@mantiq/core 0.0.1

package/src/index.ts

@@ -0,0 +1,97 @@
+// ── Application ───────────────────────────────────────────────────────────────
+export { Application } from './application/Application.ts'
+
+// ── Macroable ────────────────────────────────────────────────────────────────
+export { Macroable, applyMacros } from './macroable/Macroable.ts'
+export type { MacroableStatic, MacroableInstance } from './macroable/Macroable.ts'
+
+// ── Contracts (interfaces + base classes) ────────────────────────────────────
+export type { Container, Bindable, Resolvable, Constructor, ContextualBindingBuilder } from './contracts/Container.ts'
+export type { Config } from './contracts/Config.ts'
+export type { Middleware, NextFunction } from './contracts/Middleware.ts'
+export type { MantiqRequest } from './contracts/Request.ts'
+export type { MantiqResponseBuilder, CookieOptions } from './contracts/Response.ts'
+export type { Router, RouterRoute, RouteAction, RouteGroupOptions, RouteMatch, RouteDefinition, HttpMethod } from './contracts/Router.ts'
+export type { ExceptionHandler } from './contracts/ExceptionHandler.ts'
+export type { DriverManager } from './contracts/DriverManager.ts'
+export type { Encrypter } from './contracts/Encrypter.ts'
+export type { Hasher } from './contracts/Hasher.ts'
+export type { CacheStore } from './contracts/Cache.ts'
+export type { SessionHandler, SessionConfig } from './contracts/Session.ts'
+export type { EventDispatcher, EventHandler } from './contracts/EventDispatcher.ts'
+export { ServiceProvider } from './contracts/ServiceProvider.ts'
+export { Event, Listener } from './contracts/EventDispatcher.ts'
+export type { WebSocketHandler, WebSocketContext } from './websocket/WebSocketContext.ts'
+
+// ── Errors ────────────────────────────────────────────────────────────────────
+export { MantiqError } from './errors/MantiqError.ts'
+export { HttpError } from './errors/HttpError.ts'
+export { NotFoundError } from './errors/NotFoundError.ts'
+export { UnauthorizedError } from './errors/UnauthorizedError.ts'
+export { ForbiddenError } from './errors/ForbiddenError.ts'
+export { ValidationError } from './errors/ValidationError.ts'
+export { TooManyRequestsError } from './errors/TooManyRequestsError.ts'
+export { ContainerResolutionError } from './errors/ContainerResolutionError.ts'
+export { ConfigKeyNotFoundError } from './errors/ConfigKeyNotFoundError.ts'
+export { TokenMismatchError } from './errors/TokenMismatchError.ts'
+export { EncryptionError, DecryptionError, MissingAppKeyError } from './encryption/errors.ts'
+
+// ── Implementations ───────────────────────────────────────────────────────────
+export { ContainerImpl } from './container/Container.ts'
+export { ConfigRepository } from './config/ConfigRepository.ts'
+export { MantiqRequest as MantiqRequestImpl } from './http/Request.ts'
+export { MantiqResponse, ResponseBuilder } from './http/Response.ts'
+export { serializeCookie, parseCookies } from './http/Cookie.ts'
+export { UploadedFile } from './http/UploadedFile.ts'
+export { HttpKernel } from './http/Kernel.ts'
+export { RouterImpl } from './routing/Router.ts'
+export { Route } from './routing/Route.ts'
+export { RouteMatched } from './routing/events.ts'
+export { Pipeline } from './middleware/Pipeline.ts'
+export { CorsMiddleware } from './middleware/Cors.ts'
+export { TrimStringsMiddleware } from './middleware/TrimStrings.ts'
+export { StartSession } from './middleware/StartSession.ts'
+export { EncryptCookies } from './middleware/EncryptCookies.ts'
+export { VerifyCsrfToken } from './middleware/VerifyCsrfToken.ts'
+export { WebSocketKernel } from './websocket/WebSocketKernel.ts'
+export { DefaultExceptionHandler } from './exceptions/Handler.ts'
+export { CoreServiceProvider } from './providers/CoreServiceProvider.ts'
+
+// ── Encryption ────────────────────────────────────────────────────────────────
+export { AesEncrypter } from './encryption/Encrypter.ts'
+
+// ── Hashing ───────────────────────────────────────────────────────────────────
+export { HashManager } from './hashing/HashManager.ts'
+export { BcryptHasher } from './hashing/BcryptHasher.ts'
+export { Argon2Hasher } from './hashing/Argon2Hasher.ts'
+
+// ── Cache ─────────────────────────────────────────────────────────────────────
+export { CacheManager } from './cache/CacheManager.ts'
+export type { CacheConfig } from './cache/CacheManager.ts'
+export { MemoryCacheStore } from './cache/MemoryCacheStore.ts'
+export { FileCacheStore } from './cache/FileCacheStore.ts'
+export { RedisCacheStore } from './cache/RedisCacheStore.ts'
+export type { RedisCacheConfig } from './cache/RedisCacheStore.ts'
+export { MemcachedCacheStore } from './cache/MemcachedCacheStore.ts'
+export type { MemcachedCacheConfig } from './cache/MemcachedCacheStore.ts'
+export { NullCacheStore } from './cache/NullCacheStore.ts'
+export { CacheHit, CacheMissed, KeyWritten, KeyForgotten } from './cache/events.ts'
+
+// ── Session ───────────────────────────────────────────────────────────────────
+export { SessionManager } from './session/SessionManager.ts'
+export { SessionStore } from './session/Store.ts'
+export { MemorySessionHandler } from './session/handlers/MemorySessionHandler.ts'
+export { FileSessionHandler } from './session/handlers/FileSessionHandler.ts'
+export { CookieSessionHandler } from './session/handlers/CookieSessionHandler.ts'
+
+// ── Global helpers ────────────────────────────────────────────────────────────
+export { config } from './helpers/config.ts'
+export { env } from './helpers/env.ts'
+export { app } from './helpers/app.ts'
+export { route, ROUTER } from './helpers/route.ts'
+export { abort } from './helpers/abort.ts'
+export { encrypt, decrypt, ENCRYPTER } from './helpers/encrypt.ts'
+export { response, json, html, redirect, noContent, stream, download } from './helpers/response.ts'
+export { hash, hashCheck } from './helpers/hash.ts'
+export { cache } from './helpers/cache.ts'
+export { session } from './helpers/session.ts'

package/src/macroable/Macroable.ts

@@ -0,0 +1,174 @@
+/**
+ * Macroable — allows dynamically adding methods to classes at runtime.
+ *
+ * Laravel equivalent: `Illuminate\Support\Traits\Macroable`
+ *
+ * Two usage patterns:
+ *
+ * 1. **Mixin function** — wrap a class to get full Proxy-based macro support:
+ *    ```ts
+ *    const MyClass = Macroable(BaseClass)
+ *    MyClass.macro('custom', function() { return this.value })
+ *    new MyClass().custom() // works transparently
+ *    ```
+ *
+ * 2. **Apply to existing class** — add macro support without changing class identity:
+ *    ```ts
+ *    applyMacros(QueryBuilder)
+ *    QueryBuilder.macro('toCsv', function() { ... })
+ *    // Call via __macro() or extend the prototype
+ *    ```
+ *
+ * For TypeScript type safety, users can augment the interface:
+ *   declare module '@mantiq/database' {
+ *     interface QueryBuilder { toCsv(): Promise<string> }
+ *   }
+ */
+
+type Constructor<T = object> = new (...args: any[]) => T
+
+export interface MacroableStatic {
+  macro(name: string, fn: Function): void
+  mixin(mixins: Record<string, Function>, replace?: boolean): void
+  hasMacro(name: string): boolean
+  flushMacros(): void
+}
+
+export interface MacroableInstance {
+  __macro(name: string, ...args: any[]): any
+}
+
+/**
+ * Mixin function that adds macro support to a class.
+ *
+ * Returns a Proxy-wrapped class where:
+ * - Static macro/mixin/hasMacro/flushMacros methods are available
+ * - Instance method calls fall through to registered macros
+ * - Each subclass inherits parent macros but gets its own macro registry
+ */
+export function Macroable<T extends Constructor>(Base: T): T & MacroableStatic {
+  class MacroableClass extends (Base as Constructor) {
+    private static _macros = new Map<string, Function>()
+
+    static macro(name: string, fn: Function): void {
+      this._ensureOwnMacros()
+      this._macros.set(name, fn)
+    }
+
+    static mixin(mixins: Record<string, Function>, replace = true): void {
+      for (const [name, fn] of Object.entries(mixins)) {
+        if (replace || !this.hasMacro(name)) {
+          this.macro(name, fn)
+        }
+      }
+    }
+
+    static hasMacro(name: string): boolean {
+      return this._macros.has(name)
+    }
+
+    static flushMacros(): void {
+      this._ensureOwnMacros()
+      this._macros.clear()
+    }
+
+    __macro(name: string, ...args: any[]): any {
+      const fn = (this.constructor as typeof MacroableClass)._macros?.get(name)
+      if (!fn) {
+        throw new Error(
+          `Method ${name} does not exist on ${this.constructor.name}. Did you forget to register it with ${this.constructor.name}.macro()?`,
+        )
+      }
+      return fn.apply(this, args)
+    }
+
+    private static _ensureOwnMacros(): void {
+      if (!Object.prototype.hasOwnProperty.call(this, '_macros')) {
+        this._macros = new Map(this._macros)
+      }
+    }
+  }
+
+  // Proxy for transparent macro calls on instances
+  return new Proxy(MacroableClass, {
+    construct(target, args, newTarget) {
+      const instance = Reflect.construct(target, args, newTarget)
+      return new Proxy(instance, {
+        get(obj, prop, receiver) {
+          const value = Reflect.get(obj, prop, receiver)
+          if (value !== undefined) return value
+
+          if (typeof prop === 'string') {
+            const macroFn = (obj.constructor as typeof MacroableClass)._macros?.get(prop)
+            if (macroFn) {
+              return (...callArgs: any[]) => macroFn.apply(obj, callArgs)
+            }
+          }
+
+          return value
+        },
+      })
+    },
+  }) as unknown as T & MacroableStatic
+}
+
+/**
+ * Apply macro support to an existing class without wrapping it in a Proxy.
+ *
+ * This is the non-destructive approach — it doesn't change the class identity,
+ * preserving `instanceof` checks and existing imports. Macros are called via
+ * `instance.__macro('name', ...args)`.
+ *
+ * Use this for framework classes (QueryBuilder, Collection, etc.) that are
+ * already widely exported.
+ */
+export function applyMacros<T extends Constructor>(Target: T): void {
+  const macros = new Map<string, Function>()
+
+  Object.defineProperties(Target, {
+    _macros: { value: macros, writable: true, configurable: true },
+
+    macro: {
+      value(name: string, fn: Function): void {
+        macros.set(name, fn)
+      },
+      configurable: true,
+    },
+
+    mixin: {
+      value(mixins: Record<string, Function>, replace = true): void {
+        for (const [name, fn] of Object.entries(mixins)) {
+          if (replace || !macros.has(name)) {
+            macros.set(name, fn)
+          }
+        }
+      },
+      configurable: true,
+    },
+
+    hasMacro: {
+      value(name: string): boolean {
+        return macros.has(name)
+      },
+      configurable: true,
+    },
+
+    flushMacros: {
+      value(): void {
+        macros.clear()
+      },
+      configurable: true,
+    },
+  })
+
+  // Add __macro to prototype
+  Target.prototype.__macro = function (name: string, ...args: any[]): any {
+    const fn = macros.get(name)
+    if (!fn) {
+      throw new Error(
+        `Method ${name} does not exist on ${Target.name}. Did you forget to register it with ${Target.name}.macro()?`,
+      )
+    }
+    return fn.apply(this, args)
+  }
+}

package/src/middleware/Cors.ts

@@ -0,0 +1,91 @@
+import type { Middleware, NextFunction } from '../contracts/Middleware.ts'
+import type { MantiqRequest } from '../contracts/Request.ts'
+import { ConfigRepository } from '../config/ConfigRepository.ts'
+
+interface CorsConfig {
+  origin: string | string[] | '*'
+  methods: string[]
+  allowedHeaders: string[]
+  exposedHeaders: string[]
+  credentials: boolean
+  maxAge: number
+}
+
+/**
+ * Cross-Origin Resource Sharing middleware.
+ * Configure via config/cors.ts.
+ */
+export class CorsMiddleware implements Middleware {
+  private config: CorsConfig
+
+  constructor(configRepo?: ConfigRepository) {
+    this.config = {
+      origin: configRepo?.get('cors.origin', '*') ?? '*',
+      methods: configRepo?.get('cors.methods', ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']) ?? ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
+      allowedHeaders: configRepo?.get('cors.allowedHeaders', ['Content-Type', 'Authorization', 'X-Requested-With']) ?? ['Content-Type', 'Authorization', 'X-Requested-With'],
+      exposedHeaders: configRepo?.get('cors.exposedHeaders', []) ?? [],
+      credentials: configRepo?.get('cors.credentials', false) ?? false,
+      maxAge: configRepo?.get('cors.maxAge', 0) ?? 0,
+    }
+  }
+
+  async handle(request: MantiqRequest, next: NextFunction): Promise<Response> {
+    const origin = request.header('origin') ?? ''
+
+    // Handle preflight
+    if (request.method() === 'OPTIONS') {
+      return this.buildPreflightResponse(origin)
+    }
+
+    const response = await next()
+    return this.addCorsHeaders(response, origin)
+  }
+
+  private buildPreflightResponse(origin: string): Response {
+    const headers: Record<string, string> = {
+      'Access-Control-Allow-Methods': this.config.methods.join(', '),
+      'Access-Control-Allow-Headers': this.config.allowedHeaders.join(', '),
+    }
+
+    this.applyOriginHeader(headers, origin)
+
+    if (this.config.credentials) headers['Access-Control-Allow-Credentials'] = 'true'
+    if (this.config.maxAge > 0) headers['Access-Control-Max-Age'] = String(this.config.maxAge)
+    if (this.config.exposedHeaders.length > 0) {
+      headers['Access-Control-Expose-Headers'] = this.config.exposedHeaders.join(', ')
+    }
+
+    return new Response(null, { status: 204, headers })
+  }
+
+  private addCorsHeaders(response: Response, origin: string): Response {
+    const headers = new Headers(response.headers)
+    this.setOriginHeader(headers, origin)
+    if (this.config.credentials) headers.set('Access-Control-Allow-Credentials', 'true')
+    if (this.config.exposedHeaders.length > 0) {
+      headers.set('Access-Control-Expose-Headers', this.config.exposedHeaders.join(', '))
+    }
+    return new Response(response.body, { status: response.status, headers })
+  }
+
+  private setOriginHeader(headers: Headers, requestOrigin: string): void {
+    const { origin } = this.config
+    if (origin === '*') {
+      headers.set('Access-Control-Allow-Origin', '*')
+    } else if (Array.isArray(origin)) {
+      if (origin.includes(requestOrigin)) {
+        headers.set('Access-Control-Allow-Origin', requestOrigin)
+        headers.set('Vary', 'Origin')
+      }
+    } else if (origin === requestOrigin) {
+      headers.set('Access-Control-Allow-Origin', requestOrigin)
+      headers.set('Vary', 'Origin')
+    }
+  }
+
+  private applyOriginHeader(headers: Record<string, string>, requestOrigin: string): void {
+    const tmp = new Headers()
+    this.setOriginHeader(tmp, requestOrigin)
+    tmp.forEach((v, k) => { headers[k] = v })
+  }
+}

package/src/middleware/EncryptCookies.ts

@@ -0,0 +1,101 @@
+import type { Middleware, NextFunction } from '../contracts/Middleware.ts'
+import type { MantiqRequest } from '../contracts/Request.ts'
+import { AesEncrypter } from '../encryption/Encrypter.ts'
+import { parseCookies, serializeCookie } from '../http/Cookie.ts'
+
+/**
+ * Middleware that encrypts outgoing cookies and decrypts incoming cookies.
+ *
+ * Cookies listed in `except` are left unencrypted (e.g. XSRF-TOKEN must be
+ * readable by JavaScript for the double-submit pattern).
+ */
+export class EncryptCookies implements Middleware {
+  /** Cookie names that should NOT be encrypted/decrypted. */
+  protected except: string[] = []
+
+  constructor(private readonly encrypter: AesEncrypter) {}
+
+  async handle(request: MantiqRequest, next: NextFunction): Promise<Response> {
+    // Decrypt incoming cookies by replacing the raw Request with decrypted values
+    const decryptedRequest = await this.decryptRequest(request)
+
+    const response = await next()
+
+    return this.encryptResponse(response)
+  }
+
+  /**
+   * Decrypt cookies on the incoming request.
+   * We patch the raw Request's cookie header with decrypted values.
+   */
+  private async decryptRequest(request: MantiqRequest): Promise<MantiqRequest> {
+    const raw = request.raw()
+    const cookieHeader = raw.headers.get('cookie')
+    if (!cookieHeader) return request
+
+    const cookies = parseCookies(cookieHeader)
+    const decrypted: Record<string, string> = {}
+
+    for (const [name, value] of Object.entries(cookies)) {
+      if (this.isExcluded(name)) {
+        decrypted[name] = value
+        continue
+      }
+
+      try {
+        decrypted[name] = await this.encrypter.decrypt(value)
+      } catch {
+        // Can't decrypt — skip this cookie (expired key, tampered, etc.)
+        decrypted[name] = value
+      }
+    }
+
+    // Inject the decrypted cookies so subsequent middleware/handlers see plain values
+    request.setCookies(decrypted)
+    return request
+  }
+
+  /**
+   * Encrypt cookies on the outgoing response.
+   */
+  private async encryptResponse(response: Response): Promise<Response> {
+    const headers = new Headers(response.headers)
+    const setCookies = headers.getSetCookie()
+
+    if (setCookies.length === 0) return response
+
+    // Remove existing Set-Cookie headers
+    headers.delete('Set-Cookie')
+
+    for (const setCookie of setCookies) {
+      const [nameValue, ...parts] = setCookie.split('; ')
+      const eqIdx = nameValue!.indexOf('=')
+      const name = decodeURIComponent(nameValue!.slice(0, eqIdx))
+      const value = decodeURIComponent(nameValue!.slice(eqIdx + 1))
+
+      if (this.isExcluded(name)) {
+        headers.append('Set-Cookie', setCookie)
+        continue
+      }
+
+      try {
+        const encrypted = await this.encrypter.encrypt(value)
+        const newSetCookie = `${encodeURIComponent(name)}=${encodeURIComponent(encrypted)}; ${parts.join('; ')}`
+        headers.append('Set-Cookie', newSetCookie)
+      } catch {
+        // If encryption fails, send unencrypted (shouldn't happen with valid key)
+        headers.append('Set-Cookie', setCookie)
+      }
+    }
+
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers,
+    })
+  }
+
+  private isExcluded(name: string): boolean {
+    return this.except.includes(name)
+  }
+}

package/src/middleware/Pipeline.ts

@@ -0,0 +1,66 @@
+import type { Container, Constructor } from '../contracts/Container.ts'
+import type { Middleware, NextFunction } from '../contracts/Middleware.ts'
+import type { MantiqRequest } from '../contracts/Request.ts'
+
+/**
+ * Executes a chain of middleware around a destination handler.
+ *
+ * Usage:
+ *   const response = await new Pipeline(container)
+ *     .send(request)
+ *     .through([AuthMiddleware, ThrottleMiddleware])
+ *     .then(async (req) => controller.handle(req))
+ */
+export class Pipeline {
+  private passable!: MantiqRequest
+  private pipes: Constructor<Middleware>[] = []
+  /** Track middleware instances for terminable cleanup */
+  private resolved: Middleware[] = []
+
+  constructor(private readonly container: Container) {}
+
+  send(request: MantiqRequest): this {
+    this.passable = request
+    return this
+  }
+
+  through(middleware: Constructor<Middleware>[]): this {
+    this.pipes = middleware
+    return this
+  }
+
+  async then(destination: (request: MantiqRequest) => Promise<Response>): Promise<Response> {
+    const pipeline = this.build(destination)
+    return pipeline()
+  }
+
+  /**
+   * Run terminable middleware after the response has been sent.
+   * Call this after the response is returned from then().
+   */
+  async terminate(response: Response): Promise<void> {
+    for (const middleware of this.resolved) {
+      if (middleware.terminate) {
+        await middleware.terminate(this.passable, response)
+      }
+    }
+  }
+
+  // ── Private ───────────────────────────────────────────────────────────────
+
+  private build(
+    destination: (request: MantiqRequest) => Promise<Response>,
+  ): NextFunction {
+    // Build from the inside out: last middleware wraps the destination
+    return this.pipes.reduceRight(
+      (next: NextFunction, MiddlewareClass: Constructor<Middleware>): NextFunction => {
+        return async (): Promise<Response> => {
+          const middleware = this.container.make(MiddlewareClass)
+          this.resolved.push(middleware)
+          return middleware.handle(this.passable, next)
+        }
+      },
+      () => destination(this.passable),
+    )
+  }
+}

package/src/middleware/StartSession.ts

@@ -0,0 +1,90 @@
+import type { Middleware, NextFunction } from '../contracts/Middleware.ts'
+import type { MantiqRequest } from '../contracts/Request.ts'
+import { SessionManager } from '../session/SessionManager.ts'
+import { SessionStore } from '../session/Store.ts'
+import { CookieSessionHandler } from '../session/handlers/CookieSessionHandler.ts'
+import { serializeCookie } from '../http/Cookie.ts'
+
+/**
+ * Middleware that starts a session on each request.
+ *
+ * Lifecycle:
+ * 1. Read session ID from cookie (or generate a new one)
+ * 2. Load session data from the handler
+ * 3. Attach session to request
+ * 4. Call next()
+ * 5. Age flash data
+ * 6. Save session
+ * 7. Attach session cookie to response
+ */
+export class StartSession implements Middleware {
+  constructor(private readonly manager: SessionManager) {}
+
+  async handle(request: MantiqRequest, next: NextFunction): Promise<Response> {
+    const config = this.manager.getConfig()
+    const handler = this.manager.driver()
+
+    // Read session ID from cookie
+    const sessionId = request.cookie(config.cookie) ?? SessionStore.generateId()
+
+    // For cookie driver: seed data from cookie before starting
+    if (handler instanceof CookieSessionHandler) {
+      const cookieData = request.cookie(config.cookie + '_data') ?? ''
+      if (cookieData) {
+        try {
+          handler.setDataFromCookie(sessionId, decodeURIComponent(cookieData))
+        } catch {
+          // Invalid cookie data — will start fresh
+        }
+      }
+    }
+
+    // Create and start session
+    const session = new SessionStore(config.cookie, handler, sessionId)
+    await session.start()
+
+    // Attach to request
+    request.setSession(session)
+
+    // Process request
+    const response = await next()
+
+    // Age flash data
+    session.ageFlashData()
+
+    // Save session
+    await session.save()
+
+    // Attach cookie to response
+    return this.addCookieToResponse(response, session, config)
+  }
+
+  private addCookieToResponse(
+    response: Response,
+    session: SessionStore,
+    config: ReturnType<SessionManager['getConfig']>,
+  ): Response {
+    const headers = new Headers(response.headers)
+
+    // Session ID cookie
+    const cookieOpts: Record<string, any> = {
+      path: config.path,
+      secure: config.secure,
+      httpOnly: config.httpOnly,
+      sameSite: config.sameSite,
+      maxAge: config.lifetime * 60,
+    }
+    if (config.domain) cookieOpts.domain = config.domain
+
+    headers.append(
+      'Set-Cookie',
+      serializeCookie(session.getName(), session.getId(), cookieOpts),
+    )
+
+    return new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers,
+    })
+  }
+}

package/src/middleware/TrimStrings.ts

@@ -0,0 +1,32 @@
+import type { Middleware, NextFunction } from '../contracts/Middleware.ts'
+import type { MantiqRequest } from '../contracts/Request.ts'
+
+/**
+ * Trims whitespace from all string input values.
+ * Applied globally in the web middleware group.
+ */
+export class TrimStringsMiddleware implements Middleware {
+  /** Input keys to skip (e.g., passwords). */
+  protected except: string[] = ['password', 'password_confirmation', 'current_password']
+
+  async handle(request: MantiqRequest, next: NextFunction): Promise<Response> {
+    // @internal: Trimming happens lazily when input() is accessed.
+    // We wrap the request's input by patching parsedBody after first access.
+    // Since MantiqRequest.input() is async and parses lazily, we can intercept
+    // by using a Proxy or post-parse hook. For simplicity we pre-parse here.
+    try {
+      const body = await (request as any).parseBodyForTrimming?.()
+      if (body && typeof body === 'object') {
+        for (const key of Object.keys(body)) {
+          if (!this.except.includes(key) && typeof body[key] === 'string') {
+            body[key] = (body[key] as string).trim()
+          }
+        }
+      }
+    } catch {
+      // Ignore parse errors — next middleware will handle them
+    }
+
+    return next()
+  }
+}