v8.0.0

Introduce structured security headers support (CSP, HSTS, X-Frame-Options, COOP/COEP/CORP, Permissions-Policy, Referrer-Policy, X-XSS-Protection, etc.) and apply them to responses and OPTIONS preflight. Expose configuration via the server API and document usage. Also update UtilityWebsiteServer defaults (SPA fallback enabled by default) and related docs.

changelog.md

@@ -1,5 +1,84 @@
 # Changelog
 
+## 2025-12-20 - 8.0.0 - BREAKING CHANGE(typedserver)
+migrate route handlers to use IRequestContext and lazy body parsers
+
+- Route handlers now receive plugins.smartserve.IRequestContext instead of Request (breaking API change). addRoute no longer wraps handlers to convert context → Request.
+- createContext() is now synchronous and provides lazy body accessors: ctx.json(), ctx.text(), ctx.arrayBuffer(), ctx.formData(); ctx.body property was removed.
+- DevToolsController constructor now accepts optional options and supplies no-op defaults so controllers can be auto-instantiated without args.
+- TypedRequest controller now reads the request via await ctx.json() and forwards typed requests accordingly.
+- Utility website server handlers and other internal callsites updated to use ctx.params and the new context API.
+- Tests updated to the new TypedServer API, improved assertions, changed test port and reduced delays, and switched tap runner export to default.
+- Bumped dependency @push.rocks/smartserve to ^2.0.1 to match API changes.
+- npmextra.json reorganized git.zone/tsdoc entries and added release registries and @ship.zone/szci metadata.
+
+## 2025-12-08 - 7.11.1 - fix(dependencies)
+Upgrade dependencies: bump @design.estate/dees-catalog to v3.1.1 and @push.rocks/smartwatch to v6.0.0; update migration notes in readme.hints.md
+
+- package.json: @design.estate/dees-catalog updated from ^2.0.3 to ^3.1.1 (includes new icons, components and DeesIcon unified icon property; legacy iconFA deprecated)
+- package.json: @push.rocks/smartwatch updated from ^5.0.0 to ^6.0.0 (cross-runtime support, native fs.watch, API compatibility maintained: new Smartwatch class methods and events documented)
+- readme.hints.md: added migration notes for smartwatch v6 and dees-catalog v3, plus other dependency update summaries
+
+## 2025-12-08 - 7.11.0 - feat(typedserver)
+Add configurable response compression (Brotli + Gzip) with defaults enabled and documentation
+
+- Expose a new compression option on IServerOptions (plugins.smartserve.ICompressionConfig | boolean).
+- Pass the compression setting through to SmartServe (smartServeOptions.compression = this.options.compression).
+- Add compression option to UtilityWebsiteServer and forward it when creating SmartServe options.
+- Update README: new Compression section with global config examples, per-route decorator usage, and options reference.
+- Add a small readme.todo.md with service worker wake/reload TODO notes.
+
+## 2025-12-05 - 7.10.2 - fix(docs)
+Update README with routing examples and utility server config; bump @cloudflare/workers-types and @push.rocks/smartserve versions
+
+- Bumped dependency @cloudflare/workers-types to ^4.20251205.0
+- Bumped dependency @push.rocks/smartserve to ^1.3.0
+- Expanded README: added decorator-based routing examples (Route/Get/Post) using smartserve
+- Added programmatic routing examples (addRoute) and SPA/wildcard route samples
+- Enhanced UtilityWebsiteServer and UtilityServiceServer docs: default port, ads.txt, feedMetadata, addCustomRoutes example and other config options
+- Clarified security headers descriptions and configuration reference
+- Updated Quick Start console message to show running port ("Server running on port 3000!")
+- Documented EdgeWorker/domain routing caching example and noted service worker version update behavior
+- Adjusted TypedSocket example tag to use 'allClients' in README
+
+## 2025-12-05 - 7.10.1 - fix(typedserver)
+Use smartserve ControllerRegistry for custom routes and remove custom route parsing
+
+- addRoute now delegates to plugins.smartserve.ControllerRegistry instead of building its own regex-based matcher
+- Backwards compatibility: incoming smartserve IRequestContext is converted to a Request and ctx.params is attached to request.params before invoking the handler
+- Removed internal IRegisteredRoute, customRoutes storage, and parseRouteParams helper
+- Request handling now uses ControllerRegistry.matchRoute and registered controllers are compiled via ControllerRegistry.compileRoutes()
+
+## 2025-12-05 - 7.10.0 - feat(website-server)
+Add configurable ads.txt support to website server
+
+- Introduce adsTxt?: string[] option to the server options to allow configuring ads.txt entries.
+- Serve /ads.txt only when adsTxt is provided; the route is not registered if no entries are configured.
+- Replace previous hard-coded Google ads.txt entry with values joined from the provided adsTxt array and served as text/plain.
+- Preserves existing behavior when adsTxt is not set (no /ads.txt endpoint will be exposed).
+
+## 2025-12-05 - 7.9.0 - feat(typedserver)
+Add configurable security headers and default SPA behavior
+
+Introduce structured security headers support (CSP, HSTS, X-Frame-Options, COOP/COEP/CORP, Permissions-Policy, Referrer-Policy, X-XSS-Protection, etc.) and apply them to responses and OPTIONS preflight. Expose configuration via the server API and document usage. Also update UtilityWebsiteServer defaults (SPA fallback enabled by default) and related docs.
+
+- Add ISecurityHeaders and IContentSecurityPolicy TypeScript interfaces to configure CSP, HSTS and other security-related headers.
+- Implement buildCspHeader to serialize CSP config and applyResponseHeaders to add CORS and all configured security headers to outgoing responses.
+- Apply security headers to OPTIONS preflight responses and all other responses by default when securityHeaders option is provided.
+- Add securityHeaders option to IServerOptions and wire it through TypedServer and UtilityWebsiteServer constructors.
+- Update UtilityWebsiteServer: renamed template to UtilityWebsiteServer, enable SPA fallback by default, expose options (cors, spaFallback, securityHeaders, forceSsl, port, feedMetadata, etc.) and forward them into the TypedServer instance.
+- Documentation: add Security Headers section and example usage to readme.md; document the UtilityWebsiteServer defaults and example.
+- Ensure CORS headers are only added when cors option is enabled.
+
+## 2025-12-05 - 7.8.18 - fix(readme)
+Update README to reflect new features and updated examples (SPA/PWA/Edge/ServiceWorker) and clarify API usage
+
+- Rewrite project introduction and features list to highlight Service Worker, Edge Workers, SPA support, and PWA readiness
+- Replace and expand example sections: Basic Server, Full Configuration, TypedRequest handlers, WebSocket usage, Edge Worker entrypoint, and Service Worker client usage
+- Update configuration reference: remove legacy compression flags, add spaFallback, defaultAnswer, feedMetadata, and blockWaybackMachine options
+- Document package exports and add examples for utility servers (WebsiteServer, ServiceServer)
+- Clarify TypedRequest/TypedSocket usage by showing server.typedrouter and service worker client initializer (getServiceworkerClient)
+
 ## 2025-12-04 - 7.8.11 - fix(web_inject)
 Improve logging in web injection (TypedRequest) and update dees-comms dependency
 

npmextra.json

@@ -1,8 +1,5 @@
 {
-  "npmci": {
-    "npmAccessLevel": "public"
-  },
-  "gitzone": {
+  "@git.zone/cli": {
     "projectType": "npm",
     "module": {
       "githost": "code.foss.global",
@@ -27,9 +24,17 @@
         "robots.txt",
         "compression (gzip, deflate, brotli)"
       ]
+    },
+    "release": {
+      "registries": [
+        "https://verdaccio.lossless.digital",
+        "https://registry.npmjs.org"
+      ],
+      "accessLevel": "public"
     }
   },
-  "tsdoc": {
+  "@git.zone/tsdoc": {
     "legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH  \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
-  }
+  },
+  "@ship.zone/szci": {}
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@api.global/typedserver",
-  "version": "7.8.14",
+  "version": "8.0.0",
   "description": "A TypeScript-based project for easy serving of static files with support for live reloading, compression, and typed requests.",
   "type": "module",
   "exports": {
@@ -61,7 +61,8 @@
     "@api.global/typedrequest": "^3.2.5",
     "@api.global/typedrequest-interfaces": "^3.0.19",
     "@api.global/typedsocket": "^4.1.0",
-    "@cloudflare/workers-types": "^4.20251202.0",
+    "@cloudflare/workers-types": "^4.20251205.0",
+    "@design.estate/dees-catalog": "^3.1.1",
     "@design.estate/dees-comms": "^1.0.30",
     "@push.rocks/lik": "^6.2.2",
     "@push.rocks/smartdelay": "^3.0.5",
@@ -82,11 +83,11 @@
     "@push.rocks/smartpromise": "^4.2.3",
     "@push.rocks/smartrequest": "^5.0.1",
     "@push.rocks/smartrx": "^3.0.10",
-    "@push.rocks/smartserve": "^1.1.2",
+    "@push.rocks/smartserve": "^2.0.1",
     "@push.rocks/smartsitemap": "^2.0.4",
     "@push.rocks/smartstream": "^3.2.5",
     "@push.rocks/smarttime": "^4.1.1",
-    "@push.rocks/smartwatch": "^5.0.0",
+    "@push.rocks/smartwatch": "^6.0.0",
     "@push.rocks/taskbuffer": "^3.5.0",
     "@push.rocks/webrequest": "^4.0.1",
     "@push.rocks/webstore": "^2.0.20",

readme.hints.md

@@ -3,7 +3,9 @@
 ## Recent Changes (December 2025)
 
 ### Dependency Updates
-- `@push.rocks/smartchok` replaced with `@push.rocks/smartwatch` (renamed package, same API)
+- `@push.rocks/smartwatch` upgraded to v6.0.0 (cross-runtime, native fs.watch)
+- `@design.estate/dees-catalog` upgraded to v3.1.1 (new icons, components)
+- `@push.rocks/smartchok` replaced with `@push.rocks/smartwatch` (renamed package)
 - `@push.rocks/smartfile` upgraded from v11 to v13 (major API change - `fs` module removed)
 - `@push.rocks/smartfs` added for filesystem operations (v1.2.0+)
 - `@push.rocks/smartenv` upgraded to v6.0.0
@@ -14,6 +16,26 @@
 
 ### Code Migration Notes
 
+#### smartwatch v6.0.0
+- Cross-runtime support: Node.js 20+, Deno, Bun
+- Uses native `fs.watch({ recursive: true })` for performance
+- Minimal dependencies (no chokidar, no FSEvents bindings)
+- API unchanged: `new Smartwatch([patterns])`, `.start()`, `.stop()`, `.getObservableFor(event)`
+- Events: `add`, `addDir`, `change`, `unlink`, `unlinkDir`, `error`, `ready`
+- Dynamic watching: `.add(patterns)`, `.remove(pattern)`
+- Status property: `'idle' | 'starting' | 'watching'`
+
+#### dees-catalog v3.0.0+ Migration
+- **DeesIcon**: New unified `icon` property with library prefixes:
+  - FontAwesome: `icon="fa:check"` (prefix `fa:`)
+  - Lucide: `icon="lucide:menu"` (prefix `lucide:`)
+  - Legacy `iconFA` property deprecated but still supported
+- **DeesToast**: New convenience methods and positioning:
+  - `DeesToast.info()`, `.success()`, `.warning()`, `.error()`
+  - Position options: `top-right`, `top-left`, `bottom-right`, `bottom-left`, `top-center`, `bottom-center`
+- New components: DeesInputTags, DeesInputDatepicker, DeesStatsGrid, DeesPagination, DeesAppuiBase
+- DeesAppuiAppbar: Hierarchical menus with keyboard navigation
+
 #### smartfile v13 Migration
 - Old: `plugins.smartfile.fs.toStringSync(path)` / `plugins.smartfile.fs.toBufferSync(path)`
 - New: Use `plugins.fsInstance` (SmartFs instance with Node provider)
@@ -24,10 +46,6 @@
 - Old: `plugins.smartfile.fs.fileTreeToHash(dir, pattern)`
 - New: `await plugins.fsInstance.directory(dir).recursive().treeHash()`
 
-#### smartwatch (formerly smartchok)
-- Class renamed: `Smartchok` → `Smartwatch`
-- API remains the same: `new Smartwatch([paths])`, `.start()`, `.stop()`, `.getObservableFor(event)`
-
 #### webrequest v4
 - Class renamed: `WebRequest` → `WebrequestClient`
 

readme.md

@@ -1,6 +1,6 @@
 # @api.global/typedserver
 
-A powerful TypeScript-first web server framework featuring static file serving, live reload, compression, and seamless type-safe API integration. Part of the `@api.global` ecosystem, it provides a modern foundation for building full-stack TypeScript applications with first-class support for typed HTTP requests and WebSocket communication.
+A powerful TypeScript-first web server framework for building modern full-stack applications. Features static file serving, live reload, type-safe API integration, decorator-based routing, service worker support, and edge computing capabilities. Part of the `@api.global` ecosystem.
 
 ## Issue Reporting and Security
 
@@ -8,15 +8,16 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 
 ## ✨ Features
 
-- 🔒 **Type-Safe API Ecosystem** - Full TypeScript support with `@api.global/typedrequest` and `@api.global/typedsocket`
+- 🔒 **Type-Safe API** - Full TypeScript support with `@api.global/typedrequest` and `@api.global/typedsocket`
+- 🎯 **Decorator Routing** - Clean, expressive routing with `@Route`, `@Get`, `@Post` decorators via smartserve
+- 🛡️ **Security Headers** - Built-in CSP, HSTS, X-Frame-Options, and comprehensive security configuration
 - ⚡ **Live Reload** - Automatic browser refresh on file changes during development
-- 🗜️ **Compression** - Built-in support for gzip, deflate, and brotli compression
-- 🌐 **CORS Management** - Flexible cross-origin resource sharing configuration
-- 🔧 **Service Worker Integration** - Advanced caching and offline capabilities
-- ☁️ **Edge Worker Support** - Cloudflare Workers compatible edge computing
-- 📡 **WebSocket Support** - Real-time bidirectional communication via TypedSocket
-- 🗺️ **Sitemap & Feeds** - Automatic sitemap and RSS feed generation
-- 🤖 **Robots.txt** - Built-in robots.txt handling
+- 🛠️ **Service Worker** - Advanced caching, offline support, and background sync
+- ☁️ **Edge Workers** - Cloudflare Workers compatible edge computing with domain routing
+- 📡 **WebSocket** - Real-time bidirectional communication via TypedSocket
+- 🗺️ **SEO Tools** - Built-in sitemap, RSS feed, and robots.txt generation
+- 🎯 **SPA Support** - Single-page application fallback routing
+- 📱 **PWA Ready** - Web App Manifest generation for progressive web apps
 
 ## 📦 Installation
 
@@ -30,7 +31,7 @@ npm install @api.global/typedserver
 
 ## 🚀 Quick Start
 
-### Basic Static File Server
+### Basic Server
 
 ```typescript
 import { TypedServer } from '@api.global/typedserver';
@@ -43,10 +44,10 @@ const server = new TypedServer({
 });
 
 await server.start();
-console.log('Server running on port 3000');
+console.log('Server running on port 3000!');
 ```
 
-### Server with All Options
+### Full Configuration
 
 ```typescript
 import { TypedServer } from '@api.global/typedserver';
@@ -55,15 +56,23 @@ const server = new TypedServer({
   port: 8080,
   serveDir: './dist',
   cors: true,
+
+  // Development
   watch: true,
   injectReload: true,
-  enableCompression: true,
-  preferredCompressionMethod: 'brotli',
-  forceSsl: false,
+
+  // Production
+  forceSsl: true,
+  spaFallback: true,      // Serve index.html for client-side routes
+
+  // SEO
   sitemap: true,
   feed: true,
   robots: true,
   domain: 'example.com',
+  blockWaybackMachine: false,
+
+  // PWA
   appVersion: 'v1.0.0',
   manifest: {
     name: 'My App',
@@ -78,16 +87,95 @@ const server = new TypedServer({
 await server.start();
 ```
 
+## 🛣️ Routing
+
+TypedServer uses a unified routing system powered by `@push.rocks/smartserve`. You can add routes using decorators or the programmatic API.
+
+### Decorator-Based Routing
+
+Create clean, expressive controllers using decorators:
+
+```typescript
+import * as smartserve from '@push.rocks/smartserve';
+
+@smartserve.Route('/api/users')
+class UserController {
+  @smartserve.Get('/')
+  async listUsers(ctx: smartserve.IRequestContext): Promise<Response> {
+    const users = await getUsersFromDb();
+    return new Response(JSON.stringify(users), {
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  @smartserve.Get('/:id')
+  async getUser(ctx: smartserve.IRequestContext): Promise<Response> {
+    const userId = ctx.params.id;
+    const user = await getUserById(userId);
+    return new Response(JSON.stringify(user), {
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  @smartserve.Post('/')
+  async createUser(ctx: smartserve.IRequestContext): Promise<Response> {
+    const userData = await ctx.json();
+    const newUser = await createUserInDb(userData);
+    return new Response(JSON.stringify(newUser), {
+      status: 201,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+}
+
+// Register the controller
+smartserve.ControllerRegistry.registerInstance(new UserController());
+```
+
+### Programmatic Routes with `addRoute()`
+
+Add routes dynamically using the `addRoute()` API:
+
+```typescript
+import { TypedServer } from '@api.global/typedserver';
+
+const server = new TypedServer({ serveDir: './public', cors: true });
+
+// Simple route
+server.addRoute('/api/health', 'GET', async (request) => {
+  return new Response(JSON.stringify({ status: 'ok' }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+});
+
+// Route with parameters (Express-style :param syntax)
+server.addRoute('/api/items/:id', 'GET', async (request) => {
+  const itemId = (request as any).params.id;
+  return new Response(JSON.stringify({ id: itemId }), {
+    headers: { 'Content-Type': 'application/json' },
+  });
+});
+
+// Wildcard routes
+server.addRoute('/files/*path', 'GET', async (request) => {
+  const filePath = (request as any).params.path;
+  // Handle file serving logic
+  return new Response(`Requested: ${filePath}`);
+});
+
+await server.start();
+```
+
 ## 🔌 Type-Safe API Integration
 
 ### Adding TypedRequest Handlers
 
 ```typescript
-import { TypedServer, servertools } from '@api.global/typedserver';
+import { TypedServer } from '@api.global/typedserver';
 import * as typedrequest from '@api.global/typedrequest';
 
 // Define your typed request interface
-interface IGetUser {
+interface IGetUser extends typedrequest.implementsTR<IGetUser> {
   method: 'getUser';
   request: { userId: string };
   response: { name: string; email: string };
@@ -95,133 +183,233 @@ interface IGetUser {
 
 const server = new TypedServer({ serveDir: './public', cors: true });
 
-// Create a typed router
-const typedRouter = new typedrequest.TypedRouter();
-
-// Add a typed handler
-typedRouter.addTypedHandler<IGetUser>(
+// Add a typed handler directly to the server's router
+server.typedrouter.addTypedHandler<IGetUser>(
   new typedrequest.TypedHandler('getUser', async (data) => {
-    // Your logic here
     return { name: 'John Doe', email: 'john@example.com' };
   })
 );
 
-// Attach the router to the server
-server.server.addRoute('/api', new servertools.HandlerTypedRouter(typedRouter));
-
 await server.start();
 ```
 
-### WebSocket Communication with TypedSocket
+### Real-Time WebSocket Communication
+
+TypedServer automatically sets up TypedSocket for real-time communication:
 
 ```typescript
 import { TypedServer } from '@api.global/typedserver';
 import * as typedrequest from '@api.global/typedrequest';
-import * as typedsocket from '@api.global/typedsocket';
 
-const server = new TypedServer({ serveDir: './public', cors: true });
-const typedRouter = new typedrequest.TypedRouter();
-
-await server.start();
-
-// Create WebSocket server attached to the HTTP server
-const socketServer = await typedsocket.TypedSocket.createServer(
-  typedRouter,
-  server.server
-);
-
-// Handle real-time events
-interface IChatMessage {
+interface IChatMessage extends typedrequest.implementsTR<IChatMessage> {
   method: 'sendMessage';
   request: { text: string; room: string };
   response: { messageId: string; timestamp: number };
 }
 
-typedRouter.addTypedHandler<IChatMessage>(
+const server = new TypedServer({ serveDir: './public', cors: true });
+
+// Handle real-time messages
+server.typedrouter.addTypedHandler<IChatMessage>(
   new typedrequest.TypedHandler('sendMessage', async (data) => {
     return { messageId: crypto.randomUUID(), timestamp: Date.now() };
   })
 );
-```
 
-## 🛠️ Server Tools
+await server.start();
 
-### Custom Route Handlers
-
-```typescript
-import { servertools } from '@api.global/typedserver';
-
-const server = new servertools.Server({
-  cors: true,
-  domain: 'example.com',
-});
-
-// Add a custom route with handler
-server.addRoute('/api/hello', new servertools.Handler('GET', async (req, res) => {
-  res.json({ message: 'Hello, World!' });
-}));
-
-// Serve static files from a directory
-server.addRoute('/{*splat}', new servertools.HandlerStatic('./public', {
-  serveIndexHtmlDefault: true,
-  enableCompression: true,
-}));
-
-await server.start(3000);
-```
-
-### Proxy Handler
-
-```typescript
-import { servertools } from '@api.global/typedserver';
-
-const server = new servertools.Server({ cors: true });
-
-// Proxy requests to another server
-server.addRoute('/proxy/{*splat}', new servertools.HandlerProxy({
-  target: 'https://api.example.com',
-}));
-
-await server.start(3000);
+// Push messages to connected clients
+const connections = await server.typedsocket.findAllTargetConnectionsByTag('allClients');
+for (const conn of connections) {
+  // Push to specific clients via TypedSocket
+}
 ```
 
 ## ☁️ Edge Worker (Cloudflare Workers)
 
+Deploy your application to the edge with Cloudflare Workers:
+
 ```typescript
 import { EdgeWorker, DomainRouter } from '@api.global/typedserver/edgeworker';
 
-const router = new DomainRouter();
+const worker = new EdgeWorker();
 
-router.addDomainInstruction({
+// Configure domain routing with caching
+worker.domainRouter.addDomainInstruction({
   domainPattern: '*.example.com',
   originUrl: 'https://origin.example.com',
+  type: 'cache',
   cacheConfig: { maxAge: 3600 },
 });
 
-const worker = new EdgeWorker(router);
+// Pass-through to origin for API routes
+worker.domainRouter.addDomainInstruction({
+  domainPattern: 'api.example.com',
+  originUrl: 'https://api-origin.example.com',
+  type: 'origin',
+});
 
-// In your Cloudflare Worker entry point
+// Cloudflare Worker entry point
 export default {
-  fetch: (request: Request, env: any, ctx: any) => worker.handleRequest(request, env, ctx),
+  fetch: worker.fetchFunction.bind(worker),
 };
 ```
 
 ## 🔧 Service Worker Client
 
+Manage service workers in your frontend application:
+
 ```typescript
-import { ServiceWorkerClient } from '@api.global/typedserver/web_serviceworker_client';
+import { getServiceworkerClient } from '@api.global/typedserver/web_serviceworker_client';
 
-const swClient = new ServiceWorkerClient();
+// Initialize and register service worker
+const swClient = await getServiceworkerClient({
+  pollInterval: 30000,  // Poll for updates every 30s
+});
 
-// Register and manage service worker
-await swClient.register('/serviceworker.bundle.js');
+// The service worker handles:
+// - Cache invalidation from server
+// - Offline support
+// - Background sync
+// - Version updates
+```
 
-// Listen for updates
-swClient.onUpdate(() => {
-  console.log('New version available!');
+## 🛡️ Security Headers
+
+Configure comprehensive security headers including CSP, HSTS, and more:
+
+```typescript
+import { TypedServer } from '@api.global/typedserver';
+
+const server = new TypedServer({
+  serveDir: './dist',
+  cors: true,
+
+  securityHeaders: {
+    // Content Security Policy
+    csp: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.example.com'],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'https:'],
+      connectSrc: ["'self'", 'wss:', 'https://api.example.com'],
+      fontSrc: ["'self'", 'https://fonts.gstatic.com'],
+      frameAncestors: ["'none'"],
+      upgradeInsecureRequests: true,
+    },
+
+    // HSTS (HTTP Strict Transport Security)
+    hstsMaxAge: 31536000,         // 1 year
+    hstsIncludeSubDomains: true,
+    hstsPreload: true,
+
+    // Other security headers
+    xFrameOptions: 'DENY',
+    xContentTypeOptions: true,
+    xXssProtection: true,
+    referrerPolicy: 'strict-origin-when-cross-origin',
+
+    // Cross-Origin policies
+    crossOriginOpenerPolicy: 'same-origin',
+    crossOriginEmbedderPolicy: 'require-corp',
+    crossOriginResourcePolicy: 'same-origin',
+
+    // Permissions Policy
+    permissionsPolicy: {
+      camera: [],
+      microphone: [],
+      geolocation: ['self'],
+    },
+  },
+});
+
+await server.start();
+```
+
+### Security Headers Reference
+
+| Header | Option | Description |
+|--------|--------|-------------|
+| `Content-Security-Policy` | `csp` | Controls resources the browser can load |
+| `Strict-Transport-Security` | `hstsMaxAge`, `hstsIncludeSubDomains`, `hstsPreload` | Forces HTTPS connections |
+| `X-Frame-Options` | `xFrameOptions` | Prevents clickjacking attacks |
+| `X-Content-Type-Options` | `xContentTypeOptions` | Prevents MIME-sniffing |
+| `X-XSS-Protection` | `xXssProtection` | Legacy XSS filter |
+| `Referrer-Policy` | `referrerPolicy` | Controls referrer information |
+| `Permissions-Policy` | `permissionsPolicy` | Controls browser features |
+| `Cross-Origin-Opener-Policy` | `crossOriginOpenerPolicy` | Isolates browsing context |
+| `Cross-Origin-Embedder-Policy` | `crossOriginEmbedderPolicy` | Controls cross-origin embedding |
+| `Cross-Origin-Resource-Policy` | `crossOriginResourcePolicy` | Controls cross-origin resource sharing |
+
+## 🗜️ Compression
+
+TypedServer supports automatic response compression using Brotli and Gzip. Compression is powered by smartserve and enabled by default.
+
+### Global Configuration
+
+```typescript
+import { TypedServer } from '@api.global/typedserver';
+
+const server = new TypedServer({
+  serveDir: './dist',
+  cors: true,
+
+  // Enable with defaults (brotli + gzip, threshold: 1024 bytes)
+  compression: true,
+
+  // Or disable completely
+  compression: false,
+
+  // Or configure in detail
+  compression: {
+    enabled: true,
+    algorithms: ['br', 'gzip'],    // Preferred order
+    threshold: 1024,               // Min size to compress (bytes)
+    level: 4,                      // Compression level (1-11 for brotli, 1-9 for gzip)
+    exclude: ['/api/stream/*'],    // Skip these paths
+  },
 });
 ```
 
+### Per-Route Control with Decorators
+
+Use `@Compress` and `@NoCompress` decorators for fine-grained control:
+
+```typescript
+import * as smartserve from '@push.rocks/smartserve';
+
+@smartserve.Route('/api')
+class ApiController {
+  // Force maximum compression for this endpoint
+  @smartserve.Get('/large-data')
+  @smartserve.Compress({ level: 11 })
+  async getLargeData(ctx: smartserve.IRequestContext): Promise<Response> {
+    return new Response(JSON.stringify(largeDataset));
+  }
+
+  // Disable compression for streaming endpoint
+  @smartserve.Get('/events')
+  @smartserve.NoCompress()
+  async streamEvents(ctx: smartserve.IRequestContext): Promise<Response> {
+    // Server-Sent Events shouldn't be compressed
+    return new Response(eventStream, {
+      headers: { 'Content-Type': 'text/event-stream' },
+    });
+  }
+}
+```
+
+### Compression Options Reference
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enabled` | `boolean` | `true` | Enable/disable compression |
+| `algorithms` | `string[]` | `['br', 'gzip']` | Preferred algorithms in order |
+| `threshold` | `number` | `1024` | Minimum response size (bytes) to compress |
+| `level` | `number` | `4` | Compression level (1-11 for brotli, 1-9 for gzip) |
+| `compressibleTypes` | `string[]` | auto | MIME types to compress |
+| `exclude` | `string[]` | `[]` | Path patterns to skip |
+
 ## 📋 Configuration Reference
 
 ### IServerOptions
@@ -233,9 +421,8 @@ swClient.onUpdate(() => {
 | `cors` | `boolean` | `true` | Enable CORS headers |
 | `watch` | `boolean` | `false` | Watch files for changes |
 | `injectReload` | `boolean` | `false` | Inject live reload script into HTML |
-| `enableCompression` | `boolean` | `false` | Enable response compression |
-| `preferredCompressionMethod` | `'gzip' \| 'deflate' \| 'brotli'` | - | Preferred compression algorithm |
 | `forceSsl` | `boolean` | `false` | Redirect HTTP to HTTPS |
+| `spaFallback` | `boolean` | `false` | Serve index.html for non-file routes |
 | `sitemap` | `boolean` | `false` | Generate sitemap at `/sitemap` |
 | `feed` | `boolean` | `false` | Generate RSS feed at `/feed` |
 | `robots` | `boolean` | `false` | Serve robots.txt |
@@ -244,16 +431,131 @@ swClient.onUpdate(() => {
 | `manifest` | `object` | - | Web App Manifest configuration |
 | `publicKey` | `string` | - | SSL certificate |
 | `privateKey` | `string` | - | SSL private key |
+| `defaultAnswer` | `function` | - | Custom default response handler |
+| `feedMetadata` | `object` | - | RSS feed metadata options |
+| `blockWaybackMachine` | `boolean` | `false` | Block Wayback Machine archiving |
+| `securityHeaders` | `ISecurityHeaders` | - | Security headers configuration |
+| `compression` | `ICompressionConfig \| boolean` | `true` | Response compression configuration |
 
-## 🏗️ Architecture
+## 🏗️ Package Exports
 
 ```
 @api.global/typedserver
-├── /backend         - Main server exports (TypedServer, servertools)
-├── /edgeworker      - Cloudflare Workers edge computing
-├── /web_inject      - Live reload script injection
-├── /web_serviceworker - Service Worker implementation
-└── /web_serviceworker_client - Service Worker client utilities
+├── .                           - Main server (TypedServer)
+├── /backend                    - Alias for main server
+├── /edgeworker                 - Cloudflare Workers edge computing
+├── /web_inject                 - Live reload script injection
+├── /web_serviceworker          - Service Worker implementation
+└── /web_serviceworker_client   - Service Worker client utilities
+```
+
+## 🔄 Utility Servers
+
+Pre-configured server templates with best practices built-in.
+
+### UtilityWebsiteServer
+
+Optimized for modern web applications with SPA support enabled by default:
+
+```typescript
+import { utilityservers } from '@api.global/typedserver';
+
+const websiteServer = new utilityservers.UtilityWebsiteServer({
+  serveDir: './dist',
+  domain: 'example.com',
+
+  // SPA fallback enabled by default
+  spaFallback: true,   // default: true
+
+  // Security headers
+  securityHeaders: {
+    csp: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+    },
+    xFrameOptions: 'SAMEORIGIN',
+    xContentTypeOptions: true,
+  },
+
+  // Compression (enabled by default)
+  compression: true,  // or { level: 6, threshold: 512 }
+
+  // Other options
+  cors: true,          // default: true
+  forceSsl: false,     // default: false
+  appSemVer: '1.0.0',
+  port: 3000,          // default: 3000
+
+  // Optional ads.txt entries (only served if configured)
+  adsTxt: [
+    'google.com, pub-1234567890, DIRECT, f08c47fec0942fa0',
+  ],
+
+  // RSS feed metadata
+  feedMetadata: {
+    title: 'My Blog',
+    description: 'A cool blog',
+    link: 'https://example.com',
+  },
+
+  // Add custom routes
+  addCustomRoutes: async (typedserver) => {
+    typedserver.addRoute('/api/custom', 'GET', async () => {
+      return new Response('Custom route!');
+    });
+  },
+});
+
+await websiteServer.start();
+```
+
+### UtilityServiceServer
+
+Optimized for API services with auto-generated info page:
+
+```typescript
+import { utilityservers } from '@api.global/typedserver';
+
+const serviceServer = new utilityservers.UtilityServiceServer({
+  serviceName: 'My API',
+  serviceVersion: '1.0.0',
+  serviceDomain: 'api.example.com',
+  port: 8080,
+
+  // Add custom routes
+  addCustomRoutes: async (typedserver) => {
+    typedserver.addRoute('/api/status', 'GET', async () => {
+      return new Response(JSON.stringify({ status: 'healthy' }), {
+        headers: { 'Content-Type': 'application/json' },
+      });
+    });
+  },
+});
+
+await serviceServer.start();
+```
+
+## 🧩 Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                      TypedServer                            │
+├─────────────────────────────────────────────────────────────┤
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐ │
+│  │ SmartServe  │  │ TypedRouter │  │    TypedSocket      │ │
+│  │ (Routing)   │  │ (RPC)       │  │    (WebSocket)      │ │
+│  └─────────────┘  └─────────────┘  └─────────────────────┘ │
+│         │                │                    │             │
+│         ▼                ▼                    ▼             │
+│  ┌─────────────────────────────────────────────────────┐   │
+│  │              Request Handler Pipeline               │   │
+│  │  1. Controller Registry (Decorated Routes)          │   │
+│  │  2. TypedRequest/TypedSocket handlers               │   │
+│  │  3. Static File Serving                             │   │
+│  │  4. SPA Fallback                                    │   │
+│  └─────────────────────────────────────────────────────┘   │
+└─────────────────────────────────────────────────────────────┘
 ```
 
 ## License and Legal Information

readme.todo.md

@@ -0,0 +1,5 @@
+- Wake up the service worker before sending stuff.
+
+Handle reload properly. Make sure service worker is up.
+
+Pill handling of service worker status.

test/test.reload.ts

@@ -7,7 +7,7 @@ let testTypedServer: TypedServer;
 tap.test('should create a valid instance of TypedServer', async () => {
   testTypedServer = new TypedServer({
     injectReload: true,
-    port: 3000,
+    port: 3001,
     serveDir: smartpath.get.dirnameFromImportMetaUrl(import.meta.url),
     watch: true,
     cors: true,
@@ -17,15 +17,15 @@ tap.test('should create a valid instance of TypedServer', async () => {
 
 tap.test('should start to serve files', async (tools) => {
   await testTypedServer.start();
-  await tools.delayFor(5000);
+  await tools.delayFor(1000);
   await testTypedServer.reload();
-  await tools.delayFor(5000);
+  await tools.delayFor(1000);
   await testTypedServer.reload();
 });
 
-tap.test('should stop to serve files ', async (tools) => {
-  await tools.delayFor(5000);
+tap.test('should stop to serve files', async (tools) => {
+  await tools.delayFor(1000);
   await testTypedServer.stop();
 });
 
-tap.start();
+export default tap.start();

test/test.server.ts

@@ -1,28 +1,21 @@
-// tslint:disable-next-line:no-implicit-dependencies
 import { expect, tap } from '@git.zone/tstest/tapbundle';
-
-// helper dependencies
-// tslint:disable-next-line:no-implicit-dependencies
-
 import * as smartpath from '@push.rocks/smartpath';
 import * as smartrequest from '@push.rocks/smartrequest';
 
 import * as typedserver from '../ts/index.js';
 
-let testServer: typedserver.servertools.Server;
-let testRoute: typedserver.servertools.Route;
-let testRoute2: typedserver.servertools.Route;
-let testHandler: typedserver.servertools.Handler;
+let testServer: typedserver.TypedServer;
 
 // =================
-// Test class Server
+// Test TypedServer
 // =================
 
-tap.test('should create a valid Server', async () => {
-  testServer = new typedserver.servertools.Server({
+tap.test('should create a valid TypedServer', async () => {
+  testServer = new typedserver.TypedServer({
     cors: true,
     domain: 'testing.git.zone',
     forceSsl: false,
+    port: 3000,
     appVersion: 'v3.2.1',
     manifest: {
       name: 'Test App',
@@ -38,101 +31,137 @@ tap.test('should create a valid Server', async () => {
     feed: true,
     sitemap: true,
     robots: true,
+    serveDir: smartpath.get.dirnameFromImportMetaUrl(import.meta.url),
   });
-  expect(testServer).toBeInstanceOf(typedserver.servertools.Server);
+  expect(testServer).toBeInstanceOf(typedserver.TypedServer);
 });
 
 // ================
-// Test class Route
+// Test addRoute
 // ================
 
-tap.test('should create a valid Route', async () => {
-  testRoute = testServer.addRoute('/someroute');
-  testRoute2 = testServer.addRoute('/someroute/*splat');
-  expect(testRoute).toBeInstanceOf(typedserver.servertools.Route);
-});
-
-// ==================
-// Test class Handler
-// ==================
-
-tap.test('should produce a valid handler', async () => {
-  testHandler = new typedserver.servertools.Handler('POST', (request, response) => {
+tap.test('should add a POST route', async () => {
+  testServer.addRoute('/someroute', 'POST', async (ctx) => {
+    const body = await ctx.json();
     console.log('request body is:');
-    console.log(request.body);
-    response.send('hi');
+    console.log(body);
+    return new Response(JSON.stringify({ message: 'hi', received: body }), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    });
   });
-  expect(testHandler).toBeInstanceOf(typedserver.servertools.Handler);
 });
 
-tap.test('should add handler to route', async () => {
-  testRoute.addHandler(testHandler);
-});
-
-tap.test('should create a valid StaticHandler', async () => {
-  testRoute2.addHandler(
-    new typedserver.servertools.HandlerStatic(
-      smartpath.get.dirnameFromImportMetaUrl(import.meta.url)
-    )
-  );
-});
-
-tap.test('should add typedrequest and typedsocket', async () => {
-  const typedrequest = await import('@api.global/typedrequest');
-
-  const typedrouter = new typedrequest.TypedRouter();
-  testServer.addTypedRequest(typedrouter);
-  testServer.addTypedSocket(typedrouter);
+tap.test('should add a GET route with params', async () => {
+  testServer.addRoute('/users/:id', 'GET', async (ctx) => {
+    const userId = ctx.params.id;
+    return new Response(JSON.stringify({ userId }), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  });
 });
 
 // =====================
-// start the server and test the configuration
+// Test typedrouter integration
 // =====================
 
-tap.test('should start the server allright', async () => {
-  await testServer.start(3000);
+tap.test('should have a typedrouter', async () => {
+  expect(testServer.typedrouter).toBeDefined();
 });
 
-// see if a demo request holds up
-tap.test('should issue a request', async (tools) => {
+// =====================
+// Start the server and test
+// =====================
+
+tap.test('should start the server', async () => {
+  await testServer.start();
+});
+
+// Test POST route
+tap.test('should handle a POST request', async () => {
   const smartRequestInstance = smartrequest.SmartRequest.create();
   const response = await smartRequestInstance
     .url('http://127.0.0.1:3000/someroute')
     .headers({
       'X-Forwarded-Proto': 'https',
+      'Content-Type': 'application/json',
     })
     .json({
-      someprop: 'hi',
+      someprop: 'hello world',
     })
     .post();
-  const responseBody = await response.text();
-  console.log(responseBody);
+  const responseBody = await response.json();
+  console.log('POST response:', responseBody);
+  expect(responseBody.message).toEqual('hi');
+  expect(responseBody.received.someprop).toEqual('hello world');
 });
 
-tap.test('should get a file from disk', async () => {
-  const response = await fetch('http://127.0.0.1:3000/someroute/testresponse.js');
-  console.log(response.status);
-  console.log(response.headers);
+// Test GET route with params
+tap.test('should handle a GET request with params', async () => {
+  const response = await fetch('http://127.0.0.1:3000/users/123');
+  const body = await response.json();
+  console.log('GET response:', body);
+  expect(body.userId).toEqual('123');
 });
 
+// Test static file serving
+tap.test('should serve a static file', async () => {
+  const response = await fetch('http://127.0.0.1:3000/test.server.ts');
+  console.log('Static file status:', response.status);
+  expect(response.status).toEqual(200);
+});
+
+// Test CORS preflight
 tap.test('should answer a preflight request', async () => {
   const response = await fetch('http://127.0.0.1:3000/some/randompath/', {
     method: 'OPTIONS',
   });
-  console.log(response.headers);
+  console.log('Preflight headers:', Object.fromEntries(response.headers.entries()));
+  // CORS should return appropriate headers
+  expect(response.headers.get('access-control-allow-origin')).toBeDefined();
 });
 
+// Test sitemap endpoint
 tap.test('should expose a sitemap', async () => {
   const response = await fetch('http://127.0.0.1:3000/sitemap');
-  console.log(await response.text());
+  const text = await response.text();
+  console.log('Sitemap:', text);
+  expect(response.status).toEqual(200);
+});
+
+// Test robots.txt endpoint
+tap.test('should expose robots.txt', async () => {
+  const response = await fetch('http://127.0.0.1:3000/robots.txt');
+  const text = await response.text();
+  console.log('Robots.txt:', text);
+  expect(response.status).toEqual(200);
+});
+
+// Test manifest endpoint
+tap.test('should expose manifest.json', async () => {
+  const response = await fetch('http://127.0.0.1:3000/manifest.json');
+  const json = await response.json();
+  console.log('Manifest:', json);
+  expect(response.status).toEqual(200);
+  expect(json.name).toEqual('Test App');
+});
+
+// Test appversion endpoint
+tap.test('should expose appversion', async () => {
+  const response = await fetch('http://127.0.0.1:3000/appversion');
+  const text = await response.text();
+  console.log('App version:', text);
+  expect(response.status).toEqual(200);
+  expect(text).toEqual('v3.2.1');
 });
 
 // ========
-// clean up
+// Clean up
 // ========
 
 tap.test('should stop the server', async () => {
   await testServer.stop();
 });
 
-tap.start();
+export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@api.global/typedserver',
-  version: '7.8.11',
+  version: '8.0.0',
   description: 'A TypeScript-based project for easy serving of static files with support for live reloading, compression, and typed requests.'
 }

ts/classes.typedserver.ts

@@ -1,10 +1,80 @@
 import * as plugins from './plugins.js';
-import * as paths from './paths.js';
 import * as interfaces from '../dist_ts_interfaces/index.js';
 import { DevToolsController } from './controllers/controller.devtools.js';
 import { TypedRequestController } from './controllers/controller.typedrequest.js';
 import { BuiltInRoutesController } from './controllers/controller.builtin.js';
 
+/**
+ * Content Security Policy configuration
+ * Each directive can be a string or array of sources
+ */
+export interface IContentSecurityPolicy {
+  /** Fallback for other directives */
+  defaultSrc?: string | string[];
+  /** Valid sources for scripts */
+  scriptSrc?: string | string[];
+  /** Valid sources for stylesheets */
+  styleSrc?: string | string[];
+  /** Valid sources for images */
+  imgSrc?: string | string[];
+  /** Valid sources for fonts */
+  fontSrc?: string | string[];
+  /** Valid sources for AJAX, WebSockets, etc. */
+  connectSrc?: string | string[];
+  /** Valid sources for media (audio/video) */
+  mediaSrc?: string | string[];
+  /** Valid sources for frames */
+  frameSrc?: string | string[];
+  /** Valid sources for <object>, <embed>, <applet> */
+  objectSrc?: string | string[];
+  /** Valid sources for web workers */
+  workerSrc?: string | string[];
+  /** Valid sources for form actions */
+  formAction?: string | string[];
+  /** Controls which URLs can embed the page */
+  frameAncestors?: string | string[];
+  /** Restricts URLs for <base> element */
+  baseUri?: string | string[];
+  /** Report violations to this URL */
+  reportUri?: string;
+  /** Report violations to this endpoint */
+  reportTo?: string;
+  /** Upgrade insecure requests to HTTPS */
+  upgradeInsecureRequests?: boolean;
+  /** Block all mixed content */
+  blockAllMixedContent?: boolean;
+}
+
+/**
+ * Security headers configuration
+ */
+export interface ISecurityHeaders {
+  /** Content Security Policy */
+  csp?: IContentSecurityPolicy;
+  /** X-Frame-Options: DENY, SAMEORIGIN, or ALLOW-FROM uri */
+  xFrameOptions?: 'DENY' | 'SAMEORIGIN' | string;
+  /** X-Content-Type-Options: nosniff */
+  xContentTypeOptions?: boolean;
+  /** X-XSS-Protection header (legacy, but still useful) */
+  xXssProtection?: boolean | string;
+  /** Referrer-Policy header */
+  referrerPolicy?: 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
+  /** Strict-Transport-Security (HSTS) max-age in seconds */
+  hstsMaxAge?: number;
+  /** Include subdomains in HSTS */
+  hstsIncludeSubDomains?: boolean;
+  /** HSTS preload flag */
+  hstsPreload?: boolean;
+  /** Permissions-Policy (formerly Feature-Policy) */
+  permissionsPolicy?: Record<string, string[]>;
+  /** Cross-Origin-Opener-Policy */
+  crossOriginOpenerPolicy?: 'unsafe-none' | 'same-origin-allow-popups' | 'same-origin';
+  /** Cross-Origin-Embedder-Policy */
+  crossOriginEmbedderPolicy?: 'unsafe-none' | 'require-corp' | 'credentialless';
+  /** Cross-Origin-Resource-Policy */
+  crossOriginResourcePolicy?: 'same-site' | 'same-origin' | 'cross-origin';
+}
+
 export interface IServerOptions {
   /**
    * serve a particular directory
@@ -62,20 +132,23 @@ export interface IServerOptions {
    * Useful for single-page applications with client-side routing
    */
   spaFallback?: boolean;
+
+  /**
+   * Security headers configuration (CSP, HSTS, X-Frame-Options, etc.)
+   */
+  securityHeaders?: ISecurityHeaders;
+
+  /**
+   * Response compression configuration
+   * Set to true for defaults (brotli + gzip), false to disable, or provide detailed config
+   */
+  compression?: plugins.smartserve.ICompressionConfig | boolean;
 }
 
 export type THttpMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'HEAD' | 'OPTIONS' | 'ALL';
 
 export interface IRouteHandler {
-  (request: Request): Promise<Response | null>;
-}
-
-export interface IRegisteredRoute {
-  pattern: string;
-  regex: RegExp;
-  paramNames: string[];
-  method: THttpMethod;
-  handler: IRouteHandler;
+  (ctx: plugins.smartserve.IRequestContext): Promise<Response | null>;
 }
 
 export class TypedServer {
@@ -100,9 +173,6 @@ export class TypedServer {
   // File server for static files
   private fileServer: plugins.smartserve.FileServer;
 
-  // Custom route handlers (for addRoute API)
-  private customRoutes: IRegisteredRoute[] = [];
-
   public lastReload: number = Date.now();
   public ended = false;
 
@@ -132,50 +202,11 @@ export class TypedServer {
    * Supports Express-style path patterns like '/path/:param' and '/path/*splat'
    * @param path - The route path pattern
    * @param method - HTTP method (GET, POST, PUT, DELETE, PATCH, ALL)
-   * @param handler - Async function that receives Request and returns Response or null
+   * @param handler - Async function that receives IRequestContext and returns Response or null
    */
   public addRoute(path: string, method: THttpMethod, handler: IRouteHandler): void {
-    // Convert Express-style path to regex
-    const paramNames: string[] = [];
-    let regexPattern = path
-      // Handle named parameters :param
-      .replace(/:([a-zA-Z_][a-zA-Z0-9_]*)/g, (_, paramName) => {
-        paramNames.push(paramName);
-        return '([^/]+)';
-      })
-      // Handle wildcard *splat (matches everything including slashes)
-      .replace(/\*([a-zA-Z_][a-zA-Z0-9_]*)/g, (_, paramName) => {
-        paramNames.push(paramName);
-        return '(.*)';
-      });
-
-    // Ensure exact match
-    regexPattern = `^${regexPattern}$`;
-
-    this.customRoutes.push({
-      pattern: path,
-      regex: new RegExp(regexPattern),
-      paramNames,
-      method,
-      handler,
-    });
-  }
-
-  /**
-   * Parse route parameters from a path using a registered route
-   */
-  private parseRouteParams(
-    route: IRegisteredRoute,
-    pathname: string
-  ): Record<string, string> | null {
-    const match = pathname.match(route.regex);
-    if (!match) return null;
-
-    const params: Record<string, string> = {};
-    route.paramNames.forEach((name, index) => {
-      params[name] = match[index + 1];
-    });
-    return params;
+    // Delegate to smartserve's ControllerRegistry
+    plugins.smartserve.ControllerRegistry.addRoute(path, method, handler);
   }
 
   /**
@@ -235,6 +266,9 @@ export class TypedServer {
     });
 
     // Register controllers with SmartServe's ControllerRegistry
+    // Note: @Route decorators auto-register classes at import time.
+    // Controllers with constructor args (like DevToolsController) use default no-op
+    // constructors to handle auto-instantiation gracefully.
     if (this.options.injectReload) {
       plugins.smartserve.ControllerRegistry.registerInstance(this.devToolsController);
     }
@@ -248,6 +282,7 @@ export class TypedServer {
     const smartServeOptions: plugins.smartserve.ISmartServeOptions = {
       port,
       hostname: '0.0.0.0',
+      compression: this.options.compression,
       tls:
         this.options.privateKey && this.options.publicKey
           ? {
@@ -258,7 +293,7 @@ export class TypedServer {
       websocket: {
         typedRouter: this.typedrouter,
         onConnectionOpen: (peer) => {
-          peer.tags.add('typedserver_frontend');
+          peer.tags.add('allClients');
           console.log(`WebSocket connected: ${peer.id}`);
         },
         onConnectionClose: (peer) => {
@@ -349,10 +384,10 @@ export class TypedServer {
   /**
    * Create an IRequestContext from a Request
    */
-  private async createContext(
+  private createContext(
     request: Request,
     params: Record<string, string>
-  ): Promise<plugins.smartserve.IRequestContext> {
+  ): plugins.smartserve.IRequestContext {
     const url = new URL(request.url);
     const method = request.method.toUpperCase() as THttpMethod;
 
@@ -362,20 +397,14 @@ export class TypedServer {
       query[key] = value;
     });
 
-    // Parse body
-    let body: unknown = undefined;
-    const contentType = request.headers.get('content-type');
-    if (contentType?.includes('application/json')) {
-      try {
-        body = await request.clone().json();
-      } catch {
-        body = {};
-      }
-    }
+    // Cached body parsers (lazy evaluation)
+    let jsonCache: unknown;
+    let textCache: string;
+    let arrayBufferCache: ArrayBuffer;
+    let formDataCache: FormData;
 
     return {
       request,
-      body,
       params,
       query,
       headers: request.headers,
@@ -384,20 +413,161 @@ export class TypedServer {
       url,
       runtime: 'node' as const,
       state: {},
+      async json<T = unknown>(): Promise<T> {
+        if (jsonCache === undefined) {
+          jsonCache = await request.clone().json();
+        }
+        return jsonCache as T;
+      },
+      async text(): Promise<string> {
+        if (textCache === undefined) {
+          textCache = await request.clone().text();
+        }
+        return textCache;
+      },
+      async arrayBuffer(): Promise<ArrayBuffer> {
+        if (arrayBufferCache === undefined) {
+          arrayBufferCache = await request.clone().arrayBuffer();
+        }
+        return arrayBufferCache;
+      },
+      async formData(): Promise<FormData> {
+        if (formDataCache === undefined) {
+          formDataCache = await request.clone().formData();
+        }
+        return formDataCache;
+      },
     };
   }
 
   /**
-   * Add CORS headers to a response
+   * Build CSP header string from configuration
    */
-  private addCorsHeaders(response: Response): Response {
-    if (!this.options.cors) return response;
+  private buildCspHeader(csp: IContentSecurityPolicy): string {
+    const directives: string[] = [];
 
+    const addDirective = (name: string, value: string | string[] | undefined) => {
+      if (value) {
+        const sources = Array.isArray(value) ? value.join(' ') : value;
+        directives.push(`${name} ${sources}`);
+      }
+    };
+
+    addDirective('default-src', csp.defaultSrc);
+    addDirective('script-src', csp.scriptSrc);
+    addDirective('style-src', csp.styleSrc);
+    addDirective('img-src', csp.imgSrc);
+    addDirective('font-src', csp.fontSrc);
+    addDirective('connect-src', csp.connectSrc);
+    addDirective('media-src', csp.mediaSrc);
+    addDirective('frame-src', csp.frameSrc);
+    addDirective('object-src', csp.objectSrc);
+    addDirective('worker-src', csp.workerSrc);
+    addDirective('form-action', csp.formAction);
+    addDirective('frame-ancestors', csp.frameAncestors);
+    addDirective('base-uri', csp.baseUri);
+
+    if (csp.reportUri) {
+      directives.push(`report-uri ${csp.reportUri}`);
+    }
+    if (csp.reportTo) {
+      directives.push(`report-to ${csp.reportTo}`);
+    }
+    if (csp.upgradeInsecureRequests) {
+      directives.push('upgrade-insecure-requests');
+    }
+    if (csp.blockAllMixedContent) {
+      directives.push('block-all-mixed-content');
+    }
+
+    return directives.join('; ');
+  }
+
+  /**
+   * Apply all configured headers (CORS, security) to a response
+   */
+  private applyResponseHeaders(response: Response): Response {
     const headers = new Headers(response.headers);
-    headers.set('Access-Control-Allow-Origin', '*');
-    headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH');
-    headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
-    headers.set('Access-Control-Max-Age', '86400');
+
+    // CORS headers
+    if (this.options.cors) {
+      headers.set('Access-Control-Allow-Origin', '*');
+      headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH');
+      headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
+      headers.set('Access-Control-Max-Age', '86400');
+    }
+
+    // Security headers
+    const security = this.options.securityHeaders;
+    if (security) {
+      // Content Security Policy
+      if (security.csp) {
+        const cspHeader = this.buildCspHeader(security.csp);
+        if (cspHeader) {
+          headers.set('Content-Security-Policy', cspHeader);
+        }
+      }
+
+      // X-Frame-Options
+      if (security.xFrameOptions) {
+        headers.set('X-Frame-Options', security.xFrameOptions);
+      }
+
+      // X-Content-Type-Options
+      if (security.xContentTypeOptions) {
+        headers.set('X-Content-Type-Options', 'nosniff');
+      }
+
+      // X-XSS-Protection
+      if (security.xXssProtection) {
+        const value = typeof security.xXssProtection === 'string'
+          ? security.xXssProtection
+          : '1; mode=block';
+        headers.set('X-XSS-Protection', value);
+      }
+
+      // Referrer-Policy
+      if (security.referrerPolicy) {
+        headers.set('Referrer-Policy', security.referrerPolicy);
+      }
+
+      // Strict-Transport-Security (HSTS)
+      if (security.hstsMaxAge !== undefined) {
+        let hsts = `max-age=${security.hstsMaxAge}`;
+        if (security.hstsIncludeSubDomains) {
+          hsts += '; includeSubDomains';
+        }
+        if (security.hstsPreload) {
+          hsts += '; preload';
+        }
+        headers.set('Strict-Transport-Security', hsts);
+      }
+
+      // Permissions-Policy
+      if (security.permissionsPolicy) {
+        const policies = Object.entries(security.permissionsPolicy)
+          .map(([feature, allowlist]) => `${feature}=(${allowlist.join(' ')})`)
+          .join(', ');
+        if (policies) {
+          headers.set('Permissions-Policy', policies);
+        }
+      }
+
+      // Cross-Origin-Opener-Policy
+      if (security.crossOriginOpenerPolicy) {
+        headers.set('Cross-Origin-Opener-Policy', security.crossOriginOpenerPolicy);
+      }
+
+      // Cross-Origin-Embedder-Policy
+      if (security.crossOriginEmbedderPolicy) {
+        headers.set('Cross-Origin-Embedder-Policy', security.crossOriginEmbedderPolicy);
+      }
+
+      // Cross-Origin-Resource-Policy
+      if (security.crossOriginResourcePolicy) {
+        headers.set('Cross-Origin-Resource-Policy', security.crossOriginResourcePolicy);
+      }
+    }
 
     return new Response(response.body, {
       status: response.status,
@@ -416,12 +586,12 @@ export class TypedServer {
 
     // Handle OPTIONS preflight for CORS
     if (method === 'OPTIONS' && this.options.cors) {
-      return this.addCorsHeaders(new Response(null, { status: 204 }));
+      return this.applyResponseHeaders(new Response(null, { status: 204 }));
     }
 
-    // Process the request and wrap response with CORS headers
-    const response = await this.handleRequestInternal(request, url, path, method);
-    return this.addCorsHeaders(response);
+    // Process the request and wrap response with all configured headers
+    const response = await this.handleRequestInternal(request, path, method);
+    return this.applyResponseHeaders(response);
   }
 
   /**
@@ -429,7 +599,6 @@ export class TypedServer {
    */
   private async handleRequestInternal(
     request: Request,
-    url: URL,
     path: string,
     method: THttpMethod
   ): Promise<Response> {
@@ -437,7 +606,7 @@ export class TypedServer {
     const match = plugins.smartserve.ControllerRegistry.matchRoute(path, method);
     if (match) {
       try {
-        const context = await this.createContext(request, match.params);
+        const context = this.createContext(request, match.params);
         const result = await match.route.handler(context);
 
         // Handle Response or convert to Response
@@ -458,18 +627,6 @@ export class TypedServer {
       }
     }
 
-    // Custom routes (registered via addRoute)
-    for (const route of this.customRoutes) {
-      if (route.method === 'ALL' || route.method === method) {
-        const params = this.parseRouteParams(route, path);
-        if (params !== null) {
-          (request as any).params = params;
-          const response = await route.handler(request);
-          if (response) return response;
-        }
-      }
-    }
-
     // HTML injection for reload (if enabled)
     if (this.options.injectReload && this.options.serveDir) {
       const response = await this.handleHtmlWithInjection(request);
@@ -644,6 +801,8 @@ export class TypedServer {
           );
         pushTime.fire({
           time: this.lastReload,
+        }).catch(err => {
+          console.warn('Failed to push latest server change time to client:', err);
         });
       }
     } catch (error) {

ts/controllers/controller.devtools.ts

@@ -10,9 +10,10 @@ export class DevToolsController {
   private getLastReload: () => number;
   private getEnded: () => boolean;
 
-  constructor(options: { getLastReload: () => number; getEnded: () => boolean }) {
-    this.getLastReload = options.getLastReload;
-    this.getEnded = options.getEnded;
+  constructor(options?: { getLastReload: () => number; getEnded: () => boolean }) {
+    // Default no-op functions for when controller is auto-instantiated without options
+    this.getLastReload = options?.getLastReload ?? (() => 0);
+    this.getEnded = options?.getEnded ?? (() => false);
   }
 
   @plugins.smartserve.Get('/devtools')

ts/controllers/controller.typedrequest.ts

@@ -14,7 +14,8 @@ export class TypedRequestController {
   @plugins.smartserve.Post('')
   async handleTypedRequest(ctx: plugins.smartserve.IRequestContext): Promise<Response> {
     try {
-      const response = await this.typedRouter.routeAndAddResponse(ctx.body as plugins.typedrequestInterfaces.ITypedRequest);
+      const body = await ctx.json() as plugins.typedrequestInterfaces.ITypedRequest;
+      const response = await this.typedRouter.routeAndAddResponse(body);
 
       return new Response(plugins.smartjson.stringify(response), {
         status: 200,

ts/utilityservers/classes.websiteserver.ts

@@ -1,13 +1,32 @@
 import * as interfaces from '../../dist_ts_interfaces/index.js';
-import { type IServerOptions, TypedServer } from '../classes.typedserver.js';
+import { type IServerOptions, type ISecurityHeaders, TypedServer } from '../classes.typedserver.js';
 import * as plugins from '../plugins.js';
 
 export interface IUtilityWebsiteServerConstructorOptions {
+  /** Custom route handler to add additional routes */
   addCustomRoutes?: (typedserver: TypedServer) => Promise<any>;
+  /** Application semantic version */
   appSemVer?: string;
+  /** Domain name for the website */
   domain: string;
+  /** Directory to serve static files from */
   serveDir: string;
-  feedMetadata: IServerOptions['feedMetadata'];
+  /** RSS feed metadata */
+  feedMetadata?: IServerOptions['feedMetadata'];
+  /** Enable/disable CORS (default: true) */
+  cors?: boolean;
+  /** Enable/disable SPA fallback (default: true) */
+  spaFallback?: boolean;
+  /** Security headers configuration */
+  securityHeaders?: ISecurityHeaders;
+  /** Force SSL redirect (default: false) */
+  forceSsl?: boolean;
+  /** Port to listen on (default: 3000) */
+  port?: number;
+  /** ads.txt entries (only served if configured) */
+  adsTxt?: string[];
+  /** Response compression configuration (default: enabled with brotli + gzip) */
+  compression?: plugins.smartserve.ICompressionConfig | boolean;
 }
 
 /**
@@ -29,14 +48,31 @@ export class UtilityWebsiteServer {
   /**
    * Start the website server
    */
-  public async start(portArg = 3000) {
+  public async start(portArg?: number) {
+    const port = portArg ?? this.options.port ?? 3000;
+
     this.typedserver = new TypedServer({
-      cors: true,
-      injectReload: true,
-      watch: true,
+      // Core settings
+      cors: this.options.cors ?? true,
       serveDir: this.options.serveDir,
       domain: this.options.domain,
-      forceSsl: false,
+      port,
+
+      // Development features
+      injectReload: true,
+      watch: true,
+
+      // SPA support (enabled by default for modern web apps)
+      spaFallback: this.options.spaFallback ?? true,
+
+      // Security
+      forceSsl: this.options.forceSsl ?? false,
+      securityHeaders: this.options.securityHeaders,
+
+      // Compression
+      compression: this.options.compression,
+
+      // PWA manifest
       manifest: {
         name: this.options.domain,
         short_name: this.options.domain,
@@ -46,11 +82,11 @@ export class UtilityWebsiteServer {
         background_color: '#000000',
         scope: '/',
       },
-      port: portArg,
 
-      // features
+      // SEO features
       robots: true,
       sitemap: true,
+      feedMetadata: this.options.feedMetadata,
     });
 
     let lswData: interfaces.serviceworker.IRequest_Serviceworker_Backend_VersionInfo['response'] = {
@@ -65,22 +101,23 @@ export class UtilityWebsiteServer {
       })
     );
 
-    // ads.txt handler
-    this.typedserver.addRoute('/ads.txt', 'GET', async () => {
-      const adsTxt =
-        ['google.com, pub-4104137977476459, DIRECT, f08c47fec0942fa0'].join('\n') + '\n';
-      return new Response(adsTxt, {
-        status: 200,
-        headers: { 'Content-Type': 'text/plain' },
+    // ads.txt handler (only if configured)
+    if (this.options.adsTxt && this.options.adsTxt.length > 0) {
+      this.typedserver.addRoute('/ads.txt', 'GET', async () => {
+        const adsTxt = this.options.adsTxt.join('\n') + '\n';
+        return new Response(adsTxt, {
+          status: 200,
+          headers: { 'Content-Type': 'text/plain' },
+        });
       });
-    });
+    }
 
     // Asset broker manifest handler
     this.typedserver.addRoute(
       '/assetbroker/manifest/:manifestAsset',
       'GET',
-      async (request: Request) => {
-        let manifestAssetName = (request as any).params?.manifestAsset;
+      async (ctx) => {
+        let manifestAssetName = ctx.params?.manifestAsset;
         if (manifestAssetName === 'favicon.png') {
           manifestAssetName = `favicon_${this.options.domain
             .replace('.', '')

ts_swdash/plugins.ts

@@ -6,6 +6,9 @@ import { customElement, property, state } from 'lit/decorators.js';
 // DeesComms for push communication
 import * as deesComms from '@design.estate/dees-comms';
 
+// Dees-catalog for UI components
+import { DeesContextmenu } from '@design.estate/dees-catalog';
+
 export {
   LitElement,
   html,
@@ -14,6 +17,7 @@ export {
   property,
   state,
   deesComms,
+  DeesContextmenu,
 };
 
 export type { CSSResult, TemplateResult };

ts_swdash/sw-dash-requests.ts

@@ -1,4 +1,4 @@
-import { LitElement, html, css, property, state, customElement } from './plugins.js';
+import { LitElement, html, css, property, state, customElement, DeesContextmenu } from './plugins.js';
 import type { CSSResult, TemplateResult } from './plugins.js';
 import { sharedStyles, panelStyles, tableStyles, buttonStyles } from './sw-dash-styles.js';
 
@@ -237,6 +237,17 @@ export class SwDashRequests extends LitElement {
         background: var(--bg-tertiary);
         border-radius: var(--radius-sm);
         padding: var(--space-2);
+        cursor: pointer;
+        transition: background 0.15s ease;
+      }
+
+      .method-stat-card:hover {
+        background: var(--bg-secondary);
+      }
+
+      .method-stat-card.active {
+        background: rgba(99, 102, 241, 0.15);
+        border: 1px solid var(--accent-primary);
       }
 
       .method-stat-name {
@@ -504,6 +515,11 @@ export class SwDashRequests extends LitElement {
     // Local filtering - no HTTP request
   }
 
+  private setMethodFilter(method: string): void {
+    // Toggle: clicking the same method clears the filter
+    this.methodFilter = this.methodFilter === method ? '' : method;
+  }
+
   private handleSearch(e: Event): void {
     this.searchText = (e.target as HTMLInputElement).value.toLowerCase();
   }
@@ -546,6 +562,90 @@ export class SwDashRequests extends LitElement {
     this.modalOpen = true;
   }
 
+  private handleContextMenu(event: MouseEvent, group: IGroupedRequest): void {
+    // Build full message object for copying
+    const fullMessage = {
+      correlationId: group.correlationId,
+      method: group.method,
+      timestamp: group.timestamp,
+      durationMs: group.durationMs,
+      request: group.request ? {
+        direction: group.request.direction,
+        phase: group.request.phase,
+        timestamp: group.request.timestamp,
+        payload: group.request.payload,
+      } : null,
+      response: group.response ? {
+        direction: group.response.direction,
+        phase: group.response.phase,
+        timestamp: group.response.timestamp,
+        durationMs: group.response.durationMs,
+        payload: group.response.payload,
+        error: group.response.error,
+      } : null,
+    };
+
+    DeesContextmenu.openContextMenuWithOptions(event, [
+      {
+        name: 'Copy Full Message',
+        iconName: 'copy',
+        action: async () => {
+          await navigator.clipboard.writeText(JSON.stringify(fullMessage, null, 2));
+        },
+      },
+      {
+        name: 'Copy Request Payload',
+        iconName: 'upload',
+        disabled: !group.request,
+        action: async () => {
+          if (group.request) {
+            await navigator.clipboard.writeText(JSON.stringify(group.request.payload, null, 2));
+          }
+        },
+      },
+      {
+        name: 'Copy Response Payload',
+        iconName: 'download',
+        disabled: !group.response,
+        action: async () => {
+          if (group.response) {
+            await navigator.clipboard.writeText(JSON.stringify(group.response.payload, null, 2));
+          }
+        },
+      },
+      { divider: true },
+      {
+        name: 'Copy Correlation ID',
+        iconName: 'hash',
+        action: async () => {
+          await navigator.clipboard.writeText(group.correlationId);
+        },
+      },
+      {
+        name: 'Copy Method Name',
+        iconName: 'tag',
+        action: async () => {
+          await navigator.clipboard.writeText(group.method);
+        },
+      },
+      { divider: true },
+      {
+        name: 'Filter by Method',
+        iconName: 'filter',
+        action: async () => {
+          this.setMethodFilter(group.method);
+        },
+      },
+      {
+        name: 'Show Payload',
+        iconName: 'eye',
+        action: async () => {
+          this.openPayloadModal(group);
+        },
+      },
+    ]);
+  }
+
   private closeModal(): void {
     this.modalOpen = false;
     this.selectedGroup = null;
@@ -781,7 +881,10 @@ export class SwDashRequests extends LitElement {
           <div class="method-stats-title">Methods</div>
           <div class="method-stats-grid">
             ${Object.entries(this.stats.methodCounts).slice(0, 8).map(([method, data]) => html`
-              <div class="method-stat-card">
+              <div
+                class="method-stat-card ${this.methodFilter === method ? 'active' : ''}"
+                @click="${() => this.setMethodFilter(method)}"
+              >
                 <div class="method-stat-name" title="${method}">${method}</div>
                 <div class="method-stat-details">
                   <span>${data.requests} req</span>
@@ -813,9 +916,9 @@ export class SwDashRequests extends LitElement {
           </select>
 
           <span class="filter-label">Method:</span>
-          <select class="filter-select" @change="${this.handleMethodFilterChange}">
+          <select class="filter-select" .value="${this.methodFilter}" @change="${this.handleMethodFilterChange}">
             <option value="">All Methods</option>
-            ${this.methods.map(m => html`<option value="${m}">${m}</option>`)}
+            ${this.methods.map(m => html`<option value="${m}" ?selected="${this.methodFilter === m}">${m}</option>`)}
           </select>
 
           <input
@@ -838,7 +941,10 @@ export class SwDashRequests extends LitElement {
       ` : html`
         <div class="requests-list">
           ${groupedLogs.map(group => html`
-            <div class="request-card ${group.hasError ? 'has-error' : ''}">
+            <div
+              class="request-card ${group.hasError ? 'has-error' : ''}"
+              @contextmenu="${(e: MouseEvent) => this.handleContextMenu(e, group)}"
+            >
               <div class="request-header">
                 <div>
                   <div class="request-badges">