@wooksjs/event-http 0.6.6 → 0.7.1

package/dist/index.mjs

@@ -1,31 +1,21 @@
-import { attachHook, createAsyncEventContext, useAsyncEventContext, useEventId, useEventLogger, useEventLogger as useEventLogger$1, useRouteParams } from "@wooksjs/event-core";
+import { EventContext, cached, cachedBy, current, defineEventKind, defineWook, routeParamsKey, run, slot, useEventId, useLogger, useRouteParams } from "@wooksjs/event-core";
 import { Buffer as Buffer$1 } from "buffer";
 import { Readable, pipeline } from "node:stream";
 import { promisify } from "node:util";
 import { createBrotliCompress, createBrotliDecompress, createDeflate, createGunzip, createGzip, createInflate } from "node:zlib";
 import { URLSearchParams } from "url";
-import http from "http";
-import { WooksAdapterBase } from "wooks";
 import { Readable as Readable$1 } from "stream";
+import http, { IncomingMessage, ServerResponse } from "http";
+import { WooksAdapterBase } from "wooks";
+import { Socket } from "net";
 
-//#region packages/event-http/src/event-http.ts
-/** Creates an async event context for an incoming HTTP request/response pair. */
-function createHttpContext(data, options) {
-	return createAsyncEventContext({
-		event: {
-			...data,
-			type: "HTTP"
-		},
-		options
-	});
-}
-/**
-* Wrapper on useEventContext with HTTP event types
-* @returns set of hooks { getCtx, restoreCtx, clearCtx, hookStore, getStore, setStore }
-*/
-function useHttpContext() {
-	return useAsyncEventContext("HTTP");
-}
+//#region packages/event-http/src/http-kind.ts
+/** Event kind definition for HTTP requests. Provides typed context slots for `req`, `response`, and `requestLimits`. */
+const httpKind = defineEventKind("http", {
+	req: slot(),
+	response: slot(),
+	requestLimits: slot()
+});
 
 //#endregion
 //#region packages/event-http/src/utils/helpers.ts
@@ -45,53 +35,114 @@ function safeDecodeURIComponent(uri) {
 }
 
 //#endregion
-//#region packages/event-http/src/utils/time.ts
-function convertTime(time, unit = "ms") {
-	if (typeof time === "number") return time / units[unit];
-	const rg = /(\d+)(\w+)/gu;
-	let t = 0;
-	let r;
-	while (r = rg.exec(time)) t += Number(r[1]) * (units[r[2]] || 0);
-	return t / units[unit];
+//#region packages/event-http/src/composables/cookies.ts
+const cookieRegExpCache = /* @__PURE__ */ new Map();
+function getCookieRegExp(name) {
+	let re = cookieRegExpCache.get(name);
+	if (!re) {
+		re = new RegExp(`(?:^|; )${escapeRegex(name)}=(.*?)(?:;?$|; )`, "i");
+		cookieRegExpCache.set(name, re);
+	}
+	return re;
 }
-const units = {
-	ms: 1,
-	s: 1e3,
-	m: 1e3 * 60,
-	h: 1e3 * 60 * 60,
-	d: 1e3 * 60 * 60 * 24,
-	w: 1e3 * 60 * 60 * 24 * 7,
-	M: 1e3 * 60 * 60 * 24 * 30,
-	Y: 1e3 * 60 * 60 * 24 * 365
+const parseCookieValue = cachedBy((name, ctx) => {
+	const cookie = ctx.get(httpKind.keys.req).headers.cookie;
+	if (cookie) {
+		const result = getCookieRegExp(name).exec(cookie);
+		return result?.[1] ? safeDecodeURIComponent(result[1]) : null;
+	}
+	return null;
+});
+/**
+* Provides access to parsed request cookies.
+* @example
+* ```ts
+* const { getCookie, raw } = useCookies()
+* const sessionId = getCookie('session_id')
+* ```
+*/
+const useCookies = defineWook((ctx) => ({
+	raw: ctx.get(httpKind.keys.req).headers.cookie,
+	getCookie: (name) => parseCookieValue(name, ctx)
+}));
+
+//#endregion
+//#region packages/event-http/src/composables/header-accept.ts
+const ACCEPT_TYPE_MAP = {
+	json: "application/json",
+	html: "text/html",
+	xml: "application/xml",
+	text: "text/plain"
 };
+const acceptsMime = cachedBy((type, ctx) => {
+	const accept = ctx.get(httpKind.keys.req).headers.accept;
+	const mime = ACCEPT_TYPE_MAP[type] || type;
+	return !!(accept && (accept === "*/*" || accept.includes(mime)));
+});
+/** Provides helpers to check the request's Accept header for supported MIME types. */
+const useAccept = defineWook((ctx) => {
+	const accept = ctx.get(httpKind.keys.req).headers.accept;
+	return {
+		accept,
+		has: (type) => acceptsMime(type, ctx)
+	};
+});
 
 //#endregion
-//#region packages/event-http/src/utils/set-cookie.ts
-const COOKIE_NAME_RE = /^[\w!#$%&'*+\-.^`|~]+$/;
-function sanitizeCookieAttrValue(v) {
-	return v.replace(/[;\r\n]/g, "");
-}
-function renderCookie(key, data) {
-	if (!COOKIE_NAME_RE.test(key)) throw new TypeError(`Invalid cookie name "${key}"`);
-	let attrs = "";
-	for (const [a, v] of Object.entries(data.attrs)) {
-		const func = cookieAttrFunc[a];
-		if (typeof func === "function") {
-			const val = func(v);
-			attrs += val ? `; ${val}` : "";
-		} else throw new TypeError(`Unknown Set-Cookie attribute ${a}`);
+//#region packages/event-http/src/composables/header-authorization.ts
+const authTypeSlot = cached((ctx) => {
+	const authorization = ctx.get(httpKind.keys.req).headers.authorization;
+	if (authorization) {
+		const space = authorization.indexOf(" ");
+		return authorization.slice(0, space);
+	}
+	return null;
+});
+const authCredentialsSlot = cached((ctx) => {
+	const authorization = ctx.get(httpKind.keys.req).headers.authorization;
+	if (authorization) {
+		const space = authorization.indexOf(" ");
+		return authorization.slice(space + 1);
+	}
+	return null;
+});
+const basicCredentialsSlot = cached((ctx) => {
+	const authorization = ctx.get(httpKind.keys.req).headers.authorization;
+	if (authorization) {
+		const type = ctx.get(authTypeSlot);
+		if (type?.toLocaleLowerCase() === "basic") {
+			const creds = Buffer$1.from(ctx.get(authCredentialsSlot) || "", "base64").toString("ascii");
+			const [username, password] = creds.split(":");
+			return {
+				username,
+				password
+			};
+		}
 	}
-	return `${key}=${encodeURIComponent(data.value)}${attrs}`;
-}
-const cookieAttrFunc = {
-	expires: (v) => `Expires=${typeof v === "string" || typeof v === "number" ? new Date(v).toUTCString() : v.toUTCString()}`,
-	maxAge: (v) => `Max-Age=${convertTime(v, "s").toString()}`,
-	domain: (v) => `Domain=${sanitizeCookieAttrValue(String(v))}`,
-	path: (v) => `Path=${sanitizeCookieAttrValue(String(v))}`,
-	secure: (v) => v ? "Secure" : "",
-	httpOnly: (v) => v ? "HttpOnly" : "",
-	sameSite: (v) => v ? `SameSite=${typeof v === "string" ? v : "Strict"}` : ""
-};
+	return null;
+});
+const authIsSlot = cachedBy((type, ctx) => {
+	const authType = ctx.get(authTypeSlot);
+	return authType?.toLowerCase() === type.toLowerCase();
+});
+/**
+* Provides parsed access to the Authorization header (type, credentials, Basic decoding).
+* @example
+* ```ts
+* const { is, credentials, basicCredentials } = useAuthorization()
+* if (is('bearer')) { const token = credentials() }
+* ```
+*/
+const useAuthorization = defineWook((ctx) => {
+	const authorization = ctx.get(httpKind.keys.req).headers.authorization;
+	return {
+		authorization,
+		type: () => ctx.get(authTypeSlot),
+		credentials: () => ctx.get(authCredentialsSlot),
+		is: (type) => authIsSlot(type, ctx),
+		basicCredentials: () => ctx.get(basicCredentialsSlot)
+	};
+});
 
 //#endregion
 //#region packages/event-http/src/compressor/body-compressor.ts
@@ -169,26 +220,9 @@ compressors.deflate.uncompress = async (b) => (await zlib()).inflate(b);
 compressors.br.compress = async (b) => (await zlib()).brotliCompress(b);
 compressors.br.uncompress = async (b) => (await zlib()).brotliDecompress(b);
 
-//#endregion
-//#region packages/event-http/src/response/renderer.ts
-var BaseHttpResponseRenderer = class {
-	render(response) {
-		if (typeof response.body === "string" || typeof response.body === "boolean" || typeof response.body === "number") {
-			if (!response.getContentType()) response.setContentType("text/plain");
-			return response.body.toString();
-		}
-		if (response.body === void 0) return "";
-		if (response.body instanceof Uint8Array) return response.body;
-		if (typeof response.body === "object") {
-			if (!response.getContentType()) response.setContentType("application/json");
-			return JSON.stringify(response.body);
-		}
-		throw new Error(`Unsupported body format "${typeof response.body}"`);
-	}
-};
-
 //#endregion
 //#region packages/event-http/src/utils/status-codes.ts
+/** Maps numeric HTTP status codes to their human-readable descriptions. */
 const httpStatusCodes = {
 	100: "Continue",
 	101: "Switching protocols",
@@ -254,6 +288,7 @@ const httpStatusCodes = {
 	510: "Not Extended",
 	511: "Network Authentication Required"
 };
+/** Enum of all standard HTTP status codes (100–511). */
 let EHttpStatusCode = /* @__PURE__ */ function(EHttpStatusCode$1) {
 	EHttpStatusCode$1[EHttpStatusCode$1["Continue"] = 100] = "Continue";
 	EHttpStatusCode$1[EHttpStatusCode$1["SwitchingProtocols"] = 101] = "SwitchingProtocols";
@@ -322,45 +357,707 @@ let EHttpStatusCode = /* @__PURE__ */ function(EHttpStatusCode$1) {
 }({});
 
 //#endregion
-//#region packages/event-http/src/errors/403.tl.svg
-function _403_tl_default(ctx) {
-	return `<svg height="64" viewBox="0 4 100 96" fill="none" xmlns="http://www.w3.org/2000/svg" stroke="#888888" stroke-width="2">
-  <path d="M50 90.625C64.4042 87.1875 83.5751 69.8667 83.5751 48.6937V24.0854L50 9.375L16.425 24.0833V48.6937C16.425 69.8667 35.5959 87.1875 50 90.625Z" fill="#ff000050">
-    <animate attributeName="fill" dur="2s" repeatCount="indefinite"
-             values="#ff000000;#ff000050;#ff000000" />
-  </path>
+//#region packages/event-http/src/errors/http-error.ts
+/** Represents an HTTP error with a status code and optional structured body. */
+var HttpError = class extends Error {
+	name = "HttpError";
+	constructor(code = 500, _body = "") {
+		const prev = Error.stackTraceLimit;
+		Error.stackTraceLimit = 0;
+		super(typeof _body === "string" ? _body : _body.message);
+		this.code = code;
+		this._body = _body;
+		Error.stackTraceLimit = prev;
+	}
+	get body() {
+		return typeof this._body === "string" ? {
+			statusCode: this.code,
+			message: this.message,
+			error: httpStatusCodes[this.code]
+		} : {
+			...this._body,
+			statusCode: this.code,
+			message: this.message,
+			error: httpStatusCodes[this.code]
+		};
+	}
+};
 
-  <path d="M61.5395 46.0812H38.4604C37.1061 46.0812 36.0083 47.1791 36.0083 48.5333V65.075C36.0083 66.4292 37.1061 67.5271 38.4604 67.5271H61.5395C62.8938 67.5271 63.9916 66.4292 63.9916 65.075V48.5333C63.9916 47.1791 62.8938 46.0812 61.5395 46.0812Z" />
+//#endregion
+//#region packages/event-http/src/composables/request.ts
+const xForwardedFor = "x-forwarded-for";
+/** Default safety limits for request body reading (size, ratio, timeout). */
+const DEFAULT_LIMITS = {
+	maxCompressed: 1 * 1024 * 1024,
+	maxInflated: 10 * 1024 * 1024,
+	maxRatio: 100,
+	readTimeoutMs: 1e4
+};
+const contentEncodingsSlot = cached((ctx) => {
+	const req = ctx.get(httpKind.keys.req);
+	const contentEncoding = req.headers["content-encoding"];
+	return (contentEncoding || "").split(",").map((p) => p.trim()).filter((p) => !!p);
+});
+const isCompressedSlot = cached((ctx) => {
+	const parts = ctx.get(contentEncodingsSlot);
+	for (const p of parts) if ([
+		"deflate",
+		"gzip",
+		"br"
+	].includes(p)) return true;
+	return false;
+});
+/** @internal Exported for test pre-seeding via `ctx.set(rawBodySlot, ...)`. */
+const rawBodySlot = cached(async (ctx) => {
+	const req = ctx.get(httpKind.keys.req);
+	const encs = ctx.get(contentEncodingsSlot);
+	const isZip = ctx.get(isCompressedSlot);
+	const streamable = isZip && encodingSupportsStream(encs);
+	const limits = ctx.get(httpKind.keys.requestLimits);
+	const maxCompressed = limits?.maxCompressed ?? DEFAULT_LIMITS.maxCompressed;
+	const maxInflated = limits?.maxInflated ?? DEFAULT_LIMITS.maxInflated;
+	const maxRatio = limits?.maxRatio ?? DEFAULT_LIMITS.maxRatio;
+	const timeoutMs = limits?.readTimeoutMs ?? DEFAULT_LIMITS.readTimeoutMs;
+	const cl = Number(req.headers["content-length"] ?? 0);
+	const upfrontLimit = isZip ? maxCompressed : maxInflated;
+	if (cl && cl > upfrontLimit) throw new HttpError(413, "Payload Too Large");
+	for (const enc of encs) if (!compressors[enc]) throw new HttpError(415, `Unsupported Content-Encoding "${enc}"`);
+	let timer = null;
+	function resetTimer() {
+		if (timeoutMs === 0) return;
+		clearTimer();
+		timer = setTimeout(() => {
+			clearTimer();
+			req.destroy();
+		}, timeoutMs);
+	}
+	function clearTimer() {
+		if (timer) {
+			clearTimeout(timer);
+			timer = null;
+		}
+	}
+	let rawBytes = 0;
+	async function* limitedCompressed() {
+		resetTimer();
+		try {
+			for await (const chunk of req) {
+				rawBytes += chunk.length;
+				if (rawBytes > upfrontLimit) {
+					req.destroy();
+					throw new HttpError(413, "Payload Too Large");
+				}
+				resetTimer();
+				yield chunk;
+			}
+		} finally {
+			clearTimer();
+		}
+	}
+	let stream = limitedCompressed();
+	if (streamable) stream = await uncompressBodyStream(encs, stream);
+	const chunks = [];
+	let inflatedBytes = 0;
+	try {
+		for await (const chunk of stream) {
+			inflatedBytes += chunk.length;
+			if (inflatedBytes > maxInflated) throw new HttpError(413, "Inflated body too large");
+			chunks.push(chunk);
+		}
+	} catch (error) {
+		if (error instanceof HttpError) throw error;
+		throw new HttpError(408, "Request body timeout");
+	}
+	let body = Buffer$1.concat(chunks);
+	if (!streamable && isZip) {
+		body = await uncompressBody(encs, body);
+		inflatedBytes = body.byteLength;
+		if (inflatedBytes > maxInflated) throw new HttpError(413, "Inflated body too large");
+	}
+	if (isZip && rawBytes > 0 && inflatedBytes / rawBytes > maxRatio) throw new HttpError(413, "Compression ratio too high");
+	return body;
+});
+const forwardedIpSlot = cached((ctx) => {
+	const req = ctx.get(httpKind.keys.req);
+	if (typeof req.headers[xForwardedFor] === "string" && req.headers[xForwardedFor]) return req.headers[xForwardedFor].split(",").shift()?.trim();
+	return "";
+});
+const remoteIpSlot = cached((ctx) => {
+	const req = ctx.get(httpKind.keys.req);
+	return req.socket.remoteAddress || req.connection.remoteAddress || "";
+});
+const ipListSlot = cached((ctx) => {
+	const req = ctx.get(httpKind.keys.req);
+	return {
+		remoteIp: req.socket.remoteAddress || req.connection.remoteAddress || "",
+		forwarded: (req.headers[xForwardedFor] || "").split(",").map((s) => s.trim())
+	};
+});
+/**
+* Provides access to the incoming HTTP request (method, url, headers, body, IP).
+* @example
+* ```ts
+* const { method, url, raw, rawBody, getIp } = useRequest()
+* const body = await rawBody()
+* ```
+*/
+const useRequest = defineWook((ctx) => {
+	const req = ctx.get(httpKind.keys.req);
+	const limits = () => ctx.get(httpKind.keys.requestLimits);
+	const setLimit = (limitKey, value) => {
+		let obj = limits();
+		if (!obj?.perRequest) {
+			obj = {
+				...obj,
+				perRequest: true
+			};
+			ctx.set(httpKind.keys.requestLimits, obj);
+		}
+		obj[limitKey] = value;
+	};
+	const getMaxCompressed = () => limits()?.maxCompressed ?? DEFAULT_LIMITS.maxCompressed;
+	const setMaxCompressed = (limit) => setLimit("maxCompressed", limit);
+	const getMaxInflated = () => limits()?.maxInflated ?? DEFAULT_LIMITS.maxInflated;
+	const setMaxInflated = (limit) => setLimit("maxInflated", limit);
+	const getMaxRatio = () => limits()?.maxRatio ?? DEFAULT_LIMITS.maxRatio;
+	const setMaxRatio = (limit) => setLimit("maxRatio", limit);
+	const getReadTimeoutMs = () => limits()?.readTimeoutMs ?? DEFAULT_LIMITS.readTimeoutMs;
+	const setReadTimeoutMs = (limit) => setLimit("readTimeoutMs", limit);
+	function getIp(options) {
+		if (options?.trustProxy) return ctx.get(forwardedIpSlot) || ctx.get(remoteIpSlot);
+		return ctx.get(remoteIpSlot);
+	}
+	return {
+		raw: req,
+		url: req.url,
+		method: req.method,
+		headers: req.headers,
+		rawBody: () => ctx.get(rawBodySlot),
+		reqId: useEventId(ctx).getId,
+		getIp,
+		getIpList: () => ctx.get(ipListSlot),
+		isCompressed: () => ctx.get(isCompressedSlot),
+		getMaxCompressed,
+		setMaxCompressed,
+		getReadTimeoutMs,
+		setReadTimeoutMs,
+		getMaxInflated,
+		setMaxInflated,
+		getMaxRatio,
+		setMaxRatio
+	};
+});
 
-  <path d="M41.7834 46.0834V39.6813C41.7834 37.5021 42.6491 35.4121 44.1901 33.8712C45.731 32.3303 47.8209 31.4646 50.0001 31.4646C52.1793 31.4646 54.2693 32.3303 55.8102 33.8712C57.3511 35.4121 58.2168 37.5021 58.2168 39.6813V46.0813" />
-</svg>
-`;
+//#endregion
+//#region packages/event-http/src/composables/headers.ts
+/**
+* Returns the incoming request headers.
+* @example
+* ```ts
+* const { host, authorization } = useHeaders()
+* ```
+*/
+function useHeaders(ctx) {
+	return useRequest(ctx).headers;
 }
 
 //#endregion
-//#region packages/event-http/src/errors/404.tl.svg
-function _404_tl_default(ctx) {
-	return `<svg height="64" viewBox="0 20 100 64" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <defs>
-    <path id="sheet" d="M86.5 36.5V47.5H97.5V92.5H52.5V36.5H86.5ZM63 68.5H87V67.5H63V68.5ZM63 63.5H87V62.5H63V63.5ZM63 58.5H87V57.5H63V58.5ZM96.793 46.5H87.5V37.207L96.793 46.5Z" fill="#88888833" stroke="#888888aa"/>
-  </defs>
+//#region packages/event-http/src/composables/response.ts
+/**
+* Returns the HttpResponse instance for the current request.
+* All response operations (status, headers, cookies, cache control, sending)
+* are methods on the returned object.
+*
+* @example
+* ```ts
+* const response = useResponse()
+* response.status = 200
+* response.setHeader('x-custom', 'value')
+* response.setCookie('session', 'abc', { httpOnly: true })
+* ```
+*/
+function useResponse(ctx) {
+	return (ctx ?? current()).get(httpKind.keys.response);
+}
 
-  <g id="queue" transform="translate(-5 -10)">
-    <use href="#sheet" opacity="0">
-      <animateTransform attributeName="transform" type="translate"
-                        dur="3s" repeatCount="indefinite"
-                        keyTimes="0;0.1;0.32;0.42;1"
-                        values="30 0; -20 0; -20 0; -70 0; -70 0" />
-      <animate attributeName="opacity"
-               dur="3s" repeatCount="indefinite"
-                        keyTimes="0;0.1;0.32;0.42;1"
-               values="0;1;1;0;0" />
-    </use>
+//#endregion
+//#region packages/event-http/src/utils/url-search-params.ts
+const ILLEGAL_KEYS = new Set([
+	"__proto__",
+	"constructor",
+	"prototype"
+]);
+/**
+* Extended `URLSearchParams` with safe JSON conversion.
+*
+* Rejects prototype-pollution keys (`__proto__`, `constructor`, `prototype`) and duplicate non-array keys.
+* Array parameters are detected by a trailing `[]` in the key name (e.g. `tags[]=a&tags[]=b`).
+*/
+var WooksURLSearchParams = class extends URLSearchParams {
+	/** Converts query parameters to a plain object. Array params (keys ending with `[]`) become `string[]`. */
+	toJson() {
+		const json = Object.create(null);
+		for (const [key, value] of this.entries()) if (isArrayParam(key)) {
+			const a = json[key] = json[key] || [];
+			a.push(value);
+		} else {
+			if (ILLEGAL_KEYS.has(key)) throw new HttpError(400, `Illegal key name "${key}"`);
+			if (key in json) throw new HttpError(400, `Duplicate key "${key}"`);
+			json[key] = value;
+		}
+		return json;
+	}
+};
+function isArrayParam(name) {
+	return name.endsWith("[]");
+}
 
-    <use href="#sheet" opacity="0">
-      <animateTransform attributeName="transform" type="translate"
-                        dur="3s" begin="1s" repeatCount="indefinite"
-                        keyTimes="0;0.1;0.32;0.42;1"
+//#endregion
+//#region packages/event-http/src/composables/search-params.ts
+const rawSearchParamsSlot = cached((ctx) => {
+	const url = ctx.get(httpKind.keys.req).url || "";
+	const i = url.indexOf("?");
+	return i >= 0 ? url.slice(i) : "";
+});
+const urlSearchParamsSlot = cached((ctx) => new WooksURLSearchParams(ctx.get(rawSearchParamsSlot)));
+/**
+* Provides access to URL search (query) parameters from the request.
+* @example
+* ```ts
+* const { params, toJson } = useUrlParams()
+* const page = params().get('page')
+* ```
+*/
+const useUrlParams = defineWook((ctx) => ({
+	raw: () => ctx.get(rawSearchParamsSlot),
+	params: () => ctx.get(urlSearchParamsSlot),
+	toJson: () => ctx.get(urlSearchParamsSlot).toJson()
+}));
+
+//#endregion
+//#region packages/event-http/src/utils/time.ts
+function convertTime(time, unit = "ms") {
+	if (typeof time === "number") return time / units[unit];
+	const rg = /(\d+)(\w+)/gu;
+	let t = 0;
+	let r;
+	while (r = rg.exec(time)) t += Number(r[1]) * (units[r[2]] || 0);
+	return t / units[unit];
+}
+const units = {
+	ms: 1,
+	s: 1e3,
+	m: 1e3 * 60,
+	h: 1e3 * 60 * 60,
+	d: 1e3 * 60 * 60 * 24,
+	w: 1e3 * 60 * 60 * 24 * 7,
+	M: 1e3 * 60 * 60 * 24 * 30,
+	Y: 1e3 * 60 * 60 * 24 * 365
+};
+
+//#endregion
+//#region packages/event-http/src/utils/cache-control.ts
+/** Renders a `TCacheControl` object into a `Cache-Control` header string. */
+function renderCacheControl(data) {
+	let attrs = "";
+	for (const [a, v] of Object.entries(data)) {
+		if (v === void 0) continue;
+		const func = cacheControlFunc[a];
+		if (typeof func === "function") {
+			const val = func(v);
+			if (val) attrs += attrs ? `, ${val}` : val;
+		} else throw new TypeError(`Unknown Cache-Control attribute ${a}`);
+	}
+	return attrs;
+}
+const cacheControlFunc = {
+	mustRevalidate: (v) => v ? "must-revalidate" : "",
+	noCache: (v) => v ? typeof v === "string" ? `no-cache="${v}"` : "no-cache" : "",
+	noStore: (v) => v ? "no-store" : "",
+	noTransform: (v) => v ? "no-transform" : "",
+	public: (v) => v ? "public" : "",
+	private: (v) => v ? typeof v === "string" ? `private="${v}"` : "private" : "",
+	proxyRevalidate: (v) => v ? "proxy-revalidate" : "",
+	maxAge: (v) => `max-age=${convertTime(v, "s").toString()}`,
+	sMaxage: (v) => `s-maxage=${convertTime(v, "s").toString()}`
+};
+
+//#endregion
+//#region packages/event-http/src/utils/set-cookie.ts
+const COOKIE_NAME_RE = /^[\w!#$%&'*+\-.^`|~]+$/;
+function sanitizeCookieAttrValue(v) {
+	return v.replace(/[;\r\n]/g, "");
+}
+function renderCookie(key, data) {
+	if (!COOKIE_NAME_RE.test(key)) throw new TypeError(`Invalid cookie name "${key}"`);
+	let attrs = "";
+	for (const [a, v] of Object.entries(data.attrs)) {
+		const func = cookieAttrFunc[a];
+		if (typeof func === "function") {
+			const val = func(v);
+			attrs += val ? `; ${val}` : "";
+		} else throw new TypeError(`Unknown Set-Cookie attribute ${a}`);
+	}
+	return `${key}=${encodeURIComponent(data.value)}${attrs}`;
+}
+const cookieAttrFunc = {
+	expires: (v) => `Expires=${typeof v === "string" || typeof v === "number" ? new Date(v).toUTCString() : v.toUTCString()}`,
+	maxAge: (v) => `Max-Age=${convertTime(v, "s").toString()}`,
+	domain: (v) => `Domain=${sanitizeCookieAttrValue(String(v))}`,
+	path: (v) => `Path=${sanitizeCookieAttrValue(String(v))}`,
+	secure: (v) => v ? "Secure" : "",
+	httpOnly: (v) => v ? "HttpOnly" : "",
+	sameSite: (v) => v ? `SameSite=${typeof v === "string" ? v : "Strict"}` : ""
+};
+
+//#endregion
+//#region packages/event-http/src/response/http-response.ts
+const hasFetchResponse = typeof globalThis.Response === "function";
+const defaultStatus = {
+	GET: EHttpStatusCode.OK,
+	POST: EHttpStatusCode.Created,
+	PUT: EHttpStatusCode.Created,
+	PATCH: EHttpStatusCode.Accepted,
+	DELETE: EHttpStatusCode.Accepted
+};
+/**
+* Manages response status, headers, cookies, cache control, and body for an HTTP request.
+*
+* All header mutations are accumulated in memory and flushed in a single `writeHead()` call
+* when `send()` is invoked. Setter methods are chainable.
+*
+* @example
+* ```ts
+* const response = useResponse()
+* response.setStatus(200).setHeader('x-custom', 'value')
+* response.setCookie('session', 'abc', { httpOnly: true })
+* ```
+*/
+var HttpResponse = class {
+	/**
+	* @param _res - The underlying Node.js `ServerResponse`.
+	* @param _req - The underlying Node.js `IncomingMessage`.
+	* @param _logger - Logger instance for error reporting.
+	* @param defaultHeaders - Optional headers to pre-populate on this response (e.g. from `securityHeaders()`).
+	*/
+	constructor(_res, _req, _logger, defaultHeaders) {
+		this._res = _res;
+		this._req = _req;
+		this._logger = _logger;
+		if (defaultHeaders) for (const key in defaultHeaders) this._headers[key] = defaultHeaders[key];
+	}
+	_status = 0;
+	_body = void 0;
+	_headers = {};
+	_cookies = {};
+	_rawCookies = [];
+	_hasCookies = false;
+	_responded = false;
+	/** The HTTP status code. If not set, it is inferred automatically when `send()` is called. */
+	get status() {
+		return this._status;
+	}
+	set status(value) {
+		this._status = value;
+	}
+	/** Sets the HTTP status code (chainable). */
+	setStatus(value) {
+		this._status = value;
+		return this;
+	}
+	/** The response body. Automatically serialized by `send()` (objects → JSON, strings → text). */
+	get body() {
+		return this._body;
+	}
+	set body(value) {
+		this._body = value;
+	}
+	/** Sets the response body (chainable). */
+	setBody(value) {
+		this._body = value;
+		return this;
+	}
+	/** Sets a single response header (chainable). Arrays produce multi-value headers. */
+	setHeader(name, value) {
+		this._headers[name] = Array.isArray(value) ? value : value.toString();
+		return this;
+	}
+	/** Batch-sets multiple response headers from a record (chainable). Existing keys are overwritten. */
+	setHeaders(headers) {
+		for (const key in headers) this._headers[key] = headers[key];
+		return this;
+	}
+	/** Returns the value of a response header, or `undefined` if not set. */
+	getHeader(name) {
+		return this._headers[name];
+	}
+	/** Removes a response header (chainable). */
+	removeHeader(name) {
+		delete this._headers[name];
+		return this;
+	}
+	/** Returns a read-only snapshot of all response headers. */
+	headers() {
+		return this._headers;
+	}
+	/** Sets the `Content-Type` response header (chainable). */
+	setContentType(value) {
+		this._headers["content-type"] = value;
+		return this;
+	}
+	/** Returns the current `Content-Type` header value. */
+	getContentType() {
+		return this._headers["content-type"];
+	}
+	/** Sets the `Access-Control-Allow-Origin` header (chainable). Defaults to `'*'`. */
+	enableCors(origin = "*") {
+		this._headers["access-control-allow-origin"] = origin;
+		return this;
+	}
+	/** Sets an outgoing `Set-Cookie` header with optional attributes (chainable). */
+	setCookie(name, value, attrs) {
+		this._cookies[name] = {
+			value,
+			attrs: attrs || {}
+		};
+		this._hasCookies = true;
+		return this;
+	}
+	/** Returns a previously set cookie's data, or `undefined` if not set. */
+	getCookie(name) {
+		return this._cookies[name];
+	}
+	/** Removes a cookie from the outgoing set list (chainable). */
+	removeCookie(name) {
+		delete this._cookies[name];
+		return this;
+	}
+	/** Removes all outgoing cookies (chainable). */
+	clearCookies() {
+		this._cookies = {};
+		this._rawCookies = [];
+		this._hasCookies = false;
+		return this;
+	}
+	/** Appends a raw `Set-Cookie` header string (chainable). Use when you need full control over the cookie format. */
+	setCookieRaw(rawValue) {
+		this._rawCookies.push(rawValue);
+		this._hasCookies = true;
+		return this;
+	}
+	/** Sets the `Cache-Control` header from a directive object (chainable). */
+	setCacheControl(data) {
+		this._headers["cache-control"] = renderCacheControl(data);
+		return this;
+	}
+	/** Sets the `Age` header in seconds (chainable). Accepts a number or time string (e.g. `'2h 15m'`). */
+	setAge(value) {
+		this._headers.age = convertTime(value, "s").toString();
+		return this;
+	}
+	/** Sets the `Expires` header (chainable). Accepts a `Date`, date string, or timestamp. */
+	setExpires(value) {
+		this._headers.expires = typeof value === "string" || typeof value === "number" ? new Date(value).toUTCString() : value.toUTCString();
+		return this;
+	}
+	/** Sets or clears the `Pragma: no-cache` header (chainable). */
+	setPragmaNoCache(value = true) {
+		this._headers.pragma = value ? "no-cache" : "";
+		return this;
+	}
+	/**
+	* Returns the underlying Node.js `ServerResponse`.
+	* @param passthrough - If `true`, the framework still manages the response lifecycle. If `false` (default), the response is marked as "responded" and the framework will not touch it.
+	*/
+	getRawRes(passthrough) {
+		if (!passthrough) this._responded = true;
+		return this._res;
+	}
+	/** Whether the response has already been sent (or the underlying stream is no longer writable). */
+	get responded() {
+		return this._responded || !this._res.writable || this._res.writableEnded;
+	}
+	renderBody() {
+		const body = this._body;
+		if (body === void 0 || body === null) return "";
+		if (typeof body === "string") {
+			if (!this._headers["content-type"]) this._headers["content-type"] = "text/plain";
+			return body;
+		}
+		if (typeof body === "boolean" || typeof body === "number") {
+			if (!this._headers["content-type"]) this._headers["content-type"] = "text/plain";
+			return body.toString();
+		}
+		if (body instanceof Uint8Array) return body;
+		if (typeof body === "object") {
+			if (!this._headers["content-type"]) this._headers["content-type"] = "application/json";
+			return JSON.stringify(body);
+		}
+		throw new Error(`Unsupported body format "${typeof body}"`);
+	}
+	renderError(data, _ctx) {
+		this._status = data.statusCode || 500;
+		this._headers["content-type"] = "application/json";
+		this._body = JSON.stringify(data);
+	}
+	/** Renders and sends an HTTP error response. Called automatically by the framework when a handler throws an `HttpError`. */
+	sendError(error, ctx) {
+		const data = error.body;
+		this.renderError(data, ctx);
+		return this.send();
+	}
+	/**
+	* Finalizes and sends the response.
+	*
+	* Flushes all accumulated headers (including cookies) in a single `writeHead()` call,
+	* then writes the body. Supports `Readable` streams, `fetch` `Response` objects, and regular values.
+	*
+	* @throws Error if the response was already sent.
+	*/
+	send() {
+		if (this._responded) {
+			const err = /* @__PURE__ */ new Error("The response was already sent.");
+			this._logger.error(err.message, err);
+			throw err;
+		}
+		this._responded = true;
+		this.finalizeCookies();
+		const body = this._body;
+		const method = this._req.method;
+		if (body instanceof Readable$1) return this.sendStream(body, method);
+		if (hasFetchResponse && body instanceof Response) return this.sendFetchResponse(body, method);
+		this.sendRegular(method);
+	}
+	finalizeCookies() {
+		if (!this._hasCookies) return;
+		const entries = Object.entries(this._cookies);
+		const rendered = [];
+		for (const [name, data] of entries) if (data) rendered.push(renderCookie(name, data));
+		if (this._rawCookies.length > 0) rendered.push(...this._rawCookies);
+		if (rendered.length > 0) {
+			const existing = this._headers["set-cookie"];
+			if (existing) this._headers["set-cookie"] = [...Array.isArray(existing) ? existing : [existing], ...rendered];
+			else this._headers["set-cookie"] = rendered;
+		}
+	}
+	autoStatus(hasBody) {
+		if (this._status) return;
+		if (!hasBody) {
+			this._status = EHttpStatusCode.NoContent;
+			return;
+		}
+		this._status = defaultStatus[this._req.method] || EHttpStatusCode.OK;
+	}
+	sendStream(stream, method) {
+		this.autoStatus(true);
+		this._res.writeHead(this._status, this._headers);
+		this._req.once("close", () => {
+			stream.destroy();
+		});
+		if (method === "HEAD") {
+			stream.destroy();
+			this._res.end();
+			return Promise.resolve();
+		}
+		return new Promise((resolve, reject) => {
+			stream.on("error", (e) => {
+				this._logger.error("Stream error", e);
+				stream.destroy();
+				this._res.end();
+				reject(e);
+			});
+			stream.on("close", () => {
+				stream.destroy();
+				resolve();
+			});
+			stream.pipe(this._res);
+		});
+	}
+	async sendFetchResponse(fetchResponse, method) {
+		this._status = this._status || fetchResponse.status;
+		const fetchContentLength = fetchResponse.headers.get("content-length");
+		if (fetchContentLength) this._headers["content-length"] = fetchContentLength;
+		const fetchContentType = fetchResponse.headers.get("content-type");
+		if (fetchContentType) this._headers["content-type"] = fetchContentType;
+		this._res.writeHead(this._status, this._headers);
+		if (method === "HEAD") {
+			this._res.end();
+			return;
+		}
+		const fetchBody = fetchResponse.body;
+		if (fetchBody) try {
+			for await (const chunk of fetchBody) this._res.write(chunk);
+		} catch (error) {
+			this._logger.error("Error streaming fetch response body", error);
+		}
+		if (!this._res.writableEnded) this._res.end();
+	}
+	sendRegular(method) {
+		const renderedBody = this.renderBody();
+		this.autoStatus(!!renderedBody);
+		const contentLength = typeof renderedBody === "string" ? Buffer.byteLength(renderedBody) : renderedBody.byteLength;
+		this._headers["content-length"] = contentLength.toString();
+		this._res.writeHead(this._status, this._headers).end(method === "HEAD" ? "" : renderedBody);
+	}
+};
+
+//#endregion
+//#region packages/event-http/src/event-http.ts
+/** Creates an async event context for an incoming HTTP request/response pair. */
+function createHttpContext(data, options, ResponseClass = HttpResponse) {
+	const ctx = new EventContext(options);
+	const response = new ResponseClass(data.res, data.req, ctx.logger);
+	return (fn) => run(ctx, () => ctx.seed(httpKind, {
+		req: data.req,
+		response,
+		requestLimits: data.requestLimits
+	}, fn));
+}
+/** Returns the current HTTP event context. */
+function useHttpContext(ctx) {
+	return ctx ?? current();
+}
+
+//#endregion
+//#region packages/event-http/src/errors/403.tl.svg
+function _403_tl_default(ctx) {
+	return `<svg height="64" viewBox="0 4 100 96" fill="none" xmlns="http://www.w3.org/2000/svg" stroke="#888888" stroke-width="2">
+  <path d="M50 90.625C64.4042 87.1875 83.5751 69.8667 83.5751 48.6937V24.0854L50 9.375L16.425 24.0833V48.6937C16.425 69.8667 35.5959 87.1875 50 90.625Z" fill="#ff000050">
+    <animate attributeName="fill" dur="2s" repeatCount="indefinite"
+             values="#ff000000;#ff000050;#ff000000" />
+  </path>
+
+  <path d="M61.5395 46.0812H38.4604C37.1061 46.0812 36.0083 47.1791 36.0083 48.5333V65.075C36.0083 66.4292 37.1061 67.5271 38.4604 67.5271H61.5395C62.8938 67.5271 63.9916 66.4292 63.9916 65.075V48.5333C63.9916 47.1791 62.8938 46.0812 61.5395 46.0812Z" />
+
+  <path d="M41.7834 46.0834V39.6813C41.7834 37.5021 42.6491 35.4121 44.1901 33.8712C45.731 32.3303 47.8209 31.4646 50.0001 31.4646C52.1793 31.4646 54.2693 32.3303 55.8102 33.8712C57.3511 35.4121 58.2168 37.5021 58.2168 39.6813V46.0813" />
+</svg>
+`;
+}
+
+//#endregion
+//#region packages/event-http/src/errors/404.tl.svg
+function _404_tl_default(ctx) {
+	return `<svg height="64" viewBox="0 20 100 64" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <defs>
+    <path id="sheet" d="M86.5 36.5V47.5H97.5V92.5H52.5V36.5H86.5ZM63 68.5H87V67.5H63V68.5ZM63 63.5H87V62.5H63V63.5ZM63 58.5H87V57.5H63V58.5ZM96.793 46.5H87.5V37.207L96.793 46.5Z" fill="#88888833" stroke="#888888aa"/>
+  </defs>
+
+  <g id="queue" transform="translate(-5 -10)">
+    <use href="#sheet" opacity="0">
+      <animateTransform attributeName="transform" type="translate"
+                        dur="3s" repeatCount="indefinite"
+                        keyTimes="0;0.1;0.32;0.42;1"
+                        values="30 0; -20 0; -20 0; -70 0; -70 0" />
+      <animate attributeName="opacity"
+               dur="3s" repeatCount="indefinite"
+                        keyTimes="0;0.1;0.32;0.42;1"
+               values="0;1;1;0;0" />
+    </use>
+
+    <use href="#sheet" opacity="0">
+      <animateTransform attributeName="transform" type="translate"
+                        dur="3s" begin="1s" repeatCount="indefinite"
+                        keyTimes="0;0.1;0.32;0.42;1"
                         values="30 0; -20 0; -20 0; -70 0; -70 0" />
       <animate attributeName="opacity"
                dur="3s" begin="1s" repeatCount="indefinite"
@@ -672,799 +1369,90 @@ function error_tl_default(ctx) {
 }
 
 //#endregion
-//#region packages/event-http/src/errors/error-renderer.ts
+//#region packages/event-http/src/response/wooks-http-response.ts
 let framework = {
-	version: "0.6.5",
-	poweredBy: `wooksjs`,
-	link: `https://wooks.moost.org/`,
-	image: `https://wooks.moost.org/wooks-full-logo.png`
+	version: "0.7.0",
+	poweredBy: "wooksjs",
+	link: "https://wooks.moost.org/",
+	image: "https://wooks.moost.org/wooks-full-logo.png"
 };
-/** Renders HTTP error responses in HTML, JSON, or plain text based on the Accept header. */
-var HttpErrorRenderer = class extends BaseHttpResponseRenderer {
-	constructor(opts) {
-		super();
-		this.opts = opts;
-	}
-	icons = {
-		401: typeof _403_tl_default === "function" ? _403_tl_default({}) : "",
-		403: typeof _403_tl_default === "function" ? _403_tl_default({}) : "",
-		404: typeof _404_tl_default === "function" ? _404_tl_default({}) : "",
-		500: typeof _500_tl_default === "function" ? _500_tl_default({}) : ""
-	};
+const icons = {
+	401: typeof _403_tl_default === "function" ? _403_tl_default({}) : "",
+	403: typeof _403_tl_default === "function" ? _403_tl_default({}) : "",
+	404: typeof _404_tl_default === "function" ? _404_tl_default({}) : "",
+	500: typeof _500_tl_default === "function" ? _500_tl_default({}) : ""
+};
+/**
+* Default `HttpResponse` subclass used by `createHttpApp`.
+*
+* Overrides error rendering to produce content-negotiated responses (JSON, HTML, or plain text)
+* based on the request's `Accept` header. HTML error pages include SVG icons and framework branding.
+*/
+var WooksHttpResponse = class extends HttpResponse {
+	/** Registers framework metadata (name, version, link, logo) used in HTML error pages. */
 	static registerFramework(opts) {
 		framework = opts;
 	}
-	renderHtml(response) {
-		const data = response.body || {};
-		response.setContentType("text/html");
-		const hasDetails = Object.keys(data).length > 3;
-		const icon = data.statusCode >= 500 ? this.icons[500] : this.icons[data.statusCode] || "";
-		return typeof error_tl_default === "function" ? error_tl_default({
-			icon,
-			statusCode: data.statusCode,
-			statusMessage: httpStatusCodes[data.statusCode],
-			message: data.message,
-			details: hasDetails ? JSON.stringify(data, null, "  ") : "",
-			version: (this.opts || framework).version,
-			poweredBy: (this.opts || framework).poweredBy,
-			link: (this.opts || framework).link,
-			image: (this.opts || framework).image
-		}) : JSON.stringify(data, null, "  ");
-	}
-	renderText(response) {
-		const data = response.body || {};
-		response.setContentType("text/plain");
-		const keys = Object.keys(data).filter((key) => ![
-			"statusCode",
-			"error",
-			"message"
-		].includes(key));
-		return `${data.statusCode} ${httpStatusCodes[data.statusCode]}\n${data.message}\n\n${keys.length > 0 ? `${JSON.stringify({
-			...data,
-			statusCode: void 0,
-			message: void 0,
-			error: void 0
-		}, null, "  ")}` : ""}`;
-	}
-	renderJson(response) {
-		response.setContentType("application/json");
-		return JSON.stringify(response.body || {});
-	}
-	render(response) {
-		const { acceptsJson, acceptsText, acceptsHtml } = useAccept();
-		response.status = response.body?.statusCode || 500;
-		if (acceptsJson()) return this.renderJson(response);
-		else if (acceptsHtml()) return this.renderHtml(response);
-		else if (acceptsText()) return this.renderText(response);
-		else return this.renderJson(response);
+	renderError(data, ctx) {
+		this._status = data.statusCode || 500;
+		const { has } = useAccept(ctx);
+		if (has("json")) {
+			this._headers["content-type"] = "application/json";
+			this._body = JSON.stringify(data);
+		} else if (has("html")) {
+			this._headers["content-type"] = "text/html";
+			this._body = renderErrorHtml(data);
+		} else if (has("text")) {
+			this._headers["content-type"] = "text/plain";
+			this._body = renderErrorText(data);
+		} else {
+			this._headers["content-type"] = "application/json";
+			this._body = JSON.stringify(data);
+		}
 	}
 };
-
-//#endregion
-//#region packages/event-http/src/errors/http-error.ts
-/** Represents an HTTP error with a status code and optional structured body. */
-var HttpError = class extends Error {
-	name = "HttpError";
-	constructor(code = 500, _body = "") {
-		super(typeof _body === "string" ? _body : _body.message);
-		this.code = code;
-		this._body = _body;
-	}
-	get body() {
-		return typeof this._body === "string" ? {
-			statusCode: this.code,
-			message: this.message,
-			error: httpStatusCodes[this.code]
-		} : {
-			...this._body,
-			statusCode: this.code,
-			message: this.message,
-			error: httpStatusCodes[this.code]
-		};
-	}
-	renderer;
-	attachRenderer(renderer) {
-		this.renderer = renderer;
-	}
-	getRenderer() {
-		return this.renderer;
-	}
-};
-
-//#endregion
-//#region packages/event-http/src/composables/request.ts
-const xForwardedFor = "x-forwarded-for";
-/** Default safety limits for request body reading (size, ratio, timeout). */
-const DEFAULT_LIMITS = {
-	maxCompressed: 1 * 1024 * 1024,
-	maxInflated: 10 * 1024 * 1024,
-	maxRatio: 100,
-	readTimeoutMs: 1e4
-};
-/**
-* Provides access to the incoming HTTP request (method, url, headers, body, IP).
-* @example
-* ```ts
-* const { method, url, rawBody, getIp } = useRequest()
-* const body = await rawBody()
-* ```
-*/
-function useRequest() {
-	const { store } = useHttpContext();
-	const { init } = store("request");
-	const event = store("event");
-	const req = event.get("req");
-	const contentEncoding = req.headers["content-encoding"];
-	const contentEncodings = () => init("contentEncodings", () => (contentEncoding || "").split(",").map((p) => p.trim()).filter((p) => !!p));
-	const isCompressed = () => init("isCompressed", () => {
-		const parts = contentEncodings();
-		for (const p of parts) if ([
-			"deflate",
-			"gzip",
-			"br"
-		].includes(p)) return true;
-		return false;
-	});
-	const limits = () => event.get("requestLimits");
-	const setLimit = (key, value) => {
-		let obj = limits();
-		if (!obj?.perRequest) {
-			obj = {
-				...obj,
-				perRequest: true
-			};
-			event.set("requestLimits", obj);
-		}
-		obj[key] = value;
-	};
-	const getMaxCompressed = () => limits()?.maxCompressed ?? DEFAULT_LIMITS.maxCompressed;
-	const setMaxCompressed = (limit) => setLimit("maxCompressed", limit);
-	const getMaxInflated = () => limits()?.maxInflated ?? DEFAULT_LIMITS.maxInflated;
-	const setMaxInflated = (limit) => setLimit("maxInflated", limit);
-	const getMaxRatio = () => limits()?.maxRatio ?? DEFAULT_LIMITS.maxRatio;
-	const setMaxRatio = (limit) => setLimit("maxRatio", limit);
-	const getReadTimeoutMs = () => limits()?.readTimeoutMs ?? DEFAULT_LIMITS.readTimeoutMs;
-	const setReadTimeoutMs = (limit) => setLimit("readTimeoutMs", limit);
-	const rawBody = () => init("rawBody", async () => {
-		const encs = contentEncodings();
-		const isZip = isCompressed();
-		const streamable = isZip && encodingSupportsStream(encs);
-		const maxCompressed = getMaxCompressed();
-		const maxInflated = getMaxInflated();
-		const maxRatio = getMaxRatio();
-		const timeoutMs = getReadTimeoutMs();
-		const cl = Number(req.headers["content-length"] ?? 0);
-		const upfrontLimit = isZip ? maxCompressed : maxInflated;
-		if (cl && cl > upfrontLimit) throw new HttpError(413, "Payload Too Large");
-		for (const enc of encs) if (!compressors[enc]) throw new HttpError(415, `Unsupported Content-Encoding "${enc}"`);
-		let timer = null;
-		function resetTimer() {
-			if (timeoutMs === 0) return;
-			clearTimer();
-			timer = setTimeout(() => {
-				clearTimer();
-				req.destroy();
-			}, timeoutMs);
-		}
-		function clearTimer() {
-			if (timer) {
-				clearTimeout(timer);
-				timer = null;
-			}
-		}
-		let rawBytes = 0;
-		async function* limitedCompressed() {
-			resetTimer();
-			try {
-				for await (const chunk of req) {
-					rawBytes += chunk.length;
-					if (rawBytes > upfrontLimit) {
-						req.destroy();
-						throw new HttpError(413, "Payload Too Large");
-					}
-					resetTimer();
-					yield chunk;
-				}
-			} finally {
-				clearTimer();
-			}
-		}
-		let stream = limitedCompressed();
-		if (streamable) stream = await uncompressBodyStream(encs, stream);
-		const chunks = [];
-		let inflatedBytes = 0;
-		try {
-			for await (const chunk of stream) {
-				inflatedBytes += chunk.length;
-				if (inflatedBytes > maxInflated) throw new HttpError(413, "Inflated body too large");
-				chunks.push(chunk);
-			}
-		} catch (error) {
-			if (error instanceof HttpError) throw error;
-			throw new HttpError(408, "Request body timeout");
-		}
-		let body = Buffer$1.concat(chunks);
-		if (!streamable && isZip) {
-			body = await uncompressBody(encs, body);
-			inflatedBytes = body.byteLength;
-			if (inflatedBytes > maxInflated) throw new HttpError(413, "Inflated body too large");
-		}
-		if (isZip && rawBytes > 0 && inflatedBytes / rawBytes > maxRatio) throw new HttpError(413, "Compression ratio too high");
-		return body;
-	});
-	const reqId = useEventId().getId;
-	const forwardedIp = () => init("forwardedIp", () => {
-		if (typeof req.headers[xForwardedFor] === "string" && req.headers[xForwardedFor]) return req.headers[xForwardedFor].split(",").shift()?.trim();
-		else return "";
-	});
-	const remoteIp = () => init("remoteIp", () => req.socket.remoteAddress || req.connection.remoteAddress || "");
-	function getIp(options) {
-		if (options?.trustProxy) return forwardedIp() || getIp();
-		else return remoteIp();
-	}
-	const getIpList = () => init("ipList", () => ({
-		remoteIp: req.socket.remoteAddress || req.connection.remoteAddress || "",
-		forwarded: (req.headers[xForwardedFor] || "").split(",").map((s) => s.trim())
-	}));
-	return {
-		rawRequest: req,
-		url: req.url,
-		method: req.method,
-		headers: req.headers,
-		rawBody,
-		reqId,
-		getIp,
-		getIpList,
-		isCompressed,
-		getMaxCompressed,
-		setMaxCompressed,
-		getReadTimeoutMs,
-		setReadTimeoutMs,
-		getMaxInflated,
-		setMaxInflated,
-		getMaxRatio,
-		setMaxRatio
-	};
-}
-
-//#endregion
-//#region packages/event-http/src/composables/headers.ts
-/**
-* Returns the incoming request headers.
-* @example
-* ```ts
-* const { host, authorization } = useHeaders()
-* ```
-*/
-function useHeaders() {
-	return useRequest().headers;
-}
-/**
-* Provides methods to set, get, and remove outgoing response headers.
-* @example
-* ```ts
-* const { setHeader, setContentType, enableCors } = useSetHeaders()
-* setHeader('x-request-id', '123')
-* ```
-*/
-function useSetHeaders() {
-	const { store } = useHttpContext();
-	const setHeaderStore = store("setHeader");
-	function setHeader(name, value) {
-		setHeaderStore.set(name, value.toString());
-	}
-	function setContentType(value) {
-		setHeader("content-type", value);
-	}
-	function enableCors(origin = "*") {
-		setHeader("access-control-allow-origin", origin);
-	}
-	return {
-		setHeader,
-		getHeader: setHeaderStore.get,
-		removeHeader: setHeaderStore.del,
-		setContentType,
-		headers: () => setHeaderStore.value || {},
-		enableCors
-	};
-}
-/** Returns a hookable accessor for a single outgoing response header by name. */
-function useSetHeader(name) {
-	const { store } = useHttpContext();
-	const { hook } = store("setHeader");
-	return hook(name);
-}
-
-//#endregion
-//#region packages/event-http/src/composables/cookies.ts
-const cookieRegExpCache = /* @__PURE__ */ new Map();
-function getCookieRegExp(name) {
-	let re = cookieRegExpCache.get(name);
-	if (!re) {
-		re = new RegExp(`(?:^|; )${escapeRegex(name)}=(.*?)(?:;?$|; )`, "i");
-		cookieRegExpCache.set(name, re);
-	}
-	return re;
-}
-/**
-* Provides access to parsed request cookies.
-* @example
-* ```ts
-* const { getCookie, rawCookies } = useCookies()
-* const sessionId = getCookie('session_id')
-* ```
-*/
-function useCookies() {
-	const { store } = useHttpContext();
-	const { cookie } = useHeaders();
-	const { init } = store("cookies");
-	const getCookie = (name) => init(name, () => {
-		if (cookie) {
-			const result = getCookieRegExp(name).exec(cookie);
-			return result?.[1] ? safeDecodeURIComponent(result[1]) : null;
-		} else return null;
-	});
-	return {
-		rawCookies: cookie,
-		getCookie
-	};
-}
-/** Provides methods to set, get, remove, and clear outgoing response cookies. */
-function useSetCookies() {
-	const { store } = useHttpContext();
-	const cookiesStore = store("setCookies");
-	function setCookie(name, value, attrs) {
-		cookiesStore.set(name, {
-			value,
-			attrs: attrs || {}
-		});
-	}
-	function cookies() {
-		const entries = cookiesStore.entries();
-		if (entries.length === 0) return [];
-		return entries.filter((a) => !!a[1]).map(([key, value]) => renderCookie(key, value));
-	}
-	return {
-		setCookie,
-		getCookie: cookiesStore.get,
-		removeCookie: cookiesStore.del,
-		clearCookies: cookiesStore.clear,
-		cookies
-	};
-}
-/** Returns a hookable accessor for a single outgoing cookie by name. */
-function useSetCookie(name) {
-	const { setCookie, getCookie } = useSetCookies();
-	const valueHook = attachHook({
-		name,
-		type: "cookie"
-	}, {
-		get: () => getCookie(name)?.value,
-		set: (value) => {
-			setCookie(name, value, getCookie(name)?.attrs);
-		}
-	});
-	return attachHook(valueHook, {
-		get: () => getCookie(name)?.attrs,
-		set: (attrs) => {
-			setCookie(name, getCookie(name)?.value || "", attrs);
-		}
-	}, "attrs");
-}
-
-//#endregion
-//#region packages/event-http/src/composables/header-accept.ts
-/** Provides helpers to check the request's Accept header for supported MIME types. */
-function useAccept() {
-	const { store } = useHttpContext();
-	const { accept } = useHeaders();
-	const accepts = (mime) => {
-		const { set, get, has } = store("accept");
-		if (!has(mime)) return set(mime, !!(accept && (accept === "*/*" || accept.includes(mime))));
-		return get(mime);
-	};
-	return {
-		accept,
-		accepts,
-		acceptsJson: () => accepts("application/json"),
-		acceptsXml: () => accepts("application/xml"),
-		acceptsText: () => accepts("text/plain"),
-		acceptsHtml: () => accepts("text/html")
-	};
-}
-
-//#endregion
-//#region packages/event-http/src/composables/header-authorization.ts
-/**
-* Provides parsed access to the Authorization header (type, credentials, Basic decoding).
-* @example
-* ```ts
-* const { isBearer, authRawCredentials, basicCredentials } = useAuthorization()
-* if (isBearer()) { const token = authRawCredentials() }
-* ```
-*/
-function useAuthorization() {
-	const { store } = useHttpContext();
-	const { authorization } = useHeaders();
-	const { init } = store("authorization");
-	const authType = () => init("type", () => {
-		if (authorization) {
-			const space = authorization.indexOf(" ");
-			return authorization.slice(0, space);
-		}
-		return null;
-	});
-	const authRawCredentials = () => init("credentials", () => {
-		if (authorization) {
-			const space = authorization.indexOf(" ");
-			return authorization.slice(space + 1);
-		}
-		return null;
-	});
-	return {
-		authorization,
-		authType,
-		authRawCredentials,
-		isBasic: () => authType()?.toLocaleLowerCase() === "basic",
-		isBearer: () => authType()?.toLocaleLowerCase() === "bearer",
-		basicCredentials: () => init("basicCredentials", () => {
-			if (authorization) {
-				const type = authType();
-				if (type?.toLocaleLowerCase() === "basic") {
-					const creds = Buffer$1.from(authRawCredentials() || "", "base64").toString("ascii");
-					const [username, password] = creds.split(":");
-					return {
-						username,
-						password
-					};
-				}
-			}
-			return null;
-		})
-	};
-}
-
-//#endregion
-//#region packages/event-http/src/utils/cache-control.ts
-function renderCacheControl(data) {
-	let attrs = "";
-	for (const [a, v] of Object.entries(data)) {
-		if (v === void 0) continue;
-		const func = cacheControlFunc[a];
-		if (typeof func === "function") {
-			const val = func(v);
-			if (val) attrs += attrs ? `, ${val}` : val;
-		} else throw new TypeError(`Unknown Cache-Control attribute ${a}`);
-	}
-	return attrs;
-}
-const cacheControlFunc = {
-	mustRevalidate: (v) => v ? "must-revalidate" : "",
-	noCache: (v) => v ? typeof v === "string" ? `no-cache="${v}"` : "no-cache" : "",
-	noStore: (v) => v ? "no-store" : "",
-	noTransform: (v) => v ? "no-transform" : "",
-	public: (v) => v ? "public" : "",
-	private: (v) => v ? typeof v === "string" ? `private="${v}"` : "private" : "",
-	proxyRevalidate: (v) => v ? "proxy-revalidate" : "",
-	maxAge: (v) => `max-age=${convertTime(v, "s").toString()}`,
-	sMaxage: (v) => `s-maxage=${convertTime(v, "s").toString()}`
-};
-
-//#endregion
-//#region packages/event-http/src/composables/header-set-cache-control.ts
-const renderAge = (v) => convertTime(v, "s").toString();
-const renderExpires = (v) => typeof v === "string" || typeof v === "number" ? new Date(v).toUTCString() : v.toUTCString();
-const renderPragmaNoCache = (v) => v ? "no-cache" : "";
-/** Provides helpers to set cache-related response headers (Cache-Control, Expires, Age, Pragma). */
-function useSetCacheControl() {
-	const { setHeader } = useSetHeaders();
-	const setAge = (value) => {
-		setHeader("age", renderAge(value));
-	};
-	const setExpires = (value) => {
-		setHeader("expires", renderExpires(value));
-	};
-	const setPragmaNoCache = (value = true) => {
-		setHeader("pragma", renderPragmaNoCache(value));
-	};
-	const setCacheControl = (data) => {
-		setHeader("cache-control", renderCacheControl(data));
-	};
-	return {
-		setExpires,
-		setAge,
-		setPragmaNoCache,
-		setCacheControl
-	};
-}
-
-//#endregion
-//#region packages/event-http/src/composables/response.ts
-/**
-* Provides access to the raw HTTP response and status code management.
-* @example
-* ```ts
-* const { status, rawResponse, hasResponded } = useResponse()
-* status(200)
-* ```
-*/
-function useResponse() {
-	const { store } = useHttpContext();
-	const event = store("event");
-	const res = event.get("res");
-	const responded = store("response").hook("responded");
-	const statusCode = store("status").hook("code");
-	function status(code) {
-		return statusCode.value = code ? code : statusCode.value;
-	}
-	const rawResponse = (options) => {
-		if (!options || !options.passthrough) responded.value = true;
-		return res;
-	};
-	return {
-		rawResponse,
-		hasResponded: () => responded.value || !res.writable || res.writableEnded,
-		status: attachHook(status, {
-			get: () => statusCode.value,
-			set: (code) => statusCode.value = code
-		})
-	};
-}
-/** Returns a hookable accessor for the response status code. */
-function useStatus() {
-	const { store } = useHttpContext();
-	return store("status").hook("code");
-}
-
-//#endregion
-//#region packages/event-http/src/utils/url-search-params.ts
-const ILLEGAL_KEYS = new Set([
-	"__proto__",
-	"constructor",
-	"prototype"
-]);
-var WooksURLSearchParams = class extends URLSearchParams {
-	toJson() {
-		const json = Object.create(null);
-		for (const [key, value] of this.entries()) if (isArrayParam(key)) {
-			const a = json[key] = json[key] || [];
-			a.push(value);
-		} else {
-			if (ILLEGAL_KEYS.has(key)) throw new HttpError(400, `Illegal key name "${key}"`);
-			if (key in json) throw new HttpError(400, `Duplicate key "${key}"`);
-			json[key] = value;
-		}
-		return json;
-	}
-};
-function isArrayParam(name) {
-	return name.endsWith("[]");
-}
-
-//#endregion
-//#region packages/event-http/src/composables/search-params.ts
-/**
-* Provides access to URL search (query) parameters from the request.
-* @example
-* ```ts
-* const { urlSearchParams, jsonSearchParams } = useSearchParams()
-* const page = urlSearchParams().get('page')
-* ```
-*/
-function useSearchParams() {
-	const { store } = useHttpContext();
-	const url = useRequest().url || "";
-	const { init } = store("searchParams");
-	const rawSearchParams = () => init("raw", () => {
-		const i = url.indexOf("?");
-		return i >= 0 ? url.slice(i) : "";
-	});
-	const urlSearchParams = () => init("urlSearchParams", () => new WooksURLSearchParams(rawSearchParams()));
-	return {
-		rawSearchParams,
-		urlSearchParams,
-		jsonSearchParams: () => urlSearchParams().toJson()
-	};
-}
-
-//#endregion
-//#region packages/event-http/src/response/core.ts
-const defaultStatus = {
-	GET: EHttpStatusCode.OK,
-	POST: EHttpStatusCode.Created,
-	PUT: EHttpStatusCode.Created,
-	PATCH: EHttpStatusCode.Accepted,
-	DELETE: EHttpStatusCode.Accepted
-};
-const baseRenderer = new BaseHttpResponseRenderer();
-var BaseHttpResponse = class {
-	constructor(renderer = baseRenderer) {
-		this.renderer = renderer;
-	}
-	_status = 0;
-	_body;
-	_headers = {};
-	get status() {
-		return this._status;
-	}
-	set status(value) {
-		this._status = value;
-	}
-	get body() {
-		return this._body;
-	}
-	set body(value) {
-		this._body = value;
-	}
-	setStatus(value) {
-		this.status = value;
-		return this;
-	}
-	setBody(value) {
-		this.body = value;
-		return this;
-	}
-	getContentType() {
-		return this._headers["content-type"];
-	}
-	setContentType(value) {
-		this._headers["content-type"] = value;
-		return this;
-	}
-	enableCors(origin = "*") {
-		this._headers["Access-Control-Allow-Origin"] = origin;
-		return this;
-	}
-	setCookie(name, value, attrs) {
-		const cookies = this._headers["set-cookie"] = this._headers["set-cookie"] || [];
-		cookies.push(renderCookie(name, {
-			value,
-			attrs: attrs || {}
-		}));
-		return this;
-	}
-	setCacheControl(data) {
-		this.setHeader("cache-control", renderCacheControl(data));
-	}
-	setCookieRaw(rawValue) {
-		const cookies = this._headers["set-cookie"] = this._headers["set-cookie"] || [];
-		cookies.push(rawValue);
-		return this;
-	}
-	header(name, value) {
-		this._headers[name] = value;
-		return this;
-	}
-	setHeader(name, value) {
-		return this.header(name, value);
-	}
-	getHeader(name) {
-		return this._headers[name];
-	}
-	mergeHeaders() {
-		const { headers } = useSetHeaders();
-		const { cookies, removeCookie } = useSetCookies();
-		const newCookies = this._headers["set-cookie"] || [];
-		for (const cookie of newCookies) removeCookie(cookie.slice(0, cookie.indexOf("=")));
-		const composableHeaders = headers();
-		for (const key in composableHeaders) if (!(key in this._headers)) this._headers[key] = composableHeaders[key];
-		const renderedCookies = cookies();
-		if (newCookies.length > 0 || renderedCookies.length > 0) this._headers["set-cookie"] = newCookies.length > 0 && renderedCookies.length > 0 ? [...newCookies, ...renderedCookies] : newCookies.length > 0 ? newCookies : renderedCookies;
-		return this;
-	}
-	mergeStatus(renderedBody) {
-		this.status = this.status || useResponse().status();
-		if (!this.status) {
-			const { method } = useRequest();
-			this.status = renderedBody ? defaultStatus[method] || EHttpStatusCode.OK : EHttpStatusCode.NoContent;
-		}
-		return this;
-	}
-	mergeFetchStatus(fetchStatus) {
-		this.status = this.status || useResponse().status() || fetchStatus;
-	}
-	panic(text, logger) {
-		const error = new Error(text);
-		logger.error(error);
-		throw error;
-	}
-	async respond() {
-		const { rawResponse, hasResponded } = useResponse();
-		const { method, rawRequest } = useRequest();
-		const logger = useEventLogger$1("http-response") || console;
-		if (hasResponded()) this.panic("The response was already sent.", logger);
-		this.mergeHeaders();
-		const res = rawResponse();
-		if (this.body instanceof Readable$1) {
-			const stream = this.body;
-			this.mergeStatus(true);
-			res.writeHead(this.status, { ...this._headers });
-			rawRequest.once("close", () => {
-				stream.destroy();
-			});
-			if (method === "HEAD") {
-				stream.destroy();
-				res.end();
-			} else return new Promise((resolve, reject) => {
-				stream.on("error", (e) => {
-					stream.destroy();
-					res.end();
-					reject(e);
-				});
-				stream.on("close", () => {
-					stream.destroy();
-					resolve(void 0);
-				});
-				stream.pipe(res);
-			});
-		} else if (globalThis.Response && this.body instanceof Response) {
-			this.mergeFetchStatus(this.body.status);
-			const additionalHeaders = {};
-			const fetchContentLength = this.body.headers.get("content-length");
-			if (fetchContentLength) additionalHeaders["content-length"] = fetchContentLength;
-			const fetchContentType = this.body.headers.get("content-type");
-			if (fetchContentType) additionalHeaders["content-type"] = fetchContentType;
-			res.writeHead(this.status, {
-				...this._headers,
-				...additionalHeaders
-			});
-			if (method === "HEAD") res.end();
-			else await respondWithFetch(this.body.body, res, logger);
-		} else {
-			const renderedBody = this.renderer.render(this);
-			this.mergeStatus(renderedBody);
-			const contentLength = typeof renderedBody === "string" ? Buffer.byteLength(renderedBody) : renderedBody.byteLength;
-			return new Promise((resolve) => {
-				res.writeHead(this.status, {
-					"content-length": contentLength,
-					...this._headers
-				}).end(method === "HEAD" ? "" : renderedBody, resolve);
-			});
-		}
-	}
-};
-async function respondWithFetch(fetchBody, res, logger) {
-	if (fetchBody) try {
-		for await (const chunk of fetchBody) res.write(chunk);
-	} catch (error) {
-		logger.error("Error streaming fetch response body", error);
-	}
-	if (!res.writableEnded) res.end();
-}
-
-//#endregion
-//#region packages/event-http/src/response/factory.ts
-function createWooksResponder(renderer = new BaseHttpResponseRenderer(), errorRenderer = new HttpErrorRenderer()) {
-	function createResponse(data) {
-		const { hasResponded } = useResponse();
-		if (hasResponded()) return null;
-		if (data instanceof Error) {
-			const r = new BaseHttpResponse(errorRenderer);
-			let httpError;
-			if (data instanceof HttpError) httpError = data;
-			else httpError = new HttpError(500, data.message);
-			r.setBody(httpError.body);
-			return r;
-		} else if (data instanceof BaseHttpResponse) return data;
-		else return new BaseHttpResponse(renderer).setBody(data);
-	}
-	return {
-		createResponse,
-		respond: (data) => createResponse(data)?.respond()
-	};
-}
+function renderErrorHtml(data) {
+	const hasDetails = Object.keys(data).length > 3;
+	const icon = data.statusCode >= 500 ? icons[500] : icons[data.statusCode] || "";
+	return typeof error_tl_default === "function" ? error_tl_default({
+		icon,
+		statusCode: data.statusCode,
+		statusMessage: httpStatusCodes[data.statusCode],
+		message: data.message,
+		details: hasDetails ? JSON.stringify(data, null, "  ") : "",
+		version: framework.version,
+		poweredBy: framework.poweredBy,
+		link: framework.link,
+		image: framework.image
+	}) : JSON.stringify(data, null, "  ");
+}
+function renderErrorText(data) {
+	const keys = Object.keys(data).filter((key) => ![
+		"statusCode",
+		"error",
+		"message"
+	].includes(key));
+	return `${data.statusCode} ${httpStatusCodes[data.statusCode]}\n${data.message}\n\n${keys.length > 0 ? JSON.stringify({
+		...data,
+		statusCode: void 0,
+		message: void 0,
+		error: void 0
+	}, null, "  ") : ""}`;
+}
 
 //#endregion
 //#region packages/event-http/src/http-adapter.ts
 /** HTTP adapter for Wooks that provides route registration, server lifecycle, and request handling. */
 var WooksHttp = class extends WooksAdapterBase {
 	logger;
-	_cachedEventOptions;
+	ResponseClass;
+	eventContextOptions;
 	constructor(opts, wooks) {
 		super(wooks, opts?.logger, opts?.router);
 		this.opts = opts;
 		this.logger = opts?.logger || this.getLogger(`[wooks-http]`);
-		this._cachedEventOptions = this.mergeEventOptions(opts?.eventOptions);
+		this.ResponseClass = opts?.responseClass ?? WooksHttpResponse;
+		this.eventContextOptions = this.getEventContextOptions();
 	}
 	/** Registers a handler for all HTTP methods on the given path. */
 	all(path, handler) {
@@ -1498,9 +1486,22 @@ var WooksHttp = class extends WooksAdapterBase {
 	options(path, handler) {
 		return this.on("OPTIONS", path, handler);
 	}
+	/** Registers an UPGRADE route handler for WebSocket upgrade requests. */
+	upgrade(path, handler) {
+		return this.on("UPGRADE", path, handler);
+	}
+	wsHandler;
+	/** Register a WebSocket upgrade handler that implements the WooksUpgradeHandler contract. */
+	ws(handler) {
+		this.wsHandler = handler;
+	}
 	server;
 	async listen(port, hostname, backlog, listeningListener) {
 		const server = this.server = http.createServer(this.getServerCb());
+		if (this.wsHandler) {
+			const upgradeCb = this.getUpgradeCb();
+			server.on("upgrade", upgradeCb);
+		}
 		return new Promise((resolve, reject) => {
 			server.once("listening", resolve);
 			server.once("error", reject);
@@ -1550,11 +1551,14 @@ var WooksHttp = class extends WooksAdapterBase {
 	attachServer(server) {
 		this.server = server;
 	}
-	responder = createWooksResponder();
-	respond(data) {
-		return this.responder.respond(data)?.catch((error) => {
-			this.logger.error("Uncaught response exception", error);
-		});
+	respond(data, response, ctx) {
+		if (response.responded) return;
+		if (data instanceof Error) {
+			const httpError = data instanceof HttpError ? data : new HttpError(500, data.message);
+			return response.sendError(httpError, ctx);
+		}
+		if (data !== response) response.body = data;
+		return response.send();
 	}
 	/**
 	* Returns server callback function
@@ -1569,47 +1573,131 @@ var WooksHttp = class extends WooksAdapterBase {
 	* ```
 	*/
 	getServerCb() {
+		const ctxOptions = this.eventContextOptions;
+		const RequestLimits = this.opts?.requestLimits;
+		const notFoundHandler = this.opts?.onNotFound;
+		const defaultHeaders = this.opts?.defaultHeaders;
 		return (req, res) => {
-			const runInContext = createHttpContext({
-				req,
-				res,
-				requestLimits: this.opts?.requestLimits
-			}, this._cachedEventOptions);
+			const ctx = new EventContext(ctxOptions);
+			const response = new this.ResponseClass(res, req, ctx.logger, defaultHeaders);
 			const method = req.method || "";
 			const url = req.url || "";
-			runInContext(async () => {
-				const notFoundHandler = this.opts?.onNotFound;
-				const { handlers } = this.wooks.lookup(method, url);
-				if (handlers || notFoundHandler) try {
-					return await this.processHandlers(handlers || [notFoundHandler]);
-				} catch (error) {
-					this.logger.error("Internal error, please report", error);
-					await this.respond(error);
-					return error;
-				}
-				else {
+			run(ctx, () => {
+				ctx.seed(httpKind, {
+					req,
+					response,
+					requestLimits: RequestLimits
+				});
+				const handlers = this.wooks.lookupHandlers(method, url, ctx);
+				if (handlers || notFoundHandler) {
+					const result = this.processHandlers(handlers || [notFoundHandler], ctx, response);
+					if (result !== null && result !== void 0 && typeof result.then === "function") result.catch((error) => {
+						this.logger.error("Internal error, please report", error);
+						this.respond(error, response, ctx);
+					});
+				} else {
 					this.logger.debug(`404 Not found (${method})${url}`);
 					const error = new HttpError(404);
-					await this.respond(error);
-					return error;
+					this.respond(error, response, ctx);
 				}
 			});
 		};
 	}
-	async processHandlers(handlers) {
-		const { store } = useHttpContext();
+	/**
+	* Returns upgrade callback function for the HTTP server's 'upgrade' event.
+	* Creates an HTTP context, seeds it with upgrade data, and routes as method 'UPGRADE'.
+	*/
+	getUpgradeCb() {
+		const ctxOptions = this.eventContextOptions;
+		const requestLimits = this.opts?.requestLimits;
+		const wsHandler = this.wsHandler;
+		return (req, socket, head) => {
+			if (!wsHandler) {
+				socket.destroy();
+				return;
+			}
+			const ctx = new EventContext(ctxOptions);
+			const url = req.url || "";
+			run(ctx, () => {
+				ctx.seed(httpKind, {
+					req,
+					response: void 0,
+					requestLimits
+				});
+				ctx.set(wsHandler.reqKey, req);
+				ctx.set(wsHandler.socketKey, socket);
+				ctx.set(wsHandler.headKey, head);
+				const handlers = this.wooks.lookupHandlers("UPGRADE", url, ctx);
+				if (handlers) this.processUpgradeHandlers(handlers, ctx, socket);
+				else wsHandler.handleUpgrade(req, socket, head);
+			});
+		};
+	}
+	processUpgradeHandlers(handlers, ctx, socket) {
+		for (let i = 0; i < handlers.length; i++) {
+			const handler = handlers[i];
+			const isLastHandler = i === handlers.length - 1;
+			try {
+				const result = handler();
+				if (result !== null && result !== void 0 && typeof result.then === "function") {
+					result.catch((error) => {
+						this.logger.error(`Upgrade handler error: ${ctx.get(httpKind.keys.req)?.url || ""}`, error);
+						socket.destroy();
+					});
+					return;
+				}
+				return;
+			} catch (error) {
+				if (!(error instanceof HttpError)) this.logger.error(`Upgrade handler error: ${ctx.get(httpKind.keys.req)?.url || ""}`, error);
+				if (isLastHandler) {
+					socket.destroy();
+					return;
+				}
+			}
+		}
+	}
+	processHandlers(handlers, ctx, response) {
 		for (let i = 0; i < handlers.length; i++) {
 			const handler = handlers[i];
 			const isLastHandler = i === handlers.length - 1;
 			try {
-				const promise = handler();
-				const result = await promise;
-				await this.respond(result);
+				const result = handler();
+				if (result !== null && result !== void 0 && typeof result.then === "function") return this.processAsyncResult(result, handlers, i, ctx, response);
+				this.respond(result, response, ctx);
+				return;
+			} catch (error) {
+				if (!(error instanceof HttpError)) this.logger.error(`Uncaught route handler exception: ${ctx.get(httpKind.keys.req)?.url || ""}`, error);
+				if (isLastHandler) {
+					this.respond(error, response, ctx);
+					return;
+				}
+			}
+		}
+	}
+	async processAsyncResult(promise, handlers, startIndex, ctx, response) {
+		try {
+			const result = await promise;
+			await this.respond(result, response, ctx);
+			return result;
+		} catch (error) {
+			const isLastHandler = startIndex === handlers.length - 1;
+			if (!(error instanceof HttpError)) this.logger.error(`Uncaught route handler exception: ${ctx.get(httpKind.keys.req)?.url || ""}`, error);
+			if (isLastHandler) {
+				await this.respond(error, response, ctx);
+				return error;
+			}
+		}
+		for (let i = startIndex + 1; i < handlers.length; i++) {
+			const handler = handlers[i];
+			const isLastHandler = i === handlers.length - 1;
+			try {
+				const result = await handler();
+				await this.respond(result, response, ctx);
 				return result;
 			} catch (error) {
-				if (error instanceof HttpError) {} else this.logger.error(`Uncaught route handler exception: ${store("event").get("req")?.url || ""}`, error);
+				if (!(error instanceof HttpError)) this.logger.error(`Uncaught route handler exception: ${ctx.get(httpKind.keys.req)?.url || ""}`, error);
 				if (isLastHandler) {
-					await this.respond(error);
+					await this.respond(error, response, ctx);
 					return error;
 				}
 			}
@@ -1630,4 +1718,100 @@ function createHttpApp(opts, wooks) {
 }
 
 //#endregion
-export { BaseHttpResponse, BaseHttpResponseRenderer, DEFAULT_LIMITS, EHttpStatusCode, HttpError, HttpErrorRenderer, WooksHttp, WooksURLSearchParams, createHttpApp, createHttpContext, createWooksResponder, httpStatusCodes, renderCacheControl, useAccept, useAuthorization, useCookies, useEventLogger, useHeaders, useHttpContext, useRequest, useResponse, useRouteParams, useSearchParams, useSetCacheControl, useSetCookie, useSetCookies, useSetHeader, useSetHeaders, useStatus };
+//#region packages/event-http/src/utils/security-headers.ts
+const HEADER_MAP = [
+	[
+		"contentSecurityPolicy",
+		"content-security-policy",
+		"default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"
+	],
+	[
+		"crossOriginOpenerPolicy",
+		"cross-origin-opener-policy",
+		"same-origin"
+	],
+	[
+		"crossOriginResourcePolicy",
+		"cross-origin-resource-policy",
+		"same-origin"
+	],
+	[
+		"referrerPolicy",
+		"referrer-policy",
+		"no-referrer"
+	],
+	[
+		"strictTransportSecurity",
+		"strict-transport-security",
+		void 0
+	],
+	[
+		"xContentTypeOptions",
+		"x-content-type-options",
+		"nosniff"
+	],
+	[
+		"xFrameOptions",
+		"x-frame-options",
+		"SAMEORIGIN"
+	]
+];
+/**
+* Returns a record of recommended HTTP security headers.
+*
+* Each option accepts a `string` (override value) or `false` (disable).
+* Omitting an option uses the default value.
+*
+* `strictTransportSecurity` is opt-in only (no default) — HSTS is dangerous if not on HTTPS.
+*/
+function securityHeaders(opts) {
+	const result = {};
+	for (const [optKey, headerName, defaultValue] of HEADER_MAP) {
+		const value = opts?.[optKey];
+		if (value === false) continue;
+		if (typeof value === "string") result[headerName] = value;
+		else if (defaultValue !== void 0) result[headerName] = defaultValue;
+	}
+	return result;
+}
+
+//#endregion
+//#region packages/event-http/src/testing.ts
+/**
+* Creates a fully initialized HTTP event context for testing.
+*
+* Sets up an `EventContext` with a fake `IncomingMessage`, `HttpResponse`, route params,
+* and optional pre-seeded body. Returns a runner function that executes callbacks inside the context scope.
+*
+* @example
+* ```ts
+* const run = prepareTestHttpContext({ url: '/users/42', params: { id: '42' } })
+* run(() => {
+*   const { params } = useRouteParams()
+*   expect(params.id).toBe('42')
+* })
+* ```
+*/
+function prepareTestHttpContext(options) {
+	const req = new IncomingMessage(new Socket({}));
+	req.method = options.method || "GET";
+	req.headers = options.headers || {};
+	req.url = options.url;
+	const res = new ServerResponse(req);
+	const response = new HttpResponse(res, req, console, options.defaultHeaders);
+	const ctx = new EventContext({ logger: console });
+	ctx.seed(httpKind, {
+		req,
+		response,
+		requestLimits: options.requestLimits
+	});
+	if (options.params) ctx.set(routeParamsKey, options.params);
+	if (options.rawBody !== void 0) {
+		const buf = Buffer$1.isBuffer(options.rawBody) ? options.rawBody : Buffer$1.from(options.rawBody);
+		ctx.set(rawBodySlot, Promise.resolve(buf));
+	}
+	return (cb) => run(ctx, cb);
+}
+
+//#endregion
+export { DEFAULT_LIMITS, EHttpStatusCode, HttpError, HttpResponse, WooksHttp, WooksHttpResponse, WooksURLSearchParams, createHttpApp, createHttpContext, httpKind, httpStatusCodes, prepareTestHttpContext, rawBodySlot, renderCacheControl, securityHeaders, useAccept, useAuthorization, useCookies, useHeaders, useHttpContext, useLogger, useRequest, useResponse, useRouteParams, useUrlParams };