@q32/core 0.1.5 → 0.1.7

package/src/oauth.ts

@@ -0,0 +1,44 @@
+export type OAuthMetadataOptions = {
+  issuer: string;
+  authorizationPath?: string;
+  tokenPath?: string;
+  registrationPath?: string;
+  revocationPath?: string;
+  scopes?: string[];
+  resourceDocumentation?: string;
+};
+
+export function oauthAuthorizationServerMetadata(options: OAuthMetadataOptions): Record<string, unknown> {
+  const issuer = options.issuer.replace(/\/$/, "");
+  return {
+    issuer,
+    authorization_endpoint: `${issuer}${options.authorizationPath ?? "/authorize"}`,
+    token_endpoint: `${issuer}${options.tokenPath ?? "/token"}`,
+    registration_endpoint: `${issuer}${options.registrationPath ?? "/register"}`,
+    revocation_endpoint: `${issuer}${options.revocationPath ?? "/revoke"}`,
+    response_types_supported: ["code"],
+    grant_types_supported: ["authorization_code", "refresh_token"],
+    token_endpoint_auth_methods_supported: ["client_secret_post", "none"],
+    code_challenge_methods_supported: ["S256"],
+    scopes_supported: options.scopes ?? ["mcp:read", "mcp:write"],
+    resource_documentation: options.resourceDocumentation ?? `${issuer}/mcp`,
+  };
+}
+
+export function oauthProtectedResourceMetadata(resource: string, authorizationServer: string, scopes?: string[]): Record<string, unknown> {
+  return {
+    resource,
+    authorization_servers: [authorizationServer.replace(/\/$/, "")],
+    scopes_supported: scopes ?? ["mcp:read", "mcp:write"],
+    bearer_methods_supported: ["header"],
+  };
+}
+
+export function mcpServerCard(options: { name: string; description?: string; url: string }): Record<string, unknown> {
+  return {
+    name: options.name,
+    description: options.description,
+    url: options.url,
+    transport: "http",
+  };
+}

package/src/ops-events.ts

@@ -0,0 +1,75 @@
+import type { D1DatabaseLike } from "./d1.js";
+import { stringifyJsonColumn } from "./d1.js";
+
+export type OpsSeverity = "debug" | "info" | "warn" | "error";
+
+export type OpsEventInput = {
+  eventType: string;
+  severity?: OpsSeverity;
+  source: string;
+  fingerprint?: string | null;
+  payload?: unknown;
+};
+
+export type OpsEventRow = {
+  id: number;
+  event_type: string;
+  severity: OpsSeverity;
+  source: string;
+  fingerprint: string | null;
+  payload_json: string;
+  created_at: string;
+};
+
+export async function recordOpsEvent(db: D1DatabaseLike, input: OpsEventInput): Promise<void> {
+  await db
+    .prepare(
+      `INSERT INTO ops_events (event_type, severity, source, fingerprint, payload_json)
+       VALUES (?, ?, ?, ?, ?)`,
+    )
+    .bind(input.eventType, input.severity ?? "info", input.source, input.fingerprint ?? null, stringifyJsonColumn(input.payload ?? {}))
+    .run();
+}
+
+export async function listRecentOpsEvents(
+  db: D1DatabaseLike,
+  options: { limit?: number; eventType?: string | null } = {},
+): Promise<OpsEventRow[]> {
+  const limit = Math.max(1, Math.min(200, Math.floor(options.limit ?? 25)));
+  const eventType = options.eventType?.trim();
+  const statement = eventType
+    ? db
+        .prepare(
+          `SELECT id, event_type, severity, source, fingerprint, payload_json, created_at
+           FROM ops_events
+           WHERE event_type = ?
+           ORDER BY created_at DESC, id DESC
+           LIMIT ?`,
+        )
+        .bind(eventType, limit)
+    : db
+        .prepare(
+          `SELECT id, event_type, severity, source, fingerprint, payload_json, created_at
+           FROM ops_events
+           ORDER BY created_at DESC, id DESC
+           LIMIT ?`,
+        )
+        .bind(limit);
+  const rows = await statement.all<OpsEventRow>();
+  return rows.results ?? [];
+}
+
+export const D1_OPS_EVENTS_SCHEMA = `
+CREATE TABLE IF NOT EXISTS ops_events (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  event_type TEXT NOT NULL,
+  severity TEXT NOT NULL DEFAULT 'info',
+  source TEXT NOT NULL,
+  fingerprint TEXT,
+  payload_json TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS ops_events_created_at_idx ON ops_events(created_at DESC);
+CREATE INDEX IF NOT EXISTS ops_events_type_created_idx ON ops_events(event_type, created_at DESC);
+CREATE INDEX IF NOT EXISTS ops_events_severity_created_idx ON ops_events(severity, created_at DESC);
+`;

package/src/pg-kysely.ts

@@ -0,0 +1,198 @@
+import { Kysely } from "kysely";
+import { PostgresJSDialect } from "kysely-postgres-js";
+import postgres from "postgres";
+
+export type PgConnectionSource = "hyperdrive" | "url" | "fallback";
+export type PgSslMode = "auto" | "disable" | "require" | "verify-ca";
+
+export type HyperdriveLike = {
+  connectionString?: string;
+};
+
+export type PgEnvLike = Record<string, unknown> & {
+  HYPERDRIVE?: HyperdriveLike;
+  PG_URL?: string;
+  PG_CA_CERT?: string;
+};
+
+export type ResolvedPgConnection = {
+  connectionString: string;
+  source: PgConnectionSource;
+  closeConnection: boolean;
+  caCert?: string;
+};
+
+export type PgConnectionOptions = {
+  hyperdriveKey?: string;
+  urlKey?: string;
+  caCertKey?: string;
+  fallbackConnectionString?: string;
+  requireConnection?: boolean;
+  closeConnection?: boolean;
+};
+
+export type PgClientOptions = {
+  max?: number;
+  prepare?: boolean;
+  idleTimeoutSeconds?: number;
+  connectTimeoutSeconds?: number;
+  sslMode?: PgSslMode;
+};
+
+export type KyselyPgOptions = PgConnectionOptions &
+  PgClientOptions & {
+    onDestroyError?: (error: unknown) => void;
+  };
+
+type PostgresOptions = NonNullable<Parameters<typeof postgres>[1]>;
+
+export function resolvePgConnection(
+  env: PgEnvLike,
+  options: PgConnectionOptions = {},
+): ResolvedPgConnection {
+  const hyperdriveKey = options.hyperdriveKey ?? "HYPERDRIVE";
+  const urlKey = options.urlKey ?? "PG_URL";
+  const caCertKey = options.caCertKey ?? "PG_CA_CERT";
+  const hyperdrive = env[hyperdriveKey] as HyperdriveLike | undefined;
+  const hyperdriveString = cleanString(hyperdrive?.connectionString);
+  if (hyperdriveString) {
+    return {
+      connectionString: hyperdriveString,
+      source: "hyperdrive",
+      closeConnection: options.closeConnection ?? false,
+    };
+  }
+
+  const urlString = cleanString(env[urlKey]);
+  if (urlString) {
+    return {
+      connectionString: urlString,
+      source: "url",
+      closeConnection: options.closeConnection ?? true,
+      caCert: normalizePem(cleanString(env[caCertKey])),
+    };
+  }
+
+  const fallback = cleanString(options.fallbackConnectionString);
+  if (fallback) {
+    return {
+      connectionString: fallback,
+      source: "fallback",
+      closeConnection: options.closeConnection ?? true,
+      caCert: normalizePem(cleanString(env[caCertKey])),
+    };
+  }
+
+  if (options.requireConnection ?? true) {
+    throw new Error(`${urlKey} or ${hyperdriveKey}.connectionString is required for Postgres.`);
+  }
+
+  return {
+    connectionString: "",
+    source: "fallback",
+    closeConnection: options.closeConnection ?? true,
+  };
+}
+
+export function postgresClientOptions(
+  connection: Pick<ResolvedPgConnection, "connectionString" | "source" | "caCert">,
+  options: PgClientOptions = {},
+): PostgresOptions {
+  const clientOptions: PostgresOptions = {
+    max: options.max ?? 1,
+    prepare: options.prepare ?? false,
+    idle_timeout: options.idleTimeoutSeconds ?? 20,
+    connect_timeout: options.connectTimeoutSeconds ?? 5,
+  };
+
+  const ssl = resolvePgSsl(connection, options.sslMode ?? "auto");
+  if (ssl !== undefined) clientOptions.ssl = ssl;
+  return clientOptions;
+}
+
+export function createPostgresSql(
+  connection: ResolvedPgConnection,
+  options: PgClientOptions = {},
+): postgres.Sql {
+  return postgres(connection.connectionString, postgresClientOptions(connection, options));
+}
+
+export function createKyselyPg<Database>(
+  env: PgEnvLike,
+  options: KyselyPgOptions = {},
+): {
+  db: Kysely<Database>;
+  sql: postgres.Sql;
+  connection: ResolvedPgConnection;
+  destroy(): Promise<void>;
+} {
+  const connection = resolvePgConnection(env, options);
+  const sql = createPostgresSql(connection, options);
+  const db = new Kysely<Database>({
+    dialect: new PostgresJSDialect({ postgres: sql }),
+  });
+
+  return {
+    db,
+    sql,
+    connection,
+    async destroy() {
+      try {
+        await db.destroy();
+      } catch (error) {
+        options.onDestroyError?.(error);
+        if (!options.onDestroyError) throw error;
+      }
+    },
+  };
+}
+
+export async function withKyselyPg<Database, Result>(
+  env: PgEnvLike,
+  fn: (db: Kysely<Database>, context: { sql: postgres.Sql; connection: ResolvedPgConnection }) => Promise<Result>,
+  options: KyselyPgOptions = {},
+): Promise<Result> {
+  const handle = createKyselyPg<Database>(env, options);
+  try {
+    return await fn(handle.db, { sql: handle.sql, connection: handle.connection });
+  } finally {
+    if (handle.connection.closeConnection) {
+      await handle.destroy();
+    }
+  }
+}
+
+export function normalizePem(value?: string): string | undefined {
+  const trimmed = value?.trim();
+  if (!trimmed) return undefined;
+  return trimmed.includes("\\n") ? trimmed.replace(/\\n/g, "\n") : trimmed;
+}
+
+function resolvePgSsl(
+  connection: Pick<ResolvedPgConnection, "connectionString" | "source" | "caCert">,
+  mode: PgSslMode,
+): PostgresOptions["ssl"] | undefined {
+  if (mode === "disable") return false;
+  if (mode === "require") return "require";
+  if (mode === "verify-ca") {
+    if (!connection.caCert) throw new Error("PG_CA_CERT is required when sslMode is verify-ca.");
+    return { ca: connection.caCert, rejectUnauthorized: true };
+  }
+  if (connection.source === "hyperdrive") return false;
+  if (connection.caCert) return { ca: connection.caCert, rejectUnauthorized: true };
+  if (isLocalPgUrl(connection.connectionString)) return false;
+  return "require";
+}
+
+function isLocalPgUrl(connectionString: string): boolean {
+  try {
+    const host = new URL(connectionString).hostname;
+    return host === "localhost" || host === "127.0.0.1" || host === "::1";
+  } catch {
+    return false;
+  }
+}
+
+function cleanString(value: unknown): string | undefined {
+  return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}

package/src/pg.ts

@@ -0,0 +1,81 @@
+export interface PgQueryResult<Row = unknown> {
+  rows: Row[];
+  rowCount: number | null;
+}
+
+export interface PgClientLike {
+  query<Row = unknown>(text: string, values?: readonly unknown[]): Promise<PgQueryResult<Row>>;
+}
+
+export interface PgPoolLike extends PgClientLike {
+  connect(): Promise<PgClientLike & { release(): void }>;
+}
+
+export type PgMigration = {
+  id: string;
+  sql: string;
+};
+
+export type PgMigrationResult = {
+  applied: string[];
+  skipped: string[];
+};
+
+export async function ensurePgMigrationsTable(client: PgClientLike, tableName = "schema_migrations"): Promise<void> {
+  assertSafeIdentifier(tableName);
+  await client.query(`
+    CREATE TABLE IF NOT EXISTS ${tableName} (
+      id TEXT PRIMARY KEY,
+      applied_at TIMESTAMPTZ NOT NULL DEFAULT now()
+    )
+  `);
+}
+
+export async function applyPgMigrations(
+  pool: PgPoolLike,
+  migrations: PgMigration[],
+  options: { tableName?: string; lockKey?: number } = {},
+): Promise<PgMigrationResult> {
+  const tableName = options.tableName ?? "schema_migrations";
+  assertSafeIdentifier(tableName);
+  const client = await pool.connect();
+  const applied: string[] = [];
+  const skipped: string[] = [];
+
+  try {
+    await client.query("BEGIN");
+    if (options.lockKey !== undefined) {
+      await client.query("SELECT pg_advisory_xact_lock($1)", [options.lockKey]);
+    }
+    await ensurePgMigrationsTable(client, tableName);
+
+    for (const migration of migrations) {
+      const existing = await client.query<{ id: string }>(`SELECT id FROM ${tableName} WHERE id = $1 LIMIT 1`, [migration.id]);
+      if (existing.rows[0]) {
+        skipped.push(migration.id);
+        continue;
+      }
+      await client.query(migration.sql);
+      await client.query(`INSERT INTO ${tableName} (id) VALUES ($1)`, [migration.id]);
+      applied.push(migration.id);
+    }
+
+    await client.query("COMMIT");
+    return { applied, skipped };
+  } catch (error) {
+    await client.query("ROLLBACK");
+    throw error;
+  } finally {
+    client.release();
+  }
+}
+
+export function pgJson<T>(value: T): string {
+  return JSON.stringify(value ?? null);
+}
+
+function assertSafeIdentifier(value: string): void {
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(value)) {
+    throw new Error(`Unsafe SQL identifier: ${value}`);
+  }
+}

package/src/r2-json.ts

@@ -0,0 +1,32 @@
+import { sha256Hex } from "./ids.js";
+
+export type R2JsonPutOptions = {
+  contentType?: string;
+  customMetadata?: Record<string, string>;
+};
+
+export async function putR2Json(
+  bucket: R2Bucket,
+  key: string,
+  value: unknown,
+  options: R2JsonPutOptions = {},
+): Promise<R2Object> {
+  return bucket.put(key, JSON.stringify(value), {
+    httpMetadata: { contentType: options.contentType ?? "application/json; charset=utf-8" },
+    customMetadata: options.customMetadata,
+  });
+}
+
+export async function getR2Json<T>(bucket: R2Bucket, key: string): Promise<T | null> {
+  const object = await bucket.get(key);
+  if (!object) return null;
+  return (await object.json()) as T;
+}
+
+export async function digestR2Key(prefix: string, value: string | Uint8Array, extension = "json"): Promise<string> {
+  const input = typeof value === "string" ? value : [...value].map((byte) => String.fromCharCode(byte)).join("");
+  const digest = await sha256Hex(input);
+  const cleanPrefix = prefix.replace(/^\/+|\/+$/g, "");
+  const cleanExtension = extension.replace(/^\./, "");
+  return `${cleanPrefix}/${digest.slice(0, 2)}/${digest}.${cleanExtension}`;
+}

package/src/rate-limit.ts

@@ -0,0 +1,77 @@
+import type { D1DatabaseLike } from "./d1.js";
+import { sha256Hex } from "./ids.js";
+
+export type RateLimitDecision = {
+  allowed: boolean;
+  keyHash: string;
+  count: number;
+  limit: number;
+  resetAt: string;
+};
+
+export type FixedWindowRateLimitInput = {
+  namespace: string;
+  key: string;
+  limit: number;
+  windowSeconds: number;
+  now?: Date;
+};
+
+export async function checkD1FixedWindowRateLimit(
+  db: D1DatabaseLike,
+  input: FixedWindowRateLimitInput,
+): Promise<RateLimitDecision> {
+  const now = input.now ?? new Date();
+  const windowSeconds = Math.max(1, Math.floor(input.windowSeconds));
+  const limit = Math.max(1, Math.floor(input.limit));
+  const bucketStartMs = Math.floor(now.getTime() / (windowSeconds * 1000)) * windowSeconds * 1000;
+  const bucket = new Date(bucketStartMs).toISOString();
+  const resetAt = new Date(bucketStartMs + windowSeconds * 1000).toISOString();
+  const keyHash = await sha256Hex(`${input.namespace}:${input.key}`);
+
+  await db
+    .prepare(
+      `INSERT INTO rate_limits (namespace, key_hash, bucket, count, reset_at)
+       VALUES (?, ?, ?, 1, ?)
+       ON CONFLICT(namespace, key_hash, bucket)
+       DO UPDATE SET count = count + 1, reset_at = excluded.reset_at`,
+    )
+    .bind(input.namespace, keyHash, bucket, resetAt)
+    .run();
+
+  const row = await db
+    .prepare(
+      `SELECT count, reset_at AS resetAt
+       FROM rate_limits
+       WHERE namespace = ? AND key_hash = ? AND bucket = ?
+       LIMIT 1`,
+    )
+    .bind(input.namespace, keyHash, bucket)
+    .first<{ count: number; resetAt: string }>();
+
+  const count = Number(row?.count ?? 1);
+  return {
+    allowed: count <= limit,
+    keyHash,
+    count,
+    limit,
+    resetAt: row?.resetAt ?? resetAt,
+  };
+}
+
+export async function deleteExpiredD1RateLimitBuckets(db: D1DatabaseLike, now = new Date()): Promise<number> {
+  const result = await db.prepare("DELETE FROM rate_limits WHERE reset_at < ?").bind(now.toISOString()).run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export const D1_RATE_LIMITS_SCHEMA = `
+CREATE TABLE IF NOT EXISTS rate_limits (
+  namespace TEXT NOT NULL,
+  key_hash TEXT NOT NULL,
+  bucket TEXT NOT NULL,
+  count INTEGER NOT NULL DEFAULT 0,
+  reset_at TEXT NOT NULL,
+  PRIMARY KEY (namespace, key_hash, bucket)
+);
+CREATE INDEX IF NOT EXISTS rate_limits_reset_at_idx ON rate_limits(reset_at);
+`;

package/src/seo.ts

@@ -0,0 +1,73 @@
+export type SitemapUrl = {
+  loc: string;
+  lastmod?: string;
+  changefreq?: "always" | "hourly" | "daily" | "weekly" | "monthly" | "yearly" | "never";
+  priority?: number;
+};
+
+export type PageMeta = {
+  title: string;
+  description?: string;
+  canonical?: string;
+  image?: string;
+  type?: string;
+  noindex?: boolean;
+};
+
+export function xmlEscape(value: string): string {
+  return value
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&apos;");
+}
+
+export function renderSitemapXml(urls: SitemapUrl[]): string {
+  const body = urls
+    .map((url) => {
+      const fields = [
+        `<loc>${xmlEscape(url.loc)}</loc>`,
+        url.lastmod ? `<lastmod>${xmlEscape(url.lastmod)}</lastmod>` : "",
+        url.changefreq ? `<changefreq>${url.changefreq}</changefreq>` : "",
+        url.priority === undefined ? "" : `<priority>${clampPriority(url.priority).toFixed(1)}</priority>`,
+      ].filter(Boolean);
+      return `  <url>\n    ${fields.join("\n    ")}\n  </url>`;
+    })
+    .join("\n");
+  return `<?xml version="1.0" encoding="UTF-8"?>\n<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n${body}\n</urlset>\n`;
+}
+
+export function renderRobotsTxt(options: { allow?: string[]; disallow?: string[]; sitemap?: string | string[] } = {}): string {
+  const lines = ["User-agent: *"];
+  for (const path of options.allow ?? []) lines.push(`Allow: ${path}`);
+  for (const path of options.disallow ?? []) lines.push(`Disallow: ${path}`);
+  for (const sitemap of Array.isArray(options.sitemap) ? options.sitemap : options.sitemap ? [options.sitemap] : []) {
+    lines.push(`Sitemap: ${sitemap}`);
+  }
+  return `${lines.join("\n")}\n`;
+}
+
+export function metaTags(meta: PageMeta): Record<string, string> {
+  const tags: Record<string, string> = {
+    title: meta.title,
+    "og:title": meta.title,
+  };
+  if (meta.description) {
+    tags.description = meta.description;
+    tags["og:description"] = meta.description;
+  }
+  if (meta.canonical) {
+    tags.canonical = meta.canonical;
+    tags["og:url"] = meta.canonical;
+  }
+  if (meta.image) tags["og:image"] = meta.image;
+  if (meta.type) tags["og:type"] = meta.type;
+  if (meta.noindex) tags.robots = "noindex,nofollow";
+  return tags;
+}
+
+function clampPriority(priority: number): number {
+  if (!Number.isFinite(priority)) return 0.5;
+  return Math.max(0, Math.min(1, priority));
+}

package/src/session.ts

@@ -0,0 +1,81 @@
+import { fromBase64Url, toBase64Url } from "./ids.js";
+import { epochSeconds } from "./time.js";
+
+export type SignedSessionOptions = {
+  expiresInSeconds?: number;
+};
+
+type SessionEnvelope<T> = {
+  payload: T;
+  iat: number;
+  exp: number;
+};
+
+export async function signSession<T>(payload: T, secret: string, options: SignedSessionOptions = {}): Promise<string> {
+  if (!secret) throw new Error("Session secret is required.");
+  const now = epochSeconds();
+  const envelope: SessionEnvelope<T> = {
+    payload,
+    iat: now,
+    exp: now + (options.expiresInSeconds ?? 30 * 24 * 60 * 60),
+  };
+  const encoded = toBase64Url(JSON.stringify(envelope));
+  const signature = await hmacSha256(encoded, secret);
+  return `${encoded}.${signature}`;
+}
+
+export async function createSignedPayload(payload: string, secret: string): Promise<string> {
+  const encodedPayload = toBase64Url(payload);
+  const signature = await hmacSha256(encodedPayload, secret);
+  return `${encodedPayload}.${signature}`;
+}
+
+export async function verifySignedPayload(
+  token: string | null | undefined,
+  secret: string,
+): Promise<string | null> {
+  if (!token) return null;
+  const [encodedPayload, providedSignature] = token.split(".");
+  if (!encodedPayload || !providedSignature) return null;
+  const expectedSignature = await hmacSha256(encodedPayload, secret);
+  if (!constantTimeEqual(expectedSignature, providedSignature)) return null;
+  return new TextDecoder().decode(fromBase64Url(encodedPayload));
+}
+
+export async function verifySession<T>(token: string | null | undefined, secret: string): Promise<T | null> {
+  if (!token || !secret) return null;
+  const [encoded, signature] = token.split(".");
+  if (!encoded || !signature) return null;
+  const expected = await hmacSha256(encoded, secret);
+  if (!constantTimeEqual(signature, expected)) return null;
+
+  try {
+    const envelope = JSON.parse(new TextDecoder().decode(fromBase64Url(encoded))) as SessionEnvelope<T>;
+    if (!envelope || typeof envelope.exp !== "number" || envelope.exp < epochSeconds()) return null;
+    return envelope.payload;
+  } catch {
+    return null;
+  }
+}
+
+export function sessionCookie(name: string, value: string, options: { maxAgeSeconds?: number; secure?: boolean } = {}): string {
+  const secure = options.secure ? "; Secure" : "";
+  return `${name}=${value}; Path=/; HttpOnly; SameSite=Lax; Max-Age=${options.maxAgeSeconds ?? 30 * 24 * 60 * 60}${secure}`;
+}
+
+export function expiredSessionCookie(name: string, secure = false): string {
+  return `${name}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0${secure ? "; Secure" : ""}`;
+}
+
+async function hmacSha256(input: string, secret: string): Promise<string> {
+  const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+  const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(input));
+  return toBase64Url(new Uint8Array(signature));
+}
+
+function constantTimeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i += 1) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}