@taujs/server 0.4.0 → 0.4.1

package/dist/index.js

@@ -24,6 +24,79 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// node_modules/picocolors/picocolors.js
+var require_picocolors = __commonJS({
+  "node_modules/picocolors/picocolors.js"(exports, module) {
+    "use strict";
+    var p = process || {};
+    var argv = p.argv || [];
+    var env = p.env || {};
+    var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env.TERM !== "dumb" || !!env.CI);
+    var formatter = (open, close, replace = open) => (input) => {
+      let string = "" + input, index = string.indexOf(close, open.length);
+      return ~index ? open + replaceClose(string, close, replace, index) + close : open + string + close;
+    };
+    var replaceClose = (string, close, replace, index) => {
+      let result = "", cursor = 0;
+      do {
+        result += string.substring(cursor, index) + replace;
+        cursor = index + close.length;
+        index = string.indexOf(close, cursor);
+      } while (~index);
+      return result + string.substring(cursor);
+    };
+    var createColors = (enabled = isColorSupported) => {
+      let f = enabled ? formatter : () => String;
+      return {
+        isColorSupported: enabled,
+        reset: f("\x1B[0m", "\x1B[0m"),
+        bold: f("\x1B[1m", "\x1B[22m", "\x1B[22m\x1B[1m"),
+        dim: f("\x1B[2m", "\x1B[22m", "\x1B[22m\x1B[2m"),
+        italic: f("\x1B[3m", "\x1B[23m"),
+        underline: f("\x1B[4m", "\x1B[24m"),
+        inverse: f("\x1B[7m", "\x1B[27m"),
+        hidden: f("\x1B[8m", "\x1B[28m"),
+        strikethrough: f("\x1B[9m", "\x1B[29m"),
+        black: f("\x1B[30m", "\x1B[39m"),
+        red: f("\x1B[31m", "\x1B[39m"),
+        green: f("\x1B[32m", "\x1B[39m"),
+        yellow: f("\x1B[33m", "\x1B[39m"),
+        blue: f("\x1B[34m", "\x1B[39m"),
+        magenta: f("\x1B[35m", "\x1B[39m"),
+        cyan: f("\x1B[36m", "\x1B[39m"),
+        white: f("\x1B[37m", "\x1B[39m"),
+        gray: f("\x1B[90m", "\x1B[39m"),
+        bgBlack: f("\x1B[40m", "\x1B[49m"),
+        bgRed: f("\x1B[41m", "\x1B[49m"),
+        bgGreen: f("\x1B[42m", "\x1B[49m"),
+        bgYellow: f("\x1B[43m", "\x1B[49m"),
+        bgBlue: f("\x1B[44m", "\x1B[49m"),
+        bgMagenta: f("\x1B[45m", "\x1B[49m"),
+        bgCyan: f("\x1B[46m", "\x1B[49m"),
+        bgWhite: f("\x1B[47m", "\x1B[49m"),
+        blackBright: f("\x1B[90m", "\x1B[39m"),
+        redBright: f("\x1B[91m", "\x1B[39m"),
+        greenBright: f("\x1B[92m", "\x1B[39m"),
+        yellowBright: f("\x1B[93m", "\x1B[39m"),
+        blueBright: f("\x1B[94m", "\x1B[39m"),
+        magentaBright: f("\x1B[95m", "\x1B[39m"),
+        cyanBright: f("\x1B[96m", "\x1B[39m"),
+        whiteBright: f("\x1B[97m", "\x1B[39m"),
+        bgBlackBright: f("\x1B[100m", "\x1B[49m"),
+        bgRedBright: f("\x1B[101m", "\x1B[49m"),
+        bgGreenBright: f("\x1B[102m", "\x1B[49m"),
+        bgYellowBright: f("\x1B[103m", "\x1B[49m"),
+        bgBlueBright: f("\x1B[104m", "\x1B[49m"),
+        bgMagentaBright: f("\x1B[105m", "\x1B[49m"),
+        bgCyanBright: f("\x1B[106m", "\x1B[49m"),
+        bgWhiteBright: f("\x1B[107m", "\x1B[49m")
+      };
+    };
+    module.exports = createColors();
+    module.exports.createColors = createColors;
+  }
+});
+
 // node_modules/fastify-plugin/lib/getPluginName.js
 var require_getPluginName = __commonJS({
   "node_modules/fastify-plugin/lib/getPluginName.js"(exports, module) {
@@ -114,84 +187,15 @@ var require_plugin = __commonJS({
   }
 });
 
-// node_modules/picocolors/picocolors.js
-var require_picocolors = __commonJS({
-  "node_modules/picocolors/picocolors.js"(exports, module) {
-    "use strict";
-    var p = process || {};
-    var argv = p.argv || [];
-    var env = p.env || {};
-    var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env.TERM !== "dumb" || !!env.CI);
-    var formatter = (open, close, replace = open) => (input) => {
-      let string = "" + input, index = string.indexOf(close, open.length);
-      return ~index ? open + replaceClose(string, close, replace, index) + close : open + string + close;
-    };
-    var replaceClose = (string, close, replace, index) => {
-      let result = "", cursor = 0;
-      do {
-        result += string.substring(cursor, index) + replace;
-        cursor = index + close.length;
-        index = string.indexOf(close, cursor);
-      } while (~index);
-      return result + string.substring(cursor);
-    };
-    var createColors = (enabled = isColorSupported) => {
-      let f = enabled ? formatter : () => String;
-      return {
-        isColorSupported: enabled,
-        reset: f("\x1B[0m", "\x1B[0m"),
-        bold: f("\x1B[1m", "\x1B[22m", "\x1B[22m\x1B[1m"),
-        dim: f("\x1B[2m", "\x1B[22m", "\x1B[22m\x1B[2m"),
-        italic: f("\x1B[3m", "\x1B[23m"),
-        underline: f("\x1B[4m", "\x1B[24m"),
-        inverse: f("\x1B[7m", "\x1B[27m"),
-        hidden: f("\x1B[8m", "\x1B[28m"),
-        strikethrough: f("\x1B[9m", "\x1B[29m"),
-        black: f("\x1B[30m", "\x1B[39m"),
-        red: f("\x1B[31m", "\x1B[39m"),
-        green: f("\x1B[32m", "\x1B[39m"),
-        yellow: f("\x1B[33m", "\x1B[39m"),
-        blue: f("\x1B[34m", "\x1B[39m"),
-        magenta: f("\x1B[35m", "\x1B[39m"),
-        cyan: f("\x1B[36m", "\x1B[39m"),
-        white: f("\x1B[37m", "\x1B[39m"),
-        gray: f("\x1B[90m", "\x1B[39m"),
-        bgBlack: f("\x1B[40m", "\x1B[49m"),
-        bgRed: f("\x1B[41m", "\x1B[49m"),
-        bgGreen: f("\x1B[42m", "\x1B[49m"),
-        bgYellow: f("\x1B[43m", "\x1B[49m"),
-        bgBlue: f("\x1B[44m", "\x1B[49m"),
-        bgMagenta: f("\x1B[45m", "\x1B[49m"),
-        bgCyan: f("\x1B[46m", "\x1B[49m"),
-        bgWhite: f("\x1B[47m", "\x1B[49m"),
-        blackBright: f("\x1B[90m", "\x1B[39m"),
-        redBright: f("\x1B[91m", "\x1B[39m"),
-        greenBright: f("\x1B[92m", "\x1B[39m"),
-        yellowBright: f("\x1B[93m", "\x1B[39m"),
-        blueBright: f("\x1B[94m", "\x1B[39m"),
-        magentaBright: f("\x1B[95m", "\x1B[39m"),
-        cyanBright: f("\x1B[96m", "\x1B[39m"),
-        whiteBright: f("\x1B[97m", "\x1B[39m"),
-        bgBlackBright: f("\x1B[100m", "\x1B[49m"),
-        bgRedBright: f("\x1B[101m", "\x1B[49m"),
-        bgGreenBright: f("\x1B[102m", "\x1B[49m"),
-        bgYellowBright: f("\x1B[103m", "\x1B[49m"),
-        bgBlueBright: f("\x1B[104m", "\x1B[49m"),
-        bgMagentaBright: f("\x1B[105m", "\x1B[49m"),
-        bgCyanBright: f("\x1B[106m", "\x1B[49m"),
-        bgWhiteBright: f("\x1B[107m", "\x1B[49m")
-      };
-    };
-    module.exports = createColors();
-    module.exports.createColors = createColors;
-  }
-});
-
-// src/fastify.d.ts
-import "fastify";
+// src/CreateServer.ts
+var import_picocolors4 = __toESM(require_picocolors(), 1);
+import path5 from "path";
+import { performance as performance2 } from "perf_hooks";
+import fastifyStatic from "@fastify/static";
+import Fastify from "fastify";
 
-// src/SSRServer.ts
-var import_fastify_plugin3 = __toESM(require_plugin(), 1);
+// src/Setup.ts
+import { performance } from "perf_hooks";
 
 // src/constants.ts
 var import_picocolors = __toESM(require_picocolors(), 1);
@@ -231,351 +235,148 @@ var REGEX = {
   SAFE_TRACE: /^[a-zA-Z0-9-_:.]{1,128}$/
 };
 
-// src/logging/AppError.ts
-var HTTP_STATUS = {
-  infra: 500,
-  upstream: 502,
-  domain: 404,
-  validation: 400,
-  auth: 403,
-  canceled: 499,
-  // Client Closed Request (nginx convention)
-  timeout: 504
+// src/Setup.ts
+var extractBuildConfigs = (config) => {
+  return config.apps.map(({ appId, entryPoint, plugins }) => ({
+    appId,
+    entryPoint,
+    plugins
+  }));
 };
-var AppError = class _AppError extends Error {
-  kind;
-  httpStatus;
-  details;
-  safeMessage;
-  code;
-  constructor(message, kind, options = {}) {
-    super(message);
-    this.name = "AppError";
-    Object.setPrototypeOf(this, new.target.prototype);
-    if (options.cause !== void 0) {
-      Object.defineProperty(this, "cause", {
-        value: options.cause,
-        enumerable: false,
-        writable: false,
-        configurable: true
-      });
-    }
-    this.kind = kind;
-    this.httpStatus = options.httpStatus ?? HTTP_STATUS[kind];
-    this.details = options.details;
-    this.safeMessage = options.safeMessage ?? this.getSafeMessage(kind, message);
-    this.code = options.code;
-    if (Error.captureStackTrace) Error.captureStackTrace(this, this.constructor);
-  }
-  getSafeMessage(kind, message) {
-    return kind === "domain" || kind === "validation" || kind === "auth" ? message : "Internal Server Error";
-  }
-  serialiseValue(value, seen = /* @__PURE__ */ new WeakSet()) {
-    if (value === null || value === void 0) return value;
-    if (typeof value !== "object") return value;
-    if (seen.has(value)) return "[circular]";
-    seen.add(value);
-    if (value instanceof Error) {
-      return {
-        name: value.name,
-        message: value.message,
-        stack: value.stack,
-        ...value instanceof _AppError && {
-          kind: value.kind,
-          httpStatus: value.httpStatus,
-          code: value.code
-        }
-      };
-    }
-    if (Array.isArray(value)) return value.map((item) => this.serialiseValue(item, seen));
-    const result = {};
-    for (const [key, val] of Object.entries(value)) {
-      result[key] = this.serialiseValue(val, seen);
-    }
-    return result;
-  }
-  toJSON() {
-    return {
-      name: this.name,
-      kind: this.kind,
-      message: this.message,
-      safeMessage: this.safeMessage,
-      httpStatus: this.httpStatus,
-      ...this.code && { code: this.code },
-      details: this.serialiseValue(this.details),
-      stack: this.stack,
-      ...this.cause && {
-        cause: this.serialiseValue(this.cause)
-      }
-    };
+var extractRoutes = (taujsConfig) => {
+  const t0 = performance.now();
+  const allRoutes = [];
+  const apps = [];
+  const warnings = [];
+  const pathTracker = /* @__PURE__ */ new Map();
+  for (const app of taujsConfig.apps) {
+    const appRoutes = (app.routes ?? []).map((route) => {
+      const fullRoute = { ...route, appId: app.appId };
+      if (!pathTracker.has(route.path)) pathTracker.set(route.path, []);
+      pathTracker.get(route.path).push(app.appId);
+      return fullRoute;
+    });
+    apps.push({ appId: app.appId, routeCount: appRoutes.length });
+    allRoutes.push(...appRoutes);
   }
-  static notFound(message, details, code) {
-    return new _AppError(message, "domain", { httpStatus: 404, details, code });
+  for (const [path7, appIds] of pathTracker.entries()) {
+    if (appIds.length > 1) warnings.push(`Route path "${path7}" is declared in multiple apps: ${appIds.join(", ")}`);
   }
-  static forbidden(message, details, code) {
-    return new _AppError(message, "auth", { httpStatus: 403, details, code });
-  }
-  static badRequest(message, details, code) {
-    return new _AppError(message, "validation", { httpStatus: 400, details, code });
-  }
-  static unprocessable(message, details, code) {
-    return new _AppError(message, "validation", { httpStatus: 422, details, code });
-  }
-  static timeout(message, details, code) {
-    return new _AppError(message, "timeout", { details, code });
-  }
-  static canceled(message, details, code) {
-    return new _AppError(message, "canceled", { details, code });
-  }
-  static internal(message, cause, details, code) {
-    return new _AppError(message, "infra", { cause, details, code });
-  }
-  static upstream(message, cause, details, code) {
-    return new _AppError(message, "upstream", { cause, details, code });
-  }
-  static serviceUnavailable(message, cause, details, code) {
-    return new _AppError(message, "infra", { httpStatus: 503, cause, details, code });
-  }
-  static from(err, fallback = "Internal error") {
-    return err instanceof _AppError ? err : _AppError.internal(err?.message ?? fallback, err);
-  }
-};
-function normaliseError(e) {
-  if (e instanceof Error) return { name: e.name, message: e.message, stack: e.stack };
-  const hasMessageProp = e != null && typeof e.message !== "undefined";
-  const msg = hasMessageProp ? String(e.message) : String(e);
-  return { name: "Error", message: msg };
-}
-function toReason(e) {
-  if (e instanceof Error) return e;
-  if (e === null) return new Error("null");
-  if (typeof e === "undefined") return new Error("Unknown render error");
-  const maybeMsg = e?.message;
-  if (typeof maybeMsg !== "undefined") return new Error(String(maybeMsg));
-  return new Error(String(e));
-}
-
-// src/logging/utils/index.ts
-var httpStatusFrom = (err, fallback = 500) => err instanceof AppError ? err.httpStatus : fallback;
-var toHttp = (err) => {
-  const app = AppError.from(err);
-  const status = httpStatusFrom(app);
-  const errorMessage = app.safeMessage;
+  const sortedRoutes = allRoutes.sort((a, b) => computeScore(b.path) - computeScore(a.path));
+  const durationMs = performance.now() - t0;
   return {
-    status,
-    body: {
-      error: errorMessage,
-      ...app.code && { code: app.code },
-      statusText: statusText(status)
-    }
+    routes: sortedRoutes,
+    apps,
+    totalRoutes: allRoutes.length,
+    durationMs,
+    warnings
   };
 };
-var statusText = (status) => {
-  const map = {
-    400: "Bad Request",
-    401: "Unauthorized",
-    403: "Forbidden",
-    404: "Not Found",
-    405: "Method Not Allowed",
-    408: "Request Timeout",
-    422: "Unprocessable Entity",
-    429: "Too Many Requests",
-    499: "Client Closed Request",
-    500: "Internal Server Error",
-    502: "Bad Gateway",
-    503: "Service Unavailable",
-    504: "Gateway Timeout"
+var extractSecurity = (taujsConfig) => {
+  const t0 = performance.now();
+  const user = taujsConfig.security ?? {};
+  const userCsp = user.csp;
+  const hasExplicitCSP = !!userCsp;
+  const normalisedCsp = userCsp ? {
+    defaultMode: userCsp.defaultMode ?? "merge",
+    directives: userCsp.directives,
+    generateCSP: userCsp.generateCSP,
+    reporting: userCsp.reporting ? {
+      endpoint: userCsp.reporting.endpoint,
+      onViolation: userCsp.reporting.onViolation,
+      reportOnly: userCsp.reporting.reportOnly ?? false
+    } : void 0
+  } : void 0;
+  const security = { csp: normalisedCsp };
+  const summary = {
+    mode: hasExplicitCSP ? "explicit" : "dev-defaults",
+    defaultMode: normalisedCsp?.defaultMode ?? "merge",
+    hasReporting: !!normalisedCsp?.reporting?.endpoint,
+    reportOnly: !!normalisedCsp?.reporting?.reportOnly
+  };
+  const durationMs = performance.now() - t0;
+  return {
+    security,
+    durationMs,
+    hasExplicitCSP,
+    summary
   };
-  return map[status] ?? "Error";
 };
-
-// src/utils/DataRoutes.ts
-import { match } from "path-to-regexp";
-
-// src/utils/DataServices.ts
-async function callServiceMethod(registry, serviceName, methodName, params, ctx) {
-  if (ctx.signal?.aborted) throw AppError.timeout("Request canceled");
-  const service = registry[serviceName];
-  if (!service) throw AppError.notFound(`Unknown service: ${serviceName}`);
-  const desc = service[methodName];
-  if (!desc) throw AppError.notFound(`Unknown method: ${serviceName}.${methodName}`);
-  const logger = ctx.logger?.child({
-    component: "service-call",
-    service: serviceName,
-    method: methodName,
-    traceId: ctx.traceId
-  });
-  try {
-    const p = desc.parsers?.params ? desc.parsers.params(params) : params;
-    const data = await desc.handler(p, ctx);
-    const out = desc.parsers?.result ? desc.parsers.result(data) : data;
-    if (typeof out !== "object" || out === null) throw AppError.internal(`Non-object result from ${serviceName}.${methodName}`);
-    return out;
-  } catch (err) {
-    logger?.error("Service method failed", {
-      params,
-      error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err)
-    });
-    throw err;
-  }
+function printConfigSummary(logger, apps, configsCount, totalRoutes, durationMs, warnings) {
+  logger.info({}, `${CONTENT.TAG} [config] Loaded ${configsCount} app(s), ${totalRoutes} route(s) in ${durationMs.toFixed(1)}ms`);
+  apps.forEach((a) => logger.debug("routes", {}, `\u2022 ${a.appId}: ${a.routeCount} route(s)`));
+  warnings.forEach((w) => logger.warn({}, `${CONTENT.TAG} [warn] ${w}`));
 }
-var isServiceDescriptor = (obj) => {
-  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) return false;
-  const maybe = obj;
-  return typeof maybe.serviceName === "string" && typeof maybe.serviceMethod === "string";
-};
-
-// src/utils/DataRoutes.ts
-var safeDecode = (value) => {
-  try {
-    return decodeURIComponent(value);
-  } catch {
-    return value;
+function printSecuritySummary(logger, routes, security, hasExplicitCSP, securityDurationMs) {
+  const total = routes.length;
+  const disabled = routes.filter((r) => r.attr?.middleware?.csp === false).length;
+  const custom = routes.filter((r) => {
+    const v = r.attr?.middleware?.csp;
+    return v !== void 0 && v !== false;
+  }).length;
+  const enabled = total - disabled;
+  const hasReporting = !!security.csp?.reporting?.endpoint;
+  const mode = security.csp?.defaultMode ?? "merge";
+  let status = "configured";
+  let detail = "";
+  if (hasExplicitCSP) {
+    detail = `explicit, mode=${mode}`;
+    if (hasReporting) detail += ", reporting";
+    if (custom > 0) detail += `, ${custom} route override(s)`;
+  } else {
+    if (process.env.NODE_ENV === "production") {
+      logger.warn({}, "(consider explicit config for production)");
+    }
   }
-};
-var cleanPath = (path6) => {
-  if (!path6) return "/";
-  const basePart = path6.split("?")[0];
-  const base = basePart ? basePart.split("#")[0] : "/";
-  return base || "/";
-};
-var calculateSpecificity = (path6) => {
-  let score = 0;
-  const segments = path6.split("/").filter(Boolean);
-  for (const segment of segments) {
-    if (segment.startsWith(":")) {
-      score += 1;
-      if (/[?+*]$/.test(segment)) score -= 0.5;
-    } else if (segment === "*") {
-      score += 0.1;
+  logger.info({}, `${CONTENT.TAG} [security] CSP ${status} (${enabled}/${total} routes) in ${securityDurationMs.toFixed(1)}ms`);
+}
+function printContractReport(logger, report) {
+  for (const r of report.items) {
+    const line = `${CONTENT.TAG} [security][${r.key}] ${r.message}`;
+    if (r.status === "error") {
+      logger.error({}, line);
+    } else if (r.status === "warning") {
+      logger.warn({}, line);
+    } else if (r.status === "skipped") {
+      logger.debug(r.key, {}, line);
     } else {
-      score += 10;
+      logger.info({}, line);
     }
   }
-  score += segments.length * 0.1;
-  return score;
-};
-var isPlainObject = (v) => !!v && typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype;
-var createRouteMatchers = (routes) => {
-  const sortedRoutes = [...routes].sort((a, b) => calculateSpecificity(b.path) - calculateSpecificity(a.path));
-  return sortedRoutes.map((route) => {
-    const matcher = match(route.path, { decode: safeDecode });
-    const specificity = calculateSpecificity(route.path);
-    const keys = [];
-    return { route, matcher, keys, specificity };
-  });
+}
+var computeScore = (path7) => {
+  return path7.split("/").filter(Boolean).reduce((score, segment) => score + (segment.startsWith(":") ? 1 : 10), 0);
 };
-var matchRoute = (url, routeMatchers) => {
-  const path6 = cleanPath(url);
-  for (const { route, matcher, keys } of routeMatchers) {
-    const match2 = matcher(path6);
-    if (match2) {
-      return {
-        route,
-        params: match2.params,
-        keys
-      };
+
+// src/network/Network.ts
+var import_picocolors3 = __toESM(require_picocolors(), 1);
+import { networkInterfaces } from "os";
+
+// src/logging/Logger.ts
+var import_picocolors2 = __toESM(require_picocolors(), 1);
+
+// src/logging/Parser.ts
+function parseDebugInput(input) {
+  if (input === void 0) return void 0;
+  if (typeof input === "boolean") return input;
+  if (Array.isArray(input)) {
+    const pos = /* @__PURE__ */ new Set();
+    const neg = /* @__PURE__ */ new Set();
+    for (const raw of input) {
+      const s = String(raw);
+      const isNeg = s.startsWith("-") || s.startsWith("!");
+      const key = isNeg ? s.slice(1) : s;
+      const isValid = DEBUG_CATEGORIES.includes(key);
+      if (!isValid) {
+        console.warn(`[parseDebugInput] Invalid debug category: "${key}". Valid: ${DEBUG_CATEGORIES.join(", ")}`);
+        continue;
+      }
+      (isNeg ? neg : pos).add(key);
     }
-  }
-  return null;
-};
-var fetchInitialData = async (attr, params, serviceRegistry, ctx, callServiceMethodImpl = callServiceMethod) => {
-  const dataHandler = attr?.data;
-  if (!dataHandler || typeof dataHandler !== "function") return {};
-  try {
-    const result = await dataHandler(params, {
-      ...ctx,
-      headers: ctx.headers ?? {}
-    });
-    if (isServiceDescriptor(result)) {
-      const { serviceName, serviceMethod, args } = result;
-      return callServiceMethodImpl(serviceRegistry, serviceName, serviceMethod, args ?? {}, ctx);
-    }
-    if (isPlainObject(result)) return result;
-    throw AppError.badRequest("attr.data must return a plain object or a ServiceDescriptor");
-  } catch (err) {
-    const e = AppError.from(err);
-    const level = e.kind === "domain" || e.kind === "validation" || e.kind === "auth" ? "warn" : "error";
-    ctx.logger?.[level](e.message, {
-      component: "fetch-initial-data",
-      kind: e.kind,
-      httpStatus: e.httpStatus,
-      ...e.code && { code: e.code },
-      details: e.details,
-      params,
-      traceId: ctx.traceId
-    });
-    throw e;
-  }
-};
-
-// src/security/Auth.ts
-var createAuthHook = (routeMatchers, logger) => {
-  return async function authHook(req, reply) {
-    const url = new URL(req.url, `http://${req.headers.host}`).pathname;
-    const match2 = matchRoute(url, routeMatchers);
-    if (!match2) return;
-    const { route } = match2;
-    const authConfig = route.attr?.middleware?.auth;
-    if (!authConfig) {
-      logger.debug("auth", "(none)", { method: req.method, url: req.url });
-      return;
-    }
-    if (typeof req.server.authenticate !== "function") {
-      logger.warn("Route requires auth but Fastify authenticate decorator is missing", {
-        path: url,
-        appId: route.appId
-      });
-      return reply.status(500).send("Server misconfiguration: auth decorator missing.");
-    }
-    try {
-      logger.debug("auth", "Invoking authenticate(...)", { method: req.method, url: req.url });
-      await req.server.authenticate(req, reply);
-      logger.debug("auth", "Authentication successful", { method: req.method, url: req.url });
-    } catch (err) {
-      logger.debug("auth", "Authentication failed", { method: req.method, url: req.url });
-      return reply.send(err);
-    }
-  };
-};
-
-// src/security/CSP.ts
-var import_fastify_plugin = __toESM(require_plugin(), 1);
-import crypto from "crypto";
-
-// src/utils/System.ts
-import { dirname, join } from "path";
-import "path";
-import { fileURLToPath } from "url";
-var isDevelopment = process.env.NODE_ENV === "development";
-var __filename = fileURLToPath(import.meta.url);
-var __dirname = join(dirname(__filename), !isDevelopment ? "./" : "..");
-
-// src/logging/Logger.ts
-var import_picocolors2 = __toESM(require_picocolors(), 1);
-
-// src/logging/Parser.ts
-function parseDebugInput(input) {
-  if (input === void 0) return void 0;
-  if (typeof input === "boolean") return input;
-  if (Array.isArray(input)) {
-    const pos = /* @__PURE__ */ new Set();
-    const neg = /* @__PURE__ */ new Set();
-    for (const raw of input) {
-      const s = String(raw);
-      const isNeg = s.startsWith("-") || s.startsWith("!");
-      const key = isNeg ? s.slice(1) : s;
-      const isValid = DEBUG_CATEGORIES.includes(key);
-      if (!isValid) {
-        console.warn(`[parseDebugInput] Invalid debug category: "${key}". Valid: ${DEBUG_CATEGORIES.join(", ")}`);
-        continue;
-      }
-      (isNeg ? neg : pos).add(key);
-    }
-    if (neg.size > 0 && pos.size === 0) {
-      const o = { all: true };
-      for (const k of neg) o[k] = false;
-      return o;
+    if (neg.size > 0 && pos.size === 0) {
+      const o = { all: true };
+      for (const k of neg) o[k] = false;
+      return o;
     }
     if (pos.size > 0 || neg.size > 0) {
       const o = {};
@@ -625,10 +426,8 @@ var Logger = class _Logger {
   debugEnabled = /* @__PURE__ */ new Set();
   context = {};
   child(context) {
-    const child = new _Logger({
-      ...this.config,
-      context: { ...this.context, ...context }
-    });
+    const customChild = this.config.custom?.child?.(context) ?? this.config.custom;
+    const child = new _Logger({ ...this.config, custom: customChild, context: { ...this.context, ...context } });
     child.debugEnabled = new Set(this.debugEnabled);
     return child;
   }
@@ -690,54 +489,55 @@ var Logger = class _Logger {
     if (!this.shouldEmit(level)) return;
     const timestamp = this.formatTimestamp();
     const wantCtx = this.config.includeContext === void 0 ? false : typeof this.config.includeContext === "function" ? this.config.includeContext(level) : this.config.includeContext;
-    const customSink = this.config.custom?.[level] ?? (level === "debug" ? this.config.custom?.info : void 0) ?? this.config.custom?.log;
+    const customSink = this.config.custom?.[level];
     const consoleFallback = level === "error" ? console.error : level === "warn" ? console.warn : console.log;
     const sink = customSink ?? consoleFallback;
     const merged = meta ?? {};
     const withCtx = wantCtx && Object.keys(this.context).length > 0 ? { context: this.context, ...merged } : merged;
     const finalMeta = this.shouldIncludeStack(level) ? withCtx : this.stripStacks(withCtx);
     const hasMeta = finalMeta && typeof finalMeta === "object" ? Object.keys(finalMeta).length > 0 : false;
-    const coloredLevel = (() => {
-      const levelText = level.toLowerCase() + (category ? `:${category.toLowerCase()}` : "");
+    const levelText = level.toLowerCase() + (category ? `:${category.toLowerCase()}` : "");
+    const plainTag = `[${levelText}]`;
+    const coloredTag = (() => {
       switch (level) {
         case "debug":
-          return import_picocolors2.default.gray(`[${levelText}]`);
+          return import_picocolors2.default.gray(plainTag);
         case "info":
-          return import_picocolors2.default.cyan(`[${levelText}]`);
+          return import_picocolors2.default.cyan(plainTag);
         case "warn":
-          return import_picocolors2.default.yellow(`[${levelText}]`);
+          return import_picocolors2.default.yellow(plainTag);
         case "error":
-          return import_picocolors2.default.red(`[${levelText}]`);
+          return import_picocolors2.default.red(plainTag);
         default:
-          return `[${levelText}]`;
+          return plainTag;
       }
     })();
-    const formatted = `${timestamp} ${coloredLevel} ${message}`;
-    if (this.config.singleLine && hasMeta) {
+    const tagForOutput = customSink ? plainTag : coloredTag;
+    const formatted = `${timestamp} ${tagForOutput} ${message}`;
+    if (this.config.singleLine && hasMeta && !customSink) {
       const metaStr = JSON.stringify(finalMeta).replace(/\n/g, "\\n");
-      sink(`${formatted} ${metaStr}`);
+      consoleFallback(`${formatted} ${metaStr}`);
       return;
     }
     if (customSink) {
-      if (hasMeta) sink(formatted, finalMeta);
-      else sink(formatted);
+      const obj = hasMeta ? finalMeta : {};
+      customSink(obj, formatted);
     } else {
-      if (hasMeta) consoleFallback(formatted, finalMeta);
-      else consoleFallback(formatted);
+      hasMeta ? consoleFallback(formatted, finalMeta) : consoleFallback(formatted);
     }
   }
-  info(message, meta) {
-    this.emit("info", message, meta);
+  info(meta, message) {
+    this.emit("info", message ?? "", meta);
   }
-  warn(message, meta) {
-    this.emit("warn", message, meta);
+  warn(meta, message) {
+    this.emit("warn", message ?? "", meta);
   }
-  error(message, meta) {
-    this.emit("error", message, meta);
+  error(meta, message) {
+    this.emit("error", message ?? "", meta);
   }
-  debug(category, message, meta) {
+  debug(category, meta, message) {
     if (!this.debugEnabled.has(category)) return;
-    this.emit("debug", message, meta, category);
+    this.emit("debug", message ?? "", meta, category);
   }
 };
 function createLogger(opts) {
@@ -754,1192 +554,1473 @@ function createLogger(opts) {
   return logger;
 }
 
-// src/security/CSP.ts
-var defaultGenerateCSP = (directives, nonce, req) => {
-  const merged = { ...directives };
-  merged["script-src"] = merged["script-src"] || ["'self'"];
-  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) {
-    merged["script-src"].push(`'nonce-${nonce}'`);
-  }
-  if (isDevelopment) {
-    const connect = merged["connect-src"] || ["'self'"];
-    if (!connect.includes("ws:")) connect.push("ws:");
-    if (!connect.includes("http:")) connect.push("http:");
-    merged["connect-src"] = connect;
-    const style = merged["style-src"] || ["'self'"];
-    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
-    merged["style-src"] = style;
-  }
-  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+// src/network/Network.ts
+var isPrivateIPv4 = (addr) => {
+  if (!/^\d+\.\d+\.\d+\.\d+$/.test(addr)) return false;
+  const [a, b, _c, _d] = addr.split(".").map(Number);
+  if (a === 10) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  return false;
 };
-var generateNonce = () => crypto.randomBytes(16).toString("base64");
-var mergeDirectives = (base, override) => {
-  const merged = { ...base };
-  for (const [directive, values] of Object.entries(override)) {
-    if (merged[directive]) {
-      merged[directive] = [.../* @__PURE__ */ new Set([...merged[directive], ...values])];
-    } else {
-      merged[directive] = [...values];
+var bannerPlugin = async (fastify, options) => {
+  const logger = createLogger({ debug: options.debug });
+  const dbgNetwork = logger.isDebugEnabled("network");
+  fastify.decorate("showBanner", function showBanner() {
+    const addr = this.server.address();
+    if (!addr || typeof addr === "string") return;
+    const { address, port } = addr;
+    const boundHost = address === "::1" ? "localhost" : address === "::" ? "::" : address === "0.0.0.0" ? "0.0.0.0" : address;
+    console.log(`\u2503 Local    ${import_picocolors3.default.bold(`http://localhost:${port}/`)}`);
+    if (boundHost === "localhost" || boundHost === "127.0.0.1") {
+      console.log("\u2503 Network  use --host to expose\n");
+      return;
     }
-  }
-  return merged;
-};
-var findMatchingRoute = (routeMatchers, path6) => {
-  if (!routeMatchers) return null;
-  const match2 = matchRoute(path6, routeMatchers);
-  return match2 ? { route: match2.route, params: match2.params } : null;
-};
-var cspPlugin = (0, import_fastify_plugin.default)(
-  async (fastify, opts) => {
-    const { generateCSP = defaultGenerateCSP, routes = [], routeMatchers, debug } = opts;
-    const globalDirectives = opts.directives || DEV_CSP_DIRECTIVES;
-    const matchers = routeMatchers || (routes.length > 0 ? createRouteMatchers(routes) : null);
-    const logger = createLogger({
-      debug,
-      context: { component: "csp-plugin" }
-    });
-    fastify.addHook("onRequest", (req, reply, done) => {
-      const nonce = generateNonce();
-      req.cspNonce = nonce;
-      try {
-        const routeMatch = findMatchingRoute(matchers, req.url);
-        const routeCSP = routeMatch?.route.attr?.middleware?.csp;
-        if (routeCSP === false) {
-          done();
-          return;
-        }
-        let finalDirectives = globalDirectives;
-        if (routeCSP && typeof routeCSP === "object") {
-          if (!routeCSP.disabled) {
-            let routeDirectives;
-            if (typeof routeCSP.directives === "function") {
-              const params = routeMatch?.params || {};
-              routeDirectives = routeCSP.directives({
-                url: req.url,
-                params,
-                headers: req.headers,
-                req
-              });
-            } else {
-              routeDirectives = routeCSP.directives || {};
-            }
-            if (routeCSP.mode === "replace") {
-              finalDirectives = routeDirectives;
-            } else {
-              finalDirectives = mergeDirectives(globalDirectives, routeDirectives);
-            }
-          }
-        }
-        let cspHeader;
-        if (routeCSP?.generateCSP) {
-          cspHeader = routeCSP.generateCSP(finalDirectives, nonce, req);
-        } else {
-          cspHeader = generateCSP(finalDirectives, nonce, req);
+    const nets = networkInterfaces();
+    let networkAddress = null;
+    for (const ifaces of Object.values(nets)) {
+      if (!ifaces) continue;
+      for (const iface of ifaces) {
+        if (iface.internal || iface.family !== "IPv4") continue;
+        if (isPrivateIPv4(iface.address)) {
+          networkAddress = iface.address;
+          break;
         }
-        reply.header("Content-Security-Policy", cspHeader);
-      } catch (error) {
-        logger.error("CSP plugin error", {
-          url: req.url,
-          error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : String(error)
-        });
-        const fallbackHeader = generateCSP(globalDirectives, nonce, req);
-        reply.header("Content-Security-Policy", fallbackHeader);
+        if (!networkAddress) networkAddress = iface.address;
       }
-      done();
-    });
-  },
-  { name: "taujs-csp-plugin" }
-);
-
-// src/utils/AssetManager.ts
-import { readFile } from "fs/promises";
-import path2 from "path";
-import { pathToFileURL } from "url";
+      if (networkAddress && isPrivateIPv4(networkAddress)) break;
+    }
+    if (networkAddress) {
+      console.log(`\u2503 Network  http://${networkAddress}:${port}/
+`);
+      if (dbgNetwork) logger.warn({}, import_picocolors3.default.yellow(`${CONTENT.TAG} [network] Dev server exposed on network - for local testing only.`));
+    }
+    logger.info({}, import_picocolors3.default.green(`${CONTENT.TAG} [network] Bound to host: ${boundHost}`));
+  });
+  fastify.addHook("onReady", async function() {
+    if (this.server.listening) {
+      this.showBanner();
+      return;
+    }
+    this.server.once("listening", () => this.showBanner());
+  });
+};
 
-// src/utils/Templates.ts
-var CSS_LANGS_RE = /\.(css|less|sass|scss|styl|stylus|pcss|postcss|sss)(?:$|\?)/;
-async function collectStyle(server, entries) {
-  const urls = await collectStyleUrls(server, entries);
-  const codes = await Promise.all(
-    urls.map(async (url) => {
-      const res = await server.transformRequest(url + "?direct");
-      return [`/* [collectStyle] ${url} */`, res?.code];
-    })
-  );
-  return codes.flat().filter(Boolean).join("\n\n");
-}
-async function collectStyleUrls(server, entries) {
-  const visited = /* @__PURE__ */ new Set();
-  async function traverse(url) {
-    const [, id] = await server.moduleGraph.resolveUrl(url);
-    if (visited.has(id)) return;
-    visited.add(id);
-    const mod = server.moduleGraph.getModuleById(id);
-    if (!mod) return;
-    await Promise.all([...mod.importedModules].map((childMod) => traverse(childMod.url)));
+// src/network/CLI.ts
+function readFlag(argv, keys, bareValue) {
+  const end = argv.indexOf("--");
+  const limit = end === -1 ? argv.length : end;
+  for (let i = 0; i < limit; i++) {
+    const arg = argv[i];
+    for (const key of keys) {
+      if (arg === key) {
+        const next = argv[i + 1];
+        if (!next || next.startsWith("-")) return bareValue;
+        return next.trim();
+      }
+      const pref = `${key}=`;
+      if (arg && arg.startsWith(pref)) {
+        const v = arg.slice(pref.length).trim();
+        return v || bareValue;
+      }
+    }
   }
-  await Promise.all(entries.map((e) => server.transformRequest(e)));
-  await Promise.all(entries.map((url) => traverse(url)));
-  return [...visited].filter((url) => url.match(CSS_LANGS_RE));
+  return void 0;
 }
-function renderPreloadLinks(ssrManifest, basePath = "") {
-  const seen = /* @__PURE__ */ new Set();
-  let links = "";
-  for (const moduleId in ssrManifest) {
-    const files = ssrManifest[moduleId];
-    if (files) {
-      files.forEach((file) => {
-        if (!seen.has(file)) {
-          seen.add(file);
-          links += renderPreloadLink(basePath ? `${basePath}/${file}` : `${file}`);
-        }
-      });
-    }
-  }
-  return links;
+function resolveNet(input) {
+  const env = process.env;
+  const argv = process.argv;
+  let host = "localhost";
+  let port = 5173;
+  let hmrPort = 5174;
+  if (input?.host) host = input.host;
+  if (Number.isFinite(input?.port)) port = Number(input.port);
+  if (Number.isFinite(input?.hmrPort)) hmrPort = Number(input.hmrPort);
+  if (env.HOST?.trim()) host = env.HOST.trim();
+  else if (env.FASTIFY_ADDRESS?.trim()) host = env.FASTIFY_ADDRESS.trim();
+  if (env.PORT) port = Number(env.PORT) || port;
+  if (env.FASTIFY_PORT) port = Number(env.FASTIFY_PORT) || port;
+  if (env.HMR_PORT) hmrPort = Number(env.HMR_PORT) || hmrPort;
+  const cliHost = readFlag(argv, ["--host", "--hostname", "-H"], "0.0.0.0");
+  const cliPort = readFlag(argv, ["--port", "-p"]);
+  const cliHMR = readFlag(argv, ["--hmr-port"]);
+  if (cliHost) host = cliHost;
+  if (cliPort) port = Number(cliPort) || port;
+  if (cliHMR) hmrPort = Number(cliHMR) || hmrPort;
+  if (host === "true" || host === "") host = "0.0.0.0";
+  return { host, port, hmrPort };
 }
-function renderPreloadLink(file) {
-  const fileType = file.match(/\.(js|css|woff2?|gif|jpe?g|png|svg)$/)?.[1];
-  switch (fileType) {
-    case "js":
-      return `<link rel="modulepreload" href="${file}">`;
-    case "css":
-      return `<link rel="stylesheet" href="${file}">`;
-    case "woff":
-    case "woff2":
-      return `<link rel="preload" href="${file}" as="font" type="font/${fileType}" crossorigin>`;
-    case "gif":
-    case "jpeg":
-    case "jpg":
-    case "png":
-      return `<link rel="preload" href="${file}" as="image" type="image/${fileType}">`;
-    case "svg":
-      return `<link rel="preload" href="${file}" as="image" type="image/svg+xml">`;
-    default:
-      return "";
+
+// src/security/VerifyMiddleware.ts
+var isAuthRequired = (route) => Boolean(route.attr?.middleware?.auth);
+var hasAuthenticate = (app) => typeof app.authenticate === "function";
+function formatCspLoadedMsg(hasGlobal, custom) {
+  if (hasGlobal) {
+    return custom > 0 ? `Loaded global config with ${custom} route override(s)` : "Loaded global config";
   }
+  return custom > 0 ? `Loaded development defaults with ${custom} route override(s)` : "Loaded development defaults";
 }
-function getCssLinks(manifest, basePath = "") {
-  const seen = /* @__PURE__ */ new Set();
-  const styles = [];
-  for (const key in manifest) {
-    const entry = manifest[key];
-    if (entry && entry.css) {
-      for (const cssFile of entry.css) {
-        if (!seen.has(cssFile)) {
-          seen.add(cssFile);
-          styles.push(`<link rel="preload stylesheet" as="style" type="text/css" href="${basePath}/${cssFile}">`);
-        }
+var verifyContracts = (app, routes, contracts, security) => {
+  const items = [];
+  for (const contract of contracts) {
+    const isRequired = contract.required(routes, security);
+    if (!isRequired) {
+      items.push({
+        key: contract.key,
+        status: "skipped",
+        message: `No routes require "${contract.key}"`
+      });
+      continue;
+    }
+    if (!contract.verify(app)) {
+      const msg = `[\u03C4js] ${contract.errorMessage}`;
+      items.push({ key: contract.key, status: "error", message: msg });
+      throw new Error(msg);
+    }
+    if (contract.key === "csp") {
+      const total = routes.length;
+      const disabled = routes.filter((r) => r.attr?.middleware?.csp === false).length;
+      const custom = routes.filter((r) => {
+        const v = r.attr?.middleware?.csp;
+        return v !== void 0 && v !== false;
+      }).length;
+      const enabled = total - disabled;
+      const hasGlobal = !!security?.csp;
+      let status = "verified";
+      let tail = "";
+      if (!hasGlobal && process.env.NODE_ENV === "production") {
+        status = "warning";
+        tail = " (consider adding global CSP for production)";
       }
+      const baseMsg = formatCspLoadedMsg(hasGlobal, custom);
+      items.push({
+        key: "csp",
+        status,
+        message: baseMsg + tail
+      });
+      items.push({
+        key: "csp",
+        status,
+        message: `\u2713 Verified (${enabled} enabled, ${disabled} disabled, ${total} total). ` + tail
+      });
+    } else {
+      const count = routes.filter((r) => contract.required([r], security)).length;
+      items.push({
+        key: contract.key,
+        status: "verified",
+        message: `\u2713 ${count} route(s)`
+      });
     }
   }
-  return styles.join("\n");
-}
-var overrideCSSHMRConsoleError = () => {
-  const originalConsoleError = console.error;
-  console.error = function(message, ...optionalParams) {
-    if (typeof message === "string" && message.includes("css hmr is not supported in runtime mode")) return;
-    originalConsoleError.apply(console, [message, ...optionalParams]);
-  };
-};
-var ensureNonNull = (value, errorMessage) => {
-  if (value === void 0 || value === null) throw new Error(errorMessage);
-  return value;
-};
-function processTemplate(template) {
-  const [headSplit, bodySplit] = template.split(SSRTAG.ssrHead);
-  if (typeof bodySplit === "undefined") throw new Error(`Template is missing ${SSRTAG.ssrHead} marker.`);
-  const [beforeBody, afterBody] = bodySplit.split(SSRTAG.ssrHtml);
-  if (typeof beforeBody === "undefined" || typeof afterBody === "undefined") throw new Error(`Template is missing ${SSRTAG.ssrHtml} marker.`);
-  return {
-    beforeHead: headSplit,
-    afterHead: "",
-    beforeBody: beforeBody.replace(/\s*$/, ""),
-    afterBody: afterBody.replace(/^\s*/, "")
-  };
-}
-var rebuildTemplate = (parts, headContent, bodyContent) => {
-  return `${parts.beforeHead}${headContent}${parts.afterHead}${parts.beforeBody}${bodyContent}${parts.afterBody}`;
+  return { items };
 };
 
-// src/utils/AssetManager.ts
-var createMaps = () => ({
-  bootstrapModules: /* @__PURE__ */ new Map(),
-  cssLinks: /* @__PURE__ */ new Map(),
-  manifests: /* @__PURE__ */ new Map(),
-  preloadLinks: /* @__PURE__ */ new Map(),
-  renderModules: /* @__PURE__ */ new Map(),
-  ssrManifests: /* @__PURE__ */ new Map(),
-  templates: /* @__PURE__ */ new Map()
-});
-var processConfigs = (configs, baseClientRoot, templateDefaults) => {
-  return configs.map((config) => {
-    const clientRoot = path2.resolve(baseClientRoot, config.entryPoint);
-    return {
-      clientRoot,
-      entryPoint: config.entryPoint,
-      entryClient: config.entryClient || templateDefaults.defaultEntryClient,
-      entryServer: config.entryServer || templateDefaults.defaultEntryServer,
-      htmlTemplate: config.htmlTemplate || templateDefaults.defaultHtmlTemplate,
-      appId: config.appId
-    };
-  });
+// src/SSRServer.ts
+var import_fastify_plugin3 = __toESM(require_plugin(), 1);
+
+// src/logging/AppError.ts
+var HTTP_STATUS = {
+  infra: 500,
+  upstream: 502,
+  domain: 404,
+  validation: 400,
+  auth: 403,
+  canceled: 499,
+  // Client Closed Request (nginx convention)
+  timeout: 504
 };
-var loadAssets = async (processedConfigs, baseClientRoot, bootstrapModules, cssLinks, manifests, preloadLinks, renderModules, ssrManifests, templates, opts = {}) => {
-  const logger = opts.logger ?? createLogger({
-    debug: opts.debug,
-    includeContext: true
-  });
-  for (const config of processedConfigs) {
-    const { clientRoot, entryClient, entryServer, htmlTemplate } = config;
-    try {
-      const templateHtmlPath = path2.join(clientRoot, htmlTemplate);
-      const templateHtml = await readFile(templateHtmlPath, "utf-8");
-      templates.set(clientRoot, templateHtml);
-      const relativeBasePath = path2.relative(baseClientRoot, clientRoot).replace(/\\/g, "/");
-      const adjustedRelativePath = relativeBasePath ? `/${relativeBasePath}` : "";
-      if (!isDevelopment) {
-        try {
-          const manifestPath = path2.join(clientRoot, ".vite/manifest.json");
-          const manifestContent = await readFile(manifestPath, "utf-8");
-          const manifest = JSON.parse(manifestContent);
-          manifests.set(clientRoot, manifest);
-          const ssrManifestPath = path2.join(clientRoot, ".vite/ssr-manifest.json");
-          const ssrManifestContent = await readFile(ssrManifestPath, "utf-8");
-          const ssrManifest = JSON.parse(ssrManifestContent);
-          ssrManifests.set(clientRoot, ssrManifest);
-          const entryClientFile = manifest[`${entryClient}.tsx`]?.file;
-          if (!entryClientFile) {
-            throw AppError.internal(`Entry client file not found in manifest for ${entryClient}.tsx`, {
-              details: {
-                clientRoot,
-                entryClient,
-                availableKeys: Object.keys(manifest)
-              }
-            });
-          }
-          const bootstrapModule = `/${adjustedRelativePath}/${entryClientFile}`.replace(/\/{2,}/g, "/");
-          bootstrapModules.set(clientRoot, bootstrapModule);
-          const preloadLink = renderPreloadLinks(ssrManifest, adjustedRelativePath);
-          preloadLinks.set(clientRoot, preloadLink);
-          const cssLink = getCssLinks(manifest, adjustedRelativePath);
-          cssLinks.set(clientRoot, cssLink);
-          const renderModulePath = path2.join(clientRoot, `${entryServer}.js`);
-          const moduleUrl = pathToFileURL(renderModulePath).href;
-          try {
-            const importedModule = await import(moduleUrl);
-            renderModules.set(clientRoot, importedModule);
-          } catch (err) {
-            throw AppError.internal(`Failed to load render module ${renderModulePath}`, {
-              cause: err,
-              details: { moduleUrl, clientRoot, entryServer }
-            });
-          }
-        } catch (err) {
-          if (err instanceof AppError) {
-            logger.error("Asset load failed", {
-              error: { name: err.name, message: err.message, stack: err.stack, code: err.code },
-              stage: "loadAssets:production"
-            });
-          } else {
-            logger.error("Asset load failed", {
-              error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err),
-              stage: "loadAssets:production"
-            });
-          }
-        }
-      } else {
-        const bootstrapModule = `/${adjustedRelativePath}/${entryClient}`.replace(/\/{2,}/g, "/");
-        bootstrapModules.set(clientRoot, bootstrapModule);
-      }
-    } catch (err) {
-      logger.error("Failed to process config", {
-        error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err),
-        stage: "loadAssets:config"
+var AppError = class _AppError extends Error {
+  kind;
+  httpStatus;
+  details;
+  safeMessage;
+  code;
+  constructor(message, kind, options = {}) {
+    super(message);
+    this.name = "AppError";
+    Object.setPrototypeOf(this, new.target.prototype);
+    if (options.cause !== void 0) {
+      Object.defineProperty(this, "cause", {
+        value: options.cause,
+        enumerable: false,
+        writable: false,
+        configurable: true
       });
     }
+    this.kind = kind;
+    this.httpStatus = options.httpStatus ?? HTTP_STATUS[kind];
+    this.details = options.details;
+    this.safeMessage = options.safeMessage ?? this.getSafeMessage(kind, message);
+    this.code = options.code;
+    if (Error.captureStackTrace) Error.captureStackTrace(this, this.constructor);
   }
-};
-
-// src/utils/DevServer.ts
-import path3 from "path";
-var setupDevServer = async (app, baseClientRoot, alias, debug, devNet) => {
-  const logger = createLogger({
-    context: { service: "setupDevServer" },
-    debug,
-    minLevel: "debug"
-  });
-  const host = devNet?.host ?? process.env.HOST?.trim() ?? process.env.FASTIFY_ADDRESS?.trim() ?? "localhost";
-  const hmrPort = devNet?.hmrPort ?? (Number(process.env.HMR_PORT) || 5174);
-  const { createServer: createServer2 } = await import("vite");
-  const viteDevServer = await createServer2({
-    appType: "custom",
-    css: {
-      preprocessorOptions: {
-        scss: {
-          api: "modern-compiler"
-        }
-      }
-    },
-    mode: "development",
-    plugins: [
-      ...debug ? [
-        {
-          name: "\u03C4js-development-server-debug-logging",
-          configureServer(server) {
-            logger.debug("vite", `${CONTENT.TAG} Development server debug started`);
-            server.middlewares.use((req, res, next) => {
-              logger.debug("vite", "\u2190 rx", {
-                method: req.method,
-                url: req.url,
-                host: req.headers.host,
-                ua: req.headers["user-agent"]
-              });
-              res.on("finish", () => {
-                logger.debug("vite", "\u2192 tx", {
-                  method: req.method,
-                  url: req.url,
-                  statusCode: res.statusCode
-                });
-              });
-              next();
-            });
-          }
+  getSafeMessage(kind, message) {
+    return kind === "domain" || kind === "validation" || kind === "auth" ? message : "Internal Server Error";
+  }
+  serialiseValue(value, seen = /* @__PURE__ */ new WeakSet()) {
+    if (value === null || value === void 0) return value;
+    if (typeof value !== "object") return value;
+    if (seen.has(value)) return "[circular]";
+    seen.add(value);
+    if (value instanceof Error) {
+      return {
+        name: value.name,
+        message: value.message,
+        stack: value.stack,
+        ...value instanceof _AppError && {
+          kind: value.kind,
+          httpStatus: value.httpStatus,
+          code: value.code
         }
-      ] : []
-    ],
-    resolve: {
-      alias: {
-        "@client": path3.resolve(baseClientRoot),
-        "@server": path3.resolve(__dirname),
-        "@shared": path3.resolve(__dirname, "../shared"),
-        ...alias
-      }
-    },
-    root: baseClientRoot,
-    server: {
-      middlewareMode: true,
-      hmr: {
-        clientPort: hmrPort,
-        host: host !== "localhost" ? host : void 0,
-        port: hmrPort,
-        protocol: "ws"
+      };
+    }
+    if (Array.isArray(value)) return value.map((item) => this.serialiseValue(item, seen));
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = this.serialiseValue(val, seen);
+    }
+    return result;
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      kind: this.kind,
+      message: this.message,
+      safeMessage: this.safeMessage,
+      httpStatus: this.httpStatus,
+      ...this.code && { code: this.code },
+      details: this.serialiseValue(this.details),
+      stack: this.stack,
+      ...this.cause && {
+        cause: this.serialiseValue(this.cause)
       }
+    };
+  }
+  static notFound(message, details, code) {
+    return new _AppError(message, "domain", { httpStatus: 404, details, code });
+  }
+  static forbidden(message, details, code) {
+    return new _AppError(message, "auth", { httpStatus: 403, details, code });
+  }
+  static badRequest(message, details, code) {
+    return new _AppError(message, "validation", { httpStatus: 400, details, code });
+  }
+  static unprocessable(message, details, code) {
+    return new _AppError(message, "validation", { httpStatus: 422, details, code });
+  }
+  static timeout(message, details, code) {
+    return new _AppError(message, "timeout", { details, code });
+  }
+  static canceled(message, details, code) {
+    return new _AppError(message, "canceled", { details, code });
+  }
+  static internal(message, cause, details, code) {
+    return new _AppError(message, "infra", { cause, details, code });
+  }
+  static upstream(message, cause, details, code) {
+    return new _AppError(message, "upstream", { cause, details, code });
+  }
+  static serviceUnavailable(message, cause, details, code) {
+    return new _AppError(message, "infra", { httpStatus: 503, cause, details, code });
+  }
+  static from(err, fallback = "Internal error") {
+    return err instanceof _AppError ? err : _AppError.internal(err?.message ?? fallback, err);
+  }
+};
+function normaliseError(e) {
+  if (e instanceof Error) return { name: e.name, message: e.message, stack: e.stack };
+  const hasMessageProp = e != null && typeof e.message !== "undefined";
+  const msg = hasMessageProp ? String(e.message) : String(e);
+  return { name: "Error", message: msg };
+}
+function toReason(e) {
+  if (e instanceof Error) return e;
+  if (e === null) return new Error("null");
+  if (typeof e === "undefined") return new Error("Unknown render error");
+  const maybeMsg = e?.message;
+  if (typeof maybeMsg !== "undefined") return new Error(String(maybeMsg));
+  return new Error(String(e));
+}
+
+// src/logging/utils/index.ts
+var httpStatusFrom = (err, fallback = 500) => err instanceof AppError ? err.httpStatus : fallback;
+var toHttp = (err) => {
+  const app = AppError.from(err);
+  const status = httpStatusFrom(app);
+  const errorMessage = app.safeMessage;
+  return {
+    status,
+    body: {
+      error: errorMessage,
+      ...app.code && { code: app.code },
+      statusText: statusText(status)
     }
-  });
-  overrideCSSHMRConsoleError();
-  app.addHook("onRequest", async (request, reply) => {
-    await new Promise((resolve) => {
-      viteDevServer.middlewares(request.raw, reply.raw, () => {
-        if (!reply.sent) resolve();
-      });
-    });
-  });
-  return viteDevServer;
+  };
+};
+var statusText = (status) => {
+  const map = {
+    400: "Bad Request",
+    401: "Unauthorized",
+    403: "Forbidden",
+    404: "Not Found",
+    405: "Method Not Allowed",
+    408: "Request Timeout",
+    422: "Unprocessable Entity",
+    429: "Too Many Requests",
+    499: "Client Closed Request",
+    500: "Internal Server Error",
+    502: "Bad Gateway",
+    503: "Service Unavailable",
+    504: "Gateway Timeout"
+  };
+  return map[status] ?? "Error";
 };
 
-// src/utils/HandleRender.ts
-import path4 from "path";
-import { PassThrough } from "stream";
+// src/utils/DataRoutes.ts
+import { match } from "path-to-regexp";
 
-// src/utils/Telemetry.ts
-import crypto2 from "crypto";
-function createRequestContext(req, reply, baseLogger) {
-  const raw = typeof req.headers["x-trace-id"] === "string" ? req.headers["x-trace-id"] : "";
-  const traceId = raw && REGEX.SAFE_TRACE.test(raw) ? raw : typeof req.id === "string" ? req.id : crypto2.randomUUID();
-  reply.header("x-trace-id", traceId);
-  const anyLogger = baseLogger;
-  const child = anyLogger.child;
-  const logger = typeof child === "function" ? child.call(baseLogger, { traceId, url: req.url, method: req.method }) : baseLogger;
-  const headers = Object.fromEntries(
-    Object.entries(req.headers).map(([headerName, headerValue]) => {
-      const normalisedValue = Array.isArray(headerValue) ? headerValue.join(",") : headerValue ?? "";
-      return [headerName, normalisedValue];
-    })
-  );
-  return { traceId, logger, headers };
+// src/utils/DataServices.ts
+async function callServiceMethod(registry, serviceName, methodName, params, ctx) {
+  if (ctx.signal?.aborted) throw AppError.timeout("Request canceled");
+  const service = registry[serviceName];
+  if (!service) throw AppError.notFound(`Unknown service: ${serviceName}`);
+  const desc = service[methodName];
+  if (!desc) throw AppError.notFound(`Unknown method: ${serviceName}.${methodName}`);
+  const logger = ctx.logger?.child({
+    component: "service-call",
+    service: serviceName,
+    method: methodName,
+    traceId: ctx.traceId
+  });
+  try {
+    const p = desc.parsers?.params ? desc.parsers.params(params) : params;
+    const data = await desc.handler(p, ctx);
+    const out = desc.parsers?.result ? desc.parsers.result(data) : data;
+    if (typeof out !== "object" || out === null) throw AppError.internal(`Non-object result from ${serviceName}.${methodName}`);
+    return out;
+  } catch (err) {
+    logger?.error(
+      {
+        params,
+        error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err)
+      },
+      "Service method failed"
+    );
+    throw err;
+  }
 }
+var isServiceDescriptor = (obj) => {
+  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) return false;
+  const maybe = obj;
+  return typeof maybe.serviceName === "string" && typeof maybe.serviceMethod === "string";
+};
 
-// src/utils/HandleRender.ts
-var handleRender = async (req, reply, routeMatchers, processedConfigs, serviceRegistry, maps, opts = {}) => {
-  const { viteDevServer } = opts;
-  const logger = opts.logger ?? createLogger({
-    debug: opts.debug,
-    minLevel: isDevelopment ? "debug" : "info",
-    includeContext: true,
-    includeStack: (lvl) => lvl === "error" || isDevelopment
-  });
+// src/utils/DataRoutes.ts
+var safeDecode = (value) => {
   try {
-    if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
-    const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
-    const matchedRoute = matchRoute(url, routeMatchers);
-    const rawNonce = req.cspNonce;
-    const cspNonce = rawNonce && rawNonce.length > 0 ? rawNonce : void 0;
-    if (!matchedRoute) {
-      reply.callNotFound();
-      return;
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+};
+var cleanPath = (path7) => {
+  if (!path7) return "/";
+  const basePart = path7.split("?")[0];
+  const base = basePart ? basePart.split("#")[0] : "/";
+  return base || "/";
+};
+var calculateSpecificity = (path7) => {
+  let score = 0;
+  const segments = path7.split("/").filter(Boolean);
+  for (const segment of segments) {
+    if (segment.startsWith(":")) {
+      score += 1;
+      if (/[?+*]$/.test(segment)) score -= 0.5;
+    } else if (segment === "*") {
+      score += 0.1;
+    } else {
+      score += 10;
     }
-    const { route, params } = matchedRoute;
-    const { attr, appId } = route;
-    const config = processedConfigs.find((c) => c.appId === appId);
-    if (!config) {
-      throw AppError.internal("No configuration found for the request", {
-        details: {
-          appId,
-          availableAppIds: processedConfigs.map((c) => c.appId),
-          url
-        }
+  }
+  score += segments.length * 0.1;
+  return score;
+};
+var isPlainObject = (v) => !!v && typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype;
+var createRouteMatchers = (routes) => {
+  const sortedRoutes = [...routes].sort((a, b) => calculateSpecificity(b.path) - calculateSpecificity(a.path));
+  return sortedRoutes.map((route) => {
+    const matcher = match(route.path, { decode: safeDecode });
+    const specificity = calculateSpecificity(route.path);
+    const keys = [];
+    return { route, matcher, keys, specificity };
+  });
+};
+var matchRoute = (url, routeMatchers) => {
+  const path7 = cleanPath(url);
+  for (const { route, matcher, keys } of routeMatchers) {
+    const match2 = matcher(path7);
+    if (match2) {
+      return {
+        route,
+        params: match2.params,
+        keys
+      };
+    }
+  }
+  return null;
+};
+var fetchInitialData = async (attr, params, serviceRegistry, ctx, callServiceMethodImpl = callServiceMethod) => {
+  const dataHandler = attr?.data;
+  if (!dataHandler || typeof dataHandler !== "function") return {};
+  try {
+    const result = await dataHandler(params, {
+      ...ctx,
+      headers: ctx.headers ?? {}
+    });
+    if (isServiceDescriptor(result)) {
+      const { serviceName, serviceMethod, args } = result;
+      return callServiceMethodImpl(serviceRegistry, serviceName, serviceMethod, args ?? {}, ctx);
+    }
+    if (isPlainObject(result)) return result;
+    throw AppError.badRequest("attr.data must return a plain object or a ServiceDescriptor");
+  } catch (err) {
+    let e = AppError.from(err);
+    const msg = String(err?.message ?? "");
+    const looksLikeHtml = /<!DOCTYPE/i.test(msg) || /<html/i.test(msg) || /Unexpected token <.*JSON/i.test(msg);
+    if (looksLikeHtml) {
+      const prevDetails = e.details && typeof e.details === "object" ? e.details : {};
+      e = AppError.internal("attr.data expected JSON but received HTML. Likely cause: API route missing or returning HTML.", err, {
+        ...prevDetails,
+        hint: "api-missing-or-content-type",
+        suggestion: "Register api route so it returns JSON, or return a ServiceDescriptor from attr.data and use the ServiceRegistry.",
+        logged: true
       });
     }
-    const { clientRoot, entryServer } = config;
-    let template = ensureNonNull(maps.templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
-    const bootstrapModule = maps.bootstrapModules.get(clientRoot);
-    const cssLink = maps.cssLinks.get(clientRoot);
-    const manifest = maps.manifests.get(clientRoot);
-    const preloadLink = maps.preloadLinks.get(clientRoot);
-    const ssrManifest = maps.ssrManifests.get(clientRoot);
-    let renderModule;
-    if (isDevelopment && viteDevServer) {
-      try {
-        template = template.replace(/<script type="module" src="\/@vite\/client"><\/script>/g, "");
-        template = template.replace(/<style type="text\/css">[\s\S]*?<\/style>/g, "");
-        const entryServerPath = path4.join(clientRoot, `${entryServer}.tsx`);
-        const executedModule = await viteDevServer.ssrLoadModule(entryServerPath);
-        renderModule = executedModule;
-        const styles = await collectStyle(viteDevServer, [entryServerPath]);
-        const styleNonce = cspNonce ? ` nonce="${cspNonce}"` : "";
-        template = template?.replace("</head>", `<style type="text/css"${styleNonce}>${styles}</style></head>`);
-        template = await viteDevServer.transformIndexHtml(url, template);
-      } catch (error) {
-        throw AppError.internal("Failed to load dev assets", { cause: error, details: { clientRoot, entryServer, url } });
-      }
+    const level = e.kind === "domain" || e.kind === "validation" || e.kind === "auth" ? "warn" : "error";
+    const meta = {
+      component: "fetch-initial-data",
+      kind: e.kind,
+      httpStatus: e.httpStatus,
+      ...e.code ? { code: e.code } : {},
+      ...e.details ? { details: e.details } : {},
+      ...params ? { params } : {},
+      traceId: ctx.traceId
+    };
+    ctx.logger?.[level](meta, e.message);
+    throw e;
+  }
+};
+
+// src/security/Auth.ts
+var createAuthHook = (routeMatchers, logger) => {
+  return async function authHook(req, reply) {
+    const url = new URL(req.url, `http://${req.headers.host}`).pathname;
+    const match2 = matchRoute(url, routeMatchers);
+    if (!match2) return;
+    const { route } = match2;
+    const authConfig = route.attr?.middleware?.auth;
+    if (!authConfig) {
+      logger.debug("auth", { method: req.method, url: req.url }, "(none)");
+      return;
+    }
+    if (typeof req.server.authenticate !== "function") {
+      logger.warn(
+        {
+          path: url,
+          appId: route.appId
+        },
+        "Route requires auth but Fastify authenticate decorator is missing"
+      );
+      return reply.status(500).send("Server misconfiguration: auth decorator missing.");
+    }
+    try {
+      logger.debug("auth", { method: req.method, url: req.url }, "Invoking authenticate(...)");
+      await req.server.authenticate(req, reply);
+      logger.debug("auth", { method: req.method, url: req.url }, "Authentication successful");
+    } catch (err) {
+      logger.debug("auth", { method: req.method, url: req.url }, "Authentication failed");
+      return reply.send(err);
+    }
+  };
+};
+
+// src/security/CSP.ts
+var import_fastify_plugin = __toESM(require_plugin(), 1);
+import crypto from "crypto";
+
+// src/utils/System.ts
+import { dirname, join } from "path";
+import "path";
+import { fileURLToPath } from "url";
+var isDevelopment = process.env.NODE_ENV === "development";
+var __filename = fileURLToPath(import.meta.url);
+var __dirname = join(dirname(__filename), !isDevelopment ? "./" : "..");
+
+// src/security/CSP.ts
+var defaultGenerateCSP = (directives, nonce, req) => {
+  const merged = { ...directives };
+  merged["script-src"] = merged["script-src"] || ["'self'"];
+  if (!merged["script-src"].some((v) => v.startsWith("'nonce-"))) {
+    merged["script-src"].push(`'nonce-${nonce}'`);
+  }
+  if (isDevelopment) {
+    const connect = merged["connect-src"] || ["'self'"];
+    if (!connect.includes("ws:")) connect.push("ws:");
+    if (!connect.includes("http:")) connect.push("http:");
+    merged["connect-src"] = connect;
+    const style = merged["style-src"] || ["'self'"];
+    if (!style.includes("'unsafe-inline'")) style.push("'unsafe-inline'");
+    merged["style-src"] = style;
+  }
+  return Object.entries(merged).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+};
+var generateNonce = () => crypto.randomBytes(16).toString("base64");
+var mergeDirectives = (base, override) => {
+  const merged = { ...base };
+  for (const [directive, values] of Object.entries(override)) {
+    if (merged[directive]) {
+      merged[directive] = [.../* @__PURE__ */ new Set([...merged[directive], ...values])];
     } else {
-      renderModule = maps.renderModules.get(clientRoot);
-      if (!renderModule) throw AppError.internal(`Render module not found for clientRoot: ${clientRoot}. Module should have been preloaded.`);
+      merged[directive] = [...values];
     }
-    const renderType = attr?.render ?? RENDERTYPE.ssr;
-    const templateParts = processTemplate(template);
-    const baseLogger = opts.logger ?? logger;
-    const { traceId, logger: reqLogger, headers } = createRequestContext(req, reply, baseLogger);
-    const ctx = { traceId, logger: reqLogger, headers };
-    const initialDataInput = () => fetchInitialData(attr, params, serviceRegistry, ctx);
-    if (renderType === RENDERTYPE.ssr) {
-      const { renderSSR } = renderModule;
-      if (!renderSSR) {
-        throw AppError.internal("renderSSR function not found in module", {
-          details: { clientRoot, availableFunctions: Object.keys(renderModule) }
-        });
-      }
-      const ac = new AbortController();
-      const onAborted = () => ac.abort("client_aborted");
-      req.raw.on("aborted", onAborted);
-      reply.raw.on("close", () => {
-        if (!reply.raw.writableEnded) ac.abort("socket_closed");
-      });
-      reply.raw.on("finish", () => req.raw.off("aborted", onAborted));
-      if (ac.signal.aborted) {
-        logger.warn("SSR skipped; already aborted", { url: req.url });
-        return;
-      }
-      const initialDataResolved = await initialDataInput();
-      let headContent = "";
-      let appHtml = "";
+  }
+  return merged;
+};
+var findMatchingRoute = (routeMatchers, path7) => {
+  if (!routeMatchers) return null;
+  const match2 = matchRoute(path7, routeMatchers);
+  return match2 ? { route: match2.route, params: match2.params } : null;
+};
+var cspPlugin = (0, import_fastify_plugin.default)(
+  async (fastify, opts) => {
+    const { generateCSP = defaultGenerateCSP, routes = [], routeMatchers, debug } = opts;
+    const globalDirectives = opts.directives || DEV_CSP_DIRECTIVES;
+    const matchers = routeMatchers || (routes.length > 0 ? createRouteMatchers(routes) : null);
+    const logger = createLogger({
+      debug,
+      context: { component: "csp-plugin" }
+    });
+    fastify.addHook("onRequest", (req, reply, done) => {
+      const nonce = generateNonce();
+      req.cspNonce = nonce;
       try {
-        const res = await renderSSR(initialDataResolved, req.url, attr?.meta, ac.signal, { logger: reqLogger });
-        headContent = res.headContent;
-        appHtml = res.appHtml;
-      } catch (err) {
-        const msg = String(err?.message ?? err ?? "");
-        const benign = REGEX.BENIGN_NET_ERR.test(msg);
-        if (ac.signal.aborted || benign) {
-          logger.warn("SSR aborted mid-render (benign)", { url: req.url, reason: msg });
+        const routeMatch = findMatchingRoute(matchers, req.url);
+        const routeCSP = routeMatch?.route.attr?.middleware?.csp;
+        if (routeCSP === false) {
+          done();
           return;
         }
-        logger.error("SSR render failed", { url: req.url, error: normaliseError(err) });
-        throw err;
-      }
-      let aggregateHeadContent = headContent;
-      if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
-      if (manifest && cssLink) aggregateHeadContent += cssLink;
-      const shouldHydrate = attr?.hydrate !== false;
-      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : "";
-      const initialDataScript = `<script${nonceAttr}>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")};</script>`;
-      const bootstrapScriptTag = shouldHydrate && bootstrapModule ? `<script${nonceAttr} type="module" src="${bootstrapModule}" defer></script>` : "";
-      const safeAppHtml = appHtml.trim();
-      const fullHtml = rebuildTemplate(templateParts, aggregateHeadContent, `${safeAppHtml}${initialDataScript}${bootstrapScriptTag}`);
-      try {
-        return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
-      } catch (err) {
-        const msg = String(err?.message ?? err ?? "");
-        const benign = REGEX.BENIGN_NET_ERR.test(msg);
-        if (!benign) logger.error("SSR send failed", { url: req.url, error: normaliseError(err) });
-        else logger.warn("SSR send aborted (benign)", { url: req.url, reason: msg });
-        return;
-      }
-    } else {
-      const { renderStream } = renderModule;
-      if (!renderStream) {
-        throw AppError.internal("renderStream function not found in module", {
-          details: { clientRoot, availableFunctions: Object.keys(renderModule) }
-        });
-      }
-      const cspHeader = reply.getHeader("Content-Security-Policy");
-      reply.raw.writeHead(200, {
-        "Content-Security-Policy": cspHeader,
-        "Content-Type": "text/html; charset=utf-8"
-      });
-      const ac = new AbortController();
-      const onAborted = () => ac.abort();
-      req.raw.on("aborted", onAborted);
-      reply.raw.on("close", () => {
-        if (!reply.raw.writableEnded) ac.abort();
-      });
-      reply.raw.on("finish", () => req.raw.off("aborted", onAborted));
-      const shouldHydrate = attr?.hydrate !== false;
-      const abortedState = { aborted: false };
-      const isBenignSocketAbort = (e) => {
-        const msg = String(e?.message ?? e ?? "");
-        return REGEX.BENIGN_NET_ERR.test(msg);
-      };
-      const writable = new PassThrough();
-      writable.on("error", (err) => {
-        if (!isBenignSocketAbort(err)) logger.error("PassThrough error:", { error: err });
-      });
-      reply.raw.on("error", (err) => {
-        if (!isBenignSocketAbort(err)) logger.error("HTTP socket error:", { error: err });
-      });
-      writable.pipe(reply.raw, { end: false });
-      let finalData = void 0;
-      renderStream(
-        writable,
-        {
-          onHead: (headContent) => {
-            let aggregateHeadContent = headContent;
-            if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
-            if (manifest && cssLink) aggregateHeadContent += cssLink;
-            return reply.raw.write(`${templateParts.beforeHead}${aggregateHeadContent}${templateParts.afterHead}${templateParts.beforeBody}`);
-          },
-          onShellReady: () => {
+        let finalDirectives = globalDirectives;
+        if (routeCSP && typeof routeCSP === "object") {
+          if (!routeCSP.disabled) {
+            let routeDirectives;
+            if (typeof routeCSP.directives === "function") {
+              const params = routeMatch?.params || {};
+              routeDirectives = routeCSP.directives({
+                url: req.url,
+                params,
+                headers: req.headers,
+                req
+              });
+            } else {
+              routeDirectives = routeCSP.directives || {};
+            }
+            if (routeCSP.mode === "replace") {
+              finalDirectives = routeDirectives;
+            } else {
+              finalDirectives = mergeDirectives(globalDirectives, routeDirectives);
+            }
+          }
+        }
+        let cspHeader;
+        if (routeCSP?.generateCSP) {
+          cspHeader = routeCSP.generateCSP(finalDirectives, nonce, req);
+        } else {
+          cspHeader = generateCSP(finalDirectives, nonce, req);
+        }
+        reply.header("Content-Security-Policy", cspHeader);
+      } catch (error) {
+        logger.error(
+          {
+            url: req.url,
+            error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : String(error)
           },
-          onAllReady: (data) => {
-            if (!abortedState.aborted) finalData = data;
+          "CSP plugin error"
+        );
+        const fallbackHeader = generateCSP(globalDirectives, nonce, req);
+        reply.header("Content-Security-Policy", fallbackHeader);
+      }
+      done();
+    });
+  },
+  { name: "taujs-csp-plugin" }
+);
+
+// src/security/CSPReporting.ts
+var import_fastify_plugin2 = __toESM(require_plugin(), 1);
+function sanitiseContext(ctx) {
+  return {
+    userAgent: ctx.userAgent,
+    ip: ctx.ip,
+    referer: ctx.referer,
+    timestamp: ctx.timestamp
+    // headers: ctx.headers,
+  };
+}
+function logCspViolation(logger, report, context) {
+  logger.warn(
+    {
+      violation: {
+        documentUri: report["document-uri"],
+        violatedDirective: report["violated-directive"],
+        blockedUri: report["blocked-uri"],
+        sourceFile: report["source-file"],
+        line: report["line-number"],
+        column: report["column-number"],
+        scriptSample: report["script-sample"],
+        originalPolicy: report["original-policy"],
+        disposition: report.disposition
+      },
+      context: {
+        userAgent: context.userAgent,
+        ip: context.ip,
+        referer: context.referer,
+        timestamp: context.timestamp
+      }
+    },
+    "CSP Violation"
+  );
+}
+var processCSPReport = (body, context, logger) => {
+  try {
+    const reportData = body?.["csp-report"] || body;
+    if (!reportData || typeof reportData !== "object") {
+      logger.warn(
+        {
+          bodyType: typeof body,
+          context: sanitiseContext(context)
+        },
+        "Ignoring malformed CSP report"
+      );
+      return;
+    }
+    const documentUri = reportData["document-uri"] ?? reportData["documentURL"];
+    const violatedDirective = reportData["violated-directive"] ?? reportData["violatedDirective"];
+    if (!documentUri || !violatedDirective) {
+      logger.warn(
+        {
+          hasDocumentUri: !!documentUri,
+          hasViolatedDirective: !!violatedDirective,
+          context: sanitiseContext(context)
+        },
+        "Ignoring incomplete CSP report"
+      );
+      return;
+    }
+    const violation = {
+      "document-uri": String(documentUri),
+      "violated-directive": String(violatedDirective),
+      "blocked-uri": reportData["blocked-uri"] ?? reportData["blockedURL"] ?? "",
+      "source-file": reportData["source-file"] ?? reportData["sourceFile"],
+      "line-number": reportData["line-number"] ?? reportData["lineNumber"],
+      "column-number": reportData["column-number"] ?? reportData["columnNumber"],
+      "script-sample": reportData["script-sample"] ?? reportData["sample"],
+      "original-policy": reportData["original-policy"] ?? reportData["originalPolicy"] ?? "",
+      disposition: reportData.disposition ?? "enforce"
+    };
+    logCspViolation(logger, violation, context);
+  } catch (processingError) {
+    logger.warn(
+      {
+        error: processingError instanceof Error ? processingError.message : String(processingError),
+        bodyType: typeof body,
+        context: sanitiseContext(context)
+      },
+      "CSP report processing failed"
+    );
+  }
+};
+var cspReportPlugin = (0, import_fastify_plugin2.default)(
+  async (fastify, opts) => {
+    const { onViolation } = opts;
+    if (!opts.path || typeof opts.path !== "string") throw AppError.badRequest("CSP report path is required and must be a string");
+    const logger = createLogger({
+      debug: opts.debug,
+      context: { service: "csp-reporting" },
+      minLevel: "info"
+    });
+    fastify.post(opts.path, async (req, reply) => {
+      const context = {
+        userAgent: req.headers["user-agent"],
+        ip: req.ip,
+        referer: req.headers.referer,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        headers: req.headers,
+        __fastifyRequest: req
+        // onViolation callback
+      };
+      try {
+        processCSPReport(req.body, context, logger);
+        const reportData = req.body?.["csp-report"] || req.body;
+        if (onViolation && reportData && typeof reportData === "object") {
+          const documentUri = reportData["document-uri"] ?? reportData["documentURL"];
+          const violatedDirective = reportData["violated-directive"] ?? reportData["violatedDirective"];
+          if (documentUri && violatedDirective) {
+            const violation = {
+              "document-uri": String(documentUri),
+              "violated-directive": String(violatedDirective),
+              "blocked-uri": reportData["blocked-uri"] ?? reportData["blockedURL"] ?? "",
+              "source-file": reportData["source-file"] ?? reportData["sourceFile"],
+              "line-number": reportData["line-number"] ?? reportData["lineNumber"],
+              "column-number": reportData["column-number"] ?? reportData["columnNumber"],
+              "script-sample": reportData["script-sample"] ?? reportData["sample"],
+              "original-policy": reportData["original-policy"] ?? reportData["originalPolicy"] ?? "",
+              disposition: reportData.disposition ?? "enforce"
+            };
+            onViolation(violation, req);
+          }
+        }
+      } catch (err) {
+        logger.warn(
+          {
+            error: err instanceof Error ? err.message : String(err)
           },
-          onError: (err) => {
-            if (abortedState.aborted || isBenignSocketAbort(err)) {
-              logger.warn("Client disconnected before stream finished");
-              try {
-                if (!reply.raw.writableEnded && !reply.raw.destroyed) reply.raw.destroy();
-              } catch (e) {
-                logger.debug?.("stream teardown: destroy() failed", { error: normaliseError(e) });
+          "CSP reporting route failed"
+        );
+      }
+      reply.code(204).send();
+    });
+  },
+  { name: "taujs-csp-report-plugin" }
+);
+
+// src/utils/AssetManager.ts
+import { readFile } from "fs/promises";
+import path2 from "path";
+import { pathToFileURL } from "url";
+
+// src/utils/Templates.ts
+var CSS_LANGS_RE = /\.(css|less|sass|scss|styl|stylus|pcss|postcss|sss)(?:$|\?)/;
+async function collectStyle(server, entries) {
+  const urls = await collectStyleUrls(server, entries);
+  const codes = await Promise.all(
+    urls.map(async (url) => {
+      const res = await server.transformRequest(url + "?direct");
+      return [`/* [collectStyle] ${url} */`, res?.code];
+    })
+  );
+  return codes.flat().filter(Boolean).join("\n\n");
+}
+async function collectStyleUrls(server, entries) {
+  const visited = /* @__PURE__ */ new Set();
+  async function traverse(url) {
+    const [, id] = await server.moduleGraph.resolveUrl(url);
+    if (visited.has(id)) return;
+    visited.add(id);
+    const mod = server.moduleGraph.getModuleById(id);
+    if (!mod) return;
+    await Promise.all([...mod.importedModules].map((childMod) => traverse(childMod.url)));
+  }
+  await Promise.all(entries.map((e) => server.transformRequest(e)));
+  await Promise.all(entries.map((url) => traverse(url)));
+  return [...visited].filter((url) => url.match(CSS_LANGS_RE));
+}
+function renderPreloadLinks(ssrManifest, basePath = "") {
+  const seen = /* @__PURE__ */ new Set();
+  let links = "";
+  for (const moduleId in ssrManifest) {
+    const files = ssrManifest[moduleId];
+    if (files) {
+      files.forEach((file) => {
+        if (!seen.has(file)) {
+          seen.add(file);
+          links += renderPreloadLink(basePath ? `${basePath}/${file}` : `${file}`);
+        }
+      });
+    }
+  }
+  return links;
+}
+function renderPreloadLink(file) {
+  const fileType = file.match(/\.(js|css|woff2?|gif|jpe?g|png|svg)$/)?.[1];
+  switch (fileType) {
+    case "js":
+      return `<link rel="modulepreload" href="${file}">`;
+    case "css":
+      return `<link rel="stylesheet" href="${file}">`;
+    case "woff":
+    case "woff2":
+      return `<link rel="preload" href="${file}" as="font" type="font/${fileType}" crossorigin>`;
+    case "gif":
+    case "jpeg":
+    case "jpg":
+    case "png":
+      return `<link rel="preload" href="${file}" as="image" type="image/${fileType}">`;
+    case "svg":
+      return `<link rel="preload" href="${file}" as="image" type="image/svg+xml">`;
+    default:
+      return "";
+  }
+}
+function getCssLinks(manifest, basePath = "") {
+  const seen = /* @__PURE__ */ new Set();
+  const styles = [];
+  for (const key in manifest) {
+    const entry = manifest[key];
+    if (entry && entry.css) {
+      for (const cssFile of entry.css) {
+        if (!seen.has(cssFile)) {
+          seen.add(cssFile);
+          styles.push(`<link rel="preload stylesheet" as="style" type="text/css" href="${basePath}/${cssFile}">`);
+        }
+      }
+    }
+  }
+  return styles.join("\n");
+}
+var overrideCSSHMRConsoleError = () => {
+  const originalConsoleError = console.error;
+  console.error = function(message, ...optionalParams) {
+    if (typeof message === "string" && message.includes("css hmr is not supported in runtime mode")) return;
+    originalConsoleError.apply(console, [message, ...optionalParams]);
+  };
+};
+var ensureNonNull = (value, errorMessage) => {
+  if (value === void 0 || value === null) throw new Error(errorMessage);
+  return value;
+};
+function processTemplate(template) {
+  const [headSplit, bodySplit] = template.split(SSRTAG.ssrHead);
+  if (typeof bodySplit === "undefined") throw new Error(`Template is missing ${SSRTAG.ssrHead} marker.`);
+  const [beforeBody, afterBody] = bodySplit.split(SSRTAG.ssrHtml);
+  if (typeof beforeBody === "undefined" || typeof afterBody === "undefined") throw new Error(`Template is missing ${SSRTAG.ssrHtml} marker.`);
+  return {
+    beforeHead: headSplit,
+    afterHead: "",
+    beforeBody: beforeBody.replace(/\s*$/, ""),
+    afterBody: afterBody.replace(/^\s*/, "")
+  };
+}
+var rebuildTemplate = (parts, headContent, bodyContent) => {
+  return `${parts.beforeHead}${headContent}${parts.afterHead}${parts.beforeBody}${bodyContent}${parts.afterBody}`;
+};
+
+// src/utils/AssetManager.ts
+var createMaps = () => ({
+  bootstrapModules: /* @__PURE__ */ new Map(),
+  cssLinks: /* @__PURE__ */ new Map(),
+  manifests: /* @__PURE__ */ new Map(),
+  preloadLinks: /* @__PURE__ */ new Map(),
+  renderModules: /* @__PURE__ */ new Map(),
+  ssrManifests: /* @__PURE__ */ new Map(),
+  templates: /* @__PURE__ */ new Map()
+});
+var processConfigs = (configs, baseClientRoot, templateDefaults) => {
+  return configs.map((config) => {
+    const clientRoot = path2.resolve(baseClientRoot, config.entryPoint);
+    return {
+      clientRoot,
+      entryPoint: config.entryPoint,
+      entryClient: config.entryClient || templateDefaults.defaultEntryClient,
+      entryServer: config.entryServer || templateDefaults.defaultEntryServer,
+      htmlTemplate: config.htmlTemplate || templateDefaults.defaultHtmlTemplate,
+      appId: config.appId
+    };
+  });
+};
+var loadAssets = async (processedConfigs, baseClientRoot, bootstrapModules, cssLinks, manifests, preloadLinks, renderModules, ssrManifests, templates, opts = {}) => {
+  const logger = opts.logger ?? createLogger({
+    debug: opts.debug,
+    includeContext: true
+  });
+  for (const config of processedConfigs) {
+    const { clientRoot, entryClient, entryServer, htmlTemplate } = config;
+    try {
+      const templateHtmlPath = path2.join(clientRoot, htmlTemplate);
+      const templateHtml = await readFile(templateHtmlPath, "utf-8");
+      templates.set(clientRoot, templateHtml);
+      const relativeBasePath = path2.relative(baseClientRoot, clientRoot).replace(/\\/g, "/");
+      const adjustedRelativePath = relativeBasePath ? `/${relativeBasePath}` : "";
+      if (!isDevelopment) {
+        try {
+          const manifestPath = path2.join(clientRoot, ".vite/manifest.json");
+          const manifestContent = await readFile(manifestPath, "utf-8");
+          const manifest = JSON.parse(manifestContent);
+          manifests.set(clientRoot, manifest);
+          const ssrManifestPath = path2.join(clientRoot, ".vite/ssr-manifest.json");
+          const ssrManifestContent = await readFile(ssrManifestPath, "utf-8");
+          const ssrManifest = JSON.parse(ssrManifestContent);
+          ssrManifests.set(clientRoot, ssrManifest);
+          const entryClientFile = manifest[`${entryClient}.tsx`]?.file;
+          if (!entryClientFile) {
+            throw AppError.internal(`Entry client file not found in manifest for ${entryClient}.tsx`, {
+              details: {
+                clientRoot,
+                entryClient,
+                availableKeys: Object.keys(manifest)
               }
-              return;
-            }
-            abortedState.aborted = true;
-            logger.error("Critical rendering error during stream", {
-              error: normaliseError(err),
-              clientRoot,
-              url: req.url
             });
-            try {
-              ac?.abort?.();
-            } catch (e) {
-              logger.debug?.("stream teardown: abort() failed", { error: normaliseError(e) });
-            }
-            const reason = toReason(err);
-            try {
-              if (!reply.raw.writableEnded && !reply.raw.destroyed) reply.raw.destroy(reason);
-            } catch (e) {
-              logger.debug?.("stream teardown: destroy() failed", { error: normaliseError(e) });
-            }
           }
+          const bootstrapModule = `/${adjustedRelativePath}/${entryClientFile}`.replace(/\/{2,}/g, "/");
+          bootstrapModules.set(clientRoot, bootstrapModule);
+          const preloadLink = renderPreloadLinks(ssrManifest, adjustedRelativePath);
+          preloadLinks.set(clientRoot, preloadLink);
+          const cssLink = getCssLinks(manifest, adjustedRelativePath);
+          cssLinks.set(clientRoot, cssLink);
+          const renderModulePath = path2.join(clientRoot, `${entryServer}.js`);
+          const moduleUrl = pathToFileURL(renderModulePath).href;
+          try {
+            const importedModule = await import(moduleUrl);
+            renderModules.set(clientRoot, importedModule);
+          } catch (err) {
+            throw AppError.internal(`Failed to load render module ${renderModulePath}`, {
+              cause: err,
+              details: { moduleUrl, clientRoot, entryServer }
+            });
+          }
+        } catch (err) {
+          if (err instanceof AppError) {
+            logger.error(
+              {
+                error: { name: err.name, message: err.message, stack: err.stack, code: err.code },
+                stage: "loadAssets:production"
+              },
+              "Asset load failed"
+            );
+          } else {
+            logger.error(
+              {
+                error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err),
+                stage: "loadAssets:production"
+              },
+              "Asset load failed"
+            );
+          }
+        }
+      } else {
+        const bootstrapModule = `/${adjustedRelativePath}/${entryClient}`.replace(/\/{2,}/g, "/");
+        bootstrapModules.set(clientRoot, bootstrapModule);
+      }
+    } catch (err) {
+      logger.error(
+        {
+          error: err instanceof Error ? { name: err.name, message: err.message, stack: err.stack } : String(err),
+          stage: "loadAssets:config"
         },
-        initialDataInput,
-        req.url,
-        shouldHydrate ? bootstrapModule : void 0,
-        attr?.meta,
-        cspNonce,
-        ac.signal,
-        { logger: reqLogger }
+        "Failed to process config"
       );
-      writable.on("finish", () => {
-        if (abortedState.aborted || reply.raw.writableEnded) return;
-        const data = finalData ?? {};
-        const initialDataScript = `<script${cspNonce ? ` nonce="${cspNonce}"` : ""}>window.__INITIAL_DATA__ = ${JSON.stringify(data).replace(
-          /</g,
-          "\\u003c"
-        )}; window.dispatchEvent(new Event('taujs:data-ready'));</script>`;
-        reply.raw.write(initialDataScript);
-        reply.raw.write(templateParts.afterBody);
-        reply.raw.end();
-      });
     }
-  } catch (err) {
-    if (err instanceof AppError) throw err;
-    throw AppError.internal("handleRender failed", err, {
-      url: req.url,
-      route: req.routeOptions?.url
-    });
   }
 };
 
-// src/utils/HandleNotFound.ts
-var handleNotFound = async (req, reply, processedConfigs, maps, opts = {}) => {
-  const logger = opts.logger ?? createLogger({
-    debug: opts.debug,
-    context: { component: "handle-not-found", url: req.url, method: req.method, traceId: req.id }
+// src/utils/DevServer.ts
+import path3 from "path";
+var setupDevServer = async (app, baseClientRoot, alias, debug, devNet) => {
+  const logger = createLogger({
+    context: { service: "setupDevServer" },
+    debug,
+    minLevel: "debug"
   });
-  try {
-    if (/\.\w+$/.test(req.raw.url ?? "")) {
-      logger.debug?.("ssr", "Delegating asset-like request to Fastify notFound handler", { url: req.raw.url });
-      return reply.callNotFound();
+  const host = devNet?.host ?? process.env.HOST?.trim() ?? process.env.FASTIFY_ADDRESS?.trim() ?? "localhost";
+  const hmrPort = devNet?.hmrPort ?? (Number(process.env.HMR_PORT) || 5174);
+  const { createServer: createServer2 } = await import("vite");
+  const viteDevServer = await createServer2({
+    appType: "custom",
+    css: {
+      preprocessorOptions: {
+        scss: {
+          api: "modern-compiler"
+        }
+      }
+    },
+    mode: "development",
+    plugins: [
+      ...debug ? [
+        {
+          name: "\u03C4js-development-server-debug-logging",
+          configureServer(server) {
+            logger.debug("vite", `${CONTENT.TAG} Development server debug started`);
+            server.middlewares.use((req, res, next) => {
+              logger.debug(
+                "vite",
+                {
+                  method: req.method,
+                  url: req.url,
+                  host: req.headers.host,
+                  ua: req.headers["user-agent"]
+                },
+                "\u2190 rx"
+              );
+              res.on("finish", () => {
+                logger.debug(
+                  "vite",
+                  {
+                    method: req.method,
+                    url: req.url,
+                    statusCode: res.statusCode
+                  },
+                  "\u2192 tx"
+                );
+              });
+              next();
+            });
+          }
+        }
+      ] : []
+    ],
+    resolve: {
+      alias: {
+        "@client": path3.resolve(baseClientRoot),
+        "@server": path3.resolve(__dirname),
+        "@shared": path3.resolve(__dirname, "../shared"),
+        ...alias
+      }
+    },
+    root: baseClientRoot,
+    server: {
+      middlewareMode: true,
+      hmr: {
+        clientPort: hmrPort,
+        host: host !== "localhost" ? host : void 0,
+        port: hmrPort,
+        protocol: "ws"
+      }
     }
-    const defaultConfig = processedConfigs[0];
-    if (!defaultConfig) {
-      logger.error?.("No default configuration found", { configCount: processedConfigs.length, url: req.raw.url });
-      throw AppError.internal("No default configuration found", {
-        details: { configCount: processedConfigs.length, url: req.raw.url }
+  });
+  overrideCSSHMRConsoleError();
+  app.addHook("onRequest", async (request, reply) => {
+    await new Promise((resolve) => {
+      viteDevServer.middlewares(request.raw, reply.raw, () => {
+        if (!reply.sent) resolve();
       });
-    }
-    const { clientRoot } = defaultConfig;
-    const cspNonce = req.cspNonce ?? void 0;
-    const template = ensureNonNull(maps.templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
-    const cssLink = maps.cssLinks.get(clientRoot);
-    const bootstrapModule = maps.bootstrapModules.get(clientRoot);
-    logger.debug?.("ssr", "Preparing not-found fallback HTML", {
-      clientRoot,
-      hasCssLink: Boolean(cssLink),
-      hasBootstrapModule: Boolean(bootstrapModule),
-      isDevelopment,
-      hasCspNonce: Boolean(cspNonce)
     });
-    let processedTemplate = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
-    if (!isDevelopment && cssLink) {
-      processedTemplate = processedTemplate.replace("</head>", `${cssLink}</head>`);
-    }
-    if (bootstrapModule) {
-      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : "";
-      processedTemplate = processedTemplate.replace("</body>", `<script${nonceAttr} type="module" src="${bootstrapModule}" defer></script></body>`);
-    }
-    logger.debug?.("ssr", "Sending not-found fallback HTML", { status: 200 });
-    return reply.status(200).type("text/html").send(processedTemplate);
-  } catch (err) {
-    logger.error?.("handleNotFound failed", { error: err, url: req.url, clientRoot: processedConfigs[0]?.clientRoot });
-    throw AppError.internal("handleNotFound failed", err, {
-      stage: "handleNotFound",
-      url: req.url,
-      clientRoot: processedConfigs[0]?.clientRoot
-    });
-  }
+  });
+  return viteDevServer;
 };
 
-// src/security/CSPReporting.ts
-var import_fastify_plugin2 = __toESM(require_plugin(), 1);
-function sanitiseContext(ctx) {
-  return {
-    userAgent: ctx.userAgent,
-    ip: ctx.ip,
-    referer: ctx.referer,
-    timestamp: ctx.timestamp
-    // headers: ctx.headers,
-  };
+// src/utils/HandleRender.ts
+import path4 from "path";
+import { PassThrough } from "stream";
+
+// src/utils/Telemetry.ts
+import crypto2 from "crypto";
+function createRequestContext(req, reply, baseLogger) {
+  const raw = typeof req.headers["x-trace-id"] === "string" ? req.headers["x-trace-id"] : "";
+  const traceId = raw && REGEX.SAFE_TRACE.test(raw) ? raw : typeof req.id === "string" ? req.id : crypto2.randomUUID();
+  reply.header("x-trace-id", traceId);
+  const anyLogger = baseLogger;
+  const child = anyLogger.child;
+  const logger = typeof child === "function" ? child.call(baseLogger, { traceId, url: req.url, method: req.method }) : baseLogger;
+  const headers = Object.fromEntries(
+    Object.entries(req.headers).map(([headerName, headerValue]) => {
+      const normalisedValue = Array.isArray(headerValue) ? headerValue.join(",") : headerValue ?? "";
+      return [headerName, normalisedValue];
+    })
+  );
+  return { traceId, logger, headers };
 }
-function logCspViolation(logger, report, context) {
-  logger.warn("CSP Violation", {
-    violation: {
-      documentUri: report["document-uri"],
-      violatedDirective: report["violated-directive"],
-      blockedUri: report["blocked-uri"],
-      sourceFile: report["source-file"],
-      line: report["line-number"],
-      column: report["column-number"],
-      scriptSample: report["script-sample"],
-      originalPolicy: report["original-policy"],
-      disposition: report.disposition
-    },
-    context: {
-      userAgent: context.userAgent,
-      ip: context.ip,
-      referer: context.referer,
-      timestamp: context.timestamp
-    }
+
+// src/utils/HandleRender.ts
+var handleRender = async (req, reply, routeMatchers, processedConfigs, serviceRegistry, maps, opts = {}) => {
+  const { viteDevServer } = opts;
+  const logger = opts.logger ?? createLogger({
+    debug: opts.debug,
+    minLevel: isDevelopment ? "debug" : "info",
+    includeContext: true,
+    includeStack: (lvl) => lvl === "error" || isDevelopment
   });
-}
-var processCSPReport = (body, context, logger) => {
   try {
-    const reportData = body?.["csp-report"] || body;
-    if (!reportData || typeof reportData !== "object") {
-      logger.warn("Ignoring malformed CSP report", {
-        bodyType: typeof body,
-        context: sanitiseContext(context)
-      });
+    if (/\.\w+$/.test(req.raw.url ?? "")) return reply.callNotFound();
+    const url = req.url ? new URL(req.url, `http://${req.headers.host}`).pathname : "/";
+    const matchedRoute = matchRoute(url, routeMatchers);
+    const rawNonce = req.cspNonce;
+    const cspNonce = rawNonce && rawNonce.length > 0 ? rawNonce : void 0;
+    if (!matchedRoute) {
+      reply.callNotFound();
       return;
     }
-    const documentUri = reportData["document-uri"] ?? reportData["documentURL"];
-    const violatedDirective = reportData["violated-directive"] ?? reportData["violatedDirective"];
-    if (!documentUri || !violatedDirective) {
-      logger.warn("Ignoring incomplete CSP report", {
-        hasDocumentUri: !!documentUri,
-        hasViolatedDirective: !!violatedDirective,
-        context: sanitiseContext(context)
+    const { route, params } = matchedRoute;
+    const { attr, appId } = route;
+    const config = processedConfigs.find((c) => c.appId === appId);
+    if (!config) {
+      throw AppError.internal("No configuration found for the request", {
+        details: {
+          appId,
+          availableAppIds: processedConfigs.map((c) => c.appId),
+          url
+        }
       });
-      return;
     }
-    const violation = {
-      "document-uri": String(documentUri),
-      "violated-directive": String(violatedDirective),
-      "blocked-uri": reportData["blocked-uri"] ?? reportData["blockedURL"] ?? "",
-      "source-file": reportData["source-file"] ?? reportData["sourceFile"],
-      "line-number": reportData["line-number"] ?? reportData["lineNumber"],
-      "column-number": reportData["column-number"] ?? reportData["columnNumber"],
-      "script-sample": reportData["script-sample"] ?? reportData["sample"],
-      "original-policy": reportData["original-policy"] ?? reportData["originalPolicy"] ?? "",
-      disposition: reportData.disposition ?? "enforce"
-    };
-    logCspViolation(logger, violation, context);
-  } catch (processingError) {
-    logger.warn("CSP report processing failed", {
-      error: processingError instanceof Error ? processingError.message : String(processingError),
-      bodyType: typeof body,
-      context: sanitiseContext(context)
-    });
-  }
-};
-var cspReportPlugin = (0, import_fastify_plugin2.default)(
-  async (fastify, opts) => {
-    const { onViolation } = opts;
-    if (!opts.path || typeof opts.path !== "string") throw AppError.badRequest("CSP report path is required and must be a string");
-    const logger = createLogger({
-      debug: opts.debug,
-      context: { service: "csp-reporting" },
-      minLevel: "info"
-    });
-    fastify.post(opts.path, async (req, reply) => {
-      const context = {
-        userAgent: req.headers["user-agent"],
-        ip: req.ip,
-        referer: req.headers.referer,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        headers: req.headers,
-        __fastifyRequest: req
-        // onViolation callback
-      };
+    const { clientRoot, entryServer } = config;
+    let template = ensureNonNull(maps.templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
+    const bootstrapModule = maps.bootstrapModules.get(clientRoot);
+    const cssLink = maps.cssLinks.get(clientRoot);
+    const manifest = maps.manifests.get(clientRoot);
+    const preloadLink = maps.preloadLinks.get(clientRoot);
+    const ssrManifest = maps.ssrManifests.get(clientRoot);
+    let renderModule;
+    if (isDevelopment && viteDevServer) {
       try {
-        processCSPReport(req.body, context, logger);
-        const reportData = req.body?.["csp-report"] || req.body;
-        if (onViolation && reportData && typeof reportData === "object") {
-          const documentUri = reportData["document-uri"] ?? reportData["documentURL"];
-          const violatedDirective = reportData["violated-directive"] ?? reportData["violatedDirective"];
-          if (documentUri && violatedDirective) {
-            const violation = {
-              "document-uri": String(documentUri),
-              "violated-directive": String(violatedDirective),
-              "blocked-uri": reportData["blocked-uri"] ?? reportData["blockedURL"] ?? "",
-              "source-file": reportData["source-file"] ?? reportData["sourceFile"],
-              "line-number": reportData["line-number"] ?? reportData["lineNumber"],
-              "column-number": reportData["column-number"] ?? reportData["columnNumber"],
-              "script-sample": reportData["script-sample"] ?? reportData["sample"],
-              "original-policy": reportData["original-policy"] ?? reportData["originalPolicy"] ?? "",
-              disposition: reportData.disposition ?? "enforce"
-            };
-            onViolation(violation, req);
-          }
+        template = template.replace(/<script type="module" src="\/@vite\/client"><\/script>/g, "");
+        template = template.replace(/<style type="text\/css">[\s\S]*?<\/style>/g, "");
+        const entryServerPath = path4.join(clientRoot, `${entryServer}.tsx`);
+        const executedModule = await viteDevServer.ssrLoadModule(entryServerPath);
+        renderModule = executedModule;
+        const styles = await collectStyle(viteDevServer, [entryServerPath]);
+        const styleNonce = cspNonce ? ` nonce="${cspNonce}"` : "";
+        template = template?.replace("</head>", `<style type="text/css"${styleNonce}>${styles}</style></head>`);
+        template = await viteDevServer.transformIndexHtml(url, template);
+      } catch (error) {
+        throw AppError.internal("Failed to load dev assets", { cause: error, details: { clientRoot, entryServer, url } });
+      }
+    } else {
+      renderModule = maps.renderModules.get(clientRoot);
+      if (!renderModule) throw AppError.internal(`Render module not found for clientRoot: ${clientRoot}. Module should have been preloaded.`);
+    }
+    const renderType = attr?.render ?? RENDERTYPE.ssr;
+    const templateParts = processTemplate(template);
+    const baseLogger = opts.logger ?? logger;
+    const { traceId, logger: reqLogger, headers } = createRequestContext(req, reply, baseLogger);
+    const ctx = { traceId, logger: reqLogger, headers };
+    const initialDataInput = () => fetchInitialData(attr, params, serviceRegistry, ctx);
+    if (renderType === RENDERTYPE.ssr) {
+      const { renderSSR } = renderModule;
+      if (!renderSSR) {
+        throw AppError.internal("renderSSR function not found in module", {
+          details: { clientRoot, availableFunctions: Object.keys(renderModule) }
+        });
+      }
+      const ac = new AbortController();
+      const onAborted = () => ac.abort("client_aborted");
+      req.raw.on("aborted", onAborted);
+      reply.raw.on("close", () => {
+        if (!reply.raw.writableEnded) ac.abort("socket_closed");
+      });
+      reply.raw.on("finish", () => req.raw.off("aborted", onAborted));
+      if (ac.signal.aborted) {
+        logger.warn("SSR skipped; already aborted", { url: req.url });
+        return;
+      }
+      const initialDataResolved = await initialDataInput();
+      let headContent = "";
+      let appHtml = "";
+      try {
+        const res = await renderSSR(initialDataResolved, req.url, attr?.meta, ac.signal, { logger: reqLogger });
+        headContent = res.headContent;
+        appHtml = res.appHtml;
+      } catch (err) {
+        const msg = String(err?.message ?? err ?? "");
+        const benign = REGEX.BENIGN_NET_ERR.test(msg);
+        if (ac.signal.aborted || benign) {
+          logger.warn("SSR aborted mid-render (benign)", { url: req.url, reason: msg });
+          return;
         }
+        logger.error("SSR render failed", { url: req.url, error: normaliseError(err) });
+        throw err;
+      }
+      let aggregateHeadContent = headContent;
+      if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
+      if (manifest && cssLink) aggregateHeadContent += cssLink;
+      const shouldHydrate = attr?.hydrate !== false;
+      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : "";
+      const initialDataScript = `<script${nonceAttr}>window.__INITIAL_DATA__ = ${JSON.stringify(initialDataResolved).replace(/</g, "\\u003c")};</script>`;
+      const bootstrapScriptTag = shouldHydrate && bootstrapModule ? `<script${nonceAttr} type="module" src="${bootstrapModule}" defer></script>` : "";
+      const safeAppHtml = appHtml.trim();
+      const fullHtml = rebuildTemplate(templateParts, aggregateHeadContent, `${safeAppHtml}${initialDataScript}${bootstrapScriptTag}`);
+      try {
+        return reply.status(200).header("Content-Type", "text/html").send(fullHtml);
       } catch (err) {
-        logger.warn("CSP reporting route failed", {
-          error: err instanceof Error ? err.message : String(err)
-        });
+        const msg = String(err?.message ?? err ?? "");
+        const benign = REGEX.BENIGN_NET_ERR.test(msg);
+        if (!benign) logger.error("SSR send failed", { url: req.url, error: normaliseError(err) });
+        else logger.warn("SSR send aborted (benign)", { url: req.url, reason: msg });
+        return;
       }
-      reply.code(204).send();
-    });
-  },
-  { name: "taujs-csp-report-plugin" }
-);
-
-// src/SSRServer.ts
-var SSRServer = (0, import_fastify_plugin3.default)(
-  async (app, opts) => {
-    const { alias, configs, routes, serviceRegistry, clientRoot: baseClientRoot, security } = opts;
-    const logger = createLogger({
-      debug: opts.debug,
-      context: { component: "ssr-server" },
-      minLevel: process.env.NODE_ENV === "production" ? "info" : "debug",
-      includeContext: true,
-      singleLine: true
-    });
-    const maps = createMaps();
-    const processedConfigs = processConfigs(configs, baseClientRoot, TEMPLATE);
-    const routeMatchers = createRouteMatchers(routes);
-    let viteDevServer;
-    await loadAssets(
-      processedConfigs,
-      baseClientRoot,
-      maps.bootstrapModules,
-      maps.cssLinks,
-      maps.manifests,
-      maps.preloadLinks,
-      maps.renderModules,
-      maps.ssrManifests,
-      maps.templates,
-      {
-        debug: opts.debug,
-        logger
+    } else {
+      const { renderStream } = renderModule;
+      if (!renderStream) {
+        throw AppError.internal("renderStream function not found in module", {
+          details: { clientRoot, availableFunctions: Object.keys(renderModule) }
+        });
       }
-    );
-    if (opts.registerStaticAssets && typeof opts.registerStaticAssets === "object") {
-      const { plugin, options } = opts.registerStaticAssets;
-      await app.register(plugin, {
-        root: baseClientRoot,
-        prefix: "/",
-        index: false,
-        wildcard: false,
-        ...options ?? {}
+      const cspHeader = reply.getHeader("Content-Security-Policy");
+      reply.raw.writeHead(200, {
+        "Content-Security-Policy": cspHeader,
+        "Content-Type": "text/html; charset=utf-8"
       });
-    }
-    if (security?.csp?.reporting) {
-      app.register(cspReportPlugin, {
-        path: security.csp.reporting.endpoint,
-        debug: opts.debug,
-        logger,
-        onViolation: security.csp.reporting.onViolation
+      const ac = new AbortController();
+      const onAborted = () => ac.abort();
+      req.raw.on("aborted", onAborted);
+      reply.raw.on("close", () => {
+        if (!reply.raw.writableEnded) ac.abort();
+      });
+      reply.raw.on("finish", () => req.raw.off("aborted", onAborted));
+      const shouldHydrate = attr?.hydrate !== false;
+      const abortedState = { aborted: false };
+      const isBenignSocketAbort = (e) => {
+        const msg = String(e?.message ?? e ?? "");
+        return REGEX.BENIGN_NET_ERR.test(msg);
+      };
+      const writable = new PassThrough();
+      writable.on("error", (err) => {
+        if (!isBenignSocketAbort(err)) logger.error("PassThrough error:", { error: err });
       });
-    }
-    app.register(cspPlugin, {
-      directives: opts.security?.csp?.directives,
-      generateCSP: opts.security?.csp?.generateCSP,
-      routeMatchers,
-      debug: opts.debug
-    });
-    if (isDevelopment) viteDevServer = await setupDevServer(app, baseClientRoot, alias, opts.debug, opts.devNet);
-    app.addHook("onRequest", createAuthHook(routeMatchers, logger));
-    app.get("/*", async (req, reply) => {
-      await handleRender(req, reply, routeMatchers, processedConfigs, serviceRegistry, maps, {
-        debug: opts.debug,
-        logger,
-        viteDevServer
+      reply.raw.on("error", (err) => {
+        if (!isBenignSocketAbort(err)) logger.error("HTTP socket error:", { error: err });
       });
-    });
-    app.setNotFoundHandler(async (req, reply) => {
-      await handleNotFound(
-        req,
-        reply,
-        processedConfigs,
+      writable.pipe(reply.raw, { end: false });
+      let finalData = void 0;
+      renderStream(
+        writable,
         {
-          cssLinks: maps.cssLinks,
-          bootstrapModules: maps.bootstrapModules,
-          templates: maps.templates
+          onHead: (headContent) => {
+            let aggregateHeadContent = headContent;
+            if (ssrManifest && preloadLink) aggregateHeadContent += preloadLink;
+            if (manifest && cssLink) aggregateHeadContent += cssLink;
+            return reply.raw.write(`${templateParts.beforeHead}${aggregateHeadContent}${templateParts.afterHead}${templateParts.beforeBody}`);
+          },
+          onShellReady: () => {
+          },
+          onAllReady: (data) => {
+            if (!abortedState.aborted) finalData = data;
+          },
+          onError: (err) => {
+            if (abortedState.aborted || isBenignSocketAbort(err)) {
+              logger.warn("Client disconnected before stream finished");
+              try {
+                if (!reply.raw.writableEnded && !reply.raw.destroyed) reply.raw.destroy();
+              } catch (e) {
+                logger.debug?.("stream teardown: destroy() failed", { error: normaliseError(e) });
+              }
+              return;
+            }
+            abortedState.aborted = true;
+            logger.error("Critical rendering error during stream", {
+              error: normaliseError(err),
+              clientRoot,
+              url: req.url
+            });
+            try {
+              ac?.abort?.();
+            } catch (e) {
+              logger.debug?.("stream teardown: abort() failed", { error: normaliseError(e) });
+            }
+            const reason = toReason(err);
+            try {
+              if (!reply.raw.writableEnded && !reply.raw.destroyed) reply.raw.destroy(reason);
+            } catch (e) {
+              logger.debug?.("stream teardown: destroy() failed", { error: normaliseError(e) });
+            }
+          }
         },
-        {
-          debug: opts.debug,
-          logger
-        }
+        initialDataInput,
+        req.url,
+        shouldHydrate ? bootstrapModule : void 0,
+        attr?.meta,
+        cspNonce,
+        ac.signal,
+        { logger: reqLogger }
       );
-    });
-    app.setErrorHandler((err, req, reply) => {
-      const e = AppError.from(err);
-      logger.error(e.message, {
-        kind: e.kind,
-        httpStatus: e.httpStatus,
-        ...e.code && { code: e.code },
-        details: e.details,
-        method: req.method,
-        url: req.url,
-        route: req.routeOptions?.url,
-        stack: e.stack
-      });
-      if (!reply.raw.headersSent) {
-        const { status, body } = toHttp(e);
-        reply.status(status).send(body);
-      } else {
+      writable.on("finish", () => {
+        if (abortedState.aborted || reply.raw.writableEnded) return;
+        const data = finalData ?? {};
+        const initialDataScript = `<script${cspNonce ? ` nonce="${cspNonce}"` : ""}>window.__INITIAL_DATA__ = ${JSON.stringify(data).replace(
+          /</g,
+          "\\u003c"
+        )}; window.dispatchEvent(new Event('taujs:data-ready'));</script>`;
+        reply.raw.write(initialDataScript);
+        reply.raw.write(templateParts.afterBody);
         reply.raw.end();
-      }
-    });
-  },
-  { name: "\u03C4js-ssr-server" }
-);
-
-// src/CreateServer.ts
-var import_picocolors4 = __toESM(require_picocolors(), 1);
-import path5 from "path";
-import { performance as performance2 } from "perf_hooks";
-import fastifyStatic from "@fastify/static";
-import Fastify from "fastify";
-
-// src/Setup.ts
-import { performance } from "perf_hooks";
-var extractBuildConfigs = (config) => {
-  return config.apps.map(({ appId, entryPoint, plugins }) => ({
-    appId,
-    entryPoint,
-    plugins
-  }));
-};
-var extractRoutes = (taujsConfig) => {
-  const t0 = performance.now();
-  const allRoutes = [];
-  const apps = [];
-  const warnings = [];
-  const pathTracker = /* @__PURE__ */ new Map();
-  for (const app of taujsConfig.apps) {
-    const appRoutes = (app.routes ?? []).map((route) => {
-      const fullRoute = { ...route, appId: app.appId };
-      if (!pathTracker.has(route.path)) pathTracker.set(route.path, []);
-      pathTracker.get(route.path).push(app.appId);
-      return fullRoute;
-    });
-    apps.push({ appId: app.appId, routeCount: appRoutes.length });
-    allRoutes.push(...appRoutes);
-  }
-  for (const [path6, appIds] of pathTracker.entries()) {
-    if (appIds.length > 1) warnings.push(`Route path "${path6}" is declared in multiple apps: ${appIds.join(", ")}`);
-  }
-  const sortedRoutes = allRoutes.sort((a, b) => computeScore(b.path) - computeScore(a.path));
-  const durationMs = performance.now() - t0;
-  return {
-    routes: sortedRoutes,
-    apps,
-    totalRoutes: allRoutes.length,
-    durationMs,
-    warnings
-  };
-};
-var extractSecurity = (taujsConfig) => {
-  const t0 = performance.now();
-  const user = taujsConfig.security ?? {};
-  const userCsp = user.csp;
-  const hasExplicitCSP = !!userCsp;
-  const normalisedCsp = userCsp ? {
-    defaultMode: userCsp.defaultMode ?? "merge",
-    directives: userCsp.directives,
-    generateCSP: userCsp.generateCSP,
-    reporting: userCsp.reporting ? {
-      endpoint: userCsp.reporting.endpoint,
-      onViolation: userCsp.reporting.onViolation,
-      reportOnly: userCsp.reporting.reportOnly ?? false
-    } : void 0
-  } : void 0;
-  const security = { csp: normalisedCsp };
-  const summary = {
-    mode: hasExplicitCSP ? "explicit" : "dev-defaults",
-    defaultMode: normalisedCsp?.defaultMode ?? "merge",
-    hasReporting: !!normalisedCsp?.reporting?.endpoint,
-    reportOnly: !!normalisedCsp?.reporting?.reportOnly
-  };
-  const durationMs = performance.now() - t0;
-  return {
-    security,
-    durationMs,
-    hasExplicitCSP,
-    summary
-  };
-};
-function printConfigSummary(logger, apps, configsCount, totalRoutes, durationMs, warnings) {
-  logger.info(`${CONTENT.TAG} [config] Loaded ${configsCount} app(s), ${totalRoutes} route(s) in ${durationMs.toFixed(1)}ms`);
-  apps.forEach((a) => logger.debug("routes", `\u2022 ${a.appId}: ${a.routeCount} route(s)`));
-  warnings.forEach((w) => logger.warn(`${CONTENT.TAG} [warn] ${w}`));
-}
-function printSecuritySummary(logger, routes, security, hasExplicitCSP, securityDurationMs) {
-  const total = routes.length;
-  const disabled = routes.filter((r) => r.attr?.middleware?.csp === false).length;
-  const custom = routes.filter((r) => {
-    const v = r.attr?.middleware?.csp;
-    return v !== void 0 && v !== false;
-  }).length;
-  const enabled = total - disabled;
-  const hasReporting = !!security.csp?.reporting?.endpoint;
-  const mode = security.csp?.defaultMode ?? "merge";
-  let status = "configured";
-  let detail = "";
-  if (hasExplicitCSP) {
-    detail = `explicit, mode=${mode}`;
-    if (hasReporting) detail += ", reporting";
-    if (custom > 0) detail += `, ${custom} route override(s)`;
-  } else {
-    if (process.env.NODE_ENV === "production") {
-      logger.warn("(consider explicit config for production)");
-    }
-  }
-  logger.info(`${CONTENT.TAG} [security] CSP ${status} (${enabled}/${total} routes) in ${securityDurationMs.toFixed(1)}ms`);
-}
-function printContractReport(logger, report) {
-  for (const r of report.items) {
-    const line = `${CONTENT.TAG} [security][${r.key}] ${r.message}`;
-    if (r.status === "error") {
-      logger.error(line);
-    } else if (r.status === "warning") {
-      logger.warn(line);
-    } else if (r.status === "skipped") {
-      logger.debug(r.key, line);
-    } else {
-      logger.info(line);
+      });
     }
+  } catch (err) {
+    if (err instanceof AppError) throw err;
+    throw AppError.internal("handleRender failed", err, {
+      url: req.url,
+      route: req.routeOptions?.url
+    });
   }
-}
-var computeScore = (path6) => {
-  return path6.split("/").filter(Boolean).reduce((score, segment) => score + (segment.startsWith(":") ? 1 : 10), 0);
 };
 
-// src/network/Network.ts
-var import_picocolors3 = __toESM(require_picocolors(), 1);
-import { networkInterfaces } from "os";
-var isPrivateIPv4 = (addr) => {
-  if (!/^\d+\.\d+\.\d+\.\d+$/.test(addr)) return false;
-  const [a, b, _c, _d] = addr.split(".").map(Number);
-  if (a === 10) return true;
-  if (a === 192 && b === 168) return true;
-  if (a === 172 && b >= 16 && b <= 31) return true;
-  return false;
-};
-var bannerPlugin = async (fastify, options) => {
-  const logger = createLogger({ debug: options.debug });
-  const dbgNetwork = logger.isDebugEnabled("network");
-  fastify.decorate("showBanner", function showBanner() {
-    const addr = this.server.address();
-    if (!addr || typeof addr === "string") return;
-    const { address, port } = addr;
-    const boundHost = address === "::1" ? "localhost" : address === "::" ? "::" : address === "0.0.0.0" ? "0.0.0.0" : address;
-    console.log(`\u2503 Local    ${import_picocolors3.default.bold(`http://localhost:${port}/`)}`);
-    if (boundHost === "localhost" || boundHost === "127.0.0.1") {
-      console.log("\u2503 Network  use --host to expose\n");
-      return;
-    }
-    const nets = networkInterfaces();
-    let networkAddress = null;
-    for (const ifaces of Object.values(nets)) {
-      if (!ifaces) continue;
-      for (const iface of ifaces) {
-        if (iface.internal || iface.family !== "IPv4") continue;
-        if (isPrivateIPv4(iface.address)) {
-          networkAddress = iface.address;
-          break;
-        }
-        if (!networkAddress) networkAddress = iface.address;
-      }
-      if (networkAddress && isPrivateIPv4(networkAddress)) break;
+// src/utils/HandleNotFound.ts
+var handleNotFound = async (req, reply, processedConfigs, maps, opts = {}) => {
+  const logger = opts.logger ?? createLogger({
+    debug: opts.debug,
+    context: { component: "handle-not-found", url: req.url, method: req.method, traceId: req.id }
+  });
+  try {
+    if (/\.\w+$/.test(req.raw.url ?? "")) {
+      logger.debug?.("ssr", { url: req.raw.url }, "Delegating asset-like request to Fastify notFound handler");
+      return reply.callNotFound();
     }
-    if (networkAddress) {
-      console.log(`\u2503 Network  http://${networkAddress}:${port}/
-`);
-      if (dbgNetwork) logger.warn(import_picocolors3.default.yellow(`${CONTENT.TAG} [network] Dev server exposed on network - for local testing only.`));
+    const defaultConfig = processedConfigs[0];
+    if (!defaultConfig) {
+      logger.error?.({ configCount: processedConfigs.length, url: req.raw.url }, "No default configuration found");
+      throw AppError.internal("No default configuration found", {
+        details: { configCount: processedConfigs.length, url: req.raw.url }
+      });
     }
-    logger.info(import_picocolors3.default.green(`${CONTENT.TAG} [network] Bound to host: ${boundHost}`));
-  });
-  fastify.addHook("onReady", async function() {
-    if (this.server.listening) {
-      this.showBanner();
-      return;
+    const { clientRoot } = defaultConfig;
+    const cspNonce = req.cspNonce ?? void 0;
+    const template = ensureNonNull(maps.templates.get(clientRoot), `Template not found for clientRoot: ${clientRoot}`);
+    const cssLink = maps.cssLinks.get(clientRoot);
+    const bootstrapModule = maps.bootstrapModules.get(clientRoot);
+    logger.debug?.(
+      "ssr",
+      {
+        clientRoot,
+        hasCssLink: !!cssLink,
+        hasBootstrapModule: !!bootstrapModule,
+        isDevelopment,
+        hasCspNonce: !!cspNonce
+      },
+      "Preparing not-found fallback HTML"
+    );
+    let processedTemplate = template.replace(SSRTAG.ssrHead, "").replace(SSRTAG.ssrHtml, "");
+    if (!isDevelopment && cssLink) {
+      processedTemplate = processedTemplate.replace("</head>", `${cssLink}</head>`);
     }
-    this.server.once("listening", () => this.showBanner());
-  });
-};
-
-// src/network/CLI.ts
-function readFlag(argv, keys, bareValue) {
-  const end = argv.indexOf("--");
-  const limit = end === -1 ? argv.length : end;
-  for (let i = 0; i < limit; i++) {
-    const arg = argv[i];
-    for (const key of keys) {
-      if (arg === key) {
-        const next = argv[i + 1];
-        if (!next || next.startsWith("-")) return bareValue;
-        return next.trim();
-      }
-      const pref = `${key}=`;
-      if (arg && arg.startsWith(pref)) {
-        const v = arg.slice(pref.length).trim();
-        return v || bareValue;
-      }
+    if (bootstrapModule) {
+      const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : "";
+      processedTemplate = processedTemplate.replace("</body>", `<script${nonceAttr} type="module" src="${bootstrapModule}" defer></script></body>`);
     }
+    logger.debug?.("ssr", { status: 200 }, "Sending not-found fallback HTML");
+    return reply.status(200).type("text/html").send(processedTemplate);
+  } catch (err) {
+    logger.error?.({ error: err, url: req.url, clientRoot: processedConfigs[0]?.clientRoot }, "handleNotFound failed");
+    throw AppError.internal("handleNotFound failed", err, {
+      stage: "handleNotFound",
+      url: req.url,
+      clientRoot: processedConfigs[0]?.clientRoot
+    });
   }
-  return void 0;
+};
+
+// src/utils/StaticAssets.ts
+function normalizeStaticAssets(reg) {
+  if (!reg) return [];
+  return Array.isArray(reg) ? reg : [reg];
 }
-function resolveNet(input) {
-  const env = process.env;
-  const argv = process.argv;
-  let host = "localhost";
-  let port = 5173;
-  let hmrPort = 5174;
-  if (input?.host) host = input.host;
-  if (Number.isFinite(input?.port)) port = Number(input.port);
-  if (Number.isFinite(input?.hmrPort)) hmrPort = Number(input.hmrPort);
-  if (env.HOST?.trim()) host = env.HOST.trim();
-  else if (env.FASTIFY_ADDRESS?.trim()) host = env.FASTIFY_ADDRESS.trim();
-  if (env.PORT) port = Number(env.PORT) || port;
-  if (env.FASTIFY_PORT) port = Number(env.FASTIFY_PORT) || port;
-  if (env.HMR_PORT) hmrPort = Number(env.HMR_PORT) || hmrPort;
-  const cliHost = readFlag(argv, ["--host", "--hostname", "-H"], "0.0.0.0");
-  const cliPort = readFlag(argv, ["--port", "-p"]);
-  const cliHMR = readFlag(argv, ["--hmr-port"]);
-  if (cliHost) host = cliHost;
-  if (cliPort) port = Number(cliPort) || port;
-  if (cliHMR) hmrPort = Number(cliHMR) || hmrPort;
-  if (host === "true" || host === "") host = "0.0.0.0";
-  return { host, port, hmrPort };
+function prefixWeight(prefix) {
+  if (typeof prefix !== "string" || prefix === "/" || prefix.length === 0) return 0;
+  return prefix.split("/").filter(Boolean).length;
 }
-
-// src/security/VerifyMiddleware.ts
-var isAuthRequired = (route) => Boolean(route.attr?.middleware?.auth);
-var hasAuthenticate = (app) => typeof app.authenticate === "function";
-function formatCspLoadedMsg(hasGlobal, custom) {
-  if (hasGlobal) {
-    return custom > 0 ? `Loaded global config with ${custom} route override(s)` : "Loaded global config";
+async function registerStaticAssets(app, baseClientRoot, reg, defaults) {
+  const entries = normalizeStaticAssets(reg).map(({ plugin, options }) => ({
+    plugin,
+    options: {
+      root: baseClientRoot,
+      prefix: "/",
+      index: false,
+      wildcard: false,
+      ...defaults ?? {},
+      ...options ?? {}
+    }
+  }));
+  entries.sort((a, b) => prefixWeight(b.options?.prefix) - prefixWeight(a.options?.prefix));
+  for (const { plugin, options } of entries) {
+    await app.register(plugin, options);
   }
-  return custom > 0 ? `Loaded development defaults with ${custom} route override(s)` : "Loaded development defaults";
 }
-var verifyContracts = (app, routes, contracts, security) => {
-  const items = [];
-  for (const contract of contracts) {
-    const isRequired = contract.required(routes, security);
-    if (!isRequired) {
-      items.push({
-        key: contract.key,
-        status: "skipped",
-        message: `No routes require "${contract.key}"`
-      });
-      continue;
-    }
-    if (!contract.verify(app)) {
-      const msg = `[\u03C4js] ${contract.errorMessage}`;
-      items.push({ key: contract.key, status: "error", message: msg });
-      throw new Error(msg);
-    }
-    if (contract.key === "csp") {
-      const total = routes.length;
-      const disabled = routes.filter((r) => r.attr?.middleware?.csp === false).length;
-      const custom = routes.filter((r) => {
-        const v = r.attr?.middleware?.csp;
-        return v !== void 0 && v !== false;
-      }).length;
-      const enabled = total - disabled;
-      const hasGlobal = !!security?.csp;
-      let status = "verified";
-      let tail = "";
-      if (!hasGlobal && process.env.NODE_ENV === "production") {
-        status = "warning";
-        tail = " (consider adding global CSP for production)";
+
+// src/SSRServer.ts
+var SSRServer = (0, import_fastify_plugin3.default)(
+  async (app, opts) => {
+    const { alias, configs, routes, serviceRegistry, clientRoot: baseClientRoot, security } = opts;
+    const logger = createLogger({
+      debug: opts.debug,
+      context: { component: "ssr-server" },
+      minLevel: process.env.NODE_ENV === "production" ? "info" : "debug",
+      includeContext: true,
+      singleLine: true
+    });
+    const maps = createMaps();
+    const processedConfigs = processConfigs(configs, baseClientRoot, TEMPLATE);
+    const routeMatchers = createRouteMatchers(routes);
+    let viteDevServer;
+    await loadAssets(
+      processedConfigs,
+      baseClientRoot,
+      maps.bootstrapModules,
+      maps.cssLinks,
+      maps.manifests,
+      maps.preloadLinks,
+      maps.renderModules,
+      maps.ssrManifests,
+      maps.templates,
+      {
+        debug: opts.debug,
+        logger
       }
-      const baseMsg = formatCspLoadedMsg(hasGlobal, custom);
-      items.push({
-        key: "csp",
-        status,
-        message: baseMsg + tail
-      });
-      items.push({
-        key: "csp",
-        status,
-        message: `\u2713 Verified (${enabled} enabled, ${disabled} disabled, ${total} total). ` + tail
-      });
-    } else {
-      const count = routes.filter((r) => contract.required([r], security)).length;
-      items.push({
-        key: contract.key,
-        status: "verified",
-        message: `\u2713 ${count} route(s)`
+    );
+    if (opts.staticAssets) await registerStaticAssets(app, baseClientRoot, opts.staticAssets);
+    if (security?.csp?.reporting) {
+      app.register(cspReportPlugin, {
+        path: security.csp.reporting.endpoint,
+        debug: opts.debug,
+        logger,
+        onViolation: security.csp.reporting.onViolation
       });
     }
-  }
-  return { items };
-};
+    app.register(cspPlugin, {
+      directives: opts.security?.csp?.directives,
+      generateCSP: opts.security?.csp?.generateCSP,
+      routeMatchers,
+      debug: opts.debug
+    });
+    if (isDevelopment) viteDevServer = await setupDevServer(app, baseClientRoot, alias, opts.debug, opts.devNet);
+    app.addHook("onRequest", createAuthHook(routeMatchers, logger));
+    app.get("/*", async (req, reply) => {
+      await handleRender(req, reply, routeMatchers, processedConfigs, serviceRegistry, maps, {
+        debug: opts.debug,
+        logger,
+        viteDevServer
+      });
+    });
+    app.setNotFoundHandler(async (req, reply) => {
+      await handleNotFound(
+        req,
+        reply,
+        processedConfigs,
+        {
+          cssLinks: maps.cssLinks,
+          bootstrapModules: maps.bootstrapModules,
+          templates: maps.templates
+        },
+        {
+          debug: opts.debug,
+          logger
+        }
+      );
+    });
+    app.setErrorHandler((err, req, reply) => {
+      const e = AppError.from(err);
+      const alreadyLogged = !!e?.details && e.details && e.details.logged;
+      if (!alreadyLogged) {
+        logger.error(
+          {
+            kind: e.kind,
+            httpStatus: e.httpStatus,
+            ...e.code ? { code: e.code } : {},
+            ...e.details ? { details: e.details } : {},
+            method: req.method,
+            url: req.url,
+            route: req.routeOptions?.url,
+            stack: e.stack
+          },
+          e.message
+        );
+      }
+      if (!reply.raw.headersSent) {
+        const { status, body } = toHttp(e);
+        reply.status(status).send(body);
+      } else {
+        reply.raw.end();
+      }
+    });
+  },
+  { name: "\u03C4js-ssr-server" }
+);
 
 // src/CreateServer.ts
 var createServer = async (opts) => {
@@ -1988,17 +2069,20 @@ var createServer = async (opts) => {
       configs,
       routes,
       serviceRegistry: opts.serviceRegistry,
-      registerStaticAssets: opts.registerStaticAssets !== void 0 ? opts.registerStaticAssets : { plugin: fastifyStatic },
+      staticAssets: opts.staticAssets !== void 0 ? opts.staticAssets : { plugin: fastifyStatic },
       debug: opts.debug,
       alias: opts.alias,
       security,
       devNet: { host: net.host, hmrPort: net.hmrPort }
     });
   } catch (err) {
-    logger.error("Failed to register SSRServer", {
-      step: "register:SSRServer",
-      error: normaliseError(err)
-    });
+    logger.error(
+      {
+        step: "register:SSRServer",
+        error: normaliseError(err)
+      },
+      "Failed to register SSRServer"
+    );
   }
   const t1 = performance2.now();
   console.log(`
@@ -2007,8 +2091,90 @@ ${import_picocolors4.default.bgGreen(import_picocolors4.default.black(` ${CONTEN
   if (opts.fastify) return { net };
   return { app, net };
 };
+
+// src/Build.ts
+import path6 from "path";
+import { build } from "vite";
+import { nodePolyfills } from "vite-plugin-node-polyfills";
+async function taujsBuild({
+  config,
+  projectRoot,
+  clientBaseDir,
+  isSSRBuild = process.env.BUILD_MODE === "ssr"
+}) {
+  const deleteDist = async () => {
+    const { rm } = await import("fs/promises");
+    const distPath = path6.resolve(projectRoot, "dist");
+    try {
+      await rm(distPath, { recursive: true, force: true });
+      console.log("Deleted the dist directory\n");
+    } catch (err) {
+      console.error("Error deleting dist directory:", err);
+    }
+  };
+  const extractedConfigs = extractBuildConfigs(config);
+  const processedConfigs = processConfigs(extractedConfigs, clientBaseDir, TEMPLATE);
+  if (!isSSRBuild) await deleteDist();
+  for (const config2 of processedConfigs) {
+    const { appId, entryPoint, clientRoot, entryClient, entryServer, htmlTemplate, plugins = [] } = config2;
+    const outDir = path6.resolve(projectRoot, `dist/client/${entryPoint}`);
+    const root = entryPoint ? path6.resolve(clientBaseDir, entryPoint) : clientBaseDir;
+    const server = path6.resolve(clientRoot, `${entryServer}.tsx`);
+    const client = path6.resolve(clientRoot, `${entryClient}.tsx`);
+    const main = path6.resolve(clientRoot, htmlTemplate);
+    const viteConfig = {
+      base: entryPoint ? `/${entryPoint}/` : "/",
+      build: {
+        outDir,
+        manifest: !isSSRBuild,
+        rollupOptions: {
+          input: isSSRBuild ? { server } : { client, main }
+        },
+        ssr: isSSRBuild ? server : void 0,
+        ssrManifest: isSSRBuild,
+        ...isSSRBuild && {
+          format: "esm",
+          target: `node${process.versions.node.split(".").map(Number)[0]}`
+        }
+      },
+      css: {
+        preprocessorOptions: {
+          scss: { api: "modern-compiler" }
+        }
+      },
+      plugins: [...plugins, nodePolyfills({ include: ["fs", "stream"] })],
+      publicDir: "public",
+      resolve: {
+        alias: {
+          "@client": root,
+          "@server": path6.resolve(projectRoot, "src/server"),
+          "@shared": path6.resolve(projectRoot, "src/shared")
+        }
+      },
+      root,
+      server: {
+        proxy: {
+          "/api": {
+            target: "http://localhost:3000",
+            changeOrigin: true,
+            rewrite: (path7) => path7.replace(/^\/api/, "")
+          }
+        }
+      }
+    };
+    try {
+      console.log(`Building for entryPoint: "${entryPoint}" (${appId})`);
+      await build(viteConfig);
+      console.log(`Build complete for entryPoint: "${entryPoint}"
+`);
+    } catch (error) {
+      console.error(`Error building for entryPoint: "${entryPoint}"
+`, error);
+      process.exit(1);
+    }
+  }
+}
 export {
-  SSRServer,
-  TEMPLATE,
-  createServer
+  createServer,
+  taujsBuild
 };