shokupan 0.11.0 → 0.12.0

package/dist/index.js

@@ -21,12 +21,121 @@ import os__default from "node:os";
 import { createRequire } from "node:module";
 import { monitorEventLoopDelay } from "node:perf_hooks";
 import { readFileSync } from "node:fs";
-import { OpenAPIAnalyzer } from "./analyzer-CnKnQ5KV.js";
+import { OpenAPIAnalyzer } from "./analyzer-BkNQHWj4.js";
+import { Readable } from "node:stream";
 import * as zlib from "node:zlib";
 import Ajv from "ajv";
 import addFormats from "ajv-formats";
 import { randomUUID, createHmac } from "crypto";
 import { EventEmitter } from "events";
+class BodyParser {
+  /**
+   * Parses the body of a request based on Content-Type header.
+   * @param req The ShokupanRequest object
+   * @param config Application configuration for limits and parser options
+   * @returns The parsed body or throws an error
+   */
+  static async parse(req, config = {}) {
+    const contentType = req.headers.get("content-type") || "";
+    const maxBodySize = config.maxBodySize ?? 10 * 1024 * 1024;
+    if (contentType.includes("application/json") || contentType.includes("+json")) {
+      return {
+        type: "json",
+        body: await BodyParser.parseJson(req, config.jsonParser || "native", maxBodySize)
+      };
+    } else if (contentType.includes("multipart/form-data") || contentType.includes("application/x-www-form-urlencoded")) {
+      return {
+        type: "formData",
+        body: await BodyParser.parseFormData(req, maxBodySize)
+      };
+    } else {
+      return {
+        type: "text",
+        body: await BodyParser.readRawBody(req, maxBodySize)
+      };
+    }
+  }
+  /**
+   * Parsing helper for JSON
+   */
+  static async parseJson(req, parserType, maxBodySize) {
+    const rawText = await BodyParser.readRawBody(req, maxBodySize);
+    if (parserType === "native") {
+      if (!rawText) return {};
+      return JSON.parse(rawText);
+    } else {
+      const { getJSONParser } = await import("./json-parser-B3dnQmCC.js");
+      const parser = getJSONParser(parserType);
+      return parser(rawText);
+    }
+  }
+  /**
+   * Parsing helper for FormData
+   */
+  static async parseFormData(req, maxBodySize) {
+    const clHeader = req.headers.get("content-length");
+    if (!clHeader) {
+      const err = new Error("Length Required");
+      err.status = 411;
+      throw err;
+    }
+    const cl = parseInt(clHeader, 10);
+    if (isNaN(cl)) {
+      const err = new Error("Bad Request");
+      err.status = 400;
+      throw err;
+    }
+    if (cl > maxBodySize) {
+      const err = new Error("Payload Too Large");
+      err.status = 413;
+      throw err;
+    }
+    return req.formData();
+  }
+  /**
+   * Reads raw body as string with size enforcement
+   */
+  static async readRawBody(req, maxBodySize) {
+    if (typeof req.body === "string") {
+      const body = req.body;
+      if (body.length > maxBodySize) {
+        const err = new Error("Payload Too Large");
+        err.status = 413;
+        throw err;
+      }
+      return body;
+    }
+    const reader = req.body?.getReader();
+    if (!reader) {
+      return "";
+    }
+    const chunks = [];
+    let totalSize = 0;
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        totalSize += value.length;
+        if (totalSize > maxBodySize) {
+          const err = new Error("Payload Too Large");
+          err.status = 413;
+          throw err;
+        }
+        chunks.push(value);
+      }
+    } finally {
+      reader.releaseLock();
+    }
+    const result = new Uint8Array(totalSize);
+    let offset = 0;
+    for (let i = 0; i < chunks.length; i++) {
+      const chunk = chunks[i];
+      result.set(chunk, offset);
+      offset += chunk.length;
+    }
+    return new TextDecoder().decode(result);
+  }
+}
 const HTTP_STATUS = {
   // 2xx Success
   OK: 200,
@@ -217,6 +326,7 @@ const $cachedProtocol = /* @__PURE__ */ Symbol.for("Shokupan.ctx.cachedProtocol"
 const $cachedHost = /* @__PURE__ */ Symbol.for("Shokupan.ctx.cachedHost");
 const $cachedOrigin = /* @__PURE__ */ Symbol.for("Shokupan.ctx.cachedOrigin");
 const $cachedQuery = /* @__PURE__ */ Symbol.for("Shokupan.ctx.cachedQuery");
+const $cachedCookies = /* @__PURE__ */ Symbol.for("Shokupan.ctx.cachedCookies");
 const $ws = /* @__PURE__ */ Symbol.for("Shokupan.ctx.ws");
 const $socket = /* @__PURE__ */ Symbol.for("Shokupan.ctx.socket");
 const $io = /* @__PURE__ */ Symbol.for("Shokupan.ctx.io");
@@ -275,6 +385,7 @@ class ShokupanContext {
   [$cachedHost];
   [$cachedOrigin];
   [$cachedQuery];
+  [$cachedCookies];
   disconnectCallbacks = [];
   /**
    * Registers a callback to be executed when the associated WebSocket disconnects.
@@ -372,13 +483,20 @@ class ShokupanContext {
     if (this[$cachedQuery]) return this[$cachedQuery];
     const q = /* @__PURE__ */ Object.create(null);
     const blocklist = ["__proto__", "constructor", "prototype"];
+    const mode = this.app?.applicationConfig?.queryParserMode || "extended";
     this.url.searchParams.forEach((value, key) => {
       if (blocklist.includes(key)) return;
       if (Object.prototype.hasOwnProperty.call(q, key)) {
-        if (Array.isArray(q[key])) {
-          q[key].push(value);
+        if (mode === "strict") {
+          throw new Error(`Duplicate query parameter '${key}' is not allowed in strict mode.`);
+        } else if (mode === "simple") {
+          q[key] = value;
         } else {
-          q[key] = [q[key], value];
+          if (Array.isArray(q[key])) {
+            q[key].push(value);
+          } else {
+            q[key] = [q[key], value];
+          }
         }
       } else {
         q[key] = value;
@@ -387,6 +505,28 @@ class ShokupanContext {
     this[$cachedQuery] = q;
     return q;
   }
+  /**
+   * Request cookies
+   */
+  get cookies() {
+    if (this[$cachedCookies]) return this[$cachedCookies];
+    const c = /* @__PURE__ */ Object.create(null);
+    const cookieHeader = this.request.headers.get("cookie");
+    if (cookieHeader) {
+      const pairs = cookieHeader.split(";");
+      for (let i = 0; i < pairs.length; i++) {
+        const pair = pairs[i];
+        const index = pair.indexOf("=");
+        if (index > 0) {
+          const key = pair.slice(0, index).trim();
+          const value = pair.slice(index + 1).trim();
+          c[key] = decodeURIComponent(value);
+        }
+      }
+    }
+    this[$cachedCookies] = c;
+    return c;
+  }
   /**
    * Client IP address
    */
@@ -561,6 +701,10 @@ class ShokupanContext {
     }
     return h;
   }
+  /**
+   * Read request body with caching to avoid double parsing.
+   * The body is only parsed once and cached for subsequent reads.
+   */
   /**
    * Read request body with caching to avoid double parsing.
    * The body is only parsed once and cached for subsequent reads.
@@ -572,29 +716,10 @@ class ShokupanContext {
     if (this[$bodyParsed] === true) {
       return this[$cachedBody];
     }
-    const contentType = this.request.headers.get("content-type") || "";
-    if (contentType.includes("application/json") || contentType.includes("+json")) {
-      const parserType = this.app?.applicationConfig?.jsonParser || "native";
-      if (parserType === "native") {
-        try {
-          this[$cachedBody] = await this.request.json();
-        } catch (e) {
-          throw e;
-        }
-      } else {
-        const rawText = await this.request.text();
-        const { getJSONParser } = await import("./json-parser-B3dnQmCC.js");
-        const parser = getJSONParser(parserType);
-        this[$cachedBody] = parser(rawText);
-      }
-      this[$bodyType] = "json";
-    } else if (contentType.includes("multipart/form-data") || contentType.includes("application/x-www-form-urlencoded")) {
-      this[$cachedBody] = await this.request.formData();
-      this[$bodyType] = "formData";
-    } else {
-      this[$cachedBody] = await this.request.text();
-      this[$bodyType] = "text";
-    }
+    const config = this.app?.applicationConfig || {};
+    const { type, body } = await BodyParser.parse(this.request, config);
+    this[$bodyType] = type;
+    this[$cachedBody] = body;
     this[$bodyParsed] = true;
     return this[$cachedBody];
   }
@@ -610,45 +735,22 @@ class ShokupanContext {
     if (this.request.method === "GET" || this.request.method === "HEAD") {
       return;
     }
+    const maxBodySize = this.app?.applicationConfig?.maxBodySize ?? 10 * 1024 * 1024;
+    const contentLength = parseInt(this.request.headers.get("content-length") || "0", 10);
+    if (contentLength > maxBodySize) {
+      this[$bodyParseError] = new Error("Payload Too Large");
+      this[$bodyParseError].status = 413;
+      return;
+    }
     try {
       await this.body();
     } catch (error) {
-      this[$bodyParseError] = error;
-    }
-  }
-  /**
-   * Read raw body from ReadableStream efficiently.
-   * This is much faster than request.text() for large payloads.
-   * Also handles the case where body is already a string (e.g., in tests).
-   */
-  async readRawBody() {
-    if (typeof this.request.body === "string") {
-      return this.request.body;
-    }
-    const reader = this.request.body?.getReader();
-    if (!reader) {
-      return "";
-    }
-    const chunks = [];
-    let totalSize = 0;
-    try {
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        chunks.push(value);
-        totalSize += value.length;
+      if (error.status === 413 || error.message === "Payload Too Large") {
+        this[$bodyParseError] = error;
+      } else {
+        this[$bodyParseError] = error;
       }
-    } finally {
-      reader.releaseLock();
     }
-    const result = new Uint8Array(totalSize);
-    let offset = 0;
-    for (let i = 0; i < chunks.length; i++) {
-      const chunk = chunks[i];
-      result.set(chunk, offset);
-      offset += chunk.length;
-    }
-    return new TextDecoder().decode(result);
   }
   /**
    * Send a response
@@ -748,7 +850,15 @@ class ShokupanContext {
     }
     this.response.status = status;
     const finalHeaders = this.mergeHeaders();
-    finalHeaders.set("Location", url instanceof Promise ? await url : url);
+    const targetUrl = url instanceof Promise ? await url : url;
+    if (targetUrl.startsWith("//")) {
+      throw new Error("Invalid redirect: Protocol-relative URLs are not allowed.");
+    }
+    const lowerUrl = targetUrl.toLowerCase();
+    if (lowerUrl.startsWith("javascript:") || lowerUrl.startsWith("data:") || lowerUrl.startsWith("vbscript:")) {
+      throw new Error(`Invalid redirect: Unsafe protocol '${targetUrl.split(":")[0]}'`);
+    }
+    finalHeaders.set("Location", targetUrl);
     this[$finalResponse] = new Response(null, { status, headers: finalHeaders });
     return this[$finalResponse];
   }
@@ -806,6 +916,185 @@ class ShokupanContext {
     const html = await this.renderer(element, args);
     return this.html(html, status, headers);
   }
+  /**
+   * Pipe a ReadableStream to the response
+   * @param stream ReadableStream to pipe
+   * @param options Response options (status, headers)
+   */
+  pipe(stream, options) {
+    const headers = this.mergeHeaders(options?.headers);
+    const status = options?.status ?? this.response.status ?? 200;
+    if (this.app?.applicationConfig?.validateStatusCodes && !VALID_HTTP_STATUSES.has(status)) {
+      throw new Error(`Invalid HTTP status code: ${status}`);
+    }
+    this[$finalResponse] = new Response(stream, { status, headers });
+    return this[$finalResponse];
+  }
+  /**
+   * Internal helper to create a streaming response with common infrastructure
+   * @private
+   */
+  createStreamHelper(helperFactory, callback, onError, headers) {
+    let controller;
+    const aborted = { value: false };
+    const abortCallbacks = [];
+    const encoder = new TextEncoder();
+    let helper;
+    const stream = new ReadableStream({
+      start(ctrl) {
+        controller = ctrl;
+        helper = helperFactory(controller, aborted, abortCallbacks, encoder);
+        (async () => {
+          try {
+            await callback(helper);
+            controller.close();
+          } catch (err) {
+            if (onError) {
+              try {
+                await onError(err, helper);
+              } catch (handlerErr) {
+                console.error("Error in stream error handler:", handlerErr);
+              }
+            } else {
+              console.error("Stream error:", err);
+            }
+            if (!aborted.value) {
+              controller.close();
+            }
+          }
+        })();
+      },
+      async pull() {
+      },
+      cancel() {
+        aborted.value = true;
+        abortCallbacks.forEach((cb) => {
+          try {
+            cb();
+          } catch (err) {
+            console.error("Error in abort callback:", err);
+          }
+        });
+      }
+    });
+    return this.pipe(stream, { headers });
+  }
+  /**
+   * Generic streaming helper for binary/text data
+   * @param callback Callback function that receives a StreamHelper
+   * @param onError Optional error handler
+   */
+  stream(callback, onError) {
+    return this.createStreamHelper(
+      (controller, aborted, abortCallbacks, encoder) => ({
+        async write(data) {
+          if (aborted.value) return;
+          const chunk = typeof data === "string" ? encoder.encode(data) : data;
+          controller.enqueue(chunk);
+        },
+        async pipe(stream) {
+          if (aborted.value) return;
+          const reader = stream.getReader();
+          try {
+            while (true) {
+              const { done, value } = await reader.read();
+              if (done || aborted.value) break;
+              controller.enqueue(value);
+            }
+          } finally {
+            reader.releaseLock();
+          }
+        },
+        sleep(ms) {
+          return new Promise((resolve2) => setTimeout(resolve2, ms));
+        },
+        onAbort(callback2) {
+          abortCallbacks.push(callback2);
+        }
+      }),
+      callback,
+      onError
+    );
+  }
+  /**
+   * Text streaming helper with proper headers
+   * @param callback Callback function that receives a TextStreamHelper
+   * @param onError Optional error handler
+   */
+  streamText(callback, onError) {
+    const headers = new Headers(this.response.headers);
+    headers.set("Content-Type", "text/plain; charset=utf-8");
+    headers.set("Transfer-Encoding", "chunked");
+    headers.set("X-Content-Type-Options", "nosniff");
+    return this.createStreamHelper(
+      (controller, aborted, abortCallbacks, encoder) => ({
+        async write(text) {
+          if (aborted.value) return;
+          controller.enqueue(encoder.encode(text));
+        },
+        async writeln(text) {
+          if (aborted.value) return;
+          controller.enqueue(encoder.encode(text + "\n"));
+        },
+        sleep(ms) {
+          return new Promise((resolve2) => setTimeout(resolve2, ms));
+        },
+        onAbort(callback2) {
+          abortCallbacks.push(callback2);
+        }
+      }),
+      callback,
+      onError,
+      headers
+    );
+  }
+  /**
+   * Server-Sent Events (SSE) streaming helper
+   * @param callback Callback function that receives an SSEStreamHelper
+   * @param onError Optional error handler
+   */
+  streamSSE(callback, onError) {
+    const headers = new Headers(this.response.headers);
+    headers.set("Content-Type", "text/event-stream");
+    headers.set("Cache-Control", "no-cache");
+    headers.set("Connection", "keep-alive");
+    return this.createStreamHelper(
+      (controller, aborted, abortCallbacks, encoder) => ({
+        async writeSSE(message) {
+          if (aborted.value) return;
+          let sseMessage = "";
+          if (message.event) {
+            sseMessage += `event: ${message.event}
+`;
+          }
+          if (message.id !== void 0) {
+            sseMessage += `id: ${message.id}
+`;
+          }
+          if (message.retry !== void 0) {
+            sseMessage += `retry: ${message.retry}
+`;
+          }
+          const dataLines = message.data.split("\n");
+          for (const line of dataLines) {
+            sseMessage += `data: ${line}
+`;
+          }
+          sseMessage += "\n";
+          controller.enqueue(encoder.encode(sseMessage));
+        },
+        sleep(ms) {
+          return new Promise((resolve2) => setTimeout(resolve2, ms));
+        },
+        onAbort(callback2) {
+          abortCallbacks.push(callback2);
+        }
+      }),
+      callback,
+      onError,
+      headers
+    );
+  }
 }
 const compose = (middleware) => {
   if (!middleware.length) {
@@ -822,6 +1111,11 @@ const compose = (middleware) => {
         return next ? next() : Promise.resolve();
       }
       const fn = middleware[i];
+      if (typeof fn !== "function") {
+        const name = fn?.constructor?.name;
+        console.error(`[Middleware Error] Item at index ${i} is not a function! It is: ${typeof fn} (${name})`, fn);
+        throw new TypeError(`Middleware at index ${i} must be a function, got ${name}`);
+      }
       if (!context2[$debug]) {
         return fn(context2, () => runner(i + 1));
       }
@@ -1111,7 +1405,7 @@ async function generateOpenApi(rootRouter, options = {}) {
   let astMiddlewareRegistry = {};
   let applications = [];
   try {
-    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./analyzer-CnKnQ5KV.js");
+    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./analyzer-BkNQHWj4.js");
     const entrypoint = rootRouter.metadata?.file;
     const analyzer = new OpenAPIAnalyzer2(process.cwd(), entrypoint);
     const analysisResult = await analyzer.analyze();
@@ -1654,8 +1948,11 @@ function serveStatic(config, prefix) {
     if (typeof Bun !== "undefined") {
       response = new Response(Bun.file(finalPath));
     } else {
-      const fileBuffer = await readFile$1(finalPath, { encoding: "binary" });
-      response = new Response(fileBuffer);
+      const { createReadStream } = await import("node:fs");
+      const { Readable: Readable2 } = await import("node:stream");
+      const fileStream = createReadStream(finalPath);
+      const webStream = Readable2.toWeb(fileStream);
+      response = new Response(webStream);
     }
     if (config.hooks?.onResponse) {
       const hooked = await config.hooks.onResponse(ctx, response);
@@ -1667,6 +1964,37 @@ function serveStatic(config, prefix) {
   serveStaticMiddleware.pluginName = "ServeStatic";
   return serveStaticMiddleware;
 }
+const metadataStore = /* @__PURE__ */ new WeakMap();
+function defineMetadata(key, value, target, propertyKey) {
+  let targetMetadata = metadataStore.get(target);
+  if (!targetMetadata) {
+    targetMetadata = /* @__PURE__ */ new Map();
+    metadataStore.set(target, targetMetadata);
+  }
+  const storageKey = propertyKey ? `${String(propertyKey)}:${String(key)}` : key;
+  targetMetadata.set(storageKey, value);
+}
+function getMetadata(key, target, propertyKey) {
+  const targetMetadata = metadataStore.get(target);
+  if (!targetMetadata) return void 0;
+  const storageKey = propertyKey ? `${String(propertyKey)}:${String(key)}` : key;
+  return targetMetadata.get(storageKey);
+}
+if (typeof Reflect === "object") {
+  if (!Reflect.defineMetadata) {
+    Reflect.defineMetadata = defineMetadata;
+  }
+  if (!Reflect.getMetadata) {
+    Reflect.getMetadata = getMetadata;
+  }
+  if (!Reflect.metadata) {
+    Reflect.metadata = function(metadataKey, metadataValue) {
+      return function decorator(target, propertyKey) {
+        defineMetadata(metadataKey, metadataValue, target, propertyKey);
+      };
+    };
+  }
+}
 class Container {
   static services = /* @__PURE__ */ new Map();
   static register(target, instance) {
@@ -1678,28 +2006,60 @@ class Container {
   static has(target) {
     return this.services.has(target);
   }
+  static cache = /* @__PURE__ */ new Map();
+  static resolvingStack = /* @__PURE__ */ new Set();
   static resolve(target) {
     if (this.services.has(target)) {
       return this.services.get(target);
     }
-    const instance = new target();
-    this.services.set(target, instance);
-    return instance;
+    if (this.resolvingStack.has(target)) {
+      const cycle = Array.from(this.resolvingStack);
+      cycle.push(target);
+      throw new Error(`Circular dependency detected: ${cycle.map((t) => t.name || t).join(" -> ")}`);
+    }
+    this.resolvingStack.add(target);
+    try {
+      let meta = this.cache.get(target);
+      if (!meta) {
+        const scope = Reflect.getMetadata("di:scope", target) || "singleton";
+        const paramTypes = Reflect.getMetadata("design:paramtypes", target) || [];
+        const manualTokens = Reflect.getMetadata("di:constructor:params", target) || [];
+        const dependencies = paramTypes.map((param, index) => {
+          const manual = manualTokens.find((t) => t.index === index);
+          if (manual && manual.token) return manual.token;
+          if (param === String || param === Number || param === Boolean || param === Object || param === void 0) return void 0;
+          return param;
+        });
+        meta = { scope, dependencies };
+        this.cache.set(target, meta);
+      }
+      const args = meta.dependencies.map((dep) => dep ? Container.resolve(dep) : void 0);
+      const instance = new target(...args);
+      if (typeof instance.onInit === "function") {
+        instance.onInit();
+      }
+      if (meta.scope === "singleton") {
+        this.services.set(target, instance);
+      }
+      return instance;
+    } finally {
+      this.resolvingStack.delete(target);
+    }
+  }
+  static async teardown() {
+    for (const [target, instance] of this.services.entries()) {
+      if (typeof instance.onDestroy === "function") {
+        await instance.onDestroy();
+      }
+    }
+    this.services.clear();
+    this.cache.clear();
   }
 }
-function Injectable() {
-  return (target) => {
-  };
-}
-function Inject(token) {
-  return (target, key) => {
-    Object.defineProperty(target, key, {
-      get: () => Container.resolve(token),
-      enumerable: true,
-      configurable: true
-    });
-  };
-}
+const di = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  Container
+}, Symbol.toStringTag, { value: "Module" }));
 const tracer = trace.getTracer("shokupan.middleware");
 function traceHandler(fn, name) {
   return async function(...args) {
@@ -1762,6 +2122,7 @@ var RouteParamType = /* @__PURE__ */ ((RouteParamType2) => {
   RouteParamType2["HEADER"] = "HEADER";
   RouteParamType2["REQUEST"] = "REQUEST";
   RouteParamType2["CONTEXT"] = "CONTEXT";
+  RouteParamType2["SERVICE"] = "SERVICE";
   return RouteParamType2;
 })(RouteParamType || {});
 class ControllerScanner {
@@ -1793,7 +2154,7 @@ class ControllerScanner {
       line: info.line,
       name: instance.constructor.name
     };
-    router.registerControllerInstance(instance);
+    router.bindController(instance);
     const controllerMiddleware = (typeof controller === "function" ? controller[$middleware] : instance[$middleware]) || [];
     const proto = Object.getPrototypeOf(instance);
     const methods = /* @__PURE__ */ new Set();
@@ -1915,6 +2276,9 @@ class ControllerScanner {
                 case RouteParamType.CONTEXT:
                   args[arg.index] = ctx;
                   break;
+                case RouteParamType.SERVICE:
+                  args[arg.index] = Container.resolve(arg.token);
+                  break;
               }
             }
           }
@@ -2104,6 +2468,15 @@ class ShokupanRequestBase {
       this.headers = new Headers(this.headers);
     }
   }
+  clone() {
+    return new ShokupanRequest({
+      method: this.method,
+      url: this.url,
+      headers: new Headers(this.headers),
+      body: this.body
+      // Shallow copy of body, might need deep copy if object
+    });
+  }
 }
 const ShokupanRequest = ShokupanRequestBase;
 class RouterTrie {
@@ -2269,9 +2642,6 @@ class ShokupanRouter {
     return this._hasAfterValidateHook;
   }
   requestTimeout;
-  get db() {
-    return this.root?.db;
-  }
   hookCache = /* @__PURE__ */ new Map();
   hooksInitialized = false;
   middleware = [];
@@ -2297,7 +2667,7 @@ class ShokupanRouter {
     return this;
   }
   // Registry Accessor
-  getComponentRegistry() {
+  get registry() {
     const controllerRoutesMap = /* @__PURE__ */ new Map();
     const localRoutes = [];
     for (let i = 0; i < this[$routes].length; i++) {
@@ -2333,7 +2703,7 @@ class ShokupanRouter {
       type: "router",
       path: r[$mountPath].startsWith("/") ? r[$mountPath] : "/" + r[$mountPath],
       metadata: r.metadata,
-      children: r.getComponentRegistry()
+      children: r.registry
     }));
     const controllers = this[$childControllers].map((c) => {
       const routes = controllerRoutesMap.get(c) || [];
@@ -2428,7 +2798,7 @@ class ShokupanRouter {
   /**
    * Registers a controller instance to the router.
    */
-  registerControllerInstance(controller) {
+  bindController(controller) {
     this[$childControllers].push(controller);
   }
   /**
@@ -3005,68 +3375,6 @@ class ShokupanRouter {
     }
   }
 }
-function createHttpServer() {
-  return async (options) => {
-    const server = http$1.createServer(async (req, res) => {
-      const url = new URL(req.url, `http://${req.headers.host}`);
-      const request = new Request(url.toString(), {
-        method: req.method,
-        headers: req.headers,
-        body: ["GET", "HEAD"].includes(req.method) ? void 0 : new ReadableStream({
-          start(controller) {
-            req.on("data", (chunk) => controller.enqueue(chunk));
-            req.on("end", () => controller.close());
-            req.on("error", (err) => controller.error(err));
-          }
-        }),
-        // Required for Node.js undici when sending a body
-        duplex: "half"
-      });
-      const response = await options.fetch(request, fauxServer);
-      res.statusCode = response.status;
-      response.headers.forEach((v, k) => res.setHeader(k, v));
-      if (response.body) {
-        const buffer = await response.arrayBuffer();
-        res.end(Buffer.from(buffer));
-      } else {
-        res.end();
-      }
-    });
-    const fauxServer = {
-      stop: () => {
-        server.close();
-        return Promise.resolve();
-      },
-      upgrade(req, options2) {
-        return false;
-      },
-      reload(options2) {
-        return fauxServer;
-      },
-      get port() {
-        const addr = server.address();
-        if (typeof addr === "object" && addr !== null) {
-          return addr.port;
-        }
-        return options.port;
-      },
-      hostname: options.hostname,
-      development: options.development,
-      pendingRequests: 0,
-      requestIP: (req) => null,
-      publish: () => 0,
-      subscriberCount: () => 0,
-      url: new URL(`http://${options.hostname}:${options.port}`),
-      // Expose the raw Node.js server for generic socket/websocket support (e.g. Socket.IO)
-      nodeServer: server
-    };
-    return new Promise((resolve2) => {
-      server.listen(options.port, options.hostname, () => {
-        resolve2(fauxServer);
-      });
-    });
-  };
-}
 class BunAdapter {
   server;
   async listen(port, app) {
@@ -3203,25 +3511,143 @@ class BunAdapter {
 class NodeAdapter {
   server;
   async listen(port, app) {
-    let factory = app.applicationConfig.serverFactory;
-    if (!factory) {
-      factory = createHttpServer();
+    const factory = app.applicationConfig.serverFactory;
+    let nodeServer;
+    if (factory) {
+      const serveOptions = {
+        port,
+        hostname: app.applicationConfig.hostname,
+        development: app.applicationConfig.development,
+        fetch: app.fetch.bind(app),
+        reusePort: app.applicationConfig.reusePort
+      };
+      this.server = await factory(serveOptions);
+      return this.server;
     }
-    const serveOptions = {
-      port,
-      hostname: app.applicationConfig.hostname,
-      development: app.applicationConfig.development,
-      fetch: app.fetch.bind(app),
-      reusePort: app.applicationConfig.reusePort
-      // Node adapter might not support all options exactly the same
+    nodeServer = http$1.createServer(async (req, res) => {
+      const url = new URL(req.url, `http://${req.headers.host}`);
+      const request = new Request(url.toString(), {
+        method: req.method,
+        headers: req.headers,
+        body: ["GET", "HEAD"].includes(req.method) ? void 0 : new ReadableStream({
+          start(controller) {
+            req.on("data", (chunk) => controller.enqueue(chunk));
+            req.on("end", () => controller.close());
+            req.on("error", (err) => controller.error(err));
+          }
+        }),
+        // Required for Node.js undici when sending a body
+        // @ts-ignore
+        duplex: "half"
+      });
+      const response = await app.fetch(request, fauxServer);
+      res.statusCode = response.status;
+      response.headers.forEach((v, k) => res.setHeader(k, v));
+      if (response.body) {
+        const buffer = await response.arrayBuffer();
+        res.end(Buffer.from(buffer));
+      } else {
+        res.end();
+      }
+    });
+    this.server = nodeServer;
+    const fauxServer = {
+      stop: () => {
+        nodeServer.close();
+        return Promise.resolve();
+      },
+      upgrade(req, options) {
+        return false;
+      },
+      reload(options) {
+        return fauxServer;
+      },
+      get port() {
+        const addr = nodeServer.address();
+        if (typeof addr === "object" && addr !== null) {
+          return addr.port;
+        }
+        return port;
+      },
+      hostname: app.applicationConfig.hostname || "localhost",
+      development: app.applicationConfig.development || false,
+      pendingRequests: 0,
+      requestIP: (req) => null,
+      publish: () => 0,
+      subscriberCount: () => 0,
+      url: new URL(`http://${app.applicationConfig.hostname || "localhost"}:${port}`),
+      // Expose the raw Node.js server
+      // @ts-ignore
+      nodeServer
     };
-    this.server = await factory(serveOptions);
-    return this.server;
+    return new Promise((resolve2) => {
+      nodeServer.listen(port, app.applicationConfig.hostname, () => {
+        resolve2(fauxServer);
+      });
+    });
   }
   async stop() {
     if (this.server?.stop) {
       await this.server.stop();
+    } else if (this.server?.close) {
+      this.server.close();
+    }
+  }
+}
+class ShokupanServer {
+  constructor(app) {
+    this.app = app;
+  }
+  server;
+  adapter;
+  /**
+   * Starts the application server.
+   * @param port The port to listen on.
+   */
+  async listen(port) {
+    const config = this.app.applicationConfig;
+    const finalPort = port ?? config.port ?? 3e3;
+    if (finalPort < 0 || finalPort > 65535 || finalPort % 1 !== 0) {
+      throw new Error("Invalid port number");
+    }
+    await this.app.start();
+    let adapterName = config.adapter;
+    let adapter;
+    if (!adapterName) {
+      if (typeof Bun !== "undefined") {
+        config.adapter = "bun";
+        adapter = new BunAdapter();
+      } else {
+        config.adapter = "node";
+        adapter = new NodeAdapter();
+      }
+    } else if (adapterName === "bun") {
+      adapter = new BunAdapter();
+    } else if (adapterName === "node") {
+      adapter = new NodeAdapter();
+    } else if (adapterName === "wintercg") {
+      throw new Error("WinterCG adapter does not support listen(). Use fetch directly.");
+    } else {
+      adapter = new NodeAdapter();
+    }
+    this.adapter = adapter;
+    this.app.compile();
+    this.server = await adapter.listen(finalPort, this.app);
+    if (finalPort === 0 && this.server?.port) {
+      config.port = this.server.port;
     }
+    return this.server;
+  }
+  /**
+   * Stops the server.
+   */
+  async stop(closeActiveConnections) {
+    if (this.adapter?.stop) {
+      await this.adapter.stop();
+    } else if (this.server?.stop) {
+      await this.server.stop(closeActiveConnections);
+    }
+    this.server = void 0;
   }
 }
 let fs;
@@ -3412,6 +3838,7 @@ const defaults = {
   development: process.env.NODE_ENV !== "production",
   enableAsyncLocalStorage: false,
   enableHttpBridge: false,
+  enableOpenApiGen: true,
   reusePort: false
 };
 class Shokupan extends ShokupanRouter {
@@ -3423,8 +3850,11 @@ class Shokupan extends ShokupanRouter {
   composedMiddleware;
   cpuMonitor;
   server;
+  httpServer;
   datastore;
   dbPromise;
+  // Performance: Flattened Router Trie
+  rootTrie;
   get db() {
     return this.datastore;
   }
@@ -3445,6 +3875,10 @@ class Shokupan extends ShokupanRouter {
       line,
       name: "ShokupanApplication"
     };
+    if (this.applicationConfig.securityHeaders !== false) {
+      const { SecurityHeaders: SecurityHeaders2 } = require("./plugins/middleware/security-headers");
+      this.use(SecurityHeaders2(this.applicationConfig.securityHeaders === true ? {} : this.applicationConfig.securityHeaders));
+    }
     if (this.applicationConfig.adapter !== "wintercg") {
       this.dbPromise = this.initDatastore().catch((err) => {
         this.logger?.debug("Failed to initialize default datastore", { error: err });
@@ -3525,11 +3959,11 @@ class Shokupan extends ShokupanRouter {
    * @param port - The port to listen on. If not specified, the port from the configuration is used. If that is not specified, port 3000 is used.
    * @returns The server instance.
    */
-  async listen(port) {
-    const finalPort = port ?? this.applicationConfig.port ?? 3e3;
-    if (finalPort < 0 || finalPort > 65535 || finalPort % 1 !== 0) {
-      throw new Error("Invalid port number");
-    }
+  /**
+   * Prepare the application for listening.
+   * Use this if you want to initialize the app without starting the server immediately.
+   */
+  async start() {
     await Promise.all(this.startupHooks.map((hook) => hook()));
     if (this.applicationConfig.enableOpenApiGen) {
       this.get("/.well-known/openapi.yaml", async (ctx) => {
@@ -3560,13 +3994,13 @@ class Shokupan extends ShokupanRouter {
             auth: config.auth || { type: "none" },
             api: config.api || {
               type: "openapi",
-              url: `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${finalPort}/.well-known/openapi.yaml`,
+              url: `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${this.applicationConfig.port}/.well-known/openapi.yaml`,
               is_user_authenticated: false
             },
-            logo_url: config.logo_url || `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${finalPort}/logo.png`,
+            logo_url: config.logo_url || `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${this.applicationConfig.port}/logo.png`,
             // Placeholder default
             contact_email: config.contact_email || pkg.author?.email || "support@example.com",
-            legal_info_url: config.legal_info_url || `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${finalPort}/legal`
+            legal_info_url: config.legal_info_url || `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${this.applicationConfig.port}/legal`
           };
           return ctx.json(manifest);
         });
@@ -3579,8 +4013,8 @@ class Shokupan extends ShokupanRouter {
             versions: config.versions || [
               {
                 name: this.openApiSpec.info.version || "v1",
-                url: `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${finalPort}/`,
-                spec_url: `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${finalPort}/.well-known/openapi.yaml`
+                url: `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${this.applicationConfig.port}/`,
+                spec_url: `${this.applicationConfig.hostname === "localhost" ? "http" : "https"}://${this.applicationConfig.hostname}:${this.applicationConfig.port}/.well-known/openapi.yaml`
               }
             ]
           };
@@ -3616,28 +4050,20 @@ class Shokupan extends ShokupanRouter {
         await this.asyncApiSpecPromise;
       }
     }
-    if (port === 0 && process.platform === "linux") ;
     if (this.applicationConfig.autoBackpressureFeedback === true) {
       this.cpuMonitor = new SystemCpuMonitor();
       this.cpuMonitor.start();
     }
-    let adapter = this.applicationConfig.adapter;
-    if (!adapter) {
-      if (typeof Bun !== "undefined") {
-        this.applicationConfig.adapter = "bun";
-        adapter = new BunAdapter();
-      } else {
-        this.applicationConfig.adapter = "node";
-        adapter = new NodeAdapter();
-      }
-    } else if (adapter === "bun") {
-      adapter = new BunAdapter();
-    } else if (adapter === "node") {
-      adapter = new NodeAdapter();
-    } else if (adapter === "wintercg") {
-      throw new Error("WinterCG adapter does not support listen(). Use fetch directly.");
-    }
-    this.server = await adapter.listen(finalPort, this);
+  }
+  /**
+   * Starts the application server.
+   * 
+   * @param port - The port to listen on. If not specified, the port from the configuration is used. If that is not specified, port 3000 is used.
+   * @returns The server instance.
+   */
+  async listen(port) {
+    this.httpServer = new ShokupanServer(this);
+    this.server = await this.httpServer.listen(port);
     return this.server;
   }
   /**
@@ -3663,10 +4089,14 @@ class Shokupan extends ShokupanRouter {
       this.cpuMonitor.stop();
       this.cpuMonitor = void 0;
     }
-    if (this.server) {
+    if (this.httpServer !== void 0) {
+      await this.httpServer.stop(closeActiveConnections);
+    } else if (this.server?.stop) {
       await this.server.stop(closeActiveConnections);
-      this.server = void 0;
     }
+    this.server = void 0;
+    const { Container: Container2 } = await Promise.resolve().then(() => di);
+    await Container2.teardown();
   }
   [$dispatch](req) {
     return this.fetch(req);
@@ -3675,6 +4105,9 @@ class Shokupan extends ShokupanRouter {
    * Processes a request by wrapping the standard fetch method.
    */
   async testRequest(options) {
+    if (!this.rootTrie) {
+      this.compile();
+    }
     let url = options.url || options.path || "/";
     if (!url.startsWith("http")) {
       const base = `http://${this.applicationConfig.hostname || "localhost"}:${this.applicationConfig.port || 3e3}`;
@@ -3790,7 +4223,11 @@ class Shokupan extends ShokupanRouter {
           } else if (ctx.isUpgraded) {
             return void 0;
           } else if (ctx[$routeMatched]) {
-            response = ctx.send(null, { status: ctx.response.status, headers: ctx.response.headers });
+            let status = ctx.response.status;
+            if (status === HTTP_STATUS.OK) {
+              status = HTTP_STATUS.NO_CONTENT;
+            }
+            response = ctx.send(null, { status, headers: ctx.response.headers });
           } else {
             if (ctx.upgrade()) {
               return void 0;
@@ -3819,8 +4256,11 @@ class Shokupan extends ShokupanRouter {
         if (err instanceof SyntaxError && err.message.includes("JSON")) {
           status = 400;
         }
-        const body = { error: err.message || "Internal Server Error" };
-        if (err.errors) body.errors = err.errors;
+        const isDev = this.applicationConfig.development !== false;
+        const message = isDev ? err.message || "Internal Server Error" : "Internal Server Error";
+        const body = { error: message };
+        if (isDev && err.errors) body.errors = err.errors;
+        if (isDev && err.stack) body.stack = err.stack;
         if (this.hasOnErrorHook) await this.runHooks("onError", ctx, err);
         return ctx.json(body, status);
       }
@@ -3849,6 +4289,72 @@ class Shokupan extends ShokupanRouter {
       return res;
     });
   }
+  /**
+   * Compiles all routes into a master Trie for O(1) router lookup.
+   * Use this if adding routes dynamically after start (not recommended but possible).
+   */
+  compile() {
+    this.rootTrie = new RouterTrie();
+    this.flattenRoutes(this.rootTrie, this, "", []);
+  }
+  flattenRoutes(trie, router, prefix, middlewareStack) {
+    let effectiveStack = middlewareStack;
+    if (router !== this) {
+      effectiveStack = [...middlewareStack, ...router.middleware];
+    }
+    const joinPath = (base, segment) => {
+      let b = base;
+      if (b !== "/" && b.endsWith("/")) {
+        b = b.slice(0, -1);
+      }
+      let s = segment;
+      if (s === "/") {
+        return b;
+      }
+      if (s === "") {
+        return b;
+      }
+      if (!s.startsWith("/")) {
+        s = "/" + s;
+      }
+      if (b === "/") {
+        return s;
+      }
+      return b + s;
+    };
+    for (const route of router[$routes]) {
+      const fullPath = joinPath(prefix, route.path);
+      let handler = route.bakedHandler || route.handler;
+      if (effectiveStack.length > 0) {
+        const fn = compose(effectiveStack);
+        const originalHandler = handler;
+        handler = async (ctx) => {
+          return fn(ctx, () => originalHandler(ctx));
+        };
+        handler.originalHandler = originalHandler.originalHandler || originalHandler;
+      }
+      trie.insert(route.method, fullPath, handler);
+      if ((route.path === "/" || route.path === "") && fullPath !== "/") {
+        trie.insert(route.method, fullPath + "/", handler);
+      }
+    }
+    for (const child of router[$childRouters]) {
+      const mountPath = child[$mountPath];
+      const childPrefix = joinPath(prefix, mountPath);
+      this.flattenRoutes(trie, child, childPrefix, effectiveStack);
+    }
+  }
+  find(method, path) {
+    if (this.rootTrie) {
+      const result = this.rootTrie.search(method, path);
+      if (result) return result;
+      if (method === "HEAD") {
+        return this.rootTrie.search("GET", path);
+      }
+      return null;
+    }
+    return super.find(method, path);
+  }
 }
 function RateLimitMiddleware(options = {}) {
   const windowMs = options.windowMs || 60 * 1e3;
@@ -3858,6 +4364,7 @@ function RateLimitMiddleware(options = {}) {
   const headers = options.headers !== false;
   const mode = options.mode || "user";
   const trustedProxies = options.trustedProxies || [];
+  const cleanupInterval = options.cleanupInterval || windowMs;
   const keyGenerator = options.keyGenerator || ((ctx) => {
     if (mode === "absolute") {
       return "global";
@@ -3887,7 +4394,7 @@ function RateLimitMiddleware(options = {}) {
         hits.delete(key);
       }
     }
-  }, windowMs);
+  }, cleanupInterval);
   if (interval.unref) interval.unref();
   const rateLimitMiddleware = async function RateLimitMiddleware2(ctx, next) {
     if (skip(ctx)) return next();
@@ -3944,8 +4451,79 @@ function Controller(path = "/") {
     target[$controllerPath] = path;
   };
 }
-function Use(...middleware) {
-  return (target, propertyKey, descriptor) => {
+function Injectable(scope = "singleton") {
+  return (target) => {
+    Reflect.defineMetadata("di:scope", scope, target);
+  };
+}
+function Inject(token) {
+  return (target, propertyKey, indexOrDescriptor) => {
+    if (typeof indexOrDescriptor === "undefined" || typeof indexOrDescriptor === "object" && indexOrDescriptor !== null) {
+      const key = String(propertyKey);
+      Object.defineProperty(target, key, {
+        get: () => Container.resolve(token),
+        enumerable: true,
+        configurable: true
+      });
+      return;
+    }
+    if (typeof indexOrDescriptor === "number") {
+      const index = indexOrDescriptor;
+      const existing = Reflect.getMetadata("di:constructor:params", target) || [];
+      existing.push({ index, token });
+      Reflect.defineMetadata("di:constructor:params", existing, target);
+    }
+  };
+}
+function Use(tokenOrMiddleware, ...moreMiddleware) {
+  return (target, propertyKey, indexOrDescriptor) => {
+    if (typeof indexOrDescriptor === "number") {
+      const index = indexOrDescriptor;
+      if (!propertyKey) {
+        let token2 = tokenOrMiddleware;
+        if (!token2) {
+          const paramTypes = Reflect.getMetadata("design:paramtypes", target);
+          if (paramTypes && paramTypes[index]) {
+            token2 = paramTypes[index];
+          }
+        }
+        const existing = Reflect.getMetadata("di:constructor:params", target) || [];
+        existing.push({ index, token: token2 });
+        Reflect.defineMetadata("di:constructor:params", existing, target);
+        return;
+      }
+      if (!target[$routeArgs]) target[$routeArgs] = /* @__PURE__ */ new Map();
+      if (!target[$routeArgs].has(propertyKey)) target[$routeArgs].set(propertyKey, []);
+      let token = tokenOrMiddleware;
+      if (!token) {
+        const paramTypes = Reflect.getMetadata("design:paramtypes", target, propertyKey);
+        if (paramTypes && paramTypes[index]) {
+          token = paramTypes[index];
+        }
+      }
+      target[$routeArgs].get(propertyKey).push({
+        index,
+        type: RouteParamType.SERVICE,
+        token
+      });
+      return;
+    }
+    if (typeof propertyKey === "string" && indexOrDescriptor === void 0) {
+      let token = tokenOrMiddleware;
+      if (!token) {
+        token = Reflect.getMetadata("design:type", target, propertyKey);
+      }
+      Object.defineProperty(target, propertyKey, {
+        get: () => {
+          if (!token) throw new Error(`Cannot resolve dependency for ${target.constructor.name}.${propertyKey} - no token provided and types unavailable.`);
+          return Container.resolve(token);
+        },
+        enumerable: true,
+        configurable: true
+      });
+      return;
+    }
+    const middleware = [tokenOrMiddleware, ...moreMiddleware];
     if (!propertyKey) {
       const existing = target[$middleware] || [];
       target[$middleware] = [...existing, ...middleware];
@@ -4025,7 +4603,7 @@ function Event(eventName) {
 function RateLimit(options) {
   return Use(RateLimitMiddleware(options));
 }
-function ApiExplorerApp({ spec, asyncSpec, config }) {
+function ApiExplorerApp({ spec, base, asyncSpec, config }) {
   const hierarchy = /* @__PURE__ */ new Map();
   const addRoute = (groupKey, route) => {
     if (!hierarchy.has(groupKey)) {
@@ -4211,8 +4789,8 @@ function ApiExplorerApp({ spec, asyncSpec, config }) {
       /* @__PURE__ */ jsx("link", { rel: "preconnect", href: "https://fonts.googleapis.com" }),
       /* @__PURE__ */ jsx("link", { rel: "preconnect", href: "https://fonts.gstatic.com", crossorigin: "anonymous" }),
       /* @__PURE__ */ jsx("link", { href: "https://fonts.googleapis.com/css2?family=Google+Sans+Code:ital,wght@0,300..800;1,300..800&family=Vend+Sans:ital,wght@0,300..700;1,300..700&display=swap", rel: "stylesheet" }),
-      /* @__PURE__ */ jsx("link", { rel: "stylesheet", href: "style.css" }),
-      /* @__PURE__ */ jsx("link", { rel: "stylesheet", href: "theme.css" }),
+      /* @__PURE__ */ jsx("link", { rel: "stylesheet", href: `${base}/style.css` }),
+      /* @__PURE__ */ jsx("link", { rel: "stylesheet", href: `${base}/theme.css` }),
       /* @__PURE__ */ jsx("script", { src: "https://cdn.jsdelivr.net/npm/marked@4.3.0/marked.min.js" }),
       /* @__PURE__ */ jsx("script", { src: "https://cdn.jsdelivr.net/npm/monaco-editor@0.45.0/min/vs/loader.js" }),
       /* @__PURE__ */ jsx("script", { dangerouslySetInnerHTML: {
@@ -4232,7 +4810,7 @@ function ApiExplorerApp({ spec, asyncSpec, config }) {
         /* @__PURE__ */ jsx(Sidebar$1, { spec, hierarchicalGroups }),
         /* @__PURE__ */ jsx(MainContent$1, { allRoutes, config, spec })
       ] }),
-      /* @__PURE__ */ jsx("script", { src: "explorer-client.mjs", type: "module" })
+      /* @__PURE__ */ jsx("script", { src: `${base}/explorer-client.mjs`, type: "module" })
     ] })
   ] });
 }
@@ -4418,8 +4996,14 @@ class ApiExplorerPlugin extends ShokupanRouter {
     this.get("/_source", async (ctx) => {
       const file = ctx.query["file"];
       if (!file) return ctx.text("Missing file parameter", 400);
+      const { resolve: resolve2, normalize, isAbsolute } = await import("node:path");
+      const cwd = process.cwd();
+      const resolvedPath = resolve2(cwd, file);
+      if (!resolvedPath.startsWith(cwd)) {
+        return ctx.text("Forbidden: File must be within project root", 403);
+      }
       try {
-        const content = await readFile$1(file, "utf-8");
+        const content = await readFile$1(resolvedPath, "utf-8");
         return ctx.text(content);
       } catch (err) {
         return ctx.text("File not found", 404);
@@ -4432,7 +5016,8 @@ class ApiExplorerPlugin extends ShokupanRouter {
     this.get("/", async (ctx) => {
       const spec = this.root.openApiSpec ? structuredClone(this.root.openApiSpec) : await (this.root || this).generateApiSpec();
       const asyncSpec = ctx.app.asyncApiSpec;
-      const element = ApiExplorerApp({ spec: stripSourceCode(spec), asyncSpec });
+      const base = this.pluginOptions.path;
+      const element = ApiExplorerApp({ spec: stripSourceCode(spec), base, asyncSpec });
       const html = renderToString(element);
       if (html.length === 0) throw new Error("ApiExplorerPlugin: rendered page is blank.");
       return ctx.html(html);
@@ -4474,12 +5059,12 @@ function AsyncApiApp({ spec, serverUrl, base, disableSourceView, navTree }) {
   ] });
 }
 function Sidebar({ navTree, disableSourceView }) {
-  return /* @__PURE__ */ jsxs("div", { class: "sidebar scroller", id: "sidebar", children: [
+  return /* @__PURE__ */ jsxs("div", { class: "sidebar", id: "sidebar", children: [
     /* @__PURE__ */ jsxs("div", { class: "sidebar-header", style: "display:flex; justify-content:space-between; align-items:center;", children: [
       /* @__PURE__ */ jsx("h2", { children: "AsyncAPI" }),
       /* @__PURE__ */ jsx("button", { id: "btn-collapse-nav", class: "btn-icon", title: "Collapse Sidebar", children: /* @__PURE__ */ jsx("svg", { width: "18", height: "18", viewBox: "0 0 24 24", fill: "none", stroke: "currentColor", "stroke-width": "2", children: /* @__PURE__ */ jsx("polyline", { points: "15 18 9 12 15 6" }) }) })
     ] }),
-    /* @__PURE__ */ jsx("div", { class: "nav-list", id: "nav-list", children: /* @__PURE__ */ jsx(NavNode, { node: navTree, level: 0, disableSourceView }) })
+    /* @__PURE__ */ jsx("div", { class: "nav-list scroller", id: "nav-list", children: /* @__PURE__ */ jsx(NavNode, { node: navTree, level: 0, disableSourceView }) })
   ] });
 }
 function NavNode({ node, level, disableSourceView }) {
@@ -4649,7 +5234,7 @@ async function generateAsyncApi(rootRouter, options = {}) {
   let astMiddlewareRegistry = {};
   let applications = [];
   try {
-    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./analyzer-CnKnQ5KV.js");
+    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./analyzer-BkNQHWj4.js");
     const entrypoint = globalThis.Bun?.main || require.main?.filename || process.argv[1];
     const analyzer = new OpenAPIAnalyzer2(process.cwd(), entrypoint);
     const analysisResult = await analyzer.analyze();
@@ -5059,8 +5644,14 @@ class AsyncApiPlugin extends ShokupanRouter {
       if (!file || typeof file !== "string") {
         return ctx.text("Missing file parameter", 400);
       }
+      const { resolve: resolve2 } = await import("node:path");
+      const cwd = process.cwd();
+      const resolvedPath = resolve2(cwd, file);
+      if (!resolvedPath.startsWith(cwd)) {
+        return ctx.text("Forbidden: File must be within project root", 403);
+      }
       try {
-        const content = await readFile(file, "utf8");
+        const content = await readFile(resolvedPath, "utf8");
         return ctx.text(content);
       } catch (e) {
         return ctx.text("File not found: " + e.message, 404);
@@ -5115,7 +5706,7 @@ class AuthPlugin extends ShokupanRouter {
     }
   }
   async createSession(user, ctx) {
-    const alg = "HS256";
+    const alg = this.authConfig.jwtAlgorithm || "HS256";
     const jwt = await new this.jose.SignJWT({ ...user }).setProtectedHeader({ alg }).setIssuedAt().setExpirationTime(this.authConfig.jwtExpiration || "24h").sign(this.secret);
     const opts = this.authConfig.cookieOptions || {};
     let cookie = `auth_token=${jwt}; Path=${opts.path || "/"}; HttpOnly`;
@@ -5417,7 +6008,7 @@ class ClusterPlugin {
     }
   }
 }
-function DashboardApp({ metrics, uptime, integrations, base, getRequestHeadersSource, rootPath, linkPattern }) {
+function DashboardApp({ metrics, uptime, integrations, base, getRequestHeadersSource, rootPath, linkPattern, ignorePaths }) {
   return /* @__PURE__ */ jsxs("html", { lang: "en", children: [
     /* @__PURE__ */ jsxs("head", { children: [
       /* @__PURE__ */ jsx("meta", { charSet: "UTF-8" }),
@@ -5527,22 +6118,22 @@ function DashboardApp({ metrics, uptime, integrations, base, getRequestHeadersSo
                 /* @__PURE__ */ jsx("option", { value: "ws", children: "WS" }),
                 /* @__PURE__ */ jsx("option", { value: "other", children: "Other" })
               ] }),
+              /* @__PURE__ */ jsxs("div", { style: "display: flex; align-items: center; gap: 4px; background: var(--bg-primary); padding: 0 8px; border: 1px solid var(--card-border); border-radius: 4px; color: var(--text-primary);", children: [
+                /* @__PURE__ */ jsx("input", { type: "checkbox", id: "network-filter-ignore", checked: true }),
+                /* @__PURE__ */ jsx("label", { for: "network-filter-ignore", style: "cursor: pointer; font-size: 0.9em; user-select: none;", children: "Excl. Ignored" })
+              ] }),
               /* @__PURE__ */ jsx("button", { onclick: "fetchRequests()", style: "background: var(--bg-primary); color: var(--text-primary); border: 1px solid var(--card-border); padding: 4px 8px; border-radius: 4px; cursor: pointer;", children: "Refresh" }),
               /* @__PURE__ */ jsx("button", { onclick: "purgeRequests()", style: "background: var(--bg-primary); color: var(--color-error, #ef4444); border: 1px solid var(--card-border); padding: 4px 8px; border-radius: 4px; cursor: pointer;", children: "Purge" })
             ] }) }),
-            /* @__PURE__ */ jsx("div", { id: "network-view", class: "active", style: "display: block; height: calc(100vh - 170px);", children: /* @__PURE__ */ jsxs("div", { style: "margin: 0 2rem; display: flex; gap: 1rem; height: 100%;", children: [
+            /* @__PURE__ */ jsx("div", { id: "network-view", class: "active", style: "display: block; height: 100%; margin-bottom: 2rem; overflow: hidden;", children: /* @__PURE__ */ jsxs("div", { style: "margin: 0 2rem; display: flex; gap: 1rem; height: 100%;", children: [
               /* @__PURE__ */ jsx("div", { id: "requests-list-container", style: "flex: 1; height: 100%; border-radius: 6px; overflow: hidden; border: 1px solid var(--card-border);" }),
-              /* @__PURE__ */ jsxs("div", { id: "request-details-container", class: "card", style: "display: none; width: 500px; height: 100%; overflow-y: auto; flex-shrink: 0; background: var(--bg-secondary); border: 1px solid var(--card-border); position: relative;", children: [
+              /* @__PURE__ */ jsxs("div", { id: "request-details-container", class: "card", style: "display: none; width: 500px; height: 100%; overflow: hidden; flex-shrink: 0; background: var(--bg-secondary); border: 1px solid var(--card-border); position: relative;", children: [
                 /* @__PURE__ */ jsx("div", { id: "details-drag-handle", style: "position: absolute; left: 0; top: 0; bottom: 0; width: 5px; cursor: col-resize; z-index: 11; background: transparent;" }),
                 /* @__PURE__ */ jsxs("div", { style: "display: flex; justify-content: space-between; align-items: center; position: sticky; top: 0; background: var(--bg-secondary); padding: 0.5rem 1rem; border-bottom: 1px solid var(--border-color); z-index: 10;", children: [
-                  /* @__PURE__ */ jsx("div", { class: "card-title", style: "margin: 0;", children: "Request Details" }),
+                  /* @__PURE__ */ jsx("div", { class: "card-title", style: "margin: 0; padding: 0", children: "Request Details" }),
                   /* @__PURE__ */ jsx("button", { onclick: "closeRequestDetails()", style: "background: transparent; border: none; color: var(--text-secondary); cursor: pointer; font-size: 1.2rem;", children: "×" })
                 ] }),
-                /* @__PURE__ */ jsxs("div", { style: "padding: 1rem;", children: [
-                  /* @__PURE__ */ jsx("div", { id: "request-details-content" }),
-                  /* @__PURE__ */ jsx("div", { class: "card-title", style: "margin-top: 1rem;", children: "Middleware Trace" }),
-                  /* @__PURE__ */ jsx("div", { id: "middleware-trace-container" })
-                ] })
+                /* @__PURE__ */ jsx("div", { style: "display: flex; flex-direction: column; overflow: hidden; height: 100%", children: /* @__PURE__ */ jsx("div", { id: "request-details-content", style: "flex: 1; display: flex; flex-direction: column; height: 100%; overflow: hidden" }) })
               ] })
             ] }) })
           ] }),
@@ -5557,7 +6148,8 @@ function DashboardApp({ metrics, uptime, integrations, base, getRequestHeadersSo
                     const getRequestHeaders = ${getRequestHeadersSource};
                     window.SHOKUPAN_CONFIG = {
                         rootPath: "${rootPath || ""}",
-                        linkPattern: "${linkPattern || ""}"
+                        linkPattern: "${linkPattern || ""}",
+                        ignorePaths: ${JSON.stringify(ignorePaths || [])}
                     };
                 `
       } }),
@@ -5566,7 +6158,6 @@ function DashboardApp({ metrics, uptime, integrations, base, getRequestHeadersSo
       /* @__PURE__ */ jsx("script", { src: `${base}/charts.js` }),
       /* @__PURE__ */ jsx("script", { src: `${base}/tables.js` }),
       /* @__PURE__ */ jsx("script", { src: `${base}/registry.js` }),
-      /* @__PURE__ */ jsx("script", { src: `${base}/failures.js` }),
       /* @__PURE__ */ jsx("script", { src: `${base}/requests.js` }),
       /* @__PURE__ */ jsx("script", { src: `${base}/tabs.js` })
     ] })
@@ -5635,15 +6226,51 @@ const require$1 = createRequire(import.meta.url);
 const http = require$1("node:http");
 const https = require$1("node:https");
 class FetchInterceptor {
+  static originalFetch;
+  static originalHttpRequest;
+  static originalHttpsRequest;
   originalFetch;
   originalHttpRequest;
   originalHttpsRequest;
   callbacks = [];
   isPatched = false;
   constructor() {
-    this.originalFetch = global.fetch;
-    this.originalHttpRequest = http.request;
-    this.originalHttpsRequest = https.request;
+    if (!FetchInterceptor.originalFetch) {
+      if (global.fetch.__isPatched) {
+        console.warn("[FetchInterceptor] Global fetch is already patched! Cannot capture original.");
+      } else {
+        FetchInterceptor.originalFetch = global.fetch;
+        FetchInterceptor.originalHttpRequest = http.request;
+        FetchInterceptor.originalHttpsRequest = https.request;
+      }
+    }
+    this.originalFetch = FetchInterceptor.originalFetch || global.fetch;
+    this.originalHttpRequest = FetchInterceptor.originalHttpRequest || http.request;
+    this.originalHttpsRequest = FetchInterceptor.originalHttpsRequest || https.request;
+  }
+  /**
+   * Statically restore the original network methods.
+   * Useful for cleaning up in tests.
+   */
+  /**
+   * Statically restore the original network methods.
+   * Useful for cleaning up in tests.
+   */
+  static restore() {
+    if (FetchInterceptor.originalFetch) {
+      global.fetch = FetchInterceptor.originalFetch;
+    } else if (global.fetch?.__originalFetch) {
+      global.fetch = global.fetch.__originalFetch;
+    } else if (typeof Bun !== "undefined" && Bun.fetch) {
+      global.fetch = Bun.fetch;
+    }
+    if (FetchInterceptor.originalHttpRequest) {
+      http.request = FetchInterceptor.originalHttpRequest;
+    }
+    if (FetchInterceptor.originalHttpsRequest) {
+      https.request = FetchInterceptor.originalHttpsRequest;
+    }
+    console.log("[FetchInterceptor] Network layer restored (static).");
   }
   /**
    * Patches the global `fetch` function to intercept requests.
@@ -5658,37 +6285,33 @@ class FetchInterceptor {
   }
   patchGlobalFetch() {
     const self = this;
+    if (!this.originalFetch && global.fetch.__isPatched && global.fetch.__originalFetch) {
+      this.originalFetch = global.fetch.__originalFetch;
+    }
     const newFetch = async function(input, init) {
       const startTime = performance.now();
       const timestamp = Date.now();
-      let method = "GET";
       let url = "";
+      let method = "GET";
       let requestHeaders = {};
-      let requestBody = void 0;
       try {
-        if (input instanceof URL$1) {
-          url = input.toString();
-        } else if (typeof input === "string") {
+        if (typeof input === "string") {
           url = input;
-        } else if (typeof input === "object" && "url" in input) {
+        } else if (input instanceof URL$1) {
+          url = input.toString();
+        } else if (input instanceof Request) {
           url = input.url;
           method = input.method;
+          input.headers.forEach((v, k) => requestHeaders[k] = v);
         }
         if (init) {
-          if (init.method) method = init.method;
+          if (init.method) method = init.method.toUpperCase();
           if (init.headers) {
-            if (init.headers instanceof Headers) {
-              init.headers.forEach((v, k) => requestHeaders[k] = v);
-            } else if (Array.isArray(init.headers)) {
-              init.headers.forEach(([k, v]) => requestHeaders[k] = v);
-            } else {
-              Object.assign(requestHeaders, init.headers);
-            }
+            const h = new Headers(init.headers);
+            h.forEach((v, k) => requestHeaders[k] = v);
           }
-          if (init.body) requestBody = init.body;
         }
       } catch (e) {
-        console.warn("[FetchInterceptor] Failed to parse request arguments", e);
       }
       try {
         const response = await self.originalFetch.apply(global, [input, init]);
@@ -5698,14 +6321,11 @@ class FetchInterceptor {
           method,
           url,
           requestHeaders,
-          requestBody,
-          status: response.status,
           startTime: timestamp,
           duration,
-          ...self.extractRequestMeta(url, requestHeaders),
-          protocol: "1.1"
-          // native fetch doesn't expose this easily, assume 1.1/2
-        });
+          status: response.status,
+          ...self.extractRequestMeta(url, requestHeaders)
+        }).catch((err) => console.error("[FetchInterceptor] Error processing response:", err));
         return response;
       } catch (error) {
         const duration = performance.now() - startTime;
@@ -5713,17 +6333,18 @@ class FetchInterceptor {
           method,
           url,
           requestHeaders,
-          requestBody,
           status: 0,
           responseHeaders: {},
-          responseBody: `Network Error: ${String(error)}`,
           startTime: timestamp,
-          duration
+          duration,
+          responseBody: `Error: ${error.message}`,
+          ...self.extractRequestMeta(url, requestHeaders)
         });
         throw error;
       }
     };
-    Object.assign(newFetch, this.originalFetch);
+    newFetch.__isPatched = true;
+    newFetch.__originalFetch = this.originalFetch;
     global.fetch = newFetch;
   }
   patchNodeRequests() {
@@ -6068,6 +6689,9 @@ class Dashboard {
       this.broadcastMetricUpdate(metric);
     };
     this.metricsCollector = new MetricsCollector(this.db, onCollect);
+    if (app.applicationConfig) {
+      app.applicationConfig.enableMiddlewareTracking = true;
+    }
     const fetchInterceptor = new FetchInterceptor();
     fetchInterceptor.patch();
     fetchInterceptor.on((log) => {
@@ -6101,6 +6725,10 @@ class Dashboard {
         responseHeaders: log.responseHeaders
         // No handler stack for outbound
       };
+      const maxLogs = this.dashboardConfig.maxLogEntries ?? 1e3;
+      if (this.metrics.logs.length >= maxLogs) {
+        this.metrics.logs.shift();
+      }
       this.metrics.logs.push(requestData);
       const recordId = new RecordId("request", nanoid());
       const idString = recordId.toString();
@@ -6128,17 +6756,9 @@ class Dashboard {
     }
     this.mountPath = options?.path || this.dashboardConfig.path || "/dashboard";
     const hooks = this.getHooks();
-    if (!app.middleware) {
-      app.middleware = [];
+    if (hooks.onRequestStart) {
+      app.hook("onRequestStart", hooks.onRequestStart);
     }
-    const hooksMiddleware = async (ctx, next) => {
-      if (hooks.onRequestStart) {
-        await hooks.onRequestStart(ctx);
-      }
-      ctx._startTime = performance.now();
-      await next();
-    };
-    app.use(hooksMiddleware);
     if (hooks.onResponseEnd) {
       app.hook("onResponseEnd", hooks.onResponseEnd);
     }
@@ -6385,7 +7005,7 @@ class Dashboard {
       if (!this.instrumented && app) {
         this.instrumentApp(app);
       }
-      const registry = app?.getComponentRegistry?.();
+      const registry = app?.registry;
       if (registry) {
         this.assignIdsToRegistry(registry, "root");
       }
@@ -6422,23 +7042,48 @@ class Dashboard {
     });
     this.router.post("/replay", async (ctx) => {
       const body = await ctx.body();
-      const app = this[$appRoot];
-      if (!app) return unknownError(ctx);
-      try {
-        const result = await app.processRequest({
-          method: body.method,
-          path: body.url,
-          // or path
-          headers: body.headers,
-          body: body.body
-        });
-        return ctx.json({
-          status: result.status,
-          headers: result.headers,
-          data: result.data
-        });
-      } catch (e) {
-        return ctx.json({ error: String(e) }, 500);
+      const direction = body.direction || "inbound";
+      if (direction === "outbound") {
+        const start = performance.now();
+        try {
+          const res = await fetch(body.url, {
+            method: body.method,
+            headers: body.headers,
+            body: body.body ? typeof body.body === "object" ? JSON.stringify(body.body) : body.body : void 0
+          });
+          const text = await res.text();
+          const duration = performance.now() - start;
+          const resHeaders = {};
+          res.headers.forEach((v, k) => resHeaders[k] = v);
+          return ctx.json({
+            status: res.status,
+            statusText: res.statusText,
+            headers: resHeaders,
+            data: text,
+            duration
+          });
+        } catch (e) {
+          return ctx.json({ error: String(e) }, 500);
+        }
+      } else {
+        const app = this[$appRoot];
+        if (!app) return unknownError(ctx);
+        try {
+          const result = await app.internalRequest({
+            method: body.method,
+            path: body.url,
+            // or path
+            headers: body.headers,
+            body: body.body
+          });
+          return ctx.json({
+            status: result.status,
+            headers: result.headers,
+            data: result.body
+          });
+        } catch (e) {
+          return ctx.json({ error: String(e) }, 500);
+        }
       }
     });
     this.router.get("/**", async (ctx) => {
@@ -6476,6 +7121,14 @@ class Dashboard {
       const linkPattern = this.getLinkPattern();
       const integrations = this.detectIntegrations();
       const getRequestHeadersSource = this.dashboardConfig.getRequestHeaders ? this.dashboardConfig.getRequestHeaders.toString() : "undefined";
+      const ignorePaths = [
+        ...this.dashboardConfig.ignorePaths || [],
+        // Add default ignores for integrations
+        ...Object.values(integrations).filter((p) => !!p).flatMap((p) => {
+          const clean = p.endsWith("/") ? p.slice(0, -1) : p;
+          return [clean, `${clean}/**`];
+        })
+      ];
       const html = renderToString(DashboardApp({
         metrics: this.metrics,
         uptime,
@@ -6483,7 +7136,8 @@ class Dashboard {
         linkPattern,
         integrations,
         base: mountPath,
-        getRequestHeadersSource
+        getRequestHeadersSource,
+        ignorePaths
       }));
       return ctx.html(`<!DOCTYPE html>${html}`);
     });
@@ -6630,12 +7284,15 @@ class Dashboard {
   getHooks() {
     return {
       onRequestStart: (ctx) => {
+        if (ctx.path.startsWith(this.mountPath)) return;
         const app = this[$appRoot];
         if (!this.instrumented && app) {
           this.instrumentApp(app);
         }
         this.metrics.totalRequests++;
         this.metrics.activeRequests++;
+        ctx._startTime = performance.now();
+        ctx._reqStartTime = Date.now();
         ctx[$debug] = new Collector(this);
         if (!this.broadcastTimer) {
           this.broadcastTimer = setTimeout(() => {
@@ -6725,7 +7382,7 @@ class Dashboard {
           url: ctx.url.toString(),
           status: response.status,
           duration,
-          timestamp: Date.now(),
+          timestamp: ctx._reqStartTime || Date.now() - duration,
           handlerStack: this.serializeHandlerStack(ctx.handlerStack),
           body: this.serializeBody(ctx.responseBody),
           requestBody: ctx.bodyData || ctx.requestBody,
@@ -6746,17 +7403,12 @@ class Dashboard {
           responseHeaders: resHeaders
         };
         this.metrics.logs.push(logEntry);
-        try {
-          await this.db.query("UPSERT $id CONTENT $data", {
-            id: new RecordId("request", ctx.requestId),
-            data: {
-              ...logEntry,
-              direction: "inbound"
-            }
-          });
-        } catch (e) {
+        this.db.create(new RecordId("request", ctx.requestId), {
+          ...logEntry,
+          direction: "inbound"
+        }).catch((e) => {
           console.error("Failed to record request log", e);
-        }
+        });
         const retention = this.dashboardConfig.retentionMs ?? 72e5;
         const cutoff = Date.now() - retention;
         if (this.metrics.logs.length > 0 && this.metrics.logs[0].timestamp < cutoff) {
@@ -7116,10 +7768,77 @@ class ScalarPlugin extends ShokupanRouter {
     }
   }
 }
+function createLimitStream(maxSize) {
+  let size = 0;
+  return new TransformStream({
+    transform(chunk, controller) {
+      size += chunk.byteLength || chunk.length;
+      if (size > maxSize) {
+        controller.error(new Error(`Decompressed body size exceeded limit of ${maxSize} bytes`));
+      } else {
+        controller.enqueue(chunk);
+      }
+    }
+  });
+}
 function Compression(options = {}) {
   const threshold = options.threshold ?? 512;
   const allowedAlgorithms = new Set(options.allowedAlgorithms ?? ["br", "gzip", "zstd", "deflate"]);
+  const decompress = options.decompress ?? true;
+  const maxDecompressedSize = options.maxDecompressedSize ?? 10 * 1024 * 1024;
   const compressionMiddleware = async function CompressionMiddleware(ctx, next) {
+    const requestEncoding = ctx.headers.get("content-encoding");
+    if (decompress && requestEncoding && !ctx.headers.get("content-encoding")?.includes("identity") && ctx.req.body) {
+      let stream = null;
+      if (requestEncoding.includes("br")) {
+        const decompressor = zlib.createBrotliDecompress();
+        const nodeStream = Readable.fromWeb(ctx.req.body);
+        stream = Readable.toWeb(nodeStream.pipe(decompressor));
+      } else if (requestEncoding.includes("gzip")) {
+        if (typeof DecompressionStream !== "undefined") {
+          stream = ctx.req.body.pipeThrough(new DecompressionStream("gzip"));
+        } else {
+          const decompressor = zlib.createGunzip();
+          const nodeStream = Readable.fromWeb(ctx.req.body);
+          stream = Readable.toWeb(nodeStream.pipe(decompressor));
+        }
+      } else if (requestEncoding.includes("deflate")) {
+        if (typeof DecompressionStream !== "undefined") {
+          stream = ctx.req.body.pipeThrough(new DecompressionStream("deflate"));
+        } else {
+          const decompressor = zlib.createInflate();
+          const nodeStream = Readable.fromWeb(ctx.req.body);
+          stream = Readable.toWeb(nodeStream.pipe(decompressor));
+        }
+      }
+      if (stream) {
+        const outputStream = stream.pipeThrough(createLimitStream(maxDecompressedSize));
+        const originalIp = ctx.ip;
+        const originalReq = ctx.req;
+        const newHeaders = new Headers(originalReq.headers);
+        newHeaders.delete("content-encoding");
+        newHeaders.delete("content-length");
+        const newReq = new Proxy(originalReq, {
+          get(target, prop, receiver) {
+            if (prop === "body") return outputStream;
+            if (prop === "headers") return newHeaders;
+            if (prop === "json") return async () => JSON.parse(await new Response(outputStream).text());
+            if (prop === "text") return async () => await new Response(outputStream).text();
+            if (prop === "arrayBuffer") return async () => await new Response(outputStream).arrayBuffer();
+            if (prop === "blob") return async () => await new Response(outputStream).blob();
+            if (prop === "formData") return async () => await new Response(outputStream).formData();
+            return Reflect.get(target, prop, target);
+          }
+        });
+        ctx.request = newReq;
+        if (originalIp) {
+          Object.defineProperty(ctx, "ip", {
+            configurable: true,
+            get: () => originalIp
+          });
+        }
+      }
+    }
     const acceptEncoding = ctx.headers.get("accept-encoding") || "";
     let method = null;
     if (acceptEncoding.includes("br")) method = "br";
@@ -7571,7 +8290,7 @@ function openApiValidator() {
     if (validators.body) {
       let body;
       try {
-        body = await ctx.req.json().catch(() => ({}));
+        body = await ctx.body();
       } catch {
         body = {};
       }
@@ -7693,8 +8412,7 @@ function enableOpenApiValidation(app) {
 }
 function SecurityHeaders(options = {}) {
   const securityHeadersMiddleware = async function SecurityHeadersMiddleware(ctx, next) {
-    const headers = {};
-    const set = (k, v) => headers[k] = v;
+    const set = (k, v) => ctx.response.set(k, v);
     if (options.dnsPrefetchControl !== false) {
       const allow = options.dnsPrefetchControl?.allow;
       set("X-DNS-Prefetch-Control", allow ? "on" : "off");
@@ -7740,14 +8458,6 @@ function SecurityHeaders(options = {}) {
     }
     if (options.hidePoweredBy !== false) ;
     const response = await next();
-    if (response instanceof Response) {
-      const headerEntries = Object.entries(headers);
-      for (let i = 0; i < headerEntries.length; i++) {
-        const [k, v] = headerEntries[i];
-        response.headers.set(k, v);
-      }
-      return response;
-    }
     return response;
   };
   securityHeadersMiddleware.isBuiltin = true;
@@ -8024,6 +8734,7 @@ export {
   $bodyParsed,
   $bodyType,
   $cachedBody,
+  $cachedCookies,
   $cachedHost,
   $cachedHostname,
   $cachedOrigin,