@mmstack/resource 20.8.5 → 20.9.0

package/fesm2022/mmstack-resource.mjs

@@ -1,6 +1,6 @@
 import * as i0 from '@angular/core';
 import { InjectionToken, inject, runInInjectionContext, DestroyRef, isDevMode, signal, computed, untracked, PLATFORM_ID, effect, Injector, Injectable, linkedSignal } from '@angular/core';
-import { HttpHeaders, HttpResponse, HttpParams, HttpContextToken, HttpContext, httpResource, HttpClient } from '@angular/common/http';
+import { HttpHeaders, HttpParams, HttpResponse, HttpContextToken, HttpContext, httpResource, HttpClient } from '@angular/common/http';
 import { injectTransitionScope, mutable, toWritable, keepPrevious, sensor, injectPaused, nestedEffect } from '@mmstack/primitives';
 import { finalize, shareReplay, of, tap, map, interval, firstValueFrom, catchError, combineLatestWith, filter } from 'rxjs';
 import { takeUntilDestroyed, toObservable } from '@angular/core/rxjs-interop';
@@ -42,962 +42,1046 @@ function applyResourceRegistration(ref, register, injector) {
     });
 }
 
-function createNoopDB() {
-    return {
-        getAll: async () => [],
-        store: async () => {
-            // noop
-        },
-        remove: async () => {
-            // noop
-        },
-    };
+/**
+ * Returns `true` for any object-like value whose own enumerable keys should
+ * be sorted for stable hashing. Excludes arrays (positional), `Date`
+ * (handled by `toJSON`), `Map`/`Set` (handled explicitly), and binary types
+ * (`Blob`/`FormData`/`URLSearchParams`/`ArrayBuffer`/typed arrays — these
+ * should be branched on before reaching `hash()`, typically by `hashRequest`).
+ *
+ * Plain objects, class instances, and `Object.create(null)` all qualify.
+ */
+function isHashableObject(value) {
+    if (value === null || typeof value !== 'object')
+        return false;
+    if (Array.isArray(value))
+        return false;
+    if (value instanceof Date)
+        return false;
+    if (value instanceof Map)
+        return false;
+    if (value instanceof Set)
+        return false;
+    if (typeof Blob !== 'undefined' && value instanceof Blob)
+        return false;
+    if (typeof FormData !== 'undefined' && value instanceof FormData)
+        return false;
+    if (typeof URLSearchParams !== 'undefined' &&
+        value instanceof URLSearchParams)
+        return false;
+    if (value instanceof ArrayBuffer)
+        return false;
+    if (ArrayBuffer.isView(value))
+        return false;
+    return true;
 }
-function toCacheDB(db, storeName) {
-    const getAll = async () => {
-        const now = Date.now();
-        return new Promise((res, rej) => {
-            const transaction = db.transaction(storeName, 'readonly');
-            const store = transaction.objectStore(storeName);
-            const request = store.getAll();
-            request.onsuccess = () => res(request.result);
-            request.onerror = () => rej(request.error);
-            // some browsers abort (rather than error) e.g. on quota issues — without this the promise would stay pending forever
-            transaction.onabort = () => rej(transaction.error);
-        })
-            .then((entries) => entries.filter((e) => e.expiresAt > now))
-            .catch((err) => {
-            if (isDevMode())
-                console.error('Error getting all items from cache DB:', err);
-            return [];
-        });
-    };
-    const store = (value) => {
-        return new Promise((res, rej) => {
-            const transaction = db.transaction(storeName, 'readwrite');
-            const store = transaction.objectStore(storeName);
-            store.put(value);
-            transaction.oncomplete = () => res();
-            transaction.onerror = () => rej(transaction.error);
-            // QuotaExceededError surfaces as an abort in some browsers
-            transaction.onabort = () => rej(transaction.error);
-        }).catch((err) => {
-            if (isDevMode())
-                console.error('Error storing item in cache DB:', err);
-        });
-    };
-    const remove = (key) => {
-        return new Promise((res, rej) => {
-            const transaction = db.transaction(storeName, 'readwrite');
-            const store = transaction.objectStore(storeName);
-            store.delete(key);
-            transaction.oncomplete = () => res();
-            transaction.onerror = () => rej(transaction.error);
-            transaction.onabort = () => rej(transaction.error);
-        }).catch((err) => {
-            if (isDevMode())
-                console.error('Error removing item from cache DB:', err);
-        });
-    };
-    return {
-        getAll,
-        store,
-        remove,
-    };
+function sortKeys(val) {
+    return Object.keys(val)
+        .toSorted()
+        .reduce((result, key) => {
+        result[key] = val[key];
+        return result;
+    }, {});
 }
-function createSingleStoreDB(name, getStoreName, version = 1) {
-    const storeName = getStoreName(version);
-    if (!globalThis.indexedDB)
-        return Promise.resolve(createNoopDB());
-    return new Promise((res, rej) => {
-        if (version < 1) {
-            rej(new Error('Version must be 1 or greater'));
-            return; // rej does not stop execution — without this, indexedDB.open(name, 0) still runs
+/**
+ * Internal helper to generate a stable JSON string from an array.
+ * - Object-like values (plain, class instances, null-proto) get their own
+ *   enumerable keys sorted alphabetically.
+ * - `Map` → marker object with sorted entries (sorted by `JSON.stringify(key)`).
+ * - `Set` → marker object with sorted values (sorted by `JSON.stringify(value)`).
+ * - Arrays preserve order. `Date` serializes via `toJSON`.
+ *
+ * @internal
+ */
+function hashKey(queryKey) {
+    return JSON.stringify(queryKey, (_, val) => {
+        if (val instanceof Map) {
+            // Schwartzian: compute each entry's sort key (recursive hash of the
+            // Map key) once, then sort by the cheap string compare.
+            const entries = [...val.entries()]
+                .map((e) => [hash(e[0]), e])
+                .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
+                .map(([, e]) => e);
+            return { __map__: entries };
         }
-        const req = indexedDB.open(name, version);
-        req.onupgradeneeded = (event) => {
-            const db = req.result;
-            const oldVersion = event.oldVersion;
-            db.createObjectStore(storeName, { keyPath: 'key' });
-            if (oldVersion > 0) {
-                db.deleteObjectStore(getStoreName(oldVersion));
-            }
-        };
-        req.onerror = () => {
-            rej(req.error);
-        };
-        req.onsuccess = () => res(req.result);
-    })
-        .then((db) => toCacheDB(db, storeName))
-        .catch((err) => {
-        if (isDevMode())
-            console.error('Error creating query DB:', err);
-        return createNoopDB();
+        if (val instanceof Set) {
+            const values = [...val]
+                .map((v) => [hash(v), v])
+                .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
+                .map(([, v]) => v);
+            return { __set__: values };
+        }
+        if (isHashableObject(val))
+            return sortKeys(val);
+        return val;
     });
 }
-
-function generateID() {
-    if (globalThis.crypto?.randomUUID) {
-        return globalThis.crypto.randomUUID();
-    }
-    return Math.random().toString(36).substring(2);
-}
-function isSyncMessage(msg) {
-    return (typeof msg === 'object' &&
-        msg !== null &&
-        'type' in msg &&
-        msg.type === 'cache-sync-message');
+/**
+ * Generates a stable, unique string hash from one or more arguments.
+ * Useful for creating cache keys or identifiers where object key order shouldn't matter.
+ *
+ * How it works:
+ * - Object-like values (plain objects, class instances, `Object.create(null)`) have
+ *   their own enumerable keys sorted alphabetically before hashing. This ensures
+ *   `{ a: 1, b: 2 }` and `{ b: 2, a: 1 }` produce the same hash.
+ * - `Map` and `Set` are serialized via stable, sorted markers (`__map__` / `__set__`).
+ * - Arrays preserve positional order; `Date` uses its ISO string via `toJSON`.
+ *
+ * @param {...unknown} args Values to include in the hash.
+ * @returns A stable string hash representing the input arguments.
+ * @example
+ * hash('posts', 10);
+ * // => '["posts",10]'
+ *
+ * hash({ a: 1, b: 2 }) === hash({ b: 2, a: 1 }); // true
+ *
+ * hash(new Map([['a', 1]])) === hash(new Map([['a', 1]])); // true
+ *
+ * // Be mindful of values JSON.stringify cannot handle (functions, undefined, Symbols)
+ * // hash('a', undefined, function() {}) => '["a",null,null]'
+ */
+function hash(...args) {
+    return hashKey(args);
 }
+
 /**
- * setTimeout coerces its delay through a signed 32-bit conversion: `Infinity` becomes 0
- * (immediate!) and anything above 2^31-1 ms (~24.8 days) wraps negative. Entries beyond
- * this bound get NO timer and rely on lazy expiry (`expiresAt <= now` checks) plus the
- * periodic sweep instead.
+ * Top-level field separator for auto-generated cache keys. ASCII Unit Separator
+ * (`\x1f`) is deliberately content-rare: it never occurs in HTTP method tokens,
+ * URLs, or `encodeURIComponent`/digest output (params, vary headers, body hash),
+ * so the structural layout stays unambiguous even when a custom `cache.hash`
+ * *prepends* a namespace with ordinary chars (e.g. `tenant:${hashRequest(req)}`).
+ * Survives `JSON.stringify` (IndexedDB persistence) and `structuredClone`
+ * (cross-tab broadcast) intact.
  */
-const MAX_TIMER_DELAY = 2 ** 31 - 1;
-const ONE_DAY = 1000 * 60 * 60 * 24;
-const ONE_HOUR = 1000 * 60 * 60;
-const DEFAULT_CLEANUP_OPT = {
-    type: 'lru',
-    maxSize: 200,
-    checkInterval: ONE_HOUR,
-};
+const KEY_DELIMITER = '\x1f';
 /**
- * A generic cache implementation that stores data with time-to-live (TTL) and stale-while-revalidate capabilities.
+ * Recovers the URL portion of an auto-generated cache key — the segment between
+ * the 1st and 2nd {@link KEY_DELIMITER} (the key shape is
+ * `method␟url␟responseType[␟…]`). Returns `null` when the key has no delimiter
+ * (e.g. produced by a custom `hash` that doesn't follow this shape).
  *
- * @typeParam T - The type of data to be stored in the cache.
+ * A namespace prepended with non-delimiter chars collapses into segment 0
+ * (`tenant:GET`), so the URL remains segment 1 — method-agnostic and
+ * namespacing-tolerant by construction.
  */
-class Cache {
-    ttl;
-    staleTime;
-    db;
-    internal = mutable(new Map());
-    cleanupOpt;
-    id = generateID();
-    /** True once async hydration from the persistence layer has completed (or was empty). */
-    hydrated = false;
-    /** Keys invalidated while hydration was still in flight — must not be resurrected by it. */
-    hydrationTombstones = new Set();
-    hitCount = signal(0, ...(ngDevMode ? [{ debugName: "hitCount" }] : []));
-    missCount = signal(0, ...(ngDevMode ? [{ debugName: "missCount" }] : []));
-    /**
-     * Read-only cache statistics for debugging/observability — entry count plus
-     * request-level hit/miss counters (counted on direct lookups, e.g. the cache
-     * interceptor's, not on every reactive signal read). Render it in a debug
-     * panel; it intentionally exposes no way to mutate the cache.
-     */
-    stats = computed(() => ({
-        size: this.internal().size,
-        hits: this.hitCount(),
-        misses: this.missCount(),
-    }), ...(ngDevMode ? [{ debugName: "stats" }] : []));
-    /**
-     * Destroys the cache instance, clearing the cleanup interval and closing the
-     * cross-tab channel. Called automatically when the providing injector is destroyed
-     * (wired up by `provideQueryCache`); call it manually for caches you construct yourself.
-     */
-    destroy;
-    broadcast = () => {
-        // noop
-    };
-    /**
-     * Creates a new `Cache` instance.
-     *
-     * @param ttl - The default Time To Live (TTL) for cache entries, in milliseconds.  Defaults to one day.
-     * @param staleTime - The default duration, in milliseconds, during which a cache entry is considered
-     *                    stale but can still be used while revalidation occurs in the background. Defaults to 1 hour.
-     * @param cleanupOpt - Options for configuring the cache cleanup strategy.  Defaults to LRU with a
-     *                     `maxSize` of 200 and a `checkInterval` of one hour.
-     * @param syncTabs - If provided, the cache will use the options a BroadcastChannel to send updates between tabs.
-     *                   Defaults to `undefined`, meaning no synchronization across tabs.
-     */
-    constructor(ttl = ONE_DAY, staleTime = ONE_HOUR, cleanupOpt = DEFAULT_CLEANUP_OPT, syncTabs, db = Promise.resolve(createNoopDB())) {
-        this.ttl = ttl;
-        this.staleTime = staleTime;
-        this.db = db;
-        this.cleanupOpt = {
-            ...DEFAULT_CLEANUP_OPT,
-            ...cleanupOpt,
-        };
-        if (this.cleanupOpt.maxSize <= 0)
-            throw new Error('maxSize must be greater than 0');
-        // a non-finite checkInterval disables the sweeper entirely (used by the shared NoopCache)
-        const cleanupInterval = Number.isFinite(this.cleanupOpt.checkInterval)
-            ? setInterval(() => {
-                this.cleanup();
-            }, this.cleanupOpt.checkInterval)
-            : undefined;
-        let destroySyncTabs = () => {
-            // noop
-        };
-        if (syncTabs) {
-            const channel = new BroadcastChannel(syncTabs.id);
-            this.broadcast = (msg) => {
-                if (msg.action === 'invalidate')
-                    return channel.postMessage({
-                        action: 'invalidate',
-                        entry: { key: msg.entry.key },
-                        cacheId: this.id,
-                        type: 'cache-sync-message',
-                    });
-                return channel.postMessage({
-                    ...msg,
-                    entry: {
-                        ...msg.entry,
-                        value: syncTabs.serialize(msg.entry.value),
-                    },
-                    cacheId: this.id,
-                    type: 'cache-sync-message',
-                });
-            };
-            channel.onmessage = (event) => {
-                const msg = event.data;
-                if (!isSyncMessage(msg))
-                    return;
-                if (msg.cacheId === this.id)
-                    return; // ignore messages from this cache
-                if (msg.action === 'store') {
-                    const value = syncTabs.deserialize(msg.entry.value);
-                    if (value === null)
-                        return;
-                    // Last-write-wins by `updated` timestamp.
-                    const existing = untracked(this.internal).get(msg.entry.key);
-                    if (existing && existing.updated >= msg.entry.updated)
-                        return;
-                    this.restoreInternal({ ...msg.entry, value });
-                }
-                else if (msg.action === 'invalidate') {
-                    this.invalidateInternal(msg.entry.key, true);
-                }
-            };
-            destroySyncTabs = () => {
-                channel.close();
-            };
+function extractUrlFromKey(key) {
+    const start = key.indexOf(KEY_DELIMITER);
+    if (start === -1)
+        return null;
+    const end = key.indexOf(KEY_DELIMITER, start + 1);
+    return end === -1
+        ? key.slice(start + 1)
+        : key.slice(start + 1, end);
+}
+/**
+ * @internal
+ * One-way ~64-bit digest from two independent FNV-1a passes. Used for header VALUES in
+ * cache keys: keys are persisted (IndexedDB) and broadcast cross-tab, so raw values
+ * (auth tokens!) must never appear in them. A single 32-bit digest's 2^-32 collision
+ * chance is too thin at a security boundary — two colliding tokens would serve one
+ * user's cached data under another user's key; 64 bits puts collisions out of reach.
+ * High-entropy secrets are not recoverable from the digest.
+ */
+function digestHeaderValue(value) {
+    let h1 = 0x811c9dc5; // FNV-1a offset basis
+    let h2 = 0xcbf29ce4; // independent second pass
+    for (let i = 0; i < value.length; i++) {
+        const c = value.charCodeAt(i);
+        h1 = Math.imul(h1 ^ c, 0x01000193); // FNV prime
+        h2 = Math.imul(h2 ^ c, 0x01000197); // distinct odd multiplier
+    }
+    return ((h1 >>> 0).toString(16).padStart(8, '0') +
+        (h2 >>> 0).toString(16).padStart(8, '0'));
+}
+function readHeader(headers, name) {
+    if (!headers)
+        return null;
+    if (headers instanceof HttpHeaders) {
+        const all = headers.getAll(name);
+        return all && all.length ? all.join(',') : null;
+    }
+    // record form — header names are case-insensitive
+    const lower = name.toLowerCase();
+    for (const key of Object.keys(headers)) {
+        if (key.toLowerCase() !== lower)
+            continue;
+        const value = headers[key];
+        if (value == null)
+            return null;
+        return Array.isArray(value) ? value.join(',') : String(value);
+    }
+    return null;
+}
+/**
+ * Content-negotiation headers whose values are low-entropy and non-identifying —
+ * embedded (URI-encoded) raw, keeping keys human-readable and skipping the digest.
+ * Anything NOT on this list (Authorization, api keys, tenant/x-* headers — we can't
+ * know what they carry) is one-way digested instead.
+ */
+const SAFE_RAW_HEADERS = new Set([
+    'accept',
+    'accept-language',
+    'content-language',
+    'content-type',
+]);
+const UNSAFE_HEADER_MESSAGES = new Map([
+    [
+        'cookie',
+        "[@mmstack/resource]: varyHeaders includes 'cookie'. Browser-attached cookies never appear on the request object (so this usually partitions nothing), and manually-set cookie values often rotate per-request (shredding the hit rate). The header IS still honored (digested) — but prefer varying on 'Authorization' or a tenant header.",
+    ],
+    [
+        'set-cookie',
+        "[@mmstack/resource]: varyHeaders includes 'set-cookie'. Browser-attached cookies never appear on the request object (so this usually partitions nothing), and manually-set cookie values often rotate per-request (shredding the hit rate). The header IS still honored (digested) — but prefer varying on 'Authorization' or a tenant header.",
+    ],
+    [
+        'authorization',
+        "[@mmstack/resource]: varyHeaders includes 'Authorization'. If your token rotates frequently (e.g., short-lived JWTs), this will cause 100% cache churn on refresh. Consider adding a namespace prefix with the users sub, not using it as a cache-key or using a custom 'cache.hash' function with a stable session/user ID instead.",
+    ],
+    [
+        'x-request-id',
+        "[@mmstack/resource]: varyHeaders includes 'X-Request-ID'. This header is often set to a unique value per-request, which will cause 100% cache churn. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
+    ],
+    [
+        'x-correlation-id',
+        "[@mmstack/resource]: varyHeaders includes 'X-Correlation-ID'. This header is often set to a unique value per-request, which will cause 100% cache churn. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
+    ],
+    [
+        'if-none-match',
+        "[@mmstack/resource]: varyHeaders includes 'If-None-Match'. This header contains ETags that change whenever the server's resource version changes, which will cause cache misses on every update. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
+    ],
+    [
+        'if-modified-since',
+        "[@mmstack/resource]: varyHeaders includes 'If-Modified-Since'. This header contains timestamps that change whenever the server's resource version changes, which will cause cache misses on every update. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
+    ],
+]);
+function normalizeVaryHeaders(headers, names) {
+    const isDev = isDevMode();
+    return names
+        .map((n) => n.toLowerCase())
+        .toSorted()
+        .map((name) => {
+        if (isDev) {
+            const warning = UNSAFE_HEADER_MESSAGES.get(name);
+            if (warning)
+                console.warn(warning);
         }
-        let destroyed = false;
-        const destroy = () => {
-            if (destroyed)
-                return;
-            destroyed = true;
-            if (cleanupInterval !== undefined)
-                clearInterval(cleanupInterval);
-            destroySyncTabs();
-        };
-        this.db
-            .then(async (db) => {
-            if (destroyed)
-                return [];
-            return db.getAll();
-        })
-            .then((entries) => {
-            if (destroyed)
-                return;
-            const current = untracked(this.internal);
-            entries.forEach((entry) => {
-                if (current.has(entry.key))
-                    return;
-                // a key invalidated while hydration was in flight must stay dead
-                if (this.hydrationTombstones.has(entry.key))
-                    return;
-                this.restoreInternal(entry);
-            });
-            this.hydrated = true;
-            this.hydrationTombstones.clear();
-        });
-        this.destroy = destroy;
+        const value = readHeader(headers, name);
+        if (value === null)
+            return `${name}=`;
+        // known-safe values raw (readable, cheap); everything else digested, NEVER raw —
+        // keys are persisted to IndexedDB and broadcast across tabs
+        return SAFE_RAW_HEADERS.has(name)
+            ? `${name}=${encodeURIComponent(value)}`
+            : `${name}=${digestHeaderValue(value)}`;
+    })
+        .join('&');
+}
+function normalizeParams(params) {
+    const p = params instanceof HttpParams
+        ? params
+        : new HttpParams({ fromObject: params });
+    return p
+        .keys()
+        .toSorted()
+        .map((key) => {
+        const encodedKey = encodeURIComponent(key);
+        return (p.getAll(key) ?? [])
+            .map((v) => `${encodedKey}=${encodeURIComponent(v)}`)
+            .join('&');
+    })
+        .join('&');
+}
+function hashBody(body) {
+    // File extends Blob — must check File first
+    if (typeof File !== 'undefined' && body instanceof File) {
+        return `File:${body.name}:${body.type}:${body.size}:${body.lastModified}`;
     }
-    /** @internal */
-    getInternal(key) {
-        const keySignal = computed(() => key(), ...(ngDevMode ? [{ debugName: "keySignal" }] : []));
-        return computed(() => {
-            const key = keySignal();
-            if (!key)
-                return null;
-            const found = this.internal().get(key);
-            const now = Date.now();
-            if (!found || found.expiresAt <= now)
-                return null;
-            return {
-                ...found,
-                isStale: found.stale <= now,
-            };
-        }, {
-            equal: (a, b) => a === b ||
-                (!!a &&
-                    !!b &&
-                    a.key === b.key &&
-                    a.value === b.value &&
-                    a.updated === b.updated &&
-                    a.isStale === b.isStale),
+    if (typeof Blob !== 'undefined' && body instanceof Blob) {
+        return `Blob:${body.type}:${body.size}`;
+    }
+    if (typeof FormData !== 'undefined' && body instanceof FormData) {
+        const entries = [];
+        body.forEach((value, key) => {
+            entries.push([key, hashBody(value)]);
         });
+        entries.sort(([ak, av], [bk, bv]) => ak.localeCompare(bk) || av.localeCompare(bv));
+        return `FormData:${entries.map(([k, v]) => `${k}=${v}`).join('&')}`;
     }
-    /** @internal Imperative access bookkeeping for LRU eviction. */
-    touch(entry) {
-        entry.lastAccessed = Date.now();
-        entry.useCount++;
+    if (typeof URLSearchParams !== 'undefined' &&
+        body instanceof URLSearchParams) {
+        const sp = new URLSearchParams(body);
+        sp.sort();
+        return `URLSearchParams:${sp.toString()}`;
     }
-    /**
-     * Retrieves a cache entry directly (non-reactively), updating its access bookkeeping
-     * for LRU eviction.
-     * @internal
-     * @param key - The key of the entry to retrieve.
-     * @returns The cache entry, or `null` if not found or expired.
-     */
-    getUntracked(key) {
-        const found = untracked(this.internal).get(key);
+    if (body instanceof ArrayBuffer) {
+        return `ArrayBuffer:${body.byteLength}`;
+    }
+    if (ArrayBuffer.isView(body)) {
+        return `${body.constructor.name}:${body.byteLength}`;
+    }
+    return hash(body);
+}
+/**
+ * Builds a stable cache/dedupe key from an HTTP request shape (accepts both
+ * `HttpRequest` and `HttpResourceRequest`).
+ *
+ * Key composition: `${method}␟${url}␟${responseType}[␟${params}][␟${body}][␟${vary}]`,
+ * where `␟` is {@link KEY_DELIMITER} (ASCII Unit Separator) — a content-rare top-level
+ * separator. Sub-fields inside `params`/`vary` keep their own `&`/`=` delimiters.
+ * - `method` defaults to `'GET'`, `responseType` to `'json'` (Angular defaults).
+ * - Query params are sorted alphabetically and URL-encoded for stability.
+ * - Body hashing handles `File`/`Blob`/`FormData`/`URLSearchParams`/`ArrayBuffer`
+ *   and typed arrays explicitly; everything else flows through key-sorted
+ *   `JSON.stringify` via `hash()`.
+ * - `varyHeaders` (opt-in) mixes the named request headers into the key so responses
+ *   that differ per header (e.g. `Authorization` → per-user, `Accept-Language`) get
+ *   separate entries. Known-safe content-negotiation headers (`Accept`,
+ *   `Accept-Language`, `Content-Language`, `Content-Type`) embed their value raw for
+ *   readable keys; all other header VALUES are one-way digested, never embedded raw —
+ *   keys are persisted to IndexedDB and broadcast across tabs.
+ */
+function hashRequest(req, varyHeaders) {
+    const method = req.method ?? 'GET';
+    const responseType = req.responseType ?? 'json';
+    const base = `${method}${KEY_DELIMITER}${req.url}${KEY_DELIMITER}${responseType}`;
+    const params = req.params
+        ? `${KEY_DELIMITER}${normalizeParams(req.params)}`
+        : '';
+    const body = req.body != null ? `${KEY_DELIMITER}${hashBody(req.body)}` : '';
+    const vary = varyHeaders?.length
+        ? `${KEY_DELIMITER}vary(${normalizeVaryHeaders(req.headers, varyHeaders)})`
+        : '';
+    return base + params + body + vary;
+}
+
+function createNoopDB() {
+    return {
+        getAll: async () => [],
+        store: async () => {
+            // noop
+        },
+        remove: async () => {
+            // noop
+        },
+    };
+}
+function toCacheDB(db, storeName) {
+    const getAll = async () => {
         const now = Date.now();
-        if (!found || found.expiresAt <= now) {
-            this.missCount.update((c) => c + 1);
-            return null;
+        return new Promise((res, rej) => {
+            const transaction = db.transaction(storeName, 'readonly');
+            const store = transaction.objectStore(storeName);
+            const request = store.getAll();
+            request.onsuccess = () => res(request.result);
+            request.onerror = () => rej(request.error);
+            // some browsers abort (rather than error) e.g. on quota issues — without this the promise would stay pending forever
+            transaction.onabort = () => rej(transaction.error);
+        })
+            .then((entries) => entries.filter((e) => e.expiresAt > now))
+            .catch((err) => {
+            if (isDevMode())
+                console.error('Error getting all items from cache DB:', err);
+            return [];
+        });
+    };
+    const store = (value) => {
+        return new Promise((res, rej) => {
+            const transaction = db.transaction(storeName, 'readwrite');
+            const store = transaction.objectStore(storeName);
+            store.put(value);
+            transaction.oncomplete = () => res();
+            transaction.onerror = () => rej(transaction.error);
+            // QuotaExceededError surfaces as an abort in some browsers
+            transaction.onabort = () => rej(transaction.error);
+        }).catch((err) => {
+            if (isDevMode())
+                console.error('Error storing item in cache DB:', err);
+        });
+    };
+    const remove = (key) => {
+        return new Promise((res, rej) => {
+            const transaction = db.transaction(storeName, 'readwrite');
+            const store = transaction.objectStore(storeName);
+            store.delete(key);
+            transaction.oncomplete = () => res();
+            transaction.onerror = () => rej(transaction.error);
+            transaction.onabort = () => rej(transaction.error);
+        }).catch((err) => {
+            if (isDevMode())
+                console.error('Error removing item from cache DB:', err);
+        });
+    };
+    return {
+        getAll,
+        store,
+        remove,
+    };
+}
+function createSingleStoreDB(name, getStoreName, version = 1) {
+    const storeName = getStoreName(version);
+    if (!globalThis.indexedDB)
+        return Promise.resolve(createNoopDB());
+    return new Promise((res, rej) => {
+        if (version < 1) {
+            rej(new Error('Version must be 1 or greater'));
+            return; // rej does not stop execution — without this, indexedDB.open(name, 0) still runs
         }
-        this.touch(found);
-        this.hitCount.update((c) => c + 1);
-        return {
-            ...found,
-            isStale: found.stale <= now,
+        const req = indexedDB.open(name, version);
+        req.onupgradeneeded = (event) => {
+            const db = req.result;
+            const oldVersion = event.oldVersion;
+            db.createObjectStore(storeName, { keyPath: 'key' });
+            if (oldVersion > 0) {
+                db.deleteObjectStore(getStoreName(oldVersion));
+            }
+        };
+        req.onerror = () => {
+            rej(req.error);
         };
+        req.onsuccess = () => res(req.result);
+    })
+        .then((db) => toCacheDB(db, storeName))
+        .catch((err) => {
+        if (isDevMode())
+            console.error('Error creating query DB:', err);
+        return createNoopDB();
+    });
+}
+
+function generateID() {
+    if (globalThis.crypto?.randomUUID) {
+        return globalThis.crypto.randomUUID();
     }
+    return Math.random().toString(36).substring(2);
+}
+function isSyncMessage(msg) {
+    return (typeof msg === 'object' &&
+        msg !== null &&
+        'type' in msg &&
+        msg.type === 'cache-sync-message');
+}
+/**
+ * setTimeout coerces its delay through a signed 32-bit conversion: `Infinity` becomes 0
+ * (immediate!) and anything above 2^31-1 ms (~24.8 days) wraps negative. Entries beyond
+ * this bound get NO timer and rely on lazy expiry (`expiresAt <= now` checks) plus the
+ * periodic sweep instead.
+ */
+const MAX_TIMER_DELAY = 2 ** 31 - 1;
+const ONE_DAY = 1000 * 60 * 60 * 24;
+const ONE_HOUR = 1000 * 60 * 60;
+const DEFAULT_CLEANUP_OPT = {
+    type: 'lru',
+    maxSize: 200,
+    checkInterval: ONE_HOUR,
+};
+/**
+ * A generic cache implementation that stores data with time-to-live (TTL) and stale-while-revalidate capabilities.
+ *
+ * @typeParam T - The type of data to be stored in the cache.
+ */
+class Cache {
+    ttl;
+    staleTime;
+    db;
+    internal = mutable(new Map());
+    cleanupOpt;
+    id = generateID();
+    /** True once async hydration from the persistence layer has completed (or was empty). */
+    hydrated = false;
+    /** Keys invalidated while hydration was still in flight — must not be resurrected by it. */
+    hydrationTombstones = new Set();
+    /** Dev-only: ensures the "foreign keys, no matcher" hint in invalidateUrlPrefix fires at most once. */
+    warnedForeignKeys = false;
+    hitCount = signal(0, ...(ngDevMode ? [{ debugName: "hitCount" }] : []));
+    missCount = signal(0, ...(ngDevMode ? [{ debugName: "missCount" }] : []));
     /**
-     * Retrieves a cache entry as a signal.
-     *
-     * @param key - A function that returns the cache key. The key is a signal, allowing for dynamic keys. If the function returns null the value is also null.
-     * @returns A signal that holds the cache entry, or `null` if not found or expired.  The signal
-     *          updates whenever the cache entry changes (e.g., due to revalidation or expiration).
+     * Read-only cache statistics for debugging/observability — entry count plus
+     * request-level hit/miss counters (counted on direct lookups, e.g. the cache
+     * interceptor's, not on every reactive signal read). Render it in a debug
+     * panel; it intentionally exposes no way to mutate the cache.
      */
-    get(key) {
-        return this.getInternal(key);
-    }
+    stats = computed(() => ({
+        size: this.internal().size,
+        hits: this.hitCount(),
+        misses: this.missCount(),
+    }), ...(ngDevMode ? [{ debugName: "stats" }] : []));
     /**
-     * Retrieves a cache entry or an object with the key if not found.
-     *
-     * @param key - A function that returns the cache key. The key is a signal, allowing for dynamic keys. If the function returns null the value is also null.
-     * @returns  A signal that holds the cache entry or an object with the key if not found. The signal
-     *          updates whenever the cache entry changes (e.g., due to revalidation or expiration).
+     * Destroys the cache instance, clearing the cleanup interval and closing the
+     * cross-tab channel. Called automatically when the providing injector is destroyed
+     * (wired up by `provideQueryCache`); call it manually for caches you construct yourself.
      */
-    getEntryOrKey(key) {
-        const valueSig = this.getInternal(key);
-        return computed(() => valueSig() ?? key());
-    }
+    destroy;
+    broadcast = () => {
+        // noop
+    };
     /**
-     * Stores a value in the cache.
-     *
-     * NOTE: cached values are shared by reference across all consumers (current and
-     * future cache hits, persistence, cross-tab sync) — do not mutate a value after
-     * storing it or after reading it from the cache.
+     * Creates a new `Cache` instance.
      *
-     * @param key - The key under which to store the value.
-     * @param value - The value to store.
-     * @param staleTime - (Optional) The stale time for this entry, in milliseconds. Overrides the default `staleTime`.
-     * @param ttl - (Optional) The TTL for this entry, in milliseconds. Overrides the default `ttl`.
-     * @param persist - (Optional) Whether to also write the entry to the persistence layer (IndexedDB). Defaults to `false`.
+     * @param ttl - The default Time To Live (TTL) for cache entries, in milliseconds.  Defaults to one day.
+     * @param staleTime - The default duration, in milliseconds, during which a cache entry is considered
+     *                    stale but can still be used while revalidation occurs in the background. Defaults to 1 hour.
+     * @param cleanupOpt - Options for configuring the cache cleanup strategy.  Defaults to LRU with a
+     *                     `maxSize` of 200 and a `checkInterval` of one hour.
+     * @param syncTabs - If provided, the cache will use the options a BroadcastChannel to send updates between tabs.
+     *                   Defaults to `undefined`, meaning no synchronization across tabs.
      */
-    store(key, value, staleTime = this.staleTime, ttl = this.ttl, persist = false) {
-        this.storeInternal(key, value, staleTime, ttl, false, persist);
-    }
-    storeInternal(key, value, staleTime = this.staleTime, ttl = this.ttl, fromSync = false, persist = false) {
-        const entry = untracked(this.internal).get(key);
-        // ttl cannot be less than staleTime
-        if (ttl < staleTime)
-            staleTime = ttl;
-        const now = Date.now();
-        this.setEntry({
-            value,
-            created: entry?.created ?? now,
-            updated: now,
-            useCount: (entry?.useCount ?? 0) + 1,
-            lastAccessed: now,
-            stale: now + staleTime,
-            expiresAt: now + ttl,
-            key,
-        }, fromSync, persist);
-    }
-    /**
-     * @internal
-     * Inserts an entry that already carries ABSOLUTE timestamps — hydration from the
-     * persistence layer and cross-tab sync messages. Never re-anchors freshness to
-     * `Date.now()`, never persists, never broadcasts.
-     */
-    restoreInternal(entry) {
-        this.setEntry({
-            ...entry,
-            // rows persisted by older versions may lack the field
-            lastAccessed: entry.lastAccessed ?? entry.updated,
-        }, true, false);
-    }
-    /** @internal Shared writer: arms the expiry timer only within the safe delay range. */
-    setEntry(next, fromSync, persist) {
-        const existing = untracked(this.internal).get(next.key);
-        if (existing)
-            clearTimeout(existing.timeout); // stop the previous invalidation
-        const remaining = next.expiresAt - Date.now();
-        // already expired (clock skew on a synced/restored entry) — don't insert
-        if (remaining <= 0)
-            return;
-        // Infinity (immutable) or > 2^31-1 would coerce to an IMMEDIATE timeout — such
-        // entries get no timer and rely on lazy expiry + the periodic sweep instead
-        const timeout = Number.isFinite(remaining) && remaining <= MAX_TIMER_DELAY
-            ? setTimeout(() => this.invalidate(next.key), remaining)
+    constructor(ttl = ONE_DAY, staleTime = ONE_HOUR, cleanupOpt = DEFAULT_CLEANUP_OPT, syncTabs, db = Promise.resolve(createNoopDB())) {
+        this.ttl = ttl;
+        this.staleTime = staleTime;
+        this.db = db;
+        this.cleanupOpt = {
+            ...DEFAULT_CLEANUP_OPT,
+            ...cleanupOpt,
+        };
+        if (this.cleanupOpt.maxSize <= 0)
+            throw new Error('maxSize must be greater than 0');
+        // a non-finite checkInterval disables the sweeper entirely (used by the shared NoopCache)
+        const cleanupInterval = Number.isFinite(this.cleanupOpt.checkInterval)
+            ? setInterval(() => {
+                this.cleanup();
+            }, this.cleanupOpt.checkInterval)
             : undefined;
-        this.internal.mutate((map) => {
-            map.set(next.key, { ...next, timeout });
-            return map;
-        });
-        if (!fromSync) {
-            if (persist)
-                this.db.then((db) => db.store(next));
-            this.broadcast({
-                action: 'store',
-                entry: next,
-            });
-        }
-    }
-    /**
-     * Invalidates (removes) a cache entry.
-     *
-     * @param key - The key of the entry to invalidate.
-     */
-    invalidate(key) {
-        this.invalidateInternal(key);
-    }
-    /**
-     * Invalidates every cache entry whose key starts with `prefix`. Common after a
-     * list-mutating operation (e.g. invalidate every paginated `GET /api/posts*`
-     * after a POST). Returns the number of entries removed.
-     *
-     * @example
-     * cache.invalidatePrefix('GET https://api.example.com/posts');
-     */
-    invalidatePrefix(prefix) {
-        return this.invalidateWhere((key) => key.startsWith(prefix));
-    }
-    /**
-     * Invalidates every cache entry whose key matches the predicate. Use for
-     * arbitrary bulk invalidation that doesn't fit prefix matching (e.g.
-     * "everything containing `userId=42`"). Returns the number of entries removed.
-     *
-     * @example
-     * cache.invalidateWhere((key) => key.includes('/me/'));
-     */
-    invalidateWhere(predicate) {
-        const keys = Array.from(untracked(this.internal).keys()).filter(predicate);
-        for (const key of keys)
-            this.invalidateInternal(key);
-        return keys.length;
-    }
-    invalidateInternal(key, fromSync = false) {
-        // a key invalidated before async hydration completes must not be resurrected by it
-        if (!this.hydrated)
-            this.hydrationTombstones.add(key);
-        const entry = untracked(this.internal).get(key);
-        if (entry) {
-            clearTimeout(entry.timeout);
-            this.internal.mutate((map) => {
-                map.delete(key);
-                return map;
-            });
-        }
-        if (!fromSync) {
-            this.db.then((db) => db.remove(key));
-            this.broadcast({ action: 'invalidate', entry: { key } });
-        }
-    }
-    /**
-     * Removes EVERY entry — memory, persisted rows, and (via broadcast) other tabs.
-     * Call on logout/auth changes so no prior user's responses survive.
-     */
-    clear() {
-        for (const key of Array.from(untracked(this.internal).keys())) {
-            this.invalidateInternal(key);
+        let destroySyncTabs = () => {
+            // noop
+        };
+        if (syncTabs) {
+            const channel = new BroadcastChannel(syncTabs.id);
+            this.broadcast = (msg) => {
+                if (msg.action === 'invalidate')
+                    return channel.postMessage({
+                        action: 'invalidate',
+                        entry: { key: msg.entry.key },
+                        cacheId: this.id,
+                        type: 'cache-sync-message',
+                    });
+                return channel.postMessage({
+                    ...msg,
+                    entry: {
+                        ...msg.entry,
+                        value: syncTabs.serialize(msg.entry.value),
+                    },
+                    cacheId: this.id,
+                    type: 'cache-sync-message',
+                });
+            };
+            channel.onmessage = (event) => {
+                const msg = event.data;
+                if (!isSyncMessage(msg))
+                    return;
+                if (msg.cacheId === this.id)
+                    return; // ignore messages from this cache
+                if (msg.action === 'store') {
+                    const value = syncTabs.deserialize(msg.entry.value);
+                    if (value === null)
+                        return;
+                    // Last-write-wins by `updated` timestamp.
+                    const existing = untracked(this.internal).get(msg.entry.key);
+                    if (existing && existing.updated >= msg.entry.updated)
+                        return;
+                    this.restoreInternal({ ...msg.entry, value });
+                }
+                else if (msg.action === 'invalidate') {
+                    this.invalidateInternal(msg.entry.key, true);
+                }
+            };
+            destroySyncTabs = () => {
+                channel.close();
+            };
         }
-    }
-    /** @internal Drops expired entries, then enforces `maxSize` by the configured strategy. */
-    cleanup() {
-        const now = Date.now();
-        // expired entries first — their timers may never have fired (throttled background
-        // tabs, or timer-less long-TTL entries)
-        const expired = Array.from(untracked(this.internal).entries()).filter(([, e]) => e.expiresAt <= now);
-        if (expired.length) {
-            expired.forEach(([, e]) => clearTimeout(e.timeout));
-            this.internal.mutate((map) => {
-                expired.forEach(([key]) => map.delete(key));
-                return map;
+        let destroyed = false;
+        const destroy = () => {
+            if (destroyed)
+                return;
+            destroyed = true;
+            if (cleanupInterval !== undefined)
+                clearInterval(cleanupInterval);
+            destroySyncTabs();
+        };
+        this.db
+            .then(async (db) => {
+            if (destroyed)
+                return [];
+            return db.getAll();
+        })
+            .then((entries) => {
+            if (destroyed)
+                return;
+            const current = untracked(this.internal);
+            entries.forEach((entry) => {
+                if (current.has(entry.key))
+                    return;
+                // a key invalidated while hydration was in flight must stay dead
+                if (this.hydrationTombstones.has(entry.key))
+                    return;
+                this.restoreInternal(entry);
             });
-        }
-        if (untracked(this.internal).size <= this.cleanupOpt.maxSize)
-            return;
-        const sorted = Array.from(untracked(this.internal).entries()).toSorted((a, b) => {
-            if (this.cleanupOpt.type === 'lru') {
-                return a[1].lastAccessed - b[1].lastAccessed; // least recently accessed first
-            }
-            else {
-                return a[1].created - b[1].created; // oldest first
-            }
-        });
-        const keepCount = Math.max(1, Math.floor(this.cleanupOpt.maxSize / 2));
-        const removed = sorted.slice(0, sorted.length - keepCount);
-        const keep = sorted.slice(removed.length, sorted.length);
-        removed.forEach(([, e]) => {
-            clearTimeout(e.timeout);
+            this.hydrated = true;
+            this.hydrationTombstones.clear();
         });
-        this.internal.set(new Map(keep));
+        this.destroy = destroy;
     }
-}
-const CLIENT_CACHE_TOKEN = new InjectionToken('INTERNAL_CLIENT_CACHE');
-/**
- * Provides the instance of the QueryCache for queryResource. This should probably be called
- * in your application's root configuration, but can also be overriden with component/module providers.
- *
- * @param options - Optional configuration options for the cache.
- * @returns An Angular `Provider` for the cache.
- *
- * @example
- * // In your app.config.ts or AppModule providers:
- *
- * import { provideQueryCache } from './your-cache';
- *
- * export const appConfig: ApplicationConfig = {
- *   providers: [
- *     provideQueryCache({
- *       ttl: 60000, // Default TTL of 60 seconds
- *       staleTime: 30000, // Default staleTime of 30 seconds
- *     }),
- *     // ... other providers
- *   ]
- * };
- */
-function provideQueryCache(opt) {
-    const serialize = (value) => {
-        const headersRecord = {};
-        const headerKeys = value.headers.keys();
-        headerKeys.forEach((key) => {
-            const values = value.headers.getAll(key);
-            if (!values)
-                return;
-            headersRecord[key] = values;
-        });
-        return JSON.stringify({
-            body: value.body,
-            status: value.status,
-            // statusText intentionally omitted: deprecated in Angular, meaningless under
-            // HTTP/2+ (HttpResponse defaults it to 'OK' on reconstruction)
-            headers: headerKeys.length > 0 ? headersRecord : undefined,
-            url: value.url,
-        });
-    };
-    const deserialize = (value) => {
-        try {
-            const parsed = JSON.parse(value);
-            if (!parsed || typeof parsed !== 'object' || !('body' in parsed))
-                throw new Error('Invalid cache entry format');
-            const headers = parsed.headers
-                ? new HttpHeaders(parsed.headers)
-                : undefined;
-            return new HttpResponse({
-                body: parsed.body,
-                status: parsed.status,
-                headers: headers,
-                url: parsed.url,
-            });
-        }
-        catch (err) {
-            if (isDevMode())
-                console.error('Failed to deserialize cache entry:', err);
-            return null;
-        }
-    };
-    // version-suffixed so two deploys with incompatible schemas in adjacent tabs don't
-    // push entries into each other's caches (the `version` option only fences IndexedDB)
-    const syncChannelId = `mmstack-query-cache-sync_v${opt?.version ?? 1}`;
-    return {
-        provide: CLIENT_CACHE_TOKEN,
-        useFactory: () => {
-            const onServer = inject(PLATFORM_ID) === 'server';
-            // no IndexedDB / BroadcastChannel on the server — each request gets an
-            // isolated, request-lived, memory-only cache
-            const syncTabsOpt = !onServer && opt?.syncTabs
-                ? {
-                    id: syncChannelId,
-                    serialize,
-                    deserialize,
-                }
-                : undefined;
-            const db = onServer || opt?.persist === false
-                ? undefined
-                : createSingleStoreDB('mmstack-query-cache-db', (version) => `query-store_v${version}`, opt?.version).then((db) => {
-                    return {
-                        getAll: () => {
-                            return db.getAll().then((entries) => {
-                                return entries
-                                    .map((entry) => {
-                                    const value = deserialize(entry.value);
-                                    if (value === null)
-                                        return null;
-                                    return {
-                                        ...entry,
-                                        value,
-                                    };
-                                })
-                                    .filter((e) => e !== null);
-                            });
-                        },
-                        store: (entry) => {
-                            return db.store({ ...entry, value: serialize(entry.value) });
-                        },
-                        remove: db.remove,
-                    };
-                });
-            const cache = new Cache(opt?.ttl, opt?.staleTime, opt?.cleanup, syncTabsOpt, db);
-            // release the sweep interval / channel with the providing injector
-            inject(DestroyRef, { optional: true })?.onDestroy(() => cache.destroy());
-            return cache;
-        },
-    };
-}
-class NoopCache extends Cache {
-    constructor() {
-        // Infinity checkInterval → no sweep interval is ever armed, so the shared
-        // instance below never pins a timer
-        super(undefined, undefined, {
-            type: 'lru',
-            maxSize: 200,
-            checkInterval: Infinity,
+    /** @internal */
+    getInternal(key) {
+        const keySignal = computed(() => key(), ...(ngDevMode ? [{ debugName: "keySignal" }] : []));
+        return computed(() => {
+            const key = keySignal();
+            if (!key)
+                return null;
+            const found = this.internal().get(key);
+            const now = Date.now();
+            if (!found || found.expiresAt <= now)
+                return null;
+            return {
+                ...found,
+                isStale: found.stale <= now,
+            };
+        }, {
+            equal: (a, b) => a === b ||
+                (!!a &&
+                    !!b &&
+                    a.key === b.key &&
+                    a.value === b.value &&
+                    a.updated === b.updated &&
+                    a.isStale === b.isStale),
         });
     }
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    store(_, __, ___ = super.staleTime, ____ = super.ttl) {
-        // noop
+    /** @internal Imperative access bookkeeping for LRU eviction. */
+    touch(entry) {
+        entry.lastAccessed = Date.now();
+        entry.useCount++;
     }
-}
-// one shared instance — minting a NoopCache per injectQueryCache() miss would leak
-// an instance (and previously an interval) on every prod call without a provider
-let NOOP_CACHE;
-/**
- * Injects the `QueryCache` instance that is used within queryResource.
- * Allows for direct modification of cached data, but is mostly meant for internal use.
- *
- * @param injector - (Optional) The injector to use.  If not provided, the current
- *                   injection context is used.
- * @returns The `QueryCache` instance.
- *
- * @example
- * // In your component or service:
- *
- * import { injectQueryCache } from './your-cache';
- *
- * constructor() {
- *   const cache = injectQueryCache();
- *
- *   const myData = cache.get(() => 'my-data-key');
- *   if (myData() !== null) {
- *     // ... use cached data ...
- *   }
- * }
- */
-function injectQueryCache(injector) {
-    const cache = injector
-        ? injector.get(CLIENT_CACHE_TOKEN, null, {
-            optional: true,
-        })
-        : inject(CLIENT_CACHE_TOKEN, {
-            optional: true,
+    /**
+     * Retrieves a cache entry directly (non-reactively), updating its access bookkeeping
+     * for LRU eviction.
+     * @internal
+     * @param key - The key of the entry to retrieve.
+     * @returns The cache entry, or `null` if not found or expired.
+     */
+    getUntracked(key) {
+        const found = untracked(this.internal).get(key);
+        const now = Date.now();
+        if (!found || found.expiresAt <= now) {
+            this.missCount.update((c) => c + 1);
+            return null;
+        }
+        this.touch(found);
+        this.hitCount.update((c) => c + 1);
+        return {
+            ...found,
+            isStale: found.stale <= now,
+        };
+    }
+    /**
+     * Retrieves a cache entry as a signal.
+     *
+     * @param key - A function that returns the cache key. The key is a signal, allowing for dynamic keys. If the function returns null the value is also null.
+     * @returns A signal that holds the cache entry, or `null` if not found or expired.  The signal
+     *          updates whenever the cache entry changes (e.g., due to revalidation or expiration).
+     */
+    get(key) {
+        return this.getInternal(key);
+    }
+    /**
+     * Retrieves a cache entry or an object with the key if not found.
+     *
+     * @param key - A function that returns the cache key. The key is a signal, allowing for dynamic keys. If the function returns null the value is also null.
+     * @returns  A signal that holds the cache entry or an object with the key if not found. The signal
+     *          updates whenever the cache entry changes (e.g., due to revalidation or expiration).
+     */
+    getEntryOrKey(key) {
+        const valueSig = this.getInternal(key);
+        return computed(() => valueSig() ?? key());
+    }
+    /**
+     * Stores a value in the cache.
+     *
+     * NOTE: cached values are shared by reference across all consumers (current and
+     * future cache hits, persistence, cross-tab sync) — do not mutate a value after
+     * storing it or after reading it from the cache.
+     *
+     * @param key - The key under which to store the value.
+     * @param value - The value to store.
+     * @param staleTime - (Optional) The stale time for this entry, in milliseconds. Overrides the default `staleTime`.
+     * @param ttl - (Optional) The TTL for this entry, in milliseconds. Overrides the default `ttl`.
+     * @param persist - (Optional) Whether to also write the entry to the persistence layer (IndexedDB). Defaults to `false`.
+     */
+    store(key, value, staleTime = this.staleTime, ttl = this.ttl, persist = false) {
+        this.storeInternal(key, value, staleTime, ttl, false, persist);
+    }
+    storeInternal(key, value, staleTime = this.staleTime, ttl = this.ttl, fromSync = false, persist = false) {
+        const entry = untracked(this.internal).get(key);
+        // ttl cannot be less than staleTime
+        if (ttl < staleTime)
+            staleTime = ttl;
+        const now = Date.now();
+        this.setEntry({
+            value,
+            created: entry?.created ?? now,
+            updated: now,
+            useCount: (entry?.useCount ?? 0) + 1,
+            lastAccessed: now,
+            stale: now + staleTime,
+            expiresAt: now + ttl,
+            key,
+        }, fromSync, persist);
+    }
+    /**
+     * @internal
+     * Inserts an entry that already carries ABSOLUTE timestamps — hydration from the
+     * persistence layer and cross-tab sync messages. Never re-anchors freshness to
+     * `Date.now()`, never persists, never broadcasts.
+     */
+    restoreInternal(entry) {
+        this.setEntry({
+            ...entry,
+            // rows persisted by older versions may lack the field
+            lastAccessed: entry.lastAccessed ?? entry.updated,
+        }, true, false);
+    }
+    /** @internal Shared writer: arms the expiry timer only within the safe delay range. */
+    setEntry(next, fromSync, persist) {
+        const existing = untracked(this.internal).get(next.key);
+        if (existing)
+            clearTimeout(existing.timeout); // stop the previous invalidation
+        const remaining = next.expiresAt - Date.now();
+        // already expired (clock skew on a synced/restored entry) — don't insert
+        if (remaining <= 0)
+            return;
+        // Infinity (immutable) or > 2^31-1 would coerce to an IMMEDIATE timeout — such
+        // entries get no timer and rely on lazy expiry + the periodic sweep instead
+        const timeout = Number.isFinite(remaining) && remaining <= MAX_TIMER_DELAY
+            ? setTimeout(() => this.invalidate(next.key), remaining)
+            : undefined;
+        this.internal.mutate((map) => {
+            map.set(next.key, { ...next, timeout });
+            return map;
         });
-    if (!cache) {
-        if (isDevMode())
-            throw new Error('Cache not provided, please add provideQueryCache() to providers array');
-        else
-            return (NOOP_CACHE ??= new NoopCache());
+        if (!fromSync) {
+            if (persist)
+                this.db.then((db) => db.store(next));
+            this.broadcast({
+                action: 'store',
+                entry: next,
+            });
+        }
     }
-    return cache;
-}
-/**
- * Injects the cache statistics, including the current size of the cache and the number of hits and misses.
- *
- * @param injector - (Optional) The injector to use.  If not provided, the current
- *                   injection context is used.
- * @returns A signal containing the cache statistics.
- */
-function injectCacheStats(injector) {
-    const cache = injectQueryCache(injector);
-    return cache.stats;
-}
-
-/**
- * Returns `true` for any object-like value whose own enumerable keys should
- * be sorted for stable hashing. Excludes arrays (positional), `Date`
- * (handled by `toJSON`), `Map`/`Set` (handled explicitly), and binary types
- * (`Blob`/`FormData`/`URLSearchParams`/`ArrayBuffer`/typed arrays — these
- * should be branched on before reaching `hash()`, typically by `hashRequest`).
- *
- * Plain objects, class instances, and `Object.create(null)` all qualify.
- */
-function isHashableObject(value) {
-    if (value === null || typeof value !== 'object')
-        return false;
-    if (Array.isArray(value))
-        return false;
-    if (value instanceof Date)
-        return false;
-    if (value instanceof Map)
-        return false;
-    if (value instanceof Set)
-        return false;
-    if (typeof Blob !== 'undefined' && value instanceof Blob)
-        return false;
-    if (typeof FormData !== 'undefined' && value instanceof FormData)
-        return false;
-    if (typeof URLSearchParams !== 'undefined' &&
-        value instanceof URLSearchParams)
-        return false;
-    if (value instanceof ArrayBuffer)
-        return false;
-    if (ArrayBuffer.isView(value))
-        return false;
-    return true;
-}
-function sortKeys(val) {
-    return Object.keys(val)
-        .toSorted()
-        .reduce((result, key) => {
-        result[key] = val[key];
-        return result;
-    }, {});
-}
-/**
- * Internal helper to generate a stable JSON string from an array.
- * - Object-like values (plain, class instances, null-proto) get their own
- *   enumerable keys sorted alphabetically.
- * - `Map` → marker object with sorted entries (sorted by `JSON.stringify(key)`).
- * - `Set` → marker object with sorted values (sorted by `JSON.stringify(value)`).
- * - Arrays preserve order. `Date` serializes via `toJSON`.
- *
- * @internal
- */
-function hashKey(queryKey) {
-    return JSON.stringify(queryKey, (_, val) => {
-        if (val instanceof Map) {
-            // Schwartzian: compute each entry's sort key (recursive hash of the
-            // Map key) once, then sort by the cheap string compare.
-            const entries = [...val.entries()]
-                .map((e) => [hash(e[0]), e])
-                .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
-                .map(([, e]) => e);
-            return { __map__: entries };
+    /**
+     * Invalidates (removes) a cache entry.
+     *
+     * @param key - The key of the entry to invalidate.
+     */
+    invalidate(key) {
+        this.invalidateInternal(key);
+    }
+    /**
+     * Invalidates every cache entry whose key starts with `prefix`. Common after a
+     * list-mutating operation (e.g. invalidate every paginated `GET /api/posts*`
+     * after a POST). Returns the number of entries removed.
+     *
+     * @example
+     * cache.invalidatePrefix('GET https://api.example.com/posts');
+     */
+    invalidatePrefix(prefix) {
+        return this.invalidateWhere((key) => key.startsWith(prefix));
+    }
+    /**
+     * Invalidates every cache entry whose *request URL* starts with `urlPrefix`,
+     * regardless of HTTP method. This is the engine behind `mutationResource`'s
+     * `invalidates` option: `'/api/posts'` clears `/api/posts` with any query
+     * params, subpaths like `/api/posts/123`, and all `varyHeaders` variants —
+     * across GET/HEAD/OPTIONS/POST or any other cached method. Returns the number
+     * of entries removed.
+     *
+     * Unlike {@link invalidatePrefix} (which matches the raw key from its start),
+     * this extracts the URL field from the auto-generated key shape, so it is not
+     * fooled by the leading method token nor by a namespace a custom `cache.hash`
+     * prepends (e.g. `tenant:…`). Plain prefix matching still catches siblings
+     * sharing the prefix (`/api/posts-archive`) — pass `'/api/posts/'` to narrow.
+     *
+     * Keys produced by a custom `hash` that don't follow the auto shape won't be
+     * matched by the default; pass `match` to describe how a URL prefix maps onto
+     * your key format. In dev mode, if a default-matcher call removes nothing and
+     * every cached key is foreign-shaped, this logs a one-time hint pointing at the
+     * `match` escape hatch (a likely sign of a custom `hash` with no matcher wired up).
+     *
+     * @param urlPrefix - URL prefix to match.
+     * @param match - Optional custom matcher: given the prefix, returns a key predicate.
+     *
+     * @example
+     * cache.invalidateUrlPrefix('/api/posts');
+     * // custom key scheme:
+     * cache.invalidateUrlPrefix('/api/posts', (p) => (k) => k.includes(`|url=${p}`));
+     */
+    invalidateUrlPrefix(urlPrefix, match) {
+        if (match)
+            return this.invalidateWhere(match(urlPrefix));
+        let sawAutoKey = false;
+        const removed = this.invalidateWhere((key) => {
+            const url = extractUrlFromKey(key);
+            if (url === null)
+                return false; // foreign-shaped key
+            sawAutoKey = true;
+            return url.startsWith(urlPrefix);
+        });
+        if (isDevMode() &&
+            !this.warnedForeignKeys &&
+            removed === 0 &&
+            !sawAutoKey &&
+            untracked(this.internal).size > 0) {
+            this.warnedForeignKeys = true;
+            console.warn(`[@mmstack/resource] invalidateUrlPrefix('${urlPrefix}') matched nothing, and no cached key follows the default key shape. If you use a custom 'cache.hash', pass an 'invalidateMatcher' (mutationResource) / 'match' (invalidateUrlPrefix) so invalidation can locate your keys.`);
         }
-        if (val instanceof Set) {
-            const values = [...val]
-                .map((v) => [hash(v), v])
-                .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
-                .map(([, v]) => v);
-            return { __set__: values };
+        return removed;
+    }
+    /**
+     * Invalidates every cache entry whose key matches the predicate. Use for
+     * arbitrary bulk invalidation that doesn't fit prefix matching (e.g.
+     * "everything containing `userId=42`"). Returns the number of entries removed.
+     *
+     * @example
+     * cache.invalidateWhere((key) => key.includes('/me/'));
+     */
+    invalidateWhere(predicate) {
+        const keys = Array.from(untracked(this.internal).keys()).filter(predicate);
+        for (const key of keys)
+            this.invalidateInternal(key);
+        return keys.length;
+    }
+    invalidateInternal(key, fromSync = false) {
+        // a key invalidated before async hydration completes must not be resurrected by it
+        if (!this.hydrated)
+            this.hydrationTombstones.add(key);
+        const entry = untracked(this.internal).get(key);
+        if (entry) {
+            clearTimeout(entry.timeout);
+            this.internal.mutate((map) => {
+                map.delete(key);
+                return map;
+            });
         }
-        if (isHashableObject(val))
-            return sortKeys(val);
-        return val;
-    });
+        if (!fromSync) {
+            this.db.then((db) => db.remove(key));
+            this.broadcast({ action: 'invalidate', entry: { key } });
+        }
+    }
+    /**
+     * Removes EVERY entry — memory, persisted rows, and (via broadcast) other tabs.
+     * Call on logout/auth changes so no prior user's responses survive.
+     */
+    clear() {
+        for (const key of Array.from(untracked(this.internal).keys())) {
+            this.invalidateInternal(key);
+        }
+    }
+    /** @internal Drops expired entries, then enforces `maxSize` by the configured strategy. */
+    cleanup() {
+        const now = Date.now();
+        // expired entries first — their timers may never have fired (throttled background
+        // tabs, or timer-less long-TTL entries)
+        const expired = Array.from(untracked(this.internal).entries()).filter(([, e]) => e.expiresAt <= now);
+        if (expired.length) {
+            expired.forEach(([, e]) => clearTimeout(e.timeout));
+            this.internal.mutate((map) => {
+                expired.forEach(([key]) => map.delete(key));
+                return map;
+            });
+        }
+        if (untracked(this.internal).size <= this.cleanupOpt.maxSize)
+            return;
+        const sorted = Array.from(untracked(this.internal).entries()).toSorted((a, b) => {
+            if (this.cleanupOpt.type === 'lru') {
+                return a[1].lastAccessed - b[1].lastAccessed; // least recently accessed first
+            }
+            else {
+                return a[1].created - b[1].created; // oldest first
+            }
+        });
+        const keepCount = Math.max(1, Math.floor(this.cleanupOpt.maxSize / 2));
+        const removed = sorted.slice(0, sorted.length - keepCount);
+        const keep = sorted.slice(removed.length, sorted.length);
+        removed.forEach(([, e]) => {
+            clearTimeout(e.timeout);
+        });
+        this.internal.set(new Map(keep));
+    }
 }
+const CLIENT_CACHE_TOKEN = new InjectionToken('INTERNAL_CLIENT_CACHE');
 /**
- * Generates a stable, unique string hash from one or more arguments.
- * Useful for creating cache keys or identifiers where object key order shouldn't matter.
+ * Provides the instance of the QueryCache for queryResource. This should probably be called
+ * in your application's root configuration, but can also be overriden with component/module providers.
  *
- * How it works:
- * - Object-like values (plain objects, class instances, `Object.create(null)`) have
- *   their own enumerable keys sorted alphabetically before hashing. This ensures
- *   `{ a: 1, b: 2 }` and `{ b: 2, a: 1 }` produce the same hash.
- * - `Map` and `Set` are serialized via stable, sorted markers (`__map__` / `__set__`).
- * - Arrays preserve positional order; `Date` uses its ISO string via `toJSON`.
+ * @param options - Optional configuration options for the cache.
+ * @returns An Angular `Provider` for the cache.
  *
- * @param {...unknown} args Values to include in the hash.
- * @returns A stable string hash representing the input arguments.
  * @example
- * hash('posts', 10);
- * // => '["posts",10]'
- *
- * hash({ a: 1, b: 2 }) === hash({ b: 2, a: 1 }); // true
+ * // In your app.config.ts or AppModule providers:
  *
- * hash(new Map([['a', 1]])) === hash(new Map([['a', 1]])); // true
+ * import { provideQueryCache } from './your-cache';
  *
- * // Be mindful of values JSON.stringify cannot handle (functions, undefined, Symbols)
- * // hash('a', undefined, function() {}) => '["a",null,null]'
- */
-function hash(...args) {
-    return hashKey(args);
-}
-
-/**
- * @internal
- * One-way ~64-bit digest from two independent FNV-1a passes. Used for header VALUES in
- * cache keys: keys are persisted (IndexedDB) and broadcast cross-tab, so raw values
- * (auth tokens!) must never appear in them. A single 32-bit digest's 2^-32 collision
- * chance is too thin at a security boundary — two colliding tokens would serve one
- * user's cached data under another user's key; 64 bits puts collisions out of reach.
- * High-entropy secrets are not recoverable from the digest.
- */
-function digestHeaderValue(value) {
-    let h1 = 0x811c9dc5; // FNV-1a offset basis
-    let h2 = 0xcbf29ce4; // independent second pass
-    for (let i = 0; i < value.length; i++) {
-        const c = value.charCodeAt(i);
-        h1 = Math.imul(h1 ^ c, 0x01000193); // FNV prime
-        h2 = Math.imul(h2 ^ c, 0x01000197); // distinct odd multiplier
-    }
-    return ((h1 >>> 0).toString(16).padStart(8, '0') +
-        (h2 >>> 0).toString(16).padStart(8, '0'));
-}
-function readHeader(headers, name) {
-    if (!headers)
-        return null;
-    if (headers instanceof HttpHeaders) {
-        const all = headers.getAll(name);
-        return all && all.length ? all.join(',') : null;
-    }
-    // record form — header names are case-insensitive
-    const lower = name.toLowerCase();
-    for (const key of Object.keys(headers)) {
-        if (key.toLowerCase() !== lower)
-            continue;
-        const value = headers[key];
-        if (value == null)
-            return null;
-        return Array.isArray(value) ? value.join(',') : String(value);
-    }
-    return null;
-}
-/**
- * Content-negotiation headers whose values are low-entropy and non-identifying —
- * embedded (URI-encoded) raw, keeping keys human-readable and skipping the digest.
- * Anything NOT on this list (Authorization, api keys, tenant/x-* headers — we can't
- * know what they carry) is one-way digested instead.
+ * export const appConfig: ApplicationConfig = {
+ *   providers: [
+ *     provideQueryCache({
+ *       ttl: 60000, // Default TTL of 60 seconds
+ *       staleTime: 30000, // Default staleTime of 30 seconds
+ *     }),
+ *     // ... other providers
+ *   ]
+ * };
  */
-const SAFE_RAW_HEADERS = new Set([
-    'accept',
-    'accept-language',
-    'content-language',
-    'content-type',
-]);
-const UNSAFE_HEADER_MESSAGES = new Map([
-    [
-        'cookie',
-        "[@mmstack/resource]: varyHeaders includes 'cookie'. Browser-attached cookies never appear on the request object (so this usually partitions nothing), and manually-set cookie values often rotate per-request (shredding the hit rate). The header IS still honored (digested) — but prefer varying on 'Authorization' or a tenant header.",
-    ],
-    [
-        'set-cookie',
-        "[@mmstack/resource]: varyHeaders includes 'set-cookie'. Browser-attached cookies never appear on the request object (so this usually partitions nothing), and manually-set cookie values often rotate per-request (shredding the hit rate). The header IS still honored (digested) — but prefer varying on 'Authorization' or a tenant header.",
-    ],
-    [
-        'authorization',
-        "[@mmstack/resource]: varyHeaders includes 'Authorization'. If your token rotates frequently (e.g., short-lived JWTs), this will cause 100% cache churn on refresh. Consider adding a namespace prefix with the users sub, not using it as a cache-key or using a custom 'cache.hash' function with a stable session/user ID instead.",
-    ],
-    [
-        'x-request-id',
-        "[@mmstack/resource]: varyHeaders includes 'X-Request-ID'. This header is often set to a unique value per-request, which will cause 100% cache churn. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
-    ],
-    [
-        'x-correlation-id',
-        "[@mmstack/resource]: varyHeaders includes 'X-Correlation-ID'. This header is often set to a unique value per-request, which will cause 100% cache churn. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
-    ],
-    [
-        'if-none-match',
-        "[@mmstack/resource]: varyHeaders includes 'If-None-Match'. This header contains ETags that change whenever the server's resource version changes, which will cause cache misses on every update. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
-    ],
-    [
-        'if-modified-since',
-        "[@mmstack/resource]: varyHeaders includes 'If-Modified-Since'. This header contains timestamps that change whenever the server's resource version changes, which will cause cache misses on every update. Consider removing it from varyHeaders or using a custom 'cache.hash' function that ignores it.",
-    ],
-]);
-function normalizeVaryHeaders(headers, names) {
-    const isDev = isDevMode();
-    return names
-        .map((n) => n.toLowerCase())
-        .toSorted()
-        .map((name) => {
-        if (isDev) {
-            const warning = UNSAFE_HEADER_MESSAGES.get(name);
-            if (warning)
-                console.warn(warning);
+function provideQueryCache(opt) {
+    const serialize = (value) => {
+        const headersRecord = {};
+        const headerKeys = value.headers.keys();
+        headerKeys.forEach((key) => {
+            const values = value.headers.getAll(key);
+            if (!values)
+                return;
+            headersRecord[key] = values;
+        });
+        return JSON.stringify({
+            body: value.body,
+            status: value.status,
+            // statusText intentionally omitted: deprecated in Angular, meaningless under
+            // HTTP/2+ (HttpResponse defaults it to 'OK' on reconstruction)
+            headers: headerKeys.length > 0 ? headersRecord : undefined,
+            url: value.url,
+        });
+    };
+    const deserialize = (value) => {
+        try {
+            const parsed = JSON.parse(value);
+            if (!parsed || typeof parsed !== 'object' || !('body' in parsed))
+                throw new Error('Invalid cache entry format');
+            const headers = parsed.headers
+                ? new HttpHeaders(parsed.headers)
+                : undefined;
+            return new HttpResponse({
+                body: parsed.body,
+                status: parsed.status,
+                headers: headers,
+                url: parsed.url,
+            });
+        }
+        catch (err) {
+            if (isDevMode())
+                console.error('Failed to deserialize cache entry:', err);
+            return null;
         }
-        const value = readHeader(headers, name);
-        if (value === null)
-            return `${name}=`;
-        // known-safe values raw (readable, cheap); everything else digested, NEVER raw —
-        // keys are persisted to IndexedDB and broadcast across tabs
-        return SAFE_RAW_HEADERS.has(name)
-            ? `${name}=${encodeURIComponent(value)}`
-            : `${name}=${digestHeaderValue(value)}`;
-    })
-        .join('&');
-}
-function normalizeParams(params) {
-    const p = params instanceof HttpParams
-        ? params
-        : new HttpParams({ fromObject: params });
-    return p
-        .keys()
-        .toSorted()
-        .map((key) => {
-        const encodedKey = encodeURIComponent(key);
-        return (p.getAll(key) ?? [])
-            .map((v) => `${encodedKey}=${encodeURIComponent(v)}`)
-            .join('&');
-    })
-        .join('&');
+    };
+    // version-suffixed so two deploys with incompatible schemas in adjacent tabs don't
+    // push entries into each other's caches (the `version` option only fences IndexedDB)
+    const syncChannelId = `mmstack-query-cache-sync_v${opt?.version ?? 1}`;
+    return {
+        provide: CLIENT_CACHE_TOKEN,
+        useFactory: () => {
+            const onServer = inject(PLATFORM_ID) === 'server';
+            // no IndexedDB / BroadcastChannel on the server — each request gets an
+            // isolated, request-lived, memory-only cache
+            const syncTabsOpt = !onServer && opt?.syncTabs
+                ? {
+                    id: syncChannelId,
+                    serialize,
+                    deserialize,
+                }
+                : undefined;
+            const db = onServer || opt?.persist === false
+                ? undefined
+                : createSingleStoreDB('mmstack-query-cache-db', (version) => `query-store_v${version}`, opt?.version).then((db) => {
+                    return {
+                        getAll: () => {
+                            return db.getAll().then((entries) => {
+                                return entries
+                                    .map((entry) => {
+                                    const value = deserialize(entry.value);
+                                    if (value === null)
+                                        return null;
+                                    return {
+                                        ...entry,
+                                        value,
+                                    };
+                                })
+                                    .filter((e) => e !== null);
+                            });
+                        },
+                        store: (entry) => {
+                            return db.store({ ...entry, value: serialize(entry.value) });
+                        },
+                        remove: db.remove,
+                    };
+                });
+            const cache = new Cache(opt?.ttl, opt?.staleTime, opt?.cleanup, syncTabsOpt, db);
+            // release the sweep interval / channel with the providing injector
+            inject(DestroyRef, { optional: true })?.onDestroy(() => cache.destroy());
+            return cache;
+        },
+    };
 }
-function hashBody(body) {
-    // File extends Blob — must check File first
-    if (typeof File !== 'undefined' && body instanceof File) {
-        return `File:${body.name}:${body.type}:${body.size}:${body.lastModified}`;
-    }
-    if (typeof Blob !== 'undefined' && body instanceof Blob) {
-        return `Blob:${body.type}:${body.size}`;
-    }
-    if (typeof FormData !== 'undefined' && body instanceof FormData) {
-        const entries = [];
-        body.forEach((value, key) => {
-            entries.push([key, hashBody(value)]);
+class NoopCache extends Cache {
+    constructor() {
+        // Infinity checkInterval → no sweep interval is ever armed, so the shared
+        // instance below never pins a timer
+        super(undefined, undefined, {
+            type: 'lru',
+            maxSize: 200,
+            checkInterval: Infinity,
         });
-        entries.sort(([ak, av], [bk, bv]) => ak.localeCompare(bk) || av.localeCompare(bv));
-        return `FormData:${entries.map(([k, v]) => `${k}=${v}`).join('&')}`;
     }
-    if (typeof URLSearchParams !== 'undefined' &&
-        body instanceof URLSearchParams) {
-        const sp = new URLSearchParams(body);
-        sp.sort();
-        return `URLSearchParams:${sp.toString()}`;
-    }
-    if (body instanceof ArrayBuffer) {
-        return `ArrayBuffer:${body.byteLength}`;
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    store(_, __, ___ = super.staleTime, ____ = super.ttl) {
+        // noop
     }
-    if (ArrayBuffer.isView(body)) {
-        return `${body.constructor.name}:${body.byteLength}`;
+}
+// one shared instance — minting a NoopCache per injectQueryCache() miss would leak
+// an instance (and previously an interval) on every prod call without a provider
+let NOOP_CACHE;
+/**
+ * Injects the `QueryCache` instance that is used within queryResource.
+ * Allows for direct modification of cached data, but is mostly meant for internal use.
+ *
+ * @param injector - (Optional) The injector to use.  If not provided, the current
+ *                   injection context is used.
+ * @returns The `QueryCache` instance.
+ *
+ * @example
+ * // In your component or service:
+ *
+ * import { injectQueryCache } from './your-cache';
+ *
+ * constructor() {
+ *   const cache = injectQueryCache();
+ *
+ *   const myData = cache.get(() => 'my-data-key');
+ *   if (myData() !== null) {
+ *     // ... use cached data ...
+ *   }
+ * }
+ */
+function injectQueryCache(injector) {
+    const cache = injector
+        ? injector.get(CLIENT_CACHE_TOKEN, null, {
+            optional: true,
+        })
+        : inject(CLIENT_CACHE_TOKEN, {
+            optional: true,
+        });
+    if (!cache) {
+        if (isDevMode())
+            throw new Error('Cache not provided, please add provideQueryCache() to providers array');
+        else
+            return (NOOP_CACHE ??= new NoopCache());
     }
-    return hash(body);
+    return cache;
 }
 /**
- * Builds a stable cache/dedupe key from an HTTP request shape (accepts both
- * `HttpRequest` and `HttpResourceRequest`).
+ * Injects the cache statistics, including the current size of the cache and the number of hits and misses.
  *
- * Key composition: `${method}:${url}:${responseType}[:${params}][:${body}][:${vary}]`
- * - `method` defaults to `'GET'`, `responseType` to `'json'` (Angular defaults).
- * - Query params are sorted alphabetically and URL-encoded for stability.
- * - Body hashing handles `File`/`Blob`/`FormData`/`URLSearchParams`/`ArrayBuffer`
- *   and typed arrays explicitly; everything else flows through key-sorted
- *   `JSON.stringify` via `hash()`.
- * - `varyHeaders` (opt-in) mixes the named request headers into the key so responses
- *   that differ per header (e.g. `Authorization` → per-user, `Accept-Language`) get
- *   separate entries. Known-safe content-negotiation headers (`Accept`,
- *   `Accept-Language`, `Content-Language`, `Content-Type`) embed their value raw for
- *   readable keys; all other header VALUES are one-way digested, never embedded raw —
- *   keys are persisted to IndexedDB and broadcast across tabs.
+ * @param injector - (Optional) The injector to use.  If not provided, the current
+ *                   injection context is used.
+ * @returns A signal containing the cache statistics.
  */
-function hashRequest(req, varyHeaders) {
-    const method = req.method ?? 'GET';
-    const responseType = req.responseType ?? 'json';
-    const base = `${method}:${req.url}:${responseType}`;
-    const params = req.params ? `:${normalizeParams(req.params)}` : '';
-    const body = req.body != null ? `:${hashBody(req.body)}` : '';
-    const vary = varyHeaders?.length
-        ? `:vary(${normalizeVaryHeaders(req.headers, varyHeaders)})`
-        : '';
-    return base + params + body + vary;
+function injectCacheStats(injector) {
+    const cache = injectQueryCache(injector);
+    return cache.stats;
 }
 
 /**
@@ -2400,6 +2484,23 @@ function manualQueryResource(request, options) {
 }
 
 const NULL_VALUE = Symbol('@mmstack/resource:null');
+/**
+ * Rejection reason for a {@link MutationResourceRef.mutateAsync} promise whose
+ * mutation never completed. The {@link MutationCancelledError.type} discriminant
+ * carries the cause ({@link MutationCancellationReason}); the message is a
+ * human-readable elaboration of it.
+ *
+ * Only `mutateAsync` promises reject with this; plain `mutate()` calls have no
+ * promise and so produce no (potentially unhandled) rejection.
+ */
+class MutationCancelledError extends Error {
+    type;
+    constructor(type, message) {
+        super(message);
+        this.type = type;
+        this.name = 'MutationCancelledError';
+    }
+}
 const MUTATION_RESOURCE_OPTIONS = new InjectionToken('@mmstack/resource:mutation-resource-options', { factory: () => ({}) });
 /**
  * Layer 2 (mutation): default options for every `mutationResource`, inheriting + overriding the
@@ -2413,55 +2514,6 @@ function injectMutationResourceOptions(injector) {
         ? injector.get(MUTATION_RESOURCE_OPTIONS)
         : inject(MUTATION_RESOURCE_OPTIONS);
 }
-/**
- * Creates a resource for performing mutations (e.g., POST, PUT, PATCH, DELETE requests).
- * Unlike `queryResource`, `mutationResource` is designed for one-off operations that change data.
- * It does *not* cache responses and does not provide a `value` signal.  Instead, it focuses on
- * managing the mutation lifecycle (pending, error, success) and provides callbacks for handling
- * these states.
- *
- * @param request A function that returns the base `HttpResourceRequest` to be made. This function is called reactively. The parameter is the mutation value provided by the `mutate` method.
- * @param options Configuration options for the mutation resource.  This includes callbacks
- *               for `onMutate`, `onError`, `onSuccess`, and `onSettled`.
- * @typeParam TResult - The type of the expected result from the mutation.
- * @typeParam TRaw - The raw response type from the HTTP request (defaults to TResult).
- * @typeParam TMutation - The type of the mutation value (the request body).
- * @typeParam TICTX - The type of the initial context value passed to `onMutate`.
- * @typeParam TCTX - The type of the context value returned by `onMutate`.
- * @typeParam TMethod - The HTTP method to be used for the mutation (defaults to `HttpResourceRequest['method']`).
- * @returns A `MutationResourceRef` instance, which provides methods for triggering the mutation
- *          and observing its status.
- *
- * @example
- * ```ts
- * // Basic PATCH mutation
- * const updateUser = mutationResource<User, User, Partial<User>>(
- *   (body) => ({ url: `/api/users/${userId()}`, method: 'PATCH', body }),
- *   {
- *     onSuccess: (saved) => toast.success(`Updated ${saved.name}`),
- *     onError: (err) => toast.error(err),
- *   },
- * );
- *
- * updateUser.mutate({ name: 'Alice' });
- * ```
- *
- * @example
- * ```ts
- * // Optimistic update with rollback via the `ctx` returned from `onMutate`
- * const updateUser = mutationResource<User, User, Partial<User>, { prev: User | null }>(
- *   (body) => ({ url: `/api/users/${userId()}`, method: 'PATCH', body }),
- *   {
- *     onMutate: (patch) => {
- *       const prev = current();
- *       current.update((u) => (u ? { ...u, ...patch } : u));
- *       return { prev };
- *     },
- *     onError: (_err, { prev }) => current.set(prev),
- *   },
- * );
- * ```
- */
 function mutationResource(request, options0 = {}) {
     // Two-layer option injection: per-call > provideMutationResourceOptions > provideResourceOptions.
     const globalOpts = injectResourceOptions(options0.injector);
@@ -2473,16 +2525,9 @@ function mutationResource(request, options0 = {}) {
         circuitBreaker: mergeCircuitBreakerOptions(globalOpts.circuitBreaker, mutOpts.circuitBreaker, options0?.circuitBreaker),
         retry: mergeRetryOptions(globalOpts.retry, mutOpts.retry, options0?.retry),
     };
-    // `register` is pulled out (and forced off on the inner query below) so the mutation ref is
-    // the only thing registered into the transition scope, not its internal query resource.
-    const { onMutate, onError, onSuccess, onSettled, equal, register, equalRequest, invalidates, ...rest } = options;
+    const { onMutate, onError, onSuccess, onSettled, equal, register, equalRequest, invalidates, invalidateMatcher, ...rest } = options;
     const cache = invalidates ? injectQueryCache(options.injector) : undefined;
     const requestEqual = equalRequest ?? createEqualRequest(equal);
-    // A mutation is an imperative command, so `triggerOnSameRequest` means "fire on EVERY mutate(),
-    // even with an identical body". By default we dedup an identical value/request while one is in
-    // flight (double-click protection); when this is set, both the `next` and `req` dedup are bypassed
-    // so a repeat click isn't silently swallowed mid-flight. (Otherwise it'd be dropped until `next`
-    // resets to NULL on settle — the "every other click" symptom.)
     const triggerOnSame = options.triggerOnSameRequest ?? false;
     const eq = equal ?? Object.is;
     const next = signal(NULL_VALUE, ...(ngDevMode ? [{ debugName: "next", equal: (a, b) => {
@@ -2507,29 +2552,24 @@ function mutationResource(request, options0 = {}) {
     const queueEnabled = !!options.queue;
     const queueKeyFn = typeof options.queue === 'object' ? options.queue.key : undefined;
     const queue = linkedSignal(...(ngDevMode ? [{ debugName: "queue", source: () => queueKeyFn?.(),
-            computation: () => signal([]) }] : [{
+            computation: (_key, prev) => {
+                // On a queue key change the previous pending entries are dropped — reject any
+                // mutateAsync promises waiting on them so awaiters don't hang.
+                if (prev)
+                    for (const [, , deferred] of untracked(prev.value))
+                        deferred?.reject(new MutationCancelledError('queue-key-changed', 'mutation dropped: queue key changed before it ran'));
+                return signal([]);
+            } }] : [{
             source: () => queueKeyFn?.(),
-            computation: () => signal([]),
+            computation: (_key, prev) => {
+                // On a queue key change the previous pending entries are dropped — reject any
+                // mutateAsync promises waiting on them so awaiters don't hang.
+                if (prev)
+                    for (const [, , deferred] of untracked(prev.value))
+                        deferred?.reject(new MutationCancelledError('queue-key-changed', 'mutation dropped: queue key changed before it ran'));
+                return signal([]);
+            },
         }]));
-    let ctx = undefined;
-    const queueRef = effect(() => {
-        const q = queue(); // subscribe to swaps (key change / clearQueue)
-        const nextInQueue = q().at(0); // subscribe to contents
-        if (nextInQueue === undefined || next() !== NULL_VALUE)
-            return;
-        q.update((arr) => arr.slice(1));
-        const [value, ictx] = nextInQueue;
-        try {
-            ctx = onMutate?.(value, ictx);
-            next.set(value);
-        }
-        catch (mutationErr) {
-            ctx = undefined;
-            next.set(NULL_VALUE);
-            if (isDevMode())
-                console.error('[@mmstack/resource]: error thrown in onMutate hook, mutation was not applied', mutationErr);
-        }
-    }, ...(ngDevMode ? [{ debugName: "queueRef", injector: options.injector }] : [{ injector: options.injector }]));
     const req = computed(() => {
         const nr = next();
         if (nr === NULL_VALUE)
@@ -2554,6 +2594,57 @@ function mutationResource(request, options0 = {}) {
                 return requestEqual(a, b);
             },
         }]));
+    let ctx = undefined;
+    let currentDeferred;
+    const begin = (value, ictx, deferred) => {
+        let nextCtx;
+        try {
+            nextCtx = onMutate?.(value, ictx);
+        }
+        catch (mutationErr) {
+            // match legacy mutate(): the throw aborts the mutation and resets state
+            ctx = undefined;
+            next.set(NULL_VALUE);
+            deferred?.reject(mutationErr);
+            if (isDevMode())
+                console.error('[@mmstack/resource]: error thrown in onMutate hook, mutation was not applied', mutationErr);
+            return;
+        }
+        ctx = nextCtx;
+        currentDeferred = deferred;
+        next.set(value);
+        if (deferred && untracked(req) === undefined) {
+            ctx = undefined;
+            currentDeferred = undefined;
+            next.set(NULL_VALUE);
+            deferred.reject(new MutationCancelledError('no-request', 'mutation not sent: request() returned undefined'));
+        }
+    };
+    const supersedeInFlight = () => {
+        if (untracked(next) === NULL_VALUE)
+            return;
+        if (isDevMode())
+            console.warn('[@mmstack/resource]: mutate() called while another mutation was in flight — the previous mutation was superseded (latest-wins) and its onSettled was invoked. Use `queue: true` for sequential mutations.');
+        try {
+            onSettled?.(ctx);
+        }
+        catch (settleErr) {
+            if (isDevMode())
+                console.error('[@mmstack/resource]: error thrown in onSettled hook for a superseded mutation', settleErr);
+        }
+        currentDeferred?.reject(new MutationCancelledError('superseded', 'mutation superseded by a newer mutation (latest-wins)'));
+        currentDeferred = undefined;
+        ctx = undefined;
+    };
+    const queueRef = effect(() => {
+        const q = queue(); // subscribe to swaps (key change / clearQueue)
+        const nextInQueue = q().at(0); // subscribe to contents
+        if (nextInQueue === undefined || next() !== NULL_VALUE)
+            return;
+        q.update((arr) => arr.slice(1));
+        const [value, ictx, deferred] = nextInQueue;
+        begin(value, ictx, deferred);
+    }, ...(ngDevMode ? [{ debugName: "queueRef", injector: options.injector }] : [{ injector: options.injector }]));
     const lastValue = linkedSignal(...(ngDevMode ? [{ debugName: "lastValue", source: next,
             computation: (next, prev) => {
                 if (next === NULL_VALUE && !!prev)
@@ -2623,8 +2714,12 @@ function mutationResource(request, options0 = {}) {
         return NULL_VALUE;
     }), filter((v) => v !== NULL_VALUE), takeUntilDestroyed(destroyRef))
         .subscribe((result) => {
-        if (result.status === 'error')
+        const deferred = currentDeferred;
+        currentDeferred = undefined;
+        if (result.status === 'error') {
             onError?.(result.error, ctx);
+            deferred?.reject(result.error);
+        }
         else {
             onSuccess?.(result.value, ctx);
             if (cache && invalidates) {
@@ -2632,11 +2727,10 @@ function mutationResource(request, options0 = {}) {
                 const prefixes = typeof invalidates === 'function'
                     ? invalidates(result.value, (mutation === NULL_VALUE ? undefined : mutation))
                     : invalidates;
-                // auto-keys are `${method}:${url}:...` — a `GET:`-prefixed url prefix hits
-                // the url with any params/subpaths and every varyHeaders variant
                 for (const prefix of prefixes)
-                    cache.invalidatePrefix(`GET:${prefix}`);
+                    cache.invalidateUrlPrefix(prefix, invalidateMatcher);
             }
+            deferred?.resolve(result.value);
         }
         onSettled?.(ctx);
         ctx = undefined;
@@ -2648,39 +2742,32 @@ function mutationResource(request, options0 = {}) {
             // queue first — a late queue flush must not poke an already-destroyed resource
             queueRef.destroy();
             statusSub.unsubscribe();
+            // reject any outstanding mutateAsync promises so awaiters don't hang
+            const cancelled = new MutationCancelledError('destroyed', 'mutation abandoned: resource destroyed');
+            currentDeferred?.reject(cancelled);
+            currentDeferred = undefined;
+            for (const [, , deferred] of untracked(queue)())
+                deferred?.reject(cancelled);
             resource.destroy();
         },
         mutate: (value, ictx) => {
             if (queueEnabled) {
-                return queue().update((arr) => [...arr, [value, ictx]]);
+                queue().update((arr) => [...arr, [value, ictx, undefined]]);
+                return;
+            }
+            supersedeInFlight();
+            begin(value, ictx, undefined);
+        },
+        mutateAsync: (value, ictx) => {
+            const deferred = Promise.withResolvers();
+            if (queueEnabled) {
+                queue().update((arr) => [...arr, [value, ictx, deferred]]);
             }
             else {
-                // latest-wins: a mutation already in flight gets superseded (its request is
-                // aborted by the request change), so its onSuccess/onError will never fire —
-                // settle its context NOW so optimistic state can be rolled back/cleaned up
-                if (untracked(next) !== NULL_VALUE) {
-                    if (isDevMode())
-                        console.warn('[@mmstack/resource]: mutate() called while another mutation was in flight — the previous mutation was superseded (latest-wins) and its onSettled was invoked. Use `queue: true` for sequential mutations.');
-                    try {
-                        onSettled?.(ctx);
-                    }
-                    catch (settleErr) {
-                        if (isDevMode())
-                            console.error('[@mmstack/resource]: error thrown in onSettled hook for a superseded mutation', settleErr);
-                    }
-                    ctx = undefined;
-                }
-                try {
-                    ctx = onMutate?.(value, ictx);
-                    next.set(value);
-                }
-                catch (mutationErr) {
-                    ctx = undefined;
-                    next.set(NULL_VALUE);
-                    if (isDevMode())
-                        console.error('[@mmstack/resource]: error thrown in onMutate hook, mutation was not applied', mutationErr);
-                }
+                supersedeInFlight();
+                begin(value, ictx, deferred);
             }
+            return deferred.promise;
         },
         current: computed(() => {
             const nv = next();
@@ -2689,7 +2776,11 @@ function mutationResource(request, options0 = {}) {
         clearQueue: () => {
             if (!queueEnabled)
                 return;
+            const dropped = untracked(queue)();
             queue.set(signal([]));
+            // reject mutateAsync promises whose entries we just dropped
+            for (const [, , deferred] of dropped)
+                deferred?.reject(new MutationCancelledError('queue-cleared', 'mutation dropped: queue cleared before it ran'));
         },
         // redeclare disabled with last value so that it is not affected by the resource's internal disablement logic
         disabled: computed(() => cb.isOpen() || lastValueRequest() === undefined),
@@ -2702,5 +2793,5 @@ function mutationResource(request, options0 = {}) {
  * Generated bundle index. Do not edit.
  */
 
-export { Cache, PAUSED, applyResourceRegistration, createCacheInterceptor, createCircuitBreaker, createDedupeRequestsInterceptor, hashRequest, infiniteQueryResource, injectQueryCache, injectResourceOptions, manualQueryResource, mutationResource, noDedupe, provideCircuitBreakerDefaultOptions, provideMutationResourceOptions, provideQueryCache, provideQueryResourceOptions, provideResourceOptions, provideTypedResourceOptions, queryResource };
+export { Cache, MutationCancelledError, PAUSED, applyResourceRegistration, createCacheInterceptor, createCircuitBreaker, createDedupeRequestsInterceptor, hashRequest, infiniteQueryResource, injectQueryCache, injectResourceOptions, manualQueryResource, mutationResource, noDedupe, provideCircuitBreakerDefaultOptions, provideMutationResourceOptions, provideQueryCache, provideQueryResourceOptions, provideResourceOptions, provideTypedResourceOptions, queryResource };
 //# sourceMappingURL=mmstack-resource.mjs.map