nextlimiter 1.2.0 → 1.3.0

package/bin/commands/benchmark.js

@@ -0,0 +1,125 @@
+'use strict';
+const http = require('http');
+const https = require('https');
+
+function parseArgs() {
+    const args = process.argv.slice(3);
+    const options = { url: null, duration: 10, concurrency: 10, rps: 0 };
+    
+    for (let i = 0; i < args.length; i++) {
+        if (args[i] === '--url') options.url = args[++i];
+        else if (args[i] === '--duration') options.duration = parseInt(args[++i], 10);
+        else if (args[i] === '--concurrency') options.concurrency = parseInt(args[++i], 10);
+        else if (args[i] === '--rps') options.rps = parseInt(args[++i], 10);
+    }
+    
+    if (!options.url) {
+        console.error('Usage: npx nextlimiter benchmark --url <url> [options]');
+        process.exit(1);
+    }
+    return options;
+}
+
+function fetchTarget(targetUrl) {
+    const t0 = Date.now();
+    return new Promise((resolve) => {
+        const parsed = new URL(targetUrl);
+        const lib = parsed.protocol === 'https:' ? https : http;
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port,
+            path: parsed.pathname + parsed.search,
+            method: 'GET',
+            timeout: 10000
+        }, (res) => {
+            res.on('data', () => {});
+            res.on('end', () => resolve({ t: Date.now() - t0, s: res.statusCode }));
+        });
+        req.on('error', () => resolve({ t: Date.now() - t0, s: 0 }));
+        req.on('timeout', () => { req.destroy(); resolve({ t: Date.now() - t0, s: 0 }); });
+        req.end();
+    });
+}
+
+function calculatePercentile(arr, p) {
+    if (arr.length === 0) return 0;
+    arr.sort((a,b) => a - b);
+    const idx = Math.floor(arr.length * p);
+    return arr[idx];
+}
+
+function drawProgressBar(pct, text) {
+    if (!process.stdout.isTTY) return;
+    const cw = process.stdout.columns || 80;
+    const meta = ` ${pct.toFixed(0)}% | ${text}`;
+    const barLen = Math.max(10, cw - meta.length - 4);
+    const filled = Math.floor(barLen * (pct / 100));
+    const empty = barLen - filled;
+    
+    const bar = '[' + '█'.repeat(filled) + '░'.repeat(empty) + ']';
+    process.stdout.write(`\r${bar}${meta}`);
+}
+
+module.exports = async function() {
+    const opts = parseArgs();
+    console.log(`Benchmarking ${opts.url} for ${opts.duration} seconds with ${opts.concurrency} workers...`);
+
+    const endAt = Date.now() + (opts.duration * 1000);
+    let running = true;
+    let totalReqs = 0, blocked = 0;
+    const latencies = [];
+    const codes = { 200: 0, 429: 0 };
+    let intervalTimer;
+
+    const worker = async () => {
+        while (running && Date.now() < endAt) {
+            const res = await fetchTarget(opts.url);
+            totalReqs++;
+            latencies.push(res.t);
+            if (res.s === 429) { blocked++; codes[429] = (codes[429] || 0) + 1; }
+            else if (res.s > 0) { codes[res.s] = (codes[res.s] || 0) + 1; }
+            
+            if (opts.rps > 0) {
+                const sleepMs = 1000 / opts.rps;
+                await new Promise(r => setTimeout(r, sleepMs));
+            }
+        }
+    };
+
+    const workers = [];
+    for (let i = 0; i < opts.concurrency; i++) {
+        workers.push(worker());
+    }
+
+    intervalTimer = setInterval(() => {
+        const remaining = endAt - Date.now();
+        if (remaining <= 0) return;
+        const elapsed = (opts.duration * 1000) - remaining;
+        const pct = Math.min(100, (elapsed / (opts.duration * 1000)) * 100);
+        const avg = latencies.length > 0 ? Math.round(latencies.reduce((a,b)=>a+b, 0) / latencies.length) : 0;
+        drawProgressBar(pct, `${totalReqs} req | ${blocked} blocked | ${avg}ms avg \x1b[K`);
+    }, 500);
+
+    await Promise.all(workers);
+    clearInterval(intervalTimer);
+    if (process.stdout.isTTY) process.stdout.write('\n\n');
+
+    const durationSec = opts.duration;
+    const throughput = (totalReqs / durationSec).toFixed(1);
+    const blockPct = totalReqs > 0 ? ((blocked / totalReqs) * 100).toFixed(2) : '0.00';
+    const avgLat = totalReqs > 0 ? Math.round(latencies.reduce((a,b)=>a+b,0) / latencies.length) : 0;
+    const p95 = calculatePercentile(latencies, 0.95);
+    const p99 = calculatePercentile(latencies, 0.99);
+    
+    let codesText = Object.entries(codes).filter(([_,v])=>v>0).map(([k,v])=>`${k}: ${v}`).join(', ');
+    
+    console.log(`Benchmark Results — ${opts.url}`);
+    console.log(`Duration:        ${durationSec.toFixed(1)}s`);
+    console.log(`Total requests:  ${totalReqs}`);
+    console.log(`Req/sec:         ${throughput}`);
+    console.log(`Blocked:         ${blocked} (${blockPct}%)`);
+    console.log(`Avg latency:     ${avgLat}ms`);
+    console.log(`p95 latency:     ${p95}ms`);
+    console.log(`p99 latency:     ${p99}ms`);
+    console.log(`Status codes:    ${codesText}`);
+};

package/bin/commands/inspect.js

@@ -0,0 +1,64 @@
+'use strict';
+const http = require('http');
+const https = require('https');
+
+function parseArgs() {
+    const args = process.argv.slice(3);
+    const options = { url: args[0] };
+    
+    if (!options.url || options.url.startsWith('-')) {
+        console.error('Usage: npx nextlimiter inspect <url>');
+        process.exit(1);
+    }
+    try { new URL(options.url); } catch(e) { console.error('Invalid URL'); process.exit(1); }
+    return options;
+}
+
+module.exports = async function() {
+    const opts = parseArgs();
+    const parsed = new URL(opts.url);
+    const lib = parsed.protocol === 'https:' ? https : http;
+    
+    return new Promise((resolve) => {
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port,
+            path: parsed.pathname + parsed.search,
+            method: 'GET',
+            timeout: 10000
+        }, (res) => {
+            res.on('data', () => {});
+            res.on('end', () => {
+                const h = res.headers;
+                const pad = (s, len=26) => String(s).padEnd(len);
+                
+                console.log(`┌─ nextlimiter inspect ──────────────────┐`);
+                console.log(`│ URL:        ${pad(opts.url)} │`);
+                console.log(`│ Status:     ${pad(res.statusCode + ' ' + http.STATUS_CODES[res.statusCode])} │`);
+                
+                if (h['x-ratelimit-limit']) console.log(`│ Limit:      ${pad(h['x-ratelimit-limit'])} │`);
+                if (h['x-ratelimit-remaining']) console.log(`│ Remaining:  ${pad(h['x-ratelimit-remaining'])} │`);
+                if (h['x-ratelimit-reset']) {
+                    const date = new Date(parseInt(h['x-ratelimit-reset'], 10) * 1000);
+                    const txt = !isNaN(date.getTime()) ? date.toISOString().replace('T', ' ').substring(0, 19) + ' UTC' : h['x-ratelimit-reset'];
+                    console.log(`│ Reset:      ${pad(txt)} │`);
+                }
+                if (h['x-ratelimit-strategy']) console.log(`│ Strategy:   ${pad(h['x-ratelimit-strategy'])} │`);
+                if (h['retry-after']) console.log(`│ Retry-After: ${pad(h['retry-after'] + ' seconds')} │`);
+                
+                const other = Object.keys(h).filter(k => k.startsWith('x-ratelimit-') && !['x-ratelimit-limit','x-ratelimit-remaining','x-ratelimit-reset','x-ratelimit-strategy'].includes(k));
+                other.forEach(k => {
+                    const v = typeof h[k] === 'string' ? h[k].substring(0, 26) : h[k];
+                    const keyTxt = k.substring('x-ratelimit-'.length);
+                    console.log(`│ ${String(keyTxt + ':').padEnd(11)} ${pad(v)} │`);
+                });
+                console.log(`└────────────────────────────────────────┘`);
+                resolve();
+            });
+        });
+        
+        req.on('error', (err) => { console.error('Error fetching:', err.message); process.exit(1); resolve(); });
+        req.on('timeout', () => { console.error('Request timed out'); process.exit(1); resolve(); });
+        req.end();
+    });
+};

package/bin/commands/test.js

@@ -0,0 +1,123 @@
+'use strict';
+const http = require('http');
+const https = require('https');
+
+function parseArgs() {
+    const args = process.argv.slice(3);
+    const options = { url: args[0], requests: 110, concurrency: 1, method: 'GET', headers: {}, delay: 0, json: false };
+    
+    if (!options.url || options.url.startsWith('-')) {
+        console.error('Usage: npx nextlimiter test <url> [options]');
+        process.exit(1);
+    }
+    try { new URL(options.url); } catch(e) { console.error('Invalid URL'); process.exit(1); }
+
+    for (let i = 1; i < args.length; i++) {
+        if (args[i] === '--requests') options.requests = parseInt(args[++i], 10);
+        else if (args[i] === '--concurrency') options.concurrency = parseInt(args[++i], 10);
+        else if (args[i] === '--method') options.method = args[++i];
+        else if (args[i] === '--header') {
+            const [k, v] = args[++i].split(':');
+            if (k && v) options.headers[k.trim()] = v.trim();
+        }
+        else if (args[i] === '--delay') options.delay = parseInt(args[++i], 10);
+        else if (args[i] === '--json') options.json = true;
+    }
+    return options;
+}
+
+function doRequest(targetUrl, method, headers) {
+    return new Promise((resolve) => {
+        const parsed = new URL(targetUrl);
+        const lib = parsed.protocol === 'https:' ? https : http;
+        const req = lib.request({
+            hostname: parsed.hostname,
+            port: parsed.port,
+            path: parsed.pathname + parsed.search,
+            method,
+            headers,
+            timeout: 10000
+        }, (res) => {
+            if ([301, 302, 307, 308].includes(res.statusCode) && res.headers.location) {
+                // simple redirect follow
+                return resolve(doRequest(res.headers.location, method, headers));
+            }
+            res.on('data', () => {});
+            res.on('end', () => resolve({
+                status: res.statusCode,
+                limit: res.headers['x-ratelimit-limit'],
+                remaining: res.headers['x-ratelimit-remaining'],
+                strategy: res.headers['x-ratelimit-strategy'],
+                retryAfter: res.headers['retry-after'] || res.headers['x-ratelimit-reset'],
+            }));
+        });
+        req.on('error', (err) => resolve({ error: err.message }));
+        req.on('timeout', () => { req.destroy(); resolve({ error: 'timeout' }) });
+        req.end();
+    });
+}
+
+function delayBlock(ms) {
+    return new Promise(r => setTimeout(r, ms));
+}
+
+module.exports = async function() {
+    const opts = parseArgs();
+    const isTTY = process.stdout.isTTY;
+    const cGreen = isTTY ? '\x1b[32m' : '';
+    const cYellow = isTTY ? '\x1b[33m' : '';
+    const cRed = isTTY ? '\x1b[31m' : '';
+    const cReset = isTTY ? '\x1b[0m' : '';
+
+    let allowed = 0, blocked = 0, blockStrategy = '', firstBlock = -1;
+
+    for (let i = 1; i <= opts.requests; i += opts.concurrency) {
+        const batch = [];
+        for (let j = 0; j < opts.concurrency && (i + j) <= opts.requests; j++) {
+            batch.push(doRequest(opts.url, opts.method, opts.headers));
+        }
+        
+        const results = await Promise.all(batch);
+        results.forEach((r, idx) => {
+            const reqNum = i + idx;
+            if (r.error) {
+                if (!opts.json) console.log(`Request ${reqNum}: ${cRed}Error: ${r.error}${cReset}`);
+                return;
+            }
+            if (r.status >= 200 && r.status < 300) {
+                allowed++;
+                if (!opts.json) console.log(`Request ${reqNum}:\t${cGreen}${r.status} OK${cReset} \t(remaining: ${r.remaining || '?'})`);
+            } else if (r.status === 429) {
+                blocked++;
+                if (firstBlock === -1) firstBlock = reqNum;
+                blockStrategy = blockStrategy || r.strategy || 'unknown';
+                if (!opts.json) {
+                    console.log(`Request ${reqNum}:\t${cYellow}429 Too Many Requests${cReset}`);
+                    if (idx === batch.length-1) { // print extra details on last item in block batch
+                       console.log(`  Retry-After:\t${r.retryAfter || '?'}`);
+                       console.log(`  Strategy:\t${blockStrategy}`);
+                       console.log(`  Limit:\t${r.limit || '?'}`);
+                    }
+                }
+            } else {
+                if (!opts.json) console.log(`Request ${reqNum}:\t${cRed}${r.status}${cReset}`);
+            }
+        });
+        
+        if (opts.delay) await delayBlock(opts.delay);
+    }
+
+    if (opts.json) {
+        console.log(JSON.stringify({ total: opts.requests, allowed, blocked, firstBlock, blockStrategy }));
+    } else {
+        const pad = (s, len=31) => String(s).padEnd(len);
+        console.log(`\n┌─────────────────────────────────┐`);
+        console.log(`│ Total requests:     ${pad(opts.requests, 12)}│`);
+        console.log(`│ Allowed:            ${pad(allowed, 12)}│`);
+        console.log(`│ Blocked (429):      ${pad(blocked, 12)}│`);
+        console.log(`│ Block rate:         ${pad(((blocked/opts.requests)*100).toFixed(2)+'%', 12)}│`);
+        console.log(`│ First block at:     ${pad(firstBlock === -1 ? 'none' : 'request ' + firstBlock, 12)}│`);
+        console.log(`│ Strategy detected:  ${pad(blockStrategy || 'N/A', 12)}│`);
+        console.log(`└─────────────────────────────────┘`);
+    }
+};

package/bin/nextlimiter.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const cmd = process.argv[2];
+
+if (!cmd || cmd === '--help' || cmd === '-h') {
+  console.log(`
+  Usage: npx nextlimiter <command> [options]
+
+  Commands:
+    test <url>              Fire N requests and show rate limit behaviour
+    benchmark --url <url>   Load test a URL and measure throughput
+    inspect <url>           Show rate limit headers for a single request
+
+  Examples:
+    npx nextlimiter test https://api.example.com/users
+    npx nextlimiter test https://api.example.com --requests 200 --delay 10
+    npx nextlimiter benchmark --url http://localhost:3000 --duration 30
+    npx nextlimiter inspect https://api.example.com
+  `);
+  process.exit(0);
+}
+
+if (cmd === '--version' || cmd === '-v') {
+  const pkg = require('../package.json');
+  console.log('v' + pkg.version);
+  process.exit(0);
+}
+
+const commands = {
+  test: require('./commands/test'),
+  benchmark: require('./commands/benchmark'),
+  inspect: require('./commands/inspect')
+};
+
+if (!commands[cmd]) {
+  console.error(`Unknown command: ${cmd}`);
+  process.exit(1);
+}
+
+commands[cmd]();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nextlimiter",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Production-ready rate limiting for Node.js — sliding window, token bucket, SaaS plans, smart limiting, and built-in analytics.",
   "main": "src/index.js",
   "types": "types/index.d.ts",
@@ -10,7 +10,11 @@
     "./next": "./src/adapters/next.js",
     "./hono": "./src/adapters/hono.js"
   },
+  "bin": {
+    "nextlimiter": "./bin/nextlimiter.js"
+  },
   "files": [
+    "bin/",
     "src/",
     "types/",
     "README.md",

package/src/core/config.js

@@ -97,6 +97,9 @@ const DEFAULT_CONFIG = {
   webhookBackoff:    'exponential',
   webhookTimeout:    5000,
   webhookSecret:     null,
+
+  drainRateMs:       undefined,  // leaky-bucket only
+  capacity:          undefined,  // leaky-bucket only
 };
 
 /**
@@ -234,6 +237,24 @@ function resolveConfig(userOptions = {}) {
     if (base.webhookTimeout < 500) base.webhookTimeout = 5000;
   }
 
+  // Validate new strategies
+  if (base.strategy === 'sliding-window-log' && base.max > 10000) {
+    console.warn('[NextLimiter] Warning: "sliding-window-log" stores an array of timestamps. Using max > 10000 may impact memory and performance.');
+  }
+
+  if (base.drainRateMs !== undefined || base.capacity !== undefined) {
+    if (base.strategy !== 'leaky-bucket') {
+      console.warn('[NextLimiter] Warning: drainRateMs and capacity are ignored for strategy "' + base.strategy + '"');
+    } else {
+      if (base.drainRateMs !== undefined && (typeof base.drainRateMs !== 'number' || base.drainRateMs <= 0)) {
+        throw new Error('[NextLimiter] drainRateMs must be a positive number');
+      }
+      if (base.capacity !== undefined && (typeof base.capacity !== 'number' || base.capacity <= 0 || !Number.isInteger(base.capacity))) {
+        throw new Error('[NextLimiter] capacity must be a positive integer');
+      }
+    }
+  }
+
   return base;
 }
 

package/src/core/limiter.js

@@ -6,6 +6,8 @@ const { MemoryStore }             = require('../store/memoryStore');
 const { fixedWindowCheck }        = require('../strategies/fixedWindow');
 const { slidingWindowCheck }      = require('../strategies/slidingWindow');
 const { tokenBucketCheck }        = require('../strategies/tokenBucket');
+const { slidingWindowLog }        = require('../strategies/slidingWindowLog');
+const { leakyBucket }             = require('../strategies/leakyBucket');
 const { resolveKeyGenerator }     = require('../utils/keyGenerator');
 const { extractIp }               = require('../utils/keyGenerator');
 const { createLogger }            = require('../utils/logger');
@@ -17,11 +19,14 @@ const { PrometheusFormatter }     = require('../analytics/prometheus');
 const { RuleEngine }              = require('./ruleEngine');
 const { WebhookSender }           = require('../webhook/sender');
 const { Scheduler }               = require('./scheduler');
+const { dashboardMiddleware }     = require('../dashboard/dashboardMiddleware');
 
 const STRATEGY_MAP = {
   'fixed-window':   fixedWindowCheck,
   'sliding-window': slidingWindowCheck,
   'token-bucket':   tokenBucketCheck,
+  'sliding-window-log': slidingWindowLog,
+  'leaky-bucket':   leakyBucket,
 };
 
 /**
@@ -331,6 +336,19 @@ class Limiter extends EventEmitter {
     this._log.info(`Reset key: ${fullKey}`);
   }
 
+  /**
+   * Returns an Express middleware for displaying a live dashboard.
+   *
+   * @param {object} options
+   * @param {string} options.password - If set, enable HTTP Basic Auth
+   * @param {number} options.refreshMs - SSE push interval (default 2000ms)
+   * @param {string} options.path - Mount path prefix (default '/nextlimiter')
+   * @returns {function}
+   */
+  dashboardMiddleware(options = {}) {
+    return dashboardMiddleware(this, options);
+  }
+
   /**
    * Get analytics snapshot.
    *

package/src/core/ruleEngine.js

@@ -3,11 +3,15 @@ const { resolveKeyGenerator } = require('../utils/keyGenerator');
 const { fixedWindowCheck } = require('../strategies/fixedWindow');
 const { slidingWindowCheck } = require('../strategies/slidingWindow');
 const { tokenBucketCheck } = require('../strategies/tokenBucket');
+const { slidingWindowLog } = require('../strategies/slidingWindowLog');
+const { leakyBucket } = require('../strategies/leakyBucket');
 
 const STRATEGY_MAP = {
   'fixed-window': fixedWindowCheck,
   'sliding-window': slidingWindowCheck,
   'token-bucket': tokenBucketCheck,
+  'sliding-window-log': slidingWindowLog,
+  'leaky-bucket': leakyBucket,
 };
 
 class RuleEngine {

package/src/dashboard/dashboardMiddleware.js

@@ -0,0 +1,94 @@
+'use strict';
+
+const { Buffer } = require('buffer');
+const { generateDashboardHTML } = require('./html');
+
+function dashboardMiddleware(limiter, options = {}) {
+  const mountPath = options.path || '/nextlimiter';
+  const refreshMs = options.refreshMs || 2000;
+  
+  // Ring buffer for history (max 60 entries)
+  const history = [];
+  
+  const historyInterval = setInterval(() => {
+    history.push({ timestamp: Date.now(), stats: limiter.getStats() });
+    if (history.length > 60) history.shift();
+  }, refreshMs);
+  if (historyInterval.unref) historyInterval.unref();
+
+  return function(req, res, next) {
+    const fullPath = req.originalUrl || req.url || '';
+    if (!fullPath.startsWith(mountPath)) {
+      return next();
+    }
+
+    if (options.password) {
+      const authHeader = req.headers.authorization;
+      if (!authHeader || !authHeader.startsWith('Basic ')) {
+        res.setHeader('WWW-Authenticate', 'Basic realm="nextlimiter dashboard"');
+        res.statusCode = 401;
+        return res.end('Unauthorized');
+      }
+      const b64 = authHeader.substring(6);
+      const credentials = Buffer.from(b64, 'base64').toString();
+      const matchPos = credentials.indexOf(':');
+      const pass = matchPos >= 0 ? credentials.substring(matchPos + 1) : credentials;
+      if (pass !== options.password) {
+        res.setHeader('WWW-Authenticate', 'Basic realm="nextlimiter dashboard"');
+        res.statusCode = 401;
+        return res.end('Unauthorized');
+      }
+    }
+
+    const subPath = fullPath.substring(fullPath.indexOf(mountPath) + mountPath.length).split('?')[0] || '/';
+
+    if (req.method === 'GET' && (subPath === '/' || subPath === '')) {
+      res.setHeader('Content-Type', 'text/html');
+      res.statusCode = 200;
+      return res.end(generateDashboardHTML({ refreshMs }));
+    }
+
+    if (req.method === 'GET' && subPath === '/api/stats') {
+      res.setHeader('Content-Type', 'application/json');
+      res.statusCode = 200;
+      return res.end(JSON.stringify(limiter.getStats()));
+    }
+
+    if (req.method === 'GET' && subPath === '/api/history') {
+      res.setHeader('Content-Type', 'application/json');
+      res.statusCode = 200;
+      return res.end(JSON.stringify(history));
+    }
+
+    if (req.method === 'POST' && subPath.startsWith('/api/reset/')) {
+       const keyToReset = decodeURIComponent(subPath.substring('/api/reset/'.length));
+       limiter.resetKey(keyToReset);
+       res.setHeader('Content-Type', 'application/json');
+       res.statusCode = 200;
+       return res.end(JSON.stringify({ success: true }));
+    }
+
+    if (req.method === 'GET' && subPath === '/api/stream') {
+      res.setHeader('Content-Type', 'text/event-stream');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.setHeader('Connection', 'keep-alive');
+      res.statusCode = 200;
+      
+      const sendData = () => {
+        res.write(`data: ${JSON.stringify(limiter.getStats())}\n\n`);
+      };
+      
+      const interval = setInterval(sendData, refreshMs);
+      sendData(); // Send initial state immediately
+
+      req.on('close', () => clearInterval(interval));
+      return;
+    }
+
+    // 404 for unknown dashboard routes
+    res.statusCode = 404;
+    res.end('Not Found');
+  };
+}
+
+module.exports = { dashboardMiddleware };

package/src/dashboard/html.js

@@ -0,0 +1,382 @@
+'use strict';
+
+function generateDashboardHTML(options) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>nextlimiter dashboard</title>
+<style>
+  :root {
+    --bg: #0d1117;
+    --card: #161b22;
+    --text: #c9d1d9;
+    --accent: #58a6ff;
+    --border: #30363d;
+    --red: #f85149;
+    --green: #2ea043;
+    --yellow: #d29922;
+    --font: 'Courier New', monospace;
+  }
+  body {
+    background: var(--bg);
+    color: var(--text);
+    font-family: var(--font);
+    margin: 0;
+    padding: 20px;
+  }
+  .header {
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    border-bottom: 1px solid var(--border);
+    padding-bottom: 10px;
+    margin-bottom: 20px;
+  }
+  .title {
+    font-size: 24px;
+    font-weight: bold;
+    color: var(--accent);
+  }
+  .controls {
+    display: flex;
+    gap: 10px;
+    align-items: center;
+  }
+  .dot {
+    width: 12px;
+    height: 12px;
+    border-radius: 50%;
+    display: inline-block;
+  }
+  .dot.green { background: var(--green); }
+  .dot.red { background: var(--red); }
+  .btn {
+    background: var(--card);
+    border: 1px solid var(--border);
+    color: var(--text);
+    padding: 6px 12px;
+    font-family: inherit;
+    cursor: pointer;
+    border-radius: 4px;
+  }
+  .btn:hover { background: var(--border); }
+  .btn.danger { color: var(--red); border-color: var(--red); }
+  .btn.danger:hover { background: rgba(248, 81, 73, 0.1); }
+  
+  .cards {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+    gap: 15px;
+    margin-bottom: 20px;
+  }
+  .card {
+    background: var(--card);
+    border: 1px solid var(--border);
+    padding: 15px;
+    border-radius: 6px;
+  }
+  .card-title {
+    font-size: 14px;
+    color: #8b949e;
+    margin-bottom: 10px;
+  }
+  .card-val {
+    font-size: 28px;
+    font-weight: bold;
+  }
+  
+  .chart-container {
+    background: var(--card);
+    border: 1px solid var(--border);
+    padding: 15px;
+    border-radius: 6px;
+    margin-bottom: 20px;
+    height: 200px;
+    position: relative;
+  }
+  
+  .tables {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(400px, 1fr));
+    gap: 20px;
+  }
+  .table-card {
+    background: var(--card);
+    border: 1px solid var(--border);
+    border-radius: 6px;
+    padding: 15px;
+    overflow-x: auto;
+  }
+  table {
+    width: 100%;
+    border-collapse: collapse;
+    margin-top: 10px;
+  }
+  th, td {
+    padding: 8px;
+    text-align: left;
+    border-bottom: 1px solid var(--border);
+  }
+  th {
+    color: #8b949e;
+    cursor: pointer;
+    user-select: none;
+  }
+  th:hover { color: var(--text); }
+  tr.highlight td { color: var(--red); }
+  
+</style>
+</head>
+<body>
+
+<div class="header">
+  <div class="title">nextlimiter dashboard</div>
+  <div class="controls">
+    <span id="timestamp"></span>
+    <span id="statusDot" class="dot red"></span>
+    <button id="pauseBtn" class="btn">Pause Updates</button>
+    <button id="resetAllBtn" class="btn danger" onclick="resetAll()">Reset All Blocks</button>
+  </div>
+</div>
+
+<div class="cards">
+  <div class="card">
+    <div class="card-title">Total Requests</div>
+    <div id="valTotal" class="card-val">0</div>
+  </div>
+  <div class="card">
+    <div class="card-title">Blocked Requests</div>
+    <div id="valBlocked" class="card-val" style="color: var(--text);">0</div>
+  </div>
+  <div class="card">
+    <div class="card-title">Block Rate %</div>
+    <div id="valRate" class="card-val" style="color: var(--green);">0.0%</div>
+  </div>
+  <div class="card">
+    <div class="card-title">Uptime</div>
+    <div id="valUptime" class="card-val">0s</div>
+  </div>
+</div>
+
+<div class="chart-container" id="sparkline">
+  <!-- SVG injected here -->
+</div>
+
+<div class="tables">
+  <div class="table-card">
+    <div class="card-title">Top 10 Blocked IPs</div>
+    <table id="tblBlocked">
+      <thead><tr><th onclick="sortTbl('tblBlocked', 0)">IP / Key</th><th onclick="sortTbl('tblBlocked', 1)">Count</th><th onclick="sortTbl('tblBlocked', 2)">%</th><th>Action</th></tr></thead>
+      <tbody></tbody>
+    </table>
+  </div>
+  <div class="table-card">
+    <div class="card-title">Top 10 Keys by Volume</div>
+    <table id="tblVol">
+      <thead><tr><th onclick="sortTbl('tblVol', 0)">Key</th><th onclick="sortTbl('tblVol', 1)">Requests</th><th>Action</th></tr></thead>
+      <tbody></tbody>
+    </table>
+  </div>
+</div>
+
+<script>
+  let es = null;
+  let isPaused = false;
+  let historyData = [];
+  let sortState = { tblBlocked: [1, false], tblVol: [1, false] };
+
+  const basePath = window.location.pathname.replace(/\/$/, '');
+
+  function parseUptime(ms) {
+    if (!ms) return '0s';
+    const totalSec = Math.floor(ms / 1000);
+    const h = Math.floor(totalSec / 3600);
+    const m = Math.floor((totalSec % 3600) / 60);
+    const s = totalSec % 60;
+    if (h > 0) return h + 'h ' + m + 'm';
+    if (m > 0) return m + 'm ' + s + 's';
+    return s + 's';
+  }
+
+  function mountSvgChart(containerId, historyArr) {
+    const container = document.getElementById(containerId);
+    if (!historyArr || historyArr.length === 0) {
+      container.innerHTML = '<div style="color:#8b949e; text-align:center; padding-top:80px;">Awaiting data...</div>';
+      return;
+    }
+    
+    // Compute diffs
+    const diffs = [];
+    for (let i = 1; i < historyArr.length; i++) {
+        const prev = historyArr[i-1].stats;
+        const curr = historyArr[i].stats;
+        const allowedDiff = Math.max(0, curr.totalRequests - prev.totalRequests - (curr.blockedRequests - prev.blockedRequests));
+        const blockedDiff = Math.max(0, curr.blockedRequests - prev.blockedRequests);
+        diffs.push({ a: allowedDiff, b: blockedDiff });
+    }
+    if (diffs.length === 0) return;
+
+    let maxVal = 10;
+    diffs.forEach(d => {
+        if (d.a + d.b > maxVal) maxVal = d.a + d.b;
+    });
+
+    const w = container.clientWidth - 20;
+    const h = container.clientHeight - 40;
+    const pxPerStep = w / Math.max(1, diffs.length - 1);
+
+    let ptsA = '0,'+h+' ';
+    let ptsB = '0,'+h+' ';
+
+    diffs.forEach((d, i) => {
+        const x = i * pxPerStep;
+        const ya = h - ((d.a / maxVal) * h);
+        const yb = h - ((d.b / maxVal) * h);
+        ptsA += x+','+ya+' ';
+        ptsB += x+','+yb+' ';
+    });
+    
+    const lastX = (diffs.length-1)*pxPerStep;
+    ptsA += lastX+','+h; // close path for area
+    ptsB += lastX+','+h;
+
+    const svg = '<svg width="100%" height="100%" viewBox="-10 -20 ' + (container.clientWidth) + ' ' + (container.clientHeight) + '">'+
+      '<text x="0" y="-5" fill="#8b949e" font-size="12">Requests / interval (Max: '+maxVal+')</text>'+
+      '<polyline fill="rgba(46,160,67,0.2)" stroke="#2ea043" stroke-width="2" points="'+ptsA+'" />'+
+      '<polyline fill="rgba(248,81,73,0.3)" stroke="#f85149" stroke-width="2" points="'+ptsB+'" />'+
+    '</svg>';
+    
+    container.innerHTML = svg;
+  }
+
+  function renderTable(tableId, data, isBlockedTbl) {
+    const tbody = document.querySelector('#' + tableId + ' tbody');
+    tbody.innerHTML = '';
+    
+    const [sortCol, asc] = sortState[tableId];
+    data.sort((a,b) => {
+        let valA, valB;
+        if (sortCol === 0) { valA = a.key; valB = b.key; }
+        else if (sortCol === 1) { valA = a.count; valB = b.count; }
+        else if (sortCol === 2) { valA = a.rate; valB = b.rate; }
+        if (valA < valB) return asc ? -1 : 1;
+        if (valA > valB) return asc ? 1 : -1;
+        return 0;
+    });
+
+    let html = '';
+    data.forEach(row => {
+        const hl = row.count > 1000 && isBlockedTbl ? 'highlight' : '';
+        const pct = isBlockedTbl ? '<td>' + (row.rate*100).toFixed(1) + '%</td>' : '';
+        html += '<tr class="'+hl+'">'+
+          '<td>'+row.key+'</td>'+
+          '<td>'+row.count+'</td>'+
+          pct +
+          '<td><button class="btn" style="padding: 2px 8px;" onclick="resetKey(\\''+encodeURIComponent(row.key)+'\\')">Reset</button></td>'+
+        '</tr>';
+    });
+    tbody.innerHTML = html;
+  }
+
+  function sortTbl(tableId, colIndex) {
+    if (sortState[tableId][0] === colIndex) {
+        sortState[tableId][1] = !sortState[tableId][1];
+    } else {
+        sortState[tableId] = [colIndex, false];
+    }
+    updateAllPanels(historyData[historyData.length-1].stats);
+  }
+
+  function updateAllPanels(stats) {
+    const d = new Date();
+    document.getElementById('timestamp').innerText = d.toLocaleTimeString();
+
+    document.getElementById('valTotal').innerText = stats.totalRequests || 0;
+    document.getElementById('valBlocked').innerText = stats.blockedRequests || 0;
+    document.getElementById('valBlocked').style.color = stats.blockedRequests > 0 ? 'var(--red)' : 'var(--text)';
+    
+    const blockRate = stats.totalRequests ? (stats.blockedRequests / stats.totalRequests) : 0;
+    const rateTxt = (blockRate * 100).toFixed(2) + '%';
+    document.getElementById('valRate').innerText = rateTxt;
+    document.getElementById('valRate').style.color = blockRate > 0.15 ? 'var(--red)' : (blockRate > 0.05 ? 'var(--yellow)' : 'var(--green)');
+    
+    document.getElementById('valUptime').innerText = parseUptime(stats.uptimeMs);
+
+    // Map top objects to array for table renderer
+    const topBlockedSource = Array.isArray(stats.topBlocked) ? stats.topBlocked : [];
+    const bArr = topBlockedSource.map(item => ({ key: item.key, count: item.count, rate: stats.blockedRequests ? item.count/stats.blockedRequests : 0 })).slice(0, 10);
+    renderTable('tblBlocked', bArr, true);
+
+    const topKeysSource = Array.isArray(stats.topKeys) ? stats.topKeys : [];
+    const vArr = topKeysSource.map(item => ({ key: item.key, count: item.count })).slice(0, 10);
+    renderTable('tblVol', vArr, false);
+
+    mountSvgChart('sparkline', historyData);
+  }
+
+  async function resetKey(keyUri) {
+    try {
+        await fetch(basePath + '/api/reset/' + keyUri, { method: 'POST' });
+        // Assume successful reset, next SSE tick will update UI
+    } catch(err) {
+        console.error(err);
+    }
+  }
+
+  async function resetAll() {
+    if (!historyData.length) return;
+    const stats = historyData[historyData.length-1].stats;
+    const items = Array.isArray(stats.topBlocked) ? stats.topBlocked : [];
+    for (let i=0; i < items.length; i++) {
+        await resetKey(encodeURIComponent(items[i].key));
+    }
+  }
+
+  function showDisconnectedState() {
+     document.getElementById('statusDot').className = 'dot red';
+  }
+
+  function fetchHistory() {
+      fetch(basePath + '/api/history').then(r=>r.json()).then(data => {
+          historyData = data;
+          if (historyData.length) {
+              updateAllPanels(historyData[historyData.length-1].stats);
+          }
+      }).catch(() => showDisconnectedState());
+  }
+
+  function connectSSE() {
+      es = new EventSource(basePath + '/api/stream');
+      es.onmessage = (e) => {
+          if (isPaused) return;
+          const stats = JSON.parse(e.data);
+          historyData.push({ timestamp: Date.now(), stats });
+          if (historyData.length > 60) historyData.shift();
+          
+          document.getElementById('statusDot').className = 'dot green';
+          updateAllPanels(stats);
+      };
+      es.onerror = () => {
+          showDisconnectedState();
+          es.close();
+          setTimeout(connectSSE, 5000);
+      };
+  }
+
+  document.getElementById('pauseBtn').addEventListener('click', (e) => {
+      isPaused = !isPaused;
+      e.target.innerText = isPaused ? 'Resume Updates' : 'Pause Updates';
+      e.target.style.background = isPaused ? 'var(--border)' : 'var(--card)';
+      document.getElementById('statusDot').className = isPaused ? 'dot yellow' : 'dot green';
+  });
+
+  fetchHistory();
+  connectSSE();
+</script>
+</body>
+</html>`;
+}
+
+module.exports = { generateDashboardHTML };

package/src/strategies/leakyBucket.js

@@ -0,0 +1,62 @@
+'use strict';
+
+const { RateLimitResult } = require('../core/result');
+
+/**
+ * Leaky Bucket strategy.
+ * Constant output rate, queues overflow.
+ * Key difference from token bucket: drains at constant rate (output is smooth, no bursts).
+ * 
+ * @param {string} key         - Rate limit key
+ * @param {object} config      - Resolved NextLimiter config
+ * @param {object} store       - Store instance
+ * @returns {Promise<RateLimitResult>}
+ */
+async function leakyBucket(key, config, store) {
+  const drainRateMs = config.drainRateMs || (config.windowMs / config.max);
+  const capacity = config.capacity || config.max;
+
+  let state = await Promise.resolve(store.get(key));
+  if (!state || typeof state.queue !== 'number') {
+    state = { queue: 0, lastDrain: Date.now() };
+  }
+
+  const now = Date.now();
+  const elapsed = now - state.lastDrain;
+
+  // Drain: reduce queue by elapsed time / drain rate
+  const drained = elapsed / drainRateMs;
+  state.queue = Math.max(0, state.queue - drained);
+  state.lastDrain = now;
+
+  if (state.queue >= capacity) {
+    // Bucket full — DROP
+    const msUntilSpace = (state.queue - capacity + 1) * drainRateMs;
+    const retryAfter = Math.ceil(msUntilSpace / 1000);
+    return new RateLimitResult({
+      allowed: false,
+      limit: capacity,
+      remaining: 0,
+      resetAt: now + msUntilSpace,
+      retryAfter,
+      key,
+      strategy: 'leaky-bucket'
+    });
+  }
+
+  state.queue += 1;
+  const ttl = config.windowMs * 2;
+  await Promise.resolve(store.set(key, state, ttl));
+
+  return new RateLimitResult({
+    allowed: true,
+    limit: capacity,
+    remaining: Math.floor(capacity - state.queue),
+    resetAt: now + drainRateMs,
+    retryAfter: 0,
+    key,
+    strategy: 'leaky-bucket'
+  });
+}
+
+module.exports = { leakyBucket };

package/src/strategies/slidingWindowLog.js

@@ -0,0 +1,54 @@
+'use strict';
+
+const { RateLimitResult } = require('../core/result');
+
+/**
+ * Sliding Window Log strategy.
+ * Perfect accuracy, O(n) memory. Stores a sorted list of timestamps.
+ * Note: O(n) memory usage where n = max requests per window.
+ * 
+ * @param {string} key         - Rate limit key
+ * @param {object} config      - Resolved NextLimiter config
+ * @param {object} store       - Store instance
+ * @returns {Promise<RateLimitResult>}
+ */
+async function slidingWindowLog(key, config, store) {
+  const now = Date.now();
+  let log = await Promise.resolve(store.get(key));
+  if (!log || !Array.isArray(log)) {
+    log = [];
+  }
+  
+  // Prune old timestamps
+  const windowStart = now - config.windowMs;
+  log = log.filter(t => t > windowStart);
+  
+  if (log.length >= config.max) {
+    const oldestInWindow = log[0];
+    const retryAfterMs = oldestInWindow + config.windowMs - now;
+    return new RateLimitResult({
+      allowed: false,
+      limit: config.max,
+      remaining: 0,
+      resetAt: oldestInWindow + config.windowMs,
+      retryAfter: Math.ceil(retryAfterMs / 1000),
+      key,
+      strategy: 'sliding-window-log'
+    });
+  }
+  
+  log.push(now);
+  await Promise.resolve(store.set(key, log, config.windowMs));
+  
+  return new RateLimitResult({
+    allowed: true,
+    limit: config.max,
+    remaining: config.max - log.length,
+    resetAt: (log[0] || now) + config.windowMs,
+    retryAfter: 0,
+    key,
+    strategy: 'sliding-window-log'
+  });
+}
+
+module.exports = { slidingWindowLog };

package/types/index.d.ts

@@ -27,7 +27,7 @@ export interface RuleConfig {
   keyBy: 'ip' | 'api-key' | 'user-id' | string | ((req: Request) => string);
   max: number;
   windowMs: number;
-  strategy?: 'sliding-window' | 'token-bucket' | 'fixed-window';
+  strategy?: 'sliding-window' | 'token-bucket' | 'fixed-window' | 'sliding-window-log' | 'leaky-bucket';
   name?: string;
 }
 
@@ -58,9 +58,15 @@ export interface WebhookPayload {
   ruleName?: string;
 }
 
+export interface DashboardOptions {
+  password?: string;
+  refreshMs?: number;
+  path?: string;
+}
+
 export type BuiltInPlan = 'free' | 'pro' | 'enterprise';
 export type BuiltInPreset = 'strict' | 'relaxed' | 'api' | 'auth';
-export type Strategy = 'fixed-window' | 'sliding-window' | 'token-bucket';
+export type Strategy = 'fixed-window' | 'sliding-window' | 'token-bucket' | 'sliding-window-log' | 'leaky-bucket';
 export type KeyBy = 'ip' | 'user-id' | 'api-key';
 
 // ── Configuration ────────────────────────────────────────────────────────────
@@ -138,6 +144,12 @@ export interface LimiterOptions {
   /** Array of IPs or CIDR ranges to block immediately (403) */
   blacklist?: string[];
 
+  /** Leaky bucket only: ms per request drain rate (default: windowMs / max) */
+  drainRateMs?: number;
+
+  /** Leaky bucket only: max queue size (default: max) */
+  capacity?: number;
+
   /** ms interval to emit 'stats' event. undefined = disabled. */
   statsInterval?: number;
 
@@ -262,9 +274,16 @@ export declare class Limiter extends EventEmitter {
   /** Reset rate limit state and clear from store immediately */
   resetKey(key: string): void;
 
-  /** Clean up stores and timers */
+  /**
+   * Destroys all internal timers appropriately gracefully.
+   */
   destroy(): void;
 
+  /**
+   * Returns an Express middleware that provides a live tracking dashboard.
+   */
+  dashboardMiddleware(options?: DashboardOptions): RequestHandler;
+
   /** Get analytics snapshot */
   getStats(): LimiterStats;