@interopio/gateway-server 0.6.2-beta → 0.7.0-beta

package/dist/index.js

@@ -9,12 +9,12 @@ var server_exports = {};
 __export(server_exports, {
   Factory: () => Factory
 });
-import { WebSocketServer } from "ws";
-import http from "node:http";
+import * as ws from "ws";
+import http2 from "node:http";
 import https from "node:https";
 import { readFileSync } from "node:fs";
 import { AsyncLocalStorage as AsyncLocalStorage2 } from "node:async_hooks";
-import { IOGateway as IOGateway7 } from "@interopio/gateway";
+import { IOGateway as IOGateway6 } from "@interopio/gateway";
 
 // src/logger.ts
 import { IOGateway } from "@interopio/gateway";
@@ -22,26 +22,124 @@ function getLogger(name) {
   return IOGateway.Logging.getLogger(`gateway.server.${name}`);
 }
 
-// src/utils.ts
-function socketKey(socket) {
-  const remoteIp = socket.remoteAddress;
-  if (!remoteIp) {
-    throw new Error("Socket has no remote address");
+// src/gateway/ws/core.ts
+import { IOGateway as IOGateway2 } from "@interopio/gateway";
+var GatewayEncoders = IOGateway2.Encoding;
+var log = getLogger("ws");
+var codec = GatewayEncoders.json();
+function initClient(socket, authenticationPromise, key, host) {
+  const opts = {
+    key,
+    host,
+    codec,
+    onAuthenticate: async () => {
+      const authentication = await authenticationPromise();
+      if (authentication?.authenticated) {
+        return { type: "success", user: authentication.name };
+      }
+      throw new Error(`no valid client authentication ${key}`);
+    },
+    onPing: () => {
+      socket.ping((err) => {
+        if (err) {
+          log.warn(`failed to ping ${key}`, err);
+        } else {
+          log.info(`ping sent to ${key}`);
+        }
+      });
+    },
+    onDisconnect: (reason) => {
+      switch (reason) {
+        case "inactive": {
+          log.warn(`no heartbeat (ping) received from ${key}, closing socket`);
+          socket.close(4001, "ping expected");
+          break;
+        }
+        case "shutdown": {
+          socket.close(1001, "shutdown");
+          break;
+        }
+      }
+    }
+  };
+  try {
+    return this.client((data) => socket.send(data), opts);
+  } catch (err) {
+    log.warn(`${key} failed to create client`, err);
   }
-  return `${remoteIp}:${socket.remotePort}`;
 }
+async function create(server) {
+  log.info(`starting gateway on ${server.endpoint}`);
+  await this.start({ endpoint: server.endpoint });
+  return async (socket, handshake) => {
+    const key = handshake.logPrefix;
+    const host = handshake.remoteAddress;
+    log.info(`${key} connected on gw from ${host}`);
+    const client = initClient.call(this, socket, handshake.principal, key, host);
+    if (!client) {
+      log.error(`${key} gw client init failed`);
+      socket.terminate();
+      return;
+    }
+    socket.on("error", (err) => {
+      log.error(`${key} websocket error: ${err}`, err);
+    });
+    socket.on("message", (data, _isBinary) => {
+      if (Array.isArray(data)) {
+        data = Buffer.concat(data);
+      }
+      client.send(data);
+    });
+    socket.on("close", (code) => {
+      log.info(`${key} disconnected from gw. code: ${code}`);
+      client.close();
+    });
+  };
+}
+var core_default = create;
 
-// src/server/types.ts
-var WebExchange = class {
-  get method() {
-    return this.request.method;
+// src/common/compose.ts
+function compose(...middleware) {
+  if (!Array.isArray(middleware)) {
+    throw new Error("middleware must be array!");
   }
-  get path() {
-    return this.request.path;
+  const fns = middleware.flat();
+  for (const fn of fns) {
+    if (typeof fn !== "function") {
+      throw new Error("middleware must be compose of functions!");
+    }
   }
-};
+  return async function(ctx, next) {
+    const dispatch = async (i) => {
+      const fn = i === fns.length ? next : fns[i];
+      if (fn === void 0) {
+        return;
+      }
+      let nextCalled = false;
+      let nextResolved = false;
+      const nextFn = async () => {
+        if (nextCalled) {
+          throw new Error("next() called multiple times");
+        }
+        nextCalled = true;
+        try {
+          return await dispatch(i + 1);
+        } finally {
+          nextResolved = true;
+        }
+      };
+      const result = await fn(ctx, nextFn);
+      if (nextCalled && !nextResolved) {
+        throw new Error("middleware resolved before downstream.\n	 You are probably missing an await or return statement in your middleware function.");
+      }
+      return result;
+    };
+    return dispatch(0);
+  };
+}
 
 // src/server/exchange.ts
+import http from "node:http";
 import { Cookie } from "tough-cookie";
 function requestToProtocol(request, defaultProtocol) {
   let proto = request.headers.get("x-forwarded-proto");
@@ -82,53 +180,81 @@ function parseCookies(request) {
     return result;
   });
 }
+var ExtendedHttpIncomingMessage = class extends http.IncomingMessage {
+  // circular reference to the exchange
+  exchange;
+  get urlBang() {
+    return this.url;
+  }
+  get socketEncrypted() {
+    return this.socket["encrypted"] === true;
+  }
+};
+var ExtendedHttpServerResponse = class _ExtendedHttpServerResponse extends http.ServerResponse {
+  static forUpgrade(req, socket, head) {
+    const res = new _ExtendedHttpServerResponse(req);
+    res.upgradeHead = head;
+    res.assignSocket(socket);
+    return res;
+  }
+  upgradeHead;
+  markHeadersSent() {
+    this["_header"] = true;
+  }
+};
 var HttpServerRequest = class {
   _body;
   _url;
   _cookies;
-  _headers;
-  _req;
+  #headers;
+  #req;
   constructor(req) {
-    this._req = req;
-    this._headers = new IncomingMessageHeaders(this._req);
+    this.#req = req;
+    this.#headers = new IncomingMessageHeaders(this.#req);
+  }
+  get unsafeIncomingMessage() {
+    return this.#req;
+  }
+  get upgrade() {
+    return this.#req["upgrade"];
   }
   get http2() {
-    return this._req.httpVersionMajor >= 2;
+    return this.#req.httpVersionMajor >= 2;
   }
   get headers() {
-    return this._headers;
+    return this.#headers;
   }
   get path() {
     return this.URL?.pathname;
   }
   get URL() {
-    this._url ??= new URL(this._req.url, `${this.protocol}://${this.host}`);
+    this._url ??= new URL(this.#req.urlBang, `${this.protocol}://${this.host}`);
     return this._url;
   }
   get query() {
     return this.URL?.search;
   }
   get method() {
-    return this._req.method;
+    return this.#req.method;
   }
   get host() {
     let dh = void 0;
-    if (this._req.httpVersionMajor >= 2) {
-      dh = (this._req?.headers)[":authority"];
+    if (this.#req.httpVersionMajor >= 2) {
+      dh = this.#req.headers[":authority"];
     }
-    dh ??= this._req?.socket.remoteAddress;
+    dh ??= this.#req.socket.remoteAddress;
     return requestToHost(this, dh);
   }
   get protocol() {
     let dp = void 0;
-    if (this._req.httpVersionMajor > 2) {
-      dp = this._req.headers[":scheme"];
+    if (this.#req.httpVersionMajor > 2) {
+      dp = this.#req.headers[":scheme"];
     }
-    dp ??= this._req?.socket["encrypted"] ? "https" : "http";
+    dp ??= this.#req.socketEncrypted ? "https" : "http";
     return requestToProtocol(this, dp);
   }
   get socket() {
-    return this._req.socket;
+    return this.#req.socket;
   }
   get cookies() {
     this._cookies ??= parseCookies(this);
@@ -137,7 +263,7 @@ var HttpServerRequest = class {
   get body() {
     this._body ??= new Promise((resolve, reject) => {
       const chunks = [];
-      this._req.on("error", (err) => reject(err)).on("data", (chunk) => chunks.push(chunk)).on("end", () => {
+      this.#req.on("error", (err) => reject(err)).on("data", (chunk) => chunks.push(chunk)).on("end", () => {
         resolve(new Blob(chunks, { type: this.headers.one("content-type") }));
       });
     });
@@ -236,26 +362,29 @@ var OutgoingMessageHeaders = class {
   }
 };
 var HttpServerResponse = class {
-  _headers;
-  _res;
+  #headers;
+  #res;
   constructor(res) {
-    this._res = res;
-    this._headers = new OutgoingMessageHeaders(res);
+    this.#res = res;
+    this.#headers = new OutgoingMessageHeaders(res);
+  }
+  get unsafeServerResponse() {
+    return this.#res;
   }
   get statusCode() {
-    return this._res.statusCode;
+    return this.#res.statusCode;
   }
   set statusCode(value) {
-    if (this._res.headersSent) {
+    if (this.#res.headersSent) {
       return;
     }
-    this._res.statusCode = value;
+    this.#res.statusCode = value;
   }
   set statusMessage(value) {
-    this._res.statusMessage = value;
+    this.#res.statusMessage = value;
   }
   get headers() {
-    return this._headers;
+    return this.#headers;
   }
   get cookies() {
     return this.headers.list("set-cookie").map((cookie) => {
@@ -273,15 +402,15 @@ var HttpServerResponse = class {
     }).filter((cookie) => cookie !== void 0);
   }
   end(chunk) {
-    if (!this._res.headersSent) {
+    if (!this.#res.headersSent) {
       return new Promise((resolve, reject) => {
         try {
           if (chunk === void 0) {
-            this._res.end(() => {
+            this.#res.end(() => {
               resolve(true);
             });
           } else {
-            this._res.end(chunk, () => {
+            this.#res.end(chunk, () => {
               resolve(true);
             });
           }
@@ -307,15 +436,20 @@ var HttpServerResponse = class {
     return this;
   }
 };
-var DefaultWebExchange = class extends WebExchange {
+var DefaultWebExchange = class {
   request;
   response;
   constructor(request, response) {
-    super();
     this.request = request;
     this.response = response;
   }
-  get principal() {
+  get method() {
+    return this.request.method;
+  }
+  get path() {
+    return this.request.path;
+  }
+  principal() {
     return Promise.resolve(void 0);
   }
 };
@@ -402,6 +536,7 @@ var MockHttpRequest = class {
   #url;
   #body;
   headers = new MapHttpHeaders();
+  upgrade = false;
   constructor(url, method) {
     if (typeof url === "string") {
       if (URL.canParse(url)) {
@@ -485,185 +620,290 @@ var MockHttpResponse = class {
   }
 };
 
-// src/gateway/ws/core.ts
-import { IOGateway as IOGateway2 } from "@interopio/gateway";
-var GatewayEncoders = IOGateway2.Encoding;
-var log = getLogger("ws");
-var codec = GatewayEncoders.json();
-function initClient(key, socket, host, securityContextPromise) {
-  const opts = {
-    key,
-    host,
-    codec,
-    onAuthenticate: async () => {
-      const authentication = (await securityContextPromise)?.authentication;
-      if (authentication?.authenticated) {
-        return { type: "success", user: authentication.name };
-      }
-      throw new Error(`no valid client authentication ${key}`);
-    },
-    onPing: () => {
-      socket.ping((err) => {
-        if (err) {
-          log.warn(`failed to ping ${key}`, err);
-        } else {
-          log.info(`ping sent to ${key}`);
-        }
-      });
-    },
-    onDisconnect: (reason) => {
-      switch (reason) {
-        case "inactive": {
-          log.warn(`no heartbeat (ping) received from ${key}, closing socket`);
-          socket.close(4001, "ping expected");
-          break;
-        }
-        case "shutdown": {
-          socket.close(1001, "shutdown");
-          break;
-        }
-      }
-    }
-  };
-  try {
-    return this.client((data) => socket.send(data), opts);
-  } catch (err) {
-    log.warn(`${key} failed to create client`, err);
+// src/utils.ts
+function socketKey(socket) {
+  const remoteIp = socket.remoteAddress;
+  if (!remoteIp) {
+    throw new Error("Socket has no remote address");
   }
+  return `${remoteIp}:${socket.remotePort}`;
 }
-async function create(server) {
-  log.info("start gateway");
-  await this.start({ endpoint: server.endpoint });
-  server.wss.on("error", (err) => {
-    log.error("error starting the gateway websocket server", err);
-  }).on("connection", (socket, req) => {
-    const request = new HttpServerRequest(req);
-    const securityContextPromise = server.storage?.getStore()?.securityContext;
-    const key = socketKey(request.socket);
-    const host = request.host;
-    log.info(`${key} connected on gw from ${host}`);
-    const client = initClient.call(this, key, socket, host, securityContextPromise);
-    if (!client) {
-      log.error(`${key} gw client init failed`);
-      socket.terminate();
-      return;
-    }
-    socket.on("error", (err) => {
-      log.error(`${key} websocket error: ${err}`, err);
-    });
-    socket.on("message", (data, _isBinary) => {
-      if (Array.isArray(data)) {
-        data = Buffer.concat(data);
-      }
-      client.send(data);
-    });
-    socket.on("close", (code) => {
-      log.info(`${key} disconnected from gw. code: ${code}`);
-      client.close();
-    });
-  });
-  return {
-    close: async () => {
-      server.wss.close();
-      await this.stop();
-    }
-  };
-}
-var core_default = create;
 
-// src/mesh/connections.ts
-var logger = getLogger("mesh.connections");
-var InMemoryNodeConnections = class {
-  constructor(timeout = 6e4) {
-    this.timeout = timeout;
-  }
-  nodes = /* @__PURE__ */ new Map();
-  nodesByEndpoint = /* @__PURE__ */ new Map();
-  memberIds = 0;
-  announce(nodes) {
-    for (const node of nodes) {
-      const { node: nodeId, users, endpoint } = node;
-      const foundId = this.nodesByEndpoint.get(endpoint);
-      if (foundId) {
-        if (foundId !== nodeId) {
-          logger.warn(`endpoint ${endpoint} clash. replacing node ${foundId} with ${nodeId}`);
-          this.nodesByEndpoint.set(endpoint, nodeId);
-          this.nodes.delete(foundId);
+// src/server/address.ts
+import { networkInterfaces } from "node:os";
+var PORT_RANGE_MATCHER = /^(\d+|(0x[\da-f]+))(-(\d+|(0x[\da-f]+)))?$/i;
+function validPort(port) {
+  if (port > 65535) throw new Error(`bad port ${port}`);
+  return port;
+}
+function* portRange(port) {
+  if (typeof port === "string") {
+    for (const portRange2 of port.split(",")) {
+      const trimmed = portRange2.trim();
+      const matchResult = PORT_RANGE_MATCHER.exec(trimmed);
+      if (matchResult) {
+        const start2 = parseInt(matchResult[1]);
+        const end = parseInt(matchResult[4] ?? matchResult[1]);
+        for (let i = validPort(start2); i < validPort(end) + 1; i++) {
+          yield i;
         }
       } else {
-        logger.info(`endpoint ${endpoint} announced for ${nodeId}`);
-        this.nodesByEndpoint.set(endpoint, nodeId);
-      }
-      this.nodes.set(nodeId, this.updateNode(node, new Set(users ?? []), nodeId, this.nodes.get(nodeId)));
-    }
-    this.cleanupOldNodes();
-    const sortedNodes = Array.from(this.nodes.values()).sort((a, b) => a.memberId - b.memberId);
-    return nodes.map((e) => {
-      const node = e.node;
-      const connect = this.findConnections(sortedNodes, this.nodes.get(node));
-      return { node, connect };
-    });
-  }
-  remove(nodeId) {
-    const removed = this.nodes.get(nodeId);
-    if (removed) {
-      this.nodes.delete(nodeId);
-      const endpoint = removed.endpoint;
-      this.nodesByEndpoint.delete(endpoint);
-      logger.info(`endpoint ${endpoint} removed for ${nodeId}`);
-      return true;
-    }
-    return false;
-  }
-  updateNode(newNode, users, _key, oldNode) {
-    const node = !oldNode ? { ...newNode, memberId: this.memberIds++ } : oldNode;
-    return { ...node, users, lastAccess: Date.now() };
-  }
-  cleanupOldNodes() {
-    const threshold = Date.now() - this.timeout;
-    for (const [nodeId, v] of this.nodes) {
-      if (v.lastAccess < threshold) {
-        if (logger.enabledFor("debug")) {
-          logger.debug(`${nodeId} expired - no announcement since ${new Date(v.lastAccess).toISOString()}, timeout is ${this.timeout} ms.`);
-        }
-        this.nodes.delete(nodeId);
+        throw new Error(`'${portRange2}' is not a valid port or range.`);
       }
     }
+  } else {
+    yield validPort(port);
   }
-  findConnections(sortedNodes, node) {
-    return sortedNodes.reduce((l, c) => {
-      if (node !== void 0 && c.memberId < node.memberId) {
-        const intersection = new Set(c.users);
-        node.users.forEach((user) => {
-          if (!c.users.has(user)) {
-            intersection.delete(user);
-          }
-        });
-        c.users.forEach((user) => {
-          if (!node.users.has(user)) {
-            intersection.delete(user);
-          }
-        });
-        if (intersection.size > 0) {
-          const e = { node: c.node, endpoint: c.endpoint };
-          return l.concat(e);
-        }
-      }
-      return l;
-    }, new Array());
+}
+var localIp = (() => {
+  function first(a) {
+    return a.length > 0 ? a[0] : void 0;
   }
-};
+  const addresses = Object.values(networkInterfaces()).flatMap((details) => {
+    return (details ?? []).filter((info2) => info2.family === "IPv4");
+  }).reduce((acc, info2) => {
+    acc[info2.internal ? "internal" : "external"].push(info2);
+    return acc;
+  }, { internal: [], external: [] });
+  return (first(addresses.internal) ?? first(addresses.external))?.address;
+})();
 
-// src/server/util/matchers.ts
+// src/server/monitoring.ts
+import { getHeapStatistics, writeHeapSnapshot } from "node:v8";
+import { access, mkdir, rename, unlink } from "node:fs/promises";
+var log2 = getLogger("monitoring");
+var DEFAULT_OPTIONS = {
+  memoryLimit: 1024 * 1024 * 1024,
+  // 1GB
+  reportInterval: 10 * 60 * 1e3,
+  // 10 min
+  dumpLocation: ".",
+  // current folder
+  maxBackups: 10,
+  dumpPrefix: "Heap"
+};
+function fetchStats() {
+  return getHeapStatistics();
+}
+async function dumpHeap(opts) {
+  const prefix = opts.dumpPrefix ?? "Heap";
+  const target = `${opts.dumpLocation}/${prefix}.heapsnapshot`;
+  if (log2.enabledFor("debug")) {
+    log2.debug(`starting heap dump in ${target}`);
+  }
+  await fileExists(opts.dumpLocation).catch(async (_) => {
+    if (log2.enabledFor("debug")) {
+      log2.debug(`dump location  ${opts.dumpLocation} does not exists. Will try to create it`);
+    }
+    try {
+      await mkdir(opts.dumpLocation, { recursive: true });
+      log2.info(`dump location dir ${opts.dumpLocation} successfully created`);
+    } catch (e) {
+      log2.error(`failed to create dump location ${opts.dumpLocation}`);
+    }
+  });
+  const dumpFileName = writeHeapSnapshot(target);
+  log2.info(`heap dumped`);
+  try {
+    log2.debug(`rolling snapshot backups`);
+    const lastFileName = `${opts.dumpLocation}/${prefix}.${opts.maxBackups}.heapsnapshot`;
+    await fileExists(lastFileName).then(async () => {
+      if (log2.enabledFor("debug")) {
+        log2.debug(`deleting ${lastFileName}`);
+      }
+      try {
+        await unlink(lastFileName);
+      } catch (e) {
+        log2.warn(`failed to delete ${lastFileName}`, e);
+      }
+    }).catch(() => {
+    });
+    for (let i = opts.maxBackups - 1; i > 0; i--) {
+      const currentFileName = `${opts.dumpLocation}/${prefix}.${i}.heapsnapshot`;
+      const nextFileName = `${opts.dumpLocation}/${prefix}.${i + 1}.heapsnapshot`;
+      await fileExists(currentFileName).then(async () => {
+        try {
+          await rename(currentFileName, nextFileName);
+        } catch (e) {
+          log2.warn(`failed to rename ${currentFileName} to ${nextFileName}`, e);
+        }
+      }).catch(() => {
+      });
+    }
+    const firstFileName = `${opts.dumpLocation}/${prefix}.${1}.heapsnapshot`;
+    try {
+      await rename(dumpFileName, firstFileName);
+    } catch (e) {
+      log2.warn(`failed to rename ${dumpFileName} to ${firstFileName}`, e);
+    }
+    log2.debug("snapshots rolled");
+  } catch (e) {
+    log2.error("error rolling backups", e);
+    throw e;
+  }
+}
+async function fileExists(path) {
+  log2.trace(`checking file ${path}`);
+  await access(path);
+}
+async function processStats(stats, state, opts) {
+  if (log2.enabledFor("debug")) {
+    log2.debug(`processing heap stats ${JSON.stringify(stats)}`);
+  }
+  const limit = Math.min(opts.memoryLimit, 0.95 * stats.heap_size_limit);
+  const used = stats.used_heap_size;
+  log2.info(`heap stats ${JSON.stringify(stats)}`);
+  if (used >= limit) {
+    log2.warn(`used heap ${used} bytes exceeds memory limit ${limit} bytes`);
+    if (state.memoryLimitExceeded) {
+      delete state.snapshot;
+    } else {
+      state.memoryLimitExceeded = true;
+      state.snapshot = true;
+    }
+    await dumpHeap(opts);
+  } else {
+    state.memoryLimitExceeded = false;
+    delete state.snapshot;
+  }
+}
+function start(opts) {
+  const merged = { ...DEFAULT_OPTIONS, ...opts };
+  let stopped = false;
+  const state = { memoryLimitExceeded: false };
+  const report = async () => {
+    const stats = fetchStats();
+    await processStats(stats, state, merged);
+  };
+  const interval = setInterval(report, merged.reportInterval);
+  const channel = async (command) => {
+    if (!stopped) {
+      command ??= "run";
+      switch (command) {
+        case "run": {
+          await report();
+          break;
+        }
+        case "dump": {
+          await dumpHeap(merged);
+          break;
+        }
+        case "stop": {
+          stopped = true;
+          clearInterval(interval);
+          log2.info("exit memory diagnostic");
+          break;
+        }
+      }
+    }
+    return stopped;
+  };
+  return { ...merged, channel };
+}
+async function run({ channel }, command) {
+  if (!await channel(command)) {
+    log2.warn(`cannot execute command "${command}" already closed`);
+  }
+}
+async function stop(m) {
+  return await run(m, "stop");
+}
+
+// src/app/ws-client-verify.ts
+import { IOGateway as IOGateway3 } from "@interopio/gateway";
+var log3 = getLogger("gateway.ws.client-verify");
+function acceptsMissing(originFilters) {
+  switch (originFilters.missing) {
+    case "allow":
+    // fall-through
+    case "whitelist":
+      return true;
+    case "block":
+    // fall-through
+    case "blacklist":
+      return false;
+    default:
+      return false;
+  }
+}
+function tryMatch(originFilters, origin) {
+  const block = originFilters.block ?? originFilters["blacklist"];
+  const allow = originFilters.allow ?? originFilters["whitelist"];
+  if (block.length > 0 && IOGateway3.Filtering.valuesMatch(block, origin)) {
+    log3.warn(`origin ${origin} matches block filter`);
+    return false;
+  } else if (allow.length > 0 && IOGateway3.Filtering.valuesMatch(allow, origin)) {
+    if (log3.enabledFor("debug")) {
+      log3.debug(`origin ${origin} matches allow filter`);
+    }
+    return true;
+  }
+}
+function acceptsNonMatched(originFilters) {
+  switch (originFilters.non_matched) {
+    case "allow":
+    // fall-through
+    case "whitelist":
+      return true;
+    case "block":
+    // fall-through
+    case "blacklist":
+      return false;
+    default:
+      return false;
+  }
+}
+function acceptsOrigin(origin, originFilters) {
+  if (!originFilters) {
+    return true;
+  }
+  if (!origin) {
+    return acceptsMissing(originFilters);
+  } else {
+    const matchResult = tryMatch(originFilters, origin);
+    if (matchResult) {
+      return matchResult;
+    } else {
+      return acceptsNonMatched(originFilters);
+    }
+  }
+}
+function regexifyOriginFilters(originFilters) {
+  if (originFilters) {
+    const block = (originFilters.block ?? originFilters.blacklist ?? []).map(IOGateway3.Filtering.regexify);
+    const allow = (originFilters.allow ?? originFilters.whitelist ?? []).map(IOGateway3.Filtering.regexify);
+    return {
+      non_matched: originFilters.non_matched ?? "allow",
+      missing: originFilters.missing ?? "allow",
+      allow,
+      block
+    };
+  }
+}
+
+// src/server/server-header.ts
+import info from "@interopio/gateway-server/package.json" with { type: "json" };
+var serverHeader = (server) => {
+  server ??= `${info.name} - v${info.version}`;
+  return async ({ response }, next) => {
+    if (server !== false && !response.headers.has("server")) {
+      response.headers.set("Server", server);
+    }
+    await next();
+  };
+};
+var server_header_default = (server) => serverHeader(server);
+
+// src/server/util/matchers.ts
 var or = (matchers) => {
   return async (exchange) => {
     for (const matcher of matchers) {
       const result = await matcher(exchange);
       if (result.match) {
-        return { match: true };
+        return match();
       }
     }
-    return { match: false };
+    return NO_MATCH;
   };
 };
 var and = (matchers) => {
@@ -671,10 +911,10 @@ var and = (matchers) => {
     for (const matcher2 of matchers) {
       const result = await matcher2(exchange);
       if (!result.match) {
-        return { match: false };
+        return NO_MATCH;
       }
     }
-    return { match: true };
+    return match();
   };
   matcher.toString = () => `and(${matchers.map((m) => m.toString()).join(", ")})`;
   return matcher;
@@ -682,38 +922,41 @@ var and = (matchers) => {
 var not = (matcher) => {
   return async (exchange) => {
     const result = await matcher(exchange);
-    return { match: !result.match };
+    return result.match ? NO_MATCH : match();
   };
 };
 var anyExchange = async (_exchange) => {
-  return { match: true };
+  return match();
 };
 anyExchange.toString = () => "any-exchange";
+var EMPTY_OBJECT = Object.freeze({});
+var NO_MATCH = Object.freeze({ match: false, variables: EMPTY_OBJECT });
+var match = (variables = EMPTY_OBJECT) => {
+  return { match: true, variables };
+};
 var pattern = (pattern2, opts) => {
   const method = opts?.method;
   const matcher = async (exchange) => {
     const request = exchange.request;
     const path = request.path;
     if (method !== void 0 && request.method !== method) {
-      return { match: false };
+      return NO_MATCH;
     }
     if (typeof pattern2 === "string") {
       if (path === pattern2) {
-        return { match: true };
-      } else {
-        return { match: false };
+        return match();
       }
+      return NO_MATCH;
     } else {
-      const match = pattern2.exec(path);
-      if (match !== null) {
-        return { match: true };
-      } else {
-        return { match: false };
+      const match2 = pattern2.exec(path);
+      if (match2 === null) {
+        return NO_MATCH;
       }
+      return { match: true, variables: { ...match2.groups } };
     }
   };
   matcher.toString = () => {
-    return `pattern(${pattern2.toString()})${method ? ` method=${method}` : ""}`;
+    return `pattern(${pattern2.toString()}, method=${method ?? "<any>"})`;
   };
   return matcher;
 };
@@ -734,7 +977,7 @@ var mediaType = (opts) => {
     try {
       requestMediaTypes = request.headers.list("accept");
     } catch (e) {
-      return { match: false };
+      return NO_MATCH;
     }
     for (const requestedMediaType of requestMediaTypes) {
       if (shouldIgnore(requestedMediaType)) {
@@ -742,1814 +985,1160 @@ var mediaType = (opts) => {
       }
       for (const mediaType2 of opts.mediaTypes) {
         if (requestedMediaType.startsWith(mediaType2)) {
-          return { match: true };
+          return match();
         }
       }
     }
-    return { match: false };
+    return NO_MATCH;
   };
 };
 var upgradeMatcher = async ({ request }) => {
-  const match = request["_req"]?.["upgrade"] && request.headers.one("upgrade")?.toLowerCase() === "websocket";
-  return { match };
+  const upgrade = request.upgrade && request.headers.one("upgrade")?.toLowerCase() === "websocket";
+  return upgrade ? match() : NO_MATCH;
 };
 upgradeMatcher.toString = () => "websocket upgrade";
 
-// src/mesh/rest-directory/routes.ts
-function routes(connections, config, authorize) {
-  config.cors.push(
-    [pattern("/api/nodes"), { allowMethods: ["GET", "POST"] }],
-    [pattern(/\/api\/nodes\/(?<nodeId>.*)/), { allowMethods: ["GET", "DELETE"] }]
-  );
-  if (authorize) {
-    config.authorize.push([pattern(/\/api\/nodes(\/.*)?/), authorize]);
-  }
-  return [
-    async (ctx, next) => {
-      if (ctx.method === "POST" && ctx.path === "/api/nodes") {
-        const json = await ctx.request.json;
-        if (!Array.isArray(json)) {
-          ctx.response.statusCode = 400;
-          await ctx.response.end();
-        } else {
-          const nodes = json;
-          const result = connections.announce(nodes);
-          const buffer = Buffer.from(JSON.stringify(result), "utf-8");
-          ctx.response.statusCode = 200;
-          ctx.response.headers.set("Content-Type", "application/json").set("Content-Length", buffer.length);
-          await ctx.response.end(buffer);
-        }
-      } else {
-        await next();
-      }
-    },
-    async ({ method, path, response }, next) => {
-      if (method === "DELETE" && path?.startsWith("/api/nodes/")) {
-        const nodeId = path?.substring("/api/nodes/".length);
-        connections.remove(nodeId);
-        response.statusCode = 200;
-        await response.end();
-      } else {
-        await next();
-      }
-    }
-  ];
-}
-var routes_default = routes;
-
-// src/mesh/ws/broker/core.ts
-import { IOGateway as IOGateway3 } from "@interopio/gateway";
-var GatewayEncoders2 = IOGateway3.Encoding;
-var logger2 = getLogger("mesh.ws.broker");
-function broadcastNodeAdded(nodes, newSocket, newNodeId) {
-  Object.entries(nodes.nodes).forEach(([nodeId, socket]) => {
-    if (nodeId !== newNodeId) {
-      newSocket.send(codec2.encode({ type: "node-added", "node-id": newNodeId, "new-node": nodeId }));
-      socket.send(codec2.encode({ type: "node-added", "node-id": nodeId, "new-node": newNodeId }));
+// src/app/route.ts
+import { IOGateway as IOGateway4 } from "@interopio/gateway";
+function findSocketRoute({ request }, { sockets: routes }) {
+  const path = request.path ?? "/";
+  const route = routes.get(path) ?? Array.from(routes.values()).find((route2) => {
+    if (path === "/" && route2.default === true) {
+      return true;
     }
   });
+  return [route, path];
 }
-function broadcastNodeRemoved(nodes, removedNodeId) {
-  Object.entries(nodes.nodes).forEach(([nodeId, socket]) => {
-    if (nodeId !== removedNodeId) {
-      socket.send(codec2.encode({ type: "node-removed", "node-id": nodeId, "removed-node": removedNodeId }));
+async function configure(app, config, routes) {
+  const applyCors = (matcher, requestMethod, options) => {
+    if (options?.cors) {
+      const cors = options.cors === true ? {
+        allowOrigins: options.origins?.allow?.map(IOGateway4.Filtering.regexify),
+        allowMethods: requestMethod == void 0 ? void 0 : [requestMethod],
+        allowCredentials: options.authorize?.access !== "permitted"
+      } : options.cors;
+      routes.cors.push([matcher, cors]);
     }
-  });
-}
-function onOpen(connectedNodes, key) {
-  logger2.info(`[${key}] connection accepted`);
-}
-function onClose(connectedNodes, key, code, reason) {
-  logger2.info(`[${key}] connected closed [${code}](${reason})`);
-  const nodeIds = connectedNodes.sockets[key];
-  if (nodeIds) {
-    delete connectedNodes.sockets[key];
-    for (const nodeId of nodeIds) {
-      delete connectedNodes.nodes[nodeId];
-    }
-    for (const nodeId of nodeIds) {
-      broadcastNodeRemoved(connectedNodes, nodeId);
-    }
-  }
-}
-function processMessage(connectedNodes, socket, key, msg) {
-  switch (msg.type) {
-    case "hello": {
-      const nodeId = msg["node-id"];
-      connectedNodes.nodes[nodeId] = socket;
-      connectedNodes.sockets[key] = connectedNodes.sockets[key] ?? [];
-      connectedNodes.sockets[key].push(nodeId);
-      logger2.info(`[${key}] node ${nodeId} added.`);
-      broadcastNodeAdded(connectedNodes, socket, nodeId);
-      break;
-    }
-    case "bye": {
-      const nodeId = msg["node-id"];
-      delete connectedNodes[nodeId];
-      logger2.info(`[${key}] node ${nodeId} removed.`);
-      broadcastNodeRemoved(connectedNodes, nodeId);
-      break;
-    }
-    case "data": {
-      const sourceNodeId = msg.from;
-      const targetNodeId = msg.to;
-      if ("all" === targetNodeId) {
-        Object.entries(connectedNodes.nodes).forEach(([nodeId, socket2]) => {
-          if (nodeId !== sourceNodeId) {
-            socket2.send(codec2.encode(msg));
-          }
-        });
-      } else {
-        const socket2 = connectedNodes.nodes[targetNodeId];
-        if (socket2) {
-          socket2.send(codec2.encode(msg));
-        } else {
-          logger2.warn(`unable to send to node ${targetNodeId} message ${JSON.stringify(msg)}`);
+  };
+  const configurer = new class {
+    handle(...handlers) {
+      handlers.forEach(({ request, options, handler }) => {
+        const matcher = pattern(IOGateway4.Filtering.regexify(request.path), { method: request.method });
+        if (options?.authorize) {
+          routes.authorize.push([matcher, options.authorize]);
         }
-      }
-      break;
+        applyCors(matcher, request.method, options);
+        const middleware = async (exchange, next) => {
+          const { match: match2, variables } = await matcher(exchange);
+          if (match2) {
+            await handler(exchange, variables);
+          } else {
+            await next();
+          }
+        };
+        routes.middleware.push(middleware);
+      });
     }
-    default: {
-      logger2.warn(`[${key}] ignoring unknown message ${JSON.stringify(msg)}`);
-      break;
+    socket(...sockets) {
+      for (const { path, factory, options } of sockets) {
+        const route = path ?? "/";
+        routes.sockets.set(route, {
+          default: path === void 0,
+          ping: options?.ping,
+          factory,
+          maxConnections: options?.maxConnections,
+          authorize: options?.authorize,
+          originFilters: regexifyOriginFilters(options?.origins)
+        });
+      }
     }
-  }
+  }();
+  await app(configurer, config);
 }
-var codec2 = GatewayEncoders2.transit({
-  keywordize: /* @__PURE__ */ new Map([
-    ["/type", "*"],
-    ["/message/body/type", "*"],
-    ["/message/origin", "*"],
-    ["/message/receiver/type", "*"],
-    ["/message/source/type", "*"],
-    ["/message/body/type", "*"]
-  ])
-});
-function onMessage(connectedNodes, socket, key, msg) {
-  try {
-    const decoded = codec2.decode(msg);
-    if (logger2.enabledFor("debug")) {
-      logger2.debug(`[${key}] processing msg ${JSON.stringify(decoded)}`);
-    }
-    processMessage(connectedNodes, socket, key, decoded);
-  } catch (ex) {
-    logger2.error(`[${key}] unable to process message`, ex);
+
+// src/server/cors.ts
+import { IOGateway as IOGateway5 } from "@interopio/gateway";
+function isSameOrigin(request) {
+  const origin = request.headers.one("origin");
+  if (origin === void 0) {
+    return true;
   }
+  const url = request.URL;
+  const actualProtocol = url.protocol;
+  const actualHost = url.host;
+  const originUrl = URL.parse(origin);
+  const originHost = originUrl?.host;
+  const originProtocol = originUrl?.protocol;
+  return actualProtocol === originProtocol && actualHost === originHost;
 }
-var WebsocketBroker = class {
-  constructor(server) {
-    this.server = server;
-  }
-  async close() {
-    this.server.close();
-  }
-};
-async function create2(server) {
-  const connectedNodes = { nodes: {}, sockets: {} };
-  logger2.info(`mesh server is listening`);
-  server.wss.on("error", () => {
-    logger2.error(`error starting mesh server`);
-  }).on("connection", (socket, request) => {
-    const key = socketKey(request.socket);
-    onOpen(connectedNodes, key);
-    socket.on("error", (err) => {
-      logger2.error(`[${key}] websocket error: ${err}`, err);
-    });
-    socket.on("message", (data, isBinary) => {
-      if (Array.isArray(data)) {
-        data = Buffer.concat(data);
-      }
-      onMessage(connectedNodes, socket, key, data);
-    });
-    socket.on("close", (code, reason) => {
-      onClose(connectedNodes, key, code, reason);
-    });
-  });
-  return new WebsocketBroker(server.wss);
+function isCorsRequest(request) {
+  return request.headers.has("origin") && !isSameOrigin(request);
 }
-var core_default2 = create2;
-
-// src/mesh/ws/relays/core.ts
-import { IOGateway as IOGateway4 } from "@interopio/gateway";
-var GatewayEncoders3 = IOGateway4.Encoding;
-var logger3 = getLogger("mesh.ws.relay");
-var codec3 = GatewayEncoders3.transit({
-  keywordize: /* @__PURE__ */ new Map([
-    ["/type", "*"],
-    ["/message/body/type", "*"],
-    ["/message/origin", "*"],
-    ["/message/receiver/type", "*"],
-    ["/message/source/type", "*"],
-    ["/message/body/type", "*"]
-  ])
-});
-var InternalRelays = class {
-  // key -> socket
-  clients = /* @__PURE__ */ new Map();
-  // node -> key
-  links = /* @__PURE__ */ new Map();
-  onMsg;
-  onErr;
-  add(key, soc) {
-    this.clients.set(key, soc);
-  }
-  remove(key) {
-    this.clients.delete(key);
-    for (const [node, k] of this.links) {
-      if (k === key) {
-        this.links.delete(node);
+function isPreFlightRequest(request) {
+  return request.method === "OPTIONS" && request.headers.has("origin") && request.headers.has("access-control-request-method");
+}
+var VARY_HEADERS = ["Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"];
+var processRequest = (exchange, config) => {
+  const { request, response } = exchange;
+  const responseHeaders = response.headers;
+  if (!responseHeaders.has("Vary")) {
+    responseHeaders.set("Vary", VARY_HEADERS.join(", "));
+  } else {
+    const varyHeaders = responseHeaders.list("Vary");
+    for (const header of VARY_HEADERS) {
+      if (!varyHeaders.find((h) => h === header)) {
+        varyHeaders.push(header);
       }
     }
+    responseHeaders.set("Vary", varyHeaders.join(", "));
   }
-  receive(key, msg) {
-    const node = this.link(key, msg);
-    if (node && this.onMsg) {
-      this.onMsg(key, node, msg);
+  try {
+    if (!isCorsRequest(request)) {
+      return true;
     }
-  }
-  link(key, msg) {
-    try {
-      const decoded = codec3.decode(msg);
-      const { type, from, to } = decoded;
-      if (to === "all") {
-        switch (type) {
-          case "hello": {
-            if (logger3.enabledFor("debug")) {
-              logger3.debug(`${key} registers node ${from}`);
-            }
-            this.links.set(from, key);
-            break;
-          }
-          case "bye": {
-            if (logger3.enabledFor("debug")) {
-              logger3.debug(`${key} unregisters node ${from}`);
-            }
-            this.links.delete(from);
-            break;
-          }
-        }
-        return;
-      }
-      return from;
-    } catch (e) {
-      if (this.onErr) {
-        this.onErr(key, e instanceof Error ? e : new Error(`link failed :${e}`));
-      } else {
-        logger3.warn(`${key} unable to process ${msg}`, e);
-      }
+  } catch (e) {
+    if (logger.enabledFor("debug")) {
+      logger.debug(`reject: origin is malformed`);
     }
+    rejectRequest(response);
+    return false;
   }
-  send(key, node, msg, cb) {
-    const decoded = codec3.decode(msg);
-    if (logger3.enabledFor("debug")) {
-      logger3.debug(`${key} sending msg to ${node} ${JSON.stringify(decoded)}`);
-    }
-    const clientKey = this.links.get(node);
-    if (clientKey) {
-      const client = this.clients.get(clientKey);
-      if (client) {
-        client.send(msg, { binary: false }, (err) => {
-          cb(clientKey, err);
-        });
-        return;
-      }
-    }
-    throw new Error(`${key} no active link for ${decoded.to}`);
+  if (responseHeaders.has("access-control-allow-origin")) {
+    logger.trace(`skip: already contains "Access-Control-Allow-Origin"`);
+    return true;
+  }
+  const preFlightRequest = isPreFlightRequest(request);
+  if (config) {
+    return handleInternal(exchange, config, preFlightRequest);
+  }
+  if (preFlightRequest) {
+    rejectRequest(response);
+    return false;
   }
+  return true;
 };
-var internal = new InternalRelays();
-var relays = internal;
-async function create3(server) {
-  logger3.info(`relays server is listening`);
-  server.wss.on("error", () => {
-    logger3.error(`error starting relays server`);
-  }).on("connection", (socket, request) => {
-    const key = socketKey(request.socket);
-    logger3.info(`${key} connected on relays`);
-    internal.add(key, socket);
-    socket.on("error", (err) => {
-      logger3.error(`[${key}] websocket error: ${err}`, err);
-    });
-    socket.on("message", (data, _isBinary) => {
-      if (Array.isArray(data)) {
-        data = Buffer.concat(data);
-      }
-      try {
-        internal.receive(key, data);
-      } catch (e) {
-        logger3.warn(`[${key}] error processing received data '${data}'`, e);
-      }
-    });
-    socket.on("close", (code, reason) => {
-      internal.remove(key);
-      logger3.info(`${key} disconnected from relays`);
-    });
-  });
-  return {
-    close: async () => {
-      server.wss.close();
+var DEFAULT_PERMIT_ALL = ["*"];
+var DEFAULT_PERMIT_METHODS = ["GET", "HEAD", "POST"];
+var PERMIT_DEFAULT_CONFIG = {
+  allowOrigins: DEFAULT_PERMIT_ALL,
+  allowMethods: DEFAULT_PERMIT_METHODS,
+  allowHeaders: DEFAULT_PERMIT_ALL,
+  maxAge: 1800
+  // 30 minutes
+};
+function validateCorsConfig(config) {
+  if (config) {
+    const allowHeaders = config.allowHeaders;
+    if (allowHeaders && allowHeaders !== ALL) {
+      config = {
+        ...config,
+        allowHeaders: allowHeaders.map((header) => header.toLowerCase())
+      };
     }
-  };
-}
-var core_default3 = create3;
-
-// src/mesh/ws/cluster/core.ts
-var logger4 = getLogger("mesh.ws.cluster");
-function onMessage2(key, node, socketsByNodeId, msg) {
-  try {
-    relays.send(key, node, msg, (k, err) => {
-      if (err) {
-        logger4.warn(`${k} error writing msg ${msg}: ${err}`);
-        return;
-      }
-      if (logger4.enabledFor("debug")) {
-        logger4.debug(`${k} sent msg ${msg}`);
+    const allowOrigins = config.allowOrigins;
+    if (allowOrigins) {
+      if (allowOrigins === "*") {
+        validateAllowCredentials(config);
+        validateAllowPrivateNetwork(config);
+      } else {
+        config = {
+          ...config,
+          allowOrigins: allowOrigins.map((origin) => {
+            if (typeof origin === "string" && origin !== ALL) {
+              origin = IOGateway5.Filtering.regexify(origin);
+              if (typeof origin === "string") {
+                return trimTrailingSlash(origin).toLowerCase();
+              }
+            }
+            return origin;
+          })
+        };
       }
-    });
-  } catch (ex) {
-    logger4.error(`${key} unable to process message`, ex);
-    if (node) {
-      const socket = socketsByNodeId.get(node)?.get(key);
-      socket?.terminate();
     }
+    return config;
   }
 }
-async function create4(server) {
-  const socketsByNodeId = /* @__PURE__ */ new Map();
-  relays.onMsg = (k, nodeId, msg) => {
-    try {
-      const sockets = socketsByNodeId.get(nodeId);
-      if (sockets && sockets.size > 0) {
-        for (const [key, socket] of sockets) {
-          socket.send(msg, { binary: false }, (err) => {
-            if (err) {
-              logger4.warn(`${key} error writing from ${k} msg ${msg}: ${err}`);
-              return;
-            }
-            if (logger4.enabledFor("debug")) {
-              logger4.debug(`${key} sent from ${k} msg ${msg}`);
-            }
-          });
-        }
-      } else {
-        logger4.warn(`${k} dropped msg ${msg}.`);
-      }
-    } catch (ex) {
-      logger4.error(`${k} unable to process message`, ex);
-    }
+function combine(source, other) {
+  if (other === void 0) {
+    return source !== void 0 ? source === ALL ? [ALL] : source : [];
+  }
+  if (source === void 0) {
+    return other === ALL ? [ALL] : other;
+  }
+  if (source == DEFAULT_PERMIT_ALL || source === DEFAULT_PERMIT_METHODS) {
+    return other === ALL ? [ALL] : other;
+  }
+  if (other == DEFAULT_PERMIT_ALL || other === DEFAULT_PERMIT_METHODS) {
+    return source === ALL ? [ALL] : source;
+  }
+  if (source === ALL || source.includes(ALL) || other === ALL || other.includes(ALL)) {
+    return [ALL];
+  }
+  const combined = /* @__PURE__ */ new Set();
+  source.forEach((v) => combined.add(v));
+  other.forEach((v) => combined.add(v));
+  return Array.from(combined);
+}
+var combineCorsConfig = (source, other) => {
+  if (other === void 0) {
+    return source;
+  }
+  const config = {
+    allowOrigins: combine(source.allowOrigins, other?.allowOrigins),
+    allowMethods: combine(source.allowMethods, other?.allowMethods),
+    allowHeaders: combine(source.allowHeaders, other?.allowHeaders),
+    exposeHeaders: combine(source.exposeHeaders, other?.exposeHeaders),
+    allowCredentials: other?.allowCredentials ?? source.allowCredentials,
+    allowPrivateNetwork: other?.allowPrivateNetwork ?? source.allowPrivateNetwork,
+    maxAge: other?.maxAge ?? source.maxAge
   };
-  server.wss.on("error", () => {
-    logger4.error(`error starting mesh server`);
-  }).on("listening", () => {
-    logger4.info(`mesh server is listening`);
-  }).on("connection", (socket, req) => {
-    const request = new HttpServerRequest(req);
-    const key = socketKey(request.socket);
-    const query = new URLSearchParams(request.query ?? void 0);
-    logger4.info(`${key} connected on cluster with ${query}`);
-    const node = query.get("node");
-    if (node) {
-      let sockets = socketsByNodeId.get(node);
-      if (!sockets) {
-        sockets = /* @__PURE__ */ new Map();
-        socketsByNodeId.set(node, sockets);
-      }
-      sockets.set(key, socket);
-    } else {
-      socket.terminate();
+  return config;
+};
+var corsFilter = (opts) => {
+  const source = opts.corsConfigSource;
+  const processor = opts.corsProcessor ?? processRequest;
+  return async (ctx, next) => {
+    const config = await source(ctx);
+    const isValid = processor(ctx, config);
+    if (!isValid || isPreFlightRequest(ctx.request)) {
       return;
-    }
-    socket.on("error", (err) => {
-      logger4.error(`${key} websocket error: ${err}`, err);
-    });
-    socket.on("message", (data, _isBinary) => {
-      if (Array.isArray(data)) {
-        data = Buffer.concat(data);
-      }
-      onMessage2(key, node, socketsByNodeId, data);
-    });
-    socket.on("close", (_code, _reason) => {
-      logger4.info(`${key} disconnected from cluster`);
-      const sockets = socketsByNodeId.get(node);
-      if (sockets) {
-        sockets.delete(key);
-        if (sockets.size === 0) {
-          socketsByNodeId.delete(node);
-        }
-      }
-    });
-  });
-  return {
-    close: async () => {
-      server.wss.close();
+    } else {
+      await next();
     }
   };
+};
+var cors_default = corsFilter;
+var logger = getLogger("cors");
+function rejectRequest(response) {
+  response.statusCode = 403;
 }
-var core_default4 = create4;
-
-// src/metrics/routes.ts
-var logger5 = getLogger("metrics");
-async function routes2(config, { cors, authorize }) {
-  const { jsonFileAppender } = await import("@interopio/gateway/metrics/publisher/file");
-  const appender = jsonFileAppender(logger5);
-  await appender.open(config.file?.location ?? "metrics.ndjson", config.file?.append ?? true);
-  cors.push([pattern("/api/metrics"), { allowMethods: ["GET", "POST"] }]);
-  if (config.authorize) {
-    authorize.push([pattern("/api/metrics"), config.authorize]);
-  }
-  return [
-    async (ctx, next) => {
-      if (ctx.method === "GET" && ctx.path === "/api/metrics") {
-        ctx.response.statusCode = 200;
-        await ctx.response.end();
-      } else {
-        await next();
-      }
-    },
-    async ({ request, response }, next) => {
-      if (request.method === "POST" && request.path === "/api/metrics") {
-        response.statusCode = 202;
-        await response.end();
-        try {
-          const json = await request.json;
-          const update = json;
-          if (logger5.enabledFor("debug")) {
-            logger5.debug(`${JSON.stringify(update)}`);
-          }
-          if ((config.file?.status ?? false) || update.status === void 0) {
-            await appender.write(update);
-          }
-        } catch (e) {
-          logger5.error(`error processing metrics`, e);
-        }
-      } else {
-        await next();
-      }
+function handleInternal(exchange, config, preFlightRequest) {
+  const { request, response } = exchange;
+  const responseHeaders = response.headers;
+  const requestOrigin = request.headers.one("origin");
+  const allowOrigin = checkOrigin(config, requestOrigin);
+  if (allowOrigin === void 0) {
+    if (logger.enabledFor("debug")) {
+      logger.debug(`reject: '${requestOrigin}' origin is not allowed`);
     }
-  ];
-}
-var routes_default2 = routes2;
-
-// src/common/compose.ts
-function compose(...middleware) {
-  if (!Array.isArray(middleware)) {
-    throw new Error("middleware must be array!");
+    rejectRequest(response);
+    return false;
   }
-  const fns = middleware.flat();
-  for (const fn of fns) {
-    if (typeof fn !== "function") {
-      throw new Error("middleware must be compose of functions!");
-    }
-  }
-  return async function(ctx, next) {
-    const dispatch = async (i) => {
-      const fn = i === fns.length ? next : fns[i];
-      if (fn === void 0) {
-        return;
-      }
-      let nextCalled = false;
-      let nextResolved = false;
-      const nextFn = async () => {
-        if (nextCalled) {
-          throw new Error("next() called multiple times");
-        }
-        nextCalled = true;
-        try {
-          return await dispatch(i + 1);
-        } finally {
-          nextResolved = true;
-        }
-      };
-      const result = await fn(ctx, nextFn);
-      if (nextCalled && !nextResolved) {
-        throw new Error("middleware resolved before downstream.\n	 You are probably missing an await or return statement in your middleware function.");
-      }
-      return result;
-    };
-    return dispatch(0);
-  };
-}
-
-// src/server/address.ts
-import { networkInterfaces } from "node:os";
-var PORT_RANGE_MATCHER = /^(\d+|(0x[\da-f]+))(-(\d+|(0x[\da-f]+)))?$/i;
-function validPort(port) {
-  if (port > 65535) throw new Error(`bad port ${port}`);
-  return port;
-}
-function* portRange(port) {
-  if (typeof port === "string") {
-    for (const portRange2 of port.split(",")) {
-      const trimmed = portRange2.trim();
-      const matchResult = PORT_RANGE_MATCHER.exec(trimmed);
-      if (matchResult) {
-        const start2 = parseInt(matchResult[1]);
-        const end = parseInt(matchResult[4] ?? matchResult[1]);
-        for (let i = validPort(start2); i < validPort(end) + 1; i++) {
-          yield i;
-        }
-      } else {
-        throw new Error(`'${portRange2}' is not a valid port or range.`);
-      }
-    }
-  } else {
-    yield validPort(port);
-  }
-}
-var localIp = (() => {
-  function first(a) {
-    return a.length > 0 ? a[0] : void 0;
-  }
-  const addresses = Object.values(networkInterfaces()).flatMap((details) => {
-    return (details ?? []).filter((info2) => info2.family === "IPv4");
-  }).reduce((acc, info2) => {
-    acc[info2.internal ? "internal" : "external"].push(info2);
-    return acc;
-  }, { internal: [], external: [] });
-  return (first(addresses.internal) ?? first(addresses.external))?.address;
-})();
-
-// src/server/monitoring.ts
-import { getHeapStatistics, writeHeapSnapshot } from "node:v8";
-import { access, mkdir, rename, unlink } from "node:fs/promises";
-var log2 = getLogger("monitoring");
-var DEFAULT_OPTIONS = {
-  memoryLimit: 1024 * 1024 * 1024,
-  // 1GB
-  reportInterval: 10 * 60 * 1e3,
-  // 10 min
-  dumpLocation: ".",
-  // current folder
-  maxBackups: 10,
-  dumpPrefix: "Heap"
-};
-function fetchStats() {
-  return getHeapStatistics();
-}
-async function dumpHeap(opts) {
-  const prefix = opts.dumpPrefix ?? "Heap";
-  const target = `${opts.dumpLocation}/${prefix}.heapsnapshot`;
-  if (log2.enabledFor("debug")) {
-    log2.debug(`starting heap dump in ${target}`);
-  }
-  await fileExists(opts.dumpLocation).catch(async (_) => {
-    if (log2.enabledFor("debug")) {
-      log2.debug(`dump location  ${opts.dumpLocation} does not exists. Will try to create it`);
-    }
-    try {
-      await mkdir(opts.dumpLocation, { recursive: true });
-      log2.info(`dump location dir ${opts.dumpLocation} successfully created`);
-    } catch (e) {
-      log2.error(`failed to create dump location ${opts.dumpLocation}`);
-    }
-  });
-  const dumpFileName = writeHeapSnapshot(target);
-  log2.info(`heap dumped`);
-  try {
-    log2.debug(`rolling snapshot backups`);
-    const lastFileName = `${opts.dumpLocation}/${prefix}.${opts.maxBackups}.heapsnapshot`;
-    await fileExists(lastFileName).then(async () => {
-      if (log2.enabledFor("debug")) {
-        log2.debug(`deleting ${lastFileName}`);
-      }
-      try {
-        await unlink(lastFileName);
-      } catch (e) {
-        log2.warn(`failed to delete ${lastFileName}`, e);
-      }
-    }).catch(() => {
-    });
-    for (let i = opts.maxBackups - 1; i > 0; i--) {
-      const currentFileName = `${opts.dumpLocation}/${prefix}.${i}.heapsnapshot`;
-      const nextFileName = `${opts.dumpLocation}/${prefix}.${i + 1}.heapsnapshot`;
-      await fileExists(currentFileName).then(async () => {
-        try {
-          await rename(currentFileName, nextFileName);
-        } catch (e) {
-          log2.warn(`failed to rename ${currentFileName} to ${nextFileName}`, e);
-        }
-      }).catch(() => {
-      });
-    }
-    const firstFileName = `${opts.dumpLocation}/${prefix}.${1}.heapsnapshot`;
-    try {
-      await rename(dumpFileName, firstFileName);
-    } catch (e) {
-      log2.warn(`failed to rename ${dumpFileName} to ${firstFileName}`, e);
-    }
-    log2.debug("snapshots rolled");
-  } catch (e) {
-    log2.error("error rolling backups", e);
-    throw e;
-  }
-}
-async function fileExists(path) {
-  log2.trace(`checking file ${path}`);
-  await access(path);
-}
-async function processStats(stats, state, opts) {
-  if (log2.enabledFor("debug")) {
-    log2.debug(`processing heap stats ${JSON.stringify(stats)}`);
-  }
-  const limit = Math.min(opts.memoryLimit, 0.95 * stats.heap_size_limit);
-  const used = stats.used_heap_size;
-  log2.info(`heap stats ${JSON.stringify(stats)}`);
-  if (used >= limit) {
-    log2.warn(`used heap ${used} bytes exceeds memory limit ${limit} bytes`);
-    if (state.memoryLimitExceeded) {
-      delete state.snapshot;
-    } else {
-      state.memoryLimitExceeded = true;
-      state.snapshot = true;
-    }
-    await dumpHeap(opts);
-  } else {
-    state.memoryLimitExceeded = false;
-    delete state.snapshot;
-  }
-}
-function start(opts) {
-  const merged = { ...DEFAULT_OPTIONS, ...opts };
-  let stopped = false;
-  const state = { memoryLimitExceeded: false };
-  const report = async () => {
-    const stats = fetchStats();
-    await processStats(stats, state, merged);
-  };
-  const interval = setInterval(report, merged.reportInterval);
-  const channel = async (command) => {
-    if (!stopped) {
-      command ??= "run";
-      switch (command) {
-        case "run": {
-          await report();
-          break;
-        }
-        case "dump": {
-          await dumpHeap(merged);
-          break;
-        }
-        case "stop": {
-          stopped = true;
-          clearInterval(interval);
-          log2.info("exit memory diagnostic");
-          break;
-        }
-      }
-    }
-    return stopped;
-  };
-  return { ...merged, channel };
-}
-async function run({ channel }, command) {
-  if (!await channel(command)) {
-    log2.warn(`cannot execute command "${command}" already closed`);
-  }
-}
-async function stop(m) {
-  return await run(m, "stop");
-}
-
-// src/app/ws-client-verify.ts
-import { IOGateway as IOGateway5 } from "@interopio/gateway";
-var log3 = getLogger("gateway.ws.client-verify");
-function acceptsMissing(originFilters) {
-  switch (originFilters.missing) {
-    case "allow":
-    // fall-through
-    case "whitelist":
-      return true;
-    case "block":
-    // fall-through
-    case "blacklist":
-      return false;
-    default:
-      return false;
-  }
-}
-function tryMatch(originFilters, origin) {
-  const block = originFilters.block ?? originFilters["blacklist"];
-  const allow = originFilters.allow ?? originFilters["whitelist"];
-  if (block.length > 0 && IOGateway5.Filtering.valuesMatch(block, origin)) {
-    log3.warn(`origin ${origin} matches block filter`);
-    return false;
-  } else if (allow.length > 0 && IOGateway5.Filtering.valuesMatch(allow, origin)) {
-    if (log3.enabledFor("debug")) {
-      log3.debug(`origin ${origin} matches allow filter`);
-    }
-    return true;
-  }
-}
-function acceptsNonMatched(originFilters) {
-  switch (originFilters.non_matched) {
-    case "allow":
-    // fall-through
-    case "whitelist":
-      return true;
-    case "block":
-    // fall-through
-    case "blacklist":
-      return false;
-    default:
-      return false;
-  }
-}
-function acceptsOrigin(origin, originFilters) {
-  if (!originFilters) {
-    return true;
-  }
-  if (!origin) {
-    return acceptsMissing(originFilters);
-  } else {
-    const matchResult = tryMatch(originFilters, origin);
-    if (matchResult) {
-      return matchResult;
-    } else {
-      return acceptsNonMatched(originFilters);
-    }
-  }
-}
-function regexifyOriginFilters(originFilters) {
-  if (originFilters) {
-    const block = (originFilters.block ?? originFilters.blacklist ?? []).map(IOGateway5.Filtering.regexify);
-    const allow = (originFilters.allow ?? originFilters.whitelist ?? []).map(IOGateway5.Filtering.regexify);
-    return {
-      non_matched: originFilters.non_matched ?? "allow",
-      missing: originFilters.missing ?? "allow",
-      allow,
-      block
-    };
-  }
-}
-
-// src/server/server-header.ts
-import info from "@interopio/gateway-server/package.json" with { type: "json" };
-var serverHeader = (server) => {
-  server ??= `${info.name} - v${info.version}`;
-  return async ({ response }, next) => {
-    if (server !== false && !response.headers.has("server")) {
-      response.headers.set("Server", server);
-    }
-    await next();
-  };
-};
-var server_header_default = (server) => serverHeader(server);
-
-// src/app/route.ts
-function findSocketRoute({ request }, { sockets: routes3 }) {
-  const path = request.path ?? "/";
-  const route = routes3.get(path) ?? Array.from(routes3.values()).find((route2) => {
-    if (path === "/" && route2.default === true) {
-      return true;
-    }
-  });
-  return [route, path];
-}
-
-// src/server/security/http-headers.ts
-var staticServerHttpHeadersWriter = (headers2) => {
-  return async (exchange) => {
-    let containsNoHeaders = true;
-    const { response } = exchange;
-    for (const name of headers2.keys()) {
-      if (response.headers.has(name)) {
-        containsNoHeaders = false;
-      }
-    }
-    if (containsNoHeaders) {
-      for (const [name, value] of headers2) {
-        response.headers.set(name, value);
-      }
-    }
-  };
-};
-var cacheControlServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
-  new MapHttpHeaders().add("cache-control", "no-cache, no-store, max-age=0, must-revalidate").add("pragma", "no-cache").add("expires", "0")
-);
-var contentTypeServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
-  new MapHttpHeaders().add("x-content-type-options", "nosniff")
-);
-var strictTransportSecurityServerHttpHeadersWriter = (maxAgeInSeconds, includeSubDomains, preload) => {
-  let headerValue = `max-age=${maxAgeInSeconds}`;
-  if (includeSubDomains) {
-    headerValue += " ; includeSubDomains";
-  }
-  if (preload) {
-    headerValue += " ; preload";
-  }
-  const delegate = staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("strict-transport-security", headerValue)
-  );
-  const isSecure = (exchange) => {
-    const protocol = exchange.request.URL.protocol;
-    return protocol === "https:";
-  };
-  return async (exchange) => {
-    if (isSecure(exchange)) {
-      await delegate(exchange);
-    }
-  };
-};
-var frameOptionsServerHttpHeadersWriter = (mode) => {
-  return staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("x-frame-options", mode)
-  );
-};
-var xssProtectionServerHttpHeadersWriter = (headerValue) => staticServerHttpHeadersWriter(
-  new MapHttpHeaders().add("x-xss-protection", headerValue)
-);
-var permissionsPolicyServerHttpHeadersWriter = (policyDirectives) => {
-  const delegate = policyDirectives === void 0 ? void 0 : staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("permissions-policy", policyDirectives)
-  );
-  return async (exchange) => {
-    if (delegate !== void 0) {
-      await delegate(exchange);
-    }
-  };
-};
-var contentSecurityPolicyServerHttpHeadersWriter = (policyDirectives, reportOnly) => {
-  const headerName = reportOnly ? "content-security-policy-report-only" : "content-security-policy";
-  const delegate = policyDirectives === void 0 ? void 0 : staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add(headerName, policyDirectives)
-  );
-  return async (exchange) => {
-    if (delegate !== void 0) {
-      await delegate(exchange);
-    }
-  };
-};
-var refererPolicyServerHttpHeadersWriter = (policy = "no-referrer") => {
-  return staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("referer-policy", policy)
-  );
-};
-var crossOriginOpenerPolicyServerHttpHeadersWriter = (policy) => {
-  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("cross-origin-opener-policy", policy)
-  );
-  return async (exchange) => {
-    if (delegate !== void 0) {
-      await delegate(exchange);
-    }
-  };
-};
-var crossOriginEmbedderPolicyServerHttpHeadersWriter = (policy) => {
-  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("cross-origin-embedder-policy", policy)
-  );
-  return async (exchange) => {
-    if (delegate !== void 0) {
-      await delegate(exchange);
-    }
-  };
-};
-var crossOriginResourcePolicyServerHttpHeadersWriter = (policy) => {
-  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
-    new MapHttpHeaders().add("cross-origin-resource-policy", policy)
-  );
-  return async (exchange) => {
-    if (delegate !== void 0) {
-      await delegate(exchange);
-    }
-  };
-};
-var compositeServerHttpHeadersWriter = (...writers) => {
-  return async (exchange) => {
-    for (const writer of writers) {
-      await writer(exchange);
-    }
-  };
-};
-function headers(opts) {
-  const writers = [];
-  if (!opts?.cache?.disabled) {
-    writers.push(cacheControlServerHttpHeadersWriter());
-  }
-  if (!opts?.contentType?.disabled) {
-    writers.push(contentTypeServerHttpHeadersWriter());
-  }
-  if (!opts?.hsts?.disabled) {
-    writers.push(strictTransportSecurityServerHttpHeadersWriter(opts?.hsts?.maxAge ?? 365 * 24 * 60 * 60, opts?.hsts?.includeSubDomains ?? true, opts?.hsts?.preload ?? false));
-  }
-  if (!opts?.frameOptions?.disabled) {
-    writers.push(frameOptionsServerHttpHeadersWriter(opts?.frameOptions?.mode ?? "DENY"));
-  }
-  if (!opts?.xss?.disabled) {
-    writers.push(xssProtectionServerHttpHeadersWriter(opts?.xss?.headerValue ?? "0"));
-  }
-  if (!opts?.permissionsPolicy?.disabled) {
-    writers.push(permissionsPolicyServerHttpHeadersWriter(opts?.permissionsPolicy?.policyDirectives));
-  }
-  if (!opts?.contentSecurityPolicy?.disabled) {
-    writers.push(contentSecurityPolicyServerHttpHeadersWriter(opts?.contentSecurityPolicy?.policyDirectives ?? "default-src 'self'", opts?.contentSecurityPolicy?.reportOnly));
-  }
-  if (!opts?.refererPolicy?.disabled) {
-    writers.push(refererPolicyServerHttpHeadersWriter(opts?.refererPolicy?.policy ?? "no-referrer"));
-  }
-  if (!opts?.crossOriginOpenerPolicy?.disabled) {
-    writers.push(crossOriginOpenerPolicyServerHttpHeadersWriter(opts?.crossOriginOpenerPolicy?.policy));
-  }
-  if (!opts?.crossOriginEmbedderPolicy?.disabled) {
-    writers.push(crossOriginEmbedderPolicyServerHttpHeadersWriter(opts?.crossOriginEmbedderPolicy?.policy));
-  }
-  if (!opts?.crossOriginResourcePolicy?.disabled) {
-    writers.push(crossOriginResourcePolicyServerHttpHeadersWriter(opts?.crossOriginResourcePolicy?.policy));
-  }
-  if (opts?.writers) {
-    writers.push(...opts.writers);
-  }
-  const writer = compositeServerHttpHeadersWriter(...writers);
-  return async (exchange, next) => {
-    await writer(exchange);
-    await next();
-  };
-}
-
-// src/server/security/types.ts
-var AuthenticationError = class extends Error {
-  _authentication;
-  get authentication() {
-    return this._authentication;
-  }
-  set authentication(value) {
-    if (value === void 0) {
-      throw new TypeError("Authentication cannot be undefined");
-    }
-    this._authentication = value;
-  }
-};
-var InsufficientAuthenticationError = class extends AuthenticationError {
-};
-var BadCredentialsError = class extends AuthenticationError {
-};
-var AccessDeniedError = class extends Error {
-};
-var AuthorizationDecision = class {
-  constructor(granted) {
-    this.granted = granted;
-  }
-  granted;
-};
-var DefaultAuthorizationManager = class {
-  #check;
-  constructor(check) {
-    this.#check = check;
-  }
-  async verify(authentication, object) {
-    const decision = await this.#check(authentication, object);
-    if (!decision?.granted) {
-      throw new AccessDeniedError("Access denied");
+  const requestMethod = getMethodToUse(request, preFlightRequest);
+  const allowMethods = checkMethods(config, requestMethod);
+  if (allowMethods === void 0) {
+    if (logger.enabledFor("debug")) {
+      logger.debug(`reject: HTTP '${requestMethod}' is not allowed`);
     }
+    rejectRequest(response);
+    return false;
   }
-  async authorize(authentication, object) {
-    return await this.#check(authentication, object);
-  }
-};
-var AuthenticationServiceError = class extends AuthenticationError {
-};
-
-// src/server/security/entry-point-failure-handler.ts
-var serverAuthenticationEntryPointFailureHandler = (opts) => {
-  const entryPoint = opts.entryPoint;
-  const rethrowAuthenticationServiceError = opts?.rethrowAuthenticationServiceError ?? true;
-  return async ({ exchange }, error) => {
-    if (!rethrowAuthenticationServiceError) {
-      return entryPoint(exchange, error);
-    }
-    if (!(error instanceof AuthenticationServiceError)) {
-      return entryPoint(exchange, error);
-    }
-    throw error;
-  };
-};
-
-// src/server/security/http-basic-entry-point.ts
-var DEFAULT_REALM = "Realm";
-var createHeaderValue = (realm) => {
-  return `Basic realm="${realm}"`;
-};
-var httpBasicEntryPoint = (opts) => {
-  const headerValue = createHeaderValue(opts?.realm ?? DEFAULT_REALM);
-  return async (exchange, _error) => {
-    const { response } = exchange;
-    response.statusCode = 401;
-    response.headers.set("WWW-Authenticate", headerValue);
-  };
-};
-
-// src/server/security/http-basic-converter.ts
-var BASIC = "Basic ";
-var httpBasicAuthenticationConverter = (opts) => {
-  return async (exchange) => {
-    const { request } = exchange;
-    const authorization = request.headers.one("authorization");
-    if (!authorization || !/basic/i.test(authorization.substring(0))) {
-      return;
-    }
-    const credentials = authorization.length <= BASIC.length ? "" : authorization.substring(BASIC.length);
-    const decoded = Buffer.from(credentials, "base64").toString(opts?.credentialsEncoding ?? "utf-8");
-    const parts = decoded.split(":", 2);
-    if (parts.length !== 2) {
-      return void 0;
+  const requestHeaders = getHeadersToUse(request, preFlightRequest);
+  const allowHeaders = checkHeaders(config, requestHeaders);
+  if (preFlightRequest && allowHeaders === void 0) {
+    if (logger.enabledFor("debug")) {
+      logger.debug(`reject: headers '${requestHeaders}' are not allowed`);
     }
-    return { type: "UsernamePassword", authenticated: false, principal: parts[0], credentials: parts[1] };
-  };
-};
-
-// src/server/security/security-context.ts
-import { AsyncLocalStorage } from "node:async_hooks";
-var AsyncStorageSecurityContextHolder = class _AsyncStorageSecurityContextHolder {
-  static hasSecurityContext(storage) {
-    return storage.getStore()?.securityContext !== void 0;
-  }
-  static async getSecurityContext(storage) {
-    return await storage.getStore()?.securityContext;
-  }
-  static clearSecurityContext(storage) {
-    delete storage.getStore()?.securityContext;
-  }
-  static withSecurityContext(securityContext) {
-    return (storage = new AsyncLocalStorage()) => {
-      storage.getStore().securityContext = securityContext;
-      return storage;
-    };
+    rejectRequest(response);
+    return false;
   }
-  static withAuthentication(authentication) {
-    return _AsyncStorageSecurityContextHolder.withSecurityContext(Promise.resolve({ authentication }));
+  responseHeaders.set("Access-Control-Allow-Origin", allowOrigin);
+  if (preFlightRequest) {
+    responseHeaders.set("Access-Control-Allow-Methods", allowMethods.join(","));
   }
-  static async getContext(storage) {
-    if (_AsyncStorageSecurityContextHolder.hasSecurityContext(storage)) {
-      return _AsyncStorageSecurityContextHolder.getSecurityContext(storage);
-    }
+  if (preFlightRequest && allowHeaders !== void 0 && allowHeaders.length > 0) {
+    responseHeaders.set("Access-Control-Allow-Headers", allowHeaders.join(", "));
   }
-};
-
-// src/server/security/authentication-filter.ts
-async function authenticate(exchange, next, token, managerResolver, successHandler, storage) {
-  const authManager = await managerResolver(exchange);
-  const authentication = await authManager?.(token);
-  if (authentication === void 0) {
-    throw new Error("No authentication manager found for the exchange");
+  const exposeHeaders = config.exposeHeaders;
+  if (exposeHeaders && exposeHeaders.length > 0) {
+    responseHeaders.set("Access-Control-Expose-Headers", exposeHeaders.join(", "));
   }
-  try {
-    await onAuthenticationSuccess(authentication, { exchange, next }, successHandler, storage);
-  } catch (e) {
-    if (e instanceof AuthenticationError) {
-    }
-    throw e;
+  if (config.allowCredentials) {
+    responseHeaders.set("Access-Control-Allow-Credentials", "true");
   }
-}
-async function onAuthenticationSuccess(authentication, filterExchange, successHandler, storage) {
-  AsyncStorageSecurityContextHolder.withAuthentication(authentication)(storage);
-  await successHandler(filterExchange, authentication);
-}
-function authenticationFilter(opts) {
-  const auth = {
-    matcher: anyExchange,
-    successHandler: async ({ next }) => {
-      await next();
-    },
-    converter: httpBasicAuthenticationConverter({}),
-    failureHandler: serverAuthenticationEntryPointFailureHandler({ entryPoint: httpBasicEntryPoint({}) }),
-    ...opts
-  };
-  let managerResolver = auth.managerResolver;
-  if (managerResolver === void 0 && auth.manager !== void 0) {
-    const manager = auth.manager;
-    managerResolver = async (_exchange) => {
-      return manager;
-    };
+  if (config.allowPrivateNetwork && request.headers.one("access-control-request-private-network") === "true") {
+    responseHeaders.set("Access-Control-Allow-Private-Network", "true");
   }
-  if (managerResolver === void 0) {
-    throw new Error("Authentication filter requires a managerResolver or a manager");
+  if (preFlightRequest && config.maxAge !== void 0) {
+    responseHeaders.set("Access-Control-Max-Age", config.maxAge.toString());
   }
-  return async (exchange, next) => {
-    const matchResult = await auth.matcher(exchange);
-    const token = matchResult.match ? await auth.converter(exchange) : void 0;
-    if (token === void 0) {
-      await next();
-      return;
-    }
-    try {
-      await authenticate(exchange, next, token, managerResolver, auth.successHandler, auth.storage);
-    } catch (error) {
-      if (error instanceof AuthenticationError) {
-        await auth.failureHandler({ exchange, next }, error);
-        return;
-      }
-      throw error;
-    }
-  };
-}
-
-// src/server/security/oauth2/token-error.ts
-var BearerTokenErrorCodes = {
-  invalid_request: "invalid_request",
-  invalid_token: "invalid_token",
-  insufficient_scope: "insufficient_scope"
-};
-var DEFAULT_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";
-function invalidToken(message) {
-  return {
-    errorCode: BearerTokenErrorCodes.invalid_token,
-    httpStatus: 401,
-    description: message,
-    uri: DEFAULT_URI
-  };
-}
-function invalidRequest(message) {
-  return {
-    errorCode: BearerTokenErrorCodes.invalid_request,
-    httpStatus: 400,
-    description: message,
-    uri: DEFAULT_URI
-  };
+  return true;
 }
-
-// src/server/security/oauth2/token-converter.ts
-var ACCESS_TOKEN_PARAMETER_NAME = "access_token";
-var authorizationPattern = /^Bearer\s+(?<token>[a-zA-Z0-9-._~+/]+=*)$/i;
-var Oauth2AuthenticationError = class extends AuthenticationError {
-  error;
-  constructor(error, message, options) {
-    super(message ?? (typeof error === "string" ? void 0 : error.description), options);
-    this.error = typeof error === "string" ? { errorCode: error } : error;
-  }
-};
-var isBearerTokenAuthenticationToken = (authentication) => {
-  return authentication.type === "BearerToken";
-};
-var serverBearerTokenAuthenticationConverter = (opts) => {
-  return async (exchange) => {
-    const { request } = exchange;
-    return Promise.all([
-      resolveFromAuthorizationHeader(request.headers, opts?.headerName).then((token) => token !== void 0 ? [token] : void 0),
-      resolveFromQueryString(request, opts?.uriQueryParameter),
-      resolveFromBody(exchange, opts?.formEncodedBodyParameter)
-    ]).then((rs) => rs.filter((r) => r !== void 0).flat(1)).then(resolveToken).then((token) => {
-      if (token) return { authenticated: false, type: "BearerToken", token };
-    });
-  };
-};
-async function resolveToken(accessTokens) {
-  if (accessTokens.length === 0) {
-    return;
-  }
-  if (accessTokens.length > 1) {
-    const error = invalidRequest("Found multiple access tokens in the request");
-    throw new Oauth2AuthenticationError(error);
-  }
-  const accessToken = accessTokens[0];
-  if (!accessToken || accessToken.length === 0) {
-    const error = invalidRequest("The requested access token parameter is an empty string");
-    throw new Oauth2AuthenticationError(error);
+var ALL = "*";
+var DEFAULT_METHODS = ["GET", "HEAD"];
+function validateAllowCredentials(config) {
+  if (config.allowCredentials === true && config.allowOrigins === ALL) {
+    throw new Error(`when allowCredentials is true allowOrigins cannot be "*"`);
   }
-  return accessToken;
 }
-async function resolveFromAuthorizationHeader(headers2, headerName = "authorization") {
-  const authorization = headers2.one(headerName);
-  if (!authorization || !/bearer/i.test(authorization.substring(0))) {
-    return;
+function validateAllowPrivateNetwork(config) {
+  if (config.allowPrivateNetwork === true && config.allowOrigins === ALL) {
+    throw new Error(`when allowPrivateNetwork is true allowOrigins cannot be "*"`);
   }
-  const match = authorizationPattern.exec(authorization);
-  if (match === null) {
-    const error = invalidToken("Bearer token is malformed");
-    throw new Oauth2AuthenticationError(error);
+}
+function checkOrigin(config, origin) {
+  if (origin) {
+    const allowedOrigins = config.allowOrigins;
+    if (allowedOrigins) {
+      if (allowedOrigins === ALL) {
+        validateAllowCredentials(config);
+        validateAllowPrivateNetwork(config);
+        return ALL;
+      }
+      const originToCheck = trimTrailingSlash(origin.toLowerCase());
+      for (const allowedOrigin of allowedOrigins) {
+        if (allowedOrigin === ALL || IOGateway5.Filtering.valueMatches(allowedOrigin, originToCheck)) {
+          return origin;
+        }
+      }
+    }
   }
-  return match.groups?.token;
 }
-async function resolveTokens(parameters) {
-  const accessTokens = parameters.getAll(ACCESS_TOKEN_PARAMETER_NAME);
-  if (accessTokens.length === 0) {
-    return;
+function checkMethods(config, requestMethod) {
+  if (requestMethod) {
+    const allowedMethods = config.allowMethods ?? DEFAULT_METHODS;
+    if (allowedMethods === ALL) {
+      return [requestMethod];
+    }
+    if (IOGateway5.Filtering.valuesMatch(allowedMethods, requestMethod)) {
+      return allowedMethods;
+    }
   }
-  return accessTokens;
 }
-async function resolveFromQueryString(request, allow = false) {
-  if (!allow || request.method !== "GET") {
+function checkHeaders(config, requestHeaders) {
+  if (requestHeaders === void 0) {
     return;
   }
-  return resolveTokens(request.URL.searchParams);
-}
-async function resolveFromBody(exchange, allow = false) {
-  const { request } = exchange;
-  if (!allow || "application/x-www-form-urlencoded" !== request.headers.one("content-type") || request.method !== "POST") {
+  if (requestHeaders.length == 0) {
+    return [];
+  }
+  const allowedHeaders = config.allowHeaders;
+  if (allowedHeaders === void 0) {
     return;
   }
-  return resolveTokens(await exchange.request.formData);
-}
-var token_converter_default = serverBearerTokenAuthenticationConverter;
-
-// src/server/security/oauth2/token-entry-point.ts
-function computeWWWAuthenticate(parameters) {
-  let wwwAuthenticate = "Bearer";
-  if (parameters.size !== 0) {
-    wwwAuthenticate += " ";
-    let i = 0;
-    for (const [key, value] of parameters) {
-      wwwAuthenticate += `${key}="${value}"`;
-      if (i !== parameters.size - 1) {
-        wwwAuthenticate += ", ";
+  const allowAnyHeader = allowedHeaders === ALL || allowedHeaders.includes(ALL);
+  const result = [];
+  for (const requestHeader of requestHeaders) {
+    const value = requestHeader?.trim();
+    if (value) {
+      if (allowAnyHeader) {
+        result.push(value);
+      } else {
+        for (const allowedHeader of allowedHeaders) {
+          if (value.toLowerCase() === allowedHeader) {
+            result.push(value);
+            break;
+          }
+        }
       }
-      i++;
     }
   }
-  return wwwAuthenticate;
+  if (result.length > 0) {
+    return result;
+  }
 }
-var isBearerTokenError = (error) => {
-  return error.httpStatus !== void 0;
+function trimTrailingSlash(origin) {
+  return origin.endsWith("/") ? origin.slice(0, -1) : origin;
+}
+function getMethodToUse(request, isPreFlight) {
+  return isPreFlight ? request.headers.one("access-control-request-method") : request.method;
+}
+function getHeadersToUse(request, isPreFlight) {
+  const headers2 = request.headers;
+  return isPreFlight ? headers2.list("access-control-request-headers") : Array.from(headers2.keys());
+}
+var matchingCorsConfigSource = (opts) => {
+  return async (exchange) => {
+    for (const [matcher, config] of opts.mappings) {
+      if ((await matcher(exchange)).match) {
+        logger.debug(`resolved cors config on '${exchange.request.path}' using ${matcher}: ${JSON.stringify(config)}`);
+        return config;
+      }
+    }
+  };
 };
-function getStatus(authError) {
-  if (authError instanceof Oauth2AuthenticationError) {
-    const { error } = authError;
-    if (isBearerTokenError(error)) {
-      return error.httpStatus;
+
+// src/app/cors.ts
+function mockUpgradeExchange(path) {
+  const request = new MockHttpRequest(path, "GET");
+  request.headers.set("Upgrade", "websocket");
+  request.upgrade = true;
+  return new DefaultWebExchange(request, new MockHttpResponse());
+}
+async function createCorsConfigSource(context) {
+  const { sockets: routes, cors } = context;
+  const defaultCorsConfig = combineCorsConfig(PERMIT_DEFAULT_CONFIG, context.corsConfig);
+  const validatedConfigs = [];
+  for (const [path, route] of routes) {
+    let routeCorsConfig = defaultCorsConfig;
+    const upgradeExchange = mockUpgradeExchange(path);
+    for (const [matcher, config] of cors) {
+      if ((await matcher(upgradeExchange)).match) {
+        routeCorsConfig = combineCorsConfig(routeCorsConfig, config);
+      }
     }
+    routeCorsConfig = combineCorsConfig(routeCorsConfig, {
+      allowOrigins: route.originFilters?.allow,
+      allowMethods: ["GET", "CONNECT"],
+      allowHeaders: ["upgrade", "connection", "origin", "sec-websocket-key", "sec-websocket-version", "sec-websocket-protocol", "sec-websocket-extensions"],
+      exposeHeaders: ["sec-websocket-accept", "sec-websocket-protocol", "sec-websocket-extensions"],
+      allowCredentials: route.authorize?.access !== "permitted"
+    });
+    validatedConfigs.push([and([upgradeMatcher, pattern(path)]), validateCorsConfig(routeCorsConfig)]);
   }
-  return 401;
+  for (const [matcher, config] of cors) {
+    const routeCorsConfig = combineCorsConfig(defaultCorsConfig, config);
+    validatedConfigs.push([matcher, validateCorsConfig(routeCorsConfig)]);
+  }
+  validatedConfigs.push([pattern(/\/api\/.*/), validateCorsConfig(defaultCorsConfig)]);
+  return matchingCorsConfigSource({ mappings: validatedConfigs });
 }
-function createParameters(authError, realm) {
-  const parameters = /* @__PURE__ */ new Map();
-  if (realm) {
-    parameters.set("realm", realm);
+
+// src/server/security/types.ts
+function isAuthentication(principal) {
+  return principal !== void 0 && typeof principal["type"] === "string" && typeof principal["authenticated"] === "boolean";
+}
+var AuthenticationError = class extends Error {
+  _authentication;
+  get authentication() {
+    return this._authentication;
   }
-  if (authError instanceof Oauth2AuthenticationError) {
-    const { error } = authError;
-    parameters.set("error", error.errorCode);
-    if (error.description) {
-      parameters.set("error_description", error.description);
-    }
-    if (error.uri) {
-      parameters.set("error_uri", error.uri);
+  set authentication(value) {
+    if (value === void 0) {
+      throw new TypeError("Authentication cannot be undefined");
     }
-    if (isBearerTokenError(error) && error.scope) {
-      parameters.set("scope", error.scope);
+    this._authentication = value;
+  }
+};
+var InsufficientAuthenticationError = class extends AuthenticationError {
+};
+var BadCredentialsError = class extends AuthenticationError {
+};
+var AccessDeniedError = class extends Error {
+};
+var AuthorizationDecision = class {
+  constructor(granted) {
+    this.granted = granted;
+  }
+  granted;
+};
+var DefaultAuthorizationManager = class {
+  #check;
+  constructor(check) {
+    this.#check = check;
+  }
+  async verify(authentication, object) {
+    const decision = await this.#check(authentication, object);
+    if (!decision?.granted) {
+      throw new AccessDeniedError("Access denied");
     }
   }
-  return parameters;
-}
-var bearerTokenServerAuthenticationEntryPoint = (opts) => {
-  return async (exchange, error) => {
-    const status = getStatus(error);
-    const parameters = createParameters(error, opts?.realmName);
-    const wwwAuthenticate = computeWWWAuthenticate(parameters);
-    const { response } = exchange;
-    response.headers.set("WWW-Authenticate", wwwAuthenticate);
-    response.statusCode = status;
-    await response.end();
-  };
+  async authorize(authentication, object) {
+    return await this.#check(authentication, object);
+  }
+};
+var AuthenticationServiceError = class extends AuthenticationError {
 };
-var token_entry_point_default = bearerTokenServerAuthenticationEntryPoint;
 
-// src/server/security/oauth2/jwt-auth-manager.ts
-var jwtAuthConverter = (opts) => {
-  const principalClaimName = opts?.principalClaimName ?? "sub";
-  return (jwt) => {
-    const name = jwt.getClaimAsString(principalClaimName);
-    return { type: "JwtToken", authenticated: true, name };
+// src/server/security/http-headers.ts
+var staticServerHttpHeadersWriter = (headers2) => {
+  return async (exchange) => {
+    let containsNoHeaders = true;
+    const { response } = exchange;
+    for (const name of headers2.keys()) {
+      if (response.headers.has(name)) {
+        containsNoHeaders = false;
+      }
+    }
+    if (containsNoHeaders) {
+      for (const [name, value] of headers2) {
+        response.headers.set(name, value);
+      }
+    }
   };
 };
-var asyncJwtConverter = (converter) => {
-  return async (jwt) => {
-    return converter(jwt);
+var cacheControlServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("cache-control", "no-cache, no-store, max-age=0, must-revalidate").add("pragma", "no-cache").add("expires", "0")
+);
+var contentTypeServerHttpHeadersWriter = () => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("x-content-type-options", "nosniff")
+);
+var strictTransportSecurityServerHttpHeadersWriter = (maxAgeInSeconds, includeSubDomains, preload) => {
+  let headerValue = `max-age=${maxAgeInSeconds}`;
+  if (includeSubDomains) {
+    headerValue += " ; includeSubDomains";
+  }
+  if (preload) {
+    headerValue += " ; preload";
+  }
+  const delegate = staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("strict-transport-security", headerValue)
+  );
+  const isSecure = (exchange) => {
+    const protocol = exchange.request.URL.protocol;
+    return protocol === "https:";
+  };
+  return async (exchange) => {
+    if (isSecure(exchange)) {
+      await delegate(exchange);
+    }
   };
 };
-var JwtError = class extends Error {
-};
-var BadJwtError = class extends JwtError {
+var frameOptionsServerHttpHeadersWriter = (mode) => {
+  return staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("x-frame-options", mode)
+  );
 };
-function onError(error) {
-  if (error instanceof BadJwtError) {
-    return new Oauth2AuthenticationError(invalidToken(error.message), error.message, { cause: error });
-  }
-  throw new AuthenticationServiceError(error.message, { cause: error });
-}
-function jwtAuthManager(opts) {
-  const decoder = opts.decoder;
-  const authConverter = opts.authConverter ?? asyncJwtConverter(jwtAuthConverter({}));
-  return async (authentication) => {
-    if (isBearerTokenAuthenticationToken(authentication)) {
-      const token = authentication.token;
-      try {
-        const jwt = await decoder(token);
-        return await authConverter(jwt);
-      } catch (e) {
-        if (e instanceof JwtError) {
-          throw onError(e);
-        }
-        throw e;
-      }
+var xssProtectionServerHttpHeadersWriter = (headerValue) => staticServerHttpHeadersWriter(
+  new MapHttpHeaders().add("x-xss-protection", headerValue)
+);
+var permissionsPolicyServerHttpHeadersWriter = (policyDirectives) => {
+  const delegate = policyDirectives === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("permissions-policy", policyDirectives)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
     }
   };
-}
-
-// src/server/security/oauth2-resource-server.ts
-function resourceServer(opts) {
-  const entryPoint = opts.entryPoint ?? token_entry_point_default({});
-  const converter = opts?.converter ?? token_converter_default({});
-  const failureHandler = opts.failureHandler ?? serverAuthenticationEntryPointFailureHandler({ entryPoint });
-  if (opts.managerResolver !== void 0) {
-    return authenticationFilter({
-      storage: opts.storage,
-      converter,
-      failureHandler,
-      managerResolver: opts.managerResolver
-    });
-  }
-  if (opts.jwt !== void 0) {
-    const manager = opts.jwt.manager ?? jwtAuthManager(opts.jwt);
-    return authenticationFilter({
-      storage: opts.storage,
-      converter,
-      failureHandler,
-      managerResolver: async (_exchange) => {
-        return manager;
-      }
-    });
-  }
-  throw new Error("Invalid resource server configuration: either managerResolver or jwt must be provided");
-}
-
-// src/server/security/http-status-entry-point.ts
-var httpStatusEntryPoint = (opts) => {
-  return async (exchange, _error) => {
-    const response = exchange.response;
-    response.statusCode = opts.httpStatus.code;
-    response.statusMessage = opts.httpStatus.message;
+};
+var contentSecurityPolicyServerHttpHeadersWriter = (policyDirectives, reportOnly) => {
+  const headerName = reportOnly ? "content-security-policy-report-only" : "content-security-policy";
+  const delegate = policyDirectives === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add(headerName, policyDirectives)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
+    }
   };
 };
-
-// src/server/security/delegating-entry-point.ts
-var logger6 = getLogger("auth.entry-point");
-var delegatingEntryPoint = (opts) => {
-  const defaultEntryPoint = opts.defaultEntryPoint ?? (async ({ response }, _error) => {
-    response.statusCode = 401;
-    await response.end();
-  });
-  return async (exchange, error) => {
-    for (const [matcher, entryPoint] of opts.entryPoints) {
-      if (logger6.enabledFor("debug")) {
-        logger6.debug(`trying to match using: ${matcher}`);
-      }
-      const match = await matcher(exchange);
-      if (match.match) {
-        if (logger6.enabledFor("debug")) {
-          logger6.debug(`match found. using default entry point ${entryPoint}`);
-        }
-        return entryPoint(exchange, error);
-      }
+var refererPolicyServerHttpHeadersWriter = (policy = "no-referrer") => {
+  return staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("referer-policy", policy)
+  );
+};
+var crossOriginOpenerPolicyServerHttpHeadersWriter = (policy) => {
+  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("cross-origin-opener-policy", policy)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
     }
-    if (logger6.enabledFor("debug")) {
-      logger6.debug(`no match found. using default entry point ${defaultEntryPoint}`);
+  };
+};
+var crossOriginEmbedderPolicyServerHttpHeadersWriter = (policy) => {
+  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("cross-origin-embedder-policy", policy)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
     }
-    return defaultEntryPoint(exchange, error);
   };
 };
-
-// src/server/security/delegating-success-handler.ts
-var delegatingSuccessHandler = (handlers) => {
-  return async ({ exchange, next }, authentication) => {
-    for (const handler of handlers) {
-      await handler({ exchange, next }, authentication);
+var crossOriginResourcePolicyServerHttpHeadersWriter = (policy) => {
+  const delegate = policy === void 0 ? void 0 : staticServerHttpHeadersWriter(
+    new MapHttpHeaders().add("cross-origin-resource-policy", policy)
+  );
+  return async (exchange) => {
+    if (delegate !== void 0) {
+      await delegate(exchange);
     }
   };
 };
-
-// src/server/security/http-basic.ts
-function httpBasic(opts) {
-  const xhrMatcher = async (exchange) => {
-    const headers2 = exchange.request.headers;
-    const h = headers2.list("X-Requested-With");
-    if (h.includes("XMLHttpRequest")) {
-      return { match: true };
+var compositeServerHttpHeadersWriter = (...writers) => {
+  return async (exchange) => {
+    for (const writer of writers) {
+      await writer(exchange);
     }
-    return { match: false };
   };
-  const defaultEntryPoint = delegatingEntryPoint({
-    entryPoints: [[xhrMatcher, httpStatusEntryPoint({ httpStatus: { code: 401 } })]],
-    defaultEntryPoint: httpBasicEntryPoint({})
-  });
-  const entryPoint = opts.entryPoint ?? defaultEntryPoint;
-  const manager = opts.manager;
-  const restMatcher = mediaType({
-    mediaTypes: [
-      "application/atom+xml",
-      "application/x-www-form-urlencoded",
-      "application/json",
-      "application/octet-stream",
-      "application/xml",
-      "multipart/form-data",
-      "text/xml"
-    ],
-    ignoredMediaTypes: ["*/*"]
-  });
-  const notHtmlMatcher = not(mediaType({ mediaTypes: ["text/html"] }));
-  const restNoHtmlMatcher = and([notHtmlMatcher, restMatcher]);
-  const preferredMatcher = or([xhrMatcher, restNoHtmlMatcher]);
-  opts.defaultEntryPoints.push([preferredMatcher, entryPoint]);
-  const failureHandler = opts.failureHandler ?? serverAuthenticationEntryPointFailureHandler({ entryPoint });
-  const successHandler = delegatingSuccessHandler(opts.successHandlers ?? opts.defaultSuccessHandlers);
-  const converter = httpBasicAuthenticationConverter({});
-  return authenticationFilter({
-    storage: opts.storage,
-    manager,
-    failureHandler,
-    successHandler,
-    converter
-  });
-}
-
-// src/server/security/config.ts
-import { jwtVerifier, JwtVerifyError } from "@interopio/gateway/jose/jwt";
-
-// src/server/security/error-filter.ts
-async function commenceAuthentication(exchange, authentication, entryPoint) {
-  const cause = new InsufficientAuthenticationError(`Full authentication is required to access this resource.`);
-  const e = new AuthenticationError("Access Denied", { cause });
-  if (authentication) {
-    e.authentication = authentication;
+};
+function headers(opts) {
+  const writers = [];
+  if (!opts?.cache?.disabled) {
+    writers.push(cacheControlServerHttpHeadersWriter());
   }
-  await entryPoint(exchange, e);
-}
-function httpStatusAccessDeniedHandler(status, message) {
-  return async (exchange, _error) => {
-    exchange.response.statusCode = status;
-    exchange.response.statusMessage = message;
-    exchange.response.headers.set("Content-Type", "text/plain");
-    const bytes = Buffer.from("Access Denied", "utf-8");
-    exchange.response.headers.set("Content-Length", bytes.length);
-    await exchange.response.end(bytes);
-  };
-}
-var errorFilter = (opts) => {
-  const accessDeniedHandler = httpStatusAccessDeniedHandler(403, "Forbidden");
-  const authenticationEntryPoint = opts.authenticationEntryPoint ?? httpBasicEntryPoint();
+  if (!opts?.contentType?.disabled) {
+    writers.push(contentTypeServerHttpHeadersWriter());
+  }
+  if (!opts?.hsts?.disabled) {
+    writers.push(strictTransportSecurityServerHttpHeadersWriter(opts?.hsts?.maxAge ?? 365 * 24 * 60 * 60, opts?.hsts?.includeSubDomains ?? true, opts?.hsts?.preload ?? false));
+  }
+  if (!opts?.frameOptions?.disabled) {
+    writers.push(frameOptionsServerHttpHeadersWriter(opts?.frameOptions?.mode ?? "DENY"));
+  }
+  if (!opts?.xss?.disabled) {
+    writers.push(xssProtectionServerHttpHeadersWriter(opts?.xss?.headerValue ?? "0"));
+  }
+  if (!opts?.permissionsPolicy?.disabled) {
+    writers.push(permissionsPolicyServerHttpHeadersWriter(opts?.permissionsPolicy?.policyDirectives));
+  }
+  if (!opts?.contentSecurityPolicy?.disabled) {
+    writers.push(contentSecurityPolicyServerHttpHeadersWriter(opts?.contentSecurityPolicy?.policyDirectives ?? "default-src 'self'", opts?.contentSecurityPolicy?.reportOnly));
+  }
+  if (!opts?.refererPolicy?.disabled) {
+    writers.push(refererPolicyServerHttpHeadersWriter(opts?.refererPolicy?.policy ?? "no-referrer"));
+  }
+  if (!opts?.crossOriginOpenerPolicy?.disabled) {
+    writers.push(crossOriginOpenerPolicyServerHttpHeadersWriter(opts?.crossOriginOpenerPolicy?.policy));
+  }
+  if (!opts?.crossOriginEmbedderPolicy?.disabled) {
+    writers.push(crossOriginEmbedderPolicyServerHttpHeadersWriter(opts?.crossOriginEmbedderPolicy?.policy));
+  }
+  if (!opts?.crossOriginResourcePolicy?.disabled) {
+    writers.push(crossOriginResourcePolicyServerHttpHeadersWriter(opts?.crossOriginResourcePolicy?.policy));
+  }
+  if (opts?.writers) {
+    writers.push(...opts.writers);
+  }
+  const writer = compositeServerHttpHeadersWriter(...writers);
   return async (exchange, next) => {
-    try {
-      await next();
-    } catch (error) {
-      if (error instanceof AccessDeniedError) {
-        const principal = await exchange.principal;
-        if (principal === void 0) {
-          await commenceAuthentication(exchange, void 0, authenticationEntryPoint);
-        } else {
-          if (!principal.authenticated) {
-            return accessDeniedHandler(exchange, error);
-          }
-          await commenceAuthentication(exchange, principal, authenticationEntryPoint);
-        }
-      }
+    await writer(exchange);
+    await next();
+  };
+}
+
+// src/server/security/entry-point-failure-handler.ts
+var serverAuthenticationEntryPointFailureHandler = (opts) => {
+  const entryPoint = opts.entryPoint;
+  const rethrowAuthenticationServiceError = opts?.rethrowAuthenticationServiceError ?? true;
+  return async ({ exchange }, error) => {
+    if (!rethrowAuthenticationServiceError) {
+      return entryPoint(exchange, error);
+    }
+    if (!(error instanceof AuthenticationServiceError)) {
+      return entryPoint(exchange, error);
     }
+    throw error;
   };
 };
 
-// src/server/security/authorization-filter.ts
-var logger7 = getLogger("security.auth");
-function authorizationFilter(opts) {
-  const { manager, storage } = opts;
-  return async (exchange, next) => {
-    const promise = AsyncStorageSecurityContextHolder.getContext(storage).then((c) => c?.authentication);
-    try {
-      await manager.verify(promise, exchange);
-      if (logger7.enabledFor("debug")) {
-        logger7.debug("authorization successful");
-      }
-    } catch (error) {
-      if (error instanceof AccessDeniedError) {
-        if (logger7.enabledFor("debug")) {
-          logger7.debug(`authorization failed: ${error.message}`);
-        }
-      }
-      throw error;
-    }
-    await next();
+// src/server/security/http-basic-entry-point.ts
+var DEFAULT_REALM = "Realm";
+var createHeaderValue = (realm) => {
+  return `Basic realm="${realm}"`;
+};
+var httpBasicEntryPoint = (opts) => {
+  const headerValue = createHeaderValue(opts?.realm ?? DEFAULT_REALM);
+  return async (exchange, _error) => {
+    const { response } = exchange;
+    response.statusCode = 401;
+    response.headers.set("WWW-Authenticate", headerValue);
   };
-}
+};
 
-// src/server/security/delegating-authorization-manager.ts
-var logger8 = getLogger("auth");
-function delegatingAuthorizationManager(opts) {
-  const check = async (authentication, exchange) => {
-    let decision;
-    for (const [matcher, manager] of opts.mappings) {
-      if ((await matcher(exchange))?.match) {
-        logger8.debug(`checking authorization on '${exchange.path}' using [${matcher}, ${manager}]`);
-        const checkResult = await manager.authorize(authentication, { exchange });
-        if (checkResult !== void 0) {
-          decision = checkResult;
-          break;
-        }
-      }
+// src/server/security/http-basic-converter.ts
+var BASIC = "Basic ";
+var httpBasicAuthenticationConverter = (opts) => {
+  return async (exchange) => {
+    const { request } = exchange;
+    const authorization = request.headers.one("authorization");
+    if (!authorization || !/basic/i.test(authorization.substring(0))) {
+      return;
     }
-    decision ??= new AuthorizationDecision(false);
-    return decision;
+    const credentials = authorization.length <= BASIC.length ? "" : authorization.substring(BASIC.length);
+    const decoded = Buffer.from(credentials, "base64").toString(opts?.credentialsEncoding ?? "utf-8");
+    const parts = decoded.split(":", 2);
+    if (parts.length !== 2) {
+      return void 0;
+    }
+    return { type: "UsernamePassword", authenticated: false, principal: parts[0], credentials: parts[1] };
   };
-  return new DefaultAuthorizationManager(check);
-}
+};
 
-// src/server/cors.ts
-import { IOGateway as IOGateway6 } from "@interopio/gateway";
-function isSameOrigin(request) {
-  const origin = request.headers.one("origin");
-  if (origin === void 0) {
-    return true;
+// src/server/security/security-context.ts
+import { AsyncLocalStorage } from "node:async_hooks";
+var AsyncStorageSecurityContextHolder = class _AsyncStorageSecurityContextHolder {
+  static hasSecurityContext(storage) {
+    return storage.getStore()?.securityContext !== void 0;
   }
-  const url = request.URL;
-  const actualProtocol = url.protocol;
-  const actualHost = url.host;
-  const originUrl = URL.parse(origin);
-  const originHost = originUrl?.host;
-  const originProtocol = originUrl?.protocol;
-  return actualProtocol === originProtocol && actualHost === originHost;
-}
-function isCorsRequest(request) {
-  return request.headers.has("origin") && !isSameOrigin(request);
-}
-function isPreFlightRequest(request) {
-  return request.method === "OPTIONS" && request.headers.has("origin") && request.headers.has("access-control-request-method");
-}
-var VARY_HEADERS = ["Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"];
-var processRequest = (exchange, config) => {
-  const { request, response } = exchange;
-  const responseHeaders = response.headers;
-  if (!responseHeaders.has("Vary")) {
-    responseHeaders.set("Vary", VARY_HEADERS.join(", "));
-  } else {
-    const varyHeaders = responseHeaders.list("Vary");
-    for (const header of VARY_HEADERS) {
-      if (!varyHeaders.find((h) => h === header)) {
-        varyHeaders.push(header);
-      }
-    }
-    responseHeaders.set("Vary", varyHeaders.join(", "));
+  static async getSecurityContext(storage) {
+    return await storage.getStore()?.securityContext;
   }
-  try {
-    if (!isCorsRequest(request)) {
-      return true;
-    }
-  } catch (e) {
-    if (logger9.enabledFor("debug")) {
-      logger9.debug(`reject: origin is malformed`);
-    }
-    rejectRequest(response);
-    return false;
+  static clearSecurityContext(storage) {
+    delete storage.getStore()?.securityContext;
   }
-  if (responseHeaders.has("access-control-allow-origin")) {
-    logger9.trace(`skip: already contains "Access-Control-Allow-Origin"`);
-    return true;
+  static withSecurityContext(securityContext) {
+    return (storage = new AsyncLocalStorage()) => {
+      storage.getStore().securityContext = securityContext;
+      return storage;
+    };
   }
-  const preFlightRequest = isPreFlightRequest(request);
-  if (config) {
-    return handleInternal(exchange, config, preFlightRequest);
+  static withAuthentication(authentication) {
+    return _AsyncStorageSecurityContextHolder.withSecurityContext(Promise.resolve({ authentication }));
   }
-  if (preFlightRequest) {
-    rejectRequest(response);
-    return false;
+  static async getContext(storage) {
+    if (_AsyncStorageSecurityContextHolder.hasSecurityContext(storage)) {
+      return _AsyncStorageSecurityContextHolder.getSecurityContext(storage);
+    }
   }
-  return true;
-};
-var DEFAULT_PERMIT_ALL = ["*"];
-var DEFAULT_PERMIT_METHODS = ["GET", "HEAD", "POST"];
-var PERMIT_DEFAULT_CONFIG = {
-  allowOrigins: DEFAULT_PERMIT_ALL,
-  allowMethods: DEFAULT_PERMIT_METHODS,
-  allowHeaders: DEFAULT_PERMIT_ALL,
-  maxAge: 1800
-  // 30 minutes
 };
-function validateCorsConfig(config) {
-  if (config) {
-    const allowHeaders = config.allowHeaders;
-    if (allowHeaders && allowHeaders !== ALL) {
-      config = {
-        ...config,
-        allowHeaders: allowHeaders.map((header) => header.toLowerCase())
-      };
-    }
-    const allowOrigins = config.allowOrigins;
-    if (allowOrigins) {
-      if (allowOrigins === "*") {
-        validateAllowCredentials(config);
-        validateAllowPrivateNetwork(config);
-      } else {
-        config = {
-          ...config,
-          allowOrigins: allowOrigins.map((origin) => {
-            if (typeof origin === "string" && origin !== ALL) {
-              origin = IOGateway6.Filtering.regexify(origin);
-              if (typeof origin === "string") {
-                return trimTrailingSlash(origin).toLowerCase();
-              }
-            }
-            return origin;
-          })
-        };
-      }
+
+// src/server/security/authentication-filter.ts
+async function authenticate(exchange, next, token, managerResolver, successHandler, storage) {
+  const authManager = await managerResolver(exchange);
+  const authentication = await authManager?.(token);
+  if (authentication === void 0) {
+    throw new Error("No authentication manager found for the exchange");
+  }
+  try {
+    await onAuthenticationSuccess(authentication, { exchange, next }, successHandler, storage);
+  } catch (e) {
+    if (e instanceof AuthenticationError) {
     }
-    return config;
+    throw e;
   }
 }
-function combine(source, other) {
-  if (other === void 0) {
-    return source !== void 0 ? source === ALL ? [ALL] : source : [];
-  }
-  if (source === void 0) {
-    return other === ALL ? [ALL] : other;
-  }
-  if (source == DEFAULT_PERMIT_ALL || source === DEFAULT_PERMIT_METHODS) {
-    return other === ALL ? [ALL] : other;
-  }
-  if (other == DEFAULT_PERMIT_ALL || other === DEFAULT_PERMIT_METHODS) {
-    return source === ALL ? [ALL] : source;
-  }
-  if (source === ALL || source.includes(ALL) || other === ALL || other.includes(ALL)) {
-    return [ALL];
-  }
-  const combined = /* @__PURE__ */ new Set();
-  source.forEach((v) => combined.add(v));
-  other.forEach((v) => combined.add(v));
-  return Array.from(combined);
+async function onAuthenticationSuccess(authentication, filterExchange, successHandler, storage) {
+  AsyncStorageSecurityContextHolder.withAuthentication(authentication)(storage);
+  await successHandler(filterExchange, authentication);
 }
-var combineCorsConfig = (source, other) => {
-  if (other === void 0) {
-    return source;
-  }
-  const config = {
-    allowOrigins: combine(source.allowOrigins, other?.allowOrigins),
-    allowMethods: combine(source.allowMethods, other?.allowMethods),
-    allowHeaders: combine(source.allowHeaders, other?.allowHeaders),
-    exposeHeaders: combine(source.exposeHeaders, other?.exposeHeaders),
-    allowCredentials: other?.allowCredentials ?? source.allowCredentials,
-    allowPrivateNetwork: other?.allowPrivateNetwork ?? source.allowPrivateNetwork,
-    maxAge: other?.maxAge ?? source.maxAge
+function authenticationFilter(opts) {
+  const auth = {
+    matcher: anyExchange,
+    successHandler: async ({ next }) => {
+      await next();
+    },
+    converter: httpBasicAuthenticationConverter({}),
+    failureHandler: serverAuthenticationEntryPointFailureHandler({ entryPoint: httpBasicEntryPoint({}) }),
+    ...opts
   };
-  return config;
-};
-var corsFilter = (opts) => {
-  const source = opts.corsConfigSource;
-  const processor = opts.corsProcessor ?? processRequest;
-  return async (ctx, next) => {
-    const config = await source(ctx);
-    const isValid = processor(ctx, config);
-    if (!isValid || isPreFlightRequest(ctx.request)) {
-      return;
-    } else {
+  let managerResolver = auth.managerResolver;
+  if (managerResolver === void 0 && auth.manager !== void 0) {
+    const manager = auth.manager;
+    managerResolver = async (_exchange) => {
+      return manager;
+    };
+  }
+  if (managerResolver === void 0) {
+    throw new Error("Authentication filter requires a managerResolver or a manager");
+  }
+  return async (exchange, next) => {
+    const matchResult = await auth.matcher(exchange);
+    const token = matchResult.match ? await auth.converter(exchange) : void 0;
+    if (token === void 0) {
       await next();
+      return;
+    }
+    try {
+      await authenticate(exchange, next, token, managerResolver, auth.successHandler, auth.storage);
+    } catch (error) {
+      if (error instanceof AuthenticationError) {
+        await auth.failureHandler({ exchange, next }, error);
+        return;
+      }
+      throw error;
     }
   };
-};
-var cors_default = corsFilter;
-var logger9 = getLogger("cors");
-function rejectRequest(response) {
-  response.statusCode = 403;
 }
-function handleInternal(exchange, config, preFlightRequest) {
-  const { request, response } = exchange;
-  const responseHeaders = response.headers;
-  const requestOrigin = request.headers.one("origin");
-  const allowOrigin = checkOrigin(config, requestOrigin);
-  if (allowOrigin === void 0) {
-    if (logger9.enabledFor("debug")) {
-      logger9.debug(`reject: '${requestOrigin}' origin is not allowed`);
+
+// src/server/security/http-status-entry-point.ts
+var httpStatusEntryPoint = (opts) => {
+  return async (exchange, _error) => {
+    const response = exchange.response;
+    response.statusCode = opts.httpStatus.code;
+    response.statusMessage = opts.httpStatus.message;
+  };
+};
+
+// src/server/security/delegating-entry-point.ts
+var logger2 = getLogger("auth.entry-point");
+var delegatingEntryPoint = (opts) => {
+  const defaultEntryPoint = opts.defaultEntryPoint ?? (async ({ response }, _error) => {
+    response.statusCode = 401;
+    await response.end();
+  });
+  return async (exchange, error) => {
+    for (const [matcher, entryPoint] of opts.entryPoints) {
+      if (logger2.enabledFor("debug")) {
+        logger2.debug(`trying to match using: ${matcher}`);
+      }
+      const match2 = await matcher(exchange);
+      if (match2.match) {
+        if (logger2.enabledFor("debug")) {
+          logger2.debug(`match found. using default entry point ${entryPoint}`);
+        }
+        return entryPoint(exchange, error);
+      }
     }
-    rejectRequest(response);
-    return false;
-  }
-  const requestMethod = getMethodToUse(request, preFlightRequest);
-  const allowMethods = checkMethods(config, requestMethod);
-  if (allowMethods === void 0) {
-    if (logger9.enabledFor("debug")) {
-      logger9.debug(`reject: HTTP '${requestMethod}' is not allowed`);
+    if (logger2.enabledFor("debug")) {
+      logger2.debug(`no match found. using default entry point ${defaultEntryPoint}`);
     }
-    rejectRequest(response);
-    return false;
-  }
-  const requestHeaders = getHeadersToUse(request, preFlightRequest);
-  const allowHeaders = checkHeaders(config, requestHeaders);
-  if (preFlightRequest && allowHeaders === void 0) {
-    if (logger9.enabledFor("debug")) {
-      logger9.debug(`reject: headers '${requestHeaders}' are not allowed`);
+    return defaultEntryPoint(exchange, error);
+  };
+};
+
+// src/server/security/delegating-success-handler.ts
+var delegatingSuccessHandler = (handlers) => {
+  return async ({ exchange, next }, authentication) => {
+    for (const handler of handlers) {
+      await handler({ exchange, next }, authentication);
     }
-    rejectRequest(response);
-    return false;
+  };
+};
+
+// src/server/security/http-basic.ts
+function httpBasic(opts) {
+  const xhrMatcher = async (exchange) => {
+    const headers2 = exchange.request.headers;
+    const h = headers2.list("X-Requested-With");
+    if (h.includes("XMLHttpRequest")) {
+      return { match: true };
+    }
+    return { match: false };
+  };
+  const defaultEntryPoint = delegatingEntryPoint({
+    entryPoints: [[xhrMatcher, httpStatusEntryPoint({ httpStatus: { code: 401 } })]],
+    defaultEntryPoint: httpBasicEntryPoint({})
+  });
+  const entryPoint = opts.entryPoint ?? defaultEntryPoint;
+  const manager = opts.manager;
+  const restMatcher = mediaType({
+    mediaTypes: [
+      "application/atom+xml",
+      "application/x-www-form-urlencoded",
+      "application/json",
+      "application/octet-stream",
+      "application/xml",
+      "multipart/form-data",
+      "text/xml"
+    ],
+    ignoredMediaTypes: ["*/*"]
+  });
+  const notHtmlMatcher = not(mediaType({ mediaTypes: ["text/html"] }));
+  const restNoHtmlMatcher = and([notHtmlMatcher, restMatcher]);
+  const preferredMatcher = or([xhrMatcher, restNoHtmlMatcher]);
+  opts.defaultEntryPoints.push([preferredMatcher, entryPoint]);
+  const failureHandler = opts.failureHandler ?? serverAuthenticationEntryPointFailureHandler({ entryPoint });
+  const successHandler = delegatingSuccessHandler(opts.successHandlers ?? opts.defaultSuccessHandlers);
+  const converter = httpBasicAuthenticationConverter({});
+  return authenticationFilter({
+    storage: opts.storage,
+    manager,
+    failureHandler,
+    successHandler,
+    converter
+  });
+}
+
+// src/server/security/oauth2/token-error.ts
+var BearerTokenErrorCodes = {
+  invalid_request: "invalid_request",
+  invalid_token: "invalid_token",
+  insufficient_scope: "insufficient_scope"
+};
+var DEFAULT_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";
+function invalidToken(message) {
+  return {
+    errorCode: BearerTokenErrorCodes.invalid_token,
+    httpStatus: 401,
+    description: message,
+    uri: DEFAULT_URI
+  };
+}
+function invalidRequest(message) {
+  return {
+    errorCode: BearerTokenErrorCodes.invalid_request,
+    httpStatus: 400,
+    description: message,
+    uri: DEFAULT_URI
+  };
+}
+
+// src/server/security/oauth2/token-converter.ts
+var ACCESS_TOKEN_PARAMETER_NAME = "access_token";
+var authorizationPattern = /^Bearer\s+(?<token>[a-zA-Z0-9-._~+/]+=*)$/i;
+var Oauth2AuthenticationError = class extends AuthenticationError {
+  error;
+  constructor(error, message, options) {
+    super(message ?? (typeof error === "string" ? void 0 : error.description), options);
+    this.error = typeof error === "string" ? { errorCode: error } : error;
   }
-  responseHeaders.set("Access-Control-Allow-Origin", allowOrigin);
-  if (preFlightRequest) {
-    responseHeaders.set("Access-Control-Allow-Methods", allowMethods.join(","));
+};
+var isBearerTokenAuthenticationToken = (authentication) => {
+  return authentication.type === "BearerToken";
+};
+var serverBearerTokenAuthenticationConverter = (opts) => {
+  return async (exchange) => {
+    const { request } = exchange;
+    return Promise.all([
+      resolveFromAuthorizationHeader(request.headers, opts?.headerName).then((token) => token !== void 0 ? [token] : void 0),
+      resolveFromQueryString(request, opts?.uriQueryParameter),
+      resolveFromBody(exchange, opts?.formEncodedBodyParameter)
+    ]).then((rs) => rs.filter((r) => r !== void 0).flat(1)).then(resolveToken).then((token) => {
+      if (token) return { authenticated: false, type: "BearerToken", token };
+    });
+  };
+};
+async function resolveToken(accessTokens) {
+  if (accessTokens.length === 0) {
+    return;
   }
-  if (preFlightRequest && allowHeaders !== void 0 && allowHeaders.length > 0) {
-    responseHeaders.set("Access-Control-Allow-Headers", allowHeaders.join(", "));
+  if (accessTokens.length > 1) {
+    const error = invalidRequest("Found multiple access tokens in the request");
+    throw new Oauth2AuthenticationError(error);
   }
-  const exposeHeaders = config.exposeHeaders;
-  if (exposeHeaders && exposeHeaders.length > 0) {
-    responseHeaders.set("Access-Control-Expose-Headers", exposeHeaders.join(", "));
+  const accessToken = accessTokens[0];
+  if (!accessToken || accessToken.length === 0) {
+    const error = invalidRequest("The requested access token parameter is an empty string");
+    throw new Oauth2AuthenticationError(error);
   }
-  if (config.allowCredentials) {
-    responseHeaders.set("Access-Control-Allow-Credentials", "true");
+  return accessToken;
+}
+async function resolveFromAuthorizationHeader(headers2, headerName = "authorization") {
+  const authorization = headers2.one(headerName);
+  if (!authorization || !/bearer/i.test(authorization.substring(0))) {
+    return;
   }
-  if (config.allowPrivateNetwork && request.headers.one("access-control-request-private-network") === "true") {
-    responseHeaders.set("Access-Control-Allow-Private-Network", "true");
+  const match2 = authorizationPattern.exec(authorization);
+  if (match2 === null) {
+    const error = invalidToken("Bearer token is malformed");
+    throw new Oauth2AuthenticationError(error);
   }
-  if (preFlightRequest && config.maxAge !== void 0) {
-    responseHeaders.set("Access-Control-Max-Age", config.maxAge.toString());
+  return match2.groups?.token;
+}
+async function resolveTokens(parameters) {
+  const accessTokens = parameters.getAll(ACCESS_TOKEN_PARAMETER_NAME);
+  if (accessTokens.length === 0) {
+    return;
   }
-  return true;
+  return accessTokens;
 }
-var ALL = "*";
-var DEFAULT_METHODS = ["GET", "HEAD"];
-function validateAllowCredentials(config) {
-  if (config.allowCredentials === true && config.allowOrigins === ALL) {
-    throw new Error(`when allowCredentials is true allowOrigins cannot be "*"`);
+async function resolveFromQueryString(request, allow = false) {
+  if (!allow || request.method !== "GET") {
+    return;
   }
+  return resolveTokens(request.URL.searchParams);
 }
-function validateAllowPrivateNetwork(config) {
-  if (config.allowPrivateNetwork === true && config.allowOrigins === ALL) {
-    throw new Error(`when allowPrivateNetwork is true allowOrigins cannot be "*"`);
+async function resolveFromBody(exchange, allow = false) {
+  const { request } = exchange;
+  if (!allow || "application/x-www-form-urlencoded" !== request.headers.one("content-type") || request.method !== "POST") {
+    return;
   }
+  return resolveTokens(await exchange.request.formData);
 }
-function checkOrigin(config, origin) {
-  if (origin) {
-    const allowedOrigins = config.allowOrigins;
-    if (allowedOrigins) {
-      if (allowedOrigins === ALL) {
-        validateAllowCredentials(config);
-        validateAllowPrivateNetwork(config);
-        return ALL;
-      }
-      const originToCheck = trimTrailingSlash(origin.toLowerCase());
-      for (const allowedOrigin of allowedOrigins) {
-        if (allowedOrigin === ALL || IOGateway6.Filtering.valueMatches(allowedOrigin, originToCheck)) {
-          return origin;
-        }
+var token_converter_default = serverBearerTokenAuthenticationConverter;
+
+// src/server/security/oauth2/token-entry-point.ts
+function computeWWWAuthenticate(parameters) {
+  let wwwAuthenticate = "Bearer";
+  if (parameters.size !== 0) {
+    wwwAuthenticate += " ";
+    let i = 0;
+    for (const [key, value] of parameters) {
+      wwwAuthenticate += `${key}="${value}"`;
+      if (i !== parameters.size - 1) {
+        wwwAuthenticate += ", ";
       }
+      i++;
+    }
+  }
+  return wwwAuthenticate;
+}
+var isBearerTokenError = (error) => {
+  return error.httpStatus !== void 0;
+};
+function getStatus(authError) {
+  if (authError instanceof Oauth2AuthenticationError) {
+    const { error } = authError;
+    if (isBearerTokenError(error)) {
+      return error.httpStatus;
     }
   }
+  return 401;
 }
-function checkMethods(config, requestMethod) {
-  if (requestMethod) {
-    const allowedMethods = config.allowMethods ?? DEFAULT_METHODS;
-    if (allowedMethods === ALL) {
-      return [requestMethod];
+function createParameters(authError, realm) {
+  const parameters = /* @__PURE__ */ new Map();
+  if (realm) {
+    parameters.set("realm", realm);
+  }
+  if (authError instanceof Oauth2AuthenticationError) {
+    const { error } = authError;
+    parameters.set("error", error.errorCode);
+    if (error.description) {
+      parameters.set("error_description", error.description);
     }
-    if (IOGateway6.Filtering.valuesMatch(allowedMethods, requestMethod)) {
-      return allowedMethods;
+    if (error.uri) {
+      parameters.set("error_uri", error.uri);
+    }
+    if (isBearerTokenError(error) && error.scope) {
+      parameters.set("scope", error.scope);
     }
   }
+  return parameters;
 }
-function checkHeaders(config, requestHeaders) {
-  if (requestHeaders === void 0) {
-    return;
-  }
-  if (requestHeaders.length == 0) {
-    return [];
-  }
-  const allowedHeaders = config.allowHeaders;
-  if (allowedHeaders === void 0) {
-    return;
+var bearerTokenServerAuthenticationEntryPoint = (opts) => {
+  return async (exchange, error) => {
+    const status = getStatus(error);
+    const parameters = createParameters(error, opts?.realmName);
+    const wwwAuthenticate = computeWWWAuthenticate(parameters);
+    const { response } = exchange;
+    response.headers.set("WWW-Authenticate", wwwAuthenticate);
+    response.statusCode = status;
+    await response.end();
+  };
+};
+var token_entry_point_default = bearerTokenServerAuthenticationEntryPoint;
+
+// src/server/security/oauth2/jwt-auth-manager.ts
+var jwtAuthConverter = (opts) => {
+  const principalClaimName = opts?.principalClaimName ?? "sub";
+  return (jwt) => {
+    const name = jwt.getClaimAsString(principalClaimName);
+    return { type: "JwtToken", authenticated: true, name };
+  };
+};
+var asyncJwtConverter = (converter) => {
+  return async (jwt) => {
+    return converter(jwt);
+  };
+};
+var JwtError = class extends Error {
+};
+var BadJwtError = class extends JwtError {
+};
+function onError(error) {
+  if (error instanceof BadJwtError) {
+    return new Oauth2AuthenticationError(invalidToken(error.message), error.message, { cause: error });
   }
-  const allowAnyHeader = allowedHeaders === ALL || allowedHeaders.includes(ALL);
-  const result = [];
-  for (const requestHeader of requestHeaders) {
-    const value = requestHeader?.trim();
-    if (value) {
-      if (allowAnyHeader) {
-        result.push(value);
-      } else {
-        for (const allowedHeader of allowedHeaders) {
-          if (value.toLowerCase() === allowedHeader) {
-            result.push(value);
-            break;
-          }
+  throw new AuthenticationServiceError(error.message, { cause: error });
+}
+function jwtAuthManager(opts) {
+  const decoder = opts.decoder;
+  const authConverter = opts.authConverter ?? asyncJwtConverter(jwtAuthConverter({}));
+  return async (authentication) => {
+    if (isBearerTokenAuthenticationToken(authentication)) {
+      const token = authentication.token;
+      try {
+        const jwt = await decoder(token);
+        return await authConverter(jwt);
+      } catch (e) {
+        if (e instanceof JwtError) {
+          throw onError(e);
         }
+        throw e;
       }
     }
+  };
+}
+
+// src/server/security/oauth2-resource-server.ts
+function resourceServer(opts) {
+  const entryPoint = opts.entryPoint ?? token_entry_point_default({});
+  const converter = opts?.converter ?? token_converter_default({});
+  const failureHandler = opts.failureHandler ?? serverAuthenticationEntryPointFailureHandler({ entryPoint });
+  if (opts.managerResolver !== void 0) {
+    return authenticationFilter({
+      storage: opts.storage,
+      converter,
+      failureHandler,
+      managerResolver: opts.managerResolver
+    });
   }
-  if (result.length > 0) {
-    return result;
+  if (opts.jwt !== void 0) {
+    const manager = opts.jwt.manager ?? jwtAuthManager(opts.jwt);
+    return authenticationFilter({
+      storage: opts.storage,
+      converter,
+      failureHandler,
+      managerResolver: async (_exchange) => {
+        return manager;
+      }
+    });
   }
+  throw new Error("Invalid resource server configuration: either managerResolver or jwt must be provided");
 }
-function trimTrailingSlash(origin) {
-  return origin.endsWith("/") ? origin.slice(0, -1) : origin;
-}
-function getMethodToUse(request, isPreFlight) {
-  return isPreFlight ? request.headers.one("access-control-request-method") : request.method;
+
+// src/server/security/config.ts
+import { jwtVerifier, JwtVerifyError } from "@interopio/gateway/jose/jwt";
+
+// src/server/security/error-filter.ts
+async function commenceAuthentication(exchange, authentication, entryPoint) {
+  const cause = new InsufficientAuthenticationError(`Full authentication is required to access this resource.`);
+  const e = new AuthenticationError("Access Denied", { cause });
+  if (authentication) {
+    e.authentication = authentication;
+  }
+  await entryPoint(exchange, e);
 }
-function getHeadersToUse(request, isPreFlight) {
-  const headers2 = request.headers;
-  return isPreFlight ? headers2.list("access-control-request-headers") : Array.from(headers2.keys());
+function httpStatusAccessDeniedHandler(status, message) {
+  return async (exchange, _error) => {
+    exchange.response.statusCode = status;
+    exchange.response.statusMessage = message;
+    exchange.response.headers.set("Content-Type", "text/plain");
+    const bytes = Buffer.from("Access Denied", "utf-8");
+    exchange.response.headers.set("Content-Length", bytes.length);
+    await exchange.response.end(bytes);
+  };
 }
-var matchingCorsConfigSource = (opts) => {
-  return async (exchange) => {
-    for (const [matcher, config] of opts.mappings) {
-      if ((await matcher(exchange)).match) {
-        logger9.debug(`resolved cors config on '${exchange.path}' using ${matcher}: ${JSON.stringify(config)}`);
-        return config;
+var errorFilter = (opts) => {
+  const accessDeniedHandler = httpStatusAccessDeniedHandler(403, "Forbidden");
+  const authenticationEntryPoint = opts.authenticationEntryPoint ?? httpBasicEntryPoint();
+  return async (exchange, next) => {
+    try {
+      await next();
+    } catch (error) {
+      if (error instanceof AccessDeniedError) {
+        const principal = await exchange.principal();
+        if (!isAuthentication(principal)) {
+          await commenceAuthentication(exchange, void 0, authenticationEntryPoint);
+        } else {
+          if (!principal.authenticated) {
+            return accessDeniedHandler(exchange, error);
+          }
+          await commenceAuthentication(exchange, principal, authenticationEntryPoint);
+        }
       }
     }
   };
 };
 
+// src/server/security/delegating-authorization-manager.ts
+var logger3 = getLogger("auth");
+function delegatingAuthorizationManager(opts) {
+  const check = async (authentication, exchange) => {
+    let decision;
+    for (const [matcher, manager] of opts.mappings) {
+      if ((await matcher(exchange))?.match) {
+        logger3.debug(`checking authorization on '${exchange.request.path}' using [${matcher}, ${manager}]`);
+        const checkResult = await manager.authorize(authentication, { exchange });
+        if (checkResult !== void 0) {
+          decision = checkResult;
+          break;
+        }
+      }
+    }
+    decision ??= new AuthorizationDecision(false);
+    return decision;
+  };
+  return new DefaultAuthorizationManager(check);
+}
+
+// src/server/security/authorization-filter.ts
+var logger4 = getLogger("security.auth");
+function authorizationFilter(opts) {
+  const { manager, storage } = opts;
+  return async (exchange, next) => {
+    const promise = AsyncStorageSecurityContextHolder.getContext(storage).then((c) => c?.authentication);
+    try {
+      await manager.verify(promise, exchange);
+      if (logger4.enabledFor("debug")) {
+        logger4.debug("authorization successful");
+      }
+    } catch (error) {
+      if (error instanceof AccessDeniedError) {
+        if (logger4.enabledFor("debug")) {
+          logger4.debug(`authorization failed: ${error.message}`);
+        }
+      }
+      throw error;
+    }
+    await next();
+  };
+}
+
 // src/server/security/config.ts
 var filterOrder = {
   first: Number.MAX_SAFE_INTEGER,
@@ -2717,42 +2306,6 @@ var config_default = (config, context) => {
   return middleware;
 };
 
-// src/app/cors.ts
-function mockUpgradeExchange(path) {
-  const request = new MockHttpRequest(path, "GET");
-  request.headers.set("upgrade", "websocket");
-  request["_req"] = { upgrade: true };
-  return new DefaultWebExchange(request, new MockHttpResponse());
-}
-async function createCorsConfigSource(context) {
-  const { sockets: routes3, cors } = context;
-  const defaultCorsConfig = combineCorsConfig(PERMIT_DEFAULT_CONFIG, context.corsConfig);
-  const validatedConfigs = [];
-  for (const [path, route] of routes3) {
-    let routeCorsConfig = defaultCorsConfig;
-    const upgradeExchange = mockUpgradeExchange(path);
-    for (const [matcher, config] of cors) {
-      if ((await matcher(upgradeExchange)).match) {
-        routeCorsConfig = combineCorsConfig(routeCorsConfig, config);
-      }
-    }
-    routeCorsConfig = combineCorsConfig(routeCorsConfig, {
-      allowOrigins: route.originFilters?.allow,
-      allowMethods: ["GET", "CONNECT"],
-      allowHeaders: ["upgrade", "connection", "origin", "sec-websocket-key", "sec-websocket-version", "sec-websocket-protocol", "sec-websocket-extensions"],
-      exposeHeaders: ["sec-websocket-accept", "sec-websocket-protocol", "sec-websocket-extensions"],
-      allowCredentials: route.authorize?.access !== "permitted"
-    });
-    validatedConfigs.push([and([upgradeMatcher, pattern(path)]), validateCorsConfig(routeCorsConfig)]);
-  }
-  for (const [matcher, config] of cors) {
-    const routeCorsConfig = combineCorsConfig(defaultCorsConfig, config);
-    validatedConfigs.push([matcher, validateCorsConfig(routeCorsConfig)]);
-  }
-  validatedConfigs.push([pattern(/\/api\/.*/), validateCorsConfig(defaultCorsConfig)]);
-  return matchingCorsConfigSource({ mappings: validatedConfigs });
-}
-
 // src/app/auth.ts
 function createSecurityConfig(context) {
   const authorize = [];
@@ -2790,7 +2343,7 @@ async function httpSecurity(context) {
 }
 
 // src/server.ts
-var logger10 = getLogger("app");
+var logger5 = getLogger("app");
 function secureContextOptions(ssl) {
   const options = {};
   if (ssl.key) options.key = readFileSync(ssl.key);
@@ -2798,7 +2351,7 @@ function secureContextOptions(ssl) {
   if (ssl.ca) options.ca = readFileSync(ssl.ca);
   return options;
 }
-async function createListener(middleware, context, onSocketError) {
+async function createListener(context, onSocketError) {
   const storage = context.storage;
   const security = await httpSecurity(context);
   const listener = compose(
@@ -2811,35 +2364,36 @@ async function createListener(middleware, context, onSocketError) {
         const { request, response } = exchange;
         const upgradeMatchResult = await upgradeMatcher(exchange);
         if ((request.method === "GET" || request.method === "CONNECT") && upgradeMatchResult.match) {
-          const socket = request.socket;
+          const socket = response.unsafeServerResponse.socket;
           const host = request.host;
-          const info2 = socketKey(request._req.socket);
+          const info2 = socketKey(socket);
           if (route.wss) {
             socket.removeListener("error", onSocketError);
             const wss = route.wss;
             if (route.maxConnections !== void 0 && wss.clients?.size >= route.maxConnections) {
-              logger10.warn(`${info2} dropping ws connection request from ${host} on ${path}. max connections exceeded.`);
+              logger5.warn(`${info2} dropping ws connection request from ${host} on ${path}. max connections exceeded.`);
               socket.destroy();
               return;
             }
             const origin = request.headers.one("origin");
             if (!acceptsOrigin(origin, route.originFilters)) {
-              logger10.info(`${info2} dropping ws connection request from ${host} on ${path}. origin ${origin ?? "<missing>"}`);
+              logger5.info(`${info2} dropping ws connection request from ${host} on ${path}. origin ${origin ?? "<missing>"}`);
               socket.destroy();
               return;
             }
-            if (logger10.enabledFor("debug")) {
-              logger10.debug(`${info2} accepted new ws connection request from ${host} on ${path}`);
+            if (logger5.enabledFor("debug")) {
+              logger5.debug(`${info2} accepted new ws connection request from ${host} on ${path}`);
             }
-            wss.handleUpgrade(request._req, socket, request._req["_upgradeHead"], (ws) => {
-              response._res["_header"] = true;
-              ws.on("pong", () => ws["connected"] = true);
-              ws.on("ping", () => {
+            const upgradeHead = response.unsafeServerResponse.upgradeHead;
+            wss.handleUpgrade(request.unsafeIncomingMessage, socket, upgradeHead, (ws2) => {
+              response.unsafeServerResponse.markHeadersSent();
+              ws2.on("pong", () => ws2["connected"] = true);
+              ws2.on("ping", () => {
               });
-              wss.emit("connection", ws, request._req);
+              wss.emit("connection", ws2, request.unsafeIncomingMessage);
             });
           } else {
-            logger10.warn(`${info2} rejected upgrade request from ${host} on ${path}`);
+            logger5.warn(`${info2} rejected upgrade request from ${host} on ${path}`);
             socket.destroy();
           }
         } else {
@@ -2847,8 +2401,8 @@ async function createListener(middleware, context, onSocketError) {
             await next();
             return;
           }
-          if (logger10.enabledFor("debug")) {
-            logger10.debug(`rejecting request for ${path} with method ${request.method} from ${request.socket.remoteAddress}:${request.socket.remotePort} with headers: ${JSON.stringify(request._req.rawHeaders)}`);
+          if (logger5.enabledFor("debug")) {
+            logger5.debug(`rejecting request for ${path} with method ${request.method} from ${request.socket.remoteAddress}:${request.socket.remotePort} with headers: ${JSON.stringify(request.headers)}`);
           }
           response.statusCode = 426;
           response.headers.set("Upgrade", "websocket").set("Connection", "Upgrade").set("Content-Type", "text/plain");
@@ -2858,12 +2412,12 @@ async function createListener(middleware, context, onSocketError) {
         await next();
       }
     },
-    ...middleware,
-    // helth check
+    ...context.middleware,
+    // health check
     async ({ request, response }, next) => {
       if (request.method === "GET" && request.path === "/health") {
         response.statusCode = 200;
-        await response.end(http.STATUS_CODES[200]);
+        await response.end(http2.STATUS_CODES[200]);
       } else {
         await next();
       }
@@ -2879,24 +2433,25 @@ async function createListener(middleware, context, onSocketError) {
     // not found
     async ({ response }, _next) => {
       response.statusCode = 404;
-      await response.end(http.STATUS_CODES[404]);
+      await response.end(http2.STATUS_CODES[404]);
     }
   );
-  return (request, response) => {
+  return async (request, response) => {
     request.socket.addListener("error", onSocketError);
     const exchange = new DefaultWebExchange(new HttpServerRequest(request), new HttpServerResponse(response));
-    return storage.run({ exchange }, async () => {
-      if (logger10.enabledFor("debug")) {
-        const socket = exchange.request._req.socket;
-        if (logger10.enabledFor("debug")) {
-          logger10.debug(`received ${exchange.method} request for ${exchange.path} from ${socket.remoteAddress}:${socket.remotePort}`);
+    request.exchange = exchange;
+    return await storage.run({ exchange }, async () => {
+      if (logger5.enabledFor("debug")) {
+        const socket = exchange.request.socket;
+        if (logger5.enabledFor("debug")) {
+          logger5.debug(`received ${exchange.method} request for ${exchange.path} from ${socket.remoteAddress}:${socket.remotePort}`);
         }
       }
       try {
         return await listener(exchange);
       } catch (e) {
-        if (logger10.enabledFor("warn")) {
-          logger10.warn(`error processing request for ${exchange.path}`, e);
+        if (logger5.enabledFor("warn")) {
+          logger5.warn(`error processing request for ${exchange.path}`, e);
         }
       } finally {
         await exchange.response.end();
@@ -2931,10 +2486,10 @@ function regexAwareReplacer(_key, value) {
 }
 var Factory = async (options) => {
   const ssl = options.ssl;
-  const createServer = ssl ? (options2, handler) => https.createServer({ ...options2, ...secureContextOptions(ssl) }, handler) : (options2, handler) => http.createServer(options2, handler);
+  const createServer = ssl ? (options2, handler) => https.createServer({ ...options2, ...secureContextOptions(ssl) }, handler) : (options2, handler) => http2.createServer(options2, handler);
   const monitor = memoryMonitor(options.memory);
-  const middleware = [];
   const context = {
+    middleware: [],
     corsConfig: options.cors,
     cors: [],
     authConfig: options.auth,
@@ -2942,53 +2497,40 @@ var Factory = async (options) => {
     storage: new AsyncLocalStorage2(),
     sockets: /* @__PURE__ */ new Map()
   };
-  const gw = IOGateway7.Factory({ ...options.gateway });
+  const gw = IOGateway6.Factory({ ...options.gateway });
   if (options.gateway) {
     const config = options.gateway;
-    const route = config.route ?? "/";
-    context.sockets.set(route, {
-      default: config.route === void 0,
-      ping: options.gateway.ping,
-      factory: core_default.bind(gw),
-      maxConnections: config.limits?.max_connections,
-      authorize: config.authorize,
-      originFilters: regexifyOriginFilters(config.origins)
-    });
-  }
-  if (options.mesh) {
-    const connections = new InMemoryNodeConnections(options.mesh.timeout ?? 6e4);
-    const authorize = options.mesh.authorize;
-    middleware.push(...routes_default(connections, context, authorize));
-    const ping = options.mesh.ping ?? 3e4;
-    const originFilters = regexifyOriginFilters(options.mesh.origins);
-    context.sockets.set("/broker", { factory: core_default2, ping, originFilters, authorize });
-    context.sockets.set("/cluster", { factory: core_default4, ping, originFilters, authorize });
-    context.sockets.set("/relays", { factory: core_default3, ping, originFilters, authorize });
+    await configure(async (configurer) => {
+      configurer.socket({ path: config.route, factory: core_default.bind(gw), options: config });
+    }, options, context);
   }
-  if (options.metrics) {
-    middleware.push(...await routes_default2(options.metrics, context));
+  if (options.app) {
+    await configure(options.app, options, context);
   }
   const ports = portRange(options.port ?? 0);
   const host = options.host;
-  const onSocketError = (err) => logger10.error(`socket error: ${err}`, err);
-  const listener = await createListener(middleware, context, onSocketError);
+  const onSocketError = (err) => logger5.error(`socket error: ${err}`, err);
+  const listener = await createListener(context, onSocketError);
   const serverP = new Promise((resolve, reject) => {
-    const server2 = createServer({}, listener);
+    const server2 = createServer({
+      IncomingMessage: ExtendedHttpIncomingMessage,
+      ServerResponse: ExtendedHttpServerResponse
+    }, listener);
     server2.on("error", (e) => {
       if (e["code"] === "EADDRINUSE") {
-        logger10.debug(`port ${e["port"]} already in use on address ${e["address"]}`);
+        logger5.debug(`port ${e["port"]} already in use on address ${e["address"]}`);
         const { value: port } = ports.next();
         if (port) {
-          logger10.info(`retry starting server on port ${port} and host ${host ?? "<unspecified>"}`);
+          logger5.info(`retry starting server on port ${port} and host ${host ?? "<unspecified>"}`);
           server2.close();
           server2.listen(port, host);
         } else {
-          logger10.warn(`all configured port(s) ${options.port} are in use. closing...`);
+          logger5.warn(`all configured port(s) ${options.port} are in use. closing...`);
           server2.close();
           reject(e);
         }
       } else {
-        logger10.error(`server error: ${e.message}`, e);
+        logger5.error(`server error: ${e.message}`, e);
         reject(e);
       }
     });
@@ -2996,10 +2538,35 @@ var Factory = async (options) => {
       const info2 = server2.address();
       for (const [path, route] of context.sockets) {
         try {
-          logger10.info(`creating ws server for [${path}]. max connections: ${route.maxConnections ?? "<unlimited>"}, origin filters: ${route.originFilters ? JSON.stringify(route.originFilters, regexAwareReplacer) : "<none>"}`);
-          const wss = new WebSocketServer({ noServer: true });
+          logger5.info(`creating ws server for [${path}]. max connections: ${route.maxConnections ?? "<unlimited>"}, origin filters: ${route.originFilters ? JSON.stringify(route.originFilters, regexAwareReplacer) : "<none>"}`);
+          const wss = new ws.WebSocketServer({ noServer: true });
           const endpoint = `${ssl ? "wss" : "ws"}://${localIp}:${info2.port}${path}`;
-          const handler = await route.factory({ endpoint, wss, storage: context.storage });
+          const handler = await route.factory({ endpoint });
+          wss.on("error", (err) => {
+            logger5.error(`error starting the ws server for [${path}]`, err);
+          }).on("listening", () => {
+            logger5.info(`ws server for [${path}] is listening`);
+          }).on("connection", (socket, req) => {
+            const { request, principal } = req.exchange;
+            const url = request.URL;
+            const headers2 = new MapHttpHeaders();
+            for (const key of request.headers.keys()) {
+              headers2.set(key, request.headers.get(key));
+            }
+            const cookies = request.cookies;
+            const handshake = {
+              url,
+              headers: headers2,
+              cookies,
+              principal,
+              protocol: socket.protocol,
+              remoteAddress: request.socket.remoteAddress,
+              remoteFamily: request.socket.remoteFamily,
+              remotePort: request.socket.remotePort,
+              logPrefix: socketKey(request.socket)
+            };
+            handler(socket, handshake);
+          });
           const pingInterval = route.ping;
           if (pingInterval) {
             const pingIntervalId = setInterval(() => {
@@ -3018,30 +2585,28 @@ var Factory = async (options) => {
           route.wss = wss;
           route.close = handler.close?.bind(handler);
         } catch (e) {
-          logger10.warn(`failed to init route ${path}`, e);
+          logger5.warn(`failed to init route ${path}`, e);
         }
       }
-      logger10.info(`http server listening on ${info2.address}:${info2.port}`);
+      logger5.info(`http server listening on ${info2.address}:${info2.port}`);
       resolve(server2);
     });
     server2.on("upgrade", (req, socket, head) => {
-      socket.addListener("error", onSocketError);
+      socket.on("error", onSocketError);
       try {
-        req._upgradeHead = head;
-        const res = new http.ServerResponse(req);
-        res.assignSocket(socket);
+        const res = ExtendedHttpServerResponse.forUpgrade(req, socket, head);
         listener(req, res);
       } catch (err) {
-        logger10.error(`upgrade error: ${err}`, err);
+        logger5.error(`upgrade error: ${err}`, err);
       }
     }).on("close", async () => {
-      logger10.info(`http server closed.`);
+      logger5.info(`http server closed.`);
     });
     try {
       const { value: port } = ports.next();
       server2.listen(port, host);
     } catch (e) {
-      logger10.error(`error starting web socket server`, e);
+      logger5.error(`error starting web socket server`, e);
       reject(e instanceof Error ? e : new Error(`listen failed: ${e}`));
     }
   });
@@ -3054,13 +2619,13 @@ var Factory = async (options) => {
           if (route.close) {
             await route.close();
           }
-          logger10.info(`stopping ws server for [${path}]. clients: ${route.wss?.clients?.size ?? 0}`);
+          logger5.info(`stopping ws server for [${path}]. clients: ${route.wss?.clients?.size ?? 0}`);
           route.wss?.clients?.forEach((client) => {
             client.terminate();
           });
           route.wss?.close();
         } catch (e) {
-          logger10.warn(`error closing route ${path}`, e);
+          logger5.warn(`error closing route ${path}`, e);
         }
       }
       await promisify((cb) => {
@@ -3070,6 +2635,9 @@ var Factory = async (options) => {
       if (monitor) {
         await stop(monitor);
       }
+      if (gw) {
+        await gw.stop();
+      }
     }
   }();
 };