@rexeus/typeweaver-server 0.10.3 → 0.10.4

package/dist/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../src/routerGenerator.ts","../src/index.ts"],"sourcesContent":["import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { HttpMethod } from \"@rexeus/typeweaver-core\";\nimport { compareRoutes, relative } from \"@rexeus/typeweaver-gen\";\nimport type {\n  GeneratorContext,\n  NormalizedOperation,\n  NormalizedResource,\n} from \"@rexeus/typeweaver-gen\";\nimport { pascalCase } from \"polycase\";\n\ntype OperationData = {\n  readonly operationId: string;\n  readonly className: string;\n  readonly handlerName: string;\n  readonly method: string;\n  readonly path: string;\n};\n\n/**\n * Generates TypeweaverRouter subclasses from API definitions.\n *\n * For each resource (e.g., `Todo`, `Account`), produces a `<ResourceName>Router.ts`\n * file that extends `TypeweaverRouter` and registers all operations as routes.\n */\n\n/**\n * Generates router files for all resources in the given context.\n *\n * @param context - The generator context containing resources, templates, and output configuration\n */\nexport function generate(context: GeneratorContext): void {\n  const moduleDir = path.dirname(fileURLToPath(import.meta.url));\n  const templateFile = path.join(moduleDir, \"templates\", \"Router.ejs\");\n\n  for (const resource of context.normalizedSpec.resources) {\n    writeRouter(resource, templateFile, context);\n  }\n}\n\nfunction writeRouter(\n  resource: NormalizedResource,\n  templateFile: string,\n  context: GeneratorContext\n): void {\n  const pascalCaseEntityName = pascalCase(resource.name);\n  const outputDir = context.getResourceOutputDir(resource.name);\n  const outputPath = path.join(outputDir, `${pascalCaseEntityName}Router.ts`);\n\n  const operations = resource.operations\n    .filter(operation => operation.method !== HttpMethod.HEAD)\n    .map(operation => createOperationData(operation))\n    .sort((a, b) => compareRoutes(a, b));\n\n  const content = context.renderTemplate(templateFile, {\n    coreDir: relative(outputDir, context.outputDir),\n    entityName: resource.name,\n    pascalCaseEntityName,\n    operations,\n  });\n\n  const relativePath = path.relative(context.outputDir, outputPath);\n  context.writeFile(relativePath, content);\n}\n\nfunction createOperationData(operation: NormalizedOperation): OperationData {\n  const operationId = operation.operationId;\n  const className = pascalCase(operationId);\n\n  return {\n    operationId,\n    className,\n    handlerName: `handle${className}Request`,\n    method: operation.method,\n    path: operation.path,\n  };\n}\n","import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { BasePlugin } from \"@rexeus/typeweaver-gen\";\nimport type { GeneratorContext } from \"@rexeus/typeweaver-gen\";\nimport { generate as generateRouters } from \"./routerGenerator.js\";\n\nconst moduleDir = path.dirname(fileURLToPath(import.meta.url));\n\n/**\n * Typeweaver plugin that generates a lightweight, dependency-free server\n * with built-in routing and middleware support.\n *\n * Copies the runtime library files (`TypeweaverApp`, `TypeweaverRouter`, `Router`,\n * `Middleware`, etc.) and generates typed router classes for each resource.\n */\nexport class ServerPlugin extends BasePlugin {\n  public name = \"server\";\n  public override depends = [\"types\"];\n\n  /**\n   * Generates the server runtime and typed routers for all resources.\n   *\n   * @param context - The generator context\n   */\n  public override generate(context: GeneratorContext): void {\n    const libSourceDir = path.join(moduleDir, \"lib\");\n    this.copyLibFiles(context, libSourceDir, this.name);\n\n    generateRouters(context);\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+BA,SAAgB,SAAS,SAAiC;CACxD,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;CAC9D,MAAM,eAAe,KAAK,KAAK,WAAW,aAAa,aAAa;AAEpE,MAAK,MAAM,YAAY,QAAQ,eAAe,UAC5C,aAAY,UAAU,cAAc,QAAQ;;AAIhD,SAAS,YACP,UACA,cACA,SACM;CACN,MAAM,uBAAuB,WAAW,SAAS,KAAK;CACtD,MAAM,YAAY,QAAQ,qBAAqB,SAAS,KAAK;CAC7D,MAAM,aAAa,KAAK,KAAK,WAAW,GAAG,qBAAqB,WAAW;CAE3E,MAAM,aAAa,SAAS,WACzB,QAAO,cAAa,UAAU,WAAW,WAAW,KAAK,CACzD,KAAI,cAAa,oBAAoB,UAAU,CAAC,CAChD,MAAM,GAAG,MAAM,cAAc,GAAG,EAAE,CAAC;CAEtC,MAAM,UAAU,QAAQ,eAAe,cAAc;EACnD,SAAS,SAAS,WAAW,QAAQ,UAAU;EAC/C,YAAY,SAAS;EACrB;EACA;EACD,CAAC;CAEF,MAAM,eAAe,KAAK,SAAS,QAAQ,WAAW,WAAW;AACjE,SAAQ,UAAU,cAAc,QAAQ;;AAG1C,SAAS,oBAAoB,WAA+C;CAC1E,MAAM,cAAc,UAAU;CAC9B,MAAM,YAAY,WAAW,YAAY;AAEzC,QAAO;EACL;EACA;EACA,aAAa,SAAS,UAAU;EAChC,QAAQ,UAAU;EAClB,MAAM,UAAU;EACjB;;;;ACrEH,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;;;;;;;;AAS9D,IAAa,eAAb,cAAkC,WAAW;CAC3C,OAAc;CACd,UAA0B,CAAC,QAAQ;;;;;;CAOnC,SAAyB,SAAiC;EACxD,MAAM,eAAe,KAAK,KAAK,WAAW,MAAM;AAChD,OAAK,aAAa,SAAS,cAAc,KAAK,KAAK;AAEnD,WAAgB,QAAQ"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../src/routerGenerator.ts","../src/index.ts"],"sourcesContent":["import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { HttpMethod } from \"@rexeus/typeweaver-core\";\nimport { compareRoutes, relative } from \"@rexeus/typeweaver-gen\";\nimport type {\n  GeneratorContext,\n  NormalizedOperation,\n  NormalizedResource,\n} from \"@rexeus/typeweaver-gen\";\nimport { pascalCase } from \"polycase\";\n\nexport type RouterGenerationContext = Pick<\n  GeneratorContext,\n  | \"normalizedSpec\"\n  | \"outputDir\"\n  | \"getResourceOutputDir\"\n  | \"renderTemplate\"\n  | \"writeFile\"\n>;\n\ntype OperationData = {\n  readonly operationId: string;\n  readonly className: string;\n  readonly handlerName: string;\n  readonly method: string;\n  readonly path: string;\n};\n\n/**\n * Generates TypeweaverRouter subclasses from API definitions.\n *\n * For each resource (e.g., `Todo`, `Account`), produces a `<ResourceName>Router.ts`\n * file that extends `TypeweaverRouter` and registers all operations as routes.\n */\n\n/**\n * Generates router files for all resources in the given context.\n *\n * @param context - The generator context containing resources, templates, and output configuration\n */\nexport function generate(context: RouterGenerationContext): void {\n  const moduleDir = path.dirname(fileURLToPath(import.meta.url));\n  const templateFile = path.join(moduleDir, \"templates\", \"Router.ejs\");\n\n  for (const resource of context.normalizedSpec.resources) {\n    writeRouter(resource, templateFile, context);\n  }\n}\n\nfunction writeRouter(\n  resource: NormalizedResource,\n  templateFile: string,\n  context: RouterGenerationContext\n): void {\n  const pascalCaseEntityName = pascalCase(resource.name);\n  const outputDir = context.getResourceOutputDir(resource.name);\n  const outputPath = path.join(outputDir, `${pascalCaseEntityName}Router.ts`);\n\n  const operations = resource.operations\n    .filter(operation => operation.method !== HttpMethod.HEAD)\n    .map(operation => createOperationData(operation))\n    .sort((a, b) => compareRoutes(a, b));\n\n  const content = context.renderTemplate(templateFile, {\n    coreDir: relative(outputDir, context.outputDir),\n    entityName: resource.name,\n    pascalCaseEntityName,\n    operations,\n  });\n\n  const relativePath = path.relative(context.outputDir, outputPath);\n  context.writeFile(relativePath, content);\n}\n\nfunction createOperationData(operation: NormalizedOperation): OperationData {\n  const operationId = operation.operationId;\n  const className = pascalCase(operationId);\n\n  return {\n    operationId,\n    className,\n    handlerName: `handle${className}Request`,\n    method: operation.method,\n    path: operation.path,\n  };\n}\n","import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport { BasePlugin } from \"@rexeus/typeweaver-gen\";\nimport type { GeneratorContext } from \"@rexeus/typeweaver-gen\";\nimport { generate as generateRouters } from \"./routerGenerator.js\";\n\nconst moduleDir = path.dirname(fileURLToPath(import.meta.url));\n\n/**\n * Typeweaver plugin that generates a lightweight, dependency-free server\n * with built-in routing and middleware support.\n *\n * Copies the runtime library files (`TypeweaverApp`, `TypeweaverRouter`, `Router`,\n * `Middleware`, etc.) and generates typed router classes for each resource.\n */\nexport class ServerPlugin extends BasePlugin {\n  public name = \"server\";\n  public override depends = [\"types\"];\n\n  /**\n   * Generates the server runtime and typed routers for all resources.\n   *\n   * @param context - The generator context\n   */\n  public override generate(context: GeneratorContext): void {\n    const libSourceDir = path.join(moduleDir, \"lib\");\n    this.copyLibFiles(context, libSourceDir, this.name);\n\n    generateRouters(context);\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAwCA,SAAgB,SAAS,SAAwC;CAC/D,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;CAC9D,MAAM,eAAe,KAAK,KAAK,WAAW,aAAa,aAAa;AAEpE,MAAK,MAAM,YAAY,QAAQ,eAAe,UAC5C,aAAY,UAAU,cAAc,QAAQ;;AAIhD,SAAS,YACP,UACA,cACA,SACM;CACN,MAAM,uBAAuB,WAAW,SAAS,KAAK;CACtD,MAAM,YAAY,QAAQ,qBAAqB,SAAS,KAAK;CAC7D,MAAM,aAAa,KAAK,KAAK,WAAW,GAAG,qBAAqB,WAAW;CAE3E,MAAM,aAAa,SAAS,WACzB,QAAO,cAAa,UAAU,WAAW,WAAW,KAAK,CACzD,KAAI,cAAa,oBAAoB,UAAU,CAAC,CAChD,MAAM,GAAG,MAAM,cAAc,GAAG,EAAE,CAAC;CAEtC,MAAM,UAAU,QAAQ,eAAe,cAAc;EACnD,SAAS,SAAS,WAAW,QAAQ,UAAU;EAC/C,YAAY,SAAS;EACrB;EACA;EACD,CAAC;CAEF,MAAM,eAAe,KAAK,SAAS,QAAQ,WAAW,WAAW;AACjE,SAAQ,UAAU,cAAc,QAAQ;;AAG1C,SAAS,oBAAoB,WAA+C;CAC1E,MAAM,cAAc,UAAU;CAC9B,MAAM,YAAY,WAAW,YAAY;AAEzC,QAAO;EACL;EACA;EACA,aAAa,SAAS,UAAU;EAChC,QAAQ,UAAU;EAClB,MAAM,UAAU;EACjB;;;;AC9EH,MAAM,YAAY,KAAK,QAAQ,cAAc,OAAO,KAAK,IAAI,CAAC;;;;;;;;AAS9D,IAAa,eAAb,cAAkC,WAAW;CAC3C,OAAc;CACd,UAA0B,CAAC,QAAQ;;;;;;CAOnC,SAAyB,SAAiC;EACxD,MAAM,eAAe,KAAK,KAAK,WAAW,MAAM;AAChD,OAAK,aAAa,SAAS,cAAc,KAAK,KAAK;AAEnD,WAAgB,QAAQ"}

package/dist/lib/BodyLimitPolicy.ts

@@ -34,6 +34,8 @@ const FETCH_BODY_LIMIT_CAPABILITY: BodyLimitCapability =
 const NODE_BODY_LIMIT_CAPABILITY: BodyLimitCapability =
   "prevalidated-request-body";
 
+const CONTENT_LENGTH_HEADER_PATTERN = /^\d+$/;
+
 export function createFetchBodyLimitPolicy(
   maxBodySize?: number
 ): BodyLimitPolicy {
@@ -64,7 +66,12 @@ export function parseContentLength(
     return undefined;
   }
 
-  const contentLength = Number(rawValue);
+  const trimmedValue = rawValue.trim();
+  if (!CONTENT_LENGTH_HEADER_PATTERN.test(trimmedValue)) {
+    return undefined;
+  }
+
+  const contentLength = Number(trimmedValue);
   if (!Number.isFinite(contentLength) || contentLength < 0) {
     return undefined;
   }

package/dist/lib/FetchApiAdapter.ts

@@ -326,7 +326,11 @@ export class FetchApiAdapter {
     if (body instanceof Blob) return body;
 
     try {
-      return JSON.stringify(body);
+      const serializedBody = JSON.stringify(body);
+      if (serializedBody === undefined) {
+        throw new TypeError("Response body cannot be serialized to JSON");
+      }
+      return serializedBody;
     } catch (error) {
       throw new ResponseSerializationError(
         "Failed to serialize response body to JSON",

package/dist/lib/NodeAdapter.ts

@@ -6,6 +6,7 @@
  */
 
 import {
+  badRequestDefaultError,
   createDefaultErrorBody,
   internalServerErrorDefaultError,
   payloadTooLargeDefaultError,
@@ -39,6 +40,15 @@ type DrainRequestOptions = {
 };
 
 const REQUEST_DRAIN_TIMEOUT_MS = 5_000;
+const ORIGIN_FORM_BASE_URL_PROTOCOL = "http:";
+const AUTHORITY_LIKE_REQUEST_TARGET_PREFIX = /^[\\/]{2}/;
+const ASTERISK_FORM_REQUEST_TARGET = "*";
+
+type ParsedAuthority = {
+  readonly host: string;
+  readonly hostname: string;
+  readonly port: string;
+};
 
 /**
  * Adapts a `TypeweaverApp` to Node.js `http.createServer`.
@@ -82,12 +92,16 @@ async function handleRequest(
   reportError: (error: unknown) => void
 ): Promise<void> {
   try {
-    const url = new URL(req.url ?? "/", `http://${req.headers.host}`);
+    const url = createRequestUrl(req);
+    if (url === undefined) {
+      writeBadRequestResponse(req, res, bodyLimitPolicy.maxBodySize);
+      return;
+    }
     const shouldValidateBody = shouldValidateRequestBody(req.method);
 
     enforceContentLengthLimit(req, bodyLimitPolicy.maxBodySize);
 
-    if (!shouldValidateBody) {
+    if (!shouldValidateBody && hasReadableRequestBody(req)) {
       const drainResult = await drainRequest(req, bodyLimitPolicy.maxBodySize, {
         destroyOnLimitExceeded: false,
       });
@@ -111,7 +125,7 @@ async function handleRequest(
 
     const request = new Request(url, {
       method: req.method,
-      headers: req.headers as Record<string, string>,
+      headers: createRequestHeaders(req.headers),
       body,
     });
     if (shouldValidateBody) {
@@ -119,6 +133,11 @@ async function handleRequest(
     }
 
     const response = await app.fetch(request);
+    const responseBody = await readWritableResponseBody(
+      req.method,
+      response,
+      reportError
+    );
 
     response.headers.forEach((value, key) => {
       if (key.toLowerCase() !== "set-cookie") {
@@ -130,20 +149,193 @@ async function handleRequest(
       res.setHeader("set-cookie", cookies);
     }
     res.writeHead(response.status);
-    res.end(Buffer.from(await response.arrayBuffer()));
+    res.end(responseBody);
   } catch (error) {
     reportError(error);
 
     if (isRequestBodyLimitError(error)) {
-      writeDefaultErrorResponse(res, payloadTooLargeDefaultError, () => {
-        void drainRequest(req, bodyLimitPolicy.maxBodySize, {
-          destroyOnLimitExceeded: true,
-        });
+      writeDefaultErrorResponse(res, payloadTooLargeDefaultError, {
+        method: req.method,
+        onFinished: () => {
+          void drainRequest(req, bodyLimitPolicy.maxBodySize, {
+            destroyOnLimitExceeded: true,
+          });
+        },
       });
       return;
     }
 
-    writeDefaultErrorResponse(res, internalServerErrorDefaultError);
+    writeDefaultErrorResponse(res, internalServerErrorDefaultError, {
+      method: req.method,
+    });
+  }
+}
+
+function createRequestUrl(req: IncomingMessage): URL | undefined {
+  const rawUrl = req.url ?? "/";
+
+  if (rawUrl === ASTERISK_FORM_REQUEST_TARGET) {
+    return createAsteriskFormRequestUrl(req);
+  }
+
+  if (hasAuthorityLikeRequestTargetPrefix(rawUrl)) {
+    return undefined;
+  }
+
+  try {
+    const url = new URL(rawUrl);
+    return isAbsoluteRequestHostAllowed(url, req) ? url : undefined;
+  } catch (error) {
+    if (!(error instanceof TypeError) || !rawUrl.startsWith("/")) {
+      throw error;
+    }
+  }
+
+  const host = parseRequestHostHeader(req, ORIGIN_FORM_BASE_URL_PROTOCOL);
+  if (host === undefined) {
+    return undefined;
+  }
+
+  return new URL(rawUrl, `${ORIGIN_FORM_BASE_URL_PROTOCOL}//${host.host}`);
+}
+
+function createAsteriskFormRequestUrl(req: IncomingMessage): URL | undefined {
+  if (req.method !== "OPTIONS") {
+    return undefined;
+  }
+
+  const host = parseRequestHostHeader(req, ORIGIN_FORM_BASE_URL_PROTOCOL);
+  if (host === undefined) {
+    return undefined;
+  }
+
+  return new URL(
+    ASTERISK_FORM_REQUEST_TARGET,
+    `${ORIGIN_FORM_BASE_URL_PROTOCOL}//${host.host}/`
+  );
+}
+
+function hasAuthorityLikeRequestTargetPrefix(rawUrl: string): boolean {
+  return AUTHORITY_LIKE_REQUEST_TARGET_PREFIX.test(rawUrl);
+}
+
+function isAbsoluteRequestHostAllowed(url: URL, req: IncomingMessage): boolean {
+  const host = parseRequestHostHeader(req, url.protocol);
+  if (host === undefined) {
+    return false;
+  }
+
+  const urlAuthority = getUrlAuthority(url);
+  return (
+    host.hostname.toLowerCase() === urlAuthority.hostname.toLowerCase() &&
+    host.port === urlAuthority.port
+  );
+}
+
+function parseRequestHostHeader(
+  req: IncomingMessage,
+  protocol: string
+): ParsedAuthority | undefined {
+  if (!hasExactlyOneHostHeaderLine(req)) {
+    return undefined;
+  }
+
+  return parseHostHeader(req.headers.host, protocol);
+}
+
+function hasExactlyOneHostHeaderLine(req: IncomingMessage): boolean {
+  const headersDistinctHostCount = getHeadersDistinctHostCount(req);
+  if (
+    headersDistinctHostCount !== undefined &&
+    headersDistinctHostCount !== 1
+  ) {
+    return false;
+  }
+
+  const rawHostHeaderCount = countRawHostHeaderLines(req.rawHeaders);
+  if (rawHostHeaderCount > 0) {
+    return rawHostHeaderCount === 1;
+  }
+
+  return headersDistinctHostCount === 1;
+}
+
+function getHeadersDistinctHostCount(req: IncomingMessage): number | undefined {
+  const hostHeader = req.headersDistinct?.host;
+  if (hostHeader === undefined) {
+    return undefined;
+  }
+
+  return Array.isArray(hostHeader) ? hostHeader.length : 1;
+}
+
+function countRawHostHeaderLines(rawHeaders: readonly string[]): number {
+  let count = 0;
+
+  for (let index = 0; index < rawHeaders.length; index += 2) {
+    if (rawHeaders[index]?.toLowerCase() === "host") {
+      count += 1;
+    }
+  }
+
+  return count;
+}
+
+function parseHostHeader(
+  hostHeader: IncomingMessage["headers"]["host"],
+  protocol: string
+): ParsedAuthority | undefined {
+  if (hostHeader === undefined || Array.isArray(hostHeader)) {
+    return undefined;
+  }
+
+  const host = hostHeader.trim();
+  if (host === "" || host !== hostHeader) {
+    return undefined;
+  }
+
+  try {
+    const parsed = new URL(`${protocol}//${host}`);
+    if (
+      parsed.username !== "" ||
+      parsed.password !== "" ||
+      parsed.pathname !== "/" ||
+      parsed.search !== "" ||
+      parsed.hash !== ""
+    ) {
+      return undefined;
+    }
+
+    return getUrlAuthority(parsed);
+  } catch {
+    return undefined;
+  }
+}
+
+function getUrlAuthority(url: URL): ParsedAuthority {
+  return {
+    host: url.host,
+    hostname: url.hostname,
+    port: getEffectivePort(url),
+  };
+}
+
+function getEffectivePort(url: URL): string {
+  return url.port === "" ? getDefaultPort(url.protocol) : url.port;
+}
+
+function getDefaultPort(protocol: string): string {
+  switch (protocol) {
+    case "http:":
+    case "ws:":
+      return "80";
+    case "https:":
+    case "wss:":
+      return "443";
+    case "ftp:":
+      return "21";
+    default:
+      return "";
   }
 }
 
@@ -151,6 +343,86 @@ function shouldValidateRequestBody(method?: string): boolean {
   return method !== "GET" && method !== "HEAD";
 }
 
+function shouldWriteResponseBody(
+  method: string | undefined,
+  status: number
+): boolean {
+  return method !== "HEAD" && status !== 204 && status !== 304;
+}
+
+async function readWritableResponseBody(
+  method: string | undefined,
+  response: Response,
+  reportError: (error: unknown) => void
+): Promise<Buffer | undefined> {
+  if (shouldWriteResponseBody(method, response.status)) {
+    return Buffer.from(await response.arrayBuffer());
+  }
+
+  cancelSuppressedResponseBody(response, reportError);
+  return undefined;
+}
+
+function cancelSuppressedResponseBody(
+  response: Response,
+  reportError: (error: unknown) => void
+): void {
+  try {
+    void response.body?.cancel().catch(error => {
+      reportSuppressedResponseBodyCancelError(error, reportError);
+    });
+  } catch (error) {
+    reportSuppressedResponseBodyCancelError(error, reportError);
+  }
+}
+
+function reportSuppressedResponseBodyCancelError(
+  error: unknown,
+  reportError: (error: unknown) => void
+): void {
+  try {
+    reportError(error);
+  } catch (onErrorFailure) {
+    console.error(
+      "TypeweaverApp: onError callback threw while handling error",
+      { onErrorFailure, originalError: error }
+    );
+  }
+}
+
+function hasReadableRequestBody(req: IncomingMessage): boolean {
+  return (
+    req.headers["content-length"] !== undefined ||
+    req.headers["transfer-encoding"] !== undefined
+  );
+}
+
+function createRequestHeaders(headers: IncomingMessage["headers"]): Headers {
+  const requestHeaders = new Headers();
+
+  for (const [name, value] of Object.entries(headers)) {
+    if (value === undefined) {
+      continue;
+    }
+
+    if (Array.isArray(value)) {
+      if (name.toLowerCase() === "cookie") {
+        requestHeaders.set(name, value.join("; "));
+        continue;
+      }
+
+      for (const item of value) {
+        requestHeaders.append(name, item);
+      }
+      continue;
+    }
+
+    requestHeaders.set(name, value);
+  }
+
+  return requestHeaders;
+}
+
 function isRequestBodyLimitError(
   error: unknown
 ): error is PayloadTooLargeError | RequestBodyDrainTimeoutError {
@@ -177,9 +449,13 @@ function enforceContentLengthLimit(
 function writeDefaultErrorResponse(
   res: ServerResponse,
   error:
+    | typeof badRequestDefaultError
     | typeof payloadTooLargeDefaultError
     | typeof internalServerErrorDefaultError,
-  onFinished?: () => void
+  options: {
+    readonly method?: string;
+    readonly onFinished?: () => void;
+  } = {}
 ): void {
   if (!res.headersSent) {
     res.writeHead(error.statusCode, {
@@ -187,11 +463,47 @@ function writeDefaultErrorResponse(
     });
   }
 
-  if (onFinished !== undefined) {
-    res.once("finish", onFinished);
+  if (options.onFinished !== undefined) {
+    res.once("finish", options.onFinished);
+  }
+
+  const body = shouldWriteResponseBody(options.method, error.statusCode)
+    ? JSON.stringify(createDefaultErrorBody(error))
+    : undefined;
+  res.end(body);
+}
+
+function writeBadRequestResponse(
+  req: IncomingMessage,
+  res: ServerResponse,
+  maxBodySize: number
+): void {
+  writeDefaultErrorResponse(res, badRequestDefaultError, {
+    method: req.method,
+    onFinished: createRejectedRequestBodyCleanup(req, maxBodySize),
+  });
+}
+
+function createRejectedRequestBodyCleanup(
+  req: IncomingMessage,
+  maxBodySize: number
+): (() => void) | undefined {
+  if (!hasReadableRequestBody(req)) {
+    return undefined;
   }
 
-  res.end(JSON.stringify(createDefaultErrorBody(error)));
+  return () => {
+    const contentLength = parseContentLength(req.headers["content-length"]);
+    if (
+      contentLength !== undefined &&
+      isBodySizeOverLimit(contentLength, maxBodySize)
+    ) {
+      req.destroy();
+      return;
+    }
+
+    void drainRequest(req, maxBodySize, { destroyOnLimitExceeded: true });
+  };
 }
 
 async function drainRequest(

package/dist/lib/PathMatcher.ts

@@ -9,13 +9,17 @@
  * Creates a predicate that tests whether a request path matches a pattern.
  *
  * Supports three pattern types:
- * - **Exact match**: `"/users"` matches only `"/users"`
+ * - **Exact match**: `"/users"` matches `"/users"` and canonically
+ *   equivalent rooted paths such as `"/users/"` and `"/users//"`
  * - **Prefix match**: `"/users/*"` matches `"/users"` and any path beneath it
  *   (e.g. `"/users/123"`, `"/users/123/posts"`)
  * - **Parameterized segments**: `"/users/:id"` matches paths where `:id` stands
  *   for exactly one segment (e.g. `"/users/123"` but not `"/users/123/posts"`)
  *
  * Uses the same `:paramName` syntax as typeweaver route definitions.
+ * Rooted request paths are canonicalized with the same empty-segment
+ * filtering used by the router, so duplicate and trailing slashes match the
+ * route they dispatch to. Unrooted request paths do not match rooted patterns.
  *
  * @example
  * ```typescript
@@ -30,27 +34,67 @@
  * ```
  */
 export function pathMatcher(pattern: string): (path: string) => boolean {
+  const patternSegments = patternToSegments(pattern);
+
   if (pattern.endsWith("/*")) {
-    const prefix = pattern.slice(0, -2);
-    return path => path === prefix || path.startsWith(prefix + "/");
+    const prefixSegments = patternToSegments(pattern.slice(0, -2));
+
+    return path => {
+      const pathSegments = toSegments(path);
+      if (pathSegments === undefined) return false;
+      if (pathSegments.length < prefixSegments.length) return false;
+
+      return prefixSegments.every(
+        (segment, index) => pathSegments[index] === segment
+      );
+    };
   }
 
-  const segments = pattern.split("/");
-  const hasParams = segments.some(s => s.startsWith(":"));
+  const hasParams = patternSegments.some(s => s.startsWith(":"));
 
   if (!hasParams) {
-    return path => path === pattern;
+    return path => {
+      const pathSegments = toSegments(path);
+      if (pathSegments === undefined) return false;
+
+      return segmentsEqual(patternSegments, pathSegments);
+    };
   }
 
-  const segmentCount = segments.length;
-  const matchers = segments.map(s => (s.startsWith(":") ? null : s));
+  const segmentCount = patternSegments.length;
+  const matchers = patternSegments.map(s => (s.startsWith(":") ? null : s));
 
   return path => {
-    const parts = path.split("/");
+    const parts = toSegments(path);
+    if (parts === undefined) return false;
     if (parts.length !== segmentCount) return false;
+
     for (let i = 0; i < segmentCount; i++) {
-      if (matchers[i] !== null && matchers[i] !== parts[i]) return false;
+      if (matchers[i] === null) {
+        continue;
+      }
+
+      if (matchers[i] !== parts[i]) return false;
     }
     return true;
   };
 }
+
+function toSegments(path: string): readonly string[] | undefined {
+  if (!path.startsWith("/")) return undefined;
+
+  return patternToSegments(path);
+}
+
+function patternToSegments(path: string): readonly string[] {
+  return path.split("/").filter(segment => segment.length > 0);
+}
+
+function segmentsEqual(
+  left: readonly string[],
+  right: readonly string[]
+): boolean {
+  if (left.length !== right.length) return false;
+
+  return left.every((segment, index) => right[index] === segment);
+}

package/dist/lib/Router.ts

@@ -135,6 +135,11 @@ export class Router {
    * Register a route in the radix tree.
    */
   public add(definition: RouteDefinition): void {
+    const method = definition.method.toUpperCase();
+    const normalizedDefinition =
+      definition.method === method
+        ? definition
+        : { ...definition, method: method as HttpMethod };
     const segments = Router.toSegments(definition.path);
 
     let current = this.root;
@@ -161,13 +166,13 @@ export class Router {
       }
     }
 
-    if (current.methods.has(definition.method)) {
+    if (current.methods.has(method)) {
       throw new Error(
-        `Route conflict: ${definition.method} ${definition.path} is already registered`
+        `Route conflict: ${method} ${definition.path} is already registered`
       );
     }
 
-    current.methods.set(definition.method, definition);
+    current.methods.set(method, normalizedDefinition);
   }
 
   /**
@@ -280,7 +285,14 @@ export class Router {
   private static decodePathSegment(segment: string): string {
     try {
       const decoded = decodeURIComponent(segment);
-      if (decoded === ".." || decoded === ".") return segment;
+      if (
+        decoded === ".." ||
+        decoded === "." ||
+        decoded.includes("/") ||
+        decoded.includes("\\")
+      ) {
+        return segment;
+      }
       return decoded;
     } catch {
       return segment;

package/dist/lib/TypeweaverApp.ts

@@ -13,9 +13,11 @@ import {
   internalServerErrorDefaultError,
   isTypedHttpResponse,
   methodNotAllowedDefaultError,
+  normalizeHttpResponse,
   notFoundDefaultError,
   payloadTooLargeDefaultError,
   RequestValidationError,
+  toHttpResponse,
   validationDefaultError,
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
@@ -240,13 +242,21 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
       const routeCtx = this.withPathParams(ctx, match.params);
       try {
         const response = await this.executeHandler(routeCtx, match.route);
-        return await this.validateResponse(match.route, response, routeCtx);
+        return await this.validateResponse(
+          match.route,
+          normalizeHttpResponse(response),
+          routeCtx
+        );
       } catch (error) {
         if (
           isTypedHttpResponse(error) &&
           match.route.routerConfig.validateResponses
         ) {
-          return await this.validateResponse(match.route, error, routeCtx);
+          return await this.validateResponse(
+            match.route,
+            toHttpResponse(error),
+            routeCtx
+          );
         }
         return this.handleError(error, routeCtx, match.route);
       }
@@ -289,7 +299,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
    * - `validateResponses: true` (default) → runs validation:
    *   - Valid response → returns the stripped response (extra fields removed).
    *   - Invalid response + handler configured → calls the handler safely.
-   *     If the handler throws, falls back to the original response.
+   *     If the handler throws, fails closed with a sanitized 500 response.
    *   - Invalid response + `handleResponseValidationErrors: false` → returns
    *     the original (invalid) response as-is.
    *
@@ -307,7 +317,9 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
 
     const result = route.responseValidator.safeValidate(response);
 
-    if (result.isValid) return result.data;
+    if (result.isValid) {
+      return normalizeHttpResponse(result.data);
+    }
 
     const handler = this.resolveErrorHandler<ResponseValidationErrorHandler>(
       route.routerConfig.handleResponseValidationErrors,
@@ -319,6 +331,11 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
         handler(result.error, response, ctx)
       );
       if (handlerResponse) return handlerResponse;
+      return TypeweaverApp.defaultResponseValidationHandler(
+        result.error,
+        response,
+        ctx
+      );
     }
 
     return response;
@@ -461,7 +478,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
 
   private static defaultHttpResponseHandler: HttpResponseErrorHandler = (
     err
-  ): IHttpResponse => err;
+  ): IHttpResponse => toHttpResponse(err);
 
   private readonly defaultUnknownHandler: UnknownErrorHandler = (
     error

package/dist/lib/middleware/basicAuth.ts

@@ -4,6 +4,7 @@ import {
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { readSingletonHeader } from "./header.js";
 import type { ServerContext } from "../ServerContext.js";
 
 export type BasicAuthOptions = {
@@ -31,10 +32,18 @@ export function basicAuth(options: BasicAuthOptions) {
     options.onUnauthorized?.(ctx) ?? defaultResponse;
 
   return defineMiddleware<{ username: string }>(async (ctx, next) => {
-    const authorization = ctx.request.header?.["authorization"];
+    const authorization = readSingletonHeader(
+      ctx.request.header,
+      "authorization"
+    );
     if (typeof authorization !== "string") return deny(ctx);
 
-    if (!authorization.startsWith(BASIC_PREFIX)) return deny(ctx);
+    if (
+      authorization.slice(0, BASIC_PREFIX.length).toLowerCase() !==
+      BASIC_PREFIX.toLowerCase()
+    ) {
+      return deny(ctx);
+    }
 
     const encoded = authorization.slice(BASIC_PREFIX.length);
     if (encoded.length === 0) return deny(ctx);

package/dist/lib/middleware/bearerAuth.ts

@@ -4,6 +4,7 @@ import {
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { readSingletonHeader } from "./header.js";
 import type { ServerContext } from "../ServerContext.js";
 
 export type BearerAuthOptions = {
@@ -30,10 +31,18 @@ export function bearerAuth(options: BearerAuthOptions) {
     options.onUnauthorized?.(ctx) ?? defaultResponse;
 
   return defineMiddleware<{ token: string }>(async (ctx, next) => {
-    const authorization = ctx.request.header?.["authorization"];
+    const authorization = readSingletonHeader(
+      ctx.request.header,
+      "authorization"
+    );
     if (typeof authorization !== "string") return deny(ctx);
 
-    if (!authorization.startsWith(BEARER_PREFIX)) return deny(ctx);
+    if (
+      authorization.slice(0, BEARER_PREFIX.length).toLowerCase() !==
+      BEARER_PREFIX.toLowerCase()
+    ) {
+      return deny(ctx);
+    }
 
     const token = authorization.slice(BEARER_PREFIX.length);
     if (token.length === 0) return deny(ctx);

package/dist/lib/middleware/cors.ts

@@ -1,5 +1,10 @@
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import {
+  hasHeaderName,
+  readHeaderValues,
+  readSingletonHeader,
+} from "./header.js";
 
 export type CorsOptions = {
   readonly origin?:
@@ -22,13 +27,22 @@ const DEFAULT_METHODS = [
   "DELETE",
 ] as const;
 
+const POLICY_CONTROLLED_CORS_HEADERS = new Set([
+  "access-control-allow-origin",
+  "access-control-allow-credentials",
+  "access-control-expose-headers",
+  "access-control-allow-methods",
+  "access-control-allow-headers",
+  "access-control-max-age",
+]);
+
 function resolveOrigin(
   configOrigin: CorsOptions["origin"],
   requestOrigin: string | undefined,
   credentials: boolean
 ): string | undefined {
   if (configOrigin === undefined || configOrigin === "*") {
-    if (credentials && requestOrigin) return requestOrigin;
+    if (credentials) return undefined;
     return "*";
   }
 
@@ -48,21 +62,107 @@ function resolveOrigin(
 function getRequestOrigin(
   header: Record<string, string | string[]> | undefined
 ): string | undefined {
-  const origin = header?.["origin"];
-  return typeof origin === "string" ? origin : undefined;
+  return readSingletonHeader(header, "origin");
+}
+
+function isOriginDependentWithoutRequestOrigin(
+  configOrigin: CorsOptions["origin"],
+  credentials: boolean
+): boolean {
+  return (
+    typeof configOrigin === "function" ||
+    Array.isArray(configOrigin) ||
+    ((configOrigin === undefined || configOrigin === "*") && credentials)
+  );
+}
+
+function splitHeaderValues(values: readonly string[]): readonly string[] {
+  return values.flatMap(value =>
+    value
+      .split(",")
+      .map(item => item.trim())
+      .filter(item => item.length > 0)
+  );
+}
+
+function mergeVary(existing: readonly string[], value: string): string {
+  const values = splitHeaderValues(existing);
+  if (values.length === 0) return value;
+
+  const hasValue = values.some(
+    item => item.toLowerCase() === value.toLowerCase()
+  );
+
+  return hasValue ? values.join(", ") : [...values, value].join(", ");
+}
+
+function removePolicyControlledCorsHeaders(
+  responseHeaders: Record<string, string | string[]> | undefined
+): Record<string, string | string[]> {
+  const result: Record<string, string | string[]> = {};
+
+  for (const [key, value] of Object.entries(responseHeaders ?? {})) {
+    if (POLICY_CONTROLLED_CORS_HEADERS.has(key.toLowerCase())) continue;
+
+    result[key] = value;
+  }
+
+  return result;
+}
+
+function mergeResponseHeaders(
+  responseHeaders: Record<string, string | string[]> | undefined,
+  corsHeaders: Record<string, string>
+): Record<string, string | string[]> {
+  const result = removePolicyControlledCorsHeaders(responseHeaders);
+
+  const mergedCorsHeaders = { ...corsHeaders };
+  if (corsHeaders.vary !== undefined) {
+    for (const key of Object.keys(result)) {
+      if (key.toLowerCase() === "vary") delete result[key];
+    }
+
+    mergedCorsHeaders.vary = mergeVary(
+      readHeaderValues(responseHeaders, "vary"),
+      corsHeaders.vary
+    );
+  }
+
+  return { ...result, ...mergedCorsHeaders };
 }
 
 export function cors(options?: CorsOptions) {
   const credentials = options?.credentials ?? false;
+
   const methods = (options?.allowMethods ?? DEFAULT_METHODS).join(", ");
   const exposeHeaders = options?.exposeHeaders?.join(", ");
   const maxAge = options?.maxAge?.toString();
 
   return defineMiddleware(async (ctx, next) => {
     const requestOrigin = getRequestOrigin(ctx.request.header);
-    const origin = resolveOrigin(options?.origin, requestOrigin, credentials);
+    const hasOrigin = hasHeaderName(ctx.request.header, "origin");
+    const resolvedOrigin =
+      hasOrigin && requestOrigin === undefined
+        ? undefined
+        : resolveOrigin(options?.origin, requestOrigin, credentials);
+    const origin =
+      credentials && resolvedOrigin === "*" ? undefined : resolvedOrigin;
+
+    if (origin === undefined) {
+      const response = await next();
+
+      if (
+        !hasOrigin &&
+        !isOriginDependentWithoutRequestOrigin(options?.origin, credentials)
+      ) {
+        return response;
+      }
 
-    if (origin === undefined) return next();
+      return {
+        ...response,
+        header: mergeResponseHeaders(response.header, { vary: "Origin" }),
+      } satisfies IHttpResponse;
+    }
 
     const corsHeaders: Record<string, string> = {
       "access-control-allow-origin": origin,
@@ -82,18 +182,26 @@ export function cors(options?: CorsOptions) {
 
     const isPreflight =
       ctx.request.method === "OPTIONS" &&
-      ctx.request.header?.["access-control-request-method"] !== undefined;
+      requestOrigin !== undefined &&
+      readSingletonHeader(
+        ctx.request.header,
+        "access-control-request-method"
+      ) !== undefined;
 
     if (isPreflight) {
       corsHeaders["access-control-allow-methods"] = methods;
 
       const configuredHeaders = options?.allowHeaders;
-      if (configuredHeaders && configuredHeaders.length > 0) {
-        corsHeaders["access-control-allow-headers"] =
-          configuredHeaders.join(", ");
+      if (configuredHeaders !== undefined) {
+        if (configuredHeaders.length > 0) {
+          corsHeaders["access-control-allow-headers"] =
+            configuredHeaders.join(", ");
+        }
       } else {
-        const requestedHeaders =
-          ctx.request.header?.["access-control-request-headers"];
+        const requestedHeaders = readSingletonHeader(
+          ctx.request.header,
+          "access-control-request-headers"
+        );
         if (typeof requestedHeaders === "string") {
           corsHeaders["access-control-allow-headers"] = requestedHeaders;
         }
@@ -113,7 +221,7 @@ export function cors(options?: CorsOptions) {
 
     return {
       ...response,
-      header: { ...corsHeaders, ...response.header },
+      header: mergeResponseHeaders(response.header, corsHeaders),
     } satisfies IHttpResponse;
   });
 }

package/dist/lib/middleware/header.ts

@@ -0,0 +1,59 @@
+export type HeaderMap = Record<string, string | string[]> | undefined;
+
+export function readSingletonHeader(
+  header: HeaderMap,
+  name: string
+): string | undefined {
+  const normalizedName = name.toLowerCase();
+  let foundValue: string | undefined;
+
+  for (const [key, value] of Object.entries(header ?? {})) {
+    if (key.toLowerCase() !== normalizedName) continue;
+    if (foundValue !== undefined || typeof value !== "string") {
+      return undefined;
+    }
+
+    foundValue = value;
+  }
+
+  return foundValue;
+}
+
+export function hasHeaderName(header: HeaderMap, name: string): boolean {
+  const normalizedName = name.toLowerCase();
+
+  return Object.keys(header ?? {}).some(
+    key => key.toLowerCase() === normalizedName
+  );
+}
+
+export function readHeaderValues(
+  header: HeaderMap,
+  name: string
+): readonly string[] {
+  const normalizedName = name.toLowerCase();
+  const values: string[] = [];
+
+  for (const [key, value] of Object.entries(header ?? {})) {
+    if (key.toLowerCase() !== normalizedName) continue;
+
+    values.push(...(Array.isArray(value) ? value : [value]));
+  }
+
+  return values;
+}
+
+export function omitHeaders(
+  header: HeaderMap,
+  names: readonly string[]
+): Record<string, string | string[]> {
+  const normalizedNames = new Set(names.map(name => name.toLowerCase()));
+  const headers: Record<string, string | string[]> = {};
+
+  for (const [key, value] of Object.entries(header ?? {})) {
+    if (normalizedNames.has(key.toLowerCase())) continue;
+    headers[key] = value;
+  }
+
+  return headers;
+}

package/dist/lib/middleware/logger.ts

@@ -10,6 +10,7 @@ export type LogData = {
 export type LoggerOptions = {
   readonly logFn?: (message: string) => void;
   readonly format?: (data: LogData) => string;
+  readonly nowMs?: () => number;
 };
 
 const defaultFormat = (data: LogData): string =>
@@ -18,11 +19,12 @@ const defaultFormat = (data: LogData): string =>
 export function logger(options?: LoggerOptions) {
   const logFn = options?.logFn ?? console.log;
   const format = options?.format ?? defaultFormat;
+  const nowMs = options?.nowMs ?? (() => performance.now());
 
   return defineMiddleware(async (ctx, next) => {
-    const start = performance.now();
+    const start = nowMs();
     const response = await next();
-    const durationMs = Math.round(performance.now() - start);
+    const durationMs = Math.round(nowMs() - start);
 
     logFn(
       format({

package/dist/lib/middleware/poweredBy.ts

@@ -10,10 +10,15 @@ export function poweredBy(options?: PoweredByOptions) {
 
   return defineMiddleware(async (_ctx, next) => {
     const response = await next();
+    const responseHeaders = Object.fromEntries(
+      Object.entries(response.header ?? {}).filter(
+        ([headerName]) => headerName.toLowerCase() !== "x-powered-by"
+      )
+    );
 
     return {
       ...response,
-      header: { ...response.header, "x-powered-by": value },
+      header: { ...responseHeaders, "x-powered-by": value },
     } satisfies IHttpResponse;
   });
 }

package/dist/lib/middleware/requestId.ts

@@ -1,29 +1,29 @@
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { omitHeaders, readSingletonHeader } from "./header.js";
 
 export type RequestIdOptions = {
   readonly headerName?: string;
   readonly generator?: () => string;
 };
 
+const isValidRequestId = (value: string | undefined): value is string =>
+  value !== undefined && value.length > 0 && !/[\r\n]/.test(value);
+
 export function requestId(options?: RequestIdOptions) {
   const headerName = (options?.headerName ?? "x-request-id").toLowerCase();
   const generator = options?.generator ?? (() => crypto.randomUUID());
 
   return defineMiddleware<{ requestId: string }>(async (ctx, next) => {
-    const existing = ctx.request.header?.[headerName];
-    const id =
-      typeof existing === "string"
-        ? existing
-        : Array.isArray(existing)
-          ? (existing[0] ?? generator())
-          : generator();
+    const existing = readSingletonHeader(ctx.request.header, headerName);
+    const id = isValidRequestId(existing) ? existing : generator();
 
     const response = await next({ requestId: id });
+    const header = omitHeaders(response.header, [headerName]);
 
     return {
       ...response,
-      header: { ...response.header, [headerName]: id },
+      header: { ...header, [headerName]: id },
     } satisfies IHttpResponse;
   });
 }

package/dist/lib/middleware/scoped.ts

@@ -2,55 +2,70 @@ import { pathMatcher } from "../PathMatcher.js";
 import { defineMiddleware } from "../TypedMiddleware.js";
 import type { TypedMiddleware } from "../TypedMiddleware.js";
 
+type NoProvidedKeys<TProvides extends Record<string, unknown>> = [
+  keyof TProvides,
+] extends [never]
+  ? unknown
+  : never;
+
 /**
  * Restricts a middleware to only run on paths matching the given patterns.
  *
  * Accepts the same pattern syntax as {@link pathMatcher}: exact (`"/users"`),
  * prefix (`"/api/*"`), and parameterized (`"/users/:id"`).
  *
- * Only accepts non-state middleware (`TypedMiddleware<{}, {}>`) to preserve
+ * Only accepts non-state-providing middleware to preserve
  * TypeWeaver's compile-time state guarantees — skipping a state-providing
  * middleware would leave downstream consumers with missing state.
+ * Any upstream state requirements declared by the wrapped middleware are
+ * preserved on the returned middleware descriptor.
  *
  * @example
  * ```typescript
  * app.use(scoped(["/api/*"], cors({ origin: "https://app.com" })));
  * ```
  */
-export function scoped(
+export function scoped<
+  TProvides extends Record<string, unknown>,
+  TRequires extends Record<string, unknown>,
+>(
   paths: readonly string[],
-  middleware: TypedMiddleware<{}, {}>
-): TypedMiddleware<{}, {}> {
+  middleware: TypedMiddleware<TProvides, TRequires> & NoProvidedKeys<TProvides>
+): TypedMiddleware<TProvides, TRequires> {
   const matchers = paths.map(pathMatcher);
 
-  return defineMiddleware(async (ctx, next) => {
+  return defineMiddleware<{}, TRequires>(async (ctx, next) => {
     if (!matchers.some(match => match(ctx.request.path))) {
       return next();
     }
     return middleware.handler(ctx, next);
-  });
+  }) as TypedMiddleware<TProvides, TRequires>;
 }
 
 /**
  * Runs a middleware on all paths *except* those matching the given patterns.
  *
- * The inverse of {@link scoped}. Same pattern syntax and type constraint.
+ * The inverse of {@link scoped}. Same pattern syntax and type constraints,
+ * including preservation of wrapped middleware state requirements.
  *
  * @example
  * ```typescript
  * app.use(except(["/health", "/ready"], logger()));
  * ```
  */
-export function except(
+export function except<
+  TProvides extends Record<string, unknown>,
+  TRequires extends Record<string, unknown>,
+>(
   paths: readonly string[],
-  middleware: TypedMiddleware<{}, {}>
-): TypedMiddleware<{}, {}> {
+  middleware: TypedMiddleware<TProvides, TRequires> & NoProvidedKeys<TProvides>
+): TypedMiddleware<TProvides, TRequires> {
   const matchers = paths.map(pathMatcher);
 
-  return defineMiddleware(async (ctx, next) => {
+  return defineMiddleware<{}, TRequires>(async (ctx, next) => {
     if (matchers.some(match => match(ctx.request.path))) {
       return next();
     }
     return middleware.handler(ctx, next);
-  });
+  }) as TypedMiddleware<TProvides, TRequires>;
 }

package/dist/lib/middleware/secureHeaders.ts

@@ -1,5 +1,6 @@
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { omitHeaders } from "./header.js";
 
 export type SecureHeadersOptions = {
   readonly contentTypeOptions?: string | false;
@@ -48,10 +49,11 @@ export function secureHeaders(options?: SecureHeadersOptions) {
 
   return defineMiddleware(async (_ctx, next) => {
     const response = await next();
+    const header = omitHeaders(response.header, Object.keys(headers));
 
     return {
       ...response,
-      header: { ...headers, ...response.header },
+      header: { ...header, ...headers },
     } satisfies IHttpResponse;
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rexeus/typeweaver-server",
-  "version": "0.10.3",
+  "version": "0.10.4",
   "description": "Generates a lightweight, dependency-free server with built-in routing and middleware from your API definitions. Powered by Typeweaver.",
   "type": "module",
   "sideEffects": false,
@@ -47,15 +47,15 @@
   },
   "homepage": "https://github.com/rexeus/typeweaver#readme",
   "peerDependencies": {
-    "@rexeus/typeweaver-core": "^0.10.3",
-    "@rexeus/typeweaver-gen": "^0.10.3"
+    "@rexeus/typeweaver-core": "^0.10.4",
+    "@rexeus/typeweaver-gen": "^0.10.4"
   },
   "devDependencies": {
     "get-port": "^7.2.0",
     "test-utils": "file:../test-utils",
     "tsx": "^4.21.0",
-    "@rexeus/typeweaver-core": "^0.10.3",
-    "@rexeus/typeweaver-gen": "^0.10.3"
+    "@rexeus/typeweaver-core": "^0.10.4",
+    "@rexeus/typeweaver-gen": "^0.10.4"
   },
   "dependencies": {
     "polycase": "^1.1.0"