npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/routes/room.ts ADDED Viewed

@@ -0,0 +1,639 @@
+/**
+ * Room WebSocket route — /api/room
+ *
+ * Handles WebSocket upgrade requests and routes to Room DO.
+ * v2: namespace + roomId identification.
+ *
+ * URL: /api/room?namespace={ns}&id={roomId}
+ * DO name: namespace::roomId
+ *
+ * DDoS defense (same pattern as Database Live,):
+ *   - IP-based pending connection limit (5 max)
+ *   - KV counter with expirationTtl: 60s
+ */
+import { OpenAPIHono, createRoute, z, type HonoEnv } from '../lib/hono.js';
+import type { RoomNamespaceConfig } from '@edge-base/shared';
+import type { Context } from 'hono';
+import { parseConfig } from '../lib/do-router.js';
+import { resolveRoomRuntime } from '../lib/room-runtime.js';
+import { zodDefaultHook, jsonResponseSchema, errorResponseSchema } from '../lib/schemas.js';
+import {
+  acquirePendingWebSocketSlot,
+  getPendingWebSocketCount,
+  releasePendingWebSocketSlot,
+} from '../lib/websocket-pending.js';
+import { getTrustedClientIp } from '../lib/client-ip.js';
+export const roomRoute = new OpenAPIHono<HonoEnv>({ defaultHook: zodDefaultHook });
+const MAX_PENDING_PER_IP = 5;
+const PENDING_TTL_SECONDS = 60;
+const roomFallbackWarnings = new Set<string>();
+const roomQuerySchema = z.object({
+  namespace: z.string().openapi({ description: 'Room namespace' }),
+  id: z.string().openapi({ description: 'Room ID' }),
+});
+const roomConnectDiagnosticSchema = z.object({
+  ok: z.boolean(),
+  type: z.string(),
+  category: z.string(),
+  message: z.string(),
+  namespace: z.string().optional(),
+  roomId: z.string().optional(),
+  runtime: z.string().optional(),
+  pendingCount: z.number().optional(),
+  maxPending: z.number().optional(),
+});
+const roomRealtimeSessionDescriptionSchema = z.object({
+  sdp: z.string().openapi({ description: 'WebRTC session description payload' }),
+  type: z.enum(['offer', 'answer']).openapi({ description: 'Session description type' }),
+});
+const roomRealtimeTrackSchema = z.object({
+  location: z.enum(['local', 'remote']).openapi({ description: 'Track direction relative to the caller' }),
+  mid: z.string().optional().openapi({ description: 'WebRTC media ID' }),
+  sessionId: z.string().optional().openapi({ description: 'Provider session ID associated with this track' }),
+  trackName: z.string().optional().openapi({ description: 'Track name used by the provider' }),
+  bidirectionalMediaStream: z.boolean().optional().openapi({ description: 'Whether the track should be bidirectional' }),
+  kind: z.string().optional().openapi({ description: 'Track kind reported by the provider' }),
+  simulcast: z.object({
+    preferredRid: z.string().optional(),
+    priorityOrdering: z.enum(['none', 'asciibetical']).optional(),
+    ridNotAvailable: z.enum(['none', 'asciibetical']).optional(),
+  }).optional().openapi({ description: 'Optional simulcast preferences' }),
+  errorCode: z.string().optional().openapi({ description: 'Provider-level error code for this track' }),
+  errorDescription: z.string().optional().openapi({ description: 'Provider-level error description for this track' }),
+});
+const roomRealtimeCreateSessionBodySchema = z.object({
+  connectionId: z.string().optional().openapi({ description: 'Specific room connection ID to bind the realtime session to' }),
+  correlationId: z.string().optional().openapi({ description: 'Optional provider correlation ID' }),
+  thirdparty: z.boolean().optional().openapi({ description: 'Forward Cloudflare Realtime thirdparty mode' }),
+  sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
+});
+const roomRealtimeCreateSessionResponseSchema = z.object({
+  sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
+  sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
+  errorCode: z.string().optional(),
+  errorDescription: z.string().optional(),
+  connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
+  reused: z.boolean().optional().openapi({ description: 'Whether an existing provider session was reused' }),
+});
+const roomRealtimeSessionStateSchema = z.object({
+  sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
+  connectionId: z.string().optional().openapi({ description: 'Room connection ID associated with the session' }),
+  createdAt: z.number().openapi({ description: 'Unix epoch milliseconds when the session was created' }),
+  updatedAt: z.number().openapi({ description: 'Unix epoch milliseconds when the session was last updated' }),
+});
+const roomRealtimeIceServerSchema = z.object({
+  urls: z.union([z.array(z.string()), z.string()]).openapi({ description: 'ICE server URL or URL list' }),
+  username: z.string().optional(),
+  credential: z.string().optional(),
+});
+const roomRealtimeIceServersBodySchema = z.object({
+  ttl: z.number().optional().openapi({ description: 'Requested TURN credential TTL in seconds' }),
+});
+const roomRealtimeIceServersResponseSchema = z.object({
+  iceServers: z.array(roomRealtimeIceServerSchema).openapi({ description: 'ICE servers returned by Cloudflare TURN' }),
+});
+const roomRealtimeTracksResponseSchema = z.object({
+  errorCode: z.string().optional(),
+  errorDescription: z.string().optional(),
+  requiresImmediateRenegotiation: z.boolean().optional(),
+  sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
+  tracks: z.array(roomRealtimeTrackSchema).optional(),
+});
+const roomRealtimeTracksBodySchema = z.object({
+  sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
+  connectionId: z.string().optional().openapi({ description: 'Specific room connection ID to bind the track operation to' }),
+  sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
+  tracks: z.array(roomRealtimeTrackSchema).min(1).openapi({ description: 'Tracks to create or subscribe to' }),
+  autoDiscover: z.boolean().optional().openapi({ description: 'Ask the provider to auto-discover remote tracks' }),
+  publish: z.object({
+    kind: z.enum(['audio', 'video', 'screen']).optional(),
+    trackId: z.string().optional(),
+    deviceId: z.string().optional(),
+    muted: z.boolean().optional(),
+  }).optional().openapi({ description: 'Optional room media state updates to apply after track creation' }),
+});
+const roomRealtimeRenegotiateBodySchema = z.object({
+  sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
+  connectionId: z.string().optional().openapi({ description: 'Specific room connection ID to bind the renegotiation to' }),
+  sessionDescription: roomRealtimeSessionDescriptionSchema,
+});
+const roomRealtimeCloseTracksBodySchema = z.object({
+  sessionId: z.string().openapi({ description: 'Realtime provider session ID' }),
+  connectionId: z.string().optional().openapi({ description: 'Specific room connection ID to bind the close operation to' }),
+  sessionDescription: roomRealtimeSessionDescriptionSchema.optional(),
+  tracks: z.array(z.object({
+    mid: z.string().openapi({ description: 'Track MID to close' }),
+  })).min(1).openapi({ description: 'Tracks to close' }),
+  force: z.boolean().optional().openapi({ description: 'Force close even if the provider reports the track as active' }),
+  unpublish: z.object({
+    kind: z.enum(['audio', 'video', 'screen']).optional(),
+  }).optional().openapi({ description: 'Optional room media state cleanup after closing tracks' }),
+});
+function isRoomOperationPublic(
+  namespaceConfig: RoomNamespaceConfig | null | undefined,
+  operation: 'metadata' | 'join' | 'action',
+): boolean {
+  if (!namespaceConfig?.public) return false;
+  if (namespaceConfig.public === true) return true;
+  return !!namespaceConfig.public[operation];
+}
+function getRoomAuthContext(
+  auth: {
+    id?: string;
+    role?: string;
+    email?: string | null;
+    custom?: Record<string, unknown> | null;
+    isAnonymous?: boolean;
+    meta?: Record<string, unknown>;
+  } | null | undefined,
+) {
+  if (!auth?.id) return null;
+  return {
+    id: auth.id,
+    role: auth.role,
+    email: auth.email ?? undefined,
+    custom: auth.custom ?? undefined,
+    isAnonymous: auth.isAnonymous,
+    meta: auth.meta,
+  };
+}
+export async function proxyRoomDoRequest(
+  c: Context<HonoEnv>,
+  path: string,
+  method: string,
+  options?: { requireAuth?: boolean; validatedJson?: unknown },
+): Promise<Response> {
+  const namespace = c.req.query('namespace');
+  const roomId = c.req.query('id');
+  if (!namespace || !roomId) {
+    return c.json({ code: 400, message: 'namespace and id query parameters required' }, 400);
+  }
+  if (options?.requireAuth && !c.get('auth')) {
+    return c.json({ code: 401, message: 'Authentication required' }, 401);
+  }
+  const config = parseConfig(c.env);
+  if (config.release && !config.rooms?.[namespace]) {
+    return c.json({ code: 403, message: `Room namespace '${namespace}' not configured` }, 403);
+  }
+  const runtime = resolveRoomRuntime(c.env);
+  if (!runtime.binding) {
+    return c.json({ code: 404, message: `Room runtime '${runtime.target}' not configured` }, 404);
+  }
+  const doName = `${namespace}::${roomId}`;
+  const doId = runtime.binding.idFromName(doName);
+  const doStub = runtime.binding.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = path;
+  url.searchParams.set('room', doName);
+  let body: ArrayBuffer | undefined;
+  if (method !== 'GET' && method !== 'HEAD') {
+    if (!c.req.raw.bodyUsed) {
+      body = await c.req.raw.clone().arrayBuffer().catch(() => undefined);
+    }
+    if ((!body || body.byteLength === 0) && options?.validatedJson !== undefined) {
+      body = new TextEncoder().encode(JSON.stringify(options.validatedJson)).buffer;
+    }
+  }
+  const doRequest = new Request(url.toString(), {
+    method,
+    headers: c.req.raw.headers,
+    body: body && body.byteLength > 0 ? body : undefined,
+  });
+  return doStub.fetch(doRequest);
+}
+const connectRoom = createRoute({
+  operationId: 'connectRoom',
+  method: 'get',
+  path: '/',
+  tags: ['client'],
+  summary: 'Connect to room WebSocket',
+  description: 'WebSocket upgrade endpoint for Room connections. Requires Upgrade: websocket header.',
+  request: {
+    query: roomQuerySchema,
+  },
+  responses: {
+    101: { description: 'WebSocket upgrade successful' },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    429: { description: 'Rate limited', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+const roomConnectCheck = createRoute({
+  operationId: 'checkRoomConnection',
+  method: 'get',
+  path: '/connect-check',
+  tags: ['client'],
+  summary: 'Check room WebSocket connection prerequisites',
+  request: {
+    query: roomQuerySchema,
+  },
+  responses: {
+    200: { description: 'Room connection looks ready', content: { 'application/json': { schema: roomConnectDiagnosticSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: roomConnectDiagnosticSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: roomConnectDiagnosticSchema } } },
+    404: { description: 'Room feature not configured', content: { 'application/json': { schema: roomConnectDiagnosticSchema } } },
+    429: { description: 'Rate limited', content: { 'application/json': { schema: roomConnectDiagnosticSchema } } },
+  },
+});
+roomRoute.openapi(roomConnectCheck, async (c) => {
+  const namespace = c.req.query('namespace');
+  const roomId = c.req.query('id');
+  if (!namespace || !roomId) {
+    return c.json({
+      ok: false,
+      type: 'room_connect_invalid_request',
+      category: 'request',
+      message: 'namespace and id query parameters required',
+    }, 400);
+  }
+  const config = parseConfig(c.env);
+  if (config.release && !config.rooms?.[namespace]) {
+    return c.json({
+      ok: false,
+      type: 'room_namespace_not_configured',
+      category: 'config',
+      message: `Room namespace '${namespace}' not configured`,
+      namespace,
+      roomId,
+    }, 403);
+  }
+  const runtime = resolveRoomRuntime(c.env);
+  if (!runtime.binding) {
+    return c.json({
+      ok: false,
+      type: 'room_runtime_unconfigured',
+      category: 'config',
+      message: `Room runtime '${runtime.target}' not configured`,
+      namespace,
+      roomId,
+      runtime: runtime.target,
+    }, 404);
+  }
+  const ip = getTrustedClientIp(c.env, c.req) ?? 'unknown';
+  const kvKey = `ws:room:pending:${ip}`;
+  const pendingCount = await getPendingWebSocketCount(c.env.KV, kvKey).catch(() => 0);
+  if (pendingCount >= MAX_PENDING_PER_IP) {
+    return c.json({
+      ok: false,
+      type: 'room_connect_rate_limited',
+      category: 'rate_limit',
+      message: 'Too many pending Room connections',
+      namespace,
+      roomId,
+      runtime: runtime.target,
+      pendingCount,
+      maxPending: MAX_PENDING_PER_IP,
+    }, 429);
+  }
+  return c.json({
+    ok: true,
+    type: 'room_connect_ready',
+    category: 'ready',
+    message: 'Room WebSocket preflight passed',
+    namespace,
+    roomId,
+    runtime: runtime.target,
+    pendingCount,
+    maxPending: MAX_PENDING_PER_IP,
+  }, 200);
+});
+roomRoute.openapi(connectRoom, async (c) => {
+  const upgradeHeader = c.req.header('Upgrade');
+  if (upgradeHeader !== 'websocket') {
+    return c.json({ code: 400, message: 'Expected WebSocket upgrade' }, 400);
+  }
+  const namespace = c.req.query('namespace');
+  const roomId = c.req.query('id');
+  if (!namespace || !roomId) {
+    return c.json({ code: 400, message: 'namespace and id query parameters required' }, 400);
+  }
+  // ─── Validate namespace against config ───
+  const config = parseConfig(c.env);
+  if (config.release) {
+    if (!config.rooms?.[namespace]) {
+      return c.json({
+        code: 403,
+        message: `Room namespace '${namespace}' not configured`,
+      }, 403);
+    }
+  }
+  const runtime = resolveRoomRuntime(c.env);
+  if (!runtime.binding) {
+    return c.json({ code: 404, message: `Room runtime '${runtime.target}' not configured` }, 404);
+  }
+  // ─── DDoS Defense: IP-based pending connection limit ───
+  const ip = getTrustedClientIp(c.env, c.req) ?? 'unknown';
+  const kvKey = `ws:room:pending:${ip}`;
+  let pendingTracked = false;
+  try {
+    pendingTracked = await acquirePendingWebSocketSlot(
+      c.env.KV,
+      kvKey,
+      MAX_PENDING_PER_IP,
+      PENDING_TTL_SECONDS,
+    );
+    if (!pendingTracked) {
+      return c.json({
+        code: 429,
+        message: 'Too many pending Room connections',
+      }, 429);
+    }
+  } catch {
+    // KV failure shouldn't block legitimate connections
+  }
+  // ─── Route to Room DO ───
+  const doName = `${namespace}::${roomId}`;
+  const doId = runtime.binding.idFromName(doName);
+  const doStub = runtime.binding.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = '/websocket';
+  url.searchParams.set('room', doName);
+  const doRequest = new Request(url.toString(), {
+    headers: c.req.raw.headers,
+  });
+  try {
+    return await doStub.fetch(doRequest);
+  } finally {
+    if (pendingTracked) {
+      try {
+        await releasePendingWebSocketSlot(c.env.KV, kvKey, PENDING_TTL_SECONDS);
+      } catch {
+        // KV failure shouldn't break an already accepted connection.
+      }
+    }
+  }
+});
+/**
+ * GET /room/metadata?namespace={ns}&id={roomId}
+ * HTTP endpoint to query room metadata without joining.
+ * In release mode, metadata requires either an explicit access rule or public.metadata opt-in.
+ */
+const getRoomMetadata = createRoute({
+  operationId: 'getRoomMetadata',
+  method: 'get',
+  path: '/metadata',
+  tags: ['client'],
+  summary: 'Get room metadata',
+  request: {
+    query: roomQuerySchema,
+  },
+  responses: {
+    200: { description: 'Room metadata', content: { 'application/json': { schema: jsonResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Not found', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+roomRoute.openapi(getRoomMetadata, async (c) => {
+  const namespace = c.req.query('namespace');
+  const roomId = c.req.query('id');
+  if (!namespace || !roomId) {
+    return c.json({ code: 400, message: 'namespace and id query parameters required' }, 400);
+  }
+  // Validate namespace against config
+  const config = parseConfig(c.env);
+  const namespaceConfig = config.rooms?.[namespace];
+  if (config.release) {
+    if (!config.rooms?.[namespace]) {
+      return c.json({
+        code: 403,
+        message: `Room namespace '${namespace}' not configured`,
+      }, 403);
+    }
+  }
+  const metadataAccess = namespaceConfig?.access?.metadata;
+  if (!metadataAccess) {
+    if (config.release && !isRoomOperationPublic(namespaceConfig, 'metadata')) {
+      return c.json({ code: 403, message: 'Room metadata requires access.metadata or public.metadata in release mode' }, 403);
+    }
+    if (!config.release) {
+      const warningKey = `${namespace}:metadata`;
+      if (!roomFallbackWarnings.has(warningKey)) {
+        roomFallbackWarnings.add(warningKey);
+        console.warn(`[Room] ${warningKey} is using development-mode allow-by-default. Add rooms.${namespace}.access.metadata or public.metadata to make this explicit.`);
+      }
+    }
+  }
+  if (metadataAccess) {
+    const auth = (c.get('auth') as { id?: string; role?: string; email?: string | null; custom?: Record<string, unknown> | null; isAnonymous?: boolean; meta?: Record<string, unknown> } | null | undefined) ?? null;
+    const allowed = await Promise.resolve(metadataAccess(
+      getRoomAuthContext(auth),
+      roomId,
+    )).catch(() => false);
+    if (!allowed) {
+      return c.json({ code: 403, message: 'Denied by room metadata access rule' }, 403);
+    }
+  }
+  const runtime = resolveRoomRuntime(c.env);
+  if (!runtime.binding) {
+    return c.json({ code: 404, message: `Room runtime '${runtime.target}' not configured` }, 404);
+  }
+  // Route to Room DO
+  const doName = `${namespace}::${roomId}`;
+  const doId = runtime.binding.idFromName(doName);
+  const doStub = runtime.binding.get(doId);
+  const url = new URL(c.req.url);
+  url.pathname = '/metadata';
+  url.searchParams.set('room', doName);
+  const doRequest = new Request(url.toString(), {
+    method: 'GET',
+    headers: c.req.raw.headers,
+  });
+  return doStub.fetch(doRequest);
+});
+const getRoomRealtimeSession = createRoute({
+  operationId: 'getRoomRealtimeSession',
+  method: 'get',
+  path: '/media/realtime/session',
+  tags: ['client'],
+  summary: 'Get the active room realtime media session',
+  description: 'Returns the provider session currently bound to the authenticated room member.',
+  request: {
+    query: roomQuerySchema.extend({
+      connectionId: z.string().optional().openapi({ description: 'Optional room connection ID override' }),
+    }),
+  },
+  responses: {
+    200: { description: 'Active room realtime session', content: { 'application/json': { schema: roomRealtimeSessionStateSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'No active session or runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+const createRoomRealtimeSession = createRoute({
+  operationId: 'createRoomRealtimeSession',
+  method: 'post',
+  path: '/media/realtime/session',
+  tags: ['client'],
+  summary: 'Create a room realtime media session',
+  description: 'Creates a Cloudflare Realtime session for the authenticated room member.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomRealtimeCreateSessionBodySchema } }, required: false },
+  },
+  responses: {
+    200: { description: 'Realtime session created', content: { 'application/json': { schema: roomRealtimeCreateSessionResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+    409: { description: 'Conflicting existing published media', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+const createRoomRealtimeIceServers = createRoute({
+  operationId: 'createRoomRealtimeIceServers',
+  method: 'post',
+  path: '/media/realtime/turn',
+  tags: ['client'],
+  summary: 'Generate TURN / ICE credentials for room realtime media',
+  description: 'Generates ICE server credentials for the authenticated room member.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomRealtimeIceServersBodySchema } }, required: false },
+  },
+  responses: {
+    200: { description: 'ICE servers generated', content: { 'application/json': { schema: roomRealtimeIceServersResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+const addRoomRealtimeTracks = createRoute({
+  operationId: 'addRoomRealtimeTracks',
+  method: 'post',
+  path: '/media/realtime/tracks/new',
+  tags: ['client'],
+  summary: 'Add realtime media tracks to a room session',
+  description: 'Creates or subscribes realtime tracks for the authenticated room member.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomRealtimeTracksBodySchema } }, required: true },
+  },
+  responses: {
+    200: { description: 'Realtime tracks updated', content: { 'application/json': { schema: roomRealtimeTracksResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+const renegotiateRoomRealtimeSession = createRoute({
+  operationId: 'renegotiateRoomRealtimeSession',
+  method: 'put',
+  path: '/media/realtime/renegotiate',
+  tags: ['client'],
+  summary: 'Renegotiate a room realtime media session',
+  description: 'Submits a new session description for an existing room realtime media session.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomRealtimeRenegotiateBodySchema } }, required: true },
+  },
+  responses: {
+    200: { description: 'Realtime session renegotiated', content: { 'application/json': { schema: roomRealtimeTracksResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+const closeRoomRealtimeTracks = createRoute({
+  operationId: 'closeRoomRealtimeTracks',
+  method: 'put',
+  path: '/media/realtime/tracks/close',
+  tags: ['client'],
+  summary: 'Close room realtime media tracks',
+  description: 'Closes provider tracks for the authenticated room member and optionally unpublishes room media state.',
+  request: {
+    query: roomQuerySchema,
+    body: { content: { 'application/json': { schema: roomRealtimeCloseTracksBodySchema } }, required: true },
+  },
+  responses: {
+    200: { description: 'Realtime tracks closed', content: { 'application/json': { schema: roomRealtimeTracksResponseSchema } } },
+    400: { description: 'Bad request', content: { 'application/json': { schema: errorResponseSchema } } },
+    401: { description: 'Authentication required', content: { 'application/json': { schema: errorResponseSchema } } },
+    403: { description: 'Forbidden', content: { 'application/json': { schema: errorResponseSchema } } },
+    404: { description: 'Room runtime not found', content: { 'application/json': { schema: errorResponseSchema } } },
+  },
+});
+roomRoute.openapi(getRoomRealtimeSession, async (c) =>
+  proxyRoomDoRequest(c, '/media/realtime/session', 'GET', { requireAuth: true }));
+roomRoute.openapi(createRoomRealtimeSession, async (c) =>
+  proxyRoomDoRequest(c, '/media/realtime/session', 'POST', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));
+roomRoute.openapi(createRoomRealtimeIceServers, async (c) =>
+  proxyRoomDoRequest(c, '/media/realtime/turn', 'POST', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));
+roomRoute.openapi(addRoomRealtimeTracks, async (c) =>
+  proxyRoomDoRequest(c, '/media/realtime/tracks/new', 'POST', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));
+roomRoute.openapi(renegotiateRoomRealtimeSession, async (c) =>
+  proxyRoomDoRequest(c, '/media/realtime/renegotiate', 'PUT', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));
+roomRoute.openapi(closeRoomRealtimeTracks, async (c) =>
+  proxyRoomDoRequest(c, '/media/realtime/tracks/close', 'PUT', {
+    requireAuth: true,
+    validatedJson: c.req.valid('json'),
+  }));