@kuratchi/js 0.0.16 → 0.0.18

package/dist/runtime/do.js

@@ -30,6 +30,10 @@ export function __getDoSelf() {
 }
 const _resolvers = new Map();
 const _classBindings = new WeakMap();
+const _rpcProxyCache = new WeakMap();
+function __isDevMode() {
+    return !!globalThis.__kuratchi_DEV__;
+}
 /** @internal — called by compiler-generated init code */
 export function __registerDoResolver(binding, resolver) {
     _resolvers.set(binding, resolver);
@@ -94,36 +98,47 @@ export class kuratchiDO {
      */
     static rpc() {
         const klass = this;
-        return new Proxy({}, {
+        // Cache proxy per class to avoid repeated Proxy creation
+        let cached = _rpcProxyCache.get(klass);
+        if (cached)
+            return cached;
+        const proxy = new Proxy({}, {
             get(_, method) {
                 return async (...args) => {
                     const binding = this.binding || _classBindings.get(klass);
                     if (!binding) {
                         throw new Error(`[KuratchiJS] Missing DO binding for class '${this?.name || 'UnknownDO'}'. Add static binding or ensure compiler binding registration is active.`);
                     }
-                    console.log(`[rpc] ${binding}.${method}() — resolving stub...`);
+                    if (__isDevMode())
+                        console.log(`[rpc] ${binding}.${method}() — resolving stub...`);
                     const stub = await __getDoStub(binding);
                     if (!stub) {
                         throw new Error(`[KuratchiJS] Not authenticated — cannot call '${method}' on ${binding}`);
                     }
-                    console.log(`[rpc] ${binding}.${method}() — stub type: ${stub?.constructor?.name ?? typeof stub}`);
-                    console.log(`[rpc] ${binding}.${method}() — calling with ${args.length} arg(s)...`);
+                    if (__isDevMode()) {
+                        console.log(`[rpc] ${binding}.${method}() — stub type: ${stub?.constructor?.name ?? typeof stub}`);
+                        console.log(`[rpc] ${binding}.${method}() — calling with ${args.length} arg(s)...`);
+                    }
                     try {
                         // Call method directly on the stub — DO NOT detach with stub[method]
                         // then .apply(). Workers RPC stubs are Proxy-based; detaching breaks
                         // the runtime's interception and causes DataCloneError trying to
                         // serialize the DurableObject as `this`.
                         const result = await stub[method](...args);
-                        console.log(`[rpc] ${binding}.${method}() — returned, result type: ${typeof result}`);
+                        if (__isDevMode())
+                            console.log(`[rpc] ${binding}.${method}() — returned, result type: ${typeof result}`);
                         return result;
                     }
                     catch (err) {
-                        console.error(`[rpc] ${binding}.${method}() — THREW: ${err.message}`);
+                        if (__isDevMode())
+                            console.error(`[rpc] ${binding}.${method}() — THREW: ${err.message}`);
                         throw err;
                     }
                 };
             },
         });
+        _rpcProxyCache.set(klass, proxy);
+        return proxy;
     }
 }
 /**

package/dist/runtime/generated-worker.d.ts

@@ -14,8 +14,28 @@ export interface GeneratedPageRoute {
     load?: (params: Record<string, string>) => Promise<unknown> | unknown;
     actions?: Record<string, (...args: any[]) => Promise<unknown> | unknown>;
     rpc?: Record<string, (...args: any[]) => Promise<unknown> | unknown>;
+    /** Allowed query function names for this route (for query override validation) */
+    allowedQueries?: string[];
     render: (data: Record<string, any>) => PageRenderOutput;
 }
+export interface SecurityOptions {
+    /** Enable CSRF protection (default: true) */
+    csrfEnabled?: boolean;
+    /** CSRF cookie name (default: '__kuratchi_csrf') */
+    csrfCookieName?: string;
+    /** CSRF header name (default: 'x-kuratchi-csrf') */
+    csrfHeaderName?: string;
+    /** Require authentication for RPC (default: false) */
+    rpcRequireAuth?: boolean;
+    /** Require authentication for form actions (default: false) */
+    actionRequireAuth?: boolean;
+    /** Content Security Policy directive string */
+    contentSecurityPolicy?: string | null;
+    /** Strict-Transport-Security header value */
+    strictTransportSecurity?: string | null;
+    /** Permissions-Policy header value */
+    permissionsPolicy?: string | null;
+}
 export interface GeneratedWorkerOptions {
     routes: Array<GeneratedPageRoute | GeneratedApiRoute>;
     layout: (content: string, head?: string) => Promise<string> | string;
@@ -27,6 +47,8 @@ export interface GeneratedWorkerOptions {
     workflowStatusRpc?: Record<string, (instanceId: string) => Promise<unknown>>;
     initializeRequest?: (ctx: RuntimeContext) => Promise<void> | void;
     preRouteChecks?: (ctx: RuntimeContext) => Promise<Response | null | undefined> | Response | null | undefined;
+    /** Security configuration */
+    security?: SecurityOptions;
 }
 export declare function createGeneratedWorker(opts: GeneratedWorkerOptions): {
     fetch(request: Request, env: Record<string, any>, ctx: ExecutionContext): Promise<Response>;

package/dist/runtime/generated-worker.js

@@ -1,11 +1,25 @@
 import { __esc, __getLocals, __setLocal, __setRequestContext, buildDefaultBreadcrumbs } from './context.js';
 import { Router } from './router.js';
+import { initCsrf, getCsrfCookieHeader, validateRpcRequest, validateActionRequest, validateSignedFragment, validateQueryOverride, parseQueryArgs, CSRF_DEFAULTS, } from './security.js';
 export function createGeneratedWorker(opts) {
     const router = new Router();
     const runtimeEntries = __getRuntimeEntries(opts.runtimeDefinition);
     for (let i = 0; i < opts.routes.length; i++) {
         router.add(opts.routes[i].pattern, i);
     }
+    // Security configuration with defaults
+    const securityConfig = {
+        csrfEnabled: opts.security?.csrfEnabled ?? true,
+        csrfCookieName: opts.security?.csrfCookieName ?? CSRF_DEFAULTS.cookieName,
+        csrfHeaderName: opts.security?.csrfHeaderName ?? CSRF_DEFAULTS.headerName,
+        rpcRequireAuth: opts.security?.rpcRequireAuth ?? false,
+        actionRequireAuth: opts.security?.actionRequireAuth ?? false,
+        contentSecurityPolicy: opts.security?.contentSecurityPolicy ?? null,
+        strictTransportSecurity: opts.security?.strictTransportSecurity ?? null,
+        permissionsPolicy: opts.security?.permissionsPolicy ?? null,
+    };
+    // Initialize configurable security headers
+    __initSecurityHeaders(securityConfig);
     return {
         async fetch(request, env, ctx) {
             __setRequestContext(ctx, request, env);
@@ -17,12 +31,17 @@ export function createGeneratedWorker(opts) {
                 params: {},
                 locals: __getLocals(),
             };
+            // Initialize CSRF token for the request
+            if (securityConfig.csrfEnabled) {
+                initCsrf(request, securityConfig.csrfCookieName);
+            }
             if (opts.initializeRequest) {
                 await opts.initializeRequest(runtimeCtx);
             }
             const coreFetch = async () => {
                 const { url } = runtimeCtx;
-                const fragmentId = request.headers.get('x-kuratchi-fragment');
+                const signedFragmentId = request.headers.get('x-kuratchi-fragment');
+                let fragmentId = null;
                 const preRoute = opts.preRouteChecks ? await opts.preRouteChecks(runtimeCtx) : null;
                 if (preRoute instanceof Response) {
                     return __secHeaders(preRoute);
@@ -53,28 +72,58 @@ export function createGeneratedWorker(opts) {
                 }
                 runtimeCtx.params = match.params;
                 __setLocal('params', match.params);
+                __setLocal('__currentRoutePath', url.pathname);
                 const route = opts.routes[match.index];
                 if ('__api' in route && route.__api) {
                     return __dispatchApiRoute(route, runtimeCtx);
                 }
                 const pageRoute = route;
+                // Validate fragment ID if present
+                if (signedFragmentId) {
+                    const fragmentValidation = validateSignedFragment(signedFragmentId, url.pathname);
+                    if (!fragmentValidation.valid) {
+                        return __secHeaders(new Response(fragmentValidation.reason || 'Invalid fragment', { status: 403 }));
+                    }
+                    fragmentId = fragmentValidation.fragmentId;
+                }
+                // Validate and parse query override if present
                 const queryFn = request.headers.get('x-kuratchi-query-fn') || '';
                 const queryArgsRaw = request.headers.get('x-kuratchi-query-args') || '[]';
                 let queryArgs = [];
-                try {
-                    const parsed = JSON.parse(queryArgsRaw);
-                    queryArgs = Array.isArray(parsed) ? parsed : [];
+                if (queryFn) {
+                    // Validate query function is allowed for this route
+                    const allowedQueries = pageRoute.allowedQueries || [];
+                    // Also allow RPC functions as queries
+                    const rpcFunctions = pageRoute.rpc ? Object.keys(pageRoute.rpc) : [];
+                    const allAllowed = [...allowedQueries, ...rpcFunctions];
+                    if (allAllowed.length > 0) {
+                        const queryValidation = validateQueryOverride(queryFn, allAllowed);
+                        if (!queryValidation.valid) {
+                            return __secHeaders(new Response(JSON.stringify({ ok: false, error: queryValidation.reason }), {
+                                status: 403,
+                                headers: { 'content-type': 'application/json' },
+                            }));
+                        }
+                    }
+                    // Parse and validate query arguments
+                    const argsValidation = parseQueryArgs(queryArgsRaw);
+                    if (!argsValidation.valid) {
+                        return __secHeaders(new Response(JSON.stringify({ ok: false, error: argsValidation.reason }), {
+                            status: 400,
+                            headers: { 'content-type': 'application/json' },
+                        }));
+                    }
+                    queryArgs = argsValidation.args;
                 }
-                catch { }
                 __setLocal('__queryOverride', queryFn ? { fn: queryFn, args: queryArgs } : null);
                 if (!__getLocals().__breadcrumbs) {
                     __setLocal('breadcrumbs', buildDefaultBreadcrumbs(url.pathname, match.params));
                 }
-                const rpcResponse = await __handleRpc(pageRoute, opts.workflowStatusRpc ?? {}, runtimeCtx);
+                const rpcResponse = await __handleRpc(pageRoute, opts.workflowStatusRpc ?? {}, runtimeCtx, securityConfig);
                 if (rpcResponse)
                     return rpcResponse;
                 if (request.method === 'POST') {
-                    const actionResponse = await __handleAction(pageRoute, opts.layoutActions, opts.layout, runtimeCtx, fragmentId);
+                    const actionResponse = await __handleAction(pageRoute, opts.layoutActions, opts.layout, runtimeCtx, fragmentId, securityConfig);
                     if (actionResponse)
                         return actionResponse;
                 }
@@ -101,7 +150,7 @@ export function createGeneratedWorker(opts) {
                         return __secHeaders(handled);
                     console.error('[kuratchi] Route load/render error:', err);
                     const pageErrStatus = err?.isPageError && err.status ? err.status : 500;
-                    const errDetail = err?.isPageError ? err.message : (__isDevMode() && err?.message) ? err.message : undefined;
+                    const errDetail = __sanitizeErrorDetail(err);
                     return __secHeaders(new Response(await opts.layout(__renderError(opts.errorPages, pageErrStatus, errDetail)), {
                         status: pageErrStatus,
                         headers: { 'content-type': 'text/html; charset=utf-8' },
@@ -147,7 +196,7 @@ async function __dispatchApiRoute(route, runtimeCtx) {
     }
     return __secHeaders(await handler(runtimeCtx));
 }
-async function __handleRpc(route, workflowStatusRpc, runtimeCtx) {
+async function __handleRpc(route, workflowStatusRpc, runtimeCtx, securityConfig) {
     const { request, url } = runtimeCtx;
     const rpcName = url.searchParams.get('_rpc');
     const hasRouteRpc = rpcName && route.rpc && Object.hasOwn(route.rpc, rpcName);
@@ -155,8 +204,22 @@ async function __handleRpc(route, workflowStatusRpc, runtimeCtx) {
     if (!(request.method === 'GET' && rpcName && (hasRouteRpc || hasWorkflowRpc))) {
         return null;
     }
+    // Validate RPC request security
+    const rpcSecConfig = {
+        requireAuth: securityConfig.rpcRequireAuth,
+        validateCsrf: securityConfig.csrfEnabled,
+        allowedMethods: ['GET', 'POST'],
+    };
+    const rpcValidation = validateRpcRequest(request, rpcSecConfig);
+    if (!rpcValidation.valid) {
+        return __secHeaders(new Response(JSON.stringify({ ok: false, error: rpcValidation.reason || 'Forbidden' }), {
+            status: rpcValidation.status,
+            headers: { 'content-type': 'application/json', 'cache-control': 'no-store' },
+        }));
+    }
+    // Legacy header check (still required for backward compatibility)
     if (request.headers.get('x-kuratchi-rpc') !== '1') {
-        return __secHeaders(new Response(JSON.stringify({ ok: false, error: 'Forbidden' }), {
+        return __secHeaders(new Response(JSON.stringify({ ok: false, error: 'Missing RPC header' }), {
             status: 403,
             headers: { 'content-type': 'application/json', 'cache-control': 'no-store' },
         }));
@@ -170,27 +233,41 @@ async function __handleRpc(route, workflowStatusRpc, runtimeCtx) {
         }
         const rpcFn = hasRouteRpc ? route.rpc[rpcName] : workflowStatusRpc[rpcName];
         const rpcResult = await rpcFn(...rpcArgs);
-        return __secHeaders(new Response(JSON.stringify({ ok: true, data: rpcResult }), {
+        return __attachCookies(new Response(JSON.stringify({ ok: true, data: rpcResult }), {
             headers: { 'content-type': 'application/json', 'cache-control': 'no-store' },
         }));
     }
     catch (err) {
         console.error('[kuratchi] RPC error:', err);
-        const errMsg = __isDevMode() ? err?.message : 'Internal Server Error';
+        const errMsg = __sanitizeErrorMessage(err);
         return __secHeaders(new Response(JSON.stringify({ ok: false, error: errMsg }), {
             status: 500,
             headers: { 'content-type': 'application/json', 'cache-control': 'no-store' },
         }));
     }
 }
-async function __handleAction(route, layoutActions, layout, runtimeCtx, fragmentId) {
+async function __handleAction(route, layoutActions, layout, runtimeCtx, fragmentId, securityConfig) {
     const { request, url, params } = runtimeCtx;
     if (request.method !== 'POST')
         return null;
-    if (!__isSameOrigin(request, url)) {
-        return __secHeaders(new Response('Forbidden', { status: 403 }));
-    }
     const formData = await request.formData();
+    // Validate action request security
+    const actionSecConfig = {
+        validateCsrf: securityConfig.csrfEnabled,
+        requireSameOrigin: true,
+    };
+    const actionValidation = validateActionRequest(request, url, formData, actionSecConfig);
+    if (!actionValidation.valid) {
+        return __secHeaders(new Response(actionValidation.reason || 'Forbidden', { status: actionValidation.status }));
+    }
+    // Check authentication if required
+    if (securityConfig.actionRequireAuth) {
+        const locals = __getLocals();
+        const user = locals.user || locals.session?.user;
+        if (!user) {
+            return __secHeaders(new Response('Authentication required', { status: 401 }));
+        }
+    }
     const actionName = formData.get('_action');
     const actionKey = typeof actionName === 'string' ? actionName : null;
     const actionFn = (actionKey && route.actions && Object.hasOwn(route.actions, actionKey) ? route.actions[actionKey] : null)
@@ -223,7 +300,7 @@ async function __handleAction(route, layoutActions, layout, runtimeCtx, fragment
         }
         console.error('[kuratchi] Action error:', err);
         if (isFetchAction) {
-            const errMsg = __isDevMode() && err?.message ? err.message : 'Internal Server Error';
+            const errMsg = __sanitizeErrorMessage(err);
             return __secHeaders(new Response(JSON.stringify({ ok: false, error: errMsg }), {
                 status: 500,
                 headers: { 'content-type': 'application/json' },
@@ -238,7 +315,7 @@ async function __handleAction(route, layoutActions, layout, runtimeCtx, fragment
             if (!(key in data))
                 data[key] = { error: undefined, loading: false, success: false };
         });
-        const errMsg = err?.isActionError ? err.message : (__isDevMode() && err?.message) ? err.message : 'Action failed';
+        const errMsg = __sanitizeErrorMessage(err, 'Action failed');
         data[actionKey] = { error: errMsg, loading: false, success: false };
         return await __renderPage(layout, route, data, fragmentId);
     }
@@ -299,18 +376,26 @@ function __isSameOrigin(request, url) {
     }
 }
 function __secHeaders(response) {
-    for (const [key, value] of Object.entries(__defaultSecHeaders)) {
+    for (const [key, value] of Object.entries(__configuredSecHeaders)) {
         if (!response.headers.has(key))
             response.headers.set(key, value);
     }
     return response;
 }
 function __attachCookies(response) {
-    const cookies = __getLocals().__setCookieHeaders;
-    if (cookies && cookies.length > 0) {
+    const locals = __getLocals();
+    const cookies = locals.__setCookieHeaders;
+    const csrfCookie = getCsrfCookieHeader();
+    const hasCookies = (cookies && cookies.length > 0) || csrfCookie;
+    if (hasCookies) {
         const newResponse = new Response(response.body, response);
-        for (const header of cookies)
-            newResponse.headers.append('Set-Cookie', header);
+        if (cookies) {
+            for (const header of cookies)
+                newResponse.headers.append('Set-Cookie', header);
+        }
+        if (csrfCookie) {
+            newResponse.headers.append('Set-Cookie', csrfCookie);
+        }
         return __secHeaders(newResponse);
     }
     return __secHeaders(response);
@@ -393,11 +478,57 @@ function __getRuntimeEntries(runtimeDefinition) {
 function __isDevMode() {
     return !!globalThis.__kuratchi_DEV__;
 }
+/**
+ * Sanitize error messages for client responses.
+ * In production, only expose safe error messages to prevent information leakage.
+ * In dev mode, expose full error details for debugging.
+ */
+function __sanitizeErrorMessage(err, fallback = 'Internal Server Error') {
+    // Always allow explicit user-facing errors (ActionError, PageError)
+    if (err?.isActionError || err?.isPageError) {
+        return err.message || fallback;
+    }
+    // In dev mode, expose full error message for debugging
+    if (__isDevMode() && err?.message) {
+        return err.message;
+    }
+    // In production, use generic message to prevent information leakage
+    return fallback;
+}
+/**
+ * Sanitize error details for HTML error pages.
+ * Returns undefined in production to hide error details.
+ */
+function __sanitizeErrorDetail(err) {
+    // PageError messages are always safe to show
+    if (err?.isPageError) {
+        return err.message;
+    }
+    // In dev mode, show error details
+    if (__isDevMode() && err?.message) {
+        return err.message;
+    }
+    // In production, hide error details
+    return undefined;
+}
 const __defaultSecHeaders = {
     'X-Content-Type-Options': 'nosniff',
     'X-Frame-Options': 'DENY',
     'Referrer-Policy': 'strict-origin-when-cross-origin',
 };
+let __configuredSecHeaders = { ...__defaultSecHeaders };
+function __initSecurityHeaders(config) {
+    __configuredSecHeaders = { ...__defaultSecHeaders };
+    if (config.contentSecurityPolicy) {
+        __configuredSecHeaders['Content-Security-Policy'] = config.contentSecurityPolicy;
+    }
+    if (config.strictTransportSecurity) {
+        __configuredSecHeaders['Strict-Transport-Security'] = config.strictTransportSecurity;
+    }
+    if (config.permissionsPolicy) {
+        __configuredSecHeaders['Permissions-Policy'] = config.permissionsPolicy;
+    }
+}
 const __errorMessages = {
     400: 'Bad Request',
     401: 'Unauthorized',

package/dist/runtime/index.d.ts

@@ -5,7 +5,9 @@ export { defineRuntime } from './runtime.js';
 export { Router, filePathToPattern } from './router.js';
 export { getCtx, getRequest, getLocals, getParams, getParam, RedirectError, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './context.js';
 export { kuratchiDO, doRpc } from './do.js';
+export { initCsrf, getCsrfToken, validateCsrf, getCsrfCookieHeader, validateRpcRequest, validateActionRequest, applySecurityHeaders, signFragmentId, validateSignedFragment, validateQueryOverride, parseQueryArgs, CSRF_DEFAULTS, } from './security.js';
+export type { RpcSecurityConfig, ActionSecurityConfig, SecurityHeadersConfig, } from './security.js';
 export { extractSubdomainSlug, extractSlugFromPrefix, matchContainerViewPath, rewriteProxyLocationHeader, buildContainerRequest, createContainerEnvVars, startContainer, proxyToContainer, handleContainerRouting, forwardJsonPostToContainerDO, matchSiteViewPath, buildSiteContainerRequest, createWpContainerEnvVars, startSiteContainer, proxyToSiteContainer, } from './containers.js';
-export type { AppConfig, Env, AuthConfig, RouteContext, RouteModule, ApiRouteModule, HttpMethod, LayoutModule, PageRenderOutput, PageRenderResult, RuntimeContext, RuntimeDefinition, RuntimeStep, RuntimeNext, RuntimeErrorResult, } from './types.js';
+export type { AppConfig, Env, AuthConfig, SecurityConfig, RouteContext, RouteModule, ApiRouteModule, HttpMethod, LayoutModule, PageRenderOutput, PageRenderResult, RuntimeContext, RuntimeDefinition, RuntimeStep, RuntimeNext, RuntimeErrorResult, } from './types.js';
 export type { RpcOf } from './do.js';
 export { url, pathname, searchParams, headers, method, params, slug } from './request.js';

package/dist/runtime/index.js

@@ -5,6 +5,7 @@ export { defineRuntime } from './runtime.js';
 export { Router, filePathToPattern } from './router.js';
 export { getCtx, getRequest, getLocals, getParams, getParam, RedirectError, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './context.js';
 export { kuratchiDO, doRpc } from './do.js';
+export { initCsrf, getCsrfToken, validateCsrf, getCsrfCookieHeader, validateRpcRequest, validateActionRequest, applySecurityHeaders, signFragmentId, validateSignedFragment, validateQueryOverride, parseQueryArgs, CSRF_DEFAULTS, } from './security.js';
 export { extractSubdomainSlug, extractSlugFromPrefix, matchContainerViewPath, rewriteProxyLocationHeader, buildContainerRequest, createContainerEnvVars, startContainer, proxyToContainer, handleContainerRouting, forwardJsonPostToContainerDO, 
 // Compatibility aliases
 matchSiteViewPath, buildSiteContainerRequest, createWpContainerEnvVars, startSiteContainer, proxyToSiteContainer, } from './containers.js';

package/dist/runtime/router.d.ts

@@ -5,6 +5,8 @@
  *   /todos          → static
  *   /blog/:slug     → named param
  *   /files/*rest    → catch-all
+ *
+ * Uses a radix tree for O(log n) dynamic route matching instead of O(n) linear scan.
  */
 export interface MatchResult {
     params: Record<string, string>;
@@ -12,11 +14,13 @@ export interface MatchResult {
 }
 export declare class Router {
     private staticRoutes;
-    private dynamicRoutes;
+    private root;
     /** Register a pattern (e.g. '/blog/:slug') and associate it with an index. */
     add(pattern: string, index: number): void;
     /** Match a pathname against registered routes. Returns null if no match. */
     match(pathname: string): MatchResult | null;
+    /** Recursive radix tree matching with backtracking */
+    private matchNode;
 }
 /**
  * Convert a file-system path to a route pattern.

package/dist/runtime/router.js

@@ -5,56 +5,141 @@
  *   /todos          → static
  *   /blog/:slug     → named param
  *   /files/*rest    → catch-all
+ *
+ * Uses a radix tree for O(log n) dynamic route matching instead of O(n) linear scan.
  */
+function createNode(segment, type, paramName) {
+    return {
+        segment,
+        type,
+        paramName,
+        children: new Map(),
+    };
+}
 export class Router {
     staticRoutes = new Map();
-    dynamicRoutes = [];
+    root = createNode('', 0 /* NodeType.Static */);
     /** Register a pattern (e.g. '/blog/:slug') and associate it with an index. */
     add(pattern, index) {
         if (!pattern.includes(':') && !pattern.includes('*')) {
             this.staticRoutes.set(pattern, index);
             return;
         }
-        const paramNames = [];
-        // Convert pattern to regex
-        // :param  → named capture group
-        // *param  → catch-all capture group
-        let regexStr = pattern
-            // Catch-all: /files/*rest → /files/(?<rest>.+)
-            .replace(/\*(\w+)/g, (_match, name) => {
-            paramNames.push(name);
-            return `(?<${name}>.+)`;
-        })
-            // Named params: /blog/:slug → /blog/(?<slug>[^/]+)
-            .replace(/:(\w+)/g, (_match, name) => {
-            paramNames.push(name);
-            return `(?<${name}>[^/]+)`;
-        });
-        // Anchor
-        regexStr = `^${regexStr}$`;
-        this.dynamicRoutes.push({
-            regex: new RegExp(regexStr),
-            paramNames,
-            index,
-        });
+        // Parse pattern into segments
+        const segments = pattern.split('/').filter(Boolean);
+        let node = this.root;
+        for (let i = 0; i < segments.length; i++) {
+            const seg = segments[i];
+            if (seg.startsWith('*')) {
+                // Catch-all: *param
+                const paramName = seg.slice(1);
+                if (!node.catchAllChild) {
+                    node.catchAllChild = createNode('', 2 /* NodeType.CatchAll */, paramName);
+                }
+                node = node.catchAllChild;
+                // Catch-all must be last segment
+                break;
+            }
+            else if (seg.startsWith(':')) {
+                // Param: :param
+                const paramName = seg.slice(1);
+                if (!node.paramChild) {
+                    node.paramChild = createNode('', 1 /* NodeType.Param */, paramName);
+                }
+                node = node.paramChild;
+            }
+            else {
+                // Static segment
+                const key = seg[0] || '';
+                let child = node.children.get(key);
+                if (!child) {
+                    child = createNode(seg, 0 /* NodeType.Static */);
+                    node.children.set(key, child);
+                }
+                else if (child.segment !== seg) {
+                    // Handle prefix splitting for true radix tree (simplified: exact match only)
+                    // For simplicity, we use segment-level matching which is sufficient for route patterns
+                    let found = false;
+                    for (const [, c] of node.children) {
+                        if (c.segment === seg) {
+                            child = c;
+                            found = true;
+                            break;
+                        }
+                    }
+                    if (!found) {
+                        child = createNode(seg, 0 /* NodeType.Static */);
+                        // Use full segment as key for collision handling
+                        node.children.set(seg, child);
+                    }
+                }
+                node = child;
+            }
+        }
+        node.routeIndex = index;
     }
     /** Match a pathname against registered routes. Returns null if no match. */
     match(pathname) {
         // Normalize: strip trailing slash (except root)
         const normalized = pathname === '/' ? '/' : pathname.replace(/\/$/, '');
+        // Fast path: static routes (O(1))
         const staticIdx = this.staticRoutes.get(normalized);
         if (staticIdx !== undefined) {
             return { params: {}, index: staticIdx };
         }
-        for (const route of this.dynamicRoutes) {
-            const m = normalized.match(route.regex);
-            if (m) {
-                const params = {};
-                for (const name of route.paramNames) {
-                    params[name] = m.groups?.[name] ?? '';
-                }
-                return { params, index: route.index };
+        // Radix tree traversal for dynamic routes
+        const segments = normalized.split('/').filter(Boolean);
+        const params = {};
+        const result = this.matchNode(this.root, segments, 0, params);
+        if (result !== null) {
+            return { params, index: result };
+        }
+        return null;
+    }
+    /** Recursive radix tree matching with backtracking */
+    matchNode(node, segments, segIdx, params) {
+        // Base case: consumed all segments
+        if (segIdx >= segments.length) {
+            return node.routeIndex ?? null;
+        }
+        const seg = segments[segIdx];
+        // 1. Try static children first (highest priority)
+        // Check by first char, then by full segment
+        const staticChild = node.children.get(seg[0]) ?? node.children.get(seg);
+        if (staticChild && staticChild.segment === seg) {
+            const result = this.matchNode(staticChild, segments, segIdx + 1, params);
+            if (result !== null)
+                return result;
+        }
+        // Also check full segment key for collision handling
+        for (const [key, child] of node.children) {
+            if (key !== seg[0] && child.segment === seg) {
+                const result = this.matchNode(child, segments, segIdx + 1, params);
+                if (result !== null)
+                    return result;
+            }
+        }
+        // 2. Try param child (second priority)
+        if (node.paramChild) {
+            const paramName = node.paramChild.paramName;
+            const oldValue = params[paramName];
+            params[paramName] = seg;
+            const result = this.matchNode(node.paramChild, segments, segIdx + 1, params);
+            if (result !== null)
+                return result;
+            // Backtrack
+            if (oldValue !== undefined) {
+                params[paramName] = oldValue;
             }
+            else {
+                delete params[paramName];
+            }
+        }
+        // 3. Try catch-all child (lowest priority, consumes rest)
+        if (node.catchAllChild) {
+            const paramName = node.catchAllChild.paramName;
+            params[paramName] = segments.slice(segIdx).join('/');
+            return node.catchAllChild.routeIndex ?? null;
         }
         return null;
     }