fastscript 1.0.0 → 2.0.0

package/node_modules/@fastscript/core-private/src/validate.mjs

@@ -0,0 +1,22 @@
+import { runCheck } from "./check.mjs";
+import { runBuild } from "./build.mjs";
+import { runBench } from "./bench.mjs";
+import { runCompat } from "./compat.mjs";
+import { runExport } from "./export.mjs";
+import { runDbMigrate, runDbSeed } from "./db-cli.mjs";
+import { runTypeCheck } from "./typecheck.mjs";
+import { runLint } from "./fs-linter.mjs";
+
+export async function runValidate() {
+  await runCheck();
+  await runLint(["--mode", "fail"]);
+  await runTypeCheck(["--mode", "fail"]);
+  await runBuild();
+  await runBench();
+  await runCompat();
+  await runDbMigrate();
+  await runDbSeed();
+  await runExport(["--to", "js", "--out", "exported-js-app"]);
+  await runExport(["--to", "ts", "--out", "exported-ts-app"]);
+  console.log("validate complete: check/lint/typecheck/build/bench/compat/db/export all passed");
+}

package/node_modules/@fastscript/core-private/src/validation.mjs

@@ -0,0 +1,88 @@
+export async function readBody(req, { maxBytes = 1024 * 1024 } = {}) {
+  const chunks = [];
+  let total = 0;
+  for await (const chunk of req) {
+    const buf = Buffer.from(chunk);
+    total += buf.byteLength;
+    if (total > maxBytes) {
+      const error = new Error(`Request body too large (max ${maxBytes} bytes)`);
+      error.status = 413;
+      throw error;
+    }
+    chunks.push(buf);
+  }
+  const text = Buffer.concat(chunks).toString("utf8");
+  return text;
+}
+
+export async function readJsonBody(req, { maxBytes = 1024 * 1024 } = {}) {
+  const raw = await readBody(req, { maxBytes });
+  if (!raw.trim()) return {};
+  try {
+    return JSON.parse(raw);
+  } catch {
+    const error = new Error("Invalid JSON body");
+    error.status = 400;
+    throw error;
+  }
+}
+
+export function validateShape(schema, input, scope = "input") {
+  if (!schema || typeof schema !== "object") return { ok: true, value: input ?? {} };
+  const errors = [];
+  const out = {};
+  const source = input && typeof input === "object" ? input : {};
+
+  for (const [key, rule] of Object.entries(schema)) {
+    const value = source[key];
+    const optional = typeof rule === "string" && rule.endsWith("?");
+    const t = typeof rule === "string" ? rule.replace(/\?$/, "") : String(rule);
+
+    if (value === undefined || value === null) {
+      if (!optional) errors.push(`${scope}.${key} is required`);
+      continue;
+    }
+
+    if (t === "array") {
+      if (!Array.isArray(value)) errors.push(`${scope}.${key} must be array`);
+      else out[key] = value;
+      continue;
+    }
+
+    if (t === "int") {
+      const n = Number(value);
+      if (!Number.isInteger(n)) errors.push(`${scope}.${key} must be integer`);
+      else out[key] = n;
+      continue;
+    }
+
+    if (t === "float" || t === "number") {
+      const n = Number(value);
+      if (!Number.isFinite(n)) errors.push(`${scope}.${key} must be number`);
+      else out[key] = n;
+      continue;
+    }
+
+    if (t === "bool" || t === "boolean") {
+      if (typeof value !== "boolean") errors.push(`${scope}.${key} must be boolean`);
+      else out[key] = value;
+      continue;
+    }
+
+    if (t === "str" || t === "string") {
+      if (typeof value !== "string") errors.push(`${scope}.${key} must be string`);
+      else out[key] = value;
+      continue;
+    }
+
+    out[key] = value;
+  }
+
+  if (errors.length) {
+    const error = new Error(`Validation failed: ${errors.join("; ")}`);
+    error.status = 400;
+    error.details = errors;
+    throw error;
+  }
+  return { ok: true, value: out };
+}

package/node_modules/@fastscript/core-private/src/webhook.mjs

@@ -0,0 +1,81 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join, resolve } from "node:path";
+
+export async function readRawBody(req, { maxBytes = 1024 * 1024 } = {}) {
+  const chunks = [];
+  let total = 0;
+  for await (const chunk of req) {
+    const buf = Buffer.from(chunk);
+    total += buf.byteLength;
+    if (total > maxBytes) {
+      const error = new Error(`Webhook payload too large (max ${maxBytes} bytes)`);
+      error.status = 413;
+      throw error;
+    }
+    chunks.push(buf);
+  }
+  return Buffer.concat(chunks);
+}
+
+export function signPayload(payload, secret, algo = "sha256") {
+  const mac = createHmac(algo, secret).update(payload).digest("hex");
+  return `${algo}=${mac}`;
+}
+
+export function verifySignature(payload, header, secret, algo = "sha256") {
+  if (!header || typeof header !== "string") return false;
+  const expected = signPayload(payload, secret, algo);
+  const a = Buffer.from(expected);
+  const b = Buffer.from(header);
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(a, b);
+}
+
+export function isReplay(tsSeconds, maxSkewSec = 300) {
+  const ts = Number(tsSeconds);
+  if (!Number.isFinite(ts)) return true;
+  const now = Math.floor(Date.now() / 1000);
+  return Math.abs(now - ts) > maxSkewSec;
+}
+
+function replayStore({ dir = ".fastscript", ttlSec = 600 } = {}) {
+  const root = resolve(dir);
+  mkdirSync(root, { recursive: true });
+  const file = join(root, "webhook-replay.json");
+  let state = { seen: {} };
+  if (existsSync(file)) {
+    try { state = JSON.parse(readFileSync(file, "utf8")); } catch {}
+  }
+  function persist() {
+    writeFileSync(file, JSON.stringify(state, null, 2), "utf8");
+  }
+  return {
+    has(id) {
+      const now = Date.now();
+      for (const [k, exp] of Object.entries(state.seen)) if (exp < now) delete state.seen[k];
+      persist();
+      return Boolean(state.seen[id]);
+    },
+    add(id) {
+      state.seen[id] = Date.now() + ttlSec * 1000;
+      persist();
+    },
+  };
+}
+
+export async function verifyWebhookRequest(req, { secret, signatureHeader = "x-signature", timestampHeader = "x-timestamp", idHeader = "x-event-id", maxSkewSec = 300, replayDir = ".fastscript", maxBytes = 1024 * 1024 } = {}) {
+  const raw = await readRawBody(req, { maxBytes });
+  const sig = req.headers[signatureHeader];
+  const ts = req.headers[timestampHeader];
+  const eventId = req.headers[idHeader];
+  const id = Array.isArray(eventId) ? eventId[0] : eventId;
+  if (isReplay(ts, maxSkewSec)) return { ok: false, reason: "replay_window" };
+  if (!verifySignature(raw, Array.isArray(sig) ? sig[0] : sig, secret)) return { ok: false, reason: "bad_signature" };
+  if (id) {
+    const store = replayStore({ dir: replayDir, ttlSec: Math.max(maxSkewSec, 600) });
+    if (store.has(id)) return { ok: false, reason: "duplicate_event" };
+    store.add(id);
+  }
+  return { ok: true, raw };
+}

package/node_modules/@fastscript/core-private/src/worker.mjs

@@ -0,0 +1,24 @@
+import { replayDeadLetter, runWorker } from "./jobs.mjs";
+
+export async function runWorkerCommand(args = []) {
+  if (args[0] === "replay-dead-letter") {
+    const limitArg = args.indexOf("--limit");
+    const nameArg = args.indexOf("--name");
+    const limit = limitArg >= 0 ? Number(args[limitArg + 1] || 20) : 20;
+    const name = nameArg >= 0 ? args[nameArg + 1] || null : null;
+    const replayed = await replayDeadLetter({
+      dir: ".fastscript",
+      limit,
+      name,
+      driver: process.env.JOBS_DRIVER || "file",
+    });
+    console.log(`dead-letter replayed: ${replayed.length}`);
+    return;
+  }
+
+  await runWorker({
+    dir: ".fastscript",
+    pollMs: Number(process.env.WORKER_POLL_MS || 350),
+    driver: process.env.JOBS_DRIVER || "file",
+  });
+}

package/package.json

@@ -1,9 +1,13 @@
 {
   "name": "fastscript",
-  "version": "1.0.0",
-  "description": "JavaScript-first full-stack framework that is simpler and faster.",
-  "license": "MIT",
+  "version": "2.0.0",
+  "description": "JavaScript-first full-stack language runtime with first-class .fs source.",
+  "license": "SEE LICENSE IN LICENSE",
   "type": "module",
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
   "bin": {
     "fastscript": "src/cli.mjs"
   },
@@ -17,48 +21,117 @@
     "dev": "node ./src/cli.mjs dev",
     "start": "node ./src/cli.mjs start",
     "build": "node ./src/cli.mjs build",
+    "build:ssg": "node ./src/cli.mjs ssg",
     "create": "node ./src/cli.mjs create",
+    "create:startup-mvp": "node ./src/cli.mjs create startup-mvp --template startup-mvp",
+    "create:fullstack": "node ./src/cli.mjs create fullstack --template fullstack",
     "check": "node ./src/cli.mjs check",
     "migrate": "node ./src/cli.mjs migrate",
+    "wizard:migrate": "node ./src/cli.mjs wizard:migrate app/pages/index.fs",
     "bench": "node ./src/cli.mjs bench",
     "export:js": "node ./src/cli.mjs export --to js --out exported-js-app",
     "export:ts": "node ./src/cli.mjs export --to ts --out exported-ts-app",
     "compat": "node ./src/cli.mjs compat",
     "validate": "node ./src/cli.mjs validate",
+    "repo:lock": "node ./scripts/ensure-canonical-repo.mjs",
+    "typecheck": "node ./src/cli.mjs typecheck --mode fail",
+    "typecheck:pass": "node ./src/cli.mjs typecheck --mode pass",
+    "format": "node ./src/cli.mjs format --write",
+    "format:check": "node ./src/cli.mjs format --check",
+    "lint:fs": "node ./src/cli.mjs lint --mode fail",
+    "lint:fs:pass": "node ./src/cli.mjs lint --mode pass",
     "db:migrate": "node ./src/cli.mjs db:migrate",
     "db:seed": "node ./src/cli.mjs db:seed",
+    "db:rollback": "node ./src/cli.mjs db:rollback --count 1",
     "deploy:node": "node ./src/cli.mjs deploy --target node",
     "deploy:vercel": "node ./src/cli.mjs deploy --target vercel",
     "deploy:cloudflare": "node ./src/cli.mjs deploy --target cloudflare",
     "worker": "node ./src/cli.mjs worker",
+    "worker:replay-dead-letter": "node ./src/cli.mjs worker replay-dead-letter --limit 50",
+    "style:generate": "node ./scripts/style-generate.mjs",
+    "style:check": "node ./scripts/style-check.mjs",
     "smoke:dev": "node ./scripts/smoke-dev.mjs",
     "smoke:start": "node ./scripts/smoke-start.mjs",
+    "rollback:drill": "node ./scripts/rollback-drill.mjs",
+    "soak:window": "node ./scripts/soak-window.mjs",
     "test:middleware": "node ./scripts/test-middleware.mjs",
     "test:auth": "node ./scripts/test-auth.mjs",
     "test:db": "node ./scripts/test-db.mjs",
+    "test:db-cli": "node ./scripts/test-db-cli.mjs",
+    "test:fs-diag": "node ./scripts/test-fs-diagnostics.mjs",
     "test:roundtrip": "node ./scripts/test-roundtrip.mjs",
     "test:validation": "node ./scripts/test-validation.mjs",
     "test:webhook-storage": "node ./scripts/test-webhook-storage.mjs",
     "test:jobs": "node ./scripts/test-jobs.mjs",
-    "test:language-spec": "node ./scripts/test-language-spec.mjs",
-    "test:parser-fuzz": "node ./scripts/test-parser-fuzz.mjs",
-    "test:normalizer-stress": "node ./scripts/test-normalizer-stress.mjs",
+    "test:plugins": "node ./scripts/test-plugins.mjs",
+    "test:metrics": "node ./scripts/test-metrics.mjs",
+    "test:sourcemap-fidelity": "node ./scripts/test-sourcemap-fidelity.mjs",
+    "test:cache-parity": "node ./scripts/test-cache-parity.mjs",
+    "test:typecheck": "node ./scripts/test-typecheck.mjs",
+    "test:v2:ambient-runtime": "node ./scripts/test-v2-ambient-runtime.mjs",
+    "test:v2:stdlib-methods": "node ./scripts/test-v2-stdlib-methods.mjs",
+    "test:v2:stdlib-matrix": "node ./scripts/test-v2-stdlib-matrix.mjs",
+    "test:v2:dom-globals": "node ./scripts/test-v2-dom-globals.mjs",
+    "test:v2:dom-patterns": "node ./scripts/test-v2-dom-patterns.mjs",
+    "test:v2:inference-corpus": "node ./scripts/test-v2-inference-corpus.mjs",
+    "test:v2:inference-patterns": "node ./scripts/test-v2-inference-patterns.mjs",
+    "test:v2:zero-js-app": "node ./scripts/test-v2-zero-js-app.mjs",
+    "test:v2:zero-js-corpora": "node ./scripts/test-v2-zero-js-corpora.mjs",
+    "test:runtime-scope-diagnostics": "node ./scripts/test-runtime-scope-diagnostics.mjs",
+    "test:runtime-context-rules": "node ./scripts/test-runtime-context-rules.mjs",
+    "test:format-lint": "node ./scripts/test-format-lint.mjs",
+    "test:style-rules": "node ./scripts/test-style-rules.mjs",
+    "test:style-primitives": "node ./scripts/test-style-primitives.mjs",
+    "test:routes": "node ./scripts/test-routes.mjs",
+    "test:deploy-adapters": "node ./scripts/test-deploy-adapters.mjs",
+    "test:typecheck-depth": "node ./scripts/test-typecheck-depth.mjs",
     "test:determinism": "node ./scripts/test-determinism.mjs",
+    "test:parser-fuzz": "node ./scripts/test-parser-fuzz.mjs",
     "test:runtime-contract": "node ./scripts/test-runtime-contract.mjs",
-    "bench:language": "node ./scripts/bench-language-normalize.mjs",
+    "test:security-baseline": "node ./scripts/test-security-baseline.mjs",
+    "test:interop-matrix": "node ./scripts/interop-matrix.mjs --mode test",
+    "test:vscode-language": "node ./vscode/fastscript-language/lsp/smoke-test.cjs",
+    "test:conformance": "node ./scripts/test-conformance.mjs",
+    "test:conformance:update": "node ./scripts/test-conformance.mjs --update",
     "bench:report": "node ./scripts/bench-report.mjs",
-    "test:core": "npm run test:middleware && npm run test:auth && npm run test:db && npm run test:validation && npm run test:webhook-storage && npm run test:jobs && npm run test:roundtrip && npm run test:language-spec && npm run test:parser-fuzz && npm run test:normalizer-stress && npm run test:determinism && npm run test:runtime-contract",
-    "qa:gate": "npm run validate && npm run test:core",
-    "qa:all": "npm run qa:gate && npm run smoke:dev && npm run smoke:start && npm run bench:language && npm run bench:report",
+    "benchmark:suite": "node ./scripts/benchmark-suite.mjs",
+    "interop:report": "node ./scripts/interop-matrix.mjs --mode report",
+    "sbom:generate": "node ./scripts/generate-sbom.mjs",
+    "proof:publish": "node ./scripts/publish-proof-pack.mjs",
+    "docs:index": "node ./scripts/build-docs-index.mjs",
+    "docs:api-ref": "node ./scripts/generate-api-reference.mjs",
+    "plugins:marketplace-sync": "node ./scripts/plugin-marketplace-sync.mjs",
+    "security:rotate-secrets": "node ./scripts/secret-rotation.mjs",
+    "backup:create": "node ./scripts/backup.mjs",
+    "backup:restore": "node ./scripts/restore.mjs",
+    "backup:verify": "node ./scripts/backup-verify.mjs",
+    "retention:sweep": "node ./scripts/retention-sweep.mjs",
+    "kpi:track": "node ./scripts/kpi-track.mjs",
+    "deploy:zero-downtime": "node ./scripts/zero-downtime-deploy.mjs",
+    "merge:gate": "node ./scripts/release-merge-gate.mjs",
+    "test:core": "npm run test:middleware && npm run test:auth && npm run test:db && npm run test:db-cli && npm run test:validation && npm run test:webhook-storage && npm run test:jobs && npm run test:plugins && npm run test:fs-diag && npm run test:metrics && npm run test:roundtrip && npm run test:sourcemap-fidelity && npm run test:cache-parity && npm run test:typecheck && npm run test:typecheck-depth && npm run test:format-lint && npm run test:style-rules && npm run test:style-primitives && npm run test:routes && npm run test:runtime-contract && npm run test:determinism && npm run test:parser-fuzz && npm run test:security-baseline && npm run test:deploy-adapters && npm run test:interop-matrix && npm run test:vscode-language && npm run test:runtime-context-rules && npm run test:runtime-scope-diagnostics && npm run test:v2:ambient-runtime && npm run test:v2:stdlib-methods && npm run test:v2:stdlib-matrix && npm run test:v2:dom-globals && npm run test:v2:dom-patterns && npm run test:v2:inference-corpus && npm run test:v2:inference-patterns && npm run test:v2:zero-js-app && npm run test:v2:zero-js-corpora && npm run test:conformance",
+    "qa:gate": "npm run repo:lock && npm run format:check && npm run lint:fs && npm run typecheck && npm run validate && npm run test:core && npm run smoke:dev && npm run smoke:start",
+    "qa:all": "npm run repo:lock && npm run format:check && npm run lint:fs && npm run typecheck && npm run docs:index && npm run docs:api-ref && npm run validate && npm run test:core && npm run smoke:dev && npm run smoke:start && npm run bench:report && npm run benchmark:suite && npm run interop:report && npm run sbom:generate && npm run proof:publish && npm run backup:create && npm run backup:verify",
     "release:patch": "node ./scripts/release.mjs patch",
     "release:minor": "node ./scripts/release.mjs minor",
     "release:major": "node ./scripts/release.mjs major",
-    "pack:check": "npm pack --dry-run"
+    "pack:check": "node ./scripts/prepare-npm-release.mjs --pack-dry-run",
+    "hooks:install": "node ./scripts/install-hooks.mjs",
+    "public:bundle": "node ./scripts/prepare-public-docs-bundle.mjs",
+    "release:npm:prepare": "node ./scripts/prepare-npm-release.mjs"
   },
   "engines": {
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "esbuild": "^0.25.11"
-  }
+    "acorn": "^8.16.0",
+    "acorn-walk": "^8.3.5",
+    "astring": "^1.9.0",
+    "esbuild": "^0.25.11",
+    "@fastscript/core-private": "2.0.0"
+  },
+  "bundleDependencies": [
+    "@fastscript/core-private"
+  ],
+  "private": false
 }

package/src/asset-optimizer.mjs

@@ -0,0 +1,67 @@
+import { createHash } from "node:crypto";
+import { cpSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
+import { dirname, extname, join, relative, resolve } from "node:path";
+
+function walk(dir) {
+  if (!existsSync(dir)) return [];
+  const out = [];
+  for (const entry of readdirSync(dir)) {
+    const full = join(dir, entry);
+    const st = statSync(full);
+    if (st.isDirectory()) out.push(...walk(full));
+    else out.push(full);
+  }
+  return out;
+}
+
+function hashFile(path) {
+  return createHash("sha1").update(readFileSync(path)).digest("hex").slice(0, 8);
+}
+
+export async function optimizeImageAssets({ appDir = "app", distDir = "dist" } = {}) {
+  const sourceRoot = resolve(appDir, "assets", "images");
+  const targetRoot = resolve(distDir, "assets", "images");
+  mkdirSync(targetRoot, { recursive: true });
+  const files = walk(sourceRoot).filter((file) => [".png", ".jpg", ".jpeg", ".webp", ".svg", ".gif"].includes(extname(file).toLowerCase()));
+  const manifest = {};
+
+  for (const file of files) {
+    const rel = relative(sourceRoot, file).replace(/\\/g, "/");
+    const ext = extname(rel);
+    const base = rel.slice(0, -ext.length);
+    const hashed = `${base}.${hashFile(file)}${ext}`;
+    const out = join(targetRoot, hashed);
+    mkdirSync(dirname(out), { recursive: true });
+    cpSync(file, out);
+    manifest[`/assets/images/${rel}`] = `/assets/images/${hashed}`;
+  }
+
+  writeFileSync(resolve(distDir, "image-manifest.json"), JSON.stringify(manifest, null, 2), "utf8");
+  return manifest;
+}
+
+export async function optimizeFontAssets({ appDir = "app", distDir = "dist" } = {}) {
+  const sourceRoot = resolve(appDir, "assets", "fonts");
+  const targetRoot = resolve(distDir, "assets", "fonts");
+  mkdirSync(targetRoot, { recursive: true });
+  const files = walk(sourceRoot).filter((file) => [".woff2", ".woff", ".ttf", ".otf"].includes(extname(file).toLowerCase()));
+  const manifest = {};
+  const css = [];
+
+  for (const file of files) {
+    const rel = relative(sourceRoot, file).replace(/\\/g, "/");
+    const ext = extname(rel);
+    const base = rel.slice(0, -ext.length);
+    const hashed = `${base}.${hashFile(file)}${ext}`;
+    const out = join(targetRoot, hashed);
+    mkdirSync(dirname(out), { recursive: true });
+    cpSync(file, out);
+    manifest[`/assets/fonts/${rel}`] = `/assets/fonts/${hashed}`;
+    const family = base.split("/").pop().replace(/[-_]/g, " ");
+    css.push(`@font-face{font-family:"${family}";src:url('/assets/fonts/${hashed}') format('${ext.replace(".", "")}');font-display:swap;}`);
+  }
+
+  writeFileSync(resolve(distDir, "font-manifest.json"), JSON.stringify(manifest, null, 2), "utf8");
+  if (css.length) writeFileSync(resolve(distDir, "fonts.generated.css"), `${css.join("\n")}\n`, "utf8");
+  return manifest;
+}

package/src/audit-log.mjs

@@ -0,0 +1,50 @@
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+
+function sha(input) {
+  return createHash("sha256").update(input).digest("hex");
+}
+
+function readLines(path) {
+  if (!existsSync(path)) return [];
+  return readFileSync(path, "utf8").split(/\r?\n/).filter(Boolean);
+}
+
+export function createAuditLog({ file = ".fastscript/audit.log" } = {}) {
+  const path = resolve(file);
+  mkdirSync(dirname(path), { recursive: true });
+
+  function append(event) {
+    const lines = readLines(path);
+    let prevHash = "genesis";
+    if (lines.length) {
+      const last = JSON.parse(lines[lines.length - 1]);
+      prevHash = last.hash || "genesis";
+    }
+    const record = {
+      ts: new Date().toISOString(),
+      prevHash,
+      ...event,
+    };
+    record.hash = sha(JSON.stringify({ ...record, hash: undefined }));
+    lines.push(JSON.stringify(record));
+    writeFileSync(path, `${lines.join("\n")}\n`, "utf8");
+    return record;
+  }
+
+  function verify() {
+    const lines = readLines(path);
+    let prevHash = "genesis";
+    for (const line of lines) {
+      const row = JSON.parse(line);
+      if (row.prevHash !== prevHash) return { ok: false, row };
+      const expected = sha(JSON.stringify({ ...row, hash: undefined }));
+      if (row.hash !== expected) return { ok: false, row };
+      prevHash = row.hash;
+    }
+    return { ok: true, count: lines.length };
+  }
+
+  return { append, verify, file: path };
+}

package/src/auth.mjs

@@ -1,115 +1 @@
-import { createHmac, randomBytes } from "node:crypto";
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import { join } from "node:path";
-
-function readJson(path, fallback) {
-  if (!existsSync(path)) return fallback;
-  try {
-    return JSON.parse(readFileSync(path, "utf8"));
-  } catch {
-    return fallback;
-  }
-}
-
-function writeJson(path, value) {
-  writeFileSync(path, JSON.stringify(value, null, 2), "utf8");
-}
-
-export function parseCookies(header) {
-  const out = {};
-  if (!header) return out;
-  for (const part of header.split(";")) {
-    const [k, ...rest] = part.trim().split("=");
-    if (!k) continue;
-    out[k] = decodeURIComponent(rest.join("=") || "");
-  }
-  return out;
-}
-
-export function serializeCookie(name, value, opts = {}) {
-  const bits = [`${name}=${encodeURIComponent(value)}`];
-  bits.push(`Path=${opts.path ?? "/"}`);
-  if (opts.httpOnly !== false) bits.push("HttpOnly");
-  if (opts.sameSite) bits.push(`SameSite=${opts.sameSite}`);
-  else bits.push("SameSite=Lax");
-  if (opts.secure) bits.push("Secure");
-  if (typeof opts.maxAge === "number") bits.push(`Max-Age=${opts.maxAge}`);
-  return bits.join("; ");
-}
-
-function sign(payload, secret) {
-  return createHmac("sha256", secret).update(payload).digest("hex");
-}
-
-export function createSessionManager({ dir = ".fastscript", cookieName = "fs_session", secret = "fastscript-dev-secret" } = {}) {
-  mkdirSync(dir, { recursive: true });
-  const path = join(dir, "sessions.json");
-  const state = readJson(path, { sessions: {} });
-
-  function persist() {
-    writeJson(path, state);
-  }
-
-  return {
-    cookieName,
-    sweepExpired() {
-      let removed = 0;
-      const now = Date.now();
-      for (const [id, row] of Object.entries(state.sessions)) {
-        if (!row || row.exp < now) {
-          delete state.sessions[id];
-          removed += 1;
-        }
-      }
-      if (removed) persist();
-      return removed;
-    },
-    create(user, maxAgeSec = 60 * 60 * 24 * 7) {
-      const id = randomBytes(12).toString("hex");
-      const exp = Date.now() + maxAgeSec * 1000;
-      state.sessions[id] = { user, exp };
-      persist();
-      const sig = sign(`${id}.${exp}`, secret);
-      return `${id}.${exp}.${sig}`;
-    },
-    read(token) {
-      if (!token) return null;
-      const [id, expStr, sig] = token.split(".");
-      if (!id || !expStr || !sig) return null;
-      const expected = sign(`${id}.${expStr}`, secret);
-      if (expected !== sig) return null;
-      const exp = Number(expStr);
-      if (!Number.isFinite(exp) || exp < Date.now()) return null;
-      const row = state.sessions[id];
-      if (!row || row.exp < Date.now()) {
-        if (row) {
-          delete state.sessions[id];
-          persist();
-        }
-        return null;
-      }
-      return row;
-    },
-    delete(token) {
-      const [id] = String(token || "").split(".");
-      if (!id) return;
-      delete state.sessions[id];
-      persist();
-    },
-    rotate(token, maxAgeSec = 60 * 60 * 24 * 7) {
-      const row = this.read(token);
-      if (!row?.user) return null;
-      this.delete(token);
-      return this.create(row.user, maxAgeSec);
-    },
-  };
-}
-
-export function requireUser(user) {
-  if (!user) {
-    const error = new Error("Unauthorized");
-    error.status = 401;
-    throw error;
-  }
-  return user;
-}
+export * from "@fastscript/core-private/auth";

package/src/bench.mjs

@@ -3,8 +3,8 @@ import { gzipSync } from "node:zlib";
 import { join, resolve } from "node:path";
 
 const DIST = resolve("dist");
-const JS_BUDGET_BYTES = 30 * 1024;
-const CSS_BUDGET_BYTES = 10 * 1024;
+const JS_BUDGET_BYTES = Number(process.env.FASTSCRIPT_JS_BUDGET_KB || 30) * 1024;
+const CSS_BUDGET_BYTES = Number(process.env.FASTSCRIPT_CSS_BUDGET_KB || 15) * 1024;
 
 function gzipSize(path) {
   if (!existsSync(path)) return 0;
@@ -16,15 +16,29 @@ function kb(bytes) {
   return `${(bytes / 1024).toFixed(2)}KB`;
 }
 
+function loadJson(path) {
+  if (!existsSync(path)) return null;
+  return JSON.parse(readFileSync(path, "utf8"));
+}
+
+function resolveAsset(distPath, assetManifest, logicalName) {
+  const direct = join(distPath, logicalName);
+  if (existsSync(direct)) return direct;
+  const mapped = assetManifest?.mapping?.[logicalName];
+  if (!mapped) return direct;
+  return join(distPath, mapped.replace(/^\.\//, ""));
+}
+
 export async function runBench() {
   const manifestPath = join(DIST, "fastscript-manifest.json");
   if (!existsSync(manifestPath)) {
     throw new Error("Missing dist build output. Run: fastscript build");
   }
 
-  const manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
-  const jsAssets = [join(DIST, "router.js")];
-  const cssAssets = [join(DIST, "styles.css")];
+  const manifest = loadJson(manifestPath);
+  const assetManifest = loadJson(join(DIST, "asset-manifest.json"));
+  const jsAssets = [resolveAsset(DIST, assetManifest, "router.js")];
+  const cssAssets = [resolveAsset(DIST, assetManifest, "styles.css")];
 
   if (manifest.layout) jsAssets.push(join(DIST, manifest.layout.replace(/^\.\//, "")));
   const root = manifest.routes.find((r) => r.path === "/");
@@ -33,7 +47,7 @@ export async function runBench() {
   const totalJs = jsAssets.reduce((sum, p) => sum + gzipSize(p), 0);
   const totalCss = cssAssets.reduce((sum, p) => sum + gzipSize(p), 0);
 
-  console.log(`3G budget check -> JS: ${kb(totalJs)} / 30.00KB, CSS: ${kb(totalCss)} / 10.00KB`);
+  console.log(`3G budget check -> JS: ${kb(totalJs)} / ${kb(JS_BUDGET_BYTES)}, CSS: ${kb(totalCss)} / ${kb(CSS_BUDGET_BYTES)}`);
 
   const errors = [];
   if (totalJs > JS_BUDGET_BYTES) errors.push(`JS budget exceeded by ${kb(totalJs - JS_BUDGET_BYTES)}`);
@@ -43,4 +57,3 @@ export async function runBench() {
     throw new Error(errors.join("\n"));
   }
 }
-