: async () => null, set: async () => { }, delete: async () => { } };
+        }
+        // Create authenticated context
+        const ctx = createBeamContext({
+            env: this.env,
+            user,
+            request: this.request,
+            session,
+        });
+        // Return the authenticated BeamServer
+        return new BeamServer(ctx, this.actions, this.modals, this.drawers);
+    }
+}
+/**
+ * Generate the auth token meta tag HTML for in-band WebSocket authentication.
+ * Call this in your layout/page to inject the token.
+ *
+ * @example
+ * ```tsx
+ * // app/routes/_renderer.tsx
+ * import { beamTokenMeta } from '@benqoder/beam'
+ *
+ * export default defineRenderer((c, { Layout, children }) => {
+ *   const token = c.get('beamAuthToken')
+ *   return (
+ *     <html>
+ *       <head>
+ *         <RawHTML>{beamTokenMeta(token)}</RawHTML>
+ *       </head>
+ *       <body>{children}</body>
+ *     </html>
+ *   )
+ * })
+ * ```
+ */
+export function beamTokenMeta(token) {
+    // Escape any quotes in the token for safe HTML embedding
+    const escapedToken = token.replace(/"/g, '&quot;');
+    return `<meta name="beam-token" content="${escapedToken}">`;
+}
 // Export BeamServer for advanced usage (e.g., extending with custom methods)
-export { BeamServer };
+export { BeamServer, PublicBeamServer };

package/dist/index.d.ts

@@ -1,7 +1,7 @@
-export { createBeam, KVSession, CookieSession } from './createBeam';
+export { createBeam, KVSession, CookieSession, beamTokenMeta } from './createBeam';
 export { render } from './render';
 export { ModalFrame } from './ModalFrame';
 export { DrawerFrame } from './DrawerFrame';
 export { collectActions, collectModals, collectDrawers, collectHandlers, } from './collect';
-export type { ActionHandler, ModalHandler, DrawerHandler, BeamConfig, BeamInstance, BeamInitOptions, BeamUser, BeamContext, BeamVariables, AuthResolver, BeamSession, SessionConfig, SessionStorageFactory, } from './types';
+export type { ActionHandler, ModalHandler, DrawerHandler, BeamConfig, BeamInstance, BeamInitOptions, BeamUser, BeamContext, BeamVariables, AuthResolver, BeamSession, SessionConfig, SessionStorageFactory, AuthTokenPayload, } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AACnE,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAG3C,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,WAAW,CAAA;AAGlB,YAAY,EACV,aAAa,EACb,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,WAAW,EACX,aAAa,EACb,YAAY,EACZ,WAAW,EACX,aAAa,EACb,qBAAqB,GACtB,MAAM,SAAS,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAClF,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAA;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAG3C,OAAO,EACL,cAAc,EACd,aAAa,EACb,cAAc,EACd,eAAe,GAChB,MAAM,WAAW,CAAA;AAGlB,YAAY,EACV,aAAa,EACb,YAAY,EACZ,aAAa,EACb,UAAU,EACV,YAAY,EACZ,eAAe,EACf,QAAQ,EACR,WAAW,EACX,aAAa,EACb,YAAY,EACZ,WAAW,EACX,aAAa,EACb,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,SAAS,CAAA"}

package/dist/index.js

@@ -1,5 +1,5 @@
 // Main server-side exports for @benqoder/beam
-export { createBeam, KVSession, CookieSession } from './createBeam';
+export { createBeam, KVSession, CookieSession, beamTokenMeta } from './createBeam';
 export { render } from './render';
 export { ModalFrame } from './ModalFrame';
 export { DrawerFrame } from './DrawerFrame';

package/dist/types.d.ts

@@ -24,6 +24,10 @@ export interface BeamSession {
 export interface RenderOptions {
     /** JavaScript to execute on client after rendering */
     script?: string;
+    /** CSS selector for target element (overrides frontend target) */
+    target?: string;
+    /** Swap mode: 'morph' | 'replace' | 'append' | 'prepend' | 'delete' */
+    swap?: string;
 }
 /**
  * Context passed to all handlers
@@ -54,6 +58,25 @@ export interface BeamContext<TEnv = object> {
  * Auth resolver function - user provides this to extract user from request
  */
 export type AuthResolver<TEnv = object> = (request: Request, env: TEnv) => Promise<BeamUser | null>;
+/**
+ * Auth token payload - signed and short-lived
+ * Used for secure in-band WebSocket authentication
+ */
+export interface AuthTokenPayload {
+    /** Session ID */
+    sid: string;
+    /** User ID (null for guest) */
+    uid: string | null;
+    /** Expiration timestamp (ms) */
+    exp: number;
+}
+/**
+ * Auth token configuration
+ */
+export interface AuthTokenConfig {
+    /** Token lifetime in milliseconds (default: 5 minutes) */
+    tokenLifetime?: number;
+}
 /**
  * Response type for actions - can include HTML and/or script to execute
  */
@@ -64,6 +87,10 @@ export interface ActionResponse {
     script?: string;
     /** URL to redirect to (optional) */
     redirect?: string;
+    /** CSS selector for target element (optional - overrides frontend target) */
+    target?: string;
+    /** Swap mode: 'morph' | 'replace' | 'append' | 'prepend' | 'delete' (optional) */
+    swap?: string;
 }
 /**
  * Type for action handlers - receives context and data, returns ActionResponse
@@ -128,6 +155,8 @@ export interface BeamInitOptions {
  */
 export interface BeamVariables<TEnv = object> {
     beam: BeamContext<TEnv>;
+    /** Short-lived auth token for in-band WebSocket authentication */
+    beamAuthToken: string;
 }
 /**
  * The Beam instance returned by createBeam
@@ -147,5 +176,12 @@ export interface BeamInstance<TEnv extends object = object> {
         Bindings: TEnv;
         Variables: BeamVariables<TEnv>;
     }>;
+    /**
+     * Generate a short-lived auth token for in-band WebSocket authentication.
+     * This token should be embedded in the page and used by the client to authenticate.
+     * @param ctx - The Beam context (from authMiddleware)
+     * @returns A signed, short-lived token string
+     */
+    generateAuthToken: (ctx: BeamContext<TEnv>) => Promise<string>;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAEnD;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,6BAA6B;IAC7B,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IAChD,2BAA2B;IAC3B,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtD,gCAAgC;IAChC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW,CAAC,IAAI,GAAG,MAAM;IACxC,GAAG,EAAE,IAAI,CAAA;IACT,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE,WAAW,CAAA;IAEpB;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,CAAA;IAEpC;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,CAAA;IAEzG;;;;OAIG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAAA;CACtC;AAED;;GAEG;AACH,MAAM,MAAM,YAAY,CAAC,IAAI,GAAG,MAAM,IAAI,CACxC,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,IAAI,KACN,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;AAE7B;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,CAAC,IAAI,GAAG,MAAM,IAAI,CACzC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC1B,OAAO,CAAC,cAAc,CAAC,GAAG,cAAc,CAAA;AAE7C;;GAEG;AACH,MAAM,MAAM,YAAY,CAAC,IAAI,GAAG,MAAM,IAAI,CACxC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpB;;GAEG;AACH,MAAM,MAAM,aAAa,CAAC,IAAI,GAAG,MAAM,IAAI,CACzC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpB;;;;;;;;;;GAUG;AACH,MAAM,MAAM,qBAAqB,CAAC,IAAI,GAAG,MAAM,IAAI,CACjD,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,IAAI,KACN,WAAW,CAAA;AAEhB;;GAEG;AACH,MAAM,WAAW,aAAa,CAAC,IAAI,GAAG,MAAM;IAC1C,wFAAwF;IACxF,MAAM,EAAE,MAAM,CAAA;IACd,wEAAwE;IACxE,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kDAAkD;IAClD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,uDAAuD;IACvD,cAAc,CAAC,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAA;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,UAAU,CAAC,IAAI,GAAG,MAAM;IACvC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC7C,IAAI,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,CAAA;IACzB,iGAAiG;IACjG,OAAO,CAAC,EAAE,aAAa,CAAC,IAAI,CAAC,CAAA;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa,CAAC,IAAI,GAAG,MAAM;IAC1C,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,CAAA;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM;IACxD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC5C,kCAAkC;IAClC,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,SAAS,CAAA;IACpC,mFAAmF;IACnF,IAAI,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC;QAAE,QAAQ,EAAE,IAAI,CAAA;KAAE,CAAC,EAAE,OAAO,CAAC,EAAE,eAAe,KAAK,IAAI,CAAA;IACxE,kFAAkF;IAClF,cAAc,EAAE,MAAM,iBAAiB,CAAC;QAAE,QAAQ,EAAE,IAAI,CAAC;QAAC,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,CAAA;KAAE,CAAC,CAAA;CAC5F"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAEnD;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,6BAA6B;IAC7B,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IAChD,2BAA2B;IAC3B,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtD,gCAAgC;IAChC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,uEAAuE;IACvE,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED;;GAEG;AACH,MAAM,WAAW,WAAW,CAAC,IAAI,GAAG,MAAM;IACxC,GAAG,EAAE,IAAI,CAAA;IACT,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAA;IACrB,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE,WAAW,CAAA;IAEpB;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,CAAA;IAEpC;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC,CAAA;IAEzG;;;;OAIG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAAA;CACtC;AAED;;GAEG;AACH,MAAM,MAAM,YAAY,CAAC,IAAI,GAAG,MAAM,IAAI,CACxC,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,IAAI,KACN,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;AAE7B;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,+BAA+B;IAC/B,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;IAClB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAA;CACZ;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0DAA0D;IAC1D,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,6EAA6E;IAC7E,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kFAAkF;IAClF,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAED;;GAEG;AACH,MAAM,MAAM,aAAa,CAAC,IAAI,GAAG,MAAM,IAAI,CACzC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC1B,OAAO,CAAC,cAAc,CAAC,GAAG,cAAc,CAAA;AAE7C;;GAEG;AACH,MAAM,MAAM,YAAY,CAAC,IAAI,GAAG,MAAM,IAAI,CACxC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpB;;GAEG;AACH,MAAM,MAAM,aAAa,CAAC,IAAI,GAAG,MAAM,IAAI,CACzC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B,OAAO,CAAC,MAAM,CAAC,CAAA;AAEpB;;;;;;;;;;GAUG;AACH,MAAM,MAAM,qBAAqB,CAAC,IAAI,GAAG,MAAM,IAAI,CACjD,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,IAAI,KACN,WAAW,CAAA;AAEhB;;GAEG;AACH,MAAM,WAAW,aAAa,CAAC,IAAI,GAAG,MAAM;IAC1C,wFAAwF;IACxF,MAAM,EAAE,MAAM,CAAA;IACd,wEAAwE;IACxE,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kDAAkD;IAClD,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,uDAAuD;IACvD,cAAc,CAAC,EAAE,qBAAqB,CAAC,IAAI,CAAC,CAAA;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,UAAU,CAAC,IAAI,GAAG,MAAM;IACvC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC7C,IAAI,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,CAAA;IACzB,iGAAiG;IACjG,OAAO,CAAC,EAAE,aAAa,CAAC,IAAI,CAAC,CAAA;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa,CAAC,IAAI,GAAG,MAAM;IAC1C,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,CAAA;IACvB,kEAAkE;IAClE,aAAa,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY,CAAC,IAAI,SAAS,MAAM,GAAG,MAAM;IACxD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC5C,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC,CAAA;IAC5C,kCAAkC;IAClC,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,SAAS,CAAA;IACpC,mFAAmF;IACnF,IAAI,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC;QAAE,QAAQ,EAAE,IAAI,CAAA;KAAE,CAAC,EAAE,OAAO,CAAC,EAAE,eAAe,KAAK,IAAI,CAAA;IACxE,kFAAkF;IAClF,cAAc,EAAE,MAAM,iBAAiB,CAAC;QAAE,QAAQ,EAAE,IAAI,CAAC;QAAC,SAAS,EAAE,aAAa,CAAC,IAAI,CAAC,CAAA;KAAE,CAAC,CAAA;IAC3F;;;;;OAKG;IACH,iBAAiB,EAAE,CAAC,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CAC/D"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@benqoder/beam",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "type": "module",
   "publishConfig": {
     "registry": "https://registry.npmjs.org",
@@ -42,7 +42,7 @@
     "capnweb": "^0.4.0",
     "hono": "^4.0.0",
     "honox": "^0.1.0",
-    "idiomorph": "^0.3.0",
+    "idiomorph": "^0.7.0",
     "vite": "^5.0.0 || ^6.0.0"
   },
   "peerDependenciesMeta": {
@@ -51,11 +51,11 @@
     }
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20241127.0",
+    "@cloudflare/workers-types": "^4.20260124.0",
     "capnweb": "^0.4.0",
     "hono": "^4.6.0",
     "honox": "^0.1.0",
-    "idiomorph": "^0.3.0",
+    "idiomorph": "^0.7.4",
     "typescript": "^5.0.0",
     "vite": "^6.0.0"
   }