npm - @daloyjs/core - Versions diffs - 0.6.0 → 0.7.1 - Mend

@daloyjs/core 0.6.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -1,10 +1,10 @@
 # DaloyJS
-> A **runtime-portable TypeScript web framework** with built-in **contract-first routing**, **validation**, **OpenAPI (Hey API)**, **typed client generation**, **large-scale maintainability**, and **secure-by-default runtime and supply-chain posture**.
+> A **runtime-portable TypeScript web framework** with built-in **contract-first routing**, **validation**, **OpenAPI (Hey API)**, **typed client generation**, **large-scale maintainability**, and **security-focused runtime plus supply-chain posture**.
 DaloyJS is maintained in the GitHub organization at <https://github.com/daloyjs>; the canonical framework repository is <https://github.com/daloyjs/daloy>.
-📚 **Documentation site:** [`./website`](./website) — a Next.js 16 + shadcn/ui + Tailwind v4 site with the landing page, getting-started guide, ORM integration guides, tutorials, security docs, and full API reference. Run it with:
+📚 **Documentation site:** <https://daloyjs.dev> — a Next.js 16 + shadcn/ui + Tailwind v4 site with the landing page, getting-started guide, ORM integration guides, tutorials, security docs, and full API reference. Run it with:
 ```zsh
 cd website
@@ -27,7 +27,7 @@ DaloyJS exists to be the framework you'd build if you took the best ideas from e
 | **Supply-chain-hardened installs and publishing** | [pnpm](https://pnpm.io/motivation) + hardened CI/CD | `ignore-scripts`, release-age cooldown, explicit build allowlist, SHA-pinned actions, isolated OIDC publish with provenance. |
 ```
-281/281 framework tests passing · 100% line + function coverage · clean strict TypeScript 6
+320/320 framework tests passing · 100% line + function coverage · clean strict TypeScript 6
 runs on Node, Bun, Deno, Cloudflare, Vercel
 ~12.3M static-route ops/sec · ~1.5M dynamic-route ops/sec on M-class CPU
 ```
@@ -50,13 +50,27 @@ DaloyJS combines the wins:
 1. **Explicit contracts, minimal ceremony.** One `app.route({...})` is the source of truth for validation, types, OpenAPI, the typed client, and contract tests.
 2. **One source of truth for validation, typing, and docs** via [Standard Schema](https://github.com/standard-schema/standard-schema) — Zod 4 / Valibot / ArkType / TypeBox all work, no lock-in.
 3. **Portable core, optional runtime optimizations** — the only thing the core knows is `Request → Response`. Adapters live at the edge.
-4. **Secure by default — bad defaults are bugs.** Body limits, prototype-pollution-safe JSON, path-traversal rejection, request timeouts, Helmet-grade headers, RFC 9457 problem+json errors with prod-mode redaction.
+4. **Security guardrails by default — bad defaults are bugs.** The core enforces body limits, prototype-pollution-safe JSON, path-traversal rejection, request timeouts, content-type checks, and RFC 9457 problem+json errors with prod-mode redaction. First-party middleware covers Helmet-grade headers, CORS, CSRF, rate limits, request ids, and signed-cookie sessions.
 5. **Tooling and inspectability over magic.** `app.introspect()` is a public API; contract-test runner is built in.
 6. **Optimize for large-team maintenance**, not only solo-dev speed. Encapsulated plugins, decorators, request ids, structured logger.
 ---
-## Install
+## Get started
+For a new DaloyJS project, the recommended path is the official scaffolder:
+```bash
+pnpm create daloy@latest my-api
+# or
+npm  create daloy@latest my-api
+```
+`create-daloy` gives you a working project structure, runtime template selection, docs routes, OpenAPI wiring, and production-oriented defaults without copying code out of the README.
+See [Scaffold a project](https://daloyjs.dev/docs/scaffolder) for templates and flags.
+## Install core manually
 DaloyJS is distributed via **pnpm** for [supply-chain hygiene](https://pnpm.io/motivation) and backed by a hardened release pipeline — strict isolation, content-addressable store, deterministic lockfile, no phantom dependencies, SHA-pinned CI actions, and provenance publishing.
@@ -83,16 +97,6 @@ Run `pnpm audit --prod` regularly (or `pnpm run audit` in this repo) — and `pn
 ---
-## Quick start
-```bash
-pnpm create daloy@latest my-api
-# or
-npm  create daloy@latest my-api
-```
-See [Scaffold a project](https://daloyjs.dev/docs/scaffolder) for templates and flags.
 ## Hello world
 ```ts
@@ -102,7 +106,7 @@ import { serve } from "@daloyjs/core/node";
 const app = new App({ bodyLimitBytes: 1024 * 1024, requestTimeoutMs: 5_000 });
-// Security defaults — usually three plugins in other frameworks.
+// First-party security middleware — usually three plugins in other frameworks.
 app.use(requestId());
 app.use(secureHeaders());
 app.use(rateLimit({ windowMs: 60_000, max: 120 }));
@@ -177,29 +181,34 @@ import { swaggerUiHtml, htmlResponse } from "@daloyjs/core/docs";
 ```
 Mount at `/docs` and the UI is always contract-accurate — never stale.
-`create-daloy@0.1.14` mounts Swagger UI at `/docs` and the live spec at `/openapi.json` by default.
+`create-daloy@0.1.20` mounts Swagger UI at `/docs` and the live spec at `/openapi.json` by default.
 ---
-## Security defaults (no plugins required)
+## Security guardrails
+Some protections are enforced by the `App` core whenever the relevant request
+path is used. Others are first-party middleware so applications can choose the
+right CORS policy, rate-limit key, CSP, session secret, or CSRF rollout for their
+deployment.
-| Threat | Default behavior |
+| Threat | Built-in behavior |
 |---|---|
-| **Body-size DoS** | Streamed read, hard cap (default 1 MiB), `Content-Length` checked first. |
-| **Prototype pollution** | `safeJsonParse` strips `__proto__` / `constructor` / `prototype` via reviver. |
-| **Header / response splitting** | `sanitizeHeaderName` / `sanitizeHeaderValue` reject CRLF + NUL. |
-| **Path traversal** | Router rejects `..` segments and `//` before walking. |
-| **Slow-loris / hung handlers** | `requestTimeoutMs` aborts handlers (default 30 s); Node adapter sets `requestTimeout` + `headersTimeout` + `maxHeaderSize`. |
-| **MIME sniffing** | `secureHeaders()` sets `X-Content-Type-Options: nosniff`. |
-| **Clickjacking** | `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'`. |
-| **XSS via injected scripts** | Strict CSP `default-src 'self'` baseline. |
-| **Cross-origin leakage** | `cross-origin-opener-policy` + `cross-origin-resource-policy` set to `same-origin`. |
+| **Body-size DoS** | Core-enforced streamed read with a hard cap (default 1 MiB); `Content-Length` checked first. |
+| **Prototype pollution** | Core JSON parser strips `__proto__` / `constructor` / `prototype` via reviver. |
+| **Header / response splitting** | Core header sanitizers reject CRLF + NUL. |
+| **Path traversal** | Core router rejects `..` segments and `//` before walking. |
+| **Slow-loris / hung handlers** | Core `requestTimeoutMs` aborts handlers (default 30 s); Node adapter sets `requestTimeout` + `headersTimeout` + `maxHeaderSize`. |
+| **MIME sniffing** | First-party `secureHeaders()` sets `X-Content-Type-Options: nosniff`; scaffolded apps enable it. |
+| **Clickjacking** | First-party `secureHeaders()` sets `X-Frame-Options: DENY` + CSP `frame-ancestors 'none'`; scaffolded apps enable it. |
+| **XSS via injected scripts** | First-party `secureHeaders()` provides a strict CSP `default-src 'self'` baseline; scaffolded apps enable it. |
+| **Cross-origin leakage** | First-party `secureHeaders()` sets `cross-origin-opener-policy` + `cross-origin-resource-policy` to `same-origin`; scaffolded apps enable it. |
 | **Information disclosure (5xx)** | Production mode strips `detail` from 5xx problem+json automatically. |
-| **Credential timing attacks** | `timingSafeEqual()` for tokens & signatures. |
-| **Brute-force / scraping** | `rateLimit()` with token-bucket + `Retry-After`. |
+| **Credential timing attacks** | First-party `timingSafeEqual()` helper for tokens & signatures. |
+| **Brute-force / scraping** | First-party `rateLimit()` with token-bucket + `Retry-After`; Node/Bun/Deno scaffolded apps enable it. |
 | **Method confusion** | Real **405** with `Allow` header, not a misleading 404. |
-| **CORS misconfig** | Explicit allowlist; never `*` with credentials. |
-| **Request correlation** | Cryptographic `randomId()` request ids on every response. |
+| **CORS misconfig** | First-party `cors()` requires an explicit allowlist and throws for `*` with credentials. |
+| **Request correlation** | First-party `requestId()` uses cryptographic ids; scaffolded apps enable it. |
 | **Supply chain** | pnpm `ignore-scripts=true`, `minimum-release-age=1440`, verified store, reproducible lockfile, lockfile source verification, provenance publishing, and CI/CD hardening against cache poisoning and OIDC token abuse. |
 The publish pipeline is also hardened: no `pull_request_target`, no GitHub Actions cache in CI, top-level `permissions: {}`, `step-security/harden-runner`, a separate protected `release.yml` workflow, npm trusted publishing with `--provenance`, CodeQL, OpenSSF Scorecard, zizmor workflow linting, Dependabot, and CODEOWNERS on workflow/package files. See [SECURITY.md](SECURITY.md) and the [supply-chain security docs](https://daloyjs.dev/docs/security/supply-chain).
@@ -325,6 +334,7 @@ WebSockets and HTTP/2 + HTTP/3 adapters.
 **Shipped from the `0.x` extensibility track so far:**
 - [x] Plugin lifecycle events: `app.onPluginInstalled((info) => ...)` fires once per `register()` (sync or async), and `app.onShutdown(({ reason, timeoutMs }) => ...)` fires at the start of `app.shutdown()` before in-flight requests drain. `onClose()` still runs after drain for resource cleanup.
+- [x] Edge-friendly session middleware: `session({ secret, store })` exposes `ctx.state.session` (`get` / `set` / `delete` / `regenerate` / `destroy`) backed by a signed `__Host-` cookie (HMAC-SHA256, key rotation) and a pluggable `SessionStore` (`MemorySessionStore` ships in-process; KV/Redis stores plug in directly). Standalone `signValue` / `verifySignedValue` helpers are exported for ad-hoc cookie/token signing.
 **Shipped from `0.5.x` ("project ops") so far:**
@@ -332,6 +342,8 @@ WebSockets and HTTP/2 + HTTP/3 adapters.
 - [x] `--minimal` flag that strips the bookstore demo and `/docs` + `/openapi.json` routes from any template
 - [x] `daloy inspect` CLI: route table, schema summary, contract-test gate, OpenAPI dump, tag/method filters
 - [x] Redis-backed `RateLimitStore` at `@daloyjs/core/rate-limit-redis` with `ioredisAdapter` / `nodeRedisAdapter` and a fail-open default for shared counters across replicas
+- [x] AI-agent helper files (`AGENTS.md` + `SKILL.md`) shipped in every `create-daloy` template so Copilot/Claude/Cursor/Codex have project context out of the box
+- [x] Polished `create-daloy` terminal UX: DaloyJS welcome banner, arrow-key pickers, install spinner, and boxed next steps while preserving zero runtime dependencies
 ## License

package/dist/index.d.ts CHANGED Viewed

@@ -16,6 +16,8 @@ export { httpBearerScheme, httpBasicScheme, apiKeyScheme, oauth2Scheme, openIdCo
 export type { ApiKeyLocation, ApiKeyScheme, ApiKeySchemeOptions, HttpBasicScheme, HttpBasicSchemeOptions, HttpBearerScheme, HttpBearerSchemeOptions, OAuth2AuthorizationCodeFlow, OAuth2ClientCredentialsFlow, OAuth2Flows, OAuth2ImplicitFlow, OAuth2PasswordFlow, OAuth2Scheme, OAuth2SchemeOptions, OpenIdConnectScheme, OpenIdConnectSchemeOptions, SecurityScheme, } from "./security-schemes.js";
 export { discriminator, discriminatedUnion } from "./discriminator.js";
 export type { DiscriminatorObject, DiscriminatedUnion, DiscriminatedUnionOptions, } from "./discriminator.js";
+export { session, signValue, verifySignedValue, MemorySessionStore, } from "./session.js";
+export type { SessionOptions, SessionCookieOptions, SessionContext, SessionRecord, SessionStore, SessionState, } from "./session.js";
 export { fileField, multipartObject, isFileFieldSchema, isMultipartObjectSchema, } from "./multipart.js";
 export type { FileFieldSchema, FileFieldOptions, MultipartObjectOptions, MultipartShape, UploadedFile, } from "./multipart.js";
 export { otelTracing, TRACING_SPAN_KIND_SERVER, TRACING_SPAN_STATUS_UNSET, TRACING_SPAN_STATUS_OK, TRACING_SPAN_STATUS_ERROR, } from "./tracing.js";

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,YAAY,EAAE,UAAU,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEnG,YAAY,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,QAAQ,EACR,KAAK,EACL,WAAW,EACX,QAAQ,EACR,aAAa,EACb,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,kBAAkB,EAClB,WAAW,EACX,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,eAAe,EACf,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExE,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEzD,OAAO,EACL,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,eAAe,EACf,QAAQ,GACT,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,SAAS,EACT,aAAa,EACb,IAAI,EACJ,SAAS,EACT,MAAM,EACN,UAAU,EACV,IAAI,GACL,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,gBAAgB,EAChB,oBAAoB,EACpB,WAAW,EACX,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACvD,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAE1E,OAAO,EACL,SAAS,EACT,WAAW,EACX,YAAY,EACZ,cAAc,GACf,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,cAAc,EACd,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,gBAAgB,EAChB,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAC3B,WAAW,EACX,kBAAkB,EAClB,kBAAkB,EAClB,YAAY,EACZ,mBAAmB,EACnB,mBAAmB,EACnB,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACvE,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,sBAAsB,EACtB,cAAc,EACd,YAAY,GACb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,EACzB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,WAAW,EACX,uBAAuB,EACvB,aAAa,GACd,MAAM,cAAc,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,YAAY,EAAE,UAAU,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEnG,YAAY,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,QAAQ,EACR,KAAK,EACL,WAAW,EACX,QAAQ,EACR,aAAa,EACb,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,kBAAkB,EAClB,WAAW,EACX,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,SAAS,EACT,eAAe,EACf,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExE,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEzD,OAAO,EACL,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,eAAe,EACf,QAAQ,GACT,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,SAAS,EACT,aAAa,EACb,IAAI,EACJ,SAAS,EACT,MAAM,EACN,UAAU,EACV,IAAI,GACL,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,gBAAgB,EAChB,oBAAoB,EACpB,WAAW,EACX,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACvD,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAE1E,OAAO,EACL,SAAS,EACT,WAAW,EACX,YAAY,EACZ,cAAc,GACf,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EACV,cAAc,EACd,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,sBAAsB,EACtB,gBAAgB,EAChB,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAC3B,WAAW,EACX,kBAAkB,EAClB,kBAAkB,EAClB,YAAY,EACZ,mBAAmB,EACnB,mBAAmB,EACnB,0BAA0B,EAC1B,cAAc,GACf,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACvE,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,OAAO,EACP,SAAS,EACT,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,aAAa,EACb,YAAY,EACZ,YAAY,GACb,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,eAAe,EACf,gBAAgB,EAChB,sBAAsB,EACtB,cAAc,EACd,YAAY,GACb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,EACzB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,kBAAkB,EAClB,iBAAiB,EACjB,qBAAqB,EACrB,WAAW,EACX,uBAAuB,EACvB,aAAa,GACd,MAAM,cAAc,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -7,6 +7,7 @@ export { createLogger, noopLogger } from "./logger.js";
 export { sseStream, sseResponse, ndjsonStream, ndjsonResponse, } from "./streaming.js";
 export { httpBearerScheme, httpBasicScheme, apiKeyScheme, oauth2Scheme, openIdConnectScheme, } from "./security-schemes.js";
 export { discriminator, discriminatedUnion } from "./discriminator.js";
+export { session, signValue, verifySignedValue, MemorySessionStore, } from "./session.js";
 export { fileField, multipartObject, isFileFieldSchema, isMultipartObjectSchema, } from "./multipart.js";
 export { otelTracing, TRACING_SPAN_KIND_SERVER, TRACING_SPAN_STATUS_UNSET, TRACING_SPAN_STATUS_OK, TRACING_SPAN_STATUS_ERROR, } from "./tracing.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAuB/B,OAAO,EACL,SAAS,EACT,eAAe,EACf,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,aAAa,GACd,MAAM,aAAa,CAAC;AAIrB,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEzD,OAAO,EACL,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,eAAe,EACf,QAAQ,GACT,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,SAAS,EACT,aAAa,EACb,IAAI,EACJ,SAAS,EACT,MAAM,EACN,UAAU,EACV,IAAI,GACL,MAAM,iBAAiB,CAAC;AAWzB,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGvD,OAAO,EACL,SAAS,EACT,WAAW,EACX,YAAY,EACZ,cAAc,GACf,MAAM,gBAAgB,CAAC;AASxB,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAqB/B,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAOvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AASxB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,EACzB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,cAAc,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAuB/B,OAAO,EACL,SAAS,EACT,eAAe,EACf,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,aAAa,GACd,MAAM,aAAa,CAAC;AAIrB,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEzD,OAAO,EACL,eAAe,EACf,aAAa,EACb,kBAAkB,EAClB,mBAAmB,EACnB,eAAe,EACf,QAAQ,GACT,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,SAAS,EACT,aAAa,EACb,IAAI,EACJ,SAAS,EACT,MAAM,EACN,UAAU,EACV,IAAI,GACL,MAAM,iBAAiB,CAAC;AAWzB,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGvD,OAAO,EACL,SAAS,EACT,WAAW,EACX,YAAY,EACZ,cAAc,GACf,MAAM,gBAAgB,CAAC;AASxB,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAqB/B,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAOvE,OAAO,EACL,OAAO,EACP,SAAS,EACT,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAUtB,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,gBAAgB,CAAC;AASxB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,yBAAyB,EACzB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,cAAc,CAAC"}

package/dist/session.d.ts ADDED Viewed

@@ -0,0 +1,151 @@
+/**
+ * Edge-friendly session primitive.
+ *
+ * Implements signed session cookies plus a pluggable session store. The cookie
+ * format is `${sid}.${signature}` where `signature` is a URL-safe base64
+ * HMAC-SHA256 of the session id. Multiple secrets can be passed to support
+ * graceful key rotation: the first secret is always used for signing, while
+ * any of the configured secrets accept incoming cookies. Every signature
+ * comparison is timing-safe.
+ *
+ * The default {@link MemorySessionStore} is suitable for tests and single-
+ * process Node processes. Production deployments should pass a `SessionStore`
+ * backed by Redis, Cloudflare KV, Vercel KV, or any other shared store.
+ *
+ * The module is dependency-free and uses Web Crypto (`crypto.subtle`), so it
+ * works on Node, Bun, Deno, Cloudflare Workers, and Vercel Edge.
+ */
+import type { Hooks } from "./types.js";
+export interface SessionRecord {
+    /** Arbitrary serializable session payload. Mutating this object marks the session dirty. */
+    data: Record<string, unknown>;
+    /** Absolute expiration as ms since epoch. */
+    expiresAt: number;
+}
+/**
+ * Pluggable persistence backend for sessions. All methods may be sync or async.
+ * Implementations should treat `expiresAt` in the past as "missing" and may
+ * lazily delete expired records.
+ */
+export interface SessionStore {
+    get(sid: string): SessionRecord | null | Promise<SessionRecord | null>;
+    set(sid: string, record: SessionRecord): void | Promise<void>;
+    destroy(sid: string): void | Promise<void>;
+    /** Optional fast-path for rolling sessions; falls back to `set()` if omitted. */
+    touch?(sid: string, expiresAt: number): void | Promise<void>;
+}
+export interface SessionCookieOptions {
+    /** `Strict` | `Lax` | `None`. Default: `"Lax"`. */
+    sameSite?: "Strict" | "Lax" | "None";
+    /** Default: `true`. Required when `sameSite` is `"None"` or with `__Host-` cookie names. */
+    secure?: boolean;
+    /** Default: `"/"`. */
+    path?: string;
+    /** Optional `Domain=` attribute. Cannot be combined with a `__Host-` cookie name. */
+    domain?: string;
+    /** Optional `Max-Age=` (seconds). When omitted the cookie is a session cookie. */
+    maxAgeSeconds?: number;
+    /** Emit `Partitioned` (CHIPS) for cross-site contexts. Default: `false`. */
+    partitioned?: boolean;
+    /** Default: `true`. Sessions are server-side state, never readable by JS. */
+    httpOnly?: boolean;
+}
+export interface SessionOptions {
+    /**
+     * HMAC secret(s) used to sign session cookies. Pass an array to rotate
+     * secrets without invalidating existing sessions: the first entry is used to
+     * sign new cookies; any entry verifies incoming cookies. Each secret must be
+     * a non-empty string of at least 16 characters.
+     */
+    secret: string | string[];
+    /** Cookie name carrying the session id. Default: `"__Host-daloy.sid"`. */
+    cookieName?: string;
+    /** Cookie attributes (see {@link SessionCookieOptions}). */
+    cookieOptions?: SessionCookieOptions;
+    /** Pluggable persistence backend. Default: a fresh in-memory store. */
+    store?: SessionStore;
+    /** Default session lifetime in seconds. Default: `86400` (1 day). */
+    ttlSeconds?: number;
+    /**
+     * Reset the session expiration on every access. Default: `true`.
+     * Disable for fixed-duration sessions.
+     */
+    rolling?: boolean;
+    /** Override the random session-id generator (32 bytes URL-safe by default). */
+    generator?: () => string;
+    /**
+     * Persist a brand-new session and set its cookie even when the handler did
+     * not touch it. Default: `false` (GDPR-friendly: no cookie until consent or
+     * first write). Set to `true` to issue a session id on every first request.
+     */
+    saveUninitialized?: boolean;
+}
+/** Per-request session API exposed on `ctx.state.session`. */
+export type SessionContext = {
+    /** Current session id. Refreshed by `regenerate()`. */
+    readonly id: string;
+    /** Session payload. Mutating this object marks the session dirty. */
+    readonly data: Record<string, unknown>;
+    /** Read a single payload key. */
+    get<T = unknown>(key: string): T | undefined;
+    /** Set a payload key. Marks the session dirty. */
+    set(key: string, value: unknown): void;
+    /** Delete a payload key. Marks the session dirty. */
+    delete(key: string): void;
+    /** Drop all server-side state and clear the cookie on the response. */
+    destroy(): void;
+    /** Issue a new session id (defense against fixation). Carries `data` over by default; pass `{ keepData: false }` to start fresh. */
+    regenerate(opts?: {
+        keepData?: boolean;
+    }): Promise<string>;
+};
+/**
+ * In-memory `SessionStore`. Suitable for tests and single-process deployments.
+ * Expired records are dropped on access.
+ */
+export declare class MemorySessionStore implements SessionStore {
+    private readonly map;
+    get(sid: string): SessionRecord | null;
+    set(sid: string, record: SessionRecord): void;
+    destroy(sid: string): void;
+    touch(sid: string, expiresAt: number): void;
+    /** Test helper. Remove every record. */
+    clear(): void;
+    /** Test helper. Number of stored records (including expired). */
+    size(): number;
+}
+/**
+ * Session middleware. Reads (and verifies) a signed session cookie on every
+ * request, exposes a typed `ctx.state.session` API, and writes back any
+ * mutations on the response.
+ *
+ * @example
+ * ```ts
+ * import { App, session } from "@daloyjs/core";
+ *
+ * declare module "@daloyjs/core" {
+ *   interface AppState {
+ *     session: import("@daloyjs/core").SessionContext;
+ *   }
+ * }
+ *
+ * const app = new App();
+ * app.use(session({ secret: process.env.SESSION_SECRET! }));
+ * ```
+ */
+export declare function session(opts: SessionOptions): Hooks;
+/**
+ * Sign an arbitrary string with HMAC-SHA256. Returns `${value}.${sig}` where
+ * `sig` is URL-safe base64. Useful for building custom signed cookies or
+ * tokens that do not need a session store.
+ */
+export declare function signValue(value: string, secret: string): Promise<string>;
+/**
+ * Verify a `signValue()`-produced string. Returns the original value when the
+ * signature checks out, otherwise `null`. Constant-time on the signature.
+ */
+export declare function verifySignedValue(signed: string, secret: string | string[]): Promise<string | null>;
+export type SessionState = {
+    session: SessionContext;
+};
+//# sourceMappingURL=session.d.ts.map

package/dist/session.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOxC,MAAM,WAAW,aAAa;IAC5B,4FAA4F;IAC5F,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IACvE,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,iFAAiF;IACjF,KAAK,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,oBAAoB;IACnC,mDAAmD;IACnD,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IACrC,4FAA4F;IAC5F,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,sBAAsB;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qFAAqF;IACrF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kFAAkF;IAClF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,4EAA4E;IAC5E,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,0EAA0E;IAC1E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,aAAa,CAAC,EAAE,oBAAoB,CAAC;IACrC,uEAAuE;IACvE,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,+EAA+E;IAC/E,SAAS,CAAC,EAAE,MAAM,MAAM,CAAC;IACzB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,8DAA8D;AAC9D,MAAM,MAAM,cAAc,GAAG;IAC3B,uDAAuD;IACvD,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,qEAAqE;IACrE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvC,iCAAiC;IACjC,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC;IAC7C,kDAAkD;IAClD,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAAC;IACvC,qDAAqD;IACrD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,OAAO,IAAI,IAAI,CAAC;IAChB,oIAAoI;IACpI,UAAU,CAAC,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5D,CAAC;AAiOF;;;GAGG;AACH,qBAAa,kBAAmB,YAAW,YAAY;IACrD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoC;IAExD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IAUtC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,IAAI;IAI7C,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAI1B,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAK3C,wCAAwC;IACxC,KAAK,IAAI,IAAI;IAIb,iEAAiE;IACjE,IAAI,IAAI,MAAM;CAGf;AAID;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG,KAAK,CA8JnD;AAID;;;;GAIG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAO9E;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAYzG;AAGD,MAAM,MAAM,YAAY,GAAG;IAAE,OAAO,EAAE,cAAc,CAAA;CAAE,CAAC"}

package/dist/session.js ADDED Viewed

@@ -0,0 +1,448 @@
+/**
+ * Edge-friendly session primitive.
+ *
+ * Implements signed session cookies plus a pluggable session store. The cookie
+ * format is `${sid}.${signature}` where `signature` is a URL-safe base64
+ * HMAC-SHA256 of the session id. Multiple secrets can be passed to support
+ * graceful key rotation: the first secret is always used for signing, while
+ * any of the configured secrets accept incoming cookies. Every signature
+ * comparison is timing-safe.
+ *
+ * The default {@link MemorySessionStore} is suitable for tests and single-
+ * process Node processes. Production deployments should pass a `SessionStore`
+ * backed by Redis, Cloudflare KV, Vercel KV, or any other shared store.
+ *
+ * The module is dependency-free and uses Web Crypto (`crypto.subtle`), so it
+ * works on Node, Bun, Deno, Cloudflare Workers, and Vercel Edge.
+ */
+import { timingSafeEqual } from "./security.js";
+const DEFAULT_COOKIE_NAME = "__Host-daloy.sid";
+const STATE_KEY = "session";
+const STATE_INTERNAL = "__sessionInternal";
+// ---------- Implementation ----------
+const COOKIE_NAME_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
+const enc = new TextEncoder();
+function getSubtle() {
+    const c = globalThis.crypto;
+    if (!c?.subtle) {
+        throw new Error("session(): Web Crypto (crypto.subtle) is required. Provide a polyfill in environments without it.");
+    }
+    return c.subtle;
+}
+function bytesToBase64Url(bytes) {
+    let bin = "";
+    for (let i = 0; i < bytes.length; i++)
+        bin += String.fromCharCode(bytes[i]);
+    // btoa is defined on every supported runtime.
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function makeSigner(secret) {
+    if (typeof secret !== "string" || secret.length < 16) {
+        throw new Error("session(): each secret must be a string of at least 16 characters.");
+    }
+    let keyPromise = null;
+    const getKey = () => {
+        if (!keyPromise) {
+            keyPromise = getSubtle().importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        }
+        return keyPromise;
+    };
+    return {
+        async sign(value) {
+            const key = await getKey();
+            const sig = new Uint8Array(await getSubtle().sign("HMAC", key, enc.encode(value)));
+            return bytesToBase64Url(sig);
+        },
+        async verify(value, signature) {
+            const expected = await this.sign(value);
+            return timingSafeEqual(expected, signature);
+        },
+    };
+}
+function generateSessionId() {
+    const c = globalThis.crypto;
+    if (!c?.getRandomValues) {
+        throw new Error("session(): Web Crypto getRandomValues is required for the default id generator.");
+    }
+    const buf = new Uint8Array(32);
+    c.getRandomValues(buf);
+    return bytesToBase64Url(buf);
+}
+function validateCookieSegment(kind, value) {
+    if (/[;\r\n\0]/.test(value))
+        throw new Error(`session(): cookieOptions.${kind} contains an invalid character.`);
+}
+function validateCookieOptions(cookieName, opts) {
+    if (!COOKIE_NAME_RE.test(cookieName))
+        throw new Error("session(): cookieName is not a valid cookie name.");
+    if (opts.sameSite !== "Strict" && opts.sameSite !== "Lax" && opts.sameSite !== "None") {
+        throw new Error('session(): cookieOptions.sameSite must be "Strict", "Lax", or "None".');
+    }
+    if (!opts.path.startsWith("/"))
+        throw new Error('session(): cookieOptions.path must start with "/".');
+    validateCookieSegment("path", opts.path);
+    if (opts.domain)
+        validateCookieSegment("domain", opts.domain);
+    if (!Number.isInteger(opts.maxAgeSeconds) || opts.maxAgeSeconds < 0) {
+        throw new Error("session(): cookieOptions.maxAgeSeconds must be a non-negative integer.");
+    }
+    if (cookieName.startsWith("__Host-")) {
+        if (!opts.secure || opts.path !== "/" || opts.domain) {
+            throw new Error('session(): "__Host-" cookie names require secure: true, path: "/", and no domain. ' +
+                "Pass an explicit cookieName or relax cookieOptions to use a non-prefixed cookie.");
+        }
+    }
+    if (opts.sameSite === "None" && !opts.secure) {
+        throw new Error('session(): cookieOptions.sameSite: "None" requires secure: true.');
+    }
+}
+function readCookie(header, name) {
+    if (!header)
+        return null;
+    const parts = header.split(";");
+    for (let i = 0; i < parts.length; i++) {
+        const part = parts[i];
+        const eq = part.indexOf("=");
+        if (eq < 0)
+            continue;
+        const k = part.slice(0, eq).trim();
+        if (k === name) {
+            const v = part.slice(eq + 1).trim();
+            try {
+                return decodeURIComponent(v);
+            }
+            catch {
+                return v;
+            }
+        }
+    }
+    return null;
+}
+function buildSetCookie(name, value, opts) {
+    let s = `${name}=${encodeURIComponent(value)}`;
+    s += `; Path=${opts.path}`;
+    s += `; SameSite=${opts.sameSite}`;
+    if (opts.secure)
+        s += "; Secure";
+    if (opts.httpOnly)
+        s += "; HttpOnly";
+    if (opts.domain)
+        s += `; Domain=${opts.domain}`;
+    if (opts.maxAgeSeconds > 0)
+        s += `; Max-Age=${opts.maxAgeSeconds}`;
+    if (opts.partitioned)
+        s += "; Partitioned";
+    return s;
+}
+function buildClearCookie(name, opts) {
+    let s = `${name}=`;
+    s += `; Path=${opts.path}`;
+    s += `; SameSite=${opts.sameSite}`;
+    if (opts.secure)
+        s += "; Secure";
+    if (opts.httpOnly)
+        s += "; HttpOnly";
+    if (opts.domain)
+        s += `; Domain=${opts.domain}`;
+    s += "; Max-Age=0";
+    if (opts.partitioned)
+        s += "; Partitioned";
+    return s;
+}
+function markDirty(internal) {
+    internal.dirty = true;
+}
+function makeSessionContext(id, data, internal, regenerate) {
+    const proxy = new Proxy(data, {
+        set(target, key, value) {
+            target[key] = value;
+            markDirty(internal);
+            return true;
+        },
+        deleteProperty(target, key) {
+            const had = key in target;
+            delete target[key];
+            if (had)
+                markDirty(internal);
+            return true;
+        },
+    });
+    let currentId = id;
+    return {
+        get id() {
+            return currentId;
+        },
+        get data() {
+            return proxy;
+        },
+        get(key) {
+            return data[key];
+        },
+        set(key, value) {
+            data[key] = value;
+            markDirty(internal);
+        },
+        delete(key) {
+            if (key in data) {
+                delete data[key];
+                markDirty(internal);
+            }
+        },
+        destroy() {
+            for (const k of Object.keys(data))
+                delete data[k];
+            internal.destroyed = true;
+            internal.dirty = true;
+        },
+        async regenerate(opts) {
+            const keepData = opts?.keepData !== false;
+            const next = await regenerate(keepData);
+            currentId = next;
+            return next;
+        },
+    };
+}
+// ---------- Stores ----------
+/**
+ * In-memory `SessionStore`. Suitable for tests and single-process deployments.
+ * Expired records are dropped on access.
+ */
+export class MemorySessionStore {
+    map = new Map();
+    get(sid) {
+        const rec = this.map.get(sid);
+        if (!rec)
+            return null;
+        if (rec.expiresAt <= Date.now()) {
+            this.map.delete(sid);
+            return null;
+        }
+        return rec;
+    }
+    set(sid, record) {
+        this.map.set(sid, record);
+    }
+    destroy(sid) {
+        this.map.delete(sid);
+    }
+    touch(sid, expiresAt) {
+        const rec = this.map.get(sid);
+        if (rec)
+            rec.expiresAt = expiresAt;
+    }
+    /** Test helper. Remove every record. */
+    clear() {
+        this.map.clear();
+    }
+    /** Test helper. Number of stored records (including expired). */
+    size() {
+        return this.map.size;
+    }
+}
+// ---------- Middleware ----------
+/**
+ * Session middleware. Reads (and verifies) a signed session cookie on every
+ * request, exposes a typed `ctx.state.session` API, and writes back any
+ * mutations on the response.
+ *
+ * @example
+ * ```ts
+ * import { App, session } from "@daloyjs/core";
+ *
+ * declare module "@daloyjs/core" {
+ *   interface AppState {
+ *     session: import("@daloyjs/core").SessionContext;
+ *   }
+ * }
+ *
+ * const app = new App();
+ * app.use(session({ secret: process.env.SESSION_SECRET! }));
+ * ```
+ */
+export function session(opts) {
+    const cookieName = opts.cookieName ?? DEFAULT_COOKIE_NAME;
+    const secrets = Array.isArray(opts.secret) ? opts.secret : [opts.secret];
+    if (secrets.length === 0)
+        throw new Error("session(): at least one secret is required.");
+    const signers = secrets.map(makeSigner);
+    const cookieOverrides = opts.cookieOptions ?? {};
+    const cookieOpts = {
+        sameSite: cookieOverrides.sameSite ?? "Lax",
+        secure: cookieOverrides.secure ?? true,
+        path: cookieOverrides.path ?? "/",
+        domain: cookieOverrides.domain ?? "",
+        maxAgeSeconds: cookieOverrides.maxAgeSeconds ?? 0,
+        partitioned: cookieOverrides.partitioned ?? false,
+        httpOnly: cookieOverrides.httpOnly ?? true,
+    };
+    validateCookieOptions(cookieName, cookieOpts);
+    const ttlSeconds = opts.ttlSeconds ?? 86_400;
+    if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
+        throw new Error("session(): ttlSeconds must be a positive integer.");
+    }
+    const ttlMs = ttlSeconds * 1000;
+    const rolling = opts.rolling !== false;
+    const store = opts.store ?? new MemorySessionStore();
+    const generator = opts.generator ?? generateSessionId;
+    const saveUninitialized = opts.saveUninitialized === true;
+    return {
+        async beforeHandle(ctx) {
+            const internal = {
+                cookieName,
+                cookieOpts,
+                store,
+                signers,
+                ttlMs,
+                rolling,
+                generator,
+                saveUninitialized,
+                originalId: null,
+                hadCookie: false,
+                activeId: null,
+                dirty: false,
+                destroyed: false,
+                regenerated: false,
+                created: false,
+            };
+            const raw = readCookie(ctx.request.headers.get("cookie"), cookieName);
+            internal.hadCookie = raw !== null;
+            let data = {};
+            let id = null;
+            if (raw) {
+                const dot = raw.lastIndexOf(".");
+                if (dot > 0 && dot < raw.length - 1) {
+                    const candidateId = raw.slice(0, dot);
+                    const sig = raw.slice(dot + 1);
+                    for (const signer of signers) {
+                        // eslint-disable-next-line no-await-in-loop
+                        if (await signer.verify(candidateId, sig)) {
+                            const rec = await store.get(candidateId);
+                            if (rec && rec.expiresAt > Date.now()) {
+                                id = candidateId;
+                                data = rec.data ? { ...rec.data } : {};
+                            }
+                            break;
+                        }
+                    }
+                }
+            }
+            if (!id) {
+                id = generator();
+                if (!id)
+                    throw new Error("session(): generator returned an empty id.");
+                internal.created = true;
+            }
+            else {
+                internal.originalId = id;
+            }
+            internal.activeId = id;
+            const regenerate = async (keepData) => {
+                if (internal.activeId && internal.originalId === internal.activeId) {
+                    await store.destroy(internal.activeId);
+                }
+                else if (internal.activeId && internal.activeId !== internal.originalId) {
+                    // We rotated mid-request previously; throw away the unsaved id.
+                }
+                const next = generator();
+                if (!next)
+                    throw new Error("session(): generator returned an empty id.");
+                if (!keepData) {
+                    for (const k of Object.keys(data))
+                        delete data[k];
+                }
+                internal.activeId = next;
+                internal.regenerated = true;
+                internal.dirty = true;
+                internal.destroyed = false;
+                internal.created = false;
+                internal.originalId = null;
+                return next;
+            };
+            const sessionCtx = makeSessionContext(id, data, internal, regenerate);
+            const state = ctx.state;
+            state[STATE_KEY] = sessionCtx;
+            state[STATE_INTERNAL] = internal;
+        },
+        async onSend(res, ctx) {
+            if (!ctx)
+                return undefined;
+            const state = ctx.state;
+            const internal = state[STATE_INTERNAL];
+            if (!internal)
+                return undefined;
+            if (internal.destroyed) {
+                if (internal.originalId)
+                    await store.destroy(internal.originalId);
+                // Clear stale or malformed client cookies too, not only verified sessions.
+                if (internal.hadCookie) {
+                    res.headers.append("set-cookie", buildClearCookie(internal.cookieName, internal.cookieOpts));
+                }
+                return undefined;
+            }
+            const sessionCtx = state[STATE_KEY];
+            const data = sessionCtx.data;
+            const sid = internal.activeId;
+            const expiresAt = Date.now() + internal.ttlMs;
+            // A brand-new, untouched session is a no-op unless saveUninitialized is on.
+            const initialized = internal.dirty || internal.regenerated || internal.originalId !== null;
+            if (!initialized && !internal.saveUninitialized)
+                return undefined;
+            const mustPersist = internal.dirty || internal.created || internal.regenerated;
+            if (mustPersist) {
+                await store.set(sid, { data: { ...data }, expiresAt });
+            }
+            else if (internal.rolling) {
+                if (store.touch)
+                    await store.touch(sid, expiresAt);
+                else
+                    await store.set(sid, { data: { ...data }, expiresAt });
+            }
+            if (internal.regenerated && internal.originalId && internal.originalId !== sid) {
+                await store.destroy(internal.originalId);
+            }
+            // Only refresh the cookie when something actually changed, the session
+            // was just created, or rolling sessions need a sliding expiration.
+            const mustWriteCookie = internal.created || internal.regenerated || internal.rolling;
+            if (!mustWriteCookie)
+                return undefined;
+            const signer = internal.signers[0];
+            const sig = await signer.sign(sid);
+            res.headers.append("set-cookie", buildSetCookie(internal.cookieName, `${sid}.${sig}`, internal.cookieOpts));
+            return undefined;
+        },
+    };
+}
+// ---------- Low-level signing helpers (re-exported for advanced use) ----------
+/**
+ * Sign an arbitrary string with HMAC-SHA256. Returns `${value}.${sig}` where
+ * `sig` is URL-safe base64. Useful for building custom signed cookies or
+ * tokens that do not need a session store.
+ */
+export async function signValue(value, secret) {
+    if (value.includes(".")) {
+        throw new Error("signValue(): value must not contain '.'");
+    }
+    const signer = makeSigner(secret);
+    const sig = await signer.sign(value);
+    return `${value}.${sig}`;
+}
+/**
+ * Verify a `signValue()`-produced string. Returns the original value when the
+ * signature checks out, otherwise `null`. Constant-time on the signature.
+ */
+export async function verifySignedValue(signed, secret) {
+    const dot = signed.lastIndexOf(".");
+    if (dot <= 0 || dot >= signed.length - 1)
+        return null;
+    const value = signed.slice(0, dot);
+    const sig = signed.slice(dot + 1);
+    const secrets = Array.isArray(secret) ? secret : [secret];
+    for (const s of secrets) {
+        const signer = makeSigner(s);
+        // eslint-disable-next-line no-await-in-loop
+        if (await signer.verify(value, sig))
+            return value;
+    }
+    return null;
+}
+//# sourceMappingURL=session.js.map

package/dist/session.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,MAAM,mBAAmB,GAAG,kBAAkB,CAAC;AAwF5C,MAAM,SAAS,GAAG,SAAS,CAAC;AAAC,MAAM,cAAc,GAAG,mBAAmB,CAAC;AAC3E,uCAAuC;AACvC,MAAM,cAAc,GAAG,+BAA+B,CAAC;AAgCvD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;AAE9B,SAAS,SAAS;IAChB,MAAM,CAAC,GAAwB,UAAkC,CAAC,MAAM,CAAC;IACzE,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAiB;IACzC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;IAC7E,8CAA8C;IAC9C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC;IACD,IAAI,UAAU,GAA8B,IAAI,CAAC;IACjD,MAAM,MAAM,GAAG,GAAG,EAAE;QAClB,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,SAAS,EAAE,CAAC,SAAS,CAChC,KAAK,EACL,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAClB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACJ,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC,CAAC;IACF,OAAO;QACL,KAAK,CAAC,IAAI,CAAC,KAAK;YACd,MAAM,GAAG,GAAG,MAAM,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,SAAS,EAAE,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACnF,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS;YAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACxC,OAAO,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC9C,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,CAAC,GAAwB,UAAkC,CAAC,MAAM,CAAC;IACzE,IAAI,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,iFAAiF,CAAC,CAAC;IACrG,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvB,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAuB,EAAE,KAAa;IACnE,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,IAAI,iCAAiC,CAAC,CAAC;AAClH,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB,EAAE,IAAoC;IACrF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IAC3G,IAAI,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACtF,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACtG,qBAAqB,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,IAAI,CAAC,MAAM;QAAE,qBAAqB,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;IAC5F,CAAC;IACD,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CACb,oFAAoF;gBAClF,kFAAkF,CACrF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,MAAqB,EAAE,IAAY;IACrD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACvB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,EAAE,GAAG,CAAC;YAAE,SAAS;QACrB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACf,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,CAAC;YACX,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,IAAY,EAAE,KAAa,EAAE,IAAoC;IACvF,IAAI,CAAC,GAAG,GAAG,IAAI,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAC/C,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC,IAAI,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,MAAM;QAAE,CAAC,IAAI,UAAU,CAAC;IACjC,IAAI,IAAI,CAAC,QAAQ;QAAE,CAAC,IAAI,YAAY,CAAC;IACrC,IAAI,IAAI,CAAC,MAAM;QAAE,CAAC,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,CAAC;IAChD,IAAI,IAAI,CAAC,aAAa,GAAG,CAAC;QAAE,CAAC,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;IACnE,IAAI,IAAI,CAAC,WAAW;QAAE,CAAC,IAAI,eAAe,CAAC;IAC3C,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,IAAoC;IAC1E,IAAI,CAAC,GAAG,GAAG,IAAI,GAAG,CAAC;IACnB,CAAC,IAAI,UAAU,IAAI,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC,IAAI,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,MAAM;QAAE,CAAC,IAAI,UAAU,CAAC;IACjC,IAAI,IAAI,CAAC,QAAQ;QAAE,CAAC,IAAI,YAAY,CAAC;IACrC,IAAI,IAAI,CAAC,MAAM;QAAE,CAAC,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,CAAC;IAChD,CAAC,IAAI,aAAa,CAAC;IACnB,IAAI,IAAI,CAAC,WAAW;QAAE,CAAC,IAAI,eAAe,CAAC;IAC3C,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,SAAS,CAAC,QAAyB;IAC1C,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC;AACxB,CAAC;AAED,SAAS,kBAAkB,CACzB,EAAU,EACV,IAA6B,EAC7B,QAAyB,EACzB,UAAkD;IAElD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE;QAC5B,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK;YACpB,MAAM,CAAC,GAAa,CAAC,GAAG,KAAK,CAAC;YAC9B,SAAS,CAAC,QAAQ,CAAC,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,cAAc,CAAC,MAAM,EAAE,GAAG;YACxB,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;YAC1B,OAAO,MAAM,CAAC,GAAa,CAAC,CAAC;YAC7B,IAAI,GAAG;gBAAE,SAAS,CAAC,QAAQ,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC,CAAC;IACH,IAAI,SAAS,GAAG,EAAE,CAAC;IACnB,OAAO;QACL,IAAI,EAAE;YACJ,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,IAAI,IAAI;YACN,OAAO,KAAK,CAAC;QACf,CAAC;QACD,GAAG,CAAc,GAAW;YAC1B,OAAO,IAAI,CAAC,GAAG,CAAkB,CAAC;QACpC,CAAC;QACD,GAAG,CAAC,GAAG,EAAE,KAAK;YACZ,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAClB,SAAS,CAAC,QAAQ,CAAC,CAAC;QACtB,CAAC;QACD,MAAM,CAAC,GAAG;YACR,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;gBAChB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;gBACjB,SAAS,CAAC,QAAQ,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;YAClD,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC;YAC1B,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC;QACxB,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,IAAI;YACnB,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,KAAK,KAAK,CAAC;YAC1C,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,CAAC;YACxC,SAAS,GAAG,IAAI,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC;AAED,+BAA+B;AAE/B;;;GAGG;AACH,MAAM,OAAO,kBAAkB;IACZ,GAAG,GAAG,IAAI,GAAG,EAAyB,CAAC;IAExD,GAAG,CAAC,GAAW;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,GAAG,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAChC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,GAAG,CAAC,GAAW,EAAE,MAAqB;QACpC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,CAAC,GAAW;QACjB,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,GAAW,EAAE,SAAiB;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG;YAAE,GAAG,CAAC,SAAS,GAAG,SAAS,CAAC;IACrC,CAAC;IAED,wCAAwC;IACxC,KAAK;QACH,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;IACnB,CAAC;IAED,iEAAiE;IACjE,IAAI;QACF,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;IACvB,CAAC;CACF;AAED,mCAAmC;AAEnC;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,OAAO,CAAC,IAAoB;IAC1C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAE1D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACzE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACzF,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAExC,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;IACjD,MAAM,UAAU,GAAmC;QACjD,QAAQ,EAAE,eAAe,CAAC,QAAQ,IAAI,KAAK;QAC3C,MAAM,EAAE,eAAe,CAAC,MAAM,IAAI,IAAI;QACtC,IAAI,EAAE,eAAe,CAAC,IAAI,IAAI,GAAG;QACjC,MAAM,EAAE,eAAe,CAAC,MAAM,IAAI,EAAE;QACpC,aAAa,EAAE,eAAe,CAAC,aAAa,IAAI,CAAC;QACjD,WAAW,EAAE,eAAe,CAAC,WAAW,IAAI,KAAK;QACjD,QAAQ,EAAE,eAAe,CAAC,QAAQ,IAAI,IAAI;KAC3C,CAAC;IACF,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAE9C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,MAAM,CAAC;IAC7C,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,UAAU,IAAI,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,GAAG,IAAI,CAAC;IAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,KAAK,KAAK,CAAC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,kBAAkB,EAAE,CAAC;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,iBAAiB,CAAC;IACtD,MAAM,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,KAAK,IAAI,CAAC;IAE1D,OAAO;QACL,KAAK,CAAC,YAAY,CAAC,GAAG;YACpB,MAAM,QAAQ,GAAoB;gBAChC,UAAU;gBACV,UAAU;gBACV,KAAK;gBACL,OAAO;gBACP,KAAK;gBACL,OAAO;gBACP,SAAS;gBACT,iBAAiB;gBACjB,UAAU,EAAE,IAAI;gBAChB,SAAS,EAAE,KAAK;gBAChB,QAAQ,EAAE,IAAI;gBACd,KAAK,EAAE,KAAK;gBACZ,SAAS,EAAE,KAAK;gBAChB,WAAW,EAAE,KAAK;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC;YAEF,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;YACtE,QAAQ,CAAC,SAAS,GAAG,GAAG,KAAK,IAAI,CAAC;YAClC,IAAI,IAAI,GAA4B,EAAE,CAAC;YACvC,IAAI,EAAE,GAAkB,IAAI,CAAC;YAE7B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,GAAG,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBACjC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpC,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;oBACtC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;oBAC/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;wBAC7B,4CAA4C;wBAC5C,IAAI,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;4BAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;4BACzC,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gCACtC,EAAE,GAAG,WAAW,CAAC;gCACjB,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;4BACzC,CAAC;4BACD,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,EAAE,GAAG,SAAS,EAAE,CAAC;gBACjB,IAAI,CAAC,EAAE;oBAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;gBACvE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,UAAU,GAAG,EAAE,CAAC;YAC3B,CAAC;YACD,QAAQ,CAAC,QAAQ,GAAG,EAAE,CAAC;YAEvB,MAAM,UAAU,GAAG,KAAK,EAAE,QAAiB,EAAmB,EAAE;gBAC9D,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;oBACnE,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACzC,CAAC;qBAAM,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC;oBAC1E,gEAAgE;gBAClE,CAAC;gBACD,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC,IAAI;oBAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;gBACzE,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;wBAAE,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;gBACpD,CAAC;gBACD,QAAQ,CAAC,QAAQ,GAAG,IAAI,CAAC;gBACzB,QAAQ,CAAC,WAAW,GAAG,IAAI,CAAC;gBAC5B,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC;gBACtB,QAAQ,CAAC,SAAS,GAAG,KAAK,CAAC;gBAC3B,QAAQ,CAAC,OAAO,GAAG,KAAK,CAAC;gBACzB,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC,CAAC;YAEF,MAAM,UAAU,GAAG,kBAAkB,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YACtE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAgC,CAAC;YACnD,KAAK,CAAC,SAAS,CAAC,GAAG,UAAU,CAAC;YAC9B,KAAK,CAAC,cAAc,CAAC,GAAG,QAAQ,CAAC;QACnC,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG;YACnB,IAAI,CAAC,GAAG;gBAAE,OAAO,SAAS,CAAC;YAC3B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAgC,CAAC;YACnD,MAAM,QAAQ,GAAG,KAAK,CAAC,cAAc,CAAgC,CAAC;YACtE,IAAI,CAAC,QAAQ;gBAAE,OAAO,SAAS,CAAC;YAEhC,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACvB,IAAI,QAAQ,CAAC,UAAU;oBAAE,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;gBAClE,2EAA2E;gBAC3E,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;oBACvB,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,gBAAgB,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;gBAC/F,CAAC;gBACD,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAmB,CAAC;YACtD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC;YAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAS,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC;YAE9C,4EAA4E;YAC5E,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,UAAU,KAAK,IAAI,CAAC;YAC3F,IAAI,CAAC,WAAW,IAAI,CAAC,QAAQ,CAAC,iBAAiB;gBAAE,OAAO,SAAS,CAAC;YAElE,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,WAAW,CAAC;YAE/E,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YACzD,CAAC;iBAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBAC5B,IAAI,KAAK,CAAC,KAAK;oBAAE,MAAM,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;;oBAC9C,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;YAC9D,CAAC;YAED,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC/E,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC3C,CAAC;YAED,uEAAuE;YACvE,mEAAmE;YACnE,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,OAAO,CAAC;YACrF,IAAI,CAAC,eAAe;gBAAE,OAAO,SAAS,CAAC;YAEvC,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC;YACpC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACnC,GAAG,CAAC,OAAO,CAAC,MAAM,CAChB,YAAY,EACZ,cAAc,CAAC,QAAQ,CAAC,UAAU,EAAE,GAAG,GAAG,IAAI,GAAG,EAAE,EAAE,QAAQ,CAAC,UAAU,CAAC,CAC1E,CAAC;YACF,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc;IAC3D,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAyB;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,4CAA4C;QAC5C,IAAI,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;IACpD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@daloyjs/core",
-  "version": "0.6.0",
+  "version": "0.7.1",
   "description": "DaloyJS is a runtime-portable, contract-first TypeScript web framework with built-in OpenAPI (Hey API), typed client generation, large-scale maintainability, and security-first defaults. Hono-grade portability, Elysia-grade DX, FastAPI-grade docs, Fastify-grade ops — distributed via pnpm.",
   "type": "module",
   "publishConfig": {
@@ -10,7 +10,7 @@
     "type": "git",
     "url": "git+https://github.com/daloyjs/daloy.git"
   },
-  "homepage": "https://github.com/daloyjs/daloy#readme",
+  "homepage": "https://daloyjs.dev",
   "bugs": {
     "url": "https://github.com/daloyjs/daloy/issues"
   },
@@ -84,6 +84,10 @@
     "./cli": {
       "types": "./dist/cli.d.ts",
       "import": "./dist/cli.js"
+    },
+    "./session": {
+      "types": "./dist/session.d.ts",
+      "import": "./dist/session.js"
     }
   },
   "files": [