@durable-streams/server-conformance-tests 0.1.5 → 0.1.6

package/dist/{src-BtF2jQ-Q.js → src-DWkKYD4d.js}

@@ -59,7 +59,7 @@ async function fetchSSE(url, opts = {}) {
 */
 function parseSSEEvents(sseText) {
 	const events = [];
-	const normalized = sseText.replace(/\r\n/g, `\n`);
+	const normalized = sseText.replace(/\r\n/g, `\n`).replace(/\r/g, `\n`);
 	const eventBlocks = normalized.split(`\n\n`).filter((block) => block.trim());
 	for (const block of eventBlocks) {
 		const lines = block.split(`\n`);
@@ -301,7 +301,7 @@ function runConformanceTests(options) {
 				method: `PUT`,
 				headers: { "Content-Type": `text/plain` }
 			});
-			expect([200, 204]).toContain(secondResponse.status);
+			expect(secondResponse.status).toBe(200);
 		});
 		test(`should return 409 on PUT with different config`, async () => {
 			const streamPath = `/v1/stream/config-conflict-test-${Date.now()}`;
@@ -326,7 +326,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `text/plain` },
 				body: `hello world`
 			});
-			expect([200, 204]).toContain(response.status);
+			expect(response.status).toBe(204);
 			expect(response.headers.get(STREAM_OFFSET_HEADER)).toBeDefined();
 		});
 		test(`should return 404 on POST to non-existent stream`, async () => {
@@ -509,7 +509,7 @@ function runConformanceTests(options) {
 				},
 				body: `second`
 			});
-			expect([200, 204]).toContain(response.status);
+			expect(response.status).toBe(204);
 		});
 		test(`should reject duplicate seq values`, async () => {
 			const streamPath = `/v1/stream/seq-duplicate-test-${Date.now()}`;
@@ -536,6 +536,140 @@ function runConformanceTests(options) {
 			expect(response.status).toBe(409);
 		});
 	});
+	describe(`Browser Security Headers`, () => {
+		test(`should include X-Content-Type-Options: nosniff on GET responses`, async () => {
+			const streamPath = `/v1/stream/security-get-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: `test data`
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `GET` });
+			expect(response.status).toBe(200);
+			expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		test(`should include X-Content-Type-Options: nosniff on PUT responses`, async () => {
+			const streamPath = `/v1/stream/security-put-nosniff-${Date.now()}`;
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			expect(response.status).toBe(201);
+			expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		test(`should include X-Content-Type-Options: nosniff on POST responses`, async () => {
+			const streamPath = `/v1/stream/security-post-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `POST`,
+				headers: { "Content-Type": `text/plain` },
+				body: `data`
+			});
+			expect([200, 204]).toContain(response.status);
+			expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		test(`should include X-Content-Type-Options: nosniff on HEAD responses`, async () => {
+			const streamPath = `/v1/stream/security-head-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			expect(response.status).toBe(200);
+			expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+		test(`should include Cross-Origin-Resource-Policy header on GET responses`, async () => {
+			const streamPath = `/v1/stream/security-corp-get-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `application/octet-stream` },
+				body: new Uint8Array([
+					1,
+					2,
+					3,
+					4
+				])
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `GET` });
+			expect(response.status).toBe(200);
+			const corp = response.headers.get(`cross-origin-resource-policy`);
+			expect(corp).toBeDefined();
+			expect([
+				`cross-origin`,
+				`same-origin`,
+				`same-site`
+			]).toContain(corp);
+		});
+		test(`should include Cache-Control: no-store on HEAD responses`, async () => {
+			const streamPath = `/v1/stream/security-head-cache-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` }
+			});
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			expect(response.status).toBe(200);
+			const cacheControl = response.headers.get(`cache-control`);
+			expect(cacheControl).toBeDefined();
+			expect(cacheControl).toContain(`no-store`);
+		});
+		test(`should include X-Content-Type-Options: nosniff on SSE responses`, async () => {
+			const streamPath = `/v1/stream/security-sse-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `application/json` },
+				body: JSON.stringify({ test: `data` })
+			});
+			const headResponse = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			const offset = headResponse.headers.get(STREAM_OFFSET_HEADER) ?? `-1`;
+			const controller = new AbortController();
+			const timeoutId = setTimeout(() => controller.abort(), 500);
+			try {
+				const response = await fetch(`${getBaseUrl()}${streamPath}?offset=${offset}&live=sse`, {
+					method: `GET`,
+					signal: controller.signal
+				});
+				expect(response.status).toBe(200);
+				expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+			} catch (e) {
+				if (!(e instanceof Error && e.name === `AbortError`)) throw e;
+			} finally {
+				clearTimeout(timeoutId);
+			}
+		});
+		test(`should include X-Content-Type-Options: nosniff on long-poll responses`, async () => {
+			const streamPath = `/v1/stream/security-longpoll-nosniff-${Date.now()}`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: `initial data`
+			});
+			const headResponse = await fetch(`${getBaseUrl()}${streamPath}`, { method: `HEAD` });
+			const offset = headResponse.headers.get(STREAM_OFFSET_HEADER) ?? `-1`;
+			const controller = new AbortController();
+			const timeoutId = setTimeout(() => controller.abort(), 500);
+			try {
+				const response = await fetch(`${getBaseUrl()}${streamPath}?offset=${offset}&live=long-poll`, {
+					method: `GET`,
+					signal: controller.signal
+				});
+				expect([200, 204]).toContain(response.status);
+				expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+			} catch (e) {
+				if (!(e instanceof Error && e.name === `AbortError`)) throw e;
+			} finally {
+				clearTimeout(timeoutId);
+			}
+		});
+		test(`should include security headers on error responses`, async () => {
+			const streamPath = `/v1/stream/security-error-headers-${Date.now()}`;
+			const response = await fetch(`${getBaseUrl()}${streamPath}`, { method: `GET` });
+			expect(response.status).toBe(404);
+			expect(response.headers.get(`x-content-type-options`)).toBe(`nosniff`);
+		});
+	});
 	describe(`TTL and Expiry Validation`, () => {
 		test(`should reject both TTL and Expires-At (400)`, async () => {
 			const streamPath = `/v1/stream/ttl-expires-conflict-test-${Date.now()}`;
@@ -606,7 +740,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `TEXT/PLAIN` },
 				body: `test`
 			});
-			expect([200, 204]).toContain(response.status);
+			expect(response.status).toBe(204);
 		});
 		test(`should allow idempotent create with different case content-type`, async () => {
 			const streamPath = `/v1/stream/case-idempotent-test-${Date.now()}`;
@@ -619,7 +753,7 @@ function runConformanceTests(options) {
 				method: `PUT`,
 				headers: { "Content-Type": `APPLICATION/JSON` }
 			});
-			expect([200, 204]).toContain(response2.status);
+			expect(response2.status).toBe(200);
 		});
 		test(`should accept headers with different casing`, async () => {
 			const streamPath = `/v1/stream/case-header-test-${Date.now()}`;
@@ -635,7 +769,7 @@ function runConformanceTests(options) {
 				},
 				body: `test`
 			});
-			expect([200, 204]).toContain(response.status);
+			expect(response.status).toBe(204);
 		});
 	});
 	describe(`Content-Type Validation`, () => {
@@ -663,7 +797,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `application/json` },
 				body: `{"test": true}`
 			});
-			expect([200, 204]).toContain(response.status);
+			expect(response.status).toBe(204);
 		});
 		test(`should return stream content-type on GET`, async () => {
 			const streamPath = `/v1/stream/content-type-get-test-${Date.now()}`;
@@ -955,7 +1089,8 @@ function runConformanceTests(options) {
 			expect(response.status).toBe(201);
 			const location = response.headers.get(`location`);
 			expect(location).toBeDefined();
-			expect(location).toBe(`${getBaseUrl()}${streamPath}`);
+			expect(location.endsWith(streamPath)).toBe(true);
+			expect(() => new URL(location)).not.toThrow();
 		});
 		test(`should reject missing Content-Type on POST`, async () => {
 			const streamPath = `/v1/stream/missing-ct-post-test-${Date.now()}`;
@@ -1159,7 +1294,7 @@ function runConformanceTests(options) {
 					"Stream-TTL": `3600`
 				}
 			});
-			expect([200, 204]).toContain(response2.status);
+			expect(response2.status).toBe(200);
 		});
 		test(`should reject idempotent PUT with different TTL`, async () => {
 			const streamPath = `/v1/stream/ttl-conflict-test-${Date.now()}`;
@@ -1263,7 +1398,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `text/plain` },
 				body: `appended data`
 			});
-			expect([200, 204]).toContain(postBefore.status);
+			expect(postBefore.status).toBe(204);
 			await sleep(1500);
 			const postAfter = await fetch(`${getBaseUrl()}${streamPath}`, {
 				method: `POST`,
@@ -1323,7 +1458,7 @@ function runConformanceTests(options) {
 				headers: { "Content-Type": `text/plain` },
 				body: `appended data`
 			});
-			expect([200, 204]).toContain(postBefore.status);
+			expect(postBefore.status).toBe(204);
 			await sleep(1500);
 			const postAfter = await fetch(`${getBaseUrl()}${streamPath}`, {
 				method: `POST`,
@@ -1746,6 +1881,88 @@ function runConformanceTests(options) {
 			expect(received).toContain(`data: line2`);
 			expect(received).toContain(`data: line3`);
 		});
+		test(`should prevent CRLF injection in payloads - embedded event boundaries become literal data`, async () => {
+			const streamPath = `/v1/stream/sse-crlf-injection-test-${Date.now()}`;
+			const maliciousPayload = `safe content\r\n\r\nevent: control\r\ndata: {"injected":true}\r\n\r\nmore safe content`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: maliciousPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			expect(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const dataEvents = events.filter((e) => e.type === `data`);
+			const controlEvents = events.filter((e) => e.type === `control`);
+			expect(dataEvents.length).toBe(1);
+			expect(controlEvents.length).toBe(1);
+			const dataContent = dataEvents[0].data;
+			expect(dataContent).toContain(`event: control`);
+			expect(dataContent).toContain(`data: {"injected":true}`);
+			const controlContent = JSON.parse(controlEvents[0].data);
+			expect(controlContent.injected).toBeUndefined();
+			expect(controlContent.streamNextOffset).toBeDefined();
+		});
+		test(`should prevent CRLF injection - LF-only attack vectors`, async () => {
+			const streamPath = `/v1/stream/sse-lf-injection-test-${Date.now()}`;
+			const maliciousPayload = `start\n\nevent: data\ndata: fake-event\n\nend`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: maliciousPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			expect(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const dataEvents = events.filter((e) => e.type === `data`);
+			expect(dataEvents.length).toBe(1);
+			const dataContent = dataEvents[0].data;
+			expect(dataContent).toContain(`event: data`);
+			expect(dataContent).toContain(`data: fake-event`);
+		});
+		test(`should prevent CRLF injection - carriage return only attack vectors`, async () => {
+			const streamPath = `/v1/stream/sse-cr-injection-test-${Date.now()}`;
+			const maliciousPayload = `start\r\revent: control\rdata: {"cr_injected":true}\r\rend`;
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `text/plain` },
+				body: maliciousPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			expect(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const controlEvents = events.filter((e) => e.type === `control`);
+			expect(controlEvents.length).toBe(1);
+			const controlContent = JSON.parse(controlEvents[0].data);
+			expect(controlContent.cr_injected).toBeUndefined();
+			expect(controlContent.streamNextOffset).toBeDefined();
+		});
+		test(`should handle JSON payloads with embedded newlines safely`, async () => {
+			const streamPath = `/v1/stream/sse-json-newline-test-${Date.now()}`;
+			const jsonPayload = JSON.stringify({
+				message: `line1\nline2\nline3`,
+				attack: `try\r\n\r\nevent: control\r\ndata: {"bad":true}`
+			});
+			await fetch(`${getBaseUrl()}${streamPath}`, {
+				method: `PUT`,
+				headers: { "Content-Type": `application/json` },
+				body: jsonPayload
+			});
+			const { response, received } = await fetchSSE(`${getBaseUrl()}${streamPath}?offset=-1&live=sse`, { untilContent: `event: control` });
+			expect(response.status).toBe(200);
+			const events = parseSSEEvents(received);
+			const dataEvents = events.filter((e) => e.type === `data`);
+			const controlEvents = events.filter((e) => e.type === `control`);
+			expect(dataEvents.length).toBe(1);
+			expect(controlEvents.length).toBe(1);
+			const parsedData = JSON.parse(dataEvents[0].data);
+			expect(Array.isArray(parsedData)).toBe(true);
+			expect(parsedData[0].message).toBe(`line1\nline2\nline3`);
+			expect(parsedData[0].attack).toContain(`event: control`);
+			const controlContent = JSON.parse(controlEvents[0].data);
+			expect(controlContent.bad).toBeUndefined();
+			expect(controlContent.streamNextOffset).toBeDefined();
+		});
 		test(`should generate unique, monotonically increasing offsets in SSE mode`, async () => {
 			const streamPath = `/v1/stream/sse-monotonic-offset-test-${Date.now()}`;
 			await fetch(`${getBaseUrl()}${streamPath}`, {
@@ -2131,7 +2348,7 @@ function runConformanceTests(options) {
 								headers: { "Content-Type": `application/octet-stream` },
 								body: chunk
 							});
-							expect([200, 204]).toContain(response.status);
+							expect(response.status).toBe(204);
 						}
 						const totalLength = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
 						const expected = new Uint8Array(totalLength);
@@ -2234,7 +2451,7 @@ function runConformanceTests(options) {
 								headers: { "Content-Type": `application/octet-stream` },
 								body: op.data
 							});
-							expect([200, 204]).toContain(response.status);
+							expect(response.status).toBe(204);
 							appendedData.push(...Array.from(op.data));
 							const offset = response.headers.get(STREAM_OFFSET_HEADER);
 							if (offset) savedOffsets.push(offset);
@@ -2317,7 +2534,7 @@ function runConformanceTests(options) {
 						headers: { "Content-Type": `application/octet-stream` },
 						body: data
 					});
-					expect([200, 204]).toContain(appendResponse.status);
+					expect(appendResponse.status).toBe(204);
 					const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
 					expect(readResponse.status).toBe(200);
 					const buffer = await readResponse.arrayBuffer();
@@ -2429,7 +2646,7 @@ function runConformanceTests(options) {
 								},
 								body: `data-${seq}`
 							});
-							expect([200, 204]).toContain(response.status);
+							expect(response.status).toBe(204);
 						}
 						return true;
 					}
@@ -2453,7 +2670,7 @@ function runConformanceTests(options) {
 							},
 							body: `first`
 						});
-						expect([200, 204]).toContain(response1.status);
+						expect(response1.status).toBe(204);
 						const response2 = await fetch(`${getBaseUrl()}${streamPath}`, {
 							method: `POST`,
 							headers: {
@@ -2468,6 +2685,252 @@ function runConformanceTests(options) {
 ), { numRuns: 25 });
 			});
 		});
+		describe(`Concurrent Writer Stress Tests`, () => {
+			test(`concurrent writers with sequence numbers - server handles gracefully`, async () => {
+				const streamPath = `/v1/stream/concurrent-seq-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `text/plain` }
+				});
+				const numWriters = 5;
+				const seqValue = `seq-001`;
+				const writePromises = Array.from({ length: numWriters }, (_, i) => fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `POST`,
+					headers: {
+						"Content-Type": `text/plain`,
+						[STREAM_SEQ_HEADER]: seqValue
+					},
+					body: `writer-${i}`
+				}));
+				const responses = await Promise.all(writePromises);
+				const statuses = responses.map((r) => r.status);
+				for (const status of statuses) expect([
+					200,
+					204,
+					409
+				]).toContain(status);
+				const successes = statuses.filter((s) => s === 200 || s === 204);
+				expect(successes.length).toBeGreaterThanOrEqual(1);
+				const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
+				const content = await readResponse.text();
+				const matchingWriters = Array.from({ length: numWriters }, (_, i) => content.includes(`writer-${i}`)).filter(Boolean);
+				expect(matchingWriters.length).toBeGreaterThanOrEqual(1);
+			});
+			test(`concurrent writers racing with incrementing seq values`, async () => {
+				await fc.assert(fc.asyncProperty(fc.integer({
+					min: 3,
+					max: 8
+				}), async (numWriters) => {
+					const streamPath = `/v1/stream/concurrent-race-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+					await fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `PUT`,
+						headers: { "Content-Type": `text/plain` }
+					});
+					const writePromises = Array.from({ length: numWriters }, (_, i) => fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `POST`,
+						headers: {
+							"Content-Type": `text/plain`,
+							[STREAM_SEQ_HEADER]: String(i).padStart(4, `0`)
+						},
+						body: `data-${i}`
+					}));
+					const responses = await Promise.all(writePromises);
+					const successIndices = [];
+					for (let i = 0; i < responses.length; i++) {
+						expect([
+							200,
+							204,
+							409
+						]).toContain(responses[i].status);
+						if (responses[i].status === 200 || responses[i].status === 204) successIndices.push(i);
+					}
+					expect(successIndices.length).toBeGreaterThanOrEqual(1);
+					const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
+					const content = await readResponse.text();
+					for (const i of successIndices) expect(content).toContain(`data-${i}`);
+					return true;
+				}), { numRuns: 10 });
+			});
+			test(`concurrent appends without seq - all data is persisted`, async () => {
+				const streamPath = `/v1/stream/concurrent-no-seq-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `text/plain` }
+				});
+				const numWriters = 10;
+				const writePromises = Array.from({ length: numWriters }, (_, i) => fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `POST`,
+					headers: { "Content-Type": `text/plain` },
+					body: `concurrent-${i}`
+				}));
+				const responses = await Promise.all(writePromises);
+				for (const response of responses) expect([200, 204]).toContain(response.status);
+				const offsets = responses.map((r) => r.headers.get(STREAM_OFFSET_HEADER));
+				for (const offset of offsets) expect(offset).not.toBeNull();
+				const readResponse = await fetch(`${getBaseUrl()}${streamPath}`);
+				const content = await readResponse.text();
+				for (let i = 0; i < numWriters; i++) expect(content).toContain(`concurrent-${i}`);
+			});
+			test(`mixed readers and writers - readers see consistent state`, async () => {
+				const streamPath = `/v1/stream/concurrent-rw-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `text/plain` }
+				});
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `POST`,
+					headers: { "Content-Type": `text/plain` },
+					body: `initial`
+				});
+				const numOps = 20;
+				const operations = Array.from({ length: numOps }, (_, i) => {
+					if (i % 2 === 0) return fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `POST`,
+						headers: { "Content-Type": `text/plain` },
+						body: `write-${i}`
+					});
+					else return fetch(`${getBaseUrl()}${streamPath}`);
+				});
+				const responses = await Promise.all(operations);
+				responses.forEach((response, i) => {
+					const expectedStatus = i % 2 === 0 ? 204 : 200;
+					expect(response.status).toBe(expectedStatus);
+				});
+				const finalRead = await fetch(`${getBaseUrl()}${streamPath}`);
+				const content = await finalRead.text();
+				expect(content).toContain(`initial`);
+				for (let i = 0; i < numOps; i += 2) expect(content).toContain(`write-${i}`);
+			});
+		});
+		describe(`State Hash Verification`, () => {
+			/**
+			* Simple hash function for content verification.
+			* Uses FNV-1a algorithm for deterministic hashing.
+			*/
+			function hashContent(data) {
+				let hash = 2166136261;
+				for (const byte of data) {
+					hash ^= byte;
+					hash = Math.imul(hash, 16777619);
+					hash = hash >>> 0;
+				}
+				return hash.toString(16).padStart(8, `0`);
+			}
+			test(`replay produces identical content hash`, async () => {
+				await fc.assert(fc.asyncProperty(
+					// Generate a sequence of appends
+					fc.array(fc.uint8Array({
+						minLength: 1,
+						maxLength: 100
+					}), {
+						minLength: 1,
+						maxLength: 10
+					}),
+					async (chunks) => {
+						const streamPath1 = `/v1/stream/hash-verify-1-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+						await fetch(`${getBaseUrl()}${streamPath1}`, {
+							method: `PUT`,
+							headers: { "Content-Type": `application/octet-stream` }
+						});
+						for (const chunk of chunks) await fetch(`${getBaseUrl()}${streamPath1}`, {
+							method: `POST`,
+							headers: { "Content-Type": `application/octet-stream` },
+							body: chunk
+						});
+						const response1 = await fetch(`${getBaseUrl()}${streamPath1}`);
+						const data1 = new Uint8Array(await response1.arrayBuffer());
+						const hash1 = hashContent(data1);
+						const streamPath2 = `/v1/stream/hash-verify-2-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+						await fetch(`${getBaseUrl()}${streamPath2}`, {
+							method: `PUT`,
+							headers: { "Content-Type": `application/octet-stream` }
+						});
+						for (const chunk of chunks) await fetch(`${getBaseUrl()}${streamPath2}`, {
+							method: `POST`,
+							headers: { "Content-Type": `application/octet-stream` },
+							body: chunk
+						});
+						const response2 = await fetch(`${getBaseUrl()}${streamPath2}`);
+						const data2 = new Uint8Array(await response2.arrayBuffer());
+						const hash2 = hashContent(data2);
+						expect(hash1).toBe(hash2);
+						expect(data1.length).toBe(data2.length);
+						return true;
+					}
+), { numRuns: 15 });
+			});
+			test(`content hash changes with each append`, async () => {
+				const streamPath = `/v1/stream/hash-changes-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `application/octet-stream` }
+				});
+				const hashes = [];
+				for (let i = 0; i < 5; i++) {
+					await fetch(`${getBaseUrl()}${streamPath}`, {
+						method: `POST`,
+						headers: { "Content-Type": `application/octet-stream` },
+						body: new Uint8Array([
+							i,
+							i + 1,
+							i + 2
+						])
+					});
+					const response = await fetch(`${getBaseUrl()}${streamPath}`);
+					const data = new Uint8Array(await response.arrayBuffer());
+					hashes.push(hashContent(data));
+				}
+				const uniqueHashes = new Set(hashes);
+				expect(uniqueHashes.size).toBe(5);
+			});
+			test(`empty stream has consistent hash`, async () => {
+				const streamPath1 = `/v1/stream/empty-hash-1-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				const streamPath2 = `/v1/stream/empty-hash-2-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+				await fetch(`${getBaseUrl()}${streamPath1}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `application/octet-stream` }
+				});
+				await fetch(`${getBaseUrl()}${streamPath2}`, {
+					method: `PUT`,
+					headers: { "Content-Type": `application/octet-stream` }
+				});
+				const response1 = await fetch(`${getBaseUrl()}${streamPath1}`);
+				const response2 = await fetch(`${getBaseUrl()}${streamPath2}`);
+				const data1 = new Uint8Array(await response1.arrayBuffer());
+				const data2 = new Uint8Array(await response2.arrayBuffer());
+				expect(data1.length).toBe(0);
+				expect(data2.length).toBe(0);
+				expect(hashContent(data1)).toBe(hashContent(data2));
+			});
+			test(`deterministic ordering - same data in same order produces same hash`, async () => {
+				await fc.assert(fc.asyncProperty(fc.array(fc.uint8Array({
+					minLength: 1,
+					maxLength: 50
+				}), {
+					minLength: 2,
+					maxLength: 5
+				}), async (chunks) => {
+					const hashes = [];
+					for (let run = 0; run < 2; run++) {
+						const streamPath = `/v1/stream/order-hash-${run}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+						await fetch(`${getBaseUrl()}${streamPath}`, {
+							method: `PUT`,
+							headers: { "Content-Type": `application/octet-stream` }
+						});
+						for (const chunk of chunks) await fetch(`${getBaseUrl()}${streamPath}`, {
+							method: `POST`,
+							headers: { "Content-Type": `application/octet-stream` },
+							body: chunk
+						});
+						const response = await fetch(`${getBaseUrl()}${streamPath}`);
+						const data = new Uint8Array(await response.arrayBuffer());
+						hashes.push(hashContent(data));
+					}
+					expect(hashes[0]).toBe(hashes[1]);
+					return true;
+				}), { numRuns: 10 });
+			});
+		});
 	});
 }
 

package/dist/test-runner.cjs

@@ -1,5 +1,5 @@
 "use strict";
-const require_src = require('./src-BJQjRfnf.cjs');
+const require_src = require('./src-ChUwq33M.cjs');
 
 //#region src/test-runner.ts
 const baseUrl = process.env.CONFORMANCE_TEST_URL;

package/dist/test-runner.js

@@ -1,4 +1,4 @@
-import { runConformanceTests } from "./src-BtF2jQ-Q.js";
+import { runConformanceTests } from "./src-DWkKYD4d.js";
 
 //#region src/test-runner.ts
 const baseUrl = process.env.CONFORMANCE_TEST_URL;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@durable-streams/server-conformance-tests",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Conformance test suite for Durable Streams server implementations",
   "author": "Durable Stream contributors",
   "license": "Apache-2.0",
@@ -49,7 +49,7 @@
   "dependencies": {
     "fast-check": "^4.4.0",
     "vitest": "^4.0.0",
-    "@durable-streams/client": "0.1.2"
+    "@durable-streams/client": "0.1.3"
   },
   "devDependencies": {
     "tsdown": "^0.9.0",