just-chat

A real-time multi-room chat platform built on a typed Socket.IO protocol — 16 client-to-server events and 13 server broadcasts sharing one strongly-typed contract with Zod-validated payloads across server and client. Identity is pinned at the WebSocket handshake from HMAC-SHA256-signed cookies verified with a timing-safe comparison and never trusted from the client, backing a dual guest/registered model where guests are first-class but RAM-only.

Rooms are alive: a single restart-safe sweeper drives a live/idle/sleeping/cleaned lifecycle from persisted activity timestamps (no per-room timers), and a deterministic, exponentially-decaying heat engine scores each room and streams incremental directory and heat deltas to subscribers. Messages persist to a 15-table SQLite schema (WAL, foreign keys, hand-rolled transactional migrations with a version-tracked runner) while a per-room in-memory ring buffer serves instant scrollback and stays coherent through edits and soft-deletes.

It runs as one Fastify + Socket.IO service hardened with a WebSocket-aware helmet CSP, credentialed CORS, rate limiting and structured logging, with the pure heat and lifecycle engines plus the HTTP, schema and socket flows covered by Vitest.