npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/middleware/logger.ts ADDED Viewed

@@ -0,0 +1,126 @@
+/**
+ * Request logging middleware.
+ *
+ * Records method, path, status, duration, userId, and enriched analytics
+ * fields (category, subcategory, target, operation, region, sizes) for
+ * every request. Uses LogWriter adapter for environment-aware storage.
+ */
+import type { MiddlewareHandler } from 'hono';
+import type { Env } from '../types.js';
+import { createLogWriter } from '../lib/log-writer.js';
+import { parseRoute } from '../lib/route-parser.js';
+type HonoEnv = { Bindings: Env };
+type LogFieldOverrides = Partial<{
+  category: string;
+  subcategory: string;
+  target1: string;
+  target2: string;
+  operation: string;
+  region: string;
+  requestSize: number;
+  responseSize: number;
+  resultCount: number;
+  userId: string;
+}>;
+function resolveRequestPath(c: {
+  req: {
+    path?: string;
+    url: string;
+  };
+}): string {
+  if (typeof c.req.path === 'string' && c.req.path.length > 0) {
+    return c.req.path;
+  }
+  try {
+    return new URL(c.req.url, 'http://edgebase.local').pathname;
+  } catch {
+    return '/';
+  }
+}
+export const loggerMiddleware: MiddlewareHandler<HonoEnv> = async (c, next) => {
+  const start = Date.now();
+  // Pre-compute route classification before response
+  const path = resolveRequestPath(c);
+  const method = c.req.method;
+  const route = parseRoute(method, path);
+  // Capture request size from Content-Length header
+  const requestSize = parseInt(c.req.header('content-length') || '0', 10) || 0;
+  await next();
+  const duration = Date.now() - start;
+  const auth = c.get('auth' as never) as { id: string } | null | undefined;
+  // Extract region from Cloudflare cf object or cf-ray header
+  let region = '';
+  try {
+    const cf = (c.req.raw as unknown as { cf?: { colo?: string } }).cf;
+    if (cf?.colo) {
+      region = cf.colo;
+    }
+  } catch {
+    // cf object not available (non-CF environment)
+  }
+  if (!region) {
+    // Fallback: extract datacenter code from CF-Ray header (e.g., "abc123-ICN" → "ICN")
+    const cfRay = c.req.header('cf-ray');
+    if (cfRay) {
+      const parts = cfRay.split('-');
+      if (parts.length >= 2) {
+        region = parts[parts.length - 1];
+      }
+    }
+  }
+  // Capture response size from Content-Length header
+  const responseSize = parseInt(c.res.headers.get('content-length') || '0', 10) || 0;
+  const overrides = (c.get('logFields' as never) ?? {}) as LogFieldOverrides;
+  // Get execution context for non-blocking writes
+  let executionCtx: { waitUntil: (promise: Promise<unknown>) => void } | undefined;
+  try {
+    executionCtx = c.executionCtx;
+  } catch {
+    // No execution context (unit tests)
+  }
+  const logger = createLogWriter(
+    (c.env || {}) as unknown as Record<string, unknown>,
+    executionCtx,
+  );
+  const entry = {
+    method,
+    path,
+    status: c.res.status,
+    duration,
+    userId: overrides.userId ?? auth?.id,
+    timestamp: Date.now(),
+    // Enriched analytics fields
+    category: overrides.category ?? route.category,
+    subcategory: overrides.subcategory ?? route.subcategory,
+    target1: overrides.target1 ?? route.target1,
+    target2: overrides.target2 ?? route.target2,
+    operation: overrides.operation ?? route.operation,
+    region: overrides.region ?? region,
+    requestSize: overrides.requestSize ?? requestSize,
+    responseSize: overrides.responseSize ?? responseSize,
+    resultCount: overrides.resultCount ?? 0,
+  };
+  // Fire-and-forget — don't block response
+  if (executionCtx) {
+    executionCtx.waitUntil(
+      Promise.resolve().then(() => logger.write(entry)),
+    );
+  } else {
+    // Unit test environment or no execution context — write synchronously
+    logger.write(entry);
+  }
+};

package/src/middleware/rate-limit.ts ADDED Viewed

@@ -0,0 +1,283 @@
+import type { MiddlewareHandler } from 'hono';
+import type { Env } from '../types.js';
+import type { EdgeBaseConfig } from '@edge-base/shared';
+import {
+  buildKeymap,
+  extractBearerToken,
+  extractServiceKeyHeader,
+  validateConfiguredKey,
+  type ConstraintContext,
+} from '../lib/service-key.js';
+import { parseConfig } from '../lib/do-router.js';
+import { getTrustedClientIp } from '../lib/client-ip.js';
+type HonoEnv = { Bindings: Env };
+/**
+ * Rate Limiting middleware — 2-layer architecture.
+ *
+ * Layer 1: Software counter (per-isolate FixedWindowCounter)
+ *   - Reads limits from the bundled runtime config (user-configurable)
+ *   - Falls back to sensible defaults if config is not set
+ *
+ * Layer 2: Cloudflare Rate Limiting Binding (ceiling safety net)
+ *   - All Bindings set to 10,000,000/60s in wrangler.toml
+ *   - Catches cases where isolate restarts reset software counters
+ *   - Miniflare emulates in all environments (Edge, dev, self-hosting)
+ *
+ * Groups handled here:
+ *   - `global`      — all routes (last-resort safety net)
+ *   - `db` — /api/db/* table CRUD
+ *   - `storage`     — /api/storage/*
+ *   - `functions`   — /api/functions/*
+ *
+ * Auth-specific groups (auth, authSignin, authSignup) are applied
+ * directly in auth routes using the exported counter and helpers.
+ *
+ * Valid Service Key requests bypass app-level rate limits entirely.
+ */
+// ─── Defaults (used when config.rateLimiting is not set) ───
+export const RATE_LIMIT_DEFAULTS: Record<string, { requests: number; windowSec: number }> = {
+  global:      { requests: 10_000_000, windowSec: 60 },
+  db: { requests: 100,        windowSec: 60 },
+  storage:     { requests: 50,         windowSec: 60 },
+  functions:   { requests: 50,         windowSec: 60 },
+  auth:        { requests: 30,         windowSec: 60 },
+  authSignin:  { requests: 10,         windowSec: 60 },
+  authSignup:  { requests: 10,         windowSec: 60 },
+  events:      { requests: 100,        windowSec: 60 },
+};
+// ─── Window parser ───
+/** Parse window string ('60s', '5m', '1h') or number (seconds) to seconds */
+export function parseWindow(window: string | number): number {
+  if (typeof window === 'number') return window > 0 ? window : 60;
+  const match = window.match(/^(\d+)(s|m|h)$/);
+  if (!match) return 60; // fallback
+  const value = parseInt(match[1], 10);
+  switch (match[2]) {
+    case 's': return value;
+    case 'm': return value * 60;
+    case 'h': return value * 3600;
+    default:  return 60;
+  }
+}
+// ─── Fixed Window Counter (per-isolate memory) ───
+interface Bucket {
+  count: number;
+  resetAt: number;
+}
+/**
+ * Per-isolate in-memory Fixed Window Counter.
+ * Provides config-driven rate limiting with automatic expiry cleanup.
+ *
+ * Accuracy:
+ * - Self-hosting (single process): exact
+ * - Cloudflare Edge (multiple isolates): approximate (each isolate has own counter)
+ * - Binding ceiling provides absolute safety regardless of counter accuracy
+ */
+export class FixedWindowCounter {
+  private buckets = new Map<string, Bucket>();
+  private lastCleanup = Date.now();
+  private static readonly CLEANUP_INTERVAL = 120_000; // 2 minutes
+  /**
+   * Check and increment counter. Returns true if within limit.
+   * @param key Unique key (e.g., 'db:1.2.3.4')
+   * @param limit Max requests per window
+   * @param windowSec Window size in seconds
+   */
+  check(key: string, limit: number, windowSec: number): boolean {
+    const now = Date.now();
+    this.maybeCleanup(now);
+    // limit=0 means "always blocked" (ban-mode) — never allow any request
+    if (limit <= 0) return false;
+    const windowMs = windowSec * 1000;
+    const bucket = this.buckets.get(key);
+    if (!bucket || now >= bucket.resetAt) {
+      this.buckets.set(key, { count: 1, resetAt: now + windowMs });
+      return true;
+    }
+    if (bucket.count >= limit) {
+      return false;
+    }
+    bucket.count++;
+    return true;
+  }
+  /** Get remaining seconds until reset for a key (for Retry-After header).
+   * Returns 0 if key has never been seen — no active rate-limit window exists. */
+  getRetryAfter(key: string): number {
+    const bucket = this.buckets.get(key);
+    if (!bucket) return 0;
+    return Math.max(1, Math.ceil((bucket.resetAt - Date.now()) / 1000));
+  }
+  private maybeCleanup(now: number): void {
+    if (now - this.lastCleanup < FixedWindowCounter.CLEANUP_INTERVAL) return;
+    this.lastCleanup = now;
+    for (const [key, bucket] of this.buckets) {
+      if (now >= bucket.resetAt) this.buckets.delete(key);
+    }
+  }
+}
+// ─── Singleton counter (shared within isolate) ───
+export const counter = new FixedWindowCounter();
+// ─── Helpers ───
+/** Get config-based limit for a group, with fallback to defaults */
+export function getLimit(
+  config: EdgeBaseConfig | undefined,
+  group: string,
+): { requests: number; windowSec: number } {
+  const rl = config?.rateLimiting;
+  if (rl) {
+    const configGroup = rl[group as keyof typeof rl];
+    if (configGroup?.requests != null && configGroup?.window) {
+      return {
+        requests: configGroup.requests,
+        windowSec: parseWindow(configGroup.window),
+      };
+    }
+  }
+  return RATE_LIMIT_DEFAULTS[group] ?? { requests: 10_000_000, windowSec: 60 };
+}
+/** Map group name to the corresponding env binding */
+function getBinding(env: Env, group: string): RateLimit | undefined {
+  if (!env) return undefined;
+  switch (group) {
+    case 'global':      return env.GLOBAL_RATE_LIMITER;
+    case 'db': return env.DB_RATE_LIMITER;
+    case 'storage':     return env.STORAGE_RATE_LIMITER;
+    case 'functions':   return env.FUNCTIONS_RATE_LIMITER;
+    case 'events':      return env.EVENTS_RATE_LIMITER;
+    default:            return undefined;
+  }
+}
+/** Determine the rate limit group for a request path */
+export function getGroup(path: string): string {
+  if (path.startsWith('/api/db/')) {
+    // Database-live endpoints live under /api/db/ but are not database CRUD operations
+    if (path === '/api/db/subscribe' || path === '/api/db/connect-check' || path === '/api/db/broadcast') {
+      return 'global';
+    }
+    return 'db';
+  }
+  if (path.startsWith('/api/storage/'))         return 'storage';
+  if (path.startsWith('/api/functions/'))        return 'functions';
+  if (path.startsWith('/api/analytics/track'))   return 'events';
+  return 'global';
+}
+/**
+ * Rate Limiting middleware — 2-layer architecture.
+ *
+ * 1. Software counter: config-driven (runtime config)
+ * 2. Binding: ceiling safety net (wrangler.toml, 10M/60s)
+ *
+ * Auth routes are included in global group.
+ * Valid Service Key requests bypass app-level rate limits.
+ * Identifier: always IP-based (auth middleware runs after rate limit).
+ */
+export const rateLimitMiddleware: MiddlewareHandler<HonoEnv> = async (c, next) => {
+  const path = new URL(c.req.url).pathname;
+  const group = getGroup(path);
+  // ── Determine identifier — always IP ──
+  // Security: CF-Connecting-IP is set by Cloudflare and cannot be spoofed by clients.
+  // X-Forwarded-For is only used as a fallback for self-hosted environments and
+  // MUST be set by a trusted reverse proxy (Nginx/Caddy). If EdgeBase is exposed
+  // directly without a proxy, clients can forge this header to bypass rate limits.
+  const ip = getTrustedClientIp(c.env, c.req) ?? 'unknown';
+  // ── Service Key check ──
+  const serviceKeyHeader = extractServiceKeyHeader(c.req) ?? extractBearerToken(c.req) ?? undefined;
+  let isServiceKey = false;
+  if (serviceKeyHeader) {
+    const config = c.env ? parseConfig(c.env) : {};
+    const constraintCtx: ConstraintContext = {
+      env: c.env?.ENVIRONMENT,
+      ip: ip !== 'unknown' ? ip : undefined,
+    };
+    const keymap = c.env ? buildKeymap(config, c.env as never) : null;
+    isServiceKey = validateConfiguredKey(serviceKeyHeader, keymap, constraintCtx) === 'valid';
+  }
+  if (isServiceKey) {
+    await next();
+    return;
+  }
+  // ── Parse config ──
+  const config = c.env ? parseConfig(c.env) : undefined;
+  // ── Layer 1: Software counter (config-driven) ──
+  const { requests, windowSec } = getLimit(config, group);
+  const counterKey = `${group}:${ip}`;
+  if (!counter.check(counterKey, requests, windowSec)) {
+    c.header('Retry-After', String(counter.getRetryAfter(counterKey)));
+    return c.json(
+      { code: 429, message: 'Too many requests. Please try again later.' },
+      429,
+    );
+  }
+  // ── Layer 2: Binding ceiling ──
+  const limiter = getBinding(c.env, group);
+  if (limiter) {
+    const { success } = await limiter.limit({ key: ip });
+    if (!success) {
+      c.header('Retry-After', '60');
+      return c.json(
+        { code: 429, message: 'Too many requests. Please try again later.' },
+        429,
+      );
+    }
+  }
+  // ── Also check global for non-global groups ──
+  if (group !== 'global') {
+    // Software counter for global
+    const globalLimit = getLimit(config, 'global');
+    const globalKey = `global:${ip}`;
+    if (!counter.check(globalKey, globalLimit.requests, globalLimit.windowSec)) {
+      c.header('Retry-After', String(counter.getRetryAfter(globalKey)));
+      return c.json(
+        { code: 429, message: 'Too many requests. Please try again later.' },
+        429,
+      );
+    }
+    // Binding ceiling for global
+    const globalLimiter = getBinding(c.env, 'global');
+    if (globalLimiter) {
+      const { success } = await globalLimiter.limit({ key: ip });
+      if (!success) {
+        c.header('Retry-After', '60');
+        return c.json(
+          { code: 429, message: 'Too many requests. Please try again later.' },
+          429,
+        );
+      }
+    }
+  }
+  await next();
+};