@joint-ops/hitlimit-bun 1.1.2 → 1.2.0

package/README.md

@@ -1,61 +1,40 @@
 # @joint-ops/hitlimit-bun
 
-[![npm version](https://img.shields.io/npm/v/@joint-ops/hitlimit-bun.svg)](https://www.npmjs.com/package/@joint-ops/hitlimit-bun)
-[![npm downloads](https://img.shields.io/npm/dm/@joint-ops/hitlimit-bun.svg)](https://www.npmjs.com/package/@joint-ops/hitlimit-bun)
-[![GitHub](https://img.shields.io/github/license/JointOps/hitlimit-monorepo)](https://github.com/JointOps/hitlimit-monorepo)
-[![TypeScript](https://img.shields.io/badge/TypeScript-Ready-blue.svg)](https://www.typescriptlang.org/)
-[![Bun](https://img.shields.io/badge/Bun-Native-black.svg)](https://bun.sh)
+> Rate limiting built for Bun. Not ported — built.
 
-> The fastest rate limiter for Bun - 5M+ ops/sec under real-world load | Elysia, Hono & Bun.serve
-
-**hitlimit-bun** is a blazing-fast, Bun-native rate limiting library for Bun.serve, Elysia, and Hono applications. **Memory-first by default** with 5.62M ops/sec under real-world load (~15x faster than SQLite). Optional persistence with native bun:sqlite or Redis when you need it.
-
-**[Documentation](https://hitlimit.jointops.dev/docs/bun)** | **[GitHub](https://github.com/JointOps/hitlimit-monorepo)** | **[npm](https://www.npmjs.com/package/@joint-ops/hitlimit-bun)**
-
-## ⚡ Why hitlimit-bun?
-
-**Memory-first for maximum performance.** ~15x faster than SQLite.
+**12.38M ops/sec** on memory. **8.32M at 10K IPs**. Native bun:sqlite. Atomic Redis Lua. Postgres. Zero dependencies.
 
+```bash
+bun add @joint-ops/hitlimit-bun
 ```
-┌─────────────────────────────────────────────────────────────────┐
-│                                                                 │
-│  Memory (v1.1+)     ██████████████████████████████  5.62M ops/s │
-│  SQLite (v1.0)      █░░░░░░░░░░░░░░░░░░░░░░░░░░░░  383K ops/s  │
-│                                                                 │
-│  ~15x performance improvement with memory default (10K IPs)    │
-│                                                                 │
-└─────────────────────────────────────────────────────────────────┘
+
+```typescript
+Bun.serve({
+  fetch: hitlimit({}, (req) => new Response('Hello!'))
+})
 ```
 
-- **🚀 Memory-First** - 5.62M ops/sec under real-world load (v1.1+), ~15x faster than SQLite
-- **Bun Native** - Built specifically for Bun's runtime, not a Node.js port
-- **Zero Config** - Works out of the box with sensible defaults
-- **Framework Support** - First-class Elysia and Hono integration
-- **Optional Persistence** - SQLite (383K ops/sec) or Redis (6.6K ops/sec) when needed
-- **TypeScript First** - Full type safety and IntelliSense support
-- **Auto-Ban** - Automatically ban repeat offenders after threshold violations
-- **Shared Limits** - Group rate limits via groupId for teams/tenants
-- **Tiny Footprint** - ~18KB core bundle, zero runtime dependencies
+One line. Done. Works with **Bun.serve**, **Elysia**, and **Hono** out of the box.
 
-## Installation
+**[Docs](https://hitlimit.jointops.dev/docs/bun)** · **[GitHub](https://github.com/JointOps/hitlimit-monorepo)** · **[Benchmarks](https://github.com/JointOps/hitlimit-monorepo/tree/main/benchmarks)**
 
-```bash
-bun add @joint-ops/hitlimit-bun
-```
+---
 
-## Quick Start
+## 30 Seconds to Production
 
-### Bun.serve Rate Limiting
+### Bun.serve
 
 ```typescript
 import { hitlimit } from '@joint-ops/hitlimit-bun'
 
 Bun.serve({
-  fetch: hitlimit({}, (req) => new Response('Hello!'))
+  fetch: hitlimit({ limit: 100, window: '1m' }, (req) => {
+    return new Response('Hello!')
+  })
 })
 ```
 
-### Elysia Rate Limiting
+### Elysia
 
 ```typescript
 import { Elysia } from 'elysia'
@@ -63,380 +42,116 @@ import { hitlimit } from '@joint-ops/hitlimit-bun/elysia'
 
 new Elysia()
   .use(hitlimit({ limit: 100, window: '1m' }))
-  .get('/', () => 'Hello World!')
+  .get('/', () => 'Hello!')
   .listen(3000)
 ```
 
-### Hono Rate Limiting
+### Hono
 
 ```typescript
 import { Hono } from 'hono'
 import { hitlimit } from '@joint-ops/hitlimit-bun/hono'
 
 const app = new Hono()
-
 app.use(hitlimit({ limit: 100, window: '1m' }))
-app.get('/', (c) => c.text('Hello Bun!'))
-
+app.get('/', (c) => c.text('Hello!'))
 Bun.serve({ port: 3000, fetch: app.fetch })
 ```
 
-### Using createHitLimit
+---
 
-```typescript
-import { createHitLimit } from '@joint-ops/hitlimit-bun'
-
-const limiter = createHitLimit({ limit: 100, window: '1m' })
+## What You Get
 
-Bun.serve({
-  async fetch(req, server) {
-    // Returns a 429 Response if blocked, or null if allowed
-    const blocked = await limiter.check(req, server)
-    if (blocked) return blocked
-
-    return new Response('Hello!')
-  }
-})
-```
-
-## Features
-
-### API Rate Limiting
-
-Protect your Bun APIs from abuse with high-performance rate limiting.
-
-```typescript
-Bun.serve({
-  fetch: hitlimit({ limit: 1000, window: '1h' }, handler)
-})
-```
-
-### Login & Authentication Protection
-
-Prevent brute force attacks on login endpoints.
-
-```typescript
-const authLimiter = createHitLimit({ limit: 5, window: '15m' })
-
-Bun.serve({
-  async fetch(req, server) {
-    const url = new URL(req.url)
-
-    if (url.pathname.startsWith('/auth')) {
-      const blocked = await authLimiter.check(req, server)
-      if (blocked) return blocked
-    }
-
-    return handler(req, server)
-  }
-})
-```
-
-### Tiered Rate Limits
-
-Different limits for different user tiers (free, pro, enterprise).
+**Tiered limits** — Free, Pro, Enterprise:
 
 ```typescript
 hitlimit({
-  tiers: {
-    free: { limit: 100, window: '1h' },
-    pro: { limit: 5000, window: '1h' },
-    enterprise: { limit: Infinity }
-  },
+  tiers: { free: { limit: 100, window: '1h' }, pro: { limit: 5000, window: '1h' } },
   tier: (req) => req.headers.get('x-tier') || 'free'
 }, handler)
 ```
 
-### Custom Rate Limit Keys
-
-Rate limit by IP address, user ID, API key, or any custom identifier.
+**Auto-ban** — Repeat offenders get blocked:
 
 ```typescript
-hitlimit({
-  key: (req) => req.headers.get('x-api-key') || 'anonymous'
-}, handler)
+hitlimit({ limit: 10, window: '1m', ban: { threshold: 5, duration: '1h' } }, handler)
 ```
 
-### Auto-Ban Repeat Offenders
-
-Automatically ban clients that repeatedly exceed rate limits.
+**Custom keys** — Rate limit by anything:
 
 ```typescript
-hitlimit({
-  limit: 10,
-  window: '1m',
-  ban: {
-    threshold: 5,  // Ban after 5 violations
-    duration: '1h' // Ban lasts 1 hour
-  }
-}, handler)
+hitlimit({ key: (req) => req.headers.get('x-api-key') || 'anon' }, handler)
 ```
 
-Banned clients receive `X-RateLimit-Ban: true` header and `banned: true` in the response body.
-
-### Grouped / Shared Limits
-
-Rate limit by organization, API key, or any shared identifier.
-
-```typescript
-// Per-API-key rate limiting
-hitlimit({
-  limit: 1000,
-  window: '1h',
-  group: (req) => req.headers.get('x-api-key') || 'anonymous'
-}, handler)
-```
-
-### Elysia Route-Specific Limits
-
-Apply different limits to different route groups in Elysia.
+**Route-specific limits** (Elysia):
 
 ```typescript
 new Elysia()
-  // Global limit
   .use(hitlimit({ limit: 100, window: '1m', name: 'global' }))
-
-  // Stricter limit for auth
-  .group('/auth', (app) =>
-    app
-      .use(hitlimit({ limit: 5, window: '15m', name: 'auth' }))
-      .post('/login', handler)
-  )
-
-  // Higher limit for API
-  .group('/api', (app) =>
-    app
-      .use(hitlimit({ limit: 1000, window: '1m', name: 'api' }))
-      .get('/data', handler)
-  )
+  .group('/auth', app => app.use(hitlimit({ limit: 5, window: '15m', name: 'auth' })))
   .listen(3000)
 ```
 
-## Configuration Options
-
-```typescript
-hitlimit({
-  // Basic options
-  limit: 100,              // Max requests per window (default: 100)
-  window: '1m',            // Time window: 30s, 15m, 1h, 1d (default: '1m')
-
-  // Custom key extraction
-  key: (req) => req.headers.get('x-api-key') || 'anonymous',
-
-  // Tiered rate limits
-  tiers: {
-    free: { limit: 100, window: '1h' },
-    pro: { limit: 5000, window: '1h' },
-    enterprise: { limit: Infinity }
-  },
-  tier: (req) => req.headers.get('x-tier') || 'free',
-
-  // Custom 429 response
-  response: {
-    message: 'Too many requests',
-    statusCode: 429
-  },
-  // Or function:
-  response: (info) => ({
-    error: 'RATE_LIMITED',
-    retryIn: info.resetIn
-  }),
-
-  // Headers configuration
-  headers: {
-    standard: true,   // RateLimit-* headers
-    legacy: true,     // X-RateLimit-* headers
-    retryAfter: true  // Retry-After header on 429
-  },
-
-  // Store (default: memory)
-  store: sqliteStore({ path: './ratelimit.db' }),
-
-  // Skip rate limiting
-  skip: (req) => req.url.includes('/health'),
-
-  // Error handling
-  onStoreError: (error, req) => {
-    console.error('Store error:', error)
-    return 'allow' // or 'deny'
-  },
-
-  // Ban repeat offenders
-  ban: {
-    threshold: 5,    // violations before ban
-    duration: '1h'   // ban duration
-  },
-
-  // Group/shared limits
-  group: (req) => req.headers.get('x-api-key') || 'default'
-}, handler)
-```
+---
 
-## Storage Backends
+## 4 Storage Backends
 
-### Memory Store (Default)
-
-Fastest option, used by default. No persistence.
+All built in. No extra packages to install.
 
 ```typescript
 import { hitlimit } from '@joint-ops/hitlimit-bun'
 
-// Default - uses memory store (no config needed)
-Bun.serve({
-  fetch: hitlimit({}, handler)
-})
-```
+// Memory (default) — fastest, no config
+Bun.serve({ fetch: hitlimit({}, handler) })
 
-### SQLite Store
-
-Uses Bun's native bun:sqlite for persistent rate limiting.
-
-```typescript
-import { hitlimit } from '@joint-ops/hitlimit-bun'
+// bun:sqlite — persists across restarts, native performance
 import { sqliteStore } from '@joint-ops/hitlimit-bun'
+Bun.serve({ fetch: hitlimit({ store: sqliteStore({ path: './ratelimit.db' }) }, handler) })
 
-Bun.serve({
-  fetch: hitlimit({
-    store: sqliteStore({ path: './ratelimit.db' })
-  }, handler)
-})
-```
-
-### Redis Store
-
-For distributed systems and multi-server deployments.
-
-```typescript
-import { hitlimit } from '@joint-ops/hitlimit-bun'
+// Redis — distributed, atomic Lua scripts
 import { redisStore } from '@joint-ops/hitlimit-bun/stores/redis'
+Bun.serve({ fetch: hitlimit({ store: redisStore({ url: 'redis://localhost:6379' }) }, handler) })
 
-Bun.serve({
-  fetch: hitlimit({
-    store: redisStore({ url: 'redis://localhost:6379' })
-  }, handler)
-})
-```
-
-## Response Headers
-
-Every response includes rate limit information:
-
-```
-RateLimit-Limit: 100
-RateLimit-Remaining: 99
-RateLimit-Reset: 1234567890
-X-RateLimit-Limit: 100
-X-RateLimit-Remaining: 99
-X-RateLimit-Reset: 1234567890
-```
-
-When rate limited (429 Too Many Requests):
-
-```
-Retry-After: 42
+// Postgres — distributed, atomic upserts
+import { postgresStore } from '@joint-ops/hitlimit-bun/stores/postgres'
+Bun.serve({ fetch: hitlimit({ store: postgresStore({ url: 'postgres://localhost:5432/mydb' }) }, handler) })
 ```
 
-## Default 429 Response
+| Store | Ops/sec | Latency | When to use |
+|-------|---------|---------|-------------|
+| Memory | 8,320,000 | 120ns | Single server, maximum speed |
+| bun:sqlite | 325,000 | 3.1μs | Single server, need persistence |
+| Redis | 6,700 | 148μs | Multi-server / distributed |
+| Postgres | 3,700 | 273μs | Multi-server / already using Postgres |
 
-```json
-{
-  "hitlimit": true,
-  "message": "Whoa there! Rate limit exceeded.",
-  "limit": 100,
-  "remaining": 0,
-  "resetIn": 42
-}
-```
+---
 
 ## Performance
 
-hitlimit-bun is optimized for Bun's runtime with native performance:
-
-### Store Benchmarks (Bun 1.3)
+### Bun vs Node.js — Memory Store, 10K unique IPs
 
-| Store | Operations/sec | vs Node.js |
-|-------|----------------|------------|
-| **Memory** | 5,620,000+ | +68% faster |
-| **bun:sqlite** | 383,000+ | ~same |
-| **Redis** | 6,600+ | ~same |
+| Runtime | Ops/sec | |
+|---------|---------|---|
+| **Bun** | **8,320,000** | ████████████████████ |
+| Node.js | 3,160,000 | ████████ |
 
-### HTTP Throughput
+Bun leads at 10K IPs (8.32M vs 3.16M) and single-IP (12.38M vs 4.83M). Same library, same algorithm, **memory store**. For Redis, Postgres, and cross-store breakdowns, see the [full benchmark results](https://github.com/JointOps/hitlimit-monorepo/tree/main/benchmarks). Controlled-environment microbenchmarks with transparent methodology. Run them yourself.
 
-| Framework | With hitlimit-bun | Overhead |
-|-----------|-------------------|----------|
-| **Bun.serve** | 105,000 req/s | 12% |
-| **Elysia** | 115,000 req/s | 11% |
-
-> **Note:** Benchmark results vary by hardware and environment. Run your own benchmarks to see results on your specific setup.
-
-### Why bun:sqlite is So Fast
+### Why bun:sqlite is faster than better-sqlite3
 
 ```
-Node.js (better-sqlite3)          Bun (bun:sqlite)
-─────────────────────────         ─────────────────
-JavaScript                        JavaScript
-    ↓                                 ↓
-  N-API                           Direct Call
-    ↓                                 ↓
-  C++ Binding                     Native SQLite
-    ↓                             (No overhead!)
-  SQLite
+Node.js: JS → N-API → C++ binding → SQLite
+Bun:     JS → Native call → SQLite (no overhead)
 ```
 
-better-sqlite3 uses N-API bindings with C++ overhead.
-bun:sqlite calls SQLite directly from Bun's native layer.
+No N-API. No C++ bindings. No FFI. Bun calls SQLite directly.
 
-<details>
-<summary>Run benchmarks yourself</summary>
+---
 
-```bash
-git clone https://github.com/JointOps/hitlimit-monorepo
-cd hitlimit-monorepo
-bun install
-bun run benchmark:bun
-```
+## Related
 
-</details>
-
-## Elysia Plugin Options
-
-```typescript
-import { Elysia } from 'elysia'
-import { hitlimit } from '@joint-ops/hitlimit-bun/elysia'
-
-new Elysia()
-  .use(hitlimit({
-    limit: 100,
-    window: '1m',
-    key: ({ request }) => request.headers.get('x-api-key') || 'anonymous',
-    tiers: {
-      free: { limit: 100, window: '1h' },
-      pro: { limit: 5000, window: '1h' }
-    },
-    tier: ({ request }) => request.headers.get('x-tier') || 'free'
-  }))
-  .get('/', () => 'Hello!')
-  .listen(3000)
-```
-
-## Related Packages
-
-- [@joint-ops/hitlimit](https://www.npmjs.com/package/@joint-ops/hitlimit) - Node.js rate limiting for Express, NestJS
-
-## Why Not Use Node.js Rate Limiters in Bun?
-
-Node.js rate limiters like express-rate-limit use better-sqlite3 which relies on N-API bindings. In Bun, this adds overhead and loses the performance benefits of Bun's native runtime.
-
-**hitlimit-bun** is built specifically for Bun:
-- Uses native `bun:sqlite` (no N-API overhead)
-- No FFI overhead or Node.js polyfills
-- First-class Elysia framework support
-- Optimized for Bun.serve's request handling
+- **[@joint-ops/hitlimit](https://www.npmjs.com/package/@joint-ops/hitlimit)** — Node.js variant for Express, Fastify, Hono, NestJS
 
 ## License
 
-MIT - Use freely in personal and commercial projects.
-
-## Keywords
-
-bun rate limit, bun rate limiter, bun middleware, bun api, bun server, bun serve, bun framework, bun native, bun sqlite, elysia rate limit, elysia plugin, elysia middleware, elysia throttle, elysia framework, api rate limiting, throttle requests, request throttling, bun api protection, ddos protection, brute force protection, login protection, redis rate limit, high performance rate limit, fast rate limiter, sliding window, fixed window, rate-limiter-flexible bun, express-rate-limit bun, bun http, bun backend, bun rest api
+MIT

package/dist/core/limiter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"limiter.d.ts","sourceRoot":"","sources":["../../src/core/limiter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAgB,cAAc,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAM7F,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,MAAM,CAAA;CAChB;AAsCD,wBAAsB,cAAc,CAAC,QAAQ,EAC3C,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,UAAU,CAAC,CA8CrB;AAGD,wBAAsB,UAAU,CAAC,QAAQ,EACvC,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,cAAc,CAAC,CA6EzB"}
+{"version":3,"file":"limiter.d.ts","sourceRoot":"","sources":["../../src/core/limiter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAgB,cAAc,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAM7F,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,MAAM,CAAA;CAChB;AAsCD,wBAAsB,cAAc,CAAC,QAAQ,EAC3C,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,UAAU,CAAC,CAgErB;AAGD,wBAAsB,UAAU,CAAC,QAAQ,EACvC,MAAM,EAAE,cAAc,CAAC,QAAQ,CAAC,EAChC,GAAG,EAAE,QAAQ,GACZ,OAAO,CAAC,cAAc,CAAC,CA2GzB"}

package/dist/elysia.js

@@ -202,6 +202,49 @@ async function checkLimit(config, req) {
     tierName = await config.tier(req);
   }
   const { limit, windowMs } = resolveTier(config, tierName);
+  if (limit === Infinity) {
+    return {
+      allowed: true,
+      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
+      headers: {},
+      body: {}
+    };
+  }
+  if (config.ban && config.store.hitWithBan) {
+    const r = await config.store.hitWithBan(key, windowMs, limit, config.ban.threshold, config.ban.durationMs);
+    if (r.banned && r.count === 0) {
+      const info3 = {
+        limit,
+        remaining: 0,
+        resetIn: Math.ceil((r.banExpiresAt - Date.now()) / 1000),
+        resetAt: r.banExpiresAt,
+        key,
+        tier: tierName,
+        banned: true,
+        banExpiresAt: r.banExpiresAt,
+        group: groupId
+      };
+      return { allowed: false, info: info3, headers: buildHeaders(info3, config.headers, false), body: buildBody(config.response, info3) };
+    }
+    const now2 = Date.now();
+    const allowed2 = r.count <= limit;
+    const info2 = {
+      limit,
+      remaining: Math.max(0, limit - r.count),
+      resetIn: Math.max(0, Math.ceil((r.resetAt - now2) / 1000)),
+      resetAt: r.resetAt,
+      key,
+      tier: tierName,
+      group: groupId
+    };
+    if (r.violations > 0)
+      info2.violations = r.violations;
+    if (r.banned) {
+      info2.banned = true;
+      info2.banExpiresAt = r.banExpiresAt;
+    }
+    return { allowed: allowed2, info: info2, headers: buildHeaders(info2, config.headers, allowed2), body: allowed2 ? {} : buildBody(config.response, info2) };
+  }
   if (config.ban && config.store.isBanned) {
     const banned = await config.store.isBanned(key);
     if (banned) {
@@ -225,14 +268,6 @@ async function checkLimit(config, req) {
       };
     }
   }
-  if (limit === Infinity) {
-    return {
-      allowed: true,
-      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
-      headers: {},
-      body: {}
-    };
-  }
   const result = await config.store.hit(key, windowMs, limit);
   const now = Date.now();
   const resetIn = Math.max(0, Math.ceil((result.resetAt - now) / 1000));

package/dist/hono.js

@@ -202,6 +202,49 @@ async function checkLimit(config, req) {
     tierName = await config.tier(req);
   }
   const { limit, windowMs } = resolveTier(config, tierName);
+  if (limit === Infinity) {
+    return {
+      allowed: true,
+      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
+      headers: {},
+      body: {}
+    };
+  }
+  if (config.ban && config.store.hitWithBan) {
+    const r = await config.store.hitWithBan(key, windowMs, limit, config.ban.threshold, config.ban.durationMs);
+    if (r.banned && r.count === 0) {
+      const info3 = {
+        limit,
+        remaining: 0,
+        resetIn: Math.ceil((r.banExpiresAt - Date.now()) / 1000),
+        resetAt: r.banExpiresAt,
+        key,
+        tier: tierName,
+        banned: true,
+        banExpiresAt: r.banExpiresAt,
+        group: groupId
+      };
+      return { allowed: false, info: info3, headers: buildHeaders(info3, config.headers, false), body: buildBody(config.response, info3) };
+    }
+    const now2 = Date.now();
+    const allowed2 = r.count <= limit;
+    const info2 = {
+      limit,
+      remaining: Math.max(0, limit - r.count),
+      resetIn: Math.max(0, Math.ceil((r.resetAt - now2) / 1000)),
+      resetAt: r.resetAt,
+      key,
+      tier: tierName,
+      group: groupId
+    };
+    if (r.violations > 0)
+      info2.violations = r.violations;
+    if (r.banned) {
+      info2.banned = true;
+      info2.banExpiresAt = r.banExpiresAt;
+    }
+    return { allowed: allowed2, info: info2, headers: buildHeaders(info2, config.headers, allowed2), body: allowed2 ? {} : buildBody(config.response, info2) };
+  }
   if (config.ban && config.store.isBanned) {
     const banned = await config.store.isBanned(key);
     if (banned) {
@@ -225,14 +268,6 @@ async function checkLimit(config, req) {
       };
     }
   }
-  if (limit === Infinity) {
-    return {
-      allowed: true,
-      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
-      headers: {},
-      body: {}
-    };
-  }
   const result = await config.store.hit(key, windowMs, limit);
   const now = Date.now();
   const resetIn = Math.max(0, Math.ceil((result.resetAt - now) / 1000));

package/dist/index.js

@@ -199,6 +199,49 @@ async function checkLimit(config, req) {
     tierName = await config.tier(req);
   }
   const { limit, windowMs } = resolveTier(config, tierName);
+  if (limit === Infinity) {
+    return {
+      allowed: true,
+      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
+      headers: {},
+      body: {}
+    };
+  }
+  if (config.ban && config.store.hitWithBan) {
+    const r = await config.store.hitWithBan(key, windowMs, limit, config.ban.threshold, config.ban.durationMs);
+    if (r.banned && r.count === 0) {
+      const info3 = {
+        limit,
+        remaining: 0,
+        resetIn: Math.ceil((r.banExpiresAt - Date.now()) / 1000),
+        resetAt: r.banExpiresAt,
+        key,
+        tier: tierName,
+        banned: true,
+        banExpiresAt: r.banExpiresAt,
+        group: groupId
+      };
+      return { allowed: false, info: info3, headers: buildHeaders(info3, config.headers, false), body: buildBody(config.response, info3) };
+    }
+    const now2 = Date.now();
+    const allowed2 = r.count <= limit;
+    const info2 = {
+      limit,
+      remaining: Math.max(0, limit - r.count),
+      resetIn: Math.max(0, Math.ceil((r.resetAt - now2) / 1000)),
+      resetAt: r.resetAt,
+      key,
+      tier: tierName,
+      group: groupId
+    };
+    if (r.violations > 0)
+      info2.violations = r.violations;
+    if (r.banned) {
+      info2.banned = true;
+      info2.banExpiresAt = r.banExpiresAt;
+    }
+    return { allowed: allowed2, info: info2, headers: buildHeaders(info2, config.headers, allowed2), body: allowed2 ? {} : buildBody(config.response, info2) };
+  }
   if (config.ban && config.store.isBanned) {
     const banned = await config.store.isBanned(key);
     if (banned) {
@@ -222,14 +265,6 @@ async function checkLimit(config, req) {
       };
     }
   }
-  if (limit === Infinity) {
-    return {
-      allowed: true,
-      info: { limit, remaining: Infinity, resetIn: 0, resetAt: 0, key, tier: tierName, group: groupId },
-      headers: {},
-      body: {}
-    };
-  }
   const result = await config.store.hit(key, windowMs, limit);
   const now = Date.now();
   const resetIn = Math.max(0, Math.ceil((result.resetAt - now) / 1000));

package/dist/stores/postgres.d.ts

@@ -0,0 +1,9 @@
+import type { HitLimitStore } from '@joint-ops/hitlimit-types';
+export interface PostgresStoreOptions {
+    pool: any;
+    tablePrefix?: string;
+    cleanupInterval?: number;
+    skipTableCreation?: boolean;
+}
+export declare function postgresStore(options: PostgresStoreOptions): HitLimitStore;
+//# sourceMappingURL=postgres.d.ts.map

package/dist/stores/postgres.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"postgres.d.ts","sourceRoot":"","sources":["../../src/stores/postgres.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAiC,MAAM,2BAA2B,CAAA;AAE7F,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,GAAG,CAAA;IACT,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B;AAqPD,wBAAgB,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,aAAa,CAE1E"}

package/dist/stores/postgres.js

@@ -0,0 +1,220 @@
+// @bun
+// src/stores/postgres.ts
+class PostgresStore {
+  pool;
+  cleanupTimer = null;
+  tablesReady = null;
+  ready;
+  hitQ;
+  banCheckQ;
+  hitUpsertQ;
+  violationQ;
+  banSetQ;
+  isBannedQ;
+  banQ;
+  recordViolationQ;
+  resetHitsQ;
+  resetBansQ;
+  resetViolationsQ;
+  cleanupHitsQ;
+  cleanupBansQ;
+  cleanupViolationsQ;
+  constructor(options) {
+    this.pool = options.pool;
+    const t = options.tablePrefix ?? "hitlimit";
+    const skipTableCreation = options.skipTableCreation ?? false;
+    if (skipTableCreation) {
+      this.ready = true;
+    } else {
+      this.ready = false;
+      this.tablesReady = this.createTables(t).then(() => {
+        this.ready = true;
+      });
+    }
+    this.hitQ = {
+      name: `hl_hit_${t}`,
+      text: `INSERT INTO ${t}_hits (key, count, reset_at) VALUES ($1, 1, $2) ON CONFLICT (key) DO UPDATE SET count = CASE WHEN ${t}_hits.reset_at <= $3 THEN 1 ELSE ${t}_hits.count + 1 END, reset_at = CASE WHEN ${t}_hits.reset_at <= $3 THEN $2 ELSE ${t}_hits.reset_at END RETURNING count, reset_at`
+    };
+    this.banCheckQ = {
+      name: `hl_banchk_${t}`,
+      text: `SELECT expires_at FROM ${t}_bans WHERE key = $1 AND expires_at > $2`
+    };
+    this.hitUpsertQ = this.hitQ;
+    this.violationQ = {
+      name: `hl_viol_${t}`,
+      text: `INSERT INTO ${t}_violations (key, count, reset_at) VALUES ($1, 1, $2) ON CONFLICT (key) DO UPDATE SET count = CASE WHEN ${t}_violations.reset_at <= $3 THEN 1 ELSE ${t}_violations.count + 1 END, reset_at = CASE WHEN ${t}_violations.reset_at <= $3 THEN $2 ELSE ${t}_violations.reset_at END RETURNING count`
+    };
+    this.banSetQ = {
+      name: `hl_banset_${t}`,
+      text: `INSERT INTO ${t}_bans (key, expires_at) VALUES ($1, $2) ON CONFLICT (key) DO UPDATE SET expires_at = $2`
+    };
+    this.isBannedQ = {
+      name: `hl_isbanned_${t}`,
+      text: `SELECT 1 FROM ${t}_bans WHERE key = $1 AND expires_at > $2`
+    };
+    this.banQ = this.banSetQ;
+    this.recordViolationQ = this.violationQ;
+    this.resetHitsQ = `DELETE FROM ${t}_hits WHERE key = $1`;
+    this.resetBansQ = `DELETE FROM ${t}_bans WHERE key = $1`;
+    this.resetViolationsQ = `DELETE FROM ${t}_violations WHERE key = $1`;
+    this.cleanupHitsQ = `DELETE FROM ${t}_hits WHERE reset_at <= $1`;
+    this.cleanupBansQ = `DELETE FROM ${t}_bans WHERE expires_at <= $1`;
+    this.cleanupViolationsQ = `DELETE FROM ${t}_violations WHERE reset_at <= $1`;
+    const interval = options.cleanupInterval ?? 60000;
+    this.cleanupTimer = setInterval(() => this.cleanup(), interval);
+    if (typeof this.cleanupTimer.unref === "function") {
+      this.cleanupTimer.unref();
+    }
+  }
+  async createTables(t) {
+    await this.pool.query(`
+      CREATE TABLE IF NOT EXISTS ${t}_hits (
+        key TEXT PRIMARY KEY,
+        count INTEGER NOT NULL DEFAULT 1,
+        reset_at BIGINT NOT NULL
+      )
+    `);
+    await this.pool.query(`
+      CREATE TABLE IF NOT EXISTS ${t}_bans (
+        key TEXT PRIMARY KEY,
+        expires_at BIGINT NOT NULL
+      )
+    `);
+    await this.pool.query(`
+      CREATE TABLE IF NOT EXISTS ${t}_violations (
+        key TEXT PRIMARY KEY,
+        count INTEGER NOT NULL DEFAULT 1,
+        reset_at BIGINT NOT NULL
+      )
+    `);
+  }
+  async hit(key, windowMs, _limit) {
+    if (!this.ready)
+      await this.tablesReady;
+    const now = Date.now();
+    const result = await this.pool.query({
+      name: this.hitQ.name,
+      text: this.hitQ.text,
+      values: [key, now + windowMs, now]
+    });
+    return {
+      count: result.rows[0].count,
+      resetAt: Number(result.rows[0].reset_at)
+    };
+  }
+  async hitWithBan(key, windowMs, limit, banThreshold, banDurationMs) {
+    if (!this.ready)
+      await this.tablesReady;
+    const now = Date.now();
+    const resetAt = now + windowMs;
+    const banExpiresAt = now + banDurationMs;
+    const banResult = await this.pool.query({
+      name: this.banCheckQ.name,
+      text: this.banCheckQ.text,
+      values: [key, now]
+    });
+    if (banResult.rowCount > 0) {
+      return {
+        count: 0,
+        resetAt,
+        banned: true,
+        violations: 0,
+        banExpiresAt: Number(banResult.rows[0].expires_at)
+      };
+    }
+    const hitResult = await this.pool.query({
+      name: this.hitUpsertQ.name,
+      text: this.hitUpsertQ.text,
+      values: [key, resetAt, now]
+    });
+    const hitCount = hitResult.rows[0].count;
+    const hitResetAt = Number(hitResult.rows[0].reset_at);
+    if (hitCount > limit) {
+      const violationResult = await this.pool.query({
+        name: this.violationQ.name,
+        text: this.violationQ.text,
+        values: [key, banExpiresAt, now]
+      });
+      const violations = violationResult.rows[0].count;
+      const shouldBan = violations >= banThreshold;
+      if (shouldBan) {
+        await this.pool.query({
+          name: this.banSetQ.name,
+          text: this.banSetQ.text,
+          values: [key, banExpiresAt]
+        });
+      }
+      return {
+        count: hitCount,
+        resetAt: hitResetAt,
+        banned: shouldBan,
+        violations,
+        banExpiresAt: shouldBan ? banExpiresAt : 0
+      };
+    }
+    return {
+      count: hitCount,
+      resetAt: hitResetAt,
+      banned: false,
+      violations: 0,
+      banExpiresAt: 0
+    };
+  }
+  async isBanned(key) {
+    if (!this.ready)
+      await this.tablesReady;
+    const result = await this.pool.query({
+      name: this.isBannedQ.name,
+      text: this.isBannedQ.text,
+      values: [key, Date.now()]
+    });
+    return result.rowCount > 0;
+  }
+  async ban(key, durationMs) {
+    if (!this.ready)
+      await this.tablesReady;
+    await this.pool.query({
+      name: this.banQ.name,
+      text: this.banQ.text,
+      values: [key, Date.now() + durationMs]
+    });
+  }
+  async recordViolation(key, windowMs) {
+    if (!this.ready)
+      await this.tablesReady;
+    const now = Date.now();
+    const result = await this.pool.query({
+      name: this.recordViolationQ.name,
+      text: this.recordViolationQ.text,
+      values: [key, now + windowMs, now]
+    });
+    return result.rows[0].count;
+  }
+  async reset(key) {
+    if (!this.ready)
+      await this.tablesReady;
+    await this.pool.query(this.resetHitsQ, [key]);
+    await this.pool.query(this.resetBansQ, [key]);
+    await this.pool.query(this.resetViolationsQ, [key]);
+  }
+  async cleanup() {
+    try {
+      const now = Date.now();
+      await this.pool.query(this.cleanupHitsQ, [now]);
+      await this.pool.query(this.cleanupBansQ, [now]);
+      await this.pool.query(this.cleanupViolationsQ, [now]);
+    } catch {}
+  }
+  shutdown() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+  }
+}
+function postgresStore(options) {
+  return new PostgresStore(options);
+}
+export {
+  postgresStore
+};

package/dist/stores/redis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../src/stores/redis.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,2BAA2B,CAAA;AAG3E,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAqED,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,aAAa,CAErE"}
+{"version":3,"file":"redis.d.ts","sourceRoot":"","sources":["../../src/stores/redis.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAiC,MAAM,2BAA2B,CAAA;AAG7F,MAAM,WAAW,iBAAiB;IAChC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAmJD,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,aAAa,CAErE"}

package/dist/stores/redis.js

@@ -1,6 +1,56 @@
 // @bun
 // src/stores/redis.ts
 import Redis from "ioredis";
+var HIT_SCRIPT = `
+local key = KEYS[1]
+local windowMs = tonumber(ARGV[1])
+local count = redis.call('INCR', key)
+local ttl = redis.call('PTTL', key)
+if ttl < 0 then
+  redis.call('PEXPIRE', key, windowMs)
+  ttl = windowMs
+end
+return {count, ttl}
+`;
+var HIT_WITH_BAN_SCRIPT = `
+local hitKey = KEYS[1]
+local banKey = KEYS[2]
+local violationKey = KEYS[3]
+local windowMs = tonumber(ARGV[1])
+local limit = tonumber(ARGV[2])
+local banThreshold = tonumber(ARGV[3])
+local banDurationMs = tonumber(ARGV[4])
+
+-- Check ban first
+local banTTL = redis.call('PTTL', banKey)
+if banTTL > 0 then
+  return {-1, banTTL, 1, 0}
+end
+
+-- Hit counter
+local count = redis.call('INCR', hitKey)
+local ttl = redis.call('PTTL', hitKey)
+if ttl < 0 then
+  redis.call('PEXPIRE', hitKey, windowMs)
+  ttl = windowMs
+end
+
+-- Track violations if over limit
+local banned = 0
+local violations = 0
+if count > limit then
+  violations = redis.call('INCR', violationKey)
+  local vTTL = redis.call('PTTL', violationKey)
+  if vTTL < 0 then
+    redis.call('PEXPIRE', violationKey, banDurationMs)
+  end
+  if violations >= banThreshold then
+    redis.call('SET', banKey, '1', 'PX', banDurationMs)
+    banned = 1
+  end
+end
+return {count, ttl, banned, violations}
+`;
 
 class RedisStore {
   redis;
@@ -12,19 +62,41 @@ class RedisStore {
     this.prefix = options.keyPrefix ?? "hitlimit:";
     this.banPrefix = (options.keyPrefix ?? "hitlimit:") + "ban:";
     this.violationPrefix = (options.keyPrefix ?? "hitlimit:") + "violations:";
+    this.redis.defineCommand("hitlimitHit", {
+      numberOfKeys: 1,
+      lua: HIT_SCRIPT
+    });
+    this.redis.defineCommand("hitlimitHitWithBan", {
+      numberOfKeys: 3,
+      lua: HIT_WITH_BAN_SCRIPT
+    });
   }
   async hit(key, windowMs, _limit) {
     const redisKey = this.prefix + key;
-    const now = Date.now();
-    const results = await this.redis.multi().incr(redisKey).pttl(redisKey).exec();
-    const count = results[0][1];
-    let ttl = results[1][1];
-    if (ttl < 0) {
-      await this.redis.pexpire(redisKey, windowMs);
-      ttl = windowMs;
+    const result = await this.redis.hitlimitHit(redisKey, windowMs);
+    const count = result[0];
+    const ttl = result[1];
+    return { count, resetAt: Date.now() + ttl };
+  }
+  async hitWithBan(key, windowMs, limit, banThreshold, banDurationMs) {
+    const hitKey = this.prefix + key;
+    const banKey = this.banPrefix + key;
+    const violationKey = this.violationPrefix + key;
+    const result = await this.redis.hitlimitHitWithBan(hitKey, banKey, violationKey, windowMs, limit, banThreshold, banDurationMs);
+    const count = result[0];
+    const ttl = result[1];
+    const banned = result[2] === 1;
+    const violations = result[3];
+    if (count === -1) {
+      return { count: 0, resetAt: Date.now() + ttl, banned: true, violations: 0, banExpiresAt: Date.now() + ttl };
     }
-    const resetAt = now + ttl;
-    return { count, resetAt };
+    return {
+      count,
+      resetAt: Date.now() + ttl,
+      banned,
+      violations,
+      banExpiresAt: banned ? Date.now() + banDurationMs : 0
+    };
   }
   async isBanned(key) {
     const result = await this.redis.exists(this.banPrefix + key);

package/package.json

@@ -1,12 +1,30 @@
 {
   "name": "@joint-ops/hitlimit-bun",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "Ultra-fast Bun-native rate limiting - Memory-first with 6M+ ops/sec for Bun.serve, Elysia & Hono",
   "author": {
     "name": "Shayan M Hussain",
     "email": "shayanhussain48@gmail.com",
     "url": "https://github.com/ShayanHussainSB"
   },
+  "contributors": [
+    {
+      "name": "tanv33",
+      "url": "https://github.com/tanv33"
+    },
+    {
+      "name": "builtbyali",
+      "url": "https://github.com/builtbyali"
+    },
+    {
+      "name": "MuhammadRehanRasool",
+      "url": "https://github.com/MuhammadRehanRasool"
+    },
+    {
+      "name": "sultandilaram",
+      "url": "https://github.com/sultandilaram"
+    }
+  ],
   "license": "MIT",
   "homepage": "https://hitlimit.jointops.dev/docs/bun",
   "repository": {
@@ -104,6 +122,11 @@
       "types": "./dist/stores/sqlite.d.ts",
       "bun": "./dist/stores/sqlite.js",
       "import": "./dist/stores/sqlite.js"
+    },
+    "./stores/postgres": {
+      "types": "./dist/stores/postgres.d.ts",
+      "bun": "./dist/stores/postgres.js",
+      "import": "./dist/stores/postgres.js"
     }
   },
   "files": [
@@ -111,18 +134,19 @@
   ],
   "sideEffects": false,
   "scripts": {
-    "build": "bun build ./src/index.ts ./src/elysia.ts ./src/hono.ts ./src/stores/memory.ts ./src/stores/redis.ts ./src/stores/sqlite.ts --outdir=./dist --target=bun --external=elysia --external=hono --external=ioredis --external=@sinclair/typebox && tsc --emitDeclarationOnly",
+    "build": "bun build ./src/index.ts ./src/elysia.ts ./src/hono.ts ./src/stores/memory.ts ./src/stores/redis.ts ./src/stores/sqlite.ts ./src/stores/postgres.ts --outdir=./dist --target=bun --external=elysia --external=hono --external=ioredis --external=pg --external=@sinclair/typebox && tsc --emitDeclarationOnly",
     "clean": "rm -rf dist",
     "test": "bun test",
     "test:watch": "bun test --watch"
   },
   "dependencies": {
-    "@joint-ops/hitlimit-types": "1.1.2"
+    "@joint-ops/hitlimit-types": "1.2.0"
   },
   "peerDependencies": {
     "elysia": ">=1.0.0",
     "hono": ">=4.0.0",
-    "ioredis": ">=5.0.0"
+    "ioredis": ">=5.0.0",
+    "pg": ">=8.0.0"
   },
   "peerDependenciesMeta": {
     "elysia": {
@@ -133,14 +157,19 @@
     },
     "ioredis": {
       "optional": true
+    },
+    "pg": {
+      "optional": true
     }
   },
   "devDependencies": {
     "@sinclair/typebox": "^0.34.48",
     "@types/bun": "latest",
+    "@types/pg": "^8.11.0",
     "elysia": "^1.0.0",
     "hono": "^4.11.9",
     "ioredis": "^5.3.0",
+    "pg": "^8.13.0",
     "typescript": "^5.3.0"
   }
 }