@durable-streams/server 0.1.3 → 0.1.4

package/dist/index.cjs

@@ -1075,10 +1075,12 @@ const CURSOR_QUERY_PARAM = `cursor`;
 /**
 * Encode data for SSE format.
 * Per SSE spec, each line in the payload needs its own "data:" prefix.
-* Newlines in the payload become separate data: lines.
+* Line terminators in the payload (CR, LF, or CRLF) become separate data: lines.
+* This prevents CRLF injection attacks where malicious payloads could inject
+* fake SSE events using CR-only line terminators.
 */
 function encodeSSEData(payload) {
-	const lines = payload.split(`\n`);
+	const lines = payload.split(/\r\n|\r|\n/);
 	return lines.map((line) => `data: ${line}`).join(`\n`) + `\n\n`;
 }
 /**
@@ -1117,8 +1119,8 @@ var DurableStreamTestServer = class {
 	_url = null;
 	activeSSEResponses = new Set();
 	isShuttingDown = false;
-	/** Injected errors for testing retry/resilience */
-	injectedErrors = new Map();
+	/** Injected faults for testing retry/resilience */
+	injectedFaults = new Map();
 	constructor(options = {}) {
 		if (options.dataDir) this.store = new FileBackedStreamStore({ dataDir: options.dataDir });
 		else this.store = new StreamStore();
@@ -1203,30 +1205,71 @@ var DurableStreamTestServer = class {
 	/**
 	* Inject an error to be returned on the next N requests to a path.
 	* Used for testing retry/resilience behavior.
+	* @deprecated Use injectFault for full fault injection capabilities
 	*/
 	injectError(path, status, count = 1, retryAfter) {
-		this.injectedErrors.set(path, {
+		this.injectedFaults.set(path, {
 			status,
 			count,
 			retryAfter
 		});
 	}
 	/**
-	* Clear all injected errors.
+	* Inject a fault to be triggered on the next N requests to a path.
+	* Supports various fault types: delays, connection drops, body corruption, etc.
 	*/
-	clearInjectedErrors() {
-		this.injectedErrors.clear();
+	injectFault(path, fault) {
+		this.injectedFaults.set(path, {
+			count: 1,
+			...fault
+		});
+	}
+	/**
+	* Clear all injected faults.
+	*/
+	clearInjectedFaults() {
+		this.injectedFaults.clear();
+	}
+	/**
+	* Check if there's an injected fault for this path/method and consume it.
+	* Returns the fault config if one should be triggered, null otherwise.
+	*/
+	consumeInjectedFault(path, method) {
+		const fault = this.injectedFaults.get(path);
+		if (!fault) return null;
+		if (fault.method && fault.method.toUpperCase() !== method.toUpperCase()) return null;
+		if (fault.probability !== void 0 && Math.random() > fault.probability) return null;
+		fault.count--;
+		if (fault.count <= 0) this.injectedFaults.delete(path);
+		return fault;
+	}
+	/**
+	* Apply delay from fault config (including jitter).
+	*/
+	async applyFaultDelay(fault) {
+		if (fault.delayMs !== void 0 && fault.delayMs > 0) {
+			const jitter = fault.jitterMs ? Math.random() * fault.jitterMs : 0;
+			await new Promise((resolve) => setTimeout(resolve, fault.delayMs + jitter));
+		}
 	}
 	/**
-	* Check if there's an injected error for this path and consume it.
-	* Returns the error config if one should be returned, null otherwise.
+	* Apply body modifications from stored fault (truncation, corruption).
+	* Returns modified body, or original if no modifications needed.
 	*/
-	consumeInjectedError(path) {
-		const error = this.injectedErrors.get(path);
-		if (!error) return null;
-		error.count--;
-		if (error.count <= 0) this.injectedErrors.delete(path);
-		return error;
+	applyFaultBodyModification(res, body) {
+		const fault = res._injectedFault;
+		if (!fault) return body;
+		let modified = body;
+		if (fault.truncateBodyBytes !== void 0 && modified.length > fault.truncateBodyBytes) modified = modified.slice(0, fault.truncateBodyBytes);
+		if (fault.corruptBody && modified.length > 0) {
+			modified = new Uint8Array(modified);
+			const numCorrupt = Math.max(1, Math.floor(modified.length * .03));
+			for (let i = 0; i < numCorrupt; i++) {
+				const pos = Math.floor(Math.random() * modified.length);
+				modified[pos] = modified[pos] ^ 1 << Math.floor(Math.random() * 8);
+			}
+		}
+		return modified;
 	}
 	async handleRequest(req, res) {
 		const url = new URL(req.url ?? `/`, `http://${req.headers.host}`);
@@ -1236,6 +1279,8 @@ var DurableStreamTestServer = class {
 		res.setHeader(`access-control-allow-methods`, `GET, POST, PUT, DELETE, HEAD, OPTIONS`);
 		res.setHeader(`access-control-allow-headers`, `content-type, authorization, Stream-Seq, Stream-TTL, Stream-Expires-At`);
 		res.setHeader(`access-control-expose-headers`, `Stream-Next-Offset, Stream-Cursor, Stream-Up-To-Date, etag, content-type, content-encoding, vary`);
+		res.setHeader(`x-content-type-options`, `nosniff`);
+		res.setHeader(`cross-origin-resource-policy`, `cross-origin`);
 		if (method === `OPTIONS`) {
 			res.writeHead(204);
 			res.end();
@@ -1245,13 +1290,21 @@ var DurableStreamTestServer = class {
 			await this.handleTestInjectError(method, req, res);
 			return;
 		}
-		const injectedError = this.consumeInjectedError(path);
-		if (injectedError) {
-			const headers = { "content-type": `text/plain` };
-			if (injectedError.retryAfter !== void 0) headers[`retry-after`] = injectedError.retryAfter.toString();
-			res.writeHead(injectedError.status, headers);
-			res.end(`Injected error for testing`);
-			return;
+		const fault = this.consumeInjectedFault(path, method ?? `GET`);
+		if (fault) {
+			await this.applyFaultDelay(fault);
+			if (fault.dropConnection) {
+				res.socket?.destroy();
+				return;
+			}
+			if (fault.status !== void 0) {
+				const headers = { "content-type": `text/plain` };
+				if (fault.retryAfter !== void 0) headers[`retry-after`] = fault.retryAfter.toString();
+				res.writeHead(fault.status, headers);
+				res.end(`Injected error for testing`);
+				return;
+			}
+			if (fault.truncateBodyBytes !== void 0 || fault.corruptBody) res._injectedFault = fault;
 		}
 		try {
 			switch (method) {
@@ -1366,7 +1419,10 @@ var DurableStreamTestServer = class {
 			res.end();
 			return;
 		}
-		const headers = { [STREAM_OFFSET_HEADER]: stream.currentOffset };
+		const headers = {
+			[STREAM_OFFSET_HEADER]: stream.currentOffset,
+			"cache-control": `no-store`
+		};
 		if (stream.contentType) headers[`content-type`] = stream.contentType;
 		headers[`etag`] = `"${Buffer.from(path).toString(`base64`)}:-1:${stream.currentOffset}"`;
 		res.writeHead(200, headers);
@@ -1457,6 +1513,7 @@ var DurableStreamTestServer = class {
 				headers[`vary`] = `accept-encoding`;
 			}
 		}
+		finalData = this.applyFaultBodyModification(res, finalData);
 		res.writeHead(200, headers);
 		res.end(Buffer.from(finalData));
 	}
@@ -1469,7 +1526,9 @@ var DurableStreamTestServer = class {
 			"content-type": `text/event-stream`,
 			"cache-control": `no-cache`,
 			connection: `keep-alive`,
-			"access-control-allow-origin": `*`
+			"access-control-allow-origin": `*`,
+			"x-content-type-options": `nosniff`,
+			"cross-origin-resource-policy": `cross-origin`
 		});
 		let currentOffset = initialOffset;
 		let isConnected = true;
@@ -1540,7 +1599,7 @@ var DurableStreamTestServer = class {
 			seq,
 			contentType
 		}));
-		res.writeHead(200, { [STREAM_OFFSET_HEADER]: message.offset });
+		res.writeHead(204, { [STREAM_OFFSET_HEADER]: message.offset });
 		res.end();
 	}
 	/**
@@ -1571,12 +1630,29 @@ var DurableStreamTestServer = class {
 			const body = await this.readBody(req);
 			try {
 				const config = JSON.parse(new TextDecoder().decode(body));
-				if (!config.path || !config.status) {
+				if (!config.path) {
+					res.writeHead(400, { "content-type": `text/plain` });
+					res.end(`Missing required field: path`);
+					return;
+				}
+				const hasFaultType = config.status !== void 0 || config.delayMs !== void 0 || config.dropConnection || config.truncateBodyBytes !== void 0 || config.corruptBody;
+				if (!hasFaultType) {
 					res.writeHead(400, { "content-type": `text/plain` });
-					res.end(`Missing required fields: path, status`);
+					res.end(`Must specify at least one fault type: status, delayMs, dropConnection, truncateBodyBytes, or corruptBody`);
 					return;
 				}
-				this.injectError(config.path, config.status, config.count ?? 1, config.retryAfter);
+				this.injectFault(config.path, {
+					status: config.status,
+					count: config.count ?? 1,
+					retryAfter: config.retryAfter,
+					delayMs: config.delayMs,
+					dropConnection: config.dropConnection,
+					truncateBodyBytes: config.truncateBodyBytes,
+					probability: config.probability,
+					method: config.method,
+					corruptBody: config.corruptBody,
+					jitterMs: config.jitterMs
+				});
 				res.writeHead(200, { "content-type": `application/json` });
 				res.end(JSON.stringify({ ok: true }));
 			} catch {
@@ -1584,7 +1660,7 @@ var DurableStreamTestServer = class {
 				res.end(`Invalid JSON body`);
 			}
 		} else if (method === `DELETE`) {
-			this.clearInjectedErrors();
+			this.clearInjectedFaults();
 			res.writeHead(200, { "content-type": `application/json` });
 			res.end(JSON.stringify({ ok: true }));
 		} else {

package/dist/index.d.cts

@@ -332,6 +332,36 @@ declare class FileBackedStreamStore {
 
 //#endregion
 //#region src/server.d.ts
+/**
+* HTTP server for testing durable streams.
+* Supports both in-memory and file-backed storage modes.
+*/
+/**
+* Configuration for injected faults (for testing retry/resilience).
+* Supports various fault types beyond simple HTTP errors.
+*/
+interface InjectedFault {
+  /** HTTP status code to return (if set, returns error response) */
+  status?: number;
+  /** Number of times to trigger this fault (decremented on each use) */
+  count: number;
+  /** Optional Retry-After header value (seconds) */
+  retryAfter?: number;
+  /** Delay in milliseconds before responding */
+  delayMs?: number;
+  /** Drop the connection after sending headers (simulates network failure) */
+  dropConnection?: boolean;
+  /** Truncate response body to this many bytes */
+  truncateBodyBytes?: number;
+  /** Probability of triggering fault (0-1, default 1.0 = always) */
+  probability?: number;
+  /** Only match specific HTTP method (GET, POST, PUT, DELETE) */
+  method?: string;
+  /** Corrupt the response body by flipping random bits */
+  corruptBody?: boolean;
+  /** Add jitter to delay (random 0-jitterMs added to delayMs) */
+  jitterMs?: number;
+}
 declare class DurableStreamTestServer {
   readonly store: StreamStore | FileBackedStreamStore;
   private server;
@@ -339,8 +369,8 @@ declare class DurableStreamTestServer {
   private _url;
   private activeSSEResponses;
   private isShuttingDown;
-  /** Injected errors for testing retry/resilience */
-  private injectedErrors;
+  /** Injected faults for testing retry/resilience */
+  private injectedFaults;
   constructor(options?: TestServerOptions);
   /**
   * Start the server.
@@ -361,17 +391,34 @@ declare class DurableStreamTestServer {
   /**
   * Inject an error to be returned on the next N requests to a path.
   * Used for testing retry/resilience behavior.
+  * @deprecated Use injectFault for full fault injection capabilities
   */
   injectError(path: string, status: number, count?: number, retryAfter?: number): void;
   /**
-  * Clear all injected errors.
+  * Inject a fault to be triggered on the next N requests to a path.
+  * Supports various fault types: delays, connection drops, body corruption, etc.
+  */
+  injectFault(path: string, fault: Omit<InjectedFault, `count`> & {
+    count?: number;
+  }): void;
+  /**
+  * Clear all injected faults.
   */
-  clearInjectedErrors(): void;
+  clearInjectedFaults(): void;
   /**
-  * Check if there's an injected error for this path and consume it.
-  * Returns the error config if one should be returned, null otherwise.
+  * Check if there's an injected fault for this path/method and consume it.
+  * Returns the fault config if one should be triggered, null otherwise.
   */
-  private consumeInjectedError;
+  private consumeInjectedFault;
+  /**
+  * Apply delay from fault config (including jitter).
+  */
+  private applyFaultDelay;
+  /**
+  * Apply body modifications from stored fault (truncation, corruption).
+  * Returns modified body, or original if no modifications needed.
+  */
+  private applyFaultBodyModification;
   private handleRequest;
   /**
   * Handle PUT - create stream
@@ -404,9 +451,7 @@ declare class DurableStreamTestServer {
   */
   private handleTestInjectError;
   private readBody;
-}
-
-//#endregion
+} //#endregion
 //#region src/path-encoding.d.ts
 /**
 * Encode a stream path to a filesystem-safe directory name using base64url encoding.

package/dist/index.d.ts

@@ -332,6 +332,36 @@ declare class FileBackedStreamStore {
 
 //#endregion
 //#region src/server.d.ts
+/**
+* HTTP server for testing durable streams.
+* Supports both in-memory and file-backed storage modes.
+*/
+/**
+* Configuration for injected faults (for testing retry/resilience).
+* Supports various fault types beyond simple HTTP errors.
+*/
+interface InjectedFault {
+  /** HTTP status code to return (if set, returns error response) */
+  status?: number;
+  /** Number of times to trigger this fault (decremented on each use) */
+  count: number;
+  /** Optional Retry-After header value (seconds) */
+  retryAfter?: number;
+  /** Delay in milliseconds before responding */
+  delayMs?: number;
+  /** Drop the connection after sending headers (simulates network failure) */
+  dropConnection?: boolean;
+  /** Truncate response body to this many bytes */
+  truncateBodyBytes?: number;
+  /** Probability of triggering fault (0-1, default 1.0 = always) */
+  probability?: number;
+  /** Only match specific HTTP method (GET, POST, PUT, DELETE) */
+  method?: string;
+  /** Corrupt the response body by flipping random bits */
+  corruptBody?: boolean;
+  /** Add jitter to delay (random 0-jitterMs added to delayMs) */
+  jitterMs?: number;
+}
 declare class DurableStreamTestServer {
   readonly store: StreamStore | FileBackedStreamStore;
   private server;
@@ -339,8 +369,8 @@ declare class DurableStreamTestServer {
   private _url;
   private activeSSEResponses;
   private isShuttingDown;
-  /** Injected errors for testing retry/resilience */
-  private injectedErrors;
+  /** Injected faults for testing retry/resilience */
+  private injectedFaults;
   constructor(options?: TestServerOptions);
   /**
   * Start the server.
@@ -361,17 +391,34 @@ declare class DurableStreamTestServer {
   /**
   * Inject an error to be returned on the next N requests to a path.
   * Used for testing retry/resilience behavior.
+  * @deprecated Use injectFault for full fault injection capabilities
   */
   injectError(path: string, status: number, count?: number, retryAfter?: number): void;
   /**
-  * Clear all injected errors.
+  * Inject a fault to be triggered on the next N requests to a path.
+  * Supports various fault types: delays, connection drops, body corruption, etc.
+  */
+  injectFault(path: string, fault: Omit<InjectedFault, `count`> & {
+    count?: number;
+  }): void;
+  /**
+  * Clear all injected faults.
   */
-  clearInjectedErrors(): void;
+  clearInjectedFaults(): void;
   /**
-  * Check if there's an injected error for this path and consume it.
-  * Returns the error config if one should be returned, null otherwise.
+  * Check if there's an injected fault for this path/method and consume it.
+  * Returns the fault config if one should be triggered, null otherwise.
   */
-  private consumeInjectedError;
+  private consumeInjectedFault;
+  /**
+  * Apply delay from fault config (including jitter).
+  */
+  private applyFaultDelay;
+  /**
+  * Apply body modifications from stored fault (truncation, corruption).
+  * Returns modified body, or original if no modifications needed.
+  */
+  private applyFaultBodyModification;
   private handleRequest;
   /**
   * Handle PUT - create stream
@@ -404,9 +451,7 @@ declare class DurableStreamTestServer {
   */
   private handleTestInjectError;
   private readBody;
-}
-
-//#endregion
+} //#endregion
 //#region src/path-encoding.d.ts
 /**
 * Encode a stream path to a filesystem-safe directory name using base64url encoding.

package/dist/index.js

@@ -1052,10 +1052,12 @@ const CURSOR_QUERY_PARAM = `cursor`;
 /**
 * Encode data for SSE format.
 * Per SSE spec, each line in the payload needs its own "data:" prefix.
-* Newlines in the payload become separate data: lines.
+* Line terminators in the payload (CR, LF, or CRLF) become separate data: lines.
+* This prevents CRLF injection attacks where malicious payloads could inject
+* fake SSE events using CR-only line terminators.
 */
 function encodeSSEData(payload) {
-	const lines = payload.split(`\n`);
+	const lines = payload.split(/\r\n|\r|\n/);
 	return lines.map((line) => `data: ${line}`).join(`\n`) + `\n\n`;
 }
 /**
@@ -1094,8 +1096,8 @@ var DurableStreamTestServer = class {
 	_url = null;
 	activeSSEResponses = new Set();
 	isShuttingDown = false;
-	/** Injected errors for testing retry/resilience */
-	injectedErrors = new Map();
+	/** Injected faults for testing retry/resilience */
+	injectedFaults = new Map();
 	constructor(options = {}) {
 		if (options.dataDir) this.store = new FileBackedStreamStore({ dataDir: options.dataDir });
 		else this.store = new StreamStore();
@@ -1180,30 +1182,71 @@ var DurableStreamTestServer = class {
 	/**
 	* Inject an error to be returned on the next N requests to a path.
 	* Used for testing retry/resilience behavior.
+	* @deprecated Use injectFault for full fault injection capabilities
 	*/
 	injectError(path$2, status, count = 1, retryAfter) {
-		this.injectedErrors.set(path$2, {
+		this.injectedFaults.set(path$2, {
 			status,
 			count,
 			retryAfter
 		});
 	}
 	/**
-	* Clear all injected errors.
+	* Inject a fault to be triggered on the next N requests to a path.
+	* Supports various fault types: delays, connection drops, body corruption, etc.
 	*/
-	clearInjectedErrors() {
-		this.injectedErrors.clear();
+	injectFault(path$2, fault) {
+		this.injectedFaults.set(path$2, {
+			count: 1,
+			...fault
+		});
+	}
+	/**
+	* Clear all injected faults.
+	*/
+	clearInjectedFaults() {
+		this.injectedFaults.clear();
+	}
+	/**
+	* Check if there's an injected fault for this path/method and consume it.
+	* Returns the fault config if one should be triggered, null otherwise.
+	*/
+	consumeInjectedFault(path$2, method) {
+		const fault = this.injectedFaults.get(path$2);
+		if (!fault) return null;
+		if (fault.method && fault.method.toUpperCase() !== method.toUpperCase()) return null;
+		if (fault.probability !== void 0 && Math.random() > fault.probability) return null;
+		fault.count--;
+		if (fault.count <= 0) this.injectedFaults.delete(path$2);
+		return fault;
+	}
+	/**
+	* Apply delay from fault config (including jitter).
+	*/
+	async applyFaultDelay(fault) {
+		if (fault.delayMs !== void 0 && fault.delayMs > 0) {
+			const jitter = fault.jitterMs ? Math.random() * fault.jitterMs : 0;
+			await new Promise((resolve) => setTimeout(resolve, fault.delayMs + jitter));
+		}
 	}
 	/**
-	* Check if there's an injected error for this path and consume it.
-	* Returns the error config if one should be returned, null otherwise.
+	* Apply body modifications from stored fault (truncation, corruption).
+	* Returns modified body, or original if no modifications needed.
 	*/
-	consumeInjectedError(path$2) {
-		const error = this.injectedErrors.get(path$2);
-		if (!error) return null;
-		error.count--;
-		if (error.count <= 0) this.injectedErrors.delete(path$2);
-		return error;
+	applyFaultBodyModification(res, body) {
+		const fault = res._injectedFault;
+		if (!fault) return body;
+		let modified = body;
+		if (fault.truncateBodyBytes !== void 0 && modified.length > fault.truncateBodyBytes) modified = modified.slice(0, fault.truncateBodyBytes);
+		if (fault.corruptBody && modified.length > 0) {
+			modified = new Uint8Array(modified);
+			const numCorrupt = Math.max(1, Math.floor(modified.length * .03));
+			for (let i = 0; i < numCorrupt; i++) {
+				const pos = Math.floor(Math.random() * modified.length);
+				modified[pos] = modified[pos] ^ 1 << Math.floor(Math.random() * 8);
+			}
+		}
+		return modified;
 	}
 	async handleRequest(req, res) {
 		const url = new URL(req.url ?? `/`, `http://${req.headers.host}`);
@@ -1213,6 +1256,8 @@ var DurableStreamTestServer = class {
 		res.setHeader(`access-control-allow-methods`, `GET, POST, PUT, DELETE, HEAD, OPTIONS`);
 		res.setHeader(`access-control-allow-headers`, `content-type, authorization, Stream-Seq, Stream-TTL, Stream-Expires-At`);
 		res.setHeader(`access-control-expose-headers`, `Stream-Next-Offset, Stream-Cursor, Stream-Up-To-Date, etag, content-type, content-encoding, vary`);
+		res.setHeader(`x-content-type-options`, `nosniff`);
+		res.setHeader(`cross-origin-resource-policy`, `cross-origin`);
 		if (method === `OPTIONS`) {
 			res.writeHead(204);
 			res.end();
@@ -1222,13 +1267,21 @@ var DurableStreamTestServer = class {
 			await this.handleTestInjectError(method, req, res);
 			return;
 		}
-		const injectedError = this.consumeInjectedError(path$2);
-		if (injectedError) {
-			const headers = { "content-type": `text/plain` };
-			if (injectedError.retryAfter !== void 0) headers[`retry-after`] = injectedError.retryAfter.toString();
-			res.writeHead(injectedError.status, headers);
-			res.end(`Injected error for testing`);
-			return;
+		const fault = this.consumeInjectedFault(path$2, method ?? `GET`);
+		if (fault) {
+			await this.applyFaultDelay(fault);
+			if (fault.dropConnection) {
+				res.socket?.destroy();
+				return;
+			}
+			if (fault.status !== void 0) {
+				const headers = { "content-type": `text/plain` };
+				if (fault.retryAfter !== void 0) headers[`retry-after`] = fault.retryAfter.toString();
+				res.writeHead(fault.status, headers);
+				res.end(`Injected error for testing`);
+				return;
+			}
+			if (fault.truncateBodyBytes !== void 0 || fault.corruptBody) res._injectedFault = fault;
 		}
 		try {
 			switch (method) {
@@ -1343,7 +1396,10 @@ var DurableStreamTestServer = class {
 			res.end();
 			return;
 		}
-		const headers = { [STREAM_OFFSET_HEADER]: stream.currentOffset };
+		const headers = {
+			[STREAM_OFFSET_HEADER]: stream.currentOffset,
+			"cache-control": `no-store`
+		};
 		if (stream.contentType) headers[`content-type`] = stream.contentType;
 		headers[`etag`] = `"${Buffer.from(path$2).toString(`base64`)}:-1:${stream.currentOffset}"`;
 		res.writeHead(200, headers);
@@ -1434,6 +1490,7 @@ var DurableStreamTestServer = class {
 				headers[`vary`] = `accept-encoding`;
 			}
 		}
+		finalData = this.applyFaultBodyModification(res, finalData);
 		res.writeHead(200, headers);
 		res.end(Buffer.from(finalData));
 	}
@@ -1446,7 +1503,9 @@ var DurableStreamTestServer = class {
 			"content-type": `text/event-stream`,
 			"cache-control": `no-cache`,
 			connection: `keep-alive`,
-			"access-control-allow-origin": `*`
+			"access-control-allow-origin": `*`,
+			"x-content-type-options": `nosniff`,
+			"cross-origin-resource-policy": `cross-origin`
 		});
 		let currentOffset = initialOffset;
 		let isConnected = true;
@@ -1517,7 +1576,7 @@ var DurableStreamTestServer = class {
 			seq,
 			contentType
 		}));
-		res.writeHead(200, { [STREAM_OFFSET_HEADER]: message.offset });
+		res.writeHead(204, { [STREAM_OFFSET_HEADER]: message.offset });
 		res.end();
 	}
 	/**
@@ -1548,12 +1607,29 @@ var DurableStreamTestServer = class {
 			const body = await this.readBody(req);
 			try {
 				const config = JSON.parse(new TextDecoder().decode(body));
-				if (!config.path || !config.status) {
+				if (!config.path) {
+					res.writeHead(400, { "content-type": `text/plain` });
+					res.end(`Missing required field: path`);
+					return;
+				}
+				const hasFaultType = config.status !== void 0 || config.delayMs !== void 0 || config.dropConnection || config.truncateBodyBytes !== void 0 || config.corruptBody;
+				if (!hasFaultType) {
 					res.writeHead(400, { "content-type": `text/plain` });
-					res.end(`Missing required fields: path, status`);
+					res.end(`Must specify at least one fault type: status, delayMs, dropConnection, truncateBodyBytes, or corruptBody`);
 					return;
 				}
-				this.injectError(config.path, config.status, config.count ?? 1, config.retryAfter);
+				this.injectFault(config.path, {
+					status: config.status,
+					count: config.count ?? 1,
+					retryAfter: config.retryAfter,
+					delayMs: config.delayMs,
+					dropConnection: config.dropConnection,
+					truncateBodyBytes: config.truncateBodyBytes,
+					probability: config.probability,
+					method: config.method,
+					corruptBody: config.corruptBody,
+					jitterMs: config.jitterMs
+				});
 				res.writeHead(200, { "content-type": `application/json` });
 				res.end(JSON.stringify({ ok: true }));
 			} catch {
@@ -1561,7 +1637,7 @@ var DurableStreamTestServer = class {
 				res.end(`Invalid JSON body`);
 			}
 		} else if (method === `DELETE`) {
-			this.clearInjectedErrors();
+			this.clearInjectedFaults();
 			res.writeHead(200, { "content-type": `application/json` });
 			res.end(JSON.stringify({ ok: true }));
 		} else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@durable-streams/server",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Node.js reference server implementation for Durable Streams",
   "author": "Durable Stream contributors",
   "license": "Apache-2.0",
@@ -39,15 +39,15 @@
   "dependencies": {
     "@neophi/sieve-cache": "^1.0.0",
     "lmdb": "^3.3.0",
-    "@durable-streams/client": "0.1.2",
-    "@durable-streams/state": "0.1.2"
+    "@durable-streams/client": "0.1.3",
+    "@durable-streams/state": "0.1.3"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",
     "tsdown": "^0.9.0",
     "typescript": "^5.0.0",
-    "vitest": "^3.2.4",
-    "@durable-streams/server-conformance-tests": "0.1.3"
+    "vitest": "^4.0.0",
+    "@durable-streams/server-conformance-tests": "0.1.6"
   },
   "files": [
     "dist",

package/src/server.ts

@@ -32,10 +32,14 @@ const CURSOR_QUERY_PARAM = `cursor`
 /**
  * Encode data for SSE format.
  * Per SSE spec, each line in the payload needs its own "data:" prefix.
- * Newlines in the payload become separate data: lines.
+ * Line terminators in the payload (CR, LF, or CRLF) become separate data: lines.
+ * This prevents CRLF injection attacks where malicious payloads could inject
+ * fake SSE events using CR-only line terminators.
  */
 function encodeSSEData(payload: string): string {
-  const lines = payload.split(`\n`)
+  // Split on all SSE-valid line terminators: CRLF, CR, or LF
+  // Order matters: \r\n must be matched before \r alone
+  const lines = payload.split(/\r\n|\r|\n/)
   return lines.map((line) => `data: ${line}`).join(`\n`) + `\n\n`
 }
 
@@ -92,15 +96,30 @@ function compressData(
  * Supports both in-memory and file-backed storage modes.
  */
 /**
- * Configuration for injected errors (for testing retry/resilience).
+ * Configuration for injected faults (for testing retry/resilience).
+ * Supports various fault types beyond simple HTTP errors.
  */
-interface InjectedError {
-  /** HTTP status code to return */
-  status: number
-  /** Number of times to return this error (decremented on each use) */
+interface InjectedFault {
+  /** HTTP status code to return (if set, returns error response) */
+  status?: number
+  /** Number of times to trigger this fault (decremented on each use) */
   count: number
   /** Optional Retry-After header value (seconds) */
   retryAfter?: number
+  /** Delay in milliseconds before responding */
+  delayMs?: number
+  /** Drop the connection after sending headers (simulates network failure) */
+  dropConnection?: boolean
+  /** Truncate response body to this many bytes */
+  truncateBodyBytes?: number
+  /** Probability of triggering fault (0-1, default 1.0 = always) */
+  probability?: number
+  /** Only match specific HTTP method (GET, POST, PUT, DELETE) */
+  method?: string
+  /** Corrupt the response body by flipping random bits */
+  corruptBody?: boolean
+  /** Add jitter to delay (random 0-jitterMs added to delayMs) */
+  jitterMs?: number
 }
 
 export class DurableStreamTestServer {
@@ -126,8 +145,8 @@ export class DurableStreamTestServer {
   private _url: string | null = null
   private activeSSEResponses = new Set<ServerResponse>()
   private isShuttingDown = false
-  /** Injected errors for testing retry/resilience */
-  private injectedErrors = new Map<string, InjectedError>()
+  /** Injected faults for testing retry/resilience */
+  private injectedFaults = new Map<string, InjectedFault>()
 
   constructor(options: TestServerOptions = {}) {
     // Choose store based on dataDir option
@@ -253,6 +272,7 @@ export class DurableStreamTestServer {
   /**
    * Inject an error to be returned on the next N requests to a path.
    * Used for testing retry/resilience behavior.
+   * @deprecated Use injectFault for full fault injection capabilities
    */
   injectError(
     path: string,
@@ -260,30 +280,102 @@ export class DurableStreamTestServer {
     count: number = 1,
     retryAfter?: number
   ): void {
-    this.injectedErrors.set(path, { status, count, retryAfter })
+    this.injectedFaults.set(path, { status, count, retryAfter })
   }
 
   /**
-   * Clear all injected errors.
+   * Inject a fault to be triggered on the next N requests to a path.
+   * Supports various fault types: delays, connection drops, body corruption, etc.
    */
-  clearInjectedErrors(): void {
-    this.injectedErrors.clear()
+  injectFault(
+    path: string,
+    fault: Omit<InjectedFault, `count`> & { count?: number }
+  ): void {
+    this.injectedFaults.set(path, { count: 1, ...fault })
+  }
+
+  /**
+   * Clear all injected faults.
+   */
+  clearInjectedFaults(): void {
+    this.injectedFaults.clear()
+  }
+
+  /**
+   * Check if there's an injected fault for this path/method and consume it.
+   * Returns the fault config if one should be triggered, null otherwise.
+   */
+  private consumeInjectedFault(
+    path: string,
+    method: string
+  ): InjectedFault | null {
+    const fault = this.injectedFaults.get(path)
+    if (!fault) return null
+
+    // Check method filter
+    if (fault.method && fault.method.toUpperCase() !== method.toUpperCase()) {
+      return null
+    }
+
+    // Check probability
+    if (fault.probability !== undefined && Math.random() > fault.probability) {
+      return null
+    }
+
+    fault.count--
+    if (fault.count <= 0) {
+      this.injectedFaults.delete(path)
+    }
+
+    return fault
+  }
+
+  /**
+   * Apply delay from fault config (including jitter).
+   */
+  private async applyFaultDelay(fault: InjectedFault): Promise<void> {
+    if (fault.delayMs !== undefined && fault.delayMs > 0) {
+      const jitter = fault.jitterMs ? Math.random() * fault.jitterMs : 0
+      await new Promise((resolve) =>
+        setTimeout(resolve, fault.delayMs! + jitter)
+      )
+    }
   }
 
   /**
-   * Check if there's an injected error for this path and consume it.
-   * Returns the error config if one should be returned, null otherwise.
+   * Apply body modifications from stored fault (truncation, corruption).
+   * Returns modified body, or original if no modifications needed.
    */
-  private consumeInjectedError(path: string): InjectedError | null {
-    const error = this.injectedErrors.get(path)
-    if (!error) return null
+  private applyFaultBodyModification(
+    res: ServerResponse,
+    body: Uint8Array
+  ): Uint8Array {
+    const fault = (res as ServerResponse & { _injectedFault?: InjectedFault })
+      ._injectedFault
+    if (!fault) return body
+
+    let modified = body
 
-    error.count--
-    if (error.count <= 0) {
-      this.injectedErrors.delete(path)
+    // Truncate body if configured
+    if (
+      fault.truncateBodyBytes !== undefined &&
+      modified.length > fault.truncateBodyBytes
+    ) {
+      modified = modified.slice(0, fault.truncateBodyBytes)
+    }
+
+    // Corrupt body if configured (flip random bits)
+    if (fault.corruptBody && modified.length > 0) {
+      modified = new Uint8Array(modified) // Make a copy to avoid mutating original
+      // Flip 1-5% of bytes
+      const numCorrupt = Math.max(1, Math.floor(modified.length * 0.03))
+      for (let i = 0; i < numCorrupt; i++) {
+        const pos = Math.floor(Math.random() * modified.length)
+        modified[pos] = modified[pos]! ^ (1 << Math.floor(Math.random() * 8))
+      }
     }
 
-    return error
+    return modified
   }
 
   // ============================================================================
@@ -313,6 +405,10 @@ export class DurableStreamTestServer {
       `Stream-Next-Offset, Stream-Cursor, Stream-Up-To-Date, etag, content-type, content-encoding, vary`
     )
 
+    // Browser security headers (Protocol Section 10.7)
+    res.setHeader(`x-content-type-options`, `nosniff`)
+    res.setHeader(`cross-origin-resource-policy`, `cross-origin`)
+
     // Handle CORS preflight
     if (method === `OPTIONS`) {
       res.writeHead(204)
@@ -326,18 +422,37 @@ export class DurableStreamTestServer {
       return
     }
 
-    // Check for injected errors (for testing retry/resilience)
-    const injectedError = this.consumeInjectedError(path)
-    if (injectedError) {
-      const headers: Record<string, string> = {
-        "content-type": `text/plain`,
+    // Check for injected faults (for testing retry/resilience)
+    const fault = this.consumeInjectedFault(path, method ?? `GET`)
+    if (fault) {
+      // Apply delay if configured
+      await this.applyFaultDelay(fault)
+
+      // Drop connection if configured (simulates network failure)
+      if (fault.dropConnection) {
+        res.socket?.destroy()
+        return
+      }
+
+      // If status is set, return an error response
+      if (fault.status !== undefined) {
+        const headers: Record<string, string> = {
+          "content-type": `text/plain`,
+        }
+        if (fault.retryAfter !== undefined) {
+          headers[`retry-after`] = fault.retryAfter.toString()
+        }
+        res.writeHead(fault.status, headers)
+        res.end(`Injected error for testing`)
+        return
       }
-      if (injectedError.retryAfter !== undefined) {
-        headers[`retry-after`] = injectedError.retryAfter.toString()
+
+      // Store fault for response modification (truncation, corruption)
+      if (fault.truncateBodyBytes !== undefined || fault.corruptBody) {
+        ;(
+          res as ServerResponse & { _injectedFault?: InjectedFault }
+        )._injectedFault = fault
       }
-      res.writeHead(injectedError.status, headers)
-      res.end(`Injected error for testing`)
-      return
     }
 
     try {
@@ -511,6 +626,8 @@ export class DurableStreamTestServer {
 
     const headers: Record<string, string> = {
       [STREAM_OFFSET_HEADER]: stream.currentOffset,
+      // HEAD responses should not be cached to avoid stale tail offsets (Protocol Section 5.4)
+      "cache-control": `no-store`,
     }
 
     if (stream.contentType) {
@@ -680,6 +797,9 @@ export class DurableStreamTestServer {
       }
     }
 
+    // Apply fault body modifications (truncation, corruption) if configured
+    finalData = this.applyFaultBodyModification(res, finalData)
+
     res.writeHead(200, headers)
     res.end(Buffer.from(finalData))
   }
@@ -697,12 +817,14 @@ export class DurableStreamTestServer {
     // Track this SSE connection
     this.activeSSEResponses.add(res)
 
-    // Set SSE headers
+    // Set SSE headers (explicitly including security headers for clarity)
     res.writeHead(200, {
       "content-type": `text/event-stream`,
       "cache-control": `no-cache`,
       connection: `keep-alive`,
       "access-control-allow-origin": `*`,
+      "x-content-type-options": `nosniff`,
+      "cross-origin-resource-policy": `cross-origin`,
     })
 
     let currentOffset = initialOffset
@@ -841,7 +963,7 @@ export class DurableStreamTestServer {
       this.store.append(path, body, { seq, contentType })
     )
 
-    res.writeHead(200, {
+    res.writeHead(204, {
       [STREAM_OFFSET_HEADER]: message!.offset,
     })
     res.end()
@@ -889,23 +1011,53 @@ export class DurableStreamTestServer {
       try {
         const config = JSON.parse(new TextDecoder().decode(body)) as {
           path: string
-          status: number
+          // Legacy fields (still supported)
+          status?: number
           count?: number
           retryAfter?: number
+          // New fault injection fields
+          delayMs?: number
+          dropConnection?: boolean
+          truncateBodyBytes?: number
+          probability?: number
+          method?: string
+          corruptBody?: boolean
+          jitterMs?: number
         }
 
-        if (!config.path || !config.status) {
+        if (!config.path) {
           res.writeHead(400, { "content-type": `text/plain` })
-          res.end(`Missing required fields: path, status`)
+          res.end(`Missing required field: path`)
           return
         }
 
-        this.injectError(
-          config.path,
-          config.status,
-          config.count ?? 1,
-          config.retryAfter
-        )
+        // Must have at least one fault type specified
+        const hasFaultType =
+          config.status !== undefined ||
+          config.delayMs !== undefined ||
+          config.dropConnection ||
+          config.truncateBodyBytes !== undefined ||
+          config.corruptBody
+        if (!hasFaultType) {
+          res.writeHead(400, { "content-type": `text/plain` })
+          res.end(
+            `Must specify at least one fault type: status, delayMs, dropConnection, truncateBodyBytes, or corruptBody`
+          )
+          return
+        }
+
+        this.injectFault(config.path, {
+          status: config.status,
+          count: config.count ?? 1,
+          retryAfter: config.retryAfter,
+          delayMs: config.delayMs,
+          dropConnection: config.dropConnection,
+          truncateBodyBytes: config.truncateBodyBytes,
+          probability: config.probability,
+          method: config.method,
+          corruptBody: config.corruptBody,
+          jitterMs: config.jitterMs,
+        })
 
         res.writeHead(200, { "content-type": `application/json` })
         res.end(JSON.stringify({ ok: true }))
@@ -914,7 +1066,7 @@ export class DurableStreamTestServer {
         res.end(`Invalid JSON body`)
       }
     } else if (method === `DELETE`) {
-      this.clearInjectedErrors()
+      this.clearInjectedFaults()
       res.writeHead(200, { "content-type": `application/json` })
       res.end(JSON.stringify({ ok: true }))
     } else {