@jellyfungus/hono-rate-limiter 0.2.0 → 0.4.0

package/README.md

@@ -13,7 +13,7 @@ Production-ready rate limiting middleware for [Hono](https://hono.dev) web frame
 - **Multiple Stores** - Memory (default), Redis (with atomic Lua scripts), Cloudflare KV
 - **Cloudflare Rate Limiting Binding** - Native support for Cloudflare's globally distributed rate limiter
 - **WebSocket Support** - Rate limit WebSocket connections
-- **IETF Compliant Headers** - Full support for `RateLimit-*` headers (draft-6, draft-7)
+- **Standard Rate Limit Headers** - Support for both IETF standard (`RateLimit`) and legacy (`X-RateLimit-*`) headers
 - **TypeScript First** - Complete type safety
 
 ## Installation
@@ -68,26 +68,28 @@ app.use(
     limit: 100, // Max requests per window (default: 60)
     windowMs: 60 * 1000, // Window duration in ms (default: 60000)
     algorithm: "sliding-window", // or "fixed-window" (default: sliding-window)
-    headers: "draft-6", // or "draft-7" or false (default: draft-6)
+    headers: "legacy", // Header format (see Response Headers section)
   }),
 );
 ```
 
 ### All Options
 
-| Option                   | Type                                 | Default            | Description                      |
-| ------------------------ | ------------------------------------ | ------------------ | -------------------------------- |
-| `limit`                  | `number \| Function`                 | `60`               | Max requests per window          |
-| `windowMs`               | `number`                             | `60000`            | Window duration in ms            |
-| `algorithm`              | `'sliding-window' \| 'fixed-window'` | `'sliding-window'` | Rate limiting algorithm          |
-| `store`                  | `RateLimitStore`                     | `MemoryStore`      | Storage backend                  |
-| `keyGenerator`           | `Function`                           | IP detection       | Generate unique client key       |
-| `handler`                | `Function`                           | 429 response       | Custom rate limit response       |
-| `headers`                | `'draft-6' \| 'draft-7' \| false`    | `'draft-6'`        | IETF header format               |
-| `skip`                   | `Function`                           | -                  | Skip rate limiting conditionally |
-| `skipSuccessfulRequests` | `boolean`                            | `false`            | Don't count 2xx responses        |
-| `skipFailedRequests`     | `boolean`                            | `false`            | Don't count 4xx/5xx responses    |
-| `onRateLimited`          | `Function`                           | -                  | Callback when rate limited       |
+| Option                   | Type                                                        | Default            | Description                          |
+| ------------------------ | ----------------------------------------------------------- | ------------------ | ------------------------------------ |
+| `limit`                  | `number \| Function`                                        | `60`               | Max requests per window              |
+| `windowMs`               | `number`                                                    | `60000`            | Window duration in ms                |
+| `algorithm`              | `'sliding-window' \| 'fixed-window'`                        | `'sliding-window'` | Rate limiting algorithm              |
+| `store`                  | `RateLimitStore`                                            | `MemoryStore`      | Storage backend                      |
+| `keyGenerator`           | `Function`                                                  | IP detection       | Generate unique client key           |
+| `handler`                | `Function`                                                  | 429 response       | Custom rate limit response           |
+| `headers`                | `'legacy' \| 'draft-6' \| 'draft-7' \| 'standard' \| false` | `'legacy'`         | Header format (see below)            |
+| `identifier`             | `string`                                                    | `'default'`        | Policy name for IETF headers         |
+| `quotaUnit`              | `'requests' \| 'content-bytes' \| 'concurrent-requests'`    | `'requests'`       | Quota unit for IETF standard headers |
+| `skip`                   | `Function`                                                  | -                  | Skip rate limiting conditionally     |
+| `skipSuccessfulRequests` | `boolean`                                                   | `false`            | Don't count 2xx responses            |
+| `skipFailedRequests`     | `boolean`                                                   | `false`            | Don't count 4xx/5xx responses        |
+| `onRateLimited`          | `Function`                                                  | -                  | Callback when rate limited           |
 
 ## Stores
 
@@ -121,6 +123,8 @@ app.use(
 
 For Cloudflare Workers with KV:
 
+> **Warning:** Cloudflare KV is eventually consistent and does not support atomic increment operations. Under high concurrency, rate limits may be slightly exceeded. For strict rate limiting on Cloudflare, use [Durable Objects](https://developers.cloudflare.com/durable-objects/) or the native [Rate Limiting binding](#cloudflare-rate-limiting-binding) below.
+
 ```ts
 import { rateLimiter } from "@jellyfungus/hono-rate-limiter";
 import { CloudflareKVStore } from "@jellyfungus/hono-rate-limiter/store/cloudflare-kv";
@@ -282,24 +286,142 @@ app.use(
 
 ## Response Headers
 
-The middleware sets standard rate limit headers:
+The middleware supports multiple header formats. Choose based on your needs:
+
+### `"legacy"` (default)
 
-**draft-6 (default):**
+The widely-used `X-RateLimit-*` headers. Used by GitHub, Twitter, and most APIs:
 
 ```
 X-RateLimit-Limit: 60
 X-RateLimit-Remaining: 45
 X-RateLimit-Reset: 1640000000
-RateLimit-Policy: 60;w=60
 ```
 
-**draft-7:**
+- **Reset** is a Unix timestamp (seconds since epoch)
+- Best for broad client compatibility
+
+### `"draft-6"`
+
+IETF draft-06 format with individual `RateLimit-*` headers:
 
 ```
+RateLimit-Policy: 60;w=60
 RateLimit-Limit: 60
 RateLimit-Remaining: 45
 RateLimit-Reset: 30
+```
+
+- **Reset** is seconds until the window resets (not a timestamp)
+- Compatible with express-rate-limit's `draft-6` option
+
+### `"draft-7"`
+
+IETF draft-07 format with a combined `RateLimit` header:
+
+```
 RateLimit-Policy: 60;w=60
+RateLimit: limit=60, remaining=45, reset=30
+```
+
+- Uses comma-separated values in a single header
+- Compatible with express-rate-limit's `draft-7` option
+
+### `"standard"` (IETF draft-08+)
+
+Current IETF `draft-ietf-httpapi-ratelimit-headers` specification using structured field values ([RFC 9651](https://datatracker.ietf.org/doc/rfc9651/)):
+
+```
+RateLimit-Policy: "default";q=60;w=60
+RateLimit: "default";r=45;t=30
+```
+
+Parameters:
+
+| Header           | Param | Meaning                    |
+| ---------------- | ----- | -------------------------- |
+| RateLimit-Policy | `q`   | quota (max requests)       |
+| RateLimit-Policy | `w`   | window (seconds)           |
+| RateLimit-Policy | `qu`  | quota unit (optional)      |
+| RateLimit        | `r`   | remaining requests         |
+| RateLimit        | `t`   | time until reset (seconds) |
+
+Use the `identifier` option to customize the policy name:
+
+```ts
+rateLimiter({
+  headers: "standard",
+  identifier: "api-v1",
+  // Headers: RateLimit-Policy: "api-v1";q=60;w=60
+});
+```
+
+Use the `quotaUnit` option for non-request-based limits:
+
+```ts
+rateLimiter({
+  headers: "standard",
+  identifier: "bandwidth",
+  quotaUnit: "content-bytes",
+  // Headers: RateLimit-Policy: "bandwidth";q=1000000;w=60;qu="content-bytes"
+});
+```
+
+### Disabled
+
+Use `headers: false` to disable all rate limit headers.
+
+### Retry-After Header
+
+When a request is rate limited (429 response), the `Retry-After` header is always included with the number of seconds until the client can retry.
+
+## Security Considerations
+
+### IP Header Spoofing
+
+The default key generator uses request headers (`X-Forwarded-For`, `X-Real-IP`, `CF-Connecting-IP`) to identify clients. **These headers can be spoofed by malicious clients** if your application is not behind a trusted reverse proxy.
+
+**Only trust these headers when your app is behind a trusted proxy** (nginx, Cloudflare, AWS ALB, etc.) that overwrites them.
+
+For untrusted environments or additional security, use authenticated identifiers:
+
+```ts
+app.use(
+  rateLimiter({
+    keyGenerator: (c) => {
+      // Use authenticated user ID instead of IP
+      const user = c.get("user");
+      return user?.id ?? "anonymous";
+    },
+  }),
+);
+```
+
+### Error Handling
+
+By default, the rate limiter uses a "fail-open" strategy: if the store (Redis, KV, etc.) is unavailable, requests are allowed through. This prioritizes availability over strict rate limiting.
+
+For stricter security, use "fail-closed":
+
+```ts
+app.use(
+  rateLimiter({
+    onStoreError: "deny", // Block requests when store fails
+  }),
+);
+```
+
+Or use a custom handler:
+
+```ts
+app.use(
+  rateLimiter({
+    onStoreError: (error, c) => {
+      console.error("Rate limiter error:", error);
+      return false; // false = deny, true = allow
+    },
+  }),
+);
 ```
 
 ## License

package/dist/index.cjs

@@ -23,7 +23,8 @@ __export(index_exports, {
   MemoryStore: () => MemoryStore,
   cloudflareRateLimiter: () => cloudflareRateLimiter,
   getClientIP: () => getClientIP,
-  rateLimiter: () => rateLimiter
+  rateLimiter: () => rateLimiter,
+  shutdownDefaultStore: () => shutdownDefaultStore
 });
 module.exports = __toCommonJS(index_exports);
 var MemoryStore = class {
@@ -82,21 +83,47 @@ var MemoryStore = class {
   }
 };
 var defaultStore;
-function setHeaders(c, info, format, windowMs) {
+function shutdownDefaultStore() {
+  if (defaultStore) {
+    defaultStore.shutdown();
+    defaultStore = void 0;
+  }
+}
+function setHeaders(c, info, format, windowMs, identifier, quotaUnit) {
   if (format === false) {
     return;
   }
   const windowSeconds = Math.ceil(windowMs / 1e3);
   const resetSeconds = Math.max(0, Math.ceil((info.reset - Date.now()) / 1e3));
-  c.header("RateLimit-Policy", `${info.limit};w=${windowSeconds}`);
+  const safeId = sanitizeIdentifier(identifier);
   switch (format) {
+    case "standard":
+      {
+        let policy = `"${safeId}";q=${info.limit};w=${windowSeconds}`;
+        if (quotaUnit !== "requests") {
+          policy += `;qu="${quotaUnit}"`;
+        }
+        c.header("RateLimit-Policy", policy);
+        c.header(
+          "RateLimit",
+          `"${safeId}";r=${info.remaining};t=${resetSeconds}`
+        );
+      }
+      break;
     case "draft-7":
+      c.header("RateLimit-Policy", `${info.limit};w=${windowSeconds}`);
       c.header(
         "RateLimit",
         `limit=${info.limit}, remaining=${info.remaining}, reset=${resetSeconds}`
       );
       break;
     case "draft-6":
+      c.header("RateLimit-Policy", `${info.limit};w=${windowSeconds}`);
+      c.header("RateLimit-Limit", String(info.limit));
+      c.header("RateLimit-Remaining", String(info.remaining));
+      c.header("RateLimit-Reset", String(resetSeconds));
+      break;
+    case "legacy":
     default:
       c.header("X-RateLimit-Limit", String(info.limit));
       c.header("X-RateLimit-Remaining", String(info.remaining));
@@ -104,6 +131,16 @@ function setHeaders(c, info, format, windowMs) {
       break;
   }
 }
+function sanitizeIdentifier(id) {
+  if (!id || typeof id !== "string") {
+    return "default";
+  }
+  const sanitized = id.replace(/[^a-zA-Z0-9_\-.:*/]/g, "-");
+  if (!sanitized || !/^[a-zA-Z]/.test(sanitized)) {
+    return "default";
+  }
+  return sanitized;
+}
 function getClientIP(c) {
   const cfIP = c.req.header("cf-connecting-ip");
   if (cfIP) {
@@ -119,14 +156,59 @@ function getClientIP(c) {
   }
   return "unknown";
 }
-function createDefaultResponse(info) {
-  const retryAfter = Math.max(0, Math.ceil((info.reset - Date.now()) / 1e3));
+function buildRateLimitHeaders(info, format, windowMs, identifier, quotaUnit) {
+  const headers = {
+    "Content-Type": "text/plain",
+    "Retry-After": String(
+      Math.max(0, Math.ceil((info.reset - Date.now()) / 1e3))
+    )
+  };
+  if (format === false) {
+    return headers;
+  }
+  const windowSeconds = Math.ceil(windowMs / 1e3);
+  const resetSeconds = Math.max(0, Math.ceil((info.reset - Date.now()) / 1e3));
+  const safeId = sanitizeIdentifier(identifier);
+  switch (format) {
+    case "standard": {
+      let policy = `"${safeId}";q=${info.limit};w=${windowSeconds}`;
+      if (quotaUnit !== "requests") {
+        policy += `;qu="${quotaUnit}"`;
+      }
+      headers["RateLimit-Policy"] = policy;
+      headers["RateLimit"] = `"${safeId}";r=${info.remaining};t=${resetSeconds}`;
+      break;
+    }
+    case "draft-7":
+      headers["RateLimit-Policy"] = `${info.limit};w=${windowSeconds}`;
+      headers["RateLimit"] = `limit=${info.limit}, remaining=${info.remaining}, reset=${resetSeconds}`;
+      break;
+    case "draft-6":
+      headers["RateLimit-Policy"] = `${info.limit};w=${windowSeconds}`;
+      headers["RateLimit-Limit"] = String(info.limit);
+      headers["RateLimit-Remaining"] = String(info.remaining);
+      headers["RateLimit-Reset"] = String(resetSeconds);
+      break;
+    case "legacy":
+    default:
+      headers["X-RateLimit-Limit"] = String(info.limit);
+      headers["X-RateLimit-Remaining"] = String(info.remaining);
+      headers["X-RateLimit-Reset"] = String(Math.ceil(info.reset / 1e3));
+      break;
+  }
+  return headers;
+}
+function createDefaultResponse(info, format, windowMs, identifier, quotaUnit) {
+  const headers = buildRateLimitHeaders(
+    info,
+    format,
+    windowMs,
+    identifier,
+    quotaUnit
+  );
   return new Response("Rate limit exceeded", {
     status: 429,
-    headers: {
-      "Content-Type": "text/plain",
-      "Retry-After": String(retryAfter)
-    }
+    headers
   });
 }
 async function checkSlidingWindow(store, key, limit, windowMs) {
@@ -172,19 +254,44 @@ var rateLimiter = (options) => {
     store: void 0,
     keyGenerator: getClientIP,
     handler: void 0,
-    headers: "draft-6",
+    headers: "legacy",
+    identifier: "default",
+    quotaUnit: "requests",
     skip: void 0,
     skipSuccessfulRequests: false,
     skipFailedRequests: false,
     onRateLimited: void 0,
+    onStoreError: "allow",
     ...options
   };
   const store = opts.store ?? (defaultStore ??= new MemoryStore());
-  let initialized = false;
+  let initPromise = null;
+  async function handleStoreError(error, c) {
+    if (typeof opts.onStoreError === "function") {
+      return opts.onStoreError(error, c);
+    }
+    return opts.onStoreError === "allow";
+  }
   return async function rateLimiter2(c, next) {
-    if (!initialized && store.init) {
-      await store.init(opts.windowMs);
-      initialized = true;
+    if (!initPromise && store.init) {
+      const result = store.init(opts.windowMs);
+      initPromise = result instanceof Promise ? result : Promise.resolve();
+    }
+    if (initPromise) {
+      try {
+        await initPromise;
+      } catch (error) {
+        const shouldAllow = await handleStoreError(
+          error instanceof Error ? error : new Error(String(error)),
+          c
+        );
+        if (shouldAllow) {
+          return next();
+        }
+        return new Response("Rate limiter initialization failed", {
+          status: 500
+        });
+      }
     }
     if (opts.skip) {
       const shouldSkip = await opts.skip(c);
@@ -194,13 +301,35 @@ var rateLimiter = (options) => {
     }
     const key = await opts.keyGenerator(c);
     const limit = typeof opts.limit === "function" ? await opts.limit(c) : opts.limit;
-    const { allowed, info } = opts.algorithm === "sliding-window" ? await checkSlidingWindow(store, key, limit, opts.windowMs) : await checkFixedWindow(store, key, limit, opts.windowMs);
+    let allowed;
+    let info;
+    try {
+      const result = opts.algorithm === "sliding-window" ? await checkSlidingWindow(store, key, limit, opts.windowMs) : await checkFixedWindow(store, key, limit, opts.windowMs);
+      allowed = result.allowed;
+      info = result.info;
+    } catch (error) {
+      const shouldAllow = await handleStoreError(
+        error instanceof Error ? error : new Error(String(error)),
+        c
+      );
+      if (shouldAllow) {
+        return next();
+      }
+      return new Response("Rate limiter error", { status: 500 });
+    }
     c.set("rateLimit", info);
     c.set("rateLimitStore", {
       getKey: store.get?.bind(store) ?? (() => void 0),
       resetKey: store.resetKey.bind(store)
     });
-    setHeaders(c, info, opts.headers, opts.windowMs);
+    setHeaders(
+      c,
+      info,
+      opts.headers,
+      opts.windowMs,
+      opts.identifier,
+      opts.quotaUnit
+    );
     if (!allowed) {
       if (opts.onRateLimited) {
         await opts.onRateLimited(c, info);
@@ -208,7 +337,13 @@ var rateLimiter = (options) => {
       if (opts.handler) {
         return opts.handler(c, info);
       }
-      return createDefaultResponse(info);
+      return createDefaultResponse(
+        info,
+        opts.headers,
+        opts.windowMs,
+        opts.identifier,
+        opts.quotaUnit
+      );
     }
     await next();
     if (opts.skipSuccessfulRequests || opts.skipFailedRequests) {
@@ -217,7 +352,10 @@ var rateLimiter = (options) => {
       if (shouldDecrement && store.decrement) {
         const windowStart = Math.floor(Date.now() / opts.windowMs) * opts.windowMs;
         const windowKey = `${key}:${windowStart}`;
-        await store.decrement(windowKey);
+        try {
+          await store.decrement(windowKey);
+        } catch {
+        }
       }
     }
   };
@@ -251,6 +389,7 @@ var cloudflareRateLimiter = (options) => {
   MemoryStore,
   cloudflareRateLimiter,
   getClientIP,
-  rateLimiter
+  rateLimiter,
+  shutdownDefaultStore
 });
 //# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @module\n * Rate Limit Middleware for Hono.\n */\n\nimport type { Context, Env, MiddlewareHandler } from \"hono\";\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Rate limit information for a single request\n */\nexport type RateLimitInfo = {\n  /** Maximum requests allowed in window */\n  limit: number;\n  /** Remaining requests in current window */\n  remaining: number;\n  /** Unix timestamp (ms) when window resets */\n  reset: number;\n};\n\n/**\n * Result from store increment operation\n */\nexport type StoreResult = {\n  /** Current request count in window */\n  count: number;\n  /** When the window resets (Unix timestamp ms) */\n  reset: number;\n};\n\n/**\n * Header format versions\n */\nexport type HeadersFormat =\n  | \"draft-6\" // X-RateLimit-* headers\n  | \"draft-7\" // RateLimit-* without structured fields\n  | false; // Disable headers\n\n/**\n * Rate limit algorithm\n */\nexport type Algorithm = \"fixed-window\" | \"sliding-window\";\n\n/**\n * Store interface for rate limit state\n */\nexport type RateLimitStore = {\n  /**\n   * Initialize store. Called once before first use.\n   */\n  init?: (windowMs: number) => void | Promise<void>;\n\n  /**\n   * Increment counter for key and return current state.\n   */\n  increment: (key: string) => StoreResult | Promise<StoreResult>;\n\n  /**\n   * Decrement counter for key.\n   */\n  decrement?: (key: string) => void | Promise<void>;\n\n  /**\n   * Reset a specific key.\n   */\n  resetKey: (key: string) => void | Promise<void>;\n\n  /**\n   * Reset all keys.\n   */\n  resetAll?: () => void | Promise<void>;\n\n  /**\n   * Get current state for key.\n   */\n  get?: (\n    key: string,\n  ) => StoreResult | Promise<StoreResult | undefined> | undefined;\n\n  /**\n   * Graceful shutdown.\n   */\n  shutdown?: () => void | Promise<void>;\n};\n\n/**\n * Store access interface exposed in context\n */\nexport type RateLimitStoreAccess = {\n  /** Get rate limit info for a key */\n  getKey: (\n    key: string,\n  ) => StoreResult | Promise<StoreResult | undefined> | undefined;\n  /** Reset rate limit for a key */\n  resetKey: (key: string) => void | Promise<void>;\n};\n\n/**\n * Options for rate limit middleware\n */\nexport type RateLimitOptions<E extends Env = Env> = {\n  /**\n   * Maximum requests allowed in the time window.\n   * @default 60\n   */\n  limit?: number | ((c: Context<E>) => number | Promise<number>);\n\n  /**\n   * Time window in milliseconds.\n   * @default 60000 (1 minute)\n   */\n  windowMs?: number;\n\n  /**\n   * Rate limiting algorithm.\n   * @default 'sliding-window'\n   */\n  algorithm?: Algorithm;\n\n  /**\n   * Storage backend for rate limit state.\n   * @default MemoryStore\n   */\n  store?: RateLimitStore;\n\n  /**\n   * Generate unique key for each client.\n   * @default IP address from headers\n   */\n  keyGenerator?: (c: Context<E>) => string | Promise<string>;\n\n  /**\n   * Handler called when rate limit is exceeded.\n   */\n  handler?: (\n    c: Context<E>,\n    info: RateLimitInfo,\n  ) => Response | Promise<Response>;\n\n  /**\n   * HTTP header format to use.\n   * @default 'draft-6'\n   */\n  headers?: HeadersFormat;\n\n  /**\n   * Skip rate limiting for certain requests.\n   */\n  skip?: (c: Context<E>) => boolean | Promise<boolean>;\n\n  /**\n   * Don't count successful (2xx) requests against limit.\n   * @default false\n   */\n  skipSuccessfulRequests?: boolean;\n\n  /**\n   * Don't count failed (4xx, 5xx) requests against limit.\n   * @default false\n   */\n  skipFailedRequests?: boolean;\n\n  /**\n   * Callback when a request is rate limited.\n   */\n  onRateLimited?: (c: Context<E>, info: RateLimitInfo) => void | Promise<void>;\n};\n\n/**\n * Cloudflare Rate Limiting binding interface\n */\nexport type RateLimitBinding = {\n  limit: (options: { key: string }) => Promise<{ success: boolean }>;\n};\n\n/**\n * Options for Cloudflare Rate Limiting binding\n */\nexport type CloudflareRateLimitOptions<E extends Env = Env> = {\n  /**\n   * Cloudflare Rate Limiting binding from env\n   */\n  binding: RateLimitBinding | ((c: Context<E>) => RateLimitBinding);\n\n  /**\n   * Generate unique key for each client.\n   */\n  keyGenerator: (c: Context<E>) => string | Promise<string>;\n\n  /**\n   * Handler called when rate limit is exceeded.\n   */\n  handler?: (c: Context<E>) => Response | Promise<Response>;\n\n  /**\n   * Skip rate limiting for certain requests.\n   */\n  skip?: (c: Context<E>) => boolean | Promise<boolean>;\n};\n\n// ============================================================================\n// Context Variable Type Extension\n// ============================================================================\n\ndeclare module \"hono\" {\n  interface ContextVariableMap {\n    rateLimit?: RateLimitInfo;\n    rateLimitStore?: RateLimitStoreAccess;\n  }\n}\n\n// ============================================================================\n// Memory Store\n// ============================================================================\n\ntype MemoryEntry = {\n  count: number;\n  reset: number;\n};\n\n/**\n * In-memory store for rate limiting.\n * Suitable for single-instance deployments.\n */\nexport class MemoryStore implements RateLimitStore {\n  private entries = new Map<string, MemoryEntry>();\n  private windowMs = 60_000;\n  private cleanupTimer?: ReturnType<typeof setInterval>;\n\n  init(windowMs: number): void {\n    this.windowMs = windowMs;\n\n    // Cleanup expired entries every minute\n    this.cleanupTimer = setInterval(() => {\n      const now = Date.now();\n      for (const [key, entry] of this.entries) {\n        if (entry.reset <= now) {\n          this.entries.delete(key);\n        }\n      }\n    }, 60_000);\n\n    // Don't keep process alive for cleanup\n    if (typeof this.cleanupTimer.unref === \"function\") {\n      this.cleanupTimer.unref();\n    }\n  }\n\n  increment(key: string): StoreResult {\n    const now = Date.now();\n    const existing = this.entries.get(key);\n\n    if (!existing || existing.reset <= now) {\n      // New window\n      const reset = now + this.windowMs;\n      this.entries.set(key, { count: 1, reset });\n      return { count: 1, reset };\n    }\n\n    // Increment existing\n    existing.count++;\n    return { count: existing.count, reset: existing.reset };\n  }\n\n  get(key: string): StoreResult | undefined {\n    const entry = this.entries.get(key);\n    if (!entry || entry.reset <= Date.now()) {\n      return undefined;\n    }\n    return { count: entry.count, reset: entry.reset };\n  }\n\n  decrement(key: string): void {\n    const entry = this.entries.get(key);\n    if (entry && entry.count > 0) {\n      entry.count--;\n    }\n  }\n\n  resetKey(key: string): void {\n    this.entries.delete(key);\n  }\n\n  resetAll(): void {\n    this.entries.clear();\n  }\n\n  shutdown(): void {\n    if (this.cleanupTimer) {\n      clearInterval(this.cleanupTimer);\n    }\n    this.entries.clear();\n  }\n}\n\n// Singleton default store\nlet defaultStore: MemoryStore | undefined;\n\n// ============================================================================\n// Header Generation\n// ============================================================================\n\nfunction setHeaders(\n  c: Context,\n  info: RateLimitInfo,\n  format: HeadersFormat,\n  windowMs: number,\n): void {\n  if (format === false) {\n    return;\n  }\n\n  const windowSeconds = Math.ceil(windowMs / 1000);\n  const resetSeconds = Math.max(0, Math.ceil((info.reset - Date.now()) / 1000));\n\n  // RateLimit-Policy header (IETF compliant)\n  c.header(\"RateLimit-Policy\", `${info.limit};w=${windowSeconds}`);\n\n  switch (format) {\n    case \"draft-7\":\n      c.header(\n        \"RateLimit\",\n        `limit=${info.limit}, remaining=${info.remaining}, reset=${resetSeconds}`,\n      );\n      break;\n\n    case \"draft-6\":\n    default:\n      c.header(\"X-RateLimit-Limit\", String(info.limit));\n      c.header(\"X-RateLimit-Remaining\", String(info.remaining));\n      c.header(\"X-RateLimit-Reset\", String(Math.ceil(info.reset / 1000)));\n      break;\n  }\n}\n\n// ============================================================================\n// Default Key Generator\n// ============================================================================\n\nfunction getClientIP(c: Context): string {\n  // Platform-specific headers (most reliable)\n  const cfIP = c.req.header(\"cf-connecting-ip\");\n  if (cfIP) {\n    return cfIP;\n  }\n\n  const xRealIP = c.req.header(\"x-real-ip\");\n  if (xRealIP) {\n    return xRealIP;\n  }\n\n  // X-Forwarded-For - take first IP\n  const xff = c.req.header(\"x-forwarded-for\");\n  if (xff) {\n    return xff.split(\",\")[0].trim();\n  }\n\n  return \"unknown\";\n}\n\n// ============================================================================\n// Default Handler\n// ============================================================================\n\nfunction createDefaultResponse(info: RateLimitInfo): Response {\n  const retryAfter = Math.max(0, Math.ceil((info.reset - Date.now()) / 1000));\n\n  return new Response(\"Rate limit exceeded\", {\n    status: 429,\n    headers: {\n      \"Content-Type\": \"text/plain\",\n      \"Retry-After\": String(retryAfter),\n    },\n  });\n}\n\n// ============================================================================\n// Sliding Window Algorithm\n// ============================================================================\n\nasync function checkSlidingWindow(\n  store: RateLimitStore,\n  key: string,\n  limit: number,\n  windowMs: number,\n): Promise<{ allowed: boolean; info: RateLimitInfo }> {\n  const now = Date.now();\n  const currentWindowStart = Math.floor(now / windowMs) * windowMs;\n  const previousWindowStart = currentWindowStart - windowMs;\n\n  const previousKey = `${key}:${previousWindowStart}`;\n  const currentKey = `${key}:${currentWindowStart}`;\n\n  // Increment current window\n  const current = await store.increment(currentKey);\n\n  // Get previous window (may not exist)\n  let previousCount = 0;\n  if (store.get) {\n    const prev = await store.get(previousKey);\n    previousCount = prev?.count ?? 0;\n  }\n\n  // Cloudflare's weighted formula\n  const elapsedMs = now - currentWindowStart;\n  const weight = (windowMs - elapsedMs) / windowMs;\n  const estimatedCount = Math.floor(previousCount * weight) + current.count;\n\n  const remaining = Math.max(0, limit - estimatedCount);\n  const allowed = estimatedCount <= limit;\n  const reset = currentWindowStart + windowMs;\n\n  return {\n    allowed,\n    info: { limit, remaining, reset },\n  };\n}\n\n// ============================================================================\n// Fixed Window Algorithm\n// ============================================================================\n\nasync function checkFixedWindow(\n  store: RateLimitStore,\n  key: string,\n  limit: number,\n  windowMs: number,\n): Promise<{ allowed: boolean; info: RateLimitInfo }> {\n  const now = Date.now();\n  const windowStart = Math.floor(now / windowMs) * windowMs;\n  const windowKey = `${key}:${windowStart}`;\n\n  const { count, reset } = await store.increment(windowKey);\n\n  const remaining = Math.max(0, limit - count);\n  const allowed = count <= limit;\n\n  return {\n    allowed,\n    info: { limit, remaining, reset },\n  };\n}\n\n// ============================================================================\n// Main Middleware\n// ============================================================================\n\n/**\n * Rate Limit Middleware for Hono.\n *\n * @param {RateLimitOptions} [options] - Configuration options\n * @returns {MiddlewareHandler} Middleware handler\n *\n * @example\n * ```ts\n * import { Hono } from 'hono'\n * import { rateLimiter } from '@jellyfungus/hono-rate-limiter'\n *\n * const app = new Hono()\n *\n * // Basic usage - 60 requests per minute\n * app.use(rateLimiter())\n *\n * // Custom configuration\n * app.use('/api/*', rateLimiter({\n *   limit: 100,\n *   windowMs: 60 * 1000,\n * }))\n * ```\n */\nexport const rateLimiter = <E extends Env = Env>(\n  options?: RateLimitOptions<E>,\n): MiddlewareHandler<E> => {\n  // Merge with defaults\n  const opts = {\n    limit: 60 as number | ((c: Context<E>) => number | Promise<number>),\n    windowMs: 60_000,\n    algorithm: \"sliding-window\" as Algorithm,\n    store: undefined as RateLimitStore | undefined,\n    keyGenerator: getClientIP as (c: Context<E>) => string | Promise<string>,\n    handler: undefined as\n      | ((c: Context<E>, info: RateLimitInfo) => Response | Promise<Response>)\n      | undefined,\n    headers: \"draft-6\" as HeadersFormat,\n    skip: undefined as\n      | ((c: Context<E>) => boolean | Promise<boolean>)\n      | undefined,\n    skipSuccessfulRequests: false,\n    skipFailedRequests: false,\n    onRateLimited: undefined as\n      | ((c: Context<E>, info: RateLimitInfo) => void | Promise<void>)\n      | undefined,\n    ...options,\n  };\n\n  // Use default store if none provided\n  const store = opts.store ?? (defaultStore ??= new MemoryStore());\n\n  // Track initialization\n  let initialized = false;\n\n  return async function rateLimiter(c, next) {\n    // Initialize store on first request\n    if (!initialized && store.init) {\n      await store.init(opts.windowMs);\n      initialized = true;\n    }\n\n    // Check if should skip\n    if (opts.skip) {\n      const shouldSkip = await opts.skip(c);\n      if (shouldSkip) {\n        return next();\n      }\n    }\n\n    // Generate key\n    const key = await opts.keyGenerator(c);\n\n    // Get limit (may be dynamic)\n    const limit =\n      typeof opts.limit === \"function\" ? await opts.limit(c) : opts.limit;\n\n    // Check rate limit\n    const { allowed, info } =\n      opts.algorithm === \"sliding-window\"\n        ? await checkSlidingWindow(store, key, limit, opts.windowMs)\n        : await checkFixedWindow(store, key, limit, opts.windowMs);\n\n    // Set context variable for downstream middleware\n    c.set(\"rateLimit\", info);\n\n    // Expose store access in context\n    c.set(\"rateLimitStore\", {\n      getKey: store.get?.bind(store) ?? (() => undefined),\n      resetKey: store.resetKey.bind(store),\n    });\n\n    // Set headers\n    setHeaders(c, info, opts.headers, opts.windowMs);\n\n    // Handle rate limited\n    if (!allowed) {\n      // Fire callback\n      if (opts.onRateLimited) {\n        await opts.onRateLimited(c, info);\n      }\n\n      // Custom handler or default\n      if (opts.handler) {\n        return opts.handler(c, info);\n      }\n      return createDefaultResponse(info);\n    }\n\n    // Continue\n    await next();\n\n    // Handle skip options after response\n    if (opts.skipSuccessfulRequests || opts.skipFailedRequests) {\n      const status = c.res.status;\n      const shouldDecrement =\n        (opts.skipSuccessfulRequests && status >= 200 && status < 300) ||\n        (opts.skipFailedRequests && status >= 400);\n\n      if (shouldDecrement && store.decrement) {\n        const windowStart =\n          Math.floor(Date.now() / opts.windowMs) * opts.windowMs;\n        const windowKey = `${key}:${windowStart}`;\n        await store.decrement(windowKey);\n      }\n    }\n  };\n};\n\n// ============================================================================\n// Cloudflare Rate Limiting Binding Middleware\n// ============================================================================\n\n/**\n * Rate limiter using Cloudflare's built-in Rate Limiting binding.\n *\n * This uses Cloudflare's globally distributed rate limiting infrastructure,\n * which is ideal for high-traffic applications.\n *\n * @example\n * ```ts\n * import { cloudflareRateLimiter } from '@jellyfungus/hono-rate-limiter'\n *\n * type Bindings = { RATE_LIMITER: RateLimitBinding }\n *\n * const app = new Hono<{ Bindings: Bindings }>()\n *\n * app.use(cloudflareRateLimiter({\n *   binding: (c) => c.env.RATE_LIMITER,\n *   keyGenerator: (c) => c.req.header('cf-connecting-ip') ?? 'unknown',\n * }))\n * ```\n */\nexport const cloudflareRateLimiter = <E extends Env = Env>(\n  options: CloudflareRateLimitOptions<E>,\n): MiddlewareHandler<E> => {\n  const { binding, keyGenerator, handler, skip } = options;\n\n  return async function cloudflareRateLimiter(c, next) {\n    // Check if should skip\n    if (skip) {\n      const shouldSkip = await skip(c);\n      if (shouldSkip) {\n        return next();\n      }\n    }\n\n    // Get binding (may be dynamic)\n    const rateLimitBinding =\n      typeof binding === \"function\" ? binding(c) : binding;\n\n    // Generate key\n    const key = await keyGenerator(c);\n\n    // Check rate limit\n    const { success } = await rateLimitBinding.limit({ key });\n\n    if (!success) {\n      if (handler) {\n        return handler(c);\n      }\n      return new Response(\"Rate limit exceeded\", {\n        status: 429,\n        headers: { \"Content-Type\": \"text/plain\" },\n      });\n    }\n\n    return next();\n  };\n};\n\n// ============================================================================\n// Exports\n// ============================================================================\n\nexport { getClientIP };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAmOO,IAAM,cAAN,MAA4C;AAAA,EACzC,UAAU,oBAAI,IAAyB;AAAA,EACvC,WAAW;AAAA,EACX;AAAA,EAER,KAAK,UAAwB;AAC3B,SAAK,WAAW;AAGhB,SAAK,eAAe,YAAY,MAAM;AACpC,YAAM,MAAM,KAAK,IAAI;AACrB,iBAAW,CAAC,KAAK,KAAK,KAAK,KAAK,SAAS;AACvC,YAAI,MAAM,SAAS,KAAK;AACtB,eAAK,QAAQ,OAAO,GAAG;AAAA,QACzB;AAAA,MACF;AAAA,IACF,GAAG,GAAM;AAGT,QAAI,OAAO,KAAK,aAAa,UAAU,YAAY;AACjD,WAAK,aAAa,MAAM;AAAA,IAC1B;AAAA,EACF;AAAA,EAEA,UAAU,KAA0B;AAClC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK,QAAQ,IAAI,GAAG;AAErC,QAAI,CAAC,YAAY,SAAS,SAAS,KAAK;AAEtC,YAAM,QAAQ,MAAM,KAAK;AACzB,WAAK,QAAQ,IAAI,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC;AACzC,aAAO,EAAE,OAAO,GAAG,MAAM;AAAA,IAC3B;AAGA,aAAS;AACT,WAAO,EAAE,OAAO,SAAS,OAAO,OAAO,SAAS,MAAM;AAAA,EACxD;AAAA,EAEA,IAAI,KAAsC;AACxC,UAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,QAAI,CAAC,SAAS,MAAM,SAAS,KAAK,IAAI,GAAG;AACvC,aAAO;AAAA,IACT;AACA,WAAO,EAAE,OAAO,MAAM,OAAO,OAAO,MAAM,MAAM;AAAA,EAClD;AAAA,EAEA,UAAU,KAAmB;AAC3B,UAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,QAAI,SAAS,MAAM,QAAQ,GAAG;AAC5B,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,SAAS,KAAmB;AAC1B,SAAK,QAAQ,OAAO,GAAG;AAAA,EACzB;AAAA,EAEA,WAAiB;AACf,SAAK,QAAQ,MAAM;AAAA,EACrB;AAAA,EAEA,WAAiB;AACf,QAAI,KAAK,cAAc;AACrB,oBAAc,KAAK,YAAY;AAAA,IACjC;AACA,SAAK,QAAQ,MAAM;AAAA,EACrB;AACF;AAGA,IAAI;AAMJ,SAAS,WACP,GACA,MACA,QACA,UACM;AACN,MAAI,WAAW,OAAO;AACpB;AAAA,EACF;AAEA,QAAM,gBAAgB,KAAK,KAAK,WAAW,GAAI;AAC/C,QAAM,eAAe,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,QAAQ,KAAK,IAAI,KAAK,GAAI,CAAC;AAG5E,IAAE,OAAO,oBAAoB,GAAG,KAAK,KAAK,MAAM,aAAa,EAAE;AAE/D,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,QAAE;AAAA,QACA;AAAA,QACA,SAAS,KAAK,KAAK,eAAe,KAAK,SAAS,WAAW,YAAY;AAAA,MACzE;AACA;AAAA,IAEF,KAAK;AAAA,IACL;AACE,QAAE,OAAO,qBAAqB,OAAO,KAAK,KAAK,CAAC;AAChD,QAAE,OAAO,yBAAyB,OAAO,KAAK,SAAS,CAAC;AACxD,QAAE,OAAO,qBAAqB,OAAO,KAAK,KAAK,KAAK,QAAQ,GAAI,CAAC,CAAC;AAClE;AAAA,EACJ;AACF;AAMA,SAAS,YAAY,GAAoB;AAEvC,QAAM,OAAO,EAAE,IAAI,OAAO,kBAAkB;AAC5C,MAAI,MAAM;AACR,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,EAAE,IAAI,OAAO,WAAW;AACxC,MAAI,SAAS;AACX,WAAO;AAAA,EACT;AAGA,QAAM,MAAM,EAAE,IAAI,OAAO,iBAAiB;AAC1C,MAAI,KAAK;AACP,WAAO,IAAI,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AAAA,EAChC;AAEA,SAAO;AACT;AAMA,SAAS,sBAAsB,MAA+B;AAC5D,QAAM,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,QAAQ,KAAK,IAAI,KAAK,GAAI,CAAC;AAE1E,SAAO,IAAI,SAAS,uBAAuB;AAAA,IACzC,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,gBAAgB;AAAA,MAChB,eAAe,OAAO,UAAU;AAAA,IAClC;AAAA,EACF,CAAC;AACH;AAMA,eAAe,mBACb,OACA,KACA,OACA,UACoD;AACpD,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,qBAAqB,KAAK,MAAM,MAAM,QAAQ,IAAI;AACxD,QAAM,sBAAsB,qBAAqB;AAEjD,QAAM,cAAc,GAAG,GAAG,IAAI,mBAAmB;AACjD,QAAM,aAAa,GAAG,GAAG,IAAI,kBAAkB;AAG/C,QAAM,UAAU,MAAM,MAAM,UAAU,UAAU;AAGhD,MAAI,gBAAgB;AACpB,MAAI,MAAM,KAAK;AACb,UAAM,OAAO,MAAM,MAAM,IAAI,WAAW;AACxC,oBAAgB,MAAM,SAAS;AAAA,EACjC;AAGA,QAAM,YAAY,MAAM;AACxB,QAAM,UAAU,WAAW,aAAa;AACxC,QAAM,iBAAiB,KAAK,MAAM,gBAAgB,MAAM,IAAI,QAAQ;AAEpE,QAAM,YAAY,KAAK,IAAI,GAAG,QAAQ,cAAc;AACpD,QAAM,UAAU,kBAAkB;AAClC,QAAM,QAAQ,qBAAqB;AAEnC,SAAO;AAAA,IACL;AAAA,IACA,MAAM,EAAE,OAAO,WAAW,MAAM;AAAA,EAClC;AACF;AAMA,eAAe,iBACb,OACA,KACA,OACA,UACoD;AACpD,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,cAAc,KAAK,MAAM,MAAM,QAAQ,IAAI;AACjD,QAAM,YAAY,GAAG,GAAG,IAAI,WAAW;AAEvC,QAAM,EAAE,OAAO,MAAM,IAAI,MAAM,MAAM,UAAU,SAAS;AAExD,QAAM,YAAY,KAAK,IAAI,GAAG,QAAQ,KAAK;AAC3C,QAAM,UAAU,SAAS;AAEzB,SAAO;AAAA,IACL;AAAA,IACA,MAAM,EAAE,OAAO,WAAW,MAAM;AAAA,EAClC;AACF;AA6BO,IAAM,cAAc,CACzB,YACyB;AAEzB,QAAM,OAAO;AAAA,IACX,OAAO;AAAA,IACP,UAAU;AAAA,IACV,WAAW;AAAA,IACX,OAAO;AAAA,IACP,cAAc;AAAA,IACd,SAAS;AAAA,IAGT,SAAS;AAAA,IACT,MAAM;AAAA,IAGN,wBAAwB;AAAA,IACxB,oBAAoB;AAAA,IACpB,eAAe;AAAA,IAGf,GAAG;AAAA,EACL;AAGA,QAAM,QAAQ,KAAK,UAAU,iBAAiB,IAAI,YAAY;AAG9D,MAAI,cAAc;AAElB,SAAO,eAAeA,aAAY,GAAG,MAAM;AAEzC,QAAI,CAAC,eAAe,MAAM,MAAM;AAC9B,YAAM,MAAM,KAAK,KAAK,QAAQ;AAC9B,oBAAc;AAAA,IAChB;AAGA,QAAI,KAAK,MAAM;AACb,YAAM,aAAa,MAAM,KAAK,KAAK,CAAC;AACpC,UAAI,YAAY;AACd,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAGA,UAAM,MAAM,MAAM,KAAK,aAAa,CAAC;AAGrC,UAAM,QACJ,OAAO,KAAK,UAAU,aAAa,MAAM,KAAK,MAAM,CAAC,IAAI,KAAK;AAGhE,UAAM,EAAE,SAAS,KAAK,IACpB,KAAK,cAAc,mBACf,MAAM,mBAAmB,OAAO,KAAK,OAAO,KAAK,QAAQ,IACzD,MAAM,iBAAiB,OAAO,KAAK,OAAO,KAAK,QAAQ;AAG7D,MAAE,IAAI,aAAa,IAAI;AAGvB,MAAE,IAAI,kBAAkB;AAAA,MACtB,QAAQ,MAAM,KAAK,KAAK,KAAK,MAAM,MAAM;AAAA,MACzC,UAAU,MAAM,SAAS,KAAK,KAAK;AAAA,IACrC,CAAC;AAGD,eAAW,GAAG,MAAM,KAAK,SAAS,KAAK,QAAQ;AAG/C,QAAI,CAAC,SAAS;AAEZ,UAAI,KAAK,eAAe;AACtB,cAAM,KAAK,cAAc,GAAG,IAAI;AAAA,MAClC;AAGA,UAAI,KAAK,SAAS;AAChB,eAAO,KAAK,QAAQ,GAAG,IAAI;AAAA,MAC7B;AACA,aAAO,sBAAsB,IAAI;AAAA,IACnC;AAGA,UAAM,KAAK;AAGX,QAAI,KAAK,0BAA0B,KAAK,oBAAoB;AAC1D,YAAM,SAAS,EAAE,IAAI;AACrB,YAAM,kBACH,KAAK,0BAA0B,UAAU,OAAO,SAAS,OACzD,KAAK,sBAAsB,UAAU;AAExC,UAAI,mBAAmB,MAAM,WAAW;AACtC,cAAM,cACJ,KAAK,MAAM,KAAK,IAAI,IAAI,KAAK,QAAQ,IAAI,KAAK;AAChD,cAAM,YAAY,GAAG,GAAG,IAAI,WAAW;AACvC,cAAM,MAAM,UAAU,SAAS;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AA0BO,IAAM,wBAAwB,CACnC,YACyB;AACzB,QAAM,EAAE,SAAS,cAAc,SAAS,KAAK,IAAI;AAEjD,SAAO,eAAeC,uBAAsB,GAAG,MAAM;AAEnD,QAAI,MAAM;AACR,YAAM,aAAa,MAAM,KAAK,CAAC;AAC/B,UAAI,YAAY;AACd,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAGA,UAAM,mBACJ,OAAO,YAAY,aAAa,QAAQ,CAAC,IAAI;AAG/C,UAAM,MAAM,MAAM,aAAa,CAAC;AAGhC,UAAM,EAAE,QAAQ,IAAI,MAAM,iBAAiB,MAAM,EAAE,IAAI,CAAC;AAExD,QAAI,CAAC,SAAS;AACZ,UAAI,SAAS;AACX,eAAO,QAAQ,CAAC;AAAA,MAClB;AACA,aAAO,IAAI,SAAS,uBAAuB;AAAA,QACzC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,aAAa;AAAA,MAC1C,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;","names":["rateLimiter","cloudflareRateLimiter"]}
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @module\n * Rate Limit Middleware for Hono.\n */\n\nimport type { Context, Env, MiddlewareHandler } from \"hono\";\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Rate limit information for a single request\n */\nexport type RateLimitInfo = {\n  /** Maximum requests allowed in window */\n  limit: number;\n  /** Remaining requests in current window */\n  remaining: number;\n  /** Unix timestamp (ms) when window resets */\n  reset: number;\n};\n\n/**\n * Result from store increment operation\n */\nexport type StoreResult = {\n  /** Current request count in window */\n  count: number;\n  /** When the window resets (Unix timestamp ms) */\n  reset: number;\n};\n\n/**\n * Quota unit for IETF standard headers.\n * @see https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/\n */\nexport type QuotaUnit = \"requests\" | \"content-bytes\" | \"concurrent-requests\";\n\n/**\n * Header format options.\n *\n * ## \"legacy\" (default)\n * Common X-RateLimit-* headers used by GitHub, Twitter, and most APIs:\n * - `X-RateLimit-Limit`: max requests in window\n * - `X-RateLimit-Remaining`: remaining requests\n * - `X-RateLimit-Reset`: Unix timestamp (seconds) when window resets\n *\n * ## \"draft-6\"\n * IETF draft-06 format with individual RateLimit-* headers:\n * - `RateLimit-Policy`: policy description (e.g., `100;w=60`)\n * - `RateLimit-Limit`: max requests\n * - `RateLimit-Remaining`: remaining requests\n * - `RateLimit-Reset`: seconds until reset\n *\n * ## \"draft-7\"\n * IETF draft-07 format with combined RateLimit header:\n * - `RateLimit-Policy`: policy description\n * - `RateLimit`: combined (e.g., `limit=100, remaining=50, reset=30`)\n *\n * ## \"standard\"\n * Current IETF draft-08+ format with structured field values (RFC 9651):\n * - `RateLimit-Policy`: `\"name\";q=100;w=60`\n * - `RateLimit`: `\"name\";r=50;t=30`\n *\n * ## false\n * Disable all rate limit headers.\n *\n * @see https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/\n */\nexport type HeadersFormat =\n  | \"legacy\" // X-RateLimit-* headers (GitHub/Twitter style)\n  | \"draft-6\" // IETF draft-06: individual RateLimit-* headers\n  | \"draft-7\" // IETF draft-07: combined RateLimit header\n  | \"standard\" // IETF draft-08+: structured field format (current)\n  | false; // Disable headers\n\n/**\n * Rate limit algorithm\n */\nexport type Algorithm = \"fixed-window\" | \"sliding-window\";\n\n/**\n * Store interface for rate limit state\n */\nexport type RateLimitStore = {\n  /**\n   * Initialize store. Called once before first use.\n   */\n  init?: (windowMs: number) => void | Promise<void>;\n\n  /**\n   * Increment counter for key and return current state.\n   */\n  increment: (key: string) => StoreResult | Promise<StoreResult>;\n\n  /**\n   * Decrement counter for key.\n   */\n  decrement?: (key: string) => void | Promise<void>;\n\n  /**\n   * Reset a specific key.\n   */\n  resetKey: (key: string) => void | Promise<void>;\n\n  /**\n   * Reset all keys.\n   */\n  resetAll?: () => void | Promise<void>;\n\n  /**\n   * Get current state for key.\n   */\n  get?: (\n    key: string,\n  ) => StoreResult | Promise<StoreResult | undefined> | undefined;\n\n  /**\n   * Graceful shutdown.\n   */\n  shutdown?: () => void | Promise<void>;\n};\n\n/**\n * Store access interface exposed in context\n */\nexport type RateLimitStoreAccess = {\n  /** Get rate limit info for a key */\n  getKey: (\n    key: string,\n  ) => StoreResult | Promise<StoreResult | undefined> | undefined;\n  /** Reset rate limit for a key */\n  resetKey: (key: string) => void | Promise<void>;\n};\n\n/**\n * Options for rate limit middleware\n */\nexport type RateLimitOptions<E extends Env = Env> = {\n  /**\n   * Maximum requests allowed in the time window.\n   * @default 60\n   */\n  limit?: number | ((c: Context<E>) => number | Promise<number>);\n\n  /**\n   * Time window in milliseconds.\n   * @default 60000 (1 minute)\n   */\n  windowMs?: number;\n\n  /**\n   * Rate limiting algorithm.\n   * @default 'sliding-window'\n   */\n  algorithm?: Algorithm;\n\n  /**\n   * Storage backend for rate limit state.\n   * @default MemoryStore\n   */\n  store?: RateLimitStore;\n\n  /**\n   * Generate unique key for each client.\n   * @default IP address from headers\n   */\n  keyGenerator?: (c: Context<E>) => string | Promise<string>;\n\n  /**\n   * Handler called when rate limit is exceeded.\n   */\n  handler?: (\n    c: Context<E>,\n    info: RateLimitInfo,\n  ) => Response | Promise<Response>;\n\n  /**\n   * HTTP header format to use.\n   *\n   * - \"legacy\": X-RateLimit-* headers (GitHub/Twitter style, default)\n   * - \"draft-6\": IETF draft-06 individual headers\n   * - \"draft-7\": IETF draft-07 combined header\n   * - \"standard\": IETF draft-08+ structured fields (current spec)\n   * - false: Disable headers\n   *\n   * @default 'legacy'\n   */\n  headers?: HeadersFormat;\n\n  /**\n   * Policy identifier for IETF headers (draft-6+).\n   * Used in RateLimit and RateLimit-Policy headers.\n   * @default 'default'\n   */\n  identifier?: string;\n\n  /**\n   * Quota unit for IETF standard headers.\n   * Only included in \"standard\" format when not \"requests\".\n   * @default 'requests'\n   */\n  quotaUnit?: QuotaUnit;\n\n  /**\n   * Skip rate limiting for certain requests.\n   */\n  skip?: (c: Context<E>) => boolean | Promise<boolean>;\n\n  /**\n   * Don't count successful (2xx) requests against limit.\n   * @default false\n   */\n  skipSuccessfulRequests?: boolean;\n\n  /**\n   * Don't count failed (4xx, 5xx) requests against limit.\n   * @default false\n   */\n  skipFailedRequests?: boolean;\n\n  /**\n   * Callback when a request is rate limited.\n   */\n  onRateLimited?: (c: Context<E>, info: RateLimitInfo) => void | Promise<void>;\n\n  /**\n   * Behavior when store operations fail.\n   *\n   * - 'allow': Allow the request through (fail-open, default)\n   * - 'deny': Block the request with 500 error (fail-closed)\n   * - Function: Custom handler returning true to allow, false to deny\n   *\n   * @default 'allow'\n   */\n  onStoreError?:\n    | \"allow\"\n    | \"deny\"\n    | ((error: Error, c: Context<E>) => boolean | Promise<boolean>);\n};\n\n/**\n * Cloudflare Rate Limiting binding interface\n */\nexport type RateLimitBinding = {\n  limit: (options: { key: string }) => Promise<{ success: boolean }>;\n};\n\n/**\n * Options for Cloudflare Rate Limiting binding\n */\nexport type CloudflareRateLimitOptions<E extends Env = Env> = {\n  /**\n   * Cloudflare Rate Limiting binding from env\n   */\n  binding: RateLimitBinding | ((c: Context<E>) => RateLimitBinding);\n\n  /**\n   * Generate unique key for each client.\n   */\n  keyGenerator: (c: Context<E>) => string | Promise<string>;\n\n  /**\n   * Handler called when rate limit is exceeded.\n   */\n  handler?: (c: Context<E>) => Response | Promise<Response>;\n\n  /**\n   * Skip rate limiting for certain requests.\n   */\n  skip?: (c: Context<E>) => boolean | Promise<boolean>;\n};\n\n// ============================================================================\n// Context Variable Type Extension\n// ============================================================================\n\ndeclare module \"hono\" {\n  interface ContextVariableMap {\n    rateLimit?: RateLimitInfo;\n    rateLimitStore?: RateLimitStoreAccess;\n  }\n}\n\n// ============================================================================\n// Memory Store\n// ============================================================================\n\ntype MemoryEntry = {\n  count: number;\n  reset: number;\n};\n\n/**\n * In-memory store for rate limiting.\n * Suitable for single-instance deployments.\n */\nexport class MemoryStore implements RateLimitStore {\n  private entries = new Map<string, MemoryEntry>();\n  private windowMs = 60_000;\n  private cleanupTimer?: ReturnType<typeof setInterval>;\n\n  init(windowMs: number): void {\n    this.windowMs = windowMs;\n\n    // Cleanup expired entries every minute\n    this.cleanupTimer = setInterval(() => {\n      const now = Date.now();\n      for (const [key, entry] of this.entries) {\n        if (entry.reset <= now) {\n          this.entries.delete(key);\n        }\n      }\n    }, 60_000);\n\n    // Don't keep process alive for cleanup\n    if (typeof this.cleanupTimer.unref === \"function\") {\n      this.cleanupTimer.unref();\n    }\n  }\n\n  increment(key: string): StoreResult {\n    const now = Date.now();\n    const existing = this.entries.get(key);\n\n    if (!existing || existing.reset <= now) {\n      // New window\n      const reset = now + this.windowMs;\n      this.entries.set(key, { count: 1, reset });\n      return { count: 1, reset };\n    }\n\n    // Increment existing\n    existing.count++;\n    return { count: existing.count, reset: existing.reset };\n  }\n\n  get(key: string): StoreResult | undefined {\n    const entry = this.entries.get(key);\n    if (!entry || entry.reset <= Date.now()) {\n      return undefined;\n    }\n    return { count: entry.count, reset: entry.reset };\n  }\n\n  decrement(key: string): void {\n    const entry = this.entries.get(key);\n    if (entry && entry.count > 0) {\n      entry.count--;\n    }\n  }\n\n  resetKey(key: string): void {\n    this.entries.delete(key);\n  }\n\n  resetAll(): void {\n    this.entries.clear();\n  }\n\n  shutdown(): void {\n    if (this.cleanupTimer) {\n      clearInterval(this.cleanupTimer);\n    }\n    this.entries.clear();\n  }\n}\n\n// Singleton default store\nlet defaultStore: MemoryStore | undefined;\n\n/**\n * Shutdown the default memory store.\n * Call this during graceful shutdown to clean up timers.\n *\n * @example\n * ```ts\n * import { shutdownDefaultStore } from '@jellyfungus/hono-rate-limiter'\n *\n * process.on('SIGTERM', () => {\n *   shutdownDefaultStore()\n *   process.exit(0)\n * })\n * ```\n */\nexport function shutdownDefaultStore(): void {\n  if (defaultStore) {\n    defaultStore.shutdown();\n    defaultStore = undefined;\n  }\n}\n\n// ============================================================================\n// Header Generation\n// ============================================================================\n\n/**\n * Set rate limit response headers based on the configured format.\n *\n * @see https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/\n */\nfunction setHeaders(\n  c: Context,\n  info: RateLimitInfo,\n  format: HeadersFormat,\n  windowMs: number,\n  identifier: string,\n  quotaUnit: QuotaUnit,\n): void {\n  if (format === false) {\n    return;\n  }\n\n  const windowSeconds = Math.ceil(windowMs / 1000);\n  const resetSeconds = Math.max(0, Math.ceil((info.reset - Date.now()) / 1000));\n  const safeId = sanitizeIdentifier(identifier);\n\n  switch (format) {\n    case \"standard\":\n      // IETF draft-08+ (current): Structured field values per RFC 9651\n      // RateLimit-Policy: describes the quota policy\n      // Format: \"name\";q=<quota>;w=<window>[;qu=\"<unit>\"]\n      {\n        let policy = `\"${safeId}\";q=${info.limit};w=${windowSeconds}`;\n        if (quotaUnit !== \"requests\") {\n          policy += `;qu=\"${quotaUnit}\"`;\n        }\n        c.header(\"RateLimit-Policy\", policy);\n        // RateLimit: describes current service limits\n        // Format: \"name\";r=<remaining>;t=<reset>\n        c.header(\n          \"RateLimit\",\n          `\"${safeId}\";r=${info.remaining};t=${resetSeconds}`,\n        );\n      }\n      break;\n\n    case \"draft-7\":\n      // IETF draft-07: Combined RateLimit header with comma-separated values\n      c.header(\"RateLimit-Policy\", `${info.limit};w=${windowSeconds}`);\n      c.header(\n        \"RateLimit\",\n        `limit=${info.limit}, remaining=${info.remaining}, reset=${resetSeconds}`,\n      );\n      break;\n\n    case \"draft-6\":\n      // IETF draft-06: Individual RateLimit-* headers\n      c.header(\"RateLimit-Policy\", `${info.limit};w=${windowSeconds}`);\n      c.header(\"RateLimit-Limit\", String(info.limit));\n      c.header(\"RateLimit-Remaining\", String(info.remaining));\n      c.header(\"RateLimit-Reset\", String(resetSeconds));\n      break;\n\n    case \"legacy\":\n    default:\n      // Common X-RateLimit-* headers (GitHub, Twitter, most APIs)\n      // Uses Unix timestamp for reset (seconds since epoch)\n      c.header(\"X-RateLimit-Limit\", String(info.limit));\n      c.header(\"X-RateLimit-Remaining\", String(info.remaining));\n      c.header(\"X-RateLimit-Reset\", String(Math.ceil(info.reset / 1000)));\n      break;\n  }\n}\n\n// ============================================================================\n// Identifier Sanitization\n// ============================================================================\n\n/**\n * Sanitize identifier for RFC 9651 structured field compliance.\n * Identifiers are used in the RateLimit and RateLimit-Policy headers.\n */\nfunction sanitizeIdentifier(id: string): string {\n  if (!id || typeof id !== \"string\") {\n    return \"default\";\n  }\n  // RFC 9651 tokens: Only allow alphanumeric, underscore, hyphen, dot, colon, asterisk, slash\n  // Must start with a letter\n  const sanitized = id.replace(/[^a-zA-Z0-9_\\-.:*/]/g, \"-\");\n  if (!sanitized || !/^[a-zA-Z]/.test(sanitized)) {\n    return \"default\";\n  }\n  return sanitized;\n}\n\n// ============================================================================\n// Default Key Generator\n// ============================================================================\n\nfunction getClientIP(c: Context): string {\n  // Platform-specific headers (most reliable)\n  const cfIP = c.req.header(\"cf-connecting-ip\");\n  if (cfIP) {\n    return cfIP;\n  }\n\n  const xRealIP = c.req.header(\"x-real-ip\");\n  if (xRealIP) {\n    return xRealIP;\n  }\n\n  // X-Forwarded-For - take first IP\n  const xff = c.req.header(\"x-forwarded-for\");\n  if (xff) {\n    return xff.split(\",\")[0].trim();\n  }\n\n  return \"unknown\";\n}\n\n// ============================================================================\n// Default Handler\n// ============================================================================\n\n/**\n * Build headers object for rate limit responses.\n * This ensures headers are included in both custom and default responses.\n */\nfunction buildRateLimitHeaders(\n  info: RateLimitInfo,\n  format: HeadersFormat,\n  windowMs: number,\n  identifier: string,\n  quotaUnit: QuotaUnit,\n): Record<string, string> {\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"text/plain\",\n    \"Retry-After\": String(\n      Math.max(0, Math.ceil((info.reset - Date.now()) / 1000)),\n    ),\n  };\n\n  if (format === false) {\n    return headers;\n  }\n\n  const windowSeconds = Math.ceil(windowMs / 1000);\n  const resetSeconds = Math.max(0, Math.ceil((info.reset - Date.now()) / 1000));\n  const safeId = sanitizeIdentifier(identifier);\n\n  switch (format) {\n    case \"standard\": {\n      let policy = `\"${safeId}\";q=${info.limit};w=${windowSeconds}`;\n      if (quotaUnit !== \"requests\") {\n        policy += `;qu=\"${quotaUnit}\"`;\n      }\n      headers[\"RateLimit-Policy\"] = policy;\n      headers[\"RateLimit\"] =\n        `\"${safeId}\";r=${info.remaining};t=${resetSeconds}`;\n      break;\n    }\n    case \"draft-7\":\n      headers[\"RateLimit-Policy\"] = `${info.limit};w=${windowSeconds}`;\n      headers[\"RateLimit\"] =\n        `limit=${info.limit}, remaining=${info.remaining}, reset=${resetSeconds}`;\n      break;\n    case \"draft-6\":\n      headers[\"RateLimit-Policy\"] = `${info.limit};w=${windowSeconds}`;\n      headers[\"RateLimit-Limit\"] = String(info.limit);\n      headers[\"RateLimit-Remaining\"] = String(info.remaining);\n      headers[\"RateLimit-Reset\"] = String(resetSeconds);\n      break;\n    case \"legacy\":\n    default:\n      headers[\"X-RateLimit-Limit\"] = String(info.limit);\n      headers[\"X-RateLimit-Remaining\"] = String(info.remaining);\n      headers[\"X-RateLimit-Reset\"] = String(Math.ceil(info.reset / 1000));\n      break;\n  }\n\n  return headers;\n}\n\nfunction createDefaultResponse(\n  info: RateLimitInfo,\n  format: HeadersFormat,\n  windowMs: number,\n  identifier: string,\n  quotaUnit: QuotaUnit,\n): Response {\n  const headers = buildRateLimitHeaders(\n    info,\n    format,\n    windowMs,\n    identifier,\n    quotaUnit,\n  );\n\n  return new Response(\"Rate limit exceeded\", {\n    status: 429,\n    headers,\n  });\n}\n\n// ============================================================================\n// Sliding Window Algorithm\n// ============================================================================\n\nasync function checkSlidingWindow(\n  store: RateLimitStore,\n  key: string,\n  limit: number,\n  windowMs: number,\n): Promise<{ allowed: boolean; info: RateLimitInfo }> {\n  const now = Date.now();\n  const currentWindowStart = Math.floor(now / windowMs) * windowMs;\n  const previousWindowStart = currentWindowStart - windowMs;\n\n  const previousKey = `${key}:${previousWindowStart}`;\n  const currentKey = `${key}:${currentWindowStart}`;\n\n  // Increment current window\n  const current = await store.increment(currentKey);\n\n  // Get previous window (may not exist)\n  let previousCount = 0;\n  if (store.get) {\n    const prev = await store.get(previousKey);\n    previousCount = prev?.count ?? 0;\n  }\n\n  // Cloudflare's weighted formula\n  const elapsedMs = now - currentWindowStart;\n  const weight = (windowMs - elapsedMs) / windowMs;\n  const estimatedCount = Math.floor(previousCount * weight) + current.count;\n\n  const remaining = Math.max(0, limit - estimatedCount);\n  const allowed = estimatedCount <= limit;\n  const reset = currentWindowStart + windowMs;\n\n  return {\n    allowed,\n    info: { limit, remaining, reset },\n  };\n}\n\n// ============================================================================\n// Fixed Window Algorithm\n// ============================================================================\n\nasync function checkFixedWindow(\n  store: RateLimitStore,\n  key: string,\n  limit: number,\n  windowMs: number,\n): Promise<{ allowed: boolean; info: RateLimitInfo }> {\n  const now = Date.now();\n  const windowStart = Math.floor(now / windowMs) * windowMs;\n  const windowKey = `${key}:${windowStart}`;\n\n  const { count, reset } = await store.increment(windowKey);\n\n  const remaining = Math.max(0, limit - count);\n  const allowed = count <= limit;\n\n  return {\n    allowed,\n    info: { limit, remaining, reset },\n  };\n}\n\n// ============================================================================\n// Main Middleware\n// ============================================================================\n\n/**\n * Rate Limit Middleware for Hono.\n *\n * @param {RateLimitOptions} [options] - Configuration options\n * @returns {MiddlewareHandler} Middleware handler\n *\n * @example\n * ```ts\n * import { Hono } from 'hono'\n * import { rateLimiter } from '@jellyfungus/hono-rate-limiter'\n *\n * const app = new Hono()\n *\n * // Basic usage - 60 requests per minute\n * app.use(rateLimiter())\n *\n * // Custom configuration\n * app.use('/api/*', rateLimiter({\n *   limit: 100,\n *   windowMs: 60 * 1000,\n * }))\n * ```\n */\nexport const rateLimiter = <E extends Env = Env>(\n  options?: RateLimitOptions<E>,\n): MiddlewareHandler<E> => {\n  // Merge with defaults\n  const opts = {\n    limit: 60 as number | ((c: Context<E>) => number | Promise<number>),\n    windowMs: 60_000,\n    algorithm: \"sliding-window\" as Algorithm,\n    store: undefined as RateLimitStore | undefined,\n    keyGenerator: getClientIP as (c: Context<E>) => string | Promise<string>,\n    handler: undefined as\n      | ((c: Context<E>, info: RateLimitInfo) => Response | Promise<Response>)\n      | undefined,\n    headers: \"legacy\" as HeadersFormat,\n    identifier: \"default\",\n    quotaUnit: \"requests\" as QuotaUnit,\n    skip: undefined as\n      | ((c: Context<E>) => boolean | Promise<boolean>)\n      | undefined,\n    skipSuccessfulRequests: false,\n    skipFailedRequests: false,\n    onRateLimited: undefined as\n      | ((c: Context<E>, info: RateLimitInfo) => void | Promise<void>)\n      | undefined,\n    onStoreError: \"allow\" as\n      | \"allow\"\n      | \"deny\"\n      | ((error: Error, c: Context<E>) => boolean | Promise<boolean>),\n    ...options,\n  };\n\n  // Use default store if none provided\n  const store = opts.store ?? (defaultStore ??= new MemoryStore());\n\n  // Track initialization\n  let initPromise: Promise<void> | null = null;\n\n  /**\n   * Handle store errors based on configuration.\n   * @returns true to allow request, false to deny\n   */\n  async function handleStoreError(\n    error: Error,\n    c: Context<E>,\n  ): Promise<boolean> {\n    if (typeof opts.onStoreError === \"function\") {\n      return opts.onStoreError(error, c);\n    }\n    // Default: fail-open (allow request through)\n    return opts.onStoreError === \"allow\";\n  }\n\n  return async function rateLimiter(c, next) {\n    // Initialize store on first request (with proper locking)\n    if (!initPromise && store.init) {\n      const result = store.init(opts.windowMs);\n      // Handle both sync and async init\n      initPromise = result instanceof Promise ? result : Promise.resolve();\n    }\n    if (initPromise) {\n      try {\n        await initPromise;\n      } catch (error) {\n        const shouldAllow = await handleStoreError(\n          error instanceof Error ? error : new Error(String(error)),\n          c,\n        );\n        if (shouldAllow) {\n          return next();\n        }\n        return new Response(\"Rate limiter initialization failed\", {\n          status: 500,\n        });\n      }\n    }\n\n    // Check if should skip\n    if (opts.skip) {\n      const shouldSkip = await opts.skip(c);\n      if (shouldSkip) {\n        return next();\n      }\n    }\n\n    // Generate key\n    const key = await opts.keyGenerator(c);\n\n    // Get limit (may be dynamic)\n    const limit =\n      typeof opts.limit === \"function\" ? await opts.limit(c) : opts.limit;\n\n    // Check rate limit with error handling\n    let allowed: boolean;\n    let info: RateLimitInfo;\n\n    try {\n      const result =\n        opts.algorithm === \"sliding-window\"\n          ? await checkSlidingWindow(store, key, limit, opts.windowMs)\n          : await checkFixedWindow(store, key, limit, opts.windowMs);\n      allowed = result.allowed;\n      info = result.info;\n    } catch (error) {\n      const shouldAllow = await handleStoreError(\n        error instanceof Error ? error : new Error(String(error)),\n        c,\n      );\n      if (shouldAllow) {\n        return next();\n      }\n      return new Response(\"Rate limiter error\", { status: 500 });\n    }\n\n    // Set context variable for downstream middleware\n    c.set(\"rateLimit\", info);\n\n    // Expose store access in context\n    c.set(\"rateLimitStore\", {\n      getKey: store.get?.bind(store) ?? (() => undefined),\n      resetKey: store.resetKey.bind(store),\n    });\n\n    // Set headers\n    setHeaders(\n      c,\n      info,\n      opts.headers,\n      opts.windowMs,\n      opts.identifier,\n      opts.quotaUnit,\n    );\n\n    // Handle rate limited\n    if (!allowed) {\n      // Fire callback\n      if (opts.onRateLimited) {\n        await opts.onRateLimited(c, info);\n      }\n\n      // Custom handler or default\n      if (opts.handler) {\n        return opts.handler(c, info);\n      }\n      return createDefaultResponse(\n        info,\n        opts.headers,\n        opts.windowMs,\n        opts.identifier,\n        opts.quotaUnit,\n      );\n    }\n\n    // Continue\n    await next();\n\n    // Handle skip options after response\n    if (opts.skipSuccessfulRequests || opts.skipFailedRequests) {\n      const status = c.res.status;\n      const shouldDecrement =\n        (opts.skipSuccessfulRequests && status >= 200 && status < 300) ||\n        (opts.skipFailedRequests && status >= 400);\n\n      if (shouldDecrement && store.decrement) {\n        const windowStart =\n          Math.floor(Date.now() / opts.windowMs) * opts.windowMs;\n        const windowKey = `${key}:${windowStart}`;\n        try {\n          await store.decrement(windowKey);\n        } catch {\n          // Ignore decrement errors - request already processed\n        }\n      }\n    }\n  };\n};\n\n// ============================================================================\n// Cloudflare Rate Limiting Binding Middleware\n// ============================================================================\n\n/**\n * Rate limiter using Cloudflare's built-in Rate Limiting binding.\n *\n * This uses Cloudflare's globally distributed rate limiting infrastructure,\n * which is ideal for high-traffic applications.\n *\n * @example\n * ```ts\n * import { cloudflareRateLimiter } from '@jellyfungus/hono-rate-limiter'\n *\n * type Bindings = { RATE_LIMITER: RateLimitBinding }\n *\n * const app = new Hono<{ Bindings: Bindings }>()\n *\n * app.use(cloudflareRateLimiter({\n *   binding: (c) => c.env.RATE_LIMITER,\n *   keyGenerator: (c) => c.req.header('cf-connecting-ip') ?? 'unknown',\n * }))\n * ```\n */\nexport const cloudflareRateLimiter = <E extends Env = Env>(\n  options: CloudflareRateLimitOptions<E>,\n): MiddlewareHandler<E> => {\n  const { binding, keyGenerator, handler, skip } = options;\n\n  return async function cloudflareRateLimiter(c, next) {\n    // Check if should skip\n    if (skip) {\n      const shouldSkip = await skip(c);\n      if (shouldSkip) {\n        return next();\n      }\n    }\n\n    // Get binding (may be dynamic)\n    const rateLimitBinding =\n      typeof binding === \"function\" ? binding(c) : binding;\n\n    // Generate key\n    const key = await keyGenerator(c);\n\n    // Check rate limit\n    const { success } = await rateLimitBinding.limit({ key });\n\n    if (!success) {\n      if (handler) {\n        return handler(c);\n      }\n      return new Response(\"Rate limit exceeded\", {\n        status: 429,\n        headers: { \"Content-Type\": \"text/plain\" },\n      });\n    }\n\n    return next();\n  };\n};\n\n// ============================================================================\n// Exports\n// ============================================================================\n\nexport { getClientIP };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0SO,IAAM,cAAN,MAA4C;AAAA,EACzC,UAAU,oBAAI,IAAyB;AAAA,EACvC,WAAW;AAAA,EACX;AAAA,EAER,KAAK,UAAwB;AAC3B,SAAK,WAAW;AAGhB,SAAK,eAAe,YAAY,MAAM;AACpC,YAAM,MAAM,KAAK,IAAI;AACrB,iBAAW,CAAC,KAAK,KAAK,KAAK,KAAK,SAAS;AACvC,YAAI,MAAM,SAAS,KAAK;AACtB,eAAK,QAAQ,OAAO,GAAG;AAAA,QACzB;AAAA,MACF;AAAA,IACF,GAAG,GAAM;AAGT,QAAI,OAAO,KAAK,aAAa,UAAU,YAAY;AACjD,WAAK,aAAa,MAAM;AAAA,IAC1B;AAAA,EACF;AAAA,EAEA,UAAU,KAA0B;AAClC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK,QAAQ,IAAI,GAAG;AAErC,QAAI,CAAC,YAAY,SAAS,SAAS,KAAK;AAEtC,YAAM,QAAQ,MAAM,KAAK;AACzB,WAAK,QAAQ,IAAI,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC;AACzC,aAAO,EAAE,OAAO,GAAG,MAAM;AAAA,IAC3B;AAGA,aAAS;AACT,WAAO,EAAE,OAAO,SAAS,OAAO,OAAO,SAAS,MAAM;AAAA,EACxD;AAAA,EAEA,IAAI,KAAsC;AACxC,UAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,QAAI,CAAC,SAAS,MAAM,SAAS,KAAK,IAAI,GAAG;AACvC,aAAO;AAAA,IACT;AACA,WAAO,EAAE,OAAO,MAAM,OAAO,OAAO,MAAM,MAAM;AAAA,EAClD;AAAA,EAEA,UAAU,KAAmB;AAC3B,UAAM,QAAQ,KAAK,QAAQ,IAAI,GAAG;AAClC,QAAI,SAAS,MAAM,QAAQ,GAAG;AAC5B,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,SAAS,KAAmB;AAC1B,SAAK,QAAQ,OAAO,GAAG;AAAA,EACzB;AAAA,EAEA,WAAiB;AACf,SAAK,QAAQ,MAAM;AAAA,EACrB;AAAA,EAEA,WAAiB;AACf,QAAI,KAAK,cAAc;AACrB,oBAAc,KAAK,YAAY;AAAA,IACjC;AACA,SAAK,QAAQ,MAAM;AAAA,EACrB;AACF;AAGA,IAAI;AAgBG,SAAS,uBAA6B;AAC3C,MAAI,cAAc;AAChB,iBAAa,SAAS;AACtB,mBAAe;AAAA,EACjB;AACF;AAWA,SAAS,WACP,GACA,MACA,QACA,UACA,YACA,WACM;AACN,MAAI,WAAW,OAAO;AACpB;AAAA,EACF;AAEA,QAAM,gBAAgB,KAAK,KAAK,WAAW,GAAI;AAC/C,QAAM,eAAe,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,QAAQ,KAAK,IAAI,KAAK,GAAI,CAAC;AAC5E,QAAM,SAAS,mBAAmB,UAAU;AAE5C,UAAQ,QAAQ;AAAA,IACd,KAAK;AAIH;AACE,YAAI,SAAS,IAAI,MAAM,OAAO,KAAK,KAAK,MAAM,aAAa;AAC3D,YAAI,cAAc,YAAY;AAC5B,oBAAU,QAAQ,SAAS;AAAA,QAC7B;AACA,UAAE,OAAO,oBAAoB,MAAM;AAGnC,UAAE;AAAA,UACA;AAAA,UACA,IAAI,MAAM,OAAO,KAAK,SAAS,MAAM,YAAY;AAAA,QACnD;AAAA,MACF;AACA;AAAA,IAEF,KAAK;AAEH,QAAE,OAAO,oBAAoB,GAAG,KAAK,KAAK,MAAM,aAAa,EAAE;AAC/D,QAAE;AAAA,QACA;AAAA,QACA,SAAS,KAAK,KAAK,eAAe,KAAK,SAAS,WAAW,YAAY;AAAA,MACzE;AACA;AAAA,IAEF,KAAK;AAEH,QAAE,OAAO,oBAAoB,GAAG,KAAK,KAAK,MAAM,aAAa,EAAE;AAC/D,QAAE,OAAO,mBAAmB,OAAO,KAAK,KAAK,CAAC;AAC9C,QAAE,OAAO,uBAAuB,OAAO,KAAK,SAAS,CAAC;AACtD,QAAE,OAAO,mBAAmB,OAAO,YAAY,CAAC;AAChD;AAAA,IAEF,KAAK;AAAA,IACL;AAGE,QAAE,OAAO,qBAAqB,OAAO,KAAK,KAAK,CAAC;AAChD,QAAE,OAAO,yBAAyB,OAAO,KAAK,SAAS,CAAC;AACxD,QAAE,OAAO,qBAAqB,OAAO,KAAK,KAAK,KAAK,QAAQ,GAAI,CAAC,CAAC;AAClE;AAAA,EACJ;AACF;AAUA,SAAS,mBAAmB,IAAoB;AAC9C,MAAI,CAAC,MAAM,OAAO,OAAO,UAAU;AACjC,WAAO;AAAA,EACT;AAGA,QAAM,YAAY,GAAG,QAAQ,wBAAwB,GAAG;AACxD,MAAI,CAAC,aAAa,CAAC,YAAY,KAAK,SAAS,GAAG;AAC9C,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAMA,SAAS,YAAY,GAAoB;AAEvC,QAAM,OAAO,EAAE,IAAI,OAAO,kBAAkB;AAC5C,MAAI,MAAM;AACR,WAAO;AAAA,EACT;AAEA,QAAM,UAAU,EAAE,IAAI,OAAO,WAAW;AACxC,MAAI,SAAS;AACX,WAAO;AAAA,EACT;AAGA,QAAM,MAAM,EAAE,IAAI,OAAO,iBAAiB;AAC1C,MAAI,KAAK;AACP,WAAO,IAAI,MAAM,GAAG,EAAE,CAAC,EAAE,KAAK;AAAA,EAChC;AAEA,SAAO;AACT;AAUA,SAAS,sBACP,MACA,QACA,UACA,YACA,WACwB;AACxB,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,eAAe;AAAA,MACb,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,QAAQ,KAAK,IAAI,KAAK,GAAI,CAAC;AAAA,IACzD;AAAA,EACF;AAEA,MAAI,WAAW,OAAO;AACpB,WAAO;AAAA,EACT;AAEA,QAAM,gBAAgB,KAAK,KAAK,WAAW,GAAI;AAC/C,QAAM,eAAe,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,QAAQ,KAAK,IAAI,KAAK,GAAI,CAAC;AAC5E,QAAM,SAAS,mBAAmB,UAAU;AAE5C,UAAQ,QAAQ;AAAA,IACd,KAAK,YAAY;AACf,UAAI,SAAS,IAAI,MAAM,OAAO,KAAK,KAAK,MAAM,aAAa;AAC3D,UAAI,cAAc,YAAY;AAC5B,kBAAU,QAAQ,SAAS;AAAA,MAC7B;AACA,cAAQ,kBAAkB,IAAI;AAC9B,cAAQ,WAAW,IACjB,IAAI,MAAM,OAAO,KAAK,SAAS,MAAM,YAAY;AACnD;AAAA,IACF;AAAA,IACA,KAAK;AACH,cAAQ,kBAAkB,IAAI,GAAG,KAAK,KAAK,MAAM,aAAa;AAC9D,cAAQ,WAAW,IACjB,SAAS,KAAK,KAAK,eAAe,KAAK,SAAS,WAAW,YAAY;AACzE;AAAA,IACF,KAAK;AACH,cAAQ,kBAAkB,IAAI,GAAG,KAAK,KAAK,MAAM,aAAa;AAC9D,cAAQ,iBAAiB,IAAI,OAAO,KAAK,KAAK;AAC9C,cAAQ,qBAAqB,IAAI,OAAO,KAAK,SAAS;AACtD,cAAQ,iBAAiB,IAAI,OAAO,YAAY;AAChD;AAAA,IACF,KAAK;AAAA,IACL;AACE,cAAQ,mBAAmB,IAAI,OAAO,KAAK,KAAK;AAChD,cAAQ,uBAAuB,IAAI,OAAO,KAAK,SAAS;AACxD,cAAQ,mBAAmB,IAAI,OAAO,KAAK,KAAK,KAAK,QAAQ,GAAI,CAAC;AAClE;AAAA,EACJ;AAEA,SAAO;AACT;AAEA,SAAS,sBACP,MACA,QACA,UACA,YACA,WACU;AACV,QAAM,UAAU;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,uBAAuB;AAAA,IACzC,QAAQ;AAAA,IACR;AAAA,EACF,CAAC;AACH;AAMA,eAAe,mBACb,OACA,KACA,OACA,UACoD;AACpD,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,qBAAqB,KAAK,MAAM,MAAM,QAAQ,IAAI;AACxD,QAAM,sBAAsB,qBAAqB;AAEjD,QAAM,cAAc,GAAG,GAAG,IAAI,mBAAmB;AACjD,QAAM,aAAa,GAAG,GAAG,IAAI,kBAAkB;AAG/C,QAAM,UAAU,MAAM,MAAM,UAAU,UAAU;AAGhD,MAAI,gBAAgB;AACpB,MAAI,MAAM,KAAK;AACb,UAAM,OAAO,MAAM,MAAM,IAAI,WAAW;AACxC,oBAAgB,MAAM,SAAS;AAAA,EACjC;AAGA,QAAM,YAAY,MAAM;AACxB,QAAM,UAAU,WAAW,aAAa;AACxC,QAAM,iBAAiB,KAAK,MAAM,gBAAgB,MAAM,IAAI,QAAQ;AAEpE,QAAM,YAAY,KAAK,IAAI,GAAG,QAAQ,cAAc;AACpD,QAAM,UAAU,kBAAkB;AAClC,QAAM,QAAQ,qBAAqB;AAEnC,SAAO;AAAA,IACL;AAAA,IACA,MAAM,EAAE,OAAO,WAAW,MAAM;AAAA,EAClC;AACF;AAMA,eAAe,iBACb,OACA,KACA,OACA,UACoD;AACpD,QAAM,MAAM,KAAK,IAAI;AACrB,QAAM,cAAc,KAAK,MAAM,MAAM,QAAQ,IAAI;AACjD,QAAM,YAAY,GAAG,GAAG,IAAI,WAAW;AAEvC,QAAM,EAAE,OAAO,MAAM,IAAI,MAAM,MAAM,UAAU,SAAS;AAExD,QAAM,YAAY,KAAK,IAAI,GAAG,QAAQ,KAAK;AAC3C,QAAM,UAAU,SAAS;AAEzB,SAAO;AAAA,IACL;AAAA,IACA,MAAM,EAAE,OAAO,WAAW,MAAM;AAAA,EAClC;AACF;AA6BO,IAAM,cAAc,CACzB,YACyB;AAEzB,QAAM,OAAO;AAAA,IACX,OAAO;AAAA,IACP,UAAU;AAAA,IACV,WAAW;AAAA,IACX,OAAO;AAAA,IACP,cAAc;AAAA,IACd,SAAS;AAAA,IAGT,SAAS;AAAA,IACT,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,MAAM;AAAA,IAGN,wBAAwB;AAAA,IACxB,oBAAoB;AAAA,IACpB,eAAe;AAAA,IAGf,cAAc;AAAA,IAId,GAAG;AAAA,EACL;AAGA,QAAM,QAAQ,KAAK,UAAU,iBAAiB,IAAI,YAAY;AAG9D,MAAI,cAAoC;AAMxC,iBAAe,iBACb,OACA,GACkB;AAClB,QAAI,OAAO,KAAK,iBAAiB,YAAY;AAC3C,aAAO,KAAK,aAAa,OAAO,CAAC;AAAA,IACnC;AAEA,WAAO,KAAK,iBAAiB;AAAA,EAC/B;AAEA,SAAO,eAAeA,aAAY,GAAG,MAAM;AAEzC,QAAI,CAAC,eAAe,MAAM,MAAM;AAC9B,YAAM,SAAS,MAAM,KAAK,KAAK,QAAQ;AAEvC,oBAAc,kBAAkB,UAAU,SAAS,QAAQ,QAAQ;AAAA,IACrE;AACA,QAAI,aAAa;AACf,UAAI;AACF,cAAM;AAAA,MACR,SAAS,OAAO;AACd,cAAM,cAAc,MAAM;AAAA,UACxB,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,UACxD;AAAA,QACF;AACA,YAAI,aAAa;AACf,iBAAO,KAAK;AAAA,QACd;AACA,eAAO,IAAI,SAAS,sCAAsC;AAAA,UACxD,QAAQ;AAAA,QACV,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,KAAK,MAAM;AACb,YAAM,aAAa,MAAM,KAAK,KAAK,CAAC;AACpC,UAAI,YAAY;AACd,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAGA,UAAM,MAAM,MAAM,KAAK,aAAa,CAAC;AAGrC,UAAM,QACJ,OAAO,KAAK,UAAU,aAAa,MAAM,KAAK,MAAM,CAAC,IAAI,KAAK;AAGhE,QAAI;AACJ,QAAI;AAEJ,QAAI;AACF,YAAM,SACJ,KAAK,cAAc,mBACf,MAAM,mBAAmB,OAAO,KAAK,OAAO,KAAK,QAAQ,IACzD,MAAM,iBAAiB,OAAO,KAAK,OAAO,KAAK,QAAQ;AAC7D,gBAAU,OAAO;AACjB,aAAO,OAAO;AAAA,IAChB,SAAS,OAAO;AACd,YAAM,cAAc,MAAM;AAAA,QACxB,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,QACxD;AAAA,MACF;AACA,UAAI,aAAa;AACf,eAAO,KAAK;AAAA,MACd;AACA,aAAO,IAAI,SAAS,sBAAsB,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3D;AAGA,MAAE,IAAI,aAAa,IAAI;AAGvB,MAAE,IAAI,kBAAkB;AAAA,MACtB,QAAQ,MAAM,KAAK,KAAK,KAAK,MAAM,MAAM;AAAA,MACzC,UAAU,MAAM,SAAS,KAAK,KAAK;AAAA,IACrC,CAAC;AAGD;AAAA,MACE;AAAA,MACA;AAAA,MACA,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AAGA,QAAI,CAAC,SAAS;AAEZ,UAAI,KAAK,eAAe;AACtB,cAAM,KAAK,cAAc,GAAG,IAAI;AAAA,MAClC;AAGA,UAAI,KAAK,SAAS;AAChB,eAAO,KAAK,QAAQ,GAAG,IAAI;AAAA,MAC7B;AACA,aAAO;AAAA,QACL;AAAA,QACA,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,MACP;AAAA,IACF;AAGA,UAAM,KAAK;AAGX,QAAI,KAAK,0BAA0B,KAAK,oBAAoB;AAC1D,YAAM,SAAS,EAAE,IAAI;AACrB,YAAM,kBACH,KAAK,0BAA0B,UAAU,OAAO,SAAS,OACzD,KAAK,sBAAsB,UAAU;AAExC,UAAI,mBAAmB,MAAM,WAAW;AACtC,cAAM,cACJ,KAAK,MAAM,KAAK,IAAI,IAAI,KAAK,QAAQ,IAAI,KAAK;AAChD,cAAM,YAAY,GAAG,GAAG,IAAI,WAAW;AACvC,YAAI;AACF,gBAAM,MAAM,UAAU,SAAS;AAAA,QACjC,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AA0BO,IAAM,wBAAwB,CACnC,YACyB;AACzB,QAAM,EAAE,SAAS,cAAc,SAAS,KAAK,IAAI;AAEjD,SAAO,eAAeC,uBAAsB,GAAG,MAAM;AAEnD,QAAI,MAAM;AACR,YAAM,aAAa,MAAM,KAAK,CAAC;AAC/B,UAAI,YAAY;AACd,eAAO,KAAK;AAAA,MACd;AAAA,IACF;AAGA,UAAM,mBACJ,OAAO,YAAY,aAAa,QAAQ,CAAC,IAAI;AAG/C,UAAM,MAAM,MAAM,aAAa,CAAC;AAGhC,UAAM,EAAE,QAAQ,IAAI,MAAM,iBAAiB,MAAM,EAAE,IAAI,CAAC;AAExD,QAAI,CAAC,SAAS;AACZ,UAAI,SAAS;AACX,eAAO,QAAQ,CAAC;AAAA,MAClB;AACA,aAAO,IAAI,SAAS,uBAAuB;AAAA,QACzC,QAAQ;AAAA,QACR,SAAS,EAAE,gBAAgB,aAAa;AAAA,MAC1C,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AACF;","names":["rateLimiter","cloudflareRateLimiter"]}