@durable-streams/server-conformance-tests 0.1.4 → 0.1.6

package/dist/{src-DK3GDgwo.cjs → src-ChUwq33M.cjs}

@@ -61,7 +61,7 @@ async function fetchSSE(url, opts = {}) {
 */
 function parseSSEEvents(sseText) {
 	const events = [];
-	const normalized = sseText.replace(/\r\n/g, `\n`);
+	const normalized = sseText.replace(/\r\n/g, `\n`).replace(/\r/g, `\n`);
 	const eventBlocks = normalized.split(`\n\n`).filter((block) => block.trim());
 	for (const block of eventBlocks) {
 		const lines = block.split(`\n`);
@@ -84,6 +84,7 @@ function parseSSEEvents(sseText) {
 */
 function runConformanceTests(options) {
 	const getBaseUrl = () => options.baseUrl;
+	const getLongPollTestTimeoutMs = () => (options.longPollTimeoutMs ?? 2e4) + 1e3;
 	(0, vitest.describe)(`Basic Stream Operations`, () => {
 		(0, vitest.test)(`should create a stream`, async () => {
 			const streamPath = `/v1/stream/create-test-${Date.now()}`;
@@ -252,13 +253,14 @@ function runConformanceTests(options) {
 			const readPromise = (async () => {
 				const res = await stream.stream({ live: `long-poll` });
 				await new Promise((resolve) => {
-					const unsubscribe = res.subscribeBytes(async (chunk) => {
+					const unsubscribe = res.subscribeBytes((chunk) => {
 						if (chunk.data.length > 0) receivedData.push(new TextDecoder().decode(chunk.data));
 						if (receivedData.length >= 1) {
 							unsubscribe();
 							res.cancel();
 							resolve();
 						}
+						return Promise.resolve();
 					});
 				});
 			})();
@@ -266,7 +268,7 @@ function runConformanceTests(options) {
 			await stream.append(`new data`);
 			await readPromise;
 			(0, vitest.expect)(receivedData).toContain(`new data`);
-		}, 1e4);
+		}, getLongPollTestTimeoutMs());
 		(0, vitest.test)(`should return immediately if data already exists`, async () => {
 			const streamPath = `/v1/stream/longpoll-immediate-test-${Date.now()}`;
 			const stream = await __durable_streams_client.DurableStream.create({
@@ -301,7 +303,7 @@ function runConformanceTests(options) {
 				method: `PUT`,
 				headers: { "Content-Type": `text/plain` }
 			});
-			(0, vitest.expect)([200, 204]).toContain(secondResponse.status);
+			(0, vitest.expect)(secondResponse.status).toBe(200);
 		});
 		(0, vitest.test)(`should return 409 on PUT with different config`, async () => {
 			const streamPath = `/v1/stream/config-conflict-test-${Date.now()}`;
@@ -326,7 +328,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `text/plain` },
 				body: `hello world`
 			});
-			(0, vitest.expect)([200, 204]).toContain(response.status);
+			(0, vitest.expect)(response.status).toBe(204);
 			(0, vitest.expect)(response.headers.get(__durable_streams_client.STREAM_OFFSET_HEADER)).toBeDefined();
 		});
 		(0, vitest.test)(`should return 404 on POST to non-existent stream`, async () => {
@@ -509,7 +511,7 @@ function runConformanceTests(options) {
 				},
 				body: `second`
 			});
-			(0, vitest.expect)([200, 204]).toContain(response.status);
+			(0, vitest.expect)(response.status).toBe(204);
 		});
 		(0, vitest.test)(`should reject duplicate seq values`, async () => {
 			const streamPath = `/v1/stream/seq-duplicate-test-${Date.now()}`;
@@ -536,6 +538,140 @@ function runConformanceTests(options) {
 			(0, vitest.expect)(response.status).toBe(409);
 		});
 	});
+	(0, vitest.describe)(`Browser Security Headers`, () => {
+		(0, vitest.test)(`should include X-Content-Type-Options: nosniff on GET responses`, async () => {
+			const streamPath = `/v1/stream/security-get-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: `test data`
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `GET` });
+			(0, vitest.expect)(response.status).toBe(200);
+			(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		(0, vitest.test)(`should include X-Content-Type-Options: nosniff on PUT responses`, async () => {
+			const streamPath = `/v1/stream/security-put-nosniff-${Date.now()}`;
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			(0, vitest.expect)(response.status).toBe(201);
+			(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		(0, vitest.test)(`should include X-Content-Type-Options: nosniff on POST responses`, async () => {
+			const streamPath = `/v1/stream/security-post-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `POST`,
+				headers: { "Content-Type": `text/plain` },
+				body: `data`
+			});
+			(0, vitest.expect)([200, 204]).toContain(response.status);
+			(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		(0, vitest.test)(`should include X-Content-Type-Options: nosniff on HEAD responses`, async () => {
+			const streamPath = `/v1/stream/security-head-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			(0, vitest.expect)(response.status).toBe(200);
+			(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		(0, vitest.test)(`should include Cross-Origin-Resource-Policy header on GET responses`, async () => {
+			const streamPath = `/v1/stream/security-corp-get-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `application/octet-stream` },
+				body: new Uint8Array([
+					1,
+					2,
+					3,
+					4
+				])
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `GET` });
+			(0, vitest.expect)(response.status).toBe(200);
+			const corp = response.headers.get(`cross-origin-resource-policy`);
+			(0, vitest.expect)(corp).toBeDefined();
+			(0, vitest.expect)([
+				`cross-origin`,
+				`same-origin`,
+				`same-site`
+			]).toContain(corp);
+		});
+		(0, vitest.test)(`should include Cache-Control: no-store on HEAD responses`, async () => {
+			const streamPath = `/v1/stream/security-head-cache-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			(0, vitest.expect)(response.status).toBe(200);
+			const cacheControl = response.headers.get(`cache-control`);
+			(0, vitest.expect)(cacheControl).toBeDefined();
+			(0, vitest.expect)(cacheControl).toContain(`no-store`);
+		});
+		(0, vitest.test)(`should include X-Content-Type-Options: nosniff on SSE responses`, async () => {
+			const streamPath = `/v1/stream/security-sse-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `application/json` },
+				body: JSON.stringify({ test: `data` })
+			});
+			const headResponse = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			const offset = headResponse.headers.get(__durable_streams_client.STREAM_OFFSET_HEADER) ?? `-1`;
+			const controller = new AbortController();
+			const timeoutId = setTimeout(() => controller.abort(), 500);
+			try {
+				const response = await fetch(`${getBaseUrl()}${streamPath}?offset=${offset}&live=sse`, {
+					method: `GET`,
+					signal: controller.signal
+				});
+				(0, vitest.expect)(response.status).toBe(200);
+				(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+			} catch (e) {
+				if (!(e instanceof Error && e.name === `AbortError`)) throw e;
+			} finally {
+				clearTimeout(timeoutId);
+			}
+		});
+		(0, vitest.test)(`should include X-Content-Type-Options: nosniff on long-poll responses`, async () => {
+			const streamPath = `/v1/stream/security-longpoll-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: `initial data`
+			});
+			const headResponse = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			const offset = headResponse.headers.get(__durable_streams_client.STREAM_OFFSET_HEADER) ?? `-1`;
+			const controller = new AbortController();
+			const timeoutId = setTimeout(() => controller.abort(), 500);
+			try {
+				const response = await fetch(`${getBaseUrl()}${streamPath}?offset=${offset}&live=long-poll`, {
+					method: `GET`,
+					signal: controller.signal
+				});
+				(0, vitest.expect)([200, 204]).toContain(response.status);
+				(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+			} catch (e) {
+				if (!(e instanceof Error && e.name === `AbortError`)) throw e;
+			} finally {
+				clearTimeout(timeoutId);
+			}
+		});
+		(0, vitest.test)(`should include security headers on error responses`, async () => {
+			const streamPath = `/v1/stream/security-error-headers-${Date.now()}`;
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `GET` });
+			(0, vitest.expect)(response.status).toBe(404);
+			(0, vitest.expect)(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+	});
 	(0, vitest.describe)(`TTL and Expiry Validation`, () => {
 		(0, vitest.test)(`should reject both TTL and Expires-At (400)`, async () => {
 			const streamPath = `/v1/stream/ttl-expires-conflict-test-${Date.now()}`;
@@ -606,7 +742,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `TEXT/PLAIN` },
 				body: `test`
 			});
-			(0, vitest.expect)([200, 204]).toContain(response.status);
+			(0, vitest.expect)(response.status).toBe(204);
 		});
 		(0, vitest.test)(`should allow idempotent create with different case content-type`, async () => {
 			const streamPath = `/v1/stream/case-idempotent-test-${Date.now()}`;
@@ -619,7 +755,7 @@ function runConformanceTests(options) {
 				method: `PUT`,
 				headers: { "Content-Type": `APPLICATION/JSON` }
 			});
-			(0, vitest.expect)([200, 204]).toContain(response2.status);
+			(0, vitest.expect)(response2.status).toBe(200);
 		});
 		(0, vitest.test)(`should accept headers with different casing`, async () => {
 			const streamPath = `/v1/stream/case-header-test-${Date.now()}`;
@@ -635,7 +771,7 @@ function runConformanceTests(options) {
 				},
 				body: `test`
 			});
-			(0, vitest.expect)([200, 204]).toContain(response.status);
+			(0, vitest.expect)(response.status).toBe(204);
 		});
 	});
 	(0, vitest.describe)(`Content-Type Validation`, () => {
@@ -663,7 +799,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `application/json` },
 				body: `{"test": true}`
 			});
-			(0, vitest.expect)([200, 204]).toContain(response.status);
+			(0, vitest.expect)(response.status).toBe(204);
 		});
 		(0, vitest.test)(`should return stream content-type on GET`, async () => {
 			const streamPath = `/v1/stream/content-type-get-test-${Date.now()}`;
@@ -955,7 +1091,8 @@ function runConformanceTests(options) {
 			(0, vitest.expect)(response.status).toBe(201);
 			const location = response.headers.get(`location`);
 			(0, vitest.expect)(location).toBeDefined();
-			(0, vitest.expect)(location).toBe(`${getBaseUrl()}${streamPath}`);
+			(0, vitest.expect)(location.endsWith(streamPath)).toBe(true);
+			(0, vitest.expect)(() => new URL(location)).not.toThrow();
 		});
 		(0, vitest.test)(`should reject missing Content-Type on POST`, async () => {
 			const streamPath = `/v1/stream/missing-ct-post-test-${Date.now()}`;
@@ -1059,7 +1196,7 @@ function runConformanceTests(options) {
 				clearTimeout(timeoutId);
 				if (e instanceof Error && e.name !== `AbortError`) throw e;
 			}
-		}, 1e4);
+		}, getLongPollTestTimeoutMs());
 	});
 	(0, vitest.describe)(`TTL and Expiry Edge Cases`, () => {
 		(0, vitest.test)(`should reject TTL with leading zeros`, async () => {
@@ -1159,7 +1296,7 @@ function runConformanceTests(options) {
 					"Stream-TTL": `3600`
 				}
 			});
-			(0, vitest.expect)([200, 204]).toContain(response2.status);
+			(0, vitest.expect)(response2.status).toBe(200);
 		});
 		(0, vitest.test)(`should reject idempotent PUT with different TTL`, async () => {
 			const streamPath = `/v1/stream/ttl-conflict-test-${Date.now()}`;
@@ -1263,7 +1400,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `text/plain` },
 				body: `appended data`
 			});
-			(0, vitest.expect)([200, 204]).toContain(postBefore.status);
+			(0, vitest.expect)(postBefore.status).toBe(204);
 			await sleep(1500);
 			const postAfter = await fetch(`${getBaseUrl()}${streamPath}`, {
 				method: `POST`,
@@ -1323,7 +1460,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `text/plain` },
 				body: `appended data`
 			});
-			(0, vitest.expect)([200, 204]).toContain(postBefore.status);
+			(0, vitest.expect)(postBefore.status).toBe(204);
 			await sleep(1500);
 			const postAfter = await fetch(`${getBaseUrl()}${streamPath}`, {
 				method: `POST`,
@@ -1746,6 +1883,88 @@ function runConformanceTests(options) {
 			(0, vitest.expect)(received).toContain(`data: line2`);
 			(0, vitest.expect)(received).toContain(`data: line3`);
 		});
+		(0, vitest.test)(`should prevent CRLF injection in payloads - embedded event boundaries become literal data`, async () => {
+			const streamPath = `/v1/stream/sse-crlf-injection-test-${Date.now()}`;
+			const maliciousPayload = `safe content\r\n\r\nevent: control\r\ndata: {"injected":true}\r\n\r\nmore safe content`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: maliciousPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			(0, vitest.expect)(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const dataEvents = events.filter((e) => e.type === `data`);
+			const controlEvents = events.filter((e) => e.type === `control`);
+			(0, vitest.expect)(dataEvents.length).toBe(1);
+			(0, vitest.expect)(controlEvents.length).toBe(1);
+			const dataContent = dataEvents[0].data;
+			(0, vitest.expect)(dataContent).toContain(`event: control`);
+			(0, vitest.expect)(dataContent).toContain(`data: {"injected":true}`);
+			const controlContent = JSON.parse(controlEvents[0].data);
+			(0, vitest.expect)(controlContent.injected).toBeUndefined();
+			(0, vitest.expect)(controlContent.streamNextOffset).toBeDefined();
+		});
+		(0, vitest.test)(`should prevent CRLF injection - LF-only attack vectors`, async () => {
+			const streamPath = `/v1/stream/sse-lf-injection-test-${Date.now()}`;
+			const maliciousPayload = `start\n\nevent: data\ndata: fake-event\n\nend`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: maliciousPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			(0, vitest.expect)(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const dataEvents = events.filter((e) => e.type === `data`);
+			(0, vitest.expect)(dataEvents.length).toBe(1);
+			const dataContent = dataEvents[0].data;
+			(0, vitest.expect)(dataContent).toContain(`event: data`);
+			(0, vitest.expect)(dataContent).toContain(`data: fake-event`);
+		});
+		(0, vitest.test)(`should prevent CRLF injection - carriage return only attack vectors`, async () => {
+			const streamPath = `/v1/stream/sse-cr-injection-test-${Date.now()}`;
+			const maliciousPayload = `start\r\revent: control\rdata: {"cr_injected":true}\r\rend`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: maliciousPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			(0, vitest.expect)(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const controlEvents = events.filter((e) => e.type === `control`);
+			(0, vitest.expect)(controlEvents.length).toBe(1);
+			const controlContent = JSON.parse(controlEvents[0].data);
+			(0, vitest.expect)(controlContent.cr_injected).toBeUndefined();
+			(0, vitest.expect)(controlContent.streamNextOffset).toBeDefined();
+		});
+		(0, vitest.test)(`should handle JSON payloads with embedded newlines safely`, async () => {
+			const streamPath = `/v1/stream/sse-json-newline-test-${Date.now()}`;
+			const jsonPayload = JSON.stringify({
+				message: `line1\nline2\nline3`,
+				attack: `try\r\n\r\nevent: control\r\ndata: {"bad":true}`
+			});
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `application/json` },
+				body: jsonPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			(0, vitest.expect)(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const dataEvents = events.filter((e) => e.type === `data`);
+			const controlEvents = events.filter((e) => e.type === `control`);
+			(0, vitest.expect)(dataEvents.length).toBe(1);
+			(0, vitest.expect)(controlEvents.length).toBe(1);
+			const parsedData = JSON.parse(dataEvents[0].data);
+			(0, vitest.expect)(Array.isArray(parsedData)).toBe(true);
+			(0, vitest.expect)(parsedData[0].message).toBe(`line1\nline2\nline3`);
+			(0, vitest.expect)(parsedData[0].attack).toContain(`event: control`);
+			const controlContent = JSON.parse(controlEvents[0].data);
+			(0, vitest.expect)(controlContent.bad).toBeUndefined();
+			(0, vitest.expect)(controlContent.streamNextOffset).toBeDefined();
+		});
 		(0, vitest.test)(`should generate unique, monotonically increasing offsets in SSE mode`, async () => {
 			const streamPath = `/v1/stream/sse-monotonic-offset-test-${Date.now()}`;
 			await fetch(`${getBaseUrl()}${streamPath}`, {
@@ -2131,7 +2350,7 @@ function runConformanceTests(options) {
 								headers: { "Content-Type": `application/octet-stream` },
 								body: chunk
 							});
-							(0, vitest.expect)([200, 204]).toContain(response.status);
+							(0, vitest.expect)(response.status).toBe(204);
 						}
 						const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
 						const expected = new Uint8Array(totalLength);
@@ -2234,7 +2453,7 @@ function runConformanceTests(options) {
 								headers: { "Content-Type": `application/octet-stream` },
 								body: op.data
 							});
-							(0, vitest.expect)([200, 204]).toContain(response.status);
+							(0, vitest.expect)(response.status).toBe(204);
 							appendedData.push(...Array.from(op.data));
 							const offset = response.headers.get(__durable_streams_client.STREAM_OFFSET_HEADER);
 							if (offset) savedOffsets.push(offset);
@@ -2317,7 +2536,7 @@ function runConformanceTests(options) {
 						headers: { "Content-Type": `application/octet-stream` },
 						body: data
 					});
-					(0, vitest.expect)([200, 204]).toContain(appendResponse.status);
+					(0, vitest.expect)(appendResponse.status).toBe(204);
 					const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
 					(0, vitest.expect)(readResponse.status).toBe(200);
 					const buffer = await readResponse.arrayBuffer();
@@ -2429,7 +2648,7 @@ function runConformanceTests(options) {
 								},
 								body: `data-${seq}`
 							});
-							(0, vitest.expect)([200, 204]).toContain(response.status);
+							(0, vitest.expect)(response.status).toBe(204);
 						}
 						return true;
 					}
@@ -2453,7 +2672,7 @@ function runConformanceTests(options) {
 							},
 							body: `first`
 						});
-						(0, vitest.expect)([200, 204]).toContain(response1.status);
+						(0, vitest.expect)(response1.status).toBe(204);
 						const response2 = await fetch(`${getBaseUrl()}${streamPath}`, {
 							method: `POST`,
 							headers: {
@@ -2468,6 +2687,252 @@ function runConformanceTests(options) {
 ), { numRuns: 25 });
 			});
 		});
+		(0, vitest.describe)(`Concurrent Writer Stress Tests`, () => {
+			(0, vitest.test)(`concurrent writers with sequence numbers - server handles gracefully`, async () => {
+				const streamPath = `/v1/stream/concurrent-seq-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `text/plain` }
+				});
+				const numWriters = 5;
+				const seqValue = `seq-001`;
+				const writePromises = Array.from({ length: numWriters }, (_, i) => fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `POST`,
+					headers: {
+						"Content-Type": `text/plain`,
+						[__durable_streams_client.STREAM_SEQ_HEADER]: seqValue
+					},
+					body: `writer-${i}`
+				}));
+				const responses = await Promise.all(writePromises);
+				const statuses = responses.map((r) => r.status);
+				for (const status of statuses) (0, vitest.expect)([
+					200,
+					204,
+					409
+				]).toContain(status);
+				const successes = statuses.filter((s) => s === 200 || s === 204);
+				(0, vitest.expect)(successes.length).toBeGreaterThanOrEqual(1);
+				const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
+				const content = await readResponse.text();
+				const matchingWriters = Array.from({ length: numWriters }, (_, i) => content.includes(`writer-${i}`)).filter(Boolean);
+				(0, vitest.expect)(matchingWriters.length).toBeGreaterThanOrEqual(1);
+			});
+			(0, vitest.test)(`concurrent writers racing with incrementing seq values`, async () => {
+				await fast_check.assert(fast_check.asyncProperty(fast_check.integer({
+					min: 3,
+					max: 8
+				}), async (numWriters) => {
+					const streamPath = `/v1/stream/concurrent-race-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+					await fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `PUT`,
+						headers: { "Content-Type": `text/plain` }
+					});
+					const writePromises = Array.from({ length: numWriters }, (_, i) => fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `POST`,
+						headers: {
+							"Content-Type": `text/plain`,
+							[__durable_streams_client.STREAM_SEQ_HEADER]: String(i).padStart(4, `0`)
+						},
+						body: `data-${i}`
+					}));
+					const responses = await Promise.all(writePromises);
+					const successIndices = [];
+					for (let i = 0; i < responses.length; i++) {
+						(0, vitest.expect)([
+							200,
+							204,
+							409
+						]).toContain(responses[i].status);
+						if (responses[i].status === 200 || responses[i].status === 204) successIndices.push(i);
+					}
+					(0, vitest.expect)(successIndices.length).toBeGreaterThanOrEqual(1);
+					const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
+					const content = await readResponse.text();
+					for (const i of successIndices) (0, vitest.expect)(content).toContain(`data-${i}`);
+					return true;
+				}), { numRuns: 10 });
+			});
+			(0, vitest.test)(`concurrent appends without seq - all data is persisted`, async () => {
+				const streamPath = `/v1/stream/concurrent-no-seq-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `text/plain` }
+				});
+				const numWriters = 10;
+				const writePromises = Array.from({ length: numWriters }, (_, i) => fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `POST`,
+					headers: { "Content-Type": `text/plain` },
+					body: `concurrent-${i}`
+				}));
+				const responses = await Promise.all(writePromises);
+				for (const response of responses) (0, vitest.expect)([200, 204]).toContain(response.status);
+				const offsets = responses.map((r) => r.headers.get(__durable_streams_client.STREAM_OFFSET_HEADER));
+				for (const offset of offsets) (0, vitest.expect)(offset).not.toBeNull();
+				const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
+				const content = await readResponse.text();
+				for (let i = 0; i < numWriters; i++) (0, vitest.expect)(content).toContain(`concurrent-${i}`);
+			});
+			(0, vitest.test)(`mixed readers and writers - readers see consistent state`, async () => {
+				const streamPath = `/v1/stream/concurrent-rw-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `text/plain` }
+				});
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `POST`,
+					headers: { "Content-Type": `text/plain` },
+					body: `initial`
+				});
+				const numOps = 20;
+				const operations = Array.from({ length: numOps }, (_, i) => {
+					if (i % 2 === 0) return fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `POST`,
+						headers: { "Content-Type": `text/plain` },
+						body: `write-${i}`
+					});
+					else return fetch(`${getBaseUrl()}${streamPath}`);
+				});
+				const responses = await Promise.all(operations);
+				responses.forEach((response, i) => {
+					const expectedStatus = i % 2 === 0 ? 204 : 200;
+					(0, vitest.expect)(response.status).toBe(expectedStatus);
+				});
+				const finalRead = await fetch(`${getBaseUrl()}${streamPath}`);
+				const content = await finalRead.text();
+				(0, vitest.expect)(content).toContain(`initial`);
+				for (let i = 0; i < numOps; i += 2) (0, vitest.expect)(content).toContain(`write-${i}`);
+			});
+		});
+		(0, vitest.describe)(`State Hash Verification`, () => {
+			/**
+			* Simple hash function for content verification.
+			* Uses FNV-1a algorithm for deterministic hashing.
+			*/
+			function hashContent(data) {
+				let hash = 2166136261;
+				for (const byte of data) {
+					hash ^= byte;
+					hash = Math.imul(hash, 16777619);
+					hash = hash >>> 0;
+				}
+				return hash.toString(16).padStart(8, `0`);
+			}
+			(0, vitest.test)(`replay produces identical content hash`, async () => {
+				await fast_check.assert(fast_check.asyncProperty(
+					// Generate a sequence of appends
+					fast_check.array(fast_check.uint8Array({
+						minLength: 1,
+						maxLength: 100
+					}), {
+						minLength: 1,
+						maxLength: 10
+					}),
+					async (chunks) => {
+						const streamPath1 = `/v1/stream/hash-verify-1-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+						await fetch(`${getBaseUrl()}${streamPath1}`, {
+							method: `PUT`,
+							headers: { "Content-Type": `application/octet-stream` }
+						});
+						for (const chunk of chunks) await fetch(`${getBaseUrl()}${streamPath1}`, {
+							method: `POST`,
+							headers: { "Content-Type": `application/octet-stream` },
+							body: chunk
+						});
+						const response1 = await fetch(`${getBaseUrl()}${streamPath1}`);
+						const data1 = new Uint8Array(await response1.arrayBuffer());
+						const hash1 = hashContent(data1);
+						const streamPath2 = `/v1/stream/hash-verify-2-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+						await fetch(`${getBaseUrl()}${streamPath2}`, {
+							method: `PUT`,
+							headers: { "Content-Type": `application/octet-stream` }
+						});
+						for (const chunk of chunks) await fetch(`${getBaseUrl()}${streamPath2}`, {
+							method: `POST`,
+							headers: { "Content-Type": `application/octet-stream` },
+							body: chunk
+						});
+						const response2 = await fetch(`${getBaseUrl()}${streamPath2}`);
+						const data2 = new Uint8Array(await response2.arrayBuffer());
+						const hash2 = hashContent(data2);
+						(0, vitest.expect)(hash1).toBe(hash2);
+						(0, vitest.expect)(data1.length).toBe(data2.length);
+						return true;
+					}
+), { numRuns: 15 });
+			});
+			(0, vitest.test)(`content hash changes with each append`, async () => {
+				const streamPath = `/v1/stream/hash-changes-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `application/octet-stream` }
+				});
+				const hashes = [];
+				for (let i = 0; i < 5; i++) {
+					await fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `POST`,
+						headers: { "Content-Type": `application/octet-stream` },
+						body: new Uint8Array([
+							i,
+							i + 1,
+							i + 2
+						])
+					});
+					const response = await fetch(`${getBaseUrl()}${streamPath}`);
+					const data = new Uint8Array(await response.arrayBuffer());
+					hashes.push(hashContent(data));
+				}
+				const uniqueHashes = new Set(hashes);
+				(0, vitest.expect)(uniqueHashes.size).toBe(5);
+			});
+			(0, vitest.test)(`empty stream has consistent hash`, async () => {
+				const streamPath1 = `/v1/stream/empty-hash-1-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				const streamPath2 = `/v1/stream/empty-hash-2-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath1}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `application/octet-stream` }
+				});
+				await fetch(`${getBaseUrl()}${streamPath2}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `application/octet-stream` }
+				});
+				const response1 = await fetch(`${getBaseUrl()}${streamPath1}`);
+				const response2 = await fetch(`${getBaseUrl()}${streamPath2}`);
+				const data1 = new Uint8Array(await response1.arrayBuffer());
+				const data2 = new Uint8Array(await response2.arrayBuffer());
+				(0, vitest.expect)(data1.length).toBe(0);
+				(0, vitest.expect)(data2.length).toBe(0);
+				(0, vitest.expect)(hashContent(data1)).toBe(hashContent(data2));
+			});
+			(0, vitest.test)(`deterministic ordering - same data in same order produces same hash`, async () => {
+				await fast_check.assert(fast_check.asyncProperty(fast_check.array(fast_check.uint8Array({
+					minLength: 1,
+					maxLength: 50
+				}), {
+					minLength: 2,
+					maxLength: 5
+				}), async (chunks) => {
+					const hashes = [];
+					for (let run = 0; run < 2; run++) {
+						const streamPath = `/v1/stream/order-hash-${run}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+						await fetch(`${getBaseUrl()}${streamPath}`, {
+							method: `PUT`,
+							headers: { "Content-Type": `application/octet-stream` }
+						});
+						for (const chunk of chunks) await fetch(`${getBaseUrl()}${streamPath}`, {
+							method: `POST`,
+							headers: { "Content-Type": `application/octet-stream` },
+							body: chunk
+						});
+						const response = await fetch(`${getBaseUrl()}${streamPath}`);
+						const data = new Uint8Array(await response.arrayBuffer());
+						hashes.push(hashContent(data));
+					}
+					(0, vitest.expect)(hashes[0]).toBe(hashes[1]);
+					return true;
+				}), { numRuns: 10 });
+			});
+		});
 	});
 }