From 53ea3b86336885fe54f0f2987cf42adfcf8e2f3a Mon Sep 17 00:00:00 2001
From: CanLite24 <canlite24@outlook.com>
Date: Tue, 31 Mar 2026 19:55:35 -0600
Subject: [PATCH 1/3] scrambling

---
 index.js              |   3 +
 scrambleMiddleware.js | 493 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 496 insertions(+)
 create mode 100644 scrambleMiddleware.js

diff --git a/index.js b/index.js
index fcb5579..8421a78 100644
--- a/index.js
+++ b/index.js
@@ -19,6 +19,7 @@ import { RedisStore } from "connect-redis";
 import { setupCanScreen } from "./CanScreen.js"
 import pool from "./db.js";
 import cors from "cors";
+import { scrambleMiddleware, startSessionCleanup } from './scrambleMiddleware.js';
 import axios from "axios";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -87,6 +88,8 @@ app.use(
     sessionMiddleware
 );
 
+app.use(scrambleMiddleware);
+startSessionCleanup(redisClient);
 app.use(express.json({ limit: "50mb" }));
 app.use(express.urlencoded({ extended: true, limit: "50mb" }));
 
diff --git a/scrambleMiddleware.js b/scrambleMiddleware.js
new file mode 100644
index 0000000..7745279
--- /dev/null
+++ b/scrambleMiddleware.js
@@ -0,0 +1,493 @@
+/**
+ * scrambleMiddleware.js
+ *
+ * Express middleware that rewrites outgoing HTML/CSS/JS with session-unique
+ * random tokens so every user sees structurally different markup and code.
+ *
+ * Features:
+ *  - CSS class & ID scrambling (regex, fast)
+ *  - HTML attribute scrambling (class=, id=, inline <style>, inline <script>)
+ *  - Full JS variable/function/parameter renaming via acorn AST + astring
+ *  - DOM surface rewriting (getElementById, querySelector, classList, etc.)
+ *  - Session map reuse so CSS still matches HTML across requests
+ *  - Automatic session map expiry to prevent Redis bloat
+ *
+ * Install deps:
+ *   npm install acorn acorn-walk astring
+ *
+ * Usage in index.js (after session middleware, before static/routes):
+ *   import { scrambleMiddleware, startSessionCleanup } from './scrambleMiddleware.js';
+ *   app.use(scrambleMiddleware);
+ *   startSessionCleanup(redisClient);   // pass your existing redis client
+ */
+
+import crypto from 'crypto';
+import * as acorn from 'acorn';
+import * as walk from 'acorn-walk';
+import * as astring from 'astring';
+
+// ─── config ──────────────────────────────────────────────────────────────────
+
+// Session map TTL: maps older than this are wiped from the session.
+// Keeps Redis entries small — a user who hasn't visited in 30 min gets a
+// fresh map on their next request (fine, since it's just cosmetic scrambling).
+const MAP_TTL_MS = 30 * 60 * 1000; // 30 minutes
+
+// How often to scan Redis for stale session map entries (server-side cleanup).
+const CLEANUP_INTERVAL_MS = 10 * 60 * 1000; // every 10 minutes
+
+// CSS classes / IDs never scrambled (CDN framework names, etc.)
+const CLASS_WHITELIST = new Set([
+  'active', 'hidden', 'disabled', 'selected', 'open', 'closed',
+  'flex', 'grid', 'block', 'inline', 'relative', 'absolute', 'fixed',
+  'static', 'sticky', 'visible', 'invisible', 'overflow', 'truncate',
+  'container', 'row', 'col', 'sr-only',
+  // Add your Tailwind / Bootstrap utility classes here
+]);
+
+// JS identifiers never renamed by the AST pass
+const JS_WHITELIST = new Set([
+  // globals
+  'window','document','navigator','location','history','console','performance',
+  'fetch','XMLHttpRequest','WebSocket','EventSource','Worker','SharedWorker',
+  'localStorage','sessionStorage','indexedDB','caches','crypto',
+  'setTimeout','setInterval','clearTimeout','clearInterval','requestAnimationFrame',
+  'cancelAnimationFrame','queueMicrotask','Promise','Proxy','Reflect',
+  'JSON','Math','Date','RegExp','Error','Map','Set','WeakMap','WeakSet',
+  'Symbol','BigInt','ArrayBuffer','DataView','Uint8Array','Int8Array',
+  'Uint16Array','Int16Array','Uint32Array','Int32Array','Float32Array',
+  'Float64Array','Object','Array','String','Number','Boolean','Function',
+  'parseInt','parseFloat','isNaN','isFinite','encodeURIComponent',
+  'decodeURIComponent','encodeURI','decodeURI','atob','btoa','structuredClone',
+  'undefined','null','true','false','NaN','Infinity','globalThis','self',
+  // syntax keywords
+  'this','super','arguments','new','delete','typeof','instanceof','void',
+  'in','of','yield','await',
+  // DOM API methods & properties
+  'addEventListener','removeEventListener','dispatchEvent','preventDefault',
+  'stopPropagation','stopImmediatePropagation',
+  'querySelector','querySelectorAll','getElementById','getElementsByClassName',
+  'getElementsByTagName','closest','matches','contains',
+  'setAttribute','getAttribute','removeAttribute','hasAttribute',
+  'classList','className','id','style','dataset','innerHTML','outerHTML',
+  'innerText','textContent','value','checked','src','href','alt','title',
+  'parentNode','parentElement','children','childNodes','firstChild','lastChild',
+  'nextSibling','previousSibling','nextElementSibling','previousElementSibling',
+  'appendChild','removeChild','insertBefore','replaceChild','cloneNode',
+  'createElement','createTextNode','createDocumentFragment',
+  'getBoundingClientRect','offsetWidth','offsetHeight','scrollTop','scrollLeft',
+  'focus','blur','click','submit','reset',
+  'target','currentTarget','relatedTarget','key','keyCode','which',
+  'clientX','clientY','pageX','pageY','button','buttons','deltaY',
+  'type','name','placeholder','disabled','readonly','required','multiple',
+  'length','index','size','width','height','x','y','top','left','right','bottom',
+  // module
+  'default','module','exports','require','__dirname','__filename',
+  'import','export',
+  // common tiny names that are almost certainly framework-injected
+  'el','evt','cb','fn','e','i','j','k','n','v','s','t','d','p','r','c',
+]);
+
+// ─── token helpers ────────────────────────────────────────────────────────────
+
+const makeToken   = (prefix = 'c') => prefix + crypto.randomBytes(3).toString('hex');
+const makeJsToken = ()              => '_' + crypto.randomBytes(4).toString('hex');
+
+// ─── session map management ───────────────────────────────────────────────────
+
+function getSessionMap(req) {
+  const now = Date.now();
+
+  // Expire stale map — active users get their timestamp refreshed below,
+  // so this only fires for sessions that went quiet for MAP_TTL_MS.
+  if (req.session._scrTs && now - req.session._scrTs > MAP_TTL_MS) {
+    delete req.session._scrMaps;
+    delete req.session._scrTs;
+  }
+
+  if (!req.session._scrMaps) {
+    req.session._scrMaps = { css: {}, js: {} };
+  }
+
+  // Always refresh timestamp on activity
+  req.session._scrTs = now;
+
+  return req.session._scrMaps;
+}
+
+// ─── server-side Redis cleanup ────────────────────────────────────────────────
+
+/**
+ * Call once at startup. Periodically scans session keys in Redis and strips
+ * _scrMaps / _scrTs from sessions that haven't been active recently.
+ * This keeps per-session Redis payloads small without destroying the session.
+ *
+ * @param {import('redis').RedisClientType} redisClient
+ * @param {string} [prefix='myapp:']  — must match your RedisStore prefix
+ */
+export function startSessionCleanup(redisClient, prefix = 'myapp:') {
+  async function cleanup() {
+    try {
+      const now = Date.now();
+      let cursor = 0;
+      let cleaned = 0;
+
+      do {
+        const reply = await redisClient.scan(cursor, {
+          MATCH: `${prefix}sess:*`,   // connect-redis stores as prefix + "sess:" + id
+          COUNT: 200,
+        });
+
+        cursor = reply.cursor;
+
+        for (const key of reply.keys) {
+          try {
+            const raw = await redisClient.get(key);
+            if (!raw) continue;
+
+            const sess = JSON.parse(raw);
+            if (!sess._scrTs) continue;                    // never had a map
+            if (now - sess._scrTs <= MAP_TTL_MS) continue; // still fresh
+
+            delete sess._scrMaps;
+            delete sess._scrTs;
+
+            // Preserve whatever TTL the session key already has
+            const ttl = await redisClient.ttl(key);
+            const setOpts = ttl > 0 ? { EX: ttl } : {};
+            await redisClient.set(key, JSON.stringify(sess), setOpts);
+
+            cleaned++;
+          } catch (_) {
+            // Malformed or concurrently-deleted session — skip silently
+          }
+        }
+      } while (cursor !== 0);
+
+      if (cleaned > 0) {
+        console.log(`[scramble] stripped _scrMaps from ${cleaned} stale sessions`);
+      }
+    } catch (err) {
+      console.error('[scramble] cleanup error:', err);
+    }
+  }
+
+  cleanup(); // run immediately on startup
+  const handle = setInterval(cleanup, CLEANUP_INTERVAL_MS);
+  if (handle.unref) handle.unref(); // don't block process exit
+  return handle; // caller can clearInterval(handle) if needed
+}
+
+// ─── CSS scrambler ────────────────────────────────────────────────────────────
+
+function scrambleCSS(css, map) {
+  // .className
+  css = css.replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (full, name) => {
+    if (CLASS_WHITELIST.has(name)) return full;
+    if (!map.css[name]) map.css[name] = makeToken('c');
+    return '.' + map.css[name];
+  });
+
+  // #idName
+  css = css.replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g, (full, name) => {
+    if (CLASS_WHITELIST.has(name)) return full;
+    const key = '#' + name;
+    if (!map.css[key]) map.css[key] = makeToken('i');
+    return '#' + map.css[key];
+  });
+
+  return css;
+}
+
+// ─── DOM surface rewriter ─────────────────────────────────────────────────────
+
+/**
+ * Rewrites class/id *string literals* inside common DOM API calls so that
+ * JS references stay consistent with the scrambled HTML/CSS.
+ * Runs on the source text — either after AST rename or as standalone fallback.
+ */
+function domSurfaceRewrite(js, map) {
+  // getElementById('id')
+  js = js.replace(/getElementById\(['"]([^'"]+)['"]\)/g, (full, id) => {
+    const key = '#' + id;
+    if (!map.css[key]) map.css[key] = makeToken('i');
+    return `getElementById('${map.css[key]}')`;
+  });
+
+  // querySelector / querySelectorAll
+  js = js.replace(/(querySelectorAll?)\(['"]([^'"]+)['"]\)/g, (full, fn, sel) => {
+    const scrambled = sel
+      .replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, c) => {
+        if (CLASS_WHITELIST.has(c)) return m;
+        if (!map.css[c]) map.css[c] = makeToken('c');
+        return '.' + map.css[c];
+      })
+      .replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, id) => {
+        const key = '#' + id;
+        if (!map.css[key]) map.css[key] = makeToken('i');
+        return '#' + map.css[key];
+      });
+    return `${fn}('${scrambled}')`;
+  });
+
+  // classList.add/remove/toggle/contains/replace('cls')
+  js = js.replace(
+    /classList\.(add|remove|toggle|contains|replace)\(['"]([^'"]+)['"]\)/g,
+    (full, method, cls) => {
+      if (CLASS_WHITELIST.has(cls)) return full;
+      if (!map.css[cls]) map.css[cls] = makeToken('c');
+      return `classList.${method}('${map.css[cls]}')`;
+    }
+  );
+
+  // .className = 'foo bar'
+  js = js.replace(/\.className\s*=\s*['"]([^'"]*)['"]/g, (full, classes) => {
+    const scrambled = classes.split(/\s+/).map(c => {
+      if (!c || CLASS_WHITELIST.has(c)) return c;
+      if (!map.css[c]) map.css[c] = makeToken('c');
+      return map.css[c];
+    }).join(' ');
+    return `.className = '${scrambled}'`;
+  });
+
+  // setAttribute('class', 'foo bar')
+  js = js.replace(
+    /setAttribute\(['"]class['"]\s*,\s*['"]([^'"]*)['"]\)/g,
+    (full, classes) => {
+      const scrambled = classes.split(/\s+/).map(c => {
+        if (!c || CLASS_WHITELIST.has(c)) return c;
+        if (!map.css[c]) map.css[c] = makeToken('c');
+        return map.css[c];
+      }).join(' ');
+      return `setAttribute('class', '${scrambled}')`;
+    }
+  );
+
+  // setAttribute('id', 'foo')
+  js = js.replace(
+    /setAttribute\(['"]id['"]\s*,\s*['"]([^'"]*)['"]\)/g,
+    (full, id) => {
+      const key = '#' + id;
+      if (!map.css[key]) map.css[key] = makeToken('i');
+      return `setAttribute('id', '${map.css[key]}')`;
+    }
+  );
+
+  return js;
+}
+
+// ─── JS AST scrambler ────────────────────────────────────────────────────────
+
+function scrambleJS(src, map) {
+  let ast;
+  try {
+    ast = acorn.parse(src, {
+      ecmaVersion: 'latest',
+      sourceType: 'module',
+      allowImportExportEverywhere: true,
+      allowAwaitOutsideFunction: true,
+      allowReturnOutsideFunction: true,
+    });
+  } catch (_) {
+    // Unparseable snippet (template literal, partial chunk, etc.)
+    // Fall back to DOM-surface-only rewriting which is regex-safe.
+    return domSurfaceRewrite(src, map);
+  }
+
+  // ── scope-aware rename collection ────────────────────────────────────────
+  // nameAliases: scopeKey → scrambled name
+  // scopeKey = "varName@depth" so shadowed inner vars get independent names.
+  const nameAliases = new Map();
+
+  function scopeDepth(ancestors) {
+    return ancestors.filter(a =>
+      a.type === 'FunctionDeclaration'     ||
+      a.type === 'FunctionExpression'      ||
+      a.type === 'ArrowFunctionExpression' ||
+      a.type === 'BlockStatement'
+    ).length;
+  }
+
+  function declare(name, depth) {
+    if (JS_WHITELIST.has(name)) return;
+    const key = `${name}@${depth}`;
+    if (!nameAliases.has(key)) nameAliases.set(key, makeJsToken());
+  }
+
+  function resolve(name, depth) {
+    for (let d = depth; d >= 0; d--) {
+      const val = nameAliases.get(`${name}@${d}`);
+      if (val !== undefined) return val;
+    }
+    return null;
+  }
+
+  // Pass 1 — collect declarations
+  walk.ancestor(ast, {
+    VariableDeclarator(node, anc) {
+      const d = scopeDepth(anc);
+      const declarePattern = (pat) => {
+        if (!pat) return;
+        if (pat.type === 'Identifier') { declare(pat.name, d); return; }
+        if (pat.type === 'ObjectPattern') {
+          for (const p of pat.properties) declarePattern(p.value || p.argument);
+        }
+        if (pat.type === 'ArrayPattern') {
+          for (const el of pat.elements) declarePattern(el);
+        }
+        if (pat.type === 'AssignmentPattern') declarePattern(pat.left);
+        if (pat.type === 'RestElement')        declarePattern(pat.argument);
+      };
+      declarePattern(node.id);
+    },
+
+    FunctionDeclaration(node, anc) {
+      const d = scopeDepth(anc);
+      if (node.id) declare(node.id.name, d);
+      for (const p of node.params) {
+        if (p.type === 'Identifier') declare(p.name, d + 1);
+        if (p.type === 'AssignmentPattern' && p.left.type === 'Identifier')
+          declare(p.left.name, d + 1);
+        if (p.type === 'RestElement' && p.argument.type === 'Identifier')
+          declare(p.argument.name, d + 1);
+      }
+    },
+
+    FunctionExpression(node, anc) {
+      const d = scopeDepth(anc);
+      if (node.id) declare(node.id.name, d);
+      for (const p of node.params) {
+        if (p.type === 'Identifier') declare(p.name, d + 1);
+      }
+    },
+
+    ArrowFunctionExpression(node, anc) {
+      const d = scopeDepth(anc);
+      for (const p of node.params) {
+        if (p.type === 'Identifier') declare(p.name, d + 1);
+        if (p.type === 'AssignmentPattern' && p.left.type === 'Identifier')
+          declare(p.left.name, d + 1);
+      }
+    },
+
+    ClassDeclaration(node, anc) {
+      if (node.id) declare(node.id.name, scopeDepth(anc));
+    },
+
+    ImportDeclaration(node) {
+      for (const spec of node.specifiers) {
+        if (spec.local) declare(spec.local.name, 0);
+      }
+    },
+  });
+
+  // Pass 2 — rename usages
+  walk.ancestor(ast, {
+    Identifier(node, anc) {
+      if (JS_WHITELIST.has(node.name)) return;
+
+      // Skip property keys on member expressions (obj.foo) and object literals
+      const parent = anc[anc.length - 2];
+      if (parent) {
+        if (
+          (parent.type === 'MemberExpression' && parent.property === node && !parent.computed) ||
+          (parent.type === 'Property'         && parent.key === node      && !parent.computed) ||
+          (parent.type === 'MethodDefinition' && parent.key === node) ||
+          (parent.type === 'ImportSpecifier'  && parent.imported === node) ||
+          (parent.type === 'ExportSpecifier'  && parent.exported === node)
+        ) return;
+      }
+
+      const scrambled = resolve(node.name, scopeDepth(anc));
+      if (scrambled) node.name = scrambled;
+    },
+  });
+
+  // Re-serialise
+  let result;
+  try {
+    result = astring.generate(ast);
+  } catch (_) {
+    return domSurfaceRewrite(src, map);
+  }
+
+  // DOM surface pass to align class/id string literals with scrambled HTML
+  return domSurfaceRewrite(result, map);
+}
+
+// ─── HTML scrambler ───────────────────────────────────────────────────────────
+
+function scrambleHTML(html, map) {
+  // class="..." and class='...'
+  html = html.replace(/\bclass=(["'])([^"']*)\1/g, (full, q, classes) => {
+    const scrambled = classes.split(/\s+/).map(c => {
+      if (!c || CLASS_WHITELIST.has(c)) return c;
+      if (!map.css[c]) map.css[c] = makeToken('c');
+      return map.css[c];
+    }).join(' ');
+    return `class=${q}${scrambled}${q}`;
+  });
+
+  // id="..." and id='...'
+  html = html.replace(/\bid=(["'])([^"']*)\1/g, (full, q, id) => {
+    if (!id || CLASS_WHITELIST.has(id)) return full;
+    const key = '#' + id;
+    if (!map.css[key]) map.css[key] = makeToken('i');
+    return `id=${q}${map.css[key]}${q}`;
+  });
+
+  // Inline <style> blocks
+  html = html.replace(/(<style\b[^>]*>)([\s\S]*?)(<\/style>)/gi,
+    (_, open, style, close) => open + scrambleCSS(style, map) + close
+  );
+
+  // Inline <script> blocks — full AST rename
+  html = html.replace(/(<script\b[^>]*>)([\s\S]*?)(<\/script>)/gi,
+    (full, open, script, close) => {
+      if (!script.trim()) return full; // external script tag, no body
+      return open + scrambleJS(script, map) + close;
+    }
+  );
+
+  return html;
+}
+
+// ─── response interceptor ────────────────────────────────────────────────────
+
+function interceptResponse(req, res, map) {
+  const originalSend = res.send.bind(res);
+
+  res.send = function(body) {
+    if (typeof body !== 'string' && !Buffer.isBuffer(body)) {
+      return originalSend(body);
+    }
+
+    try {
+      const str = Buffer.isBuffer(body) ? body.toString('utf8') : body;
+      const ct  = (res.getHeader('Content-Type') || '').toLowerCase();
+
+      if (ct.includes('text/html'))  return originalSend(scrambleHTML(str, map));
+      if (ct.includes('text/css'))   return originalSend(scrambleCSS(str, map));
+      if (ct.includes('javascript')) return originalSend(scrambleJS(str, map));
+    } catch (e) {
+      console.error('[scramble] rewrite error:', e.message);
+    }
+
+    return originalSend(body);
+  };
+}
+
+// ─── middleware ───────────────────────────────────────────────────────────────
+
+const SKIP_EXT = /\.(png|jpg|jpeg|gif|webp|ico|woff2?|ttf|eot|svg|mp4|webm|json|xml|map|pdf)$/i;
+
+export function scrambleMiddleware(req, res, next) {
+  if (SKIP_EXT.test(req.path)) return next();
+  if (!req.session)             return next();
+
+  const map = getSessionMap(req);
+  interceptResponse(req, res, map);
+  next();
+}
+
+export default scrambleMiddleware;

From b8a6c1e82bbc079a8c0170d1d3070c823c845d2c Mon Sep 17 00:00:00 2001
From: CanLite24 <canlite24@outlook.com>
Date: Tue, 31 Mar 2026 20:10:45 -0600
Subject: [PATCH 2/3] Update scrambleMiddleware.js

---
 scrambleMiddleware.js | 474 ++++++++++++++++++------------------------
 1 file changed, 200 insertions(+), 274 deletions(-)

diff --git a/scrambleMiddleware.js b/scrambleMiddleware.js
index 7745279..3fb505f 100644
--- a/scrambleMiddleware.js
+++ b/scrambleMiddleware.js
@@ -1,282 +1,200 @@
 /**
  * scrambleMiddleware.js
  *
- * Express middleware that rewrites outgoing HTML/CSS/JS with session-unique
- * random tokens so every user sees structurally different markup and code.
- *
- * Features:
- *  - CSS class & ID scrambling (regex, fast)
- *  - HTML attribute scrambling (class=, id=, inline <style>, inline <script>)
- *  - Full JS variable/function/parameter renaming via acorn AST + astring
- *  - DOM surface rewriting (getElementById, querySelector, classList, etc.)
- *  - Session map reuse so CSS still matches HTML across requests
- *  - Automatic session map expiry to prevent Redis bloat
+ * Intercepts ALL outgoing HTML/CSS/JS — including res.render (EJS),
+ * res.sendFile (static), res.send, and res.end — and rewrites class names,
+ * IDs, and JS variable names with session-unique random tokens.
  *
  * Install deps:
  *   npm install acorn acorn-walk astring
  *
- * Usage in index.js (after session middleware, before static/routes):
+ * Usage in index.js (after sessionMiddleware, before static/routes):
  *   import { scrambleMiddleware, startSessionCleanup } from './scrambleMiddleware.js';
  *   app.use(scrambleMiddleware);
- *   startSessionCleanup(redisClient);   // pass your existing redis client
+ *   startSessionCleanup(redisClient);
  */
 
-import crypto from 'crypto';
-import * as acorn from 'acorn';
-import * as walk from 'acorn-walk';
-import * as astring from 'astring';
-
-// ─── config ──────────────────────────────────────────────────────────────────
+import crypto    from 'crypto';
+import fs        from 'node:fs/promises';
+import * as acorn    from 'acorn';
+import * as walk     from 'acorn-walk';
+import * as astring  from 'astring';
 
-// Session map TTL: maps older than this are wiped from the session.
-// Keeps Redis entries small — a user who hasn't visited in 30 min gets a
-// fresh map on their next request (fine, since it's just cosmetic scrambling).
-const MAP_TTL_MS = 30 * 60 * 1000; // 30 minutes
+// ─── config ───────────────────────────────────────────────────────────────────
 
-// How often to scan Redis for stale session map entries (server-side cleanup).
-const CLEANUP_INTERVAL_MS = 10 * 60 * 1000; // every 10 minutes
+const MAP_TTL_MS          = 30 * 60 * 1000;  // drop map after 30 min idle
+const CLEANUP_INTERVAL_MS = 10 * 60 * 1000;  // Redis scan every 10 min
 
-// CSS classes / IDs never scrambled (CDN framework names, etc.)
 const CLASS_WHITELIST = new Set([
-  'active', 'hidden', 'disabled', 'selected', 'open', 'closed',
-  'flex', 'grid', 'block', 'inline', 'relative', 'absolute', 'fixed',
-  'static', 'sticky', 'visible', 'invisible', 'overflow', 'truncate',
-  'container', 'row', 'col', 'sr-only',
-  // Add your Tailwind / Bootstrap utility classes here
+  'active','hidden','disabled','selected','open','closed',
+  'flex','grid','block','inline','relative','absolute','fixed',
+  'static','sticky','visible','invisible','overflow','truncate',
+  'container','row','col','sr-only',
 ]);
 
-// JS identifiers never renamed by the AST pass
 const JS_WHITELIST = new Set([
-  // globals
   'window','document','navigator','location','history','console','performance',
-  'fetch','XMLHttpRequest','WebSocket','EventSource','Worker','SharedWorker',
-  'localStorage','sessionStorage','indexedDB','caches','crypto',
-  'setTimeout','setInterval','clearTimeout','clearInterval','requestAnimationFrame',
-  'cancelAnimationFrame','queueMicrotask','Promise','Proxy','Reflect',
-  'JSON','Math','Date','RegExp','Error','Map','Set','WeakMap','WeakSet',
-  'Symbol','BigInt','ArrayBuffer','DataView','Uint8Array','Int8Array',
-  'Uint16Array','Int16Array','Uint32Array','Int32Array','Float32Array',
-  'Float64Array','Object','Array','String','Number','Boolean','Function',
-  'parseInt','parseFloat','isNaN','isFinite','encodeURIComponent',
-  'decodeURIComponent','encodeURI','decodeURI','atob','btoa','structuredClone',
+  'fetch','XMLHttpRequest','WebSocket','EventSource','Worker',
+  'localStorage','sessionStorage','indexedDB','crypto',
+  'setTimeout','setInterval','clearTimeout','clearInterval',
+  'requestAnimationFrame','cancelAnimationFrame','queueMicrotask',
+  'Promise','Proxy','Reflect','JSON','Math','Date','RegExp','Error',
+  'Map','Set','WeakMap','WeakSet','Symbol','BigInt','ArrayBuffer',
+  'Object','Array','String','Number','Boolean','Function',
+  'parseInt','parseFloat','isNaN','isFinite',
+  'encodeURIComponent','decodeURIComponent','encodeURI','decodeURI',
+  'atob','btoa','structuredClone',
   'undefined','null','true','false','NaN','Infinity','globalThis','self',
-  // syntax keywords
-  'this','super','arguments','new','delete','typeof','instanceof','void',
-  'in','of','yield','await',
-  // DOM API methods & properties
-  'addEventListener','removeEventListener','dispatchEvent','preventDefault',
-  'stopPropagation','stopImmediatePropagation',
-  'querySelector','querySelectorAll','getElementById','getElementsByClassName',
-  'getElementsByTagName','closest','matches','contains',
+  'this','super','arguments',
+  'addEventListener','removeEventListener','dispatchEvent',
+  'preventDefault','stopPropagation','stopImmediatePropagation',
+  'querySelector','querySelectorAll','getElementById',
+  'getElementsByClassName','getElementsByTagName','closest','matches',
   'setAttribute','getAttribute','removeAttribute','hasAttribute',
-  'classList','className','id','style','dataset','innerHTML','outerHTML',
-  'innerText','textContent','value','checked','src','href','alt','title',
-  'parentNode','parentElement','children','childNodes','firstChild','lastChild',
-  'nextSibling','previousSibling','nextElementSibling','previousElementSibling',
+  'classList','className','id','style','dataset',
+  'innerHTML','outerHTML','innerText','textContent',
+  'value','checked','src','href','alt','title','type','name',
+  'placeholder','disabled','readonly','required',
+  'parentNode','parentElement','children','childNodes',
   'appendChild','removeChild','insertBefore','replaceChild','cloneNode',
   'createElement','createTextNode','createDocumentFragment',
-  'getBoundingClientRect','offsetWidth','offsetHeight','scrollTop','scrollLeft',
-  'focus','blur','click','submit','reset',
-  'target','currentTarget','relatedTarget','key','keyCode','which',
-  'clientX','clientY','pageX','pageY','button','buttons','deltaY',
-  'type','name','placeholder','disabled','readonly','required','multiple',
-  'length','index','size','width','height','x','y','top','left','right','bottom',
-  // module
+  'getBoundingClientRect','offsetWidth','offsetHeight',
+  'scrollTop','scrollLeft','focus','blur','click','submit','reset',
+  'target','currentTarget','key','keyCode','clientX','clientY',
+  'length','width','height','top','left','right','bottom',
   'default','module','exports','require','__dirname','__filename',
-  'import','export',
-  // common tiny names that are almost certainly framework-injected
-  'el','evt','cb','fn','e','i','j','k','n','v','s','t','d','p','r','c',
+  // single-letter params that are almost certainly framework-injected
+  'e','i','j','k','n','v','s','t','d','p','r','c',
 ]);
 
 // ─── token helpers ────────────────────────────────────────────────────────────
 
-const makeToken   = (prefix = 'c') => prefix + crypto.randomBytes(3).toString('hex');
-const makeJsToken = ()              => '_' + crypto.randomBytes(4).toString('hex');
+const makeCssToken = (p = 'c') => p + crypto.randomBytes(3).toString('hex');
+const makeJsToken  = ()         => '_'  + crypto.randomBytes(4).toString('hex');
 
-// ─── session map management ───────────────────────────────────────────────────
+// ─── session map ──────────────────────────────────────────────────────────────
 
 function getSessionMap(req) {
   const now = Date.now();
-
-  // Expire stale map — active users get their timestamp refreshed below,
-  // so this only fires for sessions that went quiet for MAP_TTL_MS.
   if (req.session._scrTs && now - req.session._scrTs > MAP_TTL_MS) {
     delete req.session._scrMaps;
     delete req.session._scrTs;
   }
-
   if (!req.session._scrMaps) {
     req.session._scrMaps = { css: {}, js: {} };
   }
-
-  // Always refresh timestamp on activity
   req.session._scrTs = now;
-
   return req.session._scrMaps;
 }
 
-// ─── server-side Redis cleanup ────────────────────────────────────────────────
+// ─── Redis cleanup ────────────────────────────────────────────────────────────
 
-/**
- * Call once at startup. Periodically scans session keys in Redis and strips
- * _scrMaps / _scrTs from sessions that haven't been active recently.
- * This keeps per-session Redis payloads small without destroying the session.
- *
- * @param {import('redis').RedisClientType} redisClient
- * @param {string} [prefix='myapp:']  — must match your RedisStore prefix
- */
 export function startSessionCleanup(redisClient, prefix = 'myapp:') {
   async function cleanup() {
     try {
       const now = Date.now();
-      let cursor = 0;
-      let cleaned = 0;
-
+      let cursor = 0, cleaned = 0;
       do {
         const reply = await redisClient.scan(cursor, {
-          MATCH: `${prefix}sess:*`,   // connect-redis stores as prefix + "sess:" + id
+          MATCH: `${prefix}sess:*`,
           COUNT: 200,
         });
-
         cursor = reply.cursor;
-
         for (const key of reply.keys) {
           try {
             const raw = await redisClient.get(key);
             if (!raw) continue;
-
             const sess = JSON.parse(raw);
-            if (!sess._scrTs) continue;                    // never had a map
-            if (now - sess._scrTs <= MAP_TTL_MS) continue; // still fresh
-
+            if (!sess._scrTs || now - sess._scrTs <= MAP_TTL_MS) continue;
             delete sess._scrMaps;
             delete sess._scrTs;
-
-            // Preserve whatever TTL the session key already has
             const ttl = await redisClient.ttl(key);
-            const setOpts = ttl > 0 ? { EX: ttl } : {};
-            await redisClient.set(key, JSON.stringify(sess), setOpts);
-
+            await redisClient.set(key, JSON.stringify(sess), ttl > 0 ? { EX: ttl } : {});
             cleaned++;
-          } catch (_) {
-            // Malformed or concurrently-deleted session — skip silently
-          }
+          } catch (_) {}
         }
       } while (cursor !== 0);
-
-      if (cleaned > 0) {
-        console.log(`[scramble] stripped _scrMaps from ${cleaned} stale sessions`);
-      }
+      if (cleaned > 0) console.log(`[scramble] cleaned ${cleaned} stale session maps`);
     } catch (err) {
       console.error('[scramble] cleanup error:', err);
     }
   }
-
-  cleanup(); // run immediately on startup
-  const handle = setInterval(cleanup, CLEANUP_INTERVAL_MS);
-  if (handle.unref) handle.unref(); // don't block process exit
-  return handle; // caller can clearInterval(handle) if needed
+  cleanup();
+  const h = setInterval(cleanup, CLEANUP_INTERVAL_MS);
+  if (h.unref) h.unref();
+  return h;
 }
 
-// ─── CSS scrambler ────────────────────────────────────────────────────────────
+// ─── CSS ──────────────────────────────────────────────────────────────────────
 
 function scrambleCSS(css, map) {
-  // .className
   css = css.replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (full, name) => {
     if (CLASS_WHITELIST.has(name)) return full;
-    if (!map.css[name]) map.css[name] = makeToken('c');
+    if (!map.css[name]) map.css[name] = makeCssToken('c');
     return '.' + map.css[name];
   });
-
-  // #idName
   css = css.replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g, (full, name) => {
     if (CLASS_WHITELIST.has(name)) return full;
     const key = '#' + name;
-    if (!map.css[key]) map.css[key] = makeToken('i');
+    if (!map.css[key]) map.css[key] = makeCssToken('i');
     return '#' + map.css[key];
   });
-
   return css;
 }
 
-// ─── DOM surface rewriter ─────────────────────────────────────────────────────
+// ─── DOM surface (string literals in JS) ─────────────────────────────────────
 
-/**
- * Rewrites class/id *string literals* inside common DOM API calls so that
- * JS references stay consistent with the scrambled HTML/CSS.
- * Runs on the source text — either after AST rename or as standalone fallback.
- */
 function domSurfaceRewrite(js, map) {
-  // getElementById('id')
-  js = js.replace(/getElementById\(['"]([^'"]+)['"]\)/g, (full, id) => {
+  js = js.replace(/getElementById\(['"]([^'"]+)['"]\)/g, (_, id) => {
     const key = '#' + id;
-    if (!map.css[key]) map.css[key] = makeToken('i');
+    if (!map.css[key]) map.css[key] = makeCssToken('i');
     return `getElementById('${map.css[key]}')`;
   });
-
-  // querySelector / querySelectorAll
-  js = js.replace(/(querySelectorAll?)\(['"]([^'"]+)['"]\)/g, (full, fn, sel) => {
-    const scrambled = sel
+  js = js.replace(/(querySelectorAll?)\(['"]([^'"]+)['"]\)/g, (_, fn, sel) => {
+    const s = sel
       .replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, c) => {
         if (CLASS_WHITELIST.has(c)) return m;
-        if (!map.css[c]) map.css[c] = makeToken('c');
+        if (!map.css[c]) map.css[c] = makeCssToken('c');
         return '.' + map.css[c];
       })
       .replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, id) => {
         const key = '#' + id;
-        if (!map.css[key]) map.css[key] = makeToken('i');
+        if (!map.css[key]) map.css[key] = makeCssToken('i');
         return '#' + map.css[key];
       });
-    return `${fn}('${scrambled}')`;
+    return `${fn}('${s}')`;
   });
-
-  // classList.add/remove/toggle/contains/replace('cls')
-  js = js.replace(
-    /classList\.(add|remove|toggle|contains|replace)\(['"]([^'"]+)['"]\)/g,
+  js = js.replace(/classList\.(add|remove|toggle|contains|replace)\(['"]([^'"]+)['"]\)/g,
     (full, method, cls) => {
       if (CLASS_WHITELIST.has(cls)) return full;
-      if (!map.css[cls]) map.css[cls] = makeToken('c');
+      if (!map.css[cls]) map.css[cls] = makeCssToken('c');
       return `classList.${method}('${map.css[cls]}')`;
-    }
-  );
-
-  // .className = 'foo bar'
-  js = js.replace(/\.className\s*=\s*['"]([^'"]*)['"]/g, (full, classes) => {
-    const scrambled = classes.split(/\s+/).map(c => {
+    });
+  js = js.replace(/\.className\s*=\s*(['"])([^'"]*)\1/g, (_, q, classes) => {
+    const s = classes.split(/\s+/).map(c => {
       if (!c || CLASS_WHITELIST.has(c)) return c;
-      if (!map.css[c]) map.css[c] = makeToken('c');
+      if (!map.css[c]) map.css[c] = makeCssToken('c');
       return map.css[c];
     }).join(' ');
-    return `.className = '${scrambled}'`;
+    return `.className = ${q}${s}${q}`;
+  });
+  js = js.replace(/setAttribute\(['"]class['"]\s*,\s*(['"])([^'"]*)\1\)/g, (_, q, classes) => {
+    const s = classes.split(/\s+/).map(c => {
+      if (!c || CLASS_WHITELIST.has(c)) return c;
+      if (!map.css[c]) map.css[c] = makeCssToken('c');
+      return map.css[c];
+    }).join(' ');
+    return `setAttribute('class', '${s}')`;
+  });
+  js = js.replace(/setAttribute\(['"]id['"]\s*,\s*(['"])([^'"]*)\1\)/g, (_, q, id) => {
+    const key = '#' + id;
+    if (!map.css[key]) map.css[key] = makeCssToken('i');
+    return `setAttribute('id', '${map.css[key]}')`;
   });
-
-  // setAttribute('class', 'foo bar')
-  js = js.replace(
-    /setAttribute\(['"]class['"]\s*,\s*['"]([^'"]*)['"]\)/g,
-    (full, classes) => {
-      const scrambled = classes.split(/\s+/).map(c => {
-        if (!c || CLASS_WHITELIST.has(c)) return c;
-        if (!map.css[c]) map.css[c] = makeToken('c');
-        return map.css[c];
-      }).join(' ');
-      return `setAttribute('class', '${scrambled}')`;
-    }
-  );
-
-  // setAttribute('id', 'foo')
-  js = js.replace(
-    /setAttribute\(['"]id['"]\s*,\s*['"]([^'"]*)['"]\)/g,
-    (full, id) => {
-      const key = '#' + id;
-      if (!map.css[key]) map.css[key] = makeToken('i');
-      return `setAttribute('id', '${map.css[key]}')`;
-    }
-  );
-
   return js;
 }
 
-// ─── JS AST scrambler ────────────────────────────────────────────────────────
+// ─── JS AST rename ────────────────────────────────────────────────────────────
 
 function scrambleJS(src, map) {
   let ast;
@@ -289,18 +207,13 @@ function scrambleJS(src, map) {
       allowReturnOutsideFunction: true,
     });
   } catch (_) {
-    // Unparseable snippet (template literal, partial chunk, etc.)
-    // Fall back to DOM-surface-only rewriting which is regex-safe.
     return domSurfaceRewrite(src, map);
   }
 
-  // ── scope-aware rename collection ────────────────────────────────────────
-  // nameAliases: scopeKey → scrambled name
-  // scopeKey = "varName@depth" so shadowed inner vars get independent names.
-  const nameAliases = new Map();
+  const nameAliases = new Map(); // "name@depth" → scrambled
 
-  function scopeDepth(ancestors) {
-    return ancestors.filter(a =>
+  function scopeDepth(anc) {
+    return anc.filter(a =>
       a.type === 'FunctionDeclaration'     ||
       a.type === 'FunctionExpression'      ||
       a.type === 'ArrowFunctionExpression' ||
@@ -309,71 +222,48 @@ function scrambleJS(src, map) {
   }
 
   function declare(name, depth) {
-    if (JS_WHITELIST.has(name)) return;
+    if (!name || JS_WHITELIST.has(name)) return;
     const key = `${name}@${depth}`;
     if (!nameAliases.has(key)) nameAliases.set(key, makeJsToken());
   }
 
   function resolve(name, depth) {
     for (let d = depth; d >= 0; d--) {
-      const val = nameAliases.get(`${name}@${d}`);
-      if (val !== undefined) return val;
+      const v = nameAliases.get(`${name}@${d}`);
+      if (v !== undefined) return v;
     }
     return null;
   }
 
+  function declarePattern(pat, depth) {
+    if (!pat) return;
+    if (pat.type === 'Identifier')        { declare(pat.name, depth); return; }
+    if (pat.type === 'AssignmentPattern') { declarePattern(pat.left, depth); return; }
+    if (pat.type === 'RestElement')       { declarePattern(pat.argument, depth); return; }
+    if (pat.type === 'ObjectPattern')     { for (const p of pat.properties) declarePattern(p.value || p.argument, depth); return; }
+    if (pat.type === 'ArrayPattern')      { for (const el of pat.elements) declarePattern(el, depth); return; }
+  }
+
   // Pass 1 — collect declarations
   walk.ancestor(ast, {
-    VariableDeclarator(node, anc) {
-      const d = scopeDepth(anc);
-      const declarePattern = (pat) => {
-        if (!pat) return;
-        if (pat.type === 'Identifier') { declare(pat.name, d); return; }
-        if (pat.type === 'ObjectPattern') {
-          for (const p of pat.properties) declarePattern(p.value || p.argument);
-        }
-        if (pat.type === 'ArrayPattern') {
-          for (const el of pat.elements) declarePattern(el);
-        }
-        if (pat.type === 'AssignmentPattern') declarePattern(pat.left);
-        if (pat.type === 'RestElement')        declarePattern(pat.argument);
-      };
-      declarePattern(node.id);
-    },
-
+    VariableDeclarator(node, anc) { declarePattern(node.id, scopeDepth(anc)); },
     FunctionDeclaration(node, anc) {
       const d = scopeDepth(anc);
       if (node.id) declare(node.id.name, d);
-      for (const p of node.params) {
-        if (p.type === 'Identifier') declare(p.name, d + 1);
-        if (p.type === 'AssignmentPattern' && p.left.type === 'Identifier')
-          declare(p.left.name, d + 1);
-        if (p.type === 'RestElement' && p.argument.type === 'Identifier')
-          declare(p.argument.name, d + 1);
-      }
+      for (const p of node.params) declarePattern(p, d + 1);
     },
-
     FunctionExpression(node, anc) {
       const d = scopeDepth(anc);
       if (node.id) declare(node.id.name, d);
-      for (const p of node.params) {
-        if (p.type === 'Identifier') declare(p.name, d + 1);
-      }
+      for (const p of node.params) declarePattern(p, d + 1);
     },
-
     ArrowFunctionExpression(node, anc) {
       const d = scopeDepth(anc);
-      for (const p of node.params) {
-        if (p.type === 'Identifier') declare(p.name, d + 1);
-        if (p.type === 'AssignmentPattern' && p.left.type === 'Identifier')
-          declare(p.left.name, d + 1);
-      }
+      for (const p of node.params) declarePattern(p, d + 1);
     },
-
     ClassDeclaration(node, anc) {
       if (node.id) declare(node.id.name, scopeDepth(anc));
     },
-
     ImportDeclaration(node) {
       for (const spec of node.specifiers) {
         if (spec.local) declare(spec.local.name, 0);
@@ -381,100 +271,136 @@ function scrambleJS(src, map) {
     },
   });
 
-  // Pass 2 — rename usages
+  // Pass 2 — rewrite usages
   walk.ancestor(ast, {
     Identifier(node, anc) {
       if (JS_WHITELIST.has(node.name)) return;
-
-      // Skip property keys on member expressions (obj.foo) and object literals
       const parent = anc[anc.length - 2];
-      if (parent) {
-        if (
-          (parent.type === 'MemberExpression' && parent.property === node && !parent.computed) ||
-          (parent.type === 'Property'         && parent.key === node      && !parent.computed) ||
-          (parent.type === 'MethodDefinition' && parent.key === node) ||
-          (parent.type === 'ImportSpecifier'  && parent.imported === node) ||
-          (parent.type === 'ExportSpecifier'  && parent.exported === node)
-        ) return;
-      }
+      if (parent && (
+        (parent.type === 'MemberExpression' && parent.property === node && !parent.computed) ||
+        (parent.type === 'Property'         && parent.key      === node && !parent.computed) ||
+        (parent.type === 'MethodDefinition' && parent.key      === node) ||
+        (parent.type === 'ImportSpecifier'  && parent.imported === node) ||
+        (parent.type === 'ExportSpecifier'  && parent.exported === node)
+      )) return;
 
       const scrambled = resolve(node.name, scopeDepth(anc));
       if (scrambled) node.name = scrambled;
     },
   });
 
-  // Re-serialise
   let result;
-  try {
-    result = astring.generate(ast);
-  } catch (_) {
-    return domSurfaceRewrite(src, map);
-  }
+  try { result = astring.generate(ast); }
+  catch (_) { return domSurfaceRewrite(src, map); }
 
-  // DOM surface pass to align class/id string literals with scrambled HTML
   return domSurfaceRewrite(result, map);
 }
 
-// ─── HTML scrambler ───────────────────────────────────────────────────────────
+// ─── HTML ────────────────────────────────────────────────────────────────────
 
 function scrambleHTML(html, map) {
-  // class="..." and class='...'
-  html = html.replace(/\bclass=(["'])([^"']*)\1/g, (full, q, classes) => {
-    const scrambled = classes.split(/\s+/).map(c => {
+  html = html.replace(/\bclass=(["'])([^"']*)\1/g, (_, q, classes) => {
+    const s = classes.split(/\s+/).map(c => {
       if (!c || CLASS_WHITELIST.has(c)) return c;
-      if (!map.css[c]) map.css[c] = makeToken('c');
+      if (!map.css[c]) map.css[c] = makeCssToken('c');
       return map.css[c];
     }).join(' ');
-    return `class=${q}${scrambled}${q}`;
+    return `class=${q}${s}${q}`;
   });
-
-  // id="..." and id='...'
   html = html.replace(/\bid=(["'])([^"']*)\1/g, (full, q, id) => {
     if (!id || CLASS_WHITELIST.has(id)) return full;
     const key = '#' + id;
-    if (!map.css[key]) map.css[key] = makeToken('i');
+    if (!map.css[key]) map.css[key] = makeCssToken('i');
     return `id=${q}${map.css[key]}${q}`;
   });
-
-  // Inline <style> blocks
   html = html.replace(/(<style\b[^>]*>)([\s\S]*?)(<\/style>)/gi,
-    (_, open, style, close) => open + scrambleCSS(style, map) + close
-  );
-
-  // Inline <script> blocks — full AST rename
-  html = html.replace(/(<script\b[^>]*>)([\s\S]*?)(<\/script>)/gi,
+    (_, open, style, close) => open + scrambleCSS(style, map) + close);
+  html = html.replace(/(<script\b(?![^>]*\bsrc\b)[^>]*>)([\s\S]*?)(<\/script>)/gi,
     (full, open, script, close) => {
-      if (!script.trim()) return full; // external script tag, no body
+      if (!script.trim()) return full;
       return open + scrambleJS(script, map) + close;
-    }
-  );
-
+    });
   return html;
 }
 
-// ─── response interceptor ────────────────────────────────────────────────────
+// ─── content-type detection ───────────────────────────────────────────────────
+
+function getType(res) {
+  return (res.getHeader('Content-Type') || '').toLowerCase();
+}
+
+function rewrite(body, res, map) {
+  const ct = getType(res);
+  if (ct.includes('text/html'))  return scrambleHTML(body, map);
+  if (ct.includes('text/css'))   return scrambleCSS(body, map);
+  if (ct.includes('javascript')) return scrambleJS(body, map);
+  return null; // nothing to do
+}
 
-function interceptResponse(req, res, map) {
-  const originalSend = res.send.bind(res);
+// ─── THE FIX: patch all four outgoing paths ───────────────────────────────────
 
+function patchResponse(req, res, map) {
+
+  // ── 1. res.send ─────────────────────────────────────────────────────────────
+  const origSend = res.send.bind(res);
   res.send = function(body) {
-    if (typeof body !== 'string' && !Buffer.isBuffer(body)) {
-      return originalSend(body);
+    if (typeof body === 'string' || Buffer.isBuffer(body)) {
+      try {
+        const str = Buffer.isBuffer(body) ? body.toString('utf8') : body;
+        const out = rewrite(str, res, map);
+        if (out !== null) return origSend(out);
+      } catch (e) { console.error('[scramble] send error:', e.message); }
     }
+    return origSend(body);
+  };
 
-    try {
-      const str = Buffer.isBuffer(body) ? body.toString('utf8') : body;
-      const ct  = (res.getHeader('Content-Type') || '').toLowerCase();
-
-      if (ct.includes('text/html'))  return originalSend(scrambleHTML(str, map));
-      if (ct.includes('text/css'))   return originalSend(scrambleCSS(str, map));
-      if (ct.includes('javascript')) return originalSend(scrambleJS(str, map));
-    } catch (e) {
-      console.error('[scramble] rewrite error:', e.message);
+  // ── 2. res.end ──────────────────────────────────────────────────────────────
+  // EJS res.render() ultimately calls res.end() directly, bypassing res.send.
+  const origEnd = res.end.bind(res);
+  res.end = function(chunk, encoding, callback) {
+    if (chunk && (typeof chunk === 'string' || Buffer.isBuffer(chunk))) {
+      try {
+        const str = Buffer.isBuffer(chunk) ? chunk.toString('utf8') : chunk;
+        const out = rewrite(str, res, map);
+        if (out !== null) return origEnd(out, encoding, callback);
+      } catch (e) { console.error('[scramble] end error:', e.message); }
     }
+    return origEnd(chunk, encoding, callback);
+  };
 
-    return originalSend(body);
+  // ── 3. res.sendFile ─────────────────────────────────────────────────────────
+  // Static files (express.static, res.sendFile) stream directly from disk,
+  // completely bypassing send/end. We intercept by reading the file ourselves,
+  // rewriting, and sending it as a string response.
+  const origSendFile = res.sendFile.bind(res);
+  res.sendFile = function(filePath, options, callback) {
+    const ext = filePath.split('.').pop().toLowerCase();
+    const interesting = ['html','htm','css','js','mjs'];
+    if (!interesting.includes(ext)) {
+      return origSendFile(filePath, options, callback);
+    }
+
+    const typeMap = { html:'text/html', htm:'text/html', css:'text/css', js:'application/javascript', mjs:'application/javascript' };
+    const ct = typeMap[ext];
+
+    fs.readFile(filePath, 'utf8')
+      .then(content => {
+        res.setHeader('Content-Type', ct + '; charset=utf-8');
+        try {
+          const out = rewrite(content, res, map);
+          res.send(out !== null ? out : content);
+        } catch (e) {
+          console.error('[scramble] sendFile rewrite error:', e.message);
+          res.send(content);
+        }
+      })
+      .catch(() => origSendFile(filePath, options, callback)); // file not found etc — fall back
   };
+
+  // ── 4. res.render (EJS / template engines) ──────────────────────────────────
+  // Express sets Content-Type to text/html before calling res.end, so our
+  // patched res.end above already handles this. No extra work needed.
+  // (Verified: express/lib/response.js render → send → end chain.)
 }
 
 // ─── middleware ───────────────────────────────────────────────────────────────
@@ -486,8 +412,8 @@ export function scrambleMiddleware(req, res, next) {
   if (!req.session)             return next();
 
   const map = getSessionMap(req);
-  interceptResponse(req, res, map);
+  patchResponse(req, res, map);
   next();
 }
 
-export default scrambleMiddleware;
+export default scrambleMiddleware;
\ No newline at end of file

From f3903227df567852c69b3507a8082fcc131d72bf Mon Sep 17 00:00:00 2001
From: CanLite24 <canlite24@outlook.com>
Date: Tue, 31 Mar 2026 20:26:12 -0600
Subject: [PATCH 3/3] s

---
 index.js              |   5 +-
 scrambleMiddleware.js | 431 +++++++++++++++++++++---------------------
 2 files changed, 215 insertions(+), 221 deletions(-)

diff --git a/index.js b/index.js
index 8421a78..1e077d5 100644
--- a/index.js
+++ b/index.js
@@ -19,7 +19,7 @@ import { RedisStore } from "connect-redis";
 import { setupCanScreen } from "./CanScreen.js"
 import pool from "./db.js";
 import cors from "cors";
-import { scrambleMiddleware, startSessionCleanup } from './scrambleMiddleware.js';
+import { buildScrambleMap, scrambleMiddleware, startSessionCleanup } from './scrambleMiddleware.js';
 import axios from "axios";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -40,6 +40,9 @@ try {
 
 let newgames = [];
 const newgamesFilePath = path.join(__dirname, "new.json");
+await buildScrambleMap([
+  path.join(__dirname, 'static'),
+]);
 try {
   const data = fs.readFileSync(newgamesFilePath, "utf8");
   newgames = JSON.parse(data);
diff --git a/scrambleMiddleware.js b/scrambleMiddleware.js
index 3fb505f..d1c7c99 100644
--- a/scrambleMiddleware.js
+++ b/scrambleMiddleware.js
@@ -1,29 +1,43 @@
 /**
  * scrambleMiddleware.js
  *
- * Intercepts ALL outgoing HTML/CSS/JS — including res.render (EJS),
- * res.sendFile (static), res.send, and res.end — and rewrites class names,
- * IDs, and JS variable names with session-unique random tokens.
+ * Two-layer design:
+ *
+ *  Layer 1 — Global seed map (built once at startup)
+ *    Crawls all static/view files and assigns every class, id, and JS
+ *    identifier a stable internal key (e.g. "btn" → "__btn__").
+ *    This ensures CSS/JS/HTML all agree on what needs replacing.
+ *
+ *  Layer 2 — Per-session token map (generated on first request)
+ *    Each session independently maps every internal key to its own
+ *    random token (e.g. "__btn__" → "c3a9f1" for Alice, "c7f002" for Bob).
+ *    Stored in req.session._scrTokens.
+ *    Expires after MAP_TTL_MS of inactivity and is regenerated fresh.
+ *
+ *  Result: CSS/JS/HTML are all consistent for one user, but different
+ *  across users — even for the same file served at the same time.
  *
  * Install deps:
  *   npm install acorn acorn-walk astring
  *
- * Usage in index.js (after sessionMiddleware, before static/routes):
- *   import { scrambleMiddleware, startSessionCleanup } from './scrambleMiddleware.js';
- *   app.use(scrambleMiddleware);
- *   startSessionCleanup(redisClient);
+ * Usage in index.js:
+ *   import { buildScrambleMap, scrambleMiddleware, startSessionCleanup } from './scrambleMiddbleMiddleware.js';
+ *   await buildScrambleMap([path.join(__dirname, 'static'), path.join(__dirname, 'dist'), path.join(__dirname, 'views')]);
+ *   app.use(scrambleMiddleware);          // before express.static and routes
+ *   startSessionCleanup(redisClient);     // optional, keeps Redis lean
  */
 
-import crypto    from 'crypto';
-import fs        from 'node:fs/promises';
-import * as acorn    from 'acorn';
-import * as walk     from 'acorn-walk';
-import * as astring  from 'astring';
+import crypto   from 'crypto';
+import fs       from 'node:fs/promises';
+import path     from 'node:path';
+import * as acorn   from 'acorn';
+import * as walk    from 'acorn-walk';
+import * as astring from 'astring';
 
 // ─── config ───────────────────────────────────────────────────────────────────
 
-const MAP_TTL_MS          = 30 * 60 * 1000;  // drop map after 30 min idle
-const CLEANUP_INTERVAL_MS = 10 * 60 * 1000;  // Redis scan every 10 min
+const MAP_TTL_MS          = 30 * 60 * 1000;
+const CLEANUP_INTERVAL_MS = 10 * 60 * 1000;
 
 const CLASS_WHITELIST = new Set([
   'active','hidden','disabled','selected','open','closed',
@@ -63,28 +77,42 @@ const JS_WHITELIST = new Set([
   'target','currentTarget','key','keyCode','clientX','clientY',
   'length','width','height','top','left','right','bottom',
   'default','module','exports','require','__dirname','__filename',
-  // single-letter params that are almost certainly framework-injected
   'e','i','j','k','n','v','s','t','d','p','r','c',
 ]);
 
-// ─── token helpers ────────────────────────────────────────────────────────────
+// ─── Layer 1: global seed map ────────────────────────────────────────────────
+// seedCss: Set of class/id names found in source  (ids stored as "#name")
+// seedJs:  Set of JS identifier names found in source
+const seedCss = new Set();
+const seedJs  = new Set();
+let mapReady  = false;
 
-const makeCssToken = (p = 'c') => p + crypto.randomBytes(3).toString('hex');
-const makeJsToken  = ()         => '_'  + crypto.randomBytes(4).toString('hex');
+// ─── Layer 2: per-session token map ──────────────────────────────────────────
 
-// ─── session map ──────────────────────────────────────────────────────────────
+function makeSessionTokens() {
+  const css = {}, js = {};
+  for (const name of seedCss) {
+    const isId = name.startsWith('#');
+    css[name] = (isId ? 'i' : 'c') + crypto.randomBytes(3).toString('hex');
+  }
+  for (const name of seedJs) {
+    js[name] = '_' + crypto.randomBytes(4).toString('hex');
+  }
+  return { css, js };
+}
 
-function getSessionMap(req) {
+function getTokens(req) {
   const now = Date.now();
+  // Expire idle maps
   if (req.session._scrTs && now - req.session._scrTs > MAP_TTL_MS) {
-    delete req.session._scrMaps;
+    delete req.session._scrTokens;
     delete req.session._scrTs;
   }
-  if (!req.session._scrMaps) {
-    req.session._scrMaps = { css: {}, js: {} };
+  if (!req.session._scrTokens) {
+    req.session._scrTokens = makeSessionTokens();
   }
   req.session._scrTs = now;
-  return req.session._scrMaps;
+  return req.session._scrTokens;
 }
 
 // ─── Redis cleanup ────────────────────────────────────────────────────────────
@@ -95,10 +123,7 @@ export function startSessionCleanup(redisClient, prefix = 'myapp:') {
       const now = Date.now();
       let cursor = 0, cleaned = 0;
       do {
-        const reply = await redisClient.scan(cursor, {
-          MATCH: `${prefix}sess:*`,
-          COUNT: 200,
-        });
+        const reply = await redisClient.scan(cursor, { MATCH: `${prefix}sess:*`, COUNT: 200 });
         cursor = reply.cursor;
         for (const key of reply.keys) {
           try {
@@ -106,7 +131,7 @@ export function startSessionCleanup(redisClient, prefix = 'myapp:') {
             if (!raw) continue;
             const sess = JSON.parse(raw);
             if (!sess._scrTs || now - sess._scrTs <= MAP_TTL_MS) continue;
-            delete sess._scrMaps;
+            delete sess._scrTokens;
             delete sess._scrTs;
             const ttl = await redisClient.ttl(key);
             await redisClient.set(key, JSON.stringify(sess), ttl > 0 ? { EX: ttl } : {});
@@ -114,7 +139,7 @@ export function startSessionCleanup(redisClient, prefix = 'myapp:') {
           } catch (_) {}
         }
       } while (cursor !== 0);
-      if (cleaned > 0) console.log(`[scramble] cleaned ${cleaned} stale session maps`);
+      if (cleaned > 0) console.log(`[scramble] cleaned ${cleaned} stale session token maps`);
     } catch (err) {
       console.error('[scramble] cleanup error:', err);
     }
@@ -125,156 +150,154 @@ export function startSessionCleanup(redisClient, prefix = 'myapp:') {
   return h;
 }
 
-// ─── CSS ──────────────────────────────────────────────────────────────────────
+// ─── seed extraction (runs at startup) ───────────────────────────────────────
+
+function seedFromHTML(html) {
+  for (const [, classes] of html.matchAll(/\bclass=["']([^"']*)["']/g))
+    for (const c of classes.split(/\s+/))
+      if (c && !CLASS_WHITELIST.has(c)) seedCss.add(c);
+
+  for (const [, id] of html.matchAll(/\bid=["']([^"']+)["']/g))
+    if (!CLASS_WHITELIST.has(id)) seedCss.add('#' + id);
+
+  for (const [, style] of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi))
+    seedFromCSS(style);
+
+  for (const [, script] of html.matchAll(/<script\b(?![^>]*\bsrc\b)[^>]*>([\s\S]*?)<\/script>/gi))
+    if (script.trim()) seedFromJS(script);
+}
+
+function seedFromCSS(css) {
+  for (const [, name] of css.matchAll(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g))
+    if (!CLASS_WHITELIST.has(name)) seedCss.add(name);
+  for (const [, name] of css.matchAll(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g))
+    if (!CLASS_WHITELIST.has(name)) seedCss.add('#' + name);
+}
+
+function seedFromJS(src) {
+  let ast;
+  try {
+    ast = acorn.parse(src, {
+      ecmaVersion: 'latest', sourceType: 'module',
+      allowImportExportEverywhere: true,
+      allowAwaitOutsideFunction: true,
+      allowReturnOutsideFunction: true,
+    });
+  } catch { return; }
+
+  function declarePattern(pat) {
+    if (!pat) return;
+    if (pat.type === 'Identifier')        { if (!JS_WHITELIST.has(pat.name)) seedJs.add(pat.name); return; }
+    if (pat.type === 'AssignmentPattern') { declarePattern(pat.left); return; }
+    if (pat.type === 'RestElement')       { declarePattern(pat.argument); return; }
+    if (pat.type === 'ObjectPattern')     { for (const p of pat.properties) declarePattern(p.value || p.argument); return; }
+    if (pat.type === 'ArrayPattern')      { for (const el of pat.elements) declarePattern(el); return; }
+  }
+
+  walk.simple(ast, {
+    VariableDeclarator(node)      { declarePattern(node.id); },
+    FunctionDeclaration(node)     { if (node.id && !JS_WHITELIST.has(node.id.name)) seedJs.add(node.id.name); for (const p of node.params) declarePattern(p); },
+    FunctionExpression(node)      { if (node.id && !JS_WHITELIST.has(node.id.name)) seedJs.add(node.id.name); for (const p of node.params) declarePattern(p); },
+    ArrowFunctionExpression(node) { for (const p of node.params) declarePattern(p); },
+    ClassDeclaration(node)        { if (node.id && !JS_WHITELIST.has(node.id.name)) seedJs.add(node.id.name); },
+    ImportDeclaration(node)       { for (const s of node.specifiers) if (s.local && !JS_WHITELIST.has(s.local.name)) seedJs.add(s.local.name); },
+  });
+}
+
+async function listFiles(dir, exts) {
+  const results = [];
+  let entries;
+  try { entries = await fs.readdir(dir, { withFileTypes: true }); }
+  catch { return results; }
+  for (const entry of entries) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) results.push(...await listFiles(full, exts));
+    else if (exts.includes(path.extname(entry.name).toLowerCase())) results.push(full);
+  }
+  return results;
+}
+
+export async function buildScrambleMap(dirs) {
+  console.log('[scramble] seeding token map from source files...');
+  for (const dir of dirs) {
+    for (const f of await listFiles(dir, ['.html','.ejs','.htm','.css','.js','.mjs'])) {
+      try {
+        const src = await fs.readFile(f, 'utf8');
+        const ext = path.extname(f).toLowerCase();
+        if (['.html','.ejs','.htm'].includes(ext)) seedFromHTML(src);
+        else if (ext === '.css') seedFromCSS(src);
+        else seedFromJS(src);
+      } catch { /* skip unreadable */ }
+    }
+  }
+  console.log(`[scramble] seeded — ${seedCss.size} CSS names, ${seedJs.size} JS names`);
+  mapReady = true;
+}
+
+// ─── rewriters (take tokens as argument) ─────────────────────────────────────
 
-function scrambleCSS(css, map) {
+function rewriteCSS(css, tokens) {
   css = css.replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (full, name) => {
     if (CLASS_WHITELIST.has(name)) return full;
-    if (!map.css[name]) map.css[name] = makeCssToken('c');
-    return '.' + map.css[name];
+    return '.' + (tokens.css[name] || name);
   });
   css = css.replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g, (full, name) => {
     if (CLASS_WHITELIST.has(name)) return full;
-    const key = '#' + name;
-    if (!map.css[key]) map.css[key] = makeCssToken('i');
-    return '#' + map.css[key];
+    return '#' + (tokens.css['#' + name] || name);
   });
   return css;
 }
 
-// ─── DOM surface (string literals in JS) ─────────────────────────────────────
-
-function domSurfaceRewrite(js, map) {
-  js = js.replace(/getElementById\(['"]([^'"]+)['"]\)/g, (_, id) => {
-    const key = '#' + id;
-    if (!map.css[key]) map.css[key] = makeCssToken('i');
-    return `getElementById('${map.css[key]}')`;
+function domSurfaceRewrite(js, tokens) {
+  js = js.replace(/getElementById\(['"]([^'"]+)['"]\)/g, (full, id) => {
+    const t = tokens.css['#' + id];
+    return t ? `getElementById('${t}')` : full;
   });
-  js = js.replace(/(querySelectorAll?)\(['"]([^'"]+)['"]\)/g, (_, fn, sel) => {
+  js = js.replace(/(querySelectorAll?)\(['"]([^'"]+)['"]\)/g, (full, fn, sel) => {
     const s = sel
-      .replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, c) => {
-        if (CLASS_WHITELIST.has(c)) return m;
-        if (!map.css[c]) map.css[c] = makeCssToken('c');
-        return '.' + map.css[c];
-      })
-      .replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, id) => {
-        const key = '#' + id;
-        if (!map.css[key]) map.css[key] = makeCssToken('i');
-        return '#' + map.css[key];
-      });
+      .replace(/\.(-?[a-zA-Z_][a-zA-Z0-9_-]*)/g, (m, c) => CLASS_WHITELIST.has(c) ? m : '.' + (tokens.css[c] || c))
+      .replace(/#([a-zA-Z_][a-zA-Z0-9_-]*)/g,    (m, id) => '#' + (tokens.css['#' + id] || id));
     return `${fn}('${s}')`;
   });
   js = js.replace(/classList\.(add|remove|toggle|contains|replace)\(['"]([^'"]+)['"]\)/g,
     (full, method, cls) => {
       if (CLASS_WHITELIST.has(cls)) return full;
-      if (!map.css[cls]) map.css[cls] = makeCssToken('c');
-      return `classList.${method}('${map.css[cls]}')`;
+      const t = tokens.css[cls];
+      return t ? `classList.${method}('${t}')` : full;
     });
   js = js.replace(/\.className\s*=\s*(['"])([^'"]*)\1/g, (_, q, classes) => {
-    const s = classes.split(/\s+/).map(c => {
-      if (!c || CLASS_WHITELIST.has(c)) return c;
-      if (!map.css[c]) map.css[c] = makeCssToken('c');
-      return map.css[c];
-    }).join(' ');
+    const s = classes.split(/\s+/).map(c => (!c || CLASS_WHITELIST.has(c)) ? c : (tokens.css[c] || c)).join(' ');
     return `.className = ${q}${s}${q}`;
   });
   js = js.replace(/setAttribute\(['"]class['"]\s*,\s*(['"])([^'"]*)\1\)/g, (_, q, classes) => {
-    const s = classes.split(/\s+/).map(c => {
-      if (!c || CLASS_WHITELIST.has(c)) return c;
-      if (!map.css[c]) map.css[c] = makeCssToken('c');
-      return map.css[c];
-    }).join(' ');
+    const s = classes.split(/\s+/).map(c => (!c || CLASS_WHITELIST.has(c)) ? c : (tokens.css[c] || c)).join(' ');
     return `setAttribute('class', '${s}')`;
   });
   js = js.replace(/setAttribute\(['"]id['"]\s*,\s*(['"])([^'"]*)\1\)/g, (_, q, id) => {
-    const key = '#' + id;
-    if (!map.css[key]) map.css[key] = makeCssToken('i');
-    return `setAttribute('id', '${map.css[key]}')`;
+    const t = tokens.css['#' + id];
+    return t ? `setAttribute('id', '${t}')` : _;
   });
   return js;
 }
 
-// ─── JS AST rename ────────────────────────────────────────────────────────────
-
-function scrambleJS(src, map) {
+function rewriteJS(src, tokens) {
   let ast;
   try {
     ast = acorn.parse(src, {
-      ecmaVersion: 'latest',
-      sourceType: 'module',
+      ecmaVersion: 'latest', sourceType: 'module',
       allowImportExportEverywhere: true,
       allowAwaitOutsideFunction: true,
       allowReturnOutsideFunction: true,
     });
-  } catch (_) {
-    return domSurfaceRewrite(src, map);
+  } catch {
+    return domSurfaceRewrite(src, tokens);
   }
 
-  const nameAliases = new Map(); // "name@depth" → scrambled
-
-  function scopeDepth(anc) {
-    return anc.filter(a =>
-      a.type === 'FunctionDeclaration'     ||
-      a.type === 'FunctionExpression'      ||
-      a.type === 'ArrowFunctionExpression' ||
-      a.type === 'BlockStatement'
-    ).length;
-  }
-
-  function declare(name, depth) {
-    if (!name || JS_WHITELIST.has(name)) return;
-    const key = `${name}@${depth}`;
-    if (!nameAliases.has(key)) nameAliases.set(key, makeJsToken());
-  }
-
-  function resolve(name, depth) {
-    for (let d = depth; d >= 0; d--) {
-      const v = nameAliases.get(`${name}@${d}`);
-      if (v !== undefined) return v;
-    }
-    return null;
-  }
-
-  function declarePattern(pat, depth) {
-    if (!pat) return;
-    if (pat.type === 'Identifier')        { declare(pat.name, depth); return; }
-    if (pat.type === 'AssignmentPattern') { declarePattern(pat.left, depth); return; }
-    if (pat.type === 'RestElement')       { declarePattern(pat.argument, depth); return; }
-    if (pat.type === 'ObjectPattern')     { for (const p of pat.properties) declarePattern(p.value || p.argument, depth); return; }
-    if (pat.type === 'ArrayPattern')      { for (const el of pat.elements) declarePattern(el, depth); return; }
-  }
-
-  // Pass 1 — collect declarations
-  walk.ancestor(ast, {
-    VariableDeclarator(node, anc) { declarePattern(node.id, scopeDepth(anc)); },
-    FunctionDeclaration(node, anc) {
-      const d = scopeDepth(anc);
-      if (node.id) declare(node.id.name, d);
-      for (const p of node.params) declarePattern(p, d + 1);
-    },
-    FunctionExpression(node, anc) {
-      const d = scopeDepth(anc);
-      if (node.id) declare(node.id.name, d);
-      for (const p of node.params) declarePattern(p, d + 1);
-    },
-    ArrowFunctionExpression(node, anc) {
-      const d = scopeDepth(anc);
-      for (const p of node.params) declarePattern(p, d + 1);
-    },
-    ClassDeclaration(node, anc) {
-      if (node.id) declare(node.id.name, scopeDepth(anc));
-    },
-    ImportDeclaration(node) {
-      for (const spec of node.specifiers) {
-        if (spec.local) declare(spec.local.name, 0);
-      }
-    },
-  });
-
-  // Pass 2 — rewrite usages
   walk.ancestor(ast, {
     Identifier(node, anc) {
       if (JS_WHITELIST.has(node.name)) return;
+      const t = tokens.js[node.name];
+      if (!t) return;
       const parent = anc[anc.length - 2];
       if (parent && (
         (parent.type === 'MemberExpression' && parent.property === node && !parent.computed) ||
@@ -283,124 +306,91 @@ function scrambleJS(src, map) {
         (parent.type === 'ImportSpecifier'  && parent.imported === node) ||
         (parent.type === 'ExportSpecifier'  && parent.exported === node)
       )) return;
-
-      const scrambled = resolve(node.name, scopeDepth(anc));
-      if (scrambled) node.name = scrambled;
+      node.name = t;
     },
   });
 
   let result;
   try { result = astring.generate(ast); }
-  catch (_) { return domSurfaceRewrite(src, map); }
-
-  return domSurfaceRewrite(result, map);
+  catch { return domSurfaceRewrite(src, tokens); }
+  return domSurfaceRewrite(result, tokens);
 }
 
-// ─── HTML ────────────────────────────────────────────────────────────────────
-
-function scrambleHTML(html, map) {
+function rewriteHTML(html, tokens) {
   html = html.replace(/\bclass=(["'])([^"']*)\1/g, (_, q, classes) => {
-    const s = classes.split(/\s+/).map(c => {
-      if (!c || CLASS_WHITELIST.has(c)) return c;
-      if (!map.css[c]) map.css[c] = makeCssToken('c');
-      return map.css[c];
-    }).join(' ');
+    const s = classes.split(/\s+/).map(c => (!c || CLASS_WHITELIST.has(c)) ? c : (tokens.css[c] || c)).join(' ');
     return `class=${q}${s}${q}`;
   });
   html = html.replace(/\bid=(["'])([^"']*)\1/g, (full, q, id) => {
     if (!id || CLASS_WHITELIST.has(id)) return full;
-    const key = '#' + id;
-    if (!map.css[key]) map.css[key] = makeCssToken('i');
-    return `id=${q}${map.css[key]}${q}`;
+    const t = tokens.css['#' + id];
+    return t ? `id=${q}${t}${q}` : full;
   });
   html = html.replace(/(<style\b[^>]*>)([\s\S]*?)(<\/style>)/gi,
-    (_, open, style, close) => open + scrambleCSS(style, map) + close);
+    (_, open, style, close) => open + rewriteCSS(style, tokens) + close);
   html = html.replace(/(<script\b(?![^>]*\bsrc\b)[^>]*>)([\s\S]*?)(<\/script>)/gi,
     (full, open, script, close) => {
       if (!script.trim()) return full;
-      return open + scrambleJS(script, map) + close;
+      return open + rewriteJS(script, tokens) + close;
     });
   return html;
 }
 
-// ─── content-type detection ───────────────────────────────────────────────────
-
-function getType(res) {
-  return (res.getHeader('Content-Type') || '').toLowerCase();
-}
-
-function rewrite(body, res, map) {
-  const ct = getType(res);
-  if (ct.includes('text/html'))  return scrambleHTML(body, map);
-  if (ct.includes('text/css'))   return scrambleCSS(body, map);
-  if (ct.includes('javascript')) return scrambleJS(body, map);
-  return null; // nothing to do
-}
-
-// ─── THE FIX: patch all four outgoing paths ───────────────────────────────────
-
-function patchResponse(req, res, map) {
+// ─── response patcher ────────────────────────────────────────────────────────
+
+function patchResponse(res, tokens) {
+  function tryRewrite(body, ct) {
+    if (!body) return null;
+    const str = Buffer.isBuffer(body) ? body.toString('utf8') : body;
+    if (typeof str !== 'string') return null;
+    const t = ct.toLowerCase();
+    if (t.includes('text/html'))  return rewriteHTML(str, tokens);
+    if (t.includes('text/css'))   return rewriteCSS(str, tokens);
+    if (t.includes('javascript')) return rewriteJS(str, tokens);
+    return null;
+  }
 
-  // ── 1. res.send ─────────────────────────────────────────────────────────────
+  // res.send
   const origSend = res.send.bind(res);
   res.send = function(body) {
-    if (typeof body === 'string' || Buffer.isBuffer(body)) {
-      try {
-        const str = Buffer.isBuffer(body) ? body.toString('utf8') : body;
-        const out = rewrite(str, res, map);
-        if (out !== null) return origSend(out);
-      } catch (e) { console.error('[scramble] send error:', e.message); }
-    }
+    try {
+      const out = tryRewrite(body, res.getHeader('Content-Type') || '');
+      if (out !== null) return origSend(out);
+    } catch (e) { console.error('[scramble] send:', e.message); }
     return origSend(body);
   };
 
-  // ── 2. res.end ──────────────────────────────────────────────────────────────
-  // EJS res.render() ultimately calls res.end() directly, bypassing res.send.
+  // res.end  (EJS render, anything bypassing send)
   const origEnd = res.end.bind(res);
-  res.end = function(chunk, encoding, callback) {
-    if (chunk && (typeof chunk === 'string' || Buffer.isBuffer(chunk))) {
-      try {
-        const str = Buffer.isBuffer(chunk) ? chunk.toString('utf8') : chunk;
-        const out = rewrite(str, res, map);
-        if (out !== null) return origEnd(out, encoding, callback);
-      } catch (e) { console.error('[scramble] end error:', e.message); }
-    }
-    return origEnd(chunk, encoding, callback);
+  res.end = function(chunk, encoding, cb) {
+    try {
+      const out = tryRewrite(chunk, res.getHeader('Content-Type') || '');
+      if (out !== null) return origEnd(out, encoding, cb);
+    } catch (e) { console.error('[scramble] end:', e.message); }
+    return origEnd(chunk, encoding, cb);
   };
 
-  // ── 3. res.sendFile ─────────────────────────────────────────────────────────
-  // Static files (express.static, res.sendFile) stream directly from disk,
-  // completely bypassing send/end. We intercept by reading the file ourselves,
-  // rewriting, and sending it as a string response.
+  // res.sendFile  (static file streaming, bypasses send+end entirely)
   const origSendFile = res.sendFile.bind(res);
   res.sendFile = function(filePath, options, callback) {
-    const ext = filePath.split('.').pop().toLowerCase();
-    const interesting = ['html','htm','css','js','mjs'];
-    if (!interesting.includes(ext)) {
-      return origSendFile(filePath, options, callback);
-    }
-
-    const typeMap = { html:'text/html', htm:'text/html', css:'text/css', js:'application/javascript', mjs:'application/javascript' };
-    const ct = typeMap[ext];
+    const ext = path.extname(filePath).toLowerCase();
+    const ctMap = { '.html':'text/html', '.htm':'text/html', '.css':'text/css', '.js':'application/javascript', '.mjs':'application/javascript' };
+    const ct = ctMap[ext];
+    if (!ct) return origSendFile(filePath, options, callback);
 
     fs.readFile(filePath, 'utf8')
-      .then(content => {
+      .then(src => {
         res.setHeader('Content-Type', ct + '; charset=utf-8');
         try {
-          const out = rewrite(content, res, map);
-          res.send(out !== null ? out : content);
+          const out = tryRewrite(src, ct);
+          origSend(out !== null ? out : src);
         } catch (e) {
-          console.error('[scramble] sendFile rewrite error:', e.message);
-          res.send(content);
+          console.error('[scramble] sendFile rewrite:', e.message);
+          origSend(src);
         }
       })
-      .catch(() => origSendFile(filePath, options, callback)); // file not found etc — fall back
+      .catch(() => origSendFile(filePath, options, callback));
   };
-
-  // ── 4. res.render (EJS / template engines) ──────────────────────────────────
-  // Express sets Content-Type to text/html before calling res.end, so our
-  // patched res.end above already handles this. No extra work needed.
-  // (Verified: express/lib/response.js render → send → end chain.)
 }
 
 // ─── middleware ───────────────────────────────────────────────────────────────
@@ -408,11 +398,12 @@ function patchResponse(req, res, map) {
 const SKIP_EXT = /\.(png|jpg|jpeg|gif|webp|ico|woff2?|ttf|eot|svg|mp4|webm|json|xml|map|pdf)$/i;
 
 export function scrambleMiddleware(req, res, next) {
+  if (!mapReady)               return next();
   if (SKIP_EXT.test(req.path)) return next();
-  if (!req.session)             return next();
+  if (!req.session)            return next();
 
-  const map = getSessionMap(req);
-  patchResponse(req, res, map);
+  const tokens = getTokens(req);   // per-session, lazily created
+  patchResponse(res, tokens);
   next();
 }