spooder 3.2.7 → 4.0.0

package/README.md

@@ -1,24 +1,16 @@
 <p align="center"><img src="docs/project-logo.png"/></p>
 
-# Spooder &middot; ![typescript](https://img.shields.io/badge/language-typescript-blue) [![license badge](https://img.shields.io/github/license/Kruithne/spooder?color=yellow)](LICENSE) ![npm version](https://img.shields.io/npm/v/spooder?color=c53635) ![bun](https://img.shields.io/badge/runtime-bun-f9f1e1)
+# spooder &middot; ![typescript](https://img.shields.io/badge/language-typescript-blue) [![license badge](https://img.shields.io/github/license/Kruithne/spooder?color=yellow)](LICENSE) ![npm version](https://img.shields.io/npm/v/spooder?color=c53635) ![bun](https://img.shields.io/badge/runtime-bun-f9f1e1)
 
-`spooder` is a purpose-built server solution written using the [Bun](https://bun.sh/) runtime.
+`spooder` is a purpose-built server solution that shifts away from the dependency hell of the Node.js ecosystem, with a focus on stability and performance, which is why:
+- It is built using the [Bun](https://bun.sh/) runtime and not designed to be compatible with Node.js or other runtimes.
+- It uses zero dependencies and only relies on code written explicitly for `spooder` or APIs provided by the Bun runtime, often implemented in native code.
+- It provides streamlined APIs for common server tasks in a minimalistic way, without the overhead of a full-featured web framework.
+- It is opinionated in its design to reduce complexity and overhead.
 
-### What does it do?
-
-`spooder` consists of a command-line tool which provides automatic updating/restarting and canary functionality, and a building-block API for creating servers.
-
-### Should I use it?
-
-Probably not. You are free to use `spooder` if you fully understand the risks and limitations of doing so, however here is a list of things you should consider before using it:
-
-⚠️ This is not a Node.js package. It is built using the [Bun](https://bun.sh/) runtime, which is still experimental as of writing.
-
-⚠️ It is designed to be highly opinionated and is not intended to be a general-purpose server, so configuration is limited.
-
-⚠️ It is not a full-featured web server and only provides the functionality as required for the projects it has been built for.
-
-⚠️ It has not been battle-tested and may contain bugs or security issues. The authors of this project are not responsible for any problems caused by using this software.
+It consists of two components, the `CLI` and the `API`. 
+- The `CLI` is responsible for keeping the server process running, applying updates in response to source control changes, and automatically raising issues on GitHub via the canary feature.
+- The `API` provides a minimal building-block style API for developing servers, with a focus on simplicity and performance.
 
 # Installation
 
@@ -32,42 +24,58 @@ bun add spooder
 
 # Configuration
 
-Both the runner and the API are configured in the same way by providing a `spooder` object in your `package.json` file.
+Both the `CLI` and the API are configured in the same way by providing a `spooder` object in your `package.json` file.
 
 ```json
 {
 	"spooder": {
-		"autoRestart": 5000,
-		"run": "bun run index.ts",
+		"auto_restart": 5000,
 		"update": [
 			"git pull",
 			"bun install"
-		]
+		],
+		"canary": {
+			"account": "",
+			"repository": "",
+			"labels": [],
+			"crash_console_history": 64,
+			"throttle": 86400,
+			"sanitize": true
+		}
 	}
 }
 ```
 
 If there are any issues with the provided configuration, a warning will be printed to the console but will not halt execution. `spooder` will always fall back to default values where invalid configuration is provided.
 
-Configuration warnings **do not** raise `caution` events with the `spooder` canary functionality.
+> [!NOTE]
+> Configuration warnings **do not** raise `caution` events with the `spooder` canary functionality.
 
-# Runner
+# CLI
 
-`spooder` includes a global command-line tool for running servers. It is recommended that you run this in a `screen` session.
+The `CLI` component of `spooder` is a global command-line tool for running server processes.
 
-```bash
-screen -S spooder # Create a new screen session
-cd /var/www/my_server/
-spooder
-```
+- [CLI > Usage](#cli-usage)
+- [CLI > Auto Restart](#cli-auto-restart)
+- [CLI > Auto Update](#cli-auto-update)
+- [CLI > Canary](#cli-canary)
+	- [CLI > Canary > Crash](#cli-canary-crash)
+	- [CLI > Canary > Sanitization](#cli-canary-sanitization)
+	- [CLI > Canary > System Information](#cli-canary-system-information)
 
-While the intended use of this runner is for web servers, it can be used to run anything. It provides two primary features: automatic updating and automatic restarting.
 
-## Entry Point
+<a id="cli-usage"></a>
+## CLI > Usage
 
-`spooder` will attempt to launch the server from the current working directory using the command `bun run index.ts` as a default.
+For convenience, it is recommended that you run this in a `screen` session.
 
-To customize this, provide an alternative command via the `run` configuration.
+```bash
+screen -S my-website-about-fish.net
+cd /var/www/my-website-about-fish.net/
+spooder
+```
+
+`spooder` will launch your server either by executing the `run` command provided in the configuration, or by executing `bun run index.ts` by default.
 
 ```json
 {
@@ -77,25 +85,40 @@ To customize this, provide an alternative command via the `run` configuration.
 }
 ```
 
-While `spooder` uses a `bun run` command by default, it is possible to use any command string.
+While `spooder` uses a `bun run` command by default, it is possible to use any command string. For example if you wanted to launch a server using `node` instead of `bun`, you could do the following.
+
+```json
+{
+	"spooder": {
+		"run": "node my_server.js"
+	}
+}
+```
+<a id="cli-auto-restart"></a>
+## CLI > Auto Restart
 
-## Auto Restart
+> [!NOTE]
+> This feature is not enabled by default.
 
-In the event that the server exits (regardless of exit code), `spooder` can automatically restart it after a short delay. To enable this feature specify the restart delay in milliseconds as `autoRestart` in the configuration.
+In the event that the server process exits, regardless of exit code, `spooder` can automatically restart it after a short delay. To enable this feature specify the restart delay in milliseconds as `auto_restart` in the configuration.
 
 ```json
 {
 	"spooder": {
-		"autoRestart": 5000
+		"auto_restart": 5000
 	}
 }
 ```
 
 If set to `0`, the server will be restarted immediately without delay. If set to `-1`, the server will not be restarted at all.
 
-## Auto Update
+<a id="cli-auto-update"></a>
+## CLI > Auto Update
 
-When starting your server, `spooder` can automatically update the source code in the working directory. To enable this feature, the necessary update commands can be provided in the configuration as an array of strings.
+> [!NOTE]
+> This feature is not enabled by default.
+
+When starting or restarting a server process, `spooder` can automatically update the source code in the working directory. To enable this feature, the necessary update commands can be provided in the configuration as an array of strings.
 
 ```json
 {
@@ -108,28 +131,31 @@ When starting your server, `spooder` can automatically update the source code in
 }
 ```
 
-Commands will be executed in sequence, and the server will not be started until after the commands have resolved.
+Each command should be a separate entry in the array and will be executed in sequence. The server process will be started once all commands have resolved.
 
-Each command should be a separate item in the array. Chaining commands in a single string using the `&&` or `||` operators will not work.
+> [!IMPORTANT]
+> Chainging commands using `&&` or `||` operators does not work.
 
 If a command in the sequence fails, the remaining commands will not be executed, however the server will still be started. This is preferred over entering a restart loop or failing to start the server at all.
 
-As well as being executed when the server is first started, the `update` commands are also run when `spooder` automatically restarts the server after it exits.
-
-You can utilize this to automatically update your server in response to a webhook or other event by simply exiting the process.
+You can utilize this to automatically update your server in response to a webhook by exiting the process.
 
 ```ts
-events.on('receive-webhook', () => {
-	// <- Gracefully finish processing here.
-	process.exit(0);
+server.webhook(process.env.WEBHOOK_SECRET, '/webhook', payload => {
+	setImmediate(() => server.stop(false));
+	return 200;
 });
 ```
 
-## Canary
+<a id="cli-canary"></a>
+## CLI > Canary
+
+> [!NOTE]
+> This feature is not enabled by default.
 
 `canary` is a feature in `spooder` which allows server problems to be raised as issues in your repository on GitHub.
 
-To enable this feature, there are a couple of steps you need to take.
+To enable this feature, you will need to configure a GitHub App and configure it:
 
 ### 1. Create a GitHub App
 
@@ -142,7 +168,8 @@ Once created, install the GitHub App to your account. The app will need to be gi
 
 In addition to the **App ID** that is assigned automatically, you will also need to generate a **Private Key** for the app. This can be done by clicking the **Generate a private key** button on the app page.
 
-> Note: The private keys provided by GitHub are in PKCS#1 format, but only PKCS#8 is supported. You can convert the key file with the following command.
+> [!NOTE]
+> The private keys provided by GitHub are in PKCS#1 format, but only PKCS#8 is supported. You can convert the key file with the following command.
 
 ```bash
 openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.key
@@ -164,7 +191,7 @@ Each server that intends to use the canary feature will need to have the private
 
 Replace `<GITHUB_ACCOUNT_NAME>` with the account name you have installed the GitHub App to, and `<GITHUB_REPOSITORY>` with the repository name you want to use for issues.
 
-The repository name must in the format `owner/repo` (e.g. `facebook/react`).
+The repository name must in the full-name format `owner/repo` (e.g. `facebook/react`).
 
 The `labels` property can be used to provide a list of labels to automatically add to the issue. This property is optional and can be omitted.
 
@@ -178,26 +205,36 @@ SPOODER_CANARY_KEY=/home/bond/.ssh/id_007_pcks8.key
 ```
 
 `SPOODER_CANARY_APP_ID` is the **App ID** as shown on the GitHub App page.
+
 `SPOODER_CANARY_KEY` is the path to the private key file in PKCS#8 format.
 
+> [!NOTE]
+> Since `spooder` uses the Bun runtime, you can use the `.env.local` file in the project root directory to set these environment variables per-project.
+
 ### 4. Use canary
 
 Once configured, `spooder` will automatically raise an issue when the server exits with a non-zero exit code. 
 
 In addition, you can manually raise issues using the `spooder` API by calling `caution()` or `panic()`. More information about these functions can be found in the `API` section.
 
-## Crash
+If `canary` has not been configured correctly, `spooder` will only print warnings to the console when it attempts to raise an issue.
+
+> [!WARNING]
+> Consider testing the canary feature with the `caution()` function before relying on it for critical issues.
+
+<a id="cli-canary-crash"></a>
+## CLI > Canary > Crash
 
 It is recommended that you harden your server code against unexpected exceptions and use `panic()` and `caution()` to raise issues with selected diagnostic information.
 
-In the event that the server does encounter an unexpected exception which causes it to exit with a non-zero exit code, `spooder` will automatically raise an issue on GitHub using the canary feature, if configured.
+In the event that the server does encounter an unexpected exception which causes it to exit with a non-zero exit code, `spooder` will provide some diagnostic information in the canary report.
 
-Since this issue has been caught externally, `spooder` has no context of the exception which was raised. Instead, the canary report will contain the output from `stderr`.
+Since this issue has been caught externally, `spooder` has no context of the exception which was raised. Instead, the canary report will contain the output from both `stdout` and `stderr`.
 
 ```json
 {
-	"exitCode": 1,
-	"stderr": [
+	"proc_exit_code": 1,
+	"console_output": [
 		"[2.48ms] \".env.local\"",
 		"Test output",
 		"Test output",
@@ -216,11 +253,26 @@ Since this issue has been caught externally, `spooder` has no context of the exc
 }
 ```
 
-This information is subject to sanitization, as described in the `Sanitization` section, however you should be aware that stack traces may contain sensitive information.
+The `proc_exit_code` property contains the exit code that the server exited with.
 
-Additionally, Bun includes a relevant code snippet from the source file where the exception was raised. This is intended to help you identify the source of the problem.
+The `console_output` will contain the last `64` lines of output from `stdout` and `stderr` combined. This can be configured by setting the `spooder.canary.crash_console_history` property to a length of your choice.
 
-## Sanitization
+```json
+{
+	"spooder": {
+		"canary": {
+			"crash_console_history": 128
+		}
+	}
+}
+```
+
+This information is subject to sanitization, as described in the `CLI > Canary > Sanitization` section, however you should be aware that stack traces may contain sensitive information.
+
+Setting `spooder.canary.crash_console_history` to `0` will omit the `console_output` property from the report entirely, which may make it harder to diagnose the problem but will ensure that no sensitive information is leaked.
+
+<a id="cli-canary-sanitization"></a>
+## CLI > Canary > Sanitization
 
 All reports sent via the canary feature are sanitized to prevent sensitive information from being leaked. This includes:
 
@@ -265,9 +317,11 @@ The sanitization behavior can be disabled by setting `spooder.canary.sanitize` t
 }
 ```
 
-While this sanitization adds a layer of protection against information leaking, it does not catch everything. You should pay special attention to messages and objects provided to the canary to not unintentionally leak sensitive information.
+> [!WARNING]
+> While this sanitization adds a layer of protection against information leaking, it does not catch everything. You should pay special attention to messages and objects provided to the canary to not unintentionally leak sensitive information.
 
-## System Information
+<a id="cli-canary-system-information"></a>
+## CLI > Canary > System Information
 
 In addition to the information provided by the developer, `spooder` also includes some system information in the canary reports.
 
@@ -303,27 +357,74 @@ In addition to the information provided by the developer, `spooder` also include
 		"uv": "1.44.2",
 		"napi": "8",
 		"modules": "108"
+	},
+	"bun": {
+		"version": "0.6.4",
+		"rev": "f02561530fda1ee9396f51c8bc99b38716e38296",
+		"memory_usage": {
+			"rss": 99672064,
+			"heapTotal": 3039232,
+			"heapUsed": 2332783,
+			"external": 0,
+			"arrayBuffers": 0
+		},
+		"cpu_usage": {
+			"user": 50469,
+			"system": 0
+		}
 	}
 }
 ```
 
 # API
 
-`spooder` exposes a build-block style API for developing servers. The API is designed to be minimal to leave control in the hands of the developer and not add overhead for features you may not need.
+`spooder` exposes a simple yet powerful API for developing servers. The API is designed to be minimal to leave control in the hands of the developer and not add overhead for features you may not need.
+
+- [API > Serving](#api-serving)
+	- [`serve(port: number): Server`](#api-serving-serve)
+- [API > Routing](#api-routing)
+	- [`server.route(path: string, handler: RequestHandler)`](#api-routing-server-route)
+	- [Redirection Routes](#api-routing-redirection-routes)
+- [API > Routing > RequestHandler](#api-routing-request-handler)
+- [API > Routing > Fallback Handling](#api-routing-fallback-handlers)
+	- [`server.handle(status_code: number, handler: RequestHandler)`](#api-routing-server-handle)
+	- [`server.default(handler: DefaultHandler)`](#api-routing-server-default)
+	- [`server.error(handler: ErrorHandler)`](#api-routing-server-error)
+- [API > Routing > Directory Serving](#api-routing-directory-serving)
+	- [`server.dir(path: string, dir: string, handler?: DirHandler)`](#api-routing-server-dir)
+- [API > Routing > Server-Sent Events](#api-routing-server-sent-events)
+	- [`server.sse(path: string, handler: ServerSentEventHandler)`](#api-routing-server-sse)
+- [API > Routing > Webhooks](#api-routing-webhooks)
+	- [`server.webhook(secret: string, path: string, handler: WebhookHandler)`](#api-routing-server-webhook)
+- [API > Server Control](#api-server-control)
+	- [`server.stop(immediate: boolean)`](#api-server-control-server-stop)
+- [API > Error Handling](#api-error-handling)
+	- [`ErrorWithMetadata(message: string, metadata: object)`](#api-error-handling-error-with-metadata)
+	- [`caution(err_message_or_obj: string | object, ...err: object[]): Promise<void>`](#api-error-handling-caution)
+	- [`panic(err_message_or_obj: string | object, ...err: object[]): Promise<void>`](#api-error-handling-panic)
+- [API > Content](#api-content)
+	- [`template_sub(template: string, replacements: Record<string, string>): string`](#api-content-template-sub)
+	- [`generate_hash_subs(length: number, prefix: string): Promise<Record<string, string>>`](#api-content-generate-hash-subs)
+	- [`apply_range(file: BunFile, request: Request): HandlerReturnType`](#api-content-apply-range)
+- [API > State Management](#api-state-management)
+	- [`set_cookie(res: Response, name: string, value: string, options?: CookieOptions)`](#api-state-management-set-cookie)
+	- [`get_cookies(source: Request | Response): Record<string, string>`](#api-state-management-get-cookies)
+
+<a id="api-serving"></a>
+## API > Serving
+
+<a id="api-serving-serve"></a>
+### `serve(port: number): Server`
+
+Bootstrap a server on the specified port.
 
 ```ts
-import { ... } from 'spooder';
-```
+import { serve } from 'spooder';
 
-#### `serve(port: number): Server`
-
-The `serve` function simplifies the process of boostrapping a server. Setting up a functioning server is as simple as calling the function and passing a port number to listen on.
-
-```ts
 const server = serve(8080);
 ```
 
-Without any additional configuration, this will create a server which listens on the specified port and responds to all requests with the following response.
+By default, the server responds with:
 
 ```http
 HTTP/1.1 404 Not Found
@@ -333,11 +434,13 @@ Content-Type: text/plain;charset=utf-8
 Not Found
 ```
 
-To build functionality on top of this, there are a number of functions that can be called from the `Server` object.
+<a id="api-routing"></a>
+## API > Routing
 
-#### `server.route(path: string, handler: RequestHandler)`
+<a id="api-routing-server-route"></a>
+### 🔧 `server.route(path: string, handler: RequestHandler)`
 
-The `route` function allows you to register a handler for a specific path. The handler will be called for all requests that exactly match the given path.
+Register a handler for a specific path.
 
 ```ts
 server.route('/test/route', (req, url) => {
@@ -345,372 +448,577 @@ server.route('/test/route', (req, url) => {
 });
 ```
 
-Additionally, routes also support named parameters. These are defined by prefixing a path segment with a colon. These are added directly to the `searchParams` property of the `URL` object.
+<a id="api-routing-redirection-routes"></a>
+### Redirection Routes
+
+`spooder` does not provide a built-in redirection handler since it's trivial to implement one using [`Response.redirect`](https://developer.mozilla.org/en-US/docs/Web/API/Response/redirect_static), part of the standard Web API.
 
 ```ts
-server.route('/test/:param', (req, url) => {
-	return new Response(url.searchParams.get('param'), { status: 200 });
-});
+server.route('/redirect', () => Response.redirect('/redirected', 301));
 ```
-> Note: Named parameters will overwrite existing search parameters with the same name.
 
-By default routes are matched exactly, but you can also use a wildcard to match any path that starts with a given path.
+<a id="api-routing-request-handler"></a>
+## API > Routing > RequestHandler
+
+`RequestHandler` is a function that accepts a [`Request`](https://developer.mozilla.org/en-US/docs/Web/API/Request) object and a [`URL`](https://developer.mozilla.org/en-US/docs/Web/API/URL) object and returns a `HandlerReturnType`.
+
+`HandlerReturnType` must be one of the following.
+
+| Type | Description |
+| --- | --- |
+| `Response` | https://developer.mozilla.org/en-US/docs/Web/API/Response |
+| `Blob` | https://developer.mozilla.org/en-US/docs/Web/API/Blob |
+| `BunFile` | https://bun.sh/docs/api/file-io |
+| `object` | Will be serialized to JSON. |
+| `string` | Will be sent as `text/html``. |
+| `number` | Sets status code and sends status message as plain text. |
+
+> [!NOTE]
+> For custom JSON serialization on an object/class, implement the [`toJSON()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify) method.
+
+`HandleReturnType` can also be a promise resolving to any of the above types, which will be awaited before sending the response.
+
+> [!NOTE]
+> Returning `Bun.file()` directly is the most efficient way to serve static files as it uses system calls to stream the file directly to the client without loading into user-space.
+
+<a id="api-routing-query-parameters"></a>
+## API > Routing > Query Parameters
+
+Query parameters can be accessed from the `searchParams` property on the `URL` object.
 
 ```ts
-server.route('/test/*', (req, url) => {
-	return new Response('Hello, world!', { status: 200 });
+server.route('/test', (req, url) => {
+	return new Response(url.searchParams.get('foo'), { status: 200 });
 });
 ```
 
-The above will match any path the starts with `/test`, such as:
-- `/test`
-- `/test/`
-- `/test/route`
-- `/test/route/foo.txt`
+```http
+GET /test?foo=bar HTTP/1.1
+
+HTTP/1.1 200 OK
+Content-Length: 3
+
+bar
+```
 
-If you intend to use this for directory serving, you may be better suited looking at the `server.dir()` function.
+Named parameters can be used in paths by prefixing a path segment with a colon.
 
-Wildcards can also be placed anywhere in the path, allowing anything to be placed in a given single segment - it does not span multiple segments.
+> [!NOTE]
+> Named parameters will overwrite existing query parameters with the same name.
 
 ```ts
-server.route('/test/*/route', (req, url) => {
-	return new Response('Hello, world!', { status: 200 });
+server.route('/test/:param', (req, url) => {
+	return new Response(url.searchParams.get('param'), { status: 200 });
 });
 ```
 
-The above would allow anything to be placed in the middle segment. This behavior is documented for clarity as it is a byproduct of wildcard implementation for directories, but it is recommended you use the named parameters feature instead.
+<a id="api-routing-wildcards"></a>
+## API > Routing > Wildcards
 
-Using the standard Web API, the route handler above receives a [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) object and returns a [Response](https://developer.mozilla.org/en-US/docs/Web/API/Response) object, which is then sent to the client.
+Wildcards can be used to match any path that starts with a given path.
 
-All handle registration functions in `spooder` support registering async functions which will be awaited before sending the response.
+> [!NOTE]
+> If you intend to use this for directory serving, you may be better suited looking at the `server.dir()` function.
 
 ```ts
-server.route('/test/route', async (req, url) => {
-	await new Promise((resolve) => setTimeout(resolve, 1000));
+server.route('/test/*', (req, url) => {
 	return new Response('Hello, world!', { status: 200 });
 });
 ```
 
-To streamline this process, `spooder` allows a number of other return types to be used as shortcuts.
+> [!IMPORTANT]
+> Routes are [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) and wildcards are greedy. Wildcards should be registered last to ensure they do not consume more specific routes.
 
-Returning a `number` type treats the number as a status code and sends a relevant response.
+```ts
+server.route('/*', () => 301);
+server.route('/test', () => 200);
 
-By default, this will be a plain text response with the applicable status message as the body. This can be overridden with `server.handle()` or `server.default()`, which will be covered later.
+// Accessing /test returns 301 here, because /* matches /test first.
+```
+
+<a id="api-routing-fallback-handlers"></a>
+## API > Routing > Fallback Handlers
 
+<a id="api-routing-server-handle"></a>
+### 🔧 `server.handle(status_code: number, handler: RequestHandler)`
+Register a custom handler for a specific status code.
 ```ts
-server.route('/test/route', (req) => {
-	return 500;
+server.handle(500, (req) => {
+	return new Response('Custom Internal Server Error Message', { status: 500 });
 });
 ```
-```http
-HTTP/1.1 500 Internal Server Error
-Content-Length: 21
-Content-Type: text/plain;charset=utf-8
 
-Internal Server Error
+<a id="api-routing-server-default"></a>
+### 🔧 `server.default(handler: DefaultHandler)`
+Register a handler for all unhandled response codes.
+> [!NOTE]
+> If you return a `Response` object from here, you must explicitly set the status code.
+```ts
+server.default((req, status_code) => {
+	return new Response(`Custom handler for: ${status_code}`, { status: status_code });
+});
 ```
 
-Returning a `Blob` type, such as the `FileBlob` returned from the `Bun.file()` API, will send the blob as the response body with the appropriate content type and length headers.
+<a id="api-routing-server-error"></a>
+### 🔧 `server.error(handler: ErrorHandler)`
+Register a handler for uncaught errors.
 
+> [!NOTE]
+> This handler does not accept asynchronous functions and must return a `Response` object.
 ```ts
-server.route('test/route', (req) => {
-	// Note that calling Bun.file() does not immediately read
-	// the file from disk, it will be streamed with the response.
-	return Bun.file('test.png');
+server.error((err, req, url) => {
+	return new Response('Custom Internal Server Error Message', { status: 500 });
 });
 ```
-```http
-HTTP/1.1 200 OK
-Content-Length: 12345
-Content-Type: image/png
 
-<binary data>
+> [!IMPORTANT]
+> It is highly recommended to use `caution()` or some form of reporting to notify you when this handler is called, as it means an error went entirely uncaught.
+
+```ts
+server.error((err, req, url) => {
+	// Notify yourself of the error.
+	caution({ err, url });
+
+	// Return a response to the client.
+	return new Response('Custom Internal Server Error Message', { status: 500 });
+});
 ```
 
-Return an `object` type, such as an array or a plain object, will send the object as JSON with the appropriate content type and length headers.
+<a id="api-routing-directory-serving"></a>
+## API > Routing > Directory Serving
 
+<a id="api-routing-server-dir"></a>
+### 🔧 `server.dir(path: string, dir: string, handler?: DirHandler)`
+Serve files from a directory.
 ```ts
-server.route('test/route', (req) => {
-	return { message: 'Hello, world!' };
-});
+server.dir('/content', './public/content');
 ```
-```http
-HTTP/1.1 200 OK
-Content-Length: 25
-Content-Type: application/json;charset=utf-8
 
-{"message":"Hello, world!"}
+> [!IMPORTANT]
+> `server.dir` registers a wildcard route. Routes are [FIFO](https://en.wikipedia.org/wiki/FIFO_(computing_and_electronics)) and wildcards are greedy. Directories should be registered last to ensure they do not consume more specific routes.
+
+```ts
+server.dir('/', '/files');
+server.route('/test', () => 200);
+
+// Route / is equal to /* with server.dir()
+// Accessing /test returns 404 here because /files/test does not exist.
 ```
 
-Since custom classes are also objects, you can also return a custom class instance and it will be serialized to JSON. To control the serialization process, you can implement the `toJSON()` method on your class.
+By default, spooder will use the following default handler for serving directories.
 
 ```ts
-class User {
-	constructor(public name: string, public age: number) {}
+function default_directory_handler(file_path: string, file: BunFile, stat: DirStat, request: Request): HandlerReturnType {
+	// ignore hidden files by default, return 404 to prevent file sniffing
+	if (path.basename(file_path).startsWith('.'))
+		return 404; // Not Found
 
-	toJSON() {
-		return {
-			name: this.name,
-			age: this.age,
-		};
-	}
-}
+	if (stat.isDirectory())
+		return 401; // Unauthorized
 
-server.route('test/route', (req) => {
-	return new User('Bob', 42);
-});
+	return apply_range(file, request);
+}
 ```
-```http
-HTTP/1.1 200 OK
-Content-Length: 25
-Content-Type: application/json;charset=utf-8
 
-{"name":"Bob","age":42}
-```
+> [!NOTE]
+> Uncaught `ENOENT` errors throw from the directory handler will return a `404` response, other errors will return a `500` response.
+
+> [!NOTE]
+> The call to `apply_range` in the default directory handler will automatically slice the file based on the [`Range`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Range) header. This function is also exposed as part of the `spooder` API for use in your own handlers.
+
+Provide your own directory handler for fine-grained control.
 
-Any other type that is returned from a route handler will be converted to a string and sent as the response body with the appropriate length header and the content type `text/plain`.
+> [!IMPORTANT]
+> Providing your own handler will override the default handler defined above. Be sure to implement the same logic if you want to retain the default behavior.
+
+| Parameter | Type | Reference |
+| --- | --- | --- |
+| `file_path` | `string` | The path to the file on disk. |
+| `file` | `BunFile` | https://bun.sh/docs/api/file-io |
+| `stat` | `fs.Stats` | https://nodejs.org/api/fs.html#class-fsstats |
+| `request` | `Request` | https://developer.mozilla.org/en-US/docs/Web/API/Request |
+| `url` | `URL` | https://developer.mozilla.org/en-US/docs/Web/API/URL |
 
 ```ts
-server.route('test/route', (req) => {
-	return Symbol('foo');
+server.dir('/static', '/static', (file_path, file, stat, request, url) => {
+	// Implement custom logic.
+	return file; // HandlerReturnType
 });
 ```
-```http
-HTTP/1.1 200 OK
-Content-Length: 7
-Content-Type: text/plain;charset=utf-8
 
-Symbol(foo)
-```
+> [!NOTE]
+> The directory handler function is only called for files that exist on disk - including directories.
 
-#### `server.default(handler: DefaultHandler)`
+<a id="api-routing-server-sse"></a>
+## API > Routing > Server-Sent Events
 
-The server uses a default handler which responds to requests for which there was no handler registered, or the registered handler returned a numeric status code.
+<a id="api-routing-server-sse"></a>
+### 🔧 `server.sse(path: string, handler: ServerSentEventHandler)`
 
-This default handler sends a simple response to the client with the status code and a body containing the status message.
+Setup a [server-sent event](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events) stream.
 
-```http
-HTTP/1.1 404 Not Found
-Content-Length: 9
-Content-Type: text/plain;charset=utf-8
+```ts
+server.sse('/sse', (req, url, client) => {
+	client.message('Hello, client!'); // Unnamed event.
+	client.event('named_event', 'Hello, client!'); // Named event.
 
-Not Found
+	client.message(JSON.stringify({ foo: 'bar' })); // JSON message.
+});
 ```
 
-To customize the behavior of this handler, you can register a custom default handler using the `default` function.
+`client.closed` is a promise that resolves when the client closes the connection.
 
 ```ts
-server.default((req, status_code) => {
-	return new Response(`Custom error: ${status_code}`, { status: status_code });
+const clients = new Set();
+
+server.sse('/sse', (req, url, client) => {
+	clients.add(client);
+	client.closed.then(() => clients.delete(client));
+});
+```
+
+Connections can be manually closed with `client.close()`. This will also trigger the `client.closed` promise to resolve.
+
+```ts
+server.sse('/sse', (req, url, client) => {
+	client.message('Hello, client!');
+
+	setTimeout(() => {
+		client.message('Goodbye, client!');
+		client.close();
+	}, 5000);
 });
 ```
 
-Using your own default handler allows you to provide a custom response for unhandled requests based on the status code.
+<a id="api-routing-webhooks"></a>
+## API > Routing > Webhooks
 
-The return type from this handler can be any of the expected return types from a normal route handler with the exception that returning a `number` type will not be treated as a status code and will instead be treated as a plain text response.
+<a id="api-routing-server-webhook"></a>
+### 🔧 `server.webhook(secret: string, path: string, handler: WebhookHandler)`
 
-If is worth noting that if you return a `Response` object from this handler, you must implicitly set the status code. If you do not, the status code will be set to `200` by default.
+Setup a webhook handler.
 
 ```ts
-server.default((req, status_code) => {
-	return new Response(`Custom error: ${status_code}`);
+server.webhook(process.env.WEBHOOK_SECRET, '/webhook', payload => {
+	// React to the webhook.
+	return 200;
 });
 ```
-```http
-HTTP/1.1 200 OK
-Content-Length: 18
-Content-Type: text/plain;charset=utf-8
 
-Custom error: 404
-```
+A webhook callback will only be called if the following critera is met by a request:
+- Request method is `POST` (returns `405` otherwise)
+- Header `X-Hub-Signature-256` is present (returns `400` otherwise)
+- Header `Content-Type` is `application/json` (returns `401` otherwise)
+- Request body is a valid JSON object (returns `500` otherwise)
+- HMAC signature of the request body matches the `X-Hub-Signature-256` header (returns `401` otherwise)
 
-Returning anything else, such as a `Blob`, `object` or `string`, the status code will automatically be set to `status_code`. To override this behavior you must provide a `Response` object.
+> [!NOTE]
+> Constant-time comparison is used to prevent timing attacks when comparing the HMAC signature.
 
-#### `server.handle(status_code: number, handler: RequestHandler)`
+<a id="api-server-control"></a>
+## API > Server Control
 
-The `handle` function allows you to register a handler for a specific status code. This handler will take priority over the default handler.
+<a id="api-server-control-stop"></a>
+### 🔧 `server.stop(immediate: boolean)`
+
+Stop the server process immediately, terminating all in-flight requests.
 
 ```ts
-server.handle(500, (req) => {
-	return new Response('Custom Internal Server Error Message', { status: 500 });
-});
+server.stop(true);
 ```
-```http
-HTTP/1.1 500 Internal Server Error
-Content-Length: 36
-Content-Type: text/plain;charset=utf-8
 
-Custom Internal Server Error Message
+Stop the server process gracefully, waiting for all in-flight requests to complete.
+
+```ts
+server.stop(false);
 ```
 
-The return type from this handler can be any of the expected return types from a normal route handler with the exception that returning a `number` type will not be treated as a status code and will instead be treated as a plain text response.
+<a id="api-error-handling"></a>
+## API > Error Handling
 
-If is worth noting that if you return a `Response` object from this handler, you must implicitly set the status code. If you do not, the status code will be set to `200` by default.
+<a id="api-error-handling-error-with-metadata"></a>
+### 🔧 `ErrorWithMetadata(message: string, metadata: object)`
+
+The `ErrorWithMetadata` class allows you to attach metadata to errors, which can be used for debugging purposes when errors are dispatched to the canary.
 
 ```ts
-server.handle(500, (req) => {
-	return new Response('Custom Internal Server Error Message');
-});
+throw new ErrorWithMetadata('Something went wrong', { foo: 'bar' });
 ```
-```http
-HTTP/1.1 200 OK
-Content-Length: 36
-Content-Type: text/plain;charset=utf-8
 
-Custom Internal Server Error Message
-```
+Functions and promises contained in the metadata will be resolved and the return value will be used instead.
 
-Returning anything else, such as a `Blob`, `object` or `string`, the status code will automatically be set. To override this behavior you must provide a `Response` object.
+```ts
+throw new ErrorWithMetadata('Something went wrong', { foo: () => 'bar' });
+```
 
-#### `server.error(handler: ErrorHandler)`
+<a id="api-error-handling-caution"></a>
+### 🔧 `caution(err_message_or_obj: string | object, ...err: object[]): Promise<void>`
 
-The `error` function allows you to register a handler for any uncaught errors that occur during the request handling process. 
+Raise a warning issue on GitHub. This is useful for non-fatal issues which you want to be notified about.
 
-Unlike other handlers, it does not accept asynchronous functions and it must return a `Response` object.
+> [!NOTE]
+> This function is only available if the canary feature is enabled.
 
 ```ts
-server.error((req, err) => {
-	return new Response('Custom Internal Server Error Message', { status: 500 });
-});
+try {
+	// Perform a non-critical action, such as analytics.
+	// ...
+} catch (e) {
+	// `caution` is async, you can use it without awaiting.
+	caution(e);
+}
 ```
-```http
-HTTP/1.1 500 Internal Server Error
-Content-Length: 36
-Content-Type: text/plain;charset=utf-8
 
-Custom Internal Server Error Message
+Additional data can be provided as objects which will be serialized to JSON and included in the report.
+
+```ts
+caution(e, { foo: 42 });
 ```
-This should be used as a last resort to catch unintended errors and should not be part of your normal request handling process. Generally speaking, this handler should only be called if you have a bug in your code.
 
-#### `server.dir(path: string, dir: string)`
+A custom error message can be provided as the first parameter
 
-The `dir` function allows you to serve static files from a directory on your file system. 
+> [!NOTE]
+> Avoid including dynamic information in the title that would prevent the issue from being unique.
 
 ```ts
-server.dir('/content', './public/content');
+caution('Custom error', e, { foo: 42 });
 ```
 
-The above example will serve all files from `./public/content` to any requests made to `/content`. For example `/content/test.txt` will serve the file `./public/content/test.txt`.
+Issues raised with `caution()` are rate-limited. By default, the rate limit is `86400` seconds (24 hours), however this can be configured in the `spooder.canary.throttle` property.
+
+```json
+{
+	"spooder": {
+		"canary": {
+			"throttle": 86400
+		}
+	}
+}
+```
 
-- This function is recursive and will serve all files from the specified directory and any subdirectories.
-- Requesting a directory will return a 401 response (subject to your configured handlers).
-- Requesting a file that does not exist will return a 404 response (subject to your configured handlers).
-- Requesting a file that is not readable will return a 500 response (subject to your configured handlers).
+Issues are considered unique by the `err_message` parameter, so avoid using dynamic information that would prevent this from being unique.
 
-By default, hidden files (files prefixed with `.`) will not be served. To serve hidden files, you must set `ignoreHidden` to `false` in the `options` parameter.
+If you need to provide unique information, you can use the `err` parameter to provide an object which will be serialized to JSON and included in the issue body.
 
 ```ts
-server.dir('/content', './public/content', { ignoreHidden: false });
+const some_important_value = Math.random();
+
+// Bad: Do not use dynamic information in err_message.
+await caution('Error with number ' + some_important_value);
+
+// Good: Use err parameter to provide dynamic information.
+await caution('Error with number', { some_important_value });
 ```
 
-If `ignoreHidden` is set to `true` (default) then requesting a hidden file will return a 404 response (subject to your configured handlers).
+<a id="api-error-handling-panic"></a>
+### 🔧 `panic(err_message_or_obj: string | object, ...err: object[]): Promise<void>`
+
+This behaves the same as `caution()` with the difference that once `panic()` has raised the issue, it will exit the process with a non-zero exit code.
 
-Additionally, the `index` property can be set to a filename such as `index.html` to serve a default file when a directory is requested.
+> [!NOTE]
+> This function is only available if the canary feature is enabled.
+
+This should only be used as an absolute last resort when the server cannot continue to run and will be unable to respond to requests.
 
 ```ts
-server.dir('/content', './public/content', { index: 'index.html' });
+try {
+	// Perform a critical action.
+	// ...
+} catch (e) {
+	// You should await `panic` since the process will exit.
+	await panic(e);
+}
 ```
 
-The above will serve `./public/content/index.html` when `/content` is requested.
+<a id="api-content"></a>
+## API > Content
 
-#### `server.stop(method: ServerStop)`
+<a id="api-content-template-sub"></a>
+### 🔧 `template_sub(template: string, replacements: Record<string, string>): string`
 
-The `stop` function allows you to stop the server. `method` is one of `ServerStop.IMMEDIATE` or `ServerStop.GRACEFUL`.
+Replace placeholders in a template string with values from a replacement object.
 
-`ServerStop.GRACEFUL` will stop accepting new requests and wait for all in-flight requests to complete before stopping the server. This is the default behavior.
+> [!NOTE]
+> Placeholders that do not appear in the replacement object will be left as-is. See `ignored` in below example.
 
-`ServerStop.IMMEDIATE` will immediately stop the server, terminating all in-flight requests.
+```ts
+const template = `
+	<html>
+		<head>
+			<title>{title}</title>
+		</head>
+		<body>
+			<h1>{title}</h1>
+			<p>{content}</p>
+			<p>{ignored}</p>
+		</body>
+	</html>
+`;
+
+const replacements = {
+	title: 'Hello, world!',
+	content: 'This is a test.'
+};
+
+const html = template_sub(template, replacements);
+```
 
----
+```html
+<html>
+	<head>
+		<title>Hello, world!</title>
+	</head>
+	<body>
+		<h1>Hello, world!</h1>
+		<p>This is a test.</p>
+		<p>{ignored}</p>
+	</body>
+</html>
+```
 
-#### `ErrorWithMetadata(message: string, metadata: object)`
+<a id="api-content-generate-hash-subs"></a>
+### 🔧 `generate_hash_subs(prefix: string): Promise<Record<string, string>>`
 
-The `ErrorWithMetadata` class is a thin wrapper around the built-in `Error` class that allows you to attach metadata to the error.
+Generate a replacement table for mapping file paths to hashes in templates. This is useful for cache-busting static assets.
 
-Providing additional information to errors can be used for debugging purposes when errors are dispatched to the canary.
+> [!IMPORTANT]
+> Internally `generate_hash_subs()` uses `git ls-tree -r HEAD`, so the working directory must be a git repository.
 
 ```ts
-throw new ErrorWithMetadata('Something went wrong', { foo: 'bar' });
-```
+let hash_sub_table = {};
 
-For convinience, if any of the values in the `metadata` are functions, they will be called and the return value will be used instead.
+generate_hash_subs().then(subs => hash_sub_table = subs).catch(caution);
 
-Additionally, promises will be resolved and readable streams will be converted to strings.
+server.route('/test', (req, url) => {
+	return template_sub('Hello world {hash=docs/project-logo.png}', hash_sub_table);
+});
+```
 
----
+```html
+Hello world 754d9ea
+```
 
-#### `route_location(redirect_url: string)`
+> [!IMPORTANT]
+> Specify paths as they appear in git, relative to the repository root and with forward slashes (no leading slash).
 
-The `route_location` is a built-in request handler that redirects the client to a specified URL with the status code `301 Moved Permanently`.
+By default hashes are truncated to `7` characters (a short hash), a custom length can be provided instead.
 
 ```ts
-server.route('test/route', route_location('https://example.com');
+generate_hash_subs(40).then(...);
+// d65c52a41a75db43e184d2268c6ea9f9741de63e
 ```
 
-The above is a much shorter equivalent to the following:
+> [!NOTE]
+> SHA-1 hashes are `40` characters. Git is transitioning to SHA-256, which are `64` characters. Short hashes of `7` are generally sufficient for cache-busting.
+
+Use a different prefix other than `hash=` by passing it as the first parameter.
 
 ```ts
-server.route('test/route', (req, url) => {
-	return new Response(null, {
-		status: 301,
-		headers: {
-			Location: 'https://example.com',
-		},
-	});
+generate_hash_subs(7, '#').then(subs => hash_sub_table = subs).catch(caution);
+
+server.route('/test', (req, url) => {
+	return template_sub('Hello world {#docs/project-logo.png}', hash_sub_table);
 });
 ```
----
 
-#### `caution(err_message_or_obj: string | object, ...err: object[]): Promise<void>`
-Raise a warning issue on GitHub. This is useful for non-fatal errors which you want to be notified about.
+<a id="api-apply-range"></a>
+### 🔧 `apply_range(file: BunFile, request: Request): HandlerReturnType`
+
+`apply_range` parses the `Range` header for a request and slices the file accordingly. This is used internally by `server.dir()` and exposed for convenience.
 
 ```ts
-try {
-	// connect to database
-} catch (e) {
-	await caution('Failed to connect to database', e);
-}
+server.route('/test', (req, url) => {
+	const file = Bun.file('./test.txt');
+	return apply_range(file, req);
+});
+```
+
+```http
+GET /test HTTP/1.1
+Range: bytes=0-5
+
+HTTP/1.1 206 Partial Content
+Content-Length: 6
+Content-Range: bytes 0-5/6
+Content-Type: text/plain;charset=utf-8
+
+Hello,
 ```
 
-Providing a custom error message is optional and can be omitted. Additionally you can also provide additional error objects which will be serialized to JSON and included in the report.
+<a id="api-state-management"></a>
+## API > State Management
+
+<a id="api-state-management-set-cookie"></a>
+### 🔧 `set_cookie(res: Response, name: string, value: string, options?: CookieOptions)`
+
+Set a cookie onto a `Response` object.
 
 ```ts
-caution(e); // provide just the error
-caution(e, { foo: 42 }); // additional data
-caution('Custom error', e, { foo: 42 }); // all
+const res = new Response('Cookies!', { status: 200 });
+set_cookie(res, 'my_test_cookie', 'my_cookie_value');
 ```
 
-To prevent spam, issues raised with `caution()` are rate-limited based on a configurable threshold in seconds. By default, the threshold is set to 24 hours per unique issue.
+```http
+HTTP/1.1 200 OK
+Set-Cookie: my_test_cookie=my_cookie_value
+Content-Length: 8
 
-```json
-{
-	"spooder": {
-		"canary": {
-			"throttle": 86400
-		}
-	}
-}
+Cookies!
 ```
 
-Issues are considered unique by the `err_message` parameter, so it is recommended that you do not include any dynamic information in this parameter that would prevent the issue from being unique.
+> [!IMPORTANT]
+> Spooder does not URL encode cookies by default. This can result in invalid cookies if they contain special characters. See `encode` option on `CookieOptions` below.
 
-If you need to provide unique information, you can use the `err` parameter to provide an object which will be serialized to JSON and included in the issue body.
+```ts
+type CookieOptions = {
+	same_site?: 'Strict' | 'Lax' | 'None',
+	secure?: boolean,
+	http_only?: boolean,
+	path?: string,
+	expires?: number,
+	encode?: boolean
+};
+```
+
+Most of the options that can be provided as `CookieOptions` are part of the standard `Set-Cookie` header. See [HTTP Cookies - MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies).
+
+Passing `encode` as `true` will URL encode the cookie value.
 
 ```ts
-const some_important_value = Math.random();
+set_cookie(res, 'my_test_cookie', 'my cookie value', { encode: true });
+```
 
-// Bad: Do not use dynamic information in err_message.
-await caution('Error with number ' + some_important_value);
+```http
+Set-Cookie: my_test_cookie=my%20cookie%20value
+```
 
-// Good: Use err parameter to provide dynamic information.
-await caution('Error with number', { some_important_value });
+<a id="api-state-management-get-cookies"></a>
+### 🔧 `get_cookies(source: Request | Response, decode: boolean = false): Record<string, string>`
+
+Get cookies from a `Request` or `Response` object.
+
+```http
+GET /test HTTP/1.1
+Cookie: my_test_cookie=my_cookie_value
 ```
-It is not required that you `await` the `caution()`, and in situations where parallel processing is required, it is recommended that you do not.
 
-#### `panic(err_message_or_obj: string | object, ...err: object[]): Promise<void>`
-This behaves the same as `caution()` with the difference that once `panic()` has raised the issue, it will exit the process with a non-zero exit code.
+```ts
+const cookies = get_cookies(req);
+{ my_test_cookie: 'my_cookie_value' }
+```
+
+Cookies are not URL decoded by default. This can be enabled by passing `true` as the second parameter.
+
+```http
+GET /test HTTP/1.1
+Cookie: my_test_cookie=my%20cookie%20value
+```
+```ts
+const cookies = get_cookies(req, true);
+{ my_test_cookie: 'my cookie value' }
+```
 
-This should only be called in worst-case scenarios where the server cannot continue to run. Since the process will exit, it is recommended that you `await` the `panic()` call.
+## Legal
+This software is provided as-is with no warranty or guarantee. The authors of this project are not responsible or liable for any problems caused by using this software or any part thereof. Use of this software does not entitle you to any support or assistance from the authors of this project.
 
-## License
 The code in this repository is licensed under the ISC license. See the [LICENSE](LICENSE) file for more information.