@mpen/routekit 0.1.0 → 0.1.2

package/dist/middleware.mjs

@@ -0,0 +1,1222 @@
+import { C as isChunkDirective, O as isStreamDirective, R as parseAcceptHeader, S as headers, T as isHeadersDirective, f as defineMiddleware, n as RequestBodyLengthMismatchError, r as RequestBodyTooLargeError, w as isHeadDirective } from "./request-Dn0zc-xm.mjs";
+import { a as response, i as isRoutekitResponse, n as isResponseBodyInit } from "./core-DbmQauwS.mjs";
+import { a as text, t as empty } from "./content-BuDOmhH_.mjs";
+import { CommonHeaders, HttpMethod, HttpStatus } from "@mpen/http";
+import { LogLevel } from "@mpen/logger";
+//#region src/router/middleware/request-id-ctx.ts
+globalThis._reloadCounter = globalThis._reloadCounter == null ? 0 : globalThis._reloadCounter + 1;
+globalThis._globalRequestCounter ??= 0;
+const isHMR = import.meta.hot !== void 0 || process.execArgv.includes("--hot");
+function defaultRequestIdGenerator(_ctx, extra) {
+	let requestId = extra.requestCounter.toString(36);
+	if (isHMR) requestId = extra.hotReloadCounter.toString(36) + "." + requestId;
+	if (extra.prefix) requestId = `${extra.prefix}.${requestId}`;
+	return requestId;
+}
+/**
+* Attach a correlated request id to every final response and contextual logger record.
+*
+* @example
+* ```ts
+* router.useRequest(requestIdCtx({
+*   readHeaderName: ['x-request-id', 'x-trace-id'],
+*   writeHeaderName: 'x-request-id',
+*   generate: () => crypto.randomUUID(),
+* }))
+* ```
+*
+* @param options - Configuration for reading, generating, and writing request ids.
+* @returns Request-boundary middleware that populates `requestId` and logger context.
+* @typeParam Ctx - Context available before request id generation.
+*/
+function requestIdCtx(options = {}) {
+	const prefix = options.prefix ?? "";
+	const headers = options.readHeaderName === void 0 ? [
+		"x-request-id",
+		"x-trace-id",
+		"traceparent"
+	] : options.readHeaderName == null ? [] : Array.isArray(options.readHeaderName) ? options.readHeaderName : [options.readHeaderName];
+	const writeHeaderName = options.writeHeaderName;
+	const hotReloadCounter = globalThis._reloadCounter;
+	let requestCounter = 0;
+	return async (ctx, next) => {
+		let headerId = null;
+		for (const name of headers) {
+			headerId = ctx.request.headers.get(name);
+			if (headerId !== null) break;
+		}
+		const extra = {
+			prefix,
+			hotReloadCounter,
+			requestCounter: ++requestCounter,
+			globalRequestCounter: ++globalThis._globalRequestCounter
+		};
+		const requestId = headerId ?? options.generate?.(ctx, extra) ?? defaultRequestIdGenerator(ctx, extra);
+		ctx.requestId = requestId;
+		ctx.logger = ctx.logger.withContext({ "request.id": requestId });
+		const response = await next();
+		if (writeHeaderName != null) response.headers.set(writeHeaderName, requestId);
+		return response;
+	};
+}
+//#endregion
+//#region src/router/middleware/request-logger-format.ts
+const ROUTEKIT_HTTP_SERVER_REQUEST_EVENT_NAME = "http.server.request";
+const ROUTEKIT_REQUEST_CONTEXT_KEYS = [
+	"http.request.method",
+	"url.path",
+	"request.id"
+];
+const REQUEST_ID_COLOR_KEYS = [
+	"cyanBright",
+	"magentaBright",
+	"greenBright",
+	"yellowBright",
+	"blueBright",
+	"redBright",
+	"cyan",
+	"magenta"
+];
+/**
+* Transform Routekit request activity records into production JSON access logs.
+*
+* Removes the fallback activity message from `http.server.request` records while preserving
+* normal application log messages written through the same contextual logger.
+*
+* @example
+* ```ts
+* import { JsonLogger } from '@mpen/logger'
+* import { transformRoutekitJsonLogRecord } from '@mpen/routekit/middleware'
+*
+* const logger = new JsonLogger({
+*     transformRecord: transformRoutekitJsonLogRecord,
+* })
+* ```
+*
+* @param record - Record emitted by a logger.
+* @returns The transformed record, or `undefined` to use the original record.
+*/
+const transformRoutekitJsonLogRecord = (record) => {
+	if (!isRoutekitRequestEvent(record)) return;
+	return {
+		...record,
+		data: stripActivityLifecycleMessage(record)
+	};
+};
+/**
+* Format Routekit request context for terminal logs.
+*
+* Renders compact request start/completion lines, color-correlated request identifiers, status
+* codes, elapsed time, and response sizes while leaving unrelated records to
+* [`TerminalLogger`]{@link import('@mpen/logger').TerminalLogger}'s default renderer.
+*
+* @example
+* ```ts
+* import { TerminalLogger } from '@mpen/logger'
+* import { formatRoutekitTerminalLogRecord } from '@mpen/routekit/middleware'
+*
+* const logger = new TerminalLogger({
+*     formatRecord: formatRoutekitTerminalLogRecord,
+* })
+* ```
+*
+* @param record - Record emitted by a logger.
+* @param terminal - Terminal formatting helpers.
+* @returns Formatted terminal output, or `undefined` to use the default renderer.
+*/
+const formatRoutekitTerminalLogRecord = (record, terminal) => {
+	if (!hasRoutekitRequestContext(record)) return;
+	const colors = terminal.colors;
+	const context = record.context;
+	const requestId = getStringContext(record, "request.id");
+	const method = getStringContext(record, "http.request.method");
+	const path = getStringContext(record, "url.path");
+	const route = getStringContext(record, "http.route");
+	const direction = getActivityDirection(record);
+	const parts = [
+		formatServiceName(getStringContext(record, "service.name"), colors),
+		requestId == null ? void 0 : formatRequestId(requestId, colors),
+		requestId == null ? void 0 : formatDirection(direction, colors),
+		requestId == null ? formatDirection(direction, colors) : void 0,
+		colors.bold(colors.whiteBright(method)),
+		colors.white(path),
+		route == null || route === path ? void 0 : colors.blackBright(`route=${route}`),
+		formatStatusCode(getNumberContext(context["http.response.status_code"]), colors),
+		formatDuration(getNumberContext(context.duration_ms), colors),
+		formatBodySize(getNumberContext(context["http.response.body.size"]), colors)
+	].filter((part) => part != null && part !== "");
+	const prefix = `${terminal.icon} ${colors.blackBright(terminal.time)} ${parts.join(" ")}`;
+	const data = direction == null ? record.data : stripActivityLifecycleMessage(record);
+	if (data.length === 0) return prefix.trimEnd();
+	const message = terminal.formatData(data);
+	if (message === "") return prefix.trimEnd();
+	const [firstLine = "", ...remainingLines] = message.split("\n");
+	return [prefix + " " + firstLine, ...remainingLines.map((line) => "   " + line)].join("\n");
+};
+function hasRoutekitRequestContext(record) {
+	return ROUTEKIT_REQUEST_CONTEXT_KEYS.every((key) => record.context[key] != null);
+}
+function isRoutekitRequestEvent(record) {
+	return record.context["event.name"] === ROUTEKIT_HTTP_SERVER_REQUEST_EVENT_NAME;
+}
+function stripActivityLifecycleMessage(record) {
+	return record.metadata.activity == null ? record.data : record.data.slice(1);
+}
+function getActivityDirection(record) {
+	switch (record.metadata.activity?.phase) {
+		case "start": return "→";
+		case "end": return "←";
+	}
+}
+function getStringContext(record, key) {
+	const value = record.context[key];
+	return value == null ? void 0 : String(value);
+}
+function getNumberContext(value) {
+	if (typeof value !== "number") return;
+	return Number.isFinite(value) ? value : void 0;
+}
+function formatServiceName(value, colors) {
+	if (value == null) return;
+	const text = `[${value}]`;
+	return colors.bold(colors.blueBright(text));
+}
+function formatRequestId(value, colors) {
+	const text = `[${value}]`;
+	let hash = 0;
+	for (const char of value) hash = hash * 31 + char.codePointAt(0) >>> 0;
+	return colors[REQUEST_ID_COLOR_KEYS[hash % REQUEST_ID_COLOR_KEYS.length]](text);
+}
+function formatDirection(value, colors) {
+	return value == null ? void 0 : colors.bold(colors.whiteBright(value));
+}
+function formatStatusCode(value, colors) {
+	if (value == null) return;
+	const text = String(value);
+	const formatted = value >= 500 ? colors.redBright(text) : value >= 400 ? colors.yellowBright(text) : value >= 300 ? colors.cyanBright(text) : colors.greenBright(text);
+	return colors.bold(formatted);
+}
+function formatDuration(value, colors) {
+	if (value == null) return;
+	const text = `${formatDurationMilliseconds(value)}ms`;
+	if (value >= 1e3) return colors.redBright(text);
+	return value >= 250 ? colors.yellowBright(text) : colors.greenBright(text);
+}
+/**
+* @internal
+*/
+function formatDurationMilliseconds(value) {
+	const p2 = value.toFixed(2);
+	if (Number(p2) < 1) return p2;
+	const p1 = value.toFixed(1);
+	if (Number(p1) < 100) return p1;
+	return value.toFixed(0);
+}
+function formatBodySize(value, colors) {
+	return value == null ? void 0 : colors.cyan(formatByteSize(value));
+}
+function formatByteSize(value) {
+	if (!Number.isFinite(value) || value < 0) return String(value);
+	if (value < 1024) return `${value} B`;
+	const units = [
+		"KiB",
+		"MiB",
+		"GiB"
+	];
+	let amount = value;
+	let unit = "B";
+	for (const nextUnit of units) {
+		amount /= 1024;
+		unit = nextUnit;
+		if (amount < 1024 || nextUnit === units.at(-1)) break;
+	}
+	const precision = amount >= 100 ? 0 : amount >= 10 ? 1 : 2;
+	return `${amount.toFixed(precision)} ${unit}`;
+}
+//#endregion
+//#region src/router/middleware/request-logger.ts
+function defaultCompletionLevel(response) {
+	return response.status >= 500 ? LogLevel.ERROR : LogLevel.INFO;
+}
+const HTTP_SERVER_REQUEST_EVENT = { "event.name": ROUTEKIT_HTTP_SERVER_REQUEST_EVENT_NAME };
+function getResponseBodySize(response) {
+	if (response.body == null) return 0;
+	const value = response.headers.get("content-length");
+	if (value == null || !/^\d+$/u.test(value)) return;
+	const size = Number(value);
+	return Number.isSafeInteger(size) ? size : void 0;
+}
+function getClientAddress(request, trustedHeader) {
+	if (trustedHeader == null) return;
+	const value = request.headers.get(trustedHeader)?.trim();
+	if (!value) return;
+	return trustedHeader.toLowerCase() === "x-forwarded-for" ? value.split(",", 1)[0]?.trim() : value;
+}
+/**
+* Log a timed request activity through the request's contextual logger.
+*
+* @example
+* ```ts
+* router.useRequest(requestIdCtx())
+* router.useRequest(requestLogger())
+* ```
+*
+* @param options - Request activity naming and severity options.
+* @returns Request-boundary middleware that logs final status and duration.
+* @typeParam Ctx - Context containing the correlated request identifier.
+*/
+function requestLogger(options = {}) {
+	const activityName = options.activityName ?? "request";
+	return async (ctx, next) => {
+		const clientAddress = getClientAddress(ctx.request, options.trustedClientAddressHeader);
+		const userAgent = ctx.request.headers.get("user-agent") ?? void 0;
+		const activity = ctx.logger.startActivity(activityName, {
+			...clientAddress == null ? {} : { "client.address": clientAddress },
+			...userAgent == null ? {} : { "user_agent.original": userAgent }
+		});
+		ctx.logger = activity.logger;
+		try {
+			const response = await next();
+			const bodySize = getResponseBodySize(response);
+			const level = typeof options.completionLevel === "function" ? options.completionLevel(response) : options.completionLevel ?? defaultCompletionLevel(response);
+			activity.end({
+				context: {
+					...HTTP_SERVER_REQUEST_EVENT,
+					"http.response.status_code": response.status,
+					...bodySize == null ? {} : { "http.response.body.size": bodySize }
+				},
+				level
+			});
+			return response;
+		} catch (error) {
+			activity.end({
+				context: HTTP_SERVER_REQUEST_EVENT,
+				data: [error],
+				level: LogLevel.ERROR
+			});
+			throw error;
+		}
+	};
+}
+//#endregion
+//#region src/router/middleware/body-limit.ts
+const utf8encoder = new TextEncoder();
+function parseContentLength(value) {
+	if (!value) return null;
+	const trimmed = value.trim();
+	if (!trimmed) return null;
+	const parsed = Number(trimmed);
+	if (!Number.isFinite(parsed) || !Number.isInteger(parsed) || parsed < 0) return null;
+	return parsed;
+}
+function chunkByteLength(chunk) {
+	if (typeof chunk === "string") return utf8encoder.encode(chunk).length;
+	return chunk.byteLength;
+}
+/**
+* Enforce a maximum request body size while preserving access to the incoming stream.
+*
+* @example
+* ```ts
+* router.use(bodyLimit({maxSize: 1024 * 1024}))
+* ```
+*
+* @param options - Configuration for maximum request body size enforcement.
+* @returns Middleware that rejects oversized bodies and mismatched Content-Length values.
+*/
+function bodyLimit(options) {
+	const textResponse = {
+		schema: { type: "string" },
+		parse(value) {
+			if (typeof value !== "string") throw new TypeError("Body limit responses must contain a string body.");
+			return value;
+		}
+	};
+	return defineMiddleware({
+		responses: {
+			[HttpStatus.BAD_REQUEST]: textResponse,
+			[HttpStatus.PAYLOAD_TOO_LARGE]: textResponse
+		},
+		async run(ctx, { next, forward, respond }) {
+			const maxSize = options.maxSize;
+			const contentLength = parseContentLength(ctx.request.headers.get("content-length"));
+			if (contentLength != null && contentLength > maxSize) {
+				ctx.request.body.stream()?.cancel();
+				return respond(text("Payload Too Large", { status: HttpStatus.PAYLOAD_TOO_LARGE }));
+			}
+			const bodyStream = ctx.request.body.stream();
+			if (!bodyStream) {
+				if (contentLength != null && contentLength !== 0) return respond(text("Bad Request", { status: HttpStatus.BAD_REQUEST }));
+				return forward(await next());
+			}
+			const reader = bodyStream.getReader();
+			let bytesRead = 0;
+			const monitoredBody = new ReadableStream({
+				async pull(controller) {
+					const result = await reader.read();
+					if (result.done) {
+						if (contentLength != null && bytesRead !== contentLength) {
+							controller.error(new RequestBodyLengthMismatchError(contentLength, bytesRead));
+							return;
+						}
+						controller.close();
+						return;
+					}
+					const value = result.value;
+					bytesRead += chunkByteLength(value);
+					if (bytesRead > maxSize) {
+						await reader.cancel();
+						controller.error(new RequestBodyTooLargeError(maxSize, bytesRead));
+						return;
+					}
+					controller.enqueue(value);
+				},
+				cancel(reason) {
+					return reader.cancel(reason);
+				}
+			});
+			ctx.request = ctx.request.withBody(ctx.request.body.withStream(monitoredBody));
+			try {
+				return forward(await next());
+			} catch (err) {
+				if (err instanceof RequestBodyTooLargeError) return respond(text("Payload Too Large", { status: HttpStatus.PAYLOAD_TOO_LARGE }));
+				if (err instanceof RequestBodyLengthMismatchError) return respond(text("Bad Request", { status: HttpStatus.BAD_REQUEST }));
+				throw err;
+			}
+		}
+	});
+}
+//#endregion
+//#region src/router/middleware/start-time-ctx.ts
+const startTimeCtx = () => (ctx) => {
+	ctx.startTime = Date.now();
+};
+//#endregion
+//#region src/router/middleware/accept-ctx.ts
+/**
+* Attach parsed Accept header values to the request context.
+*
+* @returns Middleware that adds `accept` to the request context.
+*/
+const acceptCtx = () => (ctx) => {
+	ctx.accept = parseAcceptHeader(ctx.request.headers.get("accept") ?? "*/*");
+};
+//#endregion
+//#region src/router/lib/host.ts
+function isLocalhost(hostname) {
+	const lower = hostname.toLowerCase();
+	return lower === "localhost" || lower === "127.0.0.1" || lower === "::1" || lower === "0.0.0.0";
+}
+//#endregion
+//#region src/router/middleware/cors.ts
+const headerOrigin = CommonHeaders.ORIGIN;
+const headerVary = CommonHeaders.VARY;
+const headerAccessControlRequestMethod = CommonHeaders.ACCESS_CONTROL_REQUEST_METHOD;
+const headerAccessControlRequestHeaders = CommonHeaders.ACCESS_CONTROL_REQUEST_HEADERS;
+const headerAllowOrigin = CommonHeaders.ACCESS_CONTROL_ALLOW_ORIGIN;
+const headerAllowMethods = CommonHeaders.ACCESS_CONTROL_ALLOW_METHODS;
+const headerAllowHeaders = CommonHeaders.ACCESS_CONTROL_ALLOW_HEADERS;
+const headerAllowCredentials = CommonHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS;
+const headerExposeHeaders = CommonHeaders.ACCESS_CONTROL_EXPOSE_HEADERS;
+const headerMaxAge = CommonHeaders.ACCESS_CONTROL_MAX_AGE;
+const defaultAllowedMethods = [
+	HttpMethod.GET,
+	HttpMethod.HEAD,
+	HttpMethod.PUT,
+	HttpMethod.POST,
+	HttpMethod.DELETE,
+	HttpMethod.PATCH
+];
+function normalizeHeaderValue(value) {
+	if (!value) return null;
+	const trimmed = value.trim();
+	return trimmed ? trimmed : null;
+}
+function normalizeOriginHeader(value) {
+	return normalizeHeaderValue(value);
+}
+function parseOrigin(originHeader) {
+	if (!originHeader || originHeader === "null") return null;
+	try {
+		return new URL(originHeader);
+	} catch {
+		return null;
+	}
+}
+function normalizeList(value) {
+	if (!value) return [];
+	return (Array.isArray(value) ? value : [value]).map((entry) => entry.trim()).filter(Boolean);
+}
+function normalizeMethods(value) {
+	return normalizeList(value).map((entry) => entry.toUpperCase());
+}
+function formatHeaderList(value) {
+	const list = normalizeList(value);
+	if (!list.length) return null;
+	return list.join(", ");
+}
+function formatMethodList(value) {
+	const list = normalizeMethods(value);
+	if (!list.length) return null;
+	return list.join(", ");
+}
+function normalizeAllowedOrigins(value) {
+	if (!value) return [];
+	const list = Array.isArray(value) ? value : [value];
+	const normalized = [];
+	for (const entry of list) {
+		if (entry instanceof RegExp) {
+			normalized.push({
+				kind: "regex",
+				value: entry
+			});
+			continue;
+		}
+		if (entry instanceof URL) {
+			normalized.push({
+				kind: "origin",
+				value: entry.origin
+			});
+			continue;
+		}
+		const trimmed = entry.trim();
+		if (!trimmed) continue;
+		if (trimmed === "null") {
+			normalized.push({ kind: "null" });
+			continue;
+		}
+		if (trimmed.includes("://")) try {
+			normalized.push({
+				kind: "origin",
+				value: new URL(trimmed).origin
+			});
+		} catch {
+			continue;
+		}
+		else normalized.push({
+			kind: "host",
+			value: trimmed.replace(/\/+$/, "")
+		});
+	}
+	return normalized;
+}
+function hasWildcardOrigin(value) {
+	if (!value) return false;
+	if (!Array.isArray(value)) return typeof value === "string" && value.trim() === "*";
+	return value.some((entry) => typeof entry === "string" && entry.trim() === "*");
+}
+function isOriginAllowed(originHeader, originUrl, allowlist, allowLocalhost) {
+	if (!originHeader) return false;
+	if (originHeader === "null") return allowlist.some((entry) => entry.kind === "null");
+	if (originUrl && allowLocalhost && isLocalhost(originUrl.hostname)) return true;
+	for (const entry of allowlist) {
+		if (entry.kind === "regex") {
+			if (entry.value.test(originHeader)) return true;
+			continue;
+		}
+		if (!originUrl) continue;
+		if (entry.kind === "origin") {
+			if (originUrl.origin === entry.value) return true;
+			continue;
+		}
+		if (entry.kind === "host") {
+			if (entry.value.includes(":")) {
+				if (originUrl.host === entry.value) return true;
+			} else if (originUrl.hostname === entry.value) return true;
+		}
+	}
+	return false;
+}
+function addVaryHeader(headers, value) {
+	const current = headers.get(headerVary);
+	if (!current) {
+		headers.set(headerVary, value);
+		return;
+	}
+	if (current.split(",").map((entry) => entry.trim().toLowerCase()).includes(value.toLowerCase())) return;
+	headers.set(headerVary, `${current}, ${value}`);
+}
+function applyCorsHeaders(headers, allowOrigin, allowCredentials, exposeHeaders, varyOrigin) {
+	headers.set(headerAllowOrigin, allowOrigin);
+	if (allowCredentials) headers.set(headerAllowCredentials, "true");
+	const expose = formatHeaderList(exposeHeaders);
+	if (expose) headers.set(headerExposeHeaders, expose);
+	if (varyOrigin) addVaryHeader(headers, "Origin");
+}
+function isAsyncGenerator(value) {
+	return !!value && typeof value[Symbol.asyncIterator] === "function";
+}
+function wrapGeneratorWithCors(generator, allowOrigin, allowCredentials, exposeHeaders, varyOrigin) {
+	const apply = (headers) => {
+		applyCorsHeaders(headers, allowOrigin, allowCredentials, exposeHeaders, varyOrigin);
+	};
+	async function* wrapped() {
+		let headersInjected = false;
+		while (true) {
+			const next = await generator.next();
+			if (next.done) {
+				if (!headersInjected) {
+					const headers$1 = new Headers();
+					apply(headers$1);
+					yield headers(headers$1);
+				}
+				return next.value;
+			}
+			const value = next.value;
+			if (isHeadersDirective(value)) {
+				const headers$2 = new Headers(value.headers);
+				apply(headers$2);
+				headersInjected = true;
+				yield headers(headers$2);
+				continue;
+			}
+			if (isHeadDirective(value)) {
+				const headers = new Headers(value.headers);
+				apply(headers);
+				headersInjected = true;
+				yield {
+					...value,
+					headers
+				};
+				continue;
+			}
+			if (isStreamDirective(value)) {
+				const headers = new Headers(value.headers);
+				apply(headers);
+				headersInjected = true;
+				yield {
+					...value,
+					headers
+				};
+				continue;
+			}
+			if (!headersInjected && isChunkDirective(value)) {
+				const headers$3 = new Headers();
+				apply(headers$3);
+				headersInjected = true;
+				yield headers(headers$3);
+			}
+			yield value;
+		}
+	}
+	return wrapped();
+}
+/**
+* Attach CORS response headers and handle OPTIONS preflight requests.
+*
+* @example
+* ```ts
+* router.use(cors({origin: '*'}))
+* router.use(cors({origin: ['https://app.example.com'], credentials: true}))
+* router.use(cors({origin: 'https://app.example.com', dev: true}))
+* ```
+*
+* @param options - Configuration for origin, preflight, and header behavior.
+* @returns Middleware that applies CORS headers to matching requests.
+*/
+function cors(options) {
+	const allowCredentials = options.credentials ?? false;
+	const allowLocalhost = options.allowLocalhost ?? options.dev ?? false;
+	const originOption = options.origin;
+	const originResolver = typeof originOption === "function" ? originOption : void 0;
+	const originList = originResolver ? void 0 : originOption;
+	const allowlist = originList ? normalizeAllowedOrigins(originList) : [];
+	const hasWildcard = originList ? hasWildcardOrigin(originList) : false;
+	const preflightStatus = options.preflightStatus ?? HttpStatus.NO_CONTENT;
+	return defineMiddleware({
+		responses: { [preflightStatus]: {
+			schema: { type: "null" },
+			parse(value) {
+				if (value !== void 0) throw new TypeError("CORS preflight responses must not contain a body.");
+			}
+		} },
+		schemaAppliesTo: ({ method }) => Array.isArray(method) ? method.includes(HttpMethod.OPTIONS) : method === HttpMethod.OPTIONS,
+		async run(ctx, { next, forward, respond }) {
+			const originHeader = normalizeOriginHeader(ctx.request.headers.get(headerOrigin));
+			const originUrl = parseOrigin(originHeader);
+			let allowOrigin = null;
+			let varyOrigin = false;
+			if (originResolver) {
+				const resolved = await originResolver(originHeader, ctx);
+				if (resolved) {
+					const normalized = String(resolved).trim();
+					if (normalized === "*") {
+						if (allowCredentials && originHeader) {
+							allowOrigin = originUrl?.origin ?? originHeader;
+							varyOrigin = true;
+						} else if (!allowCredentials) allowOrigin = "*";
+					} else if (normalized) {
+						allowOrigin = normalized;
+						varyOrigin = Boolean(originHeader);
+					}
+				}
+			} else if (hasWildcard) {
+				if (allowCredentials && originHeader) {
+					allowOrigin = originUrl?.origin ?? originHeader;
+					varyOrigin = true;
+				} else if (!allowCredentials) allowOrigin = "*";
+			} else if (originHeader && isOriginAllowed(originHeader, originUrl, allowlist, allowLocalhost)) {
+				allowOrigin = originUrl?.origin ?? originHeader;
+				varyOrigin = true;
+			}
+			if (ctx.request.method.toUpperCase() === "OPTIONS" && ctx.request.headers.has(headerAccessControlRequestMethod)) {
+				if (!allowOrigin) return respond(empty(preflightStatus));
+				const headers = new Headers();
+				applyCorsHeaders(headers, allowOrigin, allowCredentials, void 0, varyOrigin);
+				const allowMethodsValue = formatMethodList(typeof options.allowMethods === "function" ? await options.allowMethods(originHeader, ctx) : options.allowMethods ?? defaultAllowedMethods);
+				if (allowMethodsValue) headers.set(headerAllowMethods, allowMethodsValue);
+				const requestHeaders = normalizeHeaderValue(ctx.request.headers.get(headerAccessControlRequestHeaders));
+				const allowHeadersValue = formatHeaderList(options.allowHeaders ?? requestHeaders ?? void 0);
+				if (allowHeadersValue) headers.set(headerAllowHeaders, allowHeadersValue);
+				if (options.maxAge != null) headers.set(headerMaxAge, String(options.maxAge));
+				return respond(empty(preflightStatus, { headers }));
+			}
+			const result = await next();
+			if (!allowOrigin) return forward(result);
+			if (result instanceof Response) {
+				applyCorsHeaders(result.headers, allowOrigin, allowCredentials, options.exposeHeaders, varyOrigin);
+				return forward(result);
+			}
+			if (isRoutekitResponse(result)) {
+				applyCorsHeaders(result.headers, allowOrigin, allowCredentials, options.exposeHeaders, varyOrigin);
+				return forward(result);
+			}
+			if (isAsyncGenerator(result)) return forward(wrapGeneratorWithCors(result, allowOrigin, allowCredentials, options.exposeHeaders, varyOrigin));
+			if (result != null && isResponseBodyInit(result)) {
+				const headers = new Headers();
+				applyCorsHeaders(headers, allowOrigin, allowCredentials, options.exposeHeaders, varyOrigin);
+				return forward(new Response(result, { headers }));
+			}
+			const headers = new Headers();
+			applyCorsHeaders(headers, allowOrigin, allowCredentials, options.exposeHeaders, varyOrigin);
+			return forward(response(result, { headers }));
+		}
+	});
+}
+//#endregion
+//#region src/router/middleware/rate-limit.ts
+const DEFAULT_MAX_ENTRIES = 1e5;
+const ASN_OVERRIDES = {
+	16509: "cloud",
+	14618: "cloud",
+	15169: "cloud",
+	8075: "cloud",
+	31898: "cloud",
+	45102: "cloud",
+	132203: "cloud",
+	36351: "cloud",
+	13335: "cdn",
+	54113: "cdn",
+	20940: "cdn",
+	14061: "cloud",
+	20473: "cloud",
+	63949: "cloud",
+	24940: "hosting",
+	16276: "hosting",
+	12876: "hosting",
+	8560: "hosting",
+	47583: "hosting",
+	22612: "hosting"
+};
+const KEYWORDS = {
+	cdn: [
+		"cloudflare",
+		"fastly",
+		"akamai",
+		"cdn"
+	],
+	cloud: [
+		"amazon",
+		"aws",
+		"google",
+		"gcp",
+		"microsoft",
+		"azure",
+		"oracle",
+		"alibaba",
+		"tencent",
+		"digitalocean",
+		"vultr",
+		"linode",
+		"ibm"
+	],
+	hosting: [
+		"hosting",
+		"host",
+		"colo",
+		"datacenter",
+		"data center",
+		"ovh",
+		"scaleway",
+		"ionos",
+		"hostinger",
+		"namecheap"
+	],
+	mobile: [
+		"mobile",
+		"wireless",
+		"cellular",
+		"lte",
+		"5g"
+	],
+	residential: [
+		"telecom",
+		"broadband",
+		"cable",
+		"fiber"
+	],
+	unknown: []
+};
+var InMemoryRateLimitStorage = class {
+	maxEntries;
+	store = /* @__PURE__ */ new Map();
+	constructor(maxEntries) {
+		this.maxEntries = maxEntries;
+	}
+	async readCounter(_ctx, key) {
+		const entry = this.store.get(key);
+		if (!entry) return null;
+		if (entry.expiresAtMs <= Date.now()) {
+			this.store.delete(key);
+			return null;
+		}
+		this.store.delete(key);
+		this.store.set(key, entry);
+		return entry.counter;
+	}
+	async writeCounter(_ctx, key, counter, ttlMs) {
+		const expiresAtMs = Date.now() + ttlMs;
+		if (this.store.has(key)) this.store.delete(key);
+		this.store.set(key, {
+			counter,
+			expiresAtMs
+		});
+		this.evictIfNeeded();
+	}
+	evictIfNeeded() {
+		while (this.store.size > this.maxEntries) {
+			const firstKey = this.store.keys().next().value;
+			if (!firstKey) return;
+			this.store.delete(firstKey);
+		}
+	}
+};
+function defaultGetIpAddress(ctx) {
+	const forwardedFor = ctx.request.headers.get("x-forwarded-for");
+	if (forwardedFor) {
+		const first = forwardedFor.split(",")[0]?.trim();
+		if (first) return Promise.resolve(cleanIpAddress(first));
+	}
+	const realIp = ctx.request.headers.get("x-real-ip");
+	if (realIp) return Promise.resolve(cleanIpAddress(realIp.trim()));
+	return Promise.resolve("unknown");
+}
+function cleanIpAddress(ip) {
+	let value = ip.trim();
+	if (!value) return "unknown";
+	if (value.startsWith("[")) {
+		const closing = value.indexOf("]");
+		if (closing !== -1) value = value.slice(1, closing);
+	}
+	const zoneIndex = value.indexOf("%");
+	if (zoneIndex !== -1) value = value.slice(0, zoneIndex);
+	if (value.includes(".")) {
+		const lastSegment = value.split(":").pop()?.trim();
+		if (lastSegment && parseIpv4Address(lastSegment)) return lastSegment;
+		if (value.split(":").length === 2) {
+			const segment = value.split(":")[0];
+			if (!segment) return "unknown";
+			value = segment;
+		}
+	}
+	if (parseIpv4Address(value) || parseIpv6Hextets(value)) return value;
+	return "unknown";
+}
+function normalizeQueryString(url) {
+	const entries = Array.from(url.searchParams.entries());
+	entries.sort((a, b) => {
+		const keyCompare = a[0].localeCompare(b[0]);
+		if (keyCompare !== 0) return keyCompare;
+		return a[1].localeCompare(b[1]);
+	});
+	const normalized = new URLSearchParams();
+	for (const [key, value] of entries) normalized.append(key, value);
+	return normalized.toString();
+}
+function getBucketMax(baseMax, baseWindowMs, bucket) {
+	return Math.floor(baseMax * (bucket.windowMs / baseWindowMs) * bucket.scale);
+}
+function getBucketResetAt(nowMs, windowMs) {
+	return Math.floor(nowMs / windowMs) * windowMs + windowMs;
+}
+async function applyFixedWindowLimit(ctx, storage, key, windowMs, max, nowMs, retentionMs) {
+	const stored = await storage.readCounter(ctx, key);
+	const resetAtMs = getBucketResetAt(nowMs, windowMs);
+	const counter = stored && stored.resetAtMs > nowMs ? stored : {
+		resetAtMs,
+		count: 0
+	};
+	const nextCount = counter.count + 1;
+	const updated = {
+		resetAtMs: counter.resetAtMs,
+		count: nextCount
+	};
+	const ttlEffective = Math.max(1, counter.resetAtMs - nowMs + 1e3) + Math.max(0, retentionMs);
+	await storage.writeCounter(ctx, key, updated, ttlEffective);
+	return {
+		allowed: nextCount <= max,
+		resetAtMs: counter.resetAtMs
+	};
+}
+function toURLPattern(pattern) {
+	const URLPatternCtor = ensureURLPattern();
+	if (pattern instanceof URLPatternCtor) return pattern;
+	if (Array.isArray(pattern)) return new URLPatternCtor(...pattern);
+	if (typeof pattern === "string") {
+		if (pattern.startsWith("http://") || pattern.startsWith("https://")) return new URLPatternCtor(pattern);
+		return new URLPatternCtor({ pathname: pattern });
+	}
+	return new URLPatternCtor(pattern);
+}
+function resolveEndpointLimit(method, url, matchers) {
+	const normalizedMethod = method.toUpperCase();
+	let minLimit = null;
+	for (const matcher of matchers) {
+		if (!matcher.pattern.test(url)) continue;
+		const limit = matcher.limit;
+		const methodLimit = typeof limit === "number" ? limit : limit[normalizedMethod];
+		if (methodLimit == null) continue;
+		minLimit = minLimit == null ? methodLimit : Math.min(minLimit, methodLimit);
+	}
+	return minLimit;
+}
+function parseIpv4Address(ip) {
+	const parts = ip.split(".");
+	if (parts.length !== 4) return null;
+	const bytes = [];
+	for (const part of parts) {
+		if (!part) return null;
+		const value = Number(part);
+		if (!Number.isInteger(value) || value < 0 || value > 255) return null;
+		bytes.push(value);
+	}
+	return bytes;
+}
+function parseIpv6Hextets(ip) {
+	let value = ip.toLowerCase();
+	const zoneIndex = value.indexOf("%");
+	if (zoneIndex !== -1) value = value.slice(0, zoneIndex);
+	const halves = value.split("::");
+	if (halves.length > 2) return null;
+	const left = halves[0] ? halves[0].split(":") : [];
+	const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
+	const leftParsed = parseIpv6Segments(left);
+	if (!leftParsed) return null;
+	const rightParsed = parseIpv6Segments(right);
+	if (!rightParsed) return null;
+	if (halves.length === 1) {
+		if (leftParsed.length !== 8) return null;
+		return leftParsed;
+	}
+	const missing = 8 - (leftParsed.length + rightParsed.length);
+	if (missing < 0) return null;
+	return [
+		...leftParsed,
+		...new Array(missing).fill(0),
+		...rightParsed
+	];
+}
+function parseIpv6Segments(parts) {
+	const hextets = [];
+	for (let index = 0; index < parts.length; index += 1) {
+		const part = parts[index];
+		if (!part) return null;
+		if (part.includes(".")) {
+			if (index !== parts.length - 1) return null;
+			const bytes = parseIpv4Address(part);
+			if (!bytes) return null;
+			if (bytes.length !== 4) return null;
+			const [b0, b1, b2, b3] = bytes;
+			if (b0 == null || b1 == null || b2 == null || b3 == null) return null;
+			hextets.push(b0 << 8 | b1, b2 << 8 | b3);
+			continue;
+		}
+		const value = Number.parseInt(part, 16);
+		if (!Number.isFinite(value) || value < 0 || value > 65535) return null;
+		hextets.push(value);
+	}
+	return hextets;
+}
+function deriveSubnet(ipAddress, ipv4Prefix = 24, ipv6Prefix = 64) {
+	const ipv4 = parseIpv4Address(ipAddress);
+	if (ipv4) {
+		if (ipv4.length !== 4) return {
+			key: "subnet:unknown",
+			version: "unknown"
+		};
+		const [o1, o2, o3] = ipv4;
+		if (o1 == null || o2 == null || o3 == null) return {
+			key: "subnet:unknown",
+			version: "unknown"
+		};
+		if (!Number.isInteger(ipv4Prefix) || ipv4Prefix < 0 || ipv4Prefix > 32) return {
+			key: "subnet:unknown",
+			version: "unknown"
+		};
+		if (ipv4Prefix !== 24) {
+			const network = (o1 << 24 | o2 << 16 | o3 << 8 | (ipv4[3] ?? 0)) >>> 0 & (ipv4Prefix === 0 ? 0 : 4294967295 << 32 - ipv4Prefix >>> 0);
+			return {
+				key: `subnet:ip4:${network >>> 24 & 255}.${network >>> 16 & 255}.${network >>> 8 & 255}.${network & 255}/${ipv4Prefix}`,
+				version: "ipv4"
+			};
+		}
+		return {
+			key: `subnet:ip24:${o1}.${o2}.${o3}.0/24`,
+			version: "ipv4"
+		};
+	}
+	const ipv6 = parseIpv6Hextets(ipAddress);
+	if (ipv6 && ipv6.length === 8) {
+		const h1 = ipv6[0];
+		const h2 = ipv6[1];
+		const h3 = ipv6[2];
+		const h4 = ipv6[3];
+		if (!Number.isInteger(ipv6Prefix) || ipv6Prefix < 0 || ipv6Prefix > 128) return {
+			key: "subnet:unknown",
+			version: "unknown"
+		};
+		if (ipv6Prefix !== 64) return {
+			key: `subnet:ip6:${maskIpv6(ipv6, ipv6Prefix).map((value) => value.toString(16)).join(":")}/${ipv6Prefix}`,
+			version: "ipv6"
+		};
+		return {
+			key: `subnet:ip64:${h1.toString(16)}:${h2.toString(16)}:${h3.toString(16)}:${h4.toString(16)}::/64`,
+			version: "ipv6"
+		};
+	}
+	return {
+		key: "subnet:unknown",
+		version: "unknown"
+	};
+}
+function maskIpv6(hextets, prefix) {
+	const masked = [];
+	let remaining = prefix;
+	for (const hextet of hextets) {
+		if (remaining >= 16) {
+			masked.push(hextet);
+			remaining -= 16;
+			continue;
+		}
+		if (remaining <= 0) {
+			masked.push(0);
+			continue;
+		}
+		const mask = (65535 << 16 - remaining & 65535) >>> 0;
+		masked.push(hextet & mask);
+		remaining = 0;
+	}
+	return masked;
+}
+function defaultAsnToClass(asn, organization) {
+	const override = ASN_OVERRIDES[asn];
+	if (override) return override;
+	const normalizedOrg = organization.toLowerCase();
+	const entries = Object.entries(KEYWORDS);
+	for (const [asnClass, keywords] of entries) {
+		if (asnClass === "unknown") continue;
+		if (keywords.some((keyword) => normalizedOrg.includes(keyword))) return asnClass;
+	}
+	return "unknown";
+}
+function normalizeAsnClass(asnClass) {
+	if (!asnClass) return "unknown";
+	return asnClass;
+}
+function normalizeCountryCode(code) {
+	if (!code) return null;
+	const trimmed = code.trim();
+	if (!trimmed) return null;
+	return trimmed.toUpperCase();
+}
+async function loadMaxmindModule() {
+	try {
+		return await import("maxmind");
+	} catch (err) {
+		throw new Error("maxmind is required for ASN or country lookups; install it as a peer dependency", { cause: err });
+	}
+}
+function createGeoResolvers(options) {
+	let maxmindModulePromise = null;
+	let asnReaderPromise = null;
+	let countryReaderPromise = null;
+	const loadMaxmind = () => {
+		if (!maxmindModulePromise) maxmindModulePromise = loadMaxmindModule();
+		return maxmindModulePromise;
+	};
+	const loadAsnReader = async () => {
+		if (!options.maxmindAsnDatabase) return null;
+		if (!asnReaderPromise) asnReaderPromise = loadMaxmind().then((module) => module.open(options.maxmindAsnDatabase));
+		return asnReaderPromise;
+	};
+	const loadCountryReader = async () => {
+		if (!options.maxmindCountryDatabase) return null;
+		if (!countryReaderPromise) countryReaderPromise = loadMaxmind().then((module) => module.open(options.maxmindCountryDatabase));
+		return countryReaderPromise;
+	};
+	return {
+		getAsn: options.getAsn ?? (async (_ctx, input) => {
+			const reader = await loadAsnReader();
+			if (!reader) return null;
+			const record = reader.get(input.ipAddress);
+			const asn = record?.autonomous_system_number ?? record?.autonomousSystemNumber;
+			const organization = record?.autonomous_system_organization ?? record?.autonomousSystemOrganization ?? record?.organization;
+			if (typeof asn !== "number" || !organization) return null;
+			return {
+				asn,
+				organization: String(organization)
+			};
+		}),
+		getCountry: options.getCountryCode ?? (async (_ctx, input) => {
+			const reader = await loadCountryReader();
+			if (!reader) return null;
+			const record = reader.get(input.ipAddress);
+			const code = record?.country?.iso_code ?? record?.country?.isoCode ?? record?.registered_country?.iso_code ?? record?.registeredCountry?.isoCode ?? record?.represented_country?.iso_code ?? record?.representedCountry?.isoCode;
+			return normalizeCountryCode(typeof code === "string" ? code : null);
+		})
+	};
+}
+function formatRetryAfterSeconds(resetAtMs, nowMs) {
+	const seconds = Math.max(1, Math.ceil((resetAtMs - nowMs) / 1e3));
+	return String(seconds);
+}
+function buildTooManyRequests(addRetryAfterHeader, resetAtMs, nowMs) {
+	const response = text("Too Many Requests", { status: HttpStatus.TOO_MANY_REQUESTS });
+	if (addRetryAfterHeader) response.headers.set("Retry-After", formatRetryAfterSeconds(resetAtMs, nowMs));
+	return response;
+}
+/**
+* Enforce per-identity, subnet, ASN, country, and endpoint rate limits using fixed-window buckets.
+*
+* @example
+* ```ts
+* router.use(rateLimit({
+*   getUserId: async ({user}) => user?.id,
+*   getGlobalPeakConcurrentUsers: async () => 5000,
+*   baseWindowMs: 60_000,
+*   baseMaxRequestsPerBaseWindow: 120,
+*   anonymousIpMultiplier: 0.5,
+*   addRetryAfterHeader: true,
+*   buckets: [{windowMs: 60_000, scale: 1}],
+*   endpointLimits: [{pattern: '/login', limit: {POST: 10}}],
+*   includeQueryInEndpointKey: false,
+*   scales: {subnet: {ipv4: 2, ipv6: 1}},
+* }))
+* ```
+*
+* @param options - Configuration for identity sources, buckets, scaling, and storage.
+* @returns Middleware that enforces rate limits and returns 429 responses when exceeded.
+*/
+function rateLimit(options) {
+	if (!options.buckets.length) throw new Error("rateLimit requires at least one bucket");
+	const storage = options.storage ?? new InMemoryRateLimitStorage(options.inMemory?.maxEntries ?? DEFAULT_MAX_ENTRIES);
+	const getIpAddress = options.getIpAddress ?? defaultGetIpAddress;
+	const normalizeQuery = options.normalizeQuery ?? normalizeQueryString;
+	const endpointMatchers = options.endpointLimits.map((limit) => ({
+		pattern: toURLPattern(limit.pattern),
+		limit: limit.limit
+	}));
+	const asnToClass = options.asnToClass ?? defaultAsnToClass;
+	const geoResolvers = createGeoResolvers(options);
+	const asnLimitEnabled = Boolean(options.scales.asnClass && (options.getAsn || options.maxmindAsnDatabase));
+	const countryLimitEnabled = Boolean(options.scales.country && (options.getCountryCode || options.maxmindCountryDatabase));
+	const subnetAsnClassEnabled = Boolean(options.scales.subnet.byAsnClass && (options.getAsn || options.maxmindAsnDatabase));
+	const retentionMs = options.storage ? 0 : options.inMemory?.ttlMs ?? 1e3;
+	return defineMiddleware({
+		responses: { [HttpStatus.TOO_MANY_REQUESTS]: {
+			schema: { type: "string" },
+			parse(value) {
+				if (typeof value !== "string") throw new TypeError("Rate limit responses must contain a string body.");
+				return value;
+			}
+		} },
+		async run(ctx, { next, forward, respond }) {
+			const reject = (addRetryAfterHeader, resetAtMs, nowMs) => respond(buildTooManyRequests(addRetryAfterHeader, resetAtMs, nowMs));
+			const nowMs = ctx.startTime ?? Date.now();
+			const url = ctx.request.url;
+			const method = ctx.request.method.toUpperCase();
+			const userId = await options.getUserId(ctx);
+			const ipAddress = cleanIpAddress(await getIpAddress(ctx));
+			const identityKey = userId ? `identity:user:${userId}` : `identity:ip:${ipAddress}`;
+			const identityMultiplier = userId ? 1 : options.anonymousIpMultiplier;
+			const subnet = deriveSubnet(ipAddress, options.scales.subnet.ipv4Prefix ?? 24, options.scales.subnet.ipv6Prefix ?? 64);
+			const subnetScaleBase = subnet.version === "ipv6" ? options.scales.subnet.ipv6 : subnet.version === "ipv4" ? options.scales.subnet.ipv4 : Math.min(options.scales.subnet.ipv4, options.scales.subnet.ipv6);
+			let asnRecord = null;
+			let asnClass = "unknown";
+			if (asnLimitEnabled || subnetAsnClassEnabled) {
+				asnRecord = await geoResolvers.getAsn(ctx, {
+					userId,
+					ipAddress
+				});
+				asnClass = normalizeAsnClass(asnRecord ? asnToClass(asnRecord.asn, asnRecord.organization) : "unknown");
+			}
+			const subnetMultiplier = subnetScaleBase * (options.scales.subnet.byAsnClass?.[asnClass] ?? 1);
+			let countryCode = null;
+			if (countryLimitEnabled) countryCode = normalizeCountryCode(await geoResolvers.getCountry(ctx, {
+				userId,
+				ipAddress
+			}));
+			const endpointBaseLimit = endpointMatchers.length ? resolveEndpointLimit(method, url, endpointMatchers) : null;
+			const endpointKeyBase = buildEndpointKeyBase(url, method, options.includeQueryInEndpointKey, normalizeQuery);
+			const endpointIdentityKey = endpointKeyBase ? `endpoint:${endpointKeyBase}:${identityKey}` : null;
+			const endpointSubnetKey = endpointKeyBase ? `endpoint:${endpointKeyBase}:${subnet.key}` : null;
+			const globalPeak = asnLimitEnabled || countryLimitEnabled ? await options.getGlobalPeakConcurrentUsers(ctx) : 1;
+			for (const bucket of options.buckets) {
+				const bucketMax = getBucketMax(options.baseMaxRequestsPerBaseWindow, options.baseWindowMs, bucket);
+				const bucketSuffix = `:w${bucket.windowMs}`;
+				const identityMax = Math.floor(bucketMax * identityMultiplier);
+				const identityResult = await applyFixedWindowLimit(ctx, storage, `${identityKey}${bucketSuffix}`, bucket.windowMs, identityMax, nowMs, retentionMs);
+				if (!identityResult.allowed) return reject(options.addRetryAfterHeader, identityResult.resetAtMs, nowMs);
+				const subnetMax = Math.floor(bucketMax * subnetMultiplier);
+				const subnetResult = await applyFixedWindowLimit(ctx, storage, `${subnet.key}${bucketSuffix}`, bucket.windowMs, subnetMax, nowMs, retentionMs);
+				if (!subnetResult.allowed) return reject(options.addRetryAfterHeader, subnetResult.resetAtMs, nowMs);
+				if (asnLimitEnabled && options.scales.asnClass) {
+					const asnScale = options.scales.asnClass[asnClass] ?? options.scales.asnClass.unknown;
+					const asnMax = Math.floor(bucketMax * asnScale * globalPeak);
+					const asnResult = await applyFixedWindowLimit(ctx, storage, `${asnRecord ? `asn:${asnRecord.asn}` : "asn:unknown"}${bucketSuffix}`, bucket.windowMs, asnMax, nowMs, retentionMs);
+					if (!asnResult.allowed) return reject(options.addRetryAfterHeader, asnResult.resetAtMs, nowMs);
+				}
+				if (countryLimitEnabled && options.scales.country) {
+					const countryScale = countryCode ? options.scales.country[countryCode] ?? options.scales.country.other : options.scales.country.unknown;
+					const countryMax = Math.floor(bucketMax * countryScale * globalPeak);
+					const countryResult = await applyFixedWindowLimit(ctx, storage, `${countryCode ? `country:${countryCode}` : "country:unknown"}${bucketSuffix}`, bucket.windowMs, countryMax, nowMs, retentionMs);
+					if (!countryResult.allowed) return reject(options.addRetryAfterHeader, countryResult.resetAtMs, nowMs);
+				}
+				if (endpointBaseLimit != null && endpointKeyBase && endpointIdentityKey && endpointSubnetKey) {
+					const endpointBucketMax = getBucketMax(endpointBaseLimit, options.baseWindowMs, bucket);
+					const endpointIdentityMax = Math.floor(endpointBucketMax * identityMultiplier);
+					const endpointSubnetMax = Math.floor(endpointBucketMax * subnetMultiplier);
+					const endpointIdentityResult = await applyFixedWindowLimit(ctx, storage, `${endpointIdentityKey}${bucketSuffix}`, bucket.windowMs, endpointIdentityMax, nowMs, retentionMs);
+					if (!endpointIdentityResult.allowed) return reject(options.addRetryAfterHeader, endpointIdentityResult.resetAtMs, nowMs);
+					const endpointSubnetResult = await applyFixedWindowLimit(ctx, storage, `${endpointSubnetKey}${bucketSuffix}`, bucket.windowMs, endpointSubnetMax, nowMs, retentionMs);
+					if (!endpointSubnetResult.allowed) return reject(options.addRetryAfterHeader, endpointSubnetResult.resetAtMs, nowMs);
+				}
+			}
+			return forward(await next());
+		}
+	});
+}
+function buildEndpointKeyBase(url, method, includeQuery, normalizeQuery) {
+	const pathname = url.pathname;
+	const normalizedMethod = method.toUpperCase();
+	if (!includeQuery) return `route:${normalizedMethod}:${pathname}`;
+	const query = normalizeQuery(url);
+	if (!query) return `routeq:${normalizedMethod}:${pathname}`;
+	return `routeq:${normalizedMethod}:${pathname}?${query}`;
+}
+function ensureURLPattern() {
+	if (typeof URLPattern === "undefined") throw new Error("URLPattern is not available in this runtime");
+	return URLPattern;
+}
+//#endregion
+export { acceptCtx, bodyLimit, cors, defineMiddleware, formatRoutekitTerminalLogRecord, rateLimit, requestIdCtx, requestLogger, startTimeCtx, transformRoutekitJsonLogRecord };