npm - create-fluxstack - Versions diffs - 1.12.1 → 1.14.0 - Mend

create-fluxstack 1.12.1 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (116) hide show

package/LLMD/INDEX.md +8 -1
package/LLMD/agent.md +867 -0
package/LLMD/config/environment-vars.md +30 -0
package/LLMD/patterns/anti-patterns.md +100 -0
package/LLMD/reference/routing.md +39 -39
package/LLMD/resources/live-auth.md +465 -0
package/LLMD/resources/live-components.md +168 -26
package/LLMD/resources/live-logging.md +220 -0
package/LLMD/resources/live-upload.md +59 -8
package/LLMD/resources/rest-auth.md +290 -0
package/README.md +520 -340
package/app/client/index.html +2 -2
package/app/client/public/favicon.svg +46 -0
package/app/client/src/App.tsx +13 -1
package/app/client/src/assets/fluxstack-static.svg +46 -0
package/app/client/src/assets/fluxstack.svg +183 -0
package/app/client/src/components/AppLayout.tsx +139 -9
package/app/client/src/components/BackButton.tsx +13 -13
package/app/client/src/components/DemoPage.tsx +4 -4
package/app/client/src/live/AuthDemo.tsx +334 -0
package/app/client/src/live/ChatDemo.tsx +2 -2
package/app/client/src/live/CounterDemo.tsx +12 -12
package/app/client/src/live/FormDemo.tsx +2 -2
package/app/client/src/live/LiveDebuggerPanel.tsx +779 -0
package/app/client/src/live/RoomChatDemo.tsx +24 -16
package/app/client/src/main.tsx +13 -13
package/app/client/src/pages/ApiTestPage.tsx +6 -6
package/app/client/src/pages/HomePage.tsx +80 -52
package/app/server/auth/AuthManager.ts +213 -0
package/app/server/auth/DevAuthProvider.ts +66 -0
package/app/server/auth/HashManager.ts +123 -0
package/app/server/auth/JWTAuthProvider.example.ts +101 -0
package/app/server/auth/RateLimiter.ts +106 -0
package/app/server/auth/contracts.ts +192 -0
package/app/server/auth/guards/SessionGuard.ts +167 -0
package/app/server/auth/guards/TokenGuard.ts +202 -0
package/app/server/auth/index.ts +174 -0
package/app/server/auth/middleware.ts +163 -0
package/app/server/auth/providers/InMemoryProvider.ts +162 -0
package/app/server/auth/sessions/SessionManager.ts +164 -0
package/app/server/cache/CacheManager.ts +81 -0
package/app/server/cache/MemoryDriver.ts +112 -0
package/app/server/cache/contracts.ts +49 -0
package/app/server/cache/index.ts +42 -0
package/app/server/index.ts +14 -0
package/app/server/live/LiveAdminPanel.ts +174 -0
package/app/server/live/LiveChat.ts +78 -77
package/app/server/live/LiveCounter.ts +1 -0
package/app/server/live/LiveForm.ts +1 -0
package/app/server/live/LiveLocalCounter.ts +38 -32
package/app/server/live/LiveProtectedChat.ts +151 -0
package/app/server/live/LiveRoomChat.ts +1 -0
package/app/server/live/LiveUpload.ts +1 -0
package/app/server/live/register-components.ts +19 -19
package/app/server/routes/auth.routes.ts +278 -0
package/app/server/routes/index.ts +2 -0
package/config/index.ts +8 -0
package/config/system/auth.config.ts +49 -0
package/config/system/runtime.config.ts +4 -0
package/config/system/session.config.ts +33 -0
package/core/build/optimizer.ts +235 -235
package/core/client/LiveComponentsProvider.tsx +76 -5
package/core/client/components/Live.tsx +17 -10
package/core/client/components/LiveDebugger.tsx +1324 -0
package/core/client/hooks/AdaptiveChunkSizer.ts +215 -215
package/core/client/hooks/useLiveComponent.ts +58 -5
package/core/client/hooks/useLiveDebugger.ts +392 -0
package/core/client/index.ts +16 -1
package/core/framework/server.ts +36 -4
package/core/plugins/built-in/index.ts +134 -134
package/core/plugins/built-in/live-components/commands/create-live-component.ts +19 -8
package/core/plugins/built-in/monitoring/index.ts +10 -3
package/core/plugins/built-in/vite/index.ts +151 -20
package/core/plugins/config.ts +5 -4
package/core/plugins/discovery.ts +11 -2
package/core/plugins/manager.ts +11 -5
package/core/plugins/module-resolver.ts +1 -1
package/core/plugins/registry.ts +53 -25
package/core/server/index.ts +15 -15
package/core/server/live/ComponentRegistry.ts +134 -50
package/core/server/live/FileUploadManager.ts +188 -24
package/core/server/live/LiveComponentPerformanceMonitor.ts +9 -8
package/core/server/live/LiveDebugger.ts +462 -0
package/core/server/live/LiveLogger.ts +144 -0
package/core/server/live/LiveRoomManager.ts +22 -5
package/core/server/live/StateSignature.ts +704 -643
package/core/server/live/WebSocketConnectionManager.ts +11 -10
package/core/server/live/auth/LiveAuthContext.ts +71 -0
package/core/server/live/auth/LiveAuthManager.ts +304 -0
package/core/server/live/auth/index.ts +19 -0
package/core/server/live/auth/types.ts +179 -0
package/core/server/live/auto-generated-components.ts +8 -2
package/core/server/live/index.ts +16 -0
package/core/server/live/websocket-plugin.ts +323 -22
package/core/server/plugins/static-files-plugin.ts +179 -69
package/core/templates/create-project.ts +0 -3
package/core/types/build.ts +219 -219
package/core/types/plugin.ts +107 -107
package/core/types/types.ts +278 -22
package/core/utils/index.ts +17 -17
package/core/utils/logger/index.ts +5 -2
package/core/utils/logger/startup-banner.ts +82 -82
package/core/utils/version.ts +6 -6
package/package.json +1 -8
package/plugins/crypto-auth/index.ts +6 -0
package/plugins/crypto-auth/server/CryptoAuthLiveProvider.ts +58 -0
package/plugins/crypto-auth/server/index.ts +24 -21
package/rest-tests/README.md +57 -0
package/rest-tests/auth-token.http +113 -0
package/rest-tests/auth.http +112 -0
package/rest-tests/rooms-token.http +69 -0
package/rest-tests/users-token.http +62 -0
package/.dockerignore +0 -81
package/Dockerfile +0 -70
package/LIVE_COMPONENTS_REVIEW.md +0 -781
package/app/client/src/assets/react.svg +0 -1

package/core/server/live/auto-generated-components.ts CHANGED Viewed

@@ -1,11 +1,13 @@
 // 🔥 Auto-generated Live Components Registration
 // This file is automatically generated during build time - DO NOT EDIT MANUALLY
-// Generated at: 2026-02-09T22:13:45.496Z
+// Generated at: 2026-02-21T20:03:53.569Z
+import { LiveAdminPanel } from "@app/server/live/LiveAdminPanel"
 import { LiveChat } from "@app/server/live/LiveChat"
 import { LiveCounter } from "@app/server/live/LiveCounter"
 import { LiveForm } from "@app/server/live/LiveForm"
 import { LiveLocalCounter } from "@app/server/live/LiveLocalCounter"
+import { LiveProtectedChat } from "@app/server/live/LiveProtectedChat"
 import { LiveRoomChat } from "@app/server/live/LiveRoomChat"
 import { LiveUpload } from "@app/server/live/LiveUpload"
 import { componentRegistry } from "@core/server/live/ComponentRegistry"
@@ -14,14 +16,16 @@ import { componentRegistry } from "@core/server/live/ComponentRegistry"
 function registerAllComponents() {
   try {
     // Auto-generated component registrations
+    componentRegistry.registerComponentClass('LiveAdminPanel', LiveAdminPanel)
     componentRegistry.registerComponentClass('LiveChat', LiveChat)
     componentRegistry.registerComponentClass('LiveCounter', LiveCounter)
     componentRegistry.registerComponentClass('LiveForm', LiveForm)
     componentRegistry.registerComponentClass('LiveLocalCounter', LiveLocalCounter)
+    componentRegistry.registerComponentClass('LiveProtectedChat', LiveProtectedChat)
     componentRegistry.registerComponentClass('LiveRoomChat', LiveRoomChat)
     componentRegistry.registerComponentClass('LiveUpload', LiveUpload)
-    console.log('📝 Live components registered successfully! (6 components)')
+    console.log('📝 Live components registered successfully! (8 components)')
   } catch (error) {
     console.warn('⚠️ Error registering components:', error)
   }
@@ -32,10 +36,12 @@ registerAllComponents()
 // Export all components to ensure they're included in the bundle
 export {
+  LiveAdminPanel,
   LiveChat,
   LiveCounter,
   LiveForm,
   LiveLocalCounter,
+  LiveProtectedChat,
   LiveRoomChat,
   LiveUpload
 }

package/core/server/live/index.ts CHANGED Viewed

@@ -12,3 +12,19 @@ export { connectionManager } from './WebSocketConnectionManager'
 export { fileUploadManager } from './FileUploadManager'
 export { stateSignature } from './StateSignature'
 export { performanceMonitor } from './LiveComponentPerformanceMonitor'
+export { liveLog, liveWarn, registerComponentLogging, unregisterComponentLogging } from './LiveLogger'
+export type { LiveLogCategory, LiveLogConfig } from './LiveLogger'
+// 🔒 Auth system
+export { liveAuthManager, LiveAuthManager } from './auth/LiveAuthManager'
+export { AuthenticatedContext, AnonymousContext, ANONYMOUS_CONTEXT } from './auth/LiveAuthContext'
+export type {
+  LiveAuthProvider,
+  LiveAuthCredentials,
+  LiveAuthUser,
+  LiveAuthContext,
+  LiveComponentAuth,
+  LiveActionAuth,
+  LiveActionAuthMap,
+  LiveAuthResult,
+} from './auth/types'

package/core/server/live/websocket-plugin.ts CHANGED Viewed

@@ -5,10 +5,14 @@ import { fileUploadManager } from './FileUploadManager'
 import { connectionManager } from './WebSocketConnectionManager'
 import { performanceMonitor } from './LiveComponentPerformanceMonitor'
 import { liveRoomManager, type RoomMessage } from './LiveRoomManager'
+import { liveAuthManager } from './auth/LiveAuthManager'
+import { ANONYMOUS_CONTEXT } from './auth/LiveAuthContext'
 import type { LiveMessage, FileUploadStartMessage, FileUploadChunkMessage, FileUploadCompleteMessage, BinaryChunkHeader, FluxStackWebSocket, FluxStackWSData } from '@core/types/types'
 import type { Plugin, PluginContext } from '@core/index'
 import { t, Elysia } from 'elysia'
 import path from 'path'
+import { liveLog } from './LiveLogger'
+import { liveDebugger } from './LiveDebugger'
 // ===== Response Schemas for Live Components Routes =====
@@ -113,6 +117,39 @@ const LiveAlertResolveSchema = t.Object({
   description: 'Result of alert resolution operation'
 })
+// 🔒 Per-connection rate limiter to prevent WebSocket message flooding
+class ConnectionRateLimiter {
+  private tokens: number
+  private lastRefill: number
+  private readonly maxTokens: number
+  private readonly refillRate: number // tokens per second
+  constructor(maxTokens = 100, refillRate = 50) {
+    this.maxTokens = maxTokens
+    this.tokens = maxTokens
+    this.refillRate = refillRate
+    this.lastRefill = Date.now()
+  }
+  tryConsume(count = 1): boolean {
+    this.refill()
+    if (this.tokens >= count) {
+      this.tokens -= count
+      return true
+    }
+    return false
+  }
+  private refill(): void {
+    const now = Date.now()
+    const elapsed = (now - this.lastRefill) / 1000
+    this.tokens = Math.min(this.maxTokens, this.tokens + elapsed * this.refillRate)
+    this.lastRefill = now
+  }
+}
+const connectionRateLimiters = new Map<string, ConnectionRateLimiter>()
 export const liveComponentsPlugin: Plugin = {
   name: 'live-components',
   version: '1.0.0',
@@ -138,10 +175,13 @@ export const liveComponentsPlugin: Plugin = {
         // Binary messages will be ArrayBuffer/Uint8Array, JSON will be parsed objects
         body: t.Any(),
-        open(ws) {
+        async open(ws) {
           const socket = ws as unknown as FluxStackWebSocket
-          const connectionId = `ws-${Date.now()}-${Math.random().toString(36).substr(2, 9)}`
-          console.log(`🔌 Live Components WebSocket connected: ${connectionId}`)
+          const connectionId = `ws-${crypto.randomUUID()}`
+          liveLog('websocket', null, `🔌 Live Components WebSocket connected: ${connectionId}`)
+          // 🔒 Initialize rate limiter for this connection
+          connectionRateLimiters.set(connectionId, new ConnectionRateLimiter())
           // Register connection with enhanced connection manager
           connectionManager.registerConnection(ws as unknown as FluxStackWebSocket, connectionId, 'live-components')
@@ -164,16 +204,42 @@ export const liveComponentsPlugin: Plugin = {
             socket.data.connectedAt = new Date()
           }
+          // 🔒 Try to authenticate from query params (token=xxx)
+          try {
+            const query = (ws as any).data?.query as Record<string, string> | undefined
+            const token = query?.token
+            if (token && liveAuthManager.hasProviders()) {
+              const authContext = await liveAuthManager.authenticate({ token })
+              socket.data.authContext = authContext
+              if (authContext.authenticated) {
+                socket.data.userId = authContext.user?.id
+                liveLog('websocket', null, `🔒 WebSocket authenticated via query: user=${authContext.user?.id}`)
+              } else {
+                // 🔒 Log failed auth attempts (token was provided but auth failed)
+                liveLog('websocket', null, `🔒 WebSocket authentication failed via query token`)
+              }
+            }
+          } catch (authError) {
+            // 🔒 Log auth errors instead of silently ignoring them
+            console.warn('🔒 WebSocket query auth error:', authError instanceof Error ? authError.message : 'Unknown error')
+          }
+          // Debug: track connection
+          liveDebugger.trackConnection(connectionId)
           // Send connection confirmation
           ws.send(JSON.stringify({
             type: 'CONNECTION_ESTABLISHED',
             connectionId,
             timestamp: Date.now(),
+            authenticated: socket.data.authContext?.authenticated ?? false,
+            userId: socket.data.authContext?.user?.id,
             features: {
               compression: true,
               encryption: true,
               offlineQueue: true,
-              loadBalancing: true
+              loadBalancing: true,
+              auth: liveAuthManager.hasProviders()
             }
           }))
         },
@@ -181,6 +247,20 @@ export const liveComponentsPlugin: Plugin = {
         async message(ws: unknown, rawMessage: LiveMessage | ArrayBuffer | Uint8Array) {
           const socket = ws as FluxStackWebSocket
           try {
+            // 🔒 Rate limiting: reject messages if connection exceeds rate limit
+            const connId = socket.data?.connectionId
+            if (connId) {
+              const limiter = connectionRateLimiters.get(connId)
+              if (limiter && !limiter.tryConsume()) {
+                socket.send(JSON.stringify({
+                  type: 'ERROR',
+                  error: 'Rate limit exceeded. Please slow down.',
+                  timestamp: Date.now()
+                }))
+                return
+              }
+            }
             let message: LiveMessage
             let binaryChunkData: Buffer | null = null
@@ -201,7 +281,7 @@ export const liveComponentsPlugin: Plugin = {
               // Extract binary chunk data
               binaryChunkData = buffer.slice(4 + headerLength)
-              console.log(`📦 Binary chunk received: ${binaryChunkData.length} bytes for upload ${header.uploadId}`)
+              liveLog('messages', null, `📦 Binary chunk received: ${binaryChunkData.length} bytes for upload ${header.uploadId}`)
               // Create message with binary data attached
               message = {
@@ -215,7 +295,7 @@ export const liveComponentsPlugin: Plugin = {
               message.timestamp = Date.now()
             }
-            console.log(`📨 Received message:`, {
+            liveLog('messages', message.componentId || null, `📨 Received message:`, {
               type: message.type,
               componentId: message.componentId,
               action: message.action,
@@ -243,6 +323,9 @@ export const liveComponentsPlugin: Plugin = {
               case 'COMPONENT_PING':
                 await handleComponentPing(socket, message)
                 break
+              case 'AUTH':
+                await handleAuth(socket, message)
+                break
               case 'FILE_UPLOAD_START':
                 await handleFileUploadStart(socket, message as FileUploadStartMessage)
                 break
@@ -286,7 +369,18 @@ export const liveComponentsPlugin: Plugin = {
         close(ws) {
           const socket = ws as unknown as FluxStackWebSocket
           const connectionId = socket.data?.connectionId
-          console.log(`🔌 Live Components WebSocket disconnected: ${connectionId}`)
+          liveLog('websocket', null, `🔌 Live Components WebSocket disconnected: ${connectionId}`)
+          // Debug: track disconnection
+          const componentCount = socket.data?.components?.size ?? 0
+          if (connectionId) {
+            liveDebugger.trackDisconnection(connectionId, componentCount)
+          }
+          // 🔒 Cleanup rate limiter
+          if (connectionId) {
+            connectionRateLimiters.delete(connectionId)
+          }
           // Cleanup connection in connection manager
           if (connectionId) {
@@ -486,6 +580,132 @@ export const liveComponentsPlugin: Plugin = {
         response: LiveAlertResolveSchema
       })
+      // ===== Live Component Debugger Routes =====
+      // Debug WebSocket - streams debug events in real-time
+      .ws('/debug/ws', {
+        body: t.Any(),
+        open(ws) {
+          const socket = ws as unknown as FluxStackWebSocket
+          liveLog('websocket', null, '🔍 Debug client connected')
+          liveDebugger.registerDebugClient(socket)
+        },
+        message() {
+          // Debug clients are read-only, no incoming messages to handle
+        },
+        close(ws) {
+          const socket = ws as unknown as FluxStackWebSocket
+          liveLog('websocket', null, '🔍 Debug client disconnected')
+          liveDebugger.unregisterDebugClient(socket)
+        }
+      })
+      // Debug snapshot - current state of all components
+      .get('/debug/snapshot', () => {
+        return {
+          success: true,
+          snapshot: liveDebugger.getSnapshot(),
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Debug Snapshot',
+          description: 'Returns current state of all active Live Components for debugging',
+          tags: ['Live Components', 'Debug']
+        }
+      })
+      // Debug events - recent event history
+      .get('/debug/events', ({ query }) => {
+        const filter: { componentId?: string; type?: any; limit?: number } = {}
+        if (query.componentId) filter.componentId = query.componentId as string
+        if (query.type) filter.type = query.type
+        if (query.limit) filter.limit = parseInt(query.limit as string, 10)
+        return {
+          success: true,
+          events: liveDebugger.getEvents(filter),
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Debug Events',
+          description: 'Returns recent debug events, optionally filtered by component or type',
+          tags: ['Live Components', 'Debug']
+        },
+        query: t.Object({
+          componentId: t.Optional(t.String()),
+          type: t.Optional(t.String()),
+          limit: t.Optional(t.String())
+        })
+      })
+      // Debug toggle - enable/disable debugger at runtime
+      .post('/debug/toggle', ({ body }) => {
+        const enabled = (body as any)?.enabled
+        if (typeof enabled === 'boolean') {
+          liveDebugger.enabled = enabled
+        } else {
+          liveDebugger.enabled = !liveDebugger.enabled
+        }
+        return {
+          success: true,
+          enabled: liveDebugger.enabled,
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Toggle Debugger',
+          description: 'Enable or disable the Live Component debugger at runtime',
+          tags: ['Live Components', 'Debug']
+        }
+      })
+      // Debug component state - get specific component state
+      .get('/debug/components/:componentId', ({ params }) => {
+        const snapshot = liveDebugger.getComponentState(params.componentId)
+        if (!snapshot) {
+          return { success: false, error: 'Component not found' }
+        }
+        return {
+          success: true,
+          component: snapshot,
+          events: liveDebugger.getEvents({
+            componentId: params.componentId,
+            limit: 50
+          }),
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Debug Component State',
+          description: 'Returns current state and recent events for a specific component',
+          tags: ['Live Components', 'Debug']
+        },
+        params: t.Object({
+          componentId: t.String()
+        })
+      })
+      // Clear debug events
+      .post('/debug/clear', () => {
+        liveDebugger.clearEvents()
+        return {
+          success: true,
+          message: 'Debug events cleared',
+          timestamp: new Date().toISOString()
+        }
+      }, {
+        detail: {
+          summary: 'Clear Debug Events',
+          description: 'Clears the debug event history buffer',
+          tags: ['Live Components', 'Debug']
+        }
+      })
     // Register the grouped routes with the main app
     context.app.use(liveRoutes)
   },
@@ -514,7 +734,7 @@ async function handleComponentMount(ws: FluxStackWebSocket, message: LiveMessage
 }
 async function handleComponentRehydrate(ws: FluxStackWebSocket, message: LiveMessage) {
-  console.log('🔄 Processing component re-hydration request:', {
+  liveLog('lifecycle', message.componentId, '🔄 Processing component re-hydration request:', {
     componentId: message.componentId,
     payload: message.payload
   })
@@ -547,7 +767,7 @@ async function handleComponentRehydrate(ws: FluxStackWebSocket, message: LiveMes
       timestamp: Date.now()
     }
-    console.log('📤 Sending COMPONENT_REHYDRATED response:', {
+    liveLog('lifecycle', message.componentId, '📤 Sending COMPONENT_REHYDRATED response:', {
       type: response.type,
       success: response.success,
       newComponentId: response.result?.newComponentId,
@@ -638,12 +858,65 @@ async function handleComponentPing(ws: FluxStackWebSocket, message: LiveMessage)
   ws.send(JSON.stringify(response))
 }
+// ===== Auth Handler =====
+async function handleAuth(ws: FluxStackWebSocket, message: LiveMessage) {
+  liveLog('websocket', null, '🔒 Processing WebSocket authentication request')
+  try {
+    const credentials = message.payload || {}
+    const providerName = credentials.provider as string | undefined
+    if (!liveAuthManager.hasProviders()) {
+      ws.send(JSON.stringify({
+        type: 'AUTH_RESPONSE',
+        success: false,
+        error: 'No auth providers configured',
+        requestId: message.requestId,
+        timestamp: Date.now()
+      }))
+      return
+    }
+    const authContext = await liveAuthManager.authenticate(credentials, providerName)
+    // Store auth context on the WebSocket connection
+    ws.data.authContext = authContext
+    if (authContext.authenticated) {
+      ws.data.userId = authContext.user?.id
+      liveLog('websocket', null, `🔒 WebSocket authenticated: user=${authContext.user?.id}`)
+    }
+    ws.send(JSON.stringify({
+      type: 'AUTH_RESPONSE',
+      success: authContext.authenticated,
+      authenticated: authContext.authenticated,
+      userId: authContext.user?.id,
+      roles: authContext.user?.roles,
+      requestId: message.requestId,
+      timestamp: Date.now()
+    }))
+  } catch (error: any) {
+    console.error('🔒 WebSocket auth error:', error.message)
+    ws.send(JSON.stringify({
+      type: 'AUTH_RESPONSE',
+      success: false,
+      error: error.message,
+      requestId: message.requestId,
+      timestamp: Date.now()
+    }))
+  }
+}
 // File Upload Handler Functions
 async function handleFileUploadStart(ws: FluxStackWebSocket, message: FileUploadStartMessage) {
-  console.log('📤 Starting file upload:', message.uploadId)
-  const result = await fileUploadManager.startUpload(message)
+  liveLog('messages', message.componentId || null, '📤 Starting file upload:', message.uploadId)
+  // 🔒 Pass userId for per-user upload quota enforcement
+  const userId = ws.data?.userId || ws.data?.authContext?.user?.id
+  const result = await fileUploadManager.startUpload(message, userId)
   const response = {
     type: 'FILE_UPLOAD_START_RESPONSE',
     componentId: message.componentId,
@@ -653,12 +926,12 @@ async function handleFileUploadStart(ws: FluxStackWebSocket, message: FileUpload
     requestId: message.requestId,
     timestamp: Date.now()
   }
   ws.send(JSON.stringify(response))
 }
 async function handleFileUploadChunk(ws: FluxStackWebSocket, message: FileUploadChunkMessage, binaryData: Buffer | null = null) {
-  console.log(`📦 Receiving chunk ${message.chunkIndex + 1} for upload ${message.uploadId}${binaryData ? ' (binary)' : ' (base64)'}`)
+  liveLog('messages', message.componentId || null, `📦 Receiving chunk ${message.chunkIndex + 1} for upload ${message.uploadId}${binaryData ? ' (binary)' : ' (base64)'}`)
   const progressResponse = await fileUploadManager.receiveChunk(message, ws, binaryData)
@@ -686,7 +959,7 @@ async function handleFileUploadChunk(ws: FluxStackWebSocket, message: FileUpload
 }
 async function handleFileUploadComplete(ws: FluxStackWebSocket, message: FileUploadCompleteMessage) {
-  console.log('✅ Completing file upload:', message.uploadId)
+  liveLog('messages', null, '✅ Completing file upload:', message.uploadId)
   const completeResponse = await fileUploadManager.completeUpload(message)
@@ -702,14 +975,26 @@ async function handleFileUploadComplete(ws: FluxStackWebSocket, message: FileUpl
 // ===== Room System Handlers =====
 async function handleRoomJoin(ws: FluxStackWebSocket, message: RoomMessage) {
-  console.log(`🚪 Component ${message.componentId} joining room ${message.roomId}`)
+  liveLog('rooms', message.componentId, `🚪 Component ${message.componentId} joining room ${message.roomId}`)
   try {
+    // 🔒 Validate room name format (alphanumeric, hyphens, underscores, max 64 chars)
+    if (!message.roomId || !/^[a-zA-Z0-9_:.-]{1,64}$/.test(message.roomId)) {
+      throw new Error('Invalid room name. Must be 1-64 alphanumeric characters, hyphens, underscores, dots, or colons.')
+    }
+    // 🔒 Room authorization check
+    const authContext = ws.data?.authContext || ANONYMOUS_CONTEXT
+    const authResult = await liveAuthManager.authorizeRoom(authContext, message.roomId)
+    if (!authResult.allowed) {
+      throw new Error(`Room access denied: ${authResult.reason}`)
+    }
     const result = liveRoomManager.joinRoom(
       message.componentId,
       message.roomId,
       ws,
-      message.data?.initialState
+      undefined // 🔒 Don't allow client to set initial room state - server controls this
     )
     const response = {
@@ -736,7 +1021,7 @@ async function handleRoomJoin(ws: FluxStackWebSocket, message: RoomMessage) {
 }
 async function handleRoomLeave(ws: FluxStackWebSocket, message: RoomMessage) {
-  console.log(`🚶 Component ${message.componentId} leaving room ${message.roomId}`)
+  liveLog('rooms', message.componentId, `🚶 Component ${message.componentId} leaving room ${message.roomId}`)
   try {
     liveRoomManager.leaveRoom(message.componentId, message.roomId)
@@ -764,9 +1049,14 @@ async function handleRoomLeave(ws: FluxStackWebSocket, message: RoomMessage) {
 }
 async function handleRoomEmit(ws: FluxStackWebSocket, message: RoomMessage) {
-  console.log(`📡 Component ${message.componentId} emitting '${message.event}' to room ${message.roomId}`)
+  liveLog('rooms', message.componentId, `📡 Component ${message.componentId} emitting '${message.event}' to room ${message.roomId}`)
   try {
+    // 🔒 Validate room name
+    if (!message.roomId || !/^[a-zA-Z0-9_:.-]{1,64}$/.test(message.roomId)) {
+      throw new Error('Invalid room name')
+    }
     const count = liveRoomManager.emitToRoom(
       message.roomId,
       message.event!,
@@ -774,7 +1064,7 @@ async function handleRoomEmit(ws: FluxStackWebSocket, message: RoomMessage) {
       message.componentId // Excluir quem enviou
     )
-    console.log(`   → Notified ${count} components`)
+    liveLog('rooms', message.componentId, `   → Notified ${count} components`)
   } catch (error: any) {
     ws.send(JSON.stringify({
       type: 'ERROR',
@@ -787,9 +1077,20 @@ async function handleRoomEmit(ws: FluxStackWebSocket, message: RoomMessage) {
 }
 async function handleRoomStateSet(ws: FluxStackWebSocket, message: RoomMessage) {
-  console.log(`📝 Component ${message.componentId} updating state in room ${message.roomId}`)
+  liveLog('rooms', message.componentId, `📝 Component ${message.componentId} updating state in room ${message.roomId}`)
   try {
+    // 🔒 Validate room name
+    if (!message.roomId || !/^[a-zA-Z0-9_:.-]{1,64}$/.test(message.roomId)) {
+      throw new Error('Invalid room name')
+    }
+    // 🔒 Validate state size (max 1MB per update to prevent memory attacks)
+    const stateStr = JSON.stringify(message.data ?? {})
+    if (stateStr.length > 1024 * 1024) {
+      throw new Error('Room state update too large (max 1MB)')
+    }
     liveRoomManager.setRoomState(
       message.roomId,
       message.data ?? {},