@nexus_js/server 0.7.5 → 0.9.0

package/dist/actions.d.ts

@@ -29,6 +29,25 @@
  */
 import type { NexusContext } from './context.js';
 import { type RateLimitConfig } from './rate-limit.js';
+/**
+ * Zod-compatible schema interface.
+ * Supports `.parse()` (throws on failure) and optionally `.safeParse()` (returns structured errors).
+ * Works with Zod, Valibot, ArkType, Superstruct, and any schema library following this contract.
+ */
+export interface NexusSchema<T> {
+    parse(data: unknown): T;
+    /** Optional — when present, used to extract structured field errors (Zod format). */
+    safeParse?: (data: unknown) => {
+        success: boolean;
+        error?: {
+            issues?: Array<{
+                path: Array<string | number>;
+                message: string;
+            }>;
+        };
+        data?: T;
+    };
+}
 export type ActionFn<TInput = FormData, TOutput = void> = (input: TInput, ctx: NexusContext & {
     signal: AbortSignal;
 }) => Promise<TOutput>;
@@ -70,13 +89,23 @@ export interface ActionOptions {
      */
     csrf?: boolean;
     /**
-     * A Zod-compatible schema for input validation.
-     * If provided, the action will reject requests with invalid input before
-     * calling the handler. Prevents SQL injection and type coercion attacks.
+     * Zod-compatible schema for input validation.
+     * The action rejects invalid input **before** calling the handler —
+     * preventing SQL injection, type coercion attacks, and untrusted data reaching business logic.
+     *
+     * Accepts any object with a `.parse()` method (Zod, Valibot, ArkType, etc.)
+     * or `.safeParse()` for structured error extraction.
+     *
+     * @example
+     * ```ts
+     * import { z } from 'zod';
+     * export const updateUser = createAction({
+     *   schema: z.object({ name: z.string().min(1).max(100), age: z.number().int().min(0) }),
+     *   handler: async ({ name, age }, ctx) => { ... },
+     * });
+     * ```
      */
-    schema?: {
-        parse: (data: unknown) => unknown;
-    };
+    schema?: NexusSchema<unknown>;
     /**
      * Maximum request body size in bytes. Default: 10 MB.
      * Lower this for actions that only receive small form payloads (e.g. login forms).
@@ -93,13 +122,18 @@ export interface ActionResult<T = unknown> {
     /** Server-side execution time in ms */
     duration?: number;
 }
+/**
+ * Verifies an action name signature. Returns true if the signature is valid or
+ * if we are in dev mode (no NEXUS_SECRET set — signature is optional in dev).
+ */
+export declare function verifyActionSig(name: string, sig: string | null): boolean;
 /**
  * Defines a Server Action with integrated security, rate limiting, and
  * race-condition management. The returned object is registered automatically
  * and ready to be called by the client.
  *
  * Security layers applied (in order):
- *   1. CSRF token validation (x-nexus-action-token header)
+ *   1. CSRF: custom header `x-nexus-action: 1` (Tier 1) + optional HMAC token (Tier 2)
  *   2. Rate limiting (sliding window, per-IP or per-user)
  *   3. Input schema validation (Zod or any .parse() compatible schema)
  *   4. AbortController (client disconnect + timeout)
@@ -126,7 +160,11 @@ export declare function getRegisteredActionNames(): ReadonlySet<string>;
 export declare class ActionError extends Error {
     readonly status: number;
     readonly code?: string | undefined;
-    constructor(message: string, status?: number, code?: string | undefined);
+    /** Structured field-level validation errors (Zod-style). Key: field path, Value: message. */
+    readonly fieldErrors?: Record<string, string> | undefined;
+    constructor(message: string, status?: number, code?: string | undefined, 
+    /** Structured field-level validation errors (Zod-style). Key: field path, Value: message. */
+    fieldErrors?: Record<string, string> | undefined);
 }
 export declare class ActionAbortedError extends ActionError {
     constructor();
@@ -148,6 +186,17 @@ export declare function validateRequest(ctx: NexusContext): Promise<void>;
 export { generateActionToken, validateActionToken, extractSessionId, generateSessionId } from './csrf.js';
 export { createRateLimiter, RateLimitError, parseWindow } from './rate-limit.js';
 export type { RateLimitConfig, RateLimitResult, RateLimiter } from './rate-limit.js';
+/**
+ * Returns `true` when `url` is a safe **public** `http:` / `https:` target for
+ * server-side `fetch` (not loopback, RFC1918, link-local, metadata IPs, etc.).
+ * Use before `fetch(userUrl)` to reduce blind SSRF risk.
+ */
+export declare function isSafeUrl(url: string): boolean;
+/**
+ * Returns `true` when a URL resolves to a private, loopback, or link-local
+ * address. Inverse of {@link isSafeUrl} for `http:` / `https:`.
+ */
+export declare function isInternalUrl(url: string): boolean;
 /**
  * Client-side AbortController factory.
  * Use this in island code to cancel in-flight action fetches

package/dist/actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAOjD,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,iBAAiB,CAAC;AAGzB,MAAM,MAAM,QAAQ,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,YAAY,GAAG;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,KACxC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACP,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,CAAC;KACnC,CAAC;IACF;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAyDD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,EAC5D,QAAQ,EACJ,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GACzB,CAAC,aAAa,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,EAC5D,UAAU,GAAE,aAAkB,GAC7B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAqC3B;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,EAC9B,IAAI,GAAE,aAAkB,GACvB,IAAI,CAKN;AAED,8FAA8F;AAC9F,wBAAgB,wBAAwB,IAAI,WAAW,CAAC,MAAM,CAAC,CAE9D;AAED,qBAAa,WAAY,SAAQ,KAAK;aAGlB,MAAM,EAAE,MAAM;aACd,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,MAAM,GAAE,MAAY,EACpB,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAED,qBAAa,kBAAmB,SAAQ,WAAW;;CAIlD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAsV7E;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAsBtE;AAGD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC1G,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAIrF;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAuB,GAChC;IACD,GAAG,EAAE,MAAM,WAAW,CAAC;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyBA"}
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAOjD,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,iBAAiB,CAAC;AAKzB;;;;GAIG;AACH,MAAM,WAAW,WAAW,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC;IACxB,qFAAqF;IACrF,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK;QAC7B,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC;QAC9E,IAAI,CAAC,EAAE,CAAC,CAAC;KACV,CAAC;CACH;AAED,MAAM,MAAM,QAAQ,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,YAAY,GAAG;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,KACxC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;;;;;;;;;;;;OAgBG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAyCD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAUzE;AAiCD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,EAC5D,QAAQ,EACJ,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GACzB,CAAC,aAAa,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,EAC5D,UAAU,GAAE,aAAkB,GAC7B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CA2D3B;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,EAC9B,IAAI,GAAE,aAAkB,GACvB,IAAI,CAKN;AAED,8FAA8F;AAC9F,wBAAgB,wBAAwB,IAAI,WAAW,CAAC,MAAM,CAAC,CAE9D;AAED,qBAAa,WAAY,SAAQ,KAAK;aAGlB,MAAM,EAAE,MAAM;aACd,IAAI,CAAC,EAAE,MAAM;IAC7B,6FAA6F;aAC7E,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;gBAJpD,OAAO,EAAE,MAAM,EACC,MAAM,GAAE,MAAY,EACpB,IAAI,CAAC,EAAE,MAAM,YAAA;IAC7B,6FAA6F;IAC7E,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,YAAA;CAKvD;AAED,qBAAa,kBAAmB,SAAQ,WAAW;;CAIlD;AA2CD;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CA2b7E;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAsCtE;AAGD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC1G,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAErF;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAQ9C;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkClD;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAuB,GAChC;IACD,GAAG,EAAE,MAAM,WAAW,CAAC;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyBA"}

package/dist/actions.js

@@ -31,7 +31,9 @@ import { createContext, NotFoundSignal, RedirectSignal } from './context.js';
 import { serialize, deserialize } from '@nexus_js/serialize';
 import { validateActionToken, extractSessionId, ACTION_TOKEN_HEADER, } from './csrf.js';
 import { createRateLimiter, registerLimiter, getLimiter, RateLimitError, } from './rate-limit.js';
+import { randomUUID, createHmac, timingSafeEqual } from 'node:crypto';
 import { emitDevRadar, newTraceId, sanitizeTelemetryValue } from './devradar.js';
+import { getExpectedNexusBuildId } from './build-id.js';
 const ACTION_PREFIX = '/_nexus/action/';
 const idempotencyCache = new Map();
 const IDEMPOTENCY_TTL = 30_000; // 30 seconds
@@ -40,14 +42,47 @@ const IDEMPOTENCY_TTL = 30_000; // 30 seconds
 const inFlightActions = new Map();
 const actionQueues = new Map();
 const actionRegistry = new Map();
+/**
+ * Generates an HMAC-SHA256 signature for an action name.
+ * Used to sign action URLs at SSR time so the server can verify they originated
+ * from a server-rendered page — not from an attacker enumerating action names.
+ * Skipped in dev (no NEXUS_SECRET required in dev mode).
+ */
+function signActionName(name) {
+    const secret = process.env['NEXUS_SECRET'];
+    if (!secret || secret === 'nexus-dev-secret-change-me')
+        return null;
+    return createHmac('sha256', secret).update(`action:${name}`).digest('base64url').slice(0, 16);
+}
+/**
+ * Verifies an action name signature. Returns true if the signature is valid or
+ * if we are in dev mode (no NEXUS_SECRET set — signature is optional in dev).
+ */
+export function verifyActionSig(name, sig) {
+    const expected = signActionName(name);
+    if (expected === null)
+        return true; // dev mode — skip verification
+    if (!sig)
+        return false;
+    // Constant-time comparison (sig is 16 base64url chars = 96 bits)
+    try {
+        return timingSafeEqual(Buffer.from(expected), Buffer.from(sig));
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * SSR and islands coerce `action={myAction}` with `String(myAction)`. The value is the
  * wrapper from `createAction`, whose default `Function#toString()` is the entire wrapper
  * source (CSRF, rate limit, …) — that string was being used as the form URL. After
  * registration we pin `toString` / `@@toPrimitive` to the real POST path.
+ * In production (NEXUS_SECRET is set), the URL carries an HMAC query param
+ * (`?__sig=…`) so the server can reject calls with unsigned / forged action URLs.
  */
 function patchRegisteredActionStringCoercion(fn, name) {
-    const url = ACTION_PREFIX + name;
+    const sig = signActionName(name);
+    const url = sig ? `${ACTION_PREFIX}${name}?__sig=${sig}` : `${ACTION_PREFIX}${name}`;
     Object.defineProperty(fn, 'toString', {
         value: function nexusActionUrlString() {
             return url;
@@ -73,7 +108,7 @@ function patchRegisteredActionStringCoercion(fn, name) {
  * and ready to be called by the client.
  *
  * Security layers applied (in order):
- *   1. CSRF token validation (x-nexus-action-token header)
+ *   1. CSRF: custom header `x-nexus-action: 1` (Tier 1) + optional HMAC token (Tier 2)
  *   2. Rate limiting (sliding window, per-IP or per-user)
  *   3. Input schema validation (Zod or any .parse() compatible schema)
  *   4. AbortController (client disconnect + timeout)
@@ -109,14 +144,33 @@ export function createAction(optsOrFn, legacyOpts = {}) {
                 throw new RateLimitError(result);
             }
         }
-        // 3. Schema validation
+        // 3. Schema validation — fail-fast before any business logic or DB access
         if (opts.schema) {
-            try {
-                input = opts.schema.parse(input);
+            if (typeof opts.schema.safeParse === 'function') {
+                // Structured path: extract field-level errors for the client
+                const result = opts.schema.safeParse(input);
+                if (!result.success) {
+                    const issues = result.error?.issues ?? [];
+                    const fieldErrors = {};
+                    for (const issue of issues) {
+                        const path = issue.path.join('.') || '_root';
+                        fieldErrors[path] = issue.message;
+                    }
+                    throw new ActionError(issues.length > 0
+                        ? `Validation failed: ${issues.map((i) => `${i.path.join('.') || 'input'} — ${i.message}`).join('; ')}`
+                        : 'Input validation failed', 400, 'VALIDATION_ERROR', fieldErrors);
+                }
+                if (result.data !== undefined)
+                    input = result.data;
             }
-            catch (err) {
-                const msg = err instanceof Error ? err.message : 'Input validation failed';
-                throw new ActionError(`Invalid input: ${msg}`, 400, 'VALIDATION_ERROR');
+            else {
+                try {
+                    input = opts.schema.parse(input);
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : 'Input validation failed';
+                    throw new ActionError(`Invalid input: ${msg}`, 400, 'VALIDATION_ERROR');
+                }
             }
         }
         return fn(input, ctx);
@@ -136,10 +190,14 @@ export function getRegisteredActionNames() {
 export class ActionError extends Error {
     status;
     code;
-    constructor(message, status = 400, code) {
+    fieldErrors;
+    constructor(message, status = 400, code, 
+    /** Structured field-level validation errors (Zod-style). Key: field path, Value: message. */
+    fieldErrors) {
         super(message);
         this.status = status;
         this.code = code;
+        this.fieldErrors = fieldErrors;
         this.name = 'ActionError';
     }
 }
@@ -148,6 +206,41 @@ export class ActionAbortedError extends ActionError {
         super('Action was superseded by a newer request', 409, 'ABORTED');
     }
 }
+/**
+ * Detects whether a request originates from a plain HTML form (no JS).
+ *
+ * A "native form" request:
+ *   - Has `Content-Type: application/x-www-form-urlencoded`
+ *   - Does NOT have the `x-nexus-action` custom header (added by the JS runtime)
+ *   - Does NOT explicitly request `application/json` in Accept
+ *
+ * When true, the action handler responds with 303 redirects instead of JSON
+ * (Progressive Enhancement — the action works even when JS is disabled).
+ */
+function isNativeFormRequest(request) {
+    const ct = request.headers.get('content-type') ?? '';
+    const hasNexusHeader = request.headers.has('x-nexus-action');
+    const acceptsJson = (request.headers.get('accept') ?? '').includes('application/json');
+    return (ct.includes('application/x-www-form-urlencoded') &&
+        !hasNexusHeader &&
+        !acceptsJson);
+}
+/**
+ * Builds a 303 See Other redirect for progressive-enhancement form submissions.
+ * Follows the Post/Redirect/Get pattern to prevent duplicate submissions on refresh.
+ *
+ * Redirect target priority:
+ *   1. `__redirectTo` hidden field in the form
+ *   2. `Referer` header (the page that submitted the form)
+ *   3. `/` as final fallback
+ */
+function formRedirect(request, formData, status = 303) {
+    const redirectTo = formData.get('__redirectTo') ??
+        request.headers.get('referer') ??
+        '/';
+    const headers = new Headers({ location: redirectTo });
+    return new Response(null, { status, headers });
+}
 /**
  * Main HTTP handler for /_nexus/action/:name
  * This is where all the race-condition logic runs.
@@ -163,6 +256,7 @@ export async function handleActionRequest(request) {
             headers: { allow: 'POST' },
         });
     }
+    const nativeForm = isNativeFormRequest(request);
     // ── Guard: opaque (null) Origin ────────────────────────────────────────────
     // Sandboxed iframes (<iframe sandbox> without allow-same-origin) and data:
     // URIs send the string "null" as the Origin header. This is never a
@@ -189,6 +283,46 @@ export async function handleActionRequest(request) {
     if (!registered) {
         return jsonResponse({ error: `Action "${actionName}" not found`, status: 404 }, 404);
     }
+    // ── Action URL signature verification (production only) ───────────────────
+    // In production (NEXUS_SECRET is set), action URLs are HMAC-signed during SSR.
+    // A request without a valid signature means the URL was manually crafted or
+    // the action name was enumerated — not server-rendered.
+    // In dev mode (no secret), signature check is skipped so hot-reload works.
+    const actionSig = url.searchParams.get('__sig');
+    if (!verifyActionSig(actionName, actionSig)) {
+        emitDevRadar({
+            type: 'security:audit',
+            payload: {
+                kind: 'csrf_blocked',
+                message: 'Action URL signature missing or invalid — possible action enumeration',
+                action: actionName,
+            },
+        });
+        return jsonResponse({ error: 'Invalid action URL', status: 403, code: 'INVALID_ACTION_SIG' }, 403);
+    }
+    // ── Build ID (client–server contract) ─────────────────────────────────────
+    // When `.nexus/build-id.json` exists (after `nexus build`), every action call
+    // must carry `x-nexus-build-id` matching that file. Stale tabs from a prior
+    // deploy get 412 so the runtime can reload and pick up new action signatures.
+    const expectedBuildId = getExpectedNexusBuildId();
+    if (expectedBuildId !== null) {
+        const sent = request.headers.get('x-nexus-build-id') ?? '';
+        if (sent !== expectedBuildId) {
+            emitDevRadar({
+                type: 'security:audit',
+                payload: {
+                    kind: 'build_mismatch',
+                    message: 'x-nexus-build-id does not match deployed build',
+                    action: actionName,
+                },
+            });
+            return jsonResponse({
+                error: 'Application was updated. Please reload the page.',
+                status: 412,
+                code: 'BUILD_MISMATCH',
+            }, 412);
+        }
+    }
     const { fn, opts } = registered;
     const race = opts.race ?? 'cancel';
     const timeout = opts.timeout ?? 30_000;
@@ -196,7 +330,7 @@ export async function handleActionRequest(request) {
     //
     // Tier 1 — Custom header (default): Browsers cannot add arbitrary headers to
     //   cross-origin requests without a CORS preflight the server will reject.
-    //   Requiring `x-nexus-action: 1` blocks all form-based CSRF attacks from
+    //   Requiring a non-empty `x-nexus-action` header blocks form-based CSRF from
     //   foreign origins without needing token generation on the server.
     //
     // Tier 2 — HMAC token (opt-in): When `x-nexus-action-token` is present the
@@ -213,7 +347,13 @@ export async function handleActionRequest(request) {
         const nexusHeader = request.headers.get('x-nexus-action');
         if (token) {
             // Tier 2: full HMAC validation
-            const secret = process.env['NEXUS_SECRET'] ?? 'nexus-dev-secret-change-me';
+            const envSecret = process.env['NEXUS_SECRET'];
+            if (!envSecret && process.env['NODE_ENV'] === 'production') {
+                // listen() already blocks start without NEXUS_SECRET; this catches
+                // edge-runtimes / tests that bypass createNexusServer.
+                return jsonResponse({ error: 'Server misconfiguration: NEXUS_SECRET not set', status: 500, code: 'INSECURE_SECRET' }, 500);
+            }
+            const secret = envSecret ?? 'nexus-dev-secret-change-me';
             const sessionId = extractSessionId(request);
             const validation = validateActionToken(token, sessionId, actionName, secret);
             if (!validation.valid) {
@@ -393,6 +533,11 @@ export async function handleActionRequest(request) {
             // Cleanup old entries periodically
             cleanIdempotencyCache();
         }
+        // Progressive Enhancement: native HTML form → Post/Redirect/Get pattern
+        if (nativeForm) {
+            const fd = input instanceof FormData ? input : new FormData();
+            return formRedirect(request, fd);
+        }
         // Serialize response with Nexus transport
         const serialized = serialize({ data: result, status: 200, duration, idempotencyKey });
         return new Response(serialized, {
@@ -442,19 +587,50 @@ export async function handleActionRequest(request) {
                     ...(err.code !== undefined ? { code: err.code } : {}),
                 },
             });
-            return jsonResponse({ error: err.message, status: err.status, code: err.code }, err.status);
+            // Progressive Enhancement: redirect back with error encoded in query string
+            if (nativeForm) {
+                const referer = request.headers.get('referer') ?? '/';
+                const target = new URL(referer, request.url);
+                target.searchParams.set('__nexus_error', err.message);
+                if (err.code)
+                    target.searchParams.set('__nexus_code', err.code);
+                return new Response(null, {
+                    status: 303,
+                    headers: { location: target.toString() },
+                });
+            }
+            return jsonResponse({
+                error: err.message,
+                status: err.status,
+                code: err.code,
+                ...(err.fieldErrors ? { fieldErrors: err.fieldErrors } : {}),
+            }, err.status);
         }
+        const errorId = randomUUID();
+        const mask = process.env['NEXUS_EXPOSE_ERRORS'] !== 'true' &&
+            process.env['NODE_ENV'] === 'production';
+        console.error(`[Nexus Action ${errorId}] "${actionName}" failed:`, err);
         emitDevRadar({
             type: 'action:error',
             payload: {
                 id: traceId,
                 name: actionName,
-                error: err instanceof Error ? err.message : String(err),
+                error: mask ? 'Internal Server Error' : (err instanceof Error ? err.message : String(err)),
                 duration: Date.now() - startTime,
+                ...(mask ? { errorId } : {}),
             },
         });
-        console.error(`[Nexus Action] "${actionName}" failed:`, err);
-        return jsonResponse({ error: 'Internal Server Error', status: 500 }, 500);
+        if (mask) {
+            return jsonResponse({
+                error: 'Internal Server Error',
+                status: 500,
+                errorId,
+            }, 500);
+        }
+        return jsonResponse({
+            error: err instanceof Error ? err.message : String(err),
+            status: 500,
+        }, 500);
     }
     finally {
         clearTimeout(timeoutId);
@@ -479,16 +655,89 @@ export async function validateRequest(ctx) {
     // Same-origin and same-site fetch() calls either omit Origin or match the host.
     const origin = ctx.request.headers.get('origin');
     const referer = ctx.request.headers.get('referer');
-    const host = ctx.request.headers.get('host') ?? '';
-    const suspectOrigin = origin && !origin.includes(host.split(':')[0] ?? host);
-    const suspectReferer = !origin && referer && !referer.includes(host.split(':')[0] ?? host);
+    const rawHost = ctx.request.headers.get('host') ?? '';
+    // Derive scheme from X-Forwarded-Proto or default to http (covered by HTTPS terminator upstream)
+    const proto = ctx.request.headers.get('x-forwarded-proto') ?? 'http';
+    const expectedOrigin = `${proto}://${rawHost}`;
+    function isSameOrigin(headerValue) {
+        try {
+            const parsed = new URL(headerValue);
+            const expected = new URL(expectedOrigin);
+            return parsed.protocol === expected.protocol
+                && parsed.hostname === expected.hostname
+                && parsed.port === expected.port;
+        }
+        catch {
+            return false;
+        }
+    }
+    const suspectOrigin = origin && !isSameOrigin(origin);
+    const suspectReferer = !origin && referer && !isSameOrigin(referer);
     if (suspectOrigin || suspectReferer) {
-        throw new ActionError(`Cross-origin action request blocked (host: ${host})`, 403, 'CROSS_ORIGIN_BLOCKED');
+        throw new ActionError(`Cross-origin action request blocked (host: ${rawHost})`, 403, 'CROSS_ORIGIN_BLOCKED');
     }
 }
 // Re-export security primitives for use in app code
 export { generateActionToken, validateActionToken, extractSessionId, generateSessionId } from './csrf.js';
 export { createRateLimiter, RateLimitError, parseWindow } from './rate-limit.js';
+/**
+ * Returns `true` when `url` is a safe **public** `http:` / `https:` target for
+ * server-side `fetch` (not loopback, RFC1918, link-local, metadata IPs, etc.).
+ * Use before `fetch(userUrl)` to reduce blind SSRF risk.
+ */
+export function isSafeUrl(url) {
+    try {
+        const u = new URL(url);
+        if (u.protocol !== 'http:' && u.protocol !== 'https:')
+            return false;
+    }
+    catch {
+        return false;
+    }
+    return !isInternalUrl(url);
+}
+/**
+ * Returns `true` when a URL resolves to a private, loopback, or link-local
+ * address. Inverse of {@link isSafeUrl} for `http:` / `https:`.
+ */
+export function isInternalUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return false; // unparseable URLs are not our SSRF concern — let the caller decide
+    }
+    // Only http/https are fetched in typical web actions; block everything else
+    // (file://, ftp://, etc.) as they access local resources.
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
+        return true;
+    const h = parsed.hostname.toLowerCase();
+    // Loopback
+    if (h === 'localhost' || h === '127.0.0.1' || h === '::1')
+        return true;
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h))
+        return true;
+    // Link-local (AWS/GCP/Azure metadata service lives at 169.254.169.254)
+    if (h.startsWith('169.254.'))
+        return true;
+    if (h === 'fe80::1' || h.startsWith('fe80:'))
+        return true;
+    // RFC 1918 private ranges
+    if (h.startsWith('10.'))
+        return true;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
+        return true;
+    if (h.startsWith('192.168.'))
+        return true;
+    // Unique local IPv6
+    if (/^fd[0-9a-f]{2}:/i.test(h) || h.startsWith('fc'))
+        return true;
+    // Unspecified / broadcast
+    if (h === '0.0.0.0' || h === '255.255.255.255')
+        return true;
+    return false;
+}
 // ── Client-side race guard ────────────────────────────────────────────────────
 /**
  * Client-side AbortController factory.
@@ -531,6 +780,53 @@ export function createActionGuard(name, strategy = 'cancel') {
 // ── Helpers ───────────────────────────────────────────────────────────────────
 /** Maximum request body for a single server action (10 MB). Override per-action via opts.maxBodyBytes. */
 const MAX_ACTION_BODY_BYTES = 10 * 1_024 * 1_024;
+/** Maximum JSON object nesting depth. Prevents CPU DoS via pathological `{"a":{"b":{…}}}` inputs. */
+const MAX_JSON_DEPTH = 10;
+/** Maximum number of JSON object keys across all nesting levels. Prevents key-explosion attacks. */
+const MAX_JSON_KEYS = 1_000;
+/**
+ * Walks the raw JSON text character-by-character (O(n)) tracking nesting depth and
+ * key count WITHOUT running the full parser. Throws ActionError before `JSON.parse`
+ * touches the data — prevents CPU DoS from deeply nested or key-explosion payloads
+ * that fit within MAX_ACTION_BODY_BYTES but would block the event loop for seconds.
+ */
+function assertJsonComplexity(text) {
+    let depth = 0;
+    let keys = 0;
+    let inStr = false;
+    let esc = false;
+    for (let i = 0; i < text.length; i++) {
+        const ch = text[i];
+        if (esc) {
+            esc = false;
+            continue;
+        }
+        if (ch === '\\' && inStr) {
+            esc = true;
+            continue;
+        }
+        if (ch === '"') {
+            inStr = !inStr;
+            continue;
+        }
+        if (inStr) {
+            continue;
+        }
+        if (ch === '{' || ch === '[') {
+            if (++depth > MAX_JSON_DEPTH) {
+                throw new ActionError(`JSON nesting too deep (limit ${MAX_JSON_DEPTH} levels)`, 400, 'JSON_TOO_DEEP');
+            }
+        }
+        else if (ch === '}' || ch === ']') {
+            depth--;
+        }
+        else if (ch === ':') {
+            if (++keys > MAX_JSON_KEYS) {
+                throw new ActionError(`JSON too complex (limit ${MAX_JSON_KEYS} keys)`, 400, 'JSON_TOO_COMPLEX');
+            }
+        }
+    }
+}
 async function deserializeInput(request, maxBytes = MAX_ACTION_BODY_BYTES) {
     // DoS protection: reject oversized bodies before reading any bytes.
     // Prevents memory exhaustion from clients that stream arbitrarily large payloads.
@@ -544,6 +840,9 @@ async function deserializeInput(request, maxBytes = MAX_ACTION_BODY_BYTES) {
         if (text.length > maxBytes) {
             throw new ActionError('Request body too large', 413, 'PAYLOAD_TOO_LARGE');
         }
+        // Complexity guard: run BEFORE the parser so pathological payloads (deeply
+        // nested or key-explosion) are rejected without blocking the event loop.
+        assertJsonComplexity(text);
         try {
             return deserialize(text);
         }