weifuwu 0.15.0 → 0.16.0

package/README.md

@@ -28,6 +28,8 @@ Everything follows the same `(req, ctx) => Response` contract. The Router handle
 - **Data** — Redis client, job queue with cron scheduling
 - **Multi-tenant BaaS** — dynamic tables, auto REST + GraphQL, row-level isolation
 - **Deploy** — self-hosted PaaS: multi-app proxy, zero-downtime updates, auto SSL
+- **Security** — `helmet()` security headers, request ID tracing, rate limiting, CORS, auth
+- **SEO** — `robots.txt`, `sitemap.xml`, `X-Robots-Tag` middleware, `seoTags()` for meta / OG / Twitter Card
 - **i18n** — locale detection, JSON translations, `ctx.t()`
 - **Email** — SMTP or custom transport
 - **Health check** — configurable `/health` endpoint
@@ -106,6 +108,7 @@ All use the same pattern — `const m = module(options)` → `app.use('/path', m
 | `graphql(handler)` | GraphQL endpoint | — |
 | `logdb(options)` | Structured event logging | `log()`, `migrate()`, `clean()`, `close()` |
 | `health(options?)` | Health check | — |
+| `seo(options?)` | `robots.txt`, `sitemap.xml`, indexing control | `seoMiddleware()`, `seoTags()` |
 | `iii(options?)` | Worker/Function/Trigger service paradigm | `migrate()`, `trigger()`, `addWorker()`, `listWorkers()`, `listFunctions()`, `listTriggers()`, `shutdown()` |
 | `registerWorker(url)` | Pure WebSocket SDK (browser/Node) | `registerFunction()`, `registerTrigger()`, `trigger()`, `shutdown()` |
 
@@ -121,6 +124,9 @@ All use the same pattern — `const m = module(options)` → `app.use('/path', m
 | `validate(schemas)` | Zod validation (body, query, params) |
 | `upload(options?)` | Multipart file upload |
 | `i18n(options)` | Internationalization — `ctx.t()`, locale detection |
+| `seoMiddleware(options?)` | `X-Robots-Tag` header — string or path-based function |
+| `helmet(options?)` | Security headers — CSP, HSTS, X-Frame-Options, etc. |
+| `requestId(options?)` | `X-Request-ID` header + `ctx.requestId` |
 
 ## Utility functions
 
@@ -131,6 +137,10 @@ All use the same pattern — `const m = module(options)` → `app.use('/path', m
 | `getCookies(req)` / `setCookie(res, ...)` / `deleteCookie(res, ...)` | Cookie helpers |
 | `mailer(options)` | Email sender (SMTP or custom) |
 | `createTestServer(handler)` | Start test server → `{ server, url }` |
+| `seoTags(config)` | Generate `<title>`, `<meta>`, Open Graph, Twitter Card, canonical tags |
+| `createSSEStream(iterable, opts?)` | SSE response from `AsyncIterable` |
+| `formatSSE(event, data)` | Format SSE event string |
+| `formatSSEData(data)` | Format SSE data string |
 | `runWorkflow(options)` | DAG execution engine as AI SDK `Tool` |
 | `pgTable(name, columns)` | Type-safe table schema builder |
 | `pg.table(name, columns)` | Pre-bound table (no `sql` param needed) |
@@ -1485,6 +1495,176 @@ const oc = await opencode({
 
 ---
 
+# SEO
+
+Built-in SEO module — `robots.txt`, `sitemap.xml`, indexing headers, and meta tag utilities.
+
+```ts
+import { seo, seoMiddleware, seoTags } from 'weifuwu'
+
+const app = new Router()
+
+// robots.txt + sitemap.xml
+app.use(seo({
+  baseUrl: 'https://example.com',
+  robots: [
+    { userAgent: '*', allow: '/', disallow: ['/admin', '/api'] },
+  ],
+  sitemap: {
+    urls: [
+      { loc: '/', changefreq: 'daily', priority: 1.0 },
+      { loc: '/about', changefreq: 'monthly', priority: 0.8 },
+    ],
+    // Dynamic URLs from database
+    async resolve() {
+      const articles = await db.query('SELECT slug, updated_at FROM articles')
+      return articles.map(a => ({
+        loc: `/blog/${a.slug}`,
+        lastmod: a.updated_at,
+      }))
+    },
+    cacheTTL: 3_600_000,  // re-generate every hour (default)
+  },
+}))
+```
+
+### Endpoints
+
+| Path | Description |
+|------|-------------|
+| `GET /robots.txt` | Generated robots.txt with optional Sitemap reference |
+| `GET /sitemap.xml` | Generated XML sitemap with caching |
+
+### seoMiddleware — Indexing control
+
+```ts
+// Global — block all paths
+app.use(seoMiddleware({ headers: { 'X-Robots-Tag': 'noindex' } }))
+
+// Per-path via function
+app.use(seoMiddleware({
+  headers: {
+    'X-Robots-Tag': (path) => path.startsWith('/admin') ? 'noindex' : undefined,
+  },
+}))
+```
+
+### seoTags — Meta / OG / Twitter Card
+
+Generate SEO meta tags for SSR pages:
+
+```ts
+const tags = seoTags({
+  title: 'My Page',
+  description: 'A great page about things',
+  ogImage: 'https://example.com/og.png',
+  twitterCard: 'summary_large_image',
+  canonical: 'https://example.com/page',
+})
+// → <title>My Page</title>
+// → <meta property="og:title" content="My Page">
+// → <meta name="twitter:card" content="summary_large_image">
+// → <link rel="canonical" href="https://example.com/page">
+//   ...
+```
+
+Use in `layout.tsx` or `page.tsx` with `tsx()`:
+
+```tsx
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <head>{seoTags({ title: 'My App' })}</head>
+      <body>{children}</body>
+    </html>
+  )
+}
+```
+
+# Security
+
+## Helmet — Security headers
+
+```ts
+import { helmet } from 'weifuwu'
+
+// Apply all security headers with safe defaults
+app.use(helmet())
+
+// Customize individual headers (any can be set to false to remove)
+app.use(helmet({
+  contentSecurityPolicy: "default-src 'self'",
+  xFrameOptions: 'DENY',
+  strictTransportSecurity: 'max-age=63072000; includeSubDomains; preload',
+}))
+
+// Middleware-order: set after helmet to override
+app.use(helmet({ xFrameOptions: false }))  // remove a header
+```
+
+13 security headers set by default:
+
+| Header | Default |
+|--------|---------|
+| `Content-Security-Policy` | `default-src 'self'; ...` |
+| `X-Content-Type-Options` | `nosniff` |
+| `X-Frame-Options` | `SAMEORIGIN` |
+| `Strict-Transport-Security` | `max-age=15552000; includeSubDomains` |
+| `X-XSS-Protection` | `0` |
+| `Referrer-Policy` | `no-referrer` |
+| `Permissions-Policy` | `camera=(),geolocation=(),...` |
+| `Cross-Origin-Embedder-Policy` | `require-corp` |
+| `Cross-Origin-Opener-Policy` | `same-origin` |
+| `Cross-Origin-Resource-Policy` | `same-origin` |
+| `Origin-Agent-Cluster` | `?1` |
+| `X-DNS-Prefetch-Control` | `off` |
+| `X-Download-Options` | `noopen` |
+| `X-Permitted-Cross-Domain-Policies` | `none` |
+
+Does not override response headers already set by the application — your explicit headers take precedence.
+
+## Request ID
+
+```ts
+import { requestId } from 'weifuwu'
+
+// Every response gets X-Request-ID
+app.use(requestId())
+
+// Custom header name
+app.use(requestId({ header: 'X-Trace-Id' }))
+
+// Custom ID generator
+app.use(requestId({ generator: () => crypto.randomUUID() }))
+
+// Access the ID in handlers via ctx.requestId
+app.get('/log', (req, ctx) => {
+  console.log(`Handling request ${ctx.requestId}`)
+  return Response.json({ id: ctx.requestId })
+})
+```
+
+Preserves incoming `X-Request-ID` for distributed tracing — if the upstream service already set it, the value is reused and propagated.
+
+## Server-Sent Events
+
+```ts
+import { createSSEStream, formatSSE } from 'weifuwu'
+
+async function* eventStream() {
+  yield { type: 'ping', data: { time: Date.now() } }
+  yield { type: 'message', data: { text: 'hello' } }
+}
+
+app.get('/events', () => createSSEStream(eventStream()))
+```
+
+| Function | Description |
+|----------|-------------|
+| `createSSEStream(iterable, opts?)` | Returns a `Response` with `Content-Type: text/event-stream` |
+| `formatSSE(event, data)` | Formats an SSE event string (`event: ...\ndata: ...\n\n`) |
+| `formatSSEData(data)` | Formats SSE data-only string (`data: ...\n\n`) |
+
 # Health, i18n, Email & Testing
 
 ## Health check

package/dist/helmet.d.ts

@@ -0,0 +1,18 @@
+import type { Middleware } from './types.ts';
+export interface HelmetOptions {
+    contentSecurityPolicy?: string | false;
+    crossOriginEmbedderPolicy?: string | false;
+    crossOriginOpenerPolicy?: string | false;
+    crossOriginResourcePolicy?: string | false;
+    originAgentCluster?: string | false;
+    referrerPolicy?: string | false;
+    strictTransportSecurity?: string | false;
+    xContentTypeOptions?: string | false;
+    xDnsPrefetchControl?: string | false;
+    xDownloadOptions?: string | false;
+    xFrameOptions?: string | false;
+    xPermittedCrossDomainPolicies?: string | false;
+    xXssProtection?: string | false;
+    permissionsPolicy?: string | false;
+}
+export declare function helmet(options?: HelmetOptions): Middleware;

package/dist/iii/stream.d.ts

@@ -4,6 +4,7 @@ import type { StreamUpdateOp, StreamSubscription } from './types.ts';
 export declare function createStream(opts?: {
     pg?: PostgresClient;
     redis?: Redis;
+    streamTTL?: number;
 }): {
     subscribe(ws: WebSocket, sub: StreamSubscription): void;
     unsubscribe(ws: WebSocket): void;

package/dist/iii/types.d.ts

@@ -17,6 +17,8 @@ export interface TriggerInput {
 export interface IIIOptions {
     pg?: PostgresClient;
     redis?: Redis;
+    /** TTL in seconds for Redis stream keys. Default: 3600 (1 hour). Set to 0 for no expiration. */
+    streamTTL?: number;
 }
 export interface TriggerRequest {
     function_id: string;

package/dist/index.d.ts

@@ -20,6 +20,12 @@ export { rateLimit } from './rate-limit.ts';
 export type { RateLimitOptions } from './rate-limit.ts';
 export { compress } from './compress.ts';
 export type { CompressOptions } from './compress.ts';
+export { helmet } from './helmet.ts';
+export type { HelmetOptions } from './helmet.ts';
+export { requestId } from './request-id.ts';
+export type { RequestIdOptions } from './request-id.ts';
+export { createSSEStream, formatSSE, formatSSEData } from './sse.ts';
+export type { SSEEvent } from './sse.ts';
 export { graphql } from './graphql.ts';
 export type { GraphQLOptions, GraphQLHandler } from './graphql.ts';
 export { aiStream } from './ai.ts';
@@ -47,6 +53,8 @@ export { health } from './health.ts';
 export type { HealthOptions } from './health.ts';
 export { i18n } from './i18n.ts';
 export type { I18nOptions } from './i18n.ts';
+export { seo, seoMiddleware, seoTags } from './seo.ts';
+export type { SeoOptions, RobotsRule, SitemapUrl, SitemapConfig, SeoHeadersConfig, SeoTagsConfig } from './seo.ts';
 export { mailer } from './mailer.ts';
 export type { MailerOptions, MailOptions, Mailer } from './mailer.ts';
 export { logdb } from './logdb/index.ts';

package/dist/index.js

@@ -1859,6 +1859,118 @@ function compress(options) {
   };
 }
 
+// helmet.ts
+var DEFAULTS = {
+  contentSecurityPolicy: "default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests",
+  crossOriginEmbedderPolicy: "require-corp",
+  crossOriginOpenerPolicy: "same-origin",
+  crossOriginResourcePolicy: "same-origin",
+  originAgentCluster: "?1",
+  referrerPolicy: "no-referrer",
+  strictTransportSecurity: "max-age=15552000; includeSubDomains",
+  xContentTypeOptions: "nosniff",
+  xDnsPrefetchControl: "off",
+  xDownloadOptions: "noopen",
+  xFrameOptions: "SAMEORIGIN",
+  xPermittedCrossDomainPolicies: "none",
+  xXssProtection: "0",
+  permissionsPolicy: "camera=(),display-capture=(),fullscreen=(),geolocation=(),microphone=()"
+};
+var HEADER_MAP = {
+  "Content-Security-Policy": "contentSecurityPolicy",
+  "Cross-Origin-Embedder-Policy": "crossOriginEmbedderPolicy",
+  "Cross-Origin-Opener-Policy": "crossOriginOpenerPolicy",
+  "Cross-Origin-Resource-Policy": "crossOriginResourcePolicy",
+  "Origin-Agent-Cluster": "originAgentCluster",
+  "Referrer-Policy": "referrerPolicy",
+  "Strict-Transport-Security": "strictTransportSecurity",
+  "X-Content-Type-Options": "xContentTypeOptions",
+  "X-DNS-Prefetch-Control": "xDnsPrefetchControl",
+  "X-Download-Options": "xDownloadOptions",
+  "X-Frame-Options": "xFrameOptions",
+  "X-Permitted-Cross-Domain-Policies": "xPermittedCrossDomainPolicies",
+  "X-XSS-Protection": "xXssProtection",
+  "Permissions-Policy": "permissionsPolicy"
+};
+function helmet(options) {
+  const opts = { ...DEFAULTS, ...options };
+  const headers = new Headers();
+  for (const [header, key] of Object.entries(HEADER_MAP)) {
+    const val = opts[key];
+    if (val !== false && val !== void 0) headers.set(header, val);
+  }
+  return async (req, ctx, next) => {
+    const res = await next(req, ctx);
+    const h = new Headers(res.headers);
+    for (const [k, v] of headers) {
+      if (!h.has(k)) h.set(k, v);
+    }
+    return new Response(res.body, { status: res.status, statusText: res.statusText, headers: h });
+  };
+}
+
+// request-id.ts
+import crypto from "node:crypto";
+function requestId(options) {
+  const header = options?.header ?? "X-Request-ID";
+  const gen = options?.generator ?? (() => crypto.randomUUID());
+  return async (req, ctx, next) => {
+    const existing = req.headers.get(header);
+    const id2 = existing ?? gen();
+    ctx.requestId = id2;
+    const res = await next(req, ctx);
+    if (res.headers.has(header)) return res;
+    const h = new Headers(res.headers);
+    h.set(header, id2);
+    return new Response(res.body, { status: res.status, statusText: res.statusText, headers: h });
+  };
+}
+
+// sse.ts
+var encoder = new TextEncoder();
+function formatSSE(event, data) {
+  return `event: ${event}
+data: ${JSON.stringify(data)}
+
+`;
+}
+function formatSSEData(data) {
+  return `data: ${JSON.stringify(data)}
+
+`;
+}
+function createSSEStream(iterable, opts) {
+  return new Response(
+    new ReadableStream({
+      async start(controller) {
+        try {
+          for await (const event of iterable) {
+            const text2 = event.type ? formatSSE(event.type, event) : formatSSEData(event);
+            controller.enqueue(encoder.encode(text2));
+          }
+        } catch (e) {
+          if (e.name !== "AbortError") {
+            controller.enqueue(
+              encoder.encode(formatSSE("error", { error: e.message }))
+            );
+          }
+        } finally {
+          controller.close();
+        }
+      }
+    }),
+    {
+      status: opts?.status ?? 200,
+      headers: {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        Connection: "keep-alive",
+        ...opts?.headers
+      }
+    }
+  );
+}
+
 // graphql.ts
 import { buildSchema, graphql as executeGraphQL } from "graphql";
 import { makeExecutableSchema } from "@graphql-tools/schema";
@@ -2821,7 +2933,7 @@ import jwt2 from "jsonwebtoken";
 import { z as z2 } from "zod";
 
 // user/oauth2.ts
-import crypto from "node:crypto";
+import crypto2 from "node:crypto";
 import jwt from "jsonwebtoken";
 function createOAuth2Server(deps) {
   const { pg, users, jwtSecret, expiresIn } = deps;
@@ -2840,8 +2952,8 @@ function createOAuth2Server(deps) {
     };
   }
   async function registerClient(data) {
-    const clientId = crypto.randomUUID();
-    const clientSecret = crypto.randomBytes(32).toString("hex");
+    const clientId = crypto2.randomUUID();
+    const clientSecret = crypto2.randomBytes(32).toString("hex");
     const [row] = await pg.sql`
       INSERT INTO "_oauth2_clients" ("name", "client_id", "client_secret", "redirect_uris")
       VALUES (${data.name}, ${clientId}, ${clientSecret}, ${pg.sql.array(data.redirectUris)})
@@ -2989,7 +3101,7 @@ h2{color:#dc2626}.desc{color:#555}</style>
       const loc2 = `${redirectUri}?error=access_denied${state ? `&state=${state}` : ""}`;
       return Response.redirect(loc2, 302);
     }
-    const code = crypto.randomUUID();
+    const code = crypto2.randomUUID();
     const expiresAt = new Date(Date.now() + 10 * 60 * 1e3);
     await pg.sql`
       INSERT INTO "_oauth2_codes" ("code", "client_id", "user_id", "redirect_uri", "code_challenge", "code_challenge_method", "scope", "expires_at")
@@ -3054,7 +3166,7 @@ h2{color:#dc2626}.desc{color:#555}</style>
       if (stored.code_challenge_method === "plain") {
         expected = codeVerifier;
       } else {
-        expected = crypto.createHash("sha256").update(codeVerifier).digest().toString("base64url");
+        expected = crypto2.createHash("sha256").update(codeVerifier).digest().toString("base64url");
       }
       if (expected !== stored.code_challenge) {
         return Response.json({ error: "invalid_grant", error_description: "code_verifier mismatch" }, { status: 400 });
@@ -3071,7 +3183,7 @@ h2{color:#dc2626}.desc{color:#555}</style>
       jwtSecret,
       { expiresIn }
     );
-    const refreshToken = crypto.randomUUID();
+    const refreshToken = crypto2.randomUUID();
     const refreshExpires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1e3);
     await pg.sql`
       INSERT INTO "_oauth2_tokens" ("token", "client_id", "user_id", "scope", "expires_at")
@@ -3339,7 +3451,7 @@ function redis(opts) {
 
 // queue/index.ts
 import { Redis as IORedis2 } from "ioredis";
-import crypto2 from "node:crypto";
+import crypto3 from "node:crypto";
 function cronNext(expr, from = /* @__PURE__ */ new Date()) {
   const parts = expr.trim().split(/\s+/);
   if (parts.length !== 5) throw new Error(`Invalid cron expression "${expr}": expected 5 fields`);
@@ -3430,7 +3542,7 @@ function queue(opts) {
             if (job.schedule) {
               try {
                 const nextRun = cronNext(job.schedule);
-                const nextJob = { ...job, id: crypto2.randomUUID(), runAt: nextRun, createdAt: Date.now() };
+                const nextJob = { ...job, id: crypto3.randomUUID(), runAt: nextRun, createdAt: Date.now() };
                 redis2.zadd(jobKey, nextRun, JSON.stringify(nextJob)).catch(() => {
                 });
               } catch {
@@ -3448,7 +3560,7 @@ function queue(opts) {
     }
   }
   mw.add = function add(type, payload, opts2) {
-    const id2 = crypto2.randomUUID();
+    const id2 = crypto3.randomUUID();
     let runAt;
     if (opts2?.schedule) {
       runAt = cronNext(opts2.schedule);
@@ -4495,53 +4607,6 @@ function buildRouter2(deps) {
 // agent/run.ts
 import { streamText, generateText as generateText2, embed } from "ai";
 import { z as z4 } from "zod";
-
-// sse.ts
-var encoder = new TextEncoder();
-function formatSSE(event, data) {
-  return `event: ${event}
-data: ${JSON.stringify(data)}
-
-`;
-}
-function formatSSEData(data) {
-  return `data: ${JSON.stringify(data)}
-
-`;
-}
-function createSSEStream(iterable, opts) {
-  return new Response(
-    new ReadableStream({
-      async start(controller) {
-        try {
-          for await (const event of iterable) {
-            const text2 = event.type ? formatSSE(event.type, event) : formatSSEData(event);
-            controller.enqueue(encoder.encode(text2));
-          }
-        } catch (e) {
-          if (e.name !== "AbortError") {
-            controller.enqueue(
-              encoder.encode(formatSSE("error", { error: e.message }))
-            );
-          }
-        } finally {
-          controller.close();
-        }
-      }
-    }),
-    {
-      status: opts?.status ?? 200,
-      headers: {
-        "Content-Type": "text/event-stream",
-        "Cache-Control": "no-cache",
-        Connection: "keep-alive",
-        ...opts?.headers
-      }
-    }
-  );
-}
-
-// agent/run.ts
 function hasKnowledgeDocs(sql2, agentId) {
   return sql2`SELECT 1 FROM "_knowledge_documents" WHERE agent_id = ${agentId} LIMIT 1`.then((r) => r.length > 0);
 }
@@ -5161,7 +5226,7 @@ function createGateway(config, getPort) {
 }
 
 // deploy/manager.ts
-import crypto3 from "node:crypto";
+import crypto4 from "node:crypto";
 function createManager(config, apps, manager) {
   const router = new Router();
   const auth2 = (req, ctx, next) => {
@@ -5170,7 +5235,7 @@ function createManager(config, apps, manager) {
     const token = header.replace("Bearer ", "");
     const tokenBuf = Buffer.from(token);
     const secretBuf = Buffer.from(config.deployToken);
-    if (tokenBuf.length !== secretBuf.length || !crypto3.timingSafeEqual(tokenBuf, secretBuf)) {
+    if (tokenBuf.length !== secretBuf.length || !crypto4.timingSafeEqual(tokenBuf, secretBuf)) {
       return Response.json({ error: "Unauthorized" }, { status: 401 });
     }
     return next(req, ctx);
@@ -5269,10 +5334,10 @@ function createManager(config, apps, manager) {
     const rawBody = await req.text();
     if (config.webhookSecret) {
       const sig = req.headers.get("x-hub-signature-256") ?? "";
-      const expected = `sha256=${crypto3.createHmac("sha256", config.webhookSecret).update(rawBody).digest("hex")}`;
+      const expected = `sha256=${crypto4.createHmac("sha256", config.webhookSecret).update(rawBody).digest("hex")}`;
       const sigBuf = Buffer.from(sig);
       const expectedBuf = Buffer.from(expected);
-      if (sigBuf.length !== expectedBuf.length || !crypto3.timingSafeEqual(sigBuf, expectedBuf)) {
+      if (sigBuf.length !== expectedBuf.length || !crypto4.timingSafeEqual(sigBuf, expectedBuf)) {
         return Response.json({ error: "invalid signature" }, { status: 401 });
       }
     }
@@ -6588,6 +6653,155 @@ function extractCookie(req, name) {
   return null;
 }
 
+// seo.ts
+function escapeXml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+}
+function buildRobotsTxt(rules, sitemapUrl) {
+  const lines = [];
+  for (const rule of rules) {
+    lines.push(`User-agent: ${rule.userAgent ?? "*"}`);
+    if (rule.allow) {
+      for (const a of Array.isArray(rule.allow) ? rule.allow : [rule.allow]) {
+        lines.push(`Allow: ${a}`);
+      }
+    }
+    if (rule.disallow) {
+      for (const d of Array.isArray(rule.disallow) ? rule.disallow : [rule.disallow]) {
+        lines.push(`Disallow: ${d}`);
+      }
+    }
+  }
+  if (sitemapUrl) {
+    lines.push(`Sitemap: ${sitemapUrl}`);
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+function buildSitemapXml(urls, baseUrl) {
+  if (urls.length === 0) {
+    return `<?xml version="1.0" encoding="UTF-8"?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+</urlset>
+`;
+  }
+  let xml = `<?xml version="1.0" encoding="UTF-8"?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+`;
+  for (const url of urls) {
+    let loc = url.loc;
+    if (baseUrl && loc.startsWith("/")) {
+      loc = baseUrl.replace(/\/+$/, "") + loc;
+    }
+    xml += `  <url>
+    <loc>${escapeXml(loc)}</loc>`;
+    if (url.lastmod) {
+      xml += `
+    <lastmod>${escapeXml(url.lastmod)}</lastmod>`;
+    }
+    if (url.changefreq) {
+      xml += `
+    <changefreq>${escapeXml(url.changefreq)}</changefreq>`;
+    }
+    if (url.priority !== void 0) {
+      xml += `
+    <priority>${url.priority.toFixed(1)}</priority>`;
+    }
+    xml += `
+  </url>
+`;
+  }
+  xml += `</urlset>
+`;
+  return xml;
+}
+function getRobotsHeader(headers, path2) {
+  if (!headers?.["X-Robots-Tag"]) return void 0;
+  const val = headers["X-Robots-Tag"];
+  if (typeof val === "function") return val(path2);
+  return val;
+}
+function seoMiddleware(options) {
+  const headers = options?.headers;
+  return async (req, ctx, next) => {
+    const res = await next(req, ctx);
+    if (!headers) return res;
+    const url = new URL(req.url);
+    const robotTag = getRobotsHeader(headers, url.pathname);
+    if (robotTag) {
+      const h = new Headers(res.headers);
+      h.set("X-Robots-Tag", robotTag);
+      return new Response(res.body, { status: res.status, statusText: res.statusText, headers: h });
+    }
+    return res;
+  };
+}
+function seo(options) {
+  const { robots, sitemap: sitemapConfig, baseUrl } = options ?? {};
+  const r = new Router();
+  const robotsHandler = () => {
+    const sitemapUrl = sitemapConfig ? `${baseUrl ?? ""}/sitemap.xml` : void 0;
+    const body = buildRobotsTxt(robots ?? [{ userAgent: "*", allow: "/" }], sitemapUrl);
+    return new Response(body, {
+      headers: { "Content-Type": "text/plain; charset=utf-8" }
+    });
+  };
+  let cached = null;
+  let cacheTime = 0;
+  const cacheTTL = sitemapConfig?.cacheTTL ?? 36e5;
+  const sitemapHandler = async () => {
+    if (cached && Date.now() - cacheTime < cacheTTL) {
+      return new Response(cached, {
+        headers: { "Content-Type": "application/xml; charset=utf-8" }
+      });
+    }
+    const urls = [...sitemapConfig?.urls ?? []];
+    if (sitemapConfig?.resolve) {
+      const dynamic = await sitemapConfig.resolve();
+      urls.push(...dynamic);
+    }
+    const xml = buildSitemapXml(urls, baseUrl);
+    cached = xml;
+    cacheTime = Date.now();
+    return new Response(xml, {
+      headers: { "Content-Type": "application/xml; charset=utf-8" }
+    });
+  };
+  r.get("/robots.txt", robotsHandler);
+  r.get("/sitemap.xml", sitemapHandler);
+  return r;
+}
+function seoTags(config) {
+  const tags = [];
+  if (config.title) {
+    tags.push(`<title>${escapeXml(config.title)}</title>`);
+    tags.push(`<meta property="og:title" content="${escapeXml(config.title)}">`);
+    tags.push(`<meta name="twitter:title" content="${escapeXml(config.title)}">`);
+  }
+  if (config.description) {
+    tags.push(`<meta name="description" content="${escapeXml(config.description)}">`);
+    tags.push(`<meta property="og:description" content="${escapeXml(config.description)}">`);
+    tags.push(`<meta name="twitter:description" content="${escapeXml(config.description)}">`);
+  }
+  if (config.ogTitle) {
+    tags.push(`<meta property="og:title" content="${escapeXml(config.ogTitle)}">`);
+  }
+  if (config.ogDescription) {
+    tags.push(`<meta property="og:description" content="${escapeXml(config.ogDescription)}">`);
+  }
+  if (config.ogImage) {
+    tags.push(`<meta property="og:image" content="${escapeXml(config.ogImage)}">`);
+    tags.push(`<meta name="twitter:image" content="${escapeXml(config.ogImage)}">`);
+  }
+  if (config.twitterCard) {
+    tags.push(`<meta name="twitter:card" content="${escapeXml(config.twitterCard)}">`);
+  }
+  if (config.canonical) {
+    tags.push(`<link rel="canonical" href="${escapeXml(config.canonical)}">`);
+  }
+  return tags.join("\n");
+}
+
 // mailer.ts
 import { createTransport } from "nodemailer";
 function mailer(options) {
@@ -6780,7 +6994,7 @@ function logdb(options) {
 }
 
 // iii/client.ts
-import crypto4 from "node:crypto";
+import crypto5 from "node:crypto";
 
 // iii/stream.ts
 var channels2 = /* @__PURE__ */ new Map();
@@ -6998,16 +7212,20 @@ function createPgStore(pg) {
     }
   };
 }
-function createRedisStore(redis2) {
+function createRedisStore(redis2, ttl) {
   function hashKey(stream, group) {
     return `iii:stream:${stream}:${group}`;
   }
+  function setTTL(hk) {
+    if (ttl) redis2.expire(hk, ttl);
+  }
   return {
     async set(stream, group, item, data) {
       const hk = hashKey(stream, group);
       const oldRaw = await redis2.hget(hk, item);
       let old = oldRaw ? JSON.parse(oldRaw) : null;
       await redis2.hset(hk, item, JSON.stringify(data));
+      setTTL(hk);
       await redis2.publish(`iii:stream:${stream}`, JSON.stringify({ event: "set", group, item, data }));
       notify(stream, group, item, "set", data);
       return { old_value: old, new_value: deepClone(data) };
@@ -7021,6 +7239,8 @@ function createRedisStore(redis2) {
       const oldRaw = await redis2.hget(hk, item);
       const old = oldRaw ? JSON.parse(oldRaw) : null;
       await redis2.hdel(hk, item);
+      const remaining = await redis2.hlen(hk);
+      if (remaining === 0) await redis2.del(hk);
       await redis2.publish(`iii:stream:${stream}`, JSON.stringify({ event: "delete", group, item }));
       notify(stream, group, item, "delete", null);
       return { old_value: old };
@@ -7081,6 +7301,7 @@ function createRedisStore(redis2) {
       const old = oldRaw ? JSON.parse(oldRaw) : null;
       const newVal = applyOps(old, ops);
       await redis2.hset(hk, item, JSON.stringify(newVal));
+      setTTL(hk);
       await redis2.publish(`iii:stream:${stream}`, JSON.stringify({ event: "update", group, item, data: newVal }));
       notify(stream, group, item, "update", newVal);
       return { old_value: old, new_value: deepClone(newVal) };
@@ -7088,7 +7309,7 @@ function createRedisStore(redis2) {
   };
 }
 function createStream(opts) {
-  const store = opts?.pg ? createPgStore(opts.pg) : opts?.redis ? createRedisStore(opts.redis) : createMemoryStore();
+  const store = opts?.pg ? createPgStore(opts.pg) : opts?.redis ? createRedisStore(opts.redis, opts.streamTTL ?? 3600) : createMemoryStore();
   let redisSub = null;
   if (opts?.redis) {
     redisSub = opts.redis.duplicate();
@@ -7272,7 +7493,7 @@ function buildRouter5(engine, wsHandler) {
 
 // iii/client.ts
 function iii(opts = {}) {
-  const stream = createStream({ pg: opts.pg, redis: opts.redis });
+  const stream = createStream({ pg: opts.pg, redis: opts.redis, streamTTL: opts.streamTTL });
   const workers = /* @__PURE__ */ new Map();
   const functions = /* @__PURE__ */ new Map();
   const triggers = /* @__PURE__ */ new Map();
@@ -7295,7 +7516,7 @@ function iii(opts = {}) {
   registerBuiltin("stream::send", (p) => stream.send(p.stream_name, p.group_id, p.type, p.data, p.id));
   registerBuiltin("stream::update", (p) => stream.update(p.stream_name, p.group_id, p.item_id, p.ops));
   function addLocalWorker(worker) {
-    const workerId = crypto4.randomUUID();
+    const workerId = crypto5.randomUUID();
     const reg = {
       id: workerId,
       name: worker.name,
@@ -7310,7 +7531,7 @@ function iii(opts = {}) {
       const triggerIds = [];
       for (const t of worker.getTriggers()) {
         if (t.input.function_id === fn.id) {
-          const tid = crypto4.randomUUID();
+          const tid = crypto5.randomUUID();
           triggers.set(tid, {
             id: tid,
             type: t.input.type,
@@ -7339,7 +7560,7 @@ function iii(opts = {}) {
     if (!worker) return;
     const handler = async (payload) => {
       if (!worker.ws) throw new Error(`Worker "${worker.name}" disconnected`);
-      const invocationId = crypto4.randomUUID();
+      const invocationId = crypto5.randomUUID();
       return new Promise((resolve11, reject) => {
         const timer = setTimeout(() => {
           pending.delete(invocationId);
@@ -7373,7 +7594,7 @@ function iii(opts = {}) {
   }
   const wsHandler = createWsHandler({
     registerRemoteWorker(ws, name) {
-      const id2 = crypto4.randomUUID();
+      const id2 = crypto5.randomUUID();
       workers.set(id2, { id: id2, name, ws, functions: [], triggers: [] });
       return id2;
     },
@@ -7384,7 +7605,7 @@ function iii(opts = {}) {
       addRemoteFunction(workerId, id2);
     },
     registerRemoteTrigger(workerId, input) {
-      const tid = crypto4.randomUUID();
+      const tid = crypto5.randomUUID();
       const reg = { id: tid, ...input, workerId };
       triggers.set(tid, reg);
       const worker = workers.get(workerId);
@@ -7740,13 +7961,17 @@ export {
   auth,
   compress,
   cors,
+  createSSEStream,
   createTestServer,
   defineConfig,
   deleteCookie,
   deploy,
+  formatSSE,
+  formatSSEData,
   getCookies,
   graphql,
   health,
+  helmet,
   i18n,
   iii,
   loadEnv,
@@ -7760,7 +7985,11 @@ export {
   rateLimit,
   redis,
   registerWorker,
+  requestId,
   runWorkflow,
+  seo,
+  seoMiddleware,
+  seoTags,
   serve,
   serveStatic,
   setCookie,

package/dist/request-id.d.ts

@@ -0,0 +1,6 @@
+import type { Middleware } from './types.ts';
+export interface RequestIdOptions {
+    header?: string;
+    generator?: () => string;
+}
+export declare function requestId(options?: RequestIdOptions): Middleware;

package/dist/seo.d.ts

@@ -0,0 +1,39 @@
+import type { Middleware } from './types.ts';
+import { Router } from './router.ts';
+export interface RobotsRule {
+    userAgent?: string;
+    allow?: string | string[];
+    disallow?: string | string[];
+}
+export interface SitemapUrl {
+    loc: string;
+    lastmod?: string;
+    changefreq?: 'always' | 'hourly' | 'daily' | 'weekly' | 'monthly' | 'yearly' | 'never';
+    priority?: number;
+}
+export interface SitemapConfig {
+    urls?: SitemapUrl[];
+    resolve?: () => SitemapUrl[] | Promise<SitemapUrl[]>;
+    cacheTTL?: number;
+}
+export interface SeoHeadersConfig {
+    'X-Robots-Tag'?: string | ((path: string) => string | undefined);
+}
+export interface SeoOptions {
+    robots?: RobotsRule[];
+    sitemap?: SitemapConfig;
+    headers?: SeoHeadersConfig;
+    baseUrl?: string;
+}
+export declare function seoMiddleware(options?: SeoOptions): Middleware;
+export declare function seo(options?: SeoOptions): Router;
+export interface SeoTagsConfig {
+    title?: string;
+    description?: string;
+    ogImage?: string;
+    ogTitle?: string;
+    ogDescription?: string;
+    twitterCard?: 'summary' | 'summary_large_image';
+    canonical?: string;
+}
+export declare function seoTags(config: SeoTagsConfig): string;

package/dist/types.d.ts

@@ -6,6 +6,7 @@ export interface Context {
     mountPath?: string;
     locale?: string;
     t?: (key: string, params?: Record<string, string>) => string;
+    requestId?: string;
 }
 export type Handler = (req: Request, ctx: Context) => Response | Promise<Response>;
 export type Middleware = (req: Request, ctx: Context, next: Handler) => Response | Promise<Response>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "weifuwu",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "description": "Web-standard HTTP framework for Node.js — (req, ctx) => Response",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",