@nexus_js/server 0.9.29 → 0.9.30

package/dist/actions.js

@@ -30,8 +30,10 @@
 import { createContext, NotFoundSignal, RedirectSignal } from './context.js';
 import { serialize, deserialize } from '@nexus_js/serialize';
 import { validateActionToken, extractSessionId, ACTION_TOKEN_HEADER, } from './csrf.js';
-import { createRateLimiter, registerLimiter, RateLimitError, } from './rate-limit.js';
+import { createRateLimiter, registerLimiter, getLimiter, RateLimitError, } from './rate-limit.js';
+import { randomUUID, createHmac, timingSafeEqual } from 'node:crypto';
 import { emitDevRadar, newTraceId, sanitizeTelemetryValue } from './devradar.js';
+import { getExpectedNexusBuildId } from './build-id.js';
 const ACTION_PREFIX = '/_nexus/action/';
 const idempotencyCache = new Map();
 const IDEMPOTENCY_TTL = 30_000; // 30 seconds
@@ -40,14 +42,49 @@ const IDEMPOTENCY_TTL = 30_000; // 30 seconds
 const inFlightActions = new Map();
 const actionQueues = new Map();
 const actionRegistry = new Map();
+/**
+ * Generates an HMAC-SHA256 signature for an action name.
+ * Used to sign action URLs at SSR time so the server can verify they originated
+ * from a server-rendered page — not from an attacker enumerating action names.
+ * Skipped in dev mode (NODE_ENV !== 'production').
+ */
+function signActionName(name) {
+    if (process.env['NODE_ENV'] !== 'production')
+        return null; // dev mode — no signing
+    const secret = process.env['NEXUS_SECRET'];
+    if (!secret)
+        return null; // no secret — skip signing
+    return createHmac('sha256', secret).update(`action:${name}`).digest('base64url').slice(0, 16);
+}
+/**
+ * Verifies an action name signature. Returns true if the signature is valid or
+ * if we are in dev mode (NODE_ENV !== 'production' — signature is optional in dev).
+ */
+export function verifyActionSig(name, sig) {
+    const expected = signActionName(name);
+    if (expected === null)
+        return true; // dev mode — skip verification
+    if (!sig)
+        return false;
+    // Constant-time comparison (sig is 16 base64url chars = 96 bits)
+    try {
+        return timingSafeEqual(Buffer.from(expected), Buffer.from(sig));
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * SSR and islands coerce `action={myAction}` with `String(myAction)`. The value is the
  * wrapper from `createAction`, whose default `Function#toString()` is the entire wrapper
  * source (CSRF, rate limit, …) — that string was being used as the form URL. After
  * registration we pin `toString` / `@@toPrimitive` to the real POST path.
+ * In production (NEXUS_SECRET is set), the URL carries an HMAC query param
+ * (`?__sig=…`) so the server can reject calls with unsigned / forged action URLs.
  */
 function patchRegisteredActionStringCoercion(fn, name) {
-    const url = ACTION_PREFIX + name;
+    const sig = signActionName(name);
+    const url = sig ? `${ACTION_PREFIX}${name}?__sig=${sig}` : `${ACTION_PREFIX}${name}`;
     Object.defineProperty(fn, 'toString', {
         value: function nexusActionUrlString() {
             return url;
@@ -73,7 +110,7 @@ function patchRegisteredActionStringCoercion(fn, name) {
  * and ready to be called by the client.
  *
  * Security layers applied (in order):
- *   1. CSRF token validation (x-nexus-action-token header)
+ *   1. CSRF: custom header `x-nexus-action: 1` (Tier 1) + optional HMAC token (Tier 2)
  *   2. Rate limiting (sliding window, per-IP or per-user)
  *   3. Input schema validation (Zod or any .parse() compatible schema)
  *   4. AbortController (client disconnect + timeout)
@@ -109,14 +146,33 @@ export function createAction(optsOrFn, legacyOpts = {}) {
                 throw new RateLimitError(result);
             }
         }
-        // 3. Schema validation
+        // 3. Schema validation — fail-fast before any business logic or DB access
         if (opts.schema) {
-            try {
-                input = opts.schema.parse(input);
+            if (typeof opts.schema.safeParse === 'function') {
+                // Structured path: extract field-level errors for the client
+                const result = opts.schema.safeParse(input);
+                if (!result.success) {
+                    const issues = result.error?.issues ?? [];
+                    const fieldErrors = {};
+                    for (const issue of issues) {
+                        const path = issue.path.join('.') || '_root';
+                        fieldErrors[path] = issue.message;
+                    }
+                    throw new ActionError(issues.length > 0
+                        ? `Validation failed: ${issues.map((i) => `${i.path.join('.') || 'input'} — ${i.message}`).join('; ')}`
+                        : 'Input validation failed', 400, 'VALIDATION_ERROR', fieldErrors);
+                }
+                if (result.data !== undefined)
+                    input = result.data;
             }
-            catch (err) {
-                const msg = err instanceof Error ? err.message : 'Input validation failed';
-                throw new ActionError(`Invalid input: ${msg}`, 400, 'VALIDATION_ERROR');
+            else {
+                try {
+                    input = opts.schema.parse(input);
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : 'Input validation failed';
+                    throw new ActionError(`Invalid input: ${msg}`, 400, 'VALIDATION_ERROR');
+                }
             }
         }
         return fn(input, ctx);
@@ -136,11 +192,25 @@ export function getRegisteredActionNames() {
 export class ActionError extends Error {
     status;
     code;
-    constructor(message, status = 400, code) {
+    fieldErrors;
+    constructor(message, optionsOrStatus, code, fieldErrors) {
         super(message);
-        this.status = status;
-        this.code = code;
         this.name = 'ActionError';
+        // Support both positional and options object formats
+        if (typeof optionsOrStatus === 'object') {
+            this.status = optionsOrStatus.status ?? 400;
+            if (optionsOrStatus.code !== undefined)
+                this.code = optionsOrStatus.code;
+            if (optionsOrStatus.fieldErrors !== undefined)
+                this.fieldErrors = optionsOrStatus.fieldErrors;
+        }
+        else {
+            this.status = optionsOrStatus ?? 400;
+            if (code !== undefined)
+                this.code = code;
+            if (fieldErrors !== undefined)
+                this.fieldErrors = fieldErrors;
+        }
     }
 }
 export class ActionAbortedError extends ActionError {
@@ -148,6 +218,41 @@ export class ActionAbortedError extends ActionError {
         super('Action was superseded by a newer request', 409, 'ABORTED');
     }
 }
+/**
+ * Detects whether a request originates from a plain HTML form (no JS).
+ *
+ * A "native form" request:
+ *   - Has `Content-Type: application/x-www-form-urlencoded`
+ *   - Does NOT have the `x-nexus-action` custom header (added by the JS runtime)
+ *   - Does NOT explicitly request `application/json` in Accept
+ *
+ * When true, the action handler responds with 303 redirects instead of JSON
+ * (Progressive Enhancement — the action works even when JS is disabled).
+ */
+function isNativeFormRequest(request) {
+    const ct = request.headers.get('content-type') ?? '';
+    const hasNexusHeader = request.headers.has('x-nexus-action');
+    const acceptsJson = (request.headers.get('accept') ?? '').includes('application/json');
+    return (ct.includes('application/x-www-form-urlencoded') &&
+        !hasNexusHeader &&
+        !acceptsJson);
+}
+/**
+ * Builds a 303 See Other redirect for progressive-enhancement form submissions.
+ * Follows the Post/Redirect/Get pattern to prevent duplicate submissions on refresh.
+ *
+ * Redirect target priority:
+ *   1. `__redirectTo` hidden field in the form
+ *   2. `Referer` header (the page that submitted the form)
+ *   3. `/` as final fallback
+ */
+function formRedirect(request, formData, status = 303) {
+    const redirectTo = formData.get('__redirectTo') ??
+        request.headers.get('referer') ??
+        '/';
+    const headers = new Headers({ location: redirectTo });
+    return new Response(null, { status, headers });
+}
 /**
  * Main HTTP handler for /_nexus/action/:name
  * This is where all the race-condition logic runs.
@@ -163,54 +268,146 @@ export async function handleActionRequest(request) {
             headers: { allow: 'POST' },
         });
     }
-    const actionName = url.pathname.slice(ACTION_PREFIX.length);
+    const nativeForm = isNativeFormRequest(request);
+    // ── Guard: opaque (null) Origin ────────────────────────────────────────────
+    // Sandboxed iframes (<iframe sandbox> without allow-same-origin) and data:
+    // URIs send the string "null" as the Origin header. This is never a
+    // legitimate same-origin action call and must be rejected before any CSRF
+    // header check — otherwise the custom-header tier can be bypassed.
+    const rawOrigin = request.headers.get('origin');
+    if (rawOrigin === 'null') {
+        emitDevRadar({
+            type: 'security:audit',
+            payload: { kind: 'csrf_blocked', message: 'Opaque (null) origin rejected', action: '?' },
+        });
+        return jsonResponse({ error: 'Forbidden: opaque origin', status: 403, code: 'OPAQUE_ORIGIN' }, 403);
+    }
+    // ── Guard: action name validation ──────────────────────────────────────────
+    // Ensure the action name extracted from the URL only contains characters that
+    // can appear in a valid registered action name. Rejects path-traversal
+    // sequences (../../ etc.) and injection attempts before any registry lookup.
+    const rawActionName = url.pathname.slice(ACTION_PREFIX.length);
+    if (!/^[\w][\w.-]*$/.test(rawActionName) || rawActionName.includes('..')) {
+        return jsonResponse({ error: 'Invalid action name', status: 400, code: 'INVALID_ACTION_NAME' }, 400);
+    }
+    const actionName = rawActionName;
     const registered = actionRegistry.get(actionName);
     if (!registered) {
         return jsonResponse({ error: `Action "${actionName}" not found`, status: 404 }, 404);
     }
-    const { fn, opts } = registered;
-    const race = opts.race ?? 'cancel';
-    const timeout = opts.timeout ?? 30_000;
-    // ── CSRF token validation ──────────────────────────────────────────────────
-    if (opts.csrf !== false) {
-        const token = request.headers.get(ACTION_TOKEN_HEADER);
-        const secret = process.env['NEXUS_SECRET'] ?? 'nexus-dev-secret-change-me';
-        const sessionId = extractSessionId(request);
-        if (!token) {
+    // ── Action URL signature verification (production only) ───────────────────
+    // In production (NEXUS_SECRET is set), action URLs are HMAC-signed during SSR.
+    // A request without a valid signature means the URL was manually crafted or
+    // the action name was enumerated — not server-rendered.
+    // In dev mode (no secret), signature check is skipped so hot-reload works.
+    const actionSig = url.searchParams.get('__sig');
+    if (!verifyActionSig(actionName, actionSig)) {
+        emitDevRadar({
+            type: 'security:audit',
+            payload: {
+                kind: 'csrf_blocked',
+                message: 'Action URL signature missing or invalid — possible action enumeration',
+                action: actionName,
+            },
+        });
+        return jsonResponse({ error: 'Invalid action URL', status: 403, code: 'INVALID_ACTION_SIG' }, 403);
+    }
+    // ── Build ID (client–server contract) ─────────────────────────────────────
+    // When `.nexus/build-id.json` exists (after `nexus build`), every action call
+    // must carry `x-nexus-build-id` matching that file. Stale tabs from a prior
+    // deploy get 412 so the runtime can reload and pick up new action signatures.
+    const expectedBuildId = getExpectedNexusBuildId();
+    if (expectedBuildId !== null) {
+        const sent = request.headers.get('x-nexus-build-id') ?? '';
+        if (sent !== expectedBuildId) {
             emitDevRadar({
                 type: 'security:audit',
                 payload: {
-                    kind: 'csrf_blocked',
-                    message: 'Missing action token',
+                    kind: 'build_mismatch',
+                    message: 'x-nexus-build-id does not match deployed build',
                     action: actionName,
                 },
             });
             return jsonResponse({
-                error: 'Missing action token — possible CSRF attack',
-                status: 403,
-                code: 'MISSING_CSRF_TOKEN',
-            }, 403);
+                error: 'Application was updated. Please reload the page.',
+                status: 412,
+                code: 'BUILD_MISMATCH',
+            }, 412);
+        }
+    }
+    const { fn, opts } = registered;
+    const race = opts.race ?? 'cancel';
+    const timeout = opts.timeout ?? 30_000;
+    // ── CSRF protection (dual-tier) ────────────────────────────────────────────
+    //
+    // Tier 1 — Custom header (default): Browsers cannot add arbitrary headers to
+    //   cross-origin requests without a CORS preflight the server will reject.
+    //   Requiring a non-empty `x-nexus-action` header blocks form-based CSRF from
+    //   foreign origins without needing token generation on the server.
+    //
+    // Tier 2 — HMAC token (opt-in): When `x-nexus-action-token` is present the
+    //   server also validates the full HMAC-SHA256 signed, single-use, session-
+    //   bound token (generated via `generateActionToken`). This additionally
+    //   protects against same-origin XSS token theft.
+    //
+    // Flow:
+    //   token present  → Tier 2 full validation (strongest)
+    //   header present, no token → Tier 1 header check (standard)
+    //   neither present → 403 CSRF block
+    if (opts.csrf !== false) {
+        const token = request.headers.get(ACTION_TOKEN_HEADER);
+        const nexusHeader = request.headers.get('x-nexus-action');
+        if (token) {
+            // Tier 2: full HMAC validation
+            const envSecret = process.env['NEXUS_SECRET'];
+            if (!envSecret && process.env['NODE_ENV'] === 'production') {
+                // listen() already blocks start without NEXUS_SECRET; this catches
+                // edge-runtimes / tests that bypass createNexusServer.
+                return jsonResponse({ error: 'Server misconfiguration: NEXUS_SECRET not set', status: 500, code: 'INSECURE_SECRET' }, 500);
+            }
+            const secret = envSecret ?? 'nexus-dev-secret-change-me';
+            const sessionId = extractSessionId(request);
+            const validation = validateActionToken(token, sessionId, actionName, secret);
+            if (!validation.valid) {
+                emitDevRadar({
+                    type: 'security:audit',
+                    payload: {
+                        kind: validation.replayed ? 'replay' : 'csrf_blocked',
+                        message: validation.reason ?? 'Invalid action token',
+                        action: actionName,
+                    },
+                });
+                return jsonResponse({
+                    error: validation.reason ?? 'Invalid action token',
+                    status: 403,
+                    code: validation.replayed ? 'REPLAY_ATTACK' : 'INVALID_CSRF_TOKEN',
+                }, 403);
+            }
         }
-        const validation = validateActionToken(token, sessionId, actionName, secret);
-        if (!validation.valid) {
+        else if (!nexusHeader) {
+            // Neither token nor custom header → CSRF attack or missing client header
             emitDevRadar({
                 type: 'security:audit',
                 payload: {
-                    kind: validation.replayed ? 'replay' : 'csrf_blocked',
-                    message: validation.reason ?? 'Invalid action token',
+                    kind: 'csrf_blocked',
+                    message: 'Missing x-nexus-action header — possible CSRF attack',
                     action: actionName,
                 },
             });
             return jsonResponse({
-                error: validation.reason ?? 'Invalid action token',
+                error: 'Missing x-nexus-action header — possible CSRF attack',
                 status: 403,
-                code: validation.replayed ? 'REPLAY_ATTACK' : 'INVALID_CSRF_TOKEN',
+                code: 'MISSING_CSRF_HEADER',
             }, 403);
         }
+        // Tier 1 satisfied: nexusHeader present, no token → header-based CSRF protection
     }
     // ── Rate limiting ──────────────────────────────────────────────────────────
-    if (opts.rateLimit) {
-        const limiter = createRateLimiter(opts.rateLimit);
+    // Use the pre-registered limiter (created once at registerAction time).
+    // Previously, a new limiter instance was created per-request, which reset
+    // the sliding-window state and made rate limiting completely ineffective.
+    const limiter = getLimiter(actionName);
+    if (limiter) {
         const result = limiter.check(request);
         if (!result.allowed) {
             emitDevRadar({
@@ -294,7 +491,7 @@ export async function handleActionRequest(request) {
     const startTime = Date.now();
     try {
         // Deserialize input using Nexus transport (preserves Date, Map, Set, etc.)
-        const input = await deserializeInput(request);
+        const input = await deserializeInput(request, opts.maxBodyBytes ?? MAX_ACTION_BODY_BYTES);
         emitDevRadar({
             type: 'action:call',
             payload: {
@@ -348,15 +545,26 @@ export async function handleActionRequest(request) {
             // Cleanup old entries periodically
             cleanIdempotencyCache();
         }
+        // Progressive Enhancement: native HTML form → Post/Redirect/Get pattern
+        if (nativeForm) {
+            const fd = input instanceof FormData ? input : new FormData();
+            return formRedirect(request, fd);
+        }
         // Serialize response with Nexus transport
         const serialized = serialize({ data: result, status: 200, duration, idempotencyKey });
+        // Merge response headers from context (includes Set-Cookie from ctx.setCookie)
+        const responseHeaders = new Headers({
+            'content-type': 'application/json',
+            'x-nexus-duration': String(duration),
+            ...(idempotencyKey ? { 'x-nexus-idempotency': idempotencyKey } : {}),
+        });
+        // Copy headers from context (cookies, custom headers, etc.)
+        ctxWithSignal._responseHeaders.forEach((value, key) => {
+            responseHeaders.append(key, value);
+        });
         return new Response(serialized, {
             status: 200,
-            headers: {
-                'content-type': 'application/json',
-                'x-nexus-duration': String(duration),
-                ...(idempotencyKey ? { 'x-nexus-idempotency': idempotencyKey } : {}),
-            },
+            headers: responseHeaders,
         });
     }
     catch (err) {
@@ -397,19 +605,50 @@ export async function handleActionRequest(request) {
                     ...(err.code !== undefined ? { code: err.code } : {}),
                 },
             });
-            return jsonResponse({ error: err.message, status: err.status, code: err.code }, err.status);
+            // Progressive Enhancement: redirect back with error encoded in query string
+            if (nativeForm) {
+                const referer = request.headers.get('referer') ?? '/';
+                const target = new URL(referer, request.url);
+                target.searchParams.set('__nexus_error', err.message);
+                if (err.code)
+                    target.searchParams.set('__nexus_code', err.code);
+                return new Response(null, {
+                    status: 303,
+                    headers: { location: target.toString() },
+                });
+            }
+            return jsonResponse({
+                error: err.message,
+                status: err.status,
+                code: err.code,
+                ...(err.fieldErrors ? { fieldErrors: err.fieldErrors } : {}),
+            }, err.status);
         }
+        const errorId = randomUUID();
+        const mask = process.env['NEXUS_EXPOSE_ERRORS'] !== 'true' &&
+            process.env['NODE_ENV'] === 'production';
+        console.error(`[Nexus Action ${errorId}] "${actionName}" failed:`, err);
         emitDevRadar({
             type: 'action:error',
             payload: {
                 id: traceId,
                 name: actionName,
-                error: err instanceof Error ? err.message : String(err),
+                error: mask ? 'Internal Server Error' : (err instanceof Error ? err.message : String(err)),
                 duration: Date.now() - startTime,
+                ...(mask ? { errorId } : {}),
             },
         });
-        console.error(`[Nexus Action] "${actionName}" failed:`, err);
-        return jsonResponse({ error: 'Internal Server Error', status: 500 }, 500);
+        if (mask) {
+            return jsonResponse({
+                error: 'Internal Server Error',
+                status: 500,
+                errorId,
+            }, 500);
+        }
+        return jsonResponse({
+            error: err instanceof Error ? err.message : String(err),
+            status: 500,
+        }, 500);
     }
     finally {
         clearTimeout(timeoutId);
@@ -418,18 +657,105 @@ export async function handleActionRequest(request) {
     }
 }
 /**
- * Validates that a request comes from a trusted Nexus client.
- * Checks x-nexus-action header and CSRF token.
+ * Validates that a request comes from a trusted Nexus client (inner CSRF check
+ * used by `createAction` wrappers). Verifies:
+ *  1. `x-nexus-action` custom header — cross-origin requests cannot add this
+ *     without a CORS preflight the server will reject.
+ *  2. `Origin` / `Referer` header sanity check — additional signal against
+ *     misconfigured CORS or non-standard clients.
  */
 export async function validateRequest(ctx) {
     const nexusHeader = ctx.request.headers.get('x-nexus-action');
     if (!nexusHeader) {
-        throw new ActionError('Missing Nexus action header', 403, 'MISSING_HEADER');
+        throw new ActionError('Missing x-nexus-action header', 403, 'MISSING_HEADER');
+    }
+    // Origin / Referer check: block requests that carry an explicit foreign origin.
+    // Same-origin and same-site fetch() calls either omit Origin or match the host.
+    const origin = ctx.request.headers.get('origin');
+    const referer = ctx.request.headers.get('referer');
+    const rawHost = ctx.request.headers.get('host') ?? '';
+    // Derive scheme from X-Forwarded-Proto or default to http (covered by HTTPS terminator upstream)
+    const proto = ctx.request.headers.get('x-forwarded-proto') ?? 'http';
+    const expectedOrigin = `${proto}://${rawHost}`;
+    function isSameOrigin(headerValue) {
+        try {
+            const parsed = new URL(headerValue);
+            const expected = new URL(expectedOrigin);
+            return parsed.protocol === expected.protocol
+                && parsed.hostname === expected.hostname
+                && parsed.port === expected.port;
+        }
+        catch {
+            return false;
+        }
+    }
+    const suspectOrigin = origin && !isSameOrigin(origin);
+    const suspectReferer = !origin && referer && !isSameOrigin(referer);
+    if (suspectOrigin || suspectReferer) {
+        throw new ActionError(`Cross-origin action request blocked (host: ${rawHost})`, 403, 'CROSS_ORIGIN_BLOCKED');
     }
 }
 // Re-export security primitives for use in app code
 export { generateActionToken, validateActionToken, extractSessionId, generateSessionId } from './csrf.js';
 export { createRateLimiter, RateLimitError, parseWindow } from './rate-limit.js';
+/**
+ * Returns `true` when `url` is a safe **public** `http:` / `https:` target for
+ * server-side `fetch` (not loopback, RFC1918, link-local, metadata IPs, etc.).
+ * Use before `fetch(userUrl)` to reduce blind SSRF risk.
+ */
+export function isSafeUrl(url) {
+    try {
+        const u = new URL(url);
+        if (u.protocol !== 'http:' && u.protocol !== 'https:')
+            return false;
+    }
+    catch {
+        return false;
+    }
+    return !isInternalUrl(url);
+}
+/**
+ * Returns `true` when a URL resolves to a private, loopback, or link-local
+ * address. Inverse of {@link isSafeUrl} for `http:` / `https:`.
+ */
+export function isInternalUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return false; // unparseable URLs are not our SSRF concern — let the caller decide
+    }
+    // Only http/https are fetched in typical web actions; block everything else
+    // (file://, ftp://, etc.) as they access local resources.
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
+        return true;
+    const h = parsed.hostname.toLowerCase();
+    // Loopback
+    if (h === 'localhost' || h === '127.0.0.1' || h === '::1')
+        return true;
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h))
+        return true;
+    // Link-local (AWS/GCP/Azure metadata service lives at 169.254.169.254)
+    if (h.startsWith('169.254.'))
+        return true;
+    if (h === 'fe80::1' || h.startsWith('fe80:'))
+        return true;
+    // RFC 1918 private ranges
+    if (h.startsWith('10.'))
+        return true;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
+        return true;
+    if (h.startsWith('192.168.'))
+        return true;
+    // Unique local IPv6
+    if (/^fd[0-9a-f]{2}:/i.test(h) || h.startsWith('fc'))
+        return true;
+    // Unspecified / broadcast
+    if (h === '0.0.0.0' || h === '255.255.255.255')
+        return true;
+    return false;
+}
 // ── Client-side race guard ────────────────────────────────────────────────────
 /**
  * Client-side AbortController factory.
@@ -470,10 +796,71 @@ export function createActionGuard(name, strategy = 'cancel') {
     };
 }
 // ── Helpers ───────────────────────────────────────────────────────────────────
-async function deserializeInput(request) {
+/** Maximum request body for a single server action (10 MB). Override per-action via opts.maxBodyBytes. */
+const MAX_ACTION_BODY_BYTES = 10 * 1_024 * 1_024;
+/** Maximum JSON object nesting depth. Prevents CPU DoS via pathological `{"a":{"b":{…}}}` inputs. */
+const MAX_JSON_DEPTH = 10;
+/** Maximum number of JSON object keys across all nesting levels. Prevents key-explosion attacks. */
+const MAX_JSON_KEYS = 1_000;
+/**
+ * Walks the raw JSON text character-by-character (O(n)) tracking nesting depth and
+ * key count WITHOUT running the full parser. Throws ActionError before `JSON.parse`
+ * touches the data — prevents CPU DoS from deeply nested or key-explosion payloads
+ * that fit within MAX_ACTION_BODY_BYTES but would block the event loop for seconds.
+ */
+function assertJsonComplexity(text) {
+    let depth = 0;
+    let keys = 0;
+    let inStr = false;
+    let esc = false;
+    for (let i = 0; i < text.length; i++) {
+        const ch = text[i];
+        if (esc) {
+            esc = false;
+            continue;
+        }
+        if (ch === '\\' && inStr) {
+            esc = true;
+            continue;
+        }
+        if (ch === '"') {
+            inStr = !inStr;
+            continue;
+        }
+        if (inStr) {
+            continue;
+        }
+        if (ch === '{' || ch === '[') {
+            if (++depth > MAX_JSON_DEPTH) {
+                throw new ActionError(`JSON nesting too deep (limit ${MAX_JSON_DEPTH} levels)`, 400, 'JSON_TOO_DEEP');
+            }
+        }
+        else if (ch === '}' || ch === ']') {
+            depth--;
+        }
+        else if (ch === ':') {
+            if (++keys > MAX_JSON_KEYS) {
+                throw new ActionError(`JSON too complex (limit ${MAX_JSON_KEYS} keys)`, 400, 'JSON_TOO_COMPLEX');
+            }
+        }
+    }
+}
+async function deserializeInput(request, maxBytes = MAX_ACTION_BODY_BYTES) {
+    // DoS protection: reject oversized bodies before reading any bytes.
+    // Prevents memory exhaustion from clients that stream arbitrarily large payloads.
+    const cl = parseInt(request.headers.get('content-length') ?? '0', 10);
+    if (Number.isFinite(cl) && cl > maxBytes) {
+        throw new ActionError(`Request body too large (${cl} bytes, limit ${maxBytes})`, 413, 'PAYLOAD_TOO_LARGE');
+    }
     const contentType = request.headers.get('content-type') ?? '';
     if (contentType.includes('application/json')) {
         const text = await request.text();
+        if (text.length > maxBytes) {
+            throw new ActionError('Request body too large', 413, 'PAYLOAD_TOO_LARGE');
+        }
+        // Complexity guard: run BEFORE the parser so pathological payloads (deeply
+        // nested or key-explosion) are rejected without blocking the event loop.
+        assertJsonComplexity(text);
         try {
             return deserialize(text);
         }
@@ -485,7 +872,11 @@ async function deserializeInput(request) {
         contentType.includes('application/x-www-form-urlencoded')) {
         return request.formData();
     }
-    return request.text();
+    const text = await request.text();
+    if (text.length > maxBytes) {
+        throw new ActionError('Request body too large', 413, 'PAYLOAD_TOO_LARGE');
+    }
+    return text;
 }
 function jsonResponse(body, status) {
     return new Response(JSON.stringify(body), {