@concavejs/cli 0.0.1-alpha.6 → 0.0.1-alpha.7

package/dist/assets/runtime-node/server/index.js

@@ -12456,6 +12456,30 @@ class BaseSqliteDocStore {
     return scored.slice(0, limit);
   }
 }
+function createSerializedTransactionRunner(hooks) {
+  let queue = Promise.resolve();
+  return async function runInTransaction(fn) {
+    const run = queue.then(async () => {
+      await hooks.begin();
+      try {
+        const result = await fn();
+        await hooks.commit();
+        return result;
+      } catch (error) {
+        try {
+          await hooks.rollback();
+        } catch {}
+        throw error;
+      }
+    });
+    queue = run.then(() => {
+      return;
+    }, () => {
+      return;
+    });
+    return run;
+  };
+}
 
 class Long22 {
   low;
@@ -12608,8 +12632,14 @@ class NodePreparedStatement {
 
 class NodeSqliteAdapter {
   db;
+  runSerializedTransaction;
   constructor(db) {
     this.db = db;
+    this.runSerializedTransaction = createSerializedTransactionRunner({
+      begin: () => this.db.exec("BEGIN TRANSACTION"),
+      commit: () => this.db.exec("COMMIT"),
+      rollback: () => this.db.exec("ROLLBACK")
+    });
   }
   exec(sql) {
     this.db.exec(sql);
@@ -12618,15 +12648,7 @@ class NodeSqliteAdapter {
     return new NodePreparedStatement(this.db.prepare(sql));
   }
   async transaction(fn) {
-    try {
-      this.db.exec("BEGIN TRANSACTION");
-      const result = await fn();
-      this.db.exec("COMMIT");
-      return result;
-    } catch (error) {
-      this.db.exec("ROLLBACK");
-      throw error;
-    }
+    return this.runSerializedTransaction(fn);
   }
   hexToBuffer(hex) {
     return Buffer.from(hexToArrayBuffer32(hex));
@@ -12730,7 +12752,7 @@ var __defProp26, __export5 = (target, all) => {
   } catch {
     return;
   }
-}, AsyncLocalStorageCtor5, snapshotContext5, transactionContext5, idGeneratorContext5, CALL_CONTEXT_SYMBOL5, globalCallContext5, callContext5, JWKS_CACHE5, debug5 = () => {}, Convex24, UZERO22, TWO_PWR_16_DBL22, TWO_PWR_32_DBL22, TWO_PWR_64_DBL22, MAX_UNSIGNED_VALUE22, SqliteDocStore;
+}, AsyncLocalStorageCtor5, snapshotContext5, transactionContext5, idGeneratorContext5, CALL_CONTEXT_SYMBOL5, globalCallContext5, callContext5, DEFAULT_JWKS_CACHE_TTL_MS5, MAX_JWKS_CACHE_TTL_MS5, JWKS_CACHE5, debug5 = () => {}, Convex24, UZERO22, TWO_PWR_16_DBL22, TWO_PWR_32_DBL22, TWO_PWR_64_DBL22, MAX_UNSIGNED_VALUE22, SqliteDocStore;
 var init_dist = __esm(() => {
   __defProp26 = Object.defineProperty;
   init_base645 = __esm5(() => {
@@ -13828,6 +13850,8 @@ var init_dist = __esm(() => {
   init_values5();
   init_index_manager5();
   init_interface6();
+  DEFAULT_JWKS_CACHE_TTL_MS5 = 5 * 60 * 1000;
+  MAX_JWKS_CACHE_TTL_MS5 = 24 * 60 * 60 * 1000;
   JWKS_CACHE5 = new Map;
   init_values5();
   init_schema_service5();
@@ -13883,6 +13907,9 @@ class FsBlobStore {
       return false;
     }
   }
+  isNotFoundError(error) {
+    return !!error && typeof error === "object" && "code" in error && error.code === "ENOENT";
+  }
   generateStorageId() {
     return crypto.randomUUID();
   }
@@ -13923,31 +13950,25 @@ class FsBlobStore {
   async get(storageId) {
     const objectPath = this.getObjectPath(storageId);
     try {
-      const fileExists = await this.pathExists(objectPath);
-      if (!fileExists) {
-        return null;
-      }
       const data = await readFile(objectPath);
       const metadata = await this.getMetadata(storageId);
       const arrayBuffer = data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
       return new Blob([arrayBuffer], { type: metadata?.contentType || "application/octet-stream" });
     } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return null;
+      }
       console.error("Error reading object from filesystem:", error);
-      return null;
+      throw error;
     }
   }
   async delete(storageId) {
     const objectPath = this.getObjectPath(storageId);
     const metadataPath = this.getMetadataPath(storageId);
-    try {
-      await Promise.all([
-        unlink(objectPath).catch(() => {}),
-        unlink(metadataPath).catch(() => {})
-      ]);
-    } catch (error) {
-      console.error("Error deleting object from filesystem:", error);
-      throw error;
-    }
+    await Promise.all([
+      this.unlinkIfExists(objectPath),
+      this.unlinkIfExists(metadataPath)
+    ]);
   }
   async getUrl(storageId) {
     const objectPath = this.getObjectPath(storageId);
@@ -13961,15 +13982,25 @@ class FsBlobStore {
   async getMetadata(storageId) {
     const metadataPath = this.getMetadataPath(storageId);
     try {
-      const fileExists = await this.pathExists(metadataPath);
-      if (!fileExists) {
-        return null;
-      }
       const data = await readFile(metadataPath, "utf-8");
       return JSON.parse(data);
     } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return null;
+      }
       console.error("Error reading metadata from filesystem:", error);
-      return null;
+      throw error;
+    }
+  }
+  async unlinkIfExists(path2) {
+    try {
+      await unlink(path2);
+    } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return;
+      }
+      console.error("Error deleting object from filesystem:", error);
+      throw error;
     }
   }
 }
@@ -19853,6 +19884,8 @@ class SystemAuthError extends Error {
   }
 }
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 60;
+var DEFAULT_JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS = 24 * 60 * 60 * 1000;
 var JWKS_CACHE = new Map;
 var defaultValidationConfig;
 var adminAuthConfig;
@@ -19948,7 +19981,8 @@ function resolveJwtValidationConfigFromEnv(env) {
   const secret = getEnvValue("AUTH_SECRET", env) ?? getEnvValue("CONCAVE_JWT_SECRET", env) ?? getEnvValue("JWT_SECRET", env);
   const skipVerification = parseBoolean(getEnvValue("AUTH_SKIP_VERIFICATION", env)) ?? parseBoolean(getEnvValue("CONCAVE_JWT_SKIP_VERIFICATION", env));
   const clockTolerance = parseNumber(getEnvValue("AUTH_CLOCK_TOLERANCE", env)) ?? parseNumber(getEnvValue("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+  const jwksCacheTtlMs = parseNumber(getEnvValue("AUTH_JWKS_CACHE_TTL_MS", env)) ?? parseNumber(getEnvValue("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined && jwksCacheTtlMs === undefined) {
     return;
   }
   return {
@@ -19957,7 +19991,8 @@ function resolveJwtValidationConfigFromEnv(env) {
     audience,
     secret,
     skipVerification,
-    clockTolerance
+    clockTolerance,
+    jwksCacheTtlMs
   };
 }
 function normalizeList(value) {
@@ -20001,15 +20036,33 @@ function validateClaims(claims, config) {
     throw new JWTValidationError("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
   }
 }
-function getRemoteJwks(jwksUrl) {
+function getRemoteJwks(jwksUrl, config) {
+  const now = Date.now();
   const cached = JWKS_CACHE.get(jwksUrl);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.resolver;
+  }
   if (cached) {
-    return cached;
+    JWKS_CACHE.delete(jwksUrl);
   }
   const jwks = createRemoteJWKSet(new URL(jwksUrl));
-  JWKS_CACHE.set(jwksUrl, jwks);
+  const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig?.jwksCacheTtlMs;
+  const ttlMs = resolveJwksCacheTtlMs(configuredTtl);
+  JWKS_CACHE.set(jwksUrl, {
+    resolver: jwks,
+    expiresAtMs: now + ttlMs
+  });
   return jwks;
 }
+function resolveJwksCacheTtlMs(configuredTtl) {
+  if (configuredTtl === undefined) {
+    return DEFAULT_JWKS_CACHE_TTL_MS;
+  }
+  if (!Number.isFinite(configuredTtl)) {
+    return DEFAULT_JWKS_CACHE_TTL_MS;
+  }
+  return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS, Math.floor(configuredTtl)));
+}
 function decodeJwtUnsafe(token) {
   if (!token)
     return null;
@@ -20042,7 +20095,7 @@ async function verifyJwt(token, config) {
       const key = new TextEncoder().encode(effectiveConfig.secret);
       ({ payload } = await jwtVerify(token, key, options));
     } else {
-      ({ payload } = await jwtVerify(token, getRemoteJwks(effectiveConfig.jwksUrl), options));
+      ({ payload } = await jwtVerify(token, getRemoteJwks(effectiveConfig.jwksUrl, effectiveConfig), options));
     }
     const claims = payload;
     validateClaims(claims, effectiveConfig);
@@ -20097,7 +20150,7 @@ class UdfExecutionAdapter {
     this.executor = executor;
     this.callType = callType;
   }
-  async executeUdf(path, jsonArgs, type, auth, componentPath, requestId) {
+  async executeUdf(path, jsonArgs, type, auth, componentPath, requestId, snapshotTimestamp) {
     const convexArgs = convertClientArgs(jsonArgs);
     const target = normalizeExecutionTarget(path, componentPath);
     let authContext2;
@@ -20135,7 +20188,7 @@ class UdfExecutionAdapter {
     return runWithAuth(userIdentity, async () => {
       const executeWithContext = this.callType === "client" ? runAsClientCall : runAsServerCall;
       return executeWithContext(async () => {
-        return await this.executor.execute(target.path, convexArgs, type, authContext2 ?? userIdentity, normalizeComponentPath(target.componentPath), requestId);
+        return await this.executor.execute(target.path, convexArgs, type, authContext2 ?? userIdentity, normalizeComponentPath(target.componentPath), requestId, snapshotTimestamp);
       });
     });
   }
@@ -22409,6 +22462,11 @@ var WEBSOCKET_READY_STATE_OPEN = 1;
 var BACKPRESSURE_HIGH_WATER_MARK = 100;
 var BACKPRESSURE_BUFFER_LIMIT = 1024 * 1024;
 var SLOW_CLIENT_TIMEOUT_MS = 30000;
+var DEFAULT_RATE_LIMIT_WINDOW_MS = 5000;
+var DEFAULT_MAX_MESSAGES_PER_WINDOW = 1000;
+var DEFAULT_OPERATION_TIMEOUT_MS = 15000;
+var DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION = 1000;
+var RATE_LIMIT_HARD_MULTIPLIER = 5;
 
 class SyncSession {
   websocket;
@@ -22437,15 +22495,25 @@ class SyncSession {
 class SyncProtocolHandler {
   udfExecutor;
   sessions = new Map;
+  rateLimitStates = new Map;
   subscriptionManager;
   instanceName;
   backpressureController;
   heartbeatController;
   isDev;
+  maxMessagesPerWindow;
+  rateLimitWindowMs;
+  operationTimeoutMs;
+  maxActiveQueriesPerSession;
   constructor(instanceName, udfExecutor, options) {
     this.udfExecutor = udfExecutor;
     this.instanceName = instanceName;
     this.isDev = options?.isDev ?? true;
+    this.maxMessagesPerWindow = Math.max(1, options?.maxMessagesPerWindow ?? DEFAULT_MAX_MESSAGES_PER_WINDOW);
+    this.rateLimitWindowMs = Math.max(1, options?.rateLimitWindowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS);
+    const configuredOperationTimeout = options?.operationTimeoutMs ?? DEFAULT_OPERATION_TIMEOUT_MS;
+    this.operationTimeoutMs = Number.isFinite(configuredOperationTimeout) ? Math.max(0, Math.floor(configuredOperationTimeout)) : DEFAULT_OPERATION_TIMEOUT_MS;
+    this.maxActiveQueriesPerSession = Math.max(1, options?.maxActiveQueriesPerSession ?? DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION);
     this.subscriptionManager = new SubscriptionManager;
     this.backpressureController = new SessionBackpressureController({
       websocketReadyStateOpen: WEBSOCKET_READY_STATE_OPEN,
@@ -22463,6 +22531,10 @@ class SyncProtocolHandler {
   createSession(sessionId, websocket) {
     const session = new SyncSession(websocket);
     this.sessions.set(sessionId, session);
+    this.rateLimitStates.set(sessionId, {
+      windowStartedAt: Date.now(),
+      messagesInWindow: 0
+    });
     return session;
   }
   getSession(sessionId) {
@@ -22477,6 +22549,7 @@ class SyncProtocolHandler {
       session.isDraining = false;
       this.subscriptionManager.unsubscribeAll(sessionId);
       this.sessions.delete(sessionId);
+      this.rateLimitStates.delete(sessionId);
     }
   }
   updateSessionId(oldSessionId, newSessionId) {
@@ -22484,6 +22557,11 @@ class SyncProtocolHandler {
     if (session) {
       this.sessions.delete(oldSessionId);
       this.sessions.set(newSessionId, session);
+      const rateLimitState = this.rateLimitStates.get(oldSessionId);
+      if (rateLimitState) {
+        this.rateLimitStates.delete(oldSessionId);
+        this.rateLimitStates.set(newSessionId, rateLimitState);
+      }
       this.subscriptionManager.updateSessionId(oldSessionId, newSessionId);
     }
   }
@@ -22492,6 +22570,29 @@ class SyncProtocolHandler {
     if (!session && message2.type !== "Connect") {
       throw new Error("Session not found");
     }
+    if (session) {
+      const rateLimitDecision = this.consumeRateLimit(sessionId);
+      if (rateLimitDecision === "reject") {
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded, retry shortly"
+          }
+        ];
+      }
+      if (rateLimitDecision === "close") {
+        try {
+          session.websocket.close(1013, "Rate limit exceeded");
+        } catch {}
+        this.destroySession(sessionId);
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded"
+          }
+        ];
+      }
+    }
     switch (message2.type) {
       case "Connect":
         return this.handleConnect(sessionId, message2);
@@ -22548,6 +22649,15 @@ class SyncProtocolHandler {
         return [fatalError];
       }
       const startVersion = makeStateVersion(session.querySetVersion, session.identityVersion, session.timestamp);
+      const projectedActiveQueryCount = this.computeProjectedActiveQueryCount(session, message2);
+      if (projectedActiveQueryCount > this.maxActiveQueriesPerSession) {
+        return [
+          {
+            type: "FatalError",
+            error: `Too many active queries: ${projectedActiveQueryCount} exceeds limit ${this.maxActiveQueriesPerSession}`
+          }
+        ];
+      }
       session.querySetVersion = message2.newVersion;
       const modifications = [];
       for (const mod of message2.modifications) {
@@ -22871,7 +22981,54 @@ class SyncProtocolHandler {
     }, () => {
       return;
     });
-    return run;
+    return this.withOperationTimeout(run);
+  }
+  withOperationTimeout(promise) {
+    if (this.operationTimeoutMs <= 0) {
+      return promise;
+    }
+    let timeoutHandle;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutHandle = setTimeout(() => {
+        reject(new Error(`Sync operation timed out after ${this.operationTimeoutMs}ms`));
+      }, this.operationTimeoutMs);
+    });
+    return Promise.race([promise, timeoutPromise]).finally(() => {
+      if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+      }
+    });
+  }
+  consumeRateLimit(sessionId) {
+    const state = this.rateLimitStates.get(sessionId);
+    if (!state) {
+      return "allow";
+    }
+    const now = Date.now();
+    if (now - state.windowStartedAt >= this.rateLimitWindowMs) {
+      state.windowStartedAt = now;
+      state.messagesInWindow = 0;
+    }
+    state.messagesInWindow += 1;
+    if (state.messagesInWindow <= this.maxMessagesPerWindow) {
+      return "allow";
+    }
+    const hardLimit = Math.max(this.maxMessagesPerWindow + 1, this.maxMessagesPerWindow * RATE_LIMIT_HARD_MULTIPLIER);
+    if (state.messagesInWindow >= hardLimit) {
+      return "close";
+    }
+    return "reject";
+  }
+  computeProjectedActiveQueryCount(session, message2) {
+    const projected = new Set(session.activeQueries.keys());
+    for (const mod of message2.modifications) {
+      if (mod.type === "Add") {
+        projected.add(mod.queryId);
+      } else if (mod.type === "Remove") {
+        projected.delete(mod.queryId);
+      }
+    }
+    return projected.size;
   }
   sendPing(session) {
     if (!session.websocket || session.websocket.readyState !== WEBSOCKET_READY_STATE_OPEN) {
@@ -24748,6 +24905,8 @@ class SystemAuthError2 extends Error {
   }
 }
 var DEFAULT_CLOCK_TOLERANCE_SECONDS2 = 60;
+var DEFAULT_JWKS_CACHE_TTL_MS2 = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS2 = 24 * 60 * 60 * 1000;
 var JWKS_CACHE2 = new Map;
 var defaultValidationConfig2;
 var adminAuthConfig2;
@@ -24863,7 +25022,8 @@ function resolveJwtValidationConfigFromEnv2(env) {
   const secret = getEnvValue2("AUTH_SECRET", env) ?? getEnvValue2("CONCAVE_JWT_SECRET", env) ?? getEnvValue2("JWT_SECRET", env);
   const skipVerification = parseBoolean2(getEnvValue2("AUTH_SKIP_VERIFICATION", env)) ?? parseBoolean2(getEnvValue2("CONCAVE_JWT_SKIP_VERIFICATION", env));
   const clockTolerance = parseNumber2(getEnvValue2("AUTH_CLOCK_TOLERANCE", env)) ?? parseNumber2(getEnvValue2("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+  const jwksCacheTtlMs = parseNumber2(getEnvValue2("AUTH_JWKS_CACHE_TTL_MS", env)) ?? parseNumber2(getEnvValue2("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined && jwksCacheTtlMs === undefined) {
     return;
   }
   return {
@@ -24872,7 +25032,8 @@ function resolveJwtValidationConfigFromEnv2(env) {
     audience,
     secret,
     skipVerification,
-    clockTolerance
+    clockTolerance,
+    jwksCacheTtlMs
   };
 }
 function normalizeList2(value) {
@@ -24916,15 +25077,33 @@ function validateClaims2(claims, config) {
     throw new JWTValidationError2("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
   }
 }
-function getRemoteJwks2(jwksUrl) {
+function getRemoteJwks2(jwksUrl, config) {
+  const now = Date.now();
   const cached = JWKS_CACHE2.get(jwksUrl);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.resolver;
+  }
   if (cached) {
-    return cached;
+    JWKS_CACHE2.delete(jwksUrl);
   }
   const jwks = createRemoteJWKSet2(new URL(jwksUrl));
-  JWKS_CACHE2.set(jwksUrl, jwks);
+  const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig2?.jwksCacheTtlMs;
+  const ttlMs = resolveJwksCacheTtlMs2(configuredTtl);
+  JWKS_CACHE2.set(jwksUrl, {
+    resolver: jwks,
+    expiresAtMs: now + ttlMs
+  });
   return jwks;
 }
+function resolveJwksCacheTtlMs2(configuredTtl) {
+  if (configuredTtl === undefined) {
+    return DEFAULT_JWKS_CACHE_TTL_MS2;
+  }
+  if (!Number.isFinite(configuredTtl)) {
+    return DEFAULT_JWKS_CACHE_TTL_MS2;
+  }
+  return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS2, Math.floor(configuredTtl)));
+}
 function decodeJwtUnsafe2(token) {
   if (!token)
     return null;
@@ -24957,7 +25136,7 @@ async function verifyJwt2(token, config) {
       const key = new TextEncoder().encode(effectiveConfig.secret);
       ({ payload } = await jwtVerify2(token, key, options));
     } else {
-      ({ payload } = await jwtVerify2(token, getRemoteJwks2(effectiveConfig.jwksUrl), options));
+      ({ payload } = await jwtVerify2(token, getRemoteJwks2(effectiveConfig.jwksUrl, effectiveConfig), options));
     }
     const claims = payload;
     validateClaims2(claims, effectiveConfig);
@@ -25400,6 +25579,39 @@ async function resolveAuthContext(bodyAuth, headerToken, headerIdentity) {
   }
   return bodyAuth;
 }
+function parseTimestampInput(value) {
+  if (value === undefined || value === null) {
+    return;
+  }
+  if (typeof value === "bigint") {
+    return value >= 0n ? value : undefined;
+  }
+  if (typeof value === "number") {
+    if (!Number.isFinite(value) || !Number.isInteger(value) || value < 0) {
+      return;
+    }
+    return BigInt(value);
+  }
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (!/^\d+$/.test(trimmed)) {
+      return;
+    }
+    try {
+      return BigInt(trimmed);
+    } catch {
+      return;
+    }
+  }
+  return;
+}
+async function resolveSnapshotTimestamp(options, request) {
+  const fromCallback = options.getSnapshotTimestamp ? await options.getSnapshotTimestamp(request) : undefined;
+  if (typeof fromCallback === "bigint") {
+    return fromCallback;
+  }
+  return BigInt(Date.now());
+}
 async function handleCoreHttpApiRequest(request, options) {
   const url = new URL(request.url);
   const segments = url.pathname.split("/").filter(Boolean);
@@ -25439,6 +25651,19 @@ async function handleCoreHttpApiRequest(request, options) {
     throw error;
   }
   const route = routeSegments[0];
+  if (route === "query_ts") {
+    if (request.method !== "POST") {
+      return {
+        handled: true,
+        response: apply(Response.json({ error: "Method not allowed" }, { status: 405 }))
+      };
+    }
+    const snapshotTimestamp = await resolveSnapshotTimestamp(options, request);
+    return {
+      handled: true,
+      response: apply(Response.json({ ts: snapshotTimestamp.toString() }))
+    };
+  }
   if (route === "storage") {
     if (!options.storage) {
       return {
@@ -25496,7 +25721,7 @@ async function handleCoreHttpApiRequest(request, options) {
       }
     }
   }
-  if (route === "query" || route === "mutation" || route === "action") {
+  if (route === "query" || route === "mutation" || route === "action" || route === "query_at_ts") {
     if (request.method !== "POST") {
       return {
         handled: true,
@@ -25519,7 +25744,7 @@ async function handleCoreHttpApiRequest(request, options) {
           response: apply(Response.json({ error: "Invalid request body" }, { status: 400 }))
         };
       }
-      const { path, args, format, auth: bodyAuth, componentPath } = body;
+      const { path, args, format, auth: bodyAuth, componentPath, ts } = body;
       if (!path || typeof path !== "string") {
         return {
           handled: true,
@@ -25548,6 +25773,14 @@ async function handleCoreHttpApiRequest(request, options) {
         };
       }
       const jsonArgs = rawArgs ?? {};
+      const executionType = route === "query_at_ts" ? "query" : route;
+      const snapshotTimestamp = route === "query_at_ts" ? parseTimestampInput(ts) : undefined;
+      if (route === "query_at_ts" && snapshotTimestamp === undefined) {
+        return {
+          handled: true,
+          response: apply(Response.json({ error: "Invalid or missing ts" }, { status: 400 }))
+        };
+      }
       let authForExecution;
       try {
         authForExecution = await resolveAuthContext(bodyAuth, headerToken, headerIdentity);
@@ -25561,11 +25794,12 @@ async function handleCoreHttpApiRequest(request, options) {
         throw error;
       }
       const executionParams = {
-        type: route,
+        type: executionType,
         path,
         args: jsonArgs,
         auth: authForExecution,
         componentPath,
+        snapshotTimestamp,
         request
       };
       try {
@@ -25580,7 +25814,7 @@ async function handleCoreHttpApiRequest(request, options) {
         throw validationError;
       }
       const result = await options.executeFunction(executionParams);
-      if (options.notifyWrites && (route === "mutation" || route === "action") && (result.writtenRanges?.length || result.writtenTables?.length)) {
+      if (options.notifyWrites && (executionType === "mutation" || executionType === "action") && (result.writtenRanges?.length || result.writtenTables?.length)) {
         await options.notifyWrites(result.writtenRanges, result.writtenTables ?? writtenTablesFromRanges2(result.writtenRanges));
       }
       return {
@@ -28654,7 +28888,7 @@ class ForbiddenInQueriesOrMutations extends Error {
     this.name = "ForbiddenInQueriesOrMutations";
   }
 }
-async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, deterministicSeed, mutationTransaction, udfExecutor, componentPath) {
+async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, deterministicSeed, mutationTransaction, udfExecutor, componentPath, snapshotOverride) {
   const ambientIdentity = getAuthContext();
   let effectiveAuth;
   if (auth && typeof auth === "object" && "tokenType" in auth) {
@@ -28669,7 +28903,7 @@ async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, dete
   const inheritedSnapshot = snapshotContext2.getStore() ?? null;
   const existingIdGenerator = idGeneratorContext2.getStore() ?? undefined;
   const idGenerator = existingIdGenerator ?? (deterministicSeed ? createDeterministicIdGenerator(deterministicSeed) : undefined);
-  const convex = new UdfKernel(docstore, effectiveAuth, storage2, inheritedSnapshot, mutationTransaction, udfExecutor, componentPath, idGenerator);
+  const convex = new UdfKernel(docstore, effectiveAuth, storage2, snapshotOverride ?? inheritedSnapshot, mutationTransaction, udfExecutor, componentPath, idGenerator);
   convex.clearAccessLogs();
   const logLines = [];
   const logger = (level) => {
@@ -28725,7 +28959,7 @@ async function runUdfAndGetLogs(docstore, fn, ops, auth, udfType, storage2, dete
     };
   } finally {}
 }
-function runUdfQuery(docstore, fn, auth, storage2, requestId, udfExecutor, componentPath) {
+function runUdfQuery(docstore, fn, auth, storage2, requestId, udfExecutor, componentPath, snapshotOverride) {
   const tnow = Date.now();
   const seed = resolveSeed("query", requestId, tnow);
   const rng = udfRng(seed);
@@ -28737,7 +28971,7 @@ function runUdfQuery(docstore, fn, auth, storage2, requestId, udfExecutor, compo
     fetch: forbiddenAsyncOp("fetch"),
     setInterval: forbiddenAsyncOp("setInterval"),
     setTimeout: forbiddenAsyncOp("setTimeout")
-  }, auth, "query", storage2, seed, undefined, udfExecutor, componentPath);
+  }, auth, "query", storage2, seed, undefined, udfExecutor, componentPath, snapshotOverride);
 }
 function runUdfMutation(docstore, fn, auth, storage2, requestId, udfExecutor, componentPath) {
   const tnow = Date.now();
@@ -28862,7 +29096,7 @@ class InlineUdfExecutor {
     this.moduleRegistry = options.moduleRegistry;
     this.logSink = options.logSink;
   }
-  async execute(functionPath, args, udfType, auth, componentPath, requestId) {
+  async execute(functionPath, args, udfType, auth, componentPath, requestId, snapshotTimestamp) {
     const [moduleName, functionName3] = this.parseUdfPath(functionPath);
     const finalRequestId = requestId ?? this.requestIdFactory(udfType, functionPath);
     const isSystemFunction = moduleName === "_system" || functionPath.startsWith("_system:");
@@ -28887,7 +29121,7 @@ class InlineUdfExecutor {
     const runWithType = () => {
       switch (udfType) {
         case "query":
-          return runUdfQuery(this.docstore, runUdf3, auth, this.blobstore, finalRequestId, this, componentPath);
+          return runUdfQuery(this.docstore, runUdf3, auth, this.blobstore, finalRequestId, this, componentPath, snapshotTimestamp);
         case "mutation":
           return runUdfMutation(this.docstore, runUdf3, auth, this.blobstore, finalRequestId, this, componentPath);
         case "action":
@@ -28941,7 +29175,7 @@ class InlineUdfExecutor {
   async executeHttp(request, auth, requestId) {
     const url = new URL(request.url);
     const runHttpUdf = async () => {
-      const httpModule = await this.loadModule("http", request.url);
+      const httpModule = await this.loadModule("http");
       const router = httpModule?.default;
       if (!router?.isRouter || typeof router.lookup !== "function") {
         throw new Error("convex/http.ts must export a default httpRouter()");
@@ -29075,7 +29309,7 @@ class UdfExecutionAdapter2 {
     this.executor = executor;
     this.callType = callType;
   }
-  async executeUdf(path, jsonArgs, type, auth, componentPath, requestId) {
+  async executeUdf(path, jsonArgs, type, auth, componentPath, requestId, snapshotTimestamp) {
     const convexArgs = convertClientArgs2(jsonArgs);
     const target = normalizeExecutionTarget2(path, componentPath);
     let authContext3;
@@ -29113,7 +29347,7 @@ class UdfExecutionAdapter2 {
     return runWithAuth2(userIdentity, async () => {
       const executeWithContext = this.callType === "client" ? runAsClientCall2 : runAsServerCall2;
       return executeWithContext(async () => {
-        return await this.executor.execute(target.path, convexArgs, type, authContext3 ?? userIdentity, normalizeComponentPath5(target.componentPath), requestId);
+        return await this.executor.execute(target.path, convexArgs, type, authContext3 ?? userIdentity, normalizeComponentPath5(target.componentPath), requestId, snapshotTimestamp);
       });
     });
   }
@@ -29162,7 +29396,7 @@ function stripApiVersionPrefix(pathname) {
 }
 function isReservedApiPath(pathname) {
   const normalizedPath = stripApiVersionPrefix(pathname);
-  if (normalizedPath === "/api/execute" || normalizedPath === "/api/sync" || normalizedPath === "/api/reset-test-state" || normalizedPath === "/api/query" || normalizedPath === "/api/mutation" || normalizedPath === "/api/action") {
+  if (normalizedPath === "/api/execute" || normalizedPath === "/api/sync" || normalizedPath === "/api/reset-test-state" || normalizedPath === "/api/query" || normalizedPath === "/api/query_ts" || normalizedPath === "/api/query_at_ts" || normalizedPath === "/api/mutation" || normalizedPath === "/api/action") {
     return true;
   }
   if (normalizedPath === "/api/storage" || normalizedPath.startsWith("/api/storage/")) {
@@ -29233,7 +29467,7 @@ class HttpHandler {
       }
     };
     const coreResult = await handleCoreHttpApiRequest(request, {
-      executeFunction: async ({ type, path, args, auth, componentPath }) => this.adapter.executeUdf(path, args, type, auth, componentPath),
+      executeFunction: async ({ type, path, args, auth, componentPath, snapshotTimestamp }) => this.adapter.executeUdf(path, args, type, auth, componentPath, undefined, snapshotTimestamp),
       notifyWrites,
       storage: this.docstore && this.blobstore ? {
         store: async (blob) => {
@@ -29252,7 +29486,16 @@ class HttpHandler {
           return { blob: blob ?? null };
         }
       } : undefined,
-      corsHeaders
+      corsHeaders,
+      getSnapshotTimestamp: () => {
+        const oracle = this.docstore?.timestampOracle;
+        const oracleTimestamp = typeof oracle?.beginSnapshot === "function" ? oracle.beginSnapshot() : typeof oracle?.getCurrentTimestamp === "function" ? oracle.getCurrentTimestamp() : undefined;
+        const wallClock = BigInt(Date.now());
+        if (typeof oracleTimestamp === "bigint" && oracleTimestamp > wallClock) {
+          return oracleTimestamp;
+        }
+        return wallClock;
+      }
     });
     if (coreResult?.handled) {
       return coreResult.response;
@@ -35403,6 +35646,8 @@ function decodeJwtClaimsToken3(token) {
     return null;
   }
 }
+var DEFAULT_JWKS_CACHE_TTL_MS3 = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS3 = 24 * 60 * 60 * 1000;
 var JWKS_CACHE3 = new Map;
 function decodeJwtUnsafe3(token) {
   if (!token)
@@ -36220,6 +36465,8 @@ class ScheduledFunctionExecutor {
   logger;
   runMutationInTransaction;
   tableName;
+  maxConcurrentJobs;
+  scanPageSize;
   constructor(options) {
     this.docstore = options.docstore;
     this.udfExecutor = options.udfExecutor;
@@ -36229,46 +36476,68 @@ class ScheduledFunctionExecutor {
     this.logger = options.logger ?? console;
     this.runMutationInTransaction = options.runMutationInTransaction;
     this.tableName = options.tableName ?? SCHEDULED_FUNCTIONS_TABLE;
+    this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+    this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
   }
   async runDueJobs() {
     const tableId = stringToHex3(this.tableName);
-    const allJobs = await this.docstore.scan(tableId);
     const now = this.now();
-    const pendingJobs = allJobs.filter((doc) => {
-      const value = doc.value?.value;
-      if (!value || typeof value !== "object") {
-        return false;
-      }
-      const state = value.state;
-      const scheduledTime = value.scheduledTime;
-      return state?.kind === "pending" && typeof scheduledTime === "number" && scheduledTime <= now;
-    });
-    if (pendingJobs.length === 0) {
-      return {
-        executed: 0,
-        nextScheduledTime: this.computeNextScheduledTime(allJobs)
-      };
-    }
-    await Promise.all(pendingJobs.map((job) => {
-      const jobValue = job.value?.value;
-      if (!jobValue) {
-        throw new Error("Job value unexpectedly missing after filter");
+    let executed = 0;
+    const inFlight = new Set;
+    const schedule = async (jobValue) => {
+      const run = this.executeJob(jobValue, tableId).then(() => {
+        executed += 1;
+      }).finally(() => {
+        inFlight.delete(run);
+      });
+      inFlight.add(run);
+      if (inFlight.size >= this.maxConcurrentJobs) {
+        await Promise.race(inFlight);
       }
-      return this.executeJob(jobValue, tableId);
-    }));
-    return {
-      executed: pendingJobs.length,
-      nextScheduledTime: this.computeNextScheduledTime(await this.docstore.scan(tableId))
     };
+    await this.forEachScheduledJob(async (jobValue) => {
+      const state = jobValue.state;
+      const scheduledTime = jobValue.scheduledTime;
+      if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+        return;
+      }
+      if (scheduledTime <= now) {
+        await schedule(jobValue);
+      }
+    });
+    await Promise.all(inFlight);
+    return { executed, nextScheduledTime: await this.getNextScheduledTime() };
   }
   async getNextScheduledTime() {
-    const tableId = stringToHex3(this.tableName);
-    const allJobs = await this.docstore.scan(tableId);
-    return this.computeNextScheduledTime(allJobs);
+    let nextScheduledTime = null;
+    await this.forEachScheduledJob(async (jobValue) => {
+      const state = jobValue.state;
+      const scheduledTime = jobValue.scheduledTime;
+      if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+        return;
+      }
+      if (nextScheduledTime === null || scheduledTime < nextScheduledTime) {
+        nextScheduledTime = scheduledTime;
+      }
+    });
+    return nextScheduledTime;
   }
-  computeNextScheduledTime(allJobs) {
-    const pending = allJobs.map((doc) => doc.value?.value).filter((value) => !!value && value.state?.kind === "pending").map((value) => value.scheduledTime).filter((time) => typeof time === "number").sort((a, b) => a - b);
-    return pending.length > 0 ? pending[0] : null;
+  async forEachScheduledJob(visitor) {
+    const tableId = stringToHex3(this.tableName);
+    let cursor2 = null;
+    while (true) {
+      const page = await this.docstore.scanPaginated(tableId, cursor2, this.scanPageSize, Order3.Asc);
+      for (const doc of page.documents) {
+        const value = doc.value?.value;
+        if (value && typeof value === "object") {
+          await visitor(value);
+        }
+      }
+      if (!page.hasMore || !page.nextCursor) {
+        break;
+      }
+      cursor2 = page.nextCursor;
+    }
   }
   async executeJob(jobValue, tableId) {
     const jobId = jobValue?._id;
@@ -36400,6 +36669,8 @@ class CronExecutor {
   allocateTimestamp;
   now;
   logger;
+  maxConcurrentJobs;
+  scanPageSize;
   constructor(options) {
     this.docstore = options.docstore;
     this.udfExecutor = options.udfExecutor;
@@ -36407,6 +36678,8 @@ class CronExecutor {
     this.allocateTimestamp = options.allocateTimestamp;
     this.now = options.now ?? (() => Date.now());
     this.logger = options.logger ?? console;
+    this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+    this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
   }
   async syncCronSpecs(cronSpecs) {
     const tableId = stringToHex3(CRONS_TABLE);
@@ -36492,33 +36765,58 @@ class CronExecutor {
   }
   async runDueJobs() {
     const tableId = stringToHex3(CRONS_TABLE);
-    const allJobs = await this.docstore.scan(tableId);
     const now = this.now();
-    const dueJobs = allJobs.filter((doc) => {
-      const value = doc.value?.value;
-      return value && value.nextRun <= now;
-    });
-    if (dueJobs.length === 0) {
-      return {
-        executed: 0,
-        nextScheduledTime: this.computeNextScheduledTime(allJobs)
-      };
-    }
-    await Promise.all(dueJobs.map((job) => this.executeJob(job, tableId)));
-    const updatedJobs = await this.docstore.scan(tableId);
-    return {
-      executed: dueJobs.length,
-      nextScheduledTime: this.computeNextScheduledTime(updatedJobs)
+    let executed = 0;
+    const inFlight = new Set;
+    const schedule = async (job) => {
+      const run = this.executeJob(job, tableId).then(() => {
+        executed += 1;
+      }).finally(() => {
+        inFlight.delete(run);
+      });
+      inFlight.add(run);
+      if (inFlight.size >= this.maxConcurrentJobs) {
+        await Promise.race(inFlight);
+      }
     };
+    await this.forEachCronJob(async (job) => {
+      const value = job.value?.value;
+      if (!value || typeof value.nextRun !== "number") {
+        return;
+      }
+      if (value.nextRun <= now) {
+        await schedule(job);
+      }
+    });
+    await Promise.all(inFlight);
+    return { executed, nextScheduledTime: await this.getNextScheduledTime() };
   }
   async getNextScheduledTime() {
-    const tableId = stringToHex3(CRONS_TABLE);
-    const allJobs = await this.docstore.scan(tableId);
-    return this.computeNextScheduledTime(allJobs);
+    let nextScheduledTime = null;
+    await this.forEachCronJob(async (job) => {
+      const nextRun = job.value?.value?.nextRun;
+      if (typeof nextRun !== "number") {
+        return;
+      }
+      if (nextScheduledTime === null || nextRun < nextScheduledTime) {
+        nextScheduledTime = nextRun;
+      }
+    });
+    return nextScheduledTime;
   }
-  computeNextScheduledTime(allJobs) {
-    const nextTimes = allJobs.map((doc) => doc.value?.value?.nextRun).filter((time) => typeof time === "number").sort((a, b) => a - b);
-    return nextTimes.length > 0 ? nextTimes[0] : null;
+  async forEachCronJob(visitor) {
+    const tableId = stringToHex3(CRONS_TABLE);
+    let cursor2 = null;
+    while (true) {
+      const page = await this.docstore.scanPaginated(tableId, cursor2, this.scanPageSize, Order3.Asc);
+      for (const job of page.documents) {
+        await visitor(job);
+      }
+      if (!page.hasMore || !page.nextCursor) {
+        break;
+      }
+      cursor2 = page.nextCursor;
+    }
   }
   async executeJob(job, tableId) {
     const value = job.value?.value;
@@ -44126,6 +44424,8 @@ class SystemAuthError3 extends Error {
   }
 }
 var DEFAULT_CLOCK_TOLERANCE_SECONDS3 = 60;
+var DEFAULT_JWKS_CACHE_TTL_MS4 = 5 * 60 * 1000;
+var MAX_JWKS_CACHE_TTL_MS4 = 24 * 60 * 60 * 1000;
 var JWKS_CACHE4 = new Map;
 var defaultValidationConfig3;
 var adminAuthConfig3;
@@ -44221,7 +44521,8 @@ function resolveJwtValidationConfigFromEnv3(env) {
   const secret = getEnvValue3("AUTH_SECRET", env) ?? getEnvValue3("CONCAVE_JWT_SECRET", env) ?? getEnvValue3("JWT_SECRET", env);
   const skipVerification = parseBoolean3(getEnvValue3("AUTH_SKIP_VERIFICATION", env)) ?? parseBoolean3(getEnvValue3("CONCAVE_JWT_SKIP_VERIFICATION", env));
   const clockTolerance = parseNumber3(getEnvValue3("AUTH_CLOCK_TOLERANCE", env)) ?? parseNumber3(getEnvValue3("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+  const jwksCacheTtlMs = parseNumber3(getEnvValue3("AUTH_JWKS_CACHE_TTL_MS", env)) ?? parseNumber3(getEnvValue3("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+  if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined && jwksCacheTtlMs === undefined) {
     return;
   }
   return {
@@ -44230,7 +44531,8 @@ function resolveJwtValidationConfigFromEnv3(env) {
     audience,
     secret,
     skipVerification,
-    clockTolerance
+    clockTolerance,
+    jwksCacheTtlMs
   };
 }
 function normalizeList3(value) {
@@ -44274,15 +44576,33 @@ function validateClaims3(claims, config) {
     throw new JWTValidationError3("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
   }
 }
-function getRemoteJwks3(jwksUrl) {
+function getRemoteJwks3(jwksUrl, config) {
+  const now = Date.now();
   const cached = JWKS_CACHE4.get(jwksUrl);
+  if (cached && cached.expiresAtMs > now) {
+    return cached.resolver;
+  }
   if (cached) {
-    return cached;
+    JWKS_CACHE4.delete(jwksUrl);
   }
   const jwks = createRemoteJWKSet3(new URL(jwksUrl));
-  JWKS_CACHE4.set(jwksUrl, jwks);
+  const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig3?.jwksCacheTtlMs;
+  const ttlMs = resolveJwksCacheTtlMs3(configuredTtl);
+  JWKS_CACHE4.set(jwksUrl, {
+    resolver: jwks,
+    expiresAtMs: now + ttlMs
+  });
   return jwks;
 }
+function resolveJwksCacheTtlMs3(configuredTtl) {
+  if (configuredTtl === undefined) {
+    return DEFAULT_JWKS_CACHE_TTL_MS4;
+  }
+  if (!Number.isFinite(configuredTtl)) {
+    return DEFAULT_JWKS_CACHE_TTL_MS4;
+  }
+  return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS4, Math.floor(configuredTtl)));
+}
 function decodeJwtUnsafe4(token) {
   if (!token)
     return null;
@@ -44315,7 +44635,7 @@ async function verifyJwt3(token, config) {
       const key = new TextEncoder().encode(effectiveConfig.secret);
       ({ payload } = await jwtVerify3(token, key, options));
     } else {
-      ({ payload } = await jwtVerify3(token, getRemoteJwks3(effectiveConfig.jwksUrl), options));
+      ({ payload } = await jwtVerify3(token, getRemoteJwks3(effectiveConfig.jwksUrl, effectiveConfig), options));
     }
     const claims = payload;
     validateClaims3(claims, effectiveConfig);
@@ -45458,6 +45778,11 @@ var WEBSOCKET_READY_STATE_OPEN2 = 1;
 var BACKPRESSURE_HIGH_WATER_MARK2 = 100;
 var BACKPRESSURE_BUFFER_LIMIT2 = 1024 * 1024;
 var SLOW_CLIENT_TIMEOUT_MS2 = 30000;
+var DEFAULT_RATE_LIMIT_WINDOW_MS2 = 5000;
+var DEFAULT_MAX_MESSAGES_PER_WINDOW2 = 1000;
+var DEFAULT_OPERATION_TIMEOUT_MS2 = 15000;
+var DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION2 = 1000;
+var RATE_LIMIT_HARD_MULTIPLIER2 = 5;
 
 class SyncSession2 {
   websocket;
@@ -45486,15 +45811,25 @@ class SyncSession2 {
 class SyncProtocolHandler2 {
   udfExecutor;
   sessions = new Map;
+  rateLimitStates = new Map;
   subscriptionManager;
   instanceName;
   backpressureController;
   heartbeatController;
   isDev;
+  maxMessagesPerWindow;
+  rateLimitWindowMs;
+  operationTimeoutMs;
+  maxActiveQueriesPerSession;
   constructor(instanceName, udfExecutor, options) {
     this.udfExecutor = udfExecutor;
     this.instanceName = instanceName;
     this.isDev = options?.isDev ?? true;
+    this.maxMessagesPerWindow = Math.max(1, options?.maxMessagesPerWindow ?? DEFAULT_MAX_MESSAGES_PER_WINDOW2);
+    this.rateLimitWindowMs = Math.max(1, options?.rateLimitWindowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS2);
+    const configuredOperationTimeout = options?.operationTimeoutMs ?? DEFAULT_OPERATION_TIMEOUT_MS2;
+    this.operationTimeoutMs = Number.isFinite(configuredOperationTimeout) ? Math.max(0, Math.floor(configuredOperationTimeout)) : DEFAULT_OPERATION_TIMEOUT_MS2;
+    this.maxActiveQueriesPerSession = Math.max(1, options?.maxActiveQueriesPerSession ?? DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION2);
     this.subscriptionManager = new SubscriptionManager3;
     this.backpressureController = new SessionBackpressureController2({
       websocketReadyStateOpen: WEBSOCKET_READY_STATE_OPEN2,
@@ -45512,6 +45847,10 @@ class SyncProtocolHandler2 {
   createSession(sessionId, websocket) {
     const session = new SyncSession2(websocket);
     this.sessions.set(sessionId, session);
+    this.rateLimitStates.set(sessionId, {
+      windowStartedAt: Date.now(),
+      messagesInWindow: 0
+    });
     return session;
   }
   getSession(sessionId) {
@@ -45526,6 +45865,7 @@ class SyncProtocolHandler2 {
       session.isDraining = false;
       this.subscriptionManager.unsubscribeAll(sessionId);
       this.sessions.delete(sessionId);
+      this.rateLimitStates.delete(sessionId);
     }
   }
   updateSessionId(oldSessionId, newSessionId) {
@@ -45533,6 +45873,11 @@ class SyncProtocolHandler2 {
     if (session) {
       this.sessions.delete(oldSessionId);
       this.sessions.set(newSessionId, session);
+      const rateLimitState = this.rateLimitStates.get(oldSessionId);
+      if (rateLimitState) {
+        this.rateLimitStates.delete(oldSessionId);
+        this.rateLimitStates.set(newSessionId, rateLimitState);
+      }
       this.subscriptionManager.updateSessionId(oldSessionId, newSessionId);
     }
   }
@@ -45541,6 +45886,29 @@ class SyncProtocolHandler2 {
     if (!session && message22.type !== "Connect") {
       throw new Error("Session not found");
     }
+    if (session) {
+      const rateLimitDecision = this.consumeRateLimit(sessionId);
+      if (rateLimitDecision === "reject") {
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded, retry shortly"
+          }
+        ];
+      }
+      if (rateLimitDecision === "close") {
+        try {
+          session.websocket.close(1013, "Rate limit exceeded");
+        } catch {}
+        this.destroySession(sessionId);
+        return [
+          {
+            type: "FatalError",
+            error: "Rate limit exceeded"
+          }
+        ];
+      }
+    }
     switch (message22.type) {
       case "Connect":
         return this.handleConnect(sessionId, message22);
@@ -45597,6 +45965,15 @@ class SyncProtocolHandler2 {
         return [fatalError];
       }
       const startVersion = makeStateVersion2(session.querySetVersion, session.identityVersion, session.timestamp);
+      const projectedActiveQueryCount = this.computeProjectedActiveQueryCount(session, message22);
+      if (projectedActiveQueryCount > this.maxActiveQueriesPerSession) {
+        return [
+          {
+            type: "FatalError",
+            error: `Too many active queries: ${projectedActiveQueryCount} exceeds limit ${this.maxActiveQueriesPerSession}`
+          }
+        ];
+      }
       session.querySetVersion = message22.newVersion;
       const modifications = [];
       for (const mod of message22.modifications) {
@@ -45920,7 +46297,54 @@ class SyncProtocolHandler2 {
     }, () => {
       return;
     });
-    return run;
+    return this.withOperationTimeout(run);
+  }
+  withOperationTimeout(promise) {
+    if (this.operationTimeoutMs <= 0) {
+      return promise;
+    }
+    let timeoutHandle;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutHandle = setTimeout(() => {
+        reject(new Error(`Sync operation timed out after ${this.operationTimeoutMs}ms`));
+      }, this.operationTimeoutMs);
+    });
+    return Promise.race([promise, timeoutPromise]).finally(() => {
+      if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+      }
+    });
+  }
+  consumeRateLimit(sessionId) {
+    const state = this.rateLimitStates.get(sessionId);
+    if (!state) {
+      return "allow";
+    }
+    const now = Date.now();
+    if (now - state.windowStartedAt >= this.rateLimitWindowMs) {
+      state.windowStartedAt = now;
+      state.messagesInWindow = 0;
+    }
+    state.messagesInWindow += 1;
+    if (state.messagesInWindow <= this.maxMessagesPerWindow) {
+      return "allow";
+    }
+    const hardLimit = Math.max(this.maxMessagesPerWindow + 1, this.maxMessagesPerWindow * RATE_LIMIT_HARD_MULTIPLIER2);
+    if (state.messagesInWindow >= hardLimit) {
+      return "close";
+    }
+    return "reject";
+  }
+  computeProjectedActiveQueryCount(session, message22) {
+    const projected = new Set(session.activeQueries.keys());
+    for (const mod of message22.modifications) {
+      if (mod.type === "Add") {
+        projected.add(mod.queryId);
+      } else if (mod.type === "Remove") {
+        projected.delete(mod.queryId);
+      }
+    }
+    return projected.size;
   }
   sendPing(session) {
     if (!session.websocket || session.websocket.readyState !== WEBSOCKET_READY_STATE_OPEN2) {