zero-http 0.2.5 → 0.3.1

package/documentation/public/data/examples.json

@@ -11,6 +11,12 @@
     "language": "javascript",
     "code": "const { createApp } = require('zero-http')\nconst app = createApp()\n\nconst clients = new Set()\n\napp.ws('/chat', {\n\tmaxPayload: 64 * 1024,\n\tpingInterval: 20000\n}, (ws, req) => {\n\tws.data.name = req.query.name || 'anon'\n\tclients.add(ws)\n\tws.send('Welcome, ' + ws.data.name + '!')\n\n\t// Broadcast to all other clients\n\tws.on('message', msg => {\n\t\tfor (const c of clients) {\n\t\t\tif (c !== ws && c.readyState === 1)\n\t\t\t\tc.send(ws.data.name + ': ' + msg)\n\t\t}\n\t})\n\n\tws.on('close', () => clients.delete(ws))\n})\n\napp.listen(3000)"
   },
+  {
+    "title": "WebSocket Rooms with Pool",
+    "description": "Use WebSocketPool for room-based messaging instead of manually tracking connections. Auto-removes on disconnect.",
+    "language": "javascript",
+    "code": "const { createApp, WebSocketPool } = require('zero-http')\nconst app = createApp()\nconst pool = new WebSocketPool()\n\napp.ws('/chat', (ws, req) => {\n\tconst room = req.query.room || 'general'\n\tpool.add(ws)         // auto-removed on close\n\tpool.join(ws, room)\n\n\tws.data.name = req.query.name || 'anon'\n\tpool.toRoomJSON(room, { type: 'join', user: ws.data.name }, ws)\n\n\tws.on('message', msg => {\n\t\tpool.toRoom(room, ws.data.name + ': ' + msg, ws)\n\t})\n\n\tws.on('close', () => {\n\t\tpool.toRoomJSON(room, { type: 'leave', user: ws.data.name })\n\t})\n})\n\n// Admin endpoint to see pool status\napp.get('/pool/status', (req, res) => res.json({\n\tconnections: pool.size,\n\trooms: pool.rooms,\n\troomSizes: pool.rooms.reduce((o, r) => (o[r] = pool.roomSize(r), o), {})\n}))\n\napp.listen(3000)"
+  },
   {
     "title": "Server-Sent Events (SSE) Stream",
     "description": "Push real-time events to browser clients using res.sse(). Supports auto-IDs, named events, keep-alive, and graceful cleanup on disconnect.",
@@ -23,12 +29,72 @@
     "language": "javascript",
     "code": "const { createApp, Router, json } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\nconst users = Router()\nusers.get('/', (req, res) => res.json([]))\nusers.get('/:id', (req, res) => res.json({ id: req.params.id }))\nusers.post('/', (req, res) => res.status(201).json(req.body))\n\nconst posts = Router()\nposts.route('/').get((req, res) => res.json([])).post((req, res) => res.status(201).json(req.body))\nposts.get('/:id', (req, res) => res.json({ id: req.params.id }))\n\napp.use('/api/users', users)\napp.use('/api/posts', posts)\n\napp.get('/debug/routes', (req, res) => res.json(app.routes()))\n\napp.listen(3000)\n// GET /debug/routes returns the full route table"
   },
+  {
+    "title": "Security Headers with Helmet",
+    "description": "Harden your app in one line with helmet(). Sets CSP, HSTS, X-Frame-Options, Referrer-Policy, and more. Override or disable any header individually.",
+    "language": "javascript",
+    "code": "const { createApp, helmet, json } = require('zero-http')\nconst app = createApp()\n\n// Sensible defaults — just use it\napp.use(helmet())\napp.use(json())\n\napp.get('/api/data', (req, res) => res.json({ safe: true }))\n\n// Custom CSP + disable HSTS\napp.use(helmet({\n\tcontentSecurityPolicy: {\n\t\tdefaultSrc: [\"'self'\"],\n\t\tscriptSrc: [\"'self'\", 'cdn.example.com'],\n\t\timgSrc: [\"'self'\", 'data:', '*.cloudfront.net']\n\t},\n\thsts: false,\n\tframeguard: 'sameorigin'\n}))\n\napp.listen(3000)\n// Response headers set automatically:\n// Content-Security-Policy, X-Frame-Options, X-Content-Type-Options,\n// Referrer-Policy, X-DNS-Prefetch-Control, and more"
+  },
+  {
+    "title": "Request Timeout & Request ID",
+    "description": "Add a global timeout so no request hangs forever, and tag each request with a unique ID for log correlation.",
+    "language": "javascript",
+    "code": "const { createApp, timeout, requestId, logger, json } = require('zero-http')\nconst app = createApp()\n\napp.use(requestId())    // sets req.id + X-Request-Id header\napp.use(logger())       // logs method, url, status, time\napp.use(timeout(10000)) // 10s timeout → 408 if exceeded\napp.use(json())\n\napp.get('/fast', (req, res) => {\n\tconsole.log('Request:', req.id)\n\tres.json({ requestId: req.id })\n})\n\napp.get('/slow', async (req, res) => {\n\tawait new Promise(r => setTimeout(r, 15000))\n\tif (req.timedOut) return // already responded with 408\n\tres.json({ data: 'done' })\n})\n\napp.listen(3000)"
+  },
+  {
+    "title": "Cookie Parsing & Signing",
+    "description": "Parse cookies with timing-safe HMAC-SHA256 verification, JSON cookie support (j: prefix), auto-signing via signed option, priority, and partitioned (CHIPS) attributes.",
+    "language": "javascript",
+    "code": "const { createApp, cookieParser, json } = require('zero-http')\nconst app = createApp()\n\n// Enable cookie parsing with a signing secret\napp.use(cookieParser('super-secret-key'))\napp.use(json())\n\napp.get('/read', (req, res) => {\n\tres.json({\n\t\tcookies: req.cookies,           // { theme: 'dark', prefs: { lang: 'en' } }\n\t\tsigned: req.signedCookies,       // { session: 'abc123' }\n\t\tsecret: req.secret               // signing secret available downstream\n\t})\n})\n\napp.get('/set', (req, res) => {\n\t// Auto-sign with signed: true (uses req.secret)\n\tres.cookie('session', 'abc123', { signed: true, httpOnly: true, secure: true })\n\n\t// JSON cookie — objects auto-serialize with j: prefix\n\tres.cookie('prefs', { lang: 'en', theme: 'dark' }, { maxAge: 86400 })\n\n\t// Priority + Partitioned (CHIPS) attributes\n\tres.cookie('important', 'value', { priority: 'High', partitioned: true, secure: true })\n\n\tres.json({ ok: true })\n})\n\n// Static helpers for manual use\napp.get('/manual', (req, res) => {\n\tconst signed = cookieParser.sign('data', 'secret')\n\tconst value = cookieParser.unsign(signed, ['secret'])  // 'data' or false\n\tconst parsed = cookieParser.jsonCookie('j:{\"a\":1}')    // { a: 1 }\n\tres.json({ signed, value, parsed })\n})\n\napp.get('/clear', (req, res) => {\n\tres.clearCookie('session').clearCookie('prefs').json({ cleared: true })\n})\n\napp.listen(3000)"
+  },
+  {
+    "title": "CSRF Protection",
+    "description": "Protect state-changing requests with double-submit cookie CSRF tokens. GET/HEAD/OPTIONS are automatically skipped.",
+    "language": "javascript",
+    "code": "const { createApp, csrf, json, cookieParser } = require('zero-http')\nconst app = createApp()\n\napp.use(cookieParser())\napp.use(json())\napp.use(csrf())\n\n// GET is safe — use it to read the token\napp.get('/api/csrf-token', (req, res) => {\n\tres.json({ token: req.csrfToken })\n})\n\n// POST must include the token\napp.post('/api/transfer', (req, res) => {\n\t// csrf() middleware already validated the token\n\tres.json({ success: true, amount: req.body.amount })\n})\n\n// Client-side fetch example:\n// const { token } = await fetch('/api/csrf-token').then(r => r.json())\n// await fetch('/api/transfer', {\n//   method: 'POST',\n//   headers: { 'Content-Type': 'application/json', 'x-csrf-token': token },\n//   body: JSON.stringify({ amount: 100 })\n// })\n\napp.listen(3000)"
+  },
+  {
+    "title": "Request Validation",
+    "description": "Validate and coerce req.body, req.query, and req.params with schema rules. Supports 11 types, pattern matching, ranges, enums, and custom validators.",
+    "language": "javascript",
+    "code": "const { createApp, json, validate } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\n// Validate body with auto-coercion\napp.post('/users', validate({\n\tbody: {\n\t\tname:  { type: 'string', required: true, minLength: 2, maxLength: 50 },\n\t\temail: { type: 'email', required: true },\n\t\tage:   { type: 'integer', min: 13, max: 120 },\n\t\trole:  { type: 'string', enum: ['user', 'admin'], default: 'user' },\n\t\ttags:  { type: 'array', minItems: 1, maxItems: 5 }\n\t}\n}), (req, res) => {\n\t// req.body is sanitized — unknown fields stripped\n\tres.status(201).json(req.body)\n})\n\n// Validate query + params\napp.get('/search/:category', validate({\n\tparams: { category: { type: 'string', enum: ['books', 'music', 'films'] } },\n\tquery: {\n\t\tq:     { type: 'string', required: true },\n\t\tpage:  { type: 'integer', min: 1, default: 1 },\n\t\tlimit: { type: 'integer', min: 1, max: 100, default: 20 }\n\t}\n}), (req, res) => {\n\tres.json({ params: req.params, query: req.query })\n})\n// Validation fails → 422 { errors: ['name is required', ...] }\n\napp.listen(3000)"
+  },
+  {
+    "title": "Environment Configuration",
+    "description": "Load and validate environment variables from .env files with type coercion. Supports multi-file loading, schema enforcement, and 9 data types.",
+    "language": "javascript",
+    "code": "const { createApp, env } = require('zero-http')\n\n// Load with schema — validates and coerces types\nenv.load({\n\tPORT:         { type: 'port', default: 3000 },\n\tDATABASE_URL: { type: 'url', required: true },\n\tDEBUG:        { type: 'boolean', default: false },\n\tALLOWED_IPS:  { type: 'array', separator: ',', default: [] },\n\tNODE_ENV:     { type: 'enum', values: ['development', 'production', 'test'], default: 'development' },\n\tMAX_UPLOAD_MB:{ type: 'integer', min: 1, max: 100, default: 10 },\n\tAPP_CONFIG:   { type: 'json', default: {} }\n})\n\nconst app = createApp()\n\napp.get('/config', (req, res) => res.json({\n\tport: env.PORT,                // number: 3000\n\tdebug: env.DEBUG,              // boolean: false\n\tips: env.ALLOWED_IPS,          // array: ['10.0.0.1', '10.0.0.2']\n\tenv: env.NODE_ENV              // string: 'development'\n}))\n\n// File load order: .env → .env.local → .env.{NODE_ENV} → .env.{NODE_ENV}.local\n// process.env always wins over file values\n\napp.listen(env.PORT)"
+  },
+  {
+    "title": "ORM — Models & CRUD",
+    "description": "Define models with scopes, hidden fields, relationships, and lifecycle hooks. Supports upsert, increment/decrement, belongsToMany, and transactions.",
+    "language": "javascript",
+    "code": "const { createApp, json, Database, Model, TYPES } = require('zero-http')\n\nclass User extends Model {\n\tstatic table = 'users'\n\tstatic timestamps = true\n\tstatic softDelete = true\n\tstatic hidden = ['password']   // excluded from toJSON()\n\tstatic scopes = {\n\t\tactive: (q) => q.where('active', true),\n\t\trole: (q, role) => q.where('role', role)\n\t}\n\tstatic schema = {\n\t\tid:       { type: TYPES.INTEGER, primaryKey: true, autoIncrement: true },\n\t\tname:     { type: TYPES.STRING, required: true, minLength: 2 },\n\t\temail:    { type: TYPES.STRING, required: true, unique: true },\n\t\tpassword: { type: TYPES.STRING },\n\t\trole:     { type: TYPES.STRING, enum: ['user', 'admin'], default: 'user' },\n\t\tlogins:   { type: TYPES.INTEGER, default: 0 },\n\t\tactive:   { type: TYPES.BOOLEAN, default: true }\n\t}\n\tstatic hooks = {\n\t\tbeforeCreate: (data) => { data.email = data.email.toLowerCase() }\n\t}\n}\n\nconst db = Database.connect('memory')\ndb.register(User)\n\nconst app = createApp()\napp.use(json())\n\n// Scoped queries\napp.get('/users/active', async (req, res) => {\n\tres.json(await User.scope('active'))\n})\n\n// Upsert — insert or update\napp.put('/users', async (req, res) => {\n\tconst { instance, created } = await User.upsert({ email: req.body.email }, req.body)\n\tres.status(created ? 201 : 200).json(instance.toJSON())\n})\n\n// Increment login count\napp.post('/users/:id/login', async (req, res) => {\n\tconst user = await User.findById(+req.params.id)\n\tawait user.increment('logins')\n\tres.json(user.toJSON())  // password excluded by hidden\n})\n\n// Check existence without fetching\napp.get('/users/exists/:email', async (req, res) => {\n\tres.json({ exists: await User.exists({ email: req.params.email }) })\n})\n\n// Transaction\napp.post('/transfer', async (req, res) => {\n\tawait db.transaction(async () => {\n\t\tconst from = await User.findById(req.body.from)\n\t\tconst to = await User.findById(req.body.to)\n\t\tawait from.decrement('balance', req.body.amount)\n\t\tawait to.increment('balance', req.body.amount)\n\t})\n\tres.json({ ok: true })\n})\n\n;(async () => {\n\tawait db.sync()\n\tapp.listen(3000, () => console.log('ORM demo on :3000'))\n})()"
+  },
+  {
+    "title": "ORM — Query Builder",
+    "description": "Fluent query builder with 30+ chainable methods — filtering, sorting, pagination, aggregates (sum/avg/min/max), scopes, pluck, exists, and more.",
+    "language": "javascript",
+    "code": "const { Model, TYPES } = require('zero-http')\n\n// Assuming User model with scopes is defined and db.sync() has run:\n\n// Filtering with negation\nconst results = await User.query()\n\t.whereNotIn('role', ['banned', 'suspended'])\n\t.whereNotBetween('age', 0, 12)\n\t.whereLike('email', '%@gmail.com')\n\t.orderBy('name')\n\t.exec()\n\n// Scoped queries (chainable)\nconst activeAdmins = await User.query()\n\t.scope('active')\n\t.scope('role', 'admin')\n\t.orderBy('name')\n\t.exec()\n\n// Aggregates\nconst avgAge = await User.query().avg('age')\nconst totalSales = await Order.query().where('status', 'paid').sum('total')\nconst maxPrice = await Product.query().max('price')\nconst minPrice = await Product.query().min('price')\nconst count = await User.query().where('role', 'admin').count()\n\n// Existence check (returns boolean)\nconst hasAdmins = await User.query().where('role', 'admin').exists()\n\n// Pluck a single column\nconst emails = await User.query()\n\t.where('active', true)\n\t.pluck('email')  // ['alice@x.com', 'bob@y.com', ...]\n\n// Pagination\nconst page2 = await User.query()\n\t.where('active', true)\n\t.orderBy('createdAt', 'desc')\n\t.page(2, 20)\n\t.exec()\n\n// Joins (inner, left, right)\nconst withOrders = await User.query()\n\t.leftJoin('orders', 'id', 'userId')\n\t.rightJoin('profiles', 'id', 'userId')\n\t.exec()\n\n// Thenable — just await directly\nconst users = await User.query().where('active', true)"
+  },
   {
     "title": "Response Compression",
     "description": "Automatically compress responses with brotli, gzip, or deflate above a size threshold using the compress() middleware.",
     "language": "javascript",
     "code": "const { createApp, compress, json } = require('zero-http')\nconst app = createApp()\n\n// brotli > gzip > deflate, auto-negotiated\napp.use(compress({ threshold: 512, level: 6 }))\napp.use(json())\n\napp.get('/big', (req, res) => {\n\t// This response is large enough to be compressed\n\tres.json({ data: 'x'.repeat(10000) })\n})\n\napp.get('/small', (req, res) => {\n\t// Below threshold — sent uncompressed\n\tres.json({ ok: true })\n})\n\napp.listen(3000)"
   },
+  {
+    "title": "Content Negotiation & File Downloads",
+    "description": "Use res.format() for Accept-header content negotiation, res.links() for pagination headers, and res.download() for file attachments.",
+    "language": "javascript",
+    "code": "const { createApp, json } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\n// Content negotiation — respond based on Accept header\napp.get('/data', (req, res) => {\n\tres.format({\n\t\t'text/html': () => res.html('<h1>Data</h1>'),\n\t\t'application/json': () => res.json({ data: true }),\n\t\t'text/plain': () => res.text('data'),\n\t\tdefault: () => res.status(406).json({ error: 'Not Acceptable' })\n\t})\n})\n\n// Pagination links\napp.get('/items', (req, res) => {\n\tres.links({ next: '/items?page=3', last: '/items?page=10' })\n\t   .json([]) // Link: </items?page=3>; rel=\"next\", </items?page=10>; rel=\"last\"\n})\n\n// File download\napp.get('/report', (req, res) => {\n\tres.download('/path/to/report.pdf', 'monthly-report.pdf')\n})\n\n// Send status text\napp.get('/health', (req, res) => res.sendStatus(200)) // sends 'OK'\n\napp.listen(3000)"
+  },
+  {
+    "title": "App Settings, Groups & Chaining",
+    "description": "Use Express-like set/get/enable/disable settings, group routes under a prefix with shared middleware, and chain route registrations.",
+    "language": "javascript",
+    "code": "const { createApp, json } = require('zero-http')\nconst app = createApp()\n\n// App settings\napp.set('env', 'production')\napp.enable('trust proxy')\nconsole.log(app.get('env'))           // 'production'\nconsole.log(app.enabled('trust proxy')) // true\n\n// Shared locals available in every req.locals\napp.locals.appName = 'My API'\napp.locals.version = '1.0.0'\n\n// Route chaining — all methods return the app\napp.get('/', (req, res) => res.json({ app: req.locals.appName }))\n   .get('/health', (req, res) => res.sendStatus(200))\n   .get('/version', (req, res) => res.json({ v: res.locals.version }))\n\n// Route groups with shared middleware\napp.group('/api/v1', json(), (router) => {\n\trouter.get('/users', (req, res) => res.json([]))\n\trouter.post('/users', (req, res) => res.status(201).json(req.body))\n\trouter.get('/users/:id', (req, res) => res.json({ id: req.params.id }))\n})\n\n// Param handlers\napp.param('id', (req, res, next, value) => {\n\tif (!/^\\d+$/.test(value)) return res.status(400).json({ error: 'Invalid ID' })\n\tnext()\n})\n\n// Chain helper for a single path\napp.chain('/items')\n\t.get((req, res) => res.json([]))\n\t.post((req, res) => res.status(201).json(req.body))\n\napp.listen(3000)"
+  },
   {
     "title": "HTTPS Server",
     "description": "Start an HTTPS server by passing TLS options to listen(). All modules respect req.secure and req.protocol for protocol-aware logic.",
@@ -65,6 +131,18 @@
     "language": "javascript",
     "code": "const { createApp, json } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\napp.get('/fail', (req, res) => {\n\tthrow new Error('Something broke!')\n})\n\napp.onError((err, req, res, next) => {\n\tconsole.error(`[${new Date().toISOString()}]`, err.stack)\n\tres.status(err.statusCode || 500).json({\n\t\terror: err.message,\n\t\tpath: req.url\n\t})\n})\n\napp.listen(3000)"
   },
+  {
+    "title": "Error Classes & errorHandler",
+    "description": "Use built-in HTTP error classes with the errorHandler middleware for structured error responses, field-level validation errors, and production-safe error formatting.",
+    "language": "javascript",
+    "code": "const { createApp, json, errorHandler,\n\tNotFoundError, ValidationError, ForbiddenError,\n\tcreateError, isHttpError } = require('zero-http')\nconst app = createApp()\napp.use(json())\n\n// Throw typed errors — automatically caught by the router\napp.get('/users/:id', async (req, res) => {\n\tconst user = await User.findById(req.params.id)\n\tif (!user) throw new NotFoundError('User not found')\n\tres.json(user)\n})\n\n// Validation with field-level errors\napp.post('/users', async (req, res) => {\n\tconst errors = {}\n\tif (!req.body.email) errors.email = 'Email is required'\n\tif (!req.body.name) errors.name = 'Name is required'\n\tif (Object.keys(errors).length > 0) {\n\t\tthrow new ValidationError('Invalid input', errors)\n\t\t// → 422 { error: 'Invalid input', code: 'VALIDATION_FAILED',\n\t\t//   statusCode: 422, details: { email: '...', name: '...' } }\n\t}\n\tres.status(201).json(req.body)\n})\n\n// Factory — create errors by status code\napp.delete('/items/:id', async (req, res) => {\n\tif (!req.user?.admin) throw createError(403, 'Admin only')\n\tres.json({ deleted: true })\n})\n\n// errorHandler: structured responses, stack in dev, hide 5xx in prod\napp.onError(errorHandler({\n\tformatter: (err, req, isDev) => ({\n\t\tsuccess: false,\n\t\tmessage: err.message,\n\t\tcode: err.code,\n\t\t...(err.details && { details: err.details }),\n\t\t...(isDev && { stack: err.stack })\n\t}),\n\tonError: (err) => console.error('[ERROR]', err.message)\n}))\n\napp.listen(3000)"
+  },
+  {
+    "title": "Debug Logger",
+    "description": "Use the built-in namespaced debug logger with log levels, JSON output mode for production, and environment variable control.",
+    "language": "javascript",
+    "code": "const { createApp, debug } = require('zero-http')\n\n// Create namespaced loggers\nconst log = debug('app:server')\nconst dbLog = debug('app:db')\nconst authLog = debug('app:auth')\n\n// Log at different levels\nlog.info('server starting on port %d', 3000)\ndbLog.trace('query executed: %s', 'SELECT * FROM users')\nauthLog.warn('failed login attempt from %s', '192.168.1.1')\nauthLog.error('token verification failed', new Error('expired'))\n\n// Conditional expensive logging\nif (dbLog.enabled) {\n\tdbLog('detailed query plan: %j', buildQueryPlan())\n}\n\n// Production: structured JSON output for log aggregators\nif (process.env.NODE_ENV === 'production') {\n\tdebug.json(true)       // { timestamp, level, namespace, message }\n\tdebug.level('info')    // only info and above\n\tdebug.colors(false)    // no ANSI codes\n}\n\n// Environment variables:\n// DEBUG=app:* node server.js          → enable all app:* namespaces\n// DEBUG=*,-app:db node server.js      → everything except app:db\n// DEBUG_LEVEL=warn node server.js     → only warn, error, fatal\n\nconst app = createApp()\napp.get('/', (req, res) => {\n\tlog.info('handling request: %s %s', req.method, req.url)\n\tres.json({ ok: true })\n})\napp.listen(3000)"
+  },
   {
     "title": "Server-Side Fetch with Progress & TLS",
     "description": "Use the built-in fetch client with timeout, abort support, download progress tracking, and custom TLS options for HTTPS URLs.",
@@ -79,8 +157,8 @@
   },
   {
     "title": "Full-Featured Server Skeleton",
-    "description": "Combines logging, CORS, compression, body parsing, rate limiting, static serving, WebSocket, SSE, Router sub-apps, error handling, and route parameters.",
+    "description": "Combines security headers, CSRF, cookies, timeouts, request IDs, logging, CORS, compression, body parsing, rate limiting, validation, static serving, WebSocket with room pools, SSE, Router sub-apps, app settings, and error handling.",
     "language": "javascript",
-    "code": "const path = require('path')\nconst { createApp, cors, json, urlencoded, text, compress,\n\tstatic: serveStatic, logger, rateLimit, Router } = require('zero-http')\n\nconst app = createApp()\n\n// Middleware stack\napp.use(logger({ format: 'dev' }))\napp.use(cors())\napp.use(compress())\napp.use(rateLimit({ windowMs: 60000, max: 200 }))\napp.use(json({ limit: '1mb' }))\napp.use(urlencoded({ extended: true }))\napp.use(text())\napp.use(serveStatic(path.join(__dirname, 'public')))\n\n// Router sub-app\nconst api = Router()\napi.get('/health', (req, res) => res.json({ status: 'ok' }))\napi.get('/users/:id', (req, res) => res.json({ id: req.params.id }))\napp.use('/api', api)\n\n// WebSocket\napp.ws('/chat', (ws) => {\n\tws.on('message', msg => ws.send('echo: ' + msg))\n})\n\n// SSE\napp.get('/events', (req, res) => {\n\tconst sse = res.sse({ retry: 3000, autoId: true })\n\tsse.send('connected')\n\tsse.on('close', () => console.log('bye'))\n})\n\n// Introspection\napp.get('/debug/routes', (req, res) => res.json(app.routes()))\n\napp.onError((err, req, res) => {\n\tres.status(500).json({ error: err.message })\n})\n\napp.listen(3000, () => console.log('Server running on :3000'))"
+    "code": "const path = require('path')\nconst { createApp, cors, json, urlencoded, text, compress, helmet, timeout,\n\trequestId, cookieParser, csrf, validate, rateLimit, logger,\n\tstatic: serveStatic, Router, WebSocketPool } = require('zero-http')\n\nconst app = createApp()\n\n// App settings\napp.set('env', process.env.NODE_ENV || 'development')\napp.locals.appName = 'My App'\n\n// Middleware stack\napp.use(requestId())\napp.use(logger({ format: 'dev' }))\napp.use(helmet())\napp.use(cors())\napp.use(compress())\napp.use(timeout(30000))\napp.use(rateLimit({ windowMs: 60000, max: 200 }))\napp.use(cookieParser('my-secret'))\napp.use(json({ limit: '1mb' }))\napp.use(urlencoded({ extended: true }))\napp.use(text())\napp.use(csrf())\napp.use(serveStatic(path.join(__dirname, 'public')))\n\n// API routes with validation\nconst api = Router()\napi.get('/health', (req, res) => res.json({ status: 'ok', id: req.id }))\napi.post('/users', validate({\n\tbody: {\n\t\tname:  { type: 'string', required: true, minLength: 2 },\n\t\temail: { type: 'email', required: true }\n\t}\n}), (req, res) => res.status(201).json(req.body))\napp.use('/api', api)\n\n// WebSocket with rooms\nconst pool = new WebSocketPool()\napp.ws('/chat', (ws, req) => {\n\tpool.add(ws)\n\tpool.join(ws, 'general')\n\tws.on('message', msg => pool.toRoom('general', msg, ws))\n})\n\n// SSE\napp.get('/events', (req, res) => {\n\tconst sse = res.sse({ retry: 3000, autoId: true })\n\tsse.send('connected')\n\tsse.on('close', () => console.log('bye'))\n})\n\napp.onError((err, req, res) => {\n\tres.status(500).json({ error: err.message, requestId: req.id })\n})\n\napp.listen(3000, () => console.log('Server running on :3000'))"
   }
 ]

package/documentation/public/data/options.json

@@ -1,5 +1,5 @@
 [
-  { "option": "createApp()", "type": "function", "default": "—", "notes": "Creates an app instance with use(), get(), post(), put(), delete(), patch(), options(), head(), all(), ws(), onError(), listen(port, [tlsOpts], [cb]), close(), routes(), and handler." },
+  { "option": "createApp()", "type": "function", "default": "—", "notes": "Creates an app instance with use(), get(), post(), put(), delete(), patch(), options(), head(), all(), ws(), onError(), listen(port, [tlsOpts], [cb]), close(), routes(), handler. Also: set/get (dual-purpose), enable/disable, enabled/disabled, locals, param, group, chain." },
   { "option": "Router()", "type": "function", "default": "—", "notes": "Creates a standalone router. Methods: get/post/put/delete/patch/options/head/all(path, [opts], ...handlers), use(fn|prefix+router), route(path), routes(). Supports { secure } option." },
   { "option": "json([opts])", "type": "function", "default": "—", "notes": "Parses JSON bodies into req.body. Options: limit, strict (true), reviver, type ('application/json'), requireSecure (false)." },
   { "option": "urlencoded([opts])", "type": "function", "default": "—", "notes": "Parses URL-encoded bodies. Options: extended (false), limit, type ('application/x-www-form-urlencoded'), requireSecure (false)." },
@@ -7,13 +7,28 @@
   { "option": "raw([opts])", "type": "function", "default": "—", "notes": "Reads raw bytes into a Buffer on req.body. Options: type ('application/octet-stream'), limit, requireSecure (false)." },
   { "option": "multipart([opts])", "type": "function", "default": "—", "notes": "Streams file parts to disk; sets req.body to { fields, files }. Options: dir (os.tmpdir()/zero-http-uploads), maxFileSize, requireSecure (false)." },
   { "option": "static(rootPath, [opts])", "type": "function", "default": "—", "notes": "Serves static files with 60+ MIME types. Options: index ('index.html'), maxAge (0), dotfiles ('ignore'), extensions, setHeaders." },
-  { "option": "cors([opts])", "type": "function", "default": "—", "notes": "CORS middleware with preflight handling. Options: origin ('*'), methods, allowedHeaders, credentials (false)." },
-{ "option": "compress([opts])", "type": "function", "default": "\u2014", "notes": "Response compression middleware (brotli/gzip/deflate, auto-negotiated). Brotli preferred when available (Node \u2265 11.7). Skips SSE streams. Options: threshold (1024), level (-1 zlib default), filter fn." },
+  { "option": "cors([opts])", "type": "function", "default": "—", "notes": "CORS middleware with preflight handling. Options: origin ('*'), methods, allowedHeaders, exposedHeaders, credentials (false), maxAge." },
+  { "option": "compress([opts])", "type": "function", "default": "—", "notes": "Response compression middleware (brotli/gzip/deflate, auto-negotiated). Brotli preferred when available (Node ≥ 11.7). Skips SSE streams. Options: threshold (1024), level (-1 zlib default), filter fn." },
+  { "option": "helmet([opts])", "type": "function", "default": "—", "notes": "Security headers middleware. Sets CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and 11 more headers. 16 configurable options — all can be set to false to disable individually." },
+  { "option": "timeout(ms, [opts])", "type": "function", "default": "—", "notes": "Request timeout middleware. Default 30s. Sends 408 if handler doesn't respond in time. Sets req.timedOut. Options: status (408), message ('Request Timeout')." },
+  { "option": "requestId([opts])", "type": "function", "default": "—", "notes": "Generates/extracts a unique request ID (crypto.randomUUID). Sets req.id and response header. Options: header ('X-Request-Id'), generator (UUID v4), trustProxy (false)." },
+  { "option": "cookieParser([secret], [opts])", "type": "function", "default": "—", "notes": "Parses Cookie header into req.cookies and req.signedCookies (timing-safe HMAC-SHA256). Auto-parses JSON cookies (j: prefix). Sets req.secret and req.secrets for downstream use. Static helpers: sign(value, secret), unsign(value, secrets), jsonCookie(str), parseJSON(obj). Options: decode (true). Supports secret rotation via array. res.cookie() enhanced: signed (auto-sign), priority (Low/Medium/High), partitioned (CHIPS)." },
+  { "option": "csrf([opts])", "type": "function", "default": "—", "notes": "Double-submit cookie CSRF protection. Sets req.csrfToken. Token checked via header, body._csrf, or query._csrf. Options: cookie ('_csrf'), header ('x-csrf-token'), saltLength (18), secret (auto), ignoreMethods (['GET','HEAD','OPTIONS']), ignorePaths ([]), onError." },
+  { "option": "validate(schema, [opts])", "type": "function", "default": "—", "notes": "Request validation with 11 types (string, integer, number, float, boolean, array, json, date, uuid, email, url) and auto-coercion. Validates body, query, params. Options: stripUnknown (true), onError. Static: validate.field(), validate.object()." },
+  { "option": "env", "type": "object", "default": "—", "notes": "Typed environment config — proxy-based accessor. env.load(schema, opts) loads .env files with type coercion. 9 schema types: string, number, integer, port, boolean, array, json, url, enum. Methods: load, get, require, has, all, reset, parse." },
+  { "option": "Database", "type": "class", "default": "—", "notes": "ORM entry point. Database.connect(type, opts) supports 6 adapters: memory, json, sqlite, mysql, postgres, mongo. Methods: register, registerAll, sync, drop, close, model, transaction(fn). transaction() wraps callback in begin/commit/rollback when supported." },
+  { "option": "Model", "type": "class", "default": "—", "notes": "ORM base class — extend with table, schema, timestamps, softDelete, hooks, hidden, scopes. Static CRUD: create, createMany, find, findOne, findById, findOrCreate, updateWhere, deleteWhere, count, query, exists, upsert, scope. Shortcuts: first, last, all, paginate, chunk, random, pluck. Instance: save, update, delete, restore, reload, toJSON, load, increment, decrement. Relationships: hasMany, hasOne, belongsTo, belongsToMany (junction table). hidden excludes fields from toJSON(). scopes define reusable named query conditions." },
+  { "option": "Query", "type": "class", "default": "—", "notes": "Fluent query builder from Model.query(). Chainable: select, distinct, where, orWhere, whereNull, whereNotNull, whereIn, whereNotIn, whereBetween, whereNotBetween, whereLike, whereRaw, orderBy, orderByDesc, limit, offset, page, groupBy, having, join, leftJoin, rightJoin, withDeleted, scope, when, unless, tap. Aliases: take (limit), skip (offset), toArray (exec). Execute: exec, first, last, count, exists, pluck. Aggregates: sum, avg, min, max. Functional: each, map, filter, reduce, chunk, paginate. Also thenable." },
+  { "option": "TYPES", "type": "object", "default": "—", "notes": "ORM column type constants: STRING, INTEGER, FLOAT, BOOLEAN, DATE, DATETIME, JSON, TEXT, BLOB, UUID." },
   { "option": "fetch(url, [opts])", "type": "function", "default": "—", "notes": "Node HTTP/HTTPS client. Response has ok, status, statusText, secure, url, headers.get(), text(), json(), arrayBuffer(). Options: method, headers, body (auto-serialized), timeout, signal, agent, onDownloadProgress, onUploadProgress, plus TLS options (rejectUnauthorized, ca, cert, key, pfx, passphrase, servername, minVersion, maxVersion)." },
-  { "option": "rateLimit([opts])", "type": "function", "default": "—", "notes": "Per-IP rate limiter. Sets X-RateLimit-* headers. Options: windowMs (60000), max (100), statusCode (429), message, keyGenerator." },
+  { "option": "rateLimit([opts])", "type": "function", "default": "—", "notes": "Per-IP rate limiter. Sets X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, and Retry-After headers. Options: windowMs (60000), max (100), statusCode (429), message, keyGenerator, skip (fn to bypass), handler (custom rate-limit response)." },
   { "option": "logger([opts])", "type": "function", "default": "—", "notes": "Request logger with response timing. Options: format ('dev'|'short'|'tiny'), logger (console.log), colors (auto TTY)." },
-{ "option": "app.ws(path, [opts], handler)", "type": "method", "default": "\u2014", "notes": "Register a WebSocket upgrade handler. handler receives (ws, req). Options: maxPayload (1MB), pingInterval (30s), verifyClient fn. ws has send/sendJSON/ping/pong/close/terminate, on/once/off/removeAllListeners/listenerCount. Events: message/close/error/ping/pong/drain." },
-{ "option": "res.sse([opts])", "type": "method", "default": "\u2014", "notes": "Open an SSE stream. Returns SSEStream with send/sendJSON/event/comment/retry/keepAlive/flush/close and on/once/off/removeAllListeners/listenerCount. Options: status (200), retry, keepAlive (0), keepAliveComment ('ping'), autoId (false), startId (1), pad (0), headers." },
-{ "option": "WebSocketConnection", "type": "class", "default": "\u2014", "notes": "WebSocket connection wrapper. Properties: id, readyState, protocol, extensions, headers, ip, query, url, secure, maxPayload, connectedAt, uptime, bufferedAmount, data (user store)." },
-{ "option": "SSEStream", "type": "class", "default": "\u2014", "notes": "SSE stream controller. Properties: connected, eventCount, bytesSent, connectedAt, uptime, lastEventId, secure, data (user store). Events: close, error." }
+  { "option": "app.ws(path, [opts], handler)", "type": "method", "default": "—", "notes": "Register a WebSocket upgrade handler. handler receives (ws, req). Options: maxPayload (1MB), pingInterval (30s), verifyClient fn. ws has send/sendJSON/ping/pong/close/terminate, on/once/off/removeAllListeners/listenerCount. Events: message/close/error/ping/pong/drain." },
+  { "option": "res.sse([opts])", "type": "method", "default": "—", "notes": "Open an SSE stream. Returns SSEStream with send/sendJSON/event/comment/retry/keepAlive/flush/close and on/once/off/removeAllListeners/listenerCount. Options: status (200), retry, keepAlive (0), keepAliveComment ('ping'), autoId (false), startId (1), pad (0), headers." },
+  { "option": "WebSocketConnection", "type": "class", "default": "—", "notes": "WebSocket connection wrapper. Properties: id, readyState, protocol, extensions, headers, ip, query, url, secure, maxPayload, connectedAt, uptime, bufferedAmount, data (user store). Constants: CONNECTING (0), OPEN (1), CLOSING (2), CLOSED (3)." },
+  { "option": "WebSocketPool", "type": "class", "default": "—", "notes": "Connection & room manager. Methods: add, remove, join, leave, broadcast, broadcastJSON, toRoom, toRoomJSON, in, roomsOf, closeAll. Getters: size, clients, rooms, roomSize(room). Auto-removes on close." },
+  { "option": "SSEStream", "type": "class", "default": "—", "notes": "SSE stream controller. Properties: connected, eventCount, bytesSent, connectedAt, uptime, lastEventId, secure, data (user store). Events: close, error." },
+  { "option": "HttpError", "type": "class", "default": "—", "notes": "Base HTTP error class with statusCode, code, details, toJSON(). 15 subclasses: BadRequestError (400), UnauthorizedError (401), ForbiddenError (403), NotFoundError (404), MethodNotAllowedError (405), ConflictError (409), GoneError (410), PayloadTooLargeError (413), UnprocessableEntityError (422), ValidationError (422 + field errors), TooManyRequestsError (429), InternalError (500), NotImplementedError (501), BadGatewayError (502), ServiceUnavailableError (503). Helpers: createError(statusCode), isHttpError(err)." },
+  { "option": "errorHandler([opts])", "type": "function", "default": "—", "notes": "Configurable error-handling middleware for app.onError(). Options: stack (auto from NODE_ENV), log (true), logger (console.error), formatter (custom response shape), onError (error monitoring callback). Hides 5xx details in production." },
+  { "option": "debug(namespace)", "type": "function", "default": "—", "notes": "Namespaced debug logger with levels. Returns a log function with .trace/.info/.warn/.error/.fatal methods. Global config: debug.enable(pattern), debug.disable(), debug.level(lvl), debug.json(bool), debug.timestamps(bool), debug.colors(bool), debug.output(stream), debug.reset(). Env vars: DEBUG (namespace patterns), DEBUG_LEVEL (min level)." }
 ]

package/documentation/public/index.html

@@ -6,10 +6,11 @@
 	<meta name="viewport" content="width=device-width,initial-scale=1" />
 	<title>zero-http — demo & reference</title>
 	<meta name="description"
-		content="zero-http is a zero-dependency, Express-like HTTP/HTTPS server for Node.js with built-in WebSocket, Server-Sent Events, body parsers, response compression, static serving, and upload handling." />
+		content="zero-http is a zero-dependency backend framework for Node.js with Express-like routing, built-in ORM, WebSocket, SSE, security middleware, body parsers, compression, and more." />
 	<meta name="keywords"
 		content="nodejs,http,https,server,express,expressjs,middleware,body-parser,multipart,uploads,static files,fetch,http client,websocket,sse,server-sent events,compression,router" />
 	<meta name="author" content="Anthony Wiedman" />
+	<link rel="icon" type="image/svg+xml" href="/vendor/icons/logo.svg" />
 
 	<link rel="stylesheet" href="/styles.css" />
 	<link rel="stylesheet" href="/vendor/prism-okaidia.css" />
@@ -23,6 +24,7 @@
 	<script src="/vendor/prism-toolbar.min.js" defer></script>
 
 	<script src="/scripts/helpers.js" defer></script>
+	<script src="/scripts/custom-select.js" defer></script>
 	<script src="/scripts/uploads.js" defer></script>
 	<script src="/scripts/playground.js" defer></script>
 	<script src="/scripts/proxy.js" defer></script>
@@ -45,12 +47,12 @@
 				<img src="/vendor/icons/logo.svg" alt="zero-http logo" class="header-logo" width="50" height="50" />
 				<div>
 					<div class="logo">zero-http</div>
-					<div class="subtitle">Zero-dependency Express-like server</div>
+					<div class="subtitle">Zero-dependency backend framework for Node.js</div>
 				</div>
 			</a>
 
 			<div class="repo-buttons" role="navigation" aria-label="Repository links">
-				<a class="icon-btn" href="https://github.com/tonywied17/zero-http-npm" target="_blank"
+				<a class="icon-btn" href="https://github.com/tonywied17/zero-http" target="_blank"
 					rel="noopener noreferrer" aria-label="View on GitHub">
 					<svg class="icon-svg" viewBox="0 0 24 24" fill="currentColor" aria-hidden="true">
 						<path
@@ -86,18 +88,17 @@
 					</button>
 				</div>
 				<ul>
-					<li><a href="#features">Features</a></li>
-					<li><a href="#quickstart">Quickstart</a></li>
-					<li><a href="#options">Options</a></li>
-					<li class="toc-collapsible"><a href="#api-reference">API Reference</a></li>
-					<li class="toc-collapsible"><a href="#simple-examples">Simple Examples</a></li>
-					<li class="toc-collapsible"><a href="#playground">Playground</a>
+					<li data-static="features"><a href="#features">Features</a></li>
+					<!-- Dynamic doc sections inserted here by data-sections.js -->
+					<li data-static="playground" class="toc-collapsible"><a href="#playground">Playground</a>
 						<ul class="toc-sub">
 							<li class="toc-sub-item"><a href="#upload-testing">Upload multipart data</a></li>
 							<li class="toc-sub-item"><a href="#parser-tests">Parser tests</a></li>
 							<li class="toc-sub-item"><a href="#proxy-test">Proxy test</a></li>
 							<li class="toc-sub-item"><a href="#ws-chat">WebSocket chat</a></li>
 							<li class="toc-sub-item"><a href="#sse-viewer">SSE viewer</a></li>
+							<li class="toc-sub-item"><a href="#orm-crud">ORM Task Manager</a></li>
+							<li class="toc-sub-item"><a href="#cookie-explorer">Cookie Explorer</a></li>
 						</ul>
 					</li>
 				</ul>
@@ -178,7 +179,7 @@
 											width="48" height="48" />
 									</div>
 									<div class="feature-text"><h5>Compression</h5>
-									<p>Gzip/deflate with threshold &amp; filter.</p></div>
+									<p>Brotli/gzip/deflate with threshold &amp; filter.</p></div>
 								</div>
 								<div class="feature-card">
 									<div class="feature-icon">
@@ -194,7 +195,39 @@
 											width="48" height="48" />
 									</div>
 									<div class="feature-text"><h5>Modular Router</h5>
-									<p>Sub-apps, chaining, introspection.</p></div>
+									<p>Sub-apps, groups, chaining, introspection.</p></div>
+								</div>
+								<div class="feature-card">
+									<div class="feature-icon">
+										<img class="icon-svg" src="/vendor/icons/security.svg" alt="" aria-hidden="true"
+											width="48" height="48" />
+									</div>
+									<div class="feature-text"><h5>Security</h5>
+									<p>Helmet headers, CSRF protection, cookies.</p></div>
+								</div>
+								<div class="feature-card">
+									<div class="feature-icon">
+										<img class="icon-svg" src="/vendor/icons/validate.svg" alt="" aria-hidden="true"
+											width="48" height="48" />
+									</div>
+									<div class="feature-text"><h5>Validation</h5>
+									<p>Schema-based request validation &amp; coercion.</p></div>
+								</div>
+								<div class="feature-card">
+									<div class="feature-icon">
+										<img class="icon-svg" src="/vendor/icons/database.svg" alt="" aria-hidden="true"
+											width="48" height="48" />
+									</div>
+									<div class="feature-text"><h5>ORM &amp; Database</h5>
+									<p>Models, query builder, 6 adapters.</p></div>
+								</div>
+								<div class="feature-card">
+									<div class="feature-icon">
+										<img class="icon-svg" src="/vendor/icons/env.svg" alt="" aria-hidden="true"
+											width="48" height="48" />
+									</div>
+									<div class="feature-text"><h5>Environment Config</h5>
+									<p>Typed .env loading with schema validation.</p></div>
 								</div>
 							</div>
 						</div>
@@ -228,95 +261,11 @@
 					</div>
 				</div>
 
-				<div class="acc-body">
-					<h4 id="quickstart">Quickstart</h4>
-
-					<p class="muted">Install from npm and create a simple server:</p>
-					<pre class="language-bash"><code class="language-bash">npm install zero-http</code></pre>
-
-					<pre class="language-javascript"><code class="language-javascript">const { createApp, json, static } = require('zero-http')
-const path = require('path')
-const app = createApp()
-
-app.use(json({ limit: '10kb' }))
-app.use(static(path.join(__dirname, 'public'), { index: 'index.html' }))
-
-app.get('/ping', (req, res) =&gt; res.json({ pong: true }))
-
-app.listen(3000, () =&gt; {
-	console.log('Server listening on http://localhost:3000')
-})
-</code></pre>
-
-					<p class="muted">To run this demo server from the repo root and open
-						<code>http://localhost:3000</code>.
-					</p>
-					<pre class="language-bash"><code class="language-bash">npm install zero-http
-npm run docs
-# open http://localhost:3000
-</code></pre>
-
-					<h4>API, Options & Examples</h4>
-
-					<div class="muted">Comprehensive reference for configuration options, runtime behavior, and API
-						examples. Expand each section for details and runnable snippets.</div>
-
-					<details class="acc" id="options">
-						<summary>Options (middleware & parser settings)</summary>
-						<div class="acc-body">
-							<p class="muted">Common option shapes and defaults for parsers and upload middleware.</p>
-							<div id="options-items">Loading options…</div>
-						</div>
-					</details>
-
-					<details class="acc" id="api-reference">
-						<summary>API Reference</summary>
-						<div class="acc-body">
-							<div style="display:flex;gap:8px;align-items:center;margin-bottom:8px">
-								<input id="api-search" placeholder="Search API (name, description)"
-									style="flex:1;padding:8px;border-radius:8px;border:1px solid rgba(0,0,0,0.06);background:transparent;color:inherit" />
-								<button id="api-clear" class="btn small" type="button">Clear</button>
-							</div>
-							<div id="api-items">Loading API reference…</div>
-						</div>
-					</details>
-
-					<details class="acc" id="simple-examples">
-						<summary>Simple Examples</summary>
-						<div class="acc-body">
-							<p class="muted">Snippets showing how to compose middleware for common
-								tasks.</p>
-							<div id="examples-items">Loading examples…</div>
-						</div>
-					</details>
-
-					<details class="acc">
-						<summary>Installation & tests</summary>
-						<div class="acc-body">
-
-							<pre class="language-bash"><code class="language-shell">#clone and install dependencies
-git clone https://github.com/tonywied17/zero-http-npm.git
-npm install
-
-# run demo server from repo root
-npm run docs
-
-# or directly:
-node documentation/full-server.js
-
-# run tests (project-specific)
-node test/test.js
-</code></pre>
-
-						</div>
-					</details>
-
-					<h4>Extending</h4>
-					<p>Use the provided middlewares and routing helpers to build controllers, add auth, or swap in
-						different storage backends. The multipart parser exposes file streams and writes each part to
-						disk so you can replace disk writes with S3 streams if desired.</p>
-
+				<!-- Dynamic documentation sections rendered by data-sections.js -->
+				<div id="doc-sections" class="doc-sections-container">
+					<p class="muted" style="padding:20px">Loading documentation…</p>
 				</div>
+
 			</div>
 
 			<div class="section-divider constrained" id="playground">
@@ -489,6 +438,96 @@ node test/test.js
 				</div>
 			</div>
 
+			<div class="card play-card constrained">
+				<div class="card-head">
+					<h3 id="orm-crud">ORM Task Manager</h3>
+					<div class="small muted">Full CRUD with the built-in ORM — in-memory Task model with search, filters, scopes, soft-delete &amp; restore.</div>
+				</div>
+				<div class="card-body">
+					<div class="orm-stats" id="ormStats"></div>
+					<div class="orm-toolbar">
+						<form id="taskForm" style="display:flex;gap:8px;flex-wrap:wrap;align-items:end">
+							<label style="flex:2;min-width:160px">Title
+								<input id="taskTitle" class="textInput" placeholder="Buy groceries…" required />
+							</label>
+							<label>Status
+								<select id="taskStatus" class="textInput">
+									<option value="pending">Pending</option>
+									<option value="in-progress">In-progress</option>
+									<option value="done">Done</option>
+								</select>
+							</label>
+							<label>Priority
+								<select id="taskPriority" class="textInput">
+									<option value="0">0</option>
+									<option value="1">1</option>
+									<option value="2">2</option>
+									<option value="3">3</option>
+									<option value="4">4</option>
+									<option value="5">5</option>
+								</select>
+							</label>
+							<button type="submit" class="btn primary">Add Task</button>
+						</form>
+						<div style="display:flex;gap:8px;margin-top:8px;flex-wrap:wrap;align-items:end">
+							<label style="flex:1;min-width:120px">Search
+								<input id="taskSearch" class="textInput" placeholder="Filter by title…" />
+							</label>
+							<label>Scope
+								<select id="taskScope" class="textInput">
+									<option value="">All</option>
+									<option value="active">Active</option>
+									<option value="done">Done</option>
+									<option value="highPriority">High Priority (≥3)</option>
+								</select>
+							</label>
+							<button id="taskDeleteAll" type="button" class="btn warn">Delete All</button>
+						</div>
+					</div>
+					<div id="taskList" class="result mono" style="min-height:100px;margin-top:12px;max-height:380px;overflow-y:auto"></div>
+					<pre id="taskResult" class="result mono" style="margin-top:8px;max-height:260px;overflow-y:auto"></pre>
+				</div>
+			</div>
+
+			<div class="card play-card constrained">
+				<div class="card-head">
+					<h3 id="cookie-explorer">Cookie Explorer</h3>
+					<div class="small muted">Set, inspect, and delete cookies in real time using the built-in cookieParser middleware.</div>
+				</div>
+				<div class="card-body">
+					<form id="cookieForm" style="display:flex;gap:8px;flex-wrap:wrap;align-items:end">
+						<label style="flex:1;min-width:100px">Name
+							<input id="cookieName" class="textInput" placeholder="theme" required />
+						</label>
+						<label style="flex:1;min-width:100px">Value
+							<input id="cookieValue" class="textInput" placeholder="dark" />
+						</label>
+						<label>HttpOnly
+							<select id="cookieHttpOnly" class="textInput">
+								<option value="false">No</option>
+								<option value="true">Yes</option>
+							</select>
+						</label>
+						<label>SameSite
+							<select id="cookieSameSite" class="textInput">
+								<option value="Lax">Lax</option>
+								<option value="Strict">Strict</option>
+								<option value="None">None</option>
+							</select>
+						</label>
+						<label>Max-Age (s)
+							<input id="cookieMaxAge" class="textInput" type="number" placeholder="3600" style="width:90px" />
+						</label>
+						<button type="submit" class="btn primary">Set Cookie</button>
+					</form>
+					<div style="display:flex;gap:8px;margin-top:8px">
+						<button id="cookieRefresh" type="button" class="btn">Refresh Cookies</button>
+					</div>
+					<div id="cookieJar" class="result mono" style="min-height:80px;margin-top:12px;max-height:320px;overflow-y:auto"></div>
+					<pre id="cookieResult" class="result mono" style="margin-top:8px"></pre>
+				</div>
+			</div>
+
 			<div class="card footnote" style="max-width:1300px;margin:18px auto;">
 				<p class="muted">This demo doubles as a readable API reference and playground — try uploading files,
 					inspect the returned JSON, and use the playground to test parsers.</p>

package/documentation/public/scripts/app.js

@@ -38,7 +38,5 @@ document.addEventListener('DOMContentLoaded', () =>
     initProxy();
 
     /* Data-driven documentation sections */
-    loadApiReference().catch(() => {});
-    loadOptions().catch(() => {});
-    loadExamples().catch(() => {});
+    loadDocs().catch(() => {});
 });