@spfn/core 0.2.0-beta.5 → 0.2.0-beta.50

package/dist/server/index.js

@@ -1,13 +1,15 @@
 import { env } from '@spfn/core/config';
-import { config } from 'dotenv';
-import { existsSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { resolve, join } from 'path';
+import { parse } from 'dotenv';
+import { logger } from '@spfn/core/logger';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { registerRoutes } from '@spfn/core/route';
 import { ErrorHandler, RequestLogger } from '@spfn/core/middleware';
 import { streamSSE } from 'hono/streaming';
-import { logger } from '@spfn/core/logger';
+import { randomBytes } from 'crypto';
+import { Agent, setGlobalDispatcher } from 'undici';
 import { initDatabase, getDatabase, closeDatabase } from '@spfn/core/db';
 import { initCache, getCache, closeCache } from '@spfn/core/cache';
 import { serve } from '@hono/node-server';
@@ -94,6 +96,11 @@ function formatError(error) {
     const stackLines = error.stack.split("\n").slice(1);
     lines.push(...stackLines);
   }
+  if (error.cause instanceof Error) {
+    lines.push(`Caused by: ${formatError(error.cause)}`);
+  } else if (error.cause !== void 0) {
+    lines.push(`Caused by: ${String(error.cause)}`);
+  }
   return lines.join("\n");
 }
 function formatContext(context) {
@@ -163,6 +170,19 @@ function formatConsole(metadata, colorize = true) {
   }
   return output;
 }
+function formatErrorCauseChain(error) {
+  const result = {
+    name: error.name,
+    message: error.message,
+    stack: error.stack
+  };
+  if (error.cause instanceof Error) {
+    result.cause = formatErrorCauseChain(error.cause);
+  } else if (error.cause !== void 0) {
+    result.cause = String(error.cause);
+  }
+  return result;
+}
 function formatJSON(metadata) {
   const obj = {
     timestamp: formatTimestamp(metadata.timestamp),
@@ -176,11 +196,7 @@ function formatJSON(metadata) {
     obj.context = metadata.context;
   }
   if (metadata.error) {
-    obj.error = {
-      name: metadata.error.name,
-      message: metadata.error.message,
-      stack: metadata.error.stack
-    };
+    obj.error = formatErrorCauseChain(metadata.error);
   }
   return JSON.stringify(obj);
 }
@@ -314,36 +330,95 @@ var init_formatters = __esm({
     };
   }
 });
-function loadEnvFiles() {
-  const cwd = process.cwd();
-  const nodeEnv = process.env.NODE_ENV || "development";
-  const envFiles = [
-    ".env.server.local",
-    ".env.server",
-    `.env.${nodeEnv}.local`,
-    nodeEnv !== "test" ? ".env.local" : null,
-    `.env.${nodeEnv}`,
-    ".env"
-  ].filter((file) => file !== null);
-  for (const file of envFiles) {
-    const filePath = resolve(cwd, file);
-    if (existsSync(filePath)) {
-      config({ path: filePath });
+var envLogger = logger.child("@spfn/core:env-loader");
+function getEnvFiles(nodeEnv, server) {
+  const files = [
+    ".env",
+    `.env.${nodeEnv}`
+  ];
+  if (nodeEnv !== "test") {
+    files.push(".env.local");
+  }
+  files.push(`.env.${nodeEnv}.local`);
+  if (server) {
+    files.push(".env.server");
+  }
+  return files;
+}
+function parseEnvFile(filePath) {
+  if (!existsSync(filePath)) {
+    return null;
+  }
+  return parse(readFileSync(filePath, "utf-8"));
+}
+function loadEnv(options = {}) {
+  const {
+    cwd = process.cwd(),
+    nodeEnv = process.env.NODE_ENV || "local",
+    server = true,
+    debug = false,
+    override = false
+  } = options;
+  const envFiles = getEnvFiles(nodeEnv, server);
+  const loadedFiles = [];
+  const existingKeys = new Set(Object.keys(process.env));
+  const merged = {};
+  for (const fileName of envFiles) {
+    const filePath = resolve(cwd, fileName);
+    const parsed = parseEnvFile(filePath);
+    if (parsed === null) {
+      continue;
+    }
+    loadedFiles.push(fileName);
+    Object.assign(merged, parsed);
+  }
+  const loadedKeys = [];
+  for (const [key, value] of Object.entries(merged)) {
+    if (!override && existingKeys.has(key)) {
+      continue;
     }
+    process.env[key] = value;
+    loadedKeys.push(key);
+  }
+  if (debug && loadedFiles.length > 0) {
+    envLogger.debug(`Loaded env files: ${loadedFiles.join(", ")}`);
+    envLogger.debug(`Loaded ${loadedKeys.length} environment variables`);
   }
+  return { loadedFiles, loadedKeys };
+}
+
+// src/server/dotenv-loader.ts
+var warned = false;
+function loadEnvFiles() {
+  if (!warned) {
+    warned = true;
+    console.warn(
+      '[SPFN] loadEnvFiles() is deprecated. Use loadEnv() from "@spfn/core/env/loader" instead.'
+    );
+  }
+  loadEnv();
 }
 var sseLogger = logger.child("@spfn/core:sse");
-function createSSEHandler(router, config2 = {}) {
+function createSSEHandler(router, config = {}, tokenManager) {
   const {
-    pingInterval = 3e4
-    // headers: customHeaders = {},  // Reserved for future use
-  } = config2;
+    pingInterval = 3e4,
+    auth: authConfig
+  } = config;
   return async (c) => {
-    const eventsParam = c.req.query("events");
-    if (!eventsParam) {
+    const subject = await authenticateToken(c, tokenManager);
+    if (subject === false) {
+      return c.json({ error: "Missing token parameter" }, 401);
+    }
+    if (subject === null) {
+      return c.json({ error: "Invalid or expired token" }, 401);
+    }
+    if (subject) {
+      c.set("sseSubject", subject);
+    }
+    const requestedEvents = parseRequestedEvents(c);
+    if (!requestedEvents) {
       return c.json({ error: "Missing events parameter" }, 400);
     }
-    const requestedEvents = eventsParam.split(",").map((e) => e.trim());
     const validEventNames = router.eventNames;
     const invalidEvents = requestedEvents.filter((e) => !validEventNames.includes(e));
     if (invalidEvents.length > 0) {
@@ -353,19 +428,42 @@ function createSSEHandler(router, config2 = {}) {
         validEvents: validEventNames
       }, 400);
     }
+    const allowedEvents = await authorizeEvents(subject, requestedEvents, authConfig);
+    if (allowedEvents === null) {
+      return c.json({ error: "Not authorized for any requested events" }, 403);
+    }
     sseLogger.debug("SSE connection requested", {
-      events: requestedEvents,
+      events: allowedEvents,
+      subject: subject || void 0,
       clientIp: c.req.header("x-forwarded-for") || c.req.header("x-real-ip")
     });
+    c.header("X-Accel-Buffering", "no");
     return streamSSE(c, async (stream) => {
       const unsubscribes = [];
       let messageId = 0;
-      for (const eventName of requestedEvents) {
+      let connectionDead = false;
+      let pingTimer;
+      const cleanup = () => {
+        if (connectionDead) return;
+        connectionDead = true;
+        clearInterval(pingTimer);
+        unsubscribes.forEach((fn) => fn());
+        sseLogger.info("SSE dead connection cleaned up", {
+          events: allowedEvents
+        });
+      };
+      for (const eventName of allowedEvents) {
         const eventDef = router.events[eventName];
         if (!eventDef) {
           continue;
         }
         const unsubscribe = eventDef.subscribe((payload) => {
+          if (connectionDead) return;
+          if (subject && authConfig?.filter?.[eventName]) {
+            if (!authConfig.filter[eventName](subject, payload)) {
+              return;
+            }
+          }
           messageId++;
           const message = {
             event: eventName,
@@ -375,40 +473,49 @@ function createSSEHandler(router, config2 = {}) {
             event: eventName,
             messageId
           });
-          void stream.writeSSE({
+          stream.writeSSE({
             id: String(messageId),
             event: eventName,
             data: JSON.stringify(message)
+          }).catch((err) => {
+            sseLogger.warn("SSE write failed", {
+              event: eventName,
+              messageId,
+              error: err.message
+            });
+            cleanup();
           });
         });
         unsubscribes.push(unsubscribe);
       }
       sseLogger.info("SSE connection established", {
-        events: requestedEvents,
+        events: allowedEvents,
         subscriptionCount: unsubscribes.length
       });
       await stream.writeSSE({
         event: "connected",
         data: JSON.stringify({
-          subscribedEvents: requestedEvents,
+          subscribedEvents: allowedEvents,
           timestamp: Date.now()
         })
       });
-      const pingTimer = setInterval(() => {
-        void stream.writeSSE({
+      pingTimer = setInterval(() => {
+        if (connectionDead) return;
+        stream.writeSSE({
           event: "ping",
           data: JSON.stringify({ timestamp: Date.now() })
+        }).catch((err) => {
+          sseLogger.warn("SSE ping failed", {
+            error: err.message
+          });
+          cleanup();
         });
       }, pingInterval);
       const abortSignal = c.req.raw.signal;
-      while (!abortSignal.aborted) {
+      while (!abortSignal.aborted && !connectionDead) {
         await stream.sleep(pingInterval);
       }
-      clearInterval(pingTimer);
-      unsubscribes.forEach((fn) => fn());
-      sseLogger.info("SSE connection closed", {
-        events: requestedEvents
-      });
+      cleanup();
     }, async (err) => {
       sseLogger.error("SSE stream error", {
         error: err.message
@@ -416,8 +523,357 @@ function createSSEHandler(router, config2 = {}) {
     });
   };
 }
+async function authenticateToken(c, tokenManager) {
+  if (!tokenManager) {
+    return void 0;
+  }
+  const token = c.req.query("token");
+  if (!token) {
+    return false;
+  }
+  return await tokenManager.verify(token);
+}
+function parseRequestedEvents(c) {
+  const eventsParam = c.req.query("events");
+  if (!eventsParam) {
+    return null;
+  }
+  return eventsParam.split(",").map((e) => e.trim());
+}
+async function authorizeEvents(subject, requestedEvents, authConfig) {
+  if (!subject || !authConfig?.authorize) {
+    return requestedEvents;
+  }
+  const allowed = await authConfig.authorize(subject, requestedEvents);
+  if (allowed.length === 0) {
+    return null;
+  }
+  return allowed;
+}
+var InMemoryTokenStore = class {
+  tokens = /* @__PURE__ */ new Map();
+  async set(token, data) {
+    this.tokens.set(token, data);
+  }
+  async consume(token) {
+    const data = this.tokens.get(token);
+    if (!data) {
+      return null;
+    }
+    this.tokens.delete(token);
+    return data;
+  }
+  async cleanup() {
+    const now = Date.now();
+    for (const [token, data] of this.tokens) {
+      if (data.expiresAt <= now) {
+        this.tokens.delete(token);
+      }
+    }
+  }
+};
+var CacheTokenStore = class {
+  constructor(cache) {
+    this.cache = cache;
+  }
+  prefix = "sse:token:";
+  async set(token, data) {
+    const ttlSeconds = Math.max(1, Math.ceil((data.expiresAt - Date.now()) / 1e3));
+    await this.cache.set(
+      this.prefix + token,
+      JSON.stringify(data),
+      "EX",
+      ttlSeconds
+    );
+  }
+  async consume(token) {
+    const key = this.prefix + token;
+    let raw = null;
+    if (this.cache.getdel) {
+      raw = await this.cache.getdel(key);
+    } else {
+      raw = await this.cache.get(key);
+      if (raw) {
+        await this.cache.del(key);
+      }
+    }
+    if (!raw) {
+      return null;
+    }
+    return JSON.parse(raw);
+  }
+  async cleanup() {
+  }
+};
+var SSETokenManager = class {
+  store;
+  ttl;
+  cleanupTimer = null;
+  constructor(config) {
+    this.ttl = config?.ttl ?? 3e4;
+    this.store = config?.store ?? new InMemoryTokenStore();
+    const cleanupInterval = config?.cleanupInterval ?? 6e4;
+    this.cleanupTimer = setInterval(() => void this.store.cleanup(), cleanupInterval);
+    this.cleanupTimer.unref();
+  }
+  /**
+   * Issue a new one-time-use token for the given subject
+   */
+  async issue(subject) {
+    const token = randomBytes(32).toString("hex");
+    await this.store.set(token, {
+      token,
+      subject,
+      expiresAt: Date.now() + this.ttl
+    });
+    return token;
+  }
+  /**
+   * Verify and consume a token
+   * @returns subject string if valid, null if invalid/expired/already consumed
+   */
+  async verify(token) {
+    const data = await this.store.consume(token);
+    if (!data || data.expiresAt <= Date.now()) {
+      return null;
+    }
+    return data.subject;
+  }
+  /**
+   * Cleanup timer and resources
+   */
+  destroy() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+  }
+};
+var serverLogger = logger.child("@spfn/core:server");
+
+// src/server/shutdown-manager.ts
+var DEFAULT_HOOK_TIMEOUT = 1e4;
+var DEFAULT_HOOK_ORDER = 100;
+var DRAIN_POLL_INTERVAL = 500;
+var ShutdownManager = class {
+  state = "running";
+  hooks = [];
+  operations = /* @__PURE__ */ new Map();
+  operationCounter = 0;
+  /**
+   * Register a shutdown hook
+   *
+   * Hooks run in order during shutdown, after all tracked operations drain.
+   * Each hook has its own timeout — failure does not block subsequent hooks.
+   *
+   * @example
+   * shutdown.onShutdown('ai-service', async () => {
+   *     await aiService.cancelPending();
+   * }, { timeout: 30000, order: 10 });
+   */
+  onShutdown(name, handler, options) {
+    this.hooks.push({
+      name,
+      handler,
+      timeout: options?.timeout ?? DEFAULT_HOOK_TIMEOUT,
+      order: options?.order ?? DEFAULT_HOOK_ORDER
+    });
+    this.hooks.sort((a, b) => a.order - b.order);
+    serverLogger.debug(`Shutdown hook registered: ${name}`, {
+      order: options?.order ?? DEFAULT_HOOK_ORDER,
+      timeout: `${options?.timeout ?? DEFAULT_HOOK_TIMEOUT}ms`
+    });
+  }
+  /**
+   * Track a long-running operation
+   *
+   * During shutdown (drain phase), the process waits for ALL tracked
+   * operations to complete before proceeding with cleanup.
+   *
+   * If shutdown has already started, the operation is rejected immediately.
+   *
+   * @returns The operation result (pass-through)
+   *
+   * @example
+   * const result = await shutdown.trackOperation(
+   *     'ai-generate',
+   *     aiService.generate(prompt)
+   * );
+   */
+  async trackOperation(name, operation) {
+    if (this.state !== "running") {
+      throw new Error(`Cannot start operation '${name}': server is shutting down`);
+    }
+    const id = `${name}-${++this.operationCounter}`;
+    this.operations.set(id, {
+      name,
+      startedAt: Date.now()
+    });
+    serverLogger.debug(`Operation tracked: ${id}`, {
+      activeOperations: this.operations.size
+    });
+    try {
+      return await operation;
+    } finally {
+      this.operations.delete(id);
+      serverLogger.debug(`Operation completed: ${id}`, {
+        activeOperations: this.operations.size
+      });
+    }
+  }
+  /**
+   * Whether the server is shutting down
+   *
+   * Use this to reject new work early (e.g., return 503 in route handlers).
+   */
+  isShuttingDown() {
+    return this.state !== "running";
+  }
+  /**
+   * Number of currently active tracked operations
+   */
+  getActiveOperationCount() {
+    return this.operations.size;
+  }
+  /**
+   * Mark shutdown as started immediately
+   *
+   * Call this at the very beginning of the shutdown sequence so that:
+   * - Health check returns 503 right away
+   * - trackOperation() rejects new work
+   * - isShuttingDown() returns true
+   */
+  beginShutdown() {
+    if (this.state !== "running") {
+      return;
+    }
+    this.state = "draining";
+    serverLogger.info("Shutdown manager: state set to draining");
+  }
+  /**
+   * Execute the full shutdown sequence
+   *
+   * 1. State → draining (reject new operations)
+   * 2. Wait for all tracked operations to complete (drain)
+   * 3. Run shutdown hooks in order
+   * 4. State → closed
+   *
+   * @param drainTimeout - Max time to wait for operations to drain (ms)
+   */
+  async execute(drainTimeout) {
+    if (this.state === "closed") {
+      serverLogger.warn("ShutdownManager.execute() called but already closed");
+      return;
+    }
+    this.state = "draining";
+    serverLogger.info("Shutdown manager: draining started", {
+      activeOperations: this.operations.size,
+      registeredHooks: this.hooks.length,
+      drainTimeout: `${drainTimeout}ms`
+    });
+    await this.drain(drainTimeout);
+    await this.executeHooks();
+    this.state = "closed";
+    serverLogger.info("Shutdown manager: all hooks executed");
+  }
+  // ========================================================================
+  // Private
+  // ========================================================================
+  /**
+   * Wait for all tracked operations to complete, up to drainTimeout
+   */
+  async drain(drainTimeout) {
+    if (this.operations.size === 0) {
+      serverLogger.info("Shutdown manager: no active operations, drain skipped");
+      return;
+    }
+    serverLogger.info(`Shutdown manager: waiting for ${this.operations.size} operations to drain...`);
+    const deadline = Date.now() + drainTimeout;
+    while (this.operations.size > 0 && Date.now() < deadline) {
+      const remaining = deadline - Date.now();
+      const ops = Array.from(this.operations.values()).map((op) => ({
+        name: op.name,
+        elapsed: `${Math.round((Date.now() - op.startedAt) / 1e3)}s`
+      }));
+      serverLogger.info("Shutdown manager: drain in progress", {
+        activeOperations: this.operations.size,
+        remainingTimeout: `${Math.round(remaining / 1e3)}s`,
+        operations: ops
+      });
+      await sleep(Math.min(DRAIN_POLL_INTERVAL, remaining));
+    }
+    if (this.operations.size > 0) {
+      const abandoned = Array.from(this.operations.values()).map((op) => op.name);
+      serverLogger.warn("Shutdown manager: drain timeout \u2014 abandoning operations", {
+        abandoned
+      });
+    } else {
+      serverLogger.info("Shutdown manager: all operations drained successfully");
+    }
+  }
+  /**
+   * Execute registered shutdown hooks in order
+   */
+  async executeHooks() {
+    if (this.hooks.length === 0) {
+      return;
+    }
+    serverLogger.info(`Shutdown manager: executing ${this.hooks.length} hooks...`);
+    for (const hook of this.hooks) {
+      serverLogger.debug(`Shutdown hook [${hook.name}] starting (timeout: ${hook.timeout}ms)`);
+      try {
+        await withTimeout(
+          hook.handler(),
+          hook.timeout,
+          `Shutdown hook '${hook.name}' timeout after ${hook.timeout}ms`
+        );
+        serverLogger.info(`Shutdown hook [${hook.name}] completed`);
+      } catch (error) {
+        serverLogger.error(
+          `Shutdown hook [${hook.name}] failed`,
+          error
+        );
+      }
+    }
+  }
+};
+var instance = null;
+function getShutdownManager() {
+  if (!instance) {
+    instance = new ShutdownManager();
+  }
+  return instance;
+}
+function resetShutdownManager() {
+  instance = null;
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+async function withTimeout(promise, timeout, message) {
+  let timeoutId;
+  return Promise.race([
+    promise.finally(() => {
+      if (timeoutId) clearTimeout(timeoutId);
+    }),
+    new Promise((_, reject) => {
+      timeoutId = setTimeout(() => {
+        reject(new Error(message));
+      }, timeout);
+    })
+  ]);
+}
+
+// src/server/helpers.ts
 function createHealthCheckHandler(detailed) {
   return async (c) => {
+    const shutdownManager = getShutdownManager();
+    if (shutdownManager.isShuttingDown()) {
+      return c.json({
+        status: "shutting_down",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      }, 503);
+    }
     const response = {
       status: "ok",
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
@@ -474,34 +930,49 @@ function applyServerTimeouts(server, timeouts) {
     server.headersTimeout = timeouts.headers;
   }
 }
-function getTimeoutConfig(config2) {
+function getTimeoutConfig(config) {
+  return {
+    request: config?.request ?? env.SERVER_TIMEOUT,
+    keepAlive: config?.keepAlive ?? env.SERVER_KEEPALIVE_TIMEOUT,
+    headers: config?.headers ?? env.SERVER_HEADERS_TIMEOUT
+  };
+}
+function getShutdownTimeout(config) {
+  return config?.timeout ?? env.SHUTDOWN_TIMEOUT;
+}
+function getFetchTimeoutConfig(config) {
   return {
-    request: config2?.request ?? env.SERVER_TIMEOUT,
-    keepAlive: config2?.keepAlive ?? env.SERVER_KEEPALIVE_TIMEOUT,
-    headers: config2?.headers ?? env.SERVER_HEADERS_TIMEOUT
+    connect: config?.connect ?? env.FETCH_CONNECT_TIMEOUT,
+    headers: config?.headers ?? env.FETCH_HEADERS_TIMEOUT,
+    body: config?.body ?? env.FETCH_BODY_TIMEOUT
   };
 }
-function getShutdownTimeout(config2) {
-  return config2?.timeout ?? env.SHUTDOWN_TIMEOUT;
+function applyGlobalFetchTimeouts(timeouts) {
+  const agent = new Agent({
+    connect: { timeout: timeouts.connect },
+    headersTimeout: timeouts.headers,
+    bodyTimeout: timeouts.body
+  });
+  setGlobalDispatcher(agent);
 }
-function buildMiddlewareOrder(config2) {
+function buildMiddlewareOrder(config) {
   const order = [];
-  const middlewareConfig = config2.middleware ?? {};
+  const middlewareConfig = config.middleware ?? {};
   const enableLogger = middlewareConfig.logger !== false;
   const enableCors = middlewareConfig.cors !== false;
   const enableErrorHandler = middlewareConfig.errorHandler !== false;
   if (enableLogger) order.push("RequestLogger");
   if (enableCors) order.push("CORS");
-  config2.use?.forEach((_, i) => order.push(`Custom[${i}]`));
-  if (config2.beforeRoutes) order.push("beforeRoutes hook");
+  config.use?.forEach((_, i) => order.push(`Custom[${i}]`));
+  if (config.beforeRoutes) order.push("beforeRoutes hook");
   order.push("Routes");
-  if (config2.afterRoutes) order.push("afterRoutes hook");
+  if (config.afterRoutes) order.push("afterRoutes hook");
   if (enableErrorHandler) order.push("ErrorHandler");
   return order;
 }
-function buildStartupConfig(config2, timeouts) {
-  const middlewareConfig = config2.middleware ?? {};
-  const healthCheckConfig = config2.healthCheck ?? {};
+function buildStartupConfig(config, timeouts) {
+  const middlewareConfig = config.middleware ?? {};
+  const healthCheckConfig = config.healthCheck ?? {};
   const healthCheckEnabled = healthCheckConfig.enabled !== false;
   const healthCheckPath = healthCheckConfig.path ?? "/health";
   const healthCheckDetailed = healthCheckConfig.detailed ?? env.NODE_ENV === "development";
@@ -510,7 +981,7 @@ function buildStartupConfig(config2, timeouts) {
       logger: middlewareConfig.logger !== false,
       cors: middlewareConfig.cors !== false,
       errorHandler: middlewareConfig.errorHandler !== false,
-      custom: config2.use?.length ?? 0
+      custom: config.use?.length ?? 0
     },
     healthCheck: healthCheckEnabled ? {
       enabled: true,
@@ -518,8 +989,8 @@ function buildStartupConfig(config2, timeouts) {
       detailed: healthCheckDetailed
     } : { enabled: false },
     hooks: {
-      beforeRoutes: !!config2.beforeRoutes,
-      afterRoutes: !!config2.afterRoutes
+      beforeRoutes: !!config.beforeRoutes,
+      afterRoutes: !!config.afterRoutes
     },
     timeout: {
       request: `${timeouts.request}ms`,
@@ -527,23 +998,22 @@ function buildStartupConfig(config2, timeouts) {
       headers: `${timeouts.headers}ms`
     },
     shutdown: {
-      timeout: `${config2.shutdown?.timeout ?? env.SHUTDOWN_TIMEOUT}ms`
+      timeout: `${config.shutdown?.timeout ?? env.SHUTDOWN_TIMEOUT}ms`
     }
   };
 }
-var serverLogger = logger.child("@spfn/core:server");
 
 // src/server/create-server.ts
-async function createServer(config2) {
+async function createServer(config) {
   const cwd = process.cwd();
   const appPath = join(cwd, "src", "server", "app.ts");
   const appJsPath = join(cwd, "src", "server", "app");
   if (existsSync(appPath) || existsSync(appJsPath)) {
-    return await loadCustomApp(appPath, appJsPath, config2);
+    return await loadCustomApp(appPath, appJsPath, config);
   }
-  return await createAutoConfiguredApp(config2);
+  return await createAutoConfiguredApp(config);
 }
-async function loadCustomApp(appPath, appJsPath, config2) {
+async function loadCustomApp(appPath, appJsPath, config) {
   const actualPath = existsSync(appPath) ? appPath : appJsPath;
   const appModule = await import(actualPath);
   const appFactory = appModule.default;
@@ -551,15 +1021,15 @@ async function loadCustomApp(appPath, appJsPath, config2) {
     throw new Error("app.ts must export a default function that returns a Hono app");
   }
   const app = await appFactory();
-  if (config2?.routes) {
-    const routes = registerRoutes(app, config2.routes, config2.middlewares);
-    logRegisteredRoutes(routes, config2?.debug ?? false);
+  if (config?.routes) {
+    const routes = registerRoutes(app, config.routes, config.middlewares);
+    logRegisteredRoutes(routes, config?.debug ?? false);
   }
   return app;
 }
-async function createAutoConfiguredApp(config2) {
+async function createAutoConfiguredApp(config) {
   const app = new Hono();
-  const middlewareConfig = config2?.middleware ?? {};
+  const middlewareConfig = config?.middleware ?? {};
   const enableLogger = middlewareConfig.logger !== false;
   const enableCors = middlewareConfig.cors !== false;
   const enableErrorHandler = middlewareConfig.errorHandler !== false;
@@ -569,31 +1039,31 @@ async function createAutoConfiguredApp(config2) {
       await next();
     });
   }
-  applyDefaultMiddleware(app, config2, enableLogger, enableCors);
-  if (Array.isArray(config2?.use)) {
-    config2.use.forEach((mw) => app.use("*", mw));
+  applyDefaultMiddleware(app, config, enableLogger, enableCors);
+  if (Array.isArray(config?.use)) {
+    config.use.forEach((mw) => app.use("*", mw));
   }
-  registerHealthCheckEndpoint(app, config2);
-  await executeBeforeRoutesHook(app, config2);
-  await loadAppRoutes(app, config2);
-  registerSSEEndpoint(app, config2);
-  await executeAfterRoutesHook(app, config2);
+  registerHealthCheckEndpoint(app, config);
+  await executeBeforeRoutesHook(app, config);
+  await loadAppRoutes(app, config);
+  await registerSSEEndpoint(app, config);
+  await executeAfterRoutesHook(app, config);
   if (enableErrorHandler) {
-    app.onError(ErrorHandler());
+    app.onError(ErrorHandler({ onError: config?.middleware?.onError }));
   }
   return app;
 }
-function applyDefaultMiddleware(app, config2, enableLogger, enableCors) {
+function applyDefaultMiddleware(app, config, enableLogger, enableCors) {
   if (enableLogger) {
     app.use("*", RequestLogger());
   }
   if (enableCors) {
-    const corsOptions = config2?.cors !== false ? config2?.cors : void 0;
+    const corsOptions = config?.cors !== false ? config?.cors : void 0;
     app.use("*", cors(corsOptions));
   }
 }
-function registerHealthCheckEndpoint(app, config2) {
-  const healthCheckConfig = config2?.healthCheck ?? {};
+function registerHealthCheckEndpoint(app, config) {
+  const healthCheckConfig = config?.healthCheck ?? {};
   const healthCheckEnabled = healthCheckConfig.enabled !== false;
   const healthCheckPath = healthCheckConfig.path ?? "/health";
   const healthCheckDetailed = healthCheckConfig.detailed ?? process.env.NODE_ENV === "development";
@@ -602,15 +1072,15 @@ function registerHealthCheckEndpoint(app, config2) {
     serverLogger.debug(`Health check endpoint enabled at ${healthCheckPath}`);
   }
 }
-async function executeBeforeRoutesHook(app, config2) {
-  if (config2?.lifecycle?.beforeRoutes) {
-    await config2.lifecycle.beforeRoutes(app);
+async function executeBeforeRoutesHook(app, config) {
+  if (config?.lifecycle?.beforeRoutes) {
+    await config.lifecycle.beforeRoutes(app);
   }
 }
-async function loadAppRoutes(app, config2) {
-  const debug = isDebugMode(config2);
-  if (config2?.routes) {
-    const routes = registerRoutes(app, config2.routes, config2.middlewares);
+async function loadAppRoutes(app, config) {
+  const debug = isDebugMode(config);
+  if (config?.routes) {
+    const routes = registerRoutes(app, config.routes, config.middlewares);
     logRegisteredRoutes(routes, debug);
   } else if (debug) {
     serverLogger.warn("\u26A0\uFE0F  No routes configured. Use defineServerConfig().routes() to register routes.");
@@ -631,76 +1101,150 @@ function logRegisteredRoutes(routes, debug) {
   serverLogger.info(`\u2713 Routes registered (${routes.length}):
 ${routeLines}`);
 }
-async function executeAfterRoutesHook(app, config2) {
-  if (config2?.lifecycle?.afterRoutes) {
-    await config2.lifecycle.afterRoutes(app);
+async function executeAfterRoutesHook(app, config) {
+  if (config?.lifecycle?.afterRoutes) {
+    await config.lifecycle.afterRoutes(app);
   }
 }
-function registerSSEEndpoint(app, config2) {
-  if (!config2?.events) {
+async function registerSSEEndpoint(app, config) {
+  if (!config?.events) {
     return;
   }
-  const eventsConfig = config2.eventsConfig ?? {};
-  const path = eventsConfig.path ?? "/events/stream";
-  const debug = isDebugMode(config2);
-  app.get(path, createSSEHandler(config2.events, eventsConfig));
+  const eventsConfig = config.eventsConfig ?? {};
+  const streamPath = eventsConfig.path ?? "/events/stream";
+  const authConfig = eventsConfig.auth;
+  const debug = isDebugMode(config);
+  let tokenManager;
+  if (authConfig?.enabled) {
+    let store = authConfig.store;
+    if (!store) {
+      try {
+        const { getCache: getCache2 } = await import('@spfn/core/cache');
+        const cache = getCache2();
+        if (cache) {
+          store = new CacheTokenStore(cache);
+          if (debug) {
+            serverLogger.info("SSE token store: cache (Redis/Valkey)");
+          }
+        }
+      } catch {
+      }
+    }
+    const externalManager = typeof authConfig.tokenManager === "function" ? authConfig.tokenManager() : authConfig.tokenManager;
+    tokenManager = externalManager ?? new SSETokenManager({
+      ttl: authConfig.tokenTtl,
+      store
+    });
+    const tokenPath = streamPath.replace(/\/[^/]+$/, "/token");
+    const mwHandlers = (config.middlewares ?? []).map((mw) => mw.handler);
+    const getSubject = authConfig.getSubject ?? ((c) => c.get("auth")?.userId ?? null);
+    app.on(["POST"], [tokenPath], ...mwHandlers, async (c) => {
+      const subject = getSubject(c);
+      if (!subject) {
+        return c.json({ error: "Unable to identify subject" }, 401);
+      }
+      const token = await tokenManager.issue(subject);
+      return c.json({ token });
+    });
+    if (debug) {
+      serverLogger.info(`\u2713 SSE token endpoint registered at POST ${tokenPath}`);
+    }
+  }
+  app.get(streamPath, createSSEHandler(config.events, eventsConfig, tokenManager));
   if (debug) {
-    const eventNames = config2.events.eventNames;
-    serverLogger.info(`\u2713 SSE endpoint registered at ${path}`, {
-      events: eventNames
+    const eventNames = config.events.eventNames;
+    serverLogger.info(`\u2713 SSE endpoint registered at ${streamPath}`, {
+      events: eventNames,
+      auth: !!authConfig?.enabled
     });
   }
 }
-function isDebugMode(config2) {
-  return config2?.debug ?? process.env.NODE_ENV === "development";
+function isDebugMode(config) {
+  return config?.debug ?? process.env.NODE_ENV === "development";
 }
 var jobLogger = logger.child("@spfn/core:job");
-var bossInstance = null;
-var bossConfig = null;
+function requiresSSLWithoutVerification(connectionString) {
+  try {
+    const url = new URL(connectionString);
+    const sslmode = url.searchParams.get("sslmode");
+    return sslmode === "require" || sslmode === "prefer";
+  } catch {
+    return false;
+  }
+}
+function stripSslModeFromUrl(connectionString) {
+  const url = new URL(connectionString);
+  url.searchParams.delete("sslmode");
+  return url.toString();
+}
+var BOSS_KEY = Symbol.for("spfn:boss-instance");
+var CONFIG_KEY = Symbol.for("spfn:boss-config");
+var g = globalThis;
+function getBossInstance() {
+  return g[BOSS_KEY] ?? null;
+}
+function setBossInstance(instance2) {
+  g[BOSS_KEY] = instance2;
+}
+function getBossConfig() {
+  return g[CONFIG_KEY] ?? null;
+}
+function setBossConfig(config) {
+  g[CONFIG_KEY] = config;
+}
 async function initBoss(options) {
-  if (bossInstance) {
+  const existing = getBossInstance();
+  if (existing) {
     jobLogger.warn("pg-boss already initialized, returning existing instance");
-    return bossInstance;
+    return existing;
   }
   jobLogger.info("Initializing pg-boss...");
-  bossConfig = options;
+  setBossConfig(options);
+  const needsSSL = requiresSSLWithoutVerification(options.connectionString);
   const pgBossOptions = {
-    connectionString: options.connectionString,
+    // pg 드라이버가 URL의 sslmode=require를 verify-full로 해석해서
+    // ssl 옵션을 무시하므로, URL에서 sslmode를 빼고 ssl 객체만 전달
+    connectionString: needsSSL ? stripSslModeFromUrl(options.connectionString) : options.connectionString,
     schema: options.schema ?? "spfn_queue",
     maintenanceIntervalSeconds: options.maintenanceIntervalSeconds ?? 120
   };
+  if (needsSSL) {
+    pgBossOptions.ssl = { rejectUnauthorized: false };
+  }
   if (options.monitorIntervalSeconds !== void 0 && options.monitorIntervalSeconds >= 1) {
     pgBossOptions.monitorIntervalSeconds = options.monitorIntervalSeconds;
   }
-  bossInstance = new PgBoss(pgBossOptions);
-  bossInstance.on("error", (error) => {
+  const boss = new PgBoss(pgBossOptions);
+  boss.on("error", (error) => {
     jobLogger.error("pg-boss error:", error);
   });
-  await bossInstance.start();
+  await boss.start();
+  setBossInstance(boss);
   jobLogger.info("pg-boss started successfully");
-  return bossInstance;
+  return boss;
 }
 function getBoss() {
-  return bossInstance;
+  return getBossInstance();
 }
 async function stopBoss() {
-  if (!bossInstance) {
+  const boss = getBossInstance();
+  if (!boss) {
     return;
   }
   jobLogger.info("Stopping pg-boss...");
   try {
-    await bossInstance.stop({ graceful: true, timeout: 3e4 });
+    await boss.stop({ graceful: true, timeout: 3e4 });
     jobLogger.info("pg-boss stopped gracefully");
   } catch (error) {
     jobLogger.error("Error stopping pg-boss:", error);
     throw error;
   } finally {
-    bossInstance = null;
-    bossConfig = null;
+    setBossInstance(null);
+    setBossConfig(null);
   }
 }
 function shouldClearOnStart() {
-  return bossConfig?.clearOnStart ?? false;
+  return getBossConfig()?.clearOnStart ?? false;
 }
 
 // src/job/job-router.ts
@@ -762,36 +1306,53 @@ async function registerJobs(router) {
 async function ensureQueue(boss, queueName) {
   await boss.createQueue(queueName);
 }
+async function executeJobHandler(job2, pgBossJob) {
+  jobLogger2.debug(`[Job:${job2.name}] Executing...`, { jobId: pgBossJob.id });
+  const startTime = Date.now();
+  try {
+    if (job2.inputSchema) {
+      await job2.handler(pgBossJob.data);
+    } else {
+      await job2.handler();
+    }
+    const duration = Date.now() - startTime;
+    jobLogger2.info(`[Job:${job2.name}] Completed in ${duration}ms`, {
+      jobId: pgBossJob.id,
+      duration
+    });
+  } catch (error) {
+    const duration = Date.now() - startTime;
+    jobLogger2.error(`[Job:${job2.name}] Failed after ${duration}ms`, {
+      jobId: pgBossJob.id,
+      duration,
+      error: error instanceof Error ? error.message : String(error)
+    });
+    throw error;
+  }
+}
 async function registerWorker(boss, job2, queueName) {
   await ensureQueue(boss, queueName);
+  const batchSize = job2.options?.batchSize ?? 1;
   await boss.work(
     queueName,
-    { batchSize: 1 },
-    async (jobs) => {
-      for (const pgBossJob of jobs) {
-        jobLogger2.debug(`[Job:${job2.name}] Executing...`, { jobId: pgBossJob.id });
-        const startTime = Date.now();
-        try {
-          if (job2.inputSchema) {
-            await job2.handler(pgBossJob.data);
-          } else {
-            await job2.handler();
-          }
-          const duration = Date.now() - startTime;
-          jobLogger2.info(`[Job:${job2.name}] Completed in ${duration}ms`, {
-            jobId: pgBossJob.id,
-            duration
-          });
-        } catch (error) {
-          const duration = Date.now() - startTime;
-          jobLogger2.error(`[Job:${job2.name}] Failed after ${duration}ms`, {
-            jobId: pgBossJob.id,
-            duration,
-            error: error instanceof Error ? error.message : String(error)
-          });
-          throw error;
+    { batchSize },
+    async (pgBossJobs) => {
+      if (batchSize <= 1) {
+        await executeJobHandler(job2, pgBossJobs[0]);
+        return;
+      }
+      const results = await Promise.allSettled(
+        pgBossJobs.map((pgBossJob) => executeJobHandler(job2, pgBossJob))
+      );
+      const failedIds = [];
+      for (let i = 0; i < results.length; i++) {
+        if (results[i].status === "rejected") {
+          failedIds.push(pgBossJobs[i].id);
         }
       }
+      if (failedIds.length > 0) {
+        await boss.fail(queueName, failedIds);
+      }
     }
   );
 }
@@ -851,6 +1412,202 @@ async function registerJob(job2) {
   await queueRunOnceJob(boss, job2);
   jobLogger2.debug(`Job registered: ${job2.name}`);
 }
+var wsLogger = logger.child("@spfn/core:ws");
+async function attachWSHandler(server, router, config = {}, tokenManager) {
+  const WebSocketServer = await loadWSServer();
+  const {
+    pingInterval = 3e4,
+    path = "/ws",
+    auth: authConfig
+  } = config;
+  if (authConfig?.enabled && !tokenManager) {
+    throw new Error(
+      "WebSocket auth.enabled=true requires a tokenManager. Pass tokenManager or use .websockets(router, { auth: { enabled: true } }) via startServer."
+    );
+  }
+  const wss = new WebSocketServer({ server, path });
+  const clients = /* @__PURE__ */ new Set();
+  wss.on("connection", (ws, req) => {
+    clients.add(ws);
+    ws.on("close", () => clients.delete(ws));
+    handleConnection(ws, req, router, authConfig, tokenManager, pingInterval).catch((err) => {
+      wsLogger.error("WebSocket connection handler error", err);
+      if (ws.readyState === 1) ws.close(1011, "Internal server error");
+    });
+  });
+  wss.on("error", (err) => {
+    wsLogger.error("WebSocket server error", err);
+  });
+  wsLogger.info(`\u2713 WebSocket endpoint registered at ${path}`, {
+    events: router.eventNames,
+    auth: !!authConfig?.enabled
+  });
+  return () => new Promise((resolve2, reject) => {
+    for (const client of clients) {
+      client.close(1001, "Server shutting down");
+    }
+    clients.clear();
+    wss.close((err) => {
+      if (err) reject(err);
+      else resolve2();
+    });
+  });
+}
+async function handleConnection(ws, req, router, authConfig, tokenManager, pingInterval) {
+  let pingTimer;
+  let connectionUnsubscribes = [];
+  let subscribedEvents = [];
+  ws.on("close", () => {
+    clearInterval(pingTimer);
+    connectionUnsubscribes.forEach((fn) => fn());
+    if (subscribedEvents.length > 0)
+      wsLogger.info("WebSocket connection closed", { events: subscribedEvents });
+  });
+  const url = parseURL(req);
+  if (!url) {
+    ws.close(1002, "Invalid request URL");
+    return;
+  }
+  const subject = await resolveSubject(url, authConfig?.enabled ? tokenManager : void 0);
+  if (subject === false) {
+    ws.close(4001, "Missing token");
+    return;
+  }
+  if (subject === null) {
+    ws.close(4001, "Invalid or expired token");
+    return;
+  }
+  const requestedEvents = parseRequestedEvents2(url, router.eventNames);
+  if (requestedEvents.length === 0) {
+    ws.close(4e3, "No valid event names specified");
+    return;
+  }
+  const allowedEvents = await resolveAllowedEvents(subject, requestedEvents, authConfig);
+  if (allowedEvents === null) {
+    ws.close(4003, "Not authorized for any requested events");
+    return;
+  }
+  subscribedEvents = allowedEvents;
+  wsLogger.info("WebSocket connection established", {
+    events: allowedEvents,
+    subject: subject ?? void 0
+  });
+  const connection = createConnection(ws);
+  connectionUnsubscribes = subscribeEvents(ws, router, allowedEvents, subject, authConfig);
+  if (ws.readyState !== 1) {
+    connectionUnsubscribes.forEach((fn) => fn());
+    connectionUnsubscribes = [];
+    return;
+  }
+  ws.on("message", (data) => {
+    onClientMessage(data, router, connection, subject).catch((err) => wsLogger.error("Unhandled message error", err));
+  });
+  if (pingInterval > 0) {
+    pingTimer = setInterval(() => {
+      if (ws.readyState === 1) ws.ping();
+    }, pingInterval);
+  }
+  connection.send("__connected", {
+    subscribedEvents: allowedEvents,
+    timestamp: Date.now()
+  });
+}
+function parseURL(req) {
+  try {
+    return new URL(req.url ?? "/", "ws://localhost");
+  } catch {
+    return null;
+  }
+}
+async function resolveSubject(url, tokenManager) {
+  if (!tokenManager) {
+    return void 0;
+  }
+  const token = url.searchParams.get("token");
+  if (!token) {
+    return false;
+  }
+  return await tokenManager.verify(token);
+}
+function parseRequestedEvents2(url, validEventNames) {
+  const eventsParam = url.searchParams.get("events");
+  if (!eventsParam) {
+    return [];
+  }
+  return eventsParam.split(",").map((e) => e.trim()).filter((e) => validEventNames.includes(e));
+}
+async function resolveAllowedEvents(subject, requestedEvents, authConfig) {
+  if (!subject || !authConfig?.authorize) {
+    return requestedEvents;
+  }
+  const allowed = await authConfig.authorize(subject, requestedEvents);
+  return allowed.length === 0 ? null : allowed;
+}
+function createConnection(ws) {
+  return {
+    send: (type, payload) => {
+      if (ws.readyState !== 1) return;
+      ws.send(JSON.stringify({ type, data: payload }));
+    },
+    close: (code, reason) => ws.close(code, reason)
+  };
+}
+function subscribeEvents(ws, router, allowedEvents, subject, authConfig) {
+  const unsubscribes = [];
+  for (const eventName of allowedEvents) {
+    const eventDef = router.events[eventName];
+    if (!eventDef) continue;
+    const unsubscribe = eventDef.subscribe((payload) => {
+      if (ws.readyState !== 1) return;
+      if (subject && authConfig?.filter?.[eventName]) {
+        if (!authConfig.filter[eventName](subject, payload)) return;
+      }
+      try {
+        ws.send(JSON.stringify({ type: eventName, data: payload }));
+      } catch {
+      }
+    });
+    unsubscribes.push(unsubscribe);
+  }
+  return unsubscribes;
+}
+async function onClientMessage(data, router, connection, subject) {
+  let message;
+  try {
+    message = JSON.parse(data.toString());
+  } catch {
+    return;
+  }
+  const { type, data: payload } = message;
+  if (!type) return;
+  const handler = router.messages[type];
+  if (!handler) return;
+  try {
+    await handler({ payload, subject, ws: connection });
+  } catch (err) {
+    wsLogger.error(`WebSocket message handler error: ${type}`, err);
+  }
+}
+async function loadWSServer() {
+  try {
+    const mod = await import('ws');
+    const WS = mod.default ?? mod;
+    const WSS = WS.WebSocketServer ?? WS.Server;
+    if (typeof WSS !== "function") {
+      throw new Error(
+        "WebSocketServer not found in ws module. Ensure ws@^8 is installed: pnpm add ws"
+      );
+    }
+    return WSS;
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("WebSocketServer not found")) {
+      throw err;
+    }
+    throw new Error(
+      '@spfn/core WebSocket support requires the "ws" package.\nInstall it with: pnpm add ws'
+    );
+  }
+}
 function getNetworkAddress() {
   const nets = networkInterfaces();
   for (const name of Object.keys(nets)) {
@@ -888,16 +1645,16 @@ function printBanner(options) {
 }
 
 // src/server/validation.ts
-function validateServerConfig(config2) {
-  if (config2.port !== void 0) {
-    if (!Number.isInteger(config2.port) || config2.port < 0 || config2.port > 65535) {
+function validateServerConfig(config) {
+  if (config.port !== void 0) {
+    if (!Number.isInteger(config.port) || config.port < 0 || config.port > 65535) {
       throw new Error(
-        `Invalid port: ${config2.port}. Port must be an integer between 0 and 65535.`
+        `Invalid port: ${config.port}. Port must be an integer between 0 and 65535.`
       );
     }
   }
-  if (config2.timeout) {
-    const { request, keepAlive, headers } = config2.timeout;
+  if (config.timeout) {
+    const { request, keepAlive, headers } = config.timeout;
     if (request !== void 0 && (request < 0 || !Number.isFinite(request))) {
       throw new Error(`Invalid timeout.request: ${request}. Must be a positive number.`);
     }
@@ -913,16 +1670,16 @@ function validateServerConfig(config2) {
       );
     }
   }
-  if (config2.shutdown?.timeout !== void 0) {
-    const timeout = config2.shutdown.timeout;
+  if (config.shutdown?.timeout !== void 0) {
+    const timeout = config.shutdown.timeout;
     if (timeout < 0 || !Number.isFinite(timeout)) {
       throw new Error(`Invalid shutdown.timeout: ${timeout}. Must be a positive number.`);
     }
   }
-  if (config2.healthCheck?.path) {
-    if (!config2.healthCheck.path.startsWith("/")) {
+  if (config.healthCheck?.path) {
+    if (!config.healthCheck.path.startsWith("/")) {
       throw new Error(
-        `Invalid healthCheck.path: "${config2.healthCheck.path}". Must start with "/".`
+        `Invalid healthCheck.path: "${config.healthCheck.path}". Must start with "/".`
       );
     }
   }
@@ -931,9 +1688,7 @@ var DEFAULT_MAX_LISTENERS = 15;
 var TIMEOUTS = {
   SERVER_CLOSE: 5e3,
   DATABASE_CLOSE: 5e3,
-  REDIS_CLOSE: 5e3,
-  PRODUCTION_ERROR_SHUTDOWN: 1e4
-};
+  REDIS_CLOSE: 5e3};
 var CONFIG_FILE_PATHS = [
   ".spfn/server/server.config.mjs",
   ".spfn/server/server.config",
@@ -941,9 +1696,9 @@ var CONFIG_FILE_PATHS = [
   "src/server/server.config.ts"
 ];
 var processHandlersRegistered = false;
-async function startServer(config2) {
-  loadEnvFiles();
-  const finalConfig = await loadAndMergeConfig(config2);
+async function startServer(config) {
+  loadEnv();
+  const finalConfig = await loadAndMergeConfig(config);
   const { host, port, debug } = finalConfig;
   validateServerConfig(finalConfig);
   if (!host || !port) {
@@ -959,8 +1714,14 @@ async function startServer(config2) {
     await initializeInfrastructure(finalConfig);
     const app = await createServer(finalConfig);
     const server = startHttpServer(app, host, port);
+    let wsCleanup;
+    if (finalConfig.websockets) {
+      wsCleanup = await initializeWebSocket(server, app, finalConfig);
+    }
     const timeouts = getTimeoutConfig(finalConfig.timeout);
     applyServerTimeouts(server, timeouts);
+    const fetchTimeouts = getFetchTimeoutConfig(finalConfig.fetchTimeout);
+    applyGlobalFetchTimeouts(fetchTimeouts);
     logServerTimeouts(timeouts);
     printBanner({
       mode: debug ? "Development" : "Production",
@@ -968,7 +1729,7 @@ async function startServer(config2) {
       port
     });
     logServerStarted(debug, host, port, finalConfig, timeouts);
-    const shutdownServer = createShutdownHandler(server, finalConfig, shutdownState);
+    const shutdownServer = createShutdownHandler(server, finalConfig, shutdownState, wsCleanup);
     const shutdown = createGracefulShutdown(shutdownServer, finalConfig, shutdownState);
     registerProcessHandlers(shutdown);
     const serverInstance = {
@@ -977,11 +1738,6 @@ async function startServer(config2) {
       config: finalConfig,
       close: async () => {
         serverLogger.info("Manual server shutdown requested");
-        if (shutdownState.isShuttingDown) {
-          serverLogger.warn("Shutdown already in progress, ignoring manual close request");
-          return;
-        }
-        shutdownState.isShuttingDown = true;
         await shutdownServer();
       }
     };
@@ -1001,7 +1757,7 @@ async function startServer(config2) {
     throw error;
   }
 }
-async function loadAndMergeConfig(config2) {
+async function loadAndMergeConfig(config) {
   const cwd = process.cwd();
   let fileConfig = {};
   let loadedConfigPath = null;
@@ -1025,26 +1781,26 @@ async function loadAndMergeConfig(config2) {
   }
   return {
     ...fileConfig,
-    ...config2,
-    port: config2?.port ?? fileConfig?.port ?? env.PORT,
-    host: config2?.host ?? fileConfig?.host ?? env.HOST
+    ...config,
+    port: config?.port ?? fileConfig?.port ?? env.PORT,
+    host: config?.host ?? fileConfig?.host ?? env.HOST
   };
 }
-function getInfrastructureConfig(config2) {
+function getInfrastructureConfig(config) {
   return {
-    database: config2.infrastructure?.database !== false,
-    redis: config2.infrastructure?.redis !== false
+    database: config.infrastructure?.database !== false,
+    redis: config.infrastructure?.redis !== false
   };
 }
-async function initializeInfrastructure(config2) {
-  if (config2.lifecycle?.beforeInfrastructure) {
+async function initializeInfrastructure(config) {
+  if (config.lifecycle?.beforeInfrastructure) {
     serverLogger.debug("Executing beforeInfrastructure hook...");
-    await config2.lifecycle.beforeInfrastructure(config2);
+    await config.lifecycle.beforeInfrastructure(config);
   }
-  const infraConfig = getInfrastructureConfig(config2);
+  const infraConfig = getInfrastructureConfig(config);
   if (infraConfig.database) {
     serverLogger.debug("Initializing database...");
-    await initDatabase(config2.database);
+    await initDatabase(config.database);
   } else {
     serverLogger.debug("Database initialization disabled");
   }
@@ -1054,11 +1810,11 @@ async function initializeInfrastructure(config2) {
   } else {
     serverLogger.debug("Redis initialization disabled");
   }
-  if (config2.lifecycle?.afterInfrastructure) {
+  if (config.lifecycle?.afterInfrastructure) {
     serverLogger.debug("Executing afterInfrastructure hook...");
-    await config2.lifecycle.afterInfrastructure();
+    await config.lifecycle.afterInfrastructure();
   }
-  if (config2.jobs) {
+  if (config.jobs) {
     const dbUrl = env.DATABASE_URL;
     if (!dbUrl) {
       throw new Error(
@@ -1068,10 +1824,24 @@ async function initializeInfrastructure(config2) {
     serverLogger.debug("Initializing pg-boss...");
     await initBoss({
       connectionString: dbUrl,
-      ...config2.jobsConfig
+      ...config.jobsConfig
     });
     serverLogger.debug("Registering jobs...");
-    await registerJobs(config2.jobs);
+    await registerJobs(config.jobs);
+  }
+  if (config.workflows) {
+    const infraConfig2 = getInfrastructureConfig(config);
+    if (!infraConfig2.database) {
+      throw new Error(
+        "Workflows require database connection. Ensure database is enabled in infrastructure config."
+      );
+    }
+    serverLogger.debug("Initializing workflow engine...");
+    config.workflows._init(
+      getDatabase(),
+      config.workflowsConfig
+    );
+    serverLogger.info("Workflow engine initialized");
   }
 }
 function startHttpServer(app, host, port) {
@@ -1082,8 +1852,48 @@ function startHttpServer(app, host, port) {
     hostname: host
   });
 }
-function logMiddlewareOrder(config2) {
-  const middlewareOrder = buildMiddlewareOrder(config2);
+async function initializeWebSocket(server, app, config) {
+  const wsRouter = config.websockets;
+  const wsConfig = config.websocketsConfig ?? {};
+  const authConfig = wsConfig.auth;
+  const wsPath = wsConfig.path ?? "/ws";
+  const debug = config.debug ?? process.env.NODE_ENV === "development";
+  let tokenManager;
+  if (authConfig?.enabled) {
+    let store = authConfig.store;
+    if (!store) {
+      try {
+        const { getCache: getCache2 } = await import('@spfn/core/cache');
+        const cache = getCache2();
+        if (cache) {
+          store = new CacheTokenStore(cache);
+          if (debug) serverLogger.info("WS token store: cache (Redis/Valkey)");
+        }
+      } catch {
+      }
+    }
+    const externalManager = typeof authConfig.tokenManager === "function" ? authConfig.tokenManager() : authConfig.tokenManager;
+    tokenManager = externalManager ?? new SSETokenManager({
+      ttl: authConfig.tokenTtl,
+      store
+    });
+    const tokenPath = wsPath.replace(/\/[^/]+$/, "/token");
+    const mwHandlers = (config.middlewares ?? []).map((mw) => mw.handler);
+    const getSubject = authConfig.getSubject ?? ((c) => c.get("auth")?.userId ?? null);
+    app.on(["POST"], [tokenPath], ...mwHandlers, async (c) => {
+      const subject = getSubject(c);
+      if (!subject) {
+        return c.json({ error: "Unable to identify subject" }, 401);
+      }
+      const token = await tokenManager.issue(subject);
+      return c.json({ token });
+    });
+    if (debug) serverLogger.info(`\u2713 WS token endpoint registered at POST ${tokenPath}`);
+  }
+  return await attachWSHandler(server, wsRouter, wsConfig, tokenManager);
+}
+function logMiddlewareOrder(config) {
+  const middlewareOrder = buildMiddlewareOrder(config);
   serverLogger.debug("Middleware execution order", {
     order: middlewareOrder
   });
@@ -1095,8 +1905,8 @@ function logServerTimeouts(timeouts) {
     headers: `${timeouts.headers}ms`
   });
 }
-function logServerStarted(debug, host, port, config2, timeouts) {
-  const startupConfig = buildStartupConfig(config2, timeouts);
+function logServerStarted(debug, host, port, config, timeouts) {
+  const startupConfig = buildStartupConfig(config, timeouts);
   serverLogger.info("Server started successfully", {
     mode: debug ? "development" : "production",
     host,
@@ -1104,65 +1914,83 @@ function logServerStarted(debug, host, port, config2, timeouts) {
     config: startupConfig
   });
 }
-function createShutdownHandler(server, config2, shutdownState) {
+function createShutdownHandler(server, config, shutdownState, wsCleanup) {
   return async () => {
     if (shutdownState.isShuttingDown) {
       serverLogger.debug("Shutdown already in progress for this instance, skipping");
       return;
     }
     shutdownState.isShuttingDown = true;
-    serverLogger.debug("Closing HTTP server...");
-    let timeoutId;
-    await Promise.race([
-      new Promise((resolve2, reject) => {
-        server.close((err) => {
-          if (timeoutId) clearTimeout(timeoutId);
-          if (err) {
-            serverLogger.error("HTTP server close error", err);
-            reject(err);
-          } else {
-            serverLogger.info("HTTP server closed");
-            resolve2();
-          }
-        });
-      }),
-      new Promise((_, reject) => {
-        timeoutId = setTimeout(() => {
-          reject(new Error(`HTTP server close timeout after ${TIMEOUTS.SERVER_CLOSE}ms`));
-        }, TIMEOUTS.SERVER_CLOSE);
-      })
-    ]).catch((error) => {
-      if (timeoutId) clearTimeout(timeoutId);
-      serverLogger.warn("HTTP server close timeout, forcing shutdown", error);
-    });
-    if (config2.jobs) {
-      serverLogger.debug("Stopping pg-boss...");
+    const shutdownTimeout = getShutdownTimeout(config.shutdown);
+    const shutdownManager = getShutdownManager();
+    shutdownManager.beginShutdown();
+    serverLogger.info("Phase 1: Closing HTTP server (stop accepting new connections)...");
+    await closeHttpServer(server);
+    if (wsCleanup) {
+      serverLogger.info("Phase 1.5: Closing WebSocket server...");
+      try {
+        await wsCleanup();
+        serverLogger.info("WebSocket server closed");
+      } catch (error) {
+        serverLogger.error("WebSocket server close failed", error);
+      }
+    }
+    if (config.jobs) {
+      serverLogger.info("Phase 2: Stopping pg-boss...");
       try {
         await stopBoss();
+        serverLogger.info("pg-boss stopped");
       } catch (error) {
         serverLogger.error("pg-boss stop failed", error);
       }
     }
-    if (config2.lifecycle?.beforeShutdown) {
-      serverLogger.debug("Executing beforeShutdown hook...");
+    const drainTimeout = Math.floor(shutdownTimeout * 0.8);
+    serverLogger.info(`Phase 3: Draining tracked operations (timeout: ${drainTimeout}ms)...`);
+    await shutdownManager.execute(drainTimeout);
+    if (config.lifecycle?.beforeShutdown) {
+      serverLogger.info("Phase 4: Executing beforeShutdown lifecycle hook...");
       try {
-        await config2.lifecycle.beforeShutdown();
+        await config.lifecycle.beforeShutdown();
       } catch (error) {
-        serverLogger.error("beforeShutdown hook failed", error);
+        serverLogger.error("beforeShutdown lifecycle hook failed", error);
       }
     }
-    const infraConfig = getInfrastructureConfig(config2);
+    serverLogger.info("Phase 5: Closing infrastructure...");
+    const infraConfig = getInfrastructureConfig(config);
     if (infraConfig.database) {
-      serverLogger.debug("Closing database connections...");
       await closeInfrastructure(closeDatabase, "Database", TIMEOUTS.DATABASE_CLOSE);
     }
     if (infraConfig.redis) {
-      serverLogger.debug("Closing Redis connections...");
       await closeInfrastructure(closeCache, "Redis", TIMEOUTS.REDIS_CLOSE);
     }
     serverLogger.info("Server shutdown completed");
   };
 }
+async function closeHttpServer(server) {
+  let timeoutId;
+  await Promise.race([
+    new Promise((resolve2, reject) => {
+      server.close((err) => {
+        if (timeoutId) clearTimeout(timeoutId);
+        if (err) {
+          serverLogger.error("HTTP server close error", err);
+          reject(err);
+        } else {
+          serverLogger.info("HTTP server closed");
+          resolve2();
+        }
+      });
+    }),
+    new Promise((_, reject) => {
+      timeoutId = setTimeout(() => {
+        reject(new Error(`HTTP server close timeout after ${TIMEOUTS.SERVER_CLOSE}ms`));
+      }, TIMEOUTS.SERVER_CLOSE);
+    })
+  ]).catch((error) => {
+    if (timeoutId) clearTimeout(timeoutId);
+    serverLogger.warn("HTTP server close timeout, forcing shutdown", error);
+  });
+}
 async function closeInfrastructure(closeFn, name, timeout) {
   let timeoutId;
   try {
@@ -1182,14 +2010,14 @@ async function closeInfrastructure(closeFn, name, timeout) {
     serverLogger.error(`${name} close failed or timed out`, error);
   }
 }
-function createGracefulShutdown(shutdownServer, config2, shutdownState) {
+function createGracefulShutdown(shutdownServer, config, shutdownState) {
   return async (signal) => {
     if (shutdownState.isShuttingDown) {
       serverLogger.warn(`${signal} received but shutdown already in progress, ignoring`);
       return;
     }
     serverLogger.info(`${signal} received, starting graceful shutdown...`);
-    const shutdownTimeout = getShutdownTimeout(config2.shutdown);
+    const shutdownTimeout = getShutdownTimeout(config.shutdown);
     let timeoutId;
     try {
       await Promise.race([
@@ -1217,31 +2045,8 @@ function createGracefulShutdown(shutdownServer, config2, shutdownState) {
     }
   };
 }
-function handleProcessError(errorType, shutdown) {
-  const isProduction = env.NODE_ENV === "production";
-  const isDevelopment = env.NODE_ENV === "development";
-  if (isDevelopment || process.env.WATCH_MODE === "true") {
-    serverLogger.info("Exiting immediately for clean restart");
-    process.exit(1);
-  } else if (isProduction) {
-    serverLogger.info(`Attempting graceful shutdown after ${errorType}`);
-    const forceExitTimer = setTimeout(() => {
-      serverLogger.error(`Forced exit after ${TIMEOUTS.PRODUCTION_ERROR_SHUTDOWN}ms - graceful shutdown did not complete`);
-      process.exit(1);
-    }, TIMEOUTS.PRODUCTION_ERROR_SHUTDOWN);
-    shutdown(errorType).then(() => {
-      clearTimeout(forceExitTimer);
-      serverLogger.info("Graceful shutdown completed, exiting");
-      process.exit(0);
-    }).catch((shutdownError) => {
-      clearTimeout(forceExitTimer);
-      serverLogger.error("Graceful shutdown failed", shutdownError);
-      process.exit(1);
-    });
-  } else {
-    serverLogger.info("Exiting immediately");
-    process.exit(1);
-  }
+function handleProcessError(errorType) {
+  serverLogger.warn(`${errorType} occurred - server continues running. Check logs above for details.`);
 }
 function registerProcessHandlers(shutdown) {
   if (processHandlersRegistered) {
@@ -1276,7 +2081,7 @@ function registerProcessHandlers(shutdown) {
     } else {
       serverLogger.error("Uncaught exception", error);
     }
-    handleProcessError("UNCAUGHT_EXCEPTION", shutdown);
+    handleProcessError("UNCAUGHT_EXCEPTION");
   });
   process.on("unhandledRejection", (reason, promise) => {
     if (reason instanceof Error) {
@@ -1294,20 +2099,21 @@ function registerProcessHandlers(shutdown) {
         promise
       });
     }
-    handleProcessError("UNHANDLED_REJECTION", shutdown);
+    handleProcessError("UNHANDLED_REJECTION");
   });
   serverLogger.debug("Process-level shutdown handlers registered successfully");
 }
-async function cleanupOnFailure(config2) {
+async function cleanupOnFailure(config) {
   try {
     serverLogger.debug("Cleaning up after initialization failure...");
-    const infraConfig = getInfrastructureConfig(config2);
+    const infraConfig = getInfrastructureConfig(config);
     if (infraConfig.database) {
       await closeInfrastructure(closeDatabase, "Database", TIMEOUTS.DATABASE_CLOSE);
     }
     if (infraConfig.redis) {
       await closeInfrastructure(closeCache, "Redis", TIMEOUTS.REDIS_CLOSE);
     }
+    resetShutdownManager();
     serverLogger.debug("Cleanup completed");
   } catch (cleanupError) {
     serverLogger.error("Cleanup failed", cleanupError);
@@ -1433,10 +2239,10 @@ var ServerConfigBuilder = class {
    *   .build();
    * ```
    */
-  jobs(router, config2) {
+  jobs(router, config) {
     this.config.jobs = router;
-    if (config2) {
-      this.config.jobsConfig = config2;
+    if (config) {
+      this.config.jobsConfig = config;
     }
     return this;
   }
@@ -1468,10 +2274,44 @@ var ServerConfigBuilder = class {
    * .events(eventRouter, { path: '/sse' })
    * ```
    */
-  events(router, config2) {
+  events(router, config) {
     this.config.events = router;
-    if (config2) {
-      this.config.eventsConfig = config2;
+    if (config) {
+      this.config.eventsConfig = config;
+    }
+    return this;
+  }
+  /**
+   * Register WebSocket router for bidirectional real-time communication
+   *
+   * Enables type-safe WebSocket connections with:
+   * - Server→client event push (via defineEvent + emit)
+   * - Client→server message handling (via messages in defineWSRouter)
+   *
+   * @example
+   * ```typescript
+   * // src/server/ws.ts
+   * export const wsRouter = defineWSRouter({
+   *     events: { userUpdated, notification },
+   *     messages: {
+   *         ping: ({ ws }) => ws.send('pong', {}),
+   *     },
+   * });
+   *
+   * // server.config.ts
+   * export default defineServerConfig()
+   *     .websockets(wsRouter)              // → WS /ws
+   *     .websockets(wsRouter, {
+   *         path: '/realtime',             // custom path
+   *         auth: { enabled: true },       // token authentication
+   *     })
+   *     .build();
+   * ```
+   */
+  websockets(router, config) {
+    this.config.websockets = router;
+    if (config) {
+      this.config.websocketsConfig = config;
     }
     return this;
   }
@@ -1517,6 +2357,33 @@ var ServerConfigBuilder = class {
     this.config.infrastructure = infrastructure;
     return this;
   }
+  /**
+   * Register workflow router for workflow orchestration
+   *
+   * Automatically initializes the workflow engine after database is ready.
+   *
+   * @example
+   * ```typescript
+   * import { defineWorkflowRouter } from '@spfn/workflow';
+   *
+   * const workflowRouter = defineWorkflowRouter([
+   *     provisionTenant,
+   *     deprovisionTenant,
+   * ]);
+   *
+   * export default defineServerConfig()
+   *     .routes(appRouter)
+   *     .workflows(workflowRouter)
+   *     .build();
+   * ```
+   */
+  workflows(router, config) {
+    this.config.workflows = router;
+    if (config) {
+      this.config.workflowsConfig = config;
+    }
+    return this;
+  }
   /**
    * Configure lifecycle hooks
    * Can be called multiple times - hooks will be executed in registration order
@@ -1564,6 +2431,6 @@ function defineServerConfig() {
   return new ServerConfigBuilder();
 }
 
-export { createServer, defineServerConfig, loadEnvFiles, startServer };
+export { createServer, defineServerConfig, getShutdownManager, loadEnv, loadEnvFiles, startServer };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map