zero-http 0.2.0 → 0.2.1

package/documentation/full-server.js

@@ -3,15 +3,20 @@
  * Organized with controllers and JSDoc comments for clarity and maintainability.
  */
 
+// --- Crash protection ---
+process.on('uncaughtException', (err) => { console.error('[UNCAUGHT]', err); });
+process.on('unhandledRejection', (err) => { console.error('[UNHANDLED]', err); });
+
 const path = require('path');
 const fs = require('fs');
 const os = require('os');
-const { createApp, cors, json, urlencoded, text, raw, multipart, static: serveStatic, fetch, logger } = require('..');
+const { createApp, cors, json, urlencoded, text, raw, multipart, static: serveStatic, fetch, logger, compress, Router } = require('..');
 
 // --- App Initialization ---
 const app = createApp();
 app.use(logger({ format: 'dev' }));
 app.use(cors());
+app.use(compress());
 app.use(json());
 app.use(urlencoded());
 app.use(text());
@@ -94,6 +99,82 @@ const proxyController = require('./controllers/proxy');
 const proxyFetch = (typeof globalThis !== 'undefined' && globalThis.fetch) || fetch;
 app.get('/proxy', proxyController.proxy(proxyFetch));
 
+// --- WebSocket Chat ---
+const wsClients = new Set();
+
+app.ws('/ws/chat', { maxPayload: 64 * 1024, pingInterval: 25000 }, (ws, req) =>
+{
+    ws.data.name = ws.query.name || 'anon';
+    wsClients.add(ws);
+    ws.send(JSON.stringify({ type: 'system', text: 'Welcome, ' + ws.data.name + '!' }));
+
+    // Broadcast join
+    for (const c of wsClients)
+    {
+        if (c !== ws && c.readyState === 1)
+            c.send(JSON.stringify({ type: 'system', text: ws.data.name + ' joined' }));
+    }
+
+    ws.on('message', (msg) =>
+    {
+        // Broadcast to all clients including sender
+        const payload = JSON.stringify({ type: 'message', name: ws.data.name, text: String(msg) });
+        for (const c of wsClients)
+        {
+            if (c.readyState === 1) c.send(payload);
+        }
+    });
+
+    ws.on('close', () =>
+    {
+        wsClients.delete(ws);
+        for (const c of wsClients)
+        {
+            if (c.readyState === 1)
+                c.send(JSON.stringify({ type: 'system', text: ws.data.name + ' left' }));
+        }
+    });
+});
+
+// --- Server-Sent Events ---
+const sseClients = new Set();
+
+app.get('/sse/events', (req, res) =>
+{
+    const sse = res.sse({ retry: 5000, autoId: true, keepAlive: 30000 });
+    sseClients.add(sse);
+    sse.send({ type: 'connected', clients: sseClients.size });
+
+    sse.on('close', () => sseClients.delete(sse));
+});
+
+app.post('/sse/broadcast', (req, res) =>
+{
+    const data = req.body || {};
+    for (const sse of sseClients)
+    {
+        sse.event('broadcast', data);
+    }
+    res.json({ sent: sseClients.size });
+});
+
+// --- Router Demo (API sub-app) ---
+const apiRouter = Router();
+
+apiRouter.get('/health', (req, res) => res.json({ status: 'ok', uptime: process.uptime() }));
+apiRouter.get('/info', (req, res) => res.json({
+    secure: req.secure,
+    protocol: req.protocol,
+    ip: req.ip,
+    method: req.method,
+    url: req.url
+}));
+
+app.use('/api', apiRouter);
+
+// --- Route introspection ---
+app.get('/debug/routes', (req, res) => res.json(app.routes()));
+
 // --- Server Startup ---
 const port = process.env.PORT || 3000;
 const server = app.listen(port, () =>

package/documentation/public/data/api.json

@@ -1,29 +1,51 @@
 [
   {
     "name": "createApp()",
-    "description": "Returns an application instance with Express-like routing, middleware support, error handling, and an HTTP server.",
-    "example": "const { createApp, json, cors, logger, static: serveStatic } = require('zero-http')\nconst app = createApp()\n\napp.use(logger({ format: 'dev' }))\napp.use(cors())\napp.use(json({ limit: '10kb' }))\napp.use(serveStatic(path.join(__dirname, 'public')))\n\napp.get('/', (req, res) => res.json({ hello: 'world' }))\n\napp.onError((err, req, res, next) => {\n\tconsole.error(err)\n\tres.status(500).json({ error: err.message })\n})\n\napp.listen(3000, () => console.log('listening on :3000'))",
+    "description": "Returns an application instance with Express-like routing, middleware support, WebSocket handling, error handling, and an HTTP/HTTPS server.",
+    "example": "const { createApp, json, cors, logger, compress,\n\tstatic: serveStatic } = require('zero-http')\nconst app = createApp()\n\napp.use(logger({ format: 'dev' }))\napp.use(cors())\napp.use(compress())\napp.use(json({ limit: '10kb' }))\napp.use(serveStatic(path.join(__dirname, 'public')))\n\napp.get('/', (req, res) => res.json({ hello: 'world' }))\n\napp.ws('/chat', (ws, req) => {\n\tws.on('message', msg => ws.send('echo: ' + msg))\n})\n\napp.onError((err, req, res, next) => {\n\tconsole.error(err)\n\tres.status(500).json({ error: err.message })\n})\n\n// HTTP\napp.listen(3000, () => console.log('listening on :3000'))\n\n// HTTPS\napp.listen(443, { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem') })",
     "methods": [
       { "method": "use", "signature": "use(fn)", "description": "Register global middleware; fn(req, res, next)." },
-      { "method": "use", "signature": "use(prefix, fn)", "description": "Register path-scoped middleware. The prefix is stripped from req.url before calling fn." },
-      { "method": "get", "signature": "get(path, ...handlers)", "description": "Register GET route handlers." },
-      { "method": "post", "signature": "post(path, ...handlers)", "description": "Register POST route handlers." },
-      { "method": "put", "signature": "put(path, ...handlers)", "description": "Register PUT route handlers." },
-      { "method": "delete", "signature": "delete(path, ...handlers)", "description": "Register DELETE route handlers." },
-      { "method": "patch", "signature": "patch(path, ...handlers)", "description": "Register PATCH route handlers." },
-      { "method": "options", "signature": "options(path, ...handlers)", "description": "Register OPTIONS route handlers." },
-      { "method": "head", "signature": "head(path, ...handlers)", "description": "Register HEAD route handlers." },
-      { "method": "all", "signature": "all(path, ...handlers)", "description": "Register handlers for ALL HTTP methods." },
+      { "method": "use", "signature": "use(prefix, fn|router)", "description": "Register path-scoped middleware or mount a Router sub-app. The prefix is stripped from req.url." },
+      { "method": "get", "signature": "get(path, [opts], ...handlers)", "description": "Register GET route handlers. Optional opts object for { secure } matching." },
+      { "method": "post", "signature": "post(path, [opts], ...handlers)", "description": "Register POST route handlers." },
+      { "method": "put", "signature": "put(path, [opts], ...handlers)", "description": "Register PUT route handlers." },
+      { "method": "delete", "signature": "delete(path, [opts], ...handlers)", "description": "Register DELETE route handlers." },
+      { "method": "patch", "signature": "patch(path, [opts], ...handlers)", "description": "Register PATCH route handlers." },
+      { "method": "options", "signature": "options(path, [opts], ...handlers)", "description": "Register OPTIONS route handlers." },
+      { "method": "head", "signature": "head(path, [opts], ...handlers)", "description": "Register HEAD route handlers." },
+      { "method": "all", "signature": "all(path, [opts], ...handlers)", "description": "Register handlers for ALL HTTP methods." },
+      { "method": "ws", "signature": "ws(path, [opts], handler)", "description": "Register a WebSocket upgrade handler. handler receives (ws, req)." },
       { "method": "onError", "signature": "onError(fn)", "description": "Register a global error handler: fn(err, req, res, next). Only one at a time." },
-      { "method": "listen", "signature": "listen(port = 3000, cb)", "description": "Start the HTTP server. Returns the http.Server instance." },
+      { "method": "listen", "signature": "listen(port, [tlsOpts], [cb])", "description": "Start HTTP server, or HTTPS if tlsOpts includes { key, cert }. Returns the server instance." },
+      { "method": "close", "signature": "close([cb])", "description": "Gracefully close the server and invoke the optional callback." },
+      { "method": "routes", "signature": "routes()", "description": "Return a flat array of all registered routes for introspection." },
       { "method": "handler", "signature": "(property)", "description": "Bound request handler suitable for http.createServer(app.handler)." }
     ],
     "options": []
   },
+  {
+    "name": "Router()",
+    "description": "Creates a standalone router for modular route grouping. Supports all HTTP method helpers, route chaining via .route(), sub-router mounting via .use(), protocol-aware { secure } matching, and introspection via .routes().",
+    "example": "const { createApp, Router, json } = require('zero-http')\nconst app = createApp()\nconst api = Router()\n\napi.use(json())\napi.get('/users', (req, res) => res.json([]))\napi.get('/users/:id', (req, res) => res.json({ id: req.params.id }))\n\n// Route chaining\napi.route('/items')\n\t.get((req, res) => res.json([]))\n\t.post((req, res) => res.status(201).json(req.body))\n\n// HTTPS-only route\napi.get('/secret', { secure: true }, (req, res) => res.json({ classified: true }))\n\napp.use('/api', api)\napp.listen(3000)\n\nconsole.log(app.routes())\n// [{ method:'GET', path:'/api/users' }, { method:'GET', path:'/api/users/:id' }, ...]",
+    "methods": [
+      { "method": "get", "signature": "get(path, [opts], ...handlers)", "description": "Register GET route. Optional { secure } option." },
+      { "method": "post", "signature": "post(path, [opts], ...handlers)", "description": "Register POST route." },
+      { "method": "put", "signature": "put(path, [opts], ...handlers)", "description": "Register PUT route." },
+      { "method": "delete", "signature": "delete(path, [opts], ...handlers)", "description": "Register DELETE route." },
+      { "method": "patch", "signature": "patch(path, [opts], ...handlers)", "description": "Register PATCH route." },
+      { "method": "options", "signature": "options(path, [opts], ...handlers)", "description": "Register OPTIONS route." },
+      { "method": "head", "signature": "head(path, [opts], ...handlers)", "description": "Register HEAD route." },
+      { "method": "all", "signature": "all(path, [opts], ...handlers)", "description": "Register route for all HTTP methods." },
+      { "method": "use", "signature": "use(fn) | use(prefix, fn|router)", "description": "Register middleware or mount a nested sub-router." },
+      { "method": "route", "signature": "route(path)", "description": "Return a chainable object with .get(), .post(), etc. for a single path." },
+      { "method": "routes", "signature": "routes()", "description": "Return an array of all registered routes with method, path, and secure flag." }
+    ],
+    "options": []
+  },
   {
     "name": "Request (req)",
-    "description": "Wraps the incoming Node http.IncomingMessage with convenient properties and helpers. Populated by the middleware chain.",
-    "example": "app.get('/info', (req, res) => {\n\tconsole.log(req.method)           // 'GET'\n\tconsole.log(req.url)              // '/info?foo=bar'\n\tconsole.log(req.query)            // { foo: 'bar' }\n\tconsole.log(req.ip)               // '127.0.0.1'\n\tconsole.log(req.get('host'))      // 'localhost:3000'\n\tconsole.log(req.is('json'))       // false\n\tres.json({ ok: true })\n})",
+    "description": "Wraps the incoming Node http.IncomingMessage with convenient properties and helpers. Includes HTTPS detection via req.secure and req.protocol.",
+    "example": "app.get('/info', (req, res) => {\n\tconsole.log(req.method)           // 'GET'\n\tconsole.log(req.url)              // '/info?foo=bar'\n\tconsole.log(req.query)            // { foo: 'bar' }\n\tconsole.log(req.ip)               // '127.0.0.1'\n\tconsole.log(req.secure)           // true/false\n\tconsole.log(req.protocol)         // 'https' or 'http'\n\tconsole.log(req.get('host'))      // 'localhost:3000'\n\tconsole.log(req.is('json'))       // false\n\tres.json({ ok: true })\n})",
     "methods": [
       { "method": "method", "signature": "(string)", "description": "HTTP method (GET, POST, etc.)." },
       { "method": "url", "signature": "(string)", "description": "Request URL path + query string." },
@@ -32,6 +54,8 @@
       { "method": "params", "signature": "(object)", "description": "Route parameters populated by the router (e.g. { id: '42' })." },
       { "method": "body", "signature": "(any)", "description": "Parsed request body (null until a body parser runs)." },
       { "method": "ip", "signature": "(string|null)", "description": "Remote IP address from req.socket.remoteAddress." },
+      { "method": "secure", "signature": "(boolean)", "description": "true when the connection is over TLS (HTTPS)." },
+      { "method": "protocol", "signature": "(string)", "description": "'https' or 'http' based on connection type." },
       { "method": "raw", "signature": "(object)", "description": "The underlying http.IncomingMessage." },
       { "method": "get", "signature": "get(name)", "description": "Get a request header (case-insensitive)." },
       { "method": "is", "signature": "is(type)", "description": "Check if Content-Type contains the given type string (e.g. 'json', 'text/html')." }
@@ -40,8 +64,8 @@
   },
   {
     "name": "Response (res)",
-    "description": "Wraps the outgoing Node http.ServerResponse with chainable helpers for setting status, headers, and sending responses.",
-    "example": "app.get('/demo', (req, res) => {\n\tres.status(200)\n\t   .set('X-Custom', 'hello')\n\t   .type('json')\n\t   .json({ message: 'ok' })\n})\n\napp.get('/page', (req, res) => res.html('<h1>Hello</h1>'))\napp.get('/go', (req, res) => res.redirect(301, '/new-location'))",
+    "description": "Wraps the outgoing Node http.ServerResponse with chainable helpers for setting status, headers, sending responses, and opening an SSE stream.",
+    "example": "app.get('/demo', (req, res) => {\n\tres.status(200)\n\t   .set('X-Custom', 'hello')\n\t   .type('json')\n\t   .json({ message: 'ok' })\n})\n\napp.get('/page', (req, res) => res.html('<h1>Hello</h1>'))\napp.get('/go', (req, res) => res.redirect(301, '/new-location'))\n\n// Open an SSE stream\napp.get('/events', (req, res) => {\n\tconst sse = res.sse({ retry: 5000, autoId: true })\n\tsse.send('hello')\n})",
     "methods": [
       { "method": "status", "signature": "status(code)", "description": "Set HTTP status code. Returns this (chainable)." },
       { "method": "set", "signature": "set(name, value)", "description": "Set a response header. Returns this (chainable)." },
@@ -51,57 +75,149 @@
       { "method": "json", "signature": "json(obj)", "description": "Set Content-Type to application/json and send the object." },
       { "method": "text", "signature": "text(str)", "description": "Set Content-Type to text/plain and send the string." },
       { "method": "html", "signature": "html(str)", "description": "Set Content-Type to text/html and send the string." },
-      { "method": "redirect", "signature": "redirect([status], url)", "description": "Redirect to URL. Default status is 302." }
+      { "method": "redirect", "signature": "redirect([status], url)", "description": "Redirect to URL. Default status is 302." },
+      { "method": "sse", "signature": "sse([opts])", "description": "Open a Server-Sent Events stream. Returns an SSEStream controller with send(), event(), comment(), close(), etc." }
+    ],
+    "options": []
+  },
+  {
+    "name": "app.ws(path, [opts], handler)",
+    "description": "Register a WebSocket upgrade handler on the application. Uses RFC 6455 framing with built-in ping/pong, sub-protocol negotiation, and client verification. The handler receives (ws, req) where ws is a WebSocketConnection with a rich event-driven API.",
+    "example": "const { createApp } = require('zero-http')\nconst app = createApp()\n\nconst clients = new Set()\n\napp.ws('/chat', {\n\tmaxPayload: 64 * 1024,\n\tpingInterval: 20000,\n\tverifyClient: (req) => req.headers['x-api-key'] === 'secret'\n}, (ws, req) => {\n\tclients.add(ws)\n\tws.data.name = req.query.name || 'anon'\n\tws.send('Welcome, ' + ws.data.name + '!')\n\n\tws.on('message', msg => {\n\t\tfor (const c of clients) {\n\t\t\tif (c !== ws && c.readyState === 1)\n\t\t\t\tc.send(ws.data.name + ': ' + msg)\n\t\t}\n\t})\n\n\tws.on('close', () => clients.delete(ws))\n})\n\napp.listen(3000)",
+    "methods": [
+      { "method": "ws.send", "signature": "send(data, [opts])", "description": "Send a text or binary message. opts.binary forces a binary frame." },
+      { "method": "ws.sendJSON", "signature": "sendJSON(obj)", "description": "JSON-serialize and send as a text frame." },
+      { "method": "ws.ping", "signature": "ping([payload])", "description": "Send a ping frame (auto-pings are built-in via pingInterval)." },
+      { "method": "ws.pong", "signature": "pong([payload])", "description": "Send a pong frame." },
+      { "method": "ws.close", "signature": "close([code], [reason])", "description": "Initiate a graceful close with optional status code and reason." },
+      { "method": "ws.terminate", "signature": "terminate()", "description": "Forcefully destroy the underlying socket." },
+      { "method": "ws.on", "signature": "on(event, fn)", "description": "Listen for events: 'message', 'close', 'error', 'ping', 'pong', 'drain'." },
+      { "method": "ws.once", "signature": "once(event, fn)", "description": "One-time event listener." },
+      { "method": "ws.off", "signature": "off(event, fn)", "description": "Remove a specific event listener." },
+      { "method": "ws.removeAllListeners", "signature": "removeAllListeners([event])", "description": "Remove all listeners for an event, or all events." },
+      { "method": "ws.listenerCount", "signature": "listenerCount(event)", "description": "Return the number of listeners for an event." }
+    ],
+    "options": [
+      { "option": "maxPayload", "type": "number", "default": "1048576 (1 MB)", "notes": "Maximum incoming frame size in bytes. Frames exceeding this close the connection with 1009." },
+      { "option": "pingInterval", "type": "number", "default": "30000", "notes": "Auto-ping interval in ms. Set to 0 to disable." },
+      { "option": "verifyClient", "type": "function", "default": "—", "notes": "fn(req) → boolean. Return false to reject the upgrade with 403 Forbidden." }
+    ]
+  },
+  {
+    "name": "WebSocketConnection",
+    "description": "Represents a single WebSocket connection. Created automatically when a client upgrades to WebSocket at a registered ws() path. Provides an event-driven API with per-connection data store, connection metadata, and binary/text messaging.",
+    "example": "// Properties available on each ws connection:\napp.ws('/demo', (ws, req) => {\n\tconsole.log(ws.id)             // 'ws_1_a3x9k'\n\tconsole.log(ws.readyState)     // 1 (OPEN)\n\tconsole.log(ws.protocol)       // negotiated sub-protocol\n\tconsole.log(ws.headers)        // upgrade request headers\n\tconsole.log(ws.ip)             // remote IP\n\tconsole.log(ws.query)          // parsed query params\n\tconsole.log(ws.url)            // upgrade URL\n\tconsole.log(ws.secure)         // true for wss://\n\tconsole.log(ws.connectedAt)    // timestamp of connection\n\tconsole.log(ws.uptime)         // ms since connected\n\tconsole.log(ws.bufferedAmount) // pending bytes\n\n\t// Per-connection data store\n\tws.data.role = 'admin'\n\tif (ws.data.role === 'admin') ws.send('admin tools unlocked')\n})",
+    "methods": [
+      { "method": "id", "signature": "(string)", "description": "Unique connection identifier (e.g. ws_1_l8x3k)." },
+      { "method": "readyState", "signature": "(number)", "description": "0=CONNECTING, 1=OPEN, 2=CLOSING, 3=CLOSED (mirrors the WebSocket spec)." },
+      { "method": "protocol", "signature": "(string)", "description": "Negotiated sub-protocol from the Sec-WebSocket-Protocol handshake." },
+      { "method": "headers", "signature": "(object)", "description": "Headers from the initial HTTP upgrade request." },
+      { "method": "ip", "signature": "(string)", "description": "Remote IP address of the WebSocket client." },
+      { "method": "query", "signature": "(object)", "description": "Parsed query parameters from the upgrade URL." },
+      { "method": "url", "signature": "(string)", "description": "Full upgrade request URL." },
+      { "method": "secure", "signature": "(boolean)", "description": "true when the connection is over TLS (WSS)." },
+      { "method": "extensions", "signature": "(string)", "description": "Requested WebSocket extensions header from the client." },
+      { "method": "maxPayload", "signature": "(number)", "description": "Maximum payload size in bytes for this connection." },
+      { "method": "connectedAt", "signature": "(number)", "description": "Timestamp (ms) when the connection was established." },
+      { "method": "uptime", "signature": "(number)", "description": "Milliseconds since the connection opened (computed getter)." },
+      { "method": "bufferedAmount", "signature": "(number)", "description": "Number of bytes queued for transmission." },
+      { "method": "data", "signature": "(object)", "description": "Arbitrary per-connection data store. Use ws.data.key = value for user data." }
     ],
     "options": []
   },
+  {
+    "name": "res.sse([opts]) / SSEStream",
+    "description": "Opens a Server-Sent Events stream from a route handler. Returns an SSEStream controller with methods for sending events, comments, and controlling the stream lifecycle. Supports auto-incrementing IDs, keep-alive, retry hints, and per-stream data store.",
+    "example": "app.get('/events', (req, res) => {\n\tconst sse = res.sse({\n\t\tstatus: 200,\n\t\tretry: 5000,\n\t\tkeepAlive: 30000,\n\t\tkeepAliveComment: 'ping',\n\t\tautoId: true,\n\t\tstartId: 1,\n\t\tpad: 2048,\n\t\theaders: { 'X-Stream': 'live' }\n\t})\n\n\t// Send unnamed data event\n\tsse.send('hello')\n\n\t// Send named event with object data\n\tsse.event('update', { x: 1, y: 2 })\n\n\t// Props\n\tconsole.log(sse.connected)   // true\n\tconsole.log(sse.eventCount)  // 2\n\tconsole.log(sse.bytesSent)   // bytes written\n\tconsole.log(sse.uptime)      // ms since opened\n\tconsole.log(sse.secure)      // true for HTTPS\n\tconsole.log(sse.data)        // {} user store\n\n\t// Periodic events\n\tconst iv = setInterval(() => sse.event('tick', Date.now()), 1000)\n\tsse.on('close', () => clearInterval(iv))\n})",
+    "methods": [
+      { "method": "send", "signature": "send(data, [id])", "description": "Send unnamed data event. Objects are auto-JSON-serialized." },
+      { "method": "sendJSON", "signature": "sendJSON(obj, [id])", "description": "Alias for send() with an object." },
+      { "method": "event", "signature": "event(name, data, [id])", "description": "Send a named event (event: name\\ndata: ...)." },
+      { "method": "comment", "signature": "comment(text)", "description": "Send a comment line (: text). Useful for keep-alive or debugging." },
+      { "method": "retry", "signature": "retry(ms)", "description": "Send a retry: ms hint to set the client's reconnection interval." },
+      { "method": "keepAlive", "signature": "keepAlive(ms, [comment])", "description": "Start or restart a keep-alive timer that sends periodic comments." },
+      { "method": "flush", "signature": "flush()", "description": "Flush buffered data through proxies (writes 2 KB padding)." },
+      { "method": "close", "signature": "close()", "description": "Close the SSE stream from the server side." },
+      { "method": "on", "signature": "on(event, fn)", "description": "Listen for 'close' or 'error' events." },
+      { "method": "once", "signature": "once(event, fn)", "description": "One-time event listener." },
+      { "method": "off", "signature": "off(event, fn)", "description": "Remove a specific event listener." },
+      { "method": "removeAllListeners", "signature": "removeAllListeners([event])", "description": "Remove all listeners for an event, or all events." },
+      { "method": "listenerCount", "signature": "listenerCount(event)", "description": "Return the number of listeners for an event." }
+    ],
+    "options": [
+      { "option": "retry", "type": "number", "default": "—", "notes": "Reconnection interval hint (ms) sent to the client on stream open." },
+      { "option": "keepAlive", "type": "number", "default": "0", "notes": "Auto keep-alive comment interval in ms. 0 = disabled." },
+      { "option": "keepAliveComment", "type": "string", "default": "ping", "notes": "Comment text sent by the keep-alive timer." },
+      { "option": "autoId", "type": "boolean", "default": "false", "notes": "Auto-increment event IDs starting from startId." },
+      { "option": "startId", "type": "number", "default": "1", "notes": "Starting value for auto-generated IDs." },
+      { "option": "pad", "type": "number", "default": "0", "notes": "Bytes of initial padding (helps flush proxy buffers on connect)." },
+      { "option": "status", "type": "number", "default": "200", "notes": "HTTP status code for the SSE response." },
+      { "option": "headers", "type": "object", "default": "—", "notes": "Additional response headers merged into the SSE response." }
+    ]
+  },
+  {
+    "name": "compress([opts])",
+    "description": "Response compression middleware using brotli, gzip, or deflate based on the client's Accept-Encoding header. Brotli is preferred when available (Node \u2265 11.7). Automatically negotiates encoding, respects threshold, skips SSE streams, and supports a filter function to skip specific requests.",
+    "example": "const { createApp, compress } = require('zero-http')\nconst app = createApp()\n\n// Compress responses over 512 bytes (brotli > gzip > deflate)\napp.use(compress({ threshold: 512, level: 6 }))\n\n// Skip compression for specific routes\napp.use(compress({\n\tfilter: (req, res) => !req.url.startsWith('/stream')\n}))\n\napp.get('/big', (req, res) => {\n\tres.json({ data: 'x'.repeat(10000) })\n})",
+    "methods": [],
+    "options": [
+      { "option": "threshold", "type": "number", "default": "1024", "notes": "Minimum response body size in bytes before compression is applied." },
+      { "option": "level", "type": "number", "default": "-1 (zlib default)", "notes": "Compression level (1–9). Higher = smaller output, more CPU." },
+      { "option": "filter", "type": "function", "default": "—", "notes": "fn(req, res) → boolean. Return false to skip compression for the request." }
+    ]
+  },
   {
     "name": "json([opts])",
-    "description": "Parses JSON request bodies and populates req.body. Skips non-matching Content-Types and calls next().",
-    "example": "app.use(json({\n\tlimit: '10kb',\n\tstrict: true,\n\treviver: (k, v) => {\n\t\tif (typeof v === 'string' && /^\\d{4}-\\d{2}-\\d{2}T/.test(v)) return new Date(v)\n\t\treturn v\n\t},\n\ttype: 'application/json'\n}))",
+    "description": "Parses JSON request bodies and populates req.body. Skips non-matching Content-Types and calls next(). Supports requireSecure to enforce HTTPS.",
+    "example": "app.use(json({\n\tlimit: '10kb',\n\tstrict: true,\n\trequireSecure: false,\n\treviver: (k, v) => {\n\t\tif (typeof v === 'string' && /^\\d{4}-\\d{2}-\\d{2}T/.test(v)) return new Date(v)\n\t\treturn v\n\t},\n\ttype: 'application/json'\n}))",
     "options": [
       { "option": "limit", "type": "number|string", "default": "null (no limit)", "notes": "Maximum body size. Accepts bytes or unit strings like '100kb', '1mb', '1gb'." },
       { "option": "strict", "type": "boolean", "default": "true", "notes": "When true, only accepts objects and arrays (rejects primitives)." },
       { "option": "reviver", "type": "function", "default": "—", "notes": "Optional function passed to JSON.parse for custom reviving." },
-      { "option": "type", "type": "string|function", "default": "application/json", "notes": "MIME type to match. Supports wildcards ('*/*') or a custom predicate function." }
+      { "option": "type", "type": "string|function", "default": "application/json", "notes": "MIME type to match. Supports wildcards ('*/*') or a custom predicate function." },
+      { "option": "requireSecure", "type": "boolean", "default": "false", "notes": "When true, rejects non-HTTPS requests with 403 'HTTPS required'." }
     ]
   },
   {
     "name": "urlencoded([opts])",
-    "description": "Parses application/x-www-form-urlencoded bodies into req.body.",
-    "example": "// Simple flat parsing\napp.use(urlencoded())\n\n// Extended mode with nested bracket syntax\napp.use(urlencoded({\n\textended: true,\n\tlimit: '20kb'\n}))\n// a[b][c]=1  → { a: { b: { c: '1' } } }\n// a[]=1&a[]=2 → { a: ['1', '2'] }",
+    "description": "Parses application/x-www-form-urlencoded bodies into req.body. Supports requireSecure.",
+    "example": "// Simple flat parsing\napp.use(urlencoded())\n\n// Extended mode with nested bracket syntax\napp.use(urlencoded({\n\textended: true,\n\tlimit: '20kb',\n\trequireSecure: false\n}))\n// a[b][c]=1  → { a: { b: { c: '1' } } }\n// a[]=1&a[]=2 → { a: ['1', '2'] }",
     "options": [
       { "option": "extended", "type": "boolean", "default": "false", "notes": "When true, supports rich nested bracket syntax (a[b]=1, a[]=1). When false, returns flat key/value pairs." },
       { "option": "limit", "type": "number|string", "default": "null (no limit)", "notes": "Maximum body size (bytes or unit string)." },
-      { "option": "type", "type": "string|function", "default": "application/x-www-form-urlencoded", "notes": "MIME type to match." }
+      { "option": "type", "type": "string|function", "default": "application/x-www-form-urlencoded", "notes": "MIME type to match." },
+      { "option": "requireSecure", "type": "boolean", "default": "false", "notes": "When true, rejects non-HTTPS requests with 403 'HTTPS required'." }
     ]
   },
   {
     "name": "text([opts])",
-    "description": "Reads plain text request bodies into req.body as a string.",
+    "description": "Reads plain text request bodies into req.body as a string. Supports requireSecure.",
     "example": "app.use(text({ type: 'text/*', limit: '50kb', encoding: 'utf8' }))\n\napp.post('/echo-text', (req, res) => {\n\tres.text(req.body) // echo back the plain text\n})",
     "options": [
       { "option": "type", "type": "string|function", "default": "text/*", "notes": "MIME matcher — uses wildcard by default so it matches text/plain, text/html, etc." },
       { "option": "limit", "type": "number|string", "default": "null (no limit)", "notes": "Maximum body size." },
-      { "option": "encoding", "type": "string", "default": "utf8", "notes": "Character encoding used to decode the incoming bytes." }
+      { "option": "encoding", "type": "string", "default": "utf8", "notes": "Character encoding used to decode the incoming bytes." },
+      { "option": "requireSecure", "type": "boolean", "default": "false", "notes": "When true, rejects non-HTTPS requests with 403 'HTTPS required'." }
     ]
   },
   {
     "name": "raw([opts])",
-    "description": "Receives raw bytes as a Buffer on req.body. Useful for binary payloads.",
+    "description": "Receives raw bytes as a Buffer on req.body. Useful for binary payloads. Supports requireSecure.",
     "example": "app.post('/binary', raw({ limit: '5mb' }), (req, res) => {\n\tconsole.log(req.body)        // <Buffer ...>\n\tconsole.log(req.body.length) // byte count\n\tres.json({ size: req.body.length })\n})",
     "options": [
       { "option": "type", "type": "string|function", "default": "application/octet-stream", "notes": "MIME type to match for the raw parser." },
-      { "option": "limit", "type": "number|string", "default": "null (no limit)", "notes": "Maximum body size. Returns 413 if exceeded." }
+      { "option": "limit", "type": "number|string", "default": "null (no limit)", "notes": "Maximum body size. Returns 413 if exceeded." },
+      { "option": "requireSecure", "type": "boolean", "default": "false", "notes": "When true, rejects non-HTTPS requests with 403 'HTTPS required'." }
     ]
   },
   {
     "name": "multipart([opts])",
-    "description": "Streaming multipart parser that writes file parts to disk and collects text fields. Sets req.body to { fields, files }. Files are named upload-<timestamp>-<random>.<ext> and streamed via fs.createWriteStream.",
-    "example": "const uploadsDir = path.join(os.tmpdir(), 'my-uploads')\n\napp.post('/upload', multipart({\n\tdir: uploadsDir,\n\tmaxFileSize: 10 * 1024 * 1024\n}), (req, res) => {\n\t// req.body.fields  → { desc: 'a photo' }\n\t// req.body.files   → { file: { originalFilename, storedName, path, contentType, size } }\n\tres.json({ files: req.body.files, fields: req.body.fields })\n})",
+    "description": "Streaming multipart parser that writes file parts to disk and collects text fields. Sets req.body to { fields, files }. Supports requireSecure.",
+    "example": "const uploadsDir = path.join(os.tmpdir(), 'my-uploads')\n\napp.post('/upload', multipart({\n\tdir: uploadsDir,\n\tmaxFileSize: 10 * 1024 * 1024,\n\trequireSecure: false\n}), (req, res) => {\n\t// req.body.fields  → { desc: 'a photo' }\n\t// req.body.files   → { file: { originalFilename, storedName, path, contentType, size } }\n\tres.json({ files: req.body.files, fields: req.body.fields })\n})",
     "options": [
       { "option": "dir", "type": "string", "default": "os.tmpdir()/zero-http-uploads", "notes": "Directory to store uploaded files. Relative paths resolve from process.cwd(). Created automatically if missing." },
-      { "option": "maxFileSize", "type": "number", "default": "null (no limit)", "notes": "Maximum file size in bytes. Exceeding this aborts the upload and returns HTTP 413." }
+      { "option": "maxFileSize", "type": "number", "default": "null (no limit)", "notes": "Maximum file size in bytes. Exceeding this aborts the upload and returns HTTP 413." },
+      { "option": "requireSecure", "type": "boolean", "default": "false", "notes": "When true, rejects non-HTTPS requests with 403 'HTTPS required'." }
     ]
   },
   {
@@ -129,8 +245,8 @@
   },
   {
     "name": "fetch(url, [opts])",
-    "description": "Small Node HTTP/HTTPS client returning a response with status, ok, statusText, headers.get(), and helpers: text(), json(), arrayBuffer(). Supports timeouts, AbortSignal, progress callbacks, and auto-serialization of request bodies.",
-    "example": "const { fetch } = require('zero-http')\n\n// Simple GET with timeout\nconst r = await fetch('https://jsonplaceholder.typicode.com/todos/1', {\n\ttimeout: 5000\n})\nconst data = await r.json()\nconsole.log(r.ok, r.status, data)\n\n// POST with auto-serialized JSON body\nawait fetch('https://httpbin.org/post', {\n\tmethod: 'POST',\n\tbody: { hello: 'world' }\n})\n\n// Download with progress tracking\nawait fetch('https://example.com/big-file.zip', {\n\tonDownloadProgress: ({ loaded, total }) =>\n\t\tconsole.log(`${loaded}/${total} bytes`)\n})",
+    "description": "Small Node HTTP/HTTPS client returning a response with status, ok, statusText, secure, url, headers.get(), and helpers: text(), json(), arrayBuffer(). Supports timeouts, AbortSignal, progress callbacks, auto-serialization, and TLS options passthrough for HTTPS URLs.",
+    "example": "const { fetch } = require('zero-http')\n\n// Simple GET with timeout\nconst r = await fetch('https://jsonplaceholder.typicode.com/todos/1', {\n\ttimeout: 5000\n})\nconst data = await r.json()\nconsole.log(r.ok, r.status, r.secure, r.url, data)\n\n// POST with auto-serialized JSON body\nawait fetch('https://httpbin.org/post', {\n\tmethod: 'POST',\n\tbody: { hello: 'world' }\n})\n\n// HTTPS with custom TLS options\nawait fetch('https://internal-api.local/data', {\n\trejectUnauthorized: false,\n\tca: fs.readFileSync('ca.pem')\n})\n\n// Download with progress tracking\nawait fetch('https://example.com/big-file.zip', {\n\tonDownloadProgress: ({ loaded, total }) =>\n\t\tconsole.log(`${loaded}/${total} bytes`)\n})",
     "options": [
       { "option": "method", "type": "string", "default": "GET", "notes": "HTTP method (uppercased internally)." },
       { "option": "headers", "type": "object", "default": "{}", "notes": "Request headers." },
@@ -139,7 +255,12 @@
       { "option": "signal", "type": "AbortSignal", "default": "undefined", "notes": "AbortController signal to cancel the request." },
       { "option": "agent", "type": "http.Agent", "default": "undefined", "notes": "Optional agent for connection pooling or proxies." },
       { "option": "onDownloadProgress", "type": "function", "default": "—", "notes": "Callback receiving { loaded, total } on each response chunk." },
-      { "option": "onUploadProgress", "type": "function", "default": "—", "notes": "Callback receiving { loaded, total } during body upload. Buffer bodies are chunked at 64KB to enable tracking." }
+      { "option": "onUploadProgress", "type": "function", "default": "—", "notes": "Callback receiving { loaded, total } during body upload." },
+      { "option": "rejectUnauthorized", "type": "boolean", "default": "true", "notes": "TLS option: set false to accept self-signed certs." },
+      { "option": "ca / cert / key / pfx", "type": "string|Buffer", "default": "—", "notes": "TLS options: custom certificate authority, client cert, key, or PKCS12 bundle." },
+      { "option": "passphrase", "type": "string", "default": "—", "notes": "Passphrase for the private key or pfx." },
+      { "option": "servername", "type": "string", "default": "—", "notes": "SNI hostname for TLS negotiation." },
+      { "option": "minVersion / maxVersion", "type": "string", "default": "—", "notes": "TLS version constraints (e.g. 'TLSv1.2', 'TLSv1.3')." }
     ]
   },
   {

package/documentation/public/data/examples.json

@@ -5,6 +5,36 @@
     "language": "javascript",
     "code": "const { createApp, json, cors } = require('zero-http')\nconst app = createApp()\n\napp.use(cors({ origin: ['https://example.com'] }))\napp.use(json({ limit: '10kb' }))\n\nconst items = []\n\napp.get('/items', (req, res) => res.json(items))\n\napp.post('/items', (req, res) => {\n\titems.push(req.body)\n\tres.status(201).json({ ok: true, count: items.length })\n})"
   },
+  {
+    "title": "WebSocket Chat Server",
+    "description": "A simple multi-client chat using the built-in WebSocket support. Clients connect, set a name via query param, and broadcast messages to all other connected clients.",
+    "language": "javascript",
+    "code": "const { createApp } = require('zero-http')\nconst app = createApp()\n\nconst clients = new Set()\n\napp.ws('/chat', {\n\tmaxPayload: 64 * 1024,\n\tpingInterval: 20000\n}, (ws, req) => {\n\tws.data.name = req.query.name || 'anon'\n\tclients.add(ws)\n\tws.send('Welcome, ' + ws.data.name + '!')\n\n\t// Broadcast to all other clients\n\tws.on('message', msg => {\n\t\tfor (const c of clients) {\n\t\t\tif (c !== ws && c.readyState === 1)\n\t\t\t\tc.send(ws.data.name + ': ' + msg)\n\t\t}\n\t})\n\n\tws.on('close', () => clients.delete(ws))\n})\n\napp.listen(3000)"
+  },
+  {
+    "title": "Server-Sent Events (SSE) Stream",
+    "description": "Push real-time events to browser clients using res.sse(). Supports auto-IDs, named events, keep-alive, and graceful cleanup on disconnect.",
+    "language": "javascript",
+    "code": "const { createApp } = require('zero-http')\nconst app = createApp()\n\napp.get('/events', (req, res) => {\n\tconst sse = res.sse({\n\t\tretry: 5000,\n\t\tautoId: true,\n\t\tkeepAlive: 30000\n\t})\n\n\tsse.send('connected')\n\n\tconst iv = setInterval(() => {\n\t\tsse.event('tick', { time: Date.now() })\n\t}, 1000)\n\n\tsse.on('close', () => {\n\t\tclearInterval(iv)\n\t\tconsole.log('client disconnected')\n\t})\n})\n\n// Browser: const es = new EventSource('/events')\n//          es.addEventListener('tick', e => console.log(JSON.parse(e.data)))\n\napp.listen(3000)"
+  },
+  {
+    "title": "Router Sub-Apps with Introspection",
+    "description": "Organize routes into modular Router instances, mount them under prefixes, and use .routes() to inspect the full route table at runtime.",
+    "language": "javascript",
+    "code": "const { createApp, Router, json } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\nconst users = Router()\nusers.get('/', (req, res) => res.json([]))\nusers.get('/:id', (req, res) => res.json({ id: req.params.id }))\nusers.post('/', (req, res) => res.status(201).json(req.body))\n\nconst posts = Router()\nposts.route('/').get((req, res) => res.json([])).post((req, res) => res.status(201).json(req.body))\nposts.get('/:id', (req, res) => res.json({ id: req.params.id }))\n\napp.use('/api/users', users)\napp.use('/api/posts', posts)\n\napp.get('/debug/routes', (req, res) => res.json(app.routes()))\n\napp.listen(3000)\n// GET /debug/routes returns the full route table"
+  },
+  {
+    "title": "Response Compression",
+    "description": "Automatically compress responses with brotli, gzip, or deflate above a size threshold using the compress() middleware.",
+    "language": "javascript",
+    "code": "const { createApp, compress, json } = require('zero-http')\nconst app = createApp()\n\n// brotli > gzip > deflate, auto-negotiated\napp.use(compress({ threshold: 512, level: 6 }))\napp.use(json())\n\napp.get('/big', (req, res) => {\n\t// This response is large enough to be compressed\n\tres.json({ data: 'x'.repeat(10000) })\n})\n\napp.get('/small', (req, res) => {\n\t// Below threshold — sent uncompressed\n\tres.json({ ok: true })\n})\n\napp.listen(3000)"
+  },
+  {
+    "title": "HTTPS Server",
+    "description": "Start an HTTPS server by passing TLS options to listen(). All modules respect req.secure and req.protocol for protocol-aware logic.",
+    "language": "javascript",
+    "code": "const fs = require('fs')\nconst { createApp, json } = require('zero-http')\nconst app = createApp()\n\napp.use(json())\n\napp.get('/info', (req, res) => {\n\tres.json({\n\t\tsecure: req.secure,\n\t\tprotocol: req.protocol\n\t})\n})\n\n// HTTPS-only route\napp.get('/secret', { secure: true }, (req, res) => {\n\tres.json({ classified: true })\n})\n\napp.listen(443, {\n\tkey: fs.readFileSync('server-key.pem'),\n\tcert: fs.readFileSync('server-cert.pem')\n}, () => console.log('HTTPS on 443'))"
+  },
   {
     "title": "File Upload with Multipart Streaming",
     "description": "Stream uploaded files to disk and return metadata. Swap the disk writer for an S3 stream to go cloud-native.",
@@ -36,16 +66,10 @@
     "code": "const { createApp, json } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\napp.get('/fail', (req, res) => {\n\tthrow new Error('Something broke!')\n})\n\napp.onError((err, req, res, next) => {\n\tconsole.error(`[${new Date().toISOString()}]`, err.stack)\n\tres.status(err.statusCode || 500).json({\n\t\terror: err.message,\n\t\tpath: req.url\n\t})\n})\n\napp.listen(3000)"
   },
   {
-    "title": "Server-Side Fetch with Progress",
-    "description": "Use the built-in fetch client with timeout, abort support, and download progress tracking.",
-    "language": "javascript",
-    "code": "const { fetch } = require('zero-http')\n\nasync function download(url) {\n\tconst controller = new AbortController()\n\tsetTimeout(() => controller.abort(), 10000)\n\n\tconst res = await fetch(url, {\n\t\ttimeout: 5000,\n\t\tsignal: controller.signal,\n\t\tonDownloadProgress: ({ loaded, total }) =>\n\t\t\tconsole.log(`${loaded}/${total || '?'} bytes`)\n\t})\n\n\tconsole.log(res.ok, res.status, res.statusText)\n\tconst data = await res.json()\n\treturn data\n}\n\ndownload('https://jsonplaceholder.typicode.com/todos/1')\n\t.then(console.log)\n\t.catch(console.error)"
-  },
-  {
-    "title": "Path-Prefix Middleware (Sub-App)",
-    "description": "Mount middleware on a path prefix. The prefix is stripped from req.url so downstream handlers see relative paths.",
+    "title": "Server-Side Fetch with Progress & TLS",
+    "description": "Use the built-in fetch client with timeout, abort support, download progress tracking, and custom TLS options for HTTPS URLs.",
     "language": "javascript",
-    "code": "const { createApp, json } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\n// Everything under /api gets this middleware\napp.use('/api', (req, res, next) => {\n\tconsole.log('API request:', req.method, req.url)\n\t// req.url is now '/' instead of '/api/'\n\tnext()\n})\n\napp.get('/api/users', (req, res) => {\n\tres.json([{ id: 1, name: 'Alice' }])\n})\n\napp.listen(3000)"
+    "code": "const { fetch } = require('zero-http')\n\nasync function download(url) {\n\tconst controller = new AbortController()\n\tsetTimeout(() => controller.abort(), 10000)\n\n\tconst res = await fetch(url, {\n\t\ttimeout: 5000,\n\t\tsignal: controller.signal,\n\t\trejectUnauthorized: false,  // accept self-signed certs\n\t\tonDownloadProgress: ({ loaded, total }) =>\n\t\t\tconsole.log(`${loaded}/${total || '?'} bytes`)\n\t})\n\n\tconsole.log(res.ok, res.status, res.secure, res.url)\n\tconst data = await res.json()\n\treturn data\n}\n\ndownload('https://jsonplaceholder.typicode.com/todos/1')\n\t.then(console.log)\n\t.catch(console.error)"
   },
   {
     "title": "CORS with Subdomain Matching",
@@ -55,8 +79,8 @@
   },
   {
     "title": "Full-Featured Server Skeleton",
-    "description": "Combines logging, CORS, body parsing, rate limiting, static serving, error handling, and route parameters in one setup.",
+    "description": "Combines logging, CORS, compression, body parsing, rate limiting, static serving, WebSocket, SSE, Router sub-apps, error handling, and route parameters.",
     "language": "javascript",
-    "code": "const path = require('path')\nconst { createApp, cors, json, urlencoded, text,\n\tstatic: serveStatic, logger, rateLimit, multipart } = require('zero-http')\n\nconst app = createApp()\n\n// Middleware stack\napp.use(logger({ format: 'dev' }))\napp.use(cors())\napp.use(rateLimit({ windowMs: 60000, max: 200 }))\napp.use(json({ limit: '1mb' }))\napp.use(urlencoded({ extended: true }))\napp.use(text())\napp.use(serveStatic(path.join(__dirname, 'public')))\n\n// Routes\napp.get('/health', (req, res) => res.json({ status: 'ok' }))\napp.get('/users/:id', (req, res) => res.json({ id: req.params.id }))\napp.post('/upload', multipart({ maxFileSize: 5 * 1024 * 1024 }),\n\t(req, res) => res.json(req.body))\n\n// Error handler\napp.onError((err, req, res) => {\n\tres.status(500).json({ error: err.message })\n})\n\napp.listen(3000, () => console.log('Server running on :3000'))"
+    "code": "const path = require('path')\nconst { createApp, cors, json, urlencoded, text, compress,\n\tstatic: serveStatic, logger, rateLimit, Router } = require('zero-http')\n\nconst app = createApp()\n\n// Middleware stack\napp.use(logger({ format: 'dev' }))\napp.use(cors())\napp.use(compress())\napp.use(rateLimit({ windowMs: 60000, max: 200 }))\napp.use(json({ limit: '1mb' }))\napp.use(urlencoded({ extended: true }))\napp.use(text())\napp.use(serveStatic(path.join(__dirname, 'public')))\n\n// Router sub-app\nconst api = Router()\napi.get('/health', (req, res) => res.json({ status: 'ok' }))\napi.get('/users/:id', (req, res) => res.json({ id: req.params.id }))\napp.use('/api', api)\n\n// WebSocket\napp.ws('/chat', (ws) => {\n\tws.on('message', msg => ws.send('echo: ' + msg))\n})\n\n// SSE\napp.get('/events', (req, res) => {\n\tconst sse = res.sse({ retry: 3000, autoId: true })\n\tsse.send('connected')\n\tsse.on('close', () => console.log('bye'))\n})\n\n// Introspection\napp.get('/debug/routes', (req, res) => res.json(app.routes()))\n\napp.onError((err, req, res) => {\n\tres.status(500).json({ error: err.message })\n})\n\napp.listen(3000, () => console.log('Server running on :3000'))"
   }
 ]

package/documentation/public/data/options.json

@@ -1,13 +1,19 @@
 [
-  { "option": "createApp()", "type": "function", "default": "—", "notes": "Creates an app instance with use(), get(), post(), put(), delete(), patch(), options(), head(), all(), onError(), listen(), and handler." },
-  { "option": "json([opts])", "type": "function", "default": "—", "notes": "Parses JSON bodies into req.body. Options: limit, strict (true), reviver, type ('application/json')." },
-  { "option": "urlencoded([opts])", "type": "function", "default": "—", "notes": "Parses URL-encoded bodies. Options: extended (false), limit, type ('application/x-www-form-urlencoded')." },
-  { "option": "text([opts])", "type": "function", "default": "—", "notes": "Reads plain text into req.body. Options: type ('text/*'), limit, encoding ('utf8')." },
-  { "option": "raw([opts])", "type": "function", "default": "—", "notes": "Reads raw bytes into a Buffer on req.body. Options: type ('application/octet-stream'), limit." },
-  { "option": "multipart([opts])", "type": "function", "default": "—", "notes": "Streams file parts to disk; sets req.body to { fields, files }. Options: dir (os.tmpdir()/zero-http-uploads), maxFileSize." },
+  { "option": "createApp()", "type": "function", "default": "—", "notes": "Creates an app instance with use(), get(), post(), put(), delete(), patch(), options(), head(), all(), ws(), onError(), listen(port, [tlsOpts], [cb]), close(), routes(), and handler." },
+  { "option": "Router()", "type": "function", "default": "—", "notes": "Creates a standalone router. Methods: get/post/put/delete/patch/options/head/all(path, [opts], ...handlers), use(fn|prefix+router), route(path), routes(). Supports { secure } option." },
+  { "option": "json([opts])", "type": "function", "default": "—", "notes": "Parses JSON bodies into req.body. Options: limit, strict (true), reviver, type ('application/json'), requireSecure (false)." },
+  { "option": "urlencoded([opts])", "type": "function", "default": "—", "notes": "Parses URL-encoded bodies. Options: extended (false), limit, type ('application/x-www-form-urlencoded'), requireSecure (false)." },
+  { "option": "text([opts])", "type": "function", "default": "—", "notes": "Reads plain text into req.body. Options: type ('text/*'), limit, encoding ('utf8'), requireSecure (false)." },
+  { "option": "raw([opts])", "type": "function", "default": "—", "notes": "Reads raw bytes into a Buffer on req.body. Options: type ('application/octet-stream'), limit, requireSecure (false)." },
+  { "option": "multipart([opts])", "type": "function", "default": "—", "notes": "Streams file parts to disk; sets req.body to { fields, files }. Options: dir (os.tmpdir()/zero-http-uploads), maxFileSize, requireSecure (false)." },
   { "option": "static(rootPath, [opts])", "type": "function", "default": "—", "notes": "Serves static files with 60+ MIME types. Options: index ('index.html'), maxAge (0), dotfiles ('ignore'), extensions, setHeaders." },
   { "option": "cors([opts])", "type": "function", "default": "—", "notes": "CORS middleware with preflight handling. Options: origin ('*'), methods, allowedHeaders, credentials (false)." },
-  { "option": "fetch(url, [opts])", "type": "function", "default": "—", "notes": "Node HTTP/HTTPS client. Response has ok, status, statusText, headers.get(), text(), json(), arrayBuffer(). Options: method, headers, body (auto-serialized), timeout, signal, agent, onDownloadProgress, onUploadProgress." },
+{ "option": "compress([opts])", "type": "function", "default": "\u2014", "notes": "Response compression middleware (brotli/gzip/deflate, auto-negotiated). Brotli preferred when available (Node \u2265 11.7). Skips SSE streams. Options: threshold (1024), level (-1 zlib default), filter fn." },
+  { "option": "fetch(url, [opts])", "type": "function", "default": "—", "notes": "Node HTTP/HTTPS client. Response has ok, status, statusText, secure, url, headers.get(), text(), json(), arrayBuffer(). Options: method, headers, body (auto-serialized), timeout, signal, agent, onDownloadProgress, onUploadProgress, plus TLS options (rejectUnauthorized, ca, cert, key, pfx, passphrase, servername, minVersion, maxVersion)." },
   { "option": "rateLimit([opts])", "type": "function", "default": "—", "notes": "Per-IP rate limiter. Sets X-RateLimit-* headers. Options: windowMs (60000), max (100), statusCode (429), message, keyGenerator." },
-  { "option": "logger([opts])", "type": "function", "default": "—", "notes": "Request logger with response timing. Options: format ('dev'|'short'|'tiny'), logger (console.log), colors (auto TTY)." }
+  { "option": "logger([opts])", "type": "function", "default": "—", "notes": "Request logger with response timing. Options: format ('dev'|'short'|'tiny'), logger (console.log), colors (auto TTY)." },
+{ "option": "app.ws(path, [opts], handler)", "type": "method", "default": "\u2014", "notes": "Register a WebSocket upgrade handler. handler receives (ws, req). Options: maxPayload (1MB), pingInterval (30s), verifyClient fn. ws has send/sendJSON/ping/pong/close/terminate, on/once/off/removeAllListeners/listenerCount. Events: message/close/error/ping/pong/drain." },
+{ "option": "res.sse([opts])", "type": "method", "default": "\u2014", "notes": "Open an SSE stream. Returns SSEStream with send/sendJSON/event/comment/retry/keepAlive/flush/close and on/once/off/removeAllListeners/listenerCount. Options: status (200), retry, keepAlive (0), keepAliveComment ('ping'), autoId (false), startId (1), pad (0), headers." },
+{ "option": "WebSocketConnection", "type": "class", "default": "\u2014", "notes": "WebSocket connection wrapper. Properties: id, readyState, protocol, extensions, headers, ip, query, url, secure, maxPayload, connectedAt, uptime, bufferedAmount, data (user store)." },
+{ "option": "SSEStream", "type": "class", "default": "\u2014", "notes": "SSE stream controller. Properties: connected, eventCount, bytesSent, connectedAt, uptime, lastEventId, secure, data (user store). Events: close, error." }
 ]