@joint-ops/hitlimit-bun 1.0.4 → 1.0.6

package/README.md

@@ -19,20 +19,22 @@
 ```
 ┌─────────────────────────────────────────────────────────────────┐
 │                                                                 │
-│  bun:sqlite         ████████████████████████████  520,000 ops/s │
-│  better-sqlite3     ██████████████████░░░░░░░░░░  400,000 ops/s │
+│  bun:sqlite         ████████████████████████░░░  386,000 ops/s  │
+│  better-sqlite3     ████████████████████████░░░  400,000 ops/s* │
 │                                                                 │
-│  bun:sqlite is 30% faster with zero FFI overhead                │
+│  *estimated - bun:sqlite has zero FFI overhead                  │
 │                                                                 │
 └─────────────────────────────────────────────────────────────────┘
 ```
 
 - **Bun Native** - Built specifically for Bun's runtime, not a Node.js port
-- **7.2M ops/sec** - Memory store performance
-- **520K ops/sec** - With bun:sqlite persistence
+- **6.1M ops/sec** - Memory store (multi-IP scenarios)
+- **386K ops/sec** - With bun:sqlite (multi-IP scenarios)
 - **Zero Config** - Works out of the box with sensible defaults
 - **Elysia Plugin** - First-class Elysia framework integration
 - **TypeScript First** - Full type safety and IntelliSense support
+- **Auto-Ban** - Automatically ban repeat offenders after threshold violations
+- **Shared Limits** - Group rate limits via groupId for teams/tenants
 - **Tiny Footprint** - ~23KB total, zero runtime dependencies
 
 ## Installation
@@ -141,6 +143,36 @@ hitlimit({
 }, handler)
 ```
 
+### Auto-Ban Repeat Offenders
+
+Automatically ban clients that repeatedly exceed rate limits.
+
+```typescript
+hitlimit({
+  limit: 10,
+  window: '1m',
+  ban: {
+    threshold: 5,  // Ban after 5 violations
+    duration: '1h' // Ban lasts 1 hour
+  }
+}, handler)
+```
+
+Banned clients receive `X-RateLimit-Ban: true` header and `banned: true` in the response body.
+
+### Grouped / Shared Limits
+
+Rate limit by organization, API key, or any shared identifier.
+
+```typescript
+// Per-API-key rate limiting
+hitlimit({
+  limit: 1000,
+  window: '1h',
+  group: (req) => req.headers.get('x-api-key') || 'anonymous'
+}, handler)
+```
+
 ### Elysia Route-Specific Limits
 
 Apply different limits to different route groups in Elysia.
@@ -213,7 +245,16 @@ hitlimit({
   onStoreError: (error, req) => {
     console.error('Store error:', error)
     return 'allow' // or 'deny'
-  }
+  },
+
+  // Ban repeat offenders
+  ban: {
+    threshold: 5,    // violations before ban
+    duration: '1h'   // ban duration
+  },
+
+  // Group/shared limits
+  group: (req) => req.headers.get('x-api-key') || 'default'
 }, handler)
 ```
 

package/dist/core/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,aAAa,EACb,YAAY,EACZ,cAAc,EACf,MAAM,2BAA2B,CAAA;AAGlC,wBAAgB,aAAa,CAAC,QAAQ,EACpC,OAAO,EAAE,eAAe,CAAC,QAAQ,CAAC,EAClC,YAAY,EAAE,aAAa,EAC3B,UAAU,EAAE,YAAY,CAAC,QAAQ,CAAC,GACjC,cAAc,CAAC,QAAQ,CAAC,CAiB1B"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,aAAa,EACb,YAAY,EACZ,cAAc,EACf,MAAM,2BAA2B,CAAA;AAGlC,wBAAgB,aAAa,CAAC,QAAQ,EACpC,OAAO,EAAE,eAAe,CAAC,QAAQ,CAAC,EAClC,YAAY,EAAE,aAAa,EAC3B,UAAU,EAAE,YAAY,CAAC,QAAQ,CAAC,GACjC,cAAc,CAAC,QAAQ,CAAC,CAqB1B"}

package/dist/core/headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/core/headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AAE5E,wBAAgB,YAAY,CAC1B,IAAI,EAAE,YAAY,EAClB,MAAM,EAAE,QAAQ,CAAC,aAAa,CAAC,EAC/B,OAAO,EAAE,OAAO,GACf,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAoBxB"}
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/core/headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AAE5E,wBAAgB,YAAY,CAC1B,IAAI,EAAE,YAAY,EAClB,MAAM,EAAE,QAAQ,CAAC,aAAa,CAAC,EAC/B,OAAO,EAAE,OAAO,GACf,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA4BxB"}

package/dist/core/limiter.d.ts

@@ -1,3 +1,11 @@
 import type { HitLimitResult, ResolvedConfig } from '@joint-ops/hitlimit-types';
+export interface FastResult {
+    allowed: boolean;
+    limit: number;
+    remaining: number;
+    resetIn: number;
+    resetAt: number;
+}
+export declare function checkLimitFast<TRequest>(config: ResolvedConfig<TRequest>, req: TRequest): Promise<FastResult>;
 export declare function checkLimit<TRequest>(config: ResolvedConfig<TRequest>, req: TRequest): Promise<HitLimitResult>;
 //# sourceMappingURL=limiter.d.ts.map

package/dist/core/limiter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"limiter.d.ts","sourceRoot":"","sources":["../../src/core/limiter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAgB,cAAc,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAK7F,wBAAsB,UAAU,CAAC,QAAQ,EACvC,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,cAAc,CAAC,CAiDzB"}
+{"version":3,"file":"limiter.d.ts","sourceRoot":"","sources":["../../src/core/limiter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAgB,cAAc,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAM7F,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,MAAM,CAAA;CAChB;AAsCD,wBAAsB,cAAc,CAAC,QAAQ,EAC3C,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,UAAU,CAAC,CA8CrB;AAGD,wBAAsB,UAAU,CAAC,QAAQ,EACvC,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,cAAc,CAAC,CA6EzB"}

package/dist/core/response.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"response.d.ts","sourceRoot":"","sources":["../../src/core/response.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAEhG,wBAAgB,SAAS,CACvB,QAAQ,EAAE,cAAc,GAAG,iBAAiB,EAC5C,IAAI,EAAE,YAAY,GACjB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAWrB"}
+{"version":3,"file":"response.d.ts","sourceRoot":"","sources":["../../src/core/response.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAA;AAEhG,wBAAgB,SAAS,CACvB,QAAQ,EAAE,cAAc,GAAG,iBAAiB,EAC5C,IAAI,EAAE,YAAY,GACjB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAmBrB"}

package/dist/elysia.js

@@ -7,6 +7,12 @@ class BunSqliteStore {
   hitStmt;
   getStmt;
   resetStmt;
+  isBannedStmt;
+  banStmt;
+  recordViolationStmt;
+  getViolationStmt;
+  resetBanStmt;
+  resetViolationStmt;
   cleanupTimer;
   constructor(options = {}) {
     this.db = new Database(options.path ?? ":memory:");
@@ -17,6 +23,19 @@ class BunSqliteStore {
         reset_at INTEGER NOT NULL
       )
     `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS hitlimit_bans (
+        key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
+      )
+    `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS hitlimit_violations (
+        key TEXT PRIMARY KEY,
+        count INTEGER NOT NULL DEFAULT 1,
+        reset_at INTEGER NOT NULL
+      )
+    `);
     this.hitStmt = this.db.prepare(`
       INSERT INTO hitlimit (key, count, reset_at) VALUES (?1, 1, ?2)
       ON CONFLICT(key) DO UPDATE SET
@@ -25,8 +44,22 @@ class BunSqliteStore {
     `);
     this.getStmt = this.db.prepare("SELECT count, reset_at FROM hitlimit WHERE key = ?");
     this.resetStmt = this.db.prepare("DELETE FROM hitlimit WHERE key = ?");
+    this.isBannedStmt = this.db.prepare("SELECT 1 FROM hitlimit_bans WHERE key = ?1 AND expires_at > ?2");
+    this.banStmt = this.db.prepare("INSERT OR REPLACE INTO hitlimit_bans (key, expires_at) VALUES (?1, ?2)");
+    this.recordViolationStmt = this.db.prepare(`
+      INSERT INTO hitlimit_violations (key, count, reset_at) VALUES (?1, 1, ?2)
+      ON CONFLICT(key) DO UPDATE SET
+        count = CASE WHEN reset_at <= ?3 THEN 1 ELSE count + 1 END,
+        reset_at = CASE WHEN reset_at <= ?3 THEN ?2 ELSE reset_at END
+    `);
+    this.getViolationStmt = this.db.prepare("SELECT count FROM hitlimit_violations WHERE key = ?");
+    this.resetBanStmt = this.db.prepare("DELETE FROM hitlimit_bans WHERE key = ?");
+    this.resetViolationStmt = this.db.prepare("DELETE FROM hitlimit_violations WHERE key = ?");
     this.cleanupTimer = setInterval(() => {
-      this.db.prepare("DELETE FROM hitlimit WHERE reset_at <= ?").run(Date.now());
+      const now = Date.now();
+      this.db.prepare("DELETE FROM hitlimit WHERE reset_at <= ?").run(now);
+      this.db.prepare("DELETE FROM hitlimit_bans WHERE expires_at <= ?").run(now);
+      this.db.prepare("DELETE FROM hitlimit_violations WHERE reset_at <= ?").run(now);
     }, 60000);
   }
   hit(key, windowMs, _limit) {
@@ -36,8 +69,23 @@ class BunSqliteStore {
     const row = this.getStmt.get(key);
     return { count: row.count, resetAt: row.reset_at };
   }
+  isBanned(key) {
+    return this.isBannedStmt.get(key, Date.now()) !== null;
+  }
+  ban(key, durationMs) {
+    this.banStmt.run(key, Date.now() + durationMs);
+  }
+  recordViolation(key, windowMs) {
+    const now = Date.now();
+    const resetAt = now + windowMs;
+    this.recordViolationStmt.run(key, resetAt, now);
+    const row = this.getViolationStmt.get(key);
+    return row?.count ?? 1;
+  }
   reset(key) {
     this.resetStmt.run(key);
+    this.resetBanStmt.run(key);
+    this.resetViolationStmt.run(key);
   }
   shutdown() {
     clearInterval(this.cleanupTimer);
@@ -83,7 +131,9 @@ function resolveConfig(options, defaultStore, defaultKey) {
     },
     store: options.store ?? defaultStore,
     onStoreError: options.onStoreError ?? (() => "allow"),
-    skip: options.skip
+    skip: options.skip,
+    ban: options.ban ? { threshold: options.ban.threshold, durationMs: parseWindow(options.ban.duration) } : null,
+    group: options.group ?? null
   };
 }
 
@@ -103,6 +153,12 @@ function buildHeaders(info, config, allowed) {
   if (!allowed && config.retryAfter) {
     headers["Retry-After"] = String(info.resetIn);
   }
+  if (info.banned) {
+    headers["X-RateLimit-Ban"] = "true";
+    if (info.banExpiresAt) {
+      headers["X-RateLimit-Ban-Expires"] = String(Math.ceil(info.banExpiresAt / 1000));
+    }
+  }
   return headers;
 }
 
@@ -111,34 +167,76 @@ function buildBody(response, info) {
   if (typeof response === "function") {
     return response(info);
   }
-  return {
+  const body = {
     ...response,
     limit: info.limit,
     remaining: info.remaining,
     resetIn: info.resetIn
   };
+  if (info.banned) {
+    body.banned = true;
+    body.banExpiresAt = info.banExpiresAt;
+    body.message = "You have been temporarily banned due to repeated rate limit violations";
+  }
+  return body;
 }
 
 // src/core/limiter.ts
+async function resolveKey(config, req) {
+  let key = await config.key(req);
+  let groupId;
+  if (config.group) {
+    groupId = typeof config.group === "function" ? await config.group(req) : config.group;
+    key = `group:${groupId}:${key}`;
+  }
+  return { key, groupId };
+}
+function resolveTier(config, tierName) {
+  if (tierName && config.tiers) {
+    const tierConfig = config.tiers[tierName];
+    if (tierConfig) {
+      return {
+        limit: tierConfig.limit,
+        windowMs: tierConfig.window ? parseWindow(tierConfig.window) : config.windowMs
+      };
+    }
+  }
+  return { limit: config.limit, windowMs: config.windowMs };
+}
 async function checkLimit(config, req) {
-  const key = await config.key(req);
-  let limit = config.limit;
-  let windowMs = config.windowMs;
+  const { key, groupId } = await resolveKey(config, req);
   let tierName;
   if (config.tier && config.tiers) {
     tierName = await config.tier(req);
-    const tierConfig = config.tiers[tierName];
-    if (tierConfig) {
-      limit = tierConfig.limit;
-      if (tierConfig.window) {
-        windowMs = parseWindow(tierConfig.window);
-      }
+  }
+  const { limit, windowMs } = resolveTier(config, tierName);
+  if (config.ban && config.store.isBanned) {
+    const banned = await config.store.isBanned(key);
+    if (banned) {
+      const banResetIn = Math.ceil(config.ban.durationMs / 1000);
+      const info2 = {
+        limit,
+        remaining: 0,
+        resetIn: banResetIn,
+        resetAt: Date.now() + config.ban.durationMs,
+        key,
+        tier: tierName,
+        banned: true,
+        banExpiresAt: Date.now() + config.ban.durationMs,
+        group: groupId
+      };
+      return {
+        allowed: false,
+        info: info2,
+        headers: buildHeaders(info2, config.headers, false),
+        body: buildBody(config.response, info2)
+      };
     }
   }
   if (limit === Infinity) {
     return {
       allowed: true,
-      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName },
+      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
       headers: {},
       body: {}
     };
@@ -154,8 +252,18 @@ async function checkLimit(config, req) {
     resetIn,
     resetAt: result.resetAt,
     key,
-    tier: tierName
+    tier: tierName,
+    group: groupId
   };
+  if (!allowed && config.ban && config.store.recordViolation) {
+    const violations = await config.store.recordViolation(key, config.ban.durationMs);
+    info.violations = violations;
+    if (violations >= config.ban.threshold && config.store.ban) {
+      await config.store.ban(key, config.ban.durationMs);
+      info.banned = true;
+      info.banExpiresAt = now + config.ban.durationMs;
+    }
+  }
   return {
     allowed,
     info,

package/dist/index.d.ts

@@ -1,8 +1,9 @@
 import type { HitLimitOptions } from '@joint-ops/hitlimit-types';
-export type { HitLimitOptions, HitLimitInfo, HitLimitResult, HitLimitStore, StoreResult, TierConfig, HeadersConfig, ResolvedConfig, KeyGenerator, TierResolver, SkipFunction, StoreErrorHandler, ResponseFormatter, ResponseConfig } from '@joint-ops/hitlimit-types';
+import { checkLimit } from './core/limiter.js';
+export type { HitLimitOptions, HitLimitInfo, HitLimitResult, HitLimitStore, StoreResult, TierConfig, HeadersConfig, ResolvedConfig, KeyGenerator, TierResolver, SkipFunction, StoreErrorHandler, ResponseFormatter, ResponseConfig, BanConfig, GroupIdResolver } from '@joint-ops/hitlimit-types';
 export { DEFAULT_LIMIT, DEFAULT_WINDOW, DEFAULT_WINDOW_MS, DEFAULT_MESSAGE } from '@joint-ops/hitlimit-types';
 export { sqliteStore } from './stores/sqlite.js';
-export { checkLimit } from './core/limiter.js';
+export { checkLimit };
 export interface BunHitLimitOptions extends HitLimitOptions<Request> {
     sqlitePath?: string;
 }

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAIhE,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AACrQ,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC7G,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,MAAM,WAAW,kBAAmB,SAAQ,eAAe,CAAC,OAAO,CAAC;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,KAAK,SAAS,GAAG;IAAE,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAA;CAAE,CAAA;AAExE,KAAK,YAAY,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;AAMrF,wBAAgB,QAAQ,CACtB,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,YAAY,GACpB,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAkLnE;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,IAAI,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAClF,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CACzC;AAED,wBAAgB,cAAc,CAAC,OAAO,GAAE,kBAAuB,GAAG,UAAU,CAsF3E"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAEhE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAG9C,YAAY,EAAE,eAAe,EAAE,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,cAAc,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AACjS,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAA;AAC7G,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,CAAA;AAErB,MAAM,WAAW,kBAAmB,SAAQ,eAAe,CAAC,OAAO,CAAC;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,KAAK,SAAS,GAAG;IAAE,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAA;CAAE,CAAA;AAExE,KAAK,YAAY,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;AAMrF,wBAAgB,QAAQ,CACtB,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,YAAY,GACpB,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiJnE;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,IAAI,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAClF,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;CACzC;AAED,wBAAgB,cAAc,CAAC,OAAO,GAAE,kBAAuB,GAAG,UAAU,CAgD3E"}

package/dist/index.js

@@ -7,6 +7,12 @@ class BunSqliteStore {
   hitStmt;
   getStmt;
   resetStmt;
+  isBannedStmt;
+  banStmt;
+  recordViolationStmt;
+  getViolationStmt;
+  resetBanStmt;
+  resetViolationStmt;
   cleanupTimer;
   constructor(options = {}) {
     this.db = new Database(options.path ?? ":memory:");
@@ -17,6 +23,19 @@ class BunSqliteStore {
         reset_at INTEGER NOT NULL
       )
     `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS hitlimit_bans (
+        key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
+      )
+    `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS hitlimit_violations (
+        key TEXT PRIMARY KEY,
+        count INTEGER NOT NULL DEFAULT 1,
+        reset_at INTEGER NOT NULL
+      )
+    `);
     this.hitStmt = this.db.prepare(`
       INSERT INTO hitlimit (key, count, reset_at) VALUES (?1, 1, ?2)
       ON CONFLICT(key) DO UPDATE SET
@@ -25,8 +44,22 @@ class BunSqliteStore {
     `);
     this.getStmt = this.db.prepare("SELECT count, reset_at FROM hitlimit WHERE key = ?");
     this.resetStmt = this.db.prepare("DELETE FROM hitlimit WHERE key = ?");
+    this.isBannedStmt = this.db.prepare("SELECT 1 FROM hitlimit_bans WHERE key = ?1 AND expires_at > ?2");
+    this.banStmt = this.db.prepare("INSERT OR REPLACE INTO hitlimit_bans (key, expires_at) VALUES (?1, ?2)");
+    this.recordViolationStmt = this.db.prepare(`
+      INSERT INTO hitlimit_violations (key, count, reset_at) VALUES (?1, 1, ?2)
+      ON CONFLICT(key) DO UPDATE SET
+        count = CASE WHEN reset_at <= ?3 THEN 1 ELSE count + 1 END,
+        reset_at = CASE WHEN reset_at <= ?3 THEN ?2 ELSE reset_at END
+    `);
+    this.getViolationStmt = this.db.prepare("SELECT count FROM hitlimit_violations WHERE key = ?");
+    this.resetBanStmt = this.db.prepare("DELETE FROM hitlimit_bans WHERE key = ?");
+    this.resetViolationStmt = this.db.prepare("DELETE FROM hitlimit_violations WHERE key = ?");
     this.cleanupTimer = setInterval(() => {
-      this.db.prepare("DELETE FROM hitlimit WHERE reset_at <= ?").run(Date.now());
+      const now = Date.now();
+      this.db.prepare("DELETE FROM hitlimit WHERE reset_at <= ?").run(now);
+      this.db.prepare("DELETE FROM hitlimit_bans WHERE expires_at <= ?").run(now);
+      this.db.prepare("DELETE FROM hitlimit_violations WHERE reset_at <= ?").run(now);
     }, 60000);
   }
   hit(key, windowMs, _limit) {
@@ -36,8 +69,23 @@ class BunSqliteStore {
     const row = this.getStmt.get(key);
     return { count: row.count, resetAt: row.reset_at };
   }
+  isBanned(key) {
+    return this.isBannedStmt.get(key, Date.now()) !== null;
+  }
+  ban(key, durationMs) {
+    this.banStmt.run(key, Date.now() + durationMs);
+  }
+  recordViolation(key, windowMs) {
+    const now = Date.now();
+    const resetAt = now + windowMs;
+    this.recordViolationStmt.run(key, resetAt, now);
+    const row = this.getViolationStmt.get(key);
+    return row?.count ?? 1;
+  }
   reset(key) {
     this.resetStmt.run(key);
+    this.resetBanStmt.run(key);
+    this.resetViolationStmt.run(key);
   }
   shutdown() {
     clearInterval(this.cleanupTimer);
@@ -80,15 +128,12 @@ function resolveConfig(options, defaultStore, defaultKey) {
     },
     store: options.store ?? defaultStore,
     onStoreError: options.onStoreError ?? (() => "allow"),
-    skip: options.skip
+    skip: options.skip,
+    ban: options.ban ? { threshold: options.ban.threshold, durationMs: parseWindow(options.ban.duration) } : null,
+    group: options.group ?? null
   };
 }
 
-// ../types/dist/index.js
-var DEFAULT_LIMIT = 100;
-var DEFAULT_WINDOW = "1m";
-var DEFAULT_WINDOW_MS = 60000;
-var DEFAULT_MESSAGE = "Whoa there! Rate limit exceeded.";
 // src/core/headers.ts
 function buildHeaders(info, config, allowed) {
   const headers = {};
@@ -105,6 +150,12 @@ function buildHeaders(info, config, allowed) {
   if (!allowed && config.retryAfter) {
     headers["Retry-After"] = String(info.resetIn);
   }
+  if (info.banned) {
+    headers["X-RateLimit-Ban"] = "true";
+    if (info.banExpiresAt) {
+      headers["X-RateLimit-Ban-Expires"] = String(Math.ceil(info.banExpiresAt / 1000));
+    }
+  }
   return headers;
 }
 
@@ -113,34 +164,76 @@ function buildBody(response, info) {
   if (typeof response === "function") {
     return response(info);
   }
-  return {
+  const body = {
     ...response,
     limit: info.limit,
     remaining: info.remaining,
     resetIn: info.resetIn
   };
+  if (info.banned) {
+    body.banned = true;
+    body.banExpiresAt = info.banExpiresAt;
+    body.message = "You have been temporarily banned due to repeated rate limit violations";
+  }
+  return body;
 }
 
 // src/core/limiter.ts
+async function resolveKey(config, req) {
+  let key = await config.key(req);
+  let groupId;
+  if (config.group) {
+    groupId = typeof config.group === "function" ? await config.group(req) : config.group;
+    key = `group:${groupId}:${key}`;
+  }
+  return { key, groupId };
+}
+function resolveTier(config, tierName) {
+  if (tierName && config.tiers) {
+    const tierConfig = config.tiers[tierName];
+    if (tierConfig) {
+      return {
+        limit: tierConfig.limit,
+        windowMs: tierConfig.window ? parseWindow(tierConfig.window) : config.windowMs
+      };
+    }
+  }
+  return { limit: config.limit, windowMs: config.windowMs };
+}
 async function checkLimit(config, req) {
-  const key = await config.key(req);
-  let limit = config.limit;
-  let windowMs = config.windowMs;
+  const { key, groupId } = await resolveKey(config, req);
   let tierName;
   if (config.tier && config.tiers) {
     tierName = await config.tier(req);
-    const tierConfig = config.tiers[tierName];
-    if (tierConfig) {
-      limit = tierConfig.limit;
-      if (tierConfig.window) {
-        windowMs = parseWindow(tierConfig.window);
-      }
+  }
+  const { limit, windowMs } = resolveTier(config, tierName);
+  if (config.ban && config.store.isBanned) {
+    const banned = await config.store.isBanned(key);
+    if (banned) {
+      const banResetIn = Math.ceil(config.ban.durationMs / 1000);
+      const info2 = {
+        limit,
+        remaining: 0,
+        resetIn: banResetIn,
+        resetAt: Date.now() + config.ban.durationMs,
+        key,
+        tier: tierName,
+        banned: true,
+        banExpiresAt: Date.now() + config.ban.durationMs,
+        group: groupId
+      };
+      return {
+        allowed: false,
+        info: info2,
+        headers: buildHeaders(info2, config.headers, false),
+        body: buildBody(config.response, info2)
+      };
     }
   }
   if (limit === Infinity) {
     return {
       allowed: true,
-      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName },
+      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
       headers: {},
       body: {}
     };
@@ -156,8 +249,18 @@ async function checkLimit(config, req) {
     resetIn,
     resetAt: result.resetAt,
     key,
-    tier: tierName
+    tier: tierName,
+    group: groupId
   };
+  if (!allowed && config.ban && config.store.recordViolation) {
+    const violations = await config.store.recordViolation(key, config.ban.durationMs);
+    info.violations = violations;
+    if (violations >= config.ban.threshold && config.store.ban) {
+      await config.store.ban(key, config.ban.durationMs);
+      info.banned = true;
+      info.banExpiresAt = now + config.ban.durationMs;
+    }
+  }
   return {
     allowed,
     info,
@@ -166,15 +269,26 @@ async function checkLimit(config, req) {
   };
 }
 
+// ../types/dist/index.js
+var DEFAULT_LIMIT = 100;
+var DEFAULT_WINDOW = "1m";
+var DEFAULT_WINDOW_MS = 60000;
+var DEFAULT_MESSAGE = "Whoa there! Rate limit exceeded.";
 // src/index.ts
 function getDefaultKey(req, server) {
   return server.requestIP(req)?.address || "unknown";
 }
 function hitlimit(options, handler) {
+  let activeServer;
+  const defaultKey = (req) => {
+    return activeServer?.requestIP(req)?.address || "unknown";
+  };
   const store = options.store ?? sqliteStore({ path: options.sqlitePath });
-  const config = resolveConfig(options, store, () => "unknown");
+  const config = resolveConfig(options, store, options.key ?? defaultKey);
   const hasSkip = !!config.skip;
   const hasTiers = !!(config.tier && config.tiers);
+  const hasBan = !!config.ban;
+  const hasGroup = !!config.group;
   const standardHeaders = config.headers.standard;
   const legacyHeaders = config.headers.legacy;
   const retryAfterHeader = config.headers.retryAfter;
@@ -183,7 +297,7 @@ function hitlimit(options, handler) {
   const response = config.response;
   const customKey = options.key;
   const blockedBody = JSON.stringify(response);
-  if (!hasSkip && !hasTiers) {
+  if (!hasSkip && !hasTiers && !hasBan && !hasGroup) {
     return async (req, server) => {
       try {
         const key = customKey ? await customKey(req) : getDefaultKey(req, server);
@@ -242,6 +356,7 @@ function hitlimit(options, handler) {
     };
   }
   return async (req, server) => {
+    activeServer = server;
     if (hasSkip) {
       const shouldSkip = await config.skip(req);
       if (shouldSkip) {
@@ -249,56 +364,19 @@ function hitlimit(options, handler) {
       }
     }
     try {
-      const key = customKey ? await customKey(req) : getDefaultKey(req, server);
-      let effectiveLimit = limit;
-      let effectiveWindowMs = windowMs;
-      if (hasTiers) {
-        const tierName = await config.tier(req);
-        const tierConfig = config.tiers[tierName];
-        if (tierConfig) {
-          effectiveLimit = tierConfig.limit;
-          if (tierConfig.window) {
-            effectiveWindowMs = parseWindow2(tierConfig.window);
-          }
-        }
-      }
-      if (effectiveLimit === Infinity) {
-        return handler(req, server);
-      }
-      const result = await store.hit(key, effectiveWindowMs, effectiveLimit);
-      const allowed = result.count <= effectiveLimit;
-      if (!allowed) {
-        const headers = { "Content-Type": "application/json" };
-        const resetIn = Math.ceil((result.resetAt - Date.now()) / 1000);
-        if (standardHeaders) {
-          headers["RateLimit-Limit"] = String(effectiveLimit);
-          headers["RateLimit-Remaining"] = "0";
-          headers["RateLimit-Reset"] = String(resetIn);
-        }
-        if (legacyHeaders) {
-          headers["X-RateLimit-Limit"] = String(effectiveLimit);
-          headers["X-RateLimit-Remaining"] = "0";
-          headers["X-RateLimit-Reset"] = String(Math.ceil(result.resetAt / 1000));
-        }
-        if (retryAfterHeader) {
-          headers["Retry-After"] = String(resetIn);
-        }
-        return new Response(blockedBody, { status: 429, headers });
+      const result = await checkLimit(config, req);
+      if (!result.allowed) {
+        return new Response(JSON.stringify(result.body), {
+          status: 429,
+          headers: { "Content-Type": "application/json", ...result.headers }
+        });
       }
       const res = await handler(req, server);
-      if (standardHeaders || legacyHeaders) {
-        const resetIn = Math.ceil((result.resetAt - Date.now()) / 1000);
-        const remaining = Math.max(0, effectiveLimit - result.count);
+      const headerEntries = Object.entries(result.headers);
+      if (headerEntries.length > 0) {
         const newHeaders = new Headers(res.headers);
-        if (standardHeaders) {
-          newHeaders.set("RateLimit-Limit", String(effectiveLimit));
-          newHeaders.set("RateLimit-Remaining", String(remaining));
-          newHeaders.set("RateLimit-Reset", String(resetIn));
-        }
-        if (legacyHeaders) {
-          newHeaders.set("X-RateLimit-Limit", String(effectiveLimit));
-          newHeaders.set("X-RateLimit-Remaining", String(remaining));
-          newHeaders.set("X-RateLimit-Reset", String(Math.ceil(result.resetAt / 1000)));
+        for (const [key, value] of headerEntries) {
+          newHeaders.set(key, value);
         }
         return new Response(res.body, {
           status: res.status,
@@ -320,62 +398,28 @@ function hitlimit(options, handler) {
   };
 }
 function createHitLimit(options = {}) {
+  let activeServer;
+  const defaultKey = (req) => {
+    return activeServer?.requestIP(req)?.address || "unknown";
+  };
   const store = options.store ?? sqliteStore({ path: options.sqlitePath });
-  const config = resolveConfig(options, store, () => "unknown");
-  const hasSkip = !!config.skip;
-  const hasTiers = !!(config.tier && config.tiers);
-  const standardHeaders = config.headers.standard;
-  const legacyHeaders = config.headers.legacy;
-  const retryAfterHeader = config.headers.retryAfter;
-  const limit = config.limit;
-  const windowMs = config.windowMs;
-  const response = config.response;
-  const customKey = options.key;
-  const blockedBody = JSON.stringify(response);
+  const config = resolveConfig(options, store, options.key ?? defaultKey);
   return {
     async check(req, server) {
-      if (hasSkip) {
+      activeServer = server;
+      if (config.skip) {
         const shouldSkip = await config.skip(req);
         if (shouldSkip) {
           return null;
         }
       }
       try {
-        const key = customKey ? await customKey(req) : getDefaultKey(req, server);
-        let effectiveLimit = limit;
-        let effectiveWindowMs = windowMs;
-        if (hasTiers) {
-          const tierName = await config.tier(req);
-          const tierConfig = config.tiers[tierName];
-          if (tierConfig) {
-            effectiveLimit = tierConfig.limit;
-            if (tierConfig.window) {
-              effectiveWindowMs = parseWindow2(tierConfig.window);
-            }
-          }
-        }
-        if (effectiveLimit === Infinity) {
-          return null;
-        }
-        const result = await store.hit(key, effectiveWindowMs, effectiveLimit);
-        const allowed = result.count <= effectiveLimit;
-        if (!allowed) {
-          const headers = { "Content-Type": "application/json" };
-          const resetIn = Math.ceil((result.resetAt - Date.now()) / 1000);
-          if (standardHeaders) {
-            headers["RateLimit-Limit"] = String(effectiveLimit);
-            headers["RateLimit-Remaining"] = "0";
-            headers["RateLimit-Reset"] = String(resetIn);
-          }
-          if (legacyHeaders) {
-            headers["X-RateLimit-Limit"] = String(effectiveLimit);
-            headers["X-RateLimit-Remaining"] = "0";
-            headers["X-RateLimit-Reset"] = String(Math.ceil(result.resetAt / 1000));
-          }
-          if (retryAfterHeader) {
-            headers["Retry-After"] = String(resetIn);
-          }
-          return new Response(blockedBody, { status: 429, headers });
+        const result = await checkLimit(config, req);
+        if (!result.allowed) {
+          return new Response(JSON.stringify(result.body), {
+            status: 429,
+            headers: { "Content-Type": "application/json", ...result.headers }
+          });
         }
         return null;
       } catch (error) {
@@ -394,29 +438,6 @@ function createHitLimit(options = {}) {
     }
   };
 }
-function parseWindow2(window) {
-  if (typeof window === "number")
-    return window;
-  const match = window.match(/^(\d+)(ms|s|m|h|d)$/);
-  if (!match)
-    return 60000;
-  const value = parseInt(match[1], 10);
-  const unit = match[2];
-  switch (unit) {
-    case "ms":
-      return value;
-    case "s":
-      return value * 1000;
-    case "m":
-      return value * 60 * 1000;
-    case "h":
-      return value * 60 * 60 * 1000;
-    case "d":
-      return value * 24 * 60 * 60 * 1000;
-    default:
-      return 60000;
-  }
-}
 export {
   sqliteStore,
   hitlimit,

package/dist/stores/memory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/stores/memory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AA+D3E,wBAAgB,WAAW,IAAI,aAAa,CAE3C"}
+{"version":3,"file":"memory.d.ts","sourceRoot":"","sources":["../../src/stores/memory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AAgJ3E,wBAAgB,WAAW,IAAI,aAAa,CAE3C"}

package/dist/stores/memory.js

@@ -2,6 +2,8 @@
 // src/stores/memory.ts
 class MemoryStore {
   hits = new Map;
+  bans = new Map;
+  violations = new Map;
   hit(key, windowMs, _limit) {
     const entry = this.hits.get(key);
     if (entry !== undefined) {
@@ -19,18 +21,78 @@ class MemoryStore {
     this.hits.set(key, { count: 1, resetAt, timeoutId });
     return { count: 1, resetAt };
   }
+  isBanned(key) {
+    const ban = this.bans.get(key);
+    if (!ban)
+      return false;
+    if (Date.now() >= ban.expiresAt) {
+      clearTimeout(ban.timeoutId);
+      this.bans.delete(key);
+      return false;
+    }
+    return true;
+  }
+  ban(key, durationMs) {
+    const existing = this.bans.get(key);
+    if (existing)
+      clearTimeout(existing.timeoutId);
+    const expiresAt = Date.now() + durationMs;
+    const timeoutId = setTimeout(() => {
+      this.bans.delete(key);
+    }, durationMs);
+    if (typeof timeoutId.unref === "function") {
+      timeoutId.unref();
+    }
+    this.bans.set(key, { expiresAt, timeoutId });
+  }
+  recordViolation(key, windowMs) {
+    const entry = this.violations.get(key);
+    if (entry && Date.now() < entry.resetAt) {
+      entry.count++;
+      return entry.count;
+    }
+    if (entry)
+      clearTimeout(entry.timeoutId);
+    const resetAt = Date.now() + windowMs;
+    const timeoutId = setTimeout(() => {
+      this.violations.delete(key);
+    }, windowMs);
+    if (typeof timeoutId.unref === "function") {
+      timeoutId.unref();
+    }
+    this.violations.set(key, { count: 1, resetAt, timeoutId });
+    return 1;
+  }
   reset(key) {
     const entry = this.hits.get(key);
     if (entry) {
       clearTimeout(entry.timeoutId);
       this.hits.delete(key);
     }
+    const ban = this.bans.get(key);
+    if (ban) {
+      clearTimeout(ban.timeoutId);
+      this.bans.delete(key);
+    }
+    const violation = this.violations.get(key);
+    if (violation) {
+      clearTimeout(violation.timeoutId);
+      this.violations.delete(key);
+    }
   }
   shutdown() {
     for (const [, entry] of this.hits) {
       clearTimeout(entry.timeoutId);
     }
     this.hits.clear();
+    for (const [, entry] of this.bans) {
+      clearTimeout(entry.timeoutId);
+    }
+    this.bans.clear();
+    for (const [, entry] of this.violations) {
+      clearTimeout(entry.timeoutId);
+    }
+    this.violations.clear();
   }
 }
 function memoryStore() {

package/dist/stores/redis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../src/stores/redis.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AAG3E,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AA2CD,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,aAAa,CAErE"}
+{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../src/stores/redis.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AAG3E,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAqED,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,aAAa,CAErE"}

package/dist/stores/redis.js

@@ -5,9 +5,13 @@ import Redis from "ioredis";
 class RedisStore {
   redis;
   prefix;
+  banPrefix;
+  violationPrefix;
   constructor(options = {}) {
     this.redis = new Redis(options.url ?? "redis://localhost:6379");
     this.prefix = options.keyPrefix ?? "hitlimit:";
+    this.banPrefix = (options.keyPrefix ?? "hitlimit:") + "ban:";
+    this.violationPrefix = (options.keyPrefix ?? "hitlimit:") + "violations:";
   }
   async hit(key, windowMs, _limit) {
     const redisKey = this.prefix + key;
@@ -22,8 +26,23 @@ class RedisStore {
     const resetAt = now + ttl;
     return { count, resetAt };
   }
+  async isBanned(key) {
+    const result = await this.redis.exists(this.banPrefix + key);
+    return result === 1;
+  }
+  async ban(key, durationMs) {
+    await this.redis.set(this.banPrefix + key, "1", "PX", durationMs);
+  }
+  async recordViolation(key, windowMs) {
+    const redisKey = this.violationPrefix + key;
+    const count = await this.redis.incr(redisKey);
+    if (count === 1) {
+      await this.redis.pexpire(redisKey, windowMs);
+    }
+    return count;
+  }
   async reset(key) {
-    await this.redis.del(this.prefix + key);
+    await this.redis.del(this.prefix + key, this.banPrefix + key, this.violationPrefix + key);
   }
   async shutdown() {
     await this.redis.quit();

package/dist/stores/sqlite.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sqlite.d.ts","sourceRoot":"","sources":["../../src/stores/sqlite.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AAE3E,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AAuDD,wBAAgB,WAAW,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,aAAa,CAEvE"}
+{"version":3,"file":"sqlite.d.ts","sourceRoot":"","sources":["../../src/stores/sqlite.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AAE3E,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AA+GD,wBAAgB,WAAW,CAAC,OAAO,CAAC,EAAE,kBAAkB,GAAG,aAAa,CAEvE"}

package/dist/stores/sqlite.js

@@ -7,6 +7,12 @@ class BunSqliteStore {
   hitStmt;
   getStmt;
   resetStmt;
+  isBannedStmt;
+  banStmt;
+  recordViolationStmt;
+  getViolationStmt;
+  resetBanStmt;
+  resetViolationStmt;
   cleanupTimer;
   constructor(options = {}) {
     this.db = new Database(options.path ?? ":memory:");
@@ -17,6 +23,19 @@ class BunSqliteStore {
         reset_at INTEGER NOT NULL
       )
     `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS hitlimit_bans (
+        key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
+      )
+    `);
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS hitlimit_violations (
+        key TEXT PRIMARY KEY,
+        count INTEGER NOT NULL DEFAULT 1,
+        reset_at INTEGER NOT NULL
+      )
+    `);
     this.hitStmt = this.db.prepare(`
       INSERT INTO hitlimit (key, count, reset_at) VALUES (?1, 1, ?2)
       ON CONFLICT(key) DO UPDATE SET
@@ -25,8 +44,22 @@ class BunSqliteStore {
     `);
     this.getStmt = this.db.prepare("SELECT count, reset_at FROM hitlimit WHERE key = ?");
     this.resetStmt = this.db.prepare("DELETE FROM hitlimit WHERE key = ?");
+    this.isBannedStmt = this.db.prepare("SELECT 1 FROM hitlimit_bans WHERE key = ?1 AND expires_at > ?2");
+    this.banStmt = this.db.prepare("INSERT OR REPLACE INTO hitlimit_bans (key, expires_at) VALUES (?1, ?2)");
+    this.recordViolationStmt = this.db.prepare(`
+      INSERT INTO hitlimit_violations (key, count, reset_at) VALUES (?1, 1, ?2)
+      ON CONFLICT(key) DO UPDATE SET
+        count = CASE WHEN reset_at <= ?3 THEN 1 ELSE count + 1 END,
+        reset_at = CASE WHEN reset_at <= ?3 THEN ?2 ELSE reset_at END
+    `);
+    this.getViolationStmt = this.db.prepare("SELECT count FROM hitlimit_violations WHERE key = ?");
+    this.resetBanStmt = this.db.prepare("DELETE FROM hitlimit_bans WHERE key = ?");
+    this.resetViolationStmt = this.db.prepare("DELETE FROM hitlimit_violations WHERE key = ?");
     this.cleanupTimer = setInterval(() => {
-      this.db.prepare("DELETE FROM hitlimit WHERE reset_at <= ?").run(Date.now());
+      const now = Date.now();
+      this.db.prepare("DELETE FROM hitlimit WHERE reset_at <= ?").run(now);
+      this.db.prepare("DELETE FROM hitlimit_bans WHERE expires_at <= ?").run(now);
+      this.db.prepare("DELETE FROM hitlimit_violations WHERE reset_at <= ?").run(now);
     }, 60000);
   }
   hit(key, windowMs, _limit) {
@@ -36,8 +69,23 @@ class BunSqliteStore {
     const row = this.getStmt.get(key);
     return { count: row.count, resetAt: row.reset_at };
   }
+  isBanned(key) {
+    return this.isBannedStmt.get(key, Date.now()) !== null;
+  }
+  ban(key, durationMs) {
+    this.banStmt.run(key, Date.now() + durationMs);
+  }
+  recordViolation(key, windowMs) {
+    const now = Date.now();
+    const resetAt = now + windowMs;
+    this.recordViolationStmt.run(key, resetAt, now);
+    const row = this.getViolationStmt.get(key);
+    return row?.count ?? 1;
+  }
   reset(key) {
     this.resetStmt.run(key);
+    this.resetBanStmt.run(key);
+    this.resetViolationStmt.run(key);
   }
   shutdown() {
     clearInterval(this.cleanupTimer);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@joint-ops/hitlimit-bun",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Fast Bun-native rate limiting for Bun.serve & Elysia - API throttling with bun:sqlite, high performance request limiting",
   "author": {
     "name": "Shayan M Hussain",
@@ -111,7 +111,7 @@
     "test:watch": "bun test --watch"
   },
   "dependencies": {
-    "@joint-ops/hitlimit-types": "1.0.4"
+    "@joint-ops/hitlimit-types": "1.0.6"
   },
   "peerDependencies": {
     "elysia": ">=1.0.0",