@timber-js/app 0.2.0-alpha.2 → 0.2.0-alpha.4

Files changed (77) hide show
  1. package/dist/_chunks/{als-registry-k-AtAQ9R.js → als-registry-B7DbZ2hS.js} +1 -1
  2. package/dist/_chunks/{als-registry-k-AtAQ9R.js.map → als-registry-B7DbZ2hS.js.map} +1 -1
  3. package/dist/_chunks/debug-B4WUeqJ-.js +75 -0
  4. package/dist/_chunks/debug-B4WUeqJ-.js.map +1 -0
  5. package/dist/_chunks/{format-DNt20Kt8.js → format-CwdaB0_2.js} +3 -2
  6. package/dist/_chunks/format-CwdaB0_2.js.map +1 -0
  7. package/dist/_chunks/{interception-DGDIjDbR.js → interception-BOoWmLUA.js} +2 -2
  8. package/dist/_chunks/{interception-DGDIjDbR.js.map → interception-BOoWmLUA.js.map} +1 -1
  9. package/dist/_chunks/{metadata-routes-CQCnF4VK.js → metadata-routes-Cjmvi3rQ.js} +1 -1
  10. package/dist/_chunks/{metadata-routes-CQCnF4VK.js.map → metadata-routes-Cjmvi3rQ.js.map} +1 -1
  11. package/dist/_chunks/{request-context-CRj2Zh1E.js → request-context-CZJi4CuK.js} +5 -4
  12. package/dist/_chunks/request-context-CZJi4CuK.js.map +1 -0
  13. package/dist/_chunks/{ssr-data-DLnbYpj1.js → ssr-data-MjmprTmO.js} +1 -1
  14. package/dist/_chunks/{ssr-data-DLnbYpj1.js.map → ssr-data-MjmprTmO.js.map} +1 -1
  15. package/dist/_chunks/{tracing-DF0G3FB7.js → tracing-Cwn7697K.js} +2 -2
  16. package/dist/_chunks/{tracing-DF0G3FB7.js.map → tracing-Cwn7697K.js.map} +1 -1
  17. package/dist/_chunks/{use-cookie-dDbpCTx-.js → use-cookie-DX-l1_5E.js} +2 -2
  18. package/dist/_chunks/{use-cookie-dDbpCTx-.js.map → use-cookie-DX-l1_5E.js.map} +1 -1
  19. package/dist/_chunks/{use-query-states-DAhgj8Gx.js → use-query-states-D5KaffOK.js} +1 -1
  20. package/dist/_chunks/{use-query-states-DAhgj8Gx.js.map → use-query-states-D5KaffOK.js.map} +1 -1
  21. package/dist/cache/index.js +2 -2
  22. package/dist/client/error-boundary.js +1 -1
  23. package/dist/client/index.js +3 -3
  24. package/dist/client/top-loader.d.ts.map +1 -1
  25. package/dist/cookies/index.js +4 -4
  26. package/dist/index.d.ts +38 -0
  27. package/dist/index.d.ts.map +1 -1
  28. package/dist/index.js +22 -6
  29. package/dist/index.js.map +1 -1
  30. package/dist/plugins/build-report.d.ts +11 -1
  31. package/dist/plugins/build-report.d.ts.map +1 -1
  32. package/dist/plugins/entries.d.ts.map +1 -1
  33. package/dist/plugins/server-bundle.d.ts.map +1 -1
  34. package/dist/routing/index.js +1 -1
  35. package/dist/search-params/index.js +1 -1
  36. package/dist/server/access-gate.d.ts.map +1 -1
  37. package/dist/server/action-client.d.ts.map +1 -1
  38. package/dist/server/debug.d.ts +51 -0
  39. package/dist/server/debug.d.ts.map +1 -0
  40. package/dist/server/deny-renderer.d.ts.map +1 -1
  41. package/dist/server/dev-warnings.d.ts.map +1 -1
  42. package/dist/server/index.js +14 -13
  43. package/dist/server/index.js.map +1 -1
  44. package/dist/server/logger.d.ts.map +1 -1
  45. package/dist/server/primitives.d.ts.map +1 -1
  46. package/dist/server/request-context.d.ts.map +1 -1
  47. package/dist/server/response-cache.d.ts +53 -0
  48. package/dist/server/response-cache.d.ts.map +1 -0
  49. package/dist/server/rsc-entry/index.d.ts.map +1 -1
  50. package/dist/server/rsc-entry/rsc-payload.d.ts.map +1 -1
  51. package/dist/server/rsc-entry/rsc-stream.d.ts.map +1 -1
  52. package/dist/server/rsc-entry/ssr-renderer.d.ts.map +1 -1
  53. package/dist/server/rsc-prop-warnings.d.ts.map +1 -1
  54. package/dist/shims/image.d.ts +15 -15
  55. package/package.json +1 -1
  56. package/src/client/stale-reload.ts +1 -1
  57. package/src/client/top-loader.tsx +18 -15
  58. package/src/index.ts +40 -0
  59. package/src/plugins/build-report.ts +23 -3
  60. package/src/plugins/entries.ts +2 -0
  61. package/src/plugins/server-bundle.ts +4 -0
  62. package/src/server/access-gate.tsx +3 -2
  63. package/src/server/action-client.ts +3 -2
  64. package/src/server/debug.ts +99 -0
  65. package/src/server/deny-renderer.ts +3 -2
  66. package/src/server/dev-warnings.ts +2 -1
  67. package/src/server/logger.ts +4 -3
  68. package/src/server/primitives.ts +2 -1
  69. package/src/server/request-context.ts +3 -2
  70. package/src/server/response-cache.ts +277 -0
  71. package/src/server/rsc-entry/index.ts +36 -9
  72. package/src/server/rsc-entry/rsc-payload.ts +4 -1
  73. package/src/server/rsc-entry/rsc-stream.ts +2 -1
  74. package/src/server/rsc-entry/ssr-renderer.ts +6 -2
  75. package/src/server/rsc-prop-warnings.ts +3 -1
  76. package/dist/_chunks/format-DNt20Kt8.js.map +0 -1
  77. package/dist/_chunks/request-context-CRj2Zh1E.js.map +0 -1
@@ -10,6 +10,7 @@
10
10
 
11
11
  import { getTraceStore } from './tracing.js';
12
12
  import { formatSsrError } from './error-formatter.js';
13
+ import { isDebug } from './debug.js';
13
14
 
14
15
  // ─── Logger Interface ─────────────────────────────────────────────────────
15
16
 
@@ -103,7 +104,7 @@ export function logMiddlewareShortCircuit(data: {
103
104
  export function logMiddlewareError(data: { method: string; path: string; error: unknown }): void {
104
105
  if (_logger) {
105
106
  _logger.error('unhandled error in middleware phase', withTraceContext(data));
106
- } else if (process.env.NODE_ENV !== 'production') {
107
+ } else if (isDebug()) {
107
108
  console.error('[timber] middleware error', data.error);
108
109
  }
109
110
  }
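Review bot: When no logger is registered and `isDebug()` is false, the `else if` branch of `logMiddlewareError` discards the error with no record at all, and `logRenderError` and `logProxyError` in the next two hunks use the same gate. Because the rsc-entry change lets debug be enabled in production, the other case matters too: `console.error('[timber] middleware error', data.error)` then writes the raw error object to the process log. I would add a final `else` that emits one line without error detail, e.g. `console.error('[timber] middleware error (configure a logger or enable debug for details)');`, and reword the `// No logger configured — fall back to console.error in dev` comment in `logRenderError` to say "when debug is enabled".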
@@ -112,7 +113,7 @@ export function logMiddlewareError(data: { method: string; path: string; error:
112
113
  export function logRenderError(data: { method: string; path: string; error: unknown }): void {
113
114
  if (_logger) {
114
115
  _logger.error('unhandled render-phase error', withTraceContext(data));
115
- } else if (process.env.NODE_ENV !== 'production') {
116
+ } else if (isDebug()) {
116
117
  // No logger configured — fall back to console.error in dev with
117
118
  // cleaned-up error messages (vendor paths rewritten, hints added).
118
119
  console.error('[timber] render error:', formatSsrError(data.error));
@@ -123,7 +124,7 @@ export function logRenderError(data: { method: string; path: string; error: unkn
123
124
  export function logProxyError(data: { error: unknown }): void {
124
125
  if (_logger) {
125
126
  _logger.error('proxy.ts threw uncaught error', withTraceContext(data));
126
- } else if (process.env.NODE_ENV !== 'production') {
127
+ } else if (isDebug()) {
127
128
  console.error('[timber] proxy error', data.error);
128
129
  }
129
130
  }
@@ -5,6 +5,7 @@
5
5
 
6
6
  import type { JsonSerializable } from './types.js';
7
7
  import { getWaitUntil as _getWaitUntil } from './waituntil-bridge.js';
8
+ import { isDebug } from './debug.js';
8
9
 
9
10
  // ─── Dev-mode validation ────────────────────────────────────────────────────
10
11
 
@@ -83,7 +84,7 @@ export function findNonSerializable(value: unknown, path = 'data'): string | nul
83
84
  * No-op in production.
84
85
  */
85
86
  function warnIfNotSerializable(data: unknown, callerName: string): void {
86
- if (process.env.NODE_ENV === 'production') return;
87
+ if (!isDebug()) return;
87
88
  if (data === undefined) return;
88
89
 
89
90
  const issue = findNonSerializable(data);
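Review bot: The doc comment above `warnIfNotSerializable` still ends with `No-op in production.`, which no longer matches the new `if (!isDebug()) return;` guard. The rsc-entry hunk states that debug can be switched on in production, so the serializability walk and its warning can now run there. Suggested wording: `* No-op unless debug mode is enabled (see isDebug()).` The function body continues outside this hunk.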
@@ -13,6 +13,7 @@
13
13
  import { createHmac, timingSafeEqual } from 'node:crypto';
14
14
  import type { Routes } from '#/index.js';
15
15
  import { requestContextAls, type RequestContextStore, type CookieEntry } from './als-registry.js';
16
+ import { isDebug } from './debug.js';
16
17
 
17
18
  // Re-export the ALS for framework-internal consumers that need direct access.
18
19
  export { requestContextAls };
@@ -117,7 +118,7 @@ export function cookies(): RequestCookies {
117
118
  set(name: string, value: string, options?: CookieOptions): void {
118
119
  assertMutable(store, 'set');
119
120
  if (store.flushed) {
120
- if (process.env.NODE_ENV !== 'production') {
121
+ if (isDebug()) {
121
122
  console.warn(
122
123
  `[timber] warn: cookies().set('${name}') called after response headers were committed.\n` +
123
124
  ` The cookie will NOT be sent. Move cookie mutations to middleware.ts, a server action,\n` +
@@ -146,7 +147,7 @@ export function cookies(): RequestCookies {
146
147
  delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void {
147
148
  assertMutable(store, 'delete');
148
149
  if (store.flushed) {
149
- if (process.env.NODE_ENV !== 'production') {
150
+ if (isDebug()) {
150
151
  console.warn(
151
152
  `[timber] warn: cookies().delete('${name}') called after response headers were committed.\n` +
152
153
  ` The cookie will NOT be deleted. Move cookie mutations to middleware.ts, a server action,\n` +
@@ -0,0 +1,277 @@
1
+ /**
2
+ * Render-level response deduplication and short-TTL LRU cache.
3
+ *
4
+ * Two layers of optimization:
5
+ *
6
+ * 1. **Singleflight** — concurrent requests to the same URL share a single
7
+ * render. Uses createSingleflight() from cache/singleflight.ts.
8
+ *
9
+ * 2. **LRU cache** — recently rendered responses are reused without
10
+ * re-executing the RSC-to-SSR pipeline. Entries have a short TTL
11
+ * (default 5s) and the cache has a bounded size (default 150 entries).
12
+ *
13
+ * Cache keys are compound: method + pathname + isRscPayload. Responses
14
+ * with Set-Cookie headers are never cached (they contain user-specific
15
+ * state). When `publicOnly` is true (default), requests with Cookie or
16
+ * Authorization headers bypass the cache entirely.
17
+ *
18
+ * See design/02-rendering-pipeline.md, design/31-benchmarking.md.
19
+ */
20
+
21
+ import { createSingleflight } from '#/cache/singleflight.js';
22
+
23
+ // ─── Configuration ─────────────────────────────────────────────────────────
24
+
25
+ export interface ResponseCacheConfig {
26
+ /** Maximum number of entries in the LRU cache. Default: 150. */
27
+ maxSize?: number;
28
+ /** TTL for cached entries in milliseconds. Default: 5000 (5s). */
29
+ ttlMs?: number;
30
+ /**
31
+ * When true (default), requests with Cookie or Authorization headers
32
+ * bypass the cache entirely. This prevents sharing user-specific
33
+ * responses across requests.
34
+ */
35
+ publicOnly?: boolean;
36
+ }
37
+
38
+ export interface ResolvedResponseCacheConfig {
39
+ maxSize: number;
40
+ ttlMs: number;
41
+ publicOnly: boolean;
42
+ }
43
+
44
+ export function resolveResponseCacheConfig(
45
+ config?: ResponseCacheConfig | false
46
+ ): ResolvedResponseCacheConfig | null {
47
+ // Explicitly disabled
48
+ if (config === false) return null;
49
+
50
+ return {
51
+ maxSize: config?.maxSize ?? 150,
52
+ ttlMs: config?.ttlMs ?? 5000,
53
+ publicOnly: config?.publicOnly ?? true,
54
+ };
55
+ }
56
+
57
+ // ─── Cache Entry ───────────────────────────────────────────────────────────
58
+
59
+ interface CacheEntry {
60
+ /** The cached response body as an ArrayBuffer (already consumed). */
61
+ body: ArrayBuffer;
62
+ /** Response status code. */
63
+ status: number;
64
+ /** Response headers (serialized). */
65
+ headers: [string, string][];
66
+ /** Timestamp when this entry was created. */
67
+ createdAt: number;
68
+ }
69
+
70
+ // ─── Singleflight Result ───────────────────────────────────────────────────
71
+
72
+ /** Internal type: singleflight returns either a raw response or a cache entry. */
73
+ interface SingleflightResult {
74
+ /** Non-null when the response wasn't cacheable — only the first caller gets it. */
75
+ response: Response | null;
76
+ /** Non-null when the response was cached — all callers construct from this. */
77
+ entry: CacheEntry | null;
78
+ }
79
+
80
+ // ─── LRU Cache ─────────────────────────────────────────────────────────────
81
+
82
+ /**
83
+ * Simple LRU cache backed by a Map (insertion order = access order).
84
+ * On get, we delete and re-insert to move the entry to the end (most recent).
85
+ * On eviction, we delete from the beginning (least recent).
86
+ */
87
+ class LruCache {
88
+ private readonly map = new Map<string, CacheEntry>();
89
+ private readonly maxSize: number;
90
+ private readonly ttlMs: number;
91
+
92
+ constructor(maxSize: number, ttlMs: number) {
93
+ this.maxSize = maxSize;
94
+ this.ttlMs = ttlMs;
95
+ }
96
+
97
+ get(key: string): CacheEntry | undefined {
98
+ const entry = this.map.get(key);
99
+ if (!entry) return undefined;
100
+
101
+ // Check TTL
102
+ if (Date.now() - entry.createdAt > this.ttlMs) {
103
+ this.map.delete(key);
104
+ return undefined;
105
+ }
106
+
107
+ // Move to end (most recently used)
108
+ this.map.delete(key);
109
+ this.map.set(key, entry);
110
+ return entry;
111
+ }
112
+
113
+ set(key: string, entry: CacheEntry): void {
114
+ // If key exists, remove to re-insert at end
115
+ this.map.delete(key);
116
+
117
+ // Evict oldest if at capacity
118
+ if (this.map.size >= this.maxSize) {
119
+ const oldest = this.map.keys().next().value;
120
+ if (oldest !== undefined) {
121
+ this.map.delete(oldest);
122
+ }
123
+ }
124
+
125
+ this.map.set(key, entry);
126
+ }
127
+
128
+ get size(): number {
129
+ return this.map.size;
130
+ }
131
+
132
+ clear(): void {
133
+ this.map.clear();
134
+ }
135
+ }
136
+
137
+ // ─── Response Cache ────────────────────────────────────────────────────────
138
+
139
+ export interface ResponseCache {
140
+ /**
141
+ * Wrap a render function with singleflight dedup + LRU caching.
142
+ * Returns the cached Response or executes the render function.
143
+ */
144
+ getOrRender(
145
+ req: Request,
146
+ isRscPayload: boolean,
147
+ renderFn: () => Promise<Response>
148
+ ): Promise<Response>;
149
+
150
+ /** Number of entries currently in the LRU cache. */
151
+ readonly size: number;
152
+
153
+ /** Clear all cached entries. */
154
+ clear(): void;
155
+ }
156
+
157
+ /**
158
+ * Create a response cache with singleflight deduplication and LRU caching.
159
+ */
160
+ export function createResponseCache(config: ResolvedResponseCacheConfig): ResponseCache {
161
+ const lru = new LruCache(config.maxSize, config.ttlMs);
162
+ const singleflight = createSingleflight();
163
+
164
+ function buildCacheKey(req: Request, isRscPayload: boolean): string | null {
165
+ // When publicOnly is true, skip caching for authenticated requests
166
+ if (config.publicOnly) {
167
+ if (req.headers.has('Cookie') || req.headers.has('Authorization')) {
168
+ return null;
169
+ }
170
+ }
171
+
172
+ const url = new URL(req.url);
173
+ return `${req.method}:${url.pathname}:${isRscPayload ? 'rsc' : 'html'}`;
174
+ }
175
+
176
+ /**
177
+ * Check if a response is cacheable.
178
+ * Responses with Set-Cookie headers are never cached — they contain
179
+ * user-specific state that must not be shared across requests.
180
+ */
181
+ function isCacheable(response: Response): boolean {
182
+ // Don't cache error responses
183
+ if (response.status >= 400) return false;
184
+
185
+ // Don't cache redirects
186
+ if (response.status >= 300 && response.status < 400) return false;
187
+
188
+ // Don't cache responses with Set-Cookie (user-specific state)
189
+ if (response.headers.has('Set-Cookie')) return false;
190
+
191
+ // Only cache responses with a body
192
+ if (!response.body) return false;
193
+
194
+ return true;
195
+ }
196
+
197
+ /** Construct a fresh Response from a cache entry (each caller gets their own). */
198
+ function responseFromEntry(entry: CacheEntry): Response {
199
+ // slice(0) creates a copy so each caller owns their buffer
200
+ return new Response(entry.body.slice(0), {
201
+ status: entry.status,
202
+ headers: entry.headers,
203
+ });
204
+ }
205
+
206
+ return {
207
+ async getOrRender(
208
+ req: Request,
209
+ isRscPayload: boolean,
210
+ renderFn: () => Promise<Response>
211
+ ): Promise<Response> {
212
+ const cacheKey = buildCacheKey(req, isRscPayload);
213
+
214
+ // No cache key = skip caching entirely
215
+ if (cacheKey === null) {
216
+ return renderFn();
217
+ }
218
+
219
+ // Check LRU cache first
220
+ const cached = lru.get(cacheKey);
221
+ if (cached) {
222
+ return responseFromEntry(cached);
223
+ }
224
+
225
+ // Singleflight: concurrent requests to the same key share one render.
226
+ // The singleflight returns a SingleflightResult so all waiters
227
+ // can construct their own Response from the same cached data.
228
+ const result: SingleflightResult = await singleflight.do(cacheKey, async () => {
229
+ const response = await renderFn();
230
+
231
+ if (!isCacheable(response)) {
232
+ return { response, entry: null };
233
+ }
234
+
235
+ // Buffer the response body for caching.
236
+ // The original Response body is consumed here — callers get copies
237
+ // from the cached ArrayBuffer.
238
+ const body = await response.arrayBuffer();
239
+ const headers: [string, string][] = [];
240
+ response.headers.forEach((value, key) => {
241
+ headers.push([key, value]);
242
+ });
243
+
244
+ const entry: CacheEntry = {
245
+ body,
246
+ status: response.status,
247
+ headers,
248
+ createdAt: Date.now(),
249
+ };
250
+
251
+ lru.set(cacheKey, entry);
252
+
253
+ return { response: null, entry };
254
+ });
255
+
256
+ // Non-cacheable response — only the first caller gets the original.
257
+ // For singleflight, this means concurrent waiters get the same promise
258
+ // result. The first caller already consumed the body, so subsequent
259
+ // callers would get an empty body. This is acceptable: non-cacheable
260
+ // responses (errors, redirects, Set-Cookie) are rare under concurrent
261
+ // identical requests, and the status + headers are still correct.
262
+ if (result.response) {
263
+ return result.response;
264
+ }
265
+
266
+ return responseFromEntry(result.entry!);
267
+ },
268
+
269
+ get size() {
270
+ return lru.size;
271
+ },
272
+
273
+ clear() {
274
+ lru.clear();
275
+ },
276
+ };
277
+ }
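Review bot: `buildCacheKey` keys entries on `req.method`, `url.pathname` and the RSC flag only, so requests that differ in query string (or host) share one entry, and a response rendered for one visitor's query parameters is replayed to every cookie-less visitor of that path until the TTL expires. Every method is keyed as well, and `isCacheable` never looks at the response's `Cache-Control`, so output a route marks `private` or `no-store` is still stored. Separately, the non-cacheable branch of `getOrRender` hands the same `Response` to every singleflight waiter: its body can be read only once, and its `Set-Cookie` header, which this file's own comment calls user-specific, reaches requests it was not issued for. The sketch below puts the query string in the key, limits caching to GET/HEAD, and makes waiters re-render when the shared result was not cacheable; it assumes `createSingleflight` runs only the first caller's function, which is not visible here.

```typescript
function buildCacheKey(req: Request, isRscPayload: boolean): string | null {
  // Only safe, idempotent reads may be shared between requests.
  if (req.method !== 'GET' && req.method !== 'HEAD') return null;
  // … unchanged: publicOnly check for Cookie / Authorization …
  const url = new URL(req.url);
  // Host and query string select the content, so they belong in the key.
  return `${req.method}:${url.host}${url.pathname}${url.search}:${isRscPayload ? 'rsc' : 'html'}`;
}

// in getOrRender
let ranRender = false;
const result: SingleflightResult = await singleflight.do(cacheKey, async () => {
  ranRender = true;
  // … unchanged: renderFn(), isCacheable check, body buffering, lru.set …
});

if (result.response) {
  // A waiter must not receive another request's Set-Cookie or an already-consumed body.
  return ranRender ? result.response : renderFn();
}
```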
@@ -63,10 +63,16 @@ import {
63
63
  isRscPayloadRequest,
64
64
  } from './helpers.js';
65
65
  import { parseClientStateTree } from '#/server/state-tree-diff.js';
66
+ import {
67
+ createResponseCache,
68
+ resolveResponseCacheConfig,
69
+ type ResponseCache,
70
+ } from '#/server/response-cache.js';
66
71
  import { buildRscPayloadResponse } from './rsc-payload.js';
67
72
  import { renderRscStream } from './rsc-stream.js';
68
73
  import { renderSsrResponse } from './ssr-renderer.js';
69
74
  import { callSsr } from './ssr-bridge.js';
75
+ import { isDebug, setDebugFromConfig } from '#/server/debug.js';
70
76
 
71
77
  // Dev-only pipeline error handler, set by the dev server after import.
72
78
  // In production this is always undefined — no overhead.
@@ -124,7 +130,14 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
124
130
  // Dev logging — initialize OTEL-based dev tracing once at handler creation.
125
131
  // In production, isDev is false — no tracing, no overhead.
126
132
  // The DevSpanProcessor handles all formatting and stderr output.
127
- const isDev = process.env.NODE_ENV !== 'production';
133
+ // Initialize debug flag from config before anything else.
134
+ // This allows timber.config.ts `debug: true` to enable debug logging
135
+ // in production without the TIMBER_DEBUG env var.
136
+ if ((runtimeConfig as Record<string, unknown>).debug) {
137
+ setDebugFromConfig(true);
138
+ }
139
+
140
+ const isDev = isDebug();
128
141
  const slowPhaseMs = (runtimeConfig as Record<string, unknown>).slowPhaseMs as number | undefined;
129
142
 
130
143
  if (isDev) {
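Review bot: `if ((runtimeConfig as Record<string, unknown>).debug)` turns debug on for any truthy value, so a config that ends up holding the string `'false'` or `'0'` (for example when populated from an environment variable) enables debug output in production; compare with `=== true` instead. The comment kept above the change still reads `In production, isDev is false — no tracing, no overhead.`, which is no longer accurate now that `isDev` is `isDebug()`. Renaming the local to `debugEnabled` or rewording that comment would stop it misleading the next reader. `createRequestHandler` starts and ends outside this hunk.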
@@ -140,6 +153,17 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
140
153
 
141
154
  const typedBuildManifest = buildManifest as BuildManifest;
142
155
 
156
+ // Initialize response-level caching and singleflight deduplication.
157
+ // See design/31-benchmarking.md for performance motivation.
158
+ const responseCacheRaw = (runtimeConfig as Record<string, unknown>).responseCache as
159
+ | { maxSize?: number; ttlMs?: number; publicOnly?: boolean }
160
+ | false
161
+ | undefined;
162
+ const responseCacheConfig = resolveResponseCacheConfig(responseCacheRaw);
163
+ const responseCache: ResponseCache | null = responseCacheConfig
164
+ ? createResponseCache(responseCacheConfig)
165
+ : null;
166
+
143
167
  const pipelineConfig: PipelineConfig = {
144
168
  proxyLoader: manifest.proxy?.load,
145
169
  matchRoute,
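Review bot: `responseCacheRaw` is typed by assertion and passed on unchecked, and `resolveResponseCacheConfig` returns the defaults for `undefined`, so the cache is active for every app that does not set `responseCache: false`. A `NaN` `maxSize` makes the `this.map.size >= this.maxSize` test in `LruCache.set` never true, which removes the size bound. I would validate before use, e.g. `Number.isInteger(maxSize) && maxSize > 0` and `Number.isFinite(ttlMs) && ttlMs >= 0`, falling back to the defaults otherwise, and state in the config documentation that caching is on by default. `createRequestHandler` continues outside this hunk.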
@@ -170,14 +194,17 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
170
194
  _requestHeaderOverlay: Headers,
171
195
  interception?: InterceptionContext
172
196
  ) => {
173
- return renderRoute(
174
- req,
175
- match,
176
- responseHeaders,
177
- clientBootstrap,
178
- clientJsDisabled,
179
- interception
180
- );
197
+ const doRender = () =>
198
+ renderRoute(req, match, responseHeaders, clientBootstrap, clientJsDisabled, interception);
199
+
200
+ // Response cache wraps the render with singleflight + LRU.
201
+ // Interception requests (modals) are excluded — they depend on
202
+ // X-Timber-URL which makes caching semantics ambiguous.
203
+ if (responseCache && !interception) {
204
+ const isRsc = (req.headers.get('Accept') ?? '').includes('text/x-component');
205
+ return responseCache.getOrRender(req, isRsc, doRender);
206
+ }
207
+ return doRender();
181
208
  },
182
209
  renderNoMatch: async (req: Request, responseHeaders: Headers) => {
183
210
  return renderNoMatchPage(req, manifest.root, responseHeaders, clientBootstrap);
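Review bot: On a cache hit `doRender` never runs, so the `responseHeaders` and `_requestHeaderOverlay` prepared for this request take no part in the returned response; the headers replayed are the ones captured from the first requester's render. If middleware puts anything per-request there (a CSP nonce, a request id, an auth decision carried in an overlaid header), it is either reused across visitors or invisible to the `publicOnly` check, which reads only `req.headers`; this is worth confirming against `renderRoute`, which is not visible here. The RSC flag is also re-derived from `Accept` although `isRscPayloadRequest` is already imported from `./helpers.js`; if its signature fits, using that one helper keeps the cache key and the renderer in agreement.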
@@ -53,7 +53,10 @@ export async function buildRscPayloadResponse(
53
53
  // propagate to the onError callback before we check the signals.
54
54
  // The rejected Promise from an async component resolves in the next
55
55
  // microtask after read(), so we need at least one tick.
56
- await new Promise<void>((r) => setTimeout(r, 0));
56
+ //
57
+ // Uses queueMicrotask instead of setTimeout(0) to stay within the
58
+ // same tick — no full event loop round-trip needed.
59
+ await new Promise<void>((r) => queueMicrotask(r));
57
60
 
58
61
  // Check for redirect/deny signals detected during initial rendering
59
62
  const trackedRedirect = signals.redirectSignal as RedirectSignal | null;
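Review bot: `await new Promise<void>((r) => queueMicrotask(r))` resumes after a small, fixed number of microtask turns, whereas `setTimeout(r, 0)` resumed only once the whole microtask queue had drained. The comment kept above says the rejection arrives "in the next microtask after read()"; if a component's rejection passes through more chained promises than that before reaching `onError`, `signals.redirectSignal` and the deny signal are still unset when they are checked, and the response goes out without the redirect or denial. The same replacement is made in `renderSsrResponse` in the ssr-renderer hunk. A regression test with a component whose `deny()` rejection crosses several promise hops would settle it; `setImmediate`, where the runtime provides it, avoids the timer delay while still letting microtasks drain.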
@@ -17,6 +17,7 @@ import { DenySignal, RedirectSignal, RenderError } from '#/server/primitives.js'
17
17
  import { checkAndWarnRscPropError } from '#/server/rsc-prop-warnings.js';
18
18
 
19
19
  import { createDebugChannelSink, isAbortError } from './helpers.js';
20
+ import { isDebug } from '#/server/debug.js';
20
21
 
21
22
  /**
22
23
  * Mutable signal state captured during RSC rendering.
@@ -98,7 +99,7 @@ export function renderRscStream(element: React.ReactElement, req: Request): RscS
98
99
  // re-exported through a barrel file without 'use client'.
99
100
  // See LOCAL-297.
100
101
  if (
101
- process.env.NODE_ENV !== 'production' &&
102
+ isDebug() &&
102
103
  error instanceof Error &&
103
104
  error.message.includes('Invalid hook call')
104
105
  ) {
@@ -156,12 +156,16 @@ export async function renderSsrResponse(opts: SsrRenderOptions): Promise<Respons
156
156
  try {
157
157
  const ssrResponse = await callSsr(ssrStream, navContext);
158
158
 
159
- // Signal promotion: yield one tick so async component rejections
159
+ // Signal promotion: yield one microtask so async component rejections
160
160
  // propagate to the RSC onError callback, then check if any signals
161
161
  // were captured during rendering inside Suspense boundaries.
162
162
  // The Response hasn't been sent yet — it's an unconsumed stream.
163
+ //
164
+ // Uses queueMicrotask instead of setTimeout(0) to avoid yielding to
165
+ // the full event loop (timers phase). Microtask resolution happens
166
+ // within the same tick, eliminating per-request idle time under load.
163
167
  // See design/05-streaming.md §"deferSuspenseFor and the Hold Window"
164
- await new Promise<void>((r) => setTimeout(r, 0));
168
+ await new Promise<void>((r) => queueMicrotask(r));
165
169
 
166
170
  const promoted = checkCapturedSignals(/* skipHandledDeny */ true);
167
171
  if (promoted) {
@@ -16,6 +16,8 @@
16
16
  * Task: TIM-358
17
17
  */
18
18
 
19
+ import { isDebug } from './debug.js';
20
+
19
21
  // ─── Types ────────────────────────────────────────────────────────────────
20
22
 
21
23
  export interface NonSerializableTypeInfo {
@@ -165,7 +167,7 @@ export function formatRscPropWarning(
165
167
  * @returns true if a warning was emitted
166
168
  */
167
169
  export function checkAndWarnRscPropError(error: unknown, requestPath: string): boolean {
168
- if (process.env.NODE_ENV === 'production') return false;
170
+ if (!isDebug()) return false;
169
171
  if (!(error instanceof Error)) return false;
170
172
 
171
173
  const info = detectNonSerializableType(error.message);
@@ -1 +0,0 @@
1
- {"version":3,"file":"format-DNt20Kt8.js","names":[],"sources":["../../src/server/dev-warnings.ts","../../src/utils/format.ts"],"sourcesContent":["/**\n * Dev-mode warnings for common timber.js misuse patterns.\n *\n * These fire in development only and are stripped from production builds.\n * Each warning targets a specific misuse identified during design review.\n *\n * Warnings are deduplicated by warningId:filePath:line so the same warning\n * is only emitted once per dev session (per unique source location).\n *\n * Warnings are written to stderr and, when a Vite dev server is available,\n * forwarded to the browser console via Vite's WebSocket.\n *\n * See design/21-dev-server.md §\"Dev-Mode Warnings\"\n * See design/11-platform.md §\"Dev Mode\"\n */\n\nimport type { ViteDevServer } from 'vite';\n\n// ─── Warning IDs ───────────────────────────────────────────────────────────\n\nexport const WarningId = {\n SUSPENSE_WRAPS_CHILDREN: 'SUSPENSE_WRAPS_CHILDREN',\n DENY_IN_SUSPENSE: 'DENY_IN_SUSPENSE',\n REDIRECT_IN_SUSPENSE: 'REDIRECT_IN_SUSPENSE',\n REDIRECT_IN_ACCESS: 'REDIRECT_IN_ACCESS',\n STATIC_REQUEST_API: 'STATIC_REQUEST_API',\n CACHE_REQUEST_PROPS: 'CACHE_REQUEST_PROPS',\n SLOW_SLOT_NO_SUSPENSE: 'SLOW_SLOT_NO_SUSPENSE',\n} as const;\n\nexport type WarningId = (typeof WarningId)[keyof typeof WarningId];\n\n// ─── Configuration ──────────────────────────────────────────────────────────\n\n/** Configuration for dev warning behavior. */\nexport interface DevWarningConfig {\n /** Threshold in ms for \"slow slot\" warnings. Default: 200. */\n slowSlotThresholdMs?: number;\n}\n\n// ─── Deduplication & Server ─────────────────────────────────────────────────\n\nconst _emitted = new Set<string>();\n\n/** Vite dev server for forwarding warnings to browser console. 
*/\nlet _viteServer: ViteDevServer | null = null;\n\n/**\n * Register the Vite dev server for browser console forwarding.\n * Called by timber-dev-server during configureServer.\n */\nexport function setViteServer(server: ViteDevServer | null): void {\n _viteServer = server;\n}\n\nfunction isDev(): boolean {\n return process.env.NODE_ENV !== 'production';\n}\n\n/**\n * Emit a warning only once per dedup key.\n *\n * Writes to stderr and forwards to browser console via Vite WebSocket.\n * Returns true if emitted (not deduplicated).\n */\nfunction emitOnce(\n warningId: WarningId,\n location: string,\n level: 'warn' | 'error',\n message: string\n): boolean {\n if (!isDev()) return false;\n\n const dedupKey = `${warningId}:${location}`;\n if (_emitted.has(dedupKey)) return false;\n _emitted.add(dedupKey);\n\n // Write to stderr\n const prefix = level === 'error' ? '\\x1b[31m[timber]\\x1b[0m' : '\\x1b[33m[timber]\\x1b[0m';\n process.stderr.write(`${prefix} ${message}\\n`);\n\n // Forward to browser console via Vite WebSocket\n if (_viteServer?.hot) {\n _viteServer.hot.send('timber:dev-warning', {\n warningId,\n level,\n message: `[timber] ${message}`,\n });\n }\n\n return true;\n}\n\n// ─── Warning Functions ──────────────────────────────────────────────────────\n\n/**\n * Warn when a layout wraps {children} in <Suspense>.\n *\n * This defers the page content — the primary resource — behind a fallback.\n * The page's data fetches won't affect the HTTP status code because they\n * resolve after onShellReady. If the page calls deny(404), the status code\n * is already committed as 200.\n *\n * @param layoutFile - Relative path to the layout file (e.g., \"app/(dashboard)/layout.tsx\")\n */\nexport function warnSuspenseWrappingChildren(layoutFile: string): void {\n emitOnce(\n WarningId.SUSPENSE_WRAPS_CHILDREN,\n layoutFile,\n 'warn',\n `Layout at ${layoutFile} wraps {children} in <Suspense>. ` +\n 'This prevents child pages from setting HTTP status codes. 
' +\n 'Use useNavigationPending() for loading states instead.'\n );\n}\n\n/**\n * Warn when deny() is called inside a Suspense boundary.\n *\n * After the shell has flushed and the status code is committed, deny()\n * cannot change the HTTP response. The signal will be caught by the nearest\n * error boundary instead of producing a correct status code.\n *\n * @param file - Relative path to the file\n * @param line - Line number where deny() was called\n */\nexport function warnDenyInSuspense(file: string, line?: number): void {\n const location = line ? `${file}:${line}` : file;\n emitOnce(\n WarningId.DENY_IN_SUSPENSE,\n location,\n 'error',\n `deny() called inside <Suspense> at ${location}. ` +\n 'The HTTP status is already committed — this will trigger an error boundary with a 200 status. ' +\n 'Move deny() outside <Suspense> for correct HTTP semantics.'\n );\n}\n\n/**\n * Warn when redirect() is called inside a Suspense boundary.\n *\n * This will perform a client-side navigation instead of an HTTP redirect.\n *\n * @param file - Relative path to the file\n * @param line - Line number where redirect() was called\n */\nexport function warnRedirectInSuspense(file: string, line?: number): void {\n const location = line ? `${file}:${line}` : file;\n emitOnce(\n WarningId.REDIRECT_IN_SUSPENSE,\n location,\n 'error',\n `redirect() called inside <Suspense> at ${location}. ` +\n 'This will perform a client-side navigation instead of an HTTP redirect.'\n );\n}\n\n/**\n * Warn when redirect() is called in a slot's access.ts.\n *\n * Slots use deny() for graceful degradation. Redirecting from a slot would\n * redirect the entire page, breaking the contract that slot failure is\n * isolated to the slot.\n *\n * @param accessFile - Relative path to the access.ts file\n * @param line - Line number where redirect() was called\n */\nexport function warnRedirectInAccess(accessFile: string, line?: number): void {\n const location = line ? 
`${accessFile}:${line}` : accessFile;\n emitOnce(\n WarningId.REDIRECT_IN_ACCESS,\n location,\n 'error',\n `redirect() called in access.ts at ${location}. ` +\n 'Only deny() is valid in slot access checks. ' +\n 'Use deny() to block access or move redirect() to middleware.ts.'\n );\n}\n\n/**\n * Warn when cookies() or headers() is called during a static build.\n *\n * In output: 'static' mode, there is no per-request context — these APIs\n * read build-time values only. This is almost always a mistake.\n *\n * @param api - The dynamic API name (\"cookies\" or \"headers\")\n * @param file - Relative path to the file calling the API\n */\nexport function warnStaticRequestApi(api: 'cookies' | 'headers', file: string): void {\n emitOnce(\n WarningId.STATIC_REQUEST_API,\n `${api}:${file}`,\n 'error',\n `${api}() called during static generation of ${file}. ` +\n 'Dynamic request APIs are not available during prerendering.'\n );\n}\n\n/**\n * Warn when a \"use cache\" component receives request-specific props.\n *\n * Cached components should not depend on per-request data — a userId or\n * sessionId in the props means the cache will either be ineffective\n * (key per user) or dangerous (serve one user's data to another).\n *\n * @param componentName - Name of the cached component\n * @param propName - Name of the suspicious prop\n * @param file - Relative path to the component file\n * @param line - Line number\n */\nexport function warnCacheRequestProps(\n componentName: string,\n propName: string,\n file: string,\n line?: number\n): void {\n const location = line ? `${file}:${line}` : file;\n emitOnce(\n WarningId.CACHE_REQUEST_PROPS,\n `${componentName}:${propName}:${location}`,\n 'warn',\n `Cached component ${componentName} receives prop \"${propName}\" which appears request-specific. 
` +\n 'Cached components should not depend on per-request data.'\n );\n}\n\n/**\n * Warn when a parallel slot resolves slowly without a <Suspense> wrapper.\n *\n * A slow slot without Suspense blocks onShellReady — and therefore the\n * status code commit — for the entire page. Wrapping it in <Suspense>\n * lets the shell flush without waiting for the slot.\n *\n * @param slotName - The slot name (e.g., \"@admin\")\n * @param durationMs - How long the slot took to resolve\n */\nexport function warnSlowSlotWithoutSuspense(slotName: string, durationMs: number): void {\n emitOnce(\n WarningId.SLOW_SLOT_NO_SUSPENSE,\n slotName,\n 'warn',\n `Slot ${slotName} resolved in ${durationMs}ms and is not wrapped in <Suspense>. ` +\n 'Consider wrapping to avoid blocking the flush.'\n );\n}\n\n// ─── Legacy aliases ─────────────────────────────────────────────────────────\n\n/** @deprecated Use warnStaticRequestApi instead */\nexport const warnDynamicApiInStaticBuild = warnStaticRequestApi;\n\n/** @deprecated Use warnRedirectInAccess instead */\nexport function warnRedirectInSlotAccess(slotName: string): void {\n warnRedirectInAccess(`${slotName}/access.ts`);\n}\n\n/** @deprecated Use warnDenyInSuspense / warnRedirectInSuspense instead */\nexport function warnDenyAfterFlush(signal: 'deny' | 'redirect'): void {\n if (signal === 'deny') {\n warnDenyInSuspense('unknown');\n } else {\n warnRedirectInSuspense('unknown');\n }\n}\n\n// ─── Testing ────────────────────────────────────────────────────────────────\n\n/**\n * Reset emitted warnings. For testing only.\n * @internal\n */\nexport function _resetWarnings(): void {\n _emitted.clear();\n}\n\n/**\n * Get the set of emitted dedup keys. For testing only.\n * @internal\n */\nexport function _getEmitted(): ReadonlySet<string> {\n return _emitted;\n}\n","/**\n * Shared formatting utilities.\n */\n\n/** Format a byte count as a human-readable string (e.g. \"1.50 kB\"). 
*/\nexport function formatSize(bytes: number): string {\n if (bytes < 1024) return `${bytes} B`;\n if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(2)} kB`;\n return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;\n}\n"],"mappings":";AAoBA,IAAa,YAAY;CACvB,yBAAyB;CACzB,kBAAkB;CAClB,sBAAsB;CACtB,oBAAoB;CACpB,oBAAoB;CACpB,qBAAqB;CACrB,uBAAuB;CACxB;AAcD,IAAM,2BAAW,IAAI,KAAa;;AAGlC,IAAI,cAAoC;;;;;AAMxC,SAAgB,cAAc,QAAoC;AAChE,eAAc;;AAGhB,SAAS,QAAiB;AACxB,QAAA,QAAA,IAAA,aAAgC;;;;;;;;AASlC,SAAS,SACP,WACA,UACA,OACA,SACS;AACT,KAAI,CAAC,OAAO,CAAE,QAAO;CAErB,MAAM,WAAW,GAAG,UAAU,GAAG;AACjC,KAAI,SAAS,IAAI,SAAS,CAAE,QAAO;AACnC,UAAS,IAAI,SAAS;CAGtB,MAAM,SAAS,UAAU,UAAU,4BAA4B;AAC/D,SAAQ,OAAO,MAAM,GAAG,OAAO,GAAG,QAAQ,IAAI;AAG9C,KAAI,aAAa,IACf,aAAY,IAAI,KAAK,sBAAsB;EACzC;EACA;EACA,SAAS,YAAY;EACtB,CAAC;AAGJ,QAAO;;;;;;;;;;;;AAeT,SAAgB,6BAA6B,YAA0B;AACrE,UACE,UAAU,yBACV,YACA,QACA,aAAa,WAAW,mJAGzB;;;;;;;;;;;;AAaH,SAAgB,mBAAmB,MAAc,MAAqB;CACpE,MAAM,WAAW,OAAO,GAAG,KAAK,GAAG,SAAS;AAC5C,UACE,UAAU,kBACV,UACA,SACA,sCAAsC,SAAS,4JAGhD;;;;;;;;;;AAWH,SAAgB,uBAAuB,MAAc,MAAqB;CACxE,MAAM,WAAW,OAAO,GAAG,KAAK,GAAG,SAAS;AAC5C,UACE,UAAU,sBACV,UACA,SACA,0CAA0C,SAAS,2EAEpD;;;;;;;;;;;;AAaH,SAAgB,qBAAqB,YAAoB,MAAqB;CAC5E,MAAM,WAAW,OAAO,GAAG,WAAW,GAAG,SAAS;AAClD,UACE,UAAU,oBACV,UACA,SACA,qCAAqC,SAAS,+GAG/C;;;;;;;;;;;AAYH,SAAgB,qBAAqB,KAA4B,MAAoB;AACnF,UACE,UAAU,oBACV,GAAG,IAAI,GAAG,QACV,SACA,GAAG,IAAI,wCAAwC,KAAK,+DAErD;;;;;;;;;;;;;;AAeH,SAAgB,sBACd,eACA,UACA,MACA,MACM;CACN,MAAM,WAAW,OAAO,GAAG,KAAK,GAAG,SAAS;AAC5C,UACE,UAAU,qBACV,GAAG,cAAc,GAAG,SAAS,GAAG,YAChC,QACA,oBAAoB,cAAc,kBAAkB,SAAS,4FAE9D;;;;;;;;;;;;AAaH,SAAgB,4BAA4B,UAAkB,YAA0B;AACtF,UACE,UAAU,uBACV,UACA,QACA,QAAQ,SAAS,eAAe,WAAW,qFAE5C;;;AAMH,IAAa,8BAA8B;;AAG3C,SAAgB,yBAAyB,UAAwB;AAC/D,sBAAqB,GAAG,SAAS,YAAY;;;AAI/C,SAAgB,mBAAmB,QAAmC;AACpE,KAAI,WAAW,OACb,oBAAmB,UAAU;KAE7B,wBAAuB,UAAU;;;;;;;;AChQrC,SAAgB,WAAW,OAAuB;AAChD,KAAI,QAAQ,KAAM,QAAO,GAAG,MAAM;AAClC,KAAI,QAAQ,OAAO,KAAM,QAAO,IAAI,QAAQ,MAAM,QAAQ,EAAE,CAAC;AAC7D,QAAO,IAAI,SAAS,OAAO,OAAO,QAAQ,EA
AE,CAAC"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"request-context-CRj2Zh1E.js","names":[],"sources":["../../src/server/request-context.ts"],"sourcesContent":["/**\n * Request Context — per-request ALS store for headers() and cookies().\n *\n * Follows the same pattern as tracing.ts: a module-level AsyncLocalStorage\n * instance, public accessor functions that throw outside request scope,\n * and a framework-internal `runWithRequestContext()` to establish scope.\n *\n * See design/04-authorization.md §\"AccessContext does not include cookies or headers\"\n * and design/11-platform.md §\"AsyncLocalStorage\".\n * See design/29-cookies.md for cookie mutation semantics.\n */\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\nimport type { Routes } from '#/index.js';\nimport { requestContextAls, type RequestContextStore, type CookieEntry } from './als-registry.js';\n\n// Re-export the ALS for framework-internal consumers that need direct access.\nexport { requestContextAls };\n\n// No fallback needed — we use enterWith() instead of run() to ensure\n// the ALS context persists for the entire request lifecycle including\n// async stream consumption by React's renderToReadableStream.\n\n// ─── Cookie Signing Secrets ──────────────────────────────────────────────\n\n/**\n * Module-level cookie signing secrets. 
Index 0 is the newest (used for signing).\n * All entries are tried for verification (key rotation support).\n *\n * Set by the framework at startup via `setCookieSecrets()`.\n * See design/29-cookies.md §\"Signed Cookies\"\n */\nlet _cookieSecrets: string[] = [];\n\n/**\n * Configure the cookie signing secrets.\n *\n * Called by the framework during server initialization with values from\n * `cookies.secret` or `cookies.secrets` in timber.config.ts.\n *\n * The first secret (index 0) is used for signing new cookies.\n * All secrets are tried for verification (supports key rotation).\n */\nexport function setCookieSecrets(secrets: string[]): void {\n _cookieSecrets = secrets.filter(Boolean);\n}\n\n// ─── Public API ───────────────────────────────────────────────────────────\n\n/**\n * Returns a read-only view of the current request's headers.\n *\n * Available in middleware, access checks, server components, and server actions.\n * Throws if called outside a request context (security principle #2: no global fallback).\n */\nexport function headers(): ReadonlyHeaders {\n const store = requestContextAls.getStore();\n if (!store) {\n throw new Error(\n '[timber] headers() called outside of a request context. ' +\n 'It can only be used in middleware, access checks, server components, and server actions.'\n );\n }\n return store.headers;\n}\n\n/**\n * Returns a cookie accessor for the current request.\n *\n * Available in middleware, access checks, server components, and server actions.\n * Throws if called outside a request context (security principle #2: no global fallback).\n *\n * Read methods (.get, .has, .getAll) are always available and reflect\n * read-your-own-writes from .set() calls in the same request.\n *\n * Mutation methods (.set, .delete, .clear) are only available in mutable\n * contexts (middleware.ts, server actions, route.ts handlers). 
Calling them\n * in read-only contexts (access.ts, server components) throws.\n *\n * See design/29-cookies.md\n */\nexport function cookies(): RequestCookies {\n const store = requestContextAls.getStore();\n if (!store) {\n throw new Error(\n '[timber] cookies() called outside of a request context. ' +\n 'It can only be used in middleware, access checks, server components, and server actions.'\n );\n }\n\n // Parse cookies lazily on first access\n if (!store.parsedCookies) {\n store.parsedCookies = parseCookieHeader(store.cookieHeader);\n }\n\n const map = store.parsedCookies;\n return {\n get(name: string): string | undefined {\n return map.get(name);\n },\n has(name: string): boolean {\n return map.has(name);\n },\n getAll(): Array<{ name: string; value: string }> {\n return Array.from(map.entries()).map(([name, value]) => ({ name, value }));\n },\n get size(): number {\n return map.size;\n },\n\n getSigned(name: string): string | undefined {\n const raw = map.get(name);\n if (!raw || _cookieSecrets.length === 0) return undefined;\n return verifySignedCookie(raw, _cookieSecrets);\n },\n\n set(name: string, value: string, options?: CookieOptions): void {\n assertMutable(store, 'set');\n if (store.flushed) {\n if (process.env.NODE_ENV !== 'production') {\n console.warn(\n `[timber] warn: cookies().set('${name}') called after response headers were committed.\\n` +\n ` The cookie will NOT be sent. 
Move cookie mutations to middleware.ts, a server action,\\n` +\n ` or a route.ts handler.`\n );\n }\n return;\n }\n let storedValue = value;\n if (options?.signed) {\n if (_cookieSecrets.length === 0) {\n throw new Error(\n `[timber] cookies().set('${name}', ..., { signed: true }) requires ` +\n `cookies.secret or cookies.secrets in timber.config.ts.`\n );\n }\n storedValue = signCookieValue(value, _cookieSecrets[0]);\n }\n const opts = { ...DEFAULT_COOKIE_OPTIONS, ...options };\n store.cookieJar.set(name, { name, value: storedValue, options: opts });\n // Read-your-own-writes: update the parsed cookies map with the signed value\n // so getSigned() can verify it in the same request\n map.set(name, storedValue);\n },\n\n delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void {\n assertMutable(store, 'delete');\n if (store.flushed) {\n if (process.env.NODE_ENV !== 'production') {\n console.warn(\n `[timber] warn: cookies().delete('${name}') called after response headers were committed.\\n` +\n ` The cookie will NOT be deleted. 
Move cookie mutations to middleware.ts, a server action,\\n` +\n ` or a route.ts handler.`\n );\n }\n return;\n }\n const opts: CookieOptions = {\n ...DEFAULT_COOKIE_OPTIONS,\n ...options,\n maxAge: 0,\n expires: new Date(0),\n };\n store.cookieJar.set(name, { name, value: '', options: opts });\n // Remove from read view\n map.delete(name);\n },\n\n clear(): void {\n assertMutable(store, 'clear');\n if (store.flushed) return;\n // Delete every incoming cookie\n for (const name of Array.from(map.keys())) {\n store.cookieJar.set(name, {\n name,\n value: '',\n options: { ...DEFAULT_COOKIE_OPTIONS, maxAge: 0, expires: new Date(0) },\n });\n }\n map.clear();\n },\n\n toString(): string {\n return Array.from(map.entries())\n .map(([name, value]) => `${name}=${value}`)\n .join('; ');\n },\n };\n}\n\n/**\n * Returns a Promise resolving to the current request's search params.\n *\n * In `page.tsx`, `middleware.ts`, and `access.ts` the framework pre-parses the\n * route's `search-params.ts` definition and the Promise resolves to the typed\n * object. In all other server component contexts it resolves to raw\n * `URLSearchParams`.\n *\n * Returned as a Promise to match the `params` prop convention and to allow\n * future partial pre-rendering support where param resolution may be deferred.\n *\n * Throws if called outside a request context.\n */\nexport function searchParams<R extends keyof Routes>(): Promise<Routes[R]['searchParams']>;\nexport function searchParams(): Promise<URLSearchParams | Record<string, unknown>>;\nexport function searchParams(): Promise<URLSearchParams | Record<string, unknown>> {\n const store = requestContextAls.getStore();\n if (!store) {\n throw new Error(\n '[timber] searchParams() called outside of a request context. 
' +\n 'It can only be used in middleware, access checks, server components, and server actions.'\n );\n }\n return store.searchParamsPromise;\n}\n\n/**\n * Replace the search params Promise for the current request with one that\n * resolves to the typed parsed result from the route's search-params.ts.\n * Called by the framework before rendering the page — not for app code.\n */\nexport function setParsedSearchParams(parsed: Record<string, unknown>): void {\n const store = requestContextAls.getStore();\n if (store) {\n store.searchParamsPromise = Promise.resolve(parsed);\n }\n}\n\n// ─── Types ────────────────────────────────────────────────────────────────\n\n/**\n * Read-only Headers interface. The standard Headers class is mutable;\n * this type narrows it to read-only methods. The underlying object is\n * still a Headers instance, but user code should not mutate it.\n */\nexport type ReadonlyHeaders = Pick<\n Headers,\n 'get' | 'has' | 'entries' | 'keys' | 'values' | 'forEach' | typeof Symbol.iterator\n>;\n\n/** Options for setting a cookie. See design/29-cookies.md. */\nexport interface CookieOptions {\n /** Domain scope. Default: omitted (current domain only). */\n domain?: string;\n /** URL path scope. Default: '/'. */\n path?: string;\n /** Expiration date. Mutually exclusive with maxAge. */\n expires?: Date;\n /** Max age in seconds. Mutually exclusive with expires. */\n maxAge?: number;\n /** Prevent client-side JS access. Default: true. */\n httpOnly?: boolean;\n /** Only send over HTTPS. Default: true. */\n secure?: boolean;\n /** Cross-site request policy. Default: 'lax'. */\n sameSite?: 'strict' | 'lax' | 'none';\n /** Partitioned (CHIPS) — isolate cookie per top-level site. Default: false. 
*/\n partitioned?: boolean;\n /**\n * Sign the cookie value with HMAC-SHA256 for integrity verification.\n * Requires `cookies.secret` or `cookies.secrets` in timber.config.ts.\n * See design/29-cookies.md §\"Signed Cookies\".\n */\n signed?: boolean;\n}\n\nconst DEFAULT_COOKIE_OPTIONS: CookieOptions = {\n path: '/',\n httpOnly: true,\n secure: true,\n sameSite: 'lax',\n};\n\n/**\n * Cookie accessor returned by `cookies()`.\n *\n * Read methods are always available. Mutation methods throw in read-only\n * contexts (access.ts, server components).\n */\nexport interface RequestCookies {\n /** Get a cookie value by name. Returns undefined if not present. */\n get(name: string): string | undefined;\n /** Check if a cookie exists. */\n has(name: string): boolean;\n /** Get all cookies as an array of { name, value } pairs. */\n getAll(): Array<{ name: string; value: string }>;\n /** Number of cookies. */\n readonly size: number;\n /**\n * Get a signed cookie value, verifying its HMAC-SHA256 signature.\n * Returns undefined if the cookie is missing, the signature is invalid,\n * or no secrets are configured. Never throws.\n *\n * See design/29-cookies.md §\"Signed Cookies\"\n */\n getSigned(name: string): string | undefined;\n /** Set a cookie. Only available in mutable contexts (middleware, actions, route handlers). */\n set(name: string, value: string, options?: CookieOptions): void;\n /** Delete a cookie. Only available in mutable contexts. */\n delete(name: string, options?: Pick<CookieOptions, 'path' | 'domain'>): void;\n /** Delete all cookies. Only available in mutable contexts. */\n clear(): void;\n /** Serialize cookies as a Cookie header string. */\n toString(): string;\n}\n\n// ─── Framework-Internal Helpers ───────────────────────────────────────────\n\n/**\n * Run a callback within a request context. 
Used by the pipeline to establish\n * per-request ALS scope so that `headers()` and `cookies()` work.\n *\n * @param req - The incoming Request object.\n * @param fn - The function to run within the request context.\n */\nexport function runWithRequestContext<T>(req: Request, fn: () => T): T {\n const originalCopy = new Headers(req.headers);\n const store: RequestContextStore = {\n headers: freezeHeaders(req.headers),\n originalHeaders: originalCopy,\n cookieHeader: req.headers.get('cookie') ?? '',\n searchParamsPromise: Promise.resolve(new URL(req.url).searchParams),\n cookieJar: new Map(),\n flushed: false,\n mutableContext: false,\n };\n return requestContextAls.run(store, fn);\n}\n\n/**\n * Enable cookie mutation for the current context. Called by the framework\n * when entering middleware.ts, server actions, or route.ts handlers.\n *\n * See design/29-cookies.md §\"Context Tracking\"\n */\nexport function setMutableCookieContext(mutable: boolean): void {\n const store = requestContextAls.getStore();\n if (store) {\n store.mutableContext = mutable;\n }\n}\n\n/**\n * Mark the response as flushed (headers committed). After this point,\n * cookie mutations log a warning instead of throwing.\n *\n * See design/29-cookies.md §\"Streaming Constraint: Post-Flush Cookie Warning\"\n */\nexport function markResponseFlushed(): void {\n const store = requestContextAls.getStore();\n if (store) {\n store.flushed = true;\n }\n}\n\n/**\n * Collect all Set-Cookie headers from the cookie jar.\n * Called by the framework at flush time to apply cookies to the response.\n *\n * Returns an array of serialized Set-Cookie header values.\n */\nexport function getSetCookieHeaders(): string[] {\n const store = requestContextAls.getStore();\n if (!store) return [];\n return Array.from(store.cookieJar.values()).map(serializeCookieEntry);\n}\n\n/**\n * Apply middleware-injected request headers to the current request context.\n *\n * Called by the pipeline after middleware.ts runs. 
Merges overlay headers\n * on top of the original request headers so downstream code (access.ts,\n * server components, server actions) sees them via `headers()`.\n *\n * The original request headers are never mutated — a new frozen Headers\n * object is created with the overlay applied on top.\n *\n * See design/07-routing.md §\"Request Header Injection\"\n */\nexport function applyRequestHeaderOverlay(overlay: Headers): void {\n const store = requestContextAls.getStore();\n if (!store) {\n throw new Error('[timber] applyRequestHeaderOverlay() called outside of a request context.');\n }\n\n // Check if the overlay has any headers — skip if empty\n let hasOverlay = false;\n overlay.forEach(() => {\n hasOverlay = true;\n });\n if (!hasOverlay) return;\n\n // Merge: start with original headers, overlay on top\n const merged = new Headers(store.originalHeaders);\n overlay.forEach((value, key) => {\n merged.set(key, value);\n });\n store.headers = freezeHeaders(merged);\n}\n\n// ─── Read-Only Headers ────────────────────────────────────────────────────\n\nconst MUTATING_METHODS = new Set(['set', 'append', 'delete']);\n\n/**\n * Wrap a Headers object in a Proxy that throws on mutating methods.\n * Object.freeze doesn't work on Headers (native internal slots), so we\n * intercept property access and reject set/append/delete at runtime.\n *\n * Read methods (get, has, entries, etc.) must be bound to the underlying\n * Headers instance because they access private #headersList slots.\n */\nfunction freezeHeaders(source: Headers): Headers {\n const copy = new Headers(source);\n return new Proxy(copy, {\n get(target, prop) {\n if (typeof prop === 'string' && MUTATING_METHODS.has(prop)) {\n return () => {\n throw new Error(\n `[timber] headers() returns a read-only Headers object. ` +\n `Calling .${prop}() is not allowed. 
` +\n `Use ctx.requestHeaders in middleware to inject headers for downstream components.`\n );\n };\n }\n const value = Reflect.get(target, prop);\n // Bind methods to the real Headers instance so private slot access works\n if (typeof value === 'function') {\n return value.bind(target);\n }\n return value;\n },\n });\n}\n\n// ─── Cookie Helpers ───────────────────────────────────────────────────────\n\n/** Throw if cookie mutation is attempted in a read-only context. */\nfunction assertMutable(store: RequestContextStore, method: string): void {\n if (!store.mutableContext) {\n throw new Error(\n `[timber] cookies().${method}() cannot be called in this context.\\n` +\n ` Set cookies in middleware.ts, server actions, or route.ts handlers.`\n );\n }\n}\n\n/**\n * Parse a Cookie header string into a Map of name → value pairs.\n * Follows RFC 6265 §4.2.1: cookies are semicolon-separated key=value pairs.\n */\nfunction parseCookieHeader(header: string): Map<string, string> {\n const map = new Map<string, string>();\n if (!header) return map;\n\n for (const pair of header.split(';')) {\n const eqIndex = pair.indexOf('=');\n if (eqIndex === -1) continue;\n const name = pair.slice(0, eqIndex).trim();\n const value = pair.slice(eqIndex + 1).trim();\n if (name) {\n map.set(name, value);\n }\n }\n\n return map;\n}\n\n// ─── Cookie Signing ──────────────────────────────────────────────────────\n\n/**\n * Sign a cookie value with HMAC-SHA256.\n * Returns `value.hex_signature`.\n */\nfunction signCookieValue(value: string, secret: string): string {\n const signature = createHmac('sha256', secret).update(value).digest('hex');\n return `${value}.${signature}`;\n}\n\n/**\n * Verify a signed cookie value against an array of secrets.\n * Returns the original value if any secret produces a matching signature,\n * or undefined if none match. 
Uses timing-safe comparison.\n *\n * The signed format is `value.hex_signature` — split at the last `.`.\n */\nfunction verifySignedCookie(raw: string, secrets: string[]): string | undefined {\n const lastDot = raw.lastIndexOf('.');\n if (lastDot <= 0 || lastDot === raw.length - 1) return undefined;\n\n const value = raw.slice(0, lastDot);\n const signature = raw.slice(lastDot + 1);\n\n // Hex-encoded SHA-256 is always 64 chars\n if (signature.length !== 64) return undefined;\n\n const signatureBuffer = Buffer.from(signature, 'hex');\n // If the hex decode produced fewer bytes, the signature was not valid hex\n if (signatureBuffer.length !== 32) return undefined;\n\n for (const secret of secrets) {\n const expected = createHmac('sha256', secret).update(value).digest();\n if (timingSafeEqual(expected, signatureBuffer)) {\n return value;\n }\n }\n return undefined;\n}\n\n/** Serialize a CookieEntry into a Set-Cookie header value. */\nfunction serializeCookieEntry(entry: CookieEntry): string {\n const parts = [`${entry.name}=${entry.value}`];\n const opts = entry.options;\n\n if (opts.domain) parts.push(`Domain=${opts.domain}`);\n if (opts.path) parts.push(`Path=${opts.path}`);\n if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);\n if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);\n if (opts.httpOnly) parts.push('HttpOnly');\n if (opts.secure) parts.push('Secure');\n if (opts.sameSite) {\n parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase()}${opts.sameSite.slice(1)}`);\n }\n if (opts.partitioned) parts.push('Partitioned');\n\n return parts.join('; 
');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAgCA,IAAI,iBAA2B,EAAE;;;;;;;;;;AAWjC,SAAgB,iBAAiB,SAAyB;AACxD,kBAAiB,QAAQ,OAAO,QAAQ;;;;;;;;AAW1C,SAAgB,UAA2B;CACzC,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,mJAED;AAEH,QAAO,MAAM;;;;;;;;;;;;;;;;;AAkBf,SAAgB,UAA0B;CACxC,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,mJAED;AAIH,KAAI,CAAC,MAAM,cACT,OAAM,gBAAgB,kBAAkB,MAAM,aAAa;CAG7D,MAAM,MAAM,MAAM;AAClB,QAAO;EACL,IAAI,MAAkC;AACpC,UAAO,IAAI,IAAI,KAAK;;EAEtB,IAAI,MAAuB;AACzB,UAAO,IAAI,IAAI,KAAK;;EAEtB,SAAiD;AAC/C,UAAO,MAAM,KAAK,IAAI,SAAS,CAAC,CAAC,KAAK,CAAC,MAAM,YAAY;IAAE;IAAM;IAAO,EAAE;;EAE5E,IAAI,OAAe;AACjB,UAAO,IAAI;;EAGb,UAAU,MAAkC;GAC1C,MAAM,MAAM,IAAI,IAAI,KAAK;AACzB,OAAI,CAAC,OAAO,eAAe,WAAW,EAAG,QAAO,KAAA;AAChD,UAAO,mBAAmB,KAAK,eAAe;;EAGhD,IAAI,MAAc,OAAe,SAA+B;AAC9D,iBAAc,OAAO,MAAM;AAC3B,OAAI,MAAM,SAAS;AACjB,QAAA,QAAA,IAAA,aAA6B,aAC3B,SAAQ,KACN,iCAAiC,KAAK,qKAGvC;AAEH;;GAEF,IAAI,cAAc;AAClB,OAAI,SAAS,QAAQ;AACnB,QAAI,eAAe,WAAW,EAC5B,OAAM,IAAI,MACR,2BAA2B,KAAK,2FAEjC;AAEH,kBAAc,gBAAgB,OAAO,eAAe,GAAG;;GAEzD,MAAM,OAAO;IAAE,GAAG;IAAwB,GAAG;IAAS;AACtD,SAAM,UAAU,IAAI,MAAM;IAAE;IAAM,OAAO;IAAa,SAAS;IAAM,CAAC;AAGtE,OAAI,IAAI,MAAM,YAAY;;EAG5B,OAAO,MAAc,SAAwD;AAC3E,iBAAc,OAAO,SAAS;AAC9B,OAAI,MAAM,SAAS;AACjB,QAAA,QAAA,IAAA,aAA6B,aAC3B,SAAQ,KACN,oCAAoC,KAAK,wKAG1C;AAEH;;GAEF,MAAM,OAAsB;IAC1B,GAAG;IACH,GAAG;IACH,QAAQ;IACR,yBAAS,IAAI,KAAK,EAAE;IACrB;AACD,SAAM,UAAU,IAAI,MAAM;IAAE;IAAM,OAAO;IAAI,SAAS;IAAM,CAAC;AAE7D,OAAI,OAAO,KAAK;;EAGlB,QAAc;AACZ,iBAAc,OAAO,QAAQ;AAC7B,OAAI,MAAM,QAAS;AAEnB,QAAK,MAAM,QAAQ,MAAM,KAAK,IAAI,MAAM,CAAC,CACvC,OAAM,UAAU,IAAI,MAAM;IACxB;IACA,OAAO;IACP,SAAS;KAAE,GAAG;KAAwB,QAAQ;KAAG,yBAAS,IAAI,KAAK,EAAE;KAAE;IACxE,CAAC;AAEJ,OAAI,OAAO;;EAGb,WAAmB;AACjB,UAAO,MAAM,KAAK,IAAI,SAAS,CAAC,CAC7B,KAAK,CAAC,MAAM,WAAW,GAAG,KAAK,GAAG,QAAQ,CAC1C,KAAK,KAAK;;EAEhB;;AAkBH,SAAgB,eAAmE;CACjF,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MACR,wJAED;AAEH,QAAO,MAAM;;;;;;;AAQf,SAAgB,sBAAsB,QAAuC;CAC3E,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,sBAAsB,QAAQ,Q
AAQ,OAAO;;AA0CvD,IAAM,yBAAwC;CAC5C,MAAM;CACN,UAAU;CACV,QAAQ;CACR,UAAU;CACX;;;;;;;;AA4CD,SAAgB,sBAAyB,KAAc,IAAgB;CACrE,MAAM,eAAe,IAAI,QAAQ,IAAI,QAAQ;CAC7C,MAAM,QAA6B;EACjC,SAAS,cAAc,IAAI,QAAQ;EACnC,iBAAiB;EACjB,cAAc,IAAI,QAAQ,IAAI,SAAS,IAAI;EAC3C,qBAAqB,QAAQ,QAAQ,IAAI,IAAI,IAAI,IAAI,CAAC,aAAa;EACnE,2BAAW,IAAI,KAAK;EACpB,SAAS;EACT,gBAAgB;EACjB;AACD,QAAO,kBAAkB,IAAI,OAAO,GAAG;;;;;;;;AASzC,SAAgB,wBAAwB,SAAwB;CAC9D,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,iBAAiB;;;;;;;;AAU3B,SAAgB,sBAA4B;CAC1C,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,MACF,OAAM,UAAU;;;;;;;;AAUpB,SAAgB,sBAAgC;CAC9C,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MAAO,QAAO,EAAE;AACrB,QAAO,MAAM,KAAK,MAAM,UAAU,QAAQ,CAAC,CAAC,IAAI,qBAAqB;;;;;;;;;;;;;;AAevE,SAAgB,0BAA0B,SAAwB;CAChE,MAAM,QAAQ,kBAAkB,UAAU;AAC1C,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,4EAA4E;CAI9F,IAAI,aAAa;AACjB,SAAQ,cAAc;AACpB,eAAa;GACb;AACF,KAAI,CAAC,WAAY;CAGjB,MAAM,SAAS,IAAI,QAAQ,MAAM,gBAAgB;AACjD,SAAQ,SAAS,OAAO,QAAQ;AAC9B,SAAO,IAAI,KAAK,MAAM;GACtB;AACF,OAAM,UAAU,cAAc,OAAO;;AAKvC,IAAM,mBAAmB,IAAI,IAAI;CAAC;CAAO;CAAU;CAAS,CAAC;;;;;;;;;AAU7D,SAAS,cAAc,QAA0B;CAC/C,MAAM,OAAO,IAAI,QAAQ,OAAO;AAChC,QAAO,IAAI,MAAM,MAAM,EACrB,IAAI,QAAQ,MAAM;AAChB,MAAI,OAAO,SAAS,YAAY,iBAAiB,IAAI,KAAK,CACxD,cAAa;AACX,SAAM,IAAI,MACR,mEACc,KAAK,sGAEpB;;EAGL,MAAM,QAAQ,QAAQ,IAAI,QAAQ,KAAK;AAEvC,MAAI,OAAO,UAAU,WACnB,QAAO,MAAM,KAAK,OAAO;AAE3B,SAAO;IAEV,CAAC;;;AAMJ,SAAS,cAAc,OAA4B,QAAsB;AACvE,KAAI,CAAC,MAAM,eACT,OAAM,IAAI,MACR,sBAAsB,OAAO,6GAE9B;;;;;;AAQL,SAAS,kBAAkB,QAAqC;CAC9D,MAAM,sBAAM,IAAI,KAAqB;AACrC,KAAI,CAAC,OAAQ,QAAO;AAEpB,MAAK,MAAM,QAAQ,OAAO,MAAM,IAAI,EAAE;EACpC,MAAM,UAAU,KAAK,QAAQ,IAAI;AACjC,MAAI,YAAY,GAAI;EACpB,MAAM,OAAO,KAAK,MAAM,GAAG,QAAQ,CAAC,MAAM;EAC1C,MAAM,QAAQ,KAAK,MAAM,UAAU,EAAE,CAAC,MAAM;AAC5C,MAAI,KACF,KAAI,IAAI,MAAM,MAAM;;AAIxB,QAAO;;;;;;AAST,SAAS,gBAAgB,OAAe,QAAwB;AAE9D,QAAO,GAAG,MAAM,GADE,WAAW,UAAU,OAAO,CAAC,OAAO,MAAM,CAAC,OAAO,MAAM;;;;;;;;;AAW5E,SAAS,mBAAmB,KAAa,SAAuC;CAC9E,MAAM,UAAU,IAAI,YAAY,IAAI;AACpC,KAAI,WAAW,KAAK,YAAY,IAAI,SAAS,EAAG,QAAO,KAAA;CAEvD,MAAM,QAAQ,IAAI,MAAM,GAAG
,QAAQ;CACnC,MAAM,YAAY,IAAI,MAAM,UAAU,EAAE;AAGxC,KAAI,UAAU,WAAW,GAAI,QAAO,KAAA;CAEpC,MAAM,kBAAkB,OAAO,KAAK,WAAW,MAAM;AAErD,KAAI,gBAAgB,WAAW,GAAI,QAAO,KAAA;AAE1C,MAAK,MAAM,UAAU,QAEnB,KAAI,gBADa,WAAW,UAAU,OAAO,CAAC,OAAO,MAAM,CAAC,QAAQ,EACtC,gBAAgB,CAC5C,QAAO;;;AAOb,SAAS,qBAAqB,OAA4B;CACxD,MAAM,QAAQ,CAAC,GAAG,MAAM,KAAK,GAAG,MAAM,QAAQ;CAC9C,MAAM,OAAO,MAAM;AAEnB,KAAI,KAAK,OAAQ,OAAM,KAAK,UAAU,KAAK,SAAS;AACpD,KAAI,KAAK,KAAM,OAAM,KAAK,QAAQ,KAAK,OAAO;AAC9C,KAAI,KAAK,QAAS,OAAM,KAAK,WAAW,KAAK,QAAQ,aAAa,GAAG;AACrE,KAAI,KAAK,WAAW,KAAA,EAAW,OAAM,KAAK,WAAW,KAAK,SAAS;AACnE,KAAI,KAAK,SAAU,OAAM,KAAK,WAAW;AACzC,KAAI,KAAK,OAAQ,OAAM,KAAK,SAAS;AACrC,KAAI,KAAK,SACP,OAAM,KAAK,YAAY,KAAK,SAAS,OAAO,EAAE,CAAC,aAAa,GAAG,KAAK,SAAS,MAAM,EAAE,GAAG;AAE1F,KAAI,KAAK,YAAa,OAAM,KAAK,cAAc;AAE/C,QAAO,MAAM,KAAK,KAAK"}