expediate 1.0.4 → 1.0.5

package/dist/cjs/index.js

@@ -0,0 +1,2583 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DESCRIBE_META: () => DESCRIBE_META,
+  apiBuilder: () => apis_default,
+  cacheControl: () => cacheControl,
+  compress: () => compress,
+  conditionalGet: () => conditionalGet,
+  cors: () => cors,
+  createJwtPlugin: () => jwt_auth_default,
+  createMapTokenStore: () => createMapTokenStore,
+  createRouter: () => router_default,
+  csrf: () => csrf,
+  describe: () => describe,
+  formData: () => formData,
+  formEncoded: () => formEncoded,
+  gitCreate: () => gitCreate,
+  gitHandler: () => gitHandler,
+  json: () => json,
+  logger: () => logger,
+  mime: () => mime,
+  openApiSpec: () => openApiSpec,
+  parseBody: () => parseBody,
+  parseMultipartBody: () => parseMultipartBody,
+  rateLimit: () => rateLimit,
+  requestId: () => requestId,
+  securityHeaders: () => securityHeaders,
+  sendFile: () => sendFile,
+  serializeSpec: () => serializeSpec,
+  serveFile: () => serveFile,
+  serveStatic: () => serveStatic,
+  streamFormData: () => streamFormData
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/router.ts
+var crypto = __toESM(require("crypto"), 1);
+var fs2 = __toESM(require("fs"), 1);
+var http = __toESM(require("http"), 1);
+var https = __toESM(require("https"), 1);
+var http2 = __toESM(require("http2"), 1);
+var path = __toESM(require("path"), 1);
+
+// src/misc.ts
+var import_stream = require("stream");
+var import_zlib = __toESM(require("zlib"), 1);
+var DECOMPRESS_ALGO = {
+  gzip: import_zlib.default.gunzip,
+  deflate: import_zlib.default.inflate
+};
+function readSize(value) {
+  if (typeof value === "number") return value;
+  const fmt = /^(\d+(\.\d+)?)([kmg]?b?)?$/i.exec(value);
+  if (!fmt) return 0;
+  const num = parseFloat(fmt[1] ?? "0");
+  const sfx = (fmt[3] ?? "b").toLowerCase();
+  if (sfx[0] === "k") return num * 1024;
+  if (sfx[0] === "m") return num * 1024 * 1024;
+  if (sfx[0] === "g") return num * 1024 * 1024 * 1024;
+  return num;
+}
+function splitBuffer(buffer, delimiter) {
+  const result = [];
+  let start = 0;
+  let index;
+  while ((index = buffer.indexOf(delimiter, start)) !== -1) {
+    result.push(buffer.slice(start, index));
+    start = index + delimiter.length;
+  }
+  result.push(buffer.slice(start));
+  return result;
+}
+function extractCharset(contentType) {
+  const param = contentType.split(";").map((s) => s.replace(/^\s+|\s+$/g, "")).find((s) => s.startsWith("charset="));
+  return param ? param.substring("charset=".length) : "utf8";
+}
+function readBody(req, res, opts, mimetype, next, callback) {
+  const length = parseInt(req.headers["content-length"] ?? "0", 10);
+  const isChunked = req.headers["transfer-encoding"]?.split(",").map((v) => v.trim()).some((v) => v.toLowerCase() === "chunked") ?? false;
+  if (!isChunked && (!length || length === 0)) return next();
+  const maxLength = readSize(opts.limit) || 102400;
+  if (!isChunked && length > maxLength)
+    return void res.status(413).send("Content Too Large");
+  const encoding = req.headers["content-encoding"];
+  if (encoding && (opts.inflate === false || !DECOMPRESS_ALGO[encoding]))
+    return void res.status(415).send("Unsupported Media Type: Wrong Content-Encoding");
+  const decompress = (encoding ? DECOMPRESS_ALGO[encoding] : void 0) ?? ((d, c) => c(null, d));
+  const contentType = req.headers["content-type"] ?? "";
+  if (mimetype && contentType.split(";")[0].trim() !== mimetype)
+    return void res.status(415).send("Unsupported Media Type: Wrong Content-Type");
+  let data = Buffer.alloc(0);
+  req.on("data", (chunk) => {
+    if (data === null) return;
+    const next_ = Buffer.concat([data, chunk]);
+    if (next_.length > maxLength) {
+      data = null;
+      res.status(413).send("Content Too Large");
+      return;
+    }
+    data = next_;
+  });
+  req.on("end", () => {
+    if (data === null) return;
+    decompress(data, (err, decompressed) => {
+      if (err) return void res.status(500).send(err.message);
+      callback(contentType, decompressed);
+    });
+  });
+}
+function readReqBody(req, opts, mimetype) {
+  return new Promise((resolve, reject) => {
+    const length = parseInt(req.headers["content-length"] ?? "0", 10);
+    const isChunked = req.headers["transfer-encoding"]?.split(",").map((v) => v.trim()).some((v) => v.toLowerCase() === "chunked") ?? false;
+    if (!isChunked && (!length || length === 0)) return resolve(null);
+    const maxLength = readSize(opts.limit) || 102400;
+    if (!isChunked && length > maxLength)
+      return reject({ status: 413, message: "Content Too Large" });
+    const encoding = req.headers["content-encoding"];
+    if (encoding && (opts.inflate === false || !DECOMPRESS_ALGO[encoding]))
+      return reject({ status: 415, message: "Unsupported Media Type: Wrong Content-Encoding" });
+    const decompress = (encoding ? DECOMPRESS_ALGO[encoding] : void 0) ?? ((d, c) => c(null, d));
+    const contentType = req.headers["content-type"] ?? "";
+    if (mimetype && contentType.split(";")[0].trim() !== mimetype)
+      return reject({ status: 415, message: "Unsupported Media Type: Wrong Content-Type" });
+    let data = Buffer.alloc(0);
+    req.on("data", (chunk) => {
+      if (data === null) return;
+      const next_ = Buffer.concat([data, chunk]);
+      if (next_.length > maxLength) {
+        data = null;
+        reject({ status: 413, message: "Content Too Large" });
+        return;
+      }
+      data = next_;
+    });
+    req.on("end", () => {
+      if (data === null) return;
+      decompress(data, (err, decompressed) => {
+        if (err) return reject({ status: 500, message: err.message });
+        resolve({ mimetype: contentType ?? "", content: decompressed });
+      });
+    });
+  });
+}
+function readBodyAsPlainText(req, res, next, contentType, data) {
+  const charset = extractCharset(contentType);
+  try {
+    req.body = data.toString(charset);
+    next();
+  } catch (ex) {
+    res.status(500).send(ex.message);
+  }
+}
+function readBodyAsJson(req, res, next, opts, contentType, data) {
+  const charset = extractCharset(contentType);
+  try {
+    const parsed = JSON.parse(
+      data.toString(charset),
+      opts.reviver ?? void 0
+    );
+    if (opts.strict && (typeof parsed !== "object" || parsed === null)) {
+      return void res.status(400).send("Bad Request: JSON body must be an object or array");
+    }
+    req.body = parsed;
+    next();
+  } catch (ex) {
+    res.status(400).send("Bad Request: " + ex.message);
+  }
+}
+function parseMultipartBody(contentType, data) {
+  const boundary = contentType.split(";").map((s) => s.replace(/^\s+|\s+$/g, "")).find((s) => s.startsWith("boundary="))?.substring("boundary=".length);
+  if (!boundary)
+    throw { status: 400, message: "Bad Request: missing multipart boundary" };
+  const delimiter = Buffer.from(`\r
+--${boundary}`);
+  const normalized = Buffer.concat([Buffer.from("\r\n"), data]);
+  const rawParts = splitBuffer(normalized, delimiter);
+  const parts = [];
+  for (const part of rawParts) {
+    if (part.toString("utf8", 0, 2) === "--") continue;
+    const partContent = part.slice(2);
+    const blankLine = Buffer.from("\r\n\r\n");
+    const blankIdx = partContent.indexOf(blankLine);
+    if (blankIdx === -1) continue;
+    const headerSection = partContent.slice(0, blankIdx).toString("utf8");
+    const content = partContent.slice(blankIdx + blankLine.length);
+    const headers = {};
+    for (const line of headerSection.split("\r\n")) {
+      if (!line) continue;
+      const colonIdx = line.indexOf(":");
+      if (colonIdx === -1) continue;
+      const key = line.substring(0, colonIdx).replace(/^\s+|\s+$/g, "").toLowerCase();
+      const value = line.substring(colonIdx + 1).replace(/^\s+|\s+$/g, "");
+      headers[key] = value;
+    }
+    parts.push({ headers, content });
+  }
+  return parts;
+}
+function readBodyAsFormData(req, res, next, contentType, data) {
+  try {
+    req.body = parseMultipartBody(contentType, data);
+    next();
+  } catch (ex) {
+    const status = ex.status ?? 500;
+    res.status(status).send(ex.message ?? String(ex));
+  }
+}
+function readBodyAsFormEncoded(req, res, next, contentType, data) {
+  const charset = extractCharset(contentType);
+  try {
+    const params = new URLSearchParams(data.toString(charset));
+    const result = {};
+    for (const [key, value] of params.entries()) {
+      const existing = result[key];
+      if (existing === void 0) {
+        result[key] = value;
+      } else if (Array.isArray(existing)) {
+        existing.push(value);
+      } else {
+        result[key] = [existing, value];
+      }
+    }
+    req.body = result;
+    next();
+  } catch (ex) {
+    res.status(400).send("Bad Request: " + ex.message);
+  }
+}
+var BODY_READERS = {
+  "multipart/form-data": (req, res, next, _opts, ct, data) => readBodyAsFormData(req, res, next, ct, data),
+  "application/json": (req, res, next, opts, ct, data) => readBodyAsJson(req, res, next, opts, ct, data),
+  "application/x-www-form-urlencoded": (req, res, next, _opts, ct, data) => readBodyAsFormEncoded(req, res, next, ct, data),
+  "text/plain": (req, res, next, _opts, ct, data) => readBodyAsPlainText(req, res, next, ct, data)
+};
+function json(opts) {
+  const resolved = {
+    inflate: true,
+    limit: "100kb",
+    reviver: null,
+    strict: true,
+    ...opts
+  };
+  return (req, res, next) => {
+    res.json = (data) => {
+      res.write(JSON.stringify(data));
+      res.end();
+    };
+    readBody(req, res, resolved, "application/json", next, (contentType, body) => {
+      readBodyAsJson(req, res, next, resolved, contentType, body);
+    });
+  };
+}
+function formData(opts) {
+  const resolved = {
+    inflate: true,
+    limit: "100kb",
+    reviver: null,
+    strict: true,
+    ...opts
+  };
+  return (req, res, next) => {
+    readBody(req, res, resolved, "multipart/form-data", next, (contentType, body) => {
+      readBodyAsFormData(req, res, next, contentType, body);
+    });
+  };
+}
+function formEncoded(opts) {
+  const resolved = {
+    inflate: true,
+    limit: "100kb",
+    reviver: null,
+    strict: true,
+    ...opts
+  };
+  return (req, res, next) => {
+    readBody(req, res, resolved, "application/x-www-form-urlencoded", next, (contentType, body) => {
+      readBodyAsFormEncoded(req, res, next, contentType, body);
+    });
+  };
+}
+function parseBody(opts) {
+  const resolved = {
+    inflate: true,
+    limit: "100kb",
+    reviver: null,
+    strict: true,
+    ...opts
+  };
+  return (req, res, next) => {
+    readBody(req, res, resolved, null, next, (contentType, body) => {
+      const mimetype = contentType.split(";")[0].trim();
+      if (!BODY_READERS[mimetype])
+        return res.status(415).send("Unsupported Media Type");
+      BODY_READERS[mimetype](req, res, next, resolved, contentType, body);
+    });
+  };
+}
+async function* streamFormData(req, opts) {
+  const maxSize = (opts?.limit !== void 0 ? readSize(opts.limit) : 0) || 102400;
+  const chunks = [];
+  let totalSize = 0;
+  for await (const chunk of req) {
+    totalSize += chunk.length;
+    if (totalSize > maxSize) throw { status: 413, message: "Content Too Large" };
+    chunks.push(chunk);
+  }
+  const body = Buffer.concat(chunks);
+  const contentType = req.headers["content-type"] ?? "";
+  const parts = parseMultipartBody(contentType, body);
+  for (const part of parts) {
+    yield { headers: part.headers, stream: import_stream.Readable.from(part.content) };
+  }
+}
+var STATUS_COLORS = [
+  "\x1B[0m",
+  // 0 — fallback / unknown
+  "\x1B[33m",
+  // 1xx — informational (yellow)
+  "\x1B[32m",
+  // 2xx — success (green)
+  "\x1B[33m",
+  // 3xx — redirection (yellow)
+  "\x1B[31m",
+  // 4xx — client error (red)
+  "\x1B[91m"
+  // 5xx — server error (bright red)
+];
+var ANSI_RESET = "\x1B[0m";
+function logger(opts) {
+  const options = opts ?? {};
+  const log = options.logger ?? console.log;
+  const formatter = new Intl.DateTimeFormat(
+    options.locale ?? "en-GB",
+    options.dateFormat ?? {
+      month: "short",
+      day: "2-digit",
+      hour: "2-digit",
+      minute: "2-digit"
+    }
+  );
+  return (req, res, next) => {
+    const timestamp = formatter.format(/* @__PURE__ */ new Date());
+    const requestPath = req.path ?? req.url ?? "/";
+    const ip = req.ip ?? "";
+    const user = options.user?.(req) ?? "-";
+    const receivedAt = Date.now();
+    const tracker = options.track === true ? setTimeout(() => {
+      log(`${timestamp} LOST ${req.method} ${requestPath} ${ip} <${user}>`);
+    }, options.trackTimeout ?? 3e4) : null;
+    res.on("finish", () => {
+      if (tracker !== null) clearTimeout(tracker);
+      const host = req.headers.host;
+      const elapsed = Date.now() - receivedAt;
+      const statusClass = Math.floor(res.statusCode / 100);
+      const colour = STATUS_COLORS[statusClass] ?? STATUS_COLORS[0];
+      const statusStr = `${colour}${res.statusCode}${ANSI_RESET}`;
+      const contentLen = res.getHeader("content-length") ?? "-";
+      if (options.json === true)
+        log({
+          timestamp,
+          status: res.statusCode,
+          method: req.method,
+          path: requestPath,
+          ip,
+          user,
+          elapsed,
+          host,
+          length: contentLen
+        });
+      else
+        log(`${timestamp} ${statusStr} ${req.method} ${requestPath} ${ip} <${user}> ${elapsed}ms (${contentLen})`);
+    });
+    next();
+  };
+}
+function cors(opts) {
+  const options = {
+    origin: opts?.origin || "*",
+    allowHeaders: opts?.allowHeaders || "Accept, Content-Type, Authorization",
+    allowMethods: opts?.allowMethods || "GET,HEAD,PUT,PATCH,POST,DELETE",
+    allowCredentials: opts?.allowCredentials,
+    maxAge: opts?.maxAge,
+    vary: opts?.vary,
+    optionsStatus: opts?.optionsStatus || 204,
+    preflight: opts?.preflight
+  };
+  return (req, res, next) => {
+    if (options.preflight && !options.preflight(req)) {
+      res.status(req.method == "OPTIONS" ? 403 : 400).end();
+      return;
+    }
+    if (req.headers.origin) {
+      res.setHeader("Access-Control-Allow-Origin", options.origin);
+      if (options.vary !== void 0)
+        res.setHeader("Vary", options.vary);
+    }
+    if (req.method == "OPTIONS") {
+      res.setHeader("Access-Control-Allow-Headers", options.allowHeaders);
+      res.setHeader("Access-Control-Allow-Methods", options.allowMethods);
+      if (options.allowCredentials !== void 0)
+        res.setHeader("Access-Control-Allow-Credentials", options.allowCredentials ? "true" : "false");
+      if (options.maxAge !== void 0)
+        res.setHeader("Access-Control-Max-Age", options.maxAge.toFixed(0));
+      res.status(options.optionsStatus).end();
+      return;
+    }
+    next();
+  };
+}
+
+// src/static.ts
+var import_fs = __toESM(require("fs"), 1);
+var import_path = __toESM(require("path"), 1);
+
+// src/mimetypes.json
+var mimetypes_default = { "application/andrew-inset": ["ez"], "application/applixware": ["aw"], "application/atom+xml": ["atom"], "application/atomcat+xml": ["atomcat"], "application/atomsvc+xml": ["atomsvc"], "application/bdoc": ["bdoc"], "application/ccxml+xml": ["ccxml"], "application/cdmi-capability": ["cdmia"], "application/cdmi-container": ["cdmic"], "application/cdmi-domain": ["cdmid"], "application/cdmi-object": ["cdmio"], "application/cdmi-queue": ["cdmiq"], "application/cu-seeme": ["cu"], "application/dash+xml": ["mpd"], "application/davmount+xml": ["davmount"], "application/docbook+xml": ["dbk"], "application/dssc+der": ["dssc"], "application/dssc+xml": ["xdssc"], "application/ecmascript": ["ecma"], "application/emma+xml": ["emma"], "application/epub+zip": ["epub"], "application/exi": ["exi"], "application/font-tdpfr": ["pfr"], "application/font-woff": [], "application/font-woff2": [], "application/geo+json": ["geojson"], "application/gml+xml": ["gml"], "application/gpx+xml": ["gpx"], "application/gxf": ["gxf"], "application/gzip": ["gz"], "application/hyperstudio": ["stk"], "application/inkml+xml": ["ink", "inkml"], "application/ipfix": ["ipfix"], "application/java-archive": ["jar", "war", "ear"], "application/java-serialized-object": ["ser"], "application/java-vm": ["class"], "application/javascript": ["js", "mjs"], "application/json": ["json", "map"], "application/json5": ["json5"], "application/jsonml+json": ["jsonml"], "application/ld+json": ["jsonld"], "application/lost+xml": ["lostxml"], "application/mac-binhex40": ["hqx"], "application/mac-compactpro": ["cpt"], "application/mads+xml": ["mads"], "application/manifest+json": ["webmanifest"], "application/marc": ["mrc"], "application/marcxml+xml": ["mrcx"], "application/mathematica": ["ma", "nb", "mb"], "application/mathml+xml": ["mathml"], "application/mbox": ["mbox"], "application/mediaservercontrol+xml": ["mscml"], "application/metalink+xml": ["metalink"], "application/metalink4+xml": ["meta4"], "application/mets+xml": ["mets"], "application/mods+xml": ["mods"], "application/mp21": ["m21", "mp21"], "application/mp4": ["mp4s", "m4p"], "application/msword": ["doc", "dot"], "application/mxf": ["mxf"], "application/octet-stream": ["bin", "dms", "lrf", "mar", "so", "dist", "distz", "pkg", "bpk", "dump", "elc", "deploy", "exe", "dll", "deb", "dmg", "iso", "img", "msi", "msp", "msm", "buffer"], "application/oda": ["oda"], "application/oebps-package+xml": ["opf"], "application/ogg": ["ogx"], "application/omdoc+xml": ["omdoc"], "application/onenote": ["onetoc", "onetoc2", "onetmp", "onepkg"], "application/oxps": ["oxps"], "application/patch-ops-error+xml": ["xer"], "application/pdf": ["pdf"], "application/pgp-encrypted": ["pgp"], "application/pgp-signature": ["asc", "sig"], "application/pics-rules": ["prf"], "application/pkcs10": ["p10"], "application/pkcs7-mime": ["p7m", "p7c"], "application/pkcs7-signature": ["p7s"], "application/pkcs8": ["p8"], "application/pkix-attr-cert": ["ac"], "application/pkix-cert": ["cer"], "application/pkix-crl": ["crl"], "application/pkix-pkipath": ["pkipath"], "application/pkixcmp": ["pki"], "application/pls+xml": ["pls"], "application/postscript": ["ai", "eps", "ps"], "application/prs.cww": ["cww"], "application/pskc+xml": ["pskcxml"], "application/raml+yaml": ["raml"], "application/rdf+xml": ["rdf"], "application/reginfo+xml": ["rif"], "application/relax-ng-compact-syntax": ["rnc"], "application/resource-lists+xml": ["rl"], "application/resource-lists-diff+xml": ["rld"], "application/rls-services+xml": ["rs"], "application/rpki-ghostbusters": ["gbr"], "application/rpki-manifest": ["mft"], "application/rpki-roa": ["roa"], "application/rsd+xml": ["rsd"], "application/rss+xml": ["rss"], "application/rtf": ["rtf"], "application/sbml+xml": ["sbml"], "application/scvp-cv-request": ["scq"], "application/scvp-cv-response": ["scs"], "application/scvp-vp-request": ["spq"], "application/scvp-vp-response": ["spp"], "application/sdp": ["sdp"], "application/set-payment-initiation": ["setpay"], "application/set-registration-initiation": ["setreg"], "application/shf+xml": ["shf"], "application/smil+xml": ["smi", "smil"], "application/sparql-query": ["rq"], "application/sparql-results+xml": ["srx"], "application/srgs": ["gram"], "application/srgs+xml": ["grxml"], "application/sru+xml": ["sru"], "application/ssdl+xml": ["ssdl"], "application/ssml+xml": ["ssml"], "application/tei+xml": ["tei", "teicorpus"], "application/thraud+xml": ["tfi"], "application/timestamped-data": ["tsd"], "application/vnd.3gpp.pic-bw-large": ["plb"], "application/vnd.3gpp.pic-bw-small": ["psb"], "application/vnd.3gpp.pic-bw-var": ["pvb"], "application/vnd.3gpp2.tcap": ["tcap"], "application/vnd.3m.post-it-notes": ["pwn"], "application/vnd.accpac.simply.aso": ["aso"], "application/vnd.accpac.simply.imp": ["imp"], "application/vnd.acucobol": ["acu"], "application/vnd.acucorp": ["atc", "acutc"], "application/vnd.adobe.air-application-installer-package+zip": ["air"], "application/vnd.adobe.formscentral.fcdt": ["fcdt"], "application/vnd.adobe.fxp": ["fxp", "fxpl"], "application/vnd.adobe.xdp+xml": ["xdp"], "application/vnd.adobe.xfdf": ["xfdf"], "application/vnd.ahead.space": ["ahead"], "application/vnd.airzip.filesecure.azf": ["azf"], "application/vnd.airzip.filesecure.azs": ["azs"], "application/vnd.amazon.ebook": ["azw"], "application/vnd.americandynamics.acc": ["acc"], "application/vnd.amiga.ami": ["ami"], "application/vnd.android.package-archive": ["apk"], "application/vnd.anser-web-certificate-issue-initiation": ["cii"], "application/vnd.anser-web-funds-transfer-initiation": ["fti"], "application/vnd.antix.game-component": ["atx"], "application/vnd.apple.installer+xml": ["mpkg"], "application/vnd.apple.mpegurl": ["m3u8"], "application/vnd.apple.pkpass": ["pkpass"], "application/vnd.aristanetworks.swi": ["swi"], "application/vnd.astraea-software.iota": ["iota"], "application/vnd.audiograph": ["aep"], "application/vnd.blueice.multipass": ["mpm"], "application/vnd.bmi": ["bmi"], "application/vnd.businessobjects": ["rep"], "application/vnd.chemdraw+xml": ["cdxml"], "application/vnd.chipnuts.karaoke-mmd": ["mmd"], "application/vnd.cinderella": ["cdy"], "application/vnd.claymore": ["cla"], "application/vnd.cloanto.rp9": ["rp9"], "application/vnd.clonk.c4group": ["c4g", "c4d", "c4f", "c4p", "c4u"], "application/vnd.cluetrust.cartomobile-config": ["c11amc"], "application/vnd.cluetrust.cartomobile-config-pkg": ["c11amz"], "application/vnd.commonspace": ["csp"], "application/vnd.contact.cmsg": ["cdbcmsg"], "application/vnd.cosmocaller": ["cmc"], "application/vnd.crick.clicker": ["clkx"], "application/vnd.crick.clicker.keyboard": ["clkk"], "application/vnd.crick.clicker.palette": ["clkp"], "application/vnd.crick.clicker.template": ["clkt"], "application/vnd.crick.clicker.wordbank": ["clkw"], "application/vnd.criticaltools.wbs+xml": ["wbs"], "application/vnd.ctc-posml": ["pml"], "application/vnd.cups-ppd": ["ppd"], "application/vnd.curl.car": ["car"], "application/vnd.curl.pcurl": ["pcurl"], "application/vnd.dart": ["dart"], "application/vnd.data-vision.rdz": ["rdz"], "application/vnd.dece.data": ["uvf", "uvvf", "uvd", "uvvd"], "application/vnd.dece.ttml+xml": ["uvt", "uvvt"], "application/vnd.dece.unspecified": ["uvx", "uvvx"], "application/vnd.dece.zip": ["uvz", "uvvz"], "application/vnd.denovo.fcselayout-link": ["fe_launch"], "application/vnd.dna": ["dna"], "application/vnd.dolby.mlp": ["mlp"], "application/vnd.dpgraph": ["dpg"], "application/vnd.dreamfactory": ["dfac"], "application/vnd.ds-keypoint": ["kpxx"], "application/vnd.dvb.ait": ["ait"], "application/vnd.dvb.service": ["svc"], "application/vnd.dynageo": ["geo"], "application/vnd.ecowin.chart": ["mag"], "application/vnd.enliven": ["nml"], "application/vnd.epson.esf": ["esf"], "application/vnd.epson.msf": ["msf"], "application/vnd.epson.quickanime": ["qam"], "application/vnd.epson.salt": ["slt"], "application/vnd.epson.ssf": ["ssf"], "application/vnd.eszigno3+xml": ["es3", "et3"], "application/vnd.ezpix-album": ["ez2"], "application/vnd.ezpix-package": ["ez3"], "application/vnd.fdf": ["fdf"], "application/vnd.fdsn.mseed": ["mseed"], "application/vnd.fdsn.seed": ["seed", "dataless"], "application/vnd.flographit": ["gph"], "application/vnd.fluxtime.clip": ["ftc"], "application/vnd.framemaker": ["fm", "frame", "maker", "book"], "application/vnd.frogans.fnc": ["fnc"], "application/vnd.frogans.ltf": ["ltf"], "application/vnd.fsc.weblaunch": ["fsc"], "application/vnd.fujitsu.oasys": ["oas"], "application/vnd.fujitsu.oasys2": ["oa2"], "application/vnd.fujitsu.oasys3": ["oa3"], "application/vnd.fujitsu.oasysgp": ["fg5"], "application/vnd.fujitsu.oasysprs": ["bh2"], "application/vnd.fujixerox.ddd": ["ddd"], "application/vnd.fujixerox.docuworks": ["xdw"], "application/vnd.fujixerox.docuworks.binder": ["xbd"], "application/vnd.fuzzysheet": ["fzs"], "application/vnd.genomatix.tuxedo": ["txd"], "application/vnd.geogebra.file": ["ggb"], "application/vnd.geogebra.tool": ["ggt"], "application/vnd.geometry-explorer": ["gex", "gre"], "application/vnd.geonext": ["gxt"], "application/vnd.geoplan": ["g2w"], "application/vnd.geospace": ["g3w"], "application/vnd.gmx": ["gmx"], "application/vnd.google-apps.document": ["gdoc"], "application/vnd.google-apps.presentation": ["gslides"], "application/vnd.google-apps.spreadsheet": ["gsheet"], "application/vnd.google-earth.kml+xml": ["kml"], "application/vnd.google-earth.kmz": ["kmz"], "application/vnd.grafeq": ["gqf", "gqs"], "application/vnd.groove-account": ["gac"], "application/vnd.groove-help": ["ghf"], "application/vnd.groove-identity-message": ["gim"], "application/vnd.groove-injector": ["grv"], "application/vnd.groove-tool-message": ["gtm"], "application/vnd.groove-tool-template": ["tpl"], "application/vnd.groove-vcard": ["vcg"], "application/vnd.hal+xml": ["hal"], "application/vnd.handheld-entertainment+xml": ["zmm"], "application/vnd.hbci": ["hbci"], "application/vnd.hhe.lesson-player": ["les"], "application/vnd.hp-hpgl": ["hpgl"], "application/vnd.hp-hpid": ["hpid"], "application/vnd.hp-hps": ["hps"], "application/vnd.hp-jlyt": ["jlt"], "application/vnd.hp-pcl": ["pcl"], "application/vnd.hp-pclxl": ["pclxl"], "application/vnd.hydrostatix.sof-data": ["sfd-hdstx"], "application/vnd.ibm.minipay": ["mpy"], "application/vnd.ibm.modcap": ["afp", "listafp", "list3820"], "application/vnd.ibm.rights-management": ["irm"], "application/vnd.ibm.secure-container": ["sc"], "application/vnd.iccprofile": ["icc", "icm"], "application/vnd.igloader": ["igl"], "application/vnd.immervision-ivp": ["ivp"], "application/vnd.immervision-ivu": ["ivu"], "application/vnd.insors.igm": ["igm"], "application/vnd.intercon.formnet": ["xpw", "xpx"], "application/vnd.intergeo": ["i2g"], "application/vnd.intu.qbo": ["qbo"], "application/vnd.intu.qfx": ["qfx"], "application/vnd.ipunplugged.rcprofile": ["rcprofile"], "application/vnd.irepository.package+xml": ["irp"], "application/vnd.is-xpr": ["xpr"], "application/vnd.isac.fcs": ["fcs"], "application/vnd.jam": ["jam"], "application/vnd.jcp.javame.midlet-rms": ["rms"], "application/vnd.jisp": ["jisp"], "application/vnd.joost.joda-archive": ["joda"], "application/vnd.kahootz": ["ktz", "ktr"], "application/vnd.kde.karbon": ["karbon"], "application/vnd.kde.kchart": ["chrt"], "application/vnd.kde.kformula": ["kfo"], "application/vnd.kde.kivio": ["flw"], "application/vnd.kde.kontour": ["kon"], "application/vnd.kde.kpresenter": ["kpr", "kpt"], "application/vnd.kde.kspread": ["ksp"], "application/vnd.kde.kword": ["kwd", "kwt"], "application/vnd.kenameaapp": ["htke"], "application/vnd.kidspiration": ["kia"], "application/vnd.kinar": ["kne", "knp"], "application/vnd.koan": ["skp", "skd", "skt", "skm"], "application/vnd.kodak-descriptor": ["sse"], "application/vnd.las.las+xml": ["lasxml"], "application/vnd.llamagraphics.life-balance.desktop": ["lbd"], "application/vnd.llamagraphics.life-balance.exchange+xml": ["lbe"], "application/vnd.lotus-1-2-3": ["123"], "application/vnd.lotus-approach": ["apr"], "application/vnd.lotus-freelance": ["pre"], "application/vnd.lotus-notes": ["nsf"], "application/vnd.lotus-organizer": ["org"], "application/vnd.lotus-screencam": ["scm"], "application/vnd.lotus-wordpro": ["lwp"], "application/vnd.macports.portpkg": ["portpkg"], "application/vnd.mcd": ["mcd"], "application/vnd.medcalcdata": ["mc1"], "application/vnd.mediastation.cdkey": ["cdkey"], "application/vnd.mfer": ["mwf"], "application/vnd.mfmp": ["mfm"], "application/vnd.micrografx.flo": ["flo"], "application/vnd.micrografx.igx": ["igx"], "application/vnd.mif": ["mif"], "application/vnd.mobius.daf": ["daf"], "application/vnd.mobius.dis": ["dis"], "application/vnd.mobius.mbk": ["mbk"], "application/vnd.mobius.mqy": ["mqy"], "application/vnd.mobius.msl": ["msl"], "application/vnd.mobius.plc": ["plc"], "application/vnd.mobius.txf": ["txf"], "application/vnd.mophun.application": ["mpn"], "application/vnd.mophun.certificate": ["mpc"], "application/vnd.mozilla.xul+xml": ["xul"], "application/vnd.ms-artgalry": ["cil"], "application/vnd.ms-cab-compressed": ["cab"], "application/vnd.ms-excel": ["xls", "xlm", "xla", "xlc", "xlt", "xlw"], "application/vnd.ms-excel.addin.macroenabled.12": ["xlam"], "application/vnd.ms-excel.sheet.binary.macroenabled.12": ["xlsb"], "application/vnd.ms-excel.sheet.macroenabled.12": ["xlsm"], "application/vnd.ms-excel.template.macroenabled.12": ["xltm"], "application/vnd.ms-fontobject": ["eot"], "application/vnd.ms-htmlhelp": ["chm"], "application/vnd.ms-ims": ["ims"], "application/vnd.ms-lrm": ["lrm"], "application/vnd.ms-officetheme": ["thmx"], "application/vnd.ms-outlook": ["msg"], "application/vnd.ms-pki.seccat": ["cat"], "application/vnd.ms-pki.stl": ["stl"], "application/vnd.ms-powerpoint": ["ppt", "pps", "pot"], "application/vnd.ms-powerpoint.addin.macroenabled.12": ["ppam"], "application/vnd.ms-powerpoint.presentation.macroenabled.12": ["pptm"], "application/vnd.ms-powerpoint.slide.macroenabled.12": ["sldm"], "application/vnd.ms-powerpoint.slideshow.macroenabled.12": ["ppsm"], "application/vnd.ms-powerpoint.template.macroenabled.12": ["potm"], "application/vnd.ms-project": ["mpp", "mpt"], "application/vnd.ms-word.document.macroenabled.12": ["docm"], "application/vnd.ms-word.template.macroenabled.12": ["dotm"], "application/vnd.ms-works": ["wps", "wks", "wcm", "wdb"], "application/vnd.ms-wpl": ["wpl"], "application/vnd.ms-xpsdocument": ["xps"], "application/vnd.mseq": ["mseq"], "application/vnd.musician": ["mus"], "application/vnd.muvee.style": ["msty"], "application/vnd.mynfc": ["taglet"], "application/vnd.neurolanguage.nlu": ["nlu"], "application/vnd.nitf": ["ntf", "nitf"], "application/vnd.noblenet-directory": ["nnd"], "application/vnd.noblenet-sealer": ["nns"], "application/vnd.noblenet-web": ["nnw"], "application/vnd.nokia.n-gage.data": ["ngdat"], "application/vnd.nokia.n-gage.symbian.install": ["n-gage"], "application/vnd.nokia.radio-preset": ["rpst"], "application/vnd.nokia.radio-presets": ["rpss"], "application/vnd.novadigm.edm": ["edm"], "application/vnd.novadigm.edx": ["edx"], "application/vnd.novadigm.ext": ["ext"], "application/vnd.oasis.opendocument.chart": ["odc"], "application/vnd.oasis.opendocument.chart-template": ["otc"], "application/vnd.oasis.opendocument.database": ["odb"], "application/vnd.oasis.opendocument.formula": ["odf"], "application/vnd.oasis.opendocument.formula-template": ["odft"], "application/vnd.oasis.opendocument.graphics": ["odg"], "application/vnd.oasis.opendocument.graphics-template": ["otg"], "application/vnd.oasis.opendocument.image": ["odi"], "application/vnd.oasis.opendocument.image-template": ["oti"], "application/vnd.oasis.opendocument.presentation": ["odp"], "application/vnd.oasis.opendocument.presentation-template": ["otp"], "application/vnd.oasis.opendocument.spreadsheet": ["ods"], "application/vnd.oasis.opendocument.spreadsheet-template": ["ots"], "application/vnd.oasis.opendocument.text": ["odt"], "application/vnd.oasis.opendocument.text-master": ["odm"], "application/vnd.oasis.opendocument.text-template": ["ott"], "application/vnd.oasis.opendocument.text-web": ["oth"], "application/vnd.olpc-sugar": ["xo"], "application/vnd.oma.dd2+xml": ["dd2"], "application/vnd.openofficeorg.extension": ["oxt"], "application/vnd.openxmlformats-officedocument.presentationml.presentation": ["pptx"], "application/vnd.openxmlformats-officedocument.presentationml.slide": ["sldx"], "application/vnd.openxmlformats-officedocument.presentationml.slideshow": ["ppsx"], "application/vnd.openxmlformats-officedocument.presentationml.template": ["potx"], "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet": ["xlsx"], "application/vnd.openxmlformats-officedocument.spreadsheetml.template": ["xltx"], "application/vnd.openxmlformats-officedocument.wordprocessingml.document": ["docx"], "application/vnd.openxmlformats-officedocument.wordprocessingml.template": ["dotx"], "application/vnd.osgeo.mapguide.package": ["mgp"], "application/vnd.osgi.dp": ["dp"], "application/vnd.osgi.subsystem": ["esa"], "application/vnd.palm": ["pdb", "pqa", "oprc"], "application/vnd.pawaafile": ["paw"], "application/vnd.pg.format": ["str"], "application/vnd.pg.osasli": ["ei6"], "application/vnd.picsel": ["efif"], "application/vnd.pmi.widget": ["wg"], "application/vnd.pocketlearn": ["plf"], "application/vnd.powerbuilder6": ["pbd"], "application/vnd.previewsystems.box": ["box"], "application/vnd.proteus.magazine": ["mgz"], "application/vnd.publishare-delta-tree": ["qps"], "application/vnd.pvi.ptid1": ["ptid"], "application/vnd.quark.quarkxpress": ["qxd", "qxt", "qwd", "qwt", "qxl", "qxb"], "application/vnd.realvnc.bed": ["bed"], "application/vnd.recordare.musicxml": ["mxl"], "application/vnd.recordare.musicxml+xml": ["musicxml"], "application/vnd.rig.cryptonote": ["cryptonote"], "application/vnd.rim.cod": ["cod"], "application/vnd.rn-realmedia": ["rm"], "application/vnd.rn-realmedia-vbr": ["rmvb"], "application/vnd.route66.link66+xml": ["link66"], "application/vnd.sailingtracker.track": ["st"], "application/vnd.seemail": ["see"], "application/vnd.sema": ["sema"], "application/vnd.semd": ["semd"], "application/vnd.semf": ["semf"], "application/vnd.shana.informed.formdata": ["ifm"], "application/vnd.shana.informed.formtemplate": ["itp"], "application/vnd.shana.informed.interchange": ["iif"], "application/vnd.shana.informed.package": ["ipk"], "application/vnd.simtech-mindmapper": ["twd", "twds"], "application/vnd.smaf": ["mmf"], "application/vnd.smart.teacher": ["teacher"], "application/vnd.solent.sdkm+xml": ["sdkm", "sdkd"], "application/vnd.spotfire.dxp": ["dxp"], "application/vnd.spotfire.sfs": ["sfs"], "application/vnd.stardivision.calc": ["sdc"], "application/vnd.stardivision.draw": ["sda"], "application/vnd.stardivision.impress": ["sdd"], "application/vnd.stardivision.math": ["smf"], "application/vnd.stardivision.writer": ["sdw", "vor"], "application/vnd.stardivision.writer-global": ["sgl"], "application/vnd.stepmania.package": ["smzip"], "application/vnd.stepmania.stepchart": ["sm"], "application/vnd.sun.wadl+xml": ["wadl"], "application/vnd.sun.xml.calc": ["sxc"], "application/vnd.sun.xml.calc.template": ["stc"], "application/vnd.sun.xml.draw": ["sxd"], "application/vnd.sun.xml.draw.template": ["std"], "application/vnd.sun.xml.impress": ["sxi"], "application/vnd.sun.xml.impress.template": ["sti"], "application/vnd.sun.xml.math": ["sxm"], "application/vnd.sun.xml.writer": ["sxw"], "application/vnd.sun.xml.writer.global": ["sxg"], "application/vnd.sun.xml.writer.template": ["stw"], "application/vnd.sus-calendar": ["sus", "susp"], "application/vnd.svd": ["svd"], "application/vnd.symbian.install": ["sis", "sisx"], "application/vnd.syncml+xml": ["xsm"], "application/vnd.syncml.dm+wbxml": ["bdm"], "application/vnd.syncml.dm+xml": ["xdm"], "application/vnd.tao.intent-module-archive": ["tao"], "application/vnd.tcpdump.pcap": ["pcap", "cap", "dmp"], "application/vnd.tmobile-livetv": ["tmo"], "application/vnd.trid.tpt": ["tpt"], "application/vnd.triscape.mxs": ["mxs"], "application/vnd.trueapp": ["tra"], "application/vnd.ufdl": ["ufd", "ufdl"], "application/vnd.uiq.theme": ["utz"], "application/vnd.umajin": ["umj"], "application/vnd.unity": ["unityweb"], "application/vnd.uoml+xml": ["uoml"], "application/vnd.vcx": ["vcx"], "application/vnd.visio": ["vsd", "vst", "vss", "vsw"], "application/vnd.visionary": ["vis"], "application/vnd.vsf": ["vsf"], "application/vnd.wap.wbxml": ["wbxml"], "application/vnd.wap.wmlc": ["wmlc"], "application/vnd.wap.wmlscriptc": ["wmlsc"], "application/vnd.webturbo": ["wtb"], "application/vnd.wolfram.player": ["nbp"], "application/vnd.wordperfect": ["wpd"], "application/vnd.wqd": ["wqd"], "application/vnd.wt.stf": ["stf"], "application/vnd.xara": ["xar"], "application/vnd.xfdl": ["xfdl"], "application/vnd.yamaha.hv-dic": ["hvd"], "application/vnd.yamaha.hv-script": ["hvs"], "application/vnd.yamaha.hv-voice": ["hvp"], "application/vnd.yamaha.openscoreformat": ["osf"], "application/vnd.yamaha.openscoreformat.osfpvg+xml": ["osfpvg"], "application/vnd.yamaha.smaf-audio": ["saf"], "application/vnd.yamaha.smaf-phrase": ["spf"], "application/vnd.yellowriver-custom-menu": ["cmp"], "application/vnd.zul": ["zir", "zirz"], "application/vnd.zzazz.deck+xml": ["zaz"], "application/voicexml+xml": ["vxml"], "application/wasm": ["wasm"], "application/widget": ["wgt"], "application/winhlp": ["hlp"], "application/wsdl+xml": ["wsdl"], "application/wspolicy+xml": ["wspolicy"], "application/x-7z-compressed": ["7z"], "application/x-abiword": ["abw"], "application/x-ace-compressed": ["ace"], "application/x-apple-diskimage": [], "application/x-arj": ["arj"], "application/x-authorware-bin": ["aab", "x32", "u32", "vox"], "application/x-authorware-map": ["aam"], "application/x-authorware-seg": ["aas"], "application/x-bcpio": ["bcpio"], "application/x-bdoc": [], "application/x-bittorrent": ["torrent"], "application/x-blorb": ["blb", "blorb"], "application/x-bzip": ["bz"], "application/x-bzip2": ["bz2", "boz"], "application/x-cbr": ["cbr", "cba", "cbt", "cbz", "cb7"], "application/x-cdlink": ["vcd"], "application/x-cfs-compressed": ["cfs"], "application/x-chat": ["chat"], "application/x-chess-pgn": ["pgn"], "application/x-chrome-extension": ["crx"], "application/x-cocoa": ["cco"], "application/x-conference": ["nsc"], "application/x-cpio": ["cpio"], "application/x-csh": ["csh"], "application/x-debian-package": ["udeb"], "application/x-dgc-compressed": ["dgc"], "application/x-director": ["dir", "dcr", "dxr", "cst", "cct", "cxt", "w3d", "fgd", "swa"], "application/x-doom": ["wad"], "application/x-dtbncx+xml": ["ncx"], "application/x-dtbook+xml": ["dtb"], "application/x-dtbresource+xml": ["res"], "application/x-dvi": ["dvi"], "application/x-envoy": ["evy"], "application/x-eva": ["eva"], "application/x-font-bdf": ["bdf"], "application/x-font-ghostscript": ["gsf"], "application/x-font-linux-psf": ["psf"], "application/x-font-pcf": ["pcf"], "application/x-font-snf": ["snf"], "application/x-font-type1": ["pfa", "pfb", "pfm", "afm"], "application/x-freearc": ["arc"], "application/x-futuresplash": ["spl"], "application/x-gca-compressed": ["gca"], "application/x-glulx": ["ulx"], "application/x-gnumeric": ["gnumeric"], "application/x-gramps-xml": ["gramps"], "application/x-gtar": ["gtar"], "application/x-hdf": ["hdf"], "application/x-httpd-php": ["php"], "application/x-install-instructions": ["install"], "application/x-iso9660-image": [], "application/x-java-archive-diff": ["jardiff"], "application/x-java-jnlp-file": ["jnlp"], "application/x-latex": ["latex"], "application/x-lua-bytecode": ["luac"], "application/x-lzh-compressed": ["lzh", "lha"], "application/x-makeself": ["run"], "application/x-mie": ["mie"], "application/x-mobipocket-ebook": ["prc", "mobi"], "application/x-ms-application": ["application"], "application/x-ms-shortcut": ["lnk"], "application/x-ms-wmd": ["wmd"], "application/x-ms-wmz": ["wmz"], "application/x-ms-xbap": ["xbap"], "application/x-msaccess": ["mdb"], "application/x-msbinder": ["obd"], "application/x-mscardfile": ["crd"], "application/x-msclip": ["clp"], "application/x-msdos-program": [], "application/x-msdownload": ["com", "bat"], "application/x-msmediaview": ["mvb", "m13", "m14"], "application/x-msmetafile": ["wmf", "emf", "emz"], "application/x-msmoney": ["mny"], "application/x-mspublisher": ["pub"], "application/x-msschedule": ["scd"], "application/x-msterminal": ["trm"], "application/x-mswrite": ["wri"], "application/x-netcdf": ["nc", "cdf"], "application/x-ns-proxy-autoconfig": ["pac"], "application/x-nzb": ["nzb"], "application/x-perl": ["pl", "pm"], "application/x-pilot": [], "application/x-pkcs12": ["p12", "pfx"], "application/x-pkcs7-certificates": ["p7b", "spc"], "application/x-pkcs7-certreqresp": ["p7r"], "application/x-rar-compressed": ["rar"], "application/x-redhat-package-manager": ["rpm"], "application/x-research-info-systems": ["ris"], "application/x-sea": ["sea"], "application/x-sh": ["sh"], "application/x-shar": ["shar"], "application/x-shockwave-flash": ["swf"], "application/x-silverlight-app": ["xap"], "application/x-sql": ["sql"], "application/x-stuffit": ["sit"], "application/x-stuffitx": ["sitx"], "application/x-subrip": ["srt"], "application/x-sv4cpio": ["sv4cpio"], "application/x-sv4crc": ["sv4crc"], "application/x-t3vm-image": ["t3"], "application/x-tads": ["gam"], "application/x-tar": ["tar"], "application/x-tcl": ["tcl", "tk"], "application/x-tex": ["tex"], "application/x-tex-tfm": ["tfm"], "application/x-texinfo": ["texinfo", "texi"], "application/x-tgif": ["obj"], "application/x-ustar": ["ustar"], "application/x-virtualbox-hdd": ["hdd"], "application/x-virtualbox-ova": ["ova"], "application/x-virtualbox-ovf": ["ovf"], "application/x-virtualbox-vbox": ["vbox"], "application/x-virtualbox-vbox-extpack": ["vbox-extpack"], "application/x-virtualbox-vdi": ["vdi"], "application/x-virtualbox-vhd": ["vhd"], "application/x-virtualbox-vmdk": ["vmdk"], "application/x-wais-source": ["src"], "application/x-web-app-manifest+json": ["webapp"], "application/x-x509-ca-cert": ["der", "crt", "pem"], "application/x-xfig": ["fig"], "application/x-xliff+xml": ["xlf"], "application/x-xpinstall": ["xpi"], "application/x-xz": ["xz"], "application/x-zmachine": ["z1", "z2", "z3", "z4", "z5", "z6", "z7", "z8"], "application/xaml+xml": ["xaml"], "application/xcap-diff+xml": ["xdf"], "application/xenc+xml": ["xenc"], "application/xhtml+xml": ["xhtml", "xht"], "application/xml": ["xml", "xsl", "xsd", "rng"], "application/xml-dtd": ["dtd"], "application/xop+xml": ["xop"], "application/xproc+xml": ["xpl"], "application/xslt+xml": ["xslt"], "application/xspf+xml": ["xspf"], "application/xv+xml": ["mxml", "xhvml", "xvml", "xvm"], "application/yang": ["yang"], "application/yin+xml": ["yin"], "application/zip": ["zip"], "audio/3gpp": [], "audio/adpcm": ["adp"], "audio/basic": ["au", "snd"], "audio/midi": ["mid", "midi", "kar", "rmi"], "audio/mp3": [], "audio/mp4": ["m4a", "mp4a"], "audio/mpeg": ["mpga", "mp2", "mp2a", "mp3", "m2a", "m3a"], "audio/ogg": ["oga", "ogg", "spx"], "audio/s3m": ["s3m"], "audio/silk": ["sil"], "audio/vnd.dece.audio": ["uva", "uvva"], "audio/vnd.digital-winds": ["eol"], "audio/vnd.dra": ["dra"], "audio/vnd.dts": ["dts"], "audio/vnd.dts.hd": ["dtshd"], "audio/vnd.lucent.voice": ["lvp"], "audio/vnd.ms-playready.media.pya": ["pya"], "audio/vnd.nuera.ecelp4800": ["ecelp4800"], "audio/vnd.nuera.ecelp7470": ["ecelp7470"], "audio/vnd.nuera.ecelp9600": ["ecelp9600"], "audio/vnd.rip": ["rip"], "audio/wav": ["wav"], "audio/wave": [], "audio/webm": ["weba"], "audio/x-aac": ["aac"], "audio/x-aiff": ["aif", "aiff", "aifc"], "audio/x-caf": ["caf"], "audio/x-flac": ["flac"], "audio/x-m4a": [], "audio/x-matroska": ["mka"], "audio/x-mpegurl": ["m3u"], "audio/x-ms-wax": ["wax"], "audio/x-ms-wma": ["wma"], "audio/x-pn-realaudio": ["ram", "ra"], "audio/x-pn-realaudio-plugin": ["rmp"], "audio/x-realaudio": [], "audio/x-wav": [], "audio/xm": ["xm"], "chemical/x-cdx": ["cdx"], "chemical/x-cif": ["cif"], "chemical/x-cmdf": ["cmdf"], "chemical/x-cml": ["cml"], "chemical/x-csml": ["csml"], "chemical/x-xyz": ["xyz"], "font/collection": ["ttc"], "font/otf": ["otf"], "font/ttf": ["ttf"], "font/woff": ["woff"], "font/woff2": ["woff2"], "image/apng": ["apng"], "image/bmp": ["bmp"], "image/cgm": ["cgm"], "image/g3fax": ["g3"], "image/gif": ["gif"], "image/ief": ["ief"], "image/jp2": ["jp2", "jpg2"], "image/jpeg": ["jpeg", "jpg", "jpe"], "image/jpm": ["jpm"], "image/jpx": ["jpx", "jpf"], "image/ktx": ["ktx"], "image/png": ["png"], "image/prs.btif": ["btif"], "image/sgi": ["sgi"], "image/svg+xml": ["svg", "svgz"], "image/tiff": ["tiff", "tif"], "image/vnd.adobe.photoshop": ["psd"], "image/vnd.dece.graphic": ["uvi", "uvvi", "uvg", "uvvg"], "image/vnd.djvu": ["djvu", "djv"], "image/vnd.dvb.subtitle": [], "image/vnd.dwg": ["dwg"], "image/vnd.dxf": ["dxf"], "image/vnd.fastbidsheet": ["fbs"], "image/vnd.fpx": ["fpx"], "image/vnd.fst": ["fst"], "image/vnd.fujixerox.edmics-mmr": ["mmr"], "image/vnd.fujixerox.edmics-rlc": ["rlc"], "image/vnd.ms-modi": ["mdi"], "image/vnd.ms-photo": ["wdp"], "image/vnd.net-fpx": ["npx"], "image/vnd.wap.wbmp": ["wbmp"], "image/vnd.xiff": ["xif"], "image/webp": ["webp"], "image/x-3ds": ["3ds"], "image/x-cmu-raster": ["ras"], "image/x-cmx": ["cmx"], "image/x-freehand": ["fh", "fhc", "fh4", "fh5", "fh7"], "image/x-icon": ["ico"], "image/x-jng": ["jng"], "image/x-mrsid-image": ["sid"], "image/x-ms-bmp": [], "image/x-pcx": ["pcx"], "image/x-pict": ["pic", "pct"], "image/x-portable-anymap": ["pnm"], "image/x-portable-bitmap": ["pbm"], "image/x-portable-graymap": ["pgm"], "image/x-portable-pixmap": ["ppm"], "image/x-rgb": ["rgb"], "image/x-tga": ["tga"], "image/x-xbitmap": ["xbm"], "image/x-xpixmap": ["xpm"], "image/x-xwindowdump": ["xwd"], "message/rfc822": ["eml", "mime"], "model/gltf+json": ["gltf"], "model/gltf-binary": ["glb"], "model/iges": ["igs", "iges"], "model/mesh": ["msh", "mesh", "silo"], "model/vnd.collada+xml": ["dae"], "model/vnd.dwf": ["dwf"], "model/vnd.gdl": ["gdl"], "model/vnd.gtw": ["gtw"], "model/vnd.mts": ["mts"], "model/vnd.vtu": ["vtu"], "model/vrml": ["wrl", "vrml"], "model/x3d+binary": ["x3db", "x3dbz"], "model/x3d+vrml": ["x3dv", "x3dvz"], "model/x3d+xml": ["x3d", "x3dz"], "text/cache-manifest": ["appcache", "manifest"], "text/calendar": ["ics", "ifb"], "text/coffeescript": ["coffee", "litcoffee"], "text/css": ["css"], "text/csv": ["csv"], "text/hjson": ["hjson"], "text/html": ["html", "htm", "shtml"], "text/jade": ["jade"], "text/jsx": ["jsx"], "text/less": ["less"], "text/markdown": ["markdown", "md"], "text/mathml": ["mml"], "text/n3": ["n3"], "text/plain": ["txt", "text", "conf", "def", "list", "log", "in", "ini"], "text/prs.lines.tag": ["dsc"], "text/richtext": ["rtx"], "text/rtf": [], "text/sgml": ["sgml", "sgm"], "text/slim": ["slim", "slm"], "text/stylus": ["stylus", "styl"], "text/tab-separated-values": ["tsv"], "text/troff": ["t", "tr", "roff", "man", "me", "ms"], "text/turtle": ["ttl"], "text/uri-list": ["uri", "uris", "urls"], "text/vcard": ["vcard"], "text/vnd.curl": ["curl"], "text/vnd.curl.dcurl": ["dcurl"], "text/vnd.curl.mcurl": ["mcurl"], "text/vnd.curl.scurl": ["scurl"], "text/vnd.dvb.subtitle": ["sub"], "text/vnd.fly": ["fly"], "text/vnd.fmi.flexstor": ["flx"], "text/vnd.graphviz": ["gv"], "text/vnd.in3d.3dml": ["3dml"], "text/vnd.in3d.spot": ["spot"], "text/vnd.sun.j2me.app-descriptor": ["jad"], "text/vnd.wap.wml": ["wml"], "text/vnd.wap.wmlscript": ["wmls"], "text/vtt": ["vtt"], "text/x-asm": ["s", "asm"], "text/x-c": ["c", "cc", "cxx", "cpp", "h", "hh", "dic"], "text/x-component": ["htc"], "text/x-fortran": ["f", "for", "f77", "f90"], "text/x-handlebars-template": ["hbs"], "text/x-java-source": ["java"], "text/x-lua": ["lua"], "text/x-markdown": ["mkd"], "text/x-nfo": ["nfo"], "text/x-opml": ["opml"], "text/x-org": [], "text/x-pascal": ["p", "pas"], "text/x-processing": ["pde"], "text/x-sass": ["sass"], "text/x-scss": ["scss"], "text/x-setext": ["etx"], "text/x-sfv": ["sfv"], "text/x-suse-ymp": ["ymp"], "text/x-uuencode": ["uu"], "text/x-vcalendar": ["vcs"], "text/x-vcard": ["vcf"], "text/xml": [], "text/yaml": ["yaml", "yml"], "video/3gpp": ["3gp", "3gpp"], "video/3gpp2": ["3g2"], "video/h261": ["h261"], "video/h263": ["h263"], "video/h264": ["h264"], "video/jpeg": ["jpgv"], "video/jpm": ["jpgm"], "video/mj2": ["mj2", "mjp2"], "video/mp2t": ["ts"], "video/mp4": ["mp4", "mp4v", "mpg4"], "video/mpeg": ["mpeg", "mpg", "mpe", "m1v", "m2v"], "video/ogg": ["ogv"], "video/quicktime": ["qt", "mov"], "video/vnd.dece.hd": ["uvh", "uvvh"], "video/vnd.dece.mobile": ["uvm", "uvvm"], "video/vnd.dece.pd": ["uvp", "uvvp"], "video/vnd.dece.sd": ["uvs", "uvvs"], "video/vnd.dece.video": ["uvv", "uvvv"], "video/vnd.dvb.file": ["dvb"], "video/vnd.fvt": ["fvt"], "video/vnd.mpegurl": ["mxu", "m4u"], "video/vnd.ms-playready.media.pyv": ["pyv"], "video/vnd.uvvu.mp4": ["uvu", "uvvu"], "video/vnd.vivo": ["viv"], "video/webm": ["webm"], "video/x-f4v": ["f4v"], "video/x-fli": ["fli"], "video/x-flv": ["flv"], "video/x-m4v": ["m4v"], "video/x-matroska": ["mkv", "mk3d", "mks"], "video/x-mng": ["mng"], "video/x-ms-asf": ["asf", "asx"], "video/x-ms-vob": ["vob"], "video/x-ms-wm": ["wm"], "video/x-ms-wmv": ["wmv"], "video/x-ms-wmx": ["wmx"], "video/x-ms-wvx": ["wvx"], "video/x-msvideo": ["avi"], "video/x-sgi-movie": ["movie"], "video/x-smv": ["smv"], "x-conference/x-cooltalk": ["ice"] };
+
+// src/static.ts
+var mime_types = /* @__PURE__ */ new Map();
+var mime_extensions = /* @__PURE__ */ new Map();
+function mime_define(map) {
+  for (var type in map) {
+    var exts = map[type];
+    for (var i = 0; i < exts.length; i++)
+      mime_types.set(exts[i], type);
+    if (!mime_extensions.has(type))
+      mime_extensions.set(type, exts[0]);
+  }
+}
+var mime = {
+  lookup: (path2, fallback = null) => mime_types.get(path2.replace(/^.*[\.\/\\]/, "").toLowerCase()) ?? fallback ?? "application/octet-stream",
+  charsets: (mimeType) => /^text\/|^application\/(javascript|json)/.test(mimeType) ? "UTF-8" : null
+};
+mime_define(mimetypes_default);
+var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
+var DEFAULT_OPTIONS = {
+  headers: {
+    "Content-Security-Policy": "default-src 'self'",
+    "X-Content-Type-Options": "nosniff"
+  },
+  fallthrough: false,
+  maxage: 0,
+  immutable: false,
+  etag: true,
+  lastModified: true,
+  contentType: null,
+  dotfiles: "hide",
+  redirect: true,
+  indexOf: false
+};
+var HTTP = {
+  /** 304 Not Modified — sent for conditional GET cache hits. */
+  NOT_MODIFIED: (res, opts) => {
+    res.status(304, opts.headers).end();
+  },
+  /** 403 Forbidden — sent for denied dot-files or path traversal attempts. */
+  FORBIDDEN: (res, opts) => res.status(403, opts.headers).send("Forbidden"),
+  /** 404 Not Found — sent when the requested file does not exist. */
+  NOT_FOUND: (res, opts) => res.status(404, opts.headers).send("Not Found"),
+  /**
+   * 405 Method Not Allowed — sent when the HTTP method is neither GET nor
+   * HEAD and {@link ResolvedOptions.fallthrough} is `false`.
+   * Always includes an `Allow: GET, HEAD` header per RFC 7231 §6.5.5.
+   */
+  NOT_ALLOWED: (res, opts) => {
+    res.status(405, { ...opts.headers, Allow: "GET, HEAD" }).end();
+  },
+  /** 412 Precondition Failed — sent when `If-Match` / `If-Unmodified-Since` fails. */
+  PRECONDITION_FAILS: (res, opts) => res.status(412, opts.headers).send("Precondition Failed"),
+  /** 500 Internal Server Error — sent on unexpected filesystem or stream errors. */
+  INTERNAL_ERROR: (res, opts, err) => res.status(500, opts.headers).send(`Internal error: ${err}`)
+};
+function destroyReadStream(stream) {
+  stream.destroy();
+  if (typeof stream.close === "function") {
+    stream.on("open", () => {
+      if (typeof stream.fd === "number")
+        stream.close();
+    });
+  }
+}
+function removeContentHeaders(res) {
+  const keys = Object.keys(res.getHeaders() ?? {});
+  for (const key of keys) {
+    if (key.startsWith("content-") && key !== "content-location")
+      res.removeHeader(key);
+  }
+}
+function createETag(stat) {
+  const mtime = stat.mtime.getTime().toString(16);
+  const size = stat.size.toString(16);
+  return `W/"${size}-${mtime}"`;
+}
+function parseTokenList(str) {
+  const list = [];
+  let start = 0;
+  let end = 0;
+  for (let i = 0, len = str.length; i < len; i++) {
+    const ch = str.charCodeAt(i);
+    if (ch === 32) {
+      if (start === end) start = end = i + 1;
+    } else if (ch === 44) {
+      list.push(str.substring(start, end));
+      start = end = i + 1;
+    } else {
+      end = i + 1;
+    }
+  }
+  list.push(str.substring(start, end));
+  return list;
+}
+function parseHttpDate(date) {
+  const timestamp = date ? Date.parse(date) : NaN;
+  return typeof timestamp === "number" ? timestamp : NaN;
+}
+function conditionMatch(reqHeaders, resHeaders) {
+  const match = reqHeaders["if-match"];
+  if (match) {
+    const etag = resHeaders["etag"];
+    if (match === "*" || match === etag) return true;
+    for (const tag of parseTokenList(match)) {
+      if (tag === etag || `W/${tag}` === etag || tag === `W/${etag}`)
+        return true;
+    }
+    return false;
+  }
+  const lastModified = parseHttpDate(resHeaders["last-modified"]);
+  const unmodifiedSince = parseHttpDate(reqHeaders["if-unmodified-since"]);
+  if (!isNaN(unmodifiedSince) && !isNaN(lastModified))
+    return lastModified <= unmodifiedSince;
+  return false;
+}
+function isCacheFresh(reqHeaders, resHeaders) {
+  const CACHE_CONTROL_NO_CACHE_REGEXP = /(?:^|,)\s*?no-cache\s*?(?:,|$)/;
+  const modifiedSince = reqHeaders["if-modified-since"];
+  const noneMatch = reqHeaders["if-none-match"];
+  if (!modifiedSince && !noneMatch) return false;
+  const cacheControl2 = reqHeaders["cache-control"];
+  if (cacheControl2 && CACHE_CONTROL_NO_CACHE_REGEXP.test(cacheControl2))
+    return false;
+  if (noneMatch && noneMatch !== "*") {
+    const etag = resHeaders["etag"];
+    if (!etag) return false;
+    let etagStale = true;
+    for (const match of parseTokenList(noneMatch)) {
+      if (match === etag || `W/${match}` === etag || match === `W/${etag}`) {
+        etagStale = false;
+        break;
+      }
+    }
+    if (etagStale) return false;
+  }
+  if (modifiedSince) {
+    const lastModified = resHeaders["last-modified"];
+    if (!lastModified) return false;
+    if (!(parseHttpDate(lastModified) <= parseHttpDate(modifiedSince)))
+      return false;
+  }
+  return true;
+}
+function resolveOptions(root, options) {
+  if (!root)
+    throw new TypeError("root path required");
+  if (typeof root !== "string")
+    throw new TypeError("root path must be a string");
+  const mergedHeaders = { ...DEFAULT_OPTIONS.headers, ...options?.headers ?? {} };
+  const opts = { ...DEFAULT_OPTIONS, ...options, headers: mergedHeaders };
+  opts.fallthrough = options?.fallthrough !== false;
+  opts.redirect = options?.redirect !== false;
+  opts.maxage = options?.maxage ?? options?.maxAge ?? 0;
+  opts.root = import_path.default.resolve(root);
+  return opts;
+}
+function writeIndexOf(urlPath, directoryPath, parentUrlPath, queryString, callback) {
+  import_fs.default.readdir(directoryPath, (err, files) => {
+    if (err) return callback(null, err);
+    const params = new URLSearchParams(queryString.replace(/;/g, "&"));
+    const rawCol = params.get("C") ?? "N";
+    const rawOrd = params.get("O") ?? "A";
+    const col = ["N", "M", "S"].includes(rawCol) ? rawCol : "N";
+    const ord = rawOrd === "D" ? "D" : "A";
+    const entries = [];
+    for (const file of files) {
+      const fullPath = import_path.default.join(directoryPath, file);
+      let stat;
+      try {
+        stat = import_fs.default.statSync(fullPath);
+      } catch {
+        continue;
+      }
+      entries.push({ file, stat, isDir: stat.isDirectory() });
+    }
+    const sign = ord === "A" ? 1 : -1;
+    entries.sort((a, b) => {
+      if (a.isDir !== b.isDir) return a.isDir ? -1 : 1;
+      let cmp = 0;
+      if (col === "N") cmp = a.file.localeCompare(b.file);
+      else if (col === "M") cmp = a.stat.mtime.getTime() - b.stat.mtime.getTime();
+      else if (col === "S") cmp = (a.isDir ? 0 : a.stat.size) - (b.isDir ? 0 : b.stat.size);
+      return cmp * sign;
+    });
+    function thLink(c, label) {
+      const nextOrd = c === col && ord === "A" ? "D" : "A";
+      return `<a href="?C=${c};O=${nextOrd}">${label}</a>`;
+    }
+    let html = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n';
+    html += "<html>\n";
+    html += `<head><title>Index of ${urlPath}</title></head>
+`;
+    html += `<body><h1>Index of ${urlPath}</h1><table>
+`;
+    html += `<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th>${thLink("N", "Name")}</th><th>${thLink("M", "Last modified")}</th><th>${thLink("S", "Size")}</th><th><a href="?C=D;O=A">Description</a></th></tr>
+`;
+    html += '<tr><th colspan="5"><hr></th></tr>\n';
+    if (parentUrlPath)
+      html += `<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="${parentUrlPath}">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
+`;
+    for (const { file, stat, isDir } of entries) {
+      const fullPath = import_path.default.join(directoryPath, file);
+      const mimeType = mime.lookup(fullPath, "");
+      const mediaType = mimeType.includes("/") ? mimeType.split("/")[0] : "";
+      const alt = isDir ? "folder" : mediaType || "unknown";
+      const icon = `/icons/${alt}.gif`;
+      const name = file + (isDir ? "/" : "");
+      const modified = stat.mtime.toUTCString();
+      const size = isDir ? "-" : String(stat.size);
+      html += `<tr><td valign="top"><img src="${icon}" alt="[${alt.toUpperCase()}]"></td><td><a href="${name}">${name}</a></td><td align="right">${modified}</td><td align="right">${size}</td><td>&nbsp;</td></tr>
+`;
+    }
+    html += '<tr><th colspan="5"><hr></th></tr>\n';
+    html += "</table><address>Expediate/1.0.0</address></body></html>\n";
+    return callback(html, null);
+  });
+}
+function sendIt(req, res, pathname, stat, opts) {
+  const len = stat.size;
+  const etag = createETag(stat);
+  if (opts.headers) {
+    for (const [key, value] of Object.entries(opts.headers))
+      res.setHeader(key, value);
+  }
+  if (!res.getHeader("Cache-Control") && opts.maxage) {
+    let cacheControl2 = `public, max-age=${Math.floor(opts.maxage / 1e3)}`;
+    if (opts.immutable) cacheControl2 += ", immutable";
+    res.setHeader("Cache-Control", cacheControl2);
+  }
+  if (!res.getHeader("Last-Modified") && opts.lastModified !== false)
+    res.setHeader("Last-Modified", stat.mtime.toUTCString());
+  if (!res.getHeader("ETag") && opts.etag !== false)
+    res.setHeader("ETag", etag);
+  if (!res.getHeader("Content-Type")) {
+    if (opts.contentType) {
+      res.setHeader("Content-Type", opts.contentType);
+    } else {
+      const type = mime.lookup(pathname, "");
+      if (type) {
+        const charset = mime.charsets(type);
+        res.setHeader("Content-Type", charset ? `${type}; charset=${charset}` : type);
+      }
+    }
+  }
+  if (isCacheFresh(
+    req.headers,
+    res.getHeaders()
+  )) {
+    removeContentHeaders(res);
+    HTTP.NOT_MODIFIED(res, opts);
+    return;
+  }
+  const hasPrecondition = !!(req.headers["if-match"] || req.headers["if-unmodified-since"]);
+  if (hasPrecondition && !conditionMatch(
+    req.headers,
+    res.getHeaders()
+  )) {
+    HTTP.PRECONDITION_FAILS(res, opts);
+    return;
+  }
+  res.setHeader("Content-Length", len);
+  if (req.method === "HEAD") {
+    res.end();
+    return;
+  }
+  let finished = false;
+  const stream = import_fs.default.createReadStream(pathname);
+  res.on("finish", () => {
+    finished = true;
+    destroyReadStream(stream);
+  });
+  stream.on("error", (err) => {
+    if (finished) return;
+    console.warn("static stream error:", pathname, err);
+    HTTP.INTERNAL_ERROR(res, opts, err.code ?? "UNKNOWN");
+    finished = true;
+    destroyReadStream(stream);
+  });
+  stream.on("end", () => res.end());
+  stream.pipe(res);
+}
+function sendFile(req, res, pathname, opts) {
+  import_fs.default.stat(pathname, (err, stat) => {
+    if (err) {
+      if (err.code === "ENOENT" || err.code === "ENAMETOOLONG" || err.code === "ENOTDIR") return HTTP.NOT_FOUND(res, opts);
+      return HTTP.INTERNAL_ERROR(res, opts, err.code ?? "UNKNOWN");
+    }
+    if (stat.isDirectory()) {
+      if (opts.indexOf) {
+        const parentUrl = req.path !== "/" ? import_path.default.dirname(req.path) : null;
+        const queryString = (req.url ?? "").split("?")[1] ?? "";
+        return writeIndexOf(req.path, pathname, parentUrl, queryString, (html, indexErr) => {
+          if (indexErr)
+            return HTTP.INTERNAL_ERROR(res, opts, indexErr.code ?? "UNKNOWN");
+          return res.status(200, opts.headers).send(html);
+        });
+      }
+      return HTTP.NOT_FOUND(res, opts);
+    }
+    sendIt(req, res, pathname, stat, opts);
+  });
+}
+function serveStatic(root, options) {
+  const opts = resolveOptions(root, options);
+  return function(req, res, next) {
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      if (opts.fallthrough)
+        return next();
+      return HTTP.NOT_ALLOWED(res, opts);
+    }
+    const originalUrl = decodeURIComponent(req.path ?? req.url ?? "/");
+    let pathname = originalUrl;
+    if (pathname === "/" && !originalUrl.endsWith("/"))
+      pathname = "";
+    if (UP_PATH_REGEXP.test(pathname))
+      return HTTP.FORBIDDEN(res, opts);
+    pathname = import_path.default.resolve(import_path.default.normalize(`${opts.root}/${pathname}`));
+    if (opts.dotfiles !== "allow" && pathname.includes("/.")) {
+      if (opts.dotfiles === "deny")
+        return HTTP.FORBIDDEN(res, opts);
+      return HTTP.NOT_FOUND(res, opts);
+    }
+    import_fs.default.stat(pathname, (err, stat) => {
+      if (err) {
+        if (err.code === "ENOENT" || err.code === "ENAMETOOLONG" || err.code === "ENOTDIR") {
+          if (opts.fallthrough)
+            return next();
+          return HTTP.NOT_FOUND(res, opts);
+        }
+        return HTTP.INTERNAL_ERROR(res, opts, err.code ?? "UNKNOWN");
+      }
+      if (stat.isDirectory()) {
+        if (!opts.redirect) {
+          if (opts.fallthrough)
+            return next();
+          return HTTP.NOT_FOUND(res, opts);
+        }
+        return sendFile(req, res, import_path.default.join(pathname, "index.html"), opts);
+      }
+      sendIt(req, res, pathname, stat, opts);
+    });
+  };
+}
+function serveFile(filePath, options) {
+  const opts = resolveOptions(filePath, options);
+  return function(req, res, next) {
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      if (opts.fallthrough)
+        return next();
+      return HTTP.NOT_ALLOWED(res, opts);
+    }
+    const pathname = opts.root;
+    import_fs.default.stat(pathname, (err, stat) => {
+      if (err)
+        return HTTP.INTERNAL_ERROR(res, opts, err.code ?? "UNKNOWN");
+      if (stat.isDirectory())
+        return HTTP.INTERNAL_ERROR(res, opts, "EISDIR");
+      sendIt(req, res, pathname, stat, opts);
+    });
+  };
+}
+
+// src/router.ts
+function isGlobPattern(pattern) {
+  let i = 0;
+  while (i < pattern.length) {
+    const ch = pattern[i];
+    if (ch === "\\") {
+      i += 2;
+      continue;
+    }
+    if (ch === ":") {
+      i++;
+      while (i < pattern.length && /\w/.test(pattern[i])) i++;
+      if (i < pattern.length && pattern[i] === "(") {
+        let depth = 1;
+        i++;
+        while (i < pattern.length && depth > 0) {
+          if (pattern[i] === "\\") {
+            i += 2;
+            continue;
+          }
+          if (pattern[i] === "(") depth++;
+          else if (pattern[i] === ")") depth--;
+          i++;
+        }
+      }
+      continue;
+    }
+    if (ch === "*" || ch === "?") return true;
+    i++;
+  }
+  return false;
+}
+function compileGlob(glob) {
+  let src = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+  src = src.replace(/\*\*/g, "\0GLOBSTAR\0").replace(/\*/g, "[^/]*").replace(/\?/g, "[^/]").replace(/\x00GLOBSTAR\x00/g, ".*");
+  return new RegExp("^" + src);
+}
+function extractInlinePattern(str, openIdx) {
+  let depth = 0;
+  let i = openIdx;
+  for (; i < str.length; i++) {
+    if (str[i] === "\\") {
+      i++;
+      continue;
+    }
+    if (str[i] === "(") {
+      depth++;
+      continue;
+    }
+    if (str[i] === ")") {
+      depth--;
+      if (depth === 0) break;
+    }
+  }
+  if (depth !== 0)
+    throw new SyntaxError(`Unbalanced parentheses in route segment '${str}'`);
+  return { pattern: str.slice(openIdx + 1, i), closeIdx: i };
+}
+function compilePlainPath(path2) {
+  const segments = path2.split("/").filter((s) => s.length > 0);
+  const src = segments.map((seg) => {
+    if (!seg.startsWith(":"))
+      return seg.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+    const parenIdx = seg.indexOf("(", 1);
+    if (parenIdx === -1) {
+      return `(?<${seg.slice(1)}>[^/]+)`;
+    }
+    const name = seg.slice(1, parenIdx);
+    if (!name)
+      throw new SyntaxError(`Route parameter missing name before '(' in segment '${seg}'`);
+    const { pattern, closeIdx } = extractInlinePattern(seg, parenIdx);
+    if (/\(\?<[^>]+>/.test(pattern))
+      throw new SyntaxError(
+        `Inline constraint for ':${name}' must not contain named capture groups.`
+      );
+    const suffix = seg.slice(closeIdx + 1);
+    const escapedSuffix = suffix.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+    return `(?<${name}>${pattern})${escapedSuffix}`;
+  }).join("/");
+  try {
+    return new RegExp("^/?" + src + "(?=/|$)");
+  } catch (e) {
+    throw new SyntaxError(
+      `Invalid inline regex constraint in path '${path2}': ${e.message}`
+    );
+  }
+}
+function compilePattern(path2) {
+  if (path2 instanceof RegExp) return path2;
+  if (isGlobPattern(path2)) return compileGlob(path2);
+  return compilePlainPath(path2);
+}
+function buildRouteLayer(method, path2, middleware, stripPath) {
+  if (typeof middleware !== "function")
+    throw new TypeError("Incorrect middleware type: expected a function");
+  return { method, path: path2, regex: compilePattern(path2), stripPath, middleware };
+}
+function matchRouteLayer(layer, req, path2) {
+  if (layer.method && layer.method !== req.method) return false;
+  const m = layer.regex.exec(path2);
+  if (m === null) return false;
+  const captured = m.groups ?? {};
+  if (layer.stripPath) {
+    req.path = path2.slice(m[0].length) || "/";
+  }
+  req.queries.route = captured;
+  Object.assign(req.params, captured);
+  return true;
+}
+function decodeJsonCookie(raw) {
+  if (!raw.startsWith("j:")) return raw;
+  try {
+    return JSON.parse(raw.slice(2));
+  } catch {
+    return raw;
+  }
+}
+function signCookieValue(value, secret) {
+  const sig = crypto.createHmac("sha256", secret).update(value).digest("base64url");
+  return `s:${value}.${sig}`;
+}
+function verifyCookieValue(signed, secret) {
+  if (!signed.startsWith("s:")) return false;
+  const withoutPrefix = signed.slice(2);
+  const lastDot = withoutPrefix.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const value = withoutPrefix.slice(0, lastDot);
+  const received = withoutPrefix.slice(lastDot + 1);
+  const expected = crypto.createHmac("sha256", secret).update(value).digest("base64url");
+  const receivedBuf = Buffer.from(received, "base64url");
+  const expectedBuf = Buffer.from(expected, "base64url");
+  if (receivedBuf.length !== expectedBuf.length) return false;
+  if (!crypto.timingSafeEqual(receivedBuf, expectedBuf)) return false;
+  return value;
+}
+function updateHttpObjects(req, res, secret, trustProxy) {
+  const rReq = req;
+  const rRes = res;
+  if (rReq.queries) return;
+  rReq.queries = {};
+  if (trustProxy) {
+    const xff = req.headers["x-forwarded-for"];
+    const first = Array.isArray(xff) ? xff[0] : xff;
+    rReq.ip = (first ? first.split(",")[0].trim() : req.socket?.remoteAddress) ?? "";
+  } else {
+    rReq.ip = req.socket?.remoteAddress ?? "";
+  }
+  const qry = new URL(`http://${req.headers.host}${req.url}`);
+  rReq.originalUrl = req.url;
+  rReq.path = qry.pathname;
+  const urlParams = {};
+  for (const [key, value] of qry.searchParams.entries()) {
+    const existing = urlParams[key];
+    if (existing === void 0) {
+      urlParams[key] = value;
+    } else if (Array.isArray(existing)) {
+      existing.push(value);
+    } else {
+      urlParams[key] = [existing, value];
+    }
+  }
+  rReq.queries.url = urlParams;
+  const flatParams = {};
+  for (const [key, value] of Object.entries(urlParams)) {
+    flatParams[key] = Array.isArray(value) ? value[0] : value;
+  }
+  rReq.params = flatParams;
+  if (rReq.cookies == null) {
+    rReq.cookies = {};
+    if (req.headers.cookie) {
+      for (const part of req.headers.cookie.split(";")) {
+        const eqIdx = part.indexOf("=");
+        if (eqIdx === -1) continue;
+        const name = part.slice(0, eqIdx).trim();
+        const rawVal = part.slice(eqIdx + 1).trim();
+        if (rawVal.startsWith("s:")) {
+          if (secret) {
+            const inner = verifyCookieValue(rawVal, secret);
+            if (inner === false) continue;
+            rReq.cookies[name] = decodeJsonCookie(inner);
+          } else {
+            rReq.cookies[name] = rawVal;
+          }
+        } else {
+          rReq.cookies[name] = decodeJsonCookie(rawVal);
+        }
+      }
+    }
+  }
+  const resolvedReqOpts = (opts) => ({
+    limit: opts?.limit ?? "100kb",
+    inflate: opts?.inflate ?? true,
+    reviver: null,
+    strict: opts?.strict ?? false
+  });
+  rReq.json = (opts) => {
+    if ("body" in rReq) return Promise.resolve(rReq.body ?? null);
+    return readReqBody(rReq, resolvedReqOpts(opts), "application/json").then((ret) => {
+      if (ret == null) return null;
+      const charset = extractCharset(ret.mimetype);
+      try {
+        const parsed = JSON.parse(
+          ret.content.toString(charset),
+          opts?.reviver ?? void 0
+        );
+        rReq.body = parsed;
+        return parsed;
+      } catch (ex) {
+        return Promise.reject({ status: 400, message: "Bad Request: " + ex.message });
+      }
+    });
+  };
+  rReq.text = (opts) => {
+    const cached = rReq.body;
+    if (typeof cached === "string") return Promise.resolve(cached);
+    return readReqBody(rReq, resolvedReqOpts(opts), null).then((ret) => {
+      if (ret == null) return null;
+      const charset = extractCharset(ret.mimetype);
+      return ret.content.toString(charset);
+    });
+  };
+  rReq.formData = (opts) => {
+    const cached = rReq.body;
+    if (Array.isArray(cached)) return Promise.resolve(cached);
+    return readReqBody(rReq, resolvedReqOpts(opts), "multipart/form-data").then((ret) => {
+      if (ret == null) return null;
+      try {
+        const parts = parseMultipartBody(ret.mimetype, ret.content);
+        rReq.body = parts;
+        return parts;
+      } catch (ex) {
+        return Promise.reject({ status: ex.status ?? 500, message: ex.message ?? String(ex) });
+      }
+    });
+  };
+  rRes.setHeader("X-Powered-By", "Expediate");
+  rRes.send = (data) => {
+    if (data) res.write(data);
+    res.end();
+  };
+  rRes.json = (data) => {
+    res.setHeader("Content-Type", "application/json");
+    res.write(JSON.stringify(data));
+    res.end();
+  };
+  rRes.status = (code, headers) => {
+    res.statusCode = code;
+    if (headers)
+      for (const [k, v] of Object.entries(headers)) res.setHeader(k, v);
+    return rRes;
+  };
+  rRes.redirect = (url) => {
+    res.setHeader("location", url);
+    res.writeHead(302);
+    res.write(`Found. Redirecting to ${url}`);
+    res.end();
+  };
+  rRes.cookie = (name, value, options) => {
+    const opts = options ?? {};
+    let val = typeof value === "object" ? "j:" + JSON.stringify(value) : String(value);
+    if (opts.signed) {
+      if (!secret)
+        throw new Error(
+          "Signed cookies require a secret \u2014 pass { secret } to createRouter()"
+        );
+      val = signCookieValue(val, secret);
+    }
+    let txt = `${name}=${val}`;
+    if (opts.maxAge != null) {
+      const maxAgeMs = opts.maxAge;
+      const maxAgeSec = Math.floor(maxAgeMs / 1e3);
+      opts.expires = new Date(Date.now() + maxAgeMs);
+      txt += `; Max-Age=${maxAgeSec}`;
+    }
+    if (opts.expires) txt += `; Expires=${opts.expires.toUTCString()}`;
+    txt += `; Path=${opts.path ?? "/"}`;
+    if (opts.httpOnly) txt += "; HttpOnly";
+    if (opts.secure) txt += "; Secure";
+    if (opts.sameSite) txt += `; SameSite=${opts.sameSite}`;
+    const existing = res.getHeader("Set-Cookie");
+    if (existing == null) {
+      res.setHeader("Set-Cookie", txt);
+    } else if (Array.isArray(existing)) {
+      res.setHeader("Set-Cookie", [...existing, txt]);
+    } else {
+      res.setHeader("Set-Cookie", [existing, txt]);
+    }
+    return rRes;
+  };
+  rRes.download = (filepath, filename) => {
+    const name = filename ?? path.basename(filepath);
+    const safeName = name.replace(/"/g, '\\"');
+    res.setHeader("Content-Disposition", `attachment; filename="${safeName}"`);
+    fs2.access(filepath, fs2.constants.F_OK, (err) => {
+      if (err) {
+        if (!rRes.writableEnded) rRes.status(404).end("Not Found");
+        return;
+      }
+      serveFile(filepath)(rReq, rRes, () => {
+      });
+    });
+  };
+  rRes.type = (mime2) => {
+    res.setHeader("Content-Type", mime2);
+    return rRes;
+  };
+  rRes.etag = (value, strong = false) => {
+    res.setHeader("ETag", strong ? `"${value}"` : `W/"${value}"`);
+    return rRes;
+  };
+}
+function pathMatchesLayer(layer, path2) {
+  return layer.regex.test(path2);
+}
+function registerRoute(routes, method, path2, arg, stripPath) {
+  if (Array.isArray(arg)) {
+    for (const item of arg) registerRoute(routes, method, path2, item, stripPath);
+  } else if (typeof arg === "function") {
+    routes.push(buildRouteLayer(method, path2, arg, stripPath));
+  } else if (arg && typeof arg.listener === "function") {
+    routes.push(buildRouteLayer(method, path2, arg.listener, stripPath));
+  } else {
+    throw new TypeError(
+      "Unexpected value registered as middleware: expected a Middleware function, a Router instance, or an array of either"
+    );
+  }
+}
+function extractRouterPrefix(arg) {
+  if (Array.isArray(arg) || typeof arg === "function") return void 0;
+  return arg.prefix;
+}
+function createRouter(prefixOrOpts, opts) {
+  const routerPrefix = typeof prefixOrOpts === "string" ? prefixOrOpts : void 0;
+  const options = typeof prefixOrOpts === "object" ? prefixOrOpts : opts ?? {};
+  const secret = options.secret;
+  const timeoutMs = options.timeout;
+  const trustProxy = options.trustProxy ?? false;
+  const routes = [];
+  let errorHandler;
+  let notFoundHandler;
+  let activeServer = null;
+  const activeSockets = /* @__PURE__ */ new Set();
+  const listener = (req, res, done) => {
+    const method = req.method;
+    const url = req.url;
+    let idx = 0;
+    updateHttpObjects(req, res, secret, trustProxy);
+    if (timeoutMs) {
+      if (req.socket) req.socket.setTimeout(timeoutMs);
+      const timer = setTimeout(() => {
+        if (!res.writableEnded) res.status(408).end("Request Timeout");
+      }, timeoutMs);
+      res.once("finish", () => {
+        clearTimeout(timer);
+        if (req.socket) req.socket.setTimeout(0);
+      });
+    }
+    const invokeErrorHandler = (e) => {
+      if (res.writableEnded) return;
+      if (errorHandler) {
+        try {
+          errorHandler(e, req, res);
+        } catch (e2) {
+          if (!res.writableEnded) res.status(500).end(`Error ${method} ${url}`);
+        }
+      } else {
+        console.warn(e);
+        res.status(500).end(`Error ${method} ${url}`);
+      }
+    };
+    const invoke = (mw, nextFn) => {
+      try {
+        const ret = mw(req, res, nextFn);
+        if (ret instanceof Promise) ret.catch(invokeErrorHandler);
+      } catch (e) {
+        invokeErrorHandler(e);
+      }
+    };
+    const allowedMethods = /* @__PURE__ */ new Set();
+    const next = (err) => {
+      if (err != null) {
+        invokeErrorHandler(err);
+        return;
+      }
+      while (idx < routes.length) {
+        const layer = routes[idx++];
+        const pathBefore = req.path;
+        if (matchRouteLayer(layer, req, req.path)) {
+          if (layer.stripPath) {
+            invoke(layer.middleware, () => {
+              req.path = pathBefore;
+              next();
+            });
+            return;
+          }
+          invoke(layer.middleware, next);
+          return;
+        }
+        if (layer.method !== null && pathMatchesLayer(layer, pathBefore)) {
+          allowedMethods.add(layer.method);
+        }
+      }
+      if (allowedMethods.size > 0) {
+        const allow = [...allowedMethods].sort().join(", ");
+        res.status(405, { Allow: allow }).end(`Cannot ${method} ${url}`);
+        return;
+      }
+      if (done) return done();
+      if (notFoundHandler) {
+        try {
+          notFoundHandler(req, res, () => {
+          });
+        } catch (e) {
+          invokeErrorHandler(e);
+        }
+        return;
+      }
+      res.status(404).end(`Cannot ${method} ${url}`);
+    };
+    try {
+      next();
+    } catch (e) {
+      invokeErrorHandler(e);
+    }
+  };
+  function makeRegister(method, stripPath) {
+    return (path2, ...args) => {
+      for (const arg of args) registerRoute(routes, method, path2, arg, stripPath);
+    };
+  }
+  const use = (pathOrFirst, ...args) => {
+    if (typeof pathOrFirst === "string" || pathOrFirst instanceof RegExp) {
+      for (const arg of args) registerRoute(routes, null, pathOrFirst, arg, true);
+    } else {
+      const inferredPath = extractRouterPrefix(pathOrFirst) ?? "/";
+      registerRoute(routes, null, inferredPath, pathOrFirst, true);
+      for (const arg of args) registerRoute(routes, null, "/", arg, true);
+    }
+  };
+  const router = {
+    prefix: routerPrefix,
+    listener,
+    use,
+    all: makeRegister(null, false),
+    get: makeRegister("GET", false),
+    put: makeRegister("PUT", false),
+    post: makeRegister("POST", false),
+    delete: makeRegister("DELETE", false),
+    patch: makeRegister("PATCH", false),
+    // ── onError ─────────────────────────────────────────────────────────────
+    onError(handler) {
+      errorHandler = handler;
+    },
+    // ── setNotFound ──────────────────────────────────────────────────────────
+    setNotFound(handler) {
+      notFoundHandler = handler;
+    },
+    // ── routes ───────────────────────────────────────────────────────────────
+    routes() {
+      return routes.map((l) => ({
+        method: l.method,
+        path: l.path,
+        stripPath: l.stripPath
+      }));
+    },
+    // ── shutdown ─────────────────────────────────────────────────────────────
+    shutdown(timeout = 5e3) {
+      if (!activeServer) return Promise.resolve();
+      return new Promise((resolve, reject) => {
+        activeServer.close((err) => {
+          if (err) reject(err);
+          else resolve();
+        });
+        if (timeout > 0) {
+          setTimeout(() => {
+            for (const socket of activeSockets) socket.destroy();
+            activeSockets.clear();
+          }, timeout);
+        }
+      });
+    },
+    // ── listen ───────────────────────────────────────────────────────────────
+    listen(port, opts2, cb) {
+      if (typeof opts2 === "function") {
+        cb = opts2;
+        opts2 = void 0;
+      }
+      const rawListener = listener;
+      let server;
+      const tlsOpts = opts2;
+      if (tlsOpts?.key && tlsOpts?.cert) {
+        if (tlsOpts.http2) {
+          server = http2.createSecureServer(tlsOpts, rawListener);
+        } else {
+          server = https.createServer(tlsOpts, rawListener);
+        }
+      } else {
+        server = http.createServer(rawListener);
+      }
+      server.on("connection", (socket) => {
+        activeSockets.add(socket);
+        socket.once("close", () => activeSockets.delete(socket));
+      });
+      activeServer = server;
+      server.listen(port, cb);
+      return server;
+    }
+  };
+  return router;
+}
+var router_default = createRouter;
+
+// src/jwt-auth.ts
+var import_crypto = __toESM(require("crypto"), 1);
+function hashPassword(password) {
+  return import_crypto.default.createHash("sha256").update(password).digest("hex");
+}
+var userDatabase = /* @__PURE__ */ new Map([
+  ["alice", {
+    id: "usr_001",
+    username: "alice",
+    passwordHash: hashPassword("password123"),
+    roles: ["admin", "editor"],
+    permissions: ["read", "write", "delete", "manage_users"]
+  }],
+  ["bob", {
+    id: "usr_002",
+    username: "bob",
+    passwordHash: hashPassword("secret456"),
+    roles: ["editor"],
+    permissions: ["read", "write"]
+  }],
+  ["charlie", {
+    id: "usr_003",
+    username: "charlie",
+    passwordHash: hashPassword("pass789"),
+    roles: ["viewer"],
+    permissions: ["read"]
+  }]
+]);
+function createMapTokenStore() {
+  const map = /* @__PURE__ */ new Map();
+  return {
+    set(jti, record) {
+      map.set(jti, record);
+    },
+    get(jti) {
+      const record = map.get(jti);
+      if (!record) return void 0;
+      if (Date.now() > record.expiresAt) {
+        map.delete(jti);
+        return void 0;
+      }
+      return record;
+    },
+    delete(jti) {
+      map.delete(jti);
+    },
+    deleteBySubject(sub) {
+      for (const [jti, record] of map) {
+        if (record.sub === sub) map.delete(jti);
+      }
+    }
+  };
+}
+var DEFAULT_CONFIG = {
+  accessTokenSecret: "access-secret-change-in-production",
+  refreshTokenSecret: "refresh-secret-change-in-production",
+  accessTokenExpiry: 15 * 60,
+  // 15 minutes
+  refreshTokenExpiry: 7 * 24 * 3600,
+  // 7 days
+  issuer: "jwt-auth",
+  checkIssuer: false,
+  alg: "HS256",
+  username: (user) => user.username,
+  fetchUser: (sub) => userDatabase.get(sub),
+  isPasswordValid: (user, password) => user.passwordHash === hashPassword(password),
+  payload: (user) => ({
+    sub: user.username,
+    roles: user.roles,
+    permissions: user.permissions
+  })
+};
+function isHmac(alg) {
+  return alg[0] === "H";
+}
+function isEc(alg) {
+  return alg[0] === "E";
+}
+function nodeHashAlg(alg) {
+  return `SHA${alg.slice(2)}`;
+}
+function ecByteLength(alg) {
+  if (alg === "ES256") return 32;
+  if (alg === "ES384") return 48;
+  if (alg === "ES512") return 66;
+  throw new Error(`Not an EC algorithm: ${alg}`);
+}
+function encodeDerLength(len) {
+  if (len < 128) return Buffer.from([len]);
+  if (len < 256) return Buffer.from([129, len]);
+  return Buffer.from([130, len >> 8, len & 255]);
+}
+function derToJose(der, alg) {
+  const n = ecByteLength(alg);
+  let i = 0;
+  if (der[i++] !== 48) throw new Error("ECDSA DER: expected SEQUENCE tag 0x30");
+  if (der[i] & 128) i += (der[i] & 127) + 1;
+  else i++;
+  function readInt() {
+    if (der[i++] !== 2) throw new Error("ECDSA DER: expected INTEGER tag 0x02");
+    let len = der[i++];
+    if (len & 128) {
+      const nb = len & 127;
+      len = 0;
+      for (let k = 0; k < nb; k++) len = len << 8 | der[i++];
+    }
+    if (der[i] === 0 && len > 1) {
+      i++;
+      len--;
+    }
+    const val = der.slice(i, i + len);
+    i += len;
+    return val;
+  }
+  const r = readInt();
+  const s = readInt();
+  const out = Buffer.alloc(2 * n, 0);
+  r.copy(out, n - r.length);
+  s.copy(out, 2 * n - s.length);
+  return out;
+}
+function joseToDer(jose, alg) {
+  const n = ecByteLength(alg);
+  const r = jose.slice(0, n);
+  const s = jose.slice(n);
+  function encodeInt(buf) {
+    let start = 0;
+    while (start < buf.length - 1 && buf[start] === 0) start++;
+    const trimmed = buf.slice(start);
+    const padded = trimmed[0] & 128 ? Buffer.concat([Buffer.from([0]), trimmed]) : trimmed;
+    return Buffer.concat([Buffer.from([2, padded.length]), padded]);
+  }
+  const rDer = encodeInt(r);
+  const sDer = encodeInt(s);
+  const content = Buffer.concat([rDer, sDer]);
+  const lenBuf = encodeDerLength(content.length);
+  return Buffer.concat([Buffer.from([48]), lenBuf, content]);
+}
+function base64UrlEncode(data) {
+  return Buffer.from(JSON.stringify(data)).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function base64UrlDecode(str) {
+  const padded = str + "=".repeat((4 - str.length % 4) % 4);
+  return JSON.parse(
+    Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8")
+  );
+}
+function computeSignature(encodedHeader, encodedPayload, key, alg) {
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  if (isHmac(alg)) {
+    return import_crypto.default.createHmac(`sha${alg.slice(2)}`, key).update(signingInput).digest("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  }
+  const hashAlg = nodeHashAlg(alg);
+  const derOrRaw = import_crypto.default.sign(hashAlg, Buffer.from(signingInput), key);
+  const sigBytes = isEc(alg) ? derToJose(derOrRaw, alg) : derOrRaw;
+  return sigBytes.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function checkSignature(encodedHeader, encodedPayload, b64sig, key, alg) {
+  if (isHmac(alg)) {
+    const expected = computeSignature(encodedHeader, encodedPayload, key, alg);
+    const sigBuf = Buffer.from(b64sig);
+    const expectedBuf = Buffer.from(expected);
+    return sigBuf.length === expectedBuf.length && import_crypto.default.timingSafeEqual(sigBuf, expectedBuf);
+  }
+  try {
+    const hashAlg = nodeHashAlg(alg);
+    const rawSig = Buffer.from(b64sig.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+    const verBuf = isEc(alg) ? joseToDer(rawSig, alg) : rawSig;
+    const input = Buffer.from(`${encodedHeader}.${encodedPayload}`);
+    return import_crypto.default.verify(hashAlg, input, key, verBuf);
+  } catch {
+    return false;
+  }
+}
+function signToken(payload, key, expiresIn, alg = "HS256") {
+  const now = Math.floor(Date.now() / 1e3);
+  const encodedHeader = base64UrlEncode({ alg, typ: "JWT" });
+  const fullPayload = base64UrlEncode({ ...payload, iat: now, exp: now + expiresIn });
+  const signature = computeSignature(encodedHeader, fullPayload, key, alg);
+  return `${encodedHeader}.${fullPayload}.${signature}`;
+}
+function verifyToken(token, key, alg) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+      return { valid: false, error: "Invalid token format" };
+    const [encodedHeader, encodedPayload, signature] = parts;
+    const decodedHeader = base64UrlDecode(encodedHeader);
+    if (decodedHeader.alg !== alg)
+      return { valid: false, error: "Unauthorised signing algorithm" };
+    if (!checkSignature(encodedHeader, encodedPayload, signature, key, alg))
+      return { valid: false, error: "Invalid signature" };
+    const payload = base64UrlDecode(encodedPayload);
+    const now = Math.floor(Date.now() / 1e3);
+    if (payload.exp && payload.exp < now)
+      return { valid: false, error: "Token expired" };
+    return { valid: true, payload };
+  } catch {
+    return { valid: false, error: "Malformed token" };
+  }
+}
+function accessSignKey(cfg) {
+  return isHmac(cfg.alg) ? cfg.accessTokenSecret : cfg.accessTokenPrivateKey;
+}
+function accessVerifyKey(cfg) {
+  return isHmac(cfg.alg) ? cfg.accessTokenSecret : cfg.accessTokenPublicKey;
+}
+function refreshSignKey(cfg) {
+  return isHmac(cfg.alg) ? cfg.refreshTokenSecret : cfg.refreshTokenPrivateKey ?? cfg.accessTokenPrivateKey;
+}
+function refreshVerifyKey(cfg) {
+  return isHmac(cfg.alg) ? cfg.refreshTokenSecret : cfg.refreshTokenPublicKey ?? cfg.accessTokenPublicKey;
+}
+async function authenticateUser(username, password, config) {
+  const user = await config.fetchUser(username);
+  if (!user) return { success: false, error: "User not found" };
+  if (!await config.isPasswordValid(user, password))
+    return { success: false, error: "Incorrect password" };
+  return issueTokenPair(user, config);
+}
+async function issueTokenPair(user, config) {
+  const claims = config.payload(user);
+  const fullClaims = {
+    sub: config.username(user),
+    // fallback subject — overridden by payload() if it sets sub
+    ...claims,
+    iss: config.issuer
+  };
+  const accessToken = signToken(fullClaims, accessSignKey(config), config.accessTokenExpiry, config.alg);
+  if (!config.refreshTokenStore) {
+    return { success: true, accessToken, expiresIn: config.accessTokenExpiry, tokenType: "Bearer" };
+  }
+  const jti = import_crypto.default.randomUUID();
+  const sub = fullClaims.sub;
+  const refreshClaims = {
+    sub,
+    jti,
+    type: "refresh",
+    iss: config.issuer
+  };
+  const refreshToken = signToken(refreshClaims, refreshSignKey(config), config.refreshTokenExpiry, config.alg);
+  await config.refreshTokenStore.set(jti, {
+    sub,
+    issuedAt: Date.now(),
+    expiresAt: Date.now() + config.refreshTokenExpiry * 1e3
+  });
+  return {
+    success: true,
+    accessToken,
+    refreshToken,
+    expiresIn: config.accessTokenExpiry,
+    tokenType: "Bearer"
+  };
+}
+async function renewAccessToken(refreshToken, config) {
+  if (!config.refreshTokenStore)
+    return { success: false, error: "Refresh tokens are not configured" };
+  const result = verifyToken(refreshToken, refreshVerifyKey(config), config.alg);
+  if (!result.valid)
+    return { success: false, error: "Invalid or revoked refresh token" };
+  const refreshPayload = result.payload;
+  if (refreshPayload.type !== "refresh")
+    return { success: false, error: "Invalid token type" };
+  const jti = refreshPayload.jti;
+  if (!jti)
+    return { success: false, error: "Invalid refresh token: missing jti" };
+  const record = await config.refreshTokenStore.get(jti);
+  if (!record)
+    return { success: false, error: "Invalid or revoked refresh token" };
+  const user = await config.fetchUser(record.sub);
+  if (!user) {
+    await config.refreshTokenStore.delete(jti);
+    return { success: false, error: "User not found" };
+  }
+  await config.refreshTokenStore.delete(jti);
+  return issueTokenPair(user, config);
+}
+async function revokeRefreshToken(refreshToken, config) {
+  if (!config.refreshTokenStore) return;
+  const result = verifyToken(refreshToken, refreshVerifyKey(config), config.alg);
+  if (!result.valid) return;
+  const jti = result.payload.jti;
+  if (jti) await config.refreshTokenStore.delete(jti);
+}
+function createJwtPlugin(userConfig = {}) {
+  const config = { ...DEFAULT_CONFIG, ...userConfig };
+  if (!isHmac(config.alg)) {
+    if (!config.accessTokenPrivateKey || !config.accessTokenPublicKey) {
+      throw new Error(
+        `Algorithm '${config.alg}' requires both 'accessTokenPrivateKey' and 'accessTokenPublicKey' in JwtConfig.`
+      );
+    }
+  }
+  function sendJson2(res, status, data) {
+    const body = JSON.stringify(data);
+    res.setHeader("Content-Type", "application/json; charset=utf-8");
+    res.status(status).send(body);
+  }
+  const login = (req, res) => {
+    (async () => {
+      const { username, password } = req.body ?? {};
+      if (!username || !password) {
+        sendJson2(res, 400, { error: "Fields 'username' and 'password' are required" });
+        return;
+      }
+      const result = await authenticateUser(username, password, config);
+      if (!result.success) {
+        sendJson2(res, 401, { error: result.error });
+        return;
+      }
+      const body = {
+        message: "Authentication successful",
+        accessToken: result.accessToken,
+        expiresIn: result.expiresIn,
+        tokenType: result.tokenType
+      };
+      if (result.refreshToken !== void 0) body.refreshToken = result.refreshToken;
+      sendJson2(res, 200, body);
+    })().catch(() => sendJson2(res, 500, { error: "Internal server error" }));
+  };
+  const refresh = (req, res) => {
+    (async () => {
+      if (!config.refreshTokenStore) {
+        sendJson2(res, 501, { error: "Refresh tokens are not configured" });
+        return;
+      }
+      const { refreshToken } = req.body ?? {};
+      if (!refreshToken) {
+        sendJson2(res, 400, { error: "Field 'refreshToken' is required" });
+        return;
+      }
+      const result = await renewAccessToken(refreshToken, config);
+      if (!result.success) {
+        sendJson2(res, 401, { error: result.error });
+        return;
+      }
+      sendJson2(res, 200, {
+        message: "Token renewed successfully",
+        accessToken: result.accessToken,
+        refreshToken: result.refreshToken,
+        expiresIn: result.expiresIn,
+        tokenType: result.tokenType
+      });
+    })().catch(() => sendJson2(res, 500, { error: "Internal server error" }));
+  };
+  const logout = (req, res) => {
+    (async () => {
+      const { refreshToken } = req.body ?? {};
+      if (refreshToken && config.refreshTokenStore) {
+        await revokeRefreshToken(refreshToken, config);
+      }
+      sendJson2(res, 200, { message: "Logged out successfully" });
+    })().catch(() => sendJson2(res, 500, { error: "Internal server error" }));
+  };
+  const authenticate = (req, res, next) => {
+    delete req.user;
+    const authHeader = req.headers["authorization"];
+    if (!authHeader?.startsWith("Bearer ")) return next();
+    const token = authHeader.slice(7);
+    const result = verifyToken(token, accessVerifyKey(config), config.alg);
+    if (!result.valid) return next();
+    if (config.checkIssuer && result.payload.iss !== config.issuer) return next();
+    req.user = result.payload;
+    next();
+  };
+  const authorize = (req, res, next) => {
+    if (!req.user) {
+      sendJson2(res, 401, { error: "Authentication required" });
+      return;
+    }
+    next();
+  };
+  function requireRole(...roles) {
+    return [
+      authenticate,
+      (req, res, next) => {
+        const user = req.user;
+        if (!user) {
+          sendJson2(res, 401, { error: "Authentication required" });
+          return;
+        }
+        const userRoles = user.roles ?? [];
+        if (!roles.some((r) => userRoles.includes(r))) {
+          sendJson2(res, 403, {
+            error: `Access denied. Required role(s): ${roles.join(", ")}`,
+            yourRoles: userRoles
+          });
+          return;
+        }
+        next();
+      }
+    ];
+  }
+  function requirePermission(...permissions) {
+    return [
+      authenticate,
+      (req, res, next) => {
+        const user = req.user;
+        if (!user) {
+          sendJson2(res, 401, { error: "Authentication required" });
+          return;
+        }
+        const userPerms = user.permissions ?? [];
+        if (!permissions.every((p) => userPerms.includes(p))) {
+          sendJson2(res, 403, {
+            error: `Insufficient permissions. Required: ${permissions.join(", ")}`,
+            yourPermissions: userPerms
+          });
+          return;
+        }
+        next();
+      }
+    ];
+  }
+  return {
+    login,
+    refresh,
+    logout,
+    authenticate,
+    authorize,
+    requireRole,
+    requirePermission
+  };
+}
+var jwt_auth_default = createJwtPlugin;
+
+// src/git.ts
+var import_child_process = require("child_process");
+var import_zlib2 = require("zlib");
+var import_fs2 = require("fs");
+function pktLine(str) {
+  const byteLen = Buffer.byteLength(str, "utf8") + 4;
+  return byteLen.toString(16).padStart(4, "0") + str;
+}
+var PKT_FLUSH = "0000";
+function gitHandler(opt) {
+  if (typeof opt.repository !== "function")
+    throw new TypeError("gitHandler: opt.repository must be a function");
+  const gitHome = opt.gitPath ?? "";
+  return async (req, res) => {
+    const gitDirectory = await opt.repository(req);
+    if (!gitDirectory) {
+      res.status(404).send("Repository not found");
+      return;
+    }
+    const urlPath = req.path;
+    if (req.method === "GET" && urlPath === "/info/refs") {
+      let args = [];
+      const service = req.queries?.url?.service;
+      if (service === "git-upload-pack")
+        args = buildArgs(opt, ["--stateless-rpc", "--advertise-refs", gitDirectory]);
+      else if (service === "git-receive-pack")
+        args = ["--stateless-rpc", "--advertise-refs", gitDirectory];
+      else {
+        res.status(403).send(`Service ${service} is not supported`);
+        return;
+      }
+      res.setHeader("Content-Type", `application/x-${service}-advertisement`);
+      res.setHeader("Cache-Control", "no-cache");
+      res.write(pktLine(`# service=${service}
+`));
+      res.write(PKT_FLUSH);
+      const proc = (0, import_child_process.spawn)(gitHome + service, args, {
+        env: { ...process.env, GIT_PROTOCOL: req.headers["git-protocol"] || "" }
+      });
+      proc.on("error", (err) => {
+        console.error(`[${service} GET] spawn error:`, err.message);
+        if (!res.writableEnded) res.status(500).send(`${service} unavailable: ${err.message}`);
+      });
+      proc.stdout.pipe(res);
+      proc.stdout.on("error", (err) => {
+        console.warn(`[${service} GET] stdout error:`, err.message);
+      });
+      proc.stderr.on(
+        "data",
+        (d) => console.error(`[${service} GET]`, d.toString())
+      );
+      proc.on("close", (code) => {
+        if (code !== 0) {
+          console.error(`[${service} GET] exited with code ${code}`);
+          if (!res.writableEnded) res.status(500).send(`${service} failed`);
+        }
+      });
+      return;
+    }
+    if (req.method === "POST" && (urlPath === "/git-upload-pack" || urlPath === "/git-receive-pack")) {
+      const contentType = req.headers["content-type"] || "";
+      const service = urlPath.substring(1);
+      if (contentType !== `application/x-${service}-request`) {
+        res.status(415).send("Unsupported Media Type");
+        return;
+      }
+      let args = [];
+      if (service === "git-upload-pack")
+        args = buildArgs(opt, ["--stateless-rpc", gitDirectory]);
+      else if (service === "git-receive-pack")
+        args = ["--stateless-rpc", gitDirectory];
+      else {
+        res.status(403).send(`Service ${service} is not supported`);
+        return;
+      }
+      res.setHeader("Content-Type", `application/x-${service}-result`);
+      res.setHeader("Cache-Control", "no-cache");
+      const proc = (0, import_child_process.spawn)(gitHome + service, args, {
+        env: { ...process.env, GIT_PROTOCOL: req.headers["git-protocol"] || "" }
+      });
+      proc.on("error", (err) => {
+        console.error(`[${service} POST] spawn error:`, err.message);
+        if (!res.writableEnded) res.status(500).send(`${service} unavailable: ${err.message}`);
+      });
+      const encoding = req.headers["content-encoding"];
+      if (encoding === "gzip") {
+        const gunzip = (0, import_zlib2.createGunzip)();
+        gunzip.on("error", (err) => {
+          console.warn(`[${service} POST] gunzip error:`, err.message);
+          if (!res.writableEnded) res.status(400).send("Failed to decompress request body");
+        });
+        req.pipe(gunzip).pipe(proc.stdin);
+      } else {
+        req.pipe(proc.stdin);
+      }
+      proc.stdout.pipe(res);
+      proc.stdout.on("error", (err) => {
+        console.warn(`[${service} POST] stdout error:`, err.message);
+      });
+      proc.stderr.on(
+        "data",
+        (d) => console.error(`[${service} POST]`, d.toString())
+      );
+      proc.on("close", (code) => {
+        if (code !== 0) {
+          console.error(`[${service} POST] exited with code ${code}`);
+          if (!res.writableEnded) res.status(500).send(`${service} failed`);
+        }
+      });
+      proc.stdin.on("error", (err) => {
+        if (err.code !== "EPIPE")
+          console.warn(`[${service} POST] stdin error:`, err.message);
+      });
+      return;
+    }
+    res.status(404).send("Not found");
+  };
+}
+function gitCreate(gitDirectory, opt) {
+  return new Promise((resolve, reject) => {
+    const gitHome = opt.gitPath ?? "";
+    const isBare = opt.bare !== false;
+    const args = isBare ? ["init", "--bare", gitDirectory] : ["init", gitDirectory];
+    const proc = (0, import_child_process.spawn)(gitHome + "git", args, {
+      env: { ...process.env }
+    });
+    proc.on("error", (err) => {
+      console.error(`[git init] spawn error:`, err.message);
+      reject(`git unavailable: ${err.message}`);
+    });
+    proc.stdout.on("error", (err) => {
+      console.warn(`[git init] stdout error:`, err.message);
+    });
+    proc.stderr.on(
+      "data",
+      (d) => console.error(`[git init]`, d.toString())
+    );
+    proc.on("close", (code) => {
+      if (code !== 0) {
+        return reject("git failed");
+      }
+      if (opt.description) {
+        const descPath = isBare ? `${gitDirectory}/description` : `${gitDirectory}/.git/description`;
+        (0, import_fs2.writeFileSync)(descPath, opt.description);
+      }
+      resolve();
+    });
+  });
+}
+function buildArgs(opt, trailing) {
+  const args = [];
+  if (opt.timeout) {
+    const seconds = parseInt(String(opt.timeout), 10);
+    if (!isNaN(seconds) && seconds > 0)
+      args.push(`--timeout=${seconds}`);
+  }
+  if (!opt.strict)
+    args.push("--no-strict");
+  return [...args, ...trailing];
+}
+
+// src/openapi.ts
+var YAML_KW = /* @__PURE__ */ new Set([
+  "true",
+  "false",
+  "yes",
+  "no",
+  "on",
+  "off",
+  "null",
+  "~"
+]);
+var LOOKS_LIKE_NUMBER = /^[-+]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$|^0x[0-9a-fA-F]+$|^0o[0-7]+$/;
+function yamlString(s) {
+  if (s === "") return '""';
+  const needsQuote = (
+    // Would be misinterpreted as a YAML typed value.
+    YAML_KW.has(s.toLowerCase()) || LOOKS_LIKE_NUMBER.test(s) || // Starts with a YAML indicator that has special meaning at the start of a
+    // plain scalar (block context).
+    /^[-?:,[\]{}#&*!|>'"%@`~]/.test(s) || // Inline sequences that break block-mapping parsing.
+    s.includes(": ") || s.endsWith(":") || s.includes(" #") || // Leading / trailing whitespace.
+    s !== s.trim() || // Flow indicator characters anywhere — present in path patterns such as
+    // `/items/{id}` and must be quoted to avoid flow-collection ambiguity.
+    /[{}\[\]]/.test(s) || // Control characters.
+    /[\x00-\x1f\x7f]/.test(s)
+  );
+  if (!needsQuote) return s;
+  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, "0")}`) + '"';
+}
+function yamlKey(key) {
+  return yamlString(key);
+}
+function toYamlLines(value) {
+  if (value === null || value === void 0) return ["null"];
+  if (typeof value === "boolean") return [String(value)];
+  if (typeof value === "number") return [isFinite(value) ? String(value) : ".inf"];
+  if (typeof value === "string") return [yamlString(value)];
+  if (Array.isArray(value)) {
+    if (value.length === 0) return ["[]"];
+    const lines = [];
+    for (const item of value) {
+      const itemLines = toYamlLines(item);
+      lines.push(`- ${itemLines[0]}`);
+      for (const l of itemLines.slice(1)) lines.push(`  ${l}`);
+    }
+    return lines;
+  }
+  if (typeof value === "object") {
+    const obj = value;
+    const entries = Object.entries(obj).filter(([, v]) => v !== void 0);
+    if (entries.length === 0) return ["{}"];
+    const lines = [];
+    for (const [key, val] of entries) {
+      const k = yamlKey(key);
+      const valLines = toYamlLines(val);
+      const isComplex = typeof val === "object" && val !== null;
+      const isEmptyCollection = valLines.length === 1 && (valLines[0] === "{}" || valLines[0] === "[]");
+      if (!isComplex || isEmptyCollection) {
+        lines.push(`${k}: ${valLines[0]}`);
+      } else {
+        lines.push(`${k}:`);
+        for (const l of valLines) lines.push(`  ${l}`);
+      }
+    }
+    return lines;
+  }
+  return [String(value)];
+}
+function serializeSpec(doc, format = "json") {
+  if (format === "yaml") return toYamlLines(doc).join("\n") + "\n";
+  return JSON.stringify(doc, null, 2);
+}
+var DESCRIBE_META = /* @__PURE__ */ Symbol("expediate.openapi.meta");
+function describe(handler, meta) {
+  const described = function(ctx, body) {
+    return handler.apply(this, [ctx, body]);
+  };
+  Object.defineProperty(described, DESCRIBE_META, {
+    value: meta,
+    enumerable: false,
+    configurable: true,
+    writable: false
+  });
+  return described;
+}
+function toOpenApiPath(pattern, basePath) {
+  const converted = pattern.replace(/:([A-Za-z_][A-Za-z0-9_]*)/g, "{$1}");
+  if (!basePath) return converted;
+  const base = basePath.replace(/\/+$/, "");
+  const path2 = converted.replace(/^\/+/, "/");
+  return base + (path2.startsWith("/") ? path2 : `/${path2}`);
+}
+function extractPathParams(pattern, annotated) {
+  const annotatedNames = new Set(annotated.map((p) => p.name));
+  const params = [];
+  for (const match of pattern.matchAll(/:([A-Za-z_][A-Za-z0-9_]*)/g)) {
+    const name = match[1];
+    if (!annotatedNames.has(name)) {
+      params.push({
+        name,
+        in: "path",
+        required: true,
+        schema: { type: "string" }
+      });
+    }
+  }
+  return params;
+}
+function buildOperationId(verb, pattern) {
+  const parts = pattern.split(/[/:{} ]+/).filter(Boolean);
+  let result = verb.toLowerCase();
+  for (const part of parts) {
+    const isParam = pattern.includes(`:${part}`) || pattern.includes(`{${part}}`);
+    const pascal = part.charAt(0).toUpperCase() + part.slice(1);
+    result += isParam ? `By${pascal}` : pascal;
+  }
+  return result;
+}
+function buildDefaultResponses(verb) {
+  const ok = verb === "POST" ? { description: "Created" } : { description: "OK", content: { "application/json": {} } };
+  return {
+    [verb === "POST" ? "201" : "200"]: ok,
+    "500": { $ref: "#/components/responses/ApiError" }
+  };
+}
+function buildAnnotatedResponses(responses) {
+  const result = { ...responses };
+  if (!result["500"]) {
+    result["500"] = { $ref: "#/components/responses/ApiError" };
+  }
+  return result;
+}
+var VERBS = ["GET", "POST", "PUT", "DELETE", "PATCH"];
+function openApiSpec(service, opts) {
+  const basePath = opts.basePath ?? "";
+  const svcMeta = service.openapi;
+  const defaultTag = svcMeta?.tag;
+  const builtinSchemas = {
+    ApiError: {
+      type: "object",
+      properties: {
+        status: { type: "integer", description: "HTTP status code" },
+        message: { type: "string", description: "Human-readable error message" },
+        data: { description: "Structured error payload (overrides message when present)" }
+      }
+    }
+  };
+  const builtinResponses = {
+    ApiError: {
+      description: "API error response",
+      content: {
+        "application/json": { schema: { $ref: "#/components/schemas/ApiError" } }
+      }
+    }
+  };
+  const schemas = {
+    ...builtinSchemas,
+    ...svcMeta?.schemas,
+    ...opts.schemas
+  };
+  const responses = {
+    ...builtinResponses,
+    ...svcMeta?.responses
+  };
+  const tags = [];
+  if (defaultTag) {
+    tags.push({ name: defaultTag, description: svcMeta?.tagDescription });
+  }
+  const paths = {};
+  for (const verb of VERBS) {
+    const routeMap = service[verb];
+    if (!routeMap) continue;
+    for (const [pattern, handler] of Object.entries(routeMap)) {
+      const openApiPath = toOpenApiPath(pattern, basePath);
+      if (!paths[openApiPath]) paths[openApiPath] = {};
+      const meta = handler[DESCRIBE_META];
+      const annotatedParams = meta?.parameters ?? [];
+      const inferredParams = extractPathParams(pattern, annotatedParams);
+      const parameters = [...annotatedParams, ...inferredParams];
+      const operationResponses = meta?.responses ? buildAnnotatedResponses(meta.responses) : buildDefaultResponses(verb);
+      const operation = {
+        operationId: meta?.operationId ?? buildOperationId(verb, pattern),
+        ...meta?.summary && { summary: meta.summary },
+        ...meta?.description && { description: meta.description },
+        ...meta?.deprecated && { deprecated: true },
+        ...parameters.length > 0 && { parameters },
+        ...meta?.requestBody && { requestBody: meta.requestBody },
+        responses: operationResponses
+      };
+      const opTags = meta?.tags ?? (defaultTag ? [defaultTag] : void 0);
+      if (opTags) operation["tags"] = opTags;
+      if (meta) {
+        for (const [k, v] of Object.entries(meta)) {
+          if (k.startsWith("x-")) operation[k] = v;
+        }
+      }
+      paths[openApiPath][verb.toLowerCase()] = operation;
+    }
+  }
+  const doc = {
+    openapi: "3.1.0",
+    info: {
+      title: opts.title,
+      version: opts.version,
+      ...opts.description && { description: opts.description }
+    },
+    ...opts.servers && { servers: opts.servers },
+    ...tags.length > 0 && { tags },
+    paths,
+    components: { schemas, responses }
+  };
+  return doc;
+}
+
+// src/apis.ts
+async function buildModule(service, key) {
+  const instance = service.data ? service.data(key) : { $key: key };
+  if (service.methods) {
+    for (const methodName of Object.keys(service.methods)) {
+      const method = service.methods[methodName];
+      instance[methodName] = function(...args) {
+        return method.apply(instance, args);
+      };
+    }
+  }
+  if (service.setup)
+    await service.setup.apply(instance, []);
+  return instance;
+}
+async function resolveInstance(service, modules, building, req) {
+  if (typeof service.scope !== "function") {
+    return modules["singleton"];
+  }
+  const key = service.scope(req);
+  if (key === null) {
+    return buildModule(service, null);
+  }
+  if (modules[key]) return modules[key];
+  if (!building[key]) {
+    building[key] = buildModule(service, key).then((instance) => {
+      modules[key] = instance;
+      delete building[key];
+      return instance;
+    });
+  }
+  return building[key];
+}
+function sendJson(res, data) {
+  res.setHeader("Content-Type", "application/json; charset=utf-8");
+  res.send(JSON.stringify(data));
+}
+function sendError(res, err) {
+  const e = err;
+  const status = e?.status ?? 500;
+  if (e?.data !== void 0) {
+    res.setHeader("Content-Type", "application/json; charset=utf-8");
+    res.status(status).send(JSON.stringify(e.data));
+  } else {
+    res.status(status).send(e?.message ?? "Internal error");
+  }
+}
+function apiBuilder(service) {
+  const api = router_default();
+  const modules = {};
+  const building = {};
+  function buildRoutes(routeMap, register) {
+    if (!routeMap) return;
+    const sortedPaths = Object.keys(routeMap).sort((a, b) => {
+      const score = (p) => {
+        const segs = p.split("/").filter((s) => s.length > 0);
+        return segs.length * 100 - segs.filter((s) => s.startsWith(":")).length * 10;
+      };
+      return score(b) - score(a) || b.localeCompare(a);
+    });
+    for (const path2 of sortedPaths) {
+      const method = routeMap[path2];
+      register(path2, (req, res) => {
+        const ctx = {
+          query: {
+            route: req.queries?.route ?? {},
+            url: req.queries?.url ?? {}
+          },
+          path: req.path,
+          user: req.user
+        };
+        const body = req.body;
+        resolveInstance(service, modules, building, req).then((instance) => {
+          const ret = method.apply(instance, [ctx, body]);
+          if (ret instanceof Promise) {
+            return ret.then((val) => {
+              if (val !== void 0 && val !== null && val !== false && val !== 0 && val !== "")
+                sendJson(res, val);
+              else
+                res.status(201).end();
+            }).catch((err) => {
+              sendError(res, err);
+            });
+          }
+          if (ret !== void 0 && ret !== null && ret !== false && ret !== 0 && ret !== "")
+            sendJson(res, ret);
+          else
+            res.status(201).end();
+        }).catch((err) => {
+          sendError(res, err);
+        });
+      });
+    }
+  }
+  function registerAllRoutes() {
+    buildRoutes(service.GET, (path2, h) => api.get(path2, h));
+    buildRoutes(service.POST, (path2, h) => api.post(path2, h));
+    buildRoutes(service.PUT, (path2, h) => api.put(path2, h));
+    buildRoutes(service.DELETE, (path2, h) => api.delete(path2, h));
+    buildRoutes(service.PATCH, (path2, h) => api.patch(path2, h));
+  }
+  if (typeof service.scope !== "function") {
+    let ready = false;
+    api.use("/", (_req, res, next) => {
+      if (!ready) {
+        res.statusCode = 503;
+        res.end("Service not ready");
+        return;
+      }
+      next();
+    });
+    buildModule(service, "singleton").then((instance) => {
+      modules["singleton"] = instance;
+      ready = true;
+      registerAllRoutes();
+    }).catch((err) => {
+      console.error("[apiBuilder] singleton setup() rejected:", err);
+    });
+  } else {
+    registerAllRoutes();
+  }
+  api.spec = function(opts) {
+    return openApiSpec(service, opts);
+  };
+  api.specHandler = function(opts, format = "json") {
+    let cached = null;
+    const contentType = format === "yaml" ? "application/yaml; charset=utf-8" : "application/json; charset=utf-8";
+    return function(_req, res) {
+      if (!cached) cached = serializeSpec(openApiSpec(service, opts), format);
+      res.setHeader("Content-Type", contentType);
+      res.end(cached);
+    };
+  };
+  return api;
+}
+var apis_default = apiBuilder;
+
+// src/middleware.ts
+var crypto3 = __toESM(require("crypto"), 1);
+var zlib2 = __toESM(require("zlib"), 1);
+function toBuffer(chunk, encoding = "utf8") {
+  return Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, encoding);
+}
+function compress(opts) {
+  const threshold = opts?.threshold ?? 1024;
+  const brEnabled = opts?.br !== false;
+  const brotliQuality = opts?.brotliQuality ?? 4;
+  const gzipLevel = opts?.gzipLevel ?? zlib2.constants.Z_DEFAULT_COMPRESSION;
+  return (req, res, next) => {
+    if (opts?.filter && !opts.filter(req, res)) return next();
+    const ae = req.headers["accept-encoding"] ?? "";
+    let compressor = null;
+    let encoding = "";
+    if (brEnabled && /\bbr\b/.test(ae)) {
+      compressor = zlib2.createBrotliCompress({
+        params: { [zlib2.constants.BROTLI_PARAM_QUALITY]: brotliQuality }
+      });
+      encoding = "br";
+    } else if (/\bgzip\b/.test(ae)) {
+      compressor = zlib2.createGzip({ level: gzipLevel });
+      encoding = "gzip";
+    } else if (/\bdeflate\b/.test(ae)) {
+      compressor = zlib2.createDeflate({ level: gzipLevel });
+      encoding = "deflate";
+    }
+    if (!compressor) return next();
+    const comp = compressor;
+    const rawRes = res;
+    const origWrite = rawRes.write.bind(rawRes);
+    const origEnd = rawRes.end.bind(rawRes);
+    comp.on("data", (chunk) => {
+      origWrite(chunk);
+    });
+    comp.on("end", () => {
+      origEnd();
+    });
+    comp.on("error", (e) => {
+      console.error("[compress] stream error:", e.message);
+      if (!rawRes.writableEnded) origEnd();
+    });
+    const pending = [];
+    let totalBytes = 0;
+    let decided = false;
+    let doCompress = false;
+    const startCompressing = (andEnd) => {
+      decided = true;
+      doCompress = true;
+      res.setHeader("Content-Encoding", encoding);
+      res.setHeader("Vary", "Accept-Encoding");
+      res.removeHeader("Content-Length");
+      for (const buf of pending) comp.write(buf);
+      if (andEnd) comp.end();
+    };
+    const skipCompression = () => {
+      decided = true;
+      doCompress = false;
+      comp.destroy();
+      if (totalBytes > 0) res.setHeader("Content-Length", totalBytes);
+      for (const buf of pending) origWrite(buf);
+    };
+    res.write = (chunk, encOrCb, _cb) => {
+      const enc = typeof encOrCb === "string" ? encOrCb : "utf8";
+      const buf = toBuffer(chunk, enc);
+      if (decided) {
+        return doCompress ? comp.write(buf) : origWrite(buf);
+      }
+      pending.push(buf);
+      totalBytes += buf.length;
+      if (totalBytes >= threshold) startCompressing(false);
+      return true;
+    };
+    res.end = (chunk, encOrCb, _cb) => {
+      if (typeof chunk === "function") chunk = void 0;
+      if (typeof encOrCb === "function") encOrCb = void 0;
+      if (chunk != null) {
+        const enc = typeof encOrCb === "string" ? encOrCb : "utf8";
+        const buf = toBuffer(chunk, enc);
+        if (decided) {
+          if (doCompress) comp.write(buf);
+          else origWrite(buf);
+        } else {
+          pending.push(buf);
+          totalBytes += buf.length;
+        }
+      }
+      if (!decided) {
+        if (totalBytes >= threshold) startCompressing(true);
+        else {
+          skipCompression();
+          origEnd();
+        }
+      } else if (doCompress) {
+        comp.end();
+      } else {
+        origEnd();
+      }
+      return rawRes;
+    };
+    next();
+  };
+}
+function requestId(opts) {
+  const header = (opts?.header ?? "x-request-id").toLowerCase();
+  const allowFromHeader = opts?.allowFromHeader !== false;
+  const generator = opts?.generator ?? (() => crypto3.randomUUID());
+  return (req, res, next) => {
+    const incoming = req.headers[header];
+    const id = allowFromHeader && incoming ? incoming : generator();
+    req.id = id;
+    res.setHeader(header, id);
+    next();
+  };
+}
+function rateLimit(opts) {
+  const windowMs = opts.windowMs;
+  const max = opts.max;
+  const keyBy = opts.keyBy ?? ((req) => req.ip ?? "");
+  const message = opts.message ?? "Too Many Requests";
+  const statusCode = opts.statusCode ?? 429;
+  const sendHeaders = opts.headers !== false;
+  const store = /* @__PURE__ */ new Map();
+  return (req, res, next) => {
+    const key = keyBy(req);
+    const now = Date.now();
+    const windowStart = now - windowMs;
+    const timestamps = (store.get(key) ?? []).filter((t) => t > windowStart);
+    timestamps.push(now);
+    store.set(key, timestamps);
+    const count = timestamps.length;
+    const remaining = Math.max(0, max - count);
+    const resetAt = timestamps.length > 0 ? Math.ceil((timestamps[0] + windowMs) / 1e3) : Math.ceil((now + windowMs) / 1e3);
+    if (sendHeaders) {
+      res.setHeader("X-RateLimit-Limit", String(max));
+      res.setHeader("X-RateLimit-Remaining", String(remaining));
+      res.setHeader("X-RateLimit-Reset", String(resetAt));
+    }
+    if (count > max) {
+      res.setHeader("Retry-After", String(Math.ceil(windowMs / 1e3)));
+      res.statusCode = statusCode;
+      res.end(message);
+      return;
+    }
+    next();
+  };
+}
+function cacheControl(opts = {}) {
+  const directives = [];
+  if (opts.private) directives.push("private");
+  if (opts.public) directives.push("public");
+  if (opts.noStore) directives.push("no-store");
+  if (opts.noCache) directives.push("no-cache");
+  if (opts.mustRevalidate) directives.push("must-revalidate");
+  if (opts.immutable) directives.push("immutable");
+  if (opts.maxAge != null) directives.push(`max-age=${opts.maxAge}`);
+  if (opts.sMaxAge != null) directives.push(`s-maxage=${opts.sMaxAge}`);
+  const cacheControlValue = directives.join(", ");
+  const varyValue = Array.isArray(opts.vary) ? opts.vary.join(", ") : opts.vary ?? null;
+  return (_req, res, next) => {
+    if (cacheControlValue) res.setHeader("Cache-Control", cacheControlValue);
+    if (opts.maxAge != null) {
+      const expires = new Date(Date.now() + opts.maxAge * 1e3);
+      res.setHeader("Expires", expires.toUTCString());
+    }
+    if (varyValue) res.setHeader("Vary", varyValue);
+    next();
+  };
+}
+var SAFE_CSRF_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
+function csrf(opts) {
+  const cookieName = opts?.cookieName ?? "_csrf";
+  const headerName = (opts?.headerName ?? "x-csrf-token").toLowerCase();
+  const fieldName = opts?.fieldName ?? "_csrf";
+  const secure = opts?.secure ?? false;
+  const sameSite = opts?.sameSite ?? "Strict";
+  return (req, res, next) => {
+    const existing = req.cookies?.[cookieName];
+    const token = typeof existing === "string" && existing.length > 0 ? existing : crypto3.randomBytes(32).toString("hex");
+    if (!existing) {
+      let cookieStr = `${cookieName}=${token}; Path=/; SameSite=${sameSite}`;
+      if (secure) cookieStr += "; Secure";
+      const prev = res.getHeader("Set-Cookie");
+      if (prev == null) res.setHeader("Set-Cookie", cookieStr);
+      else if (Array.isArray(prev)) res.setHeader("Set-Cookie", [...prev, cookieStr]);
+      else res.setHeader("Set-Cookie", [prev, cookieStr]);
+    }
+    req.csrfToken = () => token;
+    if (SAFE_CSRF_METHODS.has(req.method ?? "")) return next();
+    const submitted = req.headers[headerName] ?? req.body?.[fieldName] ?? "";
+    if (!submitted || submitted !== token) {
+      res.statusCode = 403;
+      res.end("Forbidden: invalid CSRF token");
+      return;
+    }
+    next();
+  };
+}
+function isFreshResponse(etag, lastModified, ifNoneMatch, ifModSince) {
+  const inm = Array.isArray(ifNoneMatch) ? ifNoneMatch[0] : ifNoneMatch;
+  if (inm) {
+    if (!etag) return false;
+    if (inm.trim() === "*") return true;
+    const normalize = (tag) => tag.startsWith("W/") ? tag.slice(2) : tag;
+    const tags = inm.split(",").map((t) => normalize(t.trim()));
+    return tags.includes(normalize(etag));
+  }
+  const ims = Array.isArray(ifModSince) ? ifModSince[0] : ifModSince;
+  if (ims && lastModified) {
+    const imsMs = new Date(ims).getTime();
+    const lmMs = new Date(lastModified).getTime();
+    if (!isNaN(imsMs) && !isNaN(lmMs)) return lmMs <= imsMs;
+  }
+  return false;
+}
+function conditionalGet() {
+  return (req, res, next) => {
+    const method = req.method ?? "GET";
+    if (method !== "GET" && method !== "HEAD") return next();
+    const rawRes = res;
+    const origWrite = rawRes.write.bind(rawRes);
+    const origEnd = rawRes.end.bind(rawRes);
+    const pending = [];
+    res.write = (chunk, encOrCb, _cb) => {
+      const enc = typeof encOrCb === "string" ? encOrCb : "utf8";
+      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, enc);
+      pending.push(buf);
+      return true;
+    };
+    res.end = (chunk, encOrCb, _cb) => {
+      if (typeof chunk === "function") chunk = void 0;
+      if (typeof encOrCb === "function") encOrCb = void 0;
+      if (chunk != null) {
+        const enc = typeof encOrCb === "string" ? encOrCb : "utf8";
+        const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, enc);
+        pending.push(buf);
+      }
+      const etag = rawRes.getHeader("etag");
+      const lastMod = rawRes.getHeader("last-modified");
+      const ifNoneMatch = req.headers["if-none-match"];
+      const ifModSince = req.headers["if-modified-since"];
+      if (isFreshResponse(etag, lastMod, ifNoneMatch, ifModSince)) {
+        rawRes.removeHeader("content-type");
+        rawRes.removeHeader("content-length");
+        rawRes.removeHeader("content-encoding");
+        rawRes.statusCode = 304;
+        origEnd();
+      } else {
+        for (const buf of pending) origWrite(buf);
+        origEnd();
+      }
+      return rawRes;
+    };
+    next();
+  };
+}
+function securityHeaders(opts) {
+  const headers = [];
+  const hsts = opts?.hsts;
+  if (hsts !== false) {
+    const h = typeof hsts === "object" ? hsts : {};
+    const maxAge = h.maxAge ?? 15552e3;
+    const subdomain = h.includeSubDomains !== false;
+    let value = `max-age=${maxAge}`;
+    if (subdomain) value += "; includeSubDomains";
+    if (h.preload) value += "; preload";
+    headers.push(["Strict-Transport-Security", value]);
+  }
+  const fo = opts?.frameOptions;
+  if (fo !== false) {
+    headers.push(["X-Frame-Options", fo ?? "SAMEORIGIN"]);
+  }
+  if (opts?.contentTypeOptions !== false) {
+    headers.push(["X-Content-Type-Options", "nosniff"]);
+  }
+  const rp = opts?.referrerPolicy;
+  if (rp !== false) {
+    headers.push(["Referrer-Policy", typeof rp === "string" ? rp : "strict-origin-when-cross-origin"]);
+  }
+  const pp = opts?.permissionsPolicy;
+  if (pp !== false) {
+    headers.push(["Permissions-Policy", typeof pp === "string" ? pp : "geolocation=(), microphone=(), camera=()"]);
+  }
+  const xxp = opts?.xssProtection;
+  if (xxp !== false) {
+    headers.push(["X-XSS-Protection", typeof xxp === "string" ? xxp : "0"]);
+  }
+  return (_req, res, next) => {
+    for (const [name, value] of headers) res.setHeader(name, value);
+    next();
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DESCRIBE_META,
+  apiBuilder,
+  cacheControl,
+  compress,
+  conditionalGet,
+  cors,
+  createJwtPlugin,
+  createMapTokenStore,
+  createRouter,
+  csrf,
+  describe,
+  formData,
+  formEncoded,
+  gitCreate,
+  gitHandler,
+  json,
+  logger,
+  mime,
+  openApiSpec,
+  parseBody,
+  parseMultipartBody,
+  rateLimit,
+  requestId,
+  securityHeaders,
+  sendFile,
+  serializeSpec,
+  serveFile,
+  serveStatic,
+  streamFormData
+});