@coderbuzz/ken 0.1.0

package/dist/index.js

@@ -0,0 +1,2728 @@
+import {
+  getPathname
+} from "./chunk-2BOPD5H7.js";
+import {
+  Router,
+  WsReadyState,
+  WsTopicHub,
+  defaultErrorHandler
+} from "./chunk-DPU3PBLP.js";
+
+// src/core/app.ts
+var App = class _App extends Router {
+  // Middleware patterns
+  middleware = [];
+  /** App-level error handler */
+  _onError;
+  /** Not-found handler for this app */
+  _notFoundHandler;
+  /** Accumulated not-found entries from child apps (via .use() and .define()) */
+  _notFoundEntries = [];
+  /** WebSocket route registrations */
+  wsRoutes = [];
+  /**
+   * Set app-level error handler.
+   * Called when route handlers or middleware throw errors.
+   * Route-level onError (in schema) takes priority over app-level.
+   *
+   * @param handler - Error handler function
+   *
+   * @example
+   * ```ts
+   * app.onError((error, ctx) => {
+   *   console.error(ctx.method, ctx.url, error);
+   *   return Response.json(
+   *     { status: 500, message: error instanceof Error ? error.message : 'Internal Server Error' },
+   *     { status: 500 }
+   *   );
+   * });
+   * ```
+   */
+  onError(handler) {
+    this._onError = handler;
+  }
+  /**
+   * Set custom 404 Not Found handler.
+   * Called when no route matches the request.
+   * Supports nested configuration via .use() prefix scoping.
+   *
+   * @param handler - Handler function that receives Context
+   *
+   * @example
+   * ```ts
+   * // App-level
+   * app.notFound((ctx) => {
+   *   return Response.json({ error: 'Not Found', path: ctx.url }, { status: 404 });
+   * });
+   *
+   * // Sub-app with prefix scoping
+   * const api = new App();
+   * api.notFound((ctx) => Response.json({ error: 'API Not Found' }, { status: 404 }));
+   * app.use('/api', api);
+   *
+   * // Define scope with middleware state
+   * app.define({ auth: (ctx) => verifyAuth(ctx) }, (app) => {
+   *   app.notFound((ctx) => Response.json({ error: 'Protected', user: ctx.state.auth }, { status: 404 }));
+   * });
+   * ```
+   */
+  notFound(handler) {
+    this._notFoundHandler = handler;
+  }
+  apply(pattern = "/*", stateOrHandler) {
+    if (typeof stateOrHandler === "function") {
+      const randomKey = `_mw_${Math.random().toString(36).substring(2, 11)}`;
+      this.middleware.push({ pattern, state: { [randomKey]: stateOrHandler } });
+    } else {
+      this.middleware.push({ pattern, state: stateOrHandler });
+    }
+  }
+  /**
+   * Define middleware with lexical scoping and automatic type inference.
+   * Routes registered in the callback inherit middleware state types.
+   * 
+   * @param state - State middleware object
+   * @param callback - Callback that receives scoped app with accumulated state types
+   */
+  define(state, callback) {
+    const childApp = new _App();
+    childApp.middleware = [...this.middleware];
+    childApp.apply("/*", state);
+    callback(childApp);
+    for (const route of childApp.routes) {
+      const matchedMiddleware = childApp.matchMiddleware(route.path);
+      const mergedSchema = childApp.mergeSchemas(matchedMiddleware, route.schema);
+      this.routes.push({
+        ...route,
+        schema: mergedSchema
+      });
+    }
+    if (childApp._notFoundHandler) {
+      const nfMiddleware = childApp.matchMiddleware("/*");
+      const nfSchema = childApp.mergeSchemas(nfMiddleware, void 0);
+      this._notFoundEntries.push({
+        prefix: "",
+        handler: childApp._notFoundHandler,
+        schema: nfSchema
+      });
+    }
+    for (const entry of childApp._notFoundEntries) {
+      this._notFoundEntries.push(entry);
+    }
+  }
+  /**
+   * Match middleware patterns against route path.
+   */
+  matchMiddleware(path) {
+    const matched = [];
+    for (const { pattern, state } of this.middleware) {
+      if (this.matchPattern(pattern, path)) {
+        matched.push(state);
+      }
+    }
+    return matched;
+  }
+  /**
+   * Simple wildcard pattern matching.
+   */
+  matchPattern(pattern, path) {
+    if (pattern === "/*") return true;
+    if (pattern.endsWith("/*")) {
+      const prefix = pattern.slice(0, -2);
+      return path === prefix || path.startsWith(prefix + "/");
+    }
+    return pattern === path;
+  }
+  /**
+   * Merge multiple middleware states with route schema.
+   */
+  mergeSchemas(middlewareStates, routeSchema) {
+    if (middlewareStates.length === 0 && !routeSchema?.state) {
+      if (this._onError && (!routeSchema || !routeSchema.onError)) {
+        return { ...routeSchema, onError: this._onError };
+      }
+      return routeSchema;
+    }
+    const mergedState = {};
+    for (const mwState of middlewareStates) {
+      Object.assign(mergedState, mwState);
+    }
+    if (routeSchema?.state) {
+      Object.assign(mergedState, routeSchema.state);
+    }
+    const result = {
+      ...routeSchema,
+      state: mergedState
+    };
+    if (this._onError && !result.onError) {
+      result.onError = this._onError;
+    }
+    return result;
+  }
+  /**
+   * Store raw route registration
+   */
+  storeRoute(method, path, schema, handler, staticValue) {
+    this.routes.push({
+      method,
+      path,
+      schema,
+      handler,
+      staticValue
+    });
+  }
+  /**
+   * Internal route registration logic
+   */
+  register(method, path, arg2, arg3) {
+    if (typeof arg2 === "function") {
+      this.storeRoute(method, path, void 0, arg2, void 0);
+      return;
+    }
+    if (arg2 !== null && typeof arg2 === "object" && arg3 !== void 0) {
+      if (typeof arg3 === "function") {
+        this.storeRoute(method, path, arg2, arg3, void 0);
+      } else {
+        this.storeRoute(method, path, arg2, void 0, arg3);
+      }
+      return;
+    }
+    this.storeRoute(method, path, void 0, void 0, arg2);
+  }
+  get(arg1, arg2, arg3) {
+    this.register("GET", arg1, arg2, arg3);
+  }
+  post(arg1, arg2, arg3) {
+    this.register("POST", arg1, arg2, arg3);
+  }
+  put(arg1, arg2, arg3) {
+    this.register("PUT", arg1, arg2, arg3);
+  }
+  patch(arg1, arg2, arg3) {
+    this.register("PATCH", arg1, arg2, arg3);
+  }
+  delete(arg1, arg2, arg3) {
+    this.register("DELETE", arg1, arg2, arg3);
+  }
+  head(arg1, arg2, arg3) {
+    this.register("HEAD", arg1, arg2, arg3);
+  }
+  options(arg1, arg2, arg3) {
+    this.register("OPTIONS", arg1, arg2, arg3);
+  }
+  use(arg1, arg2) {
+    const prefix = typeof arg1 === "string" ? arg1 : "";
+    const other = typeof arg1 === "string" ? arg2 : arg1;
+    for (const mw of other.middleware) {
+      const combinedPattern = this.combinePath(prefix, mw.pattern);
+      this.middleware.push({
+        pattern: combinedPattern,
+        state: mw.state
+      });
+    }
+    for (const route of other.routes) {
+      const combinedPath = this.combinePath(prefix, route.path);
+      let schema = route.schema;
+      if (other._onError && (!schema || !schema.onError)) {
+        schema = { ...schema, onError: other._onError };
+      }
+      this.routes.push({
+        ...route,
+        path: combinedPath,
+        schema
+      });
+    }
+    if (other._notFoundHandler) {
+      const schema = other._onError ? { onError: other._onError } : void 0;
+      this._notFoundEntries.push({
+        prefix: prefix || "",
+        handler: other._notFoundHandler,
+        schema
+      });
+    }
+    for (const entry of other._notFoundEntries) {
+      let schema = entry.schema;
+      if (other._onError && (!schema || !schema.onError)) {
+        schema = { ...schema, onError: other._onError };
+      }
+      this._notFoundEntries.push({
+        prefix: this.combinePath(prefix, entry.prefix),
+        handler: entry.handler,
+        schema
+      });
+    }
+    for (const wsRoute of other.wsRoutes) {
+      this.wsRoutes.push({
+        ...wsRoute,
+        path: this.combinePath(prefix, wsRoute.path)
+      });
+    }
+  }
+  /**
+   * Register a WebSocket handler at the given path.
+   * 
+   * The generic type parameter `T` defines per-connection data,
+   * which is set in the `upgrade` handler and accessible via `peer.data`.
+   * 
+   * @template T - Per-connection data type
+   * @param path - URL path to handle WebSocket upgrades
+   * @param handler - WebSocket event handlers
+   * 
+   * @example
+   * ```ts
+   * // Simple echo server
+   * app.ws('/ws', {
+   *   message(peer, message) {
+   *     peer.send(message);
+   *   },
+   * });
+   * 
+   * // Chat with authentication and pub/sub
+   * app.ws<{ userId: string }>('/chat', {
+   *   upgrade(req) {
+   *     const token = req.headers.get('authorization');
+   *     return { userId: verifyToken(token) };
+   *   },
+   *   open(peer) {
+   *     peer.subscribe('chat');
+   *     peer.publish('chat', `${peer.data.userId} joined`);
+   *   },
+   *   message(peer, message) {
+   *     peer.publish('chat', `${peer.data.userId}: ${message}`);
+   *   },
+   *   close(peer) {
+   *     peer.publish('chat', `${peer.data.userId} left`);
+   *   },
+   * });
+   * 
+   * // With options
+   * app.ws('/live', {
+   *   message(peer, message) { peer.send(message); },
+   * }, {
+   *   pingInterval: 15,
+   *   maxPayloadLength: 1024 * 1024,
+   * });
+   * ```
+   */
+  ws(path, handler, options) {
+    this.wsRoutes.push({ path, handler, options });
+  }
+  /**
+   * Print all registered routes to the console with colored formatting.
+   *
+   * Each HTTP method is color-coded:
+   * - GET (green), POST (blue), PUT (yellow), PATCH (cyan)
+   * - DELETE (red), HEAD (magenta), OPTIONS (white)
+   *
+   * @example
+   * ```ts
+   * app.get('/', 'Hello!');
+   * app.post('/users', handler);
+   * app.get('/users/:id', handler);
+   * app.ws('/chat', wsHandler);
+   * app.printRoutes();
+   * // ┌──────────┬────────────────────┐
+   * // │  Method  │ Path               │
+   * // ├──────────┼────────────────────┤
+   * // │  GET     │ /                  │
+   * // │  POST    │ /users             │
+   * // │  GET     │ /users/:id         │
+   * // │  WS      │ /chat              │
+   * // └──────────┴────────────────────┘
+   * ```
+   */
+  printRoutes() {
+    const routes = this.getRoutes();
+    const hasHttp = routes.length > 0;
+    const hasWs = this.wsRoutes.length > 0;
+    if (!hasHttp && !hasWs) {
+      console.log("No routes registered.");
+      return;
+    }
+    const reset = "\x1B[0m";
+    const bold = "\x1B[1m";
+    const dim = "\x1B[2m";
+    const methodColors = {
+      GET: "\x1B[32m",
+      // green
+      POST: "\x1B[34m",
+      // blue
+      PUT: "\x1B[33m",
+      // yellow
+      PATCH: "\x1B[36m",
+      // cyan
+      DELETE: "\x1B[31m",
+      // red
+      HEAD: "\x1B[35m",
+      // magenta
+      OPTIONS: "\x1B[37m",
+      // white
+      WS: "\x1B[35m"
+      // magenta
+    };
+    const allRows = [
+      ...routes.map((r) => ({ method: r.method, path: r.path })),
+      ...this.wsRoutes.map((r) => ({ method: "WS", path: r.path }))
+    ];
+    const methodInnerWidth = Math.max(
+      "Method".length,
+      allRows.reduce((max, row) => Math.max(max, row.method.length), 0)
+    );
+    const pathInnerWidth = Math.max(
+      "Path".length,
+      allRows.reduce((max, row) => Math.max(max, row.path.length), 0)
+    );
+    const methodCellWidth = methodInnerWidth + 2;
+    const pathCellWidth = pathInnerWidth + 2;
+    const top = `${dim}\u250C${"\u2500".repeat(methodCellWidth)}\u252C${"\u2500".repeat(pathCellWidth)}\u2510${reset}`;
+    const headerSep = `${dim}\u251C${"\u2500".repeat(methodCellWidth)}\u253C${"\u2500".repeat(pathCellWidth)}\u2524${reset}`;
+    const bottom = `${dim}\u2514${"\u2500".repeat(methodCellWidth)}\u2534${"\u2500".repeat(pathCellWidth)}\u2518${reset}`;
+    const header = `${dim}\u2502${reset} ${bold}${"Method".padEnd(methodInnerWidth)}${reset} ${dim}\u2502${reset} ${bold}${"Path".padEnd(pathInnerWidth)}${reset} ${dim}\u2502${reset}`;
+    const lines = [top, header, headerSep];
+    for (const row of allRows) {
+      const color = methodColors[row.method] || "";
+      const method = `${color}${bold}${row.method}${reset}`;
+      const methodPad = " ".repeat(methodInnerWidth - row.method.length);
+      const pathPad = " ".repeat(pathInnerWidth - row.path.length);
+      lines.push(
+        `${dim}\u2502${reset} ${method}${methodPad} ${dim}\u2502${reset} ${row.path}${pathPad} ${dim}\u2502${reset}`
+      );
+    }
+    lines.push(bottom);
+    console.log(lines.join("\n"));
+  }
+  /**
+   * Combine prefix with path
+   */
+  combinePath(prefix, path) {
+    if (!prefix) return path;
+    if (!path || path === "/") return prefix;
+    let combined = prefix.endsWith("/") ? prefix : prefix + "/";
+    combined += path.startsWith("/") ? path.substring(1) : path;
+    if (!combined.startsWith("/")) combined = "/" + combined;
+    return combined;
+  }
+};
+
+// src/runtime/index.ts
+var isDeno = typeof Deno !== "undefined" && typeof Deno.version !== "undefined";
+var isBun = typeof Bun !== "undefined" && typeof Bun.version !== "undefined";
+var isNode = !isBun && typeof globalThis.process !== "undefined" && globalThis.process.versions != null && globalThis.process.versions.node != null;
+async function resolveNodeRuntime() {
+  const flag = globalThis.process?.env?.UWS;
+  console.log("UWS flag:", flag);
+  if (flag === "1" || flag === "true") {
+    try {
+      await import("uWebSockets.js");
+      return (await import("./uws-VNY2LPIZ.js")).server;
+    } catch {
+      throw new Error(
+        "UWS is enabled but uWebSockets.js is not installed. Install with: npm install uWebSockets.js"
+      );
+    }
+  }
+  return (await import("./node-JLUTIPEN.js")).server;
+}
+async function server(options) {
+  if (isDeno) {
+    const { server: server2 } = await import("./deno-LZU5JBGL.js");
+    return server2(options);
+  }
+  if (isBun) {
+    const { server: server2 } = await import("./bun-GUK26ACN.js");
+    return server2(options);
+  }
+  if (isNode) {
+    const factory = await resolveNodeRuntime();
+    return factory(options);
+  }
+  throw new Error(
+    "Unsupported runtime. Ken supports Bun, Deno, and Node.js (with optional uWebSockets.js)."
+  );
+}
+
+// src/core/server.ts
+var AppServer = class extends App {
+  /** Configured hostname */
+  hostname;
+  /** Configured port */
+  port;
+  _server;
+  constructor(init = {}) {
+    super();
+    this.hostname = init.hostname ?? "0.0.0.0";
+    this.port = init.port ?? 3e3;
+  }
+  /**
+   * Start the server with automatic runtime detection.
+   * Returns the resolved hostname and port.
+   * 
+   * @example
+   * ```ts
+   * const app = new AppServer({ port: 3000 });
+   * app.get('/', 'Hello!');
+   * const { hostname, port } = await app.run();
+   * console.log(`Listening on ${hostname}:${port}`);
+   * ```
+   */
+  async run() {
+    await this.stop();
+    this._server = await server({
+      port: this.port,
+      hostname: this.hostname,
+      router: this
+    });
+    return this._server.run();
+  }
+  /**
+   * Stop the server gracefully.
+   */
+  async stop() {
+    if (this._server) {
+      await this._server.stop();
+      this._server = void 0;
+    }
+  }
+};
+
+// src/utils/encoding.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var B64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+var B64_LOOKUP = new Uint8Array(128);
+for (let i = 0; i < B64_CHARS.length; i++) B64_LOOKUP[B64_CHARS.charCodeAt(i)] = i;
+function toBase64(bytes) {
+  const len = bytes.length;
+  const pad = len % 3;
+  const mainLen = len - pad;
+  let result = "";
+  for (let i = 0; i < mainLen; i += 3) {
+    const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
+    result += B64_CHARS[b0 >> 2] + B64_CHARS[(b0 & 3) << 4 | b1 >> 4] + B64_CHARS[(b1 & 15) << 2 | b2 >> 6] + B64_CHARS[b2 & 63];
+  }
+  if (pad === 1) {
+    const b0 = bytes[mainLen];
+    result += B64_CHARS[b0 >> 2] + B64_CHARS[(b0 & 3) << 4] + "==";
+  } else if (pad === 2) {
+    const b0 = bytes[mainLen], b1 = bytes[mainLen + 1];
+    result += B64_CHARS[b0 >> 2] + B64_CHARS[(b0 & 3) << 4 | b1 >> 4] + B64_CHARS[(b1 & 15) << 2] + "=";
+  }
+  return result;
+}
+function fromBase64(str) {
+  let len = str.length;
+  let pad = 0;
+  if (str.charCodeAt(len - 1) === 61) pad++;
+  if (str.charCodeAt(len - 2) === 61) pad++;
+  const byteLen = (len * 3 >> 2) - pad;
+  const out = new Uint8Array(byteLen);
+  let j = 0;
+  for (let i = 0; i < len; i += 4) {
+    const a = B64_LOOKUP[str.charCodeAt(i)];
+    const b = B64_LOOKUP[str.charCodeAt(i + 1)];
+    const c = B64_LOOKUP[str.charCodeAt(i + 2)];
+    const d = B64_LOOKUP[str.charCodeAt(i + 3)];
+    out[j++] = a << 2 | b >> 4;
+    if (j < byteLen) out[j++] = (b & 15) << 4 | c >> 2;
+    if (j < byteLen) out[j++] = (c & 3) << 6 | d;
+  }
+  return out;
+}
+var B64URL_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+var B64URL_LOOKUP = new Uint8Array(128);
+for (let i = 0; i < B64URL_CHARS.length; i++) B64URL_LOOKUP[B64URL_CHARS.charCodeAt(i)] = i;
+function encodeBase64Url(bytes) {
+  const len = bytes.length;
+  const rem = len % 3;
+  const mainLen = len - rem;
+  let result = "";
+  for (let i = 0; i < mainLen; i += 3) {
+    const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
+    result += B64URL_CHARS[b0 >> 2] + B64URL_CHARS[(b0 & 3) << 4 | b1 >> 4] + B64URL_CHARS[(b1 & 15) << 2 | b2 >> 6] + B64URL_CHARS[b2 & 63];
+  }
+  if (rem === 1) {
+    const b0 = bytes[mainLen];
+    result += B64URL_CHARS[b0 >> 2] + B64URL_CHARS[(b0 & 3) << 4];
+  } else if (rem === 2) {
+    const b0 = bytes[mainLen], b1 = bytes[mainLen + 1];
+    result += B64URL_CHARS[b0 >> 2] + B64URL_CHARS[(b0 & 3) << 4 | b1 >> 4] + B64URL_CHARS[(b1 & 15) << 2];
+  }
+  return result;
+}
+function decodeBase64Url(str) {
+  const len = str.length;
+  const rem = len & 3;
+  const fullGroups = len - rem >> 2;
+  const byteLen = fullGroups * 3 + (rem === 2 ? 1 : rem === 3 ? 2 : 0);
+  const out = new Uint8Array(byteLen);
+  const mainLen = fullGroups << 2;
+  let j = 0;
+  for (let i = 0; i < mainLen; i += 4) {
+    const a = B64URL_LOOKUP[str.charCodeAt(i)];
+    const b = B64URL_LOOKUP[str.charCodeAt(i + 1)];
+    const c = B64URL_LOOKUP[str.charCodeAt(i + 2)];
+    const d = B64URL_LOOKUP[str.charCodeAt(i + 3)];
+    out[j++] = a << 2 | b >> 4;
+    out[j++] = (b & 15) << 4 | c >> 2;
+    out[j++] = (c & 3) << 6 | d;
+  }
+  if (rem === 2) {
+    const a = B64URL_LOOKUP[str.charCodeAt(mainLen)];
+    const b = B64URL_LOOKUP[str.charCodeAt(mainLen + 1)];
+    out[j] = a << 2 | b >> 4;
+  } else if (rem === 3) {
+    const a = B64URL_LOOKUP[str.charCodeAt(mainLen)];
+    const b = B64URL_LOOKUP[str.charCodeAt(mainLen + 1)];
+    const c = B64URL_LOOKUP[str.charCodeAt(mainLen + 2)];
+    out[j++] = a << 2 | b >> 4;
+    out[j] = (b & 15) << 4 | c >> 2;
+  }
+  return out;
+}
+
+// src/utils/encryption.ts
+var AES_GCM = { name: "AES-GCM", length: 256 };
+var KEY_CACHE_MAX = 64;
+var keyCache = /* @__PURE__ */ new Map();
+async function deriveCryptoKey(password) {
+  const cached = keyCache.get(password);
+  if (cached !== void 0) return cached;
+  const keyData = await crypto.subtle.digest("SHA-256", encoder.encode(password));
+  const key = await crypto.subtle.importKey("raw", keyData, AES_GCM, false, ["encrypt", "decrypt"]);
+  if (keyCache.size >= KEY_CACHE_MAX) {
+    const oldest = keyCache.keys().next().value;
+    keyCache.delete(oldest);
+  }
+  keyCache.set(password, key);
+  return key;
+}
+function generateSecretKey() {
+  return toBase64(crypto.getRandomValues(new Uint8Array(32)));
+}
+async function encryptString(value, password) {
+  const key = await deriveCryptoKey(password);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    encoder.encode(value)
+  );
+  const ctBytes = new Uint8Array(ciphertext);
+  const combined = new Uint8Array(12 + ctBytes.byteLength);
+  combined.set(iv, 0);
+  combined.set(ctBytes, 12);
+  return toBase64(combined);
+}
+async function decryptString(encrypted, password) {
+  const key = await deriveCryptoKey(password);
+  const combined = fromBase64(encrypted);
+  const iv = combined.subarray(0, 12);
+  const ciphertext = combined.subarray(12);
+  const decrypted = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv },
+    key,
+    ciphertext
+  );
+  return decoder.decode(decrypted);
+}
+
+// src/utils/memoize.ts
+function memoize(fn, options) {
+  if (fn.constructor.name === "AsyncFunction") {
+    return createAsyncMemoized(fn, options);
+  }
+  return createSyncMemoized(fn, options);
+}
+function createSyncMemoized(fn, options) {
+  const maxSize = options?.maxSize ?? 256;
+  const ttl = options?.ttl ?? 0;
+  const keyFn = options?.key;
+  const cache2 = /* @__PURE__ */ new Map();
+  const memoized = (...args) => {
+    const k = keyFn ? keyFn(...args) : args[0];
+    const entry = cache2.get(k);
+    if (entry !== void 0) {
+      if (entry.expiry !== 0 && Date.now() > entry.expiry) {
+        cache2.delete(k);
+      } else {
+        return entry.value;
+      }
+    }
+    const result = fn(...args);
+    if (cache2.size >= maxSize) {
+      const oldest = cache2.keys().next().value;
+      cache2.delete(oldest);
+    }
+    cache2.set(k, {
+      value: result,
+      expiry: ttl > 0 ? Date.now() + ttl : 0
+    });
+    return result;
+  };
+  memoized.cache = cache2;
+  memoized.clear = () => cache2.clear();
+  return memoized;
+}
+function createAsyncMemoized(fn, options) {
+  const maxSize = options?.maxSize ?? 256;
+  const ttl = options?.ttl ?? 0;
+  const keyFn = options?.key;
+  const cache2 = /* @__PURE__ */ new Map();
+  const inflight = /* @__PURE__ */ new Map();
+  const memoized = (...args) => {
+    const k = keyFn ? keyFn(...args) : args[0];
+    const entry = cache2.get(k);
+    if (entry !== void 0) {
+      if (entry.expiry !== 0 && Date.now() > entry.expiry) {
+        cache2.delete(k);
+      } else {
+        return Promise.resolve(entry.value);
+      }
+    }
+    const pending = inflight.get(k);
+    if (pending !== void 0) return pending;
+    const promise = fn(...args).then((result) => {
+      inflight.delete(k);
+      if (cache2.size >= maxSize) {
+        const oldest = cache2.keys().next().value;
+        cache2.delete(oldest);
+      }
+      cache2.set(k, {
+        value: result,
+        expiry: ttl > 0 ? Date.now() + ttl : 0
+      });
+      return result;
+    }, (err) => {
+      inflight.delete(k);
+      throw err;
+    });
+    inflight.set(k, promise);
+    return promise;
+  };
+  memoized.cache = cache2;
+  memoized.inflight = inflight;
+  memoized.clear = () => {
+    cache2.clear();
+    inflight.clear();
+  };
+  return memoized;
+}
+
+// src/utils/compress.ts
+async function readAllBytes(readable) {
+  const reader = readable.getReader();
+  const chunks = [];
+  let totalLen = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    chunks.push(value);
+    totalLen += value.byteLength;
+  }
+  if (chunks.length === 1) return chunks[0];
+  const result = new Uint8Array(totalLen);
+  let offset = 0;
+  for (let i = 0; i < chunks.length; i++) {
+    result.set(chunks[i], offset);
+    offset += chunks[i].byteLength;
+  }
+  return result;
+}
+async function compressString(input, options) {
+  const encoding = options?.encoding ?? "brotli";
+  const cs = options?.level !== void 0 ? new CompressionStream(encoding, { level: options.level }) : new CompressionStream(encoding);
+  const writer = cs.writable.getWriter();
+  writer.write(encoder.encode(input)).catch(() => {
+  });
+  writer.close().catch(() => {
+  });
+  return encodeBase64Url(await readAllBytes(cs.readable));
+}
+async function decompressString(compressed, options) {
+  const encoding = options?.encoding ?? "brotli";
+  const ds = new DecompressionStream(encoding);
+  const writer = ds.writable.getWriter();
+  writer.write(decodeBase64Url(compressed)).catch(() => {
+  });
+  writer.close().catch(() => {
+  });
+  return decoder.decode(await readAllBytes(ds.readable));
+}
+
+// src/utils/file.ts
+import { stat, readdir, writeFile, mkdir } from "fs/promises";
+import { createReadStream } from "fs";
+import { join, extname, dirname } from "path";
+var _isBun = typeof globalThis.Bun !== "undefined" && typeof globalThis.Bun.version !== "undefined";
+var MIME_TYPES = Object.freeze({
+  // Text
+  ".html": "text/html; charset=utf-8",
+  ".htm": "text/html; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".js": "text/javascript; charset=utf-8",
+  ".mjs": "text/javascript; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".xml": "application/xml; charset=utf-8",
+  ".txt": "text/plain; charset=utf-8",
+  ".csv": "text/csv; charset=utf-8",
+  ".md": "text/markdown; charset=utf-8",
+  ".yaml": "text/yaml; charset=utf-8",
+  ".yml": "text/yaml; charset=utf-8",
+  ".svg": "image/svg+xml",
+  ".ts": "text/typescript; charset=utf-8",
+  ".tsx": "text/tsx; charset=utf-8",
+  ".jsx": "text/jsx; charset=utf-8",
+  // Images
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".ico": "image/x-icon",
+  ".avif": "image/avif",
+  ".bmp": "image/bmp",
+  ".tiff": "image/tiff",
+  ".tif": "image/tiff",
+  // Fonts
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf",
+  ".otf": "font/otf",
+  ".eot": "application/vnd.ms-fontobject",
+  // Audio / Video
+  ".mp3": "audio/mpeg",
+  ".mp4": "video/mp4",
+  ".webm": "video/webm",
+  ".ogg": "audio/ogg",
+  ".ogv": "video/ogg",
+  ".wav": "audio/wav",
+  ".flac": "audio/flac",
+  ".aac": "audio/aac",
+  ".m4a": "audio/mp4",
+  ".m4v": "video/mp4",
+  ".avi": "video/x-msvideo",
+  ".mov": "video/quicktime",
+  ".mkv": "video/x-matroska",
+  // Archives
+  ".zip": "application/zip",
+  ".gz": "application/gzip",
+  ".tar": "application/x-tar",
+  ".bz2": "application/x-bzip2",
+  ".7z": "application/x-7z-compressed",
+  ".rar": "application/vnd.rar",
+  // Documents
+  ".pdf": "application/pdf",
+  ".doc": "application/msword",
+  ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  ".xls": "application/vnd.ms-excel",
+  ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  ".ppt": "application/vnd.ms-powerpoint",
+  ".pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  // Other
+  ".wasm": "application/wasm",
+  ".map": "application/json",
+  ".bin": "application/octet-stream"
+});
+function getMimeType(filePath) {
+  return MIME_TYPES[extname(filePath).toLowerCase()] || "application/octet-stream";
+}
+function getHeader(headers, key) {
+  if (!headers) return null;
+  if (typeof headers.get === "function") return headers.get(key);
+  return headers[key] ?? null;
+}
+function parseRange(header, size) {
+  if (header.charCodeAt(0) !== 98 || !header.startsWith("bytes=")) return null;
+  const range = header.slice(6);
+  const comma = range.indexOf(",");
+  const single = comma === -1 ? range : range.slice(0, comma);
+  const dash = single.indexOf("-");
+  if (dash === -1) return null;
+  const startStr = single.slice(0, dash).trim();
+  const endStr = single.slice(dash + 1).trim();
+  let start;
+  let end;
+  if (startStr === "") {
+    const suffix = parseInt(endStr, 10);
+    if (isNaN(suffix) || suffix <= 0) return null;
+    start = Math.max(0, size - suffix);
+    end = size - 1;
+  } else {
+    start = parseInt(startStr, 10);
+    if (isNaN(start) || start < 0) return null;
+    end = endStr === "" ? size - 1 : parseInt(endStr, 10);
+    if (isNaN(end)) return null;
+  }
+  if (start > end || start >= size) return null;
+  end = Math.min(end, size - 1);
+  return { start, end };
+}
+function nodeStreamToWeb(nodeStream) {
+  return new ReadableStream({
+    start(controller) {
+      nodeStream.on("data", (chunk) => {
+        controller.enqueue(chunk);
+        if (controller.desiredSize !== null && controller.desiredSize <= 0) {
+          nodeStream.pause();
+        }
+      });
+      nodeStream.on("end", () => controller.close());
+      nodeStream.on("error", (err) => controller.error(err));
+    },
+    pull() {
+      nodeStream.resume();
+    },
+    cancel() {
+      nodeStream.destroy?.();
+    }
+  });
+}
+function generateEtag(size, mtimeMs) {
+  return `W/"${size.toString(16)}-${Math.floor(mtimeMs).toString(16)}"`;
+}
+async function sendFile(filePath, options) {
+  let fileStats;
+  try {
+    fileStats = await stat(filePath);
+  } catch (err) {
+    if (err.code === "ENOENT" || err.code === "ENOTDIR") {
+      return new Response("Not Found", { status: 404 });
+    }
+    throw err;
+  }
+  if (!fileStats.isFile()) {
+    return new Response("Not Found", { status: 404 });
+  }
+  const size = fileStats.size;
+  const mtimeMs = fileStats.mtimeMs;
+  const etag2 = generateEtag(size, mtimeMs);
+  const lastModified = new Date(mtimeMs).toUTCString();
+  const contentType = options?.contentType || getMimeType(filePath);
+  const reqHeaders = options?.reqHeaders;
+  const conditionalHeaders = {
+    etag: etag2,
+    "last-modified": lastModified
+  };
+  if (options?.cacheControl) conditionalHeaders["cache-control"] = options.cacheControl;
+  const ifNoneMatch = getHeader(reqHeaders, "if-none-match");
+  if (ifNoneMatch) {
+    if (ifNoneMatch === etag2 || ifNoneMatch === "*") {
+      return new Response(null, { status: 304, headers: conditionalHeaders });
+    }
+    if (ifNoneMatch.indexOf(",") !== -1) {
+      const tags = ifNoneMatch.split(",");
+      for (let i = 0; i < tags.length; i++) {
+        if (tags[i].trim() === etag2) {
+          return new Response(null, { status: 304, headers: conditionalHeaders });
+        }
+      }
+    }
+  }
+  if (!ifNoneMatch) {
+    const ifModifiedSince = getHeader(reqHeaders, "if-modified-since");
+    if (ifModifiedSince) {
+      const clientTime = Date.parse(ifModifiedSince);
+      if (!isNaN(clientTime) && Math.floor(mtimeMs / 1e3) <= Math.floor(clientTime / 1e3)) {
+        return new Response(null, { status: 304, headers: conditionalHeaders });
+      }
+    }
+  }
+  const headers = {
+    "content-type": contentType,
+    etag: etag2,
+    "last-modified": lastModified,
+    "accept-ranges": "bytes"
+  };
+  if (options?.cacheControl) headers["cache-control"] = options.cacheControl;
+  if (options?.download) {
+    const filename = typeof options.download === "string" ? options.download : filePath.slice(Math.max(filePath.lastIndexOf("/"), filePath.lastIndexOf("\\")) + 1);
+    headers["content-disposition"] = `attachment; filename="${filename}"`;
+  }
+  if (options?.headers) {
+    for (const key in options.headers) {
+      headers[key] = options.headers[key];
+    }
+  }
+  const rangeHeader = getHeader(reqHeaders, "range");
+  if (rangeHeader) {
+    const range = parseRange(rangeHeader, size);
+    if (range) {
+      const { start, end } = range;
+      headers["content-range"] = `bytes ${start}-${end}/${size}`;
+      headers["content-length"] = String(end - start + 1);
+      let body2;
+      if (_isBun) {
+        body2 = globalThis.Bun.file(filePath).slice(start, end + 1);
+      } else {
+        body2 = nodeStreamToWeb(createReadStream(filePath, { start, end }));
+      }
+      return new Response(body2, { status: 206, headers });
+    }
+    return new Response(null, {
+      status: 416,
+      headers: { "content-range": `bytes */${size}` }
+    });
+  }
+  headers["content-length"] = String(size);
+  let body;
+  if (_isBun) {
+    body = globalThis.Bun.file(filePath);
+  } else {
+    body = nodeStreamToWeb(createReadStream(filePath));
+  }
+  return new Response(body, { status: options?.status || 200, headers });
+}
+async function listDirectory(dirPath, options) {
+  const includeStats = options?.stats !== false;
+  const recursive = options?.recursive === true;
+  const maxDepth = options?.maxDepth ?? 10;
+  const filter = options?.filter;
+  const entries = [];
+  const stack = [
+    { dir: dirPath, relativePath: "", depth: 0 }
+  ];
+  while (stack.length > 0) {
+    const { dir, relativePath, depth } = stack.pop();
+    let dirents;
+    try {
+      dirents = await readdir(dir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    if (includeStats) {
+      const statResults = await Promise.all(
+        dirents.map(async (dirent) => {
+          try {
+            return await stat(join(dir, dirent.name));
+          } catch {
+            return null;
+          }
+        })
+      );
+      for (let i = 0; i < dirents.length; i++) {
+        const dirent = dirents[i];
+        const s = statResults[i];
+        const name = dirent.name;
+        const entryPath = relativePath ? `${relativePath}/${name}` : name;
+        const isDir = dirent.isDirectory();
+        const entry = {
+          name,
+          path: entryPath,
+          isDirectory: isDir,
+          size: isDir ? 0 : s?.size ?? 0,
+          modifiedAt: s ? s.mtime : /* @__PURE__ */ new Date(0)
+        };
+        if (!filter || filter(entry)) entries.push(entry);
+        if (isDir && recursive && depth < maxDepth) {
+          stack.push({ dir: join(dir, name), relativePath: entryPath, depth: depth + 1 });
+        }
+      }
+    } else {
+      for (const dirent of dirents) {
+        const name = dirent.name;
+        const entryPath = relativePath ? `${relativePath}/${name}` : name;
+        const isDir = dirent.isDirectory();
+        const entry = {
+          name,
+          path: entryPath,
+          isDirectory: isDir,
+          size: 0,
+          modifiedAt: /* @__PURE__ */ new Date(0)
+        };
+        if (!filter || filter(entry)) entries.push(entry);
+        if (isDir && recursive && depth < maxDepth) {
+          stack.push({ dir: join(dir, name), relativePath: entryPath, depth: depth + 1 });
+        }
+      }
+    }
+  }
+  return entries;
+}
+async function receiveFiles(formData, options) {
+  const maxSize = options?.maxFileSize ?? Infinity;
+  const maxCount = options?.maxFiles ?? Infinity;
+  const allowedTypes = options?.allowedTypes;
+  const fields = options?.fields;
+  const files = [];
+  for (const [key, value] of formData.entries()) {
+    if (typeof value === "string") continue;
+    const file = value;
+    if (fields && !fields.includes(key)) continue;
+    if (files.length >= maxCount) break;
+    if (file.size > maxSize) {
+      throw new Error(`File "${file.name}" exceeds maximum size of ${maxSize} bytes`);
+    }
+    if (allowedTypes && !allowedTypes.includes(file.type)) {
+      throw new Error(
+        `File type "${file.type}" is not allowed. Allowed: ${allowedTypes.join(", ")}`
+      );
+    }
+    files.push({
+      fieldName: key,
+      fileName: file.name,
+      type: file.type,
+      size: file.size,
+      data: await file.arrayBuffer()
+    });
+  }
+  return files;
+}
+async function saveFile(filePath, data) {
+  let bytes;
+  if (data instanceof Blob) {
+    bytes = new Uint8Array(await data.arrayBuffer());
+  } else if (data instanceof ArrayBuffer) {
+    bytes = new Uint8Array(data);
+  } else {
+    bytes = data;
+  }
+  try {
+    await writeFile(filePath, bytes);
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      await mkdir(dirname(filePath), { recursive: true });
+      await writeFile(filePath, bytes);
+    } else {
+      throw err;
+    }
+  }
+}
+
+// src/middleware/basic-auth.ts
+function basicAuth(options) {
+  const realm = options.realm ?? "Secure Area";
+  const wwwAuth = `Basic realm="${realm}"`;
+  const unauthorizedResponse = () => new Response("Unauthorized", {
+    status: 401,
+    headers: { "WWW-Authenticate": wwwAuth }
+  });
+  if (options.verifyUser) {
+    const verify = options.verifyUser;
+    return async (ctx) => {
+      const authorization = ctx.headers["authorization"];
+      if (!authorization || !authorization.startsWith("Basic ")) {
+        return unauthorizedResponse();
+      }
+      const decoded = atob(authorization.slice(6));
+      const colonIndex = decoded.indexOf(":");
+      if (colonIndex === -1) return unauthorizedResponse();
+      const username = decoded.substring(0, colonIndex);
+      const password = decoded.substring(colonIndex + 1);
+      const valid = await verify(username, password, ctx);
+      if (!valid) return unauthorizedResponse();
+      return { username };
+    };
+  }
+  const expectedUser = options.username;
+  const expectedPass = options.password;
+  return (ctx) => {
+    const authorization = ctx.headers["authorization"];
+    if (!authorization || !authorization.startsWith("Basic ")) {
+      return unauthorizedResponse();
+    }
+    const decoded = atob(authorization.slice(6));
+    const colonIndex = decoded.indexOf(":");
+    if (colonIndex === -1) return unauthorizedResponse();
+    const username = decoded.substring(0, colonIndex);
+    const password = decoded.substring(colonIndex + 1);
+    if (username !== expectedUser || password !== expectedPass) {
+      return unauthorizedResponse();
+    }
+    return { username };
+  };
+}
+
+// src/middleware/bearer-auth.ts
+function bearerAuth(options) {
+  const realm = options.realm ?? "";
+  const prefix = options.prefix ?? "Bearer";
+  const headerName = (options.headerName ?? "authorization").toLowerCase();
+  const prefixWithSpace = prefix + " ";
+  const unauthorizedResponse = (message = "Unauthorized") => new Response(message, {
+    status: 401,
+    headers: {
+      "WWW-Authenticate": `${prefix} realm="${realm}"${realm ? "" : ', error="invalid_token"'}`
+    }
+  });
+  if (options.verifyToken) {
+    const verify = options.verifyToken;
+    return async (ctx) => {
+      const authHeader = ctx.headers[headerName];
+      if (!authHeader || !authHeader.startsWith(prefixWithSpace)) {
+        return unauthorizedResponse("No authentication token provided");
+      }
+      const token = authHeader.slice(prefixWithSpace.length).trim();
+      if (!token) return unauthorizedResponse("No authentication token provided");
+      const valid = await verify(token, ctx);
+      if (!valid) return unauthorizedResponse("Invalid token");
+      return { token };
+    };
+  }
+  const validTokens = Array.isArray(options.token) ? new Set(options.token) : new Set(options.token ? [options.token] : []);
+  return (ctx) => {
+    const authHeader = ctx.headers[headerName];
+    if (!authHeader || !authHeader.startsWith(prefixWithSpace)) {
+      return unauthorizedResponse("No authentication token provided");
+    }
+    const token = authHeader.slice(prefixWithSpace.length).trim();
+    if (!token) return unauthorizedResponse("No authentication token provided");
+    if (!validTokens.has(token)) {
+      return unauthorizedResponse("Invalid token");
+    }
+    return { token };
+  };
+}
+
+// src/middleware/body-limit.ts
+function bodyLimit(options) {
+  const maxSize = options.maxSize;
+  const onError = options.onError;
+  return (ctx) => {
+    const contentLength = ctx.headers["content-length"];
+    if (contentLength) {
+      const size = parseInt(contentLength, 10);
+      if (!isNaN(size) && size > maxSize) {
+        if (onError) {
+          return onError(ctx);
+        }
+        return new Response(`Payload Too Large. Max size: ${maxSize} bytes`, {
+          status: 413
+        });
+      }
+    }
+  };
+}
+
+// src/middleware/cache.ts
+function cache(options = {}) {
+  const directives = [];
+  if (options.public) directives.push("public");
+  if (options.private) directives.push("private");
+  if (options.noCache) directives.push("no-cache");
+  if (options.noStore) directives.push("no-store");
+  if (options.mustRevalidate) directives.push("must-revalidate");
+  if (options.proxyRevalidate) directives.push("proxy-revalidate");
+  if (options.immutable) directives.push("immutable");
+  if (options.noTransform) directives.push("no-transform");
+  if (options.maxAge !== void 0) directives.push(`max-age=${options.maxAge}`);
+  if (options.sMaxAge !== void 0) directives.push(`s-maxage=${options.sMaxAge}`);
+  if (options.staleWhileRevalidate !== void 0) directives.push(`stale-while-revalidate=${options.staleWhileRevalidate}`);
+  if (options.staleIfError !== void 0) directives.push(`stale-if-error=${options.staleIfError}`);
+  const cacheControl = directives.length > 0 ? directives.join(", ") : "no-cache";
+  const vary = options.vary;
+  return (ctx) => {
+    ctx.onFinish((resp) => {
+      if (resp instanceof Response) {
+        resp.headers.set("Cache-Control", cacheControl);
+        if (vary) {
+          resp.headers.set("Vary", vary);
+        }
+      }
+    });
+  };
+}
+
+// src/middleware/compress.ts
+function compress(options = {}) {
+  const preferred = options.preferred ?? ["br", "gzip", "deflate"];
+  return (ctx) => {
+    const acceptEncoding = ctx.headers["accept-encoding"] ?? "";
+    let encoding = null;
+    for (let i = 0; i < preferred.length; i++) {
+      if (acceptEncoding.indexOf(preferred[i]) !== -1) {
+        encoding = preferred[i];
+        break;
+      }
+    }
+    ctx.onFinish((resp) => {
+      if (resp instanceof Response) {
+        resp.headers.append("Vary", "Accept-Encoding");
+      }
+    });
+    return { encoding };
+  };
+}
+
+// src/middleware/cors.ts
+function cors(options = {}) {
+  const originOpt = options.origin ?? "*";
+  const allowMethods = (options.allowMethods ?? ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"]).join(",");
+  const allowHeaders = options.allowHeaders?.join(",") ?? "";
+  const exposeHeaders = options.exposeHeaders?.join(",") ?? "";
+  const maxAge = options.maxAge !== void 0 ? String(options.maxAge) : "";
+  const credentials = options.credentials ?? false;
+  const resolveOrigin = (requestOrigin, ctx) => {
+    if (typeof originOpt === "string") return originOpt;
+    if (Array.isArray(originOpt)) {
+      return originOpt.includes(requestOrigin) ? requestOrigin : originOpt[0];
+    }
+    return originOpt(requestOrigin, ctx);
+  };
+  const corsMiddleware = (ctx) => {
+    const requestOrigin = ctx.headers["origin"] ?? "";
+    const allowedOrigin = resolveOrigin(requestOrigin, ctx);
+    ctx.onFinish((resp) => {
+      if (resp instanceof Response) {
+        resp.headers.set("Access-Control-Allow-Origin", allowedOrigin);
+        if (credentials) resp.headers.set("Access-Control-Allow-Credentials", "true");
+        if (exposeHeaders) resp.headers.set("Access-Control-Expose-Headers", exposeHeaders);
+      }
+    });
+  };
+  const preflightHandler = (ctx) => {
+    const requestOrigin = ctx.headers["origin"] ?? "";
+    const allowedOrigin = resolveOrigin(requestOrigin, ctx);
+    const headers = {
+      "Access-Control-Allow-Origin": allowedOrigin,
+      "Access-Control-Allow-Methods": allowMethods
+    };
+    if (allowHeaders) {
+      headers["Access-Control-Allow-Headers"] = allowHeaders;
+    } else {
+      const requestedHeaders = ctx.headers["access-control-request-headers"];
+      if (requestedHeaders) {
+        headers["Access-Control-Allow-Headers"] = requestedHeaders;
+      }
+    }
+    if (maxAge) headers["Access-Control-Max-Age"] = maxAge;
+    if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
+    if (exposeHeaders) headers["Access-Control-Expose-Headers"] = exposeHeaders;
+    return new Response(null, { status: 204, headers });
+  };
+  const corsApp = new App();
+  corsApp.apply("/*", corsMiddleware);
+  corsApp.options("/", preflightHandler);
+  return corsApp;
+}
+
+// src/middleware/csrf.ts
+var UNSAFE_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE"]);
+var FORM_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
+function csrf(options = {}) {
+  const originOpt = options.origin;
+  return (ctx) => {
+    if (!UNSAFE_METHODS.has(ctx.method)) return;
+    const contentType = (ctx.headers["content-type"] ?? "").toLowerCase();
+    const isFormLike = FORM_CONTENT_TYPES.some((t) => contentType.startsWith(t));
+    if (contentType && !isFormLike) return;
+    const requestOrigin = ctx.headers["origin"] ?? "";
+    if (!requestOrigin) {
+      const referer = ctx.headers["referer"];
+      if (referer) {
+        try {
+          const refOrigin = new URL(referer).origin;
+          if (isAllowed(refOrigin, ctx, originOpt)) return;
+        } catch {
+        }
+      }
+      return new Response("CSRF validation failed: missing Origin header", {
+        status: 403
+      });
+    }
+    if (!isAllowed(requestOrigin, ctx, originOpt)) {
+      return new Response("CSRF validation failed: origin not allowed", {
+        status: 403
+      });
+    }
+  };
+}
+function isAllowed(origin, ctx, originOpt) {
+  if (!originOpt) {
+    try {
+      const requestUrl = new URL(ctx.url);
+      const requestOrigin = requestUrl.origin;
+      return origin === requestOrigin;
+    } catch {
+      return false;
+    }
+  }
+  if (typeof originOpt === "string") {
+    return origin === originOpt;
+  }
+  if (Array.isArray(originOpt)) {
+    return originOpt.includes(origin);
+  }
+  return originOpt(origin, ctx);
+}
+
+// src/middleware/etag.ts
+function etag(_options = {}) {
+  return (ctx) => {
+    const ifNoneMatch = ctx.headers["if-none-match"] ?? null;
+    return ifNoneMatch;
+  };
+}
+
+// src/middleware/ip-restriction.ts
+function ipRestriction(options) {
+  const allowSet = options.allowList ? new Set(options.allowList) : null;
+  const denySet = options.denyList ? new Set(options.denyList) : null;
+  const onError = options.onError;
+  const forbiddenResponse = (ctx) => {
+    if (onError) return onError(ctx);
+    return new Response("Forbidden", { status: 403 });
+  };
+  return (ctx) => {
+    const ip = ctx.remoteInfo.address;
+    if (allowSet && !allowSet.has(ip)) {
+      return forbiddenResponse(ctx);
+    }
+    if (denySet && denySet.has(ip)) {
+      return forbiddenResponse(ctx);
+    }
+  };
+}
+
+// src/middleware/jwk.ts
+var RSA_HASH_MAP = {
+  "RS256": "SHA-256",
+  "RS384": "SHA-384",
+  "RS512": "SHA-512"
+};
+var EC_HASH_MAP = {
+  "ES256": { hash: "SHA-256", namedCurve: "P-256" },
+  "ES384": { hash: "SHA-384", namedCurve: "P-384" },
+  "ES512": { hash: "SHA-512", namedCurve: "P-521" }
+};
+var cachedKeys = null;
+var cacheExpiry = 0;
+async function fetchJwks(url, ttl) {
+  const now = Date.now();
+  if (cachedKeys && now < cacheExpiry) {
+    return cachedKeys;
+  }
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status}`);
+  }
+  const jwks = await response.json();
+  cachedKeys = jwks.keys;
+  cacheExpiry = now + ttl;
+  return cachedKeys;
+}
+async function verifyWithJwk(token, keys, options) {
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Invalid JWT format");
+  const headerJson = decoder.decode(decodeBase64Url(parts[0]));
+  const header = JSON.parse(headerJson);
+  const alg = header.alg;
+  const kid = header.kid;
+  let jwk2;
+  if (kid) {
+    jwk2 = keys.find((k) => k.kid === kid);
+  }
+  if (!jwk2) {
+    jwk2 = keys.find((k) => k.alg === alg || !k.alg && k.use === "sig");
+  }
+  if (!jwk2) {
+    throw new Error(`No matching JWK found for kid=${kid}, alg=${alg}`);
+  }
+  const data = encoder.encode(`${parts[0]}.${parts[1]}`);
+  const signature = decodeBase64Url(parts[2]);
+  let key;
+  if (RSA_HASH_MAP[alg]) {
+    key = await crypto.subtle.importKey(
+      "jwk",
+      jwk2,
+      { name: "RSASSA-PKCS1-v1_5", hash: RSA_HASH_MAP[alg] },
+      false,
+      ["verify"]
+    );
+    const valid = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", key, signature, data);
+    if (!valid) throw new Error("Invalid JWT signature");
+  } else if (EC_HASH_MAP[alg]) {
+    const ecInfo = EC_HASH_MAP[alg];
+    key = await crypto.subtle.importKey(
+      "jwk",
+      jwk2,
+      { name: "ECDSA", namedCurve: ecInfo.namedCurve },
+      false,
+      ["verify"]
+    );
+    const valid = await crypto.subtle.verify(
+      { name: "ECDSA", hash: ecInfo.hash },
+      key,
+      signature,
+      data
+    );
+    if (!valid) throw new Error("Invalid JWT signature");
+  } else {
+    throw new Error(`Unsupported algorithm: ${alg}`);
+  }
+  const payloadJson = decoder.decode(decodeBase64Url(parts[1]));
+  const payload = JSON.parse(payloadJson);
+  const now = Math.floor(Date.now() / 1e3);
+  const tolerance = options.clockTolerance ?? 0;
+  if (payload.exp !== void 0 && now >= payload.exp + tolerance) {
+    throw new Error("JWT expired");
+  }
+  if (payload.nbf !== void 0 && now < payload.nbf - tolerance) {
+    throw new Error("JWT not yet valid");
+  }
+  if (options.issuer && payload.iss !== options.issuer) {
+    throw new Error(`Invalid issuer: expected ${options.issuer}`);
+  }
+  if (options.audience) {
+    const aud = payload.aud;
+    const validAudience = Array.isArray(aud) ? aud.includes(options.audience) : aud === options.audience;
+    if (!validAudience) {
+      throw new Error(`Invalid audience: expected ${options.audience}`);
+    }
+  }
+  return payload;
+}
+function jwk(options) {
+  const headerName = (options.headerName ?? "authorization").toLowerCase();
+  const prefix = options.prefix ?? "Bearer";
+  const prefixWithSpace = prefix + " ";
+  const cacheTtl = options.cacheTtl ?? 6e5;
+  const verifyOpts = {
+    issuer: options.issuer,
+    audience: options.audience,
+    clockTolerance: options.clockTolerance
+  };
+  return async (ctx) => {
+    const authHeader = ctx.headers[headerName];
+    if (!authHeader || !authHeader.startsWith(prefixWithSpace)) {
+      return new Response("JWT token required", {
+        status: 401,
+        headers: { "WWW-Authenticate": `Bearer realm="", error="invalid_token"` }
+      });
+    }
+    const token = authHeader.slice(prefixWithSpace.length).trim();
+    if (!token) {
+      return new Response("JWT token required", {
+        status: 401,
+        headers: { "WWW-Authenticate": `Bearer realm="", error="invalid_token"` }
+      });
+    }
+    try {
+      let keys;
+      if (options.keys) {
+        keys = options.keys;
+      } else if (options.jwksUrl) {
+        keys = await fetchJwks(options.jwksUrl, cacheTtl);
+      } else {
+        throw new Error("Either jwksUrl or keys must be provided");
+      }
+      return await verifyWithJwk(token, keys, verifyOpts);
+    } catch (err) {
+      return new Response(`JWK verification failed: ${err.message}`, {
+        status: 401,
+        headers: { "WWW-Authenticate": `Bearer realm="", error="invalid_token"` }
+      });
+    }
+  };
+}
+
+// src/middleware/jwt.ts
+var HASH_MAP = {
+  "HS256": "SHA-256",
+  "HS384": "SHA-384",
+  "HS512": "SHA-512"
+};
+async function verifyJwt(token, secret, options = {}) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const headerJson = decoder.decode(decodeBase64Url(parts[0]));
+  const header = JSON.parse(headerJson);
+  const alg = header.alg;
+  const expectedAlg = options.algorithm ?? "HS256";
+  if (alg !== expectedAlg) {
+    throw new Error(`Algorithm mismatch: expected ${expectedAlg}, got ${alg}`);
+  }
+  const hash = HASH_MAP[alg];
+  if (!hash) {
+    throw new Error(`Unsupported algorithm: ${alg}`);
+  }
+  const keyData = encoder.encode(secret);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash },
+    false,
+    ["verify"]
+  );
+  const data = encoder.encode(`${parts[0]}.${parts[1]}`);
+  const signature = decodeBase64Url(parts[2]);
+  const valid = await crypto.subtle.verify("HMAC", key, signature, data);
+  if (!valid) {
+    throw new Error("Invalid JWT signature");
+  }
+  const payloadJson = decoder.decode(decodeBase64Url(parts[1]));
+  const payload = JSON.parse(payloadJson);
+  const now = Math.floor(Date.now() / 1e3);
+  const tolerance = options.clockTolerance ?? 0;
+  if (payload.exp !== void 0 && now >= payload.exp + tolerance) {
+    throw new Error("JWT expired");
+  }
+  if (payload.nbf !== void 0 && now < payload.nbf - tolerance) {
+    throw new Error("JWT not yet valid");
+  }
+  if (options.issuer && payload.iss !== options.issuer) {
+    throw new Error(`Invalid issuer: expected ${options.issuer}, got ${payload.iss}`);
+  }
+  if (options.audience) {
+    const aud = payload.aud;
+    const validAudience = Array.isArray(aud) ? aud.includes(options.audience) : aud === options.audience;
+    if (!validAudience) {
+      throw new Error(`Invalid audience: expected ${options.audience}`);
+    }
+  }
+  return payload;
+}
+async function signJwt(payload, secret, algorithm = "HS256") {
+  const header = { alg: algorithm, typ: "JWT" };
+  const headerB64 = encodeBase64Url(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = encodeBase64Url(encoder.encode(JSON.stringify(payload)));
+  const hash = HASH_MAP[algorithm];
+  const keyData = encoder.encode(secret);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash },
+    false,
+    ["sign"]
+  );
+  const data = encoder.encode(`${headerB64}.${payloadB64}`);
+  const signature = await crypto.subtle.sign("HMAC", key, data);
+  const signatureB64 = encodeBase64Url(new Uint8Array(signature));
+  return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+function decodeJwt(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Invalid JWT format");
+  const header = JSON.parse(decoder.decode(decodeBase64Url(parts[0])));
+  const payload = JSON.parse(decoder.decode(decodeBase64Url(parts[1])));
+  return { header, payload };
+}
+function jwt(options) {
+  const secret = options.secret;
+  const algorithm = options.algorithm ?? "HS256";
+  const headerName = (options.headerName ?? "authorization").toLowerCase();
+  const prefix = options.prefix ?? "Bearer";
+  const prefixWithSpace = prefix + " ";
+  const verifyOpts = {
+    algorithm,
+    issuer: options.issuer,
+    audience: options.audience,
+    clockTolerance: options.clockTolerance
+  };
+  return async (ctx) => {
+    const authHeader = ctx.headers[headerName];
+    if (!authHeader || !authHeader.startsWith(prefixWithSpace)) {
+      return new Response("JWT token required", {
+        status: 401,
+        headers: { "WWW-Authenticate": `Bearer realm="", error="invalid_token"` }
+      });
+    }
+    const token = authHeader.slice(prefixWithSpace.length).trim();
+    if (!token) {
+      return new Response("JWT token required", {
+        status: 401,
+        headers: { "WWW-Authenticate": `Bearer realm="", error="invalid_token"` }
+      });
+    }
+    try {
+      return await verifyJwt(token, secret, verifyOpts);
+    } catch (err) {
+      return new Response(`JWT verification failed: ${err.message}`, {
+        status: 401,
+        headers: { "WWW-Authenticate": `Bearer realm="", error="invalid_token"` }
+      });
+    }
+  };
+}
+
+// src/middleware/logger.ts
+function logger(options = {}) {
+  const logFn = options.logFn ?? console.log;
+  const formatter = options.format ? (method, url, status, duration) => options.format({ method, url, status, duration }) : (method, url, status, duration) => {
+    const methodColor = "\x1B[36m";
+    const statusColor = status >= 500 ? "\x1B[31m" : status >= 400 ? "\x1B[33m" : status >= 300 ? "\x1B[36m" : "\x1B[32m";
+    const reset = "\x1B[0m";
+    return `${methodColor}${method}${reset} ${url} - ${statusColor}${status}${reset} - ${duration}ms`;
+  };
+  const loggerMiddleware = (ctx) => {
+    const start = Date.now();
+    ctx.onFinish((resp) => {
+      const duration = Date.now() - start;
+      const status = resp instanceof Response ? resp.status : 200;
+      logFn(formatter(ctx.method, ctx.url, status, duration));
+    });
+  };
+  const loggerApp = new App();
+  loggerApp.apply("/*", loggerMiddleware);
+  return loggerApp;
+}
+
+// src/middleware/request-id.ts
+function requestId(options = {}) {
+  const generator = options.generator ?? (() => crypto.randomUUID());
+  const responseHeader = options.headerName ?? "X-Request-Id";
+  const requestHeader = options.requestHeaderName;
+  return (ctx) => {
+    let id;
+    if (requestHeader) {
+      id = ctx.headers[requestHeader.toLowerCase()] || void 0;
+    }
+    if (!id) {
+      id = generator();
+    }
+    ctx.onFinish((resp) => {
+      if (resp instanceof Response) {
+        resp.headers.set(responseHeader, id);
+      }
+    });
+    return id;
+  };
+}
+
+// src/middleware/secure-headers.ts
+var DEFAULTS = {
+  "Cross-Origin-Opener-Policy": "same-origin",
+  "Cross-Origin-Resource-Policy": "same-origin",
+  "Origin-Agent-Cluster": "?1",
+  "Referrer-Policy": "no-referrer",
+  "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
+  "X-Content-Type-Options": "nosniff",
+  "X-DNS-Prefetch-Control": "off",
+  "X-Download-Options": "noopen",
+  "X-Frame-Options": "SAMEORIGIN",
+  "X-Permitted-Cross-Domain-Policies": "none",
+  "X-XSS-Protection": "0"
+};
+var OPTION_TO_HEADER = {
+  contentSecurityPolicy: "Content-Security-Policy",
+  crossOriginEmbedderPolicy: "Cross-Origin-Embedder-Policy",
+  crossOriginOpenerPolicy: "Cross-Origin-Opener-Policy",
+  crossOriginResourcePolicy: "Cross-Origin-Resource-Policy",
+  originAgentCluster: "Origin-Agent-Cluster",
+  referrerPolicy: "Referrer-Policy",
+  strictTransportSecurity: "Strict-Transport-Security",
+  xContentTypeOptions: "X-Content-Type-Options",
+  xDnsPrefetchControl: "X-DNS-Prefetch-Control",
+  xDownloadOptions: "X-Download-Options",
+  xFrameOptions: "X-Frame-Options",
+  xPermittedCrossDomainPolicies: "X-Permitted-Cross-Domain-Policies",
+  xXssProtection: "X-XSS-Protection"
+};
+function secureHeaders(options = {}) {
+  const removePoweredBy = options.removePoweredBy !== false;
+  const headers = [];
+  for (const [optKey, headerName] of Object.entries(OPTION_TO_HEADER)) {
+    const optValue = options[optKey];
+    if (optValue === false) {
+      continue;
+    }
+    if (typeof optValue === "string") {
+      headers.push([headerName, optValue]);
+    } else if (DEFAULTS[headerName]) {
+      headers.push([headerName, DEFAULTS[headerName]]);
+    }
+  }
+  return (ctx) => {
+    ctx.onFinish((resp) => {
+      if (resp instanceof Response) {
+        for (let i = 0; i < headers.length; i++) {
+          resp.headers.set(headers[i][0], headers[i][1]);
+        }
+        if (removePoweredBy) {
+          resp.headers.delete("X-Powered-By");
+        }
+      }
+    });
+  };
+}
+
+// src/middleware/session.ts
+var UNAUTHORIZED_BODY = "Unauthorized";
+function session(options) {
+  const { cookieName, validate, onUnauthorized } = options;
+  const unauthorized = onUnauthorized ?? (() => new Response(UNAUTHORIZED_BODY, { status: 401 }));
+  if (validate.constructor.name === "AsyncFunction") {
+    return async (ctx) => {
+      const cookie = ctx.cookies[cookieName];
+      if (!cookie) return unauthorized(ctx);
+      try {
+        const result = await validate(cookie, ctx);
+        if (result == null || result instanceof Response) {
+          return result ?? unauthorized(ctx);
+        }
+        return result;
+      } catch (e) {
+        return e instanceof Response ? e : unauthorized(ctx);
+      }
+    };
+  }
+  return (ctx) => {
+    const cookie = ctx.cookies[cookieName];
+    if (!cookie) return unauthorized(ctx);
+    try {
+      const result = validate(cookie, ctx);
+      if (result == null || result instanceof Response) {
+        return result ?? unauthorized(ctx);
+      }
+      return result;
+    } catch (e) {
+      return e instanceof Response ? e : unauthorized(ctx);
+    }
+  };
+}
+
+// src/middleware/timeout.ts
+function timeout(options) {
+  const duration = options.duration;
+  const onTimeout = options.onTimeout;
+  return (ctx) => {
+    const controller = new AbortController();
+    const timer = setTimeout(() => {
+      controller.abort();
+      if (onTimeout) {
+        return onTimeout(ctx);
+      }
+    }, duration);
+    ctx.onFinish(() => {
+      clearTimeout(timer);
+    });
+    return { signal: controller.signal };
+  };
+}
+
+// src/middleware/timing.ts
+function timing(options = {}) {
+  const name = options.name ?? "total";
+  const description = options.description;
+  const enabled = options.enabled !== false;
+  return (ctx) => {
+    if (!enabled) return;
+    const start = performance.now();
+    ctx.onFinish((resp) => {
+      if (resp instanceof Response) {
+        const dur = (performance.now() - start).toFixed(2);
+        let value = `${name};dur=${dur}`;
+        if (description) {
+          value = `${name};desc="${description}";dur=${dur}`;
+        }
+        const existing = resp.headers.get("Server-Timing");
+        if (existing) {
+          resp.headers.set("Server-Timing", `${existing}, ${value}`);
+        } else {
+          resp.headers.set("Server-Timing", value);
+        }
+      }
+    });
+  };
+}
+
+// src/ws/codec.ts
+var MsgType = {
+  PING: 1,
+  PONG: 2,
+  REQUEST: 3,
+  RESPONSE: 4,
+  SUBSCRIBE: 5,
+  UNSUBSCRIBE: 6,
+  PUBLISH: 7,
+  MESSAGE: 8,
+  AUTH: 9,
+  AUTH_OK: 10,
+  AUTH_FAIL: 11
+};
+var encoder2 = new TextEncoder();
+var decoder2 = new TextDecoder();
+var PING_BUF = new Uint8Array([MsgType.PING]);
+var PONG_BUF = new Uint8Array([MsgType.PONG]);
+function encodePing() {
+  return PING_BUF;
+}
+function encodePong() {
+  return PONG_BUF;
+}
+function encodeRequest(corrId, payload) {
+  const payloadBytes = encoder2.encode(payload);
+  const buf = new Uint8Array(5 + payloadBytes.length);
+  buf[0] = MsgType.REQUEST;
+  buf[1] = corrId >>> 24 & 255;
+  buf[2] = corrId >>> 16 & 255;
+  buf[3] = corrId >>> 8 & 255;
+  buf[4] = corrId & 255;
+  buf.set(payloadBytes, 5);
+  return buf;
+}
+function encodeResponse(corrId, payload) {
+  const payloadBytes = typeof payload === "string" ? encoder2.encode(payload) : payload;
+  const buf = new Uint8Array(5 + payloadBytes.length);
+  buf[0] = MsgType.RESPONSE;
+  buf[1] = corrId >>> 24 & 255;
+  buf[2] = corrId >>> 16 & 255;
+  buf[3] = corrId >>> 8 & 255;
+  buf[4] = corrId & 255;
+  buf.set(payloadBytes, 5);
+  return buf;
+}
+function encodeSubscribe(topic) {
+  const topicBytes = encoder2.encode(topic);
+  const buf = new Uint8Array(2 + topicBytes.length);
+  buf[0] = MsgType.SUBSCRIBE;
+  buf[1] = topicBytes.length;
+  buf.set(topicBytes, 2);
+  return buf;
+}
+function encodeUnsubscribe(topic) {
+  const topicBytes = encoder2.encode(topic);
+  const buf = new Uint8Array(2 + topicBytes.length);
+  buf[0] = MsgType.UNSUBSCRIBE;
+  buf[1] = topicBytes.length;
+  buf.set(topicBytes, 2);
+  return buf;
+}
+function encodePublish(topic, payload) {
+  const topicBytes = encoder2.encode(topic);
+  const payloadBytes = encoder2.encode(payload);
+  const buf = new Uint8Array(2 + topicBytes.length + payloadBytes.length);
+  buf[0] = MsgType.PUBLISH;
+  buf[1] = topicBytes.length;
+  buf.set(topicBytes, 2);
+  buf.set(payloadBytes, 2 + topicBytes.length);
+  return buf;
+}
+function encodeMessage(topic, payload) {
+  const topicBytes = encoder2.encode(topic);
+  const payloadBytes = encoder2.encode(payload);
+  const buf = new Uint8Array(2 + topicBytes.length + payloadBytes.length);
+  buf[0] = MsgType.MESSAGE;
+  buf[1] = topicBytes.length;
+  buf.set(topicBytes, 2);
+  buf.set(payloadBytes, 2 + topicBytes.length);
+  return buf;
+}
+function encodeAuth(token) {
+  const tokenBytes = encoder2.encode(token);
+  const buf = new Uint8Array(1 + tokenBytes.length);
+  buf[0] = MsgType.AUTH;
+  buf.set(tokenBytes, 1);
+  return buf;
+}
+function encodeAuthOk(payload = "") {
+  if (payload.length === 0) return new Uint8Array([MsgType.AUTH_OK]);
+  const payloadBytes = encoder2.encode(payload);
+  const buf = new Uint8Array(1 + payloadBytes.length);
+  buf[0] = MsgType.AUTH_OK;
+  buf.set(payloadBytes, 1);
+  return buf;
+}
+function encodeAuthFail(reason) {
+  const reasonBytes = encoder2.encode(reason);
+  const buf = new Uint8Array(1 + reasonBytes.length);
+  buf[0] = MsgType.AUTH_FAIL;
+  buf.set(reasonBytes, 1);
+  return buf;
+}
+function decode(data) {
+  const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
+  if (bytes.length === 0) return null;
+  const type = bytes[0];
+  switch (type) {
+    // ── Ping / Pong ───────────────────────────────────────────────────────
+    case MsgType.PING:
+      return { type: MsgType.PING };
+    case MsgType.PONG:
+      return { type: MsgType.PONG };
+    // ── Request / Response ────────────────────────────────────────────────
+    case MsgType.REQUEST:
+    case MsgType.RESPONSE: {
+      if (bytes.length < 5) return null;
+      const corrId = (bytes[1] << 24 | bytes[2] << 16 | bytes[3] << 8 | bytes[4]) >>> 0;
+      const payload = bytes.length > 5 ? decoder2.decode(bytes.subarray(5)) : "";
+      return type === MsgType.REQUEST ? { type: MsgType.REQUEST, corrId, payload } : { type: MsgType.RESPONSE, corrId, payload };
+    }
+    // ── Subscribe / Unsubscribe ───────────────────────────────────────────
+    case MsgType.SUBSCRIBE:
+    case MsgType.UNSUBSCRIBE: {
+      if (bytes.length < 2) return null;
+      const topicLen = bytes[1];
+      if (bytes.length < 2 + topicLen) return null;
+      const topic = decoder2.decode(bytes.subarray(2, 2 + topicLen));
+      return type === MsgType.SUBSCRIBE ? { type: MsgType.SUBSCRIBE, topic } : { type: MsgType.UNSUBSCRIBE, topic };
+    }
+    // ── Publish / Message ─────────────────────────────────────────────────
+    case MsgType.PUBLISH:
+    case MsgType.MESSAGE: {
+      if (bytes.length < 2) return null;
+      const topicLen = bytes[1];
+      if (bytes.length < 2 + topicLen) return null;
+      const topic = decoder2.decode(bytes.subarray(2, 2 + topicLen));
+      const payloadOffset = 2 + topicLen;
+      const payload = bytes.length > payloadOffset ? decoder2.decode(bytes.subarray(payloadOffset)) : "";
+      return type === MsgType.PUBLISH ? { type: MsgType.PUBLISH, topic, payload } : { type: MsgType.MESSAGE, topic, payload };
+    }
+    // ── Auth ───────────────────────────────────────────────────────────────
+    case MsgType.AUTH:
+    case MsgType.AUTH_OK:
+    case MsgType.AUTH_FAIL: {
+      const payload = bytes.length > 1 ? decoder2.decode(bytes.subarray(1)) : "";
+      return type === MsgType.AUTH ? { type: MsgType.AUTH, payload } : type === MsgType.AUTH_OK ? { type: MsgType.AUTH_OK, payload } : { type: MsgType.AUTH_FAIL, payload };
+    }
+    default:
+      return null;
+  }
+}
+function isKenBinaryFrame(data) {
+  const firstByte = data instanceof Uint8Array ? data[0] : new Uint8Array(data, 0, 1)[0];
+  return firstByte !== void 0 && firstByte >= MsgType.PING && firstByte <= MsgType.AUTH_FAIL;
+}
+
+// src/middleware/ws-client-protocol.ts
+var PONG_BIN = encodePong();
+var AUTHOK_BIN = encodeAuthOk();
+var PROTO_MESSAGE = "message";
+var AUTH_CLOSE_CODE = 4001;
+var AUTH_FAIL_INVALID_BIN = encodeAuthFail("Invalid token");
+var UNAUTHED = /* @__PURE__ */ Symbol("unauthed");
+function wsClientProtocol(config) {
+  const {
+    upgrade: userUpgrade,
+    open: userOpen,
+    message: userMessage,
+    close: userClose,
+    ping,
+    pong,
+    error,
+    authenticate,
+    tokenParam,
+    maxPayloadLength,
+    backpressureLimit,
+    pingInterval,
+    pongTimeout,
+    perMessageDeflate,
+    idleTimeout
+  } = config;
+  const authTokenParam = tokenParam ?? "token";
+  const options = {};
+  if (maxPayloadLength !== void 0) options.maxPayloadLength = maxPayloadLength;
+  if (backpressureLimit !== void 0) options.backpressureLimit = backpressureLimit;
+  if (pingInterval !== void 0) options.pingInterval = pingInterval;
+  if (pongTimeout !== void 0) options.pongTimeout = pongTimeout;
+  if (perMessageDeflate !== void 0) options.perMessageDeflate = perMessageDeflate;
+  if (idleTimeout !== void 0) options.idleTimeout = idleTimeout;
+  const preAuthPeers = authenticate ? /* @__PURE__ */ new WeakSet() : null;
+  const handleKbwp = (peer, message) => {
+    if (typeof message !== "string") {
+      const bytes = message instanceof Uint8Array ? message : new Uint8Array(message);
+      if (bytes.length === 0) return userMessage(peer, message);
+      if (bytes.length === 1) {
+        if (bytes[0] === MsgType.PING) {
+          peer.send(PONG_BIN);
+          return;
+        }
+        if (bytes[0] === MsgType.PONG) return;
+        return userMessage(peer, message);
+      }
+      const frame = decode(bytes);
+      if (frame === null) return userMessage(peer, message);
+      switch (frame.type) {
+        // ── Binary pub/sub ────────────────────────────────────────────────
+        case MsgType.SUBSCRIBE:
+          peer.subscribe(frame.topic);
+          return;
+        case MsgType.UNSUBSCRIBE:
+          peer.unsubscribe(frame.topic);
+          return;
+        case MsgType.PUBLISH:
+          if (frame.topic) {
+            peer.publish(
+              frame.topic,
+              '{"type":"' + PROTO_MESSAGE + '","topic":' + JSON.stringify(frame.topic) + ',"data":' + frame.payload + "}"
+            );
+          }
+          return;
+        // ── Binary request-response ───────────────────────────────────────
+        case MsgType.REQUEST: {
+          const { corrId, payload } = frame;
+          const origSend = peer.send;
+          peer.send = (data, compress2) => {
+            peer.send = origSend;
+            return origSend.call(
+              peer,
+              typeof data === "string" ? encodeResponse(corrId, data) : encodeResponse(corrId, data),
+              compress2
+            );
+          };
+          const result = userMessage(peer, payload);
+          if (result && typeof result.then === "function") {
+            return result.finally(() => {
+              if (peer.send !== origSend) {
+                peer.send = origSend;
+              }
+            });
+          }
+          if (peer.send !== origSend) {
+            peer.send = origSend;
+          }
+          return result;
+        }
+        // ── Binary message / response (server→server, handle gracefully) ──
+        case MsgType.MESSAGE:
+        case MsgType.RESPONSE:
+          return userMessage(peer, message);
+      }
+    }
+    return userMessage(peer, message);
+  };
+  let wrappedUpgrade;
+  let wrappedOpen;
+  let wrappedClose;
+  let wrappedMessage;
+  if (authenticate) {
+    const authSuccess = (peer, data) => {
+      peer.data = data;
+      peer.send(AUTHOK_BIN);
+      userOpen?.(peer);
+    };
+    const handleAuth = (peer, token) => {
+      const result = authenticate(token);
+      if (result !== null && typeof result.then === "function") {
+        return result.then((data) => {
+          if (data === null || data === void 0) {
+            peer.send(AUTH_FAIL_INVALID_BIN);
+            peer.close(AUTH_CLOSE_CODE, "Invalid token");
+            return;
+          }
+          authSuccess(peer, data);
+        });
+      }
+      if (result === null || result === void 0) {
+        peer.send(AUTH_FAIL_INVALID_BIN);
+        peer.close(AUTH_CLOSE_CODE, "Invalid token");
+        return;
+      }
+      authSuccess(peer, result);
+    };
+    wrappedUpgrade = (req) => {
+      const url = new URL(req.url);
+      const token = url.searchParams.get(authTokenParam);
+      if (token) {
+        const result = authenticate(token);
+        if (result !== null && typeof result.then === "function") {
+          return result.then((data2) => {
+            if (data2 === null || data2 === void 0) {
+              return new Response("Unauthorized", { status: 401 });
+            }
+            if (typeof data2 === "object" && data2 !== null) {
+              preAuthPeers.add(data2);
+            }
+            return data2;
+          });
+        }
+        if (result === null || result === void 0) {
+          return new Response("Unauthorized", { status: 401 });
+        }
+        const data = result;
+        if (typeof data === "object" && data !== null) {
+          preAuthPeers.add(data);
+        }
+        return data;
+      }
+      if (userUpgrade) return userUpgrade(req);
+      return void 0;
+    };
+    wrappedOpen = (peer) => {
+      if (peer.data && typeof peer.data === "object" && preAuthPeers.has(peer.data)) {
+        preAuthPeers.delete(peer.data);
+        userOpen?.(peer);
+        return;
+      }
+      peer.data = UNAUTHED;
+    };
+    wrappedClose = userClose;
+    wrappedMessage = (peer, message) => {
+      if (peer.data !== UNAUTHED) {
+        return handleKbwp(peer, message);
+      }
+      if (typeof message !== "string") {
+        const bytes = message instanceof Uint8Array ? message : new Uint8Array(message);
+        if (bytes.length > 0 && bytes[0] === MsgType.AUTH) {
+          const frame = decode(bytes);
+          if (frame && frame.type === MsgType.AUTH) {
+            return handleAuth(peer, frame.payload);
+          }
+        }
+      }
+      peer.close(AUTH_CLOSE_CODE, "Not authenticated");
+    };
+  } else {
+    wrappedUpgrade = userUpgrade;
+    wrappedOpen = userOpen;
+    wrappedClose = userClose;
+    wrappedMessage = handleKbwp;
+  }
+  const handler = { message: wrappedMessage };
+  if (wrappedUpgrade !== void 0) handler.upgrade = wrappedUpgrade;
+  if (wrappedOpen !== void 0) handler.open = wrappedOpen;
+  if (wrappedClose !== void 0) handler.close = wrappedClose;
+  if (ping !== void 0) handler.ping = ping;
+  if (pong !== void 0) handler.pong = pong;
+  if (error !== void 0) handler.error = error;
+  const wsApp = new App();
+  wsApp.ws("/", handler, options);
+  return wsApp;
+}
+
+// src/ws/client.ts
+var DEFAULT_MAX_RETRIES = Infinity;
+var DEFAULT_BACKOFF_BASE = 500;
+var DEFAULT_BACKOFF_MAX = 3e4;
+var DEFAULT_BACKOFF_FACTOR = 2;
+var DEFAULT_HEARTBEAT_INTERVAL = 3e4;
+var DEFAULT_REQUEST_TIMEOUT = 1e4;
+var DEFAULT_AUTH_TIMEOUT = 1e4;
+var PING_FRAME = encodePing();
+function sendBinary(ws, data) {
+  ws.send(data.buffer);
+}
+var WsClientState = {
+  CONNECTING: 0,
+  OPEN: 1,
+  CLOSING: 2,
+  CLOSED: 3,
+  RECONNECTING: 4
+};
+var WSClient = class {
+  // ── Public state ────────────────────────────────────────────────────────
+  /** Current state of the connection */
+  state = WsClientState.CLOSED;
+  // ── Private fields — all initialized here for V8 monomorphic shape ──────
+  _url;
+  _authTimeout;
+  _maxRetries;
+  _backoffFactor;
+  _backoffMax;
+  _backoffBase;
+  _heartbeatInterval;
+  _requestTimeout;
+  _onConnect;
+  _onDisconnect;
+  _onReconnectAttempt;
+  _onData;
+  _onFrame;
+  /** Active WebSocket instance */
+  _ws = null;
+  /** Number of consecutive failed reconnect attempts */
+  _retries = 0;
+  /** Correlation registry: corrId (uint32) → PendingRequest */
+  _pending = /* @__PURE__ */ new Map();
+  /**
+   * Active pub/sub subscriptions: topic → callback.
+   * Persists across reconnects so topics are re-sent in _onOpen.
+   */
+  _subscriptions = /* @__PURE__ */ new Map();
+  /** Heartbeat timer handle */
+  _heartbeatTimer = null;
+  /** Reconnect delay timer handle */
+  _reconnectTimer = null;
+  /** Whether destroy() / close() was explicitly called */
+  _destroyed = false;
+  /** Post-connect auth resolve/reject for the connect() promise */
+  _authResolve = null;
+  _authReject = null;
+  /** Auth timeout timer handle */
+  _authTimer = null;
+  /** Whether auth is pending (post-connect, waiting for AUTH_OK/AUTH_FAIL) */
+  _authPending = false;
+  /** Pre-encoded AUTH frame — zero per-reconnect allocation */
+  _authFrame;
+  /**
+   * Monotonically increasing uint32 counter for correlation IDs.
+   * Wraps at 0xFFFFFFFF to stay within 4-byte range.
+   */
+  _idCounter = 0;
+  // ── Bound event handlers — created once, reused per connection ───────────
+  _handleOpen;
+  _handleMessage;
+  _handleClose;
+  _handleError;
+  constructor(url, options = {}) {
+    const token = options.token;
+    const authMode = options.authMode ?? "message";
+    this._authTimeout = options.authTimeout ?? DEFAULT_AUTH_TIMEOUT;
+    this._url = token && authMode === "query" ? `${url}${url.includes("?") ? "&" : "?"}token=${encodeURIComponent(token)}` : url;
+    this._maxRetries = options.maxRetries ?? DEFAULT_MAX_RETRIES;
+    this._backoffFactor = options.backoffFactor ?? DEFAULT_BACKOFF_FACTOR;
+    this._backoffMax = options.backoffMax ?? DEFAULT_BACKOFF_MAX;
+    this._backoffBase = options.backoffBase ?? DEFAULT_BACKOFF_BASE;
+    this._heartbeatInterval = options.heartbeatInterval ?? DEFAULT_HEARTBEAT_INTERVAL;
+    this._requestTimeout = options.requestTimeout ?? DEFAULT_REQUEST_TIMEOUT;
+    this._onConnect = options.onConnect;
+    this._onDisconnect = options.onDisconnect;
+    this._onReconnectAttempt = options.onReconnectAttempt;
+    this._onData = options.onData;
+    this._onFrame = options.onFrame;
+    const needsAuth = !!(token && authMode === "message");
+    this._authFrame = needsAuth ? encodeAuth(token) : null;
+    this._handleOpen = needsAuth ? this._onOpenAuth.bind(this) : this._onOpenNoAuth.bind(this);
+    this._handleMessage = this._onMessage.bind(this);
+    this._handleClose = this._onClose.bind(this);
+    this._handleError = this._onError.bind(this);
+  }
+  // ── Public API ────────────────────────────────────────────────────────────
+  /**
+   * Connect to the WebSocket server.
+   * Returns a Promise that resolves when the connection is established.
+   * Safe to call multiple times — subsequent calls while already OPEN are no-ops.
+   */
+  connect() {
+    if (this.state === WsClientState.OPEN) return Promise.resolve();
+    return this._openConnection();
+  }
+  /**
+   * Send a raw string or binary message. The connection must be OPEN.
+   * For fire-and-forget use cases.
+   *
+   * @returns true if sent, false if not connected.
+   */
+  send(data) {
+    if (this.state !== WsClientState.OPEN || this._ws === null) return false;
+    this._ws.send(data);
+    return true;
+  }
+  /**
+   * Send a JSON message and wait for a correlated response.
+   *
+   * Uses the binary REQUEST frame format: [0x03][corrId:u32][JSON payload].
+   * The correlation ID is carried in the binary header — NOT mixed into the
+   * user payload — eliminating the previous `_kid` field collision issue.
+   *
+   * The server must respond with a binary RESPONSE frame echoing the same
+   * corrId. When using `defineWsHandler`, this is handled automatically.
+   *
+   * @param data - Object to JSON-serialize and send.
+   * @param timeout - Override the default `requestTimeout` for this request.
+   * @returns Promise resolving with the parsed response payload.
+   * @throws If the connection is not open, the request times out, or the
+   *         connection closes before a response arrives.
+   */
+  sendWait(data, timeout2) {
+    if (this.state !== WsClientState.OPEN || this._ws === null) {
+      return Promise.reject(new Error("WSClient: not connected"));
+    }
+    const corrId = this._nextId();
+    const payload = JSON.stringify(data);
+    const frame = encodeRequest(corrId, payload);
+    const ms = timeout2 ?? this._requestTimeout;
+    return new Promise((resolve, reject) => {
+      const timer = setTimeout(() => {
+        this._pending.delete(corrId);
+        reject(new Error(`WSClient: request ${corrId} timed out after ${ms}ms`));
+      }, ms);
+      this._pending.set(corrId, {
+        resolve,
+        reject,
+        timer
+      });
+      sendBinary(this._ws, frame);
+    });
+  }
+  // ── Pub/Sub API ──────────────────────────────────────────────────────────
+  /**
+   * Subscribe to a server-side topic.
+   * Sends `{"type":"subscribe","topic":"..."}` to the server and registers a
+   * local callback invoked for each `{"type":"message","topic":"...","data":...}`
+   * frame received on that topic.
+   *
+   * Safe to call before `connect()` — the subscription is registered locally
+   * and sent once the connection opens (or re-opens after reconnect).
+   *
+   * Calling with the same topic replaces the existing callback.
+   *
+   * @param topic    - Topic name to subscribe to
+   * @param callback - Called with the `data` field from each topic message
+   */
+  subscribe(topic, callback) {
+    this._subscriptions.set(topic, callback);
+    if (this.state === WsClientState.OPEN && this._ws !== null) {
+      sendBinary(this._ws, encodeSubscribe(topic));
+    }
+  }
+  /**
+   * Unsubscribe from a server-side topic.
+   * Sends `{"type":"unsubscribe","topic":"..."}` if currently connected.
+   * The local callback is removed regardless of connection state.
+   *
+   * @param topic - Topic name to unsubscribe from
+   */
+  unsubscribe(topic) {
+    if (this._subscriptions.delete(topic)) {
+      if (this.state === WsClientState.OPEN && this._ws !== null) {
+        sendBinary(this._ws, encodeUnsubscribe(topic));
+      }
+    }
+  }
+  /**
+   * Publish a message to a server-side topic.
+   * Sends `{"type":"publish","topic":"...","data":...}` to the server.
+   * The server (when using `defineWsHandler`) re-broadcasts the message to all
+   * topic subscribers as `{"type":"message","topic":"...","data":...}`.
+   *
+   * @param topic - Topic to publish to
+   * @param data  - Payload (JSON-serializable)
+   * @returns true if sent, false if not connected
+   */
+  publish(topic, data) {
+    if (this.state !== WsClientState.OPEN || this._ws === null) return false;
+    sendBinary(this._ws, encodePublish(topic, JSON.stringify(data)));
+    return true;
+  }
+  /**
+   * Gracefully close the connection.
+   * Does NOT reconnect. Cleans up all resources.
+   */
+  close(code = 1e3, reason = "") {
+    this._destroyed = true;
+    this._clearReconnectTimer();
+    this._authPending = false;
+    if (this._authTimer !== null) {
+      clearTimeout(this._authTimer);
+      this._authTimer = null;
+    }
+    this._authResolve = null;
+    this._authReject = null;
+    if (this._ws === null || this.state === WsClientState.CLOSED) {
+      this.state = WsClientState.CLOSED;
+      return Promise.resolve();
+    }
+    return new Promise((resolve) => {
+      const ws = this._ws;
+      const onClose = () => {
+        ws.removeEventListener("close", onClose);
+        resolve();
+      };
+      ws.addEventListener("close", onClose);
+      this.state = WsClientState.CLOSING;
+      ws.close(code, reason);
+    });
+  }
+  // ── Private: Connection lifecycle ─────────────────────────────────────────
+  _openConnection() {
+    this._destroyed = false;
+    this.state = WsClientState.CONNECTING;
+    return new Promise((resolve, reject) => {
+      let settled = false;
+      const ws = new WebSocket(this._url);
+      ws.binaryType = "arraybuffer";
+      this._ws = ws;
+      ws.addEventListener("open", this._handleOpen);
+      ws.addEventListener("message", this._handleMessage);
+      ws.addEventListener("close", this._handleClose);
+      ws.addEventListener("error", this._handleError);
+      const onOpenOnce = () => {
+        if (settled) return;
+        settled = true;
+        ws.removeEventListener("open", onOpenOnce);
+        ws.removeEventListener("error", onErrorOnce);
+        if (this._authFrame !== null) {
+          this._authResolve = resolve;
+          this._authReject = reject;
+          return;
+        }
+        resolve();
+      };
+      const onErrorOnce = (e) => {
+        if (settled) return;
+        settled = true;
+        ws.removeEventListener("open", onOpenOnce);
+        ws.removeEventListener("error", onErrorOnce);
+        reject(new Error(`WSClient: connection failed \u2014 ${e.message ?? "unknown error"}`));
+      };
+      ws.addEventListener("open", onOpenOnce);
+      ws.addEventListener("error", onErrorOnce);
+    });
+  }
+  /** Open handler for auth mode — sends pre-encoded AUTH frame */
+  _onOpenAuth() {
+    this.state = WsClientState.OPEN;
+    this._retries = 0;
+    this._authPending = true;
+    sendBinary(this._ws, this._authFrame);
+    this._authTimer = setTimeout(() => {
+      this._authTimer = null;
+      this._authPending = false;
+      const reject = this._authReject;
+      this._authResolve = null;
+      this._authReject = null;
+      reject?.(new Error("WSClient: auth timeout"));
+      this._ws?.close(4001, "Auth timeout");
+    }, this._authTimeout);
+  }
+  /** Open handler for no-auth mode — proceeds directly to _finishOpen */
+  _onOpenNoAuth() {
+    this.state = WsClientState.OPEN;
+    this._retries = 0;
+    this._finishOpen();
+  }
+  /**
+   * Complete the open sequence: re-subscribe, start heartbeat, fire onConnect.
+   * Called directly from _onOpen (no auth) or from _onMessage after AUTH_OK.
+   */
+  _finishOpen() {
+    if (this._subscriptions.size > 0) {
+      for (const topic of this._subscriptions.keys()) {
+        sendBinary(this._ws, encodeSubscribe(topic));
+      }
+    }
+    this._startHeartbeat();
+    this._onConnect?.();
+  }
+  _onMessage(event) {
+    const raw = event.data;
+    this._onData?.(raw);
+    if (raw instanceof ArrayBuffer) {
+      if (raw.byteLength === 0) return;
+      const frame = decode(raw);
+      if (frame === null) return;
+      this._onFrame?.(frame);
+      switch (frame.type) {
+        // ── Auth response handling ────────────────────────────────────
+        case MsgType.AUTH_OK: {
+          if (!this._authPending) return;
+          this._authPending = false;
+          if (this._authTimer !== null) {
+            clearTimeout(this._authTimer);
+            this._authTimer = null;
+          }
+          const resolve = this._authResolve;
+          this._authResolve = null;
+          this._authReject = null;
+          this._finishOpen();
+          resolve?.();
+          return;
+        }
+        case MsgType.AUTH_FAIL: {
+          if (!this._authPending) return;
+          this._authPending = false;
+          if (this._authTimer !== null) {
+            clearTimeout(this._authTimer);
+            this._authTimer = null;
+          }
+          const reject = this._authReject;
+          this._authResolve = null;
+          this._authReject = null;
+          const reason = frame.payload || "Authentication failed";
+          reject?.(new Error(`WSClient: auth failed \u2014 ${reason}`));
+          return;
+        }
+        // ── Response correlation ───────────────────────────────────────
+        case MsgType.RESPONSE: {
+          const pending = this._pending.get(frame.corrId);
+          if (pending !== void 0) {
+            this._pending.delete(frame.corrId);
+            clearTimeout(pending.timer);
+            let parsed;
+            try {
+              parsed = JSON.parse(frame.payload);
+            } catch {
+              parsed = frame.payload;
+            }
+            pending.resolve(parsed);
+          }
+          return;
+        }
+        // ── Pub/sub topic message ─────────────────────────────────────
+        case MsgType.MESSAGE: {
+          const cb = this._subscriptions.get(frame.topic);
+          if (cb !== void 0) {
+            let data;
+            try {
+              data = JSON.parse(frame.payload);
+            } catch {
+              data = frame.payload;
+            }
+            cb(data);
+          }
+          return;
+        }
+        // ── Pong (heartbeat ack) — no action needed ───────────────────
+        case MsgType.PONG:
+          return;
+        // Other binary frame types are not expected client-side
+        default:
+          return;
+      }
+    }
+    if (typeof raw === "string" && this._subscriptions.size > 0) {
+      if (raw.charCodeAt(0) === 123 && raw.includes('"message"')) {
+        let msg = null;
+        try {
+          msg = JSON.parse(raw);
+        } catch {
+        }
+        if (msg?.type === "message" && typeof msg.topic === "string") {
+          const cb = this._subscriptions.get(msg.topic);
+          cb?.(msg.data);
+        }
+      }
+    }
+  }
+  _onClose(event) {
+    this._stopHeartbeat();
+    this._detachHandlers();
+    this._ws = null;
+    this._authPending = false;
+    if (this._authTimer !== null) {
+      clearTimeout(this._authTimer);
+      this._authTimer = null;
+    }
+    if (this._authReject) {
+      const reject = this._authReject;
+      this._authResolve = null;
+      this._authReject = null;
+      reject(new Error(`WSClient: connection closed during auth (${event.code})`));
+    }
+    const code = event.code;
+    const reason = event.reason ?? "";
+    if (this._pending.size > 0) {
+      const err = new Error(`WSClient: connection closed (${code})`);
+      for (const pending of this._pending.values()) {
+        clearTimeout(pending.timer);
+        pending.reject(err);
+      }
+      this._pending.clear();
+    }
+    this._onDisconnect?.(code, reason);
+    if (this._destroyed || code === 1e3 || code === 1001) {
+      this.state = WsClientState.CLOSED;
+      return;
+    }
+    this._scheduleReconnect();
+  }
+  _onError(_event) {
+  }
+  // ── Private: Reconnect ────────────────────────────────────────────────────
+  _scheduleReconnect() {
+    if (this._retries >= this._maxRetries) {
+      this.state = WsClientState.CLOSED;
+      return;
+    }
+    this.state = WsClientState.RECONNECTING;
+    this._retries++;
+    const delay = this._computeBackoff(this._retries);
+    this._onReconnectAttempt?.(this._retries, delay);
+    this._reconnectTimer = setTimeout(async () => {
+      this._reconnectTimer = null;
+      if (this._destroyed) return;
+      try {
+        await this._openConnection();
+      } catch {
+      }
+    }, delay);
+  }
+  /**
+   * Exponential backoff with full jitter to avoid thundering-herd reconnects.
+   * delay = random(0, min(backoffMax, backoffBase * backoffFactor^attempt))
+   */
+  _computeBackoff(attempt) {
+    const cap = Math.min(this._backoffMax, this._backoffBase * Math.pow(this._backoffFactor, attempt - 1));
+    return Math.floor(Math.random() * cap);
+  }
+  _clearReconnectTimer() {
+    if (this._reconnectTimer !== null) {
+      clearTimeout(this._reconnectTimer);
+      this._reconnectTimer = null;
+    }
+  }
+  // ── Private: Heartbeat ────────────────────────────────────────────────────
+  _startHeartbeat() {
+    if (this._heartbeatInterval <= 0) return;
+    this._stopHeartbeat();
+    this._heartbeatTimer = setInterval(() => {
+      if (this.state === WsClientState.OPEN && this._ws !== null) {
+        sendBinary(this._ws, PING_FRAME);
+      }
+    }, this._heartbeatInterval);
+  }
+  _stopHeartbeat() {
+    if (this._heartbeatTimer !== null) {
+      clearInterval(this._heartbeatTimer);
+      this._heartbeatTimer = null;
+    }
+  }
+  // ── Private: Handler cleanup ──────────────────────────────────────────────
+  _detachHandlers() {
+    if (this._ws === null) return;
+    this._ws.removeEventListener("open", this._handleOpen);
+    this._ws.removeEventListener("message", this._handleMessage);
+    this._ws.removeEventListener("close", this._handleClose);
+    this._ws.removeEventListener("error", this._handleError);
+  }
+  // ── Private: Utilities ────────────────────────────────────────────────────
+  /**
+   * Returns a monotonically increasing uint32 correlation ID.
+   * Wraps at 0xFFFFFFFF back to 1 (zero is reserved).
+   * No random component needed — IDs are scoped to a single connection
+   * and the uint32 space (4B values) far exceeds concurrent in-flight requests.
+   */
+  _nextId() {
+    this._idCounter = this._idCounter + 1 & 4294967295;
+    if (this._idCounter === 0) this._idCounter = 1;
+    return this._idCounter;
+  }
+};
+export {
+  App,
+  AppServer,
+  MsgType,
+  WSClient,
+  WsClientState,
+  WsReadyState,
+  WsTopicHub,
+  basicAuth,
+  bearerAuth,
+  bodyLimit,
+  cache,
+  compress,
+  compressString,
+  cors,
+  csrf,
+  decode as decodeFrame,
+  decodeJwt,
+  decompressString,
+  decryptString,
+  defaultErrorHandler,
+  encodeMessage,
+  encodePing,
+  encodePong,
+  encodePublish,
+  encodeRequest,
+  encodeResponse,
+  encodeSubscribe,
+  encodeUnsubscribe,
+  encryptString,
+  etag,
+  generateSecretKey,
+  getMimeType,
+  getPathname,
+  ipRestriction,
+  isBun,
+  isDeno,
+  isKenBinaryFrame,
+  isNode,
+  jwk,
+  jwt,
+  listDirectory,
+  logger,
+  memoize,
+  receiveFiles,
+  requestId,
+  saveFile,
+  secureHeaders,
+  sendFile,
+  session,
+  signJwt,
+  timeout,
+  timing,
+  verifyJwt,
+  wsClientProtocol
+};
+//# sourceMappingURL=index.js.map