@harperfast/harper 5.0.0-beta.6 → 5.0.0-beta.8

package/security/jsLoader.ts

@@ -56,6 +56,9 @@ export async function scopedImport(filePath: string | URL, scope?: ApplicationSc
 			}
 			overridableProperty(Promise.prototype, 'then');
 			overridableProperty(Date, 'now');
+			for (let name of ['get', 'set', 'has', 'delete', 'clear', 'forEach', 'entries', 'keys', 'values']) {
+				overridableProperty(Map.prototype, name);
+			}
 			for (let Intrinsic of [
 				Object,
 				Array,
@@ -121,12 +124,13 @@ export async function scopedImport(filePath: string | URL, scope?: ApplicationSc
 
 let amaro: typeof import('amaro') | undefined;
 /**
- * Strip TypeScript types using the amaro library (what Node.js uses internally)
- * Falls back to regex-based stripping if amaro is not available
+ * Strip TypeScript types synchronously using the amaro library (what Node.js uses internally)
  */
-async function stripTypeScriptTypes(source: string): Promise<string> {
+function stripTypeScriptTypes(source: string): string {
 	// Use amaro - the library that Node.js uses internally for type stripping
-	amaro = await import('amaro');
+	if (!amaro) {
+		amaro = require('amaro');
+	}
 	return amaro.transformSync(source, { mode: 'strip-only' }).code;
 }
 
@@ -146,12 +150,27 @@ function parseJsonModule(source: string, url: string): any {
  * Load a module using Node's vm.Module API with (not really secure) sandboxing
  */
 async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
-	const moduleCache = new Map<string, Promise<SourceTextModule | SyntheticModule>>();
-	const linkingPromises = new Map<string, Promise<void>>();
-
-	// Create a secure context with limited globals
-	const contextObject = getGlobalObject(scope);
-	const context = createContext(contextObject);
+	// we want to retain the same module caches across any loading with the application scope
+	let moduleCaches = scope.moduleCache as {
+		moduleCache: Map<string, SourceTextModule | SyntheticModule | Promise<SourceTextModule | SyntheticModule>>;
+		linkingPromises: Map<string, Promise<void>>;
+		cjsCache: Map<string, { exports: any }>;
+		contextObject: any;
+		context: any;
+	};
+	if (!moduleCaches) {
+		// if they haven't been initialized, do so now
+		const contextObject = getGlobalObject(scope, true);
+		moduleCaches = scope.moduleCache = {
+			moduleCache: new Map(),
+			linkingPromises: new Map(),
+			cjsCache: new Map(),
+			// Create a secure context with limited globals
+			contextObject,
+			context: createContext(contextObject),
+		};
+	}
+	const { moduleCache, linkingPromises, cjsCache, contextObject, context } = moduleCaches;
 
 	/**
 	 * Resolve module specifier to absolute URL
@@ -165,6 +184,9 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 			// block harper/* for now (reserving for potential future use)
 			throw new Error(`Module ${specifier} is not allowed, may only access the 'harper' module`);
 		}
+		if (parts[0] === 'file:') {
+			return specifier;
+		}
 		const resolved = createRequire(referrer).resolve(specifier);
 		if (isAbsolute(resolved)) {
 			return pathToFileURL(resolved).toString();
@@ -176,7 +198,16 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 	 * Load a CommonJS module in our private context
 	 */
 	function loadCJS(url: string, source: string): { exports: any } {
+		// Check cache first to handle circular dependencies
+		if (cjsCache.has(url)) {
+			return cjsCache.get(url)!;
+		}
+
+		// Create module object and cache it immediately (before execution)
+		// This allows circular dependencies to get a reference to the incomplete module
 		const cjsModule = { exports: {} };
+		cjsCache.set(url, cjsModule);
+
 		if (url.endsWith('.json')) {
 			cjsModule.exports = parseJsonModule(source, url);
 			return cjsModule;
@@ -204,7 +235,7 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 			filename: url,
 			async importModuleDynamically(specifier: string, script) {
 				const resolvedUrl = resolveModule(specifier, script.sourceURL);
-				const useContainment = specifier.startsWith('.') || scope.dependencyContainment;
+				const useContainment = specifier.startsWith('.') || scope.dependencyContainment !== false;
 				const dynamicModule = await loadModuleWithCache(resolvedUrl, useContainment);
 				return dynamicModule;
 			},
@@ -221,16 +252,18 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 	}
 	function loadCJSModule(url: string, source: string, usePrivateGlobal: boolean): SyntheticModule {
 		const cjsModule = usePrivateGlobal ? loadCJS(url, source) : { exports: require(url) };
-		const exportNames = Object.keys(cjsModule.exports);
+		let exports = cjsModule.exports;
+		if (exports.default === undefined) {
+			// provide the default export for compatibility
+			exports = { default: exports, ...exports };
+		}
+		const exportNames = Object.keys(exports);
+
 		const synModule = new SyntheticModule(
-			exportNames.length > 0 ? exportNames : ['default'],
+			exportNames,
 			function () {
-				if (exportNames.length > 0) {
-					for (const key of exportNames) {
-						this.setExport(key, cjsModule.exports[key]);
-					}
-				} else {
-					this.setExport('default', cjsModule.exports);
+				for (const key of exportNames) {
+					this.setExport(key, exports[key]);
 				}
 			},
 			{ identifier: url, context }
@@ -240,21 +273,78 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 	}
 
 	/**
-	 * Linker function for module resolution during instantiation
+	 * Check if a package (or any of its dependencies) depends on harper
+	 * Expects a file URL like: file:///path/to/node_modules/package-name/dist/index.js
+	 */
+	function packageDependsOnHarper(fileUrl: string): boolean {
+		try {
+			// Convert file:// URL to path
+			const filePath = fileURLToPath(fileUrl);
+
+			// Find the node_modules directory and package name
+			// Example: /path/to/node_modules/package-name/dist/index.js
+			// or: /path/to/node_modules/@scope/package-name/dist/index.js
+			const nodeModulesMarker = '/node_modules/';
+			const nodeModulesIndex = filePath.lastIndexOf(nodeModulesMarker);
+			if (nodeModulesIndex === -1) return false;
+
+			// Get the part after /node_modules/
+			const afterNodeModules = filePath.substring(nodeModulesIndex + nodeModulesMarker.length);
+			const parts = afterNodeModules.split('/');
+
+			// Handle scoped packages (@scope/package-name) vs regular packages (package-name)
+			const beforeNodeModules = filePath.substring(0, nodeModulesIndex);
+			const packageRoot = parts[0].startsWith('@')
+				? join(beforeNodeModules, 'node_modules', parts[0], parts[1])
+				: join(beforeNodeModules, 'node_modules', parts[0]);
+
+			// Read package.json from the package root
+			const packageJsonPath = join(packageRoot, 'package.json');
+			const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8'));
+
+			const deps = {
+				...packageJson.dependencies,
+				...packageJson.devDependencies,
+				...packageJson.peerDependencies,
+			};
+
+			// Check if harper is a direct dependency
+			return Object.keys(deps).some((dep) => HARPER_MODULE_IDS.has(dep));
+		} catch {
+			return false;
+		}
+	}
+
+	/**
+	 * Linker function for module resolution during instantiation.
+	 * This is synchronous because Node's module.link() requires the linker
+	 * to return modules synchronously.
 	 */
-	async function linker(specifier: string, referencingModule: SourceTextModule | SyntheticModule) {
+	function linker(specifier: string, referencingModule: SourceTextModule | SyntheticModule) {
 		const resolvedUrl = resolveModule(specifier, referencingModule.identifier);
 
-		const useContainment = specifier.startsWith('.') || scope.dependencyContainment;
-		// Return the module immediately (even if not yet linked) to support circular dependencies
-		return await getOrCreateModule(resolvedUrl, useContainment);
+		// Determine if we should use VM containment for this module
+		let useContainment = specifier.startsWith('.'); // Always contain relative imports
+
+		if (!useContainment && scope.dependencyContainment !== false) {
+			// For npm packages, check if they depend on harper
+			if (resolvedUrl.startsWith('file://') && resolvedUrl.includes('node_modules')) {
+				useContainment = packageDependsOnHarper(resolvedUrl);
+			} else {
+				// Non-file URLs (bare specifiers) - use default behavior
+				useContainment = scope.dependencyContainment === true;
+			}
+		}
+
+		// Return the module
+		return getOrCreateModule(resolvedUrl, useContainment);
 	}
 
-	async function getOrCreateModule(
+	function getOrCreateModule(
 		url: string,
 		usePrivateGlobal: boolean
-	): Promise<SourceTextModule | SyntheticModule> {
-		// Check cache first - return cached module immediately (even if not linked yet)
+	): SourceTextModule | SyntheticModule | Promise<SourceTextModule | SyntheticModule> {
+		// Check if module is already created
 		if (moduleCache.has(url)) {
 			return moduleCache.get(url)!;
 		}
@@ -275,8 +365,15 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 		// Only link/evaluate once per module
 		if (!linkingPromises.has(url)) {
 			const linkingPromise = (async () => {
-				await module.link(linker);
-				await module.evaluate();
+				// Check module status - only link if it's 'unlinked'
+				// Status can be: 'unlinked', 'linking', 'linked', 'evaluating', 'evaluated'
+				if (module.status === 'unlinked') {
+					await module.link(linker);
+				}
+				// Only evaluate if not already evaluated
+				if (module.status === 'linked') {
+					await module.evaluate();
+				}
 			})();
 			linkingPromises.set(url, linkingPromise);
 		}
@@ -287,107 +384,107 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope) {
 		return module;
 	}
 	/**
-	 * Create a module from URL without linking or evaluating
+	 * Create a SyntheticModule from exported object
 	 */
-	async function createModule(url: string, usePrivateGlobal: boolean): Promise<SourceTextModule | SyntheticModule> {
-		let module: SourceTextModule | SyntheticModule;
+	function createSyntheticModule(url: string, exportedObject: any): SyntheticModule {
+		const exportNames = Object.keys(exportedObject);
+		return new SyntheticModule(
+			exportNames,
+			function () {
+				for (const key of exportNames) {
+					this.setExport(key, exportedObject[key]);
+				}
+			},
+			{ identifier: url, context }
+		);
+	}
 
-		// Handle special built-in modules
-		if (url === 'harper') {
-			let harperExports = getHarperExports(scope);
-			module = new SyntheticModule(
-				Object.keys(harperExports),
+	/**
+	 * Normalize imported module to ensure it has proper exports including default
+	 */
+	function normalizeImportedModule(importedModule: any): any {
+		const cjsModule = importedModule['module.exports'];
+		if (cjsModule) {
+			// back-compat import
+			importedModule = importedModule.default ? { default: importedModule.default, ...cjsModule } : cjsModule;
+		}
+		// Ensure there's a default export for ESM imports that expect it
+		if (!importedModule.default) {
+			importedModule = { default: importedModule, ...importedModule };
+		}
+		return importedModule;
+	}
+
+	/**
+	 * Create a SourceTextModule or SyntheticModule from source code
+	 */
+	function createModuleFromSource(
+		url: string,
+		source: string,
+		usePrivateGlobal: boolean
+	): SourceTextModule | SyntheticModule {
+		// Handle JSON modules
+		if (url.endsWith('.json')) {
+			const jsonData = parseJsonModule(source, url);
+			return new SyntheticModule(
+				['default'],
 				function () {
-					for (let key in harperExports) {
-						this.setExport(key, harperExports[key]);
-					}
+					this.setExport('default', jsonData);
 				},
 				{ identifier: url, context }
 			);
-		} else if (url.startsWith('file://') && usePrivateGlobal) {
-			checkAllowedModulePath(url, scope.verifyPath);
-			let source = await readFile(new URL(url), { encoding: 'utf-8' });
-
-			// Handle JSON modules as a SyntheticModule with a default export.
-			// JSON imports only support default exports per the ESM spec.
-			if (url.endsWith('.json')) {
-				const jsonData = parseJsonModule(source, url);
-				module = new SyntheticModule(
-					['default'],
-					function () {
-						this.setExport('default', jsonData);
-					},
-					{ identifier: url, context }
-				);
-			} else {
-				// Strip TypeScript types if this is a .ts file
-				if (url.endsWith('.ts') || url.endsWith('.tsx')) {
-					source = await stripTypeScriptTypes(source);
-				}
+		}
 
-				// Try CJS first since it will fail fast with clear syntax errors on ESM syntax
-				try {
-					module = loadCJSModule(url, source, usePrivateGlobal);
-				} catch {
-					// If CJS loading fails (likely due to ESM syntax like import/export), try ESM
-					try {
-						module = new SourceTextModule(source, {
-							identifier: url,
-							context,
-							initializeImportMeta(meta) {
-								meta.url = url;
-							},
-							async importModuleDynamically(specifier: string) {
-								const resolvedUrl = resolveModule(specifier, url);
-								const dynamicModule = await loadModuleWithCache(resolvedUrl, true);
-								return dynamicModule;
-							},
-						});
-					} catch (esmErr) {
-						// Both failed - throw the ESM error as it's likely more relevant
-						throw esmErr;
-					}
-				}
-			}
-		} else {
-			const replacedModule = checkAllowedModulePath(url, scope.verifyPath);
-			// For Node.js built-in modules (node:) and npm packages
-			// Always try require first to properly handle CJS modules with named exports
-			try {
-				const cjsExports = replacedModule ?? require(url);
-				// It's a CJS module - expose all properties as named exports
-				const exportNames = Object.keys(cjsExports);
-				module = new SyntheticModule(
-					exportNames.length > 0 ? [...exportNames, 'default'] : ['default'],
-					function () {
-						if (exportNames.length > 0) {
-							for (const key of exportNames) {
-								this.setExport(key, cjsExports[key]);
-							}
-						}
-						this.setExport('default', cjsExports);
-					},
-					{ identifier: url, context }
-				);
-			} catch {
-				// Fall back to dynamic import for ESM packages
-				const importedModule = await import(url);
-				const exportNames = Object.keys(importedModule);
-				module = new SyntheticModule(
-					exportNames,
-					function () {
-						for (const key of exportNames) {
-							this.setExport(key, importedModule[key]);
-						}
-					},
-					{ identifier: url, context }
-				);
-			}
+		// Strip TypeScript types if this is a .ts file
+		if (url.endsWith('.ts') || url.endsWith('.tsx')) {
+			source = stripTypeScriptTypes(source);
 		}
 
-		return module;
+		// Try CJS first since it will fail fast with clear syntax errors on ESM syntax
+		try {
+			return loadCJSModule(url, source, usePrivateGlobal);
+		} catch {
+			// If CJS loading fails (likely due to ESM syntax like import/export), try ESM
+			return new SourceTextModule(source, {
+				identifier: url,
+				context,
+				initializeImportMeta(meta) {
+					meta.url = url;
+				},
+				importModuleDynamically(specifier: string) {
+					const resolvedUrl = resolveModule(specifier, url);
+					const useContainment = specifier.startsWith('.') || scope.dependencyContainment !== false;
+					return loadModuleWithCache(resolvedUrl, useContainment);
+				},
+			});
+		}
 	}
 
+	/**
+	 * Create a module from URL without linking or evaluating (async version for initial load)
+	 */
+	function createModule(
+		url: string,
+		usePrivateGlobal: boolean
+	): SourceTextModule | SyntheticModule | Promise<SourceTextModule | SyntheticModule> {
+		// Handle special built-in modules
+		if (url === 'harper') {
+			return createSyntheticModule(url, getHarperExports(scope));
+		}
+
+		if (url.startsWith('file://') && usePrivateGlobal) {
+			checkAllowedModulePath(url, scope.verifyPath);
+			const source = readFileSync(new URL(url), { encoding: 'utf-8' });
+			return createModuleFromSource(url, source, usePrivateGlobal);
+		}
+
+		// For Node.js built-in modules (node:) and npm packages without dependency containment
+		const replacedModule = checkAllowedModulePath(url, scope.verifyPath);
+		if (replacedModule) {
+			return createSyntheticModule(url, normalizeImportedModule(replacedModule));
+		}
+		return import(url).then((importedModule) => createSyntheticModule(url, normalizeImportedModule(importedModule)));
+	}
 	// Load the entry module
 	const entryModule = await loadModuleWithCache(moduleUrl, true);
 
@@ -433,8 +530,8 @@ async function getCompartment(scope: ApplicationScope, globals) {
 						},
 					};
 				} else if (moduleSpecifier.startsWith('file:') && !moduleSpecifier.includes('node_modules')) {
-					const moduleText = await readFile(new URL(moduleSpecifier), { encoding: 'utf-8' });
-					// Handle JSON files in comparttment mode the same way as in VM mode
+					let moduleText = await readFile(new URL(moduleSpecifier), { encoding: 'utf-8' });
+					// Handle JSON files in compartment mode the same way as in VM mode
 					if (moduleSpecifier.endsWith('.json')) {
 						const jsonData = parseJsonModule(moduleText, moduleSpecifier);
 						return {
@@ -445,6 +542,10 @@ async function getCompartment(scope: ApplicationScope, globals) {
 							},
 						};
 					}
+					// Strip TypeScript types if this is a .ts file
+					if (moduleSpecifier.endsWith('.ts') || moduleSpecifier.endsWith('.tsx')) {
+						moduleText = stripTypeScriptTypes(moduleText);
+					}
 					return new StaticModuleRecord(moduleText, moduleSpecifier);
 				} else {
 					checkAllowedModulePath(moduleSpecifier, scope.verifyPath);
@@ -479,6 +580,9 @@ function secureOnlyFetch(resource, options) {
 	return fetch(resource, options);
 }
 
+// These globals need to match the literals produced in the VM context
+const contextualizedJSGlobals = ['Object', 'Array', 'Function', 'globalThis'];
+
 let defaultJSGlobalNames: string[];
 // get the global variable names that are intrinsically present in a VM context (so we don't override them)
 function getDefaultJSGlobalNames() {
@@ -494,12 +598,13 @@ function getDefaultJSGlobalNames() {
 /**
  * Get the set of global variables that should be available to modules that run in scoped compartments/contexts.
  */
-function getGlobalObject(scope: ApplicationScope) {
+function getGlobalObject(scope: ApplicationScope, copyIntrinsics = false) {
 	const appGlobal = {};
 	// create the new global object, assigning all the global variables from this global
 	// except those that will be natural intrinsics of the new VM
+	const globalsToExclude = copyIntrinsics ? contextualizedJSGlobals : getDefaultJSGlobalNames();
 	for (let name of Object.getOwnPropertyNames(global)) {
-		if (getDefaultJSGlobalNames().includes(name)) continue;
+		if (globalsToExclude.includes(name)) continue;
 		appGlobal[name] = global[name];
 	}
 	// now assign Harper scope-specific variables
@@ -533,6 +638,25 @@ function getHarperExports(scope: ApplicationScope) {
 		authenticateUser: server.authenticateUser,
 		operation: server.operation,
 		contentTypes,
+		Attribute: undefined,
+		Config: undefined,
+		ConfigValue: undefined,
+		Context: undefined,
+		FileAndURLPathConfig: undefined,
+		FilesOption: undefined,
+		FilesOptionObject: undefined,
+		IterableEventQueue: undefined,
+		Logger: undefined,
+		Query: undefined,
+		RecordObject: undefined,
+		RequestTargetOrId: undefined,
+		ResourceInterface: undefined,
+		Scope: undefined,
+		Session: undefined,
+		SourceContext: undefined,
+		SubscriptionRequest: undefined,
+		Table: undefined,
+		User: undefined,
 	};
 }
 const ALLOWED_NODE_BUILTIN_MODULES = env.get(CONFIG_PARAMS.APPLICATIONS_ALLOWEDBUILTINMODULES)
@@ -544,14 +668,19 @@ const ALLOWED_NODE_BUILTIN_MODULES = env.get(CONFIG_PARAMS.APPLICATIONS_ALLOWEDB
 			},
 		};
 const ALLOWED_COMMANDS = new Set(env.get(CONFIG_PARAMS.APPLICATIONS_ALLOWEDSPAWNCOMMANDS) ?? []);
-const REPLACED_BUILTIN_MODULES = {
-	child_process: {
-		exec: createSpawn(child_process.exec),
-		execFile: createSpawn(child_process.execFile),
-		fork: createSpawn(child_process.fork, true), // this is launching node, so deemed safe
-		spawn: createSpawn(child_process.spawn),
+const child_processConstrained = {
+	exec: createSpawn(child_process.exec),
+	execFile: createSpawn(child_process.execFile),
+	fork: createSpawn(child_process.fork, true), // this is launching node, so deemed safe
+	spawn: createSpawn(child_process.spawn),
+	execSync: function () {
+		throw new Error('execSync is not allowed');
 	},
 };
+child_processConstrained.default = child_processConstrained;
+const REPLACED_BUILTIN_MODULES = {
+	child_process: child_processConstrained,
+};
 /**
  * Creates a ChildProcess-like object for an existing process
  */

package/server/REST.ts

@@ -4,7 +4,7 @@ import * as harperLogger from '../utility/logging/harper_logger.js';
 import { ServerOptions } from 'http';
 import { ServerError, ClientError } from '../utility/errors/hdbError.js';
 import { Resources } from '../resources/Resources.ts';
-import { Resource } from '../resources/Resource.ts';
+import { Resource, missingMethod, allowedMethods } from '../resources/Resource.ts';
 import { IterableEventQueue } from '../resources/IterableEventQueue.ts';
 import { transaction } from '../resources/transaction.ts';
 import { Headers, mergeHeaders } from '../server/serverHelpers/Headers.ts';
@@ -114,29 +114,38 @@ async function http(request: Context & Request, nextHandler) {
 			switch (method) {
 				case 'GET':
 				case 'HEAD':
-					return resource.get(target, request);
+					return resource.get ? resource.get(target, request) : missingMethod(resource, 'get');
 				case 'POST':
-					return resource.post(target, request.data, request);
+					return resource.post ? resource.post(target, request.data, request) : missingMethod(resource, 'post');
 				case 'PUT':
-					return resource.put(target, request.data, request);
+					return resource.put ? resource.put(target, request.data, request) : missingMethod(resource, 'put');
 				case 'DELETE':
-					return resource.delete(target, request);
+					return resource.delete ? resource.delete(target, request) : missingMethod(resource, 'delete');
 				case 'PATCH':
-					return resource.patch(target, request.data, request);
+					return resource.patch ? resource.patch(target, request.data, request) : missingMethod(resource, 'patch');
 				case 'OPTIONS': // used primarily for CORS
-					headers.setIfNone('Allow', 'GET, HEAD, POST, PUT, DELETE, PATCH, OPTIONS, TRACE, QUERY, COPY, MOVE');
+					headers.setIfNone(
+						'Allow',
+						allowedMethods(resource)
+							.map((method) => method.toUpperCase())
+							.join(', ')
+					);
 					return;
 				case 'CONNECT':
 					// websockets? and event-stream
-					return resource.connect(target, null, request);
+					return resource.connect ? resource.connect(target, null, request) : missingMethod(resource, 'connect');
 				case 'TRACE':
 					return 'Harper is the terminating server';
 				case 'QUERY':
-					return resource.query(target, request.data, request);
+					return resource.query ? resource.query(target, request.data, request) : missingMethod(resource, 'query');
 				case 'COPY': // methods suggested from webdav RFC 4918
-					return resource.copy(target, headersObject.destination, request);
+					return resource.copy
+						? resource.copy(target, headersObject.destination, request)
+						: missingMethod(resource, 'copy');
 				case 'MOVE':
-					return resource.move(target, headersObject.destination, request);
+					return resource.move
+						? resource.move(target, headersObject.destination, request)
+						: missingMethod(resource, 'move');
 				case 'BREW': // RFC 2324
 					throw new ClientError("Harper is short and stout and can't brew coffee", 418);
 				default:
@@ -164,8 +173,18 @@ async function http(request: Context & Request, nextHandler) {
 				responseData.headers = responseHeaders;
 			// if no body, look for provided data to serialize
 			if (!responseData.body) {
-				if ('data' in responseData) responseData.body = serialize(responseData.data, request, responseData);
-				else responseData.body = serialize(responseData, request, responseData);
+				let body: any;
+				if ('data' in responseData) {
+					// a standard Response object does not have a setter for body, so we force it
+					body = serialize(responseData.data, request, responseData);
+				} else if (responseData.body === undefined) {
+					// if there is really no body, serialize this object into the body. Note that `new Response()` creates a response
+					// with a null body, and will not fall into this branch
+					body = serialize(responseData, request, responseData);
+				}
+				if (body) {
+					responseData = { status: responseData.status, headers: responseData.headers, body };
+				}
 			}
 			responseData.status ??= status ?? 200;
 			return responseData;

package/server/http.ts

@@ -8,7 +8,7 @@ import harperLogger from '../utility/logging/harper_logger.js';
 import { parentPort } from 'node:worker_threads';
 import env from '../utility/environment/environmentManager.js';
 import * as terms from '../utility/hdbTerms.ts';
-import { resolvePath } from '../config/configUtils.js';
+import { getConfigPath } from '../config/configUtils.js';
 import { getTicketKeys } from './threads/manageThreads.js';
 import { createTLSSelector } from '../security/keys.js';
 import { createSecureServer } from 'node:http2';
@@ -35,6 +35,7 @@ const httpServers = {},
 	httpChain = {},
 	httpResponders = [];
 let httpOptions: HttpOptions = {};
+export const universalHeaders: [string, string][] = [];
 
 export function handleApplication(scope: Scope) {
 	httpOptions = scope.options.getAll() as HttpOptions;
@@ -181,7 +182,7 @@ function getPorts(options) {
 
 	if (options?.usageType === 'operations-api' && env.get(terms.CONFIG_PARAMS.OPERATIONSAPI_NETWORK_DOMAINSOCKET)) {
 		ports.push({
-			port: resolvePath(env.get(terms.CONFIG_PARAMS.OPERATIONSAPI_NETWORK_DOMAINSOCKET)),
+			port: getConfigPath(terms.CONFIG_PARAMS.OPERATIONSAPI_NETWORK_DOMAINSOCKET),
 			secure: false,
 		});
 	}
@@ -269,7 +270,9 @@ function getHTTPServer(port: number, secure: boolean, options: ServerOptions) {
 				if (!response.headers?.set) {
 					response.headers = new Headers(response.headers);
 				}
-
+				for (let [key, value] of universalHeaders) {
+					response.headers.set(key, value);
+				}
 				if (response.status === -1) {
 					// This means the HDB stack didn't handle the request, and we can then cascade the request
 					// to the server-level handler, forming the bridge to the slower legacy fastify framework that expects

package/server/itc/serverHandlers.js

@@ -149,7 +149,7 @@ async function componentStatusRequestHandler(event) {
 			if (originatorThreadId === undefined) {
 				hdbLogger.debug('No originator threadId, falling back to broadcast');
 			} else {
-				hdbLogger.warn(`Failed to send direct response to thread ${originatorThreadId}, falling back to broadcast`);
+				hdbLogger.debug(`Failed to send direct response to thread ${originatorThreadId}, falling back to broadcast`);
 			}
 			await sendItcEvent(responseMessage);
 		}

package/static/defaultConfig.yaml

@@ -26,7 +26,7 @@ analytics:
 applications:
   lockdown: freeze
   containment: vm
-  dependencyContainment: false
+  dependencyContainment: auto
   allowedSpawnCommands:
     - npm
     - node