@taujs/server 0.3.7 → 0.4.0

package/dist/index.js

@@ -187,36 +187,14 @@ var require_picocolors = __commonJS({
   }
 });
 
-// src/types.d.ts
+// src/fastify.d.ts
 import "fastify";
 
 // src/SSRServer.ts
-var import_fastify_plugin2 = __toESM(require_plugin(), 1);
-var import_picocolors = __toESM(require_picocolors(), 1);
-import { readFile } from "fs/promises";
-import path2 from "path";
-
-// src/utils/Logger.ts
-var createLogger = (debug) => ({
-  log: (...args) => {
-    if (debug) console.log(...args);
-  },
-  warn: (...args) => {
-    if (debug) console.warn(...args);
-  },
-  error: (...args) => {
-    if (debug) console.error(...args);
-  }
-});
-var debugLog = (logger, message, req) => {
-  const prefix = "[\u03C4js]";
-  const method = req?.method ?? "";
-  const url = req?.url ?? "";
-  const tag = method && url ? `${method} ${url}` : "";
-  logger.log(`${prefix} ${tag} ${message}`);
-};
+var import_fastify_plugin3 = __toESM(require_plugin(), 1);
 
 // src/constants.ts
+var import_picocolors = __toESM(require_picocolors(), 1);
 var RENDERTYPE = {
   ssr: "ssr",
   streaming: "streaming"
@@ -236,45 +214,649 @@ var DEV_CSP_DIRECTIVES = {
   "style-src": ["'self'", "'unsafe-inline'"],
   "img-src": ["'self'", "data:"]
 };
+var CONTENT = {
+  TAG: "\u03C4js"
+};
+var DEBUG = {
+  auth: { label: "auth", colour: import_picocolors.default.blue },
+  csp: { label: "csp", colour: import_picocolors.default.yellow },
+  errors: { label: "errors", colour: import_picocolors.default.red },
+  routes: { label: "routes", colour: import_picocolors.default.cyan },
+  security: { label: "security", colour: import_picocolors.default.yellow },
+  trx: { label: "trx", colour: import_picocolors.default.magenta },
+  vite: { label: "vite", colour: import_picocolors.default.yellow }
+};
+var REGEX = {
+  BENIGN_NET_ERR: /\b(?:ECONNRESET|EPIPE|ECONNABORTED)\b|socket hang up|aborted|premature(?: close)?/i,
+  SAFE_TRACE: /^[a-zA-Z0-9-_:.]{1,128}$/
+};
+
+// src/logging/AppError.ts
+var HTTP_STATUS = {
+  infra: 500,
+  upstream: 502,
+  domain: 404,
+  validation: 400,
+  auth: 403,
+  canceled: 499,
+  // Client Closed Request (nginx convention)
+  timeout: 504
+};
+var AppError = class _AppError extends Error {
+  kind;
+  httpStatus;
+  details;
+  safeMessage;
+  code;
+  constructor(message, kind, options = {}) {
+    super(message);
+    this.name = "AppError";
+    Object.setPrototypeOf(this, new.target.prototype);
+    if (options.cause !== void 0) {
+      Object.defineProperty(this, "cause", {
+        value: options.cause,
+        enumerable: false,
+        writable: false,
+        configurable: true
+      });
+    }
+    this.kind = kind;
+    this.httpStatus = options.httpStatus ?? HTTP_STATUS[kind];
+    this.details = options.details;
+    this.safeMessage = options.safeMessage ?? this.getSafeMessage(kind, message);
+    this.code = options.code;
+    if (Error.captureStackTrace) Error.captureStackTrace(this, this.constructor);
+  }
+  getSafeMessage(kind, message) {
+    return kind === "domain" || kind === "validation" || kind === "auth" ? message : "Internal Server Error";
+  }
+  serialiseValue(value, seen = /* @__PURE__ */ new WeakSet()) {
+    if (value === null || value === void 0) return value;
+    if (typeof value !== "object") return value;
+    if (seen.has(value)) return "[circular]";
+    seen.add(value);
+    if (value instanceof Error) {
+      return {
+        name: value.name,
+        message: value.message,
+        stack: value.stack,
+        ...value instanceof _AppError && {
+          kind: value.kind,
+          httpStatus: value.httpStatus,
+          code: value.code
+        }
+      };
+    }
+    if (Array.isArray(value)) return value.map((item) => this.serialiseValue(item, seen));
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = this.serialiseValue(val, seen);
+    }
+    return result;
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      kind: this.kind,
+      message: this.message,
+      safeMessage: this.safeMessage,
+      httpStatus: this.httpStatus,
+      ...this.code && { code: this.code },
+      details: this.serialiseValue(this.details),
+      stack: this.stack,
+      ...this.cause && {
+        cause: this.serialiseValue(this.cause)
+      }
+    };
+  }
+  static notFound(message, details, code) {
+    return new _AppError(message, "domain", { httpStatus: 404, details, code });
+  }
+  static forbidden(message, details, code) {
+    return new _AppError(message, "auth", { httpStatus: 403, details, code });
+  }
+  static badRequest(message, details, code) {
+    return new _AppError(message, "validation", { httpStatus: 400, details, code });
+  }
+  static unprocessable(message, details, code) {
+    return new _AppError(message, "validation", { httpStatus: 422, details, code });
+  }
+  static timeout(message, details, code) {
+    return new _AppError(message, "timeout", { details, code });
+  }
+  static canceled(message, details, code) {
+    return new _AppError(message, "canceled", { details, code });
+  }
+  static internal(message, cause, details, code) {
+    return new _AppError(message, "infra", { cause, details, code });
+  }
+  static upstream(message, cause, details, code) {
+    return new _AppError(message, "upstream", { cause, details, code });
+  }
+  static serviceUnavailable(message, cause, details, code) {
+    return new _AppError(message, "infra", { httpStatus: 503, cause, details, code });
+  }
+  static from(err, fallback = "Internal error") {
+    return err instanceof _AppError ? err : _AppError.internal(err?.message ?? fallback, err);
+  }
+};
+function normaliseError(e) {
+  if (e instanceof Error) return { name: e.name, message: e.message, stack: e.stack };
+  const hasMessageProp = e != null && typeof e.message !== "undefined";
+  const msg = hasMessageProp ? String(e.message) : String(e);
+  return { name: "Error", message: msg };
+}
+function toReason(e) {
+  if (e instanceof Error) return e;
+  if (e === null) return new Error("null");
+  if (typeof e === "undefined") return new Error("Unknown render error");
+  const maybeMsg = e?.message;
+  if (typeof maybeMsg !== "undefined") return new Error(String(maybeMsg));
+  return new Error(String(e));
+}
 
-// src/security/auth.ts
-function createAuthHook(routes, isDebug) {
-  const logger = createLogger(Boolean(isDebug));
+// src/logging/utils/index.ts
+var httpStatusFrom = (err, fallback = 500) => err instanceof AppError ? err.httpStatus : fallback;
+var toHttp = (err) => {
+  const app = AppError.from(err);
+  const status = httpStatusFrom(app);
+  const errorMessage = app.safeMessage;
+  return {
+    status,
+    body: {
+      error: errorMessage,
+      ...app.code && { code: app.code },
+      statusText: statusText(status)
+    }
+  };
+};
+var statusText = (status) => {
+  const map = {
+    400: "Bad Request",
+    401: "Unauthorized",
+    403: "Forbidden",
+    404: "Not Found",
+    405: "Method Not Allowed",
+    408: "Request Timeout",
+    422: "Unprocessable Entity",
+    429: "Too Many Requests",
+    499: "Client Closed Request",
+    500: "Internal Server Error",
+    502: "Bad Gateway",
+    503: "Service Unavailable",
+    504: "Gateway Timeout"
+  };
+  return map[status] ?? "Error";
+};
+
+// src/utils/DataRoutes.ts
+import { match } from "path-to-regexp";
+
+// src/utils/DataServices.ts
+async function callServiceMethod(registry, serviceName, methodName, params, ctx) {
+  if (ctx.signal?.aborted) throw AppError.timeout("Request canceled");
+  const service = registry[serviceName];
+  if (!service) throw AppError.notFound(`Unknown service: ${serviceName}`);
+  const desc = service[methodName];
+  if (!desc) throw AppError.notFound(`Unknown method: ${serviceName}.${methodName}`);
+  const logger = ctx.logger?.child({
+    component: "service-call",
+    service: serviceName,
+    method: methodName,
+    traceId: ctx.traceId
+  });
+  try {
+    const p = desc.parsers?.params ? desc.parsers.params(params) : params;
+    const data = await desc.handler(p, ctx);
+    const out = desc.parsers?.result ? desc.parsers.result(data) : data;
+    if (typeof out !== "object" || out === null) throw AppError.internal(`Non-object result from ${serviceName}.${methodName}`);
+    return out;
+  } catch (err) {
+    logger?.error("Service method failed", {
+      params,
+      error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err)
+    });
+    throw err;
+  }
+}
+var isServiceDescriptor = (obj) => {
+  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) return false;
+  const maybe = obj;
+  return typeof maybe.serviceName === "string" && typeof maybe.serviceMethod === "string";
+};
+
+// src/utils/DataRoutes.ts
+var safeDecode = (value) => {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+};
+var cleanPath = (path6) => {
+  if (!path6) return "/";
+  const basePart = path6.split("?")[0];
+  const base = basePart ? basePart.split("#")[0] : "/";
+  return base || "/";
+};
+var calculateSpecificity = (path6) => {
+  let score = 0;
+  const segments = path6.split("/").filter(Boolean);
+  for (const segment of segments) {
+    if (segment.startsWith(":")) {
+      score += 1;
+      if (/[?+*]$/.test(segment)) score -= 0.5;
+    } else if (segment === "*") {
+      score += 0.1;
+    } else {
+      score += 10;
+    }
+  }
+  score += segments.length * 0.1;
+  return score;
+};
+var isPlainObject = (v) => !!v && typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype;
+var createRouteMatchers = (routes) => {
+  const sortedRoutes = [...routes].sort((a, b) => calculateSpecificity(b.path) - calculateSpecificity(a.path));
+  return sortedRoutes.map((route) => {
+    const matcher = match(route.path, { decode: safeDecode });
+    const specificity = calculateSpecificity(route.path);
+    const keys = [];
+    return { route, matcher, keys, specificity };
+  });
+};
+var matchRoute = (url, routeMatchers) => {
+  const path6 = cleanPath(url);
+  for (const { route, matcher, keys } of routeMatchers) {
+    const match2 = matcher(path6);
+    if (match2) {
+      return {
+        route,
+        params: match2.params,
+        keys
+      };
+    }
+  }
+  return null;
+};
+var fetchInitialData = async (attr, params, serviceRegistry, ctx, callServiceMethodImpl = callServiceMethod) => {
+  const dataHandler = attr?.data;
+  if (!dataHandler || typeof dataHandler !== "function") return {};
+  try {
+    const result = await dataHandler(params, {
+      ...ctx,
+      headers: ctx.headers ?? {}
+    });
+    if (isServiceDescriptor(result)) {
+      const { serviceName, serviceMethod, args } = result;
+      return callServiceMethodImpl(serviceRegistry, serviceName, serviceMethod, args ?? {}, ctx);
+    }
+    if (isPlainObject(result)) return result;
+    throw AppError.badRequest("attr.data must return a plain object or a ServiceDescriptor");
+  } catch (err) {
+    const e = AppError.from(err);
+    const level = e.kind === "domain" || e.kind === "validation" || e.kind === "auth" ? "warn" : "error";
+    ctx.logger?.[level](e.message, {
+      component: "fetch-initial-data",
+      kind: e.kind,
+      httpStatus: e.httpStatus,
+      ...e.code && { code: e.code },
+      details: e.details,
+      params,
+      traceId: ctx.traceId
+    });
+    throw e;
+  }
+};
+
+// src/security/Auth.ts
+var createAuthHook = (routeMatchers, logger) => {
   return async function authHook(req, reply) {
     const url = new URL(req.url, `http://${req.headers.host}`).pathname;
-    const matched = routes.find((r) => r.path === url);
-    const authConfig = matched?.attr?.middleware?.auth;
-    if (!authConfig?.required) {
-      debugLog(logger, "Auth not required for route", req);
+    const match2 = matchRoute(url, routeMatchers);
+    if (!match2) return;
+    const { route } = match2;
+    const authConfig = route.attr?.middleware?.auth;
+    if (!authConfig) {
+      logger.debug("auth", "(none)", { method: req.method, url: req.url });
       return;
     }
     if (typeof req.server.authenticate !== "function") {
-      req.log.warn('Route requires auth but no "authenticate" decorator is defined on Fastify.');
+      logger.warn("Route requires auth but Fastify authenticate decorator is missing", {
+        path: url,
+        appId: route.appId
+      });
       return reply.status(500).send("Server misconfiguration: auth decorator missing.");
     }
     try {
-      debugLog(logger, "Invoking authenticate(...)", req);
+      logger.debug("auth", "Invoking authenticate(...)", { method: req.method, url: req.url });
       await req.server.authenticate(req, reply);
-      debugLog(logger, "Authentication successful", req);
+      logger.debug("auth", "Authentication successful", { method: req.method, url: req.url });
     } catch (err) {
-      debugLog(logger, "Authentication failed", req);
+      logger.debug("auth", "Authentication failed", { method: req.method, url: req.url });
       return reply.send(err);
     }
   };
-}
+};
 
-// src/security/csp.ts
+// src/security/CSP.ts
 var import_fastify_plugin = __toESM(require_plugin(), 1);
 import crypto from "crypto";
 
-// src/utils/Utils.ts
+// src/utils/System.ts
 import { dirname, join } from "path";
 import "path";
 import { fileURLToPath } from "url";
-import { match } from "path-to-regexp";
 var isDevelopment = process.env.NODE_ENV === "development";
 var __filename = fileURLToPath(import.meta.url);
 var __dirname = join(dirname(__filename), !isDevelopment ? "./" : "..");
+
+// src/logging/Logger.ts
+var import_picocolors2 = __toESM(require_picocolors(), 1);
+
+// src/logging/Parser.ts
+function parseDebugInput(input) {
+  if (input === void 0) return void 0;
+  if (typeof input === "boolean") return input;
+  if (Array.isArray(input)) {
+    const pos = /* @__PURE__ */ new Set();
+    const neg = /* @__PURE__ */ new Set();
+    for (const raw of input) {
+      const s = String(raw);
+      const isNeg = s.startsWith("-") || s.startsWith("!");
+      const key = isNeg ? s.slice(1) : s;
+      const isValid = DEBUG_CATEGORIES.includes(key);
+      if (!isValid) {
+        console.warn(`[parseDebugInput] Invalid debug category: "${key}". Valid: ${DEBUG_CATEGORIES.join(", ")}`);
+        continue;
+      }
+      (isNeg ? neg : pos).add(key);
+    }
+    if (neg.size > 0 && pos.size === 0) {
+      const o = { all: true };
+      for (const k of neg) o[k] = false;
+      return o;
+    }
+    if (pos.size > 0 || neg.size > 0) {
+      const o = {};
+      for (const k of pos) o[k] = true;
+      for (const k of neg) o[k] = false;
+      return o;
+    }
+    return void 0;
+  }
+  if (typeof input === "string") {
+    const raw = input.trim();
+    if (!raw) return void 0;
+    if (raw === "*" || raw.toLowerCase() === "true" || raw.toLowerCase() === "all") return true;
+    const parts = raw.split(",").map((s) => s.trim()).filter(Boolean);
+    const flags = {};
+    const on = /* @__PURE__ */ new Set();
+    const off = /* @__PURE__ */ new Set();
+    for (const p of parts) {
+      const neg = p.startsWith("-") || p.startsWith("!");
+      const key = neg ? p.slice(1) : p;
+      const isValid = DEBUG_CATEGORIES.includes(key);
+      if (!isValid) {
+        console.warn(`[parseDebugInput] Invalid debug category: "${key}". Valid: ${DEBUG_CATEGORIES.join(", ")}`);
+        continue;
+      }
+      (neg ? off : on).add(key);
+    }
+    if (off.size > 0 && on.size === 0) {
+      flags.all = true;
+      for (const k of off) flags[k] = false;
+      return flags;
+    }
+    for (const k of on) flags[k] = true;
+    for (const k of off) flags[k] = false;
+    return flags;
+  }
+  return input;
+}
+
+// src/logging/Logger.ts
+var DEBUG_CATEGORIES = ["auth", "routes", "errors", "vite", "network", "ssr"];
+var Logger = class _Logger {
+  constructor(config = {}) {
+    this.config = config;
+    if (config.context) this.context = { ...config.context };
+  }
+  debugEnabled = /* @__PURE__ */ new Set();
+  context = {};
+  child(context) {
+    const child = new _Logger({
+      ...this.config,
+      context: { ...this.context, ...context }
+    });
+    child.debugEnabled = new Set(this.debugEnabled);
+    return child;
+  }
+  configure(debug) {
+    this.debugEnabled.clear();
+    if (debug === true) {
+      this.debugEnabled = new Set(DEBUG_CATEGORIES);
+    } else if (Array.isArray(debug)) {
+      this.debugEnabled = new Set(debug);
+    } else if (typeof debug === "object" && debug) {
+      if (debug.all) this.debugEnabled = new Set(DEBUG_CATEGORIES);
+      Object.entries(debug).forEach(([key, value]) => {
+        if (key !== "all" && typeof value === "boolean") {
+          if (value) this.debugEnabled.add(key);
+          else this.debugEnabled.delete(key);
+        }
+      });
+    }
+  }
+  isDebugEnabled(category) {
+    return this.debugEnabled.has(category);
+  }
+  shouldEmit(level) {
+    const order = { debug: 0, info: 1, warn: 2, error: 3 };
+    const minLevel = this.config.minLevel ?? "info";
+    return order[level] >= order[minLevel];
+  }
+  shouldIncludeStack(level) {
+    const include = this.config.includeStack;
+    if (include === void 0) return level === "error" || level === "warn" && process.env.NODE_ENV !== "production";
+    if (typeof include === "boolean") return include;
+    return include(level);
+  }
+  stripStacks(meta, seen = /* @__PURE__ */ new WeakSet()) {
+    if (!meta || typeof meta !== "object") return meta;
+    if (seen.has(meta)) return "[circular]";
+    seen.add(meta);
+    if (Array.isArray(meta)) return meta.map((v) => this.stripStacks(v, seen));
+    const copy = { ...meta };
+    for (const k of Object.keys(copy)) {
+      if (k === "stack" || k.endsWith("Stack")) {
+        delete copy[k];
+      } else {
+        copy[k] = this.stripStacks(copy[k], seen);
+      }
+    }
+    return copy;
+  }
+  formatTimestamp() {
+    const now = /* @__PURE__ */ new Date();
+    if (process.env.NODE_ENV === "production") return now.toISOString();
+    const hours = String(now.getHours()).padStart(2, "0");
+    const minutes = String(now.getMinutes()).padStart(2, "0");
+    const seconds = String(now.getSeconds()).padStart(2, "0");
+    const millis = String(now.getMilliseconds()).padStart(3, "0");
+    return `${hours}:${minutes}:${seconds}.${millis}`;
+  }
+  emit(level, message, meta, category) {
+    if (!this.shouldEmit(level)) return;
+    const timestamp = this.formatTimestamp();
+    const wantCtx = this.config.includeContext === void 0 ? false : typeof this.config.includeContext === "function" ? this.config.includeContext(level) : this.config.includeContext;
+    const customSink = this.config.custom?.[level] ?? (level === "debug" ? this.config.custom?.info : void 0) ?? this.config.custom?.log;
+    const consoleFallback = level === "error" ? console.error : level === "warn" ? console.warn : console.log;
+    const sink = customSink ?? consoleFallback;
+    const merged = meta ?? {};
+    const withCtx = wantCtx && Object.keys(this.context).length > 0 ? { context: this.context, ...merged } : merged;
+    const finalMeta = this.shouldIncludeStack(level) ? withCtx : this.stripStacks(withCtx);
+    const hasMeta = finalMeta && typeof finalMeta === "object" ? Object.keys(finalMeta).length > 0 : false;
+    const coloredLevel = (() => {
+      const levelText = level.toLowerCase() + (category ? `:${category.toLowerCase()}` : "");
+      switch (level) {
+        case "debug":
+          return import_picocolors2.default.gray(`[${levelText}]`);
+        case "info":
+          return import_picocolors2.default.cyan(`[${levelText}]`);
+        case "warn":
+          return import_picocolors2.default.yellow(`[${levelText}]`);
+        case "error":
+          return import_picocolors2.default.red(`[${levelText}]`);
+        default:
+          return `[${levelText}]`;
+      }
+    })();
+    const formatted = `${timestamp} ${coloredLevel} ${message}`;
+    if (this.config.singleLine && hasMeta) {
+      const metaStr = JSON.stringify(finalMeta).replace(/\n/g, "\\n");
+      sink(`${formatted} ${metaStr}`);
+      return;
+    }
+    if (customSink) {
+      if (hasMeta) sink(formatted, finalMeta);
+      else sink(formatted);
+    } else {
+      if (hasMeta) consoleFallback(formatted, finalMeta);
+      else consoleFallback(formatted);
+    }
+  }
+  info(message, meta) {
+    this.emit("info", message, meta);
+  }
+  warn(message, meta) {
+    this.emit("warn", message, meta);
+  }
+  error(message, meta) {
+    this.emit("error", message, meta);
+  }
+  debug(category, message, meta) {
+    if (!this.debugEnabled.has(category)) return;
+    this.emit("debug", message, meta, category);
+  }
+};
+function createLogger(opts) {
+  const logger = new Logger({
+    custom: opts?.custom,
+    context: opts?.context,
+    minLevel: opts?.minLevel,
+    includeStack: opts?.includeStack,
+    includeContext: opts?.includeContext,
+    singleLine: opts?.singleLine
+  });
+  const parsed = parseDebugInput(opts?.debug);
+  if (parsed !== void 0) logger.configure(parsed);
+  return logger;
+}
+
+// src/security/CSP.ts
+var defaultGenerateCSP = (directives, nonce, req) => {
+  const merged = { ...directives };
+  merged["script-src"] = merged["script-src"] || ["'self'"];
+  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) {
+    merged["script-src"].push(`'nonce-${nonce}'`);
+  }
+  if (isDevelopment) {
+    const connect = merged["connect-src"] || ["'self'"];
+    if (!connect.includes("ws:")) connect.push("ws:");
+    if (!connect.includes("http:")) connect.push("http:");
+    merged["connect-src"] = connect;
+    const style = merged["style-src"] || ["'self'"];
+    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
+    merged["style-src"] = style;
+  }
+  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+};
+var generateNonce = () => crypto.randomBytes(16).toString("base64");
+var mergeDirectives = (base, override) => {
+  const merged = { ...base };
+  for (const [directive, values] of Object.entries(override)) {
+    if (merged[directive]) {
+      merged[directive] = [.../* @__PURE__ */ new Set([...merged[directive], ...values])];
+    } else {
+      merged[directive] = [...values];
+    }
+  }
+  return merged;
+};
+var findMatchingRoute = (routeMatchers, path6) => {
+  if (!routeMatchers) return null;
+  const match2 = matchRoute(path6, routeMatchers);
+  return match2 ? { route: match2.route, params: match2.params } : null;
+};
+var cspPlugin = (0, import_fastify_plugin.default)(
+  async (fastify, opts) => {
+    const { generateCSP = defaultGenerateCSP, routes = [], routeMatchers, debug } = opts;
+    const globalDirectives = opts.directives || DEV_CSP_DIRECTIVES;
+    const matchers = routeMatchers || (routes.length > 0 ? createRouteMatchers(routes) : null);
+    const logger = createLogger({
+      debug,
+      context: { component: "csp-plugin" }
+    });
+    fastify.addHook("onRequest", (req, reply, done) => {
+      const nonce = generateNonce();
+      req.cspNonce = nonce;
+      try {
+        const routeMatch = findMatchingRoute(matchers, req.url);
+        const routeCSP = routeMatch?.route.attr?.middleware?.csp;
+        if (routeCSP === false) {
+          done();
+          return;
+        }
+        let finalDirectives = globalDirectives;
+        if (routeCSP && typeof routeCSP === "object") {
+          if (!routeCSP.disabled) {
+            let routeDirectives;
+            if (typeof routeCSP.directives === "function") {
+              const params = routeMatch?.params || {};
+              routeDirectives = routeCSP.directives({
+                url: req.url,
+                params,
+                headers: req.headers,
+                req
+              });
+            } else {
+              routeDirectives = routeCSP.directives || {};
+            }
+            if (routeCSP.mode === "replace") {
+              finalDirectives = routeDirectives;
+            } else {
+              finalDirectives = mergeDirectives(globalDirectives, routeDirectives);
+            }
+          }
+        }
+        let cspHeader;
+        if (routeCSP?.generateCSP) {
+          cspHeader = routeCSP.generateCSP(finalDirectives, nonce, req);
+        } else {
+          cspHeader = generateCSP(finalDirectives, nonce, req);
+        }
+        reply.header("Content-Security-Policy", cspHeader);
+      } catch (error) {
+        logger.error("CSP plugin error", {
+          url: req.url,
+          error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : String(error)
+        });
+        const fallbackHeader = generateCSP(globalDirectives, nonce, req);
+        reply.header("Content-Security-Policy", fallbackHeader);
+      }
+      done();
+    });
+  },
+  { name: "taujs-csp-plugin" }
+);
+
+// src/utils/AssetManager.ts
+import { readFile } from "fs/promises";
+import path2 from "path";
+import { pathToFileURL } from "url";
+
+// src/utils/Templates.ts
 var CSS_LANGS_RE = /\.(css|less|sass|scss|styl|stylus|pcss|postcss|sss)(?:$|\?)/;
 async function collectStyle(server, entries) {
   const urls = await collectStyleUrls(server, entries);
@@ -337,44 +919,6 @@ function renderPreloadLink(file) {
       return "";
   }
 }
-var callServiceMethod = async (registry, serviceName, methodName, params) => {
-  const service = registry[serviceName];
-  if (!service) throw new Error(`Service ${String(serviceName)} does not exist in the registry`);
-  const method = service[methodName];
-  if (typeof method !== "function") throw new Error(`Service method ${String(methodName)} does not exist on ${String(serviceName)}`);
-  const data = await method(params);
-  if (typeof data !== "object" || data === null)
-    throw new Error(`Expected object response from ${String(serviceName)}.${String(methodName)}, but got ${typeof data}`);
-  return data;
-};
-var isServiceDescriptor = (obj) => {
-  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) return false;
-  const maybe = obj;
-  return typeof maybe.serviceName === "string" && typeof maybe.serviceMethod === "string";
-};
-var fetchInitialData = async (attr, params, serviceRegistry, ctx = { headers: {} }, callServiceMethodImpl = callServiceMethod) => {
-  const dataHandler = attr?.data;
-  if (!dataHandler || typeof dataHandler !== "function") return Promise.resolve({});
-  return dataHandler(params, ctx).then(async (result) => {
-    if (isServiceDescriptor(result)) {
-      const { serviceName, serviceMethod, args } = result;
-      if (serviceRegistry[serviceName]?.[serviceMethod]) return callServiceMethodImpl(serviceRegistry, serviceName, serviceMethod, args ?? {});
-      throw new Error(`Invalid service: serviceName=${String(serviceName)}, method=${String(serviceMethod)}`);
-    }
-    if (typeof result === "object" && result !== null) return result;
-    throw new Error("Invalid result from attr.data");
-  });
-};
-var matchRoute = (url, renderRoutes) => {
-  for (const route of renderRoutes) {
-    const matcher = match(route.path, {
-      decode: decodeURIComponent
-    });
-    const matched = matcher(url);
-    if (matched) return { route, params: matched.params };
-  }
-  return null;
-};
 function getCssLinks(manifest, basePath = "") {
   const seen = /* @__PURE__ */ new Set();
   const styles = [];
@@ -402,73 +946,32 @@ var ensureNonNull = (value, errorMessage) => {
   if (value === void 0 || value === null) throw new Error(errorMessage);
   return value;
 };
-
-// src/security/csp.ts
-var defaultGenerateCSP = (directives, nonce) => {
-  const merged = { ...directives };
-  merged["script-src"] = merged["script-src"] || ["'self'"];
-  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) merged["script-src"].push(`'nonce-${nonce}'`);
-  if (isDevelopment) {
-    const connect = merged["connect-src"] || ["'self'"];
-    if (!connect.includes("ws:")) connect.push("ws:");
-    if (!connect.includes("http:")) connect.push("http:");
-    merged["connect-src"] = connect;
-    const style = merged["style-src"] || ["'self'"];
-    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
-    merged["style-src"] = style;
-  }
-  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
-};
-var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var cspPlugin = (0, import_fastify_plugin.default)(
-  async (fastify, opts) => {
-    fastify.addHook("onRequest", (req, reply, done) => {
-      const nonce = generateNonce();
-      req.cspNonce = nonce;
-      const directives = opts.directives ?? DEV_CSP_DIRECTIVES;
-      const generate = opts.generateCSP ?? defaultGenerateCSP;
-      const cspHeader = generate(directives, nonce);
-      reply.header("Content-Security-Policy", cspHeader);
-      done();
-    });
-  },
-  {
-    name: "taujs-csp-plugin"
-  }
-);
-
-// src/security/verifyMiddleware.ts
-var isAuthRequired = (r) => r.attr?.middleware?.auth?.required === true;
-var hasAuthenticate = (app) => typeof app.authenticate === "function";
-var verifyContracts = (app, routes, contracts, isDebug) => {
-  const logger = createLogger(Boolean(isDebug));
-  for (const contract of contracts) {
-    const isUsed = routes.some(contract.required);
-    if (!isUsed) {
-      debugLog(logger, `Middleware "${contract.key}" not used in any routes`);
-      continue;
-    }
-    if (!contract.verify(app)) {
-      const error = new Error(`[\u03C4js] ${contract.errorMessage}`);
-      logger.error(error.message);
-      throw error;
-    }
-    debugLog(logger, `Middleware "${contract.key}" verified \u2713`);
-  }
-};
-
-// src/SSRServer.ts
-var createMaps = () => {
+function processTemplate(template) {
+  const [headSplit, bodySplit] = template.split(SSRTAG.ssrHead);
+  if (typeof bodySplit === "undefined") throw new Error(`Template is missing ${SSRTAG.ssrHead} marker.`);
+  const [beforeBody, afterBody] = bodySplit.split(SSRTAG.ssrHtml);
+  if (typeof beforeBody === "undefined" || typeof afterBody === "undefined") throw new Error(`Template is missing ${SSRTAG.ssrHtml} marker.`);
   return {
-    bootstrapModules: /* @__PURE__ */ new Map(),
-    cssLinks: /* @__PURE__ */ new Map(),
-    manifests: /* @__PURE__ */ new Map(),
-    preloadLinks: /* @__PURE__ */ new Map(),
-    renderModules: /* @__PURE__ */ new Map(),
-    ssrManifests: /* @__PURE__ */ new Map(),
-    templates: /* @__PURE__ */ new Map()
+    beforeHead: headSplit,
+    afterHead: "",
+    beforeBody: beforeBody.replace(/\s*$/, ""),
+    afterBody: afterBody.replace(/^\s*/, "")
   };
+}
+var rebuildTemplate = (parts, headContent, bodyContent) => {
+  return `${parts.beforeHead}${headContent}${parts.afterHead}${parts.beforeBody}${bodyContent}${parts.afterBody}`;
 };
+
+// src/utils/AssetManager.ts
+var createMaps = () => ({
+  bootstrapModules: /* @__PURE__ */ new Map(),
+  cssLinks: /* @__PURE__ */ new Map(),
+  manifests: /* @__PURE__ */ new Map(),
+  preloadLinks: /* @__PURE__ */ new Map(),
+  renderModules: /* @__PURE__ */ new Map(),
+  ssrManifests: /* @__PURE__ */ new Map(),
+  templates: /* @__PURE__ */ new Map()
+});
 var processConfigs = (configs, baseClientRoot, templateDefaults) => {
   return configs.map((config) => {
     const clientRoot = path2.resolve(baseClientRoot, config.entryPoint);
@@ -482,54 +985,605 @@ var processConfigs = (configs, baseClientRoot, templateDefaults) => {
     };
   });
 };
-var SSRServer = (0, import_fastify_plugin2.default)(
-  async (app, opts) => {
-    const logger = createLogger(opts.isDebug ?? false);
-    const { alias, configs, routes, serviceRegistry, isDebug, clientRoot: baseClientRoot } = opts;
-    const { bootstrapModules, cssLinks, manifests, preloadLinks, renderModules, ssrManifests, templates } = createMaps();
-    const processedConfigs = processConfigs(configs, baseClientRoot, TEMPLATE);
-    for (const config of processedConfigs) {
-      const { clientRoot, entryClient, htmlTemplate } = config;
+var loadAssets = async (processedConfigs, baseClientRoot, bootstrapModules, cssLinks, manifests, preloadLinks, renderModules, ssrManifests, templates, opts = {}) => {
+  const logger = opts.logger ?? createLogger({
+    debug: opts.debug,
+    includeContext: true
+  });
+  for (const config of processedConfigs) {
+    const { clientRoot, entryClient, entryServer, htmlTemplate } = config;
+    try {
       const templateHtmlPath = path2.join(clientRoot, htmlTemplate);
       const templateHtml = await readFile(templateHtmlPath, "utf-8");
       templates.set(clientRoot, templateHtml);
       const relativeBasePath = path2.relative(baseClientRoot, clientRoot).replace(/\\/g, "/");
       const adjustedRelativePath = relativeBasePath ? `/${relativeBasePath}` : "";
       if (!isDevelopment) {
-        const manifestPath = path2.join(clientRoot, ".vite/manifest.json");
-        const manifestContent = await readFile(manifestPath, "utf-8");
-        const manifest = JSON.parse(manifestContent);
-        manifests.set(clientRoot, manifest);
-        const ssrManifestPath = path2.join(clientRoot, ".vite/ssr-manifest.json");
-        const ssrManifestContent = await readFile(ssrManifestPath, "utf-8");
-        const ssrManifest = JSON.parse(ssrManifestContent);
-        ssrManifests.set(clientRoot, ssrManifest);
-        const entryClientFile = manifest[`${entryClient}.tsx`]?.file;
-        if (!entryClientFile) throw new Error(`Entry client file not found in manifest for ${entryClient}.tsx`);
-        const bootstrapModule = `/${adjustedRelativePath}/${entryClientFile}`.replace(/\/{2,}/g, "/");
-        bootstrapModules.set(clientRoot, bootstrapModule);
-        const preloadLink = renderPreloadLinks(ssrManifest, adjustedRelativePath);
-        preloadLinks.set(clientRoot, preloadLink);
-        const cssLink = getCssLinks(manifest, adjustedRelativePath);
-        cssLinks.set(clientRoot, cssLink);
+        try {
+          const manifestPath = path2.join(clientRoot, ".vite/manifest.json");
+          const manifestContent = await readFile(manifestPath, "utf-8");
+          const manifest = JSON.parse(manifestContent);
+          manifests.set(clientRoot, manifest);
+          const ssrManifestPath = path2.join(clientRoot, ".vite/ssr-manifest.json");
+          const ssrManifestContent = await readFile(ssrManifestPath, "utf-8");
+          const ssrManifest = JSON.parse(ssrManifestContent);
+          ssrManifests.set(clientRoot, ssrManifest);
+          const entryClientFile = manifest[`${entryClient}.tsx`]?.file;
+          if (!entryClientFile) {
+            throw AppError.internal(`Entry client file not found in manifest for ${entryClient}.tsx`, {
+              details: {
+                clientRoot,
+                entryClient,
+                availableKeys: Object.keys(manifest)
+              }
+            });
+          }
+          const bootstrapModule = `/${adjustedRelativePath}/${entryClientFile}`.replace(/\/{2,}/g, "/");
+          bootstrapModules.set(clientRoot, bootstrapModule);
+          const preloadLink = renderPreloadLinks(ssrManifest, adjustedRelativePath);
+          preloadLinks.set(clientRoot, preloadLink);
+          const cssLink = getCssLinks(manifest, adjustedRelativePath);
+          cssLinks.set(clientRoot, cssLink);
+          const renderModulePath = path2.join(clientRoot, `${entryServer}.js`);
+          const moduleUrl = pathToFileURL(renderModulePath).href;
+          try {
+            const importedModule = await import(moduleUrl);
+            renderModules.set(clientRoot, importedModule);
+          } catch (err) {
+            throw AppError.internal(`Failed to load render module ${renderModulePath}`, {
+              cause: err,
+              details: { moduleUrl, clientRoot, entryServer }
+            });
+          }
+        } catch (err) {
+          if (err instanceof AppError) {
+            logger.error("Asset load failed", {
+              error: { name: err.name, message: err.message, stack: err.stack, code: err.code },
+              stage: "loadAssets:production"
+            });
+          } else {
+            logger.error("Asset load failed", {
+              error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err),
+              stage: "loadAssets:production"
+            });
+          }
+        }
       } else {
         const bootstrapModule = `/${adjustedRelativePath}/${entryClient}`.replace(/\/{2,}/g, "/");
         bootstrapModules.set(clientRoot, bootstrapModule);
       }
+    } catch (err) {
+      logger.error("Failed to process config", {
+        error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err),
+        stage: "loadAssets:config"
+      });
     }
-    let viteDevServer;
-    verifyContracts(
-      app,
-      routes,
-      [
+  }
+};
+
+// src/utils/DevServer.ts
+import path3 from "path";
+var setupDevServer = async (app, baseClientRoot, alias, debug, devNet) => {
+  const logger = createLogger({
+    context: { service: "setupDevServer" },
+    debug,
+    minLevel: "debug"
+  });
+  const host = devNet?.host ?? process.env.HOST?.trim() ?? process.env.FASTIFY_ADDRESS?.trim() ?? "localhost";
+  const hmrPort = devNet?.hmrPort ?? (Number(process.env.HMR_PORT) || 5174);
+  const { createServer: createServer2 } = await import("vite");
+  const viteDevServer = await createServer2({
+    appType: "custom",
+    css: {
+      preprocessorOptions: {
+        scss: {
+          api: "modern-compiler"
+        }
+      }
+    },
+    mode: "development",
+    plugins: [
+      ...debug ? [
         {
-          key: "auth",
-          required: isAuthRequired,
-          verify: hasAuthenticate,
-          errorMessage: "Routes require auth but Fastify instance is missing `.authenticate` decorator."
+          name: "\u03C4js-development-server-debug-logging",
+          configureServer(server) {
+            logger.debug("vite", `${CONTENT.TAG} Development server debug started`);
+            server.middlewares.use((req, res, next) => {
+              logger.debug("vite", "\u2190 rx", {
+                method: req.method,
+                url: req.url,
+                host: req.headers.host,
+                ua: req.headers["user-agent"]
+              });
+              res.on("finish", () => {
+                logger.debug("vite", "\u2192 tx", {
+                  method: req.method,
+                  url: req.url,
+                  statusCode: res.statusCode
+                });
+              });
+              next();
+            });
+          }
+        }
+      ] : []
+    ],
+    resolve: {
+      alias: {
+        "@client": path3.resolve(baseClientRoot),
+        "@server": path3.resolve(__dirname),
+        "@shared": path3.resolve(__dirname, "../shared"),
+        ...alias
+      }
+    },
+    root: baseClientRoot,
+    server: {
+      middlewareMode: true,
+      hmr: {
+        clientPort: hmrPort,
+        host: host !== "localhost" ? host : void 0,
+        port: hmrPort,
+        protocol: "ws"
+      }
+    }
+  });
+  overrideCSSHMRConsoleError();
+  app.addHook("onRequest", async (request, reply) => {
+    await new Promise((resolve) => {
+      viteDevServer.middlewares(request.raw, reply.raw, () => {
+        if (!reply.sent) resolve();
+      });
+    });
+  });
+  return viteDevServer;
+};
+
+// src/utils/HandleRender.ts
+import path4 from "path";
+import { PassThrough } from "stream";
+
+// src/utils/Telemetry.ts
+import crypto2 from "crypto";
+function createRequestContext(req, reply, baseLogger) {
+  const raw = typeof req.headers["x-trace-id"] === "string" ? req.headers["x-trace-id"] : "";
+  const traceId = raw && REGEX.SAFE_TRACE.test(raw) ? raw : typeof req.id === "string" ? req.id : crypto2.randomUUID();
+  reply.header("x-trace-id", traceId);
+  const anyLogger = baseLogger;
+  const child = anyLogger.child;
+  const logger = typeof child === "function" ? child.call(baseLogger, { traceId, url: req.url, method: req.method }) : baseLogger;
+  const headers = Object.fromEntries(
+    Object.entries(req.headers).map(([headerName, headerValue]) => {
+      const normalisedValue = Array.isArray(headerValue) ? headerValue.join(",") : headerValue ?? "";
+      return [headerName, normalisedValue];
+    })
+  );
+  return { traceId, logger, headers };
+}
+
+// src/utils/HandleRender.ts
+var handleRender = async (req, reply, routeMatchers, processedConfigs, serviceRegistry, maps, opts = {}) => {
+  const { viteDevServer } = opts;
+  const logger = opts.logger ?? createLogger({
+    debug: opts.debug,
+    minLevel: isDevelopment ? "debug" : "info",
+    includeContext: true,
+    includeStack: (lvl) => lvl === "error" || isDevelopment
+  });
+  try {
+    if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
+    const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
+    const matchedRoute = matchRoute(url, routeMatchers);
+    const rawNonce = req.cspNonce;
+    const cspNonce = rawNonce && rawNonce.length > 0 ? rawNonce : void 0;
+    if (!matchedRoute) {
+      reply.callNotFound();
+      return;
+    }
+    const { route, params } = matchedRoute;
+    const { attr, appId } = route;
+    const config = processedConfigs.find((c) => c.appId === appId);
+    if (!config) {
+      throw AppError.internal("No configuration found for the request", {
+        details: {
+          appId,
+          availableAppIds: processedConfigs.map((c) => c.appId),
+          url
         }
-      ],
-      opts.isDebug
+      });
+    }
+    const { clientRoot, entryServer } = config;
+    let template = ensureNonNull(maps.templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
+    const bootstrapModule = maps.bootstrapModules.get(clientRoot);
+    const cssLink = maps.cssLinks.get(clientRoot);
+    const manifest = maps.manifests.get(clientRoot);
+    const preloadLink = maps.preloadLinks.get(clientRoot);
+    const ssrManifest = maps.ssrManifests.get(clientRoot);
+    let renderModule;
+    if (isDevelopment && viteDevServer) {
+      try {
+        template = template.replace(/<script type="module" src="\/@vite\/client"><\/script>/g, "");
+        template = template.replace(/<style type="text\/css">[\s\S]*?<\/style>/g, "");
+        const entryServerPath = path4.join(clientRoot, `${entryServer}.tsx`);
+        const executedModule = await viteDevServer.ssrLoadModule(entryServerPath);
+        renderModule = executedModule;
+        const styles = await collectStyle(viteDevServer, [entryServerPath]);
+        const styleNonce = cspNonce ? ` nonce="${cspNonce}"` : "";
+        template = template?.replace("</head>", `<style type="text/css"${styleNonce}>${styles}</style></head>`);
+        template = await viteDevServer.transformIndexHtml(url, template);
+      } catch (error) {
+        throw AppError.internal("Failed to load dev assets", { cause: error, details: { clientRoot, entryServer, url } });
+      }
+    } else {
+      renderModule = maps.renderModules.get(clientRoot);
+      if (!renderModule) throw AppError.internal(`Render module not found for clientRoot: ${clientRoot}. Module should have been preloaded.`);
+    }
+    const renderType = attr?.render ?? RENDERTYPE.ssr;
+    const templateParts = processTemplate(template);
+    const baseLogger = opts.logger ?? logger;
+    const { traceId, logger: reqLogger, headers } = createRequestContext(req, reply, baseLogger);
+    const ctx = { traceId, logger: reqLogger, headers };
+    const initialDataInput = () => fetchInitialData(attr, params, serviceRegistry, ctx);
+    if (renderType === RENDERTYPE.ssr) {
+      const { renderSSR } = renderModule;
+      if (!renderSSR) {
+        throw AppError.internal("renderSSR function not found in module", {
+          details: { clientRoot, availableFunctions: Object.keys(renderModule) }
+        });
+      }
+      const ac = new AbortController();
+      const onAborted = () => ac.abort("client_aborted");
+      req.raw.on("aborted", onAborted);
+      reply.raw.on("close", () => {
+        if (!reply.raw.writableEnded) ac.abort("socket_closed");
+      });
+      reply.raw.on("finish", () => req.raw.off("aborted", onAborted));
+      if (ac.signal.aborted) {
+        logger.warn("SSR skipped; already aborted", { url: req.url });
+        return;
+      }
+      const initialDataResolved = await initialDataInput();
+      let headContent = "";
+      let appHtml = "";
+      try {
+        const res = await renderSSR(initialDataResolved, req.url, attr?.meta, ac.signal, { logger: reqLogger });
+        headContent = res.headContent;
+        appHtml = res.appHtml;
+      } catch (err) {
+        const msg = String(err?.message ?? err ?? "");
+        const benign = REGEX.BENIGN_NET_ERR.test(msg);
+        if (ac.signal.aborted || benign) {
+          logger.warn("SSR aborted mid-render (benign)", { url: req.url, reason: msg });
+          return;
+        }
+        logger.error("SSR render failed", { url: req.url, error: normaliseError(err) });
+        throw err;
+      }
+      let aggregateHeadContent = headContent;
+      if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
+      if (manifest && cssLink) aggregateHeadContent += cssLink;
+      const shouldHydrate = attr?.hydrate !== false;
+      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : "";
+      const initialDataScript = `<script${nonceAttr}>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")};</script>`;
+      const bootstrapScriptTag = shouldHydrate && bootstrapModule ? `<script${nonceAttr} type="module" src="${bootstrapModule}" defer></script>` : "";
+      const safeAppHtml = appHtml.trim();
+      const fullHtml = rebuildTemplate(templateParts, aggregateHeadContent, `${safeAppHtml}${initialDataScript}${bootstrapScriptTag}`);
+      try {
+        return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
+      } catch (err) {
+        const msg = String(err?.message ?? err ?? "");
+        const benign = REGEX.BENIGN_NET_ERR.test(msg);
+        if (!benign) logger.error("SSR send failed", { url: req.url, error: normaliseError(err) });
+        else logger.warn("SSR send aborted (benign)", { url: req.url, reason: msg });
+        return;
+      }
+    } else {
+      const { renderStream } = renderModule;
+      if (!renderStream) {
+        throw AppError.internal("renderStream function not found in module", {
+          details: { clientRoot, availableFunctions: Object.keys(renderModule) }
+        });
+      }
+      const cspHeader = reply.getHeader("Content-Security-Policy");
+      reply.raw.writeHead(200, {
+        "Content-Security-Policy": cspHeader,
+        "Content-Type": "text/html; charset=utf-8"
+      });
+      const ac = new AbortController();
+      const onAborted = () => ac.abort();
+      req.raw.on("aborted", onAborted);
+      reply.raw.on("close", () => {
+        if (!reply.raw.writableEnded) ac.abort();
+      });
+      reply.raw.on("finish", () => req.raw.off("aborted", onAborted));
+      const shouldHydrate = attr?.hydrate !== false;
+      const abortedState = { aborted: false };
+      const isBenignSocketAbort = (e) => {
+        const msg = String(e?.message ?? e ?? "");
+        return REGEX.BENIGN_NET_ERR.test(msg);
+      };
+      const writable = new PassThrough();
+      writable.on("error", (err) => {
+        if (!isBenignSocketAbort(err)) logger.error("PassThrough error:", { error: err });
+      });
+      reply.raw.on("error", (err) => {
+        if (!isBenignSocketAbort(err)) logger.error("HTTP socket error:", { error: err });
+      });
+      writable.pipe(reply.raw, { end: false });
+      let finalData = void 0;
+      renderStream(
+        writable,
+        {
+          onHead: (headContent) => {
+            let aggregateHeadContent = headContent;
+            if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
+            if (manifest && cssLink) aggregateHeadContent += cssLink;
+            return reply.raw.write(`${templateParts.beforeHead}${aggregateHeadContent}${templateParts.afterHead}${templateParts.beforeBody}`);
+          },
+          onShellReady: () => {
+          },
+          onAllReady: (data) => {
+            if (!abortedState.aborted) finalData = data;
+          },
+          onError: (err) => {
+            if (abortedState.aborted || isBenignSocketAbort(err)) {
+              logger.warn("Client disconnected before stream finished");
+              try {
+                if (!reply.raw.writableEnded && !reply.raw.destroyed) reply.raw.destroy();
+              } catch (e) {
+                logger.debug?.("stream teardown: destroy() failed", { error: normaliseError(e) });
+              }
+              return;
+            }
+            abortedState.aborted = true;
+            logger.error("Critical rendering error during stream", {
+              error: normaliseError(err),
+              clientRoot,
+              url: req.url
+            });
+            try {
+              ac?.abort?.();
+            } catch (e) {
+              logger.debug?.("stream teardown: abort() failed", { error: normaliseError(e) });
+            }
+            const reason = toReason(err);
+            try {
+              if (!reply.raw.writableEnded && !reply.raw.destroyed) reply.raw.destroy(reason);
+            } catch (e) {
+              logger.debug?.("stream teardown: destroy() failed", { error: normaliseError(e) });
+            }
+          }
+        },
+        initialDataInput,
+        req.url,
+        shouldHydrate ? bootstrapModule : void 0,
+        attr?.meta,
+        cspNonce,
+        ac.signal,
+        { logger: reqLogger }
+      );
+      writable.on("finish", () => {
+        if (abortedState.aborted || reply.raw.writableEnded) return;
+        const data = finalData ?? {};
+        const initialDataScript = `<script${cspNonce ? ` nonce="${cspNonce}"` : ""}>window.__INITIAL_DATA__ = ${JSON.stringify(data).replace(
+          /</g,
+          "\\u003c"
+        )}; window.dispatchEvent(new Event('taujs:data-ready'));</script>`;
+        reply.raw.write(initialDataScript);
+        reply.raw.write(templateParts.afterBody);
+        reply.raw.end();
+      });
+    }
+  } catch (err) {
+    if (err instanceof AppError) throw err;
+    throw AppError.internal("handleRender failed", err, {
+      url: req.url,
+      route: req.routeOptions?.url
+    });
+  }
+};
+
+// src/utils/HandleNotFound.ts
+var handleNotFound = async (req, reply, processedConfigs, maps, opts = {}) => {
+  const logger = opts.logger ?? createLogger({
+    debug: opts.debug,
+    context: { component: "handle-not-found", url: req.url, method: req.method, traceId: req.id }
+  });
+  try {
+    if (/\.\w+$/.test(req.raw.url ?? "")) {
+      logger.debug?.("ssr", "Delegating asset-like request to Fastify notFound handler", { url: req.raw.url });
+      return reply.callNotFound();
+    }
+    const defaultConfig = processedConfigs[0];
+    if (!defaultConfig) {
+      logger.error?.("No default configuration found", { configCount: processedConfigs.length, url: req.raw.url });
+      throw AppError.internal("No default configuration found", {
+        details: { configCount: processedConfigs.length, url: req.raw.url }
+      });
+    }
+    const { clientRoot } = defaultConfig;
+    const cspNonce = req.cspNonce ?? void 0;
+    const template = ensureNonNull(maps.templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
+    const cssLink = maps.cssLinks.get(clientRoot);
+    const bootstrapModule = maps.bootstrapModules.get(clientRoot);
+    logger.debug?.("ssr", "Preparing not-found fallback HTML", {
+      clientRoot,
+      hasCssLink: Boolean(cssLink),
+      hasBootstrapModule: Boolean(bootstrapModule),
+      isDevelopment,
+      hasCspNonce: Boolean(cspNonce)
+    });
+    let processedTemplate = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
+    if (!isDevelopment && cssLink) {
+      processedTemplate = processedTemplate.replace("</head>", `${cssLink}</head>`);
+    }
+    if (bootstrapModule) {
+      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : "";
+      processedTemplate = processedTemplate.replace("</body>", `<script${nonceAttr} type="module" src="${bootstrapModule}" defer></script></body>`);
+    }
+    logger.debug?.("ssr", "Sending not-found fallback HTML", { status: 200 });
+    return reply.status(200).type("text/html").send(processedTemplate);
+  } catch (err) {
+    logger.error?.("handleNotFound failed", { error: err, url: req.url, clientRoot: processedConfigs[0]?.clientRoot });
+    throw AppError.internal("handleNotFound failed", err, {
+      stage: "handleNotFound",
+      url: req.url,
+      clientRoot: processedConfigs[0]?.clientRoot
+    });
+  }
+};
+
+// src/security/CSPReporting.ts
+var import_fastify_plugin2 = __toESM(require_plugin(), 1);
+function sanitiseContext(ctx) {
+  return {
+    userAgent: ctx.userAgent,
+    ip: ctx.ip,
+    referer: ctx.referer,
+    timestamp: ctx.timestamp
+    // headers: ctx.headers,
+  };
+}
+function logCspViolation(logger, report, context) {
+  logger.warn("CSP Violation", {
+    violation: {
+      documentUri: report["document-uri"],
+      violatedDirective: report["violated-directive"],
+      blockedUri: report["blocked-uri"],
+      sourceFile: report["source-file"],
+      line: report["line-number"],
+      column: report["column-number"],
+      scriptSample: report["script-sample"],
+      originalPolicy: report["original-policy"],
+      disposition: report.disposition
+    },
+    context: {
+      userAgent: context.userAgent,
+      ip: context.ip,
+      referer: context.referer,
+      timestamp: context.timestamp
+    }
+  });
+}
+var processCSPReport = (body, context, logger) => {
+  try {
+    const reportData = body?.["csp-report"] || body;
+    if (!reportData || typeof reportData !== "object") {
+      logger.warn("Ignoring malformed CSP report", {
+        bodyType: typeof body,
+        context: sanitiseContext(context)
+      });
+      return;
+    }
+    const documentUri = reportData["document-uri"] ?? reportData["documentURL"];
+    const violatedDirective = reportData["violated-directive"] ?? reportData["violatedDirective"];
+    if (!documentUri || !violatedDirective) {
+      logger.warn("Ignoring incomplete CSP report", {
+        hasDocumentUri: !!documentUri,
+        hasViolatedDirective: !!violatedDirective,
+        context: sanitiseContext(context)
+      });
+      return;
+    }
+    const violation = {
+      "document-uri": String(documentUri),
+      "violated-directive": String(violatedDirective),
+      "blocked-uri": reportData["blocked-uri"] ?? reportData["blockedURL"] ?? "",
+      "source-file": reportData["source-file"] ?? reportData["sourceFile"],
+      "line-number": reportData["line-number"] ?? reportData["lineNumber"],
+      "column-number": reportData["column-number"] ?? reportData["columnNumber"],
+      "script-sample": reportData["script-sample"] ?? reportData["sample"],
+      "original-policy": reportData["original-policy"] ?? reportData["originalPolicy"] ?? "",
+      disposition: reportData.disposition ?? "enforce"
+    };
+    logCspViolation(logger, violation, context);
+  } catch (processingError) {
+    logger.warn("CSP report processing failed", {
+      error: processingError instanceof Error ? processingError.message : String(processingError),
+      bodyType: typeof body,
+      context: sanitiseContext(context)
+    });
+  }
+};
+var cspReportPlugin = (0, import_fastify_plugin2.default)(
+  async (fastify, opts) => {
+    const { onViolation } = opts;
+    if (!opts.path || typeof opts.path !== "string") throw AppError.badRequest("CSP report path is required and must be a string");
+    const logger = createLogger({
+      debug: opts.debug,
+      context: { service: "csp-reporting" },
+      minLevel: "info"
+    });
+    fastify.post(opts.path, async (req, reply) => {
+      const context = {
+        userAgent: req.headers["user-agent"],
+        ip: req.ip,
+        referer: req.headers.referer,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        headers: req.headers,
+        __fastifyRequest: req
+        // onViolation callback
+      };
+      try {
+        processCSPReport(req.body, context, logger);
+        const reportData = req.body?.["csp-report"] || req.body;
+        if (onViolation && reportData && typeof reportData === "object") {
+          const documentUri = reportData["document-uri"] ?? reportData["documentURL"];
+          const violatedDirective = reportData["violated-directive"] ?? reportData["violatedDirective"];
+          if (documentUri && violatedDirective) {
+            const violation = {
+              "document-uri": String(documentUri),
+              "violated-directive": String(violatedDirective),
+              "blocked-uri": reportData["blocked-uri"] ?? reportData["blockedURL"] ?? "",
+              "source-file": reportData["source-file"] ?? reportData["sourceFile"],
+              "line-number": reportData["line-number"] ?? reportData["lineNumber"],
+              "column-number": reportData["column-number"] ?? reportData["columnNumber"],
+              "script-sample": reportData["script-sample"] ?? reportData["sample"],
+              "original-policy": reportData["original-policy"] ?? reportData["originalPolicy"] ?? "",
+              disposition: reportData.disposition ?? "enforce"
+            };
+            onViolation(violation, req);
+          }
+        }
+      } catch (err) {
+        logger.warn("CSP reporting route failed", {
+          error: err instanceof Error ? err.message : String(err)
+        });
+      }
+      reply.code(204).send();
+    });
+  },
+  { name: "taujs-csp-report-plugin" }
+);
+
+// src/SSRServer.ts
+var SSRServer = (0, import_fastify_plugin3.default)(
+  async (app, opts) => {
+    const { alias, configs, routes, serviceRegistry, clientRoot: baseClientRoot, security } = opts;
+    const logger = createLogger({
+      debug: opts.debug,
+      context: { component: "ssr-server" },
+      minLevel: process.env.NODE_ENV === "production" ? "info" : "debug",
+      includeContext: true,
+      singleLine: true
+    });
+    const maps = createMaps();
+    const processedConfigs = processConfigs(configs, baseClientRoot, TEMPLATE);
+    const routeMatchers = createRouteMatchers(routes);
+    let viteDevServer;
+    await loadAssets(
+      processedConfigs,
+      baseClientRoot,
+      maps.bootstrapModules,
+      maps.cssLinks,
+      maps.manifests,
+      maps.preloadLinks,
+      maps.renderModules,
+      maps.ssrManifests,
+      maps.templates,
+      {
+        debug: opts.debug,
+        logger
+      }
     );
     if (opts.registerStaticAssets && typeof opts.registerStaticAssets === "object") {
       const { plugin, options } = opts.registerStaticAssets;
@@ -541,187 +1595,420 @@ var SSRServer = (0, import_fastify_plugin2.default)(
         ...options ?? {}
       });
     }
+    if (security?.csp?.reporting) {
+      app.register(cspReportPlugin, {
+        path: security.csp.reporting.endpoint,
+        debug: opts.debug,
+        logger,
+        onViolation: security.csp.reporting.onViolation
+      });
+    }
     app.register(cspPlugin, {
       directives: opts.security?.csp?.directives,
-      generateCSP: opts.security?.csp?.generateCSP
+      generateCSP: opts.security?.csp?.generateCSP,
+      routeMatchers,
+      debug: opts.debug
     });
-    app.addHook("onRequest", createAuthHook(routes));
-    if (isDevelopment) {
-      const { createServer } = await import("vite");
-      viteDevServer = await createServer({
-        appType: "custom",
-        css: {
-          preprocessorOptions: {
-            scss: {
-              api: "modern-compiler"
-            }
-          }
-        },
-        mode: "development",
-        plugins: [
-          ...isDebug ? [
-            {
-              name: "taujs-development-server-debug-logging",
-              configureServer(server) {
-                logger.log(import_picocolors.default.green("\u03C4js development server debug started."));
-                server.middlewares.use((req, res, next) => {
-                  logger.log(import_picocolors.default.cyan(`\u2190 rx: ${req.url}`));
-                  res.on("finish", () => logger.log(import_picocolors.default.yellow(`\u2192 tx: ${req.url}`)));
-                  next();
-                });
-              }
-            }
-          ] : []
-        ],
-        resolve: {
-          alias: {
-            "@client": path2.resolve(baseClientRoot),
-            "@server": path2.resolve(__dirname),
-            "@shared": path2.resolve(__dirname, "../shared"),
-            ...alias
-          }
+    if (isDevelopment) viteDevServer = await setupDevServer(app, baseClientRoot, alias, opts.debug, opts.devNet);
+    app.addHook("onRequest", createAuthHook(routeMatchers, logger));
+    app.get("/*", async (req, reply) => {
+      await handleRender(req, reply, routeMatchers, processedConfigs, serviceRegistry, maps, {
+        debug: opts.debug,
+        logger,
+        viteDevServer
+      });
+    });
+    app.setNotFoundHandler(async (req, reply) => {
+      await handleNotFound(
+        req,
+        reply,
+        processedConfigs,
+        {
+          cssLinks: maps.cssLinks,
+          bootstrapModules: maps.bootstrapModules,
+          templates: maps.templates
         },
-        root: baseClientRoot,
-        server: {
-          middlewareMode: true,
-          hmr: {
-            port: 5174
-          }
+        {
+          debug: opts.debug,
+          logger
         }
+      );
+    });
+    app.setErrorHandler((err, req, reply) => {
+      const e = AppError.from(err);
+      logger.error(e.message, {
+        kind: e.kind,
+        httpStatus: e.httpStatus,
+        ...e.code && { code: e.code },
+        details: e.details,
+        method: req.method,
+        url: req.url,
+        route: req.routeOptions?.url,
+        stack: e.stack
       });
-      overrideCSSHMRConsoleError();
-      app.addHook("onRequest", async (request, reply) => {
-        await new Promise((resolve) => {
-          viteDevServer.middlewares(request.raw, reply.raw, () => {
-            if (!reply.sent) resolve();
-          });
-        });
-      });
+      if (!reply.raw.headersSent) {
+        const { status, body } = toHttp(e);
+        reply.status(status).send(body);
+      } else {
+        reply.raw.end();
+      }
+    });
+  },
+  { name: "\u03C4js-ssr-server" }
+);
+
+// src/CreateServer.ts
+var import_picocolors4 = __toESM(require_picocolors(), 1);
+import path5 from "path";
+import { performance as performance2 } from "perf_hooks";
+import fastifyStatic from "@fastify/static";
+import Fastify from "fastify";
+
+// src/Setup.ts
+import { performance } from "perf_hooks";
+var extractBuildConfigs = (config) => {
+  return config.apps.map(({ appId, entryPoint, plugins }) => ({
+    appId,
+    entryPoint,
+    plugins
+  }));
+};
+var extractRoutes = (taujsConfig) => {
+  const t0 = performance.now();
+  const allRoutes = [];
+  const apps = [];
+  const warnings = [];
+  const pathTracker = /* @__PURE__ */ new Map();
+  for (const app of taujsConfig.apps) {
+    const appRoutes = (app.routes ?? []).map((route) => {
+      const fullRoute = { ...route, appId: app.appId };
+      if (!pathTracker.has(route.path)) pathTracker.set(route.path, []);
+      pathTracker.get(route.path).push(app.appId);
+      return fullRoute;
+    });
+    apps.push({ appId: app.appId, routeCount: appRoutes.length });
+    allRoutes.push(...appRoutes);
+  }
+  for (const [path6, appIds] of pathTracker.entries()) {
+    if (appIds.length > 1) warnings.push(`Route path "${path6}" is declared in multiple apps: ${appIds.join(", ")}`);
+  }
+  const sortedRoutes = allRoutes.sort((a, b) => computeScore(b.path) - computeScore(a.path));
+  const durationMs = performance.now() - t0;
+  return {
+    routes: sortedRoutes,
+    apps,
+    totalRoutes: allRoutes.length,
+    durationMs,
+    warnings
+  };
+};
+var extractSecurity = (taujsConfig) => {
+  const t0 = performance.now();
+  const user = taujsConfig.security ?? {};
+  const userCsp = user.csp;
+  const hasExplicitCSP = !!userCsp;
+  const normalisedCsp = userCsp ? {
+    defaultMode: userCsp.defaultMode ?? "merge",
+    directives: userCsp.directives,
+    generateCSP: userCsp.generateCSP,
+    reporting: userCsp.reporting ? {
+      endpoint: userCsp.reporting.endpoint,
+      onViolation: userCsp.reporting.onViolation,
+      reportOnly: userCsp.reporting.reportOnly ?? false
+    } : void 0
+  } : void 0;
+  const security = { csp: normalisedCsp };
+  const summary = {
+    mode: hasExplicitCSP ? "explicit" : "dev-defaults",
+    defaultMode: normalisedCsp?.defaultMode ?? "merge",
+    hasReporting: !!normalisedCsp?.reporting?.endpoint,
+    reportOnly: !!normalisedCsp?.reporting?.reportOnly
+  };
+  const durationMs = performance.now() - t0;
+  return {
+    security,
+    durationMs,
+    hasExplicitCSP,
+    summary
+  };
+};
+function printConfigSummary(logger, apps, configsCount, totalRoutes, durationMs, warnings) {
+  logger.info(`${CONTENT.TAG} [config] Loaded ${configsCount} app(s), ${totalRoutes} route(s) in ${durationMs.toFixed(1)}ms`);
+  apps.forEach((a) => logger.debug("routes", `\u2022 ${a.appId}: ${a.routeCount} route(s)`));
+  warnings.forEach((w) => logger.warn(`${CONTENT.TAG} [warn] ${w}`));
+}
+function printSecuritySummary(logger, routes, security, hasExplicitCSP, securityDurationMs) {
+  const total = routes.length;
+  const disabled = routes.filter((r) => r.attr?.middleware?.csp === false).length;
+  const custom = routes.filter((r) => {
+    const v = r.attr?.middleware?.csp;
+    return v !== void 0 && v !== false;
+  }).length;
+  const enabled = total - disabled;
+  const hasReporting = !!security.csp?.reporting?.endpoint;
+  const mode = security.csp?.defaultMode ?? "merge";
+  let status = "configured";
+  let detail = "";
+  if (hasExplicitCSP) {
+    detail = `explicit, mode=${mode}`;
+    if (hasReporting) detail += ", reporting";
+    if (custom > 0) detail += `, ${custom} route override(s)`;
+  } else {
+    if (process.env.NODE_ENV === "production") {
+      logger.warn("(consider explicit config for production)");
     }
-    app.get("/*", async (req, reply) => {
-      try {
-        if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
-        const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
-        const matchedRoute = matchRoute(url, routes);
-        const cspNonce = req.cspNonce;
-        if (!matchedRoute) {
-          reply.callNotFound();
-          return;
-        }
-        const { route, params } = matchedRoute;
-        const { attr, appId } = route;
-        const config = processedConfigs.find((config2) => config2.appId === appId) || processedConfigs[0];
-        if (!config) throw new Error("No configuration found for the request.");
-        const { clientRoot, entryServer } = config;
-        let template = ensureNonNull(templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
-        const bootstrapModule = bootstrapModules.get(clientRoot);
-        const cssLink = cssLinks.get(clientRoot);
-        const manifest = manifests.get(clientRoot);
-        const preloadLink = preloadLinks.get(clientRoot);
-        const ssrManifest = ssrManifests.get(clientRoot);
-        let renderModule;
-        if (isDevelopment) {
-          template = template.replace(/<script type="module" src="\/@vite\/client"><\/script>/g, "");
-          template = template.replace(/<style type="text\/css">[\s\S]*?<\/style>/g, "");
-          const entryServerPath = path2.join(clientRoot, `${entryServer}.tsx`);
-          const executedModule = await viteDevServer.ssrLoadModule(entryServerPath);
-          renderModule = executedModule;
-          const styles = await collectStyle(viteDevServer, [entryServerPath]);
-          template = template?.replace("</head>", `<style type="text/css">${styles}</style></head>`);
-          template = await viteDevServer.transformIndexHtml(url, template);
-        } else {
-          renderModule = renderModules.get(clientRoot);
-          if (!renderModule) {
-            const renderModulePath = path2.join(clientRoot, `${entryServer}.js`);
-            const importedModule = await import(renderModulePath);
-            renderModule = importedModule;
-            renderModules.set(clientRoot, renderModule);
-          }
-        }
-        const renderType = attr?.render || RENDERTYPE.ssr;
-        const [beforeBody = "", afterBody = ""] = template.split(SSRTAG.ssrHtml);
-        const [beforeHead = "", afterHead = ""] = beforeBody.split(SSRTAG.ssrHead);
-        const initialDataPromise = fetchInitialData(attr, params, serviceRegistry);
-        if (renderType === RENDERTYPE.ssr) {
-          const { renderSSR } = renderModule;
-          const initialDataResolved = await initialDataPromise;
-          const initialDataScript = `<script nonce="${cspNonce}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`;
-          const { headContent, appHtml } = await renderSSR(initialDataResolved, req.url, attr?.meta);
-          let aggregateHeadContent = headContent;
-          if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
-          if (manifest && cssLink) aggregateHeadContent += cssLink;
-          const shouldHydrate = attr?.hydrate !== false;
-          const bootstrapScriptTag = shouldHydrate ? `<script nonce="${cspNonce}" type="module" src="${bootstrapModule}" defer></script>` : "";
-          const fullHtml = template.replace(SSRTAG.ssrHead, aggregateHeadContent).replace(SSRTAG.ssrHtml, `${appHtml}${initialDataScript}${bootstrapScriptTag}`);
-          return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
-        } else {
-          const { renderStream } = renderModule;
-          const cspNonce2 = req.cspNonce;
-          const cspHeader = reply.getHeader("Content-Security-Policy");
-          reply.raw.writeHead(200, {
-            "Content-Security-Policy": cspHeader,
-            "Content-Type": "text/html"
-          });
-          renderStream(
-            reply.raw,
-            {
-              onHead: (headContent) => {
-                let aggregateHeadContent = headContent;
-                if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
-                if (manifest && cssLink) aggregateHeadContent += cssLink;
-                reply.raw.write(`${beforeHead}${aggregateHeadContent}${afterHead}`);
-              },
-              onFinish: async (initialDataResolved) => {
-                reply.raw.write(
-                  `<script nonce="${cspNonce2}">window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")}</script>`
-                );
-                reply.raw.write(afterBody);
-                reply.raw.end();
-              },
-              onError: (error) => {
-                console.error("Critical rendering onError:", error);
-                reply.raw.end("Internal Server Error");
-              }
-            },
-            initialDataPromise,
-            req.url,
-            bootstrapModule,
-            attr?.meta,
-            cspNonce2
-          );
+  }
+  logger.info(`${CONTENT.TAG} [security] CSP ${status} (${enabled}/${total} routes) in ${securityDurationMs.toFixed(1)}ms`);
+}
+function printContractReport(logger, report) {
+  for (const r of report.items) {
+    const line = `${CONTENT.TAG} [security][${r.key}] ${r.message}`;
+    if (r.status === "error") {
+      logger.error(line);
+    } else if (r.status === "warning") {
+      logger.warn(line);
+    } else if (r.status === "skipped") {
+      logger.debug(r.key, line);
+    } else {
+      logger.info(line);
+    }
+  }
+}
+var computeScore = (path6) => {
+  return path6.split("/").filter(Boolean).reduce((score, segment) => score + (segment.startsWith(":") ? 1 : 10), 0);
+};
+
+// src/network/Network.ts
+var import_picocolors3 = __toESM(require_picocolors(), 1);
+import { networkInterfaces } from "os";
+var isPrivateIPv4 = (addr) => {
+  if (!/^\d+\.\d+\.\d+\.\d+$/.test(addr)) return false;
+  const [a, b, _c, _d] = addr.split(".").map(Number);
+  if (a === 10) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  return false;
+};
+var bannerPlugin = async (fastify, options) => {
+  const logger = createLogger({ debug: options.debug });
+  const dbgNetwork = logger.isDebugEnabled("network");
+  fastify.decorate("showBanner", function showBanner() {
+    const addr = this.server.address();
+    if (!addr || typeof addr === "string") return;
+    const { address, port } = addr;
+    const boundHost = address === "::1" ? "localhost" : address === "::" ? "::" : address === "0.0.0.0" ? "0.0.0.0" : address;
+    console.log(`\u2503 Local    ${import_picocolors3.default.bold(`http://localhost:${port}/`)}`);
+    if (boundHost === "localhost" || boundHost === "127.0.0.1") {
+      console.log("\u2503 Network  use --host to expose\n");
+      return;
+    }
+    const nets = networkInterfaces();
+    let networkAddress = null;
+    for (const ifaces of Object.values(nets)) {
+      if (!ifaces) continue;
+      for (const iface of ifaces) {
+        if (iface.internal || iface.family !== "IPv4") continue;
+        if (isPrivateIPv4(iface.address)) {
+          networkAddress = iface.address;
+          break;
         }
-      } catch (error) {
-        console.error("Error setting up SSR stream:", error);
-        if (!reply.raw.headersSent) reply.raw.writeHead(500, { "Content-Type": "text/plain" });
-        reply.raw.end("Internal Server Error");
+        if (!networkAddress) networkAddress = iface.address;
       }
-    });
-    app.setNotFoundHandler(async (req, reply) => {
-      if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
-      try {
-        const defaultConfig = processedConfigs[0];
-        if (!defaultConfig) throw new Error("No default configuration found.");
-        const { clientRoot } = defaultConfig;
-        const cspNonce = req.cspNonce;
-        let template = ensureNonNull(templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
-        const cssLink = cssLinks.get(clientRoot);
-        const bootstrapModule = bootstrapModules.get(clientRoot);
-        template = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
-        if (!isDevelopment && cssLink) template = template.replace("</head>", `${cssLink}</head>`);
-        if (bootstrapModule)
-          template = template.replace("</body>", `<script nonce="${cspNonce}" type="module" src="${bootstrapModule}" defer></script></body>`);
-        reply.status(200).type("text/html").send(template);
-      } catch (error) {
-        console.error("Failed to serve clientHtmlTemplate:", error);
-        reply.status(500).send("Internal Server Error");
+      if (networkAddress && isPrivateIPv4(networkAddress)) break;
+    }
+    if (networkAddress) {
+      console.log(`\u2503 Network  http://${networkAddress}:${port}/
+`);
+      if (dbgNetwork) logger.warn(import_picocolors3.default.yellow(`${CONTENT.TAG} [network] Dev server exposed on network - for local testing only.`));
+    }
+    logger.info(import_picocolors3.default.green(`${CONTENT.TAG} [network] Bound to host: ${boundHost}`));
+  });
+  fastify.addHook("onReady", async function() {
+    if (this.server.listening) {
+      this.showBanner();
+      return;
+    }
+    this.server.once("listening", () => this.showBanner());
+  });
+};
+
+// src/network/CLI.ts
+function readFlag(argv, keys, bareValue) {
+  const end = argv.indexOf("--");
+  const limit = end === -1 ? argv.length : end;
+  for (let i = 0; i < limit; i++) {
+    const arg = argv[i];
+    for (const key of keys) {
+      if (arg === key) {
+        const next = argv[i + 1];
+        if (!next || next.startsWith("-")) return bareValue;
+        return next.trim();
+      }
+      const pref = `${key}=`;
+      if (arg && arg.startsWith(pref)) {
+        const v = arg.slice(pref.length).trim();
+        return v || bareValue;
       }
+    }
+  }
+  return void 0;
+}
+function resolveNet(input) {
+  const env = process.env;
+  const argv = process.argv;
+  let host = "localhost";
+  let port = 5173;
+  let hmrPort = 5174;
+  if (input?.host) host = input.host;
+  if (Number.isFinite(input?.port)) port = Number(input.port);
+  if (Number.isFinite(input?.hmrPort)) hmrPort = Number(input.hmrPort);
+  if (env.HOST?.trim()) host = env.HOST.trim();
+  else if (env.FASTIFY_ADDRESS?.trim()) host = env.FASTIFY_ADDRESS.trim();
+  if (env.PORT) port = Number(env.PORT) || port;
+  if (env.FASTIFY_PORT) port = Number(env.FASTIFY_PORT) || port;
+  if (env.HMR_PORT) hmrPort = Number(env.HMR_PORT) || hmrPort;
+  const cliHost = readFlag(argv, ["--host", "--hostname", "-H"], "0.0.0.0");
+  const cliPort = readFlag(argv, ["--port", "-p"]);
+  const cliHMR = readFlag(argv, ["--hmr-port"]);
+  if (cliHost) host = cliHost;
+  if (cliPort) port = Number(cliPort) || port;
+  if (cliHMR) hmrPort = Number(cliHMR) || hmrPort;
+  if (host === "true" || host === "") host = "0.0.0.0";
+  return { host, port, hmrPort };
+}
+
+// src/security/VerifyMiddleware.ts
+var isAuthRequired = (route) => Boolean(route.attr?.middleware?.auth);
+var hasAuthenticate = (app) => typeof app.authenticate === "function";
+function formatCspLoadedMsg(hasGlobal, custom) {
+  if (hasGlobal) {
+    return custom > 0 ? `Loaded global config with ${custom} route override(s)` : "Loaded global config";
+  }
+  return custom > 0 ? `Loaded development defaults with ${custom} route override(s)` : "Loaded development defaults";
+}
+var verifyContracts = (app, routes, contracts, security) => {
+  const items = [];
+  for (const contract of contracts) {
+    const isRequired = contract.required(routes, security);
+    if (!isRequired) {
+      items.push({
+        key: contract.key,
+        status: "skipped",
+        message: `No routes require "${contract.key}"`
+      });
+      continue;
+    }
+    if (!contract.verify(app)) {
+      const msg = `[\u03C4js] ${contract.errorMessage}`;
+      items.push({ key: contract.key, status: "error", message: msg });
+      throw new Error(msg);
+    }
+    if (contract.key === "csp") {
+      const total = routes.length;
+      const disabled = routes.filter((r) => r.attr?.middleware?.csp === false).length;
+      const custom = routes.filter((r) => {
+        const v = r.attr?.middleware?.csp;
+        return v !== void 0 && v !== false;
+      }).length;
+      const enabled = total - disabled;
+      const hasGlobal = !!security?.csp;
+      let status = "verified";
+      let tail = "";
+      if (!hasGlobal && process.env.NODE_ENV === "production") {
+        status = "warning";
+        tail = " (consider adding global CSP for production)";
+      }
+      const baseMsg = formatCspLoadedMsg(hasGlobal, custom);
+      items.push({
+        key: "csp",
+        status,
+        message: baseMsg + tail
+      });
+      items.push({
+        key: "csp",
+        status,
+        message: `\u2713 Verified (${enabled} enabled, ${disabled} disabled, ${total} total). ` + tail
+      });
+    } else {
+      const count = routes.filter((r) => contract.required([r], security)).length;
+      items.push({
+        key: contract.key,
+        status: "verified",
+        message: `\u2713 ${count} route(s)`
+      });
+    }
+  }
+  return { items };
+};
+
+// src/CreateServer.ts
+var createServer = async (opts) => {
+  const t0 = performance2.now();
+  const clientRoot = opts.clientRoot ?? path5.resolve(process.cwd(), "client");
+  const app = opts.fastify ?? Fastify({ logger: false });
+  const net = resolveNet(opts.config.server);
+  await app.register(bannerPlugin, {
+    debug: opts.debug,
+    hmr: { host: net.host, port: net.hmrPort }
+  });
+  const logger = createLogger({
+    debug: opts.debug,
+    custom: opts.logger,
+    minLevel: process.env.NODE_ENV === "production" ? "info" : "debug",
+    includeContext: true
+  });
+  const configs = extractBuildConfigs(opts.config);
+  const { routes, apps, totalRoutes, durationMs, warnings } = extractRoutes(opts.config);
+  const { security, durationMs: securityDuration, hasExplicitCSP } = extractSecurity(opts.config);
+  printConfigSummary(logger, apps, configs.length, totalRoutes, durationMs, warnings);
+  printSecuritySummary(logger, routes, security, hasExplicitCSP, securityDuration);
+  const report = verifyContracts(
+    app,
+    routes,
+    [
+      {
+        key: "auth",
+        required: (rts) => rts.some(isAuthRequired),
+        verify: hasAuthenticate,
+        errorMessage: "Routes require auth but Fastify is missing .authenticate decorator."
+      },
+      {
+        key: "csp",
+        required: () => true,
+        verify: () => true,
+        errorMessage: "CSP plugin failed to register."
+      }
+    ],
+    security
+  );
+  printContractReport(logger, report);
+  try {
+    await app.register(SSRServer, {
+      clientRoot,
+      configs,
+      routes,
+      serviceRegistry: opts.serviceRegistry,
+      registerStaticAssets: opts.registerStaticAssets !== void 0 ? opts.registerStaticAssets : { plugin: fastifyStatic },
+      debug: opts.debug,
+      alias: opts.alias,
+      security,
+      devNet: { host: net.host, hmrPort: net.hmrPort }
     });
-  },
-  { name: "taujs-ssr-server" }
-);
+  } catch (err) {
+    logger.error("Failed to register SSRServer", {
+      step: "register:SSRServer",
+      error: normaliseError(err)
+    });
+  }
+  const t1 = performance2.now();
+  console.log(`
+${import_picocolors4.default.bgGreen(import_picocolors4.default.black(` ${CONTENT.TAG} `))} configured in ${(t1 - t0).toFixed(0)}ms
+`);
+  if (opts.fastify) return { net };
+  return { app, net };
+};
 export {
   SSRServer,
   TEMPLATE,
-  createMaps,
-  processConfigs
+  createServer
 };