veryfront 0.1.128 → 0.1.129

package/src/src/issues/core.ts

@@ -119,19 +119,11 @@ export function serializeYaml(metadata: IssueMetadata): string {
   lines.push(`id: ${metadata.id}`);
   lines.push(`title: "${metadata.title.replace(/"/g, '\\"')}"`);
   lines.push(`state: ${metadata.state}`);
-  lines.push(
-    metadata.labels.length
-      ? `labels: [${metadata.labels.map((l) => `"${l}"`).join(", ")}]`
-      : "labels: []",
-  );
+  lines.push(serializeYamlStringArray("labels", metadata.labels));
 
   if (metadata.milestone) lines.push(`milestone: ${metadata.milestone}`);
 
-  lines.push(
-    metadata.assignees.length
-      ? `assignees: [${metadata.assignees.map((a) => `"${a}"`).join(", ")}]`
-      : "assignees: []",
-  );
+  lines.push(serializeYamlStringArray("assignees", metadata.assignees));
 
   lines.push(`created_at: ${metadata.created_at}`);
   lines.push(`updated_at: ${metadata.updated_at}`);
@@ -139,6 +131,11 @@ export function serializeYaml(metadata: IssueMetadata): string {
   return lines.join("\n");
 }
 
+function serializeYamlStringArray(field: string, values: string[]): string {
+  if (!values.length) return `${field}: []`;
+  return `${field}: [${values.map((value) => `"${value}"`).join(", ")}]`;
+}
+
 /**
  * Serialize issue to markdown file content
  */
@@ -156,7 +153,7 @@ export function parseIssue(content: string, path: string): Issue | null {
   try {
     const metadata = validateMetadata(parseYaml(parsed.frontmatter));
     return { metadata, body: parsed.body, path };
-  } catch (_) {
+  } catch {
     // expected: invalid or unparseable frontmatter metadata
     return null;
   }
@@ -201,7 +198,7 @@ export class IssuesManager {
         const id = entry.name.replace(/\.md$/, "");
         if (ISSUE_ID_PATTERN.test(id)) ids.push(id);
       }
-    } catch (_) {
+    } catch {
       // expected: directory doesn't exist yet
     }
 
@@ -229,10 +226,10 @@ export class IssuesManager {
       updated_at: now,
     };
 
-    const path = `${ISSUES_DIR}/${id}.md`;
-    const issue: Issue = { metadata, body: validated.body ?? "", path };
+    const issuePath = `${ISSUES_DIR}/${id}.md`;
+    const issue: Issue = { metadata, body: validated.body ?? "", path: issuePath };
 
-    await this.fs.writeTextFile(join(this.projectDir, path), serializeIssue(issue));
+    await this.fs.writeTextFile(join(this.projectDir, issuePath), serializeIssue(issue));
     return issue;
   }
 
@@ -240,12 +237,12 @@ export class IssuesManager {
    * Get an issue by ID
    */
   async get(id: string): Promise<Issue | null> {
-    const path = `${ISSUES_DIR}/${id}.md`;
+    const issuePath = `${ISSUES_DIR}/${id}.md`;
 
     try {
-      const content = await this.fs.readTextFile(join(this.projectDir, path));
-      return parseIssue(content, path);
-    } catch (_) {
+      const content = await this.fs.readTextFile(join(this.projectDir, issuePath));
+      return parseIssue(content, issuePath);
+    } catch {
       // expected: issue file may not exist
       return null;
     }
@@ -284,12 +281,12 @@ export class IssuesManager {
    * Delete an issue
    */
   async delete(id: string): Promise<boolean> {
-    const path = `${ISSUES_DIR}/${id}.md`;
+    const issuePath = `${ISSUES_DIR}/${id}.md`;
 
     try {
-      await this.fs.remove(join(this.projectDir, path));
+      await this.fs.remove(join(this.projectDir, issuePath));
       return true;
-    } catch (_) {
+    } catch {
       // expected: issue file may not exist
       return false;
     }
@@ -325,16 +322,16 @@ export class IssuesManager {
     }
 
     const sortKey = validated.sortBy ?? "created_at";
-    const sortDir = validated.sortDirection ?? "desc";
+    const sortDirection = validated.sortDirection ?? "desc";
 
     issues.sort((a, b) => {
-      let cmp: number;
+      let comparison: number;
       if (sortKey === "id") {
-        cmp = a.metadata.id.localeCompare(b.metadata.id);
+        comparison = a.metadata.id.localeCompare(b.metadata.id);
       } else {
-        cmp = String(a.metadata[sortKey]).localeCompare(String(b.metadata[sortKey]));
+        comparison = String(a.metadata[sortKey]).localeCompare(String(b.metadata[sortKey]));
       }
-      return sortDir === "desc" ? -cmp : cmp;
+      return sortDirection === "desc" ? -comparison : comparison;
     });
 
     const total = issues.length;

package/src/src/issues/schemas/issue.schema.ts

@@ -1,7 +1,9 @@
 import { z } from "zod";
 
 export const ISSUE_PREFIXES = ["ISSUE", "TASK", "PLAN"] as const;
-export const ISSUE_ID_PATTERN = /^(ISSUE|TASK|PLAN)-(\d{3,})$/;
+const ISSUE_ID_BODY = `(${ISSUE_PREFIXES.join("|")})-(\\d{3,})`;
+
+export const ISSUE_ID_PATTERN = new RegExp(`^${ISSUE_ID_BODY}$`);
 
 export const issueStateSchema = z.enum(["open", "closed"]);
 

package/src/src/jobs/runtime-env.ts

@@ -6,7 +6,7 @@ export const INJECTED_TASK_ENV_JSON = "VERYFRONT_TASK_ENV_JSON";
 
 const UNSAFE_INJECTED_ENV_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 
-const HIDDEN_TASK_CONTEXT_ENV_KEYS = new Set([
+const RESERVED_TASK_ENV_KEYS = new Set([
   "VERYFRONT_API_TOKEN",
   "VERYFRONT_API_URL",
   "VERYFRONT_PROJECT_API_URL",
@@ -20,36 +20,18 @@ const HIDDEN_TASK_CONTEXT_ENV_KEYS = new Set([
   INJECTED_TASK_ENV_JSON,
 ]);
 
-const DISALLOWED_INJECTED_ENV_KEYS = new Set([
-  "VERYFRONT_API_TOKEN",
-  "VERYFRONT_API_URL",
-  "VERYFRONT_PROJECT_API_URL",
-  "VERYFRONT_API_BASE_URL",
-  "VERYFRONT_PROJECT_ID",
-  "VERYFRONT_PROJECT_SLUG",
-  "VERYFRONT_BRANCH_REF",
-  "VERYFRONT_API_USER",
-  "VERYFRONT_API_PASS",
-  "VERYFRONT_JOB_RESULT_PATH",
-  INJECTED_TASK_ENV_JSON,
-]);
-
-function isHiddenTaskContextEnvKey(key: string): boolean {
-  return key.startsWith("TENANT_") || HIDDEN_TASK_CONTEXT_ENV_KEYS.has(key);
-}
-
-function isDisallowedInjectedEnvKey(key: string): boolean {
-  return key.startsWith("TENANT_") || DISALLOWED_INJECTED_ENV_KEYS.has(key);
+function isReservedTaskEnvKey(key: string): boolean {
+  return key.startsWith("TENANT_") || RESERVED_TASK_ENV_KEYS.has(key);
 }
 
-function filterExistingProjectEnv(
-  env: Record<string, string> | undefined,
+function filterSafeWorkflowEnv(
+  env: Record<string, unknown> | undefined,
 ): Record<string, string> {
   const filtered: Record<string, string> = {};
   for (const [key, value] of Object.entries(env ?? {})) {
     if (
       UNSAFE_INJECTED_ENV_KEYS.has(key) ||
-      isDisallowedInjectedEnvKey(key) ||
+      isReservedTaskEnvKey(key) ||
       typeof value !== "string"
     ) {
       continue;
@@ -62,30 +44,22 @@ function filterExistingProjectEnv(
 export function readInjectedProjectEnv(
   allEnv: Record<string, string>,
 ): Record<string, string> {
-  const raw = allEnv[INJECTED_TASK_ENV_JSON];
-  if (!raw) {
+  const rawInjectedEnv = allEnv[INJECTED_TASK_ENV_JSON];
+  if (!rawInjectedEnv) {
     return {};
   }
 
   try {
-    const parsed = JSON.parse(raw);
-    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    const parsedInjectedEnv = JSON.parse(rawInjectedEnv);
+    if (
+      !parsedInjectedEnv ||
+      typeof parsedInjectedEnv !== "object" ||
+      Array.isArray(parsedInjectedEnv)
+    ) {
       return {};
     }
 
-    const injectedEnv = Object.create(null) as Record<string, string>;
-    for (const [key, value] of Object.entries(parsed)) {
-      if (
-        UNSAFE_INJECTED_ENV_KEYS.has(key) ||
-        isDisallowedInjectedEnvKey(key) ||
-        typeof value !== "string"
-      ) {
-        continue;
-      }
-      injectedEnv[key] = value;
-    }
-
-    return injectedEnv;
+    return filterSafeWorkflowEnv(parsedInjectedEnv as Record<string, unknown>);
   } catch {
     logger.warn(`Ignoring invalid ${INJECTED_TASK_ENV_JSON}`);
     return {};
@@ -96,27 +70,27 @@ export function buildTaskContextEnv(
   allEnv: Record<string, string>,
   envAllowlist?: string[],
 ): Record<string, string> {
-  const allowlistedEnvKeys = envAllowlist ? new Set(envAllowlist) : null;
-  const env: Record<string, string> = {};
+  const allowedEnvKeys = envAllowlist ? new Set(envAllowlist) : null;
+  const taskContextEnv: Record<string, string> = {};
 
   for (const [key, value] of Object.entries(allEnv)) {
-    if (isHiddenTaskContextEnvKey(key)) {
+    if (isReservedTaskEnvKey(key)) {
       continue;
     }
-    if (allowlistedEnvKeys && !allowlistedEnvKeys.has(key)) {
+    if (allowedEnvKeys && !allowedEnvKeys.has(key)) {
       continue;
     }
-    env[key] = value;
+    taskContextEnv[key] = value;
   }
 
   for (const [key, value] of Object.entries(readInjectedProjectEnv(allEnv))) {
-    if (allowlistedEnvKeys && !allowlistedEnvKeys.has(key)) {
+    if (allowedEnvKeys && !allowedEnvKeys.has(key)) {
       continue;
     }
-    env[key] = value;
+    taskContextEnv[key] = value;
   }
 
-  return env;
+  return taskContextEnv;
 }
 
 export function mergeInjectedWorkflowEnv(
@@ -124,7 +98,7 @@ export function mergeInjectedWorkflowEnv(
   allEnv: Record<string, string>,
 ): Record<string, string> | undefined {
   const mergedEnv = {
-    ...filterExistingProjectEnv(existingEnv),
+    ...filterSafeWorkflowEnv(existingEnv),
     ...readInjectedProjectEnv(allEnv),
   };
 

package/src/src/markdown/index.ts

@@ -10,14 +10,11 @@
  * <Markdown># Hello{"\n\n"}Some **bold** text with `code`.</Markdown>
  * ```
  */
-
-// veryfront/markdown — Markdown rendering component
-//
-// Renders markdown strings at runtime with syntax highlighting and
-// Mermaid diagram support. Used for displaying AI-generated content.
-// For MDX page customization, use veryfront/mdx instead.
 import "../../_dnt.polyfills.js";
 
 
-export { Markdown } from "../react/components/ai/markdown.js";
-export type { CodeBlockProps, MarkdownProps } from "../react/components/ai/markdown.js";
+export {
+  type CodeBlockProps,
+  Markdown,
+  type MarkdownProps,
+} from "../react/components/ai/markdown.js";

package/src/src/mcp/server.ts

@@ -17,14 +17,47 @@ import { logger as baseLogger } from "../utils/index.js";
 const logger = baseLogger.component("mcp-server");
 
 const MAX_REQUEST_BODY_SIZE = 1_048_576; // 1 MB
+const MAX_CONTEXT_HEADER_LENGTH = 255;
+const JSON_CONTENT_TYPE = "application/json";
+const END_USER_ID_PATTERN = /^[a-zA-Z0-9._@-]+$/;
+const PROJECT_ID_PATTERN = /^[a-zA-Z0-9._-]+$/;
 
 type JSONRPCParams = Record<string, unknown> | unknown[];
 
-function asParamsRecord(params: JSONRPCParams | undefined): Record<string, unknown> {
+function toParamsRecord(params: JSONRPCParams | undefined): Record<string, unknown> {
   if (!params || Array.isArray(params)) return {};
   return params;
 }
 
+function createJSONResponse(body: unknown, init?: dntShim.ResponseInit): dntShim.Response {
+  const headers = new dntShim.Headers(init?.headers);
+  headers.set("Content-Type", JSON_CONTENT_TYPE);
+  return new dntShim.Response(JSON.stringify(body), { ...init, headers });
+}
+
+function createJSONRPCErrorResponse(status: number, code: number, message: string): dntShim.Response {
+  return createJSONResponse(
+    {
+      jsonrpc: "2.0",
+      id: null,
+      error: { code, message },
+    },
+    { status },
+  );
+}
+
+function readAllowedHeader(
+  request: dntShim.Request,
+  headerName: string,
+  pattern: RegExp,
+): string | undefined {
+  const value = request.headers.get(headerName);
+  if (!value || value.length > MAX_CONTEXT_HEADER_LENGTH || !pattern.test(value)) {
+    return undefined;
+  }
+  return value;
+}
+
 interface JSONRPCRequest {
   jsonrpc: "2.0";
   id?: string | number;
@@ -168,7 +201,7 @@ export class MCPServer {
     params: JSONRPCParams | undefined,
     context?: ToolExecutionContext,
   ): Promise<Record<string, unknown>> {
-    const { name, arguments: args } = asParamsRecord(params);
+    const { name, arguments: args } = toParamsRecord(params);
 
     if (!name) {
       throw toError(
@@ -216,7 +249,7 @@ export class MCPServer {
   }
 
   private readResource(params: JSONRPCParams | undefined): Promise<Record<string, unknown>> {
-    const { uri } = asParamsRecord(params);
+    const { uri } = toParamsRecord(params);
 
     if (!uri) {
       throw toError(
@@ -275,7 +308,7 @@ export class MCPServer {
   }
 
   private getPrompt(params: JSONRPCParams | undefined): Promise<Record<string, unknown>> {
-    const { name, arguments: args } = asParamsRecord(params);
+    const { name, arguments: args } = toParamsRecord(params);
 
     if (!name) {
       throw toError(
@@ -316,7 +349,9 @@ export class MCPServer {
   createHTTPHandler(): (request: dntShim.Request) => Promise<dntShim.Response> {
     return async (request: dntShim.Request) => {
       const requestOrigin = request.headers.get("Origin");
-      if (request.method === "OPTIONS") return this.handleCORS(requestOrigin);
+      if (request.method === "OPTIONS") {
+        return new dntShim.Response(null, { status: 204, headers: this.getCORSHeaders(requestOrigin) });
+      }
 
       if (this.config.auth?.type && this.config.auth.type !== "none") {
         const authorized = await this.validateAuth(request);
@@ -326,66 +361,34 @@ export class MCPServer {
       // Enforce request body size limit (fast path via Content-Length header)
       const contentLength = request.headers.get("content-length");
       if (contentLength && Number(contentLength) > MAX_REQUEST_BODY_SIZE) {
-        return new dntShim.Response(
-          JSON.stringify({
-            jsonrpc: "2.0",
-            id: null,
-            error: { code: -32600, message: "Request body too large" },
-          }),
-          { status: 413, headers: { "Content-Type": "application/json" } },
-        );
+        return createJSONRPCErrorResponse(413, -32600, "Request body too large");
       }
 
       try {
-        validateContentType(request, "application/json");
+        validateContentType(request, JSON_CONTENT_TYPE);
       } catch (error) {
         const message = error instanceof VeryfrontError ? error.message : "Invalid Content-Type";
-        return new dntShim.Response(
-          JSON.stringify({
-            jsonrpc: "2.0",
-            id: null,
-            error: { code: -32700, message },
-          }),
-          { status: 400, headers: { "Content-Type": "application/json" } },
-        );
+        return createJSONRPCErrorResponse(400, -32700, message);
       }
 
       let rpcRequest: JSONRPCRequest;
       try {
         const bodyText = await request.text();
         if (bodyText.length > MAX_REQUEST_BODY_SIZE) {
-          return new dntShim.Response(
-            JSON.stringify({
-              jsonrpc: "2.0",
-              id: null,
-              error: { code: -32600, message: "Request body too large" },
-            }),
-            { status: 413, headers: { "Content-Type": "application/json" } },
-          );
+          return createJSONRPCErrorResponse(413, -32600, "Request body too large");
         }
         rpcRequest = JSON.parse(bodyText) as JSONRPCRequest;
       } catch (_) {
         // expected: malformed JSON in request body
-        return new dntShim.Response(
-          JSON.stringify({
-            jsonrpc: "2.0",
-            id: null,
-            error: { code: -32700, message: "Parse error" },
-          }),
-          {
-            status: 400,
-            headers: { "Content-Type": "application/json" },
-          },
-        );
+        return createJSONRPCErrorResponse(400, -32700, "Parse error");
       }
 
       // Extract end-user identity from request headers for per-user token flows
       const context = this.extractRequestContext(request);
       const rpcResponse = await this.handleRequest(rpcRequest, context);
 
-      return new dntShim.Response(JSON.stringify(rpcResponse), {
+      return createJSONResponse(rpcResponse, {
         headers: {
-          "Content-Type": "application/json",
           ...this.getCORSHeaders(requestOrigin),
         },
       });
@@ -395,15 +398,13 @@ export class MCPServer {
   private extractRequestContext(request: dntShim.Request): ToolExecutionContext | undefined {
     const context: ToolExecutionContext = {};
 
-    const endUserId = request.headers.get("x-end-user-id");
-    // Allowlist: alphanumeric, hyphens, underscores, dots, @ (for email-style IDs)
-    if (endUserId && endUserId.length <= 255 && /^[a-zA-Z0-9._@-]+$/.test(endUserId)) {
+    const endUserId = readAllowedHeader(request, "x-end-user-id", END_USER_ID_PATTERN);
+    if (endUserId) {
       context.endUserId = endUserId;
     }
 
-    const projectId = request.headers.get("x-project-id");
-    // Keep project IDs strict but compatible with UUID/slug formats.
-    if (projectId && projectId.length <= 255 && /^[a-zA-Z0-9._-]+$/.test(projectId)) {
+    const projectId = readAllowedHeader(request, "x-project-id", PROJECT_ID_PATTERN);
+    if (projectId) {
       context.projectId = projectId;
     }
 
@@ -432,10 +433,6 @@ export class MCPServer {
     return await validate(token);
   }
 
-  private handleCORS(requestOrigin?: string | null): dntShim.Response {
-    return new dntShim.Response(null, { status: 204, headers: this.getCORSHeaders(requestOrigin) });
-  }
-
   private getCORSHeaders(requestOrigin?: string | null): Record<string, string> {
     if (!this.config.cors?.enabled) return {};
 

package/src/src/mdx/index.ts

@@ -11,14 +11,13 @@
  *   {children}
  * </MDXProvider>
  * ```
+ *
+ * For runtime markdown string rendering, use `veryfront/markdown` instead.
  */
-
-// veryfront/mdx — MDX provider and component overrides
-//
-// For customizing how .mdx pages render components.
-// For runtime markdown string rendering, use veryfront/markdown instead.
 import "../../_dnt.polyfills.js";
 
-
-export { MDXProvider, useMDXComponents } from "../react/components/MDXProvider.js";
-export type { MDXProviderProps } from "../react/components/MDXProvider.js";
+export {
+  MDXProvider,
+  type MDXProviderProps,
+  useMDXComponents,
+} from "../react/components/MDXProvider.js";

package/src/src/middleware/builtin/logger.ts

@@ -19,6 +19,17 @@ export interface LoggerOptions {
   log?: (message: string) => void;
 }
 
+interface RequestLogDetails {
+  method: string;
+  pathname: string;
+  remoteAddr: string;
+  referer?: string;
+  requestId?: string;
+  traceId?: string;
+  projectSlug?: string;
+  userAgent?: string;
+}
+
 const colors = {
   reset: "\x1b[0m",
   red: "\x1b[31m",
@@ -61,6 +72,19 @@ function getRemoteAddr(req: dntShim.Request): string {
   return req.headers.get("x-forwarded-for") ?? req.headers.get("x-real-ip") ?? "-";
 }
 
+function getRequestLogDetails(req: dntShim.Request): RequestLogDetails {
+  return {
+    method: req.method,
+    pathname: new URL(req.url).pathname,
+    remoteAddr: getRemoteAddr(req),
+    referer: req.headers.get("referer") ?? undefined,
+    requestId: req.headers.get("x-request-id") ?? undefined,
+    traceId: req.headers.get("x-trace-id") ?? req.headers.get("traceparent") ?? undefined,
+    projectSlug: req.headers.get("x-project-slug") ?? undefined,
+    userAgent: req.headers.get("user-agent") ?? undefined,
+  };
+}
+
 interface HttpLogEntry {
   timestamp: string;
   level: "info" | "warn" | "error";
@@ -87,30 +111,25 @@ function getLogLevel(status: number): HttpLogEntry["level"] {
 }
 
 function formatJsonLog(req: dntShim.Request, status: number, duration: number): string {
-  const { pathname } = new URL(req.url);
-  const userAgent = req.headers.get("user-agent");
-  const referer = req.headers.get("referer");
-  const requestId = req.headers.get("x-request-id");
-  const traceId = req.headers.get("x-trace-id") ?? req.headers.get("traceparent");
-  const projectSlug = req.headers.get("x-project-slug");
+  const details = getRequestLogDetails(req);
 
   const entry: HttpLogEntry = {
     timestamp: new Date().toISOString(),
     level: getLogLevel(status),
     service: "server",
-    message: `${req.method} ${pathname} ${status}`,
+    message: `${details.method} ${details.pathname} ${status}`,
     http: {
-      method: req.method,
-      path: pathname,
+      method: details.method,
+      path: details.pathname,
       status,
       durationMs: Math.round(duration),
-      remoteAddr: getRemoteAddr(req),
-      ...(userAgent && userAgent !== "-" ? { userAgent } : {}),
-      ...(referer && referer !== "-" ? { referer } : {}),
+      remoteAddr: details.remoteAddr,
+      ...(details.userAgent && details.userAgent !== "-" ? { userAgent: details.userAgent } : {}),
+      ...(details.referer && details.referer !== "-" ? { referer: details.referer } : {}),
     },
-    ...(requestId ? { requestId } : {}),
-    ...(traceId ? { traceId } : {}),
-    ...(projectSlug ? { projectSlug } : {}),
+    ...(details.requestId ? { requestId: details.requestId } : {}),
+    ...(details.traceId ? { traceId: details.traceId } : {}),
+    ...(details.projectSlug ? { projectSlug: details.projectSlug } : {}),
   };
 
   return JSON.stringify(entry);
@@ -163,22 +182,18 @@ export function logger(options?: LoggerOptions): Middleware {
       return;
     }
 
-    const { pathname } = new URL(req.url);
-    const requestId = req.headers.get("x-request-id") ?? undefined;
-    const traceId = req.headers.get("x-trace-id") ?? req.headers.get("traceparent") ?? undefined;
-    const projectSlug = req.headers.get("x-project-slug") ?? undefined;
-    const userAgent = req.headers.get("user-agent") ?? undefined;
-
-    serverLogger.info(`${req.method} ${pathname} ${status}`, {
-      requestId,
-      traceId,
-      project_slug: projectSlug,
-      request_url: pathname,
+    const details = getRequestLogDetails(req);
+
+    serverLogger.info(`${details.method} ${details.pathname} ${status}`, {
+      requestId: details.requestId,
+      traceId: details.traceId,
+      project_slug: details.projectSlug,
+      request_url: details.pathname,
       durationMs: Math.round(duration),
-      method: req.method,
+      method: details.method,
       statusCode: status,
-      remoteAddr: getRemoteAddr(req),
-      ...(userAgent ? { userAgent } : {}),
+      remoteAddr: details.remoteAddr,
+      ...(details.userAgent ? { userAgent: details.userAgent } : {}),
     });
   }
 

package/src/src/middleware/builtin/security/rate-limit.ts

@@ -13,6 +13,22 @@ import { unrefTimer } from "../../../platform/compat/process.js";
 const DEFAULT_RATE_LIMIT_REQUESTS = 100;
 const DEFAULT_RATE_LIMIT_WINDOW_MS = MS_PER_MINUTE;
 
+function createRateLimitEntry(windowMs: number): RateLimitEntry {
+  return { count: 1, resetAt: Date.now() + windowMs };
+}
+
+function getRightmostForwardedIp(req: dntShim.Request): string | undefined {
+  const forwarded = req.headers.get("x-forwarded-for");
+  if (!forwarded) return undefined;
+
+  const parts = forwarded.split(",").map((value) => value.trim()).filter(Boolean);
+  return parts.at(-1);
+}
+
+function defaultKeyGenerator(req: dntShim.Request): string {
+  return getRightmostForwardedIp(req) ?? "anonymous";
+}
+
 export class MemoryRateLimitStore implements RateLimitStore {
   private counts = new Map<string, RateLimitEntry>();
   private cleanupInterval?: ReturnType<typeof dntShim.setInterval>;
@@ -34,11 +50,11 @@ export class MemoryRateLimitStore implements RateLimitStore {
   }
 
   increment(key: string, windowMs: number): Promise<RateLimitEntry> {
-    const now = Date.now();
     const existing = this.counts.get(key);
+    const now = Date.now();
 
     if (!existing || existing.resetAt < now) {
-      const entry: RateLimitEntry = { count: 1, resetAt: now + windowMs };
+      const entry = createRateLimitEntry(windowMs);
       this.counts.set(key, entry);
       return Promise.resolve(entry);
     }
@@ -55,6 +71,7 @@ export class MemoryRateLimitStore implements RateLimitStore {
   destroy(): void {
     if (!this.cleanupInterval) return;
     clearInterval(this.cleanupInterval);
+    this.cleanupInterval = undefined;
   }
 }
 
@@ -76,15 +93,7 @@ export function rateLimit(
   const maxRequests = options.maxRequests ?? DEFAULT_RATE_LIMIT_REQUESTS;
   const windowMs = options.windowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS;
   const store = options.store ?? new MemoryRateLimitStore(windowMs);
-  const keyGenerator = options.keyGenerator ?? ((req: dntShim.Request) => {
-    const forwarded = req.headers.get("x-forwarded-for");
-    if (forwarded) {
-      const parts = forwarded.split(",").map((s) => s.trim()).filter(Boolean);
-      // Use rightmost IP — added by nearest trusted proxy, not spoofable by clients
-      if (parts.length > 0) return parts[parts.length - 1]!;
-    }
-    return "anonymous";
-  });
+  const keyGenerator = options.keyGenerator ?? defaultKeyGenerator;
 
   return async (ctx, next) => {
     const req = getRequest(ctx);