@usethink/cf-core 0.3.0

package/dist/features/webhook/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../features/webhook/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAiCH,kFAAkF;AAClF,iBAAiB;AACjB,kFAAkF;AAElF;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,SAAS,CAAC;IACjB,OAAO,GAAG,OAAO,CAAC;IAEnB,IAAI,CAAW;IACf,MAAM,CAAU;IAChB,SAAS,CAAS;IAClB,UAAU,CAAS;IAE3B,YAAY,MAAqB;QAC/B,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI;aACpB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;QAC1C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,IAA6B;QACvD,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAEtC,MAAM,OAAO,GAAmB;YAC9B,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,IAAI;SACL,CAAC;QAEF,MAAM,OAAO,GAAoB,EAAE,CAAC;QAEpC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAClD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,OAAuB;QAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAErC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,iBAAiB,EAAE,OAAO,CAAC,KAAK;YAChC,qBAAqB,EAAE,OAAO,CAAC,SAAS;SACzC,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxC,OAAO,CAAC,qBAAqB,CAAC,GAAG,SAAS,CAAC;QAC7C,CAAC;QAED,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;gBAErE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAC3B,MAAM,EAAE,MAAM;oBACd,OAAO;oBACP,IAAI;oBACJ,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,YAAY,CAAC,OAAO,CAAC,CAAC;gBAEtB,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;oBACX,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;gBAC/C,CAAC;gBAED,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;oBAC1C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC7E,CAAC;gBAED,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,GAAG,CAAC,MAAM,UAAU,IAAI,CAAC,UAAU,GAAG,CAAC,WAAW,EAAE,CAAC;YACnH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChE,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC9D,SAAS;gBACX,CAAC;gBACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IACjD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,IAAI,CAAC,IAAY;QAC7B,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAO,CAAC,EACtC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACxF,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED;;OAEG;IACH,IAAI,YAAY;QACd,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9B,CAAC;CACF"}

package/dist/src/audit.d.ts

@@ -0,0 +1,45 @@
+/**
+ * 审计日志模块
+ *
+ * 提供管理员操作审计和通用事件日志。
+ * 设计为 fire-and-forget：写入失败不阻塞主流程。
+ * 内置 5% 概率自动清理旧日志，避免数据无限增长。
+ *
+ * 来源：eshop/vcode audit-service.ts 合并
+ */
+import { adminAuditLogs } from "./db/schema";
+/**
+ * 通用 Drizzle 数据库接口（仅约束审计模块需要的方法）
+ */
+interface AuditDbLike {
+    insert: (table: typeof adminAuditLogs) => {
+        values: (data: {
+            id: string;
+            action: string;
+            targetType: string;
+            targetId: string;
+            metadataJson: string;
+            ipHash: string;
+            createdAt: string;
+        }) => Promise<unknown>;
+    };
+    $client?: {
+        execute: (sql: string) => Promise<unknown>;
+    };
+}
+export interface AuditInput {
+    action: string;
+    targetType?: string;
+    targetId?: string;
+    metadata?: unknown;
+    ipHash?: string;
+}
+/**
+ * 写入管理员审计日志
+ *
+ * fire-and-forget 模式：调用方应使用 ctx.waitUntil() 或直接 await。
+ * 写入失败仅打印 warn，不抛异常。
+ */
+export declare function writeAdminAudit(db: AuditDbLike, input: AuditInput): Promise<void>;
+export {};
+//# sourceMappingURL=audit.d.ts.map

package/dist/src/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;GAEG;AACH,UAAU,WAAW;IACnB,MAAM,EAAE,CAAC,KAAK,EAAE,OAAO,cAAc,KAAK;QACxC,MAAM,EAAE,CAAC,IAAI,EAAE;YACb,EAAE,EAAE,MAAM,CAAC;YACX,MAAM,EAAE,MAAM,CAAC;YACf,UAAU,EAAE,MAAM,CAAC;YACnB,QAAQ,EAAE,MAAM,CAAC;YACjB,YAAY,EAAE,MAAM,CAAC;YACrB,MAAM,EAAE,MAAM,CAAC;YACf,SAAS,EAAE,MAAM,CAAC;SACnB,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;KACxB,CAAC;IACF,OAAO,CAAC,EAAE;QACR,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;KAC5C,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBvF"}

package/dist/src/audit.js

@@ -0,0 +1,40 @@
+/**
+ * 审计日志模块
+ *
+ * 提供管理员操作审计和通用事件日志。
+ * 设计为 fire-and-forget：写入失败不阻塞主流程。
+ * 内置 5% 概率自动清理旧日志，避免数据无限增长。
+ *
+ * 来源：eshop/vcode audit-service.ts 合并
+ */
+import { adminAuditLogs } from "./db/schema";
+/**
+ * 写入管理员审计日志
+ *
+ * fire-and-forget 模式：调用方应使用 ctx.waitUntil() 或直接 await。
+ * 写入失败仅打印 warn，不抛异常。
+ */
+export async function writeAdminAudit(db, input) {
+    try {
+        await db.insert(adminAuditLogs).values({
+            id: crypto.randomUUID(),
+            action: input.action,
+            targetType: input.targetType || "",
+            targetId: input.targetId || "",
+            metadataJson: JSON.stringify(input.metadata || {}),
+            ipHash: input.ipHash || "",
+            createdAt: new Date().toISOString(),
+        });
+        // 5% 概率清理超过 90 天的旧日志
+        if (Math.random() < 0.05) {
+            try {
+                db.$client?.execute(`DELETE FROM admin_audit_logs WHERE created_at < datetime('now', '-90 days')`).catch(() => { });
+            }
+            catch { /* mock DB may not have execute */ }
+        }
+    }
+    catch (err) {
+        console.warn("[audit] writeAdminAudit failed:", err instanceof Error ? err.message : String(err));
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/src/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AA8B7C;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,EAAe,EAAE,KAAiB;IACtE,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;YACrC,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;YACvB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;YAClC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,EAAE;YAC9B,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;YAClD,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;QAEH,qBAAqB;QACrB,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,EAAE,CAAC,OAAO,EAAE,OAAO,CACjB,6EAA6E,CAC9E,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACpB,CAAC;YAAC,MAAM,CAAC,CAAC,kCAAkC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,iCAAiC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IACpG,CAAC;AACH,CAAC"}

package/dist/src/auth/jwt.d.ts

@@ -0,0 +1,33 @@
+/**
+ * JWT 签发与验证（HMAC-SHA256）
+ *
+ * 纯 Web Crypto API 实现，零外部依赖。
+ * Workers 原生支持，性能优异。
+ *
+ * 来源：xtools src/lib/auth.ts
+ */
+export interface JwtPayload {
+    sub: string;
+    email: string;
+    iat: number;
+    exp: number;
+}
+/**
+ * 签发 JWT
+ */
+export declare function signJwt(userId: string, email: string, secret: string, expirySeconds?: number): Promise<string>;
+/**
+ * 验证并解析 JWT — 验证失败返回 null
+ */
+export declare function verifyJwt(token: string, secret: string): Promise<JwtPayload | null>;
+/**
+ * 从请求中提取 JWT Token
+ *
+ * 优先级：Authorization: Bearer > Cookie: token=
+ */
+export declare function extractJwt(c: {
+    req: {
+        header: (name: string) => string | undefined;
+    };
+}): string | null;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/src/auth/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AA+BD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,aAAa,SAAiB,GAC7B,OAAO,CAAC,MAAM,CAAC,CAYjB;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAwBzF;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE;IAAE,GAAG,EAAE;QAAE,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAA;KAAE,CAAA;CAAE,GAAG,MAAM,GAAG,IAAI,CAYtG"}

package/dist/src/auth/jwt.js

@@ -0,0 +1,87 @@
+/**
+ * JWT 签发与验证（HMAC-SHA256）
+ *
+ * 纯 Web Crypto API 实现，零外部依赖。
+ * Workers 原生支持，性能优异。
+ *
+ * 来源：xtools src/lib/auth.ts
+ */
+const DEFAULT_EXPIRY = 24 * 60 * 60; // 24 小时
+function base64UrlEncode(data) {
+    const bytes = typeof data === "string" ? new TextEncoder().encode(data) : data;
+    let binary = "";
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str) {
+    let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = 4 - (base64.length % 4);
+    if (padding !== 4)
+        base64 += "=".repeat(padding);
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+async function importHmacKey(secret) {
+    return crypto.subtle.importKey("raw", new TextEncoder().encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
+}
+/**
+ * 签发 JWT
+ */
+export async function signJwt(userId, email, secret, expirySeconds = DEFAULT_EXPIRY) {
+    const now = Math.floor(Date.now() / 1000);
+    const payload = { sub: userId, email, iat: now, exp: now + expirySeconds };
+    const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+    const body = base64UrlEncode(JSON.stringify(payload));
+    const signingInput = `${header}.${body}`;
+    const key = await importHmacKey(secret);
+    const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(signingInput));
+    return `${signingInput}.${base64UrlEncode(new Uint8Array(signature))}`;
+}
+/**
+ * 验证并解析 JWT — 验证失败返回 null
+ */
+export async function verifyJwt(token, secret) {
+    try {
+        const parts = token.split(".");
+        if (parts.length !== 3)
+            return null;
+        const [header, body, signature] = parts;
+        const signingInput = `${header}.${body}`;
+        const key = await importHmacKey(secret);
+        const valid = await crypto.subtle.verify("HMAC", key, base64UrlDecode(signature), new TextEncoder().encode(signingInput));
+        if (!valid)
+            return null;
+        const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(body)));
+        if (payload.exp < Math.floor(Date.now() / 1000))
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * 从请求中提取 JWT Token
+ *
+ * 优先级：Authorization: Bearer > Cookie: token=
+ */
+export function extractJwt(c) {
+    const auth = c.req.header("Authorization");
+    if (auth?.startsWith("Bearer ")) {
+        const token = auth.slice(7).trim();
+        if (token.split(".").length === 3)
+            return token;
+    }
+    const cookie = c.req.header("Cookie");
+    if (cookie) {
+        const match = cookie.match(/(?:^|;\s*)token=([^;]+)/);
+        if (match)
+            return decodeURIComponent(match[1]);
+    }
+    return null;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/src/auth/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ;AAE7C,SAAS,eAAe,CAAC,IAAyB;IAChD,MAAM,KAAK,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/E,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACxC,IAAI,OAAO,KAAK,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAc;IACzC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,KAAa,EACb,MAAc,EACd,aAAa,GAAG,cAAc;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAe,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,aAAa,EAAE,CAAC;IAEvF,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;IAEzC,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAEhG,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AACzE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc;IAC3D,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QACxC,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;QAEzC,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACtC,MAAM,EACN,GAAG,EACH,eAAe,CAAC,SAAS,CAAC,EAC1B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CACvC,CAAC;QACF,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAe,CAAC;QAC1F,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7D,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,CAA4D;IACrF,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IAC3C,IAAI,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IAClD,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QACtD,IAAI,KAAK;YAAE,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/auth/password.d.ts

@@ -0,0 +1,26 @@
+/**
+ * 密码哈希模块（PBKDF2-HMAC-SHA256）
+ *
+ * 纯 Web Crypto API 实现，零外部依赖。
+ * - 100,000 次迭代（OWASP 推荐最低值）
+ * - 16 字节随机 salt
+ * - 32 字节（256 bit）哈希输出
+ *
+ * 来源：xtools src/lib/auth.ts
+ */
+/**
+ * 哈希密码
+ *
+ * @param password - 明文密码
+ * @param saltHex - 盐值 hex（可选，不提供则自动生成）
+ * @returns { hash, salt } — 均为 hex 字符串
+ */
+export declare function hashPassword(password: string, saltHex?: string): Promise<{
+    hash: string;
+    salt: string;
+}>;
+/**
+ * 验证密码 — 恒定时间比较（防 timing attack）
+ */
+export declare function verifyPassword(password: string, hashHex: string, saltHex: string): Promise<boolean>;
+//# sourceMappingURL=password.d.ts.map

package/dist/src/auth/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../../src/auth/password.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAkBH;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAoBzC;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CAQlB"}

package/dist/src/auth/password.js

@@ -0,0 +1,52 @@
+/**
+ * 密码哈希模块（PBKDF2-HMAC-SHA256）
+ *
+ * 纯 Web Crypto API 实现，零外部依赖。
+ * - 100,000 次迭代（OWASP 推荐最低值）
+ * - 16 字节随机 salt
+ * - 32 字节（256 bit）哈希输出
+ *
+ * 来源：xtools src/lib/auth.ts
+ */
+const ITERATIONS = 100_000;
+const SALT_LENGTH = 16;
+const HASH_LENGTH = 32;
+function toHex(bytes) {
+    return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function fromHex(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+    }
+    return bytes;
+}
+/**
+ * 哈希密码
+ *
+ * @param password - 明文密码
+ * @param saltHex - 盐值 hex（可选，不提供则自动生成）
+ * @returns { hash, salt } — 均为 hex 字符串
+ */
+export async function hashPassword(password, saltHex) {
+    const salt = saltHex
+        ? fromHex(saltHex)
+        : crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
+    const keyMaterial = await crypto.subtle.importKey("raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
+    const hashBuffer = await crypto.subtle.deriveBits({ name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" }, keyMaterial, HASH_LENGTH * 8);
+    return { hash: toHex(new Uint8Array(hashBuffer)), salt: toHex(salt) };
+}
+/**
+ * 验证密码 — 恒定时间比较（防 timing attack）
+ */
+export async function verifyPassword(password, hashHex, saltHex) {
+    const result = await hashPassword(password, saltHex);
+    if (result.hash.length !== hashHex.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < result.hash.length; i++) {
+        diff |= result.hash.charCodeAt(i) ^ hashHex.charCodeAt(i);
+    }
+    return diff === 0;
+}
+//# sourceMappingURL=password.js.map

package/dist/src/auth/password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.js","sourceRoot":"","sources":["../../../src/auth/password.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,UAAU,GAAG,OAAO,CAAC;AAC3B,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,WAAW,GAAG,EAAE,CAAC;AAEvB,SAAS,KAAK,CAAC,KAAiB;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,OAAgB;IAEhB,MAAM,IAAI,GAAG,OAAO;QAClB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;QAClB,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;IAExD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC/C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EACjE,WAAW,EACX,WAAW,GAAG,CAAC,CAChB,CAAC;IAEF,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAgB,EAChB,OAAe,EACf,OAAe;IAEf,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/src/bootstrap.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Worker 入口工厂
+ *
+ * 将三项目 index.ts 中高度重复的 Worker 启动逻辑抽象为统一工厂函数：
+ * - 数据库初始化中间件
+ * - 请求体大小限制
+ * - 安全响应头注入
+ * - API 路由 / 静态资源分流
+ * - 全局错误处理
+ *
+ * 来源：eshop/xtools/vcode 三项目 index.ts 入口合并
+ */
+import { Hono } from "hono";
+import { type SecurityHeadersOptions } from "./security";
+export interface BootstrapOptions<TSchema extends Record<string, unknown> = Record<string, never>> {
+    /** Drizzle schema（传入后支持关系查询） */
+    schema?: TSchema;
+    /** API 路由前缀，默认 "/api" */
+    apiPrefix?: string;
+    /** 请求体大小限制（字节），默认 100KB */
+    maxBodySize?: number;
+    /**
+     * 请求级超时（毫秒），默认 25000（25 秒）。
+     * Cloudflare Workers 硬限制 30 秒，留 5 秒余量给 CF 运行时。
+     * 超时后请求会被中止并返回 504 Gateway Timeout。
+     */
+    requestTimeoutMs?: number;
+    /** 安全响应头配置 */
+    securityHeaders?: SecurityHeadersOptions;
+    /**
+     * 错误告警回调 — 生产环境错误通知。
+     * 当请求处理过程中发生未捕获错误时调用，可用于发送到外部告警系统
+     * （如 Slack webhook、邮件、PagerDuty 等）。
+     *
+     * @example
+     * ```ts
+     * onErrorAlert: async (error, context) => {
+     *   await fetch("https://hooks.slack.com/...", {
+     *     method: "POST",
+     *     body: JSON.stringify({ text: `[ERROR] ${error.message}` }),
+     *   });
+     * }
+     * ```
+     */
+    onErrorAlert?: (error: Error, context: {
+        path: string;
+        method: string;
+        ip?: string;
+    }) => void | Promise<void>;
+    /** 注册 API 路由的回调 */
+    registerRoutes: (api: Hono<any>) => void;
+    /**
+     * 静态资源路由表 — 页面路径到 HTML 文件的映射
+     * @example { "/admin": "/admin.html", "/shop": "/index.html" }
+     */
+    pageRoutes?: Record<string, string>;
+    /**
+     * SPA 路由 — 这些路径都返回同一个 HTML 文件
+     * @example { fallback: "/_app/index.html", paths: ["/shop", "/order"] }
+     */
+    spaRoutes?: {
+        fallback: string;
+        paths: string[];
+    };
+    /**
+     * 长缓存路径前缀（如 /_app/assets/）
+     * 匹配的路径会设置 Cache-Control: immutable, max-age=31536000
+     */
+    immutablePrefixes?: string[];
+}
+export declare function bootstrap<TSchema extends Record<string, unknown>>(options: BootstrapOptions<TSchema>): {
+    fetch(request: Request, env: Record<string, unknown>, ctx: ExecutionContext): Promise<Response>;
+};
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/src/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../../src/bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,OAAO,EAAwB,KAAK,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAE/E,MAAM,WAAW,gBAAgB,CAAC,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;IAC/F,gCAAgC;IAChC,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB,yBAAyB;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2BAA2B;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,cAAc;IACd,eAAe,CAAC,EAAE,sBAAsB,CAAC;IAEzC;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9G,mBAAmB;IAEnB,cAAc,EAAE,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC;IAEzC;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEpC;;;OAGG;IACH,SAAS,CAAC,EAAE;QACV,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC;IAEF;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAoDD,wBAAgB,SAAS,CAAC,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/D,OAAO,EAAE,gBAAgB,CAAC,OAAO,CAAC;mBAyHX,OAAO,OAAO,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,gBAAgB;EAoEpF"}

package/dist/src/bootstrap.js

@@ -0,0 +1,231 @@
+/**
+ * Worker 入口工厂
+ *
+ * 将三项目 index.ts 中高度重复的 Worker 启动逻辑抽象为统一工厂函数：
+ * - 数据库初始化中间件
+ * - 请求体大小限制
+ * - 安全响应头注入
+ * - API 路由 / 静态资源分流
+ * - 全局错误处理
+ *
+ * 来源：eshop/xtools/vcode 三项目 index.ts 入口合并
+ */
+import { Hono } from "hono";
+import { initDatabaseWithHealthCheck } from "./db/connection";
+import { fail } from "./http";
+import { buildSecurityHeaders } from "./security";
+/**
+ * 创建 Cloudflare Workers 应用
+ *
+ * 返回标准的 Workers fetch handler 导出对象。
+ *
+ * @example
+ * ```ts
+ * import * as schema from "./db/schema";
+ * import { bootstrap } from "@usethink/cf-core/bootstrap";
+ *
+ * export default bootstrap({
+ *   schema,
+ *   registerRoutes: (api) => {
+ *     api.route("/products", productRoutes);
+ *     api.route("/orders", orderRoutes);
+ *   },
+ *   pageRoutes: { "/admin": "/admin.html" },
+ *   spaRoutes: { fallback: "/_app/index.html", paths: ["/shop", "/order"] },
+ *   immutablePrefixes: ["/_app/assets/"],
+ * });
+ * ```
+ */
+/** 生成友好的 HTML 错误页面（内联 CSS，无外部依赖） */
+function errorPageHtml(status, message) {
+    return `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>${status} - ${message}</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#0f0f0f;color:#e0e0e0;display:flex;align-items:center;justify-content:center;min-height:100vh;padding:20px}
+.container{text-align:center;max-width:480px}
+.code{font-size:6rem;font-weight:800;background:linear-gradient(135deg,#6c63ff,#a78bfa);-webkit-background-clip:text;-webkit-text-fill-color:transparent;line-height:1}
+.msg{font-size:1.25rem;color:#888;margin:1rem 0 2rem}
+a{color:#6c63ff;text-decoration:none;font-weight:500}
+a:hover{text-decoration:underline}
+</style>
+</head>
+<body>
+<div class="container">
+<p class="code">${status}</p>
+<p class="msg">${message}</p>
+<a href="/">← 返回首页</a>
+</div>
+</body>
+</html>`;
+}
+export function bootstrap(options) {
+    const { schema, apiPrefix = "/api", maxBodySize = 1024 * 100, requestTimeoutMs = 25_000, securityHeaders: secOpts = {}, onErrorAlert, registerRoutes, pageRoutes = {}, spaRoutes, immutablePrefixes = [], } = options;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const api = new Hono();
+    // ── 请求级超时中间件（防止慢请求耗尽 Workers CPU） ──
+    api.use("*", async (c, next) => {
+        // /health 不受超时限制（用于监控探活）
+        if (c.req.path === "/health") {
+            await next();
+            return;
+        }
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), requestTimeoutMs);
+        try {
+            // 将 signal 传递给下游（路由可选择性使用）
+            c.set("abortSignal", controller.signal);
+            await next();
+        }
+        catch (err) {
+            if (err instanceof DOMException && err.name === "AbortError") {
+                console.error(`[bootstrap:timeout] 请求超时 ${requestTimeoutMs}ms: ${c.req.method} ${c.req.path}`);
+                return fail(c, "请求处理超时", 504);
+            }
+            throw err;
+        }
+        finally {
+            clearTimeout(timeoutId);
+        }
+    });
+    // ── DB 初始化中间件（带连接验证 + 重试） ──
+    api.use("*", async (c, next) => {
+        const isHealth = c.req.path === "/health";
+        try {
+            const db = await initDatabaseWithHealthCheck(c.env.TURSO_URL, c.env.TURSO_TOKEN, schema);
+            c.set("db", db);
+            if ("executionCtx" in c) {
+                c.set("executionCtx", c.env.executionCtx);
+            }
+            await next();
+        }
+        catch (err) {
+            console.error("[bootstrap:db-init]", err);
+            if (isHealth) {
+                c.set("db", undefined);
+                await next();
+                return;
+            }
+            return fail(c, "服务暂时不可用", 503);
+        }
+    });
+    // ── 请求体大小限制 ──
+    api.use("*", async (c, next) => {
+        const len = parseInt(c.req.header("content-length") || "0");
+        if (len > maxBodySize)
+            return fail(c, `请求体过大（最大 ${Math.floor(maxBodySize / 1024)}KB）`, 413);
+        await next();
+    });
+    // ── 注册业务路由 ──
+    registerRoutes(api);
+    // ── 404 + 全局错误（浏览器返回 HTML，API 返回 JSON） ──
+    api.notFound((c) => {
+        const accept = c.req.header("accept") || "";
+        if (accept.includes("text/html")) {
+            return c.html(errorPageHtml(404, "页面未找到"), 404);
+        }
+        return fail(c, "API not found", 404);
+    });
+    api.onError((error, c) => {
+        console.error("[bootstrap:onError]", error?.constructor?.name, error?.message, error?.stack);
+        // 触发告警回调（如果配置了）
+        if (onErrorAlert) {
+            const ip = c.req.header("cf-connecting-ip") || c.req.header("x-forwarded-for") || "unknown";
+            // 异步发送告警，不阻塞响应
+            Promise.resolve(onErrorAlert(error, {
+                path: c.req.path,
+                method: c.req.method,
+                ip,
+            })).catch((alertErr) => {
+                console.error("[bootstrap:onErrorAlert] 告警发送失败:", alertErr);
+            });
+        }
+        const accept = c.req.header("accept") || "";
+        if (accept.includes("text/html")) {
+            return c.html(errorPageHtml(500, "服务暂时不可用"), 500);
+        }
+        return fail(c, "服务暂时不可用", 500, { error: error?.message });
+    });
+    // ── 预计算安全响应头 ──
+    const defaultHeaders = buildSecurityHeaders(secOpts);
+    const adminHeaders = buildSecurityHeaders({ ...secOpts, allowUnsafeEval: true });
+    function applyHeaders(response, isImmutable = false, isAdmin = false) {
+        const headers = new Headers(response.headers);
+        const base = isAdmin ? adminHeaders : defaultHeaders;
+        for (const [k, v] of base)
+            headers.set(k, v);
+        if (isImmutable) {
+            headers.set("Cache-Control", "public, max-age=31536000, immutable");
+        }
+        return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
+    }
+    return {
+        async fetch(request, env, ctx) {
+            try {
+                const url = new URL(request.url);
+                const path = url.pathname;
+                // API 路由 → Hono
+                const prefix = apiPrefix.replace(/\/$/, "");
+                if (path === prefix || path.startsWith(`${prefix}/`)) {
+                    url.pathname = path.replace(new RegExp(`^${prefix}`), "") || "/";
+                    return api.fetch(new Request(url, request), env, ctx);
+                }
+                // 静态资源处理需要 ASSETS binding
+                const assets = env.ASSETS;
+                if (!assets) {
+                    return new Response(JSON.stringify({ ok: false, error: "ASSETS binding not configured" }), {
+                        status: 500,
+                        headers: { "content-type": "application/json" },
+                    });
+                }
+                // 长缓存静态资源
+                if (immutablePrefixes.some((p) => path.startsWith(p))) {
+                    return applyHeaders(await assets.fetch(request), true);
+                }
+                // 页面路由（pageRoutes 精确匹配）
+                for (const [route, file] of Object.entries(pageRoutes)) {
+                    if (path === route || path.startsWith(`${route}/`)) {
+                        url.pathname = file;
+                        const isAdmin = route === "/admin" || route.startsWith("/admin");
+                        return applyHeaders(await assets.fetch(new Request(url, request)), false, isAdmin);
+                    }
+                }
+                // SPA 路由
+                if (spaRoutes && spaRoutes.paths.some((p) => path === p || path.startsWith(`${p}/`))) {
+                    url.pathname = spaRoutes.fallback;
+                    const res = await assets.fetch(new Request(url, request));
+                    if (res.ok)
+                        return applyHeaders(res);
+                    url.pathname = "/index.html";
+                    return applyHeaders(await assets.fetch(new Request(url, request)));
+                }
+                // 根路径
+                if (path === "/") {
+                    url.pathname = "/index.html";
+                    return applyHeaders(await assets.fetch(new Request(url, request)));
+                }
+                // 其他静态资源
+                return applyHeaders(await assets.fetch(request));
+            }
+            catch (err) {
+                console.error("[bootstrap:fetch]", err);
+                const accept = request.headers.get("accept") || "";
+                if (accept.includes("text/html")) {
+                    return new Response(errorPageHtml(500, "服务暂时不可用"), {
+                        status: 500,
+                        headers: { "content-type": "text/html; charset=utf-8" },
+                    });
+                }
+                return new Response(JSON.stringify({ ok: false, error: "服务暂时不可用" }), {
+                    status: 500,
+                    headers: { "content-type": "application/json" },
+                });
+            }
+        },
+    };
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/src/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,2BAA2B,EAAwB,MAAM,iBAAiB,CAAC;AACpF,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAA+B,MAAM,YAAY,CAAC;AAiE/E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,oCAAoC;AACpC,SAAS,aAAa,CAAC,MAAc,EAAE,OAAe;IACpD,OAAO;;;;;SAKA,MAAM,MAAM,OAAO;;;;;;;;;;;;;kBAaV,MAAM;iBACP,OAAO;;;;QAIhB,CAAC;AACT,CAAC;AAED,MAAM,UAAU,SAAS,CACvB,OAAkC;IAElC,MAAM,EACJ,MAAM,EACN,SAAS,GAAG,MAAM,EAClB,WAAW,GAAG,IAAI,GAAG,GAAG,EACxB,gBAAgB,GAAG,MAAM,EACzB,eAAe,EAAE,OAAO,GAAG,EAAE,EAC7B,YAAY,EACZ,cAAc,EACd,UAAU,GAAG,EAAE,EACf,SAAS,EACT,iBAAiB,GAAG,EAAE,GACvB,GAAG,OAAO,CAAC;IAEZ,8DAA8D;IAC9D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAO,CAAC;IAE5B,sCAAsC;IACtC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7B,yBAAyB;QACzB,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,IAAI,EAAE,CAAC;YACb,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,gBAAgB,CAAC,CAAC;QAEzE,IAAI,CAAC;YACH,2BAA2B;YAC3B,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM,IAAI,EAAE,CAAC;QACf,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,YAAY,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC7D,OAAO,CAAC,KAAK,CAAC,4BAA4B,gBAAgB,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC/F,OAAO,IAAI,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC;YAChC,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,SAAS,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,8BAA8B;IAC9B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7B,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC;QAC1C,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,2BAA2B,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YACzF,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAChB,IAAI,cAAc,IAAI,CAAC,EAAE,CAAC;gBACxB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YAC5C,CAAC;YACD,MAAM,IAAI,EAAE,CAAC;QACf,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC;YAC1C,IAAI,QAAQ,EAAE,CAAC;gBACb,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;gBACvB,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACT,CAAC;YACD,OAAO,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,gBAAgB;IAChB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,CAAC;QAC5D,IAAI,GAAG,GAAG,WAAW;YAAE,OAAO,IAAI,CAAC,CAAC,EAAE,YAAY,IAAI,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5F,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,eAAe;IACf,cAAc,CAAC,GAAG,CAAC,CAAC;IAEpB,2CAA2C;IAC3C,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE;QACjB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,GAAG,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,CAAC,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACvB,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;QAE7F,gBAAgB;QAChB,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC;YAC5F,eAAe;YACf,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,KAAc,EAAE;gBAC3C,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;gBAChB,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM;gBACpB,EAAE;aACH,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,EAAE;gBACrB,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,QAAQ,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,iBAAiB;IACjB,MAAM,cAAc,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,oBAAoB,CAAC,EAAE,GAAG,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;IAEjF,SAAS,YAAY,CAAC,QAAkB,EAAE,WAAW,GAAG,KAAK,EAAE,OAAO,GAAG,KAAK;QAC5E,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,CAAC;QACrD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI;YAAE,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7C,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,qCAAqC,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5G,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,OAAgB,EAAE,GAA4B,EAAE,GAAqB;YAC/E,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACjC,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;gBAE1B,gBAAgB;gBAChB,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC5C,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC;oBACrD,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC;oBACjE,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;gBACxD,CAAC;gBAED,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,GAAG,CAAC,MAA6B,CAAC;gBACjD,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,EAAE;wBACzF,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;qBAChD,CAAC,CAAC;gBACL,CAAC;gBAED,UAAU;gBACV,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACtD,OAAO,YAAY,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,CAAC;gBACzD,CAAC;gBAED,wBAAwB;gBACxB,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;oBACvD,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,KAAK,GAAG,CAAC,EAAE,CAAC;wBACnD,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC;wBACpB,MAAM,OAAO,GAAG,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBACjE,OAAO,YAAY,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;oBACrF,CAAC;gBACH,CAAC;gBAED,SAAS;gBACT,IAAI,SAAS,IAAI,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBACrF,GAAG,CAAC,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC;oBAClC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC;oBAC1D,IAAI,GAAG,CAAC,EAAE;wBAAE,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;oBACrC,GAAG,CAAC,QAAQ,GAAG,aAAa,CAAC;oBAC7B,OAAO,YAAY,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;gBACrE,CAAC;gBAED,MAAM;gBACN,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;oBACjB,GAAG,CAAC,QAAQ,GAAG,aAAa,CAAC;oBAC7B,OAAO,YAAY,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;gBACrE,CAAC;gBAED,SAAS;gBACT,OAAO,YAAY,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;YACnD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;gBACxC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;oBACjC,OAAO,IAAI,QAAQ,CAAC,aAAa,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE;wBACjD,MAAM,EAAE,GAAG;wBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;qBACxD,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE;oBACnE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}