npm - topbit - Versions diffs - 3.0.5 → 3.0.6 - Mend

topbit 3.0.5 → 3.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/LICENSE +15 -122
package/README.cn.md +1 -1
package/README.md +1 -1
package/docs/README.md +16 -0
package/docs/en/topbit-loader.md +305 -0
package/docs/en/topbit-token.md +136 -0
package/docs/topbit-loader.md +302 -0
package/docs/topbit-token.md +166 -0
package/images/topbit-middleware.webp +0 -0
package/package.json +1 -1
package/src/token/token.js +2 -2

package/LICENSE CHANGED Viewed

@@ -1,128 +1,21 @@
-                     木兰宽松许可证, 第2版
+Copyright (c) [2025] [Copyright Holder]
-   木兰宽松许可证， 第2版
-   2020年1月 http://license.coscl.org.cn/MulanPSL2
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-   您对“软件”的复制、使用、修改及分发受木兰宽松许可证，第2版（“本许可证”）的如下条款的约束：
+---------------------------------------------
-   0. 定义
+版权所有 (c) [2025] [版权所有者]
-      “软件”是指由“贡献”构成的许可在“本许可证”下的程序和相关文档的集合。
-      “贡献”是指由任一“贡献者”许可在“本许可证”下的受版权法保护的作品。
-      “贡献者”是指将受版权法保护的作品许可在“本许可证”下的自然人或“法人实体”。
-      “法人实体”是指提交贡献的机构及其“关联实体”。
-      “关联实体”是指，对“本许可证”下的行为方而言，控制、受控制或与其共同受控制的机构，此处的控制是指有受控方或共同受控方至少50%直接或间接的投票权、资金或其他有价证券。
-   1. 授予版权许可
-      每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的版权许可，您可以复制、使用、修改、分发其“贡献”，不论修改与否。
-   2. 授予专利许可
-      每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的（根据本条规定撤销除外）专利许可，供您制造、委托制造、使用、许诺销售、销售、进口其“贡献”或以其他方式转移其“贡献”。前述专利许可仅限于“贡献者”现在或将来拥有或控制的其“贡献”本身或其“贡献”与许可“贡献”时的“软件”结合而将必然会侵犯的专利权利要求，不包括对“贡献”的修改或包含“贡献”的其他结合。如果您或您的“关联实体”直接或间接地，就“软件”或其中的“贡献”对任何人发起专利侵权诉讼（包括反诉或交叉诉讼）或其他专利维权行动，指控其侵犯专利权，则“本许可证”授予您对“软件”的专利许可自您提起诉讼或发起维权行动之日终止。
-   3. 无商标许可
-      “本许可证”不提供对“贡献者”的商品名称、商标、服务标志或产品名称的商标许可，但您为满足第4条规定的声明义务而必须使用除外。
-   4. 分发限制
-      您可以在任何媒介中将“软件”以源程序形式或可执行形式重新分发，不论修改与否，但您必须向接收者提供“本许可证”的副本，并保留“软件”中的版权、商标、专利及免责声明。
-   5. 免责声明与责任限制
-      “软件”及其中的“贡献”在提供时不带任何明示或默示的担保。在任何情况下，“贡献者”或版权所有者不对任何人因使用“软件”或其中的“贡献”而引发的任何直接或间接损失承担责任，不论因何种原因导致或者基于何种法律理论，即使其曾被建议有此种损失的可能性。
-   6. 语言
-      “本许可证”以中英文双语表述，中英文版本具有同等法律效力。如果中英文版本存在任何冲突不一致，以中文版为准。
-   条款结束
-   如何将木兰宽松许可证，第2版，应用到您的软件
-   如果您希望将木兰宽松许可证，第2版，应用到您的新软件，为了方便接收者查阅，建议您完成如下三步：
-      1， 请您补充如下声明中的空白，包括软件名、软件的首次发表年份以及您作为版权人的名字；
-      2， 请您在软件包的一级目录下创建以“LICENSE”为名的文件，将整个许可证文本放入该文件中；
-      3， 请将如下声明文本放入每个源文件的头部注释中。
-   Copyright (c) [Year] [name of copyright holder]
-   [Software Name] is licensed under Mulan PSL v2.
-   You can use this software according to the terms and conditions of the Mulan PSL v2.
-   You may obtain a copy of Mulan PSL v2 at:
-            http://license.coscl.org.cn/MulanPSL2
-   THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
-   See the Mulan PSL v2 for more details.
-                     Mulan Permissive Software License，Version 2
-   Mulan Permissive Software License，Version 2 (Mulan PSL v2)
-   January 2020 http://license.coscl.org.cn/MulanPSL2
-   Your reproduction, use, modification and distribution of the Software shall be subject to Mulan PSL v2 (this License) with the following terms and conditions:
-   0. Definition
-      Software means the program and related documents which are licensed under this License and comprise all Contribution(s).
-      Contribution means the copyrightable work licensed by a particular Contributor under this License.
-      Contributor means the Individual or Legal Entity who licenses its copyrightable work under this License.
-      Legal Entity means the entity making a Contribution and all its Affiliates.
-      Affiliates means entities that control, are controlled by, or are under common control with the acting entity under this License, ‘control’ means direct or indirect ownership of at least fifty percent (50%) of the voting power, capital or other securities of controlled or commonly controlled entity.
-   1. Grant of Copyright License
-      Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable copyright license to reproduce, use, modify, or distribute its Contribution, with modification or not.
-   2. Grant of Patent License
-      Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable (except for revocation under this Section) patent license to make, have made, use, offer for sale, sell, import or otherwise transfer its Contribution, where such patent license is only limited to the patent claims owned or controlled by such Contributor now or in future which will be necessarily infringed by its Contribution alone, or by combination of the Contribution with the Software to which the Contribution was contributed. The patent license shall not apply to any modification of the Contribution, and any other combination which includes the Contribution. If you or your Affiliates directly or indirectly institute patent litigation (including a cross claim or counterclaim in a litigation) or other patent enforcement activities against any individual or entity by alleging that the Software or any Contribution in it infringes patents, then any patent license granted to you under this License for the Software shall terminate as of the date such litigation or activity is filed or taken.
-   3. No Trademark License
-      No trademark license is granted to use the trade names, trademarks, service marks, or product names of Contributor, except as required to fulfill notice requirements in Section 4.
-   4. Distribution Restriction
-      You may distribute the Software in any medium with or without modification, whether in source or executable forms, provided that you provide recipients with a copy of this License and retain copyright, patent, trademark and disclaimer statements in the Software.
-   5. Disclaimer of Warranty and Limitation of Liability
-      THE SOFTWARE AND CONTRIBUTION IN IT ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ANY CONTRIBUTOR OR COPYRIGHT HOLDER BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO ANY DIRECT, OR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OR INABILITY TO USE THE SOFTWARE OR THE CONTRIBUTION IN IT, NO MATTER HOW IT’S CAUSED OR BASED ON WHICH LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-   6. Language
-      THIS LICENSE IS WRITTEN IN BOTH CHINESE AND ENGLISH, AND THE CHINESE VERSION AND ENGLISH VERSION SHALL HAVE THE SAME LEGAL EFFECT. IN THE CASE OF DIVERGENCE BETWEEN THE CHINESE AND ENGLISH VERSIONS, THE CHINESE VERSION SHALL PREVAIL.
-   END OF THE TERMS AND CONDITIONS
-   How to Apply the Mulan Permissive Software License，Version 2 (Mulan PSL v2) to Your Software
-      To apply the Mulan PSL v2 to your work, for easy identification by recipients, you are suggested to complete following three steps:
-      i Fill in the blanks in following statement, including insert your software name, the year of the first publication of your software, and your name identified as the copyright owner;
-      ii Create a file named “LICENSE” which contains the whole context of this License in the first directory of your software package;
-      iii Attach the statement to the appropriate annotated syntax at the beginning of each source file.
-   Copyright (c) [Year] [name of copyright holder]
-   [Software Name] is licensed under Mulan PSL v2.
-   You can use this software according to the terms and conditions of the Mulan PSL v2.
-   You may obtain a copy of Mulan PSL v2 at:
-               http://license.coscl.org.cn/MulanPSL2
-   THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
-   See the Mulan PSL v2 for more details.
+特此授权，允许出于任何目的使用、复制、修改和/或分发本软件，无论是否收费，前提是必须在所有副本中保留上述版权声明和本许可声明。
+本软件按“原样”提供，作者不作任何明示或暗示的保证，包括但不限于适销性和特定用途适用性的暗示保证。在任何情况下，作者均不对因使用或运行本软件而引起的或与之相关的任何特殊、直接、间接或后果性损害，或因使用、数据或利润损失而导致的任何损害承担责任，无论是在合同诉讼、疏忽或其他侵权行为诉讼中。

package/README.cn.md CHANGED Viewed

@@ -2,7 +2,7 @@
 # Topbit
-[English Documentation](README.en.md)
+#### [English Documentation](README.en.md)
 topbit是基于Node.js的运行于服务端的Web框架，它没有任何第三方依赖，在独特的路由和中间件分组执行机制上进行了极致优化。

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 # Topbit
-[中文文档](README.cn.md)
+#### [🪭 中文文档 ☯️](README.cn.md)
 Topbit is a server-side Web framework based on Node.js. It has no third-party dependencies and is optimized for extreme performance with a unique routing and middleware grouping execution mechanism.

package/docs/README.md ADDED Viewed

@@ -0,0 +1,16 @@
+# Extensions Document
+## 中文版
+[TopbitLoader](./topbit-loader.md)
+[TopbitToken](./topbit-token.md)
+---
+## English Document
+[TopbitLoader](./topbit-loader.md)
+[TopbitToken](./topbit-token.md)

package/docs/en/topbit-loader.md ADDED Viewed

@@ -0,0 +1,305 @@
+# TopbitLoader Complete User Manual
+---
+### 1. What is TopbitLoader?
+TopbitLoader is the official recommended auto-loading extension for the Topbit framework. It completely eliminates the need to manually write `app.get()`, `app.post()`, `app.use()`, etc.
+It implements a true MCM pattern (Middleware → Controller → Model) — lightweight, ultra-fast, and perfectly aligned with Topbit’s extreme-performance philosophy.
+**One sentence summary:**
+> Write your project following the conventional directory structure, then just call `new Loader().init(app)` once — all routes, middlewares, and models are automatically loaded.
+---
+### 2. Recommended Project Structure
+```
+project/
+├── app.js                  # Entry file (full example below)
+├── controller/             # Controllers (required)
+│   ├── __mid.js            # Global middleware list (optional)
+│   ├── user.js             # → /user group
+│   ├── admin/              # Sub-group
+│   │   ├── __mid.js        # Middleware only for admin group
+│   │   └── index.js        # → /admin
+│   └── api/
+│       ├── __mid.js
+│       └── v1/
+│           └── post.js     # → /api/v1/post
+├── middleware/            # Class-style middlewares (required)
+│   ├── @auth.js            # Must start with @
+│   ├── @cors.js
+│   └── rate-limit.js       # Plain function middleware (less common)
+└── model/                  # Models (optional)
+    └── user.js
+```
+---
+### 3. 30-Second Quick Start
+```js
+// app.js
+'use strict'
+process.chdir(__dirname)
+const Topbit = require('topbit')
+const { Loader } = Topbit
+const app = new Topbit({
+  debug: true,
+  http2: true,
+  allowHTTP1: true,
+  cert: './cert/fullchain.pem',
+  key: './cert/privkey.pem'
+})
+if (app.isWorker) {
+  // One line only – everything is auto-loaded
+  new Loader().init(app)
+}
+app.autoWorker(16)   // Max elastic workers
+app.daemon(443, 4)   // 4 base workers
+```
+Run `node app.js` → full-featured service is up!
+---
+### 4. Configuration Options
+| Option               | Type               | Default       | Description                                                                                     |
+|----------------------|--------------------|---------------|-------------------------------------------------------------------------------------------------|
+| `appPath`            | string             | `.`           | Project root directory                                                                         |
+| `controllerPath`     | string             | `./controller`| Controller folder                                                                               |
+| `midwarePath`        | string             | `./middleware`| Middleware class folder                                                                         |
+| `prePath`            | string             | `''`          | Global route prefix (e.g. `/api/v1`)                                                            |
+| `subgroup`           | string\|Array      | `null`        | Load only specified subdirectories (e.g. `['admin','api']`)                                     |
+| `fileAsGroup`        | boolean            | `true`        | Highly recommended – each controller file becomes its own route group (precise middleware)   |
+| `optionsRoute`       | boolean            | `true`        | Auto-add `OPTIONS /*` routes for CORS preflight                                                 |
+| `multi`              | boolean            | `false`       | Allow multiple `init()` calls (keep `false` in production)                                      |
+| `homeFile`           | string             | `''`          | Which file serves the root `/` route (e.g. `'index.js'`)                                        |
+| `initArgs`           | any                | `app.service` | Arguments passed to every controller’s `init()` method                                          |
+| `beforeController`   | function           | `null`        | Hook executed after controller instantiation, before route registration                       |
+| `afterController`    | function           | `null`        | Hook executed after route registration                                                         |
+| `modelLoader`        | async function     | `null`        | Powerful extension point – custom model loading (recommended with topbit-model)               |
+**Most common production config:**
+```js
+new Loader({
+  prePath: '/api/v1',
+  fileAsGroup: true,
+  optionsRoute: true,
+  modelLoader: async (service) => {
+    const UserModel = require('./model/user')
+    service.userModel = new UserModel(service)
+  }
+}).init(app)
+```
+---
+### 5. Controller Writing Guide
+#### 5.1 Minimal RESTful Style (Recommended)
+```js
+// controller/user.js
+class User {
+  async get(c) {               // GET    /user/:id
+    c.to({ id: c.param.id })
+  }
+  async list(c) {              // GET    /user
+    c.to(['alice', 'bob'])
+  }
+  async post(c) {              // POST   /user
+    c.to({ saved: true })
+  }
+  async put(c) {               // PUT    /user/:id
+    c.to({ updated: true })
+  }
+  async delete(c) {            // DELETE /user/:id
+    c.to({ deleted: true })
+  }
+}
+module.exports = User
+```
+#### 5.2 Custom Path Parameters
+```js
+class User {
+  static param = '/:uid/profile'     // overrides default /:id
+  static postParam = '/register'     // POST /user/register
+  async post(c) {
+    c.ok('registered')
+  }
+}
+```
+#### 5.3 File-Specific Middleware
+```js
+class User {
+  static __mid() {
+    return [
+      [require('../middleware/@auth'), { pre: true }],
+      require('../middleware/rate-limit')
+    ]
+  }
+}
+```
+#### 5.4 Homepage Controller
+```js
+// controller/index.js
+class Index {
+  async get(c) {
+    c.html('<h1>Welcome to Topbit</h1>')
+  }
+}
+module.exports = Index
+// In Loader config:
+new Loader({ homeFile: 'index.js' }).init(app)
+```
+---
+### 6. Middleware Writing Guide
+#### 6.1 Class-Style Middleware (Recommended – file name starts with `@`)
+```js
+// middleware/@auth.js
+class Auth {
+  async middleware(c, next) {
+    if (!c.headers.token) return c.status(401).to('Token required')
+    c.user = { id: 1 }
+    await next(c)
+  }
+}
+module.exports = Auth
+```
+#### 6.2 Global / Group Middleware via `__mid.js`
+```js
+// controller/__mid.js   (global)  or  controller/admin/__mid.js (group)
+module.exports = [
+  { name: '@auth' },                                     // class middleware
+  { name: 'rate-limit', method: ['GET','POST'] },        // plain function
+  { middleware: async (c, next) => {                     // inline
+      console.log('global mid')
+      await next(c)
+  }, pre: true }
+]
+```
+#### 6.3 File-Level Middleware (Most Precise)
+```js
+// Inside any controller file
+static __mid() {
+  return [
+    { name: '@vip-auth', pre: true },
+    { name: 'log', method: 'POST' }
+  ]
+}
+```
+---
+### 7. Model Loading (modelLoader) Best Practice
+```js
+new Loader({
+  modelLoader: async (service) => {
+    const glob = require('glob')
+    const path = require('path')
+    const files = glob.sync('model/**/*.js', { cwd: __dirname })
+    for (const f of files) {
+      const Model = require(path.resolve(__dirname, f))
+      const name = path.basename(f, '.js')
+      service[name + 'Model'] = new Model(service)
+    }
+  }
+}).init(app)
+```
+---
+### 8. Naming & Safety Rules
+- Folder and file names may only contain: `a-z 0-9 _ -` and must start with a letter
+- No spaces, Chinese characters, uppercase letters, or special symbols
+- Files/folders starting with `!` are automatically ignored
+- Violation → red warning + skip loading
+---
+### 9. Advanced Tips Collection
+| Need                            | Solution                                                                                              |
+|---------------------------------|-------------------------------------------------------------------------------------------------------|
+| Multiple API versions coexist   | Use different `prePath` and create multiple Loader instances                                         |
+| Canary / gray release           | `subgroup: ['v2']` + Nginx traffic split                                                             |
+| Plugin system                   | Each plugin has its own folder → `new Loader({ appPath: './plugins/xxx' }).init(app)`                |
+| Hot reload (dev)                | Set `multi: true` + watch files with chokidar and re-call `init()`                                   |
+---
+### 10. Production-Grade Full Entry Example
+```js
+// app.js (Ultimate production version)
+'use strict'
+process.chdir(__dirname)
+const Topbit = require('topbit')
+const { Loader } = Topbit
+const app = new Topbit({
+  debug: false,
+  http2: true,
+  allowHTTP1: true,
+  cert: '/etc/ssl/certs/fullchain.pem',
+  key: '/etc/ssl/private/privkey.pem',
+  globalLog: true,
+  logType: 'file',
+  logFile: '/var/log/topbit/access.log',
+  errorLogFile: '/var/log/topbit/error.log'
+})
+if (app.isWorker) {
+  new Loader({
+    prePath: '/api',
+    fileAsGroup: true,
+    optionsRoute: true,
+    modelLoader: async (svc) => {
+      svc.db    = require('./lib/mysql-pool')
+      svc.redis = require('./lib/redis-client')
+    }
+  }).init(app)
+}
+app.sched('none')
+app.autoWorker(32)
+app.daemon(443, 8)
+```
+---
+**You have now mastered the complete essence of TopbitLoader!**
+Start using it today and you’ll find:
+> Topbit + TopbitLoader = possibly the best developer experience + highest performance backend combination in the current Node.js ecosystem.
+Happy coding and may your services fly!

package/docs/en/topbit-token.md ADDED Viewed

@@ -0,0 +1,136 @@
+# TopbitToken – Ultra-Fast & Secure Token System for Topbit
+### 1. What is TopbitToken?
+TopbitToken is a zero-dependency, minimalist, high-security encrypted token system designed specifically for the Topbit framework.
+Built entirely on Node.js native `crypto`, supports:
+- AES-256-GCM (default, recommended)
+- AES-192-GCM / AES-128-CBC / AES-256-CBC
+- SM4-CBC (China GM standard)
+**One-sentence summary:**
+> 3 lines of code = Issue + Verify + Auto-refresh + Instant revocation (hot-swappable keys)
+---
+### 2. Why Choose TopbitToken?
+| Feature                        | Description                                                                      |
+|--------------------------------|----------------------------------------------------------------------------------|
+| **Zero Dependencies**          | Pure native crypto, no jwt/jsonwebtoken                                         |
+| **Lightning Fast**             | AES-NI + GCM mode, < 0.05ms per verification                                    |
+| **Refresh Auto Token Refresh** | Automatically issues new token when nearing expiry                              |
+| **Key Multiple Keys (tokenId)**| Supports multiple key sets, switch master key = instantly invalidate all old tokens |
+| **Shield Tamper-proof**        | Built-in timestamp + expiry + tokenId validation                                |
+| **Lock Instant Revocation**    | Remove a tokenId → all related tokens die immediately, no waiting              |
+| **Gear SM4 Support**           | Full support for China national crypto standard                                 |
+---
+### 3. 30-Second Quick Start
+```js
+// middleware/@token.js
+const TopbitToken = require('topbit-token')
+const token = new TopbitToken({
+  key     : 'your-very-strong-32-byte-secret!!',
+  expires : 60 * 60 * 24,      // 24 hours
+  refresh : true               // Enable auto refresh
+})
+module.exports = token
+```
+```js
+// controller/user.js
+async post(c) {
+  // After successful login
+  const userinfo = { uid: 1, name: 'Alice', role: 'admin' }
+  const t = token.make(userinfo)
+  c.setHeader('authorization', t)
+  c.to({ok: true})
+}
+// All protected routes automatically use token.mid()
+// Verified user info → c.user
+```
+---
+### 4. Full Configuration Options
+| Option         | Type           | Default           | Description                                              |
+|----------------|----------------|-------------------|----------------------------------------------------------|
+| `key`          | string         | random 32 bytes   | Master encryption key (32 bytes recommended)             |
+| `algorithm`    | string         | `aes-256-gcm`     | Supported: `aes-256-gcm`, `sm4-cbc`, etc.                |
+| `expires`      | number (sec)   | 3 hours           | Default token lifetime                                   |
+| `refresh`      | boolean        | `false`           | Auto refresh in last 1/5 of lifetime                     |
+| `encoding`     | string         | `base64url`       | Output encoding                                          |
+| `failedCode`   | number         | `401`             | HTTP status on auth failure                              |
+---
+### 5. Advanced: Multi-Key + Instant Revocation
+```js
+const token = new TopbitToken({ key: 'current-master-key' })
+// Add multiple key versions
+token.addTokenId({
+  'v2024' : 'old-key-jan-2024',
+  'mobile': 'mobile-app-key'
+})
+// Key leaked? Kill instantly:
+token.removeTokenId('v2024')  // All tokens issued with v2024 die now
+```
+---
+### 6. Auto Token Refresh
+```js
+new TopbitToken({
+  expires: 24*3600,
+  refresh: true
+})
+```
+→ When remaining time < 20%, server returns:
+`x-refresh-token: new-long-lived-token`
+Frontend just replaces the old one → seamless “never expire” experience.
+---
+### 7. Production Recommended Setup
+```js
+// middleware/@auth.js
+const TopbitToken = require('topbit-token')
+const token = new TopbitToken({
+  algorithm : 'aes-256-gcm',
+  key       : process.env.TOKEN_SECRET,
+  expires   : 30 * 24 * 3600,    // 30 days
+  refresh   : true
+})
+if (process.env.TOKEN_ID) {
+  token.addTokenId(process.env.TOKEN_ID)
+}
+module.exports = token
+```
+---
+**TopbitToken is currently the fastest, safest, and most operations-friendly authentication solution in the Topbit ecosystem.**
+With TopbitLoader, you get a true zero-config, fully automatic, high-performance authentication system.
+Enjoy secure, blazing-fast services!

package/docs/topbit-loader.md ADDED Viewed

@@ -0,0 +1,302 @@
+# TopbitLoader 完全使用手册
+### 一、TopbitLoader 是什么？
+TopbitLoader 是 Topbit 框架官方推荐的「自动化加载器」扩展，彻底告别手动 `app.get()`、`app.use()` 的繁琐写法。
+它实现了真正的 **MCM 模式**（Middleware → Controller → Model），类似 MVC 但更轻量、更符合 Topbit 的极致性能哲学。
+一句话总结：
+> **把整个项目按约定目录结构写好，一个 `ld.init(app)` 就自动完成所有路由 + 中间件 + 模型的加载。**
+---
+### 二、推荐项目结构
+```
+project/
+├── app.js                 # 入口文件（下面有完整示例）
+├── controller/            # 控制器目录（必须）
+│   ├── __mid.js           # 全局中间件（可选）
+│   ├── user.js            # /user 路由组
+│   ├── admin/             # /admin 路由组（子目录自动识别）
+│   │   ├── __mid.js       # admin 组专用中间件
+│   │   └── index.js       # /admin
+│   └── api/
+│       ├── __mid.js
+│       └── v1/
+│           └── post.js    # /api/v1/post
+├── middleware/           # 中间件类目录（必须）
+│   ├── @auth.js           # 必须以 @ 开头，类式中间件
+│   ├── @cors.js
+│   └── rate-limit.js      # 普通函数式中间件（不推荐）
+└── model/                 # 模型目录（可选，配合 modelLoader）
+    └── user.js
+```
+---
+### 三、快速上手
+```js
+// app.js
+'use strict'
+process.chdir(__dirname)
+const Topbit = require('topbit')
+const { Loader } = Topbit   // 关键：直接从 topbit 导出
+const app = new Topbit({
+  debug: true,
+  http2: true,
+  allowHTTP1: true,
+  cert: './cert/fullchain.pem',
+  key: './cert/privkey.pem'
+})
+if (app.isWorker) {
+  // 只需要这一行，所有路由、中间件、模型全部自动加载
+  new Loader().init(app)
+}
+app.autoWorker(16)      // 最大弹性进程数
+app.daemon(443, 4)      // 4 个基础进程
+```
+只需执行 `node app.js` 即可启动完整服务！
+---
+### 四、核心配置项详解
+| 配置项               | 类型               | 默认值         | 说明                                                                                                                    |
+|----------------------|--------------------|----------------|-------------------------------------------------------------------------------------------------------------------------|
+| `appPath`            | string             | `.`            | 项目根目录（一般不用改）                                                                                                 |
+| `controllerPath`     | string             | `./controller` | 控制器目录                                                                                                              |
+| `midwarePath`        | string             | `./middleware` | 中间件类目录                                                                                                            |
+| `prePath`            | string             | `''`           | 全局路由前缀，例如 `/api/v1`                                                                                            |
+| `subgroup`           | string\|Array      | `null`         | 只加载指定子目录，例如 `['admin', 'api']`                                                                                |
+| `fileAsGroup`        | boolean            | `true`         | **强烈推荐开启**，每个控制器文件自动成为一个路由分组，中间件更精准                                                      |
+| `optionsRoute`       | boolean            | `true`         | 自动为每个分组添加 `OPTIONS /*` 路由（CORS 预检必备）                                                                    |
+| `multi`              | boolean            | `false`        | 是否允许重复调用 `init()`，生产环境保持 `false`                                                                          |
+| `homeFile`           | string             | `''`           | 指定哪个文件作为首页路由 `/`，例如 `'index.js'`                                                                          |
+| `initArgs`           | any                | `app.service`  | 传给每个控制器的 `init()` 参数                                                                                           |
+| `beforeController`   | function           | `null`         | 控制器实例化后、注册路由前执行                                                                                           |
+| `afterController`    | function           | `null`         | 路由注册完成后执行                                                                                                       |
+| `modelLoader`        | async function     | `null`         | **最强大的扩展点**：自定义模型加载逻辑，推荐配合 `topbit-model` 使用                                                    |
+**最常用配置示例**：
+```js
+new Loader({
+  prePath: '/api/v1',
+  fileAsGroup: true,
+  optionsRoute: true,
+  modelLoader: async (service) => {
+    const UserModel = require('./model/user')
+    service.userModel = new UserModel(service)
+  }
+}).init(app)
+```
+---
+### 五、控制器（Controller）写法大全
+#### 1. 最简 RESTful 写法（推荐）
+```js
+// controller/user.js
+class User {
+  async get(ctx) {               // GET    /user/:id
+    ctx.to({ id: ctx.param.id })
+  }
+  async list(ctx) {              // GET    /user
+    ctx.to(['user1', 'user2'])
+  }
+  async post(ctx) {              // POST   /user
+    ctx.to({ saved: true })
+  }
+  async put(ctx) {               // PUT    /user/:id
+    ctx.to({ updated: true })
+  }
+  async delete(ctx) {            // DELETE /user/:id
+    ctx.to({ deleted: true })
+  }
+}
+module.exports = User
+```
+#### 2. 自定义路径
+```js
+class User {
+  static param = '/:uid/info'    // 自定义参数路径
+  static postParam = '/create'   // POST 专用路径
+  async post(ctx) {              // POST   /user/create
+    ctx.ok('created')
+  }
+}
+```
+#### 3. 为当前文件添加专属中间件
+```js
+class User {
+  // 返回中间件数组，只作用于本文件的所有路由
+  static __mid() {
+    return [
+      [require('../middleware/@auth'), { pre: true }],
+      require('../middleware/rate-limit')
+    ]
+  }
+}
+```
+#### 4. 首页控制器
+```js
+// controller/index.js
+class Index {
+  async get() {
+    this.ctx.html('<h1>Welcome to Topbit</h1>')
+  }
+}
+module.exports = Index
+// 在 Loader 配置中指定
+new Loader({ homeFile: 'index.js' }).init(app)
+```
+---
+### 六、中间件（Middleware）写法
+#### 1. 类式中间件（推荐，以 @ 开头）
+```js
+// middleware/@auth.js
+class Auth {
+  async middleware(c, next) {
+    if (!c.headers.token) return c.status(401).to('need token')
+    c.user = { id: 1 }
+    await next(c)
+  }
+}
+module.exports = Auth
+```
+#### 2. 全局中间件 __mid.js
+```js
+// controller/__mid.js   或   controller/admin/__mid.js
+module.exports = [
+  { name: '@auth' },                              // 类式中间件
+  { name: 'rate-limit', method: ['GET','POST'] }, // 普通函数中间件
+  { middleware: async (c, next) => {              // 直接写函数
+      console.log('global mid')
+      await next(c)
+  }, pre: true }
+]
+```
+#### 3. 文件级中间件（最精准）
+```js
+// 在 controller/user.js 中
+static __mid() {
+  return [
+    { name: '@vip-auth', pre: true },     // 只在本文件生效
+    { name: 'log', method: 'POST' }
+  ]
+}
+```
+---
+### 七、模型加载（modelLoader）最佳实践
+```js
+new Loader({
+  modelLoader: async (service) => {
+    const glob = require('glob')
+    const path = require('path')
+    const files = glob.sync('model/**/*.js', { cwd: __dirname })
+    for (const file of files) {
+      const Model = require(path.resolve(__dirname, file))
+      const name = path.basename(file, '.js')
+      service[name + 'Model'] = new Model(service)
+    }
+  }
+}).init(app)
+```
+---
+### 八、安全与命名规范
+- 文件夹名、文件名只能包含：`a-z 0-9 _ -`，且必须字母开头
+- 禁止空格、汉字、大写、特殊符号
+- 违反命名规范会直接报红字警告
+- 以 `!` 开头的文件/文件夹会被自动忽略（用于临时禁用）
+---
+### 九、高级技巧合集
+| 需求                           | 解决方案                                                                 |
+|-------------------------------|--------------------------------------------------------------------------|
+| 多个版本 API 并行             | 使用 `prePath: '/v1'`, `prePath: '/v2'` 分别创建多个 Loader 实例         |
+| 灰度发布                      | `subgroup: ['v2']` 只加载 v2 目录，配合 Nginx 分流                        |
+| 插件化开发                    | 每个插件一个独立目录，`new Loader({ appPath: './plugins/xxx' }).init(app)` |
+| 热更新（开发环境）            | `multi: true` + chokidar 监听文件变更重新调用 `init()`                   |
+---
+### 十、完整生产级入口示例
+```js
+// app.js（生产环境终极版本）
+'use strict'
+process.chdir(__dirname)
+const Topbit = require('topbit')
+const { Loader } = Topbit
+const app = new Topbit({
+  debug: false,
+  http2: true,
+  allowHTTP1: true,
+  cert: '/etc/ssl/fullchain.pem',
+  key: '/etc/ssl/privkey.pem',
+  globalLog: true,
+  logType: 'file',
+  logFile: '/var/log/topbit/access.log',
+  errorLogFile: '/var/log/topbit/error.log'
+})
+if (app.isWorker) {
+  new Loader({
+    prePath: '/api',
+    fileAsGroup: true,
+    optionsRoute: true,
+    modelLoader: async (svc) => {
+      svc.db = require('./lib/mysql-pool')
+      svc.redis = require('./lib/redis')
+    }
+  }).init(app)
+}
+app.sched('none')
+app.autoWorker(32)
+app.daemon(443, 8)
+```
+---
+**至此，你已经掌握了 TopbitLoader 的全部精髓！**
+把它用起来，你会发现：
+> **Topbit + TopbitLoader = 可能是目前 Node.js 生态里开发体验最好、性能最强的后端组合。**

package/docs/topbit-token.md ADDED Viewed

@@ -0,0 +1,166 @@
+# TopbitToken – 极简、高性能、可刷新的加密 Token 解决方案
+---
+### 一、TopbitToken 是什么？
+TopbitToken 是专为 Topbit 框架打造的零依赖、极简、高安全的加密用户凭证（Token）系统。
+它完全基于 Node.js 原生 `crypto` 实现，支持：
+- AES-256-GCM（默认，推荐）
+- AES-192-GCM / AES-128-CBC / AES-256-CBC
+- 国密 SM4-CBC
+一句话总结：
+> **3 行代码实现：签发 + 验证 + 自动刷新 + 即时失效（支持热更换密钥）**
+---
+### 二、核心特性（为什么选择它？）
+| 特性                         | 说明                                                                                   |
+|------------------------------|----------------------------------------------------------------------------------------|
+| **零依赖**                   | 完全原生实现，不依赖 jwt、jsonwebtoken 等第三方库                                     |
+| **闪电 超快加密解密**        | AES-NI 硬件加速 + GCM 模式，单次验证 < 0.05ms                                         |
+| **更新 自动刷新 Token**      | 接近过期时自动下发新 Token（`x-refresh-token` 头）                                    |
+| **钥匙 支持多套密钥（tokenId）** | 可同时存在多套密钥，随时切换主密钥，所有旧 Token 立即失效（防泄漏神器）                |
+| **盾牌 防篡改 + 防重放**     | 内置时间戳 + 有效期 + tokenId 校验                                                     |
+| **锁 即时失效**              | 修改 `tokenIds` 或删除某个 `tokenId`，对应 Token 立刻失效，无需等待过期               |
+| **设置 灵活算法支持**        | 支持国密 SM4，满足合规需求                                                             |
+---
+### 三、快速上手（30 秒搞定登录认证）
+```js
+// middleware/@token.js
+const TopbitToken = require('topbit-token')
+const token = new TopbitToken({
+  key       : 'your-32-byte-secret-key-here!!',   // 必须 32 字节（AES-256）
+  expires   : 60 * 60 * 24,                       // 24 小时（单位：秒）
+  refresh   : true                                // 开启自动刷新（最后 1/5 时间刷新）
+})
+module.exports = token   // 直接导出实例，TopbitLoader 自动识别
+```
+```js
+// controller/user.js
+class User {
+  async post(c) {                     // POST /user/login
+    // 登录验证成功后
+    let userinfo = {
+      uid   : 10010,
+      name  : 'Alice',
+      role  : 'admin',
+      // expires 可单独设置更长时间
+    }
+    let t = token.make(userinfo)      // 签发 Token
+    c.setHeader('authorization', t)
+    c.to({ok: true, msg: 'login success'})
+  }
+}
+// 所有需要登录的接口自动加上 token.mid()
+token.mid() 会自动把验证后的用户信息挂到 c.user
+```
+---
+### 四、配置项全解析
+| 参数           | 类型             | 默认值                 | 说明                                                                                 |
+|----------------|------------------|------------------------|--------------------------------------------------------------------------------------|
+| `key`          | string           | 随机32字节             | 主加密密钥（建议 32 字节）                                                           |
+| `iv`           | string           | 随机12/16字节          | 初始化向量（GCM=12，CBC=16）                                                         |
+| `algorithm`    | string           | `aes-256-gcm`          | 支持：`aes-256-gcm`（推荐）、`aes-192-gcm`、`sm4-cbc` 等                              |
+| `expires`      | number（秒）     | 3小时                  | Token 默认有效期                                                                     |
+| `refresh`      | boolean          | `false`                | 是否开启自动刷新（设为 `true` 则最后 1/5 时间自动刷新）                              |
+| `encoding`     | string           | `base64url`            | Token 输出编码（`base64url`、`hex`、`base64`）                                       |
+| `failedCode`   | number           | `401`                  | 验证失败时返回的 HTTP 状态码                                                         |
+| `tokenIds`     | array            | `[]`                   | 多密钥 ID 列表，用于支持密钥轮换                                                     |
+---
+### 五、高级功能：多密钥 + 即时失效（防泄漏神器）
+```js
+const token = new TopbitToken({
+  key: 'master-key-2025-01-01',
+  expires: 3600 * 24 * 30
+})
+// 添加多套密钥（可随时动态添加）
+token.addTokenId({
+  'user-v1'   : 'old-key-2024-v1',
+  'admin-v2'  : 'new-strong-key-2025',
+  'mobile'    : 'mobile-special-key'
+})
+// 如果发现密钥泄漏，立即执行：
+token.removeTokenId('user-v1')   // 所有使用 user-v1 签发的 Token 立刻失效！
+// 或者直接清空所有旧密钥，只保留当前主密钥
+token.tokenIds = []
+```
+---
+### 六、自动刷新 Token 机制
+```js
+const token = new TopbitToken({
+  expires: 3600 * 24,   // 24小时有效
+  refresh: true         // 开启自动刷新
+})
+```
+- 当剩余时间 < 24小时 × 1/5 = 4.8小时 时
+- 服务器自动返回新 Token：`x-refresh-token: new-token-here`
+- 前端收到后替换旧 Token 即可实现“永不过期”体验
+---
+### 七、最佳实践（生产级推荐配置）
+```js
+// middleware/@auth.js
+const TopbitToken = require('topbit-token')
+const token = new TopbitToken({
+  algorithm : 'aes-256-gcm',
+  key       : process.env.TOKEN_KEY,        // 从环境变量读取
+  expires   : 60 * 60 * 24 * 30,            // 30天
+  refresh   : true,
+  failedCode: 401
+})
+// 支持密钥轮换（每月换一次）
+if (process.env.TOKEN_ID) {
+  token.addTokenId(process.env.TOKEN_ID)
+}
+module.exports = token
+```
+---
+### 八、常见问题（FAQ）
+| 问题                           | 解答                                                                 |
+|--------------------------------|----------------------------------------------------------------------|
+| 是否比 JWT 更快？              | 是！原生 crypto + GCM 模式，比 jwt 快 3~10 倍                         |
+| 是否支持 Redis 黑名单？        | 不需要！通过 `removeTokenId()` 即可实现即时失效                      |
+| 是否支持单点登录退出？         | 是！删除对应 `tokenId` 或修改密钥，所有设备立即退出                  |
+| 是否支持国密 SM4？             | 支持！`algorithm: 'sm4-cbc'` 即可                                    |
+---
+**结论：TopbitToken 是目前 Topbit 生态中最快、最安全、最易用的认证方案。**
+配合 TopbitLoader 使用，真正实现：
+> **零配置、全自动、高性能、可运维的现代化认证系统**
+---

package/images/topbit-middleware.webp CHANGED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "topbit",
-  "version": "3.0.5",
+  "version": "3.0.6",
   "description": "A Server-side web framework support http/1.1 and http/2",
   "main": "src/topbit.js",
   "directories": {

package/src/token/token.js CHANGED Viewed

@@ -426,10 +426,10 @@ class TopbitToken {
         return c.status(self.failedCode).to(uinfo.errcode)
       }
-      c.box.user = uinfo
+      c.user = uinfo
       if (uinfo.data.expires + uinfo.data.timestamp - uinfo.now < self.refresh) {
-        let new_token = self.make(uinfo.data, uinfo.data.__tokenId__)
+        let new_token = self.makeToken(uinfo.data, uinfo.data.__tokenId__)
         c.setHeader('x-refresh-token', new_token)
       }