theokit 0.1.0-alpha.0

package/dist/rate-limit-C6hHXIj1.d.ts

@@ -0,0 +1,13 @@
+import { IncomingMessage } from 'node:http';
+
+interface RateLimitConfig {
+    windowMs: number;
+    max: number;
+}
+interface RateLimitResult {
+    limited: boolean;
+    headers: Record<string, string>;
+}
+declare function createRateLimiter(config: RateLimitConfig): (req: IncomingMessage) => RateLimitResult;
+
+export { type RateLimitConfig as R, type RateLimitResult as a, createRateLimiter as c };

package/dist/routes-YP357VAC.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+import {
+  validateProjectStructure
+} from "./chunk-KPU44T6G.js";
+import {
+  loadConfig
+} from "./chunk-N5YH2UDG.js";
+import {
+  scanServerActions,
+  scanServerRoutes,
+  scanWebSocketRoutes
+} from "./chunk-U3OJFWK3.js";
+
+// src/cli/commands/routes.ts
+import { resolve, relative } from "path";
+async function routesCommand() {
+  const cwd = process.cwd();
+  const config = await loadConfig(cwd);
+  validateProjectStructure(cwd);
+  const serverDir = resolve(cwd, config.serverDir);
+  const apiRoutes = scanServerRoutes(serverDir);
+  const actions = scanServerActions(serverDir);
+  const wsRoutes = scanWebSocketRoutes(serverDir);
+  const totalCount = apiRoutes.length + actions.length + wsRoutes.length;
+  if (totalCount === 0) {
+    console.log("\n  No routes found.\n");
+    return;
+  }
+  if (apiRoutes.length > 0) {
+    console.log("\n  API Routes");
+    console.log("  " + "\u2500".repeat(60));
+    for (const route of apiRoutes) {
+      const rel = relative(cwd, route.filePath);
+      console.log(`  GET/POST  ${route.routePath.padEnd(30)} ${rel}`);
+    }
+  }
+  if (actions.length > 0) {
+    console.log("\n  Actions");
+    console.log("  " + "\u2500".repeat(60));
+    for (const action of actions) {
+      const rel = relative(cwd, action.filePath);
+      console.log(`  POST      /api/__actions/${action.actionPath.padEnd(18)} ${rel}`);
+    }
+  }
+  if (wsRoutes.length > 0) {
+    console.log("\n  WebSocket");
+    console.log("  " + "\u2500".repeat(60));
+    for (const route of wsRoutes) {
+      const rel = relative(cwd, route.filePath);
+      console.log(`  WS        ${route.wsPath.padEnd(30)} ${rel}`);
+    }
+  }
+  console.log(`
+  Total: ${totalCount} endpoints
+`);
+}
+export {
+  routesCommand
+};
+//# sourceMappingURL=routes-YP357VAC.js.map

package/dist/routes-YP357VAC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/commands/routes.ts"],"sourcesContent":["import { resolve, relative } from 'node:path'\nimport { loadConfig } from '../../config/load-config.js'\nimport { validateProjectStructure } from '../../core/validate-structure.js'\nimport { scanServerRoutes } from '../../server/scan.js'\nimport { scanServerActions } from '../../server/action-scan.js'\nimport { scanWebSocketRoutes } from '../../server/ws-scan.js'\n\nexport async function routesCommand(): Promise<void> {\n  const cwd = process.cwd()\n  const config = await loadConfig(cwd)\n  validateProjectStructure(cwd)\n\n  const serverDir = resolve(cwd, config.serverDir)\n\n  const apiRoutes = scanServerRoutes(serverDir)\n  const actions = scanServerActions(serverDir)\n  const wsRoutes = scanWebSocketRoutes(serverDir)\n\n  const totalCount = apiRoutes.length + actions.length + wsRoutes.length\n\n  if (totalCount === 0) {\n    console.log('\\n  No routes found.\\n')\n    return\n  }\n\n  // API Routes\n  if (apiRoutes.length > 0) {\n    console.log('\\n  API Routes')\n    console.log('  ' + '─'.repeat(60))\n    for (const route of apiRoutes) {\n      const rel = relative(cwd, route.filePath)\n      console.log(`  GET/POST  ${route.routePath.padEnd(30)} ${rel}`)\n    }\n  }\n\n  // Actions\n  if (actions.length > 0) {\n    console.log('\\n  Actions')\n    console.log('  ' + '─'.repeat(60))\n    for (const action of actions) {\n      const rel = relative(cwd, action.filePath)\n      console.log(`  POST      /api/__actions/${action.actionPath.padEnd(18)} ${rel}`)\n    }\n  }\n\n  // WebSocket\n  if (wsRoutes.length > 0) {\n    console.log('\\n  WebSocket')\n    console.log('  ' + '─'.repeat(60))\n    for (const route of wsRoutes) {\n      const rel = relative(cwd, route.filePath)\n      console.log(`  WS        ${route.wsPath.padEnd(30)} ${rel}`)\n    }\n  }\n\n  console.log(`\\n  Total: ${totalCount} endpoints\\n`)\n}\n"],"mappings":";;;;;;;;;;;;;;AAAA,SAAS,SAAS,gBAAgB;AAOlC,eAAsB,gBAA+B;AACnD,QAAM,MAAM,QAAQ,IAAI;AACxB,QAAM,SAAS,MAAM,WAAW,GAAG;AACnC,2BAAyB,GAAG;AAE5B,QAAM,YAAY,QAAQ,KAAK,OAAO,SAAS;AAE/C,QAAM,YAAY,iBAAiB,SAAS;AAC5C,QAAM,UAAU,kBAAkB,SAAS;AAC3C,QAAM,WAAW,oBAAoB,SAAS;AAE9C,QAAM,aAAa,UAAU,SAAS,QAAQ,SAAS,SAAS;AAEhE,MAAI,eAAe,GAAG;AACpB,YAAQ,IAAI,wBAAwB;AACpC;AAAA,EACF;AAGA,MAAI,UAAU,SAAS,GAAG;AACxB,YAAQ,IAAI,gBAAgB;AAC5B,YAAQ,IAAI,OAAO,SAAI,OAAO,EAAE,CAAC;AACjC,eAAW,SAAS,WAAW;AAC7B,YAAM,MAAM,SAAS,KAAK,MAAM,QAAQ;AACxC,cAAQ,IAAI,eAAe,MAAM,UAAU,OAAO,EAAE,CAAC,IAAI,GAAG,EAAE;AAAA,IAChE;AAAA,EACF;AAGA,MAAI,QAAQ,SAAS,GAAG;AACtB,YAAQ,IAAI,aAAa;AACzB,YAAQ,IAAI,OAAO,SAAI,OAAO,EAAE,CAAC;AACjC,eAAW,UAAU,SAAS;AAC5B,YAAM,MAAM,SAAS,KAAK,OAAO,QAAQ;AACzC,cAAQ,IAAI,8BAA8B,OAAO,WAAW,OAAO,EAAE,CAAC,IAAI,GAAG,EAAE;AAAA,IACjF;AAAA,EACF;AAGA,MAAI,SAAS,SAAS,GAAG;AACvB,YAAQ,IAAI,eAAe;AAC3B,YAAQ,IAAI,OAAO,SAAI,OAAO,EAAE,CAAC;AACjC,eAAW,SAAS,UAAU;AAC5B,YAAM,MAAM,SAAS,KAAK,MAAM,QAAQ;AACxC,cAAQ,IAAI,eAAe,MAAM,OAAO,OAAO,EAAE,CAAC,IAAI,GAAG,EAAE;AAAA,IAC7D;AAAA,EACF;AAEA,UAAQ,IAAI;AAAA,WAAc,UAAU;AAAA,CAAc;AACpD;","names":[]}

package/dist/server/index.d.ts

@@ -0,0 +1,94 @@
+import { z } from 'zod';
+import * as node_http from 'node:http';
+import { ServerResponse, IncomingMessage } from 'node:http';
+export { R as RateLimitConfig, a as RateLimitResult, c as createRateLimiter } from '../rate-limit-C6hHXIj1.js';
+
+interface RouteConfig<TQuery extends z.ZodType = z.ZodUndefined, TBody extends z.ZodType = z.ZodUndefined, TParams extends z.ZodType = z.ZodUndefined, TCtx = unknown, TResponse = unknown> {
+    query?: TQuery;
+    body?: TBody;
+    params?: TParams;
+    status?: number;
+    handler: (ctx: {
+        query: z.infer<TQuery>;
+        body: z.infer<TBody>;
+        params: z.infer<TParams>;
+        request: Request;
+        ctx: TCtx;
+    }) => TResponse | Promise<TResponse>;
+}
+/**
+ * Define a typed HTTP route.
+ * Identity function — provides type inference for route handlers.
+ */
+declare function defineRoute<TQuery extends z.ZodType = z.ZodUndefined, TBody extends z.ZodType = z.ZodUndefined, TParams extends z.ZodType = z.ZodUndefined, TCtx = unknown, TResponse = unknown>(config: RouteConfig<TQuery, TBody, TParams, TCtx, TResponse>): RouteConfig<TQuery, TBody, TParams, TCtx, TResponse>;
+
+interface ActionConfig<TInput extends z.ZodType, TCtx = unknown> {
+    input: TInput;
+    handler: (ctx: {
+        input: z.infer<TInput>;
+        ctx: TCtx;
+    }) => unknown | Promise<unknown>;
+}
+/**
+ * Define a typed server action.
+ * Identity function — provides type inference for action handlers.
+ */
+declare function defineAction<TInput extends z.ZodType, TCtx = unknown>(config: ActionConfig<TInput, TCtx>): ActionConfig<TInput, TCtx>;
+
+type MiddlewareHandler = (request: Request, next: (request: Request) => Promise<Response>) => Response | Promise<Response>;
+/**
+ * Define a middleware handler.
+ * Identity function — provides type annotation for middleware.
+ */
+declare function defineMiddleware(handler: MiddlewareHandler): MiddlewareHandler;
+
+interface CookieOptions {
+    httpOnly?: boolean;
+    secure?: boolean;
+    sameSite?: 'strict' | 'lax' | 'none';
+    maxAge?: number;
+    path?: string;
+    domain?: string;
+}
+declare function getCookie(req: IncomingMessage, name: string): string | undefined;
+declare function setCookie(res: ServerResponse, name: string, value: string, options?: CookieOptions): void;
+declare function deleteCookie(res: ServerResponse, name: string, options?: {
+    path?: string;
+}): void;
+
+interface SessionConfig {
+    secret: string;
+    cookieName?: string;
+    maxAge?: number;
+}
+interface SessionManager<TSession> {
+    getSession(req: IncomingMessage): Promise<TSession | null>;
+    createSession(res: ServerResponse, data: TSession): Promise<void>;
+    destroySession(res: ServerResponse): void;
+}
+declare function createSessionManager<TSession>(config: SessionConfig): SessionManager<TSession>;
+
+declare class AuthRequiredError extends Error {
+    code: "AUTH_REQUIRED";
+    status: number;
+    constructor(message?: string);
+}
+declare function requireAuth<T>(session: T | null | undefined): asserts session is T;
+
+interface WebSocketLike {
+    send(data: string | Buffer): void;
+    close(code?: number, reason?: string): void;
+}
+interface WebSocketHandler {
+    onOpen?: (ws: WebSocketLike, req: node_http.IncomingMessage) => void;
+    onMessage?: (ws: WebSocketLike, data: string | Buffer) => void;
+    onClose?: (ws: WebSocketLike, code: number, reason: Buffer) => void;
+    onError?: (ws: WebSocketLike, error: Error) => void;
+}
+/**
+ * Define a WebSocket endpoint handler.
+ * Identity function — provides type inference for WebSocket handlers.
+ */
+declare function defineWebSocket(handler: WebSocketHandler): WebSocketHandler;
+
+export { type ActionConfig, AuthRequiredError, type CookieOptions, type MiddlewareHandler, type RouteConfig, type SessionConfig, type SessionManager, type WebSocketHandler, type WebSocketLike, createSessionManager, defineAction, defineMiddleware, defineRoute, defineWebSocket, deleteCookie, getCookie, requireAuth, setCookie };

package/dist/server/index.js

@@ -0,0 +1,148 @@
+import {
+  AuthRequiredError,
+  createRateLimiter,
+  requireAuth
+} from "../chunk-SAVVU5LG.js";
+
+// src/server/define-route.ts
+function defineRoute(config) {
+  return config;
+}
+
+// src/server/define-action.ts
+function defineAction(config) {
+  return config;
+}
+
+// src/server/define-middleware.ts
+function defineMiddleware(handler) {
+  return handler;
+}
+
+// src/server/cookies.ts
+function getCookie(req, name) {
+  const header = req.headers.cookie ?? "";
+  for (const pair of header.split(";")) {
+    const trimmed = pair.trim();
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx);
+    if (key === name) {
+      return decodeURIComponent(trimmed.slice(eqIdx + 1));
+    }
+  }
+  return void 0;
+}
+function setCookie(res, name, value, options) {
+  const opts = {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    ...options
+  };
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  if (opts.httpOnly) parts.push("HttpOnly");
+  if (opts.secure) parts.push("Secure");
+  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase() + opts.sameSite.slice(1)}`);
+  if (opts.maxAge !== void 0) parts.push(`Max-Age=${opts.maxAge}`);
+  if (opts.path) parts.push(`Path=${opts.path}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  const existing = res.getHeader("Set-Cookie");
+  const cookies = existing ? Array.isArray(existing) ? existing.map(String) : [String(existing)] : [];
+  cookies.push(parts.join("; "));
+  res.setHeader("Set-Cookie", cookies);
+}
+function deleteCookie(res, name, options) {
+  setCookie(res, name, "", { maxAge: 0, path: options?.path ?? "/" });
+}
+
+// src/server/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+async function deriveKey(secret) {
+  const keyMaterial = await crypto.subtle.digest("SHA-256", encoder.encode(secret));
+  return crypto.subtle.importKey("raw", keyMaterial, "AES-GCM", false, ["encrypt", "decrypt"]);
+}
+function toBase64Url(data) {
+  return Buffer.from(data).toString("base64url");
+}
+function fromBase64Url(str) {
+  return new Uint8Array(Buffer.from(str, "base64url"));
+}
+async function encrypt(data, secret) {
+  const key = await deriveKey(secret);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintext = encoder.encode(JSON.stringify(data));
+  const ciphertext = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
+  return `${toBase64Url(iv)}:${toBase64Url(ciphertext)}`;
+}
+async function decrypt(token, secret) {
+  try {
+    const parts = token.split(":");
+    if (parts.length !== 2) return null;
+    const iv = fromBase64Url(parts[0]);
+    const ciphertext = fromBase64Url(parts[1]);
+    const key = await deriveKey(secret);
+    const ivBuf = iv.buffer.slice(iv.byteOffset, iv.byteOffset + iv.byteLength);
+    const dataBuf = ciphertext.buffer.slice(ciphertext.byteOffset, ciphertext.byteOffset + ciphertext.byteLength);
+    const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv: ivBuf }, key, dataBuf);
+    return JSON.parse(decoder.decode(plaintext));
+  } catch {
+    return null;
+  }
+}
+
+// src/server/session.ts
+function createSessionManager(config) {
+  if (config.secret.length < 32) {
+    throw new Error("Session secret must be at least 32 characters for secure encryption");
+  }
+  const cookieName = config.cookieName ?? "theo_session";
+  const maxAge = config.maxAge ?? 604800;
+  return {
+    async getSession(req) {
+      const raw = getCookie(req, cookieName);
+      if (!raw) return null;
+      const envelope = await decrypt(raw, config.secret);
+      if (!envelope) return null;
+      if (envelope.exp < Date.now()) return null;
+      return envelope.data;
+    },
+    async createSession(res, data) {
+      const envelope = {
+        data,
+        exp: Date.now() + maxAge * 1e3
+      };
+      const token = await encrypt(envelope, config.secret);
+      setCookie(res, cookieName, token, {
+        httpOnly: true,
+        sameSite: "lax",
+        maxAge,
+        path: "/"
+      });
+    },
+    destroySession(res) {
+      deleteCookie(res, cookieName);
+    }
+  };
+}
+
+// src/server/define-websocket.ts
+function defineWebSocket(handler) {
+  return handler;
+}
+export {
+  AuthRequiredError,
+  createRateLimiter,
+  createSessionManager,
+  defineAction,
+  defineMiddleware,
+  defineRoute,
+  defineWebSocket,
+  deleteCookie,
+  getCookie,
+  requireAuth,
+  setCookie
+};
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/server/define-route.ts","../../src/server/define-action.ts","../../src/server/define-middleware.ts","../../src/server/cookies.ts","../../src/server/crypto.ts","../../src/server/session.ts","../../src/server/define-websocket.ts"],"sourcesContent":["import type { z } from 'zod'\n\nexport interface RouteConfig<\n  TQuery extends z.ZodType = z.ZodUndefined,\n  TBody extends z.ZodType = z.ZodUndefined,\n  TParams extends z.ZodType = z.ZodUndefined,\n  TCtx = unknown,\n  TResponse = unknown,\n> {\n  query?: TQuery\n  body?: TBody\n  params?: TParams\n  status?: number\n  handler: (ctx: {\n    query: z.infer<TQuery>\n    body: z.infer<TBody>\n    params: z.infer<TParams>\n    request: Request\n    ctx: TCtx\n  }) => TResponse | Promise<TResponse>\n}\n\n/**\n * Define a typed HTTP route.\n * Identity function — provides type inference for route handlers.\n */\nexport function defineRoute<\n  TQuery extends z.ZodType = z.ZodUndefined,\n  TBody extends z.ZodType = z.ZodUndefined,\n  TParams extends z.ZodType = z.ZodUndefined,\n  TCtx = unknown,\n  TResponse = unknown,\n>(config: RouteConfig<TQuery, TBody, TParams, TCtx, TResponse>): RouteConfig<TQuery, TBody, TParams, TCtx, TResponse> {\n  return config\n}\n","import type { z } from 'zod'\n\nexport interface ActionConfig<TInput extends z.ZodType, TCtx = unknown> {\n  input: TInput\n  handler: (ctx: { input: z.infer<TInput>; ctx: TCtx }) => unknown | Promise<unknown>\n}\n\n/**\n * Define a typed server action.\n * Identity function — provides type inference for action handlers.\n */\nexport function defineAction<TInput extends z.ZodType, TCtx = unknown>(\n  config: ActionConfig<TInput, TCtx>,\n): ActionConfig<TInput, TCtx> {\n  return config\n}\n","export type MiddlewareHandler = (\n  request: Request,\n  next: (request: Request) => Promise<Response>,\n) => Response | Promise<Response>\n\n/**\n * Define a middleware handler.\n * Identity function — provides type annotation for middleware.\n */\nexport function defineMiddleware(handler: MiddlewareHandler): MiddlewareHandler {\n  return handler\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\n\nexport interface CookieOptions {\n  httpOnly?: boolean\n  secure?: boolean\n  sameSite?: 'strict' | 'lax' | 'none'\n  maxAge?: number\n  path?: string\n  domain?: string\n}\n\nexport function getCookie(req: IncomingMessage, name: string): string | undefined {\n  const header = req.headers.cookie ?? ''\n  for (const pair of header.split(';')) {\n    const trimmed = pair.trim()\n    const eqIdx = trimmed.indexOf('=')\n    if (eqIdx === -1) continue\n    const key = trimmed.slice(0, eqIdx)\n    if (key === name) {\n      return decodeURIComponent(trimmed.slice(eqIdx + 1))\n    }\n  }\n  return undefined\n}\n\nexport function setCookie(\n  res: ServerResponse,\n  name: string,\n  value: string,\n  options?: CookieOptions,\n): void {\n  const opts: Required<Omit<CookieOptions, 'maxAge' | 'domain'>> & Pick<CookieOptions, 'maxAge' | 'domain'> = {\n    httpOnly: true,\n    secure: process.env.NODE_ENV === 'production',\n    sameSite: 'lax',\n    path: '/',\n    ...options,\n  }\n\n  const parts = [`${name}=${encodeURIComponent(value)}`]\n  if (opts.httpOnly) parts.push('HttpOnly')\n  if (opts.secure) parts.push('Secure')\n  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase() + opts.sameSite.slice(1)}`)\n  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`)\n  if (opts.path) parts.push(`Path=${opts.path}`)\n  if (opts.domain) parts.push(`Domain=${opts.domain}`)\n\n  // Append to existing Set-Cookie headers (EC-1: don't overwrite)\n  const existing = res.getHeader('Set-Cookie')\n  const cookies: string[] = existing\n    ? Array.isArray(existing) ? existing.map(String) : [String(existing)]\n    : []\n  cookies.push(parts.join('; '))\n  res.setHeader('Set-Cookie', cookies)\n}\n\nexport function deleteCookie(\n  res: ServerResponse,\n  name: string,\n  options?: { path?: string },\n): void {\n  setCookie(res, name, '', { maxAge: 0, path: options?.path ?? '/' })\n}\n","const encoder = new TextEncoder()\nconst decoder = new TextDecoder()\n\nasync function deriveKey(secret: string): Promise<CryptoKey> {\n  const keyMaterial = await crypto.subtle.digest('SHA-256', encoder.encode(secret))\n  return crypto.subtle.importKey('raw', keyMaterial, 'AES-GCM', false, ['encrypt', 'decrypt'])\n}\n\nfunction toBase64Url(data: Uint8Array): string {\n  return Buffer.from(data).toString('base64url')\n}\n\nfunction fromBase64Url(str: string): Uint8Array {\n  return new Uint8Array(Buffer.from(str, 'base64url'))\n}\n\nexport async function encrypt<T>(data: T, secret: string): Promise<string> {\n  const key = await deriveKey(secret)\n  const iv = crypto.getRandomValues(new Uint8Array(12))\n  const plaintext = encoder.encode(JSON.stringify(data))\n  const ciphertext = new Uint8Array(await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext))\n  return `${toBase64Url(iv)}:${toBase64Url(ciphertext)}`\n}\n\nexport async function decrypt<T>(token: string, secret: string): Promise<T | null> {\n  try {\n    const parts = token.split(':')\n    if (parts.length !== 2) return null\n\n    const iv = fromBase64Url(parts[0])\n    const ciphertext = fromBase64Url(parts[1])\n    const key = await deriveKey(secret)\n\n    const ivBuf = iv.buffer.slice(iv.byteOffset, iv.byteOffset + iv.byteLength) as unknown as ArrayBuffer\n    const dataBuf = ciphertext.buffer.slice(ciphertext.byteOffset, ciphertext.byteOffset + ciphertext.byteLength) as unknown as ArrayBuffer\n    const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: ivBuf }, key, dataBuf)\n    return JSON.parse(decoder.decode(plaintext)) as T\n  } catch {\n    return null\n  }\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { encrypt, decrypt } from './crypto.js'\nimport { getCookie, setCookie, deleteCookie } from './cookies.js'\n\nexport interface SessionConfig {\n  secret: string\n  cookieName?: string\n  maxAge?: number\n}\n\ninterface SessionEnvelope<T> {\n  data: T\n  exp: number\n}\n\nexport interface SessionManager<TSession> {\n  getSession(req: IncomingMessage): Promise<TSession | null>\n  createSession(res: ServerResponse, data: TSession): Promise<void>\n  destroySession(res: ServerResponse): void\n}\n\nexport function createSessionManager<TSession>(config: SessionConfig): SessionManager<TSession> {\n  if (config.secret.length < 32) {\n    throw new Error('Session secret must be at least 32 characters for secure encryption')\n  }\n\n  const cookieName = config.cookieName ?? 'theo_session'\n  const maxAge = config.maxAge ?? 604800 // 7 days\n\n  return {\n    async getSession(req: IncomingMessage): Promise<TSession | null> {\n      const raw = getCookie(req, cookieName)\n      if (!raw) return null\n\n      const envelope = await decrypt<SessionEnvelope<TSession>>(raw, config.secret)\n      if (!envelope) return null\n\n      if (envelope.exp < Date.now()) return null\n\n      return envelope.data\n    },\n\n    async createSession(res: ServerResponse, data: TSession): Promise<void> {\n      const envelope: SessionEnvelope<TSession> = {\n        data,\n        exp: Date.now() + maxAge * 1000,\n      }\n      const token = await encrypt(envelope, config.secret)\n      setCookie(res, cookieName, token, {\n        httpOnly: true,\n        sameSite: 'lax',\n        maxAge,\n        path: '/',\n      })\n    },\n\n    destroySession(res: ServerResponse): void {\n      deleteCookie(res, cookieName)\n    },\n  }\n}\n","export interface WebSocketLike {\n  send(data: string | Buffer): void\n  close(code?: number, reason?: string): void\n}\n\nexport interface WebSocketHandler {\n  onOpen?: (ws: WebSocketLike, req: import('node:http').IncomingMessage) => void\n  onMessage?: (ws: WebSocketLike, data: string | Buffer) => void\n  onClose?: (ws: WebSocketLike, code: number, reason: Buffer) => void\n  onError?: (ws: WebSocketLike, error: Error) => void\n}\n\n/**\n * Define a WebSocket endpoint handler.\n * Identity function — provides type inference for WebSocket handlers.\n */\nexport function defineWebSocket(handler: WebSocketHandler): WebSocketHandler {\n  return handler\n}\n"],"mappings":";;;;;;;AA0BO,SAAS,YAMd,QAAoH;AACpH,SAAO;AACT;;;ACvBO,SAAS,aACd,QAC4B;AAC5B,SAAO;AACT;;;ACNO,SAAS,iBAAiB,SAA+C;AAC9E,SAAO;AACT;;;ACAO,SAAS,UAAU,KAAsB,MAAkC;AAChF,QAAM,SAAS,IAAI,QAAQ,UAAU;AACrC,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,UAAU,KAAK,KAAK;AAC1B,UAAM,QAAQ,QAAQ,QAAQ,GAAG;AACjC,QAAI,UAAU,GAAI;AAClB,UAAM,MAAM,QAAQ,MAAM,GAAG,KAAK;AAClC,QAAI,QAAQ,MAAM;AAChB,aAAO,mBAAmB,QAAQ,MAAM,QAAQ,CAAC,CAAC;AAAA,IACpD;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,UACd,KACA,MACA,OACA,SACM;AACN,QAAM,OAAsG;AAAA,IAC1G,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,GAAG;AAAA,EACL;AAEA,QAAM,QAAQ,CAAC,GAAG,IAAI,IAAI,mBAAmB,KAAK,CAAC,EAAE;AACrD,MAAI,KAAK,SAAU,OAAM,KAAK,UAAU;AACxC,MAAI,KAAK,OAAQ,OAAM,KAAK,QAAQ;AACpC,MAAI,KAAK,SAAU,OAAM,KAAK,YAAY,KAAK,SAAS,OAAO,CAAC,EAAE,YAAY,IAAI,KAAK,SAAS,MAAM,CAAC,CAAC,EAAE;AAC1G,MAAI,KAAK,WAAW,OAAW,OAAM,KAAK,WAAW,KAAK,MAAM,EAAE;AAClE,MAAI,KAAK,KAAM,OAAM,KAAK,QAAQ,KAAK,IAAI,EAAE;AAC7C,MAAI,KAAK,OAAQ,OAAM,KAAK,UAAU,KAAK,MAAM,EAAE;AAGnD,QAAM,WAAW,IAAI,UAAU,YAAY;AAC3C,QAAM,UAAoB,WACtB,MAAM,QAAQ,QAAQ,IAAI,SAAS,IAAI,MAAM,IAAI,CAAC,OAAO,QAAQ,CAAC,IAClE,CAAC;AACL,UAAQ,KAAK,MAAM,KAAK,IAAI,CAAC;AAC7B,MAAI,UAAU,cAAc,OAAO;AACrC;AAEO,SAAS,aACd,KACA,MACA,SACM;AACN,YAAU,KAAK,MAAM,IAAI,EAAE,QAAQ,GAAG,MAAM,SAAS,QAAQ,IAAI,CAAC;AACpE;;;AC9DA,IAAM,UAAU,IAAI,YAAY;AAChC,IAAM,UAAU,IAAI,YAAY;AAEhC,eAAe,UAAU,QAAoC;AAC3D,QAAM,cAAc,MAAM,OAAO,OAAO,OAAO,WAAW,QAAQ,OAAO,MAAM,CAAC;AAChF,SAAO,OAAO,OAAO,UAAU,OAAO,aAAa,WAAW,OAAO,CAAC,WAAW,SAAS,CAAC;AAC7F;AAEA,SAAS,YAAY,MAA0B;AAC7C,SAAO,OAAO,KAAK,IAAI,EAAE,SAAS,WAAW;AAC/C;AAEA,SAAS,cAAc,KAAyB;AAC9C,SAAO,IAAI,WAAW,OAAO,KAAK,KAAK,WAAW,CAAC;AACrD;AAEA,eAAsB,QAAW,MAAS,QAAiC;AACzE,QAAM,MAAM,MAAM,UAAU,MAAM;AAClC,QAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AACpD,QAAM,YAAY,QAAQ,OAAO,KAAK,UAAU,IAAI,CAAC;AACrD,QAAM,aAAa,IAAI,WAAW,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,GAAG,KAAK,SAAS,CAAC;AACtG,SAAO,GAAG,YAAY,EAAE,CAAC,IAAI,YAAY,UAAU,CAAC;AACtD;AAEA,eAAsB,QAAW,OAAe,QAAmC;AACjF,MAAI;AACF,UAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,QAAI,MAAM,WAAW,EAAG,QAAO;AAE/B,UAAM,KAAK,cAAc,MAAM,CAAC,CAAC;AACjC,UAAM,aAAa,cAAc,MAAM,CAAC,CAAC;AACzC,UAAM,MAAM,MAAM,UAAU,MAAM;AAElC,UAAM,QAAQ,GAAG,OAAO,MAAM,GAAG,YAAY,GAAG,aAAa,GAAG,UAAU;AAC1E,UAAM,UAAU,WAAW,OAAO,MAAM,WAAW,YAAY,WAAW,aAAa,WAAW,UAAU;AAC5G,UAAM,YAAY,MAAM,OAAO,OAAO,QAAQ,EAAE,MAAM,WAAW,IAAI,MAAM,GAAG,KAAK,OAAO;AAC1F,WAAO,KAAK,MAAM,QAAQ,OAAO,SAAS,CAAC;AAAA,EAC7C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACnBO,SAAS,qBAA+B,QAAiD;AAC9F,MAAI,OAAO,OAAO,SAAS,IAAI;AAC7B,UAAM,IAAI,MAAM,qEAAqE;AAAA,EACvF;AAEA,QAAM,aAAa,OAAO,cAAc;AACxC,QAAM,SAAS,OAAO,UAAU;AAEhC,SAAO;AAAA,IACL,MAAM,WAAW,KAAgD;AAC/D,YAAM,MAAM,UAAU,KAAK,UAAU;AACrC,UAAI,CAAC,IAAK,QAAO;AAEjB,YAAM,WAAW,MAAM,QAAmC,KAAK,OAAO,MAAM;AAC5E,UAAI,CAAC,SAAU,QAAO;AAEtB,UAAI,SAAS,MAAM,KAAK,IAAI,EAAG,QAAO;AAEtC,aAAO,SAAS;AAAA,IAClB;AAAA,IAEA,MAAM,cAAc,KAAqB,MAA+B;AACtE,YAAM,WAAsC;AAAA,QAC1C;AAAA,QACA,KAAK,KAAK,IAAI,IAAI,SAAS;AAAA,MAC7B;AACA,YAAM,QAAQ,MAAM,QAAQ,UAAU,OAAO,MAAM;AACnD,gBAAU,KAAK,YAAY,OAAO;AAAA,QAChC,UAAU;AAAA,QACV,UAAU;AAAA,QACV;AAAA,QACA,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAAA,IAEA,eAAe,KAA2B;AACxC,mBAAa,KAAK,UAAU;AAAA,IAC9B;AAAA,EACF;AACF;;;AC5CO,SAAS,gBAAgB,SAA6C;AAC3E,SAAO;AACT;","names":[]}

package/dist/start-BIS3RCFQ.js

@@ -0,0 +1,243 @@
+#!/usr/bin/env node
+import {
+  createProductionLoader,
+  createRateLimiter,
+  executeAction,
+  executeRoute,
+  logRequest,
+  sendError
+} from "./chunk-MMZZBPMX.js";
+import {
+  loadConfig
+} from "./chunk-N5YH2UDG.js";
+import {
+  matchRoute,
+  scanServerActions,
+  scanServerRoutes,
+  scanWebSocketRoutes
+} from "./chunk-U3OJFWK3.js";
+
+// src/cli/commands/start.ts
+import { createServer } from "http";
+import { randomUUID } from "crypto";
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2, join, extname as extname2 } from "path";
+
+// src/server/static.ts
+import { existsSync, readFileSync, statSync } from "fs";
+import { resolve, extname } from "path";
+var MIME_TYPES = {
+  ".html": "text/html",
+  ".js": "application/javascript",
+  ".mjs": "application/javascript",
+  ".css": "text/css",
+  ".json": "application/json",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf",
+  ".txt": "text/plain",
+  ".map": "application/json"
+};
+function serveStaticFile(req, res, clientDir) {
+  const urlPath = (req.url ?? "/").split("?")[0];
+  const filePath = resolve(clientDir, "." + urlPath);
+  if (!filePath.startsWith(clientDir)) {
+    res.writeHead(403);
+    res.end("Forbidden");
+    return true;
+  }
+  if (!existsSync(filePath)) return false;
+  const stat = statSync(filePath);
+  if (!stat.isFile()) return false;
+  const ext = extname(filePath);
+  const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+  const content = readFileSync(filePath);
+  res.writeHead(200, {
+    "Content-Type": contentType,
+    "Content-Length": content.length
+  });
+  res.end(content);
+  return true;
+}
+
+// src/cli/commands/start.ts
+async function startCommand(options) {
+  const cwd = process.cwd();
+  const config = await loadConfig(cwd);
+  const distDir = resolve2(cwd, ".theo");
+  const clientDir = resolve2(distDir, "client");
+  const serverDir = resolve2(cwd, "server");
+  if (!existsSync2(clientDir)) {
+    throw new Error("No build found. Run `theo build` first.");
+  }
+  const indexHtml = readFileSync2(join(clientDir, "index.html"), "utf-8");
+  const loadModule = createProductionLoader();
+  const port = options.port ?? config.port;
+  const custom404Path = join(clientDir, "404.html");
+  const custom500Path = join(clientDir, "500.html");
+  const custom404Html = existsSync2(custom404Path) ? readFileSync2(custom404Path, "utf-8") : null;
+  const custom500Html = existsSync2(custom500Path) ? readFileSync2(custom500Path, "utf-8") : null;
+  const rateLimiter = config.rateLimit ? createRateLimiter(config.rateLimit) : null;
+  const ssrServerPath = resolve2(distDir, "server/entry-server.js");
+  const ssrEnabled = config.ssr && existsSync2(ssrServerPath);
+  let ssrRender = null;
+  let htmlHead = "";
+  let htmlTail = "";
+  if (ssrEnabled) {
+    const mod = await import(ssrServerPath);
+    ssrRender = mod.render;
+    const rootDivMatch = indexHtml.match(/<div id=["']root["'][^>]*>/);
+    if (rootDivMatch) {
+      const splitIdx = indexHtml.indexOf(rootDivMatch[0]) + rootDivMatch[0].length;
+      htmlHead = indexHtml.slice(0, splitIdx);
+      htmlTail = indexHtml.slice(splitIdx);
+    }
+  }
+  const server = createServer(async (req, res) => {
+    const url = req.url ?? "/";
+    const requestId = randomUUID();
+    const start = Date.now();
+    try {
+      if (url.startsWith("/api/__actions/")) {
+        res.setHeader("x-request-id", requestId);
+        if (rateLimiter) {
+          const check = rateLimiter(req);
+          for (const [k, v] of Object.entries(check.headers)) res.setHeader(k, v);
+          if (check.limited) {
+            sendError(res, "RATE_LIMITED", "Too many requests", 429, void 0, requestId);
+            logRequest({ method: req.method ?? "POST", url, status: 429, duration: Date.now() - start, requestId });
+            return;
+          }
+        }
+        const pathAfterPrefix = url.slice("/api/__actions/".length).split("?")[0];
+        const segments = pathAfterPrefix.split("/").filter(Boolean);
+        if (segments.length < 2) {
+          sendError(res, "BAD_REQUEST", "Action URL must be /api/__actions/{file}/{exportName}", 400, void 0, requestId);
+          logRequest({ method: req.method ?? "POST", url, status: 400, duration: Date.now() - start, requestId });
+          return;
+        }
+        const exportName = segments[segments.length - 1];
+        const actionPath = segments.slice(0, -1).join("/");
+        const actions = scanServerActions(serverDir);
+        const action = actions.find((a) => a.actionPath === actionPath);
+        if (!action) {
+          sendError(res, "NOT_FOUND", `Action "${actionPath}" not found`, 404, void 0, requestId);
+          logRequest({ method: req.method ?? "POST", url, status: 404, duration: Date.now() - start, requestId });
+          return;
+        }
+        await executeAction(action.filePath, exportName, req, res, loadModule, serverDir, requestId);
+        logRequest({ method: req.method ?? "POST", url, status: res.statusCode, duration: Date.now() - start, requestId });
+        return;
+      }
+      if (url.startsWith("/api/")) {
+        res.setHeader("x-request-id", requestId);
+        if (rateLimiter) {
+          const check = rateLimiter(req);
+          for (const [k, v] of Object.entries(check.headers)) res.setHeader(k, v);
+          if (check.limited) {
+            sendError(res, "RATE_LIMITED", "Too many requests", 429, void 0, requestId);
+            logRequest({ method: req.method ?? "GET", url, status: 429, duration: Date.now() - start, requestId });
+            return;
+          }
+        }
+        const routes = scanServerRoutes(serverDir);
+        const match = matchRoute(url, routes);
+        if (!match) {
+          sendError(res, "NOT_FOUND", "API route not found", 404, void 0, requestId);
+          logRequest({ method: req.method ?? "GET", url, status: 404, duration: Date.now() - start, requestId });
+          return;
+        }
+        const method = (req.method ?? "GET").toUpperCase();
+        await executeRoute(match.route, method, match.params, req, res, loadModule, serverDir, requestId);
+        logRequest({ method, url, status: res.statusCode, duration: Date.now() - start, requestId });
+        return;
+      }
+      if (serveStaticFile(req, res, clientDir)) return;
+      const urlPath = url.split("?")[0];
+      if (custom404Html && extname2(urlPath)) {
+        res.writeHead(404, { "Content-Type": "text/html" });
+        res.end(custom404Html);
+        return;
+      }
+      if (ssrRender) {
+        try {
+          const result = await ssrRender(url);
+          if (result && typeof result === "object" && "redirect" in result) {
+            res.writeHead(302, { Location: result.redirect.headers.get("location") ?? "/" });
+            res.end();
+            return;
+          }
+          const ssrHtml = result;
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(htmlHead + ssrHtml + htmlTail);
+          return;
+        } catch (ssrErr) {
+          console.error("[SSR Error] Falling back to CSR:", ssrErr.message);
+        }
+      }
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(indexHtml);
+    } catch (err) {
+      if (custom500Html && !res.headersSent) {
+        res.writeHead(500, { "Content-Type": "text/html" });
+        res.end(custom500Html);
+      } else if (!res.headersSent) {
+        sendError(res, "INTERNAL_ERROR", err.message, 500);
+      } else {
+        res.end();
+      }
+    }
+  });
+  const wsRoutes = scanWebSocketRoutes(serverDir);
+  if (wsRoutes.length > 0) {
+    try {
+      const { WebSocketServer } = await import("ws");
+      const wss = new WebSocketServer({ noServer: true });
+      server.on("upgrade", async (request, socket, head) => {
+        const url = request.url ?? "/";
+        if (!url.startsWith("/ws/")) {
+          socket.destroy();
+          return;
+        }
+        const wsPath = url.split("?")[0];
+        const match = wsRoutes.find((r) => r.wsPath === wsPath);
+        if (!match) {
+          socket.destroy();
+          return;
+        }
+        try {
+          const mod = await loadModule(match.filePath);
+          const handler = mod.default ?? mod;
+          wss.handleUpgrade(request, socket, head, (ws) => {
+            handler.onOpen?.(ws, request);
+            ws.on("message", (data) => handler.onMessage?.(ws, data.toString()));
+            ws.on("close", (code, reason) => handler.onClose?.(ws, code, reason));
+            ws.on("error", (err) => handler.onError?.(ws, err));
+          });
+        } catch {
+          socket.destroy();
+        }
+      });
+    } catch {
+      throw new Error(
+        'WebSocket routes found but "ws" package is not installed. Run: npm install ws'
+      );
+    }
+  }
+  server.listen(port, () => {
+    console.log(`
+  Theo production server`);
+    console.log(`  \u2192 http://localhost:${port}
+`);
+  });
+}
+export {
+  startCommand
+};
+//# sourceMappingURL=start-BIS3RCFQ.js.map

package/dist/start-BIS3RCFQ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/commands/start.ts","../src/server/static.ts"],"sourcesContent":["import { createServer } from 'node:http'\nimport { randomUUID } from 'node:crypto'\nimport { existsSync, readFileSync } from 'node:fs'\nimport { resolve, join, extname } from 'node:path'\nimport { loadConfig } from '../../config/load-config.js'\nimport { scanServerRoutes } from '../../server/scan.js'\nimport { scanServerActions } from '../../server/action-scan.js'\nimport { matchRoute } from '../../server/match.js'\nimport { executeRoute, sendError } from '../../server/execute.js'\nimport { executeAction } from '../../server/action-execute.js'\nimport { createProductionLoader } from '../../server/module-loader.js'\nimport { serveStaticFile } from '../../server/static.js'\nimport { logRequest } from '../../server/logger.js'\nimport { createRateLimiter } from '../../server/rate-limit.js'\nimport { scanWebSocketRoutes } from '../../server/ws-scan.js'\n\ninterface StartOptions {\n  port?: number\n}\n\nexport async function startCommand(options: StartOptions): Promise<void> {\n  const cwd = process.cwd()\n  const config = await loadConfig(cwd)\n\n  const distDir = resolve(cwd, '.theo')\n  const clientDir = resolve(distDir, 'client')\n  const serverDir = resolve(cwd, 'server')\n\n  if (!existsSync(clientDir)) {\n    throw new Error('No build found. Run `theo build` first.')\n  }\n\n  const indexHtml = readFileSync(join(clientDir, 'index.html'), 'utf-8')\n  const loadModule = createProductionLoader()\n  const port = options.port ?? config.port\n\n  // Custom error pages (optional)\n  const custom404Path = join(clientDir, '404.html')\n  const custom500Path = join(clientDir, '500.html')\n  const custom404Html = existsSync(custom404Path) ? readFileSync(custom404Path, 'utf-8') : null\n  const custom500Html = existsSync(custom500Path) ? readFileSync(custom500Path, 'utf-8') : null\n\n  // Rate limiter (opt-in)\n  const rateLimiter = config.rateLimit\n    ? createRateLimiter(config.rateLimit)\n    : null\n\n  // SSR setup (opt-in)\n  const ssrServerPath = resolve(distDir, 'server/entry-server.js')\n  const ssrEnabled = config.ssr && existsSync(ssrServerPath)\n  let ssrRender: ((url: string) => Promise<string | { redirect: Response }>) | null = null\n  let htmlHead = ''\n  let htmlTail = ''\n\n  if (ssrEnabled) {\n    const mod = await import(ssrServerPath)\n    ssrRender = mod.render\n    // Split HTML template on root div\n    const rootDivMatch = indexHtml.match(/<div id=[\"']root[\"'][^>]*>/)\n    if (rootDivMatch) {\n      const splitIdx = indexHtml.indexOf(rootDivMatch[0]) + rootDivMatch[0].length\n      htmlHead = indexHtml.slice(0, splitIdx)\n      htmlTail = indexHtml.slice(splitIdx)\n    }\n  }\n\n  const server = createServer(async (req, res) => {\n    const url = req.url ?? '/'\n    const requestId = randomUUID()\n    const start = Date.now()\n\n    try {\n      // 1. Action routes\n      if (url.startsWith('/api/__actions/')) {\n        res.setHeader('x-request-id', requestId)\n\n        // Rate limit check\n        if (rateLimiter) {\n          const check = rateLimiter(req)\n          for (const [k, v] of Object.entries(check.headers)) res.setHeader(k, v)\n          if (check.limited) {\n            sendError(res, 'RATE_LIMITED', 'Too many requests', 429, undefined, requestId)\n            logRequest({ method: req.method ?? 'POST', url, status: 429, duration: Date.now() - start, requestId })\n            return\n          }\n        }\n\n        const pathAfterPrefix = url.slice('/api/__actions/'.length).split('?')[0]\n        const segments = pathAfterPrefix.split('/').filter(Boolean)\n        if (segments.length < 2) {\n          sendError(res, 'BAD_REQUEST', 'Action URL must be /api/__actions/{file}/{exportName}', 400, undefined, requestId)\n          logRequest({ method: req.method ?? 'POST', url, status: 400, duration: Date.now() - start, requestId })\n          return\n        }\n        const exportName = segments[segments.length - 1]\n        const actionPath = segments.slice(0, -1).join('/')\n        const actions = scanServerActions(serverDir)\n        const action = actions.find((a) => a.actionPath === actionPath)\n        if (!action) {\n          sendError(res, 'NOT_FOUND', `Action \"${actionPath}\" not found`, 404, undefined, requestId)\n          logRequest({ method: req.method ?? 'POST', url, status: 404, duration: Date.now() - start, requestId })\n          return\n        }\n        await executeAction(action.filePath, exportName, req, res, loadModule, serverDir, requestId)\n        logRequest({ method: req.method ?? 'POST', url, status: res.statusCode, duration: Date.now() - start, requestId })\n        return\n      }\n\n      // 2. API routes\n      if (url.startsWith('/api/')) {\n        res.setHeader('x-request-id', requestId)\n\n        // Rate limit check\n        if (rateLimiter) {\n          const check = rateLimiter(req)\n          for (const [k, v] of Object.entries(check.headers)) res.setHeader(k, v)\n          if (check.limited) {\n            sendError(res, 'RATE_LIMITED', 'Too many requests', 429, undefined, requestId)\n            logRequest({ method: req.method ?? 'GET', url, status: 429, duration: Date.now() - start, requestId })\n            return\n          }\n        }\n\n        const routes = scanServerRoutes(serverDir)\n        const match = matchRoute(url, routes)\n        if (!match) {\n          sendError(res, 'NOT_FOUND', 'API route not found', 404, undefined, requestId)\n          logRequest({ method: req.method ?? 'GET', url, status: 404, duration: Date.now() - start, requestId })\n          return\n        }\n        const method = (req.method ?? 'GET').toUpperCase()\n        await executeRoute(match.route, method, match.params, req, res, loadModule, serverDir, requestId)\n        logRequest({ method, url, status: res.statusCode, duration: Date.now() - start, requestId })\n        return\n      }\n\n      // 3. Static files\n      if (serveStaticFile(req, res, clientDir)) return\n\n      // 4. Custom 404 for URLs with file extensions (missing static files)\n      const urlPath = url.split('?')[0]\n      if (custom404Html && extname(urlPath)) {\n        res.writeHead(404, { 'Content-Type': 'text/html' })\n        res.end(custom404Html)\n        return\n      }\n\n      // 5. SSR or SPA fallback\n      if (ssrRender) {\n        try {\n          const result = await ssrRender(url)\n          if (result && typeof result === 'object' && 'redirect' in result) {\n            res.writeHead(302, { Location: result.redirect.headers.get('location') ?? '/' })\n            res.end()\n            return\n          }\n          const ssrHtml = result as string\n          res.writeHead(200, { 'Content-Type': 'text/html' })\n          res.end(htmlHead + ssrHtml + htmlTail)\n          return\n        } catch (ssrErr) {\n          console.error('[SSR Error] Falling back to CSR:', (ssrErr as Error).message)\n          // Fall through to CSR fallback\n        }\n      }\n\n      // CSR fallback\n      res.writeHead(200, { 'Content-Type': 'text/html' })\n      res.end(indexHtml)\n    } catch (err) {\n      // Custom 500 page for non-API errors\n      if (custom500Html && !res.headersSent) {\n        res.writeHead(500, { 'Content-Type': 'text/html' })\n        res.end(custom500Html)\n      } else if (!res.headersSent) {\n        sendError(res, 'INTERNAL_ERROR', (err as Error).message, 500)\n      } else {\n        res.end()\n      }\n    }\n  })\n\n  // WebSocket upgrade handler (opt-in: only if server/ws/ exists)\n  const wsRoutes = scanWebSocketRoutes(serverDir)\n  if (wsRoutes.length > 0) {\n    try {\n      const { WebSocketServer } = await import('ws')\n      const wss = new WebSocketServer({ noServer: true })\n\n      server.on('upgrade', async (request, socket, head) => {\n        const url = request.url ?? '/'\n        if (!url.startsWith('/ws/')) {\n          socket.destroy()\n          return\n        }\n\n        const wsPath = url.split('?')[0]\n        const match = wsRoutes.find(r => r.wsPath === wsPath)\n        if (!match) {\n          socket.destroy()\n          return\n        }\n\n        try {\n          const mod = await loadModule(match.filePath)\n          const handler = (mod.default ?? mod) as import('../../server/define-websocket.js').WebSocketHandler\n\n          wss.handleUpgrade(request, socket, head, (ws) => {\n            handler.onOpen?.(ws, request)\n            ws.on('message', (data: Buffer) => handler.onMessage?.(ws, data.toString()))\n            ws.on('close', (code: number, reason: Buffer) => handler.onClose?.(ws, code, reason))\n            ws.on('error', (err: Error) => handler.onError?.(ws, err))\n          })\n        } catch {\n          socket.destroy()\n        }\n      })\n    } catch {\n      throw new Error(\n        'WebSocket routes found but \"ws\" package is not installed. Run: npm install ws',\n      )\n    }\n  }\n\n  server.listen(port, () => {\n    console.log(`\\n  Theo production server`)\n    console.log(`  → http://localhost:${port}\\n`)\n  })\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\nimport { existsSync, readFileSync, statSync } from 'node:fs'\nimport { resolve, extname } from 'node:path'\n\nconst MIME_TYPES: Record<string, string> = {\n  '.html': 'text/html',\n  '.js': 'application/javascript',\n  '.mjs': 'application/javascript',\n  '.css': 'text/css',\n  '.json': 'application/json',\n  '.png': 'image/png',\n  '.jpg': 'image/jpeg',\n  '.jpeg': 'image/jpeg',\n  '.gif': 'image/gif',\n  '.svg': 'image/svg+xml',\n  '.ico': 'image/x-icon',\n  '.woff': 'font/woff',\n  '.woff2': 'font/woff2',\n  '.ttf': 'font/ttf',\n  '.txt': 'text/plain',\n  '.map': 'application/json',\n}\n\nexport function serveStaticFile(\n  req: IncomingMessage,\n  res: ServerResponse,\n  clientDir: string,\n): boolean {\n  const urlPath = (req.url ?? '/').split('?')[0]\n\n  // Path traversal prevention (EC-1)\n  const filePath = resolve(clientDir, '.' + urlPath)\n  if (!filePath.startsWith(clientDir)) {\n    res.writeHead(403)\n    res.end('Forbidden')\n    return true\n  }\n\n  if (!existsSync(filePath)) return false\n\n  const stat = statSync(filePath)\n  if (!stat.isFile()) return false\n\n  const ext = extname(filePath)\n  const contentType = MIME_TYPES[ext] ?? 'application/octet-stream'\n  const content = readFileSync(filePath)\n\n  res.writeHead(200, {\n    'Content-Type': contentType,\n    'Content-Length': content.length,\n  })\n  res.end(content)\n  return true\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA,SAAS,oBAAoB;AAC7B,SAAS,kBAAkB;AAC3B,SAAS,cAAAA,aAAY,gBAAAC,qBAAoB;AACzC,SAAS,WAAAC,UAAS,MAAM,WAAAC,gBAAe;;;ACFvC,SAAS,YAAY,cAAc,gBAAgB;AACnD,SAAS,SAAS,eAAe;AAEjC,IAAM,aAAqC;AAAA,EACzC,SAAS;AAAA,EACT,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,UAAU;AAAA,EACV,QAAQ;AAAA,EACR,QAAQ;AAAA,EACR,QAAQ;AACV;AAEO,SAAS,gBACd,KACA,KACA,WACS;AACT,QAAM,WAAW,IAAI,OAAO,KAAK,MAAM,GAAG,EAAE,CAAC;AAG7C,QAAM,WAAW,QAAQ,WAAW,MAAM,OAAO;AACjD,MAAI,CAAC,SAAS,WAAW,SAAS,GAAG;AACnC,QAAI,UAAU,GAAG;AACjB,QAAI,IAAI,WAAW;AACnB,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,WAAW,QAAQ,EAAG,QAAO;AAElC,QAAM,OAAO,SAAS,QAAQ;AAC9B,MAAI,CAAC,KAAK,OAAO,EAAG,QAAO;AAE3B,QAAM,MAAM,QAAQ,QAAQ;AAC5B,QAAM,cAAc,WAAW,GAAG,KAAK;AACvC,QAAM,UAAU,aAAa,QAAQ;AAErC,MAAI,UAAU,KAAK;AAAA,IACjB,gBAAgB;AAAA,IAChB,kBAAkB,QAAQ;AAAA,EAC5B,CAAC;AACD,MAAI,IAAI,OAAO;AACf,SAAO;AACT;;;ADjCA,eAAsB,aAAa,SAAsC;AACvE,QAAM,MAAM,QAAQ,IAAI;AACxB,QAAM,SAAS,MAAM,WAAW,GAAG;AAEnC,QAAM,UAAUC,SAAQ,KAAK,OAAO;AACpC,QAAM,YAAYA,SAAQ,SAAS,QAAQ;AAC3C,QAAM,YAAYA,SAAQ,KAAK,QAAQ;AAEvC,MAAI,CAACC,YAAW,SAAS,GAAG;AAC1B,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AAEA,QAAM,YAAYC,cAAa,KAAK,WAAW,YAAY,GAAG,OAAO;AACrE,QAAM,aAAa,uBAAuB;AAC1C,QAAM,OAAO,QAAQ,QAAQ,OAAO;AAGpC,QAAM,gBAAgB,KAAK,WAAW,UAAU;AAChD,QAAM,gBAAgB,KAAK,WAAW,UAAU;AAChD,QAAM,gBAAgBD,YAAW,aAAa,IAAIC,cAAa,eAAe,OAAO,IAAI;AACzF,QAAM,gBAAgBD,YAAW,aAAa,IAAIC,cAAa,eAAe,OAAO,IAAI;AAGzF,QAAM,cAAc,OAAO,YACvB,kBAAkB,OAAO,SAAS,IAClC;AAGJ,QAAM,gBAAgBF,SAAQ,SAAS,wBAAwB;AAC/D,QAAM,aAAa,OAAO,OAAOC,YAAW,aAAa;AACzD,MAAI,YAAgF;AACpF,MAAI,WAAW;AACf,MAAI,WAAW;AAEf,MAAI,YAAY;AACd,UAAM,MAAM,MAAM,OAAO;AACzB,gBAAY,IAAI;AAEhB,UAAM,eAAe,UAAU,MAAM,4BAA4B;AACjE,QAAI,cAAc;AAChB,YAAM,WAAW,UAAU,QAAQ,aAAa,CAAC,CAAC,IAAI,aAAa,CAAC,EAAE;AACtE,iBAAW,UAAU,MAAM,GAAG,QAAQ;AACtC,iBAAW,UAAU,MAAM,QAAQ;AAAA,IACrC;AAAA,EACF;AAEA,QAAM,SAAS,aAAa,OAAO,KAAK,QAAQ;AAC9C,UAAM,MAAM,IAAI,OAAO;AACvB,UAAM,YAAY,WAAW;AAC7B,UAAM,QAAQ,KAAK,IAAI;AAEvB,QAAI;AAEF,UAAI,IAAI,WAAW,iBAAiB,GAAG;AACrC,YAAI,UAAU,gBAAgB,SAAS;AAGvC,YAAI,aAAa;AACf,gBAAM,QAAQ,YAAY,GAAG;AAC7B,qBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,OAAO,EAAG,KAAI,UAAU,GAAG,CAAC;AACtE,cAAI,MAAM,SAAS;AACjB,sBAAU,KAAK,gBAAgB,qBAAqB,KAAK,QAAW,SAAS;AAC7E,uBAAW,EAAE,QAAQ,IAAI,UAAU,QAAQ,KAAK,QAAQ,KAAK,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AACtG;AAAA,UACF;AAAA,QACF;AAEA,cAAM,kBAAkB,IAAI,MAAM,kBAAkB,MAAM,EAAE,MAAM,GAAG,EAAE,CAAC;AACxE,cAAM,WAAW,gBAAgB,MAAM,GAAG,EAAE,OAAO,OAAO;AAC1D,YAAI,SAAS,SAAS,GAAG;AACvB,oBAAU,KAAK,eAAe,yDAAyD,KAAK,QAAW,SAAS;AAChH,qBAAW,EAAE,QAAQ,IAAI,UAAU,QAAQ,KAAK,QAAQ,KAAK,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AACtG;AAAA,QACF;AACA,cAAM,aAAa,SAAS,SAAS,SAAS,CAAC;AAC/C,cAAM,aAAa,SAAS,MAAM,GAAG,EAAE,EAAE,KAAK,GAAG;AACjD,cAAM,UAAU,kBAAkB,SAAS;AAC3C,cAAM,SAAS,QAAQ,KAAK,CAAC,MAAM,EAAE,eAAe,UAAU;AAC9D,YAAI,CAAC,QAAQ;AACX,oBAAU,KAAK,aAAa,WAAW,UAAU,eAAe,KAAK,QAAW,SAAS;AACzF,qBAAW,EAAE,QAAQ,IAAI,UAAU,QAAQ,KAAK,QAAQ,KAAK,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AACtG;AAAA,QACF;AACA,cAAM,cAAc,OAAO,UAAU,YAAY,KAAK,KAAK,YAAY,WAAW,SAAS;AAC3F,mBAAW,EAAE,QAAQ,IAAI,UAAU,QAAQ,KAAK,QAAQ,IAAI,YAAY,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AACjH;AAAA,MACF;AAGA,UAAI,IAAI,WAAW,OAAO,GAAG;AAC3B,YAAI,UAAU,gBAAgB,SAAS;AAGvC,YAAI,aAAa;AACf,gBAAM,QAAQ,YAAY,GAAG;AAC7B,qBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,OAAO,EAAG,KAAI,UAAU,GAAG,CAAC;AACtE,cAAI,MAAM,SAAS;AACjB,sBAAU,KAAK,gBAAgB,qBAAqB,KAAK,QAAW,SAAS;AAC7E,uBAAW,EAAE,QAAQ,IAAI,UAAU,OAAO,KAAK,QAAQ,KAAK,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AACrG;AAAA,UACF;AAAA,QACF;AAEA,cAAM,SAAS,iBAAiB,SAAS;AACzC,cAAM,QAAQ,WAAW,KAAK,MAAM;AACpC,YAAI,CAAC,OAAO;AACV,oBAAU,KAAK,aAAa,uBAAuB,KAAK,QAAW,SAAS;AAC5E,qBAAW,EAAE,QAAQ,IAAI,UAAU,OAAO,KAAK,QAAQ,KAAK,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AACrG;AAAA,QACF;AACA,cAAM,UAAU,IAAI,UAAU,OAAO,YAAY;AACjD,cAAM,aAAa,MAAM,OAAO,QAAQ,MAAM,QAAQ,KAAK,KAAK,YAAY,WAAW,SAAS;AAChG,mBAAW,EAAE,QAAQ,KAAK,QAAQ,IAAI,YAAY,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,CAAC;AAC3F;AAAA,MACF;AAGA,UAAI,gBAAgB,KAAK,KAAK,SAAS,EAAG;AAG1C,YAAM,UAAU,IAAI,MAAM,GAAG,EAAE,CAAC;AAChC,UAAI,iBAAiBE,SAAQ,OAAO,GAAG;AACrC,YAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,YAAI,IAAI,aAAa;AACrB;AAAA,MACF;AAGA,UAAI,WAAW;AACb,YAAI;AACF,gBAAM,SAAS,MAAM,UAAU,GAAG;AAClC,cAAI,UAAU,OAAO,WAAW,YAAY,cAAc,QAAQ;AAChE,gBAAI,UAAU,KAAK,EAAE,UAAU,OAAO,SAAS,QAAQ,IAAI,UAAU,KAAK,IAAI,CAAC;AAC/E,gBAAI,IAAI;AACR;AAAA,UACF;AACA,gBAAM,UAAU;AAChB,cAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,cAAI,IAAI,WAAW,UAAU,QAAQ;AACrC;AAAA,QACF,SAAS,QAAQ;AACf,kBAAQ,MAAM,oCAAqC,OAAiB,OAAO;AAAA,QAE7E;AAAA,MACF;AAGA,UAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,UAAI,IAAI,SAAS;AAAA,IACnB,SAAS,KAAK;AAEZ,UAAI,iBAAiB,CAAC,IAAI,aAAa;AACrC,YAAI,UAAU,KAAK,EAAE,gBAAgB,YAAY,CAAC;AAClD,YAAI,IAAI,aAAa;AAAA,MACvB,WAAW,CAAC,IAAI,aAAa;AAC3B,kBAAU,KAAK,kBAAmB,IAAc,SAAS,GAAG;AAAA,MAC9D,OAAO;AACL,YAAI,IAAI;AAAA,MACV;AAAA,IACF;AAAA,EACF,CAAC;AAGD,QAAM,WAAW,oBAAoB,SAAS;AAC9C,MAAI,SAAS,SAAS,GAAG;AACvB,QAAI;AACF,YAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,IAAI;AAC7C,YAAM,MAAM,IAAI,gBAAgB,EAAE,UAAU,KAAK,CAAC;AAElD,aAAO,GAAG,WAAW,OAAO,SAAS,QAAQ,SAAS;AACpD,cAAM,MAAM,QAAQ,OAAO;AAC3B,YAAI,CAAC,IAAI,WAAW,MAAM,GAAG;AAC3B,iBAAO,QAAQ;AACf;AAAA,QACF;AAEA,cAAM,SAAS,IAAI,MAAM,GAAG,EAAE,CAAC;AAC/B,cAAM,QAAQ,SAAS,KAAK,OAAK,EAAE,WAAW,MAAM;AACpD,YAAI,CAAC,OAAO;AACV,iBAAO,QAAQ;AACf;AAAA,QACF;AAEA,YAAI;AACF,gBAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC3C,gBAAM,UAAW,IAAI,WAAW;AAEhC,cAAI,cAAc,SAAS,QAAQ,MAAM,CAAC,OAAO;AAC/C,oBAAQ,SAAS,IAAI,OAAO;AAC5B,eAAG,GAAG,WAAW,CAAC,SAAiB,QAAQ,YAAY,IAAI,KAAK,SAAS,CAAC,CAAC;AAC3E,eAAG,GAAG,SAAS,CAAC,MAAc,WAAmB,QAAQ,UAAU,IAAI,MAAM,MAAM,CAAC;AACpF,eAAG,GAAG,SAAS,CAAC,QAAe,QAAQ,UAAU,IAAI,GAAG,CAAC;AAAA,UAC3D,CAAC;AAAA,QACH,QAAQ;AACN,iBAAO,QAAQ;AAAA,QACjB;AAAA,MACF,CAAC;AAAA,IACH,QAAQ;AACN,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO,OAAO,MAAM,MAAM;AACxB,YAAQ,IAAI;AAAA,yBAA4B;AACxC,YAAQ,IAAI,6BAAwB,IAAI;AAAA,CAAI;AAAA,EAC9C,CAAC;AACH;","names":["existsSync","readFileSync","resolve","extname","resolve","existsSync","readFileSync","extname"]}