@femtomc/mu-server 26.2.69 → 26.2.71

package/README.md

@@ -103,7 +103,8 @@ Bun.serve(server);
 ### Issues
 
 - `GET /api/issues` - List issues
-  - Query params: `?status=open&tag=bug`
+  - Query params: `?status=open&tag=bug&contains=crash&limit=50`
+  - `limit` defaults to `200` and is clamped to `<= 200`.
 - `GET /api/issues/:id` - Get issue by ID
 - `POST /api/issues` - Create new issue
   ```json
@@ -123,14 +124,17 @@ Bun.serve(server);
   ```
 - `POST /api/issues/:id/claim` - Claim issue (changes status to in_progress)
 - `GET /api/issues/ready` - Get ready issues
-  - Query param: `?root=issue-id`
+  - Query params: `?root=issue-id&contains=worker&limit=20`
+  - `limit` defaults to `200` and is clamped to `<= 200`.
 
 ### Forum
 
 - `GET /api/forum/topics` - List forum topics
-  - Query param: `?prefix=issue:`
+  - Query params: `?prefix=issue:&limit=20`
+  - `limit` defaults to `100` and is clamped to `<= 200`.
 - `GET /api/forum/read` - Read messages from topic
   - Query params: `?topic=issue:123&limit=50`
+  - `limit` defaults to `50` and is clamped to `<= 200`.
 - `POST /api/forum/post` - Post message to topic
   ```json
   {

package/dist/api/activities.d.ts

@@ -0,0 +1,2 @@
+import type { ServerRoutingDependencies } from "../server_routing.js";
+export declare function activityRoutes(request: Request, url: URL, deps: ServerRoutingDependencies, headers: Headers): Promise<Response>;

package/dist/api/activities.js

@@ -0,0 +1,160 @@
+export async function activityRoutes(request, url, deps, headers) {
+    const path = url.pathname;
+    if (path === "/api/activities") {
+        if (request.method !== "GET") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        const statusRaw = url.searchParams.get("status")?.trim().toLowerCase();
+        const status = statusRaw === "running" || statusRaw === "completed" || statusRaw === "failed" || statusRaw === "cancelled"
+            ? statusRaw
+            : undefined;
+        const kind = url.searchParams.get("kind")?.trim() || undefined;
+        const limitRaw = url.searchParams.get("limit");
+        const limit = limitRaw && /^\d+$/.test(limitRaw) ? Math.max(1, Math.min(500, Number.parseInt(limitRaw, 10))) : undefined;
+        const activities = deps.activitySupervisor.list({ status, kind, limit });
+        return Response.json({ count: activities.length, activities }, { headers });
+    }
+    if (path === "/api/activities/start") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const title = typeof body.title === "string" ? body.title.trim() : "";
+        if (!title) {
+            return Response.json({ error: "title is required" }, { status: 400, headers });
+        }
+        const kind = typeof body.kind === "string" ? body.kind.trim() : undefined;
+        const heartbeatEveryMs = typeof body.heartbeat_every_ms === "number" && Number.isFinite(body.heartbeat_every_ms)
+            ? Math.max(0, Math.trunc(body.heartbeat_every_ms))
+            : undefined;
+        const source = body.source === "api" || body.source === "command" || body.source === "system" ? body.source : "api";
+        try {
+            const activity = deps.activitySupervisor.start({
+                title,
+                kind,
+                heartbeatEveryMs,
+                metadata: body.metadata ?? undefined,
+                source,
+            });
+            return Response.json({ ok: true, activity }, { status: 201, headers });
+        }
+        catch (err) {
+            return Response.json({ error: deps.describeError(err) }, { status: 400, headers });
+        }
+    }
+    if (path === "/api/activities/progress") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const result = deps.activitySupervisor.progress({
+            activityId: typeof body.activity_id === "string" ? body.activity_id : null,
+            message: typeof body.message === "string" ? body.message : null,
+        });
+        if (result.ok) {
+            return Response.json(result, { headers });
+        }
+        if (result.reason === "missing_target") {
+            return Response.json(result, { status: 400, headers });
+        }
+        if (result.reason === "not_running") {
+            return Response.json(result, { status: 409, headers });
+        }
+        return Response.json(result, { status: 404, headers });
+    }
+    if (path === "/api/activities/heartbeat") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const result = deps.activitySupervisor.heartbeat({
+            activityId: typeof body.activity_id === "string" ? body.activity_id : null,
+            reason: typeof body.reason === "string" ? body.reason : null,
+        });
+        if (result.ok) {
+            return Response.json(result, { headers });
+        }
+        if (result.reason === "missing_target") {
+            return Response.json(result, { status: 400, headers });
+        }
+        if (result.reason === "not_running") {
+            return Response.json(result, { status: 409, headers });
+        }
+        return Response.json(result, { status: 404, headers });
+    }
+    if (path === "/api/activities/complete" || path === "/api/activities/fail" || path === "/api/activities/cancel") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const activityId = typeof body.activity_id === "string" ? body.activity_id : null;
+        const message = typeof body.message === "string" ? body.message : null;
+        const result = path === "/api/activities/complete"
+            ? deps.activitySupervisor.complete({ activityId, message })
+            : path === "/api/activities/fail"
+                ? deps.activitySupervisor.fail({ activityId, message })
+                : deps.activitySupervisor.cancel({ activityId, message });
+        if (result.ok) {
+            return Response.json(result, { headers });
+        }
+        if (result.reason === "missing_target") {
+            return Response.json(result, { status: 400, headers });
+        }
+        if (result.reason === "not_running") {
+            return Response.json(result, { status: 409, headers });
+        }
+        return Response.json(result, { status: 404, headers });
+    }
+    if (path.startsWith("/api/activities/")) {
+        if (request.method !== "GET") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        const rest = path.slice("/api/activities/".length);
+        const [rawId, maybeSub] = rest.split("/");
+        const activityId = decodeURIComponent(rawId ?? "").trim();
+        if (activityId.length === 0) {
+            return Response.json({ error: "missing activity id" }, { status: 400, headers });
+        }
+        if (maybeSub === "events") {
+            const limitRaw = url.searchParams.get("limit");
+            const limit = limitRaw && /^\d+$/.test(limitRaw)
+                ? Math.max(1, Math.min(2_000, Number.parseInt(limitRaw, 10)))
+                : undefined;
+            const events = deps.activitySupervisor.events(activityId, { limit });
+            if (!events) {
+                return Response.json({ error: "activity not found" }, { status: 404, headers });
+            }
+            return Response.json({ count: events.length, events }, { headers });
+        }
+        const activity = deps.activitySupervisor.get(activityId);
+        if (!activity) {
+            return Response.json({ error: "activity not found" }, { status: 404, headers });
+        }
+        return Response.json(activity, { headers });
+    }
+    return Response.json({ error: "Not Found" }, { status: 404, headers });
+}

package/dist/api/config.d.ts

@@ -0,0 +1,2 @@
+import type { ServerRoutingDependencies } from "../server_routing.js";
+export declare function configRoutes(request: Request, _url: URL, deps: ServerRoutingDependencies, headers: Headers): Promise<Response>;

package/dist/api/config.js

@@ -0,0 +1,45 @@
+import { applyMuConfigPatch, getMuConfigPath, muConfigPresence, redactMuConfigSecrets, } from "../config.js";
+export async function configRoutes(request, _url, deps, headers) {
+    if (request.method === "GET") {
+        try {
+            const config = await deps.loadConfigFromDisk();
+            return Response.json({
+                repo_root: deps.context.repoRoot,
+                config_path: getMuConfigPath(deps.context.repoRoot),
+                config: redactMuConfigSecrets(config),
+                presence: muConfigPresence(config),
+            }, { headers });
+        }
+        catch (err) {
+            return Response.json({ error: `failed to read config: ${deps.describeError(err)}` }, { status: 500, headers });
+        }
+    }
+    if (request.method === "POST") {
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        if (!body || !("patch" in body)) {
+            return Response.json({ error: "missing patch payload" }, { status: 400, headers });
+        }
+        try {
+            const base = await deps.loadConfigFromDisk();
+            const next = applyMuConfigPatch(base, body.patch);
+            const configPath = await deps.writeConfig(deps.context.repoRoot, next);
+            return Response.json({
+                ok: true,
+                repo_root: deps.context.repoRoot,
+                config_path: configPath,
+                config: redactMuConfigSecrets(next),
+                presence: muConfigPresence(next),
+            }, { headers });
+        }
+        catch (err) {
+            return Response.json({ error: `failed to write config: ${deps.describeError(err)}` }, { status: 500, headers });
+        }
+    }
+    return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+}

package/dist/api/control_plane.d.ts

@@ -0,0 +1,2 @@
+import type { ServerRoutingDependencies } from "../server_routing.js";
+export declare function controlPlaneRoutes(request: Request, url: URL, deps: ServerRoutingDependencies, headers: Headers): Promise<Response>;

package/dist/api/control_plane.js

@@ -0,0 +1,28 @@
+export async function controlPlaneRoutes(request, url, deps, headers) {
+    const path = url.pathname;
+    if (path === "/api/control-plane/reload") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let reason = "api_control_plane_reload";
+        try {
+            const body = (await request.json());
+            if (typeof body.reason === "string" && body.reason.trim().length > 0) {
+                reason = body.reason.trim();
+            }
+        }
+        catch {
+            // ignore invalid body for reason
+        }
+        const result = await deps.reloadControlPlane(reason);
+        return Response.json(result, { status: result.ok ? 200 : 500, headers });
+    }
+    if (path === "/api/control-plane/rollback") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        const result = await deps.reloadControlPlane("rollback");
+        return Response.json(result, { status: result.ok ? 200 : 500, headers });
+    }
+    return Response.json({ error: "Not Found" }, { status: 404, headers });
+}

package/dist/api/cron.d.ts

@@ -0,0 +1,2 @@
+import type { ServerRoutingDependencies } from "../server_routing.js";
+export declare function cronRoutes(request: Request, url: URL, deps: ServerRoutingDependencies, headers: Headers): Promise<Response>;

package/dist/api/cron.js

@@ -0,0 +1,182 @@
+import { cronScheduleInputFromBody, hasCronScheduleInput, parseCronTarget, } from "../cron_request.js";
+import { normalizeWakeMode } from "../server_types.js";
+export async function cronRoutes(request, url, deps, headers) {
+    const path = url.pathname;
+    if (path === "/api/cron/status") {
+        if (request.method !== "GET") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        const status = await deps.cronPrograms.status();
+        return Response.json(status, { headers });
+    }
+    if (path === "/api/cron") {
+        if (request.method !== "GET") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        const enabledRaw = url.searchParams.get("enabled")?.trim().toLowerCase();
+        const enabled = enabledRaw === "true" ? true : enabledRaw === "false" ? false : undefined;
+        const targetKindRaw = url.searchParams.get("target_kind")?.trim().toLowerCase();
+        const targetKind = targetKindRaw === "run" || targetKindRaw === "activity" ? targetKindRaw : undefined;
+        const scheduleKindRaw = url.searchParams.get("schedule_kind")?.trim().toLowerCase();
+        const scheduleKind = scheduleKindRaw === "at" || scheduleKindRaw === "every" || scheduleKindRaw === "cron"
+            ? scheduleKindRaw
+            : undefined;
+        const limitRaw = url.searchParams.get("limit");
+        const limit = limitRaw && /^\d+$/.test(limitRaw) ? Math.max(1, Math.min(500, Number.parseInt(limitRaw, 10))) : undefined;
+        const programs = await deps.cronPrograms.list({ enabled, targetKind, scheduleKind, limit });
+        return Response.json({ count: programs.length, programs }, { headers });
+    }
+    if (path === "/api/cron/create") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const title = typeof body.title === "string" ? body.title.trim() : "";
+        if (!title) {
+            return Response.json({ error: "title is required" }, { status: 400, headers });
+        }
+        const parsedTarget = parseCronTarget(body);
+        if (!parsedTarget.target) {
+            return Response.json({ error: parsedTarget.error ?? "invalid target" }, { status: 400, headers });
+        }
+        if (!hasCronScheduleInput(body)) {
+            return Response.json({ error: "schedule is required" }, { status: 400, headers });
+        }
+        const schedule = cronScheduleInputFromBody(body);
+        const reason = typeof body.reason === "string" ? body.reason.trim() : undefined;
+        const wakeMode = normalizeWakeMode(body.wake_mode);
+        const enabled = typeof body.enabled === "boolean" ? body.enabled : undefined;
+        try {
+            const program = await deps.cronPrograms.create({
+                title,
+                target: parsedTarget.target,
+                schedule,
+                reason,
+                wakeMode,
+                enabled,
+                metadata: body.metadata && typeof body.metadata === "object" && !Array.isArray(body.metadata)
+                    ? body.metadata
+                    : undefined,
+            });
+            return Response.json({ ok: true, program }, { status: 201, headers });
+        }
+        catch (err) {
+            return Response.json({ error: deps.describeError(err) }, { status: 400, headers });
+        }
+    }
+    if (path === "/api/cron/update") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const programId = typeof body.program_id === "string" ? body.program_id.trim() : "";
+        if (!programId) {
+            return Response.json({ error: "program_id is required" }, { status: 400, headers });
+        }
+        let target;
+        if (typeof body.target_kind === "string") {
+            const parsedTarget = parseCronTarget(body);
+            if (!parsedTarget.target) {
+                return Response.json({ error: parsedTarget.error ?? "invalid target" }, { status: 400, headers });
+            }
+            target = parsedTarget.target;
+        }
+        const schedule = hasCronScheduleInput(body) ? cronScheduleInputFromBody(body) : undefined;
+        const wakeMode = Object.hasOwn(body, "wake_mode") ? normalizeWakeMode(body.wake_mode) : undefined;
+        try {
+            const result = await deps.cronPrograms.update({
+                programId,
+                title: typeof body.title === "string" ? body.title : undefined,
+                reason: typeof body.reason === "string" ? body.reason : undefined,
+                wakeMode,
+                enabled: typeof body.enabled === "boolean" ? body.enabled : undefined,
+                target,
+                schedule,
+                metadata: body.metadata && typeof body.metadata === "object" && !Array.isArray(body.metadata)
+                    ? body.metadata
+                    : undefined,
+            });
+            if (result.ok) {
+                return Response.json(result, { headers });
+            }
+            if (result.reason === "not_found") {
+                return Response.json(result, { status: 404, headers });
+            }
+            return Response.json(result, { status: 400, headers });
+        }
+        catch (err) {
+            return Response.json({ error: deps.describeError(err) }, { status: 400, headers });
+        }
+    }
+    if (path === "/api/cron/delete") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const programId = typeof body.program_id === "string" ? body.program_id.trim() : "";
+        if (!programId) {
+            return Response.json({ error: "program_id is required" }, { status: 400, headers });
+        }
+        const result = await deps.cronPrograms.remove(programId);
+        return Response.json(result, { status: result.ok ? 200 : result.reason === "not_found" ? 404 : 400, headers });
+    }
+    if (path === "/api/cron/trigger") {
+        if (request.method !== "POST") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        let body;
+        try {
+            body = (await request.json());
+        }
+        catch {
+            return Response.json({ error: "invalid json body" }, { status: 400, headers });
+        }
+        const result = await deps.cronPrograms.trigger({
+            programId: typeof body.program_id === "string" ? body.program_id : null,
+            reason: typeof body.reason === "string" ? body.reason : null,
+        });
+        if (result.ok) {
+            return Response.json(result, { headers });
+        }
+        if (result.reason === "missing_target") {
+            return Response.json(result, { status: 400, headers });
+        }
+        if (result.reason === "not_found") {
+            return Response.json(result, { status: 404, headers });
+        }
+        return Response.json(result, { status: 409, headers });
+    }
+    if (path.startsWith("/api/cron/")) {
+        if (request.method !== "GET") {
+            return Response.json({ error: "Method Not Allowed" }, { status: 405, headers });
+        }
+        const id = decodeURIComponent(path.slice("/api/cron/".length)).trim();
+        if (!id) {
+            return Response.json({ error: "missing program id" }, { status: 400, headers });
+        }
+        const program = await deps.cronPrograms.get(id);
+        if (!program) {
+            return Response.json({ error: "program not found" }, { status: 404, headers });
+        }
+        return Response.json(program, { headers });
+    }
+    return Response.json({ error: "Not Found" }, { status: 404, headers });
+}

package/dist/api/events.js

@@ -1,3 +1,67 @@
+function trimOrNull(value) {
+    if (value == null) {
+        return null;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function previewText(value) {
+    if (typeof value === "string") {
+        return value;
+    }
+    if (value == null) {
+        return "";
+    }
+    try {
+        return JSON.stringify(value);
+    }
+    catch {
+        return String(value);
+    }
+}
+function includeByContains(event, contains) {
+    if (!contains) {
+        return true;
+    }
+    const needle = contains.toLowerCase();
+    const haystack = [
+        event.type ?? "",
+        event.source ?? "",
+        event.issue_id ?? "",
+        event.run_id ?? "",
+        previewText(event.payload),
+    ]
+        .join("\n")
+        .toLowerCase();
+    return haystack.includes(needle);
+}
+function applyEventFilters(events, filters) {
+    return events
+        .filter((event) => (filters.type ? event.type === filters.type : true))
+        .filter((event) => (filters.source ? event.source === filters.source : true))
+        .filter((event) => (filters.issueId ? event.issue_id === filters.issueId : true))
+        .filter((event) => (filters.runId ? event.run_id === filters.runId : true))
+        .filter((event) => {
+        if (filters.sinceMs == null) {
+            return true;
+        }
+        if (typeof event.ts_ms !== "number") {
+            return false;
+        }
+        return event.ts_ms >= filters.sinceMs;
+    })
+        .filter((event) => includeByContains(event, filters.contains));
+}
+function parseSinceMs(value) {
+    if (value == null || value.trim().length === 0) {
+        return null;
+    }
+    const parsed = Number.parseInt(value, 10);
+    if (!Number.isFinite(parsed)) {
+        return null;
+    }
+    return parsed;
+}
 export async function eventRoutes(request, context) {
     const url = new URL(request.url);
     const path = url.pathname.replace("/api/events", "") || "/";
@@ -6,31 +70,25 @@ export async function eventRoutes(request, context) {
         return new Response("Method Not Allowed", { status: 405 });
     }
     try {
-        const allEvents = await context.eventsStore.read();
+        const allEvents = (await context.eventsStore.read());
+        const filters = {
+            type: trimOrNull(url.searchParams.get("type")),
+            source: trimOrNull(url.searchParams.get("source")),
+            issueId: trimOrNull(url.searchParams.get("issue_id")),
+            runId: trimOrNull(url.searchParams.get("run_id")),
+            sinceMs: parseSinceMs(url.searchParams.get("since")),
+            contains: trimOrNull(url.searchParams.get("contains")),
+        };
         // Tail - GET /api/events/tail?n=50
         if (path === "/tail") {
             const n = Math.min(Math.max(1, parseInt(url.searchParams.get("n") ?? "50", 10) || 50), 500);
-            return Response.json(allEvents.slice(-n));
+            const filtered = applyEventFilters(allEvents, filters);
+            return Response.json(filtered.slice(-n));
         }
-        // Query - GET /api/events?type=...&source=...&since=...&limit=50
+        // Query - GET /api/events?type=...&source=...&issue_id=...&run_id=...&since=...&contains=...&limit=50
         if (path === "/") {
-            const typeFilter = url.searchParams.get("type");
-            const sourceFilter = url.searchParams.get("source");
-            const sinceRaw = url.searchParams.get("since");
             const limit = Math.min(Math.max(1, parseInt(url.searchParams.get("limit") ?? "50", 10) || 50), 500);
-            let filtered = allEvents;
-            if (typeFilter) {
-                filtered = filtered.filter((e) => e.type === typeFilter);
-            }
-            if (sourceFilter) {
-                filtered = filtered.filter((e) => e.source === sourceFilter);
-            }
-            if (sinceRaw) {
-                const sinceMs = parseInt(sinceRaw, 10);
-                if (!Number.isNaN(sinceMs)) {
-                    filtered = filtered.filter((e) => e.ts_ms >= sinceMs);
-                }
-            }
+            const filtered = applyEventFilters(allEvents, filters);
             return Response.json(filtered.slice(-limit));
         }
         return new Response("Not Found", { status: 404 });

package/dist/api/forum.js

@@ -1,3 +1,33 @@
+import { DEFAULT_FORUM_TOPICS_LIMIT, ForumStoreValidationError, normalizeForumPrefix, normalizeForumReadLimit, normalizeForumTopic, normalizeForumTopicsLimit, } from "@femtomc/mu-forum";
+async function readJsonBody(request) {
+    let body;
+    try {
+        body = await request.json();
+    }
+    catch {
+        throw new ForumStoreValidationError("invalid json body");
+    }
+    if (!body || typeof body !== "object" || Array.isArray(body)) {
+        throw new ForumStoreValidationError("json body must be an object");
+    }
+    return body;
+}
+function errorResponse(status, message) {
+    return new Response(JSON.stringify({ error: message }), {
+        status,
+        headers: { "Content-Type": "application/json" },
+    });
+}
+function mapForumRouteError(error) {
+    if (error instanceof ForumStoreValidationError) {
+        return errorResponse(400, error.message);
+    }
+    if (error instanceof Error && error.name === "ZodError") {
+        return errorResponse(400, error.message);
+    }
+    console.error("Forum API error:", error);
+    return errorResponse(500, error instanceof Error ? error.message : "Internal server error");
+}
 export async function forumRoutes(request, context) {
     const url = new URL(request.url);
     const path = url.pathname.replace("/api/forum", "") || "/";
@@ -5,37 +35,41 @@ export async function forumRoutes(request, context) {
     try {
         // List topics - GET /api/forum/topics
         if (path === "/topics" && method === "GET") {
-            const prefix = url.searchParams.get("prefix");
-            const topics = await context.forumStore.topics(prefix);
+            const prefix = normalizeForumPrefix(url.searchParams.get("prefix"));
+            const limit = normalizeForumTopicsLimit(url.searchParams.get("limit"), {
+                defaultLimit: DEFAULT_FORUM_TOPICS_LIMIT,
+            });
+            const topics = await context.forumStore.topics(prefix, { limit });
             return Response.json(topics);
         }
         // Read messages - GET /api/forum/read
         if (path === "/read" && method === "GET") {
-            const topic = url.searchParams.get("topic");
-            const limit = url.searchParams.get("limit");
-            if (!topic) {
-                return new Response("Topic is required", { status: 400 });
-            }
-            const messages = await context.forumStore.read(topic, limit ? parseInt(limit, 10) : 50);
+            const topic = normalizeForumTopic(url.searchParams.get("topic"));
+            const limit = normalizeForumReadLimit(url.searchParams.get("limit"));
+            const messages = await context.forumStore.read(topic, limit);
             return Response.json(messages);
         }
         // Post message - POST /api/forum/post
         if (path === "/post" && method === "POST") {
-            const body = (await request.json());
-            const { topic, body: messageBody, author } = body;
-            if (!topic || !messageBody) {
-                return new Response("Topic and body are required", { status: 400 });
+            const body = await readJsonBody(request);
+            const topic = normalizeForumTopic(body.topic);
+            if (typeof body.body !== "string" || body.body.trim().length === 0) {
+                return errorResponse(400, "body is required");
+            }
+            const messageBody = body.body;
+            let author = "system";
+            if (body.author != null) {
+                if (typeof body.author !== "string" || body.author.trim().length === 0) {
+                    return errorResponse(400, "author must be a non-empty string when provided");
+                }
+                author = body.author.trim();
             }
-            const message = await context.forumStore.post(topic, messageBody, author || "system");
+            const message = await context.forumStore.post(topic, messageBody, author);
             return Response.json(message, { status: 201 });
         }
         return new Response("Not Found", { status: 404 });
     }
     catch (error) {
-        console.error("Forum API error:", error);
-        return new Response(JSON.stringify({ error: error instanceof Error ? error.message : "Internal server error" }), {
-            status: 500,
-            headers: { "Content-Type": "application/json" },
-        });
+        return mapForumRouteError(error);
     }
 }