@wooksjs/event-wf 0.7.14 → 0.7.16

package/dist/index.cjs

@@ -2,7 +2,7 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 let _wooksjs_event_core = require("@wooksjs/event-core");
 let _wooksjs_event_http = require("@wooksjs/event-http");
 let _wooksjs_http_body = require("@wooksjs/http-body");
-let node_crypto = require("node:crypto");
+let _prostojs_wf_outlets = require("@prostojs/wf/outlets");
 let _prostojs_wf = require("@prostojs/wf");
 let wooks = require("wooks");
 
@@ -57,8 +57,6 @@ function resumeWfContext(options, seeds, fn) {
 //#region packages/event-wf/src/outlets/outlet-context.ts
 /** Registered outlet handlers, keyed by name */
 const outletsRegistryKey = (0, _wooksjs_event_core.key)("wf.outlets.registry");
-/** Active state strategy for current request */
-const stateStrategyKey = (0, _wooksjs_event_core.key)("wf.outlets.stateStrategy");
 /** Finished response set by workflow steps */
 const wfFinishedKey = (0, _wooksjs_event_core.key)("wf.outlets.finished");
 
@@ -72,7 +70,6 @@ const wfFinishedKey = (0, _wooksjs_event_core.key)("wf.outlets.finished");
 * where steps need to inspect or modify outlet state directly.
 */
 const useWfOutlet = (0, _wooksjs_event_core.defineWook)((ctx) => ({
-	getStateStrategy: () => ctx.get(stateStrategyKey),
 	getOutlets: () => ctx.get(outletsRegistryKey),
 	getOutlet: (name) => ctx.get(outletsRegistryKey)?.get(name) ?? null
 }));
@@ -96,8 +93,81 @@ const useWfFinished = (0, _wooksjs_event_core.defineWook)((ctx) => ({
 	get: () => ctx.has(wfFinishedKey) ? ctx.get(wfFinishedKey) : void 0
 }));
 
+//#endregion
+//#region packages/event-wf/src/strategy-context.ts
+/** Name of the strategy currently active for the running workflow. */
+const stateStrategyNameKey = (0, _wooksjs_event_core.key)("wf.strategyName");
+/** Strategy names must match this regex (validated at swap call + config). */
+const STRATEGY_NAME_RE = /^[A-Za-z0-9_-]+$/;
+
+//#endregion
+//#region packages/event-wf/src/outlets/use-wf-strategy.ts
+/**
+* Composable for inspecting / swapping the active state strategy name from
+* within a workflow step. The new name applies to the NEXT pause — it travels
+* back to the outlet trigger via `output.inputRequired.stateStrategy`, and
+* persists in the issued token's prefix.
+*
+* The composable only validates the name FORMAT (regex). Existence in the
+* trigger's strategy registry is validated at pause time by the trigger
+* itself — `swapStrategy('typo')` here will not throw; the trigger will
+* throw on pause when it can't find 'typo' in its registry.
+*
+* @example
+* ```ts
+* // Step that escalates from in-memory state to a durable KV store before
+* // pausing for a long-running approval:
+* app.step('await-approval', {
+*   handler: () => {
+*     swapStrategy('kv')
+*     return outletHttp({ fields: ['decision'] })
+*   },
+* })
+* ```
+*/
+const useWfStrategy = (0, _wooksjs_event_core.defineWook)((ctx) => ({
+	current: () => ctx.get(stateStrategyNameKey),
+	swap: (name) => {
+		if (!STRATEGY_NAME_RE.test(name)) throw new Error(`swapStrategy: invalid name '${name}' — must match ${STRATEGY_NAME_RE}`);
+		ctx.set(stateStrategyNameKey, name);
+	}
+}));
+/**
+* Sugar — calls `useWfStrategy().swap(name)`. Returns `undefined` so a step
+* can write `return swapStrategy('kv')` when no outlet pause follows.
+*/
+function swapStrategy(name) {
+	useWfStrategy().swap(name);
+}
+
 //#endregion
 //#region packages/event-wf/src/outlets/trigger.ts
+function wrapToken(name, raw) {
+	return `${name}.${raw}`;
+}
+function unwrapToken(token) {
+	const i = token.indexOf(".");
+	if (i <= 0 || i === token.length - 1) return null;
+	return {
+		name: token.slice(0, i),
+		raw: token.slice(i + 1)
+	};
+}
+function normalizeStateConfig(state) {
+	if (typeof state === "object" && state !== null && "strategies" in state) {
+		const registry = state.strategies;
+		for (const name of Object.keys(registry)) if (!STRATEGY_NAME_RE.test(name)) throw new Error(`Invalid strategy name '${name}': must match /^[A-Za-z0-9_-]+$/`);
+		const def = state.default;
+		return {
+			registry,
+			resolveDefaultName: typeof def === "function" ? def : (_wfid) => def
+		};
+	}
+	return {
+		registry: { default: state },
+		resolveDefaultName: () => "default"
+	};
+}
 /**
 * Handle an HTTP request that starts or resumes a workflow.
 *
@@ -129,6 +199,7 @@ async function handleWfOutletRequest(config, deps) {
 	const registry = new Map(config.outlets.map((o) => [o.name, o]));
 	ctx.set(outletsRegistryKey, registry);
 	ctx.set(wfFinishedKey, void 0);
+	const { registry: strategyRegistry, resolveDefaultName } = normalizeStateConfig(config.state);
 	const { parseBody } = (0, _wooksjs_http_body.useBody)();
 	const { params } = (0, _wooksjs_event_http.useUrlParams)();
 	const { getCookie } = (0, _wooksjs_event_http.useCookies)();
@@ -144,27 +215,31 @@ async function handleWfOutletRequest(config, deps) {
 	}
 	const wfid = body?.[wfidName] ?? queryParams.get(wfidName) ?? void 0;
 	const input = body?.input;
-	const resolveStrategy = (id) => typeof config.state === "function" ? config.state(id) : config.state;
 	let output;
-	let strategyReResolved = false;
+	let incomingName;
+	let incomingRaw;
 	if (token) {
-		const strategy = resolveStrategy(wfid ?? "");
-		ctx.set(stateStrategyKey, strategy);
-		const state = await strategy.consume(token);
+		const unwrapped = unwrapToken(token);
+		if (!unwrapped) {
+			response.setStatus(410);
+			return { error: "Invalid workflow state token" };
+		}
+		const strategy = Object.prototype.hasOwnProperty.call(strategyRegistry, unwrapped.name) ? strategyRegistry[unwrapped.name] : void 0;
+		if (!strategy) {
+			response.setStatus(410);
+			return { error: "Invalid workflow state token" };
+		}
+		incomingName = unwrapped.name;
+		incomingRaw = unwrapped.raw;
+		const state = await strategy.consume(unwrapped.raw);
 		if (!state) {
 			response.setStatus(410);
 			return { error: "Invalid or expired workflow state" };
 		}
-		if (state.schemaId !== (wfid ?? "")) {
-			const realStrategy = resolveStrategy(state.schemaId);
-			if (realStrategy !== strategy) {
-				ctx.set(stateStrategyKey, realStrategy);
-				strategyReResolved = true;
-			}
-		}
 		output = await deps.resume(state, {
 			input,
-			eventContext: ctx
+			eventContext: ctx,
+			strategy: { name: incomingName }
 		});
 	} else if (wfid) {
 		if (config.allow?.length && !config.allow.includes(wfid)) {
@@ -175,12 +250,13 @@ async function handleWfOutletRequest(config, deps) {
 			response.setStatus(403);
 			return { error: `Workflow '${wfid}' is blocked` };
 		}
-		const strategy = resolveStrategy(wfid);
-		ctx.set(stateStrategyKey, strategy);
+		const defaultName = resolveDefaultName(wfid);
+		if (!(Object.prototype.hasOwnProperty.call(strategyRegistry, defaultName) ? strategyRegistry[defaultName] : void 0)) throw new Error(`Default strategy '${defaultName}' not found in registry. Known: ${Object.keys(strategyRegistry).join(", ")}`);
 		const initialContext = config.initialContext ? config.initialContext(body, wfid) : {};
 		output = await deps.start(wfid, initialContext, {
 			input,
-			eventContext: ctx
+			eventContext: ctx,
+			strategy: { name: defaultName }
 		});
 	} else {
 		response.setStatus(400);
@@ -211,13 +287,16 @@ async function handleWfOutletRequest(config, deps) {
 			response.setStatus(500);
 			return { error: `Unknown outlet: '${outletReq.outlet}'` };
 		}
-		const strategy = ctx.get(stateStrategyKey);
+		const finalName = outletReq.stateStrategy;
+		if (finalName === void 0) throw new Error("Workflow paused without `stateStrategy` on inputRequired — the WF adapter must augment the output with the active strategy name.");
+		const finalStrategy = Object.prototype.hasOwnProperty.call(strategyRegistry, finalName) ? strategyRegistry[finalName] : void 0;
+		if (!finalStrategy) throw new Error(`Workflow paused with unknown strategy '${finalName}' — step swapped to a name not in the trigger's registry. Known: ${Object.keys(strategyRegistry).join(", ")}`);
 		const stateWithMeta = {
 			...output.state,
 			meta: { outlet: outletReq.outlet }
 		};
-		const reuseHandle = token && !strategyReResolved ? { handle: token } : void 0;
-		const newToken = await strategy.persist(stateWithMeta, output.expires ? { ttl: output.expires - Date.now() } : void 0, reuseHandle);
+		const reuseHandle = incomingName !== void 0 && incomingName === finalName && incomingRaw !== void 0 ? { handle: incomingRaw } : void 0;
+		const newToken = wrapToken(finalName, await finalStrategy.persist(stateWithMeta, output.expires ? { ttl: output.expires - Date.now() } : void 0, reuseHandle));
 		const outOfBand = outletHandler.tokenDelivery === "out-of-band";
 		if (tokenWrite === "cookie" && !outOfBand) response.setCookie(tokenName, newToken, {
 			httpOnly: true,
@@ -320,219 +399,6 @@ function createOutletHandler(wfApp) {
 	});
 }
 
-//#endregion
-//#region node_modules/.pnpm/@prostojs+wf@0.2.1/node_modules/@prostojs/wf/dist/outlets/index.mjs
-/**
-* Generic outlet request. Use for custom outlets.
-*
-* @example
-* return outlet('pending-task', {
-*   payload: ApprovalForm,
-*   target: managerId,
-*   context: { orderId, amount },
-* })
-*/
-function outlet(name, data) {
-	return { inputRequired: {
-		outlet: name,
-		...data
-	} };
-}
-/**
-* Pause for HTTP form input. The outlet returns the payload (form definition)
-* and state token in the HTTP response.
-*
-* @example
-* return outletHttp(LoginForm)
-* return outletHttp(LoginForm, { error: 'Invalid credentials' })
-*/
-function outletHttp(payload, context) {
-	return outlet("http", {
-		payload,
-		context
-	});
-}
-/**
-* Pause and send email with a magic link containing the state token.
-*
-* @example
-* return outletEmail('user@test.com', 'invite', { name: 'Alice' })
-*/
-function outletEmail(target, template, context) {
-	return outlet("email", {
-		target,
-		template,
-		context
-	});
-}
-/**
-* Self-contained AES-256-GCM encrypted state strategy.
-*
-* Workflow state is encrypted into a base64url token that travels with the
-* transport (cookie, URL param, hidden field). No server-side storage needed.
-*
-* Token format: `base64url(iv[12] + authTag[16] + ciphertext)`
-*
-* ## Security warning — replay
-*
-* This strategy is STATELESS. It cannot enforce single-use semantics:
-* `consume()` is a no-op alias for `retrieve()` because there is no
-* server-side record to delete. Anyone who obtains a copy of the token
-* (browser history, server logs, shoulder-surfing, intermediate proxy,
-* shared device) can replay it until the TTL expires.
-*
-* Use `EncapsulatedStateStrategy` ONLY when BOTH of the following hold:
-*
-* 1. Every workflow step is idempotent — re-executing a step with the same
-*    input produces no harmful side effects (pure data collection,
-*    validation-only steps).
-* 2. The flow is not security-sensitive — no credential changes, financial
-*    operations, account provisioning, permission grants, or any other
-*    privileged action.
-*
-* For auth flows (login, password reset, invite accept), financial
-* operations, or anything with meaningful side effects, use
-* `HandleStateStrategy` with a durable `WfStateStore`. `HandleStateStrategy`
-* supports true single-use tokens via atomic `getAndDelete` at the store
-* layer.
-*
-* @example
-* const strategy = new EncapsulatedStateStrategy({
-*     secret: crypto.randomBytes(32),
-*     defaultTtl: 3600_000, // 1 hour
-* });
-* const token = await strategy.persist(state);
-* const recovered = await strategy.retrieve(token);
-*/
-var EncapsulatedStateStrategy = class {
-	/** @throws if secret is not exactly 32 bytes */
-	constructor(config) {
-		this.config = config;
-		this.key = typeof config.secret === "string" ? Buffer.from(config.secret, "hex") : config.secret;
-		if (this.key.length !== 32) throw new Error("EncapsulatedStateStrategy: secret must be exactly 32 bytes");
-	}
-	/**
-	* Encrypt workflow state into a self-contained token.
-	*
-	* NOTE: the `overrides.handle` hint from `WfStateStrategy` is silently
-	* ignored — the encapsulated token IS the ciphertext of the state, so a
-	* fixed handle cannot map to changing state. Callers that need handle
-	* stability across calls must use `HandleStateStrategy`.
-	*
-	* @param state — workflow state to persist
-	* @param options.ttl — time-to-live in ms (overrides defaultTtl)
-	* @returns base64url-encoded encrypted token
-	*/
-	async persist(state, options, _overrides) {
-		const ttl = options?.ttl ?? this.config.defaultTtl ?? 0;
-		const exp = ttl > 0 ? Date.now() + ttl : 0;
-		const payload = JSON.stringify({
-			s: state,
-			e: exp
-		});
-		const iv = (0, node_crypto.randomBytes)(12);
-		const cipher = (0, node_crypto.createCipheriv)("aes-256-gcm", this.key, iv);
-		const encrypted = Buffer.concat([cipher.update(payload, "utf8"), cipher.final()]);
-		const tag = cipher.getAuthTag();
-		return Buffer.concat([
-			iv,
-			tag,
-			encrypted
-		]).toString("base64url");
-	}
-	/** Decrypt and return workflow state. Returns null if token is invalid, expired, or tampered. */
-	async retrieve(token) {
-		return this.decrypt(token);
-	}
-	/**
-	* Stateless — CANNOT invalidate the token. Returns identical result to
-	* `retrieve()`. See the class-level security warning.
-	*
-	* This method exists only to satisfy the `WfStateStrategy` contract.
-	* Callers that need true single-use semantics must use
-	* `HandleStateStrategy`.
-	*/
-	async consume(token) {
-		return this.decrypt(token);
-	}
-	decrypt(token) {
-		try {
-			const buf = Buffer.from(token, "base64url");
-			if (buf.length < 28) return null;
-			const iv = buf.subarray(0, 12);
-			const tag = buf.subarray(12, 28);
-			const ciphertext = buf.subarray(28);
-			const decipher = (0, node_crypto.createDecipheriv)("aes-256-gcm", this.key, iv);
-			decipher.setAuthTag(tag);
-			const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-			const { s: state, e: exp } = JSON.parse(decrypted.toString("utf8"));
-			if (exp > 0 && Date.now() > exp) return null;
-			return state;
-		} catch {
-			return null;
-		}
-	}
-};
-var HandleStateStrategy = class {
-	constructor(config) {
-		this.config = config;
-	}
-	async persist(state, options, overrides) {
-		const handle = overrides?.handle ?? (this.config.generateHandle ?? node_crypto.randomUUID)();
-		const ttl = options?.ttl ?? this.config.defaultTtl ?? 0;
-		const expiresAt = ttl > 0 ? Date.now() + ttl : void 0;
-		await this.config.store.set(handle, state, expiresAt);
-		return handle;
-	}
-	async retrieve(token) {
-		return (await this.config.store.get(token))?.state ?? null;
-	}
-	async consume(token) {
-		return (await this.config.store.getAndDelete(token))?.state ?? null;
-	}
-};
-/**
-* In-memory state store for development and testing.
-* State is lost on process restart.
-*/
-var WfStateStoreMemory = class {
-	constructor() {
-		this.store = /* @__PURE__ */ new Map();
-	}
-	async set(handle, state, expiresAt) {
-		this.store.set(handle, {
-			state,
-			expiresAt
-		});
-	}
-	async get(handle) {
-		const entry = this.store.get(handle);
-		if (!entry) return null;
-		if (entry.expiresAt && Date.now() > entry.expiresAt) {
-			this.store.delete(handle);
-			return null;
-		}
-		return entry;
-	}
-	async delete(handle) {
-		this.store.delete(handle);
-	}
-	async getAndDelete(handle) {
-		const entry = await this.get(handle);
-		if (entry) this.store.delete(handle);
-		return entry;
-	}
-	async cleanup() {
-		const now = Date.now();
-		let count = 0;
-		for (const [handle, entry] of this.store) if (entry.expiresAt && now > entry.expiresAt) {
-			this.store.delete(handle);
-			count++;
-		}
-		return count;
-	}
-};
-
 //#endregion
 //#region packages/event-wf/src/workflow.ts
 /** Workflow engine that resolves steps via Wooks router lookup. */
@@ -640,6 +506,7 @@ var WooksWf = class extends wooks.WooksAdapterBase {
 			indexes,
 			input
 		}, async () => {
+			if (opts?.strategy?.name !== void 0) (0, _wooksjs_event_core.current)().set(stateStrategyNameKey, opts.strategy.name);
 			const { handlers: foundHandlers } = this.wooks.lookup("WF_FLOW", `/${schemaId}`.replace(/^\/+/u, "/"));
 			const handlers = foundHandlers || this.opts?.onNotFound && [this.opts.onNotFound] || null;
 			if (handlers && handlers.length > 0) {
@@ -673,6 +540,10 @@ var WooksWf = class extends wooks.WooksAdapterBase {
 					throw error;
 				}
 				clean();
+				if (result.inputRequired) {
+					const finalName = (0, _wooksjs_event_core.current)().get(stateStrategyNameKey);
+					if (finalName !== void 0) result.inputRequired.stateStrategy = finalName;
+				}
 				if (result.resume) result.resume = (_input) => this.resume(result.state, {
 					input: _input,
 					spy,
@@ -717,15 +588,30 @@ function createWfApp(opts, wooks$2) {
 }
 
 //#endregion
-exports.EncapsulatedStateStrategy = EncapsulatedStateStrategy;
-exports.HandleStateStrategy = HandleStateStrategy;
+Object.defineProperty(exports, 'EncapsulatedStateStrategy', {
+  enumerable: true,
+  get: function () {
+    return _prostojs_wf_outlets.EncapsulatedStateStrategy;
+  }
+});
+Object.defineProperty(exports, 'HandleStateStrategy', {
+  enumerable: true,
+  get: function () {
+    return _prostojs_wf_outlets.HandleStateStrategy;
+  }
+});
 Object.defineProperty(exports, 'StepRetriableError', {
   enumerable: true,
   get: function () {
     return _prostojs_wf.StepRetriableError;
   }
 });
-exports.WfStateStoreMemory = WfStateStoreMemory;
+Object.defineProperty(exports, 'WfStateStoreMemory', {
+  enumerable: true,
+  get: function () {
+    return _prostojs_wf_outlets.WfStateStoreMemory;
+  }
+});
 exports.WooksWf = WooksWf;
 exports.createEmailOutlet = createEmailOutlet;
 exports.createHttpOutlet = createHttpOutlet;
@@ -733,11 +619,27 @@ exports.createOutletHandler = createOutletHandler;
 exports.createWfApp = createWfApp;
 exports.createWfContext = createWfContext;
 exports.handleWfOutletRequest = handleWfOutletRequest;
-exports.outlet = outlet;
-exports.outletEmail = outletEmail;
-exports.outletHttp = outletHttp;
+Object.defineProperty(exports, 'outlet', {
+  enumerable: true,
+  get: function () {
+    return _prostojs_wf_outlets.outlet;
+  }
+});
+Object.defineProperty(exports, 'outletEmail', {
+  enumerable: true,
+  get: function () {
+    return _prostojs_wf_outlets.outletEmail;
+  }
+});
+Object.defineProperty(exports, 'outletHttp', {
+  enumerable: true,
+  get: function () {
+    return _prostojs_wf_outlets.outletHttp;
+  }
+});
 exports.resumeKey = resumeKey;
 exports.resumeWfContext = resumeWfContext;
+exports.swapStrategy = swapStrategy;
 Object.defineProperty(exports, 'useLogger', {
   enumerable: true,
   get: function () {
@@ -753,5 +655,6 @@ Object.defineProperty(exports, 'useRouteParams', {
 exports.useWfFinished = useWfFinished;
 exports.useWfOutlet = useWfOutlet;
 exports.useWfState = useWfState;
+exports.useWfStrategy = useWfStrategy;
 exports.wfKind = wfKind;
 exports.wfShortcuts = wfShortcuts;

package/dist/index.d.ts

@@ -2,7 +2,7 @@ import * as _wooksjs_event_core from '@wooksjs/event-core';
 import { EventContextOptions, EventKindSeeds, EventContext } from '@wooksjs/event-core';
 export { EventContext, EventContextOptions, useLogger, useRouteParams } from '@wooksjs/event-core';
 import * as _prostojs_wf_outlets from '@prostojs/wf/outlets';
-import { WfStateStrategy, WfOutlet, WfOutletRequest } from '@prostojs/wf/outlets';
+import { WfOutletRequest, WfStateStrategy, WfOutlet } from '@prostojs/wf/outlets';
 export { EncapsulatedStateStrategy, HandleStateStrategy, WfOutlet, WfOutletRequest, WfOutletResult, WfState, WfStateStore, WfStateStoreMemory, WfStateStrategy, outlet, outletEmail, outletHttp } from '@prostojs/wf/outlets';
 import { TFlowOutput, Workflow, Step, TWorkflowSpy, TStepHandler, TWorkflowSchema } from '@prostojs/wf';
 export { StepRetriableError, TStepHandler, TWorkflowSchema } from '@prostojs/wf';
@@ -50,7 +50,6 @@ declare function resumeWfContext<R>(options: EventContextOptions, seeds: EventKi
  * where steps need to inspect or modify outlet state directly.
  */
 declare const useWfOutlet: _wooksjs_event_core.WookComposable<{
-    getStateStrategy: () => _prostojs_wf_outlets.WfStateStrategy;
     getOutlets: () => Map<string, _prostojs_wf_outlets.WfOutlet>;
     getOutlet: (name: string) => _prostojs_wf_outlets.WfOutlet | null;
 }>;
@@ -85,6 +84,58 @@ declare const useWfFinished: _wooksjs_event_core.WookComposable<{
     get: () => WfFinishedResponse | undefined;
 }>;
 
+/**
+ * Composable for inspecting / swapping the active state strategy name from
+ * within a workflow step. The new name applies to the NEXT pause — it travels
+ * back to the outlet trigger via `output.inputRequired.stateStrategy`, and
+ * persists in the issued token's prefix.
+ *
+ * The composable only validates the name FORMAT (regex). Existence in the
+ * trigger's strategy registry is validated at pause time by the trigger
+ * itself — `swapStrategy('typo')` here will not throw; the trigger will
+ * throw on pause when it can't find 'typo' in its registry.
+ *
+ * @example
+ * ```ts
+ * // Step that escalates from in-memory state to a durable KV store before
+ * // pausing for a long-running approval:
+ * app.step('await-approval', {
+ *   handler: () => {
+ *     swapStrategy('kv')
+ *     return outletHttp({ fields: ['decision'] })
+ *   },
+ * })
+ * ```
+ */
+declare const useWfStrategy: _wooksjs_event_core.WookComposable<{
+    /** Name of the strategy currently set for the next persist. */
+    current: () => string;
+    /**
+     * Swap the active strategy by name. Validates name format only; unknown
+     * names surface as a loud error at pause time from the trigger.
+     */
+    swap: (name: string) => void;
+}>;
+/**
+ * Sugar — calls `useWfStrategy().swap(name)`. Returns `undefined` so a step
+ * can write `return swapStrategy('kv')` when no outlet pause follows.
+ */
+declare function swapStrategy(name: string): undefined;
+
+/**
+ * `WfOutletRequest` extended with the strategy name that was active when the
+ * workflow paused. The WF adapter augments `output.inputRequired` with this
+ * field so callers can persist the next token under the post-swap strategy
+ * without depending on EventContext write-through.
+ *
+ * The field is named generically (`stateStrategy`) — outlet handlers that
+ * don't care about strategies ignore it; outlet triggers and offline
+ * resume drivers read it to look up the right strategy in their registry.
+ */
+type WfPauseRequest<P = unknown> = WfOutletRequest<P> & {
+    stateStrategy?: string;
+};
+
 interface WfOutletTokenConfig {
     /** Where to read state token from incoming request (default: `['body', 'query', 'cookie']`) */
     read?: Array<'body' | 'query' | 'cookie'>;
@@ -99,26 +150,28 @@ interface WfOutletTriggerConfig {
     /** Blacklist of workflow IDs. Checked after allow. */
     block?: string[];
     /**
-     * State persistence strategy. Either a single strategy shared by all
-     * workflows, or a function that returns a strategy per workflow ID.
+     * State persistence strategy. Two forms:
      *
-     * **Constraint when using the function form.** The trigger resolves the
-     * strategy at resume time using the `wfid` from the request. If the resume
-     * request does not include `wfid` (e.g. cookie-only transport, token-only
-     * body), the trigger calls `config.state('')` — meaning:
+     * - **Single-strategy shortcut**: pass a `WfStateStrategy` directly. The
+     *   trigger registers it internally under the name `'default'`.
+     * - **Named map**: `{ strategies, default }` where `strategies` is a
+     *   `Record<name, WfStateStrategy>` and `default` is either the name to use
+     *   on workflow start or a function `(wfid) => name` that picks per
+     *   workflow id. Steps may then call `swapStrategy(name)` to escalate the
+     *   *next* outlet pause to a different strategy.
      *
-     * - EITHER all strategies returned by the function must share the same
-     *   underlying storage (same Redis instance, same `WfStateStore`, same
-     *   encryption key), so `consume`/`retrieve` operations work regardless of
-     *   which strategy instance is picked;
-     * - OR every resume request must carry `wfid` so the correct strategy is
-     *   always resolved.
+     * The active strategy name is embedded in the issued token as `<name>.<raw>`,
+     * so resume always picks the strategy that persisted the state. Each
+     * strategy can therefore have its own independent storage (no need for
+     * shared keyspaces between strategies).
      *
-     * Violating this contract silently breaks single-use token invalidation:
-     * the `consume` call runs against the wrong strategy's storage, and the
-     * token remains live in the real strategy.
+     * Strategy names must match `/^[A-Za-z0-9_-]+$/` (validated at trigger
+     * invocation).
      */
-    state: WfStateStrategy | ((wfid: string) => WfStateStrategy);
+    state: WfStateStrategy | {
+        strategies: Record<string, WfStateStrategy>;
+        default: string | ((wfid: string) => string);
+    };
     /** Registered outlets */
     outlets: WfOutlet[];
     /** Token configuration (reading, writing, naming) */
@@ -148,7 +201,10 @@ interface WfOutletTriggerDeps {
     start: (schemaId: string, context: unknown, opts?: {
         input?: unknown;
         eventContext?: unknown;
-    }) => Promise<TFlowOutput<unknown, unknown, WfOutletRequest>>;
+        strategy?: {
+            name: string;
+        };
+    }) => Promise<TFlowOutput<unknown, unknown, WfPauseRequest>>;
     /** Resume a workflow. Provided by WooksWf or MoostWf. */
     resume: (state: {
         schemaId: string;
@@ -157,7 +213,10 @@ interface WfOutletTriggerDeps {
     }, opts?: {
         input?: unknown;
         eventContext?: unknown;
-    }) => Promise<TFlowOutput<unknown, unknown, WfOutletRequest>>;
+        strategy?: {
+            name: string;
+        };
+    }) => Promise<TFlowOutput<unknown, unknown, WfPauseRequest>>;
 }
 
 /**
@@ -281,6 +340,20 @@ interface TWfRunOptions<I = unknown, T = unknown, IR = unknown> {
      * Pass `current()` from within an active event scope (HTTP handler, etc.).
      */
     eventContext?: EventContext;
+    /**
+     * Initial state strategy for the workflow run. Sets the strategy name on
+     * the WF event context so steps can inspect it via `useWfStrategy().current()`
+     * and swap it via `useWfStrategy().swap(name)`. The final post-swap name
+     * is reflected on `output.inputRequired.stateStrategy` (when paused) so
+     * callers can persist under the right keyspace without depending on
+     * EventContext write-through.
+     *
+     * The adapter only carries the name — strategy instances live in the
+     * caller (HTTP trigger, offline driver, etc.).
+     */
+    strategy?: {
+        name: string;
+    };
 }
 /** Wooks adapter for defining and executing workflow schemas with step-based routing. */
 declare class WooksWf<T = any, IR = any> extends WooksAdapterBase {
@@ -349,5 +422,5 @@ declare class WooksWf<T = any, IR = any> extends WooksAdapterBase {
  */
 declare function createWfApp<T>(opts?: TWooksWfOptions, wooks?: Wooks | WooksAdapterBase): WooksWf<T, any>;
 
-export { WooksWf, createEmailOutlet, createHttpOutlet, createOutletHandler, createWfApp, createWfContext, handleWfOutletRequest, resumeKey, resumeWfContext, useWfFinished, useWfOutlet, useWfState, wfKind, wfShortcuts };
-export type { TWFEventInput, TWfRunOptions, TWooksWfOptions, WfFinishedResponse, WfOutletTokenConfig, WfOutletTriggerConfig, WfOutletTriggerDeps };
+export { WooksWf, createEmailOutlet, createHttpOutlet, createOutletHandler, createWfApp, createWfContext, handleWfOutletRequest, resumeKey, resumeWfContext, swapStrategy, useWfFinished, useWfOutlet, useWfState, useWfStrategy, wfKind, wfShortcuts };
+export type { TWFEventInput, TWfRunOptions, TWooksWfOptions, WfFinishedResponse, WfOutletTokenConfig, WfOutletTriggerConfig, WfOutletTriggerDeps, WfPauseRequest };

package/dist/index.mjs

@@ -1,7 +1,7 @@
 import { createEventContext, current, defineEventKind, defineWook, key, slot, useLogger, useRouteParams } from "@wooksjs/event-core";
 import { useCookies, useResponse, useUrlParams } from "@wooksjs/event-http";
 import { useBody } from "@wooksjs/http-body";
-import { createCipheriv, createDecipheriv, randomBytes, randomUUID } from "node:crypto";
+import { EncapsulatedStateStrategy, HandleStateStrategy, WfStateStoreMemory, outlet, outletEmail, outletHttp } from "@prostojs/wf/outlets";
 import { StepRetriableError, Workflow, createStep } from "@prostojs/wf";
 import { WooksAdapterBase } from "wooks";
 
@@ -56,8 +56,6 @@ function resumeWfContext(options, seeds, fn) {
 //#region packages/event-wf/src/outlets/outlet-context.ts
 /** Registered outlet handlers, keyed by name */
 const outletsRegistryKey = key("wf.outlets.registry");
-/** Active state strategy for current request */
-const stateStrategyKey = key("wf.outlets.stateStrategy");
 /** Finished response set by workflow steps */
 const wfFinishedKey = key("wf.outlets.finished");
 
@@ -71,7 +69,6 @@ const wfFinishedKey = key("wf.outlets.finished");
 * where steps need to inspect or modify outlet state directly.
 */
 const useWfOutlet = defineWook((ctx) => ({
-	getStateStrategy: () => ctx.get(stateStrategyKey),
 	getOutlets: () => ctx.get(outletsRegistryKey),
 	getOutlet: (name) => ctx.get(outletsRegistryKey)?.get(name) ?? null
 }));
@@ -95,8 +92,81 @@ const useWfFinished = defineWook((ctx) => ({
 	get: () => ctx.has(wfFinishedKey) ? ctx.get(wfFinishedKey) : void 0
 }));
 
+//#endregion
+//#region packages/event-wf/src/strategy-context.ts
+/** Name of the strategy currently active for the running workflow. */
+const stateStrategyNameKey = key("wf.strategyName");
+/** Strategy names must match this regex (validated at swap call + config). */
+const STRATEGY_NAME_RE = /^[A-Za-z0-9_-]+$/;
+
+//#endregion
+//#region packages/event-wf/src/outlets/use-wf-strategy.ts
+/**
+* Composable for inspecting / swapping the active state strategy name from
+* within a workflow step. The new name applies to the NEXT pause — it travels
+* back to the outlet trigger via `output.inputRequired.stateStrategy`, and
+* persists in the issued token's prefix.
+*
+* The composable only validates the name FORMAT (regex). Existence in the
+* trigger's strategy registry is validated at pause time by the trigger
+* itself — `swapStrategy('typo')` here will not throw; the trigger will
+* throw on pause when it can't find 'typo' in its registry.
+*
+* @example
+* ```ts
+* // Step that escalates from in-memory state to a durable KV store before
+* // pausing for a long-running approval:
+* app.step('await-approval', {
+*   handler: () => {
+*     swapStrategy('kv')
+*     return outletHttp({ fields: ['decision'] })
+*   },
+* })
+* ```
+*/
+const useWfStrategy = defineWook((ctx) => ({
+	current: () => ctx.get(stateStrategyNameKey),
+	swap: (name) => {
+		if (!STRATEGY_NAME_RE.test(name)) throw new Error(`swapStrategy: invalid name '${name}' — must match ${STRATEGY_NAME_RE}`);
+		ctx.set(stateStrategyNameKey, name);
+	}
+}));
+/**
+* Sugar — calls `useWfStrategy().swap(name)`. Returns `undefined` so a step
+* can write `return swapStrategy('kv')` when no outlet pause follows.
+*/
+function swapStrategy(name) {
+	useWfStrategy().swap(name);
+}
+
 //#endregion
 //#region packages/event-wf/src/outlets/trigger.ts
+function wrapToken(name, raw) {
+	return `${name}.${raw}`;
+}
+function unwrapToken(token) {
+	const i = token.indexOf(".");
+	if (i <= 0 || i === token.length - 1) return null;
+	return {
+		name: token.slice(0, i),
+		raw: token.slice(i + 1)
+	};
+}
+function normalizeStateConfig(state) {
+	if (typeof state === "object" && state !== null && "strategies" in state) {
+		const registry = state.strategies;
+		for (const name of Object.keys(registry)) if (!STRATEGY_NAME_RE.test(name)) throw new Error(`Invalid strategy name '${name}': must match /^[A-Za-z0-9_-]+$/`);
+		const def = state.default;
+		return {
+			registry,
+			resolveDefaultName: typeof def === "function" ? def : (_wfid) => def
+		};
+	}
+	return {
+		registry: { default: state },
+		resolveDefaultName: () => "default"
+	};
+}
 /**
 * Handle an HTTP request that starts or resumes a workflow.
 *
@@ -128,6 +198,7 @@ async function handleWfOutletRequest(config, deps) {
 	const registry = new Map(config.outlets.map((o) => [o.name, o]));
 	ctx.set(outletsRegistryKey, registry);
 	ctx.set(wfFinishedKey, void 0);
+	const { registry: strategyRegistry, resolveDefaultName } = normalizeStateConfig(config.state);
 	const { parseBody } = useBody();
 	const { params } = useUrlParams();
 	const { getCookie } = useCookies();
@@ -143,27 +214,31 @@ async function handleWfOutletRequest(config, deps) {
 	}
 	const wfid = body?.[wfidName] ?? queryParams.get(wfidName) ?? void 0;
 	const input = body?.input;
-	const resolveStrategy = (id) => typeof config.state === "function" ? config.state(id) : config.state;
 	let output;
-	let strategyReResolved = false;
+	let incomingName;
+	let incomingRaw;
 	if (token) {
-		const strategy = resolveStrategy(wfid ?? "");
-		ctx.set(stateStrategyKey, strategy);
-		const state = await strategy.consume(token);
+		const unwrapped = unwrapToken(token);
+		if (!unwrapped) {
+			response.setStatus(410);
+			return { error: "Invalid workflow state token" };
+		}
+		const strategy = Object.prototype.hasOwnProperty.call(strategyRegistry, unwrapped.name) ? strategyRegistry[unwrapped.name] : void 0;
+		if (!strategy) {
+			response.setStatus(410);
+			return { error: "Invalid workflow state token" };
+		}
+		incomingName = unwrapped.name;
+		incomingRaw = unwrapped.raw;
+		const state = await strategy.consume(unwrapped.raw);
 		if (!state) {
 			response.setStatus(410);
 			return { error: "Invalid or expired workflow state" };
 		}
-		if (state.schemaId !== (wfid ?? "")) {
-			const realStrategy = resolveStrategy(state.schemaId);
-			if (realStrategy !== strategy) {
-				ctx.set(stateStrategyKey, realStrategy);
-				strategyReResolved = true;
-			}
-		}
 		output = await deps.resume(state, {
 			input,
-			eventContext: ctx
+			eventContext: ctx,
+			strategy: { name: incomingName }
 		});
 	} else if (wfid) {
 		if (config.allow?.length && !config.allow.includes(wfid)) {
@@ -174,12 +249,13 @@ async function handleWfOutletRequest(config, deps) {
 			response.setStatus(403);
 			return { error: `Workflow '${wfid}' is blocked` };
 		}
-		const strategy = resolveStrategy(wfid);
-		ctx.set(stateStrategyKey, strategy);
+		const defaultName = resolveDefaultName(wfid);
+		if (!(Object.prototype.hasOwnProperty.call(strategyRegistry, defaultName) ? strategyRegistry[defaultName] : void 0)) throw new Error(`Default strategy '${defaultName}' not found in registry. Known: ${Object.keys(strategyRegistry).join(", ")}`);
 		const initialContext = config.initialContext ? config.initialContext(body, wfid) : {};
 		output = await deps.start(wfid, initialContext, {
 			input,
-			eventContext: ctx
+			eventContext: ctx,
+			strategy: { name: defaultName }
 		});
 	} else {
 		response.setStatus(400);
@@ -210,13 +286,16 @@ async function handleWfOutletRequest(config, deps) {
 			response.setStatus(500);
 			return { error: `Unknown outlet: '${outletReq.outlet}'` };
 		}
-		const strategy = ctx.get(stateStrategyKey);
+		const finalName = outletReq.stateStrategy;
+		if (finalName === void 0) throw new Error("Workflow paused without `stateStrategy` on inputRequired — the WF adapter must augment the output with the active strategy name.");
+		const finalStrategy = Object.prototype.hasOwnProperty.call(strategyRegistry, finalName) ? strategyRegistry[finalName] : void 0;
+		if (!finalStrategy) throw new Error(`Workflow paused with unknown strategy '${finalName}' — step swapped to a name not in the trigger's registry. Known: ${Object.keys(strategyRegistry).join(", ")}`);
 		const stateWithMeta = {
 			...output.state,
 			meta: { outlet: outletReq.outlet }
 		};
-		const reuseHandle = token && !strategyReResolved ? { handle: token } : void 0;
-		const newToken = await strategy.persist(stateWithMeta, output.expires ? { ttl: output.expires - Date.now() } : void 0, reuseHandle);
+		const reuseHandle = incomingName !== void 0 && incomingName === finalName && incomingRaw !== void 0 ? { handle: incomingRaw } : void 0;
+		const newToken = wrapToken(finalName, await finalStrategy.persist(stateWithMeta, output.expires ? { ttl: output.expires - Date.now() } : void 0, reuseHandle));
 		const outOfBand = outletHandler.tokenDelivery === "out-of-band";
 		if (tokenWrite === "cookie" && !outOfBand) response.setCookie(tokenName, newToken, {
 			httpOnly: true,
@@ -319,219 +398,6 @@ function createOutletHandler(wfApp) {
 	});
 }
 
-//#endregion
-//#region node_modules/.pnpm/@prostojs+wf@0.2.1/node_modules/@prostojs/wf/dist/outlets/index.mjs
-/**
-* Generic outlet request. Use for custom outlets.
-*
-* @example
-* return outlet('pending-task', {
-*   payload: ApprovalForm,
-*   target: managerId,
-*   context: { orderId, amount },
-* })
-*/
-function outlet(name, data) {
-	return { inputRequired: {
-		outlet: name,
-		...data
-	} };
-}
-/**
-* Pause for HTTP form input. The outlet returns the payload (form definition)
-* and state token in the HTTP response.
-*
-* @example
-* return outletHttp(LoginForm)
-* return outletHttp(LoginForm, { error: 'Invalid credentials' })
-*/
-function outletHttp(payload, context) {
-	return outlet("http", {
-		payload,
-		context
-	});
-}
-/**
-* Pause and send email with a magic link containing the state token.
-*
-* @example
-* return outletEmail('user@test.com', 'invite', { name: 'Alice' })
-*/
-function outletEmail(target, template, context) {
-	return outlet("email", {
-		target,
-		template,
-		context
-	});
-}
-/**
-* Self-contained AES-256-GCM encrypted state strategy.
-*
-* Workflow state is encrypted into a base64url token that travels with the
-* transport (cookie, URL param, hidden field). No server-side storage needed.
-*
-* Token format: `base64url(iv[12] + authTag[16] + ciphertext)`
-*
-* ## Security warning — replay
-*
-* This strategy is STATELESS. It cannot enforce single-use semantics:
-* `consume()` is a no-op alias for `retrieve()` because there is no
-* server-side record to delete. Anyone who obtains a copy of the token
-* (browser history, server logs, shoulder-surfing, intermediate proxy,
-* shared device) can replay it until the TTL expires.
-*
-* Use `EncapsulatedStateStrategy` ONLY when BOTH of the following hold:
-*
-* 1. Every workflow step is idempotent — re-executing a step with the same
-*    input produces no harmful side effects (pure data collection,
-*    validation-only steps).
-* 2. The flow is not security-sensitive — no credential changes, financial
-*    operations, account provisioning, permission grants, or any other
-*    privileged action.
-*
-* For auth flows (login, password reset, invite accept), financial
-* operations, or anything with meaningful side effects, use
-* `HandleStateStrategy` with a durable `WfStateStore`. `HandleStateStrategy`
-* supports true single-use tokens via atomic `getAndDelete` at the store
-* layer.
-*
-* @example
-* const strategy = new EncapsulatedStateStrategy({
-*     secret: crypto.randomBytes(32),
-*     defaultTtl: 3600_000, // 1 hour
-* });
-* const token = await strategy.persist(state);
-* const recovered = await strategy.retrieve(token);
-*/
-var EncapsulatedStateStrategy = class {
-	/** @throws if secret is not exactly 32 bytes */
-	constructor(config) {
-		this.config = config;
-		this.key = typeof config.secret === "string" ? Buffer.from(config.secret, "hex") : config.secret;
-		if (this.key.length !== 32) throw new Error("EncapsulatedStateStrategy: secret must be exactly 32 bytes");
-	}
-	/**
-	* Encrypt workflow state into a self-contained token.
-	*
-	* NOTE: the `overrides.handle` hint from `WfStateStrategy` is silently
-	* ignored — the encapsulated token IS the ciphertext of the state, so a
-	* fixed handle cannot map to changing state. Callers that need handle
-	* stability across calls must use `HandleStateStrategy`.
-	*
-	* @param state — workflow state to persist
-	* @param options.ttl — time-to-live in ms (overrides defaultTtl)
-	* @returns base64url-encoded encrypted token
-	*/
-	async persist(state, options, _overrides) {
-		const ttl = options?.ttl ?? this.config.defaultTtl ?? 0;
-		const exp = ttl > 0 ? Date.now() + ttl : 0;
-		const payload = JSON.stringify({
-			s: state,
-			e: exp
-		});
-		const iv = randomBytes(12);
-		const cipher = createCipheriv("aes-256-gcm", this.key, iv);
-		const encrypted = Buffer.concat([cipher.update(payload, "utf8"), cipher.final()]);
-		const tag = cipher.getAuthTag();
-		return Buffer.concat([
-			iv,
-			tag,
-			encrypted
-		]).toString("base64url");
-	}
-	/** Decrypt and return workflow state. Returns null if token is invalid, expired, or tampered. */
-	async retrieve(token) {
-		return this.decrypt(token);
-	}
-	/**
-	* Stateless — CANNOT invalidate the token. Returns identical result to
-	* `retrieve()`. See the class-level security warning.
-	*
-	* This method exists only to satisfy the `WfStateStrategy` contract.
-	* Callers that need true single-use semantics must use
-	* `HandleStateStrategy`.
-	*/
-	async consume(token) {
-		return this.decrypt(token);
-	}
-	decrypt(token) {
-		try {
-			const buf = Buffer.from(token, "base64url");
-			if (buf.length < 28) return null;
-			const iv = buf.subarray(0, 12);
-			const tag = buf.subarray(12, 28);
-			const ciphertext = buf.subarray(28);
-			const decipher = createDecipheriv("aes-256-gcm", this.key, iv);
-			decipher.setAuthTag(tag);
-			const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-			const { s: state, e: exp } = JSON.parse(decrypted.toString("utf8"));
-			if (exp > 0 && Date.now() > exp) return null;
-			return state;
-		} catch {
-			return null;
-		}
-	}
-};
-var HandleStateStrategy = class {
-	constructor(config) {
-		this.config = config;
-	}
-	async persist(state, options, overrides) {
-		const handle = overrides?.handle ?? (this.config.generateHandle ?? randomUUID)();
-		const ttl = options?.ttl ?? this.config.defaultTtl ?? 0;
-		const expiresAt = ttl > 0 ? Date.now() + ttl : void 0;
-		await this.config.store.set(handle, state, expiresAt);
-		return handle;
-	}
-	async retrieve(token) {
-		return (await this.config.store.get(token))?.state ?? null;
-	}
-	async consume(token) {
-		return (await this.config.store.getAndDelete(token))?.state ?? null;
-	}
-};
-/**
-* In-memory state store for development and testing.
-* State is lost on process restart.
-*/
-var WfStateStoreMemory = class {
-	constructor() {
-		this.store = /* @__PURE__ */ new Map();
-	}
-	async set(handle, state, expiresAt) {
-		this.store.set(handle, {
-			state,
-			expiresAt
-		});
-	}
-	async get(handle) {
-		const entry = this.store.get(handle);
-		if (!entry) return null;
-		if (entry.expiresAt && Date.now() > entry.expiresAt) {
-			this.store.delete(handle);
-			return null;
-		}
-		return entry;
-	}
-	async delete(handle) {
-		this.store.delete(handle);
-	}
-	async getAndDelete(handle) {
-		const entry = await this.get(handle);
-		if (entry) this.store.delete(handle);
-		return entry;
-	}
-	async cleanup() {
-		const now = Date.now();
-		let count = 0;
-		for (const [handle, entry] of this.store) if (entry.expiresAt && now > entry.expiresAt) {
-			this.store.delete(handle);
-			count++;
-		}
-		return count;
-	}
-};
-
 //#endregion
 //#region packages/event-wf/src/workflow.ts
 /** Workflow engine that resolves steps via Wooks router lookup. */
@@ -639,6 +505,7 @@ var WooksWf = class extends WooksAdapterBase {
 			indexes,
 			input
 		}, async () => {
+			if (opts?.strategy?.name !== void 0) current().set(stateStrategyNameKey, opts.strategy.name);
 			const { handlers: foundHandlers } = this.wooks.lookup("WF_FLOW", `/${schemaId}`.replace(/^\/+/u, "/"));
 			const handlers = foundHandlers || this.opts?.onNotFound && [this.opts.onNotFound] || null;
 			if (handlers && handlers.length > 0) {
@@ -672,6 +539,10 @@ var WooksWf = class extends WooksAdapterBase {
 					throw error;
 				}
 				clean();
+				if (result.inputRequired) {
+					const finalName = current().get(stateStrategyNameKey);
+					if (finalName !== void 0) result.inputRequired.stateStrategy = finalName;
+				}
 				if (result.resume) result.resume = (_input) => this.resume(result.state, {
 					input: _input,
 					spy,
@@ -716,4 +587,4 @@ function createWfApp(opts, wooks) {
 }
 
 //#endregion
-export { EncapsulatedStateStrategy, HandleStateStrategy, StepRetriableError, WfStateStoreMemory, WooksWf, createEmailOutlet, createHttpOutlet, createOutletHandler, createWfApp, createWfContext, handleWfOutletRequest, outlet, outletEmail, outletHttp, resumeKey, resumeWfContext, useLogger, useRouteParams, useWfFinished, useWfOutlet, useWfState, wfKind, wfShortcuts };
+export { EncapsulatedStateStrategy, HandleStateStrategy, StepRetriableError, WfStateStoreMemory, WooksWf, createEmailOutlet, createHttpOutlet, createOutletHandler, createWfApp, createWfContext, handleWfOutletRequest, outlet, outletEmail, outletHttp, resumeKey, resumeWfContext, swapStrategy, useLogger, useRouteParams, useWfFinished, useWfOutlet, useWfState, useWfStrategy, wfKind, wfShortcuts };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wooksjs/event-wf",
-  "version": "0.7.14",
+  "version": "0.7.16",
   "description": "@wooksjs/event-wf",
   "keywords": [
     "app",
@@ -42,17 +42,17 @@
   "devDependencies": {
     "typescript": "^5.9.3",
     "vitest": "^3.2.4",
-    "@wooksjs/event-http": "^0.7.14",
-    "wooks": "^0.7.14",
-    "@wooksjs/http-body": "^0.7.14",
-    "@wooksjs/event-core": "^0.7.14"
+    "@wooksjs/event-core": "^0.7.16",
+    "@wooksjs/event-http": "^0.7.16",
+    "wooks": "^0.7.16",
+    "@wooksjs/http-body": "^0.7.16"
   },
   "peerDependencies": {
     "@prostojs/logger": "^0.4.3",
-    "@wooksjs/event-core": "^0.7.14",
-    "@wooksjs/event-http": "^0.7.14",
-    "wooks": "^0.7.14",
-    "@wooksjs/http-body": "^0.7.14"
+    "@wooksjs/event-core": "^0.7.16",
+    "@wooksjs/http-body": "^0.7.16",
+    "wooks": "^0.7.16",
+    "@wooksjs/event-http": "^0.7.16"
   },
   "peerDependenciesMeta": {
     "@wooksjs/event-http": {