@tknf/matchbox 0.2.6 → 0.3.1

package/README.md

@@ -1,29 +1,36 @@
 # Matchbox
 
-A simple CGI-style web server framework built on top of Hono. Treats `.cgi.tsx` / `.cgi.jsx` files under `public/` as pages, and brings Apache-style conventions like `.htaccess` and `.htpasswd` into modern tooling.
+A modern CGI-style web framework built on [Hono](https://hono.dev). Brings Apache-style conventions (`.htaccess`, `.htpasswd`) into the modern TypeScript/JSX ecosystem with file-based routing and familiar CGI variables.
 
 ## Features
 
-- File-based routing (`.cgi.tsx` / `.cgi.jsx` map directly to endpoints)
-- CGI-style context (`$_GET`, `$_POST`, `$_SESSION`, etc.)
-- `.htaccess` rewrites/redirects and `.htpasswd` Basic Auth
-- Session cookie configuration and custom middleware
-- Vite + TypeScript + JSX support
+- **File-based routing** - `.cgi.tsx`/`.cgi.jsx` files map directly to URL endpoints
+- **CGI-style context** - Familiar `$_GET`, `$_POST`, `$_SESSION`, `$_SERVER`, `$_COOKIE`, etc.
+- **Apache compatibility** - `.htaccess` for rewrites/redirects/headers, `.htpasswd` for Basic Auth
+- **Modern tooling** - Full TypeScript support, Vite integration, JSX rendering
+- **Flexible configuration** - Session management, custom middleware, security headers
+- **Production ready** - Comprehensive test coverage, security best practices
 
-## Install
+## Installation
 
 ```bash
-pnpm add matchbox hono
+npm add @tknf/matchbox hono
+# or
+pnpm add @tknf/matchbox hono
+# or
+yarn add @tknf/matchbox hono
 ```
 
 ## Quick Start
 
-`vite.config.ts`:
+### 1. Configure Vite
 
-```ts
+Create `vite.config.ts`:
+
+```typescript
 import devServer from "@hono/vite-dev-server";
 import { defineConfig } from "vite";
-import { MatchboxPlugin } from "matchbox/plugin";
+import { MatchboxPlugin } from "@tknf/matchbox/plugin";
 
 export default defineConfig({
   plugins: [
@@ -36,98 +43,257 @@ export default defineConfig({
 });
 ```
 
-`server.ts`:
+### 2. Create Server Entry
+
+Create `server.ts`:
 
-```ts
-import { createCgi } from "matchbox";
+```typescript
+import { createCgi } from "@tknf/matchbox";
 
 export default createCgi();
 ```
 
-`public/index.cgi.tsx`:
+### 3. Create Your First Page
+
+Create `public/index.cgi.tsx`:
 
 ```tsx
-import type { CgiContext } from "matchbox";
+import type { CgiContext } from "@tknf/matchbox";
 
-export default function ({ $_SERVER }: CgiContext) {
+export default function ({ $_SERVER, $_GET }: CgiContext) {
   return (
     <html>
       <head>
         <title>Matchbox</title>
       </head>
       <body>
-        <h1>Hello Matchbox</h1>
-        <p>Method: {$_SERVER.REQUEST_METHOD}</p>
+        <h1>Hello from Matchbox!</h1>
+        <p>Request Method: {$_SERVER.REQUEST_METHOD}</p>
+        <p>Query Params: {JSON.stringify($_GET)}</p>
       </body>
     </html>
   );
 }
 ```
 
-Start the dev server:
+### 4. Start Development Server
 
 ```bash
-pnpm dev
+npm run dev
 ```
 
+Visit `http://localhost:5173` to see your page.
+
 ## CGI Context
 
-Page functions receive a `CgiContext`.
+Every page function receives a `CgiContext` object with:
+
+### Request Data
+
+- `$_GET` - Query parameters
+- `$_POST` - Form data (POST/PUT)
+- `$_FILES` - Uploaded files
+- `$_REQUEST` - Combined `$_GET` + `$_POST` + `$_COOKIE`
+- `$_COOKIE` - Cookie values
+- `$_SERVER` - Server and request information
+- `$_ENV` - Environment variables
+- `$_SESSION` - Session data
+
+### Helper Functions
 
-- `$_GET` / `$_POST` / `$_FILES` / `$_REQUEST`
-- `$_SESSION` / `$_COOKIE` / `$_ENV` / `$_SERVER`
-- `header(name, value)` / `status(code)` / `redirect(url, status?)`
-- `cgiinfo()` / `get_modules()` / `get_version()`
+- `header(name, value)` - Set response header
+- `status(code)` - Set HTTP status code
+- `redirect(url, status?)` - Redirect to another URL
+- `cgiinfo()` - HTML debug info block
+- `get_modules()` - List all available CGI modules
+- `get_version()` - Get Matchbox version string
+- `log(message)` - Custom logging
+- `request_headers()` - Get all request headers
+- `response_headers()` - Get current response headers
+
+### Example Usage
+
+```tsx
+export default function (ctx: CgiContext) {
+  const { $_GET, $_POST, $_SESSION, header, status, redirect } = ctx;
+
+  // Handle form submission
+  if ($_POST.username) {
+    $_SESSION.user = $_POST.username;
+    return redirect("/dashboard");
+  }
+
+  // Set custom headers
+  header("X-Custom-Header", "value");
+  status(200);
+
+  return <div>Welcome</div>;
+}
+```
 
 ## Configuration
 
-### MatchboxPlugin
+### Plugin Options
 
-```ts
+```typescript
 MatchboxPlugin({
-  publicDir: "public",
-  config: { siteName: "My Site" },
+  publicDir: "public",        // Directory for .cgi files (default: "public")
+  config: {                   // Custom config object injected into pages
+    siteName: "My Site",
+    apiUrl: "https://api.example.com"
+  }
 });
 ```
 
-- `publicDir`: Root directory for page discovery (default: `public`)
-- `config`: Configuration object injected into pages
+Access config in your pages via `context.config`.
 
-### createCgi
+### Runtime Options
 
-```ts
+```typescript
 createCgi({
+  // Session cookie configuration
   sessionCookie: {
-    name: "_SESSION_ID",
-    sameSite: "Lax",
-    secure: true,
-    maxAge: 3600,
+    name: "_SESSION_ID",      // Cookie name (default: "_SESSION_ID")
+    path: "/",                // Cookie path (default: "/")
+    domain: "example.com",    // Cookie domain
+    secure: true,             // HTTPS only (default: false)
+    sameSite: "Strict",       // CSRF protection: "Strict" | "Lax" | "None"
+    maxAge: 3600,             // Session timeout in seconds
   },
+
+  // URL trailing slash enforcement
   enforceTrailingSlash: true,
+
+  // Custom middleware (runs before page handlers)
   middleware: [
     async (c, next) => {
       c.header("X-App", "matchbox");
       await next();
     },
   ],
+
+  // Custom logger
   logger: (message, level) => {
     console.log(`[${level ?? "info"}] ${message}`);
   },
 });
 ```
 
-## Auth and Rewrites
+## Apache-Style Features
+
+### Basic Authentication (.htpasswd)
+
+Place a `.htpasswd` file in any directory under `public/` to protect it:
+
+```
+# Generate with: htpasswd -c .htpasswd username
+admin:$apr1$abc123$...
+user:$apr1$xyz789$...
+```
+
+All files in that directory and subdirectories will require authentication.
+
+### URL Rewriting and Redirects (.htaccess)
+
+Create `.htaccess` files to configure rewrites, redirects, headers, and error pages:
+
+```apache
+# Permanent redirect
+Redirect 301 /old-page /new-page
 
-Place these under `public/` to enable them.
+# Conditional rewrite
+RewriteCond %{HTTP_HOST} ^www\.example\.com$
+RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
 
-- `.htpasswd`: Directory-level Basic Auth
-- `.htaccess`: Simple `RewriteRule` / `Redirect` support
+# Pattern-based rewrite
+RewriteRule ^blog/(.+)$ /posts.cgi?slug=$1 [QSA,L]
 
-## References
+# Forbidden
+RewriteRule ^private$ - [F]
 
-- Examples: `examples/README.md`
-- Security: `docs/security.md`
+# Security headers
+Header set X-Frame-Options "SAMEORIGIN"
+Header set X-Content-Type-Options "nosniff"
+Header set Strict-Transport-Security "max-age=31536000"
+
+# Custom error pages
+ErrorDocument 404 /errors/404.html
+ErrorDocument 500 /errors/500.html
+```
+
+#### Supported RewriteRule Flags
+
+- `[L]` - Last rule, stop processing
+- `[R]` / `[R=301]` / `[R=302]` - Redirect with status code
+- `[F]` - Forbidden (403)
+- `[G]` - Gone (410)
+- `[NC]` - No Case (case-insensitive)
+- `[QSA]` - Query String Append
+- `[QSD]` - Query String Discard
+- `[NE]` - No Escape
+
+#### Supported RewriteCond Variables
+
+- `%{HTTP_HOST}` - Request host
+- `%{HTTP_USER_AGENT}` - User agent
+- `%{HTTP_REFERER}` - Referer header
+- `%{REQUEST_URI}` - Request URI
+- `%{REQUEST_METHOD}` - HTTP method
+- `%{QUERY_STRING}` - Query string
+- `%{REMOTE_ADDR}` - Client IP
+- And more... (see [documentation](./docs/htaccess.md))
+
+## Examples
+
+Check out the [`examples/`](./examples) directory for complete working examples:
+
+- **basic** - Minimal setup with a simple page
+- **htaccess-auth** - Authentication and URL rewriting
+- **custom-middleware** - Custom middleware and logging
+
+## Documentation
+
+- [Apache .htaccess Features](./docs/htaccess.md) - Complete `.htaccess` feature reference
+- [Security Guide](./docs/security.md) - Security best practices
+- [API Reference](./docs/api.md) - Complete API documentation
+- [Roadmap](./docs/roadmap.md) - Planned features and improvements
+
+## Migration from v0.2.x
+
+Version 0.3.0 introduced enhanced `.htaccess` parsing. If you're upgrading:
+
+- ✅ Existing `.htaccess` files work without changes
+- ✅ Both `[R=301]` and `R=301` flag syntaxes are supported
+- ⚠️ Malformed directives now throw errors (previously silently ignored)
+
+See the [migration guide](./docs/htaccess.md#migration-from-v02x-to-v03) for details.
+
+## Development
+
+```bash
+# Install dependencies
+pnpm install
+
+# Run tests
+pnpm test
+
+# Build
+pnpm run build
+
+# Type check
+pnpm run typecheck
+```
 
 ## License
 
-MIT License. See `LICENSE` for details.
+MIT License - see [LICENSE](./LICENSE) for details.
+
+## Contributing
+
+Contributions are welcome! Please read the [contributing guidelines](./CONTRIBUTING.md) before submitting PRs.
+
+## Links
+
+- [GitHub Repository](https://github.com/tknf-labs/matchbox)
+- [NPM Package](https://www.npmjs.com/package/@tknf/matchbox)
+- [Hono Framework](https://hono.dev)

package/dist/cgi.d.ts

@@ -1,8 +1,9 @@
 import * as hono_types from 'hono/types';
 import { Context, Hono } from 'hono';
 import { HtmlEscapedString } from 'hono/utils/html';
+import { HtaccessConfig } from './htaccess/types.js';
 
-type ConfigObject = Record<string, any>;
+type ConfigObject = Record<string, unknown>;
 /**
  * --- Session Cookie Configuration ---
  */
@@ -49,10 +50,10 @@ interface CgiContext<ConfigType = ConfigObject> {
     $_GET: Record<string, string>;
     $_POST: Record<string, string>;
     $_FILES: Record<string, File | File[]>;
-    $_REQUEST: Record<string, any>;
-    $_SESSION: Record<string, any>;
+    $_REQUEST: Record<string, unknown>;
+    $_SESSION: Record<string, unknown>;
     $_COOKIE: Record<string, string>;
-    $_ENV: Record<string, string | undefined>;
+    $_ENV: Record<string, unknown>;
     $_SERVER: {
         REQUEST_METHOD: string;
         REQUEST_URI: string;
@@ -61,7 +62,7 @@ interface CgiContext<ConfigType = ConfigObject> {
         SCRIPT_NAME: string;
         PATH_INFO: string;
         QUERY_STRING: string;
-        [key: string]: any;
+        [key: string]: unknown;
     };
     config: ConfigType;
     c: Context;
@@ -83,24 +84,12 @@ interface CgiContext<ConfigType = ConfigObject> {
 type Page = {
     urlPath: string;
     dirPath: string | null;
-    component: (context: CgiContext) => any | Promise<any>;
+    component: (context: CgiContext) => unknown | Promise<unknown>;
 };
-type RedirectRule = {
-    type: "redirect";
-    code: string;
-    source: string;
-    target: string;
-};
-type RewriteRule = {
-    type: "rewrite";
-    pattern: string;
-    target: string;
-    flags: string;
-};
-type RewriteMap = Record<string, Array<RedirectRule | RewriteRule>>;
+
 /**
  * --- Matchbox Runtime Engine ---
  */
-declare const createCgiWithPages: (pages: Page[], siteConfig?: ConfigObject, authMap?: Record<string, string>, rewriteMap?: RewriteMap, options?: MatchboxOptions) => Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
+declare const createCgiWithPages: (pages: Page[], siteConfig?: ConfigObject, authMap?: Record<string, string>, htaccessConfig?: HtaccessConfig, options?: MatchboxOptions) => Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
 
-export { type CgiContext, type ConfigObject, type MatchboxOptions, type ModuleInfo, type Page, type RewriteMap, type SessionCookieOptions, createCgiWithPages };
+export { type CgiContext, type ConfigObject, HtaccessConfig, type MatchboxOptions, type ModuleInfo, type Page, type SessionCookieOptions, createCgiWithPages };

package/dist/cgi.js

@@ -1,13 +1,20 @@
 import { Hono } from "hono";
-import { basicAuth } from "hono/basic-auth";
-import { getCookie, setCookie } from "hono/cookie";
+import { getCookie } from "hono/cookie";
 import { generateCgiError, generateCgiInfo } from "./html.js";
+import {
+  applyBasicAuth,
+  applyHtaccessMiddleware,
+  applyErrorDocumentMiddleware,
+  getSessionFromCookie,
+  saveSessionToCookie,
+  applyProtectedFilesMiddleware,
+  applyTrailingSlashMiddleware
+} from "./middleware/index.js";
 const isRedirectObject = (obj) => {
-  return obj && obj.__type === "redirect" && typeof obj.url === "string";
+  return typeof obj === "object" && obj !== null && "__type" in obj && obj.__type === "redirect" && "url" in obj && typeof obj.url === "string";
 };
-const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {}, options = {}) => {
+const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, htaccessConfig = {}, options = {}) => {
   const app = new Hono();
-  const SESS_KEY = options.sessionCookie?.name || "_SESSION_ID";
   if (options.middleware && options.middleware.length > 0) {
     for (const mw of options.middleware) {
       app.use("*", async (c, next) => {
@@ -18,66 +25,12 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
       });
     }
   }
-  const protectedFiles = [".htaccess", ".htpasswd", ".htdigest", ".htgroup"];
-  app.use("*", async (c, next) => {
-    const path = c.req.path;
-    const lastSegment = path.slice(path.lastIndexOf("/") + 1);
-    if (protectedFiles.some((file) => lastSegment === file)) {
-      return c.text("Forbidden", 403);
-    }
-    await next();
-  });
+  applyProtectedFilesMiddleware(app);
   if (options.enforceTrailingSlash) {
-    app.use("*", async (c, next) => {
-      const path = c.req.path;
-      if (!path.endsWith("/") && !path.includes(".")) {
-        return c.redirect(`${path}/`, 301);
-      }
-      await next();
-    });
+    applyTrailingSlashMiddleware(app);
   }
-  Object.entries(rewriteMap).forEach(([dir, rules]) => {
-    const basePath = dir === "/" ? "" : dir.replace(/\/$/, "");
-    app.use(`${basePath}/*`, async (c, next) => {
-      const relPath = c.req.path.replace(basePath, "") || "/";
-      for (const rule of rules) {
-        if (rule.type === "redirect") {
-          if (relPath === rule.source) {
-            return c.redirect(
-              rule.target,
-              Number.parseInt(rule.code, 10) || 302
-            );
-          }
-        } else if (rule.type === "rewrite") {
-          const regex = new RegExp(rule.pattern);
-          if (regex.test(relPath)) {
-            const target = rule.target.startsWith("/") ? rule.target : `${basePath}/${rule.target}`;
-            if (rule.flags.includes("R")) {
-              const code = rule.flags.match(/R=(\d+)/)?.[1] || "302";
-              return c.redirect(target, Number.parseInt(code, 10));
-            }
-          }
-        }
-      }
-      await next();
-    });
-  });
-  Object.entries(authMap).forEach(([dir, content]) => {
-    const credentials = content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).map((line) => {
-      const [username, password] = line.split(":");
-      return { username, password };
-    });
-    if (credentials.length > 0) {
-      const authPath = dir === "/" ? "*" : `${dir.replace(/\/$/, "")}/*`;
-      app.use(authPath, async (c, next) => {
-        const handler = basicAuth({
-          verifyUser: (u, p) => credentials.some((cred) => cred.username === u && cred.password === p),
-          realm: "Restricted Area"
-        });
-        return handler(c, next);
-      });
-    }
-  });
+  applyHtaccessMiddleware(app, htaccessConfig);
+  applyBasicAuth(app, authMap);
   pages.forEach(({ urlPath, dirPath, component }) => {
     const routes = [urlPath, `${urlPath}/*`];
     if (dirPath) {
@@ -96,7 +49,7 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
           if (value instanceof File || Array.isArray(value) && value[0] instanceof File) {
             $_FILES[key] = value;
           } else {
-            $_POST[key] = value;
+            $_POST[key] = String(value);
           }
         }
         const $_COOKIE = getCookie(c);
@@ -106,14 +59,10 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
           ...$_POST
         };
         const $_ENV = typeof process !== "undefined" && process.env ? process.env : c.env || {};
-        let $_SESSION = {};
-        const sRaw = getCookie(c, SESS_KEY);
-        if (sRaw) {
-          try {
-            $_SESSION = JSON.parse(decodeURIComponent(sRaw));
-          } catch {
-          }
-        }
+        let $_SESSION = getSessionFromCookie(
+          c,
+          options.sessionCookie?.name
+        );
         let responseStatus = 200;
         const responseHeaders = {
           "Content-Type": "text/html; charset=utf-8"
@@ -169,7 +118,7 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
             }
           },
           get_version: () => {
-            return `MatchboxCGI/v${"0.2.6"}`;
+            return `MatchboxCGI/v${"0.3.1"}`;
           },
           /**
            * Returns information about all loaded CGI modules
@@ -184,48 +133,28 @@ const createCgiWithPages = (pages, siteConfig = {}, authMap = {}, rewriteMap = {
         };
         try {
           const result = await component(context);
-          const sessionValue = encodeURIComponent(JSON.stringify($_SESSION));
-          const sessionOptions = {
-            path: options.sessionCookie?.path || "/",
-            httpOnly: true,
-            sameSite: options.sessionCookie?.sameSite || "Lax"
-          };
-          if (options.sessionCookie?.secure !== void 0) {
-            sessionOptions.secure = options.sessionCookie.secure;
-          }
-          if (options.sessionCookie?.domain) {
-            sessionOptions.domain = options.sessionCookie.domain;
-          }
-          if (options.sessionCookie?.maxAge) {
-            sessionOptions.maxAge = options.sessionCookie.maxAge;
-          }
+          saveSessionToCookie(c, $_SESSION, options.sessionCookie);
           if (isRedirectObject(result)) {
-            setCookie(c, SESS_KEY, sessionValue, sessionOptions);
             return c.redirect(result.url, result.status);
           }
           if (result instanceof Response) {
-            setCookie(c, SESS_KEY, sessionValue, sessionOptions);
             return result;
           }
-          setCookie(c, SESS_KEY, sessionValue, sessionOptions);
           Object.entries(responseHeaders).forEach(([key, value]) => {
             c.header(key, value);
           });
           const contentType = responseHeaders["content-type"];
           if (contentType?.includes("application/json")) {
-            return c.json(
-              // biome-ignore lint/suspicious/noExplicitAny: to JSON response
-              result ?? { success: true },
-              responseStatus
-            );
+            return c.json(result ?? { success: true }, responseStatus);
           }
-          return c.html(result, responseStatus);
+          return c.html(String(result ?? ""), responseStatus);
         } catch (error) {
           return c.html(generateCgiError({ error, $_SERVER }), 500);
         }
       });
     });
   });
+  applyErrorDocumentMiddleware(app, htaccessConfig);
   return app;
 };
 export {

package/dist/htaccess/access-control.d.ts

@@ -0,0 +1,9 @@
+import { Context } from 'hono';
+import { AccessControlConfig } from './types.js';
+
+/**
+ * Create middleware for access control (Order/Allow/Deny)
+ */
+declare function createAccessControlMiddleware(config: AccessControlConfig): (c: Context, next: () => Promise<void>) => Promise<Response | void>;
+
+export { createAccessControlMiddleware };

package/dist/htaccess/access-control.js

@@ -0,0 +1,91 @@
+function matchesIP(clientIP, ruleValue) {
+  const ips = Array.isArray(ruleValue) ? ruleValue : [ruleValue];
+  for (const ip of ips) {
+    if (clientIP === ip) return true;
+    if (ip.includes("/")) {
+      const [network, bits] = ip.split("/");
+      const mask = parseInt(bits, 10);
+      if (isSameNetwork(clientIP, network, mask)) return true;
+    }
+  }
+  return false;
+}
+function isSameNetwork(ip1, ip2, maskBits) {
+  const ip1Parts = ip1.split(".").map(Number);
+  const ip2Parts = ip2.split(".").map(Number);
+  let bits = maskBits;
+  for (let i = 0; i < 4; i++) {
+    if (bits <= 0) break;
+    const mask = bits >= 8 ? 255 : 256 - Math.pow(2, 8 - bits);
+    if ((ip1Parts[i] & mask) !== (ip2Parts[i] & mask)) {
+      return false;
+    }
+    bits -= 8;
+  }
+  return true;
+}
+function matchesHost(clientHost, ruleValue) {
+  const hosts = Array.isArray(ruleValue) ? ruleValue : [ruleValue];
+  for (const host of hosts) {
+    if (clientHost === host) return true;
+    if (host.startsWith("*.")) {
+      const domain = host.slice(2);
+      if (clientHost.endsWith(domain)) return true;
+    }
+  }
+  return false;
+}
+function matchesRule(rule, c) {
+  switch (rule.type) {
+    case "all":
+      return true;
+    case "ip": {
+      const clientIP = c.req.header("x-forwarded-for")?.split(",")[0].trim() || c.req.header("x-real-ip") || c.env?.REMOTE_ADDR || "127.0.0.1";
+      return rule.value ? matchesIP(clientIP, rule.value) : false;
+    }
+    case "host": {
+      const clientHost = c.req.header("host") || "";
+      return rule.value ? matchesHost(clientHost, rule.value) : false;
+    }
+    case "env": {
+      if (!rule.value) return false;
+      const envVar = typeof rule.value === "string" ? rule.value : rule.value[0];
+      return c.env?.[envVar] !== void 0;
+    }
+    default:
+      return false;
+  }
+}
+function evaluateAccessControl(config, c) {
+  const order = config.order || "allow,deny";
+  const allowMatches = config.allow.some((rule) => matchesRule(rule, c));
+  const denyMatches = config.deny.some((rule) => matchesRule(rule, c));
+  switch (order) {
+    case "allow,deny":
+      if (denyMatches) return false;
+      if (allowMatches) return true;
+      return false;
+    case "deny,allow":
+      if (allowMatches) return true;
+      if (denyMatches) return false;
+      return true;
+    case "mutual-failure":
+      if (denyMatches) return false;
+      if (allowMatches) return true;
+      return false;
+    default:
+      return false;
+  }
+}
+function createAccessControlMiddleware(config) {
+  return async (c, next) => {
+    const allowed = evaluateAccessControl(config, c);
+    if (!allowed) {
+      return c.text("Forbidden", 403);
+    }
+    await next();
+  };
+}
+export {
+  createAccessControlMiddleware
+};