svelte-adapter-uws 0.6.0-next.13 → 0.6.0-next.15

package/README.md

@@ -442,6 +442,7 @@ These options control how the server handles misbehaving or slow clients at the
 - `maxConcurrent` caps how many upgrades may be in flight at once. Crossed requests get a fast `503 Service Unavailable` before any per-request work, so a connection storm can be shed without spending CPU on TLS, header parsing, or cookie decoding. Set this just above your steady-state in-flight count to act as a circuit breaker.
 - `perTickBudget` caps how many actual `res.upgrade()` calls run per Node.js event-loop tick. Once the budget is spent, subsequent calls are deferred via `setImmediate` so the loop is not starved by 10K synchronous handshakes from one I/O batch. Pre-upgrade work (rate limit, origin check, hook dispatch) still runs in the original tick; only the hand-off to the C++ upgrade path is paced. Start with `64` and adjust based on your peak burst envelope.
 - `waitingRoom` upgrades the over-capacity rejection from a bare `503` to a content-negotiated waiting room: a browser navigation gets a self-polling HTML holding page that auto-reloads when capacity frees, while a WebSocket upgrade or non-HTML client keeps a `503` with a jittered `Retry-After`. On by default once `maxConcurrent > 0`; set `waitingRoom: false` for the exact bare `503`. The page polls a read-only `/__admit-check` endpoint (`202` with a queue-depth/ETA body while full, `200` when capacity exists) that consumes no gate slot. Tune with `waitingRoom: { path, admitCheckPath, retryAfterSeconds, pollIntervalMs, template }`.
+- `cursorLane` reserves a fraction of `maxConcurrent` (default `0.25`, at least one slot) for a deprioritised cursor-only upgrade lane - a second WebSocket that requests the `svelte-realtime-cursor` subprotocol. A cursor upgrade is admitted only while both the main ceiling and the cursor sub-budget have room, so a flood of cursor connects can never starve main-WebSocket admission; the main lane never waits on the cursor sub-budget. The cursor lane is refused first and, under `siege`, refused entirely - always with a bare `503` (never the holding page, since the cursor connection is not a browser). Omit `cursorLane` to disable the lane: the second counter never increments and admission is unchanged. Set it with `cursorLane: { fraction }`.
 
 ```js
 adapter({

package/client-runtime.js

@@ -0,0 +1,109 @@
+// Injectable runtime environment for the BROWSER client bundle: the clock, RNG
+// and timers that the client reads through named helpers instead of touching the
+// native primitives directly. Same helper API and env shape as the server-side
+// runtime module so call sites are identical, but backed by browser globals (no
+// node: imports) so the client bundles can import it. A simulator running the
+// client code under node still drives it via setRuntimeEnv.
+//
+// The browser clock is a DIRECT wall read (the clients never had a 1Hz cache,
+// so a direct read preserves their existing behavior). `performance` is used for
+// monotonic duration math when present; a fake-timer Date mock therefore
+// propagates straight into now() with no extra bridge.
+
+const _hasPerf = typeof globalThis.performance !== 'undefined' && typeof globalThis.performance.now === 'function';
+// Snapshot at load: the wall time at performance.now() === 0. Adding
+// performance.now() yields a monotonic ms-since-epoch value immune to clock steps.
+const _processStartEpoch = _hasPerf ? Date.now() - globalThis.performance.now() : 0;
+const _webcrypto = (typeof globalThis.crypto !== 'undefined') ? globalThis.crypto : undefined;
+
+// v4-shaped fallback when Web Crypto randomUUID is unavailable (non-secure
+// context / old browser). Uses the env RNG so a seeded run still reproduces it.
+function _uuidFallback(rngFloat) {
+	let out = '';
+	for (let i = 0; i < 36; i++) {
+		if (i === 8 || i === 13 || i === 18 || i === 23) { out += '-'; continue; }
+		if (i === 14) { out += '4'; continue; }
+		const r = (rngFloat() * 16) | 0;
+		out += (i === 19 ? ((r & 0x3) | 0x8) : r).toString(16);
+	}
+	return out;
+}
+
+// One frozen environment object, one stable hidden class. In a real browser
+// `current === defaultEnv` for the whole page lifetime (no override ever
+// installs), so V8 sees a monomorphic shape and inlines the helpers to the
+// native primitives - zero measurable overhead on the hot path.
+const defaultEnv = Object.freeze({
+	clock: Object.freeze({
+		now: () => Date.now(),                                          // exact wall clock; direct read
+		monotonic: _hasPerf ? () => _processStartEpoch + globalThis.performance.now() : () => Date.now(), // duration math
+		wallEpoch: () => Date.now()                                     // exact wall clock; process-identity baseline
+	}),
+	rng: Object.freeze({
+		float: () => Math.random(),
+		u32: () => (Math.random() * 0x100000000) >>> 0,
+		uuid: (_webcrypto && typeof _webcrypto.randomUUID === 'function')
+			? () => _webcrypto.randomUUID()
+			: () => _uuidFallback(() => Math.random()),
+		bytes: (_webcrypto && typeof _webcrypto.getRandomValues === 'function')
+			? (n) => _webcrypto.getRandomValues(new Uint8Array(n))
+			: (n) => { const a = new Uint8Array(n); for (let i = 0; i < n; i++) a[i] = (Math.random() * 256) | 0; return a; }
+	}),
+	timers: Object.freeze({
+		set: (cb, ms, ...a) => setTimeout(cb, ms, ...a),
+		setInterval: (cb, ms, ...a) => setInterval(cb, ms, ...a),
+		// No setImmediate in the browser: a zero-delay macrotask is the closest.
+		setImmediate: (cb, ...a) => setTimeout(cb, 0, ...a),
+		clear: (h) => clearTimeout(h),
+		clearInterval: (h) => clearInterval(h),
+		queueMicrotask: (typeof globalThis.queueMicrotask === 'function')
+			? (cb) => globalThis.queueMicrotask(cb)
+			: (cb) => Promise.resolve().then(cb)
+	}),
+	tz: undefined // effective timezone for cron evaluation; undefined = real local TZ
+});
+
+let current = defaultEnv;
+
+// The named helpers are the ONLY thing client code imports. Each is a one-line
+// read over `current` - monomorphic in a real browser, inlined by V8.
+export const now = () => current.clock.now();
+export const monotonicNow = () => current.clock.monotonic();
+export const wallEpoch = () => current.clock.wallEpoch();
+export const randomFloat = () => current.rng.float();
+export const randomU32 = () => current.rng.u32();
+export const randomUuid = () => current.rng.uuid();
+export const randomBytes = (n) => current.rng.bytes(n);
+export const setTimer = (cb, ms, ...a) => current.timers.set(cb, ms, ...a);
+export const setIntervalTimer = (cb, ms, ...a) => current.timers.setInterval(cb, ms, ...a);
+export const setImmediateTimer = (cb, ...a) => current.timers.setImmediate(cb, ...a);
+export const clearTimer = (h) => current.timers.clear(h);
+export const clearIntervalTimer = (h) => current.timers.clearInterval(h);
+export const microtask = (cb) => current.timers.queueMicrotask(cb);
+export const effectiveTimeZone = () => current.tz;
+
+// Install a virtual environment (the simulator/test harness only). Refuses under
+// a node production build unless explicitly forced, so a stray call can never
+// swap the clock under a live deployment; in a real browser there is no process
+// and nothing calls this anyway. A partial env merges over the native defaults,
+// so a harness can override just the clock and keep native rng/timers.
+export function setRuntimeEnv(env, opts) {
+	const force = opts && opts.force === true;
+	if (typeof process !== 'undefined' && process.env && process.env.NODE_ENV === 'production' && !force) {
+		throw new Error('client runtime: setRuntimeEnv refused in production (pass { force: true } only inside a controlled simulation harness)');
+	}
+	current = Object.freeze({
+		clock: Object.freeze({ ...defaultEnv.clock, ...(env && env.clock) }),
+		rng: Object.freeze({ ...defaultEnv.rng, ...(env && env.rng) }),
+		timers: Object.freeze({ ...defaultEnv.timers, ...(env && env.timers) }),
+		tz: env && Object.prototype.hasOwnProperty.call(env, 'tz') ? env.tz : defaultEnv.tz
+	});
+	return current;
+}
+
+// Restore the native environment. Cheap wholesale reassignment (no per-field
+// mutation), so the hidden class stays stable.
+export function resetRuntimeEnv() { current = defaultEnv; }
+
+// Read-only accessor for the active env (test/sim introspection only).
+export function getRuntimeEnv() { return current; }

package/client.js

@@ -1,5 +1,6 @@
 import { writable, derived } from 'svelte/store';
 import { parseBinaryFrame, requestNFrame } from './files/wire.js';
+import { now, randomFloat, setTimer, setIntervalTimer, clearTimer, clearIntervalTimer, microtask } from './client-runtime.js';
 
 /** @type {ReturnType<typeof createConnection> | null} */
 let singleton = null;
@@ -290,7 +291,7 @@ export function ready() {
 		function cleanup() {
 			if (settled) return;
 			settled = true;
-			queueMicrotask(() => {
+			microtask(() => {
 				statusUnsub?.();
 				permaUnsub?.();
 			});
@@ -403,20 +404,20 @@ export function crud(topic, initial = [], options = {}) {
 	let list = [...initial];
 	/** @type {Map<string, number>} */
 	const timestamps = new Map();
-	const now = Date.now();
+	const seededAt = now();
 	for (const item of initial) {
-		timestamps.set(keyOf(item), now);
+		timestamps.set(keyOf(item), seededAt);
 	}
 
 	const output = writable(list);
 	/** @type {(() => void) | null} */
 	let sourceUnsub = null;
-	/** @type {ReturnType<typeof setInterval> | null} */
+	/** @type {ReturnType<typeof setIntervalTimer> | null} */
 	let sweepTimer = null;
 	let subCount = 0;
 
 	function sweep() {
-		const cutoff = Date.now() - /** @type {number} */ (maxAge);
+		const cutoff = now() - /** @type {number} */ (maxAge);
 		let changed = false;
 		for (const [id, ts] of timestamps) {
 			if (ts < cutoff) {
@@ -437,21 +438,21 @@ export function crud(topic, initial = [], options = {}) {
 			if (data == null || typeof data !== 'object') return;
 			const id = keyOf(data);
 			if (evt === 'deleted') timestamps.delete(id);
-			else timestamps.set(id, Date.now());
+			else timestamps.set(id, now());
 			list = applyCrudReducer(list, evt, data, arrayCrudStorage, reducerOpts);
 			output.set(list);
 		});
-		sweepTimer = setInterval(sweep, Math.max(maxAge / 2, 1000));
+		sweepTimer = setIntervalTimer(sweep, Math.max(maxAge / 2, 1000));
 	}
 
 	function stop() {
 		if (sourceUnsub) { sourceUnsub(); sourceUnsub = null; }
-		if (sweepTimer) { clearInterval(sweepTimer); sweepTimer = null; }
+		if (sweepTimer) { clearIntervalTimer(sweepTimer); sweepTimer = null; }
 		list = [...initial];
-		const now = Date.now();
+		const seededAt = now();
 		timestamps.clear();
 		for (const item of initial) {
-			timestamps.set(keyOf(item), now);
+			timestamps.set(keyOf(item), seededAt);
 		}
 		output.set(list);
 	}
@@ -508,20 +509,20 @@ export function lookup(topic, initial = [], options = {}) {
 	let map = { ...initialMap };
 	/** @type {Map<string, number>} */
 	const timestamps = new Map();
-	const now = Date.now();
+	const seededAt = now();
 	for (const id in initialMap) {
-		timestamps.set(id, now);
+		timestamps.set(id, seededAt);
 	}
 
 	const output = writable(map);
 	/** @type {(() => void) | null} */
 	let sourceUnsub = null;
-	/** @type {ReturnType<typeof setInterval> | null} */
+	/** @type {ReturnType<typeof setIntervalTimer> | null} */
 	let sweepTimer = null;
 	let subCount = 0;
 
 	function sweep() {
-		const cutoff = Date.now() - /** @type {number} */ (maxAge);
+		const cutoff = now() - /** @type {number} */ (maxAge);
 		let changed = false;
 		for (const [id, ts] of timestamps) {
 			if (ts < cutoff) {
@@ -544,7 +545,7 @@ export function lookup(topic, initial = [], options = {}) {
 			if (data == null || typeof data !== 'object') return;
 			const id = keyOf(data);
 			if (evt === 'deleted') timestamps.delete(id);
-			else timestamps.set(id, Date.now());
+			else timestamps.set(id, now());
 			const next = applyCrudReducer(map, evt, data, recordCrudStorage, reducerOpts);
 			if (next === map) return;
 			map = next;
@@ -552,17 +553,17 @@ export function lookup(topic, initial = [], options = {}) {
 		});
 		// Sweep at half the maxAge interval for responsive cleanup
 		// without burning cycles on very short intervals
-		sweepTimer = setInterval(sweep, Math.max(maxAge / 2, 1000));
+		sweepTimer = setIntervalTimer(sweep, Math.max(maxAge / 2, 1000));
 	}
 
 	function stop() {
 		if (sourceUnsub) { sourceUnsub(); sourceUnsub = null; }
-		if (sweepTimer) { clearInterval(sweepTimer); sweepTimer = null; }
+		if (sweepTimer) { clearIntervalTimer(sweepTimer); sweepTimer = null; }
 		map = { ...initialMap };
-		const now = Date.now();
+		const seededAt = now();
 		timestamps.clear();
 		for (const id in initialMap) {
-			timestamps.set(id, now);
+			timestamps.set(id, seededAt);
 		}
 		output.set(map);
 	}
@@ -638,8 +639,8 @@ export function once(topic, event, options) {
 		function cleanup() {
 			if (settled) return;
 			settled = true;
-			if (timer) clearTimeout(timer);
-			queueMicrotask(() => unsub());
+			if (timer) clearTimer(timer);
+			microtask(() => unsub());
 		}
 
 		const unsub = store.subscribe((data) => {
@@ -652,7 +653,7 @@ export function once(topic, event, options) {
 			}
 		});
 		if (timeout !== undefined) {
-			timer = setTimeout(() => {
+			timer = setTimer(() => {
 				cleanup();
 				reject(new Error(`once('${topic}'${event ? `, '${event}'` : ''}) timed out after ${timeout}ms`));
 			}, timeout);
@@ -716,21 +717,23 @@ export function classifyCloseCode(code) {
  * cap by attempt 6) and gentle enough that a brief restart resolves
  * before the user notices.
  *
- * Pure: no I/O, no globals. Pass a deterministic `randFactor` for
- * reproducible assertions in tests.
+ * Pure given an explicit `randFactor`: no I/O, no globals. Pass a fixed
+ * value for reproducible assertions in tests.
  *
- * The default `Math.random()` is the correct primitive here: this value
- * is reconnect-backoff jitter, used to spread retries across a fleet so a
+ * The default `randFactor` is the runtime float source: this value is
+ * reconnect-backoff jitter, used to spread retries across a fleet so a
  * server restart does not hit a thundering-herd. Not security-relevant -
- * the randFactor never crosses a trust boundary.
+ * the randFactor never crosses a trust boundary - so the runtime source is
+ * the right primitive; routing it through the runtime also lets a seeded
+ * harness reproduce the reconnect schedule exactly.
  *
  * @param {number} base       base interval in ms (e.g. 3000)
  * @param {number} maxDelay   cap in ms (e.g. 300000)
  * @param {number} attempt    zero-based attempt counter
- * @param {number} [randFactor]  random factor in [0, 1); defaults to Math.random()
+ * @param {number} [randFactor]  random factor in [0, 1); defaults to randomFloat()
  * @returns {number}
  */
-export function nextReconnectDelay(base, maxDelay, attempt, randFactor = Math.random()) {
+export function nextReconnectDelay(base, maxDelay, attempt, randFactor = randomFloat()) {
 	const capped = Math.min(base * Math.pow(2.2, attempt), maxDelay);
 	return capped * (0.75 + randFactor * 0.5);
 }
@@ -758,9 +761,9 @@ function createConnection(options) {
 	/** @type {WebSocket | null} */
 	let ws = null;
 
-	/** @type {ReturnType<typeof setTimeout> | null} */
+	/** @type {ReturnType<typeof setTimer> | null} */
 	let reconnectTimer = null;
-	/** @type {ReturnType<typeof setInterval> | null} */
+	/** @type {ReturnType<typeof setIntervalTimer> | null} */
 	let activityTimer = null;
 
 	/** @type {Promise<boolean> | null} deduped in-flight auth preflight */
@@ -777,7 +780,7 @@ function createConnection(options) {
 	let hiddenDisconnect = false;
 	// Timestamp of the last message received from the server. Used to detect
 	// zombie connections  - cases where onclose was suppressed by browser throttling.
-	let lastServerMessage = Date.now();
+	let lastServerMessage = now();
 	// 2.5x the server's 120s idle timeout. If the server has been completely
 	// silent for this long while the socket appears open, it is likely a zombie.
 	const SERVER_TIMEOUT_MS = 150000;
@@ -929,7 +932,7 @@ function createConnection(options) {
 	let _onFlowDegraded = null;
 
 	function _flowFresh() {
-		return _flowAvail > 0 && Date.now() < _flowExpiresAt;
+		return _flowAvail > 0 && now() < _flowExpiresAt;
 	}
 	function _setFlowDegraded(d) {
 		if (d === _flowDegraded) return;
@@ -963,7 +966,7 @@ function createConnection(options) {
 	// Apply a fresh window and drain the queue in FIFO order.
 	function _applyFlowWindow(count, ttlMs) {
 		_flowActive = true;
-		_flowExpiresAt = Date.now() + ttlMs;
+		_flowExpiresAt = now() + ttlMs;
 		_flowAvail = count;
 		// A fresh window clears the replenish latch so the next low-water
 		// crossing can ask for more again.
@@ -1210,7 +1213,7 @@ function createConnection(options) {
 
 		ws.onopen = () => {
 			attempt = 0;
-			lastServerMessage = Date.now();
+			lastServerMessage = now();
 			failureStore.set(null);
 			setStatusOpen();
 			if (debug) console.log('[ws] connected');
@@ -1308,7 +1311,7 @@ function createConnection(options) {
 		}
 
 		ws.onmessage = (rawEvent) => {
-			lastServerMessage = Date.now();
+			lastServerMessage = now();
 			try {
 				// Inbound binary demux, ahead of the JSON path. A 0x03 frame is
 				// a binary topic PAYLOAD: resolve its numeric topic-id to a name,
@@ -1504,7 +1507,7 @@ function createConnection(options) {
 		}
 		const delay = nextReconnectDelay(reconnectInterval, maxReconnectInterval, attempt);
 		attempt++;
-		reconnectTimer = setTimeout(() => {
+		reconnectTimer = setTimer(() => {
 			reconnectTimer = null;
 			doConnect();
 		}, delay);
@@ -1538,7 +1541,7 @@ function createConnection(options) {
 		if (ws?.readyState !== WebSocket.OPEN) return;
 		if (!pendingSubscribes) {
 			pendingSubscribes = [];
-			queueMicrotask(flushPendingSubscribes);
+			microtask(flushPendingSubscribes);
 		}
 		pendingSubscribes.push(topic);
 	}
@@ -1649,7 +1652,7 @@ function createConnection(options) {
 			// that never mount). Safe: if another wrapper for the same topic has
 			// an active subscriber, topicRefCounts will be non-empty and we skip.
 			const ownStore = store;
-			queueMicrotask(() => {
+			microtask(() => {
 				if (subs === 0 && !topicRefCounts.has(topic) && topicStores.get(topic) === ownStore) {
 					topicStores.delete(topic);
 				}
@@ -1698,7 +1701,7 @@ function createConnection(options) {
 			store = writable(null);
 			eventStores.set(key, store);
 			const ownStore = store;
-			queueMicrotask(() => {
+			microtask(() => {
 				if (subs === 0 && !topicRefCounts.has(topic) && eventStores.get(key) === ownStore) {
 					eventStores.delete(key);
 				}
@@ -1800,11 +1803,11 @@ function createConnection(options) {
 		intentionallyClosed = true;
 		permaClosedStore.set(true);
 		if (reconnectTimer) {
-			clearTimeout(reconnectTimer);
+			clearTimer(reconnectTimer);
 			reconnectTimer = null;
 		}
 		if (activityTimer) {
-			clearInterval(activityTimer);
+			clearIntervalTimer(activityTimer);
 			activityTimer = null;
 		}
 		if (visibilityHandler && typeof document !== 'undefined') {
@@ -1853,7 +1856,7 @@ function createConnection(options) {
 			hiddenDisconnect = false;
 			attempt = 0;
 			if (reconnectTimer) {
-				clearTimeout(reconnectTimer);
+				clearTimer(reconnectTimer);
 				reconnectTimer = null;
 			}
 			doConnect();
@@ -1867,9 +1870,9 @@ function createConnection(options) {
 	// on mobile after wake from sleep). Force a close so onclose fires and the
 	// normal reconnect path takes over.
 	if (typeof window !== 'undefined') {
-		activityTimer = setInterval(() => {
-			if (ws?.readyState === WebSocket.OPEN && Date.now() - lastServerMessage > SERVER_TIMEOUT_MS) {
-				if (debug) console.log('[ws] server silent for', Date.now() - lastServerMessage, 'ms, reconnecting');
+		activityTimer = setIntervalTimer(() => {
+			if (ws?.readyState === WebSocket.OPEN && now() - lastServerMessage > SERVER_TIMEOUT_MS) {
+				if (debug) console.log('[ws] server silent for', now() - lastServerMessage, 'ms, reconnecting');
 				ws.close();
 			}
 		}, 30000);

package/files/_init.js

@@ -29,14 +29,14 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { Readable } from 'node:stream';
-import { performance } from 'node:perf_hooks';
+import { monotonicNow } from './runtime.js';
 import { Server } from 'SERVER';
 import { manifest, base } from 'MANIFEST';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const asset_dir = `${__dirname}/client${base}`;
 
-const _t_init = performance.now();
+const _t_init = monotonicNow();
 
 /** @type {import('@sveltejs/kit').Server} */
 export const server = new Server(manifest);
@@ -46,4 +46,4 @@ await server.init({
 	read: (file) => /** @type {ReadableStream} */ (Readable.toWeb(fs.createReadStream(`${asset_dir}/${file}`)))
 });
 
-console.log(`SvelteKit server initialized in ${(performance.now() - _t_init).toFixed(1)}ms`);
+console.log(`SvelteKit server initialized in ${(monotonicNow() - _t_init).toFixed(1)}ms`);

package/files/cookies.js

@@ -149,7 +149,7 @@ export function createCookies(cookieHeader) {
 		delete(name, options = {}) {
 			api.set(name, '', {
 				...options,
-				expires: new Date(0),
+				expires: new Date(0), // determinism-allow: fixed Unix-epoch sentinel that forces immediate cookie deletion, not a wall-clock read
 				maxAge: 0
 			});
 			delete parsed[name];