@hot-updater/server 0.31.4 → 0.32.0

package/dist/_virtual/_rolldown/runtime.cjs

@@ -5,7 +5,7 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports);
+var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __copyProps = (to, from, except, desc) => {
 	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
 		key = keys[i];

package/dist/_virtual/_rolldown/runtime.mjs

@@ -1,6 +1,6 @@
 import { createRequire } from "node:module";
 //#region \0rolldown/runtime.js
-var __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports);
+var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
 export { __commonJSMin, __require };

package/dist/db/createBundleDiff.cjs

@@ -1,12 +1,13 @@
 const require_runtime = require("../_virtual/_rolldown/runtime.cjs");
+let _hot_updater_plugin_core = require("@hot-updater/plugin-core");
 let node_crypto = require("node:crypto");
-node_crypto = require_runtime.__toESM(node_crypto, 1);
+node_crypto = require_runtime.__toESM(node_crypto);
 let node_fs_promises = require("node:fs/promises");
-node_fs_promises = require_runtime.__toESM(node_fs_promises, 1);
+node_fs_promises = require_runtime.__toESM(node_fs_promises);
 let node_os = require("node:os");
-node_os = require_runtime.__toESM(node_os, 1);
+node_os = require_runtime.__toESM(node_os);
 let node_path = require("node:path");
-node_path = require_runtime.__toESM(node_path, 1);
+node_path = require_runtime.__toESM(node_path);
 let node_util = require("node:util");
 let node_zlib = require("node:zlib");
 let _hot_updater_bsdiff = require("@hot-updater/bsdiff");
@@ -27,11 +28,6 @@ const isBundleManifest = (value) => {
 		return typeof manifestAsset.fileHash === "string" && (manifestAsset.signature === void 0 || typeof manifestAsset.signature === "string");
 	});
 };
-const createChildStorageUri = (baseStorageUri, relativePath) => {
-	const baseUrl = new URL(baseStorageUri);
-	baseUrl.pathname = `${baseUrl.pathname.replace(/\/+$/, "")}/${relativePath.split("/").filter(Boolean).map((segment) => encodeURIComponent(segment)).join("/")}`;
-	return baseUrl.toString();
-};
 const getRelativeStorageDir = (relativePath) => {
 	const normalized = relativePath.replace(/\\/g, "/");
 	const dirname = node_path.default.posix.dirname(normalized);
@@ -76,18 +72,28 @@ function resolveHbcAssetPath(manifest) {
 	if (candidates.length > 1) throw new Error(`Expected exactly one Hermes bundle asset in manifest, found ${candidates.length}: ${candidates.join(", ")}`);
 	return candidates[0];
 }
-async function fetchAssetBytes(bundle, assetPath, storagePlugin) {
+async function fetchAssetBytes(bundle, assetPath, manifest, storagePlugin) {
 	const assetBaseStorageUri = (0, _hot_updater_core.getAssetBaseStorageUri)(bundle);
 	if (!assetBaseStorageUri) throw new Error(`Bundle ${bundle.id} does not have asset storage metadata`);
+	const asset = manifest.assets[assetPath];
+	if (!asset) throw new Error(`Asset ${assetPath} is missing from manifest`);
 	if (BR_COMPRESSED_ASSET_PATH_RE.test(assetPath)) {
-		const compressedAssetStorageUri = createChildStorageUri(assetBaseStorageUri, `${assetPath}.br`);
+		const compressedAssetStorageUri = (0, _hot_updater_plugin_core.resolveManifestAssetStorageUri)({
+			assetBaseStorageUri,
+			assetPath: `${assetPath}.br`,
+			fileHash: asset.fileHash
+		});
 		let compressedBytes = null;
 		try {
 			compressedBytes = await downloadStorageBytes(compressedAssetStorageUri, storagePlugin);
 		} catch {}
 		if (compressedBytes) return new Uint8Array(await decompressBrotli(compressedBytes));
 	}
-	return downloadStorageBytes(createChildStorageUri(assetBaseStorageUri, assetPath), storagePlugin);
+	return downloadStorageBytes((0, _hot_updater_plugin_core.resolveManifestAssetStorageUri)({
+		assetBaseStorageUri,
+		assetPath,
+		fileHash: asset.fileHash
+	}), storagePlugin);
 }
 async function getFileHash(filePath) {
 	const file = await node_fs_promises.default.readFile(filePath);
@@ -117,7 +123,7 @@ async function createBundleDiff({ baseBundleId, bundleId }, deps, options = {})
 	const targetAssetHash = targetManifest.assets[targetAssetPath]?.fileHash;
 	if (!baseAssetHash || !targetAssetHash) throw new Error("Hermes asset hash is missing from manifest");
 	if (baseAssetHash === targetAssetHash) throw new Error("Hermes bundle is unchanged; no diff patch is required");
-	const [baseBytes, targetBytes] = await Promise.all([fetchAssetBytes(baseBundle, baseAssetPath, deps.storagePlugin), fetchAssetBytes(targetBundle, targetAssetPath, deps.storagePlugin)]);
+	const [baseBytes, targetBytes] = await Promise.all([fetchAssetBytes(baseBundle, baseAssetPath, baseManifest, deps.storagePlugin), fetchAssetBytes(targetBundle, targetAssetPath, targetManifest, deps.storagePlugin)]);
 	const patchBytes = await (0, _hot_updater_bsdiff.hdiff)(baseBytes, targetBytes);
 	const workDir = await node_fs_promises.default.mkdtemp(node_path.default.join(node_os.default.tmpdir(), "hot-updater-console-bsdiff-"));
 	const patchFilename = `${node_path.default.posix.basename(targetAssetPath)}.bsdiff`;

package/dist/db/createBundleDiff.mjs

@@ -1,3 +1,4 @@
+import { resolveManifestAssetStorageUri } from "@hot-updater/plugin-core";
 import crypto, { randomUUID } from "node:crypto";
 import fs from "node:fs/promises";
 import os from "node:os";
@@ -22,11 +23,6 @@ const isBundleManifest = (value) => {
 		return typeof manifestAsset.fileHash === "string" && (manifestAsset.signature === void 0 || typeof manifestAsset.signature === "string");
 	});
 };
-const createChildStorageUri = (baseStorageUri, relativePath) => {
-	const baseUrl = new URL(baseStorageUri);
-	baseUrl.pathname = `${baseUrl.pathname.replace(/\/+$/, "")}/${relativePath.split("/").filter(Boolean).map((segment) => encodeURIComponent(segment)).join("/")}`;
-	return baseUrl.toString();
-};
 const getRelativeStorageDir = (relativePath) => {
 	const normalized = relativePath.replace(/\\/g, "/");
 	const dirname = path.posix.dirname(normalized);
@@ -71,18 +67,28 @@ function resolveHbcAssetPath(manifest) {
 	if (candidates.length > 1) throw new Error(`Expected exactly one Hermes bundle asset in manifest, found ${candidates.length}: ${candidates.join(", ")}`);
 	return candidates[0];
 }
-async function fetchAssetBytes(bundle, assetPath, storagePlugin) {
+async function fetchAssetBytes(bundle, assetPath, manifest, storagePlugin) {
 	const assetBaseStorageUri = getAssetBaseStorageUri(bundle);
 	if (!assetBaseStorageUri) throw new Error(`Bundle ${bundle.id} does not have asset storage metadata`);
+	const asset = manifest.assets[assetPath];
+	if (!asset) throw new Error(`Asset ${assetPath} is missing from manifest`);
 	if (BR_COMPRESSED_ASSET_PATH_RE.test(assetPath)) {
-		const compressedAssetStorageUri = createChildStorageUri(assetBaseStorageUri, `${assetPath}.br`);
+		const compressedAssetStorageUri = resolveManifestAssetStorageUri({
+			assetBaseStorageUri,
+			assetPath: `${assetPath}.br`,
+			fileHash: asset.fileHash
+		});
 		let compressedBytes = null;
 		try {
 			compressedBytes = await downloadStorageBytes(compressedAssetStorageUri, storagePlugin);
 		} catch {}
 		if (compressedBytes) return new Uint8Array(await decompressBrotli(compressedBytes));
 	}
-	return downloadStorageBytes(createChildStorageUri(assetBaseStorageUri, assetPath), storagePlugin);
+	return downloadStorageBytes(resolveManifestAssetStorageUri({
+		assetBaseStorageUri,
+		assetPath,
+		fileHash: asset.fileHash
+	}), storagePlugin);
 }
 async function getFileHash(filePath) {
 	const file = await fs.readFile(filePath);
@@ -112,7 +118,7 @@ async function createBundleDiff({ baseBundleId, bundleId }, deps, options = {})
 	const targetAssetHash = targetManifest.assets[targetAssetPath]?.fileHash;
 	if (!baseAssetHash || !targetAssetHash) throw new Error("Hermes asset hash is missing from manifest");
 	if (baseAssetHash === targetAssetHash) throw new Error("Hermes bundle is unchanged; no diff patch is required");
-	const [baseBytes, targetBytes] = await Promise.all([fetchAssetBytes(baseBundle, baseAssetPath, deps.storagePlugin), fetchAssetBytes(targetBundle, targetAssetPath, deps.storagePlugin)]);
+	const [baseBytes, targetBytes] = await Promise.all([fetchAssetBytes(baseBundle, baseAssetPath, baseManifest, deps.storagePlugin), fetchAssetBytes(targetBundle, targetAssetPath, targetManifest, deps.storagePlugin)]);
 	const patchBytes = await hdiff(baseBytes, targetBytes);
 	const workDir = await fs.mkdtemp(path.join(os.tmpdir(), "hot-updater-console-bsdiff-"));
 	const patchFilename = `${path.posix.basename(targetAssetPath)}.bsdiff`;

package/dist/db/schemaEnhancements.cjs

@@ -1,7 +1,7 @@
 const require_runtime = require("../_virtual/_rolldown/runtime.cjs");
 let _hot_updater_core = require("@hot-updater/core");
 let semver = require("semver");
-semver = require_runtime.__toESM(semver, 1);
+semver = require_runtime.__toESM(semver);
 //#region src/db/schemaEnhancements.ts
 const normalizeNullableString = (value) => {
 	if (value === null || value === void 0) return null;

package/dist/db/updateArtifacts.cjs

@@ -1,4 +1,5 @@
 require("../_virtual/_rolldown/runtime.cjs");
+let _hot_updater_plugin_core = require("@hot-updater/plugin-core");
 let _hot_updater_core = require("@hot-updater/core");
 //#region src/db/updateArtifacts.ts
 const HBC_ASSET_PATH_RE = /\.bundle$/;
@@ -18,11 +19,6 @@ const isBundleManifest = (value) => {
 		return typeof manifestAsset.fileHash === "string" && (manifestAsset.signature === void 0 || typeof manifestAsset.signature === "string");
 	});
 };
-const createChildStorageUri = (baseStorageUri, relativePath) => {
-	const baseUrl = new URL(baseStorageUri);
-	baseUrl.pathname = `${baseUrl.pathname.replace(/\/+$/, "")}/${relativePath.split("/").filter(Boolean).map((segment) => encodeURIComponent(segment)).join("/")}`;
-	return baseUrl.toString();
-};
 const parseBundleMetadata = (value) => {
 	if (!value) return;
 	let parsedValue = value;
@@ -61,7 +57,11 @@ async function resolveChangedAssets({ assetBaseStorageUri, currentManifest, curr
 	const changedEntries = await Promise.all(Object.entries(targetManifest.assets).map(async ([assetPath, asset]) => {
 		if ((currentManifest?.assets[assetPath])?.fileHash === asset.fileHash) return null;
 		const usesBrotliAsset = BR_COMPRESSED_ASSET_PATH_RE.test(assetPath);
-		const storageUri = createChildStorageUri(assetBaseStorageUri, usesBrotliAsset ? `${assetPath}.br` : assetPath);
+		const storageUri = (0, _hot_updater_plugin_core.resolveManifestAssetStorageUri)({
+			assetBaseStorageUri,
+			assetPath: usesBrotliAsset ? `${assetPath}.br` : assetPath,
+			fileHash: asset.fileHash
+		});
 		const patch = patchDescriptor?.assetPath === assetPath ? patchDescriptor.patch : null;
 		let fileUrl = null;
 		try {

package/dist/db/updateArtifacts.mjs

@@ -1,3 +1,4 @@
+import { resolveManifestAssetStorageUri } from "@hot-updater/plugin-core";
 import { getAssetBaseStorageUri, getBundlePatch, getManifestFileHash, getManifestStorageUri, stripBundleArtifactMetadata } from "@hot-updater/core";
 //#region src/db/updateArtifacts.ts
 const HBC_ASSET_PATH_RE = /\.bundle$/;
@@ -17,11 +18,6 @@ const isBundleManifest = (value) => {
 		return typeof manifestAsset.fileHash === "string" && (manifestAsset.signature === void 0 || typeof manifestAsset.signature === "string");
 	});
 };
-const createChildStorageUri = (baseStorageUri, relativePath) => {
-	const baseUrl = new URL(baseStorageUri);
-	baseUrl.pathname = `${baseUrl.pathname.replace(/\/+$/, "")}/${relativePath.split("/").filter(Boolean).map((segment) => encodeURIComponent(segment)).join("/")}`;
-	return baseUrl.toString();
-};
 const parseBundleMetadata = (value) => {
 	if (!value) return;
 	let parsedValue = value;
@@ -60,7 +56,11 @@ async function resolveChangedAssets({ assetBaseStorageUri, currentManifest, curr
 	const changedEntries = await Promise.all(Object.entries(targetManifest.assets).map(async ([assetPath, asset]) => {
 		if ((currentManifest?.assets[assetPath])?.fileHash === asset.fileHash) return null;
 		const usesBrotliAsset = BR_COMPRESSED_ASSET_PATH_RE.test(assetPath);
-		const storageUri = createChildStorageUri(assetBaseStorageUri, usesBrotliAsset ? `${assetPath}.br` : assetPath);
+		const storageUri = resolveManifestAssetStorageUri({
+			assetBaseStorageUri,
+			assetPath: usesBrotliAsset ? `${assetPath}.br` : assetPath,
+			fileHash: asset.fileHash
+		});
 		const patch = patchDescriptor?.assetPath === assetPath ? patchDescriptor.patch : null;
 		let fileUrl = null;
 		try {

package/dist/handler.cjs

@@ -2,7 +2,7 @@ const require_runtime = require("./_virtual/_rolldown/runtime.cjs");
 const require_internalRouter = require("./internalRouter.cjs");
 const require_version = require("./version.cjs");
 let semver = require("semver");
-semver = require_runtime.__toESM(semver, 1);
+semver = require_runtime.__toESM(semver);
 //#region src/handler.ts
 var HandlerBadRequestError = class extends Error {
 	constructor(message) {
@@ -12,6 +12,8 @@ var HandlerBadRequestError = class extends Error {
 };
 const SDK_VERSION_HEADER = "Hot-Updater-SDK-Version";
 const EXPLICIT_NO_UPDATE_MIN_SDK_VERSION = "0.31.0";
+const DEFAULT_BUNDLE_LIST_LIMIT = 50;
+const MAX_BUNDLE_LIST_LIMIT = 100;
 const supportsExplicitNoUpdateResponse = (request) => {
 	const sdkVersion = request.headers.get(SDK_VERSION_HEADER)?.trim();
 	if (!sdkVersion) return false;
@@ -61,6 +63,13 @@ const parseStringArraySearchParam = (url, key) => {
 	const values = url.searchParams.getAll(key);
 	return values.length > 0 ? values : void 0;
 };
+const parsePositiveIntegerSearchParam = (url, key, defaultValue, maxValue) => {
+	const value = url.searchParams.get(key);
+	if (value === null) return defaultValue;
+	const parsed = Number(value);
+	if (!Number.isInteger(parsed) || parsed < 1 || parsed > maxValue) throw new HandlerBadRequestError(`The '${key}' query parameter must be a positive integer between 1 and ${maxValue}.`);
+	return parsed;
+};
 const requirePlatformParam = (params) => {
 	const platform = requireRouteParam(params, "platform");
 	if (!isPlatform(platform)) throw new HandlerBadRequestError(`Invalid platform: ${platform}. Expected 'ios' or 'android'.`);
@@ -129,7 +138,7 @@ const handleGetBundles = async (_params, request, api, context) => {
 	const url = new URL(request.url);
 	const channel = url.searchParams.get("channel") ?? void 0;
 	const platform = url.searchParams.get("platform");
-	const limit = Number(url.searchParams.get("limit")) || 50;
+	const limit = parsePositiveIntegerSearchParam(url, "limit", DEFAULT_BUNDLE_LIST_LIMIT, MAX_BUNDLE_LIST_LIMIT);
 	const pageParam = url.searchParams.get("page");
 	const offset = url.searchParams.get("offset");
 	const after = url.searchParams.get("after") ?? void 0;
@@ -231,18 +240,19 @@ const routes = {
 */
 function createHandler(api, options = {}) {
 	const basePath = options.basePath ?? "/api";
-	const updateCheckEnabled = options.routes?.updateCheck ?? true;
-	const versionEnabled = options.routes?.version ?? true;
-	const bundlesEnabled = options.routes?.bundles ?? true;
+	const routeOptions = {
+		updateCheck: options.routes?.updateCheck ?? true,
+		bundles: options.routes?.bundles ?? false
+	};
 	const router = require_internalRouter.createRouter();
-	if (versionEnabled) require_internalRouter.addRoute(router, "GET", "/version", "version");
-	if (updateCheckEnabled) {
+	require_internalRouter.addRoute(router, "GET", "/version", "version");
+	if (routeOptions.updateCheck) {
 		require_internalRouter.addRoute(router, "GET", "/fingerprint/:platform/:fingerprintHash/:channel/:minBundleId/:bundleId", "fingerprintUpdateWithCohort");
 		require_internalRouter.addRoute(router, "GET", "/fingerprint/:platform/:fingerprintHash/:channel/:minBundleId/:bundleId/:cohort", "fingerprintUpdateWithCohort");
 		require_internalRouter.addRoute(router, "GET", "/app-version/:platform/:appVersion/:channel/:minBundleId/:bundleId", "appVersionUpdateWithCohort");
 		require_internalRouter.addRoute(router, "GET", "/app-version/:platform/:appVersion/:channel/:minBundleId/:bundleId/:cohort", "appVersionUpdateWithCohort");
 	}
-	if (bundlesEnabled) {
+	if (routeOptions.bundles) {
 		require_internalRouter.addRoute(router, "GET", "/api/bundles/channels", "getChannels");
 		require_internalRouter.addRoute(router, "GET", "/api/bundles/:id", "getBundle");
 		require_internalRouter.addRoute(router, "GET", "/api/bundles", "getBundles");

package/dist/handler.d.cts

@@ -18,27 +18,26 @@ interface HandlerOptions {
    * @default "/api"
    */
   basePath?: string;
+  /**
+   * Route groups to mount. Omit this option to use the default route groups.
+   * When provided, both route groups must be specified explicitly.
+   * The `/version` endpoint is always mounted for diagnostics.
+   */
   routes?: HandlerRoutes;
 }
 interface HandlerRoutes {
   /**
    * Controls whether update-check routes are mounted.
-   * @default true
-   */
-  updateCheck?: boolean;
-  /**
-   * Controls whether the `/version` endpoint is mounted.
-   * Useful for diagnostics and lightweight health/version checks.
-   * @default true
+   * Defaults to `true` only when `routes` is omitted.
    */
-  version?: boolean;
+  updateCheck: boolean;
   /**
    * Controls whether bundle management routes are mounted.
    * This includes `/api/bundles*`, which are used by the
    * CLI `standaloneRepository` plugin.
-   * @default true
+   * Defaults to `false` only when `routes` is omitted.
    */
-  bundles?: boolean;
+  bundles: boolean;
 }
 /**
  * Creates a Web Standard Request handler for Hot Updater API

package/dist/handler.d.mts

@@ -18,27 +18,26 @@ interface HandlerOptions {
    * @default "/api"
    */
   basePath?: string;
+  /**
+   * Route groups to mount. Omit this option to use the default route groups.
+   * When provided, both route groups must be specified explicitly.
+   * The `/version` endpoint is always mounted for diagnostics.
+   */
   routes?: HandlerRoutes;
 }
 interface HandlerRoutes {
   /**
    * Controls whether update-check routes are mounted.
-   * @default true
-   */
-  updateCheck?: boolean;
-  /**
-   * Controls whether the `/version` endpoint is mounted.
-   * Useful for diagnostics and lightweight health/version checks.
-   * @default true
+   * Defaults to `true` only when `routes` is omitted.
    */
-  version?: boolean;
+  updateCheck: boolean;
   /**
    * Controls whether bundle management routes are mounted.
    * This includes `/api/bundles*`, which are used by the
    * CLI `standaloneRepository` plugin.
-   * @default true
+   * Defaults to `false` only when `routes` is omitted.
    */
-  bundles?: boolean;
+  bundles: boolean;
 }
 /**
  * Creates a Web Standard Request handler for Hot Updater API

package/dist/handler.mjs

@@ -10,6 +10,8 @@ var HandlerBadRequestError = class extends Error {
 };
 const SDK_VERSION_HEADER = "Hot-Updater-SDK-Version";
 const EXPLICIT_NO_UPDATE_MIN_SDK_VERSION = "0.31.0";
+const DEFAULT_BUNDLE_LIST_LIMIT = 50;
+const MAX_BUNDLE_LIST_LIMIT = 100;
 const supportsExplicitNoUpdateResponse = (request) => {
 	const sdkVersion = request.headers.get(SDK_VERSION_HEADER)?.trim();
 	if (!sdkVersion) return false;
@@ -59,6 +61,13 @@ const parseStringArraySearchParam = (url, key) => {
 	const values = url.searchParams.getAll(key);
 	return values.length > 0 ? values : void 0;
 };
+const parsePositiveIntegerSearchParam = (url, key, defaultValue, maxValue) => {
+	const value = url.searchParams.get(key);
+	if (value === null) return defaultValue;
+	const parsed = Number(value);
+	if (!Number.isInteger(parsed) || parsed < 1 || parsed > maxValue) throw new HandlerBadRequestError(`The '${key}' query parameter must be a positive integer between 1 and ${maxValue}.`);
+	return parsed;
+};
 const requirePlatformParam = (params) => {
 	const platform = requireRouteParam(params, "platform");
 	if (!isPlatform(platform)) throw new HandlerBadRequestError(`Invalid platform: ${platform}. Expected 'ios' or 'android'.`);
@@ -127,7 +136,7 @@ const handleGetBundles = async (_params, request, api, context) => {
 	const url = new URL(request.url);
 	const channel = url.searchParams.get("channel") ?? void 0;
 	const platform = url.searchParams.get("platform");
-	const limit = Number(url.searchParams.get("limit")) || 50;
+	const limit = parsePositiveIntegerSearchParam(url, "limit", DEFAULT_BUNDLE_LIST_LIMIT, MAX_BUNDLE_LIST_LIMIT);
 	const pageParam = url.searchParams.get("page");
 	const offset = url.searchParams.get("offset");
 	const after = url.searchParams.get("after") ?? void 0;
@@ -229,18 +238,19 @@ const routes = {
 */
 function createHandler(api, options = {}) {
 	const basePath = options.basePath ?? "/api";
-	const updateCheckEnabled = options.routes?.updateCheck ?? true;
-	const versionEnabled = options.routes?.version ?? true;
-	const bundlesEnabled = options.routes?.bundles ?? true;
+	const routeOptions = {
+		updateCheck: options.routes?.updateCheck ?? true,
+		bundles: options.routes?.bundles ?? false
+	};
 	const router = createRouter();
-	if (versionEnabled) addRoute(router, "GET", "/version", "version");
-	if (updateCheckEnabled) {
+	addRoute(router, "GET", "/version", "version");
+	if (routeOptions.updateCheck) {
 		addRoute(router, "GET", "/fingerprint/:platform/:fingerprintHash/:channel/:minBundleId/:bundleId", "fingerprintUpdateWithCohort");
 		addRoute(router, "GET", "/fingerprint/:platform/:fingerprintHash/:channel/:minBundleId/:bundleId/:cohort", "fingerprintUpdateWithCohort");
 		addRoute(router, "GET", "/app-version/:platform/:appVersion/:channel/:minBundleId/:bundleId", "appVersionUpdateWithCohort");
 		addRoute(router, "GET", "/app-version/:platform/:appVersion/:channel/:minBundleId/:bundleId/:cohort", "appVersionUpdateWithCohort");
 	}
-	if (bundlesEnabled) {
+	if (routeOptions.bundles) {
 		addRoute(router, "GET", "/api/bundles/channels", "getChannels");
 		addRoute(router, "GET", "/api/bundles/:id", "getBundle");
 		addRoute(router, "GET", "/api/bundles", "getBundles");

package/dist/index.d.cts

@@ -4,4 +4,4 @@ import { HotUpdaterClient, HotUpdaterDB, Migrator } from "./db/ormCore.cjs";
 import { HOT_UPDATER_SERVER_VERSION } from "./version.cjs";
 import { CreateHotUpdaterOptions, HotUpdaterAPI, createHotUpdater } from "./db/index.cjs";
 import { Bundle, ChannelsResponse, DataResponse, Paginated, PaginatedResult, PaginationInfo, PaginationOptions } from "./types/index.cjs";
-export { type Bundle, ChannelsResponse, CreateBundleDiffDependencies, CreateBundleDiffInput, CreateBundleDiffOptions, CreateHotUpdaterOptions, DataResponse, HOT_UPDATER_SERVER_VERSION, HandlerAPI, HandlerOptions, HandlerRoutes, HotUpdaterAPI, type HotUpdaterClient, HotUpdaterDB, type Migrator, Paginated, PaginatedResult, PaginationInfo, PaginationOptions, createBundleDiff, createHandler, createHotUpdater };
+export { Bundle, ChannelsResponse, CreateBundleDiffDependencies, CreateBundleDiffInput, CreateBundleDiffOptions, CreateHotUpdaterOptions, DataResponse, HOT_UPDATER_SERVER_VERSION, HandlerAPI, HandlerOptions, HandlerRoutes, HotUpdaterAPI, HotUpdaterClient, HotUpdaterDB, Migrator, Paginated, PaginatedResult, PaginationInfo, PaginationOptions, createBundleDiff, createHandler, createHotUpdater };

package/dist/index.d.mts

@@ -4,4 +4,4 @@ import { HotUpdaterClient, HotUpdaterDB, Migrator } from "./db/ormCore.mjs";
 import { HOT_UPDATER_SERVER_VERSION } from "./version.mjs";
 import { CreateHotUpdaterOptions, HotUpdaterAPI, createHotUpdater } from "./db/index.mjs";
 import { Bundle, ChannelsResponse, DataResponse, Paginated, PaginatedResult, PaginationInfo, PaginationOptions } from "./types/index.mjs";
-export { type Bundle, ChannelsResponse, CreateBundleDiffDependencies, CreateBundleDiffInput, CreateBundleDiffOptions, CreateHotUpdaterOptions, DataResponse, HOT_UPDATER_SERVER_VERSION, HandlerAPI, HandlerOptions, HandlerRoutes, HotUpdaterAPI, type HotUpdaterClient, HotUpdaterDB, type Migrator, Paginated, PaginatedResult, PaginationInfo, PaginationOptions, createBundleDiff, createHandler, createHotUpdater };
+export { Bundle, ChannelsResponse, CreateBundleDiffDependencies, CreateBundleDiffInput, CreateBundleDiffOptions, CreateHotUpdaterOptions, DataResponse, HOT_UPDATER_SERVER_VERSION, HandlerAPI, HandlerOptions, HandlerRoutes, HotUpdaterAPI, HotUpdaterClient, HotUpdaterDB, Migrator, Paginated, PaginatedResult, PaginationInfo, PaginationOptions, createBundleDiff, createHandler, createHotUpdater };

package/dist/node_modules/.pnpm/fumadb@0.2.2_drizzle-orm@0.44.7_@cloudflare_workers-types@4.20260313.1_@electric-sql_pg_c72c8c754becd21f6d6662e8fbd28e7f/node_modules/fumadb/dist/index.d.cts

@@ -46,4 +46,4 @@ interface FumaDBFactory<Schemas extends AnySchema[]> {
 }
 type InferFumaDB<Factory extends FumaDBFactory<any>> = Factory extends FumaDBFactory<infer Schemas> ? FumaDB<Schemas> : never;
 //#endregion
-export type { FumaDBFactory, InferFumaDB };
+export { type FumaDBFactory, type InferFumaDB };

package/dist/node_modules/.pnpm/fumadb@0.2.2_drizzle-orm@0.44.7_@cloudflare_workers-types@4.20260313.1_@electric-sql_pg_c72c8c754becd21f6d6662e8fbd28e7f/node_modules/fumadb/dist/index.d.mts

@@ -46,4 +46,4 @@ interface FumaDBFactory<Schemas extends AnySchema[]> {
 }
 type InferFumaDB<Factory extends FumaDBFactory<any>> = Factory extends FumaDBFactory<infer Schemas> ? FumaDB<Schemas> : never;
 //#endregion
-export type { FumaDBFactory, InferFumaDB };
+export { type FumaDBFactory, type InferFumaDB };

package/dist/node_modules/.pnpm/fumadb@0.2.2_drizzle-orm@0.44.7_@cloudflare_workers-types@4.20260313.1_@electric-sql_pg_c72c8c754becd21f6d6662e8fbd28e7f/node_modules/fumadb/dist/query/index.d.cts

@@ -153,4 +153,4 @@ interface AbstractQuery<S extends AnySchema> {
   }) => Promise<void>;
 }
 //#endregion
-export type { AbstractQuery };
+export { type AbstractQuery };

package/dist/node_modules/.pnpm/fumadb@0.2.2_drizzle-orm@0.44.7_@cloudflare_workers-types@4.20260313.1_@electric-sql_pg_c72c8c754becd21f6d6662e8fbd28e7f/node_modules/fumadb/dist/query/index.d.mts

@@ -153,4 +153,4 @@ interface AbstractQuery<S extends AnySchema> {
   }) => Promise<void>;
 }
 //#endregion
-export type { AbstractQuery };
+export { type AbstractQuery };

package/dist/packages/server/package.cjs

@@ -1,5 +1,5 @@
 //#region package.json
-var version = "0.31.4";
+var version = "0.32.0";
 //#endregion
 Object.defineProperty(exports, "version", {
 	enumerable: true,

package/dist/packages/server/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "0.31.4";
+var version = "0.32.0";
 //#endregion
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hot-updater/server",
-  "version": "0.31.4",
+  "version": "0.32.0",
   "type": "module",
   "description": "React Native OTA solution for self-hosted",
   "sideEffects": false,
@@ -55,10 +55,10 @@
     "mongodb": "6.20.0",
     "rou3": "0.7.9",
     "semver": "^7.7.2",
-    "@hot-updater/bsdiff": "0.31.4",
-    "@hot-updater/plugin-core": "0.31.4",
-    "@hot-updater/js": "0.31.4",
-    "@hot-updater/core": "0.31.4"
+    "@hot-updater/bsdiff": "0.32.0",
+    "@hot-updater/core": "0.32.0",
+    "@hot-updater/plugin-core": "0.32.0",
+    "@hot-updater/js": "0.32.0"
   },
   "devDependencies": {
     "@electric-sql/pglite": "0.2.17",
@@ -68,8 +68,8 @@
     "kysely-pglite-dialect": "1.2.0",
     "msw": "^2.7.0",
     "uuidv7": "^1.0.2",
-    "@hot-updater/standalone": "0.31.4",
-    "@hot-updater/test-utils": "0.31.4"
+    "@hot-updater/standalone": "0.32.0",
+    "@hot-updater/test-utils": "0.32.0"
   },
   "inlinedDependencies": {
     "@noble/hashes": "1.8.0",

package/src/db/createBundleDiff.spec.ts

@@ -93,6 +93,9 @@ const createStoragePlugin = (
           new Uint8Array(await response.arrayBuffer()),
         );
       },
+      async exists() {
+        return false;
+      },
       upload,
     },
   },

package/src/db/createBundleDiff.ts

@@ -17,6 +17,7 @@ import type {
   DatabasePlugin,
   NodeStoragePlugin,
 } from "@hot-updater/plugin-core";
+import { resolveManifestAssetStorageUri } from "@hot-updater/plugin-core";
 
 type BundleManifest = {
   bundleId: string;
@@ -80,21 +81,6 @@ const isBundleManifest = (value: unknown): value is BundleManifest => {
   );
 };
 
-const createChildStorageUri = (
-  baseStorageUri: string,
-  relativePath: string,
-) => {
-  const baseUrl = new URL(baseStorageUri);
-  const normalizedBasePath = baseUrl.pathname.replace(/\/+$/, "");
-  const relativeSegments = relativePath
-    .split("/")
-    .filter(Boolean)
-    .map((segment) => encodeURIComponent(segment));
-
-  baseUrl.pathname = `${normalizedBasePath}/${relativeSegments.join("/")}`;
-  return baseUrl.toString();
-};
-
 const getRelativeStorageDir = (relativePath: string) => {
   const normalized = relativePath.replace(/\\/g, "/");
   const dirname = path.posix.dirname(normalized);
@@ -188,18 +174,24 @@ function resolveHbcAssetPath(manifest: BundleManifest) {
 async function fetchAssetBytes(
   bundle: Bundle,
   assetPath: string,
+  manifest: BundleManifest,
   storagePlugin: NodeStoragePlugin | null,
 ) {
   const assetBaseStorageUri = getAssetBaseStorageUri(bundle);
   if (!assetBaseStorageUri) {
     throw new Error(`Bundle ${bundle.id} does not have asset storage metadata`);
   }
+  const asset = manifest.assets[assetPath];
+  if (!asset) {
+    throw new Error(`Asset ${assetPath} is missing from manifest`);
+  }
 
   if (BR_COMPRESSED_ASSET_PATH_RE.test(assetPath)) {
-    const compressedAssetStorageUri = createChildStorageUri(
+    const compressedAssetStorageUri = resolveManifestAssetStorageUri({
       assetBaseStorageUri,
-      `${assetPath}.br`,
-    );
+      assetPath: `${assetPath}.br`,
+      fileHash: asset.fileHash,
+    });
 
     let compressedBytes: Uint8Array | null = null;
     try {
@@ -216,7 +208,11 @@ async function fetchAssetBytes(
     }
   }
 
-  const assetStorageUri = createChildStorageUri(assetBaseStorageUri, assetPath);
+  const assetStorageUri = resolveManifestAssetStorageUri({
+    assetBaseStorageUri,
+    assetPath,
+    fileHash: asset.fileHash,
+  });
   return downloadStorageBytes(assetStorageUri, storagePlugin);
 }
 
@@ -300,8 +296,18 @@ export async function createBundleDiff(
   }
 
   const [baseBytes, targetBytes] = await Promise.all([
-    fetchAssetBytes(baseBundle, baseAssetPath, deps.storagePlugin),
-    fetchAssetBytes(targetBundle, targetAssetPath, deps.storagePlugin),
+    fetchAssetBytes(
+      baseBundle,
+      baseAssetPath,
+      baseManifest,
+      deps.storagePlugin,
+    ),
+    fetchAssetBytes(
+      targetBundle,
+      targetAssetPath,
+      targetManifest,
+      deps.storagePlugin,
+    ),
   ]);
 
   const patchBytes = await hdiff(baseBytes, targetBytes);

package/src/db/pluginCore.spec.ts

@@ -195,6 +195,115 @@ describe("createPluginDatabaseCore", () => {
     });
   });
 
+  it("resolves manifest changed assets from deterministic content-addressed storage", async () => {
+    const currentBundle = {
+      ...baseBundle,
+      id: "00000000-0000-0000-0000-000000000001",
+      manifestStorageUri: "r2://bucket/current/manifest.json",
+      manifestFileHash: "sig:current-manifest",
+      assetBaseStorageUri: "r2://bucket/assets",
+    };
+    const targetBundle = {
+      ...baseBundle,
+      id: "00000000-0000-0000-0000-000000000002",
+      fileHash: "hash-2",
+      manifestStorageUri: "r2://bucket/target/manifest.json",
+      manifestFileHash: "sig:target-manifest",
+      assetBaseStorageUri: "r2://bucket/assets",
+    };
+    const manifests = new Map([
+      [
+        currentBundle.manifestStorageUri,
+        JSON.stringify({
+          bundleId: currentBundle.id,
+          assets: {
+            "index.ios.bundle": {
+              fileHash: "old-bundle-hash",
+            },
+          },
+        }),
+      ],
+      [
+        targetBundle.manifestStorageUri,
+        JSON.stringify({
+          bundleId: targetBundle.id,
+          assets: {
+            "index.ios.bundle": {
+              fileHash: "new-bundle-hash",
+            },
+          },
+        }),
+      ],
+    ]);
+    const plugin: DatabasePlugin<TestContext> = {
+      name: "content-addressed-manifest-plugin",
+      async appendBundle() {},
+      async commitBundle() {},
+      async deleteBundle() {},
+      async getBundleById(bundleId) {
+        if (bundleId === currentBundle.id) return currentBundle;
+        if (bundleId === targetBundle.id) return targetBundle;
+        return null;
+      },
+      async getUpdateInfo() {
+        return {
+          fileHash: targetBundle.fileHash,
+          id: targetBundle.id,
+          message: targetBundle.message,
+          shouldForceUpdate: targetBundle.shouldForceUpdate,
+          status: "UPDATE",
+          storageUri: targetBundle.storageUri,
+        };
+      },
+      async getBundles() {
+        return {
+          data: [targetBundle],
+          pagination: {
+            currentPage: 1,
+            hasNextPage: false,
+            hasPreviousPage: false,
+            total: 1,
+            totalPages: 1,
+          },
+        };
+      },
+      async getChannels() {
+        return ["production"];
+      },
+      async updateBundle() {},
+    };
+
+    const core = createPluginDatabaseCore(
+      () => plugin,
+      async (storageUri) => {
+        if (!storageUri) return null;
+        const url = new URL(storageUri);
+        return `https://assets.example.com/${url.host}${url.pathname}`;
+      },
+      {
+        readStorageText: async (storageUri) =>
+          manifests.get(storageUri) ?? null,
+      },
+    );
+
+    await expect(
+      core.api.getAppUpdateInfo({
+        ...updateArgs,
+        bundleId: currentBundle.id,
+      }),
+    ).resolves.toMatchObject({
+      changedAssets: {
+        "index.ios.bundle": {
+          file: {
+            compression: "br",
+            url: "https://assets.example.com/bucket/assets/sha256/ne/new-bundle-hash.br",
+          },
+          fileHash: "new-bundle-hash",
+        },
+      },
+    });
+  });
+
   it("falls back to archive metadata when manifest changed assets cannot be resolved", async () => {
     const currentBundle = {
       ...baseBundle,

package/src/db/updateArtifacts.ts

@@ -8,7 +8,10 @@ import {
   type Bundle,
   type ChangedAsset,
 } from "@hot-updater/core";
-import type { HotUpdaterContext } from "@hot-updater/plugin-core";
+import {
+  resolveManifestAssetStorageUri,
+  type HotUpdaterContext,
+} from "@hot-updater/plugin-core";
 
 type BundleManifest = {
   bundleId: string;
@@ -74,21 +77,6 @@ const isBundleManifest = (value: unknown): value is BundleManifest => {
   );
 };
 
-const createChildStorageUri = (
-  baseStorageUri: string,
-  relativePath: string,
-) => {
-  const baseUrl = new URL(baseStorageUri);
-  const normalizedBasePath = baseUrl.pathname.replace(/\/+$/, "");
-  const relativeSegments = relativePath
-    .split("/")
-    .filter(Boolean)
-    .map((segment) => encodeURIComponent(segment));
-
-  baseUrl.pathname = `${normalizedBasePath}/${relativeSegments.join("/")}`;
-  return baseUrl.toString();
-};
-
 export const parseBundleMetadata = (
   value: unknown,
 ): Bundle["metadata"] | undefined => {
@@ -213,10 +201,11 @@ async function resolveChangedAssets<TContext>({
 
       const usesBrotliAsset = BR_COMPRESSED_ASSET_PATH_RE.test(assetPath);
       const downloadPath = usesBrotliAsset ? `${assetPath}.br` : assetPath;
-      const storageUri = createChildStorageUri(
+      const storageUri = resolveManifestAssetStorageUri({
         assetBaseStorageUri,
-        downloadPath,
-      );
+        assetPath: downloadPath,
+        fileHash: asset.fileHash,
+      });
       const patch =
         patchDescriptor?.assetPath === assetPath ? patchDescriptor.patch : null;
 

package/src/handler-standalone.integration.spec.ts

@@ -34,6 +34,10 @@ const api = createHotUpdater({
     provider: "postgresql",
   }),
   basePath: "/hot-updater",
+  routes: {
+    updateCheck: true,
+    bundles: true,
+  },
 });
 
 // Setup MSW server to intercept HTTP requests
@@ -341,6 +345,10 @@ describe("Handler <-> Standalone Repository Integration", () => {
         provider: "postgresql",
       }),
       basePath: "/api/v2",
+      routes: {
+        updateCheck: true,
+        bundles: true,
+      },
     });
 
     // Setup MSW for custom basePath
@@ -411,6 +419,10 @@ describe("Handler <-> Standalone Repository Integration", () => {
     const blobApi = createHotUpdater({
       database: createInMemoryBlobDatabase(store),
       basePath: "/blob-hot-updater",
+      routes: {
+        updateCheck: true,
+        bundles: true,
+      },
     });
     const handleBlobRequest = async (request: Request) => {
       const response = await blobApi.handler(request);

package/src/handler.spec.ts

@@ -1,7 +1,7 @@
 import { type Bundle, NIL_UUID } from "@hot-updater/core";
 import { describe, expect, it, vi } from "vitest";
 
-import { createHandler, type HandlerAPI } from "./handler";
+import { createHandler, type HandlerAPI, type HandlerRoutes } from "./handler";
 import { HOT_UPDATER_SERVER_VERSION } from "./version";
 
 const NEXT_SDK_VERSION_FOR_TEST = "0.31.0";
@@ -51,6 +51,19 @@ const createApi = () =>
     deleteBundleById: vi.fn<HandlerAPI<TestContext>["deleteBundleById"]>(),
   }) satisfies HandlerAPI<TestContext>;
 
+const createManagementHandler = (
+  api: HandlerAPI<TestContext>,
+  routes: Partial<HandlerRoutes> = {},
+) =>
+  createHandler(api, {
+    basePath: "/hot-updater",
+    routes: {
+      updateCheck: true,
+      bundles: true,
+      ...routes,
+    },
+  });
+
 describe("createHandler", () => {
   it("supports the app-version route without a cohort segment", async () => {
     const api = createApi();
@@ -218,44 +231,113 @@ describe("createHandler", () => {
     expect(updateResponse.status).toBe(200);
   });
 
-  it("can disable the version route independently", async () => {
+  it("does not mount bundle routes by default", async () => {
+    const api = createApi();
+    const handler = createHandler(api, { basePath: "/hot-updater" });
+
+    const versionResponse = await handler(
+      new Request("http://localhost/hot-updater/version"),
+    );
+    const bundlesResponse = await handler(
+      new Request("http://localhost/hot-updater/api/bundles"),
+    );
+    const updateResponse = await handler(
+      new Request(
+        "http://localhost/hot-updater/app-version/ios/1.0.0/production/default/default",
+      ),
+    );
+
+    expect(versionResponse.status).toBe(200);
+    expect(bundlesResponse.status).toBe(404);
+    expect(updateResponse.status).toBe(200);
+  });
+
+  it("mounts bundle routes when explicitly enabled", async () => {
     const api = createApi();
+    api.getBundles.mockResolvedValueOnce({
+      data: [],
+      pagination: {
+        total: 0,
+        hasNextPage: false,
+        hasPreviousPage: false,
+        currentPage: 1,
+        totalPages: 0,
+      },
+    });
     const handler = createHandler(api, {
       basePath: "/hot-updater",
       routes: {
         updateCheck: true,
-        version: false,
-        bundles: false,
+        bundles: true,
       },
     });
 
-    const versionResponse = await handler(
-      new Request("http://localhost/hot-updater/version"),
-    );
-    const bundlesResponse = await handler(
+    const response = await handler(
       new Request("http://localhost/hot-updater/api/bundles"),
     );
+
+    expect(response.status).toBe(200);
+    expect(api.getBundles).toHaveBeenCalledWith(
+      {
+        cursor: undefined,
+        limit: 50,
+        page: undefined,
+        where: {},
+      },
+      undefined,
+    );
+  });
+
+  it("keeps update-check routes mounted for partial runtime route config", async () => {
+    const api = createApi();
+    const handler = createHandler(api, {
+      basePath: "/hot-updater",
+      routes: JSON.parse('{"bundles":true}') as HandlerRoutes,
+    });
+
     const updateResponse = await handler(
       new Request(
         "http://localhost/hot-updater/app-version/ios/1.0.0/production/default/default",
       ),
     );
 
-    expect(versionResponse.status).toBe(404);
-    expect(bundlesResponse.status).toBe(404);
     expect(updateResponse.status).toBe(200);
   });
 
-  it("can mount bundle routes without update-check routes", async () => {
+  it("keeps the version route mounted when update-check routes are disabled", async () => {
     const api = createApi();
     const handler = createHandler(api, {
       basePath: "/hot-updater",
       routes: {
         updateCheck: false,
-        bundles: true,
+        bundles: false,
       },
     });
 
+    const versionResponse = await handler(
+      new Request("http://localhost/hot-updater/version"),
+    );
+    const bundlesResponse = await handler(
+      new Request("http://localhost/hot-updater/api/bundles"),
+    );
+    const updateResponse = await handler(
+      new Request(
+        "http://localhost/hot-updater/app-version/ios/1.0.0/production/default/default",
+      ),
+    );
+
+    expect(versionResponse.status).toBe(200);
+    await expect(versionResponse.json()).resolves.toEqual({
+      version: HOT_UPDATER_SERVER_VERSION,
+    });
+    expect(bundlesResponse.status).toBe(404);
+    expect(updateResponse.status).toBe(404);
+  });
+
+  it("can mount bundle routes without update-check routes", async () => {
+    const api = createApi();
+    const handler = createManagementHandler(api, { updateCheck: false });
+
     const versionResponse = await handler(
       new Request("http://localhost/hot-updater/version"),
     );
@@ -294,7 +376,7 @@ describe("createHandler", () => {
         totalPages: 26,
       },
     });
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request(
@@ -339,7 +421,7 @@ describe("createHandler", () => {
         totalPages: 1,
       },
     });
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request(
@@ -382,7 +464,7 @@ describe("createHandler", () => {
         previousCursor: "bundle-9",
       },
     });
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request(
@@ -421,7 +503,7 @@ describe("createHandler", () => {
         previousCursor: null,
       },
     });
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request(
@@ -448,7 +530,7 @@ describe("createHandler", () => {
 
   it("returns 400 when bundle list requests still send offset pagination", async () => {
     const api = createApi();
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request(
@@ -478,7 +560,7 @@ describe("createHandler", () => {
         previousCursor: "bundle-9",
       },
     });
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request(
@@ -505,7 +587,7 @@ describe("createHandler", () => {
 
   it("returns 400 when bundle list requests send an invalid page", async () => {
     const api = createApi();
-    const handler = createHandler(api, { basePath: "/hot-updater" });
+    const handler = createManagementHandler(api);
 
     const response = await handler(
       new Request("http://localhost/hot-updater/api/bundles?limit=20&page=0"),
@@ -518,6 +600,22 @@ describe("createHandler", () => {
     expect(api.getBundles).not.toHaveBeenCalled();
   });
 
+  it("returns 400 when bundle list limit exceeds the maximum", async () => {
+    const api = createApi();
+    const handler = createManagementHandler(api);
+
+    const response = await handler(
+      new Request("http://localhost/hot-updater/api/bundles?limit=101"),
+    );
+
+    expect(response.status).toBe(400);
+    await expect(response.json()).resolves.toEqual({
+      error:
+        "The 'limit' query parameter must be a positive integer between 1 and 100.",
+    });
+    expect(api.getBundles).not.toHaveBeenCalled();
+  });
+
   it("returns 400 when the platform route parameter is invalid", async () => {
     const api = createApi();
     const handler = createHandler(api, { basePath: "/hot-updater" });

package/src/handler.ts

@@ -52,28 +52,27 @@ export interface HandlerOptions {
    * @default "/api"
    */
   basePath?: string;
+  /**
+   * Route groups to mount. Omit this option to use the default route groups.
+   * When provided, both route groups must be specified explicitly.
+   * The `/version` endpoint is always mounted for diagnostics.
+   */
   routes?: HandlerRoutes;
 }
 
 export interface HandlerRoutes {
   /**
    * Controls whether update-check routes are mounted.
-   * @default true
+   * Defaults to `true` only when `routes` is omitted.
    */
-  updateCheck?: boolean;
-  /**
-   * Controls whether the `/version` endpoint is mounted.
-   * Useful for diagnostics and lightweight health/version checks.
-   * @default true
-   */
-  version?: boolean;
+  updateCheck: boolean;
   /**
    * Controls whether bundle management routes are mounted.
    * This includes `/api/bundles*`, which are used by the
    * CLI `standaloneRepository` plugin.
-   * @default true
+   * Defaults to `false` only when `routes` is omitted.
    */
-  bundles?: boolean;
+  bundles: boolean;
 }
 
 type RouteHandler<TContext = unknown> = (
@@ -92,6 +91,8 @@ class HandlerBadRequestError extends Error {
 
 const SDK_VERSION_HEADER = "Hot-Updater-SDK-Version";
 const EXPLICIT_NO_UPDATE_MIN_SDK_VERSION = "0.31.0";
+const DEFAULT_BUNDLE_LIST_LIMIT = 50;
+const MAX_BUNDLE_LIST_LIMIT = 100;
 
 const supportsExplicitNoUpdateResponse = (request: Request) => {
   const sdkVersion = request.headers.get(SDK_VERSION_HEADER)?.trim();
@@ -191,6 +192,27 @@ const parseStringArraySearchParam = (url: URL, key: string) => {
   return values.length > 0 ? values : undefined;
 };
 
+const parsePositiveIntegerSearchParam = (
+  url: URL,
+  key: string,
+  defaultValue: number,
+  maxValue: number,
+): number => {
+  const value = url.searchParams.get(key);
+  if (value === null) {
+    return defaultValue;
+  }
+
+  const parsed = Number(value);
+  if (!Number.isInteger(parsed) || parsed < 1 || parsed > maxValue) {
+    throw new HandlerBadRequestError(
+      `The '${key}' query parameter must be a positive integer between 1 and ${maxValue}.`,
+    );
+  }
+
+  return parsed;
+};
+
 const requirePlatformParam = (params: Record<string, string>): Platform => {
   const platform = requireRouteParam(params, "platform");
 
@@ -317,7 +339,12 @@ const handleGetBundles: RouteHandler = async (
   const url = new URL(request.url);
   const channel = url.searchParams.get("channel") ?? undefined;
   const platform = url.searchParams.get("platform");
-  const limit = Number(url.searchParams.get("limit")) || 50;
+  const limit = parsePositiveIntegerSearchParam(
+    url,
+    "limit",
+    DEFAULT_BUNDLE_LIST_LIMIT,
+    MAX_BUNDLE_LIST_LIMIT,
+  );
   const pageParam = url.searchParams.get("page");
   const offset = url.searchParams.get("offset");
   const after = url.searchParams.get("after") ?? undefined;
@@ -511,19 +538,18 @@ export function createHandler<TContext = unknown>(
   context?: HotUpdaterContext<TContext>,
 ) => Promise<Response> {
   const basePath = options.basePath ?? "/api";
-  const updateCheckEnabled = options.routes?.updateCheck ?? true;
-  const versionEnabled = options.routes?.version ?? true;
-  const bundlesEnabled = options.routes?.bundles ?? true;
+  const routeOptions = {
+    updateCheck: options.routes?.updateCheck ?? true,
+    bundles: options.routes?.bundles ?? false,
+  };
 
   // Create and configure router
   const router = createRouter();
 
   // Register routes
-  if (versionEnabled) {
-    addRoute(router, "GET", "/version", "version");
-  }
+  addRoute(router, "GET", "/version", "version");
 
-  if (updateCheckEnabled) {
+  if (routeOptions.updateCheck) {
     addRoute(
       router,
       "GET",
@@ -550,7 +576,7 @@ export function createHandler<TContext = unknown>(
     );
   }
 
-  if (bundlesEnabled) {
+  if (routeOptions.bundles) {
     addRoute(router, "GET", "/api/bundles/channels", "getChannels");
     addRoute(router, "GET", "/api/bundles/:id", "getBundle");
     addRoute(router, "GET", "/api/bundles", "getBundles");
@@ -583,8 +609,8 @@ export function createHandler<TContext = unknown>(
         });
       }
 
-      // Get handler and execute
-      const handler = routes[match.data as string] as RouteHandler<TContext>;
+      const routeName = match.data as string;
+      const handler = routes[routeName] as RouteHandler<TContext>;
       if (!handler) {
         return new Response(JSON.stringify({ error: "Handler not found" }), {
           status: 500,

package/src/runtime.spec.ts

@@ -80,6 +80,7 @@ describe("runtime createHotUpdater", () => {
         node: {
           delete: vi.fn(),
           downloadFile: vi.fn(),
+          exists: vi.fn(async () => false),
           upload: vi.fn(),
         },
       },
@@ -660,7 +661,7 @@ describe("runtime createHotUpdater", () => {
     });
   });
 
-  it("can disable the version route independently", async () => {
+  it("keeps the version route mounted when update-check routes are disabled", async () => {
     const database = createDatabasePlugin({
       name: "version-disabled-plugin",
       factory: () => ({
@@ -690,8 +691,7 @@ describe("runtime createHotUpdater", () => {
       database,
       basePath: "/api/check-update",
       routes: {
-        updateCheck: true,
-        version: false,
+        updateCheck: false,
         bundles: false,
       },
     });
@@ -700,7 +700,10 @@ describe("runtime createHotUpdater", () => {
       new Request("https://updates.example.com/api/check-update/version"),
     );
 
-    expect(response.status).toBe(404);
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      version: HOT_UPDATER_SERVER_VERSION,
+    });
   });
 
   it("clears pending plugin changes after a failed mutation commit", async () => {