@bractjs/bractjs 0.1.5 → 0.1.6

package/src/__tests__/session.test.ts

@@ -3,7 +3,7 @@ import { createCookieSession } from "../server/session.ts";
 
 const sessionStorage = createCookieSession({
   name: "__test",
-  secrets: ["secret-one", "secret-two"],
+  secrets: ["secret-one-1234567890", "secret-two-1234567890"],
   secure: false,
   sameSite: "Lax",
 });
@@ -71,7 +71,7 @@ describe("createCookieSession — commitSession + roundtrip", () => {
   test("secret rotation: old secret still verifies", async () => {
     const oldStorage = createCookieSession({
       name: "__test",
-      secrets: ["secret-two"], // only the old secret
+      secrets: ["secret-two-1234567890"], // only the old secret
       secure: false,
     });
     const s1 = await oldStorage.getSession(null);
@@ -81,7 +81,7 @@ describe("createCookieSession — commitSession + roundtrip", () => {
     // New storage has new secret first, old secret second (rotation)
     const newStorage = createCookieSession({
       name: "__test",
-      secrets: ["secret-one", "secret-two"],
+      secrets: ["secret-one-1234567890", "secret-two-1234567890"],
       secure: false,
     });
     const cookieValue = cookie.split(";")[0];

package/src/build/bundler.ts

@@ -1,4 +1,4 @@
-import { join } from "node:path";
+import { join, basename, extname, resolve } from "node:path";
 import { rename } from "node:fs/promises";
 import type { BractJSConfig } from "../server/serve.ts";
 import { scanRoutes } from "../server/scanner.ts";
@@ -47,6 +47,10 @@ export async function runBuild(config: BractJSConfig): Promise<void> {
   const routeChunks = new Map<string, string>();
   let clientEntry = "";
   let rootChunk: string | undefined;
+  const outdirAbs = resolve("build/client");
+  const appDirClean = appDir.replace(/^\.\//, "");
+  const entryBase = basename("src/client/entry.tsx", extname("src/client/entry.tsx")); // "entry"
+  const rootBase = basename(rootFilePath, extname(rootFilePath)); // "root"
 
   for (const artifact of clientResult.outputs) {
     if (artifact.kind !== "chunk" && artifact.kind !== "entry-point") continue;
@@ -57,13 +61,19 @@ export async function runBuild(config: BractJSConfig): Promise<void> {
     await rename(artifact.path, hashedPath);
 
     const publicPath = "/" + hashedPath.replace(/^build\//, "build/");
-    if (artifact.kind === "entry-point" && artifact.path.includes("entry")) {
+    const absPath = resolve(artifact.path);
+    const rel = absPath.startsWith(outdirAbs + "/") ? absPath.slice(outdirAbs.length + 1) : basename(artifact.path);
+    const outBase = basename(artifact.path, extname(artifact.path));
+
+    if (artifact.kind === "entry-point" && outBase === entryBase) {
       clientEntry = publicPath;
-    } else if (artifact.kind === "entry-point" && artifact.path.includes("root")) {
+    } else if (artifact.kind === "entry-point" && outBase === rootBase) {
       rootChunk = publicPath;
     } else {
-      // Map route file path back to URL pattern
-      const matched = routes.find((r) => artifact.path.includes(r.filePath.replace("./", "")));
+      const matched = routes.find((r) => {
+        const expected = join(appDirClean, r.filePath).replace(/\.[^.]+$/, ".js");
+        return rel === expected;
+      });
       if (matched) routeChunks.set(matched.urlPattern, publicPath);
     }
   }

package/src/build/directives.ts

@@ -3,10 +3,37 @@ import type { BunPlugin } from "bun";
 const CLIENT_RE = /^["']use client["']/m;
 const SERVER_RE = /^["']use server["']/m;
 
+// Strip a UTF-8 BOM and any leading ASCII whitespace before testing the
+// directive regex. Editors that save files with BOM otherwise let "use server"
+// fall through and ship server code to the client bundle.
+function normalizeForDirectiveCheck(src: string): string {
+  return src.replace(/^/, "").replace(/^\s+/, "");
+}
+function hasClientDirective(src: string): boolean {
+  return CLIENT_RE.test(normalizeForDirectiveCheck(src));
+}
+function hasServerDirective(src: string): boolean {
+  return SERVER_RE.test(normalizeForDirectiveCheck(src));
+}
+
 function extractExports(src: string): string[] {
   const names: string[] = [];
   for (const m of src.matchAll(/^export\s+(?:async\s+)?function\s+(\w+)/gm)) names.push(m[1]);
-  for (const m of src.matchAll(/^export\s+(?:let|const)\s+(\w+)\s*=/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s+(?:let|const|var)\s+(\w+)\s*=/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s+default\s+(?:async\s+)?function\s+(\w+)/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s+class\s+(\w+)/gm)) names.push(m[1]);
+  for (const m of src.matchAll(/^export\s*\{([^}]+)\}/gm)) {
+    for (const part of m[1].split(",")) {
+      const trimmed = part.trim();
+      if (!trimmed) continue;
+      const asMatch = trimmed.match(/\bas\s+(\w+)$/);
+      if (asMatch) names.push(asMatch[1]);
+      else {
+        const idMatch = trimmed.match(/^(\w+)/);
+        if (idMatch) names.push(idMatch[1]);
+      }
+    }
+  }
   return names;
 }
 
@@ -25,7 +52,7 @@ export const useClientStubPlugin: BunPlugin = {
   setup(build) {
     build.onLoad({ filter: /\.(tsx?|jsx?)$/ }, async ({ path }) => {
       const src = await Bun.file(path).text();
-      if (!CLIENT_RE.test(src)) return undefined;
+      if (!hasClientDirective(src)) return undefined;
       const stubs = extractExports(src).map((n) => `export const ${n} = () => null;`).join("\n");
       return { contents: stubs || "export {};", loader: "ts" };
     });
@@ -52,7 +79,7 @@ export const useServerProxyPlugin: BunPlugin = {
   setup(build) {
     build.onLoad({ filter: /\.(tsx?|jsx?)$/ }, async ({ path }) => {
       const src = await Bun.file(path).text();
-      if (!SERVER_RE.test(src)) return undefined;
+      if (!hasServerDirective(src)) return undefined;
       const names = extractExports(src);
       if (names.length === 0) return { contents: "export {};", loader: "ts" };
       const proxies = await Promise.all(

package/src/build/env-plugin.ts

@@ -41,6 +41,7 @@ export function clientEnvPlugin(
     name: "bractjs-client-env",
     setup(build) {
       build.onLoad({ filter: /\.(ts|tsx|js|jsx)$/ }, async (args) => {
+        if (args.path.includes("/node_modules/")) return undefined;
         const src = await Bun.file(args.path).text();
         const contents = src.replace(
           /process\.env\.([A-Z_][A-Z0-9_]*)/g,

package/src/build/hash.ts

@@ -1,5 +1,4 @@
 import { extname, basename, dirname, join } from "node:path";
-import { test, expect } from "bun:test";
 
 // ── Helpers ────────────────────────────────────────────────────────────────
 
@@ -35,22 +34,3 @@ export async function renameWithHash(filePath: string): Promise<string> {
   const base = basename(filePath, ext);
   return join(dirname(filePath), `${base}.${hash}${ext}`);
 }
-
-// ── Tests ──────────────────────────────────────────────────────────────────
-
-test("same content → same hash", async () => {
-  const a = await hashString("hello world");
-  const b = await hashString("hello world");
-  expect(a).toBe(b);
-});
-
-test("different content → different hash", async () => {
-  const a = await hashString("foo");
-  const b = await hashString("bar");
-  expect(a).not.toBe(b);
-});
-
-test("hash is 8 hex chars", async () => {
-  const h = await hashString("bractjs");
-  expect(h).toMatch(/^[0-9a-f]{8}$/);
-});

package/src/client/ClientRouter.tsx

@@ -68,8 +68,10 @@ export function ClientRouter({ children, initialData, initialModule = null }: Cl
         setPathname(to);
         setCurrentModule(routeModule);
       });
-      if ((data.meta as { title?: string })?.title) {
-        document.title = (data.meta as { title: string }).title;
+      const metaList = data.meta as Array<Record<string, unknown>> | undefined;
+      const titleEntry = metaList?.find((m) => "title" in m);
+      if (titleEntry && typeof titleEntry.title === "string") {
+        document.title = titleEntry.title;
       }
     } catch (err) {
       console.error("[bractjs] loadRoute error:", err);
@@ -93,9 +95,11 @@ export function ClientRouter({ children, initialData, initialModule = null }: Cl
   // Module-level HMR: swap the current route module without a full reload.
   // The injected HMR client script calls window.__BRACTJS_HMR_ACCEPT__(pattern, mod)
   // after importing the freshly-built chunk from /_hmr/module.
+  // Dev gate: prod builds inject __BRACT_DEV__ = false; absence in browser also
+  // counts as prod since we never reference `process` here.
   useEffect(() => {
-    if (process.env.NODE_ENV === "production") return;
-    const w = window as unknown as { __BRACTJS_HMR_ACCEPT__?: unknown };
+    const w = window as unknown as { __BRACT_DEV__?: boolean; __BRACTJS_HMR_ACCEPT__?: unknown };
+    if (w.__BRACT_DEV__ !== true) return;
     w.__BRACTJS_HMR_ACCEPT__ = (pattern: string, mod: RouteModuleClient) => {
       const current = matchPatternForPath(pathname, manifest);
       if (current === pattern) startTransition(() => setCurrentModule(mod));

package/src/codegen/route-codegen.ts

@@ -29,23 +29,44 @@ function substituteParams(pattern: string, params: string[]): string {
   ).join("/");
 }
 
+// Allowed pattern: "/" + (segment | ":ident") (segments are filename-derived).
+// Restricting upfront removes any chance that a hostile filename injects a
+// backtick, ${ }, or quote into the generated TS source.
+const SAFE_PATTERN_RE = /^\/(?:[A-Za-z0-9_\-]+|:[A-Za-z_][A-Za-z0-9_]*)(?:\/(?:[A-Za-z0-9_\-]+|:[A-Za-z_][A-Za-z0-9_]*))*$|^\/$/;
+const SAFE_IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+
+function assertSafePattern(pattern: string): void {
+  if (!SAFE_PATTERN_RE.test(pattern)) {
+    throw new Error(`[bractjs] codegen: refusing to emit unsafe route pattern: ${JSON.stringify(pattern)}`);
+  }
+}
+function assertSafeParam(name: string): void {
+  if (!SAFE_IDENT_RE.test(name)) {
+    throw new Error(`[bractjs] codegen: refusing to emit unsafe param name: ${JSON.stringify(name)}`);
+  }
+}
+
 function builderEntry(pattern: string, params: string[]): string {
-  if (params.length === 0)
-    return "  \"" + pattern + "\": () => \"" + pattern + "\" as const,";
+  assertSafePattern(pattern);
+  params.forEach(assertSafeParam);
+  const key = JSON.stringify(pattern);
+  if (params.length === 0) return "  " + key + ": () => " + key + " as const,";
   const paramType = params.map((p) => p + ": string").join("; ");
   const body = substituteParams(pattern, params);
-  return "  \"" + pattern + "\": (params: { " + paramType + " }) => `" + body + "` as const,";
+  return "  " + key + ": (params: { " + paramType + " }) => `" + body + "` as const,";
 }
 
 function paramsTypeLines(routes: Array<{ pattern: string; params: string[] }>): string {
   const dynamic = routes.filter((r) => r.params.length > 0);
   if (dynamic.length === 0) return "export type RouteParams<_T extends AppRoutes> = Record<never, never>;";
   const branches = dynamic
-    .map((r) =>
-      "  T extends \"" + r.pattern + "\" ? { "
-      + r.params.map((p) => p + ": string").join("; ")
-      + " } :",
-    )
+    .map((r) => {
+      assertSafePattern(r.pattern);
+      r.params.forEach(assertSafeParam);
+      return "  T extends " + JSON.stringify(r.pattern) + " ? { "
+        + r.params.map((p) => p + ": string").join("; ")
+        + " } :";
+    })
     .join("\n");
   return "export type RouteParams<T extends AppRoutes> =\n" + branches + "\n  Record<never, never>;";
 }
@@ -65,7 +86,10 @@ export async function generateRouteTypes(appDir: string): Promise<string> {
   }));
 
   const union = routes.length > 0
-    ? routes.map((r) => "  | \"" + r.pattern + "\"").join("\n")
+    ? routes.map((r) => {
+        assertSafePattern(r.pattern);
+        return "  | " + JSON.stringify(r.pattern);
+      }).join("\n")
     : "  never";
 
   const builderEntries = routes.map((r) => builderEntry(r.pattern, r.params)).join("\n");

package/src/dev/hmr-module-handler.ts

@@ -1,4 +1,5 @@
-import { resolve, join } from "node:path";
+import { resolve, join, sep } from "node:path";
+import { realpath } from "node:fs/promises";
 
 /**
  * Dev-only HTTP handler for /_hmr/module?file=routes/about.tsx
@@ -17,10 +18,19 @@ export async function handleHmrModuleRequest(
     return new Response("Missing file param", { status: 400 });
   }
 
-  // Resolve and guard against path traversal
+  // Resolve and guard against path traversal AND symlink escape.
   const rootDir = resolve(appDir);
-  const fullPath = resolve(join(rootDir, file));
-  if (!fullPath.startsWith(rootDir + "/") && fullPath !== rootDir) {
+  const candidate = resolve(join(rootDir, file));
+  if (!candidate.startsWith(rootDir + sep) && candidate !== rootDir) {
+    return new Response("Forbidden", { status: 403 });
+  }
+  let fullPath: string;
+  try {
+    fullPath = await realpath(candidate);
+  } catch {
+    return new Response("Not Found", { status: 404 });
+  }
+  if (!fullPath.startsWith(rootDir + sep) && fullPath !== rootDir) {
     return new Response("Forbidden", { status: 403 });
   }
 

package/src/image/cache.ts

@@ -1,5 +1,5 @@
 import { join } from "node:path";
-import { mkdir } from "node:fs/promises";
+import { mkdir, rename, unlink } from "node:fs/promises";
 import type { ImageTransformParams, TransformResult, ImageFormat } from "./types.ts";
 
 const MAX_MEM = 200;
@@ -50,10 +50,14 @@ export async function getFromDisk(
   const key = await cacheKey(src, params);
   const metaFile = Bun.file(join(dir, `${key}.json`));
   const dataFile = Bun.file(join(dir, `${key}.bin`));
-  if (!(await metaFile.exists()) || !(await dataFile.exists())) return null;
+  // No existence pre-check: it would create a TOCTOU race where the file is
+  // deleted between exists() and read(). Just attempt the reads and let either
+  // a missing file or invalid JSON fall through to MISS.
   try {
-    const meta = await metaFile.json() as { contentType: string; format: ImageFormat };
-    const data = await dataFile.arrayBuffer();
+    const [meta, data] = await Promise.all([
+      metaFile.json() as Promise<{ contentType: string; format: ImageFormat }>,
+      dataFile.arrayBuffer(),
+    ]);
     return { data, contentType: meta.contentType, format: meta.format };
   } catch {
     return null;
@@ -68,8 +72,24 @@ export async function setOnDisk(
 ): Promise<void> {
   await mkdir(dir, { recursive: true });
   const key = await cacheKey(src, params);
-  await Promise.all([
-    Bun.write(join(dir, `${key}.json`), JSON.stringify({ contentType: result.contentType, format: result.format })),
-    Bun.write(join(dir, `${key}.bin`), result.data),
-  ]);
+  const jsonFinal = join(dir, `${key}.json`);
+  const binFinal = join(dir, `${key}.bin`);
+  const jsonTmp = `${jsonFinal}.tmp`;
+  const binTmp = `${binFinal}.tmp`;
+  // Write both temp files, then atomically rename. Readers see either both
+  // files present or neither — never a half-written pair.
+  try {
+    await Promise.all([
+      Bun.write(jsonTmp, JSON.stringify({ contentType: result.contentType, format: result.format })),
+      Bun.write(binTmp, result.data),
+    ]);
+    await Promise.all([rename(jsonTmp, jsonFinal), rename(binTmp, binFinal)]);
+  } catch (err) {
+    // Best-effort cleanup so failed writes don't leak .tmp files indefinitely.
+    await Promise.all([
+      unlink(jsonTmp).catch(() => {}),
+      unlink(binTmp).catch(() => {}),
+    ]);
+    throw err;
+  }
 }

package/src/image/handler.ts

@@ -1,36 +1,51 @@
-import { join, resolve } from "node:path";
+import { join, resolve, sep } from "node:path";
+import { realpath } from "node:fs/promises";
 import type { ImageTransformParams, ImageFormat, ImageFit } from "./types.ts";
-import { QUALITY_DEFAULT, FORMAT_DEFAULT, FIT_DEFAULT, MIME } from "./types.ts";
+import { QUALITY_DEFAULT, FORMAT_DEFAULT, FIT_DEFAULT, MIME, ALLOWED_FITS } from "./types.ts";
 import { transformImage } from "./optimizer.ts";
 import { getFromMemory, setInMemory, getFromDisk, setOnDisk } from "./cache.ts";
 
-const MAX_DIM = 4096;
+const ALLOWED_DIMS = new Set([320, 640, 768, 1024, 1280, 1536, 1920, 3840]);
+const MAX_AREA = 4_000_000;
 const CACHE_CTRL = "public, max-age=31536000, immutable";
 
-function parseParams(
+async function parseParams(
   sp: URLSearchParams,
   publicDir: string,
-): { src: string; filePath: string; params: ImageTransformParams } | null {
+): Promise<{ src: string; filePath: string; params: ImageTransformParams } | null> {
   const src = sp.get("src");
   // src must be a /public/ path with no traversal sequences
   if (!src || !src.startsWith("/public/") || src.includes("..")) return null;
 
   const rel = src.slice("/public/".length);
   const root = resolve(publicDir);
-  const filePath = resolve(join(root, rel));
-  if (!filePath.startsWith(root + "/") && filePath !== root) return null;
+  const candidate = resolve(join(root, rel));
+  if (!candidate.startsWith(root + sep) && candidate !== root) return null;
+  // Re-check after symlink resolution. If the file doesn't exist yet, realpath
+  // throws — fall through and let the existence check below handle it.
+  let filePath = candidate;
+  try {
+    const real = await realpath(candidate);
+    if (!real.startsWith(root + sep) && real !== root) return null;
+    filePath = real;
+  } catch {
+    // missing file: defer to Bun.file(...).exists() below
+  }
 
   const wRaw = sp.get("w");
   const hRaw = sp.get("h");
   const w = wRaw ? parseInt(wRaw, 10) : undefined;
   const h = hRaw ? parseInt(hRaw, 10) : undefined;
-  if (w !== undefined && (isNaN(w) || w < 1 || w > MAX_DIM)) return null;
-  if (h !== undefined && (isNaN(h) || h < 1 || h > MAX_DIM)) return null;
+  if (w !== undefined && (isNaN(w) || !ALLOWED_DIMS.has(w))) return null;
+  if (h !== undefined && (isNaN(h) || !ALLOWED_DIMS.has(h))) return null;
+  if (w !== undefined && h !== undefined && w * h > MAX_AREA) return null;
 
   const q = Math.min(100, Math.max(1, parseInt(sp.get("q") ?? String(QUALITY_DEFAULT), 10)));
   const fmt = (sp.get("format") ?? FORMAT_DEFAULT) as ImageFormat;
-  const fit = (sp.get("fit") ?? FIT_DEFAULT) as ImageFit;
+  const fitRaw = sp.get("fit") ?? FIT_DEFAULT;
   if (!MIME[fmt]) return null;
+  if (!ALLOWED_FITS.has(fitRaw as ImageFit)) return null;
+  const fit = fitRaw as ImageFit;
 
   return { src, filePath, params: { w, h, q, format: fmt, fit } };
 }
@@ -53,7 +68,7 @@ export async function handleImageRequest(
   const url = new URL(request.url);
   if (url.pathname !== "/_image") return null;
 
-  const parsed = parseParams(url.searchParams, publicDir);
+  const parsed = await parseParams(url.searchParams, publicDir);
   if (!parsed) return new Response("Bad Request", { status: 400 });
 
   const { src, filePath, params } = parsed;

package/src/image/optimizer.ts

@@ -1,6 +1,30 @@
 import type { ImageTransformParams, TransformResult, ImageFormat } from "./types.ts";
 import { MIME } from "./types.ts";
 
+// In-process semaphore (DoS guard): cap concurrent ImageMagick spawns so a
+// burst of /_image requests can't fork-bomb the server.
+const MAX_CONCURRENT = 4;
+// Per-spawn timeout (ms). A pathological input must not hold a slot forever;
+// without this, four hung spawns wedge the whole image pipeline.
+const SPAWN_TIMEOUT_MS = 15_000;
+let inFlight = 0;
+const waiters: Array<() => void> = [];
+
+async function acquireSlot(): Promise<void> {
+  if (inFlight < MAX_CONCURRENT) {
+    inFlight++;
+    return;
+  }
+  await new Promise<void>((resolve) => waiters.push(resolve));
+  inFlight++;
+}
+
+function releaseSlot(): void {
+  inFlight--;
+  const next = waiters.shift();
+  if (next) next();
+}
+
 // Probe for an available ImageMagick binary once, then cache the result.
 let _binary: string | null | undefined;
 
@@ -57,20 +81,28 @@ export async function transformImage(
     return { data, contentType: MIME[fmt] ?? "image/jpeg", format: fmt };
   }
 
-  const proc = Bun.spawn(buildArgs(binary, filePath, params), {
-    stdout: "pipe",
-    stderr: "pipe",
-  });
+  await acquireSlot();
+  try {
+    const proc = Bun.spawn(buildArgs(binary, filePath, params), {
+      stdout: "pipe",
+      stderr: "ignore",
+      timeout: SPAWN_TIMEOUT_MS,
+      killSignal: "SIGKILL",
+    });
 
-  const [data, , exitCode] = await Promise.all([
-    new Response(proc.stdout!).arrayBuffer(),
-    new Response(proc.stderr!).arrayBuffer(),
-    proc.exited,
-  ]);
+    const [data, exitCode] = await Promise.all([
+      new Response(proc.stdout!).arrayBuffer(),
+      proc.exited,
+    ]);
 
-  if (exitCode !== 0) {
-    throw new Error(`[bractjs] ImageMagick exited ${exitCode} for ${filePath}`);
-  }
+    if (exitCode !== 0) {
+      // Non-zero exit covers normal failures AND timeout-induced SIGKILL,
+      // since Bun reports the signal as a non-zero exit code.
+      throw new Error(`[bractjs] ImageMagick exited ${exitCode} for ${filePath}`);
+    }
 
-  return { data, contentType: MIME[params.format], format: params.format };
+    return { data, contentType: MIME[params.format], format: params.format };
+  } finally {
+    releaseSlot();
+  }
 }

package/src/image/types.ts

@@ -25,3 +25,4 @@ export const MIME: Record<ImageFormat, string> = {
   jpeg: "image/jpeg",
   png:  "image/png",
 };
+export const ALLOWED_FITS: ReadonlySet<ImageFit> = new Set(["cover", "contain", "fill"]);

package/src/middleware/cors.ts

@@ -3,25 +3,39 @@ import type { MiddlewareFn } from "../server/middleware.ts";
 export interface CorsOptions {
   origin: string | string[];
   methods?: string[];
+  credentials?: boolean;
 }
 
 /**
  * Sets CORS headers. Handles OPTIONS preflight with 204.
+ *
+ * Never reflects the Origin header when "*" is configured — emits literal "*".
+ * Refuses to combine credentials:true with "*" (browsers reject it anyway).
+ * Always sets `Vary: Origin` so caches don't serve a cross-origin response to
+ * the wrong site.
  */
 export function cors(options: CorsOptions): MiddlewareFn {
-  const allowedOrigins = Array.isArray(options.origin)
-    ? options.origin
-    : [options.origin];
+  const allowedOrigins = Array.isArray(options.origin) ? options.origin : [options.origin];
   const allowedMethods = options.methods?.join(", ") ?? "GET, POST, PUT, DELETE, PATCH, OPTIONS";
+  const wildcard = allowedOrigins.includes("*");
+  const credentials = options.credentials === true;
+  if (wildcard && credentials) {
+    throw new Error("cors: credentials=true cannot be combined with origin='*'");
+  }
 
   return async (ctx, next) => {
     const origin = ctx.request.headers.get("Origin") ?? "";
-    const allowed = allowedOrigins.includes("*") || allowedOrigins.includes(origin);
     const corsHeaders: Record<string, string> = {
       "Access-Control-Allow-Methods": allowedMethods,
       "Access-Control-Allow-Headers": "Content-Type, Authorization",
+      "Vary": "Origin",
     };
-    if (allowed) corsHeaders["Access-Control-Allow-Origin"] = origin || "*";
+    if (wildcard) {
+      corsHeaders["Access-Control-Allow-Origin"] = "*";
+    } else if (origin && allowedOrigins.includes(origin)) {
+      corsHeaders["Access-Control-Allow-Origin"] = origin;
+    }
+    if (credentials) corsHeaders["Access-Control-Allow-Credentials"] = "true";
 
     // Preflight
     if (ctx.request.method === "OPTIONS") {
@@ -29,8 +43,10 @@ export function cors(options: CorsOptions): MiddlewareFn {
     }
 
     const response = await next();
-    const patched = new Response(response.body, response);
-    for (const [k, v] of Object.entries(corsHeaders)) patched.headers.set(k, v);
-    return patched;
+    // Mutate headers in place rather than wrapping body. Wrapping with
+    // `new Response(response.body, response)` makes the original Response
+    // unusable to anyone holding a reference (single-shot stream).
+    for (const [k, v] of Object.entries(corsHeaders)) response.headers.set(k, v);
+    return response;
   };
 }

package/src/server/action-handler.ts

@@ -1,10 +1,25 @@
 import { resolveAction } from "./action-registry.ts";
 import { json } from "./response.ts";
+import { isAllowedMutation } from "./csrf.ts";
+
+const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+// Cap action JSON bodies. Anything over this looks like an abuse attempt;
+// FormData uploads (large files) take the multipart branch and bypass this.
+const MAX_JSON_BODY_BYTES = 1_048_576; // 1 MiB
+
+function hasForbiddenKey(value: unknown): boolean {
+  if (!value || typeof value !== "object") return false;
+  for (const key of Object.keys(value as Record<string, unknown>)) {
+    if (FORBIDDEN_KEYS.has(key)) return true;
+  }
+  return false;
+}
 
 export async function handleActionRequest(request: Request): Promise<Response | null> {
   const url = new URL(request.url);
   if (!url.pathname.startsWith("/_action")) return null;
   if (request.method !== "POST") return new Response("Method Not Allowed", { status: 405 });
+  if (!isAllowedMutation(request)) return new Response("Forbidden", { status: 403 });
 
   const id = url.searchParams.get("id");
   if (!id) return new Response("Bad Request: missing action id", { status: 400 });
@@ -18,8 +33,32 @@ export async function handleActionRequest(request: Request): Promise<Response |
     if (ct.includes("multipart/form-data") || ct.includes("application/x-www-form-urlencoded")) {
       args = [await request.formData()];
     } else {
+      // Cheap pre-check: trust Content-Length if the client sent one.
+      const clRaw = request.headers.get("Content-Length");
+      if (clRaw) {
+        const cl = Number(clRaw);
+        if (Number.isFinite(cl) && cl > MAX_JSON_BODY_BYTES) {
+          return new Response("Payload Too Large", { status: 413 });
+        }
+      }
       const text = await request.text();
-      args = text ? JSON.parse(text) as unknown[] : [];
+      // Defense in depth: clients can lie about Content-Length, so verify the
+      // actual decoded text length too.
+      if (text.length > MAX_JSON_BODY_BYTES) {
+        return new Response("Payload Too Large", { status: 413 });
+      }
+      if (!text) {
+        args = [];
+      } else {
+        const parsed: unknown = JSON.parse(text);
+        if (!Array.isArray(parsed)) {
+          return new Response("Bad Request: args must be array", { status: 400 });
+        }
+        if (parsed.some(hasForbiddenKey)) {
+          return new Response("Bad Request: forbidden keys", { status: 400 });
+        }
+        args = parsed;
+      }
     }
   } catch {
     return new Response("Bad Request: invalid body", { status: 400 });

package/src/server/action-registry.ts

@@ -1,6 +1,9 @@
 import { join } from "node:path";
 
-const SERVER_RE = /^["']use server["']/m;
+// Anchored at start-of-file. Allow whitespace and line/block comments before
+// the "use server" string literal. This prevents false matches from a "use
+// server" found inside template literals or runtime strings.
+const SERVER_RE = /^(?:\s|\/\/[^\n]*\n|\/\*[\s\S]*?\*\/)*["']use server["']/;
 const registry = new Map<string, (...args: unknown[]) => Promise<unknown>>();
 
 async function computeId(filePath: string, name: string): Promise<string> {
@@ -16,9 +19,19 @@ export function resolveAction(id: string): ((...args: unknown[]) => Promise<unkn
   return registry.get(id) ?? null;
 }
 
+function isEligible(rel: string): boolean {
+  return (
+    rel.endsWith(".server.ts") ||
+    rel.endsWith(".server.tsx") ||
+    rel.startsWith("routes/") ||
+    rel.startsWith("routes\\")
+  );
+}
+
 export async function loadServerActions(appDir: string): Promise<void> {
   const glob = new Bun.Glob("**/*.{ts,tsx}");
   for await (const rel of glob.scan(appDir)) {
+    if (!isEligible(rel)) continue;
     const filePath = join(appDir, rel);
     let src: string;
     try { src = await Bun.file(filePath).text(); } catch { continue; }