npm - @go-to-k/cdkd - Versions diffs - 0.132.2 → 0.132.3 - Mend

@go-to-k/cdkd 0.132.2 → 0.132.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -39510,6 +39510,24 @@ const STREAM_PRELUDE_SEPARATOR = Buffer.from([
 */
 const STREAM_PRELUDE_MAX_BYTES = 1024 * 1024;
 /**
+* Maximum cumulative bytes of body the streaming Readable will push
+* before destroying itself with a clear error (defense-in-depth against
+* a buggy / malicious handler streaming gigabytes — Node's chunked-pipe
+* machinery handles per-chunk backpressure, but the running total can
+* still grow without bound on a slow consumer).
+*
+* 100 MiB is the default cap — generous enough that no realistic
+* dev-loop streaming response (token-by-token LLM output, large-file
+* download, video segment) hits it, low enough that a genuine runaway
+* surfaces locally before swap pressure kicks in. The HTTP server
+* converts the destroyed Readable to a truncated response (best-effort —
+* headers may already be on the wire).
+*
+* Consistent with {@link STREAM_PRELUDE_MAX_BYTES} (1 MiB cap on the
+* pre-body buffer); this is the post-body counterpart.
+*/
+const STREAM_BODY_MAX_BYTES = 100 * 1024 * 1024;
+/**
 * POST the event payload to RIE with the `streaming` response-mode
 * header, parse the JSON prelude out of the response bytes, and return
 * a Readable carrying the post-separator body chunks.
@@ -39525,10 +39543,26 @@ const STREAM_PRELUDE_MAX_BYTES = 1024 * 1024;
 * the header, but setting it makes the contract explicit and survives
 * future RIE behavior changes.)
 *
-* `timeoutMs` bounds the total wall time including the prelude wait —
-* the handler can stream for the full Lambda timeout, so callers should
-* pass a generous value (typically the function's configured Timeout * 2
-* with a 30s floor, matching `invokeRie`'s convention).
+* **`timeoutMs` bounds the TOTAL wall time of the entire streaming
+* exchange**, NOT just the prelude wait — the single armed `setTimeout`
+* covers both the prelude arrival AND the body drain. Once it fires,
+* `controller.abort()` destroys the underlying Readable, so a
+* legitimately long-lived streaming handler (e.g. a 15-minute AI / LLM
+* proxy) will have its connection torn down mid-stream even though
+* bytes are arriving correctly. Callers MUST size `timeoutMs` to cover
+* the longest expected handler stream, NOT just the time to first byte.
+*
+* Convention: pass `lambda.Timeout * 2` with a 30-second floor — same
+* order-of-magnitude formula as `invokeRie`, but the absolute value
+* differs because streaming handlers can intentionally run for the full
+* Lambda timeout (default 15 minutes for streaming-capable functions).
+* Splitting the bound into a strict prelude timer + a per-chunk idle
+* timer that resets on each chunk is deferred to a follow-up — see
+* issue #503 item 1 for the design discussion.
+*
+* The body Readable is additionally guarded by {@link STREAM_BODY_MAX_BYTES}
+* (100 MiB by default) so a runaway handler can't blow host memory; the
+* Readable is destroyed with a clear error when the cap trips.
 */
 async function invokeRieStreaming(host, port, event, timeoutMs) {
 	const url = `http://${host}:${port}${INVOKE_PATH}`;
@@ -39562,7 +39596,7 @@ async function invokeRieStreaming(host, port, event, timeoutMs) {
 			preludeBytes = preludeBytes.subarray(0, separatorIdx);
 			break;
 		}
-		if (preludeBytes.length > STREAM_PRELUDE_MAX_BYTES) {
+		if (preludeBytes.length > 1048576) {
 			clearTimeout(timer);
 			reader.cancel().catch(() => void 0);
 			throw new Error(`RIE streaming response did not emit the prelude/body separator within ${STREAM_PRELUDE_MAX_BYTES} bytes. The handler likely did not call awslambda.HttpResponseStream.from(stream, metadata).`);
@@ -39581,13 +39615,31 @@ async function invokeRieStreaming(host, port, event, timeoutMs) {
 		throw new Error(`RIE streaming response prelude is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
 	}
 	const stream = new Readable({ read() {} });
+	let bodyBytesPushed = 0;
+	const exceedsCap = (added) => {
+		bodyBytesPushed += added;
+		return bodyBytesPushed > STREAM_BODY_MAX_BYTES;
+	};
 	(async () => {
 		try {
-			if (bodyTail && bodyTail.length > 0) stream.push(bodyTail);
+			if (bodyTail && bodyTail.length > 0) {
+				if (exceedsCap(bodyTail.length)) {
+					reader.cancel().catch(() => void 0);
+					stream.destroy(/* @__PURE__ */ new Error(`RIE streaming body exceeded ${STREAM_BODY_MAX_BYTES} bytes — destroying stream.`));
+					return;
+				}
+				stream.push(bodyTail);
+			}
 			while (true) {
 				const { value, done } = await reader.read();
 				if (done) break;
-				stream.push(Buffer.from(value));
+				const chunk = Buffer.from(value);
+				if (exceedsCap(chunk.length)) {
+					reader.cancel().catch(() => void 0);
+					stream.destroy(/* @__PURE__ */ new Error(`RIE streaming body exceeded ${STREAM_BODY_MAX_BYTES} bytes — destroying stream.`));
+					return;
+				}
+				stream.push(chunk);
 			}
 			stream.push(null);
 		} catch (err) {
@@ -45522,11 +45574,26 @@ async function handleRequest(req, res, state, opts) {
 *
 * Cookies in the prelude are emitted as multiple `Set-Cookie` headers
 * (HTTP API v2 semantics — matching the buffered path's behavior).
+*
+* **Conflicting headers stripped**: `Content-Length` and
+* `Transfer-Encoding` (case-insensitive) are removed from the prelude
+* before `res.writeHead(...)` — some handlers set these defensively,
+* but doing so either crashes Node (Content-Length doesn't match the
+* actual bytes that arrive on the chunked body) or produces a
+* corrupted Content-Length-but-actually-chunked wire response. Node
+* automatically emits `Transfer-Encoding: chunked` when no
+* Content-Length is set, which is what streaming Function URLs
+* always want.
 */
 function writeStreamingResponse(res, result, releasePool) {
 	const logger = getLogger().child("start-api");
 	const { prelude, body } = result;
-	const headersOut = { ...prelude.headers };
+	const headersOut = {};
+	for (const [key, value] of Object.entries(prelude.headers)) {
+		const lower = key.toLowerCase();
+		if (lower === "content-length" || lower === "transfer-encoding") continue;
+		headersOut[key] = value;
+	}
 	if (prelude.cookies && prelude.cookies.length > 0) headersOut["set-cookie"] = prelude.cookies;
 	res.writeHead(prelude.statusCode, headersOut);
 	let released = false;
@@ -51707,7 +51774,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.3");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());