@concavejs/core 0.0.1-alpha.6 → 0.0.1-alpha.7

package/dist/auth/jwt.d.ts

@@ -36,6 +36,11 @@ export type JWTValidationConfig = {
     secret?: string;
     skipVerification?: boolean;
     clockTolerance?: number;
+    /**
+     * Optional TTL (in milliseconds) for cached remote JWKS resolvers.
+     * Defaults to 5 minutes when omitted.
+     */
+    jwksCacheTtlMs?: number;
 };
 export type JWTValidationErrorCode = "MISSING_CONFIG" | "INVALID_SIGNATURE" | "TOKEN_EXPIRED" | "TOKEN_NOT_ACTIVE" | "CLAIM_VALIDATION_FAILED" | "MISSING_SUBJECT" | "MISSING_ISSUER" | "INVALID_TOKEN";
 export declare class JWTValidationError extends Error {

package/dist/auth/jwt.js

@@ -123,12 +123,17 @@ export const WELL_KNOWN_JWKS_URLS = {
     firebase: () => "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
 };
 const DEFAULT_CLOCK_TOLERANCE_SECONDS = 60;
+const DEFAULT_JWKS_CACHE_TTL_MS = 5 * 60 * 1000;
+const MAX_JWKS_CACHE_TTL_MS = 24 * 60 * 60 * 1000;
 const JWKS_CACHE = new Map();
 let defaultValidationConfig;
 let adminAuthConfig;
 let systemAuthConfig;
 export function setJwtValidationConfig(config) {
     defaultValidationConfig = config;
+    // Config updates can change issuer/audience/JWKS source semantics.
+    // Clearing resolver cache avoids stale long-lived entries across reconfiguration.
+    JWKS_CACHE.clear();
 }
 export function getJwtValidationConfig() {
     return defaultValidationConfig;
@@ -268,7 +273,15 @@ export function resolveJwtValidationConfigFromEnv(env) {
         parseBoolean(getEnvValue("CONCAVE_JWT_SKIP_VERIFICATION", env));
     const clockTolerance = parseNumber(getEnvValue("AUTH_CLOCK_TOLERANCE", env)) ??
         parseNumber(getEnvValue("CONCAVE_JWT_CLOCK_TOLERANCE", env));
-    if (!jwksUrl && !issuer && !audience && !secret && skipVerification === undefined && clockTolerance === undefined) {
+    const jwksCacheTtlMs = parseNumber(getEnvValue("AUTH_JWKS_CACHE_TTL_MS", env)) ??
+        parseNumber(getEnvValue("CONCAVE_JWT_JWKS_CACHE_TTL_MS", env));
+    if (!jwksUrl &&
+        !issuer &&
+        !audience &&
+        !secret &&
+        skipVerification === undefined &&
+        clockTolerance === undefined &&
+        jwksCacheTtlMs === undefined) {
         return undefined;
     }
     return {
@@ -278,6 +291,7 @@ export function resolveJwtValidationConfigFromEnv(env) {
         secret,
         skipVerification,
         clockTolerance,
+        jwksCacheTtlMs,
     };
 }
 function normalizeList(value) {
@@ -324,15 +338,33 @@ function validateClaims(claims, config) {
         throw new JWTValidationError("CLAIM_VALIDATION_FAILED", "JWT claim validation failed: aud");
     }
 }
-function getRemoteJwks(jwksUrl) {
+function getRemoteJwks(jwksUrl, config) {
+    const now = Date.now();
     const cached = JWKS_CACHE.get(jwksUrl);
+    if (cached && cached.expiresAtMs > now) {
+        return cached.resolver;
+    }
     if (cached) {
-        return cached;
+        JWKS_CACHE.delete(jwksUrl);
     }
     const jwks = createRemoteJWKSet(new URL(jwksUrl));
-    JWKS_CACHE.set(jwksUrl, jwks);
+    const configuredTtl = config?.jwksCacheTtlMs ?? defaultValidationConfig?.jwksCacheTtlMs;
+    const ttlMs = resolveJwksCacheTtlMs(configuredTtl);
+    JWKS_CACHE.set(jwksUrl, {
+        resolver: jwks,
+        expiresAtMs: now + ttlMs,
+    });
     return jwks;
 }
+function resolveJwksCacheTtlMs(configuredTtl) {
+    if (configuredTtl === undefined) {
+        return DEFAULT_JWKS_CACHE_TTL_MS;
+    }
+    if (!Number.isFinite(configuredTtl)) {
+        return DEFAULT_JWKS_CACHE_TTL_MS;
+    }
+    return Math.max(0, Math.min(MAX_JWKS_CACHE_TTL_MS, Math.floor(configuredTtl)));
+}
 export function decodeJwtUnsafe(token) {
     if (!token)
         return null;
@@ -366,7 +398,7 @@ export async function verifyJwt(token, config) {
             ({ payload } = await jwtVerify(token, key, options));
         }
         else {
-            ({ payload } = await jwtVerify(token, getRemoteJwks(effectiveConfig.jwksUrl), options));
+            ({ payload } = await jwtVerify(token, getRemoteJwks(effectiveConfig.jwksUrl, effectiveConfig), options));
         }
         const claims = payload;
         validateClaims(claims, effectiveConfig);

package/dist/http/api-router.d.ts

@@ -7,6 +7,7 @@ export interface FunctionExecutionParams {
     args: Record<string, any>;
     auth?: AuthContext | UserIdentityAttributes;
     componentPath?: string;
+    snapshotTimestamp?: bigint;
     request: Request;
 }
 export interface FunctionExecutionResult {
@@ -36,6 +37,7 @@ export interface CoreHttpApiOptions {
     notifyWrites?: (writtenRanges?: SerializedKeyRange[], writtenTables?: string[], commitTimestamp?: bigint) => Promise<void> | void;
     storage?: StorageAdapter;
     corsHeaders?: Record<string, string>;
+    getSnapshotTimestamp?: (request: Request) => Promise<bigint> | bigint;
 }
 export interface CoreHttpApiResult {
     handled: boolean;

package/dist/http/api-router.js

@@ -81,6 +81,40 @@ export async function resolveAuthContext(bodyAuth, headerToken, headerIdentity)
     }
     return bodyAuth;
 }
+function parseTimestampInput(value) {
+    if (value === undefined || value === null) {
+        return undefined;
+    }
+    if (typeof value === "bigint") {
+        return value >= 0n ? value : undefined;
+    }
+    if (typeof value === "number") {
+        if (!Number.isFinite(value) || !Number.isInteger(value) || value < 0) {
+            return undefined;
+        }
+        return BigInt(value);
+    }
+    if (typeof value === "string") {
+        const trimmed = value.trim();
+        if (!/^\d+$/.test(trimmed)) {
+            return undefined;
+        }
+        try {
+            return BigInt(trimmed);
+        }
+        catch {
+            return undefined;
+        }
+    }
+    return undefined;
+}
+async function resolveSnapshotTimestamp(options, request) {
+    const fromCallback = options.getSnapshotTimestamp ? await options.getSnapshotTimestamp(request) : undefined;
+    if (typeof fromCallback === "bigint") {
+        return fromCallback;
+    }
+    return BigInt(Date.now());
+}
 export async function handleCoreHttpApiRequest(request, options) {
     const url = new URL(request.url);
     const segments = url.pathname.split("/").filter(Boolean);
@@ -124,6 +158,19 @@ export async function handleCoreHttpApiRequest(request, options) {
         throw error;
     }
     const route = routeSegments[0];
+    if (route === "query_ts") {
+        if (request.method !== "POST") {
+            return {
+                handled: true,
+                response: apply(Response.json({ error: "Method not allowed" }, { status: 405 })),
+            };
+        }
+        const snapshotTimestamp = await resolveSnapshotTimestamp(options, request);
+        return {
+            handled: true,
+            response: apply(Response.json({ ts: snapshotTimestamp.toString() })),
+        };
+    }
     if (route === "storage") {
         if (!options.storage) {
             return {
@@ -183,7 +230,7 @@ export async function handleCoreHttpApiRequest(request, options) {
             }
         }
     }
-    if (route === "query" || route === "mutation" || route === "action") {
+    if (route === "query" || route === "mutation" || route === "action" || route === "query_at_ts") {
         if (request.method !== "POST") {
             return {
                 handled: true,
@@ -207,7 +254,7 @@ export async function handleCoreHttpApiRequest(request, options) {
                     response: apply(Response.json({ error: "Invalid request body" }, { status: 400 })),
                 };
             }
-            const { path, args, format, auth: bodyAuth, componentPath } = body;
+            const { path, args, format, auth: bodyAuth, componentPath, ts } = body;
             if (!path || typeof path !== "string") {
                 return {
                     handled: true,
@@ -236,6 +283,14 @@ export async function handleCoreHttpApiRequest(request, options) {
                 };
             }
             const jsonArgs = rawArgs ?? {};
+            const executionType = route === "query_at_ts" ? "query" : route;
+            const snapshotTimestamp = route === "query_at_ts" ? parseTimestampInput(ts) : undefined;
+            if (route === "query_at_ts" && snapshotTimestamp === undefined) {
+                return {
+                    handled: true,
+                    response: apply(Response.json({ error: "Invalid or missing ts" }, { status: 400 })),
+                };
+            }
             let authForExecution;
             try {
                 authForExecution = await resolveAuthContext(bodyAuth, headerToken, headerIdentity);
@@ -252,11 +307,12 @@ export async function handleCoreHttpApiRequest(request, options) {
                 throw error;
             }
             const executionParams = {
-                type: route,
+                type: executionType,
                 path,
                 args: jsonArgs,
                 auth: authForExecution,
                 componentPath,
+                snapshotTimestamp,
                 request,
             };
             try {
@@ -273,7 +329,7 @@ export async function handleCoreHttpApiRequest(request, options) {
             }
             const result = await options.executeFunction(executionParams);
             if (options.notifyWrites &&
-                (route === "mutation" || route === "action") &&
+                (executionType === "mutation" || executionType === "action") &&
                 (result.writtenRanges?.length || result.writtenTables?.length)) {
                 await options.notifyWrites(result.writtenRanges, result.writtenTables ?? writtenTablesFromRanges(result.writtenRanges));
             }

package/dist/http/http-handler.js

@@ -20,6 +20,8 @@ function isReservedApiPath(pathname) {
         normalizedPath === "/api/sync" ||
         normalizedPath === "/api/reset-test-state" ||
         normalizedPath === "/api/query" ||
+        normalizedPath === "/api/query_ts" ||
+        normalizedPath === "/api/query_at_ts" ||
         normalizedPath === "/api/mutation" ||
         normalizedPath === "/api/action") {
         return true;
@@ -108,7 +110,7 @@ export class HttpHandler {
             }
         };
         const coreResult = await handleCoreHttpApiRequest(request, {
-            executeFunction: async ({ type, path, args, auth, componentPath }) => this.adapter.executeUdf(path, args, type, auth, componentPath),
+            executeFunction: async ({ type, path, args, auth, componentPath, snapshotTimestamp }) => this.adapter.executeUdf(path, args, type, auth, componentPath, undefined, snapshotTimestamp),
             notifyWrites,
             storage: this.docstore && this.blobstore
                 ? {
@@ -130,6 +132,19 @@ export class HttpHandler {
                 }
                 : undefined,
             corsHeaders,
+            getSnapshotTimestamp: () => {
+                const oracle = this.docstore?.timestampOracle;
+                const oracleTimestamp = typeof oracle?.beginSnapshot === "function"
+                    ? oracle.beginSnapshot()
+                    : typeof oracle?.getCurrentTimestamp === "function"
+                        ? oracle.getCurrentTimestamp()
+                        : undefined;
+                const wallClock = BigInt(Date.now());
+                if (typeof oracleTimestamp === "bigint" && oracleTimestamp > wallClock) {
+                    return oracleTimestamp;
+                }
+                return wallClock;
+            },
         });
         if (coreResult?.handled) {
             return coreResult.response;

package/dist/scheduler/cron-executor.d.ts

@@ -6,7 +6,7 @@
  *
  * Compatible with Convex's cron system - parses cron specs from convex/crons.ts
  */
-import type { DocStore } from "../docstore";
+import { type DocStore } from "../docstore";
 import type { SerializedKeyRange } from "../queryengine";
 import type { UdfExec } from "../udf";
 /**
@@ -71,6 +71,8 @@ export interface CronExecutorOptions {
     allocateTimestamp?: () => bigint;
     now?: () => number;
     logger?: Pick<typeof console, "info" | "warn" | "error">;
+    maxConcurrentJobs?: number;
+    scanPageSize?: number;
 }
 export interface CronExecutionResult {
     executed: number;
@@ -83,6 +85,8 @@ export declare class CronExecutor {
     private readonly allocateTimestamp?;
     private readonly now;
     private readonly logger;
+    private readonly maxConcurrentJobs;
+    private readonly scanPageSize;
     constructor(options: CronExecutorOptions);
     /**
      * Sync cron definitions from convex/crons.ts to the _crons table
@@ -96,7 +100,7 @@ export declare class CronExecutor {
      * Get the next scheduled execution time across all cron jobs
      */
     getNextScheduledTime(): Promise<number | null>;
-    private computeNextScheduledTime;
+    private forEachCronJob;
     private executeJob;
     private updateJob;
 }

package/dist/scheduler/cron-executor.js

@@ -6,6 +6,7 @@
  *
  * Compatible with Convex's cron system - parses cron specs from convex/crons.ts
  */
+import { Order } from "../docstore";
 import { stringToHex, writtenTablesFromRanges } from "../utils";
 import { runAsServerCall } from "../udf/module-loader/call-context";
 const CRONS_TABLE = "_crons";
@@ -16,6 +17,8 @@ export class CronExecutor {
     allocateTimestamp;
     now;
     logger;
+    maxConcurrentJobs;
+    scanPageSize;
     constructor(options) {
         this.docstore = options.docstore;
         this.udfExecutor = options.udfExecutor;
@@ -23,6 +26,8 @@ export class CronExecutor {
         this.allocateTimestamp = options.allocateTimestamp;
         this.now = options.now ?? (() => Date.now());
         this.logger = options.logger ?? console;
+        this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+        this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
     }
     /**
      * Sync cron definitions from convex/crons.ts to the _crons table
@@ -119,40 +124,63 @@ export class CronExecutor {
      */
     async runDueJobs() {
         const tableId = stringToHex(CRONS_TABLE);
-        const allJobs = await this.docstore.scan(tableId);
         const now = this.now();
-        const dueJobs = allJobs.filter((doc) => {
-            const value = doc.value?.value;
-            return value && value.nextRun <= now;
-        });
-        if (dueJobs.length === 0) {
-            return {
-                executed: 0,
-                nextScheduledTime: this.computeNextScheduledTime(allJobs),
-            };
-        }
-        await Promise.all(dueJobs.map((job) => this.executeJob(job, tableId)));
-        // Re-scan to get updated next times
-        const updatedJobs = await this.docstore.scan(tableId);
-        return {
-            executed: dueJobs.length,
-            nextScheduledTime: this.computeNextScheduledTime(updatedJobs),
+        let executed = 0;
+        const inFlight = new Set();
+        const schedule = async (job) => {
+            const run = this.executeJob(job, tableId)
+                .then(() => {
+                executed += 1;
+            })
+                .finally(() => {
+                inFlight.delete(run);
+            });
+            inFlight.add(run);
+            if (inFlight.size >= this.maxConcurrentJobs) {
+                await Promise.race(inFlight);
+            }
         };
+        await this.forEachCronJob(async (job) => {
+            const value = job.value?.value;
+            if (!value || typeof value.nextRun !== "number") {
+                return;
+            }
+            if (value.nextRun <= now) {
+                await schedule(job);
+            }
+        });
+        await Promise.all(inFlight);
+        return { executed, nextScheduledTime: await this.getNextScheduledTime() };
     }
     /**
      * Get the next scheduled execution time across all cron jobs
      */
     async getNextScheduledTime() {
-        const tableId = stringToHex(CRONS_TABLE);
-        const allJobs = await this.docstore.scan(tableId);
-        return this.computeNextScheduledTime(allJobs);
+        let nextScheduledTime = null;
+        await this.forEachCronJob(async (job) => {
+            const nextRun = job.value?.value?.nextRun;
+            if (typeof nextRun !== "number") {
+                return;
+            }
+            if (nextScheduledTime === null || nextRun < nextScheduledTime) {
+                nextScheduledTime = nextRun;
+            }
+        });
+        return nextScheduledTime;
     }
-    computeNextScheduledTime(allJobs) {
-        const nextTimes = allJobs
-            .map((doc) => doc.value?.value?.nextRun)
-            .filter((time) => typeof time === "number")
-            .sort((a, b) => a - b);
-        return nextTimes.length > 0 ? nextTimes[0] : null;
+    async forEachCronJob(visitor) {
+        const tableId = stringToHex(CRONS_TABLE);
+        let cursor = null;
+        while (true) {
+            const page = await this.docstore.scanPaginated(tableId, cursor, this.scanPageSize, Order.Asc);
+            for (const job of page.documents) {
+                await visitor(job);
+            }
+            if (!page.hasMore || !page.nextCursor) {
+                break;
+            }
+            cursor = page.nextCursor;
+        }
     }
     async executeJob(job, tableId) {
         const value = job.value?.value;

package/dist/scheduler/scheduled-function-executor.d.ts

@@ -1,4 +1,4 @@
-import type { DocStore } from "../docstore";
+import { type DocStore } from "../docstore";
 import type { SerializedKeyRange } from "../queryengine";
 import type { UdfExec } from "../udf";
 export interface ScheduledFunctionExecutorOptions {
@@ -10,6 +10,8 @@ export interface ScheduledFunctionExecutorOptions {
     logger?: Pick<typeof console, "info" | "warn" | "error">;
     runMutationInTransaction?: <T>(operation: () => Promise<T>) => Promise<T>;
     tableName?: string;
+    maxConcurrentJobs?: number;
+    scanPageSize?: number;
 }
 export interface ScheduledExecutionResult {
     executed: number;
@@ -24,10 +26,12 @@ export declare class ScheduledFunctionExecutor {
     private readonly logger;
     private readonly runMutationInTransaction?;
     private readonly tableName;
+    private readonly maxConcurrentJobs;
+    private readonly scanPageSize;
     constructor(options: ScheduledFunctionExecutorOptions);
     runDueJobs(): Promise<ScheduledExecutionResult>;
     getNextScheduledTime(): Promise<number | null>;
-    private computeNextScheduledTime;
+    private forEachScheduledJob;
     private executeJob;
     private updateJobState;
     private getDocumentId;

package/dist/scheduler/scheduled-function-executor.js

@@ -1,3 +1,4 @@
+import { Order } from "../docstore";
 import { deserializeDeveloperId, stringToHex, writtenTablesFromRanges } from "../utils";
 import { runAsServerCall } from "../udf/module-loader/call-context";
 const SCHEDULED_FUNCTIONS_TABLE = "_scheduled_functions";
@@ -10,6 +11,8 @@ export class ScheduledFunctionExecutor {
     logger;
     runMutationInTransaction;
     tableName;
+    maxConcurrentJobs;
+    scanPageSize;
     constructor(options) {
         this.docstore = options.docstore;
         this.udfExecutor = options.udfExecutor;
@@ -19,51 +22,70 @@ export class ScheduledFunctionExecutor {
         this.logger = options.logger ?? console;
         this.runMutationInTransaction = options.runMutationInTransaction;
         this.tableName = options.tableName ?? SCHEDULED_FUNCTIONS_TABLE;
+        this.maxConcurrentJobs = Math.max(1, options.maxConcurrentJobs ?? 8);
+        this.scanPageSize = Math.max(1, options.scanPageSize ?? 256);
     }
     async runDueJobs() {
         const tableId = stringToHex(this.tableName);
-        const allJobs = await this.docstore.scan(tableId);
         const now = this.now();
-        const pendingJobs = allJobs.filter((doc) => {
-            const value = doc.value?.value;
-            if (!value || typeof value !== "object") {
-                return false;
+        let executed = 0;
+        const inFlight = new Set();
+        const schedule = async (jobValue) => {
+            const run = this.executeJob(jobValue, tableId)
+                .then(() => {
+                executed += 1;
+            })
+                .finally(() => {
+                inFlight.delete(run);
+            });
+            inFlight.add(run);
+            if (inFlight.size >= this.maxConcurrentJobs) {
+                await Promise.race(inFlight);
             }
-            const state = value.state;
-            const scheduledTime = value.scheduledTime;
-            return state?.kind === "pending" && typeof scheduledTime === "number" && scheduledTime <= now;
-        });
-        if (pendingJobs.length === 0) {
-            return {
-                executed: 0,
-                nextScheduledTime: this.computeNextScheduledTime(allJobs),
-            };
-        }
-        await Promise.all(pendingJobs.map((job) => {
-            const jobValue = job.value?.value;
-            if (!jobValue) {
-                throw new Error("Job value unexpectedly missing after filter");
-            }
-            return this.executeJob(jobValue, tableId);
-        }));
-        return {
-            executed: pendingJobs.length,
-            nextScheduledTime: this.computeNextScheduledTime(await this.docstore.scan(tableId)),
         };
+        await this.forEachScheduledJob(async (jobValue) => {
+            const state = jobValue.state;
+            const scheduledTime = jobValue.scheduledTime;
+            if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+                return;
+            }
+            if (scheduledTime <= now) {
+                await schedule(jobValue);
+            }
+        });
+        await Promise.all(inFlight);
+        return { executed, nextScheduledTime: await this.getNextScheduledTime() };
     }
     async getNextScheduledTime() {
-        const tableId = stringToHex(this.tableName);
-        const allJobs = await this.docstore.scan(tableId);
-        return this.computeNextScheduledTime(allJobs);
+        let nextScheduledTime = null;
+        await this.forEachScheduledJob(async (jobValue) => {
+            const state = jobValue.state;
+            const scheduledTime = jobValue.scheduledTime;
+            if (state?.kind !== "pending" || typeof scheduledTime !== "number") {
+                return;
+            }
+            if (nextScheduledTime === null || scheduledTime < nextScheduledTime) {
+                nextScheduledTime = scheduledTime;
+            }
+        });
+        return nextScheduledTime;
     }
-    computeNextScheduledTime(allJobs) {
-        const pending = allJobs
-            .map((doc) => doc.value?.value)
-            .filter((value) => !!value && value.state?.kind === "pending")
-            .map((value) => value.scheduledTime)
-            .filter((time) => typeof time === "number")
-            .sort((a, b) => a - b);
-        return pending.length > 0 ? pending[0] : null;
+    async forEachScheduledJob(visitor) {
+        const tableId = stringToHex(this.tableName);
+        let cursor = null;
+        while (true) {
+            const page = await this.docstore.scanPaginated(tableId, cursor, this.scanPageSize, Order.Asc);
+            for (const doc of page.documents) {
+                const value = doc.value?.value;
+                if (value && typeof value === "object") {
+                    await visitor(value);
+                }
+            }
+            if (!page.hasMore || !page.nextCursor) {
+                break;
+            }
+            cursor = page.nextCursor;
+        }
     }
     async executeJob(jobValue, tableId) {
         const jobId = jobValue?._id;

package/dist/sync/protocol-handler.d.ts

@@ -98,15 +98,37 @@ export interface RoutedMessage {
  */
 export interface SyncProtocolOptions {
     isDev?: boolean;
+    /**
+     * Maximum number of client messages accepted per session per rolling window.
+     */
+    maxMessagesPerWindow?: number;
+    /**
+     * Rolling window duration for message rate limiting.
+     */
+    rateLimitWindowMs?: number;
+    /**
+     * Timeout for a single locked operation.
+     * This does not cancel the underlying work; it bounds client-visible wait time.
+     */
+    operationTimeoutMs?: number;
+    /**
+     * Maximum number of active subscribed queries a single session can hold.
+     */
+    maxActiveQueriesPerSession?: number;
 }
 export declare class SyncProtocolHandler {
     private readonly udfExecutor;
     private sessions;
+    private rateLimitStates;
     private subscriptionManager;
     private readonly instanceName;
     private readonly backpressureController;
     private readonly heartbeatController;
     private readonly isDev;
+    private readonly maxMessagesPerWindow;
+    private readonly rateLimitWindowMs;
+    private readonly operationTimeoutMs;
+    private readonly maxActiveQueriesPerSession;
     constructor(instanceName: string, udfExecutor: SyncUdfExecutor, options?: SyncProtocolOptions);
     /**
      * Create a new client session
@@ -156,6 +178,9 @@ export declare class SyncProtocolHandler {
     private rerunSpecificQueries;
     private logRanges;
     private withSessionLock;
+    private withOperationTimeout;
+    private consumeRateLimit;
+    private computeProjectedActiveQueryCount;
     private sendPing;
     /**
      * Send a message to a client with backpressure handling.

package/dist/sync/protocol-handler.js

@@ -60,6 +60,11 @@ export const WEBSOCKET_READY_STATE_OPEN = 1;
 const BACKPRESSURE_HIGH_WATER_MARK = 100; // Max messages in queue before dropping
 const BACKPRESSURE_BUFFER_LIMIT = 1024 * 1024; // 1MB buffer limit
 const SLOW_CLIENT_TIMEOUT_MS = 30000; // 30 seconds to drain queue before disconnect
+const DEFAULT_RATE_LIMIT_WINDOW_MS = 5000;
+const DEFAULT_MAX_MESSAGES_PER_WINDOW = 1000;
+const DEFAULT_OPERATION_TIMEOUT_MS = 15000;
+const DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION = 1_000;
+const RATE_LIMIT_HARD_MULTIPLIER = 5;
 /**
  * Session state for a connected client
  */
@@ -96,15 +101,27 @@ export class SyncSession {
 export class SyncProtocolHandler {
     udfExecutor;
     sessions = new Map();
+    rateLimitStates = new Map();
     subscriptionManager;
     instanceName;
     backpressureController;
     heartbeatController;
     isDev;
+    maxMessagesPerWindow;
+    rateLimitWindowMs;
+    operationTimeoutMs;
+    maxActiveQueriesPerSession;
     constructor(instanceName, udfExecutor, options) {
         this.udfExecutor = udfExecutor;
         this.instanceName = instanceName;
         this.isDev = options?.isDev ?? true;
+        this.maxMessagesPerWindow = Math.max(1, options?.maxMessagesPerWindow ?? DEFAULT_MAX_MESSAGES_PER_WINDOW);
+        this.rateLimitWindowMs = Math.max(1, options?.rateLimitWindowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS);
+        const configuredOperationTimeout = options?.operationTimeoutMs ?? DEFAULT_OPERATION_TIMEOUT_MS;
+        this.operationTimeoutMs = Number.isFinite(configuredOperationTimeout)
+            ? Math.max(0, Math.floor(configuredOperationTimeout))
+            : DEFAULT_OPERATION_TIMEOUT_MS;
+        this.maxActiveQueriesPerSession = Math.max(1, options?.maxActiveQueriesPerSession ?? DEFAULT_MAX_ACTIVE_QUERIES_PER_SESSION);
         this.subscriptionManager = new SubscriptionManager();
         this.backpressureController = new SessionBackpressureController({
             websocketReadyStateOpen: WEBSOCKET_READY_STATE_OPEN,
@@ -125,6 +142,10 @@ export class SyncProtocolHandler {
     createSession(sessionId, websocket) {
         const session = new SyncSession(websocket);
         this.sessions.set(sessionId, session);
+        this.rateLimitStates.set(sessionId, {
+            windowStartedAt: Date.now(),
+            messagesInWindow: 0,
+        });
         return session;
     }
     /**
@@ -146,6 +167,7 @@ export class SyncProtocolHandler {
             session.isDraining = false;
             this.subscriptionManager.unsubscribeAll(sessionId);
             this.sessions.delete(sessionId);
+            this.rateLimitStates.delete(sessionId);
         }
     }
     /**
@@ -156,6 +178,11 @@ export class SyncProtocolHandler {
         if (session) {
             this.sessions.delete(oldSessionId);
             this.sessions.set(newSessionId, session);
+            const rateLimitState = this.rateLimitStates.get(oldSessionId);
+            if (rateLimitState) {
+                this.rateLimitStates.delete(oldSessionId);
+                this.rateLimitStates.set(newSessionId, rateLimitState);
+            }
             // Update subscription manager mappings
             this.subscriptionManager.updateSessionId(oldSessionId, newSessionId);
         }
@@ -169,6 +196,32 @@ export class SyncProtocolHandler {
         if (!session && message.type !== "Connect") {
             throw new Error("Session not found");
         }
+        if (session) {
+            const rateLimitDecision = this.consumeRateLimit(sessionId);
+            if (rateLimitDecision === "reject") {
+                return [
+                    {
+                        type: "FatalError",
+                        error: "Rate limit exceeded, retry shortly",
+                    },
+                ];
+            }
+            if (rateLimitDecision === "close") {
+                try {
+                    session.websocket.close(1013, "Rate limit exceeded");
+                }
+                catch {
+                    // Ignore close errors and still destroy local session state.
+                }
+                this.destroySession(sessionId);
+                return [
+                    {
+                        type: "FatalError",
+                        error: "Rate limit exceeded",
+                    },
+                ];
+            }
+        }
         switch (message.type) {
             case "Connect":
                 return this.handleConnect(sessionId, message);
@@ -241,6 +294,15 @@ export class SyncProtocolHandler {
                 return [fatalError];
             }
             const startVersion = makeStateVersion(session.querySetVersion, session.identityVersion, session.timestamp);
+            const projectedActiveQueryCount = this.computeProjectedActiveQueryCount(session, message);
+            if (projectedActiveQueryCount > this.maxActiveQueriesPerSession) {
+                return [
+                    {
+                        type: "FatalError",
+                        error: `Too many active queries: ${projectedActiveQueryCount} exceeds limit ${this.maxActiveQueriesPerSession}`,
+                    },
+                ];
+            }
             // Update version before async work
             session.querySetVersion = message.newVersion;
             const modifications = [];
@@ -614,7 +676,55 @@ export class SyncProtocolHandler {
             }
         });
         session.lock = run.then(() => undefined, () => undefined);
-        return run;
+        return this.withOperationTimeout(run);
+    }
+    withOperationTimeout(promise) {
+        if (this.operationTimeoutMs <= 0) {
+            return promise;
+        }
+        let timeoutHandle;
+        const timeoutPromise = new Promise((_, reject) => {
+            timeoutHandle = setTimeout(() => {
+                reject(new Error(`Sync operation timed out after ${this.operationTimeoutMs}ms`));
+            }, this.operationTimeoutMs);
+        });
+        return Promise.race([promise, timeoutPromise]).finally(() => {
+            if (timeoutHandle) {
+                clearTimeout(timeoutHandle);
+            }
+        });
+    }
+    consumeRateLimit(sessionId) {
+        const state = this.rateLimitStates.get(sessionId);
+        if (!state) {
+            return "allow";
+        }
+        const now = Date.now();
+        if (now - state.windowStartedAt >= this.rateLimitWindowMs) {
+            state.windowStartedAt = now;
+            state.messagesInWindow = 0;
+        }
+        state.messagesInWindow += 1;
+        if (state.messagesInWindow <= this.maxMessagesPerWindow) {
+            return "allow";
+        }
+        const hardLimit = Math.max(this.maxMessagesPerWindow + 1, this.maxMessagesPerWindow * RATE_LIMIT_HARD_MULTIPLIER);
+        if (state.messagesInWindow >= hardLimit) {
+            return "close";
+        }
+        return "reject";
+    }
+    computeProjectedActiveQueryCount(session, message) {
+        const projected = new Set(session.activeQueries.keys());
+        for (const mod of message.modifications) {
+            if (mod.type === "Add") {
+                projected.add(mod.queryId);
+            }
+            else if (mod.type === "Remove") {
+                projected.delete(mod.queryId);
+            }
+        }
+        return projected.size;
     }
     sendPing(session) {
         if (!session.websocket || session.websocket.readyState !== WEBSOCKET_READY_STATE_OPEN) {

package/dist/udf/execution-adapter.d.ts

@@ -42,7 +42,7 @@ export declare class UdfExecutionAdapter {
      * @param requestId - Optional request ID for tracing
      * @returns UDF execution result
      */
-    executeUdf(path: string, jsonArgs: JsonArgs, type: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string): Promise<UdfResult>;
+    executeUdf(path: string, jsonArgs: JsonArgs, type: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint): Promise<UdfResult>;
 }
 /**
  * Factory function to create a client-side adapter (for HTTP/WebSocket requests)

package/dist/udf/execution-adapter.js

@@ -58,7 +58,7 @@ export class UdfExecutionAdapter {
      * @param requestId - Optional request ID for tracing
      * @returns UDF execution result
      */
-    async executeUdf(path, jsonArgs, type, auth, componentPath, requestId) {
+    async executeUdf(path, jsonArgs, type, auth, componentPath, requestId, snapshotTimestamp) {
         // Step 1: Convert args with type safety
         const convexArgs = convertClientArgs(jsonArgs);
         const target = normalizeExecutionTarget(path, componentPath);
@@ -104,7 +104,7 @@ export class UdfExecutionAdapter {
             const executeWithContext = this.callType === "client" ? runAsClientCall : runAsServerCall;
             // Step 4: Execute with all context properly set
             return executeWithContext(async () => {
-                return await this.executor.execute(target.path, convexArgs, type, authContext ?? userIdentity, normalizeComponentPath(target.componentPath), requestId);
+                return await this.executor.execute(target.path, convexArgs, type, authContext ?? userIdentity, normalizeComponentPath(target.componentPath), requestId, snapshotTimestamp);
             });
         });
     }

package/dist/udf/executor/inline.d.ts

@@ -22,7 +22,7 @@ export declare class InlineUdfExecutor implements UdfExec {
     private moduleRegistry?;
     private readonly logSink?;
     constructor(options: InlineUdfExecutorOptions);
-    execute(functionPath: string, args: Record<string, any>, udfType: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string): Promise<UdfResult>;
+    execute(functionPath: string, args: Record<string, any>, udfType: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint): Promise<UdfResult>;
     executeHttp(request: Request, auth?: AuthContext | UserIdentityAttributes, requestId?: string): Promise<Response>;
     setModuleRegistry(moduleRegistry?: ModuleRegistry): void;
     protected loadModule(moduleName: string, componentPath?: string): Promise<any>;

package/dist/udf/executor/inline.js

@@ -21,7 +21,7 @@ export class InlineUdfExecutor {
         this.moduleRegistry = options.moduleRegistry;
         this.logSink = options.logSink;
     }
-    async execute(functionPath, args, udfType, auth, componentPath, requestId) {
+    async execute(functionPath, args, udfType, auth, componentPath, requestId, snapshotTimestamp) {
         const [moduleName, functionName] = this.parseUdfPath(functionPath);
         const finalRequestId = requestId ?? this.requestIdFactory(udfType, functionPath);
         // Skip logging for system functions to avoid recursion
@@ -47,7 +47,7 @@ export class InlineUdfExecutor {
         const runWithType = () => {
             switch (udfType) {
                 case "query":
-                    return runUdfQuery(this.docstore, runUdf, auth, this.blobstore, finalRequestId, this, componentPath);
+                    return runUdfQuery(this.docstore, runUdf, auth, this.blobstore, finalRequestId, this, componentPath, snapshotTimestamp);
                 case "mutation":
                     return runUdfMutation(this.docstore, runUdf, auth, this.blobstore, finalRequestId, this, componentPath);
                 case "action":
@@ -106,7 +106,7 @@ export class InlineUdfExecutor {
     async executeHttp(request, auth, requestId) {
         const url = new URL(request.url);
         const runHttpUdf = async () => {
-            const httpModule = await this.loadModule("http", request.url);
+            const httpModule = await this.loadModule("http");
             const router = httpModule?.default;
             if (!router?.isRouter || typeof router.lookup !== "function") {
                 throw new Error("convex/http.ts must export a default httpRouter()");

package/dist/udf/executor/interface.d.ts

@@ -3,6 +3,6 @@ import type { AuthContext } from "../../sync/protocol-handler";
 import type { UserIdentityAttributes } from "convex/server";
 export type { UdfResult };
 export interface UdfExec {
-    execute(path: string, args: Record<string, unknown>, type: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string): Promise<UdfResult>;
+    execute(path: string, args: Record<string, unknown>, type: "query" | "mutation" | "action", auth?: AuthContext | UserIdentityAttributes, componentPath?: string, requestId?: string, snapshotTimestamp?: bigint): Promise<UdfResult>;
     executeHttp(request: Request, auth?: AuthContext | UserIdentityAttributes, requestId?: string): Promise<Response>;
 }

package/dist/udf/runtime/udf-setup.d.ts

@@ -24,7 +24,7 @@ export interface UdfRuntimeOps {
     console: typeof console | null;
     convex: ConvexInterface;
 }
-export declare function runUdfQuery(docstore: DocStore, fn: () => Promise<JSONValue>, auth?: any, storage?: BlobStore, requestId?: string, udfExecutor?: any, componentPath?: string): Promise<UdfResult>;
+export declare function runUdfQuery(docstore: DocStore, fn: () => Promise<JSONValue>, auth?: any, storage?: BlobStore, requestId?: string, udfExecutor?: any, componentPath?: string, snapshotOverride?: bigint): Promise<UdfResult>;
 export declare function runUdfMutation(docstore: DocStore, fn: () => Promise<JSONValue>, auth?: any, storage?: BlobStore, requestId?: string, udfExecutor?: any, componentPath?: string): Promise<UdfResult>;
 export declare function runUdfAction(docstore: DocStore, fn: () => Promise<JSONValue>, auth?: any, storage?: BlobStore, requestId?: string, udfExecutor?: any, componentPath?: string): Promise<UdfResult>;
 export declare function runUdfHttpAction(docstore: DocStore, fn: () => Promise<Response>, auth?: any, storage?: BlobStore, requestId?: string, udfExecutor?: any): Promise<Response>;

package/dist/udf/runtime/udf-setup.js

@@ -116,7 +116,7 @@ class ForbiddenInQueriesOrMutations extends Error {
     }
 }
 async function runUdfAndGetLogs(docstore, fn, ops, auth, // Still accept for backwards compatibility, but prefer ambient context
-udfType, storage, deterministicSeed, mutationTransaction, udfExecutor, componentPath) {
+udfType, storage, deterministicSeed, mutationTransaction, udfExecutor, componentPath, snapshotOverride) {
     // Get auth from ambient context (set by execution adapter) or fallback to explicit param
     const ambientIdentity = getAuthContext();
     let effectiveAuth;
@@ -133,7 +133,7 @@ udfType, storage, deterministicSeed, mutationTransaction, udfExecutor, component
     const inheritedSnapshot = snapshotContext.getStore() ?? null;
     const existingIdGenerator = idGeneratorContext.getStore() ?? undefined;
     const idGenerator = existingIdGenerator ?? (deterministicSeed ? createDeterministicIdGenerator(deterministicSeed) : undefined);
-    const convex = new UdfKernel(docstore, effectiveAuth, storage, inheritedSnapshot, mutationTransaction, udfExecutor, componentPath, idGenerator);
+    const convex = new UdfKernel(docstore, effectiveAuth, storage, snapshotOverride ?? inheritedSnapshot, mutationTransaction, udfExecutor, componentPath, idGenerator);
     convex.clearAccessLogs();
     const logLines = [];
     const logger = (level) => {
@@ -196,7 +196,7 @@ udfType, storage, deterministicSeed, mutationTransaction, udfExecutor, component
         // Globals are unpatched in runWithUdfRuntime
     }
 }
-export function runUdfQuery(docstore, fn, auth, storage, requestId, udfExecutor, componentPath) {
+export function runUdfQuery(docstore, fn, auth, storage, requestId, udfExecutor, componentPath, snapshotOverride) {
     const tnow = Date.now();
     const seed = resolveSeed("query", requestId, tnow);
     const rng = udfRng(seed);
@@ -210,7 +210,7 @@ export function runUdfQuery(docstore, fn, auth, storage, requestId, udfExecutor,
         fetch: forbiddenAsyncOp("fetch"),
         setInterval: forbiddenAsyncOp("setInterval"),
         setTimeout: forbiddenAsyncOp("setTimeout"),
-    }, auth, "query", storage, seed, undefined, udfExecutor, componentPath);
+    }, auth, "query", storage, seed, undefined, udfExecutor, componentPath, snapshotOverride);
 }
 export function runUdfMutation(docstore, fn, auth, storage, requestId, udfExecutor, componentPath) {
     const tnow = Date.now();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@concavejs/core",
-  "version": "0.0.1-alpha.6",
+  "version": "0.0.1-alpha.7",
   "license": "FSL-1.1-Apache-2.0",
   "publishConfig": {
     "access": "public"