@nexus_js/server 0.9.28 → 0.9.29

package/dist/actions.js

@@ -30,10 +30,8 @@
 import { createContext, NotFoundSignal, RedirectSignal } from './context.js';
 import { serialize, deserialize } from '@nexus_js/serialize';
 import { validateActionToken, extractSessionId, ACTION_TOKEN_HEADER, } from './csrf.js';
-import { createRateLimiter, registerLimiter, getLimiter, RateLimitError, } from './rate-limit.js';
-import { randomUUID, createHmac, timingSafeEqual } from 'node:crypto';
+import { createRateLimiter, registerLimiter, RateLimitError, } from './rate-limit.js';
 import { emitDevRadar, newTraceId, sanitizeTelemetryValue } from './devradar.js';
-import { getExpectedNexusBuildId } from './build-id.js';
 const ACTION_PREFIX = '/_nexus/action/';
 const idempotencyCache = new Map();
 const IDEMPOTENCY_TTL = 30_000; // 30 seconds
@@ -42,49 +40,14 @@ const IDEMPOTENCY_TTL = 30_000; // 30 seconds
 const inFlightActions = new Map();
 const actionQueues = new Map();
 const actionRegistry = new Map();
-/**
- * Generates an HMAC-SHA256 signature for an action name.
- * Used to sign action URLs at SSR time so the server can verify they originated
- * from a server-rendered page — not from an attacker enumerating action names.
- * Skipped in dev mode (NODE_ENV !== 'production').
- */
-function signActionName(name) {
-    if (process.env['NODE_ENV'] !== 'production')
-        return null; // dev mode — no signing
-    const secret = process.env['NEXUS_SECRET'];
-    if (!secret)
-        return null; // no secret — skip signing
-    return createHmac('sha256', secret).update(`action:${name}`).digest('base64url').slice(0, 16);
-}
-/**
- * Verifies an action name signature. Returns true if the signature is valid or
- * if we are in dev mode (NODE_ENV !== 'production' — signature is optional in dev).
- */
-export function verifyActionSig(name, sig) {
-    const expected = signActionName(name);
-    if (expected === null)
-        return true; // dev mode — skip verification
-    if (!sig)
-        return false;
-    // Constant-time comparison (sig is 16 base64url chars = 96 bits)
-    try {
-        return timingSafeEqual(Buffer.from(expected), Buffer.from(sig));
-    }
-    catch {
-        return false;
-    }
-}
 /**
  * SSR and islands coerce `action={myAction}` with `String(myAction)`. The value is the
  * wrapper from `createAction`, whose default `Function#toString()` is the entire wrapper
  * source (CSRF, rate limit, …) — that string was being used as the form URL. After
  * registration we pin `toString` / `@@toPrimitive` to the real POST path.
- * In production (NEXUS_SECRET is set), the URL carries an HMAC query param
- * (`?__sig=…`) so the server can reject calls with unsigned / forged action URLs.
  */
 function patchRegisteredActionStringCoercion(fn, name) {
-    const sig = signActionName(name);
-    const url = sig ? `${ACTION_PREFIX}${name}?__sig=${sig}` : `${ACTION_PREFIX}${name}`;
+    const url = ACTION_PREFIX + name;
     Object.defineProperty(fn, 'toString', {
         value: function nexusActionUrlString() {
             return url;
@@ -110,7 +73,7 @@ function patchRegisteredActionStringCoercion(fn, name) {
  * and ready to be called by the client.
  *
  * Security layers applied (in order):
- *   1. CSRF: custom header `x-nexus-action: 1` (Tier 1) + optional HMAC token (Tier 2)
+ *   1. CSRF token validation (x-nexus-action-token header)
  *   2. Rate limiting (sliding window, per-IP or per-user)
  *   3. Input schema validation (Zod or any .parse() compatible schema)
  *   4. AbortController (client disconnect + timeout)
@@ -146,33 +109,14 @@ export function createAction(optsOrFn, legacyOpts = {}) {
                 throw new RateLimitError(result);
             }
         }
-        // 3. Schema validation — fail-fast before any business logic or DB access
+        // 3. Schema validation
         if (opts.schema) {
-            if (typeof opts.schema.safeParse === 'function') {
-                // Structured path: extract field-level errors for the client
-                const result = opts.schema.safeParse(input);
-                if (!result.success) {
-                    const issues = result.error?.issues ?? [];
-                    const fieldErrors = {};
-                    for (const issue of issues) {
-                        const path = issue.path.join('.') || '_root';
-                        fieldErrors[path] = issue.message;
-                    }
-                    throw new ActionError(issues.length > 0
-                        ? `Validation failed: ${issues.map((i) => `${i.path.join('.') || 'input'} — ${i.message}`).join('; ')}`
-                        : 'Input validation failed', 400, 'VALIDATION_ERROR', fieldErrors);
-                }
-                if (result.data !== undefined)
-                    input = result.data;
+            try {
+                input = opts.schema.parse(input);
             }
-            else {
-                try {
-                    input = opts.schema.parse(input);
-                }
-                catch (err) {
-                    const msg = err instanceof Error ? err.message : 'Input validation failed';
-                    throw new ActionError(`Invalid input: ${msg}`, 400, 'VALIDATION_ERROR');
-                }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : 'Input validation failed';
+                throw new ActionError(`Invalid input: ${msg}`, 400, 'VALIDATION_ERROR');
             }
         }
         return fn(input, ctx);
@@ -192,25 +136,11 @@ export function getRegisteredActionNames() {
 export class ActionError extends Error {
     status;
     code;
-    fieldErrors;
-    constructor(message, optionsOrStatus, code, fieldErrors) {
+    constructor(message, status = 400, code) {
         super(message);
+        this.status = status;
+        this.code = code;
         this.name = 'ActionError';
-        // Support both positional and options object formats
-        if (typeof optionsOrStatus === 'object') {
-            this.status = optionsOrStatus.status ?? 400;
-            if (optionsOrStatus.code !== undefined)
-                this.code = optionsOrStatus.code;
-            if (optionsOrStatus.fieldErrors !== undefined)
-                this.fieldErrors = optionsOrStatus.fieldErrors;
-        }
-        else {
-            this.status = optionsOrStatus ?? 400;
-            if (code !== undefined)
-                this.code = code;
-            if (fieldErrors !== undefined)
-                this.fieldErrors = fieldErrors;
-        }
     }
 }
 export class ActionAbortedError extends ActionError {
@@ -218,41 +148,6 @@ export class ActionAbortedError extends ActionError {
         super('Action was superseded by a newer request', 409, 'ABORTED');
     }
 }
-/**
- * Detects whether a request originates from a plain HTML form (no JS).
- *
- * A "native form" request:
- *   - Has `Content-Type: application/x-www-form-urlencoded`
- *   - Does NOT have the `x-nexus-action` custom header (added by the JS runtime)
- *   - Does NOT explicitly request `application/json` in Accept
- *
- * When true, the action handler responds with 303 redirects instead of JSON
- * (Progressive Enhancement — the action works even when JS is disabled).
- */
-function isNativeFormRequest(request) {
-    const ct = request.headers.get('content-type') ?? '';
-    const hasNexusHeader = request.headers.has('x-nexus-action');
-    const acceptsJson = (request.headers.get('accept') ?? '').includes('application/json');
-    return (ct.includes('application/x-www-form-urlencoded') &&
-        !hasNexusHeader &&
-        !acceptsJson);
-}
-/**
- * Builds a 303 See Other redirect for progressive-enhancement form submissions.
- * Follows the Post/Redirect/Get pattern to prevent duplicate submissions on refresh.
- *
- * Redirect target priority:
- *   1. `__redirectTo` hidden field in the form
- *   2. `Referer` header (the page that submitted the form)
- *   3. `/` as final fallback
- */
-function formRedirect(request, formData, status = 303) {
-    const redirectTo = formData.get('__redirectTo') ??
-        request.headers.get('referer') ??
-        '/';
-    const headers = new Headers({ location: redirectTo });
-    return new Response(null, { status, headers });
-}
 /**
  * Main HTTP handler for /_nexus/action/:name
  * This is where all the race-condition logic runs.
@@ -268,146 +163,54 @@ export async function handleActionRequest(request) {
             headers: { allow: 'POST' },
         });
     }
-    const nativeForm = isNativeFormRequest(request);
-    // ── Guard: opaque (null) Origin ────────────────────────────────────────────
-    // Sandboxed iframes (<iframe sandbox> without allow-same-origin) and data:
-    // URIs send the string "null" as the Origin header. This is never a
-    // legitimate same-origin action call and must be rejected before any CSRF
-    // header check — otherwise the custom-header tier can be bypassed.
-    const rawOrigin = request.headers.get('origin');
-    if (rawOrigin === 'null') {
-        emitDevRadar({
-            type: 'security:audit',
-            payload: { kind: 'csrf_blocked', message: 'Opaque (null) origin rejected', action: '?' },
-        });
-        return jsonResponse({ error: 'Forbidden: opaque origin', status: 403, code: 'OPAQUE_ORIGIN' }, 403);
-    }
-    // ── Guard: action name validation ──────────────────────────────────────────
-    // Ensure the action name extracted from the URL only contains characters that
-    // can appear in a valid registered action name. Rejects path-traversal
-    // sequences (../../ etc.) and injection attempts before any registry lookup.
-    const rawActionName = url.pathname.slice(ACTION_PREFIX.length);
-    if (!/^[\w][\w.-]*$/.test(rawActionName) || rawActionName.includes('..')) {
-        return jsonResponse({ error: 'Invalid action name', status: 400, code: 'INVALID_ACTION_NAME' }, 400);
-    }
-    const actionName = rawActionName;
+    const actionName = url.pathname.slice(ACTION_PREFIX.length);
     const registered = actionRegistry.get(actionName);
     if (!registered) {
         return jsonResponse({ error: `Action "${actionName}" not found`, status: 404 }, 404);
     }
-    // ── Action URL signature verification (production only) ───────────────────
-    // In production (NEXUS_SECRET is set), action URLs are HMAC-signed during SSR.
-    // A request without a valid signature means the URL was manually crafted or
-    // the action name was enumerated — not server-rendered.
-    // In dev mode (no secret), signature check is skipped so hot-reload works.
-    const actionSig = url.searchParams.get('__sig');
-    if (!verifyActionSig(actionName, actionSig)) {
-        emitDevRadar({
-            type: 'security:audit',
-            payload: {
-                kind: 'csrf_blocked',
-                message: 'Action URL signature missing or invalid — possible action enumeration',
-                action: actionName,
-            },
-        });
-        return jsonResponse({ error: 'Invalid action URL', status: 403, code: 'INVALID_ACTION_SIG' }, 403);
-    }
-    // ── Build ID (client–server contract) ─────────────────────────────────────
-    // When `.nexus/build-id.json` exists (after `nexus build`), every action call
-    // must carry `x-nexus-build-id` matching that file. Stale tabs from a prior
-    // deploy get 412 so the runtime can reload and pick up new action signatures.
-    const expectedBuildId = getExpectedNexusBuildId();
-    if (expectedBuildId !== null) {
-        const sent = request.headers.get('x-nexus-build-id') ?? '';
-        if (sent !== expectedBuildId) {
+    const { fn, opts } = registered;
+    const race = opts.race ?? 'cancel';
+    const timeout = opts.timeout ?? 30_000;
+    // ── CSRF token validation ──────────────────────────────────────────────────
+    if (opts.csrf !== false) {
+        const token = request.headers.get(ACTION_TOKEN_HEADER);
+        const secret = process.env['NEXUS_SECRET'] ?? 'nexus-dev-secret-change-me';
+        const sessionId = extractSessionId(request);
+        if (!token) {
             emitDevRadar({
                 type: 'security:audit',
                 payload: {
-                    kind: 'build_mismatch',
-                    message: 'x-nexus-build-id does not match deployed build',
+                    kind: 'csrf_blocked',
+                    message: 'Missing action token',
                     action: actionName,
                 },
             });
             return jsonResponse({
-                error: 'Application was updated. Please reload the page.',
-                status: 412,
-                code: 'BUILD_MISMATCH',
-            }, 412);
-        }
-    }
-    const { fn, opts } = registered;
-    const race = opts.race ?? 'cancel';
-    const timeout = opts.timeout ?? 30_000;
-    // ── CSRF protection (dual-tier) ────────────────────────────────────────────
-    //
-    // Tier 1 — Custom header (default): Browsers cannot add arbitrary headers to
-    //   cross-origin requests without a CORS preflight the server will reject.
-    //   Requiring a non-empty `x-nexus-action` header blocks form-based CSRF from
-    //   foreign origins without needing token generation on the server.
-    //
-    // Tier 2 — HMAC token (opt-in): When `x-nexus-action-token` is present the
-    //   server also validates the full HMAC-SHA256 signed, single-use, session-
-    //   bound token (generated via `generateActionToken`). This additionally
-    //   protects against same-origin XSS token theft.
-    //
-    // Flow:
-    //   token present  → Tier 2 full validation (strongest)
-    //   header present, no token → Tier 1 header check (standard)
-    //   neither present → 403 CSRF block
-    if (opts.csrf !== false) {
-        const token = request.headers.get(ACTION_TOKEN_HEADER);
-        const nexusHeader = request.headers.get('x-nexus-action');
-        if (token) {
-            // Tier 2: full HMAC validation
-            const envSecret = process.env['NEXUS_SECRET'];
-            if (!envSecret && process.env['NODE_ENV'] === 'production') {
-                // listen() already blocks start without NEXUS_SECRET; this catches
-                // edge-runtimes / tests that bypass createNexusServer.
-                return jsonResponse({ error: 'Server misconfiguration: NEXUS_SECRET not set', status: 500, code: 'INSECURE_SECRET' }, 500);
-            }
-            const secret = envSecret ?? 'nexus-dev-secret-change-me';
-            const sessionId = extractSessionId(request);
-            const validation = validateActionToken(token, sessionId, actionName, secret);
-            if (!validation.valid) {
-                emitDevRadar({
-                    type: 'security:audit',
-                    payload: {
-                        kind: validation.replayed ? 'replay' : 'csrf_blocked',
-                        message: validation.reason ?? 'Invalid action token',
-                        action: actionName,
-                    },
-                });
-                return jsonResponse({
-                    error: validation.reason ?? 'Invalid action token',
-                    status: 403,
-                    code: validation.replayed ? 'REPLAY_ATTACK' : 'INVALID_CSRF_TOKEN',
-                }, 403);
-            }
+                error: 'Missing action token — possible CSRF attack',
+                status: 403,
+                code: 'MISSING_CSRF_TOKEN',
+            }, 403);
         }
-        else if (!nexusHeader) {
-            // Neither token nor custom header → CSRF attack or missing client header
+        const validation = validateActionToken(token, sessionId, actionName, secret);
+        if (!validation.valid) {
             emitDevRadar({
                 type: 'security:audit',
                 payload: {
-                    kind: 'csrf_blocked',
-                    message: 'Missing x-nexus-action header — possible CSRF attack',
+                    kind: validation.replayed ? 'replay' : 'csrf_blocked',
+                    message: validation.reason ?? 'Invalid action token',
                     action: actionName,
                 },
             });
             return jsonResponse({
-                error: 'Missing x-nexus-action header — possible CSRF attack',
+                error: validation.reason ?? 'Invalid action token',
                 status: 403,
-                code: 'MISSING_CSRF_HEADER',
+                code: validation.replayed ? 'REPLAY_ATTACK' : 'INVALID_CSRF_TOKEN',
             }, 403);
         }
-        // Tier 1 satisfied: nexusHeader present, no token → header-based CSRF protection
     }
     // ── Rate limiting ──────────────────────────────────────────────────────────
-    // Use the pre-registered limiter (created once at registerAction time).
-    // Previously, a new limiter instance was created per-request, which reset
-    // the sliding-window state and made rate limiting completely ineffective.
-    const limiter = getLimiter(actionName);
-    if (limiter) {
+    if (opts.rateLimit) {
+        const limiter = createRateLimiter(opts.rateLimit);
         const result = limiter.check(request);
         if (!result.allowed) {
             emitDevRadar({
@@ -491,7 +294,7 @@ export async function handleActionRequest(request) {
     const startTime = Date.now();
     try {
         // Deserialize input using Nexus transport (preserves Date, Map, Set, etc.)
-        const input = await deserializeInput(request, opts.maxBodyBytes ?? MAX_ACTION_BODY_BYTES);
+        const input = await deserializeInput(request);
         emitDevRadar({
             type: 'action:call',
             payload: {
@@ -545,26 +348,15 @@ export async function handleActionRequest(request) {
             // Cleanup old entries periodically
             cleanIdempotencyCache();
         }
-        // Progressive Enhancement: native HTML form → Post/Redirect/Get pattern
-        if (nativeForm) {
-            const fd = input instanceof FormData ? input : new FormData();
-            return formRedirect(request, fd);
-        }
         // Serialize response with Nexus transport
         const serialized = serialize({ data: result, status: 200, duration, idempotencyKey });
-        // Merge response headers from context (includes Set-Cookie from ctx.setCookie)
-        const responseHeaders = new Headers({
-            'content-type': 'application/json',
-            'x-nexus-duration': String(duration),
-            ...(idempotencyKey ? { 'x-nexus-idempotency': idempotencyKey } : {}),
-        });
-        // Copy headers from context (cookies, custom headers, etc.)
-        ctxWithSignal._responseHeaders.forEach((value, key) => {
-            responseHeaders.append(key, value);
-        });
         return new Response(serialized, {
             status: 200,
-            headers: responseHeaders,
+            headers: {
+                'content-type': 'application/json',
+                'x-nexus-duration': String(duration),
+                ...(idempotencyKey ? { 'x-nexus-idempotency': idempotencyKey } : {}),
+            },
         });
     }
     catch (err) {
@@ -605,50 +397,19 @@ export async function handleActionRequest(request) {
                     ...(err.code !== undefined ? { code: err.code } : {}),
                 },
             });
-            // Progressive Enhancement: redirect back with error encoded in query string
-            if (nativeForm) {
-                const referer = request.headers.get('referer') ?? '/';
-                const target = new URL(referer, request.url);
-                target.searchParams.set('__nexus_error', err.message);
-                if (err.code)
-                    target.searchParams.set('__nexus_code', err.code);
-                return new Response(null, {
-                    status: 303,
-                    headers: { location: target.toString() },
-                });
-            }
-            return jsonResponse({
-                error: err.message,
-                status: err.status,
-                code: err.code,
-                ...(err.fieldErrors ? { fieldErrors: err.fieldErrors } : {}),
-            }, err.status);
+            return jsonResponse({ error: err.message, status: err.status, code: err.code }, err.status);
         }
-        const errorId = randomUUID();
-        const mask = process.env['NEXUS_EXPOSE_ERRORS'] !== 'true' &&
-            process.env['NODE_ENV'] === 'production';
-        console.error(`[Nexus Action ${errorId}] "${actionName}" failed:`, err);
         emitDevRadar({
             type: 'action:error',
             payload: {
                 id: traceId,
                 name: actionName,
-                error: mask ? 'Internal Server Error' : (err instanceof Error ? err.message : String(err)),
+                error: err instanceof Error ? err.message : String(err),
                 duration: Date.now() - startTime,
-                ...(mask ? { errorId } : {}),
             },
         });
-        if (mask) {
-            return jsonResponse({
-                error: 'Internal Server Error',
-                status: 500,
-                errorId,
-            }, 500);
-        }
-        return jsonResponse({
-            error: err instanceof Error ? err.message : String(err),
-            status: 500,
-        }, 500);
+        console.error(`[Nexus Action] "${actionName}" failed:`, err);
+        return jsonResponse({ error: 'Internal Server Error', status: 500 }, 500);
     }
     finally {
         clearTimeout(timeoutId);
@@ -657,105 +418,18 @@ export async function handleActionRequest(request) {
     }
 }
 /**
- * Validates that a request comes from a trusted Nexus client (inner CSRF check
- * used by `createAction` wrappers). Verifies:
- *  1. `x-nexus-action` custom header — cross-origin requests cannot add this
- *     without a CORS preflight the server will reject.
- *  2. `Origin` / `Referer` header sanity check — additional signal against
- *     misconfigured CORS or non-standard clients.
+ * Validates that a request comes from a trusted Nexus client.
+ * Checks x-nexus-action header and CSRF token.
  */
 export async function validateRequest(ctx) {
     const nexusHeader = ctx.request.headers.get('x-nexus-action');
     if (!nexusHeader) {
-        throw new ActionError('Missing x-nexus-action header', 403, 'MISSING_HEADER');
-    }
-    // Origin / Referer check: block requests that carry an explicit foreign origin.
-    // Same-origin and same-site fetch() calls either omit Origin or match the host.
-    const origin = ctx.request.headers.get('origin');
-    const referer = ctx.request.headers.get('referer');
-    const rawHost = ctx.request.headers.get('host') ?? '';
-    // Derive scheme from X-Forwarded-Proto or default to http (covered by HTTPS terminator upstream)
-    const proto = ctx.request.headers.get('x-forwarded-proto') ?? 'http';
-    const expectedOrigin = `${proto}://${rawHost}`;
-    function isSameOrigin(headerValue) {
-        try {
-            const parsed = new URL(headerValue);
-            const expected = new URL(expectedOrigin);
-            return parsed.protocol === expected.protocol
-                && parsed.hostname === expected.hostname
-                && parsed.port === expected.port;
-        }
-        catch {
-            return false;
-        }
-    }
-    const suspectOrigin = origin && !isSameOrigin(origin);
-    const suspectReferer = !origin && referer && !isSameOrigin(referer);
-    if (suspectOrigin || suspectReferer) {
-        throw new ActionError(`Cross-origin action request blocked (host: ${rawHost})`, 403, 'CROSS_ORIGIN_BLOCKED');
+        throw new ActionError('Missing Nexus action header', 403, 'MISSING_HEADER');
     }
 }
 // Re-export security primitives for use in app code
 export { generateActionToken, validateActionToken, extractSessionId, generateSessionId } from './csrf.js';
 export { createRateLimiter, RateLimitError, parseWindow } from './rate-limit.js';
-/**
- * Returns `true` when `url` is a safe **public** `http:` / `https:` target for
- * server-side `fetch` (not loopback, RFC1918, link-local, metadata IPs, etc.).
- * Use before `fetch(userUrl)` to reduce blind SSRF risk.
- */
-export function isSafeUrl(url) {
-    try {
-        const u = new URL(url);
-        if (u.protocol !== 'http:' && u.protocol !== 'https:')
-            return false;
-    }
-    catch {
-        return false;
-    }
-    return !isInternalUrl(url);
-}
-/**
- * Returns `true` when a URL resolves to a private, loopback, or link-local
- * address. Inverse of {@link isSafeUrl} for `http:` / `https:`.
- */
-export function isInternalUrl(url) {
-    let parsed;
-    try {
-        parsed = new URL(url);
-    }
-    catch {
-        return false; // unparseable URLs are not our SSRF concern — let the caller decide
-    }
-    // Only http/https are fetched in typical web actions; block everything else
-    // (file://, ftp://, etc.) as they access local resources.
-    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
-        return true;
-    const h = parsed.hostname.toLowerCase();
-    // Loopback
-    if (h === 'localhost' || h === '127.0.0.1' || h === '::1')
-        return true;
-    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h))
-        return true;
-    // Link-local (AWS/GCP/Azure metadata service lives at 169.254.169.254)
-    if (h.startsWith('169.254.'))
-        return true;
-    if (h === 'fe80::1' || h.startsWith('fe80:'))
-        return true;
-    // RFC 1918 private ranges
-    if (h.startsWith('10.'))
-        return true;
-    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
-        return true;
-    if (h.startsWith('192.168.'))
-        return true;
-    // Unique local IPv6
-    if (/^fd[0-9a-f]{2}:/i.test(h) || h.startsWith('fc'))
-        return true;
-    // Unspecified / broadcast
-    if (h === '0.0.0.0' || h === '255.255.255.255')
-        return true;
-    return false;
-}
 // ── Client-side race guard ────────────────────────────────────────────────────
 /**
  * Client-side AbortController factory.
@@ -796,71 +470,10 @@ export function createActionGuard(name, strategy = 'cancel') {
     };
 }
 // ── Helpers ───────────────────────────────────────────────────────────────────
-/** Maximum request body for a single server action (10 MB). Override per-action via opts.maxBodyBytes. */
-const MAX_ACTION_BODY_BYTES = 10 * 1_024 * 1_024;
-/** Maximum JSON object nesting depth. Prevents CPU DoS via pathological `{"a":{"b":{…}}}` inputs. */
-const MAX_JSON_DEPTH = 10;
-/** Maximum number of JSON object keys across all nesting levels. Prevents key-explosion attacks. */
-const MAX_JSON_KEYS = 1_000;
-/**
- * Walks the raw JSON text character-by-character (O(n)) tracking nesting depth and
- * key count WITHOUT running the full parser. Throws ActionError before `JSON.parse`
- * touches the data — prevents CPU DoS from deeply nested or key-explosion payloads
- * that fit within MAX_ACTION_BODY_BYTES but would block the event loop for seconds.
- */
-function assertJsonComplexity(text) {
-    let depth = 0;
-    let keys = 0;
-    let inStr = false;
-    let esc = false;
-    for (let i = 0; i < text.length; i++) {
-        const ch = text[i];
-        if (esc) {
-            esc = false;
-            continue;
-        }
-        if (ch === '\\' && inStr) {
-            esc = true;
-            continue;
-        }
-        if (ch === '"') {
-            inStr = !inStr;
-            continue;
-        }
-        if (inStr) {
-            continue;
-        }
-        if (ch === '{' || ch === '[') {
-            if (++depth > MAX_JSON_DEPTH) {
-                throw new ActionError(`JSON nesting too deep (limit ${MAX_JSON_DEPTH} levels)`, 400, 'JSON_TOO_DEEP');
-            }
-        }
-        else if (ch === '}' || ch === ']') {
-            depth--;
-        }
-        else if (ch === ':') {
-            if (++keys > MAX_JSON_KEYS) {
-                throw new ActionError(`JSON too complex (limit ${MAX_JSON_KEYS} keys)`, 400, 'JSON_TOO_COMPLEX');
-            }
-        }
-    }
-}
-async function deserializeInput(request, maxBytes = MAX_ACTION_BODY_BYTES) {
-    // DoS protection: reject oversized bodies before reading any bytes.
-    // Prevents memory exhaustion from clients that stream arbitrarily large payloads.
-    const cl = parseInt(request.headers.get('content-length') ?? '0', 10);
-    if (Number.isFinite(cl) && cl > maxBytes) {
-        throw new ActionError(`Request body too large (${cl} bytes, limit ${maxBytes})`, 413, 'PAYLOAD_TOO_LARGE');
-    }
+async function deserializeInput(request) {
     const contentType = request.headers.get('content-type') ?? '';
     if (contentType.includes('application/json')) {
         const text = await request.text();
-        if (text.length > maxBytes) {
-            throw new ActionError('Request body too large', 413, 'PAYLOAD_TOO_LARGE');
-        }
-        // Complexity guard: run BEFORE the parser so pathological payloads (deeply
-        // nested or key-explosion) are rejected without blocking the event loop.
-        assertJsonComplexity(text);
         try {
             return deserialize(text);
         }
@@ -872,11 +485,7 @@ async function deserializeInput(request, maxBytes = MAX_ACTION_BODY_BYTES) {
         contentType.includes('application/x-www-form-urlencoded')) {
         return request.formData();
     }
-    const text = await request.text();
-    if (text.length > maxBytes) {
-        throw new ActionError('Request body too large', 413, 'PAYLOAD_TOO_LARGE');
-    }
-    return text;
+    return request.text();
 }
 function jsonResponse(body, status) {
     return new Response(JSON.stringify(body), {