@edge-base/server 0.1.5 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@edge-base/server",
-  "version": "0.1.5",
+  "version": "0.2.1",
   "description": "EdgeBase runtime assets consumed by the EdgeBase CLI",
   "license": "MIT",
   "repository": {
@@ -34,7 +34,7 @@
     "jose": "^6.0.0",
     "pg": "^8.16.3",
     "zod": "^4.3.6",
-    "@edge-base/shared": "0.1.5"
+    "@edge-base/shared": "0.2.1"
   },
   "devDependencies": {
     "@cloudflare/vitest-pool-workers": "^0.8.71",

package/src/__tests__/functions-route.test.ts

@@ -1,4 +1,5 @@
 import { afterEach, describe, expect, it } from 'vitest';
+import type { FunctionDefinition } from '@edge-base/shared';
 import { OpenAPIHono } from '../lib/hono.js';
 import { setConfig } from '../lib/do-router.js';
 import {
@@ -73,6 +74,29 @@ function createExecutionContext(): ExecutionContext {
   } as unknown as ExecutionContext;
 }
 
+function httpFunction(
+  method: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE',
+  handler: (ctx: Record<string, any>) => Promise<unknown> | unknown,
+  path?: string,
+): FunctionDefinition {
+  return {
+    trigger: {
+      type: 'http' as const,
+      method,
+      ...(path ? { path } : {}),
+    },
+    handler: async (ctx: unknown) => handler(ctx as Record<string, any>),
+  };
+}
+
+async function invokeFunction(path: string, method = 'GET') {
+  return createApp().fetch(
+    new Request(`http://localhost/api/functions/${path}`, { method }),
+    createEnv(),
+    createExecutionContext(),
+  );
+}
+
 afterEach(() => {
   clearFunctionRegistry();
   clearMiddlewareRegistry();
@@ -137,3 +161,132 @@ describe('functionsRoute FunctionError compatibility', () => {
     });
   });
 });
+
+describe('functionsRoute HTTP contracts', () => {
+  it('serializes plain objects as JSON responses', async () => {
+    registerFunction('reports/summary', httpFunction('GET', async () => ({
+      ok: true,
+      total: 3,
+    })));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('reports/summary');
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toContain('application/json');
+    await expect(response.json()).resolves.toEqual({ ok: true, total: 3 });
+  });
+
+  it('returns text/plain when handler returns a string', async () => {
+    registerFunction('health', httpFunction('GET', async () => 'healthy'));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('health');
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toContain('text/plain');
+    await expect(response.text()).resolves.toBe('healthy');
+  });
+
+  it('returns 204 when handler returns null', async () => {
+    registerFunction('empty', httpFunction('POST', async () => null));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('empty', 'POST');
+
+    expect(response.status).toBe(204);
+    await expect(response.text()).resolves.toBe('');
+  });
+
+  it('passes through native Response objects untouched', async () => {
+    registerFunction('created', httpFunction('POST', async () => (
+      new Response('created-body', {
+        status: 201,
+        headers: { 'content-type': 'text/plain', 'x-fn': 'direct-response' },
+      })
+    )));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('created', 'POST');
+
+    expect(response.status).toBe(201);
+    expect(response.headers.get('x-fn')).toBe('direct-response');
+    await expect(response.text()).resolves.toBe('created-body');
+  });
+
+  it('executes directory middleware before the handler', async () => {
+    const executionOrder: string[] = [];
+    registerMiddleware('secure', async () => {
+      executionOrder.push('middleware');
+    });
+    registerFunction('secure/audit', httpFunction('GET', async () => {
+      executionOrder.push('handler');
+      return { executionOrder };
+    }));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('secure/audit');
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      executionOrder: ['middleware', 'handler'],
+    });
+  });
+
+  it('supports custom trigger.path params and preserves query strings', async () => {
+    registerFunction(
+      'shortlink/resolve',
+      httpFunction(
+        'GET',
+        async (ctx) => {
+          const requestUrl = new URL(ctx.request.url);
+          return {
+            code: ctx.params.code,
+            target: requestUrl.searchParams.get('target'),
+          };
+        },
+        '/s/:code',
+      ),
+    );
+    rebuildCompiledRoutes();
+
+    const response = await createApp().fetch(
+      new Request('http://localhost/api/functions/s/abc123?target=docs', { method: 'GET' }),
+      createEnv(),
+      createExecutionContext(),
+    );
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      code: 'abc123',
+      target: 'docs',
+    });
+  });
+
+  it('supports catch-all params at execution time', async () => {
+    registerFunction('docs/[...slug]', httpFunction('GET', async (ctx) => ({
+      slug: ctx.params.slug,
+    })));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('docs/guides/getting-started/install');
+
+    expect(response.status).toBe(200);
+    await expect(response.json()).resolves.toEqual({
+      slug: 'guides/getting-started/install',
+    });
+  });
+
+  it('returns 405 with structured JSON when method does not match', async () => {
+    registerFunction('users', httpFunction('GET', async () => ({ ok: true })));
+    rebuildCompiledRoutes();
+
+    const response = await invokeFunction('users', 'POST');
+
+    expect(response.status).toBe(405);
+    await expect(response.json()).resolves.toEqual({
+      code: 405,
+      message: "Method POST not allowed for 'users'.",
+    });
+  });
+});

package/src/__tests__/internal-request.test.ts

@@ -21,16 +21,16 @@ function makeContext(
 }
 
 describe('internal request helpers', () => {
-  it('isTrustedInternalRequestUrl only trusts worker-internal hosts', () => {
-    expect(isTrustedInternalRequestUrl('http://internal/api/db/shared')).toBe(true);
-    expect(isTrustedInternalRequestUrl('http://do/internal/functions/reindex')).toBe(true);
+  it('isTrustedInternalRequestUrl never trusts hostnames', () => {
+    expect(isTrustedInternalRequestUrl('http://internal/api/db/shared')).toBe(false);
+    expect(isTrustedInternalRequestUrl('http://do/internal/functions/reindex')).toBe(false);
     expect(isTrustedInternalRequestUrl('http://localhost:8787/api/db/shared')).toBe(false);
     expect(isTrustedInternalRequestUrl('not-a-url')).toBe(false);
   });
 
-  it('isTrustedInternalContext accepts explicit internal flags or trusted internal hosts', () => {
+  it('isTrustedInternalContext only accepts explicit internal flags', () => {
     expect(isTrustedInternalContext(makeContext('http://localhost/api/db/shared', true))).toBe(true);
-    expect(isTrustedInternalContext(makeContext('http://do/api/db/shared'))).toBe(true);
+    expect(isTrustedInternalContext(makeContext('http://do/api/db/shared'))).toBe(false);
     expect(isTrustedInternalContext(makeContext('http://example.com/api/db/shared'))).toBe(false);
   });
 

package/src/__tests__/meta-export-coverage.test.ts

@@ -9,10 +9,11 @@
  */
 import { readFileSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 
-const LIB_DIR = resolve(new URL('../lib', import.meta.url).pathname);
-const TEST_DIR = resolve(new URL('.', import.meta.url).pathname);
+const LIB_DIR = resolve(fileURLToPath(new URL('../lib', import.meta.url)));
+const TEST_DIR = resolve(fileURLToPath(new URL('.', import.meta.url)));
 
 // ─── Lib files that do NOT yet have dedicated tests ─────────────────────────
 // Remove entries as tests are added — each removal is a net win.

package/src/__tests__/meta-route-registration.test.ts

@@ -6,14 +6,15 @@
  */
 import { readFileSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 
 describe('index.ts route registration completeness', () => {
   const source = readFileSync(
-    new URL('../index.ts', import.meta.url),
+    fileURLToPath(new URL('../index.ts', import.meta.url)),
     'utf-8',
   );
-  const routesDir = resolve(new URL('../routes', import.meta.url).pathname);
+  const routesDir = resolve(fileURLToPath(new URL('../routes', import.meta.url)));
   const EXPECTED_ROUTES = readdirSync(routesDir)
     .filter((fileName) => fileName.endsWith('.ts'))
     .sort()

package/src/__tests__/openapi-coverage.test.ts

@@ -12,10 +12,11 @@
  */
 import { readFileSync, readdirSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 import { normalizeOpenApiDocument, type OpenApiSpec } from '../lib/openapi.js';
 
-const ROUTES_DIR = resolve(new URL('../routes', import.meta.url).pathname);
+const ROUTES_DIR = resolve(fileURLToPath(new URL('../routes', import.meta.url)));
 
 // ─── Intentionally non-OpenAPI route registrations ───────────────────────────
 // Format: "filename.ts:<line-content-substring>"
@@ -118,6 +119,7 @@ describe('OpenAPI route coverage', () => {
         '/admin/api/setup': { get: {} },
         '/admin/api/data/users': { get: {} },
         '/api/room/media/realtime/session': { post: {} },
+        '/api/room/media/cloudflare_realtimekit/session': { post: {} },
       },
     };
 
@@ -134,6 +136,8 @@ describe('OpenAPI route coverage', () => {
       .toEqual([{ userBearerAuth: [] }]);
     expect((normalized.paths?.['/api/room/media/realtime/session'] as Record<string, { security?: unknown }>).post.security)
       .toEqual([{ userBearerAuth: [] }]);
+    expect((normalized.paths?.['/api/room/media/cloudflare_realtimekit/session'] as Record<string, { security?: unknown }>).post.security)
+      .toEqual([{ userBearerAuth: [] }]);
     expect((normalized.paths?.['/api/sql'] as Record<string, { security?: unknown }>).post.security)
       .toEqual([{ serviceKeyAuth: [] }]);
     expect((normalized.paths?.['/admin/api/setup'] as Record<string, { security?: unknown }>).get.security)

package/src/__tests__/pagination.test.ts

@@ -10,7 +10,7 @@ import { parsePagination } from '../lib/pagination.js';
 describe('parsePagination', () => {
   // ── Defaults ──
   it('returns defaults when no params provided', () => {
-    expect(parsePagination(undefined, undefined)).toEqual({ limit: 20, offset: 0 });
+    expect(parsePagination(undefined, undefined)).toEqual({ limit: 100, offset: 0 });
   });
 
   // ── Valid values ──
@@ -23,21 +23,25 @@ describe('parsePagination', () => {
   });
 
   // ── Limit clamping ──
-  it('clamps limit to 100', () => {
-    expect(parsePagination('999', '0')).toEqual({ limit: 100, offset: 0 });
+  it('clamps limit to 1000', () => {
+    expect(parsePagination('9999', '0')).toEqual({ limit: 1000, offset: 0 });
+  });
+
+  it('accepts limit within range (500)', () => {
+    expect(parsePagination('500', '0')).toEqual({ limit: 500, offset: 0 });
   });
 
   it('rejects limit=0 (falls back to default)', () => {
-    expect(parsePagination('0', '0')).toEqual({ limit: 20, offset: 0 });
+    expect(parsePagination('0', '0')).toEqual({ limit: 100, offset: 0 });
   });
 
   // ── REGRESSION: negative and NaN values ──
   it('rejects negative limit', () => {
-    expect(parsePagination('-5', '0')).toEqual({ limit: 20, offset: 0 });
+    expect(parsePagination('-5', '0')).toEqual({ limit: 100, offset: 0 });
   });
 
   it('rejects NaN limit', () => {
-    expect(parsePagination('abc', '0')).toEqual({ limit: 20, offset: 0 });
+    expect(parsePagination('abc', '0')).toEqual({ limit: 100, offset: 0 });
   });
 
   it('rejects negative offset', () => {
@@ -49,11 +53,11 @@ describe('parsePagination', () => {
   });
 
   it('rejects Infinity limit', () => {
-    expect(parsePagination('Infinity', '0')).toEqual({ limit: 20, offset: 0 });
+    expect(parsePagination('Infinity', '0')).toEqual({ limit: 100, offset: 0 });
   });
 
   // ── Empty string (same as undefined) ──
   it('treats empty strings as defaults', () => {
-    expect(parsePagination('', '')).toEqual({ limit: 20, offset: 0 });
+    expect(parsePagination('', '')).toEqual({ limit: 100, offset: 0 });
   });
 });

package/src/__tests__/postgres-dialect.test.ts

@@ -43,7 +43,7 @@ describe('PostgreSQL dialect — bind params', () => {
     const { sql, params } = buildListQuery('products', {}, 'postgres');
     expect(sql).toContain('LIMIT $1');
     expect(sql).not.toContain('?');
-    expect(params).toEqual([20]);
+    expect(params).toEqual([100]);
   });
 
   it('buildListQuery with offset → $1 OFFSET $2', () => {
@@ -71,7 +71,7 @@ describe('PostgreSQL dialect — bind params', () => {
     expect(sql).toContain('"status" = $1');
     expect(sql).toContain('"price" > $2');
     expect(sql).toContain('LIMIT $3');
-    expect(params).toEqual(['active', 100, 20]);
+    expect(params).toEqual(['active', 100, 100]);
   });
 
   it('buildListQuery cursor after → $1 for cursor, $2 for limit', () => {

package/src/__tests__/query.test.ts

@@ -79,10 +79,10 @@ describe('buildListQuery — no filters', () => {
     expect(sql).toContain('LIMIT');
   });
 
-  it('default limit is 20', () => {
+  it('default limit is 100', () => {
     const { params } = buildListQuery('posts', {});
-    // params should contain 20 as default limit
-    expect(params).toContain(20);
+    // params should contain 100 as default limit
+    expect(params).toContain(100);
   });
 
   it('generates countSql for non-cursor pagination', () => {
@@ -313,9 +313,9 @@ describe('buildSearchQuery', () => {
     expect(sql).toContain('"posts_fts"');
   });
 
-  it('default limit 20, offset 0', () => {
+  it('default limit 100, offset 0', () => {
     const { params } = buildSearchQuery('posts', 'q');
-    expect(params[1]).toBe(20);
+    expect(params[1]).toBe(100);
     expect(params[2]).toBeUndefined();
   });
 
@@ -560,7 +560,7 @@ describe('3-way sync: QUERY_PARAM_KEYS ↔ Zod queryParamsSchema', () => {
 describe('buildListQuery — exact params verification', () => {
   it('no filters → params contains only default limit', () => {
     const { params } = buildListQuery('t', {});
-    expect(params).toEqual([20]);
+    expect(params).toEqual([100]);
   });
 
   it('no filters → countParams is empty array', () => {
@@ -722,7 +722,7 @@ describe('buildSubstringSearchQuery', () => {
     const { sql, params } = buildSubstringSearchQuery('posts', '준규', { fields: ['title', 'content'] });
     expect(sql).toContain('instr(lower(CAST("title" AS TEXT)), lower(?)) > 0');
     expect(sql).toContain('instr(lower(CAST("content" AS TEXT)), lower(?)) > 0');
-    expect(params).toEqual(['준규', '준규', 20]);
+    expect(params).toEqual(['준규', '준규', 100]);
   });
 
   it('passes the raw term through the SQLite instr() fallback', () => {

package/src/__tests__/rate-limit.test.ts

@@ -11,7 +11,6 @@ import {
   getLimit,
   parseWindow,
   FixedWindowCounter,
-  RATE_LIMIT_DEFAULTS,
   RATE_LIMIT_DEV_DEFAULTS,
   rateLimitMiddleware,
 } from '../middleware/rate-limit.js';

package/src/__tests__/room-handler-context.test.ts

@@ -127,4 +127,35 @@ describe('RoomsDO handler context', () => {
       }),
     );
   });
+
+  it('returns 409 when creating a Cloudflare RealtimeKit session while media is already published', async () => {
+    const { RoomsDO } = await import('../durable-objects/rooms-do.js');
+
+    const room: any = Object.create(RoomsDO.prototype);
+    room.readJsonBody = vi.fn().mockResolvedValue({ connectionId: 'conn-1' });
+    room.authenticateRealtimeRequest = vi.fn().mockResolvedValue({
+      memberId: 'member-1',
+      connectionId: 'conn-1',
+      meta: {
+        authenticated: true,
+        connectionId: 'conn-1',
+      },
+    });
+    room.hasPublishedTracks = vi.fn().mockReturnValue(true);
+
+    const response = await room.handleCloudflareRealtimeKitSessionCreate(
+      new Request('http://do/media/cloudflare_realtimekit/session?room=game::room-1', {
+        method: 'POST',
+        body: JSON.stringify({ connectionId: 'conn-1' }),
+        headers: { 'Content-Type': 'application/json' },
+      }),
+      new URL('http://do/media/cloudflare_realtimekit/session?room=game::room-1'),
+    );
+
+    expect(response.status).toBe(409);
+    await expect(response.json()).resolves.toEqual({
+      code: 409,
+      message: 'Unpublish existing room media before creating a new Cloudflare RealtimeKit session',
+    });
+  });
 });

package/src/__tests__/room-runtime-routing.test.ts

@@ -219,4 +219,52 @@ describe('room route runtime routing', () => {
     expect(doFetch).toHaveBeenCalledTimes(1);
     expect(new URL((doFetch.mock.calls[0][0] as Request).url).searchParams.get('room')).toBe('game::room-1');
   });
+
+  it('routes room cloudflare realtimekit session requests to the rooms runtime', async () => {
+    setConfig(defineConfig({
+      rooms: {
+        game: {
+          runtime: {
+            target: 'rooms',
+          },
+        },
+      },
+    }));
+
+    const doFetch = vi.fn(async (request: Request) => new Response(JSON.stringify({
+      runtime: 'rooms',
+      path: new URL(request.url).pathname,
+      auth: request.headers.get('Authorization'),
+      body: await request.clone().json(),
+    }), {
+      headers: { 'Content-Type': 'application/json' },
+      status: 201,
+    }));
+
+    const env = createRoomRuntimeEnv();
+    env.ROOMS = {
+      idFromName: (name: string) => name as unknown as DurableObjectId,
+      get: () => ({ fetch: doFetch }),
+    } as unknown as DurableObjectNamespace;
+
+    const app = createAuthedRoomApp();
+    const response = await app.request('/api/room/media/cloudflare_realtimekit/session?namespace=game&id=room-1', {
+      method: 'POST',
+      headers: {
+        Authorization: 'Bearer room-token',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ connectionId: 'conn-1' }),
+    }, env);
+
+    expect(response.status).toBe(201);
+    await expect(response.json()).resolves.toMatchObject({
+      runtime: 'rooms',
+      path: '/media/cloudflare_realtimekit/session',
+      auth: 'Bearer room-token',
+      body: { connectionId: 'conn-1' },
+    });
+    expect(doFetch).toHaveBeenCalledTimes(1);
+    expect(new URL((doFetch.mock.calls[0][0] as Request).url).searchParams.get('room')).toBe('game::room-1');
+  });
 });

package/src/__tests__/runtime-surface-accounting.test.ts

@@ -7,10 +7,11 @@
  * indirectly covered.
  */
 import { readFileSync, readdirSync } from 'fs';
-import { resolve } from 'path';
+import { basename, relative, resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, expect, it } from 'vitest';
 
-const SRC_ROOT = resolve(new URL('..', import.meta.url).pathname);
+const SRC_ROOT = resolve(fileURLToPath(new URL('..', import.meta.url)));
 const PACKAGE_ROOT = resolve(SRC_ROOT, '..');
 const RUNTIME_DIRS = [
   resolve(SRC_ROOT, 'routes'),
@@ -21,7 +22,7 @@ const TEST_DIRS = [
   resolve(SRC_ROOT, '__tests__'),
   resolve(PACKAGE_ROOT, 'test/integration'),
 ];
-const THIS_TEST_PATH = resolve(new URL(import.meta.url).pathname);
+const THIS_TEST_PATH = resolve(fileURLToPath(import.meta.url));
 
 // Files below are exercised indirectly, but the test sources do not mention the
 // exact filename/stem yet. Tracking them here keeps the gap reviewable.
@@ -60,7 +61,7 @@ function collectFiles(dir: string, predicate: (path: string) => boolean): string
 function toRuntimeKey(absPath: string): string {
   for (const dir of RUNTIME_DIRS) {
     if (absPath.startsWith(dir)) {
-      return absPath.slice(dir.length + 1).replace(/^/, `${dir.split('/').at(-1)}/`);
+      return `${basename(dir)}/${relative(dir, absPath).replace(/\\/g, '/')}`;
     }
   }
   throw new Error(`Unexpected runtime path: ${absPath}`);

package/src/__tests__/smoke-skip-report.test.ts

@@ -1,5 +1,6 @@
 import { readFileSync } from 'fs';
 import { resolve } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, expect, it } from 'vitest';
 
 interface SmokeSkipEntry {
@@ -18,7 +19,7 @@ interface SmokeSkipReport {
 }
 
 const REPORT_PATH = resolve(
-  new URL('../../test/integration/generated/smoke-skip-report.json', import.meta.url).pathname,
+  fileURLToPath(new URL('../../test/integration/generated/smoke-skip-report.json', import.meta.url)),
 );
 
 function readReport(): SmokeSkipReport {
@@ -37,7 +38,7 @@ describe('smoke skip report', () => {
       {
         "skippedRouteCount": 0,
         "summaryByReason": {},
-        "totalRoutes": 192,
+        "totalRoutes": 197,
       }
     `);
   });

package/src/durable-objects/database-do.ts

@@ -48,7 +48,7 @@ import {
   type FilterTuple,
 } from '../lib/query-engine.js';
 import { summarizeValidationErrors, validateInsert, validateUpdate } from '../lib/validation.js';
-import { hookRejectedError, validationError, notFoundError } from '../lib/errors.js';
+import { hookRejectedError, validationError, notFoundError, normalizeDatabaseError } from '../lib/errors.js';
 import {
   executeDbTriggers,
   getRegisteredFunctions,
@@ -470,7 +470,7 @@ export class DatabaseDO extends DurableObject<DOEnv> {
       if (countSql && countParams) {
         const countResult = [...this.sql(countSql, ...countParams)];
         const total = (countResult[0]?.total as number) ?? 0;
-        const perPage = options.pagination?.perPage ?? options.pagination?.limit ?? 20;
+        const perPage = options.pagination?.perPage ?? options.pagination?.limit ?? 100;
         response.total = total;
         response.page = options.pagination?.page ?? 1;
         response.perPage = perPage;
@@ -478,7 +478,7 @@ export class DatabaseDO extends DurableObject<DOEnv> {
 
       // Cursor pagination: always include cursor and hasMore when items exist
       // so clients can start cursor-based pagination from any page (including the first)
-      const limit = options.pagination?.limit ?? options.pagination?.perPage ?? 20;
+      const limit = options.pagination?.limit ?? options.pagination?.perPage ?? 100;
       const hasMore = normalizedRows.length === limit;
       response.hasMore = hasMore;
       if (normalizedRows.length > 0) {
@@ -516,7 +516,7 @@ export class DatabaseDO extends DurableObject<DOEnv> {
         return c.json({ items: [] });
       }
 
-      const limit = options.pagination?.limit ?? options.pagination?.perPage ?? 20;
+      const limit = options.pagination?.limit ?? options.pagination?.perPage ?? 100;
       const offset = options.pagination?.offset ?? ((options.pagination?.page ?? 1) - 1) * limit;
 
       const tableConfig = this.getTableConfig(name);
@@ -1936,6 +1936,11 @@ export class DatabaseDO extends DurableObject<DOEnv> {
         const e = err as { code: number; message: string; data?: unknown };
         return c.json({ code: e.code, message: e.message, data: e.data }, e.code as 200);
       }
+      // Normalize well-known database errors (e.g. UNIQUE constraint violations → 409)
+      const normalizedDbError = normalizeDatabaseError(err);
+      if (normalizedDbError) {
+        return c.json(normalizedDbError.toJSON(), normalizedDbError.code as 400);
+      }
       console.error('DatabaseDO Error:', err);
       return c.json({ code: 500, message: 'Internal server error.' }, 500);
     });