npm - @zero-server/sdk - Versions diffs - 0.9.0 → 0.9.2 - Mend

@zero-server/sdk 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (126) hide show

package/LICENSE +21 -21
package/README.md +460 -437
package/index.js +414 -412
package/lib/app.js +1172 -1172
package/lib/auth/authorize.js +399 -399
package/lib/auth/enrollment.js +367 -367
package/lib/auth/index.js +57 -57
package/lib/auth/jwt.js +731 -731
package/lib/auth/oauth.js +362 -362
package/lib/auth/session.js +588 -588
package/lib/auth/trustedDevice.js +409 -409
package/lib/auth/twoFactor.js +1150 -1150
package/lib/auth/webauthn.js +946 -946
package/lib/body/index.js +14 -14
package/lib/body/json.js +109 -109
package/lib/body/multipart.js +440 -440
package/lib/body/raw.js +71 -71
package/lib/body/rawBuffer.js +160 -160
package/lib/body/sendError.js +25 -25
package/lib/body/text.js +75 -75
package/lib/body/typeMatch.js +41 -41
package/lib/body/urlencoded.js +235 -235
package/lib/cli.js +845 -845
package/lib/cluster.js +666 -666
package/lib/debug.js +372 -372
package/lib/env/index.js +460 -460
package/lib/errors.js +683 -683
package/lib/fetch/index.js +256 -256
package/lib/grpc/balancer.js +378 -378
package/lib/grpc/call.js +708 -708
package/lib/grpc/client.js +764 -764
package/lib/grpc/codec.js +1221 -1221
package/lib/grpc/credentials.js +398 -398
package/lib/grpc/frame.js +262 -262
package/lib/grpc/health.js +287 -287
package/lib/grpc/index.js +121 -121
package/lib/grpc/metadata.js +461 -461
package/lib/grpc/proto.js +821 -821
package/lib/grpc/reflection.js +590 -590
package/lib/grpc/server.js +445 -445
package/lib/grpc/status.js +118 -118
package/lib/grpc/watch.js +173 -173
package/lib/http/index.js +10 -10
package/lib/http/request.js +727 -727
package/lib/http/response.js +799 -799
package/lib/lifecycle.js +557 -557
package/lib/middleware/compress.js +230 -230
package/lib/middleware/cookieParser.js +237 -237
package/lib/middleware/cors.js +93 -93
package/lib/middleware/csrf.js +136 -136
package/lib/middleware/errorHandler.js +101 -101
package/lib/middleware/helmet.js +175 -175
package/lib/middleware/index.js +19 -17
package/lib/middleware/logger.js +74 -74
package/lib/middleware/rateLimit.js +88 -88
package/lib/middleware/requestId.js +53 -53
package/lib/middleware/static.js +326 -326
package/lib/middleware/timeout.js +71 -71
package/lib/middleware/validator.js +254 -254
package/lib/observe/health.js +326 -326
package/lib/observe/index.js +50 -50
package/lib/observe/logger.js +359 -359
package/lib/observe/metrics.js +805 -805
package/lib/observe/tracing.js +592 -592
package/lib/orm/adapters/json.js +290 -290
package/lib/orm/adapters/memory.js +764 -764
package/lib/orm/adapters/mongo.js +764 -764
package/lib/orm/adapters/mysql.js +933 -933
package/lib/orm/adapters/postgres.js +1144 -1144
package/lib/orm/adapters/redis.js +1534 -1534
package/lib/orm/adapters/sql-base.js +212 -212
package/lib/orm/adapters/sqlite.js +858 -858
package/lib/orm/audit.js +649 -649
package/lib/orm/cache.js +394 -394
package/lib/orm/geo.js +387 -387
package/lib/orm/index.js +784 -784
package/lib/orm/migrate.js +432 -432
package/lib/orm/model.js +1706 -1706
package/lib/orm/plugin.js +375 -375
package/lib/orm/procedures.js +836 -836
package/lib/orm/profiler.js +233 -233
package/lib/orm/query.js +1772 -1772
package/lib/orm/replicas.js +241 -241
package/lib/orm/schema.js +307 -307
package/lib/orm/search.js +380 -380
package/lib/orm/seed/data/commerce.js +136 -136
package/lib/orm/seed/data/internet.js +111 -111
package/lib/orm/seed/data/locations.js +204 -204
package/lib/orm/seed/data/names.js +338 -338
package/lib/orm/seed/data/person.js +128 -128
package/lib/orm/seed/data/phone.js +211 -211
package/lib/orm/seed/data/words.js +134 -134
package/lib/orm/seed/factory.js +178 -178
package/lib/orm/seed/fake.js +1186 -1186
package/lib/orm/seed/index.js +18 -18
package/lib/orm/seed/rng.js +70 -70
package/lib/orm/seed/seeder.js +124 -124
package/lib/orm/seed/unique.js +68 -68
package/lib/orm/snapshot.js +366 -366
package/lib/orm/tenancy.js +605 -605
package/lib/orm/views.js +350 -350
package/lib/router/index.js +436 -436
package/lib/sse/index.js +8 -8
package/lib/sse/stream.js +349 -349
package/lib/ws/connection.js +451 -451
package/lib/ws/handshake.js +125 -125
package/lib/ws/index.js +14 -14
package/lib/ws/room.js +223 -223
package/package.json +73 -73
package/types/app.d.ts +223 -223
package/types/auth.d.ts +520 -520
package/types/cluster.d.ts +75 -75
package/types/env.d.ts +80 -80
package/types/errors.d.ts +316 -316
package/types/fetch.d.ts +43 -43
package/types/grpc.d.ts +432 -432
package/types/index.d.ts +384 -384
package/types/lifecycle.d.ts +60 -60
package/types/middleware.d.ts +320 -320
package/types/observe.d.ts +304 -304
package/types/orm.d.ts +1887 -1887
package/types/request.d.ts +109 -109
package/types/response.d.ts +157 -157
package/types/router.d.ts +78 -78
package/types/sse.d.ts +78 -78
package/types/websocket.d.ts +126 -126

package/lib/middleware/helmet.js CHANGED Viewed

@@ -1,176 +1,176 @@
-/**
- * @module helmet
- * @description Security headers middleware.
- *              Sets common security-related HTTP response headers to help
- *              protect against well-known web vulnerabilities (XSS, clickjacking,
- *              MIME sniffing, etc.).
- *
- *              Inspired by the `helmet` npm package but zero-dependency.
- */
-/**
- * Create a security headers middleware.
- *
+/**
+ * @module helmet
+ * @description Security headers middleware.
+ *              Sets common security-related HTTP response headers to help
+ *              protect against well-known web vulnerabilities (XSS, clickjacking,
+ *              MIME sniffing, etc.).
+ *
+ *              Inspired by the `helmet` npm package but zero-dependency.
+ */
+/**
+ * Create a security headers middleware.
+ *
  * @param {object}  [opts] - Configuration options.
- * @param {object|false}  [opts.contentSecurityPolicy]      - CSP directive object or `false` to disable.
- * @param {boolean}       [opts.crossOriginEmbedderPolicy=false]  - Set COEP header.
- * @param {string|false}  [opts.crossOriginOpenerPolicy='same-origin'] - COOP value.
- * @param {string|false}  [opts.crossOriginResourcePolicy='same-origin'] - CORP value.
- * @param {boolean}       [opts.dnsPrefetchControl=true]    - Set X-DNS-Prefetch-Control: off.
- * @param {string|false}  [opts.frameguard='deny']          - X-Frame-Options value ('deny' | 'sameorigin').
- * @param {boolean}       [opts.hidePoweredBy=true]         - Remove X-Powered-By header.
- * @param {boolean|number}[opts.hsts=true]                  - Set Strict-Transport-Security.
- * @param {number}        [opts.hstsMaxAge=15552000]        - HSTS max-age in seconds (default ~180 days).
- * @param {boolean}       [opts.hstsIncludeSubDomains=true] - HSTS includeSubDomains directive.
- * @param {boolean}       [opts.hstsPreload=false]          - HSTS preload directive.
- * @param {boolean}       [opts.ieNoOpen=true]              - Set X-Download-Options: noopen.
- * @param {boolean}       [opts.noSniff=true]               - Set X-Content-Type-Options: nosniff.
- * @param {string|false}  [opts.permittedCrossDomainPolicies='none'] - X-Permitted-Cross-Domain-Policies.
- * @param {string|false}  [opts.referrerPolicy='no-referrer'] - Referrer-Policy value.
- * @param {boolean}       [opts.xssFilter=false]            - Set X-XSS-Protection (legacy, off by default).
- * @returns {Function} Middleware `(req, res, next) => void`.
- *
- * @example
- *   app.use(helmet());
- *   app.use(helmet({ frameguard: 'sameorigin', hsts: false }));
- *   app.use(helmet({
- *       contentSecurityPolicy: {
- *           directives: {
- *               defaultSrc: ["'self'"],
- *               scriptSrc: ["'self'", "'unsafe-inline'"],
- *               styleSrc: ["'self'", "'unsafe-inline'"],
- *               imgSrc: ["'self'", "data:", "https:"],
- *           }
- *       }
- *   }));
- */
-function helmet(opts = {})
-{
-    return (req, res, next) =>
-    {
-        const raw = res.raw || res;
-        // -- Content-Security-Policy --------------------
-        if (opts.contentSecurityPolicy !== false)
-        {
-            const csp = opts.contentSecurityPolicy || {};
-            const directives = csp.directives || {
-                defaultSrc: ["'self'"],
-                baseUri: ["'self'"],
-                fontSrc: ["'self'", 'https:', 'data:'],
-                formAction: ["'self'"],
-                frameAncestors: ["'self'"],
-                imgSrc: ["'self'", 'data:'],
-                objectSrc: ["'none'"],
-                scriptSrc: ["'self'"],
-                scriptSrcAttr: ["'none'"],
-                styleSrc: ["'self'", "'unsafe-inline'"],
-                upgradeInsecureRequests: [],
-            };
-            const cspString = Object.entries(directives)
-                .map(([key, values]) =>
-                {
-                    const directive = key.replace(/([A-Z])/g, '-$1').toLowerCase();
-                    if (Array.isArray(values) && values.length === 0) return directive;
-                    return `${directive} ${Array.isArray(values) ? values.join(' ') : values}`;
-                })
-                .join('; ');
-            if (cspString)
-            {
-                try { raw.setHeader('Content-Security-Policy', cspString); } catch (e) { }
-            }
-        }
-        // -- Cross-Origin-Embedder-Policy ---------------
-        if (opts.crossOriginEmbedderPolicy)
-        {
-            try { raw.setHeader('Cross-Origin-Embedder-Policy', 'require-corp'); } catch (e) { }
-        }
-        // -- Cross-Origin-Opener-Policy -----------------
-        if (opts.crossOriginOpenerPolicy !== false)
-        {
-            const coop = opts.crossOriginOpenerPolicy || 'same-origin';
-            try { raw.setHeader('Cross-Origin-Opener-Policy', coop); } catch (e) { }
-        }
-        // -- Cross-Origin-Resource-Policy ---------------
-        if (opts.crossOriginResourcePolicy !== false)
-        {
-            const corp = opts.crossOriginResourcePolicy || 'same-origin';
-            try { raw.setHeader('Cross-Origin-Resource-Policy', corp); } catch (e) { }
-        }
-        // -- DNS Prefetch Control -----------------------
-        if (opts.dnsPrefetchControl !== false)
-        {
-            try { raw.setHeader('X-DNS-Prefetch-Control', 'off'); } catch (e) { }
-        }
-        // -- Frameguard (X-Frame-Options) ---------------
-        if (opts.frameguard !== false)
-        {
-            const frame = (opts.frameguard || 'deny').toUpperCase();
-            try { raw.setHeader('X-Frame-Options', frame); } catch (e) { }
-        }
-        // -- Hide X-Powered-By -------------------------
-        if (opts.hidePoweredBy !== false)
-        {
-            try { raw.removeHeader('X-Powered-By'); } catch (e) { }
-        }
-        // -- HSTS ---------------------------------------
-        if (opts.hsts !== false)
-        {
-            const maxAge = opts.hstsMaxAge || 15552000;
-            let hstsValue = `max-age=${maxAge}`;
-            if (opts.hstsIncludeSubDomains !== false) hstsValue += '; includeSubDomains';
-            if (opts.hstsPreload) hstsValue += '; preload';
-            try { raw.setHeader('Strict-Transport-Security', hstsValue); } catch (e) { }
-        }
-        // -- IE No Open --------------------------------
-        if (opts.ieNoOpen !== false)
-        {
-            try { raw.setHeader('X-Download-Options', 'noopen'); } catch (e) { }
-        }
-        // -- No Sniff -----------------------------------
-        if (opts.noSniff !== false)
-        {
-            try { raw.setHeader('X-Content-Type-Options', 'nosniff'); } catch (e) { }
-        }
-        // -- Permitted Cross Domain Policies ------------
-        if (opts.permittedCrossDomainPolicies !== false)
-        {
-            const pcdp = opts.permittedCrossDomainPolicies || 'none';
-            try { raw.setHeader('X-Permitted-Cross-Domain-Policies', pcdp); } catch (e) { }
-        }
-        // -- Referrer Policy ----------------------------
-        if (opts.referrerPolicy !== false)
-        {
-            const rp = opts.referrerPolicy || 'no-referrer';
-            try { raw.setHeader('Referrer-Policy', rp); } catch (e) { }
-        }
-        // -- XSS Filter (legacy) -----------------------
-        if (opts.xssFilter)
-        {
-            try { raw.setHeader('X-XSS-Protection', '1; mode=block'); } catch (e) { }
-        }
-        else
-        {
-            // Modern best practice: disable legacy XSS auditor
-            try { raw.setHeader('X-XSS-Protection', '0'); } catch (e) { }
-        }
-        next();
-    };
-}
-module.exports = helmet;
+ * @param {object|false}  [opts.contentSecurityPolicy]      - CSP directive object or `false` to disable.
+ * @param {boolean}       [opts.crossOriginEmbedderPolicy=false]  - Set COEP header.
+ * @param {string|false}  [opts.crossOriginOpenerPolicy='same-origin'] - COOP value.
+ * @param {string|false}  [opts.crossOriginResourcePolicy='same-origin'] - CORP value.
+ * @param {boolean}       [opts.dnsPrefetchControl=true]    - Set X-DNS-Prefetch-Control: off.
+ * @param {string|false}  [opts.frameguard='deny']          - X-Frame-Options value ('deny' | 'sameorigin').
+ * @param {boolean}       [opts.hidePoweredBy=true]         - Remove X-Powered-By header.
+ * @param {boolean|number}[opts.hsts=true]                  - Set Strict-Transport-Security.
+ * @param {number}        [opts.hstsMaxAge=15552000]        - HSTS max-age in seconds (default ~180 days).
+ * @param {boolean}       [opts.hstsIncludeSubDomains=true] - HSTS includeSubDomains directive.
+ * @param {boolean}       [opts.hstsPreload=false]          - HSTS preload directive.
+ * @param {boolean}       [opts.ieNoOpen=true]              - Set X-Download-Options: noopen.
+ * @param {boolean}       [opts.noSniff=true]               - Set X-Content-Type-Options: nosniff.
+ * @param {string|false}  [opts.permittedCrossDomainPolicies='none'] - X-Permitted-Cross-Domain-Policies.
+ * @param {string|false}  [opts.referrerPolicy='no-referrer'] - Referrer-Policy value.
+ * @param {boolean}       [opts.xssFilter=false]            - Set X-XSS-Protection (legacy, off by default).
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example
+ *   app.use(helmet());
+ *   app.use(helmet({ frameguard: 'sameorigin', hsts: false }));
+ *   app.use(helmet({
+ *       contentSecurityPolicy: {
+ *           directives: {
+ *               defaultSrc: ["'self'"],
+ *               scriptSrc: ["'self'", "'unsafe-inline'"],
+ *               styleSrc: ["'self'", "'unsafe-inline'"],
+ *               imgSrc: ["'self'", "data:", "https:"],
+ *           }
+ *       }
+ *   }));
+ */
+function helmet(opts = {})
+{
+    return (req, res, next) =>
+    {
+        const raw = res.raw || res;
+        // -- Content-Security-Policy --------------------
+        if (opts.contentSecurityPolicy !== false)
+        {
+            const csp = opts.contentSecurityPolicy || {};
+            const directives = csp.directives || {
+                defaultSrc: ["'self'"],
+                baseUri: ["'self'"],
+                fontSrc: ["'self'", 'https:', 'data:'],
+                formAction: ["'self'"],
+                frameAncestors: ["'self'"],
+                imgSrc: ["'self'", 'data:'],
+                objectSrc: ["'none'"],
+                scriptSrc: ["'self'"],
+                scriptSrcAttr: ["'none'"],
+                styleSrc: ["'self'", "'unsafe-inline'"],
+                upgradeInsecureRequests: [],
+            };
+            const cspString = Object.entries(directives)
+                .map(([key, values]) =>
+                {
+                    const directive = key.replace(/([A-Z])/g, '-$1').toLowerCase();
+                    if (Array.isArray(values) && values.length === 0) return directive;
+                    return `${directive} ${Array.isArray(values) ? values.join(' ') : values}`;
+                })
+                .join('; ');
+            if (cspString)
+            {
+                try { raw.setHeader('Content-Security-Policy', cspString); } catch (e) { }
+            }
+        }
+        // -- Cross-Origin-Embedder-Policy ---------------
+        if (opts.crossOriginEmbedderPolicy)
+        {
+            try { raw.setHeader('Cross-Origin-Embedder-Policy', 'require-corp'); } catch (e) { }
+        }
+        // -- Cross-Origin-Opener-Policy -----------------
+        if (opts.crossOriginOpenerPolicy !== false)
+        {
+            const coop = opts.crossOriginOpenerPolicy || 'same-origin';
+            try { raw.setHeader('Cross-Origin-Opener-Policy', coop); } catch (e) { }
+        }
+        // -- Cross-Origin-Resource-Policy ---------------
+        if (opts.crossOriginResourcePolicy !== false)
+        {
+            const corp = opts.crossOriginResourcePolicy || 'same-origin';
+            try { raw.setHeader('Cross-Origin-Resource-Policy', corp); } catch (e) { }
+        }
+        // -- DNS Prefetch Control -----------------------
+        if (opts.dnsPrefetchControl !== false)
+        {
+            try { raw.setHeader('X-DNS-Prefetch-Control', 'off'); } catch (e) { }
+        }
+        // -- Frameguard (X-Frame-Options) ---------------
+        if (opts.frameguard !== false)
+        {
+            const frame = (opts.frameguard || 'deny').toUpperCase();
+            try { raw.setHeader('X-Frame-Options', frame); } catch (e) { }
+        }
+        // -- Hide X-Powered-By -------------------------
+        if (opts.hidePoweredBy !== false)
+        {
+            try { raw.removeHeader('X-Powered-By'); } catch (e) { }
+        }
+        // -- HSTS ---------------------------------------
+        if (opts.hsts !== false)
+        {
+            const maxAge = opts.hstsMaxAge || 15552000;
+            let hstsValue = `max-age=${maxAge}`;
+            if (opts.hstsIncludeSubDomains !== false) hstsValue += '; includeSubDomains';
+            if (opts.hstsPreload) hstsValue += '; preload';
+            try { raw.setHeader('Strict-Transport-Security', hstsValue); } catch (e) { }
+        }
+        // -- IE No Open --------------------------------
+        if (opts.ieNoOpen !== false)
+        {
+            try { raw.setHeader('X-Download-Options', 'noopen'); } catch (e) { }
+        }
+        // -- No Sniff -----------------------------------
+        if (opts.noSniff !== false)
+        {
+            try { raw.setHeader('X-Content-Type-Options', 'nosniff'); } catch (e) { }
+        }
+        // -- Permitted Cross Domain Policies ------------
+        if (opts.permittedCrossDomainPolicies !== false)
+        {
+            const pcdp = opts.permittedCrossDomainPolicies || 'none';
+            try { raw.setHeader('X-Permitted-Cross-Domain-Policies', pcdp); } catch (e) { }
+        }
+        // -- Referrer Policy ----------------------------
+        if (opts.referrerPolicy !== false)
+        {
+            const rp = opts.referrerPolicy || 'no-referrer';
+            try { raw.setHeader('Referrer-Policy', rp); } catch (e) { }
+        }
+        // -- XSS Filter (legacy) -----------------------
+        if (opts.xssFilter)
+        {
+            try { raw.setHeader('X-XSS-Protection', '1; mode=block'); } catch (e) { }
+        }
+        else
+        {
+            // Modern best practice: disable legacy XSS auditor
+            try { raw.setHeader('X-XSS-Protection', '0'); } catch (e) { }
+        }
+        next();
+    };
+}
+module.exports = helmet;

package/lib/middleware/index.js CHANGED Viewed

@@ -1,17 +1,19 @@
-/**
- * @module middleware
- * @description Built-in middleware for zero-server.
- *              Re-exports all middleware.
- */
-const cors = require('./cors');
-const logger = require('./logger');
-const rateLimit = require('./rateLimit');
-const compress = require('./compress');
-const serveStatic = require('./static');
-const helmet = require('./helmet');
-const timeout = require('./timeout');
-const requestId = require('./requestId');
-const cookieParser = require('./cookieParser');
-const errorHandler = require('./errorHandler');
-module.exports = { cors, logger, rateLimit, compress, static: serveStatic, helmet, timeout, requestId, cookieParser, errorHandler };
+/**
+ * @module middleware
+ * @description Built-in middleware for zero-server.
+ *              Re-exports all middleware.
+ */
+const cors = require('./cors');
+const logger = require('./logger');
+const rateLimit = require('./rateLimit');
+const compress = require('./compress');
+const serveStatic = require('./static');
+const helmet = require('./helmet');
+const timeout = require('./timeout');
+const requestId = require('./requestId');
+const cookieParser = require('./cookieParser');
+const errorHandler = require('./errorHandler');
+const csrf = require('./csrf');
+const validate = require('./validator');
+module.exports = { cors, logger, rateLimit, compress, static: serveStatic, helmet, timeout, requestId, cookieParser, errorHandler, csrf, validate };

package/lib/middleware/logger.js CHANGED Viewed

@@ -1,74 +1,74 @@
-/**
- * @module middleware/logger
- * @description Simple request-logging middleware.
- *              Logs method, url, status code, and response time.
- *
- * @param {object}  [opts] - Configuration options.
- * @param {function} [opts.logger]   - Custom log function (default: console.log).
- * @param {boolean}  [opts.colors]   - Colorize output (default: true when TTY).
- * @param {string}   [opts.format]   - 'tiny' | 'short' | 'dev' (default: 'dev').
- * @returns {Function} Middleware `(req, res, next) => void`.
- *
- * @example
- *   app.use(logger());                           // default 'dev' format
- *   app.use(logger({ format: 'tiny' }));          // minimal output
- *   app.use(logger({ colors: false, logger: msg => fs.appendFileSync('access.log', msg + '\n') }));
- */
-function logger(opts = {})
-{
-    const log = typeof opts.logger === 'function' ? opts.logger : console.log;
-    const useColors = opts.colors !== undefined ? opts.colors : (process.stdout.isTTY || false);
-    const format = opts.format || 'dev';
-    // ANSI color helpers
-    const c = {
-        reset: useColors ? '\x1b[0m' : '',
-        green: useColors ? '\x1b[32m' : '',
-        yellow: useColors ? '\x1b[33m' : '',
-        red: useColors ? '\x1b[31m' : '',
-        cyan: useColors ? '\x1b[36m' : '',
-        dim: useColors ? '\x1b[2m' : '',
-    };
-    function statusColor(code)
-    {
-        if (code >= 500) return c.red;
-        if (code >= 400) return c.yellow;
-        if (code >= 300) return c.cyan;
-        return c.green;
-    }
-    return (req, res, next) =>
-    {
-        const start = Date.now();
-        // Hook into the raw response 'finish' event
-        const raw = res.raw;
-        const onFinish = () =>
-        {
-            raw.removeListener('finish', onFinish);
-            const ms = Date.now() - start;
-            const status = raw.statusCode || res._status;
-            const sc = statusColor(status);
-            if (format === 'tiny')
-            {
-                log(`${req.method} ${req.url} ${status} - ${ms}ms`);
-            }
-            else if (format === 'short')
-            {
-                log(`${req.ip || '-'} ${req.method} ${req.url} ${sc}${status}${c.reset} ${ms}ms`);
-            }
-            else
-            {
-                // dev format
-                log(`  ${c.dim}${req.method}${c.reset} ${req.url} ${sc}${status}${c.reset} ${c.dim}${ms}ms${c.reset}`);
-            }
-        };
-        raw.on('finish', onFinish);
-        next();
-    };
-}
-module.exports = logger;
+/**
+ * @module middleware/logger
+ * @description Simple request-logging middleware.
+ *              Logs method, url, status code, and response time.
+ *
+ * @param {object}  [opts] - Configuration options.
+ * @param {function} [opts.logger]   - Custom log function (default: console.log).
+ * @param {boolean}  [opts.colors]   - Colorize output (default: true when TTY).
+ * @param {string}   [opts.format]   - 'tiny' | 'short' | 'dev' (default: 'dev').
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example
+ *   app.use(logger());                           // default 'dev' format
+ *   app.use(logger({ format: 'tiny' }));          // minimal output
+ *   app.use(logger({ colors: false, logger: msg => fs.appendFileSync('access.log', msg + '\n') }));
+ */
+function logger(opts = {})
+{
+    const log = typeof opts.logger === 'function' ? opts.logger : console.log;
+    const useColors = opts.colors !== undefined ? opts.colors : (process.stdout.isTTY || false);
+    const format = opts.format || 'dev';
+    // ANSI color helpers
+    const c = {
+        reset: useColors ? '\x1b[0m' : '',
+        green: useColors ? '\x1b[32m' : '',
+        yellow: useColors ? '\x1b[33m' : '',
+        red: useColors ? '\x1b[31m' : '',
+        cyan: useColors ? '\x1b[36m' : '',
+        dim: useColors ? '\x1b[2m' : '',
+    };
+    function statusColor(code)
+    {
+        if (code >= 500) return c.red;
+        if (code >= 400) return c.yellow;
+        if (code >= 300) return c.cyan;
+        return c.green;
+    }
+    return (req, res, next) =>
+    {
+        const start = Date.now();
+        // Hook into the raw response 'finish' event
+        const raw = res.raw;
+        const onFinish = () =>
+        {
+            raw.removeListener('finish', onFinish);
+            const ms = Date.now() - start;
+            const status = raw.statusCode || res._status;
+            const sc = statusColor(status);
+            if (format === 'tiny')
+            {
+                log(`${req.method} ${req.url} ${status} - ${ms}ms`);
+            }
+            else if (format === 'short')
+            {
+                log(`${req.ip || '-'} ${req.method} ${req.url} ${sc}${status}${c.reset} ${ms}ms`);
+            }
+            else
+            {
+                // dev format
+                log(`  ${c.dim}${req.method}${c.reset} ${req.url} ${sc}${status}${c.reset} ${c.dim}${ms}ms${c.reset}`);
+            }
+        };
+        raw.on('finish', onFinish);
+        next();
+    };
+}
+module.exports = logger;