shokupan 0.5.0 → 0.6.1

package/dist/index.js

@@ -1,10 +1,8 @@
 import { readFile } from "node:fs/promises";
 import { Eta } from "eta";
 import { stat, readdir, readFile as readFile$1 } from "fs/promises";
-import { resolve, join, basename } from "path";
+import { resolve, join, sep, basename } from "path";
 import { AsyncLocalStorage } from "node:async_hooks";
-import { createNodeEngines } from "@surrealdb/node";
-import { Surreal, RecordId } from "surrealdb";
 import { trace, SpanKind, SpanStatusCode, context } from "@opentelemetry/api";
 import * as os from "node:os";
 import { OAuth2Client, Okta, Auth0, Apple, MicrosoftEntraId, Google, GitHub, generateState, generateCodeVerifier } from "arctic";
@@ -12,9 +10,7 @@ import * as jose from "jose";
 import * as zlib from "node:zlib";
 import Ajv from "ajv";
 import addFormats from "ajv-formats";
-import { plainToInstance } from "class-transformer";
-import { validateOrReject } from "class-validator";
-import { OpenAPIAnalyzer } from "./openapi-analyzer-D7y6Qa38.js";
+import { OpenAPIAnalyzer } from "./openapi-analyzer-Ce_7JxZh.js";
 import { randomUUID, createHmac } from "crypto";
 import { EventEmitter } from "events";
 class ShokupanResponse {
@@ -80,8 +76,82 @@ class ShokupanResponse {
     return this._headers !== null;
   }
 }
+function isValidCookieDomain(domain, currentHost) {
+  const hostWithoutPort = currentHost.split(":")[0];
+  if (domain === hostWithoutPort) return true;
+  if (domain.startsWith(".")) {
+    const domainWithoutDot = domain.slice(1);
+    return hostWithoutPort.endsWith(domainWithoutDot);
+  }
+  return false;
+}
+const VALID_HTTP_STATUSES = /* @__PURE__ */ new Set([
+  100,
+  101,
+  102,
+  103,
+  200,
+  201,
+  202,
+  203,
+  204,
+  205,
+  206,
+  207,
+  208,
+  226,
+  300,
+  301,
+  302,
+  303,
+  304,
+  305,
+  306,
+  307,
+  308,
+  400,
+  401,
+  402,
+  403,
+  404,
+  405,
+  406,
+  407,
+  408,
+  409,
+  410,
+  411,
+  412,
+  413,
+  414,
+  415,
+  416,
+  417,
+  418,
+  421,
+  422,
+  423,
+  424,
+  425,
+  426,
+  428,
+  429,
+  431,
+  451,
+  500,
+  501,
+  502,
+  503,
+  504,
+  505,
+  506,
+  507,
+  508,
+  510,
+  511
+]);
+const VALID_REDIRECT_STATUSES = /* @__PURE__ */ new Set([301, 302, 303, 307, 308]);
 class ShokupanContext {
-  // Raw body for compression optimization
   constructor(request, server, state, app, signal, enableMiddlewareTracking = false) {
     this.request = request;
     this.server = server;
@@ -104,7 +174,6 @@ class ShokupanContext {
     }
     this.response = new ShokupanResponse();
   }
-  _url;
   params = {};
   // Router assigns this, but default to empty object
   state;
@@ -113,6 +182,19 @@ class ShokupanContext {
   _debug;
   _finalResponse;
   _rawBody;
+  // Raw body for compression optimization
+  // Body caching to avoid double parsing
+  _url;
+  _cachedBody;
+  _bodyType;
+  _bodyParsed = false;
+  _bodyParseError;
+  // Cached URL properties to avoid repeated parsing
+  _cachedHostname;
+  _cachedProtocol;
+  _cachedHost;
+  _cachedOrigin;
+  _cachedQuery;
   get url() {
     if (!this._url) {
       const urlString = this.request.url || "http://localhost/";
@@ -161,16 +243,24 @@ class ShokupanContext {
    * Request query params
    */
   get query() {
-    const q = {};
-    for (const [key, value] of this.url.searchParams) {
-      if (q[key] === void 0) {
-        q[key] = value;
-      } else if (Array.isArray(q[key])) {
-        q[key].push(value);
+    if (this._cachedQuery) return this._cachedQuery;
+    const q = /* @__PURE__ */ Object.create(null);
+    const blocklist = ["__proto__", "constructor", "prototype"];
+    const entries = Object.entries(this.url.searchParams);
+    for (let i = 0; i < entries.length; i++) {
+      const [key, value] = entries[i];
+      if (blocklist.includes(key)) continue;
+      if (Object.prototype.hasOwnProperty.call(q, key)) {
+        if (Array.isArray(q[key])) {
+          q[key].push(value);
+        } else {
+          q[key] = [q[key], value];
+        }
       } else {
-        q[key] = [q[key], value];
+        q[key] = value;
       }
     }
+    this._cachedQuery = q;
     return q;
   }
   /**
@@ -183,31 +273,31 @@ class ShokupanContext {
    * Request hostname (e.g. "localhost")
    */
   get hostname() {
-    return this.url.hostname;
+    return this._cachedHostname ??= this.url.hostname;
   }
   /**
    * Request host (e.g. "localhost:3000")
    */
   get host() {
-    return this.url.host;
+    return this._cachedHost ??= this.url.host;
   }
   /**
    * Request protocol (e.g. "http:", "https:")
    */
   get protocol() {
-    return this.url.protocol;
+    return this._cachedProtocol ??= this.url.protocol;
   }
   /**
    * Whether request is secure (https)
    */
   get secure() {
-    return this.url.protocol === "https:";
+    return this.protocol === "https:";
   }
   /**
    * Request origin (e.g. "http://localhost:3000")
    */
   get origin() {
-    return this.url.origin;
+    return this._cachedOrigin ??= this.url.origin;
   }
   /**
    * Request headers
@@ -244,6 +334,12 @@ class ShokupanContext {
    * @param options Cookie options
    */
   setCookie(name, value, options = {}) {
+    if (options.domain) {
+      const currentHost = this.hostname;
+      if (!isValidCookieDomain(options.domain, currentHost)) {
+        throw new Error(`Invalid cookie domain: ${options.domain} for host ${currentHost}`);
+      }
+    }
     let cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
     if (options.maxAge) cookie += `; Max-Age=${Math.floor(options.maxAge)}`;
     if (options.domain) cookie += `; Domain=${options.domain}`;
@@ -303,6 +399,91 @@ class ShokupanContext {
     }
     return h;
   }
+  /**
+   * Read request body with caching to avoid double parsing.
+   * The body is only parsed once and cached for subsequent reads.
+   */
+  async body() {
+    if (this._bodyParseError) {
+      throw this._bodyParseError;
+    }
+    if (this._bodyParsed) {
+      return this._cachedBody;
+    }
+    const contentType = this.request.headers.get("content-type") || "";
+    if (contentType.includes("application/json") || contentType.includes("+json")) {
+      const rawText = await this.readRawBody();
+      const parserType = this.app?.applicationConfig?.jsonParser || "native";
+      if (parserType === "native") {
+        this._cachedBody = JSON.parse(rawText);
+      } else {
+        const { getJSONParser } = await import("./json-parser-B3dnQmCC.js");
+        const parser = getJSONParser(parserType);
+        this._cachedBody = parser(rawText);
+      }
+      this._bodyType = "json";
+    } else if (contentType.includes("multipart/form-data") || contentType.includes("application/x-www-form-urlencoded")) {
+      this._cachedBody = await this.request.formData();
+      this._bodyType = "formData";
+    } else {
+      this._cachedBody = await this.readRawBody();
+      this._bodyType = "text";
+    }
+    this._bodyParsed = true;
+    return this._cachedBody;
+  }
+  /**
+   * Pre-parse the request body before handler execution.
+   * This improves performance and enables Node.js compatibility for large payloads.
+   * Errors are deferred until the body is actually accessed in the handler.
+   */
+  async parseBody() {
+    if (this._bodyParsed) {
+      return;
+    }
+    if (this.request.method === "GET" || this.request.method === "HEAD") {
+      return;
+    }
+    try {
+      await this.body();
+    } catch (error) {
+      this._bodyParseError = error;
+    }
+  }
+  /**
+   * Read raw body from ReadableStream efficiently.
+   * This is much faster than request.text() for large payloads.
+   * Also handles the case where body is already a string (e.g., in tests).
+   */
+  async readRawBody() {
+    if (typeof this.request.body === "string") {
+      return this.request.body;
+    }
+    const reader = this.request.body?.getReader();
+    if (!reader) {
+      return "";
+    }
+    const chunks = [];
+    let totalSize = 0;
+    try {
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        chunks.push(value);
+        totalSize += value.length;
+      }
+    } finally {
+      reader.releaseLock();
+    }
+    const result = new Uint8Array(totalSize);
+    let offset = 0;
+    for (let i = 0; i < chunks.length; i++) {
+      const chunk = chunks[i];
+      result.set(chunk, offset);
+      offset += chunk.length;
+    }
+    return new TextDecoder().decode(result);
+  }
   /**
    * Send a response
    * @param body Response body
@@ -311,31 +492,24 @@ class ShokupanContext {
    */
   send(body, options) {
     const headers = this.mergeHeaders(options?.headers);
-    const status = options?.status ?? this.response.status;
+    const status = options?.status ?? this.response.status ?? 200;
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_HTTP_STATUSES.has(status)) {
+      throw new Error(`Invalid HTTP status code: ${status}`);
+    }
     if (typeof body === "string" || body instanceof ArrayBuffer || body instanceof Uint8Array) {
       this._rawBody = body;
     }
     this._finalResponse = new Response(body, { status, headers });
     return this._finalResponse;
   }
-  /**
-   * Read request body
-   */
-  async body() {
-    const contentType = this.request.headers.get("content-type") || "";
-    if (contentType.includes("application/json") || contentType.includes("+json")) {
-      return this.request.json();
-    }
-    if (contentType.includes("multipart/form-data") || contentType.includes("application/x-www-form-urlencoded")) {
-      return this.request.formData();
-    }
-    return this.request.text();
-  }
   /**
    * Respond with a JSON object
    */
   json(data, status, headers) {
-    const finalStatus = status ?? this.response.status;
+    const finalStatus = status ?? this.response.status ?? 200;
+    if (!VALID_HTTP_STATUSES.has(finalStatus)) {
+      throw new Error(`Invalid HTTP status code: ${finalStatus}`);
+    }
     const jsonString = JSON.stringify(data);
     this._rawBody = jsonString;
     if (!headers && !this.response.hasPopulatedHeaders) {
@@ -354,7 +528,10 @@ class ShokupanContext {
    * Respond with a text string
    */
   text(data, status, headers) {
-    const finalStatus = status ?? this.response.status;
+    const finalStatus = status ?? this.response.status ?? 200;
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_HTTP_STATUSES.has(finalStatus)) {
+      throw new Error(`Invalid HTTP status code: ${finalStatus}`);
+    }
     this._rawBody = data;
     if (!headers && !this.response.hasPopulatedHeaders) {
       this._finalResponse = new Response(data, {
@@ -372,7 +549,10 @@ class ShokupanContext {
    * Respond with HTML content
    */
   html(html, status, headers) {
-    const finalStatus = status ?? this.response.status;
+    const finalStatus = status ?? this.response.status ?? 200;
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_HTTP_STATUSES.has(finalStatus)) {
+      throw new Error(`Invalid HTTP status code: ${finalStatus}`);
+    }
     const finalHeaders = this.mergeHeaders(headers);
     finalHeaders.set("content-type", "text/html; charset=utf-8");
     this._rawBody = html;
@@ -383,6 +563,9 @@ class ShokupanContext {
    * Respond with a redirect
    */
   redirect(url, status = 302) {
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_REDIRECT_STATUSES.has(status)) {
+      throw new Error(`Invalid redirect status code: ${status}`);
+    }
     const headers = this.mergeHeaders();
     headers.set("Location", url);
     this._finalResponse = new Response(null, { status, headers });
@@ -393,6 +576,9 @@ class ShokupanContext {
    * DOES NOT CHAIN!
    */
   status(status) {
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_HTTP_STATUSES.has(status)) {
+      throw new Error(`Invalid HTTP status code: ${status}`);
+    }
     const headers = this.mergeHeaders();
     this._finalResponse = new Response(null, { status, headers });
     return this._finalResponse;
@@ -403,6 +589,9 @@ class ShokupanContext {
   async file(path, fileOptions, responseOptions) {
     const headers = this.mergeHeaders(responseOptions?.headers);
     const status = responseOptions?.status ?? this.response.status;
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_HTTP_STATUSES.has(status)) {
+      throw new Error(`Invalid HTTP status code: ${status}`);
+    }
     if (typeof Bun !== "undefined") {
       this._finalResponse = new Response(Bun.file(path, fileOptions), { status, headers });
       return this._finalResponse;
@@ -426,6 +615,10 @@ class ShokupanContext {
    * @param headers HTTP Headers
    */
   async jsx(element, args, status, headers) {
+    status ??= 200;
+    if (this.app.applicationConfig.validateStatusCodes && !VALID_HTTP_STATUSES.has(status)) {
+      throw new Error(`Invalid HTTP status code: ${status}`);
+    }
     if (!this.renderer) {
       throw new Error("No JSX renderer configured");
     }
@@ -440,17 +633,32 @@ function RateLimitMiddleware(options = {}) {
   const statusCode = options.statusCode || 429;
   const headers = options.headers !== false;
   const mode = options.mode || "user";
+  const trustedProxies = options.trustedProxies || [];
   const keyGenerator = options.keyGenerator || ((ctx) => {
     if (mode === "absolute") {
       return "global";
     }
-    return ctx.headers.get("x-forwarded-for") || ctx.request.headers.get("x-forwarded-for") || ctx.server?.requestIP?.(ctx.request)?.address || "unknown";
+    const xForwardedFor = ctx.headers.get("x-forwarded-for");
+    if (xForwardedFor && trustedProxies.length > 0) {
+      const ips = xForwardedFor.split(",").map((ip) => ip.trim());
+      for (let i = ips.length - 1; i >= 0; i--) {
+        const ip = ips[i];
+        if (!trustedProxies.includes(ip)) {
+          if (/^[\d.:a-fA-F]+$/.test(ip)) {
+            return ip;
+          }
+        }
+      }
+    }
+    return ctx.server?.requestIP?.(ctx.request)?.address || "unknown";
   });
   const skip = options.skip || (() => false);
   const hits = /* @__PURE__ */ new Map();
   const interval = setInterval(() => {
     const now = Date.now();
-    for (const [key, record] of hits.entries()) {
+    const entries = Array.from(hits.entries());
+    for (let i = 0; i < entries.length; i++) {
+      const [key, record] = entries[i];
       if (record.resetTime <= now) {
         hits.delete(key);
       }
@@ -703,7 +911,9 @@ function deepMerge(target, ...sources) {
   if (!sources.length) return target;
   const source = sources.shift();
   if (isObject(target) && isObject(source)) {
-    for (const key in source) {
+    const sourceKeys = Object.keys(source);
+    for (let i = 0; i < sourceKeys.length; i++) {
+      const key = sourceKeys[i];
       if (isObject(source[key])) {
         if (!target[key]) Object.assign(target, { [key]: {} });
         deepMerge(target[key], source[key]);
@@ -727,15 +937,17 @@ function deepMerge(target, ...sources) {
   }
   return deepMerge(target, ...sources);
 }
-const REGEX_QUERY_INT = /parseInt\(ctx\.query\.(\w+)\)/g;
-const REGEX_QUERY_FLOAT = /parseFloat\(ctx\.query\.(\w+)\)/g;
-const REGEX_QUERY_NUMBER = /Number\(ctx\.query\.(\w+)\)/g;
-const REGEX_QUERY_BOOL = /(?:Boolean\(ctx\.query\.(\w+)\)|!+ctx\.query\.(\w+))/g;
-const REGEX_QUERY_GENERIC = /ctx\.query\.(\w+)/g;
-const REGEX_PARAM_INT = /parseInt\(ctx\.params\.(\w+)\)/g;
-const REGEX_PARAM_FLOAT = /parseFloat\(ctx\.params\.(\w+)\)/g;
-const REGEX_HEADER_GET = /ctx\.get\(['"](\w+)['"]\)/g;
-const REGEX_ERROR_STATUS = /ctx\.(?:json|text|html)\([^)]+,\s*(\d{3,})\)/g;
+const REGEX_PATTERNS = {
+  QUERY_INT: /parseInt\(ctx\.query\.(\w+)\)/g,
+  QUERY_FLOAT: /parseFloat\(ctx\.query\.(\w+)\)/g,
+  QUERY_NUMBER: /Number\(ctx\.query\.(\w+)\)/g,
+  QUERY_BOOL: /(?:Boolean\(ctx\.query\.(\w+)\)|!+ctx\.query\.(\w+))/g,
+  QUERY_GENERIC: /ctx\.query\.(\w+)/g,
+  PARAM_INT: /parseInt\(ctx\.params\.(\w+)\)/g,
+  PARAM_FLOAT: /parseFloat\(ctx\.params\.(\w+)\)/g,
+  HEADER_GET: /ctx\.get\(['"](\w+)['"]\)/g,
+  ERROR_STATUS: /ctx\.(?:json|text|html)\([^)]+,\s*(\d{3,})\)/g
+};
 function analyzeHandler(handler) {
   const handlerSource = handler.toString();
   const inferredSpec = {};
@@ -745,29 +957,20 @@ function analyzeHandler(handler) {
     };
   }
   const queryParams = /* @__PURE__ */ new Map();
-  for (const match of handlerSource.matchAll(REGEX_QUERY_INT)) {
-    if (match[1]) queryParams.set(match[1], { type: "integer", format: "int32" });
-  }
-  for (const match of handlerSource.matchAll(REGEX_QUERY_FLOAT)) {
-    if (match[1]) queryParams.set(match[1], { type: "number", format: "float" });
-  }
-  for (const match of handlerSource.matchAll(REGEX_QUERY_NUMBER)) {
-    if (match[1] && !queryParams.has(match[1])) {
-      queryParams.set(match[1], { type: "number" });
-    }
-  }
-  for (const match of handlerSource.matchAll(REGEX_QUERY_BOOL)) {
-    const name = match[1] || match[2];
-    if (name && !queryParams.has(name)) {
-      queryParams.set(name, { type: "boolean" });
-    }
-  }
-  for (const match of handlerSource.matchAll(REGEX_QUERY_GENERIC)) {
-    const name = match[1];
-    if (name && !queryParams.has(name)) {
-      queryParams.set(name, { type: "string" });
+  const processMatches = (regex, type, format) => {
+    const matches = Array.from(handlerSource.matchAll(regex));
+    for (const match of matches) {
+      const name = match[1] || match[2];
+      if (name && !queryParams.has(name)) {
+        queryParams.set(name, { type, format });
+      }
     }
-  }
+  };
+  processMatches(REGEX_PATTERNS.QUERY_INT, "integer", "int32");
+  processMatches(REGEX_PATTERNS.QUERY_FLOAT, "number", "float");
+  processMatches(REGEX_PATTERNS.QUERY_NUMBER, "number");
+  processMatches(REGEX_PATTERNS.QUERY_BOOL, "boolean");
+  processMatches(REGEX_PATTERNS.QUERY_GENERIC, "string");
   if (queryParams.size > 0) {
     if (!inferredSpec.parameters) inferredSpec.parameters = [];
     queryParams.forEach((schema, paramName) => {
@@ -779,12 +982,15 @@ function analyzeHandler(handler) {
     });
   }
   const pathParams = /* @__PURE__ */ new Map();
-  for (const match of handlerSource.matchAll(REGEX_PARAM_INT)) {
-    if (match[1]) pathParams.set(match[1], { type: "integer", format: "int32" });
-  }
-  for (const match of handlerSource.matchAll(REGEX_PARAM_FLOAT)) {
-    if (match[1]) pathParams.set(match[1], { type: "number", format: "float" });
-  }
+  const processPathMatches = (regex, type, format) => {
+    const matches = Array.from(handlerSource.matchAll(regex));
+    for (const match of matches) {
+      const name = match[1];
+      if (name) pathParams.set(name, { type, format });
+    }
+  };
+  processPathMatches(REGEX_PATTERNS.PARAM_INT, "integer", "int32");
+  processPathMatches(REGEX_PATTERNS.PARAM_FLOAT, "number", "float");
   if (pathParams.size > 0) {
     if (!inferredSpec.parameters) inferredSpec.parameters = [];
     pathParams.forEach((schema, paramName) => {
@@ -796,7 +1002,8 @@ function analyzeHandler(handler) {
       });
     });
   }
-  for (const match of handlerSource.matchAll(REGEX_HEADER_GET)) {
+  const headerMatches = Array.from(handlerSource.matchAll(REGEX_PATTERNS.HEADER_GET));
+  for (const match of headerMatches) {
     if (match[1]) {
       if (!inferredSpec.parameters) inferredSpec.parameters = [];
       inferredSpec.parameters.push({
@@ -815,13 +1022,19 @@ function analyzeHandler(handler) {
   }
   if (handlerSource.includes("ctx.html(")) {
     responses["200"] = {
-      description: "Successful response",
+      description: "Successful HTML response",
+      content: { "text/html": { schema: { type: "string" } } }
+    };
+  }
+  if (handlerSource.includes("ctx.jsx(")) {
+    responses["200"] = {
+      description: "Successful HTML response (Rendered JSX)",
       content: { "text/html": { schema: { type: "string" } } }
     };
   }
   if (handlerSource.includes("ctx.text(")) {
     responses["200"] = {
-      description: "Successful response",
+      description: "Successful text response",
       content: { "text/plain": { schema: { type: "string" } } }
     };
   }
@@ -832,7 +1045,18 @@ function analyzeHandler(handler) {
     };
   }
   if (handlerSource.includes("ctx.redirect(")) {
-    responses["302"] = { description: "Redirect" };
+    let hasSpecificRedirect = false;
+    const redirectMatches = Array.from(handlerSource.matchAll(/ctx\.redirect\([^,]+,\s*(\d{3})\)/g));
+    for (const match of redirectMatches) {
+      const status = match[1];
+      if (/^30[12378]$/.test(status)) {
+        responses[status] = { description: `Redirect (${status})` };
+        hasSpecificRedirect = true;
+      }
+    }
+    if (!hasSpecificRedirect) {
+      responses["302"] = { description: "Redirect" };
+    }
   }
   if (!responses["200"] && /return\s+\{/.test(handlerSource)) {
     responses["200"] = {
@@ -840,7 +1064,8 @@ function analyzeHandler(handler) {
       content: { "application/json": { schema: { type: "object" } } }
     };
   }
-  for (const match of handlerSource.matchAll(REGEX_ERROR_STATUS)) {
+  const errorStatusMatches = Array.from(handlerSource.matchAll(REGEX_PATTERNS.ERROR_STATUS));
+  for (const match of errorStatusMatches) {
     const statusCode = match[1];
     if (statusCode && statusCode !== "200") {
       responses[statusCode] = { description: `Error response (${statusCode})` };
@@ -851,6 +1076,52 @@ function analyzeHandler(handler) {
   }
   return { inferredSpec };
 }
+async function getAstRoutes(applications) {
+  const astRoutes = [];
+  const getExpandedRoutes = (app, prefix = "", seen = /* @__PURE__ */ new Set()) => {
+    if (seen.has(app.name)) return [];
+    const newSeen = new Set(seen);
+    newSeen.add(app.name);
+    const expanded = [];
+    for (const route of app.routes) {
+      const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+      const cleanPath = route.path.startsWith("/") ? route.path : "/" + route.path;
+      let joined = cleanPrefix + cleanPath;
+      if (joined.length > 1 && joined.endsWith("/")) {
+        joined = joined.slice(0, -1);
+      }
+      expanded.push({
+        ...route,
+        path: joined || "/"
+      });
+    }
+    if (app.mounted) {
+      for (const mount of app.mounted) {
+        const targetApp = applications.find((a) => a.name === mount.target || a.className === mount.target);
+        if (targetApp) {
+          const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+          const mountPrefix = mount.prefix.startsWith("/") ? mount.prefix : "/" + mount.prefix;
+          expanded.push(...getExpandedRoutes(targetApp, cleanPrefix + mountPrefix, newSeen));
+        }
+      }
+    }
+    return expanded;
+  };
+  applications.forEach((app) => {
+    astRoutes.push(...getExpandedRoutes(app));
+  });
+  const dedupedRoutes = /* @__PURE__ */ new Map();
+  for (const route of astRoutes) {
+    const key = `${route.method.toUpperCase()}:${route.path}`;
+    let score = 0;
+    if (route.responseSchema) score += 10;
+    if (route.handlerSource) score += 5;
+    if (!dedupedRoutes.has(key) || score > dedupedRoutes.get(key).score) {
+      dedupedRoutes.set(key, { route, score });
+    }
+  }
+  return Array.from(dedupedRoutes.values()).map((v) => v.route);
+}
 async function generateOpenApi(rootRouter, options = {}) {
   const paths = {};
   const tagGroups = /* @__PURE__ */ new Map();
@@ -858,61 +1129,11 @@ async function generateOpenApi(rootRouter, options = {}) {
   const defaultTagName = options.defaultTag || "Application";
   let astRoutes = [];
   try {
-    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./openapi-analyzer-D7y6Qa38.js");
+    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./openapi-analyzer-Ce_7JxZh.js");
     const analyzer = new OpenAPIAnalyzer2(process.cwd());
     const { applications } = await analyzer.analyze();
-    const appMap = /* @__PURE__ */ new Map();
-    applications.forEach((app) => {
-      appMap.set(app.name, app);
-      if (app.name !== app.className) {
-        appMap.set(app.className, app);
-      }
-    });
-    const getExpandedRoutes = (app, prefix = "", seen = /* @__PURE__ */ new Set()) => {
-      if (seen.has(app.name)) return [];
-      const newSeen = new Set(seen);
-      newSeen.add(app.name);
-      const expanded = [];
-      for (const route of app.routes) {
-        const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
-        const cleanPath = route.path.startsWith("/") ? route.path : "/" + route.path;
-        let joined = cleanPrefix + cleanPath;
-        if (joined.length > 1 && joined.endsWith("/")) {
-          joined = joined.slice(0, -1);
-        }
-        expanded.push({
-          ...route,
-          path: joined || "/"
-        });
-      }
-      if (app.mounted) {
-        for (const mount of app.mounted) {
-          const targetApp = appMap.get(mount.target);
-          if (targetApp) {
-            const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
-            const mountPrefix = mount.prefix.startsWith("/") ? mount.prefix : "/" + mount.prefix;
-            expanded.push(...getExpandedRoutes(targetApp, cleanPrefix + mountPrefix, newSeen));
-          }
-        }
-      }
-      return expanded;
-    };
-    applications.forEach((app) => {
-      astRoutes.push(...getExpandedRoutes(app));
-    });
-    const dedupedRoutes = /* @__PURE__ */ new Map();
-    for (const route of astRoutes) {
-      const key = `${route.method.toUpperCase()}:${route.path}`;
-      let score = 0;
-      if (route.responseSchema) score += 10;
-      if (route.handlerSource) score += 5;
-      if (!dedupedRoutes.has(key) || score > dedupedRoutes.get(key).score) {
-        dedupedRoutes.set(key, { route, score });
-      }
-    }
-    astRoutes = Array.from(dedupedRoutes.values()).map((v) => v.route);
+    astRoutes = await getAstRoutes(applications);
   } catch (e) {
-    console.warn("OpenAPI AST analysis failed or skipped:", e);
   }
   const collect = (router, prefix = "", currentGroup = defaultTagGroup, defaultTag = defaultTagName) => {
     let group = currentGroup;
@@ -969,33 +1190,15 @@ async function generateOpenApi(rootRouter, options = {}) {
         (r) => r.method.toUpperCase() === route.method.toUpperCase() && r.path === fullPath
       );
       if (!astMatch) {
-        let runtimeSource = route.handler.toString();
-        if (route.handler.originalHandler) {
-          runtimeSource = route.handler.originalHandler.toString();
-        }
+        const runtimeSource = (route.handler.originalHandler || route.handler).toString();
         const runtimeHandlerSrc = runtimeSource.replace(/\s+/g, " ");
         const sameMethodRoutes = astRoutes.filter((r) => r.method.toUpperCase() === route.method.toUpperCase());
         astMatch = sameMethodRoutes.find((r) => {
           const astHandlerSrc = (r.handlerSource || r.handlerName || "").replace(/\s+/g, " ");
           if (!astHandlerSrc || astHandlerSrc.length < 20) return false;
-          const match = runtimeHandlerSrc.includes(astHandlerSrc) || astHandlerSrc.includes(runtimeHandlerSrc) || r.handlerSource && runtimeHandlerSrc.includes(r.handlerSource.substring(0, 50));
-          return match;
+          return runtimeHandlerSrc.includes(astHandlerSrc) || astHandlerSrc.includes(runtimeHandlerSrc) || r.handlerSource && runtimeHandlerSrc.includes(r.handlerSource.substring(0, 50));
         });
       }
-      const potentialMatches = astRoutes.filter(
-        (r) => r.method.toUpperCase() === route.method.toUpperCase() && r.path === fullPath
-      );
-      if (potentialMatches.length > 1) {
-        const runtimeHandlerSrc = route.handler.toString().replace(/\s+/g, " ");
-        const preciseMatch = potentialMatches.find((r) => {
-          const astHandlerSrc = (r.handlerSource || r.handlerName || "").replace(/\s+/g, " ");
-          const match = runtimeHandlerSrc.includes(astHandlerSrc) || astHandlerSrc.includes(runtimeHandlerSrc) || r.handlerSource && runtimeHandlerSrc.includes(r.handlerSource.substring(0, 50));
-          return match;
-        });
-        if (preciseMatch) {
-          astMatch = preciseMatch;
-        }
-      }
       if (astMatch) {
         if (astMatch.summary) operation.summary = astMatch.summary;
         if (astMatch.description) operation.description = astMatch.description;
@@ -1003,25 +1206,19 @@ async function generateOpenApi(rootRouter, options = {}) {
         if (astMatch.operationId) operation.operationId = astMatch.operationId;
         if (astMatch.requestTypes?.body) {
           operation.requestBody = {
-            content: {
-              "application/json": { schema: astMatch.requestTypes.body }
-            }
+            content: { "application/json": { schema: astMatch.requestTypes.body } }
           };
         }
         if (astMatch.responseSchema) {
           operation.responses["200"] = {
             description: "Successful response",
-            content: {
-              "application/json": { schema: astMatch.responseSchema }
-            }
+            content: { "application/json": { schema: astMatch.responseSchema } }
           };
         } else if (astMatch.responseType) {
           const contentType = astMatch.responseType === "string" ? "text/plain" : "application/json";
           operation.responses["200"] = {
             description: "Successful response",
-            content: {
-              [contentType]: { schema: { type: astMatch.responseType } }
-            }
+            content: { [contentType]: { schema: { type: astMatch.responseType } } }
           };
         }
         const params = [];
@@ -1072,15 +1269,7 @@ async function generateOpenApi(rootRouter, options = {}) {
         deepMerge(operation, inferredSpec);
       }
       if (route.handlerSpec) {
-        const spec = route.handlerSpec;
-        if (spec.summary) operation.summary = spec.summary;
-        if (spec.description) operation.description = spec.description;
-        if (spec.operationId) operation.operationId = spec.operationId;
-        if (spec.tags) operation.tags = spec.tags;
-        if (spec.security) operation.security = spec.security;
-        if (spec.responses) {
-          operation.responses = { ...operation.responses, ...spec.responses };
-        }
+        deepMerge(operation, route.handlerSpec);
       }
       if (!operation.tags || operation.tags.length === 0) operation.tags = [tag];
       if (operation.tags) {
@@ -1099,11 +1288,13 @@ async function generateOpenApi(rootRouter, options = {}) {
         paths[fullPath][methodLower] = operation;
       }
     }
-    for (const controller of router[$childControllers]) {
+    const controllers = router[$childControllers];
+    for (const controller of controllers) {
       const controllerName = controller.constructor.name || "UnknownController";
       tagGroups.get(group)?.add(controllerName);
     }
-    for (const child of router[$childRouters]) {
+    const childRouters = router[$childRouters];
+    for (const child of childRouters) {
       const mountPath = child[$mountPath];
       const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
       const cleanMount = mountPath.startsWith("/") ? mountPath : "/" + mountPath;
@@ -1113,7 +1304,7 @@ async function generateOpenApi(rootRouter, options = {}) {
   };
   collect(rootRouter);
   const xTagGroups = [];
-  for (const [name, tags] of tagGroups) {
+  for (const [name, tags] of tagGroups.entries()) {
     xTagGroups.push({ name, tags: Array.from(tags).sort() });
   }
   return {
@@ -1135,12 +1326,23 @@ function serveStatic(config, prefix) {
     let relative = ctx.path.slice(normalizedPrefix.length);
     if (!relative.startsWith("/") && relative.length > 0) relative = "/" + relative;
     if (relative.length === 0) relative = "/";
-    relative = decodeURIComponent(relative);
-    const requestPath = join(rootPath, relative);
-    if (!requestPath.startsWith(rootPath)) {
+    if (relative.includes("\0")) {
+      return ctx.json({ error: "Forbidden" }, 403);
+    }
+    try {
+      relative = decodeURIComponent(relative);
+    } catch (e) {
+      return ctx.json({ error: "Bad Request" }, 400);
+    }
+    if (relative.includes("\0")) {
+      return ctx.json({ error: "Forbidden" }, 403);
+    }
+    if (relative.includes("../") || relative.includes("..\\")) {
       return ctx.json({ error: "Forbidden" }, 403);
     }
-    if (requestPath.includes("\0")) {
+    const requestPath = resolve(join(rootPath, relative));
+    const normalizedRoot = resolve(rootPath);
+    if (!requestPath.startsWith(normalizedRoot + sep) && requestPath !== normalizedRoot) {
       return ctx.json({ error: "Forbidden" }, 403);
     }
     if (config.hooks?.onRequest) {
@@ -1148,7 +1350,8 @@ function serveStatic(config, prefix) {
       if (res) return res;
     }
     if (config.exclude) {
-      for (const pattern of config.exclude) {
+      for (let i = 0; i < config.exclude.length; i++) {
+        const pattern = config.exclude[i];
         if (pattern instanceof RegExp) {
           if (pattern.test(relative)) return ctx.json({ error: "Forbidden" }, 403);
         } else if (typeof pattern === "string") {
@@ -1167,7 +1370,8 @@ function serveStatic(config, prefix) {
       stats = await stat(requestPath);
     } catch (e) {
       if (config.extensions) {
-        for (const ext of config.extensions) {
+        for (let i = 0; i < config.extensions.length; i++) {
+          const ext = config.extensions[i];
           const p = requestPath + (ext.startsWith(".") ? ext : "." + ext);
           try {
             const s = await stat(p);
@@ -1196,7 +1400,8 @@ function serveStatic(config, prefix) {
         indexes = [config.index];
       }
       let foundIndex = false;
-      for (const idx of indexes) {
+      for (let i = 0; i < indexes.length; i++) {
+        const idx = indexes[i];
         const idxPath = join(finalPath, idx);
         try {
           const idxStats = await stat(idxPath);
@@ -1278,7 +1483,8 @@ class RouterTrie {
   insert(method, path, handler) {
     let node = this.root;
     const segments = this.splitPath(path);
-    for (const segment of segments) {
+    for (let i = 0; i < segments.length; i++) {
+      const segment = segments[i];
       if (segment === "**") {
         if (!node.recursiveChild) {
           node.recursiveChild = this.createNode();
@@ -1365,40 +1571,68 @@ class RouterTrie {
   }
 }
 const asyncContext = new AsyncLocalStorage();
-const engine = process.env["SHOKUPAN_DB_ENGINE"] === "memory" ? "mem://" : "rocksdb://database";
-const db = new Surreal({
-  engines: createNodeEngines()
-});
-const ready = db.connect(engine, { namespace: "vendor", database: "shokupan" }).then(() => {
-  return db.query(`
-        DEFINE TABLE OVERWRITE failed_requests SCHEMALESS COMMENT "Created by Shokupan";
-        DEFINE TABLE OVERWRITE sessions SCHEMALESS COMMENT "Created by Shokupan";
-        DEFINE TABLE OVERWRITE users SCHEMALESS COMMENT "Created by Shokupan";
-        DEFINE TABLE OVERWRITE idempotency_keys SCHEMALESS COMMENT "Created by Shokupan";
-        DEFINE TABLE OVERWRITE middleware_tracking SCHEMALESS COMMENT "Created by Shokupan";
-        DEFINE TABLE OVERWRITE requests SCHEMALESS COMMENT "Created by Shokupan";
-    `);
-});
+let db;
+let dbPromise = null;
+let RecordId;
+async function ensureDb() {
+  if (db) return db;
+  if (dbPromise) return dbPromise;
+  dbPromise = (async () => {
+    try {
+      const { createNodeEngines } = await import("@surrealdb/node");
+      const surreal = await import("surrealdb");
+      const Surreal = surreal.Surreal;
+      RecordId = surreal.RecordId;
+      const engine = process.env["SHOKUPAN_DB_ENGINE"] === "memory" ? "mem://" : "rocksdb://database";
+      const _db = new Surreal({
+        engines: createNodeEngines()
+      });
+      await _db.connect(engine, { namespace: "vendor", database: "shokupan" });
+      await _db.query(`
+            DEFINE TABLE OVERWRITE failed_requests SCHEMALESS COMMENT "Created by Shokupan";
+            DEFINE TABLE OVERWRITE sessions SCHEMALESS COMMENT "Created by Shokupan";
+            DEFINE TABLE OVERWRITE users SCHEMALESS COMMENT "Created by Shokupan";
+            DEFINE TABLE OVERWRITE idempotency_keys SCHEMALESS COMMENT "Created by Shokupan";
+            DEFINE TABLE OVERWRITE middleware_tracking SCHEMALESS COMMENT "Created by Shokupan";
+            DEFINE TABLE OVERWRITE requests SCHEMALESS COMMENT "Created by Shokupan";
+        `);
+      db = _db;
+      return db;
+    } catch (e) {
+      dbPromise = null;
+      if (e.code === "ERR_MODULE_NOT_FOUND" || e.message.includes("Cannot find module")) {
+        throw new Error("SurrealDB dependencies not found. To use the datastore, please install 'surrealdb' and '@surrealdb/node'.");
+      }
+      throw e;
+    }
+  })();
+  return dbPromise;
+}
 const datastore = {
-  get(store, key) {
+  async get(store, key) {
+    await ensureDb();
     return db.select(new RecordId(store, key));
   },
-  set(store, key, value) {
+  async set(store, key, value) {
+    await ensureDb();
     return db.create(new RecordId(store, key)).content(value);
   },
   async query(query, vars) {
+    await ensureDb();
     try {
-      const r = await db.query(query, vars).collect();
-      return r;
+      const r = await db.query(query, vars);
+      return Array.isArray(r) ? r : r?.collect ? await r.collect() : r;
     } catch (e) {
       console.error("DS ERROR:", e);
       throw e;
     }
   },
-  ready
+  get ready() {
+    return ensureDb().then(() => void 0);
+  }
 };
 process.on("exit", async () => {
-  await db.close();
+  if (db) await db.close();
 });
 const tracer = trace.getTracer("shokupan.middleware");
 function traceHandler(fn, name) {
@@ -1471,6 +1705,8 @@ class ShokupanRouter {
   [$parent] = null;
   [$childRouters] = [];
   [$childControllers] = [];
+  hookCache = /* @__PURE__ */ new Map();
+  hooksInitialized = false;
   middleware = [];
   get rootConfig() {
     return this[$appRoot]?.applicationConfig;
@@ -1488,7 +1724,8 @@ class ShokupanRouter {
   getComponentRegistry() {
     const controllerRoutesMap = /* @__PURE__ */ new Map();
     const localRoutes = [];
-    for (const r of this[$routes]) {
+    for (let i = 0; i < this[$routes].length; i++) {
+      const r = this[$routes][i];
       const entry = {
         type: "route",
         path: r.path,
@@ -1625,7 +1862,8 @@ class ShokupanRouter {
       const decoratedArgs = instance[$routeArgs] || proto && proto[$routeArgs];
       const methodMiddlewareMap = instance[$middleware] || proto && proto[$middleware];
       let routesAttached = 0;
-      for (const name of Array.from(methods)) {
+      for (let i = 0; i < Array.from(methods).length; i++) {
+        const name = Array.from(methods)[i];
         if (name === "constructor") continue;
         if (["arguments", "caller", "callee"].includes(name)) continue;
         const originalHandler = instance[name];
@@ -1637,7 +1875,8 @@ class ShokupanRouter {
           method = config.method;
           subPath = config.path;
         } else {
-          for (const m of HTTPMethods) {
+          for (let j = 0; j < HTTPMethods.length; j++) {
+            const m = HTTPMethods[j];
             if (name.toUpperCase().startsWith(m)) {
               method = m;
               const rest = name.slice(m.length);
@@ -1652,8 +1891,8 @@ class ShokupanRouter {
                     buffer = "";
                   }
                 };
-                for (let i = 0; i < rest.length; i++) {
-                  const char = rest[i];
+                for (let i2 = 0; i2 < rest.length; i2++) {
+                  const char = rest[i2];
                   if (char === "$") {
                     flush();
                     subPath += "/:";
@@ -1691,7 +1930,8 @@ class ShokupanRouter {
             if (routeArgs?.length > 0) {
               args = [];
               const sortedArgs = [...routeArgs].sort((a, b) => a.index - b.index);
-              for (const arg of sortedArgs) {
+              for (let k = 0; k < sortedArgs.length; k++) {
+                const arg = sortedArgs[k];
                 switch (arg.type) {
                   case RouteParamType.BODY:
                     try {
@@ -1721,7 +1961,9 @@ class ShokupanRouter {
                       args[arg.index] = vals.length > 1 ? vals : vals[0];
                     } else {
                       const query = {};
-                      for (const key of url.searchParams.keys()) {
+                      const keys = Object.keys(url.searchParams);
+                      for (let k2 = 0; k2 < keys.length; k2++) {
+                        const key = keys[k2];
                         const vals = url.searchParams.getAll(key);
                         query[key] = vals.length > 1 ? vals : vals[0];
                       }
@@ -1778,9 +2020,11 @@ class ShokupanRouter {
       path: r.path,
       handler: r.handler
     }));
-    for (const child of this[$childRouters]) {
+    for (let i = 0; i < this[$childRouters].length; i++) {
+      const child = this[$childRouters][i];
       const childRoutes = child.getRoutes();
-      for (const route of childRoutes) {
+      for (let j = 0; j < childRoutes.length; j++) {
+        const route = childRoutes[j];
         const cleanPrefix = child[$mountPath].endsWith("/") ? child[$mountPath].slice(0, -1) : child[$mountPath];
         const cleanPath = route.path.startsWith("/") ? route.path : "/" + route.path;
         const fullPath = cleanPrefix + cleanPath || "/";
@@ -1794,12 +2038,12 @@ class ShokupanRouter {
     return routes;
   }
   /**
-   * Makes a sub request to this router.
-   * This is useful for triggering other methods or route handlers. 
+   * Makes an internal request through this router's full routing pipeline.
+   * This is useful for calling other routes internally and supports streaming responses.
    * @param options The request options.
-   * @returns The response.
+   * @returns The raw Response object.
    */
-  async subRequest(arg) {
+  async internalRequest(arg) {
     const options = typeof arg === "string" ? { path: arg } : arg;
     const store = asyncContext.getStore();
     store?.get("req");
@@ -1818,9 +2062,10 @@ class ShokupanRouter {
     return this.root[$dispatch](req);
   }
   /**
-   * Processes a request directly.
+   * Processes a request for testing purposes.
+   * Returns a simplified { status, headers, data } object instead of a Response.
    */
-  async processRequest(options) {
+  async testRequest(options) {
     let url = options.url || options.path || "/";
     if (!url.startsWith("http")) {
       const base = `http://${this.rootConfig?.hostname || "localhost"}:${this.rootConfig?.port || 3e3}`;
@@ -1829,7 +2074,9 @@ class ShokupanRouter {
     }
     if (options.query) {
       const u = new URL(url);
-      for (const [k, v] of Object.entries(options.query)) {
+      const entries = Object.entries(options.query);
+      for (let i = 0; i < entries.length; i++) {
+        const [k, v] = entries[i];
         u.searchParams.set(k, v);
       }
       url = u.toString();
@@ -1874,28 +2121,17 @@ class ShokupanRouter {
       data: result
     };
   }
-  applyRouterHooks(match) {
-    if (!this.config?.hooks) return match;
-    const hooks = this.config.hooks;
-    return {
-      ...match,
-      handler: this.wrapWithHooks(match.handler, hooks)
-    };
-  }
-  wrapWithHooks(handler, hooks) {
-    const hookList = Array.isArray(hooks) ? hooks : [hooks];
-    const hasStart = hookList.some((h) => !!h.onRequestStart);
-    const hasEnd = hookList.some((h) => !!h.onRequestEnd);
-    const hasError = hookList.some((h) => !!h.onError);
+  wrapWithHooks(handler) {
+    if (!this.hooksInitialized) {
+      this.ensureHooksInitialized();
+    }
+    const hasStart = this.hookCache.get("onRequestStart")?.length > 0;
+    const hasEnd = this.hookCache.get("onRequestEnd")?.length > 0;
+    const hasError = this.hookCache.get("onError")?.length > 0;
     if (!hasStart && !hasEnd && !hasError) return handler;
     const originalHandler = handler;
     const wrapped = async (ctx) => {
-      if (hasStart) {
-        for (let i = 0; i < hookList.length; i++) {
-          const h = hookList[i];
-          if (typeof h.onRequestStart === "function") await h.onRequestStart(ctx);
-        }
-      }
+      await this.runHooks("onRequestStart", ctx);
       const debug = ctx._debug;
       let debugId;
       let previousNode;
@@ -1909,17 +2145,11 @@ class ShokupanRouter {
       try {
         const res = await originalHandler(ctx);
         debug?.trackStep(debugId, "handler", performance.now() - start, "success");
-        for (let i = 0; i < hookList.length; i++) {
-          const h = hookList[i];
-          if (typeof h.onRequestEnd === "function") await h.onRequestEnd(ctx);
-        }
+        await this.runHooks("onRequestEnd", ctx);
         return res;
       } catch (err) {
         debug?.trackStep(debugId, "handler", performance.now() - start, "error", err);
-        for (let i = 0; i < hookList.length; i++) {
-          const h = hookList[i];
-          if (typeof h.onError === "function") await h.onError(err, ctx);
-        }
+        await this.runHooks("onError", ctx, err);
         throw err;
       } finally {
         if (debug && previousNode) debug.setNode(previousNode);
@@ -1941,18 +2171,19 @@ class ShokupanRouter {
       result = this.trie.search("GET", path);
       if (result) return result;
     }
-    for (const child of this[$childRouters]) {
+    for (let i = 0; i < this[$childRouters].length; i++) {
+      const child = this[$childRouters][i];
       const prefix = child[$mountPath];
       if (path === prefix || path.startsWith(prefix + "/")) {
         const subPath = path.slice(prefix.length) || "/";
         const match = child.find(method, subPath);
-        if (match) return this.applyRouterHooks(match);
+        if (match) return match;
       }
       if (prefix.endsWith("/")) {
         if (path.startsWith(prefix)) {
           const subPath = path.slice(prefix.length) || "/";
           const match = child.find(method, subPath);
-          if (match) return this.applyRouterHooks(match);
+          if (match) return match;
         }
       }
     }
@@ -1960,10 +2191,13 @@ class ShokupanRouter {
   }
   parsePath(path) {
     const keys = [];
+    if (path.length > 2048) {
+      throw new Error("Path too long");
+    }
     const pattern = path.replace(/:([a-zA-Z0-9_]+)/g, (_, key) => {
       keys.push(key);
-      return "([^/]+)";
-    }).replace(/\*\*/g, ".*").replace(/\*/g, "[^/]+");
+      return "([^/]{1,255})";
+    }).replace(/\*\*/g, ".{0,1000}").replace(/\*/g, "[^/]{1,255}");
     return {
       regex: new RegExp(`^${pattern}$`),
       keys
@@ -1974,17 +2208,23 @@ class ShokupanRouter {
   /**
    * Adds a route to the router.
    * 
-   * @param method - HTTP method
-   * @param path - URL path
-   * @param spec - OpenAPI specification for the route
-   * @param handler - Route handler function
-   * @param requestTimeout - Timeout for this route in milliseconds
+   * @param arg - Route configuration object
+   * @param arg.method - HTTP method
+   * @param arg.path - URL path
+   * @param arg.spec - OpenAPI specification for the route
+   * @param arg.handler - Route handler function
+   * @param arg.regex - Custom regex for path matching
+   * @param arg.group - Group for the route
+   * @param arg.requestTimeout - Timeout for this route in milliseconds
+   * @param arg.renderer - JSX renderer for the route
+   * @param arg.controller - Controller for the route
    */
   add({ method, path, spec, handler, regex: customRegex, group, requestTimeout, renderer, controller }) {
     const { regex, keys } = customRegex ? { regex: customRegex, keys: [] } : this.parsePath(path);
     if (this.currentGuards.length > 0) {
       spec = spec || {};
-      for (const guard of this.currentGuards) {
+      for (let i = 0; i < this.currentGuards.length; i++) {
+        const guard = this.currentGuards[i];
         if (guard.spec) {
           if (guard.spec.responses) {
             spec.responses = spec.responses || {};
@@ -2013,7 +2253,8 @@ class ShokupanRouter {
     if (routeGuards.length > 0) {
       const innerHandler = wrappedHandler;
       wrappedHandler = async (ctx) => {
-        for (const guard of routeGuards) {
+        for (let i = 0; i < routeGuards.length; i++) {
+          const guard = routeGuards[i];
           let guardPassed = false;
           let nextCalled = false;
           const next = () => {
@@ -2107,7 +2348,7 @@ class ShokupanRouter {
     wrappedHandler.originalHandler = trackingHandler.originalHandler || trackingHandler;
     let bakedHandler = wrappedHandler;
     if (this.config?.hooks) {
-      bakedHandler = this.wrapWithHooks(wrappedHandler, this.config.hooks);
+      bakedHandler = this.wrapWithHooks(wrappedHandler);
     }
     this[$routes].push({
       method,
@@ -2264,6 +2505,67 @@ class ShokupanRouter {
   generateApiSpec(options = {}) {
     return generateOpenApi(this, options);
   }
+  ensureHooksInitialized() {
+    const hooks = this.config?.hooks;
+    if (hooks) {
+      const hookList = Array.isArray(hooks) ? hooks : [hooks];
+      const hookTypes = [
+        "onRequestStart",
+        "onRequestEnd",
+        "onResponseStart",
+        "onResponseEnd",
+        "onError",
+        "beforeValidate",
+        "afterValidate",
+        "onRequestTimeout",
+        "onReadTimeout",
+        "onWriteTimeout"
+      ];
+      for (let i = 0; i < hookTypes.length; i++) {
+        const type = hookTypes[i];
+        const fns = [];
+        for (let j = 0; j < hookList.length; j++) {
+          const h = hookList[j];
+          if (h[type]) fns.push(h[type]);
+        }
+        if (fns.length > 0) {
+          this.hookCache.set(type, fns);
+        }
+      }
+    }
+    this.hooksInitialized = true;
+  }
+  async runHooks(name, ...args) {
+    if (!this.hooksInitialized) {
+      this.ensureHooksInitialized();
+    }
+    const fns = this.hookCache.get(name);
+    if (!fns) return;
+    const ctx = args?.[0] instanceof ShokupanContext ? args[0] : void 0;
+    const debug = ctx?._debug;
+    if (debug) {
+      await Promise.all(fns.map(async (fn, index) => {
+        const hookId = `hook_${name}_${fn.name || index}`;
+        const previousNode = debug.getCurrentNode();
+        debug.trackEdge(previousNode, hookId);
+        debug.setNode(hookId);
+        const start = performance.now();
+        try {
+          await fn(...args);
+          const duration = performance.now() - start;
+          debug.trackStep(hookId, "hook", duration, "success");
+        } catch (error) {
+          const duration = performance.now() - start;
+          debug.trackStep(hookId, "hook", duration, "error", error);
+          throw error;
+        } finally {
+          if (previousNode) debug.setNode(previousNode);
+        }
+      }));
+    } else {
+      await Promise.all(fns.map((fn) => fn(...args)));
+    }
+  }
 }
 class SystemCpuMonitor {
   constructor(intervalMs = 1e3) {
@@ -2321,15 +2623,13 @@ class Shokupan extends ShokupanRouter {
   openApiSpec;
   composedMiddleware;
   cpuMonitor;
-  hookCache = /* @__PURE__ */ new Map();
-  hooksInitialized = false;
   get logger() {
     return this.applicationConfig.logger;
   }
   constructor(applicationConfig = {}) {
     const config = Object.assign({}, defaults, applicationConfig);
     const { hooks, ...routerConfig } = config;
-    super(routerConfig);
+    super({ ...routerConfig, hooks });
     this[$isApplication] = true;
     this[$appRoot] = this;
     this.applicationConfig = config;
@@ -2344,7 +2644,6 @@ class Shokupan extends ShokupanRouter {
    * Adds middleware to the application.
    */
   use(middleware) {
-    let trackedMiddleware = middleware;
     const { file, line } = getCallerInfo();
     if (!middleware.metadata) {
       middleware.metadata = {
@@ -2355,32 +2654,36 @@ class Shokupan extends ShokupanRouter {
         pluginName: middleware.pluginName
       };
     }
-    trackedMiddleware = async (ctx, next) => {
-      const c = ctx;
-      if (c.handlerStack && c.app?.applicationConfig.enableMiddlewareTracking) {
-        const metadata = middleware.metadata || {};
-        const start = performance.now();
-        const item = {
-          name: metadata.pluginName ? `${metadata.pluginName} (${metadata.name})` : metadata.name || middleware.name || "middleware",
-          file: metadata.file || file,
-          line: metadata.line || line,
-          isBuiltin: metadata.isBuiltin,
-          startTime: start,
-          duration: -1
-        };
-        c.handlerStack.push(item);
-        try {
-          return await middleware(ctx, next);
-        } finally {
-          item.duration = performance.now() - start;
+    if (this.applicationConfig.enableMiddlewareTracking) {
+      const trackedMiddleware = async (ctx, next) => {
+        const c = ctx;
+        if (c.handlerStack && c.app?.applicationConfig.enableMiddlewareTracking) {
+          const metadata = middleware.metadata || {};
+          const start = performance.now();
+          const item = {
+            name: metadata.pluginName ? `${metadata.pluginName} (${metadata.name})` : metadata.name || middleware.name || "middleware",
+            file: metadata.file || file,
+            line: metadata.line || line,
+            isBuiltin: metadata.isBuiltin,
+            startTime: start,
+            duration: -1
+          };
+          c.handlerStack.push(item);
+          try {
+            return await middleware(ctx, next);
+          } finally {
+            item.duration = performance.now() - start;
+          }
         }
-      }
-      return middleware(ctx, next);
-    };
-    trackedMiddleware.metadata = middleware.metadata;
-    Object.defineProperty(trackedMiddleware, "name", { value: middleware.name || "middleware" });
-    trackedMiddleware.order = this.middleware.length;
-    this.middleware.push(trackedMiddleware);
+        return middleware(ctx, next);
+      };
+      trackedMiddleware.metadata = middleware.metadata;
+      Object.defineProperty(trackedMiddleware, "name", { value: middleware.name || "middleware" });
+      trackedMiddleware.order = this.middleware.length;
+      this.middleware.push(trackedMiddleware);
+    } else {
+      this.middleware.push(middleware);
+    }
     return this;
   }
   startupHooks = [];
@@ -2411,17 +2714,13 @@ class Shokupan extends ShokupanRouter {
     if (finalPort < 0 || finalPort > 65535) {
       throw new Error("Invalid port number");
     }
-    for (const hook of this.startupHooks) {
-      await hook();
-    }
+    await Promise.all(this.startupHooks.map((hook) => hook()));
     if (this.applicationConfig.enableOpenApiGen) {
       this.openApiSpec = await generateOpenApi(this);
-      for (const hook of this.specAvailableHooks) {
-        await hook(this.openApiSpec);
-      }
+      await Promise.all(this.specAvailableHooks.map((hook) => hook(this.openApiSpec)));
     }
     if (port === 0 && process.platform === "linux") ;
-    if (this.applicationConfig.autoBackpressureFeedback) {
+    if (this.applicationConfig.autoBackpressureFeedback === true) {
       this.cpuMonitor = new SystemCpuMonitor();
       this.cpuMonitor.start();
     }
@@ -2449,7 +2748,7 @@ class Shokupan extends ShokupanRouter {
     };
     let factory = this.applicationConfig.serverFactory;
     if (!factory && typeof Bun === "undefined") {
-      const { createHttpServer } = await import("./server-adapter-BWrEJbKL.js");
+      const { createHttpServer } = await import("./server-adapter-0xH174zz.js");
       factory = createHttpServer();
     }
     const server = factory ? await factory(serveOptions) : Bun.serve(serveOptions);
@@ -2462,7 +2761,7 @@ class Shokupan extends ShokupanRouter {
   /**
    * Processes a request by wrapping the standard fetch method.
    */
-  async processRequest(options) {
+  async testRequest(options) {
     let url = options.url || options.path || "/";
     if (!url.startsWith("http")) {
       const base = `http://${this.applicationConfig.hostname || "localhost"}:${this.applicationConfig.port || 3e3}`;
@@ -2471,7 +2770,9 @@ class Shokupan extends ShokupanRouter {
     }
     if (options.query) {
       const u = new URL(url);
-      for (const [k, v] of Object.entries(options.query)) {
+      const entries = Object.entries(options.query);
+      for (let i = 0; i < entries.length; i++) {
+        const [k, v] = entries[i];
         u.searchParams.set(k, v);
       }
       url = u.toString();
@@ -2540,18 +2841,18 @@ class Shokupan extends ShokupanRouter {
       if (this.cpuMonitor && this.cpuMonitor.getUsage() > (this.applicationConfig.autoBackpressureLevel ?? 60)) {
         const msg = "Too Many Requests (CPU Backpressure)";
         const res = ctx.text(msg, 429);
-        await this.executeHook("onResponseEnd", ctx, res);
+        await this.runHooks("onResponseEnd", ctx, res);
         return res;
       }
       try {
-        if (this.hasHook("onRequestStart")) {
-          await this.executeHook("onRequestStart", ctx);
-        }
+        await this.runHooks("onRequestStart", ctx);
         const fn = this.composedMiddleware ??= compose(this.middleware);
         const result = await fn(ctx, async () => {
+          const bodyParsing = ["POST", "PUT", "PATCH", "DELETE"].includes(req.method) ? ctx.parseBody() : Promise.resolve();
           const match = this.find(req.method, ctx.path);
           if (match) {
             ctx.params = match.params;
+            await bodyParsing;
             return match.handler(ctx);
           }
           return null;
@@ -2574,12 +2875,8 @@ class Shokupan extends ShokupanRouter {
         } else {
           response = ctx.text(String(result));
         }
-        if (this.hasHook("onRequestEnd")) {
-          await this.executeHook("onRequestEnd", ctx);
-        }
-        if (this.hasHook("onResponseStart")) {
-          await this.executeHook("onResponseStart", ctx, response);
-        }
+        await this.runHooks("onRequestEnd", ctx);
+        await this.runHooks("onResponseStart", ctx, response);
         return response;
       } catch (err) {
         console.error(err);
@@ -2588,9 +2885,7 @@ class Shokupan extends ShokupanRouter {
         const status = err.status || err.statusCode || 500;
         const body = { error: err.message || "Internal Server Error" };
         if (err.errors) body.errors = err.errors;
-        if (this.hasHook("onError")) {
-          await this.executeHook("onError", err, ctx);
-        }
+        await this.runHooks("onError", ctx, err);
         return ctx.json(body, status);
       }
     };
@@ -2601,9 +2896,7 @@ class Shokupan extends ShokupanRouter {
       const timeoutPromise = new Promise((_, reject) => {
         timeoutId = setTimeout(async () => {
           controller.abort();
-          if (this.hasHook("onRequestTimeout")) {
-            await this.executeHook("onRequestTimeout", ctx);
-          }
+          await this.runHooks("onRequestTimeout", ctx);
           reject(new Error("Request Timeout"));
         }, timeoutMs);
       });
@@ -2616,56 +2909,10 @@ class Shokupan extends ShokupanRouter {
       console.error("Unexpected error in request execution:", err);
       return ctx.text("Internal Server Error", 500);
     }).then(async (res) => {
-      if (this.hasHook("onResponseEnd")) {
-        await this.executeHook("onResponseEnd", ctx, res);
-      }
+      await this.runHooks("onResponseEnd", ctx, res);
       return res;
     });
   }
-  ensureHooksInitialized() {
-    const hooks = this.applicationConfig.hooks;
-    if (hooks) {
-      const hookList = Array.isArray(hooks) ? hooks : [hooks];
-      const hookTypes = [
-        "onRequestStart",
-        "onRequestEnd",
-        "onResponseStart",
-        "onResponseEnd",
-        "onError",
-        "beforeValidate",
-        "afterValidate",
-        "onRequestTimeout",
-        "onReadTimeout",
-        "onWriteTimeout"
-      ];
-      for (const type of hookTypes) {
-        const fns = [];
-        for (const h of hookList) {
-          if (h[type]) fns.push(h[type]);
-        }
-        if (fns.length > 0) {
-          this.hookCache.set(type, fns);
-        }
-      }
-    }
-    this.hooksInitialized = true;
-  }
-  async executeHook(name, ...args) {
-    if (!this.hooksInitialized) {
-      this.ensureHooksInitialized();
-    }
-    const fns = this.hookCache.get(name);
-    if (!fns) return;
-    for (const fn of fns) {
-      await fn(...args);
-    }
-  }
-  hasHook(name) {
-    if (!this.hooksInitialized) {
-      this.ensureHooksInitialized();
-    }
-    return this.hookCache.has(name);
-  }
 }
 class AuthPlugin extends ShokupanRouter {
   constructor(authConfig) {
@@ -2713,7 +2960,9 @@ class AuthPlugin extends ShokupanRouter {
     return jwt;
   }
   init() {
-    for (const [providerName, providerConfig] of Object.entries(this.authConfig.providers)) {
+    const providerEntries = Object.entries(this.authConfig.providers);
+    for (let i = 0; i < providerEntries.length; i++) {
+      const [providerName, providerConfig] = providerEntries[i];
       if (!providerConfig) continue;
       const provider = this.getProviderInstance(providerName, providerConfig);
       if (!provider) {
@@ -2736,9 +2985,10 @@ class AuthPlugin extends ShokupanRouter {
         } else {
           return ctx.text("Provider config error", 500);
         }
-        ctx.res.headers.set("Set-Cookie", `oauth_state=${state}; Path=/; HttpOnly; Max-Age=600`);
+        const isSecure = ctx.secure;
+        ctx.res.headers.set("Set-Cookie", `oauth_state=${state}; Path=/; HttpOnly; SameSite=Lax${isSecure ? "; Secure" : ""}; Max-Age=600`);
         if (codeVerifier) {
-          ctx.res.headers.append("Set-Cookie", `oauth_verifier=${codeVerifier}; Path=/; HttpOnly; Max-Age=600`);
+          ctx.res.headers.append("Set-Cookie", `oauth_verifier=${codeVerifier}; Path=/; HttpOnly; SameSite=Lax${isSecure ? "; Secure" : ""}; Max-Age=600`);
         }
         return ctx.redirect(url.toString());
       });
@@ -2779,7 +3029,7 @@ class AuthPlugin extends ShokupanRouter {
           return ctx.json({ token: jwt, user });
         } catch (e) {
           console.error("Auth Error", e);
-          return ctx.text("Authentication failed: " + e.message + "\n" + e.stack, 500);
+          return ctx.text("Authentication failed. Please try again.", 500);
         }
       });
     }
@@ -2990,14 +3240,21 @@ function Cors(options = {}) {
     const origin = ctx.headers.get("origin");
     const set = (k, v) => headers.set(k, v);
     const append = (k, v) => headers.append(k, v);
+    if (origin === "null" && opts.origin !== "null") {
+      return next();
+    }
     if (opts.origin === "*") {
       set("Access-Control-Allow-Origin", "*");
     } else if (typeof opts.origin === "string") {
       set("Access-Control-Allow-Origin", opts.origin);
     } else if (Array.isArray(opts.origin)) {
-      if (origin && opts.origin.includes(origin)) {
-        set("Access-Control-Allow-Origin", origin);
-        append("Vary", "Origin");
+      if (origin) {
+        const normalizedOrigin = origin.toLowerCase();
+        const normalizedAllowed = opts.origin.map((o) => o.toLowerCase());
+        if (normalizedAllowed.includes(normalizedOrigin)) {
+          set("Access-Control-Allow-Origin", origin);
+          append("Vary", "Origin");
+        }
       }
     } else if (typeof opts.origin === "function") {
       const allowed = opts.origin(ctx);
@@ -3041,7 +3298,9 @@ function Cors(options = {}) {
     }
     const response = await next();
     if (response instanceof Response) {
-      for (const [key, value] of headers.entries()) {
+      const headerEntries = Array.from(headers.entries());
+      for (let i = 0; i < headerEntries.length; i++) {
+        const [key, value] = headerEntries[i];
         response.headers.set(key, value);
       }
     }
@@ -3111,6 +3370,8 @@ function useExpress(expressMiddleware) {
     });
   };
 }
+let plainToInstance;
+let validateOrReject;
 class ValidationError extends Error {
   constructor(errors) {
     super("Validation Error");
@@ -3175,6 +3436,18 @@ function isClass(schema) {
   }
 }
 async function validateClassValidator(schema, data) {
+  if (!plainToInstance || !validateOrReject) {
+    try {
+      const ct = await import("class-transformer");
+      const cv = await import("class-validator");
+      plainToInstance = ct.plainToInstance;
+      validateOrReject = cv.validateOrReject;
+    } catch (e) {
+      throw new Error(
+        "class-transformer and class-validator are required for class-based validation. Install them with: bun add class-transformer class-validator reflect-metadata"
+      );
+    }
+  }
   const object = plainToInstance(schema, data);
   try {
     await validateOrReject(object);
@@ -3189,30 +3462,8 @@ async function validateClassValidator(schema, data) {
   }
 }
 const safelyGetBody = async (ctx) => {
-  const req = ctx.req;
-  if (req._bodyParsed) {
-    return req._bodyValue;
-  }
   try {
-    let data;
-    if (typeof req.json === "function") {
-      data = await req.json();
-    } else {
-      data = req.body;
-      if (typeof data === "string") {
-        try {
-          data = JSON.parse(data);
-        } catch {
-        }
-      }
-    }
-    req._bodyParsed = true;
-    req._bodyValue = data;
-    Object.defineProperty(req, "json", {
-      value: async () => req._bodyValue,
-      configurable: true
-    });
-    return data;
+    return await ctx.body();
   } catch (e) {
     return {};
   }
@@ -3259,9 +3510,7 @@ function validate(config) {
       body = await safelyGetBody(ctx);
       dataToValidate.body = body;
     }
-    if (ctx.app?.hasHook("beforeValidate")) {
-      await ctx.app.executeHook("beforeValidate", ctx, dataToValidate);
-    }
+    await ctx.app.runHooks("beforeValidate", ctx, dataToValidate);
     if (validators.params) {
       ctx.params = await validators.params(ctx.params);
     }
@@ -3277,21 +3526,20 @@ function validate(config) {
     if (validators.body) {
       const b = body ?? await safelyGetBody(ctx);
       validBody = await validators.body(b);
+      ctx._cachedBody = validBody;
       const req = ctx.req;
-      req._bodyValue = validBody;
       Object.defineProperty(req, "json", {
         value: async () => validBody,
+        writable: true,
         configurable: true
       });
       ctx.body = validBody;
     }
-    if (ctx.app?.hasHook("afterValidate")) {
-      const validatedData = { ...dataToValidate };
-      if (config.params) validatedData.params = ctx.params;
-      if (config.query) validatedData.query = validQuery;
-      if (config.body) validatedData.body = validBody;
-      await ctx.app?.executeHook("afterValidate", ctx, validatedData);
-    }
+    const validatedData = { ...dataToValidate };
+    if (config.params) validatedData.params = ctx.params;
+    if (config.query) validatedData.query = validQuery;
+    if (config.body) validatedData.body = validBody;
+    await ctx.app.runHooks("afterValidate", ctx, validatedData);
     return next();
   };
 }
@@ -3314,12 +3562,14 @@ function openApiValidator() {
     if (cache.validators.has(ctx.path)) {
       matchPath = ctx.path;
     } else {
-      for (const [path, { regex, paramNames }] of cache.paths) {
+      const pathEntries = Array.from(cache.paths.entries());
+      for (let i = 0; i < pathEntries.length; i++) {
+        const [path, { regex, paramNames }] = pathEntries[i];
         const match = regex.exec(ctx.path);
         if (match) {
           matchPath = path;
-          paramNames.forEach((name, i) => {
-            matchParams[name] = match[i + 1];
+          paramNames.forEach((name, i2) => {
+            matchParams[name] = match[i2 + 1];
           });
           break;
         }
@@ -3376,7 +3626,9 @@ function openApiValidator() {
 function compileValidators(spec) {
   const validators = /* @__PURE__ */ new Map();
   const paths = /* @__PURE__ */ new Map();
-  for (const [path, pathItem] of Object.entries(spec.paths || {})) {
+  const pathEntries = Object.entries(spec.paths || {});
+  for (let i = 0; i < pathEntries.length; i++) {
+    const [path, pathItem] = pathEntries[i];
     if (path.includes("{")) {
       const paramNames = [];
       const regexStr = "^" + path.replace(/{([^}]+)}/g, (_, name) => {
@@ -3389,7 +3641,9 @@ function compileValidators(spec) {
       });
     }
     const pathValidators = {};
-    for (const [method, operation] of Object.entries(pathItem)) {
+    const methodEntries = Object.entries(pathItem);
+    for (let k = 0; k < methodEntries.length; k++) {
+      const [method, operation] = methodEntries[k];
       if (method === "parameters" || method === "summary" || method === "description") continue;
       const oper = operation;
       const opValidators = {};
@@ -3403,7 +3657,8 @@ function compileValidators(spec) {
       const queryRequired = [];
       const pathRequired = [];
       const headerRequired = [];
-      for (const param of parameters) {
+      for (let j = 0; j < parameters.length; j++) {
+        const param = parameters[j];
         if (param.in === "query") {
           queryProps[param.name] = param.schema || {};
           if (param.required) queryRequired.push(param.name);
@@ -3564,14 +3819,18 @@ function SecurityHeaders(options = {}) {
       if (opt === void 0 || opt === true) {
         set("Content-Security-Policy", "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests");
       } else if (typeof opt === "object") {
-        for (const [key, val] of Object.entries(opt)) {
+        const optEntries = Object.entries(opt);
+        for (let i = 0; i < optEntries.length; i++) {
+          const [key, val] = optEntries[i];
         }
       }
     }
     if (options.hidePoweredBy !== false) ;
     const response = await next();
     if (response instanceof Response) {
-      for (const [k, v] of Object.entries(headers)) {
+      const headerEntries = Object.entries(headers);
+      for (let i = 0; i < headerEntries.length; i++) {
+        const [k, v] = headerEntries[i];
         response.headers.set(k, v);
       }
       return response;
@@ -3657,7 +3916,9 @@ class MemoryStore extends EventEmitter {
   }
   all(cb) {
     const result = {};
-    for (const sid in this.sessions) {
+    const sessionKeys = Object.keys(this.sessions);
+    for (let i = 0; i < sessionKeys.length; i++) {
+      const sid = sessionKeys[i];
       try {
         result[sid] = JSON.parse(this.sessions[sid]);
       } catch {
@@ -3680,11 +3941,17 @@ function unsign(input, secret) {
   if (typeof secret !== "string") throw new TypeError("Secret string must be provided.");
   const tentValue = input.slice(0, input.lastIndexOf("."));
   const expectedInput = sign(tentValue, secret);
-  const expectedBuffer = Buffer.from(expectedInput);
-  const inputBuffer = Buffer.from(input);
-  if (expectedBuffer.length !== inputBuffer.length) return false;
-  const valid = require("crypto").timingSafeEqual(expectedBuffer, inputBuffer);
-  return valid ? tentValue : false;
+  const maxLength = Math.max(expectedInput.length, input.length);
+  const paddedExpected = Buffer.alloc(maxLength);
+  const paddedInput = Buffer.alloc(maxLength);
+  Buffer.from(expectedInput).copy(paddedExpected);
+  Buffer.from(input).copy(paddedInput);
+  try {
+    const valid = require("crypto").timingSafeEqual(paddedExpected, paddedInput);
+    return valid ? tentValue : false;
+  } catch {
+    return false;
+  }
 }
 function Session(options) {
   const store = options.store || new MemoryStore();
@@ -3743,7 +4010,9 @@ function Session(options) {
       sessObj.regenerate = (cb) => {
         store.destroy(sessObj.id, (err) => {
           sessionID = generateId(ctx);
-          for (const key in sessObj) {
+          const keys = Object.keys(sessObj);
+          for (let i = 0; i < keys.length; i++) {
+            const key = keys[i];
             if (key !== "cookie" && key !== "id" && typeof sessObj[key] !== "function") {
               delete sessObj[key];
             }
@@ -3758,7 +4027,9 @@ function Session(options) {
         store.get(sessObj.id, (err, sess2) => {
           if (err) return cb(err);
           if (!sess2) return cb(new Error("Session not found"));
-          for (const key in sessObj) {
+          const keys = Object.keys(sessObj);
+          for (let i = 0; i < keys.length; i++) {
+            const key = keys[i];
             if (key !== "cookie" && key !== "id" && typeof sessObj[key] !== "function") {
               delete sessObj[key];
             }