shokupan 0.6.0 → 0.7.0

package/dist/index.js

@@ -1,81 +1,21 @@
 import { readFile } from "node:fs/promises";
+import { trace, SpanKind, SpanStatusCode, context } from "@opentelemetry/api";
+import { AsyncLocalStorage } from "node:async_hooks";
 import { Eta } from "eta";
 import { stat, readdir, readFile as readFile$1 } from "fs/promises";
-import { resolve, join, basename } from "path";
-import { AsyncLocalStorage } from "node:async_hooks";
-import { trace, SpanKind, SpanStatusCode, context } from "@opentelemetry/api";
+import { resolve, join, sep, basename } from "path";
 import * as os from "node:os";
+import os__default from "node:os";
 import { OAuth2Client, Okta, Auth0, Apple, MicrosoftEntraId, Google, GitHub, generateState, generateCodeVerifier } from "arctic";
 import * as jose from "jose";
+import cluster from "node:cluster";
+import net from "node:net";
+import { OpenAPIAnalyzer } from "./analyzer-Ce_7JxZh.js";
 import * as zlib from "node:zlib";
 import Ajv from "ajv";
 import addFormats from "ajv-formats";
-import { OpenAPIAnalyzer } from "./openapi-analyzer-Ce_7JxZh.js";
 import { randomUUID, createHmac } from "crypto";
 import { EventEmitter } from "events";
-class ShokupanResponse {
-  _headers = null;
-  _status = 200;
-  /**
-   * Get the current headers
-   */
-  get headers() {
-    if (!this._headers) this._headers = new Headers();
-    return this._headers;
-  }
-  /**
-   * Get the current status code
-   */
-  get status() {
-    return this._status;
-  }
-  /**
-   * Set the status code
-   */
-  set status(code) {
-    this._status = code;
-  }
-  /**
-   * Set a response header
-   * @param key Header name
-   * @param value Header value
-   */
-  set(key, value) {
-    if (!this._headers) this._headers = new Headers();
-    this._headers.set(key, value);
-    return this;
-  }
-  /**
-   * Append to a response header
-   * @param key Header name
-   * @param value Header value
-   */
-  append(key, value) {
-    if (!this._headers) this._headers = new Headers();
-    this._headers.append(key, value);
-    return this;
-  }
-  /**
-   * Get a response header value
-   * @param key Header name
-   */
-  get(key) {
-    return this._headers?.get(key) || null;
-  }
-  /**
-   * Check if a header exists
-   * @param key Header name
-   */
-  has(key) {
-    return this._headers?.has(key) || false;
-  }
-  /**
-   * Internal: check if headers have been initialized/modified
-   */
-  get hasPopulatedHeaders() {
-    return this._headers !== null;
-  }
-}
 const VALID_HTTP_STATUSES = /* @__PURE__ */ new Set([
   100,
   101,
@@ -142,6 +82,78 @@ const VALID_HTTP_STATUSES = /* @__PURE__ */ new Set([
   511
 ]);
 const VALID_REDIRECT_STATUSES = /* @__PURE__ */ new Set([301, 302, 303, 307, 308]);
+class ShokupanResponse {
+  _headers = null;
+  _status = 200;
+  /**
+   * Get the current headers
+   */
+  get headers() {
+    if (!this._headers) this._headers = new Headers();
+    return this._headers;
+  }
+  /**
+   * Get the current status code
+   */
+  get status() {
+    return this._status;
+  }
+  /**
+   * Set the status code
+   */
+  set status(code) {
+    this._status = code;
+  }
+  /**
+   * Set a response header
+   * @param key Header name
+   * @param value Header value
+   */
+  set(key, value) {
+    if (!this._headers) this._headers = new Headers();
+    this._headers.set(key, value);
+    return this;
+  }
+  /**
+   * Append to a response header
+   * @param key Header name
+   * @param value Header value
+   */
+  append(key, value) {
+    if (!this._headers) this._headers = new Headers();
+    this._headers.append(key, value);
+    return this;
+  }
+  /**
+   * Get a response header value
+   * @param key Header name
+   */
+  get(key) {
+    return this._headers?.get(key) || null;
+  }
+  /**
+   * Check if a header exists
+   * @param key Header name
+   */
+  has(key) {
+    return this._headers?.has(key) || false;
+  }
+  /**
+   * Internal: check if headers have been initialized/modified
+   */
+  get hasPopulatedHeaders() {
+    return this._headers !== null;
+  }
+}
+function isValidCookieDomain(domain, currentHost) {
+  const hostWithoutPort = currentHost.split(":")[0];
+  if (domain === hostWithoutPort) return true;
+  if (domain.startsWith(".")) {
+    const domainWithoutDot = domain.slice(1);
+    return hostWithoutPort.endsWith(domainWithoutDot);
+  }
+  return false;
+}
 class ShokupanContext {
   constructor(request, server, state, app, signal, enableMiddlewareTracking = false) {
     this.request = request;
@@ -180,12 +192,20 @@ class ShokupanContext {
   _bodyType;
   _bodyParsed = false;
   _bodyParseError;
+  _routeMatched = false;
   // Cached URL properties to avoid repeated parsing
   _cachedHostname;
   _cachedProtocol;
   _cachedHost;
   _cachedOrigin;
   _cachedQuery;
+  /**
+   * JSX Rendering Function
+   */
+  renderer;
+  setRenderer(renderer) {
+    this.renderer = renderer;
+  }
   get url() {
     if (!this._url) {
       const urlString = this.request.url || "http://localhost/";
@@ -235,16 +255,20 @@ class ShokupanContext {
    */
   get query() {
     if (this._cachedQuery) return this._cachedQuery;
-    const q = {};
+    const q = /* @__PURE__ */ Object.create(null);
+    const blocklist = ["__proto__", "constructor", "prototype"];
     const entries = Object.entries(this.url.searchParams);
     for (let i = 0; i < entries.length; i++) {
       const [key, value] = entries[i];
-      if (q[key] === void 0) {
-        q[key] = value;
-      } else if (Array.isArray(q[key])) {
-        q[key].push(value);
+      if (blocklist.includes(key)) continue;
+      if (Object.prototype.hasOwnProperty.call(q, key)) {
+        if (Array.isArray(q[key])) {
+          q[key].push(value);
+        } else {
+          q[key] = [q[key], value];
+        }
       } else {
-        q[key] = [q[key], value];
+        q[key] = value;
       }
     }
     this._cachedQuery = q;
@@ -321,6 +345,12 @@ class ShokupanContext {
    * @param options Cookie options
    */
   setCookie(name, value, options = {}) {
+    if (options.domain) {
+      const currentHost = this.hostname;
+      if (!isValidCookieDomain(options.domain, currentHost)) {
+        throw new Error(`Invalid cookie domain: ${options.domain} for host ${currentHost}`);
+      }
+    }
     let cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
     if (options.maxAge) cookie += `; Max-Age=${Math.floor(options.maxAge)}`;
     if (options.domain) cookie += `; Domain=${options.domain}`;
@@ -393,11 +423,15 @@ class ShokupanContext {
     }
     const contentType = this.request.headers.get("content-type") || "";
     if (contentType.includes("application/json") || contentType.includes("+json")) {
-      const rawText = await this.readRawBody();
       const parserType = this.app?.applicationConfig?.jsonParser || "native";
       if (parserType === "native") {
-        this._cachedBody = JSON.parse(rawText);
+        try {
+          this._cachedBody = await this.request.json();
+        } catch (e) {
+          throw e;
+        }
       } else {
+        const rawText = await this.request.text();
         const { getJSONParser } = await import("./json-parser-B3dnQmCC.js");
         const parser = getJSONParser(parserType);
         this._cachedBody = parser(rawText);
@@ -407,7 +441,7 @@ class ShokupanContext {
       this._cachedBody = await this.request.formData();
       this._bodyType = "formData";
     } else {
-      this._cachedBody = await this.readRawBody();
+      this._cachedBody = await this.request.text();
       this._bodyType = "text";
     }
     this._bodyParsed = true;
@@ -585,10 +619,6 @@ class ShokupanContext {
       return this._finalResponse;
     }
   }
-  /**
-   * JSX Rendering Function
-   */
-  renderer;
   /**
    * Render a JSX element
    * @param element JSX Element
@@ -607,271 +637,67 @@ class ShokupanContext {
     return this.html(html, status, headers);
   }
 }
-function RateLimitMiddleware(options = {}) {
-  const windowMs = options.windowMs || 60 * 1e3;
-  const max = options.limit || options.max || 5;
-  const message = options.message || "Too many requests, please try again later.";
-  const statusCode = options.statusCode || 429;
-  const headers = options.headers !== false;
-  const mode = options.mode || "user";
-  const keyGenerator = options.keyGenerator || ((ctx) => {
-    if (mode === "absolute") {
-      return "global";
-    }
-    return ctx.headers.get("x-forwarded-for") || ctx.request.headers.get("x-forwarded-for") || ctx.server?.requestIP?.(ctx.request)?.address || "unknown";
-  });
-  const skip = options.skip || (() => false);
-  const hits = /* @__PURE__ */ new Map();
-  const interval = setInterval(() => {
-    const now = Date.now();
-    const entries = Array.from(hits.entries());
-    for (let i = 0; i < entries.length; i++) {
-      const [key, record] = entries[i];
-      if (record.resetTime <= now) {
-        hits.delete(key);
+const compose = (middleware) => {
+  if (!middleware.length) {
+    return (context2, next) => {
+      return next ? next() : Promise.resolve();
+    };
+  }
+  return function dispatch(context2, next) {
+    let index = -1;
+    async function runner(i) {
+      if (i <= index) return Promise.reject(new Error("next() called multiple times"));
+      index = i;
+      if (i >= middleware.length) {
+        return next ? next() : Promise.resolve();
       }
-    }
-  }, windowMs);
-  if (interval.unref) interval.unref();
-  const rateLimitMiddleware = async function RateLimitMiddleware2(ctx, next) {
-    if (skip(ctx)) return next();
-    const key = keyGenerator(ctx);
-    const now = Date.now();
-    let record = hits.get(key);
-    if (!record || record.resetTime <= now) {
-      record = {
-        hits: 0,
-        resetTime: now + windowMs
-      };
-      hits.set(key, record);
-    }
-    record.hits++;
-    const remaining = Math.max(0, max - record.hits);
-    const resetTime = Math.ceil(record.resetTime / 1e3);
-    const retryAfter = Math.ceil((record.resetTime - now) / 1e3);
-    const setHeaders = (res) => {
-      if (!headers || !res || !res.headers) return;
-      try {
-        res.headers.set("X-RateLimit-Limit", String(max));
-        res.headers.set("X-RateLimit-Remaining", String(remaining));
-        res.headers.set("X-RateLimit-Reset", String(resetTime));
-      } catch (e) {
+      const fn = middleware[i];
+      if (!context2._debug) {
+        return fn(context2, () => runner(i + 1));
       }
-    };
-    if (record.hits > max) {
-      typeof message === "object" ? JSON.stringify(message) : String(message);
-      const res = typeof message === "object" ? ctx.json(message, statusCode) : ctx.text(String(message), statusCode);
-      if (headers) {
-        setHeaders(res);
-        res.headers.set("Retry-After", String(retryAfter));
+      const debug = context2._debug;
+      const debugId = fn._debugId || fn.name || "anonymous";
+      const previousNode = debug.getCurrentNode();
+      debug.trackEdge(previousNode, debugId);
+      debug.setNode(debugId);
+      const start = performance.now();
+      try {
+        const res = await Promise.resolve(fn(context2, () => runner(i + 1)));
+        debug.trackStep(debugId, "middleware", performance.now() - start, "success");
+        return res;
+      } catch (err) {
+        debug.trackStep(debugId, "middleware", performance.now() - start, "error", err);
+        return Promise.reject(err);
+      } finally {
+        if (previousNode) debug.setNode(previousNode);
       }
-      return res;
-    }
-    const response = await next();
-    if (response instanceof Response && headers) {
-      setHeaders(response);
     }
-    return response;
+    return runner(0);
   };
-  rateLimitMiddleware.isBuiltin = true;
-  rateLimitMiddleware.pluginName = "RateLimit";
-  return rateLimitMiddleware;
-}
-const $isApplication = /* @__PURE__ */ Symbol.for("Shokupan.app");
-const $appRoot = /* @__PURE__ */ Symbol.for("Shokupan.app-root");
-const $isMounted = /* @__PURE__ */ Symbol("Shokupan.isMounted");
-const $routeMethods = /* @__PURE__ */ Symbol("Shokupan.routeMethods");
-const $routeArgs = /* @__PURE__ */ Symbol("Shokupan.routeArgs");
-const $controllerPath = /* @__PURE__ */ Symbol("Shokupan.controllerPath");
-const $middleware = /* @__PURE__ */ Symbol("Shokupan.middleware");
-const $isRouter = /* @__PURE__ */ Symbol.for("Shokupan.router");
-const $parent = /* @__PURE__ */ Symbol.for("Shokupan.parent");
-const $childRouters = /* @__PURE__ */ Symbol.for("Shokupan.child-routers");
-const $childControllers = /* @__PURE__ */ Symbol.for("Shokupan.child-controllers");
-const $mountPath = /* @__PURE__ */ Symbol.for("Shokupan.mount-path");
-const $dispatch = /* @__PURE__ */ Symbol.for("Shokupan.dispatch");
-const $routes = /* @__PURE__ */ Symbol.for("Shokupan.routes");
-const $routeSpec = /* @__PURE__ */ Symbol.for("Shokupan.routeSpec");
-const HTTPMethods = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "ALL"];
-var RouteParamType = /* @__PURE__ */ ((RouteParamType2) => {
-  RouteParamType2["BODY"] = "BODY";
-  RouteParamType2["PARAM"] = "PARAM";
-  RouteParamType2["QUERY"] = "QUERY";
-  RouteParamType2["HEADER"] = "HEADER";
-  RouteParamType2["REQUEST"] = "REQUEST";
-  RouteParamType2["CONTEXT"] = "CONTEXT";
-  return RouteParamType2;
-})(RouteParamType || {});
-function Controller(path = "/") {
-  return (target) => {
-    target[$controllerPath] = path;
-  };
-}
-function Use(...middleware) {
-  return (target, propertyKey, descriptor) => {
-    if (!propertyKey) {
-      const existing = target[$middleware] || [];
-      target[$middleware] = [...existing, ...middleware];
-    } else {
-      if (!target[$middleware]) {
-        target[$middleware] = /* @__PURE__ */ new Map();
-      }
-      const existing = target[$middleware].get(propertyKey) || [];
-      target[$middleware].set(propertyKey, [...existing, ...middleware]);
-    }
-  };
-}
-function createParamDecorator(type) {
-  return (name) => {
-    return (target, propertyKey, parameterIndex) => {
-      if (!target[$routeArgs]) {
-        target[$routeArgs] = /* @__PURE__ */ new Map();
-      }
-      if (!target[$routeArgs].has(propertyKey)) {
-        target[$routeArgs].set(propertyKey, []);
-      }
-      target[$routeArgs].get(propertyKey).push({
-        index: parameterIndex,
-        type,
-        name
-      });
-    };
-  };
-}
-const Body = createParamDecorator(RouteParamType.BODY);
-const Param = createParamDecorator(RouteParamType.PARAM);
-const Query = createParamDecorator(RouteParamType.QUERY);
-const Headers$1 = createParamDecorator(RouteParamType.HEADER);
-const Req = createParamDecorator(RouteParamType.REQUEST);
-const Ctx = createParamDecorator(RouteParamType.CONTEXT);
-function Spec(spec) {
-  return (target, propertyKey, descriptor) => {
-    if (!target[$routeSpec]) {
-      target[$routeSpec] = /* @__PURE__ */ new Map();
-    }
-    target[$routeSpec].set(propertyKey, spec);
-  };
-}
-function createMethodDecorator(method) {
-  return (path = "/") => {
-    return (target, propertyKey, descriptor) => {
-      if (!target[$routeMethods]) {
-        target[$routeMethods] = /* @__PURE__ */ new Map();
-      }
-      target[$routeMethods].set(propertyKey, {
-        method,
-        path
-      });
-    };
-  };
-}
-const Get = createMethodDecorator("GET");
-const Post = createMethodDecorator("POST");
-const Put = createMethodDecorator("PUT");
-const Delete = createMethodDecorator("DELETE");
-const Patch = createMethodDecorator("PATCH");
-const Options = createMethodDecorator("OPTIONS");
-const Head = createMethodDecorator("HEAD");
-const All = createMethodDecorator("ALL");
-function RateLimit(options) {
-  return Use(RateLimitMiddleware(options));
-}
-class Container {
-  static services = /* @__PURE__ */ new Map();
-  static register(target, instance) {
-    this.services.set(target, instance);
-  }
-  static get(target) {
-    return this.services.get(target);
-  }
-  static has(target) {
-    return this.services.has(target);
-  }
-  static resolve(target) {
-    if (this.services.has(target)) {
-      return this.services.get(target);
-    }
-    const instance = new target();
-    this.services.set(target, instance);
-    return instance;
-  }
-}
-function Injectable() {
-  return (target) => {
-  };
-}
-function Inject(token) {
-  return (target, key) => {
-    Object.defineProperty(target, key, {
-      get: () => Container.resolve(token),
-      enumerable: true,
-      configurable: true
-    });
-  };
-}
-const compose = (middleware) => {
-  if (!middleware.length) {
-    return (context2, next) => {
-      return next ? next() : Promise.resolve();
-    };
-  }
-  return function dispatch(context2, next) {
-    let index = -1;
-    async function runner(i) {
-      if (i <= index) return Promise.reject(new Error("next() called multiple times"));
-      index = i;
-      if (i >= middleware.length) {
-        return next ? next() : Promise.resolve();
-      }
-      const fn = middleware[i];
-      if (!context2._debug) {
-        return fn(context2, () => runner(i + 1));
+};
+const tracer = trace.getTracer("shokupan.middleware");
+function traceHandler(fn, name) {
+  return async function(...args) {
+    return tracer.startActiveSpan(`route handler - ${name}`, {
+      kind: SpanKind.INTERNAL,
+      attributes: {
+        "http.route": name,
+        "component": "shokupan.route"
       }
-      const debug = context2._debug;
-      const debugId = fn._debugId || fn.name || "anonymous";
-      const previousNode = debug.getCurrentNode();
-      debug.trackEdge(previousNode, debugId);
-      debug.setNode(debugId);
-      const start = performance.now();
+    }, async (span) => {
       try {
-        const res = await Promise.resolve(fn(context2, () => runner(i + 1)));
-        debug.trackStep(debugId, "middleware", performance.now() - start, "success");
-        return res;
+        const result = await fn.apply(this, args);
+        return result;
       } catch (err) {
-        debug.trackStep(debugId, "middleware", performance.now() - start, "error", err);
-        return Promise.reject(err);
+        span.recordException(err);
+        span.setStatus({ code: SpanStatusCode.ERROR, message: err.message });
+        throw err;
       } finally {
-        if (previousNode) debug.setNode(previousNode);
+        span.end();
       }
-    }
-    return runner(0);
+    });
   };
-};
-class ShokupanRequestBase {
-  method;
-  url;
-  headers;
-  body;
-  async json() {
-    return JSON.parse(this.body);
-  }
-  async text() {
-    return this.body;
-  }
-  async formData() {
-    if (this.body instanceof FormData) {
-      return this.body;
-    }
-    return new Response(this.body, { headers: this.headers }).formData();
-  }
-  constructor(props) {
-    Object.assign(this, props);
-    if (!(this.headers instanceof Headers)) {
-      this.headers = new Headers(this.headers);
-    }
-  }
 }
-const ShokupanRequest = ShokupanRequestBase;
 function isObject(item) {
   return item && typeof item === "object" && !Array.isArray(item);
 }
@@ -905,6 +731,21 @@ function deepMerge(target, ...sources) {
   }
   return deepMerge(target, ...sources);
 }
+const $isApplication = /* @__PURE__ */ Symbol.for("Shokupan.app");
+const $appRoot = /* @__PURE__ */ Symbol.for("Shokupan.app-root");
+const $isMounted = /* @__PURE__ */ Symbol("Shokupan.isMounted");
+const $routeMethods = /* @__PURE__ */ Symbol("Shokupan.routeMethods");
+const $routeArgs = /* @__PURE__ */ Symbol("Shokupan.routeArgs");
+const $controllerPath = /* @__PURE__ */ Symbol("Shokupan.controllerPath");
+const $middleware = /* @__PURE__ */ Symbol("Shokupan.middleware");
+const $isRouter = /* @__PURE__ */ Symbol.for("Shokupan.router");
+const $parent = /* @__PURE__ */ Symbol.for("Shokupan.parent");
+const $childRouters = /* @__PURE__ */ Symbol.for("Shokupan.child-routers");
+const $childControllers = /* @__PURE__ */ Symbol.for("Shokupan.child-controllers");
+const $mountPath = /* @__PURE__ */ Symbol.for("Shokupan.mount-path");
+const $dispatch = /* @__PURE__ */ Symbol.for("Shokupan.dispatch");
+const $routes = /* @__PURE__ */ Symbol.for("Shokupan.routes");
+const $routeSpec = /* @__PURE__ */ Symbol.for("Shokupan.routeSpec");
 const REGEX_PATTERNS = {
   QUERY_INT: /parseInt\(ctx\.query\.(\w+)\)/g,
   QUERY_FLOAT: /parseFloat\(ctx\.query\.(\w+)\)/g,
@@ -1097,7 +938,7 @@ async function generateOpenApi(rootRouter, options = {}) {
   const defaultTagName = options.defaultTag || "Application";
   let astRoutes = [];
   try {
-    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./openapi-analyzer-Ce_7JxZh.js");
+    const { OpenAPIAnalyzer: OpenAPIAnalyzer2 } = await import("./analyzer-Ce_7JxZh.js");
     const analyzer = new OpenAPIAnalyzer2(process.cwd());
     const { applications } = await analyzer.analyze();
     astRoutes = await getAstRoutes(applications);
@@ -1286,6 +1127,11 @@ async function generateOpenApi(rootRouter, options = {}) {
     "x-tagGroups": xTagGroups
   };
 }
+class RequestContextStore {
+  request;
+  span;
+}
+const asyncContext = new AsyncLocalStorage();
 const eta$1 = new Eta();
 function serveStatic(config, prefix) {
   const rootPath = resolve(config.root || ".");
@@ -1294,12 +1140,23 @@ function serveStatic(config, prefix) {
     let relative = ctx.path.slice(normalizedPrefix.length);
     if (!relative.startsWith("/") && relative.length > 0) relative = "/" + relative;
     if (relative.length === 0) relative = "/";
-    relative = decodeURIComponent(relative);
-    const requestPath = join(rootPath, relative);
-    if (!requestPath.startsWith(rootPath)) {
+    if (relative.includes("\0")) {
+      return ctx.json({ error: "Forbidden" }, 403);
+    }
+    try {
+      relative = decodeURIComponent(relative);
+    } catch (e) {
+      return ctx.json({ error: "Bad Request" }, 400);
+    }
+    if (relative.includes("\0")) {
+      return ctx.json({ error: "Forbidden" }, 403);
+    }
+    if (relative.includes("../") || relative.includes("..\\")) {
       return ctx.json({ error: "Forbidden" }, 403);
     }
-    if (requestPath.includes("\0")) {
+    const requestPath = resolve(join(rootPath, relative));
+    const normalizedRoot = resolve(rootPath);
+    if (!requestPath.startsWith(normalizedRoot + sep) && requestPath !== normalizedRoot) {
       return ctx.json({ error: "Forbidden" }, 403);
     }
     if (config.hooks?.onRequest) {
@@ -1427,107 +1284,6 @@ function serveStatic(config, prefix) {
   serveStaticMiddleware.pluginName = "ServeStatic";
   return serveStaticMiddleware;
 }
-class RouterTrie {
-  root;
-  constructor() {
-    this.root = this.createNode();
-  }
-  createNode() {
-    return {
-      children: {}
-    };
-  }
-  insert(method, path, handler) {
-    let node = this.root;
-    const segments = this.splitPath(path);
-    for (let i = 0; i < segments.length; i++) {
-      const segment = segments[i];
-      if (segment === "**") {
-        if (!node.recursiveChild) {
-          node.recursiveChild = this.createNode();
-        }
-        node = node.recursiveChild;
-      } else if (segment === "*") {
-        if (!node.wildcardChild) {
-          node.wildcardChild = this.createNode();
-        }
-        node = node.wildcardChild;
-      } else if (segment.startsWith(":")) {
-        const paramName = segment.slice(1);
-        if (!node.paramChild) {
-          node.paramChild = this.createNode();
-          node.paramChild.paramName = paramName;
-        }
-        node = node.paramChild;
-        node.paramName = paramName;
-      } else {
-        if (!node.children[segment]) {
-          node.children[segment] = this.createNode();
-        }
-        node = node.children[segment];
-      }
-    }
-    if (!node.handlers) {
-      node.handlers = {};
-    }
-    node.handlers[method] = handler;
-  }
-  search(method, path) {
-    const segments = this.splitPath(path);
-    const params = {};
-    const match = this.findNode(this.root, segments, 0, params);
-    if (match && match.handlers) {
-      const handler = match.handlers[method] || match.handlers["ALL"];
-      if (handler) {
-        return { handler, params };
-      }
-      if (method === "HEAD" && match.handlers["GET"]) {
-        return { handler: match.handlers["GET"], params };
-      }
-    }
-    return null;
-  }
-  findNode(node, segments, index, params) {
-    if (index === segments.length) {
-      if (node.handlers) return node;
-      if (node.recursiveChild && node.recursiveChild.handlers) {
-        return node.recursiveChild;
-      }
-      return null;
-    }
-    const segment = segments[index];
-    const child = node.children[segment];
-    if (child) {
-      const result = this.findNode(child, segments, index + 1, params);
-      if (result) return result;
-    }
-    if (node.paramChild) {
-      params[node.paramChild.paramName] = segment;
-      const result = this.findNode(node.paramChild, segments, index + 1, params);
-      if (result) return result;
-      delete params[node.paramChild.paramName];
-    }
-    if (node.wildcardChild) {
-      const result = this.findNode(node.wildcardChild, segments, index + 1, params);
-      if (result) return result;
-    }
-    if (node.recursiveChild) {
-      const remaining = segments.length - index;
-      for (let k = 0; k <= remaining; k++) {
-        const result = this.findNode(node.recursiveChild, segments, index + k, params);
-        if (result) return result;
-      }
-    }
-    return null;
-  }
-  splitPath(path) {
-    if (path === "/" || path === "") return [];
-    const s = path.startsWith("/") ? path.slice(1) : path;
-    if (s === "") return [];
-    return s.split("/");
-  }
-}
-const asyncContext = new AsyncLocalStorage();
 let db;
 let dbPromise = null;
 let RecordId;
@@ -1591,29 +1347,64 @@ const datastore = {
 process.on("exit", async () => {
   if (db) await db.close();
 });
-const tracer = trace.getTracer("shokupan.middleware");
-function traceHandler(fn, name) {
-  return async function(...args) {
-    return tracer.startActiveSpan(`route handler - ${name}`, {
-      kind: SpanKind.INTERNAL,
-      attributes: {
-        "http.route": name,
-        "component": "shokupan.route"
-      }
-    }, async (span) => {
-      try {
-        const result = await fn.apply(this, args);
-        return result;
-      } catch (err) {
-        span.recordException(err);
-        span.setStatus({ code: SpanStatusCode.ERROR, message: err.message });
-        throw err;
-      } finally {
-        span.end();
-      }
+class Container {
+  static services = /* @__PURE__ */ new Map();
+  static register(target, instance) {
+    this.services.set(target, instance);
+  }
+  static get(target) {
+    return this.services.get(target);
+  }
+  static has(target) {
+    return this.services.has(target);
+  }
+  static resolve(target) {
+    if (this.services.has(target)) {
+      return this.services.get(target);
+    }
+    const instance = new target();
+    this.services.set(target, instance);
+    return instance;
+  }
+}
+function Injectable() {
+  return (target) => {
+  };
+}
+function Inject(token) {
+  return (target, key) => {
+    Object.defineProperty(target, key, {
+      get: () => Container.resolve(token),
+      enumerable: true,
+      configurable: true
     });
   };
 }
+class ShokupanRequestBase {
+  method;
+  url;
+  headers;
+  body;
+  async json() {
+    return JSON.parse(this.body);
+  }
+  async text() {
+    return this.body;
+  }
+  async formData() {
+    if (this.body instanceof FormData) {
+      return this.body;
+    }
+    return new Response(this.body, { headers: this.headers }).formData();
+  }
+  constructor(props) {
+    Object.assign(this, props);
+    if (!(this.headers instanceof Headers)) {
+      this.headers = new Headers(this.headers);
+    }
+  }
+}
+const ShokupanRequest = ShokupanRequestBase;
 function getCallerInfo(skipFrames = 1) {
   let file = "unknown";
   let line = 0;
@@ -1639,12 +1430,120 @@ function getCallerInfo(skipFrames = 1) {
         }
       }
     }
-  } catch (e) {
+  } catch (e) {
+  }
+  return { file, line };
+}
+class RouterTrie {
+  root;
+  constructor() {
+    this.root = this.createNode();
+  }
+  createNode() {
+    return {
+      children: {}
+    };
+  }
+  insert(method, path, handler) {
+    let node = this.root;
+    const segments = this.splitPath(path);
+    for (let i = 0; i < segments.length; i++) {
+      const segment = segments[i];
+      if (segment === "**") {
+        if (!node.recursiveChild) {
+          node.recursiveChild = this.createNode();
+        }
+        node = node.recursiveChild;
+      } else if (segment === "*") {
+        if (!node.wildcardChild) {
+          node.wildcardChild = this.createNode();
+        }
+        node = node.wildcardChild;
+      } else if (segment.startsWith(":")) {
+        const paramName = segment.slice(1);
+        if (!node.paramChild) {
+          node.paramChild = this.createNode();
+          node.paramChild.paramName = paramName;
+        }
+        node = node.paramChild;
+        node.paramName = paramName;
+      } else {
+        if (!node.children[segment]) {
+          node.children[segment] = this.createNode();
+        }
+        node = node.children[segment];
+      }
+    }
+    if (!node.handlers) {
+      node.handlers = {};
+    }
+    node.handlers[method] = handler;
+  }
+  search(method, path) {
+    const segments = this.splitPath(path);
+    const params = {};
+    const match = this.findNode(this.root, segments, 0, params);
+    if (match && match.handlers) {
+      const handler = match.handlers[method] || match.handlers["ALL"];
+      if (handler) {
+        return { handler, params };
+      }
+      if (method === "HEAD" && match.handlers["GET"]) {
+        return { handler: match.handlers["GET"], params };
+      }
+    }
+    return null;
+  }
+  findNode(node, segments, index, params) {
+    if (index === segments.length) {
+      if (node.handlers) return node;
+      if (node.recursiveChild && node.recursiveChild.handlers) {
+        return node.recursiveChild;
+      }
+      return null;
+    }
+    const segment = segments[index];
+    const child = node.children[segment];
+    if (child) {
+      const result = this.findNode(child, segments, index + 1, params);
+      if (result) return result;
+    }
+    if (node.paramChild) {
+      params[node.paramChild.paramName] = segment;
+      const result = this.findNode(node.paramChild, segments, index + 1, params);
+      if (result) return result;
+      delete params[node.paramChild.paramName];
+    }
+    if (node.wildcardChild) {
+      const result = this.findNode(node.wildcardChild, segments, index + 1, params);
+      if (result) return result;
+    }
+    if (node.recursiveChild) {
+      const remaining = segments.length - index;
+      for (let k = 0; k <= remaining; k++) {
+        const result = this.findNode(node.recursiveChild, segments, index + k, params);
+        if (result) return result;
+      }
+    }
+    return null;
+  }
+  splitPath(path) {
+    if (path === "/" || path === "") return [];
+    const s = path.startsWith("/") ? path.slice(1) : path;
+    if (s === "") return [];
+    return s.split("/");
   }
-  return { file, line };
 }
-const RouterRegistry = /* @__PURE__ */ new Map();
-const ShokupanApplicationTree = {};
+const HTTPMethods = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "ALL"];
+var RouteParamType = /* @__PURE__ */ ((RouteParamType2) => {
+  RouteParamType2["BODY"] = "BODY";
+  RouteParamType2["PARAM"] = "PARAM";
+  RouteParamType2["QUERY"] = "QUERY";
+  RouteParamType2["HEADER"] = "HEADER";
+  RouteParamType2["REQUEST"] = "REQUEST";
+  RouteParamType2["CONTEXT"] = "CONTEXT";
+  return RouteParamType2;
+})(RouteParamType || {});
 class ShokupanRouter {
   constructor(config) {
     this.config = config;
@@ -1755,216 +1654,9 @@ class ShokupanRouter {
       throw new Error(`[Shokupan] strict controller check failed: ${controller.constructor.name || typeof controller} is not a class constructor.`);
     }
     if (this.isRouterInstance(controller)) {
-      if (controller[$isMounted]) {
-        throw new Error("Router is already mounted");
-      }
-      controller[$mountPath] = prefix;
-      if (!controller.metadata) {
-        const info = getCallerInfo();
-        controller.metadata = {
-          file: info.file,
-          line: info.line,
-          name: "MountedRouter"
-        };
-      }
-      this[$childRouters].push(controller);
-      controller[$parent] = this;
-      const setRouterContext = (router) => {
-        router[$appRoot] = this.root;
-        router[$childRouters].forEach((child) => setRouterContext(child));
-      };
-      setRouterContext(controller);
-      if (this[$appRoot]) ;
-      controller[$appRoot] = this.root;
-      controller[$isMounted] = true;
+      this.mountRouter(prefix, controller);
     } else {
-      let instance = controller;
-      if (typeof controller === "function") {
-        instance = Container.resolve(controller);
-        const controllerPath = controller[$controllerPath];
-        if (controllerPath) {
-          const p1 = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
-          const p2 = controllerPath.startsWith("/") ? controllerPath : "/" + controllerPath;
-          prefix = p1 + p2;
-          if (!prefix) prefix = "/";
-        }
-      } else {
-        const ctor = instance.constructor;
-        const controllerPath = ctor[$controllerPath];
-        if (controllerPath) {
-          const p1 = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
-          const p2 = controllerPath.startsWith("/") ? controllerPath : "/" + controllerPath;
-          prefix = p1 + p2;
-          if (!prefix) prefix = "/";
-        }
-      }
-      instance[$mountPath] = prefix;
-      const info = getCallerInfo();
-      instance.metadata = {
-        file: info.file,
-        line: info.line,
-        name: instance.constructor.name
-      };
-      this[$childControllers].push(instance);
-      const controllerMiddleware = (typeof controller === "function" ? controller[$middleware] : instance[$middleware]) || [];
-      const proto = Object.getPrototypeOf(instance);
-      const methods = /* @__PURE__ */ new Set();
-      let current = proto;
-      while (current && current !== Object.prototype) {
-        Object.getOwnPropertyNames(current).forEach((name) => methods.add(name));
-        current = Object.getPrototypeOf(current);
-      }
-      Object.getOwnPropertyNames(instance).forEach((name) => methods.add(name));
-      const decoratedRoutes = instance[$routeMethods] || proto && proto[$routeMethods];
-      const decoratedArgs = instance[$routeArgs] || proto && proto[$routeArgs];
-      const methodMiddlewareMap = instance[$middleware] || proto && proto[$middleware];
-      let routesAttached = 0;
-      for (let i = 0; i < Array.from(methods).length; i++) {
-        const name = Array.from(methods)[i];
-        if (name === "constructor") continue;
-        if (["arguments", "caller", "callee"].includes(name)) continue;
-        const originalHandler = instance[name];
-        if (typeof originalHandler !== "function") continue;
-        let method;
-        let subPath = "";
-        if (decoratedRoutes && decoratedRoutes.has(name)) {
-          const config = decoratedRoutes.get(name);
-          method = config.method;
-          subPath = config.path;
-        } else {
-          for (let j = 0; j < HTTPMethods.length; j++) {
-            const m = HTTPMethods[j];
-            if (name.toUpperCase().startsWith(m)) {
-              method = m;
-              const rest = name.slice(m.length);
-              if (rest.length === 0) {
-                subPath = "/";
-              } else {
-                subPath = "";
-                let buffer = "";
-                const flush = () => {
-                  if (buffer.length > 0) {
-                    subPath += "/" + buffer.toLowerCase();
-                    buffer = "";
-                  }
-                };
-                for (let i2 = 0; i2 < rest.length; i2++) {
-                  const char = rest[i2];
-                  if (char === "$") {
-                    flush();
-                    subPath += "/:";
-                    continue;
-                  }
-                }
-                subPath = rest.replace(/\$/g, "/:").replace(/([a-z0-9])([A-Z])/g, "$1/$2").toLowerCase();
-                if (!subPath.startsWith("/")) {
-                  subPath = "/" + subPath;
-                }
-              }
-              break;
-            }
-          }
-        }
-        if (method) {
-          routesAttached++;
-          const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
-          const cleanSubPath = subPath === "/" ? "" : subPath;
-          let joined;
-          if (cleanSubPath.length === 0) {
-            joined = cleanPrefix;
-          } else if (cleanSubPath.startsWith("/")) {
-            joined = cleanPrefix + cleanSubPath;
-          } else {
-            joined = cleanPrefix + "/" + cleanSubPath;
-          }
-          const fullPath = joined || "/";
-          const normalizedPath = fullPath.replace(/\/+/g, "/");
-          const methodMw = methodMiddlewareMap instanceof Map ? methodMiddlewareMap.get(name) || [] : [];
-          const allMiddleware = [...controllerMiddleware, ...methodMw];
-          const routeArgs = decoratedArgs && decoratedArgs.get(name);
-          const wrappedHandler = async (ctx) => {
-            let args = [ctx];
-            if (routeArgs?.length > 0) {
-              args = [];
-              const sortedArgs = [...routeArgs].sort((a, b) => a.index - b.index);
-              for (let k = 0; k < sortedArgs.length; k++) {
-                const arg = sortedArgs[k];
-                switch (arg.type) {
-                  case RouteParamType.BODY:
-                    try {
-                      if (ctx.req.headers.get("content-type")?.includes("application/json")) {
-                        args[arg.index] = await ctx.req.json();
-                      } else {
-                        const text = await ctx.req.text();
-                        if (!text) {
-                          args[arg.index] = {};
-                        } else {
-                          args[arg.index] = JSON.parse(text);
-                        }
-                      }
-                    } catch (e) {
-                      const err = new Error("Invalid JSON body");
-                      err.status = 400;
-                      throw err;
-                    }
-                    break;
-                  case RouteParamType.PARAM:
-                    args[arg.index] = arg.name ? ctx.params[arg.name] : ctx.params;
-                    break;
-                  case RouteParamType.QUERY: {
-                    const url = new URL(ctx.req.url);
-                    if (arg.name) {
-                      const vals = url.searchParams.getAll(arg.name);
-                      args[arg.index] = vals.length > 1 ? vals : vals[0];
-                    } else {
-                      const query = {};
-                      const keys = Object.keys(url.searchParams);
-                      for (let k2 = 0; k2 < keys.length; k2++) {
-                        const key = keys[k2];
-                        const vals = url.searchParams.getAll(key);
-                        query[key] = vals.length > 1 ? vals : vals[0];
-                      }
-                      args[arg.index] = query;
-                    }
-                    break;
-                  }
-                  case RouteParamType.HEADER:
-                    args[arg.index] = arg.name ? ctx.req.headers.get(arg.name) : ctx.req.headers;
-                    break;
-                  case RouteParamType.REQUEST:
-                    args[arg.index] = ctx.req;
-                    break;
-                  case RouteParamType.CONTEXT:
-                    args[arg.index] = ctx;
-                    break;
-                }
-              }
-            }
-            const tracedOriginalHandler = ctx.app?.applicationConfig.enableTracing ? traceHandler(originalHandler, normalizedPath) : originalHandler;
-            return tracedOriginalHandler.apply(instance, args);
-          };
-          let finalHandler = wrappedHandler;
-          if (allMiddleware.length > 0) {
-            const composed = compose(allMiddleware);
-            finalHandler = async (ctx) => {
-              return composed(ctx, () => wrappedHandler(ctx));
-            };
-          }
-          finalHandler.originalHandler = originalHandler;
-          if (finalHandler !== wrappedHandler) {
-            wrappedHandler.originalHandler = originalHandler;
-          }
-          const tagName = instance.constructor.name;
-          const decoratedSpecs = instance[$routeSpec] || proto && proto[$routeSpec];
-          const userSpec = decoratedSpecs && decoratedSpecs.get(name);
-          const spec = { tags: [tagName], ...userSpec };
-          this.add({ method, path: normalizedPath, handler: finalHandler, spec, controller: instance });
-        }
-      }
-      if (routesAttached === 0) {
-        console.warn(`No routes attached to controller ${instance.constructor.name}`);
-      }
-      instance[$isMounted] = true;
+      this.scanControllerRoutes(prefix, controller);
     }
     return this;
   }
@@ -2002,8 +1694,6 @@ class ShokupanRouter {
    */
   async internalRequest(arg) {
     const options = typeof arg === "string" ? { path: arg } : arg;
-    const store = asyncContext.getStore();
-    store?.get("req");
     let url = options.path;
     if (!url.startsWith("http")) {
       const base = `http://${this.rootConfig?.hostname || "localhost"}:${this.rootConfig.port || 3e3}`;
@@ -2115,6 +1805,220 @@ class ShokupanRouter {
     wrapped.originalHandler = originalHandler.originalHandler ?? originalHandler;
     return wrapped;
   }
+  mountRouter(prefix, router) {
+    if (router[$isMounted]) {
+      throw new Error("Router is already mounted");
+    }
+    router[$mountPath] = prefix;
+    if (!router.metadata) {
+      const info = getCallerInfo();
+      router.metadata = {
+        file: info.file,
+        line: info.line,
+        name: "MountedRouter"
+      };
+    }
+    this[$childRouters].push(router);
+    router[$parent] = this;
+    const setRouterContext = (router2) => {
+      router2[$appRoot] = this.root;
+      router2[$childRouters].forEach((child) => setRouterContext(child));
+    };
+    setRouterContext(router);
+    router[$appRoot] = this.root;
+    router[$isMounted] = true;
+  }
+  scanControllerRoutes(prefix, controller) {
+    let instance = controller;
+    if (typeof controller === "function") {
+      instance = Container.resolve(controller);
+      const controllerPath = controller[$controllerPath];
+      if (controllerPath) {
+        const p1 = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+        const p2 = controllerPath.startsWith("/") ? controllerPath : "/" + controllerPath;
+        prefix = p1 + p2;
+        if (!prefix) prefix = "/";
+      }
+    } else {
+      const ctor = instance.constructor;
+      const controllerPath = ctor[$controllerPath];
+      if (controllerPath) {
+        const p1 = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+        const p2 = controllerPath.startsWith("/") ? controllerPath : "/" + controllerPath;
+        prefix = p1 + p2;
+        if (!prefix) prefix = "/";
+      }
+    }
+    instance[$mountPath] = prefix;
+    const info = getCallerInfo();
+    instance.metadata = {
+      file: info.file,
+      line: info.line,
+      name: instance.constructor.name
+    };
+    this[$childControllers].push(instance);
+    const controllerMiddleware = (typeof controller === "function" ? controller[$middleware] : instance[$middleware]) || [];
+    const proto = Object.getPrototypeOf(instance);
+    const methods = /* @__PURE__ */ new Set();
+    let current = proto;
+    while (current && current !== Object.prototype) {
+      Object.getOwnPropertyNames(current).forEach((name) => methods.add(name));
+      current = Object.getPrototypeOf(current);
+    }
+    Object.getOwnPropertyNames(instance).forEach((name) => methods.add(name));
+    const decoratedRoutes = instance[$routeMethods] || proto && proto[$routeMethods];
+    const decoratedArgs = instance[$routeArgs] || proto && proto[$routeArgs];
+    const methodMiddlewareMap = instance[$middleware] || proto && proto[$middleware];
+    let routesAttached = 0;
+    for (let i = 0; i < Array.from(methods).length; i++) {
+      const name = Array.from(methods)[i];
+      if (name === "constructor") continue;
+      if (["arguments", "caller", "callee"].includes(name)) continue;
+      const originalHandler = instance[name];
+      if (typeof originalHandler !== "function") continue;
+      let method;
+      let subPath = "";
+      if (decoratedRoutes && decoratedRoutes.has(name)) {
+        const config = decoratedRoutes.get(name);
+        method = config.method;
+        subPath = config.path;
+      } else {
+        for (let j = 0; j < HTTPMethods.length; j++) {
+          const m = HTTPMethods[j];
+          if (name.toUpperCase().startsWith(m)) {
+            method = m;
+            const rest = name.slice(m.length);
+            if (rest.length === 0) {
+              subPath = "/";
+            } else {
+              subPath = "";
+              let buffer = "";
+              const flush = () => {
+                if (buffer.length > 0) {
+                  subPath += "/" + buffer.toLowerCase();
+                  buffer = "";
+                }
+              };
+              for (let i2 = 0; i2 < rest.length; i2++) {
+                const char = rest[i2];
+                if (char === "$") {
+                  flush();
+                  subPath += "/:";
+                  continue;
+                }
+                buffer += char;
+              }
+              if (buffer.length > 0) flush();
+              subPath = rest.replace(/\$/g, "/:").replace(/([a-z0-9])([A-Z])/g, "$1/$2").toLowerCase();
+              if (!subPath.startsWith("/")) {
+                subPath = "/" + subPath;
+              }
+            }
+            break;
+          }
+        }
+      }
+      if (method) {
+        routesAttached++;
+        const cleanPrefix = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
+        const cleanSubPath = subPath === "/" ? "" : subPath;
+        let joined;
+        if (cleanSubPath.length === 0) {
+          joined = cleanPrefix;
+        } else if (cleanSubPath.startsWith("/")) {
+          joined = cleanPrefix + cleanSubPath;
+        } else {
+          joined = cleanPrefix + "/" + cleanSubPath;
+        }
+        const fullPath = joined || "/";
+        const normalizedPath = fullPath.replace(/\/+/g, "/");
+        const methodMw = methodMiddlewareMap instanceof Map ? methodMiddlewareMap.get(name) || [] : [];
+        const allMiddleware = [...controllerMiddleware, ...methodMw];
+        const routeArgs = decoratedArgs && decoratedArgs.get(name);
+        const wrappedHandler = async (ctx) => {
+          let args = [ctx];
+          if (routeArgs?.length > 0) {
+            args = [];
+            const sortedArgs = [...routeArgs].sort((a, b) => a.index - b.index);
+            for (let k = 0; k < sortedArgs.length; k++) {
+              const arg = sortedArgs[k];
+              switch (arg.type) {
+                case RouteParamType.BODY:
+                  try {
+                    if (ctx.req.headers.get("content-type")?.includes("application/json")) {
+                      args[arg.index] = await ctx.req.json();
+                    } else {
+                      const text = await ctx.req.text();
+                      if (!text) {
+                        args[arg.index] = {};
+                      } else {
+                        args[arg.index] = JSON.parse(text);
+                      }
+                    }
+                  } catch (e) {
+                    const err = new Error("Invalid JSON body");
+                    err.status = 400;
+                    throw err;
+                  }
+                  break;
+                case RouteParamType.PARAM:
+                  args[arg.index] = arg.name ? ctx.params[arg.name] : ctx.params;
+                  break;
+                case RouteParamType.QUERY: {
+                  const url = new URL(ctx.req.url);
+                  if (arg.name) {
+                    const vals = url.searchParams.getAll(arg.name);
+                    args[arg.index] = vals.length > 1 ? vals : vals[0];
+                  } else {
+                    const query = {};
+                    const keys = Object.keys(url.searchParams);
+                    for (let k2 = 0; k2 < keys.length; k2++) {
+                      const key = keys[k2];
+                      const vals = url.searchParams.getAll(key);
+                      query[key] = vals.length > 1 ? vals : vals[0];
+                    }
+                    args[arg.index] = query;
+                  }
+                  break;
+                }
+                case RouteParamType.HEADER:
+                  args[arg.index] = arg.name ? ctx.req.headers.get(arg.name) : ctx.req.headers;
+                  break;
+                case RouteParamType.REQUEST:
+                  args[arg.index] = ctx.req;
+                  break;
+                case RouteParamType.CONTEXT:
+                  args[arg.index] = ctx;
+                  break;
+              }
+            }
+          }
+          const tracedOriginalHandler = ctx.app?.applicationConfig.enableTracing ? traceHandler(originalHandler, normalizedPath) : originalHandler;
+          return tracedOriginalHandler.apply(instance, args);
+        };
+        let finalHandler = wrappedHandler;
+        if (allMiddleware.length > 0) {
+          const composed = compose(allMiddleware);
+          finalHandler = async (ctx) => {
+            return composed(ctx, () => wrappedHandler(ctx));
+          };
+        }
+        finalHandler.originalHandler = originalHandler;
+        if (finalHandler !== wrappedHandler) {
+          wrappedHandler.originalHandler = originalHandler;
+        }
+        const tagName = instance.constructor.name;
+        const decoratedSpecs = instance[$routeSpec] || proto && proto[$routeSpec];
+        const userSpec = decoratedSpecs && decoratedSpecs.get(name);
+        const spec = { tags: [tagName], ...userSpec };
+        this.add({ method, path: normalizedPath, handler: finalHandler, spec, controller: instance });
+      }
+    }
+    if (routesAttached === 0) {
+      console.warn(`No routes attached to controller ${instance.constructor.name}`);
+    }
+    instance[$isMounted] = true;
+  }
   /**
    * Find a route matching the given method and path.
    * @param method HTTP method
@@ -2148,10 +2052,13 @@ class ShokupanRouter {
   }
   parsePath(path) {
     const keys = [];
+    if (path.length > 2048) {
+      throw new Error("Path too long");
+    }
     const pattern = path.replace(/:([a-zA-Z0-9_]+)/g, (_, key) => {
       keys.push(key);
-      return "([^/]+)";
-    }).replace(/\*\*/g, ".*").replace(/\*/g, "[^/]+");
+      return "([^/]{1,255})";
+    }).replace(/\*\*/g, ".{0,1000}").replace(/\*/g, "[^/]{1,255}");
     return {
       regex: new RegExp(`^${pattern}$`),
       keys
@@ -2238,7 +2145,7 @@ class ShokupanRouter {
     if (effectiveRenderer) {
       const innerHandler = wrappedHandler;
       wrappedHandler = async (ctx) => {
-        ctx.renderer = effectiveRenderer;
+        ctx.setRenderer(effectiveRenderer);
         return innerHandler(ctx);
       };
     }
@@ -2640,6 +2547,13 @@ class Shokupan extends ShokupanRouter {
     }
     return this;
   }
+  /**
+   * Registers a plugin.
+   */
+  register(plugin, options) {
+    plugin.onInit(this, options);
+    return this;
+  }
   startupHooks = [];
   /**
    * Registers a callback to be executed before the server starts listening.
@@ -2702,7 +2616,7 @@ class Shokupan extends ShokupanRouter {
     };
     let factory = this.applicationConfig.serverFactory;
     if (!factory && typeof Bun === "undefined") {
-      const { createHttpServer } = await import("./server-adapter-0xH174zz.js");
+      const { createHttpServer } = await import("./http-server-0xH174zz.js");
       factory = createHttpServer();
     }
     const server = factory ? await factory(serveOptions) : Bun.serve(serveOptions);
@@ -2771,19 +2685,19 @@ class Shokupan extends ShokupanRouter {
           "http.method": req.method
         }
       };
-      const parent = store?.get("span");
+      const parent = store?.span;
       const ctx = parent ? trace.setSpan(context.active(), parent) : void 0;
       return tracer2.startActiveSpan(`${req.method} ${new URL(req.url).pathname}`, attrs, ctx, (span) => {
-        const ctxMap = /* @__PURE__ */ new Map();
-        ctxMap.set("span", span);
-        ctxMap.set("request", req);
-        return asyncContext.run(ctxMap, () => this.handleRequest(req, server).finally(() => span.end()));
+        const ctxStore = new RequestContextStore();
+        ctxStore.span = span;
+        ctxStore.request = req;
+        return asyncContext.run(ctxStore, () => this.handleRequest(req, server).finally(() => span.end()));
       });
     }
     if (this.applicationConfig.enableAsyncLocalStorage) {
-      const ctxMap = /* @__PURE__ */ new Map();
-      ctxMap.set("request", req);
-      return asyncContext.run(ctxMap, () => this.handleRequest(req, server));
+      const ctxStore = new RequestContextStore();
+      ctxStore.request = req;
+      return asyncContext.run(ctxStore, () => this.handleRequest(req, server));
     }
     return this.handleRequest(req, server);
   }
@@ -2805,6 +2719,7 @@ class Shokupan extends ShokupanRouter {
           const bodyParsing = ["POST", "PUT", "PATCH", "DELETE"].includes(req.method) ? ctx.parseBody() : Promise.resolve();
           const match = this.find(req.method, ctx.path);
           if (match) {
+            ctx._routeMatched = true;
             ctx.params = match.params;
             await bodyParsing;
             return match.handler(ctx);
@@ -2819,10 +2734,14 @@ class Shokupan extends ShokupanRouter {
         } else if (result === null || result === void 0) {
           if (ctx._finalResponse instanceof Response) {
             response = ctx._finalResponse;
-          } else if (ctx.response.status !== 200 || ctx.response.hasPopulatedHeaders) {
+          } else if (ctx._routeMatched) {
             response = ctx.send(null, { status: ctx.response.status, headers: ctx.response.headers });
           } else {
-            response = ctx.text("Not Found", 404);
+            if (ctx.response.status !== 200) {
+              response = ctx.send(null, { status: ctx.response.status, headers: ctx.response.headers });
+            } else {
+              response = ctx.text("Not Found", 404);
+            }
           }
         } else if (typeof result === "object") {
           response = ctx.json(result);
@@ -2834,7 +2753,7 @@ class Shokupan extends ShokupanRouter {
         return response;
       } catch (err) {
         console.error(err);
-        const span = asyncContext.getStore()?.get("span");
+        const span = asyncContext.getStore()?.span;
         if (span) span.setStatus({ code: 2 });
         const status = err.status || err.statusCode || 500;
         const body = { error: err.message || "Internal Server Error" };
@@ -2842,31 +2761,195 @@ class Shokupan extends ShokupanRouter {
         await this.runHooks("onError", ctx, err);
         return ctx.json(body, status);
       }
-    };
-    let executionPromise = handle();
-    const timeoutMs = this.applicationConfig.requestTimeout;
-    if (timeoutMs && timeoutMs > 0) {
-      let timeoutId;
-      const timeoutPromise = new Promise((_, reject) => {
-        timeoutId = setTimeout(async () => {
-          controller.abort();
-          await this.runHooks("onRequestTimeout", ctx);
-          reject(new Error("Request Timeout"));
-        }, timeoutMs);
+    };
+    let executionPromise = handle();
+    const timeoutMs = this.applicationConfig.requestTimeout;
+    if (timeoutMs && timeoutMs > 0) {
+      let timeoutId;
+      const timeoutPromise = new Promise((_, reject) => {
+        timeoutId = setTimeout(async () => {
+          controller.abort();
+          await this.runHooks("onRequestTimeout", ctx);
+          reject(new Error("Request Timeout"));
+        }, timeoutMs);
+      });
+      executionPromise = Promise.race([executionPromise, timeoutPromise]).finally(() => clearTimeout(timeoutId));
+    }
+    return executionPromise.catch((err) => {
+      if (err.message === "Request Timeout") {
+        return ctx.text("Request Timeout", 408);
+      }
+      console.error("Unexpected error in request execution:", err);
+      return ctx.text("Internal Server Error", 500);
+    }).then(async (res) => {
+      await this.runHooks("onResponseEnd", ctx, res);
+      return res;
+    });
+  }
+}
+function RateLimitMiddleware(options = {}) {
+  const windowMs = options.windowMs || 60 * 1e3;
+  const max = options.limit || options.max || 5;
+  const message = options.message || "Too many requests, please try again later.";
+  const statusCode = options.statusCode || 429;
+  const headers = options.headers !== false;
+  const mode = options.mode || "user";
+  const trustedProxies = options.trustedProxies || [];
+  const keyGenerator = options.keyGenerator || ((ctx) => {
+    if (mode === "absolute") {
+      return "global";
+    }
+    const xForwardedFor = ctx.headers.get("x-forwarded-for");
+    if (xForwardedFor && trustedProxies.length > 0) {
+      const ips = xForwardedFor.split(",").map((ip) => ip.trim());
+      for (let i = ips.length - 1; i >= 0; i--) {
+        const ip = ips[i];
+        if (!trustedProxies.includes(ip)) {
+          if (/^[\d.:a-fA-F]+$/.test(ip)) {
+            return ip;
+          }
+        }
+      }
+    }
+    return ctx.server?.requestIP?.(ctx.request)?.address || "unknown";
+  });
+  const skip = options.skip || (() => false);
+  const hits = /* @__PURE__ */ new Map();
+  const interval = setInterval(() => {
+    const now = Date.now();
+    const entries = Array.from(hits.entries());
+    for (let i = 0; i < entries.length; i++) {
+      const [key, record] = entries[i];
+      if (record.resetTime <= now) {
+        hits.delete(key);
+      }
+    }
+  }, windowMs);
+  if (interval.unref) interval.unref();
+  const rateLimitMiddleware = async function RateLimitMiddleware2(ctx, next) {
+    if (skip(ctx)) return next();
+    const key = keyGenerator(ctx);
+    const now = Date.now();
+    let record = hits.get(key);
+    if (!record || record.resetTime <= now) {
+      record = {
+        hits: 0,
+        resetTime: now + windowMs
+      };
+      hits.set(key, record);
+    }
+    record.hits++;
+    const remaining = Math.max(0, max - record.hits);
+    const resetTime = Math.ceil(record.resetTime / 1e3);
+    const retryAfter = Math.ceil((record.resetTime - now) / 1e3);
+    const setHeaders = (res) => {
+      if (!headers || !res || !res.headers) return;
+      try {
+        res.headers.set("X-RateLimit-Limit", String(max));
+        res.headers.set("X-RateLimit-Remaining", String(remaining));
+        res.headers.set("X-RateLimit-Reset", String(resetTime));
+      } catch (e) {
+      }
+    };
+    if (record.hits > max) {
+      if (options.onRateLimited) {
+        const result = await options.onRateLimited(ctx, key);
+        if (result instanceof Response) {
+          return result;
+        }
+      }
+      const msg = typeof message === "function" ? message(ctx, key) : message;
+      typeof msg === "object" ? JSON.stringify(msg) : String(msg);
+      const res = typeof msg === "object" ? ctx.json(msg, statusCode) : ctx.text(String(msg), statusCode);
+      if (headers) {
+        setHeaders(res);
+        res.headers.set("Retry-After", String(retryAfter));
+      }
+      return res;
+    }
+    const response = await next();
+    if (response instanceof Response && headers) {
+      setHeaders(response);
+    }
+    return response;
+  };
+  rateLimitMiddleware.isBuiltin = true;
+  rateLimitMiddleware.pluginName = "RateLimit";
+  return rateLimitMiddleware;
+}
+function Controller(path = "/") {
+  return (target) => {
+    target[$controllerPath] = path;
+  };
+}
+function Use(...middleware) {
+  return (target, propertyKey, descriptor) => {
+    if (!propertyKey) {
+      const existing = target[$middleware] || [];
+      target[$middleware] = [...existing, ...middleware];
+    } else {
+      if (!target[$middleware]) {
+        target[$middleware] = /* @__PURE__ */ new Map();
+      }
+      const existing = target[$middleware].get(propertyKey) || [];
+      target[$middleware].set(propertyKey, [...existing, ...middleware]);
+    }
+  };
+}
+function createParamDecorator(type) {
+  return (name) => {
+    return (target, propertyKey, parameterIndex) => {
+      if (!target[$routeArgs]) {
+        target[$routeArgs] = /* @__PURE__ */ new Map();
+      }
+      if (!target[$routeArgs].has(propertyKey)) {
+        target[$routeArgs].set(propertyKey, []);
+      }
+      target[$routeArgs].get(propertyKey).push({
+        index: parameterIndex,
+        type,
+        name
       });
-      executionPromise = Promise.race([executionPromise, timeoutPromise]).finally(() => clearTimeout(timeoutId));
+    };
+  };
+}
+const Body = createParamDecorator(RouteParamType.BODY);
+const Param = createParamDecorator(RouteParamType.PARAM);
+const Query = createParamDecorator(RouteParamType.QUERY);
+const Headers$1 = createParamDecorator(RouteParamType.HEADER);
+const Req = createParamDecorator(RouteParamType.REQUEST);
+const Ctx = createParamDecorator(RouteParamType.CONTEXT);
+function Spec(spec) {
+  return (target, propertyKey, descriptor) => {
+    if (!target[$routeSpec]) {
+      target[$routeSpec] = /* @__PURE__ */ new Map();
     }
-    return executionPromise.catch((err) => {
-      if (err.message === "Request Timeout") {
-        return ctx.text("Request Timeout", 408);
+    target[$routeSpec].set(propertyKey, spec);
+  };
+}
+function createMethodDecorator(method) {
+  return (path = "/") => {
+    return (target, propertyKey, descriptor) => {
+      if (!target[$routeMethods]) {
+        target[$routeMethods] = /* @__PURE__ */ new Map();
       }
-      console.error("Unexpected error in request execution:", err);
-      return ctx.text("Internal Server Error", 500);
-    }).then(async (res) => {
-      await this.runHooks("onResponseEnd", ctx, res);
-      return res;
-    });
-  }
+      target[$routeMethods].set(propertyKey, {
+        method,
+        path
+      });
+    };
+  };
+}
+const Get = createMethodDecorator("GET");
+const Post = createMethodDecorator("POST");
+const Put = createMethodDecorator("PUT");
+const Delete = createMethodDecorator("DELETE");
+const Patch = createMethodDecorator("PATCH");
+const Options = createMethodDecorator("OPTIONS");
+const Head = createMethodDecorator("HEAD");
+const All = createMethodDecorator("ALL");
+function RateLimit(options) {
+  return Use(RateLimitMiddleware(options));
 }
 class AuthPlugin extends ShokupanRouter {
   constructor(authConfig) {
@@ -2876,6 +2959,13 @@ class AuthPlugin extends ShokupanRouter {
     this.init();
   }
   secret;
+  onInit(app, options) {
+    if (options?.path) {
+      app.mount(options.path, this);
+    } else {
+      app.mount(options.path ?? "/", this);
+    }
+  }
   getProviderInstance(name, p) {
     switch (name) {
       case "github":
@@ -2939,9 +3029,10 @@ class AuthPlugin extends ShokupanRouter {
         } else {
           return ctx.text("Provider config error", 500);
         }
-        ctx.res.headers.set("Set-Cookie", `oauth_state=${state}; Path=/; HttpOnly; Max-Age=600`);
+        const isSecure = ctx.secure;
+        ctx.res.headers.set("Set-Cookie", `oauth_state=${state}; Path=/; HttpOnly; SameSite=Lax${isSecure ? "; Secure" : ""}; Max-Age=600`);
         if (codeVerifier) {
-          ctx.res.headers.append("Set-Cookie", `oauth_verifier=${codeVerifier}; Path=/; HttpOnly; Max-Age=600`);
+          ctx.res.headers.append("Set-Cookie", `oauth_verifier=${codeVerifier}; Path=/; HttpOnly; SameSite=Lax${isSecure ? "; Secure" : ""}; Max-Age=600`);
         }
         return ctx.redirect(url.toString());
       });
@@ -2982,7 +3073,7 @@ class AuthPlugin extends ShokupanRouter {
           return ctx.json({ token: jwt, user });
         } catch (e) {
           console.error("Auth Error", e);
-          return ctx.text("Authentication failed: " + e.message + "\n" + e.stack, 500);
+          return ctx.text("Authentication failed. Please try again.", 500);
         }
       });
     }
@@ -3092,8 +3183,196 @@ class AuthPlugin extends ShokupanRouter {
     };
   }
 }
+class ClusterPlugin {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  onInit(app) {
+    const originalListen = app.listen.bind(app);
+    const { workers = "auto", silent = false, sticky = false } = this.options;
+    const isBun = typeof Bun !== "undefined";
+    const numCPUs = os__default.cpus().length;
+    const numWorkers = workers === "auto" || workers === -1 ? numCPUs : workers;
+    if (numWorkers <= 1) {
+      return;
+    }
+    app.listen = async (port) => {
+      const finalPort = port ?? app.applicationConfig.port ?? 3e3;
+      if (isBun) {
+        return this.handleBun(app, finalPort, numWorkers, originalListen);
+      } else {
+        return this.handleNode(app, finalPort, numWorkers, originalListen, silent, sticky);
+      }
+    };
+  }
+  async handleBun(app, port, workers, originalListen) {
+    const workerId = process.env["SHOKUPAN_WORKER_ID"];
+    if (workerId) {
+      app.applicationConfig.reusePort = true;
+      return originalListen(port);
+    }
+    console.log(`[Cluster] Starting ${workers} Bun workers on port ${port}...`);
+    const spawnWorker = (id) => {
+      Bun.spawn([process.argv0, ...process.argv.slice(1)], {
+        env: { ...process.env, SHOKUPAN_WORKER_ID: id },
+        stdio: ["inherit", "inherit", "inherit"],
+        onExit(proc, exitCode, signalCode, error) {
+          console.log(`[Cluster] Worker ${id} died (code: ${exitCode}). Restarting...`);
+          spawnWorker(id);
+        }
+      });
+    };
+    for (let i = 0; i < workers; i++) {
+      spawnWorker(process.pid + "_" + i + 1);
+    }
+    setInterval(() => {
+    }, 1e3 * 60 * 60);
+    return {
+      stop: () => {
+      },
+      port
+    };
+  }
+  async handleNode(app, port, workers, originalListen, silent, sticky) {
+    if (cluster.isPrimary) {
+      console.log(`[Cluster] Master ${process.pid} is running`);
+      const fork = () => cluster.fork(process.env);
+      for (let i = 0; i < workers; i++) {
+        fork();
+      }
+      cluster.on("exit", (worker, code, signal) => {
+        console.log(`[Cluster] Worker ${worker.process.pid} died. Restarting...`);
+        fork();
+      });
+      if (sticky) {
+        const server = net.createServer({ pauseOnConnect: true }, (connection) => {
+          const remote = connection.remoteAddress || "";
+          let hash = 0;
+          for (let i = 0; i < remote.length; i++) {
+            hash = (hash << 5) - hash + remote.charCodeAt(i);
+            hash |= 0;
+          }
+          const index = Math.abs(hash) % workers;
+          const worker = Object.values(cluster.workers)[index];
+          if (worker) {
+            worker.send("sticky-session:connection", connection);
+          } else {
+            connection.end();
+          }
+        });
+        server.listen(port, () => {
+          console.log(`[Cluster] Sticky Load Balancer listening on port ${port}`);
+        });
+        return {
+          close: () => server.close(),
+          port
+        };
+      } else {
+        return {
+          close: () => {
+          },
+          // Master controls
+          port
+        };
+      }
+    } else {
+      if (sticky) {
+        const server = await originalListen(0);
+        process.on("message", (message, handle) => {
+          if (message !== "sticky-session:connection") return;
+          if (!handle) return;
+          server.emit("connection", handle);
+          handle.resume();
+        });
+        return server;
+      } else {
+        return originalListen(port);
+      }
+    }
+  }
+}
+const eta = new Eta();
+class ScalarPlugin extends ShokupanRouter {
+  constructor(pluginOptions = {}) {
+    pluginOptions.config ??= {};
+    super();
+    this.pluginOptions = pluginOptions;
+    this.init();
+  }
+  onInit(app, options) {
+    if (options?.path) {
+      app.mount(options.path, this);
+    } else {
+      app.mount(options.path ?? "/", this);
+    }
+    this.onMount(app);
+  }
+  init() {
+    this.get("/", (ctx) => {
+      let path = ctx.url.toString();
+      if (!path.endsWith("/")) path += "/";
+      return ctx.html(eta.renderString(`<!doctype html>
+                <html>
+                <head>
+                    <title>API Reference</title>
+                    <meta charset = "utf-8" />
+                    <meta name="viewport" content = "width=device-width, initial-scale=1" />
+                </head>
+
+                <body>
+                    <div id="app"></div>
+                    <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"><\/script>
+                    <script>
+                        Scalar.createApiReference('#app', [{ ...<%~ JSON.stringify(it.config.baseDocument) %>,
+                            url: "<%= it.path %>openapi.json",
+                        }
+                    ])
+                    <\/script>
+                </body>
+
+                </html>`, { path, config: this.pluginOptions }));
+    });
+    this.get("/openapi.json", async (ctx) => {
+      let spec;
+      if (this.root.openApiSpec) {
+        try {
+          spec = structuredClone(this.root.openApiSpec);
+        } catch (e) {
+          spec = Object.assign({}, this.root.openApiSpec);
+        }
+      } else {
+        spec = await (this.root || this).generateApiSpec();
+      }
+      if (this.pluginOptions.baseDocument) {
+        deepMerge(spec, this.pluginOptions.baseDocument);
+      }
+      return ctx.json(spec);
+    });
+  }
+  // New lifecycle method to be called by router.mount
+  onMount(parent) {
+    if (parent.onStart) {
+      parent.onStart(async () => {
+        if (this.pluginOptions.enableStaticAnalysis) {
+          try {
+            const entrypoint = process.argv[1];
+            console.log(`[ScalarPlugin] Running eager static analysis on entrypoint: ${entrypoint}`);
+            const analyzer = new OpenAPIAnalyzer(process.cwd(), entrypoint);
+            let staticSpec = await analyzer.analyze();
+            if (!this.pluginOptions.baseDocument) this.pluginOptions.baseDocument = {};
+            deepMerge(this.pluginOptions.baseDocument, staticSpec);
+            console.log("[ScalarPlugin] Static analysis completed successfully.");
+          } catch (err) {
+            console.error("[ScalarPlugin] Failed to run static analysis:", err);
+          }
+        }
+      });
+    }
+  }
+}
 function Compression(options = {}) {
   const threshold = options.threshold ?? 512;
+  const allowedAlgorithms = new Set(options.allowedAlgorithms ?? ["br", "gzip", "zstd", "deflate"]);
   const compressionMiddleware = async function CompressionMiddleware(ctx, next) {
     const acceptEncoding = ctx.headers.get("accept-encoding") || "";
     let method = null;
@@ -3106,6 +3385,9 @@ function Compression(options = {}) {
     } else if (acceptEncoding.includes("gzip")) method = "gzip";
     else if (acceptEncoding.includes("deflate")) method = "deflate";
     if (!method) return next();
+    if (!allowedAlgorithms.has(method)) {
+      return next();
+    }
     let response = await next();
     if (!(response instanceof Response) && ctx._finalResponse instanceof Response) {
       response = ctx._finalResponse;
@@ -3193,14 +3475,21 @@ function Cors(options = {}) {
     const origin = ctx.headers.get("origin");
     const set = (k, v) => headers.set(k, v);
     const append = (k, v) => headers.append(k, v);
+    if (origin === "null" && opts.origin !== "null") {
+      return next();
+    }
     if (opts.origin === "*") {
       set("Access-Control-Allow-Origin", "*");
     } else if (typeof opts.origin === "string") {
       set("Access-Control-Allow-Origin", opts.origin);
     } else if (Array.isArray(opts.origin)) {
-      if (origin && opts.origin.includes(origin)) {
-        set("Access-Control-Allow-Origin", origin);
-        append("Vary", "Origin");
+      if (origin) {
+        const normalizedOrigin = origin.toLowerCase();
+        const normalizedAllowed = opts.origin.map((o) => o.toLowerCase());
+        if (normalizedAllowed.includes(normalizedOrigin)) {
+          set("Access-Control-Allow-Origin", origin);
+          append("Vary", "Origin");
+        }
       }
     } else if (typeof opts.origin === "function") {
       const allowed = opts.origin(ctx);
@@ -3653,77 +3942,6 @@ function enableOpenApiValidation(app) {
     precompileValidators(app, spec);
   });
 }
-const eta = new Eta();
-class ScalarPlugin extends ShokupanRouter {
-  constructor(pluginOptions = {}) {
-    pluginOptions.config ??= {};
-    super();
-    this.pluginOptions = pluginOptions;
-    this.init();
-  }
-  init() {
-    this.get("/", (ctx) => {
-      let path = ctx.url.toString();
-      if (!path.endsWith("/")) path += "/";
-      return ctx.html(eta.renderString(`<!doctype html>
-                <html>
-                <head>
-                    <title>API Reference</title>
-                    <meta charset = "utf-8" />
-                    <meta name="viewport" content = "width=device-width, initial-scale=1" />
-                </head>
-
-                <body>
-                    <div id="app"></div>
-                    <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"><\/script>
-                    <script>
-                        Scalar.createApiReference('#app', [{ ...<%~ JSON.stringify(it.config.baseDocument) %>,
-                            url: "<%= it.path %>openapi.json",
-                        }
-                    ])
-                    <\/script>
-                </body>
-
-                </html>`, { path, config: this.pluginOptions }));
-    });
-    this.get("/openapi.json", async (ctx) => {
-      let spec;
-      if (this.root.openApiSpec) {
-        try {
-          spec = structuredClone(this.root.openApiSpec);
-        } catch (e) {
-          spec = Object.assign({}, this.root.openApiSpec);
-        }
-      } else {
-        spec = await (this.root || this).generateApiSpec();
-      }
-      if (this.pluginOptions.baseDocument) {
-        deepMerge(spec, this.pluginOptions.baseDocument);
-      }
-      return ctx.json(spec);
-    });
-  }
-  // New lifecycle method to be called by router.mount
-  onMount(parent) {
-    if (parent.onStart) {
-      parent.onStart(async () => {
-        if (this.pluginOptions.enableStaticAnalysis) {
-          try {
-            const entrypoint = process.argv[1];
-            console.log(`[ScalarPlugin] Running eager static analysis on entrypoint: ${entrypoint}`);
-            const analyzer = new OpenAPIAnalyzer(process.cwd(), entrypoint);
-            let staticSpec = await analyzer.analyze();
-            if (!this.pluginOptions.baseDocument) this.pluginOptions.baseDocument = {};
-            deepMerge(this.pluginOptions.baseDocument, staticSpec);
-            console.log("[ScalarPlugin] Static analysis completed successfully.");
-          } catch (err) {
-            console.error("[ScalarPlugin] Failed to run static analysis:", err);
-          }
-        }
-      });
-    }
-  }
-}
 function SecurityHeaders(options = {}) {
   const securityHeadersMiddleware = async function SecurityHeadersMiddleware(ctx, next) {
     const headers = {};
@@ -3847,18 +4065,18 @@ class MemoryStore extends EventEmitter {
   }
   set(sid, sess, cb) {
     this.sessions[sid] = JSON.stringify(sess);
-    cb && cb();
+    cb?.();
   }
   destroy(sid, cb) {
     delete this.sessions[sid];
-    cb && cb();
+    cb?.();
   }
   touch(sid, sess, cb) {
     const current = this.sessions[sid];
     if (current) {
       this.sessions[sid] = JSON.stringify(sess);
     }
-    cb && cb();
+    cb?.();
   }
   all(cb) {
     const result = {};
@@ -3874,7 +4092,7 @@ class MemoryStore extends EventEmitter {
   }
   clear(cb) {
     this.sessions = {};
-    cb && cb();
+    cb?.();
   }
 }
 function sign(val, secret) {
@@ -3887,11 +4105,17 @@ function unsign(input, secret) {
   if (typeof secret !== "string") throw new TypeError("Secret string must be provided.");
   const tentValue = input.slice(0, input.lastIndexOf("."));
   const expectedInput = sign(tentValue, secret);
-  const expectedBuffer = Buffer.from(expectedInput);
-  const inputBuffer = Buffer.from(input);
-  if (expectedBuffer.length !== inputBuffer.length) return false;
-  const valid = require("crypto").timingSafeEqual(expectedBuffer, inputBuffer);
-  return valid ? tentValue : false;
+  const maxLength = Math.max(expectedInput.length, input.length);
+  const paddedExpected = Buffer.alloc(maxLength);
+  const paddedInput = Buffer.alloc(maxLength);
+  Buffer.from(expectedInput).copy(paddedExpected);
+  Buffer.from(input).copy(paddedInput);
+  try {
+    const valid = require("crypto").timingSafeEqual(paddedExpected, paddedInput);
+    return valid ? tentValue : false;
+  } catch {
+    return false;
+  }
 }
 function Session(options) {
   const store = options.store || new MemoryStore();
@@ -4064,6 +4288,7 @@ export {
   All,
   AuthPlugin,
   Body,
+  ClusterPlugin,
   Compression,
   Container,
   Controller,
@@ -4087,16 +4312,13 @@ export {
   RateLimitMiddleware,
   Req,
   RouteParamType,
-  RouterRegistry,
   ScalarPlugin,
   SecurityHeaders,
   Session,
   Shokupan,
-  ShokupanApplicationTree,
   ShokupanContext,
   ShokupanRequest,
   ShokupanResponse,
-  ShokupanRouter,
   Spec,
   Use,
   ValidationError,